Linux kernel -stable discussions
* [PATCH 6.6 000/474] 6.6.140-rc1 review
@ 2026-05-15 15:41 Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:41 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
	shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
	sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr

This is the start of the stable review cycle for the 6.6.140 release.
There are 474 patches in this series, all of which will be posted as
responses to this one.  If anyone has any issues with these being
applied, please let me know.

Responses should be made by Sun, 17 May 2026 15:46:37 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.140-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 6.6.140-rc1

Bjoern Doebel <doebel@amazon.de>
    smb: client: use kzalloc to zero-initialize security descriptor buffer

Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Bluetooth: MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete

Thorsten Blum <thorsten.blum@linux.dev>
    crypto: nx - fix context leak in nx842_crypto_free_ctx

Jianpeng Chang <jianpeng.chang.cn@windriver.com>
    Bluetooth: MGMT: Fix memory leak in set_ssp_complete

Amit Kumar Mahapatra <amit.kumar-mahapatra@amd.com>
    mtd: spi-nor: sst: Fix SST write failure

Benjamin Cheng <benjamin.cheng@amd.com>
    drm/amdgpu/vcn4: Avoid overflow on msg bound check

Benjamin Cheng <benjamin.cheng@amd.com>
    drm/amdgpu/vcn3: Avoid overflow on msg bound check

Eric Dumazet <edumazet@google.com>
    vsock/virtio: fix potential unbounded skb queue

Stefano Garzarella <sgarzare@redhat.com>
    vsock/virtio: fix length and offset in tap skb for split packets

Dudu Lu <phx0fer@gmail.com>
    vsock/virtio: fix accept queue count leak on transport mismatch

Norbert Szetei <norbert@doyensec.com>
    vsock: fix buffer size clamping order

Marc Zyngier <maz@kernel.org>
    KVM: arm64: Wake-up from WFI when iqrchip is in userspace

Max Kellermann <max.kellermann@ionos.com>
    ceph: only d_add() negative dentries when they are unhashed

Selvarasu Ganesan <selvarasu.g@samsung.com>
    usb: dwc3: Move GUID programming after PHY initialization

Steven Rostedt <rostedt@goodmis.org>
    tracing/probes: Limit size of event probe to 3K

Yochai Eisenrich <yochaie@sweet.security>
    btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak

Sven Eckelmann <sven@narfation.org>
    batman-adv: tp_meter: fix tp_num leak on kmalloc failure

Jiexun Wang <wangjiexun2025@gmail.com>
    batman-adv: stop tp_meter sessions during mesh teardown

Viorel Suman (OSS) <viorel.suman@oss.nxp.com>
    pwm: imx-tpm: Count the number of enabled channels in probe

Sanjaikumar V S <sanjaikumar.vs@dicortech.com>
    mtd: spi-nor: sst: Fix write enable before AAI sequence

Bence Csókás <csokas.bence@prolan.hu>
    mtd: spi-nor: sst: Factor out common write operation to `sst_nor_write_data()`

Namjae Jeon <linkinjeon@kernel.org>
    ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger

SeongJae Park <sj@kernel.org>
    mm/damon/reclaim: detect and use fresh enabled and kdamond_pid values

Amit Sunil Dhamne <amitsd@google.com>
    usb: typec: tcpm: reset internal port states on soft reset AMS

SeongJae Park <sj@kernel.org>
    mm/damon/lru_sort: detect and use fresh enabled and kdamond_pid values

SeongJae Park <sj@kernel.org>
    mm/damon/core: implement damon_kdamond_pid()

Hyunwoo Kim <imv4bel@gmail.com>
    rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present

SeongJae Park <sj@kernel.org>
    mm/damon/core: disallow time-quota setting zero esz

Nikolay Aleksandrov <razor@blackwall.org>
    bonding: fix use-after-free due to enslave fail after slave array update

Siwei Zhang <oss@fourdim.xyz>
    Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()

David Howells <dhowells@redhat.com>
    rxrpc: Fix conn-level packet handling to unshare RESPONSE packets

Thomas Zimmermann <tzimmermann@suse.de>
    fbcon: Avoid OOB font access if console rotation fails

Johan Hovold <johan@kernel.org>
    spi: microchip-core-qspi: fix controller deregistration

Li Zetao <lizetao1@huawei.com>
    spi: microchip-core-qspi: Use helper function devm_clk_get_enabled()

Sang-Heon Jeon <ekffu200098@gmail.com>
    mm/hugetlb_cma: round up per_node before logging it

Johan Hovold <johan@kernel.org>
    spi: uniphier: fix controller deregistration

Pei Xiao <xiaopei01@kylinos.cn>
    spi: uniphier: Simplify clock handling with devm_clk_get_enabled()

Yang Yingliang <yangyingliang@huawei.com>
    spi: uniphier: switch to use modern name

Johan Hovold <johan@kernel.org>
    spi: tegra20-sflash: fix controller deregistration

Johan Hovold <johan@kernel.org>
    spi: tegra114: fix controller deregistration

Johan Hovold <johan@kernel.org>
    spi: sun6i: fix controller deregistration

Yang Yingliang <yangyingliang@huawei.com>
    spi: sun6i: switch to use modern name

Johan Hovold <johan@kernel.org>
    spi: zynq-qspi: fix controller deregistration

Pei Xiao <xiaopei01@kylinos.cn>
    spi: zynq-qspi: Simplify clock handling with devm_clk_get_enabled()

Yang Yingliang <yangyingliang@huawei.com>
    spi: zynq-qspi: switch to use modern name

Johan Hovold <johan@kernel.org>
    spi: ti-qspi: fix controller deregistration

Yang Yingliang <yangyingliang@huawei.com>
    spi: spi-ti-qspi: switch to use modern name

Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    spi: spi-ti-qspi: Convert to platform remove callback returning void

Johan Hovold <johan@kernel.org>
    spi: sun4i: fix controller deregistration

Yang Yingliang <yangyingliang@huawei.com>
    spi: sun4i: switch to use modern name

Johan Hovold <johan@kernel.org>
    spi: syncuacer: fix controller deregistration

Yang Yingliang <yangyingliang@huawei.com>
    spi: synquacer: switch to use modern name

David Carlier <devnexen@gmail.com>
    Bluetooth: hci_conn: fix potential UAF in create_big_sync

Michal Kosiorek <mkosiorek121@gmail.com>
    xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete

Michael Bommarito <michael.bommarito@gmail.com>
    xfrm: ah: account for ESN high bits in async callbacks

Eric Biggers <ebiggers@google.com>
    net: ipv6: stop checking crypto_ahash_alignmask

Eric Biggers <ebiggers@google.com>
    net: ipv4: stop checking crypto_ahash_alignmask

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ALSA: seq: Fix UMP group 16 filtering

Takashi Iwai <tiwai@suse.de>
    ALSA: seq: Notify client and port info changes

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ALSA: core: Serialize deferred fasync state checks

Takashi Iwai <tiwai@suse.de>
    ALSA: misc: Use guard() for spin locks

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ALSA: hda: cs35l56: Propagate ASP TX source control errors

David Carlier <devnexen@gmail.com>
    tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()

Sam Edwards <cfsworks@gmail.com>
    net: stmmac: Prevent NULL deref when RX memory exhausted

Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
    net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY()

Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
    net: stmmac: avoid shadowing global buf_sz

Thorsten Blum <thorsten.blum@linux.dev>
    crypto: caam - guard HMAC key hex dumps in hash_digest_key

Thorsten Blum <thorsten.blum@linux.dev>
    printk: add print_hex_dump_devel()

Junrui Luo <moonafterrain@outlook.com>
    erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()

Thorsten Blum <thorsten.blum@linux.dev>
    crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx

Ard Biesheuvel <ardb@kernel.org>
    crypto: nx - Migrate to scomp API

Gustavo A. R. Silva <gustavoars@kernel.org>
    crypto: nx - Avoid -Wflex-array-member-not-at-end warning

DaeMyung Kang <charsyam@gmail.com>
    ksmbd: reset rcount per connection in ksmbd_conn_wait_idle_sess_id()

Yi Cong <yicong@kylinos.cn>
    wifi: rtl8xxxu: fix potential use of uninitialized value

Zilin Guan <zilin@seu.edu.cn>
    hfsplus: fix held lock freed on hfsplus_fill_super()

Deepanshu Kartikey <kartikey406@gmail.com>
    hfsplus: fix uninit-value by validating catalog record size

Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
    xfs: fix a resource leak in xfs_alloc_buftarg()

Luke Wang <ziniu.wang_1@nxp.com>
    mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs

Seohyeon Maeng <bioloidgp@gmail.com>
    udf: fix partition descriptor append bookkeeping

Thomas Zimmermann <tzimmermann@suse.de>
    firmware: google: framebuffer: Do not unregister platform device

Thomas Zimmermann <tzimmermann@suse.de>
    fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info

Johan Hovold <johan@kernel.org>
    spi: fix resource leaks on device setup failure

Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
    net: qrtr: ns: Limit the total number of nodes

Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
    net: qrtr: ns: Limit the maximum number of lookups

Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
    net: qrtr: ns: Limit the maximum server registration per node

Zhengchuan Liang <zcliangcn@gmail.com>
    net: bridge: use a stable FDB dst snapshot in RCU readers

Yuan Zhaoming <yuanzm2@lenovo.com>
    net: mctp: fix don't require received header reserved bits to be zero

Long Li <longli@microsoft.com>
    RDMA/mana_ib: Disable RX steering on RSS QP destroy

Joseph Salisbury <joseph.salisbury@oracle.com>
    sched: Use u64 for bandwidth ratio calculations

Naman Jain <namjain@linux.microsoft.com>
    block: relax pgmap check in bio_add_page for compatible zone device pages

Oliver Neukum <oneukum@suse.com>
    media: rc: igorplugusb: heed coherency rules

Thorsten Blum <thorsten.blum@linux.dev>
    ALSA: aoa: Skip devices with no codecs in i2sbus_resume()

Oliver Neukum <oneukum@suse.com>
    media: rc: ttusbir: respect DMA coherency rules

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ALSA: aoa: i2sbus: clear stale prepared state

Takashi Iwai <tiwai@suse.de>
    ALSA: aoa: Use guard() for mutex locks

Corey Minyard <corey@minyard.net>
    ipmi:ssif: Clean up kthread on errors

Corey Minyard <corey@minyard.net>
    ipmi:ssif: Fix a shutdown race

Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    thermal: core: Fix thermal zone governor cleanup issues

Daniel Hodges <git@danielhodges.dev>
    PCI: epf-mhi: Return 0, not remaining timeout, when eDMA ops complete

Sean Wang <sean.wang@mediatek.com>
    wifi: mt76: mt792x: fix mt7925u USB WFSYS reset handling

Sean Wang <sean.wang@mediatek.com>
    wifi: mt76: mt792x: describe USB WFSYS reset with a descriptor

Deren Wu <deren.wu@mediatek.com>
    wifi: mt76: connac: introduce helper for mt7925 chipset

Anshuman Khandual <anshuman.khandual@arm.com>
    arm64/mm: Enable batched TLB flush in unmap_hotplug_range()

Alistair Popple <apopple@nvidia.com>
    lib: test_hmm: evict device pages on file close to avoid use-after-free

Daniel Hodges <git@danielhodges.dev>
    wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()

Chao Yu <chao@kernel.org>
    f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally

Namjae Jeon <linkinjeon@kernel.org>
    ksmbd: replace connection list with hash table

Namjae Jeon <linkinjeon@kernel.org>
    ksmbd: use msleep instaed of schedule_timeout_interruptible()

Yongpeng Yang <yangyongpeng@xiaomi.com>
    f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io()

Michael Bommarito <michael.bommarito@gmail.com>
    smb: client: validate the whole DACL before rewriting it in cifsacl

Michael Bommarito <michael.bommarito@gmail.com>
    ksmbd: require minimum ACE size in smb_check_perm_dacl()

Namjae Jeon <linkinjeon@kernel.org>
    smb: common: change the data type of num_aces to le16

ChenXiaoSong <chenxiaosong@kylinos.cn>
    smb: move some duplicate definitions to common/smbacl.h

Sven Eckelmann <sven@narfation.org>
    batman-adv: bla: put backbone reference on failed claim hash insert

Sven Eckelmann <sven@narfation.org>
    batman-adv: bla: only purge non-released claims

Sven Eckelmann <sven@narfation.org>
    batman-adv: bla: prevent use-after-free when deleting claims

Jiexun Wang <wangjiexun2025@gmail.com>
    batman-adv: stop caching unowned originator pointers in BAT IV

Jiexun Wang <wangjiexun2025@gmail.com>
    batman-adv: reject new tp_meter sessions during teardown

Lyes Bourennani <lbourennani@fuzzinglabs.com>
    batman-adv: fix integer overflow on buff_pos

Ben Morris <bmorris@anthropic.com>
    sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL

Alex Deucher <alexander.deucher@amd.com>
    drm/amdgpu/pm: align Hawaii mclk workaround with radeon

Alex Deucher <alexander.deucher@amd.com>
    drm/amdgpu/pm: add missing revision check for CI

John B. Moore <jbmoore61@gmail.com>
    drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission

John B. Moore <jbmoore61@gmail.com>
    drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ

Philip Yang <Philip.Yang@amd.com>
    drm/amdgpu: zero-initialize GART table on allocation

Alex Deucher <alexander.deucher@amd.com>
    drm/radeon: add missing revision check for CI

Alysa Liu <Alysa.Liu@amd.com>
    drm/amdkfd: validate SVM ioctl nattr against buffer size

Ashutosh Desai <ashutoshdesai993@gmail.com>
    drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()

Benjamin Cheng <benjamin.cheng@amd.com>
    drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg

Benjamin Cheng <benjamin.cheng@amd.com>
    drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg

Benjamin Cheng <benjamin.cheng@amd.com>
    drm/amdgpu/vce: Prevent partial address patches

Benjamin Cheng <benjamin.cheng@amd.com>
    drm/amdgpu/vcn4: Prevent OOB reads when parsing IB

Benjamin Cheng <benjamin.cheng@amd.com>
    drm/amdgpu: Add bounds checking to ib_{get,set}_value

Alysa Liu <Alysa.Liu@amd.com>
    drm/amdkfd: Add upper bound check for num_of_nodes

Amir Shetaia <Amir.Shetaia@amd.com>
    drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure

Johan Hovold <johan@kernel.org>
    spi: cadence: fix unclocked access on unbind

Johan Hovold <johan@kernel.org>
    spi: cadence: fix controller deregistration

Johan Hovold <johan@kernel.org>
    spi: mpc52xx: fix use-after-free on unbind

Johan Hovold <johan@kernel.org>
    spi: orion: fix clock imbalance on registration failure

Johan Hovold <johan@kernel.org>
    spi: orion: fix runtime pm leak on unbind

Johan Hovold <johan@kernel.org>
    spi: imx: fix runtime pm leak on probe deferral

Johan Hovold <johan@kernel.org>
    spi: img-spfi: fix controller deregistration

Johan Hovold <johan@kernel.org>
    spi: rspi: fix controller deregistration

Johan Hovold <johan@kernel.org>
    spi: sprd: fix controller deregistration

Johan Hovold <johan@kernel.org>
    spi: coldfire-qspi: fix controller deregistration

Johan Hovold <johan@kernel.org>
    spi: bcmbca-hsspi: fix controller deregistration

Johan Hovold <johan@kernel.org>
    spi: fsl: fix controller deregistration

Johan Hovold <johan@kernel.org>
    spi: sh-hspi: fix controller deregistration

Johan Hovold <johan@kernel.org>
    spi: mtk-nor: fix controller deregistration

Johan Hovold <johan@kernel.org>
    spi: omap2-mcspi: fix controller deregistration

Johan Hovold <johan@kernel.org>
    spi: fsl-espi: fix controller deregistration

Johan Hovold <johan@kernel.org>
    spi: s3c64xx: fix controller deregistration

Johan Hovold <johan@kernel.org>
    spi: dln2: fix controller deregistration

Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
    media: omap3isp: drop the use count of v4l2 pipeline

Matthias Fend <matthias.fend@emfend.at>
    media: i2c: ov08d10: fix image vertical start setting

Michael Tretter <m.tretter@pengutronix.de>
    media: staging: imx: request mbus_config in csi_start

Wenmeng Liu <wenmeng.liu@oss.qualcomm.com>
    media: i2c: imx412: Assert reset GPIO during probe

Sergey Shtylyov <s.shtylyov@auroraos.dev>
    media: dib8000: avoid division by 0 in dib8000_set_dds()

Abdun Nihaal <nihaal@cse.iitm.ac.in>
    media: pci: zoran: fix potential memory leak in zoran_probe()

Krishna Chomal <krishna.chomal108@gmail.com>
    platform/x86: hp-wmi: Ignore backlight and FnLock events

Wang Jun <1742789905@qq.com>
    media: saa7164: add ioremap return checks and cleanups

Johan Hovold <johan@kernel.org>
    spi: at91-usart: fix controller deregistration

Johan Hovold <johan@kernel.org>
    spi: qup: fix controller deregistration

Johan Hovold <johan@kernel.org>
    spi: lantiq-ssc: fix controller deregistration

Johan Hovold <johan@kernel.org>
    regulator: bd9571mwv: fix OF node reference imbalance

Johan Hovold <johan@kernel.org>
    regulator: act8945a: fix OF node reference imbalance

Janne Grunau <j@jannau.net>
    media: videobuf2: Set vma_flags in vb2_dma_sg_mmap

Johan Hovold <johan@kernel.org>
    regulator: rk808: fix OF node reference imbalance

Oliver Neukum <oneukum@suse.com>
    media: rc: streamzap: Error handling in probe

Oliver Neukum <oneukum@suse.com>
    media: rc: xbox_remote: heed DMA restrictions

Johan Hovold <johan@kernel.org>
    regulator: max77650: fix OF node reference imbalance

Johan Hovold <johan@kernel.org>
    regulator: mt6357: fix OF node reference imbalance

Sakari Ailus <sakari.ailus@linux.intel.com>
    staging: media: atomisp: Disallow all private IOCTLs

Johan Hovold <johan@kernel.org>
    spi: atmel: fix controller deregistration

Johan Hovold <johan@kernel.org>
    spi: bcm63xx: fix controller deregistration

Alexander Koskovich <akoskovich@pm.me>
    media: i2c: ov8856: free control handler on error in ov8856_init_controls()

Ricardo Ribalda <ribalda@chromium.org>
    media: uvcvideo: Enable VB2_DMABUF for metadata stream

T.J. Mercier <tjmercier@google.com>
    HID: playstation: Clamp num_touch_reports

Paul E. McKenney <paulmck@kernel.org>
    exit: Sleep at TASK_IDLE when waiting for application core dump

Huacai Chen <chenhuacai@kernel.org>
    LoongArch: Use per-root-bridge PCIH flag to skip mem resource fixup

Wentao Guan <guanwentao@uniontech.com>
    LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()

Quentin Perret <qperret@google.com>
    KVM: arm64: Fix initialisation order in __pkvm_init_finalise()

David Woodhouse <dwmw@amazon.co.uk>
    KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value

Yongpeng Yang <yangyongpeng@xiaomi.com>
    f2fs: fix node_cnt race between extent node destroy and writeback

Yongpeng Yang <yangyongpeng@xiaomi.com>
    f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks()

Yongpeng Yang <yangyongpeng@xiaomi.com>
    f2fs: fix fiemap boundary handling when read extent cache is incomplete

Cen Zhang <zzzccc427@gmail.com>
    f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode()

Gang Yan <yangang@kylinos.cn>
    mptcp: fix scheduling with atomic in timestamp sockopt

Gang Yan <yangang@kylinos.cn>
    mptcp: sockopt: set timestamp flags on subflow socket, not msk

Shardul Bankar <shardul.b@mpiricsoftware.com>
    mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure

Shardul Bankar <shardul.b@mpiricsoftware.com>
    mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure

Matthieu Baerts (NGI0) <matttbe@kernel.org>
    mptcp: fastclose msk when linger time is 0

Jason Gunthorpe <jgg@ziepe.ca>
    RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path

Michael Bommarito <michael.bommarito@gmail.com>
    RDMA/rxe: Reject unknown opcodes before ICRC processing

Michael Bommarito <michael.bommarito@gmail.com>
    RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads

Jason Gunthorpe <jgg@ziepe.ca>
    RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()

Junrui Luo <moonafterrain@outlook.com>
    RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()

Jason Gunthorpe <jgg@ziepe.ca>
    RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()

André Draszik <andre.draszik@linaro.org>
    power: supply: max17042: avoid overflow when determining health

Lukas Wunner <lukas@wunner.de>
    PCI/AER: Stop ruling out unbound devices as error source

Shuai Xue <xueshuai@linux.alibaba.com>
    PCI/AER: Clear only error bits in PCIe Device Status

SeongJae Park <sj@kernel.org>
    mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock

Paolo Bonzini <pbonzini@redhat.com>
    KVM: x86: check for nEPT/nNPT in slow flush hypercalls

Michael Bommarito <michael.bommarito@gmail.com>
    smb: client: validate dacloffset before building DACL pointers

Zisen Ye <zisenye@stu.xidian.edu.cn>
    smb/client: fix out-of-bounds read in symlink_data()

Zisen Ye <zisenye@stu.xidian.edu.cn>
    smb/client: fix out-of-bounds read in smb2_compound_op()

Vasily Gorbik <gor@linux.ibm.com>
    s390/debug: Reject zero-length input in debug_input_flush_fn()

Jason Gunthorpe <jgg@ziepe.ca>
    RDMA/hns: Fix unlocked call to hns_roce_qp_remove()

Ilya Maximets <i.maximets@ovn.org>
    openvswitch: vport: fix self-deadlock on release of tunnel ports

Chaitanya Kulkarni <kch@nvidia.com>
    nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free

Fedor Pchelkin <pchelkin@ispras.ru>
    nvme-apple: drop invalid put of admin queue reference count

Junrui Luo <moonafterrain@outlook.com>
    md/raid10: fix divide-by-zero in setup_geo() with zero far_copies

Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
    libceph: Fix slab-out-of-bounds access in auth message processing

Christian A. Ehrhardt <lk@c--e.de>
    lib/scatterlist: fix temp buffer in extract_user_to_sg()

Christian A. Ehrhardt <lk@c--e.de>
    lib/scatterlist: fix length calculations in extract_kvec_to_sg

Lukas Wunner <lukas@wunner.de>
    lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()

Michael Bommarito <michael.bommarito@gmail.com>
    isofs: validate block number from NFS file handle in isofs_export_iget

Michael Bommarito <michael.bommarito@gmail.com>
    isofs: validate Rock Ridge CE continuation extent against volume size

Eric Biggers <ebiggers@kernel.org>
    dm-verity-fec: correctly reject too-small hash devices

Eric Biggers <ebiggers@kernel.org>
    dm-verity-fec: correctly reject too-small FEC devices

David Carlier <devnexen@gmail.com>
    eventfs: Hold eventfs_mutex and SRCU when remount walks events

Mikulas Patocka <mpatocka@redhat.com>
    dm: fix a buffer overflow in ioctl processing

Mikulas Patocka <mpatocka@redhat.com>
    dm: don't report warning when doing deferred remove

Mikulas Patocka <mpatocka@redhat.com>
    dm-thin: fix metadata refcount underflow

Guangshuo Li <lgs201920130244@gmail.com>
    btrfs: fix double free in create_space_info() error path

Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
    ASoC: qcom: q6apm: remove child devices when apm is removed

Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
    ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens

Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
    ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ASoC: Intel: bytcr_wm5102: Fix MCLK leak on platform_clock_control error

Joseph Salisbury <joseph.salisbury@oracle.com>
    ASoC: fsl_easrc: fix comment typo

Tommaso Soncin <soncintommaso@gmail.com>
    ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk table

Shrikanth Hegde <sshegde@linux.ibm.com>
    cpuidle: powerpc: avoid double clear when breaking snooze

Conor Dooley <conor.dooley@microchip.com>
    clk: microchip: mpfs-ccc: fix out of bounds access during output registration

Stefan Eichenberger <stefan.eichenberger@toradex.com>
    clk: imx: imx8-acm: fix flags for acm clocks

Johan Hovold <johan@kernel.org>
    spi: topcliff-pch: fix use-after-free on unbind

Thorsten Blum <thorsten.blum@linux.dev>
    thermal/drivers/sprd: Fix raw temperature clamping in sprd_thm_rawdata_to_temp

Thorsten Blum <thorsten.blum@linux.dev>
    thermal/drivers/sprd: Fix temperature clamping in sprd_thm_temp_to_rawdata

Michael Bommarito <michael.bommarito@gmail.com>
    udf: reject descriptors with oversized CRC length

Mingming Cao <mmc@linux.ibm.com>
    ibmveth: Disable GSO for packets with small MSS

Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
    hv_sock: fix ARM64 support

Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
    gpio: of: clear OF_POPULATED on hog nodes in remove path

Xu Yang <xu.yang_2@nxp.com>
    extcon: ptn5150: handle pending IRQ events during system resume

Shyam Prasad N <sprasad@microsoft.com>
    cifs: change_conf needs to be called for session setup

Shyam Prasad N <sprasad@microsoft.com>
    cifs: abort open_cached_dir if we don't request leases

Naman Jain <namjain@linux.microsoft.com>
    block: add pgmap check to biovec_phys_mergeable

Jiexun Wang <wangjiexun2025@gmail.com>
    af_unix: Reject SIOCATMARK on non-stream sockets

Myeonghun Pak <mhun512@gmail.com>
    hwmon: (corsair-psu) Close HID device on probe errors

Johan Hovold <johan@kernel.org>
    clk: rk808: fix OF node reference imbalance

Sanman Pradhan <psanman@juniper.net>
    hwmon: (ltc2992) Fix u32 overflow in power read path

Sanman Pradhan <psanman@juniper.net>
    hwmon: (ltc2992) Clamp threshold writes to hardware range

Hongling Zeng <zenghongling@kylinos.cn>
    parisc: Fix IRQ leak in LASI driver

Pavitra Jha <jhapavitra98@gmail.com>
    net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler

Nan Li <tonanli66@gmail.com>
    net/rds: handle zerocopy send cleanup before the message is queued

Maoyi Xie <maoyixie.tju@gmail.com>
    ip6_gre: Use cached t->net in ip6erspan_changelink().

Jiawen Wu <jiawenwu@trustnetic.com>
    net: libwx: fix VF illegal register access

SeungJu Cheon <suunj1331@gmail.com>
    sound: ua101: fix division by zero at probe

Kai Zen <kai.aizen.dev@gmail.com>
    net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo

Tudor Ambarus <tudor.ambarus@linaro.org>
    mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()

Miklos Szeredi <mszeredi@redhat.com>
    fanotify: fix false positive on permission events

Johan Hovold <johan@kernel.org>
    staging: vme_user: fix root device leak on init failure

Johan Hovold <johan@kernel.org>
    spi: s3c64xx: fix NULL-deref on driver unbind

Johan Hovold <johan@kernel.org>
    spi: zynqmp-gqspi: fix controller deregistration

Siwei Zhang <oss@fourdim.xyz>
    Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()

Siwei Zhang <oss@fourdim.xyz>
    Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()

Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt

Michael Bommarito <michael.bommarito@gmail.com>
    Bluetooth: virtio_bt: validate rx pkt_type header length

Michael Bommarito <michael.bommarito@gmail.com>
    Bluetooth: virtio_bt: clamp rx length before skb_put

Stephen Smalley <stephen.smalley.work@gmail.com>
    selinux: prune /sys/fs/selinux/disable

Stephen Smalley <stephen.smalley.work@gmail.com>
    selinux: shrink critical section in sel_write_load()

David Windsor <dwindsor@gmail.com>
    selinux: don't reserve xattr slot when we won't fill it

Yilin Zhu <zylzyl2333@gmail.com>
    ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()

Ruijie Li <ruijieli51@gmail.com>
    xfrm: provide message size for XFRM_MSG_MAPPING

Sourabh Jain <sourabhjain@linux.ibm.com>
    powerpc/kdump: fix KASAN sanitization flag for core_$(BITS).o

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ALSA: firewire-tascam: Do not drop unread control events

Felix Gu <ustc.gu@gmail.com>
    usb: ulpi: fix memory leak on ulpi_register() error paths

Fabio Porcedda <fabio.porcedda@gmail.com>
    USB: serial: option: add Telit Cinterion LE910Cx compositions

Aaro Koskinen <aaro.koskinen@iki.fi>
    USB: omap_udc: DMA: Don't enable burst 4 mode

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ALSA: usb-audio: Fix UAC3 cluster descriptor size check

Takashi Iwai <tiwai@suse.de>
    ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ALSA: usb-audio: midi2: Restart output URBs on resume

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    usb: usblp: fix heap leak in IEEE 1284 device ID via short response

Marek Szyprowski <m.szyprowski@samsung.com>
    wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task

Tristan Madani <tristan@talencesecurity.com>
    wifi: b43: enforce bounds check on firmware key index in b43_rx()

Johannes Berg <johannes.berg@intel.com>
    wifi: mac80211: remove station if connection prep fails

Jiri Slaby (SUSE) <jirislaby@kernel.org>
    wifi: ath5k: do not access array OOB

Jeongjun Park <aha310510@gmail.com>
    wifi: rsi: fix kthread lifetime race between self-exit and external-stop

Catherine <enderaoelyther@gmail.com>
    wifi: mac80211: drop stray 'static' from fast-RX rx_result

Tristan Madani <tristan@talencesecurity.com>
    wifi: b43legacy: enforce bounds check on firmware key index in RX path

Quan Zhou <quan.zhou@mediatek.com>
    wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work

Leon Yen <leon.yen@mediatek.com>
    wifi: mt76: mt7921: fix a potential clc buffer length underflow

Jann Horn <jannh@google.com>
    exit: prevent preemption of oopsing TASK_DEAD task

Kumar Kartikeya Dwivedi <memxor@gmail.com>
    bpf: Don't mark STACK_INVALID as STACK_MISC in mark_stack_slot_misc

Andrii Nakryiko <andrii@kernel.org>
    selftests/bpf: validate fake register spill/fill precision backtracking logic

Andrii Nakryiko <andrii@kernel.org>
    bpf: handle fake register spill to stack with BPF_ST_MEM instruction

Andrii Nakryiko <andrii@kernel.org>
    selftests/bpf: validate precision logic in partial_stack_load_preserves_zeros

Andrii Nakryiko <andrii@kernel.org>
    bpf: track aligned STACK_ZERO cases as imprecise spilled registers

Andrii Nakryiko <andrii@kernel.org>
    selftests/bpf: validate zero preservation for sub-slot loads

Andrii Nakryiko <andrii@kernel.org>
    bpf: preserve constant zero when doing partial register restore

Andrii Nakryiko <andrii@kernel.org>
    selftests/bpf: validate STACK_ZERO is preserved on subreg spill

Andrii Nakryiko <andrii@kernel.org>
    bpf: preserve STACK_ZERO slots on partial reg spills

Andrii Nakryiko <andrii@kernel.org>
    selftests/bpf: add stack access precision test

Andrii Nakryiko <andrii@kernel.org>
    bpf: support non-r10 register spill/fill to/from stack in precision tracking

Jamal Hadi Salim <jhs@mojatatu.com>
    net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked

Paolo Bonzini <pbonzini@redhat.com>
    KVM: SVM: check validity of VMCB controls when returning from SMM

Vinicius Costa Gomes <vinicius.gomes@intel.com>
    dmaengine: idxd: Fix leaking event log memory

Vinicius Costa Gomes <vinicius.gomes@intel.com>
    dmaengine: idxd: Fix crash when the event log is disabled

Jiawen Wu <jiawenwu@trustnetic.com>
    net: txgbe: fix RTNL assertion warning when remove module

Qingfang Deng <qingfang.deng@linux.dev>
    flow_dissector: do not dissect PPPoE PFC frames

Dong Chenchen <dongchenchen2@huawei.com>
    net: Fix icmp host relookup triggering ip_rt_bug

Ankit Soni <Ankit.Soni@amd.com>
    iommu/amd: serialize sequence allocation under concurrent TLB invalidations

Uros Bizjak <ubizjak@gmail.com>
    iommu/amd: Use atomic64_inc_return() in iommu.c

Sean Christopherson <seanjc@google.com>
    KVM: x86: Fix shadow paging use-after-free due to unexpected GFN

David Howells <dhowells@redhat.com>
    rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets

Tejas Bharambe <tejas.bharambe@outlook.com>
    ext4: validate p_idx bounds in ext4_ext_correct_indexes

David Howells <dhowells@redhat.com>
    rxrpc: Fix potential UAF after skb_unshare() failure

Felix Gu <ustc.gu@gmail.com>
    spi: meson-spicc: Fix double-put in remove path

Rick Edgecombe <rick.p.edgecombe@intel.com>
    x86/shstk: Prevent deadlock during shstk sigreturn

Yussuf Khalil <dev@pp3345.net>
    drm/amd/display: Do not skip unrelated mode changes in DSC validation

Linus Torvalds <torvalds@linux-foundation.org>
    x86: shadow stacks: proper error handling for mmap lock

Johan Hovold <johan@kernel.org>
    spi: rockchip: fix controller deregistration

Mark Brown <broonie@kernel.org>
    ASoC: SOF: Don't allow pointer operations on unconfigured streams

Sina Hassani <sina@openai.com>
    iommufd: Fix a race with concurrent allocation and unmap

Shivam Kalra <shivamkalra98@zohomail.in>
    ACPI: video: force native backlight on HP OMEN 16 (8A44)

Jinjie Ruan <ruanjinjie@huawei.com>
    ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug

Guangshuo Li <lgs201920130244@gmail.com>
    ACPI: scan: Use acpi_dev_put() in object add error paths

Rajat Gupta <rajgupt@qti.qualcomm.com>
    fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free

Corey Minyard <corey@minyard.net>
    ipmi:si: Return state to normal if message allocation fails

Corey Minyard <corey@minyard.net>
    ipmi: Check event message buffer response for bad data

Corey Minyard <corey@minyard.net>
    ipmi: Add limits to event and receive message requests

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()

Kai Ma <k4729.23098@gmail.com>
    netfilter: reject zero shift in nft_bitwise

Andrea Mayer <andrea.mayer@uniroma2.it>
    net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels

Deepanshu Kartikey <kartikey406@gmail.com>
    ALSA: caiaq: fix usb_dev refcount leak on probe failure

Arjan van de Ven <arjan@linux.intel.com>
    drm/amdgpu: fix zero-size GDS range init on RDNA4

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    ipv6: rpl: reserve mac_len headroom when recompressed SRH grows

Takashi Iwai <tiwai@suse.de>
    ALSA: caiaq: Don't abort when no input device is available

Takashi Iwai <tiwai@suse.de>
    ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path

Douglas Anderson <dianders@chromium.org>
    driver core: Add kernel-doc for DEV_FLAG_COUNT enum value

Yucheng Lu <kanolyc@gmail.com>
    crypto: authencesn - reject short ahash digests during instance creation

Andrea Mayer <andrea.mayer@uniroma2.it>
    seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode

Yang Xiuwei <yangxiuwei@kylinos.cn>
    scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails

Keenan Dong <keenanat2000@gmail.com>
    rtmutex: Use waiter::task instead of current in remove_waiter()

Tobias Gaertner <tob.gaertner@me.com>
    ntfs3: fix integer overflow in run_unpack() volume boundary check

Tobias Gaertner <tob.gaertner@me.com>
    ntfs3: add buffer boundary checks to run_unpack()

Steven Rostedt <rostedt@goodmis.org>
    ktest: Fix the month in the name of the failure directory

Chen Zhao <chezhao@nvidia.com>
    IB/core: Fix zero dmac race in neighbor resolution

Junrui Luo <moonafterrain@outlook.com>
    dm mirror: fix integer overflow in create_dirty_log()

Thorsten Blum <thorsten.blum@linux.dev>
    crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path

Thorsten Blum <thorsten.blum@linux.dev>
    crypto: atmel-tdes - fix DMA sync direction

Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
    crypto: ccree - fix a memory leak in cc_mac_digest()

Thomas Fourier <fourier.thomas@gmail.com>
    crypto: hisilicon - Fix dma_unmap_single() direction

Thorsten Blum <thorsten.blum@linux.dev>
    crypto: atmel-ecc - Release client on allocation failure

Thorsten Blum <thorsten.blum@linux.dev>
    crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup

Eric Biggers <ebiggers@kernel.org>
    crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as 64-bit

Johan Hovold <johan@kernel.org>
    can: ucan: fix devres lifetime

Shuvam Pandey <shuvampandey1@gmail.com>
    Bluetooth: hci_event: fix potential UAF in SSP passkey handlers

Yiyang Chen <cyyzero16@gmail.com>
    taskstats: set version in TGID exit notifications

Zhenzhong Wu <jt26wzz@gmail.com>
    tcp: call sk_data_ready() after listener migration

Chia-Ming Chang <chiamingc@synology.com>
    inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails

Junrui Luo <moonafterrain@outlook.com>
    md/raid5: validate payload size before accessing journal metadata

Chia-Ming Chang <chiamingc@synology.com>
    md/raid5: fix soft lockup in retry_aligned_read()

Sohei Koyama <skoyama@ddn.com>
    ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()

Deepanshu Kartikey <kartikey406@gmail.com>
    ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access

Jens Axboe <axboe@kernel.dk>
    io_uring/poll: fix multishot recv missing EOF on wakeup race

James Kim <james010kim@gmail.com>
    mtd: docg3: fix use-after-free in docg3_release()

Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    mtd: docg3: Convert to platform remove callback returning void

Yosry Ahmed <yosry@kernel.org>
    KVM: nSVM: Add missing consistency check for nCR3 validity

Yosry Ahmed <yosry@kernel.org>
    KVM: nSVM: Add missing consistency check for EFER, CR0, CR4, and CS

Yosry Ahmed <yosry@kernel.org>
    KVM: nSVM: Clear tracking of L1->L2 NMI and soft IRQ on nested #VMEXIT

Yosry Ahmed <yosry@kernel.org>
    KVM: nSVM: Clear EVENTINJ fields in vmcb12 on nested #VMEXIT

Yosry Ahmed <yosry@kernel.org>
    KVM: nSVM: Clear GIF on nested #VMEXIT(INVALID)

Yosry Ahmed <yosry@kernel.org>
    KVM: nSVM: Always inject a #GP if mapping VMCB12 fails on nested VMRUN

Yosry Ahmed <yosry.ahmed@linux.dev>
    KVM: nSVM: Use vcpu->arch.cr2 when updating vmcb12 on nested #VMEXIT

Yosry Ahmed <yosry@kernel.org>
    KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest mode

Sean Christopherson <seanjc@google.com>
    KVM: SVM: Explicitly mark vmcb01 dirty after modifying VMCB intercepts

Kevin Cheng <chengkev@google.com>
    KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0

Yosry Ahmed <yosry@kernel.org>
    KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2

Yosry Ahmed <yosry@kernel.org>
    KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2

Yosry Ahmed <yosry.ahmed@linux.dev>
    KVM: nSVM: Mark all of vmcb02 dirty when restoring nested state

Sean Christopherson <seanjc@google.com>
    KVM: x86: Defer non-architectural deliver of exception payload to userspace read

Denis M. Karpov <komlomal@gmail.com>
    userfaultfd: allow registration of ranges below mmap_min_addr

SeongJae Park <sj@kernel.org>
    mm/damon/core: use time_in_range_open() for damos quota window start

Johan Hovold <johan@kernel.org>
    rtc: ntxec: fix OF node reference imbalance

Jacqueline Wong <jacqwong@google.com>
    tpm: tpm_tis: stop transmit if retries are exhausted

Jacqueline Wong <jacqwong@google.com>
    tpm: tpm_tis: add error logging for data transfer

Paul Louvel <paul.louvel@bootlin.com>
    crypto: talitos - rename first/last to first_desc/last_desc

Paul Louvel <paul.louvel@bootlin.com>
    crypto: talitos - fix SEC1 32k ahash request limitation

Francesco Dolcini <francesco.dolcini@toradex.com>
    arm64: dts: ti: am62-verdin: Enable pullup for eMMC data pins

Shawn Lin <shawn.lin@rock-chips.com>
    mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration

Bin Liu <b-liu@ti.com>
    mmc: block: use single block write in retry

Ryan Roberts <ryan.roberts@arm.com>
    randomize_kstack: Maintain kstack_offset per task

Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
    power: supply: axp288_charger: Do not cancel work before initializing it

Huacai Chen <chenhuacai@kernel.org>
    LoongArch: Show CPU vulnerabilites correctly

Arnd Bergmann <arnd@arndb.de>
    tpm: avoid -Wunused-but-set-variable

Nathan Chancellor <nathan@kernel.org>
    extract-cert: Wrap key_pass with '#ifdef USE_PKCS11_ENGINE'

Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
    libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()

Ruide Cao <caoruide123@gmail.com>
    ipv4: icmp: validate reply type before using icmp_pointers

hkbinbin <hkbinbinbin@gmail.com>
    RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv

Luca Ceresoli <luca.ceresoli@bootlin.com>
    drm/arcpgu: fix device node leak

Marek Vasut <marex@nabladev.com>
    net: ks8851: Avoid excess softirq scheduling

Marek Vasut <marex@nabladev.com>
    net: ks8851: Reinstate disabling of BHs around IRQ handler

Ruijie Li <ruijieli51@gmail.com>
    net/smc: avoid early lgr access in smc_clc_wait_msg

Jiawen Wu <jiawenwu@trustnetic.com>
    net: txgbe: fix firmware version check

Ao Zhou <draw51280@163.com>
    net: rds: fix MR cleanup on copy error

Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
    net: qrtr: ns: Free the node during ctrl_cmd_bye()

Yiyang Chen <cyyzero16@gmail.com>
    tools/accounting: handle truncated taskstats netlink messages

David Howells <dhowells@redhat.com>
    rxrpc: Fix re-decryption of RESPONSE packets

David Howells <dhowells@redhat.com>
    rxrpc: Fix rxkad crypto unalignment handling

David Howells <dhowells@redhat.com>
    rxrpc: Fix memory leaks in rxkad_verify_response()

Jonathan Santos <Jonathan.Santos@analog.com>
    iio: adc: ad7768-1: fix one-shot mode data acquisition

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ALSA: pcmtest: Fix resource leaks in module init error paths

Guangshuo Li <lgs201920130244@gmail.com>
    ALSA: pcmtest: fix reference leak on failed device registration

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ALSA: 6fire: Fix input volume change detection

Takashi Iwai <tiwai@suse.de>
    ALSA: caiaq: Handle probe errors properly

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ALSA: caiaq: Fix control_put() result and cache rollback

Takashi Iwai <tiwai@suse.de>
    ALSA: core: Fix potential data race at fasync handling

Jens Axboe <axboe@kernel.dk>
    io_uring/poll: ensure EPOLL_ONESHOT is propagated for EPOLL_URING_WAKE

Longxuan Yu <ylong030@ucr.edu>
    io_uring/poll: fix signed comparison in io_poll_get_ownership()

David Lechner <dlechner@baylibre.com>
    iio: adc: ti-ads7950: use iio_push_to_buffers_with_ts_unaligned()

Pavel Begunkov <asml.silence@gmail.com>
    io_uring/timeout: check unused sqe fields

Dawei Feng <dawei.feng@seu.edu.cn>
    rbd: fix null-ptr-deref when device_add_disk() fails

Simon Liebold <simonlie@amazon.de>
    selftests/mqueue: Fix incorrectly named file

Ben Levinsky <ben.levinsky@amd.com>
    remoteproc: xlnx: Only access buffer information if IPI is buffered

Helge Deller <deller@gmx.de>
    parisc: _llseek syscall is only available for 32-bit userspace

Robert Beckett <bob.beckett@collabora.com>
    nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set

Robert Beckett <bob.beckett@collabora.com>
    nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4

Marek Vasut <marex@nabladev.com>
    mfd: stpmic1: Attempt system shutdown twice in case PMIC is confused

Josh Hunt <johunt@akamai.com>
    md/raid10: fix deadlock with check operation and nowait requests

Gao Xiang <xiang@kernel.org>
    erofs: fix the out-of-bounds nameoff handling for trailing dirents

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ALSA: seq_oss: return full count for successful SEQ_FULLSIZE writes

Harin Lee <me@harin.net>
    ALSA: ctxfi: Add fallback to default RSR for S/PDIF

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ALSA: aoa: i2sbus: fix OF node lifetime handling

Vasiliy Kovalev <kovalev@altlinux.org>
    ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()

Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
    net: qrtr: ns: Fix use-after-free in driver remove()

Chen Ni <nichen@iscas.ac.cn>
    media: i2c: imx219: Check return value of devm_gpiod_get_optional() in imx219_probe()

Josh Law <objecting@objecting.org>
    lib/ts_kmp: fix integer overflow in pattern length calculation

Rong Zhang <i@rong.moe>
    Revert "ALSA: usb: Increase volume range that triggers a warning"

Koichiro Den <den@valinux.co.jp>
    PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown

Fan Wu <fanwu01@zju.edu.cn>
    media: mtk-jpeg: fix use-after-free in release path due to uncancelled work

Luxiao Xu <rakukuip@gmail.com>
    net: strparser: fix skb_head leak in strp_abort_strp()

Zhengchuan Liang <zcliangcn@gmail.com>
    net: caif: clear client service pointer on teardown

Ziqing Chen <chenziqing@xiaomi.com>
    ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names()

Ming Qian <ming.qian@oss.nxp.com>
    media: amphion: Fix race between m2m job_abort and device_run

Wentao Liang <vulab@iscas.ac.cn>
    of: unittest: fix use-after-free in testdrv_probe()

Herbert Xu <herbert@gondor.apana.org.au>
    crypto: pcrypt - Fix handling of MAY_BACKLOG requests

Chao Yu <chao@kernel.org>
    f2fs: fix to detect potential corrupted nid in free_nid_list

Johan Hovold <johan@kernel.org>
    spi: imx: fix use-after-free on unbind

Michael Bommarito <michael.bommarito@gmail.com>
    um: drivers: call kernel_strrchr() explicitly in cow_user.c

Fedor Pchelkin <pchelkin@ispras.ru>
    wifi: rtw88: check for PCI upstream bridge existence

Sergey Senozhatsky <senozhatsky@chromium.org>
    zram: do not forget to endio for partial discard requests

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    LoongArch: Add spectre boundry for syscall dispatch table

Douglas Anderson <dianders@chromium.org>
    driver core: Don't let a device probe until it's ready

Heming Zhao <heming.zhao@suse.com>
    ocfs2: split transactions in dio completion to avoid credit exhaustion

Douglas Anderson <dianders@chromium.org>
    device property: Make modifications of fwnode "flags" thread safe

Douglas Anderson <dianders@chromium.org>
    regset: use kvzalloc() for regset_get_alloc()

Jesse.Zhang <Jesse.Zhang@amd.com>
    drm/amdgpu: Limit BO list entry count to prevent resource exhaustion

Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
    drm/amdgpu: Use vmemdup_array_user in amdgpu_bo_create_list_entry_array

Herbert Xu <herbert@gondor.apana.org.au>
    padata: Remove comment for reorder_work

Herbert Xu <herbert@gondor.apana.org.au>
    padata: Fix pd UAF once and for all

Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Bluetooth: MGMT: Fix possible UAFs

Thomas Zimmermann <tzimmermann@suse.de>
    firmware: google: framebuffer: Do not mark framebuffer as busy

Tyllis Xu <livelycarpet87@gmail.com>
    ibmasm: fix heap over-read in ibmasm_send_i2o_message()

Tyllis Xu <livelycarpet87@gmail.com>
    ibmasm: fix OOB reads in command_file_write due to missing size checks

Tyllis Xu <livelycarpet87@gmail.com>
    misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    leds: qcom-lpg: Check for array overflow when selecting the high resolution

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    drm/nouveau: fix u32 overflow in pushbuf reloc bounds check

Takashi Iwai <tiwai@suse.de>
    ALSA: usb-audio: Evaluate packsize caps at the right place

Xu Yang <xu.yang_2@nxp.com>
    usb: chipidea: core: allow ci_irq_handler() handle both ID and VBUS change

Xu Yang <xu.yang_2@nxp.com>
    usb: chipidea: otg: not wait vbus drop if use role_switch

Michal Pecio <michal.pecio@gmail.com>
    usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable()

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ALSA: usb-audio: Avoid false E-MU sample-rate notifications

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES


-------------

Diffstat:

 Makefile                                           |   4 +-
 arch/arm64/boot/dts/ti/k3-am62-verdin.dtsi         |  20 +-
 arch/arm64/crypto/aes-modes.S                      |   4 +-
 arch/arm64/kvm/arm.c                               |   5 +
 arch/arm64/kvm/hyp/nvhe/setup.c                    |   8 +-
 arch/arm64/kvm/vgic/vgic-mmio-v2.c                 |   2 +-
 arch/arm64/kvm/vgic/vgic-mmio-v3.c                 |   2 +-
 arch/arm64/mm/mmu.c                                |  36 ++-
 arch/loongarch/kernel/cpu-probe.c                  |   7 +
 arch/loongarch/kernel/syscall.c                    |   3 +-
 arch/loongarch/pci/acpi.c                          |   5 +
 arch/loongarch/pci/pci.c                           |   3 +
 arch/parisc/kernel/syscalls/syscall.tbl            |   2 +-
 arch/powerpc/kexec/Makefile                        |   2 +-
 arch/s390/kernel/debug.c                           |   5 +
 arch/um/drivers/cow_user.c                         |   8 +-
 arch/x86/kernel/shstk.c                            |  45 ++-
 arch/x86/kvm/hyperv.c                              |   2 +-
 arch/x86/kvm/mmu/mmu.c                             |  35 +--
 arch/x86/kvm/svm/nested.c                          |  56 +++-
 arch/x86/kvm/svm/svm.c                             |  17 ++
 arch/x86/kvm/svm/svm.h                             |   2 +
 arch/x86/kvm/x86.c                                 |  62 ++--
 block/bio-integrity.c                              |   2 +
 block/bio.c                                        |  14 +-
 block/blk.h                                        |  21 ++
 certs/extract-cert.c                               |   6 +-
 crypto/authencesn.c                                |   5 +
 crypto/pcrypt.c                                    |   7 +-
 drivers/acpi/cppc_acpi.c                           |   6 +-
 drivers/acpi/power.c                               |   2 +-
 drivers/acpi/scan.c                                |   2 +-
 drivers/acpi/video_detect.c                        |   8 +
 drivers/base/core.c                                |  39 ++-
 drivers/base/dd.c                                  |  20 ++
 drivers/block/rbd.c                                |   6 +-
 drivers/block/zram/zram_drv.c                      |   3 +-
 drivers/bluetooth/virtio_bt.c                      |  39 ++-
 drivers/bus/imx-weim.c                             |   2 +-
 drivers/char/ipmi/ipmi_si_intf.c                   |  70 ++++-
 drivers/char/ipmi/ipmi_ssif.c                      |  36 ++-
 drivers/char/tpm/tpm_tis_core.c                    |  11 +-
 drivers/clk/clk-rk808.c                            |   2 +-
 drivers/clk/imx/clk-imx8-acm.c                     |   3 +-
 drivers/clk/microchip/clk-mpfs-ccc.c               |   6 +-
 drivers/cpuidle/cpuidle-powernv.c                  |   5 +-
 drivers/cpuidle/cpuidle-pseries.c                  |   5 +-
 drivers/crypto/atmel-aes.c                         |   2 +-
 drivers/crypto/atmel-ecc.c                         |   1 +
 drivers/crypto/atmel-sha204a.c                     |   6 +-
 drivers/crypto/atmel-tdes.c                        |   8 +-
 drivers/crypto/caam/caamalg_qi2.c                  |   4 +-
 drivers/crypto/caam/caamhash.c                     |   4 +-
 drivers/crypto/ccree/cc_hash.c                     |   1 +
 drivers/crypto/hisilicon/sec/sec_algs.c            |   2 +-
 drivers/crypto/nx/nx-842.c                         |  47 +--
 drivers/crypto/nx/nx-842.h                         |  25 +-
 drivers/crypto/nx/nx-common-powernv.c              |  31 +-
 drivers/crypto/nx/nx-common-pseries.c              |  33 +-
 drivers/crypto/talitos.c                           | 340 +++++++++++++--------
 drivers/dma/idxd/device.c                          |   3 +-
 drivers/extcon/extcon-ptn5150.c                    |  14 +
 drivers/firmware/google/framebuffer-coreboot.c     |  12 +-
 drivers/gpio/gpiolib-of.c                          |   9 +-
 drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c   |   3 +-
 drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c        |  43 ++-
 drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c           |  13 +-
 drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h           |  11 +-
 drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c            |   3 +
 drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c            |   3 +
 drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c              |   3 -
 drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c             |   4 +-
 drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c              |  25 +-
 drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c              |  46 ++-
 drivers/gpu/drm/amd/amdkfd/kfd_chardev.c           |  29 +-
 drivers/gpu/drm/amd/amdkfd/kfd_priv.h              |   4 +
 drivers/gpu/drm/amd/amdkfd/kfd_topology.c          |  11 +
 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c  |   5 +
 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h  |   1 +
 .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c    |   7 +-
 .../gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c    |  13 +-
 drivers/gpu/drm/drm_gem_framebuffer_helper.c       |   4 +-
 drivers/gpu/drm/nouveau/nouveau_gem.c              |   2 +-
 drivers/gpu/drm/radeon/ci_dpm.c                    |   9 +-
 drivers/gpu/drm/tiny/arcpgu.c                      |   3 +-
 drivers/hid/hid-playstation.c                      |   6 +-
 drivers/hwmon/corsair-psu.c                        |   4 +-
 drivers/hwmon/ltc2992.c                            |  41 ++-
 drivers/i2c/i2c-core-of.c                          |   2 +-
 drivers/iio/adc/ad7768-1.c                         |   9 +-
 drivers/iio/adc/ti-ads7950.c                       |  11 +-
 drivers/infiniband/core/addr.c                     |   3 +
 drivers/infiniband/hw/hns/hns_roce_qp.c            |   7 +
 drivers/infiniband/hw/mana/qp.c                    |  15 +
 drivers/infiniband/hw/mlx4/srq.c                   |   4 +-
 drivers/infiniband/hw/mlx5/main.c                  |   1 +
 drivers/infiniband/hw/ocrdma/ocrdma_verbs.c        |   4 +-
 drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c    |   2 +-
 drivers/infiniband/sw/rxe/rxe_recv.c               |  14 +-
 drivers/infiniband/sw/rxe/rxe_resp.c               |  14 +-
 drivers/iommu/amd/amd_iommu_types.h                |   2 +-
 drivers/iommu/amd/init.c                           |   2 +-
 drivers/iommu/amd/iommu.c                          |  18 +-
 drivers/iommu/iommufd/io_pagetable.c               |  10 +
 drivers/leds/rgb/leds-qcom-lpg.c                   |   7 +-
 drivers/md/dm-ioctl.c                              |   6 +-
 drivers/md/dm-raid1.c                              |   6 +-
 drivers/md/dm-verity-fec.c                         |   8 +-
 drivers/md/persistent-data/dm-btree-remove.c       |   8 +
 drivers/md/raid10.c                                |   6 +-
 drivers/md/raid5-cache.c                           |  48 ++-
 drivers/md/raid5.c                                 |   8 +-
 drivers/media/common/videobuf2/videobuf2-dma-sg.c  |   1 +
 drivers/media/dvb-frontends/dib8000.c              |   4 +-
 drivers/media/i2c/imx219.c                         |   3 +
 drivers/media/i2c/imx412.c                         |   2 +-
 drivers/media/i2c/ov08d10.c                        |  10 +-
 drivers/media/i2c/ov8856.c                         |  10 +-
 drivers/media/pci/saa7164/saa7164-core.c           |  47 ++-
 drivers/media/pci/zoran/zoran_card.c               |   2 +-
 drivers/media/platform/amphion/vpu_v4l2.c          |   9 +-
 .../media/platform/mediatek/jpeg/mtk_jpeg_core.c   |   1 +
 drivers/media/platform/ti/omap3isp/ispvideo.c      |   1 +
 drivers/media/rc/igorplugusb.c                     |  16 +-
 drivers/media/rc/streamzap.c                       |  12 +-
 drivers/media/rc/ttusbir.c                         |  13 +-
 drivers/media/rc/xbox_remote.c                     |   9 +-
 drivers/media/usb/uvc/uvc_queue.c                  |   3 +-
 drivers/mfd/stpmic1.c                              |  20 +-
 drivers/misc/ibmasm/ibmasmfs.c                     |   7 +
 drivers/misc/ibmasm/lowlevel.c                     |  12 +-
 drivers/misc/ibmasm/remote.c                       |   5 +
 drivers/mmc/core/block.c                           |  12 +-
 drivers/mmc/core/card.h                            |   5 +
 drivers/mmc/core/queue.c                           |   8 +-
 drivers/mmc/core/queue.h                           |   3 +
 drivers/mmc/core/quirks.h                          |   9 +
 drivers/mmc/host/sdhci-of-dwcmshc.c                |  19 +-
 drivers/mtd/devices/docg3.c                        |   8 +-
 drivers/mtd/spi-nor/debugfs.c                      |   4 +-
 drivers/mtd/spi-nor/sst.c                          |  50 +--
 drivers/net/bonding/bond_main.c                    |   6 +-
 drivers/net/can/usb/ucan.c                         |   2 +-
 drivers/net/ethernet/ibm/ibmveth.c                 |  22 ++
 drivers/net/ethernet/ibm/ibmveth.h                 |   1 +
 drivers/net/ethernet/micrel/ks8851.h               |   6 +-
 drivers/net/ethernet/micrel/ks8851_common.c        |  69 ++---
 drivers/net/ethernet/micrel/ks8851_par.c           |  15 +-
 drivers/net/ethernet/micrel/ks8851_spi.c           |  11 +-
 drivers/net/ethernet/microsoft/mana/mana_en.c      |  11 +-
 drivers/net/ethernet/stmicro/stmmac/chain_mode.c   |   2 +-
 drivers/net/ethernet/stmicro/stmmac/common.h       |   2 +-
 drivers/net/ethernet/stmicro/stmmac/ring_mode.c    |   2 +-
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c  |  47 +--
 drivers/net/ethernet/wangxun/libwx/wx_hw.c         |   7 +-
 drivers/net/ethernet/wangxun/txgbe/txgbe_main.c    |   3 +-
 drivers/net/ethernet/wangxun/txgbe/txgbe_phy.c     |   2 +
 drivers/net/phy/mdio_bus.c                         |   4 +-
 drivers/net/wireless/ath/ath5k/base.c              |   3 +-
 drivers/net/wireless/broadcom/b43/xmit.c           |   3 +-
 drivers/net/wireless/broadcom/b43legacy/xmit.c     |   3 +-
 .../wireless/broadcom/brcm80211/brcmfmac/sdio.c    |   6 +-
 drivers/net/wireless/marvell/mwifiex/init.c        |   2 +-
 drivers/net/wireless/mediatek/mt76/mt76_connac.h   |   6 +
 .../net/wireless/mediatek/mt76/mt76_connac_mac.c   |   4 +-
 .../net/wireless/mediatek/mt76/mt76_connac_mcu.c   |   3 +-
 .../net/wireless/mediatek/mt76/mt76_connac_mcu.h   |   2 +-
 drivers/net/wireless/mediatek/mt76/mt7921/main.c   |   7 +-
 drivers/net/wireless/mediatek/mt76/mt7921/mcu.c    |   3 +
 drivers/net/wireless/mediatek/mt76/mt792x_regs.h   |   4 +
 drivers/net/wireless/mediatek/mt76/mt792x_usb.c    |  51 +++-
 .../net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c  |  28 +-
 drivers/net/wireless/realtek/rtw88/pci.c           |   3 +-
 drivers/net/wireless/rsi/rsi_common.h              |   5 +-
 drivers/net/wwan/t7xx/t7xx_modem_ops.c             |  20 +-
 drivers/net/wwan/t7xx/t7xx_port_ctrl_msg.c         |  18 +-
 drivers/net/wwan/t7xx/t7xx_port_proxy.h            |   2 +-
 drivers/nvme/host/apple.c                          |   6 +-
 drivers/nvme/host/core.c                           |   2 +-
 drivers/nvme/host/pci.c                            |   2 +
 drivers/nvme/target/core.c                         |   2 +-
 drivers/of/base.c                                  |   2 +-
 drivers/of/dynamic.c                               |   2 +-
 drivers/of/platform.c                              |   2 +-
 drivers/of/unittest.c                              |   1 -
 drivers/parisc/lasi.c                              |  12 +-
 drivers/pci/endpoint/functions/pci-epf-mhi.c       |   4 +
 drivers/pci/endpoint/functions/pci-epf-ntb.c       |  56 +---
 drivers/pci/pci.c                                  |   7 +-
 drivers/pci/pcie/aer.c                             |   2 -
 drivers/platform/x86/hp/hp-wmi.c                   |   5 +
 drivers/power/supply/axp288_charger.c              |  19 +-
 drivers/power/supply/max17042_battery.c            |   2 +-
 drivers/pwm/pwm-imx-tpm.c                          |   8 +
 drivers/regulator/act8945a-regulator.c             |   3 +-
 drivers/regulator/bd9571mwv-regulator.c            |   3 +-
 drivers/regulator/max77650-regulator.c             |   2 +-
 drivers/regulator/mt6357-regulator.c               |   2 +-
 drivers/regulator/rk808-regulator.c                |   3 +-
 drivers/remoteproc/xlnx_r5_remoteproc.c            |  20 +-
 drivers/rtc/rtc-ntxec.c                            |   2 +-
 drivers/scsi/sd.c                                  |   1 +
 drivers/spi/spi-at91-usart.c                       |   8 +-
 drivers/spi/spi-atmel.c                            |   8 +-
 drivers/spi/spi-bcm63xx.c                          |   8 +-
 drivers/spi/spi-bcmbca-hsspi.c                     |   4 +-
 drivers/spi/spi-cadence.c                          |  15 +-
 drivers/spi/spi-coldfire-qspi.c                    |  10 +-
 drivers/spi/spi-dln2.c                             |   8 +-
 drivers/spi/spi-fsl-espi.c                         |  10 +-
 drivers/spi/spi-fsl-spi.c                          |  14 +-
 drivers/spi/spi-img-spfi.c                         |   8 +-
 drivers/spi/spi-imx.c                              |   5 +
 drivers/spi/spi-lantiq-ssc.c                       |   8 +-
 drivers/spi/spi-meson-spicc.c                      |   2 -
 drivers/spi/spi-microchip-core-qspi.c              |  41 +--
 drivers/spi/spi-mpc52xx.c                          |   3 +-
 drivers/spi/spi-mtk-nor.c                          |   4 +-
 drivers/spi/spi-omap2-mcspi.c                      |   8 +-
 drivers/spi/spi-orion.c                            |   9 +
 drivers/spi/spi-qup.c                              |   8 +-
 drivers/spi/spi-rockchip.c                         |   4 +-
 drivers/spi/spi-rspi.c                             |  10 +-
 drivers/spi/spi-s3c64xx.c                          |   9 +-
 drivers/spi/spi-sh-hspi.c                          |  10 +-
 drivers/spi/spi-sprd.c                             |   8 +-
 drivers/spi/spi-sun4i.c                            |  80 ++---
 drivers/spi/spi-sun6i.c                            | 154 +++++-----
 drivers/spi/spi-synquacer.c                        |  88 +++---
 drivers/spi/spi-tegra114.c                         |   8 +-
 drivers/spi/spi-tegra20-sflash.c                   |   8 +-
 drivers/spi/spi-ti-qspi.c                          |  97 +++---
 drivers/spi/spi-topcliff-pch.c                     |   6 +-
 drivers/spi/spi-uniphier.c                         | 212 +++++++------
 drivers/spi/spi-zynq-qspi.c                        |  79 ++---
 drivers/spi/spi-zynqmp-gqspi.c                     |   4 +-
 drivers/spi/spi.c                                  |  63 ++--
 drivers/staging/media/atomisp/pci/atomisp_ioctl.c  |   4 +
 drivers/staging/media/imx/imx-media-csi.c          |  40 ++-
 drivers/staging/vme_user/vme_fake.c                |   2 +
 drivers/target/target_core_configfs.c              |   2 +-
 drivers/thermal/sprd_thermal.c                     |   4 +-
 drivers/thermal/thermal_core.c                     |   7 +-
 drivers/usb/chipidea/core.c                        |  45 +--
 drivers/usb/chipidea/otg.c                         |   7 +-
 drivers/usb/class/usblp.c                          |   3 +-
 drivers/usb/common/ulpi.c                          |   5 +-
 drivers/usb/dwc3/core.c                            |  12 +-
 drivers/usb/gadget/udc/omap_udc.c                  |   4 -
 drivers/usb/host/xhci.c                            |   1 -
 drivers/usb/serial/option.c                        |   4 +
 drivers/usb/typec/tcpm/tcpm.c                      |   2 +
 drivers/video/fbdev/core/fb_defio.c                | 179 ++++++++---
 drivers/video/fbdev/core/fbcon_rotate.c            |   5 +-
 drivers/video/fbdev/udlfb.c                        |  31 +-
 fs/binfmt_elf.c                                    |   2 +-
 fs/btrfs/ioctl.c                                   |   5 +-
 fs/btrfs/space-info.c                              |   2 +-
 fs/ceph/dir.c                                      |   6 +-
 fs/erofs/decompressor.c                            |   1 +
 fs/erofs/dir.c                                     |  28 +-
 fs/ext2/inode.c                                    |  14 +-
 fs/ext4/extents.c                                  |  15 +
 fs/ext4/xattr.c                                    |   6 +-
 fs/f2fs/data.c                                     |  32 +-
 fs/f2fs/extent_cache.c                             |  17 +-
 fs/f2fs/f2fs.h                                     |   2 +-
 fs/f2fs/inode.c                                    |   2 +-
 fs/f2fs/node.c                                     |  17 +-
 fs/f2fs/segment.c                                  |   6 +-
 fs/f2fs/super.c                                    |  11 +-
 fs/hfsplus/bfind.c                                 |  51 ++++
 fs/hfsplus/catalog.c                               |   4 +-
 fs/hfsplus/dir.c                                   |   2 +-
 fs/hfsplus/hfsplus_fs.h                            |   9 +
 fs/hfsplus/super.c                                 |   6 +-
 fs/isofs/export.c                                  |   2 +-
 fs/isofs/rock.c                                    |   9 +
 fs/notify/fsnotify.c                               |   2 +-
 fs/notify/inotify/inotify_user.c                   |   1 +
 fs/notify/mark.c                                   |  18 +-
 fs/ntfs3/run.c                                     |  18 +-
 fs/ocfs2/aops.c                                    |  74 +++--
 fs/smb/client/cached_dir.c                         |   8 +
 fs/smb/client/cifsacl.c                            | 177 ++++++++---
 fs/smb/client/cifsacl.h                            |  91 +-----
 fs/smb/client/smb2inode.c                          |  12 +-
 fs/smb/client/smb2misc.c                           |   3 +-
 fs/smb/client/smb2ops.c                            |  11 +
 fs/smb/common/smbacl.h                             | 122 ++++++++
 fs/smb/server/connection.c                         |  28 +-
 fs/smb/server/connection.h                         |   6 +-
 fs/smb/server/smb2pdu.c                            |   4 +-
 fs/smb/server/smbacl.c                             |  48 +--
 fs/smb/server/smbacl.h                             | 113 +------
 fs/smb/server/transport_rdma.c                     |   5 +
 fs/smb/server/transport_tcp.c                      |  25 +-
 fs/smb/server/vfs_cache.c                          |  40 ++-
 fs/tracefs/event_inode.c                           |  14 +
 fs/tracefs/inode.c                                 |   5 +-
 fs/tracefs/internal.h                              |   3 +
 fs/udf/misc.c                                      |   8 +-
 fs/udf/super.c                                     |   4 +-
 fs/userfaultfd.c                                   |   2 -
 fs/xfs/xfs_buf.c                                   |   1 +
 include/linux/bpf_verifier.h                       |  31 +-
 include/linux/damon.h                              |   2 +
 include/linux/device.h                             |  45 +++
 include/linux/f2fs_fs.h                            |   1 +
 include/linux/fb.h                                 |   4 +-
 include/linux/fsnotify_backend.h                   |   1 +
 include/linux/fwnode.h                             |  44 ++-
 include/linux/mmap_lock.h                          |   6 +-
 include/linux/mmc/card.h                           |   1 +
 include/linux/padata.h                             |   4 -
 include/linux/printk.h                             |  13 +
 include/linux/randomize_kstack.h                   |  26 +-
 include/linux/sched.h                              |   4 +
 include/linux/tpm_eventlog.h                       |   9 +-
 include/linux/usb.h                                |   3 +-
 include/net/mana/mana.h                            |   1 +
 include/net/mctp.h                                 |   3 +
 include/trace/events/rxrpc.h                       |   6 +-
 include/video/udlfb.h                              |   1 +
 init/main.c                                        |   1 -
 io_uring/poll.c                                    |  14 +-
 io_uring/timeout.c                                 |   4 +
 kernel/bpf/verifier.c                              | 236 +++++++++-----
 kernel/exit.c                                      |   3 +-
 kernel/fork.c                                      |   2 +
 kernel/locking/rtmutex.c                           |  13 +-
 kernel/padata.c                                    | 136 +++------
 kernel/regset.c                                    |   6 +-
 kernel/sched/core.c                                |   2 +-
 kernel/sched/rt.c                                  |   2 +-
 kernel/sched/sched.h                               |   2 +-
 kernel/taskstats.c                                 |   1 +
 kernel/trace/trace_probe.c                         |   6 +
 kernel/trace/trace_probe.h                         |   4 +-
 kernel/tracepoint.c                                |   2 +
 lib/crypto/mpi/mpicoder.c                          |   2 +-
 lib/scatterlist.c                                  |   8 +-
 lib/test_hmm.c                                     |  86 +++---
 lib/ts_kmp.c                                       |  18 +-
 mm/damon/core.c                                    |  37 ++-
 mm/damon/lru_sort.c                                |  88 ++++--
 mm/damon/reclaim.c                                 |  88 ++++--
 mm/damon/sysfs-schemes.c                           |  12 +-
 mm/hugetlb.c                                       |   1 +
 net/batman-adv/bat_iv_ogm.c                        |  85 ++++--
 net/batman-adv/bridge_loop_avoidance.c             |  11 +-
 net/batman-adv/main.c                              |   1 +
 net/batman-adv/tp_meter.c                          | 116 +++++--
 net/batman-adv/tp_meter.h                          |   1 +
 net/batman-adv/types.h                             |   4 +
 net/bluetooth/hci_conn.c                           |  19 +-
 net/bluetooth/hci_event.c                          |  47 ++-
 net/bluetooth/l2cap_sock.c                         |   9 +
 net/bluetooth/mgmt.c                               | 262 +++++++++++-----
 net/bluetooth/mgmt_util.c                          |  46 +++
 net/bluetooth/mgmt_util.h                          |   3 +
 net/bridge/br_arp_nd_proxy.c                       |   8 +-
 net/bridge/br_fdb.c                                |  28 +-
 net/caif/cfsrvl.c                                  |  14 +-
 net/ceph/auth.c                                    |   4 +-
 net/ceph/mon_client.c                              |   2 +
 net/core/flow_dissector.c                          |  13 +-
 net/core/rtnetlink.c                               |   1 +
 net/ipv4/ah4.c                                     |  29 +-
 net/ipv4/icmp.c                                    |   8 +-
 net/ipv4/inet_connection_sock.c                    |   3 +
 net/ipv6/ah6.c                                     |  27 +-
 net/ipv6/exthdrs.c                                 |   9 +-
 net/ipv6/ip6_gre.c                                 |   5 +-
 net/ipv6/rpl_iptunnel.c                            |   9 +
 net/ipv6/seg6_iptunnel.c                           |  12 +-
 net/ipv6/xfrm6_protocol.c                          |   4 +-
 net/mac80211/mlme.c                                |   9 +-
 net/mac80211/rx.c                                  |   2 +-
 net/mctp/route.c                                   |   8 +-
 net/mptcp/protocol.c                               |   3 +-
 net/mptcp/sockopt.c                                |  12 +-
 net/mptcp/subflow.c                                |   4 +-
 net/netfilter/nft_bitwise.c                        |   3 +-
 net/openvswitch/vport-netdev.c                     |   6 +-
 net/qrtr/ns.c                                      |  86 +++++-
 net/rds/message.c                                  |  20 +-
 net/rds/rdma.c                                     |   4 -
 net/rxrpc/ar-internal.h                            |   1 -
 net/rxrpc/call_event.c                             |  27 +-
 net/rxrpc/conn_event.c                             |  44 ++-
 net/rxrpc/io_thread.c                              |  24 +-
 net/rxrpc/rxkad.c                                  | 112 +++----
 net/rxrpc/skbuff.c                                 |   9 -
 net/sched/sch_red.c                                |   2 +-
 net/sctp/socket.c                                  |   9 +
 net/smc/smc_clc.c                                  |   4 +-
 net/strparser/strparser.c                          |   8 +
 net/unix/af_unix.c                                 |   3 +
 net/vmw_vsock/af_vsock.c                           |   6 +-
 net/vmw_vsock/hyperv_transport.c                   |   4 +-
 net/vmw_vsock/virtio_transport_common.c            |  15 +-
 net/xfrm/xfrm_state.c                              |  12 +-
 net/xfrm/xfrm_user.c                               |   1 +
 security/selinux/hooks.c                           |   3 +-
 security/selinux/selinuxfs.c                       |  54 +---
 sound/aoa/codecs/onyx.c                            | 104 ++-----
 sound/aoa/codecs/tas.c                             | 113 +++----
 sound/aoa/core/gpio-feature.c                      |  20 +-
 sound/aoa/core/gpio-pmf.c                          |  26 +-
 sound/aoa/soundbus/i2sbus/core.c                   |  12 +-
 sound/aoa/soundbus/i2sbus/pcm.c                    | 143 ++++-----
 sound/core/control.c                               |   4 +
 sound/core/misc.c                                  |  44 +--
 sound/core/seq/oss/seq_oss_rw.c                    |   6 +-
 sound/core/seq/seq_clientmgr.c                     |   9 +-
 sound/core/seq/seq_clientmgr.h                     |   5 +-
 sound/core/seq/seq_ump_client.c                    |   4 +-
 sound/drivers/pcmtest.c                            |  19 +-
 sound/firewire/tascam/tascam-hwdep.c               |   1 +
 sound/pci/ctxfi/ctatc.c                            |   3 +-
 sound/pci/hda/cs35l56_hda.c                        |  19 +-
 sound/soc/amd/yc/acp6x-mach.c                      |  14 +
 sound/soc/fsl/fsl_easrc.c                          |   2 +-
 sound/soc/intel/boards/bytcr_wm5102.c              |   1 +
 sound/soc/qcom/qdsp6/q6apm-dai.c                   |   1 +
 sound/soc/qcom/qdsp6/q6apm-lpass-dais.c            |   2 +-
 sound/soc/qcom/qdsp6/q6apm.c                       |   3 +
 sound/soc/sof/compress.c                           |   3 +
 sound/usb/6fire/control.c                          |  10 +-
 sound/usb/caiaq/control.c                          |  52 +++-
 sound/usb/caiaq/device.c                           |  35 ++-
 sound/usb/caiaq/input.c                            |   2 +-
 sound/usb/endpoint.c                               |   6 +-
 sound/usb/format.c                                 |   2 +-
 sound/usb/midi2.c                                  |   9 +-
 sound/usb/misc/ua101.c                             |   7 +
 sound/usb/mixer.c                                  |   7 +-
 sound/usb/mixer_quirks.c                           |  12 +-
 sound/usb/stream.c                                 |   4 +-
 tools/accounting/getdelays.c                       |  41 ++-
 tools/accounting/procacct.c                        |  40 ++-
 tools/testing/ktest/ktest.pl                       |   2 +-
 .../selftests/bpf/progs/verifier_spill_fill.c      | 281 +++++++++++++++++
 .../bpf/progs/verifier_subprog_precision.c         |  87 +++++-
 tools/testing/selftests/bpf/verifier/precise.c     |  38 ++-
 .../testing/selftests/mqueue/{setting => settings} |   0
 447 files changed, 5555 insertions(+), 2927 deletions(-)



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 001/474] ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
@ 2026-05-15 15:41 ` Greg Kroah-Hartman
  2026-05-15 15:41 ` [PATCH 6.6 002/474] ALSA: usb-audio: Avoid false E-MU sample-rate notifications Greg Kroah-Hartman
                   ` (473 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:41 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+d56178c27a4710960820,
	Cássio Gabriel, Takashi Iwai

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

commit 3c318f97dcc50b2e0556a1813bd6958678e881fd upstream.

parse_uac2_sample_rate_range() caps the number of enumerated
rates at MAX_NR_RATES, but it only breaks out of the current
rate loop. A malformed UAC2 RANGE response with additional
triplets continues parsing the remaining triplets and repeatedly
prints "invalid uac2 rates" while probe still holds
register_mutex.

Stop the whole parse once the cap is reached and return the
number of rates collected so far.

Fixes: 4fa0e81b8350 ("ALSA: usb-audio: fix possible hang and overflow in parse_uac2_sample_rate_range()")
Cc: stable@vger.kernel.org
Reported-by: syzbot+d56178c27a4710960820@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d56178c27a4710960820
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260415-usb-audio-uac2-rate-cap-v1-1-5ecbafc120d8@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/usb/format.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/usb/format.c
+++ b/sound/usb/format.c
@@ -461,7 +461,7 @@ static int parse_uac2_sample_rate_range(
 			nr_rates++;
 			if (nr_rates >= MAX_NR_RATES) {
 				usb_audio_err(chip, "invalid uac2 rates\n");
-				break;
+				return nr_rates;
 			}
 
 skip_rate:
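Review bot: with `return nr_rates` at the cap, the caller now receives exactly MAX_NR_RATES as a success value right after an error-level log; confirm nothing after the triplet loop (outside this hunk) is needed for the partial set, for example rate_min/rate_max fixups, and consider usb_audio_warn() or usb_audio_dbg() for the message, since any USB device can supply a RANGE response that trips it. Worth a short comment at the return: the old `break` let nr_rates grow by one per remaining triplet, so MAX_NR_RATES was never a hard bound on the returned count; the early return is what enforces it.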




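As an added illustration of the behaviour described in the commit message above (example code written for this review, not from the patch or from sound/usb/format.c): a simplified userspace model of a UAC2 RANGE parse run over a constructed, hostile response. The triplet layout (wNumSubRanges followed by dMIN/dMAX/dRES, all little-endian) follows the UAC2 RANGE format; the demo cap DEMO_MAX_NR_RATES of 8, treating dRES == 0 as a single rate, and the counter of "error lines" are simplifications chosen for the demo and are not the kernel's exact semantics. The point it makes is the one in the commit message: with `break`, a hostile device gets one error line per remaining triplet and the count runs past the cap; with `return`, one line and a hard bound.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Demo cap; the kernel's MAX_NR_RATES is larger. 8 keeps the sample buffer small. */
#define DEMO_MAX_NR_RATES 8

struct parse_result {
	unsigned int nr_rates;     /* value the parser returns */
	unsigned int err_messages; /* how many "invalid uac2 rates" lines would be logged */
	unsigned int rates[DEMO_MAX_NR_RATES];
};

static uint32_t le16(const uint8_t *p) { return p[0] | (p[1] << 8); }
static uint32_t le32(const uint8_t *p)
{
	return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Simplified model of a UAC2 RANGE(SAM_FREQ_CONTROL) parse: wNumSubRanges, then
 * (dMIN, dMAX, dRES) triplets. stop_whole_parse=1 models the fixed behaviour
 * (return at the cap); 0 models the old behaviour (break out of the inner loop only).
 */
static struct parse_result parse_rates(const uint8_t *data, size_t len, int stop_whole_parse)
{
	struct parse_result r;
	memset(&r, 0, sizeof(r));
	if (len < 2)
		return r;

	uint32_t nr_triplets = le16(data);
	for (uint32_t i = 0; i < nr_triplets; i++) {
		size_t off = 2 + 12 * (size_t)i;
		if (off + 12 > len)
			break; /* truncated response: stop at what is actually present */
		uint32_t min = le32(data + off), max = le32(data + off + 4), res = le32(data + off + 8);
		if (max < min)
			continue;
		/* 64-bit loop variable so max near UINT32_MAX cannot wrap the counter */
		for (uint64_t rate = min; rate <= max; rate += res) {
			if (r.nr_rates < DEMO_MAX_NR_RATES) /* bounds-checked write */
				r.rates[r.nr_rates] = (unsigned int)rate;
			r.nr_rates++;
			if (r.nr_rates >= DEMO_MAX_NR_RATES) {
				r.err_messages++; /* stands in for usb_audio_err() */
				if (stop_whole_parse)
					return r;
				break; /* old behaviour: only the inner loop ends */
			}
			if (res == 0)
				break; /* demo simplification: dRES == 0 means a single rate */
		}
	}
	return r;
}

static size_t put_le32(uint8_t *p, uint32_t v)
{
	p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
	return 4;
}

/* Constructed hostile response: 3 triplets, each enumerating 8 rates (8000..15000 step 1000). */
static size_t build_hostile_response(uint8_t *buf, size_t cap)
{
	const unsigned int triplets = 3;
	size_t n = 0;
	if (cap < 2 + 12 * triplets)
		return 0;
	buf[n++] = triplets & 0xff;
	buf[n++] = 0;
	for (unsigned int i = 0; i < triplets; i++) {
		n += put_le32(buf + n, 8000);
		n += put_le32(buf + n, 15000);
		n += put_le32(buf + n, 1000);
	}
	return n;
}

struct parse_result demo_hostile(int stop_whole_parse)
{
	uint8_t buf[64];
	size_t len = build_hostile_response(buf, sizeof(buf));
	return parse_rates(buf, len, stop_whole_parse);
}

/* Constructed benign response: one triplet, 44100 and 48000 Hz. */
struct parse_result demo_benign(void)
{
	uint8_t buf[16];
	buf[0] = 1; buf[1] = 0;
	put_le32(buf + 2, 44100);
	put_le32(buf + 6, 48000);
	put_le32(buf + 10, 3900);
	return parse_rates(buf, 14, 1);
}

int main(void)
{
	struct parse_result old = demo_hostile(0), fixed = demo_hostile(1);
	printf("break:  %u rates, %u error lines\n", old.nr_rates, old.err_messages);
	printf("return: %u rates, %u error lines\n", fixed.nr_rates, fixed.err_messages);
	return 0;
}
```

The hostile buffer is the interesting input: every triplet on its own reaches the cap, so the old variant reports 10 rates and logs three times, while the fixed variant reports 8 and logs once. Any descriptor-driven loop that is bounded by a counter needs the bound to end the whole parse, not just the innermost loop, or the bound is advisory.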
* [PATCH 6.6 002/474] ALSA: usb-audio: Avoid false E-MU sample-rate notifications
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
  2026-05-15 15:41 ` [PATCH 6.6 001/474] ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES Greg Kroah-Hartman
@ 2026-05-15 15:41 ` Greg Kroah-Hartman
  2026-05-15 15:41 ` [PATCH 6.6 003/474] ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch Greg Kroah-Hartman
                   ` (472 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:41 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

commit fca9c850042a7ab4828ce3a9caa8bc40ea09856a upstream.

snd_emuusb_set_samplerate() unconditionally notifies the E-MU
SampleRate Extension Unit control after issuing SET_CUR.

If snd_usb_mixer_set_ctl_value() fails, the control value has not
changed, yet snd_usb_mixer_notify_id() still invalidates the cache and
emits a value-change event to userspace.

Notify the control only after a successful write.

Fixes: 7d2b451e65d2 ("ALSA: usb-audio - Added functionality for E-mu 0404USB/0202USB/TrackerPre")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260421-alsa-emuusb-samplerate-notify-v1-1-8b63bbc1d7f1@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/usb/mixer_quirks.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/sound/usb/mixer_quirks.c
+++ b/sound/usb/mixer_quirks.c
@@ -1561,15 +1561,17 @@ void snd_emuusb_set_samplerate(struct sn
 {
 	struct usb_mixer_interface *mixer;
 	struct usb_mixer_elem_info *cval;
+	int err;
 	int unitid = 12; /* SampleRate ExtensionUnit ID */
 
 	list_for_each_entry(mixer, &chip->mixer_list, list) {
 		if (mixer->id_elems[unitid]) {
 			cval = mixer_elem_list_to_info(mixer->id_elems[unitid]);
-			snd_usb_mixer_set_ctl_value(cval, UAC_SET_CUR,
-						    cval->control << 8,
-						    samplerate_id);
-			snd_usb_mixer_notify_id(mixer, unitid);
+			err = snd_usb_mixer_set_ctl_value(cval, UAC_SET_CUR,
+							  cval->control << 8,
+							  samplerate_id);
+			if (!err)
+				snd_usb_mixer_notify_id(mixer, unitid);
 			break;
 		}
 	}
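Review bot: the failure of snd_usb_mixer_set_ctl_value() is swallowed silently by the new `if (!err)` branch; since snd_emuusb_set_samplerate() returns void, add an else with a usb_audio_dbg() (or dev_dbg()) so a device left on its old rate after a failed SET_CUR is diagnosable, or propagate the error to the caller. Minor: declaring `int err;` ahead of `int unitid = 12;` splits the two ints; put the uninitialised `err` last.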




* [PATCH 6.6 003/474] ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
  2026-05-15 15:41 ` [PATCH 6.6 001/474] ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES Greg Kroah-Hartman
  2026-05-15 15:41 ` [PATCH 6.6 002/474] ALSA: usb-audio: Avoid false E-MU sample-rate notifications Greg Kroah-Hartman
@ 2026-05-15 15:41 ` Greg Kroah-Hartman
  2026-05-15 15:41 ` [PATCH 6.6 004/474] usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable() Greg Kroah-Hartman
                   ` (471 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:41 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

commit a9224f26b754b5034719248891ff3c2ea0d11144 upstream.

snd_microii_spdif_switch_put() returns 0 when the requested
vendor register value differs from the cached one.

This comparison was inverted by the resume-support conversion,
so real SPDIF switch toggles are ignored while no-op writes still
issue SET_CUR and report success.

Return early only when the requested value matches the cached one.

Fixes: 288673beae6c ("ALSA: usb-audio: Add resume support for MicroII SPDIF ctls")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260421-microii-spdif-switch-fix-v1-1-5c50dc28b88f@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/usb/mixer_quirks.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/usb/mixer_quirks.c
+++ b/sound/usb/mixer_quirks.c
@@ -2066,7 +2066,7 @@ static int snd_microii_spdif_switch_put(
 	int err;
 
 	reg = ucontrol->value.integer.value[0] ? 0x28 : 0x2a;
-	if (reg != list->kctl->private_value)
+	if (reg == list->kctl->private_value)
 		return 0;
 
 	kcontrol->private_value = reg;
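Review bot: the corrected comparison reads `list->kctl->private_value` while the assignment two lines below writes `kcontrol->private_value`; if `list->kctl` is always the same object as `kcontrol`, use `kcontrol->private_value` in both places so the cache check and the cache update visibly refer to the same field, otherwise a genuine toggle could still be missed. Also, the cache is updated before the SET_CUR the commit message describes is issued, so a failed write leaves `private_value` claiming the new state; updating it only after a successful write would match the intent.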




* [PATCH 6.6 004/474] usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable()
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2026-05-15 15:41 ` [PATCH 6.6 003/474] ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch Greg Kroah-Hartman
@ 2026-05-15 15:41 ` Greg Kroah-Hartman
  2026-05-15 15:41 ` [PATCH 6.6 005/474] usb: chipidea: otg: not wait vbus drop if use role_switch Greg Kroah-Hartman
                   ` (470 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:41 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michal Pecio, Mathias Nyman

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michal Pecio <michal.pecio@gmail.com>

commit 25e531b422dc2ac90cdae3b6e74b5cdeb081440d upstream.

xHCI hardware maintains its endpoint state between add_endpoint()
and drop_endpoint() calls followed by successful check_bandwidth().
So does the driver.

Core may call endpoint_disable() during xHCI endpoint life, so don't
clear host_ep->hcpriv then, because this breaks endpoint_reset().

If a driver calls usb_set_interface(), submits URBs which make host
sequence state non-zero and calls usb_clear_halt(), the device clears
its sequence state but xhci_endpoint_reset() bails out. The next URB
malfunctions: USB2 loses one packet, USB3 gets Transaction Error or
may not complete at all on some (buggy?) HCs from ASMedia and AMD.
This is triggered by uvcvideo on bulk video devices.

The code was copied from ehci_endpoint_disable() but it isn't needed
here - hcpriv should only be NULL on emulated root hub endpoints.
It might prevent resetting and inadvertently enabling a disabled and
dropped endpoint, but core shouldn't try to reset dropped endpoints.

Document xhci requirements regarding hcpriv. They are currently met.

Fixes: 18b74067ac78 ("xhci: Fix use-after-free regression in xhci clear hub TT implementation")
Cc: stable@vger.kernel.org
Signed-off-by: Michal Pecio <michal.pecio@gmail.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://patch.msgid.link/20260402131342.2628648-26-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/host/xhci.c |    1 -
 include/linux/usb.h     |    3 ++-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -3102,7 +3102,6 @@ rescan:
 		xhci_dbg(xhci, "endpoint disable with ep_state 0x%x\n",
 			 ep->ep_state);
 done:
-	host_ep->hcpriv = NULL;
 	spin_unlock_irqrestore(&xhci->lock, flags);
 }
 
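Review bot: with `host_ep->hcpriv = NULL` gone from the `done:` path, nothing in this hunk invalidates hcpriv at all; the commit message says it should only be NULL on root-hub endpoints, so add a one-line comment at `done:` saying the pointer is intentionally kept across endpoint_disable() and is owned by the add_endpoint()/drop_endpoint() plus check_bandwidth() sequence, so the next reader does not re-add the clear that was just removed. The `done:` label now guards only the unlock, which is fine.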
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -53,7 +53,8 @@ struct ep_device;
  * @ssp_isoc_ep_comp: SuperSpeedPlus isoc companion descriptor for this endpoint
  * @urb_list: urbs queued to this endpoint; maintained by usbcore
  * @hcpriv: for use by HCD; typically holds hardware dma queue head (QH)
- *	with one or more transfer descriptors (TDs) per urb
+ *	with one or more transfer descriptors (TDs) per urb; must be preserved
+ *	by core while BW is allocated for the endpoint
  * @ep_dev: ep_device for sysfs info
  * @extra: descriptors following this endpoint in the configuration
  * @extralen: how many bytes of "extra" are valid
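Review bot: the new comment says hcpriv "must be preserved by core while BW is allocated"; spell out "bandwidth" and state the window in API terms, i.e. from add_endpoint() plus a successful check_bandwidth() until drop_endpoint() plus check_bandwidth(), as the commit message does, since a reader of usb.h cannot tell what "BW is allocated" means for a given HCD.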




* [PATCH 6.6 005/474] usb: chipidea: otg: not wait vbus drop if use role_switch
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2026-05-15 15:41 ` [PATCH 6.6 004/474] usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable() Greg Kroah-Hartman
@ 2026-05-15 15:41 ` Greg Kroah-Hartman
  2026-05-15 15:41 ` [PATCH 6.6 006/474] usb: chipidea: core: allow ci_irq_handler() handle both ID and VBUS change Greg Kroah-Hartman
                   ` (469 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:41 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Peter Chen, Jun Li, Xu Yang

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xu Yang <xu.yang_2@nxp.com>

commit a4e99587102a83ee911c670752fbca694c7e557f upstream.

The usb role switch will update ID and VBUS states at the same time, and
vbus will not drop when executing a data role swap in the Type-C use case. So
let's not wait for vbus to drop in the usb role switch case either.

Fixes: e1b5d2bed67c ("usb: chipidea: core: handle usb role switch in a common way")
Cc: stable@vger.kernel.org
Acked-by: Peter Chen <peter.chen@kernel.org>
Reviewed-by: Jun Li <jun.li@nxp.com>
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Link: https://patch.msgid.link/20260402071457.2516021-3-xu.yang_2@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/chipidea/otg.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/chipidea/otg.c
+++ b/drivers/usb/chipidea/otg.c
@@ -187,8 +187,8 @@ void ci_handle_id_switch(struct ci_hdrc
 
 		ci_role_stop(ci);
 
-		if (role == CI_ROLE_GADGET &&
-				IS_ERR(ci->platdata->vbus_extcon.edev))
+		if (role == CI_ROLE_GADGET && !ci->role_switch &&
+		    IS_ERR(ci->platdata->vbus_extcon.edev))
 			/*
 			 * Wait vbus lower than OTGSC_BSV before connecting
 			 * to host. If connecting status is from an external
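Review bot: the comment below the condition still explains only the extcon case ("Wait vbus lower than OTGSC_BSV before connecting to host. If connecting status is from an external ..."); extend it with one line saying the wait is also skipped when `ci->role_switch` is set, because the role switch reports ID and VBUS together and VBUS never drops during a Type-C data role swap, otherwise the new `!ci->role_switch` conjunct reads as an unexplained special case.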




* [PATCH 6.6 006/474] usb: chipidea: core: allow ci_irq_handler() handle both ID and VBUS change
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2026-05-15 15:41 ` [PATCH 6.6 005/474] usb: chipidea: otg: not wait vbus drop if use role_switch Greg Kroah-Hartman
@ 2026-05-15 15:41 ` Greg Kroah-Hartman
  2026-05-15 15:41 ` [PATCH 6.6 007/474] ALSA: usb-audio: Evaluate packsize caps at the right place Greg Kroah-Hartman
                   ` (468 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:41 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Peter Chen, Xu Yang

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xu Yang <xu.yang_2@nxp.com>

commit b94b631d9f78e653855f7fb58dbcb86c2a856f6f upstream.

For a USB role switch-triggered IRQ, ID and VBUS changes come together, for
example when switching from host to device mode. ID indicates a role switch,
and VBUS is required to determine whether the device controller can start
operating. Currently, ci_irq_handler() handles only a single event per
invocation. This can cause an issue where switching to device mode results
in the device controller not working at all. Allowing ci_irq_handler() to
handle both ID and VBUS changes in one call resolves this issue.

Meanwhile, this change also affects the VBUS event handling logic.
Previously, if an ID event indicated host mode, the VBUS IRQ would be
ignored, as the device disables BSE when stop() is called. With the new
behavior, if ID and VBUS IRQs occur together and the target mode is host,
the VBUS event is queued and ci_handle_vbus_change() will call
usb_gadget_vbus_connect(), after which USBMODE is switched to device mode,
causing host mode to stop working. To prevent this, an additional check is
added to skip handling the VBUS event when the current role is not device mode.

Suggested-by: Peter Chen <peter.chen@kernel.org>
Fixes: e1b5d2bed67c ("usb: chipidea: core: handle usb role switch in a common way")
Cc: stable@vger.kernel.org
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Link: https://patch.msgid.link/20260402071457.2516021-2-xu.yang_2@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/chipidea/core.c |   45 ++++++++++++++++++++++----------------------
 drivers/usb/chipidea/otg.c  |    3 ++
 2 files changed, 26 insertions(+), 22 deletions(-)

--- a/drivers/usb/chipidea/core.c
+++ b/drivers/usb/chipidea/core.c
@@ -543,30 +543,31 @@ static irqreturn_t ci_irq_handler(int ir
 			if (ret == IRQ_HANDLED)
 				return ret;
 		}
-	}
 
-	/*
-	 * Handle id change interrupt, it indicates device/host function
-	 * switch.
-	 */
-	if (ci->is_otg && (otgsc & OTGSC_IDIE) && (otgsc & OTGSC_IDIS)) {
-		ci->id_event = true;
-		/* Clear ID change irq status */
-		hw_write_otgsc(ci, OTGSC_IDIS, OTGSC_IDIS);
-		ci_otg_queue_work(ci);
-		return IRQ_HANDLED;
-	}
+		/*
+		 * Handle id change interrupt, it indicates device/host function
+		 * switch.
+		 */
+		if ((otgsc & OTGSC_IDIE) && (otgsc & OTGSC_IDIS)) {
+			ci->id_event = true;
+			/* Clear ID change irq status */
+			hw_write_otgsc(ci, OTGSC_IDIS, OTGSC_IDIS);
+		}
 
-	/*
-	 * Handle vbus change interrupt, it indicates device connection
-	 * and disconnection events.
-	 */
-	if (ci->is_otg && (otgsc & OTGSC_BSVIE) && (otgsc & OTGSC_BSVIS)) {
-		ci->b_sess_valid_event = true;
-		/* Clear BSV irq */
-		hw_write_otgsc(ci, OTGSC_BSVIS, OTGSC_BSVIS);
-		ci_otg_queue_work(ci);
-		return IRQ_HANDLED;
+		/*
+		 * Handle vbus change interrupt, it indicates device connection
+		 * and disconnection events.
+		 */
+		if ((otgsc & OTGSC_BSVIE) && (otgsc & OTGSC_BSVIS)) {
+			ci->b_sess_valid_event = true;
+			/* Clear BSV irq */
+			hw_write_otgsc(ci, OTGSC_BSVIS, OTGSC_BSVIS);
+		}
+
+		if (ci->id_event || ci->b_sess_valid_event) {
+			ci_otg_queue_work(ci);
+			return IRQ_HANDLED;
+		}
 	}
 
 	/* Handle device/host interrupt */
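Review bot: the `if (ci->id_event || ci->b_sess_valid_event)` test reads the struct fields rather than what this interrupt set; if a previous interrupt's event is still pending because the work item has not run yet, a later interrupt carrying only device/host status returns IRQ_HANDLED here and never reaches the `/* Handle device/host interrupt */` path below. Track this interrupt's events in a local (e.g. `bool otg_event = false;` set in the two branches) and queue/return on that. Also, the explicit `ci->is_otg` test was dropped from both conditions because the code moved inside an enclosing block whose opening `if` is outside the hunk; confirm that block is the `ci->is_otg` one and not the FSM-mode check closed by the `}` just above the removed brace.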
--- a/drivers/usb/chipidea/otg.c
+++ b/drivers/usb/chipidea/otg.c
@@ -130,6 +130,9 @@ enum ci_role ci_otg_role(struct ci_hdrc
 
 void ci_handle_vbus_change(struct ci_hdrc *ci)
 {
+	if (ci->role != CI_ROLE_GADGET)
+		return;
+
 	if (!ci->is_otg) {
 		if (ci->platdata->flags & CI_HDRC_FORCE_VBUS_ACTIVE_ALWAYS)
 			usb_gadget_vbus_connect(&ci->gadget);
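Review bot: the early `return` for `ci->role != CI_ROLE_GADGET` drops the B-session event silently; if the VBUS event is consumed while the role is still host it is gone, so state in a comment here (or in the commit message) that ci_handle_id_switch() re-evaluates vbus when it starts the gadget role, otherwise a reader has to trust that the ordering in the work function handles it. The check also sits ahead of the `!ci->is_otg` branch, so a non-OTG controller whose role is not GADGET now never sees vbus_connect/disconnect; presumably impossible, but a comment saying so would help.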




* [PATCH 6.6 007/474] ALSA: usb-audio: Evaluate packsize caps at the right place
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2026-05-15 15:41 ` [PATCH 6.6 006/474] usb: chipidea: core: allow ci_irq_handler() handle both ID and VBUS change Greg Kroah-Hartman
@ 2026-05-15 15:41 ` Greg Kroah-Hartman
  2026-05-15 15:41 ` [PATCH 6.6 008/474] drm/nouveau: fix u32 overflow in pushbuf reloc bounds check Greg Kroah-Hartman
                   ` (467 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:41 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 52521e8398839105ef8eb22b3f0993f9b0d11a57 upstream.

We introduced the upper bound checks of the packet sizes by the
ep->maxframesize for avoiding the URB submission errors.  However, the
check was applied at an incorrect place in the function
snd_usb_endpoint_set_params() where ep->maxframesize isn't defined
yet; the value is defined at a bit later position.  So this ended up
with a failure at the first run while the second run works.

For fixing it, move the check at the correct place, right after the
calculation of ep->maxframesize in the same function.

Fixes: 7fe8dec3f628 ("ALSA: usb-audio: Cap the packet size pre-calculations")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=221292
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260410143220.1676344-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/usb/endpoint.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/sound/usb/endpoint.c
+++ b/sound/usb/endpoint.c
@@ -1397,9 +1397,6 @@ int snd_usb_endpoint_set_params(struct s
 		goto unlock;
 	}
 
-	ep->packsize[0] = min(ep->packsize[0], ep->maxframesize);
-	ep->packsize[1] = min(ep->packsize[1], ep->maxframesize);
-
 	/* calculate the frequency in 16.16 format */
 	ep->freqm = ep->freqn;
 	ep->freqshift = INT_MIN;
@@ -1426,6 +1423,9 @@ int snd_usb_endpoint_set_params(struct s
 	ep->maxframesize = ep->maxpacksize / ep->cur_frame_bytes;
 	ep->curframesize = ep->curpacksize / ep->cur_frame_bytes;
 
+	ep->packsize[0] = min(ep->packsize[0], ep->maxframesize);
+	ep->packsize[1] = min(ep->packsize[1], ep->maxframesize);
+
 	err = update_clock_ref_rate(chip, ep);
 	if (err >= 0) {
 		ep->need_setup = false;
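Review bot: the two `min()` clamps now depend on ep->maxframesize being computed on the line directly above them, which is exactly the ordering the original patch got wrong; add a one-line comment ("must follow the maxframesize calculation") so a later refactor does not move them back up, since nothing else in the function makes the dependency visible.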




* [PATCH 6.6 008/474] drm/nouveau: fix u32 overflow in pushbuf reloc bounds check
From: Greg Kroah-Hartman @ 2026-05-15 15:41 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lyude Paul, Danilo Krummrich,
	Maarten Lankhorst, Maxime Ripard, Thomas Zimmermann, David Airlie,
	Simona Vetter, stable

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2fc87d37be1b730a149b035f9375fdb8cc5333a5 upstream.

nouveau_gem_pushbuf_reloc_apply() validates each relocation with

    if (r->reloc_bo_offset + 4 > nvbo->bo.base.size)

but reloc_bo_offset is __u32 (uapi/drm/nouveau_drm.h) and the integer
literal 4 promotes to unsigned int, so the addition is performed in 32
bits and wraps before the comparison against the size_t bo size.

Cast to u64 so the addition happens in 64-bit arithmetic.

Cc: Lyude Paul <lyude@redhat.com>
Cc: Danilo Krummrich <dakr@kernel.org>
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Maxime Ripard <mripard@kernel.org>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: David Airlie <airlied@gmail.com>
Cc: Simona Vetter <simona@ffwll.ch>
Reported-by: Anthropic
Cc: stable <stable@kernel.org>
Assisted-by: gkh_clanker_t1000
Fixes: a1606a9596e5 ("drm/nouveau: new gem pushbuf interface, bump to 0.0.16")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Add Fixes: tag. - Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/nouveau/nouveau_gem.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/nouveau/nouveau_gem.c
+++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
@@ -679,7 +679,7 @@ nouveau_gem_pushbuf_reloc_apply(struct n
 		}
 		nvbo = (void *)(unsigned long)bo[r->reloc_bo_index].user_priv;
 
-		if (unlikely(r->reloc_bo_offset + 4 >
+		if (unlikely((u64)r->reloc_bo_offset + 4 >
 			     nvbo->bo.base.size)) {
 			NV_PRINTK(err, cli, "reloc outside of bo\n");
 			ret = -EINVAL;
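Review bot: the u64 cast is correct and sufficient: nvbo->bo.base.size is size_t, which promotes to u64 in the comparison on both 32- and 64-bit targets, so the addition can no longer wrap. Optionally, `r->reloc_bo_offset > nvbo->bo.base.size - 4` behind a size >= 4 check, or check_add_overflow(), states the intent without relying on promotion rules.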




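As an added illustration for this review (not nouveau code, and not part of the thread), the reloc check before and after the fix on a plain C model of the uapi field and the object size. The object size, the probe offsets and the reloc_ok_subtract() variant are constructed for the demonstration:

```c
/*
 * Added example, not nouveau code: the reloc bounds check before and after
 * the fix, on a plain C model of the uapi field (__u32 reloc_bo_offset) and
 * the ttm object size (size_t).  All inputs below are constructed.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef uint32_t u32;
typedef uint64_t u64;

/* Pre-fix: u32 + int.  The literal 4 converts to unsigned int, the sum is
 * computed in 32 bits and wraps before the comparison widens it. */
int reloc_ok_buggy(u32 reloc_bo_offset, size_t bo_size)
{
	return !(reloc_bo_offset + 4 > bo_size);
}

/* The fix from the hunk: widen first, then add, then compare. */
int reloc_ok_fixed(u32 reloc_bo_offset, size_t bo_size)
{
	return !((u64)reloc_bo_offset + 4 > bo_size);
}

/* Alternative that never adds at all: move the constant to the other side.
 * Needs bo_size >= 4, so objects smaller than one reloc are rejected first. */
int reloc_ok_subtract(u32 reloc_bo_offset, size_t bo_size)
{
	if (bo_size < 4)
		return 0;
	return reloc_bo_offset <= bo_size - 4;
}

/* Number of the three checks that accept the pair; anything other than 0 or
 * 3 marks an input on which the wrapping check disagrees with the others. */
int reloc_votes(u32 reloc_bo_offset, size_t bo_size)
{
	return reloc_ok_buggy(reloc_bo_offset, bo_size) +
	       reloc_ok_fixed(reloc_bo_offset, bo_size) +
	       reloc_ok_subtract(reloc_bo_offset, bo_size);
}

int main(void)
{
	const size_t bo_size = 4096;	/* constructed object size */
	const u32 probes[] = { 0, 4092, 4093, 0xFFFFFFFCu, 0xFFFFFFFEu };

	for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
		printf("offset 0x%08x: buggy=%d fixed=%d subtract=%d\n",
		       (unsigned)probes[i],
		       reloc_ok_buggy(probes[i], bo_size),
		       reloc_ok_fixed(probes[i], bo_size),
		       reloc_ok_subtract(probes[i], bo_size));
	return 0;
}
```

Build with any C compiler and run: the pre-fix form accepts 0xFFFFFFFE because 0xFFFFFFFE + 4 wraps to 2 in 32-bit arithmetic and 2 is not greater than the object size, while both corrected forms reject it; all three agree on in-range offsets.
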
* [PATCH 6.6 009/474] leds: qcom-lpg: Check for array overflow when selecting the high resolution
From: Greg Kroah-Hartman @ 2026-05-15 15:41 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Lee Jones

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d45963a93c1495e9f1338fde91d0ebba8fd22474 upstream.

When selecting the high resolution values from the array, FIELD_GET() is
used to pull from a 3 bit register, yet the array being indexed has only
5 values in it.  Odds are the hardware is sane, but just to be safe,
properly check before just overflowing and reading random data and then
setting up chip values based on that.

Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026021934-nearby-playroom-036b@gregkh
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/leds/rgb/leds-qcom-lpg.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/leds/rgb/leds-qcom-lpg.c
+++ b/drivers/leds/rgb/leds-qcom-lpg.c
@@ -1043,7 +1043,12 @@ static int lpg_pwm_get_state(struct pwm_
 		return ret;
 
 	if (chan->subtype == LPG_SUBTYPE_HI_RES_PWM) {
-		refclk = lpg_clk_rates_hi_res[FIELD_GET(PWM_CLK_SELECT_HI_RES_MASK, val)];
+		unsigned int clk_idx = FIELD_GET(PWM_CLK_SELECT_HI_RES_MASK, val);
+
+		if (clk_idx >= ARRAY_SIZE(lpg_clk_rates_hi_res))
+			return -EINVAL;
+
+		refclk = lpg_clk_rates_hi_res[clk_idx];
 		resolution = lpg_pwm_resolution_hi_res[FIELD_GET(PWM_SIZE_HI_RES_MASK, val)];
 	} else {
 		refclk = lpg_clk_rates[FIELD_GET(PWM_CLK_SELECT_MASK, val)];
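Review bot: the bounds check covers only the clock index; the very next line, `resolution = lpg_pwm_resolution_hi_res[FIELD_GET(PWM_SIZE_HI_RES_MASK, val)];`, and the non-hi-res branch below index their tables with the same raw FIELD_GET() pattern and no check. If either table has fewer entries than its field can encode it needs the same ARRAY_SIZE() guard; if not, a one-line comment saying the field width matches the table would stop the next reader from asking. Minor: a register that decodes to an impossible value is a hardware fault, so -EIO or a dev_err() may describe it better than -EINVAL.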




* [PATCH 6.6 010/474] misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()
From: Greg Kroah-Hartman @ 2026-05-15 15:41 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, ychen, Tyllis Xu

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tyllis Xu <livelycarpet87@gmail.com>

commit 4b6e6ead556734bdc14024c5f837132b1e7a4b84 upstream.

ibmasm_handle_mouse_interrupt() performs an out-of-bounds MMIO read
when the queue reader or writer index from hardware exceeds
REMOTE_QUEUE_SIZE (60).

A compromised service processor can trigger this by writing an
out-of-range value to the reader or writer MMIO register before
asserting an interrupt. Since writer is re-read from hardware on
every loop iteration, it can also be set to an out-of-range value
after the loop has already started.

The root cause is that get_queue_reader() and get_queue_writer() return
raw readl() values that are passed directly into get_queue_entry(),
which computes:

  queue_begin + reader * sizeof(struct remote_input)

with no bounds check. This unchecked MMIO address is then passed to
memcpy_fromio(), reading 8 bytes from unintended device registers.
For sufficiently large values the address falls outside the PCI BAR
mapping entirely, triggering a machine check exception.

Fix by checking both indices against REMOTE_QUEUE_SIZE at the top of
the loop body, before any call to get_queue_entry(). On an out-of-range
value, reset the reader register to 0 via set_queue_reader() before
breaking, so that normal queue operation can resume if the corrupted
hardware state is transient.

Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Fixes: 278d72ae8803 ("[PATCH] ibmasm driver: redesign handling of remote control events")
Cc: stable@vger.kernel.org
Cc: ychen@northwestern.edu
Signed-off-by: Tyllis Xu <LivelyCarpet87@gmail.com>
Link: https://patch.msgid.link/20260308062108.258940-1-LivelyCarpet87@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/misc/ibmasm/remote.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/misc/ibmasm/remote.c
+++ b/drivers/misc/ibmasm/remote.c
@@ -177,6 +177,11 @@ void ibmasm_handle_mouse_interrupt(struc
 	writer = get_queue_writer(sp);
 
 	while (reader != writer) {
+		if (reader >= REMOTE_QUEUE_SIZE || writer >= REMOTE_QUEUE_SIZE) {
+			set_queue_reader(sp, 0);
+			break;
+		}
+
 		memcpy_fromio(&input, get_queue_entry(sp, reader),
 				sizeof(struct remote_input));
 
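Review bot: the guard compares reader and writer with >= REMOTE_QUEUE_SIZE, which is only a complete check if both variables are unsigned; their declarations are outside the hunk, so confirm that, since a readl() value stored in a signed int would pass the check as a negative value and still produce an out-of-range address in get_queue_entry(). Also, when it is writer that is out of range, set_queue_reader(sp, 0) does nothing about the bad writer value, so the next interrupt hits the same break immediately; harmless, but a rate-limited dev_warn() here would make a persistently misbehaving service processor visible.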




* [PATCH 6.6 011/474] ibmasm: fix OOB reads in command_file_write due to missing size checks
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Tyllis Xu

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tyllis Xu <livelycarpet87@gmail.com>

commit 0eb09f737428e482a32a2e31e5e223f2b35a71d3 upstream.

The command_file_write() handler allocates a kernel buffer of exactly
count bytes and copies user data into it, but does not validate the
buffer against the dot command protocol before passing it to
get_dot_command_size() and get_dot_command_timeout().

Since both the allocation size (count) and the header fields (command_size,
data_size) are independently user-controlled, an attacker can cause
get_dot_command_size() to return a value exceeding the allocation,
triggering OOB reads in get_dot_command_timeout() and an out-of-bounds
memcpy_toio() that leaks kernel heap memory to the service processor.

Fix with two guards: reject writes smaller than sizeof(struct
dot_command_header) before allocation, then after copying user data
reject commands where the buffer is smaller than the total size declared
by the header (sizeof(header) + command_size + data_size). This ensures
all subsequent header and payload field accesses stay within the buffer.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Tyllis Xu <LivelyCarpet87@gmail.com>
Link: https://patch.msgid.link/20260314165355.548119-1-LivelyCarpet87@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/misc/ibmasm/ibmasmfs.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/misc/ibmasm/ibmasmfs.c
+++ b/drivers/misc/ibmasm/ibmasmfs.c
@@ -303,6 +303,8 @@ static ssize_t command_file_write(struct
 		return -EINVAL;
 	if (count == 0 || count > IBMASM_CMD_MAX_BUFFER_SIZE)
 		return 0;
+	if (count < sizeof(struct dot_command_header))
+		return -EINVAL;
 	if (*offset != 0)
 		return 0;
 
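Review bot: the new minimum-size check returns -EINVAL while the zero-length / oversize test two lines above it still returns 0 silently; either policy is defensible, but mixing them makes the size handling harder to audit. Folding the `sizeof(struct dot_command_header)` minimum into that existing condition, or making both return -EINVAL, keeps the size policy in one place.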
@@ -319,6 +321,11 @@ static ssize_t command_file_write(struct
 		return -EFAULT;
 	}
 
+	if (count < get_dot_command_size(cmd->buffer)) {
+		command_put(cmd);
+		return -EINVAL;
+	}
+
 	spin_lock_irqsave(&command_data->sp->lock, flags);
 	if (command_data->command) {
 		spin_unlock_irqrestore(&command_data->sp->lock, flags);
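Review bot: the guard compares get_dot_command_size() against count rather than cmd->buffer_size; the two are equal only because the allocation is exactly count bytes, so tying the check to cmd->buffer_size would keep it correct if the allocation size ever changes and would mirror the send-side check against command->buffer_size. The placement before the spinlock is right, since cmd->buffer is private to this command at that point.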




* [PATCH 6.6 012/474] ibmasm: fix heap over-read in ibmasm_send_i2o_message()
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Tyllis Xu

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tyllis Xu <livelycarpet87@gmail.com>

commit 9aad71144fa3682cca3837a06c8623016790e7ec upstream.

The ibmasm_send_i2o_message() function uses get_dot_command_size() to
compute the byte count for memcpy_toio(), but this value is derived from
user-controlled fields in the dot_command_header (command_size: u8,
data_size: u16) and is never validated against the actual allocation size.
A root user can write a small buffer with inflated header fields, causing
memcpy_toio() to read up to ~65 KB past the end of the allocation into
adjacent kernel heap, which is then forwarded to the service processor
over MMIO.

Silently clamping the copy size is not sufficient: if the header fields
claim a larger size than the buffer, the SP receives a dot command whose
own header is inconsistent with the I2O message length, which can cause
the SP to desynchronize. Reject such commands outright by returning
failure.

Validate command_size before calling get_mfa_inbound() to avoid leaking
an I2O message frame: reading INBOUND_QUEUE_PORT dequeues a hardware
frame from the controller's free pool, and returning without a
corresponding set_mfa_inbound() call would permanently exhaust it.

Additionally, clamp command_size to I2O_COMMAND_SIZE before the
memcpy_toio() so the MMIO write stays within the I2O message frame,
consistent with the clamping already performed by outgoing_message_size()
for the header field.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Tyllis Xu <LivelyCarpet87@gmail.com>
Link: https://patch.msgid.link/20260314165805.548293-1-LivelyCarpet87@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/misc/ibmasm/lowlevel.c |   12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/drivers/misc/ibmasm/lowlevel.c
+++ b/drivers/misc/ibmasm/lowlevel.c
@@ -19,17 +19,21 @@ static struct i2o_header header = I2O_HE
 int ibmasm_send_i2o_message(struct service_processor *sp)
 {
 	u32 mfa;
-	unsigned int command_size;
+	size_t command_size;
 	struct i2o_message *message;
 	struct command *command = sp->current_command;
 
+	command_size = get_dot_command_size(command->buffer);
+	if (command_size > command->buffer_size)
+		return 1;
+	if (command_size > I2O_COMMAND_SIZE)
+		command_size = I2O_COMMAND_SIZE;
+
 	mfa = get_mfa_inbound(sp->base_address);
 	if (!mfa)
 		return 1;
 
-	command_size = get_dot_command_size(command->buffer);
-	header.message_size = outgoing_message_size(command_size);
-
+	header.message_size = outgoing_message_size((unsigned int)command_size);
 	message = get_i2o_message(sp->base_address, mfa);
 
 	memcpy_toio(&message->header, &header, sizeof(struct i2o_header));
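Review bot: `return 1` for an oversize command is the same value returned when get_mfa_inbound() fails, so callers cannot tell a malformed command (permanently rejectable) from a transient lack of message frames; a distinct return value, or at least a dev_err() before the return, would make the rejection observable. The ordering itself is right: the size check precedes get_mfa_inbound(), so no frame is dequeued and lost on the reject path, and the (unsigned int) cast on the now-clamped size_t cannot truncate.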




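As an added example written for this review (not ibmasm code), the guards from this patch and from the command_file_write() patch before it, expressed over an ordinary byte buffer so the reject cases can be run on any host. The header layout, the IBMASM_CMD_MAX_BUFFER_SIZE and I2O_COMMAND_SIZE values and the build_cmd()/demo_*() helpers are assumptions for the demonstration; only the field widths (command_size: u8, data_size: u16) come from the commit messages.

```c
/*
 * Added example, not ibmasm code: write-side guards and send-side
 * reject-then-clamp over a plain byte buffer.  Header layout and the two
 * size constants are assumed; only the field widths follow the commits.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IBMASM_CMD_MAX_BUFFER_SIZE 4096	/* assumed value */
#define I2O_COMMAND_SIZE 96		/* assumed value */

struct dot_command_header {		/* assumed layout, 8 bytes */
	uint8_t  type;
	uint8_t  command_size;
	uint16_t data_size;
	uint8_t  status;
	uint8_t  reserved[3];
};

/* Same arithmetic as get_dot_command_size(): header + command_size +
 * data_size.  Cannot overflow, but is caller-chosen and may exceed the
 * buffer the header was read from. */
size_t dot_command_size(const unsigned char *buf)
{
	struct dot_command_header h;

	memcpy(&h, buf, sizeof(h));
	return sizeof(h) + h.command_size + h.data_size;
}

/* write(2) side: guard 1 before copying (header fits in count), guard 2
 * after (declared total fits).  The kernel returns 0 for the zero/oversize
 * case; this demo rejects it outright. */
int validate_dot_command(const unsigned char *buf, size_t count, size_t *size)
{
	if (count == 0 || count > IBMASM_CMD_MAX_BUFFER_SIZE)
		return -EINVAL;
	if (count < sizeof(struct dot_command_header))
		return -EINVAL;
	*size = dot_command_size(buf);
	if (count < *size)
		return -EINVAL;
	return 0;
}

/* Send side: a command larger than its allocation is rejected, not clamped
 * (a clamped copy would hand the SP a header that disagrees with the I2O
 * length); a valid one is then capped to the I2O frame. */
int i2o_copy_len(const unsigned char *buf, size_t buffer_size, size_t *len)
{
	size_t command_size = dot_command_size(buf);

	if (command_size > buffer_size)
		return -EINVAL;
	if (command_size > I2O_COMMAND_SIZE)
		command_size = I2O_COMMAND_SIZE;
	*len = command_size;
	return 0;
}

/* Constructed input: count bytes whose header claims the given sizes. */
static size_t build_cmd(unsigned char *buf, size_t buflen, size_t count,
			uint8_t command_size, uint16_t data_size)
{
	struct dot_command_header h = { .type = 1, .command_size = command_size,
					.data_size = data_size };

	if (count > buflen)
		count = buflen;
	memset(buf, 0, buflen);
	memcpy(buf, &h, count < sizeof(h) ? count : sizeof(h));
	return count;
}

/* 0 if a write of count bytes is accepted, -EINVAL if a guard fires. */
int demo_validate(uint8_t command_size, uint16_t data_size, size_t count)
{
	unsigned char buf[IBMASM_CMD_MAX_BUFFER_SIZE];
	size_t size;

	count = build_cmd(buf, sizeof(buf), count, command_size, data_size);
	return validate_dot_command(buf, count, &size);
}

/* Bytes memcpy_toio() may copy for a buffer_size allocation, or -1. */
int demo_i2o_len(uint8_t command_size, uint16_t data_size, size_t buffer_size)
{
	unsigned char buf[IBMASM_CMD_MAX_BUFFER_SIZE];
	size_t len;

	build_cmd(buf, sizeof(buf), buffer_size, command_size, data_size);
	if (i2o_copy_len(buf, buffer_size, &len) < 0)
		return -1;
	return (int)len;
}

int main(void)
{
	printf("16-byte write claiming 200+60000: %d\n", demo_validate(200, 60000, 16));
	printf("i2o copy len for 100+100 in 300:  %d\n", demo_i2o_len(100, 100, 300));
	return 0;
}
```

A 16-byte write whose header claims 200 + 60000 bytes is rejected by the second guard, a 7-byte write by the first; on the send side a 208-byte command in a 300-byte allocation is accepted and capped to the 96-byte frame, while the same header in a 100-byte allocation is rejected rather than clamped.
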
* [PATCH 6.6 013/474] firmware: google: framebuffer: Do not mark framebuffer as busy
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Thomas Zimmermann, Tzung-Bi Shih,
	Julius Werner, Samuel Holland, Brian Norris, chrome-platform

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Zimmermann <tzimmermann@suse.de>

commit f3850d399de3b6142b02315227ef9e772ed0c302 upstream.

Remove the IORESOURCE_BUSY flag from coreboot's framebuffer
resource. It prevents simpledrm from successfully requesting the
range for its own use, resulting in errors such as

[    2.775430] simple-framebuffer simple-framebuffer.0: [drm] could not acquire memory region [mem 0x80000000-0x80407fff flags 0x80000200]

As with other uses of simple-framebuffer, the simple-framebuffer
device should only declare its I/O resources, but not actively use
them.

Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Fixes: 851b4c14532d ("firmware: coreboot: Add coreboot framebuffer driver")
Acked-by: Tzung-Bi Shih <tzungbi@kernel.org>
Acked-by: Julius Werner <jwerner@chromium.org>
Cc: Samuel Holland <samuel@sholland.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Tzung-Bi Shih <tzungbi@kernel.org>
Cc: Brian Norris <briannorris@chromium.org>
Cc: Julius Werner <jwerner@chromium.org>
Cc: chrome-platform@lists.linux.dev
Cc: <stable@vger.kernel.org> # v4.18+
Link: https://patch.msgid.link/20260217155836.96267-3-tzimmermann@suse.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/firmware/google/framebuffer-coreboot.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/firmware/google/framebuffer-coreboot.c
+++ b/drivers/firmware/google/framebuffer-coreboot.c
@@ -50,7 +50,7 @@ static int framebuffer_probe(struct core
 		return -ENODEV;
 
 	memset(&res, 0, sizeof(res));
-	res.flags = IORESOURCE_MEM | IORESOURCE_BUSY;
+	res.flags = IORESOURCE_MEM;
 	res.name = "Coreboot Framebuffer";
 	res.start = fb->physical_address;
 	length = PAGE_ALIGN(fb->y_resolution * fb->bytes_per_line);
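Review bot: with IORESOURCE_BUSY gone this resource is purely descriptive, so a later request_mem_region() on the same range by another driver succeeds; that is the stated goal, but it also means nothing in this driver may assume exclusive ownership of the range any more, and the one-line change gives no hint of that. A short comment on the res.flags line explaining why BUSY is deliberately absent would stop it from being reintroduced.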




* [PATCH 6.6 014/474] Bluetooth: MGMT: Fix possible UAFs
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, cen zhang, Luiz Augusto von Dentz,
	Charles Xu, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

[ Upstream commit 302a1f674c00dd5581ab8e493ef44767c5101aab ]

This attempts to fix possible UAFs caused by struct mgmt_pending being
freed while still being processed, like in the following trace. In order
to fix this, mgmt_pending_valid is introduced and used to check that the
mgmt_pending hasn't been removed from the pending list; in the complete
callbacks it is used to check and, in addition, to remove the cmd from the
list while holding mgmt_pending_lock to avoid TOCTOU problems, since if
the cmd is left on the list it can still be accessed and freed.

BUG: KASAN: slab-use-after-free in mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223
Read of size 8 at addr ffff8880709d4dc0 by task kworker/u11:0/55

CPU: 0 UID: 0 PID: 55 Comm: kworker/u11:0 Not tainted 6.16.4 #2 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223
 hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
 kthread+0x711/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16.4/arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 12210:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4364
 kmalloc_noprof include/linux/slab.h:905 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 mgmt_pending_new+0x65/0x1e0 net/bluetooth/mgmt_util.c:269
 mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296
 __add_adv_patterns_monitor+0x130/0x200 net/bluetooth/mgmt.c:5247
 add_adv_patterns_monitor+0x214/0x360 net/bluetooth/mgmt.c:5364
 hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719
 hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg+0x219/0x270 net/socket.c:729
 sock_write_iter+0x258/0x330 net/socket.c:1133
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0x5c9/0xb30 fs/read_write.c:686
 ksys_write+0x145/0x250 fs/read_write.c:738
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 12221:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2381 [inline]
 slab_free mm/slub.c:4648 [inline]
 kfree+0x18e/0x440 mm/slub.c:4847
 mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline]
 mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257
 __mgmt_power_off+0x169/0x350 net/bluetooth/mgmt.c:9444
 hci_dev_close_sync+0x754/0x1330 net/bluetooth/hci_sync.c:5290
 hci_dev_do_close net/bluetooth/hci_core.c:501 [inline]
 hci_dev_close+0x108/0x200 net/bluetooth/hci_core.c:526
 sock_do_ioctl+0xd9/0x300 net/socket.c:1192
 sock_ioctl+0x576/0x790 net/socket.c:1313
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Fixes: cf75ad8b41d2 ("Bluetooth: hci_sync: Convert MGMT_SET_POWERED")
Fixes: 2bd1b237616b ("Bluetooth: hci_sync: Convert MGMT_OP_SET_DISCOVERABLE to use cmd_sync")
Fixes: f056a65783cc ("Bluetooth: hci_sync: Convert MGMT_OP_SET_CONNECTABLE to use cmd_sync")
Fixes: 3244845c6307 ("Bluetooth: hci_sync: Convert MGMT_OP_SSP")
Fixes: d81a494c43df ("Bluetooth: hci_sync: Convert MGMT_OP_SET_LE")
Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
Fixes: 6f6ff38a1e14 ("Bluetooth: hci_sync: Convert MGMT_OP_SET_LOCAL_NAME")
Fixes: 71efbb08b538 ("Bluetooth: hci_sync: Convert MGMT_OP_SET_PHY_CONFIGURATION")
Fixes: b747a83690c8 ("Bluetooth: hci_sync: Refactor add Adv Monitor")
Fixes: abfeea476c68 ("Bluetooth: hci_sync: Convert MGMT_OP_START_DISCOVERY")
Fixes: 26ac4c56f03f ("Bluetooth: hci_sync: Convert MGMT_OP_SET_ADVERTISING")
Reported-by: cen zhang <zzzccc427@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Charles Xu <charles_xu@189.cn>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/mgmt.c      | 259 ++++++++++++++++++++++++++------------
 net/bluetooth/mgmt_util.c |  46 +++++++
 net/bluetooth/mgmt_util.h |   3 +
 3 files changed, 231 insertions(+), 77 deletions(-)

diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 51a6ad6a36c8d..4bf6c0aae9673 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -1319,8 +1319,7 @@ static void mgmt_set_powered_complete(struct hci_dev *hdev, void *data, int err)
 	struct mgmt_mode *cp;
 
 	/* Make sure cmd still outstanding. */
-	if (err == -ECANCELED ||
-	    cmd != pending_find(MGMT_OP_SET_POWERED, hdev))
+	if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd))
 		return;
 
 	cp = cmd->param;
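Review bot: on the err == -ECANCELED branch the callback returns before mgmt_pending_valid() runs, so cmd is neither removed from the list nor freed here; that is only safe if whoever cancels also removes and frees it (the trace shows mgmt_pending_foreach() with remove set doing exactly that from __mgmt_power_off()). Since the same pattern is repeated in every *_complete callback in this patch, a one-line comment stating that ownership rule next to this first instance would help the next reader.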
@@ -1347,23 +1346,29 @@ static void mgmt_set_powered_complete(struct hci_dev *hdev, void *data, int err)
 				mgmt_status(err));
 	}
 
-	mgmt_pending_remove(cmd);
+	mgmt_pending_free(cmd);
 }
 
 static int set_powered_sync(struct hci_dev *hdev, void *data)
 {
 	struct mgmt_pending_cmd *cmd = data;
-	struct mgmt_mode *cp;
+	struct mgmt_mode cp;
+
+	mutex_lock(&hdev->mgmt_pending_lock);
 
 	/* Make sure cmd still outstanding. */
-	if (cmd != pending_find(MGMT_OP_SET_POWERED, hdev))
+	if (!__mgmt_pending_listed(hdev, cmd)) {
+		mutex_unlock(&hdev->mgmt_pending_lock);
 		return -ECANCELED;
+	}
 
-	cp = cmd->param;
+	memcpy(&cp, cmd->param, sizeof(cp));
+
+	mutex_unlock(&hdev->mgmt_pending_lock);
 
 	BT_DBG("%s", hdev->name);
 
-	return hci_set_powered_sync(hdev, cp->val);
+	return hci_set_powered_sync(hdev, cp.val);
 }
 
 static int set_powered(struct sock *sk, struct hci_dev *hdev, void *data,
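Review bot: `memcpy(&cp, cmd->param, sizeof(cp))` copies a fixed sizeof(struct mgmt_mode) without consulting cmd->param_len; safe here because the command length is validated at dispatch, but worth bounding by param_len (or at least a WARN_ON) since the same copy-under-lock idiom is reused below for a variable-length command.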
@@ -1504,8 +1509,7 @@ static void mgmt_set_discoverable_complete(struct hci_dev *hdev, void *data,
 	bt_dev_dbg(hdev, "err %d", err);
 
 	/* Make sure cmd still outstanding. */
-	if (err == -ECANCELED ||
-	    cmd != pending_find(MGMT_OP_SET_DISCOVERABLE, hdev))
+	if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd))
 		return;
 
 	hci_dev_lock(hdev);
@@ -1527,12 +1531,15 @@ static void mgmt_set_discoverable_complete(struct hci_dev *hdev, void *data,
 	new_settings(hdev, cmd->sk);
 
 done:
-	mgmt_pending_remove(cmd);
+	mgmt_pending_free(cmd);
 	hci_dev_unlock(hdev);
 }
 
 static int set_discoverable_sync(struct hci_dev *hdev, void *data)
 {
+	if (!mgmt_pending_listed(hdev, data))
+		return -ECANCELED;
+
 	BT_DBG("%s", hdev->name);
 
 	return hci_update_discoverable_sync(hdev);
@@ -1679,8 +1686,7 @@ static void mgmt_set_connectable_complete(struct hci_dev *hdev, void *data,
 	bt_dev_dbg(hdev, "err %d", err);
 
 	/* Make sure cmd still outstanding. */
-	if (err == -ECANCELED ||
-	    cmd != pending_find(MGMT_OP_SET_CONNECTABLE, hdev))
+	if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd))
 		return;
 
 	hci_dev_lock(hdev);
@@ -1696,7 +1702,7 @@ static void mgmt_set_connectable_complete(struct hci_dev *hdev, void *data,
 
 done:
 	if (cmd)
-		mgmt_pending_remove(cmd);
+		mgmt_pending_free(cmd);
 
 	hci_dev_unlock(hdev);
 }
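Review bot: the `if (cmd)` test before mgmt_pending_free() at done: is dead. cmd is the callback's data argument and has already been passed to mgmt_pending_valid(), whose result gates everything after it, so it cannot be NULL here; drop the test so the label reads as the unconditional free it is.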
@@ -1732,6 +1738,9 @@ static int set_connectable_update_settings(struct hci_dev *hdev,
 
 static int set_connectable_sync(struct hci_dev *hdev, void *data)
 {
+	if (!mgmt_pending_listed(hdev, data))
+		return -ECANCELED;
+
 	BT_DBG("%s", hdev->name);
 
 	return hci_update_connectable_sync(hdev);
@@ -1908,14 +1917,17 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err)
 {
 	struct cmd_lookup match = { NULL, hdev };
 	struct mgmt_pending_cmd *cmd = data;
-	struct mgmt_mode *cp = cmd->param;
-	u8 enable = cp->val;
+	struct mgmt_mode *cp;
+	u8 enable;
 	bool changed;
 
 	/* Make sure cmd still outstanding. */
-	if (err == -ECANCELED || cmd != pending_find(MGMT_OP_SET_SSP, hdev))
+	if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd))
 		return;
 
+	cp = cmd->param;
+	enable = cp->val;
+
 	if (err) {
 		u8 mgmt_err = mgmt_status(err);
 
@@ -1924,8 +1936,7 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err)
 			new_settings(hdev, NULL);
 		}
 
-		mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, true,
-				     cmd_status_rsp, &mgmt_err);
+		mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_err);
 		return;
 	}
 
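Review bot: the error path returns right after mgmt_cmd_status() without freeing cmd. mgmt_pending_valid() has already taken cmd off the pending list, so no later mgmt_pending_foreach() will find and free it, and this path leaks the struct mgmt_pending_cmd; set_le_complete in this same patch handles the equivalent case with `goto done;` into mgmt_pending_free(). Add `mgmt_pending_free(cmd);` before the `return;` here.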
@@ -1935,7 +1946,7 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err)
 		changed = hci_dev_test_and_clear_flag(hdev, HCI_SSP_ENABLED);
 	}
 
-	mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, true, settings_rsp, &match);
+	settings_rsp(cmd, &match);
 
 	if (changed)
 		new_settings(hdev, match.sk);
@@ -1949,14 +1960,25 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err)
 static int set_ssp_sync(struct hci_dev *hdev, void *data)
 {
 	struct mgmt_pending_cmd *cmd = data;
-	struct mgmt_mode *cp = cmd->param;
+	struct mgmt_mode cp;
 	bool changed = false;
 	int err;
 
-	if (cp->val)
+	mutex_lock(&hdev->mgmt_pending_lock);
+
+	if (!__mgmt_pending_listed(hdev, cmd)) {
+		mutex_unlock(&hdev->mgmt_pending_lock);
+		return -ECANCELED;
+	}
+
+	memcpy(&cp, cmd->param, sizeof(cp));
+
+	mutex_unlock(&hdev->mgmt_pending_lock);
+
+	if (cp.val)
 		changed = !hci_dev_test_and_set_flag(hdev, HCI_SSP_ENABLED);
 
-	err = hci_write_ssp_mode_sync(hdev, cp->val);
+	err = hci_write_ssp_mode_sync(hdev, cp.val);
 
 	if (!err && changed)
 		hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
@@ -2049,32 +2071,50 @@ static int set_hs(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
 
 static void set_le_complete(struct hci_dev *hdev, void *data, int err)
 {
+	struct mgmt_pending_cmd *cmd = data;
 	struct cmd_lookup match = { NULL, hdev };
 	u8 status = mgmt_status(err);
 
 	bt_dev_dbg(hdev, "err %d", err);
 
-	if (status) {
-		mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, true, cmd_status_rsp,
-				     &status);
+	if (err == -ECANCELED || !mgmt_pending_valid(hdev, data))
 		return;
+
+	if (status) {
+		mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, status);
+		goto done;
 	}
 
-	mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, true, settings_rsp, &match);
+	settings_rsp(cmd, &match);
 
 	new_settings(hdev, match.sk);
 
 	if (match.sk)
 		sock_put(match.sk);
+
+done:
+	mgmt_pending_free(cmd);
 }
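Review bot: `mgmt_pending_valid(hdev, data)` passes the raw void *data while the local `cmd` already holds it; every other callback in this patch passes cmd. Harmless, but use cmd for consistency. The order of computing `status` before the validity check differs from the callbacks above too; mgmt_status(err) is a pure lookup, so that is fine.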
 
 static int set_le_sync(struct hci_dev *hdev, void *data)
 {
 	struct mgmt_pending_cmd *cmd = data;
-	struct mgmt_mode *cp = cmd->param;
-	u8 val = !!cp->val;
+	struct mgmt_mode cp;
+	u8 val;
 	int err;
 
+	mutex_lock(&hdev->mgmt_pending_lock);
+
+	if (!__mgmt_pending_listed(hdev, cmd)) {
+		mutex_unlock(&hdev->mgmt_pending_lock);
+		return -ECANCELED;
+	}
+
+	memcpy(&cp, cmd->param, sizeof(cp));
+	val = !!cp.val;
+
+	mutex_unlock(&hdev->mgmt_pending_lock);
+
 	if (!val) {
 		hci_clear_adv_instance_sync(hdev, NULL, 0x00, true);
 
@@ -2116,7 +2156,12 @@ static void set_mesh_complete(struct hci_dev *hdev, void *data, int err)
 {
 	struct mgmt_pending_cmd *cmd = data;
 	u8 status = mgmt_status(err);
-	struct sock *sk = cmd->sk;
+	struct sock *sk;
+
+	if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd))
+		return;
+
+	sk = cmd->sk;
 
 	if (status) {
 		mgmt_pending_foreach(MGMT_OP_SET_MESH_RECEIVER, hdev, true,
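Review bot: the error path still calls mgmt_pending_foreach(MGMT_OP_SET_MESH_RECEIVER, ...) after mgmt_pending_valid() has dropped cmd from the pending list, so the loop no longer visits cmd: its socket gets no status reply and cmd is not freed by that loop. The other callbacks converted in this patch reply with mgmt_cmd_status(cmd->sk, ...) and then mgmt_pending_free(cmd); this one should do the same, and the remainder of the function (outside the hunk) needs the same check on its success path.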
@@ -2131,24 +2176,37 @@ static void set_mesh_complete(struct hci_dev *hdev, void *data, int err)
 static int set_mesh_sync(struct hci_dev *hdev, void *data)
 {
 	struct mgmt_pending_cmd *cmd = data;
-	struct mgmt_cp_set_mesh *cp = cmd->param;
-	size_t len = cmd->param_len;
+	struct mgmt_cp_set_mesh cp;
+	size_t len;
+
+	mutex_lock(&hdev->mgmt_pending_lock);
+
+	if (!__mgmt_pending_listed(hdev, cmd)) {
+		mutex_unlock(&hdev->mgmt_pending_lock);
+		return -ECANCELED;
+	}
+
+	memcpy(&cp, cmd->param, sizeof(cp));
+
+	mutex_unlock(&hdev->mgmt_pending_lock);
+
+	len = cmd->param_len;
 
 	memset(hdev->mesh_ad_types, 0, sizeof(hdev->mesh_ad_types));
 
-	if (cp->enable)
+	if (cp.enable)
 		hci_dev_set_flag(hdev, HCI_MESH);
 	else
 		hci_dev_clear_flag(hdev, HCI_MESH);
 
-	hdev->le_scan_interval = __le16_to_cpu(cp->period);
-	hdev->le_scan_window = __le16_to_cpu(cp->window);
+	hdev->le_scan_interval = __le16_to_cpu(cp.period);
+	hdev->le_scan_window = __le16_to_cpu(cp.window);
 
-	len -= sizeof(*cp);
+	len -= sizeof(cp);
 
 	/* If filters don't fit, forward all adv pkts */
 	if (len <= sizeof(hdev->mesh_ad_types))
-		memcpy(hdev->mesh_ad_types, cp->ad_types, len);
+		memcpy(hdev->mesh_ad_types, cp.ad_types, len);
 
 	hci_update_passive_scan_sync(hdev);
 	return 0;
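Review bot: copying only sizeof(cp) bytes of cmd->param into the stack-local struct mgmt_cp_set_mesh and then doing `memcpy(hdev->mesh_ad_types, cp.ad_types, len)` with len = cmd->param_len - sizeof(cp) reads past the local: the variable-length ad_types payload that followed the fixed header in cmd->param was never copied, so the source of that memcpy is whatever sits after cp on the stack. Either copy the ad_types bytes out of cmd->param while mgmt_pending_lock is held (they fit, given the `len <= sizeof(hdev->mesh_ad_types)` check), or fill hdev->mesh_ad_types directly from cmd->param under the lock. Separately, `len = cmd->param_len` is read after the lock is dropped; move it into the locked region with the other reads.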
@@ -3802,15 +3860,16 @@ static int name_changed_sync(struct hci_dev *hdev, void *data)
 static void set_name_complete(struct hci_dev *hdev, void *data, int err)
 {
 	struct mgmt_pending_cmd *cmd = data;
-	struct mgmt_cp_set_local_name *cp = cmd->param;
+	struct mgmt_cp_set_local_name *cp;
 	u8 status = mgmt_status(err);
 
 	bt_dev_dbg(hdev, "err %d", err);
 
-	if (err == -ECANCELED ||
-	    cmd != pending_find(MGMT_OP_SET_LOCAL_NAME, hdev))
+	if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd))
 		return;
 
+	cp = cmd->param;
+
 	if (status) {
 		mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME,
 				status);
@@ -3822,16 +3881,27 @@ static void set_name_complete(struct hci_dev *hdev, void *data, int err)
 			hci_cmd_sync_queue(hdev, name_changed_sync, NULL, NULL);
 	}
 
-	mgmt_pending_remove(cmd);
+	mgmt_pending_free(cmd);
 }
 
 static int set_name_sync(struct hci_dev *hdev, void *data)
 {
 	struct mgmt_pending_cmd *cmd = data;
-	struct mgmt_cp_set_local_name *cp = cmd->param;
+	struct mgmt_cp_set_local_name cp;
+
+	mutex_lock(&hdev->mgmt_pending_lock);
+
+	if (!__mgmt_pending_listed(hdev, cmd)) {
+		mutex_unlock(&hdev->mgmt_pending_lock);
+		return -ECANCELED;
+	}
+
+	memcpy(&cp, cmd->param, sizeof(cp));
+
+	mutex_unlock(&hdev->mgmt_pending_lock);
 
 	if (lmp_bredr_capable(hdev)) {
-		hci_update_name_sync(hdev, cp->name);
+		hci_update_name_sync(hdev, cp.name);
 		hci_update_eir_sync(hdev);
 	}
 
@@ -3983,12 +4053,10 @@ int mgmt_phy_configuration_changed(struct hci_dev *hdev, struct sock *skip)
 static void set_default_phy_complete(struct hci_dev *hdev, void *data, int err)
 {
 	struct mgmt_pending_cmd *cmd = data;
-	struct sk_buff *skb = cmd->skb;
+	struct sk_buff *skb;
 	u8 status = mgmt_status(err);
 
-	if (err == -ECANCELED ||
-	    cmd != pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev))
-		return;
+	skb = cmd->skb;
 
 	if (!status) {
 		if (!skb)
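Review bot: dropping the whole `if (err == -ECANCELED || cmd != pending_find(...)) return;` check changes behaviour in two ways the commit message should spell out. The pending_find() half had to go because set_phy_configuration() now allocates with mgmt_pending_new() and the cmd is never on hdev->mgmt_pending, but the -ECANCELED half disappears too, so a cancelled command now sends an error status to the socket and is freed here instead of being silently skipped. That is actually required (nothing else references an unlisted cmd, so skipping would leak it and cmd->skb), but it relies on cmd->skb being NULL or an ERR_PTR when the job never ran; a short comment above `skb = cmd->skb;` stating that this callback now owns cmd on every path, including cancellation, would save the next reader the same analysis.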
@@ -4015,7 +4083,7 @@ static void set_default_phy_complete(struct hci_dev *hdev, void *data, int err)
 	if (skb && !IS_ERR(skb))
 		kfree_skb(skb);
 
-	mgmt_pending_remove(cmd);
+	mgmt_pending_free(cmd);
 }
 
 static int set_default_phy_sync(struct hci_dev *hdev, void *data)
@@ -4023,7 +4091,9 @@ static int set_default_phy_sync(struct hci_dev *hdev, void *data)
 	struct mgmt_pending_cmd *cmd = data;
 	struct mgmt_cp_set_phy_configuration *cp = cmd->param;
 	struct hci_cp_le_set_default_phy cp_phy;
-	u32 selected_phys = __le32_to_cpu(cp->selected_phys);
+	u32 selected_phys;
+
+	selected_phys = __le32_to_cpu(cp->selected_phys);
 
 	memset(&cp_phy, 0, sizeof(cp_phy));
 
@@ -4163,7 +4233,7 @@ static int set_phy_configuration(struct sock *sk, struct hci_dev *hdev,
 		goto unlock;
 	}
 
-	cmd = mgmt_pending_add(sk, MGMT_OP_SET_PHY_CONFIGURATION, hdev, data,
+	cmd = mgmt_pending_new(sk, MGMT_OP_SET_PHY_CONFIGURATION, hdev, data,
 			       len);
 	if (!cmd)
 		err = -ENOMEM;
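Review bot: switching to mgmt_pending_new() means this cmd never appears on hdev->mgmt_pending, so none of the list walkers (mgmt_pending_foreach() in the cleanup paths, pending_find()) can see it any more; its lifetime now depends entirely on set_default_phy_complete() being invoked for every queued job, including the -ECANCELED case, and if set_phy_configuration() previously rejected a second SET_PHY_CONFIGURATION via pending_find() that busy check no longer triggers. Both consequences belong in the commit message.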
@@ -5253,7 +5323,17 @@ static void mgmt_add_adv_patterns_monitor_complete(struct hci_dev *hdev,
 {
 	struct mgmt_rp_add_adv_patterns_monitor rp;
 	struct mgmt_pending_cmd *cmd = data;
-	struct adv_monitor *monitor = cmd->user_data;
+	struct adv_monitor *monitor;
+
+	/* This is likely the result of hdev being closed and mgmt_index_removed
+	 * is attempting to clean up any pending command so
+	 * hci_adv_monitors_clear is about to be called which will take care of
+	 * freeing the adv_monitor instances.
+	 */
+	if (status == -ECANCELED && !mgmt_pending_valid(hdev, cmd))
+		return;
+
+	monitor = cmd->user_data;
 
 	hci_dev_lock(hdev);
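Review bot: the guard here is `status == -ECANCELED && !mgmt_pending_valid(hdev, cmd)` while every other completion in this patch uses `err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)`, and the two are not equivalent. On a normal completion mgmt_pending_valid() is never called, so cmd stays on hdev->mgmt_pending and the rest of this function must drop it with mgmt_pending_remove() rather than mgmt_pending_free(); on -ECANCELED with cmd still listed, mgmt_pending_valid() unlinks it and the function then carries on into hci_dev_lock() and uses `monitor`, even though the comment just above says hci_adv_monitors_clear() is about to free the adv_monitor instances. State in the comment which of these is intended, or use the same condition as the other callbacks.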
 
@@ -5279,9 +5359,20 @@ static void mgmt_add_adv_patterns_monitor_complete(struct hci_dev *hdev,
 static int mgmt_add_adv_patterns_monitor_sync(struct hci_dev *hdev, void *data)
 {
 	struct mgmt_pending_cmd *cmd = data;
-	struct adv_monitor *monitor = cmd->user_data;
+	struct adv_monitor *mon;
+
+	mutex_lock(&hdev->mgmt_pending_lock);
+
+	if (!__mgmt_pending_listed(hdev, cmd)) {
+		mutex_unlock(&hdev->mgmt_pending_lock);
+		return -ECANCELED;
+	}
+
+	mon = cmd->user_data;
+
+	mutex_unlock(&hdev->mgmt_pending_lock);
 
-	return hci_add_adv_monitor(hdev, monitor);
+	return hci_add_adv_monitor(hdev, mon);
 }
 
 static int __add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev,
@@ -5548,7 +5639,8 @@ static int remove_adv_monitor(struct sock *sk, struct hci_dev *hdev,
 			       status);
 }
 
-static void read_local_oob_data_complete(struct hci_dev *hdev, void *data, int err)
+static void read_local_oob_data_complete(struct hci_dev *hdev, void *data,
+					 int err)
 {
 	struct mgmt_rp_read_local_oob_data mgmt_rp;
 	size_t rp_size = sizeof(mgmt_rp);
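Review bot: this hunk and the next only re-wrap read_local_oob_data_complete()'s prototype and its mgmt_cmd_status() call to fit 80 columns; they are unrelated to the UAF fix and make the stable diff larger and harder to audit, so keep cosmetic reflowing out of a backported fix.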
@@ -5568,7 +5660,8 @@ static void read_local_oob_data_complete(struct hci_dev *hdev, void *data, int e
 	bt_dev_dbg(hdev, "status %d", status);
 
 	if (status) {
-		mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA, status);
+		mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
+				status);
 		goto remove;
 	}
 
@@ -5873,17 +5966,12 @@ static void start_discovery_complete(struct hci_dev *hdev, void *data, int err)
 
 	bt_dev_dbg(hdev, "err %d", err);
 
-	if (err == -ECANCELED)
-		return;
-
-	if (cmd != pending_find(MGMT_OP_START_DISCOVERY, hdev) &&
-	    cmd != pending_find(MGMT_OP_START_LIMITED_DISCOVERY, hdev) &&
-	    cmd != pending_find(MGMT_OP_START_SERVICE_DISCOVERY, hdev))
+	if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd))
 		return;
 
 	mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_status(err),
 			  cmd->param, 1);
-	mgmt_pending_remove(cmd);
+	mgmt_pending_free(cmd);
 
 	hci_discovery_set_state(hdev, err ? DISCOVERY_STOPPED:
 				DISCOVERY_FINDING);
@@ -5891,6 +5979,9 @@ static void start_discovery_complete(struct hci_dev *hdev, void *data, int err)
 
 static int start_discovery_sync(struct hci_dev *hdev, void *data)
 {
+	if (!mgmt_pending_listed(hdev, data))
+		return -ECANCELED;
+
 	return hci_start_discovery_sync(hdev);
 }
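Review bot: mgmt_pending_listed() here is a snapshot taken before hci_start_discovery_sync() runs, which is fine because `data` is not dereferenced afterwards, but returning -ECANCELED has a knock-on effect: start_discovery_complete() then returns before hci_discovery_set_state(), so whatever discovery state the issuer set when it queued the command stays in place and the path that removed the cmd from the list becomes responsible for resetting it. A comment stating that assumption would help; the same applies to stop_discovery_sync() below.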
 
@@ -6113,15 +6204,14 @@ static void stop_discovery_complete(struct hci_dev *hdev, void *data, int err)
 {
 	struct mgmt_pending_cmd *cmd = data;
 
-	if (err == -ECANCELED ||
-	    cmd != pending_find(MGMT_OP_STOP_DISCOVERY, hdev))
+	if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd))
 		return;
 
 	bt_dev_dbg(hdev, "err %d", err);
 
 	mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_status(err),
 			  cmd->param, 1);
-	mgmt_pending_remove(cmd);
+	mgmt_pending_free(cmd);
 
 	if (!err)
 		hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
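Review bot: `bt_dev_dbg(hdev, "err %d", err);` sits after the new early return, so cancelled or already-removed completions log nothing, whereas start_discovery_complete() in the previous hunk logs before its check; move the debug line above the check so both callbacks trace the same way.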
@@ -6129,6 +6219,9 @@ static void stop_discovery_complete(struct hci_dev *hdev, void *data, int err)
 
 static int stop_discovery_sync(struct hci_dev *hdev, void *data)
 {
+	if (!mgmt_pending_listed(hdev, data))
+		return -ECANCELED;
+
 	return hci_stop_discovery_sync(hdev);
 }
 
@@ -6338,14 +6431,18 @@ static void enable_advertising_instance(struct hci_dev *hdev, int err)
 
 static void set_advertising_complete(struct hci_dev *hdev, void *data, int err)
 {
+	struct mgmt_pending_cmd *cmd = data;
 	struct cmd_lookup match = { NULL, hdev };
 	u8 instance;
 	struct adv_info *adv_instance;
 	u8 status = mgmt_status(err);
 
+	if (err == -ECANCELED || !mgmt_pending_valid(hdev, data))
+		return;
+
 	if (status) {
-		mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, true,
-				     cmd_status_rsp, &status);
+		mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, status);
+		mgmt_pending_free(cmd);
 		return;
 	}
 
@@ -6354,8 +6451,7 @@ static void set_advertising_complete(struct hci_dev *hdev, void *data, int err)
 	else
 		hci_dev_clear_flag(hdev, HCI_ADVERTISING);
 
-	mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, true, settings_rsp,
-			     &match);
+	settings_rsp(cmd, &match);
 
 	new_settings(hdev, match.sk);
 
@@ -6387,10 +6483,23 @@ static void set_advertising_complete(struct hci_dev *hdev, void *data, int err)
 static int set_adv_sync(struct hci_dev *hdev, void *data)
 {
 	struct mgmt_pending_cmd *cmd = data;
-	struct mgmt_mode *cp = cmd->param;
-	u8 val = !!cp->val;
+	struct mgmt_mode cp;
+	u8 val;
 
-	if (cp->val == 0x02)
+	mutex_lock(&hdev->mgmt_pending_lock);
+
+	if (!__mgmt_pending_listed(hdev, cmd)) {
+		mutex_unlock(&hdev->mgmt_pending_lock);
+		return -ECANCELED;
+	}
+
+	memcpy(&cp, cmd->param, sizeof(cp));
+
+	mutex_unlock(&hdev->mgmt_pending_lock);
+
+	val = !!cp.val;
+
+	if (cp.val == 0x02)
 		hci_dev_set_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
 	else
 		hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
@@ -8100,10 +8209,6 @@ static void read_local_oob_ext_data_complete(struct hci_dev *hdev, void *data,
 	u8 status = mgmt_status(err);
 	u16 eir_len;
 
-	if (err == -ECANCELED ||
-	    cmd != pending_find(MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev))
-		return;
-
 	if (!status) {
 		if (!skb)
 			status = MGMT_STATUS_FAILED;
@@ -8210,7 +8315,7 @@ static void read_local_oob_ext_data_complete(struct hci_dev *hdev, void *data,
 		kfree_skb(skb);
 
 	kfree(mgmt_rp);
-	mgmt_pending_remove(cmd);
+	mgmt_pending_free(cmd);
 }
 
 static int read_local_ssp_oob_req(struct hci_dev *hdev, struct sock *sk,
@@ -8219,7 +8324,7 @@ static int read_local_ssp_oob_req(struct hci_dev *hdev, struct sock *sk,
 	struct mgmt_pending_cmd *cmd;
 	int err;
 
-	cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev,
+	cmd = mgmt_pending_new(sk, MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev,
 			       cp, sizeof(*cp));
 	if (!cmd)
 		return -ENOMEM;
diff --git a/net/bluetooth/mgmt_util.c b/net/bluetooth/mgmt_util.c
index 4ba500c377a4c..e612121b96d0c 100644
--- a/net/bluetooth/mgmt_util.c
+++ b/net/bluetooth/mgmt_util.c
@@ -320,6 +320,52 @@ void mgmt_pending_remove(struct mgmt_pending_cmd *cmd)
 	mgmt_pending_free(cmd);
 }
 
+bool __mgmt_pending_listed(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd)
+{
+	struct mgmt_pending_cmd *tmp;
+
+	lockdep_assert_held(&hdev->mgmt_pending_lock);
+
+	if (!cmd)
+		return false;
+
+	list_for_each_entry(tmp, &hdev->mgmt_pending, list) {
+		if (cmd == tmp)
+			return true;
+	}
+
+	return false;
+}
+
+bool mgmt_pending_listed(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd)
+{
+	bool listed;
+
+	mutex_lock(&hdev->mgmt_pending_lock);
+	listed = __mgmt_pending_listed(hdev, cmd);
+	mutex_unlock(&hdev->mgmt_pending_lock);
+
+	return listed;
+}
+
+bool mgmt_pending_valid(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd)
+{
+	bool listed;
+
+	if (!cmd)
+		return false;
+
+	mutex_lock(&hdev->mgmt_pending_lock);
+
+	listed = __mgmt_pending_listed(hdev, cmd);
+	if (listed)
+		list_del(&cmd->list);
+
+	mutex_unlock(&hdev->mgmt_pending_lock);
+
+	return listed;
+}
+
 void mgmt_mesh_foreach(struct hci_dev *hdev,
 		       void (*cb)(struct mgmt_mesh_tx *mesh_tx, void *data),
 		       void *data, struct sock *sk)
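Review bot: mgmt_pending_valid() is not a pure predicate, it unlinks the cmd (`list_del(&cmd->list)`) as a side effect, and neither its name nor a comment says so; since every caller must then free with mgmt_pending_free() rather than mgmt_pending_remove(), give the three helpers kernel-doc stating the ownership contract (after mgmt_pending_valid() returns true the caller owns cmd and it is off the list; mgmt_pending_listed() is a snapshot that says nothing about cmd once the lock is dropped; __mgmt_pending_listed() requires mgmt_pending_lock), or rename it to something that reads as a take/unlink operation. Prefer list_del_init() over list_del() so a stray second unlink of the same cmd is a no-op instead of a write through the LIST_POISON pointers. The linear walk in __mgmt_pending_listed() is fine for this list size, but it now runs on every completion under the mutex and deserves a one-line comment.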
diff --git a/net/bluetooth/mgmt_util.h b/net/bluetooth/mgmt_util.h
index 024e51dd69375..bcba8c9d89528 100644
--- a/net/bluetooth/mgmt_util.h
+++ b/net/bluetooth/mgmt_util.h
@@ -65,6 +65,9 @@ struct mgmt_pending_cmd *mgmt_pending_new(struct sock *sk, u16 opcode,
 					  void *data, u16 len);
 void mgmt_pending_free(struct mgmt_pending_cmd *cmd);
 void mgmt_pending_remove(struct mgmt_pending_cmd *cmd);
+bool __mgmt_pending_listed(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd);
+bool mgmt_pending_listed(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd);
+bool mgmt_pending_valid(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd);
 void mgmt_mesh_foreach(struct hci_dev *hdev,
 		       void (*cb)(struct mgmt_mesh_tx *mesh_tx, void *data),
 		       void *data, struct sock *sk);
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 476+ messages in thread

* [PATCH 6.6 015/474] padata: Fix pd UAF once and for all
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2026-05-15 15:42 ` [PATCH 6.6 014/474] Bluetooth: MGMT: Fix possible UAFs Greg Kroah-Hartman
@ 2026-05-15 15:42 ` Greg Kroah-Hartman
  2026-05-15 15:42 ` [PATCH 6.6 016/474] padata: Remove comment for reorder_work Greg Kroah-Hartman
                   ` (459 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Herbert Xu, Bin Lan, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

[ Upstream commit 71203f68c7749609d7fc8ae6ad054bdedeb24f91 ]

There is a race condition/UAF in padata_reorder that goes back
to the initial commit.  A reference count is taken at the start
of the process in padata_do_parallel, and released at the end in
padata_serial_worker.

This reference count is (and only is) required for padata_replace
to function correctly.  If padata_replace is never called then
there is no issue.

In the function padata_reorder which serves as the core of padata,
as soon as padata is added to queue->serial.list, and the associated
spin lock released, that padata may be processed and the reference
count on pd would go away.

Fix this by getting the next padata before the squeue->serial lock
is released.

In order to make this possible, simplify padata_reorder by only
calling it once the next padata arrives.

Fixes: 16295bec6398 ("padata: Generic parallelization/serialization interface")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[ Adjust context of padata_find_next(). Replace
cpumask_next_wrap(cpu, pd->cpumask.pcpu) with
cpumask_next_wrap(cpu, pd->cpumask.pcpu, -1, false) in padata_reorder() in
v6.6 according to dc5bb9b769c9 ("cpumask: deprecate cpumask_next_wrap()") and
f954a2d37637 ("padata: switch padata_find_next() to using cpumask_next_wrap()"). ]
Signed-off-by: Bin Lan <lanbincn@139.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/padata.h |   3 -
 kernel/padata.c        | 136 +++++++++++------------------------------
 2 files changed, 37 insertions(+), 102 deletions(-)

diff --git a/include/linux/padata.h b/include/linux/padata.h
index 495b16b6b4d72..9ca779d7e310e 100644
--- a/include/linux/padata.h
+++ b/include/linux/padata.h
@@ -91,7 +91,6 @@ struct padata_cpumask {
  * @cpu: Next CPU to be processed.
  * @cpumask: The cpumasks in use for parallel and serial workers.
  * @reorder_work: work struct for reordering.
- * @lock: Reorder lock.
  */
 struct parallel_data {
 	struct padata_shell		*ps;
@@ -102,8 +101,6 @@ struct parallel_data {
 	unsigned int			processed;
 	int				cpu;
 	struct padata_cpumask		cpumask;
-	struct work_struct		reorder_work;
-	spinlock_t                      ____cacheline_aligned lock;
 };
 
 /**
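Review bot: the field list drops both `reorder_work` and `lock`, but the kernel-doc block above it only loses the `@lock:` line; `@reorder_work: work struct for reordering.` (unchanged context at the top of the hunk) now documents a member that no longer exists. Remove it here rather than in a follow-up (patch 016/474 in this series exists solely to delete that line), so the backport stays kernel-doc clean at every step.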
diff --git a/kernel/padata.c b/kernel/padata.c
index 9260ab0b39eb5..44ea75bfd8681 100644
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -261,20 +261,17 @@ EXPORT_SYMBOL(padata_do_parallel);
  *   be parallel processed by another cpu and is not yet present in
  *   the cpu's reorder queue.
  */
-static struct padata_priv *padata_find_next(struct parallel_data *pd,
-					    bool remove_object)
+static struct padata_priv *padata_find_next(struct parallel_data *pd, int cpu,
+					    unsigned int processed)
 {
 	struct padata_priv *padata;
 	struct padata_list *reorder;
-	int cpu = pd->cpu;
 
 	reorder = per_cpu_ptr(pd->reorder_list, cpu);
 
 	spin_lock(&reorder->lock);
-	if (list_empty(&reorder->list)) {
-		spin_unlock(&reorder->lock);
-		return NULL;
-	}
+	if (list_empty(&reorder->list))
+		goto notfound;
 
 	padata = list_entry(reorder->list.next, struct padata_priv, list);
 
@@ -282,101 +279,52 @@ static struct padata_priv *padata_find_next(struct parallel_data *pd,
 	 * Checks the rare case where two or more parallel jobs have hashed to
 	 * the same CPU and one of the later ones finishes first.
 	 */
-	if (padata->seq_nr != pd->processed) {
-		spin_unlock(&reorder->lock);
-		return NULL;
-	}
-
-	if (remove_object) {
-		list_del_init(&padata->list);
-		++pd->processed;
-		/* When sequence wraps around, reset to the first CPU. */
-		if (unlikely(pd->processed == 0))
-			pd->cpu = cpumask_first(pd->cpumask.pcpu);
-		else
-			pd->cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu, -1, false);
-	}
+	if (padata->seq_nr != processed)
+		goto notfound;
 
+	list_del_init(&padata->list);
 	spin_unlock(&reorder->lock);
 	return padata;
+
+notfound:
+	pd->processed = processed;
+	pd->cpu = cpu;
+	spin_unlock(&reorder->lock);
+	return NULL;
 }
 
-static void padata_reorder(struct parallel_data *pd)
+static void padata_reorder(struct padata_priv *padata)
 {
+	struct parallel_data *pd = padata->pd;
 	struct padata_instance *pinst = pd->ps->pinst;
-	int cb_cpu;
-	struct padata_priv *padata;
-	struct padata_serial_queue *squeue;
-	struct padata_list *reorder;
+	unsigned int processed;
+	int cpu;
 
-	/*
-	 * We need to ensure that only one cpu can work on dequeueing of
-	 * the reorder queue the time. Calculating in which percpu reorder
-	 * queue the next object will arrive takes some time. A spinlock
-	 * would be highly contended. Also it is not clear in which order
-	 * the objects arrive to the reorder queues. So a cpu could wait to
-	 * get the lock just to notice that there is nothing to do at the
-	 * moment. Therefore we use a trylock and let the holder of the lock
-	 * care for all the objects enqueued during the holdtime of the lock.
-	 */
-	if (!spin_trylock_bh(&pd->lock))
-		return;
+	processed = pd->processed;
+	cpu = pd->cpu;
 
-	while (1) {
-		padata = padata_find_next(pd, true);
+	do {
+		struct padata_serial_queue *squeue;
+		int cb_cpu;
 
-		/*
-		 * If the next object that needs serialization is parallel
-		 * processed by another cpu and is still on it's way to the
-		 * cpu's reorder queue, nothing to do for now.
-		 */
-		if (!padata)
-			break;
+		cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu, -1, false);
+		processed++;
 
 		cb_cpu = padata->cb_cpu;
 		squeue = per_cpu_ptr(pd->squeue, cb_cpu);
 
 		spin_lock(&squeue->serial.lock);
 		list_add_tail(&padata->list, &squeue->serial.list);
-		spin_unlock(&squeue->serial.lock);
-
 		queue_work_on(cb_cpu, pinst->serial_wq, &squeue->work);
-	}
 
-	spin_unlock_bh(&pd->lock);
-
-	/*
-	 * The next object that needs serialization might have arrived to
-	 * the reorder queues in the meantime.
-	 *
-	 * Ensure reorder queue is read after pd->lock is dropped so we see
-	 * new objects from another task in padata_do_serial.  Pairs with
-	 * smp_mb in padata_do_serial.
-	 */
-	smp_mb();
-
-	reorder = per_cpu_ptr(pd->reorder_list, pd->cpu);
-	if (!list_empty(&reorder->list) && padata_find_next(pd, false)) {
 		/*
-		 * Other context(eg. the padata_serial_worker) can finish the request.
-		 * To avoid UAF issue, add pd ref here, and put pd ref after reorder_work finish.
+		 * If the next object that needs serialization is parallel
+		 * processed by another cpu and is still on it's way to the
+		 * cpu's reorder queue, end the loop.
 		 */
-		padata_get_pd(pd);
-		if (!queue_work(pinst->serial_wq, &pd->reorder_work))
-			padata_put_pd(pd);
-	}
-}
-
-static void invoke_padata_reorder(struct work_struct *work)
-{
-	struct parallel_data *pd;
-
-	local_bh_disable();
-	pd = container_of(work, struct parallel_data, reorder_work);
-	padata_reorder(pd);
-	local_bh_enable();
-	/* Pairs with putting the reorder_work in the serial_wq */
-	padata_put_pd(pd);
+		padata = padata_find_next(pd, cpu, processed);
+		spin_unlock(&squeue->serial.lock);
+	} while (padata);
 }
 
 static void padata_serial_worker(struct work_struct *serial_work)
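Review bot: the wrap-around handling in the removed lines (`if (unlikely(pd->processed == 0)) pd->cpu = cpumask_first(pd->cpumask.pcpu); else pd->cpu = cpumask_next_wrap(...)`) has no counterpart in the new loop, which unconditionally does `cpu = cpumask_next_wrap(cpu, ...)` and `processed++`. The old reset existed because sequence numbers are hashed to CPUs as seq_nr modulo the parallel CPU count (padata_alloc_pd() still starts with seq_nr = -1 and pd->cpu = cpumask_first()), so once `processed` wraps to 0 the expected CPU is cpumask_first() again; for CPU counts that do not divide 2^32 the loop then inspects the wrong reorder queue, commits the wrong `pd->cpu` on the notfound path, and an object already queued on the correct CPU is never picked up. Either restore the `processed == 0` reset or explain in the commit message why it is no longer needed. Separately, the lock nesting is new: padata_find_next() takes reorder->lock while squeue->serial.lock is held, and queue_work_on() now runs under serial.lock; both are fine but should be noted in a comment, since the trylock/smp_mb() rationale that used to explain the ordering is deleted here.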
@@ -427,6 +375,7 @@ void padata_do_serial(struct padata_priv *padata)
 	struct padata_list *reorder = per_cpu_ptr(pd->reorder_list, hashed_cpu);
 	struct padata_priv *cur;
 	struct list_head *pos;
+	bool gotit = true;
 
 	spin_lock(&reorder->lock);
 	/* Sort in ascending order of sequence number. */
@@ -436,17 +385,14 @@ void padata_do_serial(struct padata_priv *padata)
 		if ((signed int)(cur->seq_nr - padata->seq_nr) < 0)
 			break;
 	}
-	list_add(&padata->list, pos);
+	if (padata->seq_nr != pd->processed) {
+		gotit = false;
+		list_add(&padata->list, pos);
+	}
 	spin_unlock(&reorder->lock);
 
-	/*
-	 * Ensure the addition to the reorder list is ordered correctly
-	 * with the trylock of pd->lock in padata_reorder.  Pairs with smp_mb
-	 * in padata_reorder.
-	 */
-	smp_mb();
-
-	padata_reorder(pd);
+	if (gotit)
+		padata_reorder(padata);
 }
 EXPORT_SYMBOL(padata_do_serial);
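Review bot: the comparison `if (padata->seq_nr != pd->processed)` is now the single hand-off point that decides whether this caller becomes the serialiser, and its correctness rests on an invariant that is no longer written down after the smp_mb() comments were removed: pd->processed is only ever published (in padata_find_next()'s notfound path) under the reorder->lock of the CPU the next sequence number hashes to, which is exactly the lock this function holds for `hashed_cpu`, so the read here cannot race with the writer. Please add that as a comment above the check; the unlocked reads of pd->processed and pd->cpu at the top of padata_reorder() are safe only because the reader is the thread that just won this check, and that belongs in the same comment. Minor: `gotit` would read better as something like `serialize`.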
 
@@ -633,9 +579,7 @@ static struct parallel_data *padata_alloc_pd(struct padata_shell *ps)
 	padata_init_squeues(pd);
 	pd->seq_nr = -1;
 	refcount_set(&pd->refcnt, 1);
-	spin_lock_init(&pd->lock);
 	pd->cpu = cpumask_first(pd->cpumask.pcpu);
-	INIT_WORK(&pd->reorder_work, invoke_padata_reorder);
 
 	return pd;
 
@@ -1145,12 +1089,6 @@ void padata_free_shell(struct padata_shell *ps)
 	if (!ps)
 		return;
 
-	/*
-	 * Wait for all _do_serial calls to finish to avoid touching
-	 * freed pd's and ps's.
-	 */
-	synchronize_rcu();
-
 	mutex_lock(&ps->pinst->lock);
 	list_del(&ps->list);
 	pd = rcu_dereference_protected(ps->pd, 1);
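Review bot: the synchronize_rcu() removed here was documented as waiting for in-flight padata_do_serial() callers before pd and ps are torn down, and neither this hunk nor the commit message explains why the reorder rework makes that wait unnecessary (the message only discusses the reference count inside padata_reorder()). If the argument is that every padata_do_serial() now runs entirely under the pd reference taken in padata_do_parallel(), say so in the commit message; otherwise this is an unrelated change that should be a separate patch.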
-- 
2.53.0





* [PATCH 6.6 016/474] padata: Remove comment for reorder_work
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2026-05-15 15:42 ` [PATCH 6.6 015/474] padata: Fix pd UAF once and for all Greg Kroah-Hartman
@ 2026-05-15 15:42 ` Greg Kroah-Hartman
  2026-05-15 15:42 ` [PATCH 6.6 017/474] drm/amdgpu: Use vmemdup_array_user in amdgpu_bo_create_list_entry_array Greg Kroah-Hartman
                   ` (458 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Stephen Rothwell, Herbert Xu,
	Bin Lan, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

[ Upstream commit 82a0302e7167d0b7c6cde56613db3748f8dd806d ]

Remove comment for reorder_work which no longer exists.

Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Fixes: 71203f68c774 ("padata: Fix pd UAF once and for all")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Bin Lan <lanbincn@139.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/padata.h | 1 -
 1 file changed, 1 deletion(-)

diff --git a/include/linux/padata.h b/include/linux/padata.h
index 9ca779d7e310e..6f07e12a43819 100644
--- a/include/linux/padata.h
+++ b/include/linux/padata.h
@@ -90,7 +90,6 @@ struct padata_cpumask {
  * @processed: Number of already processed objects.
  * @cpu: Next CPU to be processed.
  * @cpumask: The cpumasks in use for parallel and serial workers.
- * @reorder_work: work struct for reordering.
  */
 struct parallel_data {
 	struct padata_shell		*ps;
-- 
2.53.0





* [PATCH 6.6 017/474] drm/amdgpu: Use vmemdup_array_user in amdgpu_bo_create_list_entry_array
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2026-05-15 15:42 ` [PATCH 6.6 016/474] padata: Remove comment for reorder_work Greg Kroah-Hartman
@ 2026-05-15 15:42 ` Greg Kroah-Hartman
  2026-05-15 15:42 ` [PATCH 6.6 018/474] drm/amdgpu: Limit BO list entry count to prevent resource exhaustion Greg Kroah-Hartman
                   ` (457 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tvrtko Ursulin, Alex Deucher,
	Fang Wang, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>

[ Upstream commit c4ac100e9ae252b09986766ad23b1f83ca3a369d ]

Replace kvmalloc_array() + copy_from_user() with vmemdup_array_user() on
the fast path.

This shrinks the source code and improves separation between the kernel
and userspace slabs.

Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Fang Wang <32840572@qq.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c | 41 +++++++++------------
 1 file changed, 17 insertions(+), 24 deletions(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
index 9a53ca555e708..db0a1c828fe15 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
@@ -195,43 +195,36 @@ void amdgpu_bo_list_put(struct amdgpu_bo_list *list)
 int amdgpu_bo_create_list_entry_array(struct drm_amdgpu_bo_list_in *in,
 				      struct drm_amdgpu_bo_list_entry **info_param)
 {
-	const void __user *uptr = u64_to_user_ptr(in->bo_info_ptr);
 	const uint32_t info_size = sizeof(struct drm_amdgpu_bo_list_entry);
+	const void __user *uptr = u64_to_user_ptr(in->bo_info_ptr);
+	const uint32_t bo_info_size = in->bo_info_size;
+	const uint32_t bo_number = in->bo_number;
 	struct drm_amdgpu_bo_list_entry *info;
-	int r;
-
-	info = kvmalloc_array(in->bo_number, info_size, GFP_KERNEL);
-	if (!info)
-		return -ENOMEM;
 
 	/* copy the handle array from userspace to a kernel buffer */
-	r = -EFAULT;
-	if (likely(info_size == in->bo_info_size)) {
-		unsigned long bytes = in->bo_number *
-			in->bo_info_size;
-
-		if (copy_from_user(info, uptr, bytes))
-			goto error_free;
-
+	if (likely(info_size == bo_info_size)) {
+		info = vmemdup_array_user(uptr, bo_number, info_size);
+		if (IS_ERR(info))
+			return PTR_ERR(info);
 	} else {
-		unsigned long bytes = min(in->bo_info_size, info_size);
+		const uint32_t bytes = min(bo_info_size, info_size);
 		unsigned i;
 
-		memset(info, 0, in->bo_number * info_size);
-		for (i = 0; i < in->bo_number; ++i) {
-			if (copy_from_user(&info[i], uptr, bytes))
-				goto error_free;
+		info = kvmalloc_array(bo_number, info_size, GFP_KERNEL);
+		if (!info)
+			return -ENOMEM;
 
-			uptr += in->bo_info_size;
+		memset(info, 0, bo_number * info_size);
+		for (i = 0; i < bo_number; ++i, uptr += bo_info_size) {
+			if (copy_from_user(&info[i], uptr, bytes)) {
+				kvfree(info);
+				return -EFAULT;
+			}
 		}
 	}
 
 	*info_param = info;
 	return 0;
-
-error_free:
-	kvfree(info);
-	return r;
 }
 
 int amdgpu_bo_list_ioctl(struct drm_device *dev, void *data,
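Review bot: for a stable backport this hunk is a pure refactor (kvmalloc_array()+copy_from_user() to vmemdup_array_user(), variable reordering, early returns) carried only so that patch 018/474, whose index line db0a1c828fe15 matches this hunk's result, applies cleanly; the bo_number limit it needs could equally be added against the original code as a three-line change, which is the smaller and more reviewable stable patch. If it is kept, the slow path still computes `bo_number * info_size` for memset() in 32-bit arithmetic while kvmalloc_array() checks the product in size_t; that is pre-existing and practically unreachable since kvmalloc() rejects sizes above INT_MAX, but a rewrite of this function is the place to use array_size() and make it explicit.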
-- 
2.53.0





* [PATCH 6.6 018/474] drm/amdgpu: Limit BO list entry count to prevent resource exhaustion
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2026-05-15 15:42 ` [PATCH 6.6 017/474] drm/amdgpu: Use vmemdup_array_user in amdgpu_bo_create_list_entry_array Greg Kroah-Hartman
@ 2026-05-15 15:42 ` Greg Kroah-Hartman
  2026-05-15 15:42 ` [PATCH 6.6 019/474] regset: use kvzalloc() for regset_get_alloc() Greg Kroah-Hartman
                   ` (456 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christian König, Jesse Zhang,
	Alex Deucher, Fang Wang, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jesse.Zhang <Jesse.Zhang@amd.com>

[ Upstream commit 6270b1a5dab94665d7adce3dc78bc9066ed28bdd ]

Userspace can pass an arbitrary number of BO list entries via the
bo_number field. Although the previous multiplication overflow check
prevents out-of-bounds allocation, a large number of entries could still
cause excessive memory allocation (up to potentially gigabytes) and
unnecessarily long list processing times.

Introduce a hard limit of 128k entries per BO list, which is more than
sufficient for any realistic use case (e.g., a single list containing all
buffers in a large scene). This prevents memory exhaustion attacks and
ensures predictable performance.

Return -EINVAL if the requested entry count exceeds the limit.

Reviewed-by: Christian König <christian.koenig@amd.com>
Suggested-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Jesse Zhang <jesse.zhang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 688b87d39e0aa8135105b40dc167d74b5ada5332)
Cc: stable@vger.kernel.org
Signed-off-by: Fang Wang <32840572@qq.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
index db0a1c828fe15..4efdc49d1015f 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
@@ -36,6 +36,7 @@
 
 #define AMDGPU_BO_LIST_MAX_PRIORITY	32u
 #define AMDGPU_BO_LIST_NUM_BUCKETS	(AMDGPU_BO_LIST_MAX_PRIORITY + 1)
+#define AMDGPU_BO_LIST_MAX_ENTRIES	(128 * 1024)
 
 static void amdgpu_bo_list_free_rcu(struct rcu_head *rcu)
 {
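Review bot: `#define AMDGPU_BO_LIST_MAX_ENTRIES (128 * 1024)` is a policy constant with no comment; put the rationale from the commit message next to the define (enough for every buffer in a large scene, bounds the allocation to 128k entries times sizeof(struct drm_amdgpu_bo_list_entry)) so the next person who hits the limit knows what it protects and how it was chosen.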
@@ -201,6 +202,9 @@ int amdgpu_bo_create_list_entry_array(struct drm_amdgpu_bo_list_in *in,
 	const uint32_t bo_number = in->bo_number;
 	struct drm_amdgpu_bo_list_entry *info;
 
+	if (bo_number > AMDGPU_BO_LIST_MAX_ENTRIES)
+		return -EINVAL;
+
 	/* copy the handle array from userspace to a kernel buffer */
 	if (likely(info_size == bo_info_size)) {
 		info = vmemdup_array_user(uptr, bo_number, info_size);
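Review bot: the check is placed before any allocation, which is right, but it rejects silently with -EINVAL, the same errno the ioctl returns for malformed input, so userspace cannot tell "too many entries" from "bad handle". Consider -E2BIG or at least a DRM_DEBUG()-level message, and since this is a uapi-visible limit on drm_amdgpu_bo_list_in.bo_number it should be documented in the uapi header.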
-- 
2.53.0





* [PATCH 6.6 019/474] regset: use kvzalloc() for regset_get_alloc()
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2026-05-15 15:42 ` [PATCH 6.6 018/474] drm/amdgpu: Limit BO list entry count to prevent resource exhaustion Greg Kroah-Hartman
@ 2026-05-15 15:42 ` Greg Kroah-Hartman
  2026-05-15 15:42 ` [PATCH 6.6 020/474] device property: Make modifications of fwnode "flags" thread safe Greg Kroah-Hartman
                   ` (455 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Douglas Anderson, Catalin Marinas,
	Al Viro, Christian Brauner, Dave Martin, Eric Biederman, Jan Kara,
	Kees Cook, Mark Brown, Matthew Wilcox (Oracle), Oleg Nesterov,
	Will Deacon, Andrew Morton, Wen Yang, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Douglas Anderson <dianders@chromium.org>

commit 6b839b3b76cf17296ebd4a893841f32cae08229c upstream.

While browsing through ChromeOS crash reports, I found one with an
allocation failure that looked like this:

  chrome: page allocation failure: order:7,
          mode:0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO),
	  nodemask=(null),cpuset=urgent,mems_allowed=0
  CPU: 7 PID: 3295 Comm: chrome Not tainted
          5.15.133-20574-g8044615ac35c #1 (HASH:1162 1)
  Hardware name: Google Lazor (rev3 - 8) with KB Backlight (DT)
  Call trace:
  ...
  warn_alloc+0x104/0x174
  __alloc_pages+0x5f0/0x6e4
  kmalloc_order+0x44/0x98
  kmalloc_order_trace+0x34/0x124
  __kmalloc+0x228/0x36c
  __regset_get+0x68/0xcc
  regset_get_alloc+0x1c/0x28
  elf_core_dump+0x3d8/0xd8c
  do_coredump+0xeb8/0x1378
  get_signal+0x14c/0x804
  ...

An order 7 allocation is (1 << 7) contiguous pages, or 512K. It's not
a surprise that this allocation failed on a system that's been running
for a while.

More digging showed that it was fairly easy to see the order 7
allocation by just sending a SIGQUIT to chrome (or other processes) to
generate a core dump. The actual amount being allocated was 279,584
bytes and it was for "core_note_type" NT_ARM_SVE.

There was quite a bit of discussion [1] on the mailing lists in
response to my v1 patch attempting to switch to vmalloc. The overall
conclusion was that we could likely reduce the 279,584 byte allocation
by quite a bit and Mark Brown has sent a patch to that effect [2].
However even with the 279,584 byte allocation gone there are still
65,552 byte allocations. These are just barely more than the 65,536
bytes and thus would require an order 5 allocation.

An order 5 allocation is still something to avoid unless necessary and
nothing needs the memory here to be contiguous. Change the allocation
to kvzalloc() which should still be efficient for small allocations
but doesn't force the memory subsystem to work hard (and maybe fail)
at getting a large contiguous chunk.

[1] https://lore.kernel.org/r/20240201171159.1.Id9ad163b60d21c9e56c2d686b0cc9083a8ba7924@changeid
[2] https://lore.kernel.org/r/20240203-arm64-sve-ptrace-regset-size-v1-1-2c3ba1386b9e@kernel.org

Link: https://lkml.kernel.org/r/20240205092626.v2.1.Id9ad163b60d21c9e56c2d686b0cc9083a8ba7924@changeid
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Dave Martin <Dave.Martin@arm.com>
Cc: Eric Biederman <ebiederm@xmission.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Kees Cook <keescook@chromium.org>
Cc: Mark Brown <broonie@kernel.org>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Wen Yang <wen.yang@linux.dev>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/binfmt_elf.c | 2 +-
 kernel/regset.c | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index 3ff7d2e47c7e9..e4348dd76658e 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -2035,7 +2035,7 @@ static void free_note_info(struct elf_note_info *info)
 		threads = t->next;
 		WARN_ON(t->notes[0].data && t->notes[0].data != &t->prstatus);
 		for (i = 1; i < info->thread_notes; ++i)
-			kfree(t->notes[i].data);
+			kvfree(t->notes[i].data);
 		kfree(t);
 	}
 	kfree(info->psinfo.data);
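Review bot: the switch to kvfree() covers only t->notes[i] for i >= 1, which is correct for buffers handed out by regset_get_alloc(), but kfree(info->psinfo.data) two lines below and any other regset_get_alloc() consumer in this file stay on kfree(); please confirm psinfo is not filled through regset_get_alloc() and that no other caller of it in binfmt_elf.c still uses kfree(), since kfree() on vmalloc memory is a mismatched free. A one-line comment on the loop saying "notes[] data comes from regset_get_alloc() and must be kvfree()'d" would keep a future refactor from reverting this.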
diff --git a/kernel/regset.c b/kernel/regset.c
index 586823786f397..b2871fa68b2a7 100644
--- a/kernel/regset.c
+++ b/kernel/regset.c
@@ -16,14 +16,14 @@ static int __regset_get(struct task_struct *target,
 	if (size > regset->n * regset->size)
 		size = regset->n * regset->size;
 	if (!p) {
-		to_free = p = kzalloc(size, GFP_KERNEL);
+		to_free = p = kvzalloc(size, GFP_KERNEL);
 		if (!p)
 			return -ENOMEM;
 	}
 	res = regset->regset_get(target, regset,
 			   (struct membuf){.p = p, .left = size});
 	if (res < 0) {
-		kfree(to_free);
+		kvfree(to_free);
 		return res;
 	}
 	*data = p;
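Review bot: GFP_KERNEL is the right flag here, because kvzalloc() tries kmalloc first and only takes the vmalloc fallback for requests larger than a page when the flags allow blocking; small regsets therefore keep the kzalloc fast path, and the lost physical contiguity is harmless since the buffer is only written through the membuf and later copied out. Worth a comment on the size clamp above (size is bounded by regset->n * regset->size) noting that the vmalloc fallback cannot be driven to arbitrary sizes by the caller's size argument, and that ownership of the kvzalloc'd buffer passes to the caller via *data on success, so every caller must now use kvfree().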
@@ -71,6 +71,6 @@ int copy_regset_to_user(struct task_struct *target,
 	ret = regset_get_alloc(target, regset, size, &buf);
 	if (ret > 0)
 		ret = copy_to_user(data, buf, ret) ? -EFAULT : 0;
-	kfree(buf);
+	kvfree(buf);
 	return ret;
 }
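Review bot: kvfree(buf) is also reached when regset_get_alloc() fails, and the -ENOMEM path in __regset_get() above never writes *data, so this relies on buf being initialised to NULL at its declaration in copy_regset_to_user(); please confirm that, as kvfree() on an uninitialised pointer is not safe (the old kfree() had the same requirement, so this is a check, not a regression). The diffstat lists only this file and fs/binfmt_elf.c; any other regset_get_alloc() caller that still frees with kfree() would need the same conversion.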
-- 
2.53.0





* [PATCH 6.6 020/474] device property: Make modifications of fwnode "flags" thread safe
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2026-05-15 15:42 ` [PATCH 6.6 019/474] regset: use kvzalloc() for regset_get_alloc() Greg Kroah-Hartman
@ 2026-05-15 15:42 ` Greg Kroah-Hartman
  2026-05-15 15:42 ` [PATCH 6.6 021/474] ocfs2: split transactions in dio completion to avoid credit exhaustion Greg Kroah-Hartman
                   ` (454 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Mark Brown,
	Wolfram Sang, Douglas Anderson, Rafael J. Wysocki (Intel),
	Saravana Kannan, Danilo Krummrich

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Douglas Anderson <dianders@chromium.org>

commit f72e77c33e4b5657af35125e75bab249256030f3 upstream.

In various places in the kernel, we modify the fwnode "flags" member
by doing either:
  fwnode->flags |= SOME_FLAG;
  fwnode->flags &= ~SOME_FLAG;

This type of modification is not thread-safe. If two threads are both
mucking with the flags at the same time then one can clobber the
other.

While flags are often modified while under the "fwnode_link_lock",
this is not universally true.

Create some accessor functions for setting, clearing, and testing the
FWNODE flags and move all users to these accessor functions. New
accessor functions use set_bit() and clear_bit(), which are
thread-safe.

Cc: stable@vger.kernel.org
Fixes: c2c724c868c4 ("driver core: Add fw_devlink_parse_fwtree()")
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Acked-by: Mark Brown <broonie@kernel.org>
Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Reviewed-by: Rafael J. Wysocki (Intel) <rafael@kernel.org>
Reviewed-by: Saravana Kannan <saravanak@kernel.org>
Link: https://patch.msgid.link/20260317090112.v2.1.I0a4d03104ecd5103df3d76f66c8d21b1d15a2e38@changeid
[ Fix fwnode_clear_flag() argument alignment, restore dropped blank
  line in fwnode_dev_initialized(), and remove unnecessary parentheses
  around fwnode_test_flag() calls. - Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/base/core.c        |   24 ++++++++++++------------
 drivers/bus/imx-weim.c     |    2 +-
 drivers/i2c/i2c-core-of.c  |    2 +-
 drivers/net/phy/mdio_bus.c |    4 ++--
 drivers/of/base.c          |    2 +-
 drivers/of/dynamic.c       |    2 +-
 drivers/of/platform.c      |    2 +-
 drivers/spi/spi.c          |    2 +-
 include/linux/fwnode.h     |   44 +++++++++++++++++++++++++++++++++-----------
 9 files changed, 53 insertions(+), 31 deletions(-)

--- a/drivers/base/core.c
+++ b/drivers/base/core.c
@@ -182,7 +182,7 @@ void fw_devlink_purge_absent_suppliers(s
 	if (fwnode->dev)
 		return;
 
-	fwnode->flags |= FWNODE_FLAG_NOT_DEVICE;
+	fwnode_set_flag(fwnode, FWNODE_FLAG_NOT_DEVICE);
 	fwnode_links_purge_consumers(fwnode);
 
 	fwnode_for_each_available_child_node(fwnode, child)
@@ -228,7 +228,7 @@ static void __fw_devlink_pickup_dangling
 	if (fwnode->dev && fwnode->dev->bus)
 		return;
 
-	fwnode->flags |= FWNODE_FLAG_NOT_DEVICE;
+	fwnode_set_flag(fwnode, FWNODE_FLAG_NOT_DEVICE);
 	__fwnode_links_move_consumers(fwnode, new_sup);
 
 	fwnode_for_each_available_child_node(fwnode, child)
@@ -1013,7 +1013,7 @@ static void device_links_missing_supplie
 static bool dev_is_best_effort(struct device *dev)
 {
 	return (fw_devlink_best_effort && dev->can_match) ||
-		(dev->fwnode && (dev->fwnode->flags & FWNODE_FLAG_BEST_EFFORT));
+		(dev->fwnode && fwnode_test_flag(dev->fwnode, FWNODE_FLAG_BEST_EFFORT));
 }
 
 static struct fwnode_handle *fwnode_links_check_suppliers(
@@ -1729,11 +1729,11 @@ bool fw_devlink_is_strict(void)
 
 static void fw_devlink_parse_fwnode(struct fwnode_handle *fwnode)
 {
-	if (fwnode->flags & FWNODE_FLAG_LINKS_ADDED)
+	if (fwnode_test_flag(fwnode, FWNODE_FLAG_LINKS_ADDED))
 		return;
 
 	fwnode_call_int_op(fwnode, add_links);
-	fwnode->flags |= FWNODE_FLAG_LINKS_ADDED;
+	fwnode_set_flag(fwnode, FWNODE_FLAG_LINKS_ADDED);
 }
 
 static void fw_devlink_parse_fwtree(struct fwnode_handle *fwnode)
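Review bot: the test-then-set in fw_devlink_parse_fwnode() is still a check-then-act sequence: two threads can both see FWNODE_FLAG_LINKS_ADDED clear, both call add_links, and both set the flag. Atomic set_bit() protects the neighbouring bits from being clobbered but does not close this window; if the callers hold fwnode_link_lock, say so in a comment, otherwise a fwnode_test_and_set_flag() helper built on test_and_set_bit() would make this path genuinely race-free.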
@@ -1892,7 +1892,7 @@ static bool fwnode_init_without_drv(stru
 	struct device *dev;
 	bool ret;
 
-	if (!(fwnode->flags & FWNODE_FLAG_INITIALIZED))
+	if (!fwnode_test_flag(fwnode, FWNODE_FLAG_INITIALIZED))
 		return false;
 
 	dev = get_dev_from_fwnode(fwnode);
@@ -1951,10 +1951,10 @@ static bool __fw_devlink_relax_cycles(st
 	 * We aren't trying to find all cycles. Just a cycle between con and
 	 * sup_handle.
 	 */
-	if (sup_handle->flags & FWNODE_FLAG_VISITED)
+	if (fwnode_test_flag(sup_handle, FWNODE_FLAG_VISITED))
 		return false;
 
-	sup_handle->flags |= FWNODE_FLAG_VISITED;
+	fwnode_set_flag(sup_handle, FWNODE_FLAG_VISITED);
 
 	/* Termination condition. */
 	if (sup_handle == con_handle) {
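Review bot: FWNODE_FLAG_VISITED is a traversal marker set here and cleared at the out: label, so its correctness depends on only one __fw_devlink_relax_cycles() walk running at a time; atomic bit ops keep concurrent writers from corrupting the other flags, but two concurrent walks would still observe each other's VISITED bits and return false early. A comment naming the lock that serialises the walk would make that assumption explicit now that the flag itself looks thread-safe.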
@@ -2024,7 +2024,7 @@ static bool __fw_devlink_relax_cycles(st
 	}
 
 out:
-	sup_handle->flags &= ~FWNODE_FLAG_VISITED;
+	fwnode_clear_flag(sup_handle, FWNODE_FLAG_VISITED);
 	put_device(sup_dev);
 	put_device(con_dev);
 	put_device(par_dev);
@@ -2077,7 +2077,7 @@ static int fw_devlink_create_devlink(str
 	 * When such a flag is set, we can't create device links where P is the
 	 * supplier of C as that would delay the probe of C.
 	 */
-	if (sup_handle->flags & FWNODE_FLAG_NEEDS_CHILD_BOUND_ON_ADD &&
+	if (fwnode_test_flag(sup_handle, FWNODE_FLAG_NEEDS_CHILD_BOUND_ON_ADD) &&
 	    fwnode_is_ancestor_of(sup_handle, con->fwnode))
 		return -EINVAL;
 
@@ -2100,7 +2100,7 @@ static int fw_devlink_create_devlink(str
 	else
 		flags = FW_DEVLINK_FLAGS_PERMISSIVE;
 
-	if (sup_handle->flags & FWNODE_FLAG_NOT_DEVICE)
+	if (fwnode_test_flag(sup_handle, FWNODE_FLAG_NOT_DEVICE))
 		sup_dev = fwnode_get_next_parent_dev(sup_handle);
 	else
 		sup_dev = get_dev_from_fwnode(sup_handle);
@@ -2112,7 +2112,7 @@ static int fw_devlink_create_devlink(str
 		 * supplier device indefinitely.
 		 */
 		if (sup_dev->links.status == DL_DEV_NO_DRIVER &&
-		    sup_handle->flags & FWNODE_FLAG_INITIALIZED) {
+		    fwnode_test_flag(sup_handle, FWNODE_FLAG_INITIALIZED)) {
 			dev_dbg(con,
 				"Not linking %pfwf - dev might never probe\n",
 				sup_handle);
--- a/drivers/bus/imx-weim.c
+++ b/drivers/bus/imx-weim.c
@@ -335,7 +335,7 @@ static int of_weim_notify(struct notifie
 			 * fw_devlink doesn't skip adding consumers to this
 			 * device.
 			 */
-			rd->dn->fwnode.flags &= ~FWNODE_FLAG_NOT_DEVICE;
+			fwnode_clear_flag(&rd->dn->fwnode, FWNODE_FLAG_NOT_DEVICE);
 			if (!of_platform_device_create(rd->dn, NULL, &pdev->dev)) {
 				dev_err(&pdev->dev,
 					"Failed to create child device '%pOF'\n",
--- a/drivers/i2c/i2c-core-of.c
+++ b/drivers/i2c/i2c-core-of.c
@@ -182,7 +182,7 @@ static int of_i2c_notify(struct notifier
 		 * Clear the flag before adding the device so that fw_devlink
 		 * doesn't skip adding consumers to this device.
 		 */
-		rd->dn->fwnode.flags &= ~FWNODE_FLAG_NOT_DEVICE;
+		fwnode_clear_flag(&rd->dn->fwnode, FWNODE_FLAG_NOT_DEVICE);
 		client = of_i2c_register_device(adap, rd->dn);
 		if (IS_ERR(client)) {
 			dev_err(&adap->dev, "failed to create client for '%pOF'\n",
--- a/drivers/net/phy/mdio_bus.c
+++ b/drivers/net/phy/mdio_bus.c
@@ -675,8 +675,8 @@ int __mdiobus_register(struct mii_bus *b
 		return -EINVAL;
 
 	if (bus->parent && bus->parent->of_node)
-		bus->parent->of_node->fwnode.flags |=
-					FWNODE_FLAG_NEEDS_CHILD_BOUND_ON_ADD;
+		fwnode_set_flag(&bus->parent->of_node->fwnode,
+				FWNODE_FLAG_NEEDS_CHILD_BOUND_ON_ADD);
 
 	WARN(bus->state != MDIOBUS_ALLOCATED &&
 	     bus->state != MDIOBUS_UNREGISTERED,
--- a/drivers/of/base.c
+++ b/drivers/of/base.c
@@ -1759,7 +1759,7 @@ void of_alias_scan(void * (*dt_alloc)(u6
 		if (name)
 			of_stdout = of_find_node_opts_by_path(name, &of_stdout_options);
 		if (of_stdout)
-			of_stdout->fwnode.flags |= FWNODE_FLAG_BEST_EFFORT;
+			fwnode_set_flag(&of_stdout->fwnode, FWNODE_FLAG_BEST_EFFORT);
 	}
 
 	if (!of_aliases)
--- a/drivers/of/dynamic.c
+++ b/drivers/of/dynamic.c
@@ -224,7 +224,7 @@ static void __of_attach_node(struct devi
 	np->sibling = np->parent->child;
 	np->parent->child = np;
 	of_node_clear_flag(np, OF_DETACHED);
-	np->fwnode.flags |= FWNODE_FLAG_NOT_DEVICE;
+	fwnode_set_flag(&np->fwnode, FWNODE_FLAG_NOT_DEVICE);
 
 	raw_spin_unlock_irqrestore(&devtree_lock, flags);
 
--- a/drivers/of/platform.c
+++ b/drivers/of/platform.c
@@ -774,7 +774,7 @@ static int of_platform_notify(struct not
 		 * Clear the flag before adding the device so that fw_devlink
 		 * doesn't skip adding consumers to this device.
 		 */
-		rd->dn->fwnode.flags &= ~FWNODE_FLAG_NOT_DEVICE;
+		fwnode_clear_flag(&rd->dn->fwnode, FWNODE_FLAG_NOT_DEVICE);
 		/* pdev_parent may be NULL when no bus platform device */
 		pdev_parent = of_find_device_by_node(rd->dn->parent);
 		pdev = of_platform_device_create(rd->dn, NULL,
--- a/drivers/spi/spi.c
+++ b/drivers/spi/spi.c
@@ -4532,7 +4532,7 @@ static int of_spi_notify(struct notifier
 		 * Clear the flag before adding the device so that fw_devlink
 		 * doesn't skip adding consumers to this device.
 		 */
-		rd->dn->fwnode.flags &= ~FWNODE_FLAG_NOT_DEVICE;
+		fwnode_clear_flag(&rd->dn->fwnode, FWNODE_FLAG_NOT_DEVICE);
 		spi = of_register_spi_device(ctlr, rd->dn);
 		put_device(&ctlr->dev);
 
--- a/include/linux/fwnode.h
+++ b/include/linux/fwnode.h
@@ -12,6 +12,7 @@
 #include <linux/types.h>
 #include <linux/list.h>
 #include <linux/bits.h>
+#include <linux/bitops.h>
 #include <linux/err.h>
 
 struct fwnode_operations;
@@ -31,12 +32,12 @@ struct device;
  *		suppliers. Only enforce ordering with suppliers that have
  *		drivers.
  */
-#define FWNODE_FLAG_LINKS_ADDED			BIT(0)
-#define FWNODE_FLAG_NOT_DEVICE			BIT(1)
-#define FWNODE_FLAG_INITIALIZED			BIT(2)
-#define FWNODE_FLAG_NEEDS_CHILD_BOUND_ON_ADD	BIT(3)
-#define FWNODE_FLAG_BEST_EFFORT			BIT(4)
-#define FWNODE_FLAG_VISITED			BIT(5)
+#define FWNODE_FLAG_LINKS_ADDED			0
+#define FWNODE_FLAG_NOT_DEVICE			1
+#define FWNODE_FLAG_INITIALIZED			2
+#define FWNODE_FLAG_NEEDS_CHILD_BOUND_ON_ADD	3
+#define FWNODE_FLAG_BEST_EFFORT			4
+#define FWNODE_FLAG_VISITED			5
 
 struct fwnode_handle {
 	struct fwnode_handle *secondary;
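Review bot: redefining FWNODE_FLAG_* from BIT(n) masks to plain bit indices means any remaining open-coded `fwnode->flags & FWNODE_FLAG_X` or `|= FWNODE_FLAG_X` (an in-tree straggler or out-of-tree code) still compiles but silently tests or sets the wrong bit, and FWNODE_FLAG_LINKS_ADDED now evaluates to 0 so `flags & FWNODE_FLAG_LINKS_ADDED` is always false. Consider an enum with distinctly named members (or keeping mask values and letting the accessors take masks) so stale users fail to compile, and grep for `fwnode.flags` and `fwnode->flags` across the tree before merging.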
@@ -44,7 +45,7 @@ struct fwnode_handle {
 	struct device *dev;
 	struct list_head suppliers;
 	struct list_head consumers;
-	u8 flags;
+	unsigned long flags;
 };
 
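Review bot: widening flags from u8 to unsigned long is required because set_bit()/clear_bit() operate on a naturally aligned unsigned long, but it grows every struct fwnode_handle, and therefore every struct device_node that embeds one (see the `&np->fwnode` and `&rd->dn->fwnode` users above), by up to seven bytes plus padding. A short comment on the field stating that it must only be touched through fwnode_set_flag()/fwnode_clear_flag()/fwnode_test_flag() would help, since the type alone no longer hints at that.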
 /*
@@ -197,16 +198,37 @@ static inline void fwnode_init(struct fw
 	INIT_LIST_HEAD(&fwnode->suppliers);
 }
 
+static inline void fwnode_set_flag(struct fwnode_handle *fwnode,
+				   unsigned int bit)
+{
+	set_bit(bit, &fwnode->flags);
+}
+
+static inline void fwnode_clear_flag(struct fwnode_handle *fwnode,
+				     unsigned int bit)
+{
+	clear_bit(bit, &fwnode->flags);
+}
+
+static inline void fwnode_assign_flag(struct fwnode_handle *fwnode,
+				      unsigned int bit, bool value)
+{
+	assign_bit(bit, &fwnode->flags, value);
+}
+
+static inline bool fwnode_test_flag(struct fwnode_handle *fwnode,
+				    unsigned int bit)
+{
+	return test_bit(bit, &fwnode->flags);
+}
+
 static inline void fwnode_dev_initialized(struct fwnode_handle *fwnode,
 					  bool initialized)
 {
 	if (IS_ERR_OR_NULL(fwnode))
 		return;
 
-	if (initialized)
-		fwnode->flags |= FWNODE_FLAG_INITIALIZED;
-	else
-		fwnode->flags &= ~FWNODE_FLAG_INITIALIZED;
+	fwnode_assign_flag(fwnode, FWNODE_FLAG_INITIALIZED, initialized);
 }
 
 extern bool fw_devlink_is_strict(void);
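Review bot: the four new helpers have no kernel-doc, and fwnode_test_flag() could take a const struct fwnode_handle * since test_bit() only reads; the `unsigned int bit` parameter is fine for the six defined bits but a comment (or a BUILD_BUG_ON in a wrapper) that bit must be below BITS_PER_LONG would document the contract. Note also that fwnode_assign_flag() is just set_bit() or clear_bit() chosen by value, not a read-modify-write of the old state, so it does not replace a test-and-set where one is needed.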



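The commit message above argues that `fwnode->flags |= SOME_FLAG` is a non-atomic read-modify-write that a concurrent thread can clobber, and that set_bit()/clear_bit() avoid that. The following is an added userspace demonstration (not kernel code and not part of the patch): two threads each own one bit of a shared word and repeatedly set, verify and clear it, once with plain `|=` / `&=` and once with stand-in set_bit()/clear_bit()/test_bit() built on the GCC/Clang `__atomic` builtins, which are assumptions standing in for the kernel's asm bitops.

```c
/* Added example, not kernel code: lost updates from "flags |= BIT(n)"
 * versus atomic bit operations. Needs a pthread-capable toolchain. */
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

#define BIT(n) (1UL << (n))
#define ITERATIONS 2000000UL

/* Userspace stand-ins for the kernel helpers the patch switches to
 * (assumed equivalents built on compiler atomics, not the real ones). */
static inline void set_bit(unsigned nr, unsigned long *addr)
{
	__atomic_fetch_or(addr, BIT(nr), __ATOMIC_RELAXED);
}
static inline void clear_bit(unsigned nr, unsigned long *addr)
{
	__atomic_fetch_and(addr, ~BIT(nr), __ATOMIC_RELAXED);
}
static inline bool test_bit(unsigned nr, const unsigned long *addr)
{
	return __atomic_load_n(addr, __ATOMIC_RELAXED) & BIT(nr);
}

struct worker {
	unsigned long *flags;  /* shared word, like fwnode->flags */
	unsigned bit;          /* the one bit this thread owns */
	bool atomic;           /* set_bit/clear_bit or plain |= / &= */
	unsigned long lost;    /* times our own bit was found clobbered */
};

static void *worker_fn(void *arg)
{
	struct worker *w = arg;
	/* volatile keeps the plain read-modify-write as load, or, store */
	volatile unsigned long *plain = w->flags;

	for (unsigned long i = 0; i < ITERATIONS; i++) {
		if (w->atomic) {
			set_bit(w->bit, w->flags);
			if (!test_bit(w->bit, w->flags))
				w->lost++;   /* never happens: other thread only touches its bit */
			clear_bit(w->bit, w->flags);
		} else {
			*plain |= BIT(w->bit);
			if (!(*plain & BIT(w->bit)))
				w->lost++;   /* the other thread's stale store overwrote us */
			*plain &= ~BIT(w->bit);
		}
	}
	return NULL;
}

/* Run two threads on bits 0 and 1 of one word. Returns the total number
 * of clobbered observations and leaves the final word in *final_flags
 * (0 for the atomic run, since each thread ends with clear_bit). */
static unsigned long run(bool atomic, unsigned long *final_flags)
{
	unsigned long flags = 0;
	struct worker w[2] = {
		{ &flags, 0, atomic, 0 },
		{ &flags, 1, atomic, 0 },
	};
	pthread_t t[2];

	for (int i = 0; i < 2; i++)
		pthread_create(&t[i], NULL, worker_fn, &w[i]);
	for (int i = 0; i < 2; i++)
		pthread_join(t[i], NULL);
	*final_flags = flags;
	return w[0].lost + w[1].lost;
}

int main(void)
{
	unsigned long f, lost;

	lost = run(false, &f);   /* typically non-zero on a multi-core box */
	printf("plain |= / &=    : %lu lost updates, final flags 0x%lx\n", lost, f);
	lost = run(true, &f);    /* always 0 lost, final flags 0 */
	printf("set_bit/clear_bit: %lu lost updates, final flags 0x%lx\n", lost, f);
	return 0;
}
```

The plain run's count is nondeterministic (it depends on how often the two threads interleave inside the read-modify-write), which is exactly the class of bug the patch removes; the atomic run is deterministic.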

* [PATCH 6.6 021/474] ocfs2: split transactions in dio completion to avoid credit exhaustion
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2026-05-15 15:42 ` [PATCH 6.6 020/474] device property: Make modifications of fwnode "flags" thread safe Greg Kroah-Hartman
@ 2026-05-15 15:42 ` Greg Kroah-Hartman
  2026-05-15 15:42 ` [PATCH 6.6 022/474] driver core: Dont let a device probe until its ready Greg Kroah-Hartman
                   ` (453 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Heming Zhao, Jan Kara, Joseph Qi,
	Mark Fasheh, Joel Becker, Junxiao Bi, Changwei Ge, Jun Piao,
	Andrew Morton

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Heming Zhao <heming.zhao@suse.com>

commit d647c5b2fbf81560818dacade360abc8c00a9665 upstream.

During ocfs2 dio operations, JBD2 may report warnings via the following
call trace:
ocfs2_dio_end_io_write
 ocfs2_mark_extent_written
  ocfs2_change_extent_flag
   ocfs2_split_extent
    ocfs2_try_to_merge_extent
     ocfs2_extend_rotate_transaction
      ocfs2_extend_trans
       jbd2__journal_restart
        start_this_handle
         output: JBD2: kworker/6:2 wants too many credits credits:5450 rsv_credits:0 max:5449

To prevent exceeding the credits limit, modify ocfs2_dio_end_io_write() to
handle extents in batches of transactions.

Additionally, relocate ocfs2_del_inode_from_orphan().  The orphan inode
should only be removed from the orphan list after the extent tree update
is complete.  This ensures that if a crash occurs in the middle of extent
tree updates, we won't leave stale blocks beyond EOF.

This patch also changes the logic for updating the inode size and removing
the orphan, making it similar to ext4_dio_write_end_io().  Both operations
are performed only when everything looks good.

Finally, thanks to Jans and Joseph for providing the bug fix prototype and
suggestions.

Link: https://lkml.kernel.org/r/20260402134328.27334-2-heming.zhao@suse.com
Signed-off-by: Heming Zhao <heming.zhao@suse.com>
Suggested-by: Jan Kara <jack@suse.cz>
Suggested-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ocfs2/aops.c |   74 ++++++++++++++++++++++++++++++++++----------------------
 1 file changed, 45 insertions(+), 29 deletions(-)

--- a/fs/ocfs2/aops.c
+++ b/fs/ocfs2/aops.c
@@ -37,6 +37,8 @@
 #include "namei.h"
 #include "sysfile.h"
 
+#define OCFS2_DIO_MARK_EXTENT_BATCH 200
+
 static int ocfs2_symlink_get_block(struct inode *inode, sector_t iblock,
 				   struct buffer_head *bh_result, int create)
 {
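Review bot: OCFS2_DIO_MARK_EXTENT_BATCH 200 is a bare constant with no comment; the report above hit the journal limit at credits:5450 against max:5449, so please document how 200 extents per transaction relates to the per-extent credit cost from ocfs2_calc_extend_credits() and to the journal's maximum, and what headroom it leaves for the ocfs2_set_inode_size() step. Without that derivation a later change to the credit estimate or the journal size can silently bring the warning back.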
@@ -2305,7 +2307,7 @@ static int ocfs2_dio_end_io_write(struct
 	struct ocfs2_alloc_context *meta_ac = NULL;
 	handle_t *handle = NULL;
 	loff_t end = offset + bytes;
-	int ret = 0, credits = 0;
+	int ret = 0, credits = 0, batch = 0;
 
 	ocfs2_init_dealloc_ctxt(&dealloc);
 
@@ -2322,18 +2324,6 @@ static int ocfs2_dio_end_io_write(struct
 		goto out;
 	}
 
-	/* Delete orphan before acquire i_rwsem. */
-	if (dwc->dw_orphaned) {
-		BUG_ON(dwc->dw_writer_pid != task_pid_nr(current));
-
-		end = end > i_size_read(inode) ? end : 0;
-
-		ret = ocfs2_del_inode_from_orphan(osb, inode, di_bh,
-				!!end, end);
-		if (ret < 0)
-			mlog_errno(ret);
-	}
-
 	down_write(&oi->ip_alloc_sem);
 	di = (struct ocfs2_dinode *)di_bh->b_data;
 
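Review bot: removing the early ocfs2_del_inode_from_orphan() also removes its `!!end, end` arguments, i.e. the orphan path no longer updates i_size as a side effect; the replacement call later in this function passes 0, 0, so the size update now rests entirely on ocfs2_set_inode_size() inside the transaction, which should be stated in the commit message. The deleted comment justified doing the orphan deletion before taking the semaphore; the new call site is after up_write(&oi->ip_alloc_sem) but still under ocfs2_inode_lock(), so a comment on why that ordering with the orphan-dir lock is safe would replace the justification that has gone.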
@@ -2354,24 +2344,25 @@ static int ocfs2_dio_end_io_write(struct
 
 	credits = ocfs2_calc_extend_credits(inode->i_sb, &di->id2.i_list);
 
-	handle = ocfs2_start_trans(osb, credits);
-	if (IS_ERR(handle)) {
-		ret = PTR_ERR(handle);
-		mlog_errno(ret);
-		goto unlock;
-	}
-	ret = ocfs2_journal_access_di(handle, INODE_CACHE(inode), di_bh,
-				      OCFS2_JOURNAL_ACCESS_WRITE);
-	if (ret) {
-		mlog_errno(ret);
-		goto commit;
-	}
-
 	list_for_each_entry(ue, &dwc->dw_zero_list, ue_node) {
+		if (!handle) {
+			handle = ocfs2_start_trans(osb, credits);
+			if (IS_ERR(handle)) {
+				ret = PTR_ERR(handle);
+				mlog_errno(ret);
+				goto unlock;
+			}
+			ret = ocfs2_journal_access_di(handle, INODE_CACHE(inode), di_bh,
+					OCFS2_JOURNAL_ACCESS_WRITE);
+			if (ret) {
+				mlog_errno(ret);
+				goto commit;
+			}
+		}
 		ret = ocfs2_assure_trans_credits(handle, credits);
 		if (ret < 0) {
 			mlog_errno(ret);
-			break;
+			goto commit;
 		}
 		ret = ocfs2_mark_extent_written(inode, &et, handle,
 						ue->ue_cpos, 1,
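Review bot: repeating ocfs2_journal_access_di() for each freshly started handle is correct, but the `goto unlock` when ocfs2_start_trans() fails mid-loop leaves `handle` holding an ERR_PTR; it is not dereferenced today because the commit: label is skipped, yet assigning `handle = NULL` before that goto would make the `if (handle)` guard at commit: robust against future reordering. Turning `break` into `goto commit` also means an error now skips the inode size update, which is the intended "only when everything looks good" behaviour and deserves a comment. Nit: the continuation line of the ocfs2_journal_access_di() call is not aligned with the open parenthesis.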
@@ -2379,19 +2370,44 @@ static int ocfs2_dio_end_io_write(struct
 						meta_ac, &dealloc);
 		if (ret < 0) {
 			mlog_errno(ret);
-			break;
+			goto commit;
+		}
+
+		if (++batch == OCFS2_DIO_MARK_EXTENT_BATCH) {
+			ocfs2_commit_trans(osb, handle);
+			handle = NULL;
+			batch = 0;
 		}
 	}
 
 	if (end > i_size_read(inode)) {
+		if (!handle) {
+			handle = ocfs2_start_trans(osb, credits);
+			if (IS_ERR(handle)) {
+				ret = PTR_ERR(handle);
+				mlog_errno(ret);
+				goto unlock;
+			}
+		}
 		ret = ocfs2_set_inode_size(handle, inode, di_bh, end);
 		if (ret < 0)
 			mlog_errno(ret);
 	}
+
 commit:
-	ocfs2_commit_trans(osb, handle);
+	if (handle)
+		ocfs2_commit_trans(osb, handle);
 unlock:
 	up_write(&oi->ip_alloc_sem);
+
+	/* everything looks good, let's start the cleanup */
+	if (!ret && dwc->dw_orphaned) {
+		BUG_ON(dwc->dw_writer_pid != task_pid_nr(current));
+
+		ret = ocfs2_del_inode_from_orphan(osb, inode, di_bh, 0, 0);
+		if (ret < 0)
+			mlog_errno(ret);
+	}
 	ocfs2_inode_unlock(inode, 1);
 	brelse(di_bh);
 out:
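Review bot: the `end > i_size_read(inode)` block starts a fresh handle when the loop has just committed a full batch, but unlike the loop it does not call ocfs2_journal_access_di() on di_bh before ocfs2_set_inode_size(); if ocfs2_set_inode_size() does not journal-access the dinode itself, the size write lands outside the transaction, so either add the access call or a comment saying it is handled there. Also, when ocfs2_set_inode_size() fails, ret stays negative and the inode is deliberately left in the orphan dir; the "everything looks good" comment should spell out that consequence so nobody later moves the orphan cleanup outside the `!ret` check.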




* [PATCH 6.6 022/474] driver core: Dont let a device probe until its ready
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2026-05-15 15:42 ` [PATCH 6.6 021/474] ocfs2: split transactions in dio completion to avoid credit exhaustion Greg Kroah-Hartman
@ 2026-05-15 15:42 ` Greg Kroah-Hartman
  2026-05-15 15:42 ` [PATCH 6.6 023/474] LoongArch: Add spectre boundry for syscall dispatch table Greg Kroah-Hartman
                   ` (452 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alan Stern,
	Rafael J. Wysocki (Intel), Danilo Krummrich, Marek Szyprowski,
	Douglas Anderson, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Douglas Anderson <dianders@chromium.org>

[ Upstream commit a2225b6e834a838ae3c93709760edc0a169eb2f2 ]

The moment we link a "struct device" into the list of devices for the
bus, it's possible probe can happen. This is because another thread
can load the driver at any time and that can cause the device to
probe. This has been seen in practice with a stack crawl that looks
like this [1]:

  really_probe()
  __driver_probe_device()
  driver_probe_device()
  __driver_attach()
  bus_for_each_dev()
  driver_attach()
  bus_add_driver()
  driver_register()
  __platform_driver_register()
  init_module() [some module]
  do_one_initcall()
  do_init_module()
  load_module()
  __arm64_sys_finit_module()
  invoke_syscall()

As a result of the above, it was seen that device_links_driver_bound()
could be called for the device before "dev->fwnode->dev" was
assigned. This prevented __fw_devlink_pickup_dangling_consumers() from
being called which meant that other devices waiting on our driver's
sub-nodes were stuck deferring forever.

It's believed that this problem is showing up suddenly for two
reasons:
1. Android has recently (last ~1 year) implemented an optimization to
   the order it loads modules [2]. When devices opt-in to this faster
   loading, modules are loaded one-after-the-other very quickly. This
   is unlike how other distributions do it. The reproduction of this
   problem has only been seen on devices that opt-in to Android's
   "parallel module loading".
2. Android devices typically opt-in to fw_devlink, and the most
   noticeable issue is the NULL "dev->fwnode->dev" in
   device_links_driver_bound(). fw_devlink is somewhat new code and
   also not in use by all Linux devices.

Even though the specific symptom where "dev->fwnode->dev" wasn't
assigned could be fixed by moving that assignment higher in
device_add(), other parts of device_add() (like the call to
device_pm_add()) are also important to run before probe. Only moving
the "dev->fwnode->dev" assignment would likely fix the current
symptoms but lead to difficult-to-debug problems in the future.

Fix the problem by preventing probe until device_add() has run far
enough that the device is ready to probe. If somehow we end up trying
to probe before we're allowed, __driver_probe_device() will return
-EPROBE_DEFER which will make certain the device is noticed.

In the race condition that was seen with Android's faster module
loading, we will temporarily add the device to the deferred list and
then take it off immediately when device_add() probes the device.

Instead of adding another flag to the bitfields already in "struct
device", add a new "flags" field and use that. This allows us to
freely change the bit from different threads without worrying about
corrupting nearby bits (and means threads changing other bits won't
corrupt us).

[1] Captured on a machine running a downstream 6.6 kernel
[2] https://cs.android.com/android/platform/superproject/main/+/main:system/core/libmodprobe/libmodprobe.cpp?q=LoadModulesParallel

Cc: stable@vger.kernel.org
Fixes: 2023c610dc54 ("Driver core: add new device to bus's list before probing")
Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
Reviewed-by: Rafael J. Wysocki (Intel) <rafael@kernel.org>
Reviewed-by: Danilo Krummrich <dakr@kernel.org>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Link: https://patch.msgid.link/20260406162231.v5.1.Id750b0fbcc94f23ed04b7aecabcead688d0d8c17@changeid
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/base/core.c    | 15 ++++++++++++++
 drivers/base/dd.c      | 20 +++++++++++++++++++
 include/linux/device.h | 44 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 79 insertions(+)

diff --git a/drivers/base/core.c b/drivers/base/core.c
index a7033e11e38f3..3c172e6d3fe0d 100644
--- a/drivers/base/core.c
+++ b/drivers/base/core.c
@@ -3680,6 +3680,21 @@ int device_add(struct device *dev)
 		fw_devlink_link_device(dev);
 	}
 
+	/*
+	 * The moment the device was linked into the bus's "klist_devices" in
+	 * bus_add_device() then it's possible that probe could have been
+	 * attempted in a different thread via userspace loading a driver
+	 * matching the device. "ready_to_probe" being unset would have
+	 * blocked those attempts. Now that all of the above initialization has
+	 * happened, unblock probe. If probe happens through another thread
+	 * after this point but before bus_probe_device() runs then it's fine.
+	 * bus_probe_device() -> device_initial_probe() -> __device_attach()
+	 * will notice (under device_lock) that the device is already bound.
+	 */
+	device_lock(dev);
+	dev_set_ready_to_probe(dev);
+	device_unlock(dev);
+
 	bus_probe_device(dev);
 
 	/*
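Review bot: set_bit() inside dev_set_ready_to_probe() is already atomic, so the device_lock()/device_unlock() pair here exists only to order the flag against __driver_probe_device(), which reads it under device_lock(); the comment should say that explicitly so the lock is not "optimised" away later. Nothing in this series clears DEV_FLAG_READY_TO_PROBE on device_del(), so a struct device that is deleted and re-added would skip the guard on its second device_add(); consider a dev_clear_ready_to_probe() in device_del().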
diff --git a/drivers/base/dd.c b/drivers/base/dd.c
index 7e2fb159bb895..d371c3437dc6b 100644
--- a/drivers/base/dd.c
+++ b/drivers/base/dd.c
@@ -785,6 +785,26 @@ static int __driver_probe_device(struct device_driver *drv, struct device *dev)
 	if (dev->driver)
 		return -EBUSY;
 
+	/*
+	 * In device_add(), the "struct device" gets linked into the subsystem's
+	 * list of devices and broadcast to userspace (via uevent) before we're
+	 * quite ready to probe. Those open pathways to driver probe before
+	 * we've finished enough of device_add() to reliably support probe.
+	 * Detect this and tell other pathways to try again later. device_add()
+	 * itself will also try to probe immediately after setting
+	 * "ready_to_probe".
+	 */
+	if (!dev_ready_to_probe(dev))
+		return dev_err_probe(dev, -EPROBE_DEFER, "Device not ready to probe\n");
+
+	/*
+	 * Set can_match = true after calling dev_ready_to_probe(), so
+	 * driver_deferred_probe_add() won't actually add the device to the
+	 * deferred probe list when dev_ready_to_probe() returns false.
+	 *
+	 * When dev_ready_to_probe() returns false, it means that device_add()
+	 * will do another probe() attempt for us.
+	 */
 	dev->can_match = true;
 	pr_debug("bus: '%s': %s: matched device %s with driver %s\n",
 		 drv->bus->name, __func__, dev_name(dev), drv->name);
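Review bot: the second comment says driver_deferred_probe_add() will not put the device on the deferred list while dev_ready_to_probe() is false because can_match is still unset, but the commit message says the device is temporarily added to the deferred list and removed when device_add() probes it; one of the two is inaccurate (can_match could already be true from an earlier attempt on a reused struct device), please reconcile them. Also, dev_err_probe() with -EPROBE_DEFER records a deferred-probe reason string on every blocked attempt, which is fine for this narrow window but is the path taken by every early probe attempt, not only the parallel module-loading case.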
diff --git a/include/linux/device.h b/include/linux/device.h
index e5f1a773dc547..34a327f5797c7 100644
--- a/include/linux/device.h
+++ b/include/linux/device.h
@@ -602,6 +602,21 @@ struct device_physical_location {
 	bool lid;
 };
 
+/**
+ * enum struct_device_flags - Flags in struct device
+ *
+ * Each flag should have a set of accessor functions created via
+ * __create_dev_flag_accessors() for each access.
+ *
+ * @DEV_FLAG_READY_TO_PROBE: If set then device_add() has finished enough
+ *		initialization that probe could be called.
+ */
+enum struct_device_flags {
+	DEV_FLAG_READY_TO_PROBE = 0,
+
+	DEV_FLAG_COUNT
+};
+
 /**
  * struct device - The basic device structure
  * @parent:	The device's "parent" device, the device to which it is attached.
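Review bot: DEV_FLAG_COUNT is a sentinel member of enum struct_device_flags with no kernel-doc entry, which scripts/kernel-doc reports as an undocumented enum value; add `@DEV_FLAG_COUNT: number of flags, sizes the flags bitmap` or mark it private.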
@@ -693,6 +708,7 @@ struct device_physical_location {
  *		and optionall (if the coherent mask is large enough) also
  *		for dma allocations.  This flag is managed by the dma ops
  *		instance from ->dma_supported.
+ * @flags:	DEV_FLAG_XXX flags. Use atomic bitfield operations to modify.
  *
  * At the lowest level, every device in a Linux system is represented by an
  * instance of struct device. The device structure contains the information
@@ -805,8 +821,36 @@ struct device {
 #ifdef CONFIG_DMA_OPS_BYPASS
 	bool			dma_ops_bypass : 1;
 #endif
+
+	DECLARE_BITMAP(flags, DEV_FLAG_COUNT);
 };
 
+#define __create_dev_flag_accessors(accessor_name, flag_name) \
+static inline bool dev_##accessor_name(const struct device *dev) \
+{ \
+	return test_bit(flag_name, dev->flags); \
+} \
+static inline void dev_set_##accessor_name(struct device *dev) \
+{ \
+	set_bit(flag_name, dev->flags); \
+} \
+static inline void dev_clear_##accessor_name(struct device *dev) \
+{ \
+	clear_bit(flag_name, dev->flags); \
+} \
+static inline void dev_assign_##accessor_name(struct device *dev, bool value) \
+{ \
+	assign_bit(flag_name, dev->flags, value); \
+} \
+static inline bool dev_test_and_set_##accessor_name(struct device *dev) \
+{ \
+	return test_and_set_bit(flag_name, dev->flags); \
+}
+
+__create_dev_flag_accessors(ready_to_probe, DEV_FLAG_READY_TO_PROBE);
+
+#undef __create_dev_flag_accessors
+
 /**
  * struct device_link - Device link representation.
  * @supplier: The device on the supplier end of the link.
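Review bot: __create_dev_flag_accessors() is #undef'd immediately after its single use, which contradicts the enum doc above saying each flag "should have a set of accessor functions created via __create_dev_flag_accessors()"; either keep the macro defined for future flags or drop that sentence. Of the five generated accessors only dev_ready_to_probe() and dev_set_ready_to_probe() have callers in this series, so a comment noting that dev_test_and_set_*() is the only one returning the previous value, and that dev_assign_*() is a plain set-or-clear rather than a read-modify-write, would help the next user.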
-- 
2.53.0





* [PATCH 6.6 023/474] LoongArch: Add spectre boundry for syscall dispatch table
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2026-05-15 15:42 ` [PATCH 6.6 022/474] driver core: Dont let a device probe until its ready Greg Kroah-Hartman
@ 2026-05-15 15:42 ` Greg Kroah-Hartman
  2026-05-15 15:42 ` [PATCH 6.6 024/474] zram: do not forget to endio for partial discard requests Greg Kroah-Hartman
                   ` (451 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Huacai Chen, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[ Upstream commit 0c965d2784fbbd7f8e3b96d875c9cfdf7c00da3d ]

The LoongArch syscall number is directly controlled by userspace, but
does not have an array_index_nospec() boundary to prevent access past the
syscall function pointer tables.

Cc: stable@vger.kernel.org
Assisted-by: gkh_clanker_2000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/loongarch/kernel/syscall.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/loongarch/kernel/syscall.c b/arch/loongarch/kernel/syscall.c
index b4c5acd7aa3b3..f4e3bd219b1d7 100644
--- a/arch/loongarch/kernel/syscall.c
+++ b/arch/loongarch/kernel/syscall.c
@@ -9,6 +9,7 @@
 #include <linux/entry-common.h>
 #include <linux/errno.h>
 #include <linux/linkage.h>
+#include <linux/nospec.h>
 #include <linux/syscalls.h>
 #include <linux/unistd.h>
 
@@ -55,7 +56,7 @@ void noinstr do_syscall(struct pt_regs *regs)
 	nr = syscall_enter_from_user_mode(regs, nr);
 
 	if (nr < NR_syscalls) {
-		syscall_fn = sys_call_table[nr];
+		syscall_fn = sys_call_table[array_index_nospec(nr, NR_syscalls)];
 		regs->regs[4] = syscall_fn(regs->orig_a0, regs->regs[5], regs->regs[6],
 					   regs->regs[7], regs->regs[8], regs->regs[9]);
 	}
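Review bot: the clamp sits correctly inside the `nr < NR_syscalls` branch, which is where array_index_nospec() must go (it only masks an index that has already been checked architecturally), but two points deserve confirmation in the description. First, `nr` must be an unsigned type here, otherwise a negative value from userspace passes `nr < NR_syscalls` and the mask does not help; its declaration is outside the hunk. Second, the wording "prevent access past the syscall function pointer tables" reads as if no bounds check existed, whereas the visible code already rejects out-of-range numbers and this change closes only the speculative (Spectre v1) window. Saying so explicitly would make the intent clear to backporters.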
-- 
2.53.0





* [PATCH 6.6 024/474] zram: do not forget to endio for partial discard requests
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sergey Senozhatsky, Qu Wenruo,
	Avinesh Kumar, Christoph Hellwig, Brian Geffon, Jens Axboe,
	Minchan Kim, Andrew Morton

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sergey Senozhatsky <senozhatsky@chromium.org>

commit e3668b371329ea036ff022ce8ecc82f8befcf003 upstream.

As reported by Qu Wenruo and Avinesh Kumar, the following

 getconf PAGESIZE
 65536
 blkdiscard -p 4k /dev/zram0

takes literally forever to complete.  zram doesn't support partial
discards and just returns immediately w/o doing any discard work in such
cases.  The problem is that we forget to endio on our way out, so
blkdiscard sleeps forever in submit_bio_wait().  Fix this by jumping to
end_bio label, which does bio_endio().

Link: https://lore.kernel.org/20260331074255.777019-1-senozhatsky@chromium.org
Fixes: 0120dd6e4e20 ("zram: make zram_bio_discard more self-contained")
Signed-off-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Reported-by: Qu Wenruo <wqu@suse.com>
Closes: https://lore.kernel.org/linux-block/92361cd3-fb8b-482e-bc89-15ff1acb9a59@suse.com
Tested-by: Qu Wenruo <wqu@suse.com>
Reported-by: Avinesh Kumar <avinesh.kumar@suse.com>
Closes: https://bugzilla.suse.com/show_bug.cgi?id=1256530
Reviewed-by: Christoph Hellwig <hch@lst.de>
Cc: Brian Geffon <bgeffon@google.com>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Minchan Kim <minchan@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/block/zram/zram_drv.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/block/zram/zram_drv.c
+++ b/drivers/block/zram/zram_drv.c
@@ -1880,7 +1880,7 @@ static void zram_bio_discard(struct zram
 	 */
 	if (offset) {
 		if (n <= (PAGE_SIZE - offset))
-			return;
+			goto end_bio;
 
 		n -= (PAGE_SIZE - offset);
 		index++;
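Review bot: `goto end_bio` fixes the visible early return, but zram_bio_discard() should be audited for any other `return` between this check and the `end_bio:` label (the loop body is elided in the hunk), since each would leave the bio unfinished in the same way. A one-line comment at the `goto` saying that partial-page discards are skipped but the bio still has to be completed would help the next reader.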
@@ -1895,6 +1895,7 @@ static void zram_bio_discard(struct zram
 		n -= PAGE_SIZE;
 	}
 
+end_bio:
 	bio_endio(bio);
 }
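Review bot: placing `end_bio:` directly in front of the existing bio_endio() keeps a single completion point, which is the right structure; calling bio_endio(bio) at the early exit instead would duplicate the completion and invite a double endio if cleanup is ever added after the loop.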
 




* [PATCH 6.6 025/474] wifi: rtw88: check for PCI upstream bridge existence
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Fedor Pchelkin, Ping-Ke Shih

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Fedor Pchelkin <pchelkin@ispras.ru>

commit eb101d2abdcccb514ca4fccd3b278dd8267374f6 upstream.

pci_upstream_bridge() returns NULL if the device is on a root bus.  If
8821CE is installed in the system with such a PCI topology, the probing
routine will crash.  This has probably been unnoticed as 8821CE is mostly
supplied in laptops where there is a PCI-to-PCI bridge located upstream
from the device.  However, the card might be installed on a system with
different configuration.

Check if the bridge does exist for the specific workaround to be applied.

Found by Linux Verification Center (linuxtesting.org) with Svace static
analysis tool.

Fixes: 24f5e38a13b5 ("rtw88: Disable PCIe ASPM while doing NAPI poll on 8821CE")
Cc: stable@vger.kernel.org
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260220094730.49791-1-pchelkin@ispras.ru
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/realtek/rtw88/pci.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/wireless/realtek/rtw88/pci.c
+++ b/drivers/net/wireless/realtek/rtw88/pci.c
@@ -1749,7 +1749,8 @@ int rtw_pci_probe(struct pci_dev *pdev,
 	}
 
 	/* Disable PCIe ASPM L1 while doing NAPI poll for 8821CE */
-	if (rtwdev->chip->id == RTW_CHIP_TYPE_8821C && bridge->vendor == PCI_VENDOR_ID_INTEL)
+	if (rtwdev->chip->id == RTW_CHIP_TYPE_8821C &&
+	    bridge && bridge->vendor == PCI_VENDOR_ID_INTEL)
 		rtwpci->rx_no_aspm = true;
 
 	rtw_pci_phy_cfg(rtwdev);
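Review bot: `bridge &&` is correctly ordered before the `bridge->vendor` dereference, so on a root bus the Intel-specific workaround is simply skipped; if `bridge` is used anywhere else in rtw_pci_probe() (not visible in this hunk), those sites need the same guard, and it would be cleaner to test the pci_upstream_bridge() result once at the point where it is assigned. Splitting the condition across two lines is the right readability choice.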




* [PATCH 6.6 026/474] um: drivers: call kernel_strrchr() explicitly in cow_user.c
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Johannes Berg, Michael Bommarito,
	Johannes Berg

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 91e901c65b4da02a6fd543e3f0049829ae9645b7 upstream.

Building ARCH=um on glibc >= 2.43 fails:

  arch/um/drivers/cow_user.c: error: implicit declaration of
  function 'strrchr' [-Wimplicit-function-declaration]

glibc 2.43's C23 const-preserving strrchr() macro does not survive
UML's global -Dstrrchr=kernel_strrchr remap from arch/um/Makefile.
Call kernel_strrchr() directly in cow_user.c so the source no longer
depends on the -D rewrite.

Fixes: 2c51a4bc0233 ("um: fix strrchr() problems")
Suggested-by: Johannes Berg <johannes@sipsolutions.net>
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260408070102.2325572-1-michael.bommarito@gmail.com
[remove unnecessary 'extern']
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/um/drivers/cow_user.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/arch/um/drivers/cow_user.c
+++ b/arch/um/drivers/cow_user.c
@@ -15,6 +15,12 @@
 #include "cow.h"
 #include "cow_sys.h"
 
+/*
+ * arch/um/Makefile remaps strrchr to kernel_strrchr; call the kernel
+ * name directly to avoid glibc >= 2.43's C23 strrchr macro.
+ */
+char *kernel_strrchr(const char *, int);
+
 #define PATH_LEN_V1 256
 
 /* unsigned time_t works until year 2106 */
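Review bot: a hand-written prototype for kernel_strrchr() in a .c file silently diverges if the canonical declaration ever changes; since the -Dstrrchr=kernel_strrchr remap in arch/um/Makefile implies a declaration already exists elsewhere, the prototype would be more robust in a shared header such as cow_sys.h, which this file already includes, rather than redeclared here. The comment explaining the glibc >= 2.43 motivation is useful and should move with it.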
@@ -153,7 +159,7 @@ static int absolutize(char *to, int size
 			   errno);
 		return -1;
 	}
-	slash = strrchr(from, '/');
+	slash = kernel_strrchr(from, '/');
 	if (slash != NULL) {
 		*slash = '\0';
 		if (chdir(from)) {
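Review bot: with this call no longer relying on the -D remap, any other strrchr() use in cow_user.c would still hit the same implicit-declaration error under glibc >= 2.43; the hunk shows only the call in absolutize(), so confirm it is the sole caller in the file.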




* [PATCH 6.6 027/474] spi: imx: fix use-after-free on unbind
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Marc Kleine-Budde, Johan Hovold,
	Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 1c78c2002380a1fe31bfb01a3d5f29809e55a096 upstream.

The SPI subsystem frees the controller and any subsystem allocated
driver data as part of deregistration (unless the allocation is device
managed).

Take another reference before deregistering the controller so that the
driver data is not freed until the driver is done with it.

Fixes: 307c897db762 ("spi: spi-imx: replace struct spi_imx_data::bitbang by pointer to struct spi_controller")
Cc: stable@vger.kernel.org	# 5.19
Acked-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260324082326.901043-2-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-imx.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/spi/spi-imx.c
+++ b/drivers/spi/spi-imx.c
@@ -1898,6 +1898,8 @@ static void spi_imx_remove(struct platfo
 	struct spi_imx_data *spi_imx = spi_controller_get_devdata(controller);
 	int ret;
 
+	spi_controller_get(controller);
+
 	spi_unregister_controller(controller);
 
 	ret = pm_runtime_get_sync(spi_imx->dev);
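Review bot: taking an extra reference before spi_unregister_controller() is the correct fix for the subsystem freeing the driver data on deregistration, but the lines between the two hunks are elided, including whatever error handling follows `ret = pm_runtime_get_sync(spi_imx->dev)`; any early `return` there would now leak the reference taken here, so confirm the only exit from spi_imx_remove() is the one where spi_controller_put() is added.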
@@ -1911,6 +1913,8 @@ static void spi_imx_remove(struct platfo
 	pm_runtime_disable(spi_imx->dev);
 
 	spi_imx_sdma_exit(spi_imx);
+
+	spi_controller_put(controller);
 }
 
 static int __maybe_unused spi_imx_runtime_resume(struct device *dev)




* [PATCH 6.6 028/474] f2fs: fix to detect potential corrupted nid in free_nid_list
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Chao Yu, Jaegeuk Kim, Robert Garcia,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chao Yu <chao@kernel.org>

[ Upstream commit 8fc6056dcf79937c46c97fa4996cda65956437a9 ]

As reported, on-disk footer.ino and footer.nid are the same and
out-of-range, let's add sanity check on f2fs_alloc_nid() to detect
any potential corruption in free_nid_list.

Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Robert Garcia <rob_garcia@163.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/f2fs/node.c          | 17 ++++++++++++++++-
 include/linux/f2fs_fs.h |  1 +
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c
index 133141f10d94d..586a90643ddd2 100644
--- a/fs/f2fs/node.c
+++ b/fs/f2fs/node.c
@@ -27,12 +27,17 @@ static struct kmem_cache *free_nid_slab;
 static struct kmem_cache *nat_entry_set_slab;
 static struct kmem_cache *fsync_node_entry_slab;
 
+static inline bool is_invalid_nid(struct f2fs_sb_info *sbi, nid_t nid)
+{
+	return nid < F2FS_ROOT_INO(sbi) || nid >= NM_I(sbi)->max_nid;
+}
+
 /*
  * Check whether the given nid is within node id range.
  */
 int f2fs_check_nid_range(struct f2fs_sb_info *sbi, nid_t nid)
 {
-	if (unlikely(nid < F2FS_ROOT_INO(sbi) || nid >= NM_I(sbi)->max_nid)) {
+	if (unlikely(is_invalid_nid(sbi, nid))) {
 		set_sbi_flag(sbi, SBI_NEED_FSCK);
 		f2fs_warn(sbi, "%s: out-of-range nid=%x, run fsck to fix.",
 			  __func__, nid);
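Review bot: the helper is a sensible extraction, but a one-line comment above is_invalid_nid() should say that the lower bound is F2FS_ROOT_INO(sbi), i.e. reserved nids below the root inode are treated as invalid, so that future callers know it is stricter than a plain `nid >= max_nid` test.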
@@ -2603,6 +2608,16 @@ bool f2fs_alloc_nid(struct f2fs_sb_info *sbi, nid_t *nid)
 		f2fs_bug_on(sbi, list_empty(&nm_i->free_nid_list));
 		i = list_first_entry(&nm_i->free_nid_list,
 					struct free_nid, list);
+
+		if (unlikely(is_invalid_nid(sbi, i->nid))) {
+			spin_unlock(&nm_i->nid_list_lock);
+			f2fs_err(sbi, "Corrupted nid %u in free_nid_list",
+								i->nid);
+			f2fs_stop_checkpoint(sbi, false,
+					STOP_CP_REASON_CORRUPTED_NID);
+			return false;
+		}
+
 		*nid = i->nid;
 
 		__move_free_nid(sbi, i, FREE_NID, PREALLOC_NID);
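Review bot: `i->nid` is read in the f2fs_err() call after `spin_unlock(&nm_i->nid_list_lock)`, but `i` is an entry of free_nid_list that this lock protects, so once the lock is dropped another CPU may move or free the entry and the log line reads stale or freed memory; copy `i->nid` into a local nid_t before unlocking and log that instead. It would also help to state in the description that every f2fs_alloc_nid() caller treats the new `return false` as an ordinary allocation failure rather than a bug condition.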
diff --git a/include/linux/f2fs_fs.h b/include/linux/f2fs_fs.h
index b9affa64b7fa2..fed8bec024db7 100644
--- a/include/linux/f2fs_fs.h
+++ b/include/linux/f2fs_fs.h
@@ -77,6 +77,7 @@ enum stop_cp_reason {
 	STOP_CP_REASON_UPDATE_INODE,
 	STOP_CP_REASON_FLUSH_FAIL,
 	STOP_CP_REASON_NO_SEGMENT,
+	STOP_CP_REASON_CORRUPTED_NID,
 	STOP_CP_REASON_MAX,
 };
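Review bot: include/linux/f2fs_fs.h describes the on-disk format, so these enum values must stay stable; inserting STOP_CP_REASON_CORRUPTED_NID immediately before STOP_CP_REASON_MAX leaves every existing value unchanged, which is right, but whatever fixed-size storage records the stop reasons must have room for one more, and the new reason should be added to any user-facing reason-name table if one exists.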
 
-- 
2.53.0





* [PATCH 6.6 029/474] crypto: pcrypt - Fix handling of MAY_BACKLOG requests
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yiming Qian, Herbert Xu,
	Eric Biggers

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

commit 915b692e6cb723aac658c25eb82c58fd81235110 upstream.

MAY_BACKLOG requests can return EBUSY.  Handle them by checking
for that value and filtering out EINPROGRESS notifications.

Reported-by: Yiming Qian <yimingqian591@gmail.com>
Fixes: 5a1436beec57 ("crypto: pcrypt - call the complete function on error")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 crypto/pcrypt.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/crypto/pcrypt.c
+++ b/crypto/pcrypt.c
@@ -69,6 +69,9 @@ static void pcrypt_aead_done(void *data,
 	struct pcrypt_request *preq = aead_request_ctx(req);
 	struct padata_priv *padata = pcrypt_request_padata(preq);
 
+	if (err == -EINPROGRESS)
+		return;
+
 	padata->info = err;
 
 	padata_do_serial(padata);
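Review bot: returning on -EINPROGRESS in pcrypt_aead_done() is needed because a request that was backlogged (-EBUSY at submission) receives a second callback with -EINPROGRESS when it actually starts, and serializing on that notification would call padata_do_serial() twice for one request; a short comment at the early return saying so would make the pairing with the -EBUSY checks in pcrypt_aead_enc() and pcrypt_aead_dec() obvious.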
@@ -82,7 +85,7 @@ static void pcrypt_aead_enc(struct padat
 
 	ret = crypto_aead_encrypt(req);
 
-	if (ret == -EINPROGRESS)
+	if (ret == -EINPROGRESS || ret == -EBUSY)
 		return;
 
 	padata->info = ret;
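Review bot: treating -EBUSY as "completion will arrive later" is correct only when the inner request carries CRYPTO_TFM_REQ_MAY_BACKLOG; without that flag -EBUSY means the request was rejected and no callback follows, so this path would never set padata->info and the request would never be serialized. Confirm that pcrypt always forwards the caller's MAY_BACKLOG flag to the inner request, or qualify the check with that flag.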
@@ -133,7 +136,7 @@ static void pcrypt_aead_dec(struct padat
 
 	ret = crypto_aead_decrypt(req);
 
-	if (ret == -EINPROGRESS)
+	if (ret == -EINPROGRESS || ret == -EBUSY)
 		return;
 
 	padata->info = ret;
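Review bot: the decrypt path has the same dependency on CRYPTO_TFM_REQ_MAY_BACKLOG being set on the inner request: if it is not, -EBUSY is a final rejection with no later callback, and returning here leaves the request un-serialized forever; the enc and dec checks should stay in step, and a shared helper or comment would make that explicit.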




* [PATCH 6.6 030/474] of: unittest: fix use-after-free in testdrv_probe()
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Wentao Liang, Rob Herring (Arm)

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wentao Liang <vulab@iscas.ac.cn>

commit 07fd339b2c253205794bea5d9b4b7548a4546c56 upstream.

The function testdrv_probe() retrieves the device_node from the PCI
device, applies an overlay, and then immediately calls of_node_put(dn).
This releases the reference held by the PCI core, potentially freeing
the node if the reference count drops to zero. Later, the same freed
pointer 'dn' is passed to of_platform_default_populate(), leading to a
use-after-free.

The reference to pdev->dev.of_node is owned by the device model and
should not be released by the driver. Remove the erroneous of_node_put()
to prevent premature freeing.

Fixes: 26409dd04589 ("of: unittest: Add pci_dt_testdrv pci driver")
Cc: stable@vger.kernel.org
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20260409034859.429071-1-vulab@iscas.ac.cn
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/of/unittest.c |    1 -
 1 file changed, 1 deletion(-)

--- a/drivers/of/unittest.c
+++ b/drivers/of/unittest.c
@@ -3862,7 +3862,6 @@ static int testdrv_probe(struct pci_dev
 
 	size = info->dtbo_end - info->dtbo_begin;
 	ret = of_overlay_fdt_apply(info->dtbo_begin, size, &ovcs_id, dn);
-	of_node_put(dn);
 	if (ret)
 		return ret;
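Review bot: dropping of_node_put() is correct only if `dn` is a plain copy of pdev->dev.of_node with no of_node_get() behind it; the assignment is outside the hunk, so confirm it is not obtained through a getter that takes a reference, in which case the right fix would instead be to move the put after of_platform_default_populate().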
 




* [PATCH 6.6 031/474] media: amphion: Fix race between m2m job_abort and device_run
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ming Qian, Nicolas Dufresne,
	Hans Verkuil

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ming Qian <ming.qian@oss.nxp.com>

commit 8cd35ceadcfc8c5da2eb7f7ce24525ce9d4ee62e upstream.

Fix kernel panic caused by race condition where v4l2_m2m_ctx_release()
frees m2m_ctx while v4l2_m2m_try_run() is about to call device_run
with the same context.

Race sequence:
  v4l2_m2m_try_run():           v4l2_m2m_ctx_release():
    lock/unlock                   v4l2_m2m_cancel_job()
                                    job_abort()
                                      v4l2_m2m_job_finish()
                                  kfree(m2m_ctx)  <- frees ctx
    device_run()  <- use-after-free crash at 0x538

Crash trace:
  Unable to handle kernel read from unreadable memory at virtual address
  0000000000000538
  v4l2_m2m_try_run+0x78/0x138
  v4l2_m2m_device_run_work+0x14/0x20

The amphion vpu driver does not rely on the m2m framework's device_run
callback to perform encode/decode operations.

Fix the race by preventing m2m framework job scheduling entirely:
- Add job_ready callback returning 0 (no jobs ready for m2m framework)
- Remove job_abort callback to avoid the race condition

Fixes: 3cd084519c6f ("media: amphion: add vpu v4l2 m2m support")
Cc: stable@vger.kernel.org
Signed-off-by: Ming Qian <ming.qian@oss.nxp.com>
Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/platform/amphion/vpu_v4l2.c |    9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

--- a/drivers/media/platform/amphion/vpu_v4l2.c
+++ b/drivers/media/platform/amphion/vpu_v4l2.c
@@ -441,17 +441,14 @@ static void vpu_m2m_device_run(void *pri
 {
 }
 
-static void vpu_m2m_job_abort(void *priv)
+static int vpu_m2m_job_ready(void *priv)
 {
-	struct vpu_inst *inst = priv;
-	struct v4l2_m2m_ctx *m2m_ctx = inst->fh.m2m_ctx;
-
-	v4l2_m2m_job_finish(m2m_ctx->m2m_dev, m2m_ctx);
+	return 0;
 }
 
 static const struct v4l2_m2m_ops vpu_m2m_ops = {
 	.device_run = vpu_m2m_device_run,
-	.job_abort = vpu_m2m_job_abort
+	.job_ready = vpu_m2m_job_ready,
 };
 
 static int vpu_vb2_queue_setup(struct vb2_queue *vq,
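Review bot: with job_ready always returning 0 the framework never calls device_run, so the empty vpu_m2m_device_run() now exists only to satisfy the requirement that the op be non-NULL (v4l2_m2m_init rejects ops without device_run); a comment on vpu_m2m_job_ready() and on the empty device_run explaining that the amphion driver schedules its own work and deliberately opts out of m2m job scheduling would stop someone from "fixing" this later. The new trailing comma after `.job_ready` is good for future diffs.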




* [PATCH 6.6 032/474] ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names()
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ziqing Chen, Takashi Iwai

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ziqing Chen <chenziqing@xiaomi.com>

commit e0da8a8cac74f4b9f577979d131f0d2b88a84487 upstream.

snd_ctl_elem_init_enum_names() advances pointer p through the names
buffer while decrementing buf_len. If buf_len reaches zero but items
remain, the next iteration calls strnlen(p, 0).

While strnlen(p, 0) returns 0 and would hit the existing name_len == 0
error path, CONFIG_FORTIFY_SOURCE's fortified strnlen() first checks
maxlen against __builtin_dynamic_object_size(). When Clang loses track
of p's object size inside the loop, this triggers a BRK exception panic
before the return value is examined.

Add a buf_len == 0 guard at the loop entry to prevent calling fortified
strnlen() on an exhausted buffer.

Found by kernel fuzz testing through Xiaomi Smartphone.

Fixes: 8d448162bda5 ("ALSA: control: add support for ENUMERATED user space controls")
Cc: stable@vger.kernel.org
Signed-off-by: Ziqing Chen <chenziqing@xiaomi.com>
Link: https://patch.msgid.link/20260414132437.261304-1-chenziqing@xiaomi.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/core/control.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -1672,6 +1672,10 @@ static int snd_ctl_elem_init_enum_names(
 	/* check that there are enough valid names */
 	p = names;
 	for (i = 0; i < ue->info.value.enumerated.items; ++i) {
+		if (buf_len == 0) {
+			kvfree(names);
+			return -EINVAL;
+		}
 		name_len = strnlen(p, buf_len);
 		if (name_len == 0 || name_len >= 64 || name_len == buf_len) {
 			kvfree(names);
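Review bot: the guard must precede strnlen() rather than be folded into the existing check, because the fortified strnlen() itself can trap on an exhausted buffer before its return value is examined, so the separate early test is right; if `buf_len` is a signed type (its declaration is outside the hunk), `buf_len <= 0` is the safer condition. The duplicated kvfree()/`return -EINVAL` could share an error label if the function has one, but that is cosmetic.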




* [PATCH 6.6 033/474] net: caif: clear client service pointer on teardown
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yifan Wu, Juefei Pu,
	Yuan Tan, Xin Liu, Ren Wei, Zhengchuan Liang, Ren Wei,
	Paolo Abeni

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhengchuan Liang <zcliangcn@gmail.com>

commit f7cf8ece8cee3c1ee361991470cdb1eb65ab02e8 upstream.

`caif_connect()` can tear down an existing client after remote shutdown by
calling `caif_disconnect_client()` followed by `caif_free_client()`.
`caif_free_client()` releases the service layer referenced by
`adap_layer->dn`, but leaves that pointer stale.

When the socket is later destroyed, `caif_sock_destructor()` calls
`caif_free_client()` again and dereferences the freed service pointer.

Clear the client/service links before releasing the service object so
repeated teardown becomes harmless.

Fixes: 43e369210108 ("caif: Move refcount from service layer to sock and dev.")
Cc: stable@kernel.org
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Ren Wei <enjou1224z@gmail.com>
Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Link: https://patch.msgid.link/9f3d37847c0037568aae698ca23cd47c6691acb0.1775897577.git.zcliangcn@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/caif/cfsrvl.c |   14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

--- a/net/caif/cfsrvl.c
+++ b/net/caif/cfsrvl.c
@@ -197,10 +197,20 @@ bool cfsrvl_phyid_match(struct cflayer *
 
 void caif_free_client(struct cflayer *adap_layer)
 {
+	struct cflayer *serv_layer;
 	struct cfsrvl *servl;
-	if (adap_layer == NULL || adap_layer->dn == NULL)
+
+	if (!adap_layer)
+		return;
+
+	serv_layer = adap_layer->dn;
+	if (!serv_layer)
 		return;
-	servl = container_obj(adap_layer->dn);
+
+	layer_set_dn(adap_layer, NULL);
+	layer_set_up(serv_layer, NULL);
+
+	servl = container_obj(serv_layer);
 	servl->release(&servl->layer);
 }
 EXPORT_SYMBOL(caif_free_client);
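Review bot: clearing `adap_layer->dn` and `serv_layer->up` before calling `servl->release()` is what turns the second caif_free_client() from caif_sock_destructor() into a harmless early return, but nothing in the code says so; a comment above `layer_set_dn(adap_layer, NULL)` noting that the function must be idempotent because both caif_connect() and the socket destructor can call it would preserve that intent. Splitting the combined NULL check into two tests is fine.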




* [PATCH 6.6 034/474] net: strparser: fix skb_head leak in strp_abort_strp()
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yifan Wu, Juefei Pu,
	Yuan Tan, Xin Liu, Luxiao Xu, Ren Wei, Paolo Abeni

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Luxiao Xu <rakukuip@gmail.com>

commit fe72340daaf1af588be88056faf98965f39e6032 upstream.

When the stream parser is aborted, for example after a message assembly timeout,
it can still hold a reference to a partially assembled message in
strp->skb_head.

That skb is not released in strp_abort_strp(), which leaks the partially
assembled message and can be triggered repeatedly to exhaust memory.

Fix this by freeing strp->skb_head and resetting the parser state in the
abort path. Leave strp_stop() unchanged so final cleanup still happens in
strp_done() after the work and timer have been synchronized.

Fixes: 43a0c6751a32 ("strparser: Stream parser for messages")
Cc: stable@kernel.org
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Luxiao Xu <rakukuip@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Link: https://patch.msgid.link/ade3857a9404999ce9a1c27ec523efc896072678.1775482694.git.rakukuip@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/strparser/strparser.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/net/strparser/strparser.c
+++ b/net/strparser/strparser.c
@@ -45,6 +45,14 @@ static void strp_abort_strp(struct strpa
 
 	strp->stopped = 1;
 
+	if (strp->skb_head) {
+		kfree_skb(strp->skb_head);
+		strp->skb_head = NULL;
+	}
+
+	strp->skb_nextp = NULL;
+	strp->need_bytes = 0;
+
 	if (strp->sk) {
 		struct sock *sk = strp->sk;
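Review bot: kfree_skb() on strp->skb_head here is safe only if every caller of strp_abort_strp() holds the same lock as the receive path that appends to skb_head; the callers (including the timeout work the description mentions) are outside the hunk, so confirm they run under the strp lock, otherwise this frees an skb that strp_recv() may be extending. Setting skb_head to NULL also keeps the unchanged strp_done() cleanup from double-freeing, which is worth a comment.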
 




* [PATCH 6.6 035/474] media: mtk-jpeg: fix use-after-free in release path due to uncancelled work
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Fan Wu, Nicolas Dufresne,
	Hans Verkuil

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Fan Wu <fanwu01@zju.edu.cn>

commit 34c519feef3e4fcff1078dc8bdb25fbbbd10303f upstream.

The mtk_jpeg_release() function frees the context structure (ctx) without
first cancelling any pending or running work in ctx->jpeg_work. This
creates a race window where the workqueue callback may still be accessing
the context memory after it has been freed.

Race condition:

    CPU 0 (release)                    CPU 1 (workqueue)
    ----------------                   ------------------
    close()
      mtk_jpeg_release()
                                       mtk_jpegenc_worker()
                                         ctx = work->data
                                         // accessing ctx

        kfree(ctx)  // freed!
                                         access ctx  // UAF!

The work is queued via queue_work() during JPEG encode/decode operations
(via mtk_jpeg_device_run). If the device is closed while work is pending
or running, the work handler will access freed memory.

Fix this by calling cancel_work_sync() BEFORE acquiring the mutex. This
ordering is critical: if cancel_work_sync() is called after mutex_lock(),
and the work handler also tries to acquire the same mutex, it would cause
a deadlock.

Note: The open error path does NOT need cancel_work_sync() because
INIT_WORK() only initializes the work structure - it does not schedule
it. Work is only scheduled later during ioctl operations.

Fixes: 5fb1c2361e56 ("mtk-jpegenc: add jpeg encode worker interface")
Cc: stable@vger.kernel.org
Signed-off-by: Fan Wu <fanwu01@zju.edu.cn>
Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
+++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
@@ -1214,6 +1214,7 @@ static int mtk_jpeg_release(struct file
 	struct mtk_jpeg_dev *jpeg = video_drvdata(file);
 	struct mtk_jpeg_ctx *ctx = mtk_jpeg_fh_to_ctx(file->private_data);
 
+	cancel_work_sync(&ctx->jpeg_work);
 	mutex_lock(&jpeg->lock);
 	v4l2_m2m_ctx_release(ctx->fh.m2m_ctx);
 	v4l2_ctrl_handler_free(&ctx->ctrl_hdl);
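Review bot: the ordering constraint the changelog calls critical (cancel_work_sync() must precede mutex_lock(&jpeg->lock) because the worker may take the same mutex) is not recorded at the call site; a one-line comment above `cancel_work_sync(&ctx->jpeg_work);` would keep a later reorder from reintroducing the deadlock. Worth also confirming that nothing can re-queue ctx->jpeg_work between this call and the v4l2_m2m_ctx_release() below it, since cancel_work_sync() only guarantees the work is idle at the moment it returns.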




* [PATCH 6.6 036/474] PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Koichiro Den, Manivannan Sadhasivam,
	Frank Li

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Koichiro Den <den@valinux.co.jp>

commit 3446beddba450c8d6f9aca2f028712ac527fead3 upstream.

epf_ntb_epc_destroy() duplicates the teardown that the caller is
supposed to do later. This leads to an oops when .allow_link fails or
when .drop_link is performed. Remove the helper.

Also drop pci_epc_put(). EPC device refcounting is tied to configfs EPC
group lifetime, and pci_epc_put() in the .drop_link path is sufficient.

Fixes: 8b821cf76150 ("PCI: endpoint: Add EP function driver to provide NTB functionality")
Signed-off-by: Koichiro Den <den@valinux.co.jp>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260226084142.2226875-3-den@valinux.co.jp
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pci/endpoint/functions/pci-epf-ntb.c |   56 ---------------------------
 1 file changed, 2 insertions(+), 54 deletions(-)

--- a/drivers/pci/endpoint/functions/pci-epf-ntb.c
+++ b/drivers/pci/endpoint/functions/pci-epf-ntb.c
@@ -1495,47 +1495,6 @@ err_alloc_peer_mem:
 }
 
 /**
- * epf_ntb_epc_destroy_interface() - Cleanup NTB EPC interface
- * @ntb: NTB device that facilitates communication between HOST1 and HOST2
- * @type: PRIMARY interface or SECONDARY interface
- *
- * Unbind NTB function device from EPC and relinquish reference to pci_epc
- * for each of the interface.
- */
-static void epf_ntb_epc_destroy_interface(struct epf_ntb *ntb,
-					  enum pci_epc_interface_type type)
-{
-	struct epf_ntb_epc *ntb_epc;
-	struct pci_epc *epc;
-	struct pci_epf *epf;
-
-	if (type < 0)
-		return;
-
-	epf = ntb->epf;
-	ntb_epc = ntb->epc[type];
-	if (!ntb_epc)
-		return;
-	epc = ntb_epc->epc;
-	pci_epc_remove_epf(epc, epf, type);
-	pci_epc_put(epc);
-}
-
-/**
- * epf_ntb_epc_destroy() - Cleanup NTB EPC interface
- * @ntb: NTB device that facilitates communication between HOST1 and HOST2
- *
- * Wrapper for epf_ntb_epc_destroy_interface() to cleanup all the NTB interfaces
- */
-static void epf_ntb_epc_destroy(struct epf_ntb *ntb)
-{
-	enum pci_epc_interface_type type;
-
-	for (type = PRIMARY_INTERFACE; type <= SECONDARY_INTERFACE; type++)
-		epf_ntb_epc_destroy_interface(ntb, type);
-}
-
-/**
  * epf_ntb_epc_create_interface() - Create and initialize NTB EPC interface
  * @ntb: NTB device that facilitates communication between HOST1 and HOST2
  * @epc: struct pci_epc to which a particular NTB interface should be associated
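Review bot: this hunk deletes the only visible caller of pci_epc_remove_epf(), yet the changelog only explains where the dropped pci_epc_put() is now covered (the .drop_link path); it should also name the path that still calls pci_epc_remove_epf() for both interfaces, otherwise a reader of the diff cannot tell whether the EPF is ever unbound from the EPC after this change.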
@@ -1614,15 +1573,8 @@ static int epf_ntb_epc_create(struct epf
 
 	ret = epf_ntb_epc_create_interface(ntb, epf->sec_epc,
 					   SECONDARY_INTERFACE);
-	if (ret) {
+	if (ret)
 		dev_err(dev, "SECONDARY intf: Fail to create NTB EPC\n");
-		goto err_epc_create;
-	}
-
-	return 0;
-
-err_epc_create:
-	epf_ntb_epc_destroy_interface(ntb, PRIMARY_INTERFACE);
 
 	return ret;
 }
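Review bot: after this hunk a SECONDARY_INTERFACE failure in epf_ntb_epc_create() returns with the PRIMARY interface still created and nothing here unwinds it; that is the intent (the caller tears down), but the function now silently depends on its caller, so a short comment above `return ret;` stating that cleanup on error is the caller's job would document the contract. The `if (ret) dev_err(...)` followed by an unconditional `return ret;` is otherwise fine.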
@@ -1887,7 +1839,7 @@ static int epf_ntb_bind(struct pci_epf *
 	ret = epf_ntb_init_epc_bar(ntb);
 	if (ret) {
 		dev_err(dev, "Failed to create NTB EPC\n");
-		goto err_bar_init;
+		return ret;
 	}
 
 	ret = epf_ntb_config_spad_bar_alloc_interface(ntb);
@@ -1909,9 +1861,6 @@ static int epf_ntb_bind(struct pci_epf *
 err_bar_alloc:
 	epf_ntb_config_spad_bar_free(ntb);
 
-err_bar_init:
-	epf_ntb_epc_destroy(ntb);
-
 	return ret;
 }
 
@@ -1927,7 +1876,6 @@ static void epf_ntb_unbind(struct pci_ep
 
 	epf_ntb_epc_cleanup(ntb);
 	epf_ntb_config_spad_bar_free(ntb);
-	epf_ntb_epc_destroy(ntb);
 }
 
 #define EPF_NTB_R(_name)						\
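Review bot: epf_ntb_unbind() now runs only epf_ntb_epc_cleanup() and epf_ntb_config_spad_bar_free(), matching the trimmed bind error path in the previous hunk; since the changelog makes the configfs .drop_link path the sole owner of the EPC teardown, it is worth confirming that unbind cannot be reached without a preceding .drop_link.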




* [PATCH 6.6 037/474] Revert "ALSA: usb: Increase volume range that triggers a warning"
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Rong Zhang, Arun Raghavan,
	Takashi Iwai

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rong Zhang <i@rong.moe>

commit 41d78cb724f4b40b7548af420ccfe524b14023bb upstream.

UAC uses 2 bytes to store volume values, so the maximum volume range is
0xFFFF (65535, val = -32768/32767/1).

The reverted commit bumped the range of triggering the warning to >
65535, effectively making the range check a no-op. It didn't fix
anything but covered any potential problems and deviated from the
original intention of the range check.

This reverts commit 6b971191fcfc9e3c2c0143eea22534f1f48dbb62.

Fixes: 6b971191fcfc ("ALSA: usb: Increase volume range that triggers a warning")
Cc: stable@vger.kernel.org
Signed-off-by: Rong Zhang <i@rong.moe>
Acked-by: Arun Raghavan <arunr@valvesoftware.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260303194805.266158-2-i@rong.moe
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/usb/mixer.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -1814,10 +1814,11 @@ static void __build_feature_ctl(struct u
 
 	range = (cval->max - cval->min) / cval->res;
 	/*
-	 * There are definitely devices with a range of ~20,000, so let's be
-	 * conservative and allow for a bit more.
+	 * Are there devices with volume range more than 255? I use a bit more
+	 * to be sure. 384 is a resolution magic number found on Logitech
+	 * devices. It will definitively catch all buggy Logitech devices.
 	 */
-	if (range > 65535) {
+	if (range > 384) {
 		usb_audio_warn(mixer->chip,
 			       "Warning! Unlikely big volume range (=%u), cval->res is probably wrong.",
 			       range);
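Review bot: the branch guarded by `if (range > 384)` only emits usb_audio_warn() and neither clamps nor rejects the control, so this revert changes diagnostics, not mixer behaviour; the changelog's "covered any potential problems" could say so explicitly. The restored comment also reads as a question ("Are there devices with volume range more than 255?"); since the changelog now gives the real bound (UAC stores volume in 2 bytes, so 65535 makes the check a no-op), the comment could state why 384 is the chosen threshold instead of reviving the original uncertainty.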




* [PATCH 6.6 038/474] lib/ts_kmp: fix integer overflow in pattern length calculation
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Josh Law, Andrew Morton

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Josh Law <objecting@objecting.org>

commit 8cdf30813ea8ce881cecc08664144416dbdb3e16 upstream.

The ts_kmp algorithm stores its prefix_tbl[] table and pattern in a single
allocation sized from the pattern length.  If the prefix_tbl[] size
calculation wraps, the resulting allocation can be too small and
subsequent pattern copies can overflow it.

Fix this by rejecting zero-length patterns and by using overflow helpers
before calculating the combined allocation size.

This fixes a potential heap overflow.  The pattern length calculation can
wrap during a size_t addition, leading to an undersized allocation.
Because the textsearch library is reachable from userspace via Netfilter's
xt_string module, this is a security risk that should be backported to LTS
kernels.

Link: https://lkml.kernel.org/r/20260308202028.2889285-2-objecting@objecting.org
Signed-off-by: Josh Law <objecting@objecting.org>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 lib/ts_kmp.c |   18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

--- a/lib/ts_kmp.c
+++ b/lib/ts_kmp.c
@@ -94,8 +94,22 @@ static struct ts_config *kmp_init(const
 	struct ts_config *conf;
 	struct ts_kmp *kmp;
 	int i;
-	unsigned int prefix_tbl_len = len * sizeof(unsigned int);
-	size_t priv_size = sizeof(*kmp) + len + prefix_tbl_len;
+	unsigned int prefix_tbl_len;
+	size_t priv_size;
+
+	/* Zero-length patterns would make kmp_find() read beyond kmp->pattern. */
+	if (unlikely(!len))
+		return ERR_PTR(-EINVAL);
+
+	/*
+	 * kmp->pattern is stored immediately after the prefix_tbl[] table.
+	 * Reject lengths that would wrap while sizing either region.
+	 */
+	if (unlikely(check_mul_overflow(len, sizeof(*kmp->prefix_tbl),
+					&prefix_tbl_len) ||
+		     check_add_overflow(sizeof(*kmp), (size_t)len, &priv_size) ||
+		     check_add_overflow(priv_size, prefix_tbl_len, &priv_size)))
+		return ERR_PTR(-EINVAL);
 
 	conf = alloc_ts_config(priv_size, gfp_mask);
 	if (IS_ERR(conf))
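Review bot: the overflow checks are correct, but if prefix_tbl is a flexible array member of struct ts_kmp (the `sizeof(*kmp->prefix_tbl)` suggests it is) and prefix_tbl_len is not needed later in the function, `struct_size(kmp, prefix_tbl, len)` plus one check_add_overflow() for the pattern bytes would express the same bound in the kernel's usual idiom with one variable fewer. The comment could also say which step actually matters: the first `check_add_overflow(sizeof(*kmp), (size_t)len, &priv_size)` can never trip on its own, it is the multiplication into the 32-bit prefix_tbl_len and the final addition that do.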



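The wrap that the changelog above describes, as an added example (this is not the kernel's lib/ts_kmp.c): the pre-fix sizing of kmp_init() beside the post-fix one, using the compiler builtins that the kernel's check_mul_overflow()/check_add_overflow() wrap. struct ts_kmp_like is assumed to mirror struct ts_kmp with prefix_tbl[] as a flexible array member, and the kmp_priv_size_* and unchecked_size_holds_pattern() names are the example's own.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed to mirror struct ts_kmp: prefix_tbl[] is a flexible array and the
 * pattern bytes are stored right after it in the same allocation. */
struct ts_kmp_like {
	uint8_t *pattern;
	unsigned int pattern_len;
	unsigned int prefix_tbl[];
};

/*
 * Pre-fix sizing from kmp_init(): len * sizeof(unsigned int) is computed in
 * size_t but stored into a 32-bit prefix_tbl_len, so it is silently
 * truncated and the total is then far too small for table plus pattern.
 */
size_t kmp_priv_size_unchecked(unsigned int len)
{
	unsigned int prefix_tbl_len = len * sizeof(unsigned int);

	return sizeof(struct ts_kmp_like) + len + prefix_tbl_len;
}

/*
 * Post-fix sizing: reject zero-length patterns and any length whose prefix
 * table or total size would not fit.  __builtin_*_overflow() compares the
 * exact mathematical result against the destination type, which is what
 * the kernel's check_mul_overflow()/check_add_overflow() do.
 */
int kmp_priv_size_checked(unsigned int len, size_t *priv_size)
{
	unsigned int prefix_tbl_len;
	size_t size;

	if (!len)
		return -EINVAL;	/* kmp_find() would read beyond the pattern */

	if (__builtin_mul_overflow(len, sizeof(unsigned int), &prefix_tbl_len) ||
	    __builtin_add_overflow(sizeof(struct ts_kmp_like), (size_t)len, &size) ||
	    __builtin_add_overflow(size, prefix_tbl_len, &size))
		return -EINVAL;

	*priv_size = size;
	return 0;
}

/* Bytes genuinely needed for a len-byte pattern, computed without truncation. */
uint64_t kmp_priv_size_needed(unsigned int len)
{
	return (uint64_t)sizeof(struct ts_kmp_like) +
	       (uint64_t)len * sizeof(unsigned int) + len;
}

/* Would the pre-fix allocation hold the prefix table and the pattern copy? */
bool unchecked_size_holds_pattern(unsigned int len)
{
	return kmp_priv_size_unchecked(len) >= kmp_priv_size_needed(len);
}

/* Thin wrappers for callers that want the status and the size separately. */
int kmp_priv_size_status(unsigned int len)
{
	size_t size;

	return kmp_priv_size_checked(len, &size);
}

size_t kmp_priv_size_value(unsigned int len)
{
	size_t size = 0;

	return kmp_priv_size_checked(len, &size) ? 0 : size;
}

int main(void)
{
	/* Constructed lengths: an ordinary pattern and one that wraps the 32-bit table size. */
	unsigned int lens[] = { 5, 0x40000001u };

	for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
		printf("len=%u unchecked=%zu needed=%llu fits=%d checked_status=%d\n",
		       lens[i], kmp_priv_size_unchecked(lens[i]),
		       (unsigned long long)kmp_priv_size_needed(lens[i]),
		       unchecked_size_holds_pattern(lens[i]),
		       kmp_priv_size_status(lens[i]));
	}
	return 0;
}
```
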

* [PATCH 6.6 039/474] media: i2c: imx219: Check return value of devm_gpiod_get_optional() in imx219_probe()
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Chen Ni, Dave Stevenson, Jai Luthra,
	Sakari Ailus, Mauro Carvalho Chehab

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chen Ni <nichen@iscas.ac.cn>

commit 943b1f27a3eead21b22e2531a5432ea5910b60eb upstream.

The devm_gpiod_get_optional() function may return an error pointer
(ERR_PTR) in case of a genuine failure during GPIO acquisition,
not just NULL which indicates the legitimate absence of an optional
GPIO.

Add an IS_ERR() check after the function call to catch such errors and
propagate them to the probe function, ensuring the driver fails to load
safely rather than proceeding with an invalid pointer.

Fixes: 1283b3b8f82b ("media: i2c: Add driver for Sony IMX219 sensor")
Cc: stable@vger.kernel.org
Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
Reviewed-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
Reviewed-by: Jai Luthra <jai.luthra@ideasonboard.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/i2c/imx219.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/media/i2c/imx219.c
+++ b/drivers/media/i2c/imx219.c
@@ -1274,6 +1274,9 @@ static int imx219_probe(struct i2c_clien
 	/* Request optional enable pin */
 	imx219->reset_gpio = devm_gpiod_get_optional(dev, "reset",
 						     GPIOD_OUT_HIGH);
+	if (IS_ERR(imx219->reset_gpio))
+		return dev_err_probe(dev, PTR_ERR(imx219->reset_gpio),
+				     "failed to get reset gpio\n");
 
 	/*
 	 * The sensor must be powered for imx219_identify_module()
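Review bot: the check itself is right; while touching this block, the comment above it still says "Request optional enable pin" although the GPIO requested is "reset" and the new error string says so too, so the comment should be updated to match.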




* [PATCH 6.6 040/474] net: qrtr: ns: Fix use-after-free in driver remove()
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Manivannan Sadhasivam,
	Jakub Kicinski

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>

commit 7809fea20c9404bfcfa6112ec08d1fe1d3520beb upstream.

In the remove callback, if a packet arrives after destroy_workqueue() is
called, but before sock_release(), the qrtr_ns_data_ready() callback will
try to queue the work, causing a use-after-free issue.

Fix this issue by saving the default 'sk_data_ready' callback during
qrtr_ns_init() and using it to replace the qrtr_ns_data_ready() callback at
the start of remove(). This ensures that even if a packet arrives after
destroy_workqueue(), the work struct will not be dereferenced.

Note that it is also required to ensure that the RX threads are completed
before destroying the workqueue, because the threads could be using the
qrtr_ns_data_ready() callback.

Cc: stable@vger.kernel.org
Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace")
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
Link: https://patch.msgid.link/20260409-qrtr-fix-v3-5-00a8a5ff2b51@oss.qualcomm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/qrtr/ns.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/net/qrtr/ns.c
+++ b/net/qrtr/ns.c
@@ -24,6 +24,7 @@ static struct {
 	struct list_head lookups;
 	struct workqueue_struct *workqueue;
 	struct work_struct work;
+	void (*saved_data_ready)(struct sock *sk);
 	int local_node;
 } qrtr_ns;
 
@@ -706,6 +707,7 @@ int qrtr_ns_init(void)
 		goto err_sock;
 	}
 
+	qrtr_ns.saved_data_ready = qrtr_ns.sock->sk->sk_data_ready;
 	qrtr_ns.sock->sk->sk_data_ready = qrtr_ns_data_ready;
 
 	sq.sq_port = QRTR_PORT_CTRL;
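Review bot: the save and override of sk_data_ready here happen without sk_callback_lock, whereas both restore sites in this patch take write_lock_bh(&sk->sk_callback_lock); that is fine at init time if the socket is not yet reachable by the RX path, but a one-line comment saying so would explain the asymmetry.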
@@ -746,6 +748,10 @@ int qrtr_ns_init(void)
 	return 0;
 
 err_wq:
+	write_lock_bh(&qrtr_ns.sock->sk->sk_callback_lock);
+	qrtr_ns.sock->sk->sk_data_ready = qrtr_ns.saved_data_ready;
+	write_unlock_bh(&qrtr_ns.sock->sk->sk_callback_lock);
+
 	destroy_workqueue(qrtr_ns.workqueue);
 err_sock:
 	sock_release(qrtr_ns.sock);
@@ -755,7 +761,12 @@ EXPORT_SYMBOL_GPL(qrtr_ns_init);
 
 void qrtr_ns_remove(void)
 {
+	write_lock_bh(&qrtr_ns.sock->sk->sk_callback_lock);
+	qrtr_ns.sock->sk->sk_data_ready = qrtr_ns.saved_data_ready;
+	write_unlock_bh(&qrtr_ns.sock->sk->sk_callback_lock);
+
 	cancel_work_sync(&qrtr_ns.work);
+	synchronize_net();
 	destroy_workqueue(qrtr_ns.workqueue);
 
 	/* sock_release() expects the two references that were put during
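Review bot: the three-line restore block (write_lock_bh / assign saved_data_ready / write_unlock_bh) is now duplicated verbatim between the err_wq path and qrtr_ns_remove(); a small static helper would keep the two copies from drifting. The new synchronize_net() call also deserves a comment stating what it waits for (in-flight callers of qrtr_ns_data_ready() that read the function pointer before it was replaced), since the changelog explains that requirement but the code does not.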




* [PATCH 6.6 041/474] ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Vasiliy Kovalev, Jan Kara

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vasiliy Kovalev <kovalev@altlinux.org>

commit 25947cc5b2374cd5bf627fe3141496444260d04f upstream.

ext2_iget() already rejects inodes with i_nlink == 0 when i_mode is
zero or i_dtime is set, treating them as deleted. However, the case of
i_nlink == 0 with a non-zero mode and zero dtime slips through. Since
ext2 has no orphan list, such a combination can only result from
filesystem corruption - a legitimate inode deletion always sets either
i_dtime or clears i_mode before freeing the inode.

A crafted image can exploit this gap to present such an inode to the
VFS, which then triggers WARN_ON inside drop_nlink() (fs/inode.c) via
ext2_unlink(), ext2_rename() and ext2_rmdir():

WARNING: CPU: 3 PID: 609 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336
CPU: 3 UID: 0 PID: 609 Comm: syz-executor Not tainted 6.12.77+ #1
Call Trace:
 <TASK>
 inode_dec_link_count include/linux/fs.h:2518 [inline]
 ext2_unlink+0x26c/0x300 fs/ext2/namei.c:295
 vfs_unlink+0x2fc/0x9b0 fs/namei.c:4477
 do_unlinkat+0x53e/0x730 fs/namei.c:4541
 __x64_sys_unlink+0xc6/0x110 fs/namei.c:4587
 do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 </TASK>

WARNING: CPU: 0 PID: 646 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336
CPU: 0 UID: 0 PID: 646 Comm: syz.0.17 Not tainted 6.12.77+ #1
Call Trace:
 <TASK>
 inode_dec_link_count include/linux/fs.h:2518 [inline]
 ext2_rename+0x35e/0x850 fs/ext2/namei.c:374
 vfs_rename+0xf2f/0x2060 fs/namei.c:5021
 do_renameat2+0xbe2/0xd50 fs/namei.c:5178
 __x64_sys_rename+0x7e/0xa0 fs/namei.c:5223
 do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 </TASK>

WARNING: CPU: 0 PID: 634 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336
CPU: 0 UID: 0 PID: 634 Comm: syz-executor Not tainted 6.12.77+ #1
Call Trace:
 <TASK>
 inode_dec_link_count include/linux/fs.h:2518 [inline]
 ext2_rmdir+0xca/0x110 fs/ext2/namei.c:311
 vfs_rmdir+0x204/0x690 fs/namei.c:4348
 do_rmdir+0x372/0x3e0 fs/namei.c:4407
 __x64_sys_unlinkat+0xf0/0x130 fs/namei.c:4577
 do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 </TASK>

Extend the existing i_nlink == 0 check to also catch this case,
reporting the corruption via ext2_error() and returning -EFSCORRUPTED.
This rejects the inode at load time and prevents it from reaching any
of the namei.c paths.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
Link: https://patch.msgid.link/20260404152011.2590197-1-kovalev@altlinux.org
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ext2/inode.c |   14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

--- a/fs/ext2/inode.c
+++ b/fs/ext2/inode.c
@@ -1432,9 +1432,17 @@ struct inode *ext2_iget (struct super_bl
 	 * the test is that same one that e2fsck uses
 	 * NeilBrown 1999oct15
 	 */
-	if (inode->i_nlink == 0 && (inode->i_mode == 0 || ei->i_dtime)) {
-		/* this inode is deleted */
-		ret = -ESTALE;
+	if (inode->i_nlink == 0) {
+		if (inode->i_mode == 0 || ei->i_dtime) {
+			/* this inode is deleted */
+			ret = -ESTALE;
+		} else {
+			ext2_error(sb, __func__,
+				   "inode %lu has zero i_nlink with mode 0%o and no dtime, "
+				   "filesystem may be corrupt",
+				   ino, inode->i_mode);
+			ret = -EFSCORRUPTED;
+		}
 		goto bad_inode;
 	}
 	inode->i_blocks = le32_to_cpu(raw_inode->i_blocks);
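Review bot: the deleted-inode branch keeps its `/* this inode is deleted */` comment while the new corruption branch has none; a short comment carrying the changelog's reasoning (ext2 has no orphan list, so i_nlink == 0 with a live mode and no dtime can only come from corruption) would let a reader see why this is -EFSCORRUPTED rather than another -ESTALE without consulting the history.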




* [PATCH 6.6 042/474] ALSA: aoa: i2sbus: fix OF node lifetime handling
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

commit 4ec93f070eda6b765b62efcaed9241c3b3b0b6ad upstream.

i2sbus_add_dev() keeps the matched "sound" child pointer after
for_each_child_of_node() has dropped the iterator reference. Take an
extra reference before saving that node and drop it after the
layout-id/device-id lookup is complete.

The function also stores np in dev->sound.ofdev.dev.of_node without
taking a reference for the embedded soundbus device. Since i2sbus
overrides the embedded platform device release callback, balance that
reference explicitly in the local error path and in i2sbus_release_dev().

Fixes: f3d9478b2ce4 ("[ALSA] snd-aoa: add snd-aoa")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260330-aoa-i2sbus-ofnode-lifetime-v1-1-51c309f4ff06@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/aoa/soundbus/i2sbus/core.c |    9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/sound/aoa/soundbus/i2sbus/core.c
+++ b/sound/aoa/soundbus/i2sbus/core.c
@@ -83,6 +83,7 @@ static void i2sbus_release_dev(struct de
 	for (i = aoa_resource_i2smmio; i <= aoa_resource_rxdbdma; i++)
 		free_irq(i2sdev->interrupts[i], i2sdev);
 	i2sbus_control_remove_dev(i2sdev->control, i2sdev);
+	of_node_put(i2sdev->sound.ofdev.dev.of_node);
 	mutex_destroy(&i2sdev->lock);
 	kfree(i2sdev);
 }
@@ -148,7 +149,6 @@ static int i2sbus_get_and_fixup_rsrc(str
 }
 
 /* Returns 1 if added, 0 for otherwise; don't return a negative value! */
-/* FIXME: look at device node refcounting */
 static int i2sbus_add_dev(struct macio_dev *macio,
 			  struct i2sbus_control *control,
 			  struct device_node *np)
@@ -179,8 +179,9 @@ static int i2sbus_add_dev(struct macio_d
 	i = 0;
 	for_each_child_of_node(np, child) {
 		if (of_node_name_eq(child, "sound")) {
+			of_node_put(sound);
 			i++;
-			sound = child;
+			sound = of_node_get(child);
 		}
 	}
 	if (i == 1) {
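Review bot: `of_node_put(sound);` on the first match relies on `sound` being initialised to NULL at its declaration (of_node_put(NULL) is a no-op); the declaration is outside the hunk, so confirm it is, otherwise the first iteration drops a reference on an uninitialised pointer. When more than one "sound" child exists the loop correctly keeps only the last one referenced.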
@@ -206,6 +207,7 @@ static int i2sbus_add_dev(struct macio_d
 			}
 		}
 	}
+	of_node_put(sound);
 	/* for the time being, until we can handle non-layout-id
 	 * things in some fabric, refuse to attach if there is no
 	 * layout-id property or we haven't been forced to attach.
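Review bot: this of_node_put(sound) balances the of_node_get() taken in the loop, but only if there is no early return between the loop and this line; the `if (i == 1) {` block lies mostly outside the visible context, so check that every exit from it reaches this put.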
@@ -220,7 +222,7 @@ static int i2sbus_add_dev(struct macio_d
 	mutex_init(&dev->lock);
 	spin_lock_init(&dev->low_lock);
 	dev->sound.ofdev.archdata.dma_mask = macio->ofdev.archdata.dma_mask;
-	dev->sound.ofdev.dev.of_node = np;
+	dev->sound.ofdev.dev.of_node = of_node_get(np);
 	dev->sound.ofdev.dev.dma_mask = &dev->sound.ofdev.archdata.dma_mask;
 	dev->sound.ofdev.dev.parent = &macio->ofdev.dev;
 	dev->sound.ofdev.dev.release = i2sbus_release_dev;
@@ -328,6 +330,7 @@ static int i2sbus_add_dev(struct macio_d
 	for (i=0;i<3;i++)
 		release_and_free_resource(dev->allocated_resource[i]);
 	mutex_destroy(&dev->lock);
+	of_node_put(dev->sound.ofdev.dev.of_node);
 	kfree(dev);
 	return 0;
 }




* [PATCH 6.6 043/474] ALSA: ctxfi: Add fallback to default RSR for S/PDIF
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Harin Lee, Takashi Iwai

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Harin Lee <me@harin.net>

commit 7d61662197ecdc458e33e475b6ada7f6da61d364 upstream.

spdif_passthru_playback_get_resources() uses atc->pll_rate as the RSR
for the MSR calculation loop. However, pll_rate is only updated in
atc_pll_init() and not in hw_pll_init(), so it remains 0 after the
card init.

When spdif_passthru_playback_setup() skips atc_pll_init() for
32000 Hz, (rsr * desc.msr) always becomes 0, causing the loop to spin
indefinitely.

Add fallback to use atc->rsr when atc->pll_rate is 0. This reflects
the hardware state, since hw_card_init() already configures the PLL
to the default RSR.

Fixes: 8cc72361481f ("ALSA: SB X-Fi driver merge")
Cc: stable@vger.kernel.org
Signed-off-by: Harin Lee <me@harin.net>
Link: https://patch.msgid.link/20260406074913.217374-1-me@harin.net
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/pci/ctxfi/ctatc.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/sound/pci/ctxfi/ctatc.c
+++ b/sound/pci/ctxfi/ctatc.c
@@ -791,7 +791,8 @@ static int spdif_passthru_playback_get_r
 	struct src *src;
 	int err;
 	int n_amixer = apcm->substream->runtime->channels, i;
-	unsigned int pitch, rsr = atc->pll_rate;
+	unsigned int pitch;
+	unsigned int rsr = atc->pll_rate ? atc->pll_rate : atc->rsr;
 
 	/* first release old resources */
 	atc_pcm_release_resources(atc, apcm);
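Review bot: the fallback removes the known zero (pll_rate == 0 after hw_pll_init()), but the MSR loop that the changelog says spins when (rsr * desc.msr) is 0 still has no guard of its own; returning an error when rsr is still 0 after the fallback, or bounding the loop, would keep a future path that leaves both pll_rate and rsr at 0 from hanging the kernel again.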




* [PATCH 6.6 044/474] ALSA: seq_oss: return full count for successful SEQ_FULLSIZE writes
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

commit bbc6c0dda54fc0ad8f8aed0b796c23e186e1a188 upstream.

snd_seq_oss_write() currently returns the raw load_patch() callback
result for SEQ_FULLSIZE events.

That callback is documented as returning 0 on success and -errno on
failure, but snd_seq_oss_write() is the file write path and should
report the number of user bytes consumed on success. Some in-tree
backends also return backend-specific positive values, which can still
be shorter than the original write size.

Return the full byte count for successful SEQ_FULLSIZE writes.
Preserve negative errors and convert any nonnegative completion to the
original count.

Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260324-alsa-seq-oss-fullsize-write-return-v1-1-66d448510538@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/core/seq/oss/seq_oss_rw.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/sound/core/seq/oss/seq_oss_rw.c
+++ b/sound/core/seq/oss/seq_oss_rw.c
@@ -101,9 +101,9 @@ snd_seq_oss_write(struct seq_oss_devinfo
 				break;
 			}
 			fmt = (*(unsigned short *)rec.c) & 0xffff;
-			/* FIXME the return value isn't correct */
-			return snd_seq_oss_synth_load_patch(dp, rec.s.dev,
-							    fmt, buf, 0, count);
+			err = snd_seq_oss_synth_load_patch(dp, rec.s.dev,
+							   fmt, buf, 0, count);
+			return err < 0 ? err : count;
 		}
 		if (ev_is_long(&rec)) {
 			/* extended code */
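Review bot: `err` is not declared in the hunk, so confirm it is a signed int in snd_seq_oss_write()'s scope; if it were unsigned, `err < 0` would never be true and failures would be reported as `count`. Discarding the backend-specific positive return values is intentional per the changelog and looks right for a file write path.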




* [PATCH 6.6 045/474] erofs: fix the out-of-bounds nameoff handling for trailing dirents
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo, Gao Xiang,
	Chao Yu

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gao Xiang <hsiangkao@linux.alibaba.com>

commit d18a3b5d337fa412a38e776e6b4b857a58836575 upstream.

Currently we already have boundary-checks for nameoffs, but the trailing
dirents are special since the namelens are calculated with strnlen()
with unchecked nameoffs.

If a crafted EROFS has a trailing dirent with nameoff >= maxsize,
maxsize - nameoff can underflow, causing strnlen() to read past the
directory block.

nameoff0 should also be verified to be a multiple of
`sizeof(struct erofs_dirent)` as well [1].

[1] https://sashiko.dev/#/patchset/20260416063511.3173774-1-hsiangkao%40linux.alibaba.com

Fixes: 3aa8ec716e52 ("staging: erofs: add directory operations")
Fixes: 33bac912840f ("staging: erofs: keep corrupted fs from crashing kernel in erofs_readdir()")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Closes: https://lore.kernel.org/r/A0FD7E0F-7558-49B0-8BC8-EB1ECDB2479A@outlook.com
Cc: stable@vger.kernel.org
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/erofs/dir.c |   28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)

--- a/fs/erofs/dir.c
+++ b/fs/erofs/dir.c
@@ -22,20 +22,18 @@ static int erofs_fill_dentries(struct in
 		nameoff = le16_to_cpu(de->nameoff);
 		de_name = (char *)dentry_blk + nameoff;
 
-		/* the last dirent in the block? */
-		if (de + 1 >= end)
-			de_namelen = strnlen(de_name, maxsize - nameoff);
-		else
+		/* non-trailing dirent in the directory block? */
+		if (de + 1 < end)
 			de_namelen = le16_to_cpu(de[1].nameoff) - nameoff;
+		else if (maxsize <= nameoff)
+			goto err_bogus;
+		else
+			de_namelen = strnlen(de_name, maxsize - nameoff);
 
-		/* a corrupted entry is found */
-		if (nameoff + de_namelen > maxsize ||
-		    de_namelen > EROFS_NAME_LEN) {
-			erofs_err(dir->i_sb, "bogus dirent @ nid %llu",
-				  EROFS_I(dir)->nid);
-			DBG_BUGON(1);
-			return -EFSCORRUPTED;
-		}
+		/* a corrupted entry is found (including negative namelen) */
+		if (!in_range32(de_namelen, 1, EROFS_NAME_LEN) ||
+		    nameoff + de_namelen > maxsize)
+			goto err_bogus;
 
 		if (!dir_emit(ctx, de_name, de_namelen,
 			      le64_to_cpu(de->nid), d_type))
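
Review bot: in the trailing-dirent branch, `else if (maxsize <= nameoff)` bounds nameoff only against maxsize, so a trailing dirent whose nameoff points back below `end` (into the dirent array itself) still passes and its "name" is read out of the struct bytes of earlier entries; that read stays inside the block, so it is not a memory-safety problem, but if it is meant to be tolerated a one-line comment here would save the next reader the question, and if not, a check that nameoff is not below the end of the dirent array belongs beside the new guard. The new comment says "negative namelen", but what actually happens for an unsorted `de[1].nameoff - nameoff` is an unsigned wrap that in_range32() then rejects as being above EROFS_NAME_LEN; "wrapped" would match the code better.
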
@@ -44,6 +42,10 @@ static int erofs_fill_dentries(struct in
 		ctx->pos += sizeof(struct erofs_dirent);
 	}
 	return 0;
+err_bogus:
+	erofs_err(dir->i_sb, "bogus dirent @ nid %llu", EROFS_I(dir)->nid);
+	DBG_BUGON(1);
+	return -EFSCORRUPTED;
 }
 
 static int erofs_readdir(struct file *f, struct dir_context *ctx)
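
Review bot: the consolidated err_bogus path logs only the nid although four distinct conditions now reach it (a trailing nameoff at or past maxsize, a zero-length name, a name longer than EROFS_NAME_LEN, a name running past maxsize); adding nameoff and de_namelen to the erofs_err() would make a report from a corrupted image actionable without a debug build. DBG_BUGON(1) here is reachable purely from image data, which is acceptable only as long as it stays compiled out in non-debug builds.
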
@@ -72,7 +74,7 @@ static int erofs_readdir(struct file *f,
 		}
 
 		nameoff = le16_to_cpu(de->nameoff);
-		if (nameoff < sizeof(struct erofs_dirent) || nameoff >= bsz) {
+		if (!nameoff || nameoff >= bsz || (nameoff % sizeof(*de))) {
 			erofs_err(sb, "invalid de[0].nameoff %u @ nid %llu",
 				  nameoff, EROFS_I(dir)->nid);
 			err = -EFSCORRUPTED;
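
Review bot: `!nameoff || nameoff >= bsz || (nameoff % sizeof(*de))` is at least as strict as the old `nameoff < sizeof(struct erofs_dirent)` lower bound (a non-zero multiple of the dirent size is at least one dirent), so no previously rejected image is accepted; the alignment test is applied to de[0].nameoff only, which is right because that value alone fixes `end` in erofs_fill_dentries() and hence the `de + 1 < end` trailing-dirent test. Note the bound here is bsz while erofs_fill_dentries() works with maxsize, so a first dirent with nameoff in [maxsize, bsz) is caught only by the new `maxsize <= nameoff` guard; a comment tying the two checks together would help, since on its own this line reads like a complete validation of nameoff.
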



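
An added example, not part of the patch or of the EROFS code: a userspace C model of the post-fix erofs_fill_dentries() and erofs_readdir() checks, run over constructed directory blocks including the crafted last block the commit message describes (a trailing dirent whose nameoff lies at or past maxsize while still below the block size). It assumes a 12-byte dirent (nid, nameoff, file_type, reserved) read in host byte order, a local EFSCORRUPTED value, and the kernel's in_range32() semantics; every name other than those appearing in the hunks is the example's own.

```c
#include <stdint.h>
#include <string.h>

/* Added example, not kernel code: a userspace model of the post-fix dirent
 * walk in fs/erofs/dir.c. EFSCORRUPTED is a local constant (EUCLEAN in the
 * kernel); the 12-byte dirent follows the EROFS on-disk layout, host-endian. */
#define EFSCORRUPTED   117
#define EROFS_NAME_LEN 255
#define BLOCK_SIZE     4096

struct erofs_dirent {
	uint64_t nid; uint16_t nameoff; uint8_t file_type, reserved;
} __attribute__((packed));

/* Kernel in_range32(val, start, len): start <= val < start + len, unsigned. */
static int in_range32(uint32_t val, uint32_t start, uint32_t len)
{
	return val - start < len;
}

/* Pre-fix strnlen() bound: both unsigned, so nameoff > maxsize wraps huge. */
static size_t old_strnlen_bound(unsigned int maxsize, unsigned int nameoff)
{
	return maxsize - nameoff;
}

/* erofs_readdir()'s post-fix check on de[0].nameoff (the dirent array end). */
static int check_nameoff0(unsigned int nameoff, unsigned int bsz)
{
	if (!nameoff || nameoff >= bsz || (nameoff % sizeof(struct erofs_dirent)))
		return -EFSCORRUPTED;
	return 0;
}

/* Post-fix erofs_fill_dentries(); maxsize is how many bytes of this block
 * belong to the directory, far below BLOCK_SIZE in a short last block. */
static int fill_dentries_fixed(const uint8_t *blk, unsigned int maxsize,
			       unsigned int nameoff0,
			       char out[][EROFS_NAME_LEN + 1], unsigned int max_out)
{
	const struct erofs_dirent *de = (const void *)blk;
	const struct erofs_dirent *end = (const void *)(blk + nameoff0);
	unsigned int n = 0;

	for (; de < end && n < max_out; de++, n++) {
		unsigned int nameoff = de->nameoff, de_namelen;
		const char *de_name = (const char *)blk + nameoff;

		if (de + 1 < end) {			/* non-trailing dirent */
			de_namelen = de[1].nameoff - nameoff;	/* wraps if unsorted */
		} else if (maxsize <= nameoff) {	/* the new guard */
			return -EFSCORRUPTED;
		} else {			/* strnlen(de_name, maxsize - nameoff) */
			const char *nul = memchr(de_name, 0, maxsize - nameoff);
			de_namelen = nul ? nul - de_name : maxsize - nameoff;
		}
		/* one test rejects 0, > EROFS_NAME_LEN and the wrapped case */
		if (!in_range32(de_namelen, 1, EROFS_NAME_LEN) ||
		    nameoff + de_namelen > maxsize)
			return -EFSCORRUPTED;
		memcpy(out[n], de_name, de_namelen);
		out[n][de_namelen] = '\0';
	}
	return (int)n;
}

/* Constructed input: zeroed block, nent dirents with the given name offsets,
 * name bytes at offset 24; parsed with the given maxsize. */
static int parse_block(const uint16_t *nameoffs, unsigned int nent,
		       const char *names, unsigned int maxsize,
		       char out[][EROFS_NAME_LEN + 1])
{
	uint8_t blk[BLOCK_SIZE] = { 0 };
	struct erofs_dirent de = { .nid = 36, .file_type = 1 };

	for (unsigned int i = 0; i < nent; i++) {
		de.nameoff = nameoffs[i];
		memcpy(blk + i * sizeof(de), &de, sizeof(de));
	}
	memcpy(blk + 24, names, strlen(names));
	return fill_dentries_fixed(blk, maxsize, nameoffs[0], out, 8);
}

/* Well-formed: array ends at 24, names "a" and "bc", 27 valid bytes; the
 * trailing name has no NUL and is bounded by maxsize alone. */
static int demo_valid(char out[][EROFS_NAME_LEN + 1])
{
	return parse_block((uint16_t[]){ 24, 25 }, 2, "abc", 27, out);
}

/* Crafted last block: i_size leaves 4 valid bytes, yet the single (trailing)
 * dirent puts its name at 12; 12 < bsz passes check_nameoff0(), and the old
 * code would have called strnlen(name, 4 - 12). */
static int demo_crafted(char out[][EROFS_NAME_LEN + 1])
{
	return parse_block((uint16_t[]){ 12 }, 1, "", 4, out);
}
```

demo_valid() and demo_crafted() are the entry points; parse_block() accepts other layouts directly, for instance name offsets 24 then 12 to exercise the wrapped subtraction that the in_range32() test rejects. old_strnlen_bound() is deliberately not wired to any memory read: the point is the size the pre-fix code handed to strnlen(), which with maxsize 4 and nameoff 12 is a value far larger than the block.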

* [PATCH 6.6 046/474] md/raid10: fix deadlock with check operation and nowait requests
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2026-05-15 15:42 ` [PATCH 6.6 045/474] erofs: fix the out-of-bounds nameoff handling for trailing dirents Greg Kroah-Hartman
@ 2026-05-15 15:42 ` Greg Kroah-Hartman
  2026-05-15 15:42 ` [PATCH 6.6 047/474] mfd: stpmic1: Attempt system shutdown twice in case PMIC is confused Greg Kroah-Hartman
                   ` (428 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Josh Hunt, Yu Kuai

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Josh Hunt <johunt@akamai.com>

commit 7d96f3120a7fb7210d21b520c5b6f495da6ba436 upstream.

When an array check is running it will raise the barrier at which point
normal requests will become blocked and increment the nr_pending value to
signal there is work pending inside of wait_barrier(). NOWAIT requests
do not block and so will return immediately with an error, and additionally
do not increment nr_pending in wait_barrier(). Upstream change commit
43806c3d5b9b ("raid10: cleanup memleak at raid10_make_request") added a
call to raid_end_bio_io() to fix a memory leak when NOWAIT requests hit
this condition. raid_end_bio_io() eventually calls allow_barrier() and
it will unconditionally do an atomic_dec_and_test(&conf->nr_pending) even
though the corresponding increment on nr_pending didn't happen in the
NOWAIT case.

This can be easily seen by starting a check operation while an application
is doing nowait IO on the same array. This results in a deadlocked state
due to the nr_pending value underflowing, and so the md resync thread gets
stuck waiting for nr_pending to == 0.

Output of r10conf state of the array when we hit this condition:

crash> struct r10conf
	barrier = 1,
        nr_pending = {
          counter = -41
        },
        nr_waiting = 15,
        nr_queued = 0,

Example of md_sync thread stuck waiting on raise_barrier() and other
requests stuck in wait_barrier():

md1_resync
[<0>] raise_barrier+0xce/0x1c0
[<0>] raid10_sync_request+0x1ca/0x1ed0
[<0>] md_do_sync+0x779/0x1110
[<0>] md_thread+0x90/0x160
[<0>] kthread+0xbe/0xf0
[<0>] ret_from_fork+0x34/0x50
[<0>] ret_from_fork_asm+0x1a/0x30

kworker/u1040:2+flush-253:4
[<0>] wait_barrier+0x1de/0x220
[<0>] regular_request_wait+0x30/0x180
[<0>] raid10_make_request+0x261/0x1000
[<0>] md_handle_request+0x13b/0x230
[<0>] __submit_bio+0x107/0x1f0
[<0>] submit_bio_noacct_nocheck+0x16f/0x390
[<0>] ext4_io_submit+0x24/0x40
[<0>] ext4_do_writepages+0x254/0xc80
[<0>] ext4_writepages+0x84/0x120
[<0>] do_writepages+0x7a/0x260
[<0>] __writeback_single_inode+0x3d/0x300
[<0>] writeback_sb_inodes+0x1dd/0x470
[<0>] __writeback_inodes_wb+0x4c/0xe0
[<0>] wb_writeback+0x18b/0x2d0
[<0>] wb_workfn+0x2a1/0x400
[<0>] process_one_work+0x149/0x330
[<0>] worker_thread+0x2d2/0x410
[<0>] kthread+0xbe/0xf0
[<0>] ret_from_fork+0x34/0x50
[<0>] ret_from_fork_asm+0x1a/0x30

Fixes: 43806c3d5b9b ("raid10: cleanup memleak at raid10_make_request")
Cc: stable@vger.kernel.org
Signed-off-by: Josh Hunt <johunt@akamai.com>
Link: https://lore.kernel.org/linux-raid/20260303005619.1352958-1-johunt@akamai.com
Signed-off-by: Yu Kuai <yukuai@fnnas.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/raid10.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
@@ -1204,7 +1204,7 @@ static void raid10_read_request(struct m
 	}
 
 	if (!regular_request_wait(mddev, conf, bio, r10_bio->sectors)) {
-		raid_end_bio_io(r10_bio);
+		free_r10bio(r10_bio);
 		return;
 	}
 
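
Review bot: free_r10bio() only returns the r10_bio, so this is correct only because regular_request_wait() has already failed the original bio before returning false (the commit message: NOWAIT requests "return immediately with an error"); a comment above the `if` saying that no nr_pending reference was taken here, hence no raid_end_bio_io()/allow_barrier(), would stop the next memleak cleanup from reinstating the call that 43806c3d5b9b added and reintroducing the underflow.
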
@@ -1425,7 +1425,7 @@ static void raid10_write_request(struct
 
 	sectors = r10_bio->sectors;
 	if (!regular_request_wait(mddev, conf, bio, sectors)) {
-		raid_end_bio_io(r10_bio);
+		free_r10bio(r10_bio);
 		return;
 	}
 
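
Review bot: same replacement on the write path; confirm that nothing between r10_bio allocation and this check has attached per-device state to r10_bio that free_r10bio() would not undo, and since the two sites are now identical, a small helper or a shared comment would keep them from drifting apart.
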




* [PATCH 6.6 047/474] mfd: stpmic1: Attempt system shutdown twice in case PMIC is confused
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2026-05-15 15:42 ` [PATCH 6.6 046/474] md/raid10: fix deadlock with check operation and nowait requests Greg Kroah-Hartman
@ 2026-05-15 15:42 ` Greg Kroah-Hartman
  2026-05-15 15:42 ` [PATCH 6.6 048/474] nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4 Greg Kroah-Hartman
                   ` (427 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Marek Vasut, Lee Jones

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marek Vasut <marex@nabladev.com>

commit ffdc5c51f8bcd0e5e8255ca275a0a3b958475d99 upstream.

Attempt to shut down again, in case the first attempt failed.
The STPMIC1 might get confused and the first regmap_update_bits()
returns with -ETIMEDOUT / -110. If that or a similar transient
failure occurs, try to shut down again. If the second attempt
fails, there is some bigger problem; report it to the user.

Cc: stable@vger.kernel.org
Fixes: 6e9df38f359a ("mfd: stpmic1: Add PMIC poweroff via sys-off handler")
Signed-off-by: Marek Vasut <marex@nabladev.com>
Link: https://patch.msgid.link/20260122111423.62591-1-marex@nabladev.com
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mfd/stpmic1.c |   20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

--- a/drivers/mfd/stpmic1.c
+++ b/drivers/mfd/stpmic1.c
@@ -16,6 +16,8 @@
 
 #include <dt-bindings/mfd/st,stpmic1.h>
 
+#define STPMIC1_MAX_RETRIES 2
+
 #define STPMIC1_MAIN_IRQ 0
 
 static const struct regmap_range stpmic1_readable_ranges[] = {
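
Review bot: STPMIC1_MAX_RETRIES is used below as the total number of attempts (`retries < STPMIC1_MAX_RETRIES` counts the first try), so the value 2 means a single retry, not two; rename it STPMIC1_MAX_ATTEMPTS or add a one-line comment, otherwise a later bump to 3 will be read as three retries.
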
@@ -121,9 +123,23 @@ static const struct regmap_irq_chip stpm
 static int stpmic1_power_off(struct sys_off_data *data)
 {
 	struct stpmic1 *ddata = data->cb_data;
+	int ret;
+
+	/*
+	 * Attempt to shut down again, in case the first attempt failed.
+	 * The STPMIC1 might get confused and the first regmap_update_bits()
+	 * returns with -ETIMEDOUT / -110 . If that or similar transient
+	 * failure occurs, try to shut down again. If the second attempt
+	 * fails, there is some bigger problem, report it to user.
+	 */
+	for (int retries = 0; retries < STPMIC1_MAX_RETRIES; retries++) {
+		ret = regmap_update_bits(ddata->regmap, MAIN_CR, SOFTWARE_SWITCH_OFF,
+					 SOFTWARE_SWITCH_OFF);
+		if (!ret)
+			return NOTIFY_DONE;
+	}
 
-	regmap_update_bits(ddata->regmap, MAIN_CR,
-			   SOFTWARE_SWITCH_OFF, SOFTWARE_SWITCH_OFF);
+	dev_err(ddata->dev, "Failed to access PMIC I2C bus (%d)\n", ret);
 
 	return NOTIFY_DONE;
 }
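
Review bot: the loop retries every error immediately and identically, although the commit message singles out -ETIMEDOUT as the transient case; on a genuine bus failure the second regmap_update_bits() only burns another I2C timeout during power-off, so consider `if (ret != -ETIMEDOUT) break;` or a short delay before the retry. The final dev_err() also labels any error an "I2C bus" failure even though regmap_update_bits() can fail for other reasons; printing the errno alone, without naming the bus, would be accurate.
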




* [PATCH 6.6 048/474] nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2026-05-15 15:42 ` [PATCH 6.6 047/474] mfd: stpmic1: Attempt system shutdown twice in case PMIC is confused Greg Kroah-Hartman
@ 2026-05-15 15:42 ` Greg Kroah-Hartman
  2026-05-15 15:42 ` [PATCH 6.6 049/474] nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set Greg Kroah-Hartman
                   ` (426 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Robert Beckett, Keith Busch

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Robert Beckett <bob.beckett@collabora.com>

commit a8eebf9699d69987cc49cec4e4fdb4111ab32423 upstream.

The Kingston OM3SGP42048K2-A00 (PCI ID 2646:502f) firmware has a race
condition when processing concurrent write zeroes and DSM (discard)
commands, causing spurious "LBA Out of Range" errors and IOMMU page
faults at address 0x0.

The issue is reliably triggered by running two concurrent mkfs commands
on different partitions of the same drive, which generates interleaved
write zeroes and discard operations.

Disable write zeroes for this device, matching the pattern used for
other Kingston OM* drives that have similar firmware issues.

Cc: stable@vger.kernel.org
Signed-off-by: Robert Beckett <bob.beckett@collabora.com>
Assisted-by: claude-opus-4-6-v1
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/nvme/host/pci.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -3589,6 +3589,8 @@ static const struct pci_device_id nvme_i
 		.driver_data = NVME_QUIRK_DISABLE_WRITE_ZEROES, },
 	{ PCI_DEVICE(0x2646, 0x501E),   /* KINGSTON OM3PGP4xxxxQ OS21011 NVMe SSD */
 		.driver_data = NVME_QUIRK_DISABLE_WRITE_ZEROES, },
+	{ PCI_DEVICE(0x2646, 0x502F),   /* KINGSTON OM3SGP4xxxxK NVMe SSD */
+		.driver_data = NVME_QUIRK_DISABLE_WRITE_ZEROES, },
 	{ PCI_DEVICE(0x1f40, 0x1202),   /* Netac Technologies Co. NV3000 NVMe SSD */
 		.driver_data = NVME_QUIRK_BOGUS_NID, },
 	{ PCI_DEVICE(0x1f40, 0x5236),   /* Netac Technologies Co. NV7000 NVMe SSD */
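
Review bot: this entry is only effective together with the following patch (049/474, "nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set"): if the OM3SGP4 reports a non-zero wzsl, nvme_init_non_mdts_limits() would otherwise re-enable write zeroes and the quirk would silently be a no-op, so anyone cherry-picking this ID should take 049 with it. The table comment names the family "OM3SGP4xxxxK" while the commit message names one tested part, OM3SGP42048K2-A00; that is fine if the PCI ID is shared across the family, otherwise record the tested model.
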




* [PATCH 6.6 049/474] nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2026-05-15 15:42 ` [PATCH 6.6 048/474] nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4 Greg Kroah-Hartman
@ 2026-05-15 15:42 ` Greg Kroah-Hartman
  2026-05-15 15:42 ` [PATCH 6.6 050/474] parisc: _llseek syscall is only available for 32-bit userspace Greg Kroah-Hartman
                   ` (425 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Robert Beckett, Keith Busch

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Robert Beckett <bob.beckett@collabora.com>

commit 40f0496b617b431f8d2dd94d7f785c1121f8a68a upstream.

The NVM Command Set Identify Controller data may report a non-zero
Write Zeroes Size Limit (wzsl). When present, nvme_init_non_mdts_limits()
unconditionally overrides max_zeroes_sectors from wzsl, even if
NVME_QUIRK_DISABLE_WRITE_ZEROES previously set it to zero.

This effectively re-enables write zeroes for devices that need it
disabled, defeating the quirk. Several Kingston OM* drives rely on
this quirk to avoid firmware issues with write zeroes commands.

Check for the quirk before applying the wzsl override.

Fixes: 5befc7c26e5a ("nvme: implement non-mdts command limits")
Cc: stable@vger.kernel.org
Signed-off-by: Robert Beckett <bob.beckett@collabora.com>
Assisted-by: claude-opus-4-6-v1
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/nvme/host/core.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -2943,7 +2943,7 @@ static int nvme_init_non_mdts_limits(str
 	if (id->dmrl)
 		ctrl->max_discard_segments = id->dmrl;
 	ctrl->dmrsl = le32_to_cpu(id->dmrsl);
-	if (id->wzsl)
+	if (id->wzsl && !(ctrl->quirks & NVME_QUIRK_DISABLE_WRITE_ZEROES))
 		ctrl->max_zeroes_sectors = nvme_mps_to_sectors(ctrl, id->wzsl);
 
 free_data:
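
Review bot: the added quirk test keeps the zero that the quirk already stored in max_zeroes_sectors, but nothing at this site says so; a short comment ("quirked controllers stay at max_zeroes_sectors = 0") would explain why a valid wzsl is ignored, because a reader of nvme_init_non_mdts_limits() alone sees controller-reported data being dropped. Also check whether the discard limits set just above (dmrl/dmrsl) need similar gating, since the OM3SGP4 failure in 048/474 involves concurrent discard and write zeroes.
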




* [PATCH 6.6 050/474] parisc: _llseek syscall is only available for 32-bit userspace
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2026-05-15 15:42 ` [PATCH 6.6 049/474] nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set Greg Kroah-Hartman
@ 2026-05-15 15:42 ` Greg Kroah-Hartman
  2026-05-15 15:42 ` [PATCH 6.6 051/474] remoteproc: xlnx: Only access buffer information if IPI is buffered Greg Kroah-Hartman
                   ` (424 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Helge Deller

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Helge Deller <deller@gmx.de>

commit da3680f564bd787ce974f9931e6e924d908b3b2a upstream.

Cc: stable@vger.kernel.org
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/parisc/kernel/syscalls/syscall.tbl |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/parisc/kernel/syscalls/syscall.tbl
+++ b/arch/parisc/kernel/syscalls/syscall.tbl
@@ -154,7 +154,7 @@
 # 137 was afs_syscall
 138	common	setfsuid		sys_setfsuid
 139	common	setfsgid		sys_setfsgid
-140	common	_llseek			sys_llseek
+140	32	_llseek			sys_llseek
 141	common	getdents		sys_getdents			compat_sys_getdents
 142	common	_newselect		sys_select			compat_sys_select
 143	common	flock			sys_flock
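
Review bot: moving syscall 140 from `common` to `32` removes _llseek from the 64-bit parisc table, so a 64-bit caller now gets -ENOSYS; the commit message gives no rationale, and since this is a user-visible ABI change it should state why it is safe (no 64-bit libc or static binary issues _llseek, because lseek already takes a 64-bit offset there) before it lands in stable.
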




* [PATCH 6.6 051/474] remoteproc: xlnx: Only access buffer information if IPI is buffered
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2026-05-15 15:42 ` [PATCH 6.6 050/474] parisc: _llseek syscall is only available for 32-bit userspace Greg Kroah-Hartman
@ 2026-05-15 15:42 ` Greg Kroah-Hartman
  2026-05-15 15:42 ` [PATCH 6.6 052/474] selftests/mqueue: Fix incorrectly named file Greg Kroah-Hartman
                   ` (423 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ben Levinsky, Tanmay Shah,
	Mathieu Poirier

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Levinsky <ben.levinsky@amd.com>

commit 38dd6ccfdfbbe865569a52fe1ba9fa1478f672e6 upstream.

In the receive callback, check if the message is NULL to prevent the
possibility of a crash by NULL pointer dereference.

Signed-off-by: Ben Levinsky <ben.levinsky@amd.com>
Signed-off-by: Tanmay Shah <tanmay.shah@amd.com>
Fixes: 5dfb28c257b7 ("remoteproc: xilinx: Add mailbox channels for rpmsg")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20260303235127.2317955-3-tanmay.shah@amd.com
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/remoteproc/xlnx_r5_remoteproc.c |   20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

--- a/drivers/remoteproc/xlnx_r5_remoteproc.c
+++ b/drivers/remoteproc/xlnx_r5_remoteproc.c
@@ -179,17 +179,19 @@ static void zynqmp_r5_mb_rx_cb(struct mb
 
 	ipi = container_of(cl, struct mbox_info, mbox_cl);
 
-	/* copy data from ipi buffer to r5_core */
+	/* copy data from ipi buffer to r5_core if IPI is buffered. */
 	ipi_msg = (struct zynqmp_ipi_message *)msg;
-	buf_msg = (struct zynqmp_ipi_message *)ipi->rx_mc_buf;
-	len = ipi_msg->len;
-	if (len > IPI_BUF_LEN_MAX) {
-		dev_warn(cl->dev, "msg size exceeded than %d\n",
-			 IPI_BUF_LEN_MAX);
-		len = IPI_BUF_LEN_MAX;
+	if (ipi_msg) {
+		buf_msg = (struct zynqmp_ipi_message *)ipi->rx_mc_buf;
+		len = ipi_msg->len;
+		if (len > IPI_BUF_LEN_MAX) {
+			dev_warn(cl->dev, "msg size exceeded than %d\n",
+				 IPI_BUF_LEN_MAX);
+			len = IPI_BUF_LEN_MAX;
+		}
+		buf_msg->len = len;
+		memcpy(buf_msg->data, ipi_msg->data, len);
 	}
-	buf_msg->len = len;
-	memcpy(buf_msg->data, ipi_msg->data, len);
 
 	/* received and processed interrupt ack */
 	if (mbox_send_message(ipi->rx_chan, NULL) < 0)
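
Review bot: the guard is `if (ipi_msg)` but the subject line and the comment talk about the IPI being "buffered"; spell out in the comment that the mailbox client receives a NULL message for a non-buffered IPI, since that mapping cannot be seen here. With the copy now conditional, buf_msg and len are assigned only inside the block, so confirm they have no later use (none is visible in the hunk) or the build will warn about maybe-uninitialised variables; the ack via mbox_send_message(ipi->rx_chan, NULL) is still sent in both cases, which is what an unbuffered notification needs.
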




* [PATCH 6.6 052/474] selftests/mqueue: Fix incorrectly named file
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2026-05-15 15:42 ` [PATCH 6.6 051/474] remoteproc: xlnx: Only access buffer information if IPI is buffered Greg Kroah-Hartman
@ 2026-05-15 15:42 ` Greg Kroah-Hartman
  2026-05-15 15:42 ` [PATCH 6.6 053/474] rbd: fix null-ptr-deref when device_add_disk() fails Greg Kroah-Hartman
                   ` (422 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Simon Liebold, Shuah Khan

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Simon Liebold <simonlie@amazon.de>

commit 64fac99037689020ad97e472ae898e96ea3616dc upstream.

Commit 85506aca2eb4 ("selftests/mqueue: Set timeout to 180 seconds")
intended to increase the timeout for mq_perf_tests from the default
kselftest limit of 45 seconds to 180 seconds.

Unfortunately, the file storing this information was incorrectly named
`setting` instead of `settings`, causing the kselftest runner not to
pick up the limit and keep using the default 45 seconds limit.

Fix this by renaming it to `settings` to ensure that the kselftest
runner uses the increased timeout of 180 seconds for this test.

Fixes: 85506aca2eb4 ("selftests/mqueue: Set timeout to 180 seconds")
Cc: <stable@vger.kernel.org> # 5.10.y
Signed-off-by: Simon Liebold <simonlie@amazon.de>
Link: https://lore.kernel.org/r/20260312140200.2224850-1-simonlie@amazon.de
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/testing/selftests/mqueue/{setting => settings} | 0
 tools/testing/selftests/mqueue/setting  |    1 -
 tools/testing/selftests/mqueue/settings |    1 +
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename tools/testing/selftests/mqueue/{setting => settings} (100%)

--- a/tools/testing/selftests/mqueue/setting
+++ /dev/null
@@ -1 +0,0 @@
-timeout=180
--- /dev/null
+++ b/tools/testing/selftests/mqueue/settings
@@ -0,0 +1 @@
+timeout=180




* [PATCH 6.6 053/474] rbd: fix null-ptr-deref when device_add_disk() fails
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2026-05-15 15:42 ` [PATCH 6.6 052/474] selftests/mqueue: Fix incorrectly named file Greg Kroah-Hartman
@ 2026-05-15 15:42 ` Greg Kroah-Hartman
  2026-05-15 15:42 ` [PATCH 6.6 054/474] io_uring/timeout: check unused sqe fields Greg Kroah-Hartman
                   ` (421 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Zilin Guan, Dawei Feng, Ilya Dryomov

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dawei Feng <dawei.feng@seu.edu.cn>

commit d1fef92e414433ca7b89abf85cb0df42b8d475eb upstream.

do_rbd_add() publishes the device with device_add() before calling
device_add_disk(). If device_add_disk() fails after device_add()
succeeds, the error path calls rbd_free_disk() directly and then later
falls through to rbd_dev_device_release(), which calls rbd_free_disk()
again. This double teardown can leave blk-mq cleanup operating on
invalid state and trigger a null-ptr-deref in
__blk_mq_free_map_and_rqs(), reached from blk_mq_free_tag_set().

Fix this by following the normal remove ordering: call device_del()
before rbd_dev_device_release() when device_add_disk() fails after
device_add(). That keeps the teardown sequence consistent and avoids
re-entering disk cleanup through the wrong path.

The bug was first flagged by an experimental analysis tool we are
developing for kernel memory-management bugs while analyzing
v6.13-rc1. The tool is still under development and is not yet publicly
available.

We reproduced the bug on v7.0 with a real Ceph backend and a QEMU x86_64
guest booted with KASAN and CONFIG_FAILSLAB enabled. The reproducer
confines failslab injections to the __add_disk() range and injects
fail-nth while mapping an RBD image through
/sys/bus/rbd/add_single_major.

On the unpatched kernel, fail-nth=4 reliably triggered the fault:

	Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
	KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
	CPU: 0 UID: 0 PID: 273 Comm: bash Not tainted 7.0.0-01247-gd60bc1401583 #6 PREEMPT(lazy)
	Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
	RIP: 0010:__blk_mq_free_map_and_rqs+0x8c/0x240
	Code: 00 00 48 8b 6b 60 41 89 f4 49 c1 e4 03 4c 01 e5 45 85 ed 0f 85 0a 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 e9 48 c1 e9 03 <80> 3c 01 00 0f 85 31 01 00 00 4c 8b 6d 00 4d 85 ed 0f 84 e2 00 00
	RSP: 0018:ff1100000ab0fac8 EFLAGS: 00000246
	RAX: dffffc0000000000 RBX: ff1100000c4806a0 RCX: 0000000000000000
	RDX: 0000000000000002 RSI: 0000000000000000 RDI: ff1100000c4806f4
	RBP: 0000000000000000 R08: 0000000000000001 R09: ffe21c000189001b
	R10: ff1100000c4800df R11: ff1100006cf37be0 R12: 0000000000000000
	R13: 0000000000000000 R14: ff1100000c480700 R15: ff1100000c480004
	FS:  00007f0fbe8fe740(0000) GS:ff110000e5851000(0000) knlGS:0000000000000000
	CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 00007fe53473b2e0 CR3: 0000000012eef000 CR4: 00000000007516f0
	PKRU: 55555554
	Call Trace:
	 <TASK>
	 blk_mq_free_tag_set+0x77/0x460
	 do_rbd_add+0x1446/0x2b80
	 ? __pfx_do_rbd_add+0x10/0x10
	 ? lock_acquire+0x18c/0x300
	 ? find_held_lock+0x2b/0x80
	 ? sysfs_file_kobj+0xb6/0x1b0
	 ? __pfx_sysfs_kf_write+0x10/0x10
	 kernfs_fop_write_iter+0x2f4/0x4a0
	 vfs_write+0x98e/0x1000
	 ? expand_files+0x51f/0x850
	 ? __pfx_vfs_write+0x10/0x10
	 ksys_write+0xf2/0x1d0
	 ? __pfx_ksys_write+0x10/0x10
	 do_syscall_64+0x115/0x690
	 entry_SYSCALL_64_after_hwframe+0x77/0x7f
	RIP: 0033:0x7f0fbea15907
	Code: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
	RSP: 002b:00007ffe22346ea8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
	RAX: ffffffffffffffda RBX: 0000000000000058 RCX: 00007f0fbea15907
	RDX: 0000000000000058 RSI: 0000563ace6c0ef0 RDI: 0000000000000001
	RBP: 0000563ace6c0ef0 R08: 0000563ace6c0ef0 R09: 6b6435726d694141
	R10: 5250337279762f78 R11: 0000000000000246 R12: 0000000000000058
	R13: 00007f0fbeb1c780 R14: ff1100000c480700 R15: ff1100000c480004
	 </TASK>

With this fix applied, rerunning the reproducer over fail-nth=1..256
yields no KASAN reports.

[ idryomov: rename err_out_device_del -> err_out_device ]

Cc: stable@vger.kernel.org
Fixes: 27c97abc30e2 ("rbd: add add_disk() error handling")
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/block/rbd.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -7172,7 +7172,7 @@ static ssize_t do_rbd_add(const char *bu
 
 	rc = device_add_disk(&rbd_dev->dev, rbd_dev->disk, NULL);
 	if (rc)
-		goto err_out_cleanup_disk;
+		goto err_out_device;
 
 	spin_lock(&rbd_dev_list_lock);
 	list_add_tail(&rbd_dev->node, &rbd_dev_list);
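
Review bot: the explicit rbd_free_disk() at this failure site goes away in favour of the one inside rbd_dev_device_release(), which the commit message says already frees the disk; that only holds if rbd_dev_device_release() copes with a gendisk that was allocated but never added (device_add_disk() failed), so confirm it does not call del_gendisk() or otherwise assume a successful add.
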
@@ -7186,8 +7186,8 @@ out:
 	module_put(THIS_MODULE);
 	return rc;
 
-err_out_cleanup_disk:
-	rbd_free_disk(rbd_dev);
+err_out_device:
+	device_del(&rbd_dev->dev);
 err_out_image_lock:
 	rbd_dev_image_unlock(rbd_dev);
 	rbd_dev_device_release(rbd_dev);
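
Review bot: err_out_device calls device_del() before rbd_dev_image_unlock() and rbd_dev_device_release(), i.e. the device is unregistered while the image lock is still held; the commit message says this mirrors the normal remove ordering, and a one-line comment ("device_add() succeeded, undo it before the shared release path") would explain why this label sits above err_out_image_lock. Any other failure between device_add() and device_add_disk() needs the same label, so check that nothing in that window still jumps to err_out_image_lock.
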




* [PATCH 6.6 054/474] io_uring/timeout: check unused sqe fields
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2026-05-15 15:42 ` [PATCH 6.6 053/474] rbd: fix null-ptr-deref when device_add_disk() fails Greg Kroah-Hartman
@ 2026-05-15 15:42 ` Greg Kroah-Hartman
  2026-05-15 15:42 ` [PATCH 6.6 055/474] iio: adc: ti-ads7950: use iio_push_to_buffers_with_ts_unaligned() Greg Kroah-Hartman
                   ` (420 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Pavel Begunkov, Jens Axboe

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pavel Begunkov <asml.silence@gmail.com>

commit 484ae637a3e3d909718de7c07afd3bb34b6b8504 upstream.

Zero check unused SQE fields addr3 and pad2 for timeout and timeout
update requests. They're not needed now, but could be used sometime
in the future.

Cc: stable@vger.kernel.org
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 io_uring/timeout.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/io_uring/timeout.c
+++ b/io_uring/timeout.c
@@ -428,6 +428,8 @@ int io_timeout_remove_prep(struct io_kio
 
 	if (unlikely(req->flags & (REQ_F_FIXED_FILE | REQ_F_BUFFER_SELECT)))
 		return -EINVAL;
+	if (sqe->addr3 || sqe->__pad2[0])
+		return -EINVAL;
 	if (sqe->buf_index || sqe->len || sqe->splice_fd_in)
 		return -EINVAL;
 
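
Review bot: rejecting non-zero addr3/__pad2 in io_timeout_remove_prep() is an ABI tightening: an SQE that previously worked with stale data in those fields now fails with -EINVAL, which deserves a sentence in the commit message and in the io_uring_enter(2) text for IORING_OP_TIMEOUT_REMOVE; and since the identical two-line check is repeated in __io_timeout_prep() below, fold it into the existing `sqe->buf_index || ...` condition or into a small shared helper so the two sites cannot drift.
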
@@ -500,6 +502,8 @@ static int __io_timeout_prep(struct io_k
 	unsigned flags;
 	u32 off = READ_ONCE(sqe->off);
 
+	if (sqe->addr3 || sqe->__pad2[0])
+		return -EINVAL;
 	if (sqe->buf_index || sqe->len != 1 || sqe->splice_fd_in)
 		return -EINVAL;
 	if (off && is_timeout_link)
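
Review bot: sqe->addr3 and sqe->__pad2[0] are read plainly while `off` two lines above uses READ_ONCE(); for a must-be-zero test a torn read only changes which -EINVAL you get, and the existing buf_index/len/splice_fd_in line already reads directly, so this follows the file's convention, but the two styles side by side could use a uniform choice or a comment.
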




* [PATCH 6.6 055/474] iio: adc: ti-ads7950: use iio_push_to_buffers_with_ts_unaligned()
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2026-05-15 15:42 ` [PATCH 6.6 054/474] io_uring/timeout: check unused sqe fields Greg Kroah-Hartman
@ 2026-05-15 15:42 ` Greg Kroah-Hartman
  2026-05-15 15:42 ` [PATCH 6.6 056/474] io_uring/poll: fix signed comparison in io_poll_get_ownership() Greg Kroah-Hartman
                   ` (419 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, David Lechner, Stable,
	Jonathan Cameron

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Lechner <dlechner@baylibre.com>

commit 7806c060cceb2d6895efbb6cff2f2f17cf1ec5de upstream.

Use iio_push_to_buffers_with_ts_unaligned() to avoid unaligned access
when writing the timestamp in the rx_buf.

The previous implementation would have been fine on architectures that
support 4-byte alignment of 64-bit integers but could cause issues on
architectures that require 8-byte alignment.

Fixes: 902c4b2446d4 ("iio: adc: New driver for TI ADS7950 chips")
Signed-off-by: David Lechner <dlechner@baylibre.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/adc/ti-ads7950.c |   11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

--- a/drivers/iio/adc/ti-ads7950.c
+++ b/drivers/iio/adc/ti-ads7950.c
@@ -47,8 +47,6 @@
 #define TI_ADS7950_MAX_CHAN	16
 #define TI_ADS7950_NUM_GPIOS	4
 
-#define TI_ADS7950_TIMESTAMP_SIZE (sizeof(int64_t) / sizeof(__be16))
-
 /* val = value, dec = left shift, bits = number of bits of the mask */
 #define TI_ADS7950_EXTRACT(val, dec, bits) \
 	(((val) >> (dec)) & ((1 << (bits)) - 1))
@@ -105,8 +103,7 @@ struct ti_ads7950_state {
 	 * DMA (thus cache coherency maintenance) may require the
 	 * transfer buffers to live in their own cache lines.
 	 */
-	u16 rx_buf[TI_ADS7950_MAX_CHAN + 2 + TI_ADS7950_TIMESTAMP_SIZE]
-		__aligned(IIO_DMA_MINALIGN);
+	u16 rx_buf[TI_ADS7950_MAX_CHAN + 2] __aligned(IIO_DMA_MINALIGN);
 	u16 tx_buf[TI_ADS7950_MAX_CHAN + 2];
 	u16 single_tx;
 	u16 single_rx;
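
Review bot: rx_buf loses the TI_ADS7950_TIMESTAMP_SIZE slots that previously held the timestamp and now matches tx_buf at TI_ADS7950_MAX_CHAN + 2 entries; confirm that no SPI transfer in the driver still sizes its receive length from the old array length, since a transfer sized for the old buffer would now overrun it.
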
@@ -313,8 +310,10 @@ static irqreturn_t ti_ads7950_trigger_ha
 	if (ret < 0)
 		goto out;
 
-	iio_push_to_buffers_with_timestamp(indio_dev, &st->rx_buf[2],
-					   iio_get_time_ns(indio_dev));
+	iio_push_to_buffers_with_ts_unaligned(indio_dev, &st->rx_buf[2],
+					      sizeof(*st->rx_buf) *
+					      TI_ADS7950_MAX_CHAN,
+					      iio_get_time_ns(indio_dev));
 
 out:
 	mutex_unlock(&st->slock);
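
Review bot: data_sz is passed as `sizeof(*st->rx_buf) * TI_ADS7950_MAX_CHAN`, i.e. all 16 channels regardless of the enabled scan mask; this is only right if the driver always reads every channel into rx_buf[2..] and the helper tolerates a data_sz larger than indio_dev->scan_bytes for a partial mask (the old call assumed the same), so check how iio_push_to_buffers_with_ts_unaligned() treats that case and add a comment stating that the driver captures all channels unconditionally.
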




* [PATCH 6.6 056/474] io_uring/poll: fix signed comparison in io_poll_get_ownership()
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2026-05-15 15:42 ` [PATCH 6.6 055/474] iio: adc: ti-ads7950: use iio_push_to_buffers_with_ts_unaligned() Greg Kroah-Hartman
@ 2026-05-15 15:42 ` Greg Kroah-Hartman
  2026-05-15 15:42 ` [PATCH 6.6 057/474] io_uring/poll: ensure EPOLL_ONESHOT is propagated for EPOLL_URING_WAKE Greg Kroah-Hartman
                   ` (418 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yifan Wu, Juefei Pu, Yuan Tan,
	Xin Liu, Zhengchuan Liang, Longxuan Yu, Ren Wei, Pavel Begunkov,
	Jens Axboe

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Longxuan Yu <ylong030@ucr.edu>

commit 326941b22806cbf2df1fbfe902b7908b368cce42 upstream.

io_poll_get_ownership() uses a signed comparison to check whether
poll_refs has reached the threshold for the slowpath:

    if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS))

atomic_read() returns int (signed). When IO_POLL_CANCEL_FLAG
(BIT(31)) is set in poll_refs, the value becomes negative in
signed arithmetic, so the >= 128 comparison always evaluates to
false and the slowpath is never taken.

Fix this by casting the atomic_read() result to unsigned int
before the comparison, so that the cancel flag is treated as a
large positive value and correctly triggers the slowpath.

Fixes: a26a35e9019f ("io_uring: make poll refs more robust")
Cc: stable@vger.kernel.org
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Zhengchuan Liang <zcliangcn@gmail.com>
Signed-off-by: Longxuan Yu <ylong030@ucr.edu>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://patch.msgid.link/3a3508b08bcd7f1bc3beff848ae6e1d73d355043.1775965597.git.ylong030@ucr.edu
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 io_uring/poll.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/io_uring/poll.c
+++ b/io_uring/poll.c
@@ -91,7 +91,7 @@ static bool io_poll_get_ownership_slowpa
  */
 static inline bool io_poll_get_ownership(struct io_kiocb *req)
 {
-	if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS))
+	if (unlikely((unsigned int)atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS))
 		return io_poll_get_ownership_slowpath(req);
 	return !(atomic_fetch_inc(&req->poll_refs) & IO_POLL_REF_MASK);
 }
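Review bot: the cast fixes the sign problem, but the new line runs well past 80 columns; hoisting the value into `unsigned int refs = atomic_read(&req->poll_refs);` and comparing `refs >= IO_POLL_REF_BIAS` would keep checkpatch quiet and make the unsigned intent visible to the next reader. It would also help to extend the comment above the function (the `*/` in the context line) with a sentence saying that IO_POLL_CANCEL_FLAG in bit 31 is meant to read as a large value here, so the signed compare is not reintroduced by a later cleanup.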




* [PATCH 6.6 057/474] io_uring/poll: ensure EPOLL_ONESHOT is propagated for EPOLL_URING_WAKE
@ 2026-05-15 15:42 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Azizcan Daştan, Jens Axboe

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jens Axboe <axboe@kernel.dk>

commit 1967f0b1cafdde37aa9e08e6021c14bcc484b7a5 upstream.

Commit:

aacf2f9f382c ("io_uring: fix req->apoll_events")

fixed an issue where poll->events and req->apoll_events weren't
synchronized, but then when the commit referenced in Fixes got added,
it didn't ensure the same thing.

If we mask in EPOLLONESHOT in the regular EPOLL_URING_WAKE path, then
ensure it's done for both. Including a link to the original report
below, even though it's mostly nonsense. But it includes a reproducer
that does show that IORING_CQE_F_MORE is set in the previous CQE,
while no more CQEs will be generated for this request. Just ignore
anything that pretends this is security related in any way, it's just
the typical AI nonsense.

Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/io-uring/CAM0zi7yQzF3eKncgHo4iVM5yFLAjsiob_ucqyWKs=hyd_GqiMg@mail.gmail.com/
Reported-by: Azizcan Daştan <azizcan.d@mileniumsec.com>
Fixes: 4464853277d0 ("io_uring: pass in EPOLL_URING_WAKE for eventfd signaling and wakeups")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 io_uring/poll.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/io_uring/poll.c
+++ b/io_uring/poll.c
@@ -441,8 +441,10 @@ static int io_poll_wake(struct wait_queu
 		 * disable multishot as there is a circular dependency between
 		 * CQ posting and triggering the event.
 		 */
-		if (mask & EPOLL_URING_WAKE)
+		if (mask & EPOLL_URING_WAKE) {
 			poll->events |= EPOLLONESHOT;
+			req->apoll_events |= EPOLLONESHOT;
+		}
 
 		/* optional, saves extra locking for removal in tw handler */
 		if (mask && poll->events & EPOLLONESHOT) {
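Review bot: two fields, `poll->events` and `req->apoll_events`, now have to be updated in lockstep, and the comment directly above the hunk only explains why multishot is disabled, not why both copies need the flag. A short addition to that comment, or a tiny helper used by this path and the one fixed in aacf2f9f382c, would stop the next EPOLLONESHOT site from drifting apart again. The check a few lines down, `if (mask && poll->events & EPOLLONESHOT)`, still reads only `poll->events`, which is fine as long as the two stay in sync.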




* [PATCH 6.6 058/474] ALSA: core: Fix potential data race at fasync handling
@ 2026-05-15 15:42 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jake Lamberson, Takashi Iwai

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 8146cd333d235ed32d48bb803fdf743472d7c783 upstream.

In snd_fasync_work_fn(), which is the offload work for traversing and
processing the pending fasync list, the call of kill_fasync() is done
outside the snd_fasync_lock for avoiding deadlocks.  The problem is
that the references to fasync->on, fasync->signal and fasync->poll
are also made there outside the lock.  Since these may be modified by
a concurrent snd_kill_fasync() call from another process, inconsistent
values might be passed to kill_fasync().  Although there shouldn't be
a critical UAF, it's still better to address it.

This patch moves the kill_fasync() argument evaluations inside the
snd_fasync_lock to avoid the data races above.  The handling of the
fasync->on flag is optimized in the loop to skip directly.

Also, for more clarity, snd_fasync_free() takes the lock and unlinks
the pending entry directly instead of clearing the fasync->on flag.

Reported-by: Jake Lamberson <lamberson.jake@gmail.com>
Fixes: ef34a0ae7a26 ("ALSA: core: Add async signal helpers")
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260420061721.3253644-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/core/misc.c |   13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

--- a/sound/core/misc.c
+++ b/sound/core/misc.c
@@ -171,14 +171,18 @@ static LIST_HEAD(snd_fasync_list);
 static void snd_fasync_work_fn(struct work_struct *work)
 {
 	struct snd_fasync *fasync;
+	int signal, poll;
 
 	spin_lock_irq(&snd_fasync_lock);
 	while (!list_empty(&snd_fasync_list)) {
 		fasync = list_first_entry(&snd_fasync_list, struct snd_fasync, list);
 		list_del_init(&fasync->list);
+		if (!fasync->on)
+			continue;
+		signal = fasync->signal;
+		poll = fasync->poll;
 		spin_unlock_irq(&snd_fasync_lock);
-		if (fasync->on)
-			kill_fasync(&fasync->fasync, fasync->signal, fasync->poll);
+		kill_fasync(&fasync->fasync, signal, poll);
 		spin_lock_irq(&snd_fasync_lock);
 	}
 	spin_unlock_irq(&snd_fasync_lock);
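Review bot: the snapshot of `fasync->on`, `signal` and `poll` under snd_fasync_lock only closes the race if snd_kill_fasync() writes those fields under the same lock; that is not visible in this hunk and deserves a sentence in the commit message or a comment at the snapshot. The `continue` while still holding the spinlock is correct because the loop condition re-checks the list under the lock, but a short comment (`/* cancelled entry, lock still held */`) would save the reader from tracing the unlock/relock pairing.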
@@ -234,7 +238,10 @@ void snd_fasync_free(struct snd_fasync *
 {
 	if (!fasync)
 		return;
-	fasync->on = 0;
+
+	scoped_guard(spinlock_irq, &snd_fasync_lock)
+		list_del_init(&fasync->list);
+
 	flush_work(&snd_fasync_work);
 	kfree(fasync);
 }
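Review bot: `scoped_guard(spinlock_irq, ...)` is a recent idiom; for a 6.6 backport, confirm that the spinlock_irq guard class is defined in this branch's headers, otherwise sound/core/misc.c will not build. Semantically, dropping `fasync->on = 0` means a snd_kill_fasync() that races with this free could re-queue the entry after the list_del_init() here and before flush_work() has drained it, so the requirement that callers stop signalling before snd_fasync_free() should be stated in a comment at the top of the function.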




* [PATCH 6.6 059/474] ALSA: caiaq: Fix control_put() result and cache rollback
@ 2026-05-15 15:42 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

commit a3542d1b30f92307f545f2def14e8d988dffdff0 upstream.

control_put() always returns 1 and updates cdev->control_state[]
before sending the USB command. It also ignores transport errors
from usb_bulk_msg(), snd_usb_caiaq_send_command(), and
snd_usb_caiaq_send_command_bank().

That breaks the ALSA .put() contract and can leave control_get()
reporting a cached value the device never accepted.

Return 0 for unchanged values, propagate transport failures,
and restore the cached byte when the write fails.

Fixes: 8e3cd08ed8e59 ("[ALSA] caiaq - add control API and more input features")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260417-caiaq-control-put-v1-1-c37826e92447@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/usb/caiaq/control.c |   54 +++++++++++++++++++++++++++++++---------------
 1 file changed, 37 insertions(+), 17 deletions(-)

--- a/sound/usb/caiaq/control.c
+++ b/sound/usb/caiaq/control.c
@@ -87,6 +87,7 @@ static int control_put(struct snd_kcontr
 	struct snd_usb_caiaqdev *cdev = caiaqdev(chip->card);
 	int pos = kcontrol->private_value;
 	int v = ucontrol->value.integer.value[0];
+	int ret;
 	unsigned char cmd;
 
 	switch (cdev->chip.usb_id) {
@@ -103,6 +104,10 @@ static int control_put(struct snd_kcontr
 
 	if (pos & CNT_INTVAL) {
 		int i = pos & ~CNT_INTVAL;
+		unsigned char old = cdev->control_state[i];
+
+		if (old == v)
+			return 0;
 
 		cdev->control_state[i] = v;
 
@@ -113,10 +118,11 @@ static int control_put(struct snd_kcontr
 			cdev->ep8_out_buf[0] = i;
 			cdev->ep8_out_buf[1] = v;
 
-			usb_bulk_msg(cdev->chip.dev,
-				     usb_sndbulkpipe(cdev->chip.dev, 8),
-				     cdev->ep8_out_buf, sizeof(cdev->ep8_out_buf),
-				     &actual_len, 200);
+			ret = usb_bulk_msg(cdev->chip.dev,
+					   usb_sndbulkpipe(cdev->chip.dev, 8),
+					   cdev->ep8_out_buf,
+					   sizeof(cdev->ep8_out_buf),
+					   &actual_len, 200);
 		} else if (cdev->chip.usb_id ==
 			USB_ID(USB_VID_NATIVEINSTRUMENTS, USB_PID_MASCHINECONTROLLER)) {
 
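Review bot: `ret = usb_bulk_msg(...)` only captures a transport error; `actual_len` is still ignored, so a short transfer that returns 0 with `actual_len < sizeof(cdev->ep8_out_buf)` is treated as success and the cache keeps the new value. Treat a short write as an error, for example `if (!ret && actual_len != sizeof(cdev->ep8_out_buf)) ret = -EIO;`, so the rollback below also covers that case.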
@@ -128,21 +134,36 @@ static int control_put(struct snd_kcontr
 				offset = MASCHINE_BANK_SIZE;
 			}
 
-			snd_usb_caiaq_send_command_bank(cdev, cmd, bank,
-					cdev->control_state + offset,
-					MASCHINE_BANK_SIZE);
+			ret = snd_usb_caiaq_send_command_bank(cdev, cmd, bank,
+							      cdev->control_state + offset,
+							      MASCHINE_BANK_SIZE);
 		} else {
-			snd_usb_caiaq_send_command(cdev, cmd,
-					cdev->control_state, sizeof(cdev->control_state));
+			ret = snd_usb_caiaq_send_command(cdev, cmd,
+							 cdev->control_state,
+							 sizeof(cdev->control_state));
 		}
-	} else {
-		if (v)
-			cdev->control_state[pos / 8] |= 1 << (pos % 8);
-		else
-			cdev->control_state[pos / 8] &= ~(1 << (pos % 8));
 
-		snd_usb_caiaq_send_command(cdev, cmd,
-				cdev->control_state, sizeof(cdev->control_state));
+		if (ret < 0) {
+			cdev->control_state[i] = old;
+			return ret;
+		}
+	} else {
+		int idx = pos / 8;
+		unsigned char mask = 1 << (pos % 8);
+		unsigned char old = cdev->control_state[idx];
+		unsigned char val = v ? (old | mask) : (old & ~mask);
+
+		if (old == val)
+			return 0;
+
+		cdev->control_state[idx] = val;
+		ret = snd_usb_caiaq_send_command(cdev, cmd,
+						 cdev->control_state,
+						 sizeof(cdev->control_state));
+		if (ret < 0) {
+			cdev->control_state[idx] = old;
+			return ret;
+		}
 	}
 
 	return 1;
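Review bot: the rollback `cdev->control_state[i] = old` relies on all three transport helpers returning 0 or a negative errno; snd_usb_caiaq_send_command() and snd_usb_caiaq_send_command_bank() are not shown here, so it is worth confirming they never return a positive byte count. A comment at `cdev->control_state[i] = v;` explaining that the array is written first because the bank and full-state commands transmit the array itself would make clear why the shape is write-then-rollback rather than send-then-store.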
@@ -640,4 +661,3 @@ int snd_usb_caiaq_control_init(struct sn
 
 	return ret;
 }
-



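The .put() contract the patch above restores (0 for an unchanged value, 1 for a change the device accepted, a negative errno with the cached byte rolled back otherwise), as an added user-space model that is not the caiaq driver's code: the device state is a byte array, the USB transport is a stub that can be told to fail, and the names (fake_dev, fake_send, put_int_value, put_bit, demo_put_contract) are this example's own. Unlike the hunk, it rejects out-of-range integer values instead of letting them truncate.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define STATE_SIZE 64

/* Stand-in for the driver's cached control state plus a fake USB link. */
struct fake_dev {
	unsigned char state[STATE_SIZE]; /* mirror of the device's control bytes */
	int transport_err;               /* 0 = deliver, otherwise errno to fail with */
	int sends;                       /* writes that reached the "wire" */
};

/* Stand-in for usb_bulk_msg()/snd_usb_caiaq_send_command(): 0 on success,
 * negative errno on failure, which is the convention the rollback relies on. */
static int fake_send(struct fake_dev *dev)
{
	if (dev->transport_err)
		return -dev->transport_err;
	dev->sends++;
	return 0;
}

/* Integer control, one state byte per control (the CNT_INTVAL shape).
 * Returns 0 = unchanged, 1 = changed and accepted, <0 = error, cache restored. */
static int put_int_value(struct fake_dev *dev, unsigned int idx, int v)
{
	unsigned char old;
	int ret;

	if (idx >= STATE_SIZE || v < 0 || v > 255)
		return -EINVAL;               /* this example's addition: no silent truncation */
	old = dev->state[idx];
	if (old == (unsigned char)v)
		return 0;                     /* nothing to send, nothing changed */

	dev->state[idx] = (unsigned char)v;   /* written first: the command sends the array */
	ret = fake_send(dev);
	if (ret < 0) {
		dev->state[idx] = old;        /* .get() must never show a value the device refused */
		return ret;
	}
	return 1;
}

/* Boolean control, one bit in a packed byte (the non-CNT_INTVAL shape). */
static int put_bit(struct fake_dev *dev, unsigned int pos, bool on)
{
	unsigned int idx = pos / 8;
	unsigned char mask = 1u << (pos % 8);
	unsigned char old, val;
	int ret;

	if (idx >= STATE_SIZE)
		return -EINVAL;
	old = dev->state[idx];
	val = on ? (old | mask) : (old & ~mask);
	if (old == val)
		return 0;

	dev->state[idx] = val;
	ret = fake_send(dev);
	if (ret < 0) {
		dev->state[idx] = old;
		return ret;
	}
	return 1;
}

/* Walk the contract on a constructed device: returns 0 when every step
 * behaves as ALSA expects, otherwise the number of the first step that did not. */
static int demo_put_contract(void)
{
	struct fake_dev dev;

	memset(&dev, 0, sizeof(dev));
	if (put_int_value(&dev, 7, 100) != 1 || dev.state[7] != 100)
		return 1;                     /* first write: changed */
	if (put_int_value(&dev, 7, 100) != 0 || dev.sends != 1)
		return 2;                     /* same value: 0 and no wire traffic */
	dev.transport_err = EIO;
	if (put_int_value(&dev, 7, 5) != -EIO || dev.state[7] != 100)
		return 3;                     /* failed write: errno, cache rolled back */
	if (put_bit(&dev, 3, true) != -EIO || dev.state[0] != 0)
		return 4;
	dev.transport_err = 0;
	if (put_bit(&dev, 3, true) != 1 || dev.state[0] != 0x08)
		return 5;
	if (put_bit(&dev, 3, true) != 0)
		return 6;                     /* bit already set: unchanged */
	if (put_bit(&dev, 3, false) != 1 || dev.state[0] != 0)
		return 7;
	if (put_int_value(&dev, 7, 300) != -EINVAL)
		return 8;                     /* out of range is rejected, not truncated */
	return 0;
}

int main(void)
{
	int step = demo_put_contract();

	printf(step ? "contract violated at step %d\n" : "put() contract holds (%d)\n", step);
	return step != 0;
}
```

The write-before-send order is kept on purpose: as in the driver, the command transmits the cached array, so the new byte has to be in place before the transfer and restored afterwards if the transfer fails.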

* [PATCH 6.6 060/474] ALSA: caiaq: Handle probe errors properly
@ 2026-05-15 15:42 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 28abd224db4a49560b452115bca3672a20e45b2f upstream.

The probe procedure of setup_card() in the caiaq driver doesn't treat the
error cases gracefully, e.g. on an error from snd_card_register() it calls
snd_card_free() but continues.  This would lead to a UAF for the
further calls like snd_usb_caiaq_control_init(), as Berk suggested in
another patch in the link below.

However, the problem is not only that; in general, this function drops
all error handling (as it's a void function) although its caller
can propagate an error to snd_probe(), which eventually calls
snd_card_free() as a proper error path.  That said, we should treat
each error case in setup_card() and just return the error code
promptly, which is then handled later as a fatal error in snd_probe().

This patch achieves it by changing setup_card() to return an error
code.  The superfluous snd_card_free() call is removed, too.

Note that card->private_free can still be set safely when returning an
error.  All functions called in card_free() have checks for unassigned
resources or NULL checks.

Fixes: 8e3cd08ed8e5 ("[ALSA] caiaq - add control API and more input features")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/20260413034941.1131465-2-berkcgoksel@gmail.com
Link: https://patch.msgid.link/20260414105916.364073-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/usb/caiaq/device.c |   33 ++++++++++++++++++++++++---------
 1 file changed, 24 insertions(+), 9 deletions(-)

--- a/sound/usb/caiaq/device.c
+++ b/sound/usb/caiaq/device.c
@@ -290,7 +290,7 @@ int snd_usb_caiaq_set_auto_msg(struct sn
 					  tmp, sizeof(tmp));
 }
 
-static void setup_card(struct snd_usb_caiaqdev *cdev)
+static int setup_card(struct snd_usb_caiaqdev *cdev)
 {
 	int ret;
 	char val[4];
@@ -325,8 +325,10 @@ static void setup_card(struct snd_usb_ca
 		snd_usb_caiaq_send_command(cdev, EP1_CMD_READ_IO, NULL, 0);
 
 		if (!wait_event_timeout(cdev->ep1_wait_queue,
-					cdev->control_state[0] != 0xff, HZ))
-			return;
+					cdev->control_state[0] != 0xff, HZ)) {
+			dev_err(dev, "Read timeout for control state\n");
+			return -EINVAL;
+		}
 
 		/* fix up some defaults */
 		if ((cdev->control_state[1] != 2) ||
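Review bot: the new early return on wait_event_timeout() reports -EINVAL, which tells the user the arguments were wrong rather than that the device did not answer; -ETIMEDOUT (or -EIO) is the conventional code for a lost response and would make the dev_err() text and the errno returned to probe agree.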
@@ -347,33 +349,43 @@ static void setup_card(struct snd_usb_ca
 	    cdev->spec.num_digital_audio_out +
 	    cdev->spec.num_digital_audio_in > 0) {
 		ret = snd_usb_caiaq_audio_init(cdev);
-		if (ret < 0)
+		if (ret < 0) {
 			dev_err(dev, "Unable to set up audio system (ret=%d)\n", ret);
+			return ret;
+		}
 	}
 
 	if (cdev->spec.num_midi_in +
 	    cdev->spec.num_midi_out > 0) {
 		ret = snd_usb_caiaq_midi_init(cdev);
-		if (ret < 0)
+		if (ret < 0) {
 			dev_err(dev, "Unable to set up MIDI system (ret=%d)\n", ret);
+			return ret;
+		}
 	}
 
 #ifdef CONFIG_SND_USB_CAIAQ_INPUT
 	ret = snd_usb_caiaq_input_init(cdev);
-	if (ret < 0)
+	if (ret < 0) {
 		dev_err(dev, "Unable to set up input system (ret=%d)\n", ret);
+		return ret;
+	}
 #endif
 
 	/* finally, register the card and all its sub-instances */
 	ret = snd_card_register(cdev->chip.card);
 	if (ret < 0) {
 		dev_err(dev, "snd_card_register() returned %d\n", ret);
-		snd_card_free(cdev->chip.card);
+		return ret;
 	}
 
 	ret = snd_usb_caiaq_control_init(cdev);
-	if (ret < 0)
+	if (ret < 0) {
 		dev_err(dev, "Unable to set up control system (ret=%d)\n", ret);
+		return ret;
+	}
+
+	return 0;
 }
 
 static void card_free(struct snd_card *card)
@@ -499,8 +511,11 @@ static int init_card(struct snd_usb_caia
 	scnprintf(card->longname, sizeof(card->longname), "%s %s (%s)",
 		       cdev->vendor_name, cdev->product_name, usbpath);
 
-	setup_card(cdev);
 	card->private_free = card_free;
+	err = setup_card(cdev);
+	if (err < 0)
+		return err;
+
 	return 0;
 
  err_kill_urb:
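Review bot: `err = setup_card(cdev); if (err < 0) return err; return 0;` can simply be `return setup_card(cdev);` now that the function returns an int. More importantly, moving `card->private_free = card_free;` ahead of the call is what makes the early returns safe (the caller's snd_card_free() now runs card_free for a half-initialised card), so that ordering deserves a comment; a later reorder would silently bring back the leak/UAF this patch fixes. Also confirm that none of the new error returns need to go through the `err_kill_urb:` path visible below, which they currently bypass.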




* [PATCH 6.6 061/474] ALSA: 6fire: Fix input volume change detection
@ 2026-05-15 15:42 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

commit dc88eef8f55e85e92d016cdf7e291f5560efd79b upstream.

usb6fire_control_input_vol_put() stores the analog capture volume
as a signed offset in rt->input_vol[] (-15..+15), but it compares
the cached value against the user-visible mixer value (0..30)
before subtracting 15.

This mixes two domains in the change detection path. Since the
runtime is zero-initialized, the visible default is 15; writing 0
right after probe is ignored, while writing 15 is reported as a
change even though the cached value remains 0.

Normalize the user value before comparing it with the cached offset.

Fixes: 06bb4e743501 ("ALSA: snd-usb-6fire: add analog input volume control")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260416-alsa-6fire-input-volume-change-detection-v1-1-ec78299168df@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/usb/6fire/control.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/sound/usb/6fire/control.c
+++ b/sound/usb/6fire/control.c
@@ -290,15 +290,17 @@ static int usb6fire_control_input_vol_pu
 		struct snd_ctl_elem_value *ucontrol)
 {
 	struct control_runtime *rt = snd_kcontrol_chip(kcontrol);
+	int vol0 = ucontrol->value.integer.value[0] - 15;
+	int vol1 = ucontrol->value.integer.value[1] - 15;
 	int changed = 0;
 
-	if (rt->input_vol[0] != ucontrol->value.integer.value[0]) {
-		rt->input_vol[0] = ucontrol->value.integer.value[0] - 15;
+	if (rt->input_vol[0] != vol0) {
+		rt->input_vol[0] = vol0;
 		rt->ivol_updated &= ~(1 << 0);
 		changed = 1;
 	}
-	if (rt->input_vol[1] != ucontrol->value.integer.value[1]) {
-		rt->input_vol[1] = ucontrol->value.integer.value[1] - 15;
+	if (rt->input_vol[1] != vol1) {
+		rt->input_vol[1] = vol1;
 		rt->ivol_updated &= ~(1 << 1);
 		changed = 1;
 	}
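Review bot: `vol0`/`vol1` are derived from the userspace values with no range check in this function; unless the .info range (0..30) is enforced before .put() runs, an out-of-range value is now stored as an offset outside -15..+15 and flagged for writing to the hardware. A check such as `if (vol0 < -15 || vol0 > 15 || vol1 < -15 || vol1 > 15) return -EINVAL;` before the comparisons would close that, and it is cheap now that the values are already in local ints.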



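The domain mismatch described above (cached signed offset -15..+15 versus the user-visible 0..30), as an added example that is not the 6fire driver's code: the pre-fix comparison and the normalised one are both modelled on a zero-initialised runtime, so the behaviour from the commit message (writing 0 right after probe is ignored, writing 15 reports a change although nothing changed) can be reproduced side by side. The names (vol_runtime, input_vol_put_buggy, input_vol_put_fixed, input_vol_get, fresh_put_result, fresh_put_then_get) are this example's own; the range check in the fixed variant is an addition, the hunk relies on the control's .info range instead.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define VOL_BIAS 15          /* user value 0..30 <-> cached offset -15..+15 */
#define NUM_CH   2

/* Stand-in for the driver's runtime: zero-initialised at probe, so the
 * cached offsets start at 0 and .get() reports 15 for both channels. */
struct vol_runtime {
	int input_vol[NUM_CH];      /* cached offsets, -15..+15 */
	unsigned int ivol_updated;  /* bit per channel; cleared = push to hardware */
};

/* Pre-fix logic: compares the raw user value (0..30) against the cached
 * offset (-15..+15), then stores the offset. Returns 1 if it believes a
 * change happened. */
static int input_vol_put_buggy(struct vol_runtime *rt, const long user[NUM_CH])
{
	int changed = 0;

	for (int ch = 0; ch < NUM_CH; ch++) {
		if (rt->input_vol[ch] != user[ch]) {
			rt->input_vol[ch] = (int)user[ch] - VOL_BIAS;
			rt->ivol_updated &= ~(1u << ch);
			changed = 1;
		}
	}
	return changed;
}

/* Fixed logic: normalise into the cached domain first, then compare.
 * The range check is this example's addition; the driver relies on the
 * control's .info range. */
static int input_vol_put_fixed(struct vol_runtime *rt, const long user[NUM_CH])
{
	int changed = 0;

	for (int ch = 0; ch < NUM_CH; ch++)
		if (user[ch] < 0 || user[ch] > 2 * VOL_BIAS)
			return -EINVAL;     /* reject before touching any channel */

	for (int ch = 0; ch < NUM_CH; ch++) {
		int vol = (int)user[ch] - VOL_BIAS;

		if (rt->input_vol[ch] != vol) {
			rt->input_vol[ch] = vol;
			rt->ivol_updated &= ~(1u << ch);
			changed = 1;
		}
	}
	return changed;
}

/* What .get() shows the user: cached offset plus bias. */
static long input_vol_get(const struct vol_runtime *rt, int ch)
{
	return rt->input_vol[ch] + VOL_BIAS;
}

/* Apply one .put() to a freshly probed runtime and return its result. */
static int fresh_put_result(bool fixed, long u0, long u1)
{
	struct vol_runtime rt = { .ivol_updated = 0x3 };
	long user[NUM_CH] = { u0, u1 };

	return fixed ? input_vol_put_fixed(&rt, user) : input_vol_put_buggy(&rt, user);
}

/* Apply one .put() to a freshly probed runtime and return what .get()
 * reports for channel ch afterwards. */
static long fresh_put_then_get(bool fixed, long u0, long u1, int ch)
{
	struct vol_runtime rt = { .ivol_updated = 0x3 };
	long user[NUM_CH] = { u0, u1 };

	if (fixed)
		input_vol_put_fixed(&rt, user);
	else
		input_vol_put_buggy(&rt, user);
	return input_vol_get(&rt, ch);
}

int main(void)
{
	/* Right after probe: ask for 0 on channel 0 and 15 on channel 1. */
	printf("buggy: put returned %d, get -> ch0=%ld ch1=%ld\n",
	       fresh_put_result(false, 0, 15),
	       fresh_put_then_get(false, 0, 15, 0),
	       fresh_put_then_get(false, 0, 15, 1));
	printf("fixed: put returned %d, get -> ch0=%ld ch1=%ld\n",
	       fresh_put_result(true, 0, 15),
	       fresh_put_then_get(true, 0, 15, 0),
	       fresh_put_then_get(true, 0, 15, 1));
	return 0;
}
```

With the buggy variant the request for 0 on channel 0 is dropped (cached 0 already "equals" user 0) while the request for 15 on channel 1 is reported as a change that leaves the cache at 0; the fixed variant records the channel 0 change and correctly treats 15 as a no-op.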

* [PATCH 6.6 062/474] ALSA: pcmtest: fix reference leak on failed device registration
@ 2026-05-15 15:42 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Guangshuo Li, Takashi Iwai

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guangshuo Li <lgs201920130244@gmail.com>

commit 4ff036f95238f02c87e5d7c0a9d93748582a8950 upstream.

When platform_device_register() fails in mod_init(), the embedded struct
device in pcmtst_pdev has already been initialized by
device_initialize(), but the failure path returns the error without
dropping the device reference for the current platform device:

  mod_init()
    -> platform_device_register(&pcmtst_pdev)
       -> device_initialize(&pcmtst_pdev.dev)
       -> setup_pdev_dma_masks(&pcmtst_pdev)
       -> platform_device_add(&pcmtst_pdev)

This leads to a reference leak when platform_device_register() fails.
Fix this by calling platform_device_put() before returning the error.

The issue was identified by a static analysis tool I developed and
confirmed by manual review.

Fixes: 315a3d57c64c5 ("ALSA: Implement the new Virtual PCM Test Driver")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Link: https://patch.msgid.link/20260415193138.3861297-1-lgs201920130244@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/drivers/pcmtest.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/sound/drivers/pcmtest.c
+++ b/sound/drivers/pcmtest.c
@@ -755,8 +755,10 @@ static int __init mod_init(void)
 	if (err)
 		return err;
 	err = platform_device_register(&pcmtst_pdev);
-	if (err)
+	if (err) {
+		platform_device_put(&pcmtst_pdev);
 		return err;
+	}
 	err = platform_driver_register(&pcmtst_pdrv);
 	if (err)
 		platform_device_unregister(&pcmtst_pdev);
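Review bot: `platform_device_put(&pcmtst_pdev)` on a statically allocated device is the documented requirement after a failed platform_device_register() (the reference taken by device_initialize() has to be dropped and the object must never be freed directly), but it reads oddly next to the plain `return err` style of the other failures in this function; a one-line comment would stop a later cleanup from removing it as a spurious put on a static object.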




* [PATCH 6.6 063/474] ALSA: pcmtest: Fix resource leaks in module init error paths
@ 2026-05-15 15:42 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

commit d5d5f80416a3a749906c04d56575e2290792654b upstream.

pcmtest allocates its pattern buffers and creates its debugfs tree
before registering the platform device and driver, but mod_init()
does not release those resources when a later init step fails.

As a result, a debugfs directory creation failure leaks the pattern
buffers, while platform_device_register() and
platform_driver_register() failures leave both the pattern buffers
and the debugfs tree behind. The recent fix for failed device
registration only dropped the embedded device reference.

Add the missing cleanup for the debugfs tree and pattern buffers in
the remaining module init error paths.

Fixes: 315a3d57c64c ("ALSA: Implement the new Virtual PCM Test Driver")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260421-alsa-pcmtest-init-unwind-v1-1-03fe0c423dbb@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/drivers/pcmtest.c |   15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

--- a/sound/drivers/pcmtest.c
+++ b/sound/drivers/pcmtest.c
@@ -753,15 +753,24 @@ static int __init mod_init(void)
 
 	err = init_debug_files(buf_allocated);
 	if (err)
-		return err;
+		goto err_free_patterns;
 	err = platform_device_register(&pcmtst_pdev);
 	if (err) {
 		platform_device_put(&pcmtst_pdev);
-		return err;
+		goto err_clear_debug;
 	}
 	err = platform_driver_register(&pcmtst_pdrv);
-	if (err)
+	if (err) {
 		platform_device_unregister(&pcmtst_pdev);
+		goto err_clear_debug;
+	}
+
+	return 0;
+
+err_clear_debug:
+	clear_debug_files();
+err_free_patterns:
+	free_pattern_buffers();
 	return err;
 }
 
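Review bot: `err_free_patterns` skips clear_debug_files(), which is only correct if init_debug_files() removes whatever part of the tree it created before failing; confirm that, since a partially created debugfs directory left behind here would make the next modprobe fail at the same step. The label order (clear_debug_files() before free_pattern_buffers()) is the reverse of the allocation order, as it should be.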




* [PATCH 6.6 064/474] iio: adc: ad7768-1: fix one-shot mode data acquisition
@ 2026-05-15 15:42 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jonathan Santos, David Lechner,
	Stable, Jonathan Cameron

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jonathan Santos <Jonathan.Santos@analog.com>

commit 8be19e233744961db6069da9c9ab63eb085a0447 upstream.

According to the datasheet, one-shot mode requires a SYNC_IN pulse to
trigger a new sample conversion. In the current implementation, no sync
pulse was sent after switching to one-shot mode, and reinit_completion()
was called before mode switching, creating a race condition where spurious
interrupts during the mode change could trigger completion prematurely.

Fix by sending a sync pulse after configuring one-shot mode and calling
reinit_completion() so that it only waits for the actual conversion
completion.

Fixes: a5f8c7da3dbe ("iio: adc: Add AD7768-1 ADC basic support")
Signed-off-by: Jonathan Santos <Jonathan.Santos@analog.com>
Reviewed-by: David Lechner <dlechner@baylibre.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/adc/ad7768-1.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/drivers/iio/adc/ad7768-1.c
+++ b/drivers/iio/adc/ad7768-1.c
@@ -241,12 +241,17 @@ static int ad7768_scan_direct(struct iio
 	struct ad7768_state *st = iio_priv(indio_dev);
 	int readval, ret;
 
-	reinit_completion(&st->completion);
-
 	ret = ad7768_set_mode(st, AD7768_ONE_SHOT);
 	if (ret < 0)
 		return ret;
 
+	reinit_completion(&st->completion);
+
+	/* One-shot mode requires a SYNC pulse to generate a new sample */
+	ret = ad7768_send_sync_pulse(st);
+	if (ret)
+		return ret;
+
 	ret = wait_for_completion_timeout(&st->completion,
 					  msecs_to_jiffies(1000));
 	if (!ret)
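Review bot: the new `return ret` after a failed ad7768_send_sync_pulse() leaves the ADC in AD7768_ONE_SHOT mode, and the code after this hunk (not shown) presumably restores the previous mode on the normal and timeout paths; either route this failure through that restore or say in a comment why leaving one-shot mode configured is acceptable. Moving reinit_completion() after ad7768_set_mode() is the right fix for the spurious-completion race the commit message describes.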




* [PATCH 6.6 065/474] rxrpc: Fix memory leaks in rxkad_verify_response()
@ 2026-05-15 15:42 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, David Howells, Marc Dionne,
	Jeffrey Altman, Simon Horman, linux-afs, stable, Jakub Kicinski

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Howells <dhowells@redhat.com>

commit 34f61a07e0cdefaecd3ec03bb5fb22215643678f upstream.

Fix rxkad_verify_response() to free the ticket and the server key under all
circumstances by initialising the ticket pointer to NULL and then making
all paths through the function after the first allocation has been done go
through a single common epilogue that just releases everything - where all
the releases skip on a NULL pointer.

Fixes: 57af281e5389 ("rxrpc: Tidy up abort generation infrastructure")
Fixes: ec832bd06d6f ("rxrpc: Don't retain the server key in the connection")
Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260422161438.2593376-2-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/rxrpc/rxkad.c |  103 ++++++++++++++++++++++--------------------------------
 1 file changed, 42 insertions(+), 61 deletions(-)

--- a/net/rxrpc/rxkad.c
+++ b/net/rxrpc/rxkad.c
@@ -1047,7 +1047,7 @@ static int rxkad_verify_response(struct
 	struct rxrpc_crypt session_key;
 	struct key *server_key;
 	time64_t expiry;
-	void *ticket;
+	void *ticket = NULL;
 	u32 version, kvno, ticket_len, level;
 	__be32 csum;
 	int ret, i;
@@ -1073,13 +1073,13 @@ static int rxkad_verify_response(struct
 	ret = -ENOMEM;
 	response = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
 	if (!response)
-		goto temporary_error;
+		goto error;
 
 	if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
 			  response, sizeof(*response)) < 0) {
-		rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
-				 rxkad_abort_resp_short);
-		goto protocol_error;
+		ret = rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
+				       rxkad_abort_resp_short);
+		goto error;
 	}
 
 	version = ntohl(response->version);
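Review bot: the `ret = rxrpc_abort_conn(...)` pattern assumes that helper hands back the negative error it is given (-EPROTO here); if it returns void or 0 in this tree, every `goto error` after it would return success to the caller. The `ret = -ENOMEM; ... goto error;` path is fine since ret is set before the jump.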
@@ -1089,62 +1089,62 @@ static int rxkad_verify_response(struct
 	trace_rxrpc_rx_response(conn, sp->hdr.serial, version, kvno, ticket_len);
 
 	if (version != RXKAD_VERSION) {
-		rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO,
-				 rxkad_abort_resp_version);
-		goto protocol_error;
+		ret = rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO,
+				       rxkad_abort_resp_version);
+		goto error;
 	}
 
 	if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN) {
-		rxrpc_abort_conn(conn, skb, RXKADTICKETLEN, -EPROTO,
-				 rxkad_abort_resp_tkt_len);
-		goto protocol_error;
+		ret = rxrpc_abort_conn(conn, skb, RXKADTICKETLEN, -EPROTO,
+				       rxkad_abort_resp_tkt_len);
+		goto error;
 	}
 
 	if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5) {
-		rxrpc_abort_conn(conn, skb, RXKADUNKNOWNKEY, -EPROTO,
-				 rxkad_abort_resp_unknown_tkt);
-		goto protocol_error;
+		ret = rxrpc_abort_conn(conn, skb, RXKADUNKNOWNKEY, -EPROTO,
+				       rxkad_abort_resp_unknown_tkt);
+		goto error;
 	}
 
 	/* extract the kerberos ticket and decrypt and decode it */
 	ret = -ENOMEM;
 	ticket = kmalloc(ticket_len, GFP_NOFS);
 	if (!ticket)
-		goto temporary_error_free_resp;
+		goto error;
 
 	if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header) + sizeof(*response),
 			  ticket, ticket_len) < 0) {
-		rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
-				 rxkad_abort_resp_short_tkt);
-		goto protocol_error;
+		ret = rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
+				       rxkad_abort_resp_short_tkt);
+		goto error;
 	}
 
 	ret = rxkad_decrypt_ticket(conn, server_key, skb, ticket, ticket_len,
 				   &session_key, &expiry);
 	if (ret < 0)
-		goto temporary_error_free_ticket;
+		goto error;
 
 	/* use the session key from inside the ticket to decrypt the
 	 * response */
 	ret = rxkad_decrypt_response(conn, response, &session_key);
 	if (ret < 0)
-		goto temporary_error_free_ticket;
+		goto error;
 
 	if (ntohl(response->encrypted.epoch) != conn->proto.epoch ||
 	    ntohl(response->encrypted.cid) != conn->proto.cid ||
 	    ntohl(response->encrypted.securityIndex) != conn->security_ix) {
-		rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
-				 rxkad_abort_resp_bad_param);
-		goto protocol_error_free;
+		ret = rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
+				       rxkad_abort_resp_bad_param);
+		goto error;
 	}
 
 	csum = response->encrypted.checksum;
 	response->encrypted.checksum = 0;
 	rxkad_calc_response_checksum(response);
 	if (response->encrypted.checksum != csum) {
-		rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
-				 rxkad_abort_resp_bad_checksum);
-		goto protocol_error_free;
+		ret = rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
+				       rxkad_abort_resp_bad_checksum);
+		goto error;
 	}
 
 	for (i = 0; i < RXRPC_MAXCALLS; i++) {
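Review bot: the early `goto error` branches (version, ticket length, kvno) now reach `kfree(ticket)` in the common exit before `ticket = kmalloc(ticket_len, GFP_NOFS);` has run, so this hunk is only safe if `ticket` is initialised to NULL at its declaration, which is outside the hunk; please confirm, or add `ticket = NULL` there. The `ret = -ENOMEM;` left in place before the kmalloc() is still needed, since the allocation-failure branch now jumps to `error` with whatever is in `ret`.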
@@ -1152,38 +1152,38 @@ static int rxkad_verify_response(struct
 		u32 counter = READ_ONCE(conn->channels[i].call_counter);
 
 		if (call_id > INT_MAX) {
-			rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
-					 rxkad_abort_resp_bad_callid);
-			goto protocol_error_free;
+			ret = rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
+					       rxkad_abort_resp_bad_callid);
+			goto error;
 		}
 
 		if (call_id < counter) {
-			rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
-					 rxkad_abort_resp_call_ctr);
-			goto protocol_error_free;
+			ret = rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
+					       rxkad_abort_resp_call_ctr);
+			goto error;
 		}
 
 		if (call_id > counter) {
 			if (conn->channels[i].call) {
-				rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
+				ret = rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
 						 rxkad_abort_resp_call_state);
-				goto protocol_error_free;
+				goto error;
 			}
 			conn->channels[i].call_counter = call_id;
 		}
 	}
 
 	if (ntohl(response->encrypted.inc_nonce) != conn->rxkad.nonce + 1) {
-		rxrpc_abort_conn(conn, skb, RXKADOUTOFSEQUENCE, -EPROTO,
-				 rxkad_abort_resp_ooseq);
-		goto protocol_error_free;
+		ret = rxrpc_abort_conn(conn, skb, RXKADOUTOFSEQUENCE, -EPROTO,
+				       rxkad_abort_resp_ooseq);
+		goto error;
 	}
 
 	level = ntohl(response->encrypted.level);
 	if (level > RXRPC_SECURITY_ENCRYPT) {
-		rxrpc_abort_conn(conn, skb, RXKADLEVELFAIL, -EPROTO,
-				 rxkad_abort_resp_level);
-		goto protocol_error_free;
+		ret = rxrpc_abort_conn(conn, skb, RXKADLEVELFAIL, -EPROTO,
+				       rxkad_abort_resp_level);
+		goto error;
 	}
 	conn->security_level = level;
 
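Review bot: the continuation line `rxkad_abort_resp_call_state);` under `ret = rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,` was not re-indented when `ret = ` was prefixed, so it no longer lines up with the opening parenthesis as every other call site in this hunk does; realign it to keep checkpatch quiet.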
@@ -1191,31 +1191,12 @@ static int rxkad_verify_response(struct
 	 * this the connection security can be handled in exactly the same way
 	 * as for a client connection */
 	ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
-	if (ret < 0)
-		goto temporary_error_free_ticket;
-
-	kfree(ticket);
-	kfree(response);
-	_leave(" = 0");
-	return 0;
-
-protocol_error_free:
-	kfree(ticket);
-protocol_error:
-	kfree(response);
-	key_put(server_key);
-	return -EPROTO;
 
-temporary_error_free_ticket:
+error:
 	kfree(ticket);
-temporary_error_free_resp:
 	kfree(response);
-temporary_error:
-	/* Ignore the response packet if we got a temporary error such as
-	 * ENOMEM.  We just want to send the challenge again.  Note that we
-	 * also come out this way if the ticket decryption fails.
-	 */
 	key_put(server_key);
+	_leave(" = %d", ret);
 	return ret;
 }
 
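Review bot: the success path now falls through from `rxrpc_get_server_data_key()` into `error:` and therefore calls `key_put(server_key)`, which the removed `kfree(ticket); kfree(response); return 0;` exit never did; that dropped reference is presumably the leak this patch closes, so a one-line comment above the label saying that both outcomes release server_key would help the next reader. Since the label is now the normal exit as well, a neutral name such as `out:` would read less misleadingly than `error:`.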



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 066/474] rxrpc: Fix rxkad crypto unalignment handling
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, David Howells, Marc Dionne,
	Jeffrey Altman, Simon Horman, linux-afs, stable, Jakub Kicinski

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Howells <dhowells@redhat.com>

commit def304aae2edf321d2671fd6ca766a93c21f877e upstream.

Fix handling of a packet with a misaligned crypto length.  Also handle
non-ENOMEM errors from decryption by aborting.  Further, remove the
WARN_ON_ONCE() so that it can't be remotely triggered (a trace line can
still be emitted).

Fixes: f93af41b9f5f ("rxrpc: Fix missing error checks for rxkad encryption/decryption failure")
Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260422161438.2593376-3-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/trace/events/rxrpc.h |    1 +
 net/rxrpc/rxkad.c            |    9 +++++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

--- a/include/trace/events/rxrpc.h
+++ b/include/trace/events/rxrpc.h
@@ -36,6 +36,7 @@
 	EM(rxkad_abort_1_short_encdata,		"rxkad1-short-encdata")	\
 	EM(rxkad_abort_1_short_header,		"rxkad1-short-hdr")	\
 	EM(rxkad_abort_2_short_check,		"rxkad2-short-check")	\
+	EM(rxkad_abort_2_crypto_unaligned,	"rxkad2-crypto-unaligned") \
 	EM(rxkad_abort_2_short_data,		"rxkad2-short-data")	\
 	EM(rxkad_abort_2_short_header,		"rxkad2-short-hdr")	\
 	EM(rxkad_abort_2_short_len,		"rxkad2-short-len")	\
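Review bot: the new `EM(rxkad_abort_2_crypto_unaligned, ...)` entry breaks the alphabetical order of the rxkad_abort_2_* block (it sorts before `rxkad_abort_2_short_check`, not between short_check and short_data); since this list also generates the enum, the order has no functional effect, but keeping it sorted avoids merge conflicts when later entries are added.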
--- a/net/rxrpc/rxkad.c
+++ b/net/rxrpc/rxkad.c
@@ -492,6 +492,9 @@ static int rxkad_verify_packet_2(struct
 		return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
 					  rxkad_abort_2_short_header);
 
+	/* Don't let the crypto algo see a misaligned length. */
+	sp->len = round_down(sp->len, 8);
+
 	/* Decrypt the skbuff in-place.  TODO: We really want to decrypt
 	 * directly into the target buffer.
 	 */
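Review bot: `sp->len = round_down(sp->len, 8);` silently discards up to seven trailing bytes instead of treating a misaligned length as a protocol error; a conforming level-2 sender always pads to a multiple of 8, so an abort here (like the `rxkad_abort_2_short_header` case just above it) would be the stricter option. If rounding is the intended behaviour, a comment should say that the tail is deliberately ignored and that the length later extracted from the decrypted header is bounded against the rounded value, not the original.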
@@ -525,8 +528,10 @@ static int rxkad_verify_packet_2(struct
 	if (sg != _sg)
 		kfree(sg);
 	if (ret < 0) {
-		WARN_ON_ONCE(ret != -ENOMEM);
-		return ret;
+		if (ret == -ENOMEM)
+			return ret;
+		return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
+					  rxkad_abort_2_crypto_unaligned);
 	}
 
 	/* Extract the decrypted packet length */
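Review bot: the abort reason `rxkad_abort_2_crypto_unaligned` is now attached to every non-ENOMEM error from the decryption, yet the `round_down(sp->len, 8)` earlier in this function means an alignment failure can no longer be the cause; a bad key, an unsupported algorithm or a driver error would all be traced as "unaligned". A neutral name such as rxkad_abort_2_crypto_fail would describe the path honestly. Keeping -ENOMEM as a plain return with no abort is consistent with the temporary-error handling elsewhere in rxkad.c.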




* [PATCH 6.6 067/474] rxrpc: Fix re-decryption of RESPONSE packets
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, David Howells, Marc Dionne,
	Jeffrey Altman, Simon Horman, linux-afs, stable, Jakub Kicinski

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Howells <dhowells@redhat.com>

commit 0422e7a4883f25101903f3e8105c0808aa5f4ce9 upstream.

If a RESPONSE packet gets a temporary failure during processing, it may end
up in a partially decrypted state - and then get requeued for a retry.

Fix this by just discarding the packet; we will send another CHALLENGE
packet and thereby elicit a further response.  Similarly, discard an
incoming CHALLENGE packet if we get an error whilst generating a RESPONSE;
the server will send another CHALLENGE.

Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Closes: https://sashiko.dev/#/patchset/20260422161438.2593376-4-dhowells@redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260423200909.3049438-3-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/trace/events/rxrpc.h |    1 -
 net/rxrpc/conn_event.c       |   14 ++------------
 2 files changed, 2 insertions(+), 13 deletions(-)

--- a/include/trace/events/rxrpc.h
+++ b/include/trace/events/rxrpc.h
@@ -232,7 +232,6 @@
 	EM(rxrpc_conn_put_unidle,		"PUT unidle  ") \
 	EM(rxrpc_conn_put_work,			"PUT work    ") \
 	EM(rxrpc_conn_queue_challenge,		"QUE chall   ") \
-	EM(rxrpc_conn_queue_retry_work,		"QUE retry-wk") \
 	EM(rxrpc_conn_queue_rx_work,		"QUE rx-work ") \
 	EM(rxrpc_conn_see_new_service_conn,	"SEE new-svc ") \
 	EM(rxrpc_conn_see_reap_service,		"SEE reap-svc") \
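Review bot: removing `rxrpc_conn_queue_retry_work` from the EM list also removes it from the generated enum, so any remaining `rxrpc_queue_conn(conn, rxrpc_conn_queue_retry_work)` caller outside the conn_event.c hunk below would fail to compile; a build of the 6.6 branch is enough to confirm that the one in rxrpc_do_process_connection() was the last user.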
--- a/net/rxrpc/conn_event.c
+++ b/net/rxrpc/conn_event.c
@@ -344,7 +344,6 @@ again:
 static void rxrpc_do_process_connection(struct rxrpc_connection *conn)
 {
 	struct sk_buff *skb;
-	int ret;
 
 	if (test_and_clear_bit(RXRPC_CONN_EV_CHALLENGE, &conn->events))
 		rxrpc_secure_connection(conn);
@@ -353,17 +352,8 @@ static void rxrpc_do_process_connection(
 	 * connection that each one has when we've finished with it */
 	while ((skb = skb_dequeue(&conn->rx_queue))) {
 		rxrpc_see_skb(skb, rxrpc_skb_see_conn_work);
-		ret = rxrpc_process_event(conn, skb);
-		switch (ret) {
-		case -ENOMEM:
-		case -EAGAIN:
-			skb_queue_head(&conn->rx_queue, skb);
-			rxrpc_queue_conn(conn, rxrpc_conn_queue_retry_work);
-			break;
-		default:
-			rxrpc_free_skb(skb, rxrpc_skb_put_conn_work);
-			break;
-		}
+		rxrpc_process_event(conn, skb);
+		rxrpc_free_skb(skb, rxrpc_skb_put_conn_work);
 	}
 }
 
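Review bot: the return value of `rxrpc_process_event(conn, skb)` is now discarded with nothing logged, so a RESPONSE or CHALLENGE dropped because of -ENOMEM leaves no trace and the resulting re-challenge loop is invisible to anyone debugging a stalled secured connection; emit a tracepoint or a ratelimited debug line before `rxrpc_free_skb(skb, rxrpc_skb_put_conn_work)` when the call fails. If no caller uses the result any more, make rxrpc_process_event() return void so the discard is explicit rather than accidental.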




* [PATCH 6.6 068/474] tools/accounting: handle truncated taskstats netlink messages
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yiyang Chen, Balbir Singh,
	Dr. Thomas Orgis, Fan Yu, Wang Yaxin, Andrew Morton

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yiyang Chen <cyyzero16@gmail.com>

commit cc82b3dcc6a8fa259fbda12ab00d6fc00908a49e upstream.

procacct and getdelays use a fixed receive buffer for taskstats generic
netlink messages.  A multi-threaded process exit can emit a single
PID+TGID notification large enough to exceed that buffer on newer kernels.

Switch to recvmsg() so MSG_TRUNC is detected explicitly, increase the
message buffer size, and report truncated datagrams clearly instead of
misparsing them as fatal netlink errors.

Also print the taskstats version in debug output to make version
mismatches easier to diagnose while inspecting taskstats traffic.

Link: https://lkml.kernel.org/r/520308bb4cbbaf8dc2c7296b5f60f11e12fb30a5.1774810498.git.cyyzero16@gmail.com
Signed-off-by: Yiyang Chen <cyyzero16@gmail.com>
Cc: Balbir Singh <bsingharora@gmail.com>
Cc: Dr. Thomas Orgis <thomas.orgis@uni-hamburg.de>
Cc: Fan Yu <fan.yu9@zte.com.cn>
Cc: Wang Yaxin <wang.yaxin@zte.com.cn>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/accounting/getdelays.c |   41 +++++++++++++++++++++++++++++++++++++----
 tools/accounting/procacct.c  |   40 ++++++++++++++++++++++++++++++++++++----
 2 files changed, 73 insertions(+), 8 deletions(-)

--- a/tools/accounting/getdelays.c
+++ b/tools/accounting/getdelays.c
@@ -59,7 +59,7 @@ int print_task_context_switch_counts;
 	}
 
 /* Maximum size of response requested or message sent */
-#define MAX_MSG_SIZE	1024
+#define MAX_MSG_SIZE	2048
 /* Maximum number of cpus expected to be specified in a cpumask */
 #define MAX_CPUS	32
 
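Review bot: 2048 is another fixed guess; struct taskstats has grown across versions (the commit message notes that newer kernels already overflow 1024), so derive the buffer size from sizeof(struct taskstats) plus the netlink, genetlink and nested-attribute headers of a PID+TGID pair, or at least define MAX_MSG_SIZE in terms of that, so the next growth does not reintroduce the truncation in both getdelays.c and procacct.c.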
@@ -114,6 +114,32 @@ error:
 	return -1;
 }
 
+static int recv_taskstats_msg(int sd, struct msgtemplate *msg)
+{
+	struct sockaddr_nl nladdr;
+	struct iovec iov = {
+		.iov_base = msg,
+		.iov_len = sizeof(*msg),
+	};
+	struct msghdr hdr = {
+		.msg_name = &nladdr,
+		.msg_namelen = sizeof(nladdr),
+		.msg_iov = &iov,
+		.msg_iovlen = 1,
+	};
+	int ret;
+
+	ret = recvmsg(sd, &hdr, 0);
+	if (ret < 0)
+		return -1;
+	if (hdr.msg_flags & MSG_TRUNC) {
+		errno = EMSGSIZE;
+		return -1;
+	}
+
+	return ret;
+}
+
 
 static int send_cmd(int sd, __u16 nlmsg_type, __u32 nlmsg_pid,
 	     __u8 genl_cmd, __u16 nla_type,
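Review bot: `nladdr` is populated by recvmsg() but never inspected; check that `hdr.msg_namelen == sizeof(nladdr)` and `nladdr.nl_pid == 0` and drop anything else, because NETLINK_GENERIC accepts unicast from unprivileged userspace sockets and a process that learns this tool's netlink port id can feed it forged taskstats. Two smaller points: `ret` should be `ssize_t` to match recvmsg(), and the added blank line at the end of the function leaves two consecutive blank lines before send_cmd().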
@@ -465,12 +491,16 @@ int main(int argc, char *argv[])
 	}
 
 	do {
-		rep_len = recv(nl_sd, &msg, sizeof(msg), 0);
+		rep_len = recv_taskstats_msg(nl_sd, &msg);
 		PRINTF("received %d bytes\n", rep_len);
 
 		if (rep_len < 0) {
-			fprintf(stderr, "nonfatal reply error: errno %d\n",
-				errno);
+			if (errno == EMSGSIZE)
+				fprintf(stderr,
+					"dropped truncated taskstats netlink message, please increase MAX_MSG_SIZE\n");
+			else
+				fprintf(stderr, "nonfatal reply error: errno %d\n",
+					errno);
 			continue;
 		}
 		if (msg.n.nlmsg_type == NLMSG_ERROR ||
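Review bot: `errno` is tested against EMSGSIZE only after `PRINTF("received %d bytes\n", rep_len);` has run; when debug output is on, PRINTF expands to printf(), which the C standard permits to change errno even on success, so save errno into a local immediately after recv_taskstats_msg() returns (or move the PRINTF below the error check) before branching on it.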
@@ -512,6 +542,9 @@ int main(int argc, char *argv[])
 							printf("TGID\t%d\n", rtid);
 						break;
 					case TASKSTATS_TYPE_STATS:
+						PRINTF("version %u\n",
+						       ((struct taskstats *)
+							NLA_DATA(na))->version);
 						if (print_delays)
 							print_delayacct((struct taskstats *) NLA_DATA(na));
 						if (print_io_accounting)
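Review bot: `((struct taskstats *)NLA_DATA(na))->version` is read without comparing the attribute payload length with sizeof(struct taskstats); the existing print_delayacct() call has the same pattern, but since this line exists to diagnose version mismatches, printing the payload length alongside the version (and skipping the read when the payload is shorter than the struct) would make the diagnostic trustworthy on exactly the kernels where it matters.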
--- a/tools/accounting/procacct.c
+++ b/tools/accounting/procacct.c
@@ -71,7 +71,7 @@ int print_task_context_switch_counts;
 	}
 
 /* Maximum size of response requested or message sent */
-#define MAX_MSG_SIZE	1024
+#define MAX_MSG_SIZE	2048
 /* Maximum number of cpus expected to be specified in a cpumask */
 #define MAX_CPUS	32
 
@@ -121,6 +121,32 @@ error:
 	return -1;
 }
 
+static int recv_taskstats_msg(int sd, struct msgtemplate *msg)
+{
+	struct sockaddr_nl nladdr;
+	struct iovec iov = {
+		.iov_base = msg,
+		.iov_len = sizeof(*msg),
+	};
+	struct msghdr hdr = {
+		.msg_name = &nladdr,
+		.msg_namelen = sizeof(nladdr),
+		.msg_iov = &iov,
+		.msg_iovlen = 1,
+	};
+	int ret;
+
+	ret = recvmsg(sd, &hdr, 0);
+	if (ret < 0)
+		return -1;
+	if (hdr.msg_flags & MSG_TRUNC) {
+		errno = EMSGSIZE;
+		return -1;
+	}
+
+	return ret;
+}
+
 
 static int send_cmd(int sd, __u16 nlmsg_type, __u32 nlmsg_pid,
 	     __u8 genl_cmd, __u16 nla_type,
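Review bot: this recv_taskstats_msg() is a byte-for-byte copy of the one added to getdelays.c; both tools already duplicate struct msgtemplate and the NLA macros, but a new helper is the moment to hoist it into a shared header under tools/accounting/ so that a later fix (for example a sender pid check) cannot land in one tool and miss the other.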
@@ -239,6 +265,8 @@ void handle_aggr(int mother, struct nlat
 			PRINTF("TGID\t%d\n", rtid);
 			break;
 		case TASKSTATS_TYPE_STATS:
+			PRINTF("version %u\n",
+			       ((struct taskstats *)NLA_DATA(na))->version);
 			if (mother == TASKSTATS_TYPE_AGGR_PID)
 				print_procacct((struct taskstats *) NLA_DATA(na));
 			if (fd) {
@@ -348,12 +376,16 @@ int main(int argc, char *argv[])
 	}
 
 	do {
-		rep_len = recv(nl_sd, &msg, sizeof(msg), 0);
+		rep_len = recv_taskstats_msg(nl_sd, &msg);
 		PRINTF("received %d bytes\n", rep_len);
 
 		if (rep_len < 0) {
-			fprintf(stderr, "nonfatal reply error: errno %d\n",
-				errno);
+			if (errno == EMSGSIZE)
+				fprintf(stderr,
+					"dropped truncated taskstats netlink message, please increase MAX_MSG_SIZE\n");
+			else
+				fprintf(stderr, "nonfatal reply error: errno %d\n",
+					errno);
 			continue;
 		}
 		if (msg.n.nlmsg_type == NLMSG_ERROR ||
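Review bot: same ordering issue as the getdelays.c loop: `errno` is compared with EMSGSIZE after `PRINTF("received %d bytes\n", rep_len);`, which may clobber it when debug output is enabled; capture errno right after recv_taskstats_msg() returns.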




* [PATCH 6.6 069/474] net: qrtr: ns: Free the node during ctrl_cmd_bye()
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Manivannan Sadhasivam,
	Jakub Kicinski

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>

commit 68efba36446a7774ea5b971257ade049272a07ac upstream.

A node sends the BYE packet when it is about to go down. So the nameserver
should advertise the removal of the node to all remote and local observers
and free the node finally. But currently, the nameserver doesn't free the
node memory even after processing the BYE packet. This causes the node
memory to leak.

Hence, remove the node from the XArray list and free the node memory in
both the success and failure cases of ctrl_cmd_bye().

Cc: stable@vger.kernel.org
Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace")
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
Link: https://patch.msgid.link/20260409-qrtr-fix-v3-3-00a8a5ff2b51@oss.qualcomm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/qrtr/ns.c |   20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

--- a/net/qrtr/ns.c
+++ b/net/qrtr/ns.c
@@ -339,7 +339,7 @@ static int ctrl_cmd_bye(struct sockaddr_
 	struct qrtr_node *node;
 	unsigned long index;
 	struct kvec iv;
-	int ret;
+	int ret = 0;
 
 	iv.iov_base = &pkt;
 	iv.iov_len = sizeof(pkt);
@@ -354,8 +354,10 @@ static int ctrl_cmd_bye(struct sockaddr_
 
 	/* Advertise the removal of this client to all local servers */
 	local_node = node_get(qrtr_ns.local_node);
-	if (!local_node)
-		return 0;
+	if (!local_node) {
+		ret = 0;
+		goto delete_node;
+	}
 
 	memset(&pkt, 0, sizeof(pkt));
 	pkt.cmd = cpu_to_le32(QRTR_TYPE_BYE);
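Review bot: `ret = 0;` in the `!local_node` branch is redundant now that `ret` is initialised to 0 at its declaration in the hunk above; drop one of the two so a future reader does not wonder which path could have changed it in between.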
@@ -372,10 +374,18 @@ static int ctrl_cmd_bye(struct sockaddr_
 		ret = kernel_sendmsg(qrtr_ns.sock, &msg, &iv, 1, sizeof(pkt));
 		if (ret < 0) {
 			pr_err("failed to send bye cmd\n");
-			return ret;
+			goto delete_node;
 		}
 	}
-	return 0;
+
+	/* Ignore -ENODEV */
+	ret = 0;
+
+delete_node:
+	xa_erase(&nodes, from->sq_node);
+	kfree(node);
+
+	return ret;
 }
 
 static int ctrl_cmd_del_client(struct sockaddr_qrtr *from,
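Review bot: the `/* Ignore -ENODEV */` comment sits on an unconditional `ret = 0;` that actually normalises the positive byte count left in `ret` by the last successful kernel_sendmsg(); the send-failure branch still jumps to `delete_node` with `ret < 0`, so -ENODEV is not ignored here at all. Either reword the comment or, if ignoring -ENODEV is the intent, handle it in the failure branch. Separately, `kfree(node)` frees the struct without an `xa_destroy(&node->servers)`; the loop above may have emptied it, but the explicit destroy makes the teardown self-contained and catches a server entry that was not deleted.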




* [PATCH 6.6 070/474] net: rds: fix MR cleanup on copy error
From: Greg Kroah-Hartman @ 2026-05-15 15:42 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
	Juefei Pu, Xin Liu, Ao Zhou, Ren Wei, Allison Henderson,
	Jakub Kicinski

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ao Zhou <draw51280@163.com>

commit 8141a2dc70080eda1aedc0389ed2db2b292af5bd upstream.

__rds_rdma_map() hands sg/pages ownership to the transport after
get_mr() succeeds. If copying the generated cookie back to user space
fails after that point, the error path must not free those resources
again before dropping the MR reference.

Remove the duplicate unpin/free from the put_user() failure branch so
that MR teardown is handled only through the existing final cleanup
path.

Fixes: 0d4597c8c5ab ("net/rds: Track user mapped pages through special API")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Ao Zhou <draw51280@163.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Allison Henderson <achender@kernel.org>
Link: https://patch.msgid.link/79c8ef73ec8e5844d71038983940cc2943099baf.1776764247.git.draw51280@163.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/rds/rdma.c |    4 ----
 1 file changed, 4 deletions(-)

--- a/net/rds/rdma.c
+++ b/net/rds/rdma.c
@@ -326,10 +326,6 @@ static int __rds_rdma_map(struct rds_soc
 
 	if (args->cookie_addr &&
 	    put_user(cookie, (u64 __user *)(unsigned long)args->cookie_addr)) {
-		if (!need_odp) {
-			unpin_user_pages(pages, nr_pages);
-			kfree(sg);
-		}
 		ret = -EFAULT;
 		goto out;
 	}
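Review bot: correctness now rests on the `out:` path releasing the MR reference and on the transport's free_mr callback unpinning `pages` and freeing `sg`, which is exactly the knowledge the removed lines got wrong; add a comment at the `put_user()` failure site such as `/* sg/pages now belong to the transport; released when the MR is put */` so the next person does not reinstate the double free. The ODP path is unaffected, since the removed block was already skipped for `need_odp`.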




* [PATCH 6.6 071/474] net: txgbe: fix firmware version check
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jiawen Wu, Jacob Keller,
	Jakub Kicinski

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiawen Wu <jiawenwu@trustnetic.com>

commit c263f644add3d6ad81f9d62a99284fde408f0caa upstream.

For the device SP, the firmware version is a 32-bit value where the
lower 20 bits represent the base version number. And the customized
firmware version populates the upper 12 bits with a specific
identification number.

For other devices AML 25G and 40G, the upper 12 bits of the firmware
version are always non-zero, and they have other naming conventions.

Only SP devices need to check this to tell if XPCS will work properly.
So the judgement of MAC type is added here.

And the original logic compared the entire 32-bit value against 0x20010,
which caused outdated base firmware to bypass the version check
without a warning. Apply a mask 0xfffff to isolate the lower 20 bits for
an accurate base version comparison.

Fixes: ab928c24e6cd ("net: txgbe: add FW version warning")
Cc: stable@vger.kernel.org
Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/C787AA5C07598B13+20260422071837.372731-1-jiawenwu@trustnetic.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/wangxun/txgbe/txgbe_main.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/wangxun/txgbe/txgbe_main.c
+++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_main.c
@@ -696,7 +696,8 @@ static int txgbe_probe(struct pci_dev *p
 			 "0x%08x", etrack_id);
 	}
 
-	if (etrack_id < 0x20010)
+	if (wx->mac.type == wx_mac_sp &&
+	    ((etrack_id & 0xfffff) < 0x20010))
 		dev_warn(&pdev->dev, "Please upgrade the firmware to 0x20010 or above.\n");
 
 	txgbe = devm_kzalloc(&pdev->dev, sizeof(*txgbe), GFP_KERNEL);
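Review bot: `0xfffff` and `0x20010` are bare magic numbers, and the threshold is repeated as text in the dev_warn() string; define the base-version field as `GENMASK(19, 0)` with a name such as TXGBE_FW_BASE_VER_MASK, extract it with FIELD_GET(), and print the minimum from a single named constant so the comparison and the message cannot drift apart.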




* [PATCH 6.6 072/474] net/smc: avoid early lgr access in smc_clc_wait_msg
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
	Juefei Pu, Xin Liu, Ruijie Li, Ren Wei, Dust Li, Jakub Kicinski

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ruijie Li <ruijieli51@gmail.com>

commit 5a8db80f721deee8e916c2cfdee78decda02ce4f upstream.

A CLC decline can be received while the handshake is still in an early
stage, before the connection has been associated with a link group.

The decline handling in smc_clc_wait_msg() updates link-group level sync
state for first-contact declines, but that state only exists after link
group setup has completed. Guard the link-group update accordingly and
keep the per-socket peer diagnosis handling unchanged.

This preserves the existing sync_err handling for established link-group
contexts and avoids touching link-group state before it is available.

Fixes: 0cfdd8f92cac ("smc: connection and link group creation")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Ruijie Li <ruijieli51@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
Link: https://patch.msgid.link/08c68a5c817acf198cce63d22517e232e8d60718.1776850759.git.ruijieli51@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/smc/smc_clc.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/smc/smc_clc.c
+++ b/net/smc/smc_clc.c
@@ -784,8 +784,8 @@ int smc_clc_wait_msg(struct smc_sock *sm
 		dclc = (struct smc_clc_msg_decline *)clcm;
 		reason_code = SMC_CLC_DECL_PEERDECL;
 		smc->peer_diagnosis = ntohl(dclc->peer_diagnosis);
-		if (((struct smc_clc_msg_decline *)buf)->hdr.typev2 &
-						SMC_FIRST_CONTACT_MASK) {
+		if ((dclc->hdr.typev2 & SMC_FIRST_CONTACT_MASK) &&
+		    smc->conn.lgr) {
 			smc->conn.lgr->sync_err = 1;
 			smc_lgr_terminate_sched(smc->conn.lgr);
 		}
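Review bot: the `smc->conn.lgr` NULL test is a fix rather than a narrower race only if smc_clc_wait_msg() runs with the socket locked, so that the link group cannot be detached from conn between the test and `smc_lgr_terminate_sched(smc->conn.lgr)`; please state that locking assumption in the log or in a comment. The switch from the `(struct smc_clc_msg_decline *)buf` cast to the already-computed `dclc` is a welcome cleanup but is behaviour-neutral only if `clcm` and `buf` refer to the same message.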




* [PATCH 6.6 073/474] net: ks8851: Reinstate disabling of BHs around IRQ handler
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sebastian Andrzej Siewior,
	Marek Vasut, Jakub Kicinski

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marek Vasut <marex@nabladev.com>

commit 5c9fcac3c872224316714d0d8914d9af16c76a6d upstream.

If the driver executes ks8851_irq() AND a TX packet has been sent, then
the driver enables the TX queue via netif_wake_queue(), which schedules the
TX softirq to queue packets for this device.

If CONFIG_PREEMPT_RT=y is set AND a packet has also been received by
the MAC, then ks8851_rx_pkts() calls netdev_alloc_skb_ip_align() to
allocate SKBs for the received packets. If netdev_alloc_skb_ip_align()
is called with BH enabled, then local_bh_enable() at the end of
netdev_alloc_skb_ip_align() will trigger the pending softirq processing,
which may ultimately call the .xmit callback ks8851_start_xmit_par().
The ks8851_start_xmit_par() will try to lock struct ks8851_net_par
.lock spinlock, which is already locked by ks8851_irq() from which
ks8851_start_xmit_par() was called. This leads to a deadlock, which
is reported by the kernel, including a trace listed below.

If CONFIG_PREEMPT_RT is not set, then since commit 0913ec336a6c0
("net: ks8851: Fix deadlock with the SPI chip variant") the deadlock
can also be triggered without received packet in the RX FIFO. The
pending softirqs will be processed on return from
spin_unlock_bh(&ks->statelock) in ks8851_irq(), which triggers the
deadlock as well.

Fix the problem by disabling BH around critical sections, including the
IRQ handler, thus preventing the net_tx_action() softirq from triggering
during these critical sections. The net_tx_action() softirq is triggered
once BH are re-enabled and at the end of the IRQ handler, once all the
other IRQ handler actions have been completed.

 __schedule from schedule_rtlock+0x1c/0x34
 schedule_rtlock from rtlock_slowlock_locked+0x548/0x904
 rtlock_slowlock_locked from rt_spin_lock+0x60/0x9c
 rt_spin_lock from ks8851_start_xmit_par+0x74/0x1a8
 ks8851_start_xmit_par from netdev_start_xmit+0x20/0x44
 netdev_start_xmit from dev_hard_start_xmit+0xd0/0x188
 dev_hard_start_xmit from sch_direct_xmit+0xb8/0x25c
 sch_direct_xmit from __qdisc_run+0x1f8/0x4ec
 __qdisc_run from qdisc_run+0x1c/0x28
 qdisc_run from net_tx_action+0x1f0/0x268
 net_tx_action from handle_softirqs+0x1a4/0x270
 handle_softirqs from __local_bh_enable_ip+0xcc/0xe0
 __local_bh_enable_ip from __alloc_skb+0xd8/0x128
 __alloc_skb from __netdev_alloc_skb+0x3c/0x19c
 __netdev_alloc_skb from ks8851_irq+0x388/0x4d4
 ks8851_irq from irq_thread_fn+0x24/0x64
 irq_thread_fn from irq_thread+0x178/0x28c
 irq_thread from kthread+0x12c/0x138
 kthread from ret_from_fork+0x14/0x28

Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Fixes: e0863634bf9f ("net: ks8851: Queue RX packets in IRQ handler instead of disabling BHs")
Cc: stable@vger.kernel.org
Signed-off-by: Marek Vasut <marex@nabladev.com>
Link: https://patch.msgid.link/20260415231020.455298-1-marex@nabladev.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/micrel/ks8851.h        |    6 --
 drivers/net/ethernet/micrel/ks8851_common.c |   64 +++++++++++-----------------
 drivers/net/ethernet/micrel/ks8851_par.c    |   15 ++----
 drivers/net/ethernet/micrel/ks8851_spi.c    |   11 +---
 4 files changed, 38 insertions(+), 58 deletions(-)

--- a/drivers/net/ethernet/micrel/ks8851.h
+++ b/drivers/net/ethernet/micrel/ks8851.h
@@ -408,10 +408,8 @@ struct ks8851_net {
 	struct gpio_desc	*gpio;
 	struct mii_bus		*mii_bus;
 
-	void			(*lock)(struct ks8851_net *ks,
-					unsigned long *flags);
-	void			(*unlock)(struct ks8851_net *ks,
-					  unsigned long *flags);
+	void			(*lock)(struct ks8851_net *ks);
+	void			(*unlock)(struct ks8851_net *ks);
 	unsigned int		(*rdreg16)(struct ks8851_net *ks,
 					   unsigned int reg);
 	void			(*wrreg16)(struct ks8851_net *ks,
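Review bot: dropping the `flags` argument from the `lock`/`unlock` callbacks changes an interface implemented in ks8851_par.c and ks8851_spi.c (in the diffstat but not in this excerpt), so those implementations must move from the irqsave/irqrestore form to a BH-disabling lock in the same patch or the build breaks; a short comment on the two members stating that lock() is expected to disable BHs would record the invariant this fix depends on.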
--- a/drivers/net/ethernet/micrel/ks8851_common.c
+++ b/drivers/net/ethernet/micrel/ks8851_common.c
@@ -28,25 +28,23 @@
 /**
  * ks8851_lock - register access lock
  * @ks: The chip state
- * @flags: Spinlock flags
  *
  * Claim chip register access lock
  */
-static void ks8851_lock(struct ks8851_net *ks, unsigned long *flags)
+static void ks8851_lock(struct ks8851_net *ks)
 {
-	ks->lock(ks, flags);
+	ks->lock(ks);
 }
 
 /**
  * ks8851_unlock - register access unlock
  * @ks: The chip state
- * @flags: Spinlock flags
  *
  * Release chip register access lock
  */
-static void ks8851_unlock(struct ks8851_net *ks, unsigned long *flags)
+static void ks8851_unlock(struct ks8851_net *ks)
 {
-	ks->unlock(ks, flags);
+	ks->unlock(ks);
 }
 
 /**
@@ -129,11 +127,10 @@ static void ks8851_set_powermode(struct
 static int ks8851_write_mac_addr(struct net_device *dev)
 {
 	struct ks8851_net *ks = netdev_priv(dev);
-	unsigned long flags;
 	u16 val;
 	int i;
 
-	ks8851_lock(ks, &flags);
+	ks8851_lock(ks);
 
 	/*
 	 * Wake up chip in case it was powered off when stopped; otherwise,
@@ -149,7 +146,7 @@ static int ks8851_write_mac_addr(struct
 	if (!netif_running(dev))
 		ks8851_set_powermode(ks, PMECR_PM_SOFTDOWN);
 
-	ks8851_unlock(ks, &flags);
+	ks8851_unlock(ks);
 
 	return 0;
 }
@@ -163,12 +160,11 @@ static int ks8851_write_mac_addr(struct
 static void ks8851_read_mac_addr(struct net_device *dev)
 {
 	struct ks8851_net *ks = netdev_priv(dev);
-	unsigned long flags;
 	u8 addr[ETH_ALEN];
 	u16 reg;
 	int i;
 
-	ks8851_lock(ks, &flags);
+	ks8851_lock(ks);
 
 	for (i = 0; i < ETH_ALEN; i += 2) {
 		reg = ks8851_rdreg16(ks, KS_MAR(i));
@@ -177,7 +173,7 @@ static void ks8851_read_mac_addr(struct
 	}
 	eth_hw_addr_set(dev, addr);
 
-	ks8851_unlock(ks, &flags);
+	ks8851_unlock(ks);
 }
 
 /**
@@ -328,11 +324,10 @@ static irqreturn_t ks8851_irq(int irq, v
 {
 	struct ks8851_net *ks = _ks;
 	struct sk_buff_head rxq;
-	unsigned long flags;
 	unsigned int status;
 	struct sk_buff *skb;
 
-	ks8851_lock(ks, &flags);
+	ks8851_lock(ks);
 
 	status = ks8851_rdreg16(ks, KS_ISR);
 	ks8851_wrreg16(ks, KS_ISR, status);
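Review bot: taking a BH-disabling lock in ks8851_irq() is legal only because this is the threaded half of request_threaded_irq() (the primary handler is NULL in ks8851_net_open(), and the trace in the commit message shows irq_thread_fn -> ks8851_irq), but it means the RX skb allocation the trace shows under this lock (__netdev_alloc_skb) now runs with bottom halves disabled; that stays correct as long as the path between this ks8851_lock() and the matching ks8851_unlock() keeps using GFP_ATOMIC allocations and gains no might_sleep() call. A comment at the top of the handler noting the context it runs in would make that constraint visible.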
@@ -389,7 +384,7 @@ static irqreturn_t ks8851_irq(int irq, v
 		ks8851_wrreg16(ks, KS_RXCR1, rxc->rxcr1);
 	}
 
-	ks8851_unlock(ks, &flags);
+	ks8851_unlock(ks);
 
 	if (status & IRQ_LCI)
 		mii_check_link(&ks->mii);
@@ -421,7 +416,6 @@ static void ks8851_flush_tx_work(struct
 static int ks8851_net_open(struct net_device *dev)
 {
 	struct ks8851_net *ks = netdev_priv(dev);
-	unsigned long flags;
 	int ret;
 
 	ret = request_threaded_irq(dev->irq, NULL, ks8851_irq,
@@ -434,7 +428,7 @@ static int ks8851_net_open(struct net_de
 
 	/* lock the card, even if we may not actually be doing anything
 	 * else at the moment */
-	ks8851_lock(ks, &flags);
+	ks8851_lock(ks);
 
 	netif_dbg(ks, ifup, ks->netdev, "opening\n");
 
@@ -487,7 +481,7 @@ static int ks8851_net_open(struct net_de
 
 	netif_dbg(ks, ifup, ks->netdev, "network device up\n");
 
-	ks8851_unlock(ks, &flags);
+	ks8851_unlock(ks);
 	mii_check_link(&ks->mii);
 	return 0;
 }
@@ -503,23 +497,22 @@ static int ks8851_net_open(struct net_de
 static int ks8851_net_stop(struct net_device *dev)
 {
 	struct ks8851_net *ks = netdev_priv(dev);
-	unsigned long flags;
 
 	netif_info(ks, ifdown, dev, "shutting down\n");
 
 	netif_stop_queue(dev);
 
-	ks8851_lock(ks, &flags);
+	ks8851_lock(ks);
 	/* turn off the IRQs and ack any outstanding */
 	ks8851_wrreg16(ks, KS_IER, 0x0000);
 	ks8851_wrreg16(ks, KS_ISR, 0xffff);
-	ks8851_unlock(ks, &flags);
+	ks8851_unlock(ks);
 
 	/* stop any outstanding work */
 	ks8851_flush_tx_work(ks);
 	flush_work(&ks->rxctrl_work);
 
-	ks8851_lock(ks, &flags);
+	ks8851_lock(ks);
 	/* shutdown RX process */
 	ks8851_wrreg16(ks, KS_RXCR1, 0x0000);
 
@@ -528,7 +521,7 @@ static int ks8851_net_stop(struct net_de
 
 	/* set powermode to soft power down to save power */
 	ks8851_set_powermode(ks, PMECR_PM_SOFTDOWN);
-	ks8851_unlock(ks, &flags);
+	ks8851_unlock(ks);
 
 	/* ensure any queued tx buffers are dumped */
 	while (!skb_queue_empty(&ks->txq)) {
@@ -582,14 +575,13 @@ static netdev_tx_t ks8851_start_xmit(str
 static void ks8851_rxctrl_work(struct work_struct *work)
 {
 	struct ks8851_net *ks = container_of(work, struct ks8851_net, rxctrl_work);
-	unsigned long flags;
 
-	ks8851_lock(ks, &flags);
+	ks8851_lock(ks);
 
 	/* need to shutdown RXQ before modifying filter parameters */
 	ks8851_wrreg16(ks, KS_RXCR1, 0x00);
 
-	ks8851_unlock(ks, &flags);
+	ks8851_unlock(ks);
 }
 
 static void ks8851_set_rx_mode(struct net_device *dev)
@@ -796,7 +788,6 @@ static int ks8851_set_eeprom(struct net_
 {
 	struct ks8851_net *ks = netdev_priv(dev);
 	int offset = ee->offset;
-	unsigned long flags;
 	int len = ee->len;
 	u16 tmp;
 
@@ -810,7 +801,7 @@ static int ks8851_set_eeprom(struct net_
 	if (!(ks->rc_ccr & CCR_EEPROM))
 		return -ENOENT;
 
-	ks8851_lock(ks, &flags);
+	ks8851_lock(ks);
 
 	ks8851_eeprom_claim(ks);
 
@@ -833,7 +824,7 @@ static int ks8851_set_eeprom(struct net_
 	eeprom_93cx6_wren(&ks->eeprom, false);
 
 	ks8851_eeprom_release(ks);
-	ks8851_unlock(ks, &flags);
+	ks8851_unlock(ks);
 
 	return 0;
 }
@@ -843,7 +834,6 @@ static int ks8851_get_eeprom(struct net_
 {
 	struct ks8851_net *ks = netdev_priv(dev);
 	int offset = ee->offset;
-	unsigned long flags;
 	int len = ee->len;
 
 	/* must be 2 byte aligned */
@@ -853,7 +843,7 @@ static int ks8851_get_eeprom(struct net_
 	if (!(ks->rc_ccr & CCR_EEPROM))
 		return -ENOENT;
 
-	ks8851_lock(ks, &flags);
+	ks8851_lock(ks);
 
 	ks8851_eeprom_claim(ks);
 
@@ -861,7 +851,7 @@ static int ks8851_get_eeprom(struct net_
 
 	eeprom_93cx6_multiread(&ks->eeprom, offset/2, (__le16 *)data, len/2);
 	ks8851_eeprom_release(ks);
-	ks8851_unlock(ks, &flags);
+	ks8851_unlock(ks);
 
 	return 0;
 }
@@ -920,7 +910,6 @@ static int ks8851_phy_reg(int reg)
 static int ks8851_phy_read_common(struct net_device *dev, int phy_addr, int reg)
 {
 	struct ks8851_net *ks = netdev_priv(dev);
-	unsigned long flags;
 	int result;
 	int ksreg;
 
@@ -928,9 +917,9 @@ static int ks8851_phy_read_common(struct
 	if (ksreg < 0)
 		return ksreg;
 
-	ks8851_lock(ks, &flags);
+	ks8851_lock(ks);
 	result = ks8851_rdreg16(ks, ksreg);
-	ks8851_unlock(ks, &flags);
+	ks8851_unlock(ks);
 
 	return result;
 }
@@ -965,14 +954,13 @@ static void ks8851_phy_write(struct net_
 			     int phy, int reg, int value)
 {
 	struct ks8851_net *ks = netdev_priv(dev);
-	unsigned long flags;
 	int ksreg;
 
 	ksreg = ks8851_phy_reg(reg);
 	if (ksreg >= 0) {
-		ks8851_lock(ks, &flags);
+		ks8851_lock(ks);
 		ks8851_wrreg16(ks, ksreg, value);
-		ks8851_unlock(ks, &flags);
+		ks8851_unlock(ks);
 	}
 }
 
--- a/drivers/net/ethernet/micrel/ks8851_par.c
+++ b/drivers/net/ethernet/micrel/ks8851_par.c
@@ -55,29 +55,27 @@ struct ks8851_net_par {
 /**
  * ks8851_lock_par - register access lock
  * @ks: The chip state
- * @flags: Spinlock flags
  *
  * Claim chip register access lock
  */
-static void ks8851_lock_par(struct ks8851_net *ks, unsigned long *flags)
+static void ks8851_lock_par(struct ks8851_net *ks)
 {
 	struct ks8851_net_par *ksp = to_ks8851_par(ks);
 
-	spin_lock_irqsave(&ksp->lock, *flags);
+	spin_lock_bh(&ksp->lock);
 }
 
 /**
  * ks8851_unlock_par - register access unlock
  * @ks: The chip state
- * @flags: Spinlock flags
  *
  * Release chip register access lock
  */
-static void ks8851_unlock_par(struct ks8851_net *ks, unsigned long *flags)
+static void ks8851_unlock_par(struct ks8851_net *ks)
 {
 	struct ks8851_net_par *ksp = to_ks8851_par(ks);
 
-	spin_unlock_irqrestore(&ksp->lock, *flags);
+	spin_unlock_bh(&ksp->lock);
 }
 
 /**
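Review bot: the switch from spin_lock_irqsave() to spin_lock_bh() in ks8851_lock_par()/ks8851_unlock_par() is the substantive change of the patch and is only correct if ksp->lock is never taken from hard-IRQ context; that holds here because the device interrupt is requested with a NULL primary handler and ks8851_irq as the thread function (see the request_threaded_irq() context in ks8851_net_open() above). The kernel-doc for ks8851_lock_par() should say that the lock disables BHs and that callers must not hold an IRQ-disabled spinlock, since lockdep will otherwise report the inversion the first time someone adds such a caller.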
@@ -233,7 +231,6 @@ static netdev_tx_t ks8851_start_xmit_par
 {
 	struct ks8851_net *ks = netdev_priv(dev);
 	netdev_tx_t ret = NETDEV_TX_OK;
-	unsigned long flags;
 	unsigned int txqcr;
 	u16 txmir;
 	int err;
@@ -241,7 +238,7 @@ static netdev_tx_t ks8851_start_xmit_par
 	netif_dbg(ks, tx_queued, ks->netdev,
 		  "%s: skb %p, %d@%p\n", __func__, skb, skb->len, skb->data);
 
-	ks8851_lock_par(ks, &flags);
+	ks8851_lock_par(ks);
 
 	txmir = ks8851_rdreg16_par(ks, KS_TXMIR) & 0x1fff;
 
@@ -262,7 +259,7 @@ static netdev_tx_t ks8851_start_xmit_par
 		ret = NETDEV_TX_BUSY;
 	}
 
-	ks8851_unlock_par(ks, &flags);
+	ks8851_unlock_par(ks);
 
 	return ret;
 }
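Review bot: check that no user of ksp->lock outside this diff still takes it with the irqsave form, since this hunk converts the TX path to the BH-disabling variant and mixing the two on one lock would be a lockdep report waiting to happen. The conversion itself is safe here: ndo_start_xmit runs with bottom halves already disabled, so spin_lock_bh() in ks8851_start_xmit_par() nests and only bumps the softirq count, which is why the `unsigned long flags` local could go.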
--- a/drivers/net/ethernet/micrel/ks8851_spi.c
+++ b/drivers/net/ethernet/micrel/ks8851_spi.c
@@ -73,11 +73,10 @@ struct ks8851_net_spi {
 /**
  * ks8851_lock_spi - register access lock
  * @ks: The chip state
- * @flags: Spinlock flags
  *
  * Claim chip register access lock
  */
-static void ks8851_lock_spi(struct ks8851_net *ks, unsigned long *flags)
+static void ks8851_lock_spi(struct ks8851_net *ks)
 {
 	struct ks8851_net_spi *kss = to_ks8851_spi(ks);
 
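Review bot: the body of ks8851_lock_spi() is untouched by this hunk (only the signature and kernel-doc change, with the `kss` context line unchanged), which confirms the `flags` argument was already unused in the SPI back-end; for the SPI bus this patch is therefore a pure API cleanup, and the BH-disabling behaviour the commit message describes comes entirely from ks8851_par.c. One sentence to that effect in the commit message would save the next reader a look at both files.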
@@ -87,11 +86,10 @@ static void ks8851_lock_spi(struct ks885
 /**
  * ks8851_unlock_spi - register access unlock
  * @ks: The chip state
- * @flags: Spinlock flags
  *
  * Release chip register access lock
  */
-static void ks8851_unlock_spi(struct ks8851_net *ks, unsigned long *flags)
+static void ks8851_unlock_spi(struct ks8851_net *ks)
 {
 	struct ks8851_net_spi *kss = to_ks8851_spi(ks);
 
@@ -311,7 +309,6 @@ static void ks8851_tx_work(struct work_s
 	struct ks8851_net_spi *kss;
 	unsigned short tx_space;
 	struct ks8851_net *ks;
-	unsigned long flags;
 	struct sk_buff *txb;
 	bool last;
 
@@ -319,7 +316,7 @@ static void ks8851_tx_work(struct work_s
 	ks = &kss->ks8851;
 	last = skb_queue_empty(&ks->txq);
 
-	ks8851_lock_spi(ks, &flags);
+	ks8851_lock_spi(ks);
 
 	while (!last) {
 		txb = skb_dequeue(&ks->txq);
@@ -345,7 +342,7 @@ static void ks8851_tx_work(struct work_s
 	ks->tx_space = tx_space;
 	spin_unlock_bh(&ks->statelock);
 
-	ks8851_unlock_spi(ks, &flags);
+	ks8851_unlock_spi(ks);
 }
 
 /**




* [PATCH 6.6 074/474] net: ks8851: Avoid excess softirq scheduling
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 073/474] net: ks8851: Reinstate disabling of BHs around IRQ handler Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 075/474] drm/arcpgu: fix device node leak Greg Kroah-Hartman
                   ` (400 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sebastian Andrzej Siewior,
	Marek Vasut, Jakub Kicinski

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marek Vasut <marex@nabladev.com>

commit 22230e68b2cf1ab6b027be8cf1198164a949c4fa upstream.

The code injects a packet into netif_rx() repeatedly, which will add
it to its internal NAPI and schedule a softirq, and process it. It is
more efficient to queue multiple packets and process them all at the
local_bh_enable() time.

Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Fixes: e0863634bf9f ("net: ks8851: Queue RX packets in IRQ handler instead of disabling BHs")
Cc: stable@vger.kernel.org
Signed-off-by: Marek Vasut <marex@nabladev.com>
Link: https://patch.msgid.link/20260415231020.455298-2-marex@nabladev.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/micrel/ks8851_common.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/micrel/ks8851_common.c
+++ b/drivers/net/ethernet/micrel/ks8851_common.c
@@ -389,9 +389,12 @@ static irqreturn_t ks8851_irq(int irq, v
 	if (status & IRQ_LCI)
 		mii_check_link(&ks->mii);
 
-	if (status & IRQ_RXI)
+	if (status & IRQ_RXI) {
+		local_bh_disable();
 		while ((skb = __skb_dequeue(&rxq)))
 			netif_rx(skb);
+		local_bh_enable();
+	}
 
 	return IRQ_HANDLED;
 }
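Review bot: the local_bh_disable()/local_bh_enable() pair here is for batching, not for locking, and deserves a one-line comment saying so: ks8851_irq() is a threaded handler running in process context, so each netif_rx() would otherwise raise and immediately run the NET_RX softirq, whereas with BHs disabled the backlog is processed once at local_bh_enable(). Without the comment, a reader who knows the previous patch reinstated BH-disabled locking could assume this section protects shared state. Placing the pair inside `if (status & IRQ_RXI)` also keeps it off the link-change-only path, which is right.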




* [PATCH 6.6 075/474] drm/arcpgu: fix device node leak
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 074/474] net: ks8851: Avoid excess softirq scheduling Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 076/474] RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv Greg Kroah-Hartman
                   ` (399 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Louis Chauvet, Luca Ceresoli

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Luca Ceresoli <luca.ceresoli@bootlin.com>

commit ad3ac32a3893a2bbcad545efc005a8e4e7ecf10c upstream.

This function gets a device_node reference via
of_graph_get_remote_port_parent() and stores it in encoder_node, but never
puts that reference. Add it.

There used to be a of_node_put(encoder_node) but it has been removed by
mistake during a rework in commit 3ea66a794fdc ("drm/arc: Inline
arcpgu_drm_hdmi_init").

Fixes: 3ea66a794fdc ("drm/arc: Inline arcpgu_drm_hdmi_init")
Cc: stable@vger.kernel.org
Reviewed-by: Louis Chauvet <louis.chauvet@bootlin.com>
Link: https://patch.msgid.link/20260402-drm-arcgpu-fix-device-node-leak-v2-1-d773cf754ae5@bootlin.com
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/tiny/arcpgu.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/tiny/arcpgu.c
+++ b/drivers/gpu/drm/tiny/arcpgu.c
@@ -248,7 +248,8 @@ DEFINE_DRM_GEM_DMA_FOPS(arcpgu_drm_ops);
 static int arcpgu_load(struct arcpgu_drm_private *arcpgu)
 {
 	struct platform_device *pdev = to_platform_device(arcpgu->drm.dev);
-	struct device_node *encoder_node = NULL, *endpoint_node = NULL;
+	struct device_node *encoder_node __free(device_node) = NULL;
+	struct device_node *endpoint_node = NULL;
 	struct drm_connector *connector = NULL;
 	struct drm_device *drm = &arcpgu->drm;
 	struct resource *res;
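Review bot: `__free(device_node)` relies on DEFINE_FREE(device_node, ...) being available from <linux/of.h> in this tree; the hunk adds no include and this is a backport into 6.6.y, so confirm the 6.6 stable tree carries that definition, otherwise the backport needs explicit of_node_put(encoder_node) calls on each return path instead. Also grep arcpgu_load() for any remaining of_node_put(encoder_node): with the scoped cleanup it would become a double put. The commit message says the explicit put was removed in 3ea66a794fdc, so this should be quick. Initialising the annotated variable to NULL at its declaration, as the hunk does, is required for the cleanup helper to be safe on early exits.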



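The leak pattern the commit message describes, and the way the patch closes it, as an added userland example that is not drm/arcpgu code: a counted reference taken by a helper, a probe-style function with an early-return path that never drops it, and the same function with a scope-based cleanup attribute that mirrors the kernel's __free(device_node). The node type, the refcount field, get_remote_port_parent(), attach_encoder() and the scoped_put() macro name are assumptions for illustration.

```c
#include <stdio.h>

#define ENODEV 19                   /* errno value used by the model */

struct device_node {
	int refcount;
};

/* One constructed node shared by every call, so a leak shows up in its count. */
static struct device_node the_node = { .refcount = 1 };

static struct device_node *of_node_get(struct device_node *n)
{
	if (n)
		n->refcount++;
	return n;
}

static void of_node_put(struct device_node *n)
{
	if (n)
		n->refcount--;
}

/* Stand-in for of_graph_get_remote_port_parent(): hands out a counted reference. */
static struct device_node *get_remote_port_parent(int present)
{
	return present ? of_node_get(&the_node) : NULL;
}

/*
 * Userland equivalent of DEFINE_FREE(device_node, ...) plus __free(device_node):
 * the compiler calls cleanup_device_node() on the variable when it leaves scope,
 * whichever return path is taken. Named scoped_put() here to avoid a reserved identifier.
 */
static void cleanup_device_node(struct device_node **p)
{
	of_node_put(*p);
}
#define scoped_put(type) __attribute__((cleanup(cleanup_##type)))

/* A later step that can fail, forcing the early-return path like the real probe. */
static int attach_encoder(struct device_node *encoder, int fail)
{
	(void)encoder;
	return fail ? -ENODEV : 0;
}

/* Before the fix: the reference is taken but never put, on any path. */
int arcpgu_load_leaky(int fail)
{
	struct device_node *encoder_node = get_remote_port_parent(1);

	if (!encoder_node)
		return -ENODEV;
	return attach_encoder(encoder_node, fail);
}

/* After the fix: the scoped cleanup drops the reference on every exit. */
int arcpgu_load_fixed(int fail)
{
	struct device_node *encoder_node scoped_put(device_node) = NULL;

	encoder_node = get_remote_port_parent(1);
	if (!encoder_node)
		return -ENODEV;
	return attach_encoder(encoder_node, fail);
}

/* Exposed so the shared node's count can be inspected after each call. */
int node_refcount(void)
{
	return the_node.refcount;
}

int main(void)
{
	printf("start: refcount=%d\n", node_refcount());
	arcpgu_load_leaky(0);
	arcpgu_load_leaky(1);
	printf("after two leaky calls: refcount=%d\n", node_refcount());
	arcpgu_load_fixed(0);
	arcpgu_load_fixed(1);
	printf("after two fixed calls: refcount=%d (unchanged)\n", node_refcount());
	return 0;
}
```

Both GCC and Clang support the cleanup attribute; the fixed variant needs the NULL initialiser because the cleanup runs even when the function returns before the assignment.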

* [PATCH 6.6 076/474] RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 075/474] drm/arcpgu: fix device node leak Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 077/474] ipv4: icmp: validate reply type before using icmp_pointers Greg Kroah-Hartman
                   ` (398 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, hkbinbin, Zhu Yanjun,
	Jason Gunthorpe

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: hkbinbin <hkbinbinbin@gmail.com>

commit 7244491dab347f648e661da96dc0febadd9daec3 upstream.

rxe_rcv() currently checks only that the incoming packet is at least
header_size(pkt) bytes long before payload_size() is used.

However, payload_size() subtracts both the attacker-controlled BTH pad
field and RXE_ICRC_SIZE from pkt->paylen:

  payload_size = pkt->paylen - offset[RXE_PAYLOAD] - bth_pad(pkt)
                 - RXE_ICRC_SIZE

This means a short packet can still make payload_size() underflow even
if it includes enough bytes for the fixed headers. Simply requiring
header_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a
packet with a forged non-zero BTH pad can still leave payload_size()
negative and pass an underflowed value to later receive-path users.

Fix this by validating pkt->paylen against the full minimum length
required by payload_size(): header_size(pkt) + bth_pad(pkt) +
RXE_ICRC_SIZE.

Cc: stable@vger.kernel.org
Fixes: 8700e3e7c485 ("Soft RoCE driver")
Link: https://patch.msgid.link/r/20260401121907.1468366-1-hkbinbinbin@gmail.com
Signed-off-by: hkbinbin <hkbinbinbin@gmail.com>
Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/sw/rxe/rxe_recv.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/infiniband/sw/rxe/rxe_recv.c
+++ b/drivers/infiniband/sw/rxe/rxe_recv.c
@@ -330,7 +330,8 @@ void rxe_rcv(struct sk_buff *skb)
 	pkt->qp = NULL;
 	pkt->mask |= rxe_opcode[pkt->opcode].mask;
 
-	if (unlikely(skb->len < header_size(pkt)))
+	if (unlikely(pkt->paylen < header_size(pkt) + bth_pad(pkt) +
+		       RXE_ICRC_SIZE))
 		goto drop;
 
 	err = hdr_check(pkt);
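Review bot: the new bound reads bth_pad(pkt) from the BTH before the packet length has been validated, so this check is sound only if something earlier guarantees at least the BTH is present; the `rxe_opcode[pkt->opcode]` lookup in the context above already trusts the opcode byte, which suggests that holds, but a comment here would make the dependency explicit. The check also compares pkt->paylen instead of skb->len as before, so it relies on paylen having been derived from the real skb length earlier in rxe_rcv(); if paylen came from a header field instead, the underflow the commit message describes would just move one step.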



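The underflow the commit message walks through, as an added example that is not rxe code: payload_size() spelled out exactly as the message gives it, the pre-fix and post-fix length checks side by side, and a few constructed packets whose BTH advertises a forged pad count. The pkt_info layout, the fixed 12-byte header size, the PadCnt bit position and the helper names are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RXE_ICRC_SIZE  4    /* 32-bit ICRC trailer subtracted by payload_size() */
#define BTH_BYTES      12   /* assumed header size for the constructed opcode */
#define BTH_PAD_SHIFT  4
#define BTH_PAD_MASK   0x30 /* assumed: 2-bit PadCnt in BTH byte 1, bits 5:4 */
#define MAX_PKT        256  /* constructed packets use a buffer of this size */

/* Stand-in for the parts of struct rxe_pkt_info that the check uses. */
struct pkt_info {
	const uint8_t *hdr;  /* start of the BTH */
	int paylen;          /* bytes from the BTH to the end of the packet, ICRC included */
	int header_size;     /* header bytes implied by the opcode */
};

/* PadCnt comes straight from the wire, so the receiver must treat it as hostile. */
int bth_pad(const struct pkt_info *pkt)
{
	return (pkt->hdr[1] & BTH_PAD_MASK) >> BTH_PAD_SHIFT;
}

/* payload_size() as the commit message spells it out. */
int payload_size(const struct pkt_info *pkt)
{
	return pkt->paylen - pkt->header_size - bth_pad(pkt) - RXE_ICRC_SIZE;
}

/* Pre-fix check: only the fixed headers had to fit. */
bool old_check_passes(const struct pkt_info *pkt)
{
	return pkt->paylen >= pkt->header_size;
}

/* Post-fix check: every term payload_size() subtracts must be present. */
bool new_check_passes(const struct pkt_info *pkt)
{
	return pkt->paylen >= pkt->header_size + bth_pad(pkt) + RXE_ICRC_SIZE;
}

/* Build a constructed packet of `len` bytes whose BTH advertises `pad` pad bytes. */
static void make_pkt(struct pkt_info *pkt, uint8_t *buf, int len, int pad)
{
	memset(buf, 0, MAX_PKT);
	buf[1] = (uint8_t)((pad << BTH_PAD_SHIFT) & BTH_PAD_MASK);
	pkt->hdr = buf;
	pkt->paylen = len;
	pkt->header_size = BTH_BYTES;
}

/* Wrappers that build one constructed packet each and evaluate it. */
int payload_size_for(int len, int pad)
{
	uint8_t buf[MAX_PKT];
	struct pkt_info pkt;

	make_pkt(&pkt, buf, len, pad);
	return payload_size(&pkt);
}

bool old_accepts(int len, int pad)
{
	uint8_t buf[MAX_PKT];
	struct pkt_info pkt;

	make_pkt(&pkt, buf, len, pad);
	return old_check_passes(&pkt);
}

bool new_accepts(int len, int pad)
{
	uint8_t buf[MAX_PKT];
	struct pkt_info pkt;

	make_pkt(&pkt, buf, len, pad);
	return new_check_passes(&pkt);
}

int main(void)
{
	const struct { int len, pad; } cases[] = {
		{ 12, 0 },  /* headers only: old accepts, payload_size() goes negative */
		{ 16, 0 },  /* headers + ICRC, no pad: both accept, payload 0 */
		{ 16, 3 },  /* forged pad: old accepts, payload_size() still negative */
		{ 19, 3 },  /* pad actually present: both accept */
		{ 40, 1 },  /* ordinary packet */
	};

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		int len = cases[i].len, pad = cases[i].pad;

		printf("len=%2d pad=%d old=%-6s new=%-6s payload_size=%d\n", len, pad,
		       old_accepts(len, pad) ? "accept" : "drop",
		       new_accepts(len, pad) ? "accept" : "drop",
		       payload_size_for(len, pad));
	}
	return 0;
}
```

The 16-byte, pad=3 case is the one the commit message singles out: adding RXE_ICRC_SIZE to the old bound would accept it, yet payload_size() is -3, so only the bound that includes bth_pad() drops it.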

* [PATCH 6.6 077/474] ipv4: icmp: validate reply type before using icmp_pointers
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 076/474] RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 078/474] libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply() Greg Kroah-Hartman
                   ` (397 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
	Juefei Pu, Xin Liu, Ruide Cao, Ren Wei, Simon Horman,
	Jakub Kicinski

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ruide Cao <caoruide123@gmail.com>

commit 67bf002a2d7387a6312138210d0bd06e3cf4879b upstream.

Extended echo replies use ICMP_EXT_ECHOREPLY as the outbound reply type.
That value is outside the range covered by icmp_pointers[], which only
describes the traditional ICMP types up to NR_ICMP_TYPES.

Avoid consulting icmp_pointers[] for reply types outside that range, and
use array_index_nospec() for the remaining in-range lookup. Normal ICMP
replies keep their existing behavior unchanged.

Fixes: d329ea5bd884 ("icmp: add response to RFC 8335 PROBE messages")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Ruide Cao <caoruide123@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/0dace90c01a5978e829ca741ef684dbd7304ce62.1776628519.git.caoruide123@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/icmp.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -64,6 +64,7 @@
 #include <linux/jiffies.h>
 #include <linux/kernel.h>
 #include <linux/fcntl.h>
+#include <linux/nospec.h>
 #include <linux/socket.h>
 #include <linux/in.h>
 #include <linux/inet.h>
@@ -359,7 +360,9 @@ static int icmp_glue_bits(void *from, ch
 				      to, len);
 
 	skb->csum = csum_block_add(skb->csum, csum, odd);
-	if (icmp_pointers[icmp_param->data.icmph.type].error)
+	if (icmp_param->data.icmph.type <= NR_ICMP_TYPES &&
+	    icmp_pointers[array_index_nospec(icmp_param->data.icmph.type,
+					     NR_ICMP_TYPES + 1)].error)
 		nf_ct_attach(skb, icmp_param->skb);
 	return 0;
 }
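Review bot: the condition is correct but hard to read across three lines; hoist the type into a local, e.g. `u8 type = icmp_param->data.icmph.type;` followed by `if (type <= NR_ICMP_TYPES && icmp_pointers[array_index_nospec(type, NR_ICMP_TYPES + 1)].error)`. The bound itself checks out: `<= NR_ICMP_TYPES` matches the array size `NR_ICMP_TYPES + 1` passed to array_index_nospec(), and icmph.type is a u8 so no negative value reaches the comparison. Extended echo replies now skip nf_ct_attach() entirely, which is the intent stated in the commit message but worth a comment at the site.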



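The two halves of the fix, as an added userland example that is not net/ipv4/icmp.c: a table covering types 0..NR_ICMP_TYPES indexed by a wire-controlled u8, the architectural range check, and a copy of the kernel's generic array_index_mask_nospec()/array_index_nospec() so the masking step can be exercised on in-range, boundary and out-of-range indexes. The table contents and the two "old" and "new" predicates are constructed for illustration; NR_ICMP_TYPES and ICMP_EXT_ECHOREPLY carry the values the Linux uapi headers assign.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NR_ICMP_TYPES      18   /* highest traditional type described by icmp_pointers[] */
#define ICMP_EXT_ECHOREPLY 43   /* RFC 8335 extended echo reply: outside 0..NR_ICMP_TYPES */
#define ICMP_DEST_UNREACH   3
#define ICMP_TIME_EXCEEDED 11

struct icmp_control {
	bool error;   /* error-class message: the kernel attaches conntrack to the reply */
};

/* Constructed table: only the error flags matter for the check in the hunk. */
static const struct icmp_control icmp_pointers[NR_ICMP_TYPES + 1] = {
	[ICMP_DEST_UNREACH]  = { .error = true },
	[4]                  = { .error = true },  /* source quench */
	[ICMP_TIME_EXCEEDED] = { .error = true },
	[12]                 = { .error = true },  /* parameter problem */
};

/*
 * Userland copy of the kernel's generic array_index_mask_nospec(): all-ones
 * when index < size, zero otherwise, computed with arithmetic only so the CPU
 * has no branch to speculate past. (size - 1 - index) wraps to a huge value
 * exactly when index >= size, which sets the top bit of the OR.
 */
unsigned long array_index_mask_nospec(unsigned long index, unsigned long size)
{
	return ~(long)(index | (size - 1 - index)) >> (sizeof(long) * CHAR_BIT - 1);
}

/* Clamps an out-of-range index to 0 without a data-dependent branch. */
unsigned long array_index_nospec(unsigned long index, unsigned long size)
{
	return index & array_index_mask_nospec(index, size);
}

/* Pre-fix: the type indexed icmp_pointers[] directly, so this is the out-of-bounds predicate. */
bool old_lookup_reads_oob(uint8_t type)
{
	return type > NR_ICMP_TYPES;
}

/* Post-fix logic from the hunk: architectural bound, then a speculation-safe index. */
bool new_should_attach_ct(uint8_t type)
{
	return type <= NR_ICMP_TYPES &&
	       icmp_pointers[array_index_nospec(type, NR_ICMP_TYPES + 1)].error;
}

int main(void)
{
	const uint8_t types[] = { 0, ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED,
				  NR_ICMP_TYPES, NR_ICMP_TYPES + 1, ICMP_EXT_ECHOREPLY };

	for (size_t i = 0; i < sizeof(types) / sizeof(types[0]); i++) {
		uint8_t t = types[i];

		printf("type=%3u old_oob=%d new_attach=%d nospec_index=%lu\n", t,
		       old_lookup_reads_oob(t), new_should_attach_ct(t),
		       array_index_nospec(t, NR_ICMP_TYPES + 1));
	}
	return 0;
}
```

The range check alone is what keeps the architectural read in bounds; array_index_nospec() only matters for the window in which the CPU may have predicted the comparison wrongly, which is why the kernel uses both rather than one or the other.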

* [PATCH 6.6 078/474] libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 077/474] ipv4: icmp: validate reply type before using icmp_pointers Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 079/474] extract-cert: Wrap key_pass with #ifdef USE_PKCS11_ENGINE Greg Kroah-Hartman
                   ` (396 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Raphael Zimmer, Ilya Dryomov

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>

commit 5199c125d25aeae8615c4fc31652cc0fe624338e upstream.

If a message of type CEPH_MSG_AUTH_REPLY contains a zero value for both
protocol and result, this is currently not treated as an error. In case
of ac->negotiating == true and ac->protocol > 0, this leads to setting
ac->protocol = 0 and ac->ops = NULL. Thereafter, the check for
ac->protocol != protocol returns false, and init_protocol() is not
called. Subsequently, ac->ops->handle_reply() is called, which leads to
a null pointer dereference, because ac->ops is still NULL.

This patch changes the check for ac->protocol != protocol to
!ac->protocol, as this also includes the case when the protocol was set
to zero in the message. This causes the message to be treated as
containing a bad auth protocol.

Cc: stable@vger.kernel.org
Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ceph/auth.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ceph/auth.c
+++ b/net/ceph/auth.c
@@ -245,7 +245,7 @@ int ceph_handle_auth_reply(struct ceph_a
 			ac->protocol = 0;
 			ac->ops = NULL;
 		}
-		if (ac->protocol != protocol) {
+		if (!ac->protocol) {
 			ret = init_protocol(ac, protocol);
 			if (ret) {
 				pr_err("auth protocol '%s' init failed: %d\n",
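Review bot: `!ac->protocol` also changes behaviour for the case where ac->protocol is non-zero and differs from `protocol` but the reset block above (`ac->protocol = 0; ac->ops = NULL;`) was not taken: the old code re-initialised for the new protocol, the new code keeps the current ops. If that block is guarded by exactly `ac->protocol && ac->protocol != protocol`, the case is unreachable and a comment saying so would help. The fix also depends on init_protocol(ac, 0) returning an error so that the pr_err() path reports a bad auth protocol; please confirm that in the same change rather than by inspection.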



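The negotiation state machine from the commit message, as an added userland example that is not libceph code: a client mid-negotiation with one protocol already set up receives a CEPH_MSG_AUTH_REPLY carrying protocol 0 and result 0, and the handler is run once with the old `ac->protocol != protocol` test and once with the patched `!ac->protocol`. The ops table, the CEPH_AUTH_CEPHX id, the errno values and the -EFAULT marker that stands in for the NULL dereference are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define CEPH_AUTH_UNKNOWN 0
#define CEPH_AUTH_CEPHX   2     /* assumed non-zero protocol id for the model */
#define EINVAL 22               /* init_protocol(): "bad auth protocol" */
#define EFAULT 14               /* stands in for calling through a NULL ac->ops */

struct auth_client;

struct auth_ops {
	int (*handle_reply)(struct auth_client *ac, int result);
};

struct auth_client {
	bool negotiating;           /* still waiting for the monitor to pick a protocol */
	int protocol;               /* protocol currently set up, 0 if none */
	const struct auth_ops *ops; /* NULL whenever protocol is 0 */
};

static int cephx_handle_reply(struct auth_client *ac, int result)
{
	(void)ac;
	return result;              /* the model just echoes the monitor's result */
}

static const struct auth_ops cephx_ops = { .handle_reply = cephx_handle_reply };

/* Only a known, non-zero protocol gets an ops table; 0 is rejected. */
int init_protocol(struct auth_client *ac, int protocol)
{
	switch (protocol) {
	case CEPH_AUTH_CEPHX:
		ac->protocol = protocol;
		ac->ops = &cephx_ops;
		return 0;
	default:
		return -EINVAL;
	}
}

/*
 * Model of the negotiation part of ceph_handle_auth_reply(). `use_fix`
 * selects the patched condition. Returns the protocol handler's result,
 * a negative errno, or -EFAULT where the real code would dereference NULL.
 */
int handle_auth_reply(struct auth_client *ac, int protocol, int result, bool use_fix)
{
	if (ac->negotiating) {
		/* monitor rejected all of our protocols: modelled as an error */
		if (!protocol && result < 0)
			return result;
		/* monitor picked something other than what we had set up */
		if (ac->protocol && ac->protocol != protocol) {
			ac->protocol = 0;
			ac->ops = NULL;
		}
		/* protocol == 0 with result == 0 arrives here with ops == NULL */
		if (use_fix ? !ac->protocol : ac->protocol != protocol) {
			int ret = init_protocol(ac, protocol);

			if (ret)
				return ret;
		}
		ac->negotiating = false;
	}
	if (!ac->ops)
		return -EFAULT;
	return ac->ops->handle_reply(ac, result);
}

/* Fresh client mid-negotiation with CEPHX already set up, fed one reply. */
int run_reply(int protocol, int result, bool use_fix)
{
	struct auth_client ac = {
		.negotiating = true,
		.protocol = CEPH_AUTH_CEPHX,
		.ops = &cephx_ops,
	};

	return handle_auth_reply(&ac, protocol, result, use_fix);
}

int main(void)
{
	printf("old code, protocol=0 result=0: %d (would dereference NULL ops)\n",
	       run_reply(CEPH_AUTH_UNKNOWN, 0, false));
	printf("fixed,    protocol=0 result=0: %d (bad auth protocol)\n",
	       run_reply(CEPH_AUTH_UNKNOWN, 0, true));
	printf("fixed,    protocol=2 result=0: %d (normal reply)\n",
	       run_reply(CEPH_AUTH_CEPHX, 0, true));
	return 0;
}
```

With the old test, the reset block leaves protocol at 0 and then `0 != 0` is false, so no handler is installed before the call through ops; the patched test keys off the state that actually matters (is a handler installed?) rather than off the wire value.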

* [PATCH 6.6 079/474] extract-cert: Wrap key_pass with #ifdef USE_PKCS11_ENGINE
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 078/474] libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply() Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 080/474] tpm: avoid -Wunused-but-set-variable Greg Kroah-Hartman
                   ` (395 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Nick Desaulniers, Nathan Chancellor

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nathan Chancellor <nathan@kernel.org>

commit 4f96b7c68a9904e01049ef610d701b382dca9574 upstream.

A recent strengthening of -Wunused-but-set-variable (enabled with -Wall)
in clang under a new subwarning, -Wunused-but-set-global, points out an
unused static global variable in certs/extract-cert.c:

  certs/extract-cert.c:46:20: error: variable 'key_pass' set but not used [-Werror,-Wunused-but-set-global]
     46 | static const char *key_pass;
        |                    ^

After commit 558bdc45dfb2 ("sign-file,extract-cert: use pkcs11 provider
for OPENSSL MAJOR >= 3"), key_pass is only used with the OpenSSL engine
API, not the new provider API. Wrap key_pass's declaration and
assignment with '#ifdef USE_PKCS11_ENGINE' so that it is only included
with its use to clear up the warning. While this is a little uglier than
just marking key_pass with the unused attribute, this will make it
easier to clean up all code associated with the use of the engine API if
it were ever removed in the future. While in the area, use a tab for
the key_pass assignment line to match the rest of the file.

Cc: stable@vger.kernel.org
Fixes: 558bdc45dfb2 ("sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3")
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Tested-by: Nick Desaulniers <ndesaulniers@google.com>
Link: https://patch.msgid.link/20260325-certs-extract-cert-key_pass-unused-but-set-global-v1-1-ecf94326d532@kernel.org
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 certs/extract-cert.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/certs/extract-cert.c
+++ b/certs/extract-cert.c
@@ -43,7 +43,9 @@ void format(void)
 	exit(2);
 }
 
+#ifdef USE_PKCS11_ENGINE
 static const char *key_pass;
+#endif
 static BIO *wb;
 static char *cert_dst;
 static bool verbose;
@@ -135,7 +137,9 @@ int main(int argc, char **argv)
 	if (verbose_env && strchr(verbose_env, '1'))
 		verbose = true;
 
-        key_pass = getenv("KBUILD_SIGN_PIN");
+#ifdef USE_PKCS11_ENGINE
+	key_pass = getenv("KBUILD_SIGN_PIN");
+#endif
 
 	if (argc != 3)
 		format();
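Review bot: with the provider build, getenv("KBUILD_SIGN_PIN") is no longer evaluated at all, so a PIN present in the environment is silently ignored rather than read and left unused; that is the intended outcome, but a short comment on the #ifdef (or in the usage text) noting that the PIN is only honoured for the engine API would spare anyone debugging a PKCS#11 build from wondering why it has no effect. The tab on the assignment line matches the surrounding indentation, as the commit message says.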




* [PATCH 6.6 080/474] tpm: avoid -Wunused-but-set-variable
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 079/474] extract-cert: Wrap key_pass with #ifdef USE_PKCS11_ENGINE Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 081/474] LoongArch: Show CPU vulnerabilities correctly Greg Kroah-Hartman
                   ` (394 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Thorsten Blum,
	Jarkko Sakkinen

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 6f1d4d2ecfcd1b577dc87350ea965fe81f272e83 upstream.

Outside of the EFI tpm code, the TPM_MEMREMAP()/TPM_MEMUNMAP functions are
defined as trivial macros, leading to the mapping_size variable ending
up unused:

In file included from drivers/char/tpm/tpm-sysfs.c:16:
In file included from drivers/char/tpm/tpm.h:28:
include/linux/tpm_eventlog.h:167:6: error: variable 'mapping_size' set but not used [-Werror,-Wunused-but-set-variable]
  167 |         int mapping_size;

Turn the stubs into inline functions to avoid this warning.

Cc: stable@vger.kernel.org # v5.3+
Fixes: c46f3405692d ("tpm: Reserve the TPM final events table")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Thorsten Blum <thorsten.blum@linux.dev>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/tpm_eventlog.h |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/include/linux/tpm_eventlog.h
+++ b/include/linux/tpm_eventlog.h
@@ -131,11 +131,16 @@ struct tcg_algorithm_info {
 };
 
 #ifndef TPM_MEMREMAP
-#define TPM_MEMREMAP(start, size) NULL
+static inline void *TPM_MEMREMAP(unsigned long start, size_t size)
+{
+	return NULL;
+}
 #endif
 
 #ifndef TPM_MEMUNMAP
-#define TPM_MEMUNMAP(start, size) do{} while(0)
+static inline void TPM_MEMUNMAP(void *mapping, size_t size)
+{
+}
 #endif
 
 /**
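Review bot: the stub signatures must accept the same argument types the EFI definitions they replace are given: the old macros took (start, size) for both, while the inline TPM_MEMUNMAP() now takes a `void *mapping` first. Confirm that the caller in this header passes the mapped pointer (not the physical start) to TPM_MEMUNMAP() and that the EFI-side TPM_MEMREMAP/TPM_MEMUNMAP, defined before this header is included, use matching types, otherwise one configuration gets a pointer/integer conversion warning the other does not. A brief comment on the stubs saying that the non-EFI build never maps anything would also make the silent NULL return less surprising.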




* [PATCH 6.6 081/474] LoongArch: Show CPU vulnerabilities correctly
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 080/474] tpm: avoid -Wunused-but-set-variable Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 082/474] power: supply: axp288_charger: Do not cancel work before initializing it Greg Kroah-Hartman
                   ` (393 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Huacai Chen

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Huacai Chen <chenhuacai@loongson.cn>

commit 37e57e8ad96cdec4a57b55fd10bef50f7370a954 upstream.

Most LoongArch processors are vulnerable to Spectre-V1 Proof-of-Concept
(PoC). And the generic mechanism, __user pointer sanitization, can be
used as a mitigation. This means to use array_index_nospec() to prevent
out of boundary access in syscall and other critical paths.

Implement the arch-specific cpu_show_spectre_v1() to show CPU Spectre-V1
vulnerabilities correctly.

Cc: stable@vger.kernel.org
Link: https://cc-sw.com/chinese-loongarch-architecture-evaluation-part-3-of-3/
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/loongarch/kernel/cpu-probe.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/arch/loongarch/kernel/cpu-probe.c
+++ b/arch/loongarch/kernel/cpu-probe.c
@@ -7,6 +7,7 @@
 #include <linux/init.h>
 #include <linux/kernel.h>
 #include <linux/ptrace.h>
+#include <linux/cpu.h>
 #include <linux/smp.h>
 #include <linux/stddef.h>
 #include <linux/export.h>
@@ -327,3 +328,9 @@ void cpu_probe(void)
 
 	cpu_report();
 }
+
+ssize_t cpu_show_spectre_v1(struct device *dev,
+			    struct device_attribute *attr, char *buf)
+{
+	return sysfs_emit(buf, "Mitigation: __user pointer sanitization\n");
+}
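Review bot: cpu_show_spectre_v1() unconditionally reports a mitigation, while the commit message says only "most" LoongArch processors are vulnerable; there is no "Not affected" path for parts that are not, and nothing here ties the string to whether __user pointer sanitization is actually in effect on this kernel. Also, this override is only exposed if the architecture selects GENERIC_CPU_VULNERABILITIES, since the sysfs attribute and the weak default live in drivers/base/cpu.c; the diff adds <linux/cpu.h> but no Kconfig change, so confirm that select is already present in 6.6, otherwise the function is dead code.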




* [PATCH 6.6 082/474] power: supply: axp288_charger: Do not cancel work before initializing it
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 081/474] LoongArch: Show CPU vulnerabilites correctly Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 083/474] randomize_kstack: Maintain kstack_offset per task Greg Kroah-Hartman
                   ` (392 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Hans de Goede,
	Chen-Yu Tsai, Sebastian Reichel

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>

commit 658342fd75b582cbb06544d513171c3d645faead upstream.

The driver registered a devm handler to call cancel_work_sync() before the
work was even initialized, thus leading to a possible warning from
kernel/workqueue.c on the (!work->func) check, if the error path was hit
before the initialization happened.

Use devm_work_autocancel() on each work item independently, which
handles the initialization and handler to cancel work.

Fixes: 165c2357744e ("power: supply: axp288_charger: Properly stop work on probe-error / remove")
Cc: stable@vger.kernel.org
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Reviewed-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
Reviewed-by: Chen-Yu Tsai <wens@kernel.org>
Link: https://patch.msgid.link/20260220174938.672883-5-krzysztof.kozlowski@oss.qualcomm.com
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/power/supply/axp288_charger.c |   19 ++++++++-----------
 1 file changed, 8 insertions(+), 11 deletions(-)

--- a/drivers/power/supply/axp288_charger.c
+++ b/drivers/power/supply/axp288_charger.c
@@ -10,6 +10,7 @@
 #include <linux/acpi.h>
 #include <linux/bitops.h>
 #include <linux/module.h>
+#include <linux/devm-helpers.h>
 #include <linux/device.h>
 #include <linux/regmap.h>
 #include <linux/workqueue.h>
@@ -821,14 +822,6 @@ static int charger_init_hw_regs(struct a
 	return 0;
 }
 
-static void axp288_charger_cancel_work(void *data)
-{
-	struct axp288_chrg_info *info = data;
-
-	cancel_work_sync(&info->otg.work);
-	cancel_work_sync(&info->cable.work);
-}
-
 static int axp288_charger_probe(struct platform_device *pdev)
 {
 	int ret, i, pirq;
@@ -911,12 +904,12 @@ static int axp288_charger_probe(struct p
 	}
 
 	/* Cancel our work on cleanup, register this before the notifiers */
-	ret = devm_add_action(dev, axp288_charger_cancel_work, info);
+	ret = devm_work_autocancel(dev, &info->cable.work,
+				   axp288_charger_extcon_evt_worker);
 	if (ret)
 		return ret;
 
 	/* Register for extcon notification */
-	INIT_WORK(&info->cable.work, axp288_charger_extcon_evt_worker);
 	info->cable.nb.notifier_call = axp288_charger_handle_cable_evt;
 	ret = devm_extcon_register_notifier_all(dev, info->cable.edev,
 						&info->cable.nb);
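Review bot: the comment "Cancel our work on cleanup, register this before the notifiers" now sits above a devm_work_autocancel() that covers only info->cable.work, while info->otg.work gets its own call further down; either reword it to name the cable work or move both devm_work_autocancel() calls together above the first registration so the one comment stays accurate. The order itself is right: devm actions are released in reverse, so devm_extcon_register_notifier_all() is undone before the cable work is cancelled.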
@@ -926,8 +919,12 @@ static int axp288_charger_probe(struct p
 	}
 	schedule_work(&info->cable.work);
 
+	ret = devm_work_autocancel(dev, &info->otg.work,
+				   axp288_charger_otg_evt_worker);
+	if (ret)
+		return ret;
+
 	/* Register for OTG notification */
-	INIT_WORK(&info->otg.work, axp288_charger_otg_evt_worker);
 	info->otg.id_nb.notifier_call = axp288_charger_handle_otg_evt;
 	if (info->otg.cable) {
 		ret = devm_extcon_register_notifier(dev, info->otg.cable,
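Review bot: devm_work_autocancel() for info->otg.work, which is also what now performs the INIT_WORK, runs after schedule_work(&info->cable.work) has already queued the cable worker. That is only safe if axp288_charger_extcon_evt_worker() never queues info->otg.work; if it can, the uninitialised-work warning this patch removes reappears from the worker, so move this block above the cable work's schedule_work(). If there is no such dependency, a short comment saying so would help the next reader.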




* [PATCH 6.6 083/474] randomize_kstack: Maintain kstack_offset per task
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Mark Rutland, Ryan Roberts,
	Kees Cook

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ryan Roberts <ryan.roberts@arm.com>

commit 37beb42560165869838e7d91724f3e629db64129 upstream.

kstack_offset was previously maintained per-cpu, but this caused a
couple of issues. So let's instead make it per-task.

Issue 1: add_random_kstack_offset() and choose_random_kstack_offset()
expected and required to be called with interrupts and preemption
disabled so that it could manipulate per-cpu state. But arm64, loongarch
and risc-v are calling them with interrupts and preemption enabled. I
don't _think_ this causes any functional issues, but it's certainly
unexpected and could lead to manipulating the wrong cpu's state, which
could cause a minor performance degradation due to bouncing the cache
lines. By maintaining the state per-task those functions can safely be
called in preemptible context.

Issue 2: add_random_kstack_offset() is called before executing the
syscall and expands the stack using a previously chosen random offset.
choose_random_kstack_offset() is called after executing the syscall and
chooses and stores a new random offset for the next syscall. With
per-cpu storage for this offset, an attacker could force cpu migration
during the execution of the syscall and prevent the offset from being
updated for the original cpu such that it is predictable for the next
syscall on that cpu. By maintaining the state per-task, this problem
goes away because the per-task random offset is updated after the
syscall regardless of which cpu it is executing on.

Fixes: 39218ff4c625 ("stack: Optionally randomize kernel stack offset each syscall")
Closes: https://lore.kernel.org/all/dd8c37bc-795f-4c7a-9086-69e584d8ab24@arm.com/
Cc: stable@vger.kernel.org
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
Link: https://patch.msgid.link/20260303150840.3789438-2-ryan.roberts@arm.com
Signed-off-by: Kees Cook <kees@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/randomize_kstack.h |   26 +++++++++++++++-----------
 include/linux/sched.h            |    4 ++++
 init/main.c                      |    1 -
 kernel/fork.c                    |    2 ++
 4 files changed, 21 insertions(+), 12 deletions(-)

--- a/include/linux/randomize_kstack.h
+++ b/include/linux/randomize_kstack.h
@@ -9,7 +9,6 @@
 
 DECLARE_STATIC_KEY_MAYBE(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT,
 			 randomize_kstack_offset);
-DECLARE_PER_CPU(u32, kstack_offset);
 
 /*
  * Do not use this anywhere else in the kernel. This is used here because
@@ -44,15 +43,14 @@ DECLARE_PER_CPU(u32, kstack_offset);
  * add_random_kstack_offset - Increase stack utilization by previously
  *			      chosen random offset
  *
- * This should be used in the syscall entry path when interrupts and
- * preempt are disabled, and after user registers have been stored to
- * the stack. For testing the resulting entropy, please see:
- * tools/testing/selftests/lkdtm/stack-entropy.sh
+ * This should be used in the syscall entry path after user registers have been
+ * stored to the stack. Preemption may be enabled. For testing the resulting
+ * entropy, please see: tools/testing/selftests/lkdtm/stack-entropy.sh
  */
 #define add_random_kstack_offset() do {					\
 	if (static_branch_maybe(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT,	\
 				&randomize_kstack_offset)) {		\
-		u32 offset = raw_cpu_read(kstack_offset);		\
+		u32 offset = current->kstack_offset;			\
 		u8 *ptr = __kstack_alloca(KSTACK_OFFSET_MAX(offset));	\
 		/* Keep allocation even after "ptr" loses scope. */	\
 		asm volatile("" :: "r"(ptr) : "memory");		\
@@ -63,9 +61,9 @@ DECLARE_PER_CPU(u32, kstack_offset);
  * choose_random_kstack_offset - Choose the random offset for the next
  *				 add_random_kstack_offset()
  *
- * This should only be used during syscall exit when interrupts and
- * preempt are disabled. This position in the syscall flow is done to
- * frustrate attacks from userspace attempting to learn the next offset:
+ * This should only be used during syscall exit. Preemption may be enabled. This
+ * position in the syscall flow is done to frustrate attacks from userspace
+ * attempting to learn the next offset:
  * - Maximize the timing uncertainty visible from userspace: if the
  *   offset is chosen at syscall entry, userspace has much more control
  *   over the timing between choosing offsets. "How long will we be in
@@ -79,14 +77,20 @@ DECLARE_PER_CPU(u32, kstack_offset);
 #define choose_random_kstack_offset(rand) do {				\
 	if (static_branch_maybe(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT,	\
 				&randomize_kstack_offset)) {		\
-		u32 offset = raw_cpu_read(kstack_offset);		\
+		u32 offset = current->kstack_offset;			\
 		offset = ror32(offset, 5) ^ (rand);			\
-		raw_cpu_write(kstack_offset, offset);			\
+		current->kstack_offset = offset;			\
 	}								\
 } while (0)
+
+static inline void random_kstack_task_init(struct task_struct *tsk)
+{
+	tsk->kstack_offset = 0;
+}
 #else /* CONFIG_RANDOMIZE_KSTACK_OFFSET */
 #define add_random_kstack_offset()		do { } while (0)
 #define choose_random_kstack_offset(rand)	do { } while (0)
+#define random_kstack_task_init(tsk)		do { } while (0)
 #endif /* CONFIG_RANDOMIZE_KSTACK_OFFSET */
 
 #endif
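Review bot: random_kstack_task_init() dereferences tsk->kstack_offset as a static inline in this header, so randomize_kstack.h now needs the complete struct task_struct definition (linux/sched.h) to be visible wherever it is included, and the hunk adds no include for it; either add `#include <linux/sched.h>` here or make the helper a macro like the !CONFIG_RANDOMIZE_KSTACK_OFFSET stub so the header stays self-contained. The two `current->kstack_offset` reads inside the macros are fine without it, since they expand in callers that already have the definition.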
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1501,6 +1501,10 @@ struct task_struct {
 	unsigned long			prev_lowest_stack;
 #endif
 
+#ifdef CONFIG_RANDOMIZE_KSTACK_OFFSET
+	u32				kstack_offset;
+#endif
+
 #ifdef CONFIG_X86_MCE
 	void __user			*mce_vaddr;
 	__u64				mce_kflags;
--- a/init/main.c
+++ b/init/main.c
@@ -816,7 +816,6 @@ static inline void initcall_debug_enable
 #ifdef CONFIG_RANDOMIZE_KSTACK_OFFSET
 DEFINE_STATIC_KEY_MAYBE_RO(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT,
 			   randomize_kstack_offset);
-DEFINE_PER_CPU(u32, kstack_offset);
 
 static int __init early_randomize_kstack_offset(char *buf)
 {
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -93,6 +93,7 @@
 #include <linux/thread_info.h>
 #include <linux/stackleak.h>
 #include <linux/kasan.h>
+#include <linux/randomize_kstack.h>
 #include <linux/scs.h>
 #include <linux/io_uring.h>
 #include <linux/bpf.h>
@@ -2517,6 +2518,7 @@ __latent_entropy struct task_struct *cop
 	if (retval)
 		goto bad_fork_cleanup_io;
 
+	random_kstack_task_init(p);
 	stackleak_task_init(p);
 
 	if (pid != &init_struct_pid) {
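Review bot: random_kstack_task_init(p) zeroes the offset, so every newly forked task's first syscall enters with offset 0 until choose_random_kstack_offset() runs at that syscall's exit; the per-cpu variable had the same zero start, but only once per cpu at boot rather than once per task. If that matters, initialise the field here from a fresh random value or from the parent's current offset instead of 0. Note also that init_task is not built by copy_process(), so it relies on static zero-initialisation of task_struct for kstack_offset; a comment on the new field in sched.h would make that explicit.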




* [PATCH 6.6 084/474] mmc: block: use single block write in retry
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jens Axboe, Bin Liu, Ulf Hansson

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bin Liu <b-liu@ti.com>

commit c7c6d4f5103864f73ee3a78bfd6da241f84197dd upstream.

Due to errata i2493[0], multi-block write would still fail in retries.

With i2493, the MMC interface has the potential of write failures when
issuing multi-block writes operating in HS200 mode with excessive IO
supply noise.

While the errata provides guidance in hardware design and layout to
minimize the IO supply noise, in theory the write failure cannot be
resolved in hardware. The software solution to ensure the data integrity
is to add minimum 5us delay between block writes. Single-block write is
the practical way to introduce the delay.

This patch reuses the recovery_mode flag, and switches to single-block
write in retry when multi-block write fails. It covers both CQE and
non-CQE cases.

[0] https://www.ti.com/lit/pdf/sprz582
Cc: stable@vger.kernel.org
Suggested-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/core/block.c |   12 ++++++++++--
 drivers/mmc/core/queue.h |    3 +++
 2 files changed, 13 insertions(+), 2 deletions(-)

--- a/drivers/mmc/core/block.c
+++ b/drivers/mmc/core/block.c
@@ -1378,6 +1378,9 @@ static void mmc_blk_data_prep(struct mmc
 		    rq_data_dir(req) == WRITE &&
 		    (md->flags & MMC_BLK_REL_WR);
 
+	if (mqrq->flags & MQRQ_XFER_SINGLE_BLOCK)
+		recovery_mode = 1;
+
 	memset(brq, 0, sizeof(struct mmc_blk_request));
 
 	mmc_crypto_prepare_req(mqrq);
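Review bot: nothing in this series clears MQRQ_XFER_SINGLE_BLOCK once the retried write succeeds. struct mmc_queue_req is the per-tag pdu that is reused for later requests, and retries is reset when a request is issued (outside this diff), so flags needs the same reset there (mqrq->flags = 0 wherever retries is zeroed); otherwise every later write on that tag is forced into single-block mode and the fallback becomes a permanent throughput loss rather than a one-request retry.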
@@ -1517,10 +1520,13 @@ static void mmc_blk_cqe_complete_rq(stru
 		err = 0;
 
 	if (err) {
-		if (mqrq->retries++ < MMC_CQE_RETRIES)
+		if (mqrq->retries++ < MMC_CQE_RETRIES) {
+			if (rq_data_dir(req) == WRITE)
+				mqrq->flags |= MQRQ_XFER_SINGLE_BLOCK;
 			blk_mq_requeue_request(req, true);
-		else
+		} else {
 			blk_mq_end_request(req, BLK_STS_IOERR);
+		}
 	} else if (mrq->data) {
 		if (blk_update_request(req, BLK_STS_OK, mrq->data->bytes_xfered))
 			blk_mq_requeue_request(req, true);
@@ -2058,6 +2064,8 @@ static void mmc_blk_mq_complete_rq(struc
 	} else if (!blk_rq_bytes(req)) {
 		__blk_mq_end_request(req, BLK_STS_IOERR);
 	} else if (mqrq->retries++ < MMC_MAX_RETRIES) {
+		if (rq_data_dir(req) == WRITE)
+			mqrq->flags |= MQRQ_XFER_SINGLE_BLOCK;
 		blk_mq_requeue_request(req, true);
 	} else {
 		if (mmc_card_removed(mq->card))
--- a/drivers/mmc/core/queue.h
+++ b/drivers/mmc/core/queue.h
@@ -61,6 +61,8 @@ enum mmc_drv_op {
 	MMC_DRV_OP_GET_EXT_CSD,
 };
 
+#define	MQRQ_XFER_SINGLE_BLOCK		BIT(0)
+
 struct mmc_queue_req {
 	struct mmc_blk_request	brq;
 	struct scatterlist	*sg;
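Review bot: `#define<tab>MQRQ_XFER_SINGLE_BLOCK` uses a tab between #define and the name, which checkpatch flags; use a single space. A one-line comment on the flag (set when a failed write is requeued, consumed by mmc_blk_data_prep() to force single-block transfers) would also save readers a trip through block.c.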
@@ -69,6 +71,7 @@ struct mmc_queue_req {
 	void			*drv_op_data;
 	unsigned int		ioc_count;
 	int			retries;
+	u32			flags;
 };
 
 struct mmc_queue {




* [PATCH 6.6 085/474] mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Shawn Lin, Adrian Hunter,
	Ulf Hansson

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shawn Lin <shawn.lin@rock-chips.com>

commit 6546a49bbe656981d99a389195560999058c89c4 upstream.

According to the ASIC design recommendations, the clock must be
disabled before operating the DLL to prevent glitches that could
affect the internal digital logic. In extreme cases, failing to
do so may cause the controller to malfunction completely.

Adds a step to disable the clock before DLL configuration and
re-enables it at the end.

Fixes: 08f3dff799d4 ("mmc: sdhci-of-dwcmshc: add rockchip platform support")
Cc: stable@vger.kernel.org
Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/host/sdhci-of-dwcmshc.c |   19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

--- a/drivers/mmc/host/sdhci-of-dwcmshc.c
+++ b/drivers/mmc/host/sdhci-of-dwcmshc.c
@@ -243,12 +243,15 @@ static void dwcmshc_rk3568_set_clock(str
 	extra &= ~BIT(0);
 	sdhci_writel(host, extra, reg);
 
+	/* Disable clock while config DLL */
+	sdhci_writew(host, 0, SDHCI_CLOCK_CONTROL);
+
 	if (clock <= 52000000) {
 		if (host->mmc->ios.timing == MMC_TIMING_MMC_HS200 ||
 		    host->mmc->ios.timing == MMC_TIMING_MMC_HS400) {
 			dev_err(mmc_dev(host->mmc),
 				"Can't reduce the clock below 52MHz in HS200/HS400 mode");
-			return;
+			goto enable_clk;
 		}
 
 		/*
@@ -268,7 +271,7 @@ static void dwcmshc_rk3568_set_clock(str
 			DLL_STRBIN_DELAY_NUM_SEL |
 			DLL_STRBIN_DELAY_NUM_DEFAULT << DLL_STRBIN_DELAY_NUM_OFFSET;
 		sdhci_writel(host, extra, DWCMSHC_EMMC_DLL_STRBIN);
-		return;
+		goto enable_clk;
 	}
 
 	/* Reset DLL */
@@ -295,7 +298,7 @@ static void dwcmshc_rk3568_set_clock(str
 				 500 * USEC_PER_MSEC);
 	if (err) {
 		dev_err(mmc_dev(host->mmc), "DLL lock timeout!\n");
-		return;
+		goto enable_clk;
 	}
 
 	extra = 0x1 << 16 | /* tune clock stop en */
@@ -328,6 +331,16 @@ static void dwcmshc_rk3568_set_clock(str
 		DLL_STRBIN_TAPNUM_DEFAULT |
 		DLL_STRBIN_TAPNUM_FROM_SW;
 	sdhci_writel(host, extra, DWCMSHC_EMMC_DLL_STRBIN);
+
+enable_clk:
+	/*
+	 * The sdclk frequency select bits in SDHCI_CLOCK_CONTROL are not functional
+	 * on Rockchip's SDHCI implementation. Instead, the clock frequency is fully
+	 * controlled via external clk provider by calling clk_set_rate(). Consequently,
+	 * passing 0 to sdhci_enable_clk() only re-enables the already-configured clock,
+	 * which matches the hardware's actual behavior.
+	 */
+	sdhci_enable_clk(host, 0);
 }
 
 static void rk35xx_sdhci_reset(struct sdhci_host *host, u8 mask)




* [PATCH 6.6 086/474] arm64: dts: ti: am62-verdin: Enable pullup for eMMC data pins
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Francesco Dolcini,
	Vignesh Raghavendra

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Francesco Dolcini <francesco.dolcini@toradex.com>

commit d5325810814ee995debfa0b6c4a22e0391598bef upstream.

The Verdin AM62 board does not have external pullups on eMMC DAT1-DAT7 pins.
Enable internal pullups on DAT1-DAT7 considering:

 - without a host-side pullup, these lines rely solely on the eMMC
   device's internal pullup (R_int, 10kohm-150kohm per JEDEC), which may
   exceed the recommended 50kohm max for 1.8V VCCQ
 - JEDEC JESD84-B51 Table 200 requires host-side pullups (R_DAT,
   10kohm-100kohm) on all data lines to prevent bus floating

Fixes: 316b80246b16 ("arm64: dts: ti: add verdin am62")
Cc: stable@vger.kernel.org
Signed-off-by: Francesco Dolcini <francesco.dolcini@toradex.com>
Link: https://patch.msgid.link/20260320073032.10427-1-francesco@dolcini.it
Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/boot/dts/ti/k3-am62-verdin.dtsi |   20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

--- a/arch/arm64/boot/dts/ti/k3-am62-verdin.dtsi
+++ b/arch/arm64/boot/dts/ti/k3-am62-verdin.dtsi
@@ -507,16 +507,16 @@
 	/* On-module eMMC */
 	pinctrl_sdhci0: main-mmc0-default-pins {
 		pinctrl-single,pins = <
-			AM62X_IOPAD(0x220, PIN_INPUT, 0) /*  (Y3) MMC0_CMD  */
-			AM62X_IOPAD(0x218, PIN_INPUT, 0) /* (AB1) MMC0_CLK  */
-			AM62X_IOPAD(0x214, PIN_INPUT, 0) /* (AA2) MMC0_DAT0 */
-			AM62X_IOPAD(0x210, PIN_INPUT, 0) /* (AA1) MMC0_DAT1 */
-			AM62X_IOPAD(0x20c, PIN_INPUT, 0) /* (AA3) MMC0_DAT2 */
-			AM62X_IOPAD(0x208, PIN_INPUT, 0) /*  (Y4) MMC0_DAT3 */
-			AM62X_IOPAD(0x204, PIN_INPUT, 0) /* (AB2) MMC0_DAT4 */
-			AM62X_IOPAD(0x200, PIN_INPUT, 0) /* (AC1) MMC0_DAT5 */
-			AM62X_IOPAD(0x1fc, PIN_INPUT, 0) /* (AD2) MMC0_DAT6 */
-			AM62X_IOPAD(0x1f8, PIN_INPUT, 0) /* (AC2) MMC0_DAT7 */
+			AM62X_IOPAD(0x220, PIN_INPUT,        0) /*  (Y3) MMC0_CMD  */
+			AM62X_IOPAD(0x218, PIN_INPUT,        0) /* (AB1) MMC0_CLK  */
+			AM62X_IOPAD(0x214, PIN_INPUT,        0) /* (AA2) MMC0_DAT0 */
+			AM62X_IOPAD(0x210, PIN_INPUT_PULLUP, 0) /* (AA1) MMC0_DAT1 */
+			AM62X_IOPAD(0x20c, PIN_INPUT_PULLUP, 0) /* (AA3) MMC0_DAT2 */
+			AM62X_IOPAD(0x208, PIN_INPUT_PULLUP, 0) /*  (Y4) MMC0_DAT3 */
+			AM62X_IOPAD(0x204, PIN_INPUT_PULLUP, 0) /* (AB2) MMC0_DAT4 */
+			AM62X_IOPAD(0x200, PIN_INPUT_PULLUP, 0) /* (AC1) MMC0_DAT5 */
+			AM62X_IOPAD(0x1fc, PIN_INPUT_PULLUP, 0) /* (AD2) MMC0_DAT6 */
+			AM62X_IOPAD(0x1f8, PIN_INPUT_PULLUP, 0) /* (AC2) MMC0_DAT7 */
 		>;
 	};
 
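Review bot: the hunk rewrites the three unchanged lines (MMC0_CMD, MMC0_CLK, MMC0_DAT0) purely to realign the columns, which makes the functional change (PIN_INPUT to PIN_INPUT_PULLUP on DAT1-DAT7) harder to pick out in the diff; keeping the old alignment, or realigning in a separate patch, would make the backport easier to audit. A short comment above the node saying why CMD and DAT0 stay plain PIN_INPUT while DAT1-DAT7 need the internal pullup would also spare the next reader a trip to the schematic.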




* [PATCH 6.6 087/474] crypto: talitos - fix SEC1 32k ahash request limitation
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Paul Louvel, Herbert Xu

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Louvel <paul.louvel@bootlin.com>

commit 655ef638a2bc3cd0a9eff99a02f83cab94a3a917 upstream.

Since commit c662b043cdca ("crypto: af_alg/hash: Support
MSG_SPLICE_PAGES"), the crypto core may pass large scatterlists spanning
multiple pages to drivers supporting ahash operations. As a result, a
driver can now receive large ahash requests.

The SEC1 engine has a limitation where a single descriptor cannot
process more than 32k of data. The current implementation attempts to
handle the entire request within a single descriptor, which leads to
failures raised by the driver:

  "length exceeds h/w max limit"

Address this limitation by splitting large ahash requests into multiple
descriptors, each respecting the 32k hardware limit. This allows
processing arbitrarily large requests.

Cc: stable@vger.kernel.org
Fixes: c662b043cdca ("crypto: af_alg/hash: Support MSG_SPLICE_PAGES")
Signed-off-by: Paul Louvel <paul.louvel@bootlin.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/crypto/talitos.c |  216 +++++++++++++++++++++++++++++++----------------
 1 file changed, 147 insertions(+), 69 deletions(-)

--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -12,6 +12,7 @@
  * All rights reserved.
  */
 
+#include <linux/workqueue.h>
 #include <linux/kernel.h>
 #include <linux/module.h>
 #include <linux/mod_devicetable.h>
@@ -870,10 +871,18 @@ struct talitos_ahash_req_ctx {
 	unsigned int swinit;
 	unsigned int first;
 	unsigned int last;
+	unsigned int last_request;
 	unsigned int to_hash_later;
 	unsigned int nbuf;
 	struct scatterlist bufsl[2];
 	struct scatterlist *psrc;
+
+	struct scatterlist request_bufsl[2];
+	struct ahash_request *areq;
+	struct scatterlist *request_sl;
+	unsigned int remaining_ahash_request_bytes;
+	unsigned int current_ahash_request_bytes;
+	struct work_struct sec1_ahash_process_remaining;
 };
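Review bot: struct talitos_ahash_req_ctx is the per-request context embedded in the ahash_request, so the new work_struct is only valid after INIT_WORK(), which this series performs in ahash_init() alone. Any path that prepares a request context without going through ahash_init(), in particular the import side of talitos_export_state (not touched here, and it does not carry the new fields), would let ahash_done() schedule_work() on an uninitialised work item once a >32k update follows; please INIT_WORK there as well, or do it in ahash_process_req() before the first chunk is submitted. The request context also grows by two scatterlists, a pointer and a work_struct, which is worth a line in the commit message since it changes the reqsize reported to the crypto API.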
 
 struct talitos_export_state {
@@ -1759,7 +1768,20 @@ static void ahash_done(struct device *de
 
 	kfree(edesc);
 
-	ahash_request_complete(areq, err);
+	if (err) {
+		ahash_request_complete(areq, err);
+		return;
+	}
+
+	req_ctx->remaining_ahash_request_bytes -=
+		req_ctx->current_ahash_request_bytes;
+
+	if (!req_ctx->remaining_ahash_request_bytes) {
+		ahash_request_complete(areq, 0);
+		return;
+	}
+
+	schedule_work(&req_ctx->sec1_ahash_process_remaining);
 }
 
 /*
@@ -1925,60 +1947,7 @@ static struct talitos_edesc *ahash_edesc
 				   nbytes, 0, 0, 0, areq->base.flags, false);
 }
 
-static int ahash_init(struct ahash_request *areq)
-{
-	struct crypto_ahash *tfm = crypto_ahash_reqtfm(areq);
-	struct talitos_ctx *ctx = crypto_ahash_ctx(tfm);
-	struct device *dev = ctx->dev;
-	struct talitos_ahash_req_ctx *req_ctx = ahash_request_ctx(areq);
-	unsigned int size;
-	dma_addr_t dma;
-
-	/* Initialize the context */
-	req_ctx->buf_idx = 0;
-	req_ctx->nbuf = 0;
-	req_ctx->first = 1; /* first indicates h/w must init its context */
-	req_ctx->swinit = 0; /* assume h/w init of context */
-	size =	(crypto_ahash_digestsize(tfm) <= SHA256_DIGEST_SIZE)
-			? TALITOS_MDEU_CONTEXT_SIZE_MD5_SHA1_SHA256
-			: TALITOS_MDEU_CONTEXT_SIZE_SHA384_SHA512;
-	req_ctx->hw_context_size = size;
-
-	dma = dma_map_single(dev, req_ctx->hw_context, req_ctx->hw_context_size,
-			     DMA_TO_DEVICE);
-	dma_unmap_single(dev, dma, req_ctx->hw_context_size, DMA_TO_DEVICE);
-
-	return 0;
-}
-
-/*
- * on h/w without explicit sha224 support, we initialize h/w context
- * manually with sha224 constants, and tell it to run sha256.
- */
-static int ahash_init_sha224_swinit(struct ahash_request *areq)
-{
-	struct talitos_ahash_req_ctx *req_ctx = ahash_request_ctx(areq);
-
-	req_ctx->hw_context[0] = SHA224_H0;
-	req_ctx->hw_context[1] = SHA224_H1;
-	req_ctx->hw_context[2] = SHA224_H2;
-	req_ctx->hw_context[3] = SHA224_H3;
-	req_ctx->hw_context[4] = SHA224_H4;
-	req_ctx->hw_context[5] = SHA224_H5;
-	req_ctx->hw_context[6] = SHA224_H6;
-	req_ctx->hw_context[7] = SHA224_H7;
-
-	/* init 64-bit count */
-	req_ctx->hw_context[8] = 0;
-	req_ctx->hw_context[9] = 0;
-
-	ahash_init(areq);
-	req_ctx->swinit = 1;/* prevent h/w initting context with sha256 values*/
-
-	return 0;
-}
-
-static int ahash_process_req(struct ahash_request *areq, unsigned int nbytes)
+static int ahash_process_req_one(struct ahash_request *areq, unsigned int nbytes)
 {
 	struct crypto_ahash *tfm = crypto_ahash_reqtfm(areq);
 	struct talitos_ctx *ctx = crypto_ahash_ctx(tfm);
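Review bot: this hunk is a pure move of ahash_init() and ahash_init_sha224_swinit() below the new worker so that ahash_init() can reference sec1_ahash_process_remaining; a forward declaration of sec1_ahash_process_remaining() would keep the move out of a stable backport and leave the functional change reviewable on its own. The rename to ahash_process_req_one() is fine, but note that the function now reads the source list from req_ctx->request_sl and the request from req_ctx->areq, so the areq parameter is only used to reach req_ctx; a comment saying callers must go through ahash_process_req() would prevent someone calling it directly with areq->src.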
@@ -1997,12 +1966,12 @@ static int ahash_process_req(struct ahas
 
 	if (!req_ctx->last && (nbytes + req_ctx->nbuf <= blocksize)) {
 		/* Buffer up to one whole block */
-		nents = sg_nents_for_len(areq->src, nbytes);
+		nents = sg_nents_for_len(req_ctx->request_sl, nbytes);
 		if (nents < 0) {
 			dev_err(dev, "Invalid number of src SG.\n");
 			return nents;
 		}
-		sg_copy_to_buffer(areq->src, nents,
+		sg_copy_to_buffer(req_ctx->request_sl, nents,
 				  ctx_buf + req_ctx->nbuf, nbytes);
 		req_ctx->nbuf += nbytes;
 		return 0;
@@ -2029,7 +1998,7 @@ static int ahash_process_req(struct ahas
 		sg_init_table(req_ctx->bufsl, nsg);
 		sg_set_buf(req_ctx->bufsl, ctx_buf, req_ctx->nbuf);
 		if (nsg > 1)
-			sg_chain(req_ctx->bufsl, 2, areq->src);
+			sg_chain(req_ctx->bufsl, 2, req_ctx->request_sl);
 		req_ctx->psrc = req_ctx->bufsl;
 	} else if (is_sec1 && req_ctx->nbuf && req_ctx->nbuf < blocksize) {
 		int offset;
@@ -2038,26 +2007,26 @@ static int ahash_process_req(struct ahas
 			offset = blocksize - req_ctx->nbuf;
 		else
 			offset = nbytes_to_hash - req_ctx->nbuf;
-		nents = sg_nents_for_len(areq->src, offset);
+		nents = sg_nents_for_len(req_ctx->request_sl, offset);
 		if (nents < 0) {
 			dev_err(dev, "Invalid number of src SG.\n");
 			return nents;
 		}
-		sg_copy_to_buffer(areq->src, nents,
+		sg_copy_to_buffer(req_ctx->request_sl, nents,
 				  ctx_buf + req_ctx->nbuf, offset);
 		req_ctx->nbuf += offset;
-		req_ctx->psrc = scatterwalk_ffwd(req_ctx->bufsl, areq->src,
+		req_ctx->psrc = scatterwalk_ffwd(req_ctx->bufsl, req_ctx->request_sl,
 						 offset);
 	} else
-		req_ctx->psrc = areq->src;
+		req_ctx->psrc = req_ctx->request_sl;
 
 	if (to_hash_later) {
-		nents = sg_nents_for_len(areq->src, nbytes);
+		nents = sg_nents_for_len(req_ctx->request_sl, nbytes);
 		if (nents < 0) {
 			dev_err(dev, "Invalid number of src SG.\n");
 			return nents;
 		}
-		sg_pcopy_to_buffer(areq->src, nents,
+		sg_pcopy_to_buffer(req_ctx->request_sl, nents,
 				   req_ctx->buf[(req_ctx->buf_idx + 1) & 1],
 				      to_hash_later,
 				      nbytes - to_hash_later);
@@ -2065,7 +2034,7 @@ static int ahash_process_req(struct ahas
 	req_ctx->to_hash_later = to_hash_later;
 
 	/* Allocate extended descriptor */
-	edesc = ahash_edesc_alloc(areq, nbytes_to_hash);
+	edesc = ahash_edesc_alloc(req_ctx->areq, nbytes_to_hash);
 	if (IS_ERR(edesc))
 		return PTR_ERR(edesc);
 
@@ -2087,14 +2056,123 @@ static int ahash_process_req(struct ahas
 	if (ctx->keylen && (req_ctx->first || req_ctx->last))
 		edesc->desc.hdr |= DESC_HDR_MODE0_MDEU_HMAC;
 
-	return common_nonsnoop_hash(edesc, areq, nbytes_to_hash, ahash_done);
+	return common_nonsnoop_hash(edesc, req_ctx->areq, nbytes_to_hash, ahash_done);
 }
 
-static int ahash_update(struct ahash_request *areq)
+static void sec1_ahash_process_remaining(struct work_struct *work)
 {
+	struct talitos_ahash_req_ctx *req_ctx =
+		container_of(work, struct talitos_ahash_req_ctx,
+			     sec1_ahash_process_remaining);
+	int err = 0;
+
+	req_ctx->request_sl = scatterwalk_ffwd(req_ctx->request_bufsl,
+					       req_ctx->request_sl, TALITOS1_MAX_DATA_LEN);
+
+	if (req_ctx->remaining_ahash_request_bytes > TALITOS1_MAX_DATA_LEN)
+		req_ctx->current_ahash_request_bytes = TALITOS1_MAX_DATA_LEN;
+	else {
+		req_ctx->current_ahash_request_bytes =
+			req_ctx->remaining_ahash_request_bytes;
+
+		if (req_ctx->last_request)
+			req_ctx->last = 1;
+	}
+
+	err = ahash_process_req_one(req_ctx->areq,
+				    req_ctx->current_ahash_request_bytes);
+
+	if (err != -EINPROGRESS)
+		ahash_request_complete(req_ctx->areq, err);
+}
+
+static int ahash_process_req(struct ahash_request *areq, unsigned int nbytes)
+{
+	struct crypto_ahash *tfm = crypto_ahash_reqtfm(areq);
+	struct talitos_ctx *ctx = crypto_ahash_ctx(tfm);
+	struct device *dev = ctx->dev;
+	struct talitos_ahash_req_ctx *req_ctx = ahash_request_ctx(areq);
+	struct talitos_private *priv = dev_get_drvdata(dev);
+	bool is_sec1 = has_ftr_sec1(priv);
+
+	req_ctx->areq = areq;
+	req_ctx->request_sl = areq->src;
+	req_ctx->remaining_ahash_request_bytes = nbytes;
+
+	if (is_sec1) {
+		if (nbytes > TALITOS1_MAX_DATA_LEN)
+			nbytes = TALITOS1_MAX_DATA_LEN;
+		else if (req_ctx->last_request)
+			req_ctx->last = 1;
+	}
+
+	req_ctx->current_ahash_request_bytes = nbytes;
+
+	return ahash_process_req_one(req_ctx->areq,
+				     req_ctx->current_ahash_request_bytes);
+}
+
+static int ahash_init(struct ahash_request *areq)
+{
+	struct crypto_ahash *tfm = crypto_ahash_reqtfm(areq);
+	struct talitos_ctx *ctx = crypto_ahash_ctx(tfm);
+	struct device *dev = ctx->dev;
 	struct talitos_ahash_req_ctx *req_ctx = ahash_request_ctx(areq);
+	unsigned int size;
+	dma_addr_t dma;
 
+	/* Initialize the context */
+	req_ctx->buf_idx = 0;
+	req_ctx->nbuf = 0;
+	req_ctx->first = 1; /* first indicates h/w must init its context */
+	req_ctx->swinit = 0; /* assume h/w init of context */
+	size =	(crypto_ahash_digestsize(tfm) <= SHA256_DIGEST_SIZE)
+			? TALITOS_MDEU_CONTEXT_SIZE_MD5_SHA1_SHA256
+			: TALITOS_MDEU_CONTEXT_SIZE_SHA384_SHA512;
+	req_ctx->hw_context_size = size;
+	req_ctx->last_request = 0;
 	req_ctx->last = 0;
+	INIT_WORK(&req_ctx->sec1_ahash_process_remaining, sec1_ahash_process_remaining);
+
+	dma = dma_map_single(dev, req_ctx->hw_context, req_ctx->hw_context_size,
+			     DMA_TO_DEVICE);
+	dma_unmap_single(dev, dma, req_ctx->hw_context_size, DMA_TO_DEVICE);
+
+	return 0;
+}
+
+/*
+ * on h/w without explicit sha224 support, we initialize h/w context
+ * manually with sha224 constants, and tell it to run sha256.
+ */
+static int ahash_init_sha224_swinit(struct ahash_request *areq)
+{
+	struct talitos_ahash_req_ctx *req_ctx = ahash_request_ctx(areq);
+
+	req_ctx->hw_context[0] = SHA224_H0;
+	req_ctx->hw_context[1] = SHA224_H1;
+	req_ctx->hw_context[2] = SHA224_H2;
+	req_ctx->hw_context[3] = SHA224_H3;
+	req_ctx->hw_context[4] = SHA224_H4;
+	req_ctx->hw_context[5] = SHA224_H5;
+	req_ctx->hw_context[6] = SHA224_H6;
+	req_ctx->hw_context[7] = SHA224_H7;
+
+	/* init 64-bit count */
+	req_ctx->hw_context[8] = 0;
+	req_ctx->hw_context[9] = 0;
+
+	ahash_init(areq);
+	req_ctx->swinit = 1;/* prevent h/w initting context with sha256 values*/
+
+	return 0;
+}
+
+static int ahash_update(struct ahash_request *areq)
+{
+	struct talitos_ahash_req_ctx *req_ctx = ahash_request_ctx(areq);
+
+	req_ctx->last_request = 0;
 
 	return ahash_process_req(areq, areq->nbytes);
 }
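Review bot: in sec1_ahash_process_remaining() the scatterwalk_ffwd() call passes req_ctx->request_bufsl as dst while req_ctx->request_sl already points at that same table from the previous iteration. scatterwalk_ffwd() does sg_init_table(dst, 2) before it reads sg_page()/offset from src, so whenever the first entry of request_bufsl is still longer than TALITOS1_MAX_DATA_LEN (one large sg entry spanning more than two chunks) it zeroes the entry it is about to copy from; alternate between two tables or keep a separate cursor into the original areq->src. Separately, the cap is applied to the new bytes only, while ahash_process_req_one() submits req_ctx->nbuf + nbytes (see the bufsl chaining in the earlier hunk); on the final chunk, with req_ctx->last set and nothing held back, the nbuf carried over from the previous chunk can push the descriptor past the 32k limit by up to one block (a 64 KiB finup looks like such a case), so cap current_ahash_request_bytes at TALITOS1_MAX_DATA_LEN - req_ctx->nbuf or confirm the limit check tolerates it. Minor: `int err = 0` is always assigned before use.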
@@ -2103,7 +2181,7 @@ static int ahash_final(struct ahash_requ
 {
 	struct talitos_ahash_req_ctx *req_ctx = ahash_request_ctx(areq);
 
-	req_ctx->last = 1;
+	req_ctx->last_request = 1;
 
 	return ahash_process_req(areq, 0);
 }
@@ -2112,7 +2190,7 @@ static int ahash_finup(struct ahash_requ
 {
 	struct talitos_ahash_req_ctx *req_ctx = ahash_request_ctx(areq);
 
-	req_ctx->last = 1;
+	req_ctx->last_request = 1;
 
 	return ahash_process_req(areq, areq->nbytes);
 }




* [PATCH 6.6 088/474] crypto: talitos - rename first/last to first_desc/last_desc
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Paul Louvel, Herbert Xu

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Louvel <paul.louvel@bootlin.com>

commit a1b80018b8cec27fc06a8b04a7f8b5f6cfe86eae upstream.

The previous commit introduces a new last_request variable in the context
structure.

Rename the existing first/last member variables in the context
structure to improve readability.

Cc: stable@vger.kernel.org
Signed-off-by: Paul Louvel <paul.louvel@bootlin.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/crypto/talitos.c |   46 +++++++++++++++++++++++-----------------------
 1 file changed, 23 insertions(+), 23 deletions(-)

--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -869,8 +869,8 @@ struct talitos_ahash_req_ctx {
 	u8 buf[2][HASH_MAX_BLOCK_SIZE];
 	int buf_idx;
 	unsigned int swinit;
-	unsigned int first;
-	unsigned int last;
+	unsigned int first_desc;
+	unsigned int last_desc;
 	unsigned int last_request;
 	unsigned int to_hash_later;
 	unsigned int nbuf;
@@ -889,8 +889,8 @@ struct talitos_export_state {
 	u32 hw_context[TALITOS_MDEU_MAX_CONTEXT_SIZE / sizeof(u32)];
 	u8 buf[HASH_MAX_BLOCK_SIZE];
 	unsigned int swinit;
-	unsigned int first;
-	unsigned int last;
+	unsigned int first_desc;
+	unsigned int last_desc;
 	unsigned int to_hash_later;
 	unsigned int nbuf;
 };
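Review bot: with first_desc, last_desc and last_request now side by side in talitos_ahash_req_ctx, the struct still carries no comment saying which is which, and readability is the stated goal of the rename. A one-line comment per field would do: first_desc/last_desc describe the hardware descriptor being built (request MDEU INIT, or PAD plus the final digest out), while last_request records that final()/finup() was called and is consumed chunk by chunk on SEC1. Worth stating in the changelog, too, that talitos_export_state only renames fields, so the size and layout of the exported hash state are unchanged.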
@@ -1722,7 +1722,7 @@ static void common_nonsnoop_hash_unmap(s
 	if (desc->next_desc &&
 	    desc->ptr[5].ptr != desc2->ptr[5].ptr)
 		unmap_single_talitos_ptr(dev, &desc2->ptr[5], DMA_FROM_DEVICE);
-	if (req_ctx->last)
+	if (req_ctx->last_desc)
 		memcpy(areq->result, req_ctx->hw_context,
 		       crypto_ahash_digestsize(tfm));
 
@@ -1759,7 +1759,7 @@ static void ahash_done(struct device *de
 		 container_of(desc, struct talitos_edesc, desc);
 	struct talitos_ahash_req_ctx *req_ctx = ahash_request_ctx(areq);
 
-	if (!req_ctx->last && req_ctx->to_hash_later) {
+	if (!req_ctx->last_desc && req_ctx->to_hash_later) {
 		/* Position any partial block for next update/final/finup */
 		req_ctx->buf_idx = (req_ctx->buf_idx + 1) & 1;
 		req_ctx->nbuf = req_ctx->to_hash_later;
@@ -1825,7 +1825,7 @@ static int common_nonsnoop_hash(struct t
 	/* first DWORD empty */
 
 	/* hash context in */
-	if (!req_ctx->first || req_ctx->swinit) {
+	if (!req_ctx->first_desc || req_ctx->swinit) {
 		map_single_talitos_ptr_nosync(dev, &desc->ptr[1],
 					      req_ctx->hw_context_size,
 					      req_ctx->hw_context,
@@ -1833,7 +1833,7 @@ static int common_nonsnoop_hash(struct t
 		req_ctx->swinit = 0;
 	}
 	/* Indicate next op is not the first. */
-	req_ctx->first = 0;
+	req_ctx->first_desc = 0;
 
 	/* HMAC key */
 	if (ctx->keylen)
@@ -1866,7 +1866,7 @@ static int common_nonsnoop_hash(struct t
 	/* fifth DWORD empty */
 
 	/* hash/HMAC out -or- hash context out */
-	if (req_ctx->last)
+	if (req_ctx->last_desc)
 		map_single_talitos_ptr(dev, &desc->ptr[5],
 				       crypto_ahash_digestsize(tfm),
 				       req_ctx->hw_context, DMA_FROM_DEVICE);
@@ -1908,7 +1908,7 @@ static int common_nonsnoop_hash(struct t
 		if (sg_count > 1)
 			sync_needed = true;
 		copy_talitos_ptr(&desc2->ptr[5], &desc->ptr[5], is_sec1);
-		if (req_ctx->last)
+		if (req_ctx->last_desc)
 			map_single_talitos_ptr_nosync(dev, &desc->ptr[5],
 						      req_ctx->hw_context_size,
 						      req_ctx->hw_context,
@@ -1964,7 +1964,7 @@ static int ahash_process_req_one(struct
 	bool is_sec1 = has_ftr_sec1(priv);
 	u8 *ctx_buf = req_ctx->buf[req_ctx->buf_idx];
 
-	if (!req_ctx->last && (nbytes + req_ctx->nbuf <= blocksize)) {
+	if (!req_ctx->last_desc && (nbytes + req_ctx->nbuf <= blocksize)) {
 		/* Buffer up to one whole block */
 		nents = sg_nents_for_len(req_ctx->request_sl, nbytes);
 		if (nents < 0) {
@@ -1981,7 +1981,7 @@ static int ahash_process_req_one(struct
 	nbytes_to_hash = nbytes + req_ctx->nbuf;
 	to_hash_later = nbytes_to_hash & (blocksize - 1);
 
-	if (req_ctx->last)
+	if (req_ctx->last_desc)
 		to_hash_later = 0;
 	else if (to_hash_later)
 		/* There is a partial block. Hash the full block(s) now */
@@ -2041,19 +2041,19 @@ static int ahash_process_req_one(struct
 	edesc->desc.hdr = ctx->desc_hdr_template;
 
 	/* On last one, request SEC to pad; otherwise continue */
-	if (req_ctx->last)
+	if (req_ctx->last_desc)
 		edesc->desc.hdr |= DESC_HDR_MODE0_MDEU_PAD;
 	else
 		edesc->desc.hdr |= DESC_HDR_MODE0_MDEU_CONT;
 
 	/* request SEC to INIT hash. */
-	if (req_ctx->first && !req_ctx->swinit)
+	if (req_ctx->first_desc && !req_ctx->swinit)
 		edesc->desc.hdr |= DESC_HDR_MODE0_MDEU_INIT;
 
 	/* When the tfm context has a keylen, it's an HMAC.
 	 * A first or last (ie. not middle) descriptor must request HMAC.
 	 */
-	if (ctx->keylen && (req_ctx->first || req_ctx->last))
+	if (ctx->keylen && (req_ctx->first_desc || req_ctx->last_desc))
 		edesc->desc.hdr |= DESC_HDR_MODE0_MDEU_HMAC;
 
 	return common_nonsnoop_hash(edesc, req_ctx->areq, nbytes_to_hash, ahash_done);
@@ -2076,7 +2076,7 @@ static void sec1_ahash_process_remaining
 			req_ctx->remaining_ahash_request_bytes;
 
 		if (req_ctx->last_request)
-			req_ctx->last = 1;
+			req_ctx->last_desc = 1;
 	}
 
 	err = ahash_process_req_one(req_ctx->areq,
@@ -2103,7 +2103,7 @@ static int ahash_process_req(struct ahas
 		if (nbytes > TALITOS1_MAX_DATA_LEN)
 			nbytes = TALITOS1_MAX_DATA_LEN;
 		else if (req_ctx->last_request)
-			req_ctx->last = 1;
+			req_ctx->last_desc = 1;
 	}
 
 	req_ctx->current_ahash_request_bytes = nbytes;
@@ -2124,14 +2124,14 @@ static int ahash_init(struct ahash_reque
 	/* Initialize the context */
 	req_ctx->buf_idx = 0;
 	req_ctx->nbuf = 0;
-	req_ctx->first = 1; /* first indicates h/w must init its context */
+	req_ctx->first_desc = 1; /* first_desc indicates h/w must init its context */
 	req_ctx->swinit = 0; /* assume h/w init of context */
 	size =	(crypto_ahash_digestsize(tfm) <= SHA256_DIGEST_SIZE)
 			? TALITOS_MDEU_CONTEXT_SIZE_MD5_SHA1_SHA256
 			: TALITOS_MDEU_CONTEXT_SIZE_SHA384_SHA512;
 	req_ctx->hw_context_size = size;
 	req_ctx->last_request = 0;
-	req_ctx->last = 0;
+	req_ctx->last_desc = 0;
 	INIT_WORK(&req_ctx->sec1_ahash_process_remaining, sec1_ahash_process_remaining);
 
 	dma = dma_map_single(dev, req_ctx->hw_context, req_ctx->hw_context_size,
@@ -2223,8 +2223,8 @@ static int ahash_export(struct ahash_req
 	       req_ctx->hw_context_size);
 	memcpy(export->buf, req_ctx->buf[req_ctx->buf_idx], req_ctx->nbuf);
 	export->swinit = req_ctx->swinit;
-	export->first = req_ctx->first;
-	export->last = req_ctx->last;
+	export->first_desc = req_ctx->first_desc;
+	export->last_desc = req_ctx->last_desc;
 	export->to_hash_later = req_ctx->to_hash_later;
 	export->nbuf = req_ctx->nbuf;
 
@@ -2249,8 +2249,8 @@ static int ahash_import(struct ahash_req
 	memcpy(req_ctx->hw_context, export->hw_context, size);
 	memcpy(req_ctx->buf[0], export->buf, export->nbuf);
 	req_ctx->swinit = export->swinit;
-	req_ctx->first = export->first;
-	req_ctx->last = export->last;
+	req_ctx->first_desc = export->first_desc;
+	req_ctx->last_desc = export->last_desc;
 	req_ctx->to_hash_later = export->to_hash_later;
 	req_ctx->nbuf = export->nbuf;
 




* [PATCH 6.6 089/474] tpm: tpm_tis: add error logging for data transfer
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 088/474] crypto: talitos - rename first/last to first_desc/last_desc Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 090/474] tpm: tpm_tis: stop transmit if retries are exhausted Greg Kroah-Hartman
                   ` (385 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jacqueline Wong, Jordan Hand,
	Jarkko Sakkinen

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jacqueline Wong <jacqwong@google.com>

commit 0471921e2d1043dcc6de5cffb49dd37709521abe upstream.

Add logging to more easily determine the reason for a transmit failure.

Cc: stable@vger.kernel.org # v6.6+
Fixes: 280db21e153d8 ("tpm_tis: Resend command to recover from data transfer errors")
Signed-off-by: Jacqueline Wong <jacqwong@google.com>
Signed-off-by: Jordan Hand <jhand@google.com>
Link: https://lore.kernel.org/r/20260415160006.2275325-2-jacqwong@google.com
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/char/tpm/tpm_tis_core.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/char/tpm/tpm_tis_core.c
+++ b/drivers/char/tpm/tpm_tis_core.c
@@ -472,6 +472,8 @@ static int tpm_tis_send_data(struct tpm_
 		status = tpm_tis_status(chip);
 		if (!itpm && (status & TPM_STS_DATA_EXPECT) == 0) {
 			rc = -EIO;
+			dev_err(&chip->dev, "TPM_STS_DATA_EXPECT should be set. sts = 0x%08x\n",
+				status);
 			goto out_err;
 		}
 	}
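Review bot: both new dev_err() calls sit inside tpm_tis_send_data(), which tpm_tis_send_main() invokes up to TPM_RETRY times on -EIO (see the retry loop in the following patch), so a transiently confused TPM now logs one error-level line per attempt even when a later retry succeeds. Consider dev_dbg() or dev_err_ratelimited() here and a single error-level summary at the point where the retries are exhausted. The same applies to the "TPM_STS_DATA_EXPECT should be unset" message in the second hunk.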
@@ -492,6 +494,8 @@ static int tpm_tis_send_data(struct tpm_
 	status = tpm_tis_status(chip);
 	if (!itpm && (status & TPM_STS_DATA_EXPECT) != 0) {
 		rc = -EIO;
+		dev_err(&chip->dev, "TPM_STS_DATA_EXPECT should be unset. sts = 0x%08x\n",
+			status);
 		goto out_err;
 	}
 




* [PATCH 6.6 090/474] tpm: tpm_tis: stop transmit if retries are exhausted
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 089/474] tpm: tpm_tis: add error logging for data transfer Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 091/474] rtc: ntxec: fix OF node reference imbalance Greg Kroah-Hartman
                   ` (384 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jacqueline Wong, Jordan Hand,
	Jarkko Sakkinen

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jacqueline Wong <jacqwong@google.com>

commit 949692da7211572fac419b2986b6abc0cd1aeb76 upstream.

tpm_tis_send_main() will attempt to retry sending data TPM_RETRY times.
Currently, if those retries are exhausted, the driver will attempt to
call execute. The TPM will be in the wrong state, leading to the
operation simply timing out.

Instead, if there is still an error after retries are exhausted, return
that error immediately.

Cc: stable@vger.kernel.org # v6.6+
Fixes: 280db21e153d8 ("tpm_tis: Resend command to recover from data transfer errors")
Signed-off-by: Jacqueline Wong <jacqwong@google.com>
Signed-off-by: Jordan Hand <jhand@google.com>
Link: https://lore.kernel.org/r/20260415160006.2275325-3-jacqwong@google.com
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/char/tpm/tpm_tis_core.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/char/tpm/tpm_tis_core.c
+++ b/drivers/char/tpm/tpm_tis_core.c
@@ -557,11 +557,16 @@ static int tpm_tis_send_main(struct tpm_
 			break;
 		else if (rc != -EAGAIN && rc != -EIO)
 			/* Data transfer failed, not recoverable */
-			return rc;
+			goto out_err;
 
 		usleep_range(priv->timeout_min, priv->timeout_max);
 	}
 
+	if (rc == -EAGAIN || rc == -EIO) {
+		dev_err(&chip->dev, "Exhausted %d tpm_tis_send_data retries\n", TPM_RETRY);
+		goto out_err;
+	}
+
 	/* go and do it */
 	rc = tpm_tis_write8(priv, TPM_STS(priv->locality), TPM_STS_GO);
 	if (rc < 0)
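Review bot: the changelog says the error is returned immediately, but the hunk also changes the non-recoverable case from `return rc;` to `goto out_err;`, so those errors now run the out_err cleanup as well; that is probably the right thing, but it is a separate behaviour change and should be called out. Assuming the `break` above is taken on success, the post-loop `if (rc == -EAGAIN || rc == -EIO)` is the only way rc can still be negative here (other errors already jumped to out_err), so `if (rc < 0)` would express the intent without duplicating the loop's condition.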




* [PATCH 6.6 091/474] rtc: ntxec: fix OF node reference imbalance
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 090/474] tpm: tpm_tis: stop transmit if retries are exhausted Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 092/474] mm/damon/core: use time_in_range_open() for damos quota window start Greg Kroah-Hartman
                   ` (383 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jonathan Neuschäfer,
	Johan Hovold, Alexandre Belloni

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 30c4d2f26bb3538c328035cea2e6265c8320539e upstream.

The driver reuses the OF node of the parent multi-function device but
fails to take another reference to balance the one dropped by the
platform bus code when unbinding the MFD and deregistering the child
devices.

Fix this by using the intended helper for reusing OF nodes.

Fixes: 435af89786c6 ("rtc: New driver for RTC in Netronix embedded controller")
Cc: stable@vger.kernel.org	# 5.13
Cc: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260407122717.2676774-1-johan@kernel.org
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/rtc/rtc-ntxec.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/rtc/rtc-ntxec.c
+++ b/drivers/rtc/rtc-ntxec.c
@@ -110,7 +110,7 @@ static int ntxec_rtc_probe(struct platfo
 	struct rtc_device *dev;
 	struct ntxec_rtc *rtc;
 
-	pdev->dev.of_node = pdev->dev.parent->of_node;
+	device_set_of_node_from_dev(&pdev->dev, pdev->dev.parent);
 
 	rtc = devm_kzalloc(&pdev->dev, sizeof(*rtc), GFP_KERNEL);
 	if (!rtc)
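Review bot: a short comment at the device_set_of_node_from_dev() call would help, since the helper both takes a reference on the parent's node and marks it as reused, and a later cleanup could otherwise reintroduce the bare assignment. No error-path change is needed: the reference is released by the platform bus when the child device is removed, which is exactly the drop the changelog describes as unbalanced.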




* [PATCH 6.6 092/474] mm/damon/core: use time_in_range_open() for damos quota window start
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 091/474] rtc: ntxec: fix OF node reference imbalance Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 093/474] userfaultfd: allow registration of ranges below mmap_min_addr Greg Kroah-Hartman
                   ` (382 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, SeongJae Park, Andrew Morton

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: SeongJae Park <sj@kernel.org>

commit 049a57421dd67a28c45ae7e92c36df758033e5fa upstream.

damos_adjust_quota() uses time_after_eq() to show if it is time to start a
new quota charge window, comparing the current jiffies and the scheduled
next charge window start time.  If it is, the next charge window start
time is updated and the new charge window starts.

The time check and next window start time update is skipped while the
scheme is deactivated by the watermarks.  Let's suppose the deactivation
is kept for more than LONG_MAX jiffies (assuming CONFIG_HZ of 250, more
than 99 days on 32 bit systems and more than one billion years on 64 bit
systems), resulting in having the jiffies larger than the next charge
window start time + LONG_MAX.  Then, the time_after_eq() call can return
false until another LONG_MAX jiffies have passed.

This means the scheme can continue working after being reactivated by the
watermarks.  But, soon, the quota will be exceeded and the scheme will
again effectively stop working until the next charge window starts.
Because the current charge window is extended to up to LONG_MAX jiffies,
however, it will look like it stopped unexpectedly and indefinitely, from
the user's perspective.

Fix this by using !time_in_range_open() instead.

The issue was discovered [1] by sashiko.

Link: https://lore.kernel.org/20260329152306.45796-1-sj@kernel.org
Link: https://lore.kernel.org/20260324040722.57944-1-sj@kernel.org [1]
Fixes: ee801b7dd782 ("mm/damon/schemes: activate schemes based on a watermarks mechanism")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: <stable@vger.kernel.org> # 5.16.x
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/damon/core.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/mm/damon/core.c
+++ b/mm/damon/core.c
@@ -1048,7 +1048,8 @@ static void damos_adjust_quota(struct da
 		quota->charged_from = jiffies;
 
 	/* New charge window starts */
-	if (time_after_eq(jiffies, quota->charged_from +
+	if (!time_in_range_open(jiffies, quota->charged_from,
+				quota->charged_from +
 				msecs_to_jiffies(quota->reset_interval))) {
 		if (quota->esz && quota->charged_sz >= quota->esz)
 			s->stat.qt_exceeds++;
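Review bot: the reason for the negated time_in_range_open() form lives only in the changelog; add a one-line comment at the condition, since a reader will see it as equivalent to time_after_eq() and may "simplify" it back. Two edge cases are worth confirming in the changelog as well: reset_interval == 0 gives an empty open range, so a new window starts on every call, the same as before; and charged_from is initialised from jiffies just above, so the range start can never lie in the future.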




* [PATCH 6.6 093/474] userfaultfd: allow registration of ranges below mmap_min_addr
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 092/474] mm/damon/core: use time_in_range_open() for damos quota window start Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 094/474] KVM: x86: Defer non-architectural deliver of exception payload to userspace read Greg Kroah-Hartman
                   ` (381 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Denis M. Karpov, Lorenzo Stoakes,
	Harry Yoo (Oracle), Pedro Falcato, Liam R. Howlett,
	Mike Rapoport (Microsoft), Alexander Viro, Christian Brauner,
	Jan Kara, Jann Horn, Peter Xu, Andrew Morton

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Denis M. Karpov <komlomal@gmail.com>

commit 161ce69c2c89781784b945d8e281ff2da9dede9c upstream.

The current implementation of validate_range() in fs/userfaultfd.c
performs a hard check against mmap_min_addr.  This is redundant because
UFFDIO_REGISTER operates on memory ranges that must already be backed by a
VMA.

Enforcing mmap_min_addr or capability checks again in userfaultfd is
unnecessary and prevents applications like binary compilers from using
UFFD for valid memory regions mapped by the application.

Remove the redundant check for mmap_min_addr.

We started using UFFD instead of the classic mprotect approach in the
binary translator to track application writes.  During development, we
encountered this bug.  The translator cannot control where the translated
application chooses to map its memory and if the app requires a
low-address area, UFFD fails, whereas mprotect would work just fine.  I
believe this is a genuine logic bug rather than an improvement, and I
would appreciate including the fix in stable.

Link: https://lore.kernel.org/20260409103345.15044-1-komlomal@gmail.com
Fixes: 86039bd3b4e6 ("userfaultfd: add new syscall to provide memory externalization")
Signed-off-by: Denis M. Karpov <komlomal@gmail.com>
Reviewed-by: Lorenzo Stoakes <ljs@kernel.org>
Acked-by: Harry Yoo (Oracle) <harry@kernel.org>
Reviewed-by: Pedro Falcato <pfalcato@suse.de>
Reviewed-by: Liam R. Howlett <Liam.Howlett@oracle.com>
Reviewed-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Jan Kara <jack@suse.cz>
Cc: Jann Horn <jannh@google.com>
Cc: Peter Xu <peterx@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/userfaultfd.c |    2 --
 1 file changed, 2 deletions(-)

--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -1295,8 +1295,6 @@ static __always_inline int validate_unal
 		return -EINVAL;
 	if (!len)
 		return -EINVAL;
-	if (start < mmap_min_addr)
-		return -EINVAL;
 	if (start >= task_size)
 		return -EINVAL;
 	if (len > task_size - start)
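Review bot: the changelog argues only about UFFDIO_REGISTER, but the check is removed from validate_unaligned_range(), a helper shared by the other userfaultfd ioctls, so the justification has to hold for every caller: each of them must already fail on a range with no VMA behind it, so that a range below mmap_min_addr can only be acted on if a mapping there was created earlier under mmap()'s own mmap_min_addr / CAP_SYS_RAWIO gating. Stating that in the changelog, with the callers checked, would make the security argument reviewable rather than implicit.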




* [PATCH 6.6 094/474] KVM: x86: Defer non-architectural deliver of exception payload to userspace read
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 093/474] userfaultfd: allow registration of ranges below mmap_min_addr Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 095/474] KVM: nSVM: Mark all of vmcb02 dirty when restoring nested state Greg Kroah-Hartman
                   ` (380 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yosry Ahmed, Sean Christopherson

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <seanjc@google.com>

commit d0ad1b05bbe6f8da159a4dfb6692b3b7ce30ccc8 upstream.

When attempting to play nice with userspace that hasn't enabled
KVM_CAP_EXCEPTION_PAYLOAD, defer KVM's non-architectural delivery of the
payload until userspace actually reads relevant vCPU state, and more
importantly, force delivery of the payload in *all* paths where userspace
saves relevant vCPU state, not just KVM_GET_VCPU_EVENTS.

Ignoring userspace save/restore for the moment, delivering the payload
before the exception is injected is wrong regardless of whether L1 or L2
is running.  To make matters even more confusing, the flaw *currently*
being papered over by the !is_guest_mode() check isn't even the same bug
that commit da998b46d244 ("kvm: x86: Defer setting of CR2 until #PF
delivery") was trying to avoid.

At the time of commit da998b46d244, KVM didn't correctly handle exception
intercepts, as KVM would wait until VM-Entry into L2 was imminent to check
if the queued exception should morph to a nested VM-Exit.  I.e. KVM would
deliver the payload to L2 and then synthesize a VM-Exit into L1.  But the
payload was only the most blatant issue, e.g. waiting to check exception
intercepts would also lead to KVM incorrectly escalating a
should-be-intercepted #PF into a #DF.

That underlying bug was eventually fixed by commit 7709aba8f716 ("KVM: x86:
Morph pending exceptions to pending VM-Exits at queue time"), but in the
interim, commit a06230b62b89 ("KVM: x86: Deliver exception payload on
KVM_GET_VCPU_EVENTS") came along and subtly added another dependency on
the !is_guest_mode() check.

While not recorded in the changelog, the motivation for deferring the
!exception_payload_enabled delivery was to fix a flaw where a synthesized
MTF (Monitor Trap Flag) VM-Exit would drop a pending #DB and clobber DR6.
On a VM-Exit, VMX CPUs save pending #DB information into the VMCS, which
is emulated by KVM in nested_vmx_update_pending_dbg() by grabbing the
payload from the queue/pending exception.  I.e. prematurely delivering the
payload would cause the pending #DB to not be recorded in the VMCS, and of
course, clobber L2's DR6 as seen by L1.

Jumping back to save+restore, the quirked behavior of forcing delivery of
the payload only works if userspace does KVM_GET_VCPU_EVENTS *before*
CR2 or DR6 is saved, i.e. before KVM_GET_SREGS{,2} and KVM_GET_DEBUGREGS.
E.g. if userspace does KVM_GET_SREGS before KVM_GET_VCPU_EVENTS, then the
CR2 saved by userspace won't contain the payload for the exception saved by
KVM_GET_VCPU_EVENTS.

Deliberately deliver the payload in the store_regs() path, as it's the
least awful option even though userspace may not be doing save+restore.
Because if userspace _is_ doing save restore, it could elide KVM_GET_SREGS
knowing that SREGS were already saved when the vCPU exited.

Link: https://lore.kernel.org/all/20200207103608.110305-1-oupton@google.com
Cc: Yosry Ahmed <yosry.ahmed@linux.dev>
Cc: stable@vger.kernel.org
Reviewed-by: Yosry Ahmed <yosry.ahmed@linux.dev>
Tested-by: Yosry Ahmed <yosry.ahmed@linux.dev>
Link: https://patch.msgid.link/20260218005438.2619063-1-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/x86.c |   62 +++++++++++++++++++++++++++++++++--------------------
 1 file changed, 39 insertions(+), 23 deletions(-)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -695,9 +695,6 @@ static void kvm_multiple_exception(struc
 		vcpu->arch.exception.error_code = error_code;
 		vcpu->arch.exception.has_payload = has_payload;
 		vcpu->arch.exception.payload = payload;
-		if (!is_guest_mode(vcpu))
-			kvm_deliver_exception_payload(vcpu,
-						      &vcpu->arch.exception);
 		return;
 	}
 
@@ -5147,18 +5144,8 @@ static int kvm_vcpu_ioctl_x86_set_mce(st
 	return 0;
 }
 
-static void kvm_vcpu_ioctl_x86_get_vcpu_events(struct kvm_vcpu *vcpu,
-					       struct kvm_vcpu_events *events)
+static struct kvm_queued_exception *kvm_get_exception_to_save(struct kvm_vcpu *vcpu)
 {
-	struct kvm_queued_exception *ex;
-
-	process_nmi(vcpu);
-
-#ifdef CONFIG_KVM_SMM
-	if (kvm_check_request(KVM_REQ_SMI, vcpu))
-		process_smi(vcpu);
-#endif
-
 	/*
 	 * KVM's ABI only allows for one exception to be migrated.  Luckily,
 	 * the only time there can be two queued exceptions is if there's a
@@ -5169,21 +5156,46 @@ static void kvm_vcpu_ioctl_x86_get_vcpu_
 	if (vcpu->arch.exception_vmexit.pending &&
 	    !vcpu->arch.exception.pending &&
 	    !vcpu->arch.exception.injected)
-		ex = &vcpu->arch.exception_vmexit;
-	else
-		ex = &vcpu->arch.exception;
+		return &vcpu->arch.exception_vmexit;
+
+	return &vcpu->arch.exception;
+}
+
+static void kvm_handle_exception_payload_quirk(struct kvm_vcpu *vcpu)
+{
+	struct kvm_queued_exception *ex = kvm_get_exception_to_save(vcpu);
 
 	/*
-	 * In guest mode, payload delivery should be deferred if the exception
-	 * will be intercepted by L1, e.g. KVM should not modifying CR2 if L1
-	 * intercepts #PF, ditto for DR6 and #DBs.  If the per-VM capability,
-	 * KVM_CAP_EXCEPTION_PAYLOAD, is not set, userspace may or may not
-	 * propagate the payload and so it cannot be safely deferred.  Deliver
-	 * the payload if the capability hasn't been requested.
+	 * If KVM_CAP_EXCEPTION_PAYLOAD is disabled, then (prematurely) deliver
+	 * the pending exception payload when userspace saves *any* vCPU state
+	 * that interacts with exception payloads to avoid breaking userspace.
+	 *
+	 * Architecturally, KVM must not deliver an exception payload until the
+	 * exception is actually injected, e.g. to avoid losing pending #DB
+	 * information (which VMX tracks in the VMCS), and to avoid clobbering
+	 * state if the exception is never injected for whatever reason.  But
+	 * if KVM_CAP_EXCEPTION_PAYLOAD isn't enabled, then userspace may or
+	 * may not propagate the payload across save+restore, and so KVM can't
+	 * safely defer delivery of the payload.
 	 */
 	if (!vcpu->kvm->arch.exception_payload_enabled &&
 	    ex->pending && ex->has_payload)
 		kvm_deliver_exception_payload(vcpu, ex);
+}
+
+static void kvm_vcpu_ioctl_x86_get_vcpu_events(struct kvm_vcpu *vcpu,
+					       struct kvm_vcpu_events *events)
+{
+	struct kvm_queued_exception *ex = kvm_get_exception_to_save(vcpu);
+
+	process_nmi(vcpu);
+
+#ifdef CONFIG_KVM_SMM
+	if (kvm_check_request(KVM_REQ_SMI, vcpu))
+		process_smi(vcpu);
+#endif
+
+	kvm_handle_exception_payload_quirk(vcpu);
 
 	memset(events, 0, sizeof(*events));
 
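Review bot: in kvm_vcpu_ioctl_x86_get_vcpu_events() the exception to save is now chosen at declaration, before process_nmi() and process_smi() run, whereas the removed code chose it after them. If either of those can change exception.pending/injected (and so flip the choice between exception_vmexit and exception), the saved exception would be stale; if they cannot, a comment saying so would keep the reordering from looking accidental. The new kvm_handle_exception_payload_quirk() re-evaluates the choice itself, so only the local `ex` is affected.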
@@ -5364,6 +5376,8 @@ static void kvm_vcpu_ioctl_x86_get_debug
 {
 	unsigned long val;
 
+	kvm_handle_exception_payload_quirk(vcpu);
+
 	memset(dbgregs, 0, sizeof(*dbgregs));
 	memcpy(dbgregs->db, vcpu->arch.db, sizeof(vcpu->arch.db));
 	kvm_get_dr(vcpu, 6, &val);
@@ -11396,6 +11410,8 @@ static void __get_sregs_common(struct kv
 	if (vcpu->arch.guest_state_protected)
 		goto skip_protected_regs;
 
+	kvm_handle_exception_payload_quirk(vcpu);
+
 	kvm_get_segment(vcpu, &sregs->cs, VCPU_SREG_CS);
 	kvm_get_segment(vcpu, &sregs->ds, VCPU_SREG_DS);
 	kvm_get_segment(vcpu, &sregs->es, VCPU_SREG_ES);
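Review bot: placing the quirk after the guest_state_protected skip means protected guests never get the deferred payload delivered from this path; that is presumably deliberate, since CR2 is not readable for them anyway, but it differs from kvm_vcpu_ioctl_x86_get_debugregs() in the previous hunk, where the call is unconditional, so a comment or a sentence in the changelog should say why the two paths differ.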




* [PATCH 6.6 095/474] KVM: nSVM: Mark all of vmcb02 dirty when restoring nested state
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 094/474] KVM: x86: Defer non-architectural deliver of exception payload to userspace read Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 096/474] KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2 Greg Kroah-Hartman
                   ` (379 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yosry Ahmed, Sean Christopherson

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yosry Ahmed <yosry.ahmed@linux.dev>

commit e63fb1379f4b9300a44739964e69549bebbcdca4 upstream.

When restoring a vCPU in guest mode, any state restored before
KVM_SET_NESTED_STATE (e.g. KVM_SET_SREGS) will mark the corresponding
dirty bits in vmcb01, as it is the active VMCB before switching to
vmcb02 in svm_set_nested_state().

Hence, mark all fields in vmcb02 dirty in svm_set_nested_state() to
capture any previously restored fields.

Fixes: cc440cdad5b7 ("KVM: nSVM: implement KVM_GET_NESTED_STATE and KVM_SET_NESTED_STATE")
CC: stable@vger.kernel.org
Signed-off-by: Yosry Ahmed <yosry.ahmed@linux.dev>
Link: https://patch.msgid.link/20260210010806.3204289-1-yosry.ahmed@linux.dev
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/nested.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -1753,6 +1753,12 @@ static int svm_set_nested_state(struct k
 	nested_vmcb02_prepare_control(svm, svm->vmcb->save.rip, svm->vmcb->save.cs.base);
 
 	/*
+	 * Any previously restored state (e.g. KVM_SET_SREGS) would mark fields
+	 * dirty in vmcb01 instead of vmcb02, so mark all of vmcb02 dirty here.
+	 */
+	vmcb_mark_all_dirty(svm->vmcb);
+
+	/*
 	 * While the nested guest CR3 is already checked and set by
 	 * KVM_SET_SREGS, it was set when nested state was yet loaded,
 	 * thus MMU might not be initialized correctly.
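Review bot: correctness of vmcb_mark_all_dirty(svm->vmcb) here depends on svm->vmcb already pointing at vmcb02 when this line runs; the new comment says why the marking is needed but not that the switch has already happened, so either state it or mark svm->nested.vmcb02.ptr explicitly so the intent survives a future reordering of svm_set_nested_state().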




* [PATCH 6.6 096/474] KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 095/474] KVM: nSVM: Mark all of vmcb02 dirty when restoring nested state Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 097/474] KVM: nSVM: Sync interrupt shadow " Greg Kroah-Hartman
                   ` (378 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yosry Ahmed, Sean Christopherson

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yosry Ahmed <yosry@kernel.org>

commit 778d8c1b2a6ffe622ddcd3bb35b620e6e41f4da0 upstream.

After VMRUN in guest mode, nested_sync_control_from_vmcb02() syncs
fields written by the CPU from vmcb02 to the cached vmcb12. This is
because the cached vmcb12 is used as the authoritative copy of some of
the controls, and is the payload when saving/restoring nested state.

NextRIP is also written by the CPU (in some cases) after VMRUN, but is
not sync'd to the cached vmcb12. As a result, it is corrupted after
save/restore (replaced by the original value written by L1 on nested
VMRUN). This could cause problems for both KVM (e.g. when injecting a
soft IRQ) or L1 (e.g. when using NextRIP to advance RIP after emulating
an instruction).

Fix this by sync'ing NextRIP to the cache after VMRUN of L2, but only
after completing interrupts (not in nested_sync_control_from_vmcb02()),
as KVM may update NextRIP (e.g. when re-injecting a soft IRQ).

Fixes: cc440cdad5b7 ("KVM: nSVM: implement KVM_GET_NESTED_STATE and KVM_SET_NESTED_STATE")
CC: stable@vger.kernel.org
Co-developed-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Yosry Ahmed <yosry@kernel.org>
Link: https://patch.msgid.link/20260225005950.3739782-2-yosry@kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/svm.c |   10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -4339,6 +4339,16 @@ static __no_kcsan fastpath_t svm_vcpu_ru
 
 	svm_complete_interrupts(vcpu);
 
+	/*
+	 * Update the cache after completing interrupts to get an accurate
+	 * NextRIP, e.g. when re-injecting a soft interrupt.
+	 *
+	 * FIXME: Rework svm_get_nested_state() to not pull data from the
+	 *        cache (except for maybe int_ctl).
+	 */
+	if (is_guest_mode(vcpu))
+		svm->nested.ctl.next_rip = svm->vmcb->control.next_rip;
+
 	return svm_exit_handlers_fastpath(vcpu);
 }
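Review bot: the ordering dependency is only implied by the comment: the new block must stay after svm_complete_interrupts() because that call can rewrite control.next_rip when re-injecting a soft interrupt, and a later reordering would silently reintroduce the stale cached NextRIP. Make the comment state the constraint rather than the example, e.g. "Must run after svm_complete_interrupts(), which may update next_rip". It would also help to note that nested_svm_vmexit() copies next_rip from vmcb02 to vmcb12 directly, so this cache matters only for KVM_GET_NESTED_STATE, which is what the FIXME is about.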
 





* [PATCH 6.6 097/474] KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 096/474] KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2 Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 098/474] KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0 Greg Kroah-Hartman
                   ` (377 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yosry Ahmed, Sean Christopherson

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yosry Ahmed <yosry@kernel.org>

commit 03bee264f8ebfd39e0254c98e112d033a7aa9055 upstream.

After VMRUN in guest mode, nested_sync_control_from_vmcb02() syncs
fields written by the CPU from vmcb02 to the cached vmcb12. This is
because the cached vmcb12 is used as the authoritative copy of some of
the controls, and is the payload when saving/restoring nested state.

int_state is also written by the CPU, specifically bit 0 (i.e.
SVM_INTERRUPT_SHADOW_MASK) for nested VMs, but it is not sync'd to
cached vmcb12. This does not cause a problem if KVM_SET_NESTED_STATE
precedes KVM_SET_VCPU_EVENTS in the restore path, as an interrupt shadow
would be correctly restored to vmcb02 (KVM_SET_VCPU_EVENTS overwrites
what KVM_SET_NESTED_STATE restored in int_state).

However, if KVM_SET_VCPU_EVENTS precedes KVM_SET_NESTED_STATE, an
interrupt shadow would be restored into vmcb01 instead of vmcb02. This
would mostly be benign for L1 (delays an interrupt), but not for L2. For
L2, the vCPU could hang (e.g. if a wakeup interrupt is delivered before
a HLT that should have been in an interrupt shadow).

Sync int_state to the cached vmcb12 in nested_sync_control_from_vmcb02()
to avoid this problem. With that, KVM_SET_NESTED_STATE restores the
correct interrupt shadow state, and if KVM_SET_VCPU_EVENTS follows it
would overwrite it with the same value.

Fixes: cc440cdad5b7 ("KVM: nSVM: implement KVM_GET_NESTED_STATE and KVM_SET_NESTED_STATE")
CC: stable@vger.kernel.org
Signed-off-by: Yosry Ahmed <yosry@kernel.org>
Link: https://patch.msgid.link/20260225005950.3739782-3-yosry@kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/nested.c |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -412,6 +412,7 @@ void nested_sync_control_from_vmcb02(str
 	u32 mask;
 	svm->nested.ctl.event_inj      = svm->vmcb->control.event_inj;
 	svm->nested.ctl.event_inj_err  = svm->vmcb->control.event_inj_err;
+	svm->nested.ctl.int_state	= svm->vmcb->control.int_state;
 
 	/* Only a few fields of int_ctl are written by the processor.  */
 	mask = V_IRQ_MASK | V_TPR_MASK;
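Review bot: int_state is copied whole while the changelog says only bit 0 (SVM_INTERRUPT_SHADOW_MASK) is written by the CPU for nested VMs, and the very next lines mask int_ctl precisely because only some of its fields are processor-written. A one-line comment saying why no mask is needed for int_state (or masking it the same way) would keep the two adjacent syncs consistent. Minor: the new line uses a tab before `=` where the neighbouring assignments are space-aligned.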




* [PATCH 6.6 098/474] KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 097/474] KVM: nSVM: Sync interrupt shadow " Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 099/474] KVM: SVM: Explicitly mark vmcb01 dirty after modifying VMCB intercepts Greg Kroah-Hartman
                   ` (376 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Kevin Cheng, Yosry Ahmed,
	Sean Christopherson

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kevin Cheng <chengkev@google.com>

commit d99df02ff427f461102230f9c5b90a6c64ee8e23 upstream.

INVLPGA should cause a #UD when EFER.SVME is not set. Add a check to
properly inject #UD when EFER.SVME=0.

Fixes: ff092385e828 ("KVM: SVM: Implement INVLPGA")
Cc: stable@vger.kernel.org
Signed-off-by: Kevin Cheng <chengkev@google.com>
Reviewed-by: Yosry Ahmed <yosry.ahmed@linux.dev>
Link: https://patch.msgid.link/20260228033328.2285047-3-chengkev@google.com
[sean: tag for stable@]
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/svm.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -2494,6 +2494,9 @@ static int invlpga_interception(struct k
 	gva_t gva = kvm_rax_read(vcpu);
 	u32 asid = kvm_rcx_read(vcpu);
 
+	if (nested_svm_check_permissions(vcpu))
+		return 1;
+
 	/* FIXME: Handle an address size prefix. */
 	if (!is_long_mode(vcpu))
 		gva = (u32)gva;
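Review bot: the permission check sits after gva and asid have been read from RAX/RCX; moving `if (nested_svm_check_permissions(vcpu)) return 1;` to the top of the function, before any operand decode, makes the #UD path obviously independent of the register reads. The changelog mentions only EFER.SVME; if the shared helper also enforces other conditions (CPL, paging), say so, since that is a guest-visible behaviour change for INVLPGA too.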




* [PATCH 6.6 099/474] KVM: SVM: Explicitly mark vmcb01 dirty after modifying VMCB intercepts
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 098/474] KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0 Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 100/474] KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest mode Greg Kroah-Hartman
                   ` (375 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yosry Ahmed, Sean Christopherson

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <seanjc@google.com>

commit d5bde6113aed8315a2bfe708730b721be9c2f48b upstream.

When reacting to an intercept update, explicitly mark vmcb01's intercepts
dirty, as KVM always initially operates on vmcb01, and nested_svm_vmexit()
isn't guaranteed to mark VMCB_INTERCEPTS as dirty.  I.e. if L2 is active,
KVM will modify the intercepts for L1, but might not mark them as dirty
before the next VMRUN of L1.

Fixes: 116a0a23676e ("KVM: SVM: Add clean-bit for intercetps, tsc-offset and pause filter count")
Cc: stable@vger.kernel.org
Reviewed-by: Yosry Ahmed <yosry.ahmed@linux.dev>
Link: https://patch.msgid.link/20260218230958.2877682-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/nested.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -129,11 +129,13 @@ void recalc_intercepts(struct vcpu_svm *
 	struct vmcb_ctrl_area_cached *g;
 	unsigned int i;
 
-	vmcb_mark_dirty(svm->vmcb, VMCB_INTERCEPTS);
+	vmcb_mark_dirty(svm->vmcb01.ptr, VMCB_INTERCEPTS);
 
 	if (!is_guest_mode(&svm->vcpu))
 		return;
 
+	vmcb_mark_dirty(svm->vmcb, VMCB_INTERCEPTS);
+
 	c = &svm->vmcb->control;
 	h = &svm->vmcb01.ptr->control;
 	g = &svm->nested.ctl;
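Review bot: the reason vmcb01 is marked dirty even while L2 is active lives only in the changelog; a short comment at `vmcb_mark_dirty(svm->vmcb01.ptr, VMCB_INTERCEPTS);` (L1's intercepts are modified while L2 runs and nested_svm_vmexit() does not reliably mark VMCB_INTERCEPTS) would stop a future cleanup from "deduplicating" the two calls, since outside guest mode svm->vmcb and svm->vmcb01.ptr are the same VMCB and the second call looks redundant.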




* [PATCH 6.6 100/474] KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest mode
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 099/474] KVM: SVM: Explicitly mark vmcb01 dirty after modifying VMCB intercepts Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 101/474] KVM: nSVM: Use vcpu->arch.cr2 when updating vmcb12 on nested #VMEXIT Greg Kroah-Hartman
                   ` (374 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yosry Ahmed, Sean Christopherson

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yosry Ahmed <yosry@kernel.org>

commit 24f7d36b824b65cf1a2db3db478059187b2a37b0 upstream.

On nested VMRUN, KVM ensures AVIC is inhibited by requesting
KVM_REQ_APICV_UPDATE, triggering a check of inhibit reasons, finding
APICV_INHIBIT_REASON_NESTED, and disabling AVIC.

However, when KVM_SET_NESTED_STATE is performed on a vCPU not in guest
mode with AVIC enabled, KVM_REQ_APICV_UPDATE is not requested, and AVIC
is not inhibited.

Request KVM_REQ_APICV_UPDATE in the KVM_SET_NESTED_STATE path if AVIC is
active, similar to the nested VMRUN path.

Fixes: f44509f849fe ("KVM: x86: SVM: allow AVIC to co-exist with a nested guest running")
Cc: stable@vger.kernel.org
Signed-off-by: Yosry Ahmed <yosry@kernel.org>
Link: https://patch.msgid.link/20260224225017.3303870-1-yosry@kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/nested.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -1774,6 +1774,9 @@ static int svm_set_nested_state(struct k
 
 	svm->nested.force_msr_bitmap_recalc = true;
 
+	if (kvm_vcpu_apicv_active(vcpu))
+		kvm_make_request(KVM_REQ_APICV_UPDATE, vcpu);
+
 	kvm_make_request(KVM_REQ_GET_NESTED_STATE_PAGES, vcpu);
 	ret = 0;
 out_free:
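Review bot: the request is gated on kvm_vcpu_apicv_active(vcpu) at restore time, but the inhibit reason is evaluated when the request is processed, so the guard only saves a request on vCPUs where AVIC is already off; a comment tying this to the nested VMRUN path it mirrors (APICV_INHIBIT_REASON_NESTED) would make the intent clear to the next reader.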




* [PATCH 6.6 101/474] KVM: nSVM: Use vcpu->arch.cr2 when updating vmcb12 on nested #VMEXIT
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 100/474] KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest mode Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 102/474] KVM: nSVM: Always inject a #GP if mapping VMCB12 fails on nested VMRUN Greg Kroah-Hartman
                   ` (373 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yosry Ahmed, Sean Christopherson

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yosry Ahmed <yosry.ahmed@linux.dev>

commit 5c247d08bc81bbad4c662dcf5654137a2f8483ec upstream.

KVM currently uses the value of CR2 from vmcb02 to update vmcb12 on
nested #VMEXIT. This value is incorrect in some cases, causing L1 to run
L2 with a corrupted CR2. This could lead to segfaults or data corruption
if L2 is in the middle of handling a #PF and reads a corrupted CR2. Use
the correct value in vcpu->arch.cr2 instead.

The value in vcpu->arch.cr2 is sync'd to vmcb02 shortly before a VMRUN
of L2, and sync'd back to vcpu->arch.cr2 shortly after. The values are
only out-of-sync in two cases: after save+restore, and after a #PF is
injected into L2. In either case, if a #VMEXIT to L1 is synthesized
before L2 runs, using the value in vmcb02 would be incorrect.

After save+restore, the value of CR2 is restored by KVM_SET_SREGS into
vcpu->arch.cr2. It is not reflected in vmcb02 until a VMRUN of L2. Before
that, it holds whatever was in vmcb02 before restore, which would be
zero on a new vCPU that never ran nested. If a #VMEXIT to L1 is
synthesized before L2 ever runs, using vcpu->arch.cr2 to update vmcb12
is the right thing to do.

The #PF injection case is more nuanced.  Although the APM is a bit
unclear about when CR2 is written during a #PF, the SDM is more clear:

	Processors update CR2 whenever a page fault is detected. If a
	second page fault occurs while an earlier page fault is being
	delivered, the faulting linear address of the second fault will
	overwrite the contents of CR2 (replacing the previous address).
	These updates to CR2 occur even if the page fault results in a
	double fault or occurs during the delivery of a double fault.

KVM injecting the exception surely counts as the #PF being "detected".
More importantly, when an exception is injected into L2 at the time of a
synthesized #VMEXIT, KVM updates exit_int_info in vmcb12 accordingly,
such that an L1 hypervisor can re-inject the exception. If CR2 is not
written at that point, the L1 hypervisor has no way of correctly
re-injecting the #PF. Hence, if a #VMEXIT to L1 is synthesized after
the #PF is injected into L2 but before it actually runs, using
vcpu->arch.cr2 to update vmcb12 is also the right thing to do.

Note that KVM does _not_ update vcpu->arch.cr2 when a #PF is pending for
L2, only when it is injected. The distinction is important, because only
injected (but not intercepted) exceptions are propagated to L1 through
exit_int_info. It would be incorrect to update CR2 in vmcb12 for a
pending #PF, as L1 would perceive an updated CR2 value with no #PF.

Cc: stable@vger.kernel.org
Signed-off-by: Yosry Ahmed <yosry.ahmed@linux.dev>
Link: https://patch.msgid.link/20260203201010.1871056-1-yosry.ahmed@linux.dev
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/nested.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -1005,7 +1005,7 @@ int nested_svm_vmexit(struct vcpu_svm *s
 	vmcb12->save.efer   = svm->vcpu.arch.efer;
 	vmcb12->save.cr0    = kvm_read_cr0(vcpu);
 	vmcb12->save.cr3    = kvm_read_cr3(vcpu);
-	vmcb12->save.cr2    = vmcb02->save.cr2;
+	vmcb12->save.cr2    = vcpu->arch.cr2;
 	vmcb12->save.cr4    = svm->vcpu.arch.cr4;
 	vmcb12->save.rflags = kvm_get_rflags(vcpu);
 	vmcb12->save.rip    = kvm_rip_read(vcpu);
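Review bot: the fix is right but the reasoning lives only in the changelog; add a short comment above `vmcb12->save.cr2    = vcpu->arch.cr2;` stating that vmcb02->save.cr2 is stale after KVM_SET_SREGS and after a #PF injected into L2 that has not run yet. Also, the neighbouring lines read efer and cr4 through svm->vcpu.arch while this one uses vcpu->arch; one accessor form for the whole block would read better.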




* [PATCH 6.6 102/474] KVM: nSVM: Always inject a #GP if mapping VMCB12 fails on nested VMRUN
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 101/474] KVM: nSVM: Use vcpu->arch.cr2 when updating vmcb12 on nested #VMEXIT Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 103/474] KVM: nSVM: Clear GIF on nested #VMEXIT(INVALID) Greg Kroah-Hartman
                   ` (372 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yosry Ahmed, Sean Christopherson

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yosry Ahmed <yosry@kernel.org>

commit 01ddcdc55e097ca38c28ae656711b8e6d1df71f8 upstream.

nested_svm_vmrun() currently only injects a #GP if kvm_vcpu_map() fails
with -EINVAL. But it could also fail with -EFAULT if creating a host
mapping failed. Inject a #GP in all cases, no reason to treat failure
modes differently.

Fixes: 8c5fbf1a7231 ("KVM/nSVM: Use the new mapping API for mapping guest memory")
CC: stable@vger.kernel.org
Co-developed-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Yosry Ahmed <yosry@kernel.org>
Link: https://patch.msgid.link/20260303003421.2185681-6-yosry@kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/nested.c |    5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -863,12 +863,9 @@ int nested_svm_vmrun(struct kvm_vcpu *vc
 	}
 
 	vmcb12_gpa = svm->vmcb->save.rax;
-	ret = kvm_vcpu_map(vcpu, gpa_to_gfn(vmcb12_gpa), &map);
-	if (ret == -EINVAL) {
+	if (kvm_vcpu_map(vcpu, gpa_to_gfn(vmcb12_gpa), &map)) {
 		kvm_inject_gp(vcpu, 0);
 		return 1;
-	} else if (ret) {
-		return kvm_skip_emulated_instruction(vcpu);
 	}
 
 	ret = kvm_skip_emulated_instruction(vcpu);
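Review bot: turning every kvm_vcpu_map() failure into a guest-visible #GP changes the -EFAULT behaviour from "skip VMRUN silently" to "fault", which is what the changelog asks for, but that deserves a comment at the call site because -EFAULT can come from host-side mapping problems rather than a guest-supplied bad address, and L1 will now see a #GP it cannot attribute to its own state.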




* [PATCH 6.6 103/474] KVM: nSVM: Clear GIF on nested #VMEXIT(INVALID)
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 102/474] KVM: nSVM: Always inject a #GP if mapping VMCB12 fails on nested VMRUN Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 104/474] KVM: nSVM: Clear EVENTINJ fields in vmcb12 on nested #VMEXIT Greg Kroah-Hartman
                   ` (371 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yosry Ahmed, Sean Christopherson

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yosry Ahmed <yosry@kernel.org>

commit f85a6ce06e4a0d49652f57967a649ab09e06287c upstream.

According to the APM, GIF is set to 0 on any #VMEXIT, including
a #VMEXIT(INVALID) due to failed consistency checks. Clear GIF on
consistency check failures.

Fixes: 3d6368ef580a ("KVM: SVM: Add VMRUN handler")
Cc: stable@vger.kernel.org
Signed-off-by: Yosry Ahmed <yosry@kernel.org>
Link: https://patch.msgid.link/20260303003421.2185681-11-yosry@kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/nested.c |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -884,6 +884,7 @@ int nested_svm_vmrun(struct kvm_vcpu *vc
 		vmcb12->control.exit_code_hi = -1u;
 		vmcb12->control.exit_info_1  = 0;
 		vmcb12->control.exit_info_2  = 0;
+		svm_set_gif(svm, false);
 		goto out;
 	}
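Review bot: GIF is cleared on the consistency-check failure path only; the other synthesized #VMEXIT path (out_exit_err, not in this hunk) is not touched. Confirm that path reaches a point that clears GIF as well, otherwise the two failed-VMRUN paths diverge on state the APM says is cleared on every #VMEXIT. A comment quoting the APM sentence next to `svm_set_gif(svm, false);` would explain why the line is here.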
 




* [PATCH 6.6 104/474] KVM: nSVM: Clear EVENTINJ fields in vmcb12 on nested #VMEXIT
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (102 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 103/474] KVM: nSVM: Clear GIF on nested #VMEXIT(INVALID) Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 105/474] KVM: nSVM: Clear tracking of L1->L2 NMI and soft IRQ " Greg Kroah-Hartman
                   ` (370 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yosry Ahmed, Sean Christopherson

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yosry Ahmed <yosry@kernel.org>

commit 69b721a86d0dcb026f6db7d111dcde7550442d2e upstream.

According to the APM, from the reference of the VMRUN instruction:

  Upon #VMEXIT, the processor performs the following actions in order to
  return to the host execution context:

  ...

  clear EVENTINJ field in VMCB

KVM already syncs EVENTINJ fields from vmcb02 to cached vmcb12 on every
L2->L0 #VMEXIT. Since these fields are zeroed by the CPU on #VMEXIT, they
will mostly be zeroed in vmcb12 on nested #VMEXIT by nested_svm_vmexit().

However, this is not the case when:

  1. Consistency checks fail, as nested_svm_vmexit() is not called.
  2. Entering guest mode fails before L2 runs (e.g. due to failed load of
     CR3).

(2) was broken by commit 2d8a42be0e2b ("KVM: nSVM: synchronize VMCB
controls updated by the processor on every vmexit"), as prior to that
nested_svm_vmexit() always zeroed EVENTINJ fields.

Explicitly clear the fields in all nested #VMEXIT code paths.

Fixes: 3d6368ef580a ("KVM: SVM: Add VMRUN handler")
Fixes: 2d8a42be0e2b ("KVM: nSVM: synchronize VMCB controls updated by the processor on every vmexit")
Cc: stable@vger.kernel.org
Signed-off-by: Yosry Ahmed <yosry@kernel.org>
Link: https://patch.msgid.link/20260303003421.2185681-12-yosry@kernel.org
[sean: massage changelog formatting]
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/nested.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -884,6 +884,8 @@ int nested_svm_vmrun(struct kvm_vcpu *vc
 		vmcb12->control.exit_code_hi = -1u;
 		vmcb12->control.exit_info_1  = 0;
 		vmcb12->control.exit_info_2  = 0;
+		vmcb12->control.event_inj = 0;
+		vmcb12->control.event_inj_err = 0;
 		svm_set_gif(svm, false);
 		goto out;
 	}
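Review bot: the new `event_inj = 0;` / `event_inj_err = 0;` lines are not aligned with the surrounding `exit_code_hi = -1u;` / `exit_info_1  = 0;` column style; align them so the block stays scannable. Otherwise clearing both fields on the INVALID path matches the APM text quoted in the changelog.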
@@ -1025,9 +1027,9 @@ int nested_svm_vmexit(struct vcpu_svm *s
 	if (guest_can_use(vcpu, X86_FEATURE_NRIPS))
 		vmcb12->control.next_rip  = vmcb02->control.next_rip;
 
+	vmcb12->control.event_inj	  = 0;
+	vmcb12->control.event_inj_err	  = 0;
 	vmcb12->control.int_ctl           = svm->nested.ctl.int_ctl;
-	vmcb12->control.event_inj         = svm->nested.ctl.event_inj;
-	vmcb12->control.event_inj_err     = svm->nested.ctl.event_inj_err;
 
 	if (!kvm_pause_in_guest(vcpu->kvm)) {
 		vmcb01->control.pause_filter_count = vmcb02->control.pause_filter_count;
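Review bot: with the two removed lines, svm->nested.ctl.event_inj and event_inj_err are no longer read here, although nested_sync_control_from_vmcb02() still writes them on every L2 exit; if no other consumer remains, syncing those two fields is now dead state worth dropping in a follow-up, or a comment should say who still relies on it (e.g. KVM_GET_NESTED_STATE).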




* [PATCH 6.6 105/474] KVM: nSVM: Clear tracking of L1->L2 NMI and soft IRQ on nested #VMEXIT
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (103 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 104/474] KVM: nSVM: Clear EVENTINJ fields in vmcb12 on nested #VMEXIT Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 106/474] KVM: nSVM: Add missing consistency check for EFER, CR0, CR4, and CS Greg Kroah-Hartman
                   ` (369 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yosry Ahmed, Sean Christopherson

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yosry Ahmed <yosry@kernel.org>

commit 8998e1d012f3f45d0456f16706682cef04c3c436 upstream.

KVM clears tracking of L1->L2 injected NMIs (i.e. nmi_l1_to_l2) and soft
IRQs (i.e. soft_int_injected) on a synthesized #VMEXIT(INVALID) due to
failed VMRUN. However, they are not explicitly cleared in other
synthesized #VMEXITs.

soft_int_injected is always cleared after the first VMRUN of L2 when
completing interrupts, as any re-injection is then tracked by KVM
(instead of purely in vmcb02).

nmi_l1_to_l2 is not cleared after the first VMRUN if NMI injection
failed, as KVM still needs to keep track that the NMI originated from L1
to avoid blocking NMIs for L1. It is only cleared when the NMI injection
succeeds.

KVM could synthesize a #VMEXIT to L1 before successfully injecting the
NMI into L2 (e.g. due to a #NPF on L2's NMI handler in L1's NPTs). In
this case, nmi_l1_to_l2 will remain true, and KVM may not correctly mask
NMIs and intercept IRET when injecting an NMI into L1.

Clear both nmi_l1_to_l2 and soft_int_injected in nested_svm_vmexit(), i.e.
for all #VMEXITs except those that occur due to failed consistency checks,
as those happen before nmi_l1_to_l2 or soft_int_injected are set.

Fixes: 159fc6fa3b7d ("KVM: nSVM: Transparently handle L1 -> L2 NMI re-injection")
Cc: stable@vger.kernel.org
Signed-off-by: Yosry Ahmed <yosry@kernel.org>
Link: https://patch.msgid.link/20260303003421.2185681-13-yosry@kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/nested.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -913,8 +913,6 @@ int nested_svm_vmrun(struct kvm_vcpu *vc
 
 out_exit_err:
 	svm->nested.nested_run_pending = 0;
-	svm->nmi_l1_to_l2 = false;
-	svm->soft_int_injected = false;
 
 	svm->vmcb->control.exit_code    = SVM_EXIT_ERR;
 	svm->vmcb->control.exit_code_hi = -1u;
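Review bot: the removal assumes out_exit_err goes on to call nested_svm_vmexit(), which now does the clearing, but that control flow is not visible in the hunk; a one-line comment at out_exit_err ("nested_svm_vmexit() clears nmi_l1_to_l2 and soft_int_injected") keeps the contract visible where the old code used to clear the flags itself.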
@@ -1154,6 +1152,10 @@ int nested_svm_vmexit(struct vcpu_svm *s
 	if (unlikely(vmcb01->save.rflags & X86_EFLAGS_TF))
 		kvm_queue_exception(&(svm->vcpu), DB_VECTOR);
 
+	/* Drop tracking for L1->L2 injected NMIs and soft IRQs */
+	svm->nmi_l1_to_l2 = false;
+	svm->soft_int_injected = false;
+
 	/*
 	 * Un-inhibit the AVIC right away, so that other vCPUs can start
 	 * to benefit from it right away.
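Review bot: the new comment says what is done but not why; extend it with the hazard from the changelog (an NMI from L1 that never landed in L2 would leave nmi_l1_to_l2 set and break NMI masking and IRET interception for L1), since the placement after the TF/#DB handling and before the AVIC un-inhibit otherwise looks arbitrary.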




* [PATCH 6.6 106/474] KVM: nSVM: Add missing consistency check for EFER, CR0, CR4, and CS
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (104 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 105/474] KVM: nSVM: Clear tracking of L1->L2 NMI and soft IRQ " Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 107/474] KVM: nSVM: Add missing consistency check for nCR3 validity Greg Kroah-Hartman
                   ` (368 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yosry Ahmed, Sean Christopherson

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yosry Ahmed <yosry@kernel.org>

commit 96bd3e76a171a8e21a6387e54e4c420a81968492 upstream.

According to the APM Volume #2, 15.5, Canonicalization and Consistency
Checks (24593—Rev. 3.42—March 2024), the following condition (among
others) results in a #VMEXIT with VMEXIT_INVALID (aka SVM_EXIT_ERR):

  EFER.LME, CR0.PG, CR4.PAE, CS.L, and CS.D are all non-zero.

In the list of consistency checks done when EFER.LME and CR0.PG are set,
add a check that CS.L and CS.D are not both set, after the existing
check that CR4.PAE is set.

This is functionally a nop because the nested VMRUN results in
SVM_EXIT_ERR in HW, which is forwarded to L1, but KVM makes all
consistency checks before a VMRUN is actually attempted.

Fixes: 3d6368ef580a ("KVM: SVM: Add VMRUN handler")
Cc: stable@vger.kernel.org
Signed-off-by: Yosry Ahmed <yosry@kernel.org>
Link: https://patch.msgid.link/20260303003421.2185681-17-yosry@kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/nested.c |    6 ++++++
 arch/x86/kvm/svm/svm.h    |    1 +
 2 files changed, 7 insertions(+)

--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -304,6 +304,10 @@ static bool __nested_vmcb_check_save(str
 		    CC(!(save->cr0 & X86_CR0_PE)) ||
 		    CC(kvm_vcpu_is_illegal_gpa(vcpu, save->cr3)))
 			return false;
+
+		if (CC((save->cs.attrib & SVM_SELECTOR_L_MASK) &&
+		       (save->cs.attrib & SVM_SELECTOR_DB_MASK)))
+			return false;
 	}
 
 	/* Note, SVM doesn't have any additional restrictions on CR4. */
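Review bot: the new check is placed inside the EFER.LME && CR0.PG block and matches the APM condition (EFER.LME, CR0.PG, CR4.PAE, CS.L and CS.D all set) only because the preceding `return false` already guarantees CR4.PAE; a comment noting that dependency would keep a future reorder from weakening the check. Wrapping the combined condition in one CC() is fine, but the failure will be attributed to the whole expression rather than to CS.L or CS.D individually.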
@@ -390,6 +394,8 @@ static void __nested_copy_vmcb_save_to_c
 	 * Copy only fields that are validated, as we need them
 	 * to avoid TOC/TOU races.
 	 */
+	to->cs = from->cs;
+
 	to->efer = from->efer;
 	to->cr0 = from->cr0;
 	to->cr3 = from->cr3;
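Review bot: `to->cs = from->cs;` caches the whole vmcb_seg (selector, attrib, limit, base) when only `cs.attrib` is validated; the comment above says only validated fields are copied to avoid TOC/TOU, so either cache just the attribute bits or extend the comment to say why the full segment is copied.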
--- a/arch/x86/kvm/svm/svm.h
+++ b/arch/x86/kvm/svm/svm.h
@@ -115,6 +115,7 @@ struct kvm_vmcb_info {
 };
 
 struct vmcb_save_area_cached {
+	struct vmcb_seg cs;
 	u64 efer;
 	u64 cr4;
 	u64 cr3;




* [PATCH 6.6 107/474] KVM: nSVM: Add missing consistency check for nCR3 validity
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (105 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 106/474] KVM: nSVM: Add missing consistency check for EFER, CR0, CR4, and CS Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 108/474] mtd: docg3: Convert to platform remove callback returning void Greg Kroah-Hartman
                   ` (367 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yosry Ahmed, Sean Christopherson

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yosry Ahmed <yosry@kernel.org>

commit b71138fcc362c67ebe66747bb22cb4e6b4d6a651 upstream.

From the APM Volume #2, 15.25.4 (24593—Rev. 3.42—March 2024):

  When VMRUN is executed with nested paging enabled (NP_ENABLE = 1), the
  following conditions are considered illegal state combinations, in
  addition to those mentioned in “Canonicalization and Consistency Checks”:
      • Any MBZ bit of nCR3 is set.
      • Any G_PAT.PA field has an unsupported type encoding or any
        reserved field in G_PAT has a nonzero value.

Add the consistency check for nCR3 being a legal GPA with no MBZ bits
set.  Note, the G_PAT.PA check is being handled separately[*].

Link: https://lore.kernel.org/kvm/20260205214326.1029278-3-jmattson@google.com [*]
Fixes: 4b16184c1cca ("KVM: SVM: Initialize Nested Nested MMU context on VMRUN")
Cc: stable@vger.kernel.org
Signed-off-by: Yosry Ahmed <yosry@kernel.org>
Link: https://patch.msgid.link/20260303003421.2185681-16-yosry@kernel.org
[sean: capture everything in CC(), massage changelog formatting]
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/nested.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -265,6 +265,10 @@ static bool __nested_vmcb_check_controls
 	if (CC((control->nested_ctl & SVM_NESTED_CTL_NP_ENABLE) && !npt_enabled))
 		return false;
 
+	if (CC((control->nested_ctl & SVM_NESTED_CTL_NP_ENABLE) &&
+	       !kvm_vcpu_is_legal_gpa(vcpu, control->nested_cr3)))
+		return false;
+
 	if (CC(!nested_svm_check_bitmap_pa(vcpu, control->msrpm_base_pa,
 					   MSRPM_SIZE)))
 		return false;
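Review bot: two adjacent `if` statements test `control->nested_ctl & SVM_NESTED_CTL_NP_ENABLE`; folding them into one `if (control->nested_ctl & SVM_NESTED_CTL_NP_ENABLE)` block with two CC() conditions avoids repeating the predicate. Also note the asymmetry with the save-area check, which uses kvm_vcpu_is_illegal_gpa() for CR3 while this uses !kvm_vcpu_is_legal_gpa() for nCR3; one helper for both reads more consistently.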



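The two consistency checks above (CS.L together with CS.D in long mode, and nCR3 MBZ bits when NP_ENABLE is set) are easier to reason about outside the VMCB plumbing. The following is an added, stand-alone C model written for this review; it is not KVM code. The `vmrun_state` struct, the helper names, the `maxphyaddr` handling and the sample values are assumptions chosen to keep it self-contained; the bit positions follow the architectural EFER/CR0/CR4 bits and KVM's SVM_SELECTOR_L/DB_MASK layout of the segment attribute field.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added illustration of the nested VMRUN consistency checks discussed
 * above. Not KVM code: struct layout, helper names and MAXPHYADDR
 * handling are assumptions for this example.
 */
#define EFER_LME      (1ULL << 8)
#define CR0_PE        (1ULL << 0)
#define CR0_PG        (1ULL << 31)
#define CR4_PAE       (1ULL << 5)
#define SEG_ATTR_L    (1u << 9)    /* SVM_SELECTOR_L_MASK  */
#define SEG_ATTR_DB   (1u << 10)   /* SVM_SELECTOR_DB_MASK */
#define NP_ENABLE     (1ULL << 0)  /* SVM_NESTED_CTL_NP_ENABLE */

/* Subset of vmcb12 state the checks look at (assumed layout). */
struct vmrun_state {
	uint64_t efer, cr0, cr3, cr4;
	uint16_t cs_attrib;      /* vmcb12->save.cs.attrib */
	uint64_t nested_ctl;     /* vmcb12->control.nested_ctl */
	uint64_t nested_cr3;     /* vmcb12->control.nested_cr3 */
	unsigned int maxphyaddr; /* guest MAXPHYADDR from CPUID */
	bool npt_enabled;        /* host-side npt_enabled setting */
};

/* A GPA is legal when no bit at or above MAXPHYADDR (the MBZ bits) is set. */
static bool gpa_is_legal(const struct vmrun_state *s, uint64_t gpa)
{
	if (s->maxphyaddr >= 64)
		return true;
	return (gpa >> s->maxphyaddr) == 0;
}

/*
 * Save-area checks: long mode needs PAE, PE and a legal CR3, and CS.L
 * and CS.D must not both be set. false means #VMEXIT(INVALID) to L1.
 */
bool vmrun_save_is_valid(const struct vmrun_state *s)
{
	if ((s->efer & EFER_LME) && (s->cr0 & CR0_PG)) {
		if (!(s->cr4 & CR4_PAE) || !(s->cr0 & CR0_PE) ||
		    !gpa_is_legal(s, s->cr3))
			return false;
		if ((s->cs_attrib & SEG_ATTR_L) && (s->cs_attrib & SEG_ATTR_DB))
			return false;
	}
	return true;
}

/* Control-area checks: NP_ENABLE needs host NPT and an nCR3 with no MBZ bits. */
bool vmrun_controls_are_valid(const struct vmrun_state *s)
{
	if (s->nested_ctl & NP_ENABLE) {
		if (!s->npt_enabled)
			return false;
		if (!gpa_is_legal(s, s->nested_cr3))
			return false;
	}
	return true;
}

/* Constructed sample: a well-formed 64-bit L2 with nested paging. */
struct vmrun_state sample_long_mode_l2(void)
{
	struct vmrun_state s = {
		.efer = EFER_LME, .cr0 = CR0_PE | CR0_PG, .cr3 = 0x1000,
		.cr4 = CR4_PAE, .cs_attrib = SEG_ATTR_L,
		.nested_ctl = NP_ENABLE, .nested_cr3 = 0x2000,
		.maxphyaddr = 48, .npt_enabled = true,
	};
	return s;
}

int main(void)
{
	struct vmrun_state s = sample_long_mode_l2();

	printf("baseline: save=%d controls=%d\n",
	       vmrun_save_is_valid(&s), vmrun_controls_are_valid(&s));
	s.cs_attrib |= SEG_ATTR_DB;          /* CS.L and CS.D both set */
	printf("CS.L+CS.D: save=%d\n", vmrun_save_is_valid(&s));
	s = sample_long_mode_l2();
	s.nested_cr3 |= 1ULL << 52;          /* MBZ bit above MAXPHYADDR */
	printf("bad nCR3: controls=%d\n", vmrun_controls_are_valid(&s));
	return 0;
}
```

Both checks run before any VMRUN is attempted, which is why the kernel change is described as functionally a nop: hardware would reject the same state, but KVM reports the failure to L1 itself and never enters L2 with it.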

* [PATCH 6.6 108/474] mtd: docg3: Convert to platform remove callback returning void
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (106 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 107/474] KVM: nSVM: Add missing consistency check for nCR3 validity Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 109/474] mtd: docg3: fix use-after-free in docg3_release() Greg Kroah-Hartman
                   ` (366 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König, Miquel Raynal,
	Tudor Ambarus, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>

[ Upstream commit eb0cec77d534413a800ec20944a2b1e37cfecdcf ]

The .remove() callback for a platform driver returns an int which makes
many driver authors wrongly assume it's possible to do error handling by
returning an error code. However the value returned is ignored (apart
from emitting a warning) and this typically results in resource leaks.

To improve here there is a quest to make the remove callback return
void. In the first step of this quest all drivers are converted to
.remove_new(), which already returns void. Eventually after all drivers
are converted, .remove_new() will be renamed to .remove().

Trivially convert this driver from always returning zero in the remove
callback to the void returning variant.

Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Acked-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Link: https://lore.kernel.org/linux-mtd/20231008200143.196369-5-u.kleine-koenig@pengutronix.de
Stable-dep-of: ca19808bc6fa ("mtd: docg3: fix use-after-free in docg3_release()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mtd/devices/docg3.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/mtd/devices/docg3.c b/drivers/mtd/devices/docg3.c
index 22e73dd6118b9..a2b643af70194 100644
--- a/drivers/mtd/devices/docg3.c
+++ b/drivers/mtd/devices/docg3.c
@@ -2046,7 +2046,7 @@ static int __init docg3_probe(struct platform_device *pdev)
  *
  * Returns 0
  */
-static int docg3_release(struct platform_device *pdev)
+static void docg3_release(struct platform_device *pdev)
 {
 	struct docg3_cascade *cascade = platform_get_drvdata(pdev);
 	struct docg3 *docg3 = cascade->floors[0]->priv;
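Review bot: the kernel-doc block immediately above still says `* Returns 0` while the signature in this hunk becomes `static void docg3_release(struct platform_device *pdev)`; drop or reword that line in the same change so the documentation does not describe a return value that no longer exists.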
@@ -2058,7 +2058,6 @@ static int docg3_release(struct platform_device *pdev)
 			doc_release_device(cascade->floors[floor]);
 
 	bch_free(docg3->cascade->bch);
-	return 0;
 }
 
 #ifdef CONFIG_OF
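Review bot: `bch_free(docg3->cascade->bch)` still dereferences `docg3` after the loop above it has called `doc_release_device()` on every floor, and `docg3` was taken from `cascade->floors[0]->priv` before that loop; `cascade` is already a local here, so `bch_free(cascade->bch)` reaches the same object without going through floor-owned memory after its release. The following patch in this series (109/474) makes exactly that change; since this conversion is being carried as its stable dependency, it is worth keeping the two together.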
@@ -2076,7 +2075,7 @@ static struct platform_driver g3_driver = {
 	},
 	.suspend	= docg3_suspend,
 	.resume		= docg3_resume,
-	.remove		= docg3_release,
+	.remove_new	= docg3_release,
 };
 
 module_platform_driver_probe(g3_driver, docg3_probe);
-- 
2.53.0





* [PATCH 6.6 109/474] mtd: docg3: fix use-after-free in docg3_release()
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 108/474] mtd: docg3: Convert to platform remove callback returning void Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 110/474] io_uring/poll: fix multishot recv missing EOF on wakeup race Greg Kroah-Hartman
                   ` (365 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, James Kim, Miquel Raynal,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: James Kim <james010kim@gmail.com>

[ Upstream commit ca19808bc6fac7e29420d8508df569b346b3e339 ]

In docg3_release(), the docg3 pointer is obtained from
cascade->floors[0]->priv before the loop that calls
doc_release_device() on each floor. doc_release_device() frees the
docg3 struct via kfree(docg3) at line 1881. After the loop,
docg3->cascade->bch dereferences the already-freed pointer.

Fix this by accessing cascade->bch directly, which is equivalent
since docg3->cascade points back to the same cascade struct, and
is already available as a local variable. This also removes the
now-unused docg3 local variable.

Fixes: c8ae3f744ddc ("lib/bch: Rework a little bit the exported function names")
Cc: stable@vger.kernel.org
Signed-off-by: James Kim <james010kim@gmail.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mtd/devices/docg3.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/mtd/devices/docg3.c b/drivers/mtd/devices/docg3.c
index a2b643af70194..e37fb11556479 100644
--- a/drivers/mtd/devices/docg3.c
+++ b/drivers/mtd/devices/docg3.c
@@ -2049,7 +2049,6 @@ static int __init docg3_probe(struct platform_device *pdev)
 static void docg3_release(struct platform_device *pdev)
 {
 	struct docg3_cascade *cascade = platform_get_drvdata(pdev);
-	struct docg3 *docg3 = cascade->floors[0]->priv;
 	int floor;
 
 	doc_unregister_sysfs(pdev, cascade);
@@ -2057,7 +2056,7 @@ static void docg3_release(struct platform_device *pdev)
 		if (cascade->floors[floor])
 			doc_release_device(cascade->floors[floor]);
 
-	bch_free(docg3->cascade->bch);
+	bch_free(cascade->bch);
 }
 
 #ifdef CONFIG_OF
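Review bot: the fix relies on `cascade` (the platform drvdata) and its `bch` member outliving the per-floor objects that `doc_release_device()` frees in the loop just above; a short comment over `bch_free(cascade->bch)` stating that the BCH context is owned by the cascade, not by any floor, would stop a later cleanup from reintroducing a floor-derived pointer at this point.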
-- 
2.53.0





* [PATCH 6.6 110/474] io_uring/poll: fix multishot recv missing EOF on wakeup race
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 109/474] mtd: docg3: fix use-after-free in docg3_release() Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 111/474] ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access Greg Kroah-Hartman
                   ` (364 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Francis Brosseau, Jens Axboe,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jens Axboe <axboe@kernel.dk>

[ Upstream commit a68ed2df72131447d131531a08fe4dfcf4fa4653 ]

When a socket send and shutdown() happen back-to-back, both fire
wake-ups before the receiver's task_work has a chance to run. The first
wake gets poll ownership (poll_refs=1), and the second bumps it to 2.
When io_poll_check_events() runs, it calls io_poll_issue() which does a
recv that reads the data and returns IOU_RETRY. The loop then drains all
accumulated refs (atomic_sub_return(2) -> 0) and exits, even though only
the first event was consumed. Since the shutdown is a persistent state
change, no further wakeups will happen, and the multishot recv can hang
forever.

Check specifically for HUP in the poll loop, and ensure that another
loop is done to check for status if more than a single poll activation
is pending. This ensures we don't lose the shutdown event.

Backport notes for linux-6.6.y:
  - In 6.6.y the do-while masks v in the while-condition itself
    (`atomic_sub_return(v & IO_POLL_REF_MASK, ...) & IO_POLL_REF_MASK`),
    so v can carry IO_POLL_RETRY_FLAG / IO_POLL_CANCEL_FLAG bits when
    we reach the multishot branch.  The HUP check therefore compares
    `(v & IO_POLL_REF_MASK) != 1` rather than the upstream
    `v != 1`, to avoid reacting to flag bits.
  - io_poll_issue takes `ts` (struct io_tw_state *) here.

CVE: CVE-2026-23473
Cc: stable@vger.kernel.org # 6.6.y
Fixes: dbc2564cfe0f ("io_uring: let fast poll support multishot")
Reported-by: Francis Brosseau <francis@malagauche.com>
Link: https://github.com/axboe/liburing/issues/1549
Signed-off-by: Jens Axboe <axboe@kernel.dk>
[backport for linux-6.6.y, verified 2026-05-01]
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 io_uring/poll.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/io_uring/poll.c b/io_uring/poll.c
index a154df4d16204..66a0a9b9950b4 100644
--- a/io_uring/poll.c
+++ b/io_uring/poll.c
@@ -321,7 +321,13 @@ static int io_poll_check_events(struct io_kiocb *req, struct io_tw_state *ts)
 				return IOU_POLL_REMOVE_POLL_USE_RES;
 			}
 		} else {
-			int ret = io_poll_issue(req, ts);
+			int ret;
+
+			/* multiple refs and HUP, ensure we loop once more */
+			if ((req->cqe.res & (POLLHUP | POLLRDHUP)) &&
+			    (v & IO_POLL_REF_MASK) != 1)
+				v--;
+			ret = io_poll_issue(req, ts);
 			if (ret == IOU_STOP_MULTISHOT)
 				return IOU_POLL_REMOVE_POLL_USE_RES;
 			else if (ret == IOU_REQUEUE)
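Review bot: the comment `/* multiple refs and HUP, ensure we loop once more */` states the goal but not the mechanism of `v--`: the do-while condition subtracts `v & IO_POLL_REF_MASK` from poll_refs, so decrementing the local copy deliberately leaves one reference unconsumed and forces another pass that re-examines the HUP state. Spelling that out in the comment, together with why `v` is masked with `IO_POLL_REF_MASK` in this tree (flag bits can be set in `v` here, as the backport note explains), would make the deviation from the upstream `v != 1` self-explanatory at the call site instead of only in the changelog.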
-- 
2.53.0





* [PATCH 6.6 111/474] ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (109 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 110/474] io_uring/poll: fix multishot recv missing EOF on wakeup race Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 112/474] ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all() Greg Kroah-Hartman
                   ` (363 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Deepanshu Kartikey, Theodore Tso

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Deepanshu Kartikey <kartikey406@gmail.com>

commit eceafc31ea7b42c984ece10d79d505c0bb6615d5 upstream.

The bounds check for the next xattr entry in check_xattrs() uses
(void *)next >= end, which allows next to point within sizeof(u32)
bytes of end. On the next loop iteration, IS_LAST_ENTRY() reads 4
bytes via *(__u32 *)(entry), which can overrun the valid xattr region.

For example, if next lands at end - 1, the check passes since
next < end, but IS_LAST_ENTRY() reads 4 bytes starting at end - 1,
accessing 3 bytes beyond the valid region.

Fix this by changing the check to (void *)next + sizeof(u32) > end,
ensuring there is always enough space for the IS_LAST_ENTRY() read
on the subsequent iteration.

Fixes: 3478c83cf26b ("ext4: improve xattr consistency checking and error reporting")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/all/20260224231429.31361-1-kartikey406@gmail.com/T/ [v1]
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Link: https://patch.msgid.link/20260328150038.349497-1-kartikey406@gmail.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ext4/xattr.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -226,7 +226,7 @@ check_xattrs(struct inode *inode, struct
 	/* Find the end of the names list */
 	while (!IS_LAST_ENTRY(e)) {
 		struct ext4_xattr_entry *next = EXT4_XATTR_NEXT(e);
-		if ((void *)next >= end) {
+		if ((void *)next + sizeof(u32) > end) {
 			err_str = "e_name out of bounds";
 			goto errout;
 		}
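Review bot: `(void *)next + sizeof(u32) > end` encodes a property of `IS_LAST_ENTRY()` (it reads a `__u32` at `next`) that nothing at the check site states; a comment such as `/* IS_LAST_ENTRY() reads a u32 at next */` would tie the constant to its reason and keep the two in step if the marker read ever changes width. The `e_name out of bounds` error string now also covers the case where only the terminating marker would not fit, which is fine but worth knowing when reading the resulting error reports.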




* [PATCH 6.6 112/474] ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 111/474] ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 113/474] md/raid5: fix soft lockup in retry_aligned_read() Greg Kroah-Hartman
                   ` (362 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sohei Koyama, Andreas Dilger,
	Ritesh Harjani (IBM), Zhang Yi, Baokun Li, Theodore Tso

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sohei Koyama <skoyama@ddn.com>

commit 77d059519382bd66283e6a4e83ee186e87e7708f upstream.

The commit c8e008b60492 ("ext4: ignore xattrs past end")
introduced a refcount leak when block_csum is false.

ext4_xattr_inode_dec_ref_all() calls ext4_get_inode_loc() to
get iloc.bh, but never releases it with brelse().

Fixes: c8e008b60492 ("ext4: ignore xattrs past end")
Signed-off-by: Sohei Koyama <skoyama@ddn.com>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Cc: stable@vger.kernel.org
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Baokun Li <libaokun@linux.alibaba.com>
Link: https://patch.msgid.link/20260406074830.8480-1-skoyama@ddn.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ext4/xattr.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -1165,7 +1165,7 @@ ext4_xattr_inode_dec_ref_all(handle_t *h
 {
 	struct inode *ea_inode;
 	struct ext4_xattr_entry *entry;
-	struct ext4_iloc iloc;
+	struct ext4_iloc iloc = { .bh = NULL };
 	bool dirty = false;
 	unsigned int ea_ino;
 	int err;
@@ -1260,6 +1260,8 @@ ext4_xattr_inode_dec_ref_all(handle_t *h
 			ext4_warning_inode(parent,
 					   "handle dirty metadata err=%d", err);
 	}
+
+	brelse(iloc.bh);
 }
 
 /*
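Review bot: the `brelse(iloc.bh)` added at the end of the function only covers paths that fall through to it; any early `return` between the `ext4_get_inode_loc()` call and this point (not visible in the hunk) would still leak the buffer head, so it is worth confirming there is none or turning such returns into a `goto` that reaches this brelse. The `iloc = { .bh = NULL }` initializer in the first hunk is what makes the unconditional `brelse()` safe on paths where the inode location was never looked up; a brief comment saying so would keep the two halves of the fix from drifting apart.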




* [PATCH 6.6 113/474] md/raid5: fix soft lockup in retry_aligned_read()
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 112/474] ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all() Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 114/474] md/raid5: validate payload size before accessing journal metadata Greg Kroah-Hartman
                   ` (361 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, FengWei Shih, Chia-Ming Chang,
	Yu Kuai

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chia-Ming Chang <chiamingc@synology.com>

commit 7f9f7c697474268d9ef9479df3ddfe7cdcfbbffc upstream.

When retry_aligned_read() encounters an overlapped stripe, it releases
the stripe via raid5_release_stripe() which puts it on the lockless
released_stripes llist. In the next raid5d loop iteration,
release_stripe_list() drains the stripe onto handle_list (since
STRIPE_HANDLE is set by the original IO), but retry_aligned_read()
runs before handle_active_stripes() and removes the stripe from
handle_list via find_get_stripe() -> list_del_init(). This prevents
handle_stripe() from ever processing the stripe to resolve the
overlap, causing an infinite loop and soft lockup.

Fix this by using __release_stripe() with temp_inactive_list instead
of raid5_release_stripe() in the failure path, so the stripe does not
go through the released_stripes llist. This allows raid5d to break out
of its loop, and the overlap will be resolved when the stripe is
eventually processed by handle_stripe().

Fixes: 773ca82fa1ee ("raid5: make release_stripe lockless")
Cc: stable@vger.kernel.org
Signed-off-by: FengWei Shih <dannyshih@synology.com>
Signed-off-by: Chia-Ming Chang <chiamingc@synology.com>
Link: https://lore.kernel.org/linux-raid/20260402061406.455755-1-chiamingc@synology.com/
Signed-off-by: Yu Kuai <yukuai@fnnas.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/raid5.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -6691,7 +6691,13 @@ static int  retry_aligned_read(struct r5
 		}
 
 		if (!add_stripe_bio(sh, raid_bio, dd_idx, 0, 0)) {
-			raid5_release_stripe(sh);
+			int hash;
+
+			spin_lock_irq(&conf->device_lock);
+			hash = sh->hash_lock_index;
+			__release_stripe(conf, sh,
+					 &conf->temp_inactive_list[hash]);
+			spin_unlock_irq(&conf->device_lock);
 			conf->retry_read_aligned = raid_bio;
 			conf->retry_read_offset = scnt;
 			return handled;
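Review bot: the reason for the longer locked form is only in the changelog; a comment above `__release_stripe()` saying that `raid5_release_stripe()` is avoided here because the stripe must not go onto the lockless released_stripes llist (otherwise raid5d re-dequeues it before handle_stripe() can clear the overlap) would keep a future cleanup from "simplifying" this back. Two assumptions are also worth stating in that comment: the stripe placed on `conf->temp_inactive_list[hash]` is drained later by the caller, and `spin_lock_irq()` rather than `spin_lock_irqsave()` presumes interrupts are enabled on entry to `retry_aligned_read()`.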




* [PATCH 6.6 114/474] md/raid5: validate payload size before accessing journal metadata
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 113/474] md/raid5: fix soft lockup in retry_aligned_read() Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 115/474] inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails Greg Kroah-Hartman
                   ` (360 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Junrui Luo, Yu Kuai

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Junrui Luo <moonafterrain@outlook.com>

commit b0cc3ae97e893bf54bbce447f4e9fd2e0b88bff9 upstream.

r5c_recovery_analyze_meta_block() and
r5l_recovery_verify_data_checksum_for_mb() iterate over payloads in a
journal metadata block using on-disk payload size fields without
validating them against the remaining space in the metadata block.

A corrupted journal containing payload sizes that extend beyond the
PAGE_SIZE boundary can cause out-of-bounds reads when accessing payload
fields or computing offsets.

Add bounds validation for each payload type to ensure the full payload
fits within meta_size before processing.

Fixes: b4c625c67362 ("md/r5cache: r5cache recovery: part 1")
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://lore.kernel.org/linux-raid/SYBPR01MB78815E78D829BB86CD7C8015AF5FA@SYBPR01MB7881.ausprd01.prod.outlook.com/
Signed-off-by: Yu Kuai <yukuai@fnnas.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/raid5-cache.c |   48 ++++++++++++++++++++++++++++++++---------------
 1 file changed, 33 insertions(+), 15 deletions(-)

--- a/drivers/md/raid5-cache.c
+++ b/drivers/md/raid5-cache.c
@@ -2010,15 +2010,27 @@ r5l_recovery_verify_data_checksum_for_mb
 		return -ENOMEM;
 
 	while (mb_offset < le32_to_cpu(mb->meta_size)) {
+		sector_t payload_len;
+
 		payload = (void *)mb + mb_offset;
 		payload_flush = (void *)mb + mb_offset;
 
 		if (le16_to_cpu(payload->header.type) == R5LOG_PAYLOAD_DATA) {
+			payload_len = sizeof(struct r5l_payload_data_parity) +
+				(sector_t)sizeof(__le32) *
+				(le32_to_cpu(payload->size) >> (PAGE_SHIFT - 9));
+			if (mb_offset + payload_len > le32_to_cpu(mb->meta_size))
+				goto mismatch;
 			if (r5l_recovery_verify_data_checksum(
 				    log, ctx, page, log_offset,
 				    payload->checksum[0]) < 0)
 				goto mismatch;
 		} else if (le16_to_cpu(payload->header.type) == R5LOG_PAYLOAD_PARITY) {
+			payload_len = sizeof(struct r5l_payload_data_parity) +
+				(sector_t)sizeof(__le32) *
+				(le32_to_cpu(payload->size) >> (PAGE_SHIFT - 9));
+			if (mb_offset + payload_len > le32_to_cpu(mb->meta_size))
+				goto mismatch;
 			if (r5l_recovery_verify_data_checksum(
 				    log, ctx, page, log_offset,
 				    payload->checksum[0]) < 0)
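Review bot: `payload->header.type` and `payload->size` (and `payload_flush->size` in the FLUSH branch below) are read before the new bounds check runs, yet the loop condition only guarantees `mb_offset < meta_size`, so a payload header that straddles the end of the metadata block still has its size field read past meta_size; checking that `mb_offset + sizeof(struct r5l_payload_data_parity)` (or `sizeof(struct r5l_payload_flush)`) fits before dereferencing the size field would close that gap. The DATA and PARITY branches also compute an identical `payload_len` expression; since the value is only consumed after the type dispatch, it could be computed once for both types.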
@@ -2031,22 +2043,18 @@ r5l_recovery_verify_data_checksum_for_mb
 				    payload->checksum[1]) < 0)
 				goto mismatch;
 		} else if (le16_to_cpu(payload->header.type) == R5LOG_PAYLOAD_FLUSH) {
-			/* nothing to do for R5LOG_PAYLOAD_FLUSH here */
+			payload_len = sizeof(struct r5l_payload_flush) +
+				(sector_t)le32_to_cpu(payload_flush->size);
+			if (mb_offset + payload_len > le32_to_cpu(mb->meta_size))
+				goto mismatch;
 		} else /* not R5LOG_PAYLOAD_DATA/PARITY/FLUSH */
 			goto mismatch;
 
-		if (le16_to_cpu(payload->header.type) == R5LOG_PAYLOAD_FLUSH) {
-			mb_offset += sizeof(struct r5l_payload_flush) +
-				le32_to_cpu(payload_flush->size);
-		} else {
-			/* DATA or PARITY payload */
+		if (le16_to_cpu(payload->header.type) != R5LOG_PAYLOAD_FLUSH) {
 			log_offset = r5l_ring_add(log, log_offset,
 						  le32_to_cpu(payload->size));
-			mb_offset += sizeof(struct r5l_payload_data_parity) +
-				sizeof(__le32) *
-				(le32_to_cpu(payload->size) >> (PAGE_SHIFT - 9));
 		}
-
+		mb_offset += payload_len;
 	}
 
 	put_page(page);
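Review bot: after this restructure `mb_offset += payload_len` is reached from the DATA, PARITY and FLUSH branches, each of which assigns `payload_len`, while the unknown-type branch jumps to `mismatch`; that is correct, but a compiler cannot always prove it, so initializing `payload_len` at its declaration (or keeping the increment inside each branch) avoids a maybe-uninitialized warning. `sector_t` is also an unusual type for an in-block byte count; if the `(sector_t)` casts exist to widen the multiplication so that `mb_offset + payload_len` cannot wrap before the comparison, a comment saying so would help, since a reader would otherwise expect a `size_t` or `u32` for an offset bounded by meta_size.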
@@ -2097,6 +2105,7 @@ r5c_recovery_analyze_meta_block(struct r
 	log_offset = r5l_ring_add(log, ctx->pos, BLOCK_SECTORS);
 
 	while (mb_offset < le32_to_cpu(mb->meta_size)) {
+		sector_t payload_len;
 		int dd;
 
 		payload = (void *)mb + mb_offset;
@@ -2105,6 +2114,12 @@ r5c_recovery_analyze_meta_block(struct r
 		if (le16_to_cpu(payload->header.type) == R5LOG_PAYLOAD_FLUSH) {
 			int i, count;
 
+			payload_len = sizeof(struct r5l_payload_flush) +
+				(sector_t)le32_to_cpu(payload_flush->size);
+			if (mb_offset + payload_len >
+			    le32_to_cpu(mb->meta_size))
+				return -EINVAL;
+
 			count = le32_to_cpu(payload_flush->size) / sizeof(__le64);
 			for (i = 0; i < count; ++i) {
 				stripe_sect = le64_to_cpu(payload_flush->flush_stripes[i]);
@@ -2118,12 +2133,17 @@ r5c_recovery_analyze_meta_block(struct r
 				}
 			}
 
-			mb_offset += sizeof(struct r5l_payload_flush) +
-				le32_to_cpu(payload_flush->size);
+			mb_offset += payload_len;
 			continue;
 		}
 
 		/* DATA or PARITY payload */
+		payload_len = sizeof(struct r5l_payload_data_parity) +
+			(sector_t)sizeof(__le32) *
+			(le32_to_cpu(payload->size) >> (PAGE_SHIFT - 9));
+		if (mb_offset + payload_len > le32_to_cpu(mb->meta_size))
+			return -EINVAL;
+
 		stripe_sect = (le16_to_cpu(payload->header.type) == R5LOG_PAYLOAD_DATA) ?
 			raid5_compute_sector(
 				conf, le64_to_cpu(payload->location), 0, &dd,
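Review bot: both new `-EINVAL` checks bound the payload against `mb->meta_size`, so they are only as strong as the validation of meta_size against PAGE_SIZE that the changelog's "beyond the PAGE_SIZE boundary" wording presupposes; a comment naming where meta_size is validated, or an explicit sanity check at the top of this function, would document that assumption next to the code that depends on it. As in the verify path, `payload->size` is dereferenced before the fixed part of the payload has been shown to fit, so the same header-fits check applies here.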
@@ -2188,9 +2208,7 @@ r5c_recovery_analyze_meta_block(struct r
 		log_offset = r5l_ring_add(log, log_offset,
 					  le32_to_cpu(payload->size));
 
-		mb_offset += sizeof(struct r5l_payload_data_parity) +
-			sizeof(__le32) *
-			(le32_to_cpu(payload->size) >> (PAGE_SHIFT - 9));
+		mb_offset += payload_len;
 	}
 
 	return 0;




* [PATCH 6.6 115/474] inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 114/474] md/raid5: validate payload size before accessing journal metadata Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 116/474] tcp: call sk_data_ready() after listener migration Greg Kroah-Hartman
                   ` (359 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Chia-Ming Chang, robbieko,
	Nikolay Borisov, Jan Kara

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chia-Ming Chang <chiamingc@synology.com>

commit 6a320935fa4293e9e599ec9f85dc9eb3be7029f8 upstream.

When fsnotify_add_inode_mark_locked() fails in inotify_new_watch(),
the error path calls inotify_remove_from_idr() but does not call
dec_inotify_watches() to undo the preceding inc_inotify_watches().
This leaks a watch count, and repeated failures can exhaust the
max_user_watches limit with -ENOSPC even when no watches are active.

Prior to commit 1cce1eea0aff ("inotify: Convert to using per-namespace
limits"), the watch count was incremented after fsnotify_add_mark_locked()
succeeded, so this path was not affected. The conversion moved
inc_inotify_watches() before the mark insertion without adding the
corresponding rollback.

Add the missing dec_inotify_watches() call in the error path.

Fixes: 1cce1eea0aff ("inotify: Convert to using per-namespace limits")
Cc: stable@vger.kernel.org
Signed-off-by: Chia-Ming Chang <chiamingc@synology.com>
Signed-off-by: robbieko <robbieko@synology.com>
Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
Link: https://patch.msgid.link/20260224093442.3076294-1-chiamingc@synology.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/notify/inotify/inotify_user.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/notify/inotify/inotify_user.c
+++ b/fs/notify/inotify/inotify_user.c
@@ -622,6 +622,7 @@ static int inotify_new_watch(struct fsno
 	if (ret) {
 		/* we failed to get on the inode, get off the idr */
 		inotify_remove_from_idr(group, tmp_i_mark);
+		dec_inotify_watches(group->inotify_data.ucounts);
 		goto out_err;
 	}
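Review bot: the comment `/* we failed to get on the inode, get off the idr */` now under-describes the error path; extend it to say that the watch count taken by `inc_inotify_watches()` before the mark insertion is rolled back here too, so the pairing is visible at the one place it matters rather than only in the changelog.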
 




* [PATCH 6.6 116/474] tcp: call sk_data_ready() after listener migration
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (114 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 115/474] inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 117/474] taskstats: set version in TGID exit notifications Greg Kroah-Hartman
                   ` (358 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Kuniyuki Iwashima,
	Zhenzhong Wu, Jakub Kicinski

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhenzhong Wu <jt26wzz@gmail.com>

commit 3864c6ba1e041bc75342353a70fa2a2c6f909923 upstream.

When inet_csk_listen_stop() migrates an established child socket from
a closing listener to another socket in the same SO_REUSEPORT group,
the target listener gets a new accept-queue entry via
inet_csk_reqsk_queue_add(), but that path never notifies the target
listener's waiters. A nonblocking accept() still works because it
checks the queue directly, but poll()/epoll_wait() waiters and
blocking accept() callers can also remain asleep indefinitely.

Call READ_ONCE(nsk->sk_data_ready)(nsk) after a successful migration
in inet_csk_listen_stop().

However, after inet_csk_reqsk_queue_add() succeeds, the ref acquired
in reuseport_migrate_sock() is effectively transferred to
nreq->rsk_listener. Another CPU can then dequeue nreq via accept()
or listener shutdown, hit reqsk_put(), and drop that listener ref.
Since listeners are SOCK_RCU_FREE, wrap the post-queue_add()
dereferences of nsk in rcu_read_lock()/rcu_read_unlock(), which also
covers the existing sock_net(nsk) access in that path.

The reqsk_timer_handler() path does not need the same changes for two
reasons: half-open requests become readable only after the final ACK,
where tcp_child_process() already wakes the listener; and once nreq is
visible via inet_ehash_insert(), the success path no longer touches
nsk directly.

Fixes: 54b92e841937 ("tcp: Migrate TCP_ESTABLISHED/TCP_SYN_RECV sockets in accept queues.")
Cc: stable@vger.kernel.org
Suggested-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Signed-off-by: Zhenzhong Wu <jt26wzz@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260422024554.130346-2-jt26wzz@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/inet_connection_sock.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -1429,16 +1429,19 @@ void inet_csk_listen_stop(struct sock *s
 			if (nreq) {
 				refcount_set(&nreq->rsk_refcnt, 1);
 
+				rcu_read_lock();
 				if (inet_csk_reqsk_queue_add(nsk, nreq, child)) {
 					__NET_INC_STATS(sock_net(nsk),
 							LINUX_MIB_TCPMIGRATEREQSUCCESS);
 					reqsk_migrate_reset(req);
+					READ_ONCE(nsk->sk_data_ready)(nsk);
 				} else {
 					__NET_INC_STATS(sock_net(nsk),
 							LINUX_MIB_TCPMIGRATEREQFAILURE);
 					reqsk_migrate_reset(nreq);
 					__reqsk_free(nreq);
 				}
+				rcu_read_unlock();
 
 				/* inet_csk_reqsk_queue_add() has already
 				 * called inet_child_forget() on failure case.
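Review bot: nothing in the hunk records why the RCU read-side critical section is needed; the reason (the listener ref taken in reuseport_migrate_sock() is handed to `nreq->rsk_listener` by `inet_csk_reqsk_queue_add()`, after which `nsk` is kept alive only by SOCK_RCU_FREE) lives solely in the changelog. A comment above `rcu_read_lock()` would stop a later cleanup from narrowing the section or moving the `READ_ONCE(nsk->sk_data_ready)(nsk)` wakeup and the `sock_net(nsk)` accesses outside it.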




* [PATCH 6.6 117/474] taskstats: set version in TGID exit notifications
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (115 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 116/474] tcp: call sk_data_ready() after listener migration Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 118/474] Bluetooth: hci_event: fix potential UAF in SSP passkey handlers Greg Kroah-Hartman
                   ` (357 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yiyang Chen, Balbir Singh,
	Dr. Thomas Orgis, Fan Yu, Wang Yaxin, Andrew Morton

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yiyang Chen <cyyzero16@gmail.com>

commit 16c4f0211aaa1ec1422b11b59f64f1abe9009fc0 upstream.

delay accounting started populating taskstats records with a valid version
field via fill_pid() and fill_tgid().

Later, commit ad4ecbcba728 ("[PATCH] delay accounting taskstats interface
send tgid once") changed the TGID exit path to send the cached
signal->stats aggregate directly instead of building the outgoing record
through fill_tgid().  Unlike fill_tgid(), fill_tgid_exit() only
accumulates accounting data and never initializes stats->version.

As a result, TGID exit notifications can reach userspace with version == 0
even though PID exit notifications and TASKSTATS_CMD_GET replies carry a
valid taskstats version.

This is easy to reproduce with `tools/accounting/getdelays.c`.

I have a small follow-up patch for that tool which:

1. increases the receive buffer/message size so the pid+tgid
   combined exit notification is not dropped/truncated

2. prints `stats->version`.

With that patch, the reproducer is:

  Terminal 1:
    ./getdelays -d -v -l -m 0

  Terminal 2:
    taskset -c 0 python3 -c 'import threading,time; t=threading.Thread(target=time.sleep,args=(0.1,)); t.start(); t.join()'

That produces both PID and TGID exit notifications for the same
process.  The PID exit record reports a valid taskstats version, while
the TGID exit record reports `version 0`.


This patch (of 2):

Set stats->version = TASKSTATS_VERSION after copying the cached TGID
aggregate into the outgoing netlink payload so all taskstats records are
self-describing again.

Link: https://lkml.kernel.org/r/ba83d934e59edd431b693607de573eb9ca059309.1774810498.git.cyyzero16@gmail.com
Fixes: ad4ecbcba728 ("[PATCH] delay accounting taskstats interface send tgid once")
Signed-off-by: Yiyang Chen <cyyzero16@gmail.com>
Cc: Balbir Singh <bsingharora@gmail.com>
Cc: Dr. Thomas Orgis <thomas.orgis@uni-hamburg.de>
Cc: Fan Yu <fan.yu9@zte.com.cn>
Cc: Wang Yaxin <wang.yaxin@zte.com.cn>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/taskstats.c |    1 +
 1 file changed, 1 insertion(+)

--- a/kernel/taskstats.c
+++ b/kernel/taskstats.c
@@ -656,6 +656,7 @@ void taskstats_exit(struct task_struct *
 		goto err;
 
 	memcpy(stats, tsk->signal->stats, sizeof(*stats));
+	stats->version = TASKSTATS_VERSION;
 
 send:
 	send_cpu_listeners(rep_skb, listeners);
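Review bot: setting `stats->version` right after the `memcpy()` from `tsk->signal->stats` repairs the outgoing record, but a reader of this function cannot see why the cached aggregate lacks a version in the first place; a brief comment noting that fill_tgid_exit() only accumulates and never initializes the version field would explain why the assignment sits on this path rather than alongside the fill_pid()/fill_tgid() cases.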




* [PATCH 6.6 118/474] Bluetooth: hci_event: fix potential UAF in SSP passkey handlers
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (116 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 117/474] taskstats: set version in TGID exit notifications Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 119/474] can: ucan: fix devres lifetime Greg Kroah-Hartman
                   ` (356 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Shuvam Pandey,
	Luiz Augusto von Dentz

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shuvam Pandey <shuvampandey1@gmail.com>

commit 85fa3512048793076eef658f66489112dcc91993 upstream.

hci_conn lookup and field access must be covered by hdev lock in
hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), otherwise
the connection can be freed concurrently.

Extend the hci_dev_lock critical section to cover all conn usage in both
handlers.

Keep the existing keypress notification behavior unchanged by routing
the early exits through a common unlock path.

Fixes: 92a25256f142 ("Bluetooth: mgmt: Implement support for passkey notification")
Cc: stable@vger.kernel.org
Signed-off-by: Shuvam Pandey <shuvampandey1@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/hci_event.c |   18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -5409,9 +5409,11 @@ static void hci_user_passkey_notify_evt(
 
 	bt_dev_dbg(hdev, "");
 
+	hci_dev_lock(hdev);
+
 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
 	if (!conn)
-		return;
+		goto unlock;
 
 	conn->passkey_notify = __le32_to_cpu(ev->passkey);
 	conn->passkey_entered = 0;
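Review bot: With hci_dev_lock() now held for the rest of hci_user_passkey_notify_evt(), mgmt_user_passkey_notify() (reached in the next hunk) runs with hdev locked; please confirm it does not take hci_dev_lock() itself, since that would deadlock on the non-recursive mutex. Stating in the commit message that the mgmt notifier is lock-safe here would save the next reviewer the same check.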
@@ -5420,6 +5422,9 @@ static void hci_user_passkey_notify_evt(
 		mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
 					 conn->dst_type, conn->passkey_notify,
 					 conn->passkey_entered);
+
+unlock:
+	hci_dev_unlock(hdev);
 }
 
 static void hci_keypress_notify_evt(struct hci_dev *hdev, void *data,
@@ -5430,14 +5435,16 @@ static void hci_keypress_notify_evt(stru
 
 	bt_dev_dbg(hdev, "");
 
+	hci_dev_lock(hdev);
+
 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
 	if (!conn)
-		return;
+		goto unlock;
 
 	switch (ev->type) {
 	case HCI_KEYPRESS_STARTED:
 		conn->passkey_entered = 0;
-		return;
+		goto unlock;
 
 	case HCI_KEYPRESS_ENTERED:
 		conn->passkey_entered++;
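Review bot: Routing the HCI_KEYPRESS_STARTED exit through `unlock` keeps the documented behaviour (reset the counter, no notification) while the conn write is covered by the lock; good. The fields read by the mgmt_user_passkey_notify() call after the switch (conn->dst, conn->type, conn->passkey_notify) are the actual UAF window the message describes, so the lock has to span past the switch as done here, not just the lookup; a short comment at `hci_dev_lock(hdev)` saying the lock protects the whole conn lifetime in this handler would prevent a future "optimisation" that shrinks it.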
@@ -5452,13 +5459,16 @@ static void hci_keypress_notify_evt(stru
 		break;
 
 	case HCI_KEYPRESS_COMPLETED:
-		return;
+		goto unlock;
 	}
 
 	if (hci_dev_test_flag(hdev, HCI_MGMT))
 		mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
 					 conn->dst_type, conn->passkey_notify,
 					 conn->passkey_entered);
+
+unlock:
+	hci_dev_unlock(hdev);
 }
 
 static void hci_simple_pair_complete_evt(struct hci_dev *hdev, void *data,




* [PATCH 6.6 119/474] can: ucan: fix devres lifetime
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (117 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 118/474] Bluetooth: hci_event: fix potential UAF in SSP passkey handlers Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 120/474] crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as 64-bit Greg Kroah-Hartman
                   ` (355 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jakob Unterwurzacher, Johan Hovold,
	Marc Kleine-Budde

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit fed4626501c871890da287bec62a96e52da1af89 upstream.

USB drivers bind to USB interfaces and any device managed resources
should have their lifetime tied to the interface rather than parent USB
device. This avoids issues like memory leaks when drivers are unbound
without their devices being physically disconnected (e.g. on probe
deferral or configuration changes).

Fix the control message buffer lifetime so that it is released on driver
unbind.

Fixes: 9f2d3eae88d2 ("can: ucan: add driver for Theobroma Systems UCAN devices")
Cc: stable@vger.kernel.org	# 4.19
Cc: Jakob Unterwurzacher <jakob.unterwurzacher@theobroma-systems.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260327104520.1310158-1-johan@kernel.org
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/can/usb/ucan.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/can/usb/ucan.c
+++ b/drivers/net/can/usb/ucan.c
@@ -1399,7 +1399,7 @@ static int ucan_probe(struct usb_interfa
 	 */
 
 	/* Prepare Memory for control transfers */
-	ctl_msg_buffer = devm_kzalloc(&udev->dev,
+	ctl_msg_buffer = devm_kzalloc(&intf->dev,
 				      sizeof(union ucan_ctl_payload),
 				      GFP_KERNEL);
 	if (!ctl_msg_buffer) {
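Review bot: Moving the allocation to &intf->dev fixes the leak on unbind, but it also means the buffer is released when the interface driver is unbound while the USB device may still be present; please confirm no control transfer using ctl_msg_buffer can still be in flight at that point, i.e. the disconnect path stops any URB that references it before devres runs. Also worth a quick grep of ucan_probe() for other devm_* calls that pass &udev->dev, since any such resource has exactly the same lifetime problem.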




* [PATCH 6.6 120/474] crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as 64-bit
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (118 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 119/474] can: ucan: fix devres lifetime Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 121/474] crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup Greg Kroah-Hartman
                   ` (354 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ard Biesheuvel, Eric Biggers

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@kernel.org>

commit f8f08d7cc43237e91e3aedf7b67d015d24c38fcc upstream.

Since the 'enc_after' argument to neon_aes_mac_update() and
ce_aes_mac_update() has type 'int', it needs to be accessed using the
corresponding 32-bit register, not the 64-bit register.  The upper half
of the corresponding 64-bit register may contain garbage.

Fixes: 4860620da7e5 ("crypto: arm64/aes - add NEON/Crypto Extensions CBCMAC/CMAC/XCBC driver")
Cc: stable@vger.kernel.org
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Link: https://lore.kernel.org/r/20260218213501.136844-4-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/crypto/aes-modes.S |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm64/crypto/aes-modes.S
+++ b/arch/arm64/crypto/aes-modes.S
@@ -838,7 +838,7 @@ AES_FUNC_START(aes_mac_update)
 	encrypt_block	v0, w2, x1, x7, w8
 	eor		v0.16b, v0.16b, v4.16b
 	cmp		w3, wzr
-	csinv		x5, x6, xzr, eq
+	csinv		w5, w6, wzr, eq
 	cbz		w5, .Lmacout
 	encrypt_block	v0, w2, x1, x7, w8
 	st1		{v0.16b}, [x4]			/* return dg */
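Review bot: The only visible consumer of the csinv result is `cbz w5`, which tests the 32-bit view, so the old `csinv x5, x6, xzr, eq` produced the same branch decision in practice; the change is still right because the AAPCS64 leaves the upper 32 bits of x6 unspecified for an `int` argument, and reading x6 is formally wrong. It would help to say in the commit message whether any 64-bit use of x5 made the garbage observable, or that this is a latent-correctness fix found by inspection.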
@@ -852,7 +852,7 @@ AES_FUNC_START(aes_mac_update)
 	eor		v0.16b, v0.16b, v1.16b		/* ..and xor with dg */
 
 	subs		w3, w3, #1
-	csinv		x5, x6, xzr, eq
+	csinv		w5, w6, wzr, eq
 	cbz		w5, .Lmacout
 
 .Lmacenc:




* [PATCH 6.6 121/474] crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (119 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 120/474] crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as 64-bit Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 122/474] crypto: atmel-ecc - Release client on allocation failure Greg Kroah-Hartman
                   ` (353 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Herbert Xu

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thorsten Blum <thorsten.blum@linux.dev>

commit 3fcfff4ed35f963380a68741bcd52742baff7f76 upstream.

atmel_aes_buff_init() allocates 4 pages using __get_free_pages() with
ATMEL_AES_BUFFER_ORDER, but atmel_aes_buff_cleanup() frees only the
first page using free_page(), leaking the remaining 3 pages. Use
free_pages() with ATMEL_AES_BUFFER_ORDER to fix the memory leak.

Fixes: bbe628ed897d ("crypto: atmel-aes - improve performances of data transfer")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/crypto/atmel-aes.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/crypto/atmel-aes.c
+++ b/drivers/crypto/atmel-aes.c
@@ -2323,7 +2323,7 @@ static int atmel_aes_buff_init(struct at
 
 static void atmel_aes_buff_cleanup(struct atmel_aes_dev *dd)
 {
-	free_page((unsigned long)dd->buf);
+	free_pages((unsigned long)dd->buf, ATMEL_AES_BUFFER_ORDER);
 }
 
 static int atmel_aes_dma_init(struct atmel_aes_dev *dd)
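Review bot: Passing ATMEL_AES_BUFFER_ORDER makes the free match the __get_free_pages() order used in atmel_aes_buff_init(); free_pages() ignores a zero address, so no NULL guard is needed if init failed earlier. A short comment next to the free pointing at the allocation would keep the two in sync if the order constant is ever changed.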




* [PATCH 6.6 122/474] crypto: atmel-ecc - Release client on allocation failure
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (120 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 121/474] crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 123/474] crypto: hisilicon - Fix dma_unmap_single() direction Greg Kroah-Hartman
                   ` (352 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Herbert Xu

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thorsten Blum <thorsten.blum@linux.dev>

commit 095d50008d55d13f8fcf1bbeb7c6eba51779bc85 upstream.

Call atmel_ecc_i2c_client_free() to release the I2C client reserved by
atmel_ecc_i2c_client_alloc() when crypto_alloc_kpp() fails. Otherwise
->tfm_count will be out of sync.

Fixes: 11105693fa05 ("crypto: atmel-ecc - introduce Microchip / Atmel ECC driver")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/crypto/atmel-ecc.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/crypto/atmel-ecc.c
+++ b/drivers/crypto/atmel-ecc.c
@@ -261,6 +261,7 @@ static int atmel_ecdh_init_tfm(struct cr
 	if (IS_ERR(fallback)) {
 		dev_err(&ctx->client->dev, "Failed to allocate transformation for '%s': %ld\n",
 			alg, PTR_ERR(fallback));
+		atmel_ecc_i2c_client_free(ctx->client);
 		return PTR_ERR(fallback);
 	}
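Review bot: Freeing the client after dev_err() is the correct order, since the message dereferences ctx->client->dev; keep it that way if the error path is ever reshuffled. Consider also setting ctx->client = NULL after the free so a later teardown path cannot touch the released client through the context.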
 




* [PATCH 6.6 123/474] crypto: hisilicon - Fix dma_unmap_single() direction
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (121 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 122/474] crypto: atmel-ecc - Release client on allocation failure Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 124/474] crypto: ccree - fix a memory leak in cc_mac_digest() Greg Kroah-Hartman
                   ` (351 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Thorsten Blum,
	Herbert Xu

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Fourier <fourier.thomas@gmail.com>

commit 1ee57ab93b75eb59f426aef37b5498a7ffc28278 upstream.

The direction used to map the buffer skreq->iv is DMA_TO_DEVICE but it is
unmapped with direction DMA_BIDIRECTIONAL in the error path.

Change the unmap to match the mapping.

Fixes: 915e4e8413da ("crypto: hisilicon - SEC security accelerator driver")
Cc: <stable@vger.kernel.org>
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Reviewed-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/crypto/hisilicon/sec/sec_algs.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/crypto/hisilicon/sec/sec_algs.c
+++ b/drivers/crypto/hisilicon/sec/sec_algs.c
@@ -844,7 +844,7 @@ err_free_elements:
 	if (crypto_skcipher_ivsize(atfm))
 		dma_unmap_single(info->dev, sec_req->dma_iv,
 				 crypto_skcipher_ivsize(atfm),
-				 DMA_BIDIRECTIONAL);
+				 DMA_TO_DEVICE);
 err_unmap_out_sg:
 	if (split)
 		sec_unmap_sg_on_err(skreq->dst, steps, splits_out,
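Review bot: Good catch on the mismatched direction; the same dma_iv mapping presumably has a second unmap on the request completion path, so please double-check that one uses DMA_TO_DEVICE as well, otherwise the error and success paths disagree again. If the direction appears in more than one place, a local `#define` for the IV DMA direction next to the dma_map_single() call would prevent the drift.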




* [PATCH 6.6 124/474] crypto: ccree - fix a memory leak in cc_mac_digest()
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (122 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 123/474] crypto: hisilicon - Fix dma_unmap_single() direction Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 125/474] crypto: atmel-tdes - fix DMA sync direction Greg Kroah-Hartman
                   ` (350 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Haoxiang Li, Herbert Xu

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>

commit 02c64052fad03699b9c6d1df2f9b444d17e4ac50 upstream.

Add cc_unmap_result() if cc_map_hash_request_final()
fails to prevent potential memory leak.

Fixes: 63893811b0fc ("crypto: ccree - add ahash support")
Cc: stable@vger.kernel.org
Signed-off-by: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/crypto/ccree/cc_hash.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/crypto/ccree/cc_hash.c
+++ b/drivers/crypto/ccree/cc_hash.c
@@ -1448,6 +1448,7 @@ static int cc_mac_digest(struct ahash_re
 	if (cc_map_hash_request_final(ctx->drvdata, state, req->src,
 				      req->nbytes, 1, flags)) {
 		dev_err(dev, "map_ahash_request_final() failed\n");
+		cc_unmap_result(dev, state, digestsize, req->result);
 		cc_unmap_req(dev, state, ctx);
 		return -ENOMEM;
 	}
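Review bot: Please confirm cc_map_result() runs before cc_map_hash_request_final() in cc_mac_digest(), so that unmapping the result before the request mirrors setup in reverse. This hunk fixes only the cc_map_hash_request_final() failure exit; any other early return in cc_mac_digest() after the result buffer is mapped deserves the same audit so the leak is fixed rather than moved.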




* [PATCH 6.6 125/474] crypto: atmel-tdes - fix DMA sync direction
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (123 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 124/474] crypto: ccree - fix a memory leak in cc_mac_digest() Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 126/474] crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path Greg Kroah-Hartman
                   ` (349 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Herbert Xu

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thorsten Blum <thorsten.blum@linux.dev>

commit c8a9a647532f5c2a04180352693215e24e9dba03 upstream.

Before DMA output is consumed by the CPU, ->dma_addr_out must be synced
with dma_sync_single_for_cpu() instead of dma_sync_single_for_device().
Using the wrong direction can return stale cache data on non-coherent
platforms.

Fixes: 13802005d8f2 ("crypto: atmel - add Atmel DES/TDES driver")
Fixes: 1f858040c2f7 ("crypto: atmel-tdes - add support for latest release of the IP (0x700)")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/crypto/atmel-tdes.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/crypto/atmel-tdes.c
+++ b/drivers/crypto/atmel-tdes.c
@@ -304,8 +304,8 @@ static int atmel_tdes_crypt_pdc_stop(str
 		dma_unmap_sg(dd->dev, dd->out_sg, 1, DMA_FROM_DEVICE);
 		dma_unmap_sg(dd->dev, dd->in_sg, 1, DMA_TO_DEVICE);
 	} else {
-		dma_sync_single_for_device(dd->dev, dd->dma_addr_out,
-					   dd->dma_size, DMA_FROM_DEVICE);
+		dma_sync_single_for_cpu(dd->dev, dd->dma_addr_out,
+					dd->dma_size, DMA_FROM_DEVICE);
 
 		/* copy data */
 		count = atmel_tdes_sg_copy(&dd->out_sg, &dd->out_offset,
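Review bot: Syncing for the CPU before the copy out of the bounce buffer is the correct direction; the symmetric case is the input side, so it is worth checking that dd->dma_addr_in gets dma_sync_single_for_device() after the CPU fills it and before the transfer is started, since a driver with one direction wrong often has the mirror image wrong too.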
@@ -655,8 +655,8 @@ static int atmel_tdes_crypt_dma_stop(str
 			dma_unmap_sg(dd->dev, dd->out_sg, 1, DMA_FROM_DEVICE);
 			dma_unmap_sg(dd->dev, dd->in_sg, 1, DMA_TO_DEVICE);
 		} else {
-			dma_sync_single_for_device(dd->dev, dd->dma_addr_out,
-				dd->dma_size, DMA_FROM_DEVICE);
+			dma_sync_single_for_cpu(dd->dev, dd->dma_addr_out,
+						dd->dma_size, DMA_FROM_DEVICE);
 
 			/* copy data */
 			count = atmel_tdes_sg_copy(&dd->out_sg, &dd->out_offset,




* [PATCH 6.6 126/474] crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (124 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 125/474] crypto: atmel-tdes - fix DMA sync direction Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 127/474] dm mirror: fix integer overflow in create_dirty_log() Greg Kroah-Hartman
                   ` (348 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Herbert Xu

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thorsten Blum <thorsten.blum@linux.dev>

commit bab1adf3b87e4bfac92c4f5963c63db434d561c1 upstream.

Unregister the hwrng to prevent new ->read() calls and flush the Atmel
I2C workqueue before teardown to prevent a potential UAF if a queued
callback runs while the device is being removed.

Drop the early return to ensure sysfs entries are removed and
->hwrng.priv is freed, preventing a memory leak.

Fixes: da001fb651b0 ("crypto: atmel-i2c - add support for SHA204A random number generator")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/crypto/atmel-sha204a.c |    6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/crypto/atmel-sha204a.c
+++ b/drivers/crypto/atmel-sha204a.c
@@ -125,10 +125,8 @@ static void atmel_sha204a_remove(struct
 {
 	struct atmel_i2c_client_priv *i2c_priv = i2c_get_clientdata(client);
 
-	if (atomic_read(&i2c_priv->tfm_count)) {
-		dev_emerg(&client->dev, "Device is busy, will remove it anyhow\n");
-		return;
-	}
+	devm_hwrng_unregister(&client->dev, &i2c_priv->hwrng);
+	atmel_i2c_flush_queue();
 
 	kfree((void *)i2c_priv->hwrng.priv);
 }
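Review bot: The ordering unregister, then flush, then kfree is what prevents the UAF: after devm_hwrng_unregister() no new ->read() can enter, and atmel_i2c_flush_queue() drains any callback still queued. Dropping the tfm_count guard removes the only signal that a client is still referenced; if nothing in this driver increments tfm_count that is fine, but the commit message should say so explicitly since the guard looked intentional.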




* [PATCH 6.6 127/474] dm mirror: fix integer overflow in create_dirty_log()
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (125 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 126/474] crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 128/474] IB/core: Fix zero dmac race in neighbor resolution Greg Kroah-Hartman
                   ` (347 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
	Benjamin Marzinski, Mikulas Patocka

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Junrui Luo <moonafterrain@outlook.com>

commit 4c788c6f921b22f9b6c3f316c4a071c05683e7de upstream.

The argument count calculation in create_dirty_log() performs
`*args_used = 2 + param_count` before validating against argc. When a
user provides a param_count close to UINT_MAX via the device mapper
table string, this unsigned addition wraps around to a small value,
causing the subsequent `argc < *args_used` check to be bypassed.

The overflowed param_count is then passed as argc to dm_dirty_log_create(),
where it can cause out-of-bounds reads on the argv array.

Fix by comparing param_count against argc - 2 before performing the
addition, following the same pattern used by parse_features() in the
same file. Since argc >= 2 is already guaranteed, the subtraction is
safe.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Reviewed-by: Benjamin Marzinski <bmarzins@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/dm-raid1.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/md/dm-raid1.c
+++ b/drivers/md/dm-raid1.c
@@ -993,13 +993,13 @@ static struct dm_dirty_log *create_dirty
 		return NULL;
 	}
 
-	*args_used = 2 + param_count;
-
-	if (argc < *args_used) {
+	if (param_count > argc - 2) {
 		ti->error = "Insufficient mirror log arguments";
 		return NULL;
 	}
 
+	*args_used = 2 + param_count;
+
 	dl = dm_dirty_log_create(argv[0], ti, mirror_flush, param_count,
 				 argv + 2);
 	if (!dl) {
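Review bot: The rewritten test depends on argc >= 2 being established earlier (the commit message says it is); a one-line comment at the `argc - 2` comparison would stop a future reordering of the checks from reintroducing the wrap. Since param_count comes from a user-controlled table string, the remaining question is whether dm_dirty_log_create() bounds param_count against what the chosen log type expects; out of scope here, but worth a look.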




* [PATCH 6.6 128/474] IB/core: Fix zero dmac race in neighbor resolution
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (126 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 127/474] dm mirror: fix integer overflow in create_dirty_log() Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 129/474] ktest: Fix the month in the name of the failure directory Greg Kroah-Hartman
                   ` (346 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Chen Zhao, Parav Pandit,
	Leon Romanovsky, Jason Gunthorpe

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chen Zhao <chezhao@nvidia.com>

commit 5e6de34d82b49cab9d8a42063e9cd0f22a4f31e5 upstream.

dst_fetch_ha() checks nud_state without holding the neighbor lock, then
copies ha under the seqlock. A race in __neigh_update() where nud_state
is set to NUD_REACHABLE before ha is written allows dst_fetch_ha() to
read a zero MAC address while the seqlock reports no concurrent writer.

netevent_callback amplifies this by waking ALL pending addr_req workers
when ANY neighbor becomes NUD_VALID. At scale (N peers resolving ARP
concurrently), the hit probability scales as N^2, making it near-certain
for large RDMA workloads.

N(A): neigh_update(A)                   W(A): addr_resolve(A)
 |                                       [sleep]
 | write_lock_bh(&A->lock)               |
 | A->nud_state = NUD_REACHABLE          |
 | // A->ha is still 0                   |
 |                                       [woken by netevent_cb() of
 |                                         another neighbour]
 |                                       | dst_fetch_ha(A)
 |                                       |   A->nud_state & NUD_VALID
 |                                       |   read_seqbegin(&A->ha_lock)
 |                                       |   snapshot = A->ha  /* 0 */
 |                                       |   read_seqretry(&A->ha_lock)
 |                                       |   return snapshot
 | seqlock(&A->ha_lock)
 | A->ha = mac_A     /* too late */
 | sequnlock(&A->ha_lock)
 | write_unlock_bh(&A->lock)

The incorrect/zero mac is read and programmed in the device QP while it
was not yet updated. This causes silent packet loss and eventual
RETRY_EXC_ERR.

Fix by holding the neighbor read lock across the nud_state check and
ha copy in dst_fetch_ha(), ensuring it synchronizes with
__neigh_update() which is updating while holding the write lock.

Cc: stable@vger.kernel.org
Fixes: 92ebb6a0a13a ("IB/cm: Remove now useless rcu_lock in dst_fetch_ha")
Link: https://patch.msgid.link/r/20260405-fix-dmac-race-v1-1-cfa1ec2ce54a@nvidia.com
Signed-off-by: Chen Zhao <chezhao@nvidia.com>
Reviewed-by: Parav Pandit <parav@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/core/addr.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/infiniband/core/addr.c
+++ b/drivers/infiniband/core/addr.c
@@ -321,11 +321,14 @@ static int dst_fetch_ha(const struct dst
 	if (!n)
 		return -ENODATA;
 
+	read_lock_bh(&n->lock);
 	if (!(n->nud_state & NUD_VALID)) {
+		read_unlock_bh(&n->lock);
 		neigh_event_send(n, NULL);
 		ret = -ENODATA;
 	} else {
 		neigh_ha_snapshot(dev_addr->dst_dev_addr, n, dst->dev);
+		read_unlock_bh(&n->lock);
 	}
 
 	neigh_release(n);
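Review bot: Calling neigh_event_send() only after read_unlock_bh() is essential, not just tidy, because __neigh_event_send() takes the neighbour write lock and would deadlock against the read lock taken above; a brief comment there would keep someone from folding the unlock after the call. neigh_ha_snapshot() uses only the ha_lock seqlock reader, so nesting it inside the read lock is fine.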




* [PATCH 6.6 129/474] ktest: Fix the month in the name of the failure directory
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (127 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 128/474] IB/core: Fix zero dmac race in neighbor resolution Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:43 ` [PATCH 6.6 130/474] ntfs3: add buffer boundary checks to run_unpack() Greg Kroah-Hartman
                   ` (345 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, John Warthog9 Hawley, Steven Rostedt

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steven Rostedt <rostedt@goodmis.org>

commit 768059ede35f197575a38b10797b52402d9d4d2f upstream.

The Perl localtime() function returns the month starting at 0 not 1. This
caused the date produced to create the directory for saving files of a
failed run to have the month off by one.

  machine-test-useconfig-fail-20260314073628

The above happened in April, not March. The correct name should have been:

  machine-test-useconfig-fail-20260414073628

This was somewhat confusing.

Cc: stable@vger.kernel.org
Cc: John 'Warthog9' Hawley <warthog9@kernel.org>
Link: https://patch.msgid.link/20260420142426.33ad0293@fedora
Fixes: 7faafbd69639b ("ktest: Add open and close console and start stop monitor")
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/testing/ktest/ktest.pl |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/tools/testing/ktest/ktest.pl
+++ b/tools/testing/ktest/ktest.pl
@@ -1777,7 +1777,7 @@ sub save_logs {
     my ($result, $basedir) = @_;
     my @t = localtime;
     my $date = sprintf "%04d%02d%02d%02d%02d%02d",
-	1900+$t[5],$t[4],$t[3],$t[2],$t[1],$t[0];
+	1900+$t[5],$t[4]+1,$t[3],$t[2],$t[1],$t[0];
 
     my $type = $build_type;
     if ($type =~ /useconfig/) {
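Review bot: Adding 1 to $t[4] is correct for localtime()'s zero-based month; an alternative that avoids remembering this quirk (and the 1900 offset for the year) is POSIX::strftime("%Y%m%d%H%M%S", localtime), which yields the same string and reads as what it means.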




* [PATCH 6.6 130/474] ntfs3: add buffer boundary checks to run_unpack()
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (128 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 129/474] ktest: Fix the month in the name of the failure directory Greg Kroah-Hartman
@ 2026-05-15 15:43 ` Greg Kroah-Hartman
  2026-05-15 15:44 ` [PATCH 6.6 131/474] ntfs3: fix integer overflow in run_unpack() volume boundary check Greg Kroah-Hartman
                   ` (344 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:43 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Tobias Gaertner, Konstantin Komarov

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tobias Gaertner <tob.gaertner@me.com>

commit b62567bca47408e6739dee75f02a2113548af875 upstream.

run_unpack() checks `run_buf < run_last` at the top of the while loop
but then reads size_size and offset_size bytes via run_unpack_s64()
without verifying they fit within the remaining buffer.  A crafted NTFS
image with truncated run data in an MFT attribute triggers an OOB heap
read of up to 15 bytes when the filesystem is mounted.

Add boundary checks before each run_unpack_s64() call to ensure the
declared field size does not exceed the remaining buffer.

Found by fuzzing with a source-patched harness (LibAFL + QEMU).

Fixes: 82cae269cfa95 ("fs/ntfs3: Add initialization of super block")
Cc: stable@vger.kernel.org
Signed-off-by: Tobias Gaertner <tob.gaertner@me.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ntfs3/run.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/fs/ntfs3/run.c
+++ b/fs/ntfs3/run.c
@@ -963,6 +963,9 @@ int run_unpack(struct runs_tree *run, st
 		if (size_size > 8)
 			return -EINVAL;
 
+		if (run_buf + size_size > run_last)
+			return -EINVAL;
+
 		len = run_unpack_s64(run_buf, size_size, 0);
 		/* Skip size_size. */
 		run_buf += size_size;
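Review bot: `run_buf + size_size > run_last` forms a pointer that can lie up to 7 bytes past the end of the buffer before the comparison, which is undefined behaviour in C even though it works on every real target; the UB-free form is `size_size > run_last - run_buf`, which also reads naturally as "field does not fit in what is left". The same applies to the offset_size check in the next hunk.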
@@ -975,6 +978,9 @@ int run_unpack(struct runs_tree *run, st
 		else if (offset_size <= 8) {
 			s64 dlcn;
 
+			if (run_buf + offset_size > run_last)
+				return -EINVAL;
+
 			/* Initial value of dlcn is -1 or 0. */
 			dlcn = (run_buf[offset_size - 1] & 0x80) ? (s64)-1 : 0;
 			dlcn = run_unpack_s64(run_buf, offset_size, dlcn);
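Review bot: This is the check that matters most, since `run_buf[offset_size - 1]` on the following line reads exactly the last byte the new test covers; consider the `offset_size > run_last - run_buf` form here as well to avoid forming an out-of-bounds pointer.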




* [PATCH 6.6 131/474] ntfs3: fix integer overflow in run_unpack() volume boundary check
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (129 preceding siblings ...)
  2026-05-15 15:43 ` [PATCH 6.6 130/474] ntfs3: add buffer boundary checks to run_unpack() Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
  2026-05-15 15:44 ` [PATCH 6.6 132/474] rtmutex: Use waiter::task instead of current in remove_waiter() Greg Kroah-Hartman
                   ` (343 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Tobias Gaertner, Konstantin Komarov

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tobias Gaertner <tob.gaertner@me.com>

commit 984a415f019536ea2d24de9010744e5302a9a948 upstream.

The volume boundary check `lcn + len > sbi->used.bitmap.nbits` uses raw
addition which can wrap around for large lcn and len values, bypassing
the validation.  Use check_add_overflow() as is already done for the
adjacent prev_lcn + dlcn and vcn64 + len checks added by commit
3ac37e100385 ("ntfs3: Fix integer overflow in run_unpack()").

Found by fuzzing with a source-patched harness (LibAFL + QEMU).

Fixes: 82cae269cfa95 ("fs/ntfs3: Add initialization of super block")
Cc: stable@vger.kernel.org
Signed-off-by: Tobias Gaertner <tob.gaertner@me.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ntfs3/run.c |   12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

--- a/fs/ntfs3/run.c
+++ b/fs/ntfs3/run.c
@@ -1018,9 +1018,15 @@ int run_unpack(struct runs_tree *run, st
 			return -EOPNOTSUPP;
 		}
 #endif
-		if (lcn != SPARSE_LCN64 && lcn + len > sbi->used.bitmap.nbits) {
-			/* LCN range is out of volume. */
-			return -EINVAL;
+		if (lcn != SPARSE_LCN64) {
+			u64 lcn_end;
+
+			if (check_add_overflow(lcn, len, &lcn_end))
+				return -EINVAL;
+			if (lcn_end > sbi->used.bitmap.nbits) {
+				/* LCN range is out of volume. */
+				return -EINVAL;
+			}
 		}
 
 		if (!run)
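Review bot: the two early returns could be folded into `if (check_add_overflow(lcn, len, &lcn_end) || lcn_end > sbi->used.bitmap.nbits)`, which would also let the existing "LCN range is out of volume" comment cover both cases; as written the overflow case returns -EINVAL silently while only the range case is annotated. Also worth confirming that `lcn` and `len` are both 64-bit unsigned so that `u64 lcn_end` is the right destination type: check_add_overflow() tests whether the mathematically exact sum fits the destination, so a signed operand would change what "overflow" means on this line.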



^ permalink raw reply	[flat|nested] 476+ messages in thread
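The two ntfs3 patches above close the two ways a crafted run list defeats run_unpack()'s validation: a length or delta field that runs past the end of the attribute buffer (the boundary checks), and a `lcn + len` sum that wraps and slips under the volume size (the overflow check). The following is an added, stand-alone userspace example, not code from the ntfs3 driver or from this series, that decodes the same mapping-pair layout with both classes of check applied and shows the wrap that the raw comparison let through. It uses `__builtin_add_overflow()`, the compiler builtin behind check_add_overflow(), to test whether the exact sum fits; the `demo_` names, the sample byte strings and the constant standing in for `sbi->used.bitmap.nbits` are constructed for the illustration.

```c
/* Added illustration, not ntfs3 code: decode NTFS-style mapping pairs with the
 * bounds and overflow checks the two run_unpack() fixes add. Each entry is a
 * header byte (low nibble: byte count of the run length, high nibble: byte
 * count of the signed LCN delta), then those fields little-endian; a zero
 * header byte ends the list. demo_* names and sample bytes are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define DEMO_SPARSE_LCN UINT64_MAX	/* stands in for SPARSE_LCN64 */
#define DEMO_MAX_RUNS 16
#define DEMO_NBITS 1000000ULL		/* stands in for sbi->used.bitmap.nbits */

struct demo_run { uint64_t vcn, lcn, len; };

/* Little-endian decode of 1..8 bytes; sign-extends from the top bit when asked,
 * seeding the accumulator with all ones the way run_unpack_s64() does. */
static uint64_t demo_unpack_le(const uint8_t *p, unsigned size, bool sign)
{
	uint64_t v = (sign && (p[size - 1] & 0x80)) ? UINT64_MAX : 0;

	while (size--)
		v = (v << 8) | p[size];
	return v;
}

/* The pre-fix volume check: the raw sum wraps and the bogus range passes. */
bool demo_naive_range_ok(uint64_t lcn, uint64_t len, uint64_t nbits)
{
	return lcn + len <= nbits;
}

/* Returns the number of runs decoded into out[], or -1 for a malformed list:
 * a field running past buf (the buffer-bounds class) or a wrapped VCN/LCN sum
 * (the overflow class). __builtin_add_overflow() is what check_add_overflow()
 * wraps: it reports whether the exact sum fits the destination type. */
int demo_run_unpack(const uint8_t *buf, size_t buf_len, uint64_t svcn,
		    uint64_t evcn, uint64_t nbits, struct demo_run *out, int max_out)
{
	uint64_t vcn = svcn, prev_lcn = 0;
	size_t pos = 0;
	int n = 0;

	while (pos < buf_len) {
		uint8_t hdr = buf[pos++];
		unsigned size_size = hdr & 0x0f, offset_size = hdr >> 4;
		uint64_t len, lcn, next_vcn, lcn_end;

		if (!hdr)
			break;				/* end-of-list marker */
		if (!size_size || size_size > 8 || offset_size > 8)
			return -1;
		if (buf_len - pos < size_size)		/* compare lengths, never a pointer past the end */
			return -1;
		len = demo_unpack_le(buf + pos, size_size, false);
		pos += size_size;
		if (!len || __builtin_add_overflow(vcn, len, &next_vcn) || next_vcn - 1 > evcn)
			return -1;

		if (!offset_size) {
			lcn = DEMO_SPARSE_LCN;		/* sparse run, nothing on disk */
		} else {
			int64_t dlcn;

			if (buf_len - pos < offset_size)
				return -1;
			dlcn = (int64_t)demo_unpack_le(buf + pos, offset_size, true);
			pos += offset_size;
			if (__builtin_add_overflow(prev_lcn, dlcn, &lcn))
				return -1;
			if (__builtin_add_overflow(lcn, len, &lcn_end) || lcn_end > nbits)
				return -1;		/* LCN range is out of volume */
			prev_lcn = lcn;
		}
		if (n == max_out)
			return -1;
		out[n].vcn = vcn;
		out[n].lcn = lcn;
		out[n].len = len;
		n++;
		vcn = next_vcn;
	}
	return n;
}

/* Constructed inputs: a valid list, one cut off mid-field, one whose LCN + len wraps. */
static const uint8_t demo_good[] = {
	0x21, 0x10, 0x00, 0x01,		/* len 16, delta +256 -> LCN 256 */
	0x11, 0x08, 0xf0,		/* len 8,  delta -16  -> LCN 240 */
	0x01, 0x05,			/* len 5,  sparse */
	0x00 };
static const uint8_t demo_truncated[] = { 0x21, 0x10, 0x00 };	/* delta field cut off */
static const uint8_t demo_wrap[] = {
	0x88, 0x02, 0, 0, 0, 0, 0, 0, 0x80,			/* len 0x8000000000000002 */
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00 };	/* LCN 0x7fffffffffffffff */

struct demo_run demo_good_runs[DEMO_MAX_RUNS];

int demo_decode_good(void)
{
	return demo_run_unpack(demo_good, sizeof demo_good, 0, 100, DEMO_NBITS,
			       demo_good_runs, DEMO_MAX_RUNS);
}

int demo_decode_truncated(void)
{
	struct demo_run r[DEMO_MAX_RUNS];
	return demo_run_unpack(demo_truncated, sizeof demo_truncated, 0, 100, DEMO_NBITS, r, DEMO_MAX_RUNS);
}

int demo_decode_wrap(void)
{
	struct demo_run r[DEMO_MAX_RUNS];
	return demo_run_unpack(demo_wrap, sizeof demo_wrap, 0, UINT64_MAX, DEMO_NBITS, r, DEMO_MAX_RUNS);
}
```

Builds with gcc or clang. The wrapped sample has LCN 0x7fffffffffffffff and length 0x8000000000000002: `demo_naive_range_ok()` accepts it because the sum wraps to 1, which is the bypass the overflow patch describes, while `demo_run_unpack()` rejects it, and the truncated sample is rejected before any byte past the buffer is read.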

* [PATCH 6.6 132/474] rtmutex: Use waiter::task instead of current in remove_waiter()
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (130 preceding siblings ...)
  2026-05-15 15:44 ` [PATCH 6.6 131/474] ntfs3: fix integer overflow in run_unpack() volume boundary check Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
  2026-05-15 15:44 ` [PATCH 6.6 133/474] scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails Greg Kroah-Hartman
                   ` (342 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yuan Tan, Yifan Wu, Juefei Pu,
	Xin Liu, Keenan Dong, Thomas Gleixner

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Keenan Dong <keenanat2000@gmail.com>

commit 3bfdc63936dd4773109b7b8c280c0f3b5ae7d349 upstream.

remove_waiter() is used by the slowlock paths, but it is also used for
proxy-lock rollback in rt_mutex_start_proxy_lock() when invoked from
futex_requeue().

In the latter case waiter::task is not current, but remove_waiter()
operates on current for the dequeue operation. That results in several
problems:

  1) the rbtree dequeue happens without waiter::task::pi_lock being held

  2) the waiter task's pi_blocked_on state is not cleared, which leaves a
     dangling pointer primed for UAF around.

  3) rt_mutex_adjust_prio_chain() operates on the wrong top priority waiter
     task

Use waiter::task instead of current in all related operations in
remove_waiter() to cure those problems.

[ tglx: Fixup rt_mutex_adjust_prio_chain(), add a comment and amend the
  	changelog ]

Fixes: 8161239a8bcc ("rtmutex: Simplify PI algorithm and make highest prio task get lock")
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Keenan Dong <keenanat2000@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/locking/rtmutex.c |   13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

--- a/kernel/locking/rtmutex.c
+++ b/kernel/locking/rtmutex.c
@@ -1511,20 +1511,23 @@ static bool rtmutex_spin_on_owner(struct
  *
  * Must be called with lock->wait_lock held and interrupts disabled. It must
  * have just failed to try_to_take_rt_mutex().
+ *
+ * When invoked from rt_mutex_start_proxy_lock() waiter::task != current !
  */
 static void __sched remove_waiter(struct rt_mutex_base *lock,
 				  struct rt_mutex_waiter *waiter)
 {
 	bool is_top_waiter = (waiter == rt_mutex_top_waiter(lock));
 	struct task_struct *owner = rt_mutex_owner(lock);
+	struct task_struct *waiter_task = waiter->task;
 	struct rt_mutex_base *next_lock;
 
 	lockdep_assert_held(&lock->wait_lock);
 
-	raw_spin_lock(&current->pi_lock);
-	rt_mutex_dequeue(lock, waiter);
-	current->pi_blocked_on = NULL;
-	raw_spin_unlock(&current->pi_lock);
+	scoped_guard(raw_spinlock, &waiter_task->pi_lock) {
+		rt_mutex_dequeue(lock, waiter);
+		waiter_task->pi_blocked_on = NULL;
+	}
 
 	/*
 	 * Only update priority if the waiter was the highest priority
@@ -1560,7 +1563,7 @@ static void __sched remove_waiter(struct
 	raw_spin_unlock_irq(&lock->wait_lock);
 
 	rt_mutex_adjust_prio_chain(owner, RT_MUTEX_MIN_CHAINWALK, lock,
-				   next_lock, NULL, current);
+				   next_lock, NULL, waiter_task);
 
 	raw_spin_lock_irq(&lock->wait_lock);
 }
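Review bot: `waiter_task` is handed to rt_mutex_adjust_prio_chain() after `lock->wait_lock` has been released (the unlock is the first visible line of this hunk), so the task pointer cached at the top of the function must stay valid across the chain walk with no lock held by remove_waiter() itself. In the proxy path that holds only if the caller keeps a reference on waiter->task; a one-line comment stating that requirement next to the call would spare the next reader the same audit.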



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 133/474] scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (131 preceding siblings ...)
  2026-05-15 15:44 ` [PATCH 6.6 132/474] rtmutex: Use waiter::task instead of current in remove_waiter() Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
  2026-05-15 15:44 ` [PATCH 6.6 134/474] seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode Greg Kroah-Hartman
                   ` (341 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, John Garry, Yang Xiuwei,
	Martin K. Petersen

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yang Xiuwei <yangxiuwei@kylinos.cn>

commit 1e111c4b3a726df1254670a5cc4868cedb946d37 upstream.

If device_add(&sdkp->disk_dev) fails, put_device() runs
scsi_disk_release(), which frees the scsi_disk but leaves the gendisk
referenced. The device_add_disk() error path in sd_probe() calls
put_disk(gd); call put_disk(gd) here to mirror that cleanup.

Fixes: 265dfe8ebbab ("scsi: sd: Free scsi_disk device via put_device()")
Cc: stable@vger.kernel.org
Reviewed-by: John Garry <john.g.garry@oracle.com>
Signed-off-by: Yang Xiuwei <yangxiuwei@kylinos.cn>
Link: https://patch.msgid.link/20260330014952.152776-1-yangxiuwei@kylinos.cn
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/sd.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -3727,6 +3727,7 @@ static int sd_probe(struct device *dev)
 	error = device_add(&sdkp->disk_dev);
 	if (error) {
 		put_device(&sdkp->disk_dev);
+		put_disk(gd);
 		goto out;
 	}
 
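Review bot: `put_disk(gd)` runs after `put_device(&sdkp->disk_dev)`, which per the commit message frees sdkp through scsi_disk_release(); that order is fine only because gd is a local and scsi_disk_release() leaves the gendisk reference alone, so the thing to verify is that scsi_disk_release() does not itself call put_disk(), otherwise this becomes a double put. A short comment above the new line, such as `/* scsi_disk_release() does not drop the gendisk ref */`, would record that dependency.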



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 134/474] seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (132 preceding siblings ...)
  2026-05-15 15:44 ` [PATCH 6.6 133/474] scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
  2026-05-15 15:44 ` [PATCH 6.6 135/474] crypto: authencesn - reject short ahash digests during instance creation Greg Kroah-Hartman
                   ` (340 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Andrea Mayer, Justin Iurman,
	Jakub Kicinski

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andrea Mayer <andrea.mayer@uniroma2.it>

commit ade67d5f588832c7ba131aadd4215a94ce0a15c8 upstream.

When SEG6_IPTUN_MODE_L2ENCAP_RED (L2ENCAP_RED) was introduced, the
condition in seg6_build_state() that excludes L2 encap modes from
setting LWTUNNEL_STATE_OUTPUT_REDIRECT was not updated to account for
the new mode.
As a consequence, L2ENCAP_RED routes incorrectly trigger seg6_output()
on the output path, where the packet is silently dropped because
skb_mac_header_was_set() fails on L3 packets.

Extend the check to also exclude L2ENCAP_RED, consistent with L2ENCAP.

Fixes: 13f0296be8ec ("seg6: add support for SRv6 H.L2Encaps.Red behavior")
Cc: stable@vger.kernel.org
Signed-off-by: Andrea Mayer <andrea.mayer@uniroma2.it>
Reviewed-by: Justin Iurman <justin.iurman@gmail.com>
Link: https://patch.msgid.link/20260418162838.31979-1-andrea.mayer@uniroma2.it
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/seg6_iptunnel.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/ipv6/seg6_iptunnel.c
+++ b/net/ipv6/seg6_iptunnel.c
@@ -711,7 +711,8 @@ static int seg6_build_state(struct net *
 	newts->type = LWTUNNEL_ENCAP_SEG6;
 	newts->flags |= LWTUNNEL_STATE_INPUT_REDIRECT;
 
-	if (tuninfo->mode != SEG6_IPTUN_MODE_L2ENCAP)
+	if (tuninfo->mode != SEG6_IPTUN_MODE_L2ENCAP &&
+	    tuninfo->mode != SEG6_IPTUN_MODE_L2ENCAP_RED)
 		newts->flags |= LWTUNNEL_STATE_OUTPUT_REDIRECT;
 
 	newts->headroom = seg6_lwt_headroom(tuninfo);
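Review bot: the condition now enumerates the two L2 modes by hand, which is how SEG6_IPTUN_MODE_L2ENCAP_RED was missed in the first place; a small helper, or at least a comment saying that every L2 encap mode must be excluded because seg6_output() requires a MAC header (the skb_mac_header_was_set() failure from the commit message), would make the next mode addition harder to get wrong. Functionally the hunk matches the description: L2ENCAP_RED routes no longer get LWTUNNEL_STATE_OUTPUT_REDIRECT, so locally generated L3 packets are not silently dropped on the output path.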



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 135/474] crypto: authencesn - reject short ahash digests during instance creation
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (133 preceding siblings ...)
  2026-05-15 15:44 ` [PATCH 6.6 134/474] seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
  2026-05-15 15:44 ` [PATCH 6.6 136/474] driver core: Add kernel-doc for DEV_FLAG_COUNT enum value Greg Kroah-Hartman
                   ` (339 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yifan Wu, Juefei Pu,
	Yuan Tan, Xin Liu, Yuhang Zheng, Eric Biggers, Yucheng Lu,
	Ren Wei, Herbert Xu

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yucheng Lu <kanolyc@gmail.com>

commit 5db6ef9847717329f12c5ea8aba7e9f588a980c0 upstream.

authencesn requires either a zero authsize or an authsize of at least
4 bytes because the ESN encrypt/decrypt paths always move 4 bytes of
high-order sequence number data at the end of the authenticated data.

While crypto_authenc_esn_setauthsize() already rejects explicit
non-zero authsizes in the range 1..3, crypto_authenc_esn_create()
still copied auth->digestsize into inst->alg.maxauthsize without
validating it.  The AEAD core then initialized the tfm's default
authsize from that value.

As a result, selecting an ahash with digest size 1..3, such as
cbcmac(cipher_null), exposed authencesn instances whose default
authsize was invalid even though setauthsize() would have rejected the
same value.  AF_ALG could then trigger the ESN tail handling with a
too-short tag and hit an out-of-bounds access.

Reject authencesn instances whose ahash digest size is in the invalid
non-zero range 1..3 so that no tfm can inherit an unsupported default
authsize.

Fixes: f15f05b0a5de ("crypto: ccm - switch to separate cbcmac driver")
Cc: stable@kernel.org
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Yuhang Zheng <z1652074432@gmail.com>
Reviewed-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Yucheng Lu <kanolyc@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 crypto/authencesn.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/crypto/authencesn.c
+++ b/crypto/authencesn.c
@@ -397,6 +397,11 @@ static int crypto_authenc_esn_create(str
 	auth = crypto_spawn_ahash_alg(&ctx->auth);
 	auth_base = &auth->base;
 
+	if (auth->digestsize > 0 && auth->digestsize < 4) {
+		err = -EINVAL;
+		goto err_free_inst;
+	}
+
 	err = crypto_grab_skcipher(&ctx->enc, aead_crypto_instance(inst),
 				   crypto_attr_alg_name(tb[2]), 0, mask);
 	if (err)
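Review bot: the new rejection sits before crypto_grab_skcipher(), so at `goto err_free_inst` only the ahash spawn has been grabbed; worth confirming that err_free_inst releases that spawn without assuming the skcipher spawn is set as well. The literal 4 duplicates the constraint enforced in crypto_authenc_esn_setauthsize() (a non-zero authsize must be at least 4 because the ESN path moves 4 bytes of high-order sequence number); a named constant shared by both sites, or a comment pointing at setauthsize, would keep the two checks from drifting apart.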



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 136/474] driver core: Add kernel-doc for DEV_FLAG_COUNT enum value
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (134 preceding siblings ...)
  2026-05-15 15:44 ` [PATCH 6.6 135/474] crypto: authencesn - reject short ahash digests during instance creation Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
  2026-05-15 15:44 ` [PATCH 6.6 137/474] ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path Greg Kroah-Hartman
                   ` (338 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Randy Dunlap, Douglas Anderson,
	Danilo Krummrich

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Douglas Anderson <dianders@chromium.org>

commit 5b484311507b5d403c1f7a45f6aa3778549e268b upstream.

Even though nobody should use this value (except when declaring the
"flags" bitmap), kernel-doc still gets upset that it's not documented.
It reports:

  WARNING: ../include/linux/device.h:519
  Enum value 'DEV_FLAG_COUNT' not described in enum 'struct_device_flags'

Add the description of DEV_FLAG_COUNT.

Fixes: a2225b6e834a ("driver core: Don't let a device probe until it's ready")
Reported-by: Randy Dunlap <rdunlap@infradead.org>
Closes: https://lore.kernel.org/f318cd43-81fd-48b9-abf7-92af85f12f91@infradead.org
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Tested-by: Randy Dunlap <rdunlap@infradead.org>
Reviewed-by: Randy Dunlap <rdunlap@infradead.org>
Link: https://patch.msgid.link/20260413195910.1.I23aca74fe2d3636a47df196a80920fecb2643220@changeid
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/device.h |    1 +
 1 file changed, 1 insertion(+)

--- a/include/linux/device.h
+++ b/include/linux/device.h
@@ -610,6 +610,7 @@ struct device_physical_location {
  *
  * @DEV_FLAG_READY_TO_PROBE: If set then device_add() has finished enough
  *		initialization that probe could be called.
+ * @DEV_FLAG_COUNT: Number of defined struct_device_flags.
  */
 enum struct_device_flags {
 	DEV_FLAG_READY_TO_PROBE = 0,
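Review bot: the description satisfies kernel-doc, but since DEV_FLAG_COUNT is the value used to size the flags bitmap it should say that it must remain the last enumerator, e.g. `@DEV_FLAG_COUNT: Number of defined struct_device_flags; must stay last.`, so a future flag is not appended after it.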



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 137/474] ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (135 preceding siblings ...)
  2026-05-15 15:44 ` [PATCH 6.6 136/474] driver core: Add kernel-doc for DEV_FLAG_COUNT enum value Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
  2026-05-15 15:44 ` [PATCH 6.6 138/474] ALSA: caiaq: Don't abort when no input device is available Greg Kroah-Hartman
                   ` (337 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 0a7b5221b5b51cc798fcfc3be00d02eade149d69 upstream.

The previous fix for handling the error from setup_card() missed that
an internal URB cdev->ep1_in_urb might have been already submitted
beforehand.  In the normal case, this URB gets killed at the
disconnection, but in the error path, we didn't do it, hence there can
be a potential leak.

Fix it in the error path for setup_card(), too.

Fixes: 28abd224db4a ("ALSA: caiaq: Handle probe errors properly")
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260427123819.890185-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/usb/caiaq/device.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/usb/caiaq/device.c
+++ b/sound/usb/caiaq/device.c
@@ -514,7 +514,7 @@ static int init_card(struct snd_usb_caia
 	card->private_free = card_free;
 	err = setup_card(cdev);
 	if (err < 0)
-		return err;
+		goto err_kill_urb;
 
 	return 0;
 
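Review bot: the `err_kill_urb` label is outside the hunk, so the review check is that it calls usb_kill_urb() on cdev->ep1_in_urb and then returns err rather than falling through to the success path. Note also that `card->private_free = card_free` is assigned on the line just above the setup_card() call, so when the caller answers the error with snd_card_free() the URB is killed a second time from card_free()'s teardown (which, per the later caiaq patch in this series, includes free_urbs()); usb_kill_urb() is safe on an already-unlinked URB, so this is correct, but a comment at the label saying the double kill is intentional would stop a later cleanup from removing one of them.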



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 138/474] ALSA: caiaq: Don't abort when no input device is available
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (136 preceding siblings ...)
  2026-05-15 15:44 ` [PATCH 6.6 137/474] ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
  2026-05-15 15:44 ` [PATCH 6.6 139/474] ipv6: rpl: reserve mac_len headroom when recompressed SRH grows Greg Kroah-Hartman
                   ` (336 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit b32ae47a2b0a1fb4bd4942242847966d9b178222 upstream.

The previous fix to handle the error from setup_card() caused a
regression for the models that have no dedicated input device;
snd_usb_caiaq_input_init() just returns -EINVAL, and we treat it as a
fatal error although it should be ignored.

As a regression fix, change the error code to -ENODEV, and ignore this
error in the callee, to continue probing.

Fixes: 28abd224db4a ("ALSA: caiaq: Handle probe errors properly")
Cc: <stable@vger.kernel.org>
Link: https://bugzilla.kernel.org/show_bug.cgi?id=221423
Link: https://patch.msgid.link/20260427145642.6637-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/usb/caiaq/device.c |    2 +-
 sound/usb/caiaq/input.c  |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/sound/usb/caiaq/device.c
+++ b/sound/usb/caiaq/device.c
@@ -366,7 +366,7 @@ static int setup_card(struct snd_usb_cai
 
 #ifdef CONFIG_SND_USB_CAIAQ_INPUT
 	ret = snd_usb_caiaq_input_init(cdev);
-	if (ret < 0) {
+	if (ret < 0 && ret != -ENODEV) {
 		dev_err(dev, "Unable to set up input system (ret=%d)\n", ret);
 		return ret;
 	}
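Review bot: after this hunk a -ENODEV from snd_usb_caiaq_input_init() leaves `ret` negative while execution continues, so whatever follows the `#endif` must overwrite ret before the function returns; the hunk does not show that code, so confirm it reassigns ret, otherwise the ignored -ENODEV still propagates to init_card() and the regression persists. A comment such as `/* -ENODEV: this model has no input device, not an error */` would also help, since deliberately swallowing an error code looks like a bug at first glance.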
--- a/sound/usb/caiaq/input.c
+++ b/sound/usb/caiaq/input.c
@@ -804,7 +804,7 @@ int snd_usb_caiaq_input_init(struct snd_
 
 	default:
 		/* no input methods supported on this device */
-		ret = -EINVAL;
+		ret = -ENODEV;
 		goto exit_free_idev;
 	}
 
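Review bot: returning -ENODEV from the default arm makes the "no input methods" case distinguishable, but only if no other failure inside snd_usb_caiaq_input_init() also produces -ENODEV, since the caller now treats that value as benign; the function's other error paths should be scanned for that before merging. The `goto exit_free_idev` is retained, so the benign return presumably still releases the input device allocated earlier and leaves nothing behind.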



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 139/474] ipv6: rpl: reserve mac_len headroom when recompressed SRH grows
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (137 preceding siblings ...)
  2026-05-15 15:44 ` [PATCH 6.6 138/474] ALSA: caiaq: Don't abort when no input device is available Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
  2026-05-15 15:44 ` [PATCH 6.6 140/474] drm/amdgpu: fix zero-size GDS range init on RDNA4 Greg Kroah-Hartman
                   ` (335 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Jakub Kicinski

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9e6bf146b55999a095bb14f73a843942456d1adc upstream.

ipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps
the next segment into ipv6_hdr->daddr, recompresses, then pulls the old
header and pushes the new one plus the IPv6 header back.  The
recompressed header can be larger than the received one when the swap
reduces the common-prefix length the segments share with daddr (CmprI=0,
CmprE>0, seg[0][0] != daddr[0] gives the maximum +8 bytes).

pskb_expand_head() was gated on segments_left == 0, so on earlier
segments the push consumed unchecked headroom.  Once skb_push() leaves
fewer than skb->mac_len bytes in front of data,
skb_mac_header_rebuild()'s call to:

	skb_set_mac_header(skb, -skb->mac_len);

will store (data - head) - mac_len into the u16 mac_header field, which
wraps to ~65530, and the following memmove() writes mac_len bytes ~64KiB
past skb->head.

A single AF_INET6/SOCK_RAW/IPV6_HDRINCL packet over lo with a two
segment type-3 SRH (CmprI=0, CmprE=15) reaches headroom 8 after one
pass; KASAN reports a 14-byte OOB write in ipv6_rthdr_rcv.

Fix this by expanding the head whenever the remaining room is less than
the push size plus mac_len, and request that much extra so the rebuilt
MAC header fits afterwards.

Fixes: 8610c7c6e3bd ("net: ipv6: add support for rpl sr exthdr")
Cc: stable <stable@kernel.org>
Reported-by: Anthropic
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026042133-gout-unvented-1bd9@gregkh
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/exthdrs.c |    9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -491,6 +491,7 @@ static int ipv6_rpl_srh_rcv(struct sk_bu
 	struct net *net = dev_net(skb->dev);
 	struct inet6_dev *idev;
 	struct ipv6hdr *oldhdr;
+	unsigned int chdr_len;
 	unsigned char *buf;
 	int accept_rpl_seg;
 	int i, err;
@@ -594,8 +595,10 @@ looped_back:
 	skb_pull(skb, ((hdr->hdrlen + 1) << 3));
 	skb_postpull_rcsum(skb, oldhdr,
 			   sizeof(struct ipv6hdr) + ((hdr->hdrlen + 1) << 3));
-	if (unlikely(!hdr->segments_left)) {
-		if (pskb_expand_head(skb, sizeof(struct ipv6hdr) + ((chdr->hdrlen + 1) << 3), 0,
+	chdr_len = sizeof(struct ipv6hdr) + ((chdr->hdrlen + 1) << 3);
+	if (unlikely(!hdr->segments_left ||
+		     skb_headroom(skb) < chdr_len + skb->mac_len)) {
+		if (pskb_expand_head(skb, chdr_len + skb->mac_len, 0,
 				     GFP_ATOMIC)) {
 			__IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)), IPSTATS_MIB_OUTDISCARDS);
 			kfree_skb(skb);
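Review bot: the new condition demands `chdr_len + skb->mac_len` of headroom although the push that follows only consumes chdr_len; the extra mac_len exists so that skb_mac_header_rebuild() can place the MAC header in front of the pushed data without the u16 mac_header offset going negative, and that rationale currently lives only in the commit message. A comment on the condition would keep someone from "fixing" the apparently oversized request. Also, `!hdr->segments_left` still forces pskb_expand_head() even when headroom is sufficient, so the two halves of the OR do different jobs (preserve the old behaviour for the last segment, and guarantee room otherwise); a word on why the unconditional expansion is kept would help.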
@@ -605,7 +608,7 @@ looped_back:
 
 		oldhdr = ipv6_hdr(skb);
 	}
-	skb_push(skb, ((chdr->hdrlen + 1) << 3) + sizeof(struct ipv6hdr));
+	skb_push(skb, chdr_len);
 	skb_reset_network_header(skb);
 	skb_mac_header_rebuild(skb);
 	skb_set_transport_header(skb, sizeof(struct ipv6hdr));
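Review bot: `skb_push(skb, chdr_len)` is a straight substitution of the value computed above, so this hunk only removes the duplicated `((chdr->hdrlen + 1) << 3) + sizeof(struct ipv6hdr)`; that is fine, and it has the useful side effect that the headroom check and the push can no longer disagree about the length.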



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 140/474] drm/amdgpu: fix zero-size GDS range init on RDNA4
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (138 preceding siblings ...)
  2026-05-15 15:44 ` [PATCH 6.6 139/474] ipv6: rpl: reserve mac_len headroom when recompressed SRH grows Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
  2026-05-15 15:44 ` [PATCH 6.6 141/474] ALSA: caiaq: fix usb_dev refcount leak on probe failure Greg Kroah-Hartman
                   ` (334 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Arjan van de Ven, Alex Deucher,
	Christian König, amd-gfx, dri-devel, linux-kernel

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arjan van de Ven <arjan@linux.intel.com>

commit 095a8b0ad3c3b5cdc3850d961adb8a8f735220bb upstream.

RDNA4 (GFX 12) hardware removes the GDS, GWS, and OA on-chip memory
resources. The gfx_v12_0 initialisation code correctly leaves
adev->gds.gds_size, adev->gds.gws_size, and adev->gds.oa_size at
zero to reflect this.

amdgpu_ttm_init() unconditionally calls amdgpu_ttm_init_on_chip() for
each of these resources regardless of size. When the size is zero,
amdgpu_ttm_init_on_chip() forwards the call to ttm_range_man_init(),
which calls drm_mm_init(mm, 0, 0). drm_mm_init() immediately fires
DRM_MM_BUG_ON(start + size <= start) -- trivially true when size is
zero -- crashing the kernel during modprobe of amdgpu on an RX 9070 XT.

Guard against this by returning 0 early from
amdgpu_ttm_init_on_chip() when size_in_page is zero. This skips TTM
resource manager registration for hardware resources that are absent,
without affecting any other GPU type.

DRM_MM_BUG_ON() only asserts if CONFIG_DRM_DEBUG_MM is enabled in
the kernel config.  This is apparently rarely enabled as these chips
have been in the market for over a year and this issue was only reported
now.

Link: https://lore.kernel.org/all/bug-221376-2300@https.bugzilla.kernel.org%2F/
Link: https://bugzilla.kernel.org/show_bug.cgi?id=221376
Oops-Analysis: http://oops.fenrus.org/reports/bugzilla.korg/221376/report.html
Assisted-by: GitHub Copilot:Claude Sonnet 4.6 linux-kernel-oops-x86.
Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: "Christian König" <christian.koenig@amd.com>
Cc: amd-gfx@lists.freedesktop.org
Cc: dri-devel@lists.freedesktop.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 5719ce5865279cad4fd5f01011fe037168503f2d)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
@@ -75,6 +75,9 @@ static int amdgpu_ttm_init_on_chip(struc
 				    unsigned int type,
 				    uint64_t size_in_page)
 {
+	if (!size_in_page)
+		return 0;
+
 	return ttm_range_man_init(&adev->mman.bdev, type,
 				  false, size_in_page);
 }
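Review bot: returning 0 without registering a manager means the matching teardown (the range manager fini for GDS, GWS and OA in amdgpu_ttm_fini()) must now cope with a type that was never initialised; if that path calls ttm_range_man_fini() unconditionally it will operate on an absent manager, so it needs the same zero-size guard or a check that the manager exists. A comment at the early return, e.g. `/* GFX12 has no GDS/GWS/OA; nothing to register */`, would record why a zero size is expected here rather than an error.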



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 141/474] ALSA: caiaq: fix usb_dev refcount leak on probe failure
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (139 preceding siblings ...)
  2026-05-15 15:44 ` [PATCH 6.6 140/474] drm/amdgpu: fix zero-size GDS range init on RDNA4 Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
  2026-05-15 15:44 ` [PATCH 6.6 142/474] net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels Greg Kroah-Hartman
                   ` (333 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+2afd7e71155c7e241560,
	Deepanshu Kartikey, Takashi Iwai

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Deepanshu Kartikey <kartikey406@gmail.com>

commit 7a5f1cd22d47f8ca4b760b6334378ae42c1bd24b upstream.

create_card() takes a reference on the USB device with usb_get_dev()
and stores the matching usb_put_dev() in card_free(), which is
installed as the snd_card's ->private_free destructor.

However, ->private_free is only assigned near the end of init_card(),
after several failure points (usb_set_interface(), EP type checks,
usb_submit_urb(), the EP1_CMD_GET_DEVICE_INFO exchange, and its
timeout). When any of those fail, init_card() returns an error to
snd_probe(), which calls snd_card_free(card). Because ->private_free
is still NULL, card_free() never runs, the usb_get_dev() reference
is not dropped, and the struct usb_device leaks along with its
descriptor allocations and device_private.

syzbot reproduces this with a malformed UAC3 device whose only valid
altsetting is 0; init_card()'s usb_set_interface(usb_dev, 0, 1) call
fails with -EIO and triggers the leak.

Move the ->private_free assignment into create_card(), immediately
after usb_get_dev(), so that every error path reaching snd_card_free()
balances the reference. card_free()'s callees (snd_usb_caiaq_input_free,
free_urbs, kfree) already tolerate the partially-initialized state
because the chip private area is zero-initialized by snd_card_new().

Fixes: 80bb50e2d459 ("ALSA: caiaq: take a reference on the USB device in create_card()")
Reported-by: syzbot+2afd7e71155c7e241560@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2afd7e71155c7e241560
Tested-by: syzbot+2afd7e71155c7e241560@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Link: https://patch.msgid.link/20260426001934.70813-1-kartikey406@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/usb/caiaq/device.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/usb/caiaq/device.c
+++ b/sound/usb/caiaq/device.c
@@ -423,6 +423,7 @@ static int create_card(struct usb_device
 
 	cdev = caiaqdev(card);
 	cdev->chip.dev = usb_get_dev(usb_dev);
+	card->private_free = card_free;
 	cdev->chip.card = card;
 	cdev->chip.usb_id = USB_ID(le16_to_cpu(usb_dev->descriptor.idVendor),
 				  le16_to_cpu(usb_dev->descriptor.idProduct));
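Review bot: with `card->private_free` installed right after usb_get_dev(), card_free() can now run against a cdev in which nothing beyond `chip.dev` has been set up, so this hunk is only correct if the claim in the commit message holds that snd_usb_caiaq_input_free(), free_urbs() and kfree() tolerate zeroed fields; confirm in particular that the input free handles a NULL input device, since a NULL dereference there would turn the leak into a crash on the same malformed-device input syzbot used. A comment above the assignment stating that card_free() must stay safe on a zero-initialised cdev would make that invariant explicit for future fields.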
@@ -511,7 +512,6 @@ static int init_card(struct snd_usb_caia
 	scnprintf(card->longname, sizeof(card->longname), "%s %s (%s)",
 		       cdev->vendor_name, cdev->product_name, usbpath);
 
-	card->private_free = card_free;
 	err = setup_card(cdev);
 	if (err < 0)
 		goto err_kill_urb;
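Review bot: removing the late assignment is the other half of the move, but note the interaction with the `err_kill_urb` path left below it: on a setup_card() failure the URB is now killed here and again from free_urbs() when snd_card_free() runs card_free(). usb_kill_urb() is idempotent, so this is safe, but it is a second reason (after the earlier caiaq fix in this series) to document at the label that the double kill is deliberate.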



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 142/474] net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (140 preceding siblings ...)
  2026-05-15 15:44 ` [PATCH 6.6 141/474] ALSA: caiaq: fix usb_dev refcount leak on probe failure Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
  2026-05-15 15:44 ` [PATCH 6.6 143/474] netfilter: reject zero shift in nft_bitwise Greg Kroah-Hartman
                   ` (332 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Andrea Mayer, Simon Horman,
	Justin Iurman, Paolo Abeni

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andrea Mayer <andrea.mayer@uniroma2.it>

commit f9c52a6ba9780bd27e0bf4c044fd91c13c778b6e upstream.

seg6_input_core() and rpl_input() call ip6_route_input() which sets a
NOREF dst on the skb, then pass it to dst_cache_set_ip6() invoking
dst_hold() unconditionally.
On PREEMPT_RT, ksoftirqd is preemptible and a higher-priority task can
release the underlying pcpu_rt between the lookup and the caching
through a concurrent FIB lookup on a shared nexthop.
Simplified race sequence:

  ksoftirqd/X                       higher-prio task (same CPU X)
  -----------                       --------------------------------
  seg6_input_core(,skb)/rpl_input(skb)
    dst_cache_get()
      -> miss
    ip6_route_input(skb)
      -> ip6_pol_route(,skb,flags)
         [RT6_LOOKUP_F_DST_NOREF in flags]
        -> FIB lookup resolves fib6_nh
           [nhid=N route]
        -> rt6_make_pcpu_route()
           [creates pcpu_rt, refcount=1]
             pcpu_rt->sernum = fib6_sernum
             [fib6_sernum=W]
           -> cmpxchg(fib6_nh.rt6i_pcpu,
                      NULL, pcpu_rt)
              [slot was empty, store succeeds]
      -> skb_dst_set_noref(skb, dst)
         [dst is pcpu_rt, refcount still 1]

                                    rt_genid_bump_ipv6()
                                      -> bumps fib6_sernum
                                         [fib6_sernum from W to Z]
                                    ip6_route_output()
                                      -> ip6_pol_route()
                                        -> FIB lookup resolves fib6_nh
                                           [nhid=N]
                                        -> rt6_get_pcpu_route()
                                             pcpu_rt->sernum != fib6_sernum
                                             [W <> Z, stale]
                                          -> prev = xchg(rt6i_pcpu, NULL)
                                          -> dst_release(prev)
                                             [prev is pcpu_rt,
                                              refcount 1->0, dead]

    dst = skb_dst(skb)
    [dst is the dead pcpu_rt]
    dst_cache_set_ip6(dst)
      -> dst_hold() on dead dst
      -> WARN / use-after-free

For the race to occur, ksoftirqd must be preemptible (PREEMPT_RT without
PREEMPT_RT_NEEDS_BH_LOCK) and a concurrent task must be able to release
the pcpu_rt. Shared nexthop objects provide such a path, as two routes
pointing to the same nhid share the same fib6_nh and its rt6i_pcpu
entry.

Fix seg6_input_core() and rpl_input() by calling skb_dst_force() after
ip6_route_input() to force the NOREF dst into a refcounted one before
caching.
The output path is not affected as ip6_route_output() already returns a
refcounted dst.

Fixes: af4a2209b134 ("ipv6: sr: use dst_cache in seg6_input")
Fixes: a7a29f9c361f ("net: ipv6: add rpl sr tunnel")
Cc: stable@vger.kernel.org
Signed-off-by: Andrea Mayer <andrea.mayer@uniroma2.it>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Justin Iurman <justin.iurman@gmail.com>
Link: https://patch.msgid.link/20260421094735.20997-1-andrea.mayer@uniroma2.it
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/rpl_iptunnel.c  |    9 +++++++++
 net/ipv6/seg6_iptunnel.c |    9 +++++++++
 2 files changed, 18 insertions(+)

--- a/net/ipv6/rpl_iptunnel.c
+++ b/net/ipv6/rpl_iptunnel.c
@@ -282,7 +282,16 @@ static int rpl_input(struct sk_buff *skb
 
 	if (!dst) {
 		ip6_route_input(skb);
+
+		/* ip6_route_input() sets a NOREF dst; force a refcount on it
+		 * before caching or further use.
+		 */
+		skb_dst_force(skb);
 		dst = skb_dst(skb);
+		if (unlikely(!dst)) {
+			err = -ENETUNREACH;
+			goto drop;
+		}
 
 		/* cache only if we don't create a dst reference loop */
 		if (!dst->error && lwtst != dst->lwtstate) {
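Review bot: the new `if (unlikely(!dst))` check is what makes this hunk correct, and it deserves a word in the comment: skb_dst_force() takes the reference with dst_hold_safe(), and when that fails (exactly the dead pcpu_rt case from the changelog, refcount already zero) it clears the skb's dst and returns false, so skb_dst(skb) is NULL afterwards. ip6_route_input() itself never leaves a NULL dst (it installs an error dst on failure), so the `-ENETUNREACH` drop path is reached only when the forced reference could not be taken. Using the return value directly, `if (unlikely(!skb_dst_force(skb)))`, would make that intent visible without the second skb_dst() read.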
--- a/net/ipv6/seg6_iptunnel.c
+++ b/net/ipv6/seg6_iptunnel.c
@@ -496,7 +496,16 @@ static int seg6_input_core(struct net *n
 
 	if (!dst) {
 		ip6_route_input(skb);
+
+		/* ip6_route_input() sets a NOREF dst; force a refcount on it
+		 * before caching or further use.
+		 */
+		skb_dst_force(skb);
 		dst = skb_dst(skb);
+		if (unlikely(!dst)) {
+			err = -ENETUNREACH;
+			goto drop;
+		}
 
 		/* cache only if we don't create a dst reference loop */
 		if (!dst->error && lwtst != dst->lwtstate) {
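Review bot: this is the same five-line sequence as in rpl_input(), so the two copies will have to be kept in sync by hand; for a stable backport mirroring upstream that is acceptable, but a tiny helper (force the NOREF dst, return NULL on failure) would let both lwtunnels share it. Note also that the unchanged `if (!dst->error && ...)` cache condition below still relies on ip6_route_input() returning an error dst rather than NULL, so the new NULL check catches only the skb_dst_force() failure, not a routing failure.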




* [PATCH 6.6 143/474] netfilter: reject zero shift in nft_bitwise
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
	Juefei Pu, Xin Liu, Kai Ma, Ren Wei, Fernando Fernandez Mancera,
	Pablo Neira Ayuso

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kai Ma <k4729.23098@gmail.com>

commit fe11e5c40817b84abaa5d83bfb6586d8412bfd07 upstream.

Reject zero shift operands for nft_bitwise left and right shift
expressions during initialization.

The carry propagation logic computes the carry from the adjacent 32-bit
word using BITS_PER_TYPE(u32) - shift. A zero shift operand turns this
into a 32-bit shift, which is undefined behaviour.

Reject zero shift operands in the control plane, alongside the existing
check for values greater than or equal to 32, so malformed rules never
reach the packet path.

Fixes: 567d746b55bc ("netfilter: bitwise: add support for shifts.")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Kai Ma <k4729.23098@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/netfilter/nft_bitwise.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/netfilter/nft_bitwise.c
+++ b/net/netfilter/nft_bitwise.c
@@ -149,7 +149,8 @@ static int nft_bitwise_init_shift(struct
 	if (err < 0)
 		return err;
 
-	if (priv->data.data[0] >= BITS_PER_TYPE(u32)) {
+	if (!priv->data.data[0] ||
+	    priv->data.data[0] >= BITS_PER_TYPE(u32)) {
 		nft_data_release(&priv->data, desc.type);
 		return -EINVAL;
 	}
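Review bot: a one-line comment above the condition would help here, because `!priv->data.data[0]` will look redundant to a later reader (a shift by zero is a semantic no-op, not obviously invalid). The real reason is in the changelog: the carry computation shifts the neighbouring word by `BITS_PER_TYPE(u32) - shift`, which is a 32-bit shift for shift == 0 and undefined behaviour, so the accepted range is 1..31. Since this turns a previously accepted (if harmful) rule into an -EINVAL at load time, the commit message might also mention that existing rulesets using a zero shift will now be rejected.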




* [PATCH 6.6 144/474] scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Martin K. Petersen

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 772a896a56e0e3ef9424a025cec9176f9d8f4552 upstream.

target_tg_pt_gp_members_show() formats LUN paths with snprintf() into a
256-byte stack buffer, then memcpy()s cur_len bytes from that
buffer.  snprintf() returns the length the output would have had, which
can exceed the buffer size when the fabric WWN is long, because iSCSI IQN
names can be up to 223 bytes.  The check at the memcpy() site only
guards the destination page write, not the source read, so memcpy() will
read past the stack buffer and copy adjacent stack contents to the sysfs
reader, and when CONFIG_FORTIFY_SOURCE is enabled fortify_panic()
will be triggered.

Commit 27e06650a5ea ("scsi: target: target_core_configfs: Add length
check to avoid buffer overflow") added the same bound to
target_lu_gp_members_show(), but the tg_pt_gp variant was missed, so
resolve that here.

Cc: Martin K. Petersen <martin.petersen@oracle.com>
Fixes: c66ac9db8d4a ("[SCSI] target: Add LIO target core v4.0.0-rc6")
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026041159-garter-theft-3be0@gregkh
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/target/target_core_configfs.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/target/target_core_configfs.c
+++ b/drivers/target/target_core_configfs.c
@@ -3134,7 +3134,7 @@ static ssize_t target_tg_pt_gp_members_s
 			config_item_name(&lun->lun_group.cg_item));
 		cur_len++; /* Extra byte for NULL terminator */
 
-		if ((cur_len + len) > PAGE_SIZE) {
+		if (cur_len > TG_PT_GROUP_NAME_BUF || (cur_len + len) > PAGE_SIZE) {
 			pr_warn("Ran out of lu_gp_show_attr"
 				"_members buffer\n");
 			break;
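Review bot: the bound is tight and correct (cur_len already includes the extra NUL byte, so `cur_len > TG_PT_GROUP_NAME_BUF` rejects exactly the outputs snprintf() had to truncate), but the pr_warn() on this path still says "lu_gp_show_attr_members", which is the lu_gp function's message copied over; in tg_pt_gp the wrong name will send whoever hits it to the wrong function. Since this path now also fires for a single over-long IQN (not only a full page), the warning should say that the entry was skipped, otherwise the truncated member list is silent. Something like `pr_warn("tg_pt_gp member name too long, truncating list\n")` would do.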




* [PATCH 6.6 145/474] ipmi: Add limits to event and receive message requests
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Matt Fleming, Corey Minyard

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Corey Minyard <corey@minyard.net>

commit c4cca236968683eb0d59abfb12d5c7e4d8514227 upstream.

The driver would just fetch events and receive messages until the
BMC said it was done.  To avoid issues with BMCs that never say they are
done, add a limit of 10 fetches at a time.

In addition, an si interface has an attn state it can return from the
hardware which is supposed to cause a flag fetch to see if the driver
needs to fetch events or messages or a few other things.  If the attn
bit gets stuck, it's a similar problem.  So allow messages in between
flag fetches so the driver itself doesn't get stuck.

This is a more general fix than the previous fix for the specific bad
BMC, but should fix the more general issue of a BMC that won't stop
saying it has data.

This has been there from the beginning of the driver.  It's not a bug
per se, but it is accounting for bugs in BMCs.

Reported-by: Matt Fleming <mfleming@cloudflare.com>
Closes: https://lore.kernel.org/lkml/20260415115930.3428942-1-matt@readmodwrite.com/
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Corey Minyard <corey@minyard.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/char/ipmi/ipmi_si_intf.c |   54 +++++++++++++++++++++++++++++++--------
 drivers/char/ipmi/ipmi_ssif.c    |   23 +++++++++++++++-
 2 files changed, 64 insertions(+), 13 deletions(-)

--- a/drivers/char/ipmi/ipmi_si_intf.c
+++ b/drivers/char/ipmi/ipmi_si_intf.c
@@ -162,6 +162,10 @@ struct smi_info {
 			     OEM2_DATA_AVAIL)
 	unsigned char       msg_flags;
 
+	/* When requesting events and messages, don't do it forever. */
+	unsigned int        num_requests_in_a_row;
+	bool		    last_was_flag_fetch;
+
 	/* Does the BMC have an event buffer? */
 	bool		    has_event_buffer;
 
@@ -394,7 +398,10 @@ static void start_getting_msg_queue(stru
 
 	start_new_msg(smi_info, smi_info->curr_msg->data,
 		      smi_info->curr_msg->data_size);
-	smi_info->si_state = SI_GETTING_MESSAGES;
+	if (smi_info->si_state != SI_GETTING_MESSAGES) {
+		smi_info->num_requests_in_a_row = 0;
+		smi_info->si_state = SI_GETTING_MESSAGES;
+	}
 }
 
 static void start_getting_events(struct smi_info *smi_info)
@@ -405,7 +412,10 @@ static void start_getting_events(struct
 
 	start_new_msg(smi_info, smi_info->curr_msg->data,
 		      smi_info->curr_msg->data_size);
-	smi_info->si_state = SI_GETTING_EVENTS;
+	if (smi_info->si_state != SI_GETTING_EVENTS) {
+		smi_info->num_requests_in_a_row = 0;
+		smi_info->si_state = SI_GETTING_EVENTS;
+	}
 }
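Review bot: because one `num_requests_in_a_row` counter is shared by SI_GETTING_MESSAGES and SI_GETTING_EVENTS and is reset on every state change in these two functions, the limit bounds each run in one state, not the total: a BMC that keeps reporting RECEIVE_MSG_AVAIL and EVENT_MSG_BUFFER_FULL alternately can still keep the driver fetching for more than 10 requests between flag fetches. That is probably acceptable, but either say so in the comment on the struct field or keep the counter per state (or reset it only in the flag-fetch completion path).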
 
 /*
@@ -579,6 +589,7 @@ static void handle_transaction_done(stru
 			smi_info->si_state = SI_NORMAL;
 		} else {
 			smi_info->msg_flags = msg[3];
+			smi_info->last_was_flag_fetch = true;
 			handle_flags(smi_info);
 		}
 		break;
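Review bot: `last_was_flag_fetch = true` is set only in the success branch; when the flag fetch itself returns an error (the `si_state = SI_NORMAL` branch just above), the flag stays false and the new ATTN bypass in the restart loop never triggers. If a stuck attn line goes together with failing GET_MSG_FLAGS responses, a waiting message therefore still starves, which is the situation this patch set out to avoid. Setting the flag before the error check (a flag fetch completed, whatever its result) would cover that case.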
@@ -624,6 +635,11 @@ static void handle_transaction_done(stru
 		} else {
 			smi_inc_stat(smi_info, events);
 
+			smi_info->num_requests_in_a_row++;
+			if (smi_info->num_requests_in_a_row > 10)
+				/* Stop if we do this too many times. */
+				smi_info->msg_flags &= ~EVENT_MSG_BUFFER_FULL;
+
 			/*
 			 * Do this before we deliver the message
 			 * because delivering the message releases the
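Review bot: clearing EVENT_MSG_BUFFER_FULL after the eleventh fetch only ends the current burst, because msg_flags is re-read from the BMC on the next flags fetch; a misbehaving BMC is throttled, not ignored. The comment "Stop if we do this too many times" reads as if the fetching stops for good, so a wording such as "back off and let other work run; the flag is re-read on the next flags fetch" would describe the actual behaviour.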
@@ -662,6 +678,11 @@ static void handle_transaction_done(stru
 		} else {
 			smi_inc_stat(smi_info, incoming_messages);
 
+			smi_info->num_requests_in_a_row++;
+			if (smi_info->num_requests_in_a_row > 10)
+				/* Stop if we do this too many times. */
+				smi_info->msg_flags &= ~RECEIVE_MSG_AVAIL;
+
 			/*
 			 * Do this before we deliver the message
 			 * because delivering the message releases the
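Review bot: the literal `10` now appears four times across ipmi_si_intf.c and ipmi_ssif.c with the same comment; a single named constant (in a header both drivers already include) would keep the two drivers in step when the limit is tuned. Also, a comment line as the sole body of a brace-less `if` is legal but easy to misread; putting the comment above the `if` or adding braces would avoid that.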
@@ -790,6 +811,26 @@ restart:
 	}
 
 	/*
+	 * If we are currently idle, or if the last thing that was
+	 * done was a flag fetch and there is a message pending, try
+	 * to start the next message.
+	 *
+	 * We do the waiting message check to avoid a stuck flag
+	 * completely wedging the driver.  Let a message through
+	 * in between flag operations if that happens.
+	 */
+	if (si_sm_result == SI_SM_IDLE ||
+	    (si_sm_result == SI_SM_ATTN && smi_info->waiting_msg &&
+	     smi_info->last_was_flag_fetch)) {
+		smi_info->last_was_flag_fetch = false;
+		smi_inc_stat(smi_info, idles);
+
+		si_sm_result = start_next_msg(smi_info);
+		if (si_sm_result != SI_SM_IDLE)
+			goto restart;
+	}
+
+	/*
 	 * We prefer handling attn over new messages.  But don't do
 	 * this if there is not yet an upper layer to handle anything.
 	 */
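Review bot: `smi_inc_stat(smi_info, idles)` is now also incremented when this block is entered on SI_SM_ATTN (waiting message after a flag fetch), so the idles statistic overcounts by one per bypass. If the counter is meant to stay an idle count, wrap the increment in `if (si_sm_result == SI_SM_IDLE)`. The alternation itself looks right: the attn handling below is skipped only for this one pass, the attn state persists in hardware, and `last_was_flag_fetch` has been cleared, so the next iteration handles the attn.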
@@ -822,15 +863,6 @@ restart:
 		}
 	}
 
-	/* If we are currently idle, try to start the next message. */
-	if (si_sm_result == SI_SM_IDLE) {
-		smi_inc_stat(smi_info, idles);
-
-		si_sm_result = start_next_msg(smi_info);
-		if (si_sm_result != SI_SM_IDLE)
-			goto restart;
-	}
-
 	if ((si_sm_result == SI_SM_IDLE)
 	    && (atomic_read(&smi_info->req_events))) {
 		/*
--- a/drivers/char/ipmi/ipmi_ssif.c
+++ b/drivers/char/ipmi/ipmi_ssif.c
@@ -225,6 +225,9 @@ struct ssif_info {
 	bool		    has_event_buffer;
 	bool		    supports_alert;
 
+	/* When requesting events and messages, don't do it forever. */
+	unsigned int        num_requests_in_a_row;
+
 	/*
 	 * Used to tell what we should do with alerts.  If we are
 	 * waiting on a response, read the data immediately.
@@ -413,7 +416,10 @@ static void start_event_fetch(struct ssi
 	}
 
 	ssif_info->curr_msg = msg;
-	ssif_info->ssif_state = SSIF_GETTING_EVENTS;
+	if (ssif_info->ssif_state != SSIF_GETTING_EVENTS) {
+		ssif_info->num_requests_in_a_row = 0;
+		ssif_info->ssif_state = SSIF_GETTING_EVENTS;
+	}
 	ipmi_ssif_unlock_cond(ssif_info, flags);
 
 	msg->data[0] = (IPMI_NETFN_APP_REQUEST << 2);
@@ -436,7 +442,10 @@ static void start_recv_msg_fetch(struct
 	}
 
 	ssif_info->curr_msg = msg;
-	ssif_info->ssif_state = SSIF_GETTING_MESSAGES;
+	if (ssif_info->ssif_state != SSIF_GETTING_MESSAGES) {
+		ssif_info->num_requests_in_a_row = 0;
+		ssif_info->ssif_state = SSIF_GETTING_MESSAGES;
+	}
 	ipmi_ssif_unlock_cond(ssif_info, flags);
 
 	msg->data[0] = (IPMI_NETFN_APP_REQUEST << 2);
@@ -843,6 +852,11 @@ static void msg_done_handler(struct ssif
 			ssif_info->msg_flags &= ~EVENT_MSG_BUFFER_FULL;
 			handle_flags(ssif_info, flags);
 		} else {
+			ssif_info->num_requests_in_a_row++;
+			if (ssif_info->num_requests_in_a_row > 10)
+				/* Stop if we do this too many times. */
+				ssif_info->msg_flags &= ~EVENT_MSG_BUFFER_FULL;
+
 			handle_flags(ssif_info, flags);
 			ssif_inc_stat(ssif_info, events);
 			deliver_recv_msg(ssif_info, msg);
@@ -876,6 +890,11 @@ static void msg_done_handler(struct ssif
 			ssif_info->msg_flags &= ~RECEIVE_MSG_AVAIL;
 			handle_flags(ssif_info, flags);
 		} else {
+			ssif_info->num_requests_in_a_row++;
+			if (ssif_info->num_requests_in_a_row > 10)
+				/* Stop if we do this too many times. */
+				ssif_info->msg_flags &= ~RECEIVE_MSG_AVAIL;
+
 			ssif_inc_stat(ssif_info, incoming_messages);
 			handle_flags(ssif_info, flags);
 			deliver_recv_msg(ssif_info, msg);




* [PATCH 6.6 146/474] ipmi: Check event message buffer response for bad data
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Matt Fleming, Corey Minyard

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Corey Minyard <corey@minyard.net>

commit 36920f30e78e69df01f9691c470b6f3ba8aebf98 upstream.

The event message buffer response data size got checked later when
processing, but check it right after the response comes back.  It
appears some BMCs may return an empty message instead of an error
when fetching events.

There are apparently some new BMCs that make this error, so we need to
compensate.

Reported-by: Matt Fleming <mfleming@cloudflare.com>
Closes: https://lore.kernel.org/lkml/20260415115930.3428942-1-matt@readmodwrite.com/
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: <stable@vger.kernel.org>
Signed-off-by: Corey Minyard <corey@minyard.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/char/ipmi/ipmi_si_intf.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/char/ipmi/ipmi_si_intf.c
+++ b/drivers/char/ipmi/ipmi_si_intf.c
@@ -625,7 +625,13 @@ static void handle_transaction_done(stru
 		 */
 		msg = smi_info->curr_msg;
 		smi_info->curr_msg = NULL;
-		if (msg->rsp[2] != 0) {
+		/*
+		 * It appears some BMCs, with no event data, return no
+		 * data in the message and not a 0x80 error as the
+		 * spec says they should.  Shut down processing if
+		 * the data is not the right length.
+		 */
+		if (msg->rsp[2] != 0 || msg->rsp_size != 19) {
 			/* Error getting event, probably done. */
 			msg->done(msg);
 




* [PATCH 6.6 147/474] ipmi:si: Return state to normal if message allocation fails
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Corey Minyard

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Corey Minyard <corey@minyard.net>

commit 09dd798270ff582d7309f285d4aaf5dbebae01cb upstream.

There were places where nothing would get started if a message
allocation failed, so the driver needs to return to normal state.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: <stable@vger.kernel.org>
Signed-off-by: Corey Minyard <corey@minyard.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/char/ipmi/ipmi_si_intf.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/char/ipmi/ipmi_si_intf.c
+++ b/drivers/char/ipmi/ipmi_si_intf.c
@@ -481,15 +481,19 @@ retry:
 	} else if (smi_info->msg_flags & RECEIVE_MSG_AVAIL) {
 		/* Messages available. */
 		smi_info->curr_msg = alloc_msg_handle_irq(smi_info);
-		if (!smi_info->curr_msg)
+		if (!smi_info->curr_msg) {
+			smi_info->si_state = SI_NORMAL;
 			return;
+		}
 
 		start_getting_msg_queue(smi_info);
 	} else if (smi_info->msg_flags & EVENT_MSG_BUFFER_FULL) {
 		/* Events available. */
 		smi_info->curr_msg = alloc_msg_handle_irq(smi_info);
-		if (!smi_info->curr_msg)
+		if (!smi_info->curr_msg) {
+			smi_info->si_state = SI_NORMAL;
 			return;
+		}
 
 		start_getting_events(smi_info);
 	} else if (smi_info->msg_flags & OEM_DATA_AVAIL &&
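Review bot: the hunk ends at the start of the OEM_DATA_AVAIL branch, so it is not visible whether that branch also allocates a message with alloc_msg_handle_irq(); if it does, it needs the same `si_state = SI_NORMAL` reset on allocation failure, otherwise the state machine can still be left stuck in a non-normal state on that path. The two new blocks are identical; a short `goto` to a common out label, or moving the reset into the caller, would avoid repeating it a third time.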




* [PATCH 6.6 148/474] fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Rajat Gupta, Helge Deller

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rajat Gupta <rajgupt@qti.qualcomm.com>

commit 8de779dc40d35d39fa07387b6f921eb11df0f511 upstream.

dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages
to userspace but sets no vm_ops on the VMA. This means the kernel cannot
track active mmaps. When dlfb_realloc_framebuffer() replaces the backing
buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated.
On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages
while userspace PTEs still reference them, resulting in a use-after-free:
the process retains read/write access to freed kernel pages.

Add vm_operations_struct with open/close callbacks that maintain an
atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(),
check mmap_count and return -EBUSY if the buffer is currently mapped,
preventing buffer replacement while userspace holds stale PTEs.

Tested with PoC using dummy_hcd + raw_gadget USB device emulation.

Signed-off-by: Rajat Gupta <rajgupt@qti.qualcomm.com>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: stable@vger.kernel.org
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/video/fbdev/udlfb.c |   31 ++++++++++++++++++++++++++++++-
 include/video/udlfb.h       |    1 +
 2 files changed, 31 insertions(+), 1 deletion(-)

--- a/drivers/video/fbdev/udlfb.c
+++ b/drivers/video/fbdev/udlfb.c
@@ -321,12 +321,32 @@ static int dlfb_set_video_mode(struct dl
 	return retval;
 }
 
+static void dlfb_vm_open(struct vm_area_struct *vma)
+{
+	struct dlfb_data *dlfb = vma->vm_private_data;
+
+	atomic_inc(&dlfb->mmap_count);
+}
+
+static void dlfb_vm_close(struct vm_area_struct *vma)
+{
+	struct dlfb_data *dlfb = vma->vm_private_data;
+
+	atomic_dec(&dlfb->mmap_count);
+}
+
+static const struct vm_operations_struct dlfb_vm_ops = {
+	.open  = dlfb_vm_open,
+	.close = dlfb_vm_close,
+};
+
 static int dlfb_ops_mmap(struct fb_info *info, struct vm_area_struct *vma)
 {
 	unsigned long start = vma->vm_start;
 	unsigned long size = vma->vm_end - vma->vm_start;
 	unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
 	unsigned long page, pos;
+	struct dlfb_data *dlfb = info->par;
 
 	if (info->fbdefio)
 		return fb_deferred_io_mmap(info, vma);
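Review bot: dlfb_vm_open()/dlfb_vm_close() reach `struct dlfb_data` through `vma->vm_private_data` with no reference taken on it, so the VMA may outlive the device on USB disconnect: if dlfb_data can be freed while a mapping is still open, the later munmap() will run dlfb_vm_close() on freed memory. Please confirm that the fb_info/dlfb_data release is deferred until the last file and mapping is gone (the fbdev core's open-count handling may already guarantee this), and say so in a comment next to the vm_ops.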
@@ -356,6 +376,9 @@ static int dlfb_ops_mmap(struct fb_info
 			size = 0;
 	}
 
+	vma->vm_ops = &dlfb_vm_ops;
+	vma->vm_private_data = dlfb;
+	atomic_inc(&dlfb->mmap_count);
 	return 0;
 }
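Review bot: the explicit `atomic_inc(&dlfb->mmap_count)` here is needed because `->open` is not called on the initial mmap(), only when the VMA is copied (fork) or split, so the count is balanced as long as every earlier error return in dlfb_ops_mmap() exits before this tail (no vm_ops set, no increment, and no `->close` for a VMA that was never fully set up). Worth a one-line comment, since a reader seeing both `dlfb_vm_open()` and this increment may suspect a double count.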
 
@@ -1219,7 +1242,6 @@ static void dlfb_deferred_vfree(struct d
 
 /*
  * Assumes &info->lock held by caller
- * Assumes no active clients have framebuffer open
  */
 static int dlfb_realloc_framebuffer(struct dlfb_data *dlfb, struct fb_info *info, u32 new_len)
 {
@@ -1231,6 +1253,13 @@ static int dlfb_realloc_framebuffer(stru
 	new_len = PAGE_ALIGN(new_len);
 
 	if (new_len > old_len) {
+		if (atomic_read(&dlfb->mmap_count) > 0) {
+			dev_warn(info->dev,
+				"refusing realloc: %d active mmaps\n",
+				atomic_read(&dlfb->mmap_count));
+			return -EBUSY;
+		}
+
 		/*
 		 * Alloc system memory for virtual framebuffer
 		 */
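Review bot: the EBUSY refusal sits only inside `if (new_len > old_len)`, which is right since the buffer is not replaced otherwise, but the dev_warn() is reachable from an unprivileged FBIOPUT_VSCREENINFO caller who holds the mapping, so it can be used to flood the log; dev_warn_ratelimited() would be the safer choice. Returning -EBUSY also means a mode change that needs a larger buffer now fails for an application with the framebuffer mapped, which the commit message should state as a user-visible behaviour change.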
--- a/include/video/udlfb.h
+++ b/include/video/udlfb.h
@@ -56,6 +56,7 @@ struct dlfb_data {
 	spinlock_t damage_lock;
 	struct work_struct damage_work;
 	struct fb_ops ops;
+	atomic_t mmap_count;
 	/* blit-only rendering path metrics, exposed through sysfs */
 	atomic_t bytes_rendered; /* raw pixel-bytes driver asked to render */
 	atomic_t bytes_identical; /* saved effort with backbuffer comparison */
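Review bot: no initialisation of `mmap_count` is visible in the patch, so its correctness depends on `struct dlfb_data` being zero-allocated; if the probe path uses kzalloc() that is fine, but an explicit `atomic_set(&dlfb->mmap_count, 0)` next to where the other atomics are initialised would make the invariant visible and survive a future change in allocation.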




* [PATCH 6.6 149/474] ACPI: scan: Use acpi_dev_put() in object add error paths
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Guangshuo Li, Rafael J. Wysocki

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guangshuo Li <lgs201920130244@gmail.com>

commit 9c0acc169ac71535477caedea8315f7041c5f07c upstream.

After acpi_init_device_object(), the lifetime of struct acpi_device is
managed by the driver core through reference counting.

Both acpi_add_power_resource() and acpi_add_single_object() call
acpi_init_device_object() and then invoke acpi_device_add(). If that
fails, their error paths call the release callback directly instead of
dropping the device reference through acpi_dev_put().

This bypasses the normal device lifetime rules and frees the object
without releasing the reference acquired by device_initialize(), which
may lead to a refcount leak.

The issue was identified by a static analysis tool I developed and
confirmed by manual review.

Fix both error paths by using acpi_dev_put() and let the release
callback handle the final cleanup.

Fixes: 781d737c7466 ("ACPI: Drop power resources driver")
Fixes: 718fb0de8ff88 ("ACPI: fix NULL bug for HID/UID string")
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Link: https://patch.msgid.link/20260413135343.2884481-1-lgs201920130244@gmail.com
Signed-off-by: Rafael J. Wysocki <rjw@rjwysocki.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/acpi/power.c |    2 +-
 drivers/acpi/scan.c  |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/acpi/power.c
+++ b/drivers/acpi/power.c
@@ -986,7 +986,7 @@ struct acpi_device *acpi_add_power_resou
 	return device;
 
  err:
-	acpi_release_power_resource(&device->dev);
+	acpi_dev_put(device);
 	return NULL;
 }
 
--- a/drivers/acpi/scan.c
+++ b/drivers/acpi/scan.c
@@ -1862,7 +1862,7 @@ static int acpi_add_single_object(struct
 		result = acpi_device_add(device);
 
 	if (result) {
-		acpi_device_release(&device->dev);
+		acpi_dev_put(device);
 		return result;
 	}
 




* [PATCH 6.6 150/474] ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sean Kelley, Jinjie Ruan,
	Rafael J. Wysocki

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jinjie Ruan <ruanjinjie@huawei.com>

commit 75141a770f4f8225d316f6c7e146723a32e9720e upstream.

When concurrently bringing up and down two SMT threads of a physical
core, many warning call traces occur as below:

The issue timeline is as follows:

 1. When the system starts,
    cpufreq: CPU: 220, policy->related_cpus: 220-221, policy->cpus: 220-221

 2. Offline CPU 220 and CPU 221.

 3. Online CPU 220
    - CPU 221 is now offline, and as acpi_get_psd_map() uses
      for_each_online_cpu(), the cpu_data->shared_cpu_map,
      policy->cpus, and related_cpus have only CPU 220.

    cpufreq: CPU: 220, policy->related_cpus: 220, policy->cpus: 220

 4. Offline CPU 220

 5. Online CPU 221, the below call trace occurs:
    - Since CPU 220 and CPU 221 share one policy, and
      policy->related_cpus = 220 after step 3, CPU 221
      is not in policy->related_cpus but
      per_cpu(cpufreq_cpu_data, cpu221) is not NULL.

After reverting commit 56eb0c0ed345 ("ACPI: CPPC: Fix remaining
for_each_possible_cpu() to use online CPUs"), the issue disappeared.

The _PSD (P-State Dependency) defines the hardware-level dependency of
frequency control across CPU cores. Since this relationship is a physical
attribute of the hardware topology, it remains constant regardless of the
online or offline status of the CPUs.

Using for_each_online_cpu() in acpi_get_psd_map() is problematic. If a
CPU is offline, it will be excluded from the shared_cpu_map.
Consequently, if that CPU is brought online later, the kernel will fail
to recognize it as part of any shared frequency domain.

Switch back to for_each_possible_cpu() to ensure that all cores defined
in the ACPI tables are correctly mapped into their respective performance
domains from the start. This aligns with the logic of policy->related_cpus,
which must encompass all potentially available cores in the domain to
prevent logic gaps during CPU hotplug operations.

As for the original issue regarding the "nosmt" or "nosmt=force"
boot parameter: send_pcc_cmd() already does `if (!desc) continue;`,
so reverting that loop back to for_each_possible_cpu() is OK; only the
match_cpc_ptr NULL case in acpi_get_psd_map() needs to be changed to
continue, as Sean suggested.

How to reproduce, on an arm64 machine with SMT support which uses the
acpi cppc cpufreq driver:

	bash test.sh 220 & bash test.sh 221 &

	The test.sh is as below:
		while true
			do
			echo 0 > /sys/devices/system/cpu/cpu${1}/online
			sleep 0.5
			cat /sys/devices/system/cpu/cpu${1}/cpufreq/related_cpus
			echo 1 >  /sys/devices/system/cpu/cpu${1}/online
			cat /sys/devices/system/cpu/cpu${1}/cpufreq/related_cpus
		done

	CPU: 221 PID: 1119 Comm: cpuhp/221 Kdump: loaded Not tainted 6.6.0debug+ #5
	Hardware name: To be filled by O.E.M. S920X20/BC83AMDA01-7270Z, BIOS 20.39 09/04/2024
	pstate: a1400009 (NzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
	pc : cpufreq_online+0x8ac/0xa90
	lr : cpuhp_cpufreq_online+0x18/0x30
	sp : ffff80008739bce0
	x29: ffff80008739bce0 x28: 0000000000000000 x27: ffff28400ca32200
	x26: 0000000000000000 x25: 0000000000000003 x24: ffffd483503ff000
	x23: ffffd483504051a0 x22: ffffd48350024a00 x21: 00000000000000dd
	x20: 000000000000001d x19: ffff28400ca32000 x18: 0000000000000000
	x17: 0000000000000020 x16: ffffd4834e6a3fc8 x15: 0000000000000020
	x14: 0000000000000008 x13: 0000000000000001 x12: 00000000ffffffff
	x11: 0000000000000040 x10: ffffd48350430728 x9 : ffffd4834f087c78
	x8 : 0000000000000001 x7 : ffff2840092bdf00 x6 : ffffd483504264f0
	x5 : ffffd48350405000 x4 : ffff283f7f95cc60 x3 : 0000000000000000
	x2 : ffff53bc2f94b000 x1 : 00000000000000dd x0 : 0000000000000000
	Call trace:
	 cpufreq_online+0x8ac/0xa90
	 cpuhp_cpufreq_online+0x18/0x30
	 cpuhp_invoke_callback+0x128/0x580
	 cpuhp_thread_fun+0x110/0x1b0
	 smpboot_thread_fn+0x140/0x190
	 kthread+0xec/0x100
	 ret_from_fork+0x10/0x20
	---[ end trace 0000000000000000 ]---

Cc: All applicable <stable@vger.kernel.org>
Fixes: 56eb0c0ed345 ("ACPI: CPPC: Fix remaining for_each_possible_cpu() to use online CPUs")
Co-developed-by: Sean Kelley <skelley@nvidia.com>
Signed-off-by: Sean Kelley <skelley@nvidia.com>
Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
[ rjw: Changelog edits ]
Link: https://patch.msgid.link/20260417040112.3727756-1-ruanjinjie@huawei.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/acpi/cppc_acpi.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/acpi/cppc_acpi.c
+++ b/drivers/acpi/cppc_acpi.c
@@ -347,7 +347,7 @@ static int send_pcc_cmd(int pcc_ss_id, u
 end:
 	if (cmd == CMD_WRITE) {
 		if (unlikely(ret)) {
-			for_each_online_cpu(i) {
+			for_each_possible_cpu(i) {
 				struct cpc_desc *desc = per_cpu(cpc_desc_ptr, i);
 
 				if (!desc)
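
Review bot: the switch to for_each_possible_cpu() in the CMD_WRITE failure path is only safe because of the `if (!desc)` guard that follows it, since possible-but-absent CPUs (SMT siblings hidden by nosmt, per the changelog) have no cpc_desc; the hunk's context stops right after that check, so confirm the body is a bare `continue;` and that nothing below it touches `desc` for the skipped CPUs.
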
@@ -509,13 +509,13 @@ int acpi_get_psd_map(unsigned int cpu, s
 	else if (pdomain->coord_type == DOMAIN_COORD_TYPE_SW_ANY)
 		cpu_data->shared_type = CPUFREQ_SHARED_TYPE_ANY;
 
-	for_each_online_cpu(i) {
+	for_each_possible_cpu(i) {
 		if (i == cpu)
 			continue;
 
 		match_cpc_ptr = per_cpu(cpc_desc_ptr, i);
 		if (!match_cpc_ptr)
-			goto err_fault;
+			continue;
 
 		match_pdomain = &(match_cpc_ptr->domain_info);
 		if (match_pdomain->domain != pdomain->domain)
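
Review bot: turning `goto err_fault` into `continue` for a NULL match_cpc_ptr also silences the case where a CPU that is genuinely present lacks a _CPC object, which previously failed the _PSD lookup; a pr_debug() naming the skipped CPU would keep a broken firmware table diagnosable. Check as well that err_fault still has another user in the function, otherwise the label is now unused and the build warns. Iterating possible CPUs here means shared_cpu_map may contain CPUs that never come online; that is the intended alignment with policy->related_cpus described in the changelog.
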



* [PATCH 6.6 151/474] ACPI: video: force native backlight on HP OMEN 16 (8A44)
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Shivam Kalra, Rafael J. Wysocki

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shivam Kalra <shivamkalra98@zohomail.in>

commit 4b506ea5351a1f5937ac632a4a5c35f6f796cc41 upstream.

The HP OMEN 16 Gaming Laptop (board name 8A44) has a mux-less hybrid
GPU configuration with AMD Rembrandt (Radeon 680M) and NVIDIA GA104
(RTX 3070 Ti). The internal eDP panel is wired to the AMD iGPU.

When Nouveau loads without GSP firmware, the ACPI video backlight
device (acpi_video0) gets registered alongside the native AMD
backlight (amdgpu_bl2). In this state, writes to amdgpu_bl2 update
the software brightness value but fail to change the physical panel
brightness.

Force native backlight to prevent acpi_video0 from registering.
Confirmed that booting with acpi_backlight=native resolves the
issue.

Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Shivam Kalra <shivamkalra98@zohomail.in>
Link: https://patch.msgid.link/20260426-omen-16-backlight-fix-v1-1-62364f268ea6@zohomail.in
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/acpi/video_detect.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/acpi/video_detect.c
+++ b/drivers/acpi/video_detect.c
@@ -820,6 +820,14 @@ static const struct dmi_system_id video_
 		DMI_MATCH(DMI_PRODUCT_NAME, "Z830"),
 		},
 	},
+	{
+	 .callback = video_detect_force_native,
+	 /* HP OMEN Gaming Laptop 16-n0xxx */
+	 .matches = {
+		DMI_MATCH(DMI_SYS_VENDOR, "HP"),
+		DMI_MATCH(DMI_PRODUCT_NAME, "OMEN by HP Gaming Laptop 16-n0xxx"),
+		},
+	},
 
 	/*
 	 * Models which have nvidia-ec-wmi support, but should not use it.
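
Review bot: the new entry matches on DMI_SYS_VENDOR plus DMI_PRODUCT_NAME only, while the subject identifies the machine by board name 8A44; DMI_MATCH is a substring match, so consider adding `DMI_MATCH(DMI_BOARD_NAME, "8A44")` to keep the quirk from catching other 16-n0xxx board revisions whose GPU wiring may differ. The in-code comment ("HP OMEN Gaming Laptop 16-n0xxx") should also mention 8A44 so the table entry and the changelog can be cross-referenced.
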



* [PATCH 6.6 152/474] iommufd: Fix a race with concurrent allocation and unmap
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sina Hassani, Kevin Tian,
	Jason Gunthorpe

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sina Hassani <sina@openai.com>

commit 8602018b1f17fbdaa5e5d79f4c8603ad20640c12 upstream.

iopt_unmap_iova_range() releases the lock on iova_rwsem inside the loop
body when getting to the more expensive unmap operations. This is fine on
its own, except the loop condition is based on the first area that matches
the unmap address range. If a concurrent call to map picks an area that
was unmapped in previous iterations, the loop mistakenly tries to unmap
it.

This is reproducible by having one userspace thread map buffers and pass
them to another thread that unmaps them. The problem manifests as EBUSY
errors with single page mappings.

Fix this by advancing the start pointer after unmapping an area. This
ensures each iteration only examines the IOVA range that remains mapped,
which is guaranteed not to have overlaps.

Cc: stable@vger.kernel.org
Fixes: 51fe6141f0f6 ("iommufd: Data structure to provide IOVA to PFN mapping")
Link: https://patch.msgid.link/r/CAAJpGJSR4r_ds1JOjmkqHtsBPyxu8GntoeW08Sk5RNQPmgi+tg@mail.gmail.com
Signed-off-by: Sina Hassani <sina@openai.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iommu/iommufd/io_pagetable.c |   10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/drivers/iommu/iommufd/io_pagetable.c
+++ b/drivers/iommu/iommufd/io_pagetable.c
@@ -552,6 +552,16 @@ again:
 		unmapped_bytes += area_last - area_first + 1;
 
 		down_write(&iopt->iova_rwsem);
+
+		/*
+		 * After releasing the iova_rwsem concurrent allocation could
+		 * place new areas at IOVAs we have already unmapped. Keep
+		 * moving the start of the search forward to ignore the area
+		 * already unmapped.
+		 */
+		if (area_last >= last)
+			break;
+		start = area_last + 1;
 	}
 
 out_unlock_iova:
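
Review bot: the `if (area_last >= last) break;` before `start = area_last + 1;` is what keeps the advance from wrapping when the unmap range ends at the top of the address space, so the two statements must stay in this order. Both run after down_write(&iopt->iova_rwsem) and the break lands on out_unlock_iova, which is the right exit for a held lock; confirm that the lookup at the `again:` label keys off `start` rather than the caller's original range start, otherwise the advance has no effect and the EBUSY race on freshly mapped single pages remains. A short comment noting that `last` and `area_last` are inclusive (as `unmapped_bytes += area_last - area_first + 1` implies) would make the `+ 1` and the `>=` self-explanatory.
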



* [PATCH 6.6 153/474] ASoC: SOF: Dont allow pointer operations on unconfigured streams
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Brown <broonie@kernel.org>

commit c5b6285aae050ff1c3ea824ca3d88ac4be1e69c8 upstream.

When reporting the pointer for a compressed stream we report the current
I/O frame position by dividing the position by the number of channels
multiplied by the number of container bytes. These values default to 0 and
are only configured as part of setting the stream parameters so this allows
a divide by zero to be configured. Validate that they are non-zero,
returning an error if not.

Fixes: c1a731c71359 ("ASoC: SOF: compress: Add support for computing timestamps")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260326-asoc-compress-tstamp-params-v1-1-3dc735b3d599@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/sof/compress.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/sound/soc/sof/compress.c
+++ b/sound/soc/sof/compress.c
@@ -371,6 +371,9 @@ static int sof_compr_pointer(struct snd_
 	if (!spcm)
 		return -EINVAL;
 
+	if (!sstream->channels || !sstream->sample_container_bytes)
+		return -EBUSY;
+
 	tstamp->sampling_rate = sstream->sampling_rate;
 	tstamp->copied_total = sstream->copied_total;
 	tstamp->pcm_io_frames = div_u64(spcm->stream[cstream->direction].posn.dai_posn,
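
Review bot: the guard returns -EBUSY while the neighbouring `if (!spcm) return -EINVAL;` uses -EINVAL; -EBUSY is defensible (the stream is not yet configured rather than the request being malformed), but a one-line comment stating that channels and sample_container_bytes stay zero until set_params has run would save the next reader from asking. Placing the check ahead of the div_u64 at the bottom of the hunk is the important part, since a zero divisor there is a user-reachable fault through the compress pointer operation on an unconfigured stream.
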



* [PATCH 6.6 154/474] spi: rockchip: fix controller deregistration
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, addy ke, Johan Hovold, Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 53e7a16070feb7d1d4d81a583eaac5e25048b9c3 upstream.

Make sure to deregister the controller before freeing underlying
resources like DMA channels during driver unbind.

Fixes: 64e36824b32b ("spi/rockchip: add driver for Rockchip RK3xxx SoCs integrated SPI")
Cc: stable@vger.kernel.org	# 3.17
Cc: addy ke <addy.ke@rock-chips.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260324082326.901043-3-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-rockchip.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-rockchip.c
+++ b/drivers/spi/spi-rockchip.c
@@ -921,7 +921,7 @@ static int rockchip_spi_probe(struct pla
 		break;
 	}
 
-	ret = devm_spi_register_controller(&pdev->dev, ctlr);
+	ret = spi_register_controller(ctlr);
 	if (ret < 0) {
 		dev_err(&pdev->dev, "Failed to register controller\n");
 		goto err_free_dma_rx;
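
Review bot: with devm_spi_register_controller() replaced by spi_register_controller(), registration is no longer undone automatically, so any probe failure path that can run after this call now needs a matching spi_unregister_controller(); the hunk only shows the earlier `goto err_free_dma_rx`, so check whether a later error label exists and whether it unregisters.
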
@@ -957,6 +957,8 @@ static void rockchip_spi_remove(struct p
 	clk_disable_unprepare(rs->spiclk);
 	clk_disable_unprepare(rs->apb_pclk);
 
+	spi_unregister_controller(ctlr);
+
 	pm_runtime_put_noidle(&pdev->dev);
 	pm_runtime_disable(&pdev->dev);
 	pm_runtime_set_suspended(&pdev->dev);
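
Review bot: spi_unregister_controller(ctlr) lands after the two clk_disable_unprepare() calls, but unregistering may still have to flush a queued message, which needs the clocks; since the changelog's goal is to deregister before the underlying resources go away, consider moving the call above the clock teardown so the controller is quiesced while spiclk and apb_pclk are still enabled.
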



* [PATCH 6.6 155/474] x86: shadow stacks: proper error handling for mmap lock
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, 김영민,
	Oleg Nesterov, Dave Hansen, Rick Edgecombe, Linus Torvalds,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Torvalds <torvalds@linux-foundation.org>

[ Upstream commit 52f657e34d7b21b47434d9d8b26fa7f6778b63a0 ]

김영민 reports that shstk_pop_sigframe() doesn't check for errors from
mmap_read_lock_killable(), which is a silly oversight, and also shows
that we haven't marked those functions with "__must_check", which would
have immediately caught it.

So let's fix both issues.

Reported-by: 김영민 <osori@hspace.io>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Dave Hansen <dave.hansen@intel.com>
Acked-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/kernel/shstk.c   | 3 ++-
 include/linux/mmap_lock.h | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c
index 19e4db582fb69..d259d7d5b962f 100644
--- a/arch/x86/kernel/shstk.c
+++ b/arch/x86/kernel/shstk.c
@@ -311,7 +311,8 @@ static int shstk_pop_sigframe(unsigned long *ssp)
 	need_to_check_vma = PAGE_ALIGN(*ssp) == *ssp;
 
 	if (need_to_check_vma)
-		mmap_read_lock_killable(current->mm);
+		if (mmap_read_lock_killable(current->mm))
+			return -EINTR;
 
 	err = get_shstk_data(&token_addr, (unsigned long __user *)*ssp);
 	if (unlikely(err))
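
Review bot: the outer `if (need_to_check_vma)` now wraps a second `if` without braces; kernel style asks for braces on the outer statement when its body is itself a conditional, so `if (need_to_check_vma) {` ... `}` here. Returning -EINTR directly is correct at this point because the lock was not acquired, whereas the later failures must keep going through out_err, which unlocks.
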
diff --git a/include/linux/mmap_lock.h b/include/linux/mmap_lock.h
index 8d38dcb6d044c..153e018677909 100644
--- a/include/linux/mmap_lock.h
+++ b/include/linux/mmap_lock.h
@@ -116,7 +116,7 @@ static inline void mmap_write_lock_nested(struct mm_struct *mm, int subclass)
 	__mmap_lock_trace_acquire_returned(mm, true, true);
 }
 
-static inline int mmap_write_lock_killable(struct mm_struct *mm)
+static inline int __must_check mmap_write_lock_killable(struct mm_struct *mm)
 {
 	int ret;
 
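
Review bot: adding __must_check is the right fix for the class of bug in the shstk hunk above, but it turns every existing caller that discards the return value into a warning, and into a build failure under CONFIG_WERROR; before backporting, grep the 6.6 tree for callers of mmap_write_lock_killable() and mmap_read_lock_killable() that ignore the result, since a stable branch can still carry callers that mainline has already fixed.
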
@@ -147,7 +147,7 @@ static inline void mmap_read_lock(struct mm_struct *mm)
 	__mmap_lock_trace_acquire_returned(mm, false, true);
 }
 
-static inline int mmap_read_lock_killable(struct mm_struct *mm)
+static inline int __must_check mmap_read_lock_killable(struct mm_struct *mm)
 {
 	int ret;
 
@@ -157,7 +157,7 @@ static inline int mmap_read_lock_killable(struct mm_struct *mm)
 	return ret;
 }
 
-static inline bool mmap_read_trylock(struct mm_struct *mm)
+static inline bool __must_check mmap_read_trylock(struct mm_struct *mm)
 {
 	bool ret;
 
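
Review bot: annotating mmap_read_trylock() is a good catch, since a trylock whose result is discarded is always a bug; if the header also provides a write-side trylock it deserves the same annotation, as this series only touches the three functions shown.
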
-- 
2.53.0




* [PATCH 6.6 156/474] drm/amd/display: Do not skip unrelated mode changes in DSC validation
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yussuf Khalil, Harry Wentland,
	Alex Deucher, Fang Wang, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yussuf Khalil <dev@pp3345.net>

[ Upstream commit aed3d041ab061ec8a64f50a3edda0f4db7280025 ]

Starting with commit 17ce8a6907f7 ("drm/amd/display: Add dsc pre-validation in
atomic check"), amdgpu resets the CRTC state mode_changed flag to false when
recomputing the DSC configuration results in no timing change for a particular
stream.

However, this is incorrect in scenarios where a change in MST/DSC configuration
happens in the same KMS commit as another (unrelated) mode change. For example,
the integrated panel of a laptop may be configured differently (e.g., HDR
enabled/disabled) depending on whether external screens are attached. In this
case, plugging in external DP-MST screens may result in the mode_changed flag
being dropped incorrectly for the integrated panel if its DSC configuration
did not change during precomputation in pre_validate_dsc().

At this point, however, dm_update_crtc_state() has already created new streams
for CRTCs with DSC-independent mode changes. In turn,
amdgpu_dm_commit_streams() will never release the old stream, resulting in a
memory leak. amdgpu_dm_atomic_commit_tail() will never acquire a reference to
the new stream either, which manifests as a use-after-free when the stream gets
disabled later on:

BUG: KASAN: use-after-free in dc_stream_release+0x25/0x90 [amdgpu]
Write of size 4 at addr ffff88813d836524 by task kworker/9:9/29977

Workqueue: events drm_mode_rmfb_work_fn
Call Trace:
 <TASK>
 dump_stack_lvl+0x6e/0xa0
 print_address_description.constprop.0+0x88/0x320
 ? dc_stream_release+0x25/0x90 [amdgpu]
 print_report+0xfc/0x1ff
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? __virt_addr_valid+0x225/0x4e0
 ? dc_stream_release+0x25/0x90 [amdgpu]
 kasan_report+0xe1/0x180
 ? dc_stream_release+0x25/0x90 [amdgpu]
 kasan_check_range+0x125/0x200
 dc_stream_release+0x25/0x90 [amdgpu]
 dc_state_destruct+0x14d/0x5c0 [amdgpu]
 dc_state_release.part.0+0x4e/0x130 [amdgpu]
 dm_atomic_destroy_state+0x3f/0x70 [amdgpu]
 drm_atomic_state_default_clear+0x8ee/0xf30
 ? drm_mode_object_put.part.0+0xb1/0x130
 __drm_atomic_state_free+0x15c/0x2d0
 atomic_remove_fb+0x67e/0x980

Since there is no reliable way of figuring out whether a CRTC has unrelated
mode changes pending at the time of DSC validation, remember the value of the
mode_changed flag from before the point where a CRTC was marked as potentially
affected by a change in DSC configuration. Reset the mode_changed flag to this
earlier value instead in pre_validate_dsc().

Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/5004
Fixes: 17ce8a6907f7 ("drm/amd/display: Add dsc pre-validation in atomic check")
Signed-off-by: Yussuf Khalil <dev@pp3345.net>
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit cc7c7121ae082b7b82891baa7280f1ff2608f22b)
Signed-off-by: Fang Wang <32840572@qq.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c          | 5 +++++
 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h          | 1 +
 .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c    | 7 +++++--
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
index f51c3921cbc26..12f75b2ad664d 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -10152,6 +10152,11 @@ static int amdgpu_dm_atomic_check(struct drm_device *dev,
 	}
 
 	if (dc_resource_is_dsc_encoding_supported(dc)) {
+		for_each_oldnew_crtc_in_state(state, crtc, old_crtc_state, new_crtc_state, i) {
+			dm_new_crtc_state = to_dm_crtc_state(new_crtc_state);
+			dm_new_crtc_state->mode_changed_independent_from_dsc = new_crtc_state->mode_changed;
+		}
+
 		for_each_oldnew_crtc_in_state(state, crtc, old_crtc_state, new_crtc_state, i) {
 			if (drm_atomic_crtc_needs_modeset(new_crtc_state)) {
 				ret = add_affected_mst_dsc_crtcs(state, crtc);
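
Review bot: the snapshot loop must stay a separate pass ahead of the loop that calls add_affected_mst_dsc_crtcs(), because that helper can set mode_changed on other CRTCs in the same state; folding the two into one loop would snapshot a CRTC after a sibling had already marked it, reintroducing the dropped-flag bug. Also confirm that dm_new_crtc_state is declared at function scope in amdgpu_dm_atomic_check(), since the hunk assigns it without a local declaration.
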
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h
index 88606b805330d..8d4f2cadb9157 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h
@@ -737,6 +737,7 @@ struct dm_crtc_state {
 
 	bool freesync_vrr_info_changed;
 
+	bool mode_changed_independent_from_dsc;
 	bool dsc_force_changed;
 	bool vrr_supported;
 	struct mod_freesync_config freesync_config;
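
Review bot: the new bool is written only on the DSC-capable path of atomic_check and read only in pre_validate_dsc(), so a value carried over in a duplicated state is never consumed stale; a short comment beside the field saying it is only meaningful within a single atomic check would document that contract for the next person who adds a reader.
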
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
index 2698e5c74ddfd..ab6924d3046b7 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
@@ -1587,8 +1587,11 @@ int pre_validate_dsc(struct drm_atomic_state *state,
 		} else {
 			int ind = find_crtc_index_in_state_by_stream(state, stream);
 
-			if (ind >= 0)
-				state->crtcs[ind].new_state->mode_changed = 0;
+			if (ind >= 0) {
+				struct dm_crtc_state *dm_new_crtc_state = to_dm_crtc_state(state->crtcs[ind].new_state);
+
+				dm_new_crtc_state->base.mode_changed = dm_new_crtc_state->mode_changed_independent_from_dsc;
+			}
 		}
 	}
 clean_exit:
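
Review bot: restoring `mode_changed` from mode_changed_independent_from_dsc is correct only when the snapshot pass in amdgpu_dm_atomic_check() ran for this state; if pre_validate_dsc() has any other caller, that caller must take the same snapshot or the restore writes a stale value. The assignment line is well past the 100-column limit checkpatch warns about; a local `struct drm_crtc_state *crtc_state = &dm_new_crtc_state->base;` would shorten it.
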
-- 
2.53.0




* [PATCH 6.6 157/474] x86/shstk: Prevent deadlock during shstk sigreturn
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Rick Edgecombe, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rick Edgecombe <rick.p.edgecombe@intel.com>

[ Upstream commit 9874b2917b9fbc30956fee209d3c4aa47201c64e ]

During sigreturn the shadow stack signal frame is popped. The kernel does
this by reading the shadow stack using normal read accesses. When it can't
assume the memory is shadow stack, it takes extra steps to makes sure it is
reading actual shadow stack memory and not other normal readable memory. It
does this by holding the mmap read lock while doing the access and checking
the flags of the VMA.

Unfortunately that is not safe. If the read of the shadow stack sigframe
hits a page fault, the fault handler will try to recursively grab another
mmap read lock. This normally works ok, but if a writer on another CPU is
also waiting, the second read lock could fail and cause a deadlock.

Fix this by doing the read of the userspace memory via gup. Embed it in the
get_shstk_data() helper.

Currently there is a check that skips the lookup work when the SSP can be
assumed to be on a shadow stack. While reorganizing the function, remove
the optimization to make the tricky code flows more common, such that
issues like this cannot escape detection for so long.

[Due to missing per-vma MM sequence counter, use a simpler GUP based
solution for the backport]
Cc: <stable@vger.kernel.org> # Depends on https://lore.kernel.org/all/20260504205924.536382-1-rick.p.edgecombe@intel.com/
Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/kernel/shstk.c | 46 ++++++++++++++++++++++++++---------------
 1 file changed, 29 insertions(+), 17 deletions(-)

diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c
index d259d7d5b962f..ba93c4e6a2319 100644
--- a/arch/x86/kernel/shstk.c
+++ b/arch/x86/kernel/shstk.c
@@ -18,6 +18,7 @@
 #include <linux/sizes.h>
 #include <linux/user.h>
 #include <linux/syscalls.h>
+#include <linux/highmem.h>
 #include <asm/msr.h>
 #include <asm/fpu/xstate.h>
 #include <asm/fpu/types.h>
@@ -262,11 +263,29 @@ static int put_shstk_data(u64 __user *addr, u64 data)
 	return 0;
 }
 
+/* Copy from aligned address in userspace without risk of page fault. */
+static int shstk_copy_user_gup(unsigned long *ldata, unsigned long __user *addr)
+{
+	struct page *page;
+	void *kaddr;
+
+	mmap_assert_locked(current->mm);
+	if (get_user_pages((unsigned long)addr, 1, 0, &page) != 1)
+		return -EFAULT;
+
+	kaddr = kmap_local_page(page);
+	*ldata = *(unsigned long *)(kaddr + offset_in_page(addr));
+	kunmap_local(kaddr);
+	put_page(page);
+
+	return 0;
+}
+
 static int get_shstk_data(unsigned long *data, unsigned long __user *addr)
 {
 	unsigned long ldata;
 
-	if (unlikely(get_user(ldata, addr)))
+	if (shstk_copy_user_gup(&ldata, addr))
 		return -EFAULT;
 
 	if (!(ldata & SHSTK_DATA_BIT))
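
Review bot: the comment "without risk of page fault" is slightly misleading: get_user_pages() can still populate the page, but it does so through the GUP path with mmap_lock already held (as the mmap_assert_locked() documents) instead of through a #PF that would try to take the lock again, which is the deadlock the changelog describes; rewording it that way helps the next reader. gup_flags of 0 requests a read-only reference and put_page() is the matching release for a non-pinned GUP, both fine; the unchecked `*(unsigned long *)` read relies on the caller having verified 8-byte alignment, which shstk_pop_sigframe() does via IS_ALIGNED(*ssp, 8) before calling in, so that precondition belongs in the function comment too.
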
@@ -296,7 +315,6 @@ static int shstk_pop_sigframe(unsigned long *ssp)
 {
 	struct vm_area_struct *vma;
 	unsigned long token_addr;
-	bool need_to_check_vma;
 	int err = 1;
 
 	/*
@@ -308,26 +326,21 @@ static int shstk_pop_sigframe(unsigned long *ssp)
 	if (!IS_ALIGNED(*ssp, 8))
 		return -EINVAL;
 
-	need_to_check_vma = PAGE_ALIGN(*ssp) == *ssp;
-
-	if (need_to_check_vma)
-		if (mmap_read_lock_killable(current->mm))
-			return -EINTR;
+	if (mmap_read_lock_killable(current->mm))
+		return -EINTR;
 
 	err = get_shstk_data(&token_addr, (unsigned long __user *)*ssp);
 	if (unlikely(err))
 		goto out_err;
 
-	if (need_to_check_vma) {
-		vma = find_vma(current->mm, *ssp);
-		if (!vma || !(vma->vm_flags & VM_SHADOW_STACK)) {
-			err = -EFAULT;
-			goto out_err;
-		}
-
-		mmap_read_unlock(current->mm);
+	vma = find_vma(current->mm, *ssp);
+	if (!vma || !(vma->vm_flags & VM_SHADOW_STACK)) {
+		err = -EFAULT;
+		goto out_err;
 	}
 
+	mmap_read_unlock(current->mm);
+
 	/* Restore SSP aligned? */
 	if (unlikely(!IS_ALIGNED(token_addr, 8)))
 		return -EINVAL;
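
Review bot: with the need_to_check_vma shortcut gone, every `goto out_err` now runs after the read lock is taken, and the only early return ahead of the lock is the IS_ALIGNED check, so the unconditional mmap_read_unlock() in out_err is balanced; keep it that way if further validation is ever added above the lock. Reading the token and checking the VMA flags under the same read lock also closes the window in which the VMA could change between the two, which is why the unlock now sits below find_vma() rather than before the alignment check.
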
@@ -340,8 +353,7 @@ static int shstk_pop_sigframe(unsigned long *ssp)
 
 	return 0;
 out_err:
-	if (need_to_check_vma)
-		mmap_read_unlock(current->mm);
+	mmap_read_unlock(current->mm);
 	return err;
 }
 
-- 
2.53.0




* [PATCH 6.6 158/474] spi: meson-spicc: Fix double-put in remove path
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Felix Gu, Johan Hovold, Mark Brown,
	Wenshan Lan, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Felix Gu <ustc.gu@gmail.com>

[ Upstream commit 63542bb402b7013171c9f621c28b609eda4dbf1f ]

meson_spicc_probe() registers the controller with
devm_spi_register_controller(), so teardown already drops the
controller reference via devm cleanup.

Calling spi_controller_put() again in meson_spicc_remove()
causes a double-put.

Fixes: 8311ee2164c5 ("spi: meson-spicc: fix memory leak in meson_spicc_remove")
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260322-rockchip-v1-1-fac3f0c6dad8@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
[ In v6.6, commit 68bf3288c7eb ("spi: meson-spicc: switch to use modern name")
has not been applied, so the driver still uses the legacy spicc->master field
and spi_master_put() API. The line to remove is spi_master_put(spicc->master)
rather than spi_controller_put(spicc->host) as in the upstream patch.
They are functionally identical. ]
Signed-off-by: Wenshan Lan <jetlan9@163.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi-meson-spicc.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/drivers/spi/spi-meson-spicc.c b/drivers/spi/spi-meson-spicc.c
index 43d134f4b42b1..de8cf91658fd5 100644
--- a/drivers/spi/spi-meson-spicc.c
+++ b/drivers/spi/spi-meson-spicc.c
@@ -918,8 +918,6 @@ static void meson_spicc_remove(struct platform_device *pdev)
 
 	clk_disable_unprepare(spicc->core);
 	clk_disable_unprepare(spicc->pclk);
-
-	spi_master_put(spicc->master);
 }
 
 static const struct meson_spicc_data meson_spicc_gx_data = {
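
Review bot: dropping spi_master_put() is right only if meson_spicc_remove() does not itself take a reference with spi_master_get() earlier in the function (not visible in this hunk); if it did, the put would be balanced and removing it would leak the controller instead. Note also that with devm-managed registration the controller is unregistered only after remove() has already disabled spicc->core and spicc->pclk, the same ordering problem that 154/474 fixes for spi-rockchip, so a follow-up that unregisters explicitly before the clock teardown may be worthwhile.
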
-- 
2.53.0




* [PATCH 6.6 159/474] rxrpc: Fix potential UAF after skb_unshare() failure
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, David Howells, Marc Dionne,
	Jeffrey Altman, Simon Horman, linux-afs, stable, Jakub Kicinski,
	Sasha Levin, Wentao Guan

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Howells <dhowells@redhat.com>

[ Upstream commit 1f2740150f904bfa60e4bad74d65add3ccb5e7f8 ]

If skb_unshare() fails to unshare a packet due to allocation failure in
rxrpc_input_packet(), the skb pointer in the parent (rxrpc_io_thread())
will be NULL'd out.  This will likely cause the call to
trace_rxrpc_rx_done() to oops.

Fix this by moving the unsharing down to where rxrpc_input_call_event()
calls rxrpc_input_call_packet().  There are a number of places prior to
that where we ignore DATA packets for a variety of reasons (such as the
call already being complete) for which an unshare is then avoided.

And with that, rxrpc_input_packet() doesn't need to take a pointer to the
pointer to the packet, so change that to just a pointer.

Fixes: 2d1faf7a0ca3 ("rxrpc: Simplify skbuff accounting in receive path")
Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260422161438.2593376-4-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Relocated the unshare/skb_copy block from rxrpc_input_call_event()'s rx_queue dequeue loop to existing `if (skb) rxrpc_input_call_packet()` site, and substituted rxrpc_skb_put_call_rx with rxrpc_skb_put_input. ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Readd rxrpc_skb_put_response_copy() or will cause a build fail with commit 24481a7f5733 ("rxrpc: Fix conn-level packet handling to unshare RESPONSE packets") ]
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/trace/events/rxrpc.h |  4 ++--
 net/rxrpc/ar-internal.h      |  1 -
 net/rxrpc/call_event.c       | 23 +++++++++++++++++++++--
 net/rxrpc/io_thread.c        | 24 ++----------------------
 net/rxrpc/skbuff.c           |  9 ---------
 5 files changed, 25 insertions(+), 36 deletions(-)

diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h
index 539801f8ee282..f0560087637ed 100644
--- a/include/trace/events/rxrpc.h
+++ b/include/trace/events/rxrpc.h
@@ -126,8 +126,6 @@
 	E_(rxrpc_call_poke_timer_now,		"Timer-now")
 
 #define rxrpc_skb_traces \
-	EM(rxrpc_skb_eaten_by_unshare,		"ETN unshare  ") \
-	EM(rxrpc_skb_eaten_by_unshare_nomem,	"ETN unshar-nm") \
 	EM(rxrpc_skb_get_conn_secured,		"GET conn-secd") \
 	EM(rxrpc_skb_get_conn_work,		"GET conn-work") \
 	EM(rxrpc_skb_get_last_nack,		"GET last-nack") \
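Review bot: the two `rxrpc_skb_eaten_by_unshare*` entries can go because their only user, rxrpc_eaten_skb(), is deleted later in this patch; `rxrpc_skb_new_unshared`, by contrast, is still referenced from the new call_event.c code and must remain in this list (it does).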
@@ -146,12 +144,14 @@
 	EM(rxrpc_skb_put_jumbo_subpacket,	"PUT jumbo-sub") \
 	EM(rxrpc_skb_put_last_nack,		"PUT last-nack") \
 	EM(rxrpc_skb_put_purge,			"PUT purge    ") \
+	EM(rxrpc_skb_put_response_copy,		"PUT resp-cpy ") \
 	EM(rxrpc_skb_put_rotate,		"PUT rotate   ") \
 	EM(rxrpc_skb_put_unknown,		"PUT unknown  ") \
 	EM(rxrpc_skb_see_conn_work,		"SEE conn-work") \
 	EM(rxrpc_skb_see_recvmsg,		"SEE recvmsg  ") \
 	EM(rxrpc_skb_see_reject,		"SEE reject   ") \
 	EM(rxrpc_skb_see_rotate,		"SEE rotate   ") \
+	EM(rxrpc_skb_see_unshare_nomem,		"SEE unshar-nm") \
 	E_(rxrpc_skb_see_version,		"SEE version  ")
 
 #define rxrpc_local_traces \
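Review bot: the `rxrpc_skb_put_response_copy` trace entry is not used by any code in this patch; the bracketed backport note says it is kept only so that commit 24481a7f5733 still builds, so either a comment next to the entry or squashing it into that commit's backport would stop it reading as an orphan trace point. `rxrpc_skb_see_unshare_nomem` is used by the new OOM branch in call_event.c, so that one is fine.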
diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h
index f4512761f572d..1db479f3d6d3c 100644
--- a/net/rxrpc/ar-internal.h
+++ b/net/rxrpc/ar-internal.h
@@ -1269,7 +1269,6 @@ int rxrpc_server_keyring(struct rxrpc_sock *, sockptr_t, int);
 void rxrpc_kernel_data_consumed(struct rxrpc_call *, struct sk_buff *);
 void rxrpc_new_skb(struct sk_buff *, enum rxrpc_skb_trace);
 void rxrpc_see_skb(struct sk_buff *, enum rxrpc_skb_trace);
-void rxrpc_eaten_skb(struct sk_buff *, enum rxrpc_skb_trace);
 void rxrpc_get_skb(struct sk_buff *, enum rxrpc_skb_trace);
 void rxrpc_free_skb(struct sk_buff *, enum rxrpc_skb_trace);
 void rxrpc_purge_queue(struct sk_buff_head *);
diff --git a/net/rxrpc/call_event.c b/net/rxrpc/call_event.c
index 0f78544d043be..c8a4a4c979eb6 100644
--- a/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -456,8 +456,27 @@ bool rxrpc_input_call_event(struct rxrpc_call *call, struct sk_buff *skb)
 		resend = true;
 	}
 
-	if (skb)
-		rxrpc_input_call_packet(call, skb);
+	if (skb) {
+		struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
+
+		if (sp->hdr.securityIndex != 0 && skb_cloned(skb)) {
+			/* Unshare the packet so that it can be modified by
+			 * in-place decryption.
+			 */
+			struct sk_buff *nskb = skb_copy(skb, GFP_ATOMIC);
+
+			if (nskb) {
+				rxrpc_new_skb(nskb, rxrpc_skb_new_unshared);
+				rxrpc_input_call_packet(call, nskb);
+				rxrpc_free_skb(nskb, rxrpc_skb_put_input);
+			} else {
+				/* OOM - Drop the packet. */
+				rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);
+			}
+		} else {
+			rxrpc_input_call_packet(call, skb);
+		}
+	}
 
 	rxrpc_transmit_some_data(call);
 
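Review bot: the condition `if (sp->hdr.securityIndex != 0 && skb_cloned(skb))` keys only on the security index, so a cloned ACK or ABORT on a secured connection is also duplicated with skb_copy() even though only DATA packets are decrypted in place; adding `sp->hdr.type == RXRPC_PACKET_TYPE_DATA` to the test (as patch 161/474 in this series does) avoids a needless GFP_ATOMIC allocation and, in the OOM branch, avoids dropping a non-DATA packet that could have been processed as is. The lifetime handling itself looks correct: the copy is released with rxrpc_skb_put_input and the caller's `skb` is never replaced, which is what removes the dangling pointer.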
diff --git a/net/rxrpc/io_thread.c b/net/rxrpc/io_thread.c
index 0491f2bbf61e0..f542eda13ff0b 100644
--- a/net/rxrpc/io_thread.c
+++ b/net/rxrpc/io_thread.c
@@ -167,13 +167,12 @@ static bool rxrpc_extract_abort(struct sk_buff *skb)
 /*
  * Process packets received on the local endpoint
  */
-static bool rxrpc_input_packet(struct rxrpc_local *local, struct sk_buff **_skb)
+static bool rxrpc_input_packet(struct rxrpc_local *local, struct sk_buff *skb)
 {
 	struct rxrpc_connection *conn;
 	struct sockaddr_rxrpc peer_srx;
 	struct rxrpc_skb_priv *sp;
 	struct rxrpc_peer *peer = NULL;
-	struct sk_buff *skb = *_skb;
 	bool ret = false;
 
 	skb_pull(skb, sizeof(struct udphdr));
@@ -219,25 +218,6 @@ static bool rxrpc_input_packet(struct rxrpc_local *local, struct sk_buff **_skb)
 			return rxrpc_bad_message(skb, rxrpc_badmsg_zero_call);
 		if (sp->hdr.seq == 0)
 			return rxrpc_bad_message(skb, rxrpc_badmsg_zero_seq);
-
-		/* Unshare the packet so that it can be modified for in-place
-		 * decryption.
-		 */
-		if (sp->hdr.securityIndex != 0) {
-			skb = skb_unshare(skb, GFP_ATOMIC);
-			if (!skb) {
-				rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare_nomem);
-				*_skb = NULL;
-				return just_discard;
-			}
-
-			if (skb != *_skb) {
-				rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare);
-				*_skb = skb;
-				rxrpc_new_skb(skb, rxrpc_skb_new_unshared);
-				sp = rxrpc_skb(skb);
-			}
-		}
 		break;
 
 	case RXRPC_PACKET_TYPE_CHALLENGE:
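Review bot: with the skb_unshare() block gone, the DATA packet that continues down this path may still be shared; that is acceptable only because in-place decryption now relies on the copy made in rxrpc_input_call_event(), so a one-line comment here pointing at that site would save the next reader from wondering where the unshare went.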
@@ -479,7 +459,7 @@ int rxrpc_io_thread(void *data)
 			switch (skb->mark) {
 			case RXRPC_SKB_MARK_PACKET:
 				skb->priority = 0;
-				if (!rxrpc_input_packet(local, &skb))
+				if (!rxrpc_input_packet(local, skb))
 					rxrpc_reject_packet(local, skb);
 				trace_rxrpc_rx_done(skb->mark, skb->priority);
 				rxrpc_free_skb(skb, rxrpc_skb_put_input);
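Review bot: the uses of `skb` after rxrpc_input_packet() (trace_rxrpc_rx_done() and rxrpc_free_skb(skb, rxrpc_skb_put_input)) are what made the old `&skb` interface dangerous, because the callee could free or null the pointer behind the caller's back; passing the skb by value means the loop always traces and frees the packet it dequeued, so this hunk is the core of the UAF fix and needs no further change.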
diff --git a/net/rxrpc/skbuff.c b/net/rxrpc/skbuff.c
index 3bcd6ee803960..e2169d1a14b5f 100644
--- a/net/rxrpc/skbuff.c
+++ b/net/rxrpc/skbuff.c
@@ -46,15 +46,6 @@ void rxrpc_get_skb(struct sk_buff *skb, enum rxrpc_skb_trace why)
 	skb_get(skb);
 }
 
-/*
- * Note the dropping of a ref on a socket buffer by the core.
- */
-void rxrpc_eaten_skb(struct sk_buff *skb, enum rxrpc_skb_trace why)
-{
-	int n = atomic_inc_return(&rxrpc_n_rx_skbs);
-	trace_rxrpc_skb(skb, 0, n, why);
-}
-
 /*
  * Note the destruction of a socket buffer.
  */
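Review bot: removing rxrpc_eaten_skb() also removes the rxrpc_n_rx_skbs increment that compensated for skb_unshare() consuming the original reference; since no unshare remains in the receive path, the counter stays balanced, and the matching declaration is dropped from ar-internal.h in the same patch, so there is no dangling prototype.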
-- 
2.53.0

* [PATCH 6.6 160/474] ext4: validate p_idx bounds in ext4_ext_correct_indexes
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (158 preceding siblings ...)
  2026-05-15 15:44 ` [PATCH 6.6 159/474] rxrpc: Fix potential UAF after skb_unshare() failure Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
  2026-05-15 15:44 ` [PATCH 6.6 161/474] rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets Greg Kroah-Hartman
                   ` (314 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+04c4e65cab786a2e5b7e,
	Tejas Bharambe, Theodore Tso, stable, Jianqiang kang, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tejas Bharambe <tejas.bharambe@outlook.com>

[ Upstream commit 2acb5c12ebd860f30e4faf67e6cc8c44ddfe5fe8 ]

ext4_ext_correct_indexes() walks up the extent tree correcting
index entries when the first extent in a leaf is modified. Before
accessing path[k].p_idx->ei_block, there is no validation that
p_idx falls within the valid range of index entries for that
level.

If the on-disk extent header contains a corrupted or crafted
eh_entries value, p_idx can point past the end of the allocated
buffer, causing a slab-out-of-bounds read.

Fix this by validating path[k].p_idx against EXT_LAST_INDEX() at
both access sites: before the while loop and inside it. Return
-EFSCORRUPTED if the index pointer is out of range, consistent
with how other bounds violations are handled in the ext4 extent
tree code.

Reported-by: syzbot+04c4e65cab786a2e5b7e@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=04c4e65cab786a2e5b7e
Signed-off-by: Tejas Bharambe <tejas.bharambe@outlook.com>
Link: https://patch.msgid.link/JH0PR06MB66326016F9B6AD24097D232B897CA@JH0PR06MB6632.apcprd06.prod.outlook.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
[ Minor conflict resolved. ]
Signed-off-by: Jianqiang kang <jianqkang@sina.cn>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ext4/extents.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index 7626cf2b07f1c..a94798e23c1af 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -1743,6 +1743,13 @@ static int ext4_ext_correct_indexes(handle_t *handle, struct inode *inode,
 	err = ext4_ext_get_access(handle, inode, path + k);
 	if (err)
 		return err;
+	if (unlikely(path[k].p_idx > EXT_LAST_INDEX(path[k].p_hdr))) {
+		EXT4_ERROR_INODE(inode,
+				 "path[%d].p_idx %p > EXT_LAST_INDEX %p",
+				 k, path[k].p_idx,
+				 EXT_LAST_INDEX(path[k].p_hdr));
+		return -EFSCORRUPTED;
+	}
 	path[k].p_idx->ei_block = border;
 	err = ext4_ext_dirty(handle, inode, path + k);
 	if (err)
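Review bot: the bounds check sits after ext4_ext_get_access(), so journal access is obtained for a buffer that is then abandoned on the corruption path; moving the `unlikely(path[k].p_idx > EXT_LAST_INDEX(path[k].p_hdr))` test before the get_access call avoids that. Note also that only the upper bound is guarded; a p_idx below EXT_FIRST_INDEX(path[k].p_hdr) is not caught, which matches the surrounding extent code but deserves a comment.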
@@ -1755,6 +1762,14 @@ static int ext4_ext_correct_indexes(handle_t *handle, struct inode *inode,
 		err = ext4_ext_get_access(handle, inode, path + k);
 		if (err)
 			break;
+		if (unlikely(path[k].p_idx > EXT_LAST_INDEX(path[k].p_hdr))) {
+			EXT4_ERROR_INODE(inode,
+					 "path[%d].p_idx %p > EXT_LAST_INDEX %p",
+					 k, path[k].p_idx,
+					 EXT_LAST_INDEX(path[k].p_hdr));
+			err = -EFSCORRUPTED;
+			break;
+		}
 		path[k].p_idx->ei_block = border;
 		err = ext4_ext_dirty(handle, inode, path + k);
 		if (err)
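Review bot: the validation is now duplicated verbatim at both access sites; a small static helper would keep the two error strings and the comparison in sync. The `err = -EFSCORRUPTED; break;` path is consistent with the `break` on ext4_ext_get_access() failure just above it, so the loop's existing error return handles it correctly.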
-- 
2.53.0

* [PATCH 6.6 161/474] rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (159 preceding siblings ...)
  2026-05-15 15:44 ` [PATCH 6.6 160/474] ext4: validate p_idx bounds in ext4_ext_correct_indexes Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
  2026-05-15 15:44 ` [PATCH 6.6 162/474] KVM: x86: Fix shadow paging use-after-free due to unexpected GFN Greg Kroah-Hartman
                   ` (313 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, David Howells, Marc Dionne,
	Jeffrey Altman, Simon Horman, linux-afs, stable, Jakub Kicinski,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Howells <dhowells@redhat.com>

[ Upstream commit 55b2984c96c37f909bbfe8851f13152693951382 ]

Fix rxrpc_input_call_event() to only unshare DATA packets and not ACK,
ABORT, etc.

And with that, rxrpc_input_packet() doesn't need to take a pointer to the
pointer to the packet, so change that to just a pointer.

Fixes: 1f2740150f90 ("rxrpc: Fix potential UAF after skb_unshare() failure")
Closes: https://sashiko.dev/#/patchset/20260422161438.2593376-4-dhowells@redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260423200909.3049438-2-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/rxrpc/call_event.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/rxrpc/call_event.c b/net/rxrpc/call_event.c
index c8a4a4c979eb6..d6dfc7c08cf04 100644
--- a/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -459,7 +459,9 @@ bool rxrpc_input_call_event(struct rxrpc_call *call, struct sk_buff *skb)
 	if (skb) {
 		struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
 
-		if (sp->hdr.securityIndex != 0 && skb_cloned(skb)) {
+		if (sp->hdr.type == RXRPC_PACKET_TYPE_DATA &&
+		    sp->hdr.securityIndex != 0 &&
+		    skb_cloned(skb)) {
 			/* Unshare the packet so that it can be modified by
 			 * in-place decryption.
 			 */
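Review bot: the added `sp->hdr.type == RXRPC_PACKET_TYPE_DATA` test is the right narrowing; a cloned ACK or ABORT on a secured connection no longer triggers an skb_copy() and can no longer be dropped on allocation failure. The changelog paragraph about rxrpc_input_packet() no longer needing a pointer-to-pointer parameter belongs to the earlier patch (159/474) and does not describe this hunk, so it should be dropped from this commit message.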
-- 
2.53.0

* [PATCH 6.6 162/474] KVM: x86: Fix shadow paging use-after-free due to unexpected GFN
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (160 preceding siblings ...)
  2026-05-15 15:44 ` [PATCH 6.6 161/474] rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
  2026-05-15 15:44 ` [PATCH 6.6 163/474] iommu/amd: Use atomic64_inc_return() in iommu.c Greg Kroah-Hartman
                   ` (312 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alexander Bulekov, Fred Griffoul,
	Sean Christopherson, Paolo Bonzini, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <seanjc@google.com>

commit 0cb2af2ea66ad8ff195c156ea690f11216285bdf upstream.

The shadow MMU computes GFNs for direct shadow pages using sp->gfn plus
the SPTE index. This assumption breaks for shadow paging if the guest
page tables are modified between VM entries (similar to commit
aad885e77496, "KVM: x86/mmu: Drop/zap existing present SPTE even
when creating an MMIO SPTE", 2026-03-27).  The flow is as follows:

- a PDE is installed for a 2MB mapping, and a page in that area is
  accessed.  KVM creates a kvm_mmu_page consisting of 512 4KB pages;
  the kvm_mmu_page is marked by FNAME(fetch) as direct-mapped because
  the guest's mapping is a huge page (and thus contiguous).

- the PDE mapping is changed from outside the guest.

- the guest accesses another page in the same 2MB area.  KVM installs
  a new leaf SPTE and rmap entry; the SPTE uses the "correct" GFN
  (i.e. based on the new mapping, as changed in the previous step) but
  that GFN is outside of the [sp->gfn, sp->gfn + 511] range; therefore
  the rmap entry cannot be found and removed when the kvm_mmu_page
  is zapped.

- the memslot that covers the first 2MB mapping is deleted, and the
  kvm_mmu_page for the now-invalid GPA is zapped.  However, rmap_remove()
  only looks at the [sp->gfn, sp->gfn + 511] range established in step 1,
  and fails to find the rmap entry that was recorded by step 3.

- any operation that causes an rmap walk for the same page accessed
  by step 3 then walks a stale rmap and dereferences a freed kvm_mmu_page.
  This includes dirty logging or MMU notifier invalidations (e.g., from
  MADV_DONTNEED).

The underlying issue is that KVM's walking of shadow PTEs assumes that
if a SPTE is present when KVM wants to install a non-leaf SPTE, then the
existing kvm_mmu_page must be for the correct gfn.  Because the only way
for the gfn to be wrong is if KVM messed up and failed to zap a SPTE...
which shouldn't happen, but *actually* only happens in response to a
guest write.

That bug dates back literally forever, as even the first version of KVM
assumes that the GFN matches and walks into the "wrong" shadow page.
However, that was only an imprecision until 2032a93d66fa ("KVM: MMU:
Don't allocate gfns page for direct mmu pages") came along.

Fix it by checking for a target gfn mismatch and zapping the existing
SPTE.  That way the old SP and rmap entries are gone, KVM installs
the rmap in the right location, and everyone is happy.

Fixes: 2032a93d66fa ("KVM: MMU: Don't allocate gfns page for direct mmu pages")
Fixes: 6aa8b732ca01 ("kvm: userspace interface")
Reported-by: Alexander Bulekov <bkov@amazon.com>
Reported-by: Fred Griffoul <fgriffo@amazon.co.uk>
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Link: https://patch.msgid.link/20260503201029.106481-1-pbonzini@redhat.com/
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/kvm/mmu/mmu.c | 35 ++++++++++++++---------------------
 1 file changed, 14 insertions(+), 21 deletions(-)

diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
index 0dc804149b0f3..774bc26b8235e 100644
--- a/arch/x86/kvm/mmu/mmu.c
+++ b/arch/x86/kvm/mmu/mmu.c
@@ -182,6 +182,8 @@ struct kmem_cache *mmu_page_header_cache;
 static struct percpu_counter kvm_total_used_mmu_pages;
 
 static void mmu_spte_set(u64 *sptep, u64 spte);
+static int mmu_page_zap_pte(struct kvm *kvm, struct kvm_mmu_page *sp,
+			    u64 *spte, struct list_head *invalid_list);
 
 struct kvm_mmu_role_regs {
 	const unsigned long cr0;
@@ -1194,19 +1196,6 @@ static void drop_spte(struct kvm *kvm, u64 *sptep)
 		rmap_remove(kvm, sptep);
 }
 
-static void drop_large_spte(struct kvm *kvm, u64 *sptep, bool flush)
-{
-	struct kvm_mmu_page *sp;
-
-	sp = sptep_to_sp(sptep);
-	WARN_ON_ONCE(sp->role.level == PG_LEVEL_4K);
-
-	drop_spte(kvm, sptep);
-
-	if (flush)
-		kvm_flush_remote_tlbs_sptep(kvm, sptep);
-}
-
 /*
  * Write-protect on the specified @sptep, @pt_protect indicates whether
  * spte write-protection is caused by protecting shadow page table.
@@ -2350,7 +2339,8 @@ static struct kvm_mmu_page *kvm_mmu_get_child_sp(struct kvm_vcpu *vcpu,
 {
 	union kvm_mmu_page_role role;
 
-	if (is_shadow_present_pte(*sptep) && !is_large_pte(*sptep))
+	if (is_shadow_present_pte(*sptep) && !is_large_pte(*sptep) &&
+	    spte_to_child_sp(*sptep) && spte_to_child_sp(*sptep)->gfn == gfn)
 		return ERR_PTR(-EEXIST);
 
 	role = kvm_mmu_child_role(sptep, direct, access);
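Review bot: spte_to_child_sp(*sptep) is evaluated twice in the new condition; caching it in a local (`struct kvm_mmu_page *child = spte_to_child_sp(*sptep);`) reads better and makes the NULL guard explicit. A short comment stating why the child's gfn can mismatch (a guest write changed the mapping between VM entries, per the changelog) would help the next reader.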
@@ -2428,13 +2418,16 @@ static void __link_shadow_page(struct kvm *kvm,
 
 	BUILD_BUG_ON(VMX_EPT_WRITABLE_MASK != PT_WRITABLE_MASK);
 
-	/*
-	 * If an SPTE is present already, it must be a leaf and therefore
-	 * a large one.  Drop it, and flush the TLB if needed, before
-	 * installing sp.
-	 */
-	if (is_shadow_present_pte(*sptep))
-		drop_large_spte(kvm, sptep, flush);
+	if (is_shadow_present_pte(*sptep)) {
+		struct kvm_mmu_page *parent_sp;
+		LIST_HEAD(invalid_list);
+
+		parent_sp = sptep_to_sp(sptep);
+		WARN_ON_ONCE(parent_sp->role.level == PG_LEVEL_4K);
+
+		mmu_page_zap_pte(kvm, parent_sp, sptep, &invalid_list);
+		kvm_mmu_remote_flush_or_zap(kvm, &invalid_list, true);
+	}
 
 	spte = make_nonleaf_spte(sp->spt, sp_ad_disabled(sp));
 
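Review bot: the `flush` parameter of __link_shadow_page() looks unused after this hunk, since kvm_mmu_remote_flush_or_zap(kvm, &invalid_list, true) now flushes unconditionally where the removed drop_large_spte() only flushed when `flush` was set; either drop the parameter from the signature and its callers or add a comment explaining why an unconditional flush is required here. The WARN_ON_ONCE on PG_LEVEL_4K from the removed helper is carried over, good.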
-- 
2.53.0

* [PATCH 6.6 163/474] iommu/amd: Use atomic64_inc_return() in iommu.c
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (161 preceding siblings ...)
  2026-05-15 15:44 ` [PATCH 6.6 162/474] KVM: x86: Fix shadow paging use-after-free due to unexpected GFN Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
  2026-05-15 15:44 ` [PATCH 6.6 164/474] iommu/amd: serialize sequence allocation under concurrent TLB invalidations Greg Kroah-Hartman
                   ` (311 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Uros Bizjak, Joerg Roedel,
	Suravee Suthikulpanit, Will Deacon, Robin Murphy, Jason Gunthorpe,
	Joerg Roedel, Salvatore Bonaccorso, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Uros Bizjak <ubizjak@gmail.com>

commit 5ce73c524f5fb5abd7b1bfed0115474b4fb437b4 upstream.

Use atomic64_inc_return(&ref) instead of atomic64_add_return(1, &ref)
to use the optimized implementation and ease register pressure around
the primitive on targets that implement the optimized variant.

Signed-off-by: Uros Bizjak <ubizjak@gmail.com>
Cc: Joerg Roedel <joro@8bytes.org>
Cc: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Cc: Will Deacon <will@kernel.org>
Cc: Robin Murphy <robin.murphy@arm.com>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Link: https://lore.kernel.org/r/20241007084356.47799-1-ubizjak@gmail.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
Stable-dep-of: 9e249c48412828e807afddc21527eb734dc9bd3d ("iommu/amd: serialize sequence allocation under concurrent TLB invalidations")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iommu/amd/iommu.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c
index d119a104a3436..6d0d28050052a 100644
--- a/drivers/iommu/amd/iommu.c
+++ b/drivers/iommu/amd/iommu.c
@@ -1209,7 +1209,7 @@ static int iommu_completion_wait(struct amd_iommu *iommu)
 	if (!iommu->need_sync)
 		return 0;
 
-	data = atomic64_add_return(1, &iommu->cmd_sem_val);
+	data = atomic64_inc_return(&iommu->cmd_sem_val);
 	build_completion_wait(&cmd, iommu, data);
 
 	raw_spin_lock_irqsave(&iommu->lock, flags);
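Review bot: atomic64_inc_return() returns the incremented value exactly as atomic64_add_return(1, ...) did, so `data` is unchanged; per the Stable-dep-of tag this exists only so the following patch applies cleanly and can be treated as a no-op.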
@@ -2877,7 +2877,7 @@ static void iommu_flush_irt_and_complete(struct amd_iommu *iommu, u16 devid)
 		return;
 
 	build_inv_irt(&cmd, devid);
-	data = atomic64_add_return(1, &iommu->cmd_sem_val);
+	data = atomic64_inc_return(&iommu->cmd_sem_val);
 	build_completion_wait(&cmd2, iommu, data);
 
 	raw_spin_lock_irqsave(&iommu->lock, flags);
-- 
2.53.0

* [PATCH 6.6 164/474] iommu/amd: serialize sequence allocation under concurrent TLB invalidations
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (162 preceding siblings ...)
  2026-05-15 15:44 ` [PATCH 6.6 163/474] iommu/amd: Use atomic64_inc_return() in iommu.c Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
  2026-05-15 15:44 ` [PATCH 6.6 165/474] net: Fix icmp host relookup triggering ip_rt_bug Greg Kroah-Hartman
                   ` (310 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Srikanth Aithal, Ankit Soni,
	Vasant Hegde, Joerg Roedel, Salvatore Bonaccorso, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ankit Soni <Ankit.Soni@amd.com>

commit 9e249c48412828e807afddc21527eb734dc9bd3d upstream.

With concurrent TLB invalidations, completion wait randomly gets timed out
because cmd_sem_val was incremented outside the IOMMU spinlock, allowing
CMD_COMPL_WAIT commands to be queued out of sequence and breaking the
ordering assumption in wait_on_sem().
Move the cmd_sem_val increment under iommu->lock so completion sequence
allocation is serialized with command queuing.
And remove the unnecessary return.

Fixes: d2a0cac10597 ("iommu/amd: move wait_on_sem() out of spinlock")

Tested-by: Srikanth Aithal <sraithal@amd.com>
Reported-by: Srikanth Aithal <sraithal@amd.com>
Signed-off-by: Ankit Soni <Ankit.Soni@amd.com>
Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
[Salvatore Bonaccorso: Backport to v6.12.y where f32fe7cb0198
("iommu/amd: Add support to remap/unmap IOMMU buffers for kdump") is not
present]
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iommu/amd/amd_iommu_types.h |  2 +-
 drivers/iommu/amd/init.c            |  2 +-
 drivers/iommu/amd/iommu.c           | 18 ++++++++++++------
 3 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/drivers/iommu/amd/amd_iommu_types.h b/drivers/iommu/amd/amd_iommu_types.h
index d872054b874fa..2571a782b7b61 100644
--- a/drivers/iommu/amd/amd_iommu_types.h
+++ b/drivers/iommu/amd/amd_iommu_types.h
@@ -765,7 +765,7 @@ struct amd_iommu {
 
 	u32 flags;
 	volatile u64 *cmd_sem;
-	atomic64_t cmd_sem_val;
+	u64 cmd_sem_val;
 
 #ifdef CONFIG_AMD_IOMMU_DEBUGFS
 	/* DebugFS Info */
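Review bot: changing cmd_sem_val from atomic64_t to a plain u64 is only safe if every access is under iommu->lock; get_cmdsem_val() asserts that for the increment, but any remaining reader outside the lock (for example a debugfs dump) would now be a data race, so it is worth grepping for other users of cmd_sem_val when applying this backport.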
diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c
index 6261bc7304e97..e5fee1aae587b 100644
--- a/drivers/iommu/amd/init.c
+++ b/drivers/iommu/amd/init.c
@@ -1805,7 +1805,7 @@ static int __init init_iommu_one(struct amd_iommu *iommu, struct ivhd_header *h,
 	iommu->pci_seg = pci_seg;
 
 	raw_spin_lock_init(&iommu->lock);
-	atomic64_set(&iommu->cmd_sem_val, 0);
+	iommu->cmd_sem_val = 0;
 
 	/* Add IOMMU to internal data structures */
 	list_add_tail(&iommu->list, &amd_iommu_list);
diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c
index 6d0d28050052a..48cf9e9e15976 100644
--- a/drivers/iommu/amd/iommu.c
+++ b/drivers/iommu/amd/iommu.c
@@ -1195,6 +1195,12 @@ static int iommu_queue_command(struct amd_iommu *iommu, struct iommu_cmd *cmd)
 	return iommu_queue_command_sync(iommu, cmd, true);
 }
 
+static u64 get_cmdsem_val(struct amd_iommu *iommu)
+{
+	lockdep_assert_held(&iommu->lock);
+	return ++iommu->cmd_sem_val;
+}
+
 /*
  * This function queues a completion wait command into the command
  * buffer of an IOMMU
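Review bot: lockdep_assert_held(&iommu->lock) in get_cmdsem_val() is the right guard now that the field is not atomic; a one-line comment that the returned sequence must be queued before the lock is dropped would document the ordering this fix depends on.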
@@ -1209,11 +1215,11 @@ static int iommu_completion_wait(struct amd_iommu *iommu)
 	if (!iommu->need_sync)
 		return 0;
 
-	data = atomic64_inc_return(&iommu->cmd_sem_val);
-	build_completion_wait(&cmd, iommu, data);
-
 	raw_spin_lock_irqsave(&iommu->lock, flags);
 
+	data = get_cmdsem_val(iommu);
+	build_completion_wait(&cmd, iommu, data);
+
 	ret = __iommu_queue_command_sync(iommu, &cmd, false);
 	raw_spin_unlock_irqrestore(&iommu->lock, flags);
 
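Review bot: build_completion_wait() now runs under the raw spinlock with IRQs disabled; it only fills in a command structure so the extra hold time is negligible, but the changelog could say explicitly that allocating the sequence number and enqueuing CMD_COMPL_WAIT are now atomic with respect to each other, which is what restores the ordering wait_on_sem() relies on.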
@@ -2877,10 +2883,11 @@ static void iommu_flush_irt_and_complete(struct amd_iommu *iommu, u16 devid)
 		return;
 
 	build_inv_irt(&cmd, devid);
-	data = atomic64_inc_return(&iommu->cmd_sem_val);
-	build_completion_wait(&cmd2, iommu, data);
 
 	raw_spin_lock_irqsave(&iommu->lock, flags);
+	data = get_cmdsem_val(iommu);
+	build_completion_wait(&cmd2, iommu, data);
+
 	ret = __iommu_queue_command_sync(iommu, &cmd, true);
 	if (ret)
 		goto out_err;
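Review bot: build_inv_irt() correctly stays outside the lock while only the completion-wait command moves inside it, since only the latter consumes the sequence number; that asymmetry deserves a brief comment so a later cleanup does not "fix" it by moving both under the lock.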
@@ -2894,7 +2901,6 @@ static void iommu_flush_irt_and_complete(struct amd_iommu *iommu, u16 devid)
 
 out_err:
 	raw_spin_unlock_irqrestore(&iommu->lock, flags);
-	return;
 }
 
 static void set_dte_irq_entry(struct amd_iommu *iommu, u16 devid,
-- 
2.53.0

* [PATCH 6.6 165/474] net: Fix icmp host relookup triggering ip_rt_bug
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (163 preceding siblings ...)
  2026-05-15 15:44 ` [PATCH 6.6 164/474] iommu/amd: serialize sequence allocation under concurrent TLB invalidations Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
  2026-05-15 15:44 ` [PATCH 6.6 166/474] flow_dissector: do not dissect PPPoE PFC frames Greg Kroah-Hartman
                   ` (309 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dong Chenchen, David Ahern,
	Eric Dumazet, Jakub Kicinski, Jiayuan Chen, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dong Chenchen <dongchenchen2@huawei.com>

[ Upstream commit c44daa7e3c73229f7ac74985acb8c7fb909c4e0a ]

An ARP link failure may trigger ip_rt_bug while xfrm is enabled; the call trace is:

WARNING: CPU: 0 PID: 0 at net/ipv4/route.c:1241 ip_rt_bug+0x14/0x20
Modules linked in:
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-rc6-00077-g2e1b3cc9d7f7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:ip_rt_bug+0x14/0x20
Call Trace:
 <IRQ>
 ip_send_skb+0x14/0x40
 __icmp_send+0x42d/0x6a0
 ipv4_link_failure+0xe2/0x1d0
 arp_error_report+0x3c/0x50
 neigh_invalidate+0x8d/0x100
 neigh_timer_handler+0x2e1/0x330
 call_timer_fn+0x21/0x120
 __run_timer_base.part.0+0x1c9/0x270
 run_timer_softirq+0x4c/0x80
 handle_softirqs+0xac/0x280
 irq_exit_rcu+0x62/0x80
 sysvec_apic_timer_interrupt+0x77/0x90

The script below reproduces this scenario:
ip xfrm policy add src 0.0.0.0/0 dst 0.0.0.0/0 \
	dir out priority 0 ptype main flag localok icmp
ip l a veth1 type veth
ip a a 192.168.141.111/24 dev veth0
ip l s veth0 up
ping 192.168.141.155 -c 1

icmp_route_lookup() creates input routes for locally generated packets
while xfrm relooks up ICMP traffic. Then it sets the input route
(dst->out = ip_rt_bug) on the skb for DESTUNREACH.

For ICMP err triggered by locally generated packets, dst->dev of output
route is loopback. Generally, xfrm relookup verification is not required
on loopback interfaces (net.ipv4.conf.lo.disable_xfrm = 1).

Skip icmp relookup for locally generated packets to fix it.

Fixes: 8b7817f3a959 ("[IPSEC]: Add ICMP host relookup support")
Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20241127040850.1513135-1-dongchenchen2@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/icmp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index 29c73b05b1e1a..3fcf11f83d87b 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -518,6 +518,9 @@ static struct rtable *icmp_route_lookup(struct net *net, struct flowi4 *fl4,
 	if (!IS_ERR(rt)) {
 		if (rt != rt2)
 			return rt;
+		if (inet_addr_type_dev_table(net, route_lookup_dev,
+					     fl4->daddr) == RTN_LOCAL)
+			return rt;
 	} else if (PTR_ERR(rt) == -EPERM) {
 		rt = NULL;
 	} else
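Review bot: the new test identifies a locally generated packet by checking whether the ICMP error's destination (fl4->daddr) is RTN_LOCAL on route_lookup_dev, which is an indirect encoding of the changelog's "skip relookup for locally generated packets"; a comment tying the two together would help. inet_addr_type_dev_table() adds a FIB lookup on the ICMP error path, which is acceptable given ICMP errors are rate-limited, but worth stating.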
-- 
2.53.0

* [PATCH 6.6 166/474] flow_dissector: do not dissect PPPoE PFC frames
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (164 preceding siblings ...)
  2026-05-15 15:44 ` [PATCH 6.6 165/474] net: Fix icmp host relookup triggering ip_rt_bug Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
  2026-05-15 15:44 ` [PATCH 6.6 167/474] net: txgbe: fix RTNL assertion warning when remove module Greg Kroah-Hartman
                   ` (308 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Qingfang Deng, Jakub Kicinski,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Qingfang Deng <qingfang.deng@linux.dev>

[ Upstream commit d6c19b31a3c1d519fabdcf0aa239e6b6109b9473 ]

RFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT
RECOMMENDED for PPPoE. In practice, pppd does not support negotiating
PFC for PPPoE sessions, and the flow dissector driver has assumed an
uncompressed frame until the blamed commit.

During the review process of that commit [1], support for PFC was
suggested. However, having a compressed (1-byte) protocol field means
the subsequent PPP payload is shifted by one byte, causing 4-byte
misalignment for the network header and an unaligned access exception
on some architectures.

The exception can be reproduced by sending a PPPoE PFC frame to an
ethernet interface of a MIPS board, with RPS enabled, even if no PPPoE
session is active on that interface:

$ 0   : 00000000 80c40000 00000000 85144817
$ 4   : 00000008 00000100 80a75758 81dc9bb8
$ 8   : 00000010 8087ae2c 0000003d 00000000
$12   : 000000e0 00000039 00000000 00000000
$16   : 85043240 80a75758 81dc9bb8 00006488
$20   : 0000002f 00000007 85144810 80a70000
$24   : 81d1bda0 00000000
$28   : 81dc8000 81dc9aa8 00000000 805ead08
Hi    : 00009d51
Lo    : 2163358a
epc   : 805e91f0 __skb_flow_dissect+0x1b0/0x1b50
ra    : 805ead08 __skb_get_hash_net+0x74/0x12c
Status: 11000403        KERNEL EXL IE
Cause : 40800010 (ExcCode 04)
BadVA : 85144817
PrId  : 0001992f (MIPS 1004Kc)
Call Trace:
[<805e91f0>] __skb_flow_dissect+0x1b0/0x1b50
[<805ead08>] __skb_get_hash_net+0x74/0x12c
[<805ef330>] get_rps_cpu+0x1b8/0x3fc
[<805fca70>] netif_receive_skb_list_internal+0x324/0x364
[<805fd120>] napi_complete_done+0x68/0x2a4
[<8058de5c>] mtk_napi_rx+0x228/0xfec
[<805fd398>] __napi_poll+0x3c/0x1c4
[<805fd754>] napi_threaded_poll_loop+0x234/0x29c
[<805fd848>] napi_threaded_poll+0x8c/0xb0
[<80053544>] kthread+0x104/0x12c
[<80002bd8>] ret_from_kernel_thread+0x14/0x1c

Code: 02d51821  1060045b  00000000 <8c640000> 3084000f  2c820005  144001a2  00042080  8e220000

To reduce the attack surface and maintain performance, do not process
PPPoE PFC frames.

[1] https://lore.kernel.org/r/20220630231016.GA392@debian.home
Fixes: 46126db9c861 ("flow_dissector: Add PPPoE dissectors")
Signed-off-by: Qingfang Deng <qingfang.deng@linux.dev>
Link: https://patch.msgid.link/20260415022456.141758-1-qingfang.deng@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/flow_dissector.c | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
index aafa754b6cbab..9432e5362b44f 100644
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -1350,16 +1350,13 @@ bool __skb_flow_dissect(const struct net *net,
 			break;
 		}
 
-		/* least significant bit of the most significant octet
-		 * indicates if protocol field was compressed
+		/* PFC (compressed 1-byte protocol) frames are not processed.
+		 * A compressed protocol field has the least significant bit of
+		 * the most significant octet set, which will fail the following
+		 * ppp_proto_is_valid(), returning FLOW_DISSECT_RET_OUT_BAD.
 		 */
 		ppp_proto = ntohs(hdr->proto);
-		if (ppp_proto & 0x0100) {
-			ppp_proto = ppp_proto >> 8;
-			nhoff += PPPOE_SES_HLEN - 1;
-		} else {
-			nhoff += PPPOE_SES_HLEN;
-		}
+		nhoff += PPPOE_SES_HLEN;
 
 		if (ppp_proto == PPP_IP) {
 			proto = htons(ETH_P_IP);
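Review bot: the new comment says a compressed protocol field "will fail the following ppp_proto_is_valid(), returning FLOW_DISSECT_RET_OUT_BAD", but no call to ppp_proto_is_valid() is visible in this hunk; the only check that follows `nhoff += PPPOE_SES_HLEN;` here is `if (ppp_proto == PPP_IP)`. Either point the comment at the branch where the validity check actually lives, or move that check directly after the `ntohs()` so the rejection of PFC frames is visible at the spot the comment describes; as written a reader has to take the comment on trust.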
-- 
2.53.0
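As an added example, not part of this patch or the kernel: a minimal PPPoE session-header dissector that models the removed PFC handling (`legacy_pfc = true`) next to the patched behaviour (`legacy_pfc = false`). The names `PPPOE_SES_HLEN`, `PPP_IP`, `PPP_IPV6` and the `FLOW_DISSECT_RET_*` values follow the kernel's; the validity rule is my own reading of RFC 1661 and stands in for the kernel's `ppp_proto_is_valid()` (not a copy of it), its placement after the `PPP_IP`/`PPP_IPV6` comparisons is an assumption, and both frames are constructed by hand. It shows that a PFC frame on the patched path is rejected, while the old path accepted it and left the next-header offset odd.

```c
/* Added example, not the kernel's code: a minimal PPPoE session-header
 * dissector showing the removed PFC handling (legacy_pfc = true) next to the
 * patched behaviour (legacy_pfc = false). The two frames at the bottom are
 * constructed by hand. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PPPOE_SES_HLEN 8       /* 6-byte PPPoE header + 2-byte PPP protocol */
#define PPP_IP         0x0021  /* PPP protocol number for IPv4 */
#define PPP_IPV6       0x0057  /* PPP protocol number for IPv6 */
#define ETH_P_IP       0x0800
#define ETH_P_IPV6     0x86DD

enum dissect_ret { FLOW_DISSECT_RET_OUT_GOOD, FLOW_DISSECT_RET_OUT_BAD };

struct dissect_result {
	enum dissect_ret ret;
	uint16_t next_proto;   /* EtherType of the encapsulated packet, 0 if none */
	size_t next_off;       /* offset at which that packet starts */
};

static uint16_t load_be16(const uint8_t *p)
{
	return (uint16_t)((p[0] << 8) | p[1]);
}

/* RFC 1661 protocol-field rule: low bit of the high octet clear, low bit of
 * the low octet set. Reading a PFC frame's compressed protocol byte plus the
 * first payload byte as one 16-bit value breaks the first rule. This is my
 * stand-in for the kernel's ppp_proto_is_valid(), not a copy of it. */
static bool ppp_proto_is_valid(uint16_t proto)
{
	return (proto & 0x0100) == 0 && (proto & 0x0001) == 1;
}

struct dissect_result dissect_pppoe_ses(const uint8_t *pkt, size_t len,
					size_t nhoff, bool legacy_pfc)
{
	struct dissect_result r = { FLOW_DISSECT_RET_OUT_BAD, 0, 0 };
	uint16_t ppp_proto;

	if (len < nhoff + PPPOE_SES_HLEN)
		return r;
	/* version 1, type 1, code 0 = session data */
	if (pkt[nhoff] != 0x11 || pkt[nhoff + 1] != 0x00)
		return r;

	ppp_proto = load_be16(pkt + nhoff + 6);
	if (legacy_pfc && (ppp_proto & 0x0100)) {
		/* removed behaviour: fold the 1-byte protocol and advance by
		 * PPPOE_SES_HLEN - 1, which leaves an odd next-header offset */
		ppp_proto >>= 8;
		nhoff += PPPOE_SES_HLEN - 1;
	} else {
		nhoff += PPPOE_SES_HLEN;
	}

	if (ppp_proto == PPP_IP)
		r.next_proto = ETH_P_IP;
	else if (ppp_proto == PPP_IPV6)
		r.next_proto = ETH_P_IPV6;
	else if (!ppp_proto_is_valid(ppp_proto))
		return r;   /* a PFC frame ends here on the patched path */

	r.ret = FLOW_DISSECT_RET_OUT_GOOD;
	r.next_off = nhoff;
	return r;
}

/* Constructed frames: PPPoE session header followed by the start of an IPv4
 * header (0x45 ...). PKT_IPV4 carries the normal 2-byte protocol 0x0021;
 * PKT_PFC carries the compressed 1-byte protocol 0x21 directly before 0x45. */
static const uint8_t PKT_IPV4[] = {
	0x11, 0x00, 0x00, 0x01, 0x00, 0x16, 0x00, 0x21,
	0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11, 0, 0,
	10, 0, 0, 1, 10, 0, 0, 2,
};
static const uint8_t PKT_PFC[] = {
	0x11, 0x00, 0x00, 0x01, 0x00, 0x15, 0x21,
	0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11, 0, 0,
	10, 0, 0, 1, 10, 0, 0, 2,
};

int main(void)
{
	struct dissect_result a = dissect_pppoe_ses(PKT_IPV4, sizeof(PKT_IPV4), 0, false);
	struct dissect_result b = dissect_pppoe_ses(PKT_PFC, sizeof(PKT_PFC), 0, false);
	struct dissect_result c = dissect_pppoe_ses(PKT_PFC, sizeof(PKT_PFC), 0, true);

	printf("normal frame: ret=%d proto=0x%04x off=%zu\n", a.ret, a.next_proto, a.next_off);
	printf("PFC, patched: ret=%d (rejected)\n", b.ret);
	printf("PFC, legacy : ret=%d proto=0x%04x off=%zu (odd)\n", c.ret, c.next_proto, c.next_off);
	return 0;
}
```

The legacy path returns the PFC frame as IPv4 at offset 7; the patched path returns `FLOW_DISSECT_RET_OUT_BAD` for the same bytes, so the dissector never walks an IP header at an odd offset.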





* [PATCH 6.6 167/474] net: txgbe: fix RTNL assertion warning when remove module
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jiawen Wu, Russell King (Oracle),
	Jakub Kicinski, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiawen Wu <jiawenwu@trustnetic.com>

[ Upstream commit e159f05e12cc1111a3103b99375ddf0dfd0e7d63 ]

For the copper NIC with external PHY, the driver called
phylink_connect_phy() during probe and phylink_disconnect_phy() during
remove. It caused an RTNL assertion warning in phylink_disconnect_phy()
upon module remove.

To fix this, add rtnl_lock() and rtnl_unlock() around the
phylink_disconnect_phy() in remove function.

 ------------[ cut here ]------------
 RTNL: assertion failed at drivers/net/phy/phylink.c (2351)
 WARNING: drivers/net/phy/phylink.c:2351 at
phylink_disconnect_phy+0xd8/0xf0 [phylink], CPU#0: rmmod/4464
 Modules linked in: ...
 CPU: 0 UID: 0 PID: 4464 Comm: rmmod Kdump: loaded Not tainted 7.0.0-rc4+
 Hardware name: Micro-Star International Co., Ltd. MS-7E16/X670E GAMING
PLUS WIFI (MS-7E16), BIOS 1.90 12/31/2024
 RIP: 0010:phylink_disconnect_phy+0xe4/0xf0 [phylink]
 Code: 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 31 d2 31 f6 31 ff e9 3a 38 8f e7
48 8d 3d 48 87 e2 ff ba 2f 09 00 00 48 c7 c6 c1 22 24 c0 <67> 48 0f b9 3a
e9 34 ff ff ff 66 90 90 90 90 90 90 90 90 90 90 90
 RSP: 0018:ffffce7288363ac0 EFLAGS: 00010246
 RAX: 0000000000000000 RBX: ffff89654b2a1a00 RCX: 0000000000000000
 RDX: 000000000000092f RSI: ffffffffc02422c1 RDI: ffffffffc0239020
 RBP: ffffce7288363ae8 R08: 0000000000000000 R09: 0000000000000000
 R10: 0000000000000000 R11: 0000000000000000 R12: ffff8964c4022000
 R13: ffff89654fce3028 R14: ffff89654ebb4000 R15: ffffffffc0226348
 FS:  0000795e80d93780(0000) GS:ffff896c52857000(0000)
knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00005b528b592000 CR3: 0000000170d0f000 CR4: 0000000000f50ef0
 PKRU: 55555554
 Call Trace:
  <TASK>
  txgbe_remove_phy+0xbb/0xd0 [txgbe]
  txgbe_remove+0x4c/0xb0 [txgbe]
  pci_device_remove+0x41/0xb0
  device_remove+0x43/0x80
  device_release_driver_internal+0x206/0x270
  driver_detach+0x4a/0xa0
  bus_remove_driver+0x83/0x120
  driver_unregister+0x2f/0x60
  pci_unregister_driver+0x40/0x90
  txgbe_driver_exit+0x10/0x850 [txgbe]
  __do_sys_delete_module.isra.0+0x1c3/0x2f0
  __x64_sys_delete_module+0x12/0x20
  x64_sys_call+0x20c3/0x2390
  do_syscall_64+0x11c/0x1500
  ? srso_alias_return_thunk+0x5/0xfbef5
  ? do_syscall_64+0x15a/0x1500
  ? srso_alias_return_thunk+0x5/0xfbef5
  ? do_fault+0x312/0x580
  ? srso_alias_return_thunk+0x5/0xfbef5
  ? __handle_mm_fault+0x9d5/0x1040
  ? srso_alias_return_thunk+0x5/0xfbef5
  ? count_memcg_events+0x101/0x1d0
  ? srso_alias_return_thunk+0x5/0xfbef5
  ? handle_mm_fault+0x1e8/0x2f0
  ? srso_alias_return_thunk+0x5/0xfbef5
  ? do_user_addr_fault+0x2f8/0x820
  ? srso_alias_return_thunk+0x5/0xfbef5
  ? irqentry_exit+0xb2/0x600
  ? srso_alias_return_thunk+0x5/0xfbef5
  ? exc_page_fault+0x92/0x1c0
  entry_SYSCALL_64_after_hwframe+0x76/0x7e

Fixes: 02b2a6f91b90 ("net: txgbe: support copper NIC with external PHY")
Cc: stable@vger.kernel.org
Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Link: https://patch.msgid.link/8B47A5872884147D+20260407094041.4646-1-jiawenwu@trustnetic.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/wangxun/txgbe/txgbe_phy.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/ethernet/wangxun/txgbe/txgbe_phy.c b/drivers/net/ethernet/wangxun/txgbe/txgbe_phy.c
index 4159c84035fdc..2494a3a171fdc 100644
--- a/drivers/net/ethernet/wangxun/txgbe/txgbe_phy.c
+++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_phy.c
@@ -820,7 +820,9 @@ int txgbe_init_phy(struct txgbe *txgbe)
 void txgbe_remove_phy(struct txgbe *txgbe)
 {
 	if (txgbe->wx->media_type == sp_media_copper) {
+		rtnl_lock();
 		phylink_disconnect_phy(txgbe->phylink);
+		rtnl_unlock();
 		phylink_destroy(txgbe->phylink);
 		return;
 	}
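Review bot: the lock covers only phylink_disconnect_phy(); the phylink_destroy() on the next line still runs without RTNL, which matches the trace (the assertion fires inside phylink_disconnect_phy) but leaves the reader to work out why the two calls are treated differently. A one-line comment above `rtnl_lock();` stating that phylink_disconnect_phy() asserts RTNL is held would document that, and it is also worth confirming that nothing on the rmmod path already holds RTNL when txgbe_remove_phy() is reached, since rtnl_lock() here would then deadlock.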
-- 
2.53.0





* [PATCH 6.6 168/474] dmaengine: idxd: Fix crash when the event log is disabled
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dave Jiang, Vinicius Costa Gomes,
	Vinod Koul, Wenshan Lan, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vinicius Costa Gomes <vinicius.gomes@intel.com>

[ Upstream commit 52d2edea0d63c935e82631e4b9e4a94eccf97b5b ]

If reporting errors to the event log is not supported by the hardware,
and an error that causes Function Level Reset (FLR) is received, the
driver will try to restore the event log even if it was not allocated.

Also, only try to free the event log if it was properly allocated.

Fixes: 6078a315aec1 ("dmaengine: idxd: Add idxd_device_config_save() and idxd_device_config_restore() helpers")
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Link: https://patch.msgid.link/20260121-idxd-fix-flr-on-kernel-queues-v3-v3-2-7ed70658a9d1@intel.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
[ Only the idxd_device_evl_free() NULL check portion was backported in v6.6.
idxd_device_config_restore() does not exist in v6.6. It was introduced
in 6.14. ]
Signed-off-by: Wenshan Lan <jetlan9@163.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/dma/idxd/device.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/dma/idxd/device.c b/drivers/dma/idxd/device.c
index 44bbeb3acd14e..e769e1f0d28b2 100644
--- a/drivers/dma/idxd/device.c
+++ b/drivers/dma/idxd/device.c
@@ -810,6 +810,9 @@ static void idxd_device_evl_free(struct idxd_device *idxd)
 	struct device *dev = &idxd->pdev->dev;
 	struct idxd_evl *evl = idxd->evl;
 
+	if (!evl)
+		return;
+
 	gencfg.bits = ioread32(idxd->reg_base + IDXD_GENCFG_OFFSET);
 	if (!gencfg.evl_en)
 		return;
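Review bot: the `if (!evl) return;` guard only prevents the crash if `idxd->evl` is left NULL when the hardware lacks event-log support and is set back to NULL after the log is freed; neither the allocation nor the free path is in this hunk, so confirm both keep that invariant. Otherwise a second call into idxd_device_evl_free() (an FLR followed by device remove, the case the changelog describes) passes the new guard and still reaches the locking and freeing code below on a stale pointer.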
-- 
2.53.0





* [PATCH 6.6 169/474] dmaengine: idxd: Fix leaking event log memory
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dave Jiang, Vinicius Costa Gomes,
	Vinod Koul, Wenshan Lan, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vinicius Costa Gomes <vinicius.gomes@intel.com>

[ Upstream commit ee66bc29578391c9b48523dc9119af67bd5c7c0f ]

During the device remove process, the device is reset, causing the
configuration registers to go back to their default state, which is
zero. As the driver is checking if the event log support was enabled
before deallocating, it will fail if a reset happened before.

Do not check if the support was enabled, the check for 'idxd->evl'
being valid (only allocated if the HW capability is available) is
enough.

Fixes: 244da66cda35 ("dmaengine: idxd: setup event log configuration")
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Link: https://patch.msgid.link/20260121-idxd-fix-flr-on-kernel-queues-v3-v3-10-7ed70658a9d1@intel.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Wenshan Lan <jetlan9@163.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/dma/idxd/device.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/drivers/dma/idxd/device.c b/drivers/dma/idxd/device.c
index e769e1f0d28b2..13af4ef2f43f0 100644
--- a/drivers/dma/idxd/device.c
+++ b/drivers/dma/idxd/device.c
@@ -813,10 +813,6 @@ static void idxd_device_evl_free(struct idxd_device *idxd)
 	if (!evl)
 		return;
 
-	gencfg.bits = ioread32(idxd->reg_base + IDXD_GENCFG_OFFSET);
-	if (!gencfg.evl_en)
-		return;
-
 	mutex_lock(&evl->lock);
 	gencfg.evl_en = 0;
 	iowrite32(gencfg.bits, idxd->reg_base + IDXD_GENCFG_OFFSET);
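Review bot: dropping the ioread32() removes the only assignment to `gencfg.bits` that is visible before `gencfg.evl_en = 0;` and `iowrite32(gencfg.bits, ...)`. Unless `gencfg` is initialized elsewhere in this function (its declaration is outside the hunk), the write now pushes indeterminate stack bits into the other GENCFG fields. The leak is fixed by removing the early return, not the read, so keep the read and clear the bit under the lock, e.g. `gencfg.bits = ioread32(idxd->reg_base + IDXD_GENCFG_OFFSET);` followed by `gencfg.evl_en = 0;`.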
-- 
2.53.0





* [PATCH 6.6 170/474] KVM: SVM: check validity of VMCB controls when returning from SMM
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Paolo Bonzini

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Bonzini <pbonzini@redhat.com>

commit be5fa8737d42c5ba16d2ea72c23681f8abbb07e8 upstream.

The VMCB12 is stored in guest memory and can be mangled while in SMM; it
is then reloaded by svm_leave_smm(), but it is not checked again for
validity.

Move the cached vmcb12 control and save consistency checks out of
svm_set_nested_state() and into a helper, and reuse it in
svm_leave_smm().

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/nested.c |   12 ++++++++++--
 arch/x86/kvm/svm/svm.c    |    4 ++++
 arch/x86/kvm/svm/svm.h    |    1 +
 3 files changed, 15 insertions(+), 2 deletions(-)

--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -415,6 +415,15 @@ void nested_copy_vmcb_save_to_cache(stru
 	__nested_copy_vmcb_save_to_cache(&svm->nested.save, save);
 }
 
+int nested_svm_check_cached_vmcb12(struct kvm_vcpu *vcpu)
+{
+	if (!nested_vmcb_check_save(vcpu) ||
+	    !nested_vmcb_check_controls(vcpu))
+		return -EINVAL;
+
+	return 0;
+}
+
 /*
  * Synchronize fields that are written by the processor, so that
  * they can be copied back into the vmcb12.
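Review bot: nested_svm_check_cached_vmcb12() is now exported through svm.h and called from svm.c as well, so it deserves a short comment stating that it validates the cached copies filled by nested_copy_vmcb_control_to_cache() and nested_copy_vmcb_save_to_cache() and therefore must be called only after both; both call sites in this series do that, but a future caller that runs it before the copies would be checking stale data and the function itself gives no hint.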
@@ -888,8 +897,7 @@ int nested_svm_vmrun(struct kvm_vcpu *vc
 	nested_copy_vmcb_control_to_cache(svm, &vmcb12->control);
 	nested_copy_vmcb_save_to_cache(svm, &vmcb12->save);
 
-	if (!nested_vmcb_check_save(vcpu) ||
-	    !nested_vmcb_check_controls(vcpu)) {
+	if (nested_svm_check_cached_vmcb12(vcpu) < 0) {
 		vmcb12->control.exit_code    = SVM_EXIT_ERR;
 		vmcb12->control.exit_code_hi = -1u;
 		vmcb12->control.exit_info_1  = 0;
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -4817,6 +4817,10 @@ static int svm_leave_smm(struct kvm_vcpu
 	vmcb12 = map.hva;
 	nested_copy_vmcb_control_to_cache(svm, &vmcb12->control);
 	nested_copy_vmcb_save_to_cache(svm, &vmcb12->save);
+
+	if (nested_svm_check_cached_vmcb12(vcpu) < 0)
+		goto unmap_save;
+
 	ret = enter_svm_guest_mode(vcpu, smram64->svm_guest_vmcb_gpa, vmcb12, false);
 
 	if (ret)
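Review bot: `goto unmap_save` on a failed nested_svm_check_cached_vmcb12() relies on `ret` already holding an error value at that point, and the hunk does not show what `ret` is before `ret = enter_svm_guest_mode(...)`. If it can still be 0 here, svm_leave_smm() reports success while the nested state was never entered. Setting it explicitly, e.g. `ret = -EINVAL;` or `ret = nested_svm_check_cached_vmcb12(vcpu); if (ret) goto unmap_save;`, makes the failure path self-evident.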
--- a/arch/x86/kvm/svm/svm.h
+++ b/arch/x86/kvm/svm/svm.h
@@ -612,6 +612,7 @@ static inline int nested_svm_simple_vmex
 
 int nested_svm_exit_handled(struct vcpu_svm *svm);
 int nested_svm_check_permissions(struct kvm_vcpu *vcpu);
+int nested_svm_check_cached_vmcb12(struct kvm_vcpu *vcpu);
 int nested_svm_check_exception(struct vcpu_svm *svm, unsigned nr,
 			       bool has_error_code, u32 error_code);
 int nested_svm_exit_special(struct vcpu_svm *svm);




* [PATCH 6.6 171/474] net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Manas, Rakshit Awasthi,
	Jamal Hadi Salim, Eric Dumazet, Jakub Kicinski

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jamal Hadi Salim <jhs@mojatatu.com>

commit 458d5615272d3de535748342eb68ca492343048c upstream.

When red qdisc has children (eg qfq qdisc) whose peek() callback is
qdisc_peek_dequeued(), we could get a kernel panic. When the parent of such
qdiscs (eg illustrated in patch #3 as tbf) wants to retrieve an skb from
its child (red in this case), it will do the following:
 1a. do a peek() - and when sensing there's an skb the child can offer, then
     - the child in this case(red) calls its child's (qfq) peek.
        qfq does the right thing and will return the gso_skb queue packet.
        Note: if there wasn't a gso_skb entry then qfq will store it there.
 1b. invoke a dequeue() on the child (red). And herein lies the problem.
     - red will call the child's dequeue() which will essentially just
       try to grab something of qfq's queue.

[   78.667668][  T363] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f]
[   78.667927][  T363] CPU: 1 UID: 0 PID: 363 Comm: ping Not tainted 7.1.0-rc1-00033-g46f74a3f7d57-dirty #790 PREEMPT(full)
[   78.668263][  T363] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[   78.668486][  T363] RIP: 0010:qfq_dequeue+0x446/0xc90 [sch_qfq]
[   78.668718][  T363] Code: 54 c0 e8 dd 90 00 f1 48 c7 c7 e0 03 54 c0 48 89 de e8 ce 90 00 f1 48 8d 7b 48 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <80> 3c 02 00 74 05 e8 ef a1 e1 f1 48 8b 7b 48 48 8d 54 24 58 48 8d
[   78.669312][  T363] RSP: 0018:ffff88810de573e0 EFLAGS: 00010216
[   78.669533][  T363] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
[   78.669790][  T363] RDX: 0000000000000009 RSI: 0000000000000004 RDI: 0000000000000048
[   78.670044][  T363] RBP: ffff888110dc4000 R08: ffffffffb1b0885a R09: fffffbfff6ba9078
[   78.670297][  T363] R10: 0000000000000003 R11: ffff888110e31c80 R12: 0000001880000000
[   78.670560][  T363] R13: ffff888110dc4150 R14: ffff888110dc42b8 R15: 0000000000000200
[   78.670814][  T363] FS:  00007f66a8f09c40(0000) GS:ffff888163428000(0000) knlGS:0000000000000000
[   78.671110][  T363] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   78.671324][  T363] CR2: 000055db4c6a30a8 CR3: 000000010da67000 CR4: 0000000000750ef0
[   78.671585][  T363] PKRU: 55555554
[   78.671713][  T363] Call Trace:
[   78.671843][  T363]  <TASK>
[   78.671936][  T363]  ? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq]
[   78.672148][  T363]  ? __pfx__printk+0x10/0x10
[   78.672322][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5
[   78.672496][  T363]  ? lockdep_hardirqs_on_prepare+0xa8/0x1a0
[   78.672706][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5
[   78.672875][  T363]  ? trace_hardirqs_on+0x19/0x1a0
[   78.673047][  T363]  red_dequeue+0x65/0x270 [sch_red]
[   78.673217][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5
[   78.673385][  T363]  tbf_dequeue.cold+0xb0/0x70c [sch_tbf]
[   78.673566][  T363]  __qdisc_run+0x169/0x1900

The right thing to do in #1b is to grab the skb off gso_skb queue.
This patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked()
method instead.

Fixes: 77be155cba4e ("pkt_sched: Add peek emulation for non-work-conserving qdiscs.")
Reported-by: Manas <ghandatmanas@gmail.com>
Reported-by: Rakshit Awasthi <rakshitawasthi17@gmail.com>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260430152957.194015-2-jhs@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sched/sch_red.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/sched/sch_red.c
+++ b/net/sched/sch_red.c
@@ -153,7 +153,7 @@ static struct sk_buff *red_dequeue(struc
 	struct red_sched_data *q = qdisc_priv(sch);
 	struct Qdisc *child = q->qdisc;
 
-	skb = child->dequeue(child);
+	skb = qdisc_dequeue_peeked(child);
 	if (skb) {
 		qdisc_bstats_update(sch, skb);
 		qdisc_qstats_backlog_dec(sch, skb);
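Review bot: the change is sufficient only if red_dequeue() is the sole place in sch_red that pulls from the child after a peek; any other path that still calls `child->dequeue(child)` directly (a drop or reset helper, for instance, none of which are in this hunk) would bypass the packet parked in the child's gso_skb and skip it, reproducing the mismatch this patch fixes. Worth a grep of sch_red.c for remaining direct `->dequeue(` calls, and a one-line comment above the new call saying why qdisc_dequeue_peeked() rather than the raw callback is required here.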
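As an added example, not part of this patch or the kernel: a toy model of the peek/dequeue contract the fix relies on. `struct Qdisc`, `struct sk_buff` and the helpers `qdisc_peek_dequeued()` and `qdisc_dequeue_peeked()` are simplified constructions whose names mirror the kernel's but whose bodies are my own (no qlen or backlog accounting). `run_scenario()` queues one or two packets into a child whose `peek` is the dequeue-and-park emulation, then runs one parent cycle: peek, then dequeue. With `fixed = 0` the parent dequeues the child directly, as the removed line did; with `fixed = 1` it uses the parked packet first.

```c
/* Added example, not kernel code: a toy model of the qdisc peek/dequeue
 * contract behind the sch_red fix. Structures are simplified constructions;
 * the helper names mirror the kernel's but the bodies are my own. */
#include <stddef.h>
#include <stdio.h>

struct sk_buff {
	int id;
	struct sk_buff *next;
};

struct Qdisc {
	struct sk_buff *head;      /* the qdisc's own FIFO */
	struct sk_buff *tail;
	struct sk_buff *gso_skb;   /* packet parked by a peek, not yet handed out */
	struct sk_buff *(*dequeue)(struct Qdisc *q);
	struct sk_buff *(*peek)(struct Qdisc *q);
};

static void fifo_push(struct Qdisc *q, struct sk_buff *skb)
{
	skb->next = NULL;
	if (q->tail)
		q->tail->next = skb;
	else
		q->head = skb;
	q->tail = skb;
}

static struct sk_buff *fifo_pop(struct Qdisc *q)
{
	struct sk_buff *skb = q->head;

	if (skb) {
		q->head = skb->next;
		if (!q->head)
			q->tail = NULL;
	}
	return skb;
}

/* The child's dequeue (think qfq): only its own FIFO, never gso_skb. */
static struct sk_buff *child_dequeue(struct Qdisc *q)
{
	return fifo_pop(q);
}

/* qdisc_peek_dequeued(): a qdisc with no cheap peek emulates one by really
 * dequeuing and parking the packet in gso_skb for the dequeue that follows. */
static struct sk_buff *qdisc_peek_dequeued(struct Qdisc *q)
{
	if (!q->gso_skb)
		q->gso_skb = q->dequeue(q);
	return q->gso_skb;
}

/* qdisc_dequeue_peeked(): hand out the parked packet first, then the FIFO. */
static struct sk_buff *qdisc_dequeue_peeked(struct Qdisc *q)
{
	struct sk_buff *skb = q->gso_skb;

	if (skb) {
		q->gso_skb = NULL;
		return skb;
	}
	return q->dequeue(q);
}

/* Parent behaviour (tbf -> red in the changelog): peek, then dequeue.
 * fixed == 0 models the old red_dequeue() calling child->dequeue() directly;
 * fixed == 1 models the patched call to qdisc_dequeue_peeked(). Returns the
 * id of the packet red hands up, or -1 when the dequeue came back empty. */
static int peek_then_dequeue(struct Qdisc *child, int fixed)
{
	if (!child->peek(child))
		return -1;
	struct sk_buff *skb = fixed ? qdisc_dequeue_peeked(child)
				    : child->dequeue(child);
	return skb ? skb->id : -1;
}

/* Queue npkts packets with ids 1..npkts into a fresh child and run one
 * parent cycle. On the old path a single packet "disappears" (the qfq
 * equivalent walks an empty structure, the NULL deref in the trace) and
 * with two packets the first one stays stranded in gso_skb. */
int run_scenario(int npkts, int fixed)
{
	struct Qdisc child = { .dequeue = child_dequeue, .peek = qdisc_peek_dequeued };
	struct sk_buff pkts[8];
	int i;

	if (npkts > 8)
		npkts = 8;
	for (i = 0; i < npkts; i++) {
		pkts[i].id = i + 1;
		fifo_push(&child, &pkts[i]);
	}
	return peek_then_dequeue(&child, fixed);
}

int main(void)
{
	printf("old path, 1 packet : %d\n", run_scenario(1, 0));
	printf("old path, 2 packets: %d\n", run_scenario(2, 0));
	printf("fixed,    1 packet : %d\n", run_scenario(1, 1));
	printf("fixed,    2 packets: %d\n", run_scenario(2, 1));
	return 0;
}
```

The old path returns -1 for one packet and 2 for two (packet 1 is parked and never delivered in this cycle); the patched path returns 1 in both cases.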




* [PATCH 6.6 172/474] bpf: support non-r10 register spill/fill to/from stack in precision tracking
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eduard Zingerman, Tao Lyu,
	Andrii Nakryiko, Alexei Starovoitov, Paul Chaignon, Shung-Hsi Yu,
	Daniel Borkmann, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andrii Nakryiko <andrii@kernel.org>

[ Upstream commit 41f6f64e6999a837048b1bd13a2f8742964eca6b ]

Use instruction (jump) history to record instructions that performed
register spill/fill to/from stack, regardless if this was done through
read-only r10 register, or any other register after copying r10 into it
*and* potentially adjusting offset.

To make this work reliably, we push extra per-instruction flags into
instruction history, encoding stack slot index (spi) and stack frame
number in extra 10 bit flags we take away from prev_idx in instruction
history. We don't touch idx field for maximum performance, as it's
checked most frequently during backtracking.

This change removes basically the last remaining practical limitation of
precision backtracking logic in BPF verifier. It fixes known
deficiencies, but also opens up new opportunities to reduce number of
verified states, explored in the subsequent patches.

There are only three differences in selftests' BPF object files
according to veristat, all in the positive direction (less states).

File                                    Program        Insns (A)  Insns (B)  Insns  (DIFF)  States (A)  States (B)  States (DIFF)
--------------------------------------  -------------  ---------  ---------  -------------  ----------  ----------  -------------
test_cls_redirect_dynptr.bpf.linked3.o  cls_redirect        2987       2864  -123 (-4.12%)         240         231    -9 (-3.75%)
xdp_synproxy_kern.bpf.linked3.o         syncookie_tc       82848      82661  -187 (-0.23%)        5107        5073   -34 (-0.67%)
xdp_synproxy_kern.bpf.linked3.o         syncookie_xdp      85116      84964  -152 (-0.18%)        5162        5130   -32 (-0.62%)

Note, I avoided renaming jmp_history to more generic insn_hist to
minimize number of lines changed and potential merge conflicts between
bpf and bpf-next trees.

Notice also cur_hist_entry pointer reset to NULL at the beginning of
instruction verification loop. This pointer avoids the problem of
relying on last jump history entry's insn_idx to determine whether we
already have entry for current instruction or not. It can happen that we
added jump history entry because current instruction is_jmp_point(), but
also we need to add instruction flags for stack access. In this case, we
don't want two entries, so we need to reuse last added entry, if it is
present.

Relying on insn_idx comparison has the same ambiguity problem as the one
that was fixed recently in [0], so we avoid that.

  [0] https://patchwork.kernel.org/project/netdevbpf/patch/20231110002638.4168352-3-andrii@kernel.org/

Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Reported-by: Tao Lyu <tao.lyu@epfl.ch>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/r/20231205184248.1502704-2-andrii@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
[ Note: Adapted the expected log format for selftests as the map format
  in verifier logs was changed in commits 1db747d75b1d and
  0c95c9fdb696. ]
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/bpf_verifier.h                  |  31 +++-
 kernel/bpf/verifier.c                         | 175 ++++++++++--------
 .../bpf/progs/verifier_subprog_precision.c    |  23 ++-
 .../testing/selftests/bpf/verifier/precise.c  |  38 ++--
 4 files changed, 169 insertions(+), 98 deletions(-)

diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
index 32e89758176be..dba211d3bb9a0 100644
--- a/include/linux/bpf_verifier.h
+++ b/include/linux/bpf_verifier.h
@@ -319,12 +319,34 @@ struct bpf_func_state {
 	struct bpf_stack_state *stack;
 };
 
-struct bpf_idx_pair {
-	u32 prev_idx;
+#define MAX_CALL_FRAMES 8
+
+/* instruction history flags, used in bpf_jmp_history_entry.flags field */
+enum {
+	/* instruction references stack slot through PTR_TO_STACK register;
+	 * we also store stack's frame number in lower 3 bits (MAX_CALL_FRAMES is 8)
+	 * and accessed stack slot's index in next 6 bits (MAX_BPF_STACK is 512,
+	 * 8 bytes per slot, so slot index (spi) is [0, 63])
+	 */
+	INSN_F_FRAMENO_MASK = 0x7, /* 3 bits */
+
+	INSN_F_SPI_MASK = 0x3f, /* 6 bits */
+	INSN_F_SPI_SHIFT = 3, /* shifted 3 bits to the left */
+
+	INSN_F_STACK_ACCESS = BIT(9), /* we need 10 bits total */
+};
+
+static_assert(INSN_F_FRAMENO_MASK + 1 >= MAX_CALL_FRAMES);
+static_assert(INSN_F_SPI_MASK + 1 >= MAX_BPF_STACK / 8);
+
+struct bpf_jmp_history_entry {
 	u32 idx;
+	/* insn idx can't be bigger than 1 million */
+	u32 prev_idx : 22;
+	/* special flags, e.g., whether insn is doing register stack spill/load */
+	u32 flags : 10;
 };
 
-#define MAX_CALL_FRAMES 8
 /* Maximum number of register states that can exist at once */
 #define BPF_ID_MAP_SIZE ((MAX_BPF_REG + MAX_BPF_STACK / BPF_REG_SIZE) * MAX_CALL_FRAMES)
 struct bpf_verifier_state {
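Review bot: the two static_asserts check that the frame and spi masks are wide enough, but nothing asserts that the packed layout itself is consistent: that the spi field shifted by INSN_F_SPI_SHIFT does not overlap INSN_F_STACK_ACCESS, and that BIT(9) fits the 10-bit `flags` bitfield declared below. Adding e.g. `static_assert((INSN_F_SPI_MASK << INSN_F_SPI_SHIFT) < INSN_F_STACK_ACCESS);` next to the existing ones documents the bit budget the comment describes and catches a future widening of either field.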
@@ -407,7 +429,7 @@ struct bpf_verifier_state {
 	 * For most states jmp_history_cnt is [0-3].
 	 * For loops can go up to ~40.
 	 */
-	struct bpf_idx_pair *jmp_history;
+	struct bpf_jmp_history_entry *jmp_history;
 	u32 jmp_history_cnt;
 	u32 dfs_depth;
 	u32 callback_unroll_depth;
@@ -641,6 +663,7 @@ struct bpf_verifier_env {
 		int cur_stack;
 	} cfg;
 	struct backtrack_state bt;
+	struct bpf_jmp_history_entry *cur_hist_ent;
 	u32 pass_cnt; /* number of times do_check() was called */
 	u32 subprog_cnt;
 	/* number of instructions analyzed by the verifier */
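Review bot: `cur_hist_ent` points into `cur_state->jmp_history`, which push_jmp_history() grows with krealloc(), so the pointer is valid only until that array is reallocated or `cur_state` changes. The changelog says it is reset to NULL at the top of each instruction in the verification loop; a comment on the field stating that lifetime rule (reset per instruction, never carried across state switches) would keep the next change to jmp_history handling from dereferencing a stale entry.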
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 45eb795c8c045..e44da369dff63 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1763,8 +1763,8 @@ static int copy_verifier_state(struct bpf_verifier_state *dst_state,
 	int i, err;
 
 	dst_state->jmp_history = copy_array(dst_state->jmp_history, src->jmp_history,
-					    src->jmp_history_cnt, sizeof(struct bpf_idx_pair),
-					    GFP_USER);
+					  src->jmp_history_cnt, sizeof(*dst_state->jmp_history),
+					  GFP_USER);
 	if (!dst_state->jmp_history)
 		return -ENOMEM;
 	dst_state->jmp_history_cnt = src->jmp_history_cnt;
@@ -3418,6 +3418,21 @@ static int check_reg_arg(struct bpf_verifier_env *env, u32 regno,
 	return __check_reg_arg(env, state->regs, regno, t);
 }
 
+static int insn_stack_access_flags(int frameno, int spi)
+{
+	return INSN_F_STACK_ACCESS | (spi << INSN_F_SPI_SHIFT) | frameno;
+}
+
+static int insn_stack_access_spi(int insn_flags)
+{
+	return (insn_flags >> INSN_F_SPI_SHIFT) & INSN_F_SPI_MASK;
+}
+
+static int insn_stack_access_frameno(int insn_flags)
+{
+	return insn_flags & INSN_F_FRAMENO_MASK;
+}
+
 static void mark_jmp_point(struct bpf_verifier_env *env, int idx)
 {
 	env->insn_aux_data[idx].jmp_point = true;
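Review bot: insn_stack_access_flags() does not mask its inputs, so a `spi` above 63 or a `frameno` above 7 would silently spill into the neighbouring field or into the INSN_F_STACK_ACCESS bit. Callers are presumably range-checked, but since the value is later stored into a 10-bit bitfield, encoding with `(spi & INSN_F_SPI_MASK) << INSN_F_SPI_SHIFT | (frameno & INSN_F_FRAMENO_MASK)` and a WARN_ON_ONCE on out-of-range input makes the encoder match its decoders and fail loudly instead of corrupting history.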
@@ -3429,28 +3444,51 @@ static bool is_jmp_point(struct bpf_verifier_env *env, int insn_idx)
 }
 
 /* for any branch, call, exit record the history of jmps in the given state */
-static int push_jmp_history(struct bpf_verifier_env *env,
-			    struct bpf_verifier_state *cur)
+static int push_jmp_history(struct bpf_verifier_env *env, struct bpf_verifier_state *cur,
+			    int insn_flags)
 {
 	u32 cnt = cur->jmp_history_cnt;
-	struct bpf_idx_pair *p;
+	struct bpf_jmp_history_entry *p;
 	size_t alloc_size;
 
-	if (!is_jmp_point(env, env->insn_idx))
+	/* combine instruction flags if we already recorded this instruction */
+	if (env->cur_hist_ent) {
+		/* atomic instructions push insn_flags twice, for READ and
+		 * WRITE sides, but they should agree on stack slot
+		 */
+		WARN_ONCE((env->cur_hist_ent->flags & insn_flags) &&
+			  (env->cur_hist_ent->flags & insn_flags) != insn_flags,
+			  "verifier insn history bug: insn_idx %d cur flags %x new flags %x\n",
+			  env->insn_idx, env->cur_hist_ent->flags, insn_flags);
+		env->cur_hist_ent->flags |= insn_flags;
 		return 0;
+	}
 
 	cnt++;
 	alloc_size = kmalloc_size_roundup(size_mul(cnt, sizeof(*p)));
 	p = krealloc(cur->jmp_history, alloc_size, GFP_USER);
 	if (!p)
 		return -ENOMEM;
-	p[cnt - 1].idx = env->insn_idx;
-	p[cnt - 1].prev_idx = env->prev_insn_idx;
 	cur->jmp_history = p;
+
+	p = &cur->jmp_history[cnt - 1];
+	p->idx = env->insn_idx;
+	p->prev_idx = env->prev_insn_idx;
+	p->flags = insn_flags;
 	cur->jmp_history_cnt = cnt;
+	env->cur_hist_ent = p;
+
 	return 0;
 }
 
+static struct bpf_jmp_history_entry *get_jmp_hist_entry(struct bpf_verifier_state *st,
+						        u32 hist_end, int insn_idx)
+{
+	if (hist_end > 0 && st->jmp_history[hist_end - 1].idx == insn_idx)
+		return &st->jmp_history[hist_end - 1];
+	return NULL;
+}
+
 /* Backtrack one insn at a time. If idx is not at the top of recorded
  * history then previous instruction came from straight line execution.
  * Return -ENOENT if we exhausted all instructions within given state.
@@ -3612,9 +3650,14 @@ static inline bool bt_is_reg_set(struct backtrack_state *bt, u32 reg)
 	return bt->reg_masks[bt->frame] & (1 << reg);
 }
 
+static inline bool bt_is_frame_slot_set(struct backtrack_state *bt, u32 frame, u32 slot)
+{
+	return bt->stack_masks[frame] & (1ull << slot);
+}
+
 static inline bool bt_is_slot_set(struct backtrack_state *bt, u32 slot)
 {
-	return bt->stack_masks[bt->frame] & (1ull << slot);
+	return bt_is_frame_slot_set(bt, bt->frame, slot);
 }
 
 /* format registers bitmask, e.g., "r0,r2,r4" for 0x15 mask */
@@ -3668,7 +3711,7 @@ static bool calls_callback(struct bpf_verifier_env *env, int insn_idx);
  *   - *was* processed previously during backtracking.
  */
 static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx,
-			  struct backtrack_state *bt)
+			  struct bpf_jmp_history_entry *hist, struct backtrack_state *bt)
 {
 	const struct bpf_insn_cbs cbs = {
 		.cb_call	= disasm_kfunc_name,
@@ -3681,7 +3724,7 @@ static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx,
 	u8 mode = BPF_MODE(insn->code);
 	u32 dreg = insn->dst_reg;
 	u32 sreg = insn->src_reg;
-	u32 spi, i;
+	u32 spi, i, fr;
 
 	if (insn->code == 0)
 		return 0;
@@ -3744,20 +3787,15 @@ static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx,
 		 * by 'precise' mark in corresponding register of this state.
 		 * No further tracking necessary.
 		 */
-		if (insn->src_reg != BPF_REG_FP)
+		if (!hist || !(hist->flags & INSN_F_STACK_ACCESS))
 			return 0;
-
 		/* dreg = *(u64 *)[fp - off] was a fill from the stack.
 		 * that [fp - off] slot contains scalar that needs to be
 		 * tracked with precision
 		 */
-		spi = (-insn->off - 1) / BPF_REG_SIZE;
-		if (spi >= 64) {
-			verbose(env, "BUG spi %d\n", spi);
-			WARN_ONCE(1, "verifier backtracking bug");
-			return -EFAULT;
-		}
-		bt_set_slot(bt, spi);
+		spi = insn_stack_access_spi(hist->flags);
+		fr = insn_stack_access_frameno(hist->flags);
+		bt_set_frame_slot(bt, fr, spi);
 	} else if (class == BPF_STX || class == BPF_ST) {
 		if (bt_is_reg_set(bt, dreg))
 			/* stx & st shouldn't be using _scalar_ dst_reg
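Review bot: the comment "dreg = *(u64 *)[fp - off] was a fill from the stack" is now stale: the base register is no longer required to be BPF_REG_FP, the slot comes from `hist->flags` and can be any PTR_TO_STACK register, so the comment should say so. The removed `spi >= 64` sanity check is now implicit in insn_stack_access_spi() masking with the 6-bit INSN_F_SPI_MASK, which is fine, but `fr` from insn_stack_access_frameno() is passed to bt_set_frame_slot() unchecked; if a bound on the frame number is expected there, a WARN_ONCE like the one removed would preserve the old defensive behaviour.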
@@ -3766,17 +3804,13 @@ static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx,
 			 */
 			return -ENOTSUPP;
 		/* scalars can only be spilled into stack */
-		if (insn->dst_reg != BPF_REG_FP)
+		if (!hist || !(hist->flags & INSN_F_STACK_ACCESS))
 			return 0;
-		spi = (-insn->off - 1) / BPF_REG_SIZE;
-		if (spi >= 64) {
-			verbose(env, "BUG spi %d\n", spi);
-			WARN_ONCE(1, "verifier backtracking bug");
-			return -EFAULT;
-		}
-		if (!bt_is_slot_set(bt, spi))
+		spi = insn_stack_access_spi(hist->flags);
+		fr = insn_stack_access_frameno(hist->flags);
+		if (!bt_is_frame_slot_set(bt, fr, spi))
 			return 0;
-		bt_clear_slot(bt, spi);
+		bt_clear_frame_slot(bt, fr, spi);
 		if (class == BPF_STX)
 			bt_set_reg(bt, sreg);
 	} else if (class == BPF_JMP || class == BPF_JMP32) {
@@ -3820,10 +3854,14 @@ static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx,
 					WARN_ONCE(1, "verifier backtracking bug");
 					return -EFAULT;
 				}
-				/* we don't track register spills perfectly,
-				 * so fallback to force-precise instead of failing */
-				if (bt_stack_mask(bt) != 0)
-					return -ENOTSUPP;
+				/* we are now tracking register spills correctly,
+				 * so any instance of leftover slots is a bug
+				 */
+				if (bt_stack_mask(bt) != 0) {
+					verbose(env, "BUG stack slots %llx\n", bt_stack_mask(bt));
+					WARN_ONCE(1, "verifier backtracking bug (subprog leftover stack slots)");
+					return -EFAULT;
+				}
 				/* propagate r1-r5 to the caller */
 				for (i = BPF_REG_1; i <= BPF_REG_5; i++) {
 					if (bt_is_reg_set(bt, i)) {
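Review bot: turning `return -ENOTSUPP` into WARN_ONCE plus `return -EFAULT` at the `bt_stack_mask(bt) != 0` check converts a conservative fallback (mark all scalars precise) into a hard verification failure; for a stable backport, please confirm that the selftests covering subprog spills and non-r10 stack access ship in the same series, so that any remaining leftover-slot case shows up as a test failure rather than as rejected programs in the field.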
@@ -3848,8 +3886,11 @@ static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx,
 				WARN_ONCE(1, "verifier backtracking bug");
 				return -EFAULT;
 			}
-			if (bt_stack_mask(bt) != 0)
-				return -ENOTSUPP;
+			if (bt_stack_mask(bt) != 0) {
+				verbose(env, "BUG stack slots %llx\n", bt_stack_mask(bt));
+				WARN_ONCE(1, "verifier backtracking bug (callback leftover stack slots)");
+				return -EFAULT;
+			}
 			/* clear r1-r5 in callback subprog's mask */
 			for (i = BPF_REG_1; i <= BPF_REG_5; i++)
 				bt_clear_reg(bt, i);
@@ -4286,6 +4327,7 @@ static int __mark_chain_precision(struct bpf_verifier_env *env, int regno)
 	for (;;) {
 		DECLARE_BITMAP(mask, 64);
 		u32 history = st->jmp_history_cnt;
+		struct bpf_jmp_history_entry *hist;
 
 		if (env->log.level & BPF_LOG_LEVEL2) {
 			verbose(env, "mark_precise: frame%d: last_idx %d first_idx %d subseq_idx %d \n",
@@ -4349,7 +4391,8 @@ static int __mark_chain_precision(struct bpf_verifier_env *env, int regno)
 				err = 0;
 				skip_first = false;
 			} else {
-				err = backtrack_insn(env, i, subseq_idx, bt);
+				hist = get_jmp_hist_entry(st, history, i);
+				err = backtrack_insn(env, i, subseq_idx, hist, bt);
 			}
 			if (err == -ENOTSUPP) {
 				mark_all_scalars_precise(env, env->cur_state);
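Review bot: `hist = get_jmp_hist_entry(st, history, i)` can yield NULL for instructions that pushed no history entry, so backtrack_insn() must tolerate it; the STX/ST branch checks `!hist`, but the LDX branch in this patch calls `insn_stack_access_spi(hist->flags)` directly, so please confirm that path is guarded the same way or document why it is only reachable with an entry present.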
@@ -4402,22 +4445,10 @@ static int __mark_chain_precision(struct bpf_verifier_env *env, int regno)
 			bitmap_from_u64(mask, bt_frame_stack_mask(bt, fr));
 			for_each_set_bit(i, mask, 64) {
 				if (i >= func->allocated_stack / BPF_REG_SIZE) {
-					/* the sequence of instructions:
-					 * 2: (bf) r3 = r10
-					 * 3: (7b) *(u64 *)(r3 -8) = r0
-					 * 4: (79) r4 = *(u64 *)(r10 -8)
-					 * doesn't contain jmps. It's backtracked
-					 * as a single block.
-					 * During backtracking insn 3 is not recognized as
-					 * stack access, so at the end of backtracking
-					 * stack slot fp-8 is still marked in stack_mask.
-					 * However the parent state may not have accessed
-					 * fp-8 and it's "unallocated" stack space.
-					 * In such case fallback to conservative.
-					 */
-					mark_all_scalars_precise(env, env->cur_state);
-					bt_reset(bt);
-					return 0;
+					verbose(env, "BUG backtracking (stack slot %d, total slots %d)\n",
+						i, func->allocated_stack / BPF_REG_SIZE);
+					WARN_ONCE(1, "verifier backtracking bug (stack slot out of bounds)");
+					return -EFAULT;
 				}
 
 				if (!is_spilled_scalar_reg(&func->stack[i])) {
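Review bot: the removed comment at the `i >= func->allocated_stack / BPF_REG_SIZE` check documented the concrete instruction sequence that used to leave fp-8 in stack_mask, whereas the new WARN_ONCE("verifier backtracking bug (stack slot out of bounds)") gives no such pointer; a one-line comment stating that non-r10 spills are now recorded in the instruction history, so reaching this branch means a history entry was lost, would help whoever hits the warning.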
@@ -4582,7 +4613,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
 	int i, slot = -off - 1, spi = slot / BPF_REG_SIZE, err;
 	struct bpf_insn *insn = &env->prog->insnsi[insn_idx];
 	struct bpf_reg_state *reg = NULL;
-	u32 dst_reg = insn->dst_reg;
+	int insn_flags = insn_stack_access_flags(state->frameno, spi);
 
 	/* caller checked that off % size == 0 and -MAX_BPF_STACK <= off < 0,
 	 * so it's aligned access and [off, off + size) are within stack limits
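Review bot: `insn_flags = insn_stack_access_flags(state->frameno, spi)` is computed for every stack write and then zeroed again in the non-spill branches (`insn_flags = 0; /* not a register spill */`); setting it only in the register-spill branch would read more clearly, or else a comment at the declaration should say why the default is "record" and the exceptions opt out.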
@@ -4621,17 +4652,6 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
 	mark_stack_slot_scratched(env, spi);
 	if (reg && !(off % BPF_REG_SIZE) && register_is_bounded(reg) &&
 	    !register_is_null(reg) && env->bpf_capable) {
-		if (dst_reg != BPF_REG_FP) {
-			/* The backtracking logic can only recognize explicit
-			 * stack slot address like [fp - 8]. Other spill of
-			 * scalar via different register has to be conservative.
-			 * Backtrack from here and mark all registers as precise
-			 * that contributed into 'reg' being a constant.
-			 */
-			err = mark_chain_precision(env, value_regno);
-			if (err)
-				return err;
-		}
 		save_register_state(state, spi, reg, size);
 		/* Break the relation on a narrowing spill. */
 		if (fls64(reg->umax_value) > BITS_PER_BYTE * size)
@@ -4643,6 +4663,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
 		__mark_reg_known(&fake_reg, insn->imm);
 		fake_reg.type = SCALAR_VALUE;
 		save_register_state(state, spi, &fake_reg, size);
+		insn_flags = 0; /* not a register spill */
 	} else if (reg && is_spillable_regtype(reg->type)) {
 		/* register containing pointer is being spilled into stack */
 		if (size != BPF_REG_SIZE) {
@@ -4688,9 +4709,12 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
 
 		/* Mark slots affected by this stack write. */
 		for (i = 0; i < size; i++)
-			state->stack[spi].slot_type[(slot - i) % BPF_REG_SIZE] =
-				type;
+			state->stack[spi].slot_type[(slot - i) % BPF_REG_SIZE] = type;
+		insn_flags = 0; /* not a register spill */
 	}
+
+	if (insn_flags)
+		return push_jmp_history(env, env->cur_state, insn_flags);
 	return 0;
 }
 
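Review bot: with `return push_jmp_history(env, env->cur_state, insn_flags)` at the end of check_stack_write_fixed_off(), an instruction that is also a jump point gets push_jmp_history() called twice (once with flags 0 from do_check(), once here with the stack-access flags); this relies on push_jmp_history() reusing env->cur_hist_ent for the same instruction, which do_check() resets per instruction, so a short comment at this call site should make that dependency explicit.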
@@ -4879,6 +4903,7 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env,
 	int i, slot = -off - 1, spi = slot / BPF_REG_SIZE;
 	struct bpf_reg_state *reg;
 	u8 *stype, type;
+	int insn_flags = insn_stack_access_flags(reg_state->frameno, spi);
 
 	stype = reg_state->stack[spi].slot_type;
 	reg = &reg_state->stack[spi].spilled_ptr;
@@ -4924,12 +4949,10 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env,
 					return -EACCES;
 				}
 				mark_reg_unknown(env, state->regs, dst_regno);
+				insn_flags = 0; /* not restoring original register state */
 			}
 			state->regs[dst_regno].live |= REG_LIVE_WRITTEN;
-			return 0;
-		}
-
-		if (dst_regno >= 0) {
+		} else if (dst_regno >= 0) {
 			/* restore register state from stack */
 			copy_register_state(&state->regs[dst_regno], reg);
 			/* mark reg as written since spilled pointer state likely
@@ -4965,7 +4988,10 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env,
 		mark_reg_read(env, reg, reg->parent, REG_LIVE_READ64);
 		if (dst_regno >= 0)
 			mark_reg_stack_read(env, reg_state, off, off + size, dst_regno);
+		insn_flags = 0; /* we are not restoring spilled register */
 	}
+	if (insn_flags)
+		return push_jmp_history(env, env->cur_state, insn_flags);
 	return 0;
 }
 
@@ -7050,7 +7076,6 @@ static int check_atomic(struct bpf_verifier_env *env, int insn_idx, struct bpf_i
 			       BPF_SIZE(insn->code), BPF_WRITE, -1, true, false);
 	if (err)
 		return err;
-
 	return 0;
 }
 
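Review bot: the only change in this hunk is the removal of a blank line in check_atomic(), which is unrelated to the precision-tracking work; drop it to keep the backport minimal.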
@@ -16845,7 +16870,8 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)
 			 * the precision needs to be propagated back in
 			 * the current state.
 			 */
-			err = err ? : push_jmp_history(env, cur);
+			if (is_jmp_point(env, env->insn_idx))
+				err = err ? : push_jmp_history(env, cur, 0);
 			err = err ? : propagate_precision(env, &sl->state);
 			if (err)
 				return err;
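Review bot: guarding the history push with `is_jmp_point(env, env->insn_idx)` changes behaviour for equivalence hits at non-jump-point instructions, which previously always got an entry before propagate_precision(); the commit log should state why that entry is no longer needed, because a reader of this hunk alone cannot tell whether propagate_precision() still expects one.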
@@ -17069,6 +17095,9 @@ static int do_check(struct bpf_verifier_env *env)
 		u8 class;
 		int err;
 
+		/* reset current history entry on each new instruction */
+		env->cur_hist_ent = NULL;
+
 		env->prev_insn_idx = prev_insn_idx;
 		if (env->insn_idx >= insn_cnt) {
 			verbose(env, "invalid insn idx %d insn_cnt %d\n",
@@ -17108,7 +17137,7 @@ static int do_check(struct bpf_verifier_env *env)
 		}
 
 		if (is_jmp_point(env, env->insn_idx)) {
-			err = push_jmp_history(env, state);
+			err = push_jmp_history(env, state, 0);
 			if (err)
 				return err;
 		}
diff --git a/tools/testing/selftests/bpf/progs/verifier_subprog_precision.c b/tools/testing/selftests/bpf/progs/verifier_subprog_precision.c
index f61d623b1ce8d..7c159b5618624 100644
--- a/tools/testing/selftests/bpf/progs/verifier_subprog_precision.c
+++ b/tools/testing/selftests/bpf/progs/verifier_subprog_precision.c
@@ -541,11 +541,24 @@ static __u64 subprog_spill_reg_precise(void)
 
 SEC("?raw_tp")
 __success __log_level(2)
-/* precision backtracking can't currently handle stack access not through r10,
- * so we won't be able to mark stack slot fp-8 as precise, and so will
- * fallback to forcing all as precise
- */
-__msg("mark_precise: frame0: falling back to forcing all scalars precise")
+__msg("10: (0f) r1 += r7")
+__msg("mark_precise: frame0: last_idx 10 first_idx 7 subseq_idx -1")
+__msg("mark_precise: frame0: regs=r7 stack= before 9: (bf) r1 = r8")
+__msg("mark_precise: frame0: regs=r7 stack= before 8: (27) r7 *= 4")
+__msg("mark_precise: frame0: regs=r7 stack= before 7: (79) r7 = *(u64 *)(r10 -8)")
+__msg("mark_precise: frame0: parent state regs= stack=-8:  R0_w=2 R6_w=1 R8_rw=map_value(off=0,ks=4,vs=16,imm=0) R10=fp0 fp-8_rw=P1")
+__msg("mark_precise: frame0: last_idx 18 first_idx 0 subseq_idx 7")
+__msg("mark_precise: frame0: regs= stack=-8 before 18: (95) exit")
+__msg("mark_precise: frame1: regs= stack= before 17: (0f) r0 += r2")
+__msg("mark_precise: frame1: regs= stack= before 16: (79) r2 = *(u64 *)(r1 +0)")
+__msg("mark_precise: frame1: regs= stack= before 15: (79) r0 = *(u64 *)(r10 -16)")
+__msg("mark_precise: frame1: regs= stack= before 14: (7b) *(u64 *)(r10 -16) = r2")
+__msg("mark_precise: frame1: regs= stack= before 13: (7b) *(u64 *)(r1 +0) = r2")
+__msg("mark_precise: frame1: regs=r2 stack= before 6: (85) call pc+6")
+__msg("mark_precise: frame0: regs=r2 stack= before 5: (bf) r2 = r6")
+__msg("mark_precise: frame0: regs=r6 stack= before 4: (07) r1 += -8")
+__msg("mark_precise: frame0: regs=r6 stack= before 3: (bf) r1 = r10")
+__msg("mark_precise: frame0: regs=r6 stack= before 2: (b7) r6 = 1")
 __naked int subprog_spill_into_parent_stack_slot_precise(void)
 {
 	asm volatile (
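Review bot: the removed comment explained what the test expected (the fallback to forcing all scalars precise), but the new `__msg` list carries no explanation of what is now verified; a short comment that the r1-based store in frame1 (`before 13: (7b) *(u64 *)(r1 +0) = r2`) is tracked as `stack=-8` in frame0 and propagated all the way back to `before 2: (b7) r6 = 1` would keep the test self-describing.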
diff --git a/tools/testing/selftests/bpf/verifier/precise.c b/tools/testing/selftests/bpf/verifier/precise.c
index 0d84dd1f38b6b..8a2ff81d83508 100644
--- a/tools/testing/selftests/bpf/verifier/precise.c
+++ b/tools/testing/selftests/bpf/verifier/precise.c
@@ -140,10 +140,11 @@
 	.result = REJECT,
 },
 {
-	"precise: ST insn causing spi > allocated_stack",
+	"precise: ST zero to stack insn is supported",
 	.insns = {
 	BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
 	BPF_JMP_IMM(BPF_JNE, BPF_REG_3, 123, 0),
+	/* not a register spill, so we stop precision propagation for R4 here */
 	BPF_ST_MEM(BPF_DW, BPF_REG_3, -8, 0),
 	BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
 	BPF_MOV64_IMM(BPF_REG_0, -1),
@@ -157,11 +158,11 @@
 	mark_precise: frame0: last_idx 4 first_idx 2\
 	mark_precise: frame0: regs=r4 stack= before 4\
 	mark_precise: frame0: regs=r4 stack= before 3\
-	mark_precise: frame0: regs= stack=-8 before 2\
-	mark_precise: frame0: falling back to forcing all scalars precise\
-	force_precise: frame0: forcing r0 to be precise\
 	mark_precise: frame0: last_idx 5 first_idx 5\
-	mark_precise: frame0: parent state regs= stack=:",
+	mark_precise: frame0: parent state regs=r0 stack=:\
+	mark_precise: frame0: last_idx 4 first_idx 2\
+	mark_precise: frame0: regs=r0 stack= before 4\
+	5: R0=-1 R4=0",
 	.result = VERBOSE_ACCEPT,
 	.retval = -1,
 },
@@ -169,6 +170,8 @@
 	"precise: STX insn causing spi > allocated_stack",
 	.insns = {
 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32),
+	/* make later reg spill more interesting by having somewhat known scalar */
+	BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
 	BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
 	BPF_JMP_IMM(BPF_JNE, BPF_REG_3, 123, 0),
 	BPF_STX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, -8),
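Review bot: the sibling test was renamed from "precise: ST insn causing spi > allocated_stack" to "precise: ST zero to stack insn is supported", but "precise: STX insn causing spi > allocated_stack" keeps its old name even though, per the updated errstr, the r3-based spill is now tracked (`before 4: (7b) *(u64 *)(r3 -8) = r0`) instead of triggering the fallback; rename it for consistency.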
@@ -179,18 +182,21 @@
 	},
 	.prog_type = BPF_PROG_TYPE_XDP,
 	.flags = BPF_F_TEST_STATE_FREQ,
-	.errstr = "mark_precise: frame0: last_idx 6 first_idx 6\
+	.errstr = "mark_precise: frame0: last_idx 7 first_idx 7\
 	mark_precise: frame0: parent state regs=r4 stack=:\
-	mark_precise: frame0: last_idx 5 first_idx 3\
-	mark_precise: frame0: regs=r4 stack= before 5\
-	mark_precise: frame0: regs=r4 stack= before 4\
-	mark_precise: frame0: regs= stack=-8 before 3\
-	mark_precise: frame0: falling back to forcing all scalars precise\
-	force_precise: frame0: forcing r0 to be precise\
-	force_precise: frame0: forcing r0 to be precise\
-	force_precise: frame0: forcing r0 to be precise\
-	force_precise: frame0: forcing r0 to be precise\
-	mark_precise: frame0: last_idx 6 first_idx 6\
+	mark_precise: frame0: last_idx 6 first_idx 4\
+	mark_precise: frame0: regs=r4 stack= before 6: (b7) r0 = -1\
+	mark_precise: frame0: regs=r4 stack= before 5: (79) r4 = *(u64 *)(r10 -8)\
+	mark_precise: frame0: regs= stack=-8 before 4: (7b) *(u64 *)(r3 -8) = r0\
+	mark_precise: frame0: parent state regs=r0 stack=:\
+	mark_precise: frame0: last_idx 3 first_idx 3\
+	mark_precise: frame0: regs=r0 stack= before 3: (55) if r3 != 0x7b goto pc+0\
+	mark_precise: frame0: regs=r0 stack= before 2: (bf) r3 = r10\
+	mark_precise: frame0: regs=r0 stack= before 1: (57) r0 &= 255\
+	mark_precise: frame0: parent state regs=r0 stack=:\
+	mark_precise: frame0: last_idx 0 first_idx 0\
+	mark_precise: frame0: regs=r0 stack= before 0: (85) call bpf_get_prandom_u32#7\
+	mark_precise: frame0: last_idx 7 first_idx 7\
 	mark_precise: frame0: parent state regs= stack=:",
 	.result = VERBOSE_ACCEPT,
 	.retval = -1,
-- 
2.53.0

* [PATCH 6.6 173/474] selftests/bpf: add stack access precision test
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eduard Zingerman, Andrii Nakryiko,
	Alexei Starovoitov, Paul Chaignon, Shung-Hsi Yu, Daniel Borkmann,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andrii Nakryiko <andrii@kernel.org>

[ Upstream commit 876301881c436bf38e83a2c0d276a24b642e4aab ]

Add a new selftest that validates precision tracking for stack access
instructions, using both r10-based and non-r10-based accesses. For
non-r10 ones we also make sure to have a non-zero var_off to validate that
the final stack offset is tracked properly in the instruction history
information inside the verifier.

Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/r/20231205184248.1502704-3-andrii@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../bpf/progs/verifier_subprog_precision.c    | 64 +++++++++++++++++--
 1 file changed, 59 insertions(+), 5 deletions(-)

diff --git a/tools/testing/selftests/bpf/progs/verifier_subprog_precision.c b/tools/testing/selftests/bpf/progs/verifier_subprog_precision.c
index 7c159b5618624..4b8b0f45d17d7 100644
--- a/tools/testing/selftests/bpf/progs/verifier_subprog_precision.c
+++ b/tools/testing/selftests/bpf/progs/verifier_subprog_precision.c
@@ -593,14 +593,68 @@ __naked int subprog_spill_into_parent_stack_slot_precise(void)
 	);
 }
 
-__naked __noinline __used
-static __u64 subprog_with_checkpoint(void)
+SEC("?raw_tp")
+__success __log_level(2)
+__msg("17: (0f) r1 += r0")
+__msg("mark_precise: frame0: last_idx 17 first_idx 0 subseq_idx -1")
+__msg("mark_precise: frame0: regs=r0 stack= before 16: (bf) r1 = r7")
+__msg("mark_precise: frame0: regs=r0 stack= before 15: (27) r0 *= 4")
+__msg("mark_precise: frame0: regs=r0 stack= before 14: (79) r0 = *(u64 *)(r10 -16)")
+__msg("mark_precise: frame0: regs= stack=-16 before 13: (7b) *(u64 *)(r7 -8) = r0")
+__msg("mark_precise: frame0: regs=r0 stack= before 12: (79) r0 = *(u64 *)(r8 +16)")
+__msg("mark_precise: frame0: regs= stack=-16 before 11: (7b) *(u64 *)(r8 +16) = r0")
+__msg("mark_precise: frame0: regs=r0 stack= before 10: (79) r0 = *(u64 *)(r7 -8)")
+__msg("mark_precise: frame0: regs= stack=-16 before 9: (7b) *(u64 *)(r10 -16) = r0")
+__msg("mark_precise: frame0: regs=r0 stack= before 8: (07) r8 += -32")
+__msg("mark_precise: frame0: regs=r0 stack= before 7: (bf) r8 = r10")
+__msg("mark_precise: frame0: regs=r0 stack= before 6: (07) r7 += -8")
+__msg("mark_precise: frame0: regs=r0 stack= before 5: (bf) r7 = r10")
+__msg("mark_precise: frame0: regs=r0 stack= before 21: (95) exit")
+__msg("mark_precise: frame1: regs=r0 stack= before 20: (bf) r0 = r1")
+__msg("mark_precise: frame1: regs=r1 stack= before 4: (85) call pc+15")
+__msg("mark_precise: frame0: regs=r1 stack= before 3: (bf) r1 = r6")
+__msg("mark_precise: frame0: regs=r6 stack= before 2: (b7) r6 = 1")
+__naked int stack_slot_aliases_precision(void)
 {
 	asm volatile (
-		"r0 = 0;"
-		/* guaranteed checkpoint if BPF_F_TEST_STATE_FREQ is used */
-		"goto +0;"
+		"r6 = 1;"
+		/* pass r6 through r1 into subprog to get it back as r0;
+		 * this whole chain will have to be marked as precise later
+		 */
+		"r1 = r6;"
+		"call identity_subprog;"
+		/* let's setup two registers that are aliased to r10 */
+		"r7 = r10;"
+		"r7 += -8;"			/* r7 = r10 - 8 */
+		"r8 = r10;"
+		"r8 += -32;"			/* r8 = r10 - 32 */
+		/* now spill subprog's return value (a r6 -> r1 -> r0 chain)
+		 * a few times through different stack pointer regs, making
+		 * sure to use r10, r7, and r8 both in LDX and STX insns, and
+		 * *importantly* also using a combination of const var_off and
+		 * insn->off to validate that we record final stack slot
+		 * correctly, instead of relying on just insn->off derivation,
+		 * which is only valid for r10-based stack offset
+		 */
+		"*(u64 *)(r10 - 16) = r0;"
+		"r0 = *(u64 *)(r7 - 8);"	/* r7 - 8 == r10 - 16 */
+		"*(u64 *)(r8 + 16) = r0;"	/* r8 + 16 = r10 - 16 */
+		"r0 = *(u64 *)(r8 + 16);"
+		"*(u64 *)(r7 - 8) = r0;"
+		"r0 = *(u64 *)(r10 - 16);"
+		/* get ready to use r0 as an index into array to force precision */
+		"r0 *= 4;"
+		"r1 = %[vals];"
+		/* here r0->r1->r6 chain is forced to be precise and has to be
+		 * propagated back to the beginning, including through the
+		 * subprog call and all the stack spills and loads
+		 */
+		"r1 += r0;"
+		"r0 = *(u32 *)(r1 + 0);"
 		"exit;"
+		:
+		: __imm_ptr(vals)
+		: __clobber_common, "r6"
 	);
 }
 
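Review bot: this hunk deletes the `subprog_with_checkpoint()` helper (`r0 = 0; goto +0; exit;`) while adding stack_slot_aliases_precision(), but the commit log only mentions adding a test; either state the removal and why the helper is no longer needed, or keep the helper in place so the hunk is purely additive.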
-- 
2.53.0

* [PATCH 6.6 174/474] bpf: preserve STACK_ZERO slots on partial reg spills
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eduard Zingerman, Andrii Nakryiko,
	Alexei Starovoitov, Paul Chaignon, Shung-Hsi Yu, Daniel Borkmann,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andrii Nakryiko <andrii@kernel.org>

[ Upstream commit eaf18febd6ebc381aeb61543705148b3e28c7c47 ]

Instead of always forcing STACK_ZERO slots to STACK_MISC, preserve them in
situations where this is possible. E.g., when spilling a register as
1/2/4-byte subslots on the stack, the remaining bytes in the stack
slot do not automatically become unknown. If we knew they contained
zeroes, we can preserve those STACK_ZERO markers.

Add a helper mark_stack_slot_misc(), similar to scrub_spilled_slot(),
but that doesn't overwrite either STACK_INVALID or STACK_ZERO. Note
that we need to take into account the possibility of being in unprivileged
mode, in which case STACK_INVALID is forced to STACK_MISC for correctness,
as treating STACK_INVALID as equivalent to STACK_MISC is only enabled in
privileged mode.

Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/r/20231205184248.1502704-5-andrii@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/bpf/verifier.c | 28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index e44da369dff63..8309504d1660e 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1347,6 +1347,21 @@ static bool is_spilled_scalar_reg(const struct bpf_stack_state *stack)
 	       stack->spilled_ptr.type == SCALAR_VALUE;
 }
 
+/* Mark stack slot as STACK_MISC, unless it is already STACK_INVALID, in which
+ * case they are equivalent, or it's STACK_ZERO, in which case we preserve
+ * more precise STACK_ZERO.
+ * Note, in uprivileged mode leaving STACK_INVALID is wrong, so we take
+ * env->allow_ptr_leaks into account and force STACK_MISC, if necessary.
+ */
+static void mark_stack_slot_misc(struct bpf_verifier_env *env, u8 *stype)
+{
+	if (*stype == STACK_ZERO)
+		return;
+	if (env->allow_ptr_leaks && *stype == STACK_INVALID)
+		return;
+	*stype = STACK_MISC;
+}
+
 static void scrub_spilled_slot(u8 *stype)
 {
 	if (*stype != STACK_INVALID)
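Review bot: typo in the new comment above mark_stack_slot_misc(): "uprivileged" should be "unprivileged". The same comment could also spell out that STACK_ZERO is preserved unconditionally, i.e. regardless of env->allow_ptr_leaks, since the `*stype == STACK_ZERO` check returns before the privilege test and STACK_ZERO is strictly more precise than STACK_MISC.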
@@ -4577,7 +4592,8 @@ static void copy_register_state(struct bpf_reg_state *dst, const struct bpf_reg_
 	dst->live = live;
 }
 
-static void save_register_state(struct bpf_func_state *state,
+static void save_register_state(struct bpf_verifier_env *env,
+				struct bpf_func_state *state,
 				int spi, struct bpf_reg_state *reg,
 				int size)
 {
@@ -4592,7 +4608,7 @@ static void save_register_state(struct bpf_func_state *state,
 
 	/* size < 8 bytes spill */
 	for (; i; i--)
-		scrub_spilled_slot(&state->stack[spi].slot_type[i - 1]);
+		mark_stack_slot_misc(env, &state->stack[spi].slot_type[i - 1]);
 }
 
 static bool is_bpf_st_mem(struct bpf_insn *insn)
@@ -4652,7 +4668,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
 	mark_stack_slot_scratched(env, spi);
 	if (reg && !(off % BPF_REG_SIZE) && register_is_bounded(reg) &&
 	    !register_is_null(reg) && env->bpf_capable) {
-		save_register_state(state, spi, reg, size);
+		save_register_state(env, state, spi, reg, size);
 		/* Break the relation on a narrowing spill. */
 		if (fls64(reg->umax_value) > BITS_PER_BYTE * size)
 			state->stack[spi].spilled_ptr.id = 0;
@@ -4662,7 +4678,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
 
 		__mark_reg_known(&fake_reg, insn->imm);
 		fake_reg.type = SCALAR_VALUE;
-		save_register_state(state, spi, &fake_reg, size);
+		save_register_state(env, state, spi, &fake_reg, size);
 		insn_flags = 0; /* not a register spill */
 	} else if (reg && is_spillable_regtype(reg->type)) {
 		/* register containing pointer is being spilled into stack */
@@ -4675,7 +4691,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
 			verbose(env, "cannot spill pointers to stack into stack frame of the caller\n");
 			return -EINVAL;
 		}
-		save_register_state(state, spi, reg, size);
+		save_register_state(env, state, spi, reg, size);
 	} else {
 		u8 type = STACK_MISC;
 
@@ -4942,6 +4958,8 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env,
 						continue;
 					if (type == STACK_MISC)
 						continue;
+					if (type == STACK_ZERO)
+						continue;
 					if (type == STACK_INVALID && env->allow_uninit_stack)
 						continue;
 					verbose(env, "invalid read from stack off %d+%d size %d\n",
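Review bot: accepting STACK_ZERO in the sub-slot read loop is needed now that partial spills can leave STACK_ZERO bytes behind, but within this hunk the destination register is not visibly refined for an all-zero read; the commit log should mention that the follow-up patch in this series (176/474, "preserve constant zero when doing partial register restore") adds that, since this hunk alone only widens what the read accepts.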
-- 
2.53.0

* [PATCH 6.6 175/474] selftests/bpf: validate STACK_ZERO is preserved on subreg spill
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eduard Zingerman, Andrii Nakryiko,
	Alexei Starovoitov, Paul Chaignon, Shung-Hsi Yu, Daniel Borkmann,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andrii Nakryiko <andrii@kernel.org>

[ Upstream commit b33ceb6a3d2ee07fdd836373383a6d4783581324 ]

Add tests validating that STACK_ZERO slots are preserved when a slot is
partially overwritten with a subregister spill.

Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/r/20231205184248.1502704-6-andrii@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../selftests/bpf/progs/verifier_spill_fill.c | 40 +++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/tools/testing/selftests/bpf/progs/verifier_spill_fill.c b/tools/testing/selftests/bpf/progs/verifier_spill_fill.c
index 6115520154e33..d9dabae811767 100644
--- a/tools/testing/selftests/bpf/progs/verifier_spill_fill.c
+++ b/tools/testing/selftests/bpf/progs/verifier_spill_fill.c
@@ -4,6 +4,7 @@
 #include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>
 #include "bpf_misc.h"
+#include <../../../tools/include/linux/filter.h>
 
 struct {
 	__uint(type, BPF_MAP_TYPE_RINGBUF);
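Review bot: the new include `<../../../tools/include/linux/filter.h>` reaches through the source tree with a relative path, which ties the test to the exact -I layout of the selftests build; if it is only needed for the BPF_ST_MEM() encoding macros used in the `__imm_insn()` operands, say so in a comment, or add the directory to the include path in the Makefile instead of the relative path.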
@@ -450,4 +451,43 @@ l0_%=:	r1 >>= 16;					\
 	: __clobber_all);
 }
 
+SEC("raw_tp")
+__log_level(2)
+__success
+__msg("fp-8=0m??mmmm")
+__msg("fp-16=00mm??mm")
+__msg("fp-24=00mm???m")
+__naked void spill_subregs_preserve_stack_zero(void)
+{
+	asm volatile (
+		"call %[bpf_get_prandom_u32];"
+
+		/* 32-bit subreg spill with ZERO, MISC, and INVALID */
+		".8byte %[fp1_u8_st_zero];"   /* ZERO, LLVM-18+: *(u8 *)(r10 -1) = 0; */
+		"*(u8 *)(r10 -2) = r0;"       /* MISC */
+		/* fp-3 and fp-4 stay INVALID */
+		"*(u32 *)(r10 -8) = r0;"
+
+		/* 16-bit subreg spill with ZERO, MISC, and INVALID */
+		".8byte %[fp10_u16_st_zero];" /* ZERO, LLVM-18+: *(u16 *)(r10 -10) = 0; */
+		"*(u16 *)(r10 -12) = r0;"     /* MISC */
+		/* fp-13 and fp-14 stay INVALID */
+		"*(u16 *)(r10 -16) = r0;"
+
+		/* 8-bit subreg spill with ZERO, MISC, and INVALID */
+		".8byte %[fp18_u16_st_zero];" /* ZERO, LLVM-18+: *(u16 *)(r18 -10) = 0; */
+		"*(u16 *)(r10 -20) = r0;"     /* MISC */
+		/* fp-21, fp-22, and fp-23 stay INVALID */
+		"*(u8 *)(r10 -24) = r0;"
+
+		"r0 = 0;"
+		"exit;"
+	:
+	: __imm(bpf_get_prandom_u32),
+	  __imm_insn(fp1_u8_st_zero, BPF_ST_MEM(BPF_B, BPF_REG_FP, -1, 0)),
+	  __imm_insn(fp10_u16_st_zero, BPF_ST_MEM(BPF_H, BPF_REG_FP, -10, 0)),
+	  __imm_insn(fp18_u16_st_zero, BPF_ST_MEM(BPF_H, BPF_REG_FP, -18, 0))
+	: __clobber_all);
+}
+
 char _license[] SEC("license") = "GPL";
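Review bot: the comment on `.8byte %[fp18_u16_st_zero];` reads `*(u16 *)(r18 -10) = 0`, but the operand is `BPF_ST_MEM(BPF_H, BPF_REG_FP, -18, 0)`, i.e. `*(u16 *)(r10 -18) = 0`; fix the comment so it matches the expected `fp-24=00mm???m` layout (fp-17/fp-18 zero, fp-19/fp-20 misc, fp-21..fp-23 invalid, fp-24 the 8-bit spill).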
-- 
2.53.0

* [PATCH 6.6 176/474] bpf: preserve constant zero when doing partial register restore
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eduard Zingerman, Andrii Nakryiko,
	Alexei Starovoitov, Paul Chaignon, Shung-Hsi Yu, Daniel Borkmann,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andrii Nakryiko <andrii@kernel.org>

[ Upstream commit e322f0bcb8d371f4606eaf141c7f967e1a79bcb7 ]

Similar to the special handling of STACK_ZERO, when reading 1/2/4 bytes from
a stack slot that has a register spilled into it and that register has
a constant value of zero, preserve that zero and mark the spilled register as
precise for that. This makes the spilled const zero register and STACK_ZERO
cases equivalent in their behavior.

Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/r/20231205184248.1502704-7-andrii@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/bpf/verifier.c | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 8309504d1660e..eaeb996ff56a2 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -4952,22 +4952,39 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env,
 				copy_register_state(&state->regs[dst_regno], reg);
 				state->regs[dst_regno].subreg_def = subreg_def;
 			} else {
+				int spill_cnt = 0, zero_cnt = 0;
+
 				for (i = 0; i < size; i++) {
 					type = stype[(slot - i) % BPF_REG_SIZE];
-					if (type == STACK_SPILL)
+					if (type == STACK_SPILL) {
+						spill_cnt++;
 						continue;
+					}
 					if (type == STACK_MISC)
 						continue;
-					if (type == STACK_ZERO)
+					if (type == STACK_ZERO) {
+						zero_cnt++;
 						continue;
+					}
 					if (type == STACK_INVALID && env->allow_uninit_stack)
 						continue;
 					verbose(env, "invalid read from stack off %d+%d size %d\n",
 						off, i, size);
 					return -EACCES;
 				}
-				mark_reg_unknown(env, state->regs, dst_regno);
-				insn_flags = 0; /* not restoring original register state */
+
+				if (spill_cnt == size &&
+				    tnum_is_const(reg->var_off) && reg->var_off.value == 0) {
+					__mark_reg_const_zero(&state->regs[dst_regno]);
+					/* this IS register fill, so keep insn_flags */
+				} else if (zero_cnt == size) {
+					/* similarly to mark_reg_stack_read(), preserve zeroes */
+					__mark_reg_const_zero(&state->regs[dst_regno]);
+					insn_flags = 0; /* not restoring original register state */
+				} else {
+					mark_reg_unknown(env, state->regs, dst_regno);
+					insn_flags = 0; /* not restoring original register state */
+				}
 			}
 			state->regs[dst_regno].live |= REG_LIVE_WRITTEN;
 		} else if (dst_regno >= 0) {
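Review bot: the commit log says the spilled register is marked precise, but the `spill_cnt == size` branch contains no precision call; it only keeps insn_flags set (`/* this IS register fill, so keep insn_flags */`), so the precision presumably arrives later through backtracking of the recorded fill. Either align the log wording with that mechanism or expand the comment so the two agree; as written, a reader expects an explicit mark in this branch.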
-- 
2.53.0

* [PATCH 6.6 177/474] selftests/bpf: validate zero preservation for sub-slot loads
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Andrii Nakryiko, Alexei Starovoitov,
	Paul Chaignon, Shung-Hsi Yu, Daniel Borkmann, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andrii Nakryiko <andrii@kernel.org>

[ Upstream commit add1cd7f22e61756987865ada9fe95cd86569025 ]

Validate that 1-, 2-, and 4-byte loads from stack slots not aligned on
an 8-byte boundary still preserve zero, when loading from all-STACK_ZERO
sub-slots, or when stack sub-slots are covered by a spilled register with
known constant zero value.

Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/r/20231205184248.1502704-8-andrii@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../selftests/bpf/progs/verifier_spill_fill.c | 71 +++++++++++++++++++
 1 file changed, 71 insertions(+)

diff --git a/tools/testing/selftests/bpf/progs/verifier_spill_fill.c b/tools/testing/selftests/bpf/progs/verifier_spill_fill.c
index d9dabae811767..41fd61299eab0 100644
--- a/tools/testing/selftests/bpf/progs/verifier_spill_fill.c
+++ b/tools/testing/selftests/bpf/progs/verifier_spill_fill.c
@@ -490,4 +490,75 @@ __naked void spill_subregs_preserve_stack_zero(void)
 	: __clobber_all);
 }
 
+char single_byte_buf[1] SEC(".data.single_byte_buf");
+
+SEC("raw_tp")
+__log_level(2)
+__success
+__naked void partial_stack_load_preserves_zeros(void)
+{
+	asm volatile (
+		/* fp-8 is all STACK_ZERO */
+		".8byte %[fp8_st_zero];" /* LLVM-18+: *(u64 *)(r10 -8) = 0; */
+
+		/* fp-16 is const zero register */
+		"r0 = 0;"
+		"*(u64 *)(r10 -16) = r0;"
+
+		/* load single U8 from non-aligned STACK_ZERO slot */
+		"r1 = %[single_byte_buf];"
+		"r2 = *(u8 *)(r10 -1);"
+		"r1 += r2;"
+		"*(u8 *)(r1 + 0) = r2;" /* this should be fine */
+
+		/* load single U8 from non-aligned ZERO REG slot */
+		"r1 = %[single_byte_buf];"
+		"r2 = *(u8 *)(r10 -9);"
+		"r1 += r2;"
+		"*(u8 *)(r1 + 0) = r2;" /* this should be fine */
+
+		/* load single U16 from non-aligned STACK_ZERO slot */
+		"r1 = %[single_byte_buf];"
+		"r2 = *(u16 *)(r10 -2);"
+		"r1 += r2;"
+		"*(u8 *)(r1 + 0) = r2;" /* this should be fine */
+
+		/* load single U16 from non-aligned ZERO REG slot */
+		"r1 = %[single_byte_buf];"
+		"r2 = *(u16 *)(r10 -10);"
+		"r1 += r2;"
+		"*(u8 *)(r1 + 0) = r2;" /* this should be fine */
+
+		/* load single U32 from non-aligned STACK_ZERO slot */
+		"r1 = %[single_byte_buf];"
+		"r2 = *(u32 *)(r10 -4);"
+		"r1 += r2;"
+		"*(u8 *)(r1 + 0) = r2;" /* this should be fine */
+
+		/* load single U32 from non-aligned ZERO REG slot */
+		"r1 = %[single_byte_buf];"
+		"r2 = *(u32 *)(r10 -12);"
+		"r1 += r2;"
+		"*(u8 *)(r1 + 0) = r2;" /* this should be fine */
+
+		/* for completeness, load U64 from STACK_ZERO slot */
+		"r1 = %[single_byte_buf];"
+		"r2 = *(u64 *)(r10 -8);"
+		"r1 += r2;"
+		"*(u8 *)(r1 + 0) = r2;" /* this should be fine */
+
+		/* for completeness, load U64 from ZERO REG slot */
+		"r1 = %[single_byte_buf];"
+		"r2 = *(u64 *)(r10 -16);"
+		"r1 += r2;"
+		"*(u8 *)(r1 + 0) = r2;" /* this should be fine */
+
+		"r0 = 0;"
+		"exit;"
+	:
+	: __imm_ptr(single_byte_buf),
+	  __imm_insn(fp8_st_zero, BPF_ST_MEM(BPF_DW, BPF_REG_FP, -8, 0))
+	: __clobber_common);
+}
+
 char _license[] SEC("license") = "GPL";
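Review bot: the repeated `/* this should be fine */` comments hide the actual assertion: single_byte_buf is one byte, so `r1 += r2; *(u8 *)(r1 + 0) = r2;` only passes the verifier if r2 is a known constant zero, otherwise the store is out of bounds. A comment above the asm block stating that the 1-byte buffer is the oracle for "r2 is zero" would make the test self-explanatory. `__log_level(2)` is set without any `__msg()` check, so the verbose log is produced but unused in this patch.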
-- 
2.53.0

* [PATCH 6.6 178/474] bpf: track aligned STACK_ZERO cases as imprecise spilled registers
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (176 preceding siblings ...)
  2026-05-15 15:44 ` [PATCH 6.6 177/474] selftests/bpf: validate zero preservation for sub-slot loads Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
  2026-05-15 15:44 ` [PATCH 6.6 179/474] selftests/bpf: validate precision logic in partial_stack_load_preserves_zeros Greg Kroah-Hartman
                   ` (296 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eduard Zingerman, Andrii Nakryiko,
	Alexei Starovoitov, Paul Chaignon, Shung-Hsi Yu, Daniel Borkmann,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andrii Nakryiko <andrii@kernel.org>

[ Upstream commit 18a433b62061e3d787bfc3e670fa711fecbd7cb4 ]

Now that precision backtracking is supporting register spill/fill to/from
stack, there is another opportunity to be exploited here: minimizing
precise STACK_ZERO cases. With a simple code change we can rely on
initially imprecise register spill tracking for cases when register
spilled to stack was a known zero.

This is a very common case for initializing on-stack variables,
including rather large structures. Oftentimes zero has no special
meaning for the subsequent BPF program logic and is often overwritten
with non-zero values soon afterwards. But due to STACK_ZERO vs
STACK_MISC tracking, such initial zero initialization actually causes
duplication of verifier states as STACK_ZERO is clearly different than
STACK_MISC or spilled SCALAR_VALUE register.

The effect of this (now) trivial change is huge, as can be seen below.
These are differences between BPF selftests, Cilium, and Meta-internal
BPF object files relative to previous patch in this series. You can see
improvements ranging from single-digit percentage improvement for
instructions and states, all the way to 50-60% reduction for some of
Meta-internal host agent programs, and even some Cilium programs.

For Meta-internal ones I left only the differences for largest BPF
object files by states/instructions, as there were too many differences
in the overall output. All the differences were improvements, reducing
number of states and thus instructions validated.

Note, Meta-internal BPF object file names are not printed below.
Many copies of balancer_ingress are actually many different
configurations of Katran, so they are different BPF programs, which
explains state reduction going from -16% all the way to 31%, depending
on BPF program logic complexity.

I also took a closer look at a few small-ish BPF programs to validate
the behavior. Let's take bpf_iter_netlink.bpf.o (first row below).
While it's just 8 vs 5 states, verifier log is still pretty long to
include it here. But the reduction in states is due to the following
piece of C code:

        unsigned long ino;

        ...

        sk = s->sk_socket;
        if (!sk) {
                ino = 0;
        } else {
                inode = SOCK_INODE(sk);
                bpf_probe_read_kernel(&ino, sizeof(ino), &inode->i_ino);
        }
        BPF_SEQ_PRINTF(seq, "%-8u %-8lu\n", s->sk_drops.counter, ino);
        return 0;

You can see that in some situations `ino` is zero-initialized, while in
others it's an unknown value filled out by bpf_probe_read_kernel(). Before
this change, code after the if/else branches has to be validated twice: once
with (precise) ino == 0, due to eager STACK_ZERO logic, and then again
for when ino is just STACK_MISC. But BPF_SEQ_PRINTF() doesn't care about
the precise value of ino, so with the change in this patch the verifier is
able to prune states from after one of the branches, reducing the number of
total states (and instructions) required for successful validation.

Similar principle applies to bigger real-world applications, just at
a much larger scale.

SELFTESTS
=========
File                                     Program                  Insns (A)  Insns (B)  Insns    (DIFF)  States (A)  States (B)  States (DIFF)
---------------------------------------  -----------------------  ---------  ---------  ---------------  ----------  ----------  -------------
bpf_iter_netlink.bpf.linked3.o           dump_netlink                   148        104    -44 (-29.73%)           8           5   -3 (-37.50%)
bpf_iter_unix.bpf.linked3.o              dump_unix                     8474       8404     -70 (-0.83%)         151         147    -4 (-2.65%)
bpf_loop.bpf.linked3.o                   stack_check                    560        324   -236 (-42.14%)          42          24  -18 (-42.86%)
local_storage_bench.bpf.linked3.o        get_local                      120         77    -43 (-35.83%)           9           6   -3 (-33.33%)
loop6.bpf.linked3.o                      trace_virtqueue_add_sgs      10167       9868    -299 (-2.94%)         226         206   -20 (-8.85%)
pyperf600_bpf_loop.bpf.linked3.o         on_event                      4872       3423  -1449 (-29.74%)         322         229  -93 (-28.88%)
strobemeta.bpf.linked3.o                 on_event                    180697     176036   -4661 (-2.58%)        4780        4734   -46 (-0.96%)
test_cls_redirect.bpf.linked3.o          cls_redirect                 65594      65401    -193 (-0.29%)        4230        4212   -18 (-0.43%)
test_global_func_args.bpf.linked3.o      test_cls                       145        136      -9 (-6.21%)          10           9   -1 (-10.00%)
test_l4lb.bpf.linked3.o                  balancer_ingress              4760       2612  -2148 (-45.13%)         113         102   -11 (-9.73%)
test_l4lb_noinline.bpf.linked3.o         balancer_ingress              4845       4877     +32 (+0.66%)         219         221    +2 (+0.91%)
test_l4lb_noinline_dynptr.bpf.linked3.o  balancer_ingress              2072       2087     +15 (+0.72%)          97          98    +1 (+1.03%)
test_seg6_loop.bpf.linked3.o             __add_egr_x                  12440       9975  -2465 (-19.82%)         364         353   -11 (-3.02%)
test_tcp_hdr_options.bpf.linked3.o       estab                         2558       2572     +14 (+0.55%)         179         180    +1 (+0.56%)
test_xdp_dynptr.bpf.linked3.o            _xdp_tx_iptunnel               645        596     -49 (-7.60%)          26          24    -2 (-7.69%)
test_xdp_noinline.bpf.linked3.o          balancer_ingress_v6           3520       3516      -4 (-0.11%)         216         216    +0 (+0.00%)
xdp_synproxy_kern.bpf.linked3.o          syncookie_tc                 82661      81241   -1420 (-1.72%)        5073        5155   +82 (+1.62%)
xdp_synproxy_kern.bpf.linked3.o          syncookie_xdp                84964      82297   -2667 (-3.14%)        5130        5157   +27 (+0.53%)

META-INTERNAL
=============
Program                                 Insns (A)  Insns (B)  Insns      (DIFF)  States (A)  States (B)  States   (DIFF)
--------------------------------------  ---------  ---------  -----------------  ----------  ----------  ---------------
balancer_ingress                            27925      23608    -4317 (-15.46%)        1488        1482      -6 (-0.40%)
balancer_ingress                            31824      27546    -4278 (-13.44%)        1658        1652      -6 (-0.36%)
balancer_ingress                            32213      27935    -4278 (-13.28%)        1689        1683      -6 (-0.36%)
balancer_ingress                            32213      27935    -4278 (-13.28%)        1689        1683      -6 (-0.36%)
balancer_ingress                            31824      27546    -4278 (-13.44%)        1658        1652      -6 (-0.36%)
balancer_ingress                            38647      29562    -9085 (-23.51%)        2069        1835   -234 (-11.31%)
balancer_ingress                            38647      29562    -9085 (-23.51%)        2069        1835   -234 (-11.31%)
balancer_ingress                            40339      30792    -9547 (-23.67%)        2193        1934   -259 (-11.81%)
balancer_ingress                            37321      29055    -8266 (-22.15%)        1972        1795    -177 (-8.98%)
balancer_ingress                            38176      29753    -8423 (-22.06%)        2008        1831    -177 (-8.81%)
balancer_ingress                            29193      20910    -8283 (-28.37%)        1599        1422   -177 (-11.07%)
balancer_ingress                            30013      21452    -8561 (-28.52%)        1645        1447   -198 (-12.04%)
balancer_ingress                            28691      24290    -4401 (-15.34%)        1545        1531     -14 (-0.91%)
balancer_ingress                            34223      28965    -5258 (-15.36%)        1984        1875    -109 (-5.49%)
balancer_ingress                            35481      26158    -9323 (-26.28%)        2095        1806   -289 (-13.79%)
balancer_ingress                            35481      26158    -9323 (-26.28%)        2095        1806   -289 (-13.79%)
balancer_ingress                            35868      26455    -9413 (-26.24%)        2140        1827   -313 (-14.63%)
balancer_ingress                            35868      26455    -9413 (-26.24%)        2140        1827   -313 (-14.63%)
balancer_ingress                            35481      26158    -9323 (-26.28%)        2095        1806   -289 (-13.79%)
balancer_ingress                            35481      26158    -9323 (-26.28%)        2095        1806   -289 (-13.79%)
balancer_ingress                            34844      29485    -5359 (-15.38%)        2036        1918    -118 (-5.80%)
fbflow_egress                                3256       2652     -604 (-18.55%)         218         192    -26 (-11.93%)
fbflow_ingress                               1026        944       -82 (-7.99%)          70          63     -7 (-10.00%)
sslwall_tc_egress                            8424       7360    -1064 (-12.63%)         498         458     -40 (-8.03%)
syar_accept_protect                         15040       9539    -5501 (-36.58%)         364         220   -144 (-39.56%)
syar_connect_tcp_v6                         15036       9535    -5501 (-36.59%)         360         216   -144 (-40.00%)
syar_connect_udp_v4                         15039       9538    -5501 (-36.58%)         361         217   -144 (-39.89%)
syar_connect_connect4_protect4              24805      15833    -8972 (-36.17%)         756         480   -276 (-36.51%)
syar_lsm_file_open                         167772     151813    -15959 (-9.51%)        1836        1667    -169 (-9.20%)
syar_namespace_create_new                   14805       9304    -5501 (-37.16%)         353         209   -144 (-40.79%)
syar_python3_detect                         17531      12030    -5501 (-31.38%)         391         247   -144 (-36.83%)
syar_ssh_post_fork                          16412      10911    -5501 (-33.52%)         405         261   -144 (-35.56%)
syar_enter_execve                           14728       9227    -5501 (-37.35%)         345         201   -144 (-41.74%)
syar_enter_execveat                         14728       9227    -5501 (-37.35%)         345         201   -144 (-41.74%)
syar_exit_execve                            16622      11121    -5501 (-33.09%)         376         232   -144 (-38.30%)
syar_exit_execveat                          16622      11121    -5501 (-33.09%)         376         232   -144 (-38.30%)
syar_syscalls_kill                          15288       9787    -5501 (-35.98%)         398         254   -144 (-36.18%)
syar_task_enter_pivot_root                  14898       9397    -5501 (-36.92%)         357         213   -144 (-40.34%)
syar_syscalls_setreuid                      16678      11177    -5501 (-32.98%)         429         285   -144 (-33.57%)
syar_syscalls_setuid                        16678      11177    -5501 (-32.98%)         429         285   -144 (-33.57%)
syar_syscalls_process_vm_readv              14959       9458    -5501 (-36.77%)         364         220   -144 (-39.56%)
syar_syscalls_process_vm_writev             15757      10256    -5501 (-34.91%)         390         246   -144 (-36.92%)
do_uprobe                                   15519      10018    -5501 (-35.45%)         373         229   -144 (-38.61%)
edgewall                                   179715      55783  -123932 (-68.96%)       12607        3999  -8608 (-68.28%)
bictcp_state                                 7570       4131    -3439 (-45.43%)         496         269   -227 (-45.77%)
cubictcp_state                               7570       4131    -3439 (-45.43%)         496         269   -227 (-45.77%)
tcp_rate_skb_delivered                        447        272     -175 (-39.15%)          29          18    -11 (-37.93%)
kprobe__bbr_set_state                        4566       2615    -1951 (-42.73%)         209         124    -85 (-40.67%)
kprobe__bictcp_state                         4566       2615    -1951 (-42.73%)         209         124    -85 (-40.67%)
inet_sock_set_state                          1501       1337     -164 (-10.93%)          93          85      -8 (-8.60%)
tcp_retransmit_skb                           1145        981     -164 (-14.32%)          67          59     -8 (-11.94%)
tcp_retransmit_synack                        1183        951     -232 (-19.61%)          67          55    -12 (-17.91%)
bpf_tcptuner                                 1459       1187     -272 (-18.64%)          99          80    -19 (-19.19%)
tw_egress                                     801        776       -25 (-3.12%)          69          66      -3 (-4.35%)
tw_ingress                                    795        770       -25 (-3.14%)          69          66      -3 (-4.35%)
ttls_tc_ingress                             19025      19383      +358 (+1.88%)         470         465      -5 (-1.06%)
ttls_nat_egress                               490        299     -191 (-38.98%)          33          20    -13 (-39.39%)
ttls_nat_ingress                              448        285     -163 (-36.38%)          32          21    -11 (-34.38%)
tw_twfw_egress                             511127     212071  -299056 (-58.51%)       16733        8504  -8229 (-49.18%)
tw_twfw_ingress                            500095     212069  -288026 (-57.59%)       16223        8504  -7719 (-47.58%)
tw_twfw_tc_eg                              511113     212064  -299049 (-58.51%)       16732        8504  -8228 (-49.18%)
tw_twfw_tc_in                              500095     212069  -288026 (-57.59%)       16223        8504  -7719 (-47.58%)
tw_twfw_egress                              12632      12435      -197 (-1.56%)         276         260     -16 (-5.80%)
tw_twfw_ingress                             12631      12454      -177 (-1.40%)         278         261     -17 (-6.12%)
tw_twfw_tc_eg                               12595      12435      -160 (-1.27%)         274         259     -15 (-5.47%)
tw_twfw_tc_in                               12631      12454      -177 (-1.40%)         278         261     -17 (-6.12%)
tw_xdp_dump                                   266        209      -57 (-21.43%)           9           8     -1 (-11.11%)

CILIUM
=========
File           Program                           Insns (A)  Insns (B)  Insns     (DIFF)  States (A)  States (B)  States  (DIFF)
-------------  --------------------------------  ---------  ---------  ----------------  ----------  ----------  --------------
bpf_host.o     cil_to_netdev                          6047       4578   -1469 (-24.29%)         362         249  -113 (-31.22%)
bpf_host.o     handle_lxc_traffic                     2227       1585    -642 (-28.83%)         156         103   -53 (-33.97%)
bpf_host.o     tail_handle_ipv4_from_netdev           2244       1458    -786 (-35.03%)         163         106   -57 (-34.97%)
bpf_host.o     tail_handle_nat_fwd_ipv4              21022      10479  -10543 (-50.15%)        1289         670  -619 (-48.02%)
bpf_host.o     tail_handle_nat_fwd_ipv6              15433      11375   -4058 (-26.29%)         905         643  -262 (-28.95%)
bpf_host.o     tail_ipv4_host_policy_ingress          2219       1367    -852 (-38.40%)         161          96   -65 (-40.37%)
bpf_host.o     tail_nodeport_nat_egress_ipv4         22460      19862   -2598 (-11.57%)        1469        1293  -176 (-11.98%)
bpf_host.o     tail_nodeport_nat_ingress_ipv4         5526       3534   -1992 (-36.05%)         366         243  -123 (-33.61%)
bpf_host.o     tail_nodeport_nat_ingress_ipv6         5132       4256    -876 (-17.07%)         241         219    -22 (-9.13%)
bpf_host.o     tail_nodeport_nat_ipv6_egress          3702       3542     -160 (-4.32%)         215         205    -10 (-4.65%)
bpf_lxc.o      tail_handle_nat_fwd_ipv4              21022      10479  -10543 (-50.15%)        1289         670  -619 (-48.02%)
bpf_lxc.o      tail_handle_nat_fwd_ipv6              15433      11375   -4058 (-26.29%)         905         643  -262 (-28.95%)
bpf_lxc.o      tail_ipv4_ct_egress                    5073       3374   -1699 (-33.49%)         262         172   -90 (-34.35%)
bpf_lxc.o      tail_ipv4_ct_ingress                   5093       3385   -1708 (-33.54%)         262         172   -90 (-34.35%)
bpf_lxc.o      tail_ipv4_ct_ingress_policy_only       5093       3385   -1708 (-33.54%)         262         172   -90 (-34.35%)
bpf_lxc.o      tail_ipv6_ct_egress                    4593       3878    -715 (-15.57%)         194         151   -43 (-22.16%)
bpf_lxc.o      tail_ipv6_ct_ingress                   4606       3891    -715 (-15.52%)         194         151   -43 (-22.16%)
bpf_lxc.o      tail_ipv6_ct_ingress_policy_only       4606       3891    -715 (-15.52%)         194         151   -43 (-22.16%)
bpf_lxc.o      tail_nodeport_nat_ingress_ipv4         5526       3534   -1992 (-36.05%)         366         243  -123 (-33.61%)
bpf_lxc.o      tail_nodeport_nat_ingress_ipv6         5132       4256    -876 (-17.07%)         241         219    -22 (-9.13%)
bpf_overlay.o  tail_handle_nat_fwd_ipv4              20524      10114  -10410 (-50.72%)        1271         638  -633 (-49.80%)
bpf_overlay.o  tail_nodeport_nat_egress_ipv4         22718      19490   -3228 (-14.21%)        1475        1275  -200 (-13.56%)
bpf_overlay.o  tail_nodeport_nat_ingress_ipv4         5526       3534   -1992 (-36.05%)         366         243  -123 (-33.61%)
bpf_overlay.o  tail_nodeport_nat_ingress_ipv6         5132       4256    -876 (-17.07%)         241         219    -22 (-9.13%)
bpf_overlay.o  tail_nodeport_nat_ipv6_egress          3638       3548      -90 (-2.47%)         209         203     -6 (-2.87%)
bpf_overlay.o  tail_rev_nodeport_lb4                  4368       3820    -548 (-12.55%)         248         215   -33 (-13.31%)
bpf_overlay.o  tail_rev_nodeport_lb6                  2867       2428    -439 (-15.31%)         167         140   -27 (-16.17%)
bpf_sock.o     cil_sock6_connect                      1718       1703      -15 (-0.87%)         100          99     -1 (-1.00%)
bpf_xdp.o      tail_handle_nat_fwd_ipv4              12917      12443     -474 (-3.67%)         875         849    -26 (-2.97%)
bpf_xdp.o      tail_handle_nat_fwd_ipv6              13515      13264     -251 (-1.86%)         715         702    -13 (-1.82%)
bpf_xdp.o      tail_lb_ipv4                          39492      36367    -3125 (-7.91%)        2430        2251   -179 (-7.37%)
bpf_xdp.o      tail_lb_ipv6                          80441      78058    -2383 (-2.96%)        3647        3523   -124 (-3.40%)
bpf_xdp.o      tail_nodeport_ipv6_dsr                 1038        901    -137 (-13.20%)          61          55     -6 (-9.84%)
bpf_xdp.o      tail_nodeport_nat_egress_ipv4         13027      12096     -931 (-7.15%)         868         809    -59 (-6.80%)
bpf_xdp.o      tail_nodeport_nat_ingress_ipv4         7617       5900   -1717 (-22.54%)         522         413  -109 (-20.88%)
bpf_xdp.o      tail_nodeport_nat_ingress_ipv6         7575       7395     -180 (-2.38%)         383         374     -9 (-2.35%)
bpf_xdp.o      tail_rev_nodeport_lb4                  6808       6739      -69 (-1.01%)         403         396     -7 (-1.74%)
bpf_xdp.o      tail_rev_nodeport_lb6                 16173      15847     -326 (-2.02%)        1010         990    -20 (-1.98%)

Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/r/20231205184248.1502704-9-andrii@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/bpf/verifier.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index eaeb996ff56a2..705582bdda681 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -4666,8 +4666,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
 		return err;
 
 	mark_stack_slot_scratched(env, spi);
-	if (reg && !(off % BPF_REG_SIZE) && register_is_bounded(reg) &&
-	    !register_is_null(reg) && env->bpf_capable) {
+	if (reg && !(off % BPF_REG_SIZE) && register_is_bounded(reg) && env->bpf_capable) {
 		save_register_state(env, state, spi, reg, size);
 		/* Break the relation on a narrowing spill. */
 		if (fls64(reg->umax_value) > BITS_PER_BYTE * size)
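Review bot: dropping `!register_is_null(reg)` from the condition is the entire behavioural change (a known-zero register spilled at an aligned offset is now saved via save_register_state() as an imprecise spilled register instead of STACK_ZERO), but nothing in the surrounding code says so; a short comment above the `if` would help, since the `/* Break the relation on a narrowing spill. */` comment that follows says nothing about zero. Note that unaligned offsets and programs without `env->bpf_capable` still reach the STACK_ZERO path in the next hunk.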
@@ -4716,7 +4715,12 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
 		/* when we zero initialize stack slots mark them as such */
 		if ((reg && register_is_null(reg)) ||
 		    (!reg && is_bpf_st_mem(insn) && insn->imm == 0)) {
-			/* backtracking doesn't work for STACK_ZERO yet. */
+			/* STACK_ZERO case happened because register spill
+			 * wasn't properly aligned at the stack slot boundary,
+			 * so it's not a register spill anymore; force
+			 * originating register to be precise to make
+			 * STACK_ZERO correct for subsequent states
+			 */
 			err = mark_chain_precision(env, value_regno);
 			if (err)
 				return err;
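Review bot: the new comment explains the STACK_ZERO case only as a mis-aligned register spill, but the condition two lines above it also covers `!reg && is_bpf_st_mem(insn) && insn->imm == 0` (a BPF_ST_MEM store of zero, which has no originating register) and, after the previous hunk, registers whose `register_is_bounded()` or `env->bpf_capable` test failed. Suggest the comment list those cases too, and state what mark_chain_precision(env, value_regno) does when value_regno refers to no register in the ST_MEM case.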
-- 
2.53.0

* [PATCH 6.6 179/474] selftests/bpf: validate precision logic in partial_stack_load_preserves_zeros
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (177 preceding siblings ...)
  2026-05-15 15:44 ` [PATCH 6.6 178/474] bpf: track aligned STACK_ZERO cases as imprecise spilled registers Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
  2026-05-15 15:44 ` [PATCH 6.6 180/474] bpf: handle fake register spill to stack with BPF_ST_MEM instruction Greg Kroah-Hartman
                   ` (295 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eduard Zingerman, Andrii Nakryiko,
	Alexei Starovoitov, Paul Chaignon, Shung-Hsi Yu, Daniel Borkmann,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andrii Nakryiko <andrii@kernel.org>

[ Upstream commit 064e0bea19b356c5d5f48a4549d80a3c03ce898b ]

Enhance partial_stack_load_preserves_zeros subtest with detailed
precision propagation log checks. We now expect fp-16 to be spilled,
initially imprecise, zero const register, which is later marked as
precise even when partial stack slot load is performed, even if it's not
a register fill (!).

Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/r/20231205184248.1502704-10-andrii@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../selftests/bpf/progs/verifier_spill_fill.c    | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/tools/testing/selftests/bpf/progs/verifier_spill_fill.c b/tools/testing/selftests/bpf/progs/verifier_spill_fill.c
index 41fd61299eab0..df4920da34728 100644
--- a/tools/testing/selftests/bpf/progs/verifier_spill_fill.c
+++ b/tools/testing/selftests/bpf/progs/verifier_spill_fill.c
@@ -495,6 +495,22 @@ char single_byte_buf[1] SEC(".data.single_byte_buf");
 SEC("raw_tp")
 __log_level(2)
 __success
+/* make sure fp-8 is all STACK_ZERO */
+__msg("2: (7a) *(u64 *)(r10 -8) = 0          ; R10=fp0 fp-8_w=00000000")
+/* but fp-16 is spilled IMPRECISE zero const reg */
+__msg("4: (7b) *(u64 *)(r10 -16) = r0        ; R0_w=0 R10=fp0 fp-16_w=0")
+/* and now check that precision propagation works even for such tricky case */
+__msg("10: (71) r2 = *(u8 *)(r10 -9)         ; R2_w=P0 R10=fp0 fp-16_w=0")
+__msg("11: (0f) r1 += r2")
+__msg("mark_precise: frame0: last_idx 11 first_idx 0 subseq_idx -1")
+__msg("mark_precise: frame0: regs=r2 stack= before 10: (71) r2 = *(u8 *)(r10 -9)")
+__msg("mark_precise: frame0: regs= stack=-16 before 9: (bf) r1 = r6")
+__msg("mark_precise: frame0: regs= stack=-16 before 8: (73) *(u8 *)(r1 +0) = r2")
+__msg("mark_precise: frame0: regs= stack=-16 before 7: (0f) r1 += r2")
+__msg("mark_precise: frame0: regs= stack=-16 before 6: (71) r2 = *(u8 *)(r10 -1)")
+__msg("mark_precise: frame0: regs= stack=-16 before 5: (bf) r1 = r6")
+__msg("mark_precise: frame0: regs= stack=-16 before 4: (7b) *(u64 *)(r10 -16) = r0")
+__msg("mark_precise: frame0: regs=r0 stack= before 3: (b7) r0 = 0")
 __naked void partial_stack_load_preserves_zeros(void)
 {
 	asm volatile (
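Review bot: these `__msg()` patterns pin exact instruction indices and the column alignment of the verifier log (e.g. the run of spaces before `; R2_w=P0` on line 10), so any change to the prologue, to instruction numbering or to log formatting fails the test without saying which part moved; a comment naming the log format they were captured against would help, and the backport note in patch 181 of this series shows such strings already needed adapting. The last expected line, `regs=r0 stack= before 3: (b7) r0 = 0`, is the one that actually proves precision reached the spilled zero's origin through fp-16; it deserves a comment of its own.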
-- 
2.53.0

* [PATCH 6.6 180/474] bpf: handle fake register spill to stack with BPF_ST_MEM instruction
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (178 preceding siblings ...)
  2026-05-15 15:44 ` [PATCH 6.6 179/474] selftests/bpf: validate precision logic in partial_stack_load_preserves_zeros Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
  2026-05-15 15:44 ` [PATCH 6.6 181/474] selftests/bpf: validate fake register spill/fill precision backtracking logic Greg Kroah-Hartman
                   ` (294 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Andrii Nakryiko, Eduard Zingerman,
	Alexei Starovoitov, Paul Chaignon, Shung-Hsi Yu, Daniel Borkmann,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andrii Nakryiko <andrii@kernel.org>

[ Upstream commit 482d548d40b0af9af730e4869903d4433e44f014 ]

When the verifier validates a BPF_ST_MEM instruction that stores a known
constant to the stack (e.g., *(u64 *)(r10 - 8) = 123), it effectively spills
a fake register with a constant (but initially imprecise) value to
a stack slot. Because read-side logic treats it as a proper register
fill from stack slot, we need to mark such stack slot initialization as
INSN_F_STACK_ACCESS instruction to stop precision backtracking from
missing it.

Fixes: 41f6f64e6999 ("bpf: support non-r10 register spill/fill to/from stack in precision tracking")
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20231209010958.66758-1-andrii@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/bpf/verifier.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 705582bdda681..f6040169ef749 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -4678,7 +4678,6 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
 		__mark_reg_known(&fake_reg, insn->imm);
 		fake_reg.type = SCALAR_VALUE;
 		save_register_state(env, state, spi, &fake_reg, size);
-		insn_flags = 0; /* not a register spill */
 	} else if (reg && is_spillable_regtype(reg->type)) {
 		/* register containing pointer is being spilled into stack */
 		if (size != BPF_REG_SIZE) {
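Review bot: removing `insn_flags = 0` means the fake-register spill created for BPF_ST_MEM (`__mark_reg_known(&fake_reg, insn->imm)` above) is now recorded with the same stack-access flag as a real register spill so that precision backtracking finds it; the deleted comment should be replaced rather than dropped, e.g. `/* keep insn_flags: backtracking treats this as a register spill */`, and the backtracking side must cope with a spill whose source is an immediate rather than a register, which this hunk cannot show.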
-- 
2.53.0
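The sub-slot fill logic of patch 176 (top of this page), the store/load sequence of the patch 177 selftest, and the write-side changes of patches 178 and 180, combined into one constructed C model. This is added for illustration and is neither kernel code nor the series' own code: stack_write, stack_read and replay_selftest are hypothetical names, the 16-byte stack is constructed, and the model treats only full 8-byte aligned writes as spills.

```c
/* Constructed toy model (added for illustration, not kernel code) of the
 * verifier's stack-zero tracking; only 8-byte aligned writes model a spill. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define STACK_SIZE 16     /* models fp-16 .. fp-1, i.e. two 8-byte slots */
#define SLOT_SIZE 8

enum slot_type { STACK_INVALID = 0, STACK_MISC, STACK_ZERO, STACK_SPILL };

struct stack_state {
	uint8_t type[STACK_SIZE];                     /* per-byte slot_type[] */
	bool spill_known[STACK_SIZE / SLOT_SIZE];     /* tnum_is_const() per slot */
	uint64_t spill_value[STACK_SIZE / SLOT_SIZE]; /* spilled reg->var_off.value */
};

struct fill_result {
	bool rejected;    /* read touched STACK_INVALID: verifier returns -EACCES */
	bool known_zero;  /* destination register becomes a const zero */
	bool is_fill;     /* insn_flags kept: a real register fill for backtracking */
};

static int byte_idx(int off) { return STACK_SIZE + off; } /* off is negative */
static int slot_idx(int off) { return byte_idx(off) / SLOT_SIZE; }

/* Write side after patches 178 and 180 of this series. src_known/src_value
 * describe the source register, or the immediate when is_st_mem. Returns true
 * when mark_chain_precision() would run on the source register (STACK_ZERO path). */
bool stack_write(struct stack_state *st, int off, int size, bool is_st_mem,
		 bool src_known, uint64_t src_value, bool bpf_capable)
{
	int base = byte_idx(off);
	if (off % SLOT_SIZE == 0 && size == SLOT_SIZE && src_known &&
	    (is_st_mem ? src_value != 0 : bpf_capable)) {
		/* save_register_state(): (fake) register spill, initially
		 * imprecise; a known zero now lands here, not in STACK_ZERO */
		st->spill_known[slot_idx(off)] = true;
		st->spill_value[slot_idx(off)] = src_value;
		memset(&st->type[base], STACK_SPILL, size);
		return false;
	}
	if (src_known && src_value == 0) {
		memset(&st->type[base], STACK_ZERO, size);
		return !is_st_mem;   /* BPF_ST_MEM has no register to make precise */
	}
	memset(&st->type[base], STACK_MISC, size);
	return false;
}

/* Read side, modelling the sub-slot fill path of patch 176: count STACK_SPILL
 * and STACK_ZERO bytes and decide what the destination register learns. Reads
 * stay within one slot; a full fill of a non-zero spill is not modelled. */
struct fill_result stack_read(const struct stack_state *st, int off, int size)
{
	struct fill_result r = { false, false, false };
	int slot = slot_idx(off), base = byte_idx(off);
	int spill_cnt = 0, zero_cnt = 0;
	for (int i = 0; i < size; i++) {
		uint8_t t = st->type[base + i];
		if (t == STACK_SPILL)
			spill_cnt++;
		else if (t == STACK_ZERO)
			zero_cnt++;
		else if (t == STACK_INVALID) {
			r.rejected = true;    /* "invalid read from stack off" */
			return r;
		}                             /* STACK_MISC: readable, unknown */
	}
	if (spill_cnt == size && st->spill_known[slot] && st->spill_value[slot] == 0) {
		r.known_zero = true;
		r.is_fill = true;     /* this IS a register fill, keep insn_flags */
	} else if (zero_cnt == size) {
		r.known_zero = true;  /* zeroes preserved, but not a register fill */
	}                             /* any other mix: mark_reg_unknown() */
	return r;
}

/* Replays the store/load sequence of partial_stack_load_preserves_zeros from
 * patch 177: fp-8 zeroed with BPF_ST_MEM, fp-16 by spilling r0 = 0, then the
 * eight 1/2/4/8-byte loads. Returns how many loads see a known zero and, via
 * *fills, how many of them count as register fills. */
int replay_selftest(int *fills)
{
	static const int offs[] = { -1, -9, -2, -10, -4, -12, -8, -16 };
	static const int sizes[] = { 1, 1, 2, 2, 4, 4, 8, 8 };
	struct stack_state st = { 0 };                   /* all STACK_INVALID */
	int zeros = 0;
	stack_write(&st, -8, 8, true, true, 0, true);    /* *(u64 *)(r10 -8) = 0 */
	stack_write(&st, -16, 8, false, true, 0, true);  /* r0 = 0; *(u64 *)(r10 -16) = r0 */
	*fills = 0;
	for (int i = 0; i < 8; i++) {
		struct fill_result r = stack_read(&st, offs[i], sizes[i]);
		zeros += r.known_zero;
		*fills += r.is_fill;
	}
	return zeros;   /* 8: every load is a known zero; 4 of them are fills */
}
```

replay_selftest() reports that all eight loads see a known zero while only the four from the spilled fp-16 slot count as register fills, which is why every store into single_byte_buf in the selftest verifies.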

* [PATCH 6.6 181/474] selftests/bpf: validate fake register spill/fill precision backtracking logic
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (179 preceding siblings ...)
  2026-05-15 15:44 ` [PATCH 6.6 180/474] bpf: handle fake register spill to stack with BPF_ST_MEM instruction Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
  2026-05-15 15:44 ` [PATCH 6.6 182/474] bpf: Dont mark STACK_INVALID as STACK_MISC in mark_stack_slot_misc Greg Kroah-Hartman
                   ` (293 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Andrii Nakryiko, Eduard Zingerman,
	Alexei Starovoitov, Paul Chaignon, Shung-Hsi Yu, Daniel Borkmann,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andrii Nakryiko <andrii@kernel.org>

[ Upstream commit 7d8ed51bcb32716a40d71043fcd01c4118858c51 ]

Add two tests validating that the verifier's precision backtracking logic
handles BPF_ST_MEM instructions that produce a fake register spill into a
register slot. This happens when a non-zero constant is written
directly to a slot, e.g., *(u64 *)(r10 -8) = 123.

Add both a full 64-bit register spill and a 32-bit "sub-spill".

Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20231209010958.66758-2-andrii@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
[ Note: Adapted the expected log format for the selftests because it
  changed later on in commits 67d43dfbb42d, 0c95c9fdb696, and
  1db747d75b1d. ]
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../selftests/bpf/progs/verifier_spill_fill.c | 154 ++++++++++++++++++
 1 file changed, 154 insertions(+)

diff --git a/tools/testing/selftests/bpf/progs/verifier_spill_fill.c b/tools/testing/selftests/bpf/progs/verifier_spill_fill.c
index df4920da34728..1f71f596d33f8 100644
--- a/tools/testing/selftests/bpf/progs/verifier_spill_fill.c
+++ b/tools/testing/selftests/bpf/progs/verifier_spill_fill.c
@@ -577,4 +577,158 @@ __naked void partial_stack_load_preserves_zeros(void)
 	: __clobber_common);
 }
 
+char two_byte_buf[2] SEC(".data.two_byte_buf");
+
+SEC("raw_tp")
+__log_level(2) __flag(BPF_F_TEST_STATE_FREQ)
+__success
+/* make sure fp-8 is IMPRECISE fake register spill */
+__msg("3: (7a) *(u64 *)(r10 -8) = 1          ; R10=fp0 fp-8_w=1")
+/* and fp-16 is spilled IMPRECISE const reg */
+__msg("5: (7b) *(u64 *)(r10 -16) = r0        ; R0_w=1 R10=fp0 fp-16_w=1")
+/* validate load from fp-8, which was initialized using BPF_ST_MEM */
+__msg("8: (79) r2 = *(u64 *)(r10 -8)         ; R2_w=1 R10=fp0 fp-8=1")
+__msg("9: (0f) r1 += r2")
+__msg("mark_precise: frame0: last_idx 9 first_idx 7 subseq_idx -1")
+__msg("mark_precise: frame0: regs=r2 stack= before 8: (79) r2 = *(u64 *)(r10 -8)")
+__msg("mark_precise: frame0: regs= stack=-8 before 7: (bf) r1 = r6")
+/* note, fp-8 is precise, fp-16 is not yet precise, we'll get there */
+__msg("mark_precise: frame0: parent state regs= stack=-8:  R0_w=1 R1=ctx(off=0,imm=0) R6_r=map_value(off=0,ks=4,vs=2,imm=0) R10=fp0 fp-8_rw=P1 fp-16_w=1")
+__msg("mark_precise: frame0: last_idx 6 first_idx 3 subseq_idx 7")
+__msg("mark_precise: frame0: regs= stack=-8 before 6: (05) goto pc+0")
+__msg("mark_precise: frame0: regs= stack=-8 before 5: (7b) *(u64 *)(r10 -16) = r0")
+__msg("mark_precise: frame0: regs= stack=-8 before 4: (b7) r0 = 1")
+__msg("mark_precise: frame0: regs= stack=-8 before 3: (7a) *(u64 *)(r10 -8) = 1")
+__msg("10: R1_w=map_value(off=1,ks=4,vs=2,imm=0) R2_w=1")
+/* validate load from fp-16, which was initialized using BPF_STX_MEM */
+__msg("12: (79) r2 = *(u64 *)(r10 -16)       ; R2_w=1 R10=fp0 fp-16=1")
+__msg("13: (0f) r1 += r2")
+__msg("mark_precise: frame0: last_idx 13 first_idx 7 subseq_idx -1")
+__msg("mark_precise: frame0: regs=r2 stack= before 12: (79) r2 = *(u64 *)(r10 -16)")
+__msg("mark_precise: frame0: regs= stack=-16 before 11: (bf) r1 = r6")
+__msg("mark_precise: frame0: regs= stack=-16 before 10: (73) *(u8 *)(r1 +0) = r2")
+__msg("mark_precise: frame0: regs= stack=-16 before 9: (0f) r1 += r2")
+__msg("mark_precise: frame0: regs= stack=-16 before 8: (79) r2 = *(u64 *)(r10 -8)")
+__msg("mark_precise: frame0: regs= stack=-16 before 7: (bf) r1 = r6")
+/* now both fp-8 and fp-16 are precise, very good */
+__msg("mark_precise: frame0: parent state regs= stack=-16:  R0_w=1 R1=ctx(off=0,imm=0) R6_r=map_value(off=0,ks=4,vs=2,imm=0) R10=fp0 fp-8_rw=P1 fp-16_rw=P1")
+__msg("mark_precise: frame0: last_idx 6 first_idx 3 subseq_idx 7")
+__msg("mark_precise: frame0: regs= stack=-16 before 6: (05) goto pc+0")
+__msg("mark_precise: frame0: regs= stack=-16 before 5: (7b) *(u64 *)(r10 -16) = r0")
+__msg("mark_precise: frame0: regs=r0 stack= before 4: (b7) r0 = 1")
+__msg("14: R1_w=map_value(off=1,ks=4,vs=2,imm=0) R2_w=1")
+__naked void stack_load_preserves_const_precision(void)
+{
+	asm volatile (
+		/* establish checkpoint with state that has no stack slots;
+		 * if we bubble up to this state without finding desired stack
+		 * slot, then it's a bug and should be caught
+		 */
+		"goto +0;"
+
+		/* fp-8 is const 1 *fake* register */
+		".8byte %[fp8_st_one];" /* LLVM-18+: *(u64 *)(r10 -8) = 1; */
+
+		/* fp-16 is const 1 register */
+		"r0 = 1;"
+		"*(u64 *)(r10 -16) = r0;"
+
+		/* force checkpoint to check precision marks preserved in parent states */
+		"goto +0;"
+
+		/* load single U64 from aligned FAKE_REG=1 slot */
+		"r1 = %[two_byte_buf];"
+		"r2 = *(u64 *)(r10 -8);"
+		"r1 += r2;"
+		"*(u8 *)(r1 + 0) = r2;" /* this should be fine */
+
+		/* load single U64 from aligned REG=1 slot */
+		"r1 = %[two_byte_buf];"
+		"r2 = *(u64 *)(r10 -16);"
+		"r1 += r2;"
+		"*(u8 *)(r1 + 0) = r2;" /* this should be fine */
+
+		"r0 = 0;"
+		"exit;"
+	:
+	: __imm_ptr(two_byte_buf),
+	  __imm_insn(fp8_st_one, BPF_ST_MEM(BPF_DW, BPF_REG_FP, -8, 1))
+	: __clobber_common);
+}
+
+SEC("raw_tp")
+__log_level(2) __flag(BPF_F_TEST_STATE_FREQ)
+__success
+/* make sure fp-8 is 32-bit FAKE subregister spill */
+__msg("3: (62) *(u32 *)(r10 -8) = 1          ; R10=fp0 fp-8=1")
+/* but fp-16 is spilled IMPRECISE zero const reg */
+__msg("5: (63) *(u32 *)(r10 -16) = r0        ; R0_w=1 R10=fp0 fp-16=1")
+/* validate load from fp-8, which was initialized using BPF_ST_MEM */
+__msg("8: (61) r2 = *(u32 *)(r10 -8)         ; R2_w=1 R10=fp0 fp-8=1")
+__msg("9: (0f) r1 += r2")
+__msg("mark_precise: frame0: last_idx 9 first_idx 7 subseq_idx -1")
+__msg("mark_precise: frame0: regs=r2 stack= before 8: (61) r2 = *(u32 *)(r10 -8)")
+__msg("mark_precise: frame0: regs= stack=-8 before 7: (bf) r1 = r6")
+__msg("mark_precise: frame0: parent state regs= stack=-8:  R0_w=1 R1=ctx(off=0,imm=0) R6_r=map_value(off=0,ks=4,vs=2,imm=0) R10=fp0 fp-8_r=P1 fp-16=1")
+__msg("mark_precise: frame0: last_idx 6 first_idx 3 subseq_idx 7")
+__msg("mark_precise: frame0: regs= stack=-8 before 6: (05) goto pc+0")
+__msg("mark_precise: frame0: regs= stack=-8 before 5: (63) *(u32 *)(r10 -16) = r0")
+__msg("mark_precise: frame0: regs= stack=-8 before 4: (b7) r0 = 1")
+__msg("mark_precise: frame0: regs= stack=-8 before 3: (62) *(u32 *)(r10 -8) = 1")
+__msg("10: R1_w=map_value(off=1,ks=4,vs=2,imm=0) R2_w=1")
+/* validate load from fp-16, which was initialized using BPF_STX_MEM */
+__msg("12: (61) r2 = *(u32 *)(r10 -16)       ; R2_w=1 R10=fp0 fp-16=1")
+__msg("13: (0f) r1 += r2")
+__msg("mark_precise: frame0: last_idx 13 first_idx 7 subseq_idx -1")
+__msg("mark_precise: frame0: regs=r2 stack= before 12: (61) r2 = *(u32 *)(r10 -16)")
+__msg("mark_precise: frame0: regs= stack=-16 before 11: (bf) r1 = r6")
+__msg("mark_precise: frame0: regs= stack=-16 before 10: (73) *(u8 *)(r1 +0) = r2")
+__msg("mark_precise: frame0: regs= stack=-16 before 9: (0f) r1 += r2")
+__msg("mark_precise: frame0: regs= stack=-16 before 8: (61) r2 = *(u32 *)(r10 -8)")
+__msg("mark_precise: frame0: regs= stack=-16 before 7: (bf) r1 = r6")
+__msg("mark_precise: frame0: parent state regs= stack=-16:  R0_w=1 R1=ctx(off=0,imm=0) R6_r=map_value(off=0,ks=4,vs=2,imm=0) R10=fp0 fp-8_r=P1 fp-16_r=P1")
+__msg("mark_precise: frame0: last_idx 6 first_idx 3 subseq_idx 7")
+__msg("mark_precise: frame0: regs= stack=-16 before 6: (05) goto pc+0")
+__msg("mark_precise: frame0: regs= stack=-16 before 5: (63) *(u32 *)(r10 -16) = r0")
+__msg("mark_precise: frame0: regs=r0 stack= before 4: (b7) r0 = 1")
+__msg("14: R1_w=map_value(off=1,ks=4,vs=2,imm=0) R2_w=1")
+__naked void stack_load_preserves_const_precision_subreg(void)
+{
+	asm volatile (
+		/* establish checkpoint with state that has no stack slots;
+		 * if we bubble up to this state without finding desired stack
+		 * slot, then it's a bug and should be caught
+		 */
+		"goto +0;"
+
+		/* fp-8 is const 1 *fake* SUB-register */
+		".8byte %[fp8_st_one];" /* LLVM-18+: *(u32 *)(r10 -8) = 1; */
+
+		/* fp-16 is const 1 SUB-register */
+		"r0 = 1;"
+		"*(u32 *)(r10 -16) = r0;"
+
+		/* force checkpoint to check precision marks preserved in parent states */
+		"goto +0;"
+
+		/* load single U32 from aligned FAKE_REG=1 slot */
+		"r1 = %[two_byte_buf];"
+		"r2 = *(u32 *)(r10 -8);"
+		"r1 += r2;"
+		"*(u8 *)(r1 + 0) = r2;" /* this should be fine */
+
+		/* load single U32 from aligned REG=1 slot */
+		"r1 = %[two_byte_buf];"
+		"r2 = *(u32 *)(r10 -16);"
+		"r1 += r2;"
+		"*(u8 *)(r1 + 0) = r2;" /* this should be fine */
+
+		"r0 = 0;"
+		"exit;"
+	:
+	: __imm_ptr(two_byte_buf),
+	  __imm_insn(fp8_st_one, BPF_ST_MEM(BPF_W, BPF_REG_FP, -8, 1)) /* 32-bit spill */
+	: __clobber_common);
+}
+
 char _license[] SEC("license") = "GPL";
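Review bot: the comment `/* but fp-16 is spilled IMPRECISE zero const reg */` in the subreg test does not match the program it annotates, which stores `r0 = 1` to fp-16 (and the expected log line directly below it reads `fp-16=1`). Suggest `/* and fp-16 is spilled IMPRECISE const reg */`, as in the first test, so the two cases read consistently and nobody later "fixes" the expected value to 0.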
-- 
2.53.0





* [PATCH 6.6 182/474] bpf: Dont mark STACK_INVALID as STACK_MISC in mark_stack_slot_misc
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (180 preceding siblings ...)
  2026-05-15 15:44 ` [PATCH 6.6 181/474] selftests/bpf: validate fake register spill/fill precision backtracking logic Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
  2026-05-15 15:44 ` [PATCH 6.6 183/474] exit: prevent preemption of oopsing TASK_DEAD task Greg Kroah-Hartman
                   ` (292 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Andrii Nakryiko, Tao Lyu,
	Kumar Kartikeya Dwivedi, Alexei Starovoitov, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kumar Kartikeya Dwivedi <memxor@gmail.com>

[ Upstream commit 69772f509e084ec6bca12dbcdeeeff41b0103774 ]

Inside mark_stack_slot_misc, we should not upgrade STACK_INVALID to
STACK_MISC when allow_ptr_leaks is false, since invalid contents
shouldn't be read unless the program has the relevant capabilities.
The relaxation only makes sense when env->allow_ptr_leaks is true.

However, such conversion in privileged mode becomes unnecessary, as
invalid slots can be read without being upgraded to STACK_MISC.

Currently, the condition is inverted (i.e. checking for true instead of
false); simply remove it to restore correct behavior.

Fixes: eaf18febd6eb ("bpf: preserve STACK_ZERO slots on partial reg spills")
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Reported-by: Tao Lyu <tao.lyu@epfl.ch>
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Link: https://lore.kernel.org/r/20241204044757.1483141-2-memxor@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/bpf/verifier.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index f6040169ef749..b7fd3995538bf 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1350,14 +1350,17 @@ static bool is_spilled_scalar_reg(const struct bpf_stack_state *stack)
 /* Mark stack slot as STACK_MISC, unless it is already STACK_INVALID, in which
  * case they are equivalent, or it's STACK_ZERO, in which case we preserve
  * more precise STACK_ZERO.
- * Note, in uprivileged mode leaving STACK_INVALID is wrong, so we take
- * env->allow_ptr_leaks into account and force STACK_MISC, if necessary.
+ * Regardless of allow_ptr_leaks setting (i.e., privileged or unprivileged
+ * mode), we won't promote STACK_INVALID to STACK_MISC. In privileged case it is
+ * unnecessary as both are considered equivalent when loading data and pruning,
+ * in case of unprivileged mode it will be incorrect to allow reads of invalid
+ * slots.
  */
 static void mark_stack_slot_misc(struct bpf_verifier_env *env, u8 *stype)
 {
 	if (*stype == STACK_ZERO)
 		return;
-	if (env->allow_ptr_leaks && *stype == STACK_INVALID)
+	if (*stype == STACK_INVALID)
 		return;
 	*stype = STACK_MISC;
 }
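Review bot: the `env` parameter of mark_stack_slot_misc() is now unused once the `env->allow_ptr_leaks` test is dropped; either remove it from the signature and its callers or say why it is kept. Separately, the lead sentence of the comment ("unless it is already STACK_INVALID, in which case they are equivalent") now contradicts the new paragraph, which says the two are only equivalent in the privileged case and that reads of invalid slots are incorrect in unprivileged mode; suggest rewording the first sentence to "unless it is STACK_INVALID or STACK_ZERO" and leaving the rationale to the paragraph that follows.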
-- 
2.53.0





* [PATCH 6.6 183/474] exit: prevent preemption of oopsing TASK_DEAD task
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (181 preceding siblings ...)
  2026-05-15 15:44 ` [PATCH 6.6 182/474] bpf: Dont mark STACK_INVALID as STACK_MISC in mark_stack_slot_misc Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
  2026-05-15 15:44 ` [PATCH 6.6 184/474] wifi: mt76: mt7921: fix a potential clc buffer length underflow Greg Kroah-Hartman
                   ` (291 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Jann Horn, Peter Zijlstra,
	Linus Torvalds

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jann Horn <jannh@google.com>

commit c1fa0bb633e4a6b11e83ffc57fa5abe8ebb87891 upstream.

When an already-exiting task oopses, make_task_dead() currently calls
do_task_dead() with preemption enabled.  That is forbidden:
do_task_dead() calls __schedule(), which has a comment saying "WARNING:
must be called with preemption disabled!".

If an oopsing task is preempted in do_task_dead(), between becoming
TASK_DEAD and entering the scheduler explicitly, bad things happen:
finish_task_switch() assumes that once the scheduler has switched away
from a TASK_DEAD task, the task can never run again and its stack is no
longer needed; but that assumption apparently doesn't hold if the dead
task was preempted (the SM_PREEMPT case).

This means that the scheduler ends up repeatedly dropping references on
the dead task's stack, which can lead to use-after-free or double-free
of the entire task stack; in other words, two tasks can end up running
on the same stack, resulting in various kinds of memory corruption.

(This does not just affect "recursively oopsing" tasks; it is enough to
oops once during task exit, for example in a file_operations::release
handler.)

Fixes: 7f80a2fd7db9 ("exit: Stop poorly open coding do_task_dead in make_task_dead")
Cc: stable@kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/exit.c |    1 +
 1 file changed, 1 insertion(+)

--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -981,6 +981,7 @@ void __noreturn make_task_dead(int signr
 		futex_exit_recursive(tsk);
 		tsk->exit_state = EXIT_DEAD;
 		refcount_inc(&tsk->rcu_users);
+		preempt_disable();
 		do_task_dead();
 	}
 
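Review bot: the bare `preempt_disable();` inserted before do_task_dead() has no matching enable and reads as unbalanced without context. A short comment stating that do_task_dead() must be entered with preemption disabled and never returns (the reason given in the commit message) would stop a future reader from "fixing" it by adding a preempt_enable() or moving the call.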




* [PATCH 6.6 184/474] wifi: mt76: mt7921: fix a potential clc buffer length underflow
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (182 preceding siblings ...)
  2026-05-15 15:44 ` [PATCH 6.6 183/474] exit: prevent preemption of oopsing TASK_DEAD task Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
  2026-05-15 15:44 ` [PATCH 6.6 185/474] wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work Greg Kroah-Hartman
                   ` (290 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Leon Yen, Ming Yen Hsieh,
	Felix Fietkau

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Leon Yen <leon.yen@mediatek.com>

commit 5373f8b19e568b5c217832b9bbef165bd2b2df14 upstream.

The buf_len is used to limit the iterations for retrieving the country
power setting and may underflow under certain conditions due to changes
in the power table in CLC.

This underflow leads to an almost infinite loop or an invalid power
setting resulting in driver initialization failure.

Cc: stable@vger.kernel.org
Fixes: fa6ad88e023d ("wifi: mt76: mt7921: fix country count limitation for CLC")
Signed-off-by: Leon Yen <leon.yen@mediatek.com>
Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
Link: https://patch.msgid.link/20251009020158.1923429-1-mingyen.hsieh@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/mediatek/mt76/mt7921/mcu.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
@@ -1155,6 +1155,9 @@ int __mt7921_mcu_set_clc(struct mt792x_d
 		u16 len = le16_to_cpu(rule->len);
 		u16 offset = len + sizeof(*rule);
 
+		if (buf_len < offset)
+			break;
+
 		pos += offset;
 		buf_len -= offset;
 		if (rule->alpha2[0] != alpha2[0] ||
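Review bot: the new `if (buf_len < offset) break;` stops the `buf_len -= offset` underflow, but `offset` is itself a u16 computed as `len + sizeof(*rule)`, so a `len` close to 0xffff wraps to a small offset, passes the check, and advances `pos` by less than the rule actually occupies. Computing `offset` as u32, or checking `buf_len >= sizeof(*rule)` and then `len <= buf_len - sizeof(*rule)` before the subtraction, closes that case as well.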




* [PATCH 6.6 185/474] wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (183 preceding siblings ...)
  2026-05-15 15:44 ` [PATCH 6.6 184/474] wifi: mt76: mt7921: fix a potential clc buffer length underflow Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
  2026-05-15 15:44 ` [PATCH 6.6 186/474] wifi: b43legacy: enforce bounds check on firmware key index in RX path Greg Kroah-Hartman
                   ` (289 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Quan Zhou, Sean Wang, Felix Fietkau

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Quan Zhou <quan.zhou@mediatek.com>

commit fdfa39f9f4fbae532b162da913a67b2410caf38f upstream.

The mt7921_set_roc API may be executed concurrently with mt7921_roc_work,
specifically between the following code paths:

- The check and clear of MT76_STATE_ROC in mt7921_roc_work:
    if (!test_and_clear_bit(MT76_STATE_ROC, &phy->mt76->state))
        return;

- The execution of ieee80211_iterate_active_interfaces.

This race condition can interrupt the ROC abort flow, resulting in
the ROC process failing to abort as expected.

To address this defect, the modification of MT76_STATE_ROC is now
protected by mt792x_mutex_acquire(phy->dev). This ensures that
changes to the ROC state are properly synchronized, preventing
race conditions and ensuring the ROC abort flow is not interrupted.

Fixes: 034ae28b56f1 ("wifi: mt76: mt7921: introduce remain_on_channel support")
Cc: stable@vger.kernel.org
Signed-off-by: Quan Zhou <quan.zhou@mediatek.com>
Reviewed-by: Sean Wang <sean.wang@mediatek.com>
Link: https://patch.msgid.link/2568ece8b557e5dda79391414c834ef3233049b6.1769133724.git.quan.zhou@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/mediatek/mt76/mt7921/main.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
@@ -361,10 +361,11 @@ void mt7921_roc_work(struct work_struct
 	phy = (struct mt792x_phy *)container_of(work, struct mt792x_phy,
 						roc_work);
 
-	if (!test_and_clear_bit(MT76_STATE_ROC, &phy->mt76->state))
-		return;
-
 	mt792x_mutex_acquire(phy->dev);
+	if (!test_and_clear_bit(MT76_STATE_ROC, &phy->mt76->state)) {
+		mt792x_mutex_release(phy->dev);
+		return;
+	}
 	ieee80211_iterate_active_interfaces(phy->mt76->hw,
 					    IEEE80211_IFACE_ITER_RESUME_ALL,
 					    mt7921_roc_iter, phy);
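Review bot: the early-return path now releases the mutex before returning, which is correct, but this hunk only moves the clearing side under mt792x_mutex_acquire(); the race described in the commit message is closed only if mt7921_set_roc() also sets and tests MT76_STATE_ROC while holding the same mutex, and that side is not in the diff. Worth stating in the commit message that mt7921_set_roc() already runs under the mutex, or including that hunk.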




* [PATCH 6.6 186/474] wifi: b43legacy: enforce bounds check on firmware key index in RX path
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (184 preceding siblings ...)
  2026-05-15 15:44 ` [PATCH 6.6 185/474] wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
  2026-05-15 15:44 ` [PATCH 6.6 187/474] wifi: mac80211: drop stray static from fast-RX rx_result Greg Kroah-Hartman
                   ` (288 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Tristan Madani, Johannes Berg

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tristan Madani <tristan@talencesecurity.com>

commit a035766f970bde2d4298346a31a80685be5c0205 upstream.

Same fix as b43: the firmware-controlled key index in b43legacy_rx()
can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is
non-enforcing in production builds, allowing an out-of-bounds read of
dev->key[].

Make the check enforcing by dropping the frame for invalid indices.

Fixes: 75388acd0cd8 ("[B43LEGACY]: add mac80211-based driver for legacy BCM43xx devices")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
Link: https://patch.msgid.link/20260417111145.2694196-2-tristmd@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/broadcom/b43legacy/xmit.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/wireless/broadcom/b43legacy/xmit.c
+++ b/drivers/net/wireless/broadcom/b43legacy/xmit.c
@@ -476,7 +476,8 @@ void b43legacy_rx(struct b43legacy_wldev
 		 * key index, but the ucode passed it slightly different.
 		 */
 		keyidx = b43legacy_kidx_to_raw(dev, keyidx);
-		B43legacy_WARN_ON(keyidx >= dev->max_nr_keys);
+		if (B43legacy_WARN_ON(keyidx >= dev->max_nr_keys))
+			goto drop;
 
 		if (dev->key[keyidx].algorithm != B43legacy_SEC_ALGO_NONE) {
 			/* Remove PROTECTED flag to mark it as decrypted. */
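Review bot: using `B43legacy_WARN_ON(...)` as the condition of an `if` requires the macro to evaluate to the tested expression, as WARN_ON() does; if the driver's variant is a statement-like macro this will not compile, so please confirm before merging. Since the bad index is now handled by dropping the frame, a once-only or rate-limited warning would also avoid a splat per received frame if firmware keeps reporting out-of-range indices; and the `drop:` label the new `goto drop;` targets must exist in b43legacy_rx(), which the context shown here does not establish.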




* [PATCH 6.6 187/474] wifi: mac80211: drop stray static from fast-RX rx_result
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (185 preceding siblings ...)
  2026-05-15 15:44 ` [PATCH 6.6 186/474] wifi: b43legacy: enforce bounds check on firmware key index in RX path Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
  2026-05-15 15:44 ` [PATCH 6.6 188/474] wifi: rsi: fix kthread lifetime race between self-exit and external-stop Greg Kroah-Hartman
                   ` (287 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Catherine, Johannes Berg

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Catherine <enderaoelyther@gmail.com>

commit 7a5b81e0c87a075afd572f659d8eb68c9c4cd2ba upstream.

ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but
its per-invocation rx_result is declared static. Concurrent callers then
share one instance and can overwrite each other's result between
ieee80211_rx_mesh_data() and the switch on res.

That can make a packet that was queued or consumed by
ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make
a packet that should continue return as queued.

Make res an automatic variable so each invocation keeps its own result.

Fixes: 3468e1e0c639 ("wifi: mac80211: add mesh fast-rx support")
Cc: stable@vger.kernel.org
Signed-off-by: Catherine <enderaoelyther@gmail.com>
Link: https://patch.msgid.link/20260424131435.83212-2-enderaoelyther@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mac80211/rx.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -4820,7 +4820,7 @@ static bool ieee80211_invoke_fast_rx(str
 	struct sk_buff *skb = rx->skb;
 	struct ieee80211_hdr *hdr = (void *)skb->data;
 	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
-	static ieee80211_rx_result res;
+	ieee80211_rx_result res;
 	int orig_len = skb->len;
 	int hdrlen = ieee80211_hdrlen(hdr->frame_control);
 	int snap_offs = hdrlen;
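Review bot: making `res` automatic removes the shared-state bug, but `ieee80211_rx_result res;` is now uninitialized; if any path reaches the `switch` on res mentioned in the commit message without ieee80211_rx_mesh_data() having assigned it, that is a read of an indeterminate value rather than a stale one. Initialising it (`ieee80211_rx_result res = RX_CONTINUE;`) costs nothing and keeps -Wmaybe-uninitialized quiet.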




* [PATCH 6.6 188/474] wifi: rsi: fix kthread lifetime race between self-exit and external-stop
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (186 preceding siblings ...)
  2026-05-15 15:44 ` [PATCH 6.6 187/474] wifi: mac80211: drop stray static from fast-RX rx_result Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
  2026-05-15 15:44 ` [PATCH 6.6 189/474] wifi: ath5k: do not access array OOB Greg Kroah-Hartman
                   ` (286 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+5de83f57cd8531f55596,
	Jeongjun Park, Johannes Berg

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jeongjun Park <aha310510@gmail.com>

commit db57a1aa54ff68669781976e4edb045e09e2b65b upstream.

The RSI driver uses both self-exit (kthread_complete_and_exit) and external stop
(kthread_stop) when killing a kthread. Generally, kthread_stop() is called
first, and in this case no particular issues occur.

However, in rare instances where kthread_complete_and_exit() is called
first and then kthread_stop() is called, a UAF occurs because the kthread
object, which has already exited and been freed, is accessed again.

Therefore, to prevent this with minimal modification, you must remove
kthread_stop() and change the code to wait until the self-exit operation
has completed.

Cc: <stable@vger.kernel.org>
Reported-by: syzbot+5de83f57cd8531f55596@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/69e5d03b.a00a0220.1bd0ca.0064.GAE@google.com/
Fixes: 4c62764d0fc2 ("rsi: improve kernel thread handling to fix kernel panic")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Link: https://patch.msgid.link/20260422173846.37640-1-aha310510@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/rsi/rsi_common.h |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/net/wireless/rsi/rsi_common.h
+++ b/drivers/net/wireless/rsi/rsi_common.h
@@ -70,12 +70,11 @@ static inline int rsi_create_kthread(str
 	return 0;
 }
 
-static inline int rsi_kill_thread(struct rsi_thread *handle)
+static inline void rsi_kill_thread(struct rsi_thread *handle)
 {
 	atomic_inc(&handle->thread_done);
 	rsi_set_event(&handle->event);
-
-	return kthread_stop(handle->task);
+	wait_for_completion(&handle->completion);
 }
 
 void rsi_mac80211_detach(struct rsi_hw *hw);
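Review bot: changing rsi_kill_thread() from `int` to `void` means any caller that used its return value must be updated, and none are in this diff. The new `wait_for_completion(&handle->completion)` also assumes that `handle->completion` is initialised in rsi_create_kthread() and completed by the thread's self-exit path, and that every thread function honours `thread_done` so the wait cannot hang; neither is visible here, so a pointer to where that happens would help review. If it is not already, <linux/completion.h> should be included by this header.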




* [PATCH 6.6 189/474] wifi: ath5k: do not access array OOB
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (187 preceding siblings ...)
  2026-05-15 15:44 ` [PATCH 6.6 188/474] wifi: rsi: fix kthread lifetime race between self-exit and external-stop Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
  2026-05-15 15:44 ` [PATCH 6.6 190/474] wifi: mac80211: remove station if connection prep fails Greg Kroah-Hartman
                   ` (285 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jiri Slaby (SUSE), Vincent Danjean,
	Jeff Johnson

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Slaby (SUSE) <jirislaby@kernel.org>

commit d748603f12baff112caa3ab7d39f50100f010dbd upstream.

Vincent reports:
> The ath5k driver seems to do an array-index-out-of-bounds access as
> shown by the UBSAN kernel message:
> UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20
> index 4 is out of range for type 'ieee80211_tx_rate [4]'
> ...
> Call Trace:
>  <TASK>
>  dump_stack_lvl+0x5d/0x80
>  ubsan_epilogue+0x5/0x2b
>  __ubsan_handle_out_of_bounds.cold+0x46/0x4b
>  ath5k_tasklet_tx+0x4e0/0x560 [ath5k]
>  tasklet_action_common+0xb5/0x1c0

It is real. 'ts->ts_final_idx' can be 3 on 5212, so:
   info->status.rates[ts->ts_final_idx + 1].idx = -1;
with the array defined as:
   struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES];
while the size is:
   #define IEEE80211_TX_MAX_RATES  4
is indeed bogus.

Set this 'idx = -1' sentinel only if the array index is less than the
array size, as mac80211 will not look at rates beyond the size
(IEEE80211_TX_MAX_RATES).

Note: The effect of the OOB write is negligible. It just overwrites the
next member of info->status, i.e. ack_signal.

Signed-off-by: Jiri Slaby (SUSE) <jirislaby@kernel.org>
Reported-by: Vincent Danjean <vdanjean@debian.org>
Link: https://lore.kernel.org/all/aQYUkIaT87ccDCin@eldamar.lan
Closes: https://bugs.debian.org/1119093
Fixes: 6d7b97b23e11 ("ath5k: fix tx status reporting issues")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251209100459.2253198-1-jirislaby@kernel.org
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/ath/ath5k/base.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/wireless/ath/ath5k/base.c
+++ b/drivers/net/wireless/ath/ath5k/base.c
@@ -1738,7 +1738,8 @@ ath5k_tx_frame_completed(struct ath5k_hw
 	}
 
 	info->status.rates[ts->ts_final_idx].count = ts->ts_final_retry;
-	info->status.rates[ts->ts_final_idx + 1].idx = -1;
+	if (ts->ts_final_idx + 1 < IEEE80211_TX_MAX_RATES)
+		info->status.rates[ts->ts_final_idx + 1].idx = -1;
 
 	if (unlikely(ts->ts_status)) {
 		ah->stats.ack_fail++;
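Review bot: the guard `ts->ts_final_idx + 1 < IEEE80211_TX_MAX_RATES` fixes the sentinel write, but the line just above it, `info->status.rates[ts->ts_final_idx].count = ts->ts_final_retry;`, still indexes with the unchecked `ts_final_idx`. The commit message says the hardware reports at most 3 on 5212; a brief comment recording that bound, or a single check of `ts_final_idx` before both uses, would make the invariant explicit rather than implied.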




* [PATCH 6.6 190/474] wifi: mac80211: remove station if connection prep fails
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (188 preceding siblings ...)
  2026-05-15 15:44 ` [PATCH 6.6 189/474] wifi: ath5k: do not access array OOB Greg Kroah-Hartman
@ 2026-05-15 15:44 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 191/474] wifi: b43: enforce bounds check on firmware key index in b43_rx() Greg Kroah-Hartman
                   ` (284 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:44 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Miriam Rachel Korenblit,
	Johannes Berg

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johannes Berg <johannes.berg@intel.com>

commit 283fc9e44ff5b5ac967439b4951b80bd4299f4e4 upstream.

If connection preparation fails for MLO connections, then the
interface is completely reset to non-MLD. In this case, we must
not keep the station since it's related to the link of the vif
being removed. Delete an existing station. Any "new_sta" is
already being removed, so that doesn't need changes.

This fixes a use-after-free/double-free in debugfs if that's
enabled, because a vif going from MLD (and to MLD, but that's
not relevant here) recreates its entire debugfs.

Cc: stable@vger.kernel.org
Fixes: 81151ce462e5 ("wifi: mac80211: support MLO authentication/association with one link")
Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20260505151533.c4e52deb06ad.Iafe56cec7de8512626169496b134bce3a6c17010@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mac80211/mlme.c |    9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -6940,7 +6940,7 @@ static int ieee80211_prep_connection(str
 	struct ieee80211_bss *bss = (void *)cbss->priv;
 	struct sta_info *new_sta = NULL;
 	struct ieee80211_link_data *link;
-	bool have_sta = false;
+	struct sta_info *have_sta = NULL;
 	bool mlo;
 	int err;
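Review bot: turning `have_sta` into a `struct sta_info *` that is kept until the error label means the pointer now outlives the RCU read section it used to be fetched under. A short comment next to the declaration naming the lock that keeps the station alive for the whole of ieee80211_prep_connection() would make that lifetime rule visible, since nothing in the function body shown here states it.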
 
@@ -6978,11 +6978,8 @@ static int ieee80211_prep_connection(str
 		goto out_err;
 	}
 
-	if (assoc) {
-		rcu_read_lock();
+	if (assoc)
 		have_sta = sta_info_get(sdata, ap_mld_addr);
-		rcu_read_unlock();
-	}
 
 	if (!have_sta) {
 		if (mlo)
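Review bot: the rcu_read_lock()/rcu_read_unlock() pair around sta_info_get() is removed so that the result can be used after the lookup, but this hunk does not show what protects the lookup instead. Please state (ideally in a comment on the `have_sta = sta_info_get(sdata, ap_mld_addr);` line) which lock held by the caller prevents the station from being freed between here and `out_err`; the 6.6 tree's station locking differs from the upstream tree the patch was written against, so this is the line a backport reviewer most needs to see justified.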
@@ -7106,6 +7103,8 @@ static int ieee80211_prep_connection(str
 out_release_chan:
 	ieee80211_link_release_channel(link);
 out_err:
+	if (mlo && have_sta)
+		WARN_ON(__sta_info_destroy(have_sta));
 	ieee80211_vif_set_links(sdata, 0, 0);
 	return err;
 }
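Review bot: `__sta_info_destroy()` is the double-underscore, caller-holds-the-lock variant, and nothing in this hunk takes a lock before calling it. Please confirm that every path reaching `out_err` in the 6.6 backport already holds the station mutex that variant expects, or switch to `sta_info_destroy_addr()`, which takes it internally. Also `WARN_ON(__sta_info_destroy(have_sta))` discards the error code; if destroy can fail here, logging the value would make the warning actionable.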



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 191/474] wifi: b43: enforce bounds check on firmware key index in b43_rx()
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (189 preceding siblings ...)
  2026-05-15 15:44 ` [PATCH 6.6 190/474] wifi: mac80211: remove station if connection prep fails Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 192/474] wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task Greg Kroah-Hartman
                   ` (283 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jonas Gorski, Michael Büsch,
	Tristan Madani, Johannes Berg

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tristan Madani <tristan@talencesecurity.com>

commit 1f4f78bf8549e6ac4f04fba4176854f3a6e0c332 upstream.

The firmware-controlled key index in b43_rx() can exceed the dev->key[]
array size (58 entries). The existing B43_WARN_ON is non-enforcing in
production builds, allowing an out-of-bounds read.

Make the B43_WARN_ON check enforcing by dropping the frame when the
firmware returns an invalid key index.

Suggested-by: Jonas Gorski <jonas.gorski@gmail.com>
Acked-by: Michael Büsch <m@bues.ch>
Fixes: e4d6b7951812 ("[B43]: add mac80211-based driver for modern BCM43xx devices")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
Link: https://patch.msgid.link/20260417111145.2694196-1-tristmd@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/broadcom/b43/xmit.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/wireless/broadcom/b43/xmit.c
+++ b/drivers/net/wireless/broadcom/b43/xmit.c
@@ -702,7 +702,8 @@ void b43_rx(struct b43_wldev *dev, struc
 		 * key index, but the ucode passed it slightly different.
 		 */
 		keyidx = b43_kidx_to_raw(dev, keyidx);
-		B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key));
+		if (B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key)))
+			goto drop;
 
 		if (dev->key[keyidx].algorithm != B43_SEC_ALGO_NONE) {
 			wlhdr_len = ieee80211_hdrlen(fctl);
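Review bot: the drop now hinges on `B43_WARN_ON()` evaluating to its condition in every build, including with B43_DEBUG off. Because the macro reads like a pure assertion, a one-line comment at `if (B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key)))` saying that it returns the tested value would stop a future cleanup from turning the check back into a no-op. Worth confirming as well that the `drop` label accounts the frame the same way the other early exits in b43_rx() do, since the hunk does not show it.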



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 192/474] wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (190 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 191/474] wifi: b43: enforce bounds check on firmware key index in b43_rx() Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 193/474] usb: usblp: fix heap leak in IEEE 1284 device ID via short response Greg Kroah-Hartman
                   ` (282 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Marek Szyprowski, Arend van Spriel,
	Johannes Berg

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marek Szyprowski <m.szyprowski@samsung.com>

commit c623b63580880cc742255eaed3d79804c1b91143 upstream.

Watchdog task might end between send_sig() and kthread_stop() calls, which
results in a use-after-free. Fix this by increasing the watchdog task
reference count before calling send_sig() and dropping it by switching to
kthread_stop_put().

Cc: stable@vger.kernel.org
Fixes: 373c83a801f1 ("brcmfmac: stop watchdog before detach and free everything")
Fixes: a9ffda88be74 ("brcm80211: fmac: abstract bus_stop interface function pointer")
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Link: https://patch.msgid.link/20260416093339.2066829-1-m.szyprowski@samsung.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
@@ -2475,8 +2475,9 @@ static void brcmf_sdio_bus_stop(struct d
 	brcmf_dbg(TRACE, "Enter\n");
 
 	if (bus->watchdog_tsk) {
+		get_task_struct(bus->watchdog_tsk);
 		send_sig(SIGTERM, bus->watchdog_tsk, 1);
-		kthread_stop(bus->watchdog_tsk);
+		kthread_stop_put(bus->watchdog_tsk);
 		bus->watchdog_tsk = NULL;
 	}
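Review bot: the sequence get_task_struct()/send_sig()/kthread_stop_put()/`bus->watchdog_tsk = NULL` is now duplicated verbatim between brcmf_sdio_bus_stop() and brcmf_sdio_remove(). A small `brcmf_sdio_stop_watchdog(bus)` helper would keep the two in step and is the natural place for a comment explaining why the extra reference is needed: the thread may exit on SIGTERM before kthread_stop() ever sees it, which is the bug being fixed, and without that comment the `get_task_struct()` looks redundant next to kthread_stop_put().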
 
@@ -4557,8 +4558,9 @@ void brcmf_sdio_remove(struct brcmf_sdio
 	if (bus) {
 		/* Stop watchdog task */
 		if (bus->watchdog_tsk) {
+			get_task_struct(bus->watchdog_tsk);
 			send_sig(SIGTERM, bus->watchdog_tsk, 1);
-			kthread_stop(bus->watchdog_tsk);
+			kthread_stop_put(bus->watchdog_tsk);
 			bus->watchdog_tsk = NULL;
 		}
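Review bot: same four-line sequence as in brcmf_sdio_bus_stop() above; if a shared helper is not wanted, at least extend the `/* Stop watchdog task */` comment here so both copies say the same thing about the reference being taken for the SIGTERM-exit race.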
 



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 193/474] usb: usblp: fix heap leak in IEEE 1284 device ID via short response
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (191 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 192/474] wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 194/474] usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl Greg Kroah-Hartman
                   ` (281 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Pete Zaitcev, stable

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7a400c6fe3617e31e690e3f7ca37bb335e0498f3 upstream.

usblp_ctrl_msg() collapses the usb_control_msg() return value to
0/-errno, discarding the actual number of bytes transferred.  A broken
printer can complete the GET_DEVICE_ID control transfer short and the
driver has no way to know.

usblp_cache_device_id_string() reads the 2-byte big-endian length prefix
from the response and trusts it (clamped only to the buffer bounds).
The buffer is kmalloc(1024) at probe time. A device that sends exactly
two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves
device_id_string[2..1022] holding stale kmalloc heap.

That stale data is then exposed:
  - via the ieee1284_id sysfs attribute (sprintf("%s", buf+2), truncated
    at the first NUL in the stale heap), and
  - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full
    claimed length regardless of NULs, up to 1021 bytes of uninitialized
    heap, with the leak size chosen by the device.

Fix this up by just zapping the buffer with zeros before each request
sent to the device.

Cc: Pete Zaitcev <zaitcev@redhat.com>
Assisted-by: gkh_clanker_t1000
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/2026042002-unicorn-greedily-3c63@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/class/usblp.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/class/usblp.c
+++ b/drivers/usb/class/usblp.c
@@ -1365,6 +1365,7 @@ static int usblp_cache_device_id_string(
 {
 	int err, length;
 
+	memset(usblp->device_id_string, 0, USBLP_DEVICE_ID_SIZE);
 	err = usblp_get_id(usblp, 0, usblp->device_id_string, USBLP_DEVICE_ID_SIZE - 1);
 	if (err < 0) {
 		dev_dbg(&usblp->intf->dev,
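Review bot: the memset() makes a short response read back as zeros, which closes the disclosure, but the parser after this line still takes the 2-byte length prefix at face value: with the `03 ff` response from the commit message the ioctl now returns 1021 zero bytes as if they were the device ID. Since usblp_ctrl_msg() collapses the transfer count (per the commit message), a follow-up that returns the actual byte count and clamps `length` to it would let the driver reject the short transfer instead of reporting padding as data. Minor: the memset covers USBLP_DEVICE_ID_SIZE while only USBLP_DEVICE_ID_SIZE - 1 is requested; a comment that the last byte is kept as the terminator for the sysfs string would explain the asymmetry.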



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 194/474] usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (192 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 193/474] usb: usblp: fix heap leak in IEEE 1284 device ID via short response Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 195/474] ALSA: usb-audio: midi2: Restart output URBs on resume Greg Kroah-Hartman
                   ` (280 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Pete Zaitcev, stable

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b38e53cbfb9d84732e5984fbd73e128d592415c5 upstream.

Just like in a previous problem in this driver, usblp_ctrl_msg() will
collapse the usb_control_msg() return value to 0/-errno, discarding the
actual number of bytes transferred.

Ideally that short command should be detected and error out, but many
printers are known to send "incorrect" responses back so we can't just
do that.

statusbuf is kmalloc(8) at probe time and never filled before the first
LPGETSTATUS ioctl.

usblp_read_status() requests 1 byte. If a malicious printer responds
with zero bytes, *statusbuf is one byte of stale kmalloc heap,
sign-extended into the local int status, which the LPGETSTATUS path then
copy_to_user()s directly to the ioctl caller.

Fix this all by just zapping out the memory buffer when allocated at
probe time.  If a later call does a short read, the data will be
identical to what the device sent it the last time, so there is no
"leak" of information happening.

Cc: Pete Zaitcev <zaitcev@redhat.com>
Assisted-by: gkh_clanker_t1000
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/2026042011-shredder-savage-48c6@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/class/usblp.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/class/usblp.c
+++ b/drivers/usb/class/usblp.c
@@ -1166,7 +1166,7 @@ static int usblp_probe(struct usb_interf
 	}
 
 	/* Allocate buffer for printer status */
-	usblp->statusbuf = kmalloc(STATUS_BUF_SIZE, GFP_KERNEL);
+	usblp->statusbuf = kzalloc(STATUS_BUF_SIZE, GFP_KERNEL);
 	if (!usblp->statusbuf) {
 		retval = -ENOMEM;
 		goto abort;
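Review bot: kzalloc() only covers the window before the first successful status read; after that a zero-byte response silently returns the previous status as if it were current, which the commit message accepts. That reasoning should live in a comment next to the allocation, because the change from kmalloc() to kzalloc() otherwise looks cosmetic and invites being "optimised" back. It is also worth a sentence that a first short read now reports a status of 0 to the ioctl caller rather than an error, since userspace cannot distinguish that from a real status byte.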



^ permalink raw reply	[flat|nested] 476+ messages in thread
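The two usblp patches above (193 and 194) describe the same failure shape: a device-chosen short control transfer leaves a reused kernel buffer partly unwritten, and whatever the buffer held before is then copied to userspace. The following added example, written for this page and not taken from the usblp driver, models both paths in C so the size of the disclosure can be measured. The "heap" is a constructed byte pattern, the control transfer is a memcpy that returns the count the real usblp_ctrl_msg() throws away, the length-prefix parsing and the sign extension follow the commit messages' descriptions, and the 0x18 status byte is a constructed value; none of it is the driver's own code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USBLP_DEVICE_ID_SIZE 1024 /* as in the commit message: kmalloc(1024) */
#define STATUS_BUF_SIZE 8
#define STALE 0xA5                /* constructed stand-in for recycled heap bytes */

/* A control transfer the device may complete short: copies up to `resp_len`
 * bytes of the device's answer and returns the count actually transferred,
 * the number usblp_ctrl_msg() currently discards. */
static size_t control_in(uint8_t *buf, size_t max, const uint8_t *resp, size_t resp_len)
{
	size_t n = resp_len < max ? resp_len : max;

	memcpy(buf, resp, n);
	return n;
}

/* GET_DEVICE_ID path as the commit message describes it: read the 2-byte
 * big-endian length prefix and clamp it to the buffer only. Returns the
 * byte count the IOCNR_GET_DEVICE_ID ioctl would copy_to_user(). */
size_t cache_device_id(uint8_t *buf, int zero_first,
		       const uint8_t *resp, size_t resp_len)
{
	size_t length;

	if (zero_first) /* patch 193: zap the buffer before each request */
		memset(buf, 0, USBLP_DEVICE_ID_SIZE);
	control_in(buf, USBLP_DEVICE_ID_SIZE - 1, resp, resp_len);
	length = ((size_t)buf[0] << 8) | buf[1];
	if (length > USBLP_DEVICE_ID_SIZE - 1)
		length = USBLP_DEVICE_ID_SIZE - 1;
	return length;
}

/* How many of the bytes handed to userspace still carry the heap marker. */
size_t stale_bytes(const uint8_t *p, size_t n)
{
	size_t i, stale = 0;

	for (i = 0; i < n; i++)
		stale += (p[i] == STALE);
	return stale;
}

/* Device answers the ID request with exactly two bytes claiming a 1023-byte
 * string. Returns the number of never-written heap bytes the ioctl exposes. */
size_t id_leak_bytes(int zero_first)
{
	uint8_t buf[USBLP_DEVICE_ID_SIZE];
	static const uint8_t short_resp[2] = { 0x03, 0xFF }; /* constructed */
	size_t length;

	memset(buf, STALE, sizeof(buf)); /* buffer as it comes back from the slab */
	length = cache_device_id(buf, zero_first, short_resp, sizeof(short_resp));
	return stale_bytes(buf + 2, length - 2);
}

/* LPGETSTATUS path: one byte requested; a zero-byte answer leaves whatever
 * was in statusbuf, sign-extended into int as the commit message describes. */
int read_status(uint8_t *statusbuf, const uint8_t *resp, size_t resp_len)
{
	control_in(statusbuf, 1, resp, resp_len);
	return (int)(int8_t)statusbuf[0];
}

/* First LPGETSTATUS after probe, device sends nothing back. */
int first_status_value(int zeroed_alloc)
{
	uint8_t statusbuf[STATUS_BUF_SIZE];
	static const uint8_t nothing[1] = { 0 };

	/* patch 194: kzalloc() instead of kmalloc() at probe time */
	memset(statusbuf, zeroed_alloc ? 0 : STALE, sizeof(statusbuf));
	return read_status(statusbuf, nothing, 0);
}

/* Good read followed by a short one: the "stale" value is the device's own
 * previous answer, which is why patch 194 stops at zeroing the allocation. */
int status_after_good_then_short(void)
{
	uint8_t statusbuf[STATUS_BUF_SIZE] = { 0 };
	static const uint8_t ok[1] = { 0x18 }; /* constructed status byte */
	static const uint8_t nothing[1] = { 0 };

	read_status(statusbuf, ok, sizeof(ok));
	return read_status(statusbuf, nothing, 0);
}

int main(void)
{
	printf("ID leak, kmalloc buffer : %zu bytes of stale heap\n", id_leak_bytes(0));
	printf("ID leak, memset first   : %zu bytes of stale heap\n", id_leak_bytes(1));
	printf("first status, kmalloc   : %d\n", first_status_value(0));
	printf("first status, kzalloc   : %d\n", first_status_value(1));
	printf("status after good+short : 0x%02x\n", status_after_good_then_short());
	return 0;
}
```

The measurement side is the useful part: id_leak_bytes() shows the device, not the driver, picks the size of the disclosure (1021 bytes here), and that zeroing the buffer reduces it to 0 without touching the length handling. The status functions show why the two patches chose different fixes: the ID buffer is refilled on every request, so it must be cleared each time, while the status buffer only ever holds the last device-supplied byte once it has been zeroed at allocation.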

* [PATCH 6.6 195/474] ALSA: usb-audio: midi2: Restart output URBs on resume
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (193 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 194/474] usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 196/474] ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3() Greg Kroah-Hartman
                   ` (279 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

commit f3c57c9c2a49a21d784b7c04a2c883bffc070659 upstream.

USB MIDI 2.0 suspend saves the endpoint running state, clears it and
kills all endpoint URBs. Resume restores the running state, but only
restarts input endpoints.

For a running output endpoint, this leaves the endpoint marked running
with an empty URB queue. Output transfer progress depends on either the
rawmidi trigger path starting the queue or an output completion refilling
it. After suspend there is no completion left, and output data that
remains queued in the raw UMP or legacy rawmidi buffer can stay stalled
until userspace happens to trigger the stream again.

Restore the saved state with atomic accessors, keep input endpoints
restarted as before, and restart output endpoints that were running before
suspend. Clear the saved suspend state after restoring it.

Fixes: ff49d1df79ae ("ALSA: usb-audio: USB MIDI 2.0 UMP support")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260504-usb-midi2-output-resume-v1-1-c089cc8ad3c6@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/usb/midi2.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/sound/usb/midi2.c
+++ b/sound/usb/midi2.c
@@ -234,7 +234,7 @@ static void kill_midi_urbs(struct snd_us
 	if (!ep)
 		return;
 	if (suspending)
-		ep->suspended = ep->running;
+		atomic_set(&ep->suspended, atomic_read(&ep->running));
 	atomic_set(&ep->running, 0);
 	for (i = 0; i < ep->num_urbs; i++) {
 		if (!ep->urbs[i].urb)
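Review bot: `atomic_set(&ep->suspended, atomic_read(&ep->running))` implies `suspended` is already declared as atomic_t, so the old `ep->suspended = ep->running;` was a whole-struct copy that compiled but bypassed the atomic accessors; that is the real defect on this line and deserves a mention in the commit message. Since this hunk relies on the caller having killed or quiesced the URBs first, a comment that `suspended` is only written here and in the resume path would document why a plain atomic_set, not a cmpxchg, is sufficient.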
@@ -1193,10 +1193,11 @@ void snd_usb_midi_v2_suspend_all(struct
 
 static void resume_midi2_endpoint(struct snd_usb_midi2_endpoint *ep)
 {
-	ep->running = ep->suspended;
-	if (ep->direction == STR_IN)
+	atomic_set(&ep->running, atomic_read(&ep->suspended));
+	atomic_set(&ep->suspended, 0);
+
+	if (ep->direction == STR_IN || atomic_read(&ep->running))
 		submit_io_urbs(ep);
-	/* FIXME: does it all? */
 }
 
 void snd_usb_midi_v2_resume_all(struct snd_usb_audio *chip)
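Review bot: the condition `ep->direction == STR_IN || atomic_read(&ep->running)` submits URBs for every input endpoint regardless of its saved state, which keeps the old behaviour as the commit message says, but it leaves `running` at 0 for an IN endpoint that was not running before suspend while its URBs are in flight. If submit_io_urbs() or the completion handler consults `running`, that mismatch is worth either a comment or an explicit `atomic_set(&ep->running, 1)` in the IN case; the removed `/* FIXME: does it all? */` was pointing at exactly this question, so removing it without an answer loses information.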



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 196/474] ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (194 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 195/474] ALSA: usb-audio: midi2: Restart output URBs on resume Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 197/474] ALSA: usb-audio: Fix UAC3 cluster descriptor size check Greg Kroah-Hartman
                   ` (278 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 6e7247d8f5fefeceb0bb9cc80a5388a636b219cd upstream.

convert_chmap_v3() has a loop whose increment is cs_desc->wLength, but we
forgot to validate cs_desc->wLength itself, which may lead to a potential
endless loop with a malformed descriptor.

Add a proper size check to abort the loop for plugging the hole.

Fixes: ecfd41166b72 ("ALSA: usb-audio: Validate UAC3 cluster segment descriptors")
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260427152224.15276-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/usb/stream.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -352,6 +352,8 @@ snd_pcm_chmap_elem *convert_chmap_v3(str
 		if (len < sizeof(*cs_desc))
 			break;
 		cs_len = le16_to_cpu(cs_desc->wLength);
+		if (cs_len < sizeof(*cs_desc))
+			break;
 		if (len < cs_len)
 			break;
 		cs_type = cs_desc->bSegmentType;
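Review bot: the new `cs_len < sizeof(*cs_desc)` check guarantees the loop advances by at least one segment header, but it exits silently. A wLength that small means a malformed descriptor is truncating the device's channel map, and a `usb_audio_dbg()` on this break would make that visible in a bug report instead of surfacing as a wrong channel count. The two consecutive checks could also be folded into one `if (cs_len < sizeof(*cs_desc) || len < cs_len) break;` since both abandon the walk.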



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 197/474] ALSA: usb-audio: Fix UAC3 cluster descriptor size check
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (195 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 196/474] ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3() Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 198/474] USB: omap_udc: DMA: Dont enable burst 4 mode Greg Kroah-Hartman
                   ` (277 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

commit 26265dd69da32d88a88d21987853cec899d9e21f upstream.

The UAC3 cluster descriptor length check in snd_usb_get_audioformat_uac3()
was added to make sure that the buffer is large enough for a struct
uac3_cluster_header_descriptor before the returned data is cast and used.

However, the check uses sizeof(cluster), where cluster is a pointer, not
the size of the descriptor header. This makes the validation depend on the
architecture pointer size and does not match the intended object size.

Check against sizeof(*cluster) instead.

Fixes: fb4e2a6e8f28 ("ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260424-alsa-usb-uac3-cluster-size-v1-1-99a5808898a3@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/usb/stream.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -993,7 +993,7 @@ snd_usb_get_audioformat_uac3(struct snd_
 	 * and request Cluster Descriptor
 	 */
 	wLength = le16_to_cpu(hc_header.wLength);
-	if (wLength < sizeof(cluster))
+	if (wLength < sizeof(*cluster))
 		return NULL;
 	cluster = kzalloc(wLength, GFP_KERNEL);
 	if (!cluster)
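Review bot: `sizeof(*cluster)` is the right bound for casting the header, but `wLength` is the device's claim and it is what `kzalloc(wLength, GFP_KERNEL)` and, presumably, the follow-up request use. Please check that the segment walk done on `cluster` afterwards is bounded by the byte count the control transfer actually returned rather than by `wLength`, otherwise a device that advertises a large wLength and answers short hands zero-filled but still parsed bytes to the chmap conversion. On 32-bit the old `sizeof(cluster)` bound was 4, smaller than the header, which is the architecture dependence the commit message refers to; a `BUILD_BUG_ON`-style note is not needed, but a comment that the bound is the header size would keep the two from being confused again.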



^ permalink raw reply	[flat|nested] 476+ messages in thread
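Patches 196 and 197 above both concern the same parser: the UAC3 cluster header followed by a chain of segments whose wLength drives the loop increment. The added example below, written for this page and not taken from sound/usb/stream.c, walks a constructed descriptor blob and shows both points: a segment wLength of 0 makes the unpatched loop spin (the iteration cap is a harness guard of this example only), and the header bound must be sizeof(*cluster), not sizeof(cluster). The struct layout is modelled on the kernel's uac3_cluster_header_descriptor but its exact field list, the segment type codes and the descriptor bytes are all assumptions of this example; only the header size and the parsing logic matter.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed header layout; only its size is used. Bytes are parsed by hand so
 * nothing here depends on alignment or endianness of the host. */
struct cluster_header {
	uint8_t  bLength, bDescriptorType, bDescriptorSubtype;
	uint16_t wLength;       /* whole cluster, header included */
	uint8_t  bNrChannels;
	uint16_t wClusterID;
} __attribute__((packed));

#define SEG_HDR_LEN 3           /* wLength (2) + bSegmentType (1) */
#define SEG_CHANNEL_INFO 0x01   /* assumed segment type code */

static uint16_t get_le16(const uint8_t *p)
{
	return (uint16_t)(p[0] | (p[1] << 8));
}

/* Patch 197: compare against the header, not the pointer. */
int header_len_ok_buggy(uint16_t wLength)
{
	const struct cluster_header *cluster = NULL;
	return wLength >= sizeof(cluster);  /* pointer size: 4 or 8 */
}

int header_len_ok_fixed(uint16_t wLength)
{
	const struct cluster_header *cluster = NULL;
	return wLength >= sizeof(*cluster);
}

/* Patch 196: walk the segments after the header and count channel-info ones.
 * `reject_short_seg` selects the patched behaviour. The iteration cap is a
 * harness guard only: -1 means the unpatched loop would never terminate. */
int count_channel_segments(const uint8_t *buf, size_t received, int reject_short_seg)
{
	size_t len, pos = sizeof(struct cluster_header);
	int channels = 0, iters = 0;

	if (received < pos || !header_len_ok_fixed(get_le16(buf + 3)))
		return -2;
	len = get_le16(buf + 3);
	if (len > received)             /* trust the transfer, not the claim */
		len = received;
	len -= pos;

	while (len > 0) {
		size_t cs_len;

		if (++iters > 64)
			return -1;
		if (len < SEG_HDR_LEN)
			break;
		cs_len = get_le16(buf + pos);
		if (reject_short_seg && cs_len < SEG_HDR_LEN) /* the added check */
			break;
		if (len < cs_len)
			break;
		if (buf[pos + 2] == SEG_CHANNEL_INFO)
			channels++;
		len -= cs_len;                  /* cs_len == 0: no progress */
		pos += cs_len;
	}
	return channels;
}

/* Emit one segment: le16 length, type, zero padding up to seg_len. */
static void put_seg(uint8_t *out, size_t *n, uint16_t seg_len, uint8_t type)
{
	uint16_t i;

	out[(*n)++] = (uint8_t)(seg_len & 0xff);
	out[(*n)++] = (uint8_t)(seg_len >> 8);
	out[(*n)++] = type;
	for (i = SEG_HDR_LEN; i < seg_len; i++)
		out[(*n)++] = 0;
}

/* Constructed blob: header, two 7-byte channel segments, optionally a segment
 * claiming wLength 0, then a 5-byte non-channel segment. Returns total size. */
size_t build_cluster(uint8_t *out, int with_zero_length_segment)
{
	size_t n = sizeof(struct cluster_header);

	memset(out, 0, n);
	out[0] = (uint8_t)n;
	out[5] = 2;                         /* bNrChannels */
	put_seg(out, &n, 7, SEG_CHANNEL_INFO);
	put_seg(out, &n, 7, SEG_CHANNEL_INFO);
	if (with_zero_length_segment)
		put_seg(out, &n, 0, SEG_CHANNEL_INFO);
	put_seg(out, &n, 5, 0x02);
	out[3] = (uint8_t)(n & 0xff);       /* wLength = bytes actually emitted */
	out[4] = (uint8_t)(n >> 8);
	return n;
}

int main(void)
{
	uint8_t blob[64];
	size_t n = build_cluster(blob, 0);

	printf("well-formed: %d channel segments\n", count_channel_segments(blob, n, 1));
	n = build_cluster(blob, 1);
	printf("zero-length segment: unpatched %d (-1 = endless), patched %d\n",
	       count_channel_segments(blob, n, 0), count_channel_segments(blob, n, 1));
	return 0;
}
```

Two details carry over to the real parser. First, the walk is bounded by `received`, the byte count of the transfer, not by the header's wLength; the kernel hunk in 197 checks the claimed length against the header size, and the bytes actually returned still need their own bound. Second, the patched loop simply stops at the malformed segment, so the trailing segments after it are never seen; that silent truncation is the price of the fix and is why a debug message at that break point is worth having.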

* [PATCH 6.6 198/474] USB: omap_udc: DMA: Dont enable burst 4 mode
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (196 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 197/474] ALSA: usb-audio: Fix UAC3 cluster descriptor size check Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 199/474] USB: serial: option: add Telit Cinterion LE910Cx compositions Greg Kroah-Hartman
                   ` (276 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Aaro Koskinen

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Aaro Koskinen <aaro.koskinen@iki.fi>

commit 3f91484f6c13c434bd573ca6b6779c26adb0ddab upstream.

Commit 65111084c63d7 ("USB: more omap_udc updates (dma and omap1710)")
added a setting for DMA burst 4 mode. But I think this should be undone for
two reasons:

- It breaks DMA on 15xx boards - transfers just silently stall.

- On newer OMAP1 boards, like Nokia 770 (omap1710), there is no measurable
performance impact when testing TCP throughput with g_ether with large
15000 byte MTU size.

It's also worth noting that when the original change was made, the
OMAP_DMA_DATA_BURST_4 handling in arch/arm/plat-omap/dma.c was broken, and
actually resulted in the same as the OMAP_DMA_DATA_BURST_DIS i.e. burst
disabled. This was not fixed until a couple of kernel releases later, in an
unrelated commit 1a8bfa1eb998a ("[ARM] 3142/1: OMAP 2/5: Update files
common to omap1 and omap2").

So based on this it seems there was never really a very good reason to
enable this burst mode in omap_udc, so remove it now to allow 15xx DMA
to work again (it provides 2x throughput compared to PIO mode).

Fixes: 65111084c63d ("[PATCH] USB: more omap_udc updates (dma and omap1710)")
Cc: stable <stable@kernel.org>
Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Link: https://patch.msgid.link/ad06qHLclWHeSGnV@darkstar.musicnaut.iki.fi
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/udc/omap_udc.c |    4 ----
 1 file changed, 4 deletions(-)

--- a/drivers/usb/gadget/udc/omap_udc.c
+++ b/drivers/usb/gadget/udc/omap_udc.c
@@ -734,8 +734,6 @@ static void dma_channel_claim(struct oma
 		if (status == 0) {
 			omap_writew(reg, UDC_TXDMA_CFG);
 			/* EMIFF or SDRC */
-			omap_set_dma_src_burst_mode(ep->lch,
-						OMAP_DMA_DATA_BURST_4);
 			omap_set_dma_src_data_pack(ep->lch, 1);
 			/* TIPB */
 			omap_set_dma_dest_params(ep->lch,
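Review bot: with the burst call gone, the `/* EMIFF or SDRC */` comment now sits over `omap_set_dma_src_data_pack(ep->lch, 1)` alone. The commit message only reports burst mode as the cause of the 15xx stalls, while data packing was enabled by the same original commit; it is worth saying whether packing was tested on 15xx too. A one-line comment here recording that burst mode is deliberately not set (and why) would keep someone from re-adding it as an optimisation later.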
@@ -757,8 +755,6 @@ static void dma_channel_claim(struct oma
 				UDC_DATA_DMA,
 				0, 0);
 			/* EMIFF or SDRC */
-			omap_set_dma_dest_burst_mode(ep->lch,
-						OMAP_DMA_DATA_BURST_4);
 			omap_set_dma_dest_data_pack(ep->lch, 1);
 		}
 	}
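Review bot: this is the RX-direction twin of the TX hunk above; if a comment explaining the deliberate absence of burst mode is added there, mirror it here so the two directions stay consistent.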



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 199/474] USB: serial: option: add Telit Cinterion LE910Cx compositions
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (197 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 198/474] USB: omap_udc: DMA: Dont enable burst 4 mode Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 200/474] usb: ulpi: fix memory leak on ulpi_register() error paths Greg Kroah-Hartman
                   ` (275 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Fabio Porcedda, Johan Hovold

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Fabio Porcedda <fabio.porcedda@gmail.com>

commit 100201d349edd226ca3470c894c92dccc67ee7a8 upstream.

Add the following Telit Cinterion LE910Cx compositions:

0x1251: RNDIS + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (SAP)
T:  Bus=01 Lev=01 Prnt=21 Port=06 Cnt=01 Dev#=108 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1bc7 ProdID=1251 Rev=03.18
S:  Manufacturer=Android
S:  Product=LE910C1-EU
S:  SerialNumber=0123456789ABCDEF
C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
I:  If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=02 Prot=ff Driver=rndis_host
E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
I:  If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
I:  If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=88(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
I:  If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=8a(I) Atr=03(Int.) MxPS=  10 Ivl=32ms

0x1253: ECM + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (SAP)
T:  Bus=01 Lev=01 Prnt=21 Port=06 Cnt=01 Dev#=121 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1bc7 ProdID=1253 Rev=03.18
S:  Manufacturer=Android
S:  Product=LE910C1-EU
S:  SerialNumber=0123456789ABCDEF
C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
I:  If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
E:  Ad=82(I) Atr=03(Int.) MxPS=  16 Ivl=32ms
I:  If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
I:  If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=88(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
I:  If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=8a(I) Atr=03(Int.) MxPS=  10 Ivl=32ms

0x1254: tty (AT) + tty (AT)
T:  Bus=01 Lev=01 Prnt=21 Port=06 Cnt=01 Dev#=122 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1bc7 ProdID=1254 Rev=03.18
S:  Manufacturer=Android
S:  Product=LE910C1-EU
S:  SerialNumber=0123456789ABCDEF
C:  #Ifs= 2 Cfg#= 1 Atr=a0 MxPwr=500mA
I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=82(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms

0x1255: tty (AT/NMEA) + tty (AT) + tty (AT) + tty (SAP)
T:  Bus=01 Lev=01 Prnt=21 Port=06 Cnt=01 Dev#=123 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1bc7 ProdID=1255 Rev=03.18
S:  Manufacturer=Android
S:  Product=LE910C1-EU
S:  SerialNumber=0123456789ABCDEF
C:  #Ifs= 4 Cfg#= 1 Atr=a0 MxPwr=500mA
I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=82(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=88(I) Atr=03(Int.) MxPS=  10 Ivl=32ms

Cc: stable@vger.kernel.org
Signed-off-by: Fabio Porcedda <fabio.porcedda@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/option.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1513,7 +1513,11 @@ static const struct usb_device_id option
 	{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1231, 0xff),	/* Telit LE910Cx (RNDIS) */
 	  .driver_info = NCTRL(2) | RSVD(3) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x1250, 0xff, 0x00, 0x00) },	/* Telit LE910Cx (rmnet) */
+	{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1251, 0xff) },	/* Telit LE910Cx (RNDIS) */
 	{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1252, 0xff) },	/* Telit LE910Cx (MBIM) */
+	{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1253, 0xff) },	/* Telit LE910Cx (ECM) */
+	{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1254, 0xff) },	/* Telit LE910Cx */
+	{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1255, 0xff) },	/* Telit LE910Cx */
 	{ USB_DEVICE(TELIT_VENDOR_ID, 0x1260),
 	  .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) },
 	{ USB_DEVICE(TELIT_VENDOR_ID, 0x1261),
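Review bot: the four new entries carry no `driver_info`, unlike the neighbouring 0x1231 RNDIS entry with `NCTRL(2) | RSVD(3)`. From the listings in the commit message the 0xff class filter already skips the RNDIS/ECM interfaces (class 02/0a), so every vendor-class interface becomes a tty; for 0x1251 and 0x1253 that includes the one labelled SAP, and it is worth stating whether that port is meant to be exposed as a serial device or reserved with RSVD(). For 0x1254 and 0x1255 the trailing comments just say `Telit LE910Cx`; giving the composition in the same style as the other lines (for example `(2 tty)`) helps the next person adding an ID.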



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 200/474] usb: ulpi: fix memory leak on ulpi_register() error paths
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (198 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 199/474] USB: serial: option: add Telit Cinterion LE910Cx compositions Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 201/474] ALSA: firewire-tascam: Do not drop unread control events Greg Kroah-Hartman
                   ` (274 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Felix Gu, Heikki Krogerus

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Felix Gu <ustc.gu@gmail.com>

commit 0b9fcab1b8608d429e5f239afb197de928d4de7d upstream.

Commit 01af542392b5 ("usb: ulpi: fix double free in
ulpi_register_interface() error path") removed kfree(ulpi) from
ulpi_register_interface() to fix a double-free when device_register()
fails.

But when ulpi_of_register() or ulpi_read_id() fail before
device_register() is called, the ulpi allocation is leaked.

Add kfree(ulpi) on both error paths to properly clean up the allocation.

Fixes: 01af542392b5 ("usb: ulpi: fix double free in ulpi_register_interface() error path")
Cc: stable <stable@kernel.org>
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/20260407-ulpi-v1-1-f3fafe53f7b2@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/common/ulpi.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/usb/common/ulpi.c
+++ b/drivers/usb/common/ulpi.c
@@ -286,12 +286,15 @@ static int ulpi_register(struct device *
 	ACPI_COMPANION_SET(&ulpi->dev, ACPI_COMPANION(dev));
 
 	ret = ulpi_of_register(ulpi);
-	if (ret)
+	if (ret) {
+		kfree(ulpi);
 		return ret;
+	}
 
 	ret = ulpi_read_id(ulpi);
 	if (ret) {
 		of_node_put(ulpi->dev.of_node);
+		kfree(ulpi);
 		return ret;
 	}
 
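Review bot: the two new kfree(ulpi) calls differ in whether an of_node_put() precedes them: the ulpi_read_id() failure path drops the of_node reference before freeing, while the ulpi_of_register() failure path frees without a put. That is only correct if ulpi_of_register() releases the node itself on every one of its own error returns, so confirm that in the callee before merging. The order in the second path (of_node_put() before kfree()) is right, since the node pointer lives inside the struct being freed.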




* [PATCH 6.6 201/474] ALSA: firewire-tascam: Do not drop unread control events
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Takashi Sakamoto,
	Cássio Gabriel, Takashi Iwai

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

commit 0749daa8eb5ab90334aaad3b0671efd7150d43b1 upstream.

tscm_hwdep_read_queue() copies as many queued control events as fit in
the userspace buffer. When the buffer is smaller than the current
contiguous queue segment, length is rounded down to the number of bytes
that can be copied.

However, after copying that shortened length, the code advances pull_pos
to the original tail_pos, marking the whole contiguous segment as
consumed. Any events between the copied portion and tail_pos are lost.

Limit tail_pos to the position after the entries actually copied before
updating pull_pos. When the whole segment fits, this is equivalent to the
old tail_pos update; when the buffer is smaller, the remaining events
stay queued for the next read.

Fixes: a8c0d13267a4 ("ALSA: firewire-tascam: notify events of change of state for userspace applications")
Cc: stable@vger.kernel.org
Suggested-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Co-developed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260503-alsa-firewire-tascam-read-queue-v2-1-126c6efd7642@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/firewire/tascam/tascam-hwdep.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/firewire/tascam/tascam-hwdep.c
+++ b/sound/firewire/tascam/tascam-hwdep.c
@@ -73,6 +73,7 @@ static long tscm_hwdep_read_queue(struct
 			length = rounddown(remained, sizeof(*entries));
 		if (length == 0)
 			break;
+		tail_pos = head_pos + length / sizeof(*entries);
 
 		spin_unlock_irq(&tscm->lock);
 		if (copy_to_user(pos, &entries[head_pos], length))
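Review bot: the new `tail_pos = head_pos + length / sizeof(*entries);` assumes length is always a whole number of entries; the rounddown() two lines above guarantees that only for the short-buffer case, so the other branch that sets length (outside this hunk) must also yield a multiple of sizeof(*entries), otherwise tail_pos rounds down and a partially copied entry would be silently dropped. Computing tail_pos before spin_unlock_irq() is the right placement: it is derived from queue state read under the lock, and the later pull_pos update then consumes exactly the entries handed to copy_to_user().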




* [PATCH 6.6 202/474] powerpc/kdump: fix KASAN sanitization flag for core_$(BITS).o
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Venkat Rao Bagalkote,
	Ritesh Harjani (IBM), Mahesh Salgaonkar, Aboorva Devarajan,
	Sourabh Jain, Madhavan Srinivasan

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sourabh Jain <sourabhjain@linux.ibm.com>

commit b3a97f9484080c6e71db9e803e3cc1bb372a9bc7 upstream.

KASAN instrumentation is intended to be disabled for the kexec core
code, but the existing Makefile entry misses the object suffix. As a
result, the flag is not applied correctly to core_$(BITS).o.

So when KASAN is enabled, kexec_copy_flush and copy_segments in
kexec/core_64.c are instrumented, which can result in accesses to
shadow memory via normal address translation paths. Since these run
with the MMU disabled, such accesses may trigger page faults
(bad_page_fault) that cannot be handled in the kdump path, ultimately
causing a hang and preventing the kdump kernel from booting. The same
is true for kexec as well, since the same functions are used there.

Update the entry to include the “.o” suffix so that KASAN
instrumentation is properly disabled for this object file.

Fixes: 2ab2d5794f14 ("powerpc/kasan: Disable address sanitization in kexec paths")
Reported-by: Venkat Rao Bagalkote <venkat88@linux.ibm.com>
Closes: https://lore.kernel.org/all/1dee8891-8bcc-46b4-93f3-fc3a774abd5b@linux.ibm.com/
Cc: stable@vger.kernel.org
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Tested-by: Venkat Rao Bagalkote <venkat88@linux.ibm.com>
Acked-by: Mahesh Salgaonkar <mahesh@linux.ibm.com>
Reviewed-by: Aboorva Devarajan <aboorvad@linux.ibm.com>
Tested-by: Aboorva Devarajan <aboorvad@linux.ibm.com>
Signed-off-by: Sourabh Jain <sourabhjain@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260407124349.1698552-1-sourabhjain@linux.ibm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/kexec/Makefile |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/powerpc/kexec/Makefile
+++ b/arch/powerpc/kexec/Makefile
@@ -14,4 +14,4 @@ GCOV_PROFILE_core_$(BITS).o := n
 KCOV_INSTRUMENT_core_$(BITS).o := n
 UBSAN_SANITIZE_core_$(BITS).o := n
 KASAN_SANITIZE_core.o := n
-KASAN_SANITIZE_core_$(BITS) := n
+KASAN_SANITIZE_core_$(BITS).o := n
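Review bot: the corrected line now matches the three sibling entries (GCOV_PROFILE_, KCOV_INSTRUMENT_, UBSAN_SANITIZE_) that already carry the .o suffix. A missing suffix fails silently because Kbuild never looks up the mis-spelled variable at all, which is why this went unnoticed; worth grepping the other arch Makefiles for the same `_$(BITS) :=` pattern without `.o`, since there is no build-time diagnostic for it.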




* [PATCH 6.6 203/474] xfrm: provide message size for XFRM_MSG_MAPPING
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
	Juefei Pu, Xin Liu, Ruijie Li, Ren Wei, Steffen Klassert

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ruijie Li <ruijieli51@gmail.com>

commit 28465227c80fe417b4013c432be1f3737cb9f9a3 upstream.

The compat 64=>32 translation path handles XFRM_MSG_MAPPING, but
xfrm_msg_min[] does not provide the native payload size for this
message type.

Add the missing XFRM_MSG_MAPPING entry so compat translation can size
and translate mapping notifications correctly.

Fixes: 5461fc0c8d9f ("xfrm/compat: Add 64=>32-bit messages translator")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Ruijie Li <ruijieli51@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/xfrm/xfrm_user.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -3015,6 +3015,7 @@ const int xfrm_msg_min[XFRM_NR_MSGTYPES]
 	[XFRM_MSG_GETSADINFO  - XFRM_MSG_BASE] = sizeof(u32),
 	[XFRM_MSG_NEWSPDINFO  - XFRM_MSG_BASE] = sizeof(u32),
 	[XFRM_MSG_GETSPDINFO  - XFRM_MSG_BASE] = sizeof(u32),
+	[XFRM_MSG_MAPPING     - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_mapping),
 	[XFRM_MSG_SETDEFAULT  - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_default),
 	[XFRM_MSG_GETDEFAULT  - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_default),
 };
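Review bot: a missing entry in xfrm_msg_min[] reads as zero, which is what let the compat translator size a mapping notification as empty; the added row fixes the native side, but the compat-side minimum-size table in xfrm_compat.c needs a matching XFRM_MSG_MAPPING entry as well, because the 64=>32 translator relies on both tables agreeing. Alignment and the XMSGSIZE() form match the neighbouring policy-default rows, so no style issue.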




* [PATCH 6.6 204/474] ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yifan Wu, Juefei Pu,
	Yuan Tan, Xin Liu, Ruide Cao, Yilin Zhu, Ren Wei, Simon Horman,
	Steffen Klassert

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yilin Zhu <zylzyl2333@gmail.com>

commit bc0fcb9823cd0894934cf968b525c575833d7078 upstream.

xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not
already have a dst attached. ip6_route_input_lookup() returns a
referenced dst entry even when the lookup resolves to an error route.

If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching
the dst to the skb and without releasing the reference returned by the
lookup. Repeated packets hitting this path therefore leak dst entries.

Release the dst before jumping to the drop path.

Fixes: 0146dca70b87 ("xfrm: add support for UDPv6 encapsulation of ESP")
Cc: stable@kernel.org
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Ruide Cao <caoruide123@gmail.com>
Signed-off-by: Yilin Zhu <zylzyl2333@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/xfrm6_protocol.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/ipv6/xfrm6_protocol.c
+++ b/net/ipv6/xfrm6_protocol.c
@@ -88,8 +88,10 @@ int xfrm6_rcv_encap(struct sk_buff *skb,
 
 		dst = ip6_route_input_lookup(dev_net(skb->dev), skb->dev, &fl6,
 					     skb, flags);
-		if (dst->error)
+		if (dst->error) {
+			dst_release(dst);
 			goto drop;
+		}
 		skb_dst_set(skb, dst);
 	}
 
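Review bot: dst_release() rather than skb_dst_drop() is the correct call here, because the lookup result was never attached via skb_dst_set() and the skb therefore holds no reference to it; the release must stay before `goto drop`, as the drop label only deals with the skb. The success path still transfers the reference with skb_dst_set(), so there is no double release, and the braces around the now two-statement body follow kernel style.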




* [PATCH 6.6 205/474] selinux: dont reserve xattr slot when we wont fill it
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, David Windsor, Paul Moore

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Windsor <dwindsor@gmail.com>

commit 1e5a8eed7821e7a43a31b4c1b3675a91be6bc6f6 upstream.

Move lsm_get_xattr_slot() below the SBLABEL_MNT check so we don't leave
a NULL-named slot in the array when returning -EOPNOTSUPP; filesystem
initxattrs() callbacks stop iterating at the first NULL ->name, silently
dropping xattrs installed by later LSMs.

Cc: stable@vger.kernel.org
Signed-off-by: David Windsor <dwindsor@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 security/selinux/hooks.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2903,7 +2903,7 @@ static int selinux_inode_init_security(s
 {
 	const struct task_security_struct *tsec = selinux_cred(current_cred());
 	struct superblock_security_struct *sbsec;
-	struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count);
+	struct xattr *xattr;
 	u32 newsid, clen;
 	int rc;
 	char *context;
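Review bot: `xattr` is now declared without an initializer, so any use of it between this declaration and the new assignment in the second hunk (roughly lines 2904 to 2930 of the file) would read an uninitialized pointer; the commit message says the only use is after the SBLABEL_MNT check, which should be verified against the full function, with -Wmaybe-uninitialized as the backstop.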
@@ -2930,6 +2930,7 @@ static int selinux_inode_init_security(s
 	    !(sbsec->flags & SBLABEL_MNT))
 		return -EOPNOTSUPP;
 
+	xattr = lsm_get_xattr_slot(xattrs, xattr_count);
 	if (xattr) {
 		rc = security_sid_to_context_force(newsid,
 						   &context, &clen);
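Review bot: moving lsm_get_xattr_slot() after the `return -EOPNOTSUPP` means SELinux no longer claims a slot it will not fill, which removes the NULL ->name terminator the commit message describes; every other early return between function entry and this call must have the same property, since any slot reserved before a bail-out recreates the problem for the LSMs stacked after SELinux.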




* [PATCH 6.6 206/474] selinux: shrink critical section in sel_write_load()
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Stephen Smalley, Paul Moore

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stephen Smalley <stephen.smalley.work@gmail.com>

commit 868f31e4061eca8c3cd607d79d954d5e54f204aa upstream.

Currently sel_write_load() takes the policy mutex earlier than
necessary. Move the taking of the mutex later. This avoids
holding it unnecessarily across the vmalloc() and copy_from_user()
of the policy data.

Cc: stable@vger.kernel.org
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 security/selinux/selinuxfs.c |   18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -594,34 +594,31 @@ static ssize_t sel_write_load(struct fil
 	if (!count)
 		return -EINVAL;
 
-	mutex_lock(&selinux_state.policy_mutex);
-
 	length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
 			      SECCLASS_SECURITY, SECURITY__LOAD_POLICY, NULL);
 	if (length)
-		goto out;
+		return length;
 
 	data = vmalloc(count);
-	if (!data) {
-		length = -ENOMEM;
-		goto out;
-	}
+	if (!data)
+		return -ENOMEM;
 	if (copy_from_user(data, buf, count) != 0) {
 		length = -EFAULT;
 		goto out;
 	}
 
+	mutex_lock(&selinux_state.policy_mutex);
 	length = security_load_policy(data, count, &load_state);
 	if (length) {
 		pr_warn_ratelimited("SELinux: failed to load policy\n");
-		goto out;
+		goto out_unlock;
 	}
 	fsi = file_inode(file)->i_sb->s_fs_info;
 	length = sel_make_policy_nodes(fsi, load_state.policy);
 	if (length) {
 		pr_warn_ratelimited("SELinux: failed to initialize selinuxfs\n");
 		selinux_policy_cancel(&load_state);
-		goto out;
+		goto out_unlock;
 	}
 
 	selinux_policy_commit(&load_state);
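Review bot: the avc_has_perm() check still precedes vmalloc(count), so an unprivileged writer cannot force a large allocation before being rejected; keep that ordering if this is reworked further. The copy_from_user() failure keeps `goto out`, which with the relabelled epilogue skips mutex_unlock() and only vfree()s, correct because mutex_lock() is now taken on the line just after that block. Running the avc check outside the policy mutex is fine since it depends only on the caller's SID.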
@@ -631,8 +628,9 @@ static ssize_t sel_write_load(struct fil
 		from_kuid(&init_user_ns, audit_get_loginuid(current)),
 		audit_get_sessionid(current));
 
-out:
+out_unlock:
 	mutex_unlock(&selinux_state.policy_mutex);
+out:
 	vfree(data);
 	return length;
 }
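Review bot: `out_unlock:` falls through into `out:`, so every error after mutex_lock() unlocks then frees, while the copy_from_user() error that jumps straight to `out:` frees without unlocking. The two labels are only correct as long as no future `goto out` is added from inside the locked region; a one-line comment above `out:` saying it must be reached without the mutex held would make that explicit.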




* [PATCH 6.6 207/474] selinux: prune /sys/fs/selinux/disable
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Stephen Smalley, Paul Moore

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stephen Smalley <stephen.smalley.work@gmail.com>

commit 19cfa0099024bb9cd40f6d950caa7f47ff8e77f6 upstream.

Commit f22f9aaf6c3d ("selinux: remove the runtime disable
functionality") removed the underlying SELinux runtime disable
functionality but left everything else intact and started logging an
error message to warn any residual users.

Prune it to just log an error message once and to return count
(i.e. all bytes written successfully) to avoid breaking
userspace. This also fixes a local DoS from logspam.

Cc: stable@vger.kernel.org
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 security/selinux/selinuxfs.c |   36 +++++++-----------------------------
 1 file changed, 7 insertions(+), 29 deletions(-)

--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -272,35 +272,13 @@ static ssize_t sel_write_disable(struct
 				 size_t count, loff_t *ppos)
 
 {
-	char *page;
-	ssize_t length;
-	int new_value;
-
-	if (count >= PAGE_SIZE)
-		return -ENOMEM;
-
-	/* No partial writes. */
-	if (*ppos != 0)
-		return -EINVAL;
-
-	page = memdup_user_nul(buf, count);
-	if (IS_ERR(page))
-		return PTR_ERR(page);
-
-	if (sscanf(page, "%d", &new_value) != 1) {
-		length = -EINVAL;
-		goto out;
-	}
-	length = count;
-
-	if (new_value) {
-		pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable\n");
-		pr_err("SELinux: Runtime disable is not supported, use selinux=0 on the kernel cmdline.\n");
-	}
-
-out:
-	kfree(page);
-	return length;
+	/*
+	 * Setting disable is no longer supported, see
+	 * https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable
+	 */
+	pr_err_once("SELinux: %s (%d) wrote to disable. This is no longer supported.\n",
+		    current->comm, current->pid);
+	return count;
 }
 
 static const struct file_operations sel_disable_ops = {
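Review bot: the rewritten handler no longer parses the written value, so a write of "0" (previously silent and accepted) now triggers the one-time pr_err_once() exactly like a write of "1"; the commit message should say so if that is intended. It also drops the `count >= PAGE_SIZE` and `*ppos != 0` checks, which is safe only because nothing is copied from userspace any more. pr_err_once() does resolve the logspam DoS, since repeated writes cannot re-trigger the message.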




* [PATCH 6.6 208/474] Bluetooth: virtio_bt: clamp rx length before skb_put
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Soenke Huster, Michael Bommarito,
	Luiz Augusto von Dentz

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 21bd244b6de5d2fe1063c23acc93fbdd2b20d112 upstream.

virtbt_rx_work() calls skb_put(skb, len) where len comes directly
from virtqueue_get_buf() with no validation against the buffer we
posted to the device. The RX skb is allocated in virtbt_add_inbuf()
and exposed to virtio as exactly 1000 bytes via sg_init_one().

Checking len against skb_tailroom(skb) is not sufficient because
alloc_skb() can leave more tailroom than the 1000 bytes actually
handed to the device. A malicious or buggy backend can therefore
report used.len between 1001 and skb_tailroom(skb), causing skb_put()
to include uninitialized kernel heap bytes that were never written by
the device.

The same path also accepts len == 0, in which case skb_put(skb, 0)
leaves the skb empty but virtbt_rx_handle() still reads the pkt_type
byte from skb->data, consuming uninitialized memory.

Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and
sg_init_one(), and gate virtbt_rx_work() on that same constant so
the bound checked matches the buffer actually exposed to the device.
Reject used.len == 0 in the same gate so an empty completion can
no longer reach virtbt_rx_handle().

Use bt_dev_err_ratelimited() because the length value comes from an
untrusted backend that can otherwise flood the kernel log.

Same class of bug as commit c04db81cd028 ("net/9p: Fix buffer
overflow in USB transport layer"), which hardened the USB 9p
transport against unchecked device-reported length.

Fixes: 160fbcf3bfb9 ("Bluetooth: virtio_bt: Use skb_put to set length")
Cc: stable@vger.kernel.org
Cc: Soenke Huster <soenke.huster@eknoes.de>
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/bluetooth/virtio_bt.c |   16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

--- a/drivers/bluetooth/virtio_bt.c
+++ b/drivers/bluetooth/virtio_bt.c
@@ -12,6 +12,7 @@
 #include <net/bluetooth/hci_core.h>
 
 #define VERSION "0.1"
+#define VIRTBT_RX_BUF_SIZE 1000
 
 enum {
 	VIRTBT_VQ_TX,
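Review bot: a short comment on VIRTBT_RX_BUF_SIZE noting that it is the exact byte count exposed to the device through sg_init_one(), and therefore the only valid upper bound on a used.len, would stop a later change from bumping alloc_skb() alone and silently reopening the gap.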
@@ -33,11 +34,11 @@ static int virtbt_add_inbuf(struct virti
 	struct sk_buff *skb;
 	int err;
 
-	skb = alloc_skb(1000, GFP_KERNEL);
+	skb = alloc_skb(VIRTBT_RX_BUF_SIZE, GFP_KERNEL);
 	if (!skb)
 		return -ENOMEM;
 
-	sg_init_one(sg, skb->data, 1000);
+	sg_init_one(sg, skb->data, VIRTBT_RX_BUF_SIZE);
 
 	err = virtqueue_add_inbuf(vq, sg, 1, skb, GFP_KERNEL);
 	if (err < 0) {
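Review bot: alloc_skb() and sg_init_one() now share VIRTBT_RX_BUF_SIZE, which is what makes the later bound meaningful: alloc_skb() may round the allocation up, but the device only ever sees exactly VIRTBT_RX_BUF_SIZE bytes of skb->data, so that constant, not skb_tailroom(), is the correct limit on a device-reported length.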
@@ -227,8 +228,15 @@ static void virtbt_rx_work(struct work_s
 	if (!skb)
 		return;
 
-	skb_put(skb, len);
-	virtbt_rx_handle(vbt, skb);
+	if (!len || len > VIRTBT_RX_BUF_SIZE) {
+		bt_dev_err_ratelimited(vbt->hdev,
+				       "rx reply len %u outside [1, %u]\n",
+				       len, VIRTBT_RX_BUF_SIZE);
+		kfree_skb(skb);
+	} else {
+		skb_put(skb, len);
+		virtbt_rx_handle(vbt, skb);
+	}
 
 	if (virtbt_add_inbuf(vbt) < 0)
 		return;
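Review bot: bt_dev_err_ratelimited() already appends a newline to its format (the BT_ERR family does), so the trailing `\n` in "rx reply len %u outside [1, %u]\n" prints a blank line after each message; drop it. The logic is right: a rejected completion frees the skb and still falls through to virtbt_add_inbuf() so the RX queue is replenished, and rejecting len == 0 guarantees virtbt_rx_handle() always has at least the pkt_type byte to read.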




* [PATCH 6.6 209/474] Bluetooth: virtio_bt: validate rx pkt_type header length
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Soenke Huster, Michael Bommarito,
	Luiz Augusto von Dentz

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit daf23014e5d975e72ea9c02b5160d3fcf070ea47 upstream.

virtbt_rx_handle() reads the leading pkt_type byte from the RX skb
and forwards the remainder to hci_recv_frame() for every
event/ACL/SCO/ISO type, without checking that the remaining payload
is at least the fixed HCI header for that type.

After the preceding patch bounds the backend-supplied used.len to
[1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches
hci_recv_frame() with skb->len already pulled to 0. If the byte
happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification
fast-path in hci_dev_classify_pkt_type() dereferences
hci_acl_hdr(skb)->handle whenever the HCI device has an active
CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of
uninitialized RX-buffer data. The same hazard exists for every
packet type the driver accepts because none of the switch cases in
virtbt_rx_handle() check skb->len against the per-type minimum HCI
header size before handing the frame to the core.

After stripping pkt_type, require skb->len to cover the fixed
header size for the selected type (event 2, ACL 4, SCO 3, ISO 4)
before calling hci_recv_frame(); drop ratelimited otherwise.
Unknown pkt_type values still take the original kfree_skb() default
path.

Use bt_dev_err_ratelimited() because both the length and pkt_type
values come from an untrusted backend that can otherwise flood the
kernel log.

Fixes: 160fbcf3bfb9 ("Bluetooth: virtio_bt: Use skb_put to set length")
Cc: stable@vger.kernel.org
Cc: Soenke Huster <soenke.huster@eknoes.de>
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/bluetooth/virtio_bt.c |   23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

--- a/drivers/bluetooth/virtio_bt.c
+++ b/drivers/bluetooth/virtio_bt.c
@@ -198,6 +198,7 @@ static int virtbt_shutdown_generic(struc
 
 static void virtbt_rx_handle(struct virtio_bluetooth *vbt, struct sk_buff *skb)
 {
+	size_t min_hdr;
 	__u8 pkt_type;
 
 	pkt_type = *((__u8 *) skb->data);
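Review bot: `size_t min_hdr` is assigned on every path that reaches the later check (the default case returns early), so there is no uninitialized use. The unconditional read `pkt_type = *((__u8 *) skb->data);` on the context line relies on the preceding patch rejecting len == 0, so the two patches must be backported together and in this order.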
@@ -205,16 +206,32 @@ static void virtbt_rx_handle(struct virt
 
 	switch (pkt_type) {
 	case HCI_EVENT_PKT:
+		min_hdr = sizeof(struct hci_event_hdr);
+		break;
 	case HCI_ACLDATA_PKT:
+		min_hdr = sizeof(struct hci_acl_hdr);
+		break;
 	case HCI_SCODATA_PKT:
+		min_hdr = sizeof(struct hci_sco_hdr);
+		break;
 	case HCI_ISODATA_PKT:
-		hci_skb_pkt_type(skb) = pkt_type;
-		hci_recv_frame(vbt->hdev, skb);
+		min_hdr = sizeof(struct hci_iso_hdr);
 		break;
 	default:
 		kfree_skb(skb);
-		break;
+		return;
 	}
+
+	if (skb->len < min_hdr) {
+		bt_dev_err_ratelimited(vbt->hdev,
+				       "rx pkt_type 0x%02x payload %u < hdr %zu\n",
+				       pkt_type, skb->len, min_hdr);
+		kfree_skb(skb);
+		return;
+	}
+
+	hci_skb_pkt_type(skb) = pkt_type;
+	hci_recv_frame(vbt->hdev, skb);
 }
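Review bot: same trailing `\n` issue as the previous patch, bt_dev_err_ratelimited() adds its own newline, so drop it from "rx pkt_type 0x%02x payload %u < hdr %zu\n". The checks cover only the fixed header for each type, not the length field inside it (e.g. the ACL dlen), so hci_recv_frame() and the core still have to validate the payload against that field; that is the existing contract, but a short comment saying so would stop a later reader from assuming the frame is fully validated here. %u for skb->len and %zu for min_hdr are the correct specifiers.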
 
 static void virtbt_rx_work(struct work_struct *work)




* [PATCH 6.6 210/474] Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, ZhiTao Ou, Luiz Augusto von Dentz

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

commit 5ddb8014261137cadaf83ab5617a588d80a22586 upstream.

hci_le_create_big_complete_evt() iterates over BT_BOUND connections for
a BIG handle using a while loop, accessing ev->bis_handle[i++] on each
iteration.  However, there is no check that i stays within ev->num_bis
before the array access.

When a controller sends a LE_Create_BIG_Complete event with fewer
bis_handle entries than there are BT_BOUND connections for that BIG,
or with num_bis=0, the loop reads beyond the valid bis_handle[] flex
array into adjacent heap memory.  Since the out-of-bounds values
typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle()
rejects them and the connection remains in BT_BOUND state.  The same
connection is then found again by hci_conn_hash_lookup_big_state(),
creating an infinite loop with hci_dev_lock held.

Fix this by terminating the BIG in case not all BIS could be set up
properly.

Fixes: a0bfde167b50 ("Bluetooth: ISO: Add support for connecting multiple BISes")
Cc: stable@vger.kernel.org
Signed-off-by: ZhiTao Ou <hkbinbinbin@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/hci_event.c |   27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -6874,9 +6874,29 @@ static void hci_le_create_big_complete_e
 			continue;
 		}
 
+		if (ev->num_bis <= i) {
+			bt_dev_err(hdev,
+				   "Not enough BIS handles for BIG 0x%2.2x",
+				   ev->handle);
+			ev->status = HCI_ERROR_UNSPECIFIED;
+			hci_connect_cfm(conn, ev->status);
+			hci_conn_del(conn);
+			continue;
+		}
+
 		if (hci_conn_set_handle(conn,
-					__le16_to_cpu(ev->bis_handle[i++])))
+					__le16_to_cpu(ev->bis_handle[i++]))) {
+			bt_dev_err(hdev,
+				   "Failed to set BIS handle for BIG 0x%2.2x",
+				   ev->handle);
+			/* Force error so BIG gets terminated as not all BIS
+			 * could be connected.
+			 */
+			ev->status = HCI_ERROR_UNSPECIFIED;
+			hci_connect_cfm(conn, ev->status);
+			hci_conn_del(conn);
 			continue;
+		}
 
 		conn->state = BT_CONNECTED;
 		set_bit(HCI_CONN_BIG_CREATED, &conn->flags);
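Review bot: overwriting ev->status inside the received event buffer to carry an error to the post-loop check is surprising; a local `bool failed` would avoid mutating skb data and read more clearly. The new `ev->num_bis <= i` check is correct and, because i is not incremented on that path, every remaining BT_BOUND connection for the BIG takes the same branch and is deleted, and it is hci_conn_del() removing the conn that guarantees hci_conn_hash_lookup_big_state() does not return it again, which is what ends the infinite loop.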
@@ -6885,7 +6905,10 @@ static void hci_le_create_big_complete_e
 		hci_iso_setup_path(conn);
 	}
 
-	if (!ev->status && !i)
+	/* If there is an unexpected error or if no BISes have been connected
+	 * for the BIG, terminate it.
+	 */
+	if (ev->status == HCI_ERROR_UNSPECIFIED || (!ev->status && !i))
 		/* If no BISes have been connected for the BIG,
 		 * terminate. This is in case all bound connections
 		 * have been closed before the BIG creation
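Review bot: the new comment above the `if` repeats the pre-existing comment inside it ("If no BISes have been connected for the BIG, terminate"), so the two should be merged into one block. The condition itself is right: a status forced to HCI_ERROR_UNSPECIFIED terminates the BIG even when some BISes were connected (i > 0), which the original `!ev->status && !i` test would have missed.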




* [PATCH 6.6 211/474] Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Siwei Zhang,
	Luiz Augusto von Dentz

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Siwei Zhang <oss@fourdim.xyz>

commit 0a120d96166301d7a95be75b52f843837dbd1219 upstream.

Add the same NULL guard already present in
l2cap_sock_resume_cb() and l2cap_sock_ready_cb().

Fixes: 80808e431e1e ("Bluetooth: Add l2cap_chan_ops abstraction")
Cc: stable@kernel.org
Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/l2cap_sock.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1464,6 +1464,9 @@ static struct l2cap_chan *l2cap_sock_new
 {
 	struct sock *sk, *parent = chan->data;
 
+	if (!parent)
+		return NULL;
+
 	lock_sock(parent);
 
 	/* Check for backlog size */
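Review bot: the guard tests the local snapshot `parent` taken from chan->data on the line above, so it covers the case where the parent socket is already gone when the callback runs, but not a clear of chan->data that races with the read itself; if that is possible, the lock protecting chan->data should be held around the read. Returning NULL must also be acceptable to the caller of ->new_connection, which the commit message implies by pointing to the identical guard in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().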




* [PATCH 6.6 212/474] Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (210 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 211/474] Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb() Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 213/474] spi: zynqmp-gqspi: fix controller deregistration Greg Kroah-Hartman
                   ` (262 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Siwei Zhang,
	Luiz Augusto von Dentz

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Siwei Zhang <oss@fourdim.xyz>

commit 2ff1a41a912de8517b4482e946dd951b7d80edbf upstream.

Add the same NULL guard already present in
l2cap_sock_resume_cb() and l2cap_sock_ready_cb().

Fixes: 89bc500e41fc ("Bluetooth: Add state tracking to struct l2cap_chan")
Cc: stable@kernel.org
Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/l2cap_sock.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1627,6 +1627,9 @@ static void l2cap_sock_state_change_cb(s
 {
 	struct sock *sk = chan->data;
 
+	if (!sk)
+		return;
+
 	sk->sk_state = state;
 
 	if (err)
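Review bot: after the new `if (!sk) return;` both the state and err arguments are silently dropped when chan->data is NULL; a short comment explaining why that is acceptable (the socket is already gone, so there is nothing to update or wake) would save the next reader from wondering whether a state change is being lost. As with the other two guards, this reads chan->data unlocked, so it only covers the already-NULL case.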



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 213/474] spi: zynqmp-gqspi: fix controller deregistration
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (211 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 212/474] Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb() Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 214/474] spi: s3c64xx: fix NULL-deref on driver unbind Greg Kroah-Hartman
                   ` (261 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ranjit Waghmode, Johan Hovold,
	Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 6895fc4faafc9082e15e4e624b23dd5f0c98feb5 upstream.

Make sure to deregister the controller before disabling underlying
resources like clocks during driver unbind.

Fixes: dfe11a11d523 ("spi: Add support for Zynq Ultrascale+ MPSoC GQSPI controller")
Cc: stable@vger.kernel.org	# 4.2: 64640f6c972e
Cc: stable@vger.kernel.org	# 4.2
Cc: Ranjit Waghmode <ranjit.waghmode@xilinx.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-26-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-zynqmp-gqspi.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-zynqmp-gqspi.c
+++ b/drivers/spi/spi-zynqmp-gqspi.c
@@ -1324,7 +1324,7 @@ static int zynqmp_qspi_probe(struct plat
 	ctlr->dev.of_node = np;
 	ctlr->auto_runtime_pm = true;
 
-	ret = devm_spi_register_controller(&pdev->dev, ctlr);
+	ret = spi_register_controller(ctlr);
 	if (ret) {
 		dev_err(&pdev->dev, "spi_register_controller failed\n");
 		goto clk_dis_all;
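Review bot: switching from devm_spi_register_controller() to spi_register_controller() means any error path after this point in probe must now call spi_unregister_controller() itself; the visible `goto clk_dis_all` is taken when registration fails, so it is fine, but check the remainder of zynqmp_qspi_probe() for later failure exits. The dev_err() text already names spi_register_controller, so no message change is needed.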
@@ -1365,6 +1365,8 @@ static void zynqmp_qspi_remove(struct pl
 
 	pm_runtime_get_sync(&pdev->dev);
 
+	spi_unregister_controller(xqspi->ctlr);
+
 	zynqmp_gqspi_write(xqspi, GQSPI_EN_OFST, 0x0);
 
 	pm_runtime_disable(&pdev->dev);
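Review bot: the order is right: spi_unregister_controller() drains the queue and any in-flight transfer before GQSPI_EN_OFST is cleared, which is exactly what the devm ordering got wrong. One nit, pre-existing: the return value of pm_runtime_get_sync() is ignored; pm_runtime_resume_and_get() would be the more honest call, but that is out of scope for a stable fix.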



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 214/474] spi: s3c64xx: fix NULL-deref on driver unbind
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (212 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 213/474] spi: zynqmp-gqspi: fix controller deregistration Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 215/474] staging: vme_user: fix root device leak on init failure Greg Kroah-Hartman
                   ` (260 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Adithya K V, Johan Hovold,
	Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 45daacbead8a009844bd5dba6cfa731332184d17 upstream.

A change moving DMA channel allocation from probe() back to
s3c64xx_spi_prepare_transfer() failed to remove the corresponding
deallocation from remove().

Drop the bogus DMA channel release from remove() to avoid triggering a
NULL-pointer dereference on driver unbind.

This issue was flagged by Sashiko when reviewing a controller
deregistration fix.

Fixes: f52b03c70744 ("spi: s3c64xx: requests spi-dma channel only during data transfer")
Cc: stable@vger.kernel.org	# 6.0
Cc: Adithya K V <adithya.kv@samsung.com>
Link: https://sashiko.dev/#/patchset/20260410081757.503099-1-johan%40kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410094925.518343-1-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-s3c64xx.c |    5 -----
 1 file changed, 5 deletions(-)

--- a/drivers/spi/spi-s3c64xx.c
+++ b/drivers/spi/spi-s3c64xx.c
@@ -1338,11 +1338,6 @@ static void s3c64xx_spi_remove(struct pl
 
 	writel(0, sdd->regs + S3C64XX_SPI_INT_EN);
 
-	if (!is_polling(sdd)) {
-		dma_release_channel(sdd->rx_dma.ch);
-		dma_release_channel(sdd->tx_dma.ch);
-	}
-
 	pm_runtime_put_noidle(&pdev->dev);
 	pm_runtime_disable(&pdev->dev);
 	pm_runtime_set_suspended(&pdev->dev);
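Review bot: dropping the dma_release_channel() pair is correct only if nothing can still hold the channels when remove() runs; since they are now requested in s3c64xx_spi_prepare_transfer(), confirm the matching unprepare path releases them and that spi_unregister_controller() (called earlier in remove(), outside this hunk) has quiesced the queue first, otherwise a transfer in flight at unbind would leak them. A comment here saying the channels are owned by the prepare/unprepare callbacks would stop someone re-adding the release.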



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 215/474] staging: vme_user: fix root device leak on init failure
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (213 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 214/474] spi: s3c64xx: fix NULL-deref on driver unbind Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 216/474] fanotify: fix false positive on permission events Greg Kroah-Hartman
                   ` (259 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Martyn Welch, Johan Hovold

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 32c91e8ee039777d0b95b914633fc6a42607959c upstream.

Make sure to deregister and free the root device in case module
initialisation fails.

Fixes: 658bcdae9c67 ("vme: Adding Fake VME driver")
Cc: stable@vger.kernel.org	# 4.9
Cc: Martyn Welch <martyn@welchs.me.uk>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260424104910.2619349-1-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/vme_user/vme_fake.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/staging/vme_user/vme_fake.c
+++ b/drivers/staging/vme_user/vme_fake.c
@@ -1235,6 +1235,8 @@ err_master:
 err_driver:
 	kfree(fake_bridge);
 err_struct:
+	root_device_unregister(vme_root);
+
 	return retval;
 }
 
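Review bot: root_device_unregister(vme_root) at err_struct assumes vme_root is valid on every path that jumps there; make sure a failure of root_device_register() itself returns directly (or jumps to a label after this one) rather than falling into err_struct, and that the caller does not also unregister vme_root on the failure path, which would be a double put.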



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 216/474] fanotify: fix false positive on permission events
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (214 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 215/474] staging: vme_user: fix root device leak on init failure Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 217/474] mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show() Greg Kroah-Hartman
                   ` (258 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Miklos Szeredi, Jan Kara

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Miklos Szeredi <mszeredi@redhat.com>

commit 7746e3bd4cc19b5092e00d32d676e329bfcb6900 upstream.

fsnotify_get_mark_safe() may return false for a mark on an unrelated group,
which results in bypassing the permission check.

Fix by skipping over detached marks that are not in the current group.

CC: stable@vger.kernel.org
Fixes: abc77577a669 ("fsnotify: Provide framework for dropping SRCU lock in ->handle_event")
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Link: https://patch.msgid.link/20260410144950.156160-1-mszeredi@redhat.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/notify/fsnotify.c             |    2 +-
 fs/notify/mark.c                 |   18 +++++++++++-------
 include/linux/fsnotify_backend.h |    1 +
 3 files changed, 13 insertions(+), 8 deletions(-)

--- a/fs/notify/fsnotify.c
+++ b/fs/notify/fsnotify.c
@@ -398,7 +398,7 @@ static struct fsnotify_mark *fsnotify_fi
 	return hlist_entry_safe(node, struct fsnotify_mark, obj_list);
 }
 
-static struct fsnotify_mark *fsnotify_next_mark(struct fsnotify_mark *mark)
+struct fsnotify_mark *fsnotify_next_mark(struct fsnotify_mark *mark)
 {
 	struct hlist_node *node = NULL;
 
--- a/fs/notify/mark.c
+++ b/fs/notify/mark.c
@@ -380,9 +380,6 @@ EXPORT_SYMBOL_GPL(fsnotify_put_mark);
  */
 static bool fsnotify_get_mark_safe(struct fsnotify_mark *mark)
 {
-	if (!mark)
-		return true;
-
 	if (refcount_inc_not_zero(&mark->refcnt)) {
 		spin_lock(&mark->lock);
 		if (mark->flags & FSNOTIFY_MARK_FLAG_ATTACHED) {
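Review bot: removing the `if (!mark) return true;` early exit changes the contract of fsnotify_get_mark_safe(): every caller must now guarantee a non-NULL mark. The loop in fsnotify_prepare_user_wait() does so with `while (mark && ...)`; grep for any other caller, and update the comment above the function (cut off at line 380 in this hunk) to say NULL is no longer accepted.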
@@ -423,15 +420,22 @@ bool fsnotify_prepare_user_wait(struct f
 	int type;
 
 	fsnotify_foreach_iter_type(type) {
+		struct fsnotify_mark *mark = iter_info->marks[type];
+
 		/* This can fail if mark is being removed */
-		if (!fsnotify_get_mark_safe(iter_info->marks[type])) {
-			__release(&fsnotify_mark_srcu);
-			goto fail;
+		while (mark && !fsnotify_get_mark_safe(mark)) {
+			if (mark->group == iter_info->current_group) {
+				__release(&fsnotify_mark_srcu);
+				goto fail;
+			}
+			/* This is a mark in an unrelated group, skip */
+			mark = fsnotify_next_mark(mark);
+			iter_info->marks[type] = mark;
 		}
 	}
 
 	/*
-	 * Now that both marks are pinned by refcount in the inode / vfsmount
+	 * Now that all marks are pinned by refcount in the inode / vfsmount / etc
 	 * lists, we can drop SRCU lock, and safely resume the list iteration
 	 * once userspace returns.
 	 */
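Review bot: two things to check in the new skip loop. First, `mark->group` is read after fsnotify_get_mark_safe() failed, i.e. after a reference could not be taken, so the only thing keeping mark alive is the SRCU read side; a comment to that effect would help. Second, the `goto fail` path must release the marks already pinned for earlier iterator types in this loop, and because iter_info->marks[type] is overwritten while skipping, the fail path must not assume marks[type] still names the mark it failed on. The updated "all marks are pinned" comment reads well.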
--- a/include/linux/fsnotify_backend.h
+++ b/include/linux/fsnotify_backend.h
@@ -817,6 +817,7 @@ static inline void fsnotify_clear_sb_mar
 }
 extern void fsnotify_get_mark(struct fsnotify_mark *mark);
 extern void fsnotify_put_mark(struct fsnotify_mark *mark);
+struct fsnotify_mark *fsnotify_next_mark(struct fsnotify_mark *mark);
 extern void fsnotify_finish_user_wait(struct fsnotify_iter_info *iter_info);
 extern bool fsnotify_prepare_user_wait(struct fsnotify_iter_info *iter_info);
 
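Review bot: style: the surrounding declarations in this header use `extern`; for consistency declare it as `extern struct fsnotify_mark *fsnotify_next_mark(struct fsnotify_mark *mark);`.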



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 217/474] mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (215 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 216/474] fanotify: fix false positive on permission events Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 218/474] net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo Greg Kroah-Hartman
                   ` (257 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tudor Ambarus, Takahiro Kuwano,
	Michael Walle, Pratyush Yadav, Miquel Raynal

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tudor Ambarus <tudor.ambarus@linaro.org>

commit e47029b977e747cb3a9174308fd55762cce70147 upstream.

Sashiko noticed an out-of-bounds read [1].

In spi_nor_params_show(), the snor_f_names array is passed to
spi_nor_print_flags() using sizeof(snor_f_names).

Since snor_f_names is an array of pointers, sizeof() returns the total
number of bytes occupied by the pointers
	(element_count * sizeof(void *))
rather than the element count itself. On 64-bit systems, this makes the
passed length 8x larger than intended.

Inside spi_nor_print_flags(), the 'names_len' argument is used to
bounds-check the 'names' array access. An out-of-bounds read occurs
if a flag bit is set that exceeds the array's actual element count
but is within the inflated byte-size count.

Correct this by using ARRAY_SIZE() to pass the actual number of
string pointers in the array.

Cc: stable@vger.kernel.org
Fixes: 0257be79fc4a ("mtd: spi-nor: expose internal parameters via debugfs")
Closes: https://sashiko.dev/#/patchset/20260417-die-erase-fix-v2-1-73bb7004ebad%40infineon.com [1]
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Reviewed-by: Takahiro Kuwano <takahiro.kuwano@infineon.com>
Reviewed-by: Michael Walle <mwalle@kernel.org>
Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mtd/spi-nor/debugfs.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/mtd/spi-nor/debugfs.c
+++ b/drivers/mtd/spi-nor/debugfs.c
@@ -1,5 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0
 
+#include <linux/array_size.h>
 #include <linux/debugfs.h>
 #include <linux/mtd/spi-nor.h>
 #include <linux/spi/spi.h>
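Review bot: <linux/array_size.h> is a recently split-out header; confirm it exists in the 6.6 tree this is being backported to, otherwise the build breaks on this line. If it does not, drop this hunk: ARRAY_SIZE() is still reachable through <linux/kernel.h>, which the existing includes pull in, and the functional fix is the ARRAY_SIZE() change below.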
@@ -92,7 +93,8 @@ static int spi_nor_params_show(struct se
 	seq_printf(s, "address nbytes\t%u\n", nor->addr_nbytes);
 
 	seq_puts(s, "flags\t\t");
-	spi_nor_print_flags(s, nor->flags, snor_f_names, sizeof(snor_f_names));
+	spi_nor_print_flags(s, nor->flags, snor_f_names,
+			    ARRAY_SIZE(snor_f_names));
 	seq_puts(s, "\n");
 
 	seq_puts(s, "\nopcodes\n");
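Review bot: the fix is right; check any other spi_nor_print_flags() call sites in this file for the same sizeof()-instead-of-ARRAY_SIZE() mistake, since the helper takes a plain count and nothing in its signature catches a byte size. A macro wrapper that applies ARRAY_SIZE() to the names array itself would make it impossible for a caller to pass the wrong unit again.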



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 218/474] net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (216 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 217/474] mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show() Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 219/474] sound: ua101: fix division by zero at probe Greg Kroah-Hartman
                   ` (256 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Kai Zen, Jakub Kicinski

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kai Zen <kai.aizen.dev@gmail.com>

commit 4b9e327991815e128ad3af75c3a04630a63ce3e0 upstream.

rtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack
without initialisation:

	struct ifla_vf_broadcast vf_broadcast;

The struct contains a single fixed 32-byte field:

	/* include/uapi/linux/if_link.h */
	struct ifla_vf_broadcast {
		__u8 broadcast[32];
	};

The function then copies dev->broadcast into it using dev->addr_len
as the length:

	memcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);

On Ethernet devices (the overwhelming majority of SR-IOV NICs)
dev->addr_len is 6, so only the first 6 bytes of broadcast[] are
written. The remaining 26 bytes retain whatever was previously on
the kernel stack. The full struct is then handed to userspace via:

	nla_put(skb, IFLA_VF_BROADCAST,
		sizeof(vf_broadcast), &vf_broadcast)

leaking up to 26 bytes of uninitialised kernel stack per VF per
RTM_GETLINK request, repeatable.

The other vf_* structs in the same function are explicitly zeroed
for exactly this reason - see the memset() calls for ivi,
vf_vlan_info, node_guid and port_guid a few lines above.
vf_broadcast was simply missed when it was added.

Reachability: any unprivileged local process can open AF_NETLINK /
NETLINK_ROUTE without capabilities and send RTM_GETLINK with an
IFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks
each VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per
VF per request. Stack residue at this call site can include return
addresses and transient sensitive data; KASAN with stack
instrumentation, or KMSAN, will flag the nla_put() when reproduced.

Zero the on-stack struct before the partial memcpy, matching the
existing pattern used for the other vf_* structs in the same
function.

Fixes: 75345f888f70 ("ipoib: show VF broadcast address")
Cc: stable@vger.kernel.org
Signed-off-by: Kai Zen <kai.aizen.dev@gmail.com>
Link: https://patch.msgid.link/3c506e8f936e52b57620269b55c348af05d413a2.1777557228.git.kai.aizen.dev@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/rtnetlink.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1362,6 +1362,7 @@ static noinline_for_stack int rtnl_fill_
 		port_guid.vf = ivi.vf;
 
 	memcpy(vf_mac.mac, ivi.mac, sizeof(ivi.mac));
+	memset(&vf_broadcast, 0, sizeof(vf_broadcast));
 	memcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);
 	vf_vlan.vlan = ivi.vlan;
 	vf_vlan.qos = ivi.qos;
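Review bot: the memset() closes the leak, but the memcpy() on the next line still trusts dev->addr_len to be at most sizeof(vf_broadcast.broadcast); that holds today only because addr_len is bounded by MAX_ADDR_LEN, which is 32 like the uapi field. A `min_t(unsigned int, dev->addr_len, sizeof(vf_broadcast.broadcast))` or a comment tying the two sizes together would keep that from silently breaking if either changes. Using memset() rather than `= {}` at the declaration matches the other vf_* structs in this function, so the style is consistent.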



^ permalink raw reply	[flat|nested] 476+ messages in thread
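An added example follows, written for this editing pass and not part of the stable series, of net/core/rtnetlink.c, or of any tool the thread mentions: a userspace scanner for the leak just described. It walks an RTM_GETLINK dump the way the kernel lays it out (IFLA_VFINFO_LIST, nested IFLA_VF_INFO, then IFLA_VF_BROADCAST) with a bounds check on every attribute length, and counts bytes after dev->addr_len that are not zero; on a patched kernel that count is 0. It assumes the uapi definitions from <linux/if_link.h> and <linux/rtnetlink.h>; the fallback value 13 for IFLA_VF_BROADCAST is only used if the local headers predate the attribute. build_sample_reply() is a constructed one-VF reply (the 0xA5 fill stands in for stack residue) so the scanner can be exercised offline; sending the request itself is not implemented here.

```c
/* Added example (not from the stable series or net/core/rtnetlink.c): scanner for the
 * unprivileged RTM_GETLINK + RTEXT_FILTER_VF probe the commit message describes, counting
 * non-zero bytes past dev->addr_len in each IFLA_VF_BROADCAST. Linux only; 13 is an assumed
 * fallback for IFLA_VF_BROADCAST, used only if the local uapi headers predate the attribute. */
#include <linux/if_link.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <string.h>
#ifndef IFLA_VF_BROADCAST
#define IFLA_VF_BROADCAST 13
#endif
#define VF_BCAST_LEN 32	/* sizeof(struct ifla_vf_broadcast), as quoted in the commit message */
#define IFM_LEN NLMSG_LENGTH(sizeof(struct ifinfomsg))
#define NLA_IS(na, t) (((na)->nla_type & NLA_TYPE_MASK) == (t))
#define NLA_DATA(na) ((const unsigned char *)(na) + NLA_HDRLEN)
#define NLA_PLEN(na) ((size_t)(na)->nla_len - NLA_HDRLEN)

/* addr_len is what the kernel really writes (6 on Ethernet); the rest accumulates over chunks. */
struct scan { unsigned addr_len; size_t vfs, residue; int done; };

/* Non-zero bytes past addr_len in one 32-byte IFLA_VF_BROADCAST payload. */
size_t vf_broadcast_residue(const unsigned char *payload, size_t len, unsigned addr_len)
{
	size_t n = 0;
	if (len != VF_BCAST_LEN || addr_len > len)
		return 0;
	for (size_t i = addr_len; i < len; i++)
		n += payload[i] != 0;
	return n;
}

/* Bounds-checked walk of IFLA_VFINFO_LIST -> IFLA_VF_INFO -> IFLA_VF_BROADCAST. */
static void walk(const unsigned char *p, size_t len, int depth, struct scan *s)
{
	static const int want[] = { IFLA_VFINFO_LIST, IFLA_VF_INFO, IFLA_VF_BROADCAST };
	for (size_t off = 0; off < len && len - off >= NLA_HDRLEN; ) {
		const struct nlattr *na = (const struct nlattr *)(p + off);
		if (na->nla_len < NLA_HDRLEN || na->nla_len > len - off)
			break;	/* malformed length: stop rather than read past the buffer */
		if (NLA_IS(na, want[depth]) && depth == 2)
			s->residue += vf_broadcast_residue(NLA_DATA(na), NLA_PLEN(na), s->addr_len);
		else if (NLA_IS(na, want[depth])) {
			s->vfs += depth == 1;
			walk(NLA_DATA(na), NLA_PLEN(na), depth + 1, s);
		}
		off += NLA_ALIGN(na->nla_len);
	}
}

/* Feed one recv() chunk of the dump; returns the residue found in this chunk. */
size_t scan_getlink_reply(const unsigned char *buf, size_t len, struct scan *s)
{
	size_t before = s->residue;
	for (size_t off = 0; off < len && len - off >= NLMSG_HDRLEN; ) {
		const struct nlmsghdr *nlh = (const struct nlmsghdr *)(buf + off);
		if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > len - off)
			break;
		if (nlh->nlmsg_type == NLMSG_DONE)
			s->done = 1;
		else if (nlh->nlmsg_type == RTM_NEWLINK && nlh->nlmsg_len >= IFM_LEN)
			walk((const unsigned char *)nlh + IFM_LEN, nlh->nlmsg_len - IFM_LEN, 0, s);
		off += NLMSG_ALIGN(nlh->nlmsg_len);
	}
	return s->residue - before;
}

/* Constructed RTM_NEWLINK with one VF: a 6-byte broadcast address followed by zeros
 * (patched kernel) or 0xA5 standing in for the stack residue an unpatched one copies out. */
size_t build_sample_reply(unsigned char *buf, size_t cap, int kernel_zeroes_struct)
{
	size_t len = IFM_LEN + 3 * NLA_HDRLEN + VF_BCAST_LEN;
	struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
	struct nlattr *list = (struct nlattr *)(buf + IFM_LEN), *vf = list + 1, *bc = vf + 1;
	unsigned char *payload = (unsigned char *)(bc + 1);
	if (cap < len)
		return 0;
	memset(buf, 0, len);
	nlh->nlmsg_len = len;
	nlh->nlmsg_type = RTM_NEWLINK;
	list->nla_type = IFLA_VFINFO_LIST | NLA_F_NESTED; list->nla_len = 3 * NLA_HDRLEN + VF_BCAST_LEN;
	vf->nla_type = IFLA_VF_INFO | NLA_F_NESTED;       vf->nla_len = 2 * NLA_HDRLEN + VF_BCAST_LEN;
	bc->nla_type = IFLA_VF_BROADCAST;                 bc->nla_len = NLA_HDRLEN + VF_BCAST_LEN;
	memset(payload, kernel_zeroes_struct ? 0x00 : 0xA5, VF_BCAST_LEN);
	memset(payload, 0xff, 6);	/* what memcpy(..., dev->broadcast, dev->addr_len) fills in */
	return len;
}
```

To run it against a live system, send an RTM_GETLINK request with NLM_F_REQUEST | NLM_F_DUMP and an IFLA_EXT_MASK attribute holding RTEXT_FILTER_VF on an AF_NETLINK/NETLINK_ROUTE socket (no capability is needed, as the commit message says), initialise a `struct scan` with addr_len = 6 for Ethernet PFs, and pass every recv() chunk to scan_getlink_reply() until s.done is set. A non-zero s.residue on a host with SR-IOV VFs means the kernel still copies out uninitialised stack; note that residue which happens to be zero is indistinguishable from a patched kernel, so repeat the dump a few times before concluding the fix is present.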

* [PATCH 6.6 219/474] sound: ua101: fix division by zero at probe
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (217 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 218/474] net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 220/474] net: libwx: fix VF illegal register access Greg Kroah-Hartman
                   ` (255 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, SeungJu Cheon, Takashi Iwai

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: SeungJu Cheon <suunj1331@gmail.com>

commit d1f73f169c1014463b5060e3f60813e13ddc7b87 upstream.

Add a missing sanity check for bNrChannels in detect_usb_format()
to prevent a division by zero in playback_urb_complete() and
capture_urb_complete().

USB core does not validate class-specific descriptor fields such
as bNrChannels, so drivers must verify them before use. If a
device provides bNrChannels = 0, frame_bytes becomes zero and is
later used as a divisor in the URB completion handlers, leading
to a kernel crash.

Fixes: 63978ab3e3e9 ("sound: add Edirol UA-101 support")
Cc: stable@vger.kernel.org
Signed-off-by: SeungJu Cheon <suunj1331@gmail.com>
Link: https://patch.msgid.link/20260426111239.103296-1-suunj1331@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/usb/misc/ua101.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/sound/usb/misc/ua101.c
+++ b/sound/usb/misc/ua101.c
@@ -994,6 +994,13 @@ static int detect_usb_format(struct ua10
 
 	ua->capture.channels = fmt_capture->bNrChannels;
 	ua->playback.channels = fmt_playback->bNrChannels;
+	if (!ua->capture.channels || !ua->playback.channels) {
+		dev_err(&ua->dev->dev,
+			"invalid channel count: capture %u, playback %u\n",
+			ua->capture.channels, ua->playback.channels);
+		return -EINVAL;
+	}
+
 	ua->capture.frame_bytes =
 		fmt_capture->bSubframeSize * ua->capture.channels;
 	ua->playback.frame_bytes =
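Review bot: the check covers bNrChannels, but frame_bytes is `bSubframeSize * channels` and bSubframeSize comes from the same untrusted descriptor; a device advertising bSubframeSize = 0 still yields frame_bytes == 0 and the same division by zero in the URB completion handlers. Extend the check to reject a zero bSubframeSize (or validate the product after it is computed) in this hunk.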



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 220/474] net: libwx: fix VF illegal register access
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (218 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 219/474] sound: ua101: fix division by zero at probe Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 221/474] ip6_gre: Use cached t->net in ip6erspan_changelink() Greg Kroah-Hartman
                   ` (254 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jiawen Wu, Jakub Kicinski

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiawen Wu <jiawenwu@trustnetic.com>

commit 694de316f607fe2473d52ca0707e3918e72c1562 upstream.

Register WX_CFG_PORT_ST is a PF restricted register. When a VF is
initialized, attempting to read this register triggers an illegal
register access, which leads to a system hang.

When the device is VF, the bus function ID can be obtained directly from
the PCI_FUNC(pdev->devfn).

Fixes: a04ea57aae37 ("net: libwx: fix device bus LAN ID")
Cc: stable@vger.kernel.org
Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
Link: https://patch.msgid.link/4D1F4452D21DE107+20260429083743.88961-1-jiawenwu@trustnetic.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/wangxun/libwx/wx_hw.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/wangxun/libwx/wx_hw.c
+++ b/drivers/net/ethernet/wangxun/libwx/wx_hw.c
@@ -1667,8 +1667,11 @@ int wx_sw_init(struct wx *wx)
 	wx->oem_svid = pdev->subsystem_vendor;
 	wx->oem_ssid = pdev->subsystem_device;
 	wx->bus.device = PCI_SLOT(pdev->devfn);
-	wx->bus.func = FIELD_GET(WX_CFG_PORT_ST_LANID,
-				 rd32(wx, WX_CFG_PORT_ST));
+	if (pdev->is_virtfn)
+		wx->bus.func = PCI_FUNC(pdev->devfn);
+	else
+		wx->bus.func = FIELD_GET(WX_CFG_PORT_ST_LANID,
+					 rd32(wx, WX_CFG_PORT_ST));
 
 	if (wx->oem_svid == PCI_VENDOR_ID_WANGXUN) {
 		wx->subsystem_vendor_id = pdev->subsystem_vendor;
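Review bot: the split is correct; a one-line comment above `if (pdev->is_virtfn)` saying WX_CFG_PORT_ST is PF-only and faults on a VF would stop someone "simplifying" this back to a single rd32(). Also worth a look: any other PF-only register read in wx_sw_init() or the helpers it calls would hang a VF the same way; this hunk only fixes the one that was hit.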



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 221/474] ip6_gre: Use cached t->net in ip6erspan_changelink().
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (219 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 220/474] net: libwx: fix VF illegal register access Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 222/474] net/rds: handle zerocopy send cleanup before the message is queued Greg Kroah-Hartman
                   ` (253 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maoyi Xie, Eric Dumazet,
	Kuniyuki Iwashima, Jakub Kicinski

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maoyi Xie <maoyixie.tju@gmail.com>

commit 1d324c2f43f70c965f25c58cc3611c779adbe47e upstream.

After commit 5e72ce3e3980 ("net: ipv6: Use link netns in newlink() of
rtnl_link_ops"), ip6erspan_newlink() correctly resolves the per-netns
ip6gre hash via link_net. ip6erspan_changelink() was not converted in
that series and still uses dev_net(dev), which diverges from the
device's creation netns after IFLA_NET_NS_FD migration.

This re-inserts the tunnel into the wrong per-netns hash. The
original netns keeps a stale entry. When that netns is later
destroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a
slab-use-after-free reported by KASAN, followed by a kernel BUG at
net/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().

Reachable from an unprivileged user namespace (unshare --user
--map-root-user --net).

ip6gre_changelink() earlier in the same file already uses the cached
t->net; only ip6erspan_changelink() has the wrong shape.

Fixes: 2d665034f239 ("net: ip6_gre: Fix ip6erspan hlen calculation")
Cc: stable@vger.kernel.org # v5.15+
Signed-off-by: Maoyi Xie <maoyi.xie@ntu.edu.sg>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260430103318.3206018-1-maoyi.xie@ntu.edu.sg
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/ip6_gre.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -2299,10 +2299,11 @@ static int ip6erspan_changelink(struct n
 				struct nlattr *data[],
 				struct netlink_ext_ack *extack)
 {
-	struct ip6gre_net *ign = net_generic(dev_net(dev), ip6gre_net_id);
+	struct ip6_tnl *t = netdev_priv(dev);
 	struct __ip6_tnl_parm p;
-	struct ip6_tnl *t;
+	struct ip6gre_net *ign;
 
+	ign = net_generic(t->net, ip6gre_net_id);
 	t = ip6gre_changelink_common(dev, tb, data, &p, extack);
 	if (IS_ERR(t))
 		return PTR_ERR(t);
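Review bot: `t` is assigned from netdev_priv(dev) and then immediately reassigned from ip6gre_changelink_common(); that works only because the helper returns the same tunnel, which is not obvious at this spot. Either keep the first `t` in its own variable or add a comment that t->net is the creation netns, which (unlike dev_net(dev)) does not change on IFLA_NET_NS_FD migration, so the tunnel is reinserted into the hash it was originally added to, as ip6gre_changelink() already does.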



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 222/474] net/rds: handle zerocopy send cleanup before the message is queued
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (220 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 221/474] ip6_gre: Use cached t->net in ip6erspan_changelink() Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 223/474] net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler Greg Kroah-Hartman
                   ` (252 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
	Juefei Pu, Xin Liu, Xiao Liu, Nan Li, Ren Wei, Allison Henderson,
	Paolo Abeni

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nan Li <tonanli66@gmail.com>

commit 44b550d88b267320459d518c0743a241ab2108fa upstream.

A zerocopy send can fail after user pages have been pinned but before
the message is attached to the sending socket.

The purge path currently infers zerocopy state from rm->m_rs, so an
unqueued message can be cleaned up as if it owned normal payload pages.
However, zerocopy ownership is really determined by the presence of
op_mmp_znotifier, regardless of whether the message has reached the
socket queue.

Capture op_mmp_znotifier up front in rds_message_purge() and use it as
the cleanup discriminator. If the message is already associated with a
socket, keep the existing completion path. Otherwise, drop the pinned
page accounting directly and release the notifier before putting the
payload pages.

This keeps early send failure cleanup consistent with the zerocopy
lifetime rules without changing the normal queued completion path.

Fixes: 0cebaccef3ac ("rds: zerocopy Tx support.")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Co-developed-by: Xiao Liu <lx24@stu.ynu.edu.cn>
Signed-off-by: Xiao Liu <lx24@stu.ynu.edu.cn>
Signed-off-by: Nan Li <tonanli66@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Allison Henderson <achender@kernel.org>
Link: https://patch.msgid.link/d2ea98a6313d5467bac00f7c9fef8c7acddb9258.1777550074.git.tonanli66@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/rds/message.c |   20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

--- a/net/rds/message.c
+++ b/net/rds/message.c
@@ -129,24 +129,34 @@ static void rds_rm_zerocopy_callback(str
  */
 static void rds_message_purge(struct rds_message *rm)
 {
+	struct rds_znotifier *znotifier;
 	unsigned long i, flags;
-	bool zcopy = false;
+	bool zcopy;
 
 	if (unlikely(test_bit(RDS_MSG_PAGEVEC, &rm->m_flags)))
 		return;
 
 	spin_lock_irqsave(&rm->m_rs_lock, flags);
+	znotifier = rm->data.op_mmp_znotifier;
+	rm->data.op_mmp_znotifier = NULL;
+	zcopy = !!znotifier;
+
 	if (rm->m_rs) {
 		struct rds_sock *rs = rm->m_rs;
 
-		if (rm->data.op_mmp_znotifier) {
-			zcopy = true;
-			rds_rm_zerocopy_callback(rs, rm->data.op_mmp_znotifier);
+		if (znotifier) {
+			rds_rm_zerocopy_callback(rs, znotifier);
 			rds_wake_sk_sleep(rs);
-			rm->data.op_mmp_znotifier = NULL;
 		}
 		sock_put(rds_rs_to_sk(rs));
 		rm->m_rs = NULL;
+	} else if (znotifier) {
+		/*
+		 * Zerocopy can fail before the message is queued on the
+		 * socket, so there is no rs to carry the notification.
+		 */
+		mm_unaccount_pinned_pages(&znotifier->z_mmp);
+		kfree(rds_info_from_znotifier(znotifier));
 	}
 	spin_unlock_irqrestore(&rm->m_rs_lock, flags);
 
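Review bot: in the new `else if (znotifier)` branch, mm_unaccount_pinned_pages() and kfree() run under spin_lock_irqsave(&rm->m_rs_lock); both are fine in that context, but a short comment noting the lock is held would help, since the socket branch defers its freeing to rds_rm_zerocopy_callback(). Style nit: networking code puts the comment text on the `/*` line rather than on its own. Also confirm `zcopy` is still consumed later in the function, since it is now set for the unqueued case as well.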



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 223/474] net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (221 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 222/474] net/rds: handle zerocopy send cleanup before the message is queued Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 224/474] parisc: Fix IRQ leak in LASI driver Greg Kroah-Hartman
                   ` (251 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Pavitra Jha, Jakub Kicinski

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pavitra Jha <jhapavitra98@gmail.com>

commit 0e7c074cfcd9bd93765505f9eb8b42f03ed2a744 upstream.

t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as
a loop bound over port_msg->data[] without checking that the message buffer
contains sufficient data. A modem sending port_count=65535 in a 12-byte
buffer triggers a slab-out-of-bounds read of up to 262140 bytes.

Add a sizeof(*port_msg) check before accessing the port message header
fields to guard against undersized messages.

Add a struct_size() check after extracting port_count and before the loop.

In t7xx_parse_host_rt_data(), guard the rt_feature header read with a
remaining-buffer check before accessing data_len, validate feat_data_len
against the actual remaining buffer to prevent OOB reads and signed
integer overflow on offset.

Pass msg_len from both call sites: skb->len at the DPMAIF path after
skb_pull(), and the validated feat_data_len at the handshake path.

Fixes: da45d2566a1d ("net: wwan: t7xx: Add control port")
Cc: stable@vger.kernel.org
Signed-off-by: Pavitra Jha <jhapavitra98@gmail.com>
Link: https://patch.msgid.link/20260501110713.145563-1-jhapavitra98@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wwan/t7xx/t7xx_modem_ops.c     |   20 +++++++++++++++++---
 drivers/net/wwan/t7xx/t7xx_port_ctrl_msg.c |   18 ++++++++++++++++--
 drivers/net/wwan/t7xx/t7xx_port_proxy.h    |    2 +-
 3 files changed, 34 insertions(+), 6 deletions(-)

--- a/drivers/net/wwan/t7xx/t7xx_modem_ops.c
+++ b/drivers/net/wwan/t7xx/t7xx_modem_ops.c
@@ -417,8 +417,20 @@ static int t7xx_parse_host_rt_data(struc
 
 	offset = sizeof(struct feature_query);
 	for (i = 0; i < FEATURE_COUNT && offset < data_length; i++) {
+		size_t remaining = data_length - offset;
+		size_t feat_data_len, feat_total;
+
+		if (remaining < sizeof(*rt_feature))
+			break;
+
 		rt_feature = data + offset;
-		offset += sizeof(*rt_feature) + le32_to_cpu(rt_feature->data_len);
+		feat_data_len = le32_to_cpu(rt_feature->data_len);
+
+		if (feat_data_len > remaining - sizeof(*rt_feature))
+			break;
+
+		feat_total = sizeof(*rt_feature) + feat_data_len;
+		offset += feat_total;
 
 		ft_spt_cfg = FIELD_GET(FEATURE_MSK, core->feature_set[i]);
 		if (ft_spt_cfg != MTK_FEATURE_MUST_BE_SUPPORTED)
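Review bot: a truncated feature list is treated as success in this hunk. Both new guards (`if (remaining < sizeof(*rt_feature))` and `if (feat_data_len > remaining - sizeof(*rt_feature))`) `break` out of the loop, after which the function falls through to `return 0`, whereas an unsupported feature a few lines further down returns -EINVAL. The buffer comes from the modem, so a short or self-inconsistent message is a protocol violation; returning -EINVAL there too would fail the handshake instead of silently skipping the remaining features, including the RT_ID_MD_PORT_ENUM entry the handler below depends on.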
@@ -428,8 +440,10 @@ static int t7xx_parse_host_rt_data(struc
 		if (ft_spt_st != MTK_FEATURE_MUST_BE_SUPPORTED)
 			return -EINVAL;
 
-		if (i == RT_ID_MD_PORT_ENUM || i == RT_ID_AP_PORT_ENUM)
-			t7xx_port_enum_msg_handler(ctl->md, rt_feature->data);
+		if (i == RT_ID_MD_PORT_ENUM || i == RT_ID_AP_PORT_ENUM) {
+			t7xx_port_enum_msg_handler(ctl->md, rt_feature->data,
+						   feat_data_len);
+		}
 	}
 
 	return 0;
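Review bot: the return value of t7xx_port_enum_msg_handler() is still discarded at this call site even though the function now fails with -EINVAL on a malformed port enumeration; the control-port caller elsewhere in this patch propagates `ret`, so for consistency consider `ret = t7xx_port_enum_msg_handler(...); if (ret) return ret;` here as well. The braces around the single multi-line call are not needed under kernel style, though harmless.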
--- a/drivers/net/wwan/t7xx/t7xx_port_ctrl_msg.c
+++ b/drivers/net/wwan/t7xx/t7xx_port_ctrl_msg.c
@@ -117,6 +117,7 @@ static int fsm_ee_message_handler(struct
  * t7xx_port_enum_msg_handler() - Parse the port enumeration message to create/remove nodes.
  * @md: Modem context.
  * @msg: Message.
+ * @msg_len:	Length of @msg in bytes.
  *
  * Used to control create/remove device node.
  *
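Review bot: the new kernel-doc line `@msg_len:	Length of @msg in bytes.` uses a tab after the colon while the neighbouring `@md:` and `@msg:` entries use a single space; match the existing spacing so the parameter list stays aligned.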
@@ -124,12 +125,18 @@ static int fsm_ee_message_handler(struct
  * * 0		- Success.
  * * -EFAULT	- Message check failure.
  */
-int t7xx_port_enum_msg_handler(struct t7xx_modem *md, void *msg)
+int t7xx_port_enum_msg_handler(struct t7xx_modem *md, void *msg, size_t msg_len)
 {
 	struct device *dev = &md->t7xx_dev->pdev->dev;
 	unsigned int version, port_count, i;
 	struct port_msg *port_msg = msg;
 
+	if (msg_len < sizeof(*port_msg)) {
+		dev_err(dev, "Port enum msg too short for header: need %zu, have %zu\n",
+			sizeof(*port_msg), msg_len);
+		return -EINVAL;
+	}
+
 	version = FIELD_GET(PORT_MSG_VERSION, le32_to_cpu(port_msg->info));
 	if (version != PORT_ENUM_VER ||
 	    le32_to_cpu(port_msg->head_pattern) != PORT_ENUM_HEAD_PATTERN ||
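Review bot: the kernel-doc return list above still reads only `* -EFAULT	- Message check failure.`, but the new header-length guard returns -EINVAL; add an `* -EINVAL	- Message shorter than its header.` entry so the documentation matches the code. Since msg_len is ultimately under the modem's control, the `dev_err()` in this guard can be triggered repeatedly; `dev_err_ratelimited()` would keep the log usable.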
@@ -141,6 +148,13 @@ int t7xx_port_enum_msg_handler(struct t7
 	}
 
 	port_count = FIELD_GET(PORT_MSG_PRT_CNT, le32_to_cpu(port_msg->info));
+
+	if (msg_len < struct_size(port_msg, data, port_count)) {
+		dev_err(dev, "Port enum msg too short: need %zu, have %zu\n",
+			struct_size(port_msg, data, port_count), msg_len);
+		return -EINVAL;
+	}
+
 	for (i = 0; i < port_count; i++) {
 		u32 port_info = le32_to_cpu(port_msg->data[i]);
 		unsigned int ch_id;
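Review bot: `struct_size(port_msg, data, port_count)` is evaluated twice, once in the `if` and again inside the `dev_err()`; compute it once into a local `size_t` and use it in both places. As with the header check, the input comes from the modem, so `dev_err_ratelimited()` is the better choice. The check itself is sound: port_count is a 16-bit field, so the struct_size() computation cannot overflow and the comparison bounds every `port_msg->data[i]` read that follows.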
@@ -191,7 +205,7 @@ static int control_msg_handler(struct t7
 
 	case CTL_ID_PORT_ENUM:
 		skb_pull(skb, sizeof(*ctrl_msg_h));
-		ret = t7xx_port_enum_msg_handler(ctl->md, (struct port_msg *)skb->data);
+		ret = t7xx_port_enum_msg_handler(ctl->md, (struct port_msg *)skb->data, skb->len);
 		if (!ret)
 			ret = port_ctl_send_msg_to_md(port, CTL_ID_PORT_ENUM, 0);
 		else
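Review bot: passing `skb->len` after `skb_pull()` is the correct length, but the `(struct port_msg *)` cast is redundant because the parameter is `void *msg`; dropping it shortens the now longer line. This hunk also relies on the control message header having been validated before `skb_pull(skb, sizeof(*ctrl_msg_h))`, which is outside the visible context.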
--- a/drivers/net/wwan/t7xx/t7xx_port_proxy.h
+++ b/drivers/net/wwan/t7xx/t7xx_port_proxy.h
@@ -95,7 +95,7 @@ void t7xx_port_proxy_reset(struct port_p
 void t7xx_port_proxy_uninit(struct port_proxy *port_prox);
 int t7xx_port_proxy_init(struct t7xx_modem *md);
 void t7xx_port_proxy_md_status_notify(struct port_proxy *port_prox, unsigned int state);
-int t7xx_port_enum_msg_handler(struct t7xx_modem *md, void *msg);
+int t7xx_port_enum_msg_handler(struct t7xx_modem *md, void *msg, size_t msg_len);
 int t7xx_port_proxy_chl_enable_disable(struct port_proxy *port_prox, unsigned int ch_id,
 				       bool en_flag);
 



^ permalink raw reply	[flat|nested] 476+ messages in thread
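The bounded-parsing pattern the commit above describes, written out as an added example in plain C; this is not the t7xx driver's code. The message layout, field masks, framing constants and helper names are assumptions modelled on the commit text, and the sample messages are constructed for the example. It shows the two checks in order: the header must be complete before any header field is read, and the peer-supplied count must fit in the bytes actually received, computed with a saturating struct_size() equivalent.

```c
/*
 * Added example, not code from the t7xx driver: parsing a port
 * enumeration message whose element count is supplied by the peer.
 * Layout, masks, patterns and names below are assumptions.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PORT_ENUM_VER           0u          /* assumed version number     */
#define PORT_ENUM_HEAD_PATTERN  0x5a5a5a5au /* assumed framing constants  */
#define PORT_ENUM_TAIL_PATTERN  0xa5a5a5a5u
#define PORT_MSG_PRT_CNT_MASK   0xffffu     /* info[15:0]  = port count   */
#define PORT_MSG_VERSION_SHIFT  16          /* info[31:16] = version      */

struct port_msg {
	uint32_t head_pattern;
	uint32_t info;
	uint32_t tail_pattern;
	uint32_t data[];	/* port_count entries follow the header */
};

/* struct_size() equivalent: header plus n elements, saturating instead
 * of wrapping so an oversized n can never pass a "fits" comparison. */
static size_t port_msg_size(size_t n)
{
	if (n > (SIZE_MAX - sizeof(struct port_msg)) / sizeof(uint32_t))
		return SIZE_MAX;
	return sizeof(struct port_msg) + n * sizeof(uint32_t);
}

/*
 * Parse msg_len bytes at msg. Copies up to max_out port words into out
 * and returns how many were present; returns -1 for any malformed
 * message. Every read is bounded by msg_len, never by the peer's count.
 * Host byte order is assumed (the driver uses le32_to_cpu()).
 */
int parse_port_enum(const uint8_t *msg, size_t msg_len,
		    uint32_t *out, size_t max_out)
{
	struct port_msg hdr;
	size_t count;

	/* The header must be complete before any header field is read. */
	if (msg_len < sizeof(hdr))
		return -1;
	memcpy(&hdr, msg, sizeof(hdr));

	if ((hdr.info >> PORT_MSG_VERSION_SHIFT) != PORT_ENUM_VER ||
	    hdr.head_pattern != PORT_ENUM_HEAD_PATTERN ||
	    hdr.tail_pattern != PORT_ENUM_TAIL_PATTERN)
		return -1;

	/* The peer's count must fit in the bytes actually received. */
	count = hdr.info & PORT_MSG_PRT_CNT_MASK;
	if (msg_len < port_msg_size(count) || count > max_out)
		return -1;

	memcpy(out, msg + sizeof(hdr), count * sizeof(uint32_t));
	return (int)count;
}

/* Constructed samples: a valid two-port message, and a 12-byte message
 * whose header claims 65535 ports (the case from the commit message). */
static const uint32_t good_msg[] = {
	PORT_ENUM_HEAD_PATTERN, (PORT_ENUM_VER << PORT_MSG_VERSION_SHIFT) | 2u,
	PORT_ENUM_TAIL_PATTERN, 0x00010001u, 0x00020002u,
};
static const uint32_t hostile_msg[] = {
	PORT_ENUM_HEAD_PATTERN, (PORT_ENUM_VER << PORT_MSG_VERSION_SHIFT) | 0xffffu,
	PORT_ENUM_TAIL_PATTERN,
};

/* Each helper returns the parser's verdict for one sample. */
int check_well_formed(void)
{
	uint32_t out[8];
	int n = parse_port_enum((const uint8_t *)good_msg, sizeof(good_msg), out, 8);

	return (n == 2 && out[0] == 0x00010001u && out[1] == 0x00020002u) ? n : -2;
}

int check_oversized_count(void)
{
	uint32_t out[8];

	return parse_port_enum((const uint8_t *)hostile_msg, sizeof(hostile_msg), out, 8);
}

int check_truncated_header(void)
{
	uint32_t out[8];

	return parse_port_enum((const uint8_t *)good_msg, 8, out, 8);
}

int check_truncated_body(void)
{
	uint32_t out[8];

	/* header intact, but only one of the two announced ports present */
	return parse_port_enum((const uint8_t *)good_msg, sizeof(good_msg) - 4, out, 8);
}

int main(void)
{
	printf("well-formed: %d, oversized count: %d, short header: %d, short body: %d\n",
	       check_well_formed(), check_oversized_count(),
	       check_truncated_header(), check_truncated_body());
	return 0;
}
```

The hostile sample is exactly the shape from the commit message: a complete, well-framed header whose count field cannot be trusted. Without the second check the loop would read 65535 words past a 12-byte buffer; with it the count is rejected before the first element is touched.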

* [PATCH 6.6 224/474] parisc: Fix IRQ leak in LASI driver
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (222 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 223/474] net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 225/474] hwmon: (ltc2992) Clamp threshold writes to hardware range Greg Kroah-Hartman
                   ` (250 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, kernel test robot, Dan Carpenter,
	Hongling Zeng, Helge Deller

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hongling Zeng <zenghongling@kylinos.cn>

commit 37b0dc5e279f35036fb638d1e187197b6c05a76d upstream.

When request_irq() succeeds but gsc_common_setup() fails later,
the IRQ is never released. Fix this by adding proper error handling
with goto labels to ensure resources are released in LIFO order.

Detected by Smatch:
  drivers/parisc/lasi.c:216 lasi_init_chip() warn: 'lasi->gsc_irq.irq'
from request_irq() not released on lines: 207.

Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Closes: https://lore.kernel.org/r/202604180957.4QdAIxP6-lkp@intel.com/
Signed-off-by: Hongling Zeng <zenghongling@kylinos.cn>
Cc: stable@vger.kernel.org
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/parisc/lasi.c |   12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/drivers/parisc/lasi.c
+++ b/drivers/parisc/lasi.c
@@ -193,8 +193,7 @@ static int __init lasi_init_chip(struct
 
 	ret = request_irq(lasi->gsc_irq.irq, gsc_asic_intr, 0, "lasi", lasi);
 	if (ret < 0) {
-		kfree(lasi);
-		return ret;
+		goto err_free;
 	}
 
 	/* enable IRQ's for devices below LASI */
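Review bot: with the body reduced to a single `goto err_free;`, the braces around `if (ret < 0)` are no longer needed under kernel coding style; the usual form is `if (ret < 0)` followed by the `goto` on its own line. The same applies to the `goto err_irq;` block later in this function.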
@@ -203,8 +202,7 @@ static int __init lasi_init_chip(struct
 	/* Done init'ing, register this driver */
 	ret = gsc_common_setup(dev, lasi);
 	if (ret) {
-		kfree(lasi);
-		return ret;
+		goto err_irq;
 	}    
 
 	gsc_fixup_irqs(dev, lasi, lasi_choose_irq);
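Review bot: the closing `}    ` context line carries trailing whitespace; it is pre-existing, but since this hunk already rewrites that block it is a good moment to drop it (checkpatch flags it), and the braces around the lone `goto err_irq;` can go as well.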
@@ -214,6 +212,12 @@ static int __init lasi_init_chip(struct
 		SYS_OFF_PRIO_DEFAULT, lasi_power_off, lasi);
 
 	return ret;
+
+err_irq:
+	free_irq(lasi->gsc_irq.irq, lasi);
+err_free:
+	kfree(lasi);
+	return ret;
 }
 
 static struct parisc_device_id lasi_tbl[] __initdata = {
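Review bot: free_irq() before kfree() is the correct LIFO order, but the comment `/* enable IRQ's for devices below LASI */` between request_irq() and gsc_common_setup() shows the chip's interrupt mask is opened before the failure point; check whether `err_irq:` should also restore that mask (the write itself is outside the visible context) so the device is quiescent before its handler is removed.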



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 225/474] hwmon: (ltc2992) Clamp threshold writes to hardware range
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (223 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 224/474] parisc: Fix IRQ leak in LASI driver Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 226/474] hwmon: (ltc2992) Fix u32 overflow in power read path Greg Kroah-Hartman
                   ` (249 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Sanman Pradhan, Guenter Roeck

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sanman Pradhan <psanman@juniper.net>

commit d6cc7c99bf1f73eda7d565d224d791d16239bb41 upstream.

ltc2992_set_voltage(), ltc2992_set_current(), and ltc2992_set_power()
do not validate the user-supplied value before converting it to a
register value. This can result in:

1. Negative input values wrapping to large positive register values.
   For power, the negative long is implicitly cast to u64 in
   mul_u64_u32_div(), producing an incorrect value. For voltage and
   current, the negative converted value wraps when passed to
   ltc2992_write_reg() as a u32.

2. Intermediate arithmetic exceeding the range representable in u64 on
   64-bit platforms. In ltc2992_set_voltage(), (u64)val * 1000 can
   exceed U64_MAX when val is a large positive long. In
   ltc2992_set_current(), (u64)val * r_sense_uohm can overflow
   similarly. In ltc2992_set_power(), the computed value may not fit
   in u64.

3. Register values exceeding the hardware field width. Voltage and
   current threshold registers are 12-bit (stored left-justified in
   16 bits), and power threshold registers are 24-bit. Without
   clamping, bits above the field width are truncated in
   ltc2992_write_reg().

Fix by clamping negative values to zero, clamping positive values to
the rounded hardware-representable maximum (the value returned by the
read path for a full-scale register) to prevent intermediate overflow,
and clamping the converted register value to the hardware field width
before writing. The existing conversion formula and rounding behavior
are preserved.

In the power write path, cancel the factor of 1000 from both the
numerator (r_sense_uohm * 1000) and the denominator
(VADC_UV_LSB * IADC_NANOV_LSB) to also eliminate a u32 overflow of
r_sense_uohm * 1000 when r_sense_uohm exceeds about 4.29 ohms.

Fixes: b0bd407e94b03 ("hwmon: (ltc2992) Add support")
Cc: stable@vger.kernel.org
Signed-off-by: Sanman Pradhan <psanman@juniper.net>
Link: https://lore.kernel.org/r/20260416215904.101969-2-sanman.pradhan@hpe.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hwmon/ltc2992.c |   35 ++++++++++++++++++++++++++++-------
 1 file changed, 28 insertions(+), 7 deletions(-)

--- a/drivers/hwmon/ltc2992.c
+++ b/drivers/hwmon/ltc2992.c
@@ -421,10 +421,16 @@ static int ltc2992_get_voltage(struct lt
 
 static int ltc2992_set_voltage(struct ltc2992_state *st, u32 reg, u32 scale, long val)
 {
-	val = DIV_ROUND_CLOSEST(val * 1000, scale);
-	val = val << 4;
+	u32 reg_val;
+	long vmax;
+
+	vmax = DIV_ROUND_CLOSEST_ULL(0xFFFULL * scale, 1000);
+	val = max(val, 0L);
+	val = min(val, vmax);
+	reg_val = min(DIV_ROUND_CLOSEST_ULL((u64)val * 1000, scale),
+		      0xFFFULL) << 4;
 
-	return ltc2992_write_reg(st, reg, 2, val);
+	return ltc2992_write_reg(st, reg, 2, reg_val);
 }
 
 static int ltc2992_read_gpio_alarm(struct ltc2992_state *st, int nr_gpio, u32 attr, long *val)
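Review bot: `val = max(val, 0L); val = min(val, vmax);` is exactly what `clamp(val, 0L, vmax)` expresses, and the kernel helper also type-checks the bounds. `vmax` is a `long` assigned from DIV_ROUND_CLOSEST_ULL(), which returns u64; the value is at most 0xFFF * scale / 1000 so it fits on 32-bit too, but a short comment would make that obvious. The trailing `min(..., 0xFFFULL)` is needed because rounding of vmax can land one LSB above full scale; worth saying so in a comment rather than leaving it looking redundant.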
@@ -549,9 +555,15 @@ static int ltc2992_get_current(struct lt
 static int ltc2992_set_current(struct ltc2992_state *st, u32 reg, u32 channel, long val)
 {
 	u32 reg_val;
+	long cmax;
 
-	reg_val = DIV_ROUND_CLOSEST(val * st->r_sense_uohm[channel], LTC2992_IADC_NANOV_LSB);
-	reg_val = reg_val << 4;
+	cmax = DIV_ROUND_CLOSEST_ULL(0xFFFULL * LTC2992_IADC_NANOV_LSB,
+				     st->r_sense_uohm[channel]);
+	val = max(val, 0L);
+	val = min(val, cmax);
+	reg_val = min(DIV_ROUND_CLOSEST_ULL((u64)val * st->r_sense_uohm[channel],
+					    LTC2992_IADC_NANOV_LSB),
+		      0xFFFULL) << 4;
 
 	return ltc2992_write_reg(st, reg, 2, reg_val);
 }
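Review bot: `cmax` divides by `st->r_sense_uohm[channel]`; if that value can be zero (a missing or zero shunt resistance from firmware description), DIV_ROUND_CLOSEST_ULL() divides by zero on a user-triggered sysfs write. The probe-time validation is not visible in this hunk; either confirm it rejects a zero r_sense or return -EINVAL here before the division. `clamp(val, 0L, cmax)` would replace the max()/min() pair.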
@@ -624,9 +636,18 @@ static int ltc2992_get_power(struct ltc2
 static int ltc2992_set_power(struct ltc2992_state *st, u32 reg, u32 channel, long val)
 {
 	u32 reg_val;
+	u64 pmax, uval;
 
-	reg_val = mul_u64_u32_div(val, st->r_sense_uohm[channel] * 1000,
-				  LTC2992_VADC_UV_LSB * LTC2992_IADC_NANOV_LSB);
+	uval = max(val, 0L);
+	pmax = mul_u64_u32_div(0xFFFFFFULL,
+			       LTC2992_VADC_UV_LSB / 1000 *
+			       LTC2992_IADC_NANOV_LSB,
+			       st->r_sense_uohm[channel]);
+	uval = min(uval, pmax);
+	reg_val = min(mul_u64_u32_div(uval, st->r_sense_uohm[channel],
+				      LTC2992_VADC_UV_LSB / 1000 *
+				      LTC2992_IADC_NANOV_LSB),
+		      0xFFFFFFULL);
 
 	return ltc2992_write_reg(st, reg, 3, reg_val);
 }
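Review bot: the expression `LTC2992_VADC_UV_LSB / 1000 * LTC2992_IADC_NANOV_LSB` is spelled out twice in this hunk (and once more in the read-path fix); a named constant computed the same way, with a comment noting the cancellation is exact because LTC2992_VADC_UV_LSB is a multiple of 1000, would keep the copies from drifting apart. `uval = max(val, 0L);` assigns a `long` to a `u64`, which is correct after the clamp but reads oddly; `uval = val < 0 ? 0 : val;` states the intent directly.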



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 226/474] hwmon: (ltc2992) Fix u32 overflow in power read path
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (224 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 225/474] hwmon: (ltc2992) Clamp threshold writes to hardware range Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 227/474] clk: rk808: fix OF node reference imbalance Greg Kroah-Hartman
                   ` (248 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Sanman Pradhan, Guenter Roeck

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sanman Pradhan <psanman@juniper.net>

commit 2da0c1fd01dbd6b22844e8676585153dfc660cbe upstream.

ltc2992_get_power() computes the divisor for mul_u64_u32_div() as
r_sense_uohm * 1000. This multiplication overflows u32 when
r_sense_uohm exceeds about 4.29 ohms (4294967 micro-ohms), producing
a truncated divisor and an incorrect power reading.

Cancel the factor of 1000 from both the numerator
(VADC_UV_LSB * IADC_NANOV_LSB = 312500000) and the divisor
(r_sense_uohm * 1000), giving (VADC_UV_LSB / 1000) * IADC_NANOV_LSB
= 312500 as the numerator and plain r_sense_uohm as the divisor.
The cancellation is exact because LTC2992_VADC_UV_LSB (25000) is
divisible by 1000.

This is the read-path counterpart of the write-path fix applied in
the preceding patch.

Fixes: b0bd407e94b03 ("hwmon: (ltc2992) Add support")
Cc: stable@vger.kernel.org
Signed-off-by: Sanman Pradhan <psanman@juniper.net>
Link: https://lore.kernel.org/r/20260416215904.101969-3-sanman.pradhan@hpe.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hwmon/ltc2992.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/hwmon/ltc2992.c
+++ b/drivers/hwmon/ltc2992.c
@@ -627,8 +627,10 @@ static int ltc2992_get_power(struct ltc2
 	if (reg_val < 0)
 		return reg_val;
 
-	*val = mul_u64_u32_div(reg_val, LTC2992_VADC_UV_LSB * LTC2992_IADC_NANOV_LSB,
-			       st->r_sense_uohm[channel] * 1000);
+	*val = mul_u64_u32_div(reg_val,
+			       LTC2992_VADC_UV_LSB / 1000 *
+			       LTC2992_IADC_NANOV_LSB,
+			       st->r_sense_uohm[channel]);
 
 	return 0;
 }
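Review bot: the divisor is now plain `st->r_sense_uohm[channel]`, so a zero shunt value would fault on every read instead of yielding a wrapped divisor; if r_sense_uohm is not validated at probe, this hunk should bail out with -EINVAL before the division. The `LTC2992_VADC_UV_LSB / 1000 * LTC2992_IADC_NANOV_LSB` expression is duplicated with the write path and would be clearer as one named constant shared by both.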



^ permalink raw reply	[flat|nested] 476+ messages in thread
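The two ltc2992 fixes above (the clamp-then-convert pattern for a user-supplied threshold in patch 225, and the cancelled divisor in the power read path in patch 226) as one added example in plain C; this is not the ltc2992 driver's code. The LSB constants are the ones the commit messages state (25000 uV and 12500 nV per LSB); the field widths, function names and the sample shunt values are assumptions for this example. The wrapping variant is kept only to make the pre-fix discrepancy visible.

```c
/*
 * Added example, not the ltc2992 driver's code: clamp a user-supplied
 * millivolt threshold before converting it, and cancel the factor of
 * 1000 in the power read path instead of computing r_sense * 1000 in
 * 32 bits. LSB constants are from the commit text; the rest is assumed.
 */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define VADC_UV_LSB     25000u     /* uV per voltage LSB (from commit)   */
#define IADC_NANOV_LSB  12500u     /* nV per current LSB (from commit)   */
#define VFIELD_MAX      0xFFFu     /* 12-bit threshold, left-justified   */
#define PFIELD_MAX      0xFFFFFFu  /* 24-bit power threshold             */
/* (VADC_UV_LSB * IADC_NANOV_LSB) / 1000, exact because 25000 % 1000 == 0 */
#define POWER_LSB_NUM   (VADC_UV_LSB / 1000u * IADC_NANOV_LSB)   /* 312500 */

/* DIV_ROUND_CLOSEST for non-negative 64-bit operands. */
static uint64_t div_round_closest_u64(uint64_t n, uint64_t d)
{
	return (n + d / 2) / d;
}

/*
 * Millivolts -> 16-bit register (12-bit code << 4). Negative inputs clamp
 * to 0 and inputs above what a full-scale code represents clamp to that
 * maximum *before* the multiply, so val * 1000 cannot overflow; the code
 * is clamped once more because rounding vmax can land one LSB high.
 */
uint32_t mv_to_vreg(long val_mv, uint32_t scale_uv)
{
	long vmax = (long)div_round_closest_u64((uint64_t)VFIELD_MAX * scale_uv, 1000);
	uint64_t code;

	if (val_mv < 0)
		val_mv = 0;
	if (val_mv > vmax)
		val_mv = vmax;

	code = div_round_closest_u64((uint64_t)val_mv * 1000, scale_uv);
	if (code > VFIELD_MAX)
		code = VFIELD_MAX;
	return (uint32_t)(code << 4);
}

/* 24-bit power code -> microwatts with the factor of 1000 cancelled. */
uint64_t preg_to_uw(uint32_t reg, uint32_t r_sense_uohm)
{
	return (uint64_t)reg * POWER_LSB_NUM / r_sense_uohm;
}

/*
 * The pre-fix formula: the divisor r_sense_uohm * 1000 is computed in
 * 32 bits and wraps once r_sense_uohm exceeds 4294967 (about 4.29 ohm),
 * silently producing a wrong reading. Kept only to show the effect.
 */
uint64_t preg_to_uw_wrapping(uint32_t reg, uint32_t r_sense_uohm)
{
	uint32_t divisor = r_sense_uohm * 1000u;	/* u32 wraparound */

	return (uint64_t)reg * (VADC_UV_LSB * IADC_NANOV_LSB) / divisor;
}

int main(void)
{
	printf("1000 mV -> 0x%04x, -5 mV -> 0x%04x, LONG_MAX -> 0x%04x\n",
	       (unsigned int)mv_to_vreg(1000, VADC_UV_LSB),
	       (unsigned int)mv_to_vreg(-5, VADC_UV_LSB),
	       (unsigned int)mv_to_vreg(LONG_MAX, VADC_UV_LSB));
	printf("full-scale power at 5 ohm: fixed %llu uW, wrapping %llu uW\n",
	       (unsigned long long)preg_to_uw(PFIELD_MAX, 5000000u),
	       (unsigned long long)preg_to_uw_wrapping(PFIELD_MAX, 5000000u));
	return 0;
}
```

The two power functions agree for shunts below about 4.29 ohm and diverge above it, which is the u32 overflow the second commit describes; the voltage path shows why the clamp has to happen in the caller's unit, before the multiply, rather than on the register value afterwards.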

* [PATCH 6.6 227/474] clk: rk808: fix OF node reference imbalance
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (225 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 226/474] hwmon: (ltc2992) Fix u32 overflow in power read path Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 228/474] hwmon: (corsair-psu) Close HID device on probe errors Greg Kroah-Hartman
                   ` (247 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sebastian Reichel, Johan Hovold,
	Brian Masney, Heiko Stuebner, Stephen Boyd

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit de019f203b0d472c98ead4081ad4f05d92c9b826 upstream.

The driver reuses the OF node of the parent multi-function device but
fails to take another reference to balance the one dropped by the
platform bus code when unbinding the MFD and deregistering the child
devices.

Fix this by using the intended helper for reusing OF nodes.

Fixes: 2dc51ca822e4 ("clk: RK808: Reduce 'struct rk808' usage")
Cc: stable@vger.kernel.org	# 6.5
Cc: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Reviewed-by: Brian Masney <bmasney@redhat.com>
Reviewed-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/clk/clk-rk808.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/clk/clk-rk808.c
+++ b/drivers/clk/clk-rk808.c
@@ -153,7 +153,7 @@ static int rk808_clkout_probe(struct pla
 	struct rk808_clkout *rk808_clkout;
 	int ret;
 
-	dev->of_node = pdev->dev.parent->of_node;
+	device_set_of_node_from_dev(dev, dev->parent);
 
 	rk808_clkout = devm_kzalloc(dev,
 				    sizeof(*rk808_clkout), GFP_KERNEL);
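Review bot: the replaced line read `pdev->dev.parent->of_node` while the new call uses `dev->parent`; the two are equivalent only if `dev` is `&pdev->dev`, which the visible context does not show but is presumably set up a few lines above. device_set_of_node_from_dev() also sets `of_node_reused`, so beyond fixing the refcount it tells the driver core the node is shared (pinctrl_bind_pins(), for one, skips such devices); that is the intended behaviour for an MFD child and deserves a sentence in the commit message.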



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 228/474] hwmon: (corsair-psu) Close HID device on probe errors
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (226 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 227/474] clk: rk808: fix OF node reference imbalance Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 229/474] af_unix: Reject SIOCATMARK on non-stream sockets Greg Kroah-Hartman
                   ` (246 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Myeonghun Pak, Wilken Gottwalt,
	Guenter Roeck

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Myeonghun Pak <mhun512@gmail.com>

commit 174606451fbb17db506ebaacdd5e203e57773d5f upstream.

corsairpsu_probe() opens the HID device before sending the device init
and firmware-info commands. If either command fails, the error path jumps
directly to fail_and_stop and skips hid_hw_close().

Use the existing fail_and_close label for those post-open failures so the
open count and low-level close callback are balanced before hid_hw_stop().

Fixes: d115b51e0e56 ("hwmon: add Corsair PSU HID controller driver")
Cc: stable@vger.kernel.org
Signed-off-by: Myeonghun Pak <mhun512@gmail.com>
Reviewed-by: Wilken Gottwalt <wilken.gottwalt@posteo.net>
Link: https://lore.kernel.org/r/20260424135107.13720-1-mhun512@gmail.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hwmon/corsair-psu.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/hwmon/corsair-psu.c
+++ b/drivers/hwmon/corsair-psu.c
@@ -805,13 +805,13 @@ static int corsairpsu_probe(struct hid_d
 	ret = corsairpsu_init(priv);
 	if (ret < 0) {
 		dev_err(&hdev->dev, "unable to initialize device (%d)\n", ret);
-		goto fail_and_stop;
+		goto fail_and_close;
 	}
 
 	ret = corsairpsu_fwinfo(priv);
 	if (ret < 0) {
 		dev_err(&hdev->dev, "unable to query firmware (%d)\n", ret);
-		goto fail_and_stop;
+		goto fail_and_close;
 	}
 
 	corsairpsu_get_criticals(priv);
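Review bot: redirecting the two post-hid_hw_open() failures to `fail_and_close` is right, but the label itself is outside the hunk; confirm it calls hid_hw_close() and then falls through to `fail_and_stop` so hid_hw_stop() still runs. It is also worth checking that any failure after `corsairpsu_get_criticals(priv);` (hwmon registration, not shown) takes the same path, otherwise the same open/close imbalance remains there.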



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 229/474] af_unix: Reject SIOCATMARK on non-stream sockets
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (227 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 228/474] hwmon: (corsair-psu) Close HID device on probe errors Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 230/474] block: add pgmap check to biovec_phys_mergeable Greg Kroah-Hartman
                   ` (245 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
	Juefei Pu, Xin Liu, Kuniyuki Iwashima, Jiexun Wang, Ren Wei,
	Jakub Kicinski

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiexun Wang <wangjiexun2025@gmail.com>

commit d119775f2bad827edc28071c061fdd4a91f889a5 upstream.

SIOCATMARK reports whether the receive queue is at the urgent mark for
MSG_OOB.

In AF_UNIX, MSG_OOB is supported only for SOCK_STREAM sockets.
SOCK_DGRAM and SOCK_SEQPACKET reject MSG_OOB in sendmsg() and recvmsg(),
so they should not support SIOCATMARK either.

Return -EOPNOTSUPP for non-stream sockets before checking the receive
queue.

Fixes: 314001f0bf92 ("af_unix: Add OOB support")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Suggested-by: Kuniyuki Iwashima <kuniyu@google.com>
Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260506140825.2987635-1-n05ec@lzu.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/unix/af_unix.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -2807,6 +2807,9 @@ again:
 				goto out;
 			}
 
+			if (sk->sk_type != SOCK_STREAM)
+				return -EOPNOTSUPP;
+
 			mutex_lock(&u->iolock);
 			goto redo;
 unlock:
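Review bot: this hunk does not appear to land in the SIOCATMARK handler the commit message describes. The surrounding context (`goto out;`, then `mutex_lock(&u->iolock); goto redo;` and the `unlock:` label, under a function marker of `again:`) is the blocking-receive retry loop of unix_stream_read_generic(), not the `case SIOCATMARK:` block of unix_ioctl(); the upstream context line `mutex_lock(&u->iolock)` most likely matched here with fuzz because the 6.6 ioctl code differs. Placed here the check is a no-op for SOCK_STREAM readers, and a bare `return -EOPNOTSUPP` would skip the `out:` cleanup of that loop. Please verify against the upstream diff and move the test into unix_ioctl() ahead of the receive-queue peek.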



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 230/474] block: add pgmap check to biovec_phys_mergeable
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (228 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 229/474] af_unix: Reject SIOCATMARK on non-stream sockets Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 231/474] cifs: abort open_cached_dir if we dont request leases Greg Kroah-Hartman
                   ` (244 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Naman Jain,
	Jens Axboe

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Naman Jain <namjain@linux.microsoft.com>

commit 13920e4b7b784b40cf4519ff1f0f3e513476a499 upstream.

biovec_phys_mergeable() is used by the request merge, DMA mapping,
and integrity merge paths to decide if two physically contiguous
bvec segments can be coalesced into one. It currently has no check
for whether the segments belong to different dev_pagemaps.

When zone device memory is registered in multiple chunks, each chunk
gets its own dev_pagemap. A single bio can legitimately contain
bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at
pgmap boundaries but the outer loop in bio_iov_iter_get_pages()
continues filling the same bio. If such bvecs are physically
contiguous, biovec_phys_mergeable() will coalesce them, making it
impossible to recover the correct pgmap for the merged segment
via page_pgmap().

Add a zone_device_pages_have_same_pgmap() check to prevent merging
bvec segments that span different pgmaps.

Fixes: 49580e690755 ("block: add check when merging zone device pages")
Cc: stable@vger.kernel.org
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Naman Jain <namjain@linux.microsoft.com>
Link: https://patch.msgid.link/20260410153414.4159050-2-namjain@linux.microsoft.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 block/blk.h |    2 ++
 1 file changed, 2 insertions(+)

--- a/block/blk.h
+++ b/block/blk.h
@@ -95,6 +95,8 @@ static inline bool biovec_phys_mergeable
 
 	if (addr1 + vec1->bv_len != addr2)
 		return false;
+	if (!zone_device_pages_have_same_pgmap(vec1->bv_page, vec2->bv_page))
+		return false;
 	if (xen_domain() && !xen_biovec_phys_mergeable(vec1, vec2->bv_page))
 		return false;
 	if ((addr1 | mask) != ((addr2 + vec2->bv_len - 1) | mask))
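Review bot: the new `zone_device_pages_have_same_pgmap()` call now runs on every bvec merge attempt, and biovec_phys_mergeable() sits on the request-merge and DMA-mapping fast paths; confirm the helper bails out cheaply (an is_zone_device_page() test on both pages) before touching any pgmap, or order it after the `xen_domain()` test, which is a cheap static check. Ordering it after the address-contiguity test is right, since most pairs fail there first.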



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 231/474] cifs: abort open_cached_dir if we dont request leases
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (229 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 230/474] block: add pgmap check to biovec_phys_mergeable Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 232/474] cifs: change_conf needs to be called for session setup Greg Kroah-Hartman
                   ` (243 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Bharath SM, Shyam Prasad N,
	Steve French

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shyam Prasad N <sprasad@microsoft.com>

commit d68ce834f8cf6cb2e77f3331df65166b35466b53 upstream.

It is possible that SMB2_open_init may not set lease context based
on the requested oplock level. This can happen when leases have been
temporarily or permanently disabled. When this happens, we will have
open_cached_dir making an open without lease context and the response
will anyway be rejected by open_cached_dir (thereby forcing a close to
discard this open). That's two unnecessary round-trips to the server.

This change adds a check before making the open request to the server
to make sure that SMB2_open_init did add the expected lease context
to the open in open_cached_dir.

Cc: <stable@vger.kernel.org>
Reviewed-by: Bharath SM <bharathsm@microsoft.com>
Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/smb/client/cached_dir.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/fs/smb/client/cached_dir.c
+++ b/fs/smb/client/cached_dir.c
@@ -261,6 +261,14 @@ replay_again:
 			    &rqst[0], &oplock, &oparms, utf16_path);
 	if (rc)
 		goto oshr_free;
+
+	if (oplock != SMB2_OPLOCK_LEVEL_II) {
+		rc = -EINVAL;
+		cifs_dbg(FYI, "%s: Oplock level %d not suitable for cached directory\n",
+			 __func__, oplock);
+		goto oshr_free;
+	}
+
 	smb2_set_next_command(tcon, &rqst[0]);
 
 	memset(&qi_iov, 0, sizeof(qi_iov));
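Review bot: `-EINVAL` signals an invalid argument from the caller, but the condition here is a runtime policy outcome (SMB2_open_init() did not request a lease because leases are disabled); `-EOPNOTSUPP` would let callers tell "directory caching unavailable right now" apart from a real bug. Minor: put the `cifs_dbg()` before `rc = -EINVAL;` so the debug line reads as the reason for the error code that follows.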



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 232/474] cifs: change_conf needs to be called for session setup
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (230 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 231/474] cifs: abort open_cached_dir if we dont request leases Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 233/474] extcon: ptn5150: handle pending IRQ events during system resume Greg Kroah-Hartman
                   ` (242 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Bharath SM, Shyam Prasad N,
	Steve French

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shyam Prasad N <sprasad@microsoft.com>

commit c208a2b95811d6e1ebae65d0d2fc13f73707f8e7 upstream.

Today we skip calling change_conf for negotiates and session setup
requests. This can be a problem for mchan as the immediate next call
after session setup could be due to an I/O that is made on the
mount point. For single channel, this is not a problem as
there will be several calls after setting up session.

This change enforces calling change_conf when the total credits contain
enough for reservations for echoes and oplocks. We expect this to happen
during the last session setup response. This way, echoes and oplocks are
not disabled before the first request to the server. So if that first
request is an open, it does not need to disable requesting leases.

Cc: <stable@vger.kernel.org>
Reviewed-by: Bharath SM <bharathsm@microsoft.com>
Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/smb/client/smb2ops.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/fs/smb/client/smb2ops.c
+++ b/fs/smb/client/smb2ops.c
@@ -96,10 +96,21 @@ smb2_add_credits(struct TCP_Server_Info
 	}
 	WARN_ON_ONCE(server->in_flight == 0);
 	server->in_flight--;
+
+	/*
+	 * Rebalance credits when an op drains in_flight. For session setup,
+	 * do this only when the total accumulated credits are high enough (>2)
+	 * so that a newly established secondary channel can reserve credits for
+	 * echoes and oplocks. We expect this to happen at the end of the final
+	 * session setup response.
+	 */
 	if (server->in_flight == 0 &&
 	   ((optype & CIFS_OP_MASK) != CIFS_NEG_OP) &&
 	   ((optype & CIFS_OP_MASK) != CIFS_SESS_OP))
 		rc = change_conf(server);
+	else if (server->in_flight == 0 &&
+		 ((optype & CIFS_OP_MASK) == CIFS_SESS_OP) && *val > 2)
+		rc = change_conf(server);
 	/*
 	 * Sometimes server returns 0 credits on oplock break ack - we need to
 	 * rebalance credits in this case.
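Review bot: the `else if` branch has the same body as the `if` above it, so the two can be folded into a single condition (not NEG, and either not SESS or `*val > 2`). The literal `2` stands for "one credit reserved for echo plus one for oplock break"; derive it from the existing reservation constants instead of a magic number, and let the comment's "high enough (>2)" explain that derivation.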



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 233/474] extcon: ptn5150: handle pending IRQ events during system resume
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (231 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 232/474] cifs: change_conf needs to be called for session setup Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 234/474] gpio: of: clear OF_POPULATED on hog nodes in remove path Greg Kroah-Hartman
                   ` (241 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, MyungJoo Ham,
	Xu Yang, Chanwoo Choi

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xu Yang <xu.yang_2@nxp.com>

commit 4652fefcda3c604c83d1ae28ede94544e2142f06 upstream.

When the system is suspended and the ptn5150 wakeup interrupt is disabled,
any changes on ptn5150 will only be recorded in the interrupt status
registers and won't fire an IRQ since its trigger type is falling
edge. So the HW interrupt line will stay at low state and any further
changes won't trigger an IRQ anymore. To fix it, this will schedule a
work to check whether any IRQs are pending and handle them accordingly.

Fixes: 4ed754de2d66 ("extcon: Add support for ptn5150 extcon driver")
Cc: stable@vger.kernel.org
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Acked-by: MyungJoo Ham <myungjoo.ham@samsung.com>
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
Link: https://lore.kernel.org/lkml/20251115025905.1395347-1-xu.yang_2@nxp.com/
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/extcon/extcon-ptn5150.c |   14 ++++++++++++++
 1 file changed, 14 insertions(+)

--- a/drivers/extcon/extcon-ptn5150.c
+++ b/drivers/extcon/extcon-ptn5150.c
@@ -331,6 +331,19 @@ static int ptn5150_i2c_probe(struct i2c_
 	return 0;
 }
 
+static int ptn5150_resume(struct device *dev)
+{
+	struct i2c_client *i2c = to_i2c_client(dev);
+	struct ptn5150_info *info = i2c_get_clientdata(i2c);
+
+	/* Need to check possible pending interrupt events */
+	schedule_work(&info->irq_work);
+
+	return 0;
+}
+
+static DEFINE_SIMPLE_DEV_PM_OPS(ptn5150_pm_ops, NULL, ptn5150_resume);
+
 static const struct of_device_id ptn5150_dt_match[] = {
 	{ .compatible = "nxp,ptn5150" },
 	{ },
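Review bot: `schedule_work(&info->irq_work)` on every resume is unconditional, while the commit message scopes the problem to the case where the wakeup interrupt was disabled; if the IRQ is configured as a wake source the handler already runs and this queues a redundant poll. Gating on `!device_may_wakeup(dev)` would match the description. Also confirm the remove path cancels or flushes `irq_work`, so a resume immediately before unbind cannot leave the work running against a freed `info`.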
@@ -346,6 +359,7 @@ MODULE_DEVICE_TABLE(i2c, ptn5150_i2c_id)
 static struct i2c_driver ptn5150_i2c_driver = {
 	.driver		= {
 		.name	= "ptn5150",
+		.pm = pm_sleep_ptr(&ptn5150_pm_ops),
 		.of_match_table = ptn5150_dt_match,
 	},
 	.probe		= ptn5150_i2c_probe,
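Review bot: `.pm = pm_sleep_ptr(&ptn5150_pm_ops),` breaks the tab alignment used by `.name	=` and the other initializers in this struct; align it the same way.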



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 234/474] gpio: of: clear OF_POPULATED on hog nodes in remove path
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Linus Walleij, Andy Shevchenko,
	Bartosz Golaszewski

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>

commit bbee90e750262bfb406d66dc65c46d616d2b6673 upstream.

The previously set OF_POPULATED flag should be cleared on the hog nodes
when removing the chip.

Cc: stable@vger.kernel.org
Fixes: 63636d956c455 ("gpio: of: Add DT overlay support for GPIO hogs")
Acked-by: Linus Walleij <linusw@kernel.org>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://patch.msgid.link/20260309-gpio-hog-fwnode-v2-1-4e61f3dbf06a@oss.qualcomm.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpio/gpiolib-of.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/gpio/gpiolib-of.c
+++ b/drivers/gpio/gpiolib-of.c
@@ -1136,5 +1136,12 @@ int of_gpiochip_add(struct gpio_chip *ch
 
 void of_gpiochip_remove(struct gpio_chip *chip)
 {
-	of_node_put(dev_of_node(&chip->gpiodev->dev));
+	struct device_node *np = dev_of_node(&chip->gpiodev->dev);
+
+	for_each_child_of_node_scoped(np, child) {
+		if (of_property_present(child, "gpio-hog"))
+			of_node_clear_flag(child, OF_POPULATED);
+	}
+
+	of_node_put(np);
 }
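Review bot: for_each_child_of_node_scoped() was not part of the 6.6 release as far as I know, so this backport only builds if the macro and the __free(device_node) cleanup it relies on have been brought into linux-6.6.y; if they have not, use for_each_child_of_node(np, child) here (the loop has no early exit, so no extra of_node_put() is needed). Also, the loop clears OF_POPULATED on every child carrying a gpio-hog property regardless of whether the add path actually populated it; that is harmless on remove, but the changelog, which currently only says the flag "should be cleared", could say so.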




* [PATCH 6.6 235/474] hv_sock: fix ARM64 support
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dexuan Cui, Hamza Mahfooz,
	Stefano Garzarella, Jakub Kicinski

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>

commit b31681206e3f527970a7c7ed807fbf6a028fc25b upstream.

VMBUS ring buffers must be page aligned. Therefore, the current value of
24K presents a challenge on ARM64 kernels (with 64K pages). So, use
VMBUS_RING_SIZE() to ensure they are always aligned and large enough to
hold all of the relevant data.

Cc: stable@vger.kernel.org
Fixes: 77ffe33363c0 ("hv_sock: use HV_HYP_PAGE_SIZE for Hyper-V communication")
Tested-by: Dexuan Cui <decui@microsoft.com>
Reviewed-by: Dexuan Cui <decui@microsoft.com>
Signed-off-by: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
Acked-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://patch.msgid.link/20260428125339.13963-1-hamzamahfooz@linux.microsoft.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/vmw_vsock/hyperv_transport.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/vmw_vsock/hyperv_transport.c
+++ b/net/vmw_vsock/hyperv_transport.c
@@ -375,10 +375,10 @@ static void hvs_open_connection(struct v
 	} else {
 		sndbuf = max_t(int, sk->sk_sndbuf, RINGBUFFER_HVS_SND_SIZE);
 		sndbuf = min_t(int, sndbuf, RINGBUFFER_HVS_MAX_SIZE);
-		sndbuf = ALIGN(sndbuf, HV_HYP_PAGE_SIZE);
+		sndbuf = VMBUS_RING_SIZE(sndbuf);
 		rcvbuf = max_t(int, sk->sk_rcvbuf, RINGBUFFER_HVS_RCV_SIZE);
 		rcvbuf = min_t(int, rcvbuf, RINGBUFFER_HVS_MAX_SIZE);
-		rcvbuf = ALIGN(rcvbuf, HV_HYP_PAGE_SIZE);
+		rcvbuf = VMBUS_RING_SIZE(rcvbuf);
 	}
 
 	chan->max_pkt_size = HVS_MAX_PKT_SIZE;
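Review bot: the clamp to RINGBUFFER_HVS_MAX_SIZE now happens before VMBUS_RING_SIZE() adds the ring header and rounds up to a page, so a request at the maximum ends up larger than RINGBUFFER_HVS_MAX_SIZE (by the header plus up to one page, which on a 64K-page ARM64 kernel is not negligible). If the maximum is a hard host-side limit, apply the clamp after the adjustment or lower the limit accordingly; if it is only a sanity bound on the payload, a comment at these lines saying so would stop the next reader from having to work that out.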




* [PATCH 6.6 236/474] ibmveth: Disable GSO for packets with small MSS
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Brian King, Shaik Abdulla,
	Naveed Ahmed, Mingming Cao, Jakub Kicinski

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mingming Cao <mmc@linux.ibm.com>

commit cc427d24ac6442ffdeafd157a63c7c5b73ed4de4 upstream.

Some physical adapters on Power systems do not support segmentation
offload when the MSS is less than 224 bytes. Attempting to send such
packets causes the adapter to freeze, stopping all traffic until
manually reset.

Implement ndo_features_check to disable GSO for packets with small MSS
values. The network stack will perform software segmentation instead.

The 224-byte minimum matches ibmvnic commit f10b09ef687f ("ibmvnic:
Enforce stronger sanity checks on GSO packets"), which uses the same
physical adapters in SEA configurations.

The issue occurs specifically when the hardware attempts to perform
segmentation (gso_segs > 1) with a small MSS. Single-segment GSO packets
(gso_segs == 1) do not trigger the problematic LSO code path and are
transmitted normally without segmentation.

Add an ndo_features_check callback to disable GSO when MSS < 224 bytes.
Also call vlan_features_check() to ensure proper handling of VLAN packets,
particularly QinQ (802.1ad) configurations where the hardware parser may
not support certain offload features.

Validated using iptables to force small MSS values. Without the fix,
the adapter freezes. With the fix, packets are segmented in software
and transmission succeeds. Comprehensive regression testing completed
(MSS tests, performance, stability).

Fixes: 8641dd85799f ("ibmveth: Add support for TSO")
Cc: stable@vger.kernel.org
Reviewed-by: Brian King <bjking1@linux.ibm.com>
Tested-by: Shaik Abdulla <shaik.abdulla1@ibm.com>
Tested-by: Naveed Ahmed <naveedaus@in.ibm.com>
Signed-off-by: Mingming Cao <mmc@linux.ibm.com>
Link: https://patch.msgid.link/20260424162917.65725-1-mmc@linux.ibm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/ibm/ibmveth.c |   22 ++++++++++++++++++++++
 drivers/net/ethernet/ibm/ibmveth.h |    1 +
 2 files changed, 23 insertions(+)

--- a/drivers/net/ethernet/ibm/ibmveth.c
+++ b/drivers/net/ethernet/ibm/ibmveth.c
@@ -1630,6 +1630,27 @@ static int ibmveth_set_mac_addr(struct n
 	return 0;
 }
 
+static netdev_features_t ibmveth_features_check(struct sk_buff *skb,
+						struct net_device *dev,
+						netdev_features_t features)
+{
+	/* Some physical adapters do not support segmentation offload with
+	 * MSS < 224. Disable GSO for such packets to avoid adapter freeze.
+	 * Note: Single-segment packets (gso_segs == 1) don't need this check
+	 * as they bypass the LSO path and are transmitted without segmentation.
+	 */
+	if (skb_is_gso(skb)) {
+		if (skb_shinfo(skb)->gso_size < IBMVETH_MIN_LSO_MSS) {
+			netdev_warn_once(dev,
+					 "MSS %u too small for LSO, disabling GSO\n",
+					 skb_shinfo(skb)->gso_size);
+			features &= ~NETIF_F_GSO_MASK;
+		}
+	}
+
+	return vlan_features_check(skb, features);
+}
+
 static const struct net_device_ops ibmveth_netdev_ops = {
 	.ndo_open		= ibmveth_open,
 	.ndo_stop		= ibmveth_close,
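Review bot: the comment says single-segment packets (gso_segs == 1) do not need this check, but the condition only tests gso_size, so GSO is stripped from them as well. Either add `skb_shinfo(skb)->gso_segs > 1` to the test or reword the comment to say they are deliberately included because stripping GSO from a one-segment packet is harmless. Separately, netdev_warn_once() means only the first small-MSS packet is ever reported; if the condition is expected to recur in production, a counter (an ethtool statistic, for instance) would be more useful to operators than a one-shot warning.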
@@ -1641,6 +1662,7 @@ static const struct net_device_ops ibmve
 	.ndo_set_features	= ibmveth_set_features,
 	.ndo_validate_addr	= eth_validate_addr,
 	.ndo_set_mac_address    = ibmveth_set_mac_addr,
+	.ndo_features_check	= ibmveth_features_check,
 #ifdef CONFIG_NET_POLL_CONTROLLER
 	.ndo_poll_controller	= ibmveth_poll_controller,
 #endif
--- a/drivers/net/ethernet/ibm/ibmveth.h
+++ b/drivers/net/ethernet/ibm/ibmveth.h
@@ -36,6 +36,7 @@
 #define IBMVETH_ILLAN_IPV4_TCP_CSUM		0x0000000000000002UL
 #define IBMVETH_ILLAN_ACTIVE_TRUNK		0x0000000000000001UL
 
+#define IBMVETH_MIN_LSO_MSS		224	/* Minimum MSS for LSO */
 /* hcall macros */
 #define h_register_logical_lan(ua, buflst, rxq, fltlst, mac) \
   plpar_hcall_norets(H_REGISTER_LOGICAL_LAN, ua, buflst, rxq, fltlst, mac)
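Review bot: style: add a blank line between the new IBMVETH_MIN_LSO_MSS define and the following `/* hcall macros */` comment so the constant is not read as part of the hcall block, and align its value column with the neighbouring IBMVETH_ILLAN_* defines.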




* [PATCH 6.6 237/474] udf: reject descriptors with oversized CRC length
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Jan Kara

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 55d41b0a20128e86b9e960dd2e3f0a2d69a18df7 upstream.

udf_read_tagged() skips CRC verification when descCRCLength +
sizeof(struct tag) exceeds the block size.  A crafted UDF image can
set descCRCLength to an oversized value to bypass CRC validation
entirely; the descriptor is then accepted based solely on the 8-bit
tag checksum, which is trivially recomputable.

Reject such descriptors instead of silently accepting them.  A
legitimate single-block descriptor should never have a CRC length that
exceeds the block.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260413211240.853662-1-michael.bommarito@gmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/udf/misc.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/fs/udf/misc.c
+++ b/fs/udf/misc.c
@@ -230,8 +230,12 @@ struct buffer_head *udf_read_tagged(stru
 	}
 
 	/* Verify the descriptor CRC */
-	if (le16_to_cpu(tag_p->descCRCLength) + sizeof(struct tag) > sb->s_blocksize ||
-	    le16_to_cpu(tag_p->descCRC) == crc_itu_t(0,
+	if (le16_to_cpu(tag_p->descCRCLength) + sizeof(struct tag) > sb->s_blocksize) {
+		udf_err(sb, "block %u: CRC length %u exceeds block size\n",
+			block, le16_to_cpu(tag_p->descCRCLength));
+		goto error_out;
+	}
+	if (le16_to_cpu(tag_p->descCRC) == crc_itu_t(0,
 					bh->b_data + sizeof(struct tag),
 					le16_to_cpu(tag_p->descCRCLength)))
 		return bh;
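Review bot: le16_to_cpu(tag_p->descCRCLength) is now evaluated three times in this function (the bounds check, the error message and the crc_itu_t() call); hoist it into a local such as `u16 crclen` once and use it in all three places. Separately, udf_err() fires on every read of an offending block, so a damaged or crafted image that is read repeatedly will repeat the message; consider whether a rate-limited variant is warranted, given that the purpose of the change is to make such images fail safely rather than loudly.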




* [PATCH 6.6 238/474] thermal/drivers/sprd: Fix temperature clamping in sprd_thm_temp_to_rawdata
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Daniel Lezcano,
	Baolin Wang

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thorsten Blum <thorsten.blum@linux.dev>

commit 83c0f9a5d679a6f8d84fc49b2f62ea434ccab4b6 upstream.

The temperature was never clamped to SPRD_THM_TEMP_LOW or
SPRD_THM_TEMP_HIGH because the return value of clamp() was not used. Fix
this by assigning the clamped value to 'temp'.

Casting SPRD_THM_TEMP_LOW and SPRD_THM_TEMP_HIGH to int is also
redundant and can be removed.

Fixes: 554fdbaf19b1 ("thermal: sprd: Add Spreadtrum thermal driver support")
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Daniel Lezcano <daniel.lezcano@kernel.org>
Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260307102422.306055-1-thorsten.blum@linux.dev
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/thermal/sprd_thermal.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/thermal/sprd_thermal.c
+++ b/drivers/thermal/sprd_thermal.c
@@ -192,7 +192,7 @@ static int sprd_thm_temp_to_rawdata(int
 {
 	u32 val;
 
-	clamp(temp, (int)SPRD_THM_TEMP_LOW, (int)SPRD_THM_TEMP_HIGH);
+	temp = clamp(temp, SPRD_THM_TEMP_LOW, SPRD_THM_TEMP_HIGH);
 
 	/*
 	 * According to the thermal datasheet, the formula of converting
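Review bot: since the old clamp() was a no-op, this patch changes the raw value programmed for out-of-range temperatures (they were previously fed into the conversion formula unclamped); a sentence in the changelog stating that the clamped behaviour is the intended one for threshold programming would help anyone bisecting a thermal regression to this commit. Dropping the (int) casts is fine provided SPRD_THM_TEMP_LOW and SPRD_THM_TEMP_HIGH are plain int constants.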




* [PATCH 6.6 239/474] thermal/drivers/sprd: Fix raw temperature clamping in sprd_thm_rawdata_to_temp
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Daniel Lezcano,
	Baolin Wang

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thorsten Blum <thorsten.blum@linux.dev>

commit b3414148bbc1f9cd56217e58a558c6ac4fd1b4a6 upstream.

The raw temperature data was never clamped to SPRD_THM_RAW_DATA_LOW or
SPRD_THM_RAW_DATA_HIGH because the return value of clamp() was not used.
Fix this by assigning the clamped value to 'rawdata'.

Casting SPRD_THM_RAW_DATA_LOW and SPRD_THM_RAW_DATA_HIGH to u32 is also
redundant and can be removed.

Fixes: 554fdbaf19b1 ("thermal: sprd: Add Spreadtrum thermal driver support")
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Daniel Lezcano <daniel.lezcano@kernel.org>
Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260307102422.306055-2-thorsten.blum@linux.dev
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/thermal/sprd_thermal.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/thermal/sprd_thermal.c
+++ b/drivers/thermal/sprd_thermal.c
@@ -178,7 +178,7 @@ static int sprd_thm_sensor_calibration(s
 static int sprd_thm_rawdata_to_temp(struct sprd_thermal_sensor *sen,
 				    u32 rawdata)
 {
-	clamp(rawdata, (u32)SPRD_THM_RAW_DATA_LOW, (u32)SPRD_THM_RAW_DATA_HIGH);
+	rawdata = clamp(rawdata, SPRD_THM_RAW_DATA_LOW, SPRD_THM_RAW_DATA_HIGH);
 
 	/*
 	 * According to the thermal datasheet, the formula of converting
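Review bot: `rawdata` is u32 while the now-uncast SPRD_THM_RAW_DATA_LOW/HIGH are presumably plain integer constants; the relaxed clamp() type rules that accept an unsigned value against signed non-negative constants postdate 6.6 as far as I know, so confirm this backport compiles against the 6.6 minmax.h (the (u32) casts being removed were probably there to satisfy the stricter check). If it does not, keep the casts in the backport or define the macros as unsigned.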




* [PATCH 6.6 240/474] spi: topcliff-pch: fix use-after-free on unbind
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tomoya MORINAGA, Johan Hovold,
	Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 9d72732fe70c11424bc90ed466c7ccfa58b42a9a upstream.

Give the driver a chance to flush its queue before releasing the DMA
buffers on driver unbind.

Fixes: c37f3c2749b5 ("spi/topcliff_pch: DMA support")
Cc: stable@vger.kernel.org	# 3.1
Cc: Tomoya MORINAGA <tomoya-linux@dsn.okisemi.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260414134319.978196-9-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-topcliff-pch.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/spi/spi-topcliff-pch.c
+++ b/drivers/spi/spi-topcliff-pch.c
@@ -1406,9 +1406,6 @@ static void pch_spi_pd_remove(struct pla
 	dev_dbg(&plat_dev->dev, "%s:[ch%d] irq=%d\n",
 		__func__, plat_dev->id, board_dat->pdev->irq);
 
-	if (use_dma)
-		pch_free_dma_buf(board_dat, data);
-
 	/* check for any pending messages; no action is taken if the queue
 	 * is still full; but at least we tried.  Unload anyway */
 	count = 500;
@@ -1432,6 +1429,9 @@ static void pch_spi_pd_remove(struct pla
 		free_irq(board_dat->pdev->irq, data);
 	}
 
+	if (use_dma)
+		pch_free_dma_buf(board_dat, data);
+
 	pci_iounmap(board_dat->pdev, data->io_remap_addr);
 	spi_unregister_master(data->master);
 }
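Review bot: freeing the DMA buffers after free_irq() is the right order, but the drain loop above is explicitly best-effort ("no action is taken if the queue is still full; but at least we tried"), so a transfer still in flight when the loop gives up can still complete against buffers that pch_free_dma_buf() has already released. The changelog should say whether the DMA channels are terminated before this point, or that the remaining window is accepted, since the subject promises a use-after-free fix.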




* [PATCH 6.6 241/474] clk: imx: imx8-acm: fix flags for acm clocks
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Stefan Eichenberger, Shengjiu Wang,
	Peng Fan, Abel Vesa

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stefan Eichenberger <stefan.eichenberger@toradex.com>

commit f2c2fc93b4a3efdfcf3805ab74741826d343ff2c upstream.

Currently, the flags for the ACM clocks are set to 0. This configuration
causes the fsl-sai audio driver to fail when attempting to set the
sysclk, returning an EINVAL error. The following error messages
highlight the issue:
fsl-sai 59090000.sai: ASoC: error at snd_soc_dai_set_sysclk on 59090000.sai: -22
imx-hdmi sound-hdmi: failed to set cpu sysclk: -22

By setting the flag CLK_SET_RATE_NO_REPARENT, we signal that the ACM
driver does not support reparenting and instead relies on the clock tree
as defined in the device tree. This change resolves the issue with the
fsl-sai audio driver.

CC: stable@vger.kernel.org
Fixes: d3a0946d7ac9 ("clk: imx: imx8: add audio clock mux driver")
Signed-off-by: Stefan Eichenberger <stefan.eichenberger@toradex.com>
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Link: https://patch.msgid.link/20260212085750.3253187-1-shengjiu.wang@nxp.com
Signed-off-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/clk/imx/clk-imx8-acm.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/clk/imx/clk-imx8-acm.c
+++ b/drivers/clk/imx/clk-imx8-acm.c
@@ -368,7 +368,8 @@ static int imx8_acm_clk_probe(struct pla
 	for (i = 0; i < priv->soc_data->num_sels; i++) {
 		hws[sels[i].clkid] = devm_clk_hw_register_mux_parent_data_table(dev,
 										sels[i].name, sels[i].parents,
-										sels[i].num_parents, 0,
+										sels[i].num_parents,
+										CLK_SET_RATE_NO_REPARENT,
 										base + sels[i].reg,
 										sels[i].shift, sels[i].width,
 										0, NULL, NULL);
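Review bot: the reason for CLK_SET_RATE_NO_REPARENT lives only in the changelog; add a short comment above the devm_clk_hw_register_mux_parent_data_table() call saying that the ACM muxes must keep the parent selected in the device tree and that rate requests must not reparent them. Also consider whether CLK_SET_RATE_PARENT is wanted alongside it: without it, a clk_set_rate() on the mux does not propagate to the selected parent, which may well be intended here but is worth stating.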




* [PATCH 6.6 242/474] clk: microchip: mpfs-ccc: fix out of bounds access during output registration
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Brian Masney, Conor Dooley

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Conor Dooley <conor.dooley@microchip.com>

commit 2f7ae8ab6aa73daaf080d5332110357c29df9c36 upstream.

UBSAN reported an out of bounds access during registration of the last
two outputs. This out of bounds access occurs because space is only
allocated in the hws array for two PLLs and the four output dividers
that each has, but the defined IDs contain two DLLS and their two
outputs each, which are not supported by the driver. The ID order is
PLLs -> DLLs -> PLL outputs -> DLL outputs. Decrement the PLL output IDs
by two while adding them to the array to avoid the problem.

Fixes: d39fb172760e ("clk: microchip: add PolarFire SoC fabric clock support")
CC: stable@vger.kernel.org
Reviewed-by: Brian Masney <bmasney@redhat.com>
Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/clk/microchip/clk-mpfs-ccc.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/clk/microchip/clk-mpfs-ccc.c
+++ b/drivers/clk/microchip/clk-mpfs-ccc.c
@@ -178,7 +178,7 @@ static int mpfs_ccc_register_outputs(str
 			return dev_err_probe(dev, ret, "failed to register clock id: %d\n",
 					     out_hw->id);
 
-		data->hw_data.hws[out_hw->id] = &out_hw->divider.hw;
+		data->hw_data.hws[out_hw->id - 2] = &out_hw->divider.hw;
 	}
 
 	return 0;
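Review bot: the literal 2 in `out_hw->id - 2` is the number of DLL IDs that sit between the PLL IDs and the PLL output IDs in the binding's ID order; give it a name (a define next to the clock tables, or the ARRAY_SIZE of a DLL ID list if the header has one) or at least a comment at this line, since the explanation currently lives only in the probe() comment and the changelog, and the two places are easy to let drift apart.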
@@ -234,6 +234,10 @@ static int mpfs_ccc_probe(struct platfor
 	unsigned int num_clks;
 	int ret;
 
+	/*
+	 * If DLLs get added here, mpfs_ccc_register_outputs() currently packs
+	 * sparse clock IDs in the hws array
+	 */
 	num_clks = ARRAY_SIZE(mpfs_ccc_pll_clks) + ARRAY_SIZE(mpfs_ccc_pll0out_clks) +
 		   ARRAY_SIZE(mpfs_ccc_pll1out_clks);
 




* [PATCH 6.6 243/474] cpuidle: powerpc: avoid double clear when breaking snooze
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mukesh Kumar Chaurasiya (IBM),
	Shrikanth Hegde, Madhavan Srinivasan

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shrikanth Hegde <sshegde@linux.ibm.com>

commit 64ed1e3e728afb57ba9acb59e69de930ead847d9 upstream.

snooze_loop is done often in any system which has fair bit of
idle time. So it qualifies for even micro-optimizations.

When breaking the snooze due to timeout, TIF_POLLING_NRFLAG is cleared
twice. Clearing the bit invokes atomics. Avoid double clear and thereby
avoid one atomic write.

dev->poll_time_limit indicates whether the loop was broken due to
timeout. Use that instead of defining a new variable.

Fixes: 7ded429152e8 ("cpuidle: powerpc: no memory barrier after break from idle")
Cc: stable@vger.kernel.org
Reviewed-by: Mukesh Kumar Chaurasiya (IBM) <mkchauras@gmail.com>
Signed-off-by: Shrikanth Hegde <sshegde@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260311061709.1230440-1-sshegde@linux.ibm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/cpuidle/cpuidle-powernv.c |    5 ++++-
 drivers/cpuidle/cpuidle-pseries.c |    5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/cpuidle/cpuidle-powernv.c
+++ b/drivers/cpuidle/cpuidle-powernv.c
@@ -95,7 +95,10 @@ static int snooze_loop(struct cpuidle_de
 
 	HMT_medium();
 	ppc64_runlatch_on();
-	clear_thread_flag(TIF_POLLING_NRFLAG);
+
+	/* Avoid double clear when breaking */
+	if (!dev->poll_time_limit)
+		clear_thread_flag(TIF_POLLING_NRFLAG);
 
 	local_irq_disable();
 
--- a/drivers/cpuidle/cpuidle-pseries.c
+++ b/drivers/cpuidle/cpuidle-pseries.c
@@ -63,7 +63,10 @@ int snooze_loop(struct cpuidle_device *d
 	}
 
 	HMT_medium();
-	clear_thread_flag(TIF_POLLING_NRFLAG);
+
+       /* Avoid double clear when breaking */
+	if (!dev->poll_time_limit)
+		clear_thread_flag(TIF_POLLING_NRFLAG);
 
 	raw_local_irq_disable();
 




* [PATCH 6.6 244/474] ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk table
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Tommaso Soncin, Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tommaso Soncin <soncintommaso@gmail.com>

commit d63c219b7ff39f897da10c160a2edef76320f16c upstream.

Add a DMI quirk for the HP OMEN Gaming Laptop 16-ap0xxx line fixing the
issue where the internal microphone was not detected.

Cc: stable@vger.kernel.org
Signed-off-by: Tommaso Soncin <soncintommaso@gmail.com>
Link: https://patch.msgid.link/20260429160858.538986-1-soncintommaso@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/amd/yc/acp6x-mach.c |   14 ++++++++++++++
 1 file changed, 14 insertions(+)

--- a/sound/soc/amd/yc/acp6x-mach.c
+++ b/sound/soc/amd/yc/acp6x-mach.c
@@ -55,6 +55,13 @@ static const struct dmi_system_id yc_acp
 	{
 		.driver_data = &acp6x_card,
 		.matches = {
+			DMI_MATCH(DMI_BOARD_VENDOR, "HP"),
+			DMI_MATCH(DMI_PRODUCT_NAME, "OMEN Gaming Laptop 16-ap0xxx"),
+		}
+	},
+	{
+		.driver_data = &acp6x_card,
+		.matches = {
 			DMI_MATCH(DMI_BOARD_VENDOR, "Dell Inc."),
 			DMI_MATCH(DMI_PRODUCT_NAME, "Dell G15 5525"),
 		}
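Review bot: the new HP entry is inserted ahead of the Dell entries near the top of the table, whereas the second hunk adds another HP match much further down; if the table is meant to be grouped by vendor, place both HP entries next to each other (and next to any existing HP entries) rather than splitting them.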
@@ -648,6 +655,13 @@ static const struct dmi_system_id yc_acp
 		}
 	},
 	{
+		.driver_data = &acp6x_card,
+		.matches = {
+			DMI_MATCH(DMI_BOARD_VENDOR, "HP"),
+			DMI_MATCH(DMI_BOARD_NAME, "8E35"),
+		}
+	},
+	{
 		.driver_data = &acp6x_card,
 		.matches = {
 			DMI_MATCH(DMI_BOARD_VENDOR, "MECHREVO"),
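Review bot: the changelog mentions one quirk for the 16-ap0xxx product line, yet the patch adds two entries, one keyed on DMI_PRODUCT_NAME and one on DMI_BOARD_NAME "8E35"; explain why both are needed (for example firmware revisions reporting different product strings), otherwise one of them looks redundant and a later reviewer cannot tell which to keep.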




* [PATCH 6.6 245/474] ASoC: fsl_easrc: fix comment typo
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Joseph Salisbury, Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Joseph Salisbury <joseph.salisbury@oracle.com>

commit 804dce6c73fdfa44184ee4e8b09abad7f5da408f upstream.

The file contains a spelling error in a source comment (funciton).

Typos in comments reduce readability and make text searches less reliable
for developers and maintainers.

Replace 'funciton' with 'function' in the affected comment. This is a
comment-only cleanup and does not change behavior.

Fixes: 955ac624058f ("ASoC: fsl_easrc: Add EASRC ASoC CPU DAI drivers")
Cc: stable@vger.kernel.org
Signed-off-by: Joseph Salisbury <joseph.salisbury@oracle.com>
Link: https://patch.msgid.link/20260316180545.144032-1-joseph.salisbury@oracle.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/fsl/fsl_easrc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/soc/fsl/fsl_easrc.c
+++ b/sound/soc/fsl/fsl_easrc.c
@@ -1286,7 +1286,7 @@ static int fsl_easrc_request_context(int
 /*
  * Release the context
  *
- * This funciton is mainly doing the revert thing in request context
+ * This function is mainly doing the revert thing in request context
  */
 static void fsl_easrc_release_context(struct fsl_asrc_pair *ctx)
 {
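Review bot: while this comment is being touched, "is mainly doing the revert thing in request context" could become "undoes what fsl_easrc_request_context() did", which is what it means and is also easier to search for.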




* [PATCH 6.6 246/474] ASoC: Intel: bytcr_wm5102: Fix MCLK leak on platform_clock_control error
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Cezary Rojewski,
	Hans de Goede, Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

commit 13d30682e8dee191ac04e93642f0372a723e8b0c upstream.

If byt_wm5102_prepare_and_enable_pll1() fails in the
SND_SOC_DAPM_EVENT_ON() path, platform_clock_control() returns after
clk_prepare_enable(priv->mclk) without disabling the clock again.

This leaks an MCLK enable reference on failed power-up attempts. Add the
missing clk_disable_unprepare() on the error path, matching the unwind
used by the other Intel platform_clock_control() implementations.

Fixes: 9a87fc1e0619 ("ASoC: Intel: bytcr_wm5102: Add machine driver for BYT/WM5102")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Reviewed-by: Cezary Rojewski <cezary.rojewski@intel.com>
Reviewed-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
Link: https://patch.msgid.link/20260427-bytcr-wm5102-mclk-leak-v1-1-02b96d08e99c@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/intel/boards/bytcr_wm5102.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/soc/intel/boards/bytcr_wm5102.c
+++ b/sound/soc/intel/boards/bytcr_wm5102.c
@@ -111,6 +111,7 @@ static int platform_clock_control(struct
 		ret = byt_wm5102_prepare_and_enable_pll1(codec_dai, 48000);
 		if (ret) {
 			dev_err(card->dev, "Error setting codec sysclk: %d\n", ret);
+			clk_disable_unprepare(priv->mclk);
 			return ret;
 		}
 	} else {
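Review bot: the added clk_disable_unprepare() balances the clk_prepare_enable(priv->mclk) that the commit message says precedes this block, but that call lies outside the hunk's context; confirm nothing else acquired between it and this `return ret;` (a codec sysclk setting, for instance) also needs reverting, otherwise the error path is still only partially unwound.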



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 247/474] ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (245 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 246/474] ASoC: Intel: bytcr_wm5102: Fix MCLK leak on platform_clock_control error Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 248/474] ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens Greg Kroah-Hartman
                   ` (227 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Stable, Srinivas Kandagatla,
	Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>

commit cab45ab95ce7600fc0ff84585c77fd45b7b0d67c upstream.

Reset queue pointer on SNDRV_PCM_TRIGGER_STOP event to be in line
with resetting appl_ptr. Without this we will end up with a queue_ptr
out of sync and the driver could try to send data that is not ready yet.

Fix this by resetting the queue_ptr.

Fixes: 3d4a4411aa8bb ("ASoC: q6apm-dai: schedule all available frames to avoid dsp under-runs")
Cc: Stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20260402081118.348071-6-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/qcom/qdsp6/q6apm-dai.c |    1 +
 sound/soc/qcom/qdsp6/q6apm.c     |    2 ++
 2 files changed, 3 insertions(+)

--- a/sound/soc/qcom/qdsp6/q6apm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6apm-dai.c
@@ -321,6 +321,7 @@ static int q6apm_dai_trigger(struct snd_
 	case SNDRV_PCM_TRIGGER_STOP:
 		/* TODO support be handled via SoftPause Module */
 		prtd->state = Q6APM_STREAM_STOPPED;
+		prtd->queue_ptr = 0;
 		break;
 	case SNDRV_PCM_TRIGGER_SUSPEND:
 	case SNDRV_PCM_TRIGGER_PAUSE_PUSH:
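Review bot: the reset is tied by the commit message to the appl_ptr reset on stop, but nothing at the call site says so; a comment such as `/* appl_ptr is reset on stop, keep queue_ptr in step */` beside `prtd->queue_ptr = 0;` would record the coupling, since the TODO comment above it says nothing about queue_ptr. SUSPEND and PAUSE_PUSH directly below get no reset; if resuming from those with the old queue_ptr is intended, a word to that effect would stop the next reader from "fixing" it.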
--- a/sound/soc/qcom/qdsp6/q6apm.c
+++ b/sound/soc/qcom/qdsp6/q6apm.c
@@ -225,6 +225,8 @@ int q6apm_map_memory_regions(struct q6ap
 
 	mutex_lock(&graph->lock);
 
+	data->dsp_buf = 0;
+
 	if (data->buf) {
 		mutex_unlock(&graph->lock);
 		return 0;
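Review bot: `data->dsp_buf = 0;` runs unconditionally, including on the early-return path where `data->buf` is already mapped, and the commit message never mentions dsp_buf; add a sentence explaining why the DSP-side buffer index must be rewound whenever regions are (re)mapped and whether rewinding it while a buffer is already mapped is deliberate.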



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 248/474] ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (246 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 247/474] ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 249/474] ASoC: qcom: q6apm: remove child devices when apm is removed Greg Kroah-Hartman
                   ` (226 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Stable, Srinivas Kandagatla,
	Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>

commit 69acc488aaf39d0ddf6c3cf0e47c1873d39919a2 upstream.

As prepare can be called multiple times, this can result in multiple
graph opens for the playback path.

This will result in memory leaks; fix this by adding a check before
opening.

Fixes: be1fae62cf25 ("ASoC: q6apm-lpass-dai: close graph on prepare errors")
Cc: Stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20260402081118.348071-5-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/qcom/qdsp6/q6apm-lpass-dais.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/soc/qcom/qdsp6/q6apm-lpass-dais.c
+++ b/sound/soc/qcom/qdsp6/q6apm-lpass-dais.c
@@ -175,7 +175,7 @@ static int q6apm_lpass_dai_prepare(struc
 	 * It is recommend to load DSP with source graph first and then sink
 	 * graph, so sequence for playback and capture will be different
 	 */
-	if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) {
+	if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK && dai_data->graph[dai->id] == NULL) {
 		graph = q6apm_graph_open(dai->dev, NULL, dai->dev, graph_id);
 		if (IS_ERR(graph)) {
 			dev_err(dai->dev, "Failed to open graph (%d)\n", graph_id);
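Review bot: the new condition runs well past 80 columns; kernel style would split it as `if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK &&` followed by `    !dai_data->graph[dai->id]) {`, and checkpatch prefers `!ptr` over `== NULL`. When the graph is already open the whole `if` is skipped, so verify that the code after this hunk does not then treat the local `graph` as freshly opened.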



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 249/474] ASoC: qcom: q6apm: remove child devices when apm is removed
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (247 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 248/474] ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:45 ` [PATCH 6.6 250/474] btrfs: fix double free in create_space_info() error path Greg Kroah-Hartman
                   ` (225 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Stable, Srinivas Kandagatla,
	Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>

commit 4a0e1bcc98f7281d1605768bd2fe71eacc34f9b7 upstream.

Looks like the q6apm driver does not remove the child drivers q6apm-dai and
q6apm-bedais when this driver is removed.

Fix this by depopulating them in remove callback.

With this change when the dsp is shutdown all the devices associated with
q6apm will now be removed.

Fixes: 5477518b8a0e ("ASoC: qdsp6: audioreach: add q6apm support")
Cc: Stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20260402081118.348071-3-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/qcom/qdsp6/q6apm.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/soc/qcom/qdsp6/q6apm.c
+++ b/sound/soc/qcom/qdsp6/q6apm.c
@@ -781,6 +781,7 @@ static int apm_probe(gpr_device_t *gdev)
 
 static void apm_remove(gpr_device_t *gdev)
 {
+	of_platform_depopulate(&gdev->dev);
 	snd_soc_unregister_component(&gdev->dev);
 }
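Review bot: the ordering is right (children are depopulated before the parent's component is unregistered); what the hunk cannot show is the probe side, so confirm apm_probe() creates the children via of_platform_populate() under &gdev->dev, otherwise of_platform_depopulate() is a no-op and the leak described in the commit message remains.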
 



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 250/474] btrfs: fix double free in create_space_info() error path
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (248 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 249/474] ASoC: qcom: q6apm: remove child devices when apm is removed Greg Kroah-Hartman
@ 2026-05-15 15:45 ` Greg Kroah-Hartman
  2026-05-15 15:46 ` [PATCH 6.6 251/474] dm-thin: fix metadata refcount underflow Greg Kroah-Hartman
                   ` (224 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:45 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Qu Wenruo, Guangshuo Li,
	David Sterba

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guangshuo Li <lgs201920130244@gmail.com>

commit 3f487be81292702a59ea9dbc4088b3360a50e837 upstream.

When kobject_init_and_add() fails, the call chain is:

create_space_info()
-> btrfs_sysfs_add_space_info_type()
-> kobject_init_and_add()
-> failure
-> kobject_put(&space_info->kobj)
-> space_info_release()
-> kfree(space_info)

Then control returns to create_space_info():

btrfs_sysfs_add_space_info_type() returns error
-> goto out_free
-> kfree(space_info)

This causes a double free.

Keep the direct kfree(space_info) for the earlier failure path, but
after btrfs_sysfs_add_space_info_type() has called kobject_put(), let
the kobject release callback handle the cleanup.

Fixes: a11224a016d6d ("btrfs: fix memory leaks in create_space_info() error paths")
CC: stable@vger.kernel.org # 6.19+
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/btrfs/space-info.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/btrfs/space-info.c
+++ b/fs/btrfs/space-info.c
@@ -293,7 +293,7 @@ static int create_space_info(struct btrf
 
 	ret = btrfs_sysfs_add_space_info_type(info, space_info);
 	if (ret)
-		goto out_free;
+		return ret;
 
 	list_add(&space_info->list, &info->space_info);
 	if (flags & BTRFS_BLOCK_GROUP_DATA)
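Review bot: a bare `return ret;` right after a failed registration call reads like a leak; add a comment at the return stating that btrfs_sysfs_add_space_info_type() has already dropped the kobject reference and space_info_release() freed space_info. Also check that the `out_free` label still has a user after this hunk (the commit message says the earlier failure path keeps it), or the compiler will warn about an unused label.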



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 251/474] dm-thin: fix metadata refcount underflow
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (249 preceding siblings ...)
  2026-05-15 15:45 ` [PATCH 6.6 250/474] btrfs: fix double free in create_space_info() error path Greg Kroah-Hartman
@ 2026-05-15 15:46 ` Greg Kroah-Hartman
  2026-05-15 15:46 ` [PATCH 6.6 252/474] dm: dont report warning when doing deferred remove Greg Kroah-Hartman
                   ` (223 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Mikulas Patocka

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit 09a65adc7d8bbfce06392cb6d375468e2728ead5 upstream.

There's a bug in dm-thin in the function rebalance_children. If the
internal btree node has one entry, the code tries to copy all btree
entries from the node's child to the node itself and then decrement the
child's reference count.

If the child node is shared (it has reference count > 1), we won't free
it, so there would be two pointers to each of the grandchildren nodes.
But the reference counts of the grandchildren are not increased, thus the
reference count doesn't match the number of pointers that point to the
grandchildren. This results in "device mapper: space map common: unable
to decrement block" errors.

Fix this bug by incrementing reference counts on the grandchildren if the
btree node is shared.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Fixes: 3241b1d3e0aa ("dm: add persistent data library")
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/persistent-data/dm-btree-remove.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/md/persistent-data/dm-btree-remove.c
+++ b/drivers/md/persistent-data/dm-btree-remove.c
@@ -490,12 +490,20 @@ static int rebalance_children(struct sha
 
 	if (le32_to_cpu(n->header.nr_entries) == 1) {
 		struct dm_block *child;
+		int is_shared;
 		dm_block_t b = value64(n, 0);
 
+		r = dm_tm_block_is_shared(info->tm, b, &is_shared);
+		if (r)
+			return r;
+
 		r = dm_tm_read_lock(info->tm, b, &btree_node_validator, &child);
 		if (r)
 			return r;
 
+		if (is_shared)
+			inc_children(info->tm, dm_block_data(child), vt);
+
 		memcpy(n, dm_block_data(child),
 		       dm_bm_block_size(dm_tm_get_bm(info->tm)));
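Review bot: dm_tm_block_is_shared() is consulted before the child is read-locked, which is only safe if nothing can change the sharing state in between; a one-line comment stating why (a single writer per transaction) and why the grandchildren need an extra reference (their block numbers are about to live in two nodes at once, n's copy and the still-shared child) would make the intent clear to the next reader of rebalance_children().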
 



^ permalink raw reply	[flat|nested] 476+ messages in thread
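The refcount invariant the commit message above describes, as an added userland C example that is not the kernel's code: a toy transaction manager with one reference count per block, the single-entry collapse step from rebalance_children() with and without the inc_children() call, and a checker that counts live pointers to each block. The names (toy_tm, collapse_single_entry, refcount_mismatches) and the block layout are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define NBLOCKS 8
#define FANOUT  4

/* One btree node: an internal node stores the block numbers of its children. */
struct node {
	unsigned nr_entries;
	unsigned child[FANOUT];
};

/* Stand-in for transaction manager + space map: node contents and a
 * per-block reference count (constructed for the example). */
struct toy_tm {
	struct node blocks[NBLOCKS];
	unsigned refcount[NBLOCKS];
};

static int block_is_shared(const struct toy_tm *tm, unsigned b)
{
	return tm->refcount[b] > 1;   /* dm_tm_block_is_shared() */
}

/* Take one extra reference on every block that node n points at. */
static void inc_children(struct toy_tm *tm, const struct node *n)
{
	for (unsigned i = 0; i < n->nr_entries; i++)
		tm->refcount[n->child[i]]++;
}

/* dm_tm_dec(): drop one reference; at zero the block itself is freed.
 * Like the space map, this does not touch the children's counts. */
static void dec_block(struct toy_tm *tm, unsigned b)
{
	if (--tm->refcount[b] == 0)
		tm->blocks[b].nr_entries = 0;
}

/* The rebalance_children() step: a node with a single entry absorbs its
 * child's entries and drops its reference to the child. `fixed` selects
 * whether a shared child's grandchildren are inc'd first. */
static void collapse_single_entry(struct toy_tm *tm, unsigned n_idx, int fixed)
{
	struct node *n = &tm->blocks[n_idx];
	unsigned child;

	if (n->nr_entries != 1)
		return;
	child = n->child[0];
	if (fixed && block_is_shared(tm, child))
		inc_children(tm, &tm->blocks[child]);
	*n = tm->blocks[child];   /* memcpy(n, dm_block_data(child), block size) */
	dec_block(tm, child);
}

/* Invariant: refcount[b] == pointers to b (one per root plus one per entry
 * in every live node). Returns how many blocks violate it. */
static int refcount_mismatches(const struct toy_tm *tm,
			       const unsigned *roots, unsigned nroots)
{
	unsigned pointers[NBLOCKS] = { 0 };
	int bad = 0;

	for (unsigned i = 0; i < nroots; i++)
		pointers[roots[i]]++;
	for (unsigned b = 0; b < NBLOCKS; b++) {
		if (tm->refcount[b] == 0)
			continue;
		for (unsigned i = 0; i < tm->blocks[b].nr_entries; i++)
			pointers[tm->blocks[b].child[i]]++;
	}
	for (unsigned b = 0; b < NBLOCKS; b++)
		if (tm->refcount[b] != pointers[b])
			bad++;
	return bad;
}

/* Constructed layout: root block 0 has a single entry pointing at block 1,
 * which has grandchildren 3 and 4. With `shared`, a second root (block 2,
 * e.g. a snapshot) also points at block 1, so its refcount is 2. */
static void build_tree(struct toy_tm *tm, int shared)
{
	memset(tm, 0, sizeof(*tm));
	tm->blocks[0] = (struct node){ 1, { 1 } };
	tm->blocks[1] = (struct node){ 2, { 3, 4 } };
	tm->refcount[0] = 1;
	tm->refcount[1] = 1;
	tm->refcount[3] = 1;
	tm->refcount[4] = 1;
	if (shared) {
		tm->blocks[2] = (struct node){ 1, { 1 } };
		tm->refcount[2] = 1;
		tm->refcount[1]++;
	}
}

/* Number of blocks whose refcount no longer matches the pointers to them. */
static int mismatches_after_collapse(int shared, int fixed)
{
	static const unsigned roots[2] = { 0, 2 };
	struct toy_tm tm;

	build_tree(&tm, shared);
	collapse_single_entry(&tm, 0, fixed);
	return refcount_mismatches(&tm, roots, shared ? 2 : 1);
}

int main(void)
{
	printf("shared child, old code:  %d mismatches\n", mismatches_after_collapse(1, 0));
	printf("shared child, fixed:     %d mismatches\n", mismatches_after_collapse(1, 1));
	printf("unshared child, either:  %d mismatches\n", mismatches_after_collapse(0, 0));
	return 0;
}
```

The unshared case passes either way: the child is freed by the decrement and only the parent's copy references the grandchildren afterwards. Only when the child survives the decrement do its pointers and the parent's copy both count, which is exactly what the inc_children() step compensates for, and what the "unable to decrement block" errors flag once the count hits zero too early.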

* [PATCH 6.6 252/474] dm: dont report warning when doing deferred remove
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (250 preceding siblings ...)
  2026-05-15 15:46 ` [PATCH 6.6 251/474] dm-thin: fix metadata refcount underflow Greg Kroah-Hartman
@ 2026-05-15 15:46 ` Greg Kroah-Hartman
  2026-05-15 15:46 ` [PATCH 6.6 253/474] dm: fix a buffer overflow in ioctl processing Greg Kroah-Hartman
                   ` (222 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Mikulas Patocka, Zdenek Kabelac

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit b7cce3e2cca9cd78418f3c3784474b778e7996fe upstream.

If dm_hash_remove_all was called from dm_deferred_remove, it would write
a warning "remove_all left %d open device(s)" if there are some other
devices active.

The warning is bogus, so let's disable it in this case.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reported-by: Zdenek Kabelac <zkabelac@redhat.com>
Cc: stable@vger.kernel.org
Fixes: 2c140a246dc0 ("dm: allow remove to be deferred")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/dm-ioctl.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -384,7 +384,7 @@ retry:
 
 	up_write(&_hash_lock);
 
-	if (dev_skipped)
+	if (dev_skipped && !only_deferred)
 		DMWARN("remove_all left %d open device(s)", dev_skipped);
 }
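Review bot: with `!only_deferred` a deferred-remove pass that skips open devices becomes entirely silent; since this count was the only trace of it, consider a DMDEBUG() for the only_deferred case so the information is still available when debugging a removal that never completes.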
 



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 253/474] dm: fix a buffer overflow in ioctl processing
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (251 preceding siblings ...)
  2026-05-15 15:46 ` [PATCH 6.6 252/474] dm: dont report warning when doing deferred remove Greg Kroah-Hartman
@ 2026-05-15 15:46 ` Greg Kroah-Hartman
  2026-05-15 15:46 ` [PATCH 6.6 254/474] eventfs: Hold eventfs_mutex and SRCU when remount walks events Greg Kroah-Hartman
                   ` (221 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tony Asleson, Mikulas Patocka,
	Bryn M. Reeves

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit 2fa49cc884f6496a915c35621ba4da35649bf159 upstream.

Tony Asleson (using Claude) found a buffer overflow in dm-ioctl in the
function retrieve_status:

1. The code in retrieve_status checks that the output string fits into
   the output buffer and writes the output string there
2. Then, the code aligns the "outptr" variable to the next 8-byte
   boundary:
	outptr = align_ptr(outptr);
3. The alignment doesn't check overflow, so outptr could point past the
   buffer end
4. The "for" loop is iterated again, it executes:
	remaining = len - (outptr - outbuf);
5. If "outptr" points past "outbuf + len", the arithmetic wraps around
   and the variable "remaining" contains an unusually high number
6. With "remaining" being high, the code writes more data past the end of
   the buffer

Luckily, this bug has no security implications because:
1. Only root can issue device mapper ioctls
2. The commonly used libraries that communicate with device mapper
   (libdevmapper and devicemapper-rs) use a buffer size that is aligned to
   8 bytes - thus, "outptr = align_ptr(outptr)" can't overshoot the input
   buffer and the bug can't happen accidentally

Reported-by: Tony Asleson <tasleson@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reviewed-by: Bryn M. Reeves <bmr@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/dm-ioctl.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -1341,6 +1341,10 @@ static void retrieve_status(struct dm_ta
 		used = param->data_start + (outptr - outbuf);
 
 		outptr = align_ptr(outptr);
+		if (!outptr || outptr > outbuf + len) {
+			param->flags |= DM_BUFFER_FULL_FLAG;
+			break;
+		}
 		spec->next = outptr - outbuf;
 	}
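Review bot: after the new `break`, `spec->next` of the last target written keeps whatever it held before; that is acceptable only because DM_BUFFER_FULL_FLAG tells userspace to discard the result, so say so in a comment. The `!outptr` half of the condition only matters if align_ptr() can wrap a pointer near the top of the address space to NULL; if that is the intent, name it, otherwise `outptr > outbuf + len` alone covers the overshoot the commit message describes.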
 



^ permalink raw reply	[flat|nested] 476+ messages in thread
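The six-step failure sequence in the commit message above, as an added userland C example that is not the kernel's code: the retrieve_status() packing loop is modelled on buffer offsets instead of raw pointers so the unsigned wrap in "remaining = len - (outptr - outbuf)" can be observed without ever writing out of bounds, and the fixed variant applies the bound right after the alignment step. The names (pack_status_strings, pack_result, run_model) and the sample strings are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ALIGN8(x) (((x) + (size_t)7) & ~(size_t)7)   /* align_ptr() on an offset */

struct pack_result {
	bool buffer_full;      /* DM_BUFFER_FULL_FLAG: output is incomplete */
	size_t written;        /* bytes stored inside buf[0..len) */
	size_t overflow_bytes; /* bytes the unchecked loop WOULD write past buf+len */
};

/* Pack NUL-terminated status strings into buf[len], aligning the cursor to
 * 8 bytes after each one. `checked` selects the fixed behaviour (bound the
 * cursor immediately after aligning it). With checked == false the loop
 * mirrors the original code, except that the out-of-bounds write is
 * recorded in overflow_bytes instead of being performed. */
static struct pack_result pack_status_strings(char *buf, size_t len,
					      const char *const *items,
					      size_t n, bool checked)
{
	struct pack_result res = { false, 0, 0 };
	size_t off = 0;

	for (size_t i = 0; i < n; i++) {
		size_t need = strlen(items[i]) + 1;
		/* Same expression as the driver; unsigned, so it wraps to a
		 * huge value once alignment has pushed off beyond len. */
		size_t remaining = len - off;

		if (off > len) {
			/* The unchecked code trusts `remaining` here and
			 * writes `need` bytes past the end. Record and stop. */
			res.overflow_bytes = need;
			break;
		}
		if (need > remaining) {          /* the existing length check */
			res.buffer_full = true;
			break;
		}
		memcpy(buf + off, items[i], need);
		off += need;
		res.written = off;

		off = ALIGN8(off);               /* outptr = align_ptr(outptr) */
		if (checked && off > len) {      /* the fix from this patch */
			res.buffer_full = true;
			break;
		}
	}
	return res;
}

/* Constructed input: "target-a\0" is 9 bytes, so a 13-byte buffer (not a
 * multiple of 8, unlike what libdevmapper passes) leaves the aligned cursor
 * at 16, three bytes past the end. */
static const char *const sample_items[] = { "target-a", "b" };

static struct pack_result run_model(size_t len, bool checked)
{
	char buf[64] = { 0 };   /* larger than any len used, so writes stay in bounds */
	return pack_status_strings(buf, len, sample_items, 2, checked);
}

/* Bytes the original loop would have written past a 13-byte buffer. */
static size_t unchecked_overflow_bytes(void)
{
	return run_model(13, false).overflow_bytes;
}

/* With the bound check, the same input ends in BUFFER_FULL with no overflow. */
static bool checked_reports_full(void)
{
	struct pack_result r = run_model(13, true);
	return r.buffer_full && r.overflow_bytes == 0 && r.written == 9;
}

/* An 8-byte-multiple buffer never lets the cursor overshoot: the second item
 * is rejected by the ordinary "need > remaining" test in both variants. */
static bool aligned_len_is_safe(void)
{
	struct pack_result a = run_model(16, false), b = run_model(16, true);
	return a.buffer_full && b.buffer_full &&
	       a.overflow_bytes == 0 && b.overflow_bytes == 0;
}

int main(void)
{
	printf("unchecked overflow bytes: %zu\n", unchecked_overflow_bytes());
	printf("checked reports full:     %d\n", checked_reports_full());
	printf("8-aligned length safe:    %d\n", aligned_len_is_safe());
	return 0;
}
```

The third function is the reason the commit message can call the bug hard to hit accidentally: with a buffer length that is a multiple of 8 the aligned cursor can reach `len` but never exceed it, so `remaining` bottoms out at zero rather than wrapping.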

* [PATCH 6.6 254/474] eventfs: Hold eventfs_mutex and SRCU when remount walks events
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (252 preceding siblings ...)
  2026-05-15 15:46 ` [PATCH 6.6 253/474] dm: fix a buffer overflow in ioctl processing Greg Kroah-Hartman
@ 2026-05-15 15:46 ` Greg Kroah-Hartman
  2026-05-15 15:46 ` [PATCH 6.6 255/474] dm-verity-fec: correctly reject too-small FEC devices Greg Kroah-Hartman
                   ` (220 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, David Carlier, Steven Rostedt

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Carlier <devnexen@gmail.com>

commit 07004a8c4b572171934390148ee48c4175c77eed upstream.

Commit 340f0c7067a9 ("eventfs: Update all the eventfs_inodes from the
events descriptor") had eventfs_set_attrs() recurse through ei->children
on remount.  The walk only holds the rcu_read_lock() taken by
tracefs_apply_options() over tracefs_inodes, which is wrong:

  - list_for_each_entry over ei->children races with the list_del_rcu()
    in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as
    d2603279c7d6.
  - eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...).
    rcu_read_lock() does not extend an SRCU grace period, so ti->private
    can be reclaimed under the walk.
  - The writes to ei->attr race with eventfs_set_attr(), which holds
    eventfs_mutex.

Reproducer:

  while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done &
  while :; do
      echo "p:kp submit_bio" > /sys/kernel/tracing/kprobe_events
      echo > /sys/kernel/tracing/kprobe_events
  done

Wrap the events portion of tracefs_apply_options() in
eventfs_remount_lock()/_unlock() that take eventfs_mutex and
srcu_read_lock(&eventfs_srcu).  eventfs_set_attrs() doesn't sleep so the
nested rcu_read_lock() is fine; lockdep_assert_held() pins the contract.

Comment in tracefs_drop_inode() said "RCU cycle" -- it is SRCU.

Fixes: 340f0c7067a9 ("eventfs: Update all the eventfs_inodes from the events descriptor")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260418191737.10289-1-devnexen@gmail.com
Signed-off-by: David Carlier <devnexen@gmail.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/tracefs/event_inode.c |   14 ++++++++++++++
 fs/tracefs/inode.c       |    5 ++++-
 fs/tracefs/internal.h    |    3 +++
 3 files changed, 21 insertions(+), 1 deletion(-)

--- a/fs/tracefs/event_inode.c
+++ b/fs/tracefs/event_inode.c
@@ -310,6 +310,8 @@ static void eventfs_set_attrs(struct eve
 {
 	struct eventfs_inode *ei_child;
 
+	lockdep_assert_held(&eventfs_mutex);
+
 	/* Update events/<system>/<event> */
 	if (WARN_ON_ONCE(level > 3))
 		return;
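Review bot: the commit message says the walk needs both eventfs_mutex and an SRCU read-side critical section, but the assertion pins only the mutex; adding `RCU_LOCKDEP_WARN(!srcu_read_lock_held(&eventfs_srcu), "eventfs_set_attrs() without SRCU");` next to it would make the second half of the contract checkable too.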
@@ -985,3 +987,15 @@ void eventfs_remove_events_dir(struct ev
 	d_invalidate(dentry);
 	dput(dentry);
 }
+
+int eventfs_remount_lock(void)
+{
+	mutex_lock(&eventfs_mutex);
+	return srcu_read_lock(&eventfs_srcu);
+}
+
+void eventfs_remount_unlock(int srcu_idx)
+{
+	srcu_read_unlock(&eventfs_srcu, srcu_idx);
+	mutex_unlock(&eventfs_mutex);
+}
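Review bot: the helpers fix an acquisition order (eventfs_mutex first, then the SRCU read lock) with the unlock reversing it, but nothing documents that; a short kernel-doc comment stating the order and that the returned index must be handed back to eventfs_remount_unlock() would keep future callers from pairing them incorrectly.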
--- a/fs/tracefs/inode.c
+++ b/fs/tracefs/inode.c
@@ -362,6 +362,7 @@ static int tracefs_apply_options(struct
 	struct tracefs_mount_opts *opts = &fsi->mount_opts;
 	struct tracefs_inode *ti;
 	bool update_uid, update_gid;
+	int srcu_idx;
 	umode_t tmp_mode;
 
 	/*
@@ -386,6 +387,7 @@ static int tracefs_apply_options(struct
 		update_uid = opts->opts & BIT(Opt_uid);
 		update_gid = opts->opts & BIT(Opt_gid);
 
+		srcu_idx = eventfs_remount_lock();
 		rcu_read_lock();
 		list_for_each_entry_rcu(ti, &tracefs_inodes, list) {
 			if (update_uid)
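Review bot: eventfs_mutex is now held across the whole tracefs_inodes walk, so everything reachable from eventfs_remount() must not take that mutex itself; the lockdep_assert_held() added to eventfs_set_attrs() suggests it does not, but confirm no deeper callee does a mutex_lock(&eventfs_mutex), which would now self-deadlock. The `srcu_idx` declared without an initializer above is fine, as it is assigned and consumed within this same `if` block (the unlock sits before its closing brace).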
@@ -398,6 +400,7 @@ static int tracefs_apply_options(struct
 				eventfs_remount(ti, update_uid, update_gid);
 		}
 		rcu_read_unlock();
+		eventfs_remount_unlock(srcu_idx);
 	}
 
 	return 0;
@@ -444,7 +447,7 @@ static int tracefs_drop_inode(struct ino
 	 * This inode is being freed and cannot be used for
 	 * eventfs. Clear the flag so that it doesn't call into
 	 * eventfs during the remount flag updates. The eventfs_inode
-	 * gets freed after an RCU cycle, so the content will still
+	 * gets freed after an SRCU cycle, so the content will still
 	 * be safe if the iteration is going on now.
 	 */
 	ti->flags &= ~TRACEFS_EVENT_INODE;
--- a/fs/tracefs/internal.h
+++ b/fs/tracefs/internal.h
@@ -76,4 +76,7 @@ struct inode *tracefs_get_inode(struct s
 void eventfs_remount(struct tracefs_inode *ti, bool update_uid, bool update_gid);
 void eventfs_d_release(struct dentry *dentry);
 
+int eventfs_remount_lock(void);
+void eventfs_remount_unlock(int srcu_idx);
+
 #endif /* _TRACEFS_INTERNAL_H */



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 255/474] dm-verity-fec: correctly reject too-small FEC devices
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (253 preceding siblings ...)
  2026-05-15 15:46 ` [PATCH 6.6 254/474] eventfs: Hold eventfs_mutex and SRCU when remount walks events Greg Kroah-Hartman
@ 2026-05-15 15:46 ` Greg Kroah-Hartman
  2026-05-15 15:46 ` [PATCH 6.6 256/474] dm-verity-fec: correctly reject too-small hash devices Greg Kroah-Hartman
                   ` (219 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Biggers, Mikulas Patocka

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@kernel.org>

commit 2b14e0bb63cc671120e7791658f5c494fc66d072 upstream.

Fix verity_fec_ctr() to reject too-small FEC devices by correctly
computing the number of parity blocks as 'f->rounds * f->roots'.
Previously it incorrectly used 'div64_u64(f->rounds * f->roots,
v->fec->roots << SECTOR_SHIFT)' which is a much smaller value.

Note that the units of 'rounds' are blocks, not bytes.  This matches the
units of the value returned by dm_bufio_get_device_size(), which are
also blocks.  A later commit will give 'rounds' a clearer name.

Fixes: a739ff3f543a ("dm verity: add support for forward error correction")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/dm-verity-fec.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/md/dm-verity-fec.c
+++ b/drivers/md/dm-verity-fec.c
@@ -688,7 +688,7 @@ int verity_fec_ctr(struct dm_verity *v)
 {
 	struct dm_verity_fec *f = v->fec;
 	struct dm_target *ti = v->ti;
-	u64 hash_blocks, fec_blocks;
+	u64 hash_blocks;
 	int ret;
 
 	if (!verity_fec_is_enabled(v)) {
@@ -769,8 +769,7 @@ int verity_fec_ctr(struct dm_verity *v)
 
 	dm_bufio_set_sector_offset(f->bufio, f->start << (v->data_dev_block_bits - SECTOR_SHIFT));
 
-	fec_blocks = div64_u64(f->rounds * f->roots, v->fec->roots << SECTOR_SHIFT);
-	if (dm_bufio_get_device_size(f->bufio) < fec_blocks) {
+	if (dm_bufio_get_device_size(f->bufio) < f->rounds * f->roots) {
 		ti->error = "FEC device is too small";
 		return -E2BIG;
 	}
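Review bot: `f->rounds * f->roots` is evaluated in u64 with no overflow guard; if rounds is derived from table arguments that are not capped elsewhere, a wrapped product would let an undersized device pass this test. `check_mul_overflow()` from <linux/overflow.h> would make the bound robust, and the commit message's note that rounds is in blocks (matching dm_bufio_get_device_size()) belongs in a comment at the comparison.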



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 256/474] dm-verity-fec: correctly reject too-small hash devices
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (254 preceding siblings ...)
  2026-05-15 15:46 ` [PATCH 6.6 255/474] dm-verity-fec: correctly reject too-small FEC devices Greg Kroah-Hartman
@ 2026-05-15 15:46 ` Greg Kroah-Hartman
  2026-05-15 15:46 ` [PATCH 6.6 257/474] isofs: validate Rock Ridge CE continuation extent against volume size Greg Kroah-Hartman
                   ` (218 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Biggers, Mikulas Patocka

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@kernel.org>

commit 4355142245f7e55336dcc005ec03592df4d546f8 upstream.

Fix verity_fec_ctr() to reject too-small hash devices by correctly
taking hash_start into account.

Note that this is necessary because dm-verity doesn't call
dm_bufio_set_sector_offset() on the hash device's bufio client
(v->bufio).  Thus, dm_bufio_get_device_size(v->bufio) returns a size
relative to 0 rather than hash_start.  An alternative fix would be to
call dm_bufio_set_sector_offset() on v->bufio, but then all the code
that reads from the hash device would have to be adjusted accordingly.

Fixes: a739ff3f543a ("dm verity: add support for forward error correction")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/dm-verity-fec.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/md/dm-verity-fec.c
+++ b/drivers/md/dm-verity-fec.c
@@ -751,7 +751,8 @@ int verity_fec_ctr(struct dm_verity *v)
 	 * it to be large enough.
 	 */
 	f->hash_blocks = f->blocks - v->data_blocks;
-	if (dm_bufio_get_device_size(v->bufio) < f->hash_blocks) {
+	if (dm_bufio_get_device_size(v->bufio) <
+	    v->hash_start + f->hash_blocks) {
 		ti->error = "Hash device is too small for "
 			DM_VERITY_OPT_FEC_BLOCKS;
 		return -E2BIG;
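Review bot: same shape as the FEC-device check: `v->hash_start + f->hash_blocks` can wrap if hash_blocks is large, and the explanation in the commit message (v->bufio has no sector offset set, so the size is relative to 0) is exactly the non-obvious fact that should sit in a comment above the comparison. `check_add_overflow()` or a rewrite as `size - v->hash_start < f->hash_blocks` after first verifying `size >= v->hash_start` would close the gap.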



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 257/474] isofs: validate Rock Ridge CE continuation extent against volume size
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (255 preceding siblings ...)
  2026-05-15 15:46 ` [PATCH 6.6 256/474] dm-verity-fec: correctly reject too-small hash devices Greg Kroah-Hartman
@ 2026-05-15 15:46 ` Greg Kroah-Hartman
  2026-05-15 15:46 ` [PATCH 6.6 258/474] isofs: validate block number from NFS file handle in isofs_export_iget Greg Kroah-Hartman
                   ` (217 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Jan Kara

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit a36d990f591320e9dd379ab30063ebfe91d47e1f upstream.

rock_continue() reads rs->cont_extent verbatim from the Rock Ridge CE
record and passes it to sb_bread() without checking that the block
number is within the mounted ISO 9660 volume.  commit e595447e177b
("[PATCH] rock.c: handle corrupted directories") added cont_offset
and cont_size rejection for the CE continuation but did not validate
the extent block number itself.  commit f54e18f1b831 ("isofs: Fix
infinite looping over CE entries") later capped the CE chain length
at RR_MAX_CE_ENTRIES = 32 but again left the block number unchecked.

With a crafted ISO mounted via udisks2 (desktop optical auto-mount)
or via CAP_SYS_ADMIN mount, rs->cont_extent can therefore point at
an out-of-range block or at blocks belonging to an adjacent
filesystem on the same block device.  sb_bread() on an out-of-range
block returns NULL cleanly via the block layer EIO path, so there
is no memory-safety violation.  For in-range reads of adjacent-
filesystem data, the CE buffer is parsed as Rock Ridge records and
only the text of SL sub-records reaches userspace through
readlink(), which makes the info-leak channel narrow and difficult
to exploit; still, rejecting the malformed CE outright matches the
rejection shape already present in the same function for
cont_offset and cont_size.

Add an ISOFS_SB(sb)->s_nzones bounds check to rock_continue() next
to the existing offset/size rejection, printing the same
corrupted-directory-entry notice.

Fixes: f54e18f1b831 ("isofs: Fix infinite looping over CE entries")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260419212155.2169382-2-michael.bommarito@gmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/isofs/rock.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/fs/isofs/rock.c
+++ b/fs/isofs/rock.c
@@ -101,6 +101,15 @@ static int rock_continue(struct rock_sta
 		goto out;
 	}
 
+	if ((unsigned)rs->cont_extent >= ISOFS_SB(rs->inode->i_sb)->s_nzones) {
+		printk(KERN_NOTICE "rock: corrupted directory entry. "
+			"extent=%u out of volume (nzones=%lu)\n",
+			(unsigned)rs->cont_extent,
+			ISOFS_SB(rs->inode->i_sb)->s_nzones);
+		ret = -EIO;
+		goto out;
+	}
+
 	if (rs->cont_extent) {
 		struct buffer_head *bh;
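Review bot: the notice fires for every malformed CE record on untrusted media, so a hostile image can flood the kernel log; `printk_ratelimited(KERN_NOTICE ...)` keeps the existing message style while bounding the output. The placement before `if (rs->cont_extent)` is correct: a zero extent (no continuation) still passes, since 0 is below s_nzones.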
 



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 258/474] isofs: validate block number from NFS file handle in isofs_export_iget
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (256 preceding siblings ...)
  2026-05-15 15:46 ` [PATCH 6.6 257/474] isofs: validate Rock Ridge CE continuation extent against volume size Greg Kroah-Hartman
@ 2026-05-15 15:46 ` Greg Kroah-Hartman
  2026-05-15 15:46 ` [PATCH 6.6 259/474] lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl() Greg Kroah-Hartman
                   ` (216 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Jan Kara

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 24376458138387fb251e782e624c7776e9826796 upstream.

isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker-
controlled block number (ifid->block or ifid->parent_block) from
the NFS file handle to isofs_export_iget(), which only rejects
block == 0 before calling isofs_iget() and ultimately sb_bread().
A crafted file handle with fh_len sufficient to pass the check
added by commit 0405d4b63d08 ("isofs: Prevent the use of too small
fid") can still drive the server to read any in-range block on the
backing device as if it were an iso_directory_record.  That earlier
fix was assigned CVE-2025-37780.

sb_bread() on an out-of-range block returns NULL cleanly via the
EIO path, so there is no memory-safety violation.  For in-range
reads of adjacent-partition data on the same block device, the
unrelated bytes end up in iso_inode_info fields that reach the NFS
client as dentry metadata.  The deployment surface (isofs exported
over NFS from loop-mounted images) is narrow and requires an
authenticated NFS peer, but the malformed-file-handle class is
reportable as hardening next to the existing CVE-2025-37780 fix.

Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so
the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent()
call sites with a single line.

Fixes: 0405d4b63d08 ("isofs: Prevent the use of too small fid")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260419212155.2169382-3-michael.bommarito@gmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/isofs/export.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/isofs/export.c
+++ b/fs/isofs/export.c
@@ -24,7 +24,7 @@ isofs_export_iget(struct super_block *sb
 {
 	struct inode *inode;
 
-	if (block == 0)
+	if (block == 0 || block >= ISOFS_SB(sb)->s_nzones)
 		return ERR_PTR(-ESTALE);
 	inode = isofs_iget(sb, block, offset);
 	if (IS_ERR(inode))
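Review bot: the new bound covers `block`, but `offset` from the same file handle is still passed unchecked into `isofs_iget(sb, block, offset)` on the next line; worth stating in the commit message (or a comment) that the offset is validated against the block size further down in the isofs inode read path, since it is the same untrusted input. Returning -ESTALE for the out-of-range case, matching the existing `block == 0` branch, is the right choice: an NFS client sees a stale handle rather than an I/O error on the export.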



* [PATCH 6.6 259/474] lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lukas Wunner, Ignat Korchagin,
	Jarkko Sakkinen, Eric Biggers, Yiming Qian

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lukas Wunner <lukas@wunner.de>

commit 8c2f1288250a90a4b5cabed5d888d7e3aeed4035 upstream.

Yiming reports an integer underflow in mpi_read_raw_from_sgl() when
subtracting "lzeros" from the unsigned "nbytes".

For this to happen, the scatterlist "sgl" needs to occupy more bytes
than the "nbytes" parameter and the first "nbytes + 1" bytes of the
scatterlist must be zero.  Under these conditions, the while loop
iterating over the scatterlist will count more zeroes than "nbytes",
subtract the number of zeroes from "nbytes" and cause the underflow.

When commit 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers") originally
introduced the bug, it couldn't be triggered because all callers of
mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to
"nbytes".

However since commit 63ba4d67594a ("KEYS: asymmetric: Use new crypto
interface without scatterlists"), the underflow can now actually be
triggered.  When invoking a KEYCTL_PKEY_ENCRYPT system call with a
larger "out_len" than "in_len" and filling the "in" buffer with zeroes,
crypto_akcipher_sync_prep() will create an all-zero scatterlist used for
both the "src" and "dst" member of struct akcipher_request and thereby
fulfil the conditions to trigger the bug:

  sys_keyctl()
    keyctl_pkey_e_d_s()
      asymmetric_key_eds_op()
        software_key_eds_op()
          crypto_akcipher_sync_encrypt()
            crypto_akcipher_sync_prep()
              crypto_akcipher_encrypt()
                rsa_enc()
                  mpi_read_raw_from_sgl()

To the user this will be visible as a DoS as the kernel spins forever,
causing soft lockup splats as a side effect.

Fix it.

Reported-by: Yiming Qian <yimingqian591@gmail.com> # off-list
Fixes: 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers")
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Cc: stable@vger.kernel.org # v4.4+
Reviewed-by: Ignat Korchagin <ignat@linux.win>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Link: https://lore.kernel.org/r/59eca92ff4f87e2081777f1423a0efaaadcfdb39.1776003111.git.lukas@wunner.de
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 lib/crypto/mpi/mpicoder.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/lib/crypto/mpi/mpicoder.c
+++ b/lib/crypto/mpi/mpicoder.c
@@ -453,7 +453,7 @@ MPI mpi_read_raw_from_sgl(struct scatter
 	lzeros = 0;
 	len = 0;
 	while (nbytes > 0) {
-		while (len && !*buff) {
+		while (len && !*buff && lzeros < nbytes) {
 			lzeros++;
 			len--;
 			buff++;
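Review bot: the added `lzeros < nbytes` guard is the whole fix and deserves a comment, because it is not obvious why the zero-skipping loop needs a second bound when `len` already limits it: `len` counts bytes of the scatterlist, which may be longer than `nbytes`, and the later `nbytes -= lzeros` underflows if more zeroes were counted than `nbytes`. Suggest a one-line comment above the inner loop, e.g. `/* never skip more leading zeroes than nbytes, or nbytes -= lzeros underflows */`, so the bound survives a future refactor.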



* [PATCH 6.6 260/474] lib/scatterlist: fix length calculations in extract_kvec_to_sg
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christian A. Ehrhardt, David Gow,
	David Howells, Kees Cook, Petr Mladek, Andrew Morton

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christian A. Ehrhardt <lk@c--e.de>

commit 07b7d66e65d9cfe6b9c2c34aa22cfcaac37a5c45 upstream.

Patch series "Fix bugs in extract_iter_to_sg()", v3.

Fix bugs in the kvec and user variants of extract_iter_to_sg.  This series
is growing due to useful remarks made by sashiko.dev.

The main bugs are:
- The length for an sglist entry when extracting from
  a kvec can exceed the number of bytes in the page. This
  is obviously not intended.
- When extracting a user buffer the sglist is temporarily
  used as a scratch buffer for extracted page pointers.
  If the sglist already contains some elements this scratch
  buffer could overlap with existing entries in the sglist.

The series adds test cases to the kunit_iov_iter test that demonstrate all
of these bugs.  Additionally, there is a memory leak fix for the test
itself.

The bugs were originally introduced into kernel v6.3 where the function
lived in fs/netfs/iterator.c.  It was later moved to lib/scatterlist.c in
v6.5.  Thus the actual fix is only marked for backports to v6.5+.


This patch (of 5):

When extracting from a kvec to a scatterlist, do not cross page
boundaries.  The required length was already calculated but not used as
intended.

Adjust the copied length if the loop runs out of sglist entries without
extracting everything.

While there, return immediately from extract_iter_to_sg if there are no
sglist entries at all.

A subsequent commit will add kunit test cases that demonstrate that the
patch is necessary.

Link: https://lkml.kernel.org/r/20260326214905.818170-1-lk@c--e.de
Link: https://lkml.kernel.org/r/20260326214905.818170-2-lk@c--e.de
Fixes: 018584697533 ("netfs: Add a function to extract an iterator into a scatterlist")
Signed-off-by: Christian A. Ehrhardt <lk@c--e.de>
Cc: David Gow <davidgow@google.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Kees Cook <kees@kernel.org>
Cc: Petr Mladek <pmladek@suse.com>
Cc: <stable@vger.kernel.org>	[v6.5+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 lib/scatterlist.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/lib/scatterlist.c
+++ b/lib/scatterlist.c
@@ -1241,7 +1241,7 @@ static ssize_t extract_kvec_to_sg(struct
 			else
 				page = virt_to_page((void *)kaddr);
 
-			sg_set_page(sg, page, len, off);
+			sg_set_page(sg, page, seg, off);
 			sgtable->nents++;
 			sg++;
 			sg_max--;
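Review bot: with `sg_set_page(sg, page, seg, off)` the entry length is now the per-page segment instead of the whole remaining `len`, which is the fix; it depends on `seg` (computed above the hunk, not visible here) being the page-bounded length and on `len` being reduced by `seg` rather than by a full page in the lines below. Please quote those lines in the commit message, or point at the kunit case that checks every entry length stays within its page, so a backporter can verify the invariant without the full function.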
@@ -1250,6 +1250,7 @@ static ssize_t extract_kvec_to_sg(struct
 			kaddr += PAGE_SIZE;
 			off = 0;
 		} while (len > 0 && sg_max > 0);
+		ret -= len;
 
 		if (maxsize <= 0 || sg_max == 0)
 			break;
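Review bot: `ret -= len;` after the `do ... while (len > 0 && sg_max > 0)` loop is correct only if `ret` was already advanced by the full kvec length before the loop and `len` holds the bytes left unextracted when the loop stops because `sg_max` reached 0; on the normal exit `len` is 0 and the line is a no-op. A short comment, e.g. `/* ran out of sg entries: drop the bytes we did not extract */`, would make that intent clear to the next reader.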
@@ -1342,7 +1343,7 @@ ssize_t extract_iter_to_sg(struct iov_it
 			   struct sg_table *sgtable, unsigned int sg_max,
 			   iov_iter_extraction_t extraction_flags)
 {
-	if (maxsize == 0)
+	if (maxsize == 0 || sg_max == 0)
 		return 0;
 
 	switch (iov_iter_type(iter)) {
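Review bot: returning 0 for `sg_max == 0` reports "nothing extracted" for what is really a caller error (no free entries in the table), indistinguishable from an empty iterator; that is consistent with the existing `maxsize == 0` case, but a caller that passes a full table and treats 0 as end-of-data will stall, so consider noting in the function's kernel-doc that a zero return can also mean the table had no room.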



* [PATCH 6.6 261/474] lib/scatterlist: fix temp buffer in extract_user_to_sg()
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christian A. Ehrhardt, David Howells,
	David Gow, Kees Cook, Petr Mladek, Andrew Morton

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christian A. Ehrhardt <lk@c--e.de>

commit 118cf3f55975352ac357fb194405031458186819 upstream.

Instead of allocating a temporary buffer for extracted user pages
extract_user_to_sg() uses the end of the to be filled scatterlist as a
temporary buffer.

Fix the calculation of the start address if the scatterlist already
contains elements.  The unused space starts at sgtable->sgl +
sgtable->nents not directly at sgtable->nents and the temporary buffer is
placed at the end of this unused space.

A subsequent commit will add kunit test cases that demonstrate that the
patch is necessary.

Pointed out by sashiko.dev on a previous iteration of this series.

Link: https://lkml.kernel.org/r/20260326214905.818170-3-lk@c--e.de
Fixes: 018584697533 ("netfs: Add a function to extract an iterator into a scatterlist")
Signed-off-by: Christian A. Ehrhardt <lk@c--e.de>
Cc: David Howells <dhowells@redhat.com>
Cc: David Gow <davidgow@google.com>
Cc: Kees Cook <kees@kernel.org>
Cc: Petr Mladek <pmladek@suse.com>
Cc: <stable@vger.kernel.org>	[v6.5+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 lib/scatterlist.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/lib/scatterlist.c
+++ b/lib/scatterlist.c
@@ -1117,8 +1117,7 @@ static ssize_t extract_user_to_sg(struct
 	size_t len, off;
 
 	/* We decant the page list into the tail of the scatterlist */
-	pages = (void *)sgtable->sgl +
-		array_size(sg_max, sizeof(struct scatterlist));
+	pages = (void *)sg + array_size(sg_max, sizeof(struct scatterlist));
 	pages -= sg_max;
 
 	do {
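Review bot: the scratch area now starts at `sg` (the first free entry) rather than `sgtable->sgl`, so the `sg_max` page pointers land in the last entries of the free space instead of possibly overlapping entries already filled; the existing comment "We decant the page list into the tail of the scatterlist" should say "tail of the unused part of the scatterlist" so it matches the arithmetic. The trick still relies on `sizeof(struct page *) <= sizeof(struct scatterlist)` so that `sg_max` pointers fit in `sg_max` entries, which holds everywhere but could carry a `BUILD_BUG_ON` to document it.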



* [PATCH 6.6 262/474] libceph: Fix slab-out-of-bounds access in auth message processing
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Raphael Zimmer, Ilya Dryomov

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>

commit 1c439de70b1c3eb3c6bffa8245c16b9fc318f114 upstream.

If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY
contains a positive value in its result field, it is treated as an
error code by ceph_handle_auth_reply() and returned to
handle_auth_reply(). Thereafter, an attempt is made to send the
preallocated message of type CEPH_MSG_AUTH, where the returned value is
interpreted as the size of the front segment to send. If the result
value in the message is greater than the size of the memory buffer
allocated for the front segment, an out-of-bounds access occurs, and
the content of the memory region beyond this buffer is sent out.

This patch fixes the issue by treating only negative values in the
result field as errors. Positive values are therefore treated as success
in the same way as a zero value. Additionally, a BUG_ON is added to
__send_prepared_auth_request() comparing the len parameter to
front_alloc_len to prevent sending the message if it exceeds the bounds
of the allocation and to make it easier to catch any logic flaws leading
to this.

Cc: stable@vger.kernel.org
Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ceph/auth.c       |    2 +-
 net/ceph/mon_client.c |    2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

--- a/net/ceph/auth.c
+++ b/net/ceph/auth.c
@@ -257,7 +257,7 @@ int ceph_handle_auth_reply(struct ceph_a
 		ac->negotiating = false;
 	}
 
-	if (result) {
+	if (result < 0) {
 		pr_err("auth protocol '%s' mauth authentication failed: %d\n",
 		       ceph_auth_proto_name(ac->protocol), result);
 		ret = result;
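Review bot: with `if (result < 0)` a positive `result` decoded from the reply is now treated as success with no trace, so a malformed or non-conforming monitor reply is no longer observable in the log; since this is the value that previously turned into an over-long send, a `dout()` or `pr_warn_ratelimited()` for `result > 0` would keep that visible without changing the new behaviour. It is also worth stating in the commit message where `result` is decoded from the wire, so readers see that it is an untrusted value.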
--- a/net/ceph/mon_client.c
+++ b/net/ceph/mon_client.c
@@ -174,6 +174,8 @@ int ceph_monmap_contains(struct ceph_mon
  */
 static void __send_prepared_auth_request(struct ceph_mon_client *monc, int len)
 {
+	BUG_ON(len > monc->m_auth->front_alloc_len);
+
 	monc->pending_auth = 1;
 	monc->m_auth->front.iov_len = len;
 	monc->m_auth->hdr.front_len = cpu_to_le32(len);
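Review bot: `BUG_ON(len > monc->m_auth->front_alloc_len)` panics the whole host, which is a heavy response for a check on a path that was, until the previous hunk, fed by network input; if the intent is to catch logic flaws, a `WARN_ON_ONCE()` followed by an early return flags the bug without turning a client-side mistake into a full crash. The check also misses a negative `len`: `len` is an `int`, and a negative value passes the comparison and then becomes a huge `front.iov_len` on the next line, so `len < 0 ||` belongs in the same condition.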



* [PATCH 6.6 263/474] md/raid10: fix divide-by-zero in setup_geo() with zero far_copies
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Junrui Luo, Yu Kuai

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Junrui Luo <moonafterrain@outlook.com>

commit 9aa6d860b0930e2f72795665c42c44252a558a0c upstream.

setup_geo() extracts near_copies (nc) and far_copies (fc) from the
user-provided layout parameter without checking for zero. When fc=0
with the "improved" far set layout selected, 'geo->far_set_size =
disks / fc' triggers a divide-by-zero.

Validate nc and fc immediately after extraction, returning -1 if
either is zero.

Fixes: 475901aff158 ("MD RAID10: Improve redundancy for 'far' and 'offset' algorithms (part 1)")
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://lore.kernel.org/linux-raid/SYBPR01MB7881A5E2556806CC1D318582AF232@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Yu Kuai <yukuai@fnnas.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/raid10.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
@@ -3986,6 +3986,8 @@ static int setup_geo(struct geom *geo, s
 	nc = layout & 255;
 	fc = (layout >> 8) & 255;
 	fo = layout & (1<<16);
+	if (!nc || !fc)
+		return -1;
 	geo->raid_disks = disks;
 	geo->near_copies = nc;
 	geo->far_copies = fc;
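Review bot: rejecting `!nc || !fc` right after the extraction is the right spot, since nothing in `geo` has been written yet and the caller gets the same -1 as for other invalid layouts; a one-line comment such as `/* zero copies is invalid and would divide by zero below */` keeps the reason attached to the check. Since `layout` comes from userspace, it is also worth confirming that the caller logs the rejected value, otherwise an array that fails to assemble gives no hint which field was wrong.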



* [PATCH 6.6 264/474] nvme-apple: drop invalid put of admin queue reference count
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Fedor Pchelkin,
	Keith Busch

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Fedor Pchelkin <pchelkin@ispras.ru>

commit ba9d308ccd6732dd97ed8080d834a4a89e758e14 upstream.

Commit 03b3bcd319b3 ("nvme: fix admin request_queue lifetime") moved the
admin queue reference ->put call into nvme_free_ctrl() - a controller
device release callback performed for every nvme driver doing
nvme_init_ctrl().

nvme-apple sets refcount of the admin queue to 1 at allocation during the
probe function and then puts it twice now:

nvme_free_ctrl()
  blk_put_queue(ctrl->admin_q) // #1
  ->free_ctrl()
    apple_nvme_free_ctrl()
      blk_put_queue(anv->ctrl.admin_q) // #2

Note that there is a commit 941f7298c70c ("nvme-apple: remove an extra
queue reference") which intended to drop taking an extra admin queue
reference.  Looks like at that moment it accidentally fixed a refcount
leak, which existed since the driver's introduction.  There were two ->get
calls at driver's probe function and a single ->put inside
apple_nvme_free_ctrl().

However now after commit 03b3bcd319b3 ("nvme: fix admin request_queue
lifetime") the refcount is imbalanced again.  Fix it by removing extra
->put call from apple_nvme_free_ctrl().  anv->dev and ctrl->dev point to
the same device, so use ctrl->dev directly for simplification.  Compile
tested only.

Found by Linux Verification Center (linuxtesting.org).

Fixes: 03b3bcd319b3 ("nvme: fix admin request_queue lifetime")
Cc: stable@vger.kernel.org
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/nvme/host/apple.c |    6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

--- a/drivers/nvme/host/apple.c
+++ b/drivers/nvme/host/apple.c
@@ -1208,11 +1208,7 @@ static int apple_nvme_get_address(struct
 
 static void apple_nvme_free_ctrl(struct nvme_ctrl *ctrl)
 {
-	struct apple_nvme *anv = ctrl_to_apple_nvme(ctrl);
-
-	if (anv->ctrl.admin_q)
-		blk_put_queue(anv->ctrl.admin_q);
-	put_device(anv->dev);
+	put_device(ctrl->dev);
 }
 
 static const struct nvme_ctrl_ops nvme_ctrl_ops = {
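Review bot: dropping the `blk_put_queue()` here is correct only if the core now puts `ctrl->admin_q` exactly once for this driver and probe no longer takes an extra reference, so the "Compile tested only" in the commit message deserves a runtime check on an unbind/rebind cycle (CONFIG_DEBUG_KOBJECT_RELEASE, or watching for a refcount warning) before this lands in stable. Using `ctrl->dev` instead of `anv->dev` is fine given the two are the same device, but it leaves `ctrl_to_apple_nvme()` unused in this function, so please confirm it is still used elsewhere in the file if it is a static helper.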



* [PATCH 6.6 265/474] nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christoph Hellwig,
	Chaitanya Kulkarni, Keith Busch

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chaitanya Kulkarni <kch@nvidia.com>

commit aade8abd8b868b6ffa9697aadaea28ec7f65bee6 upstream.

nvmet_tcp_release_queue_work() runs on nvmet-wq and can drop the
final controller reference through nvmet_cq_put(). If that triggers
nvmet_ctrl_free(), the teardown path flushes ctrl->async_event_work on
the same nvmet-wq.

Call chain:

 nvmet_tcp_schedule_release_queue()
   kref_put(&queue->kref, nvmet_tcp_release_queue)
     nvmet_tcp_release_queue()
       queue_work(nvmet_wq, &queue->release_work) <--- nvmet_wq
         process_one_work()
           nvmet_tcp_release_queue_work()
             nvmet_cq_put(&queue->nvme_cq)
               nvmet_cq_destroy()
                 nvmet_ctrl_put(cq->ctrl)
                   nvmet_ctrl_free()
                     flush_work(&ctrl->async_event_work) <--- nvmet_wq

                      Previously Scheduled by :-
                        nvmet_add_async_event
                          queue_work(nvmet_wq, &ctrl->async_event_work);

This trips lockdep with a possible recursive locking warning.

[ 5223.015876] run blktests nvme/003 at 2026-04-07 20:53:55
[ 5223.061801] loop0: detected capacity change from 0 to 2097152
[ 5223.072206] nvmet: adding nsid 1 to subsystem blktests-subsystem-1
[ 5223.088368] nvmet_tcp: enabling port 0 (127.0.0.1:4420)
[ 5223.126086] nvmet: Created discovery controller 1 for subsystem nqn.2014-08.org.nvmexpress.discovery for NQN nqn.2014-08.org.nvmexpress:uuid:0f01fb42-9f7f-4856-b0b3-51e60b8de349.
[ 5223.128453] nvme nvme1: new ctrl: NQN "nqn.2014-08.org.nvmexpress.discovery", addr 127.0.0.1:4420, hostnqn: nqn.2014-08.org.nvmexpress:uuid:0f01fb42-9f7f-4856-b0b3-51e60b8de349
[ 5233.199447] nvme nvme1: Removing ctrl: NQN "nqn.2014-08.org.nvmexpress.discovery"

[ 5233.227718] ============================================
[ 5233.231283] WARNING: possible recursive locking detected
[ 5233.234696] 7.0.0-rc3nvme+ #20 Tainted: G           O     N
[ 5233.238434] --------------------------------------------
[ 5233.241852] kworker/u192:6/2413 is trying to acquire lock:
[ 5233.245429] ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90
[ 5233.251438]
               but task is already holding lock:
[ 5233.255254] ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x5cc/0x6e0
[ 5233.261125]
               other info that might help us debug this:
[ 5233.265333]  Possible unsafe locking scenario:

[ 5233.269217]        CPU0
[ 5233.270795]        ----
[ 5233.272436]   lock((wq_completion)nvmet-wq);
[ 5233.275241]   lock((wq_completion)nvmet-wq);
[ 5233.278020]
                *** DEADLOCK ***

[ 5233.281793]  May be due to missing lock nesting notation

[ 5233.286195] 3 locks held by kworker/u192:6/2413:
[ 5233.289192]  #0: ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x5cc/0x6e0
[ 5233.294569]  #1: ffffc9000e2a7e40 ((work_completion)(&queue->release_work)){+.+.}-{0:0}, at: process_one_work+0x1c5/0x6e0
[ 5233.300128]  #2: ffffffff82d7dc40 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x62/0x530
[ 5233.304290]
               stack backtrace:
[ 5233.306520] CPU: 4 UID: 0 PID: 2413 Comm: kworker/u192:6 Tainted: G           O     N  7.0.0-rc3nvme+ #20 PREEMPT(full)
[ 5233.306524] Tainted: [O]=OOT_MODULE, [N]=TEST
[ 5233.306525] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
[ 5233.306527] Workqueue: nvmet-wq nvmet_tcp_release_queue_work [nvmet_tcp]
[ 5233.306532] Call Trace:
[ 5233.306534]  <TASK>
[ 5233.306536]  dump_stack_lvl+0x73/0xb0
[ 5233.306552]  print_deadlock_bug+0x225/0x2f0
[ 5233.306556]  __lock_acquire+0x13f0/0x2290
[ 5233.306563]  lock_acquire+0xd0/0x300
[ 5233.306565]  ? touch_wq_lockdep_map+0x26/0x90
[ 5233.306571]  ? __flush_work+0x20b/0x530
[ 5233.306573]  ? touch_wq_lockdep_map+0x26/0x90
[ 5233.306577]  touch_wq_lockdep_map+0x3b/0x90
[ 5233.306580]  ? touch_wq_lockdep_map+0x26/0x90
[ 5233.306583]  ? __flush_work+0x20b/0x530
[ 5233.306585]  __flush_work+0x268/0x530
[ 5233.306588]  ? __pfx_wq_barrier_func+0x10/0x10
[ 5233.306594]  ? xen_error_entry+0x30/0x60
[ 5233.306600]  nvmet_ctrl_free+0x140/0x310 [nvmet]
[ 5233.306617]  nvmet_cq_put+0x74/0x90 [nvmet]
[ 5233.306629]  nvmet_tcp_release_queue_work+0x19f/0x360 [nvmet_tcp]
[ 5233.306634]  process_one_work+0x206/0x6e0
[ 5233.306640]  worker_thread+0x184/0x320
[ 5233.306643]  ? __pfx_worker_thread+0x10/0x10
[ 5233.306646]  kthread+0xf1/0x130
[ 5233.306648]  ? __pfx_kthread+0x10/0x10
[ 5233.306651]  ret_from_fork+0x355/0x450
[ 5233.306653]  ? __pfx_kthread+0x10/0x10
[ 5233.306656]  ret_from_fork_asm+0x1a/0x30
[ 5233.306664]  </TASK>

There is also no need to flush async_event_work from controller
teardown. The admin queue teardown already fails outstanding AER
requests before the final controller put :-

 nvmet_sq_destroy(admin sq)
    nvmet_async_events_failall(ctrl)

The controller has already been removed from the subsystem list before
nvmet_ctrl_free() quiesces outstanding work.

Replace flush_work() with cancel_work_sync() so a pending
async_event_work item is canceled and a running instance is waited on
without recursing into the same workqueue.

Fixes: 06406d81a2d7 ("nvmet: cancel fatal error and flush async work before free controller")
Cc: stable@vger.kernel.org
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Chaitanya Kulkarni <kch@nvidia.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/nvme/target/core.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/nvme/target/core.c
+++ b/drivers/nvme/target/core.c
@@ -1497,7 +1497,7 @@ static void nvmet_ctrl_free(struct kref
 
 	nvmet_stop_keep_alive_timer(ctrl);
 
-	flush_work(&ctrl->async_event_work);
+	cancel_work_sync(&ctrl->async_event_work);
 	cancel_work_sync(&ctrl->fatal_err_work);
 
 	nvmet_destroy_auth(ctrl);
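Review bot: `cancel_work_sync()` still waits for a running `async_event_work` instance, so the behavioural differences from `flush_work()` are that a queued-but-not-started item is dropped instead of run, and that it does not touch the workqueue-level lockdep map (`touch_wq_lockdep_map` in the splat) from inside the same `nvmet-wq`; the justification for dropping a pending item (AERs already failed by `nvmet_async_events_failall()` during admin sq teardown) lives only in the commit message, so a short comment above this line would stop someone restoring `flush_work()` and reintroducing the recursive flush.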



* [PATCH 6.6 266/474] openvswitch: vport: fix self-deadlock on release of tunnel ports
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eelco Chaudron, Ilya Maximets,
	Aaron Conole, Paolo Abeni

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ilya Maximets <i.maximets@ovn.org>

commit aa69918bd418e700309fdd08509dba324fb24296 upstream.

vports are used concurrently and protected by RCU, so netdev_put()
must happen after the RCU grace period.  So, either in an RCU call or
after the synchronize_net().  The rtnl_delete_link() must happen under
RTNL and so can't be executed in RCU context.  Calling synchronize_net()
while holding RTNL is not a good idea for performance and system
stability under load in general, so calling netdev_put() in RCU call
is the right solution here.

However, when the device is deleted, rtnl_unlock() will call netdev_run_todo()
and block until all the references are gone.  In the current code this
means that we never reach the call_rcu() and the vport is never freed
and the reference is never released, causing a self-deadlock on device
removal.

Fix that by moving the rcu_call() before the rtnl_unlock(), so the
scheduled RCU callback will be executed when synchronize_net() is
called from the rtnl_unlock()->netdev_run_todo() while the RTNL itself
is already released.

Fixes: 6931d21f87bc ("openvswitch: defer tunnel netdev_put to RCU release")
Cc: stable@vger.kernel.org
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Acked-by: Aaron Conole <aconole@redhat.com>
Link: https://patch.msgid.link/20260430233848.440994-2-i.maximets@ovn.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/openvswitch/vport-netdev.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/net/openvswitch/vport-netdev.c
+++ b/net/openvswitch/vport-netdev.c
@@ -189,9 +189,13 @@ void ovs_netdev_tunnel_destroy(struct vp
 	 */
 	if (vport->dev->reg_state == NETREG_REGISTERED)
 		rtnl_delete_link(vport->dev, 0, NULL);
-	rtnl_unlock();
 
+	/* We can't put the device reference yet, since it can still be in
+	 * use, but rtnl_unlock()->netdev_run_todo() will block until all
+	 * the references are released, so the RCU call must be before it.
+	 */
 	call_rcu(&vport->rcu, vport_netdev_free);
+	rtnl_unlock();
 }
 EXPORT_SYMBOL_GPL(ovs_netdev_tunnel_destroy);
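Review bot: with `call_rcu()` now issued before `rtnl_unlock()`, `vport_netdev_free()` can run as soon as a grace period elapses, including while the unlock's `netdev_run_todo()` is still waiting, so nothing after the `call_rcu()` line may touch `vport`; the visible tail only calls `rtnl_unlock()`, which is fine. The new comment explains the ordering well; it would be worth adding that the callback runs in RCU callback context and therefore must not take RTNL itself, since that is the other constraint that keeps this from deadlocking.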
 



* [PATCH 6.6 267/474] RDMA/hns: Fix unlocked call to hns_roce_qp_remove()
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Junxian Huang, Jason Gunthorpe

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Gunthorpe <jgg@nvidia.com>

commit 0c99acbc8b6c6dd526ae475a48ee1897b61072fb upstream.

Sashiko points out that hns_roce_qp_remove() requires the caller to hold
locks.  The error flow in hns_roce_create_qp_common() doesn't hold those
locks for the error unwind so it risks corrupting memory.

Grab the same locks the other two callers use.

Cc: stable@vger.kernel.org
Fixes: e088a685eae9 ("RDMA/hns: Support rq record doorbell for the user space")
Link: https://sashiko.dev/#/patchset/0-v2-1c49eeb88c48%2B91-rdma_udata_rep_jgg%40nvidia.com?part=9
Link: https://patch.msgid.link/r/15-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
Reviewed-by: Junxian Huang <huangjunxian6@hisilicon.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/hns/hns_roce_qp.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/infiniband/hw/hns/hns_roce_qp.c
+++ b/drivers/infiniband/hw/hns/hns_roce_qp.c
@@ -1082,6 +1082,7 @@ static int hns_roce_create_qp_common(str
 	struct hns_roce_ib_create_qp_resp resp = {};
 	struct ib_device *ibdev = &hr_dev->ib_dev;
 	struct hns_roce_ib_create_qp ucmd = {};
+	unsigned long flags;
 	int ret;
 
 	mutex_init(&hr_qp->mutex);
@@ -1165,7 +1166,13 @@ static int hns_roce_create_qp_common(str
 	return 0;
 
 err_flow_ctrl:
+	spin_lock_irqsave(&hr_dev->qp_list_lock, flags);
+	hns_roce_lock_cqs(init_attr->send_cq ? to_hr_cq(init_attr->send_cq) : NULL,
+			  init_attr->recv_cq ? to_hr_cq(init_attr->recv_cq) : NULL);
 	hns_roce_qp_remove(hr_dev, hr_qp);
+	hns_roce_unlock_cqs(init_attr->send_cq ? to_hr_cq(init_attr->send_cq) : NULL,
+			    init_attr->recv_cq ? to_hr_cq(init_attr->recv_cq) : NULL);
+	spin_unlock_irqrestore(&hr_dev->qp_list_lock, flags);
 err_store:
 	free_qpc(hr_dev, hr_qp);
 err_qpc:
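Review bot: the `init_attr->send_cq ? to_hr_cq(init_attr->send_cq) : NULL` expression is repeated four times across the lock and unlock calls; computing `send_cq` and `recv_cq` into locals once before `spin_lock_irqsave()` guarantees the unlock releases exactly the CQ locks the lock call took and keeps the lines within 80 columns. Please also confirm in the commit message that taking `qp_list_lock` outside `hns_roce_lock_cqs()` is the same lock order the two existing callers use, since the hunk itself cannot show that.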



* [PATCH 6.6 268/474] s390/debug: Reject zero-length input in debug_input_flush_fn()
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Heiko Carstens, Vasily Gorbik,
	Alexander Gordeev

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vasily Gorbik <gor@linux.ibm.com>

commit e14622a7584f9608927c59a7d6ae4a0999dc545e upstream.

debug_input_flush_fn() always copies one byte from the userspace buffer
with copy_from_user() regardless of the supplied write length. A
zero-length write therefore reads one byte beyond the caller's buffer.
If the stale byte happens to be '-' or a digit the debug log is
silently flushed. With an unmapped buffer the call returns -EFAULT.

Reject zero-length writes before copying from userspace.

Cc: stable@vger.kernel.org # v5.10+
Acked-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/s390/kernel/debug.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/arch/s390/kernel/debug.c
+++ b/arch/s390/kernel/debug.c
@@ -1434,6 +1434,11 @@ static int debug_input_flush_fn(debug_in
 	char input_buf[1];
 	int rc = user_len;
 
+	if (!user_len) {
+		rc = -EINVAL;
+		goto out;
+	}
+
 	if (user_len > 0x10000)
 		user_len = 0x10000;
 	if (*offset != 0) {
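Review bot: the new check sits after `int rc = user_len;`, so a zero-length write now returns -EINVAL instead of reaching the one-byte copy_from_user() the commit message describes; that closes the over-read. Two things worth a glance while here: `rc` is seeded from the uncapped `user_len` even though the next two lines clamp `user_len` to 0x10000 (pre-existing, but the function then reports having consumed more than it looked at), and the zero check could be moved ahead of the `rc` initialisation so the function reads top-down. A short comment on why a zero-length write is rejected rather than returning 0 would also help, since this is a debugfs write handler rather than a regular-file path.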



* [PATCH 6.6 269/474] smb/client: fix out-of-bounds read in smb2_compound_op()
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Zisen Ye, ChenXiaoSong, Steve French

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zisen Ye <zisenye@stu.xidian.edu.cn>

commit 8d09328dfda089675e4c049f3f256064a1d1996b upstream.

If a server sends a truncated response but a large OutputBufferLength, and
terminates the EA list early, check_wsl_eas() returns success without
validating that the entire OutputBufferLength fits within iov_len.

Then smb2_compound_op() does:
    memcpy(idata->wsl.eas, data[0], size[0]);

Where size[0] is OutputBufferLength. If iov_len is smaller than size[0],
memcpy can read beyond the end of the rsp_iov allocation and leak adjacent
kernel heap memory.

Link: https://lore.kernel.org/linux-cifs/d998240c-aca9-420d-9dbd-f5ba24af19e0@chenxiaosong.com/
Fixes: ea41367b2a60 ("smb: client: introduce SMB2_OP_QUERY_WSL_EA")
Cc: stable@vger.kernel.org
Signed-off-by: Zisen Ye <zisenye@stu.xidian.edu.cn>
Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/smb/client/smb2inode.c |   12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/fs/smb/client/smb2inode.c
+++ b/fs/smb/client/smb2inode.c
@@ -108,7 +108,7 @@ static int check_wsl_eas(struct kvec *rs
 	u32 outlen, next;
 	u16 vlen;
 	u8 nlen;
-	u8 *end;
+	u8 *ea_end, *iov_end;
 
 	outlen = le32_to_cpu(rsp->OutputBufferLength);
 	if (outlen < SMB2_WSL_MIN_QUERY_EA_RESP_SIZE ||
@@ -117,15 +117,19 @@ static int check_wsl_eas(struct kvec *rs
 
 	ea = (void *)((u8 *)rsp_iov->iov_base +
 		      le16_to_cpu(rsp->OutputBufferOffset));
-	end = (u8 *)rsp_iov->iov_base + rsp_iov->iov_len;
+	ea_end = (u8 *)ea + outlen;
+	iov_end = (u8 *)rsp_iov->iov_base + rsp_iov->iov_len;
+	if (ea_end > iov_end)
+		return -EINVAL;
+
 	for (;;) {
-		if ((u8 *)ea > end - sizeof(*ea))
+		if ((u8 *)ea > ea_end - sizeof(*ea))
 			return -EINVAL;
 
 		nlen = ea->ea_name_length;
 		vlen = le16_to_cpu(ea->ea_value_length);
 		if (nlen != SMB2_WSL_XATTR_NAME_LEN ||
-		    (u8 *)ea->ea_data + nlen + 1 + vlen > end)
+		    (u8 *)ea->ea_data + nlen + 1 + vlen > ea_end)
 			return -EINVAL;
 
 		switch (vlen) {
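Review bot: `ea_end = (u8 *)ea + outlen` is formed before anything checks that `ea` itself lies inside the iov: `ea` comes from the server-controlled OutputBufferOffset two lines above, and if that offset already points past `iov_end` the new `ea_end > iov_end` test only catches it because `outlen` is non-zero and the pointer addition does not wrap. Doing the check on integers avoids depending on that, e.g. `off = le16_to_cpu(rsp->OutputBufferOffset); if (off > rsp_iov->iov_len || outlen > rsp_iov->iov_len - off) return -EINVAL;` before forming `ea` and `ea_end`. The change of the loop bound from `end` to `ea_end` is the right one, since it confines the walk to exactly the region that smb2_compound_op() later memcpy()s.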



* [PATCH 6.6 270/474] smb/client: fix out-of-bounds read in symlink_data()
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Stable, Zisen Ye, ChenXiaoSong,
	Steve French

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zisen Ye <zisenye@stu.xidian.edu.cn>

commit d62b8d236fab503c6fec1d3e9a38bea71feaca20 upstream.

Since smb2_check_message() returns success without length validation for
the symlink error response, in symlink_data() it is possible for
iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer
only contains the base SMB2 header (64 bytes), accessing
err->ErrorContextCount (at offset 66) or err->ByteCount later in
symlink_data() will cause an out-of-bounds read.

Link: https://lore.kernel.org/linux-cifs/297d8d9b-adf7-42fd-a1c2-5b1f230032bc@chenxiaosong.com/
Fixes: 76894f3e2f71 ("cifs: improve symlink handling for smb2+")
Cc: Stable@vger.kernel.org
Signed-off-by: Zisen Ye <zisenye@stu.xidian.edu.cn>
Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/smb/client/smb2misc.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/smb/client/smb2misc.c
+++ b/fs/smb/client/smb2misc.c
@@ -239,7 +239,8 @@ smb2_check_message(char *buf, unsigned i
 	if (len != calc_len) {
 		/* create failed on symlink */
 		if (command == SMB2_CREATE_HE &&
-		    shdr->Status == STATUS_STOPPED_ON_SYMLINK)
+		    shdr->Status == STATUS_STOPPED_ON_SYMLINK &&
+		    len > calc_len)
 			return 0;
 		/* Windows 7 server returns 24 bytes more */
 		if (calc_len + 24 == len && command == SMB2_OPLOCK_BREAK_HE)
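Review bot: the rationale for `len > calc_len` is not visible at this spot and deserves a comment: if calc_len here covers the fixed-size smb2_err_rsp (as the commit message implies), the condition says a symlink error response is only accepted when it is at least that long, so symlink_data() can safely read ErrorContextCount and ByteCount. Note that because this sits inside `if (len != calc_len)`, `len > calc_len` is equivalent to `len >= calc_len` at this point, so the bare-64-byte-header case described in the commit message now falls through to the generic length-mismatch handling below instead of returning 0.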



* [PATCH 6.6 271/474] smb: client: validate dacloffset before building DACL pointers
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Steve French

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit f98b48151cc502ada59d9778f0112d21f2586ca3 upstream.

parse_sec_desc(), build_sec_desc(), and the chown path in
id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd
before proving a DACL header fits inside the returned security
descriptor.

On 32-bit builds a malicious server can return dacloffset near
U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip
past the later pointer-based bounds checks. build_sec_desc() and
id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped
pointer in the chmod/chown rewrite paths.

Validate dacloffset numerically before building any DACL pointer and
reuse the same helper at the three DACL entry points.

Fixes: bc3e9dd9d104 ("cifs: Change SIDs in ACEs while transferring file ownership.")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/smb/client/cifsacl.c |   35 ++++++++++++++++++++++++++++++++---
 1 file changed, 32 insertions(+), 3 deletions(-)

--- a/fs/smb/client/cifsacl.c
+++ b/fs/smb/client/cifsacl.c
@@ -1216,6 +1216,17 @@ static int parse_sid(struct smb_sid *psi
 	return 0;
 }
 
+static bool dacl_offset_valid(unsigned int acl_len, __u32 dacloffset)
+{
+	if (acl_len < sizeof(struct smb_acl))
+		return false;
+
+	if (dacloffset < sizeof(struct smb_ntsd))
+		return false;
+
+	return dacloffset <= acl_len - sizeof(struct smb_acl);
+}
+
 
 /* Convert CIFS ACL to POSIX form */
 static int parse_sec_desc(struct cifs_sb_info *cifs_sb,
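Review bot: the hunk leaves two consecutive blank lines between the new helper and the `/* Convert CIFS ACL to POSIX form */` comment (the added `+` blank line plus the existing one); drop one. A brief comment on dacl_offset_valid() would also help: it encodes three conditions (descriptor large enough to hold an smb_acl header, offset past the smb_ntsd header, and offset leaving room for an smb_acl), and the last one is deliberately written as `dacloffset <= acl_len - sizeof(struct smb_acl)` rather than `dacloffset + sizeof(...) <= acl_len` so it cannot wrap on 32-bit, which is the whole point of the patch and deserves to be stated where the check lives.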
@@ -1236,7 +1247,6 @@ static int parse_sec_desc(struct cifs_sb
 	group_sid_ptr = (struct smb_sid *)((char *)pntsd +
 				le32_to_cpu(pntsd->gsidoffset));
 	dacloffset = le32_to_cpu(pntsd->dacloffset);
-	dacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset);
 	cifs_dbg(NOISY, "revision %d type 0x%x ooffset 0x%x goffset 0x%x sacloffset 0x%x dacloffset 0x%x\n",
 		 pntsd->revision, pntsd->type, le32_to_cpu(pntsd->osidoffset),
 		 le32_to_cpu(pntsd->gsidoffset),
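Review bot: with the assignment removed here, `dacl_ptr` is only set inside the `if (dacloffset)` branch later in parse_sec_desc(); please confirm there is no remaining use of `dacl_ptr` between this point and that branch, and that the compiler does not now flag it as possibly uninitialised. Initialising it to NULL at its declaration would make the intent explicit. The cifs_dbg() below is unaffected since it prints the raw dacloffset value, not the pointer.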
@@ -1267,11 +1277,18 @@ static int parse_sec_desc(struct cifs_sb
 		return rc;
 	}
 
-	if (dacloffset)
+	if (dacloffset) {
+		if (!dacl_offset_valid(acl_len, dacloffset)) {
+			cifs_dbg(VFS, "Server returned illegal DACL offset\n");
+			return -EINVAL;
+		}
+
+		dacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset);
 		parse_dacl(dacl_ptr, end_of_acl, owner_sid_ptr,
 			   group_sid_ptr, fattr, get_mode_from_special_sid);
-	else
+	} else {
 		cifs_dbg(FYI, "no ACL\n"); /* BB grant all or default perms? */
+	}
 
 	return rc;
 }
@@ -1294,6 +1311,11 @@ static int build_sec_desc(struct smb_nts
 
 	dacloffset = le32_to_cpu(pntsd->dacloffset);
 	if (dacloffset) {
+		if (!dacl_offset_valid(secdesclen, dacloffset)) {
+			cifs_dbg(VFS, "Server returned illegal DACL offset\n");
+			return -EINVAL;
+		}
+
 		dacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset);
 		if (end_of_acl < (char *)dacl_ptr + le16_to_cpu(dacl_ptr->size)) {
 			cifs_dbg(VFS, "Server returned illegal ACL size\n");
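Review bot: dacl_offset_valid() now guarantees that `dacl_ptr->size` can be read, but the check right after it, `end_of_acl < (char *)dacl_ptr + le16_to_cpu(dacl_ptr->size)`, still validates the ACL length by pointer arithmetic. Because `size` is a u16 the addition cannot realistically wrap, so it is not a bug, but rewriting it as `le16_to_cpu(dacl_ptr->size) > secdesclen - dacloffset` would keep all three DACL entry points checking in the same integer form this patch introduces and make the two checks read as one invariant.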
@@ -1668,6 +1690,12 @@ id_mode_to_cifs_acl(struct inode *inode,
 		nsecdesclen = sizeof(struct smb_ntsd) + (sizeof(struct smb_sid) * 2);
 		dacloffset = le32_to_cpu(pntsd->dacloffset);
 		if (dacloffset) {
+			if (!dacl_offset_valid(secdesclen, dacloffset)) {
+				cifs_dbg(VFS, "Server returned illegal DACL offset\n");
+				rc = -EINVAL;
+				goto id_mode_to_cifs_acl_exit;
+			}
+
 			dacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset);
 			if (mode_from_sid)
 				nsecdesclen +=
@@ -1704,6 +1732,7 @@ id_mode_to_cifs_acl(struct inode *inode,
 		rc = ops->set_acl(pnntsd, nsecdesclen, inode, path, aclflag);
 		cifs_dbg(NOISY, "set_cifs_acl rc: %d\n", rc);
 	}
+id_mode_to_cifs_acl_exit:
 	cifs_put_tlink(tlink);
 
 	kfree(pnntsd);
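Review bot: the new `id_mode_to_cifs_acl_exit` label runs `cifs_put_tlink(tlink)` and `kfree(pnntsd)`; the `goto` added in the chown branch above is taken before any later allocation of `pnntsd` in this function, so this is only correct if `pnntsd` is initialised to NULL at declaration (kfree(NULL) is a no-op) and `tlink` has already been obtained at that point. Neither declaration is visible in the hunk; please double-check both, or place the label so that the early jump skips the kfree() if `pnntsd` is not yet valid there.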



* [PATCH 6.6 272/474] KVM: x86: check for nEPT/nNPT in slow flush hypercalls
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Christopherson, Paolo Bonzini

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Bonzini <pbonzini@redhat.com>

commit 464af6fc2b1dcc74005b7f58ee3812b17777efee upstream.

Checking is_guest_mode(vcpu) is incorrect, because translate_nested_gpa()
is only valid if an L2 guest is running *with nested EPT/NPT enabled*.
Instead use the same condition as translate_nested_gpa() itself.

Cc: stable@vger.kernel.org
Reviewed-by: Sean Christopherson <seanjc@google.com>
Fixes: aee738236dca ("KVM: x86: Prepare kvm_hv_flush_tlb() to handle L2's GPAs", 2022-11-18)
Link: https://patch.msgid.link/20260503200905.106077-1-pbonzini@redhat.com/
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/hyperv.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/kvm/hyperv.c
+++ b/arch/x86/kvm/hyperv.c
@@ -1987,7 +1987,7 @@ static u64 kvm_hv_flush_tlb(struct kvm_v
 	 * flush).  Translate the address here so the memory can be uniformly
 	 * read with kvm_read_guest().
 	 */
-	if (!hc->fast && is_guest_mode(vcpu)) {
+	if (!hc->fast && mmu_is_nested(vcpu)) {
 		hc->ingpa = translate_nested_gpa(vcpu, hc->ingpa, 0, NULL);
 		if (unlikely(hc->ingpa == INVALID_GPA))
 			return HV_STATUS_INVALID_HYPERCALL_INPUT;
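Review bot: the comment block above this line (ending "Translate the address here so the memory can be uniformly read with kvm_read_guest().") should mention the new condition: the translation is only meaningful when L2 runs with nested EPT/NPT, which is what mmu_is_nested(vcpu) tests and why is_guest_mode(vcpu) was too broad. Without that, the next reader is likely to "simplify" it back. Noting that this mirrors the check inside translate_nested_gpa() itself would make the coupling explicit.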



* [PATCH 6.6 273/474] mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Junxi Qian, SeongJae Park,
	Andrew Morton

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: SeongJae Park <sj@kernel.org>

commit 1e68eb96e8beb1abefd12dd22c5637795d8a877e upstream.

Patch series "mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path".

Reads of 'memcg_path' and 'path' files in DAMON sysfs interface could race
with their writes, resulting in use-after-free.  Fix those.


This patch (of 2):

damon_sysfs_scheme_filter->memcg_path can be read and written by users,
via DAMON sysfs memcg_path file.  It can also be indirectly read, for the
parameters {on,off}line committing to DAMON.  The reads for parameters
committing are protected by damon_sysfs_lock to avoid the sysfs files
being destroyed while any of the parameters are being read.  But the
user-driven direct reads and writes are not protected by any lock, while
the write is deallocating the memcg_path-pointing buffer.  As a result,
the readers could read the already freed buffer (use-after-free).  Note
that the user-reads don't race when the same open file is used by the
writer, due to kernfs's open file locking.  Nonetheless, doing the reads
and writes with separate open files would be common.  Fix it by protecting
both the user-direct reads and writes with damon_sysfs_lock.

Link: https://lore.kernel.org/20260423150253.111520-1-sj@kernel.org
Link: https://lore.kernel.org/20260423150253.111520-2-sj@kernel.org
Fixes: 4f489fe6afb3 ("mm/damon/sysfs-schemes: free old damon_sysfs_scheme_filter->memcg_path on write")
Co-developed-by: Junxi Qian <qjx1298677004@gmail.com>
Signed-off-by: Junxi Qian <qjx1298677004@gmail.com>
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: <stable@vger.kernel.org> # 6.16.x
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/damon/sysfs-schemes.c |   12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

--- a/mm/damon/sysfs-schemes.c
+++ b/mm/damon/sysfs-schemes.c
@@ -360,9 +360,14 @@ static ssize_t memcg_path_show(struct ko
 {
 	struct damon_sysfs_scheme_filter *filter = container_of(kobj,
 			struct damon_sysfs_scheme_filter, kobj);
+	int len;
 
-	return sysfs_emit(buf, "%s\n",
+	if (!mutex_trylock(&damon_sysfs_lock))
+		return -EBUSY;
+	len = sysfs_emit(buf, "%s\n",
 			filter->memcg_path ? filter->memcg_path : "");
+	mutex_unlock(&damon_sysfs_lock);
+	return len;
 }
 
 static ssize_t memcg_path_store(struct kobject *kobj,
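Review bot: mutex_trylock() turns a plain sysfs read into one that can spuriously fail with -EBUSY whenever damon_sysfs_lock is held (for example during the parameter commit the commit message describes), and userspace readers of a sysfs attribute rarely expect to retry. If trylock is needed to avoid a lock-ordering problem with kernfs (the usual reason for this pattern in DAMON's sysfs code), please say so in a comment next to the trylock; otherwise mutex_lock_interruptible() would give the same use-after-free protection without the new failure mode.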
@@ -376,8 +381,13 @@ static ssize_t memcg_path_store(struct k
 		return -ENOMEM;
 
 	strscpy(path, buf, count + 1);
+	if (!mutex_trylock(&damon_sysfs_lock)) {
+		kfree(path);
+		return -EBUSY;
+	}
 	kfree(filter->memcg_path);
 	filter->memcg_path = path;
+	mutex_unlock(&damon_sysfs_lock);
 	return count;
 }
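Review bot: the same -EBUSY caveat as in memcg_path_show() applies here: the allocation and strscpy() run before the lock is taken, so a concurrent commit makes the write fail outright rather than wait. On trylock failure the freshly allocated `path` is freed before returning, so there is no leak, and swapping `filter->memcg_path` under the lock now pairs with the locked read in the show path, which is what closes the use-after-free.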
 



* [PATCH 6.6 274/474] PCI/AER: Clear only error bits in PCIe Device Status
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lukas Wunner, Shuai Xue,
	Bjorn Helgaas, Kuppuswamy Sathyanarayanan

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shuai Xue <xueshuai@linux.alibaba.com>

commit a8aeea1bf3c80cc87983689e0118770e019bd4f3 upstream.

Currently, pcie_clear_device_status() clears the entire PCIe Device Status
register (PCI_EXP_DEVSTA) by writing back the value read from the register,
which affects not only the error status bits but also other writable bits.

According to PCIe r7.0, sec 7.5.3.5, this register contains:

  - RW1C error status bits (CED, NFED, FED, URD at bits 0-3): These are the
    four error status bits that need to be cleared.

  - Read-only bits (AUXPD at bit 4, TRPND at bit 5): Writing to these has
    no effect.

  - Emergency Power Reduction Detected (bit 6): A RW1C non-error bit
    introduced in PCIe r5.0 (2019). This is currently the only writable
    non-error bit in the Device Status register. Unconditionally clearing
    this bit can interfere with other software components that rely on this
    power management indication.

  - Reserved bits (RsvdZ): These bits are required to be written as zero.
    Writing 1s to them (as the current implementation may do) violates the
    specification.

To prevent unintended side effects, modify pcie_clear_device_status() to
only write 1s to the four error status bits (CED, NFED, FED, URD), leaving
the Emergency Power Reduction Detected bit and reserved bits unaffected.

Fixes: ec752f5d54d7 ("PCI/AER: Clear device status bits during ERR_FATAL and ERR_NONFATAL")
Suggested-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Shuai Xue <xueshuai@linux.alibaba.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
Reviewed-by: Lukas Wunner <lukas@wunner.de>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260211124624.49656-1-xueshuai@linux.alibaba.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pci/pci.c |    7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -2426,10 +2426,9 @@ EXPORT_SYMBOL_GPL(pci_set_pcie_reset_sta
 #ifdef CONFIG_PCIEAER
 void pcie_clear_device_status(struct pci_dev *dev)
 {
-	u16 sta;
-
-	pcie_capability_read_word(dev, PCI_EXP_DEVSTA, &sta);
-	pcie_capability_write_word(dev, PCI_EXP_DEVSTA, sta);
+	pcie_capability_write_word(dev, PCI_EXP_DEVSTA,
+				   PCI_EXP_DEVSTA_CED | PCI_EXP_DEVSTA_NFED |
+				   PCI_EXP_DEVSTA_FED | PCI_EXP_DEVSTA_URD);
 }
 #endif
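Review bot: the write now sets exactly the four RW1C error bits and leaves Emergency Power Reduction Detected and the RsvdZ bits at zero, which is what the spec text quoted in the commit message requires. Since the same mask is wanted anywhere Device Status errors are cleared, consider a named mask in the PCI regs header (something like `PCI_EXP_DEVSTA_ERR_MASK`, name hypothetical) instead of repeating the four-way OR; that also keeps this function in step if a future spec revision adds another error status bit.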
 



* [PATCH 6.6 275/474] PCI/AER: Stop ruling out unbound devices as error source
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lukas Wunner, Bjorn Helgaas,
	Stefan Roese

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lukas Wunner <lukas@wunner.de>

commit 1ab4a3c805084d752ec571efc78272295a9f2f74 upstream.

When searching for the error source, the AER driver rules out devices whose
enable_cnt is zero.  This was introduced in 2009 by commit 28eb27cf0839
("PCI AER: support invalid error source IDs") without providing a
rationale.

Drivers typically call pci_enable_device() on probe, hence the enable_cnt
check essentially filters out unbound devices.  At the time of the commit,
drivers had to opt in to AER by calling pci_enable_pcie_error_reporting()
and so any AER-enabled device could be assumed to be bound to a driver.
The check thus made sense because it allowed skipping config space accesses
to devices which were known not to be the error source.

But since 2022, AER is universally enabled on all devices when they are
enumerated, cf. commit f26e58bf6f54 ("PCI/AER: Enable error reporting when
AER is native").

Errors may very well be reported by unbound devices, e.g. due to link
instability.  By ruling them out as error source, errors reported by them
are neither logged nor cleared.  When they do get bound and another error
occurs, the earlier error is reported together with the new error, which
may confuse users.  Stop doing so.

Fixes: f26e58bf6f54 ("PCI/AER: Enable error reporting when AER is native")
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Stefan Roese <stefan.roese@mailbox.org>
Cc: stable@vger.kernel.org # v6.0+
Link: https://patch.msgid.link/734338c2e8b669db5a5a3b45d34131b55ffebfca.1774605029.git.lukas@wunner.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pci/pcie/aer.c |    2 --
 1 file changed, 2 deletions(-)

--- a/drivers/pci/pcie/aer.c
+++ b/drivers/pci/pcie/aer.c
@@ -849,8 +849,6 @@ static bool is_error_source(struct pci_d
 	 *      3) There are multiple errors and prior ID comparing fails;
 	 * We check AER status registers to find possible reporter.
 	 */
-	if (atomic_read(&dev->enable_cnt) == 0)
-		return false;
 
 	/* Check if AER is enabled */
 	pcie_capability_read_word(dev, PCI_EXP_DEVCTL, &reg16);
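Review bot: removing the enable_cnt filter leaves a stray blank line between the end of the comment block ("We check AER status registers to find possible reporter.") and `/* Check if AER is enabled */`; the two comments now read as one explanation, so either join them or drop the blank. More substantively, is_error_source() will now issue config reads to every unbound device it is asked about; please confirm that is safe for devices that may be unpowered or in D3cold, where the pcie_capability_read_word() below returns all-ones and the following "AER enabled" test on `reg16` would pass, since the commit message only argues about devices that are present and actively reporting errors.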



* [PATCH 6.6 276/474] power: supply: max17042: avoid overflow when determining health
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, André Draszik,
	Sebastian Reichel

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: André Draszik <andre.draszik@linaro.org>

commit 9a44949da669708f19d29141e65b3ac774d08f5a upstream.

If vmax has the default value of INT_MAX (e.g. because not specified in
DT), battery health is reported as over-voltage. This is because adding
any value to vmax (the vmax tolerance in this case) causes it to wrap
around, making it negative and smaller than the measured battery
voltage.

Avoid that by using size_add().

Fixes: edd4ab055931 ("power: max17042_battery: add HEALTH and TEMP_* properties support")
Cc: stable@vger.kernel.org
Signed-off-by: André Draszik <andre.draszik@linaro.org>
Link: https://patch.msgid.link/20260302-max77759-fg-v3-6-3c5f01dbda23@linaro.org
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/power/supply/max17042_battery.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/power/supply/max17042_battery.c
+++ b/drivers/power/supply/max17042_battery.c
@@ -199,7 +199,7 @@ static int max17042_get_battery_health(s
 		goto out;
 	}
 
-	if (vbatt > chip->pdata->vmax + MAX17042_VMAX_TOLERANCE) {
+	if (vbatt > size_add(chip->pdata->vmax, MAX17042_VMAX_TOLERANCE)) {
 		*health = POWER_SUPPLY_HEALTH_OVERVOLTAGE;
 		goto out;
 	}
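Review bot: size_add() is the overflow.h helper for size_t allocation arithmetic, and using it here changes the comparison's type: `vbatt` (an int, assuming the declarations match the INT_MAX default the commit message describes) is promoted to size_t to compare against the size_t sum, so a negative vbatt would compare as a huge value. That is harmless for a non-negative voltage reading but reads as an accident. A more direct fix that keeps int arithmetic is to clamp first, e.g. `int vmax = chip->pdata->vmax; if (vmax > INT_MAX - MAX17042_VMAX_TOLERANCE) vmax = INT_MAX - MAX17042_VMAX_TOLERANCE;` and then compare `vbatt > vmax + MAX17042_VMAX_TOLERANCE`, or simply to treat an INT_MAX vmax as "no limit". Either way, a comment explaining why plain addition was unsafe would help.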



* [PATCH 6.6 277/474] RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jason Gunthorpe

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Gunthorpe <jgg@nvidia.com>

commit c54c7e4cb679c0aaa1cb489b9c3f2cd98e63a44c upstream.

Sashiko points out that mlx4_srq_alloc() was not undone during error
unwind; add the missing call to mlx4_srq_free().

Cc: stable@vger.kernel.org
Fixes: 225c7b1feef1 ("IB/mlx4: Add a driver Mellanox ConnectX InfiniBand adapters")
Link: https://sashiko.dev/#/patchset/0-v1-e911b76a94d1%2B65d95-rdma_udata_rep_jgg%40nvidia.com?part=8
Link: https://patch.msgid.link/r/11-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/mlx4/srq.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/infiniband/hw/mlx4/srq.c
+++ b/drivers/infiniband/hw/mlx4/srq.c
@@ -193,13 +193,15 @@ int mlx4_ib_create_srq(struct ib_srq *ib
 	if (udata)
 		if (ib_copy_to_udata(udata, &srq->msrq.srqn, sizeof (__u32))) {
 			err = -EFAULT;
-			goto err_wrid;
+			goto err_srq;
 		}
 
 	init_attr->attr.max_wr = srq->msrq.max - 1;
 
 	return 0;
 
+err_srq:
+	mlx4_srq_free(dev->dev, &srq->msrq);
 err_wrid:
 	if (udata)
 		mlx4_ib_db_unmap_user(ucontext, &srq->db);
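Review bot: the new `err_srq` label falls through into `err_wrid`, so the udata path now releases the SRQ before unmapping the doorbell page, which is the right order. Two points: the hunk only redirects the `ib_copy_to_udata()` failure, so any other failure that can occur after mlx4_srq_alloc() and before `return 0` (not visible here) would also want `goto err_srq`, worth a quick look; and the pre-existing unbraced `if (udata) if (...)` nesting hides a multi-line body, so adding braces to the outer if while these lines are being touched would be cheap.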



* [PATCH 6.6 278/474] RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
	Jason Gunthorpe

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Junrui Luo <moonafterrain@outlook.com>

commit c488df06bd552bb8b6e14fa0cfd5ad986c6e9525 upstream.

mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When
ib_create_srq() fails for s1, the error branch destroys s0 but falls
through and unconditionally assigns the freed s0 and the ERR_PTR s1 to
devr->s0 and devr->s1.

This leads to several problems: the lock-free fast path checks
"if (devr->s1) return 0;" and treats the ERR_PTR as already initialised;
users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via
to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences
the ERR_PTR and double-frees s0 on teardown.

Fix by adding the same `goto unlock` in the s1 failure path.

Cc: stable@vger.kernel.org
Fixes: 5895e70f2e6e ("IB/mlx5: Allocate resources just before first QP/SRQ is created")
Link: https://patch.msgid.link/r/SYBPR01MB7881E1E0970268BD69C0BA75AF2B2@SYBPR01MB7881.ausprd01.prod.outlook.com
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/mlx5/main.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/infiniband/hw/mlx5/main.c
+++ b/drivers/infiniband/hw/mlx5/main.c
@@ -2924,6 +2924,7 @@ int mlx5_ib_dev_res_srq_init(struct mlx5
 		ret = PTR_ERR(s1);
 		mlx5_ib_err(dev, "Couldn't create SRQ 1 for res init, err=%d\n", ret);
 		ib_destroy_srq(s0);
+		goto unlock;
 	}
 
 	devr->s0 = s0;
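Review bot: with `goto unlock` added, `devr->s0 = s0` and `devr->s1 = s1` are skipped on s1 failure, which is the fix, and `ret` already carries PTR_ERR(s1) to the label. Please confirm the `unlock` label (outside this hunk) does nothing beyond dropping the mutex and returning `ret`, and that the earlier s0-failure branch uses the same label so the two error paths stay symmetric. A comment on the lock-free `if (devr->s1) return 0;` fast path mentioned in the commit message, stating that devr->s1 must only ever be NULL or a valid SRQ, would guard against this regressing.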



* [PATCH 6.6 279/474] RDMA/ocrdma: Dont NULL deref uctx on errors in ocrdma_copy_pd_uresp()
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jason Gunthorpe

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Gunthorpe <jgg@nvidia.com>

commit 34fbf48cf3b410d2a6e8c586fa952a36331ca5ba upstream.

Sashiko points out that pd->uctx isn't initialized until late in the
function so all these error flow references are NULL and will crash. Use
the uctx that isn't NULL.

Cc: stable@vger.kernel.org
Fixes: fe2caefcdf58 ("RDMA/ocrdma: Add driver for Emulex OneConnect IBoE RDMA adapter")
Link: https://sashiko.dev/#/patchset/0-v1-e911b76a94d1%2B65d95-rdma_udata_rep_jgg%40nvidia.com?part=4
Link: https://patch.msgid.link/r/9-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/ocrdma/ocrdma_verbs.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c
+++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c
@@ -620,9 +620,9 @@ static int ocrdma_copy_pd_uresp(struct o
 
 ucopy_err:
 	if (pd->dpp_enabled)
-		ocrdma_del_mmap(pd->uctx, dpp_page_addr, PAGE_SIZE);
+		ocrdma_del_mmap(uctx, dpp_page_addr, PAGE_SIZE);
 dpp_map_err:
-	ocrdma_del_mmap(pd->uctx, db_page_addr, db_page_size);
+	ocrdma_del_mmap(uctx, db_page_addr, db_page_size);
 	return status;
 }
 
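Review bot: both labels now pass the function-local `uctx` instead of pd->uctx, which the message says is only assigned late in the function; `uctx` itself is not visible in this hunk, so check that it is initialised (from the udata context lookup, not from pd) before the first `goto dpp_map_err`, otherwise the NULL dereference has moved rather than gone. The dpp unmap stays guarded by pd->dpp_enabled, which is correct since dpp_page_addr is only valid in that case.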




* [PATCH 6.6 280/474] RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Zhu Yanjun,
	Jason Gunthorpe

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 1114c87aa6f195cf07da55a27b2122ae26557b26 upstream.

atomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c
unconditionally dereferences 8 bytes at payload_addr(pkt):

    value = *(u64 *)payload_addr(pkt);

check_rkey() previously accepted an ATOMIC_WRITE request with pktlen ==
resid == 0 because the length validation only compared pktlen against
resid. A remote initiator that sets the RETH length to 0 therefore reaches
atomic_write_reply() with a zero-byte logical payload, and the responder
reads sizeof(u64) bytes from past the logical end of the packet into
skb->head tailroom, then writes those 8 bytes into the attacker's MR via
rxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel
tailroom per probe (the other 4 bytes are the packet's own trailing ICRC).

IBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is
protocol-invalid. Hoist a strict length check into check_rkey() so the
responder never reaches the unchecked dereference, and keep the existing
WRITE-family length logic for the normal RDMA WRITE path.

Reproduced on mainline with an unmodified rxe driver: a sustained
zero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer
bytes into the attacker's MR, including recognisable kernel strings and
partial kernel-direct-map pointer words.  With this patch applied the
responder rejects the PDU and the MR stays all-zero.

Cc: stable@vger.kernel.org
Fixes: 034e285f8b99 ("RDMA/rxe: Make responder support atomic write on RC service")
Link: https://patch.msgid.link/r/20260418162141.3610201-1-michael.bommarito@gmail.com
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/sw/rxe/rxe_resp.c |   14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

--- a/drivers/infiniband/sw/rxe/rxe_resp.c
+++ b/drivers/infiniband/sw/rxe/rxe_resp.c
@@ -536,7 +536,19 @@ static enum resp_states check_rkey(struc
 	}
 
 skip_check_range:
-	if (pkt->mask & (RXE_WRITE_MASK | RXE_ATOMIC_WRITE_MASK)) {
+	if (pkt->mask & RXE_ATOMIC_WRITE_MASK) {
+		/* IBA oA19-28: ATOMIC_WRITE payload is exactly 8 bytes.
+		 * Reject any other length before the responder reads
+		 * sizeof(u64) bytes from payload_addr(pkt); a shorter
+		 * payload would read past the logical end of the packet
+		 * into skb->head tailroom.
+		 */
+		if (resid != sizeof(u64) || pktlen != sizeof(u64) ||
+		    bth_pad(pkt)) {
+			state = RESPST_ERR_LENGTH;
+			goto err;
+		}
+	} else if (pkt->mask & RXE_WRITE_MASK) {
 		if (resid > mtu) {
 			if (pktlen != mtu || bth_pad(pkt)) {
 				state = RESPST_ERR_LENGTH;
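Review bot: placing the ATOMIC_WRITE branch after skip_check_range: is the important detail, because the 8-byte read in atomic_write_reply() happens whether or not the rkey/range check ran, so a zero-length request has to be refused on that path as well, and the condition as written does that. Splitting the old combined `RXE_WRITE_MASK | RXE_ATOMIC_WRITE_MASK` test into two branches means the RDMA WRITE arm must keep its original `else` (pktlen == resid plus the pad rule) for resid <= mtu; only the first three lines of that arm appear as context here, so that is worth checking in the applied tree. The `bth_pad(pkt)` term is redundant once pktlen == 8 is required, but it is cheap and keeps the rule identical to the spec wording in the comment.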




* [PATCH 6.6 281/474] RDMA/rxe: Reject unknown opcodes before ICRC processing
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Zhu Yanjun,
	Jason Gunthorpe

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 4c6f86d85d03cdb33addce86aa69aa795ca6c47a upstream.

Even after applying commit 7244491dab34 ("RDMA/rxe: Validate pad and ICRC
before payload_size() in rxe_rcv"), a single unauthenticated UDP packet
can still trigger panic.  That patch handled payload_size() underflow only
for valid opcodes with short packets, not for packets carrying an unknown
opcode.  The unknown-opcode OOB read described below predates that commit
and reaches back to the initial Soft RoCE driver.

The check added there reads

    pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE

where header_size(pkt) expands to rxe_opcode[pkt->opcode].length.  The
rxe_opcode[] array has 256 entries but is only populated for defined IB
opcodes; any other entry (for example opcode 0xff) is zero-initialized, so
length == 0 and the check degenerates to

    pkt->paylen < 0 + bth_pad(pkt) + RXE_ICRC_SIZE

which does not constrain pkt->paylen enough.  rxe_icrc_hdr() then computes

    rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES

which underflows when length == 0 and passes a huge value to rxe_crc32(),
causing an out-of-bounds read of the skb payload.

Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with
CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after

    rdma link add rxe0 type rxe netdev eth0

A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and
QPN=IB_MULTICAST_QPN triggers:

    BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170
    Read of size 1 at addr ...
    The buggy address is located 0 bytes to the right of
     allocated 704-byte region
    Call Trace:
     crc32_le+0x115/0x170
     rxe_icrc_hdr.isra.0+0x226/0x300
     rxe_icrc_check+0x13f/0x3a0
     rxe_rcv+0x6e1/0x16e0
     rxe_udp_encap_recv+0x20a/0x320
     udp_queue_rcv_one_skb+0x7ed/0x12c0

Subsequent packets with the same shape fault on unmapped memory and panic
the kernel.  The trigger requires only module load and "rdma link add"; no
QP, no connection, and no authentication.

Fix this by rejecting packets whose opcode has no rxe_opcode[] entry,
detected via the zero mask or zero length, before any length arithmetic
runs.

Cc: stable@vger.kernel.org
Fixes: 8700e3e7c485 ("Soft RoCE driver")
Link: https://patch.msgid.link/r/20260414111555.3386793-1-michael.bommarito@gmail.com
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/sw/rxe/rxe_recv.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/drivers/infiniband/sw/rxe/rxe_recv.c
+++ b/drivers/infiniband/sw/rxe/rxe_recv.c
@@ -330,6 +330,17 @@ void rxe_rcv(struct sk_buff *skb)
 	pkt->qp = NULL;
 	pkt->mask |= rxe_opcode[pkt->opcode].mask;
 
+	/*
+	 * Unknown opcodes have a zero-initialized rxe_opcode[] entry, so
+	 * both mask and length are 0.  Reject them before any length math:
+	 * rxe_icrc_hdr() would otherwise compute length - RXE_BTH_BYTES
+	 * and pass the underflowed value to rxe_crc32(), producing an
+	 * out-of-bounds read.
+	 */
+	if (unlikely(!rxe_opcode[pkt->opcode].mask ||
+		     !rxe_opcode[pkt->opcode].length))
+		goto drop;
+
 	if (unlikely(pkt->paylen < header_size(pkt) + bth_pad(pkt) +
 		       RXE_ICRC_SIZE))
 		goto drop;
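Review bot: reading rxe_opcode[pkt->opcode].mask in the guard rather than pkt->mask is the right choice, since the line above ORs the table mask into pkt->mask, which may already carry bits set earlier in rxe_rcv() and so would not be zero for an unknown opcode. pkt->opcode is an 8-bit field, so the 256-entry table is never indexed out of range here; the `!length` half of the test is redundant for any populated entry (every defined opcode has at least a BTH), but it documents the invariant that rxe_icrc_hdr() subtracts RXE_BTH_BYTES from it, which is the arithmetic the message shows underflowing.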




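An added example (C, written for this page; not rxe driver code) that models both the unknown-opcode guard from this patch and the 8-byte ATOMIC_WRITE rule from the preceding patch in this series. The opcode numbers, header sizes, the two-entry opcode table and the 64-byte packet buffer standing in for an skb with tailroom are assumptions chosen so the arithmetic reproduces the two failures the commit messages describe: a paylen check that passes for an undefined opcode because header_size() is 0, the unsigned underflow rxe_icrc_hdr() would then hand to the CRC, and a zero-length ATOMIC_WRITE whose 8-byte read straddles the ICRC and the bytes past the packet.

```c
/*
 * Added example, not rxe driver code: a model of two receive-side checks,
 * unknown-opcode rejection in rxe_rcv() and the 8-byte ATOMIC_WRITE rule in
 * check_rkey().  Constants, opcode numbers and the packet layout are
 * simplified assumptions, not the driver's values.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BTH_BYTES   12u   /* Base Transport Header */
#define RETH_BYTES  16u   /* RDMA Extended Transport Header */
#define ICRC_SIZE    4u
#define AW_PAYLOAD   8u   /* IBA: ATOMIC_WRITE carries exactly 8 bytes */

enum { MASK_WRITE = 1u << 0, MASK_ATOMIC_WRITE = 1u << 1 };

struct opcode_info { unsigned mask; unsigned length; };

/* Assumed opcode numbers.  Like rxe_opcode[] the table has 256 entries and
 * every entry not listed here stays zero-initialised. */
#define OP_WRITE_ONLY    0x0a
#define OP_ATOMIC_WRITE  0x1d
static const struct opcode_info opcodes[256] = {
	[OP_WRITE_ONLY]   = { MASK_WRITE,        BTH_BYTES + RETH_BYTES },
	[OP_ATOMIC_WRITE] = { MASK_ATOMIC_WRITE, BTH_BYTES + RETH_BYTES },
};

struct pkt {
	uint8_t  opcode;
	uint8_t  pad;        /* BTH PadCnt */
	uint32_t paylen;     /* bytes from BTH through ICRC, as pkt->paylen */
	uint32_t reth_len;   /* DMA length from the RETH (the responder's resid) */
	uint8_t  buf[64];    /* packet bytes; anything past paylen is skb tailroom */
};

static unsigned header_size(const struct pkt *p) { return opcodes[p->opcode].length; }

/* What rxe_icrc_hdr() feeds to the CRC: header bytes after the BTH, unsigned. */
unsigned icrc_hdr_len(const struct pkt *p) { return header_size(p) - BTH_BYTES; }

/* The length check from commit 7244491dab34 on its own. */
bool rcv_accepts_old(const struct pkt *p)
{
	return !(p->paylen < header_size(p) + p->pad + ICRC_SIZE);
}

/* Same check behind the unknown-opcode guard this patch adds. */
bool rcv_accepts_new(const struct pkt *p)
{
	if (!opcodes[p->opcode].mask || !opcodes[p->opcode].length)
		return false;
	return rcv_accepts_old(p);
}

/* Logical payload length, as payload_size() derives it from paylen. */
static uint32_t payload_size(const struct pkt *p)
{
	return p->paylen - header_size(p) - p->pad - ICRC_SIZE;
}

/* Pre-patch WRITE-family check shared with RDMA WRITE: it only compares the
 * carried bytes against the advertised length, so 0 == 0 is accepted. */
bool aw_length_ok_old(const struct pkt *p, uint32_t mtu)
{
	uint32_t pktlen = payload_size(p), resid = p->reth_len;

	if (resid > mtu)
		return pktlen == mtu && p->pad == 0;
	return pktlen == resid && (unsigned)p->pad == (0x3u & (0u - resid));
}

/* Post-patch rule: exactly 8 bytes advertised, 8 carried, no padding. */
bool aw_length_ok_new(const struct pkt *p)
{
	return p->reth_len == AW_PAYLOAD && payload_size(p) == AW_PAYLOAD && p->pad == 0;
}

/* The unconditional 8-byte read in atomic_write_reply(); returns how many of
 * those bytes lie past the logical end of the packet (ICRC and tailroom). */
size_t aw_read_value(const struct pkt *p, uint64_t *value)
{
	unsigned start = header_size(p);

	memcpy(value, p->buf + start, sizeof(*value));
	return start + sizeof(*value) > p->paylen ? start + sizeof(*value) - p->paylen : 0;
}

/* Constructed probe: a zero-length ATOMIC_WRITE whose ICRC bytes are 0xCC and
 * whose tailroom is filled with 0xAA, so the leak is visible in the value. */
struct pkt make_zero_length_atomic_write(void)
{
	struct pkt p = { .opcode = OP_ATOMIC_WRITE, .pad = 0, .reth_len = 0 };

	p.paylen = BTH_BYTES + RETH_BYTES + ICRC_SIZE;          /* no payload at all */
	memset(p.buf, 0xAA, sizeof(p.buf));                       /* "tailroom" */
	memset(p.buf, 0x00, BTH_BYTES + RETH_BYTES);              /* headers */
	memset(p.buf + BTH_BYTES + RETH_BYTES, 0xCC, ICRC_SIZE);  /* ICRC */
	return p;
}

/* Constructed probe: a 48-byte BTH-through-ICRC packet with an undefined opcode. */
struct pkt make_unknown_opcode(void)
{
	struct pkt p = { .opcode = 0xff, .pad = 0, .paylen = 48 };
	return p;
}
```

make_zero_length_atomic_write() passes the pre-patch WRITE-family check and fails the new one, and aw_read_value() reports that 4 of the 8 bytes it copied lie past paylen, matching the per-probe disclosure the earlier message describes. make_unknown_opcode() passes the paylen-only check, and icrc_hdr_len() shows the wrapped length that would reach the CRC, while the table guard refuses the packet before either is reached.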
* [PATCH 6.6 282/474] RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jason Gunthorpe

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Gunthorpe <jgg@nvidia.com>

commit e38e86995df27f1f854063dab1f0c6a513db3faf upstream.

Sashiko points out that pvrdma_uar_free() is already called within
pvrdma_dealloc_ucontext(), so calling it before triggers a double free.

Cc: stable@vger.kernel.org
Fixes: 29c8d9eba550 ("IB: Add vmw_pvrdma driver")
Link: https://sashiko.dev/#/patchset/0-v1-e911b76a94d1%2B65d95-rdma_udata_rep_jgg%40nvidia.com?part=4
Link: https://patch.msgid.link/r/10-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c
+++ b/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c
@@ -350,7 +350,7 @@ int pvrdma_alloc_ucontext(struct ib_ucon
 	uresp.qp_tab_size = vdev->dsr->caps.max_qp;
 	ret = ib_copy_to_udata(udata, &uresp, sizeof(uresp));
 	if (ret) {
-		pvrdma_uar_free(vdev, &context->uar);
+		/* pvrdma_dealloc_ucontext() also frees the UAR */
 		pvrdma_dealloc_ucontext(&context->ibucontext);
 		return -EFAULT;
 	}
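Review bot: the comment left in place of the removed call should say why the order matters, i.e. that pvrdma_dealloc_ucontext() frees the UAR itself, so a pvrdma_uar_free() ahead of it releases the same entry twice; as written it only restates the fact. Also worth confirming that pvrdma_dealloc_ucontext() copes with a context whose only incomplete step is the udata copy, which holds if everything it tears down was set up before ib_copy_to_udata() is reached, as the surrounding code suggests since the copy is the last step before returning.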




* [PATCH 6.6 283/474] mptcp: fastclose msk when linger time is 0
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lance Tuller, Mat Martineau,
	Matthieu Baerts (NGI0), Jakub Kicinski

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthieu Baerts (NGI0) <matttbe@kernel.org>

commit f14d6e9c3678a067f304abba561e0c5446c7e845 upstream.

The SO_LINGER socket option has been supported for a while with MPTCP
sockets [1], but it didn't cause the equivalent of a TCP reset as
expected when enabled and its time was set to 0. This was causing some
behavioural differences with TCP where some connections were not
promptly stopped as expected.

To fix that, an extra condition is checked at close() time before
sending an MP_FASTCLOSE, the MPTCP equivalent of a TCP reset.

Note that backporting up to [1] will be difficult as more changes are
needed to be able to send MP_FASTCLOSE. It seems better to stop at [2],
which was supposed to already imitate TCP.

Validated with MPTCP packetdrill tests [3].

Fixes: 268b12387460 ("mptcp: setsockopt: support SO_LINGER") [1]
Fixes: d21f83485518 ("mptcp: use fastclose on more edge scenarios") [2]
Cc: stable@vger.kernel.org
Reported-by: Lance Tuller <lance@lance0.com>
Closes: https://github.com/lance0/xfr/pull/67
Link: https://github.com/multipath-tcp/packetdrill/pull/196 [3]
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260427-net-mptcp-misc-fixes-7-1-rc2-v1-3-7432b7f279fa@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/protocol.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -3177,7 +3177,8 @@ bool __mptcp_close(struct sock *sk, long
 		goto cleanup;
 	}
 
-	if (mptcp_data_avail(msk) || timeout < 0) {
+	if (mptcp_data_avail(msk) || timeout < 0 ||
+	    (sock_flag(sk, SOCK_LINGER) && !sk->sk_lingertime)) {
 		/* If the msk has read data, or the caller explicitly ask it,
 		 * do the MPTCP equivalent of TCP reset, aka MPTCP fastclose
 		 */
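Review bot: testing SOCK_LINGER with a zero sk_lingertime directly is needed because the linger-0 case does not reach this function as a negative `timeout` (otherwise the existing `timeout < 0` test would already have covered the behaviour the message describes); the comment under the condition still only mentions read data and an explicit caller request, so it should be extended with the zero-linger case so all three triggers are documented. Also worth confirming from the callers that the msk lock is held here, so the plain read of sk->sk_lingertime cannot race with setsockopt(SO_LINGER).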




* [PATCH 6.6 284/474] mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Matthieu Baerts (NGI0),
	Shardul Bankar, Jakub Kicinski

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shardul Bankar <shardul.b@mpiricsoftware.com>

commit c4a99a921949cddc590b22bb14eeb23dffcc3ba6 upstream.

In subflow_finish_connect(), HMAC validation of the server's HMAC
in SYN/ACK + MP_JOIN increments MPTCP_MIB_JOINACKMAC ("HMAC was
wrong on ACK + MP_JOIN") on failure. The function processes the
SYN/ACK, not the ACK; the matching MPTCP_MIB_JOINSYNACKMAC counter
("HMAC was wrong on SYN/ACK + MP_JOIN") exists but is not
incremented anywhere in the tree.

The mirror site on the server, subflow_syn_recv_sock(), already
uses JOINACKMAC correctly for ACK HMAC failure. Use JOINSYNACKMAC
at the SYN/ACK validation site so each counter reflects the packet
whose HMAC actually failed.

Suggested-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Fixes: fc518953bc9c ("mptcp: add and use MIB counter infrastructure")
Cc: stable@vger.kernel.org
Signed-off-by: Shardul Bankar <shardul.b@mpiricsoftware.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260501-net-mptcp-misc-fixes-7-1-rc3-v1-1-b70118df778e@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/subflow.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -558,7 +558,7 @@ static void subflow_finish_connect(struc
 			 subflow->backup);
 
 		if (!subflow_thmac_valid(subflow)) {
-			MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_JOINACKMAC);
+			MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_JOINSYNACKMAC);
 			subflow->reset_reason = MPTCP_RST_EMPTCP;
 			goto do_reset;
 		}
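Review bot: the counter swap is right for this site, but it changes what userspace observes: MPTcpExtMPJoinAckHMacFailure stops incrementing for a bad SYN/ACK HMAC and MPTcpExtMPJoinSynAckHMacFailure starts to, so any selftest or monitoring that keyed on the old counter for client-side join failures needs the corresponding update. The MPTCP_RST_EMPTCP reset_reason on the next line is untouched and is what the server-side fix later in this series aligns with.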




* [PATCH 6.6 285/474] mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Matthieu Baerts (NGI0),
	Shardul Bankar, Jakub Kicinski

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shardul Bankar <shardul.b@mpiricsoftware.com>

commit a6da02d4c00fdda2417e42ad2b762a9209e6cc49 upstream.

When HMAC validation fails on a received ACK + MP_JOIN in
subflow_syn_recv_sock(), the subflow is reset with reason
MPTCP_RST_EPROHIBIT ("Administratively prohibited"). This is
incorrect: HMAC validation failure is an MPTCP protocol-level
error, not an administrative policy denial.

The mirror site on the client, in subflow_finish_connect(), already
uses MPTCP_RST_EMPTCP ("MPTCP-specific error") for the same kind of
HMAC failure on the SYN/ACK + MP_JOIN. Use the same reason on the
server side for symmetry and accuracy.

Suggested-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Fixes: 443041deb5ef ("mptcp: fix NULL pointer in can_accept_new_subflow")
Cc: stable@vger.kernel.org
Signed-off-by: Shardul Bankar <shardul.b@mpiricsoftware.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260501-net-mptcp-misc-fixes-7-1-rc3-v1-2-b70118df778e@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/subflow.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -885,7 +885,7 @@ create_child:
 
 			if (!subflow_hmac_valid(req, &mp_opt)) {
 				SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINACKMAC);
-				subflow_add_reset_reason(skb, MPTCP_RST_EPROHIBIT);
+				subflow_add_reset_reason(skb, MPTCP_RST_EMPTCP);
 				goto dispose_child;
 			}
 
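Review bot: MPTCP_RST_EMPTCP is the right code for a failed HMAC, and the counter stays MPTCP_MIB_JOINACKMAC since this really is the ACK; one thing to verify outside the hunk is that the other `goto dispose_child` sites in subflow_syn_recv_sock() that reject an MP_JOIN for protocol reasons also report MPTCP_RST_EMPTCP, since the message gives symmetry with the client side as the goal and this hunk only fixes the HMAC site.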




* [PATCH 6.6 286/474] mptcp: sockopt: set timestamp flags on subflow socket, not msk
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Gang Yan, Matthieu Baerts (NGI0),
	Jakub Kicinski

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gang Yan <yangang@kylinos.cn>

commit 5f95c21fc23a7ef22b4d27d1ed9bb55557ffb926 upstream.

Both mptcp_setsockopt_sol_socket_tstamp() and
mptcp_setsockopt_sol_socket_timestamping() iterate over subflows,
acquire the subflow socket lock, but then erroneously pass the MPTCP
msk socket to sock_set_timestamp() / sock_set_timestamping() instead
of the subflow ssk. As a result, the timestamp flags are set on the
wrong socket and have no effect on the actual subflows.

Pass ssk instead of sk to both helpers.

Fixes: 9061f24bf82e ("mptcp: sockopt: propagate timestamp request to subflows")
Cc: stable@vger.kernel.org
Signed-off-by: Gang Yan <yangang@kylinos.cn>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260427-net-mptcp-misc-fixes-7-1-rc2-v1-1-7432b7f279fa@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/sockopt.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/mptcp/sockopt.c
+++ b/net/mptcp/sockopt.c
@@ -161,7 +161,7 @@ static int mptcp_setsockopt_sol_socket_t
 		struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
 		bool slow = lock_sock_fast(ssk);
 
-		sock_set_timestamp(sk, optname, !!val);
+		sock_set_timestamp(ssk, optname, !!val);
 		unlock_sock_fast(ssk, slow);
 	}
 
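Review bot: passing ssk is the correct target socket, but the call still sits between lock_sock_fast() and unlock_sock_fast(), and sock_set_timestamp() can sleep, so on its own this hunk turns a silent no-op into a sleeping-while-atomic hazard; the following patch in this series ("fix scheduling with atomic in timestamp sockopt") switches the pair to lock_sock()/release_sock(), and the two should be backported together.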
@@ -237,7 +237,7 @@ static int mptcp_setsockopt_sol_socket_t
 		struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
 		bool slow = lock_sock_fast(ssk);
 
-		sock_set_timestamping(sk, optname, timestamping);
+		sock_set_timestamping(ssk, optname, timestamping);
 		unlock_sock_fast(ssk, slow);
 	}
 
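Review bot: same point as the first hunk for sock_set_timestamping(): right socket, but still under lock_sock_fast() until the next patch in the series lands, so keep the two changes together.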




* [PATCH 6.6 287/474] mptcp: fix scheduling with atomic in timestamp sockopt
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sashiko, Gang Yan,
	Matthieu Baerts (NGI0), Jakub Kicinski

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gang Yan <yangang@kylinos.cn>

commit b5c52908d52c6c8eb8933264aa6087a0600fd892 upstream.

Using lock_sock_fast() (atomic context) around sock_set_timestamp()
and sock_set_timestamping() is unsafe, as both helpers can sleep.

Replace lock_sock_fast() with sleepable lock_sock()/release_sock()
to avoid a scheduling-while-atomic panic.

Fixes: 9061f24bf82e ("mptcp: sockopt: propagate timestamp request to subflows")
Cc: stable@vger.kernel.org
Reported-by: Sashiko <sashiko-bot@kernel.org>
Closes: https://sashiko.dev/#/patchset/20260420093343.16443-1-gang.yan@linux.dev
Signed-off-by: Gang Yan <yangang@kylinos.cn>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260427-net-mptcp-misc-fixes-7-1-rc2-v1-2-7432b7f279fa@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/sockopt.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/net/mptcp/sockopt.c
+++ b/net/mptcp/sockopt.c
@@ -159,10 +159,10 @@ static int mptcp_setsockopt_sol_socket_t
 	lock_sock(sk);
 	mptcp_for_each_subflow(msk, subflow) {
 		struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
-		bool slow = lock_sock_fast(ssk);
 
+		lock_sock(ssk);
 		sock_set_timestamp(ssk, optname, !!val);
-		unlock_sock_fast(ssk, slow);
+		release_sock(ssk);
 	}
 
 	release_sock(sk);
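Review bot: lock_sock(ssk) is now taken while lock_sock(sk) is held (first context line), i.e. a nested sleeping lock in msk-then-ssk order; that is the same order the previous lock_sock_fast() implied, so no new inversion is introduced, but confirm the subflow sockets carry a lock class distinct from the msk, otherwise lockdep will report this nesting as recursive locking.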
@@ -235,10 +235,10 @@ static int mptcp_setsockopt_sol_socket_t
 
 	mptcp_for_each_subflow(msk, subflow) {
 		struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
-		bool slow = lock_sock_fast(ssk);
 
+		lock_sock(ssk);
 		sock_set_timestamping(ssk, optname, timestamping);
-		unlock_sock_fast(ssk, slow);
+		release_sock(ssk);
 	}
 
 	release_sock(sk);
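Review bot: the second hunk shows no lock_sock(sk) in its context but does end with release_sock(sk), so the msk is locked earlier in the function and the same msk-then-ssk nesting as the first hunk applies; with `slow` gone from both loops, nothing in these functions remains that is expected to run with BH disabled.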




* [PATCH 6.6 288/474] f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode()
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Cen Zhang, Chao Yu, Jaegeuk Kim

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cen Zhang <zzzccc427@gmail.com>

commit 5471834a96fb697874be2ca0b052e74bcf3c23d1 upstream.

f2fs_update_inode() reads inode->i_blocks without holding i_lock to
serialize it to the on-disk inode, while concurrent truncate or
allocation paths may modify i_blocks under i_lock.  Since blkcnt_t is
u64, this risks torn reads on 32-bit architectures.

Following the approach in ext4_inode_blocks_set(), add READ_ONCE() to prevent
potential compiler-induced tearing.

Fixes: 19f99cee206c ("f2fs: add core inode operations")
Cc: stable@vger.kernel.org
Signed-off-by: Cen Zhang <zzzccc427@gmail.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/f2fs/inode.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/f2fs/inode.c
+++ b/fs/f2fs/inode.c
@@ -665,7 +665,7 @@ void f2fs_update_inode(struct inode *ino
 	ri->i_uid = cpu_to_le32(i_uid_read(inode));
 	ri->i_gid = cpu_to_le32(i_gid_read(inode));
 	ri->i_links = cpu_to_le32(inode->i_nlink);
-	ri->i_blocks = cpu_to_le64(SECTOR_TO_BLOCK(inode->i_blocks) + 1);
+	ri->i_blocks = cpu_to_le64(SECTOR_TO_BLOCK(READ_ONCE(inode->i_blocks)) + 1);
 
 	if (!f2fs_is_atomic_file(inode) ||
 			is_inode_flag_set(inode, FI_ATOMIC_COMMITTED))
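Review bot: READ_ONCE() stops the compiler from re-loading or splitting the access at will, but for a u64 on a 32-bit architecture it still compiles to two separate loads, so the torn-read concern in the message is narrowed rather than removed; only taking i_lock here (or a 64-bit-atomic load on hardware that provides one) would close it fully. The writers should also use WRITE_ONCE() for the pairing to be meaningful, and a short comment on this line stating the weaker guarantee would save the next reader from assuming atomicity.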




* [PATCH 6.6 289/474] f2fs: fix fiemap boundary handling when read extent cache is incomplete
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yongpeng Yang, Chao Yu,
	Jaegeuk Kim

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yongpeng Yang <yangyongpeng@xiaomi.com>

commit 95e159ad3e52f7478cfd22e44ec37c9f334f8993 upstream.

f2fs_fiemap() calls f2fs_map_blocks() to obtain the block mapping of a
file, and then merges contiguous mappings into extents. If the mapping
is found in the read extent cache, node blocks do not need to be read.
However, in the following scenario, a contiguous extent can be split
into two extents:

$ dd if=/dev/zero of=data.128M bs=1M count=128
$ losetup -f data.128M
$ mkfs.f2fs /dev/loop0 -f
$ mount -o mode=lfs /dev/loop0 /mnt/f2fs/
$ cd /mnt/f2fs/
$ dd if=/dev/zero of=data.72M bs=1M count=72 && sync
$ dd if=/dev/zero of=data.4M bs=1M count=4 && sync
$ dd if=/dev/zero of=data.4M bs=1M count=2 seek=2 conv=notrunc && sync
$ echo 3 > /proc/sys/vm/drop_caches
$ dd if=/dev/zero of=data.4M bs=1M count=2 seek=0 conv=notrunc && sync
$ dd if=/dev/zero of=data.4M bs=1M count=2 seek=0 conv=notrunc && sync
$ f2fs_io fiemap 0 1024 data.4M
Fiemap: offset = 0 len = 1024
logical addr.    physical addr.   length           flags
0	0000000000000000 0000000006400000 0000000000200000 00001000
1	0000000000200000 0000000006600000 0000000000200000 00001001

Although the physical addresses of the ranges 0~2MB and 2M~4MB are
contiguous, the mapping for the 2M~4MB range is not present in memory.
When the physical addresses for the 0~2MB range are updated, no merge
happens because the adjacent mapping is missing from the in-memory
cache. As a result, fiemap reports two separate extents instead of a
single contiguous one.

The root cause is that the read extent cache does not guarantee that all
blocks of an extent are present in memory. Therefore, when the extent
length returned by f2fs_map_blocks_cached() is smaller than maxblocks,
the remaining mappings are retrieved via f2fs_get_dnode_of_data() to
ensure correct fiemap extent boundary handling.

Cc: stable@kernel.org
Fixes: cd8fc5226bef ("f2fs: remove the create argument to f2fs_map_blocks")
Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/f2fs/data.c |   25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -1543,8 +1543,26 @@ int f2fs_map_blocks(struct inode *inode,
 	if (!maxblocks)
 		return 0;
 
-	if (!map->m_may_create && f2fs_map_blocks_cached(inode, map, flag))
-		goto out;
+	if (!map->m_may_create && f2fs_map_blocks_cached(inode, map, flag)) {
+		struct extent_info ei;
+
+		/*
+		 * 1. If map->m_multidev_dio is true, map->m_pblk cannot be
+		 * waitted by f2fs_wait_on_block_writeback_range() and are not
+		 * mergeable.
+		 * 2. If pgofs hits the read extent cache, it means the mapping
+		 * is already cached in the extent cache, but it is not
+		 * mergeable, and there is no need to query the mapping again
+		 * via f2fs_get_dnode_of_data().
+		 */
+		pgofs =	(pgoff_t)map->m_lblk + map->m_len;
+		if (map->m_len == maxblocks ||
+			map->m_multidev_dio ||
+			f2fs_lookup_read_extent_cache(inode, pgofs, &ei))
+			goto out;
+		ofs = map->m_len;
+		goto map_more;
+	}
 
 	map->m_bdev = inode->i_sb->s_bdev;
 	map->m_multidev_dio =
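Review bot: the early `goto out` on map->m_multidev_dio relies on f2fs_map_blocks_cached() having set that field, but in the tree as of this patch it does not (that is what the next patch in this series, "fix incorrect multidevice info in trace_f2fs_map_blocks()", adds), so here the test reads whatever the caller left in the struct; the two patches should be applied together or in the other order. The `goto map_more` also skips the m_bdev and m_multidev_dio assignments on the two context lines below, which is only safe because the cached helper fills them in. Minor: "waitted" in the new comment should read "waited".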
@@ -1555,7 +1573,8 @@ int f2fs_map_blocks(struct inode *inode,
 
 	/* it only supports block size == page size */
 	pgofs =	(pgoff_t)map->m_lblk;
-	end = pgofs + maxblocks;
+map_more:
+	end = (pgoff_t)map->m_lblk + maxblocks;
 
 next_dnode:
 	if (map->m_may_create) {
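Review bot: computing `end` from map->m_lblk instead of pgofs is what makes the map_more entry correct, since the first hunk arrives here with pgofs already advanced past the cached run; one thing to verify in the loop that follows is that map->m_len is not reset to zero between map_more and the merge logic, otherwise the cached extent would be overwritten rather than extended.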




* [PATCH 6.6 290/474] f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks()
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yongpeng Yang, Chao Yu,
	Jaegeuk Kim

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yongpeng Yang <yangyongpeng@xiaomi.com>

commit eb2ca3ca983551a80e16a4a25df5a4ce59df8484 upstream.

When f2fs_map_blocks()->f2fs_map_blocks_cached() hits the read extent
cache, map->m_multidev_dio is not updated, which leads to incorrect
multidevice information being reported by trace_f2fs_map_blocks().

This patch updates map->m_multidev_dio in f2fs_map_blocks_cached() when
the read extent cache is hit.

Cc: stable@kernel.org
Fixes: 0094e98bd147 ("f2fs: factor a f2fs_map_blocks_cached helper")
Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/f2fs/data.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -1507,7 +1507,8 @@ static bool f2fs_map_blocks_cached(struc
 		f2fs_wait_on_block_writeback_range(inode,
 					map->m_pblk, map->m_len);
 
-	if (f2fs_allow_multi_device_dio(sbi, flag)) {
+	map->m_multidev_dio = f2fs_allow_multi_device_dio(sbi, flag);
+	if (map->m_multidev_dio) {
 		int bidx = f2fs_target_device_index(sbi, map->m_pblk);
 		struct f2fs_dev_info *dev = &sbi->devs[bidx];
 
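Review bot: the assignment itself is right; the point worth recording is that the cached path added to f2fs_map_blocks() by patch 289/474 tests `map->m_multidev_dio` as soon as this helper returns, so without this change that test would read whatever stale value the caller left in the map, which is why the two patches need to be backported as a pair (as they are here). The unchanged `int bidx = f2fs_target_device_index(sbi, map->m_pblk);` context relies on m_pblk being valid on the hit path, which the f2fs_wait_on_block_writeback_range(inode, map->m_pblk, ...) call above already assumes.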



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 291/474] f2fs: fix node_cnt race between extent node destroy and writeback
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (289 preceding siblings ...)
  2026-05-15 15:46 ` [PATCH 6.6 290/474] f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks() Greg Kroah-Hartman
@ 2026-05-15 15:46 ` Greg Kroah-Hartman
  2026-05-15 15:46 ` [PATCH 6.6 292/474] KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value Greg Kroah-Hartman
                   ` (183 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yongpeng Yang, Chao Yu, Jaegeuk Kim

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yongpeng Yang <yangyongpeng@xiaomi.com>

commit ed78aeebef05212ef7dca93bd931e4eff67c113f upstream.

f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing
extent nodes. When called from f2fs_drop_inode() with I_SYNC set,
concurrent kworker writeback can insert new extent nodes into the same
extent tree, racing with the destroy and triggering f2fs_bug_on() in
__destroy_extent_node(). The scenario is as follows:

drop inode                            writeback
 - iput
  - f2fs_drop_inode  // I_SYNC set
   - f2fs_destroy_extent_node
    - __destroy_extent_node
     - while (node_cnt) {
        write_lock(&et->lock)
        __free_extent_tree
        write_unlock(&et->lock)
                                       - __writeback_single_inode
                                        - f2fs_outplace_write_data
                                         - f2fs_update_read_extent_cache
                                          - __update_extent_tree_range
                                           // FI_NO_EXTENT not set,
                                           // insert new extent node
       } // node_cnt == 0, exit while
     - f2fs_bug_on(node_cnt)  // node_cnt > 0

Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for
EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.

This patch sets FI_NO_EXTENT under et->lock in __destroy_extent_node(),
consistent with other callers (__update_extent_tree_range and
__drop_extent_tree), and checks FI_NO_EXTENT for both EX_READ and
EX_BLOCK_AGE trees.

Fixes: 3fc5d5a182f6 ("f2fs: fix to shrink read extent node in batches")
Cc: stable@vger.kernel.org
Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/f2fs/extent_cache.c |   17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

--- a/fs/f2fs/extent_cache.c
+++ b/fs/f2fs/extent_cache.c
@@ -87,9 +87,10 @@ static bool __may_extent_tree(struct ino
 	if (!__init_may_extent_tree(inode, type))
 		return false;
 
+	if (is_inode_flag_set(inode, FI_NO_EXTENT))
+		return false;
+
 	if (type == EX_READ) {
-		if (is_inode_flag_set(inode, FI_NO_EXTENT))
-			return false;
 		if (is_inode_flag_set(inode, FI_COMPRESSED_FILE) &&
 				 !f2fs_sb_has_readonly(F2FS_I_SB(inode)))
 			return false;
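Review bot: moving the FI_NO_EXTENT test ahead of the `type == EX_READ` branch makes __may_extent_tree() refuse EX_BLOCK_AGE trees too, matching the commit message; this hunk shows no locking around the test, so treat it as a fast-path filter only, with the check taken under `write_lock(&et->lock)` in __update_extent_tree_range() (third hunk) being the one that actually closes the race.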
@@ -602,6 +603,8 @@ static unsigned int __destroy_extent_nod
 
 	while (atomic_read(&et->node_cnt)) {
 		write_lock(&et->lock);
+		if (!is_inode_flag_set(inode, FI_NO_EXTENT))
+			set_inode_flag(inode, FI_NO_EXTENT);
 		node_cnt += __free_extent_tree(sbi, et, nr_shrink);
 		write_unlock(&et->lock);
 	}
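Review bot: FI_NO_EXTENT is set inside the `while (atomic_read(&et->node_cnt))` loop, so if node_cnt already reads 0 at entry the flag is never set and a writeback that inserts a node after that read is not excluded; setting the flag under et->lock once before the loop would make the exclusion unconditional, and the `if (!is_inode_flag_set(inode, FI_NO_EXTENT))` guard could then go as well if set_inode_flag() tolerates an already-set flag.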
@@ -637,12 +640,12 @@ static void __update_extent_tree_range(s
 
 	write_lock(&et->lock);
 
-	if (type == EX_READ) {
-		if (is_inode_flag_set(inode, FI_NO_EXTENT)) {
-			write_unlock(&et->lock);
-			return;
-		}
+	if (is_inode_flag_set(inode, FI_NO_EXTENT)) {
+		write_unlock(&et->lock);
+		return;
+	}
 
+	if (type == EX_READ) {
 		prev = et->largest;
 		dei.len = 0;
 



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 292/474] KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (290 preceding siblings ...)
  2026-05-15 15:46 ` [PATCH 6.6 291/474] f2fs: fix node_cnt race between extent node destroy and writeback Greg Kroah-Hartman
@ 2026-05-15 15:46 ` Greg Kroah-Hartman
  2026-05-15 15:46 ` [PATCH 6.6 293/474] KVM: arm64: Fix initialisation order in __pkvm_init_finalise() Greg Kroah-Hartman
                   ` (182 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, David Woodhouse, Marc Zyngier

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Woodhouse <dwmw@amazon.co.uk>

commit a0e6ae45af17e8b27958830595799c702ffbab8d upstream.

The uaccess write handlers for GICD_IIDR in both GICv2 and GICv3
extract the revision field from 'reg' (the current IIDR value read back
from the emulated distributor) instead of 'val' (the value userspace is
trying to write). This means userspace can never actually change the
implementation revision — the extracted value is always the current one.

Fix the FIELD_GET to use 'val' so that userspace can select a different
revision for migration compatibility.

Fixes: 49a1a2c70a7f ("KVM: arm64: vgic-v3: Advertise GICR_CTLR.{IR, CES} as a new GICD_IIDR revision")
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Link: https://patch.msgid.link/20260407210949.2076251-2-dwmw2@infradead.org
Signed-off-by: Marc Zyngier <maz@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/kvm/vgic/vgic-mmio-v2.c |    2 +-
 arch/arm64/kvm/vgic/vgic-mmio-v3.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm64/kvm/vgic/vgic-mmio-v2.c
+++ b/arch/arm64/kvm/vgic/vgic-mmio-v2.c
@@ -91,7 +91,7 @@ static int vgic_mmio_uaccess_write_v2_mi
 		 * migration from old kernels to new kernels with legacy
 		 * userspace.
 		 */
-		reg = FIELD_GET(GICD_IIDR_REVISION_MASK, reg);
+		reg = FIELD_GET(GICD_IIDR_REVISION_MASK, val);
 		switch (reg) {
 		case KVM_VGIC_IMP_REV_2:
 		case KVM_VGIC_IMP_REV_3:
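Review bot: the v2 hunk's context does not show the `(reg ^ val) & ~GICD_IIDR_REVISION_MASK` rejection that the v3 hunk has at its top; now that the revision really comes from `val`, that check is what stops userspace from changing any other IIDR field, so please confirm it sits just above this hunk in vgic-mmio-v2.c as well. Also, the `default:` arm of the switch (below the visible context) is reachable with a userspace-chosen value for the first time, so it must return an error rather than fall through.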
--- a/arch/arm64/kvm/vgic/vgic-mmio-v3.c
+++ b/arch/arm64/kvm/vgic/vgic-mmio-v3.c
@@ -167,7 +167,7 @@ static int vgic_mmio_uaccess_write_v3_mi
 		if ((reg ^ val) & ~GICD_IIDR_REVISION_MASK)
 			return -EINVAL;
 
-		reg = FIELD_GET(GICD_IIDR_REVISION_MASK, reg);
+		reg = FIELD_GET(GICD_IIDR_REVISION_MASK, val);
 		switch (reg) {
 		case KVM_VGIC_IMP_REV_2:
 		case KVM_VGIC_IMP_REV_3:
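Review bot: reusing `reg` for the extracted revision right after it held the full register value reads oddly next to the `(reg ^ val)` check two lines up; a separate `u32 rev = FIELD_GET(GICD_IIDR_REVISION_MASK, val);` would make the intent clearer. Behaviourally this is the first time a userspace-supplied revision reaches the switch, so the unsupported-value path (the `default:` arm below the visible context) is now exercised by migration tooling and should be covered by a selftest.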



^ permalink raw reply	[flat|nested] 476+ messages in thread
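To make the wrong-variable bug concrete, here is an added stand-alone C model of the IIDR uaccess handler logic from the two hunks above; it is example code written for this page, not kernel code. The register layout (revision in bits [15:12]), the revision constants IMP_REV_2/IMP_REV_3, the rejection in the `default:` arm and the helpers field_get()/field_prep() are assumptions standing in for GICD_IIDR_REVISION_MASK, KVM_VGIC_IMP_REV_*, FIELD_GET() and whatever the real switch does on an unknown value.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout for this example: the revision lives in bits [15:12];
 * the other IIDR fields are one opaque constant here. Not kernel values. */
#define IIDR_REVISION_MASK 0x0000F000u
#define IIDR_OTHER_FIELDS  0xFF0F0043u	/* constructed */

/* Assumed revision numbers the emulated distributor accepts. */
#define IMP_REV_2 2u
#define IMP_REV_3 3u

/* Stand-ins for the kernel's FIELD_GET()/FIELD_PREP(): extract or place
 * a field given its contiguous, non-zero mask. */
static uint32_t field_get(uint32_t mask, uint32_t reg)
{
	return (reg & mask) >> __builtin_ctz(mask);
}

static uint32_t field_prep(uint32_t mask, uint32_t val)
{
	return (val << __builtin_ctz(mask)) & mask;
}

/* Emulated distributor state: only the implementation revision matters. */
struct vgic_dist {
	uint32_t implementation_rev;
};

/* What the guest (and userspace) reads back from GICD_IIDR. */
static uint32_t read_iidr(const struct vgic_dist *d)
{
	return IIDR_OTHER_FIELDS |
	       field_prep(IIDR_REVISION_MASK, d->implementation_rev);
}

/*
 * Userspace write to GICD_IIDR. 'fixed' selects the post-patch behaviour
 * (revision taken from 'val') versus the pre-patch one (revision taken
 * from 'reg', the value just read back). Returns 0 or -EINVAL.
 */
static int uaccess_write_iidr(struct vgic_dist *d, uint32_t val, bool fixed)
{
	uint32_t reg = read_iidr(d);

	/* Only the revision field may differ from the current value. */
	if ((reg ^ val) & ~IIDR_REVISION_MASK)
		return -EINVAL;

	reg = field_get(IIDR_REVISION_MASK, fixed ? val : reg);
	switch (reg) {
	case IMP_REV_2:
	case IMP_REV_3:
		d->implementation_rev = reg;
		return 0;
	default:
		return -EINVAL;	/* assumed: unknown revisions are rejected */
	}
}

struct write_result {
	int ret;	/* handler return value */
	uint32_t rev;	/* revision in effect afterwards */
};

/* Start a distributor at revision 3 and ask for revision 'want'. */
static struct write_result try_set_revision(uint32_t want, bool fixed)
{
	struct vgic_dist d = { .implementation_rev = IMP_REV_3 };
	uint32_t val = IIDR_OTHER_FIELDS | field_prep(IIDR_REVISION_MASK, want);
	struct write_result res;

	res.ret = uaccess_write_iidr(&d, val, fixed);
	res.rev = d.implementation_rev;
	return res;
}

int main(void)
{
	const uint32_t wants[] = { IMP_REV_2, 7 };
	size_t i;

	for (i = 0; i < sizeof(wants) / sizeof(wants[0]); i++) {
		struct write_result before = try_set_revision(wants[i], false);
		struct write_result after = try_set_revision(wants[i], true);

		printf("write rev %u: pre-fix ret %d rev %u, post-fix ret %d rev %u\n",
		       wants[i], before.ret, before.rev, after.ret, after.rev);
	}
	return 0;
}
```

Running it shows the pre-fix handler accepting a write of revision 2 while leaving the revision at 3, and also accepting an unsupported revision 7, because it only ever re-examined the value it had just read back; the fixed handler applies 2 and rejects 7 with -EINVAL.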

* [PATCH 6.6 293/474] KVM: arm64: Fix initialisation order in __pkvm_init_finalise()
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (291 preceding siblings ...)
  2026-05-15 15:46 ` [PATCH 6.6 292/474] KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value Greg Kroah-Hartman
@ 2026-05-15 15:46 ` Greg Kroah-Hartman
  2026-05-15 15:46 ` [PATCH 6.6 294/474] LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang() Greg Kroah-Hartman
                   ` (181 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Quentin Perret, Fuad Tabba,
	Marc Zyngier

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Quentin Perret <qperret@google.com>

commit 5bb0aed57ba944f8c201e4e82ec066e0187e0f85 upstream.

fix_host_ownership() walks the hypervisor's stage-1 page-table to
adjust the host's stage-2 accordingly. Any such adjustment that
requires cache maintenance operations depends on the per-CPU hyp
fixmap being present. However, fix_host_ownership() is currently
called before fix_hyp_pgtable_refcnt() and hyp_create_fixmap(), so
the fixmap does not yet exist when it runs.

This is benign today because the host stage-2 starts empty and no
CMOs are needed, but it becomes a latent crash as soon as
fix_host_ownership() is extended to operate on a non-empty
page-table.

Reorder the calls so that fix_hyp_pgtable_refcnt() and
hyp_create_fixmap() complete before fix_host_ownership() is invoked.

Fixes: 0d16d12eb26e ("KVM: arm64: Fix-up hyp stage-1 refcounts for all pages mapped at EL2")
Signed-off-by: Quentin Perret <qperret@google.com>
Signed-off-by: Fuad Tabba <tabba@google.com>
Link: https://patch.msgid.link/20260424084908.370776-7-tabba@google.com
Signed-off-by: Marc Zyngier <maz@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/kvm/hyp/nvhe/setup.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/arch/arm64/kvm/hyp/nvhe/setup.c
+++ b/arch/arm64/kvm/hyp/nvhe/setup.c
@@ -284,15 +284,15 @@ void __noreturn __pkvm_init_finalise(voi
 	};
 	pkvm_pgtable.mm_ops = &pkvm_pgtable_mm_ops;
 
-	ret = fix_host_ownership();
+	ret = fix_hyp_pgtable_refcnt();
 	if (ret)
 		goto out;
 
-	ret = fix_hyp_pgtable_refcnt();
+	ret = hyp_create_pcpu_fixmap();
 	if (ret)
 		goto out;
 
-	ret = hyp_create_pcpu_fixmap();
+	ret = fix_host_ownership();
 	if (ret)
 		goto out;
 
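Review bot: the new order matches the dependency stated in the commit message (refcount fix-up, then fixmap, then host ownership), but the message names the fixmap helper `hyp_create_fixmap()` while the code calls `hyp_create_pcpu_fixmap()`; worth aligning the text. Every failure still jumps to the shared `out` label, so nothing set up by the earlier steps is torn down when a later one fails; if that was already true before the reorder it is not a regression, but a comment saying so would help.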



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 294/474] LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (292 preceding siblings ...)
  2026-05-15 15:46 ` [PATCH 6.6 293/474] KVM: arm64: Fix initialisation order in __pkvm_init_finalise() Greg Kroah-Hartman
@ 2026-05-15 15:46 ` Greg Kroah-Hartman
  2026-05-15 15:46 ` [PATCH 6.6 295/474] LoongArch: Use per-root-bridge PCIH flag to skip mem resource fixup Greg Kroah-Hartman
                   ` (180 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Wentao Guan, Huacai Chen

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wentao Guan <guanwentao@uniontech.com>

commit 8dfa2f8780e486d05b9a0ffce70b8f5fbd62053e upstream.

The switch case in loongson_gpu_fixup_dma_hang() may match neither DC2 nor
DC3, and readl(crtc_reg) will then access a random address, because the
"device" comes from "base+PCI_DEVICE_ID" and "base" comes from
"pdev->devfn+1". This goes wrong on my platform when a discrete GPU is
inserted:

lspci -tv
-[0000:00]-+-00.0  Loongson Technology LLC Hyper Transport Bridge Controller
...
           +-06.0  Loongson Technology LLC LG100 GPU
           +-06.2  Loongson Technology LLC Device 7a37
...

Add a default switch case to fix the panic as below:

 Kernel ade access[#1]:
 CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.136-loong64-desktop-hwe+ #4
 pc 90000000017e5534 ra 90000000017e54c0 tp 90000001002f8000 sp 90000001002fb6c0
 a0 80000efe00003100 a1 0000000000003100 a2 0000000000000000 a3 0000000000000002
 a4 90000001002fb6b4 a5 900000087cdb58fd a6 90000000027af000 a7 0000000000000001
 t0 00000000000085b9 t1 000000000000ffff t2 0000000000000000 t3 0000000000000000
 t4 fffffffffffffffd t5 00000000fffb6d9c t6 0000000000083b00 t7 00000000000070c0
 t8 900000087cdb4d94 u0 900000087cdb58fd s9 90000001002fb826 s0 90000000031c12c8
 s1 7fffffffffffff00 s2 90000000031c12d0 s3 0000000000002710 s4 0000000000000000
 s5 0000000000000000 s6 9000000100053000 s7 7fffffffffffff00 s8 90000000030d4000
    ra: 90000000017e54c0 loongson_gpu_fixup_dma_hang+0x40/0x210
   ERA: 90000000017e5534 loongson_gpu_fixup_dma_hang+0xb4/0x210
  CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)
  PRMD: 00000004 (PPLV0 +PIE -PWE)
  EUEN: 00000000 (-FPE -SXE -ASXE -BTE)
  ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)
 ESTAT: 00480000 [ADEM] (IS= ECode=8 EsubCode=1)
  BADV: 7fffffffffffff00
  PRID: 0014d000 (Loongson-64bit, Loongson-3A6000-HV)
 Modules linked in:
 Process swapper/0 (pid: 1, threadinfo=(____ptrval____), task=(____ptrval____))
 Stack : 0000000000000006 90000001002fb778 90000001002fb704 0000000000000007
         0000000016a65700 90000000017e5690 000000000000ffff ffffffffffffffff
         900000000209f7c0 9000000100053000 900000000209f7a8 9000000000eebc08
         0000000000000000 0000000000000000 0000000000000006 90000001002fb778
         90000001000530b8 90000000027af000 0000000000000000 9000000100054000
         9000000100053000 9000000000ebb70c 9000000100004c00 9000000004000001
         90000001002fb7e4 bae765461f31cb12 0000000000000000 0000000000000000
         0000000000000006 90000000027af000 0000000000000030 90000000027af000
         900000087cd6f800 9000000100053000 0000000000000000 9000000000ebc560
         7a2500147cdaf720 bae765461f31cb12 0000000000000001 0000000000000030
         ...
 Call Trace:
 [<90000000017e5534>] loongson_gpu_fixup_dma_hang+0xb4/0x210
 [<9000000000eebc08>] pci_fixup_device+0x108/0x280
 [<9000000000ebb70c>] pci_setup_device+0x24c/0x690
 [<9000000000ebc560>] pci_scan_single_device+0xe0/0x140
 [<9000000000ebc684>] pci_scan_slot+0xc4/0x280
 [<9000000000ebdd00>] pci_scan_child_bus_extend+0x60/0x3f0
 [<9000000000f5bc94>] acpi_pci_root_create+0x2b4/0x420
 [<90000000017e5e74>] pci_acpi_scan_root+0x2d4/0x440
 [<9000000000f5b02c>] acpi_pci_root_add+0x21c/0x3a0
 [<9000000000f4ee54>] acpi_bus_attach+0x1a4/0x3c0
 [<90000000010e200c>] device_for_each_child+0x6c/0xe0
 [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70
 [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0
 [<90000000010e200c>] device_for_each_child+0x6c/0xe0
 [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70
 [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0
 [<9000000000f5211c>] acpi_bus_scan+0x6c/0x280
 [<900000000189c028>] acpi_scan_init+0x194/0x310
 [<900000000189bc6c>] acpi_init+0xcc/0x140
 [<9000000000220cdc>] do_one_initcall+0x4c/0x310
 [<90000000018618fc>] kernel_init_freeable+0x258/0x2d4
 [<900000000184326c>] kernel_init+0x28/0x13c
 [<9000000000222008>] ret_from_kernel_thread+0xc/0xa4

Cc: stable@vger.kernel.org
Fixes: 95db0c9f526d ("LoongArch: Workaround LS2K/LS7A GPU DMA hang bug")
Link: https://gist.github.com/opsiff/ebf2dac51b4013d22462f2124c55f807
Link: https://gist.github.com/opsiff/a62f2a73db0492b3c49bf223a339b133
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/loongarch/pci/pci.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/arch/loongarch/pci/pci.c
+++ b/arch/loongarch/pci/pci.c
@@ -133,6 +133,9 @@ static void loongson_gpu_fixup_dma_hang(
 		crtc_reg = regbase;
 		crtc_offset = 0x400;
 		break;
+	default:
+		iounmap(regbase);
+		return;
 	}
 
 	for (i = 0; i < CRTC_NUM_MAX; i++, crtc_reg += crtc_offset) {
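Review bot: the `default:` arm should log the unexpected device id (a dev_warn()/pr_warn() with the value) before `iounmap(regbase); return;`, since the commit message shows a real platform (the LG100 case) reaching it and a silent return makes that hard to diagnose; the early unmap itself is correct provided the normal path also unmaps regbase after the loop, which is outside the visible context.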



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 295/474] LoongArch: Use per-root-bridge PCIH flag to skip mem resource fixup
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (293 preceding siblings ...)
  2026-05-15 15:46 ` [PATCH 6.6 294/474] LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang() Greg Kroah-Hartman
@ 2026-05-15 15:46 ` Greg Kroah-Hartman
  2026-05-15 15:46 ` [PATCH 6.6 296/474] exit: Sleep at TASK_IDLE when waiting for application core dump Greg Kroah-Hartman
                   ` (179 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Chao Li, Dongyan Qian, Huacai Chen

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Huacai Chen <chenhuacai@loongson.cn>

commit 49f33840dcc907d21313d369e34872880846b61c upstream.

When firmware enables 64-bit PCI host bridge support, some root bridges
already provide valid 64-bit mem resource windows through ACPI.

In this case, the LoongArch-specific mem resource high-bits fixup in
acpi_prepare_root_resources() should not be applied unconditionally.
Otherwise, the kernel may override the native resource layout derived
from firmware, and later BAR assignment can fail to place device BARs
into the intended 64-bit address space correctly.

Add a per-root-bridge ACPI flag, PCIH, and evaluate it from the current
root bridge device scope. When PCIH is set, skip the mem resource high-
bits fixup path and let the kernel use the firmware-provided resource
description directly. When PCIH is absent or cleared, keep the existing
behavior and continue filling the high address bits from the host bridge
address.

This makes the behavior per-root-bridge configurable and avoids breaking
valid 64-bit BAR space allocation on bridges whose 64-bit windows have
already been fully described by firmware.

Cc: stable@vger.kernel.org
Suggested-by: Chao Li <lichao@loongson.cn>
Tested-by: Dongyan Qian <qiandongyan@loongson.cn>
Signed-off-by: Dongyan Qian <qiandongyan@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/loongarch/pci/acpi.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/arch/loongarch/pci/acpi.c
+++ b/arch/loongarch/pci/acpi.c
@@ -61,11 +61,16 @@ static void acpi_release_root_info(struc
 static int acpi_prepare_root_resources(struct acpi_pci_root_info *ci)
 {
 	int status;
+	unsigned long long pci_h = 0;
 	struct resource_entry *entry, *tmp;
 	struct acpi_device *device = ci->bridge;
 
 	status = acpi_pci_probe_root_resources(ci);
 	if (status > 0) {
+		acpi_evaluate_integer(device->handle, "PCIH", NULL, &pci_h);
+		if (pci_h)
+			return status;
+
 		resource_list_for_each_entry_safe(entry, tmp, &ci->resources) {
 			if (entry->res->flags & IORESOURCE_MEM) {
 				entry->offset = ci->root->mcfg_addr & GENMASK_ULL(63, 40);
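Review bot: the return status of `acpi_evaluate_integer(device->handle, "PCIH", NULL, &pci_h)` is ignored, which is only safe because `pci_h` is initialised to 0 so an absent or failing method keeps the old fixup behaviour; a short comment saying that "no PCIH" deliberately means "apply the high-bits fixup" would make that explicit, and since PCIH is a vendor-specific method rather than a standard ACPI object, a pointer to where the firmware defines it would help.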



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 296/474] exit: Sleep at TASK_IDLE when waiting for application core dump
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (294 preceding siblings ...)
  2026-05-15 15:46 ` [PATCH 6.6 295/474] LoongArch: Use per-root-bridge PCIH flag to skip mem resource fixup Greg Kroah-Hartman
@ 2026-05-15 15:46 ` Greg Kroah-Hartman
  2026-05-15 15:46 ` [PATCH 6.6 297/474] HID: playstation: Clamp num_touch_reports Greg Kroah-Hartman
                   ` (178 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Anhad Jai Singh, Paul E. McKenney,
	Oleg Nesterov, Jens Axboe, Christian Brauner, Andrew Morton,
	Matthew Wilcox (Oracle), Chris Mason, Rik van Riel, Paul Menzel

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paul E. McKenney <paulmck@kernel.org>

commit b8e753128ed074fcb48e9ceded940752f6b1c19f upstream.

Currently, the coredump_task_exit() function sets the task state
to TASK_UNINTERRUPTIBLE|TASK_FREEZABLE, which usually works well.
But a combination of large memory and slow (and/or highly contended)
mass storage can cause application core dumps to take more than
two minutes, which can cause check_hung_task(), which is invoked by
check_hung_uninterruptible_tasks(), to produce task-blocked splats.
There does not seem to be any reasonable benefit to getting these splats.

Furthermore, as Oleg Nesterov points out, TASK_UNINTERRUPTIBLE could
be misleading because the task sleeping in coredump_task_exit() really
is killable, albeit indirectly.  See the check of signal->core_state
in prepare_signal() and the check of fatal_signal_pending()
in dump_interrupted(), which bypass the normal unkillability of
TASK_UNINTERRUPTIBLE, resulting in coredump_finish() invoking
wake_up_process() on any threads sleeping in coredump_task_exit().

Therefore, change that TASK_UNINTERRUPTIBLE to TASK_IDLE.

Reported-by: Anhad Jai Singh <ffledgling@meta.com>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: "Matthew Wilcox (Oracle)" <willy@infradead.org>
Cc: Chris Mason <clm@fb.com>
Cc: Rik van Riel <riel@surriel.com>
Cc: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/exit.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -430,7 +430,7 @@ static void coredump_task_exit(struct ta
 			complete(&core_state->startup);
 
 		for (;;) {
-			set_current_state(TASK_UNINTERRUPTIBLE|TASK_FREEZABLE);
+			set_current_state(TASK_IDLE|TASK_FREEZABLE);
 			if (!self.task) /* see coredump_finish() */
 				break;
 			schedule();
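Review bot: TASK_IDLE is the right pick over TASK_KILLABLE given the commit message: the sleeper is woken only indirectly by coredump_finish(), so it should drop out of hung-task reporting and load accounting without becoming directly signal-wakeable; a one-line comment beside set_current_state() pointing at the indirect-kill path (signal->core_state in prepare_signal() and fatal_signal_pending() in dump_interrupted()) would stop the next reader from "fixing" it back.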



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 297/474] HID: playstation: Clamp num_touch_reports
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (295 preceding siblings ...)
  2026-05-15 15:46 ` [PATCH 6.6 296/474] exit: Sleep at TASK_IDLE when waiting for application core dump Greg Kroah-Hartman
@ 2026-05-15 15:46 ` Greg Kroah-Hartman
  2026-05-15 15:46 ` [PATCH 6.6 298/474] media: uvcvideo: Enable VB2_DMABUF for metadata stream Greg Kroah-Hartman
                   ` (177 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Xingyu Jin, T.J. Mercier,
	Jiri Kosina

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: T.J. Mercier <tjmercier@google.com>

commit cac61b58a3b6340c52afa06bb15eac033158db2f upstream.

A device would never lie about the number of touch reports, would it?

If it does the loop in dualshock4_parse_report will read off the end of
the touch_reports array, up to about 2 KiB for the maximum number of 256
loop iterations. The data that is read is emitted via evdev if the
DS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by
clamping the num_touch_reports value provided by the device to the
maximum size of the touch_reports array.

Fixes: 752038248808 ("HID: playstation: add DualShock4 touchpad support.")
Cc: stable@vger.kernel.org
Reported-by: Xingyu Jin <xingyuj@google.com>
Signed-off-by: T.J. Mercier <tjmercier@google.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hid/hid-playstation.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/hid/hid-playstation.c
+++ b/drivers/hid/hid-playstation.c
@@ -2200,7 +2200,8 @@ static int dualshock4_parse_report(struc
 		struct dualshock4_input_report_usb *usb = (struct dualshock4_input_report_usb *)data;
 
 		ds4_report = &usb->common;
-		num_touch_reports = usb->num_touch_reports;
+		num_touch_reports = min_t(u8, usb->num_touch_reports,
+					  ARRAY_SIZE(usb->touch_reports));
 		touch_reports = usb->touch_reports;
 	} else if (hdev->bus == BUS_BLUETOOTH && report->id == DS4_INPUT_REPORT_BT &&
 			size == DS4_INPUT_REPORT_BT_SIZE) {
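Review bot: the clamp is the right fix, but it silently truncates a report whose count exceeds the array; the `size == ...` test on the enclosing branch (visible for the BT path two lines below) already guarantees the buffer length, so a count above ARRAY_SIZE() can only come from a buggy or hostile device and a rate-limited hid_warn() when `usb->num_touch_reports > ARRAY_SIZE(usb->touch_reports)` would be worth having. `min_t(u8, ...)` truncates ARRAY_SIZE() to u8 before comparing, fine for a small array but worth a glance if it ever grows.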
@@ -2214,7 +2215,8 @@ static int dualshock4_parse_report(struc
 		}
 
 		ds4_report = &bt->common;
-		num_touch_reports = bt->num_touch_reports;
+		num_touch_reports = min_t(u8, bt->num_touch_reports,
+					  ARRAY_SIZE(bt->touch_reports));
 		touch_reports = bt->touch_reports;
 	} else {
 		hid_err(hdev, "Unhandled reportID=%d\n", report->id);
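Review bot: same clamp as the USB branch; with the two paths now identical apart from the struct, a small helper (or a macro taking the report pointer) would keep them from drifting and would be the natural home for a single warning on out-of-range counts.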



^ permalink raw reply	[flat|nested] 476+ messages in thread
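As an added example (not code from hid-playstation.c), the following stand-alone C program models the loop the commit message describes: a device-controlled count used to index a fixed-size touch_reports[] array, with the post-fix clamp applied. The 9-byte touch report layout, the array size of 3, the "inactive" bit and the trailer bytes are constructed for this example; only the clamp mirrors the patch's min_t().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed report layout: a device-controlled count byte, a fixed-size
 * array of touch reports, then more report bytes. The array size (3),
 * the 9-byte touch report and the inactive bit (bit 7 of the contact
 * byte) are assumptions for this example, not taken from the driver. */
#define TOUCH_REPORTS_MAX    3
#define TOUCH_POINTS         2
#define TOUCH_POINT_INACTIVE 0x80u

struct touch_point {
	uint8_t contact;	/* bit 7 set: no finger; low bits: contact id */
	uint8_t pos[3];		/* packed x/y, not interpreted here */
};

struct touch_report {
	uint8_t timestamp;
	struct touch_point points[TOUCH_POINTS];
};

struct input_report {
	uint8_t num_touch_reports;	/* trusted as-is by the pre-fix loop */
	struct touch_report touch_reports[TOUCH_REPORTS_MAX];
	uint8_t trailer[16];		/* whatever follows in the real report */
};

/* Bytes past the end of touch_reports[] the pre-fix loop would read for
 * a given device-supplied count (0 when the count is in range). */
static size_t overread_bytes(uint8_t num_touch_reports)
{
	if (num_touch_reports <= TOUCH_REPORTS_MAX)
		return 0;
	return (size_t)(num_touch_reports - TOUCH_REPORTS_MAX) *
	       sizeof(struct touch_report);
}

/* Post-fix parser: clamp the count to the array before looping, which is
 * what the patch's min_t() does. Returns the number of touch reports
 * consumed; *active receives the contacts that would become touch events. */
static size_t parse_touch_reports(const struct input_report *r, int *active)
{
	size_t n = r->num_touch_reports;
	size_t i, j;
	int count = 0;

	if (n > TOUCH_REPORTS_MAX)	/* the clamp added by the patch */
		n = TOUCH_REPORTS_MAX;

	for (i = 0; i < n; i++)
		for (j = 0; j < TOUCH_POINTS; j++)
			if (!(r->touch_reports[i].points[j].contact &
			      TOUCH_POINT_INACTIVE))
				count++;

	*active = count;
	return n;
}

/* Constructed sample: report 0 has two active contacts, report 1 one,
 * report 2 none. The zeroed trailer has bit 7 clear everywhere, so a loop
 * running past the array would forward it as further "active" contacts. */
static struct input_report make_report(uint8_t num_touch_reports)
{
	struct input_report r;

	memset(&r, 0, sizeof(r));
	r.num_touch_reports = num_touch_reports;
	r.touch_reports[0].points[0].contact = 0x00;
	r.touch_reports[0].points[1].contact = 0x01;
	r.touch_reports[1].points[0].contact = 0x02;
	r.touch_reports[1].points[1].contact = TOUCH_POINT_INACTIVE;
	r.touch_reports[2].points[0].contact = TOUCH_POINT_INACTIVE;
	r.touch_reports[2].points[1].contact = TOUCH_POINT_INACTIVE;
	return r;
}

/* Wrappers exposing the two parse results for a sample with count 'num'. */
static size_t reports_consumed(uint8_t num)
{
	struct input_report r = make_report(num);
	int active;

	return parse_touch_reports(&r, &active);
}

static int active_contacts(uint8_t num)
{
	struct input_report r = make_report(num);
	int active;

	parse_touch_reports(&r, &active);
	return active;
}

int main(void)
{
	const uint8_t counts[] = { 2, 3, 255 };
	size_t k;

	for (k = 0; k < sizeof(counts); k++)
		printf("count %3u: consumed %zu, %d active, pre-fix over-read %zu bytes\n",
		       counts[k], reports_consumed(counts[k]),
		       active_contacts(counts[k]), overread_bytes(counts[k]));
	return 0;
}
```

With this layout a count of 255 would have carried the pre-fix loop 252 reports, or 2268 bytes, past the array, which is the "about 2 KiB" figure in the commit message; the clamped parser consumes exactly three reports and reports three active contacts regardless of what the count byte says.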

* [PATCH 6.6 298/474] media: uvcvideo: Enable VB2_DMABUF for metadata stream
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (296 preceding siblings ...)
  2026-05-15 15:46 ` [PATCH 6.6 297/474] HID: playstation: Clamp num_touch_reports Greg Kroah-Hartman
@ 2026-05-15 15:46 ` Greg Kroah-Hartman
  2026-05-15 15:46 ` [PATCH 6.6 299/474] media: i2c: ov8856: free control handler on error in ov8856_init_controls() Greg Kroah-Hartman
                   ` (176 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ricardo Ribalda, Laurent Pinchart,
	Hans de Goede, Hans Verkuil

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ricardo Ribalda <ribalda@chromium.org>

commit fbac03467e53d8d72e5099c03df26d9adae11416 upstream.

The UVC driver has two video streams, one for the frames and another one
for the metadata. Both streams share most of the codebase, but only the
data stream declares support for DMABUF transfer mode.

I have tried the DMABUF transfer mode with CONFIG_DMABUF_HEAPS_SYSTEM
and the frames looked correct.

This patch announces the support for DMABUF for the metadata stream.
This is useful for apps/HALs that only want to support DMABUF.

Cc: stable@vger.kernel.org
Fixes: 088ead2552458 ("media: uvcvideo: Add a metadata device node")
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Reviewed-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
Link: https://patch.msgid.link/20260309-uvc-metadata-dmabuf-v1-1-fc8b87bd29c5@chromium.org
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/usb/uvc/uvc_queue.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/media/usb/uvc/uvc_queue.c
+++ b/drivers/media/usb/uvc/uvc_queue.c
@@ -218,7 +218,7 @@ int uvc_queue_init(struct uvc_video_queu
 	int ret;
 
 	queue->queue.type = type;
-	queue->queue.io_modes = VB2_MMAP | VB2_USERPTR;
+	queue->queue.io_modes = VB2_MMAP | VB2_USERPTR | VB2_DMABUF;
 	queue->queue.drv_priv = queue;
 	queue->queue.buf_struct_size = sizeof(struct uvc_buffer);
 	queue->queue.mem_ops = &vb2_vmalloc_memops;
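Review bot: the metadata queue keeps `vb2_vmalloc_memops` (last context line), so VB2_DMABUF here means DMABUF import through the vmalloc allocator, which as far as I know needs the exporter to provide a CPU mapping of the buffer; imports from exporters that cannot would then fail at buffer preparation rather than at REQBUFS. Given the commit message says this was tested only with the system heap, a sentence noting that constraint (or confirming it does not apply) would help.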
@@ -231,7 +231,6 @@ int uvc_queue_init(struct uvc_video_queu
 		queue->queue.ops = &uvc_meta_queue_qops;
 		break;
 	default:
-		queue->queue.io_modes |= VB2_DMABUF;
 		queue->queue.ops = &uvc_queue_qops;
 		break;
 	}



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 299/474] media: i2c: ov8856: free control handler on error in ov8856_init_controls()
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (297 preceding siblings ...)
  2026-05-15 15:46 ` [PATCH 6.6 298/474] media: uvcvideo: Enable VB2_DMABUF for metadata stream Greg Kroah-Hartman
@ 2026-05-15 15:46 ` Greg Kroah-Hartman
  2026-05-15 15:46 ` [PATCH 6.6 300/474] spi: bcm63xx: fix controller deregistration Greg Kroah-Hartman
                   ` (175 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alexander Koskovich, Sakari Ailus,
	Hans Verkuil

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Koskovich <akoskovich@pm.me>

commit f75e160745663ce9b13362ae6e90bd439c58df69 upstream.

The control handler wasn't freed if adding controls failed; add an error
exit label and convert the existing error return to use it.

Fixes: 879347f0c258 ("media: ov8856: Add support for OV8856 sensor")
Cc: stable@vger.kernel.org
Signed-off-by: Alexander Koskovich <akoskovich@pm.me>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/i2c/ov8856.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/media/i2c/ov8856.c
+++ b/drivers/media/i2c/ov8856.c
@@ -1954,12 +1954,18 @@ static int ov8856_init_controls(struct o
 			  V4L2_CID_HFLIP, 0, 1, 1, 0);
 	v4l2_ctrl_new_std(ctrl_hdlr, &ov8856_ctrl_ops,
 			  V4L2_CID_VFLIP, 0, 1, 1, 0);
-	if (ctrl_hdlr->error)
-		return ctrl_hdlr->error;
+	if (ctrl_hdlr->error) {
+		ret = ctrl_hdlr->error;
+		goto err_ctrl_handler_free;
+	}
 
 	ov8856->sd.ctrl_handler = ctrl_hdlr;
 
 	return 0;
+
+err_ctrl_handler_free:
+	v4l2_ctrl_handler_free(ctrl_hdlr);
+	return ret;
 }
 
 static void ov8856_update_pad_format(struct ov8856 *ov8856,
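Review bot: `ret` is assigned in the new error block but not declared in this hunk, and the diffstat's 8 insertions are all visible here, so `ret` must already exist earlier in ov8856_init_controls(); please confirm. Likewise the v4l2_ctrl_new_*() calls above the visible context must accumulate into `ctrl_hdlr->error` without early returns of their own, otherwise those paths would still leak the handler (the commit message converts "the existing error return", singular, which suggests this is the only one).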



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 300/474] spi: bcm63xx: fix controller deregistration
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (298 preceding siblings ...)
  2026-05-15 15:46 ` [PATCH 6.6 299/474] media: i2c: ov8856: free control handler on error in ov8856_init_controls() Greg Kroah-Hartman
@ 2026-05-15 15:46 ` Greg Kroah-Hartman
  2026-05-15 15:46 ` [PATCH 6.6 301/474] spi: atmel: " Greg Kroah-Hartman
                   ` (174 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Florian Fainelli, Johan Hovold,
	Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit c39e65a4e3b8e764efed0b2f5152a1a8547b80fd upstream.

Make sure to deregister the controller before disabling underlying
resources like clocks during driver unbind.

Fixes: b42dfed83d95 ("spi: add Broadcom BCM63xx SPI controller driver")
Cc: stable@vger.kernel.org	# 3.4
Cc: Florian Fainelli <florian@openwrt.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260409120419.388546-6-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-bcm63xx.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-bcm63xx.c
+++ b/drivers/spi/spi-bcm63xx.c
@@ -603,7 +603,7 @@ static int bcm63xx_spi_probe(struct plat
 		goto out_clk_disable;
 
 	/* register and we are done */
-	ret = devm_spi_register_controller(dev, host);
+	ret = spi_register_controller(host);
 	if (ret) {
 		dev_err(dev, "spi register failed\n");
 		goto out_clk_disable;
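Review bot: with devm_spi_register_controller() replaced by spi_register_controller(), registration is no longer undone automatically, so any probe step that can fail after this point now needs an explicit spi_unregister_controller() on its error path. The failure branch shown here (`goto out_clk_disable`) is correct because nothing was registered when it runs, but the steps following this hunk are not visible and should be checked for a newly required unregister label.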
@@ -626,11 +626,17 @@ static void bcm63xx_spi_remove(struct pl
 	struct spi_controller *host = platform_get_drvdata(pdev);
 	struct bcm63xx_spi *bs = spi_controller_get_devdata(host);
 
+	spi_controller_get(host);
+
+	spi_unregister_controller(host);
+
 	/* reset spi block */
 	bcm_spi_writeb(bs, 0, SPI_INT_MASK);
 
 	/* HW shutdown */
 	clk_disable_unprepare(bs->clk);
+
+	spi_controller_put(host);
 }
 
 static int bcm63xx_spi_suspend(struct device *dev)
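Review bot: the spi_controller_get()/spi_controller_put() pair deserves a comment explaining why it is there. spi_unregister_controller() may drop the last reference to the controller (it does so unless the controller was devm-allocated), and `bs` is the devdata embedded in that allocation, so the extra reference is what makes the later `bcm_spi_writeb(bs, 0, SPI_INT_MASK)` and `clk_disable_unprepare(bs->clk)` safe. Without a comment, a future cleanup is likely to drop the apparently redundant get/put and reintroduce a use-after-free; something like `/* keep devdata alive until the hardware is shut down */` above the get would do.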




* [PATCH 6.6 301/474] spi: atmel: fix controller deregistration
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (299 preceding siblings ...)
  2026-05-15 15:46 ` [PATCH 6.6 300/474] spi: bcm63xx: fix controller deregistration Greg Kroah-Hartman
@ 2026-05-15 15:46 ` Greg Kroah-Hartman
  2026-05-15 15:46 ` [PATCH 6.6 302/474] staging: media: atomisp: Disallow all private IOCTLs Greg Kroah-Hartman
                   ` (173 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 8d4de97e83520be89d0ff40610ca633b3963a7de upstream.

Make sure to deregister the controller before disabling underlying
resources like clocks during driver unbind.

Fixes: 754ce4f29937 ("[PATCH] SPI: atmel_spi driver")
Cc: stable@vger.kernel.org	# 2.6.21
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260409120419.388546-5-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-atmel.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-atmel.c
+++ b/drivers/spi/spi-atmel.c
@@ -1647,7 +1647,7 @@ static int atmel_spi_probe(struct platfo
 	pm_runtime_set_active(&pdev->dev);
 	pm_runtime_enable(&pdev->dev);
 
-	ret = devm_spi_register_controller(&pdev->dev, host);
+	ret = spi_register_controller(host);
 	if (ret)
 		goto out_free_dma;
 
@@ -1679,8 +1679,12 @@ static void atmel_spi_remove(struct plat
 	struct spi_controller	*host = platform_get_drvdata(pdev);
 	struct atmel_spi	*as = spi_controller_get_devdata(host);
 
+	spi_controller_get(host);
+
 	pm_runtime_get_sync(&pdev->dev);
 
+	spi_unregister_controller(host);
+
 	/* reset the hardware and block queue progress */
 	if (as->use_dma) {
 		atmel_spi_stop_dma(host);
@@ -1705,6 +1709,8 @@ static void atmel_spi_remove(struct plat
 
 	pm_runtime_put_noidle(&pdev->dev);
 	pm_runtime_disable(&pdev->dev);
+
+	spi_controller_put(host);
 }
 
 static int atmel_spi_runtime_suspend(struct device *dev)




* [PATCH 6.6 302/474] staging: media: atomisp: Disallow all private IOCTLs
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (300 preceding siblings ...)
  2026-05-15 15:46 ` [PATCH 6.6 301/474] spi: atmel: " Greg Kroah-Hartman
@ 2026-05-15 15:46 ` Greg Kroah-Hartman
  2026-05-15 15:46 ` [PATCH 6.6 303/474] regulator: mt6357: fix OF node reference imbalance Greg Kroah-Hartman
                   ` (172 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Soufiane Dani, Sakari Ailus,
	Mauro Carvalho Chehab

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sakari Ailus <sakari.ailus@linux.intel.com>

commit 2b7eb2c5dc72f0fc954ac4aa155f9e285e937f7c upstream.

Disallow all private IOCTLs. These aren't quite as safe as one could
assume of IOCTL handlers; disable them for now. Instead of removing the
code, return in the beginning of the function if cmd is non-zero in order
to keep static checkers happy.

Reported-by: Soufiane Dani <soufianeda@tutanota.com>
Closes: https://lore.kernel.org/linux-staging/20260210-atomisp-fix-v1-1-024429cbff31@tutanota.com/
Cc: stable@vger.kernel.org
Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2")
Fixes: ad85094b293e ("Revert "media: staging: atomisp: Remove driver"")
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/media/atomisp/pci/atomisp_ioctl.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c
+++ b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c
@@ -1780,6 +1780,10 @@ static long atomisp_vidioc_default(struc
 	struct atomisp_sub_device *asd = atomisp_to_video_pipe(vdev)->asd;
 	int err;
 
+	/* Disable all private IOCTLs for now! */
+	if (cmd)
+		return -EINVAL;
+
 	switch (cmd) {
 	case ATOMISP_IOC_S_SENSOR_RUNMODE:
 		if (IS_ISP2401)
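Review bot: `return -EINVAL` reports every private ioctl as a bad argument rather than as unsupported. The V4L2 convention for a command that vidioc_default does not handle is -ENOTTY (what the core returns for unknown ioctls), which lets userspace feature-probing distinguish "not available" from "wrong parameters"; suggest `return -ENOTTY;`. The early return also makes the switch below effectively dead code (it can only run for cmd == 0, which matches no case), so a brief comment pointing at the report in the Closes: tag would explain why the handlers are retained rather than removed.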




* [PATCH 6.6 303/474] regulator: mt6357: fix OF node reference imbalance
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (301 preceding siblings ...)
  2026-05-15 15:46 ` [PATCH 6.6 302/474] staging: media: atomisp: Disallow all private IOCTLs Greg Kroah-Hartman
@ 2026-05-15 15:46 ` Greg Kroah-Hartman
  2026-05-15 15:46 ` [PATCH 6.6 304/474] regulator: max77650: " Greg Kroah-Hartman
                   ` (171 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 2f38e96c273e15f5e9f5d1fc2c0cbba703751602 upstream.

The driver reuses the OF node of the parent multi-function device but
fails to take another reference to balance the one dropped by the
platform bus code when unbinding the MFD and deregistering the child
devices.

Fix this by using the intended helper for reusing OF nodes.

Fixes: dafc7cde23dc ("regulator: add mt6357 regulator")
Cc: stable@vger.kernel.org	# 6.2
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260408073055.5183-5-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/regulator/mt6357-regulator.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/regulator/mt6357-regulator.c
+++ b/drivers/regulator/mt6357-regulator.c
@@ -410,7 +410,7 @@ static int mt6357_regulator_probe(struct
 	struct regulator_dev *rdev;
 	int i;
 
-	pdev->dev.of_node = pdev->dev.parent->of_node;
+	device_set_of_node_from_dev(&pdev->dev, pdev->dev.parent);
 
 	for (i = 0; i < MT6357_MAX_REGULATOR; i++) {
 		config.dev = &pdev->dev;
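Review bot: the OF node is overwritten unconditionally here, unlike the max77650 change in this series, which guards with `if (!dev->of_node)`. If this cell is ever given an OF match of its own (the MFD core sets of_node, with a reference, for cells that carry a compatible), the reference taken for that node is leaked when it is overwritten. Consider the same guard: `if (!pdev->dev.of_node) device_set_of_node_from_dev(&pdev->dev, pdev->dev.parent);`.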




* [PATCH 6.6 304/474] regulator: max77650: fix OF node reference imbalance
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (302 preceding siblings ...)
  2026-05-15 15:46 ` [PATCH 6.6 303/474] regulator: mt6357: fix OF node reference imbalance Greg Kroah-Hartman
@ 2026-05-15 15:46 ` Greg Kroah-Hartman
  2026-05-15 15:46 ` [PATCH 6.6 305/474] media: rc: xbox_remote: heed DMA restrictions Greg Kroah-Hartman
                   ` (170 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Bartosz Golaszewski, Johan Hovold,
	Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 2edaf5f7ada0ab5c9ec1f0836bd19779a8d85262 upstream.

The driver reuses the OF node of the parent multi-function device but
fails to take another reference to balance the one dropped by the
platform bus code when unbinding the MFD and deregistering the child
devices.

Fix this by using the intended helper for reusing OF nodes.

Fixes: bcc61f1c44fd ("regulator: max77650: add regulator support")
Cc: stable@vger.kernel.org	# 5.1
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260408073055.5183-4-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/regulator/max77650-regulator.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/regulator/max77650-regulator.c
+++ b/drivers/regulator/max77650-regulator.c
@@ -339,7 +339,7 @@ static int max77650_regulator_probe(stru
 	parent = dev->parent;
 
 	if (!dev->of_node)
-		dev->of_node = parent->of_node;
+		device_set_of_node_from_dev(dev, parent);
 
 	rdescs = devm_kcalloc(dev, MAX77650_REGULATOR_NUM_REGULATORS,
 			      sizeof(*rdescs), GFP_KERNEL);




* [PATCH 6.6 305/474] media: rc: xbox_remote: heed DMA restrictions
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (303 preceding siblings ...)
  2026-05-15 15:46 ` [PATCH 6.6 304/474] regulator: max77650: " Greg Kroah-Hartman
@ 2026-05-15 15:46 ` Greg Kroah-Hartman
  2026-05-15 15:46 ` [PATCH 6.6 306/474] media: rc: streamzap: Error handling in probe Greg Kroah-Hartman
                   ` (169 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Oliver Neukum, Sean Young,
	Hans Verkuil

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <oneukum@suse.com>

commit e280d1e5e3f2595bbb43fe6e1bce00c59a43c0ff upstream.

The buffer for IO must not be part of the device structure
because that violates the DMA coherency rules.

Fixes: 02d32bdad3123 ("media: rc: add driver for Xbox DVD Movie Playback Kit")
Cc: stable@vger.kernel.org
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/rc/xbox_remote.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/media/rc/xbox_remote.c
+++ b/drivers/media/rc/xbox_remote.c
@@ -55,7 +55,7 @@ struct xbox_remote {
 	struct usb_interface *interface;
 
 	struct urb *irq_urb;
-	unsigned char inbuf[DATA_BUFSIZE] __aligned(sizeof(u16));
+	u8 *inbuf;
 
 	char rc_name[NAME_BUFSIZE];
 	char rc_phys[NAME_BUFSIZE];
@@ -218,6 +218,10 @@ static int xbox_remote_probe(struct usb_
 	if (!xbox_remote || !rc_dev)
 		goto exit_free_dev_rdev;
 
+	xbox_remote->inbuf = kzalloc(DATA_BUFSIZE, GFP_KERNEL);
+	if (!xbox_remote->inbuf)
+		goto exit_free_inbuf;
+
 	/* Allocate URB buffer */
 	xbox_remote->irq_urb = usb_alloc_urb(0, GFP_KERNEL);
 	if (!xbox_remote->irq_urb)
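Review bot: on allocation failure the jump to `exit_free_inbuf` lands on `kfree(xbox_remote->inbuf)` with inbuf still NULL, which is harmless but misleading; jumping to `exit_free_dev_rdev` would match the usual pattern of unwinding only what was actually set up. It is also worth a one-line comment that the buffer is deliberately a separate kzalloc() rather than embedded in the struct (the DMA coherency point from the commit message), so a later cleanup does not fold it back in.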
@@ -262,6 +266,8 @@ exit_kill_urbs:
 	usb_kill_urb(xbox_remote->irq_urb);
 exit_free_buffers:
 	usb_free_urb(xbox_remote->irq_urb);
+exit_free_inbuf:
+	kfree(xbox_remote->inbuf);
 exit_free_dev_rdev:
 	rc_free_device(rc_dev);
 	kfree(xbox_remote);
@@ -286,6 +292,7 @@ static void xbox_remote_disconnect(struc
 	usb_kill_urb(xbox_remote->irq_urb);
 	rc_unregister_device(xbox_remote->rdev);
 	usb_free_urb(xbox_remote->irq_urb);
+	kfree(xbox_remote->inbuf);
 	kfree(xbox_remote);
 }
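Review bot: the new `kfree(xbox_remote->inbuf)` correctly sits after usb_kill_urb(), so no interrupt URB can still be writing into the buffer when it is freed; that ordering dependency deserves a comment, since the buffer used to live inside xbox_remote and its lifetime is now independent of the struct.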
 




* [PATCH 6.6 306/474] media: rc: streamzap: Error handling in probe
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (304 preceding siblings ...)
  2026-05-15 15:46 ` [PATCH 6.6 305/474] media: rc: xbox_remote: heed DMA restrictions Greg Kroah-Hartman
@ 2026-05-15 15:46 ` Greg Kroah-Hartman
  2026-05-15 15:46 ` [PATCH 6.6 307/474] regulator: rk808: fix OF node reference imbalance Greg Kroah-Hartman
                   ` (168 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Oliver Neukum, Sean Young,
	Hans Verkuil

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <oneukum@suse.com>

commit 42844992664f03ef9f930e64f7370fa481e9c267 upstream.

If submitting the URB fails, the device will be unusable.
Probe() must fail.

Fixes: 7a569f524dd36 ("V4L/DVB: IR/streamzap: functional in-kernel decoding")
Cc: stable@vger.kernel.org
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/rc/streamzap.c |   12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/drivers/media/rc/streamzap.c
+++ b/drivers/media/rc/streamzap.c
@@ -219,9 +219,8 @@ static void streamzap_callback(struct ur
 	case -ESHUTDOWN:
 		/*
 		 * this urb is terminated, clean up.
-		 * sz might already be invalid at this point
 		 */
-		dev_err(sz->dev, "urb terminated, status: %d\n", urb->status);
+		dev_dbg(sz->dev, "urb terminated, status: %d\n", urb->status);
 		return;
 	default:
 		break;
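Review bot: dropping the "sz might already be invalid at this point" comment asserts that `sz` is always valid in the shutdown path, yet the hunk still dereferences `sz->dev` exactly as before and nothing here establishes that guarantee (it holds only if disconnect kills the URB before freeing `sz`). If that guarantee exists, say so in the remaining comment; if it does not, the dev_err to dev_dbg downgrade hides a real problem rather than fixing it.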
@@ -358,11 +357,16 @@ static int streamzap_probe(struct usb_in
 
 	usb_set_intfdata(intf, sz);
 
-	if (usb_submit_urb(sz->urb_in, GFP_ATOMIC))
+	retval = usb_submit_urb(sz->urb_in, GFP_ATOMIC);
+	if (retval < 0) {
 		dev_err(sz->dev, "urb submit failed\n");
+		goto rc_submit_fail;
+	}
 
 	return 0;
-
+rc_submit_fail:
+	rc_free_device(sz->rdev);
+	usb_set_intfdata(intf, NULL);
 rc_dev_fail:
 	usb_free_urb(sz->urb_in);
 free_buf_in:
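Review bot: `rc_free_device(sz->rdev)` in the new rc_submit_fail path is only correct if the rc device has not been registered yet. If an earlier probe step already called rc_register_device() (the normal sequence before submitting the URB), the unwind must use rc_unregister_device() instead, otherwise a registered rc device outlives its driver data. The visible context does not show how sz->rdev was set up, so this needs checking against the full probe. The fall-through into the existing labels also relies on them ending in `return retval;`, which is not visible here.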




* [PATCH 6.6 307/474] regulator: rk808: fix OF node reference imbalance
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (305 preceding siblings ...)
  2026-05-15 15:46 ` [PATCH 6.6 306/474] media: rc: streamzap: Error handling in probe Greg Kroah-Hartman
@ 2026-05-15 15:46 ` Greg Kroah-Hartman
  2026-05-15 15:46 ` [PATCH 6.6 308/474] media: videobuf2: Set vma_flags in vb2_dma_sg_mmap Greg Kroah-Hartman
                   ` (167 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sebastian Reichel, Douglas Anderson,
	Johan Hovold, Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 65290b24d8a5f0b8cd065201e653db824c4a4da6 upstream.

The driver reuses the OF node of the parent multi-function device but
fails to take another reference to balance the one dropped by the
platform bus code when unbinding the MFD and deregistering the child
devices.

Fix this by using the intended helper for reusing OF nodes.

Fixes: 647e57351f8e ("regulator: rk808: reduce 'struct rk808' usage")
Cc: stable@vger.kernel.org	# 6.2
Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260408073055.5183-3-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/regulator/rk808-regulator.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/regulator/rk808-regulator.c
+++ b/drivers/regulator/rk808-regulator.c
@@ -1674,8 +1674,7 @@ static int rk808_regulator_probe(struct
 	struct regmap *regmap;
 	int ret, i, nregulators;
 
-	pdev->dev.of_node = pdev->dev.parent->of_node;
-	pdev->dev.of_node_reused = true;
+	device_set_of_node_from_dev(&pdev->dev, pdev->dev.parent);
 
 	regmap = dev_get_regmap(pdev->dev.parent, NULL);
 	if (!regmap)




* [PATCH 6.6 308/474] media: videobuf2: Set vma_flags in vb2_dma_sg_mmap
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (306 preceding siblings ...)
  2026-05-15 15:46 ` [PATCH 6.6 307/474] regulator: rk808: fix OF node reference imbalance Greg Kroah-Hartman
@ 2026-05-15 15:46 ` Greg Kroah-Hartman
  2026-05-15 15:46 ` [PATCH 6.6 309/474] regulator: act8945a: fix OF node reference imbalance Greg Kroah-Hartman
                   ` (166 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Janne Grunau, Marek Szyprowski,
	Hans Verkuil

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Janne Grunau <j@jannau.net>

commit 7254b31a13aaa0c2c0f9ffbc335b718656117ff4 upstream.

vb2_dma_contig sets VMA flags VM_DONTEXPAND and VM_DONTDUMP and I do not
see a reason why vb2_dma_sg should behave differently. This avoids
hitting `WARN_ON(!(vma->vm_flags & VM_DONTEXPAND));` in
drm_gem_mmap_obj() during mmap() of an imported dma-buf from the out of
tree Apple ISP camera capture driver which uses vb2_dma_sg_memops.

gst-launch-1.0 v4l2src ! gtk4paintablesink

[   38.201528] ------------[ cut here ]------------
[   38.202135] WARNING: CPU: 7 PID: 2362 at drivers/gpu/drm/drm_gem.c:1144 drm_gem_mmap_obj+0x1f8/0x210
[   38.203278] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer
snd_seq snd_seq_device uinput nf_conntrack_netbios_ns
nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib
nft_reject_inet nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat
nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables qrtr bnep
nls_ascii i2c_dev loop fuse dm_multipath nfnetlink brcmfmac_wcc
hid_magicmouse hci_bcm4377 brcmfmac brcmutil bluetooth ecdh_generic
cfg80211 ecc btrfs xor xor_neon rfkill hid_apple raid6_pq joydev
aop_als apple_nvmem_spmi industrialio snd_soc_aop apple_z2
snd_soc_cs42l84 tps6598x snd_soc_tas2764 macsmc_reboot spi_nor
macsmc_hwmon rtc_macsmc gpio_macsmc macsmc_power regmap_spmi
macsmc_input dockchannel_hid panel_summit appledrm nvme_apple dwc3
snd_soc_macaudio drm_client_lib nvme_core phy_apple_atc hwmon
apple_sart apple_dockchannel macsmc apple_rtkit_helper
spmi_apple_controller aop apple_wdt mfd_core nvmem_apple_efuses
pinctrl_apple_gpio apple_isp apple_dcp videobuf2_dma_sg mux_core
spi_apple
[   38.203300]  videobuf2_memops i2c_pasemi_platform snd_soc_apple_mca videobuf2_v4l2 videodev clk_apple_nco videobuf2_common snd_pcm_dmaengine adpdrm asahi apple_admac adpdrm_mipi drm_dma_helper pwm_apple i2c_pasemi_core drm_display_helper mc cec apple_dart ofpart apple_soc_cpufreq leds_pwm phram
[   38.217677] CPU: 7 UID: 1000 PID: 2362 Comm: gst-launch-1.0 Tainted: G        W           6.17.6+ #asahi-dev PREEMPT(full)
[   38.219040] Tainted: [W]=WARN
[   38.219398] Hardware name: Apple MacBook Pro (13-inch, M2, 2022) (DT)
[   38.220213] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[   38.221088] pc : drm_gem_mmap_obj+0x1f8/0x210
[   38.221643] lr : drm_gem_mmap_obj+0x78/0x210
[   38.222178] sp : ffffc0008dc678e0
[   38.222579] x29: ffffc0008dc678e0 x28: 0000000000042a97 x27: ffff8000b701b480
[   38.223465] x26: 00000000000000fb x25: ffffc0008dc67d20 x24: ffffc0008dc67968
[   38.224402] x23: ffff8000e3ca5600 x22: ffff8000265b7800 x21: ffff80003000c0c0
[   38.225279] x20: 0000000000000000 x19: ffff8000b68c5200 x18: ffffc0008dc67968
[   38.226151] x17: 0000000000000000 x16: 0000000000000000 x15: ffffc000810a30a8
[   38.227042] x14: 00007fff637effff x13: 00005555de91ffff x12: 00007fff63293fff
[   38.227942] x11: 0000000000000000 x10: ffff8000184ecf08 x9 : ffffc0007a1900c8
[   38.228824] x8 : ffffc0008dc67968 x7 : 0000000000000012 x6 : ffffc0015cf1c000
[   38.229703] x5 : ffffc0008dc676a0 x4 : ffffc00081a27dc0 x3 : 0000000000000038
[   38.230607] x2 : 0000000000000003 x1 : 0000000000000003 x0 : 00000000100000fb
[   38.231488] Call trace:
[   38.231806]  drm_gem_mmap_obj+0x1f8/0x210 (P)
[   38.232342]  drm_gem_mmap+0x140/0x260
[   38.232813]  __mmap_region+0x488/0x9a0
[   38.233277]  mmap_region+0xd0/0x148
[   38.233703]  do_mmap+0x350/0x5c0
[   38.234148]  vm_mmap_pgoff+0x14c/0x200
[   38.234612]  ksys_mmap_pgoff+0x150/0x208
[   38.235107]  __arm64_sys_mmap+0x34/0x50
[   38.235611]  invoke_syscall+0x50/0x120
[   38.236075]  el0_svc_common.constprop.0+0x48/0xf0
[   38.236680]  do_el0_svc+0x24/0x38
[   38.237113]  el0_svc+0x38/0x168
[   38.237507]  el0t_64_sync_handler+0xa0/0xe8
[   38.238034]  el0t_64_sync+0x198/0x1a0
[   38.238491] ---[ end trace 0000000000000000 ]---

There were discussions in [1] at the end of 2023 that mmap() on imported
dma-bufs should not be supported but as of v6.17 drm_gem_shmem_mmap() in
drm_gem_shmem_helper.c still supports it.
This might affect all gpu or accel drivers using drm_gem_shmem_mmap() or
the wrapper drm_gem_shmem_object_mmap().

[1] https://lore.kernel.org/dri-devel/bc7f7844-0aa3-4802-b203-69d58e8be2fa@linux.intel.com/

Cc: stable@vger.kernel.org
Fixes: 5ba3f757f059 ("[media] v4l: videobuf2: add DMA scatter/gather allocator")
Signed-off-by: Janne Grunau <j@jannau.net>
Acked-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/common/videobuf2/videobuf2-dma-sg.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/media/common/videobuf2/videobuf2-dma-sg.c
+++ b/drivers/media/common/videobuf2/videobuf2-dma-sg.c
@@ -345,6 +345,7 @@ static int vb2_dma_sg_mmap(void *buf_pri
 		return err;
 	}
 
+	vm_flags_set(vma, VM_DONTEXPAND | VM_DONTDUMP);
 	/*
 	 * Use common vm_area operations to track buffer refcount.
 	 */
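Review bot: vm_flags_set() requires the mmap lock held for write, which is the case both on the V4L2 mmap() path and when this is reached through the dma-buf mmap op (still under the original mmap() call), so the call is safe here. For a 6.6 backport note that vm_flags_set() was introduced in v6.3, so the hunk applies as-is, but it will not build on older stable trees, which would need the direct `vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP` form.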




* [PATCH 6.6 309/474] regulator: act8945a: fix OF node reference imbalance
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (307 preceding siblings ...)
  2026-05-15 15:46 ` [PATCH 6.6 308/474] media: videobuf2: Set vma_flags in vb2_dma_sg_mmap Greg Kroah-Hartman
@ 2026-05-15 15:46 ` Greg Kroah-Hartman
  2026-05-15 15:46 ` [PATCH 6.6 310/474] regulator: bd9571mwv: " Greg Kroah-Hartman
                   ` (165 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Wenyou Yang, Johan Hovold,
	Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 0d15ce31375ccef4162f960b34547a821b7619d2 upstream.

The driver reuses the OF node of the parent multi-function device but
fails to take another reference to balance the one dropped by the
platform bus code when unbinding the MFD and deregistering the child
devices.

Fix this by using the intended helper for reusing OF nodes.

Fixes: 38c09961048b ("regulator: act8945a: add regulator driver for ACT8945A")
Cc: stable@vger.kernel.org	# 4.6
Cc: Wenyou Yang <wenyou.yang@atmel.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260408073055.5183-7-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/regulator/act8945a-regulator.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/regulator/act8945a-regulator.c
+++ b/drivers/regulator/act8945a-regulator.c
@@ -302,8 +302,9 @@ static int act8945a_pmic_probe(struct pl
 		num_regulators = ARRAY_SIZE(act8945a_regulators);
 	}
 
+	device_set_of_node_from_dev(&pdev->dev, pdev->dev.parent);
+
 	config.dev = &pdev->dev;
-	config.dev->of_node = pdev->dev.parent->of_node;
 	config.driver_data = act8945a;
 	for (i = 0; i < num_regulators; i++) {
 		rdev = devm_regulator_register(&pdev->dev, &regulators[i],




* [PATCH 6.6 310/474] regulator: bd9571mwv: fix OF node reference imbalance
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (308 preceding siblings ...)
  2026-05-15 15:46 ` [PATCH 6.6 309/474] regulator: act8945a: fix OF node reference imbalance Greg Kroah-Hartman
@ 2026-05-15 15:46 ` Greg Kroah-Hartman
  2026-05-15 15:47 ` [PATCH 6.6 311/474] spi: lantiq-ssc: fix controller deregistration Greg Kroah-Hartman
                   ` (164 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:46 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Marek Vasut, Johan Hovold,
	Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 8498100ee1d00422b8c5b161b3e332278b92a59a upstream.

The driver reuses the OF node of the parent multi-function device but
fails to take another reference to balance the one dropped by the
platform bus code when unbinding the MFD and deregistering the child
devices.

Fix this by using the intended helper for reusing OF nodes.

Fixes: e85c5a153fe2 ("regulator: Add ROHM BD9571MWV-M PMIC regulator driver")
Cc: stable@vger.kernel.org	# 4.12
Cc: Marek Vasut <marek.vasut@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260408073055.5183-8-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/regulator/bd9571mwv-regulator.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/regulator/bd9571mwv-regulator.c
+++ b/drivers/regulator/bd9571mwv-regulator.c
@@ -288,8 +288,9 @@ static int bd9571mwv_regulator_probe(str
 
 	platform_set_drvdata(pdev, bdreg);
 
+	device_set_of_node_from_dev(&pdev->dev, pdev->dev.parent);
+
 	config.dev = &pdev->dev;
-	config.dev->of_node = pdev->dev.parent->of_node;
 	config.driver_data = bdreg;
 	config.regmap = bdreg->regmap;
 




* [PATCH 6.6 311/474] spi: lantiq-ssc: fix controller deregistration
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (309 preceding siblings ...)
  2026-05-15 15:46 ` [PATCH 6.6 310/474] regulator: bd9571mwv: " Greg Kroah-Hartman
@ 2026-05-15 15:47 ` Greg Kroah-Hartman
  2026-05-15 15:47 ` [PATCH 6.6 312/474] spi: qup: " Greg Kroah-Hartman
                   ` (163 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Hauke Mehrtens, Johan Hovold,
	Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit b99206710d032c16b7f8b75e4bc18414d8e4b9f4 upstream.

Make sure to deregister the controller before releasing underlying
resources like clocks during driver unbind.

Fixes: 17f84b793c01 ("spi: lantiq-ssc: add support for Lantiq SSC SPI controller")
Cc: stable@vger.kernel.org	# 4.11
Cc: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260409120419.388546-17-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-lantiq-ssc.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-lantiq-ssc.c
+++ b/drivers/spi/spi-lantiq-ssc.c
@@ -998,7 +998,7 @@ static int lantiq_ssc_probe(struct platf
 		"Lantiq SSC SPI controller (Rev %i, TXFS %u, RXFS %u, DMA %u)\n",
 		revision, spi->tx_fifo_size, spi->rx_fifo_size, supports_dma);
 
-	err = devm_spi_register_controller(dev, host);
+	err = spi_register_controller(host);
 	if (err) {
 		dev_err(dev, "failed to register spi host\n");
 		goto err_wq_destroy;
@@ -1022,6 +1022,10 @@ static void lantiq_ssc_remove(struct pla
 {
 	struct lantiq_ssc_spi *spi = platform_get_drvdata(pdev);
 
+	spi_controller_get(spi->host);
+
+	spi_unregister_controller(spi->host);
+
 	lantiq_ssc_writel(spi, 0, LTQ_SPI_IRNEN);
 	lantiq_ssc_writel(spi, 0, LTQ_SPI_CLC);
 	rx_fifo_flush(spi);
@@ -1031,6 +1035,8 @@ static void lantiq_ssc_remove(struct pla
 	destroy_workqueue(spi->wq);
 	clk_disable_unprepare(spi->spi_clk);
 	clk_put(spi->fpi_clk);
+
+	spi_controller_put(spi->host);
 }
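Review bot: `spi` comes from platform drvdata and is presumably the devdata embedded in the controller allocation, so the trailing `spi_controller_put(spi->host)` must remain the last statement in this function: after it, `spi` may be freed. Unregistering before destroy_workqueue() is the right order, since no new transfers can reach spi->wq once spi_unregister_controller() has returned; a comment on both constraints would protect them from being reordered.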
 
 static struct platform_driver lantiq_ssc_driver = {




* [PATCH 6.6 312/474] spi: qup: fix controller deregistration
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (310 preceding siblings ...)
  2026-05-15 15:47 ` [PATCH 6.6 311/474] spi: lantiq-ssc: fix controller deregistration Greg Kroah-Hartman
@ 2026-05-15 15:47 ` Greg Kroah-Hartman
  2026-05-15 15:47 ` [PATCH 6.6 313/474] spi: at91-usart: " Greg Kroah-Hartman
                   ` (162 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 443e3a0005a4342b218b6dbd4c6387d3c7fed85a upstream.

Make sure to deregister the controller before disabling underlying
resources like clocks during driver unbind.

Fixes: 64ff247a978f ("spi: Add Qualcomm QUP SPI controller support")
Cc: stable@vger.kernel.org	# 3.15
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-10-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-qup.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-qup.c
+++ b/drivers/spi/spi-qup.c
@@ -1149,7 +1149,7 @@ static int spi_qup_probe(struct platform
 	pm_runtime_set_active(dev);
 	pm_runtime_enable(dev);
 
-	ret = devm_spi_register_controller(dev, host);
+	ret = spi_register_controller(host);
 	if (ret)
 		goto disable_pm;
 
@@ -1274,6 +1274,10 @@ static void spi_qup_remove(struct platfo
 	struct spi_qup *controller = spi_controller_get_devdata(host);
 	int ret;
 
+	spi_controller_get(host);
+
+	spi_unregister_controller(host);
+
 	ret = pm_runtime_get_sync(&pdev->dev);
 
 	if (ret >= 0) {
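Review bot: here spi_unregister_controller() runs before pm_runtime_get_sync(), while the atmel change in this series takes the runtime PM reference first. Both orders work when auto_runtime_pm is set, because the SPI core takes its own runtime PM reference on the controller's parent while pumping any remaining messages, but the two patches should either be consistent or carry a comment stating that unregister does not depend on the device being resumed.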
@@ -1293,6 +1297,8 @@ static void spi_qup_remove(struct platfo
 
 	pm_runtime_put_noidle(&pdev->dev);
 	pm_runtime_disable(&pdev->dev);
+
+	spi_controller_put(host);
 }
 
 static const struct of_device_id spi_qup_dt_match[] = {




* [PATCH 6.6 313/474] spi: at91-usart: fix controller deregistration
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (311 preceding siblings ...)
  2026-05-15 15:47 ` [PATCH 6.6 312/474] spi: qup: " Greg Kroah-Hartman
@ 2026-05-15 15:47 ` Greg Kroah-Hartman
  2026-05-15 15:47 ` [PATCH 6.6 314/474] media: saa7164: add ioremap return checks and cleanups Greg Kroah-Hartman
                   ` (161 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Radu Pirea, Johan Hovold, Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 9acecc9bcff058eaef40fd7a4c3650e88b06b220 upstream.

Make sure to deregister the controller before disabling and releasing
underlying resources like clocks and DMA during driver unbind.

Fixes: e1892546ff66 ("spi: at91-usart: Add driver for at91-usart as SPI")
Cc: stable@vger.kernel.org	# 4.20
Cc: Radu Pirea <radu.pirea@microchip.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260409120419.388546-4-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-at91-usart.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-at91-usart.c
+++ b/drivers/spi/spi-at91-usart.c
@@ -570,7 +570,7 @@ static int at91_usart_spi_probe(struct p
 	spin_lock_init(&aus->lock);
 	init_completion(&aus->xfer_completion);
 
-	ret = devm_spi_register_controller(&pdev->dev, controller);
+	ret = spi_register_controller(controller);
 	if (ret)
 		goto at91_usart_fail_register_controller;
 
@@ -648,8 +648,14 @@ static void at91_usart_spi_remove(struct
 	struct spi_controller *ctlr = platform_get_drvdata(pdev);
 	struct at91_usart_spi *aus = spi_controller_get_devdata(ctlr);
 
+	spi_controller_get(ctlr);
+
+	spi_unregister_controller(ctlr);
+
 	at91_usart_spi_release_dma(ctlr);
 	clk_disable_unprepare(aus->clk);
+
+	spi_controller_put(ctlr);
 }
 
 static const struct dev_pm_ops at91_usart_spi_pm_ops = {
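Review bot: the ordering is the point of the fix: spi_unregister_controller(ctlr) now runs before at91_usart_spi_release_dma(ctlr) and clk_disable_unprepare(aus->clk), so SPI device drivers being removed can still transfer while the DMA channels and clock are live; the spi_controller_get()/spi_controller_put() pair around it keeps `aus` (the devdata) valid until the clock has been disabled. Worth a short comment on the get/put so it is not "cleaned up" as redundant later.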




* [PATCH 6.6 314/474] media: saa7164: add ioremap return checks and cleanups
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Wang Jun, Hans Verkuil

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wang Jun <1742789905@qq.com>

commit d51c60a498e83c9a79884c8e420f97e3885c9583 upstream.

Add checks for ioremap return values in saa7164_dev_setup(). If
ioremap for BAR0 or BAR2 fails, release the already allocated PCI
memory regions, remove the device from the global list, decrement
the device count, and return -ENODEV.

This prevents potential null pointer dereferences and ensures proper
cleanup on memory mapping failures.

Fixes: 443c1228d505 ("V4L/DVB (12923): SAA7164: Add support for the NXP SAA7164 silicon")
Cc: stable@vger.kernel.org
Signed-off-by: Wang Jun <1742789905@qq.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/pci/saa7164/saa7164-core.c |   47 +++++++++++++++++++++++--------
 1 file changed, 35 insertions(+), 12 deletions(-)

--- a/drivers/media/pci/saa7164/saa7164-core.c
+++ b/drivers/media/pci/saa7164/saa7164-core.c
@@ -888,6 +888,15 @@ static int get_resources(struct saa7164_
 	return -EBUSY;
 }
 
+static void release_resources(struct saa7164_dev *dev)
+{
+	release_mem_region(pci_resource_start(dev->pci, 0),
+			   pci_resource_len(dev->pci, 0));
+
+	release_mem_region(pci_resource_start(dev->pci, 2),
+			   pci_resource_len(dev->pci, 2));
+}
+
 static int saa7164_port_init(struct saa7164_dev *dev, int portnr)
 {
 	struct saa7164_port *port = NULL;
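Review bot: release_resources() is the inverse of get_resources() directly above it but carries no comment saying so; a one-line comment would make the pairing obvious. It also releases both BAR 0 and BAR 2 unconditionally, which is only correct if get_resources() never returns success with just one region claimed; confirm that against the function body, which is outside the hunk.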
@@ -947,9 +956,9 @@ static int saa7164_dev_setup(struct saa7
 
 	snprintf(dev->name, sizeof(dev->name), "saa7164[%d]", dev->nr);
 
-	mutex_lock(&devlist);
-	list_add_tail(&dev->devlist, &saa7164_devlist);
-	mutex_unlock(&devlist);
+	scoped_guard(mutex, &devlist) {
+		list_add_tail(&dev->devlist, &saa7164_devlist);
+	}
 
 	/* board config */
 	dev->board = UNSET;
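Review bot: scoped_guard(mutex, &devlist) depends on the mutex guard from <linux/mutex.h> (built on <linux/cleanup.h>), which 6.6 has, but no include is added in this hunk, so confirm saa7164-core.c already pulls it in; for a stable backport the guard conversion is also an unrelated cleanup, and keeping the original mutex_lock()/mutex_unlock() would have kept the diff to the actual fix.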
@@ -996,11 +1005,17 @@ static int saa7164_dev_setup(struct saa7
 	}
 
 	/* PCI/e allocations */
-	dev->lmmio = ioremap(pci_resource_start(dev->pci, 0),
-			     pci_resource_len(dev->pci, 0));
+	dev->lmmio = pci_ioremap_bar(dev->pci, 0);
+	if (!dev->lmmio) {
+		dev_err(&dev->pci->dev, "Failed to remap MMIO BAR 0\n");
+		goto err_ioremap_bar0;
+	}
 
-	dev->lmmio2 = ioremap(pci_resource_start(dev->pci, 2),
-			     pci_resource_len(dev->pci, 2));
+	dev->lmmio2 = pci_ioremap_bar(dev->pci, 2);
+	if (!dev->lmmio2) {
+		dev_err(&dev->pci->dev, "Failed to remap MMIO BAR 2\n");
+		goto err_ioremap_bar2;
+	}
 
 	dev->bmmio = (u8 __iomem *)dev->lmmio;
 	dev->bmmio2 = (u8 __iomem *)dev->lmmio2;
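Review bot: pci_ioremap_bar() maps the whole BAR and additionally refuses non-memory BARs, so this is stricter than the ioremap() calls it replaces, and the NULL checks make the bmmio/bmmio2 aliases below safe. One thing to keep in mind is that dev->lmmio is left pointing at the mapping when the BAR 2 mapping fails; the err_ioremap_bar2 label unmaps it but does not clear it, so nothing further down may rely on lmmio == NULL meaning "not mapped".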
@@ -1019,17 +1034,25 @@ static int saa7164_dev_setup(struct saa7
 	saa7164_pci_quirks(dev);
 
 	return 0;
+
+err_ioremap_bar2:
+	iounmap(dev->lmmio);
+err_ioremap_bar0:
+	release_resources(dev);
+
+	scoped_guard(mutex, &devlist) {
+		list_del(&dev->devlist);
+	}
+	saa7164_devcount--;
+
+	return -ENODEV;
 }
 
 static void saa7164_dev_unregister(struct saa7164_dev *dev)
 {
 	dprintk(1, "%s()\n", __func__);
 
-	release_mem_region(pci_resource_start(dev->pci, 0),
-		pci_resource_len(dev->pci, 0));
-
-	release_mem_region(pci_resource_start(dev->pci, 2),
-		pci_resource_len(dev->pci, 2));
+	release_resources(dev);
 
 	if (!atomic_dec_and_test(&dev->refcount))
 		return;
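Review bot: the new error path unmaps, releases the regions, removes the device from saa7164_devlist and decrements saa7164_devcount, which assumes the increment happened earlier in saa7164_dev_setup() (the list_add_tail is in the previous hunk; the devcount increment is not shown) and that the caller of saa7164_dev_setup() does not repeat any of this when it sees -ENODEV; a double list_del() or double release_mem_region() is the thing to rule out. Returning -ENODEV for both mapping failures also hides the cause; -ENOMEM would be the more conventional code for a failed ioremap.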




* [PATCH 6.6 315/474] platform/x86: hp-wmi: Ignore backlight and FnLock events
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Artem S. Tashkinov, Krishna Chomal,
	Ilpo Järvinen

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Krishna Chomal <krishna.chomal108@gmail.com>

commit e8c597368b8500a824c639bfb5ed0044068c6870 upstream.

On HP OmniBook 7 the keyboard backlight and FnLock keys are handled
directly by the firmware. However, they still trigger WMI events which
results in "Unknown key code" warnings in dmesg.

Add these key codes to the keymap with KE_IGNORE to silence the warnings
since no software action is needed.

Tested-by: Artem S. Tashkinov <aros@gmx.com>
Reported-by: Artem S. Tashkinov <aros@gmx.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221181
Signed-off-by: Krishna Chomal <krishna.chomal108@gmail.com>
Link: https://patch.msgid.link/20260403080155.169653-1-krishna.chomal108@gmail.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/platform/x86/hp/hp-wmi.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/platform/x86/hp/hp-wmi.c
+++ b/drivers/platform/x86/hp/hp-wmi.c
@@ -238,6 +238,11 @@ static const struct key_entry hp_wmi_key
 	{ KE_KEY, 0x21a9,  { KEY_TOUCHPAD_OFF } },
 	{ KE_KEY, 0x121a9, { KEY_TOUCHPAD_ON } },
 	{ KE_KEY, 0x231b,  { KEY_HELP } },
+	{ KE_IGNORE, 0x21ab, }, /* FnLock on */
+	{ KE_IGNORE, 0x121ab, }, /* FnLock off */
+	{ KE_IGNORE, 0x30021aa, }, /* kbd backlight: level 2 -> off */
+	{ KE_IGNORE, 0x33221aa, }, /* kbd backlight: off -> level 1 */
+	{ KE_IGNORE, 0x36421aa, }, /* kbd backlight: level 1 -> level 2*/
 	{ KE_END, 0 }
 };
 
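Review bot: style only: the last comment `/* kbd backlight: level 1 -> level 2*/` is missing the space before `*/`, and the new entries carry a trailing comma inside the braces (`{ KE_IGNORE, 0x21ab, }`) while the surrounding KE_KEY entries do not; both are worth fixing for consistency. Functionally, KE_IGNORE only silences the "Unknown key code" warning, so if a future model needs software handling of FnLock or the backlight these codes will have to become KE_KEY entries.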




* [PATCH 6.6 316/474] media: pci: zoran: fix potential memory leak in zoran_probe()
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Abdun Nihaal, Hans Verkuil

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Abdun Nihaal <nihaal@cse.iitm.ac.in>

commit 8ea21435fe36fb853706f4935d78bc11beb63fb4 upstream.

The memory allocated for codec in videocodec_attach() is not freed in
one of the error paths, due to an incorrect goto label. Fix the label
to free it on error.

Fixes: 8f7cc5c0b0eb ("media: staging: media: zoran: introduce zoran_i2c_init")
Cc: stable@vger.kernel.org
Signed-off-by: Abdun Nihaal <nihaal@cse.iitm.ac.in>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/pci/zoran/zoran_card.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/pci/zoran/zoran_card.c
+++ b/drivers/media/pci/zoran/zoran_card.c
@@ -1377,7 +1377,7 @@ static int zoran_probe(struct pci_dev *p
 		}
 		if (zr->codec->type != zr->card.video_codec) {
 			pci_err(pdev, "%s - wrong codec\n", __func__);
-			goto zr_unreg_videocodec;
+			goto zr_detach_codec;
 		}
 	}
 	if (zr->card.video_vfe != 0) {
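Review bot: the fix is a one-line label change, so its correctness rests on zr_detach_codec (not in the hunk) detaching and freeing zr->codec and then falling through to the zr_unreg_videocodec cleanup that the old label jumped to; confirm the label order at the end of zoran_probe() so the wrong-codec path frees the codec and still undoes everything the old path undid.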




* [PATCH 6.6 317/474] media: dib8000: avoid division by 0 in dib8000_set_dds()
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Sergey Shtylyov, Hans Verkuil

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sergey Shtylyov <s.shtylyov@auroraos.dev>

commit dde3c37af95cd6fa301c4906f33d627bc9dd874c upstream.

In dib8000_set_dds(), 1 << 26 (67108864) divided by e.g. 1 apparently can't
fit into the 16-bit variable unit_khz_dds_val, being truncated to 0; this will
cause division by 0 while calling dprintk() with debugging enabled (via the
module parameter).  Use s32 instead of s16 to declare the variable, getting
rid of the cast to u16 in the *else* branch as well...

Found by Linux Verification Center (linuxtesting.org) with the Svace static
analysis tool.

Fixes: 173a64cb3fcf ("[media] dib8000: enhancement")
Cc: stable@vger.kernel.org
Signed-off-by: Sergey Shtylyov <s.shtylyov@auroraos.dev>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/dvb-frontends/dib8000.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/media/dvb-frontends/dib8000.c
+++ b/drivers/media/dvb-frontends/dib8000.c
@@ -2694,7 +2694,7 @@ static void dib8000_viterbi_state(struct
 
 static void dib8000_set_dds(struct dib8000_state *state, s32 offset_khz)
 {
-	s16 unit_khz_dds_val;
+	s32 unit_khz_dds_val;
 	u32 abs_offset_khz = abs(offset_khz);
 	u32 dds = state->cfg.pll->ifreq & 0x1ffffff;
 	u8 invert = !!(state->cfg.pll->ifreq & (1 << 25));
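Review bot: s32 is sufficient here: 67108864 is 2^26, so any quotient of it by a positive divisor fits in 31 bits and the `*= -1` in the next hunk cannot overflow; the old s16 truncated on the assignment itself, which is exactly the bug being fixed. A short comment on why the type is s32 would stop someone shrinking it again.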
@@ -2715,7 +2715,7 @@ static void dib8000_set_dds(struct dib80
 			dds = (1<<26) - dds;
 	} else {
 		ratio = 2;
-		unit_khz_dds_val = (u16) (67108864 / state->cfg.pll->internal);
+		unit_khz_dds_val = 67108864 / state->cfg.pll->internal;
 
 		if (offset_khz < 0)
 			unit_khz_dds_val *= -1;
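Review bot: dropping the (u16) cast removes the truncation, but the expression still divides by state->cfg.pll->internal with no zero check, so a zero `internal` from a bad pll configuration would still trap here; that is separate from this fix but worth a follow-up, for example validating pll->internal where the config is attached. If `internal` is an unsigned type the division is performed unsigned and then converted to s32, which is fine for this value range.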




* [PATCH 6.6 318/474] media: i2c: imx412: Assert reset GPIO during probe
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Wenmeng Liu, Sakari Ailus,
	Mauro Carvalho Chehab

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wenmeng Liu <wenmeng.liu@oss.qualcomm.com>

commit 8467c5ff5acae28513bc1e0af535e06b41b04344 upstream.

Assert the reset GPIO before first power up. This avoids a mismatch where
the first power up (when the reset GPIO defaults deasserted) differs from
subsequent cycles.

Signed-off-by: Wenmeng Liu <wenmeng.liu@oss.qualcomm.com>
Fixes: 9214e86c0cc1 ("media: i2c: Add imx412 camera sensor driver")
Cc: stable@vger.kernel.org
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/i2c/imx412.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/i2c/imx412.c
+++ b/drivers/media/i2c/imx412.c
@@ -934,7 +934,7 @@ static int imx412_parse_hw_config(struct
 
 	/* Request optional reset pin */
 	imx412->reset_gpio = devm_gpiod_get_optional(imx412->dev, "reset",
-						     GPIOD_OUT_LOW);
+						     GPIOD_OUT_HIGH);
 	if (IS_ERR(imx412->reset_gpio)) {
 		dev_err(imx412->dev, "failed to get reset gpio %ld\n",
 			PTR_ERR(imx412->reset_gpio));
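Review bot: GPIOD_OUT_HIGH requests the line in its logically asserted state, with any active-low flag from the firmware description applied by gpiolib, so this asserts reset at probe regardless of physical polarity; the power-on sequence elsewhere in the driver (not shown) must then deassert with gpiod_set_value_cansleep(reset_gpio, 0) after the supplies are up, otherwise the sensor stays in reset. Since the pin is optional, reset_gpio may be NULL, which gpiod_set_value_cansleep() tolerates.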




* [PATCH 6.6 319/474] media: staging: imx: request mbus_config in csi_start
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Frank Li, Michael Tretter,
	Philipp Zabel, Hans Verkuil

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Tretter <m.tretter@pengutronix.de>

commit 9df2aaa64890c0b6226057eb6fcb6352bd2df432 upstream.

Request the upstream mbus_config in csi_start, which starts the stream,
instead of caching it in link_validate.

This makes it possible to get rid of the mbus_cfg field in the struct csi_priv
and avoids state in the driver.

Fixes: 4a34ec8e470c ("[media] media: imx: Add CSI subdev driver")
Cc: stable@vger.kernel.org
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/media/imx/imx-media-csi.c |   40 ++++++++++++++++++------------
 1 file changed, 24 insertions(+), 16 deletions(-)

--- a/drivers/staging/media/imx/imx-media-csi.c
+++ b/drivers/staging/media/imx/imx-media-csi.c
@@ -97,9 +97,6 @@ struct csi_priv {
 	/* the mipi virtual channel number at link validate */
 	int vc_num;
 
-	/* media bus config of the upstream subdevice CSI is receiving from */
-	struct v4l2_mbus_config mbus_cfg;
-
 	spinlock_t irqlock; /* protect eof_irq handler */
 	struct timer_list eof_timeout_timer;
 	int eof_irq;
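Review bot: removing mbus_cfg from struct csi_priv is only safe once every reader is converted; the remaining hunks cover csi_idmac_setup_channel(), csi_setup(), csi_start() and csi_link_validate(), and a build with -Werror would catch any leftover priv->mbus_cfg user, so that check is cheap to do before merging.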
@@ -403,7 +400,8 @@ static void csi_idmac_unsetup_vb2_buf(st
 }
 
 /* init the SMFC IDMAC channel */
-static int csi_idmac_setup_channel(struct csi_priv *priv)
+static int csi_idmac_setup_channel(struct csi_priv *priv,
+				   struct v4l2_mbus_config *mbus_cfg)
 {
 	struct imx_media_video_dev *vdev = priv->vdev;
 	const struct imx_media_pixfmt *incc;
@@ -432,7 +430,7 @@ static int csi_idmac_setup_channel(struc
 	image.phys0 = phys[0];
 	image.phys1 = phys[1];
 
-	passthrough = requires_passthrough(&priv->mbus_cfg, infmt, incc);
+	passthrough = requires_passthrough(mbus_cfg, infmt, incc);
 	passthrough_cycles = 1;
 
 	/*
@@ -572,11 +570,12 @@ static void csi_idmac_unsetup(struct csi
 	csi_idmac_unsetup_vb2_buf(priv, state);
 }
 
-static int csi_idmac_setup(struct csi_priv *priv)
+static int csi_idmac_setup(struct csi_priv *priv,
+			   struct v4l2_mbus_config *mbus_cfg)
 {
 	int ret;
 
-	ret = csi_idmac_setup_channel(priv);
+	ret = csi_idmac_setup_channel(priv, mbus_cfg);
 	if (ret)
 		return ret;
 
@@ -595,7 +594,8 @@ static int csi_idmac_setup(struct csi_pr
 	return 0;
 }
 
-static int csi_idmac_start(struct csi_priv *priv)
+static int csi_idmac_start(struct csi_priv *priv,
+			   struct v4l2_mbus_config *mbus_cfg)
 {
 	struct imx_media_video_dev *vdev = priv->vdev;
 	int ret;
@@ -619,7 +619,7 @@ static int csi_idmac_start(struct csi_pr
 	priv->last_eof = false;
 	priv->nfb4eof = false;
 
-	ret = csi_idmac_setup(priv);
+	ret = csi_idmac_setup(priv, mbus_cfg);
 	if (ret) {
 		v4l2_err(&priv->sd, "csi_idmac_setup failed: %d\n", ret);
 		goto out_free_dma_buf;
@@ -701,7 +701,8 @@ static void csi_idmac_stop(struct csi_pr
 }
 
 /* Update the CSI whole sensor and active windows */
-static int csi_setup(struct csi_priv *priv)
+static int csi_setup(struct csi_priv *priv,
+		     struct v4l2_mbus_config *mbus_cfg)
 {
 	struct v4l2_mbus_framefmt *infmt, *outfmt;
 	const struct imx_media_pixfmt *incc;
@@ -719,7 +720,7 @@ static int csi_setup(struct csi_priv *pr
 	 * if cycles is set, we need to handle this over multiple cycles as
 	 * generic/bayer data
 	 */
-	if (is_parallel_bus(&priv->mbus_cfg) && incc->cycles) {
+	if (is_parallel_bus(mbus_cfg) && incc->cycles) {
 		if_fmt.width *= incc->cycles;
 		crop.width *= incc->cycles;
 	}
@@ -730,7 +731,7 @@ static int csi_setup(struct csi_priv *pr
 			     priv->crop.width == 2 * priv->compose.width,
 			     priv->crop.height == 2 * priv->compose.height);
 
-	ipu_csi_init_interface(priv->csi, &priv->mbus_cfg, &if_fmt, outfmt);
+	ipu_csi_init_interface(priv->csi, mbus_cfg, &if_fmt, outfmt);
 
 	ipu_csi_set_dest(priv->csi, priv->dest);
 
@@ -745,9 +746,17 @@ static int csi_setup(struct csi_priv *pr
 
 static int csi_start(struct csi_priv *priv)
 {
+	struct v4l2_mbus_config mbus_cfg = { .type = 0 };
 	struct v4l2_fract *input_fi, *output_fi;
 	int ret;
 
+	ret = csi_get_upstream_mbus_config(priv, &mbus_cfg);
+	if (ret) {
+		v4l2_err(&priv->sd,
+			 "failed to get upstream media bus configuration\n");
+		return ret;
+	}
+
 	input_fi = &priv->frame_interval[CSI_SINK_PAD];
 	output_fi = &priv->frame_interval[priv->active_output_pad];
 
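Review bot: the `struct v4l2_mbus_config mbus_cfg = { .type = 0 };` initializer works but would read better as `= { }` or with a comment that type 0 is the "unset" value csi_get_upstream_mbus_config() is expected to overwrite. The early `return ret` on failure happens before anything is started, so no unwind is needed; the observable change is that a missing upstream bus config is now reported at stream start rather than at link validation, and the v4l2_err() should probably include `ret` to aid diagnosis.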
@@ -758,7 +767,7 @@ static int csi_start(struct csi_priv *pr
 		return ret;
 
 	/* Skip first few frames from a BT.656 source */
-	if (priv->mbus_cfg.type == V4L2_MBUS_BT656) {
+	if (mbus_cfg.type == V4L2_MBUS_BT656) {
 		u32 delay_usec, bad_frames = 20;
 
 		delay_usec = DIV_ROUND_UP_ULL((u64)USEC_PER_SEC *
@@ -769,12 +778,12 @@ static int csi_start(struct csi_priv *pr
 	}
 
 	if (priv->dest == IPU_CSI_DEST_IDMAC) {
-		ret = csi_idmac_start(priv);
+		ret = csi_idmac_start(priv, &mbus_cfg);
 		if (ret)
 			goto stop_upstream;
 	}
 
-	ret = csi_setup(priv);
+	ret = csi_setup(priv, &mbus_cfg);
 	if (ret)
 		goto idmac_stop;
 
@@ -1122,7 +1131,6 @@ static int csi_link_validate(struct v4l2
 
 	mutex_lock(&priv->lock);
 
-	priv->mbus_cfg = mbus_cfg;
 	is_csi2 = !is_parallel_bus(&mbus_cfg);
 	if (is_csi2) {
 		/*
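Review bot: csi_link_validate() keeps using its own local mbus_cfg (filled in above, outside the hunk) to compute is_csi2, so the upstream subdevice is now queried in both link validation and csi_start(); that is harmless but deserves a comment, since the two calls could in principle see different answers if the upstream configuration changes between validation and start.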




* [PATCH 6.6 320/474] media: i2c: ov08d10: fix image vertical start setting
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Matthias Fend, Sakari Ailus,
	Hans Verkuil

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthias Fend <matthias.fend@emfend.at>

commit 5d150fa0f16096d736bd24d13e04495da5116fab upstream.

The current settings for the "image vertical start" register appear to be
incorrect. While this only results in an incorrect start line for native
modes, this faulty setting causes actual problems in binning mode. At least
on an i.MX8MP test system, only corrupted frames could be received.
To correct this, the recommended settings from the reference register sets
are used for all modes. Since this shifts the start by one line, the Bayer
pattern also changes, which has also been corrected.

Fixes: 7be91e02ed57 ("media: i2c: Add ov08d10 camera sensor driver")
Cc: stable@vger.kernel.org
Signed-off-by: Matthias Fend <matthias.fend@emfend.at>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/i2c/ov08d10.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/media/i2c/ov08d10.c
+++ b/drivers/media/i2c/ov08d10.c
@@ -217,7 +217,7 @@ static const struct ov08d10_reg lane_2_m
 	{0x9a, 0x30},
 	{0xa8, 0x02},
 	{0xfd, 0x02},
-	{0xa1, 0x01},
+	{0xa1, 0x00},
 	{0xa2, 0x09},
 	{0xa3, 0x9c},
 	{0xa5, 0x00},
@@ -335,7 +335,7 @@ static const struct ov08d10_reg lane_2_m
 	{0x9a, 0x30},
 	{0xa8, 0x02},
 	{0xfd, 0x02},
-	{0xa1, 0x09},
+	{0xa1, 0x08},
 	{0xa2, 0x09},
 	{0xa3, 0x90},
 	{0xa5, 0x08},
@@ -467,7 +467,7 @@ static const struct ov08d10_reg lane_2_m
 	{0xaa, 0xd0},
 	{0xab, 0x06},
 	{0xac, 0x68},
-	{0xa1, 0x09},
+	{0xa1, 0x04},
 	{0xa2, 0x04},
 	{0xa3, 0xc8},
 	{0xa5, 0x04},
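Review bot: all three register-table hunks change the same register 0xa1, but the first two move it by one (0x01 -> 0x00, 0x09 -> 0x08) while this one moves it by five (0x09 -> 0x04); the commit message speaks of a one-line shift, so a sentence on why the binning mode lands on 0x04 (presumably the reference register set for that mode) would save reviewers from suspecting a typo.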
@@ -615,8 +615,8 @@ static const struct ov08d10_lane_cfg lan
 static u32 ov08d10_get_format_code(struct ov08d10 *ov08d10)
 {
 	static const u32 codes[2][2] = {
-		{ MEDIA_BUS_FMT_SGRBG10_1X10, MEDIA_BUS_FMT_SRGGB10_1X10},
-		{ MEDIA_BUS_FMT_SBGGR10_1X10, MEDIA_BUS_FMT_SGBRG10_1X10},
+		{ MEDIA_BUS_FMT_SBGGR10_1X10, MEDIA_BUS_FMT_SGBRG10_1X10 },
+		{ MEDIA_BUS_FMT_SGRBG10_1X10, MEDIA_BUS_FMT_SRGGB10_1X10 },
 	};
 
 	return codes[ov08d10->vflip->val][ov08d10->hflip->val];
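Review bot: the table is indexed codes[vflip][hflip], and the hunk swaps the rows rather than the columns, which is consistent with a one-line vertical shift changing the starting row colour (BGGR <-> GRBG, GBRG <-> RGGB) while leaving the horizontal phase alone; confirm that any enum_mbus_code or default-format code elsewhere in the driver (not in the hunk) is derived from this function rather than hard-coded, or it will now disagree with what the sensor emits.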




* [PATCH 6.6 321/474] media: omap3isp: drop the use count of v4l2 pipeline
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Haoxiang Li, Sakari Ailus,
	Mauro Carvalho Chehab

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>

commit 9da49bd9d4224035cff39b40d7395310abb10201 upstream.

In isp_video_open(), drop the use count of the v4l2 pipeline if
vb2_queue_init() fails.

Fixes: 8fd390b89cc8 ("media: Split v4l2_pipeline_pm_use into v4l2_pipeline_pm_{get, put}")
Cc: stable@vger.kernel.org
Signed-off-by: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/platform/ti/omap3isp/ispvideo.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/media/platform/ti/omap3isp/ispvideo.c
+++ b/drivers/media/platform/ti/omap3isp/ispvideo.c
@@ -1324,6 +1324,7 @@ static int isp_video_open(struct file *f
 
 	ret = vb2_queue_init(&handle->queue);
 	if (ret < 0) {
+		v4l2_pipeline_pm_put(&video->video.entity);
 		omap3isp_put(video->isp);
 		goto done;
 	}
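Review bot: the unwind order in an error path should be the reverse of acquisition, and the hunk puts v4l2_pipeline_pm_put() before omap3isp_put(), which matches a get sequence of omap3isp_get() followed by v4l2_pipeline_pm_get(); confirm that order in isp_video_open() above (not shown) and that the `done:` label does not also drop the pipeline use count, which would turn this fix into a double put.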




* [PATCH 6.6 322/474] spi: dln2: fix controller deregistration
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Laurentiu Palcu, Johan Hovold,
	Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit c353020fbfa8514ee91a6de2d88de4e5edca5803 upstream.

Make sure to deregister the controller before disabling it to allow
SPI device drivers to do I/O during deregistration.

Fixes: 3d8c0d749da3 ("spi: add support for DLN-2 USB-SPI adapter")
Cc: stable@vger.kernel.org	# 4.0
Cc: Laurentiu Palcu <laurentiu.palcu@intel.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260409120419.388546-12-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-dln2.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-dln2.c
+++ b/drivers/spi/spi-dln2.c
@@ -761,7 +761,7 @@ static int dln2_spi_probe(struct platfor
 	pm_runtime_set_active(&pdev->dev);
 	pm_runtime_enable(&pdev->dev);
 
-	ret = devm_spi_register_controller(&pdev->dev, host);
+	ret = spi_register_controller(host);
 	if (ret < 0) {
 		dev_err(&pdev->dev, "Failed to register host\n");
 		goto exit_register;
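Review bot: after this change the exit_register label (not shown) is reached only when registration itself failed, so it must not call spi_unregister_controller(); conversely, any failure later in dln2_spi_probe() now needs that explicit unregister, since devm no longer does it.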
@@ -786,10 +786,16 @@ static void dln2_spi_remove(struct platf
 	struct spi_controller *host = platform_get_drvdata(pdev);
 	struct dln2_spi *dln2 = spi_controller_get_devdata(host);
 
+	spi_controller_get(host);
+
+	spi_unregister_controller(host);
+
 	pm_runtime_disable(&pdev->dev);
 
 	if (dln2_spi_enable(dln2, false) < 0)
 		dev_err(&pdev->dev, "Failed to disable SPI module\n");
+
+	spi_controller_put(host);
 }
 
 #ifdef CONFIG_PM_SLEEP
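Review bot: unregistering before pm_runtime_disable() and dln2_spi_enable(dln2, false) is what lets SPI device drivers behind this USB adapter do I/O in their remove paths, as the commit message states; the spi_controller_get()/spi_controller_put() pair keeps `dln2` (the devdata) valid for the dln2_spi_enable() call that follows unregistration. Since the disable failure is only logged, the function has a single exit and the put is always reached.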




* [PATCH 6.6 323/474] spi: s3c64xx: fix controller deregistration
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit c1446b61e472da24d1547525193467b4bea4a7cb upstream.

Make sure to deregister the controller before releasing underlying
resources like DMA during driver unbind.

Fixes: 91800f0e9005 ("spi/s3c64xx: Use managed registration")
Cc: stable@vger.kernel.org	# 3.13: 76fbad410c0f
Cc: stable@vger.kernel.org	# 3.13
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-12-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-s3c64xx.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-s3c64xx.c
+++ b/drivers/spi/spi-s3c64xx.c
@@ -1305,7 +1305,7 @@ static int s3c64xx_spi_probe(struct plat
 	       S3C64XX_SPI_INT_TX_OVERRUN_EN | S3C64XX_SPI_INT_TX_UNDERRUN_EN,
 	       sdd->regs + S3C64XX_SPI_INT_EN);
 
-	ret = devm_spi_register_controller(&pdev->dev, host);
+	ret = spi_register_controller(host);
 	if (ret != 0) {
 		dev_err(&pdev->dev, "cannot register SPI host: %d\n", ret);
 		goto err_pm_put;
@@ -1336,6 +1336,8 @@ static void s3c64xx_spi_remove(struct pl
 
 	pm_runtime_get_sync(&pdev->dev);
 
+	spi_unregister_controller(host);
+
 	writel(0, sdd->regs + S3C64XX_SPI_INT_EN);
 
 	pm_runtime_put_noidle(&pdev->dev);
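Review bot: unlike the sibling patches in this series, this remove hunk adds no spi_controller_get()/spi_controller_put() pair, yet `sdd` (the controller devdata) is dereferenced after spi_unregister_controller() at `writel(0, sdd->regs + S3C64XX_SPI_INT_EN)`; that is only safe if the controller was allocated with devm_spi_alloc_host(), in which case unregistration does not drop the last reference. The extra stable prerequisite 76fbad410c0f in the Cc line presumably provides exactly that, so the backport should verify it was applied first.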




* [PATCH 6.6 324/474] spi: fsl-espi: fix controller deregistration
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Heiner Kallweit, Johan Hovold,
	Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit e506a700a7ad229f5c8f01f4b8350119cccb4158 upstream.

Make sure to deregister the controller before disabling runtime PM
(which can leave the controller disabled) to allow SPI device drivers to
do I/O during deregistration.

Fixes: e9abb4db8d10 ("spi: fsl-espi: add runtime PM")
Cc: stable@vger.kernel.org	# 4.3
Cc: Heiner Kallweit <hkallweit1@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260409120419.388546-14-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-fsl-espi.c |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-fsl-espi.c
+++ b/drivers/spi/spi-fsl-espi.c
@@ -720,7 +720,7 @@ static int fsl_espi_probe(struct device
 	pm_runtime_enable(dev);
 	pm_runtime_get_sync(dev);
 
-	ret = devm_spi_register_controller(dev, host);
+	ret = spi_register_controller(host);
 	if (ret < 0)
 		goto err_pm;
 
@@ -785,7 +785,15 @@ static int of_fsl_espi_probe(struct plat
 
 static void of_fsl_espi_remove(struct platform_device *dev)
 {
+	struct spi_controller *host = platform_get_drvdata(dev);
+
+	spi_controller_get(host);
+
+	spi_unregister_controller(host);
+
 	pm_runtime_disable(&dev->dev);
+
+	spi_controller_put(host);
 }
 
 #ifdef CONFIG_PM_SLEEP
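
Review bot: the spi_controller_get()/spi_controller_put() bracket is what keeps `host` valid across pm_runtime_disable(), because for a controller allocated with spi_alloc_host() the spi_unregister_controller() call drops the controller's own reference; a one-line comment on the get() would help, since the pair otherwise looks redundant. The ordering itself is right: device drivers are detached while runtime PM is still enabled, which is the point of the fix.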



* [PATCH 6.6 325/474] spi: omap2-mcspi: fix controller deregistration
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (323 preceding siblings ...)
  2026-05-15 15:47 ` [PATCH 6.6 324/474] spi: fsl-espi: " Greg Kroah-Hartman
@ 2026-05-15 15:47 ` Greg Kroah-Hartman
  2026-05-15 15:47 ` [PATCH 6.6 326/474] spi: mtk-nor: " Greg Kroah-Hartman
                   ` (149 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit fb45f95c377e4a4bdece2c5e17643b459c9c13e7 upstream.

Make sure to deregister the controller before releasing underlying
resources like DMA during driver unbind.

Fixes: ccdc7bf92573 ("SPI: omap2_mcspi driver")
Cc: stable@vger.kernel.org	# 2.6.23
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-6-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-omap2-mcspi.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-omap2-mcspi.c
+++ b/drivers/spi/spi-omap2-mcspi.c
@@ -1541,7 +1541,7 @@ static int omap2_mcspi_probe(struct plat
 	if (status < 0)
 		goto disable_pm;
 
-	status = devm_spi_register_controller(&pdev->dev, ctlr);
+	status = spi_register_controller(ctlr);
 	if (status < 0)
 		goto disable_pm;
 
@@ -1562,11 +1562,17 @@ static void omap2_mcspi_remove(struct pl
 	struct spi_controller *ctlr = platform_get_drvdata(pdev);
 	struct omap2_mcspi *mcspi = spi_controller_get_devdata(ctlr);
 
+	spi_controller_get(ctlr);
+
+	spi_unregister_controller(ctlr);
+
 	omap2_mcspi_release_dma(ctlr);
 
 	pm_runtime_dont_use_autosuspend(mcspi->dev);
 	pm_runtime_put_sync(mcspi->dev);
 	pm_runtime_disable(&pdev->dev);
+
+	spi_controller_put(ctlr);
 }
 
 /* work with hotplug and coldplug */
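
Review bot: `mcspi` is obtained from spi_controller_get_devdata(ctlr) before the unregister, so the new get()/put() bracket is what keeps that devdata memory valid through omap2_mcspi_release_dma() and the pm_runtime_* calls; a short comment on the spi_controller_get() line would make that dependency explicit. Keeping pm_runtime_put_sync() after the unregister also leaves the controller powered while device drivers run their remove callbacks, which is the intended order.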



* [PATCH 6.6 326/474] spi: mtk-nor: fix controller deregistration
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (324 preceding siblings ...)
  2026-05-15 15:47 ` [PATCH 6.6 325/474] spi: omap2-mcspi: " Greg Kroah-Hartman
@ 2026-05-15 15:47 ` Greg Kroah-Hartman
  2026-05-15 15:47 ` [PATCH 6.6 327/474] spi: sh-hspi: " Greg Kroah-Hartman
                   ` (148 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Chuanhong Guo, Johan Hovold,
	Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 76336f24934621db286cabb20b483773ee01dcaa upstream.

Make sure to deregister the controller before disabling underlying
resources like clocks during driver unbind.

Fixes: 881d1ee9fe81 ("spi: add support for mediatek spi-nor controller")
Cc: stable@vger.kernel.org	# 5.7
Cc: Chuanhong Guo <gch981213@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-3-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-mtk-nor.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-mtk-nor.c
+++ b/drivers/spi/spi-mtk-nor.c
@@ -914,7 +914,7 @@ static int mtk_nor_probe(struct platform
 	pm_runtime_enable(&pdev->dev);
 	pm_runtime_get_noresume(&pdev->dev);
 
-	ret = devm_spi_register_controller(&pdev->dev, ctlr);
+	ret = spi_register_controller(ctlr);
 	if (ret < 0)
 		goto err_probe;
 
@@ -940,6 +940,8 @@ static void mtk_nor_remove(struct platfo
 	struct spi_controller *ctlr = dev_get_drvdata(&pdev->dev);
 	struct mtk_nor *sp = spi_controller_get_devdata(ctlr);
 
+	spi_unregister_controller(ctlr);
+
 	pm_runtime_disable(&pdev->dev);
 	pm_runtime_set_suspended(&pdev->dev);
 	pm_runtime_dont_use_autosuspend(&pdev->dev);
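
Review bot: unlike the sibling fixes in this series there is no spi_controller_get()/put() bracket around spi_unregister_controller(), while `sp` is still fetched from the controller's devdata above. That is only safe if ctlr was allocated with devm_spi_alloc_host(), where the unregister does not drop the last reference; if it came from spi_alloc_host(), `sp` must not be touched after the unregister. Please state which allocator is in use, either in the commit message or in a comment here.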



* [PATCH 6.6 327/474] spi: sh-hspi: fix controller deregistration
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (325 preceding siblings ...)
  2026-05-15 15:47 ` [PATCH 6.6 326/474] spi: mtk-nor: " Greg Kroah-Hartman
@ 2026-05-15 15:47 ` Greg Kroah-Hartman
  2026-05-15 15:47 ` [PATCH 6.6 328/474] spi: fsl: " Greg Kroah-Hartman
                   ` (147 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit e63982e6392e45a6ecd68d6c317a081cc8e70143 upstream.

Make sure to deregister the controller before releasing underlying
resources like clocks during driver unbind.

Fixes: 49e599b8595f ("spi: sh-hspi: control spi clock more correctly")
Cc: stable@vger.kernel.org	# 3.4
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-13-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-sh-hspi.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/spi/spi-sh-hspi.c
+++ b/drivers/spi/spi-sh-hspi.c
@@ -258,9 +258,9 @@ static int hspi_probe(struct platform_de
 	ctlr->transfer_one_message = hspi_transfer_one_message;
 	ctlr->bits_per_word_mask = SPI_BPW_MASK(8);
 
-	ret = devm_spi_register_controller(&pdev->dev, ctlr);
+	ret = spi_register_controller(ctlr);
 	if (ret < 0) {
-		dev_err(&pdev->dev, "devm_spi_register_controller error.\n");
+		dev_err(&pdev->dev, "failed to register controller\n");
 		goto error2;
 	}
 
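
Review bot: the rewritten dev_err() drops the function name but still does not print the error code; "failed to register controller: %d\n", ret would make a probe failure diagnosable from the log alone. Also, since registration is no longer managed, confirm that `error2` remains the right label for every failure reachable after this point, or that none exists.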
@@ -280,9 +280,15 @@ static void hspi_remove(struct platform_
 {
 	struct hspi_priv *hspi = platform_get_drvdata(pdev);
 
+	spi_controller_get(hspi->ctlr);
+
+	spi_unregister_controller(hspi->ctlr);
+
 	pm_runtime_disable(&pdev->dev);
 
 	clk_put(hspi->clk);
+
+	spi_controller_put(hspi->ctlr);
 }
 
 static const struct of_device_id hspi_of_match[] = {



* [PATCH 6.6 328/474] spi: fsl: fix controller deregistration
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (326 preceding siblings ...)
  2026-05-15 15:47 ` [PATCH 6.6 327/474] spi: sh-hspi: " Greg Kroah-Hartman
@ 2026-05-15 15:47 ` Greg Kroah-Hartman
  2026-05-15 15:47 ` [PATCH 6.6 329/474] spi: bcmbca-hsspi: " Greg Kroah-Hartman
                   ` (146 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Heiner Kallweit, Johan Hovold,
	Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 9b7abfed4c3754062d1f3ffd452e65a38667f586 upstream.

Make sure to deregister the controller before releasing underlying
resources like DMA during driver unbind.

Fixes: 4178b6b1b595 ("spi: fsl-(e)spi: migrate to using devm_ functions to simplify cleanup")
Cc: stable@vger.kernel.org	# 4.3
Cc: Heiner Kallweit <hkallweit1@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410064749.496888-1-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-fsl-spi.c |   14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-fsl-spi.c
+++ b/drivers/spi/spi-fsl-spi.c
@@ -615,7 +615,7 @@ static struct spi_controller *fsl_spi_pr
 
 	mpc8xxx_spi_write_reg(&reg_base->mode, regval);
 
-	ret = devm_spi_register_controller(dev, host);
+	ret = spi_register_controller(host);
 	if (ret < 0)
 		goto err_probe;
 
@@ -706,7 +706,13 @@ static void of_fsl_spi_remove(struct pla
 	struct spi_controller *host = platform_get_drvdata(ofdev);
 	struct mpc8xxx_spi *mpc8xxx_spi = spi_controller_get_devdata(host);
 
+	spi_controller_get(host);
+
+	spi_unregister_controller(host);
+
 	fsl_spi_cpm_free(mpc8xxx_spi);
+
+	spi_controller_put(host);
 }
 
 static struct platform_driver of_fsl_spi_driver = {
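
Review bot: `mpc8xxx_spi` is taken from the controller's devdata before spi_unregister_controller(), so the get()/put() bracket is what keeps it valid for fsl_spi_cpm_free(); a comment on the spi_controller_get() line stating that would stop a later cleanup from "simplifying" the pair away.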
@@ -752,7 +758,13 @@ static void plat_mpc8xxx_spi_remove(stru
 	struct spi_controller *host = platform_get_drvdata(pdev);
 	struct mpc8xxx_spi *mpc8xxx_spi = spi_controller_get_devdata(host);
 
+	spi_controller_get(host);
+
+	spi_unregister_controller(host);
+
 	fsl_spi_cpm_free(mpc8xxx_spi);
+
+	spi_controller_put(host);
 }
 
 MODULE_ALIAS("platform:mpc8xxx_spi");
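
Review bot: of_fsl_spi_remove() and plat_mpc8xxx_spi_remove() now carry an identical get/unregister/cpm_free/put sequence; a small shared helper (for example a static fsl_spi_remove_common(host)) would keep the teardown order in one place so the two cannot drift apart on the next fix.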



* [PATCH 6.6 329/474] spi: bcmbca-hsspi: fix controller deregistration
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (327 preceding siblings ...)
  2026-05-15 15:47 ` [PATCH 6.6 328/474] spi: fsl: " Greg Kroah-Hartman
@ 2026-05-15 15:47 ` Greg Kroah-Hartman
  2026-05-15 15:47 ` [PATCH 6.6 330/474] spi: coldfire-qspi: " Greg Kroah-Hartman
                   ` (145 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, William Zhang, Johan Hovold,
	Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit c3d97c3320b9a1ebbd6119857341be034f7b3efc upstream.

Make sure to deregister the controller before disabling underlying
resources like interrupts during driver unbind to allow SPI drivers to
do I/O during deregistration.

Note that clocks were also disabled before the recent commit
e532e21a246d ("spi: bcm63xx-hsspi: Simplify clock handling with
devm_clk_get_enabled()").

Fixes: a38a2233f23b ("spi: bcmbca-hsspi: Add driver for newer HSSPI controller")
Cc: stable@vger.kernel.org	# 6.3: deb269e0394f
Cc: stable@vger.kernel.org	# 6.3
Cc: William Zhang <william.zhang@broadcom.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260409120419.388546-8-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-bcmbca-hsspi.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-bcmbca-hsspi.c
+++ b/drivers/spi/spi-bcmbca-hsspi.c
@@ -557,7 +557,7 @@ static int bcmbca_hsspi_probe(struct pla
 	}
 
 	/* register and we are done */
-	ret = devm_spi_register_controller(dev, host);
+	ret = spi_register_controller(host);
 	if (ret)
 		goto out_sysgroup_disable;
 
@@ -581,6 +581,8 @@ static void bcmbca_hsspi_remove(struct p
 	struct spi_controller *host = platform_get_drvdata(pdev);
 	struct bcmbca_hsspi *bs = spi_controller_get_devdata(host);
 
+	spi_unregister_controller(host);
+
 	/* reset the hardware and block queue progress */
 	__raw_writel(0, bs->regs + HSSPI_INT_MASK_REG);
 	clk_disable_unprepare(bs->pll_clk);
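
Review bot: `bs` is dereferenced after spi_unregister_controller() (bs->regs, bs->pll_clk) without the spi_controller_get()/put() bracket the sibling patches use, so this relies on `host` having been allocated with devm_spi_alloc_host(); if that is the case a comment saying so would help, otherwise the bracket is needed here too. The hardware reset and clock disable now run only after device drivers are gone, which is the intended order.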



* [PATCH 6.6 330/474] spi: coldfire-qspi: fix controller deregistration
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (328 preceding siblings ...)
  2026-05-15 15:47 ` [PATCH 6.6 329/474] spi: bcmbca-hsspi: " Greg Kroah-Hartman
@ 2026-05-15 15:47 ` Greg Kroah-Hartman
  2026-05-15 15:47 ` [PATCH 6.6 331/474] spi: sprd: " Greg Kroah-Hartman
                   ` (144 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Steven King, Johan Hovold,
	Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit e7c510e192ff2a1264d999575eea39a506424264 upstream.

Make sure to deregister the controller before disabling underlying
resources like clocks (via runtime pm) during driver unbind.

Fixes: 34b8c6617366 ("spi: Add Freescale/Motorola Coldfire QSPI driver")
Cc: stable@vger.kernel.org	# 2.6.34
Cc: Steven King <sfking@fdwdc.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260409120419.388546-11-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-coldfire-qspi.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/spi/spi-coldfire-qspi.c
+++ b/drivers/spi/spi-coldfire-qspi.c
@@ -410,9 +410,9 @@ static int mcfqspi_probe(struct platform
 	platform_set_drvdata(pdev, host);
 	pm_runtime_enable(&pdev->dev);
 
-	status = devm_spi_register_controller(&pdev->dev, host);
+	status = spi_register_controller(host);
 	if (status) {
-		dev_dbg(&pdev->dev, "devm_spi_register_controller failed\n");
+		dev_dbg(&pdev->dev, "failed to register controller\n");
 		goto fail1;
 	}
 
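
Review bot: a failed controller registration is a fatal probe error but is still logged with dev_dbg(), so it is invisible in a default log; since the line is being rewritten anyway, dev_err() including the `status` value would be more useful.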
@@ -436,11 +436,17 @@ static void mcfqspi_remove(struct platfo
 	struct spi_controller *host = platform_get_drvdata(pdev);
 	struct mcfqspi *mcfqspi = spi_controller_get_devdata(host);
 
+	spi_controller_get(host);
+
+	spi_unregister_controller(host);
+
 	pm_runtime_disable(&pdev->dev);
 	/* disable the hardware (set the baud rate to 0) */
 	mcfqspi_wr_qmr(mcfqspi, MCFQSPI_QMR_MSTR);
 
 	mcfqspi_cs_teardown(mcfqspi);
+
+	spi_controller_put(host);
 }
 
 #ifdef CONFIG_PM_SLEEP
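
Review bot: mcfqspi_wr_qmr() writes a controller register after pm_runtime_disable() without first resuming the device; if the runtime-suspend callback gates the controller clock, that write is unclocked whenever the controller happens to be suspended at unbind. The same pattern is being fixed for cadence in 339/474 with a pm_runtime_get_sync() before the disabling write; worth checking whether coldfire needs the same treatment.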



* [PATCH 6.6 331/474] spi: sprd: fix controller deregistration
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (329 preceding siblings ...)
  2026-05-15 15:47 ` [PATCH 6.6 330/474] spi: coldfire-qspi: " Greg Kroah-Hartman
@ 2026-05-15 15:47 ` Greg Kroah-Hartman
  2026-05-15 15:47 ` [PATCH 6.6 332/474] spi: rspi: " Greg Kroah-Hartman
                   ` (143 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Lanqing Liu, Johan Hovold,
	Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 123d17dbc5f07059752fa5e616385ca29a8f935a upstream.

Make sure to deregister the controller before disabling underlying
resources like clocks during driver unbind.

Note that the controller is suspended before disabling and releasing
resources since commit de082d866cce ("spi: sprd: Add the SPI irq
function for the SPI DMA mode") which avoids issues like unclocked
accesses but prevents SPI device drivers from doing I/O during
deregistration.

Fixes: e7d973a31c24 ("spi: sprd: Add SPI driver for Spreadtrum SC9860")
Cc: stable@vger.kernel.org	# 4.20
Cc: Lanqing Liu <lanqing.liu@spreadtrum.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-17-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-sprd.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/spi/spi-sprd.c
+++ b/drivers/spi/spi-sprd.c
@@ -978,7 +978,7 @@ static int sprd_spi_probe(struct platfor
 		goto err_rpm_put;
 	}
 
-	ret = devm_spi_register_controller(&pdev->dev, sctlr);
+	ret = spi_register_controller(sctlr);
 	if (ret)
 		goto err_rpm_put;
 
@@ -1010,7 +1010,9 @@ static void sprd_spi_remove(struct platf
 	if (ret < 0)
 		dev_err(ss->dev, "failed to resume SPI controller\n");
 
-	spi_controller_suspend(sctlr);
+	spi_controller_get(sctlr);
+
+	spi_unregister_controller(sctlr);
 
 	if (ret >= 0) {
 		if (ss->dma.enable)
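
Review bot: dropping spi_controller_suspend() loses nothing, since spi_unregister_controller() stops and destroys the message queue itself for queued controllers. When the resume above has failed (ret < 0), though, deregistration still proceeds and device drivers may issue I/O to a suspended controller from their remove callbacks; that is pre-existing and hard to avoid, but a comment marking the ret < 0 path as best-effort would help the next reader.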
@@ -1019,6 +1021,8 @@ static void sprd_spi_remove(struct platf
 	}
 	pm_runtime_put_noidle(&pdev->dev);
 	pm_runtime_disable(&pdev->dev);
+
+	spi_controller_put(sctlr);
 }
 
 static int __maybe_unused sprd_spi_runtime_suspend(struct device *dev)



* [PATCH 6.6 332/474] spi: rspi: fix controller deregistration
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (330 preceding siblings ...)
  2026-05-15 15:47 ` [PATCH 6.6 331/474] spi: sprd: " Greg Kroah-Hartman
@ 2026-05-15 15:47 ` Greg Kroah-Hartman
  2026-05-15 15:47 ` [PATCH 6.6 333/474] spi: img-spfi: " Greg Kroah-Hartman
                   ` (142 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jingoo Han, Johan Hovold, Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 9944fa6726afb1e6eb7e2212764e7da0c97f2dcc upstream.

Make sure to deregister the controller before releasing underlying
resources like DMA during driver unbind.

Fixes: 9e03d05eee4c ("spi: rcar: Use devm_spi_register_master()")
Cc: stable@vger.kernel.org	# 3.14
Cc: Jingoo Han <jg1.han@samsung.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-11-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-rspi.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/spi/spi-rspi.c
+++ b/drivers/spi/spi-rspi.c
@@ -1176,8 +1176,14 @@ static void rspi_remove(struct platform_
 {
 	struct rspi_data *rspi = platform_get_drvdata(pdev);
 
+	spi_controller_get(rspi->ctlr);
+
+	spi_unregister_controller(rspi->ctlr);
+
 	rspi_release_dma(rspi->ctlr);
 	pm_runtime_disable(&pdev->dev);
+
+	spi_controller_put(rspi->ctlr);
 }
 
 static const struct spi_ops rspi_ops = {
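
Review bot: rspi_release_dma() and pm_runtime_disable() now run after spi_unregister_controller() with the get()/put() bracket holding rspi->ctlr alive; if, as is usual, `rspi` is the controller's devdata, the put() must remain the last statement of the function, as it is here. A comment on the get() line noting that it guards `rspi` would make the constraint visible.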
@@ -1387,9 +1393,9 @@ static int rspi_probe(struct platform_de
 	if (ret < 0)
 		dev_warn(&pdev->dev, "DMA not available, using PIO\n");
 
-	ret = devm_spi_register_controller(&pdev->dev, ctlr);
+	ret = spi_register_controller(ctlr);
 	if (ret < 0) {
-		dev_err(&pdev->dev, "devm_spi_register_controller error.\n");
+		dev_err(&pdev->dev, "failed to register controller\n");
 		goto error3;
 	}
 
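
Review bot: same remark as for sh-hspi: the new message omits the error code; printing `ret` in the dev_err() would make registration failures diagnosable without a debugger.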



* [PATCH 6.6 333/474] spi: img-spfi: fix controller deregistration
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (331 preceding siblings ...)
  2026-05-15 15:47 ` [PATCH 6.6 332/474] spi: rspi: " Greg Kroah-Hartman
@ 2026-05-15 15:47 ` Greg Kroah-Hartman
  2026-05-15 15:47 ` [PATCH 6.6 334/474] spi: imx: fix runtime pm leak on probe deferral Greg Kroah-Hartman
                   ` (141 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Andrew Bresticker, Johan Hovold,
	Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit fc3a83b0d9c16b941c9028f5a8db9541dce4ddf2 upstream.

Make sure to deregister the controller before disabling and releasing
underlying resources like clocks and DMA during driver unbind.

Fixes: deba25800a12 ("spi: Add driver for IMG SPFI controller")
Cc: stable@vger.kernel.org	# 3.19
Cc: Andrew Bresticker <abrestic@chromium.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260409120419.388546-16-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-img-spfi.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-img-spfi.c
+++ b/drivers/spi/spi-img-spfi.c
@@ -644,7 +644,7 @@ static int img_spfi_probe(struct platfor
 	pm_runtime_set_active(spfi->dev);
 	pm_runtime_enable(spfi->dev);
 
-	ret = devm_spi_register_controller(spfi->dev, host);
+	ret = spi_register_controller(host);
 	if (ret)
 		goto disable_pm;
 
@@ -670,6 +670,10 @@ static void img_spfi_remove(struct platf
 	struct spi_controller *host = platform_get_drvdata(pdev);
 	struct img_spfi *spfi = spi_controller_get_devdata(host);
 
+	spi_controller_get(host);
+
+	spi_unregister_controller(host);
+
 	if (spfi->tx_ch)
 		dma_release_channel(spfi->tx_ch);
 	if (spfi->rx_ch)
@@ -680,6 +684,8 @@ static void img_spfi_remove(struct platf
 		clk_disable_unprepare(spfi->spfi_clk);
 		clk_disable_unprepare(spfi->sys_clk);
 	}
+
+	spi_controller_put(host);
 }
 
 #ifdef CONFIG_PM
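
Review bot: the spi_controller_get() in the previous hunk and this spi_controller_put() are separated by the DMA and clock teardown, so the pairing is not visible in one place; a comment at the get() saying it keeps `spfi` (the controller's devdata) valid until the put() after the clock disables would document why the put() must stay last.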



* [PATCH 6.6 334/474] spi: imx: fix runtime pm leak on probe deferral
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (332 preceding siblings ...)
  2026-05-15 15:47 ` [PATCH 6.6 333/474] spi: img-spfi: " Greg Kroah-Hartman
@ 2026-05-15 15:47 ` Greg Kroah-Hartman
  2026-05-15 15:47 ` [PATCH 6.6 335/474] spi: orion: fix runtime pm leak on unbind Greg Kroah-Hartman
                   ` (140 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Sascha Hauer, Johan Hovold,
	Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit a1d50a37d3b1df84f536a982f692371039df4a48 upstream.

Make sure to balance the runtime PM usage count before returning on
probe failure (e.g. probe deferral) so that the controller can be
suspended when a driver is later bound.

Fixes: 43b6bf406cd0 ("spi: imx: fix runtime pm support for !CONFIG_PM")
Cc: stable@vger.kernel.org	# 5.10
Cc: Sascha Hauer <s.hauer@pengutronix.de>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260421125632.1537235-1-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-imx.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/spi/spi-imx.c
+++ b/drivers/spi/spi-imx.c
@@ -1881,6 +1881,7 @@ out_register_controller:
 out_runtime_pm_put:
 	pm_runtime_dont_use_autosuspend(spi_imx->dev);
 	pm_runtime_disable(spi_imx->dev);
+	pm_runtime_put_noidle(spi_imx->dev);
 	pm_runtime_set_suspended(&pdev->dev);
 
 	clk_disable_unprepare(spi_imx->clk_ipg);
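
Review bot: placing pm_runtime_put_noidle() after pm_runtime_disable() means the put only balances the usage count and cannot trigger a runtime suspend on hardware whose clocks are disabled a few lines later, and the pm_runtime_set_suspended() that follows then records the matching state. Since out_runtime_pm_put appears to be reached by falling through from out_register_controller, every failure after runtime PM was enabled now takes this balanced path.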



* [PATCH 6.6 335/474] spi: orion: fix runtime pm leak on unbind
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (333 preceding siblings ...)
  2026-05-15 15:47 ` [PATCH 6.6 334/474] spi: imx: fix runtime pm leak on probe deferral Greg Kroah-Hartman
@ 2026-05-15 15:47 ` Greg Kroah-Hartman
  2026-05-15 15:47 ` [PATCH 6.6 336/474] spi: orion: fix clock imbalance on registration failure Greg Kroah-Hartman
                   ` (139 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Russell King, Johan Hovold,
	Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 97b17dd8266d2e26d9ee3c75a0fa34ecde6944f0 upstream.

Make sure to balance the runtime PM usage count on driver unbind so that
the controller can be suspended when a driver is rebound.

Also restore the autosuspend setting.

This issue was flagged by Sashiko when reviewing a controller
deregistration fix.

Fixes: 5c6786945b4e ("spi: spi-orion: add runtime PM support")
Cc: stable@vger.kernel.org	# 3.17
Cc: Russell King <rmk+kernel@arm.linux.org.uk>
Link: https://sashiko.dev/#/patchset/20260414134319.978196-1-johan%40kernel.org?part=6
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260421130211.1537628-2-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-orion.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/spi/spi-orion.c
+++ b/drivers/spi/spi-orion.c
@@ -814,6 +814,9 @@ static void orion_spi_remove(struct plat
 
 	spi_unregister_controller(host);
 	pm_runtime_disable(&pdev->dev);
+	pm_runtime_put_noidle(&pdev->dev);
+	pm_runtime_set_suspended(&pdev->dev);
+	pm_runtime_dont_use_autosuspend(&pdev->dev);
 }
 
 MODULE_ALIAS("platform:" DRIVER_NAME);
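
Review bot: the three new lines mirror the probe error path added in 336/474 (disable, put_noidle, set_suspended, dont_use_autosuspend), so probe failure and unbind now leave the device in the same runtime-PM state; a small helper shared by both paths would keep them from diverging later.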



* [PATCH 6.6 336/474] spi: orion: fix clock imbalance on registration failure
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (334 preceding siblings ...)
  2026-05-15 15:47 ` [PATCH 6.6 335/474] spi: orion: fix runtime pm leak on unbind Greg Kroah-Hartman
@ 2026-05-15 15:47 ` Greg Kroah-Hartman
  2026-05-15 15:47 ` [PATCH 6.6 337/474] spi: mpc52xx: fix use-after-free on unbind Greg Kroah-Hartman
                   ` (138 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Russell King, Johan Hovold,
	Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 443cde0dc59c5d154156ac9f27a7dadef8ebc0c2 upstream.

Make sure that the controller is not runtime suspended before disabling
clocks on probe failure.

Also restore the autosuspend setting.

Fixes: 5c6786945b4e ("spi: spi-orion: add runtime PM support")
Cc: stable@vger.kernel.org	# 3.17
Cc: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260421130211.1537628-3-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-orion.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/spi/spi-orion.c
+++ b/drivers/spi/spi-orion.c
@@ -778,6 +778,7 @@ static int orion_spi_probe(struct platfo
 	pm_runtime_set_active(&pdev->dev);
 	pm_runtime_use_autosuspend(&pdev->dev);
 	pm_runtime_set_autosuspend_delay(&pdev->dev, SPI_AUTOSUSPEND_TIMEOUT);
+	pm_runtime_get_noresume(&pdev->dev);
 	pm_runtime_enable(&pdev->dev);
 
 	status = orion_spi_reset(spi);
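
Review bot: taking pm_runtime_get_noresume() before pm_runtime_enable() holds the usage count for the rest of probe, so the core cannot runtime-suspend the controller (and its runtime-suspend callback cannot turn the clocks off) while orion_spi_reset() and registration are still using the hardware; this is correct and is what makes the pm_runtime_put_autosuspend() on the success path in the next hunk necessary.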
@@ -789,10 +790,15 @@ static int orion_spi_probe(struct platfo
 	if (status < 0)
 		goto out_rel_pm;
 
+	pm_runtime_put_autosuspend(&pdev->dev);
+
 	return status;
 
 out_rel_pm:
 	pm_runtime_disable(&pdev->dev);
+	pm_runtime_put_noidle(&pdev->dev);
+	pm_runtime_set_suspended(&pdev->dev);
+	pm_runtime_dont_use_autosuspend(&pdev->dev);
 out_rel_axi_clk:
 	clk_disable_unprepare(spi->axi_clk);
 out_rel_clk:
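
Review bot: on the failure path the order disable, put_noidle, set_suspended, dont_use_autosuspend drops the usage count taken by the new get_noresume() without invoking the suspend callback, and records a state consistent with the clocks being disabled at out_rel_axi_clk/out_rel_clk below; the success path's put_autosuspend() relies on the earlier pm_runtime_set_active(), so both paths are balanced.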



* [PATCH 6.6 337/474] spi: mpc52xx: fix use-after-free on unbind
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (335 preceding siblings ...)
  2026-05-15 15:47 ` [PATCH 6.6 336/474] spi: orion: fix clock imbalance on registration failure Greg Kroah-Hartman
@ 2026-05-15 15:47 ` Greg Kroah-Hartman
  2026-05-15 15:47 ` [PATCH 6.6 338/474] spi: cadence: fix controller deregistration Greg Kroah-Hartman
                   ` (137 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Pei Xiao, Johan Hovold, Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 706b3dc2ac7a998c55e14b3fd2e8f934c367e6e0 upstream.

The state machine work is scheduled by the interrupt handler and
therefore needs to be cancelled after disabling interrupts to avoid a
potential use-after-free.

Fixes: 984836621aad ("spi: mpc52xx: Add cancel_work_sync before module remove")
Cc: stable@vger.kernel.org
Cc: Pei Xiao <xiaopei01@kylinos.cn>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260414134319.978196-5-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-mpc52xx.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-mpc52xx.c
+++ b/drivers/spi/spi-mpc52xx.c
@@ -519,10 +519,11 @@ static void mpc52xx_spi_remove(struct pl
 	struct mpc52xx_spi *ms = spi_master_get_devdata(master);
 	int i;
 
-	cancel_work_sync(&ms->work);
 	free_irq(ms->irq0, ms);
 	free_irq(ms->irq1, ms);
 
+	cancel_work_sync(&ms->work);
+
 	for (i = 0; i < ms->gpio_cs_count; i++)
 		gpiod_put(ms->gpio_cs[i]);
 
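
Review bot: moving cancel_work_sync() after the two free_irq() calls is the right order: free_irq() waits for any running handler and guarantees no further invocations, so once it returns the handler can no longer queue ms->work and the cancel cannot race with a re-schedule. A one-line comment above cancel_work_sync() explaining why it must follow free_irq() would keep the next cleanup from reordering it again.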



* [PATCH 6.6 338/474] spi: cadence: fix controller deregistration
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (336 preceding siblings ...)
  2026-05-15 15:47 ` [PATCH 6.6 337/474] spi: mpc52xx: fix use-after-free on unbind Greg Kroah-Hartman
@ 2026-05-15 15:47 ` Greg Kroah-Hartman
  2026-05-15 15:47 ` [PATCH 6.6 339/474] spi: cadence: fix unclocked access on unbind Greg Kroah-Hartman
                   ` (136 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Harini Katakam, Johan Hovold,
	Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 666fa7e9ca98e71c880086ca24147ae843f1ed6e upstream.

Make sure to deregister the controller before disabling underlying
resources like clocks during driver unbind.

Fixes: c474b3866546 ("spi: Add driver for Cadence SPI controller")
Cc: stable@vger.kernel.org	# 3.16
Cc: Harini Katakam <harinik@xilinx.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260414134319.978196-2-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-cadence.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-cadence.c
+++ b/drivers/spi/spi-cadence.c
@@ -686,6 +686,10 @@ static void cdns_spi_remove(struct platf
 	struct spi_controller *ctlr = platform_get_drvdata(pdev);
 	struct cdns_spi *xspi = spi_controller_get_devdata(ctlr);
 
+	spi_controller_get(ctlr);
+
+	spi_unregister_controller(ctlr);
+
 	cdns_spi_write(xspi, CDNS_SPI_ER, CDNS_SPI_ER_DISABLE);
 
 	if (!spi_controller_is_target(ctlr)) {
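
Review bot: with spi_unregister_controller() moved to the top, the CDNS_SPI_ER disable write and the runtime-PM block now run on a deregistered controller, and `xspi` (devdata fetched before the unregister) is kept valid only by the new spi_controller_get(); a comment there would help. Note that the register write still happens without a runtime resume, which is what 339/474 addresses.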
@@ -693,7 +697,7 @@ static void cdns_spi_remove(struct platf
 		pm_runtime_set_suspended(&pdev->dev);
 	}
 
-	spi_unregister_controller(ctlr);
+	spi_controller_put(ctlr);
 }
 
 /**
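
Review bot: replacing the trailing spi_unregister_controller() with spi_controller_put() is the required counterpart to the get() added at the top of the function; since the two are separated by the pm_runtime block, a comment at the get() pointing to this put() would make the pairing obvious.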



* [PATCH 6.6 339/474] spi: cadence: fix unclocked access on unbind
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (337 preceding siblings ...)
  2026-05-15 15:47 ` [PATCH 6.6 338/474] spi: cadence: fix controller deregistration Greg Kroah-Hartman
@ 2026-05-15 15:47 ` Greg Kroah-Hartman
  2026-05-15 15:47 ` [PATCH 6.6 340/474] drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure Greg Kroah-Hartman
                   ` (135 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Shubhrajyoti Datta, Johan Hovold,
	Mark Brown

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 5b1689a41f02955c5361944f748a4812a6ff9307 upstream.

Make sure that the controller is runtime resumed before disabling it
during driver unbind to avoid unclocked register access and unbalanced
clock disable.

Also restore the autosuspend setting.

This issue was flagged by Sashiko when reviewing a controller
deregistration fix.

Fixes: d36ccd9f7ea4 ("spi: cadence: Runtime pm adaptation")
Cc: stable@vger.kernel.org	# 4.7
Cc: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
Link: https://sashiko.dev/#/patchset/20260414134319.978196-1-johan%40kernel.org?part=1
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260421123615.1533617-2-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-cadence.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-cadence.c
+++ b/drivers/spi/spi-cadence.c
@@ -685,16 +685,23 @@ static void cdns_spi_remove(struct platf
 {
 	struct spi_controller *ctlr = platform_get_drvdata(pdev);
 	struct cdns_spi *xspi = spi_controller_get_devdata(ctlr);
+	int ret = 0;
+
+	if (!spi_controller_is_target(ctlr))
+		ret = pm_runtime_get_sync(&pdev->dev);
 
 	spi_controller_get(ctlr);
 
 	spi_unregister_controller(ctlr);
 
-	cdns_spi_write(xspi, CDNS_SPI_ER, CDNS_SPI_ER_DISABLE);
+	if (ret >= 0)
+		cdns_spi_write(xspi, CDNS_SPI_ER, CDNS_SPI_ER_DISABLE);
 
 	if (!spi_controller_is_target(ctlr)) {
 		pm_runtime_disable(&pdev->dev);
 		pm_runtime_set_suspended(&pdev->dev);
+		pm_runtime_put_noidle(&pdev->dev);
+		pm_runtime_dont_use_autosuspend(&pdev->dev);
 	}
 
 	spi_controller_put(ctlr);
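Review bot: a failed pm_runtime_get_sync() is handled silently here: the `ret >= 0` guard correctly skips the CDNS_SPI_ER disable write (the block would be unclocked), but nothing is logged, so a dev_warn() in that path would make an unbind that leaves the enable bit set visible in dmesg. The pm_runtime_put_noidle() is needed even on failure because pm_runtime_get_sync() increments the usage count regardless of its return value, so keeping it unconditional inside the `!spi_controller_is_target()` block is right; a short comment saying so would stop a future cleanup from making it conditional on ret. For target controllers ret stays 0 and no runtime PM call is made, matching the previous behaviour.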




* [PATCH 6.6 340/474] drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (338 preceding siblings ...)
  2026-05-15 15:47 ` [PATCH 6.6 339/474] spi: cadence: fix unclocked access on unbind Greg Kroah-Hartman
@ 2026-05-15 15:47 ` Greg Kroah-Hartman
  2026-05-15 15:47 ` [PATCH 6.6 341/474] drm/amdkfd: Add upper bound check for num_of_nodes Greg Kroah-Hartman
                   ` (134 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Amir Shetaia, Christian König,
	Alex Deucher

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Amir Shetaia <Amir.Shetaia@amd.com>

commit ad52d61d82181dbdb7f05826de38352d5e550cc2 upstream.

KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE
but not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated
VRAM with stale data from prior use observable by compute kernels.

The GEM ioctl path already sets VRAM_CLEARED for all userspace
allocations via amdgpu_gem_create_ioctl() and
amdgpu_mode_dumb_create(). The KFD path was missing this flag,
allowing stale page table remnants to leak into user buffers.

This causes crashes in RCCL P2P transport where non-zero data in
ptrExchange/head/tail fields corrupts the protocol handshake.

Signed-off-by: Amir Shetaia <Amir.Shetaia@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
@@ -1665,7 +1665,8 @@ int amdgpu_amdkfd_gpuvm_alloc_memory_of_
 			alloc_domain = AMDGPU_GEM_DOMAIN_GTT;
 			alloc_flags = 0;
 		} else {
-			alloc_flags = AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE;
+			alloc_flags = AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE |
+				AMDGPU_GEM_CREATE_VRAM_CLEARED;
 			alloc_flags |= (flags & KFD_IOC_ALLOC_MEM_FLAGS_PUBLIC) ?
 			AMDGPU_GEM_CREATE_CPU_ACCESS_REQUIRED : 0;
 		}
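Review bot: a comment beside the new flag would help explain why both AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE and AMDGPU_GEM_CREATE_VRAM_CLEARED are needed: the release-time wipe only covers memory freed through this path, while the clear on allocation also covers VRAM previously used by other in-kernel allocations (the commit message names page tables), so neither flag makes the other redundant. The GTT branch above still leaves alloc_flags at 0; whether that path relies on the system-memory allocator for zeroing is worth stating in the same comment so the two branches are understood together.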




* [PATCH 6.6 341/474] drm/amdkfd: Add upper bound check for num_of_nodes
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (339 preceding siblings ...)
  2026-05-15 15:47 ` [PATCH 6.6 340/474] drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure Greg Kroah-Hartman
@ 2026-05-15 15:47 ` Greg Kroah-Hartman
  2026-05-15 15:47 ` [PATCH 6.6 342/474] drm/amdgpu: Add bounds checking to ib_{get,set}_value Greg Kroah-Hartman
                   ` (133 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Harish Kasiviswanathan, Alysa Liu,
	Alex Deucher

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alysa Liu <Alysa.Liu@amd.com>

commit 74b73fa56a395d46745e4f245225963e9f8be7f1 upstream.

drm/amdkfd: Add upper bound check for num_of_nodes
in kfd_ioctl_get_process_apertures_new.

Reviewed-by: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
Signed-off-by: Alysa Liu <Alysa.Liu@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 98ff46a5ea090c14d2cdb4f5b993b05d74f3949f)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdkfd/kfd_chardev.c  |    3 +++
 drivers/gpu/drm/amd/amdkfd/kfd_priv.h     |    1 +
 drivers/gpu/drm/amd/amdkfd/kfd_topology.c |   11 +++++++++++
 3 files changed, 15 insertions(+)

--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
@@ -784,6 +784,9 @@ static int kfd_ioctl_get_process_apertur
 		goto out_unlock;
 	}
 
+	if (args->num_of_nodes > kfd_topology_get_num_devices())
+		return -EINVAL;
+
 	/* Fill in process-aperture information for all available
 	 * nodes, but not more than args->num_of_nodes as that is
 	 * the amount of memory allocated by user
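Review bot: the new check returns -EINVAL directly while the line just above it uses `goto out_unlock`, so it is worth confirming that no lock is held at this point; the goto in the visible context sits inside a block that has just closed, so the lock is presumably taken only within that branch, but a one-line comment (`/* no lock held yet */`) would save the next reader the same check. Capping args->num_of_nodes at kfd_topology_get_num_devices() here, before the allocation the comment below refers to, is the right place for it: the user-supplied count sizes the kernel buffer, so bounding it limits the allocation as well as the later fill loop.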
--- a/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
@@ -1145,6 +1145,7 @@ static inline struct kfd_node *kfd_node_
 	return NULL;
 }
 int kfd_topology_enum_kfd_devices(uint8_t idx, struct kfd_node **kdev);
+uint32_t kfd_topology_get_num_devices(void);
 int kfd_numa_node_to_apic_id(int numa_node_id);
 
 /* Interrupts */
--- a/drivers/gpu/drm/amd/amdkfd/kfd_topology.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_topology.c
@@ -2177,6 +2177,17 @@ int kfd_topology_remove_device(struct kf
 	return res;
 }
 
+uint32_t kfd_topology_get_num_devices(void)
+{
+	uint32_t num_devices;
+
+	down_read(&topology_lock);
+	num_devices = sys_props.num_devices;
+	up_read(&topology_lock);
+
+	return num_devices;
+}
+
 /* kfd_topology_enum_kfd_devices - Enumerate through all devices in KFD
  *	topology. If GPU device is found @idx, then valid kfd_dev pointer is
  *	returned through @kdev
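Review bot: kfd_topology_get_num_devices() is missing the kernel-doc block that its neighbour kfd_topology_enum_kfd_devices() carries in the trailing context; document that it returns a snapshot taken under the read side of topology_lock and that the value may change once the lock is dropped, which is fine for its use as an allocation bound but matters if someone later uses it to size an index range.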




* [PATCH 6.6 342/474] drm/amdgpu: Add bounds checking to ib_{get,set}_value
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (340 preceding siblings ...)
  2026-05-15 15:47 ` [PATCH 6.6 341/474] drm/amdkfd: Add upper bound check for num_of_nodes Greg Kroah-Hartman
@ 2026-05-15 15:47 ` Greg Kroah-Hartman
  2026-05-15 15:47 ` [PATCH 6.6 343/474] drm/amdgpu/vcn4: Prevent OOB reads when parsing IB Greg Kroah-Hartman
                   ` (132 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Benjamin Cheng, Christian König,
	Ruijing Dong, Alex Deucher

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Benjamin Cheng <benjamin.cheng@amd.com>

commit 66085e206431ef88ce36f53c1f53d570790ccc9e upstream.

The uvd/vce/vcn code accesses the IB at predefined offsets without
checking that the IB is large enough. Check the bounds here. The caller
is responsible for making sure it can handle arbitrary return values.

Also make the idx a uint32_t to prevent overflows causing the condition
to fail.

Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h |   11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h
@@ -440,15 +440,18 @@ void amdgpu_debugfs_ring_init(struct amd
 
 int amdgpu_ring_init_mqd(struct amdgpu_ring *ring);
 
-static inline u32 amdgpu_ib_get_value(struct amdgpu_ib *ib, int idx)
+static inline u32 amdgpu_ib_get_value(struct amdgpu_ib *ib, uint32_t idx)
 {
-	return ib->ptr[idx];
+	if (idx < ib->length_dw)
+		return ib->ptr[idx];
+	return 0;
 }
 
-static inline void amdgpu_ib_set_value(struct amdgpu_ib *ib, int idx,
+static inline void amdgpu_ib_set_value(struct amdgpu_ib *ib, uint32_t idx,
 				       uint32_t value)
 {
-	ib->ptr[idx] = value;
+	if (idx < ib->length_dw)
+		ib->ptr[idx] = value;
 }
 
 int amdgpu_ib_get(struct amdgpu_device *adev, struct amdgpu_vm *vm,
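Review bot: the `return 0` on an out-of-range read is a sentinel that overlaps a legitimate dword value, so a comment stating that callers must treat 0 as possibly meaning out of bounds (as the commit message says) belongs right above it. Changing idx to uint32_t also means callers that still pass an int index (the vcn_v4_0 helpers in the following patch compute `idx + 6` and friends with int) get an implicit conversion in which any negative value becomes a large unsigned one and is rejected by `idx < ib->length_dw`; that is the desired effect, but worth noting in the same comment so nobody changes the parameter back to int.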




* [PATCH 6.6 343/474] drm/amdgpu/vcn4: Prevent OOB reads when parsing IB
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (341 preceding siblings ...)
  2026-05-15 15:47 ` [PATCH 6.6 342/474] drm/amdgpu: Add bounds checking to ib_{get,set}_value Greg Kroah-Hartman
@ 2026-05-15 15:47 ` Greg Kroah-Hartman
  2026-05-15 15:47 ` [PATCH 6.6 344/474] drm/amdgpu/vce: Prevent partial address patches Greg Kroah-Hartman
                   ` (131 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Benjamin Cheng, Christian König,
	Ruijing Dong, Alex Deucher

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Benjamin Cheng <benjamin.cheng@amd.com>

commit 2444eb0ec8283f4a3845eb7febad378476e1ba3c upstream.

Rewrite the IB parsing to use amdgpu_ib_get_value() which handles the
bounds checks.

Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com>
Acked-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c |   23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
@@ -1755,9 +1755,10 @@ out:
 static int vcn_v4_0_enc_find_ib_param(struct amdgpu_ib *ib, uint32_t id, int start)
 {
 	int i;
+	uint32_t len;
 
-	for (i = start; i < ib->length_dw && ib->ptr[i] >= 8; i += ib->ptr[i] / 4) {
-		if (ib->ptr[i + 1] == id)
+	for (i = start; (len = amdgpu_ib_get_value(ib, i)) >= 8; i += len / 4) {
+		if (amdgpu_ib_get_value(ib, i + 1) == id)
 			return i;
 	}
 	return -1;
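Review bot: loop termination now rests on amdgpu_ib_get_value() returning 0 past ib->length_dw, which fails `len >= 8`, while `len >= 8` also guarantees `i += len / 4` advances by at least two dwords, so there is no infinite loop; a comment on the for statement saying that termination relies on the 0 sentinel would protect against a later change to the accessor. Style point: `i` and `start` are still int while `len` is uint32_t, so `i += len / 4` mixes signedness; making `i` and `start` uint32_t (keeping the -1 return as the not-found marker) would align the loop with the accessor's index type.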
@@ -1768,8 +1769,6 @@ static int vcn_v4_0_ring_patch_cs_in_pla
 					   struct amdgpu_ib *ib)
 {
 	struct amdgpu_ring *ring = amdgpu_job_ring(job);
-	struct amdgpu_vcn_decode_buffer *decode_buffer;
-	uint64_t addr;
 	uint32_t val;
 	int idx = 0, sidx;
 
@@ -1780,20 +1779,22 @@ static int vcn_v4_0_ring_patch_cs_in_pla
 	while ((idx = vcn_v4_0_enc_find_ib_param(ib, RADEON_VCN_ENGINE_INFO, idx)) >= 0) {
 		val = amdgpu_ib_get_value(ib, idx + 2); /* RADEON_VCN_ENGINE_TYPE */
 		if (val == RADEON_VCN_ENGINE_TYPE_DECODE) {
-			decode_buffer = (struct amdgpu_vcn_decode_buffer *)&ib->ptr[idx + 6];
+			uint32_t valid_buf_flag = amdgpu_ib_get_value(ib, idx + 6);
+			uint64_t msg_buffer_addr;
 
-			if (!(decode_buffer->valid_buf_flag & 0x1))
+			if (!(valid_buf_flag & 0x1))
 				return 0;
 
-			addr = ((u64)decode_buffer->msg_buffer_address_hi) << 32 |
-				decode_buffer->msg_buffer_address_lo;
-			return vcn_v4_0_dec_msg(p, job, addr);
+			msg_buffer_addr = ((u64)amdgpu_ib_get_value(ib, idx + 7)) << 32 |
+				amdgpu_ib_get_value(ib, idx + 8);
+			return vcn_v4_0_dec_msg(p, job, msg_buffer_addr);
 		} else if (val == RADEON_VCN_ENGINE_TYPE_ENCODE) {
 			sidx = vcn_v4_0_enc_find_ib_param(ib, RENCODE_IB_PARAM_SESSION_INIT, idx);
-			if (sidx >= 0 && ib->ptr[sidx + 2] == RENCODE_ENCODE_STANDARD_AV1)
+			if (sidx >= 0 &&
+			    amdgpu_ib_get_value(ib, sidx + 2) == RENCODE_ENCODE_STANDARD_AV1)
 				return vcn_v4_0_limit_sched(p, job);
 		}
-		idx += ib->ptr[idx] / 4;
+		idx += amdgpu_ib_get_value(ib, idx) / 4;
 	}
 	return 0;
 }
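Review bot: if `idx + 7` or `idx + 8` is past the end of the IB, amdgpu_ib_get_value() returns 0 and msg_buffer_addr is assembled from a mix of real and zero halves before being handed to vcn_v4_0_dec_msg(); that function looks the address up in the VM mappings, so a bogus address is rejected there rather than dereferenced, but an explicit `idx + 8 >= ib->length_dw` check before assembling the address would reject the truncated packet up front with a clearer error. The valid_buf_flag path is already safe as written: an out-of-range read yields 0, the `& 0x1` test fails and the function returns 0.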



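As an added illustration of the bounds-checked accessor that patches 342 and 343 introduce (this is example code written for this review, not amdgpu code): a stand-in `struct ib`, an accessor that returns 0 for out-of-range indices, and the parameter walk from vcn_v4_0_enc_find_ib_param() rewritten on top of it, run over a constructed IB whose last packet overstates its length. The names (`ib_get_value`, `ib_find_param`, `ib_first_truncated_packet`) and the packet layout (dword 0 = byte length, dword 1 = id) are assumptions for the demonstration, not amdgpu identifiers.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for struct amdgpu_ib: a dword array plus its length. */
struct ib {
	const uint32_t *ptr;
	uint32_t length_dw;
};

/* Bounds-checked read in the style of the patched amdgpu_ib_get_value():
 * an out-of-range index yields 0, and callers must tolerate that value. */
static uint32_t ib_get_value(const struct ib *ib, uint32_t idx)
{
	if (idx < ib->length_dw)
		return ib->ptr[idx];
	return 0;
}

/* Walk length-prefixed packets (dword 0 = byte length, dword 1 = id) and
 * return the index of the first packet carrying `id`, or -1.
 * Termination: a read past length_dw returns 0, which fails `len >= 8`;
 * `len >= 8` also guarantees `i += len / 4` advances by at least 2. */
static int ib_find_param(const struct ib *ib, uint32_t id, uint32_t start)
{
	uint32_t i, len;

	for (i = start; (len = ib_get_value(ib, i)) >= 8; i += len / 4) {
		if (ib_get_value(ib, i + 1) == id)
			return (int)i;
	}
	return -1;
}

/* Validator: index of the first packet whose claimed length runs past the
 * end of the IB, or -1 if every packet fits. The accessor hides the overrun
 * (the walk above stops cleanly); this reports it so it can be logged. */
static int ib_first_truncated_packet(const struct ib *ib)
{
	uint32_t i, len;

	for (i = 0; (len = ib_get_value(ib, i)) >= 8; i += len / 4) {
		if ((uint64_t)i + len / 4 > ib->length_dw)
			return (int)i;
	}
	return -1;
}

/* Constructed IB (not a real command stream): two well-formed packets and a
 * third whose header claims 64 bytes although only 3 dwords remain. */
static const uint32_t sample_ib[] = {
	12, 0x1, 0xaaaa,	/* packet at 0: 12 bytes, id 0x1 */
	8,  0x2,		/* packet at 3: 8 bytes, id 0x2 */
	64, 0x3, 0xbbbb,	/* packet at 5: claims 64 bytes, id 0x3 */
};

static const struct ib sample = {
	.ptr = sample_ib,
	.length_dw = sizeof(sample_ib) / sizeof(sample_ib[0]),
};

/* Look up `id` in the constructed IB starting from dword 0. */
static int find_in_sample(uint32_t id)
{
	return ib_find_param(&sample, id, 0);
}

int main(void)
{
	printf("id 0x1 at %d, id 0x2 at %d, id 0x3 at %d, id 0x4 at %d\n",
	       find_in_sample(0x1), find_in_sample(0x2),
	       find_in_sample(0x3), find_in_sample(0x4));
	printf("first truncated packet at %d\n",
	       ib_first_truncated_packet(&sample));
	return 0;
}
```

The search for id 0x4 steps from dword 5 to dword 21, which the accessor answers with 0, so the loop ends without ever indexing past the 8-dword array; the old open-coded loop read `ib->ptr[i + 1]` with no such guard.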

* [PATCH 6.6 344/474] drm/amdgpu/vce: Prevent partial address patches
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (342 preceding siblings ...)
  2026-05-15 15:47 ` [PATCH 6.6 343/474] drm/amdgpu/vcn4: Prevent OOB reads when parsing IB Greg Kroah-Hartman
@ 2026-05-15 15:47 ` Greg Kroah-Hartman
  2026-05-15 15:47 ` [PATCH 6.6 345/474] drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg Greg Kroah-Hartman
                   ` (130 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Benjamin Cheng, Alex Deucher

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Benjamin Cheng <benjamin.cheng@amd.com>

commit de2a02cc28d6d5d37db07d00a9a684c754a5fd74 upstream.

In the case that only one of lo/hi is valid, the patching could result
in a bad address written to in FW.

Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
@@ -654,6 +654,9 @@ static int amdgpu_vce_cs_reloc(struct am
 	uint64_t addr;
 	int r;
 
+	if (lo >= ib->length_dw || hi >= ib->length_dw)
+		return -EINVAL;
+
 	if (index == 0xffffffff)
 		index = 0;
 
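Review bot: checking `lo` and `hi` with `>=` against ib->length_dw is correct for dword indices, and placing it before the `index == 0xffffffff` handling means neither half is read or patched on a bad packet. The other bounds rejections in this series log a DRM_ERROR before returning -EINVAL; adding one here would make a rejected VCE command stream diagnosable from dmesg rather than failing silently.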




* [PATCH 6.6 345/474] drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (343 preceding siblings ...)
  2026-05-15 15:47 ` [PATCH 6.6 344/474] drm/amdgpu/vce: Prevent partial address patches Greg Kroah-Hartman
@ 2026-05-15 15:47 ` Greg Kroah-Hartman
  2026-05-15 15:47 ` [PATCH 6.6 346/474] drm/amdgpu/vcn3: " Greg Kroah-Hartman
                   ` (129 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Benjamin Cheng, Christian König,
	Ruijing Dong, Alex Deucher

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Benjamin Cheng <benjamin.cheng@amd.com>

commit 0a78f2bac1424deb7c9d5e09c6b8e849d8e8b648 upstream.

Check bounds against the end of the BO whenever we access the msg.

Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c |   21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
@@ -1668,7 +1668,7 @@ static int vcn_v4_0_dec_msg(struct amdgp
 {
 	struct ttm_operation_ctx ctx = { false, false };
 	struct amdgpu_bo_va_mapping *map;
-	uint32_t *msg, num_buffers;
+	uint32_t *msg, num_buffers, len_dw;
 	struct amdgpu_bo *bo;
 	uint64_t start, end;
 	unsigned int i;
@@ -1689,6 +1689,11 @@ static int vcn_v4_0_dec_msg(struct amdgp
 		return -EINVAL;
 	}
 
+	if (end - addr < 16) {
+		DRM_ERROR("VCN messages must be at least 4 DWORDs!\n");
+		return -EINVAL;
+	}
+
 	bo->flags |= AMDGPU_GEM_CREATE_CPU_ACCESS_REQUIRED;
 	amdgpu_bo_placement_from_domain(bo, bo->allowed_domains);
 	r = ttm_bo_validate(&bo->tbo, &bo->placement, &ctx);
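Review bot: `end - addr < 16` is evaluated in uint64_t (both are declared uint64_t in the first hunk), so it depends on the earlier mapping check having already guaranteed addr < end; otherwise the subtraction would wrap and the test would pass. The `return -EINVAL` in the leading context suggests that check exists, but a comment tying the two together would help. The constant 16 is four dwords, matching the header read below (msg[0..3]); writing it as `4 * sizeof(uint32_t)` would make the check and the error string agree by construction.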
@@ -1705,8 +1710,8 @@ static int vcn_v4_0_dec_msg(struct amdgp
 
 	msg = ptr + addr - start;
 
-	/* Check length */
 	if (msg[1] > end - addr) {
+		DRM_ERROR("VCN message header does not fit in BO!\n");
 		r = -EINVAL;
 		goto out;
 	}
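Review bot: this test bounds msg[1] (the claimed byte length) only from above; there is no lower bound here, and the code relies on the later `6 + num_buffers * 4 > len_dw` test to reject CREATE messages whose claimed length is shorter than their own header, while non-CREATE messages only ever read msg[0..3], which the 16-byte check covers. That is sound but spread over three places, so a comment at this point (in place of the removed `/* Check length */`) explaining what the upper bound protects would help.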
@@ -1714,7 +1719,16 @@ static int vcn_v4_0_dec_msg(struct amdgp
 	if (msg[3] != RDECODE_MSG_CREATE)
 		goto out;
 
+	len_dw = msg[1] / 4;
 	num_buffers = msg[2];
+
+	/* Verify that all indices fit within the claimed length. Each index is 4 DWORDs */
+	if (num_buffers > len_dw || 6 + num_buffers * 4 > len_dw) {
+		DRM_ERROR("VCN message has too many buffers!\n");
+		r = -EINVAL;
+		goto out;
+	}
+
 	for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) {
 		uint32_t offset, size, *create;
 
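Review bot: the order of the two clauses matters and should be documented: `num_buffers > len_dw` is what keeps `num_buffers * 4` from wrapping in 32-bit arithmetic, because len_dw is at most 2^30 (msg[1] is a uint32_t divided by 4), so once the first clause passes the product stays below 2^32 and the second test is exact. Swapping the clauses or dropping the first would reintroduce a wrap. With both in place, every descriptor dword read by the loop below (`msg[6 + 4 * i + 3]` at most) lies below len_dw, which the previous check bounded by `end - addr`.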
@@ -1724,7 +1738,8 @@ static int vcn_v4_0_dec_msg(struct amdgp
 		offset = msg[1];
 		size = msg[2];
 
-		if (offset + size > end) {
+		if (size < 4 || offset + size > end - addr) {
+			DRM_ERROR("VCN message buffer exceeds BO bounds!\n");
 			r = -EINVAL;
 			goto out;
 		}
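Review bot: `offset + size` is computed in uint32_t (both are declared `uint32_t offset, size, *create;` in the context) before being compared with the uint64_t `end - addr`, so the sum can wrap to a small value and pass the test even though `create = ptr + addr + offset - start` then points far outside the BO. Evaluating it as `(u64)offset + size > end - addr`, or with check_add_overflow(), closes that gap; `size < 4` correctly guarantees that `create[0]` lies inside the buffer once the sum is right.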




* [PATCH 6.6 346/474] drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (344 preceding siblings ...)
  2026-05-15 15:47 ` [PATCH 6.6 345/474] drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg Greg Kroah-Hartman
@ 2026-05-15 15:47 ` Greg Kroah-Hartman
  2026-05-15 15:47 ` [PATCH 6.6 347/474] drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs() Greg Kroah-Hartman
                   ` (128 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Benjamin Cheng, Christian König,
	Ruijing Dong, Alex Deucher

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Benjamin Cheng <benjamin.cheng@amd.com>

commit b193019860d61e92da395eae2011f2f6716b182f upstream.

Check bounds against the end of the BO whenever we access the msg.

Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c |   23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

--- a/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
@@ -1789,7 +1789,7 @@ static int vcn_v3_0_dec_msg(struct amdgp
 {
 	struct ttm_operation_ctx ctx = { false, false };
 	struct amdgpu_bo_va_mapping *map;
-	uint32_t *msg, num_buffers;
+	uint32_t *msg, num_buffers, len_dw;
 	struct amdgpu_bo *bo;
 	uint64_t start, end;
 	unsigned int i;
@@ -1810,6 +1810,11 @@ static int vcn_v3_0_dec_msg(struct amdgp
 		return -EINVAL;
 	}
 
+	if (end - addr < 16) {
+		DRM_ERROR("VCN messages must be at least 4 DWORDs!\n");
+		return -EINVAL;
+	}
+
 	bo->flags |= AMDGPU_GEM_CREATE_CPU_ACCESS_REQUIRED;
 	amdgpu_bo_placement_from_domain(bo, bo->allowed_domains);
 	r = ttm_bo_validate(&bo->tbo, &bo->placement, &ctx);
@@ -1826,8 +1831,8 @@ static int vcn_v3_0_dec_msg(struct amdgp
 
 	msg = ptr + addr - start;
 
-	/* Check length */
 	if (msg[1] > end - addr) {
+		DRM_ERROR("VCN message header does not fit in BO!\n");
 		r = -EINVAL;
 		goto out;
 	}
@@ -1835,7 +1840,16 @@ static int vcn_v3_0_dec_msg(struct amdgp
 	if (msg[3] != RDECODE_MSG_CREATE)
 		goto out;
 
+	len_dw = msg[1] / 4;
 	num_buffers = msg[2];
+
+	/* Verify that all indices fit within the claimed length. Each index is 4 DWORDs */
+	if (num_buffers > len_dw || 6 + num_buffers * 4 > len_dw) {
+		DRM_ERROR("VCN message has too many buffers!\n");
+		r = -EINVAL;
+		goto out;
+	}
+
 	for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) {
 		uint32_t offset, size, *create;
 
@@ -1845,14 +1859,15 @@ static int vcn_v3_0_dec_msg(struct amdgp
 		offset = msg[1];
 		size = msg[2];
 
-		if (offset + size > end) {
+		if (size < 4 || offset + size > end - addr) {
+			DRM_ERROR("VCN message buffer exceeds BO bounds!\n");
 			r = -EINVAL;
 			goto out;
 		}
 
 		create = ptr + addr + offset - start;
 
-		/* H246, HEVC and VP9 can run on any instance */
+		/* H264, HEVC and VP9 can run on any instance */
 		if (create[0] == 0x7 || create[0] == 0x10 || create[0] == 0x11)
 			continue;
 
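Review bot: same remark as for the vcn_v4_0 counterpart earlier in this series: `offset + size` wraps in uint32_t before the comparison with the 64-bit `end - addr`, so use `(u64)offset + size` or check_add_overflow() here too so that both decoders stay in sync. The H246 to H264 comment fix is fine to carry in the same patch.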



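As an added example for the decode-message checks in the vcn_v4_0 and vcn_v3_0 patches above (example code written for this review, not amdgpu code): a validator that performs the same sequence of checks (4-dword header, claimed length inside the BO, buffer count bounded before the multiplication, each descriptor inside the BO) over a constructed message, plus a helper showing why the per-buffer `offset + size` should be summed in 64 bits. `MSG_CREATE` is a placeholder for RDECODE_MSG_CREATE (its real value is not on this page), the BO size and message contents are constructed, and the 64-bit sum is deliberately stricter than the check in the patches.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MSG_CREATE	1u	/* placeholder for RDECODE_MSG_CREATE; value assumed */
#define BO_DWORDS	64	/* constructed BO: 64 dwords = 256 bytes */

/*
 * Check every access a decode-message parser would make against the BO.
 * `bo_bytes` is the mapped size (the role of end - start) and `addr` the
 * byte offset of the message inside it, so bo_bytes - addr is end - addr.
 * Returns 0 when the message can be parsed safely, -EINVAL otherwise.
 */
static int validate_dec_msg(const uint32_t *bo, uint64_t bo_bytes, uint64_t addr)
{
	const uint32_t *msg;
	uint32_t len_dw, num_buffers, i;
	uint64_t avail;

	if (addr % 4 || addr >= bo_bytes)
		return -EINVAL;
	avail = bo_bytes - addr;

	/* The header is 4 dwords; nothing may be read before this holds. */
	if (avail < 16)
		return -EINVAL;
	msg = bo + addr / 4;

	/* Claimed byte length must lie inside the BO. */
	if (msg[1] > avail)
		return -EINVAL;
	if (msg[3] != MSG_CREATE)
		return 0;	/* other types read nothing beyond msg[0..3] */

	len_dw = msg[1] / 4;
	num_buffers = msg[2];
	/*
	 * Clause order matters: num_buffers <= len_dw <= 2^30 bounds
	 * num_buffers * 4 below 2^32, so the second clause cannot wrap.
	 */
	if (num_buffers > len_dw || 6 + num_buffers * 4 > len_dw)
		return -EINVAL;

	for (i = 0; i < num_buffers; i++) {
		const uint32_t *desc = &msg[6 + 4 * i];
		uint32_t offset = desc[1], size = desc[2];

		/* Sum in 64 bits: a 32-bit offset + size can wrap and slip
		 * past this comparison (stricter than the page's check). */
		if (size < 4 || (uint64_t)offset + size > avail)
			return -EINVAL;
	}
	return 0;
}

/* Build a CREATE message with one buffer descriptor at dword 6 and run the
 * validator on it. All values are constructed for the demonstration. */
static int check_case(uint32_t len_bytes, uint32_t num_buffers,
		      uint32_t offset0, uint32_t size0)
{
	uint32_t bo[BO_DWORDS];

	memset(bo, 0, sizeof(bo));
	bo[1] = len_bytes;
	bo[2] = num_buffers;
	bo[3] = MSG_CREATE;
	bo[6 + 1] = offset0;
	bo[6 + 2] = size0;
	return validate_dec_msg(bo, sizeof(bo), 0);
}

/* 1 if a 32-bit offset + size passes a bound that the 64-bit sum fails. */
static int sum32_slips_past(uint32_t offset, uint32_t size, uint64_t avail)
{
	uint32_t wrapped = offset + size;	/* modular, may wrap */

	return wrapped <= avail && (uint64_t)offset + size > avail;
}

int main(void)
{
	printf("valid: %d\n", check_case(40, 1, 64, 16));
	printf("too many buffers: %d\n", check_case(40, 2, 64, 16));
	printf("count that would wrap: %d\n", check_case(40, 0x40000000u, 64, 16));
	printf("buffer past BO: %d\n", check_case(40, 1, 248, 16));
	printf("offset+size wraps: %d (32-bit sum slips: %d)\n",
	       check_case(40, 1, 0xfffffff0u, 0x20),
	       sum32_slips_past(0xfffffff0u, 0x20, 256));
	return 0;
}
```

A 40-byte message is 10 dwords: 6 header dwords plus one 4-dword descriptor, so a count of 2 fails the `6 + num_buffers * 4 > len_dw` test and a count of 0x40000000 fails the first clause before the multiplication could wrap.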

* [PATCH 6.6 347/474] drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (345 preceding siblings ...)
  2026-05-15 15:47 ` [PATCH 6.6 346/474] drm/amdgpu/vcn3: " Greg Kroah-Hartman
@ 2026-05-15 15:47 ` Greg Kroah-Hartman
  2026-05-15 15:47 ` [PATCH 6.6 348/474] drm/amdkfd: validate SVM ioctl nattr against buffer size Greg Kroah-Hartman
                   ` (127 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Zimmermann, Ashutosh Desai

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ashutosh Desai <ashutoshdesai993@gmail.com>

commit 3d4c2268bd7243c3780fe32bf24ff876da272acf upstream.

drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions
using plain integer division:

  unsigned int width  = mode_cmd->width  / (i ? info->hsub : 1);
  unsigned int height = mode_cmd->height / (i ? info->vsub : 1);

However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses
drm_format_info_plane_width/height() which round up dimensions via
DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object
size check for certain pixel format and dimension combinations.

For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the
GEM size validation path sees height=0 instead of height=1. The
expression (height - 1) then wraps to UINT_MAX as an unsigned int,
causing min_size to overflow and wrap back to a small value. A tiny
GEM object therefore passes the size guard, yet when the GPU accesses
the chroma plane it will read or write memory beyond the object's
bounds.

Fix by replacing the open-coded divisions with drm_format_info_plane_width()
and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match
the calculation already used in framebuffer_check().

Fixes: 4c3dbb2c312c ("drm: Add GEM backed framebuffer library")
Cc: stable@vger.kernel.org # v4.14+
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Signed-off-by: Ashutosh Desai <ashutoshdesai993@gmail.com>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patch.msgid.link/20260420013637.457751-1-ashutoshdesai993@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/drm_gem_framebuffer_helper.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/drm_gem_framebuffer_helper.c
+++ b/drivers/gpu/drm/drm_gem_framebuffer_helper.c
@@ -174,8 +174,8 @@ int drm_gem_fb_init_with_funcs(struct dr
 	}
 
 	for (i = 0; i < info->num_planes; i++) {
-		unsigned int width = mode_cmd->width / (i ? info->hsub : 1);
-		unsigned int height = mode_cmd->height / (i ? info->vsub : 1);
+		unsigned int width = drm_format_info_plane_width(info, mode_cmd->width, i);
+		unsigned int height = drm_format_info_plane_height(info, mode_cmd->height, i);
 		unsigned int min_size;
 
 		objs[i] = drm_gem_object_lookup(file, mode_cmd->handles[i]);
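Review bot: the replacement fixes the height=0 case because DIV_ROUND_UP() of a nonzero framebuffer height is at least 1, so the `(height - 1)` term in the min_size computation the commit message describes can no longer wrap; a short comment above the loop saying that the helpers must be used here to stay consistent with framebuffer_check() would stop someone from reintroducing the open-coded division. The helpers also handle plane 0 not being subsampled, so the `i ? ... : 1` idiom is not needed anywhere else in this loop.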



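To make the wrap the commit message describes concrete, here is an added example (written for this review, not DRM code) that computes the chroma-plane dimensions of a 1x1 NV12 framebuffer both ways and feeds them into a min_size expression of the shape described above. The reduced `struct fmt_info`, the `(height - 1) * pitch + width * cpp + offset` formula, and the pitch and offset values are assumptions for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

#define DIV_ROUND_UP(n, d)	(((n) + (d) - 1) / (d))

/* Hypothetical reduced format descriptor: subsampling factors and bytes per
 * pixel per plane. NV12 has a full-resolution luma plane and one 2x2
 * subsampled plane holding interleaved Cb/Cr pairs (2 bytes per sample). */
struct fmt_info {
	unsigned int hsub, vsub;
	unsigned int cpp[2];
	unsigned int num_planes;
};

static const struct fmt_info nv12 = {
	.hsub = 2, .vsub = 2, .cpp = { 1, 2 }, .num_planes = 2,
};

/* The open-coded division the patch removes: truncates toward zero. */
static unsigned int plane_dim_truncating(unsigned int dim, unsigned int sub, int plane)
{
	return dim / (plane ? sub : 1);
}

/* The rounding the DRM plane helpers use: never yields 0 for dim > 0. */
static unsigned int plane_dim_rounding(unsigned int dim, unsigned int sub, int plane)
{
	return plane ? DIV_ROUND_UP(dim, sub) : dim;
}

/*
 * Minimum object size for one plane in the shape the commit message
 * describes: (height - 1) rows of pitch bytes, one row of width * cpp bytes,
 * plus the plane offset. Computed in unsigned int, so height == 0 wraps.
 */
static unsigned int plane_min_size(unsigned int width, unsigned int height,
				   unsigned int pitch, unsigned int cpp,
				   unsigned int offset)
{
	return (height - 1) * pitch + width * cpp + offset;
}

/* min_size of the NV12 chroma plane for a 1x1 framebuffer with chroma
 * pitch 64 and chroma offset 64 (constructed: luma takes the first 64
 * bytes), using either dimension calculation. */
static unsigned int chroma_min_size(int rounding)
{
	unsigned int w, h;

	if (rounding) {
		w = plane_dim_rounding(1, nv12.hsub, 1);
		h = plane_dim_rounding(1, nv12.vsub, 1);
	} else {
		w = plane_dim_truncating(1, nv12.hsub, 1);
		h = plane_dim_truncating(1, nv12.vsub, 1);
	}
	return plane_min_size(w, h, 64, nv12.cpp[1], 64);
}

/* The size guard: does a GEM object of gem_size bytes satisfy min_size? */
static int passes_size_guard(unsigned int gem_size, unsigned int min_size)
{
	return gem_size >= min_size;
}

int main(void)
{
	printf("truncating: min_size %u, 64-byte object passes: %d\n",
	       chroma_min_size(0), passes_size_guard(64, chroma_min_size(0)));
	printf("rounding:   min_size %u, 64-byte object passes: %d\n",
	       chroma_min_size(1), passes_size_guard(64, chroma_min_size(1)));
	return 0;
}
```

With truncation both chroma dimensions become 0, `(0 - 1) * 64` is `UINT_MAX * 64` modulo 2^32, and adding the 64-byte offset wraps the total to exactly 0, so a 64-byte object holding only the luma row passes the guard; with rounding the chroma plane needs 66 bytes and the same object is rejected.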

* [PATCH 6.6 348/474] drm/amdkfd: validate SVM ioctl nattr against buffer size
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (346 preceding siblings ...)
  2026-05-15 15:47 ` [PATCH 6.6 347/474] drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs() Greg Kroah-Hartman
@ 2026-05-15 15:47 ` Greg Kroah-Hartman
  2026-05-15 15:47 ` [PATCH 6.6 349/474] drm/radeon: add missing revision check for CI Greg Kroah-Hartman
                   ` (126 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Amir Shetaia, Alysa Liu,
	Alex Deucher

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alysa Liu <Alysa.Liu@amd.com>

commit 045e0ff208f0838a246c10204105126611b267a1 upstream.

Validate nattr field against the buffer size, preventing
out-of-bounds buffer access via user-controlled attribute count.

Reviewed-by: Amir Shetaia <Amir.Shetaia@amd.com>
Signed-off-by: Alysa Liu <Alysa.Liu@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdkfd/kfd_chardev.c |   26 ++++++++++++++++++++++++--
 drivers/gpu/drm/amd/amdkfd/kfd_priv.h    |    3 +++
 2 files changed, 27 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
@@ -26,6 +26,7 @@
 #include <linux/err.h>
 #include <linux/fs.h>
 #include <linux/file.h>
+#include <linux/overflow.h>
 #include <linux/sched.h>
 #include <linux/slab.h>
 #include <linux/uaccess.h>
@@ -1705,6 +1706,16 @@ static int kfd_ioctl_smi_events(struct f
 	return kfd_smi_event_open(pdd->dev, &args->anon_fd);
 }
 
+static int kfd_ioctl_svm_validate(void *kdata, unsigned int usize)
+{
+	struct kfd_ioctl_svm_args *args = kdata;
+	size_t expected = struct_size(args, attrs, args->nattr);
+
+	if (expected == SIZE_MAX || usize < expected)
+		return -EINVAL;
+	return 0;
+}
+
 #if IS_ENABLED(CONFIG_HSA_AMD_SVM)
 
 static int kfd_ioctl_set_xnack_mode(struct file *filep,
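Review bot: struct_size() already returns SIZE_MAX on overflow and usize is an unsigned int, so `usize < expected` alone would reject the overflow case; the explicit `expected == SIZE_MAX` test is redundant but makes the intent clear and costs nothing, so keeping it is fine. kfd_ioctl_svm_validate() is defined outside the `#if IS_ENABLED(CONFIG_HSA_AMD_SVM)` that starts right after it, which is only warning-free because the ioctl table references it unconditionally (the AMDKFD_IOCTL_DEF_V entry in a later hunk); a comment noting that dependency would keep a future reshuffle from leaving it unused in a !CONFIG_HSA_AMD_SVM build.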
@@ -3128,7 +3139,11 @@ out:
 
 #define AMDKFD_IOCTL_DEF(ioctl, _func, _flags) \
 	[_IOC_NR(ioctl)] = {.cmd = ioctl, .func = _func, .flags = _flags, \
-			    .cmd_drv = 0, .name = #ioctl}
+			    .validate = NULL, .cmd_drv = 0, .name = #ioctl}
+
+#define AMDKFD_IOCTL_DEF_V(ioctl, _func, _validate, _flags) \
+	[_IOC_NR(ioctl)] = {.cmd = ioctl, .func = _func, .flags = _flags, \
+			    .validate = _validate, .cmd_drv = 0, .name = #ioctl}
 
 /** Ioctl table */
 static const struct amdkfd_ioctl_desc amdkfd_ioctls[] = {
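Review bot: `.validate = NULL` in AMDKFD_IOCTL_DEF is redundant, since members omitted from a designated initializer are zero-initialized, but it documents that plain entries have no validator and keeps the two macros visibly parallel, so it is a reasonable style choice. Consider a brief comment on AMDKFD_IOCTL_DEF_V stating the callback's contract: it runs on the kernel copy of the arguments after copy-in and before the handler, and a non-zero return aborts the ioctl.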
@@ -3225,7 +3240,8 @@ static const struct amdkfd_ioctl_desc am
 	AMDKFD_IOCTL_DEF(AMDKFD_IOC_SMI_EVENTS,
 			kfd_ioctl_smi_events, 0),
 
-	AMDKFD_IOCTL_DEF(AMDKFD_IOC_SVM, kfd_ioctl_svm, 0),
+	AMDKFD_IOCTL_DEF_V(AMDKFD_IOC_SVM, kfd_ioctl_svm,
+			   kfd_ioctl_svm_validate, 0),
 
 	AMDKFD_IOCTL_DEF(AMDKFD_IOC_SET_XNACK_MODE,
 			kfd_ioctl_set_xnack_mode, 0),
@@ -3347,6 +3363,12 @@ static long kfd_ioctl(struct file *filep
 		memset(kdata, 0, usize);
 	}
 
+	if (ioctl->validate) {
+		retcode = ioctl->validate(kdata, usize);
+		if (retcode)
+			goto err_i1;
+	}
+
 	retcode = func(filep, process, kdata);
 
 	if (cmd & IOC_OUT)
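Review bot: the validate hook runs after the argument buffer has been populated (the memset in the leading context is the tail of the copy-in path) and before func(), which is the only place a size-versus-count check can be made safely; `goto err_i1` on failure must release kdata the same way the other error paths do, which is not visible in this hunk and worth confirming. Since usize comes from the size field of the ioctl command, the check verifies that the user-declared nattr fits in the bytes actually copied, which is exactly what the handler indexes.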
--- a/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
@@ -1006,10 +1006,13 @@ extern struct srcu_struct kfd_processes_
 typedef int amdkfd_ioctl_t(struct file *filep, struct kfd_process *p,
 				void *data);
 
+typedef int amdkfd_ioctl_validate_t(void *kdata, unsigned int usize);
+
 struct amdkfd_ioctl_desc {
 	unsigned int cmd;
 	int flags;
 	amdkfd_ioctl_t *func;
+	amdkfd_ioctl_validate_t *validate;
 	unsigned int cmd_drv;
 	const char *name;
 };



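As an added example of the validate-hook pattern this patch introduces (example code written for this review, not amdkfd code): a reduced argument block with a user-controlled count and a flexible array, an overflow-safe size computation standing in for struct_size(), a validate callback, and a dispatcher that runs the callback on the kernel copy before the handler. `struct svm_args`, `struct attr`, the command number 0x20 and all buffer contents are constructed assumptions, not the real kfd_ioctl_svm_args layout.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical argument block: a header with a user-controlled element
 * count followed by a flexible array, the shape struct_size() expects. */
struct attr {
	uint32_t type;
	uint32_t value;
};

struct svm_args {
	uint64_t start_addr;
	uint64_t size;
	uint32_t op;
	uint32_t nattr;
	struct attr attrs[];
};

typedef int ioctl_func_t(void *kdata);
typedef int ioctl_validate_t(void *kdata, unsigned int usize);

struct ioctl_desc {
	unsigned int cmd;
	ioctl_func_t *func;
	ioctl_validate_t *validate;	/* NULL when no extra check is needed */
};

/* Overflow-safe equivalent of struct_size(): header plus nattr elements,
 * or SIZE_MAX on overflow (the value the kernel macro returns as well). */
static size_t svm_args_size(uint32_t nattr)
{
	size_t bytes;

	if (__builtin_mul_overflow((size_t)nattr, sizeof(struct attr), &bytes) ||
	    __builtin_add_overflow(bytes, offsetof(struct svm_args, attrs), &bytes))
		return SIZE_MAX;
	return bytes;
}

/* The validate hook: the declared count must fit in the bytes copied in. */
static int svm_validate(void *kdata, unsigned int usize)
{
	struct svm_args *args = kdata;
	size_t expected = svm_args_size(args->nattr);

	if (expected == SIZE_MAX || usize < expected)
		return -EINVAL;
	return 0;
}

/* Handler: sums the attribute values; only safe once svm_validate passed. */
static int svm_handler(void *kdata)
{
	struct svm_args *args = kdata;
	uint32_t i, sum = 0;

	for (i = 0; i < args->nattr; i++)
		sum += args->attrs[i].value;
	return (int)sum;
}

static const struct ioctl_desc table[] = {
	{ .cmd = 0x20, .func = svm_handler, .validate = svm_validate },
};

/* Dispatcher in the shape of the patched kfd_ioctl(): run validate on the
 * kernel copy before the handler; a non-zero result aborts the call. */
static int dispatch(unsigned int cmd, void *kdata, unsigned int usize)
{
	size_t n;

	for (n = 0; n < sizeof(table) / sizeof(table[0]); n++) {
		const struct ioctl_desc *d = &table[n];

		if (d->cmd != cmd)
			continue;
		if (d->validate) {
			int ret = d->validate(kdata, usize);

			if (ret)
				return ret;
		}
		return d->func(kdata);
	}
	return -ENOTTY;
}

/* Constructed call: a buffer whose header claims `nattr` attributes while
 * only `usize` bytes were "copied in"; four attribute slots (value 5 each)
 * physically exist behind the header. */
static int run_case(uint32_t nattr, unsigned int usize)
{
	union {
		uint64_t align;
		uint8_t bytes[sizeof(struct svm_args) + 4 * sizeof(struct attr)];
	} buf;
	struct svm_args *args = (struct svm_args *)buf.bytes;
	uint32_t i;

	memset(buf.bytes, 0, sizeof(buf.bytes));
	args->nattr = nattr;
	for (i = 0; i < 4; i++)
		args->attrs[i].value = 5;
	return dispatch(0x20, buf.bytes, usize);
}

int main(void)
{
	printf("2 attrs in 40 bytes: %d\n", run_case(2, 40));
	printf("4 attrs in 40 bytes: %d\n", run_case(4, 40));
	printf("1000 attrs in 56 bytes: %d\n", run_case(1000, 56));
	return 0;
}
```

The header is 24 bytes and each attribute 8, so a count of 4 declared in a 40-byte buffer fails validation before the handler can index past the bytes that were copied.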

* [PATCH 6.6 349/474] drm/radeon: add missing revision check for CI
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (347 preceding siblings ...)
  2026-05-15 15:47 ` [PATCH 6.6 348/474] drm/amdkfd: validate SVM ioctl nattr against buffer size Greg Kroah-Hartman
@ 2026-05-15 15:47 ` Greg Kroah-Hartman
  2026-05-15 15:47 ` [PATCH 6.6 350/474] drm/amdgpu: zero-initialize GART table on allocation Greg Kroah-Hartman
                   ` (125 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Kent Russell,
	Alex Deucher

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Deucher <alexander.deucher@amd.com>

commit 17223816498f7b117d138d18eb0eba63604dc74e upstream.

The memory level workarounds only apply to revision 0 SKUs.

Link: https://gitlab.freedesktop.org/drm/amd/-/work_items/1816
Fixes: 127e056e2a82 ("drm/radeon: fix mclk vddc configuration for cards for hawaii")
Fixes: 21b8a369046f ("drm/radeon: fix dram timing for certain hawaii boards")
Fixes: 90b2fee35cb9 ("drm/radeon: fix dpm mc init for certain hawaii boards")
Reviewed-by: Timur Kristóf <timur.kristof@gmail.com>
Reviewed-by: Kent Russell <kent.russell@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 4d8dcc14311515077062b5740f39f427075de5c9)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/radeon/ci_dpm.c |    9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/drivers/gpu/drm/radeon/ci_dpm.c
+++ b/drivers/gpu/drm/radeon/ci_dpm.c
@@ -2466,7 +2466,8 @@ static void ci_register_patching_mc_arb(
 
 	if (patch &&
 	    ((rdev->pdev->device == 0x67B0) ||
-	     (rdev->pdev->device == 0x67B1))) {
+	     (rdev->pdev->device == 0x67B1)) &&
+	    (rdev->pdev->revision == 0)) {
 		if ((memory_clock > 100000) && (memory_clock <= 125000)) {
 			tmp2 = (((0x31 * engine_clock) / 125000) - 1) & 0xff;
 			*dram_timimg2 &= ~0x00ff0000;
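Review bot: the same three-line condition (device 0x67B0 or 0x67B1 and revision 0) is now repeated in three places in this file; factoring it into a small helper such as `ci_is_hawaii_rev0(rdev)` would keep the three call sites from drifting apart if another SKU or revision needs the workaround later. The parenthesization is correct: the revision test applies to both device IDs.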
@@ -3307,7 +3308,8 @@ static int ci_populate_all_memory_levels
 	pi->smc_state_table.MemoryLevel[0].EnabledForActivity = 1;
 
 	if ((dpm_table->mclk_table.count >= 2) &&
-	    ((rdev->pdev->device == 0x67B0) || (rdev->pdev->device == 0x67B1))) {
+	    ((rdev->pdev->device == 0x67B0) || (rdev->pdev->device == 0x67B1)) &&
+	    (rdev->pdev->revision == 0)) {
 		pi->smc_state_table.MemoryLevel[1].MinVddc =
 			pi->smc_state_table.MemoryLevel[0].MinVddc;
 		pi->smc_state_table.MemoryLevel[1].MinVddcPhases =
@@ -4504,7 +4506,8 @@ static int ci_register_patching_mc_seq(s
 
 	if (patch &&
 	    ((rdev->pdev->device == 0x67B0) ||
-	     (rdev->pdev->device == 0x67B1))) {
+	     (rdev->pdev->device == 0x67B1)) &&
+	    (rdev->pdev->revision == 0)) {
 		for (i = 0; i < table->last; i++) {
 			if (table->last >= SMU7_DISCRETE_MC_REGISTER_ARRAY_SIZE)
 				return -EINVAL;




* [PATCH 6.6 350/474] drm/amdgpu: zero-initialize GART table on allocation
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Felix Kuehling, Philip Yang,
	Christian König, Alex Deucher

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Philip Yang <Philip.Yang@amd.com>

commit e6c2e6c2e1fa066968a16aca1cb66cd1bdde7741 upstream.

GART TLB is flushed after unmapping but not after mapping. Since
amdgpu_bo_create_kernel() does not zero-initialize the buffer, when a
single PTE is written the TLB may speculatively load other uninitialized
entries from the same cacheline. Those garbage entries can appear valid,
and a subsequent write to another PTE in the same cacheline may cause the
GPU to use a stale garbage PTE from the TLB.

Fix this by calling memset_io() to zero-initialize the GART table with
gart_pte_flags immediately after allocation.

Using AMDGPU_GEM_CREATE_VRAM_CLEARED, SDMA-based clear will not work
since SDMA needs GART to be initialized to work.

Suggested-by: Felix Kuehling <felix.kuehling@amd.com>
Signed-off-by: Philip Yang <Philip.Yang@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit d9af8263b82b6eaa60c5718e0c6631c5037e4b24)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c |   13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c
@@ -252,12 +252,19 @@ void amdgpu_gart_table_ram_free(struct a
  */
 int amdgpu_gart_table_vram_alloc(struct amdgpu_device *adev)
 {
+	int r;
+
 	if (adev->gart.bo != NULL)
 		return 0;
 
-	return amdgpu_bo_create_kernel(adev,  adev->gart.table_size, PAGE_SIZE,
-				       AMDGPU_GEM_DOMAIN_VRAM, &adev->gart.bo,
-				       NULL, (void *)&adev->gart.ptr);
+	r = amdgpu_bo_create_kernel(adev,  adev->gart.table_size, PAGE_SIZE,
+				    AMDGPU_GEM_DOMAIN_VRAM, &adev->gart.bo,
+				    NULL, (void *)&adev->gart.ptr);
+	if (r)
+		return r;
+
+	memset_io(adev->gart.ptr, adev->gart.gart_pte_flags, adev->gart.table_size);
+	return 0;
 }
 
 /**
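Review bot: `memset_io()` takes its fill value as an `int` and writes only the low 8 bits of it to every byte, so passing the 64-bit `adev->gart.gart_pte_flags` does not store that value in each PTE; every 8-byte entry ends up as the low byte of the flags repeated eight times, which also makes the subject line's "zero-initialize" slightly inaccurate. If the goal is only that no entry can look valid, `memset_io(adev->gart.ptr, 0, adev->gart.table_size)` states that intent plainly; if the intent is real 64-bit flag values, a loop writing `u64` entries is needed, or at least a comment spelling out that only the low byte of gart_pte_flags is relied upon here.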




* [PATCH 6.6 351/474] drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christian König, John B. Moore,
	Alex Deucher

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: John B. Moore <jbmoore61@gmail.com>

commit 7bbfb2559bcec39d1a4e1182d931a2046112c352 upstream.

Remove the BUG_ON(flags & AMDGPU_FENCE_FLAG_64BIT) assertion from
gfx_v9_0_ring_emit_fence_kiq().  The KIQ hardware supports 64-bit
fence writes; the 32-bit writeback address constraint is an
upper-layer convention, not a hardware limitation.  The check serves
no purpose and should not be present.

Found by code inspection while investigating related BUG_ON
assertions in the GFX and compute ring emission paths.

Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: John B. Moore <jbmoore61@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 1b1101a46a426bb4328116bb5273c326a2780389)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c |    3 ---
 1 file changed, 3 deletions(-)

--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
@@ -5388,9 +5388,6 @@ static void gfx_v9_0_ring_emit_fence_kiq
 {
 	struct amdgpu_device *adev = ring->adev;
 
-	/* we only allocate 32bit for each seq wb address */
-	BUG_ON(flags & AMDGPU_FENCE_FLAG_64BIT);
-
 	/* write fence seq to the "addr" */
 	amdgpu_ring_write(ring, PACKET3(PACKET3_WRITE_DATA, 3));
 	amdgpu_ring_write(ring, (WRITE_DATA_ENGINE_SEL(0) |
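Review bot: with the BUG_ON gone, a caller that does pass AMDGPU_FENCE_FLAG_64BIT to gfx_v9_0_ring_emit_fence_kiq() gets a silent 32-bit write, as far as the visible context shows (the PACKET3_WRITE_DATA packet emitted right below is unchanged), rather than a 64-bit write or a diagnostic. Since the commit message describes the 32-bit writeback address as an upper-layer convention, either a `WARN_ON_ONCE(flags & AMDGPU_FENCE_FLAG_64BIT)` or a one-line comment stating that KIQ fences are always 32-bit would keep that convention visible at the emission site.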




* [PATCH 6.6 352/474] drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christian König, John B. Moore,
	Alex Deucher

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: John B. Moore <jbmoore61@gmail.com>

commit 78d2e624fa073c14970aa097adcf3ea31c157a66 upstream.

sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions
that verify fence writeback addresses are dword-aligned.  These
assertions can be reached from unprivileged userspace via crafted
DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a
scheduler worker thread.

Replace both BUG_ON() calls with WARN_ON() to log the condition without
crashing the kernel.  A misaligned fence address at this point indicates
a driver bug, but crashing the kernel is never the correct response when
the assertion is reachable from userspace.

The CS IOCTL path is the correct place to filter invalid submissions;
the ring emission callback is too late to do anything about it.

Fixes: 2130f89ced2c ("drm/amdgpu: add SDMA v4.0 implementation (v2)")
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: John B. Moore <jbmoore61@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
@@ -841,7 +841,7 @@ static void sdma_v4_0_ring_emit_fence(st
 	/* write the fence */
 	amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_FENCE));
 	/* zero in first two bits */
-	BUG_ON(addr & 0x3);
+	WARN_ON(addr & 0x3);
 	amdgpu_ring_write(ring, lower_32_bits(addr));
 	amdgpu_ring_write(ring, upper_32_bits(addr));
 	amdgpu_ring_write(ring, lower_32_bits(seq));
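Review bot: since the commit message states this condition is reachable from unprivileged userspace via DRM_IOCTL_AMDGPU_CS, a plain `WARN_ON()` at both sites is still a kernel crash on systems with panic_on_warn set and an unbounded source of stack dumps otherwise; `WARN_ON_ONCE()` is the usual choice for a userspace-reachable path, and note that the misaligned `addr` is still emitted into the ring after the warning. The message already identifies the CS ioctl path as the right place to reject such submissions; a follow-up adding that validation would let this revert to a true never-expected-to-fire assertion.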
@@ -851,7 +851,7 @@ static void sdma_v4_0_ring_emit_fence(st
 		addr += 4;
 		amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_FENCE));
 		/* zero in first two bits */
-		BUG_ON(addr & 0x3);
+		WARN_ON(addr & 0x3);
 		amdgpu_ring_write(ring, lower_32_bits(addr));
 		amdgpu_ring_write(ring, upper_32_bits(addr));
 		amdgpu_ring_write(ring, upper_32_bits(seq));




* [PATCH 6.6 353/474] drm/amdgpu/pm: add missing revision check for CI
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Kent Russell,
	Alex Deucher

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Deucher <alexander.deucher@amd.com>

commit 2a561b361b7681509710f3cfc3d95d54c87ac69f upstream.

The ci_populate_all_memory_levels() workaround only
applies to revision 0 SKUs.

Link: https://gitlab.freedesktop.org/drm/amd/-/work_items/1816
Fixes: 9f4b35411cfe ("drm/amd/powerplay: add CI asics support to smumgr (v3)")
Reviewed-by: Timur Kristóf <timur.kristof@gmail.com>
Reviewed-by: Kent Russell <kent.russell@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 1db15ba8f72f400bbad8ae0ce24fafc43429d4bd)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
@@ -1326,8 +1326,9 @@ static int ci_populate_all_memory_levels
 
 	dev_id = adev->pdev->device;
 
-	if ((dpm_table->mclk_table.count >= 2)
-		&& ((dev_id == 0x67B0) ||  (dev_id == 0x67B1))) {
+	if ((dpm_table->mclk_table.count >= 2) &&
+	    ((dev_id == 0x67B0) ||  (dev_id == 0x67B1)) &&
+	    (adev->pdev->revision == 0)) {
 		smu_data->smc_state_table.MemoryLevel[1].MinVddci =
 				smu_data->smc_state_table.MemoryLevel[0].MinVddci;
 		smu_data->smc_state_table.MemoryLevel[1].MinMvdd =
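Review bot: style nit on the rewritten line `((dev_id == 0x67B0) ||  (dev_id == 0x67B1)) &&`: the double space after `||` is carried over from the removed line; since the line is being touched anyway, collapse it to a single space. The condition itself now matches the radeon ci_dpm.c change in patch 349 of this series.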




* [PATCH 6.6 354/474] drm/amdgpu/pm: align Hawaii mclk workaround with radeon
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Kent Russell,
	Alex Deucher

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Deucher <alexander.deucher@amd.com>

commit 1987c79b4fe5789dfa14423e78b5c25f6acf3e9d upstream.

Align the hawaii mclk workaround with radeon and windows.

Link: https://gitlab.freedesktop.org/drm/amd/-/work_items/1816
Fixes: 9f4b35411cfe ("drm/amd/powerplay: add CI asics support to smumgr (v3)")
Reviewed-by: Timur Kristóf <timur.kristof@gmail.com>
Reviewed-by: Kent Russell <kent.russell@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 9649528b637f668c5af9f2b83ca4ad8576ae2121)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
@@ -1329,10 +1329,10 @@ static int ci_populate_all_memory_levels
 	if ((dpm_table->mclk_table.count >= 2) &&
 	    ((dev_id == 0x67B0) ||  (dev_id == 0x67B1)) &&
 	    (adev->pdev->revision == 0)) {
-		smu_data->smc_state_table.MemoryLevel[1].MinVddci =
-				smu_data->smc_state_table.MemoryLevel[0].MinVddci;
-		smu_data->smc_state_table.MemoryLevel[1].MinMvdd =
-				smu_data->smc_state_table.MemoryLevel[0].MinMvdd;
+		smu_data->smc_state_table.MemoryLevel[1].MinVddc =
+				smu_data->smc_state_table.MemoryLevel[0].MinVddc;
+		smu_data->smc_state_table.MemoryLevel[1].MinVddcPhases =
+				smu_data->smc_state_table.MemoryLevel[0].MinVddcPhases;
 	}
 	smu_data->smc_state_table.MemoryLevel[0].ActivityLevel = 0x1F;
 	CONVERT_FROM_HOST_TO_SMC_US(smu_data->smc_state_table.MemoryLevel[0].ActivityLevel);
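Review bot: the commit message gives no reason why copying MinVddci/MinMvdd from level 0 to level 1 was wrong and MinVddc/MinVddcPhases is right, beyond "align with radeon and windows"; a sentence naming the symptom, or pointing at the radeon ci_populate_all_memory_levels() code this now mirrors, would help a stable reviewer judge the change. It is also worth confirming that the level-1 MinVddci and MinMvdd values that are no longer overwritten here are populated correctly by the normal per-level path.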




* [PATCH 6.6 355/474] sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ben Morris, Xin Long, Jakub Kicinski

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Morris <bmorris@anthropic.com>

commit abb5f36771cc4c05899b34000829a787572a8817 upstream.

The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with
list_for_each_entry_safe(), which caches the next entry in @tmp before
the loop body runs.  The body calls sctp_sendmsg_to_asoc(), which may
drop the socket lock inside sctp_wait_for_sndbuf().

While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the
association cached in @tmp, migrating it to a new endpoint via
sctp_sock_migrate() (list_del_init() + list_add_tail() to
newep->asocs), and optionally close the new socket which frees the
association via kfree_rcu().  The cached @tmp can also be freed by a
network ABORT for that association, processed in softirq while the
lock is dropped.

sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock
via the "sk != asoc->base.sk" and "asoc->base.dead" checks, but nothing
revalidates @tmp.  After a successful return, the iterator advances to
the stale @tmp, yielding either a use-after-free (if the peeled socket
was closed) or a list-walk onto the new endpoint's list head (type
confusion of &newep->asocs as a struct sctp_association *).

Both are reachable from CapEff=0; the type-confusion path gives
controlled indirect call via the outqueue.sched->init_sid pointer.

Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc()
returns.  @asoc is known to still be on ep->asocs at that point: the
only callers that list_del an association from ep->asocs are
sctp_association_free() (which sets asoc->base.dead) and
sctp_assoc_migrate() (which changes asoc->base.sk), and
sctp_wait_for_sndbuf() checks both under the lock before any
successful return; a tripped check propagates as err < 0 and the loop
bails before the re-derive.

The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the
loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so
the @tmp cached by list_for_each_entry_safe() still covers the
lock-held free that ba59fb027307 ("sctp: walk the list of asoc
safely") was added for.

Fixes: 4910280503f3 ("sctp: add support for snd flag SCTP_SENDALL process in sendmsg")
Cc: stable@vger.kernel.org
Signed-off-by: Ben Morris <bmorris@anthropic.com>
Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/20260508001455.3137-1-joycathacker@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sctp/socket.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -1985,6 +1985,15 @@ static int sctp_sendmsg(struct sock *sk,
 				goto out_unlock;
 
 			iov_iter_revert(&msg->msg_iter, err);
+
+			/* sctp_sendmsg_to_asoc() may have released the socket
+			 * lock (sctp_wait_for_sndbuf), during which other
+			 * associations on ep->asocs could have been peeled
+			 * off or freed.  @asoc itself is revalidated by the
+			 * base.dead and base.sk checks in sctp_wait_for_sndbuf,
+			 * so re-derive the cached cursor from it.
+			 */
+			tmp = list_next_entry(asoc, asocs);
 		}
 
 		goto out_unlock;
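Review bot: the re-derive `tmp = list_next_entry(asoc, asocs);` depends on the invariant argued in the commit message (a successful sctp_sendmsg_to_asoc() return implies @asoc is still on ep->asocs); making that explicit in code, e.g. `WARN_ON_ONCE(asoc->base.sk != sk || asoc->base.dead);` just before the assignment, would turn a future regression in sctp_wait_for_sndbuf()'s checks into a warning rather than a silent stale-cursor walk. The termination test of list_for_each_entry_safe() still works when @asoc is the last entry, because list_next_entry() then yields the list head and the loop compares `&tmp->asocs` against `&ep->asocs`.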




* [PATCH 6.6 356/474] batman-adv: fix integer overflow on buff_pos
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lyes Bourennani, Alexis Pinson,
	Sven Eckelmann

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lyes Bourennani <lbourennani@fuzzinglabs.com>

commit 0799e5943611006b346b8813c7daf7dd5aa26bfd upstream.

Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size
check is done using the int type in batadv_iv_ogm_aggr_packet whereas the
buff_pos variable uses the s16 type. This could lead to an out-of-bounds
read.

Cc: stable@vger.kernel.org
Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
Signed-off-by: Lyes Bourennani <lbourennani@fuzzinglabs.com>
Signed-off-by: Alexis Pinson <apinson@fuzzinglabs.com>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/batman-adv/bat_iv_ogm.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/batman-adv/bat_iv_ogm.c
+++ b/net/batman-adv/bat_iv_ogm.c
@@ -334,7 +334,7 @@ static void batadv_iv_ogm_send_to_if(str
 	struct batadv_priv *bat_priv = netdev_priv(hard_iface->soft_iface);
 	const char *fwd_str;
 	u8 packet_num;
-	s16 buff_pos;
+	int buff_pos;
 	struct batadv_ogm_packet *batadv_ogm_packet;
 	struct sk_buff *skb;
 	u8 *packet_pos;
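Review bot: widening `buff_pos` to `int` removes the truncation on this side, but the hunk shows only the declaration; please confirm that every place the value flows to (the size check in batadv_iv_ogm_aggr_packet() that the message says already uses `int`, and any arithmetic that adds packet lengths to `buff_pos`) does not pass through another 16-bit variable or parameter, otherwise the same wrap reappears one level down.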




* [PATCH 6.6 357/474] batman-adv: reject new tp_meter sessions during teardown
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
	Juefei Pu, Xin Liu, Luxing Yin, Jiexun Wang, Ren Wei,
	Sven Eckelmann

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiexun Wang <wangjiexun2025@gmail.com>

commit 3243543592425beec83d453793e9d27caa0d8e66 upstream.

Prevent tp_meter from starting new sender or receiver sessions after
mesh_state has left BATADV_MESH_ACTIVE.

Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Co-developed-by: Luxing Yin <tr0jan@lzu.edu.cn>
Signed-off-by: Luxing Yin <tr0jan@lzu.edu.cn>
Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/batman-adv/tp_meter.c |   17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -947,6 +947,13 @@ void batadv_tp_start(struct batadv_priv
 
 	/* look for an already existing test towards this node */
 	spin_lock_bh(&bat_priv->tp_list_lock);
+	if (atomic_read(&bat_priv->mesh_state) != BATADV_MESH_ACTIVE) {
+		spin_unlock_bh(&bat_priv->tp_list_lock);
+		batadv_tp_batctl_error_notify(BATADV_TP_REASON_DST_UNREACHABLE,
+					      dst, bat_priv, session_cookie);
+		return;
+	}
+
 	tp_vars = batadv_tp_list_find(bat_priv, dst);
 	if (tp_vars) {
 		spin_unlock_bh(&bat_priv->tp_list_lock);
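Review bot: `atomic_read(&bat_priv->mesh_state)` is not serialised by tp_list_lock, so this check only rejects sessions started after teardown has already flipped mesh_state; a session that passes the check just before the transition still has to be handled by the teardown path. That is fine as a fast-fail, but the commit message should say so. Also, BATADV_TP_REASON_DST_UNREACHABLE is a slightly misleading reason to report to batctl for "mesh not active"; if a more specific reason code is available it would be preferable.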
@@ -1329,9 +1336,12 @@ static struct batadv_tp_vars *
 batadv_tp_init_recv(struct batadv_priv *bat_priv,
 		    const struct batadv_icmp_tp_packet *icmp)
 {
-	struct batadv_tp_vars *tp_vars;
+	struct batadv_tp_vars *tp_vars = NULL;
 
 	spin_lock_bh(&bat_priv->tp_list_lock);
+	if (atomic_read(&bat_priv->mesh_state) != BATADV_MESH_ACTIVE)
+		goto out_unlock;
+
 	tp_vars = batadv_tp_list_find_session(bat_priv, icmp->orig,
 					      icmp->session);
 	if (tp_vars)
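Review bot: the new `goto out_unlock` relies on the `out_unlock` label (outside this hunk) dropping tp_list_lock and returning `tp_vars`, which is why the initialisation to NULL was added; please double-check that the code at the label does nothing that assumes a valid session (a put, or list manipulation), since this is the first early exit that reaches it with tp_vars == NULL.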
@@ -1464,6 +1474,9 @@ void batadv_tp_meter_recv(struct batadv_
 {
 	struct batadv_icmp_tp_packet *icmp;
 
+	if (atomic_read(&bat_priv->mesh_state) != BATADV_MESH_ACTIVE)
+		goto out;
+
 	icmp = (struct batadv_icmp_tp_packet *)skb->data;
 
 	switch (icmp->subtype) {
@@ -1478,6 +1491,8 @@ void batadv_tp_meter_recv(struct batadv_
 			   "Received unknown TP Metric packet type %u\n",
 			   icmp->subtype);
 	}
+
+out:
 	consume_skb(skb);
 }
 




* [PATCH 6.6 358/474] batman-adv: stop caching unowned originator pointers in BAT IV
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
	Juefei Pu, Xin Liu, Jiexun Wang, Ren Wei, Sven Eckelmann

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiexun Wang <wangjiexun2025@gmail.com>

commit f03e8583532941b07761c5429de7d50766fa3110 upstream.

BAT IV keeps the last-hop neighbor address in each neigh_node, but some
paths also cache an originator pointer derived from a temporary lookup.
That pointer is not owned by the neigh_node and may no longer refer to a
live originator entry after purge handling runs.

Stop storing the auxiliary originator pointer in the BAT IV neighbor
state. When BAT IV needs the neighbor originator data, resolve it from
the stored neighbor address and drop the reference again after use.

Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
[sven: avoid bonding logic for outgoing OGM]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/batman-adv/bat_iv_ogm.c |   83 +++++++++++++++++++++++++++++++-------------
 1 file changed, 59 insertions(+), 24 deletions(-)

--- a/net/batman-adv/bat_iv_ogm.c
+++ b/net/batman-adv/bat_iv_ogm.c
@@ -172,19 +172,12 @@ free_orig_node_hash:
 static struct batadv_neigh_node *
 batadv_iv_ogm_neigh_new(struct batadv_hard_iface *hard_iface,
 			const u8 *neigh_addr,
-			struct batadv_orig_node *orig_node,
-			struct batadv_orig_node *orig_neigh)
+			struct batadv_orig_node *orig_node)
 {
 	struct batadv_neigh_node *neigh_node;
 
 	neigh_node = batadv_neigh_node_get_or_create(orig_node,
 						     hard_iface, neigh_addr);
-	if (!neigh_node)
-		goto out;
-
-	neigh_node->orig_node = orig_neigh;
-
-out:
 	return neigh_node;
 }
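Review bot: after this change batadv_iv_ogm_neigh_new() is a straight pass-through to batadv_neigh_node_get_or_create(); unless it is being kept as an extension point, inlining it at the two call sites (batadv_iv_ogm_orig_update and batadv_iv_ogm_calc_tq) would remove an indirection with no remaining purpose.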
 
@@ -901,6 +894,31 @@ static u8 batadv_iv_orig_ifinfo_sum(stru
 }
 
 /**
+ * batadv_iv_ogm_neigh_ifinfo_sum() - Get bcast_own sum for a last-hop neighbor
+ * @bat_priv: the bat priv with all the mesh interface information
+ * @neigh_node: last-hop neighbor of an originator
+ *
+ * Return: Number of replied (rebroadcasted) OGMs for the originator currently
+ * announced by the neighbor. Returns 0 if the neighbor's originator entry is
+ * not available anymore.
+ */
+static u8 batadv_iv_ogm_neigh_ifinfo_sum(struct batadv_priv *bat_priv,
+					 const struct batadv_neigh_node *neigh_node)
+{
+	struct batadv_orig_node *orig_neigh;
+	u8 sum;
+
+	orig_neigh = batadv_orig_hash_find(bat_priv, neigh_node->addr);
+	if (!orig_neigh)
+		return 0;
+
+	sum = batadv_iv_orig_ifinfo_sum(orig_neigh, neigh_node->if_incoming);
+	batadv_orig_node_put(orig_neigh);
+
+	return sum;
+}
+
+/**
  * batadv_iv_ogm_orig_update() - use OGM to update corresponding data in an
  *  originator
  * @bat_priv: the bat priv with all the soft interface information
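Review bot: batadv_iv_ogm_neigh_ifinfo_sum() returns 0 when the neighbor's originator entry has already been purged, and that 0 then feeds the `sum_orig >= sum_neigh` route-selection comparison a few hunks down; the kernel-doc states the return value but not the consequence, so please note that a purged neighbor is treated as having rebroadcast nothing (it loses ties). Minor: the new doc says "mesh interface information" while the adjacent comment in this 6.6 tree (batadv_iv_ogm_orig_update, just below) says "soft interface information"; keep the terminology consistent within the file.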
@@ -969,17 +987,9 @@ batadv_iv_ogm_orig_update(struct batadv_
 	}
 
 	if (!neigh_node) {
-		struct batadv_orig_node *orig_tmp;
-
-		orig_tmp = batadv_iv_ogm_orig_get(bat_priv, ethhdr->h_source);
-		if (!orig_tmp)
-			goto unlock;
-
 		neigh_node = batadv_iv_ogm_neigh_new(if_incoming,
 						     ethhdr->h_source,
-						     orig_node, orig_tmp);
-
-		batadv_orig_node_put(orig_tmp);
+						     orig_node);
 		if (!neigh_node)
 			goto unlock;
 	} else {
@@ -1031,10 +1041,9 @@ batadv_iv_ogm_orig_update(struct batadv_
 	 */
 	if (router_ifinfo &&
 	    neigh_ifinfo->bat_iv.tq_avg == router_ifinfo->bat_iv.tq_avg) {
-		sum_orig = batadv_iv_orig_ifinfo_sum(router->orig_node,
-						     router->if_incoming);
-		sum_neigh = batadv_iv_orig_ifinfo_sum(neigh_node->orig_node,
-						      neigh_node->if_incoming);
+		sum_orig = batadv_iv_ogm_neigh_ifinfo_sum(bat_priv, router);
+		sum_neigh = batadv_iv_ogm_neigh_ifinfo_sum(bat_priv,
+							   neigh_node);
 		if (sum_orig >= sum_neigh)
 			goto out;
 	}
@@ -1100,7 +1109,6 @@ static bool batadv_iv_ogm_calc_tq(struct
 	if (!neigh_node)
 		neigh_node = batadv_iv_ogm_neigh_new(if_incoming,
 						     orig_neigh_node->orig,
-						     orig_neigh_node,
 						     orig_neigh_node);
 
 	if (!neigh_node)
@@ -1297,6 +1305,32 @@ out:
 }
 
 /**
+ * batadv_orig_to_direct_router() - get direct next hop neighbor to an orig address
+ * @bat_priv: the bat priv with all the mesh interface information
+ * @orig_addr: the originator MAC address to search the best next hop router for
+ * @if_outgoing: the interface where the OGM should be sent to
+ *
+ * Return: A neighbor node which is the best router towards the given originator
+ * address. Bonding candidates are ignored.
+ */
+static struct batadv_neigh_node *
+batadv_orig_to_direct_router(struct batadv_priv *bat_priv, u8 *orig_addr,
+			     struct batadv_hard_iface *if_outgoing)
+{
+	struct batadv_neigh_node *neigh_node;
+	struct batadv_orig_node *orig_node;
+
+	orig_node = batadv_orig_hash_find(bat_priv, orig_addr);
+	if (!orig_node)
+		return NULL;
+
+	neigh_node = batadv_orig_router_get(orig_node, if_outgoing);
+	batadv_orig_node_put(orig_node);
+
+	return neigh_node;
+}
+
+/**
  * batadv_iv_ogm_process_per_outif() - process a batman iv OGM for an outgoing
  *  interface
  * @skb: the skb containing the OGM
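Review bot: the kernel-doc for batadv_orig_to_direct_router() should state that the returned neigh_node carries a reference (taken by batadv_orig_router_get()) that the caller must drop with batadv_neigh_node_put(); the caller in batadv_iv_ogm_process_per_outif already treated `router_router` that way for the old direct batadv_orig_router_get() call, but the new helper's name does not make the ownership obvious.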
@@ -1366,8 +1400,9 @@ batadv_iv_ogm_process_per_outif(const st
 
 	router = batadv_orig_router_get(orig_node, if_outgoing);
 	if (router) {
-		router_router = batadv_orig_router_get(router->orig_node,
-						       if_outgoing);
+		router_router = batadv_orig_to_direct_router(bat_priv,
+							     router->addr,
+							     if_outgoing);
 		router_ifinfo = batadv_neigh_ifinfo_get(router, if_outgoing);
 	}
 




* [PATCH 6.6 359/474] batman-adv: bla: prevent use-after-free when deleting claims
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit 4ae1709a314060a196981b344610d023ea841e57 upstream.

When batadv_bla_del_backbone_claims() removes all claims for a backbone, it
does this by dropping the link entry in the hash list. This list entry
itself was one of the references which need to be dropped at the same time
via batadv_claim_put().

But the batadv_claim_put() must not be done before the last access to the
claim object in this function. Otherwise the claim might be freed already
by the batadv_claim_release() function before the list entry was dropped.

Cc: stable@kernel.org
Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/batman-adv/bridge_loop_avoidance.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -318,8 +318,8 @@ batadv_bla_del_backbone_claims(struct ba
 			if (claim->backbone_gw != backbone_gw)
 				continue;
 
-			batadv_claim_put(claim);
 			hlist_del_rcu(&claim->hash_entry);
+			batadv_claim_put(claim);
 		}
 		spin_unlock_bh(list_lock);
 	}
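Review bot: the reordering is correct, and a one-line comment above `hlist_del_rcu()` saying that the list's reference is dropped only after the unlink, because batadv_claim_put() may run batadv_claim_release() immediately, would stop the two lines from being swapped back in a refactor where they look order-independent. It also relies on the enclosing loop being a `_safe` variant (not visible in the hunk), since `claim` may be on its way to being freed once put.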




* [PATCH 6.6 360/474] batman-adv: bla: only purge non-released claims
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit cf6b604011591865ae39ac82de8978c1120d17af upstream.

When batadv_bla_purge_claims() goes through the list of claims, it is only
traversing the hash list with an rcu_read_lock(). Due to a potential
parallel batadv_claim_put(), it can happen that it encounters a claim which
was actually in the process of being released+freed by
batadv_claim_release(). In this case, backbone_gw is set to NULL before the
delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is
then no longer allowed because it would cause a NULL-ptr dereference.

To avoid this, only claims with a valid reference counter must be purged.
All others are already taken care of.

Cc: stable@kernel.org
Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/batman-adv/bridge_loop_avoidance.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -1288,6 +1288,13 @@ static void batadv_bla_purge_claims(stru
 
 		rcu_read_lock();
 		hlist_for_each_entry_rcu(claim, head, hash_entry) {
+			/* only purge claims not currently in the process of being released.
+			 * Such claims could otherwise have a NULL-ptr backbone_gw set because
+			 * they already went through batadv_claim_release()
+			 */
+			if (!kref_get_unless_zero(&claim->refcount))
+				continue;
+
 			backbone_gw = batadv_bla_claim_get_backbone_gw(claim);
 			if (now)
 				goto purge_now;
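Review bot: every exit from the loop body after the new kref_get_unless_zero() must reach the batadv_claim_put() that pairs with it, otherwise the reference leaks and the claim is never freed; the only exit visible here is `goto purge_now`, so confirm that the code between this hunk and the `skip:` label (not shown) contains no `continue` that bypasses the put. The comment could also state why the kref test is sufficient: a claim whose refcount already reached zero has gone through batadv_claim_release(), which clears backbone_gw before the deferred RCU free, so skipping it under rcu_read_lock() is safe.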
@@ -1313,6 +1320,7 @@ purge_now:
 					      claim->addr, claim->vid);
 skip:
 			batadv_backbone_gw_put(backbone_gw);
+			batadv_claim_put(claim);
 		}
 		rcu_read_unlock();
 	}
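Review bot: placing batadv_claim_put() under `skip:` is correct, since both the purged and the skipped path fall through it, but this put can now be the final reference drop while rcu_read_lock() is held, so batadv_claim_release() must do nothing that is illegal in RCU read-side context (a kfree_rcu, as the commit message describes, is fine; a synchronous free or anything that sleeps is not). A one-line comment at the put saying it may be the last reference would make that constraint visible.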




* [PATCH 6.6 361/474] batman-adv: bla: put backbone reference on failed claim hash insert
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit ba9d20ee9076dac32c371116bacbe72480eb356c upstream.

When batadv_bla_add_claim() fails to insert a new claim into the hash, it
leaked a reference to the backbone_gw for which the claim was intended.
Call batadv_backbone_gw_put() on the error path to release the reference
and avoid leaking the backbone_gw object.

Cc: stable@kernel.org
Fixes: 3db0decf1185 ("batman-adv: Fix non-atomic bla_claim::backbone_gw access")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/batman-adv/bridge_loop_avoidance.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -723,6 +723,7 @@ static void batadv_bla_add_claim(struct
 
 		if (unlikely(hash_added != 0)) {
 			/* only local changes happened. */
+			batadv_backbone_gw_put(backbone_gw);
 			kfree(claim);
 			return;
 		}
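Review bot: the added batadv_backbone_gw_put() balances the reference taken for the claim on the failure path; the thing to verify is the success path, where that reference must remain owned by the claim and be released exactly once in batadv_claim_release(), otherwise the failure branch now double-puts. The comment `/* only local changes happened. */` is also stale now that the branch releases a reference; reword it to say the claim was never published and its backbone reference is dropped here.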




* [PATCH 6.6 362/474] smb: move some duplicate definitions to common/smbacl.h
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, ChenXiaoSong, Namjae Jeon,
	Steve French, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: ChenXiaoSong <chenxiaosong@kylinos.cn>

[ Upstream commit b51174da743b6b7cd87c02e882ebe60dcb99f8bf ]

In order to maintain the code more easily, move duplicate definitions
to a new common header file.

Signed-off-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Stable-dep-of: d07b26f39246 ("ksmbd: require minimum ACE size in smb_check_perm_dacl()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/smb/client/cifsacl.h |   91 ------------------------------------
 fs/smb/common/smbacl.h  |  121 ++++++++++++++++++++++++++++++++++++++++++++++++
 fs/smb/server/smbacl.h  |  111 --------------------------------------------
 3 files changed, 123 insertions(+), 200 deletions(-)
 create mode 100644 fs/smb/common/smbacl.h

--- a/fs/smb/client/cifsacl.h
+++ b/fs/smb/client/cifsacl.h
@@ -9,8 +9,7 @@
 #ifndef _CIFSACL_H
 #define _CIFSACL_H
 
-#define NUM_AUTHS (6)	/* number of authority fields */
-#define SID_MAX_SUB_AUTHORITIES (15) /* max number of sub authority fields */
+#include "../common/smbacl.h"
 
 #define READ_BIT        0x4
 #define WRITE_BIT       0x2
@@ -23,12 +22,6 @@
 #define UBITSHIFT	6
 #define GBITSHIFT	3
 
-#define ACCESS_ALLOWED	0
-#define ACCESS_DENIED	1
-
-#define SIDOWNER 1
-#define SIDGROUP 2
-
 /*
  * Security Descriptor length containing DACL with 3 ACEs (one each for
  * owner, group and world).
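Review bot: ACCESS_ALLOWED/ACCESS_DENIED and SIDOWNER/SIDGROUP change from macros to enumerators with the same values (0/1 and 1/2), which is transparent to C code but not to the preprocessor; confirm that nothing in fs/smb/client tests these names in an `#if` or `#ifdef`, and that no other `#define ACCESS_ALLOWED` survives in the client, since a macro and an enumerator of the same name will not coexist.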
@@ -38,88 +31,6 @@
 			      (sizeof(struct smb_ace) * 4))
 
 /*
- * Maximum size of a string representation of a SID:
- *
- * The fields are unsigned values in decimal. So:
- *
- * u8:  max 3 bytes in decimal
- * u32: max 10 bytes in decimal
- *
- * "S-" + 3 bytes for version field + 15 for authority field + NULL terminator
- *
- * For authority field, max is when all 6 values are non-zero and it must be
- * represented in hex. So "-0x" + 12 hex digits.
- *
- * Add 11 bytes for each subauthority field (10 bytes each + 1 for '-')
- */
-#define SID_STRING_BASE_SIZE (2 + 3 + 15 + 1)
-#define SID_STRING_SUBAUTH_SIZE (11) /* size of a single subauth string */
-
-struct smb_ntsd {
-	__le16 revision; /* revision level */
-	__le16 type;
-	__le32 osidoffset;
-	__le32 gsidoffset;
-	__le32 sacloffset;
-	__le32 dacloffset;
-} __attribute__((packed));
-
-struct smb_sid {
-	__u8 revision; /* revision level */
-	__u8 num_subauth;
-	__u8 authority[NUM_AUTHS];
-	__le32 sub_auth[SID_MAX_SUB_AUTHORITIES]; /* sub_auth[num_subauth] */
-} __attribute__((packed));
-
-/* size of a struct smb_sid, sans sub_auth array */
-#define CIFS_SID_BASE_SIZE (1 + 1 + NUM_AUTHS)
-
-struct smb_acl {
-	__le16 revision; /* revision level */
-	__le16 size;
-	__le32 num_aces;
-} __attribute__((packed));
-
-/* ACE types - see MS-DTYP 2.4.4.1 */
-#define ACCESS_ALLOWED_ACE_TYPE	0x00
-#define ACCESS_DENIED_ACE_TYPE	0x01
-#define SYSTEM_AUDIT_ACE_TYPE	0x02
-#define SYSTEM_ALARM_ACE_TYPE	0x03
-#define ACCESS_ALLOWED_COMPOUND_ACE_TYPE 0x04
-#define ACCESS_ALLOWED_OBJECT_ACE_TYPE	0x05
-#define ACCESS_DENIED_OBJECT_ACE_TYPE	0x06
-#define SYSTEM_AUDIT_OBJECT_ACE_TYPE	0x07
-#define SYSTEM_ALARM_OBJECT_ACE_TYPE	0x08
-#define ACCESS_ALLOWED_CALLBACK_ACE_TYPE 0x09
-#define ACCESS_DENIED_CALLBACK_ACE_TYPE	0x0A
-#define ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE 0x0B
-#define ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE  0x0C
-#define SYSTEM_AUDIT_CALLBACK_ACE_TYPE	0x0D
-#define SYSTEM_ALARM_CALLBACK_ACE_TYPE	0x0E /* Reserved */
-#define SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE 0x0F
-#define SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE 0x10 /* reserved */
-#define SYSTEM_MANDATORY_LABEL_ACE_TYPE	0x11
-#define SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE 0x12
-#define SYSTEM_SCOPED_POLICY_ID_ACE_TYPE 0x13
-
-/* ACE flags */
-#define OBJECT_INHERIT_ACE	0x01
-#define CONTAINER_INHERIT_ACE	0x02
-#define NO_PROPAGATE_INHERIT_ACE 0x04
-#define INHERIT_ONLY_ACE	0x08
-#define INHERITED_ACE		0x10
-#define SUCCESSFUL_ACCESS_ACE_FLAG 0x40
-#define FAILED_ACCESS_ACE_FLAG	0x80
-
-struct smb_ace {
-	__u8 type; /* see above and MS-DTYP 2.4.4.1 */
-	__u8 flags;
-	__le16 size;
-	__le32 access_req;
-	struct smb_sid sid; /* ie UUID of user or group who gets these perms */
-} __attribute__((packed));
-
-/*
  * The current SMB3 form of security descriptor is similar to what was used for
  * cifs (see above) but some fields are split, and fields in the struct below
  * matches names of fields to the spec, MS-DTYP (see sections 2.4.5 and
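Review bot: the comment at the tail of this hunk, `cifs (see above)`, now refers to struct definitions that have moved to common/smbacl.h, so it should point at that file instead. Otherwise the removal is a straight move: field types, packing and the CIFS_SID_BASE_SIZE/SID_STRING_* constants are reproduced unchanged in the new header.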
--- /dev/null
+++ b/fs/smb/common/smbacl.h
@@ -0,0 +1,121 @@
+/* SPDX-License-Identifier: LGPL-2.1+ */
+/*
+ *   Copyright (c) International Business Machines  Corp., 2007
+ *   Author(s): Steve French (sfrench@us.ibm.com)
+ *   Modified by Namjae Jeon (linkinjeon@kernel.org)
+ */
+
+#ifndef _COMMON_SMBACL_H
+#define _COMMON_SMBACL_H
+
+#define NUM_AUTHS (6)	/* number of authority fields */
+#define SID_MAX_SUB_AUTHORITIES (15) /* max number of sub authority fields */
+
+/* ACE types - see MS-DTYP 2.4.4.1 */
+#define ACCESS_ALLOWED_ACE_TYPE 0x00
+#define ACCESS_DENIED_ACE_TYPE  0x01
+#define SYSTEM_AUDIT_ACE_TYPE   0x02
+#define SYSTEM_ALARM_ACE_TYPE   0x03
+#define ACCESS_ALLOWED_COMPOUND_ACE_TYPE 0x04
+#define ACCESS_ALLOWED_OBJECT_ACE_TYPE  0x05
+#define ACCESS_DENIED_OBJECT_ACE_TYPE   0x06
+#define SYSTEM_AUDIT_OBJECT_ACE_TYPE    0x07
+#define SYSTEM_ALARM_OBJECT_ACE_TYPE    0x08
+#define ACCESS_ALLOWED_CALLBACK_ACE_TYPE 0x09
+#define ACCESS_DENIED_CALLBACK_ACE_TYPE 0x0A
+#define ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE 0x0B
+#define ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE  0x0C
+#define SYSTEM_AUDIT_CALLBACK_ACE_TYPE  0x0D
+#define SYSTEM_ALARM_CALLBACK_ACE_TYPE  0x0E /* Reserved */
+#define SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE 0x0F
+#define SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE 0x10 /* reserved */
+#define SYSTEM_MANDATORY_LABEL_ACE_TYPE 0x11
+#define SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE 0x12
+#define SYSTEM_SCOPED_POLICY_ID_ACE_TYPE 0x13
+
+/* ACE flags */
+#define OBJECT_INHERIT_ACE		0x01
+#define CONTAINER_INHERIT_ACE		0x02
+#define NO_PROPAGATE_INHERIT_ACE	0x04
+#define INHERIT_ONLY_ACE		0x08
+#define INHERITED_ACE			0x10
+#define SUCCESSFUL_ACCESS_ACE_FLAG	0x40
+#define FAILED_ACCESS_ACE_FLAG		0x80
+
+/*
+ * Maximum size of a string representation of a SID:
+ *
+ * The fields are unsigned values in decimal. So:
+ *
+ * u8:  max 3 bytes in decimal
+ * u32: max 10 bytes in decimal
+ *
+ * "S-" + 3 bytes for version field + 15 for authority field + NULL terminator
+ *
+ * For authority field, max is when all 6 values are non-zero and it must be
+ * represented in hex. So "-0x" + 12 hex digits.
+ *
+ * Add 11 bytes for each subauthority field (10 bytes each + 1 for '-')
+ */
+#define SID_STRING_BASE_SIZE (2 + 3 + 15 + 1)
+#define SID_STRING_SUBAUTH_SIZE (11) /* size of a single subauth string */
+
+#define DOMAIN_USER_RID_LE	cpu_to_le32(513)
+
+/*
+ * ACE types - see MS-DTYP 2.4.4.1
+ */
+enum {
+	ACCESS_ALLOWED,
+	ACCESS_DENIED,
+};
+
+/*
+ * Security ID types
+ */
+enum {
+	SIDOWNER = 1,
+	SIDGROUP,
+	SIDCREATOR_OWNER,
+	SIDCREATOR_GROUP,
+	SIDUNIX_USER,
+	SIDUNIX_GROUP,
+	SIDNFS_USER,
+	SIDNFS_GROUP,
+	SIDNFS_MODE,
+};
+
+struct smb_ntsd {
+	__le16 revision; /* revision level */
+	__le16 type;
+	__le32 osidoffset;
+	__le32 gsidoffset;
+	__le32 sacloffset;
+	__le32 dacloffset;
+} __attribute__((packed));
+
+struct smb_sid {
+	__u8 revision; /* revision level */
+	__u8 num_subauth;
+	__u8 authority[NUM_AUTHS];
+	__le32 sub_auth[SID_MAX_SUB_AUTHORITIES]; /* sub_auth[num_subauth] */
+} __attribute__((packed));
+
+/* size of a struct smb_sid, sans sub_auth array */
+#define CIFS_SID_BASE_SIZE (1 + 1 + NUM_AUTHS)
+
+struct smb_acl {
+	__le16 revision; /* revision level */
+	__le16 size;
+	__le32 num_aces;
+} __attribute__((packed));
+
+struct smb_ace {
+	__u8 type; /* see above and MS-DTYP 2.4.4.1 */
+	__u8 flags;
+	__le16 size;
+	__le32 access_req;
+	struct smb_sid sid; /* ie UUID of user or group who gets these perms */
+} __attribute__((packed));
+
+#endif /* _COMMON_SMBACL_H */
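Review bot: the new header is not self-contained: it uses __u8, __le16, __le32 and cpu_to_le32() but includes nothing, so it only compiles when the includer has already pulled in <linux/types.h> and <asm/byteorder.h>; add `#include <linux/types.h>` (and the byteorder header for DOMAIN_USER_RID_LE) at the top so it can safely be the first include. Two smaller points: `num_aces` is carried over as __le32 although AceCount in MS-DTYP 2.4.5 is a 16-bit field followed by a 16-bit Sbz2, and the `ACE types - see MS-DTYP 2.4.4.1` comment above the ACCESS_ALLOWED/ACCESS_DENIED enum is misleading, since that enum is the driver's internal allow/deny classification rather than the wire ACE types listed further up under the same heading.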
--- a/fs/smb/server/smbacl.h
+++ b/fs/smb/server/smbacl.h
@@ -8,6 +8,7 @@
 #ifndef _SMBACL_H
 #define _SMBACL_H
 
+#include "../common/smbacl.h"
 #include <linux/fs.h>
 #include <linux/namei.h>
 #include <linux/posix_acl.h>
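Review bot: `#include "../common/smbacl.h"` is placed before <linux/fs.h>, so the common header sees no kernel types unless something earlier in this file already included them; kernel sources normally list the <linux/...> headers first and local headers after them, which here is also what lets the common header compile. Move the include below the <linux/...> block, or make the common header include <linux/types.h> itself.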
@@ -15,32 +16,6 @@
 
 #include "mgmt/tree_connect.h"
 
-#define NUM_AUTHS (6)	/* number of authority fields */
-#define SID_MAX_SUB_AUTHORITIES (15) /* max number of sub authority fields */
-
-/*
- * ACE types - see MS-DTYP 2.4.4.1
- */
-enum {
-	ACCESS_ALLOWED,
-	ACCESS_DENIED,
-};
-
-/*
- * Security ID types
- */
-enum {
-	SIDOWNER = 1,
-	SIDGROUP,
-	SIDCREATOR_OWNER,
-	SIDCREATOR_GROUP,
-	SIDUNIX_USER,
-	SIDUNIX_GROUP,
-	SIDNFS_USER,
-	SIDNFS_GROUP,
-	SIDNFS_MODE,
-};
-
 /* Revision for ACLs */
 #define SD_REVISION	1
 
@@ -62,92 +37,8 @@ enum {
 #define RM_CONTROL_VALID	0x4000
 #define SELF_RELATIVE		0x8000
 
-/* ACE types - see MS-DTYP 2.4.4.1 */
-#define ACCESS_ALLOWED_ACE_TYPE 0x00
-#define ACCESS_DENIED_ACE_TYPE  0x01
-#define SYSTEM_AUDIT_ACE_TYPE   0x02
-#define SYSTEM_ALARM_ACE_TYPE   0x03
-#define ACCESS_ALLOWED_COMPOUND_ACE_TYPE 0x04
-#define ACCESS_ALLOWED_OBJECT_ACE_TYPE  0x05
-#define ACCESS_DENIED_OBJECT_ACE_TYPE   0x06
-#define SYSTEM_AUDIT_OBJECT_ACE_TYPE    0x07
-#define SYSTEM_ALARM_OBJECT_ACE_TYPE    0x08
-#define ACCESS_ALLOWED_CALLBACK_ACE_TYPE 0x09
-#define ACCESS_DENIED_CALLBACK_ACE_TYPE 0x0A
-#define ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE 0x0B
-#define ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE  0x0C
-#define SYSTEM_AUDIT_CALLBACK_ACE_TYPE  0x0D
-#define SYSTEM_ALARM_CALLBACK_ACE_TYPE  0x0E /* Reserved */
-#define SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE 0x0F
-#define SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE 0x10 /* reserved */
-#define SYSTEM_MANDATORY_LABEL_ACE_TYPE 0x11
-#define SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE 0x12
-#define SYSTEM_SCOPED_POLICY_ID_ACE_TYPE 0x13
-
-/* ACE flags */
-#define OBJECT_INHERIT_ACE		0x01
-#define CONTAINER_INHERIT_ACE		0x02
-#define NO_PROPAGATE_INHERIT_ACE	0x04
-#define INHERIT_ONLY_ACE		0x08
-#define INHERITED_ACE			0x10
-#define SUCCESSFUL_ACCESS_ACE_FLAG	0x40
-#define FAILED_ACCESS_ACE_FLAG		0x80
-
-/*
- * Maximum size of a string representation of a SID:
- *
- * The fields are unsigned values in decimal. So:
- *
- * u8:  max 3 bytes in decimal
- * u32: max 10 bytes in decimal
- *
- * "S-" + 3 bytes for version field + 15 for authority field + NULL terminator
- *
- * For authority field, max is when all 6 values are non-zero and it must be
- * represented in hex. So "-0x" + 12 hex digits.
- *
- * Add 11 bytes for each subauthority field (10 bytes each + 1 for '-')
- */
-#define SID_STRING_BASE_SIZE (2 + 3 + 15 + 1)
-#define SID_STRING_SUBAUTH_SIZE (11) /* size of a single subauth string */
-
-#define DOMAIN_USER_RID_LE	cpu_to_le32(513)
-
 struct ksmbd_conn;
 
-struct smb_ntsd {
-	__le16 revision; /* revision level */
-	__le16 type;
-	__le32 osidoffset;
-	__le32 gsidoffset;
-	__le32 sacloffset;
-	__le32 dacloffset;
-} __packed;
-
-struct smb_sid {
-	__u8 revision; /* revision level */
-	__u8 num_subauth;
-	__u8 authority[NUM_AUTHS];
-	__le32 sub_auth[SID_MAX_SUB_AUTHORITIES]; /* sub_auth[num_subauth] */
-} __packed;
-
-/* size of a struct cifs_sid, sans sub_auth array */
-#define CIFS_SID_BASE_SIZE (1 + 1 + NUM_AUTHS)
-
-struct smb_acl {
-	__le16 revision; /* revision level */
-	__le16 size;
-	__le32 num_aces;
-} __packed;
-
-struct smb_ace {
-	__u8 type;
-	__u8 flags;
-	__le16 size;
-	__le32 access_req;
-	struct smb_sid sid; /* ie UUID of user or group who gets these perms */
-} __packed;
-
 struct smb_fattr {
 	kuid_t	cf_uid;
 	kgid_t	cf_gid;
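Review bot: the definitions removed here used __packed while the new common header spells out __attribute__((packed)); both expand to the same attribute, so the on-wire layout is unchanged, but checkpatch flags the long form and the server code uses __packed throughout, so the common header would read better with __packed. The stale `struct cifs_sid` in the removed CIFS_SID_BASE_SIZE comment disappears as part of the move, which is a small bonus.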




* [PATCH 6.6 363/474] smb: common: change the data type of num_aces to le16
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Igor Leite Ladessa, Namjae Jeon,
	Steve French, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Namjae Jeon <linkinjeon@kernel.org>

[ Upstream commit 62e7dd0a39c2d0d7ff03274c36df971f1b3d2d0d ]

2.4.5 in [MS-DTYP].pdf describes the data type of num_aces as le16.

AceCount (2 bytes): An unsigned 16-bit integer that specifies the count
of the number of ACE records in the ACL.

Change it to le16 and add reserved field to smb_acl struct.

Reported-by: Igor Leite Ladessa <igor-ladessa@hotmail.com>
Tested-by: Igor Leite Ladessa <igor-ladessa@hotmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Stable-dep-of: d07b26f39246 ("ksmbd: require minimum ACE size in smb_check_perm_dacl()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/smb/client/cifsacl.c |   26 +++++++++++++-------------
 fs/smb/common/smbacl.h  |    3 ++-
 fs/smb/server/smbacl.c  |   31 ++++++++++++++++---------------
 fs/smb/server/smbacl.h  |    2 +-
 4 files changed, 32 insertions(+), 30 deletions(-)

--- a/fs/smb/client/cifsacl.c
+++ b/fs/smb/client/cifsacl.c
@@ -763,7 +763,7 @@ static void parse_dacl(struct smb_acl *p
 		       struct cifs_fattr *fattr, bool mode_from_special_sid)
 {
 	int i;
-	int num_aces = 0;
+	u16 num_aces = 0;
 	int acl_size;
 	char *acl_base;
 	struct smb_ace **ppace;
@@ -786,7 +786,7 @@ static void parse_dacl(struct smb_acl *p
 
 	cifs_dbg(NOISY, "DACL revision %d size %d num aces %d\n",
 		 le16_to_cpu(pdacl->revision), le16_to_cpu(pdacl->size),
-		 le32_to_cpu(pdacl->num_aces));
+		 le16_to_cpu(pdacl->num_aces));
 
 	/* reset rwx permissions for user/group/other.
 	   Also, if num_aces is 0 i.e. DACL has no ACEs,
@@ -796,7 +796,7 @@ static void parse_dacl(struct smb_acl *p
 	acl_base = (char *)pdacl;
 	acl_size = sizeof(struct smb_acl);
 
-	num_aces = le32_to_cpu(pdacl->num_aces);
+	num_aces = le16_to_cpu(pdacl->num_aces);
 	if (num_aces > 0) {
 		umode_t denied_mode = 0;
 
@@ -957,12 +957,12 @@ unsigned int setup_special_user_owner_AC
 static void populate_new_aces(char *nacl_base,
 		struct smb_sid *pownersid,
 		struct smb_sid *pgrpsid,
-		__u64 *pnmode, u32 *pnum_aces, u16 *pnsize,
+		__u64 *pnmode, u16 *pnum_aces, u16 *pnsize,
 		bool modefromsid,
 		bool posix)
 {
 	__u64 nmode;
-	u32 num_aces = 0;
+	u16 num_aces = 0;
 	u16 nsize = 0;
 	__u64 user_mode;
 	__u64 group_mode;
@@ -1070,7 +1070,7 @@ static __u16 replace_sids_and_copy_aces(
 	u16 size = 0;
 	struct smb_ace *pntace = NULL;
 	char *acl_base = NULL;
-	u32 src_num_aces = 0;
+	u16 src_num_aces = 0;
 	u16 nsize = 0;
 	struct smb_ace *pnntace = NULL;
 	char *nacl_base = NULL;
@@ -1078,7 +1078,7 @@ static __u16 replace_sids_and_copy_aces(
 
 	acl_base = (char *)pdacl;
 	size = sizeof(struct smb_acl);
-	src_num_aces = le32_to_cpu(pdacl->num_aces);
+	src_num_aces = le16_to_cpu(pdacl->num_aces);
 
 	nacl_base = (char *)pndacl;
 	nsize = sizeof(struct smb_acl);
@@ -1110,11 +1110,11 @@ static int set_chmod_dacl(struct smb_acl
 	u16 size = 0;
 	struct smb_ace *pntace = NULL;
 	char *acl_base = NULL;
-	u32 src_num_aces = 0;
+	u16 src_num_aces = 0;
 	u16 nsize = 0;
 	struct smb_ace *pnntace = NULL;
 	char *nacl_base = NULL;
-	u32 num_aces = 0;
+	u16 num_aces = 0;
 	bool new_aces_set = false;
 
 	/* Assuming that pndacl and pnmode are never NULL */
@@ -1132,7 +1132,7 @@ static int set_chmod_dacl(struct smb_acl
 
 	acl_base = (char *)pdacl;
 	size = sizeof(struct smb_acl);
-	src_num_aces = le32_to_cpu(pdacl->num_aces);
+	src_num_aces = le16_to_cpu(pdacl->num_aces);
 
 	/* Retain old ACEs which we can retain */
 	for (i = 0; i < src_num_aces; ++i) {
@@ -1178,7 +1178,7 @@ next_ace:
 	}
 
 finalize_dacl:
-	pndacl->num_aces = cpu_to_le32(num_aces);
+	pndacl->num_aces = cpu_to_le16(num_aces);
 	pndacl->size = cpu_to_le16(nsize);
 
 	return 0;
@@ -1335,7 +1335,7 @@ static int build_sec_desc(struct smb_nts
 			dacloffset ? dacl_ptr->revision : cpu_to_le16(ACL_REVISION);
 
 		ndacl_ptr->size = cpu_to_le16(0);
-		ndacl_ptr->num_aces = cpu_to_le32(0);
+		ndacl_ptr->num_aces = cpu_to_le16(0);
 
 		rc = set_chmod_dacl(dacl_ptr, ndacl_ptr, owner_sid_ptr, group_sid_ptr,
 				    pnmode, mode_from_sid, posix);
@@ -1699,7 +1699,7 @@ id_mode_to_cifs_acl(struct inode *inode,
 			dacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset);
 			if (mode_from_sid)
 				nsecdesclen +=
-					le32_to_cpu(dacl_ptr->num_aces) * sizeof(struct smb_ace);
+					le16_to_cpu(dacl_ptr->num_aces) * sizeof(struct smb_ace);
 			else /* cifsacl */
 				nsecdesclen += le16_to_cpu(dacl_ptr->size);
 		}
--- a/fs/smb/common/smbacl.h
+++ b/fs/smb/common/smbacl.h
@@ -107,7 +107,8 @@ struct smb_sid {
 struct smb_acl {
 	__le16 revision; /* revision level */
 	__le16 size;
-	__le32 num_aces;
+	__le16 num_aces;
+	__le16 reserved;
 } __attribute__((packed));
 
 struct smb_ace {
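Review bot: splitting the 32-bit field into `num_aces` and `reserved` keeps sizeof(struct smb_acl) at 8, so the pointer arithmetic that adds sizeof(struct smb_acl) to reach the first ACE still matches MS-DTYP; name or comment the new field as Sbz2 (MS-DTYP 2.4.5), and make sure it goes out as zero when an ACL is built, since the set_chmod_dacl and build_sec_desc hunks in this patch assign only `size` and `num_aces` and rely on the buffer having been zeroed.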
--- a/fs/smb/server/smbacl.c
+++ b/fs/smb/server/smbacl.c
@@ -338,7 +338,7 @@ void posix_state_to_acl(struct posix_acl
 	pace->e_perm = state->other.allow;
 }
 
-int init_acl_state(struct posix_acl_state *state, int cnt)
+int init_acl_state(struct posix_acl_state *state, u16 cnt)
 {
 	int alloc;
 
@@ -373,7 +373,7 @@ static void parse_dacl(struct mnt_idmap
 		       struct smb_fattr *fattr)
 {
 	int i, ret;
-	int num_aces = 0;
+	u16 num_aces = 0;
 	unsigned int acl_size;
 	char *acl_base;
 	struct smb_ace **ppace;
@@ -394,12 +394,12 @@ static void parse_dacl(struct mnt_idmap
 
 	ksmbd_debug(SMB, "DACL revision %d size %d num aces %d\n",
 		    le16_to_cpu(pdacl->revision), le16_to_cpu(pdacl->size),
-		    le32_to_cpu(pdacl->num_aces));
+		    le16_to_cpu(pdacl->num_aces));
 
 	acl_base = (char *)pdacl;
 	acl_size = sizeof(struct smb_acl);
 
-	num_aces = le32_to_cpu(pdacl->num_aces);
+	num_aces = le16_to_cpu(pdacl->num_aces);
 	if (num_aces <= 0)
 		return;
 
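Review bot: with `num_aces` now u16, `if (num_aces <= 0)` is an unsigned comparison that can only be true for zero and trips -Wtype-limits; write it as `if (!num_aces)`.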
@@ -589,7 +589,7 @@ static void parse_dacl(struct mnt_idmap
 
 static void set_posix_acl_entries_dacl(struct mnt_idmap *idmap,
 				       struct smb_ace *pndace,
-				       struct smb_fattr *fattr, u32 *num_aces,
+				       struct smb_fattr *fattr, u16 *num_aces,
 				       u16 *size, u32 nt_aces_num)
 {
 	struct posix_acl_entry *pace;
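Review bot: `num_aces` becomes u16 here while `nt_aces_num` stays u32, even though the caller in this patch (set_ntacl_dacl, hunk @@745) now passes a u16 `nt_num_aces`; making both u16 keeps the two counts the same width and avoids an implicit widening that hides the field's real range.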
@@ -717,7 +717,7 @@ static void set_ntacl_dacl(struct mnt_id
 			   struct smb_fattr *fattr)
 {
 	struct smb_ace *ntace, *pndace;
-	int nt_num_aces = le32_to_cpu(nt_dacl->num_aces), num_aces = 0;
+	u16 nt_num_aces = le16_to_cpu(nt_dacl->num_aces), num_aces = 0;
 	unsigned short size = 0;
 	int i;
 
@@ -745,7 +745,7 @@ static void set_ntacl_dacl(struct mnt_id
 
 	set_posix_acl_entries_dacl(idmap, pndace, fattr,
 				   &num_aces, &size, nt_num_aces);
-	pndacl->num_aces = cpu_to_le32(num_aces);
+	pndacl->num_aces = cpu_to_le16(num_aces);
 	pndacl->size = cpu_to_le16(le16_to_cpu(pndacl->size) + size);
 }
 
@@ -753,7 +753,7 @@ static void set_mode_dacl(struct mnt_idm
 			  struct smb_acl *pndacl, struct smb_fattr *fattr)
 {
 	struct smb_ace *pace, *pndace;
-	u32 num_aces = 0;
+	u16 num_aces = 0;
 	u16 size = 0, ace_size = 0;
 	uid_t uid;
 	const struct smb_sid *sid;
@@ -809,7 +809,7 @@ static void set_mode_dacl(struct mnt_idm
 				 fattr->cf_mode, 0007);
 
 out:
-	pndacl->num_aces = cpu_to_le32(num_aces);
+	pndacl->num_aces = cpu_to_le16(num_aces);
 	pndacl->size = cpu_to_le16(le16_to_cpu(pndacl->size) + size);
 }
 
@@ -1039,8 +1039,9 @@ int smb_inherit_dacl(struct ksmbd_conn *
 	struct smb_sid owner_sid, group_sid;
 	struct dentry *parent = path->dentry->d_parent;
 	struct mnt_idmap *idmap = mnt_idmap(path->mnt);
-	int inherited_flags = 0, flags = 0, i, ace_cnt = 0, nt_size = 0, pdacl_size;
-	int rc = 0, num_aces, dacloffset, pntsd_type, pntsd_size, acl_len, aces_size;
+	int inherited_flags = 0, flags = 0, i, nt_size = 0, pdacl_size;
+	int rc = 0, dacloffset, pntsd_type, pntsd_size, acl_len, aces_size;
+	u16 num_aces, ace_cnt = 0;
 	char *aces_base;
 	bool is_dir = S_ISDIR(d_inode(path->dentry)->i_mode);
 
@@ -1056,7 +1057,7 @@ int smb_inherit_dacl(struct ksmbd_conn *
 
 	parent_pdacl = (struct smb_acl *)((char *)parent_pntsd + dacloffset);
 	acl_len = pntsd_size - dacloffset;
-	num_aces = le32_to_cpu(parent_pdacl->num_aces);
+	num_aces = le16_to_cpu(parent_pdacl->num_aces);
 	pntsd_type = le16_to_cpu(parent_pntsd->type);
 	pdacl_size = le16_to_cpu(parent_pdacl->size);
 
@@ -1215,7 +1216,7 @@ pass:
 			pdacl = (struct smb_acl *)((char *)pntsd + le32_to_cpu(pntsd->dacloffset));
 			pdacl->revision = cpu_to_le16(2);
 			pdacl->size = cpu_to_le16(sizeof(struct smb_acl) + nt_size);
-			pdacl->num_aces = cpu_to_le32(ace_cnt);
+			pdacl->num_aces = cpu_to_le16(ace_cnt);
 			pace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl));
 			memcpy(pace, aces_base, nt_size);
 			pntsd_size += sizeof(struct smb_acl) + nt_size;
@@ -1296,7 +1297,7 @@ int smb_check_perm_dacl(struct ksmbd_con
 
 		ace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl));
 		aces_size = acl_size - sizeof(struct smb_acl);
-		for (i = 0; i < le32_to_cpu(pdacl->num_aces); i++) {
+		for (i = 0; i < le16_to_cpu(pdacl->num_aces); i++) {
 			if (offsetof(struct smb_ace, access_req) > aces_size)
 				break;
 			ace_size = le16_to_cpu(ace->size);
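Review bot: the loop bound now reads the 16-bit count, which is the right width, but the guards that follow are weaker than they look: `offsetof(struct smb_ace, access_req) > aces_size` only proves the 4-byte ACE header is inside the buffer, and `ace_size > aces_size` only bounds the declared size from above, so an ACE declaring `size == 4` passes both and the later access to ace->access_req reads past the end of the DACL. Require `ace_size >= offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE` here, as parse_sec_desc() already does.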
@@ -1317,7 +1318,7 @@ int smb_check_perm_dacl(struct ksmbd_con
 
 	ace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl));
 	aces_size = acl_size - sizeof(struct smb_acl);
-	for (i = 0; i < le32_to_cpu(pdacl->num_aces); i++) {
+	for (i = 0; i < le16_to_cpu(pdacl->num_aces); i++) {
 		if (offsetof(struct smb_ace, access_req) > aces_size)
 			break;
 		ace_size = le16_to_cpu(ace->size);
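Review bot: same header-only guard as in the first loop above, and this body goes on to pass &ace->sid to compare_sids(), so the minimum-size requirement here should cover not only the SID base but also the `num_subauth` sub-authorities that compare_sids() dereferences.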
--- a/fs/smb/server/smbacl.h
+++ b/fs/smb/server/smbacl.h
@@ -86,7 +86,7 @@ int parse_sec_desc(struct mnt_idmap *idm
 int build_sec_desc(struct mnt_idmap *idmap, struct smb_ntsd *pntsd,
 		   struct smb_ntsd *ppntsd, int ppntsd_size, int addition_info,
 		   __u32 *secdesclen, struct smb_fattr *fattr);
-int init_acl_state(struct posix_acl_state *state, int cnt);
+int init_acl_state(struct posix_acl_state *state, u16 cnt);
 void free_acl_state(struct posix_acl_state *state);
 void posix_state_to_acl(struct posix_acl_state *state,
 			struct posix_acl_entry *pace);




* [PATCH 6.6 364/474] ksmbd: require minimum ACE size in smb_check_perm_dacl()
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Namjae Jeon,
	Steve French, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

[ Upstream commit d07b26f39246a82399661936dd0c853983cfade7 ]

Both ACE-walk loops in smb_check_perm_dacl() only guard against an
under-sized remaining buffer, not against an ACE whose declared
`ace->size` is smaller than the struct it claims to describe:

  if (offsetof(struct smb_ace, access_req) > aces_size)
      break;
  ace_size = le16_to_cpu(ace->size);
  if (ace_size > aces_size)
      break;

The first check only requires the 4-byte ACE header to be in bounds;
it does not require access_req (4 bytes at offset 4) to be readable.
An attacker who has set a crafted DACL on a file they own can declare
ace->size == 4 with aces_size == 4, pass both checks, and then

  granted |= le32_to_cpu(ace->access_req);               /* upper loop */
  compare_sids(&sid, &ace->sid);                         /* lower loop */

reads access_req at offset 4 (OOB by up to 4 bytes) and ace->sid at
offset 8 (OOB by up to CIFS_SID_BASE_SIZE + SID_MAX_SUB_AUTHORITIES
* 4 bytes).

Tighten both loops to require

  ace_size >= offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE

which is the smallest valid on-wire ACE layout (4-byte header +
4-byte access_req + 8-byte sid base with zero sub-auths).  Also
reject ACEs whose sid.num_subauth exceeds SID_MAX_SUB_AUTHORITIES
before letting compare_sids() dereference sub_auth[] entries.

parse_sec_desc() already enforces an equivalent check (lines 441-448);
smb_check_perm_dacl() simply grew weaker validation over time.

Reachability: authenticated SMB client with permission to set an ACL
on a file.  On a subsequent CREATE against that file, the kernel
walks the stored DACL via smb_check_perm_dacl() and triggers the
OOB read.  Not pre-auth, and the OOB read is not reflected to the
attacker, but KASAN reports and kernel state corruption are
possible.

Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/smb/server/smbacl.c |   17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

--- a/fs/smb/server/smbacl.c
+++ b/fs/smb/server/smbacl.c
@@ -1298,10 +1298,13 @@ int smb_check_perm_dacl(struct ksmbd_con
 		ace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl));
 		aces_size = acl_size - sizeof(struct smb_acl);
 		for (i = 0; i < le16_to_cpu(pdacl->num_aces); i++) {
-			if (offsetof(struct smb_ace, access_req) > aces_size)
+			if (offsetof(struct smb_ace, sid) +
+			    aces_size < CIFS_SID_BASE_SIZE)
 				break;
 			ace_size = le16_to_cpu(ace->size);
-			if (ace_size > aces_size)
+			if (ace_size > aces_size ||
+			    ace_size < offsetof(struct smb_ace, sid) +
+				       CIFS_SID_BASE_SIZE)
 				break;
 			aces_size -= ace_size;
 			granted |= le32_to_cpu(ace->access_req);
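Review bot: the new pre-read guard is inverted. `offsetof(struct smb_ace, sid) + aces_size < CIFS_SID_BASE_SIZE` evaluates to 8 + aces_size < 8, which can only hold for a negative aces_size (and, with offsetof being size_t, not even then once the int is converted), so the `break` is dead and `ace->size` at offset 2 is now read with no check on the remaining buffer at all, where the old `offsetof(struct smb_ace, access_req) > aces_size` at least guaranteed the 4-byte header. The intended test is on the remaining buffer, `if (aces_size < offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE) break;`. The second condition, `ace_size < offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE`, is correct and is what actually enforces the 16-byte minimum the commit message describes.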
@@ -1319,13 +1322,19 @@ int smb_check_perm_dacl(struct ksmbd_con
 	ace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl));
 	aces_size = acl_size - sizeof(struct smb_acl);
 	for (i = 0; i < le16_to_cpu(pdacl->num_aces); i++) {
-		if (offsetof(struct smb_ace, access_req) > aces_size)
+		if (offsetof(struct smb_ace, sid) +
+		    aces_size < CIFS_SID_BASE_SIZE)
 			break;
 		ace_size = le16_to_cpu(ace->size);
-		if (ace_size > aces_size)
+		if (ace_size > aces_size ||
+		    ace_size < offsetof(struct smb_ace, sid) +
+			       CIFS_SID_BASE_SIZE)
 			break;
 		aces_size -= ace_size;
 
+		if (ace->sid.num_subauth > SID_MAX_SUB_AUTHORITIES)
+			break;
+
 		if (!compare_sids(&sid, &ace->sid) ||
 		    !compare_sids(&sid_unix_NFS_mode, &ace->sid)) {
 			found = 1;
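Review bot: the `ace->sid.num_subauth > SID_MAX_SUB_AUTHORITIES` check bounds the sub_auth[] index but not the bytes behind it: ace_size is only required to be at least offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE, so compare_sids() can still read num_subauth * sizeof(__le32) bytes past the ACE's declared extent. Suggest also requiring `ace_size >= offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE + ace->sid.num_subauth * sizeof(__le32)` before the compare, and mirroring it in the first loop. The pre-check `offsetof(struct smb_ace, sid) + aces_size < CIFS_SID_BASE_SIZE` here has the same transposed operands as in the first loop; `aces_size < offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE` is the bound the second check implies.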




* [PATCH 6.6 365/474] smb: client: validate the whole DACL before rewriting it in cifsacl
@ 2026-05-15 15:47 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Steve French,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

[ Upstream commit 0a8cf165566ba55a39fd0f4de172119dd646d39a ]

build_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a
server-supplied dacloffset and then use the incoming ACL to rebuild the
chmod/chown security descriptor.

The original fix only checked that the struct smb_acl header fits before
reading dacl_ptr->size or dacl_ptr->num_aces.  That avoids the immediate
header-field OOB read, but the rewrite helpers still walk ACEs based on
pdacl->num_aces with no structural validation of the incoming DACL body.

A malicious server can return a truncated DACL that still contains a
header, claims one or more ACEs, and then drive
replace_sids_and_copy_aces() or set_chmod_dacl() past the validated
extent while they compare or copy attacker-controlled ACEs.

Factor the DACL structural checks into validate_dacl(), extend them to
validate each ACE against the DACL bounds, and use the shared validator
before the chmod/chown rebuild paths.  parse_dacl() reuses the same
validator so the read-side parser and write-side rewrite paths agree on
what constitutes a well-formed incoming DACL.

Fixes: bc3e9dd9d104 ("cifs: Change SIDs in ACEs while transferring file ownership.")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ no kmalloc_objs ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/smb/client/cifsacl.c |  116 +++++++++++++++++++++++++++++++++++-------------
 1 file changed, 85 insertions(+), 31 deletions(-)

--- a/fs/smb/client/cifsacl.c
+++ b/fs/smb/client/cifsacl.c
@@ -758,6 +758,77 @@ static void dump_ace(struct smb_ace *pac
 }
 #endif
 
+static int validate_dacl(struct smb_acl *pdacl, char *end_of_acl)
+{
+	int i, ace_hdr_size, ace_size, min_ace_size;
+	u16 dacl_size, num_aces;
+	char *acl_base, *end_of_dacl;
+	struct smb_ace *pace;
+
+	if (!pdacl)
+		return 0;
+
+	if (end_of_acl < (char *)pdacl + sizeof(struct smb_acl)) {
+		cifs_dbg(VFS, "ACL too small to parse DACL\n");
+		return -EINVAL;
+	}
+
+	dacl_size = le16_to_cpu(pdacl->size);
+	if (dacl_size < sizeof(struct smb_acl) ||
+	    end_of_acl < (char *)pdacl + dacl_size) {
+		cifs_dbg(VFS, "ACL too small to parse DACL\n");
+		return -EINVAL;
+	}
+
+	num_aces = le16_to_cpu(pdacl->num_aces);
+	if (!num_aces)
+		return 0;
+
+	ace_hdr_size = offsetof(struct smb_ace, sid) +
+		offsetof(struct smb_sid, sub_auth);
+	min_ace_size = ace_hdr_size + sizeof(__le32);
+	if (num_aces > (dacl_size - sizeof(struct smb_acl)) / min_ace_size) {
+		cifs_dbg(VFS, "ACL too small to parse DACL\n");
+		return -EINVAL;
+	}
+
+	end_of_dacl = (char *)pdacl + dacl_size;
+	acl_base = (char *)pdacl;
+	ace_size = sizeof(struct smb_acl);
+
+	for (i = 0; i < num_aces; ++i) {
+		if (end_of_dacl - acl_base < ace_size) {
+			cifs_dbg(VFS, "ACL too small to parse ACE\n");
+			return -EINVAL;
+		}
+
+		pace = (struct smb_ace *)(acl_base + ace_size);
+		acl_base = (char *)pace;
+
+		if (end_of_dacl - acl_base < ace_hdr_size ||
+		    pace->sid.num_subauth == 0 ||
+		    pace->sid.num_subauth > SID_MAX_SUB_AUTHORITIES) {
+			cifs_dbg(VFS, "ACL too small to parse ACE\n");
+			return -EINVAL;
+		}
+
+		ace_size = ace_hdr_size + sizeof(__le32) * pace->sid.num_subauth;
+		if (end_of_dacl - acl_base < ace_size ||
+		    le16_to_cpu(pace->size) < ace_size) {
+			cifs_dbg(VFS, "ACL too small to parse ACE\n");
+			return -EINVAL;
+		}
+
+		ace_size = le16_to_cpu(pace->size);
+		if (end_of_dacl - acl_base < ace_size) {
+			cifs_dbg(VFS, "ACL too small to parse ACE\n");
+			return -EINVAL;
+		}
+	}
+
+	return 0;
+}
+
 static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
 		       struct smb_sid *pownersid, struct smb_sid *pgrpsid,
 		       struct cifs_fattr *fattr, bool mode_from_special_sid)
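Review bot: validate_dacl() is now the contract that replace_sids_and_copy_aces() and set_chmod_dacl() rely on, but nothing states it; a short comment above the function saying what a 0 return guarantees (DACL header and pdacl->size inside end_of_acl, every ACE's declared size inside the DACL, each SID's num_subauth in 1..SID_MAX_SUB_AUTHORITIES with its sub_auth[] inside the ACE) would keep later callers from re-deriving it. Two smaller points: the seven failure sites use only two log strings, so a VFS log cannot tell which bound was violated (including i and the offending size would help), and `if (!pdacl) return 0;` treats a missing DACL as valid, which is fine for the callers in this patch but deserves a comment since both derive pdacl from a server-supplied offset.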
@@ -765,7 +836,7 @@ static void parse_dacl(struct smb_acl *p
 	int i;
 	u16 num_aces = 0;
 	int acl_size;
-	char *acl_base;
+	char *acl_base, *end_of_dacl;
 	struct smb_ace **ppace;
 
 	/* BB need to add parm so we can store the SID BB */
@@ -777,12 +848,8 @@ static void parse_dacl(struct smb_acl *p
 		return;
 	}
 
-	/* validate that we do not go past end of acl */
-	if (end_of_acl < (char *)pdacl + sizeof(struct smb_acl) ||
-	    end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size)) {
-		cifs_dbg(VFS, "ACL too small to parse DACL\n");
+	if (validate_dacl(pdacl, end_of_acl))
 		return;
-	}
 
 	cifs_dbg(NOISY, "DACL revision %d size %d num aces %d\n",
 		 le16_to_cpu(pdacl->revision), le16_to_cpu(pdacl->size),
@@ -793,6 +860,7 @@ static void parse_dacl(struct smb_acl *p
 	   user/group/other have no permissions */
 	fattr->cf_mode &= ~(0777);
 
+	end_of_dacl = (char *)pdacl + le16_to_cpu(pdacl->size);
 	acl_base = (char *)pdacl;
 	acl_size = sizeof(struct smb_acl);
 
@@ -800,36 +868,16 @@ static void parse_dacl(struct smb_acl *p
 	if (num_aces > 0) {
 		umode_t denied_mode = 0;
 
-		if (num_aces > (le16_to_cpu(pdacl->size) - sizeof(struct smb_acl)) /
-				(offsetof(struct smb_ace, sid) +
-				 offsetof(struct smb_sid, sub_auth) + sizeof(__le16)))
-			return;
-
 		ppace = kmalloc_array(num_aces, sizeof(struct smb_ace *),
 				      GFP_KERNEL);
 		if (!ppace)
 			return;
 
 		for (i = 0; i < num_aces; ++i) {
-			if (end_of_acl - acl_base < acl_size)
-				break;
-
 			ppace[i] = (struct smb_ace *) (acl_base + acl_size);
-			acl_base = (char *)ppace[i];
-			acl_size = offsetof(struct smb_ace, sid) +
-				offsetof(struct smb_sid, sub_auth);
-
-			if (end_of_acl - acl_base < acl_size ||
-			    ppace[i]->sid.num_subauth == 0 ||
-			    ppace[i]->sid.num_subauth > SID_MAX_SUB_AUTHORITIES ||
-			    (end_of_acl - acl_base <
-			     acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth) ||
-			    (le16_to_cpu(ppace[i]->size) <
-			     acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth))
-				break;
 
 #ifdef CONFIG_CIFS_DEBUG2
-			dump_ace(ppace[i], end_of_acl);
+			dump_ace(ppace[i], end_of_dacl);
 #endif
 			if (mode_from_special_sid &&
 			    ppace[i]->sid.num_subauth >= 3 &&
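Review bot: with the per-ACE bounds checks removed from this loop, its safety now depends entirely on parse_dacl() having returned early when validate_dacl() failed; that holds (see the `if (validate_dacl(pdacl, end_of_acl)) return;` hunk above), but the dependency is implicit. A one-line comment above the for loop noting that validate_dacl() already checked every ACE would stop a later change that moves or drops the validate call from silently reopening the OOB read. Bounding dump_ace() by end_of_dacl instead of end_of_acl is correct and tighter than before.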
@@ -872,6 +920,7 @@ static void parse_dacl(struct smb_acl *p
 				(void *)ppace[i],
 				sizeof(struct smb_ace)); */
 
+			acl_base = (char *)ppace[i];
 			acl_size = le16_to_cpu(ppace[i]->size);
 		}
 
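Review bot: acl_base is now advanced only at the bottom of the loop body, after the ACE has been processed, where the old code set it immediately after computing ppace[i]. That is correct as long as there is no `continue` in the elided middle of the body (between the mode_from_special_sid check and this line); if one exists, the same ACE would be re-read on every remaining iteration. Worth confirming, or moving `acl_base = (char *)ppace[i];` back up next to the ppace[i] assignment where it cannot be skipped.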
@@ -1317,10 +1366,9 @@ static int build_sec_desc(struct smb_nts
 		}
 
 		dacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset);
-		if (end_of_acl < (char *)dacl_ptr + le16_to_cpu(dacl_ptr->size)) {
-			cifs_dbg(VFS, "Server returned illegal ACL size\n");
-			return -EINVAL;
-		}
+		rc = validate_dacl(dacl_ptr, end_of_acl);
+		if (rc)
+			return rc;
 	}
 
 	owner_sid_ptr = (struct smb_sid *)((char *)pntsd +
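Review bot: the replaced message "Server returned illegal ACL size" was the one log line that named the server as the source of the bad data; validate_dacl()'s messages drop that attribution, which matters to whoever triages a VFS log on a client talking to many servers. Consider logging once here on rc != 0 with the server context, or adding it to validate_dacl(). Also note this hunk assumes an `int rc` is already in scope in build_sec_desc(); the hunk does not show it.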
@@ -1697,6 +1745,12 @@ id_mode_to_cifs_acl(struct inode *inode,
 			}
 
 			dacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset);
+			rc = validate_dacl(dacl_ptr, (char *)pntsd + secdesclen);
+			if (rc) {
+				kfree(pntsd);
+				cifs_put_tlink(tlink);
+				return rc;
+			}
 			if (mode_from_sid)
 				nsecdesclen +=
 					le16_to_cpu(dacl_ptr->num_aces) * sizeof(struct smb_ace);
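Review bot: the new error path open-codes `kfree(pntsd); cifs_put_tlink(tlink); return rc;`, presumably the same unwind as the block closing just above it in the context; a shared goto label would keep the cleanup in one place and avoid a leak if another allocation is later inserted between the two exits. Also, the existing `nsecdesclen += num_aces * sizeof(struct smb_ace)` is only safe because validate_dacl() has just bounded num_aces by the DACL size; a comment to that effect would help.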



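The structural checks that both smb patches above depend on, as an added user-space model (example code, not the kernel's): it reproduces the bounds checks validate_dacl() applies over a raw DACL buffer and runs constructed well-formed and malformed DACLs through them. The struct layouts and the SID_MAX_SUB_AUTHORITIES value are assumed to match the kernel's definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SID_MAX_SUB_AUTHORITIES 15	/* assumed kernel value */

/* On-wire layouts, little-endian; all fields are naturally aligned. */
struct smb_sid {
	uint8_t  revision;
	uint8_t  num_subauth;
	uint8_t  authority[6];
	uint32_t sub_auth[SID_MAX_SUB_AUTHORITIES];
};
struct smb_acl {
	uint16_t revision;
	uint16_t size;
	uint16_t num_aces;
};
struct smb_ace {
	uint8_t  type;
	uint8_t  flags;
	uint16_t size;
	uint32_t access_req;
	struct smb_sid sid;
};
/* bytes of an ACE up to and including the fixed SID prefix (16) */
#define ACE_HDR (offsetof(struct smb_ace, sid) + offsetof(struct smb_sid, sub_auth))

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = (uint8_t)(v >> 8); }

/* The bounds checks validate_dacl() applies in the patch, over len bytes at the
 * DACL header: 0 if every ACE lies inside the DACL and its SID inside the ACE. */
int validate_dacl(const uint8_t *buf, size_t len)
{
	size_t off = sizeof(struct smb_acl), dacl_size, num_aces, i;
	if (len < sizeof(struct smb_acl))
		return -1;
	dacl_size = rd16(buf + offsetof(struct smb_acl, size));
	if (dacl_size < sizeof(struct smb_acl) || dacl_size > len)
		return -1;			/* declared DACL overruns the buffer */
	num_aces = rd16(buf + offsetof(struct smb_acl, num_aces));
	if (num_aces > (dacl_size - sizeof(struct smb_acl)) / (ACE_HDR + 4))
		return -1;			/* more ACEs claimed than could fit */
	for (i = 0; i < num_aces; i++) {
		size_t left = dacl_size - off, need, ace_size, nsub;
		if (left < ACE_HDR)
			return -1;		/* fixed ACE + SID prefix cut off */
		nsub = buf[off + offsetof(struct smb_ace, sid) +
			   offsetof(struct smb_sid, num_subauth)];
		if (nsub == 0 || nsub > SID_MAX_SUB_AUTHORITIES)
			return -1;		/* sub_auth[] index would go OOB */
		need = ACE_HDR + 4 * nsub;
		ace_size = rd16(buf + off + offsetof(struct smb_ace, size));
		if (left < need || ace_size < need || left < ace_size)
			return -1;		/* SID or declared ACE extent overruns */
		off += ace_size;
	}
	return 0;
}

/* Constructed input: n ACEs with the given sub-authority counts; the header's
 * num_aces is set to `claim` so a test can make it lie. */
size_t build_dacl(uint8_t *buf, const uint8_t *nsubs, size_t n, uint16_t claim)
{
	size_t off = sizeof(struct smb_acl), i;
	for (i = 0; i < n; i++) {
		size_t ace_size = ACE_HDR + 4 * nsubs[i];
		memset(buf + off, 0, ace_size);
		wr16(buf + off + offsetof(struct smb_ace, size), (uint16_t)ace_size);
		buf[off + offsetof(struct smb_ace, sid) +
		    offsetof(struct smb_sid, num_subauth)] = nsubs[i];
		off += ace_size;
	}
	memset(buf, 0, sizeof(struct smb_acl));
	wr16(buf + offsetof(struct smb_acl, size), (uint16_t)off);
	wr16(buf + offsetof(struct smb_acl, num_aces), claim);
	return off;
}

/* Runs four constructed DACLs through the validator; returns 0 when every
 * verdict matches, otherwise the number of the first case that does not. */
int run_cases(void)
{
	uint8_t buf[256];
	const uint8_t ok[] = { 1, 5 }, one[] = { 1 }, big[] = { 16 };
	size_t len;
	/* 1: two well-formed ACEs are accepted */
	if (validate_dacl(buf, build_dacl(buf, ok, 2, 2)) != 0) return 1;
	/* 2: header claims two ACEs but the body holds one: truncated DACL */
	if (validate_dacl(buf, build_dacl(buf, one, 1, 2)) != -1) return 2;
	/* 3: num_subauth above SID_MAX_SUB_AUTHORITIES */
	if (validate_dacl(buf, build_dacl(buf, big, 1, 1)) != -1) return 3;
	/* 4: declared DACL size exceeds the bytes actually received */
	len = build_dacl(buf, one, 1, 1);
	wr16(buf + offsetof(struct smb_acl, size), (uint16_t)(len + 8));
	if (validate_dacl(buf, len) != -1) return 4;
	return 0;
}
```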

* [PATCH 6.6 366/474] f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io()
@ 2026-05-15 15:47 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, syzbot+6e4cb1cac5efc96ea0ca,
	Yongpeng Yang, Chao Yu, Jaegeuk Kim, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yongpeng Yang <yangyongpeng@xiaomi.com>

[ Upstream commit 2d9c4a4ed4eef1f82c5b16b037aee8bad819fd53 ]

The xfstests case "generic/107" and syzbot have both reported a NULL
pointer dereference.

The concurrent scenario that triggers the panic is as follows:

F2FS_WB_CP_DATA write callback          umount
                                        - f2fs_write_checkpoint
                                         - f2fs_wait_on_all_pages(sbi, F2FS_WB_CP_DATA)
- blk_mq_end_request
 - bio_endio
  - f2fs_write_end_io
   : dec_page_count(sbi, F2FS_WB_CP_DATA)
   : wake_up(&sbi->cp_wait)
                                        - kill_f2fs_super
                                         - kill_block_super
                                          - f2fs_put_super
                                           : iput(sbi->node_inode)
                                           : sbi->node_inode = NULL
   : f2fs_in_warm_node_list
    - is_node_folio // sbi->node_inode is NULL and panic

The root cause is that f2fs_put_super() calls iput(sbi->node_inode) and
sets sbi->node_inode to NULL after sbi->nr_pages[F2FS_WB_CP_DATA] is
decremented to zero. As a result, f2fs_in_warm_node_list() may
dereference a NULL node_inode when checking whether a folio belongs to
the node inode, leading to a panic.

This patch fixes the issue by calling f2fs_in_warm_node_list() before
decrementing sbi->nr_pages[F2FS_WB_CP_DATA], thus preventing the
use-after-free condition.

Cc: stable@kernel.org
Fixes: 50fa53eccf9f ("f2fs: fix to avoid broken of dnode block list")
Reported-by: syzbot+6e4cb1cac5efc96ea0ca@syzkaller.appspotmail.com
Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[ folio => page ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/f2fs/data.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -356,6 +356,8 @@ static void f2fs_write_end_io(struct bio
 
 		f2fs_bug_on(sbi, page->mapping == NODE_MAPPING(sbi) &&
 					page->index != nid_of_node(page));
+		if (f2fs_in_warm_node_list(sbi, page))
+			f2fs_del_fsync_node_entry(sbi, page);
 
 		dec_page_count(sbi, type);
 
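Review bot: the ordering is the whole fix, and nothing in the code says so: once dec_page_count() takes F2FS_WB_CP_DATA to zero, the umount path may free sbi->node_inode, so f2fs_in_warm_node_list() must run before it. Suggest a comment above the moved call, e.g. `/* must precede dec_page_count(): after it umount may free sbi->node_inode */`, so a later cleanup does not reorder it back.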
@@ -367,8 +369,6 @@ static void f2fs_write_end_io(struct bio
 				wq_has_sleeper(&sbi->cp_wait))
 			wake_up(&sbi->cp_wait);
 
-		if (f2fs_in_warm_node_list(sbi, page))
-			f2fs_del_fsync_node_entry(sbi, page);
 		clear_page_private_gcing(page);
 		end_page_writeback(page);
 	}




* [PATCH 6.6 367/474] ksmbd: use msleep instead of schedule_timeout_interruptible()
@ 2026-05-15 15:47 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC
  To: stable; +Cc: Greg Kroah-Hartman, patches, Namjae Jeon, Steve French,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Namjae Jeon <linkinjeon@kernel.org>

[ Upstream commit f75f8bdd4ff4830abe31a1b94892eb12b85b9535 ]

Use msleep instead of schedule_timeout_interruptible()
to guarantee the task delays as expected.

Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Stable-dep-of: def036ef87f8 ("ksmbd: reset rcount per connection in ksmbd_conn_wait_idle_sess_id()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/smb/server/connection.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/smb/server/connection.c
+++ b/fs/smb/server/connection.c
@@ -495,7 +495,7 @@ again:
 	up_read(&conn_list_lock);
 
 	if (!list_empty(&conn_list)) {
-		schedule_timeout_interruptible(HZ / 10); /* 100ms */
+		msleep(100);
 		goto again;
 	}
 }
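Review bot: msleep() is uninterruptible where schedule_timeout_interruptible() returned early on a pending signal, which is the intended change, but the `goto again` loop stays unbounded: if a transport never leaves conn_list, this function spins forever in 100 ms steps. If that is acceptable because shutdown is expected to drain the list, a comment saying so would help; otherwise a retry cap with a warning would be safer. Dropping the `/* 100ms */` comment is fine since msleep(100) is self-describing.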




* [PATCH 6.6 368/474] ksmbd: replace connection list with hash table
@ 2026-05-15 15:47 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC
  To: stable; +Cc: Greg Kroah-Hartman, patches, Namjae Jeon, Steve French,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Namjae Jeon <linkinjeon@kernel.org>

[ Upstream commit 0bcc831be535269556f59cb70396f7e34f03a276 ]

Replace connection list with hash table to improve lookup performance.

Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Stable-dep-of: def036ef87f8 ("ksmbd: reset rcount per connection in ksmbd_conn_wait_idle_sess_id()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/smb/server/connection.c     |   23 +++++++++++------------
 fs/smb/server/connection.h     |    6 ++++--
 fs/smb/server/smb2pdu.c        |    4 ++--
 fs/smb/server/transport_rdma.c |    5 +++++
 fs/smb/server/transport_tcp.c  |   25 +++++++++++++++++++++----
 5 files changed, 43 insertions(+), 20 deletions(-)

--- a/fs/smb/server/connection.c
+++ b/fs/smb/server/connection.c
@@ -19,7 +19,7 @@ static DEFINE_MUTEX(init_lock);
 
 static struct ksmbd_conn_ops default_conn_ops;
 
-LIST_HEAD(conn_list);
+DEFINE_HASHTABLE(conn_list, CONN_HASH_BITS);
 DECLARE_RWSEM(conn_list_lock);
 
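Review bot: the table keeps the name conn_list although it is now a hash table keyed by a client address hash; renaming it (conn_hash or similar) would stop readers from reaching for list helpers on it. CONN_HASH_BITS of 12 also means 4096 bucket heads allocated statically in every build regardless of expected peer count; a sentence in the commit message justifying the size would help.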
 /**
@@ -33,7 +33,7 @@ DECLARE_RWSEM(conn_list_lock);
 void ksmbd_conn_free(struct ksmbd_conn *conn)
 {
 	down_write(&conn_list_lock);
-	list_del(&conn->conns_list);
+	hash_del(&conn->hlist);
 	up_write(&conn_list_lock);
 
 	xa_destroy(&conn->sessions);
@@ -78,7 +78,6 @@ struct ksmbd_conn *ksmbd_conn_alloc(void
 
 	init_waitqueue_head(&conn->req_running_q);
 	init_waitqueue_head(&conn->r_count_q);
-	INIT_LIST_HEAD(&conn->conns_list);
 	INIT_LIST_HEAD(&conn->requests);
 	INIT_LIST_HEAD(&conn->async_requests);
 	spin_lock_init(&conn->request_lock);
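Review bot: the removed INIT_LIST_HEAD() has no hlist counterpart, and ksmbd_conn_free() now calls hash_del() unconditionally. That is only safe for a connection that was never hash_add()ed (registration has moved into the transports) if conn->hlist is zero-initialized, since hash_del() -> hlist_del_init() skips an unhashed node; an explicit `INIT_HLIST_NODE(&conn->hlist);` here would make that invariant visible rather than relying on the allocator zeroing the struct.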
@@ -91,19 +90,17 @@ struct ksmbd_conn *ksmbd_conn_alloc(void
 
 	init_rwsem(&conn->session_lock);
 
-	down_write(&conn_list_lock);
-	list_add(&conn->conns_list, &conn_list);
-	up_write(&conn_list_lock);
 	return conn;
 }
 
 bool ksmbd_conn_lookup_dialect(struct ksmbd_conn *c)
 {
 	struct ksmbd_conn *t;
+	int bkt;
 	bool ret = false;
 
 	down_read(&conn_list_lock);
-	list_for_each_entry(t, &conn_list, conns_list) {
+	hash_for_each(conn_list, bkt, t, hlist) {
 		if (memcmp(t->ClientGUID, c->ClientGUID, SMB2_CLIENT_GUID_SIZE))
 			continue;
 
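Review bot: registration is moved out of ksmbd_conn_alloc() into the transports, so every transport must now remember to hash_add() under conn_list_lock; the two in this patch do, but a small ksmbd_conn_register() helper called from both would keep the lock discipline in one place. Separately, hash_for_each() here and in the other full walks visits every bucket regardless of how many connections exist, so with a 12-bit table and a handful of clients these paths do more work than the list walk they replace; only the per-IP limit in ksmbd_kthread_fn() benefits from the bucketed lookup.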
@@ -164,9 +161,10 @@ void ksmbd_conn_unlock(struct ksmbd_conn
 void ksmbd_all_conn_set_status(u64 sess_id, u32 status)
 {
 	struct ksmbd_conn *conn;
+	int bkt;
 
 	down_read(&conn_list_lock);
-	list_for_each_entry(conn, &conn_list, conns_list) {
+	hash_for_each(conn_list, bkt, conn, hlist) {
 		if (conn->binding || xa_load(&conn->sessions, sess_id))
 			WRITE_ONCE(conn->status, status);
 	}
@@ -182,14 +180,14 @@ int ksmbd_conn_wait_idle_sess_id(struct
 {
 	struct ksmbd_conn *conn;
 	int rc, retry_count = 0, max_timeout = 120;
-	int rcount = 1;
+	int rcount = 1, bkt;
 
 retry_idle:
 	if (retry_count >= max_timeout)
 		return -EIO;
 
 	down_read(&conn_list_lock);
-	list_for_each_entry(conn, &conn_list, conns_list) {
+	hash_for_each(conn_list, bkt, conn, hlist) {
 		if (conn->binding || xa_load(&conn->sessions, sess_id)) {
 			if (conn == curr_conn)
 				rcount = 2;
@@ -480,10 +478,11 @@ static void stop_sessions(void)
 {
 	struct ksmbd_conn *conn;
 	struct ksmbd_transport *t;
+	int bkt;
 
 again:
 	down_read(&conn_list_lock);
-	list_for_each_entry(conn, &conn_list, conns_list) {
+	hash_for_each(conn_list, bkt, conn, hlist) {
 		t = conn->transport;
 		ksmbd_conn_set_exiting(conn);
 		if (t->ops->shutdown) {
@@ -494,7 +493,7 @@ again:
 	}
 	up_read(&conn_list_lock);
 
-	if (!list_empty(&conn_list)) {
+	if (!hash_empty(conn_list)) {
 		msleep(100);
 		goto again;
 	}
--- a/fs/smb/server/connection.h
+++ b/fs/smb/server/connection.h
@@ -52,11 +52,12 @@ struct ksmbd_conn {
 		u8			inet6_addr[16];
 #endif
 	};
+	unsigned int			inet_hash;
 	char				*request_buf;
 	struct ksmbd_transport		*transport;
 	struct nls_table		*local_nls;
 	struct unicode_map		*um;
-	struct list_head		conns_list;
+	struct hlist_node		hlist;
 	struct rw_semaphore		session_lock;
 	/* smb session 1 per user */
 	struct xarray			sessions;
@@ -151,7 +152,8 @@ struct ksmbd_transport {
 #define KSMBD_TCP_SEND_TIMEOUT	(5 * HZ)
 #define KSMBD_TCP_PEER_SOCKADDR(c)	((struct sockaddr *)&((c)->peer_addr))
 
-extern struct list_head conn_list;
+#define CONN_HASH_BITS	12
+extern DECLARE_HASHTABLE(conn_list, CONN_HASH_BITS);
 extern struct rw_semaphore conn_list_lock;
 
 bool ksmbd_conn_alive(struct ksmbd_conn *conn);
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -7348,7 +7348,7 @@ int smb2_lock(struct ksmbd_work *work)
 	int nolock = 0;
 	LIST_HEAD(lock_list);
 	LIST_HEAD(rollback_list);
-	int prior_lock = 0;
+	int prior_lock = 0, bkt;
 
 	WORK_BUFFERS(work, req, rsp);
 
@@ -7458,7 +7458,7 @@ int smb2_lock(struct ksmbd_work *work)
 		nolock = 1;
 		/* check locks in connection list */
 		down_read(&conn_list_lock);
-		list_for_each_entry(conn, &conn_list, conns_list) {
+		hash_for_each(conn_list, bkt, conn, hlist) {
 			spin_lock(&conn->llist_lock);
 			list_for_each_entry_safe(cmp_lock, tmp2, &conn->lock_list, clist) {
 				if (file_inode(cmp_lock->fl->fl_file) !=
--- a/fs/smb/server/transport_rdma.c
+++ b/fs/smb/server/transport_rdma.c
@@ -381,6 +381,11 @@ static struct smb_direct_transport *allo
 	conn = ksmbd_conn_alloc();
 	if (!conn)
 		goto err;
+
+	down_write(&conn_list_lock);
+	hash_add(conn_list, &conn->hlist, 0);
+	up_write(&conn_list_lock);
+
 	conn->transport = KSMBD_TRANS(t);
 	KSMBD_TRANS(t)->conn = conn;
 	KSMBD_TRANS(t)->ops = &ksmbd_smb_direct_transport_ops;
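Review bot: RDMA connections are added with key 0 and never set conn->inet_hash, so they all share one bucket and are invisible to the per-IP limit walk in transport_tcp.c unless a TCP client's address happens to hash to 0; before this patch the list walk saw every connection. If RDMA peers are meant to be exempt from the limit, say so in a comment; otherwise compute inet_hash from the RDMA peer address the way the TCP path does.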
--- a/fs/smb/server/transport_tcp.c
+++ b/fs/smb/server/transport_tcp.c
@@ -89,13 +89,21 @@ static struct tcp_transport *alloc_trans
 	}
 
 #if IS_ENABLED(CONFIG_IPV6)
-	if (client_sk->sk->sk_family == AF_INET6)
+	if (client_sk->sk->sk_family == AF_INET6) {
 		memcpy(&conn->inet6_addr, &client_sk->sk->sk_v6_daddr, 16);
-	else
+		conn->inet_hash = ipv6_addr_hash(&client_sk->sk->sk_v6_daddr);
+	} else {
 		conn->inet_addr = inet_sk(client_sk->sk)->inet_daddr;
+		conn->inet_hash = ipv4_addr_hash(inet_sk(client_sk->sk)->inet_daddr);
+	}
 #else
 	conn->inet_addr = inet_sk(client_sk->sk)->inet_daddr;
+	conn->inet_hash = ipv4_addr_hash(inet_sk(client_sk->sk)->inet_daddr);
 #endif
+	down_write(&conn_list_lock);
+	hash_add(conn_list, &conn->hlist, conn->inet_hash);
+	up_write(&conn_list_lock);
+
 	conn->transport = KSMBD_TRANS(t);
 	KSMBD_TRANS(t)->conn = conn;
 	KSMBD_TRANS(t)->ops = &ksmbd_tcp_transport_ops;
@@ -242,7 +250,7 @@ static int ksmbd_kthread_fn(void *p)
 	struct socket *client_sk = NULL;
 	struct interface *iface = (struct interface *)p;
 	struct ksmbd_conn *conn;
-	int ret;
+	int ret, inet_hash;
 	unsigned int max_ip_conns;
 
 	while (!kthread_should_stop()) {
@@ -267,9 +275,18 @@ static int ksmbd_kthread_fn(void *p)
 		/*
 		 * Limits repeated connections from clients with the same IP.
 		 */
+#if IS_ENABLED(CONFIG_IPV6)
+		if (client_sk->sk->sk_family == AF_INET6)
+			inet_hash = ipv6_addr_hash(&client_sk->sk->sk_v6_daddr);
+		else
+			inet_hash = ipv4_addr_hash(inet_sk(client_sk->sk)->inet_daddr);
+#else
+		inet_hash = ipv4_addr_hash(inet_sk(client_sk->sk)->inet_daddr);
+#endif
+
 		max_ip_conns = 0;
 		down_read(&conn_list_lock);
-		list_for_each_entry(conn, &conn_list, conns_list) {
+		hash_for_each_possible(conn_list, conn, hlist, inet_hash) {
 #if IS_ENABLED(CONFIG_IPV6)
 			if (client_sk->sk->sk_family == AF_INET6) {
 				if (memcmp(&client_sk->sk->sk_v6_daddr,
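Review bot: the IPv4/IPv6 address-hash computation is now duplicated between alloc_transport() and ksmbd_kthread_fn(); a static helper taking the socket and returning the hash would keep the two in sync. hash_for_each_possible() walks one bucket that may hold colliding entries for different addresses, so the address comparison inside the loop is still required and is correctly kept. The count is still taken under the read lock while hash_add() happens later under the write lock in alloc_transport(), so concurrent accepts can still exceed max_ip_conns, as before this patch.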




* [PATCH 6.6 369/474] f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally
@ 2026-05-15 15:47 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, syzbot+62538b67389ee582837a,
	Chao Yu, Jaegeuk Kim, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chao Yu <chao@kernel.org>

[ Upstream commit 6af249c996f7d73a3435f9e577956fa259347d18 ]

Syzbot reported an f2fs bug as below:

------------[ cut here ]------------
kernel BUG at fs/f2fs/segment.c:1900!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 6527 Comm: syz.5.110 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:f2fs_issue_discard_timeout+0x59b/0x5a0 fs/f2fs/segment.c:1900
Code: d9 80 e1 07 80 c1 03 38 c1 0f 8c d6 fe ff ff 48 89 df e8 a8 5e fa fd e9 c9 fe ff ff e8 4e 46 94 fd 90 0f 0b e8 46 46 94 fd 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3
RSP: 0018:ffffc9000494f940 EFLAGS: 00010283
RAX: ffffffff843009ca RBX: 0000000000000001 RCX: 0000000000080000
RDX: ffffc9001ca78000 RSI: 00000000000029f3 RDI: 00000000000029f4
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffed100893a431 R12: 1ffff1100893a430
R13: 1ffff1100c2b702c R14: dffffc0000000000 R15: ffff8880449d2160
FS:  00007ffa35fed6c0(0000) GS:ffff88812643d000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2b68634000 CR3: 0000000039f62000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __f2fs_remount fs/f2fs/super.c:2960 [inline]
 f2fs_reconfigure+0x108a/0x1710 fs/f2fs/super.c:5443
 reconfigure_super+0x227/0x8a0 fs/super.c:1080
 do_remount fs/namespace.c:3391 [inline]
 path_mount+0xdc5/0x10e0 fs/namespace.c:4151
 do_mount fs/namespace.c:4172 [inline]
 __do_sys_mount fs/namespace.c:4361 [inline]
 __se_sys_mount+0x31d/0x420 fs/namespace.c:4338
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ffa37dbda0a

The root cause is that there is a race condition between f2fs_ioc_fitrim()
and f2fs_remount():

- f2fs_remount			- f2fs_ioc_fitrim
 - f2fs_issue_discard_timeout
  - __issue_discard_cmd
  - __drop_discard_cmd
  - __wait_all_discard_cmd
				 - f2fs_trim_fs
				  - f2fs_write_checkpoint
				   - f2fs_clear_prefree_segments
				    - f2fs_issue_discard
				     - __issue_discard_async
				      - __queue_discard_cmd
				       - __update_discard_tree_range
				        - __insert_discard_cmd
				         - __create_discard_cmd
				         : atomic_inc(&dcc->discard_cmd_cnt);
  - sanity check on dcc->discard_cmd_cnt (expect discard_cmd_cnt to be zero)

This will only happen when fitrim races with remount rw; if we remount to a
read-only filesystem, remount waits until mnt_pcp.mnt_writers drops to zero,
which means fitrim is not in progress at that time.

Cc: stable@kernel.org
Fixes: 2482c4325dfe ("f2fs: detect bug_on in f2fs_wait_discard_bios")
Reported-by: syzbot+62538b67389ee582837a@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-f2fs-devel/69b07d7c.050a0220.8df7.09a1.GAE@google.com
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[ dereferenced flags pointer (`*flags & SB_RDONLY`) to match `int *flags` remount signature ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/f2fs/f2fs.h    |    2 +-
 fs/f2fs/segment.c |    6 +++---
 fs/f2fs/super.c   |   11 ++++++++---
 3 files changed, 12 insertions(+), 7 deletions(-)

--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -3722,7 +3722,7 @@ bool f2fs_is_checkpointed_data(struct f2
 int f2fs_start_discard_thread(struct f2fs_sb_info *sbi);
 void f2fs_drop_discard_cmd(struct f2fs_sb_info *sbi);
 void f2fs_stop_discard_thread(struct f2fs_sb_info *sbi);
-bool f2fs_issue_discard_timeout(struct f2fs_sb_info *sbi);
+bool f2fs_issue_discard_timeout(struct f2fs_sb_info *sbi, bool need_check);
 void f2fs_clear_prefree_segments(struct f2fs_sb_info *sbi,
 					struct cp_control *cpc);
 void f2fs_dirty_to_prefree(struct f2fs_sb_info *sbi);
--- a/fs/f2fs/segment.c
+++ b/fs/f2fs/segment.c
@@ -1873,7 +1873,7 @@ void f2fs_stop_discard_thread(struct f2f
  *
  * Return true if issued all discard cmd or no discard cmd need issue, otherwise return false.
  */
-bool f2fs_issue_discard_timeout(struct f2fs_sb_info *sbi)
+bool f2fs_issue_discard_timeout(struct f2fs_sb_info *sbi, bool need_check)
 {
 	struct discard_cmd_control *dcc = SM_I(sbi)->dcc_info;
 	struct discard_policy dpolicy;
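Review bot: the kernel-doc block above this signature (ending with the "Return true if issued all discard cmd ..." line) still documents only the return value; add a `@need_check:` line saying it gates the discard_cmd_cnt sanity check and why a caller passes false (a concurrent f2fs_ioc_fitrim() may legitimately have queued commands).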
@@ -1890,7 +1890,7 @@ bool f2fs_issue_discard_timeout(struct f
 	/* just to make sure there is no pending discard commands */
 	__wait_all_discard_cmd(sbi, NULL);
 
-	f2fs_bug_on(sbi, atomic_read(&dcc->discard_cmd_cnt));
+	f2fs_bug_on(sbi, need_check && atomic_read(&dcc->discard_cmd_cnt));
 	return !dropped;
 }
 
@@ -2349,7 +2349,7 @@ static void destroy_discard_cmd_control(
 	 * Recovery can cache discard commands, so in error path of
 	 * fill_super(), it needs to give a chance to handle them.
 	 */
-	f2fs_issue_discard_timeout(sbi);
+	f2fs_issue_discard_timeout(sbi, true);
 
 	kfree(dcc);
 	SM_I(sbi)->dcc_info = NULL;
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -1612,7 +1612,7 @@ static void f2fs_put_super(struct super_
 	}
 
 	/* be sure to wait for any on-going discard commands */
-	done = f2fs_issue_discard_timeout(sbi);
+	done = f2fs_issue_discard_timeout(sbi, true);
 	if (f2fs_realtime_discard_enable(sbi) && !sbi->discard_blks && done) {
 		struct cp_control cpc = {
 			.reason = CP_UMOUNT | CP_TRIMMED,
@@ -1754,7 +1754,7 @@ static int f2fs_unfreeze(struct super_bl
 	 * will recover after removal of snapshot.
 	 */
 	if (test_opt(sbi, DISCARD) && !f2fs_hw_support_discard(sbi))
-		f2fs_issue_discard_timeout(sbi);
+		f2fs_issue_discard_timeout(sbi, true);
 
 	clear_sbi_flag(F2FS_SB(sb), SBI_IS_FREEZING);
 	return 0;
@@ -2515,7 +2515,12 @@ static int f2fs_remount(struct super_blo
 			need_stop_discard = true;
 		} else {
 			f2fs_stop_discard_thread(sbi);
-			f2fs_issue_discard_timeout(sbi);
+			/*
+			 * f2fs_ioc_fitrim() won't race w/ "remount ro"
+			 * so it's safe to check discard_cmd_cnt in
+			 * f2fs_issue_discard_timeout().
+			 */
+			f2fs_issue_discard_timeout(sbi, *flags & SB_RDONLY);
 			need_restart_discard = true;
 		}
 	}
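Review bot: `*flags & SB_RDONLY` relies on implicit int-to-bool conversion of a flag bit, which is valid C but reads as a mask rather than a condition; `!!(*flags & SB_RDONLY)` or a named local such as `bool remount_ro` would make the intent explicit. When the check is skipped, commands queued by a racing fitrim stay on dcc until the discard thread is restarted (`need_restart_discard = true` right below), which is worth stating in the comment.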




* [PATCH 6.6 370/474] wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()
@ 2026-05-15 15:47 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:47 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Daniel Hodges, Johannes Berg,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Hodges <git@danielhodges.dev>

[ Upstream commit ae5e95d4157481693be2317e3ffcd84e36010cbb ]

The mwifiex_adapter_cleanup() function uses timer_delete()
(non-synchronous) for the wakeup_timer before the adapter structure is
freed. This is incorrect because timer_delete() does not wait for any
running timer callback to complete.

If the wakeup_timer callback (wakeup_timer_fn) is executing when
mwifiex_adapter_cleanup() is called, the callback will continue to
access adapter fields (adapter->hw_status, adapter->if_ops.card_reset,
etc.) which may be freed by mwifiex_free_adapter() called later in the
mwifiex_remove_card() path.

Use timer_delete_sync() instead to ensure any running timer callback has
completed before returning.

Fixes: 4636187da60b ("mwifiex: add wakeup timer based recovery mechanism")
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Hodges <git@danielhodges.dev>
Link: https://patch.msgid.link/20260206194401.2346-1-git@danielhodges.dev
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
[ changed `timer_delete_sync()` to `del_timer_sync()` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/marvell/mwifiex/init.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/marvell/mwifiex/init.c
+++ b/drivers/net/wireless/marvell/mwifiex/init.c
@@ -386,7 +386,7 @@ static void mwifiex_invalidate_lists(str
 static void
 mwifiex_adapter_cleanup(struct mwifiex_adapter *adapter)
 {
-	del_timer(&adapter->wakeup_timer);
+	del_timer_sync(&adapter->wakeup_timer);
 	cancel_delayed_work_sync(&adapter->devdump_work);
 	mwifiex_cancel_all_pending_cmd(adapter);
 	wake_up_interruptible(&adapter->cmd_wait_q.wait);
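Review bot: the switch to del_timer_sync() at the top of mwifiex_adapter_cleanup() closes the race with a running wakeup_timer_fn, but del_timer_sync() does not prevent the callback from re-arming the timer after it returns; if wakeup_timer_fn can mod_timer() itself, timer_shutdown_sync() (available since 6.2) would be the safer choice before the adapter is freed. It is also worth confirming that no lock taken inside wakeup_timer_fn is held by the caller of this function, since del_timer_sync() waits for the callback and would deadlock in that case.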



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 371/474] lib: test_hmm: evict device pages on file close to avoid use-after-free
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (369 preceding siblings ...)
  2026-05-15 15:47 ` [PATCH 6.6 370/474] wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup() Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 372/474] arm64/mm: Enable batched TLB flush in unmap_hotplug_range() Greg Kroah-Hartman
                   ` (103 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alistair Popple, Zenghui Yu,
	Balbir Singh, David Hildenbrand, Jason Gunthorpe, Leon Romanovsky,
	Liam Howlett, Lorenzo Stoakes (Oracle), Michal Hocko,
	Mike Rapoport, Suren Baghdasaryan, Matthew Brost, Andrew Morton,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alistair Popple <apopple@nvidia.com>

[ Upstream commit 744dd97752ef1076a8d8672bb0d8aa2c7abc1144 ]

Patch series "Minor hmm_test fixes and cleanups".

Two bugfixes and a cleanup for the HMM kernel selftests.  These were mostly
reported by Zenghui Yu with special thanks to Lorenzo for analysing and
pointing out the problems.

This patch (of 3):

When dmirror_fops_release() is called it frees the dmirror struct but
doesn't migrate device private pages back to system memory first.  This
leaves those pages with a dangling zone_device_data pointer to the freed
dmirror.

If a subsequent fault occurs on those pages (e.g. during coredump) the
dmirror_devmem_fault() callback dereferences the stale pointer causing a
kernel panic.  This was reported [1] when running mm/ksft_hmm.sh on arm64,
where a test failure triggered SIGABRT and the resulting coredump walked
the VMAs faulting in the stale device private pages.

Fix this by calling dmirror_device_evict_chunk() for each devmem chunk in
dmirror_fops_release() to migrate all device private pages back to system
memory before freeing the dmirror struct.  The function is moved earlier
in the file to avoid a forward declaration.

Link: https://lore.kernel.org/20260331063445.3551404-1-apopple@nvidia.com
Link: https://lore.kernel.org/20260331063445.3551404-2-apopple@nvidia.com
Fixes: b2ef9f5a5cb3 ("mm/hmm/test: add selftest driver for HMM")
Signed-off-by: Alistair Popple <apopple@nvidia.com>
Reported-by: Zenghui Yu <zenghui.yu@linux.dev>
Closes: https://lore.kernel.org/linux-mm/8bd0396a-8997-4d2e-a13f-5aac033083d7@linux.dev/
Reviewed-by: Balbir Singh <balbirs@nvidia.com>
Tested-by: Zenghui Yu <zenghui.yu@linux.dev>
Cc: David Hildenbrand <david@kernel.org>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Leon Romanovsky <leon@kernel.org>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Zenghui Yu <zenghui.yu@linux.dev>
Cc: Matthew Brost <matthew.brost@intel.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[ kept the existing simpler `dmirror_device_evict_chunk()` body instead of the upstream compound-folio version ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 lib/test_hmm.c |   86 ++++++++++++++++++++++++++++++++-------------------------
 1 file changed, 49 insertions(+), 37 deletions(-)

--- a/lib/test_hmm.c
+++ b/lib/test_hmm.c
@@ -183,11 +183,60 @@ static int dmirror_fops_open(struct inod
 	return 0;
 }
 
+static void dmirror_device_evict_chunk(struct dmirror_chunk *chunk)
+{
+	unsigned long start_pfn = chunk->pagemap.range.start >> PAGE_SHIFT;
+	unsigned long end_pfn = chunk->pagemap.range.end >> PAGE_SHIFT;
+	unsigned long npages = end_pfn - start_pfn + 1;
+	unsigned long i;
+	unsigned long *src_pfns;
+	unsigned long *dst_pfns;
+
+	src_pfns = kvcalloc(npages, sizeof(*src_pfns), GFP_KERNEL | __GFP_NOFAIL);
+	dst_pfns = kvcalloc(npages, sizeof(*dst_pfns), GFP_KERNEL | __GFP_NOFAIL);
+
+	migrate_device_range(src_pfns, start_pfn, npages);
+	for (i = 0; i < npages; i++) {
+		struct page *dpage, *spage;
+
+		spage = migrate_pfn_to_page(src_pfns[i]);
+		if (!spage || !(src_pfns[i] & MIGRATE_PFN_MIGRATE))
+			continue;
+
+		if (WARN_ON(!is_device_private_page(spage) &&
+			    !is_device_coherent_page(spage)))
+			continue;
+		spage = BACKING_PAGE(spage);
+		dpage = alloc_page(GFP_HIGHUSER_MOVABLE | __GFP_NOFAIL);
+		lock_page(dpage);
+		copy_highpage(dpage, spage);
+		dst_pfns[i] = migrate_pfn(page_to_pfn(dpage));
+		if (src_pfns[i] & MIGRATE_PFN_WRITE)
+			dst_pfns[i] |= MIGRATE_PFN_WRITE;
+	}
+	migrate_device_pages(src_pfns, dst_pfns, npages);
+	migrate_device_finalize(src_pfns, dst_pfns, npages);
+	kvfree(src_pfns);
+	kvfree(dst_pfns);
+}
+
 static int dmirror_fops_release(struct inode *inode, struct file *filp)
 {
 	struct dmirror *dmirror = filp->private_data;
+	struct dmirror_device *mdevice = dmirror->mdevice;
+	int i;
 
 	mmu_interval_notifier_remove(&dmirror->notifier);
+
+	if (mdevice->devmem_chunks) {
+		for (i = 0; i < mdevice->devmem_count; i++) {
+			struct dmirror_chunk *devmem =
+				mdevice->devmem_chunks[i];
+
+			dmirror_device_evict_chunk(devmem);
+		}
+	}
+
 	xa_destroy(&dmirror->pt);
 	kfree(dmirror);
 	return 0;
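Review bot: the new loop in dmirror_fops_release() evicts every chunk of mdevice, not only the pages this dmirror instance migrated, so closing one file descriptor also migrates back device pages owned by any other open instance of the same test device; that is probably acceptable for a selftest driver but deserves a comment, and `i` should match the type of mdevice->devmem_count rather than being a plain int. Note also that dmirror_device_evict_chunk() is now reachable on every close and sizes two __GFP_NOFAIL kvcalloc() arrays by the whole chunk, so a large chunk makes close() unconditionally allocate both pfn arrays.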
@@ -1217,43 +1266,6 @@ static int dmirror_snapshot(struct dmirr
 	return ret;
 }
 
-static void dmirror_device_evict_chunk(struct dmirror_chunk *chunk)
-{
-	unsigned long start_pfn = chunk->pagemap.range.start >> PAGE_SHIFT;
-	unsigned long end_pfn = chunk->pagemap.range.end >> PAGE_SHIFT;
-	unsigned long npages = end_pfn - start_pfn + 1;
-	unsigned long i;
-	unsigned long *src_pfns;
-	unsigned long *dst_pfns;
-
-	src_pfns = kvcalloc(npages, sizeof(*src_pfns), GFP_KERNEL | __GFP_NOFAIL);
-	dst_pfns = kvcalloc(npages, sizeof(*dst_pfns), GFP_KERNEL | __GFP_NOFAIL);
-
-	migrate_device_range(src_pfns, start_pfn, npages);
-	for (i = 0; i < npages; i++) {
-		struct page *dpage, *spage;
-
-		spage = migrate_pfn_to_page(src_pfns[i]);
-		if (!spage || !(src_pfns[i] & MIGRATE_PFN_MIGRATE))
-			continue;
-
-		if (WARN_ON(!is_device_private_page(spage) &&
-			    !is_device_coherent_page(spage)))
-			continue;
-		spage = BACKING_PAGE(spage);
-		dpage = alloc_page(GFP_HIGHUSER_MOVABLE | __GFP_NOFAIL);
-		lock_page(dpage);
-		copy_highpage(dpage, spage);
-		dst_pfns[i] = migrate_pfn(page_to_pfn(dpage));
-		if (src_pfns[i] & MIGRATE_PFN_WRITE)
-			dst_pfns[i] |= MIGRATE_PFN_WRITE;
-	}
-	migrate_device_pages(src_pfns, dst_pfns, npages);
-	migrate_device_finalize(src_pfns, dst_pfns, npages);
-	kvfree(src_pfns);
-	kvfree(dst_pfns);
-}
-
 /* Removes free pages from the free list so they can't be re-allocated */
 static void dmirror_remove_free_pages(struct dmirror_chunk *devmem)
 {
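Review bot: this hunk is the removal half of the move; the body deleted here is identical to the one inserted before dmirror_fops_release() in the first hunk, so the only change is placement, and the stable trailer about keeping the simpler body applies equally to the relocated copy.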



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 372/474] arm64/mm: Enable batched TLB flush in unmap_hotplug_range()
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (370 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 371/474] lib: test_hmm: evict device pages on file close to avoid use-after-free Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 373/474] wifi: mt76: connac: introduce helper for mt7925 chipset Greg Kroah-Hartman
                   ` (102 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Will Deacon, linux-arm-kernel,
	linux-kernel, David Hildenbrand (Arm), Ryan Roberts,
	Anshuman Khandual, Catalin Marinas, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Anshuman Khandual <anshuman.khandual@arm.com>

[ Upstream commit 48478b9f791376b4b89018d7afdfd06865498f65 ]

During a memory hot remove operation, both linear and vmemmap mappings for
the memory range being removed get unmapped via unmap_hotplug_range() but
mapped pages get freed only for vmemmap mapping. This is just a sequential
operation where each table entry gets cleared, followed by a leaf specific
TLB flush, and then followed by memory free operation when applicable.

This approach was simple and uniform both for vmemmap and linear mappings.
But linear mapping might contain CONT marked block memory where it becomes
necessary to first clear out all entries in the range before a TLB flush.
This is as per the architecture requirement. Hence batch all TLB flushes
during the table tear down walk and finally do it in unmap_hotplug_range().

Prior to this fix, it was hypothetically possible for a speculative access
to a higher address in the contiguous block to fill the TLB with shattered
entries for the entire contiguous range after a lower address had already
been cleared and invalidated. Due to the table entries being shattered, the
subsequent TLB invalidation for the higher address would not then clear the
TLB entries for the lower address, meaning stale TLB entries could persist.

Besides, it also helps in improving the performance via TLBI range operation
along with reduced synchronization instructions. The time spent executing
unmap_hotplug_range() improved 97% measured over a 2GB memory hot removal
in a KVM guest.

This scheme is not applicable during vmemmap mapping tear down where memory
needs to be freed and hence a TLB flush is required after clearing out each
page table entry.

Cc: Will Deacon <will@kernel.org>
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-kernel@vger.kernel.org
Closes: https://lore.kernel.org/all/aWZYXhrT6D2M-7-N@willie-the-truck/
Fixes: bbd6ec605c0f ("arm64/mm: Enable memory hot remove")
Cc: stable@vger.kernel.org
Reviewed-by: David Hildenbrand (Arm) <david@kernel.org>
Reviewed-by: Ryan Roberts <ryan.roberts@arm.com>
Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
Signed-off-by: Anshuman Khandual <anshuman.khandual@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
[ replaced `__pte_clear()` with `pte_clear()` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/mm/mmu.c |   36 ++++++++++++++++++++----------------
 1 file changed, 20 insertions(+), 16 deletions(-)

--- a/arch/arm64/mm/mmu.c
+++ b/arch/arm64/mm/mmu.c
@@ -870,10 +870,14 @@ static void unmap_hotplug_pte_range(pmd_
 
 		WARN_ON(!pte_present(pte));
 		pte_clear(&init_mm, addr, ptep);
-		flush_tlb_kernel_range(addr, addr + PAGE_SIZE);
-		if (free_mapped)
+		if (free_mapped) {
+			/* CONT blocks are not supported in the vmemmap */
+			WARN_ON(pte_cont(pte));
+			flush_tlb_kernel_range(addr, addr + PAGE_SIZE);
 			free_hotplug_page_range(pte_page(pte),
 						PAGE_SIZE, altmap);
+		}
+		/* unmap_hotplug_range() flushes TLB for !free_mapped */
 	} while (addr += PAGE_SIZE, addr < end);
 }
 
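Review bot: the WARN_ON(pte_cont(pte)) inside the free_mapped branch only documents the assumption that the vmemmap never uses contiguous PTEs; if it ever fires, the per-entry flush_tlb_kernel_range(addr, addr + PAGE_SIZE) that follows is exactly the pattern the commit message describes as unsafe for CONT ranges, so consider flushing the whole CONT range (or bailing out) there instead of proceeding. The trailing comment should also say that deferring the flush is safe only because nothing is freed in the !free_mapped path.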
@@ -894,15 +898,14 @@ static void unmap_hotplug_pmd_range(pud_
 		WARN_ON(!pmd_present(pmd));
 		if (pmd_sect(pmd)) {
 			pmd_clear(pmdp);
-
-			/*
-			 * One TLBI should be sufficient here as the PMD_SIZE
-			 * range is mapped with a single block entry.
-			 */
-			flush_tlb_kernel_range(addr, addr + PAGE_SIZE);
-			if (free_mapped)
+			if (free_mapped) {
+				/* CONT blocks are not supported in the vmemmap */
+				WARN_ON(pmd_cont(pmd));
+				flush_tlb_kernel_range(addr, addr + PMD_SIZE);
 				free_hotplug_page_range(pmd_page(pmd),
 							PMD_SIZE, altmap);
+			}
+			/* unmap_hotplug_range() flushes TLB for !free_mapped */
 			continue;
 		}
 		WARN_ON(!pmd_table(pmd));
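Review bot: besides deferring the flush for !free_mapped, this hunk changes the free_mapped flush from PAGE_SIZE to PMD_SIZE and drops the removed comment's rationale that a single TLBI suffices for a block entry; that is a separate behavioural change (a range invalidation or more TLBI operations per block) that the commit message does not mention, so either call it out or keep the single-page flush if the block-entry argument still holds.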
@@ -927,15 +930,12 @@ static void unmap_hotplug_pud_range(p4d_
 		WARN_ON(!pud_present(pud));
 		if (pud_sect(pud)) {
 			pud_clear(pudp);
-
-			/*
-			 * One TLBI should be sufficient here as the PUD_SIZE
-			 * range is mapped with a single block entry.
-			 */
-			flush_tlb_kernel_range(addr, addr + PAGE_SIZE);
-			if (free_mapped)
+			if (free_mapped) {
+				flush_tlb_kernel_range(addr, addr + PUD_SIZE);
 				free_hotplug_page_range(pud_page(pud),
 							PUD_SIZE, altmap);
+			}
+			/* unmap_hotplug_range() flushes TLB for !free_mapped */
 			continue;
 		}
 		WARN_ON(!pud_table(pud));
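Review bot: unlike the PMD hunk there is no WARN_ON(pud_cont()) here, which is fine because the architecture has no contiguous PUD-level blocks, but a one-line comment would save the next reader from hunting for the asymmetry. Flushing a full PUD_SIZE range per block in the free_mapped path is also worth checking against the large-range fallback in flush_tlb_kernel_range(), since a 1GB range may end up as a full TLB flush per block.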
@@ -965,6 +965,7 @@ static void unmap_hotplug_p4d_range(pgd_
 static void unmap_hotplug_range(unsigned long addr, unsigned long end,
 				bool free_mapped, struct vmem_altmap *altmap)
 {
+	unsigned long start = addr;
 	unsigned long next;
 	pgd_t *pgdp, pgd;
 
@@ -986,6 +987,9 @@ static void unmap_hotplug_range(unsigned
 		WARN_ON(!pgd_present(pgd));
 		unmap_hotplug_p4d_range(pgdp, addr, next, free_mapped, altmap);
 	} while (addr = next, addr < end);
+
+	if (!free_mapped)
+		flush_tlb_kernel_range(start, end);
 }
 
 static void free_empty_pte_table(pmd_t *pmdp, unsigned long addr,
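Review bot: the final flush_tlb_kernel_range(start, end) covers the whole requested range even when the walk skipped most of it (the pgd_none/p4d_none continue paths clear nothing), which is correct but potentially a large invalidation; tracking the lowest and highest addresses actually cleared would keep the batched flush tight. A comment at the function head should also restate that callers with free_mapped=false depend on this final flush and must not free anything before it runs.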



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 373/474] wifi: mt76: connac: introduce helper for mt7925 chipset
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (371 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 372/474] arm64/mm: Enable batched TLB flush in unmap_hotplug_range() Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 374/474] wifi: mt76: mt792x: describe USB WFSYS reset with a descriptor Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Deren Wu,
	Felix Fietkau, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Deren Wu <deren.wu@mediatek.com>

[ Upstream commit 525209262f9c2999f6f5fa0c40b4519cd6acfa2e ]

Introduce is_mt7925() helper for new chipset. mt7925 runs the same
firmware download and mmio map flow as mt7921.

This is a preliminary patch to support mt7925 driver.

Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Deren Wu <deren.wu@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Stable-dep-of: 56154fef47d1 ("wifi: mt76: mt792x: fix mt7925u USB WFSYS reset handling")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/mediatek/mt76/mt76_connac.h     |    6 ++++++
 drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c |    4 ++--
 drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c |    3 ++-
 drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h |    2 +-
 4 files changed, 11 insertions(+), 4 deletions(-)

--- a/drivers/net/wireless/mediatek/mt76/mt76_connac.h
+++ b/drivers/net/wireless/mediatek/mt76/mt76_connac.h
@@ -172,6 +172,11 @@ struct mt76_connac_tx_free {
 
 extern const struct wiphy_wowlan_support mt76_connac_wowlan_support;
 
+static inline bool is_mt7925(struct mt76_dev *dev)
+{
+	return mt76_chip(dev) == 0x7925;
+}
+
 static inline bool is_mt7922(struct mt76_dev *dev)
 {
 	return mt76_chip(dev) == 0x7922;
@@ -245,6 +250,7 @@ static inline bool is_mt76_fw_txp(struct
 	switch (mt76_chip(dev)) {
 	case 0x7961:
 	case 0x7922:
+	case 0x7925:
 	case 0x7663:
 	case 0x7622:
 		return false;
--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c
@@ -170,7 +170,7 @@ void mt76_connac_write_hw_txp(struct mt7
 
 	txp->msdu_id[0] = cpu_to_le16(id | MT_MSDU_ID_VALID);
 
-	if (is_mt7663(dev) || is_mt7921(dev))
+	if (is_mt7663(dev) || is_mt7921(dev) || is_mt7925(dev))
 		last_mask = MT_TXD_LEN_LAST;
 	else
 		last_mask = MT_TXD_LEN_AMSDU_LAST |
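Review bot: the same is_mt7663() || is_mt7921() || is_mt7925() test now appears in both mt76_connac_write_hw_txp() and mt76_connac_txp_skb_unmap_hw(), and the mt7921/mt7925 pairing recurs in mt76_connac_mcu.c and mt76_connac_mcu.h; a single inline helper in mt76_connac.h expressing the "single LAST bit" TXP layout would keep the next chipset addition to one place.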
@@ -214,7 +214,7 @@ mt76_connac_txp_skb_unmap_hw(struct mt76
 	u32 last_mask;
 	int i;
 
-	if (is_mt7663(dev) || is_mt7921(dev))
+	if (is_mt7663(dev) || is_mt7921(dev) || is_mt7925(dev))
 		last_mask = MT_TXD_LEN_LAST;
 	else
 		last_mask = MT_TXD_LEN_MSDU_LAST;
--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
@@ -66,6 +66,7 @@ int mt76_connac_mcu_init_download(struct
 
 	if ((!is_connac_v1(dev) && addr == MCU_PATCH_ADDRESS) ||
 	    (is_mt7921(dev) && addr == 0x900000) ||
+	    (is_mt7925(dev) && addr == 0x900000) ||
 	    (is_mt7996(dev) && addr == 0x900000))
 		cmd = MCU_CMD(PATCH_START_REQ);
 	else
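Review bot: the added line duplicates the one above it with only the chip helper changed; `((is_mt7921(dev) || is_mt7925(dev)) && addr == 0x900000)` reads better and keeps the address literal in one place, and 0x900000 itself deserves a named define now that a second chip shares it.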
@@ -3080,7 +3081,7 @@ static u32 mt76_connac2_get_data_mode(st
 {
 	u32 mode = DL_MODE_NEED_RSP;
 
-	if (!is_mt7921(dev) || info == PATCH_SEC_NOT_SUPPORT)
+	if ((!is_mt7921(dev) && !is_mt7925(dev)) || info == PATCH_SEC_NOT_SUPPORT)
 		return mode;
 
 	switch (FIELD_GET(PATCH_SEC_ENC_TYPE_MASK, info)) {
--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h
+++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h
@@ -1739,7 +1739,7 @@ mt76_connac_mcu_gen_dl_mode(struct mt76_
 
 	ret |= feature_set & FW_FEATURE_SET_ENCRYPT ?
 	       DL_MODE_ENCRYPT | DL_MODE_RESET_SEC_IV : 0;
-	if (is_mt7921(dev))
+	if (is_mt7921(dev) || is_mt7925(dev))
 		ret |= feature_set & FW_FEATURE_ENCRY_MODE ?
 		       DL_CONFIG_ENCRY_MODE_SEL : 0;
 	ret |= FIELD_PREP(DL_MODE_KEY_IDX,



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 374/474] wifi: mt76: mt792x: describe USB WFSYS reset with a descriptor
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (372 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 373/474] wifi: mt76: connac: introduce helper for mt7925 chipset Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 375/474] wifi: mt76: mt792x: fix mt7925u USB WFSYS reset handling Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Wang, Felix Fietkau,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Wang <sean.wang@mediatek.com>

[ Upstream commit e6f48512c1ceebcd1ce6bb83df3b3d56a261507d ]

Prepare mt792xu_wfsys_reset() for chips that share the same USB WFSYS
reset flow but use different register definitions.

This is a pure refactor of the current mt7921u path and keeps the reset
sequence unchanged.

Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Link: https://patch.msgid.link/20260311002825.15502-1-sean.wang@kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Stable-dep-of: 56154fef47d1 ("wifi: mt76: mt792x: fix mt7925u USB WFSYS reset handling")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/mediatek/mt76/mt792x_usb.c |   40 +++++++++++++++++++-----
 1 file changed, 32 insertions(+), 8 deletions(-)

--- a/drivers/net/wireless/mediatek/mt76/mt792x_usb.c
+++ b/drivers/net/wireless/mediatek/mt76/mt792x_usb.c
@@ -208,6 +208,24 @@ static void mt792xu_epctl_rst_opt(struct
 	mt792xu_uhw_wr(&dev->mt76, MT_SSUSB_EPCTL_CSR_EP_RST_OPT, val);
 }
 
+struct mt792xu_wfsys_desc {
+	u32 rst_reg;
+	u32 done_reg;
+	u32 done_mask;
+	u32 done_val;
+	u32 delay_ms;
+	bool need_status_sel;
+};
+
+static const struct mt792xu_wfsys_desc mt7921_wfsys_desc = {
+	.rst_reg = MT_CBTOP_RGU_WF_SUBSYS_RST,
+	.done_reg = MT_UDMA_CONN_INFRA_STATUS,
+	.done_mask = MT_UDMA_CONN_WFSYS_INIT_DONE,
+	.done_val = MT_UDMA_CONN_WFSYS_INIT_DONE,
+	.delay_ms = 0,
+	.need_status_sel = true,
+};
+
 int mt792xu_dma_init(struct mt792x_dev *dev, bool resume)
 {
 	int err;
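Review bot: struct mt792xu_wfsys_desc uses delay_ms == 0 as an implicit "use usleep_range(10, 20) instead" sentinel and the done_mask/done_val pair as a generic equality match; both conventions should be documented on the struct so that a future descriptor does not set delay_ms = 0 expecting no delay at all.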
@@ -238,25 +256,31 @@ EXPORT_SYMBOL_GPL(mt792xu_dma_init);
 
 int mt792xu_wfsys_reset(struct mt792x_dev *dev)
 {
+	const struct mt792xu_wfsys_desc *desc = &mt7921_wfsys_desc;
 	u32 val;
 	int i;
 
 	mt792xu_epctl_rst_opt(dev, false);
 
-	val = mt792xu_uhw_rr(&dev->mt76, MT_CBTOP_RGU_WF_SUBSYS_RST);
+	val = mt792xu_uhw_rr(&dev->mt76, desc->rst_reg);
 	val |= MT_CBTOP_RGU_WF_SUBSYS_RST_WF_WHOLE_PATH;
-	mt792xu_uhw_wr(&dev->mt76, MT_CBTOP_RGU_WF_SUBSYS_RST, val);
+	mt792xu_uhw_wr(&dev->mt76, desc->rst_reg, val);
 
-	usleep_range(10, 20);
+	if (desc->delay_ms)
+		msleep(desc->delay_ms);
+	else
+		usleep_range(10, 20);
 
-	val = mt792xu_uhw_rr(&dev->mt76, MT_CBTOP_RGU_WF_SUBSYS_RST);
+	val = mt792xu_uhw_rr(&dev->mt76, desc->rst_reg);
 	val &= ~MT_CBTOP_RGU_WF_SUBSYS_RST_WF_WHOLE_PATH;
-	mt792xu_uhw_wr(&dev->mt76, MT_CBTOP_RGU_WF_SUBSYS_RST, val);
+	mt792xu_uhw_wr(&dev->mt76, desc->rst_reg, val);
+
+	if (desc->need_status_sel)
+		mt792xu_uhw_wr(&dev->mt76, MT_UDMA_CONN_INFRA_STATUS_SEL, 0);
 
-	mt792xu_uhw_wr(&dev->mt76, MT_UDMA_CONN_INFRA_STATUS_SEL, 0);
 	for (i = 0; i < MT792x_WFSYS_INIT_RETRY_COUNT; i++) {
-		val = mt792xu_uhw_rr(&dev->mt76, MT_UDMA_CONN_INFRA_STATUS);
-		if (val & MT_UDMA_CONN_WFSYS_INIT_DONE)
+		val = mt792xu_uhw_rr(&dev->mt76, desc->done_reg);
+		if ((val & desc->done_mask) == desc->done_val)
 			break;
 
 		msleep(100);
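Review bot: the completion test changed from `val & MT_UDMA_CONN_WFSYS_INIT_DONE` to `(val & desc->done_mask) == desc->done_val`, which is equivalent for mt7921 only if MT_UDMA_CONN_WFSYS_INIT_DONE is a single bit; please confirm, since a multi-bit mask would turn "any bit set" into "all bits set" and silently change the retry behaviour of what the commit calls a pure refactor. MT_CBTOP_RGU_WF_SUBSYS_RST_WF_WHOLE_PATH is also still hard-coded while rst_reg is per-chip, so the descriptor can only describe chips whose reset register shares that bit position.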



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 375/474] wifi: mt76: mt792x: fix mt7925u USB WFSYS reset handling
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (373 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 374/474] wifi: mt76: mt792x: describe USB WFSYS reset with a descriptor Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 376/474] PCI: epf-mhi: Return 0, not remaining timeout, when eDMA ops complete Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Wang, Felix Fietkau,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Wang <sean.wang@mediatek.com>

[ Upstream commit 56154fef47d104effa9f29ed3db4f805cbc0d640 ]

mt7925u uses different reset/status registers from mt7921u. Reusing the
mt7921u register set causes the WFSYS reset to fail.

Add a chip-specific descriptor in mt792xu_wfsys_reset() to select the
correct registers and fix mt7925u failing to initialize after a warm
reboot.

Fixes: d28e1a48952e ("wifi: mt76: mt792x: introduce mt792x-usb module")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Link: https://patch.msgid.link/20260311002825.15502-2-sean.wang@kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/mediatek/mt76/mt792x_regs.h |    4 ++++
 drivers/net/wireless/mediatek/mt76/mt792x_usb.c  |   13 ++++++++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)

--- a/drivers/net/wireless/mediatek/mt76/mt792x_regs.h
+++ b/drivers/net/wireless/mediatek/mt76/mt792x_regs.h
@@ -385,6 +385,10 @@
 #define MT_CBTOP_RGU_WF_SUBSYS_RST	MT_CBTOP_RGU(0x600)
 #define MT_CBTOP_RGU_WF_SUBSYS_RST_WF_WHOLE_PATH BIT(0)
 
+#define MT7925_CBTOP_RGU_WF_SUBSYS_RST	0x70028600
+#define MT7925_WFSYS_INIT_DONE_ADDR	0x184c1604
+#define MT7925_WFSYS_INIT_DONE		0x00001d1e
+
 #define MT_HW_BOUND			0x70010020
 #define MT_HW_CHIPID			0x70010200
 #define MT_HW_REV			0x70010204
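Review bot: MT7925_CBTOP_RGU_WF_SUBSYS_RST, MT7925_WFSYS_INIT_DONE_ADDR and MT7925_WFSYS_INIT_DONE are bare magic numbers with no comment on their origin; at least MT7925_WFSYS_INIT_DONE (0x1d1e, compared against the whole status register) should say what the value represents, and the reset define could be expressed relative to the existing MT_CBTOP_RGU() base if 0x70028600 fits that scheme.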
--- a/drivers/net/wireless/mediatek/mt76/mt792x_usb.c
+++ b/drivers/net/wireless/mediatek/mt76/mt792x_usb.c
@@ -226,6 +226,15 @@ static const struct mt792xu_wfsys_desc m
 	.need_status_sel = true,
 };
 
+static const struct mt792xu_wfsys_desc mt7925_wfsys_desc = {
+	.rst_reg = MT7925_CBTOP_RGU_WF_SUBSYS_RST,
+	.done_reg = MT7925_WFSYS_INIT_DONE_ADDR,
+	.done_mask = U32_MAX,
+	.done_val = MT7925_WFSYS_INIT_DONE,
+	.delay_ms = 20,
+	.need_status_sel = false,
+};
+
 int mt792xu_dma_init(struct mt792x_dev *dev, bool resume)
 {
 	int err;
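Review bot: with done_mask = U32_MAX the poll loop in mt792xu_wfsys_reset() succeeds only when the whole status register reads exactly MT7925_WFSYS_INIT_DONE; if any unrelated bit can be set in that register the reset will spin through MT792x_WFSYS_INIT_RETRY_COUNT and fail, so a narrower mask would be more robust. need_status_sel = false also skips the MT_UDMA_CONN_INFRA_STATUS_SEL write, which should be stated to be correct for this chip rather than left implicit.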
@@ -256,7 +265,9 @@ EXPORT_SYMBOL_GPL(mt792xu_dma_init);
 
 int mt792xu_wfsys_reset(struct mt792x_dev *dev)
 {
-	const struct mt792xu_wfsys_desc *desc = &mt7921_wfsys_desc;
+	const struct mt792xu_wfsys_desc *desc = is_mt7925(&dev->mt76) ?
+						&mt7925_wfsys_desc :
+						&mt7921_wfsys_desc;
 	u32 val;
 	int i;
 
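Review bot: selecting the descriptor with a ternary on is_mt7925(&dev->mt76) at declaration time is fine for two chips, but it will grow with each addition; a small table keyed on mt76_chip() or a per-chip pointer in the driver data would scale better. Nothing else in this hunk changes behaviour for mt7921u.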



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 376/474] PCI: epf-mhi: Return 0, not remaining timeout, when eDMA ops complete
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (374 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 375/474] wifi: mt76: mt792x: fix mt7925u USB WFSYS reset handling Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 377/474] thermal: core: Fix thermal zone governor cleanup issues Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Daniel Hodges, Manivannan Sadhasivam,
	Krishna Chaitanya Chundru, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Hodges <git@danielhodges.dev>

[ Upstream commit 36bfc3642b19a98f1302aed4437c331df9b481f0 ]

pci_epf_mhi_edma_read() and pci_epf_mhi_edma_write() start DMA
operations and wait for completion with a timeout.

On successful completion, they previously returned the remaining
timeout, which callers may treat as an error.  In particular,
mhi_ep_ring_add_element(), which calls pci_epf_mhi_edma_write() via
mhi_cntrl->write_sync(), interprets any non-zero return value as
failure.

Return 0 on success instead of the remaining timeout to prevent
mhi_ep_ring_add_element() from treating successful completion as an
error.

Fixes: 7b99aaaddabb ("PCI: epf-mhi: Add eDMA support")
Signed-off-by: Daniel Hodges <git@danielhodges.dev>
[mani: changed commit log as per https://lore.kernel.org/linux-pci/20260227191510.GA3904799@bhelgaas]
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Krishna Chaitanya Chundru <krishna.chundru@oss.qualcomm.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260206200529.10784-1-git@danielhodges.dev
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pci/endpoint/functions/pci-epf-mhi.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/pci/endpoint/functions/pci-epf-mhi.c
+++ b/drivers/pci/endpoint/functions/pci-epf-mhi.c
@@ -331,6 +331,8 @@ static int pci_epf_mhi_edma_read(struct
 		dev_err(dev, "DMA transfer timeout\n");
 		dmaengine_terminate_sync(chan);
 		ret = -ETIMEDOUT;
+	} else {
+		ret = 0;
 	}
 
 err_unmap:
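Review bot: the new `else` branch resets ret to 0 only on the timeout-check path; any earlier failure that jumps to err_unmap with a negative ret is unaffected, which is the intended behaviour, but a comment at this point explaining that ret otherwise still holds the remaining jiffies from the wait would help the next reader see why the else is needed.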
@@ -402,6 +404,8 @@ static int pci_epf_mhi_edma_write(struct
 		dev_err(dev, "DMA transfer timeout\n");
 		dmaengine_terminate_sync(chan);
 		ret = -ETIMEDOUT;
+	} else {
+		ret = 0;
 	}
 
 err_unmap:
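Review bot: this is the same change as in pci_epf_mhi_edma_read(), and the read and write paths are now identical around the timeout handling; factoring the wait-and-check into a shared helper that returns 0 or -ETIMEDOUT would stop the two copies from drifting apart again.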



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 377/474] thermal: core: Fix thermal zone governor cleanup issues
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (375 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 376/474] PCI: epf-mhi: Return 0, not remaining timeout, when eDMA ops complete Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 378/474] ipmi:ssif: Fix a shutdown race Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>

[ Upstream commit 41ff66baf81c6541f4f985dd7eac4494d03d9440 ]

If thermal_zone_device_register_with_trips() fails after adding
a thermal governor to the thermal zone being registered, the
governor is not removed from it as appropriate which may lead to
a memory leak.

In turn, thermal_zone_device_unregister() calls thermal_set_governor()
without acquiring the thermal zone lock beforehand which may race with
a governor update via sysfs and may lead to a use-after-free in that
case.

Address these issues by adding two thermal_set_governor() calls, one to
thermal_release() to remove the governor from the given thermal zone,
and one to the thermal zone registration error path to cover failures
preceding the thermal zone device registration.

Fixes: e33df1d2f3a0 ("thermal: let governors have private data for each thermal zone")
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://patch.msgid.link/5092923.31r3eYUQgx@rafael.j.wysocki
[ kept the `thermal_zone_create_device_groups(tz, mask)` signature when adding the new failure-path cleanup ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/thermal/thermal_core.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/thermal/thermal_core.c
+++ b/drivers/thermal/thermal_core.c
@@ -804,6 +804,7 @@ static void thermal_release(struct devic
 		     sizeof("thermal_zone") - 1)) {
 		tz = to_thermal_zone(dev);
 		thermal_zone_destroy_device_groups(tz);
+		thermal_set_governor(tz, NULL);
 		mutex_destroy(&tz->lock);
 		complete(&tz->removal);
 	} else if (!strncmp(dev_name(dev), "cooling_device",
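Review bot: thermal_set_governor(tz, NULL) in thermal_release() runs without tz->lock, which is acceptable only because the device's sysfs attributes are already gone by the time release runs, so the sysfs race described in the commit message cannot occur here; a short comment stating that would stop someone from "fixing" the missing lock later. The ordering before mutex_destroy() is correct.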
@@ -1325,8 +1326,10 @@ thermal_zone_device_register_with_trips(
 	/* sys I/F */
 	/* Add nodes that are always present via .groups */
 	result = thermal_zone_create_device_groups(tz, mask);
-	if (result)
+	if (result) {
+		thermal_set_governor(tz, NULL);
 		goto remove_id;
+	}
 
 	/* A new thermal zone needs to be updated anyway. */
 	atomic_set(&tz->need_update, 1);
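Review bot: the new cleanup covers only the thermal_zone_create_device_groups() failure; any other error between the governor being set and the device registration would still leak it, so if such paths exist an error label that performs thermal_set_governor(tz, NULL) and is reached by all of them would be cleaner than the inline call before `goto remove_id`.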
@@ -1478,8 +1481,6 @@ void thermal_zone_device_unregister(stru
 
 	cancel_delayed_work_sync(&tz->poll_queue);
 
-	thermal_set_governor(tz, NULL);
-
 	thermal_remove_hwmon_sysfs(tz);
 	ida_free(&thermal_tz_ida, tz->id);
 	ida_destroy(&tz->ida);
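Review bot: removing thermal_set_governor(tz, NULL) from thermal_zone_device_unregister() means the governor stays bound until thermal_release() runs, which may be after this function returns and after the hwmon sysfs and ida entries just below are released; confirm that no governor unbind callback touches those resources, otherwise the move reorders a use after their free.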



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 378/474] ipmi:ssif: Fix a shutdown race
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (376 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 377/474] thermal: core: Fix thermal zone governor cleanup issues Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 379/474] ipmi:ssif: Clean up kthread on errors Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Corey Minyard

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Corey Minyard <corey@minyard.net>

It was possible for the SSIF thread to stop and quit before the
kthread_stop() call because ssif->stopping was set before the
stop.  So only exit the SSIF thread if kthread_should_stop()
returns true.

There is no need to wake the thread, as the wait will be interrupted
by kthread_stop().

Signed-off-by: Corey Minyard <cminyard@mvista.com>
(cherry picked from commit 6bd0eb6d759b9a22c5509ea04e19c2e8407ba418)
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/char/ipmi/ipmi_ssif.c |    6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

--- a/drivers/char/ipmi/ipmi_ssif.c
+++ b/drivers/char/ipmi/ipmi_ssif.c
@@ -490,8 +490,6 @@ static int ipmi_ssif_thread(void *data)
 		/* Wait for something to do */
 		result = wait_for_completion_interruptible(
 						&ssif_info->wake_thread);
-		if (ssif_info->stopping)
-			break;
 		if (result == -ERESTARTSYS)
 			continue;
 		init_completion(&ssif_info->wake_thread);
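Review bot: with the ssif_info->stopping test removed, the only remaining exit from this loop is the kthread_should_stop() check in the loop header, which is outside the hunk; please confirm that is what the `continue` on -ERESTARTSYS reaches, because kthread_stop() wakes this wait by setting TIF_NOTIFY_SIGNAL on the task, so the -ERESTARTSYS branch is exactly the path taken at shutdown. If the header were ever changed to a plain `while (1)`, this hunk would turn the shutdown race into a thread that never exits, so a one-line comment above the wait saying "exit is via kthread_should_stop() in the loop condition" would be worth adding.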
@@ -1289,10 +1287,8 @@ static void shutdown_ssif(void *send_inf
 	ssif_info->stopping = true;
 	del_timer_sync(&ssif_info->watch_timer);
 	del_timer_sync(&ssif_info->retry_timer);
-	if (ssif_info->thread) {
-		complete(&ssif_info->wake_thread);
+	if (ssif_info->thread)
 		kthread_stop(ssif_info->thread);
-	}
 }
 
 static void ssif_remove(struct i2c_client *client)
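Review bot: ssif_info->stopping is still set at the top of shutdown_ssif(), but after this patch the thread no longer reads it; if its remaining readers are elsewhere (timer or I2C completion paths), a short comment here saying so would keep the next reader from assuming the flag is what stops the thread, since it is now kthread_stop() alone that does.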




* [PATCH 6.6 379/474] ipmi:ssif: Clean up kthread on errors
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (377 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 378/474] ipmi:ssif: Fix a shutdown race Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 380/474] ALSA: aoa: Use guard() for mutex locks Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Li Xiao, Corey Minyard

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Corey Minyard <corey@minyard.net>

If an error occurs after the ssif kthread is created, but before the
main IPMI code starts the ssif interface, the ssif kthread will not
be stopped.

So make sure the kthread is stopped on an error condition if it is
running.

Fixes: 259307074bfc ("ipmi: Add SMBus interface driver (SSIF)")
Reported-by: Li Xiao <252270051@hdu.edu.cn>
Cc: stable@vger.kernel.org
Reviewed-by: Li Xiao <252270051@hdu.edu.cn>
Signed-off-by: Corey Minyard <corey@minyard.net>
(cherry picked from commit 75c486cb1bcaa1a3ec3a6438498176a3a4998ae4)
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/char/ipmi/ipmi_ssif.c |   13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

--- a/drivers/char/ipmi/ipmi_ssif.c
+++ b/drivers/char/ipmi/ipmi_ssif.c
@@ -1287,8 +1287,10 @@ static void shutdown_ssif(void *send_inf
 	ssif_info->stopping = true;
 	del_timer_sync(&ssif_info->watch_timer);
 	del_timer_sync(&ssif_info->retry_timer);
-	if (ssif_info->thread)
+	if (ssif_info->thread) {
 		kthread_stop(ssif_info->thread);
+		ssif_info->thread = NULL;
+	}
 }
 
 static void ssif_remove(struct i2c_client *client)
@@ -1913,6 +1915,15 @@ static int ssif_probe(struct i2c_client
 
  out:
 	if (rv) {
+		/*
+		 * If ipmi_register_smi() starts the interface, it will
+		 * call shutdown and that will free the thread and set
+		 * it to NULL.  Otherwise it must be freed here.
+		 */
+		if (ssif_info->thread) {
+			kthread_stop(ssif_info->thread);
+			ssif_info->thread = NULL;
+		}
 		if (addr_info)
 			addr_info->client = NULL;
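Review bot: the comment says shutdown "will free the thread"; kthread_stop() only stops the kthread and drops its task reference, nothing is freed, so "stop the thread" would be accurate. Two things worth stating in that comment as well: the `ssif_info->thread = NULL` added to shutdown_ssif() in the hunk above is what prevents a second kthread_stop() here when ipmi_register_smi() has already started and shut down the interface, and this cleanup only works together with patch 378/474 of this series, which made ipmi_ssif_thread() exit on kthread_should_stop() alone, so kthread_stop() is sufficient here without setting ssif_info->stopping first.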
 




* [PATCH 6.6 380/474] ALSA: aoa: Use guard() for mutex locks
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (378 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 379/474] ipmi:ssif: Clean up kthread on errors Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 381/474] ALSA: aoa: i2sbus: clear stale prepared state Greg Kroah-Hartman
                   ` (94 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

[ Upstream commit 1cb6ecbb372002ef9e531c5377e5f60122411e40 ]

Replace the manual mutex lock/unlock pairs with guard() for code
simplification.

Only code refactoring, and no behavior change.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20250829151335.7342-14-tiwai@suse.de
Stable-dep-of: 5ed060d54915 ("ALSA: aoa: i2sbus: clear stale prepared state")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/aoa/codecs/onyx.c         |  104 +++++++++++-------------------------
 sound/aoa/codecs/tas.c          |  113 +++++++++++++---------------------------
 sound/aoa/core/gpio-feature.c   |   20 ++-----
 sound/aoa/core/gpio-pmf.c       |   26 +++------
 sound/aoa/soundbus/i2sbus/pcm.c |   76 ++++++++------------------
 5 files changed, 112 insertions(+), 227 deletions(-)

--- a/sound/aoa/codecs/onyx.c
+++ b/sound/aoa/codecs/onyx.c
@@ -121,10 +121,9 @@ static int onyx_snd_vol_get(struct snd_k
 	struct onyx *onyx = snd_kcontrol_chip(kcontrol);
 	s8 l, r;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 	onyx_read_register(onyx, ONYX_REG_DAC_ATTEN_LEFT, &l);
 	onyx_read_register(onyx, ONYX_REG_DAC_ATTEN_RIGHT, &r);
-	mutex_unlock(&onyx->mutex);
 
 	ucontrol->value.integer.value[0] = l + VOLUME_RANGE_SHIFT;
 	ucontrol->value.integer.value[1] = r + VOLUME_RANGE_SHIFT;
@@ -145,15 +144,13 @@ static int onyx_snd_vol_put(struct snd_k
 	    ucontrol->value.integer.value[1] > -1 + VOLUME_RANGE_SHIFT)
 		return -EINVAL;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 	onyx_read_register(onyx, ONYX_REG_DAC_ATTEN_LEFT, &l);
 	onyx_read_register(onyx, ONYX_REG_DAC_ATTEN_RIGHT, &r);
 
 	if (l + VOLUME_RANGE_SHIFT == ucontrol->value.integer.value[0] &&
-	    r + VOLUME_RANGE_SHIFT == ucontrol->value.integer.value[1]) {
-		mutex_unlock(&onyx->mutex);
+	    r + VOLUME_RANGE_SHIFT == ucontrol->value.integer.value[1])
 		return 0;
-	}
 
 	onyx_write_register(onyx, ONYX_REG_DAC_ATTEN_LEFT,
 			    ucontrol->value.integer.value[0]
@@ -161,7 +158,6 @@ static int onyx_snd_vol_put(struct snd_k
 	onyx_write_register(onyx, ONYX_REG_DAC_ATTEN_RIGHT,
 			    ucontrol->value.integer.value[1]
 			     - VOLUME_RANGE_SHIFT);
-	mutex_unlock(&onyx->mutex);
 
 	return 1;
 }
@@ -197,9 +193,8 @@ static int onyx_snd_inputgain_get(struct
 	struct onyx *onyx = snd_kcontrol_chip(kcontrol);
 	u8 ig;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 	onyx_read_register(onyx, ONYX_REG_ADC_CONTROL, &ig);
-	mutex_unlock(&onyx->mutex);
 
 	ucontrol->value.integer.value[0] =
 		(ig & ONYX_ADC_PGA_GAIN_MASK) + INPUTGAIN_RANGE_SHIFT;
@@ -216,14 +211,13 @@ static int onyx_snd_inputgain_put(struct
 	if (ucontrol->value.integer.value[0] < 3 + INPUTGAIN_RANGE_SHIFT ||
 	    ucontrol->value.integer.value[0] > 28 + INPUTGAIN_RANGE_SHIFT)
 		return -EINVAL;
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 	onyx_read_register(onyx, ONYX_REG_ADC_CONTROL, &v);
 	n = v;
 	n &= ~ONYX_ADC_PGA_GAIN_MASK;
 	n |= (ucontrol->value.integer.value[0] - INPUTGAIN_RANGE_SHIFT)
 		& ONYX_ADC_PGA_GAIN_MASK;
 	onyx_write_register(onyx, ONYX_REG_ADC_CONTROL, n);
-	mutex_unlock(&onyx->mutex);
 
 	return n != v;
 }
@@ -251,9 +245,8 @@ static int onyx_snd_capture_source_get(s
 	struct onyx *onyx = snd_kcontrol_chip(kcontrol);
 	s8 v;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 	onyx_read_register(onyx, ONYX_REG_ADC_CONTROL, &v);
-	mutex_unlock(&onyx->mutex);
 
 	ucontrol->value.enumerated.item[0] = !!(v&ONYX_ADC_INPUT_MIC);
 
@@ -264,13 +257,12 @@ static void onyx_set_capture_source(stru
 {
 	s8 v;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 	onyx_read_register(onyx, ONYX_REG_ADC_CONTROL, &v);
 	v &= ~ONYX_ADC_INPUT_MIC;
 	if (mic)
 		v |= ONYX_ADC_INPUT_MIC;
 	onyx_write_register(onyx, ONYX_REG_ADC_CONTROL, v);
-	mutex_unlock(&onyx->mutex);
 }
 
 static int onyx_snd_capture_source_put(struct snd_kcontrol *kcontrol,
@@ -311,9 +303,8 @@ static int onyx_snd_mute_get(struct snd_
 	struct onyx *onyx = snd_kcontrol_chip(kcontrol);
 	u8 c;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 	onyx_read_register(onyx, ONYX_REG_DAC_CONTROL, &c);
-	mutex_unlock(&onyx->mutex);
 
 	ucontrol->value.integer.value[0] = !(c & ONYX_MUTE_LEFT);
 	ucontrol->value.integer.value[1] = !(c & ONYX_MUTE_RIGHT);
@@ -328,9 +319,9 @@ static int onyx_snd_mute_put(struct snd_
 	u8 v = 0, c = 0;
 	int err = -EBUSY;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 	if (onyx->analog_locked)
-		goto out_unlock;
+		return -EBUSY;
 
 	onyx_read_register(onyx, ONYX_REG_DAC_CONTROL, &v);
 	c = v;
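Review bot: `int err = -EBUSY;` is now a dead initializer: the only path that used that value was the `goto out_unlock`, which this hunk turns into `return -EBUSY;`, and err is assigned from onyx_write_register() before its only remaining use. Dropping the initializer (`int err;`) lets the compiler flag any future path that reads it unset; the same pattern applies to the `err` in onyx_snd_single_bit_put() below, whose `err = -EBUSY; goto out_unlock;` also becomes a bare return.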
@@ -341,9 +332,6 @@ static int onyx_snd_mute_put(struct snd_
 		c |= ONYX_MUTE_RIGHT;
 	err = onyx_write_register(onyx, ONYX_REG_DAC_CONTROL, c);
 
- out_unlock:
-	mutex_unlock(&onyx->mutex);
-
 	return !err ? (v != c) : err;
 }
 
@@ -372,9 +360,8 @@ static int onyx_snd_single_bit_get(struc
 	u8 address = (pv >> 8) & 0xff;
 	u8 mask = pv & 0xff;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 	onyx_read_register(onyx, address, &c);
-	mutex_unlock(&onyx->mutex);
 
 	ucontrol->value.integer.value[0] = !!(c & mask) ^ polarity;
 
@@ -393,11 +380,10 @@ static int onyx_snd_single_bit_put(struc
 	u8 address = (pv >> 8) & 0xff;
 	u8 mask = pv & 0xff;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 	if (spdiflock && onyx->spdif_locked) {
 		/* even if alsamixer doesn't care.. */
-		err = -EBUSY;
-		goto out_unlock;
+		return -EBUSY;
 	}
 	onyx_read_register(onyx, address, &v);
 	c = v;
@@ -406,9 +392,6 @@ static int onyx_snd_single_bit_put(struc
 		c |= mask;
 	err = onyx_write_register(onyx, address, c);
 
- out_unlock:
-	mutex_unlock(&onyx->mutex);
-
 	return !err ? (v != c) : err;
 }
 
@@ -489,7 +472,7 @@ static int onyx_spdif_get(struct snd_kco
 	struct onyx *onyx = snd_kcontrol_chip(kcontrol);
 	u8 v;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 	onyx_read_register(onyx, ONYX_REG_DIG_INFO1, &v);
 	ucontrol->value.iec958.status[0] = v & 0x3e;
 
@@ -501,7 +484,6 @@ static int onyx_spdif_get(struct snd_kco
 
 	onyx_read_register(onyx, ONYX_REG_DIG_INFO4, &v);
 	ucontrol->value.iec958.status[4] = v & 0x0f;
-	mutex_unlock(&onyx->mutex);
 
 	return 0;
 }
@@ -512,7 +494,7 @@ static int onyx_spdif_put(struct snd_kco
 	struct onyx *onyx = snd_kcontrol_chip(kcontrol);
 	u8 v;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 	onyx_read_register(onyx, ONYX_REG_DIG_INFO1, &v);
 	v = (v & ~0x3e) | (ucontrol->value.iec958.status[0] & 0x3e);
 	onyx_write_register(onyx, ONYX_REG_DIG_INFO1, v);
@@ -527,7 +509,6 @@ static int onyx_spdif_put(struct snd_kco
 	onyx_read_register(onyx, ONYX_REG_DIG_INFO4, &v);
 	v = (v & ~0x0f) | (ucontrol->value.iec958.status[4] & 0x0f);
 	onyx_write_register(onyx, ONYX_REG_DIG_INFO4, v);
-	mutex_unlock(&onyx->mutex);
 
 	return 1;
 }
@@ -672,14 +653,13 @@ static int onyx_usable(struct codec_info
 	struct onyx *onyx = cii->codec_data;
 	int spdif_enabled, analog_enabled;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 	onyx_read_register(onyx, ONYX_REG_DIG_INFO4, &v);
 	spdif_enabled = !!(v & ONYX_SPDIF_ENABLE);
 	onyx_read_register(onyx, ONYX_REG_DAC_CONTROL, &v);
 	analog_enabled =
 		(v & (ONYX_MUTE_RIGHT|ONYX_MUTE_LEFT))
 		 != (ONYX_MUTE_RIGHT|ONYX_MUTE_LEFT);
-	mutex_unlock(&onyx->mutex);
 
 	switch (ti->tag) {
 	case 0: return 1;
@@ -695,9 +675,8 @@ static int onyx_prepare(struct codec_inf
 {
 	u8 v;
 	struct onyx *onyx = cii->codec_data;
-	int err = -EBUSY;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 
 #ifdef SNDRV_PCM_FMTBIT_COMPRESSED_16BE
 	if (substream->runtime->format == SNDRV_PCM_FMTBIT_COMPRESSED_16BE) {
@@ -706,10 +685,9 @@ static int onyx_prepare(struct codec_inf
 		if (onyx_write_register(onyx,
 					ONYX_REG_DAC_CONTROL,
 					v | ONYX_MUTE_RIGHT | ONYX_MUTE_LEFT))
-			goto out_unlock;
+			return -EBUSY;
 		onyx->analog_locked = 1;
-		err = 0;
-		goto out_unlock;
+		return 0;
 	}
 #endif
 	switch (substream->runtime->rate) {
@@ -719,8 +697,7 @@ static int onyx_prepare(struct codec_inf
 		/* these rates are ok for all outputs */
 		/* FIXME: program spdif channel control bits here so that
 		 *	  userspace doesn't have to if it only plays pcm! */
-		err = 0;
-		goto out_unlock;
+		return 0;
 	default:
 		/* got some rate that the digital output can't do,
 		 * so disable and lock it */
@@ -728,16 +705,12 @@ static int onyx_prepare(struct codec_inf
 		if (onyx_write_register(onyx,
 					ONYX_REG_DIG_INFO4,
 					v & ~ONYX_SPDIF_ENABLE))
-			goto out_unlock;
+			return -EBUSY;
 		onyx->spdif_locked = 1;
-		err = 0;
-		goto out_unlock;
+		return 0;
 	}
 
- out_unlock:
-	mutex_unlock(&onyx->mutex);
-
-	return err;
+	return -EBUSY;
 }
 
 static int onyx_open(struct codec_info_item *cii,
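Review bot: the trailing `return -EBUSY;` is unreachable, since every arm of the switch (including default) returns, so a reader may look for a fall-through case that does not exist; a one-line comment marking it as the compiler-satisfying fallback would help. Behaviour is otherwise preserved: both register-write failure paths return -EBUSY exactly as the removed `err` initializer did, and the mutex is released on every return by the guard.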
@@ -745,9 +718,8 @@ static int onyx_open(struct codec_info_i
 {
 	struct onyx *onyx = cii->codec_data;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 	onyx->open_count++;
-	mutex_unlock(&onyx->mutex);
 
 	return 0;
 }
@@ -757,11 +729,10 @@ static int onyx_close(struct codec_info_
 {
 	struct onyx *onyx = cii->codec_data;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 	onyx->open_count--;
 	if (!onyx->open_count)
 		onyx->spdif_locked = onyx->analog_locked = 0;
-	mutex_unlock(&onyx->mutex);
 
 	return 0;
 }
@@ -771,7 +742,7 @@ static int onyx_switch_clock(struct code
 {
 	struct onyx *onyx = cii->codec_data;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 	/* this *MUST* be more elaborate later... */
 	switch (what) {
 	case CLOCK_SWITCH_PREPARE_SLAVE:
@@ -783,7 +754,6 @@ static int onyx_switch_clock(struct code
 	default: /* silence warning */
 		break;
 	}
-	mutex_unlock(&onyx->mutex);
 
 	return 0;
 }
@@ -794,27 +764,21 @@ static int onyx_suspend(struct codec_inf
 {
 	struct onyx *onyx = cii->codec_data;
 	u8 v;
-	int err = -ENXIO;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 	if (onyx_read_register(onyx, ONYX_REG_CONTROL, &v))
-		goto out_unlock;
+		return -ENXIO;
 	onyx_write_register(onyx, ONYX_REG_CONTROL, v | ONYX_ADPSV | ONYX_DAPSV);
 	/* Apple does a sleep here but the datasheet says to do it on resume */
-	err = 0;
- out_unlock:
-	mutex_unlock(&onyx->mutex);
-
-	return err;
+	return 0;
 }
 
 static int onyx_resume(struct codec_info_item *cii)
 {
 	struct onyx *onyx = cii->codec_data;
 	u8 v;
-	int err = -ENXIO;
 
-	mutex_lock(&onyx->mutex);
+	guard(mutex)(&onyx->mutex);
 
 	/* reset codec */
 	onyx->codec.gpio->methods->set_hw_reset(onyx->codec.gpio, 0);
@@ -826,17 +790,13 @@ static int onyx_resume(struct codec_info
 
 	/* take codec out of suspend (if it still is after reset) */
 	if (onyx_read_register(onyx, ONYX_REG_CONTROL, &v))
-		goto out_unlock;
+		return -ENXIO;
 	onyx_write_register(onyx, ONYX_REG_CONTROL, v & ~(ONYX_ADPSV | ONYX_DAPSV));
 	/* FIXME: should divide by sample rate, but 8k is the lowest we go */
 	msleep(2205000/8000);
 	/* reset all values */
 	onyx_register_init(onyx);
-	err = 0;
- out_unlock:
-	mutex_unlock(&onyx->mutex);
-
-	return err;
+	return 0;
 }
 
 #endif /* CONFIG_PM */
--- a/sound/aoa/codecs/tas.c
+++ b/sound/aoa/codecs/tas.c
@@ -235,10 +235,9 @@ static int tas_snd_vol_get(struct snd_kc
 {
 	struct tas *tas = snd_kcontrol_chip(kcontrol);
 
-	mutex_lock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
 	ucontrol->value.integer.value[0] = tas->cached_volume_l;
 	ucontrol->value.integer.value[1] = tas->cached_volume_r;
-	mutex_unlock(&tas->mtx);
 	return 0;
 }
 
@@ -254,18 +253,15 @@ static int tas_snd_vol_put(struct snd_kc
 	    ucontrol->value.integer.value[1] > 177)
 		return -EINVAL;
 
-	mutex_lock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
 	if (tas->cached_volume_l == ucontrol->value.integer.value[0]
-	 && tas->cached_volume_r == ucontrol->value.integer.value[1]) {
-		mutex_unlock(&tas->mtx);
+	 && tas->cached_volume_r == ucontrol->value.integer.value[1])
 		return 0;
-	}
 
 	tas->cached_volume_l = ucontrol->value.integer.value[0];
 	tas->cached_volume_r = ucontrol->value.integer.value[1];
 	if (tas->hw_enabled)
 		tas_set_volume(tas);
-	mutex_unlock(&tas->mtx);
 	return 1;
 }
 
@@ -285,10 +281,9 @@ static int tas_snd_mute_get(struct snd_k
 {
 	struct tas *tas = snd_kcontrol_chip(kcontrol);
 
-	mutex_lock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
 	ucontrol->value.integer.value[0] = !tas->mute_l;
 	ucontrol->value.integer.value[1] = !tas->mute_r;
-	mutex_unlock(&tas->mtx);
 	return 0;
 }
 
@@ -297,18 +292,15 @@ static int tas_snd_mute_put(struct snd_k
 {
 	struct tas *tas = snd_kcontrol_chip(kcontrol);
 
-	mutex_lock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
 	if (tas->mute_l == !ucontrol->value.integer.value[0]
-	 && tas->mute_r == !ucontrol->value.integer.value[1]) {
-		mutex_unlock(&tas->mtx);
+	 && tas->mute_r == !ucontrol->value.integer.value[1])
 		return 0;
-	}
 
 	tas->mute_l = !ucontrol->value.integer.value[0];
 	tas->mute_r = !ucontrol->value.integer.value[1];
 	if (tas->hw_enabled)
 		tas_set_volume(tas);
-	mutex_unlock(&tas->mtx);
 	return 1;
 }
 
@@ -337,10 +329,9 @@ static int tas_snd_mixer_get(struct snd_
 	struct tas *tas = snd_kcontrol_chip(kcontrol);
 	int idx = kcontrol->private_value;
 
-	mutex_lock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
 	ucontrol->value.integer.value[0] = tas->mixer_l[idx];
 	ucontrol->value.integer.value[1] = tas->mixer_r[idx];
-	mutex_unlock(&tas->mtx);
 
 	return 0;
 }
@@ -351,19 +342,16 @@ static int tas_snd_mixer_put(struct snd_
 	struct tas *tas = snd_kcontrol_chip(kcontrol);
 	int idx = kcontrol->private_value;
 
-	mutex_lock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
 	if (tas->mixer_l[idx] == ucontrol->value.integer.value[0]
-	 && tas->mixer_r[idx] == ucontrol->value.integer.value[1]) {
-		mutex_unlock(&tas->mtx);
+	 && tas->mixer_r[idx] == ucontrol->value.integer.value[1])
 		return 0;
-	}
 
 	tas->mixer_l[idx] = ucontrol->value.integer.value[0];
 	tas->mixer_r[idx] = ucontrol->value.integer.value[1];
 
 	if (tas->hw_enabled)
 		tas_set_mixer(tas);
-	mutex_unlock(&tas->mtx);
 	return 1;
 }
 
@@ -396,9 +384,8 @@ static int tas_snd_drc_range_get(struct
 {
 	struct tas *tas = snd_kcontrol_chip(kcontrol);
 
-	mutex_lock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
 	ucontrol->value.integer.value[0] = tas->drc_range;
-	mutex_unlock(&tas->mtx);
 	return 0;
 }
 
@@ -411,16 +398,13 @@ static int tas_snd_drc_range_put(struct
 	    ucontrol->value.integer.value[0] > TAS3004_DRC_MAX)
 		return -EINVAL;
 
-	mutex_lock(&tas->mtx);
-	if (tas->drc_range == ucontrol->value.integer.value[0]) {
-		mutex_unlock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
+	if (tas->drc_range == ucontrol->value.integer.value[0])
 		return 0;
-	}
 
 	tas->drc_range = ucontrol->value.integer.value[0];
 	if (tas->hw_enabled)
 		tas3004_set_drc(tas);
-	mutex_unlock(&tas->mtx);
 	return 1;
 }
 
@@ -440,9 +424,8 @@ static int tas_snd_drc_switch_get(struct
 {
 	struct tas *tas = snd_kcontrol_chip(kcontrol);
 
-	mutex_lock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
 	ucontrol->value.integer.value[0] = tas->drc_enabled;
-	mutex_unlock(&tas->mtx);
 	return 0;
 }
 
@@ -451,16 +434,13 @@ static int tas_snd_drc_switch_put(struct
 {
 	struct tas *tas = snd_kcontrol_chip(kcontrol);
 
-	mutex_lock(&tas->mtx);
-	if (tas->drc_enabled == ucontrol->value.integer.value[0]) {
-		mutex_unlock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
+	if (tas->drc_enabled == ucontrol->value.integer.value[0])
 		return 0;
-	}
 
 	tas->drc_enabled = !!ucontrol->value.integer.value[0];
 	if (tas->hw_enabled)
 		tas3004_set_drc(tas);
-	mutex_unlock(&tas->mtx);
 	return 1;
 }
 
@@ -486,9 +466,8 @@ static int tas_snd_capture_source_get(st
 {
 	struct tas *tas = snd_kcontrol_chip(kcontrol);
 
-	mutex_lock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
 	ucontrol->value.enumerated.item[0] = !!(tas->acr & TAS_ACR_INPUT_B);
-	mutex_unlock(&tas->mtx);
 	return 0;
 }
 
@@ -500,7 +479,7 @@ static int tas_snd_capture_source_put(st
 
 	if (ucontrol->value.enumerated.item[0] > 1)
 		return -EINVAL;
-	mutex_lock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
 	oldacr = tas->acr;
 
 	/*
@@ -512,13 +491,10 @@ static int tas_snd_capture_source_put(st
 	if (ucontrol->value.enumerated.item[0])
 		tas->acr |= TAS_ACR_INPUT_B | TAS_ACR_B_MONAUREAL |
 		      TAS_ACR_B_MON_SEL_RIGHT;
-	if (oldacr == tas->acr) {
-		mutex_unlock(&tas->mtx);
+	if (oldacr == tas->acr)
 		return 0;
-	}
 	if (tas->hw_enabled)
 		tas_write_reg(tas, TAS_REG_ACR, 1, &tas->acr);
-	mutex_unlock(&tas->mtx);
 	return 1;
 }
 
@@ -557,9 +533,8 @@ static int tas_snd_treble_get(struct snd
 {
 	struct tas *tas = snd_kcontrol_chip(kcontrol);
 
-	mutex_lock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
 	ucontrol->value.integer.value[0] = tas->treble;
-	mutex_unlock(&tas->mtx);
 	return 0;
 }
 
@@ -571,16 +546,13 @@ static int tas_snd_treble_put(struct snd
 	if (ucontrol->value.integer.value[0] < TAS3004_TREBLE_MIN ||
 	    ucontrol->value.integer.value[0] > TAS3004_TREBLE_MAX)
 		return -EINVAL;
-	mutex_lock(&tas->mtx);
-	if (tas->treble == ucontrol->value.integer.value[0]) {
-		mutex_unlock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
+	if (tas->treble == ucontrol->value.integer.value[0])
 		return 0;
-	}
 
 	tas->treble = ucontrol->value.integer.value[0];
 	if (tas->hw_enabled)
 		tas_set_treble(tas);
-	mutex_unlock(&tas->mtx);
 	return 1;
 }
 
@@ -608,9 +580,8 @@ static int tas_snd_bass_get(struct snd_k
 {
 	struct tas *tas = snd_kcontrol_chip(kcontrol);
 
-	mutex_lock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
 	ucontrol->value.integer.value[0] = tas->bass;
-	mutex_unlock(&tas->mtx);
 	return 0;
 }
 
@@ -622,16 +593,13 @@ static int tas_snd_bass_put(struct snd_k
 	if (ucontrol->value.integer.value[0] < TAS3004_BASS_MIN ||
 	    ucontrol->value.integer.value[0] > TAS3004_BASS_MAX)
 		return -EINVAL;
-	mutex_lock(&tas->mtx);
-	if (tas->bass == ucontrol->value.integer.value[0]) {
-		mutex_unlock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
+	if (tas->bass == ucontrol->value.integer.value[0])
 		return 0;
-	}
 
 	tas->bass = ucontrol->value.integer.value[0];
 	if (tas->hw_enabled)
 		tas_set_bass(tas);
-	mutex_unlock(&tas->mtx);
 	return 1;
 }
 
@@ -722,13 +690,13 @@ static int tas_switch_clock(struct codec
 		break;
 	case CLOCK_SWITCH_SLAVE:
 		/* Clocks are back, re-init the codec */
-		mutex_lock(&tas->mtx);
-		tas_reset_init(tas);
-		tas_set_volume(tas);
-		tas_set_mixer(tas);
-		tas->hw_enabled = 1;
-		tas->codec.gpio->methods->all_amps_restore(tas->codec.gpio);
-		mutex_unlock(&tas->mtx);
+		scoped_guard(mutex, &tas->mtx) {
+			tas_reset_init(tas);
+			tas_set_volume(tas);
+			tas_set_mixer(tas);
+			tas->hw_enabled = 1;
+			tas->codec.gpio->methods->all_amps_restore(tas->codec.gpio);
+		}
 		break;
 	default:
 		/* doesn't happen as of now */
@@ -743,23 +711,21 @@ static int tas_switch_clock(struct codec
  * our i2c device is suspended, and then take note of that! */
 static int tas_suspend(struct tas *tas)
 {
-	mutex_lock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
 	tas->hw_enabled = 0;
 	tas->acr |= TAS_ACR_ANALOG_PDOWN;
 	tas_write_reg(tas, TAS_REG_ACR, 1, &tas->acr);
-	mutex_unlock(&tas->mtx);
 	return 0;
 }
 
 static int tas_resume(struct tas *tas)
 {
 	/* reset codec */
-	mutex_lock(&tas->mtx);
+	guard(mutex)(&tas->mtx);
 	tas_reset_init(tas);
 	tas_set_volume(tas);
 	tas_set_mixer(tas);
 	tas->hw_enabled = 1;
-	mutex_unlock(&tas->mtx);
 	return 0;
 }
 
@@ -802,14 +768,13 @@ static int tas_init_codec(struct aoa_cod
 		return -EINVAL;
 	}
 
-	mutex_lock(&tas->mtx);
-	if (tas_reset_init(tas)) {
-		printk(KERN_ERR PFX "tas failed to initialise\n");
-		mutex_unlock(&tas->mtx);
-		return -ENXIO;
+	scoped_guard(mutex, &tas->mtx) {
+		if (tas_reset_init(tas)) {
+			printk(KERN_ERR PFX "tas failed to initialise\n");
+			return -ENXIO;
+		}
+		tas->hw_enabled = 1;
 	}
-	tas->hw_enabled = 1;
-	mutex_unlock(&tas->mtx);
 
 	if (tas->codec.soundbus_dev->attach_codec(tas->codec.soundbus_dev,
 						   aoa_get_card(),
--- a/sound/aoa/core/gpio-feature.c
+++ b/sound/aoa/core/gpio-feature.c
@@ -212,10 +212,9 @@ static void ftr_handle_notify(struct wor
 	struct gpio_notification *notif =
 		container_of(work, struct gpio_notification, work.work);
 
-	mutex_lock(&notif->mutex);
+	guard(mutex)(&notif->mutex);
 	if (notif->notify)
 		notif->notify(notif->data);
-	mutex_unlock(&notif->mutex);
 }
 
 static void gpio_enable_dual_edge(int gpio)
@@ -341,19 +340,17 @@ static int ftr_set_notify(struct gpio_ru
 	if (!irq)
 		return -ENODEV;
 
-	mutex_lock(&notif->mutex);
+	guard(mutex)(&notif->mutex);
 
 	old = notif->notify;
 
-	if (!old && !notify) {
-		err = 0;
-		goto out_unlock;
-	}
+	if (!old && !notify)
+		return 0;
 
 	if (old && notify) {
 		if (old == notify && notif->data == data)
 			err = 0;
-		goto out_unlock;
+		return err;
 	}
 
 	if (old && !notify)
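Review bot: the `return err;` in the `old && notify` branch depends on err's initializer, which is outside this hunk, still holding the "already registered with a different callback" error value, while every other path in the function now returns a literal. Returning the result of the comparison directly in that branch and dropping the shared initializer would make it self-contained; pmf_set_notify() below has the identical structure and would want the same treatment.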
@@ -362,16 +359,13 @@ static int ftr_set_notify(struct gpio_ru
 	if (!old && notify) {
 		err = request_irq(irq, ftr_handle_notify_irq, 0, name, notif);
 		if (err)
-			goto out_unlock;
+			return err;
 	}
 
 	notif->notify = notify;
 	notif->data = data;
 
-	err = 0;
- out_unlock:
-	mutex_unlock(&notif->mutex);
-	return err;
+	return 0;
 }
 
 static int ftr_get_detect(struct gpio_runtime *rt,
--- a/sound/aoa/core/gpio-pmf.c
+++ b/sound/aoa/core/gpio-pmf.c
@@ -74,10 +74,9 @@ static void pmf_handle_notify(struct wor
 	struct gpio_notification *notif =
 		container_of(work, struct gpio_notification, work.work);
 
-	mutex_lock(&notif->mutex);
+	guard(mutex)(&notif->mutex);
 	if (notif->notify)
 		notif->notify(notif->data);
-	mutex_unlock(&notif->mutex);
 }
 
 static void pmf_gpio_init(struct gpio_runtime *rt)
@@ -154,19 +153,17 @@ static int pmf_set_notify(struct gpio_ru
 		return -EINVAL;
 	}
 
-	mutex_lock(&notif->mutex);
+	guard(mutex)(&notif->mutex);
 
 	old = notif->notify;
 
-	if (!old && !notify) {
-		err = 0;
-		goto out_unlock;
-	}
+	if (!old && !notify)
+		return 0;
 
 	if (old && notify) {
 		if (old == notify && notif->data == data)
 			err = 0;
-		goto out_unlock;
+		return err;
 	}
 
 	if (old && !notify) {
@@ -178,10 +175,8 @@ static int pmf_set_notify(struct gpio_ru
 	if (!old && notify) {
 		irq_client = kzalloc(sizeof(struct pmf_irq_client),
 				     GFP_KERNEL);
-		if (!irq_client) {
-			err = -ENOMEM;
-			goto out_unlock;
-		}
+		if (!irq_client)
+			return -ENOMEM;
 		irq_client->data = notif;
 		irq_client->handler = pmf_handle_notify_irq;
 		irq_client->owner = THIS_MODULE;
@@ -192,17 +187,14 @@ static int pmf_set_notify(struct gpio_ru
 			printk(KERN_ERR "snd-aoa: gpio layer failed to"
 					" register %s irq (%d)\n", name, err);
 			kfree(irq_client);
-			goto out_unlock;
+			return err;
 		}
 		notif->gpio_private = irq_client;
 	}
 	notif->notify = notify;
 	notif->data = data;
 
-	err = 0;
- out_unlock:
-	mutex_unlock(&notif->mutex);
-	return err;
+	return 0;
 }
 
 static int pmf_get_detect(struct gpio_runtime *rt,
--- a/sound/aoa/soundbus/i2sbus/pcm.c
+++ b/sound/aoa/soundbus/i2sbus/pcm.c
@@ -79,11 +79,10 @@ static int i2sbus_pcm_open(struct i2sbus
 	u64 formats = 0;
 	unsigned int rates = 0;
 	struct transfer_info v;
-	int result = 0;
 	int bus_factor = 0, sysclock_factor = 0;
 	int found_this;
 
-	mutex_lock(&i2sdev->lock);
+	guard(mutex)(&i2sdev->lock);
 
 	get_pcm_info(i2sdev, in, &pi, &other);
 
@@ -92,8 +91,7 @@ static int i2sbus_pcm_open(struct i2sbus
 
 	if (pi->active) {
 		/* alsa messed up */
-		result = -EBUSY;
-		goto out_unlock;
+		return -EBUSY;
 	}
 
 	/* we now need to assign the hw */
@@ -117,10 +115,8 @@ static int i2sbus_pcm_open(struct i2sbus
 			ti++;
 		}
 	}
-	if (!masks_inited || !bus_factor || !sysclock_factor) {
-		result = -ENODEV;
-		goto out_unlock;
-	}
+	if (!masks_inited || !bus_factor || !sysclock_factor)
+		return -ENODEV;
 	/* bus dependent stuff */
 	hw->info = SNDRV_PCM_INFO_MMAP | SNDRV_PCM_INFO_MMAP_VALID |
 		   SNDRV_PCM_INFO_INTERLEAVED | SNDRV_PCM_INFO_RESUME |
@@ -194,15 +190,12 @@ static int i2sbus_pcm_open(struct i2sbus
 	hw->periods_max = MAX_DBDMA_COMMANDS;
 	err = snd_pcm_hw_constraint_integer(pi->substream->runtime,
 					    SNDRV_PCM_HW_PARAM_PERIODS);
-	if (err < 0) {
-		result = err;
-		goto out_unlock;
-	}
+	if (err < 0)
+		return err;
 	list_for_each_entry(cii, &sdev->codec_list, list) {
 		if (cii->codec->open) {
 			err = cii->codec->open(cii, pi->substream);
 			if (err) {
-				result = err;
 				/* unwind */
 				found_this = 0;
 				list_for_each_entry_reverse(rev,
@@ -214,14 +207,12 @@ static int i2sbus_pcm_open(struct i2sbus
 					if (rev == cii)
 						found_this = 1;
 				}
-				goto out_unlock;
+				return err;
 			}
 		}
 	}
 
- out_unlock:
-	mutex_unlock(&i2sdev->lock);
-	return result;
+	return 0;
 }
 
 #undef CHECK_RATE
@@ -232,7 +223,7 @@ static int i2sbus_pcm_close(struct i2sbu
 	struct pcm_info *pi;
 	int err = 0, tmp;
 
-	mutex_lock(&i2sdev->lock);
+	guard(mutex)(&i2sdev->lock);
 
 	get_pcm_info(i2sdev, in, &pi, NULL);
 
@@ -246,7 +237,6 @@ static int i2sbus_pcm_close(struct i2sbu
 
 	pi->substream = NULL;
 	pi->active = 0;
-	mutex_unlock(&i2sdev->lock);
 	return err;
 }
 
@@ -330,33 +320,26 @@ static int i2sbus_pcm_prepare(struct i2s
 	int input_16bit;
 	struct pcm_info *pi, *other;
 	int cnt;
-	int result = 0;
 	unsigned int cmd, stopaddr;
 
-	mutex_lock(&i2sdev->lock);
+	guard(mutex)(&i2sdev->lock);
 
 	get_pcm_info(i2sdev, in, &pi, &other);
 
-	if (pi->dbdma_ring.running) {
-		result = -EBUSY;
-		goto out_unlock;
-	}
+	if (pi->dbdma_ring.running)
+		return -EBUSY;
 	if (pi->dbdma_ring.stopping)
 		i2sbus_wait_for_stop(i2sdev, pi);
 
-	if (!pi->substream || !pi->substream->runtime) {
-		result = -EINVAL;
-		goto out_unlock;
-	}
+	if (!pi->substream || !pi->substream->runtime)
+		return -EINVAL;
 
 	runtime = pi->substream->runtime;
 	pi->active = 1;
 	if (other->active &&
 	    ((i2sdev->format != runtime->format)
-	     || (i2sdev->rate != runtime->rate))) {
-		result = -EINVAL;
-		goto out_unlock;
-	}
+	     || (i2sdev->rate != runtime->rate)))
+		return -EINVAL;
 
 	i2sdev->format = runtime->format;
 	i2sdev->rate = runtime->rate;
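Review bot: behaviour-preserving as the commit message states, but note that `pi->active = 1;` is still set before the duplex format/rate check and before the later -ENODEV and -EINVAL returns in this function, so a failed prepare leaves the stream marked active for the sibling direction. That is the stale state the next patch in this series (381/474, "clear stale prepared state") removes, so this conversion should be read together with it rather than as a standalone cleanup.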
@@ -412,10 +395,8 @@ static int i2sbus_pcm_prepare(struct i2s
 			bi.bus_factor = cii->codec->bus_factor;
 			break;
 		}
-		if (!bi.bus_factor) {
-			result = -ENODEV;
-			goto out_unlock;
-		}
+		if (!bi.bus_factor)
+			return -ENODEV;
 		input_16bit = 1;
 		break;
 	case SNDRV_PCM_FORMAT_S32_BE:
@@ -426,8 +407,7 @@ static int i2sbus_pcm_prepare(struct i2s
 		input_16bit = 0;
 		break;
 	default:
-		result = -EINVAL;
-		goto out_unlock;
+		return -EINVAL;
 	}
 	/* we assume all sysclocks are the same! */
 	list_for_each_entry(cii, &i2sdev->sound.codec_list, list) {
@@ -438,10 +418,8 @@ static int i2sbus_pcm_prepare(struct i2s
 	if (clock_and_divisors(bi.sysclock_factor,
 			       bi.bus_factor,
 			       runtime->rate,
-			       &sfr) < 0) {
-		result = -EINVAL;
-		goto out_unlock;
-	}
+			       &sfr) < 0)
+		return -EINVAL;
 	switch (bi.bus_factor) {
 	case 32:
 		sfr |= I2S_SF_SERIAL_FORMAT_I2S_32X;
@@ -457,10 +435,8 @@ static int i2sbus_pcm_prepare(struct i2s
 		int err = 0;
 		if (cii->codec->prepare)
 			err = cii->codec->prepare(cii, &bi, pi->substream);
-		if (err) {
-			result = err;
-			goto out_unlock;
-		}
+		if (err)
+			return err;
 	}
 	/* codecs are fine with it, so set our clocks */
 	if (input_16bit)
@@ -476,7 +452,7 @@ static int i2sbus_pcm_prepare(struct i2s
 	/* not locking these is fine since we touch them only in this function */
 	if (in_le32(&i2sdev->intfregs->serial_format) == sfr
 	 && in_le32(&i2sdev->intfregs->data_word_sizes) == dws)
-		goto out_unlock;
+		return 0;
 
 	/* let's notify the codecs about clocks going away.
 	 * For now we only do mastering on the i2s cell... */
@@ -514,9 +490,7 @@ static int i2sbus_pcm_prepare(struct i2s
 		if (cii->codec->switch_clock)
 			cii->codec->switch_clock(cii, CLOCK_SWITCH_SLAVE);
 
- out_unlock:
-	mutex_unlock(&i2sdev->lock);
-	return result;
+	return 0;
 }
 
 #ifdef CONFIG_PM




* [PATCH 6.6 381/474] ALSA: aoa: i2sbus: clear stale prepared state
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (379 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 380/474] ALSA: aoa: Use guard() for mutex locks Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 382/474] media: rc: ttusbir: respect DMA coherency rules Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, kernel test robot,
	Cássio Gabriel, Takashi Iwai, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

[ Upstream commit 5ed060d5491597490fb53ec69da3edc4b1e8c165 ]

The i2sbus PCM code uses pi->active to constrain the sibling stream to
an already prepared duplex format and rate in i2sbus_pcm_open().

That state is set from i2sbus_pcm_prepare(), but the current code only
clears it on close. As a result, the sibling stream can inherit stale
constraints after the prepared state has been torn down.

Clear pi->active when hw_params() or hw_free() tears down the prepared
state, and set it again only after prepare succeeds.

Replace the stale FIXME in the duplex constraint comment with a description
of the current driver behavior: i2sbus still programs a single shared
transport configuration for both directions, so mixed formats are not
supported in duplex mode.

Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202604010125.AvkWBYKI-lkp@intel.com/
Fixes: f3d9478b2ce4 ("[ALSA] snd-aoa: add snd-aoa")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260331-aoa-i2sbus-clear-stale-active-v2-1-3764ae2889a1@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/aoa/soundbus/i2sbus/pcm.c |   55 ++++++++++++++++++++++++++++++++--------
 1 file changed, 44 insertions(+), 11 deletions(-)

--- a/sound/aoa/soundbus/i2sbus/pcm.c
+++ b/sound/aoa/soundbus/i2sbus/pcm.c
@@ -165,17 +165,16 @@ static int i2sbus_pcm_open(struct i2sbus
 	 * currently in use (if any). */
 	hw->rate_min = 5512;
 	hw->rate_max = 192000;
-	/* if the other stream is active, then we can only
-	 * support what it is currently using.
-	 * FIXME: I lied. This comment is wrong. We can support
-	 * anything that works with the same serial format, ie.
-	 * when recording 24 bit sound we can well play 16 bit
-	 * sound at the same time iff using the same transfer mode.
+	/* If the other stream is already prepared, keep this stream
+	 * on the same duplex format and rate.
+	 *
+	 * i2sbus_pcm_prepare() still programs one shared transport
+	 * configuration for both directions, so mixed duplex formats
+	 * are not supported here.
 	 */
 	if (other->active) {
-		/* FIXME: is this guaranteed by the alsa api? */
 		hw->formats &= pcm_format_to_bits(i2sdev->format);
-		/* see above, restrict rates to the one we already have */
+		/* Restrict rates to the one already in use. */
 		hw->rate_min = i2sdev->rate;
 		hw->rate_max = i2sdev->rate;
 	}
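Review bot: the rewritten comment documents the duplex constraint but still does not say what protects `other->active`, `i2sdev->format` and `i2sdev->rate` during this read. Since the new i2sbus_pcm_clear_active() writes `pi->active` under `i2sdev->lock`, a one-line comment that i2sbus_pcm_open() holds the same lock here (or a `lockdep_assert_held(&i2sdev->lock)`) would make the pairing explicit.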
@@ -283,6 +282,23 @@ void i2sbus_wait_for_stop_both(struct i2
 }
 #endif
 
+static void i2sbus_pcm_clear_active(struct i2sbus_dev *i2sdev, int in)
+{
+	struct pcm_info *pi;
+
+	guard(mutex)(&i2sdev->lock);
+
+	get_pcm_info(i2sdev, in, &pi, NULL);
+	pi->active = 0;
+}
+
+static inline int i2sbus_hw_params(struct snd_pcm_substream *substream,
+				   struct snd_pcm_hw_params *params, int in)
+{
+	i2sbus_pcm_clear_active(snd_pcm_substream_chip(substream), in);
+	return 0;
+}
+
 static inline int i2sbus_hw_free(struct snd_pcm_substream *substream, int in)
 {
 	struct i2sbus_dev *i2sdev = snd_pcm_substream_chip(substream);
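Review bot: i2sbus_hw_params() ignores `params` and only clears the prepared state; a short comment saying that the format and rate are still programmed in i2sbus_pcm_prepare() would stop readers expecting hw_params to do it. The `static inline` on a function reached only through two thin wrappers is harmless but unnecessary; plain `static` lets the compiler decide.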
@@ -291,14 +307,27 @@ static inline int i2sbus_hw_free(struct
 	get_pcm_info(i2sdev, in, &pi, NULL);
 	if (pi->dbdma_ring.stopping)
 		i2sbus_wait_for_stop(i2sdev, pi);
+	i2sbus_pcm_clear_active(i2sdev, in);
 	return 0;
 }
 
+static int i2sbus_playback_hw_params(struct snd_pcm_substream *substream,
+				     struct snd_pcm_hw_params *params)
+{
+	return i2sbus_hw_params(substream, params, 0);
+}
+
 static int i2sbus_playback_hw_free(struct snd_pcm_substream *substream)
 {
 	return i2sbus_hw_free(substream, 0);
 }
 
+static int i2sbus_record_hw_params(struct snd_pcm_substream *substream,
+				   struct snd_pcm_hw_params *params)
+{
+	return i2sbus_hw_params(substream, params, 1);
+}
+
 static int i2sbus_record_hw_free(struct snd_pcm_substream *substream)
 {
 	return i2sbus_hw_free(substream, 1);
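Review bot: i2sbus_hw_free() has already fetched `pi` with get_pcm_info() and then calls i2sbus_pcm_clear_active(), which takes `i2sdev->lock` with guard(mutex) and looks `pi` up a second time. The surrounding lines do not show whether hw_free runs with `i2sdev->lock` already held; if it does, the guard self-deadlocks on a non-recursive mutex, so that needs confirming, and if it does not, clearing `pi->active` directly here under the lock would avoid the second lookup.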
@@ -335,7 +364,6 @@ static int i2sbus_pcm_prepare(struct i2s
 		return -EINVAL;
 
 	runtime = pi->substream->runtime;
-	pi->active = 1;
 	if (other->active &&
 	    ((i2sdev->format != runtime->format)
 	     || (i2sdev->rate != runtime->rate)))
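Review bot: with `pi->active = 1` removed from before the duplex check, a prepare that fails the format/rate comparison now leaves this stream inactive, so the sibling's next open is no longer constrained by it; that is the intended effect, but the commit message only talks about hw_params/hw_free, so a sentence about this failure path would complete the description.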
@@ -450,9 +478,11 @@ static int i2sbus_pcm_prepare(struct i2s
 
 	/* early exit if already programmed correctly */
 	/* not locking these is fine since we touch them only in this function */
-	if (in_le32(&i2sdev->intfregs->serial_format) == sfr
-	 && in_le32(&i2sdev->intfregs->data_word_sizes) == dws)
+	if (in_le32(&i2sdev->intfregs->serial_format) == sfr &&
+	    in_le32(&i2sdev->intfregs->data_word_sizes) == dws) {
+		pi->active = 1;
 		return 0;
+	}
 
 	/* let's notify the codecs about clocks going away.
 	 * For now we only do mastering on the i2s cell... */
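Review bot: `pi->active = 1` is now assigned on two success exits (the "already programmed correctly" early return here and the end of the function); a single exit label, or setting `active` in the caller when the function returns 0, would keep the two in step if a third success exit is added later.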
@@ -490,6 +520,7 @@ static int i2sbus_pcm_prepare(struct i2s
 		if (cii->codec->switch_clock)
 			cii->codec->switch_clock(cii, CLOCK_SWITCH_SLAVE);
 
+	pi->active = 1;
 	return 0;
 }
 
@@ -746,6 +777,7 @@ static snd_pcm_uframes_t i2sbus_playback
 static const struct snd_pcm_ops i2sbus_playback_ops = {
 	.open =		i2sbus_playback_open,
 	.close =	i2sbus_playback_close,
+	.hw_params =	i2sbus_playback_hw_params,
 	.hw_free =	i2sbus_playback_hw_free,
 	.prepare =	i2sbus_playback_prepare,
 	.trigger =	i2sbus_playback_trigger,
@@ -814,6 +846,7 @@ static snd_pcm_uframes_t i2sbus_record_p
 static const struct snd_pcm_ops i2sbus_record_ops = {
 	.open =		i2sbus_record_open,
 	.close =	i2sbus_record_close,
+	.hw_params =	i2sbus_record_hw_params,
 	.hw_free =	i2sbus_record_hw_free,
 	.prepare =	i2sbus_record_prepare,
 	.trigger =	i2sbus_record_trigger,




* [PATCH 6.6 382/474] media: rc: ttusbir: respect DMA coherency rules
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (380 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 381/474] ALSA: aoa: i2sbus: clear stale prepared state Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 383/474] ALSA: aoa: Skip devices with no codecs in i2sbus_resume() Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Oliver Neukum, Sean Young,
	Hans Verkuil, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <oneukum@suse.com>

[ Upstream commit 50acaad3d202c064779db8dc3d010007347f59c7 ]

Buffers must not share a cache line with other data structures.
Allocate separately.

Fixes: 0938069fa0897 ("[media] rc: Add support for the TechnoTrend USB IR Receiver")
Cc: stable@vger.kernel.org
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
[ kept kzalloc(sizeof(*tt), GFP_KERNEL) instead of kzalloc_obj() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/rc/ttusbir.c |   13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

--- a/drivers/media/rc/ttusbir.c
+++ b/drivers/media/rc/ttusbir.c
@@ -32,7 +32,7 @@ struct ttusbir {
 
 	struct led_classdev led;
 	struct urb *bulk_urb;
-	uint8_t bulk_buffer[5];
+	u8 *bulk_buffer;
 	int bulk_out_endp, iso_in_endp;
 	bool led_on, is_led_on;
 	atomic_t led_complete;
@@ -186,13 +186,16 @@ static int ttusbir_probe(struct usb_inte
 	struct rc_dev *rc;
 	int i, j, ret;
 	int altsetting = -1;
+	u8 *buffer;
 
 	tt = kzalloc(sizeof(*tt), GFP_KERNEL);
+	buffer = kzalloc(5, GFP_KERNEL);
 	rc = rc_allocate_device(RC_DRIVER_IR_RAW);
-	if (!tt || !rc) {
+	if (!tt || !rc || buffer) {
 		ret = -ENOMEM;
 		goto out;
 	}
+	tt->bulk_buffer = buffer;
 
 	/* find the correct alt setting */
 	for (i = 0; i < intf->num_altsetting && altsetting == -1; i++) {
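Review bot: the allocation check is inverted: `if (!tt || !rc || buffer)` bails out with -ENOMEM whenever the kzalloc() of `buffer` succeeds, and lets a NULL `buffer` through to `tt->bulk_buffer = buffer`, which `tt->bulk_buffer[3] = 0x01` later dereferences. It must read `if (!tt || !rc || !buffer)`; as written the driver can never finish probing.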
@@ -281,8 +284,8 @@ static int ttusbir_probe(struct usb_inte
 	tt->bulk_buffer[3] = 0x01;
 
 	usb_fill_bulk_urb(tt->bulk_urb, tt->udev, usb_sndbulkpipe(tt->udev,
-		tt->bulk_out_endp), tt->bulk_buffer, sizeof(tt->bulk_buffer),
-						ttusbir_bulk_complete, tt);
+			  tt->bulk_out_endp), tt->bulk_buffer, 5,
+			  ttusbir_bulk_complete, tt);
 
 	tt->led.name = "ttusbir:green:power";
 	tt->led.default_trigger = "rc-feedback";
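Review bot: the buffer length 5 is now a bare literal in both the kzalloc() call and the usb_fill_bulk_urb() call, with the buffer indexed up to [3] just above; a `#define` used in both places would keep the allocation size and the transfer length from drifting apart.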
@@ -351,6 +354,7 @@ out:
 		kfree(tt);
 	}
 	rc_free_device(rc);
+	kfree(buffer);
 
 	return ret;
 }
@@ -373,6 +377,7 @@ static void ttusbir_disconnect(struct us
 	}
 	usb_kill_urb(tt->bulk_urb);
 	usb_free_urb(tt->bulk_urb);
+	kfree(tt->bulk_buffer);
 	usb_set_intfdata(intf, NULL);
 	kfree(tt);
 }




* [PATCH 6.6 383/474] ALSA: aoa: Skip devices with no codecs in i2sbus_resume()
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (381 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 382/474] media: rc: ttusbir: respect DMA coherency rules Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 384/474] media: rc: igorplugusb: heed coherency rules Greg Kroah-Hartman
                   ` (91 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Takashi Iwai,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thorsten Blum <thorsten.blum@linux.dev>

[ Upstream commit fd7df93013c5118812e63a52635dc6c3a805a1de ]

In i2sbus_resume(), skip devices with an empty codec list, which avoids
using an uninitialized 'sysclock_factor' in the 32-bit format path in
i2sbus_pcm_prepare().

In i2sbus_pcm_prepare(), replace two list_for_each_entry() loops with a
single list_first_entry() now that the codec list is guaranteed to be
non-empty by all callers.

Fixes: f3d9478b2ce4 ("[ALSA] snd-aoa: add snd-aoa")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Link: https://patch.msgid.link/20260310102921.210109-3-thorsten.blum@linux.dev
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/aoa/soundbus/i2sbus/core.c |    3 +++
 sound/aoa/soundbus/i2sbus/pcm.c  |   16 +++++-----------
 2 files changed, 8 insertions(+), 11 deletions(-)

--- a/sound/aoa/soundbus/i2sbus/core.c
+++ b/sound/aoa/soundbus/i2sbus/core.c
@@ -411,6 +411,9 @@ static int i2sbus_resume(struct macio_de
 	int err, ret = 0;
 
 	list_for_each_entry(i2sdev, &control->list, item) {
+		if (list_empty(&i2sdev->sound.codec_list))
+			continue;
+
 		/* reset i2s bus format etc. */
 		i2sbus_pcm_prepare_both(i2sdev);
 
--- a/sound/aoa/soundbus/i2sbus/pcm.c
+++ b/sound/aoa/soundbus/i2sbus/pcm.c
@@ -411,6 +411,9 @@ static int i2sbus_pcm_prepare(struct i2s
 	/* set stop command */
 	command->command = cpu_to_le16(DBDMA_STOP);
 
+	cii = list_first_entry(&i2sdev->sound.codec_list,
+			       struct codec_info_item, list);
+
 	/* ok, let's set the serial format and stuff */
 	switch (runtime->format) {
 	/* 16 bit formats */
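Review bot: list_first_entry() on an empty list returns a pointer into the list head rather than NULL, so the invariant that `codec_list` is non-empty here should be stated in a comment at this site or guarded (for example `WARN_ON_ONCE(list_empty(...))` with a -ENODEV return), since the only guard visible in this diff is the one added to i2sbus_resume(); the PCM open path that also reaches this function is not shown.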
@@ -418,13 +421,7 @@ static int i2sbus_pcm_prepare(struct i2s
 	case SNDRV_PCM_FORMAT_U16_BE:
 		/* FIXME: if we add different bus factors we need to
 		 * do more here!! */
-		bi.bus_factor = 0;
-		list_for_each_entry(cii, &i2sdev->sound.codec_list, list) {
-			bi.bus_factor = cii->codec->bus_factor;
-			break;
-		}
-		if (!bi.bus_factor)
-			return -ENODEV;
+		bi.bus_factor = cii->codec->bus_factor;
 		input_16bit = 1;
 		break;
 	case SNDRV_PCM_FORMAT_S32_BE:
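Review bot: the removed loop also returned -ENODEV when the first codec reported `bus_factor == 0`; the replacement assigns it unconditionally, so a zero bus_factor now reaches clock_and_divisors() and the `switch (bi.bus_factor)` instead of being rejected up front. If that is intended, say so in the commit message; otherwise keep the zero check.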
@@ -438,10 +435,7 @@ static int i2sbus_pcm_prepare(struct i2s
 		return -EINVAL;
 	}
 	/* we assume all sysclocks are the same! */
-	list_for_each_entry(cii, &i2sdev->sound.codec_list, list) {
-		bi.sysclock_factor = cii->codec->sysclock_factor;
-		break;
-	}
+	bi.sysclock_factor = cii->codec->sysclock_factor;
 
 	if (clock_and_divisors(bi.sysclock_factor,
 			       bi.bus_factor,




* [PATCH 6.6 384/474] media: rc: igorplugusb: heed coherency rules
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (382 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 383/474] ALSA: aoa: Skip devices with no codecs in i2sbus_resume() Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 385/474] block: relax pgmap check in bio_add_page for compatible zone device pages Greg Kroah-Hartman
                   ` (90 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Oliver Neukum, Sean Young,
	Hans Verkuil, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <oneukum@suse.com>

[ Upstream commit eac69475b01fe1e861dfe3960b57fa95671c132e ]

In a control request, the USB request structure
can be subject to DMA on some HCs. Hence it must obey
the rules for DMA coherency. Allocate it separately.

Fixes: b1c97193c6437 ("[media] rc: port IgorPlug-USB to rc-core")
Cc: stable@vger.kernel.org
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
[ replaced kzalloc_obj(*ir->request, GFP_KERNEL) with kzalloc(sizeof(*ir->request), GFP_KERNEL) ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/rc/igorplugusb.c |   16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

--- a/drivers/media/rc/igorplugusb.c
+++ b/drivers/media/rc/igorplugusb.c
@@ -34,7 +34,7 @@ struct igorplugusb {
 	struct device *dev;
 
 	struct urb *urb;
-	struct usb_ctrlrequest request;
+	struct usb_ctrlrequest *request;
 
 	struct timer_list timer;
 
@@ -122,7 +122,7 @@ static void igorplugusb_cmd(struct igorp
 {
 	int ret;
 
-	ir->request.bRequest = cmd;
+	ir->request->bRequest = cmd;
 	ir->urb->transfer_flags = 0;
 	ret = usb_submit_urb(ir->urb, GFP_ATOMIC);
 	if (ret && ret != -EPERM)
@@ -164,13 +164,17 @@ static int igorplugusb_probe(struct usb_
 	if (!ir)
 		return -ENOMEM;
 
+	ir->request = kzalloc(sizeof(*ir->request), GFP_KERNEL);
+	if (!ir->request)
+		goto fail;
+
 	ir->dev = &intf->dev;
 
 	timer_setup(&ir->timer, igorplugusb_timer, 0);
 
-	ir->request.bRequest = GET_INFRACODE;
-	ir->request.bRequestType = USB_TYPE_VENDOR | USB_DIR_IN;
-	ir->request.wLength = cpu_to_le16(MAX_PACKET);
+	ir->request->bRequest = GET_INFRACODE;
+	ir->request->bRequestType = USB_TYPE_VENDOR | USB_DIR_IN;
+	ir->request->wLength = cpu_to_le16(MAX_PACKET);
 
 	ir->urb = usb_alloc_urb(0, GFP_KERNEL);
 	if (!ir->urb)
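Review bot: the new `goto fail` on a failed kzalloc() returns `ret`, but the lines just above return -ENOMEM directly for the `!ir` case, which suggests `ret` has not been assigned at this point; unless `ret` is initialised earlier in probe, this path returns an indeterminate value. Set `ret = -ENOMEM` before the jump.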
@@ -228,6 +232,7 @@ fail:
 	usb_free_urb(ir->urb);
 	rc_free_device(ir->rc);
 	kfree(ir->buf_in);
+	kfree(ir->request);
 
 	return ret;
 }
@@ -243,6 +248,7 @@ static void igorplugusb_disconnect(struc
 	usb_unpoison_urb(ir->urb);
 	usb_free_urb(ir->urb);
 	kfree(ir->buf_in);
+	kfree(ir->request);
 }
 
 static const struct usb_device_id igorplugusb_table[] = {




* [PATCH 6.6 385/474] block: relax pgmap check in bio_add_page for compatible zone device pages
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (383 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 384/474] media: rc: igorplugusb: heed coherency rules Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 386/474] sched: Use u64 for bandwidth ratio calculations Greg Kroah-Hartman
                   ` (89 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Naman Jain, Christoph Hellwig,
	Jens Axboe, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Naman Jain <namjain@linux.microsoft.com>

[ Upstream commit 41c665aae2b5dbecddddcc8ace344caf630cc7a4 ]

bio_add_page() and bio_integrity_add_page() reject pages from different
dev_pagemaps entirely, returning 0 even when those pages have compatible
DMA mapping requirements. This forces callers to start a new bio when
buffers span pgmap boundaries, even though the pages could safely coexist
as separate bvec entries.

This matters for guests where memory is registered through
devm_memremap_pages() with MEMORY_DEVICE_GENERIC in multiple calls,
creating separate dev_pagemaps for each chunk. When a direct I/O buffer
spans two such chunks, bio_add_page() rejects the second page, forcing an
unnecessary bio split or I/O failure.

Introduce zone_device_pages_compatible() in blk.h to check whether two
pages can coexist in the same bio as separate bvec entries. The block DMA
iterator (blk_dma_map_iter_start) caches the P2PDMA mapping state from the
first segment and applies it to all others, so P2PDMA pages from different
pgmaps must not be mixed, and neither must P2PDMA and non-P2PDMA pages.
All other combinations (MEMORY_DEVICE_GENERIC pages from different pgmaps,
or MEMORY_DEVICE_GENERIC with normal RAM) use the same dma_map_phys path
and are safe.

Replace the blanket zone_device_pages_have_same_pgmap() rejection with
zone_device_pages_compatible(), while keeping
zone_device_pages_have_same_pgmap() as a merge guard.
Pages from different pgmaps can be added as separate bvec entries but
must not be coalesced into the same segment, as that would make
it impossible to recover the correct pgmap via page_pgmap().

Fixes: 49580e690755 ("block: add check when merging zone device pages")
Cc: stable@vger.kernel.org
Signed-off-by: Naman Jain <namjain@linux.microsoft.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://patch.msgid.link/20260410153414.4159050-3-namjain@linux.microsoft.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
[ restructured combined `if` into explicit `bv` block ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 block/bio-integrity.c |    2 ++
 block/bio.c           |   14 +++++++++-----
 block/blk.h           |   19 +++++++++++++++++++
 3 files changed, 30 insertions(+), 5 deletions(-)

--- a/block/bio-integrity.c
+++ b/block/bio-integrity.c
@@ -134,6 +134,8 @@ int bio_integrity_add_page(struct bio *b
 		struct bio_vec *bv = &bip->bip_vec[bip->bip_vcnt - 1];
 		bool same_page = false;
 
+		if (!zone_device_pages_compatible(bv->bv_page, page))
+			return 0;
 		if (bvec_try_merge_hw_page(q, bv, page, len, offset,
 					   &same_page)) {
 			bip->bip_iter.bi_size += len;
--- a/block/bio.c
+++ b/block/bio.c
@@ -1098,11 +1098,15 @@ int bio_add_page(struct bio *bio, struct
 	if (bio->bi_iter.bi_size > UINT_MAX - len)
 		return 0;
 
-	if (bio->bi_vcnt > 0 &&
-	    bvec_try_merge_page(&bio->bi_io_vec[bio->bi_vcnt - 1],
-				page, len, offset, &same_page)) {
-		bio->bi_iter.bi_size += len;
-		return len;
+	if (bio->bi_vcnt > 0) {
+		struct bio_vec *bv = &bio->bi_io_vec[bio->bi_vcnt - 1];
+
+		if (!zone_device_pages_compatible(bv->bv_page, page))
+			return 0;
+		if (bvec_try_merge_page(bv, page, len, offset, &same_page)) {
+			bio->bi_iter.bi_size += len;
+			return len;
+		}
 	}
 
 	if (bio->bi_vcnt >= bio->bi_max_vecs)
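Review bot: the compatibility check compares the new page only with the last bvec, which is sufficient because zone_device_pages_compatible() refuses every transition between P2PDMA and non-P2PDMA pages and between different P2PDMA pgmaps, so by induction every page already in the bio is pairwise compatible; a one-line comment saying the last-bvec comparison is enough would save the next reader that derivation.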
--- a/block/blk.h
+++ b/block/blk.h
@@ -104,6 +104,25 @@ static inline bool biovec_phys_mergeable
 	return true;
 }
 
+/*
+ * Check if two pages from potentially different zone device pgmaps can
+ * coexist as separate bvec entries in the same bio.
+ *
+ * The block DMA iterator (blk_dma_map_iter_start) caches the P2PDMA mapping
+ * state from the first segment and applies it to all subsequent segments, so
+ * P2PDMA pages from different pgmaps must not be mixed in the same bio.
+ *
+ * Other zone device types (FS_DAX, GENERIC) use the same dma_map_phys() path
+ * as normal RAM.  PRIVATE and COHERENT pages never appear in bios.
+ */
+static inline bool zone_device_pages_compatible(const struct page *a,
+						const struct page *b)
+{
+	if (is_pci_p2pdma_page(a) || is_pci_p2pdma_page(b))
+		return zone_device_pages_have_same_pgmap(a, b);
+	return true;
+}
+
 static inline bool __bvec_gap_to_prev(const struct queue_limits *lim,
 		struct bio_vec *bprv, unsigned int offset)
 {
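Review bot: the comment asserts that PRIVATE and COHERENT device pages never appear in bios, but nothing in this helper enforces it and the function would return true for them; if correctness relies on that invariant, a `WARN_ON_ONCE()` on those page types or a pointer to where the invariant is enforced would make the assumption checkable.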




* [PATCH 6.6 386/474] sched: Use u64 for bandwidth ratio calculations
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (384 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 385/474] block: relax pgmap check in bio_add_page for compatible zone device pages Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 387/474] RDMA/mana_ib: Disable RX steering on RSS QP destroy Greg Kroah-Hartman
                   ` (88 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Joseph Salisbury,
	Peter Zijlstra (Intel), Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Joseph Salisbury <joseph.salisbury@oracle.com>

[ Upstream commit c6e80201e057dfb7253385e60bf541121bf5dc33 ]

to_ratio() computes BW_SHIFT-scaled bandwidth ratios from u64 period and
runtime values, but it returns unsigned long.  tg_rt_schedulable() also
stores the current group limit and the accumulated child sum in unsigned
long.

On 32-bit builds, large bandwidth ratios can be truncated and the RT
group sum can wrap when enough siblings are present.  That can let an
overcommitted RT hierarchy pass the schedulability check, and it also
narrows the helper result for other callers.

Return u64 from to_ratio() and use u64 for the RT group totals so
bandwidth ratios are preserved and compared at full width on both 32-bit
and 64-bit builds.

Fixes: b40b2e8eb521 ("sched: rt: multi level group constraints")
Assisted-by: Codex:GPT-5
Signed-off-by: Joseph Salisbury <joseph.salisbury@oracle.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260403210014.2713404-1-joseph.salisbury@oracle.com
[ dropped `extern` keyword from `to_ratio()` declaration ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/sched/core.c  |    2 +-
 kernel/sched/rt.c    |    2 +-
 kernel/sched/sched.h |    2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -4823,7 +4823,7 @@ void sched_post_fork(struct task_struct
 	uclamp_post_fork(p);
 }
 
-unsigned long to_ratio(u64 period, u64 runtime)
+u64 to_ratio(u64 period, u64 runtime)
 {
 	if (runtime == RUNTIME_INF)
 		return BW_UNIT;
--- a/kernel/sched/rt.c
+++ b/kernel/sched/rt.c
@@ -2776,7 +2776,7 @@ static int tg_rt_schedulable(struct task
 {
 	struct rt_schedulable_data *d = data;
 	struct task_group *child;
-	unsigned long total, sum = 0;
+	u64 total, sum = 0;
 	u64 period, runtime;
 
 	period = ktime_to_ns(tg->rt_bandwidth.rt_period);
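Review bot: widening `total` and `sum` to u64 here is the only caller-side change in the diffstat, while the commit message says the narrow return value also affected other callers; any remaining caller that assigns to_ratio() into an `unsigned long` still truncates on 32-bit builds after this patch, so those call sites should be audited in the same change.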
--- a/kernel/sched/sched.h
+++ b/kernel/sched/sched.h
@@ -2463,7 +2463,7 @@ extern void init_dl_entity(struct sched_
 #define RATIO_SHIFT		8
 #define MAX_BW_BITS		(64 - BW_SHIFT)
 #define MAX_BW			((1ULL << MAX_BW_BITS) - 1)
-unsigned long to_ratio(u64 period, u64 runtime);
+u64 to_ratio(u64 period, u64 runtime);
 
 extern void init_entity_runnable_average(struct sched_entity *se);
 extern void post_init_entity_util_avg(struct task_struct *p);
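As an added illustration of the width problem the commit message describes (this is not code from the patch or from the kernel tree), the following C model reproduces to_ratio() with the kernel's BW_SHIFT of 20 and emulates the pre-fix 32-bit `unsigned long` result and accumulation with uint32_t. The 4097-child hierarchy and the 1 ns period are constructed to force the wrap and the truncation and are not realistic group settings.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constants as in kernel/sched/sched.h. */
#define BW_SHIFT	20
#define BW_UNIT		(1ULL << BW_SHIFT)	/* ratio of a group using 100% */
#define RUNTIME_INF	((uint64_t)~0ULL)

/* Same arithmetic as the kernel's to_ratio(), kept at full 64-bit width. */
static uint64_t to_ratio_u64(uint64_t period, uint64_t runtime)
{
	if (runtime == RUNTIME_INF)
		return BW_UNIT;
	if (period == 0)
		return 0;
	return (runtime << BW_SHIFT) / period;	/* div64_u64() in the kernel */
}

/* The pre-fix return type on a 32-bit build: unsigned long is 32 bits wide,
 * so the 64-bit quotient is silently truncated at the return. */
static uint32_t to_ratio_narrow(uint64_t period, uint64_t runtime)
{
	return (uint32_t)to_ratio_u64(period, runtime);
}

/*
 * Model of tg_rt_schedulable(): the group's own limit is `total`, the
 * children's demands are summed, and the hierarchy is rejected when
 * sum > total.  `narrow` accumulates in 32 bits as the old code did on
 * 32-bit builds; otherwise in u64 as after the fix.  All children get the
 * same (child_period, child_runtime) for brevity.
 */
static bool rt_hierarchy_schedulable(uint64_t period, uint64_t runtime,
				     unsigned int nchildren,
				     uint64_t child_period, uint64_t child_runtime,
				     bool narrow)
{
	if (narrow) {
		uint32_t total = to_ratio_narrow(period, runtime);
		uint32_t sum = 0;

		for (unsigned int i = 0; i < nchildren; i++)
			sum += to_ratio_narrow(child_period, child_runtime); /* may wrap */
		return sum <= total;
	} else {
		uint64_t total = to_ratio_u64(period, runtime);
		uint64_t sum = 0;

		for (unsigned int i = 0; i < nchildren; i++)
			sum += to_ratio_u64(child_period, child_runtime);
		return sum <= total;
	}
}

int main(void)
{
	const uint64_t sec = 1000000000ULL;	/* 1 s period, in ns */

	/* Constructed worst case: 4097 children each asking for 100%. */
	printf("u64 sum rejects the overcommit: %s\n",
	       rt_hierarchy_schedulable(sec, sec, 4097, sec, sec, false) ? "no" : "yes");
	printf("u32 sum rejects the overcommit: %s\n",
	       rt_hierarchy_schedulable(sec, sec, 4097, sec, sec, true) ? "no" : "yes");
	/* Constructed large ratio: runtime 4096 ns in a 1 ns period is 2^32. */
	printf("ratio truncated to %u (full value %llu)\n",
	       to_ratio_narrow(1, 4096),
	       (unsigned long long)to_ratio_u64(1, 4096));
	return 0;
}
```

With 4097 children at BW_UNIT each, the 32-bit sum wraps to exactly BW_UNIT and the overcommitted hierarchy passes the `sum > total` test; the 64-bit sum rejects it.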




* [PATCH 6.6 387/474] RDMA/mana_ib: Disable RX steering on RSS QP destroy
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (385 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 386/474] sched: Use u64 for bandwidth ratio calculations Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 388/474] net: mctp: fix dont require received header reserved bits to be zero Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Long Li, Leon Romanovsky,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Long Li <longli@microsoft.com>

[ Upstream commit dbeb256e8dd87233d891b170c0b32a6466467036 ]

When an RSS QP is destroyed (e.g. DPDK exit), mana_ib_destroy_qp_rss()
destroys the RX WQ objects but does not disable vPort RX steering in
firmware. This leaves stale steering configuration that still points to
the destroyed RX objects.

If traffic continues to arrive (e.g. peer VM is still transmitting) and
the VF interface is subsequently brought up (mana_open), the firmware
may deliver completions using stale CQ IDs from the old RX objects.
These CQ IDs can be reused by the ethernet driver for new TX CQs,
causing RX completions to land on TX CQs:

  WARNING: mana_poll_tx_cq+0x1b8/0x220 [mana]  (is_sq == false)
  WARNING: mana_gd_process_eq_events+0x209/0x290 (cq_table lookup fails)

Fix this by disabling vPort RX steering before destroying RX WQ objects.
Note that mana_fence_rqs() cannot be used here because the fence
completion is delivered on the CQ, which is polled by user-mode (e.g.
DPDK) and not visible to the kernel driver.

Refactor the disable logic into a shared mana_disable_vport_rx() in
mana_en, exported for use by mana_ib, replacing the duplicate code.
The ethernet driver's mana_dealloc_queues() is also updated to call
this common function.

Fixes: 0266a177631d ("RDMA/mana_ib: Add a driver for Microsoft Azure Network Adapter")
Cc: stable@vger.kernel.org
Signed-off-by: Long Li <longli@microsoft.com>
Link: https://patch.msgid.link/20260325194100.1929056-1-longli@microsoft.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
[ kept early-return error handling and used unquoted NET_MANA namespace in EXPORT_SYMBOL_NS ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/mana/qp.c               |   15 +++++++++++++++
 drivers/net/ethernet/microsoft/mana/mana_en.c |   11 ++++++++++-
 include/net/mana/mana.h                       |    1 +
 3 files changed, 26 insertions(+), 1 deletion(-)

--- a/drivers/infiniband/hw/mana/qp.c
+++ b/drivers/infiniband/hw/mana/qp.c
@@ -449,6 +449,21 @@ static int mana_ib_destroy_qp_rss(struct
 	ndev = mc->ports[qp->port - 1];
 	mpc = netdev_priv(ndev);
 
+	/* Disable vPort RX steering before destroying RX WQ objects.
+	 * Otherwise firmware still routes traffic to the destroyed queues,
+	 * which can cause bogus completions on reused CQ IDs when the
+	 * ethernet driver later creates new queues on mana_open().
+	 *
+	 * Unlike the ethernet teardown path, mana_fence_rqs() cannot be
+	 * used here because the fence completion CQE is delivered on the
+	 * CQ which is polled by userspace (e.g. DPDK), so there is no way
+	 * for the kernel to wait for fence completion.
+	 *
+	 * This is best effort — if it fails there is not much we can do,
+	 * and mana_cfg_vport_steering() already logs the error.
+	 */
+	mana_disable_vport_rx(mpc);
+
 	for (i = 0; i < (1 << ind_tbl->log_ind_tbl_size); i++) {
 		ibwq = ind_tbl->ind_tbl[i];
 		wq = container_of(ibwq, struct mana_ib_wq, ibwq);
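Review bot: the return value of mana_disable_vport_rx() is dropped here; the comment explains this is best effort and that mana_cfg_vport_steering() already logs failures, which is acceptable, but an explicit `(void)` cast or an `ibdev_dbg()` at this call would make the intent visible to static checkers and to the next reader.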
--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
+++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
@@ -2380,6 +2380,13 @@ static void mana_rss_table_init(struct m
 			ethtool_rxfh_indir_default(i, apc->num_queues);
 }
 
+int mana_disable_vport_rx(struct mana_port_context *apc)
+{
+	return mana_cfg_vport_steering(apc, TRI_STATE_FALSE, false, false,
+				       false);
+}
+EXPORT_SYMBOL_NS(mana_disable_vport_rx, NET_MANA);
+
 int mana_config_rss(struct mana_port_context *apc, enum TRI_STATE rx,
 		    bool update_hash, bool update_tab)
 {
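Review bot: the helper hard-codes `update_hash` and `update_tab` to false, matching the `mana_config_rss(apc, TRI_STATE_FALSE, false, false)` call it replaces; a kernel-doc line stating that it only flips the vPort RX steering state and leaves the hash key and indirection table untouched would help the RDMA-side caller, which has no other way to see that.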
@@ -2620,12 +2627,14 @@ static int mana_dealloc_queues(struct ne
 	 */
 
 	apc->rss_state = TRI_STATE_FALSE;
-	err = mana_config_rss(apc, TRI_STATE_FALSE, false, false);
+	err = mana_disable_vport_rx(apc);
 	if (err) {
 		netdev_err(ndev, "Failed to disable vPort: %d\n", err);
 		return err;
 	}
 
+	mana_fence_rqs(apc);
+
 	mana_destroy_vport(apc);
 
 	return 0;
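Review bot: besides swapping in the helper, this hunk adds a `mana_fence_rqs(apc)` call between disabling steering and mana_destroy_vport(); that is a behavioural change in the ethernet teardown that neither the commit message (which only says dealloc_queues now calls the common function) nor the backport note mentions, so either document why the fence is needed here or split it into its own change.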
--- a/include/net/mana/mana.h
+++ b/include/net/mana/mana.h
@@ -437,6 +437,7 @@ struct mana_port_context {
 netdev_tx_t mana_start_xmit(struct sk_buff *skb, struct net_device *ndev);
 int mana_config_rss(struct mana_port_context *ac, enum TRI_STATE rx,
 		    bool update_hash, bool update_tab);
+int mana_disable_vport_rx(struct mana_port_context *apc);
 
 int mana_alloc_queues(struct net_device *ndev);
 int mana_attach(struct net_device *ndev);




* [PATCH 6.6 388/474] net: mctp: fix dont require received header reserved bits to be zero
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (386 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 387/474] RDMA/mana_ib: Disable RX steering on RSS QP destroy Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 389/474] net: bridge: use a stable FDB dst snapshot in RCU readers Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yuan Zhaoming, Jeremy Kerr,
	Jakub Kicinski, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yuan Zhaoming <yuanzm2@lenovo.com>

[ Upstream commit a663bac71a2f0b3ac6c373168ca57b2a6e6381aa ]

From the MCTP Base specification (DSP0236 v1.2.1), the first byte of
the MCTP header contains a 4 bit reserved field, and 4 bit version.

On our current receive path, we require those 4 reserved bits to be
zero, but the 9500-8i card is non-conformant, and may set these
reserved bits.

DSP0236 states that the reserved bits must be written as zero, and
ignored when read. While the device might not conform to the former,
we should accept these message to conform to the latter.

Relax our check on the MCTP version byte to allow non-zero bits in the
reserved field.

Fixes: 889b7da23abf ("mctp: Add initial routing framework")
Signed-off-by: Yuan Zhaoming <yuanzm2@lenovo.com>
Cc: stable@vger.kernel.org
Acked-by: Jeremy Kerr <jk@codeconstruct.com.au>
Link: https://patch.msgid.link/20260417141340.5306-1-yuanzhaoming901030@126.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/mctp.h |    3 +++
 net/mctp/route.c   |    8 ++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

--- a/include/net/mctp.h
+++ b/include/net/mctp.h
@@ -26,6 +26,9 @@ struct mctp_hdr {
 #define MCTP_VER_MIN	1
 #define MCTP_VER_MAX	1
 
+/* Definitions for ver field */
+#define MCTP_HDR_VER_MASK	GENMASK(3, 0)
+
 /* Definitions for flags_seq_tag field */
 #define MCTP_HDR_FLAG_SOM	BIT(7)
 #define MCTP_HDR_FLAG_EOM	BIT(6)
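Review bot: The mask covers only the "ignored when read" half of the DSP0236 rule the commit message quotes; nothing in this patch touches the transmit side, so please confirm that every place that fills `mh->ver` on output still writes a plain `1` rather than propagating a received byte. The comment "Definitions for ver field" would be more useful if it said that bits 7:4 are reserved and are to be masked on receive, never reused as a version extension.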
--- a/net/mctp/route.c
+++ b/net/mctp/route.c
@@ -335,6 +335,7 @@ static int mctp_route_input(struct mctp_
 	unsigned long f;
 	u8 tag, flags;
 	int rc;
+	u8 ver;
 
 	msk = NULL;
 	rc = -EINVAL;
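Review bot: Style only: the new `u8 ver;` could be folded into the existing `u8 tag, flags;` declaration two lines up rather than added after `int rc;`, which keeps the local block in the usual netdev ordering and avoids a one-variable line.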
@@ -357,7 +358,8 @@ static int mctp_route_input(struct mctp_
 	mh = mctp_hdr(skb);
 	skb_pull(skb, sizeof(struct mctp_hdr));
 
-	if (mh->ver != 1)
+	ver = mh->ver & MCTP_HDR_VER_MASK;
+	if (ver < MCTP_VER_MIN || ver > MCTP_VER_MAX)
 		goto out;
 
 	flags = mh->flags_seq_tag & (MCTP_HDR_FLAG_SOM | MCTP_HDR_FLAG_EOM);
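Review bot: The same mask-then-range sequence now appears here and in mctp_pkttype_receive; a small helper in include/net/mctp.h (for example `mctp_hdr_ver_valid(mh)`) would keep the two receive paths from drifting apart the next time the version rules change, e.g. when MCTP_VER_MAX is raised. With MCTP_VER_MIN == MCTP_VER_MAX == 1 the range test reduces to `ver != 1`, which is fine; the range form is still the right one to keep.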
@@ -1124,6 +1126,7 @@ static int mctp_pkttype_receive(struct s
 	struct mctp_skb_cb *cb;
 	struct mctp_route *rt;
 	struct mctp_hdr *mh;
+	u8 ver;
 
 	rcu_read_lock();
 	mdev = __mctp_dev_get(dev);
@@ -1141,7 +1144,8 @@ static int mctp_pkttype_receive(struct s
 
 	/* We have enough for a header; decode and route */
 	mh = mctp_hdr(skb);
-	if (mh->ver < MCTP_VER_MIN || mh->ver > MCTP_VER_MAX)
+	ver = mh->ver & MCTP_HDR_VER_MASK;
+	if (ver < MCTP_VER_MIN || ver > MCTP_VER_MAX)
 		goto err_drop;
 
 	/* source must be valid unicast or null; drop reserved ranges and
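Review bot: This is the entry point that "decode[s] and route[s]", so a header with non-zero reserved bits is now accepted for forwarding as well as for local delivery. Please confirm whether the forwarding path rewrites the first byte to a clean version 1 or relays it unchanged; if the latter, a bridge running this code would emit the same non-conformant header on the next hop, and writing the masked value back (`mh->ver = ver;`) after the check would satisfy the "written as zero" half of the spec rule.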



^ permalink raw reply	[flat|nested] 476+ messages in thread
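The header layout the commit message describes (bits 7:4 reserved, bits 3:0 version) and the difference between the old `!= 1` test and the masked range check, as an added userspace example written for this page. It is not kernel code and not the patch author's; the struct, constants and sample packets below are assumptions modelled on the patch, with the packets constructed for illustration.

```c
/*
 * Added example (not kernel code): a userspace model of the MCTP header
 * version check before and after the fix. The struct layout, constants and
 * packets are assumptions constructed for this example; only the bit
 * positions follow DSP0236 (bits 7:4 reserved, bits 3:0 header version).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MCTP_VER_MIN		1
#define MCTP_VER_MAX		1
#define MCTP_HDR_VER_MASK	0x0fu	/* same bits as GENMASK(3, 0) */
#define MCTP_HDR_RSVD_MASK	0xf0u	/* bits 7:4: "written as zero, ignored on read" */

/* Mirrors the kernel's 4-byte struct mctp_hdr: ver, dest, src, flags/seq/tag. */
struct mctp_hdr {
	uint8_t ver;
	uint8_t dest;
	uint8_t src;
	uint8_t flags_seq_tag;
};

enum mctp_verdict {
	MCTP_ACCEPT = 0,
	MCTP_DROP_SHORT = -1,	/* not even a full header */
	MCTP_DROP_VERSION = -2,	/* version field out of range */
};

/* Behaviour before the fix: the whole first byte had to be exactly 1. */
int mctp_check_strict(const uint8_t *pkt, size_t len)
{
	if (len < sizeof(struct mctp_hdr))
		return MCTP_DROP_SHORT;
	return pkt[0] != 1 ? MCTP_DROP_VERSION : MCTP_ACCEPT;
}

/* Behaviour after the fix: mask the reserved nibble, then range-check. */
int mctp_check_relaxed(const uint8_t *pkt, size_t len)
{
	uint8_t ver;

	if (len < sizeof(struct mctp_hdr))
		return MCTP_DROP_SHORT;
	ver = pkt[0] & MCTP_HDR_VER_MASK;
	if (ver < MCTP_VER_MIN || ver > MCTP_VER_MAX)
		return MCTP_DROP_VERSION;
	return MCTP_ACCEPT;
}

/*
 * Transmit side of the same spec rule: when building or forwarding a
 * header, the reserved bits must go out as zero whatever was received.
 */
uint8_t mctp_clean_ver_byte(uint8_t received_ver_byte)
{
	return received_ver_byte & (uint8_t)~MCTP_HDR_RSVD_MASK;
}

/* Constructed sample packets (dest 0x08, src 0x09, SOM|EOM, tag 0). */
const uint8_t mctp_pkt_conformant[4] = { 0x01, 0x08, 0x09, 0xc0 };
const uint8_t mctp_pkt_rsvd_set[4]   = { 0x81, 0x08, 0x09, 0xc0 }; /* bit 7 set, version 1 */
const uint8_t mctp_pkt_all_rsvd[4]   = { 0xf1, 0x08, 0x09, 0xc0 }; /* all reserved bits set */
const uint8_t mctp_pkt_version2[4]   = { 0x02, 0x08, 0x09, 0xc0 }; /* unsupported version */
const uint8_t mctp_pkt_version0[4]   = { 0x10, 0x08, 0x09, 0xc0 }; /* reserved bit, version 0 */
const uint8_t mctp_pkt_short[2]      = { 0x01, 0x08 };             /* truncated header */

int main(void)
{
	const struct { const char *name; const uint8_t *pkt; size_t len; } samples[] = {
		{ "conformant",       mctp_pkt_conformant, sizeof(mctp_pkt_conformant) },
		{ "reserved bit set", mctp_pkt_rsvd_set,   sizeof(mctp_pkt_rsvd_set) },
		{ "all reserved set", mctp_pkt_all_rsvd,   sizeof(mctp_pkt_all_rsvd) },
		{ "version 2",        mctp_pkt_version2,   sizeof(mctp_pkt_version2) },
		{ "version 0",        mctp_pkt_version0,   sizeof(mctp_pkt_version0) },
		{ "truncated",        mctp_pkt_short,      sizeof(mctp_pkt_short) },
	};

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-18s strict=%d relaxed=%d\n", samples[i].name,
		       mctp_check_strict(samples[i].pkt, samples[i].len),
		       mctp_check_relaxed(samples[i].pkt, samples[i].len));
	return 0;
}
```

The "reserved bit set" and "all reserved set" rows are the non-conformant-device case the patch exists for: rejected by the strict byte compare, accepted once the nibble is masked, while a genuinely unsupported version (or a version 0 hiding behind a reserved bit) is still dropped by both checks.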

* [PATCH 6.6 389/474] net: bridge: use a stable FDB dst snapshot in RCU readers
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (387 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 388/474] net: mctp: fix dont require received header reserved bits to be zero Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 390/474] net: qrtr: ns: Limit the maximum server registration per node Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yifan Wu, Juefei Pu,
	Yuan Tan, Xin Liu, Ren Wei, Zhengchuan Liang, Ren Wei,
	Ido Schimmel, Nikolay Aleksandrov, Paolo Abeni, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhengchuan Liang <zcliangcn@gmail.com>

[ Upstream commit df4601653201de21b487c3e7fffd464790cab808 ]

Local FDB entries can be rewritten in place by `fdb_delete_local()`, which
updates `f->dst` to another port or to `NULL` while keeping the entry
alive. Several bridge RCU readers inspect `f->dst`, including
`br_fdb_fillbuf()` through the `brforward_read()` sysfs path.

These readers currently load `f->dst` multiple times and can therefore
observe inconsistent values across the check and later dereference.
In `br_fdb_fillbuf()`, this means a concurrent local-FDB update can change
`f->dst` after the NULL check and before the `port_no` dereference,
leading to a NULL-ptr-deref.

Fix this by taking a single `READ_ONCE()` snapshot of `f->dst` in each
affected RCU reader and using that snapshot for the rest of the access
sequence. Also publish the in-place `f->dst` updates in `fdb_delete_local()`
with `WRITE_ONCE()` so the readers and writer use matching access patterns.

Fixes: 960b589f86c7 ("bridge: Properly check if local fdb entry can be deleted in br_fdb_change_mac_address")
Cc: stable@kernel.org
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Ren Wei <enjou1224z@gmail.com>
Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://patch.msgid.link/6570fabb85ecadb8baaf019efe856f407711c7b9.1776043229.git.zcliangcn@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[ kept `*idx < cb->args[2]` instead of `*idx < ctx->fdb_idx` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bridge/br_arp_nd_proxy.c |    8 +++++---
 net/bridge/br_fdb.c          |   28 ++++++++++++++++++----------
 2 files changed, 23 insertions(+), 13 deletions(-)

--- a/net/bridge/br_arp_nd_proxy.c
+++ b/net/bridge/br_arp_nd_proxy.c
@@ -199,11 +199,12 @@ void br_do_proxy_suppress_arp(struct sk_
 
 		f = br_fdb_find_rcu(br, n->ha, vid);
 		if (f) {
+			const struct net_bridge_port *dst = READ_ONCE(f->dst);
 			bool replied = false;
 
 			if ((p && (p->flags & BR_PROXYARP)) ||
-			    (f->dst && (f->dst->flags & BR_PROXYARP_WIFI)) ||
-			    br_is_neigh_suppress_enabled(f->dst, vid)) {
+			    (dst && (dst->flags & BR_PROXYARP_WIFI)) ||
+			    br_is_neigh_suppress_enabled(dst, vid)) {
 				if (!vid)
 					br_arp_send(br, p, skb->dev, sip, tip,
 						    sha, n->ha, sha, 0, 0);
@@ -463,9 +464,10 @@ void br_do_suppress_nd(struct sk_buff *s
 
 		f = br_fdb_find_rcu(br, n->ha, vid);
 		if (f) {
+			const struct net_bridge_port *dst = READ_ONCE(f->dst);
 			bool replied = false;
 
-			if (br_is_neigh_suppress_enabled(f->dst, vid)) {
+			if (br_is_neigh_suppress_enabled(dst, vid)) {
 				if (vid != 0)
 					br_nd_send(br, p, skb, n,
 						   skb->vlan_proto,
--- a/net/bridge/br_fdb.c
+++ b/net/bridge/br_fdb.c
@@ -246,6 +246,7 @@ struct net_device *br_fdb_find_port(cons
 				    const unsigned char *addr,
 				    __u16 vid)
 {
+	const struct net_bridge_port *dst;
 	struct net_bridge_fdb_entry *f;
 	struct net_device *dev = NULL;
 	struct net_bridge *br;
@@ -258,8 +259,11 @@ struct net_device *br_fdb_find_port(cons
 	br = netdev_priv(br_dev);
 	rcu_read_lock();
 	f = br_fdb_find_rcu(br, addr, vid);
-	if (f && f->dst)
-		dev = f->dst->dev;
+	if (f) {
+		dst = READ_ONCE(f->dst);
+		if (dst)
+			dev = dst->dev;
+	}
 	rcu_read_unlock();
 
 	return dev;
@@ -349,7 +353,7 @@ static void fdb_delete_local(struct net_
 		vg = nbp_vlan_group(op);
 		if (op != p && ether_addr_equal(op->dev->dev_addr, addr) &&
 		    (!vid || br_vlan_find(vg, vid))) {
-			f->dst = op;
+			WRITE_ONCE(f->dst, op);
 			clear_bit(BR_FDB_ADDED_BY_USER, &f->flags);
 			return;
 		}
@@ -360,7 +364,7 @@ static void fdb_delete_local(struct net_
 	/* Maybe bridge device has same hw addr? */
 	if (p && ether_addr_equal(br->dev->dev_addr, addr) &&
 	    (!vid || (v && br_vlan_should_use(v)))) {
-		f->dst = NULL;
+		WRITE_ONCE(f->dst, NULL);
 		clear_bit(BR_FDB_ADDED_BY_USER, &f->flags);
 		return;
 	}
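Review bot: These are the two in-place rewrites the commit message names, but they are only the writers inside fdb_delete_local(); if `f->dst` is rewritten in place anywhere else (the learning path that moves an entry to a different port is the obvious candidate) those sites need the same WRITE_ONCE() for the READ_ONCE() readers in this patch to be paired with every writer they can race against. Worth a grep before merging, and a short comment on the `dst` field in br_private.h saying "written with WRITE_ONCE, read with READ_ONCE under RCU" so the rule survives the next refactor.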
@@ -790,6 +794,7 @@ int br_fdb_test_addr(struct net_device *
 int br_fdb_fillbuf(struct net_bridge *br, void *buf,
 		   unsigned long maxnum, unsigned long skip)
 {
+	const struct net_bridge_port *dst;
 	struct net_bridge_fdb_entry *f;
 	struct __fdb_entry *fe = buf;
 	unsigned long delta;
@@ -806,7 +811,8 @@ int br_fdb_fillbuf(struct net_bridge *br
 			continue;
 
 		/* ignore pseudo entry for local MAC address */
-		if (!f->dst)
+		dst = READ_ONCE(f->dst);
+		if (!dst)
 			continue;
 
 		if (skip) {
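Review bot: The single load at the top of the iteration is what keeps the later `dst->port_no` dereference consistent with the NULL test, so the "ignore pseudo entry for local MAC address" comment should say why the value is snapshotted (fdb_delete_local() may clear `f->dst` concurrently); as written, a reader sees a plain local and may "simplify" it back to `f->dst` in a later cleanup.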
@@ -818,8 +824,8 @@ int br_fdb_fillbuf(struct net_bridge *br
 		memcpy(fe->mac_addr, f->key.addr.addr, ETH_ALEN);
 
 		/* due to ABI compat need to split into hi/lo */
-		fe->port_no = f->dst->port_no;
-		fe->port_hi = f->dst->port_no >> 8;
+		fe->port_no = dst->port_no;
+		fe->port_hi = dst->port_no >> 8;
 
 		fe->is_local = test_bit(BR_FDB_LOCAL, &f->flags);
 		if (!test_bit(BR_FDB_STATIC, &f->flags)) {
@@ -940,9 +946,11 @@ int br_fdb_dump(struct sk_buff *skb,
 
 	rcu_read_lock();
 	hlist_for_each_entry_rcu(f, &br->fdb_list, fdb_node) {
+		const struct net_bridge_port *dst = READ_ONCE(f->dst);
+
 		if (*idx < cb->args[2])
 			goto skip;
-		if (filter_dev && (!f->dst || f->dst->dev != filter_dev)) {
+		if (filter_dev && (!dst || dst->dev != filter_dev)) {
 			if (filter_dev != dev)
 				goto skip;
 			/* !f->dst is a special case for bridge
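Review bot: The comment text still refers to `!f->dst` (here and in the "we only want to dump the !f->dst case" line of the next hunk) while the code now tests the `dst` snapshot; update both to `!dst` so the comment matches what is actually checked. Taking the snapshot before the `*idx < cb->args[2]` skip is fine, it is a single load per entry.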
@@ -950,10 +958,10 @@ int br_fdb_dump(struct sk_buff *skb,
 			 * Therefore need a little more filtering
 			 * we only want to dump the !f->dst case
 			 */
-			if (f->dst)
+			if (dst)
 				goto skip;
 		}
-		if (!filter_dev && f->dst)
+		if (!filter_dev && dst)
 			goto skip;
 
 		err = fdb_fill_info(skb, br, f,




* [PATCH 6.6 390/474] net: qrtr: ns: Limit the maximum server registration per node
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (388 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 389/474] net: bridge: use a stable FDB dst snapshot in RCU readers Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 391/474] net: qrtr: ns: Limit the maximum number of lookups Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yiming Qian, Simon Horman,
	Manivannan Sadhasivam, Jakub Kicinski, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>

[ Upstream commit d5ee2ff98322337951c56398e79d51815acbf955 ]

Current code does no bounds checking on the number of servers added per
node. A malicious client can flood NEW_SERVER messages and exhaust memory.

Fix this issue by limiting the maximum number of server registrations to
256 per node. If the NEW_SERVER message is received for an old port, then
don't restrict it as it will get replaced. While at it, also rate limit
the error messages in the failure path of qrtr_ns_worker().

Note that the limit of 256 is chosen based on the current platform
requirements. If requirement changes in the future, this limit can be
increased.

Cc: stable@vger.kernel.org
Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace")
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
Link: https://patch.msgid.link/20260409-qrtr-fix-v3-1-00a8a5ff2b51@oss.qualcomm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/qrtr/ns.c |   26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)

--- a/net/qrtr/ns.c
+++ b/net/qrtr/ns.c
@@ -68,8 +68,14 @@ struct qrtr_server {
 struct qrtr_node {
 	unsigned int id;
 	struct xarray servers;
+	u32 server_count;
 };
 
+/* Max server limit is chosen based on the current platform requirements. If the
+ * requirement changes in the future, this value can be increased.
+ */
+#define QRTR_NS_MAX_SERVERS 256
+
 static struct qrtr_node *node_get(unsigned int node_id)
 {
 	struct qrtr_node *node;
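Review bot: The comment on QRTR_NS_MAX_SERVERS explains the number but not what `server_count` counts; state that it tracks entries in `node->servers` (incremented only when xa_store() replaced nothing, decremented in server_del()) so any future code that erases servers from the xarray directly knows it must keep the counter in step.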
@@ -227,6 +233,17 @@ static struct qrtr_server *server_add(un
 	if (!service || !port)
 		return NULL;
 
+	node = node_get(node_id);
+	if (!node)
+		return NULL;
+
+	/* Make sure the new servers per port are capped at the maximum value */
+	old = xa_load(&node->servers, port);
+	if (!old && node->server_count >= QRTR_NS_MAX_SERVERS) {
+		pr_err_ratelimited("QRTR client node %u exceeds max server limit!\n", node_id);
+		return NULL;
+	}
+
 	srv = kzalloc(sizeof(*srv), GFP_KERNEL);
 	if (!srv)
 		return NULL;
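Review bot: Moving node_get() ahead of the srv allocation means a failed `kzalloc(sizeof(*srv))` (or, once the node cap lands, any later failure) now leaves behind a freshly created, empty node that only goes away on BYE; before, a node was only created once there was a server to store in it. Either keep node_get() after the allocation and do the xa_load()/count check there, or note in a comment that an empty node is acceptable. Also, the xa_load() here followed by xa_store() further down is only race-free because everything runs from the single qrtr_ns_worker; a one-line comment saying the count and the lookup are serialised by the worker would save the next reader that check.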
@@ -236,10 +253,6 @@ static struct qrtr_server *server_add(un
 	srv->node = node_id;
 	srv->port = port;
 
-	node = node_get(node_id);
-	if (!node)
-		goto err;
-
 	/* Delete the old server on the same port */
 	old = xa_store(&node->servers, port, srv, GFP_KERNEL);
 	if (old) {
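Review bot: With the `goto err` removed here, please confirm the `err:` label is still referenced by the xa_is_err() branch just below (only its `else` arm is visible in the next hunk); if it is not, this leaves an unused-label warning and the label should go too.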
@@ -250,6 +263,8 @@ static struct qrtr_server *server_add(un
 		} else {
 			kfree(old);
 		}
+	} else {
+		node->server_count++;
 	}
 
 	trace_qrtr_ns_server_add(srv->service, srv->instance,
@@ -290,6 +305,7 @@ static int server_del(struct qrtr_node *
 	}
 
 	kfree(srv);
+	node->server_count--;
 
 	return 0;
 }
@@ -678,7 +694,7 @@ static void qrtr_ns_worker(struct work_s
 		}
 
 		if (ret < 0)
-			pr_err("failed while handling packet from %d:%d",
+			pr_err_ratelimited("failed while handling packet from %d:%d",
 			       sq.sq_node, sq.sq_port);
 	}
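Review bot: The continuation line `sq.sq_node, sq.sq_port);` kept its old indentation and no longer lines up with the opening parenthesis of pr_err_ratelimited(), which checkpatch will flag; since the line is being touched anyway, the format string is also missing its trailing "\n".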
 




* [PATCH 6.6 391/474] net: qrtr: ns: Limit the maximum number of lookups
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (389 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 390/474] net: qrtr: ns: Limit the maximum server registration per node Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 392/474] net: qrtr: ns: Limit the total number of nodes Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Manivannan Sadhasivam,
	Jakub Kicinski, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>

[ Upstream commit 5640227d9a21c6a8be249a10677b832e7f40dc55 ]

Current code does no bounds checking on the number of lookups a client can
perform. Though the code restricts the lookups to local clients, there is
still a possibility of a malicious local client sending a flood of
NEW_LOOKUP messages over the same socket.

Fix this issue by limiting the maximum number of lookups to 64 globally.
Since the nameserver allows only at most one local observer, this global
lookup count will ensure that the lookups stay within the limit.

Note that the limit of 64 is chosen based on the current platform
requirements. If requirement changes in the future, this limit can be
increased.

Cc: stable@vger.kernel.org
Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace")
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
Link: https://patch.msgid.link/20260409-qrtr-fix-v3-2-00a8a5ff2b51@oss.qualcomm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ adapted comment block to only mention QRTR_NS_MAX_LOOKUPS and kept kzalloc() instead of kzalloc_obj() due to missing prerequisite commits ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/qrtr/ns.c |   14 ++++++++++++++
 1 file changed, 14 insertions(+)

--- a/net/qrtr/ns.c
+++ b/net/qrtr/ns.c
@@ -22,6 +22,7 @@ static struct {
 	struct socket *sock;
 	struct sockaddr_qrtr bcast_sq;
 	struct list_head lookups;
+	u32 lookup_count;
 	struct workqueue_struct *workqueue;
 	struct work_struct work;
 	void (*saved_data_ready)(struct sock *sk);
@@ -76,6 +77,11 @@ struct qrtr_node {
  */
 #define QRTR_NS_MAX_SERVERS 256
 
+/* Max lookup limit is chosen based on the current platform requirements. If the
+ * requirement changes in the future, this value can be increased.
+ */
+#define QRTR_NS_MAX_LOOKUPS 64
+
 static struct qrtr_node *node_get(unsigned int node_id)
 {
 	struct qrtr_node *node;
@@ -441,6 +447,7 @@ static int ctrl_cmd_del_client(struct so
 
 		list_del(&lookup->li);
 		kfree(lookup);
+		qrtr_ns.lookup_count--;
 	}
 
 	/* Remove the server belonging to this port but don't broadcast
@@ -558,6 +565,11 @@ static int ctrl_cmd_new_lookup(struct so
 	if (from->sq_node != qrtr_ns.local_node)
 		return -EINVAL;
 
+	if (qrtr_ns.lookup_count >= QRTR_NS_MAX_LOOKUPS) {
+		pr_err_ratelimited("QRTR client node exceeds max lookup limit!\n");
+		return -ENOSPC;
+	}
+
 	lookup = kzalloc(sizeof(*lookup), GFP_KERNEL);
 	if (!lookup)
 		return -ENOMEM;
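Review bot: The limit is global but the message says "client node exceeds"; since the count is not per port, a single local port that accumulates 64 outstanding lookups makes every later NEW_LOOKUP from any other local port fail with -ENOSPC until a DEL_LOOKUP or DEL_CLIENT. The commit message justifies this with the at-most-one-local-observer assumption; that assumption belongs in the comment above QRTR_NS_MAX_LOOKUPS so a change that allows more observers revisits it. Note also that -ENOSPC propagates to qrtr_ns_worker, which then logs a second rate-limited "failed while handling packet" line for the same event.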
@@ -566,6 +578,7 @@ static int ctrl_cmd_new_lookup(struct so
 	lookup->service = service;
 	lookup->instance = instance;
 	list_add_tail(&lookup->li, &qrtr_ns.lookups);
+	qrtr_ns.lookup_count++;
 
 	memset(&filter, 0, sizeof(filter));
 	filter.service = service;
@@ -606,6 +619,7 @@ static void ctrl_cmd_del_lookup(struct s
 
 		list_del(&lookup->li);
 		kfree(lookup);
+		qrtr_ns.lookup_count--;
 	}
 }
 




* [PATCH 6.6 392/474] net: qrtr: ns: Limit the total number of nodes
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (390 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 391/474] net: qrtr: ns: Limit the maximum number of lookups Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 393/474] spi: fix resource leaks on device setup failure Greg Kroah-Hartman
                   ` (82 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Manivannan Sadhasivam,
	Jakub Kicinski, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>

[ Upstream commit 27d5e84e810b0849d08b9aec68e48570461ce313 ]

Currently, the nameserver doesn't limit the number of nodes it handles.
This can be an attack vector if a malicious client starts registering
random nodes, leading to memory exhaustion.

Hence, limit the maximum number of nodes to 64. Note that the limit of 64 is
chosen based on the current platform requirements. If requirement changes
in the future, this limit can be increased.

Cc: stable@vger.kernel.org
Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace")
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
Link: https://patch.msgid.link/20260409-qrtr-fix-v3-4-00a8a5ff2b51@oss.qualcomm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ dropped comment/define changes for missing QRTR_NS_MAX_SERVERS/LOOKUPS prereqs and kept plain kzalloc instead of kzalloc_obj ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/qrtr/ns.c |   15 +++++++++++++++
 1 file changed, 15 insertions(+)

--- a/net/qrtr/ns.c
+++ b/net/qrtr/ns.c
@@ -82,6 +82,13 @@ struct qrtr_node {
  */
 #define QRTR_NS_MAX_LOOKUPS 64
 
+/* Max nodes limit is chosen based on the current platform requirements.
+ * If the requirement changes in the future, this value can be increased.
+ */
+#define QRTR_NS_MAX_NODES   64
+
+static u8 node_count;
+
 static struct qrtr_node *node_get(unsigned int node_id)
 {
 	struct qrtr_node *node;
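Review bot: `node_count` is a `u8` while the comment above it invites raising QRTR_NS_MAX_NODES; any value above 255 would wrap silently and defeat the check. Use `u32` like `server_count` and `lookup_count`, or add `static_assert(QRTR_NS_MAX_NODES <= U8_MAX)`. Separately, the backport note says the QRTR_NS_MAX_SERVERS/LOOKUPS comment and define changes were dropped for missing prerequisites, yet the hunk context shows `#define QRTR_NS_MAX_LOOKUPS 64` already present from the preceding patch in this series; the note looks stale.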
@@ -90,6 +97,11 @@ static struct qrtr_node *node_get(unsign
 	if (node)
 		return node;
 
+	if (node_count >= QRTR_NS_MAX_NODES) {
+		pr_err_ratelimited("QRTR clients exceed max node limit!\n");
+		return NULL;
+	}
+
 	/* If node didn't exist, allocate and insert it to the tree */
 	node = kzalloc(sizeof(*node), GFP_KERNEL);
 	if (!node)
@@ -103,6 +115,8 @@ static struct qrtr_node *node_get(unsign
 		return NULL;
 	}
 
+	node_count++;
+
 	return node;
 }
 
@@ -406,6 +420,7 @@ static int ctrl_cmd_bye(struct sockaddr_
 delete_node:
 	xa_erase(&nodes, from->sq_node);
 	kfree(node);
+	node_count--;
 
 	return ret;
 }
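Review bot: This is the only decrement, so node_count stays correct only if ctrl_cmd_bye() is the only path that frees a node. Please confirm nodes are not released anywhere else (module teardown, or a node whose last server is deleted); otherwise the counter drifts upward and eventually locks every new node out with the rate-limited error, which would be a self-inflicted denial of service rather than the fix for one.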




* [PATCH 6.6 393/474] spi: fix resource leaks on device setup failure
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (391 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 392/474] net: qrtr: ns: Limit the total number of nodes Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 394/474] fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Saravana Kannan, Johan Hovold,
	Mark Brown, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

[ Upstream commit db357034f7e0cf23f233f414a8508312dfe8fbbe ]

Make sure to call controller cleanup() if spi_setup() fails while
registering a device to avoid leaking any resources allocated by
setup().

Fixes: c7299fea6769 ("spi: Fix spi device unregister flow")
Cc: stable@vger.kernel.org	# 5.13
Cc: Saravana Kannan <saravanak@kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410154907.129248-2-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi.c |   61 ++++++++++++++++++++++++++++++++----------------------
 1 file changed, 37 insertions(+), 24 deletions(-)

--- a/drivers/spi/spi.c
+++ b/drivers/spi/spi.c
@@ -42,6 +42,8 @@ EXPORT_TRACEPOINT_SYMBOL(spi_transfer_st
 
 #include "internals.h"
 
+static int __spi_setup(struct spi_device *spi, bool initial_setup);
+
 static DEFINE_IDR(spi_master_idr);
 
 static void spidev_release(struct device *dev)
@@ -677,7 +679,7 @@ static int __spi_add_device(struct spi_d
 	 * normally rely on the device being setup.  Devices
 	 * using SPI_CS_HIGH can't coexist well otherwise...
 	 */
-	status = spi_setup(spi);
+	status = __spi_setup(spi, true);
 	if (status < 0) {
 		dev_err(dev, "can't setup %s, status %d\n",
 				dev_name(&spi->dev), status);
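Review bot: Now that the initial setup cleans up after itself, the failure path of __spi_add_device() below this dev_err() (not shown) must not call spi_cleanup() as well, or cleanup() runs twice; please confirm it just returns `status`, as the commit message's description of the leak implies.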
@@ -3734,27 +3736,7 @@ static int spi_set_cs_timing(struct spi_
 	return status;
 }
 
-/**
- * spi_setup - setup SPI mode and clock rate
- * @spi: the device whose settings are being modified
- * Context: can sleep, and no requests are queued to the device
- *
- * SPI protocol drivers may need to update the transfer mode if the
- * device doesn't work with its default.  They may likewise need
- * to update clock rates or word sizes from initial values.  This function
- * changes those settings, and must be called from a context that can sleep.
- * Except for SPI_CS_HIGH, which takes effect immediately, the changes take
- * effect the next time the device is selected and data is transferred to
- * or from it.  When this function returns, the SPI device is deselected.
- *
- * Note that this call will fail if the protocol driver specifies an option
- * that the underlying controller or its driver does not support.  For
- * example, not all hardware supports wire transfers using nine bit words,
- * LSB-first wire encoding, or active-high chipselects.
- *
- * Return: zero on success, else a negative error code.
- */
-int spi_setup(struct spi_device *spi)
+static int __spi_setup(struct spi_device *spi, bool initial_setup)
 {
 	unsigned	bad_bits, ugly_bits;
 	int		status = 0;
@@ -3833,7 +3815,7 @@ int spi_setup(struct spi_device *spi)
 	status = spi_set_cs_timing(spi);
 	if (status) {
 		mutex_unlock(&spi->controller->io_mutex);
-		return status;
+		goto err_cleanup;
 	}
 
 	if (spi->controller->auto_runtime_pm && spi->controller->set_cs) {
@@ -3842,7 +3824,7 @@ int spi_setup(struct spi_device *spi)
 			mutex_unlock(&spi->controller->io_mutex);
 			dev_err(&spi->controller->dev, "Failed to power device: %d\n",
 				status);
-			return status;
+			goto err_cleanup;
 		}
 
 		/*
@@ -3879,6 +3861,37 @@ int spi_setup(struct spi_device *spi)
 			status);
 
 	return status;
+
+err_cleanup:
+	if (initial_setup)
+		spi_cleanup(spi);
+
+	return status;
+}
+
+/**
+ * spi_setup - setup SPI mode and clock rate
+ * @spi: the device whose settings are being modified
+ * Context: can sleep, and no requests are queued to the device
+ *
+ * SPI protocol drivers may need to update the transfer mode if the
+ * device doesn't work with its default.  They may likewise need
+ * to update clock rates or word sizes from initial values.  This function
+ * changes those settings, and must be called from a context that can sleep.
+ * Except for SPI_CS_HIGH, which takes effect immediately, the changes take
+ * effect the next time the device is selected and data is transferred to
+ * or from it.  When this function returns, the SPI device is deselected.
+ *
+ * Note that this call will fail if the protocol driver specifies an option
+ * that the underlying controller or its driver does not support.  For
+ * example, not all hardware supports wire transfers using nine bit words,
+ * LSB-first wire encoding, or active-high chipselects.
+ *
+ * Return: zero on success, else a negative error code.
+ */
+int spi_setup(struct spi_device *spi)
+{
+	return __spi_setup(spi, false);
 }
 EXPORT_SYMBOL_GPL(spi_setup);
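Review bot: The `initial_setup` split is the right one: on a later spi_setup() from a protocol driver the device stays registered, so the controller's cleanup() will still run on unregister and freeing here would be a double free. A one-line comment on the `err_cleanup:` label saying exactly that would stop someone from "simplifying" it to an unconditional spi_cleanup(). The kernel-doc block is moved unchanged onto the exported wrapper, so the documented API is preserved.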
 




* [PATCH 6.6 394/474] fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (392 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 393/474] spi: fix resource leaks on device setup failure Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 395/474] firmware: google: framebuffer: Do not unregister platform device Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Thomas Zimmermann, Helge Deller,
	linux-fbdev, dri-devel, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Zimmermann <tzimmermann@suse.de>

[ Upstream commit 9ded47ad003f09a94b6a710b5c47f4aa5ceb7429 ]

Hold state of deferred I/O in struct fb_deferred_io_state. Allocate an
instance as part of initializing deferred I/O and remove it only after
the final mapping has been closed. If the fb_info and the contained
deferred I/O meanwhile go away, clear struct fb_deferred_io_state.info
to invalidate the mapping. Any access will then result in a SIGBUS
signal.

Fixes a long-standing problem, where a device hot-unplug happens while
user space still has an active mapping of the graphics memory. The hot-
unplug frees the instance of struct fb_info. Accessing the memory will
operate on undefined state.

Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Fixes: 60b59beafba8 ("fbdev: mm: Deferred IO support")
Cc: Helge Deller <deller@gmx.de>
Cc: linux-fbdev@vger.kernel.org
Cc: dri-devel@lists.freedesktop.org
Cc: stable@vger.kernel.org # v2.6.22+
Signed-off-by: Helge Deller <deller@gmx.de>
[ replaced `kzalloc_obj` with `kzalloc`, and dropped `mutex_destroy(&fbdefio->lock)` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/video/fbdev/core/fb_defio.c |  179 ++++++++++++++++++++++++++++--------
 include/linux/fb.h                  |    4 
 2 files changed, 145 insertions(+), 38 deletions(-)

--- a/drivers/video/fbdev/core/fb_defio.c
+++ b/drivers/video/fbdev/core/fb_defio.c
@@ -23,6 +23,75 @@
 #include <linux/rmap.h>
 #include <linux/pagemap.h>
 
+/*
+ * struct fb_deferred_io_state
+ */
+
+struct fb_deferred_io_state {
+	struct kref ref;
+
+	struct mutex lock; /* mutex that protects the pageref list */
+	/* fields protected by lock */
+	struct fb_info *info;
+};
+
+static struct fb_deferred_io_state *fb_deferred_io_state_alloc(void)
+{
+	struct fb_deferred_io_state *fbdefio_state;
+
+	fbdefio_state = kzalloc(sizeof(*fbdefio_state), GFP_KERNEL);
+	if (!fbdefio_state)
+		return NULL;
+
+	kref_init(&fbdefio_state->ref);
+	mutex_init(&fbdefio_state->lock);
+
+	return fbdefio_state;
+}
+
+static void fb_deferred_io_state_release(struct fb_deferred_io_state *fbdefio_state)
+{
+	mutex_destroy(&fbdefio_state->lock);
+
+	kfree(fbdefio_state);
+}
+
+static void fb_deferred_io_state_get(struct fb_deferred_io_state *fbdefio_state)
+{
+	kref_get(&fbdefio_state->ref);
+}
+
+static void __fb_deferred_io_state_release(struct kref *ref)
+{
+	struct fb_deferred_io_state *fbdefio_state =
+		container_of(ref, struct fb_deferred_io_state, ref);
+
+	fb_deferred_io_state_release(fbdefio_state);
+}
+
+static void fb_deferred_io_state_put(struct fb_deferred_io_state *fbdefio_state)
+{
+	kref_put(&fbdefio_state->ref, __fb_deferred_io_state_release);
+}
+
+/*
+ * struct vm_operations_struct
+ */
+
+static void fb_deferred_io_vm_open(struct vm_area_struct *vma)
+{
+	struct fb_deferred_io_state *fbdefio_state = vma->vm_private_data;
+
+	fb_deferred_io_state_get(fbdefio_state);
+}
+
+static void fb_deferred_io_vm_close(struct vm_area_struct *vma)
+{
+	struct fb_deferred_io_state *fbdefio_state = vma->vm_private_data;
+
+	fb_deferred_io_state_put(fbdefio_state);
+}
+
 static struct page *fb_deferred_io_page(struct fb_info *info, unsigned long offs)
 {
 	void *screen_base = (void __force *) info->screen_base;
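Review bot: The comment on `lock` says it "protects the pageref list", but the only field under it in this struct is `info`, and the list it now also guards lives in `info->fbdefio`; say both, so a reader understands why the lock moved out of struct fb_deferred_io and why `info` must be read under it. The mutex_destroy() in fb_deferred_io_state_release() is for this new lock and is correct to keep; the one the backport note drops was for the old `fbdefio->lock`.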
@@ -93,17 +162,31 @@ static void fb_deferred_io_pageref_put(s
 /* this is to find and return the vmalloc-ed fb pages */
 static vm_fault_t fb_deferred_io_fault(struct vm_fault *vmf)
 {
+	struct fb_info *info;
 	unsigned long offset;
 	struct page *page;
-	struct fb_info *info = vmf->vma->vm_private_data;
+	vm_fault_t ret;
+	struct fb_deferred_io_state *fbdefio_state = vmf->vma->vm_private_data;
+
+	mutex_lock(&fbdefio_state->lock);
+
+	info = fbdefio_state->info;
+	if (!info) {
+		ret = VM_FAULT_SIGBUS; /* our device is gone */
+		goto err_mutex_unlock;
+	}
 
 	offset = vmf->pgoff << PAGE_SHIFT;
-	if (offset >= info->fix.smem_len)
-		return VM_FAULT_SIGBUS;
+	if (offset >= info->fix.smem_len) {
+		ret = VM_FAULT_SIGBUS;
+		goto err_mutex_unlock;
+	}
 
 	page = fb_deferred_io_page(info, offset);
-	if (!page)
-		return VM_FAULT_SIGBUS;
+	if (!page) {
+		ret = VM_FAULT_SIGBUS;
+		goto err_mutex_unlock;
+	}
 
 	get_page(page);
 
@@ -115,8 +198,15 @@ static vm_fault_t fb_deferred_io_fault(s
 	BUG_ON(!page->mapping);
 	page->index = vmf->pgoff; /* for page_mkclean() */
 
+	mutex_unlock(&fbdefio_state->lock);
+
 	vmf->page = page;
+
 	return 0;
+
+err_mutex_unlock:
+	mutex_unlock(&fbdefio_state->lock);
+	return ret;
 }
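Review bot: The mutex is now held across get_page() and the page->mapping/index bookkeeping as well as the two SIGBUS checks, so every fault on the mapping serialises against track_page() and the deferred-I/O worker. That is acceptable for a sleepable fault path, but the scope should be stated in a comment: the lock is held that long because `fbdefio_state->info` may be cleared by hot-unplug at any point, not because the page lookup itself needs it.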
 
 int fb_deferred_io_fsync(struct file *file, loff_t start, loff_t end, int datasync)
@@ -143,15 +233,24 @@ EXPORT_SYMBOL_GPL(fb_deferred_io_fsync);
  * Adds a page to the dirty list. Call this from struct
  * vm_operations_struct.page_mkwrite.
  */
-static vm_fault_t fb_deferred_io_track_page(struct fb_info *info, unsigned long offset,
-					    struct page *page)
+static vm_fault_t fb_deferred_io_track_page(struct fb_deferred_io_state *fbdefio_state,
+					    unsigned long offset, struct page *page)
 {
-	struct fb_deferred_io *fbdefio = info->fbdefio;
+	struct fb_info *info;
+	struct fb_deferred_io *fbdefio;
 	struct fb_deferred_io_pageref *pageref;
 	vm_fault_t ret;
 
 	/* protect against the workqueue changing the page list */
-	mutex_lock(&fbdefio->lock);
+	mutex_lock(&fbdefio_state->lock);
+
+	info = fbdefio_state->info;
+	if (!info) {
+		ret = VM_FAULT_SIGBUS; /* our device is gone */
+		goto err_mutex_unlock;
+	}
+
+	fbdefio = info->fbdefio;
 
 	pageref = fb_deferred_io_pageref_get(info, offset, page);
 	if (WARN_ON_ONCE(!pageref)) {
@@ -169,50 +268,38 @@ static vm_fault_t fb_deferred_io_track_p
 	 */
 	lock_page(pageref->page);
 
-	mutex_unlock(&fbdefio->lock);
+	mutex_unlock(&fbdefio_state->lock);
 
 	/* come back after delay to process the deferred IO */
 	schedule_delayed_work(&info->deferred_work, fbdefio->delay);
 	return VM_FAULT_LOCKED;
 
 err_mutex_unlock:
-	mutex_unlock(&fbdefio->lock);
+	mutex_unlock(&fbdefio_state->lock);
 	return ret;
 }
 
-/*
- * fb_deferred_io_page_mkwrite - Mark a page as written for deferred I/O
- * @fb_info: The fbdev info structure
- * @vmf: The VM fault
- *
- * This is a callback we get when userspace first tries to
- * write to the page. We schedule a workqueue. That workqueue
- * will eventually mkclean the touched pages and execute the
- * deferred framebuffer IO. Then if userspace touches a page
- * again, we repeat the same scheme.
- *
- * Returns:
- * VM_FAULT_LOCKED on success, or a VM_FAULT error otherwise.
- */
-static vm_fault_t fb_deferred_io_page_mkwrite(struct fb_info *info, struct vm_fault *vmf)
+static vm_fault_t fb_deferred_io_page_mkwrite(struct fb_deferred_io_state *fbdefio_state,
+					      struct vm_fault *vmf)
 {
 	unsigned long offset = vmf->pgoff << PAGE_SHIFT;
 	struct page *page = vmf->page;
 
 	file_update_time(vmf->vma->vm_file);
 
-	return fb_deferred_io_track_page(info, offset, page);
+	return fb_deferred_io_track_page(fbdefio_state, offset, page);
 }
 
-/* vm_ops->page_mkwrite handler */
 static vm_fault_t fb_deferred_io_mkwrite(struct vm_fault *vmf)
 {
-	struct fb_info *info = vmf->vma->vm_private_data;
+	struct fb_deferred_io_state *fbdefio_state = vmf->vma->vm_private_data;
 
-	return fb_deferred_io_page_mkwrite(info, vmf);
+	return fb_deferred_io_page_mkwrite(fbdefio_state, vmf);
 }
 
 static const struct vm_operations_struct fb_deferred_io_vm_ops = {
+	.open		= fb_deferred_io_vm_open,
+	.close		= fb_deferred_io_vm_close,
 	.fault		= fb_deferred_io_fault,
 	.page_mkwrite	= fb_deferred_io_mkwrite,
 };
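Review bot: in fb_deferred_io_track_page() the `info` and `fbdefio` pointers that were validated under fbdefio_state->lock are still dereferenced after the unlock, in `schedule_delayed_work(&info->deferred_work, fbdefio->delay);`, so the NULL check of fbdefio_state->info only protects the list manipulation, not this call; fb_deferred_io_cleanup() can clear fbdefio_state->info and the driver can then free fb_info in that window unless something else serialises the two. Consider moving the schedule_delayed_work() call (or at least the read of fbdefio->delay and the work pointer) before mutex_unlock(), or add a comment stating what prevents the race. Separately, the comment block for fb_deferred_io_page_mkwrite() is removed without replacement; the VM_FAULT_LOCKED return convention it documented still applies and is worth keeping above the new signature.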
@@ -227,7 +314,10 @@ int fb_deferred_io_mmap(struct fb_info *
 	vm_flags_set(vma, VM_DONTEXPAND | VM_DONTDUMP);
 	if (!(info->flags & FBINFO_VIRTFB))
 		vm_flags_set(vma, VM_IO);
-	vma->vm_private_data = info;
+	vma->vm_private_data = info->fbdefio_state;
+
+	fb_deferred_io_state_get(info->fbdefio_state); /* released in vma->vm_ops->close() */
+
 	return 0;
 }
 EXPORT_SYMBOL_GPL(fb_deferred_io_mmap);
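Review bot: fb_deferred_io_mmap() dereferences info->fbdefio_state unconditionally, but fb_deferred_io_cleanup() sets that field to NULL and fb_deferred_io_init() only stores it as its last step; if an mmap() can reach this function in either window the fb_deferred_io_state_get() call faults on a NULL pointer. If the fbdev core's fb_info locking and registration check already rule that out, a one-line comment here saying so would help the next reader; otherwise return -ENODEV when info->fbdefio_state is NULL.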
@@ -238,9 +328,10 @@ static void fb_deferred_io_work(struct w
 	struct fb_info *info = container_of(work, struct fb_info, deferred_work.work);
 	struct fb_deferred_io_pageref *pageref, *next;
 	struct fb_deferred_io *fbdefio = info->fbdefio;
+	struct fb_deferred_io_state *fbdefio_state = info->fbdefio_state;
 
 	/* here we mkclean the pages, then do all deferred IO */
-	mutex_lock(&fbdefio->lock);
+	mutex_lock(&fbdefio_state->lock);
 	list_for_each_entry(pageref, &fbdefio->pagereflist, list) {
 		struct page *cur = pageref->page;
 		lock_page(cur);
@@ -255,12 +346,13 @@ static void fb_deferred_io_work(struct w
 	list_for_each_entry_safe(pageref, next, &fbdefio->pagereflist, list)
 		fb_deferred_io_pageref_put(pageref, info);
 
-	mutex_unlock(&fbdefio->lock);
+	mutex_unlock(&fbdefio_state->lock);
 }
 
 int fb_deferred_io_init(struct fb_info *info)
 {
 	struct fb_deferred_io *fbdefio = info->fbdefio;
+	struct fb_deferred_io_state *fbdefio_state;
 	struct fb_deferred_io_pageref *pagerefs;
 	unsigned long npagerefs, i;
 	int ret;
@@ -270,7 +362,11 @@ int fb_deferred_io_init(struct fb_info *
 	if (WARN_ON(!info->fix.smem_len))
 		return -EINVAL;
 
-	mutex_init(&fbdefio->lock);
+	fbdefio_state = fb_deferred_io_state_alloc();
+	if (!fbdefio_state)
+		return -ENOMEM;
+	fbdefio_state->info = info;
+
 	INIT_DELAYED_WORK(&info->deferred_work, fb_deferred_io_work);
 	INIT_LIST_HEAD(&fbdefio->pagereflist);
 	if (fbdefio->delay == 0) /* set a default of 1 s */
@@ -289,10 +385,12 @@ int fb_deferred_io_init(struct fb_info *
 	info->npagerefs = npagerefs;
 	info->pagerefs = pagerefs;
 
+	info->fbdefio_state = fbdefio_state;
+
 	return 0;
 
 err:
-	mutex_destroy(&fbdefio->lock);
+	fb_deferred_io_state_release(fbdefio_state);
 	return ret;
 }
 EXPORT_SYMBOL_GPL(fb_deferred_io_init);
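Review bot: the error path calls fb_deferred_io_state_release(fbdefio_state) directly while fb_deferred_io_cleanup() goes through fb_deferred_io_state_put(). Bypassing the refcount is only correct as long as no reference has been handed out before the `err` label, which holds today because info->fbdefio_state is stored last, but using _put() here too would keep the two teardown paths symmetric and robust against future reordering of the init sequence.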
@@ -333,11 +431,18 @@ EXPORT_SYMBOL_GPL(fb_deferred_io_release
 
 void fb_deferred_io_cleanup(struct fb_info *info)
 {
-	struct fb_deferred_io *fbdefio = info->fbdefio;
+	struct fb_deferred_io_state *fbdefio_state = info->fbdefio_state;
 
 	fb_deferred_io_lastclose(info);
 
+	info->fbdefio_state = NULL;
+
+	mutex_lock(&fbdefio_state->lock);
+	fbdefio_state->info = NULL;
+	mutex_unlock(&fbdefio_state->lock);
+
+	fb_deferred_io_state_put(fbdefio_state);
+
 	kvfree(info->pagerefs);
-	mutex_destroy(&fbdefio->lock);
 }
 EXPORT_SYMBOL_GPL(fb_deferred_io_cleanup);
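Review bot: `info->fbdefio_state = NULL;` is written before the lock is taken, and fb_deferred_io_work() locates the lock through info->fbdefio_state rather than through a vma's vm_private_data, so this ordering is only safe if fb_deferred_io_lastclose() has already cancelled the delayed work synchronously. Likewise `kvfree(info->pagerefs)` runs after the state has been put, while a page_mkwrite that took the lock before `fbdefio_state->info = NULL` may have queued pagerefs that point into that array on fbdefio->pagereflist. A comment stating the ordering guarantee provided by fb_deferred_io_lastclose(), or draining the list under fbdefio_state->lock before the kvfree(), would make this robust.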
--- a/include/linux/fb.h
+++ b/include/linux/fb.h
@@ -214,11 +214,12 @@ struct fb_deferred_io {
 	unsigned long delay;
 	bool sort_pagereflist; /* sort pagelist by offset */
 	int open_count; /* number of opened files; protected by fb_info lock */
-	struct mutex lock; /* mutex that protects the pageref list */
 	struct list_head pagereflist; /* list of pagerefs for touched pages */
 	/* callback */
 	void (*deferred_io)(struct fb_info *info, struct list_head *pagelist);
 };
+
+struct fb_deferred_io_state;
 #endif
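Review bot: with `struct mutex lock` removed from struct fb_deferred_io, the comment on pagereflist should say which lock now protects it (the lock inside the opaque struct fb_deferred_io_state, which drivers cannot take), so driver authors who used to take fbdefio->lock know the list is now off limits to them. Also worth flagging in the stable backport: this changes the layout of a driver-visible header, so any out-of-tree fbdev driver that referenced fbdefio->lock stops building against 6.6.y.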
 
 /*
@@ -476,6 +477,7 @@ struct fb_info {
 	unsigned long npagerefs;
 	struct fb_deferred_io_pageref *pagerefs;
 	struct fb_deferred_io *fbdefio;
+	struct fb_deferred_io_state *fbdefio_state;
 #endif
 
 	const struct fb_ops *fbops;



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 395/474] firmware: google: framebuffer: Do not unregister platform device
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (393 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 394/474] fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 396/474] udf: fix partition descriptor append bookkeeping Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Thomas Zimmermann, Tzung-Bi Shih,
	Julius Werner, Javier Martinez Canillas, Hans de Goede,
	linux-fbdev, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Zimmermann <tzimmermann@suse.de>

[ Upstream commit 5cd28bd28c8ce426b56ce4230dbd17537181d5ad ]

The native driver takes over the framebuffer aperture by removing the
system-framebuffer platform device. Afterwards the pointer in drvdata
is dangling. Remove the entire logic around drvdata and let the kernel's
aperture helpers handle this. The platform device depends on the native
hardware device instead of the coreboot device anyway.

When commit 851b4c14532d ("firmware: coreboot: Add coreboot framebuffer
driver") added the coreboot framebuffer code, the kernel did not support
device-based aperture management. Instead native drivers only removed
the conflicting fbdev device. At that point, unregistering the framebuffer
device most likely worked correctly. It was definitely broken after
commit d9702b2a2171 ("fbdev/simplefb: Do not use struct
fb_info.apertures"). So take this commit for the Fixes tag. Earlier
releases might work depending on the native hardware driver.

Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Fixes: d9702b2a2171 ("fbdev/simplefb: Do not use struct fb_info.apertures")
Acked-by: Tzung-Bi Shih <tzungbi@kernel.org>
Acked-by: Julius Werner <jwerner@chromium.org>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: Javier Martinez Canillas <javierm@redhat.com>
Cc: Hans de Goede <hansg@kernel.org>
Cc: linux-fbdev@vger.kernel.org
Cc: <stable@vger.kernel.org> # v6.3+
Link: https://patch.msgid.link/20260217155836.96267-2-tzimmermann@suse.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/firmware/google/framebuffer-coreboot.c |   10 ----------
 1 file changed, 10 deletions(-)

--- a/drivers/firmware/google/framebuffer-coreboot.c
+++ b/drivers/firmware/google/framebuffer-coreboot.c
@@ -64,22 +64,12 @@ static int framebuffer_probe(struct core
 						 sizeof(pdata));
 	if (IS_ERR(pdev))
 		pr_warn("coreboot: could not register framebuffer\n");
-	else
-		dev_set_drvdata(&dev->dev, pdev);
 
 	return PTR_ERR_OR_ZERO(pdev);
 }
 
-static void framebuffer_remove(struct coreboot_device *dev)
-{
-	struct platform_device *pdev = dev_get_drvdata(&dev->dev);
-
-	platform_device_unregister(pdev);
-}
-
 static struct coreboot_driver framebuffer_driver = {
 	.probe = framebuffer_probe,
-	.remove = framebuffer_remove,
 	.drv = {
 		.name = "framebuffer",
 	},
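Review bot: with .remove dropped, the platform device registered by framebuffer_probe() is never unregistered when the coreboot framebuffer driver itself is unbound or the module is unloaded on a system where no native driver has claimed the aperture; the commit message only covers the takeover case that the aperture helpers handle. If leaving the firmware framebuffer device registered in that case is intentional, a short comment in framebuffer_probe() saying the pdev is deliberately left to the aperture helpers would make that explicit; otherwise the module should be made non-removable rather than silently leaking the device.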




* [PATCH 6.6 396/474] udf: fix partition descriptor append bookkeeping
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (394 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 395/474] firmware: google: framebuffer: Do not unregister platform device Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 397/474] mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Seohyeon Maeng, Jan Kara,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Seohyeon Maeng <bioloidgp@gmail.com>

[ Upstream commit 08841b06fa64d8edbd1a21ca6e613420c90cc4b8 ]

Mounting a crafted UDF image with repeated partition descriptors can
trigger a heap out-of-bounds write in part_descs_loc[].

handle_partition_descriptor() deduplicates entries by partition number,
but appended slots never record partnum. As a result duplicate
Partition Descriptors are appended repeatedly and num_part_descs keeps
growing.

Once the table is full, the growth path still sizes the allocation from
partnum even though inserts are indexed by num_part_descs. If partnum is
already aligned to PART_DESC_ALLOC_STEP, ALIGN(partnum, step) can keep
the old capacity and the next append writes past the end of the table.

Store partnum in the appended slot and size growth from the next append
count so deduplication and capacity tracking follow the same model.

Fixes: ee4af50ca94f ("udf: Fix mounting of Win7 created UDF filesystems")
Cc: stable@vger.kernel.org
Signed-off-by: Seohyeon Maeng <bioloidgp@gmail.com>
Link: https://patch.msgid.link/20260310081652.21220-1-bioloidgp@gmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
[ replaced kzalloc_objs() helper with equivalent kcalloc() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/udf/super.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/udf/super.c
+++ b/fs/udf/super.c
@@ -1656,8 +1656,9 @@ static struct udf_vds_record *handle_par
 			return &(data->part_descs_loc[i].rec);
 	if (data->num_part_descs >= data->size_part_descs) {
 		struct part_desc_seq_scan_data *new_loc;
-		unsigned int new_size = ALIGN(partnum, PART_DESC_ALLOC_STEP);
+		unsigned int new_size;
 
+		new_size = data->num_part_descs + PART_DESC_ALLOC_STEP;
 		new_loc = kcalloc(new_size, sizeof(*new_loc), GFP_KERNEL);
 		if (!new_loc)
 			return ERR_PTR(-ENOMEM);
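Review bot: `new_size = data->num_part_descs + PART_DESC_ALLOC_STEP` is now always strictly larger than the current count, so the store at index num_part_descs in the following hunk fits; previously ALIGN(partnum, PART_DESC_ALLOC_STEP) could equal the existing capacity for an aligned partnum. Growth is now bounded only by the number of distinct partnum values the scan sees, which is fine because partnum comes from a 16-bit on-disk field, but a one-line comment recording that bound (or a defensive cap) would make the reasoning visible to the next reader.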
@@ -1667,6 +1668,7 @@ static struct udf_vds_record *handle_par
 		data->part_descs_loc = new_loc;
 		data->size_part_descs = new_size;
 	}
+	data->part_descs_loc[data->num_part_descs].partnum = partnum;
 	return &(data->part_descs_loc[data->num_part_descs++].rec);
 }
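Review bot: recording partnum in the appended slot is what makes the deduplication loop at the top of the function effective; before this change the field stayed at the zero left by kcalloc(), so only a descriptor for partition 0 could ever match and every other duplicate was appended again. A brief comment here tying the store to that loop would help, since the two lines are separated by the growth block.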
 



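
Added example, not part of the patch or of fs/udf/super.c: a userland C model of the table growth in handle_partition_descriptor(), written to make the two defects in the commit message concrete. It mirrors the shape of the kernel logic with invented names (struct slot, struct table, append(), first_overflowing_append(), entries_after()) and assumes PART_DESC_ALLOC_STEP is 2 and that the initial table holds PART_DESC_ALLOC_STEP slots; the real values may differ. Instead of writing past the table, the model reports the case where the computed new size is not larger than the entry count, which is exactly the state in which the kernel's next store went out of bounds. The descriptor sequences are constructed inline.

```c
/* Model of UDF partition-descriptor table growth (added example, not kernel code).
 * PART_DESC_ALLOC_STEP = 2 and an initial capacity of STEP slots are assumptions;
 * struct slot/table, append(), first_overflowing_append(), entries_after() are invented. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PART_DESC_ALLOC_STEP 2
#define ALIGN(x, a) (((x) + ((a) - 1)) & ~((a) - 1))	/* kernel ALIGN() for power-of-two a */

struct slot {
	unsigned int partnum;	/* zero after calloc(), exactly as after kcalloc() */
	unsigned int rec;	/* stand-in for struct udf_vds_record */
};

struct table {
	struct slot *loc;	/* part_descs_loc */
	unsigned int num;	/* num_part_descs */
	unsigned int size;	/* size_part_descs */
	int fixed;		/* 0: behaviour before the patch, 1: after */
};

static int table_init(struct table *t, int fixed)
{
	t->num = 0;
	t->size = PART_DESC_ALLOC_STEP;
	t->fixed = fixed;
	t->loc = calloc(t->size, sizeof(*t->loc));
	return t->loc ? 0 : -1;
}

/* 0 on success, -1 on allocation failure, -2 when growth would leave the table
 * no larger than its entry count: the kernel's next store then went out of bounds. */
static int append(struct table *t, unsigned int partnum, unsigned int rec)
{
	unsigned int i;

	for (i = 0; i < t->num; i++)
		if (t->loc[i].partnum == partnum) {
			t->loc[i].rec = rec;	/* duplicate: reuse the slot */
			return 0;
		}
	if (t->num >= t->size) {
		unsigned int new_size = t->fixed ? t->num + PART_DESC_ALLOC_STEP
						 : ALIGN(partnum, PART_DESC_ALLOC_STEP);
		struct slot *n;

		if (new_size <= t->num)
			return -2;
		n = calloc(new_size, sizeof(*n));
		if (!n)
			return -1;
		memcpy(n, t->loc, t->num * sizeof(*n));
		free(t->loc);
		t->loc = n;
		t->size = new_size;
	}
	if (t->fixed)
		t->loc[t->num].partnum = partnum;	/* the bookkeeping the patch adds */
	t->loc[t->num].rec = rec;
	t->num++;
	return 0;
}

/* Feed `count` descriptors all carrying `partnum`; return the 1-based index of the
 * first append that would overflow, or 0 if none does. */
static int first_overflowing_append(int fixed, unsigned int partnum, int count)
{
	struct table t;
	int i, bad = 0;

	if (table_init(&t, fixed))
		return -1;
	for (i = 1; i <= count && !bad; i++)
		if (append(&t, partnum, (unsigned int)i) == -2)
			bad = i;
	free(t.loc);
	return bad;
}

/* Entry count after feeding the given partnums, or the first append error. */
static int entries_after(int fixed, const unsigned int *partnums, int count)
{
	struct table t;
	int i, rc = 0;

	if (table_init(&t, fixed))
		return -1;
	for (i = 0; i < count && rc == 0; i++)
		rc = append(&t, partnums[i], (unsigned int)i + 1);
	rc = rc ? rc : (int)t.num;
	free(t.loc);
	return rc;
}

/* Constructed inputs: five copies of partition 7, and five distinct partitions. */
static const unsigned int dup_partnums[5] = { 7, 7, 7, 7, 7 };
static const unsigned int distinct_partnums[5] = { 0, 1, 2, 3, 4 };

int main(void)
{
	printf("before fix: 5 copies of partnum 7 occupy %d slots; partnum 2 x5 overflows at append #%d, partnum 3 x5 at #%d\n",
	       entries_after(0, dup_partnums, 5),
	       first_overflowing_append(0, 2, 5), first_overflowing_append(0, 3, 5));
	printf("after fix: 5 duplicates -> %d entry, 5 distinct -> %d entries, overflow index %d\n",
	       entries_after(1, dup_partnums, 5), entries_after(1, distinct_partnums, 5),
	       first_overflowing_append(1, 2, 5));
	return 0;
}
```

The pre-fix run shows both halves of the bug: duplicates are never recognised because the stored partnum stays zero, and once the table is full an aligned partnum makes ALIGN() return the existing capacity, so the third copy of partition 2 would have been written past the end. Sizing growth from the entry count removes the second failure even for inputs that defeat deduplication.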

* [PATCH 6.6 397/474] mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (395 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 396/474] udf: fix partition descriptor append bookkeeping Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 398/474] xfs: fix a resource leak in xfs_alloc_buftarg() Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Luke Wang, Ulf Hansson, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Luke Wang <ziniu.wang_1@nxp.com>

[ Upstream commit d6bf2e64dec87322f2b11565ddb59c0e967f96e3 ]

Kingston eMMC IY2964 and IB2932 take a fixed ~2 seconds for each secure
erase/trim operation regardless of size - that is, a single secure
erase/trim operation of 1MB takes the same time as 1GB. With default
calculated 3.5MB max discard size, secure erase 1GB requires ~300 separate
operations taking ~10 minutes total.

Add a card quirk, MMC_QUIRK_FIXED_SECURE_ERASE_TRIM_TIME, to set maximum
secure erase size for those devices. This allows 1GB secure erase to
complete in a single operation, reducing time from 10 minutes to just 2
seconds.

Signed-off-by: Luke Wang <ziniu.wang_1@nxp.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
[ adapted `lim->max_secure_erase_sectors =` assignment to `blk_queue_max_secure_erase_sectors(q, ...)` setter and used pre-rename `mmc_can_secure_erase_trim`/`mmc_can_trim` helpers ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/core/card.h   |    5 +++++
 drivers/mmc/core/queue.c  |    8 ++++++--
 drivers/mmc/core/quirks.h |    9 +++++++++
 include/linux/mmc/card.h  |    1 +
 4 files changed, 21 insertions(+), 2 deletions(-)

--- a/drivers/mmc/core/card.h
+++ b/drivers/mmc/core/card.h
@@ -297,4 +297,9 @@ static inline int mmc_card_no_uhs_ddr50_
 	return c->quirks & MMC_QUIRK_NO_UHS_DDR50_TUNING;
 }
 
+static inline int mmc_card_fixed_secure_erase_trim_time(const struct mmc_card *c)
+{
+	return c->quirks & MMC_QUIRK_FIXED_SECURE_ERASE_TRIM_TIME;
+}
+
 #endif
--- a/drivers/mmc/core/queue.c
+++ b/drivers/mmc/core/queue.c
@@ -188,8 +188,12 @@ static void mmc_queue_setup_discard(stru
 	/* granularity must not be greater than max. discard */
 	if (card->pref_erase > max_discard)
 		q->limits.discard_granularity = SECTOR_SIZE;
-	if (mmc_can_secure_erase_trim(card))
-		blk_queue_max_secure_erase_sectors(q, max_discard);
+	if (mmc_can_secure_erase_trim(card)) {
+		if (mmc_card_fixed_secure_erase_trim_time(card))
+			blk_queue_max_secure_erase_sectors(q, UINT_MAX >> card->erase_shift);
+		else
+			blk_queue_max_secure_erase_sectors(q, max_discard);
+	}
 	if (mmc_can_trim(card) && card->erased_byte == 0)
 		blk_queue_max_write_zeroes_sectors(q, max_discard);
 }
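Review bot: `UINT_MAX >> card->erase_shift` replaces max_discard, which the core derives from the host's busy-timeout limits precisely so that a single erase command cannot exceed what the controller can wait for; for these parts the fixed ~2 s per command described in the commit message is what makes that safe, so the quirk branch deserves a comment saying so. It is also worth confirming that the erase timeout computed for the actual command does not scale with the now very large sector count and overflow or exceed the host's maximum.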
--- a/drivers/mmc/core/quirks.h
+++ b/drivers/mmc/core/quirks.h
@@ -153,6 +153,15 @@ static const struct mmc_fixup __maybe_un
 	MMC_FIXUP("M62704", CID_MANFID_KINGSTON, 0x0100, add_quirk_mmc,
 		  MMC_QUIRK_TRIM_BROKEN),
 
+	/*
+	 * On Some Kingston eMMCs, secure erase/trim time is independent
+	 * of erase size, fixed at approximately 2 seconds.
+	 */
+	MMC_FIXUP("IY2964", CID_MANFID_KINGSTON, 0x0100, add_quirk_mmc,
+		  MMC_QUIRK_FIXED_SECURE_ERASE_TRIM_TIME),
+	MMC_FIXUP("IB2932", CID_MANFID_KINGSTON, 0x0100, add_quirk_mmc,
+		  MMC_QUIRK_FIXED_SECURE_ERASE_TRIM_TIME),
+
 	END_FIXUP
 };
 
--- a/include/linux/mmc/card.h
+++ b/include/linux/mmc/card.h
@@ -298,6 +298,7 @@ struct mmc_card {
 #define MMC_QUIRK_BROKEN_CACHE_FLUSH	(1<<16)	/* Don't flush cache until the write has occurred */
 #define MMC_QUIRK_BROKEN_SD_POWEROFF_NOTIFY	(1<<17) /* Disable broken SD poweroff notify support */
 #define MMC_QUIRK_NO_UHS_DDR50_TUNING	(1<<18) /* Disable DDR50 tuning */
+#define MMC_QUIRK_FIXED_SECURE_ERASE_TRIM_TIME	(1<<20) /* Secure erase/trim time is fixed regardless of size */
 
 	bool			written_flag;	/* Indicates eMMC has been written since power on */
 	bool			reenable_cmdq;	/* Re-enable Command Queue */
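Review bot: the new quirk is defined as (1<<20) directly after (1<<18), skipping bit 19, presumably to keep the mainline value where bit 19 is taken by a quirk not present in 6.6. Keeping values aligned across trees is the right call for a backport, but please confirm no other quirk in 6.6 already uses bit 20 and add a short comment that bit 19 is intentionally left free, so nobody reuses it later and creates a conflict with future backports.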




* [PATCH 6.6 398/474] xfs: fix a resource leak in xfs_alloc_buftarg()
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (396 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 397/474] mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 399/474] hfsplus: fix uninit-value by validating catalog record size Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Haoxiang Li, Darrick J. Wong,
	Carlos Maiolino, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>

[ Upstream commit 29a7b2614357393b176ef06ba5bc3ff5afc8df69 ]

In the error path, call fs_put_dax() to drop the DAX
device reference.

Fixes: 6f643c57d57c ("xfs: implement ->notify_failure() for XFS")
Cc: stable@vger.kernel.org
Signed-off-by: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
[ kept `kmem_free(btp)` and `return NULL` instead of `kfree(btp)`/`ERR_PTR(error)` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/xfs/xfs_buf.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/xfs/xfs_buf.c
+++ b/fs/xfs/xfs_buf.c
@@ -2045,6 +2045,7 @@ error_pcpu:
 error_lru:
 	list_lru_destroy(&btp->bt_lru);
 error_free:
+	fs_put_dax(btp->bt_daxdev, mp);
 	kmem_free(btp);
 	return NULL;
 }
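Review bot: this makes fs_put_dax() unconditional on the shared error_free path, which is correct only if every `goto error_free` in the 6.6 version of xfs_alloc_buftarg() occurs after btp->bt_daxdev has been assigned (in mainline fs_dax_get_by_bdev() runs right after the allocation, so it does); worth a quick check in the backport. Even if an earlier failure path existed, fs_put_dax() and put_dax() accept a NULL device, so the worst case is a harmless no-op rather than a crash.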




* [PATCH 6.6 399/474] hfsplus: fix uninit-value by validating catalog record size
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (397 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 398/474] xfs: fix a resource leak in xfs_alloc_buftarg() Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 400/474] hfsplus: fix held lock freed on hfsplus_fill_super() Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+d80abb5b890d39261e72,
	Viacheslav Dubeyko, Charalampos Mitrodimas, Deepanshu Kartikey,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Deepanshu Kartikey <kartikey406@gmail.com>

[ Upstream commit b6b592275aeff184aa82fcf6abccd833fb71b393 ]

Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The
root cause is that hfs_brec_read() doesn't validate that the on-disk
record size matches the expected size for the record type being read.

When mounting a corrupted filesystem, hfs_brec_read() may read less data
than expected. For example, when reading a catalog thread record, the
debug output showed:

  HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26
  HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ!

hfs_brec_read() only validates that entrylength is not greater than the
buffer size, but doesn't check if it's less than expected. It successfully
reads 26 bytes into a 520-byte structure and returns success, leaving 494
bytes uninitialized.

This uninitialized data in tmp.thread.nodeName then gets copied by
hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering
the KMSAN warning when the uninitialized bytes are used as array indices
in case_fold().

Fix by introducing hfsplus_brec_read_cat() wrapper that:
1. Calls hfs_brec_read() to read the data
2. Validates the record size based on the type field:
   - Fixed size for folder and file records
   - Variable size for thread records (depends on string length)
3. Returns -EIO if size doesn't match expected

For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading
nodeName.length to avoid reading uninitialized data at call sites that
don't zero-initialize the entry structure.

Also initialize the tmp variable in hfsplus_find_cat() as defensive
programming to ensure no uninitialized data even if validation is
bypassed.

Reported-by: syzbot+d80abb5b890d39261e72@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d80abb5b890d39261e72
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Tested-by: syzbot+d80abb5b890d39261e72@syzkaller.appspotmail.com
Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
Tested-by: Viacheslav Dubeyko <slava@dubeyko.com>
Suggested-by: Charalampos Mitrodimas <charmitro@posteo.net>
Link: https://lore.kernel.org/all/20260120051114.1281285-1-kartikey406@gmail.com/ [v1]
Link: https://lore.kernel.org/all/20260121063109.1830263-1-kartikey406@gmail.com/ [v2]
Link: https://lore.kernel.org/all/20260212014233.2422046-1-kartikey406@gmail.com/ [v3]
Link: https://lore.kernel.org/all/20260214002100.436125-1-kartikey406@gmail.com/T/ [v4]
Link: https://lore.kernel.org/all/20260221061626.15853-1-kartikey406@gmail.com/T/ [v5]
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Link: https://lore.kernel.org/r/20260307010302.41547-1-kartikey406@gmail.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Stable-dep-of: 90c500e4fd83 ("hfsplus: fix held lock freed on hfsplus_fill_super()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/hfsplus/bfind.c      |   51 ++++++++++++++++++++++++++++++++++++++++++++++++
 fs/hfsplus/catalog.c    |    4 +--
 fs/hfsplus/dir.c        |    2 -
 fs/hfsplus/hfsplus_fs.h |    9 ++++++++
 fs/hfsplus/super.c      |    2 -
 5 files changed, 64 insertions(+), 4 deletions(-)

--- a/fs/hfsplus/bfind.c
+++ b/fs/hfsplus/bfind.c
@@ -287,3 +287,54 @@ out:
 	fd->bnode = bnode;
 	return res;
 }
+
+/**
+ * hfsplus_brec_read_cat - read and validate a catalog record
+ * @fd: find data structure
+ * @entry: pointer to catalog entry to read into
+ *
+ * Reads a catalog record and validates its size matches the expected
+ * size based on the record type.
+ *
+ * Returns 0 on success, or negative error code on failure.
+ */
+int hfsplus_brec_read_cat(struct hfs_find_data *fd, hfsplus_cat_entry *entry)
+{
+	int res;
+	u32 expected_size;
+
+	res = hfs_brec_read(fd, entry, sizeof(hfsplus_cat_entry));
+	if (res)
+		return res;
+
+	/* Validate catalog record size based on type */
+	switch (be16_to_cpu(entry->type)) {
+	case HFSPLUS_FOLDER:
+		expected_size = sizeof(struct hfsplus_cat_folder);
+		break;
+	case HFSPLUS_FILE:
+		expected_size = sizeof(struct hfsplus_cat_file);
+		break;
+	case HFSPLUS_FOLDER_THREAD:
+	case HFSPLUS_FILE_THREAD:
+		/* Ensure we have at least the fixed fields before reading nodeName.length */
+		if (fd->entrylength < HFSPLUS_MIN_THREAD_SZ) {
+			pr_err("thread record too short (got %u)\n", fd->entrylength);
+			return -EIO;
+		}
+		expected_size = hfsplus_cat_thread_size(&entry->thread);
+		break;
+	default:
+		pr_err("unknown catalog record type %d\n",
+		       be16_to_cpu(entry->type));
+		return -EIO;
+	}
+
+	if (fd->entrylength != expected_size) {
+		pr_err("catalog record size mismatch (type %d, got %u, expected %u)\n",
+		       be16_to_cpu(entry->type), fd->entrylength, expected_size);
+		return -EIO;
+	}
+
+	return 0;
+}
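Review bot: the strict `fd->entrylength != expected_size` test is the right shape for the fixed-size folder and file records, but for thread records it also rejects images whose on-disk record is longer than the computed minimum (for example padded by another implementation), which the old code accepted; if the goal is only to stop short reads leaving the entry partially uninitialised, a `<` comparison against the expected size would be more lenient while still fixing the report. Also, these pr_err() calls are reachable on every lookup against a crafted image, so pr_err_ratelimited() is preferable to avoid letting an unprivileged mount flood the log.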
--- a/fs/hfsplus/catalog.c
+++ b/fs/hfsplus/catalog.c
@@ -194,12 +194,12 @@ static int hfsplus_fill_cat_thread(struc
 int hfsplus_find_cat(struct super_block *sb, u32 cnid,
 		     struct hfs_find_data *fd)
 {
-	hfsplus_cat_entry tmp;
+	hfsplus_cat_entry tmp = {0};
 	int err;
 	u16 type;
 
 	hfsplus_cat_build_key_with_cnid(sb, fd->search_key, cnid);
-	err = hfs_brec_read(fd, &tmp, sizeof(hfsplus_cat_entry));
+	err = hfsplus_brec_read_cat(fd, &tmp);
 	if (err)
 		return err;
 
--- a/fs/hfsplus/dir.c
+++ b/fs/hfsplus/dir.c
@@ -49,7 +49,7 @@ static struct dentry *hfsplus_lookup(str
 	if (unlikely(err < 0))
 		goto fail;
 again:
-	err = hfs_brec_read(&fd, &entry, sizeof(entry));
+	err = hfsplus_brec_read_cat(&fd, &entry);
 	if (err) {
 		if (err == -ENOENT) {
 			hfs_find_exit(&fd);
--- a/fs/hfsplus/hfsplus_fs.h
+++ b/fs/hfsplus/hfsplus_fs.h
@@ -535,6 +535,15 @@ int hfsplus_submit_bio(struct super_bloc
 		       void **data, blk_opf_t opf);
 int hfsplus_read_wrapper(struct super_block *sb);
 
+static inline u32 hfsplus_cat_thread_size(const struct hfsplus_cat_thread *thread)
+{
+	return offsetof(struct hfsplus_cat_thread, nodeName) +
+	       offsetof(struct hfsplus_unistr, unicode) +
+	       be16_to_cpu(thread->nodeName.length) * sizeof(hfsplus_unichr);
+}
+
+int hfsplus_brec_read_cat(struct hfs_find_data *fd, hfsplus_cat_entry *entry);
+
 /*
  * time helpers: convert between 1904-base and 1970-base timestamps
  *
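Review bot: hfsplus_cat_thread_size() trusts thread->nodeName.length without comparing it to HFSPLUS_MAX_STRLEN; the only caller today compares the result against fd->entrylength, which hfs_brec_read() has already bounded by the entry size, so an oversized length merely fails the equality check, but a future caller that uses the returned size to copy the name would not be protected. Having the helper reject lengths above HFSPLUS_MAX_STRLEN (or documenting that callers must) would make it safe on its own.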
--- a/fs/hfsplus/super.c
+++ b/fs/hfsplus/super.c
@@ -541,7 +541,7 @@ static int hfsplus_fill_super(struct sup
 	err = hfsplus_cat_build_key(sb, fd.search_key, HFSPLUS_ROOT_CNID, &str);
 	if (unlikely(err < 0))
 		goto out_put_root;
-	if (!hfs_brec_read(&fd, &entry, sizeof(entry))) {
+	if (!hfsplus_brec_read_cat(&fd, &entry)) {
 		hfs_find_exit(&fd);
 		if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) {
 			err = -EIO;
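Review bot: the return value of hfsplus_brec_read_cat() is only tested for zero here, so a -EIO from the new size validation of the hidden-directory record takes the same path as any other non-zero return, including -ENOENT for a simply absent record. If a malformed record should fail the mount rather than be treated as "no hidden directory", the error code needs to be inspected in the non-zero branch; if ignoring it is intended, a comment to that effect would prevent the next reader from seeing it as an oversight.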




* [PATCH 6.6 400/474] hfsplus: fix held lock freed on hfsplus_fill_super()
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (398 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 399/474] hfsplus: fix uninit-value by validating catalog record size Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 401/474] wifi: rtl8xxxu: fix potential use of uninitialized value Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zilin Guan, Viacheslav Dubeyko,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zilin Guan <zilin@seu.edu.cn>

[ Upstream commit 90c500e4fd83fa33c09bc7ee23b6d9cc487ac733 ]

hfsplus_fill_super() calls hfs_find_init() to initialize a search
structure, which acquires tree->tree_lock. If the subsequent call to
hfsplus_cat_build_key() fails, the function jumps to the out_put_root
error label without releasing the lock. The later cleanup path then
frees the tree data structure with the lock still held, triggering a
held lock freed warning.

Fix this by adding the missing hfs_find_exit(&fd) call before jumping
to the out_put_root error label. This ensures that tree->tree_lock is
properly released on the error path.

The bug was originally detected on v6.13-rc1 using an experimental
static analysis tool we are developing, and we have verified that the
issue persists in the latest mainline kernel. The tool is specifically
designed to detect memory management issues. It is currently under active
development and not yet publicly available.

We confirmed the bug by runtime testing under QEMU with x86_64 defconfig,
lockdep enabled, and CONFIG_HFSPLUS_FS=y. To trigger the error path, we
used GDB to dynamically shrink the max_unistr_len parameter to 1 before
hfsplus_asc2uni() is called. This forces hfsplus_asc2uni() to naturally
return -ENAMETOOLONG, which propagates to hfsplus_cat_build_key() and
exercises the faulty error path. The following warning was observed
during mount:

	=========================
	WARNING: held lock freed!
	7.0.0-rc3-00016-gb4f0dd314b39 #4 Not tainted
	-------------------------
	mount/174 is freeing memory ffff888103f92000-ffff888103f92fff, with a lock still held there!
	ffff888103f920b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0
	2 locks held by mount/174:
	#0: ffff888103f960e0 (&type->s_umount_key#42/1){+.+.}-{4:4}, at: alloc_super.constprop.0+0x167/0xa40
	#1: ffff888103f920b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0

	stack backtrace:
	CPU: 2 UID: 0 PID: 174 Comm: mount Not tainted 7.0.0-rc3-00016-gb4f0dd314b39 #4 PREEMPT(lazy)
	Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
	Call Trace:
	<TASK>
	dump_stack_lvl+0x82/0xd0
	debug_check_no_locks_freed+0x13a/0x180
	kfree+0x16b/0x510
	? hfsplus_fill_super+0xcb4/0x18a0
	hfsplus_fill_super+0xcb4/0x18a0
	? __pfx_hfsplus_fill_super+0x10/0x10
	? srso_return_thunk+0x5/0x5f
	? bdev_open+0x65f/0xc30
	? srso_return_thunk+0x5/0x5f
	? pointer+0x4ce/0xbf0
	? trace_contention_end+0x11c/0x150
	? __pfx_pointer+0x10/0x10
	? srso_return_thunk+0x5/0x5f
	? bdev_open+0x79b/0xc30
	? srso_return_thunk+0x5/0x5f
	? srso_return_thunk+0x5/0x5f
	? vsnprintf+0x6da/0x1270
	? srso_return_thunk+0x5/0x5f
	? __mutex_unlock_slowpath+0x157/0x740
	? __pfx_vsnprintf+0x10/0x10
	? srso_return_thunk+0x5/0x5f
	? srso_return_thunk+0x5/0x5f
	? mark_held_locks+0x49/0x80
	? srso_return_thunk+0x5/0x5f
	? srso_return_thunk+0x5/0x5f
	? irqentry_exit+0x17b/0x5e0
	? trace_irq_disable.constprop.0+0x116/0x150
	? __pfx_hfsplus_fill_super+0x10/0x10
	? __pfx_hfsplus_fill_super+0x10/0x10
	get_tree_bdev_flags+0x302/0x580
	? __pfx_get_tree_bdev_flags+0x10/0x10
	? vfs_parse_fs_qstr+0x129/0x1a0
	? __pfx_vfs_parse_fs_qstr+0x3/0x10
	vfs_get_tree+0x89/0x320
	fc_mount+0x10/0x1d0
	path_mount+0x5c5/0x21c0
	? __pfx_path_mount+0x10/0x10
	? trace_irq_enable.constprop.0+0x116/0x150
	? trace_irq_enable.constprop.0+0x116/0x150
	? srso_return_thunk+0x5/0x5f
	? srso_return_thunk+0x5/0x5f
	? kmem_cache_free+0x307/0x540
	? user_path_at+0x51/0x60
	? __x64_sys_mount+0x212/0x280
	? srso_return_thunk+0x5/0x5f
	__x64_sys_mount+0x212/0x280
	? __pfx___x64_sys_mount+0x10/0x10
	? srso_return_thunk+0x5/0x5f
	? trace_irq_enable.constprop.0+0x116/0x150
	? srso_return_thunk+0x5/0x5f
	do_syscall_64+0x111/0x680
	entry_SYSCALL_64_after_hwframe+0x77/0x7f
	RIP: 0033:0x7ffacad55eae
	Code: 48 8b 0d 85 1f 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 8
	RSP: 002b:00007fff1ab55718 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
	RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffacad55eae
	RDX: 000055740c64e5b0 RSI: 000055740c64e630 RDI: 000055740c651ab0
	RBP: 000055740c64e380 R08: 0000000000000000 R09: 0000000000000001
	R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
	R13: 000055740c64e5b0 R14: 000055740c651ab0 R15: 000055740c64e380
	</TASK>

After applying this patch, the warning no longer appears.

Fixes: 89ac9b4d3d1a ("hfsplus: fix longname handling")
CC: stable@vger.kernel.org
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
Tested-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/hfsplus/super.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/hfsplus/super.c
+++ b/fs/hfsplus/super.c
@@ -539,8 +539,10 @@ static int hfsplus_fill_super(struct sup
 	if (err)
 		goto out_put_root;
 	err = hfsplus_cat_build_key(sb, fd.search_key, HFSPLUS_ROOT_CNID, &str);
-	if (unlikely(err < 0))
+	if (unlikely(err < 0)) {
+		hfs_find_exit(&fd);
 		goto out_put_root;
+	}
 	if (!hfsplus_brec_read_cat(&fd, &entry)) {
 		hfs_find_exit(&fd);
 		if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) {
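Review bot: the added hfs_find_exit() is the minimal correct fix, but hfs_find_exit() is now called in two adjacent places and the earlier `goto out_put_root` two lines up relies on hfs_find_init() having released nothing on failure; a dedicated label (for example out_find_exit before out_put_root) for every exit taken between hfs_find_init() and hfs_find_exit() would make the lock release hold by construction and avoid repeating this class of bug the next time a check is added here.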




* [PATCH 6.6 401/474] wifi: rtl8xxxu: fix potential use of uninitialized value
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (399 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 400/474] hfsplus: fix held lock freed on hfsplus_fill_super() Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ping-Ke Shih, Yi Cong, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yi Cong <yicong@kylinos.cn>

[ Upstream commit f8a2fc809bfeb49130709b31a4d357a049f28547 ]

The local variables 'mcs' and 'nss' in rtl8xxxu_update_ra_report() are
passed to rtl8xxxu_desc_to_mcsrate() as output parameters. If the helper
function encounters an unhandled rate index, it may return without setting
these values, leading to the use of uninitialized stack data.

Remove the helper rtl8xxxu_desc_to_mcsrate() and inline the logic into
rtl8xxxu_update_ra_report(). This fixes the use of uninitialized 'mcs'
and 'nss' variables for legacy rates.

The new implementation explicitly handles:
- Legacy rates: Set bitrate only.
- HT rates (MCS0-15): Set MCS flags, index, and NSS (1 or 2) directly.
- Invalid rates: Return early.

Fixes: 7de16123d9e2 ("wifi: rtl8xxxu: Introduce rtl8xxxu_update_ra_report")
Cc: stable@vger.kernel.org
Suggested-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Yi Cong <yicong@kylinos.cn>
Link: https://lore.kernel.org/all/96e31963da0c42dcb52ce44f818963d7@realtek.com/
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260306071627.56501-1-cong.yi@linux.dev
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c |   28 +++++-------------
 1 file changed, 8 insertions(+), 20 deletions(-)

--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
@@ -4809,20 +4809,6 @@ static const struct ieee80211_rate rtl8x
 	{.bitrate = 540, .hw_value = 0x0b,},
 };
 
-static void rtl8xxxu_desc_to_mcsrate(u16 rate, u8 *mcs, u8 *nss)
-{
-	if (rate <= DESC_RATE_54M)
-		return;
-
-	if (rate >= DESC_RATE_MCS0 && rate <= DESC_RATE_MCS15) {
-		if (rate < DESC_RATE_MCS8)
-			*nss = 1;
-		else
-			*nss = 2;
-		*mcs = rate - DESC_RATE_MCS0;
-	}
-}
-
 static void rtl8xxxu_set_basic_rates(struct rtl8xxxu_priv *priv, u32 rate_cfg)
 {
 	struct ieee80211_hw *hw = priv->hw;
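Review bot: the removed helper returned without writing *mcs or *nss both for `rate <= DESC_RATE_54M` and for anything above DESC_RATE_MCS15, which is what left the caller's stack variables unset; if any other call site of rtl8xxxu_desc_to_mcsrate() remains in the driver it needs the same explicit range handling, so the deletion should be paired with a build of the full rtl8xxxu configuration to confirm there are none.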
@@ -4927,23 +4913,25 @@ static void rtl8xxxu_set_aifs(struct rtl
 void rtl8xxxu_update_ra_report(struct rtl8xxxu_ra_report *rarpt,
 			       u8 rate, u8 sgi, u8 bw)
 {
-	u8 mcs, nss;
-
 	rarpt->txrate.flags = 0;
 
 	if (rate <= DESC_RATE_54M) {
 		rarpt->txrate.legacy = rtl8xxxu_legacy_ratetable[rate].bitrate;
-	} else {
-		rtl8xxxu_desc_to_mcsrate(rate, &mcs, &nss);
+	} else if (rate >= DESC_RATE_MCS0 && rate <= DESC_RATE_MCS15) {
 		rarpt->txrate.flags |= RATE_INFO_FLAGS_MCS;
+		if (rate < DESC_RATE_MCS8)
+			rarpt->txrate.nss = 1;
+		else
+			rarpt->txrate.nss = 2;
 
-		rarpt->txrate.mcs = mcs;
-		rarpt->txrate.nss = nss;
+		rarpt->txrate.mcs = rate - DESC_RATE_MCS0;
 
 		if (sgi)
 			rarpt->txrate.flags |= RATE_INFO_FLAGS_SHORT_GI;
 
 		rarpt->txrate.bw = bw;
+	} else {
+		return;
 	}
 
 	rarpt->bit_rate = cfg80211_calculate_bitrate(&rarpt->txrate);
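Review bot: the new `else { return; }` for out-of-range rates leaves rarpt half-updated: `rarpt->txrate.flags = 0` has already run, but legacy/mcs/nss/bw and bit_rate keep whatever the previous report set, so a reader of rarpt could see flags that no longer describe the other fields. Moving the range check ahead of the flags reset, or clearing txrate as a whole on the invalid path, would keep the report self-consistent. The first branch also relies on rtl8xxxu_legacy_ratetable[] having DESC_RATE_54M + 1 entries for the `rate <= DESC_RATE_54M` index to stay in bounds.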




* [PATCH 6.6 402/474] ksmbd: reset rcount per connection in ksmbd_conn_wait_idle_sess_id()
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, DaeMyung Kang, Namjae Jeon,
	Steve French, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: DaeMyung Kang <charsyam@gmail.com>

[ Upstream commit def036ef87f8641c1c525d5ae17438d7a1006491 ]

rcount is intended to be connection-specific: 2 for curr_conn, 1 for
every other connection sharing the same session.  However, it is
initialised only once before the hash iteration and is never reset.
After the loop visits curr_conn, later sibling connections are also
checked against rcount == 2, so a sibling with req_running == 1 is
incorrectly treated as idle.  This makes the outcome depend on the
hash iteration order: whether a given sibling is checked against the
loose (< 2) or the strict (< 1) threshold is decided by whether it
happens to be visited before or after curr_conn.

The function's contract is "wait until every connection sharing this
session is idle" so that destroy_previous_session() can safely tear
the session down.  The latched rcount violates that contract and
reopens the teardown race window the wait logic was meant to close:
destroy_previous_session() may proceed before sibling channels have
actually quiesced, overlapping session teardown with in-flight work
on those connections.

Recompute rcount inside the loop so each connection is compared
against its own threshold regardless of iteration order.

This is a code-inspection fix for an iteration-order-dependent logic
error; a targeted reproducer would require SMB3 multichannel with
in-flight work on a sibling channel landing after curr_conn in hash
order, which is not something that can be triggered reliably.

Fixes: 76e98a158b20 ("ksmbd: fix race condition between destroy_previous_session() and smb2 operations()")
Cc: stable@vger.kernel.org
Signed-off-by: DaeMyung Kang <charsyam@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/smb/server/connection.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/fs/smb/server/connection.c
+++ b/fs/smb/server/connection.c
@@ -180,7 +180,7 @@ int ksmbd_conn_wait_idle_sess_id(struct
 {
 	struct ksmbd_conn *conn;
 	int rc, retry_count = 0, max_timeout = 120;
-	int rcount = 1, bkt;
+	int rcount, bkt;
 
 retry_idle:
 	if (retry_count >= max_timeout)
@@ -189,8 +189,7 @@ retry_idle:
 	down_read(&conn_list_lock);
 	hash_for_each(conn_list, bkt, conn, hlist) {
 		if (conn->binding || xa_load(&conn->sessions, sess_id)) {
-			if (conn == curr_conn)
-				rcount = 2;
+			rcount = (conn == curr_conn) ? 2 : 1;
 			if (atomic_read(&conn->req_running) >= rcount) {
 				rc = wait_event_timeout(conn->req_running_q,
 					atomic_read(&conn->req_running) < rcount,
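Review bot: with `rcount = (conn == curr_conn) ? 2 : 1;` inside the loop body, the threshold used by both `atomic_read(&conn->req_running) >= rcount` and the wait_event_timeout() condition is the one belonging to the connection being examined, so hash iteration order no longer matters. A one-line comment explaining why curr_conn tolerates 2 (its own in-flight request is the one performing the teardown) would save the next reader from re-deriving it, and the variable could now be narrowed to the loop scope since the function-scope initialiser is gone.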



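A userspace model of the threshold bug described in this patch, added here as an illustration and not part of the patch or of ksmbd: array order stands in for hash_for_each() iteration order, and instead of sleeping, both the original and the fixed loop report which connection would still block the teardown.

```c
/*
 * Constructed model of ksmbd_conn_wait_idle_sess_id()'s rcount handling.
 * Not kernel code: connections are a plain array, and the functions return
 * the index of the first connection that is not idle (-1 if all look idle)
 * rather than waiting on it.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct conn {
	const char *name;
	int req_running;	/* in-flight requests on this connection */
	bool is_curr;		/* the connection running the teardown request */
};

/* Original logic: rcount initialised once and only ever raised to 2. */
int first_busy_latched(const struct conn *c, size_t n)
{
	int rcount = 1;

	for (size_t i = 0; i < n; i++) {
		if (c[i].is_curr)
			rcount = 2;	/* sticks for every sibling visited later */
		if (c[i].req_running >= rcount)
			return (int)i;
	}
	return -1;	/* everything looks idle */
}

/* Fixed logic: the threshold is recomputed for each connection. */
int first_busy_fixed(const struct conn *c, size_t n)
{
	for (size_t i = 0; i < n; i++) {
		int rcount = c[i].is_curr ? 2 : 1;

		if (c[i].req_running >= rcount)
			return (int)i;
	}
	return -1;
}

/*
 * Constructed scenario: curr_conn has one request in flight (the teardown
 * itself), the sibling channel has one unrelated request still running.
 * The same two connections are visited in opposite orders.
 */
const struct conn sibling_first[] = {
	{ "sibling", 1, false },
	{ "curr",    1, true  },
};
const struct conn curr_first[] = {
	{ "curr",    1, true  },
	{ "sibling", 1, false },
};
const size_t nconns = 2;

int main(void)
{
	/* The latched version reports the busy sibling only when it is visited first. */
	printf("latched, sibling first: %d\n", first_busy_latched(sibling_first, nconns));
	printf("latched, curr first:    %d\n", first_busy_latched(curr_first, nconns));
	/* The fixed version finds the busy sibling in either order. */
	printf("fixed,   sibling first: %d\n", first_busy_fixed(sibling_first, nconns));
	printf("fixed,   curr first:    %d\n", first_busy_fixed(curr_first, nconns));
	return 0;
}
```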

* [PATCH 6.6 403/474] crypto: nx - Avoid -Wflex-array-member-not-at-end warning
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Gustavo A. R. Silva, Herbert Xu,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Gustavo A. R. Silva" <gustavoars@kernel.org>

[ Upstream commit 1e6b251ce1759392666856908113dd5d7cea044d ]

-Wflex-array-member-not-at-end is coming in GCC-14, and we are getting
ready to enable it globally. So, we are deprecating flexible-array
members in the middle of another structure.

There is currently an object (`header`) in `struct nx842_crypto_ctx`
that contains a flexible structure (`struct nx842_crypto_header`):

struct nx842_crypto_ctx {
	...
	struct nx842_crypto_header header;
	struct nx842_crypto_header_group group[NX842_CRYPTO_GROUP_MAX];
	...
};

So, in order to avoid ending up with a flexible-array member in the
middle of another struct, we use the `struct_group_tagged()` helper to
separate the flexible array from the rest of the members in the flexible
structure:

struct nx842_crypto_header {
	struct_group_tagged(nx842_crypto_header_hdr, hdr,

		... the rest of the members

	);
	struct nx842_crypto_header_group group[];
} __packed;

With the change described above, we can now declare an object of the
type of the tagged struct, without embedding the flexible array in the
middle of another struct:

struct nx842_crypto_ctx {
	...
	struct nx842_crypto_header_hdr header;
	struct nx842_crypto_header_group group[NX842_CRYPTO_GROUP_MAX];
	...
} __packed;

We also use `container_of()` whenever we need to retrieve a pointer to
the flexible structure, through which we can access the flexible
array if needed.

So, with these changes, fix the following warning:

In file included from drivers/crypto/nx/nx-842.c:55:
drivers/crypto/nx/nx-842.h:174:36: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]
  174 |         struct nx842_crypto_header header;
      |                                    ^~~~~~

Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Stable-dep-of: adb3faf2db1a ("crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/crypto/nx/nx-842.c |    6 ++++--
 drivers/crypto/nx/nx-842.h |   10 ++++++----
 2 files changed, 10 insertions(+), 6 deletions(-)

--- a/drivers/crypto/nx/nx-842.c
+++ b/drivers/crypto/nx/nx-842.c
@@ -251,7 +251,9 @@ int nx842_crypto_compress(struct crypto_
 			  u8 *dst, unsigned int *dlen)
 {
 	struct nx842_crypto_ctx *ctx = crypto_tfm_ctx(tfm);
-	struct nx842_crypto_header *hdr = &ctx->header;
+	struct nx842_crypto_header *hdr =
+				container_of(&ctx->header,
+					     struct nx842_crypto_header, hdr);
 	struct nx842_crypto_param p;
 	struct nx842_constraints c = *ctx->driver->constraints;
 	unsigned int groups, hdrsize, h;
@@ -490,7 +492,7 @@ int nx842_crypto_decompress(struct crypt
 	}
 
 	memcpy(&ctx->header, src, hdr_len);
-	hdr = &ctx->header;
+	hdr = container_of(&ctx->header, struct nx842_crypto_header, hdr);
 
 	for (n = 0; n < hdr->groups; n++) {
 		/* ignore applies to last group */
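Review bot: `memcpy(&ctx->header, src, hdr_len)` now targets a fixed-size struct nx842_crypto_header_hdr instead of a structure ending in a flexible array; if hdr_len covers the group entries as well as the fixed part, the copy intentionally runs on into the adjacent ctx->group[] and a fortified memcpy() may flag the write as exceeding the destination object. Either bound this copy to the header part and copy the group entries into ctx->group separately, or add a comment and a check that hdr_len fits within sizeof(ctx->header) + sizeof(ctx->group) so the spill is explicit.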
--- a/drivers/crypto/nx/nx-842.h
+++ b/drivers/crypto/nx/nx-842.h
@@ -157,9 +157,11 @@ struct nx842_crypto_header_group {
 } __packed;
 
 struct nx842_crypto_header {
-	__be16 magic;		/* NX842_CRYPTO_MAGIC */
-	__be16 ignore;		/* decompressed end bytes to ignore */
-	u8 groups;		/* total groups in this header */
+	struct_group_tagged(nx842_crypto_header_hdr, hdr,
+		__be16 magic;		/* NX842_CRYPTO_MAGIC */
+		__be16 ignore;		/* decompressed end bytes to ignore */
+		u8 groups;		/* total groups in this header */
+	);
 	struct nx842_crypto_header_group group[];
 } __packed;
 
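Review bot: struct_group_tagged() takes no attribute argument, so the anonymous struct and struct nx842_crypto_header_hdr it generates are not themselves __packed even though the enclosing struct is; with `__be16, __be16, u8` members the compiler may pad the group to 6 bytes, which would shift `group[]` by one byte relative to the previous layout. A BUILD_BUG_ON(offsetof(struct nx842_crypto_header, group) != 5) next to this definition would confirm the header layout is unchanged, or the group should be given the packed attribute explicitly.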
@@ -171,7 +173,7 @@ struct nx842_crypto_ctx {
 	u8 *wmem;
 	u8 *sbounce, *dbounce;
 
-	struct nx842_crypto_header header;
+	struct nx842_crypto_header_hdr header;
 	struct nx842_crypto_header_group group[NX842_CRYPTO_GROUP_MAX];
 
 	struct nx842_driver *driver;
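Review bot: the container_of(&ctx->header, struct nx842_crypto_header, hdr) casts in nx-842.c are only sound because `header` and `group[]` here are laid out exactly as `hdr` and `group[]` in struct nx842_crypto_header and both structs are __packed; a static_assert(offsetof(struct nx842_crypto_ctx, group) == offsetof(struct nx842_crypto_header, group)) beside this definition would turn that implicit contract into a compile-time check, and a comment on `header` should state that `group` must stay immediately after it.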



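An added standalone C illustration of the struct_group_tagged() plus container_of() technique used in this patch, not kernel code: the nx842 names are reused for readability, NX842_CRYPTO_GROUP_MAX and the group field types are assumed, and the demo macro takes an explicit packed attribute so the five-byte header layout is fixed, together with the offset checks a reviewer would want next to such a definition.

```c
/*
 * Constructed userspace model of the tagged-group + container_of() layout
 * trick from the nx842 patch. Not kernel code: names mirror nx-842.h for
 * readability, NX842_CRYPTO_GROUP_MAX and the group member types are assumed,
 * and the group macro packs the header part explicitly.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PACKED __attribute__((packed))

/*
 * Same shape as the kernel's __struct_group(): an anonymous struct keeps the
 * members directly addressable, a tagged copy lets the header part be declared
 * on its own. ATTRS is applied to both copies and to the union.
 */
#define STRUCT_GROUP_TAGGED(TAG, NAME, ATTRS, ...)	\
	union {						\
		struct { __VA_ARGS__ } ATTRS;		\
		struct TAG { __VA_ARGS__ } ATTRS NAME;	\
	} ATTRS

/* Userspace stand-in for the kernel's container_of() (no type check). */
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

#define NX842_CRYPTO_GROUP_MAX 16	/* assumed value for the demo */

struct nx842_crypto_header_group {	/* member types assumed for the demo */
	uint16_t padding;
	uint32_t compressed_length;
	uint32_t uncompressed_length;
} PACKED;

/* Flexible structure: fixed header part followed by a trailing group[] array. */
struct nx842_crypto_header {
	STRUCT_GROUP_TAGGED(nx842_crypto_header_hdr, hdr, PACKED,
		uint16_t magic;
		uint16_t ignore;
		uint8_t groups;
	);
	struct nx842_crypto_header_group group[];
} PACKED;

/*
 * The context embeds only the tagged header part; its own fixed-size group
 * array must start exactly where the flexible array would.
 */
struct nx842_crypto_ctx {
	struct nx842_crypto_header_hdr header;
	struct nx842_crypto_header_group group[NX842_CRYPTO_GROUP_MAX];
} PACKED;

/* Compile-time checks that make the layout contract explicit. */
_Static_assert(sizeof(struct nx842_crypto_header_hdr) == 5,
	       "header part must stay 5 bytes");
_Static_assert(offsetof(struct nx842_crypto_header, group) ==
	       offsetof(struct nx842_crypto_ctx, group),
	       "ctx->group[] must sit where header->group[] begins");

/* Recover the flexible view from the embedded header, as the patch does. */
static struct nx842_crypto_header *ctx_hdr(struct nx842_crypto_ctx *ctx)
{
	return container_of(&ctx->header, struct nx842_crypto_header, hdr);
}

/*
 * Zero a context, write group[idx] through the flexible view, then read it
 * back through the context's own array. Returns the value read back, or 0 if
 * the two views disagree on the header part.
 */
uint32_t alias_roundtrip(uint8_t idx, uint32_t clen)
{
	struct nx842_crypto_ctx ctx;
	struct nx842_crypto_header *hdr;

	memset(&ctx, 0, sizeof(ctx));
	hdr = ctx_hdr(&ctx);
	hdr->groups = (uint8_t)(idx + 1);
	hdr->group[idx].compressed_length = clen;
	if (ctx.header.groups != (uint8_t)(idx + 1))
		return 0;
	return ctx.group[idx].compressed_length;
}

/* Bytes occupied by a header describing 'groups' groups in this layout. */
size_t header_bytes(uint8_t groups)
{
	return offsetof(struct nx842_crypto_header, group) +
	       (size_t)groups * sizeof(struct nx842_crypto_header_group);
}

int main(void)
{
	printf("group[2] read back via ctx: 0x%x\n", alias_roundtrip(2, 0x1234u));
	printf("header bytes for 3 groups: %zu\n", header_bytes(3));
	return 0;
}
```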

* [PATCH 6.6 404/474] crypto: nx - Migrate to scomp API
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ard Biesheuvel, Herbert Xu,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ard Biesheuvel <ardb@kernel.org>

[ Upstream commit 980b5705f4e73f567e405cd18337cc32fd51cf79 ]

The only remaining user of 842 compression has been migrated to the
acomp compression API, and so the NX hardware driver has to follow suit,
given that no users of the obsolete 'comp' API remain, and it is going
to be removed.

So migrate the NX driver code to scomp. These will be wrapped and
exposed as acomp implementation via the crypto subsystem's
acomp-to-scomp adaptation layer.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Stable-dep-of: adb3faf2db1a ("crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/crypto/nx/nx-842.c            |   33 +++++++++++++++++++--------------
 drivers/crypto/nx/nx-842.h            |   15 ++++++++-------
 drivers/crypto/nx/nx-common-powernv.c |   31 +++++++++++++++----------------
 drivers/crypto/nx/nx-common-pseries.c |   33 ++++++++++++++++-----------------
 4 files changed, 58 insertions(+), 54 deletions(-)

--- a/drivers/crypto/nx/nx-842.c
+++ b/drivers/crypto/nx/nx-842.c
@@ -101,9 +101,13 @@ static int update_param(struct nx842_cry
 	return 0;
 }
 
-int nx842_crypto_init(struct crypto_tfm *tfm, struct nx842_driver *driver)
+void *nx842_crypto_alloc_ctx(struct nx842_driver *driver)
 {
-	struct nx842_crypto_ctx *ctx = crypto_tfm_ctx(tfm);
+	struct nx842_crypto_ctx *ctx;
+
+	ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
+	if (!ctx)
+		return ERR_PTR(-ENOMEM);
 
 	spin_lock_init(&ctx->lock);
 	ctx->driver = driver;
@@ -114,22 +118,23 @@ int nx842_crypto_init(struct crypto_tfm
 		kfree(ctx->wmem);
 		free_page((unsigned long)ctx->sbounce);
 		free_page((unsigned long)ctx->dbounce);
-		return -ENOMEM;
+		kfree(ctx);
+		return ERR_PTR(-ENOMEM);
 	}
 
-	return 0;
+	return ctx;
 }
-EXPORT_SYMBOL_GPL(nx842_crypto_init);
+EXPORT_SYMBOL_GPL(nx842_crypto_alloc_ctx);
 
-void nx842_crypto_exit(struct crypto_tfm *tfm)
+void nx842_crypto_free_ctx(void *p)
 {
-	struct nx842_crypto_ctx *ctx = crypto_tfm_ctx(tfm);
+	struct nx842_crypto_ctx *ctx = p;
 
 	kfree(ctx->wmem);
 	free_page((unsigned long)ctx->sbounce);
 	free_page((unsigned long)ctx->dbounce);
 }
-EXPORT_SYMBOL_GPL(nx842_crypto_exit);
+EXPORT_SYMBOL_GPL(nx842_crypto_free_ctx);
 
 static void check_constraints(struct nx842_constraints *c)
 {
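Review bot: nx842_crypto_free_ctx() releases wmem and the two bounce buffers but never frees the ctx object that nx842_crypto_alloc_ctx() now kzalloc()s a few lines above, so every tfm teardown leaks a struct nx842_crypto_ctx; a `kfree(ctx);` at the end of the function is needed to pair with the new allocation. While these lines are being touched it is also worth confirming that free_page() matches how sbounce and dbounce are allocated, since an order mismatch would leak pages on both the error path and the normal free path.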
@@ -246,11 +251,11 @@ nospc:
 	return update_param(p, slen, dskip + dlen);
 }
 
-int nx842_crypto_compress(struct crypto_tfm *tfm,
+int nx842_crypto_compress(struct crypto_scomp *tfm,
 			  const u8 *src, unsigned int slen,
-			  u8 *dst, unsigned int *dlen)
+			  u8 *dst, unsigned int *dlen, void *pctx)
 {
-	struct nx842_crypto_ctx *ctx = crypto_tfm_ctx(tfm);
+	struct nx842_crypto_ctx *ctx = pctx;
 	struct nx842_crypto_header *hdr =
 				container_of(&ctx->header,
 					     struct nx842_crypto_header, hdr);
@@ -431,11 +436,11 @@ usesw:
 	return update_param(p, slen + padding, dlen);
 }
 
-int nx842_crypto_decompress(struct crypto_tfm *tfm,
+int nx842_crypto_decompress(struct crypto_scomp *tfm,
 			    const u8 *src, unsigned int slen,
-			    u8 *dst, unsigned int *dlen)
+			    u8 *dst, unsigned int *dlen, void *pctx)
 {
-	struct nx842_crypto_ctx *ctx = crypto_tfm_ctx(tfm);
+	struct nx842_crypto_ctx *ctx = pctx;
 	struct nx842_crypto_header *hdr;
 	struct nx842_crypto_param p;
 	struct nx842_constraints c = *ctx->driver->constraints;
--- a/drivers/crypto/nx/nx-842.h
+++ b/drivers/crypto/nx/nx-842.h
@@ -3,7 +3,6 @@
 #ifndef __NX_842_H__
 #define __NX_842_H__
 
-#include <crypto/algapi.h>
 #include <linux/kernel.h>
 #include <linux/init.h>
 #include <linux/module.h>
@@ -101,6 +100,8 @@
 #define LEN_ON_SIZE(pa, size)	((size) - ((pa) & ((size) - 1)))
 #define LEN_ON_PAGE(pa)		LEN_ON_SIZE(pa, PAGE_SIZE)
 
+struct crypto_scomp;
+
 static inline unsigned long nx842_get_pa(void *addr)
 {
 	if (!is_vmalloc_addr(addr))
@@ -179,13 +180,13 @@ struct nx842_crypto_ctx {
 	struct nx842_driver *driver;
 };
 
-int nx842_crypto_init(struct crypto_tfm *tfm, struct nx842_driver *driver);
-void nx842_crypto_exit(struct crypto_tfm *tfm);
-int nx842_crypto_compress(struct crypto_tfm *tfm,
+void *nx842_crypto_alloc_ctx(struct nx842_driver *driver);
+void nx842_crypto_free_ctx(void *ctx);
+int nx842_crypto_compress(struct crypto_scomp *tfm,
 			  const u8 *src, unsigned int slen,
-			  u8 *dst, unsigned int *dlen);
-int nx842_crypto_decompress(struct crypto_tfm *tfm,
+			  u8 *dst, unsigned int *dlen, void *ctx);
+int nx842_crypto_decompress(struct crypto_scomp *tfm,
 			    const u8 *src, unsigned int slen,
-			    u8 *dst, unsigned int *dlen);
+			    u8 *dst, unsigned int *dlen, void *ctx);
 
 #endif /* __NX_842_H__ */
--- a/drivers/crypto/nx/nx-common-powernv.c
+++ b/drivers/crypto/nx/nx-common-powernv.c
@@ -9,6 +9,7 @@
 
 #include "nx-842.h"
 
+#include <crypto/internal/scompress.h>
 #include <linux/timer.h>
 
 #include <asm/prom.h>
@@ -1031,23 +1032,21 @@ static struct nx842_driver nx842_powernv
 	.decompress =	nx842_powernv_decompress,
 };
 
-static int nx842_powernv_crypto_init(struct crypto_tfm *tfm)
+static void *nx842_powernv_crypto_alloc_ctx(void)
 {
-	return nx842_crypto_init(tfm, &nx842_powernv_driver);
+	return nx842_crypto_alloc_ctx(&nx842_powernv_driver);
 }
 
-static struct crypto_alg nx842_powernv_alg = {
-	.cra_name		= "842",
-	.cra_driver_name	= "842-nx",
-	.cra_priority		= 300,
-	.cra_flags		= CRYPTO_ALG_TYPE_COMPRESS,
-	.cra_ctxsize		= sizeof(struct nx842_crypto_ctx),
-	.cra_module		= THIS_MODULE,
-	.cra_init		= nx842_powernv_crypto_init,
-	.cra_exit		= nx842_crypto_exit,
-	.cra_u			= { .compress = {
-	.coa_compress		= nx842_crypto_compress,
-	.coa_decompress		= nx842_crypto_decompress } }
+static struct scomp_alg nx842_powernv_alg = {
+	.base.cra_name		= "842",
+	.base.cra_driver_name	= "842-nx",
+	.base.cra_priority	= 300,
+	.base.cra_module	= THIS_MODULE,
+
+	.alloc_ctx		= nx842_powernv_crypto_alloc_ctx,
+	.free_ctx		= nx842_crypto_free_ctx,
+	.compress		= nx842_crypto_compress,
+	.decompress		= nx842_crypto_decompress,
 };
 
 static __init int nx_compress_powernv_init(void)
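Review bot: `.alloc_ctx = nx842_powernv_crypto_alloc_ctx` and `.free_ctx = nx842_crypto_free_ctx` have `void *(void)` and `void (void *)` signatures, which match struct scomp_alg only in trees where the tfm argument has been removed from alloc_ctx/free_ctx; for a 6.6 backport the member types in include/crypto/internal/scompress.h should be checked, since a mismatch is an incompatible-pointer assignment that a kCFI-enabled build would trap on at the indirect call. Dropping .cra_ctxsize is right here because the per-tfm state now comes from alloc_ctx rather than crypto_tfm_ctx(). The same applies to nx842_pseries_alg below.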
@@ -1107,7 +1106,7 @@ static __init int nx_compress_powernv_in
 		nx842_powernv_exec = nx842_exec_vas;
 	}
 
-	ret = crypto_register_alg(&nx842_powernv_alg);
+	ret = crypto_register_scomp(&nx842_powernv_alg);
 	if (ret) {
 		nx_delete_coprocs();
 		return ret;
@@ -1128,7 +1127,7 @@ static void __exit nx_compress_powernv_e
 	if (!nx842_ct)
 		vas_unregister_api_powernv();
 
-	crypto_unregister_alg(&nx842_powernv_alg);
+	crypto_unregister_scomp(&nx842_powernv_alg);
 
 	nx_delete_coprocs();
 }
--- a/drivers/crypto/nx/nx-common-pseries.c
+++ b/drivers/crypto/nx/nx-common-pseries.c
@@ -11,6 +11,7 @@
 #include <asm/vio.h>
 #include <asm/hvcall.h>
 #include <asm/vas.h>
+#include <crypto/internal/scompress.h>
 
 #include "nx-842.h"
 #include "nx_csbcpb.h" /* struct nx_csbcpb */
@@ -1008,23 +1009,21 @@ static struct nx842_driver nx842_pseries
 	.decompress =	nx842_pseries_decompress,
 };
 
-static int nx842_pseries_crypto_init(struct crypto_tfm *tfm)
+static void *nx842_pseries_crypto_alloc_ctx(void)
 {
-	return nx842_crypto_init(tfm, &nx842_pseries_driver);
+	return nx842_crypto_alloc_ctx(&nx842_pseries_driver);
 }
 
-static struct crypto_alg nx842_pseries_alg = {
-	.cra_name		= "842",
-	.cra_driver_name	= "842-nx",
-	.cra_priority		= 300,
-	.cra_flags		= CRYPTO_ALG_TYPE_COMPRESS,
-	.cra_ctxsize		= sizeof(struct nx842_crypto_ctx),
-	.cra_module		= THIS_MODULE,
-	.cra_init		= nx842_pseries_crypto_init,
-	.cra_exit		= nx842_crypto_exit,
-	.cra_u			= { .compress = {
-	.coa_compress		= nx842_crypto_compress,
-	.coa_decompress		= nx842_crypto_decompress } }
+static struct scomp_alg nx842_pseries_alg = {
+	.base.cra_name		= "842",
+	.base.cra_driver_name	= "842-nx",
+	.base.cra_priority	= 300,
+	.base.cra_module	= THIS_MODULE,
+
+	.alloc_ctx		= nx842_pseries_crypto_alloc_ctx,
+	.free_ctx		= nx842_crypto_free_ctx,
+	.compress		= nx842_crypto_compress,
+	.decompress		= nx842_crypto_decompress,
 };
 
 static int nx842_probe(struct vio_dev *viodev,
@@ -1072,7 +1071,7 @@ static int nx842_probe(struct vio_dev *v
 	if (ret)
 		goto error;
 
-	ret = crypto_register_alg(&nx842_pseries_alg);
+	ret = crypto_register_scomp(&nx842_pseries_alg);
 	if (ret) {
 		dev_err(&viodev->dev, "could not register comp alg: %d\n", ret);
 		goto error;
@@ -1120,7 +1119,7 @@ static void nx842_remove(struct vio_dev
 	if (caps_feat)
 		sysfs_remove_group(&viodev->dev.kobj, &nxcop_caps_attr_group);
 
-	crypto_unregister_alg(&nx842_pseries_alg);
+	crypto_unregister_scomp(&nx842_pseries_alg);
 
 	spin_lock_irqsave(&devdata_mutex, flags);
 	old_devdata = rcu_dereference_check(devdata,
@@ -1252,7 +1251,7 @@ static void __exit nx842_pseries_exit(vo
 
 	vas_unregister_api_pseries();
 
-	crypto_unregister_alg(&nx842_pseries_alg);
+	crypto_unregister_scomp(&nx842_pseries_alg);
 
 	spin_lock_irqsave(&devdata_mutex, flags);
 	old_devdata = rcu_dereference_check(devdata,




* [PATCH 6.6 405/474] crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Herbert Xu,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thorsten Blum <thorsten.blum@linux.dev>

[ Upstream commit adb3faf2db1a66d0f015b44ac909a32dfc7f2f9c ]

The bounce buffers are allocated with __get_free_pages() using
BOUNCE_BUFFER_ORDER (order 2 = 4 pages), but both the allocation error
path and nx842_crypto_free_ctx() release the buffers with free_page().
Use free_pages() with the matching order instead.

Fixes: ed70b479c2c0 ("crypto: nx - add hardware 842 crypto comp alg")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/crypto/nx/nx-842.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/crypto/nx/nx-842.c
+++ b/drivers/crypto/nx/nx-842.c
@@ -116,8 +116,8 @@ void *nx842_crypto_alloc_ctx(struct nx84
 	ctx->dbounce = (u8 *)__get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER);
 	if (!ctx->wmem || !ctx->sbounce || !ctx->dbounce) {
 		kfree(ctx->wmem);
-		free_page((unsigned long)ctx->sbounce);
-		free_page((unsigned long)ctx->dbounce);
+		free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER);
+		free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER);
 		kfree(ctx);
 		return ERR_PTR(-ENOMEM);
 	}
@@ -131,8 +131,8 @@ void nx842_crypto_free_ctx(void *p)
 	struct nx842_crypto_ctx *ctx = p;
 
 	kfree(ctx->wmem);
-	free_page((unsigned long)ctx->sbounce);
-	free_page((unsigned long)ctx->dbounce);
+	free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER);
+	free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER);
 }
 EXPORT_SYMBOL_GPL(nx842_crypto_free_ctx);
 
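Review bot: the two free_pages() pairs, in the allocation error path and in nx842_crypto_free_ctx(), repeat the same BOUNCE_BUFFER_ORDER bookkeeping; a small static helper that releases both bounce buffers would keep the order in one place so a later change cannot reintroduce the mismatch. free_pages() ignores a zero address, so calling it unconditionally on a buffer whose allocation failed remains safe, and with the previous free_page() only the first of the 1 << BOUNCE_BUFFER_ORDER pages of each buffer was ever returned.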




* [PATCH 6.6 406/474] erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo, Gao Xiang,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Junrui Luo <moonafterrain@outlook.com>

[ Upstream commit 21e161de2dc660b1bb70ef5b156ab8e6e1cca3ab ]

Some crafted images can have illegal (!partial_decoding &&
m_llen < m_plen) extents, and the LZ4 inplace decompression path
can be wrongly hit, but it cannot handle (outpages < inpages)
properly: "outpages - inpages" wraps to a large value and
the subsequent rq->out[] access reads past the decompressed_pages
array.

However, such crafted cases can correctly result in a corruption
report in the normal LZ4 non-inplace path.

Let's add an additional check to fix this for backporting.

Reproducible image (base64-encoded gzipped blob):


$ mount -t erofs -o cache_strategy=disabled foo.erofs /mnt
$ dd if=/mnt/data of=/dev/null bs=4096 count=1

Fixes: 598162d05080 ("erofs: support decompress big pcluster for lz4 backend")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
[ inverted condition to early-out `goto docopy` form and used `ctx->inpages`/`ctx->outpages` instead of `rq->` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/erofs/decompressor.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/erofs/decompressor.c
+++ b/fs/erofs/decompressor.c
@@ -133,6 +133,7 @@ static void *z_erofs_lz4_handle_overlap(
 	if (rq->inplace_io) {
 		omargin = PAGE_ALIGN(ctx->oend) - ctx->oend;
 		if (rq->partial_decoding || !may_inplace ||
+		    ctx->outpages < ctx->inpages ||
 		    omargin < LZ4_DECOMPRESS_INPLACE_MARGIN(rq->inputsize))
 			goto docopy;
 
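Review bot: placing `ctx->outpages < ctx->inpages` ahead of the margin test ensures `outpages - inpages` is never computed for the wrapping case, and routing it to `docopy` rather than failing here is deliberate since the commit message says the non-inplace path reports the corruption; a short comment naming the illegal (!partial_decoding && m_llen < m_plen) extent case would make clear that this condition is a defence against crafted images rather than a performance heuristic like the others in the same `if`.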




* [PATCH 6.6 407/474] printk: add print_hex_dump_devel()
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Herbert Xu, Thorsten Blum,
	John Ogness, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thorsten Blum <thorsten.blum@linux.dev>

[ Upstream commit d134feeb5df33fbf77f482f52a366a44642dba09 ]

Add print_hex_dump_devel() as the hex dump equivalent of pr_devel(),
which emits output only when DEBUG is enabled, but keeps call sites
compiled otherwise.

Suggested-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Reviewed-by: John Ogness <john.ogness@linutronix.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Stable-dep-of: 177730a273b1 ("crypto: caam - guard HMAC key hex dumps in hash_digest_key")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/printk.h |   13 +++++++++++++
 1 file changed, 13 insertions(+)

--- a/include/linux/printk.h
+++ b/include/linux/printk.h
@@ -745,6 +745,19 @@ static inline void print_hex_dump_debug(
 }
 #endif
 
+#if defined(DEBUG)
+#define print_hex_dump_devel(prefix_str, prefix_type, rowsize,		\
+			     groupsize, buf, len, ascii)		\
+	print_hex_dump(KERN_DEBUG, prefix_str, prefix_type, rowsize,	\
+		       groupsize, buf, len, ascii)
+#else
+static inline void print_hex_dump_devel(const char *prefix_str, int prefix_type,
+					int rowsize, int groupsize,
+					const void *buf, size_t len, bool ascii)
+{
+}
+#endif
+
 /**
  * print_hex_dump_bytes - shorthand form of print_hex_dump() with default params
  * @prefix_str: string to prefix each line with;
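Review bot: the non-DEBUG fallback is a typed static inline rather than an empty macro, so callers still get argument type checking and no unused-variable warnings, consistent with the print_hex_dump_debug() stub above; as a new helper in a widely included header it should carry a kerneldoc comment like print_hex_dump_bytes() below, stating that unlike print_hex_dump_debug() it cannot be switched on at runtime through dynamic debug, which is exactly the property callers dumping key material rely on.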




* [PATCH 6.6 408/474] crypto: caam - guard HMAC key hex dumps in hash_digest_key
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (406 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 407/474] printk: add print_hex_dump_devel() Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 409/474] net: stmmac: avoid shadowing global buf_sz Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Herbert Xu,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thorsten Blum <thorsten.blum@linux.dev>

[ Upstream commit 177730a273b18e195263ed953853273e901b5064 ]

Use print_hex_dump_devel() for dumping sensitive HMAC key bytes in
hash_digest_key() to avoid leaking secrets at runtime when
CONFIG_DYNAMIC_DEBUG is enabled.

Fixes: 045e36780f11 ("crypto: caam - ahash hmac support")
Fixes: 3f16f6c9d632 ("crypto: caam/qi2 - add support for ahash algorithms")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/crypto/caam/caamalg_qi2.c |    4 ++--
 drivers/crypto/caam/caamhash.c    |    4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/crypto/caam/caamalg_qi2.c
+++ b/drivers/crypto/caam/caamalg_qi2.c
@@ -3268,7 +3268,7 @@ static int hash_digest_key(struct caam_h
 	dpaa2_fl_set_addr(out_fle, key_dma);
 	dpaa2_fl_set_len(out_fle, digestsize);
 
-	print_hex_dump_debug("key_in@" __stringify(__LINE__)": ",
+	print_hex_dump_devel("key_in@" __stringify(__LINE__)": ",
 			     DUMP_PREFIX_ADDRESS, 16, 4, key, *keylen, 1);
 	print_hex_dump_debug("shdesc@" __stringify(__LINE__)": ",
 			     DUMP_PREFIX_ADDRESS, 16, 4, desc, desc_bytes(desc),
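Review bot: only the `key_in@` and `digested key@` dumps move to print_hex_dump_devel(); the `shdesc@` dump on the following lines stays under print_hex_dump_debug() and can still be enabled at runtime, which is safe only if the descriptor references the key through key_dma rather than embedding it as immediate data, so that is worth confirming (the same pattern repeats for `jobdesc@` in caamhash.c below).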
@@ -3288,7 +3288,7 @@ static int hash_digest_key(struct caam_h
 		/* in progress */
 		wait_for_completion(&result.completion);
 		ret = result.err;
-		print_hex_dump_debug("digested key@" __stringify(__LINE__)": ",
+		print_hex_dump_devel("digested key@" __stringify(__LINE__)": ",
 				     DUMP_PREFIX_ADDRESS, 16, 4, key,
 				     digestsize, 1);
 	}
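Review bot: the `digested key@` dump still runs regardless of `ret = result.err`, so a failed job also dumps whatever the output buffer holds. With print_hex_dump_devel() this is no longer runtime-enableable (the commit message's point), so no exposure remains, but guarding it with `if (!ret)` would avoid dumping an output that is not a key at all. Minor.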
--- a/drivers/crypto/caam/caamhash.c
+++ b/drivers/crypto/caam/caamhash.c
@@ -393,7 +393,7 @@ static int hash_digest_key(struct caam_h
 	append_seq_store(desc, digestsize, LDST_CLASS_2_CCB |
 			 LDST_SRCDST_BYTE_CONTEXT);
 
-	print_hex_dump_debug("key_in@"__stringify(__LINE__)": ",
+	print_hex_dump_devel("key_in@"__stringify(__LINE__)": ",
 			     DUMP_PREFIX_ADDRESS, 16, 4, key, *keylen, 1);
 	print_hex_dump_debug("jobdesc@"__stringify(__LINE__)": ",
 			     DUMP_PREFIX_ADDRESS, 16, 4, desc, desc_bytes(desc),
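Review bot: same question as for the qi2 file: the `jobdesc@` dump two lines below the change keeps print_hex_dump_debug(). A sentence in the commit message confirming that the job descriptor only references the key by DMA address, and therefore does not need the compile-time-only macro, would make the scope of the fix clear to reviewers.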
@@ -408,7 +408,7 @@ static int hash_digest_key(struct caam_h
 		wait_for_completion(&result.completion);
 		ret = result.err;
 
-		print_hex_dump_debug("digested key@"__stringify(__LINE__)": ",
+		print_hex_dump_devel("digested key@"__stringify(__LINE__)": ",
 				     DUMP_PREFIX_ADDRESS, 16, 4, key,
 				     digestsize, 1);
 	}



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 409/474] net: stmmac: avoid shadowing global buf_sz
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (407 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 408/474] crypto: caam - guard HMAC key hex dumps in hash_digest_key Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 410/474] net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY() Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Russell King (Oracle), Furong Xu,
	Jakub Kicinski, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Russell King (Oracle)" <rmk+kernel@armlinux.org.uk>

[ Upstream commit 876cfb20e8892143c0c967b3657074f9131f9b5f ]

stmmac_rx() declares a local variable named "buf_sz" but there is also
a global variable for a module parameter which is called the same. To
avoid confusion, rename the local variable.

Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Reviewed-by: Furong Xu <0x1207@gmail.com>
Link: https://patch.msgid.link/E1tpswi-005U6C-Py@rmk-PC.armlinux.org.uk
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 0bb05e6adfa9 ("net: stmmac: Prevent NULL deref when RX memory exhausted")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -5279,10 +5279,10 @@ static int stmmac_rx(struct stmmac_priv
 	struct sk_buff *skb = NULL;
 	struct stmmac_xdp_buff ctx;
 	int xdp_status = 0;
-	int buf_sz;
+	int bufsz;
 
 	dma_dir = page_pool_get_dma_dir(rx_q->page_pool);
-	buf_sz = DIV_ROUND_UP(priv->dma_conf.dma_buf_sz, PAGE_SIZE) * PAGE_SIZE;
+	bufsz = DIV_ROUND_UP(priv->dma_conf.dma_buf_sz, PAGE_SIZE) * PAGE_SIZE;
 	limit = min(priv->dma_conf.dma_rx_size - 1, (unsigned int)limit);
 
 	if (netif_msg_rx_status(priv)) {
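Review bot: rename only, fine as a dependency for the NULL-deref fix, but the hunk shows the local hid the module parameter for the whole life of this code without anyone noticing; a `-Wshadow` build of the stmmac directory, or a less generic name for the module parameter itself, would keep this from recurring. `bufsz` also holds a `DIV_ROUND_UP(...) * PAGE_SIZE` result and is later passed as the XDP frame size, so an unsigned type would fit better than `int`; pre-existing, not for this patch.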
@@ -5397,7 +5397,7 @@ read_again:
 			dma_sync_single_for_cpu(priv->device, buf->addr,
 						buf1_len, dma_dir);
 
-			xdp_init_buff(&ctx.xdp, buf_sz, &rx_q->xdp_rxq);
+			xdp_init_buff(&ctx.xdp, bufsz, &rx_q->xdp_rxq);
 			xdp_prepare_buff(&ctx.xdp, page_address(buf->page),
 					 buf->page_offset, buf1_len, true);
 



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 410/474] net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY()
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (408 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 409/474] net: stmmac: avoid shadowing global buf_sz Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 411/474] net: stmmac: Prevent NULL deref when RX memory exhausted Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Russell King (Oracle),
	Jakub Kicinski, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Russell King (Oracle)" <rmk+kernel@armlinux.org.uk>

[ Upstream commit 6b4286e0550814cdc4b897f881ec1fa8b0313227 ]

STMMAC_GET_ENTRY() doesn't describe what this macro is doing - it is
incrementing the provided index for the circular array of descriptors.
Replace "GET" with "NEXT" as this better describes the action here.

Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Link: https://patch.msgid.link/E1w2vba-0000000DbWo-1oL5@rmk-PC.armlinux.org.uk
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 0bb05e6adfa9 ("net: stmmac: Prevent NULL deref when RX memory exhausted")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/stmicro/stmmac/chain_mode.c  |    2 -
 drivers/net/ethernet/stmicro/stmmac/common.h      |    2 -
 drivers/net/ethernet/stmicro/stmmac/ring_mode.c   |    2 -
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c |   26 +++++++++++-----------
 4 files changed, 16 insertions(+), 16 deletions(-)

--- a/drivers/net/ethernet/stmicro/stmmac/chain_mode.c
+++ b/drivers/net/ethernet/stmicro/stmmac/chain_mode.c
@@ -47,7 +47,7 @@ static int jumbo_frm(struct stmmac_tx_qu
 
 	while (len != 0) {
 		tx_q->tx_skbuff[entry] = NULL;
-		entry = STMMAC_GET_ENTRY(entry, priv->dma_conf.dma_tx_size);
+		entry = STMMAC_NEXT_ENTRY(entry, priv->dma_conf.dma_tx_size);
 		desc = tx_q->dma_tx + entry;
 
 		if (len > bmax) {
--- a/drivers/net/ethernet/stmicro/stmmac/common.h
+++ b/drivers/net/ethernet/stmicro/stmmac/common.h
@@ -54,7 +54,7 @@
 #define DMA_MIN_RX_SIZE		64
 #define DMA_MAX_RX_SIZE		1024
 #define DMA_DEFAULT_RX_SIZE	512
-#define STMMAC_GET_ENTRY(x, size)	((x + 1) & (size - 1))
+#define STMMAC_NEXT_ENTRY(x, size)	((x + 1) & (size - 1))
 
 #undef FRAME_FILTER_DEBUG
 /* #define FRAME_FILTER_DEBUG */
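Review bot: the renamed macro body `((x + 1) & (size - 1))` still leaves both parameters unparenthesised and silently assumes `size` is a power of two. While touching the line, `(((x) + 1) & ((size) - 1))` would make it safe for expression arguments, and a short comment stating the power-of-two requirement would document the invariant that the `& (size - 1)` wrap depends on (DMA_MIN_RX_SIZE and DMA_MAX_RX_SIZE just above happen to satisfy it, which is why it has never bitten).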
--- a/drivers/net/ethernet/stmicro/stmmac/ring_mode.c
+++ b/drivers/net/ethernet/stmicro/stmmac/ring_mode.c
@@ -51,7 +51,7 @@ static int jumbo_frm(struct stmmac_tx_qu
 		stmmac_prepare_tx_desc(priv, desc, 1, bmax, csum,
 				STMMAC_RING_MODE, 0, false, skb->len);
 		tx_q->tx_skbuff[entry] = NULL;
-		entry = STMMAC_GET_ENTRY(entry, priv->dma_conf.dma_tx_size);
+		entry = STMMAC_NEXT_ENTRY(entry, priv->dma_conf.dma_tx_size);
 
 		if (priv->extend_desc)
 			desc = (struct dma_desc *)(tx_q->dma_etx + entry);
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -2503,7 +2503,7 @@ static bool stmmac_xdp_xmit_zc(struct st
 
 		stmmac_enable_dma_transmission(priv, priv->ioaddr);
 
-		tx_q->cur_tx = STMMAC_GET_ENTRY(tx_q->cur_tx, priv->dma_conf.dma_tx_size);
+		tx_q->cur_tx = STMMAC_NEXT_ENTRY(tx_q->cur_tx, priv->dma_conf.dma_tx_size);
 		entry = tx_q->cur_tx;
 	}
 	u64_stats_update_begin(&txq_stats->napi_syncp);
@@ -2659,7 +2659,7 @@ static int stmmac_tx_clean(struct stmmac
 
 		stmmac_release_tx_desc(priv, p, priv->mode);
 
-		entry = STMMAC_GET_ENTRY(entry, priv->dma_conf.dma_tx_size);
+		entry = STMMAC_NEXT_ENTRY(entry, priv->dma_conf.dma_tx_size);
 	}
 	tx_q->dirty_tx = entry;
 
@@ -3973,7 +3973,7 @@ static bool stmmac_vlan_insert(struct st
 		return false;
 
 	stmmac_set_tx_owner(priv, p);
-	tx_q->cur_tx = STMMAC_GET_ENTRY(tx_q->cur_tx, priv->dma_conf.dma_tx_size);
+	tx_q->cur_tx = STMMAC_NEXT_ENTRY(tx_q->cur_tx, priv->dma_conf.dma_tx_size);
 	return true;
 }
 
@@ -4001,7 +4001,7 @@ static void stmmac_tso_allocator(struct
 	while (tmp_len > 0) {
 		dma_addr_t curr_addr;
 
-		tx_q->cur_tx = STMMAC_GET_ENTRY(tx_q->cur_tx,
+		tx_q->cur_tx = STMMAC_NEXT_ENTRY(tx_q->cur_tx,
 						priv->dma_conf.dma_tx_size);
 		WARN_ON(tx_q->tx_skbuff[tx_q->cur_tx]);
 
@@ -4133,7 +4133,7 @@ static netdev_tx_t stmmac_tso_xmit(struc
 
 		stmmac_set_mss(priv, mss_desc, mss);
 		tx_q->mss = mss;
-		tx_q->cur_tx = STMMAC_GET_ENTRY(tx_q->cur_tx,
+		tx_q->cur_tx = STMMAC_NEXT_ENTRY(tx_q->cur_tx,
 						priv->dma_conf.dma_tx_size);
 		WARN_ON(tx_q->tx_skbuff[tx_q->cur_tx]);
 	}
@@ -4258,7 +4258,7 @@ static netdev_tx_t stmmac_tso_xmit(struc
 	 * ndo_start_xmit will fill this descriptor the next time it's
 	 * called and stmmac_tx_clean may clean up to this descriptor.
 	 */
-	tx_q->cur_tx = STMMAC_GET_ENTRY(tx_q->cur_tx, priv->dma_conf.dma_tx_size);
+	tx_q->cur_tx = STMMAC_NEXT_ENTRY(tx_q->cur_tx, priv->dma_conf.dma_tx_size);
 
 	if (unlikely(stmmac_tx_avail(priv, queue) <= (MAX_SKB_FRAGS + 1))) {
 		netif_dbg(priv, hw, priv->dev, "%s: stop transmitted packets\n",
@@ -4451,7 +4451,7 @@ static netdev_tx_t stmmac_xmit(struct sk
 		int len = skb_frag_size(frag);
 		bool last_segment = (i == (nfrags - 1));
 
-		entry = STMMAC_GET_ENTRY(entry, priv->dma_conf.dma_tx_size);
+		entry = STMMAC_NEXT_ENTRY(entry, priv->dma_conf.dma_tx_size);
 		WARN_ON(tx_q->tx_skbuff[entry]);
 
 		if (likely(priv->extend_desc))
@@ -4521,7 +4521,7 @@ static netdev_tx_t stmmac_xmit(struct sk
 	 * ndo_start_xmit will fill this descriptor the next time it's
 	 * called and stmmac_tx_clean may clean up to this descriptor.
 	 */
-	entry = STMMAC_GET_ENTRY(entry, priv->dma_conf.dma_tx_size);
+	entry = STMMAC_NEXT_ENTRY(entry, priv->dma_conf.dma_tx_size);
 	tx_q->cur_tx = entry;
 
 	if (netif_msg_pktdata(priv)) {
@@ -4691,7 +4691,7 @@ static inline void stmmac_rx_refill(stru
 		dma_wmb();
 		stmmac_set_rx_owner(priv, p, use_rx_wd);
 
-		entry = STMMAC_GET_ENTRY(entry, priv->dma_conf.dma_rx_size);
+		entry = STMMAC_NEXT_ENTRY(entry, priv->dma_conf.dma_rx_size);
 	}
 	rx_q->dirty_rx = entry;
 	rx_q->rx_tail_addr = rx_q->dma_rx_phy +
@@ -4818,7 +4818,7 @@ static int stmmac_xdp_xmit_xdpf(struct s
 
 	stmmac_enable_dma_transmission(priv, priv->ioaddr);
 
-	entry = STMMAC_GET_ENTRY(entry, priv->dma_conf.dma_tx_size);
+	entry = STMMAC_NEXT_ENTRY(entry, priv->dma_conf.dma_tx_size);
 	tx_q->cur_tx = entry;
 
 	return STMMAC_XDP_TX;
@@ -5048,7 +5048,7 @@ static bool stmmac_rx_refill_zc(struct s
 		dma_wmb();
 		stmmac_set_rx_owner(priv, rx_desc, use_rx_wd);
 
-		entry = STMMAC_GET_ENTRY(entry, priv->dma_conf.dma_rx_size);
+		entry = STMMAC_NEXT_ENTRY(entry, priv->dma_conf.dma_rx_size);
 	}
 
 	if (rx_desc) {
@@ -5143,7 +5143,7 @@ read_again:
 			break;
 
 		/* Prefetch the next RX descriptor */
-		rx_q->cur_rx = STMMAC_GET_ENTRY(rx_q->cur_rx,
+		rx_q->cur_rx = STMMAC_NEXT_ENTRY(rx_q->cur_rx,
 						priv->dma_conf.dma_rx_size);
 		next_entry = rx_q->cur_rx;
 
@@ -5339,7 +5339,7 @@ read_again:
 		if (unlikely(status & dma_own))
 			break;
 
-		rx_q->cur_rx = STMMAC_GET_ENTRY(rx_q->cur_rx,
+		rx_q->cur_rx = STMMAC_NEXT_ENTRY(rx_q->cur_rx,
 						priv->dma_conf.dma_rx_size);
 		next_entry = rx_q->cur_rx;
 



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 411/474] net: stmmac: Prevent NULL deref when RX memory exhausted
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (409 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 410/474] net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY() Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 412/474] tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func() Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Russell King, Sam Edwards,
	Paolo Abeni, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sam Edwards <cfsworks@gmail.com>

[ Upstream commit 0bb05e6adfa99a2ea1fee1125cc0953409f83ed8 ]

The CPU receives frames from the MAC through conventional DMA: the CPU
allocates buffers for the MAC, then the MAC fills them and returns
ownership to the CPU. For each hardware RX queue, the CPU and MAC
coordinate through a shared ring array of DMA descriptors: one
descriptor per DMA buffer. Each descriptor includes the buffer's
physical address and a status flag ("OWN") indicating which side owns
the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set
the flag and the MAC is only allowed to clear it, and both must move
through the ring in sequence: thus the ring is used for both
"submissions" and "completions."

In the stmmac driver, stmmac_rx() bookmarks its position in the ring
with the `cur_rx` index. The main receive loop in that function checks
for rx_descs[cur_rx].own=0, gives the corresponding buffer to the
network stack (NULLing the pointer), and increments `cur_rx` modulo the
ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its
position with `dirty_rx`, allocates fresh buffers and rearms the
descriptors (setting OWN=1). If it fails any allocation, it simply stops
early (leaving OWN=0) and will retry where it left off when next called.

This means descriptors have a three-stage lifecycle (terms my own):
- `empty` (OWN=1, buffer valid)
- `full` (OWN=0, buffer valid and populated)
- `dirty` (OWN=0, buffer NULL)

But because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In
the past (see 'Fixes:'), there was a bug where the loop could cycle
`cur_rx` all the way back to the first descriptor it dirtied, resulting
in a NULL dereference when mistaken for `full`. The aforementioned
commit resolved that *specific* failure by capping the loop's iteration
limit at `dma_rx_size - 1`, but this is only a partial fix: if the
previous stmmac_rx_refill() didn't complete, then there are leftover
`dirty` descriptors that the loop might encounter without needing to
cycle fully around. The current code therefore panics (see 'Closes:')
when stmmac_rx_refill() is memory-starved long enough for `cur_rx` to
catch up to `dirty_rx`.

Fix this by explicitly checking, before advancing `cur_rx`, if the next
entry is dirty; exit the loop if so. This prevents processing of the
final, used descriptor until stmmac_rx_refill() succeeds, but
fully prevents the `cur_rx == dirty_rx` ambiguity as the previous bugfix
intended: so remove the clamp as well. Since stmmac_rx_zc() is a
copy-paste-and-tweak of stmmac_rx() and the code structure is identical,
any fix to stmmac_rx() will also need a corresponding fix for
stmmac_rx_zc(). Therefore, apply the same check there.

In stmmac_rx() (not stmmac_rx_zc()), a related bug remains: after the
MAC sets OWN=0 on the final descriptor, it will be unable to send any
further DMA-complete IRQs until it's given more `empty` descriptors.
Currently, the driver simply *hopes* that the next stmmac_rx_refill()
succeeds, risking an indefinite stall of the receive process if not. But
this is not a regression, so it can be addressed in a future change.

Fixes: b6cb4541853c7 ("net: stmmac: avoid rx queue overrun")
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221010
Cc: stable@vger.kernel.org
Suggested-by: Russell King <linux@armlinux.org.uk>
Signed-off-by: Sam Edwards <CFSworks@gmail.com>
Link: https://patch.msgid.link/20260422044503.5349-1-CFSworks@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c |   19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -5143,9 +5143,12 @@ read_again:
 			break;
 
 		/* Prefetch the next RX descriptor */
-		rx_q->cur_rx = STMMAC_NEXT_ENTRY(rx_q->cur_rx,
-						priv->dma_conf.dma_rx_size);
-		next_entry = rx_q->cur_rx;
+		next_entry = STMMAC_NEXT_ENTRY(rx_q->cur_rx,
+					       priv->dma_conf.dma_rx_size);
+		if (unlikely(next_entry == rx_q->dirty_rx))
+			break;
+
+		rx_q->cur_rx = next_entry;
 
 		if (priv->extend_desc)
 			np = (struct dma_desc *)(rx_q->dma_erx + next_entry);
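Review bot: the `/* Prefetch the next RX descriptor */` comment above the changed lines no longer describes the block: it now also decides to leave the loop, and `rx_q->cur_rx` is deliberately left pointing at the current, still unprocessed descriptor so that it is revisited once stmmac_rx_refill() has succeeded. A comment saying that, and that `dirty_rx` marks the first descriptor whose buffer pointer is NULL, would save the next reader a trip to the commit message.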
@@ -5283,7 +5286,6 @@ static int stmmac_rx(struct stmmac_priv
 
 	dma_dir = page_pool_get_dma_dir(rx_q->page_pool);
 	bufsz = DIV_ROUND_UP(priv->dma_conf.dma_buf_sz, PAGE_SIZE) * PAGE_SIZE;
-	limit = min(priv->dma_conf.dma_rx_size - 1, (unsigned int)limit);
 
 	if (netif_msg_rx_status(priv)) {
 		void *rx_head;
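Review bot: with the clamp removed, `limit` is purely the NAPI budget again and nothing at this site bounds a wrap of `cur_rx`; the protection now lives entirely in the loop's `next_entry == rx_q->dirty_rx` check. That is the intended design, but this is the exact line the Fixes: commit introduced for the same hazard, so a one-line comment here noting where the guard moved would help anyone bisecting or backporting around this change.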
@@ -5339,9 +5341,12 @@ read_again:
 		if (unlikely(status & dma_own))
 			break;
 
-		rx_q->cur_rx = STMMAC_NEXT_ENTRY(rx_q->cur_rx,
-						priv->dma_conf.dma_rx_size);
-		next_entry = rx_q->cur_rx;
+		next_entry = STMMAC_NEXT_ENTRY(rx_q->cur_rx,
+					       priv->dma_conf.dma_rx_size);
+		if (unlikely(next_entry == rx_q->dirty_rx))
+			break;
+
+		rx_q->cur_rx = next_entry;
 
 		if (priv->extend_desc)
 			np = (struct dma_desc *)(rx_q->dma_erx + next_entry);
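Review bot: this hunk is the same logic, line for line, as the stmmac_rx_zc() hunk above, which is precisely the copy-paste coupling the commit message warns about. A small static inline helper that computes the next index and reports whether it collides with `dirty_rx` would let both loops share the check and keep them from drifting apart in the next fix.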



^ permalink raw reply	[flat|nested] 476+ messages in thread
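The three descriptor states and the `cur_rx` catching up with `dirty_rx` hazard described in the commit message above, as an added userspace model (not the stmmac driver's code and not the patch): a ring of eight descriptors, a modelled MAC that clears OWN, a refill path that can fail, and one poll loop that runs either the pre-fix way (OWN check plus the old clamp) or with the patch's check. Names, the ring size and the allocation-failure hook are assumptions of the model.

```c
#include <stdbool.h>
#include <string.h>

#define RING_SIZE 8                                    /* power of two, like the hw ring */
#define NEXT_ENTRY(x, size) (((x) + 1) & ((size) - 1))  /* as STMMAC_NEXT_ENTRY() */

struct rx_desc {
	bool own;  /* OWN=1: MAC owns it ("empty"); OWN=0: CPU owns it ("full" or "dirty") */
	void *buf; /* NULL once handed to the stack: the "dirty" state */
};

struct rx_queue {
	struct rx_desc desc[RING_SIZE];
	unsigned int cur_rx;   /* stmmac_rx() bookmark */
	unsigned int dirty_rx; /* stmmac_rx_refill() bookmark */
	unsigned int mac_rx;   /* where the modelled MAC writes next */
	int allocs_left;       /* allocation budget; 0 models -ENOMEM */
};

static char g_pool[RING_SIZE]; /* constructed stand-in for page_pool memory */

static void rx_queue_init(struct rx_queue *q)
{
	memset(q, 0, sizeof(*q));
	for (unsigned int i = 0; i < RING_SIZE; i++) /* every descriptor starts "empty" */
		q->desc[i] = (struct rx_desc){ .own = true, .buf = &g_pool[i] };
}

/* The MAC fills up to n "empty" descriptors in ring order, clearing OWN on each. */
static unsigned int mac_receive(struct rx_queue *q, unsigned int n)
{
	unsigned int done = 0;
	while (done < n && q->desc[q->mac_rx].own) {
		q->desc[q->mac_rx].own = false; /* now "full" */
		q->mac_rx = NEXT_ENTRY(q->mac_rx, RING_SIZE);
		done++;
	}
	return done;
}

/* stmmac_rx_refill() model: re-arm from dirty_rx towards cur_rx, stopping early
 * (and leaving dirty_rx behind) when an allocation fails. */
static void rx_refill(struct rx_queue *q)
{
	while (q->dirty_rx != q->cur_rx) {
		if (q->allocs_left == 0)
			return; /* -ENOMEM: this descriptor stays "dirty" */
		q->allocs_left--;
		q->desc[q->dirty_rx].buf = &g_pool[q->dirty_rx];
		q->desc[q->dirty_rx].own = true; /* "empty" again */
		q->dirty_rx = NEXT_ENTRY(q->dirty_rx, RING_SIZE);
	}
}

/* stmmac_rx() model.  fixed=false: OWN check only, iterations clamped at
 * RING_SIZE - 1 (the earlier partial fix).  fixed=true: the patch's dirty_rx
 * check with the clamp removed.  Returns frames delivered, or -1 where the
 * real loop would dereference the NULL buffer of a "dirty" descriptor. */
static int rx_poll(struct rx_queue *q, int budget, bool fixed)
{
	int limit = (!fixed && budget > RING_SIZE - 1) ? RING_SIZE - 1 : budget;
	int count = 0;

	while (count < limit) {
		struct rx_desc *d = &q->desc[q->cur_rx];
		unsigned int next;
		if (d->own)
			break; /* still with the MAC */
		next = NEXT_ENTRY(q->cur_rx, RING_SIZE);
		if (fixed && next == q->dirty_rx)
			break; /* next slot is dirty: hold this frame until refill succeeds */
		q->cur_rx = next;
		if (!d->buf)
			return -1; /* "dirty" mistaken for "full": NULL dereference */
		d->buf = NULL; /* buffer handed to the network stack */
		count++;
	}
	return count;
}

/* The commit's failure path: refill starved until cur_rx wraps onto dirty_rx.
 * Returns that poll's result, or, with recover=true and the fixed loop, the
 * count delivered once memory comes back (the held frame is not lost). */
static int run_starvation(bool fixed, bool recover)
{
	struct rx_queue q;
	int n;

	rx_queue_init(&q);
	q.allocs_left = 0;              /* memory starvation from the start */
	mac_receive(&q, RING_SIZE - 1); /* frames land in slots 0..6 */
	rx_poll(&q, 64, fixed);         /* all 7 delivered; slots 0..6 now dirty */
	rx_refill(&q);                  /* nothing re-armed: dirty_rx stays 0 */
	mac_receive(&q, 1);             /* slot 7 becomes full */
	n = rx_poll(&q, 64, fixed);     /* old: -1 (crash); fixed: 0 (frame held) */
	if (!recover || n < 0)
		return n;
	q.allocs_left = RING_SIZE;      /* memory pressure relieved */
	rx_refill(&q);                  /* slots 0..6 re-armed, dirty_rx == cur_rx */
	return rx_poll(&q, 64, fixed);  /* 1: slot 7 finally delivered */
}
```

With the old loop the second poll walks from slot 7 straight onto dirty slot 0 even though the clamp is in place, which is the case the earlier fix missed; the fixed loop holds slot 7 back and delivers it after the first successful refill.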

* [PATCH 6.6 412/474] tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (410 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 411/474] net: stmmac: Prevent NULL deref when RX memory exhausted Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 413/474] ALSA: hda: cs35l56: Propagate ASP TX source control errors Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mathieu Desnoyers,
	David Carlier, Steven Rostedt (Google), Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Carlier <devnexen@gmail.com>

[ Upstream commit fad217e16fded7f3c09f8637b0f6a224d58b5f2e ]

When a tracepoint goes through the 0 -> 1 transition, tracepoint_add_func()
invokes the subsystem's ext->regfunc() before attempting to install the
new probe via func_add(). If func_add() then fails (for example, when
allocate_probes() cannot allocate a new probe array under memory pressure
and returns -ENOMEM), the function returns the error without calling the
matching ext->unregfunc(), leaving the side effects of regfunc() behind
with no installed probe to justify them.

For syscall tracepoints this is particularly unpleasant: syscall_regfunc()
bumps sys_tracepoint_refcount and sets SYSCALL_TRACEPOINT on every task.
After a leaked failure, the refcount is stuck at a non-zero value with no
consumer, and every task continues paying the syscall trace entry/exit
overhead until reboot. Other subsystems providing regfunc()/unregfunc()
pairs exhibit similarly scoped persistent state.

Mirror the existing 1 -> 0 cleanup and call ext->unregfunc() in the
func_add() error path, gated on the same condition used there so the
unwind is symmetric with the registration.

Fixes: 8cf868affdc4 ("tracing: Have the reg function allow to fail")
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Link: https://patch.msgid.link/20260413190601.21993-1-devnexen@gmail.com
Signed-off-by: David Carlier <devnexen@gmail.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
[ changed `tp->ext->unregfunc` to `tp->unregfunc` to match older struct layout ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/tracepoint.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/kernel/tracepoint.c
+++ b/kernel/tracepoint.c
@@ -337,6 +337,8 @@ static int tracepoint_add_func(struct tr
 			lockdep_is_held(&tracepoints_mutex));
 	old = func_add(&tp_funcs, func, prio);
 	if (IS_ERR(old)) {
+		if (tp->unregfunc && !static_key_enabled(&tp->key))
+			tp->unregfunc();
 		WARN_ON_ONCE(warn && PTR_ERR(old) != -ENOMEM);
 		return PTR_ERR(old);
 	}
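Review bot: the unwind sits before WARN_ON_ONCE(), which is the right order (undo first, then complain), and the `!static_key_enabled(&tp->key)` gate matches the condition under which regfunc() was invoked for the 0 -> 1 transition. Two small requests: a comment on the two new lines saying they balance the earlier regfunc() call, since the error path otherwise reads as if unregfunc() were unrelated to func_add(); and a sentence in the commit message that the backport's `tp->unregfunc` carries the same NULL-means-absent semantics as upstream's `tp->ext->unregfunc`, because the bracketed backport note only mentions the struct layout.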



^ permalink raw reply	[flat|nested] 476+ messages in thread
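The leaked regfunc() side effect and the mirrored unwind described in the commit message above, as an added userspace model (not kernel code and not the patch): a tracepoint carrying the syscall regfunc/unregfunc pair, a func_add() that fails with -ENOMEM on demand, and a switch between the pre-fix and the balanced error path so the stuck refcount is observable. Names, the flattened struct, the `inject_enomem` hook and the `key_enabled` stand-in for static_key_enabled() are assumptions of the model.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-in for sys_tracepoint_refcount and the syscall reg/unreg pair. */
static int sys_tracepoint_refcount;
static int syscall_regfunc(void) { sys_tracepoint_refcount++; return 0; }
static void syscall_unregfunc(void) { sys_tracepoint_refcount--; }

struct tracepoint {
	int (*regfunc)(void);
	void (*unregfunc)(void);
	bool key_enabled; /* stands in for static_key_enabled(&tp->key) */
	int nr_funcs;     /* number of installed probes */
};

static bool inject_enomem; /* makes the func_add() model fail like allocate_probes() */

/* func_add() model: install one more probe, or fail with -ENOMEM on demand. */
static int func_add(struct tracepoint *tp)
{
	if (inject_enomem)
		return -ENOMEM;
	tp->nr_funcs++;
	return 0;
}

/* tracepoint_add_func() model.  On the 0 -> 1 transition regfunc() runs before
 * func_add(); `balanced` selects whether the patch's unwind is present. */
static int tracepoint_add_func(struct tracepoint *tp, bool balanced)
{
	int ret;

	if (tp->regfunc && !tp->key_enabled) {
		ret = tp->regfunc();
		if (ret < 0)
			return ret;
	}
	ret = func_add(tp);
	if (ret < 0) {
		if (balanced && tp->unregfunc && !tp->key_enabled)
			tp->unregfunc(); /* the patch: undo regfunc() on failure */
		return ret;          /* pre-fix: regfunc() side effects leak here */
	}
	tp->key_enabled = true;
	return 0;
}

/* tracepoint_remove_func() model: the existing 1 -> 0 cleanup the patch mirrors. */
static void tracepoint_remove_func(struct tracepoint *tp)
{
	if (tp->nr_funcs == 0)
		return;
	if (--tp->nr_funcs == 0) {
		tp->key_enabled = false;
		if (tp->unregfunc)
			tp->unregfunc();
	}
}

/* One failed 0 -> 1 registration, then a successful register/unregister cycle.
 * Returns the final refcount: 0 when balanced, 1 (stuck for good) otherwise. */
static int refcount_after_failed_add(bool balanced)
{
	struct tracepoint tp = { syscall_regfunc, syscall_unregfunc, false, 0 };

	sys_tracepoint_refcount = 0;
	inject_enomem = true;
	tracepoint_add_func(&tp, balanced); /* -ENOMEM from func_add() */
	inject_enomem = false;
	tracepoint_add_func(&tp, balanced); /* a later consumer registers... */
	tracepoint_remove_func(&tp);        /* ...and unregisters again */
	return sys_tracepoint_refcount;
}
```

In the unbalanced run the refcount ends at 1 with no probe installed, which is the "every task keeps paying the syscall trace overhead" state from the commit message; the balanced run returns to 0.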

* [PATCH 6.6 413/474] ALSA: hda: cs35l56: Propagate ASP TX source control errors
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (411 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 412/474] tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func() Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 414/474] ALSA: misc: Use guard() for spin locks Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Cássio Gabriel,
	Richard Fitzgerald, Takashi Iwai, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

[ Upstream commit 0faacc0841d66f3cf51989c10a83f3a82d52ff2c ]

cs35l56_hda_mixer_get() ignores regmap_read() and
cs35l56_hda_mixer_put() ignores regmap_update_bits_check().

This makes the ASP TX source controls report success when a regmap
access fails. The write path returns no change instead of an error,
and the read path continues after a failed read instead of aborting
the control callback.

Propagate the regmap errors, matching the posture and volume controls
in this driver.

Fixes: 73cfbfa9caea ("ALSA: hda/cs35l56: Add driver for Cirrus Logic CS35L56 amplifier")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Reviewed-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260423-alsa-cs35l56-asp-tx-source-errors-v1-1-17ea7c62ec31@gmail.com
[ adjusted path to sound/pci/hda/ and dropped cs35l56_hda_wait_dsp_ready() context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/pci/hda/cs35l56_hda.c |   19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

--- a/sound/pci/hda/cs35l56_hda.c
+++ b/sound/pci/hda/cs35l56_hda.c
@@ -176,9 +176,13 @@ static int cs35l56_hda_mixer_get(struct
 {
 	struct cs35l56_hda *cs35l56 = snd_kcontrol_chip(kcontrol);
 	unsigned int reg_val;
-	int i;
+	int i, ret;
+
+	ret = regmap_read(cs35l56->base.regmap, kcontrol->private_value,
+			  &reg_val);
+	if (ret)
+		return ret;
 
-	regmap_read(cs35l56->base.regmap, kcontrol->private_value, &reg_val);
 	reg_val &= CS35L56_ASP_TXn_SRC_MASK;
 
 	for (i = 0; i < CS35L56_NUM_INPUT_SRC; ++i) {
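Review bot: besides propagating the error, this hunk closes a read of uninitialised stack memory: `reg_val` was never assigned when regmap_read() failed, yet the old code masked it with CS35L56_ASP_TXn_SRC_MASK and fed the undefined value into the source-table lookup in the loop below. That is worth a sentence in the commit message, since it is a stronger reason for the stable backport than "report success on failure".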
@@ -197,13 +201,18 @@ static int cs35l56_hda_mixer_put(struct
 	struct cs35l56_hda *cs35l56 = snd_kcontrol_chip(kcontrol);
 	unsigned int item = ucontrol->value.enumerated.item[0];
 	bool changed;
+	int ret;
 
 	if (item >= CS35L56_NUM_INPUT_SRC)
 		return -EINVAL;
 
-	regmap_update_bits_check(cs35l56->base.regmap, kcontrol->private_value,
-				 CS35L56_INPUT_MASK, cs35l56_tx_input_values[item],
-				 &changed);
+	ret = regmap_update_bits_check(cs35l56->base.regmap,
+				       kcontrol->private_value,
+				       CS35L56_INPUT_MASK,
+				       cs35l56_tx_input_values[item],
+				       &changed);
+	if (ret)
+		return ret;
 
 	return changed;
 }



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 414/474] ALSA: misc: Use guard() for spin locks
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (412 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 413/474] ALSA: hda: cs35l56: Propagate ASP TX source control errors Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 415/474] ALSA: core: Serialize deferred fasync state checks Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

[ Upstream commit b8e1684163ae52db90f428965bd9aaff7205c02e ]

Clean up the code using guard() for spin locks.

Merely code refactoring, and no behavior change.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20250829151335.7342-20-tiwai@suse.de
Stable-dep-of: 5337213381df ("ALSA: core: Serialize deferred fasync state checks")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/core/misc.c |   25 ++++++++++---------------
 1 file changed, 10 insertions(+), 15 deletions(-)

--- a/sound/core/misc.c
+++ b/sound/core/misc.c
@@ -202,35 +202,30 @@ int snd_fasync_helper(int fd, struct fil
 		INIT_LIST_HEAD(&fasync->list);
 	}
 
-	spin_lock_irq(&snd_fasync_lock);
-	if (*fasyncp) {
-		kfree(fasync);
-		fasync = *fasyncp;
-	} else {
-		if (!fasync) {
-			spin_unlock_irq(&snd_fasync_lock);
-			return 0;
+	scoped_guard(spinlock_irq, &snd_fasync_lock) {
+		if (*fasyncp) {
+			kfree(fasync);
+			fasync = *fasyncp;
+		} else {
+			if (!fasync)
+				return 0;
+			*fasyncp = fasync;
 		}
-		*fasyncp = fasync;
+		fasync->on = on;
 	}
-	fasync->on = on;
-	spin_unlock_irq(&snd_fasync_lock);
 	return fasync_helper(fd, file, on, &fasync->fasync);
 }
 EXPORT_SYMBOL_GPL(snd_fasync_helper);
 
 void snd_kill_fasync(struct snd_fasync *fasync, int signal, int poll)
 {
-	unsigned long flags;
-
 	if (!fasync || !fasync->on)
 		return;
-	spin_lock_irqsave(&snd_fasync_lock, flags);
+	guard(spinlock_irqsave)(&snd_fasync_lock);
 	fasync->signal = signal;
 	fasync->poll = poll;
 	list_move(&fasync->list, &snd_fasync_list);
 	schedule_work(&snd_fasync_work);
-	spin_unlock_irqrestore(&snd_fasync_lock, flags);
 }
 EXPORT_SYMBOL_GPL(snd_kill_fasync);
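Review bot: the `return 0` inside scoped_guard(spinlock_irq, ...) relies on the guard's cleanup to drop snd_fasync_lock, so removing the explicit spin_unlock_irq() on that path is not a lock leak, and `fasync->on = on` is still written under the lock as before. In snd_kill_fasync() the guard(spinlock_irqsave) now holds the lock until the closing brace, which is the same span the old spin_unlock_irqrestore() covered (nothing follows schedule_work()), so the "no behavior change" claim checks out. A note in the commit message that the early-return path was verified would help stable reviewers who cannot assume familiarity with guard semantics.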
 



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 415/474] ALSA: core: Serialize deferred fasync state checks
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (413 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 414/474] ALSA: misc: Use guard() for spin locks Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 416/474] ALSA: seq: Notify client and port info changes Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

[ Upstream commit 5337213381df578058e2e41da93cbd0e4639935f ]

snd_fasync_helper() updates fasync->on under snd_fasync_lock, and
snd_fasync_work_fn() now also evaluates fasync->on under the same
lock. snd_kill_fasync() still tests the flag before taking the lock,
leaving an unsynchronized read against FASYNC enable/disable updates.

Move the enabled-state check into the locked section.

Also clear fasync->on under snd_fasync_lock in snd_fasync_free()
before unlinking the pending entry. Together with the locked sender-side
check, this publishes teardown before flushing the deferred work and
prevents a racing sender from requeueing the entry after free has
started.

Fixes: ef34a0ae7a26 ("ALSA: core: Add async signal helpers")
Fixes: 8146cd333d23 ("ALSA: core: Fix potential data race at fasync handling")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260506-alsa-core-fasync-on-lock-v1-1-ea48c77d6ca4@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/core/misc.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/sound/core/misc.c
+++ b/sound/core/misc.c
@@ -219,9 +219,11 @@ EXPORT_SYMBOL_GPL(snd_fasync_helper);
 
 void snd_kill_fasync(struct snd_fasync *fasync, int signal, int poll)
 {
-	if (!fasync || !fasync->on)
+	if (!fasync)
 		return;
 	guard(spinlock_irqsave)(&snd_fasync_lock);
+	if (!fasync->on)
+		return;
 	fasync->signal = signal;
 	fasync->poll = poll;
 	list_move(&fasync->list, &snd_fasync_list);
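Review bot: moving the `fasync->on` test under the lock means every snd_kill_fasync() call now takes snd_fasync_lock even when async notification is disabled for that stream; correct, and required for the race described, but since the irqsave guard shows this runs from interrupt-disabled paths, the commit message might mention the small added cost on the disabled case. The NULL check staying outside the lock is fine as `fasync` itself is not what the lock protects.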
@@ -234,8 +236,10 @@ void snd_fasync_free(struct snd_fasync *
 	if (!fasync)
 		return;
 
-	scoped_guard(spinlock_irq, &snd_fasync_lock)
+	scoped_guard(spinlock_irq, &snd_fasync_lock) {
+		fasync->on = 0;
 		list_del_init(&fasync->list);
+	}
 
 	flush_work(&snd_fasync_work);
 	kfree(fasync);
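Review bot: clearing `fasync->on` under the lock before list_del_init(), and only then flush_work(), is the right ordering for the race the commit message describes: a sender that takes the lock after this block sees `on == 0` and returns early, so nothing can requeue the entry between flush_work() and kfree(). A short comment at this site that `on = 0` is the publish step would help, because without it a future reader may take the assignment as redundant with the list removal and drop it.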



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 416/474] ALSA: seq: Notify client and port info changes
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (414 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 415/474] ALSA: core: Serialize deferred fasync state checks Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 417/474] ALSA: seq: Fix UMP group 16 filtering Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mark Lentczner, Takashi Iwai,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

[ Upstream commit b8e49e24cdba27a0810a0988e810e2c68f2033cb ]

It was supposed to be notified when a sequencer client info and a port
info has changed (via SNDRV_SEQ_EVENT_CLIENT_CHANGE and
SNDRV_SEQ_EVENT_PORT_CHANGE event, respectively), and there are
already helper functions.  But those aren't really sent from the
driver so far, except for the recent support of UMP, simply due to the
lack of implementations.

This patch adds the missing notifications at updating the client and
the port info.  The formerly added notification for UMP is dropped
because it's handled now in the port info side.

Reported-by: Mark Lentczner <mark@glyphic.com>
Link: https://lore.kernel.org/CAPnksqRok7xGa4bxq9WWimVV=28-7_j628OmrWLS=S0=hzaTHQ@mail.gmail.com
Link: https://patch.msgid.link/20241128074734.32165-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Stable-dep-of: 92429ca999db ("ALSA: seq: Fix UMP group 16 filtering")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/core/seq/seq_clientmgr.c  |    7 +++++++
 sound/core/seq/seq_ump_client.c |    2 --
 2 files changed, 7 insertions(+), 2 deletions(-)

--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -1334,6 +1334,10 @@ static int snd_seq_ioctl_set_client_info
 		client->midi_version = client_info->midi_version;
 	memcpy(client->event_filter, client_info->event_filter, 32);
 	client->group_filter = client_info->group_filter;
+
+	/* notify the change */
+	snd_seq_system_client_ev_client_change(client->number);
+
 	return 0;
 }
 
@@ -1457,6 +1461,9 @@ static int snd_seq_ioctl_set_port_info(s
 	if (port) {
 		snd_seq_set_port_info(port, info);
 		snd_seq_port_unlock(port);
+		/* notify the change */
+		snd_seq_system_client_ev_port_change(info->addr.client,
+						     info->addr.port);
 	}
 	return 0;
 }
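Review bot: the port-change notification is issued after snd_seq_port_unlock(), so it does not run with the port lock held; good. It is sent unconditionally, even when snd_seq_set_port_info() changed nothing (and the client-info hunk above behaves the same way), so repeated SET_PORT_INFO ioctls with identical data will fan out events to every subscriber of the system port; if that turns out to be noisy, a changed-check before the notify would be the follow-up.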
--- a/sound/core/seq/seq_ump_client.c
+++ b/sound/core/seq/seq_ump_client.c
@@ -273,8 +273,6 @@ static void update_port_infos(struct seq
 						new);
 		if (err < 0)
 			continue;
-		/* notify to system port */
-		snd_seq_system_client_ev_port_change(client->seq_client, i);
 	}
 }
 
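Review bot: removing this notification assumes the call whose `new)` argument closes just above this hunk ends up in snd_seq_ioctl_set_port_info(), which now emits SNDRV_SEQ_EVENT_PORT_CHANGE itself; if update_port_infos() updates the port through any other path, UMP port updates lose their notification entirely. A one-line comment here saying the event now comes from the SET_PORT_INFO handler would make that dependency visible.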



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 417/474] ALSA: seq: Fix UMP group 16 filtering
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (415 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 416/474] ALSA: seq: Notify client and port info changes Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 418/474] net: ipv4: stop checking crypto_ahash_alignmask Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

[ Upstream commit 92429ca999db99febced82f23362a71b2ba4c1d8 ]

The sequencer UAPI defines group_filter as an unsigned int bitmap.
Bit 0 filters groupless messages and bits 1-16 filter UMP groups 1-16.

The internal snd_seq_client storage is only unsigned short, so bit 16
is truncated when userspace sets the filter. The same truncation affects
the automatic UMP client filter used to avoid delivery to inactive
groups, so events for group 16 cannot be filtered.

Store the internal bitmap as unsigned int and keep both userspace-provided
and automatically generated values limited to the defined UAPI bits.

Fixes: d2b706077792 ("ALSA: seq: Add UMP group filter")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260506-alsa-seq-ump-group16-filter-v1-1-b75160bf6993@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/core/seq/seq_clientmgr.c  |    2 +-
 sound/core/seq/seq_clientmgr.h  |    5 ++++-
 sound/core/seq/seq_ump_client.c |    2 +-
 3 files changed, 6 insertions(+), 3 deletions(-)

--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -1333,7 +1333,7 @@ static int snd_seq_ioctl_set_client_info
 	if (client->user_pversion >= SNDRV_PROTOCOL_VERSION(1, 0, 3))
 		client->midi_version = client_info->midi_version;
 	memcpy(client->event_filter, client_info->event_filter, 32);
-	client->group_filter = client_info->group_filter;
+	client->group_filter = client_info->group_filter & SND_SEQ_GROUP_FILTER_MASK;
 
 	/* notify the change */
 	snd_seq_system_client_ev_client_change(client->number);
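Review bot: masking with SND_SEQ_GROUP_FILTER_MASK silently discards any bits above 16 instead of rejecting them with -EINVAL; that is the compatible choice for an existing ioctl, but the UAPI comment on group_filter should then state that undefined bits are ignored. With the mask in place bit 16 survives into the widened field, which is what actually fixes group 16.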
--- a/sound/core/seq/seq_clientmgr.h
+++ b/sound/core/seq/seq_clientmgr.h
@@ -14,6 +14,9 @@
 
 /* client manager */
 
+#define SND_SEQ_GROUP_FILTER_MASK	GENMASK(SNDRV_UMP_MAX_GROUPS, 0)
+#define SND_SEQ_GROUP_FILTER_GROUPS	GENMASK(SNDRV_UMP_MAX_GROUPS, 1)
+
 struct snd_seq_user_client {
 	struct file *file;	/* file struct of client */
 	/* ... */
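Review bot: GENMASK() needs <linux/bits.h> and SNDRV_UMP_MAX_GROUPS comes from the UAPI UMP header; neither include is visible in this hunk, so check the header's existing includes rather than relying on indirect inclusion. GENMASK(SNDRV_UMP_MAX_GROUPS, 0) is 17 bits wide (0x1ffff) and GENMASK(SNDRV_UMP_MAX_GROUPS, 1) is 0x1fffe, which matches the bit 0 = groupless, bits 1-16 = groups layout in the commit message.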
@@ -40,7 +43,7 @@ struct snd_seq_client {
 	int number;		/* client number */
 	unsigned int filter;	/* filter flags */
 	DECLARE_BITMAP(event_filter, 256);
-	unsigned short group_filter;
+	unsigned int group_filter;
 	snd_use_lock_t use_lock;
 	int event_lost;
 	/* ports */
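Review bot: widening group_filter is internal (struct snd_seq_client is not UAPI), but every reader of the field should be checked for a leftover 16-bit assumption, e.g. a copy back into an `unsigned short` or a delivery-time test that builds the group bit in a 16-bit type; the check must compute the bit as `1U << group` for group 16 to be honoured now that the field can hold it.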
--- a/sound/core/seq/seq_ump_client.c
+++ b/sound/core/seq/seq_ump_client.c
@@ -370,7 +370,7 @@ static void setup_client_group_filter(st
 	cptr = snd_seq_kernel_client_get(client->seq_client);
 	if (!cptr)
 		return;
-	filter = ~(1U << 0); /* always allow groupless messages */
+	filter = SND_SEQ_GROUP_FILTER_GROUPS; /* always allow groupless messages */
 	for (p = 0; p < SNDRV_UMP_MAX_GROUPS; p++) {
 		if (client->ump->groups[p].active)
 			filter &= ~(1U << (p + 1));
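Review bot: the `/* always allow groupless messages */` comment is now only half the story: SND_SEQ_GROUP_FILTER_GROUPS both keeps bit 0 clear and drops the undefined bits above 16 that the old `~(1U << 0)` set, so the comment should say so. Also confirm the local `filter` variable declared outside this hunk is unsigned int; if it is still unsigned short, the group 16 bit cleared by `filter &= ~(1U << (p + 1))` for p == 15 is lost before it reaches the client.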



^ permalink raw reply	[flat|nested] 476+ messages in thread
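The truncation the commit message describes is easy to see in a stand-alone model. The following C is an added example, not code from the thread or from sound/core/seq; it mirrors the two storage widths, the two masks the patch introduces (GENMASK re-implemented for 32 bits so the file builds without <linux/bits.h>) and the automatic filter loop from setup_client_group_filter(), and shows that with a 16-bit field the "filter group 16" bit is dropped both when userspace sets it and when the driver computes it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added stand-alone model of the ALSA sequencer group filter (not kernel
 * code). Bit 0 means "filter groupless messages", bit N (1..16) means
 * "filter UMP group N". SNDRV_UMP_MAX_GROUPS is the UAPI value; GENMASK32
 * is a 32-bit re-implementation of the kernel's GENMASK().
 */
#define SNDRV_UMP_MAX_GROUPS 16
#define GENMASK32(h, l) ((~0U >> (31 - (h))) & (~0U << (l)))
#define SND_SEQ_GROUP_FILTER_MASK   GENMASK32(SNDRV_UMP_MAX_GROUPS, 0) /* 0x1ffff */
#define SND_SEQ_GROUP_FILTER_GROUPS GENMASK32(SNDRV_UMP_MAX_GROUPS, 1) /* 0x1fffe */

/* Pre-patch and post-patch storage for struct snd_seq_client::group_filter. */
struct client_old { unsigned short group_filter; };
struct client_new { unsigned int   group_filter; };

/* Filter bit for group N (0 = groupless). */
static unsigned int group_bit(unsigned int group)
{
	return 1U << group;
}

/* SNDRV_SEQ_IOCTL_SET_CLIENT_INFO: what the kernel ends up storing. */
static unsigned int set_client_filter_old(unsigned int user_filter)
{
	struct client_old c = { .group_filter = (unsigned short)user_filter };

	return c.group_filter;		/* bit 16 silently truncated */
}

static unsigned int set_client_filter_new(unsigned int user_filter)
{
	struct client_new c = { .group_filter = user_filter & SND_SEQ_GROUP_FILTER_MASK };

	return c.group_filter;		/* bits 0..16 kept, undefined bits dropped */
}

/* Delivery-time test: a set bit means events for that group are dropped. */
static bool group_is_filtered(unsigned int stored_filter, unsigned int group)
{
	return (stored_filter & group_bit(group)) != 0;
}

/*
 * setup_client_group_filter(): block every group that is not active on the
 * UMP endpoint, always allow groupless messages. active_groups bit p set
 * means UMP group p+1 is active, the same indexing as the driver's loop.
 */
static unsigned int auto_filter_old(uint16_t active_groups)
{
	struct client_old c;
	unsigned int filter = ~(1U << 0);

	for (unsigned int p = 0; p < SNDRV_UMP_MAX_GROUPS; p++)
		if (active_groups & (1U << p))
			filter &= ~(1U << (p + 1));
	c.group_filter = (unsigned short)filter;	/* group 16 bit lost here */
	return c.group_filter;
}

static unsigned int auto_filter_new(uint16_t active_groups)
{
	struct client_new c;
	unsigned int filter = SND_SEQ_GROUP_FILTER_GROUPS;

	for (unsigned int p = 0; p < SNDRV_UMP_MAX_GROUPS; p++)
		if (active_groups & (1U << p))
			filter &= ~(1U << (p + 1));
	c.group_filter = filter;
	return c.group_filter;
}

int main(void)
{
	unsigned int want16 = group_bit(16);	/* userspace asks to filter group 16 */

	printf("set_client_info: old=0x%05x (filtered=%d) new=0x%05x (filtered=%d)\n",
	       set_client_filter_old(want16),
	       group_is_filtered(set_client_filter_old(want16), 16),
	       set_client_filter_new(want16),
	       group_is_filtered(set_client_filter_new(want16), 16));
	printf("auto filter, no active groups: old=0x%05x new=0x%05x\n",
	       auto_filter_old(0), auto_filter_new(0));
	return 0;
}
```

Both halves of the bug show up: the old ioctl path stores 0 for a request to filter only group 16, and the old automatic filter stores 0xfffe even when no group is active, so group 16 is never filtered. The new mask also bounds whatever userspace passes to the 17 defined bits.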

* [PATCH 6.6 418/474] net: ipv4: stop checking crypto_ahash_alignmask
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (416 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 417/474] ALSA: seq: Fix UMP group 16 filtering Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 419/474] net: ipv6: " Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Biggers, Herbert Xu,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

[ Upstream commit e77f5dd701381cef35b9ea8b6dea6e62c8a7f9f3 ]

Now that the alignmask for ahash and shash algorithms is always 0,
crypto_ahash_alignmask() always returns 0 and will be removed.  In
preparation for this, stop checking crypto_ahash_alignmask() in ah4.c.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Stable-dep-of: ec54093e6a8f ("xfrm: ah: account for ESN high bits in async callbacks")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/ah4.c |   17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

--- a/net/ipv4/ah4.c
+++ b/net/ipv4/ah4.c
@@ -27,9 +27,7 @@ static void *ah_alloc_tmp(struct crypto_
 {
 	unsigned int len;
 
-	len = size + crypto_ahash_digestsize(ahash) +
-	      (crypto_ahash_alignmask(ahash) &
-	       ~(crypto_tfm_ctx_alignment() - 1));
+	len = size + crypto_ahash_digestsize(ahash);
 
 	len = ALIGN(len, crypto_tfm_ctx_alignment());
 
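Review bot: dropping the alignmask term from `len` is only correct if every ahash the AH code can bind reports alignmask 0; the commit message says that now holds for all ahash/shash algorithms, and the ALIGN(len, crypto_tfm_ctx_alignment()) kept below still covers the request context that follows the ICV, so the buffer cannot get smaller than what ah_tmp_req() expects.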
@@ -46,10 +44,9 @@ static inline u8 *ah_tmp_auth(void *tmp,
 	return tmp + offset;
 }
 
-static inline u8 *ah_tmp_icv(struct crypto_ahash *ahash, void *tmp,
-			     unsigned int offset)
+static inline u8 *ah_tmp_icv(void *tmp, unsigned int offset)
 {
-	return PTR_ALIGN((u8 *)tmp + offset, crypto_ahash_alignmask(ahash) + 1);
+	return tmp + offset;
 }
 
 static inline struct ahash_request *ah_tmp_req(struct crypto_ahash *ahash,
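Review bot: with the PTR_ALIGN() gone, ah_tmp_icv() is now byte-for-byte the same as ah_tmp_auth() above it; keeping both names is fine for readability at the call sites, but the `void *` arithmetic in `return tmp + offset` relies on the GCC extension the kernel already uses in ah_tmp_auth(). All four callers are updated in the hunks below, so no stale three-argument call remains in ah4.c.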
@@ -129,7 +126,7 @@ static void ah_output_done(void *data, i
 	int ihl = ip_hdrlen(skb);
 
 	iph = AH_SKB_CB(skb)->tmp;
-	icv = ah_tmp_icv(ahp->ahash, iph, ihl);
+	icv = ah_tmp_icv(iph, ihl);
 	memcpy(ah->auth_data, icv, ahp->icv_trunc_len);
 
 	top_iph->tos = iph->tos;
@@ -182,7 +179,7 @@ static int ah_output(struct xfrm_state *
 	if (!iph)
 		goto out;
 	seqhi = (__be32 *)((char *)iph + ihl);
-	icv = ah_tmp_icv(ahash, seqhi, seqhi_len);
+	icv = ah_tmp_icv(seqhi, seqhi_len);
 	req = ah_tmp_req(ahash, icv);
 	sg = ah_req_sg(ahash, req);
 	seqhisg = sg + nfrags;
@@ -279,7 +276,7 @@ static void ah_input_done(void *data, in
 
 	work_iph = AH_SKB_CB(skb)->tmp;
 	auth_data = ah_tmp_auth(work_iph, ihl);
-	icv = ah_tmp_icv(ahp->ahash, auth_data, ahp->icv_trunc_len);
+	icv = ah_tmp_icv(auth_data, ahp->icv_trunc_len);
 
 	err = crypto_memneq(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG : 0;
 	if (err)
@@ -374,7 +371,7 @@ static int ah_input(struct xfrm_state *x
 
 	seqhi = (__be32 *)((char *)work_iph + ihl);
 	auth_data = ah_tmp_auth(seqhi, seqhi_len);
-	icv = ah_tmp_icv(ahash, auth_data, ahp->icv_trunc_len);
+	icv = ah_tmp_icv(auth_data, ahp->icv_trunc_len);
 	req = ah_tmp_req(ahash, icv);
 	sg = ah_req_sg(ahash, req);
 	seqhisg = sg + nfrags;



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 419/474] net: ipv6: stop checking crypto_ahash_alignmask
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (417 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 418/474] net: ipv4: stop checking crypto_ahash_alignmask Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 420/474] xfrm: ah: account for ESN high bits in async callbacks Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Biggers, Herbert Xu,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

[ Upstream commit 0a6bfaa0e695facb072f2fedfb55df37c4483b50 ]

Now that the alignmask for ahash and shash algorithms is always 0,
crypto_ahash_alignmask() always returns 0 and will be removed.  In
preparation for this, stop checking crypto_ahash_alignmask() in ah6.c.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Stable-dep-of: ec54093e6a8f ("xfrm: ah: account for ESN high bits in async callbacks")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/ah6.c |   17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

--- a/net/ipv6/ah6.c
+++ b/net/ipv6/ah6.c
@@ -79,9 +79,7 @@ static void *ah_alloc_tmp(struct crypto_
 {
 	unsigned int len;
 
-	len = size + crypto_ahash_digestsize(ahash) +
-	      (crypto_ahash_alignmask(ahash) &
-	       ~(crypto_tfm_ctx_alignment() - 1));
+	len = size + crypto_ahash_digestsize(ahash);
 
 	len = ALIGN(len, crypto_tfm_ctx_alignment());
 
@@ -103,10 +101,9 @@ static inline u8 *ah_tmp_auth(u8 *tmp, u
 	return tmp + offset;
 }
 
-static inline u8 *ah_tmp_icv(struct crypto_ahash *ahash, void *tmp,
-			     unsigned int offset)
+static inline u8 *ah_tmp_icv(void *tmp, unsigned int offset)
 {
-	return PTR_ALIGN((u8 *)tmp + offset, crypto_ahash_alignmask(ahash) + 1);
+	return tmp + offset;
 }
 
 static inline struct ahash_request *ah_tmp_req(struct crypto_ahash *ahash,
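Review bot: same observation as for ah4.c: ah_tmp_icv() collapses to `tmp + offset`, identical to ah_tmp_auth() just above it, and all callers in ah6.c are updated in this patch. Note that the ah6 functions compute the ICV position from different predecessors than ah4 does (see the ah6_input() hunk below), so the two files should be reviewed separately rather than assumed symmetric.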
@@ -327,7 +324,7 @@ static void ah6_output_done(void *data,
 
 	iph_base = AH_SKB_CB(skb)->tmp;
 	iph_ext = ah_tmp_ext(iph_base);
-	icv = ah_tmp_icv(ahp->ahash, iph_ext, extlen);
+	icv = ah_tmp_icv(iph_ext, extlen);
 
 	memcpy(ah->auth_data, icv, ahp->icv_trunc_len);
 	memcpy(top_iph, iph_base, IPV6HDR_BASELEN);
@@ -384,7 +381,7 @@ static int ah6_output(struct xfrm_state
 
 	iph_ext = ah_tmp_ext(iph_base);
 	seqhi = (__be32 *)((char *)iph_ext + extlen);
-	icv = ah_tmp_icv(ahash, seqhi, seqhi_len);
+	icv = ah_tmp_icv(seqhi, seqhi_len);
 	req = ah_tmp_req(ahash, icv);
 	sg = ah_req_sg(ahash, req);
 	seqhisg = sg + nfrags;
@@ -480,7 +477,7 @@ static void ah6_input_done(void *data, i
 
 	work_iph = AH_SKB_CB(skb)->tmp;
 	auth_data = ah_tmp_auth(work_iph, hdr_len);
-	icv = ah_tmp_icv(ahp->ahash, auth_data, ahp->icv_trunc_len);
+	icv = ah_tmp_icv(auth_data, ahp->icv_trunc_len);
 
 	err = crypto_memneq(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG : 0;
 	if (err)
@@ -588,7 +585,7 @@ static int ah6_input(struct xfrm_state *
 
 	auth_data = ah_tmp_auth((u8 *)work_iph, hdr_len);
 	seqhi = (__be32 *)(auth_data + ahp->icv_trunc_len);
-	icv = ah_tmp_icv(ahash, seqhi, seqhi_len);
+	icv = ah_tmp_icv(seqhi, seqhi_len);
 	req = ah_tmp_req(ahash, icv);
 	sg = ah_req_sg(ahash, req);
 	seqhisg = sg + nfrags;
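Review bot: this hunk documents a layout difference worth keeping in mind: on IPv6 input the order is auth_data, then seqhi (`seqhi = (__be32 *)(auth_data + ahp->icv_trunc_len)`), then the ICV (`icv = ah_tmp_icv(seqhi, seqhi_len)`), whereas ah4.c's ah_input() places seqhi before auth_data. Any completion callback that reconstructs this buffer must follow the same order, which is exactly what the ESN follow-up in this series has to get right for each file.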



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 420/474] xfrm: ah: account for ESN high bits in async callbacks
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (418 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 419/474] net: ipv6: " Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 421/474] xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Steffen Klassert,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

[ Upstream commit ec54093e6a8f87e800bb6aa15eb7fc1e33faa524 ]

AH allocates its temporary auth/ICV layout differently when ESN is enabled:
the async ahash setup appends a 4-byte seqhi slot before the ICV or
auth_data area, but the async completion callbacks still reconstruct the
temporary layout as if seqhi were absent.

With an async AH implementation selected, that makes AH copy or compare
the wrong bytes on both the IPv4 and IPv6 paths. In UML repro on IPv4 AH
with ESN and forced async hmac(sha1), ping fails with 100% packet loss,
and the callback logs show the pre-fix drift:

  ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24
  ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36

Reconstruct the callback-side layout the same way the setup path built it
by skipping the ESN seqhi slot before locating the saved auth_data or ICV.
Per RFC 4302, the ESN high-order 32 bits participate in the AH ICV
computation, so the async callbacks must account for the seqhi slot.

Post-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows
the corrected offset (ah4 output_done: esn=1 err=0 icv_off=24
expected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o
build clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the
change has not been tested against a real async hardware AH engine.

Fixes: d4d573d0334d ("{IPv4,xfrm} Add ESN support for AH egress part")
Fixes: d8b2a8600b0e ("{IPv4,xfrm} Add ESN support for AH ingress part")
Fixes: 26dd70c3fad3 ("{IPv6,xfrm} Add ESN support for AH egress part")
Fixes: 8d6da6f32557 ("{IPv6,xfrm} Add ESN support for AH ingress part")
Cc: stable@vger.kernel.org
Assisted-by: Codex:gpt-5-4
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/ah4.c |   14 ++++++++++++--
 net/ipv6/ah6.c |   14 ++++++++++++--
 2 files changed, 24 insertions(+), 4 deletions(-)

--- a/net/ipv4/ah4.c
+++ b/net/ipv4/ah4.c
@@ -124,9 +124,14 @@ static void ah_output_done(void *data, i
 	struct iphdr *top_iph = ip_hdr(skb);
 	struct ip_auth_hdr *ah = ip_auth_hdr(skb);
 	int ihl = ip_hdrlen(skb);
+	int seqhi_len = 0;
+	__be32 *seqhi;
 
+	if (x->props.flags & XFRM_STATE_ESN)
+		seqhi_len = sizeof(*seqhi);
 	iph = AH_SKB_CB(skb)->tmp;
-	icv = ah_tmp_icv(iph, ihl);
+	seqhi = (__be32 *)((char *)iph + ihl);
+	icv = ah_tmp_icv(seqhi, seqhi_len);
 	memcpy(ah->auth_data, icv, ahp->icv_trunc_len);
 
 	top_iph->tos = iph->tos;
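Review bot: this now mirrors ah_output(), which sets `seqhi = (__be32 *)((char *)iph + ihl)` and `icv = ah_tmp_icv(seqhi, seqhi_len)`; with ESN off seqhi_len stays 0 and the ICV is still read at `iph + ihl`, so the non-ESN path is unchanged. The `x` dereferenced in `x->props.flags` is not declared in the hunk and must be the xfrm_state already in scope in this callback; `seqhi` is used only for its address, so `sizeof(*seqhi)` deliberately matches the setup path instead of hard-coding 4.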
@@ -270,12 +275,17 @@ static void ah_input_done(void *data, in
 	struct ip_auth_hdr *ah = ip_auth_hdr(skb);
 	int ihl = ip_hdrlen(skb);
 	int ah_hlen = (ah->hdrlen + 2) << 2;
+	int seqhi_len = 0;
+	__be32 *seqhi;
 
 	if (err)
 		goto out;
 
+	if (x->props.flags & XFRM_STATE_ESN)
+		seqhi_len = sizeof(*seqhi);
 	work_iph = AH_SKB_CB(skb)->tmp;
-	auth_data = ah_tmp_auth(work_iph, ihl);
+	seqhi = (__be32 *)((char *)work_iph + ihl);
+	auth_data = ah_tmp_auth(seqhi, seqhi_len);
 	icv = ah_tmp_icv(auth_data, ahp->icv_trunc_len);
 
 	err = crypto_memneq(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG : 0;
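Review bot: the order seqhi, then auth_data, then icv matches ah_input()'s `auth_data = ah_tmp_auth(seqhi, seqhi_len)` followed by `icv = ah_tmp_icv(auth_data, ahp->icv_trunc_len)`. Before this change the crypto_memneq() below compared a window starting 4 bytes too early under ESN, which is consistent with the 100% packet loss the message reports; it would help stable triage to say explicitly in the message whether the observed effect was only this false reject or whether any path could accept a wrong ICV, since that decides how urgently distributions need to pick it up.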
--- a/net/ipv6/ah6.c
+++ b/net/ipv6/ah6.c
@@ -317,14 +317,19 @@ static void ah6_output_done(void *data,
 	struct ipv6hdr *top_iph = ipv6_hdr(skb);
 	struct ip_auth_hdr *ah = ip_auth_hdr(skb);
 	struct tmp_ext *iph_ext;
+	int seqhi_len = 0;
+	__be32 *seqhi;
 
 	extlen = skb_network_header_len(skb) - sizeof(struct ipv6hdr);
 	if (extlen)
 		extlen += sizeof(*iph_ext);
 
+	if (x->props.flags & XFRM_STATE_ESN)
+		seqhi_len = sizeof(*seqhi);
 	iph_base = AH_SKB_CB(skb)->tmp;
 	iph_ext = ah_tmp_ext(iph_base);
-	icv = ah_tmp_icv(iph_ext, extlen);
+	seqhi = (__be32 *)((char *)iph_ext + extlen);
+	icv = ah_tmp_icv(seqhi, seqhi_len);
 
 	memcpy(ah->auth_data, icv, ahp->icv_trunc_len);
 	memcpy(top_iph, iph_base, IPV6HDR_BASELEN);
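Review bot: matches ah6_output(), where `seqhi = (__be32 *)((char *)iph_ext + extlen)` precedes the ICV; extlen already includes `sizeof(*iph_ext)` when extension headers are present (the `if (extlen)` block above), and the seqhi offset is taken after that adjustment in both setup and callback, so the two stay consistent. Since the message says IPv6 AH+ESN was not exercised at runtime, a UML run like the IPv4 one with a forced async hmac over IPv6 would be worth doing before this is applied to stable.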
@@ -471,13 +476,18 @@ static void ah6_input_done(void *data, i
 	struct ip_auth_hdr *ah = ip_auth_hdr(skb);
 	int hdr_len = skb_network_header_len(skb);
 	int ah_hlen = ipv6_authlen(ah);
+	int seqhi_len = 0;
+	__be32 *seqhi;
 
 	if (err)
 		goto out;
 
+	if (x->props.flags & XFRM_STATE_ESN)
+		seqhi_len = sizeof(*seqhi);
 	work_iph = AH_SKB_CB(skb)->tmp;
 	auth_data = ah_tmp_auth(work_iph, hdr_len);
-	icv = ah_tmp_icv(auth_data, ahp->icv_trunc_len);
+	seqhi = (__be32 *)(auth_data + ahp->icv_trunc_len);
+	icv = ah_tmp_icv(seqhi, seqhi_len);
 
 	err = crypto_memneq(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG : 0;
 	if (err)
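Review bot: the IPv6 input order is deliberately different from IPv4: auth_data comes first at `work_iph + hdr_len`, seqhi follows it at `auth_data + ahp->icv_trunc_len`, and the ICV sits after seqhi, which is how ah6_input() builds the buffer. A one-line comment here saying the order intentionally differs from ah4.c would stop a future cleanup from "harmonising" the two callbacks and reintroducing the drift this patch removes.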



^ permalink raw reply	[flat|nested] 476+ messages in thread
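The offsets quoted in the commit message can be reproduced from the layout rules alone. The C below is an added example, not kernel code or code from this thread; it models the IPv4 AH temporary buffer as ah_output()/ah_input() build it and as the completion callbacks walk it before and after the patch, then simulates the input-side crypto_memneq() over a constructed ICV. ihl = 20 and icv_trunc_len = 12 (hmac(sha1)-96) are assumed inputs chosen to match the message's numbers.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Added stand-alone model of the IPv4 AH temporary buffer (not kernel code).
 * Relative to AH_SKB_CB(skb)->tmp the setup side lays the buffer out as
 *   [iph copy: ihl][seqhi: 4 bytes if ESN][auth_data: input only][icv]
 * and the completion callbacks must walk the same layout.
 */
struct ah4_layout {
	unsigned int seqhi_off;	/* ESN high 32 bits, meaningful only if esn */
	unsigned int auth_off;	/* packet's auth_data saved for the compare */
	unsigned int icv_off;	/* ICV produced by the ahash request */
};

static unsigned int seqhi_len(bool esn)
{
	return esn ? 4 : 0;
}

/* ah_output(): the ICV follows the optional seqhi slot. */
static struct ah4_layout output_setup(unsigned int ihl, bool esn)
{
	struct ah4_layout l = { .seqhi_off = ihl, .auth_off = 0 };

	l.icv_off = ihl + seqhi_len(esn);
	return l;
}

/* ah_output_done(): before the patch it skipped the seqhi slot; now it does not. */
static struct ah4_layout output_done(unsigned int ihl, bool esn, bool patched)
{
	struct ah4_layout l = { .seqhi_off = ihl, .auth_off = 0 };

	l.icv_off = ihl + (patched ? seqhi_len(esn) : 0);
	return l;
}

/* ah_input(): seqhi, then the saved auth_data, then the ICV. */
static struct ah4_layout input_setup(unsigned int ihl, unsigned int icv_trunc_len, bool esn)
{
	struct ah4_layout l = { .seqhi_off = ihl };

	l.auth_off = ihl + seqhi_len(esn);
	l.icv_off = l.auth_off + icv_trunc_len;
	return l;
}

/* ah_input_done(): the same walk, with or without the seqhi correction. */
static struct ah4_layout input_done(unsigned int ihl, unsigned int icv_trunc_len,
				    bool esn, bool patched)
{
	struct ah4_layout l = { .seqhi_off = ihl };

	l.auth_off = ihl + (patched ? seqhi_len(esn) : 0);
	l.icv_off = l.auth_off + icv_trunc_len;
	return l;
}

/*
 * Simulate crypto_memneq(icv, auth_data, icv_trunc_len) on input: the setup
 * side stores a constructed ICV at the packet's auth_data slot and the same
 * bytes (a genuine packet) at the hash-result slot; the callback compares at
 * the offsets it believes in. Returns true if the genuine packet is accepted.
 */
static bool input_accepts_genuine(unsigned int ihl, unsigned int icv_trunc_len,
				  bool esn, bool patched)
{
	unsigned char tmp[128], icv[16];
	struct ah4_layout s = input_setup(ihl, icv_trunc_len, esn);
	struct ah4_layout d = input_done(ihl, icv_trunc_len, esn, patched);

	if (icv_trunc_len > sizeof(icv) || s.icv_off + icv_trunc_len > sizeof(tmp))
		return false;
	memset(tmp, 0, sizeof(tmp));
	for (unsigned int i = 0; i < icv_trunc_len; i++)
		icv[i] = (unsigned char)(0xa0 + i);	/* constructed ICV bytes */
	memcpy(tmp + s.auth_off, icv, icv_trunc_len);	/* copied from the packet */
	memcpy(tmp + s.icv_off, icv, icv_trunc_len);	/* written by the ahash */
	return memcmp(tmp + d.icv_off, tmp + d.auth_off, icv_trunc_len) == 0;
}

int main(void)
{
	printf("ah4 output_done: esn=1 icv_off=%u expected_off=%u (pre-fix)\n",
	       output_done(20, true, false).icv_off, output_setup(20, true).icv_off);
	printf("ah4 input_done:  esn=1 auth_off=%u expected_auth_off=%u icv_off=%u expected_icv_off=%u (pre-fix)\n",
	       input_done(20, 12, true, false).auth_off, input_setup(20, 12, true).auth_off,
	       input_done(20, 12, true, false).icv_off, input_setup(20, 12, true).icv_off);
	printf("genuine packet accepted: pre-fix=%d post-fix=%d\n",
	       input_accepts_genuine(20, 12, true, false), input_accepts_genuine(20, 12, true, true));
	return 0;
}
```

The pre-fix numbers (20 vs 24, 32 vs 36) are the ones in the commit message's debug output; without ESN the two walks coincide and nothing changes, which is why the bug only surfaced with ESN and an async hash.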

* [PATCH 6.6 421/474] xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (419 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 420/474] xfrm: ah: account for ESN high bits in async callbacks Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 422/474] Bluetooth: hci_conn: fix potential UAF in create_big_sync Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michal Kosiorek, Steffen Klassert,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michal Kosiorek <mkosiorek121@gmail.com>

[ Upstream commit 14acf9652e5690de3c7486c6db5fb8dafd0a32a3 ]

KASAN reproduces a slab-use-after-free in __xfrm_state_delete()'s
hlist_del_rcu calls under syzkaller load on linux-6.12.y stable
(reproduced on 6.12.47, also reachable via the same code path on
torvalds/master and on the ipsec tree). Nine unique signatures cluster
in the xfrm_state lifecycle, the load-bearing one being:

  BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline]
  BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline]
  BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c
  Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435

  Workqueue: netns cleanup_net
  Call Trace:
   __hlist_del / hlist_del_rcu
   __xfrm_state_delete
   xfrm_state_delete
   xfrm_state_flush
   xfrm_state_fini
   ops_exit_list
   cleanup_net

The other observed signatures hit the same slab object from
__xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB
write variant of __xfrm_state_delete, all on the byseq/byspi
hash chains.

__xfrm_state_delete() guards its byseq and byspi unhashes with
value-based predicates:

	if (x->km.seq)
		hlist_del_rcu(&x->byseq);
	if (x->id.spi)
		hlist_del_rcu(&x->byspi);

while everywhere else in the file (e.g. state_cache, state_cache_input)
the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets
x->id.spi = newspi inside xfrm_state_lock and then immediately inserts
into byspi, but a path that observes x->id.spi != 0 outside of
xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently
with whether x is actually on the list. The same holds for x->km.seq
versus byseq, and the bydst/bysrc unhashes have no predicate at all,
so a second __xfrm_state_delete() on the same object writes through
LIST_POISON pprev.

The defensive change here:

  - Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst,
    bysrc, byseq and byspi so a second deletion is a no-op rather
    than a write through LIST_POISON pprev. The byseq/byspi nodes
    are already initialised in xfrm_state_alloc().
  - Test hlist_unhashed() rather than the value predicate for
    byseq/byspi, so the unhash decision tracks list state rather than
    mutable scalar fields.

Empirical verification: applied this patch on top of v6.12.47, rebuilt,
and re-ran the same syzkaller harness for 1h16m on a previously-crashy
configuration that produced ~100 hits each of slab-use-after-free
Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in
__xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at
~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo
confirms the xfrm_state slab is actively allocated and freed during
the run (~143 KiB resident), so the fuzzer is still exercising those
code paths -- they just no longer crash.

Reproduction:

  - Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV
  - syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db
  - 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal
  - 9 unique signatures collected in ~9h, all within xfrm_state
    lifecycle

Fixes: fe9f1d8779cb ("xfrm: add state hashtable keyed by seq")
Fixes: 7b4dc3600e48 ("[XFRM]: Do not add a state whose SPI is zero to the SPI hash.")
Reported-by: Michal Kosiorek <mkosiorek121@gmail.com>
Tested-by: Michal Kosiorek <mkosiorek121@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Michal Kosiorek <mkosiorek121@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
[ dropped state_cache/state_cache_input unhash hunks and xfrm_nat_keepalive_state_updated() call ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/xfrm/xfrm_state.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -752,12 +752,12 @@ int __xfrm_state_delete(struct xfrm_stat
 		x->km.state = XFRM_STATE_DEAD;
 		spin_lock(&net->xfrm.xfrm_state_lock);
 		list_del(&x->km.all);
-		hlist_del_rcu(&x->bydst);
-		hlist_del_rcu(&x->bysrc);
-		if (x->km.seq)
-			hlist_del_rcu(&x->byseq);
-		if (x->id.spi)
-			hlist_del_rcu(&x->byspi);
+		hlist_del_init_rcu(&x->bydst);
+		hlist_del_init_rcu(&x->bysrc);
+		if (!hlist_unhashed(&x->byseq))
+			hlist_del_init_rcu(&x->byseq);
+		if (!hlist_unhashed(&x->byspi))
+			hlist_del_init_rcu(&x->byspi);
 		net->xfrm.state_num--;
 		spin_unlock(&net->xfrm.xfrm_state_lock);
 
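Review bot: hlist_del_init_rcu() turns a second pass through this block into a no-op (it checks hlist_unhashed() before unlinking and leaves `next` intact for RCU readers), and testing hlist_unhashed(&x->byseq) instead of `x->km.seq` is the right predicate since insertion, not the scalar, is what should decide unlinking. But a KASAN slab-use-after-free on the byseq/byspi chains means the object was freed while still linked, and nothing here prevents that free; the `x->km.state = XFRM_STATE_DEAD` line kept above is already the guard against a second __xfrm_state_delete(), so the message should describe this as hardening that stops the poison write rather than as the root-cause fix. Also confirm bydst/bysrc are INIT_HLIST_NODE'd in xfrm_state_alloc() as the message says byseq/byspi are; hlist_del_init_rcu() on a zeroed node is a no-op only because pprev == NULL reads as unhashed.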



^ permalink raw reply	[flat|nested] 476+ messages in thread
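The two primitives the patch swaps behave differently on a repeated or a never-inserted node, which is the whole argument of the commit message. The C below is an added stand-alone model, not kernel code and not from this thread: it re-implements just enough of hlist to show the difference, with a stand-in poison value, and instead of performing the write through a poisoned or NULL pprev (the KASAN-visible write in the kernel) it returns an error code so both scenarios can be observed safely.

```c
#include <stdbool.h>
#include <stddef.h>

/*
 * Added stand-alone model of the hlist primitives this patch switches between
 * (not kernel code). hlist_del_rcu() unlinks unconditionally and poisons
 * pprev; hlist_del_init_rcu() unlinks only a hashed node and leaves pprev
 * NULL. LIST_POISON2 is a local stand-in for the kernel's poison constant.
 */
struct hlist_node { struct hlist_node *next, **pprev; };
struct hlist_head { struct hlist_node *first; };

static struct hlist_node *poison_slot;
#define LIST_POISON2 (&poison_slot)

enum del_result { DEL_OK = 0, DEL_POISON_WRITE = -1, DEL_NULL_PPREV = -2 };

static void INIT_HLIST_NODE(struct hlist_node *n) { n->next = NULL; n->pprev = NULL; }
static bool hlist_unhashed(const struct hlist_node *n) { return n->pprev == NULL; }

static void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
{
	n->next = h->first;
	if (h->first)
		h->first->pprev = &n->next;
	h->first = n;
	n->pprev = &h->first;
}

/* __hlist_del() with the two fatal writes detected instead of performed. */
static enum del_result __hlist_del(struct hlist_node *n)
{
	if (n->pprev == LIST_POISON2)
		return DEL_POISON_WRITE;	/* second delete of a deleted node */
	if (n->pprev == NULL)
		return DEL_NULL_PPREV;		/* node was never inserted */
	*n->pprev = n->next;
	if (n->next)
		n->next->pprev = n->pprev;
	return DEL_OK;
}

/* Old primitive: unlink, then poison. A repeat call hits the poison. */
static enum del_result hlist_del_rcu(struct hlist_node *n)
{
	enum del_result r = __hlist_del(n);

	if (r == DEL_OK)
		n->pprev = LIST_POISON2;
	return r;
}

/* New primitive: no-op when unhashed, otherwise unlink and re-init pprev. */
static enum del_result hlist_del_init_rcu(struct hlist_node *n)
{
	enum del_result r;

	if (hlist_unhashed(n))
		return DEL_OK;
	r = __hlist_del(n);
	if (r == DEL_OK)
		n->pprev = NULL;
	return r;
}

/* Minimal xfrm_state stand-in: the scalar key plus its byspi chain node. */
struct state { unsigned int spi; struct hlist_node byspi; };

/* Pre-patch byspi branch: decide by the value, delete with hlist_del_rcu(). */
static enum del_result delete_byspi_old(struct state *x)
{
	return x->spi ? hlist_del_rcu(&x->byspi) : DEL_OK;
}

/* Post-patch byspi branch: decide by list state, delete with _init_rcu(). */
static enum del_result delete_byspi_new(struct state *x)
{
	return hlist_unhashed(&x->byspi) ? DEL_OK : hlist_del_init_rcu(&x->byspi);
}

/* Scenario 1: the same inserted state deleted twice; returns the second result. */
static enum del_result double_delete(enum del_result (*del)(struct state *))
{
	struct hlist_head head = { NULL };
	struct state x = { .spi = 0x1234 };
	enum del_result first;

	INIT_HLIST_NODE(&x.byspi);
	hlist_add_head(&x.byspi, &head);
	first = del(&x);
	return first != DEL_OK ? first : del(&x);
}

/* Scenario 2: spi already assigned but the node never reached the chain. */
static enum del_result delete_uninserted(enum del_result (*del)(struct state *))
{
	struct state x = { .spi = 0x1234 };

	INIT_HLIST_NODE(&x.byspi);
	return del(&x);
}
```

Scenario 1 is the double-delete the message describes (old: write through poison; new: no-op), and scenario 2 is the value-predicate problem (old: `x->id.spi != 0` triggers an unlink of a node that is not on any list; new: hlist_unhashed() skips it). Neither scenario explains how the object came to be freed while linked, which is the caveat raised in the review note above.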

* [PATCH 6.6 422/474] Bluetooth: hci_conn: fix potential UAF in create_big_sync
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (420 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 421/474] xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 423/474] spi: synquacer: switch to use modern name Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz,
	David Carlier, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Carlier <devnexen@gmail.com>

[ Upstream commit 0beddb0c380bed5f5b8e61ddbe14635bb73d0b41 ]

Add hci_conn_valid() check in create_big_sync() to detect stale
connections before proceeding with BIG creation. Handle the
resulting -ECANCELED in create_big_complete() and re-validate the
connection under hci_dev_lock() before dereferencing, matching the
pattern used by create_le_conn_complete() and create_pa_complete().

Keep the hci_conn object alive across the async boundary by taking
a reference via hci_conn_get() when queueing create_big_sync(), and
dropping it in the completion callback. The refcount and the lock
are complementary: the refcount keeps the object allocated, while
hci_dev_lock() serializes hci_conn_hash_del()'s list_del_rcu() on
hdev->conn_hash, as required by hci_conn_del().

hci_conn_put() is called outside hci_dev_unlock() so the final put
(which resolves to kfree() via bt_link_release) does not run under
hdev->lock, though the release path would be safe either way.

Without this, create_big_complete() would unconditionally
dereference the conn pointer on error, causing a use-after-free
via hci_connect_cfm() and hci_conn_del().

Fixes: eca0ae4aea66 ("Bluetooth: Add initial implementation of BIS connections")
Cc: stable@vger.kernel.org
Co-developed-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: David Carlier <devnexen@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ kept stable's `qos->bcast.out.phy == 0x02` context line instead of upstream's renamed `qos->bcast.out.phys == BIT(1)` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/hci_conn.c |   19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -2014,6 +2014,9 @@ static int create_big_sync(struct hci_de
 	u32 flags = 0;
 	int err;
 
+	if (!hci_conn_valid(hdev, conn))
+		return -ECANCELED;
+
 	if (qos->bcast.out.phy == 0x02)
 		flags |= MGMT_ADV_FLAG_SEC_2M;
 
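Review bot: hci_conn_valid() here runs in the cmd_sync worker without hci_dev_lock(), so its answer can go stale before the HCI commands that follow are issued; it is only safe because the caller now pins `conn` with hci_conn_get() (see the hci_connect_bis() hunk), which keeps the memory valid but not the connection. The -ECANCELED value returned here is what create_big_complete() keys on, so both sides must keep agreeing on it.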
@@ -2125,11 +2128,24 @@ static void create_big_complete(struct h
 
 	bt_dev_dbg(hdev, "conn %p", conn);
 
+	if (err == -ECANCELED)
+		goto done;
+
+	hci_dev_lock(hdev);
+
+	if (!hci_conn_valid(hdev, conn))
+		goto unlock;
+
 	if (err) {
 		bt_dev_err(hdev, "Unable to create BIG: %d", err);
 		hci_connect_cfm(conn, err);
 		hci_conn_del(conn);
 	}
+
+unlock:
+	hci_dev_unlock(hdev);
+done:
+	hci_conn_put(conn);
 }
 
 struct hci_conn *hci_bind_bis(struct hci_dev *hdev, bdaddr_t *dst,
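Review bot: on `err == -ECANCELED` the callback skips both hci_connect_cfm() and hci_conn_del() and only drops the reference, which is consistent with create_le_conn_complete() as the message says, but it relies on whoever invalidated the connection having already told the upper layers. The hci_dev_lock()/hci_conn_valid() re-check is needed because the error path calls hci_conn_del(), which must not race with another deleter; when `err == 0` the lock is taken and released without doing anything, which is harmless. hci_conn_put() after hci_dev_unlock() keeps the final free outside hdev->lock, matching the message.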
@@ -2230,10 +2246,11 @@ struct hci_conn *hci_connect_bis(struct
 				 BT_BOUND, &data);
 
 	/* Queue start periodic advertising and create BIG */
-	err = hci_cmd_sync_queue(hdev, create_big_sync, conn,
+	err = hci_cmd_sync_queue(hdev, create_big_sync, hci_conn_get(conn),
 				 create_big_complete);
 	if (err < 0) {
 		hci_conn_drop(conn);
+		hci_conn_put(conn);
 		return ERR_PTR(err);
 	}
 
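Review bot: passing `hci_conn_get(conn)` as the work argument transfers that reference to create_big_complete() once queueing succeeds; on queue failure the callback never runs, so the added hci_conn_put() here is the matching release and the existing hci_conn_drop() still handles the separate hold count. Confirm hci_conn_get() returns `conn` itself so the value can be handed straight to hci_cmd_sync_queue() as the data pointer.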



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 423/474] spi: synquacer: switch to use modern name
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (421 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 422/474] Bluetooth: hci_conn: fix potential UAF in create_big_sync Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 424/474] spi: syncuacer: fix controller deregistration Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Mark Brown,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 3524d1b727a66712f02f92807219a3650e5cf910 ]

Change legacy name master to modern name host or controller.

No functional change.

Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://msgid.link/r/20231128093031.3707034-10-yangyingliang@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 75d849c3452e ("spi: syncuacer: fix controller deregistration")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-synquacer.c |   84 ++++++++++++++++++++++----------------------
 1 file changed, 42 insertions(+), 42 deletions(-)

--- a/drivers/spi/spi-synquacer.c
+++ b/drivers/spi/spi-synquacer.c
@@ -225,11 +225,11 @@ static int write_fifo(struct synquacer_s
 	return 0;
 }
 
-static int synquacer_spi_config(struct spi_master *master,
+static int synquacer_spi_config(struct spi_controller *host,
 				struct spi_device *spi,
 				struct spi_transfer *xfer)
 {
-	struct synquacer_spi *sspi = spi_master_get_devdata(master);
+	struct synquacer_spi *sspi = spi_controller_get_devdata(host);
 	unsigned int speed, mode, bpw, cs, bus_width, transfer_mode;
 	u32 rate, val, div;
 
@@ -263,7 +263,7 @@ static int synquacer_spi_config(struct s
 	}
 
 	sspi->transfer_mode = transfer_mode;
-	rate = master->max_speed_hz;
+	rate = host->max_speed_hz;
 
 	div = DIV_ROUND_UP(rate, speed);
 	if (div > 254) {
@@ -350,11 +350,11 @@ static int synquacer_spi_config(struct s
 	return 0;
 }
 
-static int synquacer_spi_transfer_one(struct spi_master *master,
+static int synquacer_spi_transfer_one(struct spi_controller *host,
 				      struct spi_device *spi,
 				      struct spi_transfer *xfer)
 {
-	struct synquacer_spi *sspi = spi_master_get_devdata(master);
+	struct synquacer_spi *sspi = spi_controller_get_devdata(host);
 	int ret;
 	int status = 0;
 	u32 words;
@@ -378,7 +378,7 @@ static int synquacer_spi_transfer_one(st
 	if (bpw == 8 && !(xfer->len % 4) && !(spi->mode & SPI_LSB_FIRST))
 		xfer->bits_per_word = 32;
 
-	ret = synquacer_spi_config(master, spi, xfer);
+	ret = synquacer_spi_config(host, spi, xfer);
 
 	/* restore */
 	xfer->bits_per_word = bpw;
@@ -482,7 +482,7 @@ static int synquacer_spi_transfer_one(st
 
 static void synquacer_spi_set_cs(struct spi_device *spi, bool enable)
 {
-	struct synquacer_spi *sspi = spi_master_get_devdata(spi->master);
+	struct synquacer_spi *sspi = spi_controller_get_devdata(spi->controller);
 	u32 val;
 
 	val = readl(sspi->regs + SYNQUACER_HSSPI_REG_DMSTART);
@@ -517,11 +517,11 @@ static int synquacer_spi_wait_status_upd
 	return -EBUSY;
 }
 
-static int synquacer_spi_enable(struct spi_master *master)
+static int synquacer_spi_enable(struct spi_controller *host)
 {
 	u32 val;
 	int status;
-	struct synquacer_spi *sspi = spi_master_get_devdata(master);
+	struct synquacer_spi *sspi = spi_controller_get_devdata(host);
 
 	/* Disable module */
 	writel(0, sspi->regs + SYNQUACER_HSSPI_REG_MCTRL);
@@ -601,18 +601,18 @@ static irqreturn_t sq_spi_tx_handler(int
 static int synquacer_spi_probe(struct platform_device *pdev)
 {
 	struct device_node *np = pdev->dev.of_node;
-	struct spi_master *master;
+	struct spi_controller *host;
 	struct synquacer_spi *sspi;
 	int ret;
 	int rx_irq, tx_irq;
 
-	master = spi_alloc_master(&pdev->dev, sizeof(*sspi));
-	if (!master)
+	host = spi_alloc_host(&pdev->dev, sizeof(*sspi));
+	if (!host)
 		return -ENOMEM;
 
-	platform_set_drvdata(pdev, master);
+	platform_set_drvdata(pdev, host);
 
-	sspi = spi_master_get_devdata(master);
+	sspi = spi_controller_get_devdata(host);
 	sspi->dev = &pdev->dev;
 
 	init_completion(&sspi->transfer_done);
@@ -625,7 +625,7 @@ static int synquacer_spi_probe(struct pl
 
 	sspi->clk_src_type = SYNQUACER_HSSPI_CLOCK_SRC_IHCLK; /* Default */
 	device_property_read_u32(&pdev->dev, "socionext,ihclk-rate",
-				 &master->max_speed_hz); /* for ACPI */
+				 &host->max_speed_hz); /* for ACPI */
 
 	if (dev_of_node(&pdev->dev)) {
 		if (device_property_match_string(&pdev->dev,
@@ -655,21 +655,21 @@ static int synquacer_spi_probe(struct pl
 			goto put_spi;
 		}
 
-		master->max_speed_hz = clk_get_rate(sspi->clk);
+		host->max_speed_hz = clk_get_rate(sspi->clk);
 	}
 
-	if (!master->max_speed_hz) {
+	if (!host->max_speed_hz) {
 		dev_err(&pdev->dev, "missing clock source\n");
 		ret = -EINVAL;
 		goto disable_clk;
 	}
-	master->min_speed_hz = master->max_speed_hz / 254;
+	host->min_speed_hz = host->max_speed_hz / 254;
 
 	sspi->aces = device_property_read_bool(&pdev->dev,
 					       "socionext,set-aces");
 	sspi->rtm = device_property_read_bool(&pdev->dev, "socionext,use-rtm");
 
-	master->num_chipselect = SYNQUACER_HSSPI_NUM_CHIP_SELECT;
+	host->num_chipselect = SYNQUACER_HSSPI_NUM_CHIP_SELECT;
 
 	rx_irq = platform_get_irq(pdev, 0);
 	if (rx_irq <= 0) {
@@ -699,27 +699,27 @@ static int synquacer_spi_probe(struct pl
 		goto disable_clk;
 	}
 
-	master->dev.of_node = np;
-	master->dev.fwnode = pdev->dev.fwnode;
-	master->auto_runtime_pm = true;
-	master->bus_num = pdev->id;
-
-	master->mode_bits = SPI_CPOL | SPI_CPHA | SPI_TX_DUAL | SPI_RX_DUAL |
-			    SPI_TX_QUAD | SPI_RX_QUAD;
-	master->bits_per_word_mask = SPI_BPW_MASK(32) | SPI_BPW_MASK(24) |
-				     SPI_BPW_MASK(16) | SPI_BPW_MASK(8);
+	host->dev.of_node = np;
+	host->dev.fwnode = pdev->dev.fwnode;
+	host->auto_runtime_pm = true;
+	host->bus_num = pdev->id;
+
+	host->mode_bits = SPI_CPOL | SPI_CPHA | SPI_TX_DUAL | SPI_RX_DUAL |
+			  SPI_TX_QUAD | SPI_RX_QUAD;
+	host->bits_per_word_mask = SPI_BPW_MASK(32) | SPI_BPW_MASK(24) |
+				   SPI_BPW_MASK(16) | SPI_BPW_MASK(8);
 
-	master->set_cs = synquacer_spi_set_cs;
-	master->transfer_one = synquacer_spi_transfer_one;
+	host->set_cs = synquacer_spi_set_cs;
+	host->transfer_one = synquacer_spi_transfer_one;
 
-	ret = synquacer_spi_enable(master);
+	ret = synquacer_spi_enable(host);
 	if (ret)
 		goto disable_clk;
 
 	pm_runtime_set_active(sspi->dev);
 	pm_runtime_enable(sspi->dev);
 
-	ret = devm_spi_register_master(sspi->dev, master);
+	ret = devm_spi_register_controller(sspi->dev, host);
 	if (ret)
 		goto disable_pm;
 
@@ -730,15 +730,15 @@ disable_pm:
 disable_clk:
 	clk_disable_unprepare(sspi->clk);
 put_spi:
-	spi_master_put(master);
+	spi_controller_put(host);
 
 	return ret;
 }
 
 static void synquacer_spi_remove(struct platform_device *pdev)
 {
-	struct spi_master *master = platform_get_drvdata(pdev);
-	struct synquacer_spi *sspi = spi_master_get_devdata(master);
+	struct spi_controller *host = platform_get_drvdata(pdev);
+	struct synquacer_spi *sspi = spi_controller_get_devdata(host);
 
 	pm_runtime_disable(sspi->dev);
 
@@ -747,11 +747,11 @@ static void synquacer_spi_remove(struct
 
 static int __maybe_unused synquacer_spi_suspend(struct device *dev)
 {
-	struct spi_master *master = dev_get_drvdata(dev);
-	struct synquacer_spi *sspi = spi_master_get_devdata(master);
+	struct spi_controller *host = dev_get_drvdata(dev);
+	struct synquacer_spi *sspi = spi_controller_get_devdata(host);
 	int ret;
 
-	ret = spi_master_suspend(master);
+	ret = spi_controller_suspend(host);
 	if (ret)
 		return ret;
 
@@ -763,8 +763,8 @@ static int __maybe_unused synquacer_spi_
 
 static int __maybe_unused synquacer_spi_resume(struct device *dev)
 {
-	struct spi_master *master = dev_get_drvdata(dev);
-	struct synquacer_spi *sspi = spi_master_get_devdata(master);
+	struct spi_controller *host = dev_get_drvdata(dev);
+	struct synquacer_spi *sspi = spi_controller_get_devdata(host);
 	int ret;
 
 	if (!pm_runtime_suspended(dev)) {
@@ -778,7 +778,7 @@ static int __maybe_unused synquacer_spi_
 			return ret;
 		}
 
-		ret = synquacer_spi_enable(master);
+		ret = synquacer_spi_enable(host);
 		if (ret) {
 			clk_disable_unprepare(sspi->clk);
 			dev_err(dev, "failed to enable spi (%d)\n", ret);
@@ -786,7 +786,7 @@ static int __maybe_unused synquacer_spi_
 		}
 	}
 
-	ret = spi_master_resume(master);
+	ret = spi_controller_resume(host);
 	if (ret < 0)
 		clk_disable_unprepare(sspi->clk);
 



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 424/474] spi: syncuacer: fix controller deregistration
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (422 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 423/474] spi: synquacer: switch to use modern name Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 425/474] spi: sun4i: switch to use modern name Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Masahisa Kojima, Johan Hovold,
	Mark Brown, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

[ Upstream commit 75d849c3452e9611de031db45b3149ba9a99035f ]

Make sure to deregister the controller before disabling underlying
resources like clocks during driver unbind.

Fixes: b0823ee35cf9 ("spi: Add spi driver for Socionext SynQuacer platform")
Cc: stable@vger.kernel.org	# 5.3
Cc: Masahisa Kojima <masahisa.kojima@linaro.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-21-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-synquacer.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-synquacer.c
+++ b/drivers/spi/spi-synquacer.c
@@ -719,7 +719,7 @@ static int synquacer_spi_probe(struct pl
 	pm_runtime_set_active(sspi->dev);
 	pm_runtime_enable(sspi->dev);
 
-	ret = devm_spi_register_controller(sspi->dev, host);
+	ret = spi_register_controller(host);
 	if (ret)
 		goto disable_pm;
 
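Review bot: dropping devm_spi_register_controller() for spi_register_controller() moves responsibility for spi_unregister_controller() onto the driver's remove() path, so that ordering now has to be kept right by hand; the probe error path is unaffected, since on failure `goto disable_pm` still falls through to the spi_controller_put() at put_spi, which releases the controller allocation.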
@@ -740,9 +740,15 @@ static void synquacer_spi_remove(struct
 	struct spi_controller *host = platform_get_drvdata(pdev);
 	struct synquacer_spi *sspi = spi_controller_get_devdata(host);
 
+	spi_controller_get(host);
+
+	spi_unregister_controller(host);
+
 	pm_runtime_disable(sspi->dev);
 
 	clk_disable_unprepare(sspi->clk);
+
+	spi_controller_put(host);
 }
 
 static int __maybe_unused synquacer_spi_suspend(struct device *dev)
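Review bot: the spi_controller_get()/spi_controller_put() pair around spi_unregister_controller() is required, not cosmetic: sspi was allocated as the controller's devdata by spi_alloc_host(), so once spi_unregister_controller() drops the allocation's reference, the following pm_runtime_disable(sspi->dev) and clk_disable_unprepare(sspi->clk) would read freed memory. A one-line comment above spi_controller_get() saying the extra reference keeps sspi alive across the clock teardown would stop a future cleanup from "simplifying" it away. Unregistering before the clock is disabled is also what prevents attached SPI device drivers from hitting unclocked register accesses during unbind.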




* [PATCH 6.6 425/474] spi: sun4i: switch to use modern name
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (423 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 424/474] spi: syncuacer: fix controller deregistration Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 426/474] spi: sun4i: fix controller deregistration Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Mark Brown,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 6d232cc8a7e59af0c083319827541966a68817a0 ]

Change legacy name master to modern name host or controller.

No functional change.

Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://msgid.link/r/20231128093031.3707034-7-yangyingliang@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 42108a2f03e0 ("spi: sun4i: fix controller deregistration")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-sun4i.c |   72 ++++++++++++++++++++++++------------------------
 1 file changed, 36 insertions(+), 36 deletions(-)

--- a/drivers/spi/spi-sun4i.c
+++ b/drivers/spi/spi-sun4i.c
@@ -75,7 +75,7 @@
 #define SUN4I_FIFO_STA_TF_CNT_BITS		16
 
 struct sun4i_spi {
-	struct spi_master	*master;
+	struct spi_controller	*host;
 	void __iomem		*base_addr;
 	struct clk		*hclk;
 	struct clk		*mclk;
@@ -161,7 +161,7 @@ static inline void sun4i_spi_fill_fifo(s
 
 static void sun4i_spi_set_cs(struct spi_device *spi, bool enable)
 {
-	struct sun4i_spi *sspi = spi_master_get_devdata(spi->master);
+	struct sun4i_spi *sspi = spi_controller_get_devdata(spi->controller);
 	u32 reg;
 
 	reg = sun4i_spi_read(sspi, SUN4I_CTL_REG);
@@ -201,11 +201,11 @@ static size_t sun4i_spi_max_transfer_siz
 	return SUN4I_MAX_XFER_SIZE - 1;
 }
 
-static int sun4i_spi_transfer_one(struct spi_master *master,
+static int sun4i_spi_transfer_one(struct spi_controller *host,
 				  struct spi_device *spi,
 				  struct spi_transfer *tfr)
 {
-	struct sun4i_spi *sspi = spi_master_get_devdata(master);
+	struct sun4i_spi *sspi = spi_controller_get_devdata(host);
 	unsigned int mclk_rate, div, timeout;
 	unsigned int start, end, tx_time;
 	unsigned int tx_len = 0;
@@ -334,7 +334,7 @@ static int sun4i_spi_transfer_one(struct
 					      msecs_to_jiffies(tx_time));
 	end = jiffies;
 	if (!timeout) {
-		dev_warn(&master->dev,
+		dev_warn(&host->dev,
 			 "%s: timeout transferring %u bytes@%iHz for %i(%i)ms",
 			 dev_name(&spi->dev), tfr->len, tfr->speed_hz,
 			 jiffies_to_msecs(end - start), tx_time);
@@ -389,8 +389,8 @@ static irqreturn_t sun4i_spi_handler(int
 
 static int sun4i_spi_runtime_resume(struct device *dev)
 {
-	struct spi_master *master = dev_get_drvdata(dev);
-	struct sun4i_spi *sspi = spi_master_get_devdata(master);
+	struct spi_controller *host = dev_get_drvdata(dev);
+	struct sun4i_spi *sspi = spi_controller_get_devdata(host);
 	int ret;
 
 	ret = clk_prepare_enable(sspi->hclk);
@@ -418,8 +418,8 @@ out:
 
 static int sun4i_spi_runtime_suspend(struct device *dev)
 {
-	struct spi_master *master = dev_get_drvdata(dev);
-	struct sun4i_spi *sspi = spi_master_get_devdata(master);
+	struct spi_controller *host = dev_get_drvdata(dev);
+	struct sun4i_spi *sspi = spi_controller_get_devdata(host);
 
 	clk_disable_unprepare(sspi->mclk);
 	clk_disable_unprepare(sspi->hclk);
@@ -429,62 +429,62 @@ static int sun4i_spi_runtime_suspend(str
 
 static int sun4i_spi_probe(struct platform_device *pdev)
 {
-	struct spi_master *master;
+	struct spi_controller *host;
 	struct sun4i_spi *sspi;
 	int ret = 0, irq;
 
-	master = spi_alloc_master(&pdev->dev, sizeof(struct sun4i_spi));
-	if (!master) {
-		dev_err(&pdev->dev, "Unable to allocate SPI Master\n");
+	host = spi_alloc_host(&pdev->dev, sizeof(struct sun4i_spi));
+	if (!host) {
+		dev_err(&pdev->dev, "Unable to allocate SPI Host\n");
 		return -ENOMEM;
 	}
 
-	platform_set_drvdata(pdev, master);
-	sspi = spi_master_get_devdata(master);
+	platform_set_drvdata(pdev, host);
+	sspi = spi_controller_get_devdata(host);
 
 	sspi->base_addr = devm_platform_ioremap_resource(pdev, 0);
 	if (IS_ERR(sspi->base_addr)) {
 		ret = PTR_ERR(sspi->base_addr);
-		goto err_free_master;
+		goto err_free_host;
 	}
 
 	irq = platform_get_irq(pdev, 0);
 	if (irq < 0) {
 		ret = -ENXIO;
-		goto err_free_master;
+		goto err_free_host;
 	}
 
 	ret = devm_request_irq(&pdev->dev, irq, sun4i_spi_handler,
 			       0, "sun4i-spi", sspi);
 	if (ret) {
 		dev_err(&pdev->dev, "Cannot request IRQ\n");
-		goto err_free_master;
+		goto err_free_host;
 	}
 
-	sspi->master = master;
-	master->max_speed_hz = 100 * 1000 * 1000;
-	master->min_speed_hz = 3 * 1000;
-	master->set_cs = sun4i_spi_set_cs;
-	master->transfer_one = sun4i_spi_transfer_one;
-	master->num_chipselect = 4;
-	master->mode_bits = SPI_CPOL | SPI_CPHA | SPI_CS_HIGH | SPI_LSB_FIRST;
-	master->bits_per_word_mask = SPI_BPW_MASK(8);
-	master->dev.of_node = pdev->dev.of_node;
-	master->auto_runtime_pm = true;
-	master->max_transfer_size = sun4i_spi_max_transfer_size;
+	sspi->host = host;
+	host->max_speed_hz = 100 * 1000 * 1000;
+	host->min_speed_hz = 3 * 1000;
+	host->set_cs = sun4i_spi_set_cs;
+	host->transfer_one = sun4i_spi_transfer_one;
+	host->num_chipselect = 4;
+	host->mode_bits = SPI_CPOL | SPI_CPHA | SPI_CS_HIGH | SPI_LSB_FIRST;
+	host->bits_per_word_mask = SPI_BPW_MASK(8);
+	host->dev.of_node = pdev->dev.of_node;
+	host->auto_runtime_pm = true;
+	host->max_transfer_size = sun4i_spi_max_transfer_size;
 
 	sspi->hclk = devm_clk_get(&pdev->dev, "ahb");
 	if (IS_ERR(sspi->hclk)) {
 		dev_err(&pdev->dev, "Unable to acquire AHB clock\n");
 		ret = PTR_ERR(sspi->hclk);
-		goto err_free_master;
+		goto err_free_host;
 	}
 
 	sspi->mclk = devm_clk_get(&pdev->dev, "mod");
 	if (IS_ERR(sspi->mclk)) {
 		dev_err(&pdev->dev, "Unable to acquire module clock\n");
 		ret = PTR_ERR(sspi->mclk);
-		goto err_free_master;
+		goto err_free_host;
 	}
 
 	init_completion(&sspi->done);
@@ -496,16 +496,16 @@ static int sun4i_spi_probe(struct platfo
 	ret = sun4i_spi_runtime_resume(&pdev->dev);
 	if (ret) {
 		dev_err(&pdev->dev, "Couldn't resume the device\n");
-		goto err_free_master;
+		goto err_free_host;
 	}
 
 	pm_runtime_set_active(&pdev->dev);
 	pm_runtime_enable(&pdev->dev);
 	pm_runtime_idle(&pdev->dev);
 
-	ret = devm_spi_register_master(&pdev->dev, master);
+	ret = devm_spi_register_controller(&pdev->dev, host);
 	if (ret) {
-		dev_err(&pdev->dev, "cannot register SPI master\n");
+		dev_err(&pdev->dev, "cannot register SPI host\n");
 		goto err_pm_disable;
 	}
 
@@ -514,8 +514,8 @@ static int sun4i_spi_probe(struct platfo
 err_pm_disable:
 	pm_runtime_disable(&pdev->dev);
 	sun4i_spi_runtime_suspend(&pdev->dev);
-err_free_master:
-	spi_master_put(master);
+err_free_host:
+	spi_controller_put(host);
 	return ret;
 }
 




* [PATCH 6.6 426/474] spi: sun4i: fix controller deregistration
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (424 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 425/474] spi: sun4i: switch to use modern name Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 427/474] spi: spi-ti-qspi: Convert to platform remove callback returning void Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Ripard, Johan Hovold,
	Mark Brown, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

[ Upstream commit 42108a2f03e0fdeabe9d02d085bdb058baa1189f ]

Make sure to deregister the controller before disabling underlying
resources like clocks during driver unbind.

Fixes: b5f6517948cc ("spi: sunxi: Add Allwinner A10 SPI controller driver")
Cc: stable@vger.kernel.org	# 3.15
Cc: Maxime Ripard <mripard@kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-19-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-sun4i.c |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-sun4i.c
+++ b/drivers/spi/spi-sun4i.c
@@ -503,7 +503,7 @@ static int sun4i_spi_probe(struct platfo
 	pm_runtime_enable(&pdev->dev);
 	pm_runtime_idle(&pdev->dev);
 
-	ret = devm_spi_register_controller(&pdev->dev, host);
+	ret = spi_register_controller(host);
 	if (ret) {
 		dev_err(&pdev->dev, "cannot register SPI host\n");
 		goto err_pm_disable;
@@ -521,7 +521,15 @@ err_free_host:
 
 static void sun4i_spi_remove(struct platform_device *pdev)
 {
+	struct spi_controller *host = platform_get_drvdata(pdev);
+
+	spi_controller_get(host);
+
+	spi_unregister_controller(host);
+
 	pm_runtime_force_suspend(&pdev->dev);
+
+	spi_controller_put(host);
 }
 
 static const struct of_device_id sun4i_spi_match[] = {
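Review bot: the spi_controller_get() before spi_unregister_controller() is easy to misread as redundant here because host is not touched directly afterwards, but pm_runtime_force_suspend(&pdev->dev) ends up in sun4i_spi_runtime_suspend(), which fetches host via dev_get_drvdata() and sspi via spi_controller_get_devdata() to disable mclk and hclk; without the held reference that callback would run on the freed controller allocation. Suggest a short comment above spi_controller_get() to that effect.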




* [PATCH 6.6 427/474] spi: spi-ti-qspi: Convert to platform remove callback returning void
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (425 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 426/474] spi: sun4i: fix controller deregistration Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 428/474] spi: spi-ti-qspi: switch to use modern name Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König, Mark Brown,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>

[ Upstream commit 2f2802d1a59d79a3d00cb429841db502c2bbc3df ]

The .remove() callback for a platform driver returns an int which makes
many driver authors wrongly assume it's possible to do error handling by
returning an error code. However the value returned is ignored (apart
from emitting a warning) and this typically results in resource leaks.

To improve here there is a quest to make the remove callback return
void. In the first step of this quest all drivers are converted to
.remove_new(), which already returns void. Eventually after all drivers
are converted, .remove_new() will be renamed to .remove().

Add an error message to the error path that returned an error before to
replace the core's error message with more information. Apart from the
different wording of the error message, this patch doesn't introduce a
semantic difference.

Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Link: https://lore.kernel.org/r/20231105172649.3738556-2-u.kleine-koenig@pengutronix.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 0c18a1bacbb1 ("spi: ti-qspi: fix controller deregistration")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-ti-qspi.c |   13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

--- a/drivers/spi/spi-ti-qspi.c
+++ b/drivers/spi/spi-ti-qspi.c
@@ -907,21 +907,22 @@ free_master:
 	return ret;
 }
 
-static int ti_qspi_remove(struct platform_device *pdev)
+static void ti_qspi_remove(struct platform_device *pdev)
 {
 	struct ti_qspi *qspi = platform_get_drvdata(pdev);
 	int rc;
 
 	rc = spi_master_suspend(qspi->master);
-	if (rc)
-		return rc;
+	if (rc) {
+		dev_alert(&pdev->dev, "spi_master_suspend() failed (%pe)\n",
+			  ERR_PTR(rc));
+		return;
+	}
 
 	pm_runtime_put_sync(&pdev->dev);
 	pm_runtime_disable(&pdev->dev);
 
 	ti_qspi_dma_cleanup(qspi);
-
-	return 0;
 }
 
 static const struct dev_pm_ops ti_qspi_pm_ops = {
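Review bot: the early `return;` after the dev_alert() keeps the pre-existing behaviour of skipping pm_runtime_put_sync(), pm_runtime_disable() and ti_qspi_dma_cleanup() whenever spi_master_suspend() fails, which is exactly the kind of resource leak the commit message describes; since the callback can no longer propagate the error anyway, a follow-up could run the cleanup unconditionally (or drop the suspend step). The "no semantic difference" statement is accurate, so this is a note for a follow-up, not a blocker on this conversion.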
@@ -930,7 +931,7 @@ static const struct dev_pm_ops ti_qspi_p
 
 static struct platform_driver ti_qspi_driver = {
 	.probe	= ti_qspi_probe,
-	.remove = ti_qspi_remove,
+	.remove_new = ti_qspi_remove,
 	.driver = {
 		.name	= "ti-qspi",
 		.pm =   &ti_qspi_pm_ops,




* [PATCH 6.6 428/474] spi: spi-ti-qspi: switch to use modern name
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (426 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 427/474] spi: spi-ti-qspi: Convert to platform remove callback returning void Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 429/474] spi: ti-qspi: fix controller deregistration Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Mark Brown,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 9d93c8d97b4cdb5edddb4c5530881c90eecb7e44 ]

Change legacy name master to modern name host or controller.

No functional change.

Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://msgid.link/r/20231128093031.3707034-16-yangyingliang@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 0c18a1bacbb1 ("spi: ti-qspi: fix controller deregistration")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-ti-qspi.c |   88 +++++++++++++++++++++++-----------------------
 1 file changed, 44 insertions(+), 44 deletions(-)

--- a/drivers/spi/spi-ti-qspi.c
+++ b/drivers/spi/spi-ti-qspi.c
@@ -40,7 +40,7 @@ struct ti_qspi {
 	/* list synchronization */
 	struct mutex            list_lock;
 
-	struct spi_master	*master;
+	struct spi_controller	*host;
 	void __iomem            *base;
 	void __iomem            *mmap_base;
 	size_t			mmap_size;
@@ -137,20 +137,20 @@ static inline void ti_qspi_write(struct
 
 static int ti_qspi_setup(struct spi_device *spi)
 {
-	struct ti_qspi	*qspi = spi_master_get_devdata(spi->master);
+	struct ti_qspi	*qspi = spi_controller_get_devdata(spi->controller);
 	int ret;
 
-	if (spi->master->busy) {
-		dev_dbg(qspi->dev, "master busy doing other transfers\n");
+	if (spi->controller->busy) {
+		dev_dbg(qspi->dev, "host busy doing other transfers\n");
 		return -EBUSY;
 	}
 
-	if (!qspi->master->max_speed_hz) {
+	if (!qspi->host->max_speed_hz) {
 		dev_err(qspi->dev, "spi max frequency not defined\n");
 		return -EINVAL;
 	}
 
-	spi->max_speed_hz = min(spi->max_speed_hz, qspi->master->max_speed_hz);
+	spi->max_speed_hz = min(spi->max_speed_hz, qspi->host->max_speed_hz);
 
 	ret = pm_runtime_resume_and_get(qspi->dev);
 	if (ret < 0) {
@@ -526,7 +526,7 @@ static int ti_qspi_dma_xfer_sg(struct ti
 
 static void ti_qspi_enable_memory_map(struct spi_device *spi)
 {
-	struct ti_qspi  *qspi = spi_master_get_devdata(spi->master);
+	struct ti_qspi  *qspi = spi_controller_get_devdata(spi->controller);
 
 	ti_qspi_write(qspi, MM_SWITCH, QSPI_SPI_SWITCH_REG);
 	if (qspi->ctrl_base) {
@@ -540,7 +540,7 @@ static void ti_qspi_enable_memory_map(st
 
 static void ti_qspi_disable_memory_map(struct spi_device *spi)
 {
-	struct ti_qspi  *qspi = spi_master_get_devdata(spi->master);
+	struct ti_qspi  *qspi = spi_controller_get_devdata(spi->controller);
 
 	ti_qspi_write(qspi, 0, QSPI_SPI_SWITCH_REG);
 	if (qspi->ctrl_base)
@@ -554,7 +554,7 @@ static void ti_qspi_setup_mmap_read(stru
 				    u8 data_nbits, u8 addr_width,
 				    u8 dummy_bytes)
 {
-	struct ti_qspi  *qspi = spi_master_get_devdata(spi->master);
+	struct ti_qspi  *qspi = spi_controller_get_devdata(spi->controller);
 	u32 memval = opcode;
 
 	switch (data_nbits) {
@@ -576,7 +576,7 @@ static void ti_qspi_setup_mmap_read(stru
 
 static int ti_qspi_adjust_op_size(struct spi_mem *mem, struct spi_mem_op *op)
 {
-	struct ti_qspi *qspi = spi_controller_get_devdata(mem->spi->master);
+	struct ti_qspi *qspi = spi_controller_get_devdata(mem->spi->controller);
 	size_t max_len;
 
 	if (op->data.dir == SPI_MEM_DATA_IN) {
@@ -606,7 +606,7 @@ static int ti_qspi_adjust_op_size(struct
 static int ti_qspi_exec_mem_op(struct spi_mem *mem,
 			       const struct spi_mem_op *op)
 {
-	struct ti_qspi *qspi = spi_master_get_devdata(mem->spi->master);
+	struct ti_qspi *qspi = spi_controller_get_devdata(mem->spi->controller);
 	u32 from = 0;
 	int ret = 0;
 
@@ -633,10 +633,10 @@ static int ti_qspi_exec_mem_op(struct sp
 		struct sg_table sgt;
 
 		if (virt_addr_valid(op->data.buf.in) &&
-		    !spi_controller_dma_map_mem_op_data(mem->spi->master, op,
+		    !spi_controller_dma_map_mem_op_data(mem->spi->controller, op,
 							&sgt)) {
 			ret = ti_qspi_dma_xfer_sg(qspi, sgt, from);
-			spi_controller_dma_unmap_mem_op_data(mem->spi->master,
+			spi_controller_dma_unmap_mem_op_data(mem->spi->controller,
 							     op, &sgt);
 		} else {
 			ret = ti_qspi_dma_bounce_buffer(qspi, from,
@@ -658,10 +658,10 @@ static const struct spi_controller_mem_o
 	.adjust_op_size = ti_qspi_adjust_op_size,
 };
 
-static int ti_qspi_start_transfer_one(struct spi_master *master,
+static int ti_qspi_start_transfer_one(struct spi_controller *host,
 		struct spi_message *m)
 {
-	struct ti_qspi *qspi = spi_master_get_devdata(master);
+	struct ti_qspi *qspi = spi_controller_get_devdata(host);
 	struct spi_device *spi = m->spi;
 	struct spi_transfer *t;
 	int status = 0, ret;
@@ -720,7 +720,7 @@ static int ti_qspi_start_transfer_one(st
 
 	ti_qspi_write(qspi, qspi->cmd | QSPI_INVAL, QSPI_SPI_CMD_REG);
 	m->status = status;
-	spi_finalize_current_message(master);
+	spi_finalize_current_message(host);
 
 	return status;
 }
@@ -756,33 +756,33 @@ MODULE_DEVICE_TABLE(of, ti_qspi_match);
 static int ti_qspi_probe(struct platform_device *pdev)
 {
 	struct  ti_qspi *qspi;
-	struct spi_master *master;
+	struct spi_controller *host;
 	struct resource         *r, *res_mmap;
 	struct device_node *np = pdev->dev.of_node;
 	u32 max_freq;
 	int ret = 0, num_cs, irq;
 	dma_cap_mask_t mask;
 
-	master = spi_alloc_master(&pdev->dev, sizeof(*qspi));
-	if (!master)
+	host = spi_alloc_host(&pdev->dev, sizeof(*qspi));
+	if (!host)
 		return -ENOMEM;
 
-	master->mode_bits = SPI_CPOL | SPI_CPHA | SPI_RX_DUAL | SPI_RX_QUAD;
+	host->mode_bits = SPI_CPOL | SPI_CPHA | SPI_RX_DUAL | SPI_RX_QUAD;
 
-	master->flags = SPI_CONTROLLER_HALF_DUPLEX;
-	master->setup = ti_qspi_setup;
-	master->auto_runtime_pm = true;
-	master->transfer_one_message = ti_qspi_start_transfer_one;
-	master->dev.of_node = pdev->dev.of_node;
-	master->bits_per_word_mask = SPI_BPW_MASK(32) | SPI_BPW_MASK(16) |
-				     SPI_BPW_MASK(8);
-	master->mem_ops = &ti_qspi_mem_ops;
+	host->flags = SPI_CONTROLLER_HALF_DUPLEX;
+	host->setup = ti_qspi_setup;
+	host->auto_runtime_pm = true;
+	host->transfer_one_message = ti_qspi_start_transfer_one;
+	host->dev.of_node = pdev->dev.of_node;
+	host->bits_per_word_mask = SPI_BPW_MASK(32) | SPI_BPW_MASK(16) |
+				   SPI_BPW_MASK(8);
+	host->mem_ops = &ti_qspi_mem_ops;
 
 	if (!of_property_read_u32(np, "num-cs", &num_cs))
-		master->num_chipselect = num_cs;
+		host->num_chipselect = num_cs;
 
-	qspi = spi_master_get_devdata(master);
-	qspi->master = master;
+	qspi = spi_controller_get_devdata(host);
+	qspi->host = host;
 	qspi->dev = &pdev->dev;
 	platform_set_drvdata(pdev, qspi);
 
@@ -792,7 +792,7 @@ static int ti_qspi_probe(struct platform
 		if (r == NULL) {
 			dev_err(&pdev->dev, "missing platform data\n");
 			ret = -ENODEV;
-			goto free_master;
+			goto free_host;
 		}
 	}
 
@@ -812,7 +812,7 @@ static int ti_qspi_probe(struct platform
 	irq = platform_get_irq(pdev, 0);
 	if (irq < 0) {
 		ret = irq;
-		goto free_master;
+		goto free_host;
 	}
 
 	mutex_init(&qspi->list_lock);
@@ -820,7 +820,7 @@ static int ti_qspi_probe(struct platform
 	qspi->base = devm_ioremap_resource(&pdev->dev, r);
 	if (IS_ERR(qspi->base)) {
 		ret = PTR_ERR(qspi->base);
-		goto free_master;
+		goto free_host;
 	}
 
 
@@ -830,7 +830,7 @@ static int ti_qspi_probe(struct platform
 						"syscon-chipselects");
 		if (IS_ERR(qspi->ctrl_base)) {
 			ret = PTR_ERR(qspi->ctrl_base);
-			goto free_master;
+			goto free_host;
 		}
 		ret = of_property_read_u32_index(np,
 						 "syscon-chipselects",
@@ -838,7 +838,7 @@ static int ti_qspi_probe(struct platform
 		if (ret) {
 			dev_err(&pdev->dev,
 				"couldn't get ctrl_mod reg index\n");
-			goto free_master;
+			goto free_host;
 		}
 	}
 
@@ -853,7 +853,7 @@ static int ti_qspi_probe(struct platform
 	pm_runtime_enable(&pdev->dev);
 
 	if (!of_property_read_u32(np, "spi-max-frequency", &max_freq))
-		master->max_speed_hz = max_freq;
+		host->max_speed_hz = max_freq;
 
 	dma_cap_zero(mask);
 	dma_cap_set(DMA_MEMCPY, mask);
@@ -876,7 +876,7 @@ static int ti_qspi_probe(struct platform
 		dma_release_channel(qspi->rx_chan);
 		goto no_dma;
 	}
-	master->dma_rx = qspi->rx_chan;
+	host->dma_rx = qspi->rx_chan;
 	init_completion(&qspi->transfer_complete);
 	if (res_mmap)
 		qspi->mmap_phys_base = (dma_addr_t)res_mmap->start;
@@ -889,21 +889,21 @@ no_dma:
 				 "mmap failed with error %ld using PIO mode\n",
 				 PTR_ERR(qspi->mmap_base));
 			qspi->mmap_base = NULL;
-			master->mem_ops = NULL;
+			host->mem_ops = NULL;
 		}
 	}
 	qspi->mmap_enabled = false;
 	qspi->current_cs = -1;
 
-	ret = devm_spi_register_master(&pdev->dev, master);
+	ret = devm_spi_register_controller(&pdev->dev, host);
 	if (!ret)
 		return 0;
 
 	ti_qspi_dma_cleanup(qspi);
 
 	pm_runtime_disable(&pdev->dev);
-free_master:
-	spi_master_put(master);
+free_host:
+	spi_controller_put(host);
 	return ret;
 }
 
@@ -912,9 +912,9 @@ static void ti_qspi_remove(struct platfo
 	struct ti_qspi *qspi = platform_get_drvdata(pdev);
 	int rc;
 
-	rc = spi_master_suspend(qspi->master);
+	rc = spi_controller_suspend(qspi->host);
 	if (rc) {
-		dev_alert(&pdev->dev, "spi_master_suspend() failed (%pe)\n",
+		dev_alert(&pdev->dev, "spi_controller_suspend() failed (%pe)\n",
 			  ERR_PTR(rc));
 		return;
 	}




* [PATCH 6.6 429/474] spi: ti-qspi: fix controller deregistration
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (427 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 428/474] spi: spi-ti-qspi: switch to use modern name Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:48 ` [PATCH 6.6 430/474] spi: zynq-qspi: switch to use modern name Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sebastian Andrzej Siewior,
	Johan Hovold, Mark Brown, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

[ Upstream commit 0c18a1bacbb1d8b8aa34d3d004a2cb8226c8b1ea ]

Make sure to deregister the controller before disabling underlying
resources like clocks during driver unbind.

Note that the controller is suspended before disabling and releasing
resources since commit 3ac066e2227c ("spi: spi-ti-qspi: Suspend the
queue before removing the device") which avoids issues like unclocked
accesses but prevents SPI device drivers from doing I/O during
deregistration.

Fixes: 3b3a80019ff1 ("spi: ti-qspi: one only one interrupt handler")
Cc: stable@vger.kernel.org	# 3.13
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-24-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-ti-qspi.c |   14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

--- a/drivers/spi/spi-ti-qspi.c
+++ b/drivers/spi/spi-ti-qspi.c
@@ -895,7 +895,7 @@ no_dma:
 	qspi->mmap_enabled = false;
 	qspi->current_cs = -1;
 
-	ret = devm_spi_register_controller(&pdev->dev, host);
+	ret = spi_register_controller(host);
 	if (!ret)
 		return 0;
 
@@ -910,19 +910,17 @@ free_host:
 static void ti_qspi_remove(struct platform_device *pdev)
 {
 	struct ti_qspi *qspi = platform_get_drvdata(pdev);
-	int rc;
 
-	rc = spi_controller_suspend(qspi->host);
-	if (rc) {
-		dev_alert(&pdev->dev, "spi_controller_suspend() failed (%pe)\n",
-			  ERR_PTR(rc));
-		return;
-	}
+	spi_controller_get(qspi->host);
+
+	spi_unregister_controller(qspi->host);
 
 	pm_runtime_put_sync(&pdev->dev);
 	pm_runtime_disable(&pdev->dev);
 
 	ti_qspi_dma_cleanup(qspi);
+
+	spi_controller_put(qspi->host);
 }
 
 static const struct dev_pm_ops ti_qspi_pm_ops = {
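Review bot: replacing the spi_controller_suspend() call with spi_unregister_controller() also removes the early-return failure path, so pm_runtime_put_sync(), pm_runtime_disable() and ti_qspi_dma_cleanup() now always run on unbind, closing the leak the previous code had when suspend failed. qspi is the controller's devdata (allocated by spi_alloc_host() in probe), so the spi_controller_get() before unregistering is what keeps qspi, and with it qspi->host and the DMA channels released by ti_qspi_dma_cleanup(), valid until the final spi_controller_put(); a brief comment stating that would help the next reader.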




* [PATCH 6.6 430/474] spi: zynq-qspi: switch to use modern name
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (428 preceding siblings ...)
  2026-05-15 15:48 ` [PATCH 6.6 429/474] spi: ti-qspi: fix controller deregistration Greg Kroah-Hartman
@ 2026-05-15 15:48 ` Greg Kroah-Hartman
  2026-05-15 15:49 ` [PATCH 6.6 431/474] spi: zynq-qspi: Simplify clock handling with devm_clk_get_enabled() Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:48 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Mark Brown,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 178ebb0c505b0a35edb4fb2a0e23a1f29e1db14d ]

Change legacy name master/slave to modern name host/target or controller.

No functional change.

Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://msgid.link/r/20231128093031.3707034-24-yangyingliang@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: c9c012706c9f ("spi: zynq-qspi: fix controller deregistration")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-zynq-qspi.c |   28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

--- a/drivers/spi/spi-zynq-qspi.c
+++ b/drivers/spi/spi-zynq-qspi.c
@@ -54,10 +54,10 @@
 #define ZYNQ_QSPI_CONFIG_MSTREN_MASK	BIT(0) /* Master Mode */
 
 /*
- * QSPI Configuration Register - Baud rate and slave select
+ * QSPI Configuration Register - Baud rate and target select
  *
  * These are the values used in the calculation of baud rate divisor and
- * setting the slave select.
+ * setting the target select.
  */
 #define ZYNQ_QSPI_CONFIG_BAUD_DIV_MAX	GENMASK(2, 0) /* Baud rate maximum */
 #define ZYNQ_QSPI_CONFIG_BAUD_DIV_SHIFT	3 /* Baud rate divisor shift */
@@ -164,14 +164,14 @@ static inline void zynq_qspi_write(struc
  *
  * The default settings of the QSPI controller's configurable parameters on
  * reset are
- *	- Master mode
+ *	- Host mode
  *	- Baud rate divisor is set to 2
  *	- Tx threshold set to 1l Rx threshold set to 32
  *	- Flash memory interface mode enabled
  *	- Size of the word to be transferred as 8 bit
  * This function performs the following actions
  *	- Disable and clear all the interrupts
- *	- Enable manual slave select
+ *	- Enable manual target select
  *	- Enable manual start
  *	- Deselect all the chip select lines
  *	- Set the size of the word to be transferred as 32 bit
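Review bot: The untouched context line ` *	- Tx threshold set to 1l Rx threshold set to 32` carries a pre-existing typo ("1l" for "1,"); since this hunk already rewrites the neighbouring lines of the same comment block, fixing it here would be free, though it is not required for the rename.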
@@ -289,7 +289,7 @@ static void zynq_qspi_txfifo_op(struct z
  */
 static void zynq_qspi_chipselect(struct spi_device *spi, bool assert)
 {
-	struct spi_controller *ctlr = spi->master;
+	struct spi_controller *ctlr = spi->controller;
 	struct zynq_qspi *xqspi = spi_controller_get_devdata(ctlr);
 	u32 config_reg;
 
@@ -377,7 +377,7 @@ static int zynq_qspi_config_op(struct zy
  */
 static int zynq_qspi_setup_op(struct spi_device *spi)
 {
-	struct spi_controller *ctlr = spi->master;
+	struct spi_controller *ctlr = spi->controller;
 	struct zynq_qspi *qspi = spi_controller_get_devdata(ctlr);
 	int ret;
 
@@ -534,7 +534,7 @@ static irqreturn_t zynq_qspi_irq(int irq
 static int zynq_qspi_exec_mem_op(struct spi_mem *mem,
 				 const struct spi_mem_op *op)
 {
-	struct zynq_qspi *xqspi = spi_controller_get_devdata(mem->spi->master);
+	struct zynq_qspi *xqspi = spi_controller_get_devdata(mem->spi->controller);
 	int err = 0, i;
 	u8 *tmpbuf;
 
@@ -646,7 +646,7 @@ static int zynq_qspi_probe(struct platfo
 	struct zynq_qspi *xqspi;
 	u32 num_cs;
 
-	ctlr = spi_alloc_master(&pdev->dev, sizeof(*xqspi));
+	ctlr = spi_alloc_host(&pdev->dev, sizeof(*xqspi));
 	if (!ctlr)
 		return -ENOMEM;
 
@@ -656,14 +656,14 @@ static int zynq_qspi_probe(struct platfo
 	xqspi->regs = devm_platform_ioremap_resource(pdev, 0);
 	if (IS_ERR(xqspi->regs)) {
 		ret = PTR_ERR(xqspi->regs);
-		goto remove_master;
+		goto remove_ctlr;
 	}
 
 	xqspi->pclk = devm_clk_get(&pdev->dev, "pclk");
 	if (IS_ERR(xqspi->pclk)) {
 		dev_err(&pdev->dev, "pclk clock not found.\n");
 		ret = PTR_ERR(xqspi->pclk);
-		goto remove_master;
+		goto remove_ctlr;
 	}
 
 	init_completion(&xqspi->data_completion);
@@ -672,13 +672,13 @@ static int zynq_qspi_probe(struct platfo
 	if (IS_ERR(xqspi->refclk)) {
 		dev_err(&pdev->dev, "ref_clk clock not found.\n");
 		ret = PTR_ERR(xqspi->refclk);
-		goto remove_master;
+		goto remove_ctlr;
 	}
 
 	ret = clk_prepare_enable(xqspi->pclk);
 	if (ret) {
 		dev_err(&pdev->dev, "Unable to enable APB clock.\n");
-		goto remove_master;
+		goto remove_ctlr;
 	}
 
 	ret = clk_prepare_enable(xqspi->refclk);
@@ -724,7 +724,7 @@ static int zynq_qspi_probe(struct platfo
 
 	ret = devm_spi_register_controller(&pdev->dev, ctlr);
 	if (ret) {
-		dev_err(&pdev->dev, "spi_register_master failed\n");
+		dev_err(&pdev->dev, "devm_spi_register_controller failed\n");
 		goto clk_dis_all;
 	}
 
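Review bot: The new error string hard-codes the API name in `dev_err(&pdev->dev, "devm_spi_register_controller failed\n");`, which goes stale as soon as the registration call changes (the deregistration fix later in this series swaps it for spi_register_controller() and rewords the message again). A neutral "failed to register controller" would avoid the double churn; no functional impact.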
@@ -734,7 +734,7 @@ clk_dis_all:
 	clk_disable_unprepare(xqspi->refclk);
 clk_dis_pclk:
 	clk_disable_unprepare(xqspi->pclk);
-remove_master:
+remove_ctlr:
 	spi_controller_put(ctlr);
 
 	return ret;


* [PATCH 6.6 431/474] spi: zynq-qspi: Simplify clock handling with devm_clk_get_enabled()
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Pei Xiao, Michal Simek, Mark Brown,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pei Xiao <xiaopei01@kylinos.cn>

[ Upstream commit 1f8fd9490e3184e9a2394df2e682901a1d57ce71 ]

Replace devm_clk_get() followed by clk_prepare_enable() with
devm_clk_get_enabled() for both "pclk" and "ref_clk". This removes
the need for explicit clock enable and disable calls, as the managed
API automatically disables the clocks on device removal or probe
failure.

Remove the now-unnecessary clk_disable_unprepare() calls from the
probe error paths and the remove callback. Simplify error handling
by jumping directly to the remove_ctlr label.

Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn>
Acked-by: Michal Simek <michal.simek@amd.com>
Link: https://patch.msgid.link/24043625f89376da36feca2408f990a85be7ab36.1775555500.git.xiaopei01@kylinos.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: c9c012706c9f ("spi: zynq-qspi: fix controller deregistration")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-zynq-qspi.c |   42 ++++++------------------------------------
 1 file changed, 6 insertions(+), 36 deletions(-)

--- a/drivers/spi/spi-zynq-qspi.c
+++ b/drivers/spi/spi-zynq-qspi.c
@@ -379,21 +379,10 @@ static int zynq_qspi_setup_op(struct spi
 {
 	struct spi_controller *ctlr = spi->controller;
 	struct zynq_qspi *qspi = spi_controller_get_devdata(ctlr);
-	int ret;
 
 	if (ctlr->busy)
 		return -EBUSY;
 
-	ret = clk_enable(qspi->refclk);
-	if (ret)
-		return ret;
-
-	ret = clk_enable(qspi->pclk);
-	if (ret) {
-		clk_disable(qspi->refclk);
-		return ret;
-	}
-
 	zynq_qspi_write(qspi, ZYNQ_QSPI_ENABLE_OFFSET,
 			ZYNQ_QSPI_ENABLE_ENABLE_MASK);
 
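Review bot: The removed clk_enable() calls in zynq_qspi_setup_op() have no matching clk_disable() within the function (the only disable visible is the `clk_disable(qspi->refclk);` unwind on the pclk failure path), so each setup call previously bumped the enable counts of clocks that probe had already prepared and enabled. Dropping them is therefore also a balance fix, not only a simplification; the commit message only mentions the devm conversion and should say so.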
@@ -659,7 +648,7 @@ static int zynq_qspi_probe(struct platfo
 		goto remove_ctlr;
 	}
 
-	xqspi->pclk = devm_clk_get(&pdev->dev, "pclk");
+	xqspi->pclk = devm_clk_get_enabled(&pdev->dev, "pclk");
 	if (IS_ERR(xqspi->pclk)) {
 		dev_err(&pdev->dev, "pclk clock not found.\n");
 		ret = PTR_ERR(xqspi->pclk);
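Review bot: devm_clk_get_enabled() returns an error pointer both when the clock lookup fails and when clk_prepare_enable() fails, so the unchanged message "pclk clock not found." is now misleading in the second case. Something like `ret = dev_err_probe(&pdev->dev, PTR_ERR(xqspi->pclk), "failed to get and enable pclk\n");` followed by the existing `goto remove_ctlr;` covers both and also handles -EPROBE_DEFER quietly.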
@@ -668,36 +657,24 @@ static int zynq_qspi_probe(struct platfo
 
 	init_completion(&xqspi->data_completion);
 
-	xqspi->refclk = devm_clk_get(&pdev->dev, "ref_clk");
+	xqspi->refclk = devm_clk_get_enabled(&pdev->dev, "ref_clk");
 	if (IS_ERR(xqspi->refclk)) {
 		dev_err(&pdev->dev, "ref_clk clock not found.\n");
 		ret = PTR_ERR(xqspi->refclk);
 		goto remove_ctlr;
 	}
 
-	ret = clk_prepare_enable(xqspi->pclk);
-	if (ret) {
-		dev_err(&pdev->dev, "Unable to enable APB clock.\n");
-		goto remove_ctlr;
-	}
-
-	ret = clk_prepare_enable(xqspi->refclk);
-	if (ret) {
-		dev_err(&pdev->dev, "Unable to enable device clock.\n");
-		goto clk_dis_pclk;
-	}
-
 	xqspi->irq = platform_get_irq(pdev, 0);
 	if (xqspi->irq < 0) {
 		ret = xqspi->irq;
-		goto clk_dis_all;
+		goto remove_ctlr;
 	}
 	ret = devm_request_irq(&pdev->dev, xqspi->irq, zynq_qspi_irq,
 			       0, pdev->name, xqspi);
 	if (ret != 0) {
 		ret = -ENXIO;
 		dev_err(&pdev->dev, "request_irq failed\n");
-		goto clk_dis_all;
+		goto remove_ctlr;
 	}
 
 	ret = of_property_read_u32(np, "num-cs",
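Review bot: Same wording issue as for pclk: "ref_clk clock not found." no longer describes an enable failure once devm_clk_get_enabled() is used. Retargeting the IRQ error paths from clk_dis_all to remove_ctlr is correct, since the devres-managed clocks are released by the core after a failed probe while spi_controller_put() still has to be called explicitly; the pre-existing `ret = -ENXIO;` that discards devm_request_irq()'s own error code is unrelated to this change and could be cleaned up separately.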
@@ -707,7 +684,7 @@ static int zynq_qspi_probe(struct platfo
 	} else if (num_cs > ZYNQ_QSPI_MAX_NUM_CS) {
 		ret = -EINVAL;
 		dev_err(&pdev->dev, "only 2 chip selects are available\n");
-		goto clk_dis_all;
+		goto remove_ctlr;
 	} else {
 		ctlr->num_chipselect = num_cs;
 	}
@@ -725,15 +702,11 @@ static int zynq_qspi_probe(struct platfo
 	ret = devm_spi_register_controller(&pdev->dev, ctlr);
 	if (ret) {
 		dev_err(&pdev->dev, "devm_spi_register_controller failed\n");
-		goto clk_dis_all;
+		goto remove_ctlr;
 	}
 
 	return ret;
 
-clk_dis_all:
-	clk_disable_unprepare(xqspi->refclk);
-clk_dis_pclk:
-	clk_disable_unprepare(xqspi->pclk);
 remove_ctlr:
 	spi_controller_put(ctlr);
 
@@ -755,9 +728,6 @@ static void zynq_qspi_remove(struct plat
 	struct zynq_qspi *xqspi = platform_get_drvdata(pdev);
 
 	zynq_qspi_write(xqspi, ZYNQ_QSPI_ENABLE_OFFSET, 0);
-
-	clk_disable_unprepare(xqspi->refclk);
-	clk_disable_unprepare(xqspi->pclk);
 }
 
 static const struct of_device_id zynq_qspi_of_match[] = {
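Review bot: After this hunk zynq_qspi_remove() still writes ZYNQ_QSPI_ENABLE_OFFSET = 0 while the controller is registered, because devm_spi_register_controller() only unregisters when devres runs after remove() returns; a transfer that is still queued can hit a disabled controller. The clock disables removed here had the same ordering problem, which is exactly what the following "spi: zynq-qspi: fix controller deregistration" patch addresses, so this is acceptable as a dependency patch but the ordering caveat deserves a mention.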


* [PATCH 6.6 432/474] spi: zynq-qspi: fix controller deregistration
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Naga Sureshkumar Relli, Johan Hovold,
	Mark Brown, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

[ Upstream commit c9c012706c9fa8ca6d129a9161caf92ab625a3fd ]

Make sure to deregister the controller before disabling it during driver
unbind.

Note that clocks were also disabled before the recent commit
1f8fd9490e31 ("spi: zynq-qspi: Simplify clock handling with
devm_clk_get_enabled()").

Fixes: 67dca5e580f1 ("spi: spi-mem: Add support for Zynq QSPI controller")
Cc: stable@vger.kernel.org	# 5.2: 8eb2fd00f65a
Cc: stable@vger.kernel.org	# 5.2
Cc: Naga Sureshkumar Relli <naga.sureshkumar.relli@xilinx.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-27-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-zynq-qspi.c |   15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

--- a/drivers/spi/spi-zynq-qspi.c
+++ b/drivers/spi/spi-zynq-qspi.c
@@ -641,7 +641,7 @@ static int zynq_qspi_probe(struct platfo
 
 	xqspi = spi_controller_get_devdata(ctlr);
 	xqspi->dev = dev;
-	platform_set_drvdata(pdev, xqspi);
+	platform_set_drvdata(pdev, ctlr);
 	xqspi->regs = devm_platform_ioremap_resource(pdev, 0);
 	if (IS_ERR(xqspi->regs)) {
 		ret = PTR_ERR(xqspi->regs);
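Review bot: Changing the drvdata from `xqspi` to `ctlr` in `platform_set_drvdata(pdev, ctlr);` silently changes the type every dev_get_drvdata()/platform_get_drvdata() caller receives. Within this diff the only consumer is zynq_qspi_remove(), which is updated in the last hunk; please confirm no other user outside the diff (for example a PM callback) still expects a struct zynq_qspi pointer, since it would now dereference the spi_controller instead.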
@@ -699,9 +699,9 @@ static int zynq_qspi_probe(struct platfo
 	/* QSPI controller initializations */
 	zynq_qspi_init_hw(xqspi, ctlr->num_chipselect);
 
-	ret = devm_spi_register_controller(&pdev->dev, ctlr);
+	ret = spi_register_controller(ctlr);
 	if (ret) {
-		dev_err(&pdev->dev, "devm_spi_register_controller failed\n");
+		dev_err(&pdev->dev, "failed to register controller\n");
 		goto remove_ctlr;
 	}
 
@@ -725,9 +725,16 @@ remove_ctlr:
  */
 static void zynq_qspi_remove(struct platform_device *pdev)
 {
-	struct zynq_qspi *xqspi = platform_get_drvdata(pdev);
+	struct spi_controller *ctlr = platform_get_drvdata(pdev);
+	struct zynq_qspi *xqspi = spi_controller_get_devdata(ctlr);
+
+	spi_controller_get(ctlr);
+
+	spi_unregister_controller(ctlr);
 
 	zynq_qspi_write(xqspi, ZYNQ_QSPI_ENABLE_OFFSET, 0);
+
+	spi_controller_put(ctlr);
 }
 
 static const struct of_device_id zynq_qspi_of_match[] = {
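Review bot: The spi_controller_get()/spi_controller_put() pair around spi_unregister_controller() is what keeps `xqspi` valid for the `zynq_qspi_write(xqspi, ZYNQ_QSPI_ENABLE_OFFSET, 0);` that follows: xqspi is the controller's devdata, and unregistration drops the reference taken at registration, so without the extra reference the write would be a use-after-free. Disabling the block only after deregistration also closes the in-flight-transfer window left open by the previous clock patch; the ordering is now correct.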


* [PATCH 6.6 433/474] spi: sun6i: switch to use modern name
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Mark Brown,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 9f55bb79893a9dc75982372bee1307bdce48976b ]

Change legacy name master to modern name host or controller.

No functional change.

Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://msgid.link/r/20231128093031.3707034-8-yangyingliang@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: d874a1c33aee ("spi: sun6i: fix controller deregistration")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-sun6i.c |  148 ++++++++++++++++++++++++------------------------
 1 file changed, 74 insertions(+), 74 deletions(-)

--- a/drivers/spi/spi-sun6i.c
+++ b/drivers/spi/spi-sun6i.c
@@ -97,7 +97,7 @@ struct sun6i_spi_cfg {
 };
 
 struct sun6i_spi {
-	struct spi_master	*master;
+	struct spi_controller	*host;
 	void __iomem		*base_addr;
 	dma_addr_t		dma_addr_rx;
 	dma_addr_t		dma_addr_tx;
@@ -181,7 +181,7 @@ static inline void sun6i_spi_fill_fifo(s
 
 static void sun6i_spi_set_cs(struct spi_device *spi, bool enable)
 {
-	struct sun6i_spi *sspi = spi_master_get_devdata(spi->master);
+	struct sun6i_spi *sspi = spi_controller_get_devdata(spi->controller);
 	u32 reg;
 
 	reg = sun6i_spi_read(sspi, SUN6I_TFR_CTL_REG);
@@ -212,7 +212,7 @@ static int sun6i_spi_prepare_dma(struct
 				 struct spi_transfer *tfr)
 {
 	struct dma_async_tx_descriptor *rxdesc, *txdesc;
-	struct spi_master *master = sspi->master;
+	struct spi_controller *host = sspi->host;
 
 	rxdesc = NULL;
 	if (tfr->rx_buf) {
@@ -223,9 +223,9 @@ static int sun6i_spi_prepare_dma(struct
 			.src_maxburst = 8,
 		};
 
-		dmaengine_slave_config(master->dma_rx, &rxconf);
+		dmaengine_slave_config(host->dma_rx, &rxconf);
 
-		rxdesc = dmaengine_prep_slave_sg(master->dma_rx,
+		rxdesc = dmaengine_prep_slave_sg(host->dma_rx,
 						 tfr->rx_sg.sgl,
 						 tfr->rx_sg.nents,
 						 DMA_DEV_TO_MEM,
@@ -245,38 +245,38 @@ static int sun6i_spi_prepare_dma(struct
 			.dst_maxburst = 8,
 		};
 
-		dmaengine_slave_config(master->dma_tx, &txconf);
+		dmaengine_slave_config(host->dma_tx, &txconf);
 
-		txdesc = dmaengine_prep_slave_sg(master->dma_tx,
+		txdesc = dmaengine_prep_slave_sg(host->dma_tx,
 						 tfr->tx_sg.sgl,
 						 tfr->tx_sg.nents,
 						 DMA_MEM_TO_DEV,
 						 DMA_PREP_INTERRUPT);
 		if (!txdesc) {
 			if (rxdesc)
-				dmaengine_terminate_sync(master->dma_rx);
+				dmaengine_terminate_sync(host->dma_rx);
 			return -EINVAL;
 		}
 	}
 
 	if (tfr->rx_buf) {
 		dmaengine_submit(rxdesc);
-		dma_async_issue_pending(master->dma_rx);
+		dma_async_issue_pending(host->dma_rx);
 	}
 
 	if (tfr->tx_buf) {
 		dmaengine_submit(txdesc);
-		dma_async_issue_pending(master->dma_tx);
+		dma_async_issue_pending(host->dma_tx);
 	}
 
 	return 0;
 }
 
-static int sun6i_spi_transfer_one(struct spi_master *master,
+static int sun6i_spi_transfer_one(struct spi_controller *host,
 				  struct spi_device *spi,
 				  struct spi_transfer *tfr)
 {
-	struct sun6i_spi *sspi = spi_master_get_devdata(master);
+	struct sun6i_spi *sspi = spi_controller_get_devdata(host);
 	unsigned int div, div_cdr1, div_cdr2, timeout;
 	unsigned int start, end, tx_time;
 	unsigned int trig_level;
@@ -293,7 +293,7 @@ static int sun6i_spi_transfer_one(struct
 	sspi->tx_buf = tfr->tx_buf;
 	sspi->rx_buf = tfr->rx_buf;
 	sspi->len = tfr->len;
-	use_dma = master->can_dma ? master->can_dma(master, spi, tfr) : false;
+	use_dma = host->can_dma ? host->can_dma(host, spi, tfr) : false;
 
 	/* Clear pending interrupts */
 	sun6i_spi_write(sspi, SUN6I_INT_STA_REG, ~0);
@@ -463,7 +463,7 @@ static int sun6i_spi_transfer_one(struct
 	} else {
 		ret = sun6i_spi_prepare_dma(sspi, tfr);
 		if (ret) {
-			dev_warn(&master->dev,
+			dev_warn(&host->dev,
 				 "%s: prepare DMA failed, ret=%d",
 				 dev_name(&spi->dev), ret);
 			return ret;
@@ -486,7 +486,7 @@ static int sun6i_spi_transfer_one(struct
 	reg = sun6i_spi_read(sspi, SUN6I_TFR_CTL_REG);
 	sun6i_spi_write(sspi, SUN6I_TFR_CTL_REG, reg | SUN6I_TFR_CTL_XCH);
 
-	tx_time = spi_controller_xfer_timeout(master, tfr);
+	tx_time = spi_controller_xfer_timeout(host, tfr);
 	start = jiffies;
 	timeout = wait_for_completion_timeout(&sspi->done,
 					      msecs_to_jiffies(tx_time));
@@ -502,13 +502,13 @@ static int sun6i_spi_transfer_one(struct
 			timeout = wait_for_completion_timeout(&sspi->dma_rx_done,
 							      timeout);
 			if (!timeout)
-				dev_warn(&master->dev, "RX DMA timeout\n");
+				dev_warn(&host->dev, "RX DMA timeout\n");
 		}
 	}
 
 	end = jiffies;
 	if (!timeout) {
-		dev_warn(&master->dev,
+		dev_warn(&host->dev,
 			 "%s: timeout transferring %u bytes@%iHz for %i(%i)ms",
 			 dev_name(&spi->dev), tfr->len, tfr->speed_hz,
 			 jiffies_to_msecs(end - start), tx_time);
@@ -518,8 +518,8 @@ static int sun6i_spi_transfer_one(struct
 	sun6i_spi_write(sspi, SUN6I_INT_CTL_REG, 0);
 
 	if (ret && use_dma) {
-		dmaengine_terminate_sync(master->dma_rx);
-		dmaengine_terminate_sync(master->dma_tx);
+		dmaengine_terminate_sync(host->dma_rx);
+		dmaengine_terminate_sync(host->dma_tx);
 	}
 
 	return ret;
@@ -564,8 +564,8 @@ static irqreturn_t sun6i_spi_handler(int
 
 static int sun6i_spi_runtime_resume(struct device *dev)
 {
-	struct spi_master *master = dev_get_drvdata(dev);
-	struct sun6i_spi *sspi = spi_master_get_devdata(master);
+	struct spi_controller *host = dev_get_drvdata(dev);
+	struct sun6i_spi *sspi = spi_controller_get_devdata(host);
 	int ret;
 
 	ret = clk_prepare_enable(sspi->hclk);
@@ -601,8 +601,8 @@ out:
 
 static int sun6i_spi_runtime_suspend(struct device *dev)
 {
-	struct spi_master *master = dev_get_drvdata(dev);
-	struct sun6i_spi *sspi = spi_master_get_devdata(master);
+	struct spi_controller *host = dev_get_drvdata(dev);
+	struct sun6i_spi *sspi = spi_controller_get_devdata(host);
 
 	reset_control_assert(sspi->rstc);
 	clk_disable_unprepare(sspi->mclk);
@@ -611,11 +611,11 @@ static int sun6i_spi_runtime_suspend(str
 	return 0;
 }
 
-static bool sun6i_spi_can_dma(struct spi_master *master,
+static bool sun6i_spi_can_dma(struct spi_controller *host,
 			      struct spi_device *spi,
 			      struct spi_transfer *xfer)
 {
-	struct sun6i_spi *sspi = spi_master_get_devdata(master);
+	struct sun6i_spi *sspi = spi_controller_get_devdata(host);
 
 	/*
 	 * If the number of spi words to transfer is less or equal than
@@ -627,67 +627,67 @@ static bool sun6i_spi_can_dma(struct spi
 
 static int sun6i_spi_probe(struct platform_device *pdev)
 {
-	struct spi_master *master;
+	struct spi_controller *host;
 	struct sun6i_spi *sspi;
 	struct resource *mem;
 	int ret = 0, irq;
 
-	master = spi_alloc_master(&pdev->dev, sizeof(struct sun6i_spi));
-	if (!master) {
-		dev_err(&pdev->dev, "Unable to allocate SPI Master\n");
+	host = spi_alloc_host(&pdev->dev, sizeof(struct sun6i_spi));
+	if (!host) {
+		dev_err(&pdev->dev, "Unable to allocate SPI Host\n");
 		return -ENOMEM;
 	}
 
-	platform_set_drvdata(pdev, master);
-	sspi = spi_master_get_devdata(master);
+	platform_set_drvdata(pdev, host);
+	sspi = spi_controller_get_devdata(host);
 
 	sspi->base_addr = devm_platform_get_and_ioremap_resource(pdev, 0, &mem);
 	if (IS_ERR(sspi->base_addr)) {
 		ret = PTR_ERR(sspi->base_addr);
-		goto err_free_master;
+		goto err_free_host;
 	}
 
 	irq = platform_get_irq(pdev, 0);
 	if (irq < 0) {
 		ret = -ENXIO;
-		goto err_free_master;
+		goto err_free_host;
 	}
 
 	ret = devm_request_irq(&pdev->dev, irq, sun6i_spi_handler,
 			       0, "sun6i-spi", sspi);
 	if (ret) {
 		dev_err(&pdev->dev, "Cannot request IRQ\n");
-		goto err_free_master;
+		goto err_free_host;
 	}
 
-	sspi->master = master;
+	sspi->host = host;
 	sspi->cfg = of_device_get_match_data(&pdev->dev);
 
-	master->max_speed_hz = 100 * 1000 * 1000;
-	master->min_speed_hz = 3 * 1000;
-	master->use_gpio_descriptors = true;
-	master->set_cs = sun6i_spi_set_cs;
-	master->transfer_one = sun6i_spi_transfer_one;
-	master->num_chipselect = 4;
-	master->mode_bits = SPI_CPOL | SPI_CPHA | SPI_CS_HIGH | SPI_LSB_FIRST |
-			    sspi->cfg->mode_bits;
-	master->bits_per_word_mask = SPI_BPW_MASK(8);
-	master->dev.of_node = pdev->dev.of_node;
-	master->auto_runtime_pm = true;
-	master->max_transfer_size = sun6i_spi_max_transfer_size;
+	host->max_speed_hz = 100 * 1000 * 1000;
+	host->min_speed_hz = 3 * 1000;
+	host->use_gpio_descriptors = true;
+	host->set_cs = sun6i_spi_set_cs;
+	host->transfer_one = sun6i_spi_transfer_one;
+	host->num_chipselect = 4;
+	host->mode_bits = SPI_CPOL | SPI_CPHA | SPI_CS_HIGH | SPI_LSB_FIRST |
+			  sspi->cfg->mode_bits;
+	host->bits_per_word_mask = SPI_BPW_MASK(8);
+	host->dev.of_node = pdev->dev.of_node;
+	host->auto_runtime_pm = true;
+	host->max_transfer_size = sun6i_spi_max_transfer_size;
 
 	sspi->hclk = devm_clk_get(&pdev->dev, "ahb");
 	if (IS_ERR(sspi->hclk)) {
 		dev_err(&pdev->dev, "Unable to acquire AHB clock\n");
 		ret = PTR_ERR(sspi->hclk);
-		goto err_free_master;
+		goto err_free_host;
 	}
 
 	sspi->mclk = devm_clk_get(&pdev->dev, "mod");
 	if (IS_ERR(sspi->mclk)) {
 		dev_err(&pdev->dev, "Unable to acquire module clock\n");
 		ret = PTR_ERR(sspi->mclk);
-		goto err_free_master;
+		goto err_free_host;
 	}
 
 	init_completion(&sspi->done);
@@ -697,34 +697,34 @@ static int sun6i_spi_probe(struct platfo
 	if (IS_ERR(sspi->rstc)) {
 		dev_err(&pdev->dev, "Couldn't get reset controller\n");
 		ret = PTR_ERR(sspi->rstc);
-		goto err_free_master;
+		goto err_free_host;
 	}
 
-	master->dma_tx = dma_request_chan(&pdev->dev, "tx");
-	if (IS_ERR(master->dma_tx)) {
+	host->dma_tx = dma_request_chan(&pdev->dev, "tx");
+	if (IS_ERR(host->dma_tx)) {
 		/* Check tx to see if we need defer probing driver */
-		if (PTR_ERR(master->dma_tx) == -EPROBE_DEFER) {
+		if (PTR_ERR(host->dma_tx) == -EPROBE_DEFER) {
 			ret = -EPROBE_DEFER;
-			goto err_free_master;
+			goto err_free_host;
 		}
 		dev_warn(&pdev->dev, "Failed to request TX DMA channel\n");
-		master->dma_tx = NULL;
+		host->dma_tx = NULL;
 	}
 
-	master->dma_rx = dma_request_chan(&pdev->dev, "rx");
-	if (IS_ERR(master->dma_rx)) {
-		if (PTR_ERR(master->dma_rx) == -EPROBE_DEFER) {
+	host->dma_rx = dma_request_chan(&pdev->dev, "rx");
+	if (IS_ERR(host->dma_rx)) {
+		if (PTR_ERR(host->dma_rx) == -EPROBE_DEFER) {
 			ret = -EPROBE_DEFER;
 			goto err_free_dma_tx;
 		}
 		dev_warn(&pdev->dev, "Failed to request RX DMA channel\n");
-		master->dma_rx = NULL;
+		host->dma_rx = NULL;
 	}
 
-	if (master->dma_tx && master->dma_rx) {
+	if (host->dma_tx && host->dma_rx) {
 		sspi->dma_addr_tx = mem->start + SUN6I_TXDATA_REG;
 		sspi->dma_addr_rx = mem->start + SUN6I_RXDATA_REG;
-		master->can_dma = sun6i_spi_can_dma;
+		host->can_dma = sun6i_spi_can_dma;
 	}
 
 	/*
@@ -742,9 +742,9 @@ static int sun6i_spi_probe(struct platfo
 	pm_runtime_set_active(&pdev->dev);
 	pm_runtime_enable(&pdev->dev);
 
-	ret = devm_spi_register_master(&pdev->dev, master);
+	ret = devm_spi_register_controller(&pdev->dev, host);
 	if (ret) {
-		dev_err(&pdev->dev, "cannot register SPI master\n");
+		dev_err(&pdev->dev, "cannot register SPI host\n");
 		goto err_pm_disable;
 	}
 
@@ -754,26 +754,26 @@ err_pm_disable:
 	pm_runtime_disable(&pdev->dev);
 	sun6i_spi_runtime_suspend(&pdev->dev);
 err_free_dma_rx:
-	if (master->dma_rx)
-		dma_release_channel(master->dma_rx);
+	if (host->dma_rx)
+		dma_release_channel(host->dma_rx);
 err_free_dma_tx:
-	if (master->dma_tx)
-		dma_release_channel(master->dma_tx);
-err_free_master:
-	spi_master_put(master);
+	if (host->dma_tx)
+		dma_release_channel(host->dma_tx);
+err_free_host:
+	spi_controller_put(host);
 	return ret;
 }
 
 static void sun6i_spi_remove(struct platform_device *pdev)
 {
-	struct spi_master *master = platform_get_drvdata(pdev);
+	struct spi_controller *host = platform_get_drvdata(pdev);
 
 	pm_runtime_force_suspend(&pdev->dev);
 
-	if (master->dma_tx)
-		dma_release_channel(master->dma_tx);
-	if (master->dma_rx)
-		dma_release_channel(master->dma_rx);
+	if (host->dma_tx)
+		dma_release_channel(host->dma_tx);
+	if (host->dma_rx)
+		dma_release_channel(host->dma_rx);
 }
 
 static const struct sun6i_spi_cfg sun6i_a31_spi_cfg = {
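Review bot: The rename is mechanical and the error-label chain (err_pm_disable, err_free_dma_rx, err_free_dma_tx, err_free_host) keeps its order, so probe unwinding is unchanged. Note for reviewers of the series that sun6i_spi_remove() after this hunk still calls pm_runtime_force_suspend() and releases the DMA channels while the host remains registered, since devm_spi_register_controller() only unregisters after remove() returns; the next patch, "spi: sun6i: fix controller deregistration", changes that, so this one is only a dependency.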


* [PATCH 6.6 434/474] spi: sun6i: fix controller deregistration
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Ripard, Johan Hovold,
	Mark Brown, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

[ Upstream commit d874a1c33aee0d88fb4ba2f8aeadaa9f1965209a ]

Make sure to deregister the controller before disabling underlying
resources like clocks during driver unbind.

Fixes: 3558fe900e8a ("spi: sunxi: Add Allwinner A31 SPI controller driver")
Cc: stable@vger.kernel.org	# 3.15
Cc: Maxime Ripard <mripard@kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-20-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-sun6i.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-sun6i.c
+++ b/drivers/spi/spi-sun6i.c
@@ -742,7 +742,7 @@ static int sun6i_spi_probe(struct platfo
 	pm_runtime_set_active(&pdev->dev);
 	pm_runtime_enable(&pdev->dev);
 
-	ret = devm_spi_register_controller(&pdev->dev, host);
+	ret = spi_register_controller(host);
 	if (ret) {
 		dev_err(&pdev->dev, "cannot register SPI host\n");
 		goto err_pm_disable;
@@ -768,12 +768,18 @@ static void sun6i_spi_remove(struct plat
 {
 	struct spi_controller *host = platform_get_drvdata(pdev);
 
+	spi_controller_get(host);
+
+	spi_unregister_controller(host);
+
 	pm_runtime_force_suspend(&pdev->dev);
 
 	if (host->dma_tx)
 		dma_release_channel(host->dma_tx);
 	if (host->dma_rx)
 		dma_release_channel(host->dma_rx);
+
+	spi_controller_put(host);
 }
 
 static const struct sun6i_spi_cfg sun6i_a31_spi_cfg = {
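Review bot: Ordering in the remove hunk is now right: spi_unregister_controller() flushes and tears down the message queue before pm_runtime_force_suspend() disables clocks and before the DMA channels are released, so no transfer can be running when those resources go away. The spi_controller_get() is needed because `host->dma_tx` and `host->dma_rx` are read after unregistration has dropped the registration reference, and the trailing spi_controller_put() releases the final reference; the probe-side failure path (`goto err_pm_disable;`) does not need an unregister since spi_register_controller() holds nothing on failure.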


* [PATCH 6.6 435/474] spi: tegra114: fix controller deregistration
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jingoo Han, Johan Hovold, Mark Brown,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

[ Upstream commit 9c9c27ff2058142d8f800de3186d6864184958de ]

Make sure to deregister the controller before disabling underlying
resources like clocks during driver unbind.

Fixes: 5c8096439600 ("spi: tegra114: use devm_spi_register_master()")
Cc: stable@vger.kernel.org	# 3.13
Cc: Jingoo Han <jg1.han@samsung.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-22-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
[ renamed spi_controller/host API calls to spi_master/master equivalents ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-tegra114.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-tegra114.c
+++ b/drivers/spi/spi-tegra114.c
@@ -1416,7 +1416,7 @@ static int tegra_spi_probe(struct platfo
 	}
 
 	master->dev.of_node = pdev->dev.of_node;
-	ret = devm_spi_register_master(&pdev->dev, master);
+	ret = spi_register_master(master);
 	if (ret < 0) {
 		dev_err(&pdev->dev, "can not register to master err %d\n", ret);
 		goto exit_free_irq;
@@ -1442,6 +1442,10 @@ static void tegra_spi_remove(struct plat
 	struct spi_master *master = platform_get_drvdata(pdev);
 	struct tegra_spi_data	*tspi = spi_master_get_devdata(master);
 
+	spi_master_get(master);
+
+	spi_unregister_master(master);
+
 	free_irq(tspi->irq, tspi);
 
 	if (tspi->tx_dma_chan)
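Review bot: Deregistering before `free_irq(tspi->irq, tspi);` is the important part of this hunk: once spi_unregister_master() returns no transfer can still be queued, so releasing the IRQ and the DMA channels below can no longer race with an interrupt handler completing a transfer. The stable-only translation to spi_master_get()/spi_unregister_master() noted in the sign-off block matches the spi_master naming this 6.6 driver still uses, so the backport is consistent with the first hunk.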
@@ -1453,6 +1457,8 @@ static void tegra_spi_remove(struct plat
 	pm_runtime_disable(&pdev->dev);
 	if (!pm_runtime_status_suspended(&pdev->dev))
 		tegra_spi_runtime_suspend(&pdev->dev);
+
+	spi_master_put(master);
 }
 
 #ifdef CONFIG_PM_SLEEP
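Review bot: The spi_master_put() placed after tegra_spi_runtime_suspend() is required rather than optional: `tspi` is the master's devdata and is dereferenced by free_irq() and the DMA-channel checks in the previous hunk after spi_unregister_master() has already dropped the registration reference, so the extra reference taken at the top of remove() is what keeps it alive until this point.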


* [PATCH 6.6 436/474] spi: tegra20-sflash: fix controller deregistration
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jingoo Han, Johan Hovold, Mark Brown,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

[ Upstream commit ad7310e983327f939dd6c4e801eab13238992572 ]

Make sure to deregister the controller before disabling underlying
resources like clocks during driver unbind.

Fixes: f12f7318c44a ("spi: tegra20-sflash: use devm_spi_register_master()")
Cc: stable@vger.kernel.org	# 3.13
Cc: Jingoo Han <jg1.han@samsung.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-23-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
[ translated spi_controller/host API to legacy spi_master/master naming and dropped devm-managed registration ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-tegra20-sflash.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-tegra20-sflash.c
+++ b/drivers/spi/spi-tegra20-sflash.c
@@ -506,7 +506,7 @@ static int tegra_sflash_probe(struct pla
 	pm_runtime_put(&pdev->dev);
 
 	master->dev.of_node = pdev->dev.of_node;
-	ret = devm_spi_register_master(&pdev->dev, master);
+	ret = spi_register_master(master);
 	if (ret < 0) {
 		dev_err(&pdev->dev, "can not register to master err %d\n", ret);
 		goto exit_pm_disable;
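Review bot: with devm_spi_register_master() replaced by spi_register_master(), the `goto exit_pm_disable` on failure is still correct (nothing was registered), but any step added after this call in future would have to undo the registration with spi_unregister_master() itself, since devm no longer does it; a short comment at the call site would make that constraint visible. The message 'can not register to master err %d' reads awkwardly ('failed to register SPI master: %d'), but it is pre-existing and not something to touch in a stable backport.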
@@ -529,11 +529,17 @@ static void tegra_sflash_remove(struct p
 	struct spi_master *master = platform_get_drvdata(pdev);
 	struct tegra_sflash_data	*tsd = spi_master_get_devdata(master);
 
+	spi_master_get(master);
+
+	spi_unregister_master(master);
+
 	free_irq(tsd->irq, tsd);
 
 	pm_runtime_disable(&pdev->dev);
 	if (!pm_runtime_status_suspended(&pdev->dev))
 		tegra_sflash_runtime_suspend(&pdev->dev);
+
+	spi_master_put(master);
 }
 
 #ifdef CONFIG_PM_SLEEP
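Review bot: the spi_master_get()/spi_master_put() pair around the teardown should carry a comment explaining why it is needed: tsd comes from spi_master_get_devdata(master) and so lives inside the master allocation, spi_unregister_master() drops the registration's reference, and free_irq(tsd->irq, tsd) plus the runtime-PM shutdown still dereference tsd afterwards. The ordering itself is the point of the patch and looks right: the controller, and any transfer in flight from a bound device, is gone before the IRQ is freed and runtime PM is torn down.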




* [PATCH 6.6 437/474] spi: uniphier: switch to use modern name
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (435 preceding siblings ...)
  2026-05-15 15:49 ` [PATCH 6.6 436/474] spi: tegra20-sflash: " Greg Kroah-Hartman
@ 2026-05-15 15:49 ` Greg Kroah-Hartman
  2026-05-15 15:49 ` [PATCH 6.6 438/474] spi: uniphier: Simplify clock handling with devm_clk_get_enabled() Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Mark Brown,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 4c2ee0991013ca8a32bb093a017d460204790112 ]

Change legacy name master to modern name host or controller.

No functional change.

Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://msgid.link/r/20231128093031.3707034-19-yangyingliang@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 0245435f7772 ("spi: uniphier: fix controller deregistration")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-uniphier.c |  198 ++++++++++++++++++++++-----------------------
 1 file changed, 99 insertions(+), 99 deletions(-)

--- a/drivers/spi/spi-uniphier.c
+++ b/drivers/spi/spi-uniphier.c
@@ -26,7 +26,7 @@ struct uniphier_spi_priv {
 	void __iomem *base;
 	dma_addr_t base_dma_addr;
 	struct clk *clk;
-	struct spi_master *master;
+	struct spi_controller *host;
 	struct completion xfer_done;
 
 	int error;
@@ -127,7 +127,7 @@ static inline void uniphier_spi_irq_disa
 
 static void uniphier_spi_set_mode(struct spi_device *spi)
 {
-	struct uniphier_spi_priv *priv = spi_master_get_devdata(spi->master);
+	struct uniphier_spi_priv *priv = spi_controller_get_devdata(spi->controller);
 	u32 val1, val2;
 
 	/*
@@ -180,7 +180,7 @@ static void uniphier_spi_set_mode(struct
 
 static void uniphier_spi_set_transfer_size(struct spi_device *spi, int size)
 {
-	struct uniphier_spi_priv *priv = spi_master_get_devdata(spi->master);
+	struct uniphier_spi_priv *priv = spi_controller_get_devdata(spi->controller);
 	u32 val;
 
 	val = readl(priv->base + SSI_TXWDS);
@@ -198,7 +198,7 @@ static void uniphier_spi_set_transfer_si
 static void uniphier_spi_set_baudrate(struct spi_device *spi,
 				      unsigned int speed)
 {
-	struct uniphier_spi_priv *priv = spi_master_get_devdata(spi->master);
+	struct uniphier_spi_priv *priv = spi_controller_get_devdata(spi->controller);
 	u32 val, ckdiv;
 
 	/*
@@ -217,7 +217,7 @@ static void uniphier_spi_set_baudrate(st
 static void uniphier_spi_setup_transfer(struct spi_device *spi,
 				       struct spi_transfer *t)
 {
-	struct uniphier_spi_priv *priv = spi_master_get_devdata(spi->master);
+	struct uniphier_spi_priv *priv = spi_controller_get_devdata(spi->controller);
 	u32 val;
 
 	priv->error = 0;
@@ -333,7 +333,7 @@ static void uniphier_spi_fill_tx_fifo(st
 
 static void uniphier_spi_set_cs(struct spi_device *spi, bool enable)
 {
-	struct uniphier_spi_priv *priv = spi_master_get_devdata(spi->master);
+	struct uniphier_spi_priv *priv = spi_controller_get_devdata(spi->controller);
 	u32 val;
 
 	val = readl(priv->base + SSI_FPS);
@@ -346,16 +346,16 @@ static void uniphier_spi_set_cs(struct s
 	writel(val, priv->base + SSI_FPS);
 }
 
-static bool uniphier_spi_can_dma(struct spi_master *master,
+static bool uniphier_spi_can_dma(struct spi_controller *host,
 				 struct spi_device *spi,
 				 struct spi_transfer *t)
 {
-	struct uniphier_spi_priv *priv = spi_master_get_devdata(master);
+	struct uniphier_spi_priv *priv = spi_controller_get_devdata(host);
 	unsigned int bpw = bytes_per_word(priv->bits_per_word);
 
-	if ((!master->dma_tx && !master->dma_rx)
-	    || (!master->dma_tx && t->tx_buf)
-	    || (!master->dma_rx && t->rx_buf))
+	if ((!host->dma_tx && !host->dma_rx)
+	    || (!host->dma_tx && t->tx_buf)
+	    || (!host->dma_rx && t->rx_buf))
 		return false;
 
 	return DIV_ROUND_UP(t->len, bpw) > SSI_FIFO_DEPTH;
@@ -363,33 +363,33 @@ static bool uniphier_spi_can_dma(struct
 
 static void uniphier_spi_dma_rxcb(void *data)
 {
-	struct spi_master *master = data;
-	struct uniphier_spi_priv *priv = spi_master_get_devdata(master);
+	struct spi_controller *host = data;
+	struct uniphier_spi_priv *priv = spi_controller_get_devdata(host);
 	int state = atomic_fetch_andnot(SSI_DMA_RX_BUSY, &priv->dma_busy);
 
 	uniphier_spi_irq_disable(priv, SSI_IE_RXRE);
 
 	if (!(state & SSI_DMA_TX_BUSY))
-		spi_finalize_current_transfer(master);
+		spi_finalize_current_transfer(host);
 }
 
 static void uniphier_spi_dma_txcb(void *data)
 {
-	struct spi_master *master = data;
-	struct uniphier_spi_priv *priv = spi_master_get_devdata(master);
+	struct spi_controller *host = data;
+	struct uniphier_spi_priv *priv = spi_controller_get_devdata(host);
 	int state = atomic_fetch_andnot(SSI_DMA_TX_BUSY, &priv->dma_busy);
 
 	uniphier_spi_irq_disable(priv, SSI_IE_TXRE);
 
 	if (!(state & SSI_DMA_RX_BUSY))
-		spi_finalize_current_transfer(master);
+		spi_finalize_current_transfer(host);
 }
 
-static int uniphier_spi_transfer_one_dma(struct spi_master *master,
+static int uniphier_spi_transfer_one_dma(struct spi_controller *host,
 					 struct spi_device *spi,
 					 struct spi_transfer *t)
 {
-	struct uniphier_spi_priv *priv = spi_master_get_devdata(master);
+	struct uniphier_spi_priv *priv = spi_controller_get_devdata(host);
 	struct dma_async_tx_descriptor *rxdesc = NULL, *txdesc = NULL;
 	int buswidth;
 
@@ -412,23 +412,23 @@ static int uniphier_spi_transfer_one_dma
 			.src_maxburst = SSI_FIFO_BURST_NUM,
 		};
 
-		dmaengine_slave_config(master->dma_rx, &rxconf);
+		dmaengine_slave_config(host->dma_rx, &rxconf);
 
 		rxdesc = dmaengine_prep_slave_sg(
-			master->dma_rx,
+			host->dma_rx,
 			t->rx_sg.sgl, t->rx_sg.nents,
 			DMA_DEV_TO_MEM, DMA_PREP_INTERRUPT | DMA_CTRL_ACK);
 		if (!rxdesc)
 			goto out_err_prep;
 
 		rxdesc->callback = uniphier_spi_dma_rxcb;
-		rxdesc->callback_param = master;
+		rxdesc->callback_param = host;
 
 		uniphier_spi_irq_enable(priv, SSI_IE_RXRE);
 		atomic_or(SSI_DMA_RX_BUSY, &priv->dma_busy);
 
 		dmaengine_submit(rxdesc);
-		dma_async_issue_pending(master->dma_rx);
+		dma_async_issue_pending(host->dma_rx);
 	}
 
 	if (priv->tx_buf) {
@@ -439,23 +439,23 @@ static int uniphier_spi_transfer_one_dma
 			.dst_maxburst = SSI_FIFO_BURST_NUM,
 		};
 
-		dmaengine_slave_config(master->dma_tx, &txconf);
+		dmaengine_slave_config(host->dma_tx, &txconf);
 
 		txdesc = dmaengine_prep_slave_sg(
-			master->dma_tx,
+			host->dma_tx,
 			t->tx_sg.sgl, t->tx_sg.nents,
 			DMA_MEM_TO_DEV, DMA_PREP_INTERRUPT | DMA_CTRL_ACK);
 		if (!txdesc)
 			goto out_err_prep;
 
 		txdesc->callback = uniphier_spi_dma_txcb;
-		txdesc->callback_param = master;
+		txdesc->callback_param = host;
 
 		uniphier_spi_irq_enable(priv, SSI_IE_TXRE);
 		atomic_or(SSI_DMA_TX_BUSY, &priv->dma_busy);
 
 		dmaengine_submit(txdesc);
-		dma_async_issue_pending(master->dma_tx);
+		dma_async_issue_pending(host->dma_tx);
 	}
 
 	/* signal that we need to wait for completion */
@@ -463,17 +463,17 @@ static int uniphier_spi_transfer_one_dma
 
 out_err_prep:
 	if (rxdesc)
-		dmaengine_terminate_sync(master->dma_rx);
+		dmaengine_terminate_sync(host->dma_rx);
 
 	return -EINVAL;
 }
 
-static int uniphier_spi_transfer_one_irq(struct spi_master *master,
+static int uniphier_spi_transfer_one_irq(struct spi_controller *host,
 					 struct spi_device *spi,
 					 struct spi_transfer *t)
 {
-	struct uniphier_spi_priv *priv = spi_master_get_devdata(master);
-	struct device *dev = master->dev.parent;
+	struct uniphier_spi_priv *priv = spi_controller_get_devdata(host);
+	struct device *dev = host->dev.parent;
 	unsigned long time_left;
 
 	reinit_completion(&priv->xfer_done);
@@ -495,11 +495,11 @@ static int uniphier_spi_transfer_one_irq
 	return priv->error;
 }
 
-static int uniphier_spi_transfer_one_poll(struct spi_master *master,
+static int uniphier_spi_transfer_one_poll(struct spi_controller *host,
 					  struct spi_device *spi,
 					  struct spi_transfer *t)
 {
-	struct uniphier_spi_priv *priv = spi_master_get_devdata(master);
+	struct uniphier_spi_priv *priv = spi_controller_get_devdata(host);
 	int loop = SSI_POLL_TIMEOUT_US * 10;
 
 	while (priv->tx_bytes) {
@@ -520,14 +520,14 @@ static int uniphier_spi_transfer_one_pol
 	return 0;
 
 irq_transfer:
-	return uniphier_spi_transfer_one_irq(master, spi, t);
+	return uniphier_spi_transfer_one_irq(host, spi, t);
 }
 
-static int uniphier_spi_transfer_one(struct spi_master *master,
+static int uniphier_spi_transfer_one(struct spi_controller *host,
 				     struct spi_device *spi,
 				     struct spi_transfer *t)
 {
-	struct uniphier_spi_priv *priv = spi_master_get_devdata(master);
+	struct uniphier_spi_priv *priv = spi_controller_get_devdata(host);
 	unsigned long threshold;
 	bool use_dma;
 
@@ -537,9 +537,9 @@ static int uniphier_spi_transfer_one(str
 
 	uniphier_spi_setup_transfer(spi, t);
 
-	use_dma = master->can_dma ? master->can_dma(master, spi, t) : false;
+	use_dma = host->can_dma ? host->can_dma(host, spi, t) : false;
 	if (use_dma)
-		return uniphier_spi_transfer_one_dma(master, spi, t);
+		return uniphier_spi_transfer_one_dma(host, spi, t);
 
 	/*
 	 * If the transfer operation will take longer than
@@ -548,33 +548,33 @@ static int uniphier_spi_transfer_one(str
 	threshold = DIV_ROUND_UP(SSI_POLL_TIMEOUT_US * priv->speed_hz,
 					USEC_PER_SEC * BITS_PER_BYTE);
 	if (t->len > threshold)
-		return uniphier_spi_transfer_one_irq(master, spi, t);
+		return uniphier_spi_transfer_one_irq(host, spi, t);
 	else
-		return uniphier_spi_transfer_one_poll(master, spi, t);
+		return uniphier_spi_transfer_one_poll(host, spi, t);
 }
 
-static int uniphier_spi_prepare_transfer_hardware(struct spi_master *master)
+static int uniphier_spi_prepare_transfer_hardware(struct spi_controller *host)
 {
-	struct uniphier_spi_priv *priv = spi_master_get_devdata(master);
+	struct uniphier_spi_priv *priv = spi_controller_get_devdata(host);
 
 	writel(SSI_CTL_EN, priv->base + SSI_CTL);
 
 	return 0;
 }
 
-static int uniphier_spi_unprepare_transfer_hardware(struct spi_master *master)
+static int uniphier_spi_unprepare_transfer_hardware(struct spi_controller *host)
 {
-	struct uniphier_spi_priv *priv = spi_master_get_devdata(master);
+	struct uniphier_spi_priv *priv = spi_controller_get_devdata(host);
 
 	writel(0, priv->base + SSI_CTL);
 
 	return 0;
 }
 
-static void uniphier_spi_handle_err(struct spi_master *master,
+static void uniphier_spi_handle_err(struct spi_controller *host,
 				    struct spi_message *msg)
 {
-	struct uniphier_spi_priv *priv = spi_master_get_devdata(master);
+	struct uniphier_spi_priv *priv = spi_controller_get_devdata(host);
 	u32 val;
 
 	/* stop running spi transfer */
@@ -587,12 +587,12 @@ static void uniphier_spi_handle_err(stru
 	uniphier_spi_irq_disable(priv, SSI_IE_ALL_MASK);
 
 	if (atomic_read(&priv->dma_busy) & SSI_DMA_TX_BUSY) {
-		dmaengine_terminate_async(master->dma_tx);
+		dmaengine_terminate_async(host->dma_tx);
 		atomic_andnot(SSI_DMA_TX_BUSY, &priv->dma_busy);
 	}
 
 	if (atomic_read(&priv->dma_busy) & SSI_DMA_RX_BUSY) {
-		dmaengine_terminate_async(master->dma_rx);
+		dmaengine_terminate_async(host->dma_rx);
 		atomic_andnot(SSI_DMA_RX_BUSY, &priv->dma_busy);
 	}
 }
@@ -641,7 +641,7 @@ done:
 static int uniphier_spi_probe(struct platform_device *pdev)
 {
 	struct uniphier_spi_priv *priv;
-	struct spi_master *master;
+	struct spi_controller *host;
 	struct resource *res;
 	struct dma_slave_caps caps;
 	u32 dma_tx_burst = 0, dma_rx_burst = 0;
@@ -649,20 +649,20 @@ static int uniphier_spi_probe(struct pla
 	int irq;
 	int ret;
 
-	master = spi_alloc_master(&pdev->dev, sizeof(*priv));
-	if (!master)
+	host = spi_alloc_host(&pdev->dev, sizeof(*priv));
+	if (!host)
 		return -ENOMEM;
 
-	platform_set_drvdata(pdev, master);
+	platform_set_drvdata(pdev, host);
 
-	priv = spi_master_get_devdata(master);
-	priv->master = master;
+	priv = spi_controller_get_devdata(host);
+	priv->host = host;
 	priv->is_save_param = false;
 
 	priv->base = devm_platform_get_and_ioremap_resource(pdev, 0, &res);
 	if (IS_ERR(priv->base)) {
 		ret = PTR_ERR(priv->base);
-		goto out_master_put;
+		goto out_host_put;
 	}
 	priv->base_dma_addr = res->start;
 
@@ -670,12 +670,12 @@ static int uniphier_spi_probe(struct pla
 	if (IS_ERR(priv->clk)) {
 		dev_err(&pdev->dev, "failed to get clock\n");
 		ret = PTR_ERR(priv->clk);
-		goto out_master_put;
+		goto out_host_put;
 	}
 
 	ret = clk_prepare_enable(priv->clk);
 	if (ret)
-		goto out_master_put;
+		goto out_host_put;
 
 	irq = platform_get_irq(pdev, 0);
 	if (irq < 0) {
@@ -694,35 +694,35 @@ static int uniphier_spi_probe(struct pla
 
 	clk_rate = clk_get_rate(priv->clk);
 
-	master->max_speed_hz = DIV_ROUND_UP(clk_rate, SSI_MIN_CLK_DIVIDER);
-	master->min_speed_hz = DIV_ROUND_UP(clk_rate, SSI_MAX_CLK_DIVIDER);
-	master->mode_bits = SPI_CPOL | SPI_CPHA | SPI_CS_HIGH | SPI_LSB_FIRST;
-	master->dev.of_node = pdev->dev.of_node;
-	master->bus_num = pdev->id;
-	master->bits_per_word_mask = SPI_BPW_RANGE_MASK(1, 32);
-
-	master->set_cs = uniphier_spi_set_cs;
-	master->transfer_one = uniphier_spi_transfer_one;
-	master->prepare_transfer_hardware
+	host->max_speed_hz = DIV_ROUND_UP(clk_rate, SSI_MIN_CLK_DIVIDER);
+	host->min_speed_hz = DIV_ROUND_UP(clk_rate, SSI_MAX_CLK_DIVIDER);
+	host->mode_bits = SPI_CPOL | SPI_CPHA | SPI_CS_HIGH | SPI_LSB_FIRST;
+	host->dev.of_node = pdev->dev.of_node;
+	host->bus_num = pdev->id;
+	host->bits_per_word_mask = SPI_BPW_RANGE_MASK(1, 32);
+
+	host->set_cs = uniphier_spi_set_cs;
+	host->transfer_one = uniphier_spi_transfer_one;
+	host->prepare_transfer_hardware
 				= uniphier_spi_prepare_transfer_hardware;
-	master->unprepare_transfer_hardware
+	host->unprepare_transfer_hardware
 				= uniphier_spi_unprepare_transfer_hardware;
-	master->handle_err = uniphier_spi_handle_err;
-	master->can_dma = uniphier_spi_can_dma;
+	host->handle_err = uniphier_spi_handle_err;
+	host->can_dma = uniphier_spi_can_dma;
 
-	master->num_chipselect = 1;
-	master->flags = SPI_CONTROLLER_MUST_RX | SPI_CONTROLLER_MUST_TX;
+	host->num_chipselect = 1;
+	host->flags = SPI_CONTROLLER_MUST_RX | SPI_CONTROLLER_MUST_TX;
 
-	master->dma_tx = dma_request_chan(&pdev->dev, "tx");
-	if (IS_ERR_OR_NULL(master->dma_tx)) {
-		if (PTR_ERR(master->dma_tx) == -EPROBE_DEFER) {
+	host->dma_tx = dma_request_chan(&pdev->dev, "tx");
+	if (IS_ERR_OR_NULL(host->dma_tx)) {
+		if (PTR_ERR(host->dma_tx) == -EPROBE_DEFER) {
 			ret = -EPROBE_DEFER;
 			goto out_disable_clk;
 		}
-		master->dma_tx = NULL;
+		host->dma_tx = NULL;
 		dma_tx_burst = INT_MAX;
 	} else {
-		ret = dma_get_slave_caps(master->dma_tx, &caps);
+		ret = dma_get_slave_caps(host->dma_tx, &caps);
 		if (ret) {
 			dev_err(&pdev->dev, "failed to get TX DMA capacities: %d\n",
 				ret);
@@ -731,16 +731,16 @@ static int uniphier_spi_probe(struct pla
 		dma_tx_burst = caps.max_burst;
 	}
 
-	master->dma_rx = dma_request_chan(&pdev->dev, "rx");
-	if (IS_ERR_OR_NULL(master->dma_rx)) {
-		if (PTR_ERR(master->dma_rx) == -EPROBE_DEFER) {
+	host->dma_rx = dma_request_chan(&pdev->dev, "rx");
+	if (IS_ERR_OR_NULL(host->dma_rx)) {
+		if (PTR_ERR(host->dma_rx) == -EPROBE_DEFER) {
 			ret = -EPROBE_DEFER;
 			goto out_release_dma;
 		}
-		master->dma_rx = NULL;
+		host->dma_rx = NULL;
 		dma_rx_burst = INT_MAX;
 	} else {
-		ret = dma_get_slave_caps(master->dma_rx, &caps);
+		ret = dma_get_slave_caps(host->dma_rx, &caps);
 		if (ret) {
 			dev_err(&pdev->dev, "failed to get RX DMA capacities: %d\n",
 				ret);
@@ -749,41 +749,41 @@ static int uniphier_spi_probe(struct pla
 		dma_rx_burst = caps.max_burst;
 	}
 
-	master->max_dma_len = min(dma_tx_burst, dma_rx_burst);
+	host->max_dma_len = min(dma_tx_burst, dma_rx_burst);
 
-	ret = devm_spi_register_master(&pdev->dev, master);
+	ret = devm_spi_register_controller(&pdev->dev, host);
 	if (ret)
 		goto out_release_dma;
 
 	return 0;
 
 out_release_dma:
-	if (!IS_ERR_OR_NULL(master->dma_rx)) {
-		dma_release_channel(master->dma_rx);
-		master->dma_rx = NULL;
-	}
-	if (!IS_ERR_OR_NULL(master->dma_tx)) {
-		dma_release_channel(master->dma_tx);
-		master->dma_tx = NULL;
+	if (!IS_ERR_OR_NULL(host->dma_rx)) {
+		dma_release_channel(host->dma_rx);
+		host->dma_rx = NULL;
+	}
+	if (!IS_ERR_OR_NULL(host->dma_tx)) {
+		dma_release_channel(host->dma_tx);
+		host->dma_tx = NULL;
 	}
 
 out_disable_clk:
 	clk_disable_unprepare(priv->clk);
 
-out_master_put:
-	spi_master_put(master);
+out_host_put:
+	spi_controller_put(host);
 	return ret;
 }
 
 static void uniphier_spi_remove(struct platform_device *pdev)
 {
-	struct spi_master *master = platform_get_drvdata(pdev);
-	struct uniphier_spi_priv *priv = spi_master_get_devdata(master);
+	struct spi_controller *host = platform_get_drvdata(pdev);
+	struct uniphier_spi_priv *priv = spi_controller_get_devdata(host);
 
-	if (master->dma_tx)
-		dma_release_channel(master->dma_tx);
-	if (master->dma_rx)
-		dma_release_channel(master->dma_rx);
+	if (host->dma_tx)
+		dma_release_channel(host->dma_tx);
+	if (host->dma_rx)
+		dma_release_channel(host->dma_rx);
 
 	clk_disable_unprepare(priv->clk);
 }
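Review bot: after this rename uniphier_spi_remove() still releases the DMA channels and disables the clock while the controller is registered, because devm_spi_register_controller() only unregisters it when the devm release list unwinds after remove() returns; a transfer issued by a still-bound device in that window would hit released channels and a stopped clock. That is the bug this patch is a Stable-dep-of for ("spi: uniphier: fix controller deregistration"), so nothing to change here, just be aware this hunk is not the fix.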




* [PATCH 6.6 438/474] spi: uniphier: Simplify clock handling with devm_clk_get_enabled()
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (436 preceding siblings ...)
  2026-05-15 15:49 ` [PATCH 6.6 437/474] spi: uniphier: switch to use modern name Greg Kroah-Hartman
@ 2026-05-15 15:49 ` Greg Kroah-Hartman
  2026-05-15 15:49 ` [PATCH 6.6 439/474] spi: uniphier: fix controller deregistration Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Pei Xiao, Kunihiko Hayashi,
	Mark Brown, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pei Xiao <xiaopei01@kylinos.cn>

[ Upstream commit fdca270f8f87cae2eb5b619234b9dd11a863ce6b ]

Replace devm_clk_get() followed by clk_prepare_enable() with
devm_clk_get_enabled() for the clock. This removes the need for
explicit clock enable and disable calls, as the managed API automatically
handles clock disabling on device removal or probe failure.

Remove the now-unnecessary clk_disable_unprepare() calls from the probe
error path and the remove callback. Adjust error labels accordingly.

Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn>
Reviewed-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
Link: https://patch.msgid.link/b2deeefd4ef1a4bce71116aabfcb7e81400f6d37.1775546948.git.xiaopei01@kylinos.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 0245435f7772 ("spi: uniphier: fix controller deregistration")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-uniphier.c |   18 ++++--------------
 1 file changed, 4 insertions(+), 14 deletions(-)

--- a/drivers/spi/spi-uniphier.c
+++ b/drivers/spi/spi-uniphier.c
@@ -666,28 +666,24 @@ static int uniphier_spi_probe(struct pla
 	}
 	priv->base_dma_addr = res->start;
 
-	priv->clk = devm_clk_get(&pdev->dev, NULL);
+	priv->clk = devm_clk_get_enabled(&pdev->dev, NULL);
 	if (IS_ERR(priv->clk)) {
 		dev_err(&pdev->dev, "failed to get clock\n");
 		ret = PTR_ERR(priv->clk);
 		goto out_host_put;
 	}
 
-	ret = clk_prepare_enable(priv->clk);
-	if (ret)
-		goto out_host_put;
-
 	irq = platform_get_irq(pdev, 0);
 	if (irq < 0) {
 		ret = irq;
-		goto out_disable_clk;
+		goto out_host_put;
 	}
 
 	ret = devm_request_irq(&pdev->dev, irq, uniphier_spi_handler,
 			       0, "uniphier-spi", priv);
 	if (ret) {
 		dev_err(&pdev->dev, "failed to request IRQ\n");
-		goto out_disable_clk;
+		goto out_host_put;
 	}
 
 	init_completion(&priv->xfer_done);
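Review bot: moving the clock to devm_clk_get_enabled() changes when it is disabled, not only who disables it: the devm release runs after remove() returns, and since devm_spi_register_controller() is called later in probe it unwinds first, so the clock now stays on until the controller has been unregistered. That is why the follow-up deregistration fix only has to reorder the DMA release. One small point: the `dev_err(&pdev->dev, "failed to get clock\n")` now also fires when enabling fails and on -EPROBE_DEFER; dev_err_probe() would cover both cases with an accurate message, though that is pre-existing.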
@@ -717,7 +713,7 @@ static int uniphier_spi_probe(struct pla
 	if (IS_ERR_OR_NULL(host->dma_tx)) {
 		if (PTR_ERR(host->dma_tx) == -EPROBE_DEFER) {
 			ret = -EPROBE_DEFER;
-			goto out_disable_clk;
+			goto out_host_put;
 		}
 		host->dma_tx = NULL;
 		dma_tx_burst = INT_MAX;
@@ -767,9 +763,6 @@ out_release_dma:
 		host->dma_tx = NULL;
 	}
 
-out_disable_clk:
-	clk_disable_unprepare(priv->clk);
-
 out_host_put:
 	spi_controller_put(host);
 	return ret;
@@ -778,14 +771,11 @@ out_host_put:
 static void uniphier_spi_remove(struct platform_device *pdev)
 {
 	struct spi_controller *host = platform_get_drvdata(pdev);
-	struct uniphier_spi_priv *priv = spi_controller_get_devdata(host);
 
 	if (host->dma_tx)
 		dma_release_channel(host->dma_tx);
 	if (host->dma_rx)
 		dma_release_channel(host->dma_rx);
-
-	clk_disable_unprepare(priv->clk);
 }
 
 static const struct of_device_id uniphier_spi_match[] = {
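Review bot: dropping the priv local and clk_disable_unprepare() here is right, and it leaves the DMA channels as the only resource uniphier_spi_remove() still releases ahead of the devm unregister (which runs only after remove() returns). The Stable-dep-of target moves that release behind an explicit spi_unregister_controller(); this hunk on its own does not close the window.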




* [PATCH 6.6 439/474] spi: uniphier: fix controller deregistration
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (437 preceding siblings ...)
  2026-05-15 15:49 ` [PATCH 6.6 438/474] spi: uniphier: Simplify clock handling with devm_clk_get_enabled() Greg Kroah-Hartman
@ 2026-05-15 15:49 ` Greg Kroah-Hartman
  2026-05-15 15:49 ` [PATCH 6.6 440/474] mm/hugetlb_cma: round up per_node before logging it Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Keiji Hayashibara, Johan Hovold,
	Mark Brown, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

[ Upstream commit 0245435f777264ac45945ed2f325dd095a41d1af ]

Make sure to deregister the controller before releasing underlying
resources like DMA during driver unbind.

Note that clocks were also disabled before the recent commit
fdca270f8f87 ("spi: uniphier: Simplify clock handling with
devm_clk_get_enabled()").

Fixes: 5ba155a4d4cc ("spi: add SPI controller driver for UniPhier SoC")
Cc: stable@vger.kernel.org	# 4.19
Cc: Keiji Hayashibara <hayashibara.keiji@socionext.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-25-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-uniphier.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-uniphier.c
+++ b/drivers/spi/spi-uniphier.c
@@ -747,7 +747,7 @@ static int uniphier_spi_probe(struct pla
 
 	host->max_dma_len = min(dma_tx_burst, dma_rx_burst);
 
-	ret = devm_spi_register_controller(&pdev->dev, host);
+	ret = spi_register_controller(host);
 	if (ret)
 		goto out_release_dma;
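Review bot: switching to spi_register_controller() makes the registration explicit so remove() can order it; the failure branch still goes to out_release_dma, which is correct because nothing was registered. The IRQ and clock stay devm-managed (devm_request_irq and devm_clk_get_enabled earlier in probe), and their release runs after remove() returns, i.e. after the new spi_unregister_controller(), so only the DMA channels needed manual ordering here.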
 
@@ -772,10 +772,16 @@ static void uniphier_spi_remove(struct p
 {
 	struct spi_controller *host = platform_get_drvdata(pdev);
 
+	spi_controller_get(host);
+
+	spi_unregister_controller(host);
+
 	if (host->dma_tx)
 		dma_release_channel(host->dma_tx);
 	if (host->dma_rx)
 		dma_release_channel(host->dma_rx);
+
+	spi_controller_put(host);
 }
 
 static const struct of_device_id uniphier_spi_match[] = {
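Review bot: the spi_controller_get() before spi_unregister_controller() should get a comment: spi_unregister_controller() drops the registration's reference and the function then reads host->dma_tx and host->dma_rx, so without the extra reference those loads could be from freed memory; the spi_controller_put() at the end releases it once the channels are gone. Suggest `/* keep host alive: dma_tx/dma_rx are read after unregister */` above the get.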




* [PATCH 6.6 440/474] mm/hugetlb_cma: round up per_node before logging it
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (438 preceding siblings ...)
  2026-05-15 15:49 ` [PATCH 6.6 439/474] spi: uniphier: fix controller deregistration Greg Kroah-Hartman
@ 2026-05-15 15:49 ` Greg Kroah-Hartman
  2026-05-15 15:49 ` [PATCH 6.6 441/474] spi: microchip-core-qspi: Use helper function devm_clk_get_enabled() Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sang-Heon Jeon, Muchun Song,
	David Hildenbrand, Oscar Salvador, Andrew Morton, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sang-Heon Jeon <ekffu200098@gmail.com>

[ Upstream commit 8f5ce56b76303c55b78a87af996e2e0f8535f979 ]

When the user requests a total hugetlb CMA size without per-node
specification, hugetlb_cma_reserve() computes per_node from
hugetlb_cma_size and the number of nodes that have memory

        per_node = DIV_ROUND_UP(hugetlb_cma_size,
                                nodes_weight(hugetlb_bootmem_nodes));

The reservation loop later computes

        size = round_up(min(per_node, hugetlb_cma_size - reserved),
                          PAGE_SIZE << order);

So the actually reserved per_node size is multiple of (PAGE_SIZE <<
order), but the logged per_node is not rounded up, so it may be smaller
than the actual reserved size.

For example, as the existing comment describes, if a 3 GB area is
requested on a machine with 4 NUMA nodes that have memory, 1 GB is
allocated on the first three nodes, but the printed log is

        hugetlb_cma: reserve 3072 MiB, up to 768 MiB per node

Round per_node up to (PAGE_SIZE << order) before logging so that the
printed log always matches the actual reserved size.  No functional change
to the actual reservation size, as the following case analysis shows

1. remaining (hugetlb_cma_size - reserved) >= rounded per_node
 - AS-IS: min() picks unrounded per_node;
    round_up() returns rounded per_node
 - TO-BE: min() picks rounded per_node;
    round_up() returns rounded per_node (no-op)
2. remaining < unrounded per_node
 - AS-IS: min() picks remaining;
    round_up() returns round_up(remaining)
 - TO-BE: min() picks remaining;
    round_up() returns round_up(remaining)
3. unrounded per_node <= remaining < rounded per_node
 - AS-IS: min() picks unrounded per_node;
    round_up() returns rounded per_node
 - TO-BE: min() picks remaining;
    round_up() returns round_up(remaining) equals rounded per_node

Link: https://lore.kernel.org/20260422143353.852257-1-ekffu200098@gmail.com
Fixes: cf11e85fc08c ("mm: hugetlb: optionally allocate gigantic hugepages using cma") # 5.7
Signed-off-by: Sang-Heon Jeon <ekffu200098@gmail.com>
Reviewed-by: Muchun Song <muchun.song@linux.dev>
Cc: David Hildenbrand <david@kernel.org>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[ applied the single-line addition to mm/hugetlb.c since mm/hugetlb_cma.c didn't exist yet in 6.12 ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/hugetlb.c |    1 +
 1 file changed, 1 insertion(+)

--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -7493,6 +7493,7 @@ void __init hugetlb_cma_reserve(int orde
 		 * let's allocate 1 GB on first three nodes and ignore the last one.
 		 */
 		per_node = DIV_ROUND_UP(hugetlb_cma_size, nr_online_nodes);
+		per_node = round_up(per_node, PAGE_SIZE << order);
 		pr_info("hugetlb_cma: reserve %lu MiB, up to %lu MiB per node\n",
 			hugetlb_cma_size / SZ_1M, per_node / SZ_1M);
 	}
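Review bot: the added round_up() relies on the reservation loop below this hunk still doing `size = round_up(size, PAGE_SIZE << order)` after the min(); the hunk context does not show that line, so the reviewer should confirm it is unchanged in 6.6, since the commit message's three-case argument only holds with both round_up() calls in place. The 6.6 code divides by nr_online_nodes rather than the nodes_weight(hugetlb_bootmem_nodes) quoted upstream, which does not affect the rounding. Also, the bracketed backport note says 'in 6.12' while this is the 6.6 series; it reads as carried over from the 6.12 backport, and the placement in mm/hugetlb.c is the right one here as well.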



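The commit message above argues by case analysis that rounding per_node before the pr_info() changes only the printed number, never the sizes reserved. The following is an added user-space model of that loop, not kernel code and not part of the patch: it re-implements DIV_ROUND_UP(), round_up() and min() with the kernel macros' semantics, assumes 4 KiB pages, a 64-bit unsigned long and at most 8 nodes (all assumptions, not from the page), mirrors the loop shape the commit message describes, and sweeps both variants over a range of request sizes, node counts and huge-page orders to check that they reserve identical sizes.

```c
/*
 * Added example, not kernel code: a user-space model of the per-node
 * hugetlb CMA reservation loop described in the commit message, used to
 * check that rounding per_node before the pr_info() changes only the
 * logged value and never the sizes reserved on each node.
 *
 * Assumptions (not taken from the page): 4 KiB pages, 64-bit unsigned
 * long, at most 8 nodes, and DIV_ROUND_UP()/round_up()/min() re-implemented
 * here with the kernel macros' semantics (round_up() needs a power-of-two step).
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE   4096UL
#define SZ_1M       (1UL << 20)
#define SZ_1G       (1UL << 30)
#define MAX_NODES   8

#define DIV_ROUND_UP(n, d)  (((n) + (d) - 1) / (d))
#define round_up(x, y)      ((((x) - 1) | ((y) - 1)) + 1)
#define min(a, b)           ((a) < (b) ? (a) : (b))

struct cma_model {
	unsigned long logged_per_node;	/* value pr_info() would print, in bytes */
	unsigned long sizes[MAX_NODES];	/* bytes actually reserved on each node */
	int nodes_used;			/* nodes that received a reservation */
};

/*
 * Mirrors the shape of hugetlb_cma_reserve() as the commit message describes
 * it: per_node is derived from the total, optionally rounded first (the
 * patch's one-line change), then each node gets
 * round_up(min(per_node, remaining), PAGE_SIZE << order) until the total is covered.
 */
static struct cma_model cma_reserve_model(unsigned long cma_size, int nr_nodes,
					  int order, bool round_before_log)
{
	struct cma_model m;
	unsigned long chunk = PAGE_SIZE << order;
	unsigned long per_node = DIV_ROUND_UP(cma_size, nr_nodes);
	unsigned long reserved = 0;

	memset(&m, 0, sizeof(m));
	if (round_before_log)
		per_node = round_up(per_node, chunk);
	m.logged_per_node = per_node;

	for (int nid = 0; nid < nr_nodes; nid++) {
		unsigned long size = min(per_node, cma_size - reserved);

		size = round_up(size, chunk);
		m.sizes[m.nodes_used++] = size;
		reserved += size;
		if (reserved >= cma_size)
			break;
	}
	return m;
}

/* True when both variants reserve exactly the same sizes on the same nodes. */
static bool reservation_unchanged(unsigned long cma_size, int nr_nodes, int order)
{
	struct cma_model before = cma_reserve_model(cma_size, nr_nodes, order, false);
	struct cma_model after = cma_reserve_model(cma_size, nr_nodes, order, true);

	return before.nodes_used == after.nodes_used &&
	       !memcmp(before.sizes, after.sizes, sizeof(before.sizes));
}

/* The commit message's example: 3 GiB on 4 nodes with 1 GiB pages (order 18 on 4 KiB pages). */
static unsigned long example_logged_mib(bool round_before_log)
{
	return cma_reserve_model(3 * SZ_1G, 4, 18, round_before_log).logged_per_node / SZ_1M;
}

/*
 * Sweep requests from 1 MiB to 2 GiB, alternating page-aligned and
 * page-offset sizes, over 1..8 nodes and both 2 MiB (order 9) and
 * 1 GiB (order 18) huge pages.
 */
static bool sweep_unchanged(void)
{
	static const int orders[] = { 9, 18 };

	for (size_t o = 0; o < 2; o++)
		for (int nodes = 1; nodes <= MAX_NODES; nodes++)
			for (unsigned long mib = 1; mib <= 2048; mib++) {
				unsigned long size = mib * SZ_1M + (mib & 1) * PAGE_SIZE;

				if (!reservation_unchanged(size, nodes, orders[o]))
					return false;
			}
	return true;
}

int main(void)
{
	printf("logged per node: %lu MiB before, %lu MiB after the patch\n",
	       example_logged_mib(false), example_logged_mib(true));
	printf("reservation sizes unchanged across sweep: %s\n",
	       sweep_unchanged() ? "yes" : "no");
	return 0;
}
```

For the commit message's own example the model logs 768 MiB before the patch and 1024 MiB after it, while both variants put 1 GiB on each of the first three nodes; the sweep covers the third case of the analysis (remaining between the unrounded and rounded per_node), where it is the loop's own round_up() that makes the two variants meet.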

* [PATCH 6.6 441/474] spi: microchip-core-qspi: Use helper function devm_clk_get_enabled()
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (439 preceding siblings ...)
  2026-05-15 15:49 ` [PATCH 6.6 440/474] mm/hugetlb_cma: round up per_node before logging it Greg Kroah-Hartman
@ 2026-05-15 15:49 ` Greg Kroah-Hartman
  2026-05-15 15:49 ` [PATCH 6.6 442/474] spi: microchip-core-qspi: fix controller deregistration Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jonathan Cameron, Li Zetao,
	Mark Brown, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Li Zetao <lizetao1@huawei.com>

[ Upstream commit e922f3fff21445117e9196bd8e940ad8e15ca8c7 ]

Since commit 7ef9651e9792 ("clk: Provide new devm_clk helpers for prepared
and enabled clocks"), devm_clk_get() and clk_prepare_enable() can now be
replaced by devm_clk_get_enabled() when driver enables (and possibly
prepares) the clocks for the whole lifetime of the device. Moreover, it is
no longer necessary to unprepare and disable the clocks explicitly.

Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Li Zetao <lizetao1@huawei.com>
Link: https://lore.kernel.org/r/20230823133938.1359106-18-lizetao1@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: e6464140d439 ("spi: microchip-core-qspi: fix controller deregistration")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-microchip-core-qspi.c |   29 +++++++----------------------
 1 file changed, 7 insertions(+), 22 deletions(-)

--- a/drivers/spi/spi-microchip-core-qspi.c
+++ b/drivers/spi/spi-microchip-core-qspi.c
@@ -519,30 +519,23 @@ static int mchp_coreqspi_probe(struct pl
 		return dev_err_probe(&pdev->dev, PTR_ERR(qspi->regs),
 				     "failed to map registers\n");
 
-	qspi->clk = devm_clk_get(&pdev->dev, NULL);
+	qspi->clk = devm_clk_get_enabled(&pdev->dev, NULL);
 	if (IS_ERR(qspi->clk))
 		return dev_err_probe(&pdev->dev, PTR_ERR(qspi->clk),
 				     "could not get clock\n");
 
-	ret = clk_prepare_enable(qspi->clk);
-	if (ret)
-		return dev_err_probe(&pdev->dev, ret,
-				     "failed to enable clock\n");
-
 	init_completion(&qspi->data_completion);
 	mutex_init(&qspi->op_lock);
 
 	qspi->irq = platform_get_irq(pdev, 0);
-	if (qspi->irq < 0) {
-		ret = qspi->irq;
-		goto out;
-	}
+	if (qspi->irq < 0)
+		return qspi->irq;
 
 	ret = devm_request_irq(&pdev->dev, qspi->irq, mchp_coreqspi_isr,
 			       IRQF_SHARED, pdev->name, qspi);
 	if (ret) {
 		dev_err(&pdev->dev, "request_irq failed %d\n", ret);
-		goto out;
+		return ret;
 	}
 
 	ctlr->bits_per_word_mask = SPI_BPW_MASK(8);
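Review bot: the dropped `dev_err_probe(..., "failed to enable clock\n")` path is now folded into the IS_ERR(qspi->clk) check, since devm_clk_get_enabled() returns the enable error through the same pointer; the message 'could not get clock' is therefore misleading when enabling is what failed, and 'could not get or enable clock' would be accurate. The direct `return qspi->irq` and `return ret` are fine now that nothing needs unwinding ahead of the devm-managed clock.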
@@ -553,18 +546,11 @@ static int mchp_coreqspi_probe(struct pl
 	ctlr->dev.of_node = np;
 
 	ret = devm_spi_register_controller(&pdev->dev, ctlr);
-	if (ret) {
-		dev_err_probe(&pdev->dev, ret,
-			      "spi_register_controller failed\n");
-		goto out;
-	}
+	if (ret)
+		return dev_err_probe(&pdev->dev, ret,
+				     "spi_register_controller failed\n");
 
 	return 0;
-
-out:
-	clk_disable_unprepare(qspi->clk);
-
-	return ret;
 }
 
 static void mchp_coreqspi_remove(struct platform_device *pdev)
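Review bot: dropping the out: label is only safe if no `goto out` survives elsewhere in mchp_coreqspi_probe(); the three uses visible in this and the previous hunk are all converted, and a leftover one would fail to compile rather than leak, so a build check is sufficient.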
@@ -575,7 +561,6 @@ static void mchp_coreqspi_remove(struct
 	mchp_coreqspi_disable_ints(qspi);
 	control &= ~CONTROL_ENABLE;
 	writel_relaxed(control, qspi->regs + REG_CONTROL);
-	clk_disable_unprepare(qspi->clk);
 }
 
 static const struct of_device_id mchp_coreqspi_of_match[] = {
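Review bot: removing clk_disable_unprepare() here is correct now that devres owns the clock, but the remaining body of remove() disables interrupts and clears CONTROL_ENABLE while the devm-registered controller is still registered and can still be handed transfers; that window is why the follow-up patch in this series, 442/474, switches to an explicit spi_unregister_controller() before these register writes.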




* [PATCH 6.6 442/474] spi: microchip-core-qspi: fix controller deregistration
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Naga Sureshkumar Relli, Johan Hovold,
	Conor Dooley, Mark Brown, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

[ Upstream commit e6464140d439f2d42f072eb422a5b1fec470c5a6 ]

Make sure to deregister the controller before disabling underlying
resources like interrupts during driver unbind.

Fixes: 8596124c4c1b ("spi: microchip-core-qspi: Add support for microchip fpga qspi controllers")
Cc: stable@vger.kernel.org	# 6.1
Cc: Naga Sureshkumar Relli <nagasuresh.relli@microchip.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Conor Dooley <conor.dooley@microchip.com>
Link: https://patch.msgid.link/20260409120419.388546-19-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-microchip-core-qspi.c |   12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/drivers/spi/spi-microchip-core-qspi.c
+++ b/drivers/spi/spi-microchip-core-qspi.c
@@ -512,7 +512,7 @@ static int mchp_coreqspi_probe(struct pl
 				     "unable to allocate master for QSPI controller\n");
 
 	qspi = spi_controller_get_devdata(ctlr);
-	platform_set_drvdata(pdev, qspi);
+	platform_set_drvdata(pdev, ctlr);
 
 	qspi->regs = devm_platform_ioremap_resource(pdev, 0);
 	if (IS_ERR(qspi->regs))
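Review bot: changing the drvdata from qspi to ctlr requires every platform_get_drvdata(pdev) user in this file to be updated in lockstep; the diffstat touches only probe and remove, so if any PM callback in this driver reads drvdata as a struct mchp_coreqspi it would now dereference a struct spi_controller. Worth a grep before merging.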
@@ -545,7 +545,7 @@ static int mchp_coreqspi_probe(struct pl
 			  SPI_TX_DUAL | SPI_TX_QUAD;
 	ctlr->dev.of_node = np;
 
-	ret = devm_spi_register_controller(&pdev->dev, ctlr);
+	ret = spi_register_controller(ctlr);
 	if (ret)
 		return dev_err_probe(&pdev->dev, ret,
 				     "spi_register_controller failed\n");
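Review bot: moving from devm_spi_register_controller() to spi_register_controller() means any later error exit in probe would now need an explicit spi_unregister_controller(); as the hunk stands this call is the last fallible step before `return 0`, so no unwinding is missing, but that invariant has to be kept by future additions to probe.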
@@ -555,9 +555,13 @@ static int mchp_coreqspi_probe(struct pl
 
 static void mchp_coreqspi_remove(struct platform_device *pdev)
 {
-	struct mchp_coreqspi *qspi = platform_get_drvdata(pdev);
-	u32 control = readl_relaxed(qspi->regs + REG_CONTROL);
+	struct spi_controller *ctlr = platform_get_drvdata(pdev);
+	struct mchp_coreqspi *qspi = spi_controller_get_devdata(ctlr);
+	u32 control;
 
+	spi_unregister_controller(ctlr);
+
+	control = readl_relaxed(qspi->regs + REG_CONTROL);
 	mchp_coreqspi_disable_ints(qspi);
 	control &= ~CONTROL_ENABLE;
 	writel_relaxed(control, qspi->regs + REG_CONTROL);
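Review bot: the ordering here is the fix itself: spi_unregister_controller() first, so no transfer can be queued after interrupts are masked, and only then the CONTROL register is read and the enable bit cleared. Reading `control` after unregistering, rather than at declaration as before, is the right choice since an in-flight transfer could otherwise have changed it; the devm-managed IRQ and clock are released after remove() returns, so the register accesses remain clocked throughout.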




* [PATCH 6.6 443/474] fbcon: Avoid OOB font access if console rotation fails
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Thomas Zimmermann, Helge Deller,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Zimmermann <tzimmermann@suse.de>

[ Upstream commit e4ef723d8975a2694cc90733a6b888a5e2841842 ]

Clear the font buffer if the reallocation during console rotation fails
in fbcon_rotate_font(). The putcs implementations for the rotated buffer
will return early in this case. See [1] for an example.

Currently, fbcon_rotate_font() keeps the old buffer, which is too small
for the rotated font. Printing to the rotated console with a high-enough
character code will overflow the font buffer.

v2:
- fix typos in commit message

Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Fixes: 6cc50e1c5b57 ("[PATCH] fbcon: Console Rotation - Add support to rotate font bitmap")
Cc: stable@vger.kernel.org # v2.6.15+
Link: https://elixir.bootlin.com/linux/v6.19/source/drivers/video/fbdev/core/fbcon_ccw.c#L144 # [1]
Signed-off-by: Helge Deller <deller@gmx.de>
[ renamed `par` to `ops` to match the 6.12 local pointer name ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/video/fbdev/core/fbcon_rotate.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/video/fbdev/core/fbcon_rotate.c
+++ b/drivers/video/fbdev/core/fbcon_rotate.c
@@ -46,6 +46,10 @@ static int fbcon_rotate_font(struct fb_i
 		info->fbops->fb_sync(info);
 
 	if (ops->fd_size < d_cellsize * len) {
+		kfree(ops->fontbuffer);
+		ops->fontbuffer = NULL;
+		ops->fd_size = 0;
+
 		dst = kmalloc_array(len, d_cellsize, GFP_KERNEL);
 
 		if (dst == NULL) {
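Review bot: clearing ops->fontbuffer and ops->fd_size before the allocation leaves the rotated-console state consistently empty (no buffer, zero size) when kmalloc_array() fails, instead of keeping a buffer that is too small for the new font; the correctness of this rests on every consumer checking ops->fontbuffer for NULL before indexing it, which the commit message says the putcs implementations already do. The zeroed fd_size also guarantees the next call re-enters this reallocation branch rather than trusting a stale size.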
@@ -54,7 +58,6 @@ static int fbcon_rotate_font(struct fb_i
 		}
 
 		ops->fd_size = d_cellsize * len;
-		kfree(ops->fontbuffer);
 		ops->fontbuffer = dst;
 	}
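Review bot: the kfree() of the old buffer now precedes the allocation instead of following it, so nothing is leaked on failure and peak memory is lower; the one behavioural change is that a transient allocation failure now discards a previously valid (smaller) font buffer, which is acceptable because that buffer could not have held the new font anyway.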
 




* [PATCH 6.6 444/474] rxrpc: Fix conn-level packet handling to unshare RESPONSE packets
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, David Howells, Marc Dionne,
	Jeffrey Altman, Simon Horman, linux-afs, stable, Jakub Kicinski,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Howells <dhowells@redhat.com>

[ Upstream commit 24481a7f573305706054c59e275371f8d0fe919f ]

The security operations that verify the RESPONSE packets decrypt bits of it
in place - however, the sk_buff may be shared with a packet sniffer, which
would lead to the sniffer seeing an apparently corrupt packet (actually
decrypted).

Fix this by handing a copy of the packet off to the specific security
handler if the packet was cloned.

Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260422161438.2593376-5-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/rxrpc/conn_event.c |   29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)

--- a/net/rxrpc/conn_event.c
+++ b/net/rxrpc/conn_event.c
@@ -226,6 +226,33 @@ static void rxrpc_call_is_secure(struct
 		rxrpc_notify_socket(call);
 }
 
+static int rxrpc_verify_response(struct rxrpc_connection *conn,
+				 struct sk_buff *skb)
+{
+	int ret;
+
+	if (skb_cloned(skb)) {
+		/* Copy the packet if shared so that we can do in-place
+		 * decryption.
+		 */
+		struct sk_buff *nskb = skb_copy(skb, GFP_NOFS);
+
+		if (nskb) {
+			rxrpc_new_skb(nskb, rxrpc_skb_new_unshared);
+			ret = conn->security->verify_response(conn, nskb);
+			rxrpc_free_skb(nskb, rxrpc_skb_put_response_copy);
+		} else {
+			/* OOM - Drop the packet. */
+			rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);
+			ret = -ENOMEM;
+		}
+	} else {
+		ret = conn->security->verify_response(conn, skb);
+	}
+
+	return ret;
+}
+
 /*
  * connection-level Rx packet processor
  */
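Review bot: the gate is skb_cloned() only, so an uncloned skb whose paged fragments are externally owned would still be decrypted in place; a later patch in this series (448/474) widens the condition to skb_has_frag_list() and skb_has_shared_frag(). GFP_NOFS is appropriate here only because this runs in the connection event processing context rather than from a softirq, and skb_copy() duplicates the header and the full data into a private linear skb, so the rxrpc control block is preserved for verify_response().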
@@ -253,7 +280,7 @@ static int rxrpc_process_event(struct rx
 		}
 		spin_unlock(&conn->state_lock);
 
-		ret = conn->security->verify_response(conn, skb);
+		ret = rxrpc_verify_response(conn, skb);
 		if (ret < 0)
 			return ret;
 
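Review bot: rxrpc_verify_response() returns -ENOMEM when the copy cannot be allocated and this caller propagates it unchanged, so an allocation failure now takes the same path as a failed security check; if the error handling above this function aborts the connection on a negative return, a transient OOM becomes a connection abort, which may be worth distinguishing or at least noting in the function comment.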




* [PATCH 6.6 445/474] Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Siwei Zhang,
	Luiz Augusto von Dentz

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Siwei Zhang <oss@fourdim.xyz>

commit 78a88d43dab8d23aeef934ed8ce34d40e6b3d613 upstream.

Add the same NULL guard already present in
l2cap_sock_resume_cb() and l2cap_sock_ready_cb().

Fixes: 8d836d71e222 ("Bluetooth: Access sk_sndtimeo indirectly in l2cap_core.c")
Cc: stable@kernel.org
Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/l2cap_sock.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1731,6 +1731,9 @@ static long l2cap_sock_get_sndtimeo_cb(s
 {
 	struct sock *sk = chan->data;
 
+	if (!sk)
+		return 0;
+
 	return sk->sk_sndtimeo;
 }
 
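Review bot: a NULL chan->data here means the socket has already been torn down while the channel is still being asked for its send timeout, and returning 0 matches the other callbacks named in the commit message; note that callers interpret a 0 send timeout as non-blocking, which is the sensible outcome for a channel without a socket.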




* [PATCH 6.6 446/474] bonding: fix use-after-free due to enslave fail after slave array update
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nikolay Aleksandrov, Chen Zhen,
	Jussi Maki, Daniel Borkmann, Paolo Abeni, Sasha Levin,
	Yunseong Kim

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nikolay Aleksandrov <razor@blackwall.org>

commit e9acda52fd2ee0cdca332f996da7a95c5fd25294 upstream.

Fix a use-after-free which happens due to enslave failure after the new
slave has been added to the array. Since the new slave can be used for Tx
immediately, we can use it after it has been freed by the enslave error
cleanup path which frees the allocated slave memory. Slave update array is
supposed to be called last when further enslave failures are not expected.
Move it after xdp setup to avoid any problems.

It is very easy to reproduce the problem with a simple xdp_pass prog:
 ip l add bond1 type bond mode balance-xor
 ip l set bond1 up
 ip l set dev bond1 xdp object xdp_pass.o sec xdp_pass
 ip l add dumdum type dummy

Then run in parallel:
 while :; do ip l set dumdum master bond1 1>/dev/null 2>&1; done;
 mausezahn bond1 -a own -b rand -A rand -B 1.1.1.1 -c 0 -t tcp "dp=1-1023, flags=syn"

The crash happens almost immediately:
 [  605.602850] Oops: general protection fault, probably for non-canonical address 0xe0e6fc2460000137: 0000 [#1] SMP KASAN NOPTI
 [  605.602916] KASAN: maybe wild-memory-access in range [0x07380123000009b8-0x07380123000009bf]
 [  605.602946] CPU: 0 UID: 0 PID: 2445 Comm: mausezahn Kdump: loaded Tainted: G    B               6.19.0-rc6+ #21 PREEMPT(voluntary)
 [  605.602979] Tainted: [B]=BAD_PAGE
 [  605.602998] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
 [  605.603032] RIP: 0010:netdev_core_pick_tx+0xcd/0x210
 [  605.603063] Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 3e 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 6b 08 49 8d 7d 30 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 25 01 00 00 49 8b 45 30 4c 89 e2 48 89 ee 48 89
 [  605.603111] RSP: 0018:ffff88817b9af348 EFLAGS: 00010213
 [  605.603145] RAX: dffffc0000000000 RBX: ffff88817d28b420 RCX: 0000000000000000
 [  605.603172] RDX: 00e7002460000137 RSI: 0000000000000008 RDI: 07380123000009be
 [  605.603199] RBP: ffff88817b541a00 R08: 0000000000000001 R09: fffffbfff3ed8c0c
 [  605.603226] R10: ffffffff9f6c6067 R11: 0000000000000001 R12: 0000000000000000
 [  605.603253] R13: 073801230000098e R14: ffff88817d28b448 R15: ffff88817b541a84
 [  605.603286] FS:  00007f6570ef67c0(0000) GS:ffff888221dfa000(0000) knlGS:0000000000000000
 [  605.603319] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 [  605.603343] CR2: 00007f65712fae40 CR3: 000000011371b000 CR4: 0000000000350ef0
 [  605.603373] Call Trace:
 [  605.603392]  <TASK>
 [  605.603410]  __dev_queue_xmit+0x448/0x32a0
 [  605.603434]  ? __pfx_vprintk_emit+0x10/0x10
 [  605.603461]  ? __pfx_vprintk_emit+0x10/0x10
 [  605.603484]  ? __pfx___dev_queue_xmit+0x10/0x10
 [  605.603507]  ? bond_start_xmit+0xbfb/0xc20 [bonding]
 [  605.603546]  ? _printk+0xcb/0x100
 [  605.603566]  ? __pfx__printk+0x10/0x10
 [  605.603589]  ? bond_start_xmit+0xbfb/0xc20 [bonding]
 [  605.603627]  ? add_taint+0x5e/0x70
 [  605.603648]  ? add_taint+0x2a/0x70
 [  605.603670]  ? end_report.cold+0x51/0x75
 [  605.603693]  ? bond_start_xmit+0xbfb/0xc20 [bonding]
 [  605.603731]  bond_start_xmit+0x623/0xc20 [bonding]

Fixes: 9e2ee5c7e7c3 ("net, bonding: Add XDP support to the bonding driver")
Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Reported-by: Chen Zhen <chenzhen126@huawei.com>
Closes: https://lore.kernel.org/netdev/fae17c21-4940-5605-85b2-1d5e17342358@huawei.com/
CC: Jussi Maki <joamaki@gmail.com>
CC: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://patch.msgid.link/20260123120659.571187-1-razor@blackwall.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Tested-by: Yunseong Kim <yunseong.kim@est.tech>
Signed-off-by: Yunseong Kim <yunseong.kim@est.tech>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/bonding/bond_main.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -2309,9 +2309,6 @@ skip_mac_set:
 		unblock_netpoll_tx();
 	}
 
-	if (bond_mode_can_use_xmit_hash(bond))
-		bond_update_slave_arr(bond, NULL);
-
 	if (!slave_dev->netdev_ops->ndo_bpf ||
 	    !slave_dev->netdev_ops->ndo_xdp_xmit) {
 		if (bond->xdp_prog) {
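Review bot: removing the early bond_update_slave_arr() call is the fix itself: once the slave is in the array it is visible to the Tx path, so any later failure in this function that frees the slave leaves a dangling array entry. The reproducer in the commit message (balance-xor plus an attached XDP program) hits exactly the XDP setup failure that follows this spot.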
@@ -2345,6 +2342,9 @@ skip_mac_set:
 			bpf_prog_inc(bond->xdp_prog);
 	}
 
+	if (bond_mode_can_use_xmit_hash(bond))
+		bond_update_slave_arr(bond, NULL);
+
 	bond_xdp_set_features(bond_dev);
 
 	slave_info(bond_dev, slave_dev, "Enslaving as %s interface with %s link\n",
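Review bot: the new call site sits after the XDP setup block, and the only things that follow in the visible context are bond_xdp_set_features() and the informational slave_info(), neither of which can fail; the hunk therefore restores the invariant that the slave array is published last, and anyone adding another fallible step to enslave later must keep it above this call.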




* [PATCH 6.6 447/474] mm/damon/core: disallow time-quota setting zero esz
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, SeongJae Park, Andrew Morton

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: SeongJae Park <sj@kernel.org>

commit 8bbde987c2b84f80da0853f739f0a920386f8b99 upstream.

When the throughput of a DAMOS scheme is very slow, DAMOS time quota can
make the effective size quota smaller than damon_ctx->min_region_sz.  In
that case, damos_apply_scheme() will skip applying the action, because the
action is tried at region level, which requires >=min_region_sz size.
That is, the quota is effectively exceeded for the quota charge window.

Because no action will be applied, the total_charged_sz and
total_charged_ns are also not updated.  damos_set_effective_quota() will
try to update the effective size quota before starting the next charge
window.  However, because the total_charged_sz and total_charged_ns have
not been updated, the throughput and effective size quota are also not changed.
Since effective size quota can only be decreased, other effective size
quota update factors including DAMOS quota goals and size quota cannot
make any change, either.

As a result, the scheme is unexpectedly deactivated until the user notices
and mitigates the situation.  The users can mitigate this situation by
changing the time quota online or re-installing the scheme.  While the
mitigation is somewhat straightforward, finding the situation would be
challenging, because DAMON does not provide good observability for that.
Even if such observability is provided, doing the additional monitoring
and the mitigation is somewhat cumbersome and not aligned to the intention
of the time quota.  The time quota was intended to help reduce the user's
administration overhead.

Fix the problem by setting the time-quota-modified effective size quota to
be at least min_region_sz always.

The issue was discovered [1] by sashiko.

Link: https://lore.kernel.org/20260407003153.79589-1-sj@kernel.org
Link: https://lore.kernel.org/20260405192504.110014-1-sj@kernel.org [1]
Fixes: 1cd243030059 ("mm/damon/schemes: implement time quota")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: <stable@vger.kernel.org> # 5.16.x
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: SeongJae Park <sj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/damon/core.c |    1 +
 1 file changed, 1 insertion(+)

--- a/mm/damon/core.c
+++ b/mm/damon/core.c
@@ -1026,6 +1026,7 @@ static void damos_set_effective_quota(st
 	else
 		throughput = PAGE_SIZE * 1024;
 	esz = throughput * quota->ms;
+	esz = max(DAMON_MIN_REGION, esz);
 
 	if (quota->sz && quota->sz < esz)
 		esz = quota->sz;
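Review bot: max(DAMON_MIN_REGION, esz) is the 6.6 counterpart of the per-context min_region_sz the commit message refers to, so the backport is consistent with this tree; assuming both operands are unsigned long here, the kernel's type-checking max() compiles without a cast. Note that the size-quota check two lines below can still lower esz below DAMON_MIN_REGION when the user sets quota->sz smaller than a region; that is an explicit user limit rather than the silent feedback stall the patch fixes, so leaving it is reasonable, but a short comment above the new line would make that distinction clear.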



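As an added userspace model (not DAMON's code) of the feedback loop the commit message describes: it copies the arithmetic of damos_set_effective_quota() as shown in the hunk and adds a simplified charge window in which an esz below DAMON_MIN_REGION applies, and therefore charges, nothing. The helper names, the 2 ms-per-page slow window and the 1 µs normal rate are constructed for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE        4096ULL
#define DAMON_MIN_REGION PAGE_SIZE	/* smallest unit an action is applied to */

/* The quota fields the patched function reads and writes (subset). */
struct damos_quota {
	uint64_t ms;			/* time quota per charge window, in ms */
	uint64_t sz;			/* size quota per window, 0 = unlimited */
	uint64_t esz;			/* effective size quota for the next window */
	uint64_t total_charged_sz;	/* bytes the action was applied to so far */
	uint64_t total_charged_ns;	/* time spent applying it so far */
};

/* Same arithmetic as damos_set_effective_quota() in the hunk; 'fixed'
 * toggles the single line the patch adds. */
static void set_effective_quota(struct damos_quota *q, bool fixed)
{
	uint64_t throughput, esz;

	if (!q->ms) {
		q->esz = q->sz;
		return;
	}
	if (q->total_charged_ns)
		throughput = q->total_charged_sz * 1000000 / q->total_charged_ns;
	else
		throughput = PAGE_SIZE * 1024;	/* initial guess: 4 MiB per ms */
	esz = throughput * q->ms;
	if (fixed)
		esz = esz > DAMON_MIN_REGION ? esz : DAMON_MIN_REGION;
	if (q->sz && q->sz < esz)
		esz = q->sz;
	q->esz = esz;
}

/* Simplified stand-in for one charge window (constructed, not DAMON's code):
 * the action is applied in DAMON_MIN_REGION units, so an esz below that size
 * applies nothing and, crucially, charges nothing.  Returns bytes applied. */
static uint64_t charge_window(struct damos_quota *q, uint64_t ns_per_page)
{
	uint64_t applied = q->esz - q->esz % DAMON_MIN_REGION;

	q->total_charged_sz += applied;
	q->total_charged_ns += applied / PAGE_SIZE * ns_per_page;
	return applied;
}

/* Run n windows; the first is pathologically slow (slow_ns_per_page), the
 * rest run at ns_per_page.  Returns how many windows applied nothing. */
static unsigned count_idle_windows(bool fixed, unsigned n,
				   uint64_t slow_ns_per_page, uint64_t ns_per_page)
{
	struct damos_quota q = { .ms = 1, .sz = 0 };
	unsigned idle = 0, i;

	for (i = 0; i < n; i++) {
		set_effective_quota(&q, fixed);
		if (charge_window(&q, i == 0 ? slow_ns_per_page : ns_per_page) == 0)
			idle++;
	}
	return idle;
}

/* The esz computed for the second window after one slow first window. */
static uint64_t esz_after_slow_window(bool fixed, uint64_t slow_ns_per_page)
{
	struct damos_quota q = { .ms = 1, .sz = 0 };

	set_effective_quota(&q, fixed);
	charge_window(&q, slow_ns_per_page);
	set_effective_quota(&q, fixed);
	return q.esz;
}

int main(void)
{
	/* Constructed rates: 2 ms per page in the slow window, 1 us afterwards. */
	printf("esz after slow window: unfixed %llu, fixed %llu\n",
	       (unsigned long long)esz_after_slow_window(false, 2000000),
	       (unsigned long long)esz_after_slow_window(true, 2000000));
	printf("idle windows out of 10: unfixed %u, fixed %u\n",
	       count_idle_windows(false, 10, 2000000, 1000),
	       count_idle_windows(true, 10, 2000000, 1000));
	return 0;
}
```

Without the added line the second window's esz is 2048 bytes, below one page, and every later window applies nothing because the charged counters never move again; with it, esz is clamped to a page and the scheme keeps making progress.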

* [PATCH 6.6 448/474] rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Hyunwoo Kim, Jiayuan Chen,
	David Howells, Linus Torvalds, Wentao Guan

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hyunwoo Kim <imv4bel@gmail.com>

commit aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71 upstream.

The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE
handler in rxrpc_verify_response() copy the skb to a linear one before
calling into the security ops only when skb_cloned() is true.  An skb
that is not cloned but still carries externally-owned paged fragments
(e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via
__ip_append_data, or a chained skb_has_frag_list()) falls through to
the in-place decryption path, which binds the frag pages directly into
the AEAD/skcipher SGL via skb_to_sgvec().

Extend the gate to also unshare when skb_has_frag_list() or
skb_has_shared_frag() is true.  This catches the splice-loopback vector
and other externally-shared frag sources while preserving the
zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC
page_pool RX, GRO).  The OOM/trace handling already in place is reused.

Fixes: d0d5c0cd1e71 ("rxrpc: Use skb_unshare() rather than skb_cow_data()")
Cc: stable@vger.kernel.org
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/rxrpc/call_event.c |    4 +++-
 net/rxrpc/conn_event.c |    3 ++-
 2 files changed, 5 insertions(+), 2 deletions(-)

--- a/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -461,7 +461,9 @@ bool rxrpc_input_call_event(struct rxrpc
 
 		if (sp->hdr.type == RXRPC_PACKET_TYPE_DATA &&
 		    sp->hdr.securityIndex != 0 &&
-		    skb_cloned(skb)) {
+		    (skb_cloned(skb) ||
+		     skb_has_frag_list(skb) ||
+		     skb_has_shared_frag(skb))) {
 			/* Unshare the packet so that it can be modified by
 			 * in-place decryption.
 			 */
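Review bot: skb_has_frag_list() also matches kernel-private chained skbs, not only externally shared ones, so every frag-list skb now pays for a full copy; that is correct, but if this path ever receives frag-list skbs from GRO the cost will show, so the commit message's claim that the zero-copy fast path is preserved for GRO is worth measuring rather than assuming. The widened condition is otherwise the minimal change needed to cover the splice()-into-UDP case it describes.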
--- a/net/rxrpc/conn_event.c
+++ b/net/rxrpc/conn_event.c
@@ -231,7 +231,8 @@ static int rxrpc_verify_response(struct
 {
 	int ret;
 
-	if (skb_cloned(skb)) {
+	if (skb_cloned(skb) || skb_has_frag_list(skb) ||
+	    skb_has_shared_frag(skb)) {
 		/* Copy the packet if shared so that we can do in-place
 		 * decryption.
 		 */
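Review bot: the condition now mirrors the call_event.c change, but the comment directly below still reads "Copy the packet if shared"; updating it to mention frag lists and shared frags would keep both sites self-explanatory.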




* [PATCH 6.6 449/474] mm/damon/core: implement damon_kdamond_pid()
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, SeongJae Park, Andrew Morton

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: SeongJae Park <sj@kernel.org>

commit 4262c53236977de3ceaa3bf2aefdf772c9b874dd upstream.

Patch series "mm/damon: hide kdamond and kdamond_lock from API callers".

'kdamond' and 'kdamond_lock' fields were initially exposed to DAMON API callers
for flexible synchronization and use cases.  As DAMON API became somewhat
complicated compared to the early days, keeping those exposed could only
encourage the API callers to invent more creative but complicated and
difficult-to-debug use cases.

Fortunately DAMON API callers didn't invent that many creative use cases.
There exist only two use cases of 'kdamond' and 'kdamond_lock'.  Finding
whether the kdamond is actively running, and getting the pid of the
kdamond.  For the first use case, a dedicated API function, namely
'damon_is_running()' is provided, and all DAMON API callers are using the
function for the use case.  Hence only the second use case is where the
fields are directly being used by DAMON API callers.

To prevent future invention of complicated and erroneous use cases of the
fields, hide the fields from the API callers.  For that, provide new
dedicated DAMON API functions for the remaining use case, namely
damon_kdamond_pid(), migrate DAMON API callers to use the new function,
and mark the fields as private fields.


This patch (of 5):

'kdamond' and 'kdamond_lock' are directly being used by DAMON API callers
for getting the pid of the corresponding kdamond.  To discourage invention
of creative but complicated and erroneous new usages of the fields that
require careful synchronization, implement a new API function that can
simply be used without the manual synchronizations.

Link: https://lkml.kernel.org/r/20260115152047.68415-1-sj@kernel.org
Link: https://lkml.kernel.org/r/20260115152047.68415-2-sj@kernel.org
Signed-off-by: SeongJae Park <sj@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: SeongJae Park <sj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/damon.h |    1 +
 mm/damon/core.c       |   17 +++++++++++++++++
 2 files changed, 18 insertions(+)

--- a/include/linux/damon.h
+++ b/include/linux/damon.h
@@ -677,6 +677,7 @@ static inline unsigned int damon_max_nr_
 
 int damon_start(struct damon_ctx **ctxs, int nr_ctxs, bool exclusive);
 int damon_stop(struct damon_ctx **ctxs, int nr_ctxs);
+int damon_kdamond_pid(struct damon_ctx *ctx);
 
 int damon_set_region_biggest_system_ram_default(struct damon_target *t,
 				unsigned long *start, unsigned long *end);
--- a/mm/damon/core.c
+++ b/mm/damon/core.c
@@ -762,6 +762,23 @@ int damon_stop(struct damon_ctx **ctxs,
 	return err;
 }
 
+/**
+ * damon_kdamond_pid() - Return pid of a given DAMON context's worker thread.
+ * @ctx:	The DAMON context of the question.
+ *
+ * Return: pid if @ctx is running, negative error code otherwise.
+ */
+int damon_kdamond_pid(struct damon_ctx *ctx)
+{
+	int pid = -EINVAL;
+
+	mutex_lock(&ctx->kdamond_lock);
+	if (ctx->kdamond)
+		pid = ctx->kdamond->pid;
+	mutex_unlock(&ctx->kdamond_lock);
+	return pid;
+}
+
 /*
  * Reset the aggregated monitoring results ('nr_accesses' of each region).
  */
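Review bot: the lock only covers reading ctx->kdamond->pid, so the value is a snapshot that can be stale as soon as the function returns (the kdamond may exit right after); that matches the documented contract, but callers must not use the returned pid to conclude the thread is still running. -EINVAL for a stopped context is unambiguous since a pid is never negative.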




* [PATCH 6.6 450/474] mm/damon/lru_sort: detect and use fresh enabled and kdamond_pid values
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Liew Rui Yan, SeongJae Park,
	Andrew Morton

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: SeongJae Park <sj@kernel.org>

commit b98b7ff6025ae82570d4915e083f0cbd8d48b3cf upstream.

DAMON_LRU_SORT updates the 'enabled' and 'kdamond_pid' parameter values, which
represent the running status of its kdamond, when the user explicitly
requests start/stop of the kdamond.  The kdamond can, however, also be
stopped by the following three events other than an explicit user
request.

1. ctx->regions_score_histogram allocation failure at beginning of the
   execution,
2. damon_commit_ctx() failure due to invalid user input, and
3. damon_commit_ctx() failure due to its internal allocation failures.

Hence, if the kdamond is stopped by the above three events, the values of
the status parameters can be stale.  Users could show the stale values and
be confused.  This is already bad, but the real consequence is worse.
DAMON_LRU_SORT avoids unnecessary damon_start() and damon_stop() calls
based on the 'enabled' parameter value.  And the update of 'enabled'
parameter value depends on the damon_start() and damon_stop() call
results.  Hence, once the kdamond has stopped by the unintentional events,
the user cannot restart the kdamond before the system reboot.  For
example, the issue can be reproduced via below steps.

    # cd /sys/module/damon_lru_sort/parameters
    #
    # # start DAMON_LRU_SORT
    # echo Y > enabled
    # ps -ef | grep kdamond
    root         806       2  0 17:53 ?        00:00:00 [kdamond.0]
    root         808     803  0 17:53 pts/4    00:00:00 grep kdamond
    #
    # # commit wrong input to stop kdamond without explicit stop request
    # echo 3 > addr_unit
    # echo Y > commit_inputs
    bash: echo: write error: Invalid argument
    #
    # # confirm kdamond is stopped
    # ps -ef | grep kdamond
    root         811     803  0 17:53 pts/4    00:00:00 grep kdamond
    #
    # # users can now show stale status
    # cat enabled
    Y
    # cat kdamond_pid
    806
    #
    # # even after fixing the wrong parameter,
    # # kdamond cannot be restarted.
    # echo 1 > addr_unit
    # echo Y > enabled
    # ps -ef | grep kdamond
    root         815     803  0 17:54 pts/4    00:00:00 grep kdamond

The problem will only rarely happen in real and common setups for the
following reasons.  The allocation failures are unlikely in such setups
since those allocations are arguably too small to fail.  Also sane users
on real production environments may not commit wrong input parameters.
But once it happens, the consequence is quite bad.  And the bug is a bug.

The issue stems from the fact that there are multiple events that can
change the status, and following all the events is challenging.
Dynamically detect and use the fresh status for the parameters when those
are requested.

Link: https://lore.kernel.org/20260419161003.79176-3-sj@kernel.org
Fixes: 40e983cca927 ("mm/damon: introduce DAMON-based LRU-lists Sorting")
Co-developed-by: Liew Rui Yan <aethernet65535@gmail.com>
Signed-off-by: Liew Rui Yan <aethernet65535@gmail.com>
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: <stable@vger.kernel.org> # 6.0.x
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: SeongJae Park <sj@kernel.org>
(port parts of 42b7491af14c ("mm/damon/core: introduce damon_call()")
and d2b5be741a50 ("mm/damon/sysfs: use DAMON core API
damon_is_running()") for damon_is_running() dependency)
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/damon.h |    1 
 mm/damon/core.c       |   16 +++++++++
 mm/damon/lru_sort.c   |   88 +++++++++++++++++++++++++++++++-------------------
 3 files changed, 73 insertions(+), 32 deletions(-)

--- a/include/linux/damon.h
+++ b/include/linux/damon.h
@@ -677,6 +677,7 @@ static inline unsigned int damon_max_nr_
 
 int damon_start(struct damon_ctx **ctxs, int nr_ctxs, bool exclusive);
 int damon_stop(struct damon_ctx **ctxs, int nr_ctxs);
+bool damon_is_running(struct damon_ctx *ctx);
 int damon_kdamond_pid(struct damon_ctx *ctx);
 
 int damon_set_region_biggest_system_ram_default(struct damon_target *t,
--- a/mm/damon/core.c
+++ b/mm/damon/core.c
@@ -763,6 +763,22 @@ int damon_stop(struct damon_ctx **ctxs,
 }
 
 /**
+ * damon_is_running() - Returns if a given DAMON context is running.
+ * @ctx:	The DAMON context to see if running.
+ *
+ * Return: true if @ctx is running, false otherwise.
+ */
+bool damon_is_running(struct damon_ctx *ctx)
+{
+	bool running;
+
+	mutex_lock(&ctx->kdamond_lock);
+	running = ctx->kdamond != NULL;
+	mutex_unlock(&ctx->kdamond_lock);
+	return running;
+}
+
+/**
  * damon_kdamond_pid() - Return pid of a given DAMON context's worker thread.
  * @ctx:	The DAMON context of the question.
  *
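Review bot: damon_is_running() hands back a snapshot taken under kdamond_lock, so by the time a caller acts on the result the kdamond may already have started or exited; that is fine only if damon_start()/damon_stop() re-validate ctx->kdamond under the same lock on their own, and the kernel-doc should say so rather than leave callers to assume the value is still current. Minor: the summary line reads more naturally as "damon_is_running() - Return whether a given DAMON context is running."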
--- a/mm/damon/lru_sort.c
+++ b/mm/damon/lru_sort.c
@@ -111,15 +111,6 @@ module_param(monitor_region_start, ulong
 static unsigned long monitor_region_end __read_mostly;
 module_param(monitor_region_end, ulong, 0600);
 
-/*
- * PID of the DAMON thread
- *
- * If DAMON_LRU_SORT is enabled, this becomes the PID of the worker thread.
- * Else, -1.
- */
-static int kdamond_pid __read_mostly = -1;
-module_param(kdamond_pid, int, 0400);
-
 static struct damos_stat damon_lru_sort_hot_stat;
 DEFINE_DAMON_MODULES_DAMOS_STATS_PARAMS(damon_lru_sort_hot_stat,
 		lru_sort_tried_hot_regions, lru_sorted_hot_regions,
@@ -249,60 +240,93 @@ static int damon_lru_sort_turn(bool on)
 {
 	int err;
 
-	if (!on) {
-		err = damon_stop(&ctx, 1);
-		if (!err)
-			kdamond_pid = -1;
-		return err;
-	}
+	if (!on)
+		return damon_stop(&ctx, 1);
 
 	err = damon_lru_sort_apply_parameters();
 	if (err)
 		return err;
 
-	err = damon_start(&ctx, 1, true);
-	if (err)
-		return err;
-	kdamond_pid = ctx->kdamond->pid;
-	return 0;
+	return damon_start(&ctx, 1, true);
+}
+
+static bool damon_lru_sort_enabled(void)
+{
+	if (!ctx)
+		return false;
+	return damon_is_running(ctx);
 }
 
 static int damon_lru_sort_enabled_store(const char *val,
 		const struct kernel_param *kp)
 {
-	bool is_enabled = enabled;
-	bool enable;
 	int err;
 
-	err = kstrtobool(val, &enable);
+	err = kstrtobool(val, &enabled);
 	if (err)
 		return err;
 
-	if (is_enabled == enable)
+	if (damon_lru_sort_enabled() == enabled)
 		return 0;
 
 	/* Called before init function.  The function will handle this. */
 	if (!ctx)
-		goto set_param_out;
+		return 0;
 
-	err = damon_lru_sort_turn(enable);
-	if (err)
-		return err;
+	return damon_lru_sort_turn(enabled);
+}
 
-set_param_out:
-	enabled = enable;
-	return err;
+static int damon_lru_sort_enabled_load(char *buffer,
+		const struct kernel_param *kp)
+{
+	return sprintf(buffer, "%c\n", damon_lru_sort_enabled() ? 'Y' : 'N');
 }
 
 static const struct kernel_param_ops enabled_param_ops = {
 	.set = damon_lru_sort_enabled_store,
-	.get = param_get_bool,
+	.get = damon_lru_sort_enabled_load,
 };
 
 module_param_cb(enabled, &enabled_param_ops, &enabled, 0600);
 MODULE_PARM_DESC(enabled,
 	"Enable or disable DAMON_LRU_SORT (default: disabled)");
 
+static int damon_lru_sort_kdamond_pid_store(const char *val,
+		const struct kernel_param *kp)
+{
+	/*
+	 * kdamond_pid is read-only, but kernel command line could write it.
+	 * Do nothing here.
+	 */
+	return 0;
+}
+
+static int damon_lru_sort_kdamond_pid_load(char *buffer,
+		const struct kernel_param *kp)
+{
+	int kdamond_pid = -1;
+
+	if (ctx) {
+		kdamond_pid = damon_kdamond_pid(ctx);
+		if (kdamond_pid < 0)
+			kdamond_pid = -1;
+	}
+	return sprintf(buffer, "%d\n", kdamond_pid);
+}
+
+static const struct kernel_param_ops kdamond_pid_param_ops = {
+	.set = damon_lru_sort_kdamond_pid_store,
+	.get = damon_lru_sort_kdamond_pid_load,
+};
+
+/*
+ * PID of the DAMON thread
+ *
+ * If DAMON_LRU_SORT is enabled, this becomes the PID of the worker thread.
+ * Else, -1.
+ */
+module_param_cb(kdamond_pid, &kdamond_pid_param_ops, NULL, 0400);
+
 static int damon_lru_sort_handle_commit_inputs(void)
 {
 	int err;
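Review bot: after `kstrtobool(val, &enabled)` in damon_lru_sort_enabled_store() the `enabled` variable records the requested state even when damon_lru_sort_turn() subsequently fails, so it can disagree with what damon_lru_sort_enabled_load() reports; that is acceptable because the getter no longer reads the variable, but a comment at the variable (or at this store) saying that `enabled` now means "requested" rather than "running" would spare the next reader a hunt through the callers. Related nit: `module_param_cb(enabled, &enabled_param_ops, &enabled, 0600)` still passes `&enabled` as the arg although neither callback uses kp->arg; passing NULL, as the new kdamond_pid registration does, would make the two consistent.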



^ permalink raw reply	[flat|nested] 476+ messages in thread

* [PATCH 6.6 451/474] usb: typec: tcpm: reset internal port states on soft reset AMS
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (449 preceding siblings ...)
  2026-05-15 15:49 ` [PATCH 6.6 450/474] mm/damon/lru_sort: detect and use fresh enabled and kdamond_pid values Greg Kroah-Hartman
@ 2026-05-15 15:49 ` Greg Kroah-Hartman
  2026-05-15 15:49 ` [PATCH 6.6 452/474] mm/damon/reclaim: detect and use fresh enabled and kdamond_pid values Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Amit Sunil Dhamne, stable,
	Badhri Jagan Sridharan, Heikki Krogerus

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Amit Sunil Dhamne <amitsd@google.com>

commit 2909f0d4994fb4306bf116df5ccee797791fce2c upstream.

Reset internal port states (such as vdm_sm_running and
explicit_contract) on soft reset AMS as the port needs to negotiate a
new contract. The consequences of leaving the states as-is are as
follows:
  * port is in SRC power role and an explicit contract is negotiated
    with the port partner (in sink role)
  * port partner sends a Soft Reset AMS while VDM State Machine is
    running
  * port accepts the Soft Reset request and the port advertises src caps
  * port partner sends a Request message but since the explicit_contract
    and vdm_sm_running are true from previous negotiation, the port ends
    up sending Soft Reset instead of Accept msg.

Stub Log:
[  203.653942] AMS DISCOVER_IDENTITY start
[  203.653947] PD TX, header: 0x176f
[  203.655901] PD TX complete, status: 0
[  203.657470] PD RX, header: 0x124f [1]
[  203.657477] Rx VDM cmd 0xff008081 type 2 cmd 1 len 1
[  203.657482] AMS DISCOVER_IDENTITY finished
[  203.657484] cc:=4
[  204.155698] PD RX, header: 0x144f [1]
[  204.155718] Rx VDM cmd 0xeeee8001 type 0 cmd 1 len 1
[  204.155741] PD TX, header: 0x196f
[  204.157622] PD TX complete, status: 0
[  204.160060] PD RX, header: 0x4d [1]
[  204.160066] state change SRC_READY -> SOFT_RESET [rev2 SOFT_RESET_AMS]
[  204.160076] PD TX, header: 0x163
[  204.162486] PD TX complete, status: 0
[  204.162832] AMS SOFT_RESET_AMS finished
[  204.162840] cc:=4
[  204.162891] AMS POWER_NEGOTIATION start
[  204.162896] state change SOFT_RESET -> AMS_START [rev2 POWER_NEGOTIATION]
[  204.162908] state change AMS_START -> SRC_SEND_CAPABILITIES [rev2 POWER_NEGOTIATION]
[  204.162913] PD TX, header: 0x1361
[  204.165529] PD TX complete, status: 0
[  204.165571] pending state change SRC_SEND_CAPABILITIES -> SRC_SEND_CAPABILITIES_TIMEOUT @ 60 ms [rev2 POWER_NEGOTIATION]
[  204.166996] PD RX, header: 0x1242 [1]
[  204.167009] state change SRC_SEND_CAPABILITIES -> SRC_SOFT_RESET_WAIT_SNK_TX [rev2 POWER_NEGOTIATION]
[  204.167019] AMS POWER_NEGOTIATION finished
[  204.167020] cc:=4
[  204.167083] AMS SOFT_RESET_AMS start
[  204.167086] state change SRC_SOFT_RESET_WAIT_SNK_TX -> SOFT_RESET_SEND [rev2 SOFT_RESET_AMS]
[  204.167092] PD TX, header: 0x16d
[  204.168824] PD TX complete, status: 0
[  204.168854] pending state change SOFT_RESET_SEND -> HARD_RESET_SEND @ 60 ms [rev2 SOFT_RESET_AMS]
[  204.171876] PD RX, header: 0x43 [1]
[  204.171879] AMS SOFT_RESET_AMS finished

This causes COMMON.PROC.PD.11.2 check failure for
TEST.PD.VDM.SRC.2_Rev2Src test on the PD compliance tester.

Signed-off-by: Amit Sunil Dhamne <amitsd@google.com>
Fixes: 8d3a0578ad1a ("usb: typec: tcpm: Respond Wait if VDM state machine is running")
Fixes: f0690a25a140 ("staging: typec: USB Type-C Port Manager (tcpm)")
Cc: stable <stable@kernel.org>
Reviewed-by: Badhri Jagan Sridharan <badhri@google.com>
Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/20260414-fix-soft-reset-v1-1-01d7cb9764e2@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/tcpm/tcpm.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -4610,6 +4610,8 @@ static void run_state_machine(struct tcp
 		usb_power_delivery_unregister_capabilities(port->partner_source_caps);
 		port->partner_source_caps = NULL;
 		tcpm_pd_send_control(port, PD_CTRL_ACCEPT);
+		port->vdm_sm_running = false;
+		port->explicit_contract = false;
 		tcpm_ams_finish(port);
 		if (port->pwr_role == TYPEC_SOURCE) {
 			port->upcoming_state = SRC_SEND_CAPABILITIES;
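Review bot: the two resets sit between tcpm_pd_send_control(port, PD_CTRL_ACCEPT) and tcpm_ams_finish(port) with no comment, while the reasoning lives only in the commit message; a one-line comment ("Soft Reset invalidates the explicit contract and any running VDM state machine; a new contract is negotiated next") keeps the intent with the code. The same comment should confirm that the reset is meant for both power roles, since the following `if (port->pwr_role == TYPEC_SOURCE)` shows this path is shared and the commit message only walks through the SRC case.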




* [PATCH 6.6 452/474] mm/damon/reclaim: detect and use fresh enabled and kdamond_pid values
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (450 preceding siblings ...)
  2026-05-15 15:49 ` [PATCH 6.6 451/474] usb: typec: tcpm: reset internal port states on soft reset AMS Greg Kroah-Hartman
@ 2026-05-15 15:49 ` Greg Kroah-Hartman
  2026-05-15 15:49 ` [PATCH 6.6 453/474] ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Liew Rui Yan, SeongJae Park,
	Andrew Morton

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: SeongJae Park <sj@kernel.org>

commit 64a140afa5ed1c6f5ba6d451512cbdbbab1ba339 upstream.

Patch series "mm/damon/modules: detect and use fresh status", v3.

DAMON modules including DAMON_RECLAIM, DAMON_LRU_SORT and DAMON_STAT
commonly expose the kdamond running status via their parameters.  Under
certain scenarios including wrong user inputs and memory allocation
failures, those parameter values can be stale.  It can confuse users.  For
DAMON_RECLAIM and DAMON_LRU_SORT, it even makes the kdamond unable to be
restarted before the system reboot.

The problem comes from the fact that there are multiple events for the
status changes and it is difficult to follow up all the scenarios.  Fix
the issue by detecting and using the status on demand, instead of using a
cached status that is difficult to update.

Patches 1-3 fix the bugs in DAMON_RECLAIM, DAMON_LRU_SORT and DAMON_STAT
in that order.


This patch (of 3):

DAMON_RECLAIM updates the 'enabled' and 'kdamond_pid' parameter values, which
represent the running status of its kdamond, when the user explicitly
requests start/stop of the kdamond.  The kdamond can, however, be stopped
by events other than the explicit user request, namely the following three
events.

1. ctx->regions_score_histogram allocation failure at beginning of the
   execution,
2. damon_commit_ctx() failure due to invalid user input, and
3. damon_commit_ctx() failure due to its internal allocation failures.

Hence, if the kdamond is stopped by the above three events, the values of
the status parameters can be stale.  Users could show the stale values and
be confused.  This is already bad, but the real consequence is worse.
DAMON_RECLAIM avoids unnecessary damon_start() and damon_stop() calls
based on the 'enabled' parameter value.  And the update of 'enabled'
parameter value depends on the damon_start() and damon_stop() call
results.  Hence, once the kdamond has been stopped by the unintentional
events, the user cannot restart the kdamond before the system reboot.  For
example, the issue can be reproduced via the steps below.

    # cd /sys/module/damon_reclaim/parameters
    #
    # # start DAMON_RECLAIM
    # echo Y > enabled
    # ps -ef | grep kdamond
    root         806       2  0 17:53 ?        00:00:00 [kdamond.0]
    root         808     803  0 17:53 pts/4    00:00:00 grep kdamond
    #
    # # commit wrong input to stop kdamond without explicit stop request
    # echo 3 > addr_unit
    # echo Y > commit_inputs
    bash: echo: write error: Invalid argument
    #
    # # confirm kdamond is stopped
    # ps -ef | grep kdamond
    root         811     803  0 17:53 pts/4    00:00:00 grep kdamond
    #
    # # users can now show stale status
    # cat enabled
    Y
    # cat kdamond_pid
    806
    #
    # # even after fixing the wrong parameter,
    # # kdamond cannot be restarted.
    # echo 1 > addr_unit
    # echo Y > enabled
    # ps -ef | grep kdamond
    root         815     803  0 17:54 pts/4    00:00:00 grep kdamond

The problem will only rarely happen in real and common setups for the
following reasons.  The allocation failures are unlikely in such setups
since those allocations are arguably too small to fail.  Also sane users
on real production environments may not commit wrong input parameters.
But once it happens, the consequence is quite bad.  And the bug is a bug.

The issue stems from the fact that there are multiple events that can
change the status, and following all the events is challenging.
Dynamically detect and use the fresh status for the parameters when those
are requested.

Link: https://lore.kernel.org/20260419161003.79176-1-sj@kernel.org
Link: https://lore.kernel.org/20260419161003.79176-2-sj@kernel.org
Fixes: e035c280f6df ("mm/damon/reclaim: support online inputs update")
Co-developed-by: Liew Rui Yan <aethernet65535@gmail.com>
Signed-off-by: Liew Rui Yan <aethernet65535@gmail.com>
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: <stable@vger.kernel.org> # 5.19.x
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: SeongJae Park <sj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/damon/reclaim.c |   88 +++++++++++++++++++++++++++++++++--------------------
 1 file changed, 56 insertions(+), 32 deletions(-)

--- a/mm/damon/reclaim.c
+++ b/mm/damon/reclaim.c
@@ -107,15 +107,6 @@ module_param(monitor_region_end, ulong,
 static bool skip_anon __read_mostly;
 module_param(skip_anon, bool, 0600);
 
-/*
- * PID of the DAMON thread
- *
- * If DAMON_RECLAIM is enabled, this becomes the PID of the worker thread.
- * Else, -1.
- */
-static int kdamond_pid __read_mostly = -1;
-module_param(kdamond_pid, int, 0400);
-
 static struct damos_stat damon_reclaim_stat;
 DEFINE_DAMON_MODULES_DAMOS_STATS_PARAMS(damon_reclaim_stat,
 		reclaim_tried_regions, reclaimed_regions, quota_exceeds);
@@ -203,60 +194,93 @@ static int damon_reclaim_turn(bool on)
 {
 	int err;
 
-	if (!on) {
-		err = damon_stop(&ctx, 1);
-		if (!err)
-			kdamond_pid = -1;
-		return err;
-	}
+	if (!on)
+		return damon_stop(&ctx, 1);
 
 	err = damon_reclaim_apply_parameters();
 	if (err)
 		return err;
 
-	err = damon_start(&ctx, 1, true);
-	if (err)
-		return err;
-	kdamond_pid = ctx->kdamond->pid;
-	return 0;
+	return damon_start(&ctx, 1, true);
+}
+
+static bool damon_reclaim_enabled(void)
+{
+	if (!ctx)
+		return false;
+	return damon_is_running(ctx);
 }
 
 static int damon_reclaim_enabled_store(const char *val,
 		const struct kernel_param *kp)
 {
-	bool is_enabled = enabled;
-	bool enable;
 	int err;
 
-	err = kstrtobool(val, &enable);
+	err = kstrtobool(val, &enabled);
 	if (err)
 		return err;
 
-	if (is_enabled == enable)
+	if (damon_reclaim_enabled() == enabled)
 		return 0;
 
 	/* Called before init function.  The function will handle this. */
 	if (!ctx)
-		goto set_param_out;
+		return 0;
 
-	err = damon_reclaim_turn(enable);
-	if (err)
-		return err;
+	return damon_reclaim_turn(enabled);
+}
 
-set_param_out:
-	enabled = enable;
-	return err;
+static int damon_reclaim_enabled_load(char *buffer,
+		const struct kernel_param *kp)
+{
+	return sprintf(buffer, "%c\n", damon_reclaim_enabled() ? 'Y' : 'N');
 }
 
 static const struct kernel_param_ops enabled_param_ops = {
 	.set = damon_reclaim_enabled_store,
-	.get = param_get_bool,
+	.get = damon_reclaim_enabled_load,
 };
 
 module_param_cb(enabled, &enabled_param_ops, &enabled, 0600);
 MODULE_PARM_DESC(enabled,
 	"Enable or disable DAMON_RECLAIM (default: disabled)");
 
+static int damon_reclaim_kdamond_pid_store(const char *val,
+		const struct kernel_param *kp)
+{
+	/*
+	 * kdamond_pid is read-only, but kernel command line could write it.
+	 * Do nothing here.
+	 */
+	return 0;
+}
+
+static int damon_reclaim_kdamond_pid_load(char *buffer,
+		const struct kernel_param *kp)
+{
+	int kdamond_pid = -1;
+
+	if (ctx) {
+		kdamond_pid = damon_kdamond_pid(ctx);
+		if (kdamond_pid < 0)
+			kdamond_pid = -1;
+	}
+	return sprintf(buffer, "%d\n", kdamond_pid);
+}
+
+static const struct kernel_param_ops kdamond_pid_param_ops = {
+	.set = damon_reclaim_kdamond_pid_store,
+	.get = damon_reclaim_kdamond_pid_load,
+};
+
+/*
+ * PID of the DAMON thread
+ *
+ * If DAMON_RECLAIM is enabled, this becomes the PID of the worker thread.
+ * Else, -1.
+ */
+module_param_cb(kdamond_pid, &kdamond_pid_param_ops, NULL, 0400);
+
 static int damon_reclaim_handle_commit_inputs(void)
 {
 	int err;
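Review bot: damon_reclaim_kdamond_pid_load() folds every negative damon_kdamond_pid() result into -1, so a genuine error return would be indistinguishable from "not running"; if -1 for any negative value is the intended contract (the comment above module_param_cb() only promises -1 when DAMON_RECLAIM is disabled), say so next to the `if (kdamond_pid < 0)` check, otherwise consider surfacing the error. The damon_reclaim_kdamond_pid_store() stub silently discards a value supplied on the kernel command line; a pr_warn_once() there would make the unsupported write visible instead of swallowing it.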




* [PATCH 6.6 453/474] ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (451 preceding siblings ...)
  2026-05-15 15:49 ` [PATCH 6.6 452/474] mm/damon/reclaim: detect and use fresh enabled and kdamond_pid values Greg Kroah-Hartman
@ 2026-05-15 15:49 ` Greg Kroah-Hartman
  2026-05-15 15:49 ` [PATCH 6.6 454/474] mtd: spi-nor: sst: Factor out common write operation to `sst_nor_write_data()` Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, munan Huang, ChenXiaoSong,
	Namjae Jeon, Steve French, Alva Lan

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Namjae Jeon <linkinjeon@kernel.org>

commit 235e32320a470fcd3998fb3774f2290a0eb302a1 upstream.

When a durable file handle survives session disconnect (TCP close without
SMB2_LOGOFF), session_fd_check() sets fp->conn = NULL to preserve the
handle for later reconnection. However, it did not clean up the byte-range
locks on fp->lock_list.

Later, when the durable scavenger thread times out and calls
__ksmbd_close_fd(NULL, fp), the lock cleanup loop did:

    spin_lock(&fp->conn->llist_lock);

This caused a slab use-after-free because fp->conn was NULL and the
original connection object had already been freed by
ksmbd_tcp_disconnect().

The root cause is asymmetric cleanup: lock entries (smb_lock->clist) were
left dangling on the freed conn->lock_list while fp->conn was nulled out.

To fix this issue properly, we need to handle the lifetime of
smb_lock->clist across three paths:
 - Safely skip clist deletion when the list is empty and fp->conn is NULL.
 - Remove the lock from the old connection's lock_list in
   session_fd_check().
 - Re-add the lock to the new connection's lock_list in
   ksmbd_reopen_durable_fd().

Fixes: c8efcc786146 ("ksmbd: add support for durable handles v1/v2")
Co-developed-by: munan Huang <munanevil@gmail.com>
Signed-off-by: munan Huang <munanevil@gmail.com>
Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ Minor context conflict resolved. ]
Signed-off-by: Alva Lan <alvalan9@foxmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/smb/server/vfs_cache.c |   40 ++++++++++++++++++++++++++++++----------
 1 file changed, 30 insertions(+), 10 deletions(-)

--- a/fs/smb/server/vfs_cache.c
+++ b/fs/smb/server/vfs_cache.c
@@ -356,9 +356,11 @@ static void __ksmbd_close_fd(struct ksmb
 	 * there are not accesses to fp->lock_list.
 	 */
 	list_for_each_entry_safe(smb_lock, tmp_lock, &fp->lock_list, flist) {
-		spin_lock(&fp->conn->llist_lock);
-		list_del(&smb_lock->clist);
-		spin_unlock(&fp->conn->llist_lock);
+		if (!list_empty(&smb_lock->clist) && fp->conn) {
+			spin_lock(&fp->conn->llist_lock);
+			list_del(&smb_lock->clist);
+			spin_unlock(&fp->conn->llist_lock);
+		}
 
 		list_del(&smb_lock->flist);
 		locks_free_lock(smb_lock->fl);
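Review bot: the new guard `!list_empty(&smb_lock->clist) && fp->conn` is only sound if every path that clears fp->conn first unlinks the locks with list_del_init(); a plain list_del() leaves poisoned pointers on which list_empty() is not a valid "unlinked" test. The session_fd_check() change in this patch establishes that invariant, but nothing here states it, so a comment naming it would protect against a future path that nulls fp->conn without unlinking. Also confirm that clist is initialised (or always linked) when the lock is created, since list_empty() on a never-initialised head is undefined behaviour.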
@@ -755,6 +757,7 @@ static bool session_fd_check(struct ksmb
 	struct ksmbd_inode *ci;
 	struct oplock_info *op;
 	struct ksmbd_conn *conn;
+	struct ksmbd_lock *smb_lock, *tmp_lock;
 
 	if (!is_reconnectable(fp))
 		return false;
@@ -771,6 +774,12 @@ static bool session_fd_check(struct ksmb
 	}
 	up_write(&ci->m_lock);
 
+	list_for_each_entry_safe(smb_lock, tmp_lock, &fp->lock_list, flist) {
+		spin_lock(&fp->conn->llist_lock);
+		list_del_init(&smb_lock->clist);
+		spin_unlock(&fp->conn->llist_lock);
+	}
+
 	fp->conn = NULL;
 	fp->tcon = NULL;
 	fp->volatile_id = KSMBD_NO_FID;
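Review bot: list_for_each_entry_safe() with tmp_lock is not needed in this loop; only clist is modified while the iteration walks flist, so list_for_each_entry() says what happens and the `tmp_lock` declaration added in the previous hunk can go. Taking and dropping fp->conn->llist_lock once per entry works, but a single acquisition around the loop is cheaper and matches how the entries are batched elsewhere. list_del_init() rather than list_del() is the right call here: it is what makes the list_empty() check in __ksmbd_close_fd() meaningful.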
@@ -844,6 +853,9 @@ int ksmbd_reopen_durable_fd(struct ksmbd
 {
 	struct ksmbd_inode *ci;
 	struct oplock_info *op;
+	struct ksmbd_conn *conn = work->conn;
+	struct ksmbd_lock *smb_lock;
+	unsigned int old_f_state;
 
 	if (!fp->is_durable || fp->conn || fp->tcon) {
 		pr_err("Invalid durable fd [%p:%p]\n", fp->conn, fp->tcon);
@@ -855,9 +867,23 @@ int ksmbd_reopen_durable_fd(struct ksmbd
 		return -EBADF;
 	}
 
-	fp->conn = work->conn;
+	old_f_state = fp->f_state;
+	fp->f_state = FP_NEW;
+	__open_id(&work->sess->file_table, fp, OPEN_ID_TYPE_VOLATILE_ID);
+	if (!has_file_id(fp->volatile_id)) {
+		fp->f_state = old_f_state;
+		return -EBADF;
+	}
+
+	fp->conn = conn;
 	fp->tcon = work->tcon;
 
+	list_for_each_entry(smb_lock, &fp->lock_list, flist) {
+		spin_lock(&conn->llist_lock);
+		list_add_tail(&smb_lock->clist, &conn->lock_list);
+		spin_unlock(&conn->llist_lock);
+	}
+
 	ci = fp->f_ci;
 	down_write(&ci->m_lock);
 	list_for_each_entry_rcu(op, &ci->m_op_list, op_entry) {
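Review bot: the f_state handling (`old_f_state = fp->f_state; fp->f_state = FP_NEW;` before __open_id(), restored on failure) has no explanation in the hunk; a comment on why __open_id() needs FP_NEW and why it was moved ahead of `fp->conn = conn` (the failure path no longer has to undo conn/tcon, so they stay NULL) would help the next reader. The re-add loop calls list_add_tail(&smb_lock->clist, ...) unconditionally, which is correct only because session_fd_check() left each clist in the list_del_init() state; a WARN_ON_ONCE(!list_empty(&smb_lock->clist)) before the add would make a violated assumption visible instead of silently corrupting conn->lock_list.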
@@ -868,12 +894,6 @@ int ksmbd_reopen_durable_fd(struct ksmbd
 	}
 	up_write(&ci->m_lock);
 
-	__open_id(&work->sess->file_table, fp, OPEN_ID_TYPE_VOLATILE_ID);
-	if (!has_file_id(fp->volatile_id)) {
-		fp->conn = NULL;
-		fp->tcon = NULL;
-		return -EBADF;
-	}
 	return 0;
 }
 




* [PATCH 6.6 454/474] mtd: spi-nor: sst: Factor out common write operation to `sst_nor_write_data()`
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (452 preceding siblings ...)
  2026-05-15 15:49 ` [PATCH 6.6 453/474] ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger Greg Kroah-Hartman
@ 2026-05-15 15:49 ` Greg Kroah-Hartman
  2026-05-15 15:49 ` [PATCH 6.6 455/474] mtd: spi-nor: sst: Fix write enable before AAI sequence Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Bence Csókás, Pratyush Yadav

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bence Csókás <csokas.bence@prolan.hu>

commit 18bcb4aa54eab75dce41e5c176a1c2bff94f0f79 upstream.

Writing to the Flash in `sst_nor_write()` is a 3-step process:
first an optional one-byte write to get 2-byte-aligned, then the
bulk of the data is written out in vendor-specific 2-byte writes.
Finally, if there's a byte left over, another one-byte write.
This was implemented 3 times in the body of `sst_nor_write()`.
To reduce code duplication, factor out these sub-steps to their
own function.

Signed-off-by: Csókás, Bence <csokas.bence@prolan.hu>
Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
[pratyush@kernel.org: fixup whitespace, use %zu instead of %i in WARN()]
Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
Link: https://lore.kernel.org/r/20240710091401.1282824-1-csokas.bence@prolan.hu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mtd/spi-nor/sst.c |   39 +++++++++++++++++++--------------------
 1 file changed, 19 insertions(+), 20 deletions(-)

--- a/drivers/mtd/spi-nor/sst.c
+++ b/drivers/mtd/spi-nor/sst.c
@@ -123,6 +123,21 @@ static const struct flash_info sst_nor_p
 		.fixups = &sst26vf_nor_fixups },
 };
 
+static int sst_nor_write_data(struct spi_nor *nor, loff_t to, size_t len,
+			      const u_char *buf)
+{
+	u8 op = (len == 1) ? SPINOR_OP_BP : SPINOR_OP_AAI_WP;
+	int ret;
+
+	nor->program_opcode = op;
+	ret = spi_nor_write_data(nor, to, 1, buf);
+	if (ret < 0)
+		return ret;
+	WARN(ret != len, "While writing %zu byte written %i bytes\n", len, ret);
+
+	return spi_nor_wait_till_ready(nor);
+}
+
 static int sst_nor_write(struct mtd_info *mtd, loff_t to, size_t len,
 			 size_t *retlen, const u_char *buf)
 {
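Review bot: `spi_nor_write_data(nor, to, 1, buf)` in sst_nor_write_data() hard-codes a length of 1 although the helper is called with len == 2 on the AAI path (see the loop hunk below), so only one byte of each word is handed to the controller and `WARN(ret != len, ...)` fires on every two-byte write; this should be `spi_nor_write_data(nor, to, len, buf)`. The WARN message also says "byte" regardless of len; "While writing %zu bytes written %i bytes" reads correctly for both cases.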
@@ -144,16 +159,10 @@ static int sst_nor_write(struct mtd_info
 
 	/* Start write from odd address. */
 	if (to % 2) {
-		nor->program_opcode = SPINOR_OP_BP;
-
 		/* write one byte. */
-		ret = spi_nor_write_data(nor, to, 1, buf);
+		ret = sst_nor_write_data(nor, to, 1, buf);
 		if (ret < 0)
 			goto out;
-		WARN(ret != 1, "While writing 1 byte written %i bytes\n", ret);
-		ret = spi_nor_wait_till_ready(nor);
-		if (ret)
-			goto out;
 
 		to++;
 		actual++;
@@ -161,16 +170,11 @@ static int sst_nor_write(struct mtd_info
 
 	/* Write out most of the data here. */
 	for (; actual < len - 1; actual += 2) {
-		nor->program_opcode = SPINOR_OP_AAI_WP;
-
 		/* write two bytes. */
-		ret = spi_nor_write_data(nor, to, 2, buf + actual);
+		ret = sst_nor_write_data(nor, to, 2, buf + actual);
 		if (ret < 0)
 			goto out;
-		WARN(ret != 2, "While writing 2 bytes written %i bytes\n", ret);
-		ret = spi_nor_wait_till_ready(nor);
-		if (ret)
-			goto out;
+
 		to += 2;
 		nor->sst_write_second = true;
 	}
@@ -190,14 +194,9 @@ static int sst_nor_write(struct mtd_info
 		if (ret)
 			goto out;
 
-		nor->program_opcode = SPINOR_OP_BP;
-		ret = spi_nor_write_data(nor, to, 1, buf + actual);
+		ret = sst_nor_write_data(nor, to, 1, buf + actual);
 		if (ret < 0)
 			goto out;
-		WARN(ret != 1, "While writing 1 byte written %i bytes\n", ret);
-		ret = spi_nor_wait_till_ready(nor);
-		if (ret)
-			goto out;
 
 		actual += 1;
 




* [PATCH 6.6 455/474] mtd: spi-nor: sst: Fix write enable before AAI sequence
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (453 preceding siblings ...)
  2026-05-15 15:49 ` [PATCH 6.6 454/474] mtd: spi-nor: sst: Factor out common write operation to `sst_nor_write_data()` Greg Kroah-Hartman
@ 2026-05-15 15:49 ` Greg Kroah-Hartman
  2026-05-15 15:49 ` [PATCH 6.6 456/474] pwm: imx-tpm: Count the number of enabled channels in probe Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sanjaikumar V S, Hendrik Donner,
	Pratyush Yadav (Google)

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sanjaikumar V S <sanjaikumar.vs@dicortech.com>

commit a0f64241d3566a49c0a9b33ba7ae458ae22003a9 upstream.

When writing to SST flash starting at an odd address, a single byte is
first programmed using the byte program (BP) command. After this
operation completes, the flash hardware automatically clears the Write
Enable Latch (WEL) bit.

If an AAI (Auto Address Increment) word program sequence follows, it
requires WEL to be set. Without re-enabling writes, the AAI sequence
fails.

Add spi_nor_write_enable() after the odd-address byte program when more
data needs to be written. Use a local boolean for clarity.

Fixes: b199489d37b2 ("mtd: spi-nor: add the framework for SPI NOR")
Cc: stable@vger.kernel.org
Signed-off-by: Sanjaikumar V S <sanjaikumar.vs@dicortech.com>
Tested-by: Hendrik Donner <hd@os-cillation.de>
Reviewed-by: Hendrik Donner <hd@os-cillation.de>
Signed-off-by: Pratyush Yadav (Google) <pratyush@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mtd/spi-nor/sst.c |   13 +++++++++++++
 1 file changed, 13 insertions(+)

--- a/drivers/mtd/spi-nor/sst.c
+++ b/drivers/mtd/spi-nor/sst.c
@@ -159,6 +159,8 @@ static int sst_nor_write(struct mtd_info
 
 	/* Start write from odd address. */
 	if (to % 2) {
+		bool needs_write_enable = (len > 1);
+
 		/* write one byte. */
 		ret = sst_nor_write_data(nor, to, 1, buf);
 		if (ret < 0)
@@ -166,6 +168,17 @@ static int sst_nor_write(struct mtd_info
 
 		to++;
 		actual++;
+
+		/*
+		 * Byte program clears the write enable latch. If more
+		 * data needs to be written using the AAI sequence,
+		 * re-enable writes.
+		 */
+		if (needs_write_enable) {
+			ret = spi_nor_write_enable(nor);
+			if (ret)
+				goto out;
+		}
 	}
 
 	/* Write out most of the data here. */
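Review bot: `needs_write_enable = (len > 1)` (set in the previous hunk) also fires when the odd leading byte is followed by exactly one more byte (odd `to`, len == 2): the AAI loop below does not run in that case and the remaining byte goes through the trailing single-byte path, so this write enable is redundant there. That is harmless provided the trailing-byte path enables writes itself, but a condition on the remaining length, e.g. `len - actual >= 2` evaluated after the increments, would express exactly when an AAI word follows. The explanatory comment block is good; keep it.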



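As an added example that is not code from either sst patch or from the kernel's sst.c, the following C model replays the three-step write sequence described in the two sst commit messages above against a toy flash with a write-enable latch, so the failure fixed by "Fix write enable before AAI sequence" can be reproduced and checked in user space. All names (toy_flash_*, sst_write_seq, write_and_verify) are hypothetical.

```c
/* Added model (not the kernel's sst.c): a toy SST-style flash with a write
 * enable latch (WEL), a byte-program (BP) op and an AAI word-program op, used
 * to replay the odd-address write sequence of the two sst patches above. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TOY_FLASH_SIZE 64

struct toy_flash {
	uint8_t mem[TOY_FLASH_SIZE];
	bool wel;	/* Write Enable Latch */
};

/* WREN sets WEL, WRDI clears it (and on the real part ends an AAI run). */
static void toy_flash_write_enable(struct toy_flash *f)  { f->wel = true; }
static void toy_flash_write_disable(struct toy_flash *f) { f->wel = false; }

/* BP: program one byte. Needs WEL and, like the real part, clears it. */
static int toy_flash_bp(struct toy_flash *f, size_t addr, uint8_t b)
{
	if (!f->wel || addr >= TOY_FLASH_SIZE)
		return -1;
	f->mem[addr] = b;
	f->wel = false;
	return 1;
}

/* AAI word program: needs WEL and an even address, programs two bytes and
 * leaves WEL set so the next word can follow. (The real part auto-increments
 * the address; this model has the caller pass it explicitly.) */
static int toy_flash_aai_wp(struct toy_flash *f, size_t addr, const uint8_t *w)
{
	if (!f->wel || addr % 2 || addr + 1 >= TOY_FLASH_SIZE)
		return -1;
	f->mem[addr] = w[0];
	f->mem[addr + 1] = w[1];
	return 2;
}

/* The three-step sequence from the commit messages: optional leading byte to
 * reach 2-byte alignment, AAI words for the bulk, optional trailing byte.
 * reenable_after_bp mirrors the "Fix write enable before AAI sequence" change.
 * Returns bytes written, or -1 at the first failing step. */
static int sst_write_seq(struct toy_flash *f, size_t to, const uint8_t *buf,
			 size_t len, bool reenable_after_bp)
{
	size_t actual = 0;

	toy_flash_write_enable(f);
	if (to % 2) {
		if (toy_flash_bp(f, to, buf[0]) < 0)
			return -1;
		to++;
		actual++;
		/* BP cleared WEL; the AAI words below need it set again. */
		if (reenable_after_bp && actual < len)
			toy_flash_write_enable(f);
	}
	for (; actual + 1 < len; actual += 2) {
		if (toy_flash_aai_wp(f, to, buf + actual) < 0)
			return -1;
		to += 2;
	}
	toy_flash_write_disable(f);
	if (actual < len) {
		toy_flash_write_enable(f);
		if (toy_flash_bp(f, to, buf[actual]) < 0)
			return -1;
		actual++;
	}
	return (int)actual;
}

/* Write a constructed payload to a fresh (erased) device and verify it. */
static bool write_and_verify(size_t to, size_t len, bool reenable)
{
	struct toy_flash f = { .wel = false };
	uint8_t buf[TOY_FLASH_SIZE];

	memset(f.mem, 0xff, sizeof(f.mem));
	for (size_t i = 0; i < len; i++)
		buf[i] = (uint8_t)(0x10 + i);	/* constructed sample bytes */
	if (sst_write_seq(&f, to, buf, len, reenable) != (int)len)
		return false;
	return memcmp(f.mem + to, buf, len) == 0;
}
```

With an odd start address and more than one byte, the model fails at the first AAI word unless WEL is re-enabled after the leading byte program, which is exactly the case the second patch fixes.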

* [PATCH 6.6 456/474] pwm: imx-tpm: Count the number of enabled channels in probe
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (454 preceding siblings ...)
  2026-05-15 15:49 ` [PATCH 6.6 455/474] mtd: spi-nor: sst: Fix write enable before AAI sequence Greg Kroah-Hartman
@ 2026-05-15 15:49 ` Greg Kroah-Hartman
  2026-05-15 15:49 ` [PATCH 6.6 457/474] batman-adv: stop tp_meter sessions during mesh teardown Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Viorel Suman (OSS),
	Uwe Kleine-König

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Viorel Suman (OSS) <viorel.suman@oss.nxp.com>

commit 3962c24f2d14e8a7f8a23f56b7ce320523947342 upstream.

On a soft reset the TPM PWM IP may preserve its internal state from the
previous runtime; therefore, on a subsequent OS boot and driver probe, the
"enable_count" value and the TPM PWM IP's internal channel "enabled" states
may get unaligned. In consequence, on a suspend/resume cycle the call "if
(--tpm->enable_count == 0)" may lead to an "enable_count" overflow, with the
system being blocked from entering suspend due to:

   if (tpm->enable_count > 0)
       return -EBUSY;

Fix the problem by counting the enabled channels in probe function.

Signed-off-by: Viorel Suman (OSS) <viorel.suman@oss.nxp.com>
Fixes: 738a1cfec2ed ("pwm: Add i.MX TPM PWM driver support")
Link: https://patch.msgid.link/20260311123309.348904-1-viorel.suman@oss.nxp.com
Cc: stable@vger.kernel.org
Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
[ukleinek: backport to linux-6.6.y]
Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pwm/pwm-imx-tpm.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/pwm/pwm-imx-tpm.c
+++ b/drivers/pwm/pwm-imx-tpm.c
@@ -350,6 +350,7 @@ static int pwm_imx_tpm_probe(struct plat
 {
 	struct imx_tpm_pwm_chip *tpm;
 	int ret;
+	unsigned int i;
 	u32 val;
 
 	tpm = devm_kzalloc(&pdev->dev, sizeof(*tpm), GFP_KERNEL);
@@ -383,6 +384,13 @@ static int pwm_imx_tpm_probe(struct plat
 
 	mutex_init(&tpm->lock);
 
+	/* count the enabled channels */
+	for (i = 0; i < tpm->chip.npwm; ++i) {
+		val = readl(tpm->base + PWM_IMX_TPM_CnSC(i));
+		if (FIELD_GET(PWM_IMX_TPM_CnSC_ELS, val))
+			++tpm->enable_count;
+	}
+
 	ret = pwmchip_add(&tpm->chip);
 	if (ret) {
 		dev_err(&pdev->dev, "failed to add PWM chip: %d\n", ret);
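Review bot: the counting condition `FIELD_GET(PWM_IMX_TPM_CnSC_ELS, val)` has to agree with what the enable/disable paths treat as "channel enabled" when they increment and decrement enable_count, otherwise the probe-time count only moves the mismatch described in the commit message; a comment pointing at that definition, or a small shared helper used by both, would keep the two from drifting apart. The pre-existing `val` is reused for the channel status reads, which is fine as long as nothing after the loop still expects its earlier value.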




* [PATCH 6.6 457/474] batman-adv: stop tp_meter sessions during mesh teardown
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (455 preceding siblings ...)
  2026-05-15 15:49 ` [PATCH 6.6 456/474] pwm: imx-tpm: Count the number of enabled channels in probe Greg Kroah-Hartman
@ 2026-05-15 15:49 ` Greg Kroah-Hartman
  2026-05-15 15:49 ` [PATCH 6.6 458/474] batman-adv: tp_meter: fix tp_num leak on kmalloc failure Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
	Juefei Pu, Xin Liu, Luxing Yin, Jiexun Wang, Ren Wei,
	Sven Eckelmann

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiexun Wang <wangjiexun2025@gmail.com>

commit 3d3cf6a7314aca4df0a6dde28ce784a2a30d0166 upstream.

TP meter sessions remain linked on bat_priv->tp_list after the netlink
request has already finished. When the mesh interface is removed,
batadv_mesh_free() currently tears down the mesh without first draining
these sessions.

A running sender thread or a late incoming tp_meter packet can then keep
processing against a mesh instance which is already shutting down.
Synchronize tp_meter with the mesh lifetime by stopping all active
sessions from batadv_mesh_free() and waiting for sender threads to exit
before teardown continues.

Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Co-developed-by: Luxing Yin <tr0jan@lzu.edu.cn>
Signed-off-by: Luxing Yin <tr0jan@lzu.edu.cn>
Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
[ Context ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/batman-adv/main.c     |    1 
 net/batman-adv/tp_meter.c |   94 +++++++++++++++++++++++++++++++++++++---------
 net/batman-adv/tp_meter.h |    1 
 net/batman-adv/types.h    |    4 +
 4 files changed, 82 insertions(+), 18 deletions(-)

--- a/net/batman-adv/main.c
+++ b/net/batman-adv/main.c
@@ -262,6 +262,7 @@ void batadv_mesh_free(struct net_device
 	atomic_set(&bat_priv->mesh_state, BATADV_MESH_DEACTIVATING);
 
 	batadv_purge_outstanding_packets(bat_priv, NULL);
+	batadv_tp_stop_all(bat_priv);
 
 	batadv_gw_node_free(bat_priv);
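Review bot: the call is placed after `batadv_purge_outstanding_packets()` and before the first free (`batadv_gw_node_free()`), which is the right ordering because `batadv_tp_stop_all()` blocks until sender threads have exited and so must complete before any structure those threads touch is released. One thing to confirm outside the hunk is that main.c already includes tp_meter.h, since the new prototype is added there and this hunk adds no include.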
 
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -12,6 +12,7 @@
 #include <linux/byteorder/generic.h>
 #include <linux/cache.h>
 #include <linux/compiler.h>
+#include <linux/completion.h>
 #include <linux/container_of.h>
 #include <linux/err.h>
 #include <linux/etherdevice.h>
@@ -365,23 +366,38 @@ static void batadv_tp_vars_put(struct ba
 }
 
 /**
- * batadv_tp_sender_cleanup() - cleanup sender data and drop and timer
- * @bat_priv: the bat priv with all the soft interface information
- * @tp_vars: the private data of the current TP meter session to cleanup
+ * batadv_tp_list_detach() - remove tp session from mesh session list once
+ * @tp_vars: the private data of the current TP meter session
  */
-static void batadv_tp_sender_cleanup(struct batadv_priv *bat_priv,
-				     struct batadv_tp_vars *tp_vars)
+static void batadv_tp_list_detach(struct batadv_tp_vars *tp_vars)
 {
-	cancel_delayed_work(&tp_vars->finish_work);
+	bool detached = false;
 
 	spin_lock_bh(&tp_vars->bat_priv->tp_list_lock);
-	hlist_del_rcu(&tp_vars->list);
+	if (!hlist_unhashed(&tp_vars->list)) {
+		hlist_del_init_rcu(&tp_vars->list);
+		detached = true;
+	}
 	spin_unlock_bh(&tp_vars->bat_priv->tp_list_lock);
 
+	if (!detached)
+		return;
+
+	atomic_dec(&tp_vars->bat_priv->tp_num);
+
 	/* drop list reference */
 	batadv_tp_vars_put(tp_vars);
+}
 
-	atomic_dec(&tp_vars->bat_priv->tp_num);
+/**
+ * batadv_tp_sender_cleanup() - cleanup sender data and drop and timer
+ * @tp_vars: the private data of the current TP meter session to cleanup
+ */
+static void batadv_tp_sender_cleanup(struct batadv_tp_vars *tp_vars)
+{
+	cancel_delayed_work_sync(&tp_vars->finish_work);
+
+	batadv_tp_list_detach(tp_vars);
 
 	/* kill the timer and remove its reference */
 	del_timer_sync(&tp_vars->timer);
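Review bot: the kernel-doc line `+ * batadv_tp_sender_cleanup() - cleanup sender data and drop and timer` carries over the pre-existing typo ("drop and timer"); as the line is rewritten anyway, "drop the timer" would be the moment to fix it. On the logic, the `detached` flag together with `hlist_del_init_rcu()` makes `batadv_tp_list_detach()` safe to call twice, which the new `batadv_tp_stop_all()` needs on the receiver side where it can race with the timer's own shutdown path; and the switch from `cancel_delayed_work()` to `cancel_delayed_work_sync()` means `batadv_tp_sender_cleanup()` may now sleep, so every caller has to be in process context (the sender thread and the kthread-start failure path both are).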
@@ -886,7 +902,8 @@ out:
 	batadv_orig_node_put(orig_node);
 
 	batadv_tp_sender_end(bat_priv, tp_vars);
-	batadv_tp_sender_cleanup(bat_priv, tp_vars);
+	batadv_tp_sender_cleanup(tp_vars);
+	complete(&tp_vars->finished);
 
 	batadv_tp_vars_put(tp_vars);
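Review bot: `complete(&tp_vars->finished)` is issued before the thread drops its own reference with `batadv_tp_vars_put(tp_vars)`; that ordering is only safe because the waiter in `batadv_tp_stop_all()` holds its own `kref` on tp_vars across `wait_for_completion()`, otherwise the completion could be freed underneath it. A one-line comment at the `complete()` stating that the waiter must hold a reference would keep a future refactor from reordering these lines.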
 
@@ -918,7 +935,8 @@ static void batadv_tp_start_kthread(stru
 		batadv_tp_vars_put(tp_vars);
 
 		/* cleanup of failed tp meter variables */
-		batadv_tp_sender_cleanup(bat_priv, tp_vars);
+		batadv_tp_sender_cleanup(tp_vars);
+		complete(&tp_vars->finished);
 		return;
 	}
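Review bot: signalling `finished` on this failure path matters as much as on the normal exit: the tp_vars is already linked on `tp_list` when kthread creation fails, so without this `complete()` a concurrent `batadv_tp_stop_all()` would block forever on a sender that never ran. Worth checking that no other sender-termination path bypasses `batadv_tp_sender_cleanup()` and so skips the completion.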
 
@@ -1024,6 +1042,7 @@ void batadv_tp_start(struct batadv_priv
 	tp_vars->start_time = jiffies;
 
 	init_waitqueue_head(&tp_vars->more_bytes);
+	init_completion(&tp_vars->finished);
 
 	spin_lock_init(&tp_vars->unacked_lock);
 	INIT_LIST_HEAD(&tp_vars->unacked_list);
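Review bot: `init_completion(&tp_vars->finished)` must run before the session becomes reachable on `bat_priv->tp_list`, because `batadv_tp_stop_all()` waits on it for any listed sender. Placing it next to `init_waitqueue_head()` looks right, but the list insertion is not in view here, so confirm the ordering in the rest of `batadv_tp_start()`.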
@@ -1126,14 +1145,7 @@ static void batadv_tp_receiver_shutdown(
 		   "Shutting down for inactivity (more than %dms) from %pM\n",
 		   BATADV_TP_RECV_TIMEOUT, tp_vars->other_end);
 
-	spin_lock_bh(&tp_vars->bat_priv->tp_list_lock);
-	hlist_del_rcu(&tp_vars->list);
-	spin_unlock_bh(&tp_vars->bat_priv->tp_list_lock);
-
-	/* drop list reference */
-	batadv_tp_vars_put(tp_vars);
-
-	atomic_dec(&bat_priv->tp_num);
+	batadv_tp_list_detach(tp_vars);
 
 	spin_lock_bh(&tp_vars->unacked_lock);
 	list_for_each_entry_safe(un, safe, &tp_vars->unacked_list, list) {
@@ -1497,6 +1509,52 @@ out:
 }
 
 /**
+ * batadv_tp_stop_all() - stop all currently running tp meter sessions
+ * @bat_priv: the bat priv with all the mesh interface information
+ */
+void batadv_tp_stop_all(struct batadv_priv *bat_priv)
+{
+	struct batadv_tp_vars *tp_vars[BATADV_TP_MAX_NUM];
+	struct batadv_tp_vars *tp_var;
+	size_t count = 0;
+	size_t i;
+
+	spin_lock_bh(&bat_priv->tp_list_lock);
+	hlist_for_each_entry(tp_var, &bat_priv->tp_list, list) {
+		if (WARN_ON_ONCE(count >= BATADV_TP_MAX_NUM))
+			break;
+
+		if (!kref_get_unless_zero(&tp_var->refcount))
+			continue;
+
+		tp_vars[count++] = tp_var;
+	}
+	spin_unlock_bh(&bat_priv->tp_list_lock);
+
+	for (i = 0; i < count; i++) {
+		tp_var = tp_vars[i];
+
+		switch (tp_var->role) {
+		case BATADV_TP_SENDER:
+			batadv_tp_sender_shutdown(tp_var,
+						  BATADV_TP_REASON_CANCEL);
+			wake_up(&tp_var->more_bytes);
+			wait_for_completion(&tp_var->finished);
+			break;
+		case BATADV_TP_RECEIVER:
+			batadv_tp_list_detach(tp_var);
+			if (timer_shutdown_sync(&tp_var->timer))
+				batadv_tp_vars_put(tp_var);
+			break;
+		}
+
+		batadv_tp_vars_put(tp_var);
+	}
+
+	synchronize_net();
+}
+
+/**
  * batadv_tp_meter_init() - initialize global tp_meter structures
  */
 void __init batadv_tp_meter_init(void)
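Review bot: the snapshot taken under `tp_list_lock` is bounded by `BATADV_TP_MAX_NUM`; on `WARN_ON_ONCE(count >= BATADV_TP_MAX_NUM)` the loop breaks and any session beyond the array is left running into the teardown, exactly what this patch sets out to prevent, so the warning deserves a comment explaining why it cannot trigger (tp_num is capped at the same constant). Nothing in this function prevents a new session from being linked after `spin_unlock_bh()`; that has to come from `batadv_tp_start()` / `batadv_tp_init_recv()` honouring the caller's `BATADV_MESH_DEACTIVATING` state, which is outside this diff and worth confirming. The receiver branch is sound: `batadv_tp_list_detach()` is idempotent so it may race with the timer's own shutdown, and dropping a reference only when `timer_shutdown_sync()` returns true matches the timer holding its own reference. The trailing `synchronize_net()` is what makes it safe for a late tp_meter packet on the RCU receive path to have observed the list before the detach.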
--- a/net/batman-adv/tp_meter.h
+++ b/net/batman-adv/tp_meter.h
@@ -17,6 +17,7 @@ void batadv_tp_start(struct batadv_priv
 		     u32 test_length, u32 *cookie);
 void batadv_tp_stop(struct batadv_priv *bat_priv, const u8 *dst,
 		    u8 return_value);
+void batadv_tp_stop_all(struct batadv_priv *bat_priv);
 void batadv_tp_meter_recv(struct batadv_priv *bat_priv, struct sk_buff *skb);
 
 #endif /* _NET_BATMAN_ADV_TP_METER_H_ */
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -14,6 +14,7 @@
 #include <linux/average.h>
 #include <linux/bitops.h>
 #include <linux/compiler.h>
+#include <linux/completion.h>
 #include <linux/if.h>
 #include <linux/if_ether.h>
 #include <linux/kref.h>
@@ -1396,6 +1397,9 @@ struct batadv_tp_vars {
 	/** @finish_work: work item for the finishing procedure */
 	struct delayed_work finish_work;
 
+	/** @finished: completion signaled when a sender thread exits */
+	struct completion finished;
+
 	/** @test_length: test length in milliseconds */
 	u32 test_length;
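Review bot: the field comment `completion signaled when a sender thread exits` should also say that the completion is initialised only in `batadv_tp_start()` (the sender path), so receiver sessions carry an uninitialised `finished` that must never be waited on. `batadv_tp_stop_all()` respects this by waiting only in the `BATADV_TP_SENDER` case, but stating it here protects against a future caller that does not.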
 




* [PATCH 6.6 458/474] batman-adv: tp_meter: fix tp_num leak on kmalloc failure
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (456 preceding siblings ...)
  2026-05-15 15:49 ` [PATCH 6.6 457/474] batman-adv: stop tp_meter sessions during mesh teardown Greg Kroah-Hartman
@ 2026-05-15 15:49 ` Greg Kroah-Hartman
  2026-05-15 15:49 ` [PATCH 6.6 459/474] btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit ce425dd05d0fe7594930a0fb103634f35ac47bb6 upstream.

When batadv_tp_start() or batadv_tp_init_recv() fail to allocate a new
tp_vars object, the previously incremented bat_priv->tp_num counter is
never decremented. This causes tp_num to drift upward on each allocation
failure. Since only BATADV_TP_MAX_NUM sessions can be started and the count
is never reduced for these failed allocations, it causes an exhaustion
of throughput meter sessions. In the worst case, no new throughput meter
session can be started until the mesh interface is removed.

The error handling must decrement tp_num before releasing the lock and
aborting the creation of a throughput meter session.

Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
[ Context ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/batman-adv/tp_meter.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index 7f3dd3c393e0..16da48b23f57 100644
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -969,6 +969,7 @@ void batadv_tp_start(struct batadv_priv *bat_priv, const u8 *dst,
 
 	tp_vars = kmalloc(sizeof(*tp_vars), GFP_ATOMIC);
 	if (!tp_vars) {
+		atomic_dec(&bat_priv->tp_num);
 		spin_unlock_bh(&bat_priv->tp_list_lock);
 		batadv_dbg(BATADV_DBG_TP_METER, bat_priv,
 			   "Meter: %s cannot allocate list elements\n",
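Review bot: the decrement sits while `tp_list_lock` is still held, before `spin_unlock_bh()`; that matches where the increment was taken (under the same lock, per the description), so a reader comparing tp_num against BATADV_TP_MAX_NUM under the lock never observes a transient over-count. The receiver-side hunk below places its `atomic_dec()` before `goto out_unlock` for the same reason.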
@@ -1344,8 +1345,10 @@ batadv_tp_init_recv(struct batadv_priv *bat_priv,
 	}
 
 	tp_vars = kmalloc(sizeof(*tp_vars), GFP_ATOMIC);
-	if (!tp_vars)
+	if (!tp_vars) {
+		atomic_dec(&bat_priv->tp_num);
 		goto out_unlock;
+	}
 
 	ether_addr_copy(tp_vars->other_end, icmp->orig);
 	tp_vars->role = BATADV_TP_RECEIVER;
-- 
2.47.3





* [PATCH 6.6 459/474] btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (457 preceding siblings ...)
  2026-05-15 15:49 ` [PATCH 6.6 458/474] batman-adv: tp_meter: fix tp_num leak on kmalloc failure Greg Kroah-Hartman
@ 2026-05-15 15:49 ` Greg Kroah-Hartman
  2026-05-15 15:49 ` [PATCH 6.6 460/474] tracing/probes: Limit size of event probe to 3K Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yochai Eisenrich, David Sterba,
	Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yochai Eisenrich <yochaie@sweet.security>

[ Upstream commit 973e57c726c1f8e77259d1c8e519519f1e9aea77 ]

btrfs_ioctl_space_info() has a TOCTOU race between two passes over the
block group RAID type lists. The first pass counts entries to determine
the allocation size, then the second pass fills the buffer. The
groups_sem rwlock is released between passes, allowing concurrent block
group removal to reduce the entry count.

When the second pass fills fewer entries than the first pass counted,
copy_to_user() copies the full alloc_size bytes including trailing
uninitialized kmalloc bytes to userspace.

Fix by copying only total_spaces entries (the actually-filled count from
the second pass) instead of alloc_size bytes, and switch to kzalloc so
any future copy size mismatch cannot leak heap data.

Fixes: 7fde62bffb57 ("Btrfs: buffer results in the space_info ioctl")
CC: stable@vger.kernel.org # 3.0
Signed-off-by: Yochai Eisenrich <echelonh@gmail.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[ adapted upstream's `return -EFAULT;` to stable's `ret = -EFAULT;` fall-through to existing `out:` cleanup label ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/btrfs/ioctl.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index 4723013995f5b..d17d1eff8eff4 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -3087,7 +3087,7 @@ static long btrfs_ioctl_space_info(struct btrfs_fs_info *fs_info,
 		return -ENOMEM;
 
 	space_args.total_spaces = 0;
-	dest = kmalloc(alloc_size, GFP_KERNEL);
+	dest = kzalloc(alloc_size, GFP_KERNEL);
 	if (!dest)
 		return -ENOMEM;
 	dest_orig = dest;
@@ -3143,7 +3143,8 @@ static long btrfs_ioctl_space_info(struct btrfs_fs_info *fs_info,
 	user_dest = (struct btrfs_ioctl_space_info __user *)
 		(arg + sizeof(struct btrfs_ioctl_space_args));
 
-	if (copy_to_user(user_dest, dest_orig, alloc_size))
+	if (copy_to_user(user_dest, dest_orig,
+		 space_args.total_spaces * sizeof(*dest_orig)))
 		ret = -EFAULT;
 
 	kfree(dest_orig);
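Review bot: the new length `space_args.total_spaces * sizeof(*dest_orig)` is bounded by the earlier allocation only if the second pass can never fill more entries than the first pass counted; that holds as long as the fill loop (outside this hunk) is itself limited by the counted slot number, so the copy can shrink but not grow. Together with the `kzalloc()` in the first hunk, a shrinking copy no longer exposes uninitialised tail bytes. Userspace learns the entry count from the separately copied header (not shown), so the two stay consistent; and the stable adaptation to `ret = -EFAULT;` correctly keeps the `kfree(dest_orig)` on the failure path.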
-- 
2.53.0





* [PATCH 6.6 460/474] tracing/probes: Limit size of event probe to 3K
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (458 preceding siblings ...)
  2026-05-15 15:49 ` [PATCH 6.6 459/474] btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak Greg Kroah-Hartman
@ 2026-05-15 15:49 ` Greg Kroah-Hartman
  2026-05-15 15:49 ` [PATCH 6.6 461/474] usb: dwc3: Move GUID programming after PHY initialization Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mathieu Desnoyers,
	Masami Hiramatsu (Google), Steven Rostedt, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steven Rostedt <rostedt@goodmis.org>

[ Upstream commit b2aa3b4d64e460ac606f386c24e7d8a873ce6f1a ]

There currently isn't a max limit on how big an event probe can be. One
could make an event greater than PAGE_SIZE, which makes the event useless
because if it's bigger than the max event that can be recorded into the
ring buffer, then it will never be recorded.

An event probe should never need to be greater than 3K, so make that the
max size. As long as the max is less than the max that can be recorded
onto the ring buffer, it should be fine.

Cc: stable@vger.kernel.org
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Fixes: 93ccae7a22274 ("tracing/kprobes: Support basic types on dynamic events")
Link: https://patch.msgid.link/20260428122302.706610ba@gandalf.local.home
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
[ adjusted context to place MAX_PROBE_EVENT_SIZE near MAX_STRING_SIZE and appended EVENT_TOO_BIG after NEED_STRING_TYPE ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/trace/trace_probe.c | 6 ++++++
 kernel/trace/trace_probe.h | 4 +++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c
index d46a1033ba5b3..dee9494ed189a 100644
--- a/kernel/trace/trace_probe.c
+++ b/kernel/trace/trace_probe.c
@@ -1366,6 +1366,12 @@ static int traceprobe_parse_probe_arg_body(const char *argv, ssize_t *size,
 	parg->offset = *size;
 	*size += parg->type->size * (parg->count ?: 1);
 
+	if (*size > MAX_PROBE_EVENT_SIZE) {
+		ret = -E2BIG;
+		trace_probe_log_err(ctx->offset, EVENT_TOO_BIG);
+		goto fail;
+	}
+
 	if (parg->count) {
 		len = strlen(parg->type->fmttype) + 6;
 		parg->fmt = kmalloc(len, GFP_KERNEL);
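Review bot: the check fires after `*size` has already been incremented, so on -E2BIG `*size` is left holding the oversize value; that is harmless only if the caller discards the whole probe on error rather than continuing with `size`, which the hunk does not show and is worth confirming. Logging at `ctx->offset` points the user at the argument that crossed the limit, which is the useful location. Since `*size` is an ssize_t and the addend is `parg->type->size * (parg->count ?: 1)`, the comparison also quietly relies on `count` being bounded elsewhere so the product cannot wrap before reaching this test.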
diff --git a/kernel/trace/trace_probe.h b/kernel/trace/trace_probe.h
index c71fa9c2f3815..ce5a0935cd45c 100644
--- a/kernel/trace/trace_probe.h
+++ b/kernel/trace/trace_probe.h
@@ -35,6 +35,7 @@
 #define MAX_ARG_NAME_LEN	32
 #define MAX_BTF_ARGS_LEN	128
 #define MAX_STRING_SIZE		PATH_MAX
+#define MAX_PROBE_EVENT_SIZE	3072
 
 /* Reserved field names */
 #define FIELD_STRING_IP		"__probe_ip"
@@ -546,7 +547,8 @@ extern int traceprobe_define_arg_fields(struct trace_event_call *event_call,
 	C(NO_BTF_FIELD,		"This field is not found."),	\
 	C(BAD_BTF_TID,		"Failed to get BTF type info."),\
 	C(BAD_TYPE4STR,		"This type does not fit for string."),\
-	C(NEED_STRING_TYPE,	"$comm and immediate-string only accepts string type"),
+	C(NEED_STRING_TYPE,	"$comm and immediate-string only accepts string type"),\
+	C(EVENT_TOO_BIG,	"Event too big (too many fields?)"),
 
 #undef C
 #define C(a, b)		TP_ERR_##a
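Review bot: the macro list edit is correct in shape: the former last entry `C(NEED_STRING_TYPE, ...)` gains the continuation backslash and the new last entry `C(EVENT_TOO_BIG, ...)` has none. A missing backslash here would silently truncate the error table rather than fail to compile, so this is the line to double-check when the backport is applied by hand, as the adaptation note above says it was.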
-- 
2.53.0





* [PATCH 6.6 461/474] usb: dwc3: Move GUID programming after PHY initialization
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (459 preceding siblings ...)
  2026-05-15 15:49 ` [PATCH 6.6 460/474] tracing/probes: Limit size of event probe to 3K Greg Kroah-Hartman
@ 2026-05-15 15:49 ` Greg Kroah-Hartman
  2026-05-15 15:49 ` [PATCH 6.6 462/474] ceph: only d_add() negative dentries when they are unhashed Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Pritam Manohar Sutar,
	Selvarasu Ganesan, Thinh Nguyen, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Selvarasu Ganesan <selvarasu.g@samsung.com>

[ Upstream commit aad35f9c926ec220b0742af1ada45666ae667956 ]

The Linux Version Code is currently written to the GUID register before
PHY initialization. Certain PHY implementations (such as Synopsys eUSB
PHY performing link_sw_reset) clear the GUID register to its default
value during initialization, causing the kernel version information to
be lost.

Move the GUID register programming to occur after PHY initialization
completes to ensure the Linux version information persists.

Fixes: fa0ea13e9f1c ("usb: dwc3: core: write LINUX_VERSION_CODE to our GUID register")
Cc: stable <stable@kernel.org>
Reported-by: Pritam Manohar Sutar <pritam.sutar@samsung.com>
Signed-off-by: Selvarasu Ganesan <selvarasu.g@samsung.com>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://patch.msgid.link/20260417063314.2359-1-selvarasu.g@samsung.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ adapted dwc3_writel(dwc, ...) to dwc3_writel(dwc->regs, ...) ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/dwc3/core.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/drivers/usb/dwc3/core.c
+++ b/drivers/usb/dwc3/core.c
@@ -1240,12 +1240,6 @@ static int dwc3_core_init(struct dwc3 *d
 
 	hw_mode = DWC3_GHWPARAMS0_MODE(dwc->hwparams.hwparams0);
 
-	/*
-	 * Write Linux Version Code to our GUID register so it's easy to figure
-	 * out which kernel version a bug was found.
-	 */
-	dwc3_writel(dwc->regs, DWC3_GUID, LINUX_VERSION_CODE);
-
 	ret = dwc3_phy_setup(dwc);
 	if (ret)
 		return ret;
@@ -1277,6 +1271,12 @@ static int dwc3_core_init(struct dwc3 *d
 	if (ret)
 		goto err_exit_phy;
 
+	/*
+	 * Write Linux Version Code to our GUID register so it's easy to figure
+	 * out which kernel version a bug was found.
+	 */
+	dwc3_writel(dwc->regs, DWC3_GUID, LINUX_VERSION_CODE);
+
 	dwc3_core_setup_global_control(dwc);
 	dwc3_core_num_eps(dwc);
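Review bot: the write now sits after the `goto err_exit_phy` check, i.e. only once PHY initialisation has succeeded, which addresses the `link_sw_reset` case named in the description. Since `dwc3_core_setup_global_control()` and the rest of core init follow immediately, confirm that nothing later in `dwc3_core_init()` resets the core again (a soft reset would clear GUID just as the PHY did), otherwise the move only shifts the problem.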
 




* [PATCH 6.6 462/474] ceph: only d_add() negative dentries when they are unhashed
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (460 preceding siblings ...)
  2026-05-15 15:49 ` [PATCH 6.6 461/474] usb: dwc3: Move GUID programming after PHY initialization Greg Kroah-Hartman
@ 2026-05-15 15:49 ` Greg Kroah-Hartman
  2026-05-15 15:49 ` [PATCH 6.6 463/474] KVM: arm64: Wake-up from WFI when iqrchip is in userspace Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Max Kellermann, Viacheslav Dubeyko,
	Ilya Dryomov, Sasha Levin

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Max Kellermann <max.kellermann@ionos.com>

[ Upstream commit 803447f93d75ab6e40c85e6d12b5630d281d70d6 ]

Ceph can call d_add(dentry, NULL) on a negative dentry that is already
present in the primary dcache hash.

In the current VFS that is not safe.  d_add() goes through __d_add()
to __d_rehash(), which unconditionally reinserts dentry->d_hash into
the hlist_bl bucket.  If the dentry is already hashed, reinserting the
same node can corrupt the bucket, including creating a self-loop.
Once that happens, __d_lookup() can spin forever in the hlist_bl walk,
typically looping only on the d_name.hash mismatch check and
eventually triggering RCU stall reports like this one:

 rcu: INFO: rcu_sched self-detected stall on CPU
 rcu:         87-....: (2100 ticks this GP) idle=3a4c/1/0x4000000000000000 softirq=25003319/25003319 fqs=829
 rcu:         (t=2101 jiffies g=79058445 q=698988 ncpus=192)
 CPU: 87 UID: 2952868916 PID: 3933303 Comm: php-cgi8.3 Not tainted 6.18.17-i1-amd #950 NONE
 Hardware name: Dell Inc. PowerEdge R7615/0G9DHV, BIOS 1.6.6 09/22/2023
 RIP: 0010:__d_lookup+0x46/0xb0
 Code: c1 e8 07 48 8d 04 c2 48 8b 00 49 89 fc 49 89 f5 48 89 c3 48 83 e3 fe 48 83 f8 01 77 0f eb 2d 0f 1f 44 00 00 48 8b 1b 48 85 db <74> 20 39 6b 18 75 f3 48 8d 7b 78 e8 ba 85 d0 00 4c 39 63 10 74 1f
 RSP: 0018:ff745a70c8253898 EFLAGS: 00000282
 RAX: ff26e470054cb208 RBX: ff26e470054cb208 RCX: 000000006e958966
 RDX: ff26e48267340000 RSI: ff745a70c82539b0 RDI: ff26e458f74655c0
 RBP: 000000006e958966 R08: 0000000000000180 R09: 9cd08d909b919a89
 R10: ff26e458f74655c0 R11: 0000000000000000 R12: ff26e458f74655c0
 R13: ff745a70c82539b0 R14: d0d0d0d0d0d0d0d0 R15: 2f2f2f2f2f2f2f2f
 FS:  00007f5770896980(0000) GS:ff26e482c5d88000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007f5764de50c0 CR3: 000000a72abb5001 CR4: 0000000000771ef0
 PKRU: 55555554
 Call Trace:
  <TASK>
  lookup_fast+0x9f/0x100
  walk_component+0x1f/0x150
  link_path_walk+0x20e/0x3d0
  path_lookupat+0x68/0x180
  filename_lookup+0xdc/0x1e0
  vfs_statx+0x6c/0x140
  vfs_fstatat+0x67/0xa0
  __do_sys_newfstatat+0x24/0x60
  do_syscall_64+0x6a/0x230
  entry_SYSCALL_64_after_hwframe+0x76/0x7e

This is reachable with reused cached negative dentries.  A Ceph lookup
or atomic_open can be handed a negative dentry that is already hashed,
and fs/ceph/dir.c then hits one of two paths that incorrectly assume
"negative" also means "unhashed":

  - ceph_finish_lookup():
      MDS reply is -ENOENT with no trace
      -> d_add(dentry, NULL)

  - ceph_lookup():
      local ENOENT fast path for a complete directory with shared caps
      -> d_add(dentry, NULL)

Both paths can therefore re-add an already-hashed negative dentry.

Ceph already uses the correct pattern elsewhere: ceph_fill_trace() only
calls d_add(dn, NULL) for a negative null-dentry reply when d_unhashed(dn)
is true.

Fix both fs/ceph/dir.c sites the same way: only call d_add() for a
negative dentry when it is actually unhashed.  If the negative dentry
is already hashed, leave it in place and reuse it as-is.

This preserves the existing behavior for unhashed dentries while
avoiding d_hash list corruption for reused hashed negatives.

Cc: stable@vger.kernel.org
Fixes: 2817b000b02c ("ceph: directory operations")
Signed-off-by: Max Kellermann <max.kellermann@ionos.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
[ kept existing dout() debug call instead of upstream's doutc() form when adding the d_unhashed() guard around d_add() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ceph/dir.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/fs/ceph/dir.c
+++ b/fs/ceph/dir.c
@@ -745,7 +745,8 @@ struct dentry *ceph_finish_lookup(struct
 				d_drop(dentry);
 				err = -ENOENT;
 			} else {
-				d_add(dentry, NULL);
+				if (d_unhashed(dentry))
+					d_add(dentry, NULL);
 			}
 		}
 	}
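Review bot: guarding with `d_unhashed(dentry)` avoids the double `__d_rehash()` for an already-hashed negative dentry and leaves it in place with its NULL inode, so no other state needs touching in that branch. Style only: the `else` block now contains a single `if`, so `else if (d_unhashed(dentry))` would read more naturally unless the nested form was kept to minimise the diff.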
@@ -813,7 +814,8 @@ static struct dentry *ceph_lookup(struct
 			__ceph_touch_fmode(ci, mdsc, CEPH_FILE_MODE_RD);
 			spin_unlock(&ci->i_ceph_lock);
 			dout(" dir %p complete, -ENOENT\n", dir);
-			d_add(dentry, NULL);
+			if (d_unhashed(dentry))
+				d_add(dentry, NULL);
 			di->lease_shared_gen = atomic_read(&ci->i_shared_gen);
 			return NULL;
 		}
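Review bot: `di->lease_shared_gen` is still refreshed when the hashed negative dentry is reused, which is what keeps the cached -ENOENT valid against the shared-caps generation check, so skipping only the `d_add()` is the right scope. The `dout()` line kept from the 6.6 tree (per the adaptation note) is unchanged, so the backport differs from upstream only in that debug form.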




* [PATCH 6.6 463/474] KVM: arm64: Wake-up from WFI when iqrchip is in userspace
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (461 preceding siblings ...)
  2026-05-15 15:49 ` [PATCH 6.6 462/474] ceph: only d_add() negative dentries when they are unhashed Greg Kroah-Hartman
@ 2026-05-15 15:49 ` Greg Kroah-Hartman
  2026-05-15 15:49 ` [PATCH 6.6 464/474] vsock: fix buffer size clamping order Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Marc Zyngier

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Zyngier <maz@kernel.org>

commit 4ce98bf0865c349e7026ad9c14f48da264920953 upstream

It appears that there is nothing in the wake-up path that
evaluates whether the in-kernel interrupts are pending unless
we have a vgic.

This means that the userspace irqchip support has been broken for
about four years, and nobody noticed. It was also broken before
as we wouldn't wake-up on a PMU interrupt, but hey, who cares...

It is probably time to remove the feature altogether, because it
was a terrible idea 10 years ago, and it still is.

Fixes: b57de4ffd7c6d ("KVM: arm64: Simplify kvm_cpu_has_pending_timer()")
Link: https://patch.msgid.link/20260423163607.486345-1-maz@kernel.org
Signed-off-by: Marc Zyngier <maz@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/kvm/arm.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/arch/arm64/kvm/arm.c
+++ b/arch/arm64/kvm/arm.c
@@ -557,6 +557,11 @@ int kvm_arch_vcpu_ioctl_set_mpstate(stru
 int kvm_arch_vcpu_runnable(struct kvm_vcpu *v)
 {
 	bool irq_lines = *vcpu_hcr(v) & (HCR_VI | HCR_VF);
+
+	irq_lines |= (!irqchip_in_kernel(v->kvm) &&
+		      (kvm_timer_should_notify_user(v) ||
+		       kvm_pmu_should_notify_user(v)));
+
 	return ((irq_lines || kvm_vgic_vcpu_pending_irq(v))
 		&& !kvm_arm_vcpu_stopped(v) && !v->arch.pause);
 }
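Review bot: `kvm_timer_should_notify_user()` and `kvm_pmu_should_notify_user()` are only evaluated when `!irqchip_in_kernel(v->kvm)` thanks to the short-circuit, so the in-kernel vgic case is unaffected; both helpers still need to be safe to call from the runnable check without the vCPU loaded. Naming: `irq_lines` now also covers pending user-notified timer and PMU events, so a comment above the `|=` explaining that the userspace irqchip case is folded in here would help the next reader.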




* [PATCH 6.6 464/474] vsock: fix buffer size clamping order
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (462 preceding siblings ...)
  2026-05-15 15:49 ` [PATCH 6.6 463/474] KVM: arm64: Wake-up from WFI when iqrchip is in userspace Greg Kroah-Hartman
@ 2026-05-15 15:49 ` Greg Kroah-Hartman
  2026-05-15 15:49 ` [PATCH 6.6 465/474] vsock/virtio: fix accept queue count leak on transport mismatch Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Stefano Garzarella, Norbert Szetei,
	Jakub Kicinski, Luigi Leonardi

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Norbert Szetei <norbert@doyensec.com>

commit d114bfdc9b76bf93b881e195b7ec957c14227bab upstream.

In vsock_update_buffer_size(), the buffer size was being clamped to the
maximum first, and then to the minimum. If a user sets a minimum buffer
size larger than the maximum, the minimum check overrides the maximum
check, inverting the constraint.

This breaks the intended socket memory boundaries by allowing the
vsk->buffer_size to grow beyond the configured vsk->buffer_max_size.

Fix this by checking the minimum first, and then the maximum. This
ensures the buffer size never exceeds the buffer_max_size.

Fixes: b9f2b0ffde0c ("vsock: handle buffer_size sockopts in the core")
Suggested-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Norbert Szetei <norbert@doyensec.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://patch.msgid.link/180118C5-8BCF-4A63-A305-4EE53A34AB9C@doyensec.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Cc: Luigi Leonardi <leonardi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/vmw_vsock/af_vsock.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -1728,12 +1728,12 @@ static void vsock_update_buffer_size(str
 				     const struct vsock_transport *transport,
 				     u64 val)
 {
-	if (val > vsk->buffer_max_size)
-		val = vsk->buffer_max_size;
-
 	if (val < vsk->buffer_min_size)
 		val = vsk->buffer_min_size;
 
+	if (val > vsk->buffer_max_size)
+		val = vsk->buffer_max_size;
+
 	if (val != vsk->buffer_size &&
 	    transport && transport->notify_buffer_size)
 		transport->notify_buffer_size(vsk, &val);
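Review bot: with the reversed order, a configuration where `buffer_min_size > buffer_max_size` now resolves to `buffer_max_size`, so the maximum wins, which is the stated intent, but it means the minimum bound is then silently violated. Whether the setsockopt path rejects min > max up front is outside this hunk; if it does not, that inconsistent configuration may warrant its own check rather than relying on this clamp order.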




* [PATCH 6.6 465/474] vsock/virtio: fix accept queue count leak on transport mismatch
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (463 preceding siblings ...)
  2026-05-15 15:49 ` [PATCH 6.6 464/474] vsock: fix buffer size clamping order Greg Kroah-Hartman
@ 2026-05-15 15:49 ` Greg Kroah-Hartman
  2026-05-15 15:49 ` [PATCH 6.6 466/474] vsock/virtio: fix length and offset in tap skb for split packets Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dudu Lu, Bobby Eshleman,
	Luigi Leonardi, Stefano Garzarella, Michael S. Tsirkin,
	Paolo Abeni

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dudu Lu <phx0fer@gmail.com>

commit 52bcb57a4e8a0865a76c587c2451906342ae1b2d upstream.

virtio_transport_recv_listen() calls sk_acceptq_added() before
vsock_assign_transport(). If vsock_assign_transport() fails or
selects a different transport, the error path returns without
calling sk_acceptq_removed(), permanently incrementing
sk_ack_backlog.

After approximately backlog+1 such failures, sk_acceptq_is_full()
returns true, causing the listener to reject all new connections.

Fix by moving sk_acceptq_added() to after the transport validation,
matching the pattern used by vmci_transport and hyperv_transport.

Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
Signed-off-by: Dudu Lu <phx0fer@gmail.com>
Reviewed-by: Bobby Eshleman <bobbyeshleman@meta.com>
Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Link: https://patch.msgid.link/20260413131409.19022-1-phx0fer@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Cc: Luigi Leonardi <leonardi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/vmw_vsock/virtio_transport_common.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/net/vmw_vsock/virtio_transport_common.c
+++ b/net/vmw_vsock/virtio_transport_common.c
@@ -1353,8 +1353,6 @@ virtio_transport_recv_listen(struct sock
 		return -ENOMEM;
 	}
 
-	sk_acceptq_added(sk);
-
 	lock_sock_nested(child, SINGLE_DEPTH_NESTING);
 
 	child->sk_state = TCP_ESTABLISHED;
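Review bot: removing sk_acceptq_added(sk) here means the `return -ENOMEM;` at the top of the hunk and every other early exit up to the re-added call now leave sk_ack_backlog untouched, which is the intended direction (a failed child no longer leaves the counter incremented). Worth confirming that no exit in the unchanged region between this point and the new call site releases the child through a path that calls sk_acceptq_removed(), since that would now underflow the counter instead of leaking an increment.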
@@ -1376,6 +1374,7 @@ virtio_transport_recv_listen(struct sock
 		return ret;
 	}
 
+	sk_acceptq_added(sk);
 	if (virtio_transport_space_update(child, skb))
 		child->sk_write_space(child);
 
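Review bot: style: the original had a blank line after sk_acceptq_added(sk), and the re-added call is glued to the following `if`; restore the blank line to match the surrounding code. On the logic, the increment now sits after the last error return in this function, so sk_ack_backlog counts only children that actually reach the accept queue and pairs with the sk_acceptq_removed() on the accept side again. A selftest that drives a listener through a few transport-mismatch failures and then checks that an ordinary connection is still accepted would guard this against regressing, since the symptom (a listener silently refusing everything after roughly backlog failures) is easy to miss in normal testing.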





* [PATCH 6.6 466/474] vsock/virtio: fix length and offset in tap skb for split packets
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (464 preceding siblings ...)
  2026-05-15 15:49 ` [PATCH 6.6 465/474] vsock/virtio: fix accept queue count leak on transport mismatch Greg Kroah-Hartman
@ 2026-05-15 15:49 ` Greg Kroah-Hartman
  2026-05-15 15:49 ` [PATCH 6.6 467/474] vsock/virtio: fix potential unbounded skb queue Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Stefano Garzarella, Bobby Eshleman,
	Arseniy Krasnov, Michael S. Tsirkin, Paolo Abeni, Luigi Leonardi

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stefano Garzarella <sgarzare@redhat.com>

commit 5f344d809e015fba3709e5219428c00b8ac5d7df upstream.

virtio_transport_build_skb() builds a new skb to be delivered to the
vsockmon tap device. To build the new skb, it uses the original skb
data length as payload length, but as the comment notes, the original
packet stored in the skb may have been split in multiple packets, so we
need to use the length in the header, which is correctly updated before
the packet is delivered to the tap, and the offset for the data.

This was also similar to what we did before commit 71dc9ec9ac7d
("virtio/vsock: replace virtio_vsock_pkt with sk_buff") where we probably
missed something during the skb conversion.

Also update the comment above, which was left stale by the skb
conversion and still mentioned a buffer pointer that no longer exists.

Fixes: 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff")
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Bobby Eshleman <bobbyeshleman@meta.com>
Reviewed-by: Arseniy Krasnov <avkrasnov@rulkc.org>
Link: https://patch.msgid.link/20260508164411.261440-2-sgarzare@redhat.com
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[LL: Fixed conflict since this tree does not use the offset added by commit
 0df7cd3c13e4 ("vsock/virtio/vhost: read data from non-linear skb")]
Signed-off-by: Luigi Leonardi <leonardi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/vmw_vsock/virtio_transport_common.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/net/vmw_vsock/virtio_transport_common.c
+++ b/net/vmw_vsock/virtio_transport_common.c
@@ -122,12 +122,12 @@ static struct sk_buff *virtio_transport_
 	size_t payload_len;
 	void *payload_buf;
 
-	/* A packet could be split to fit the RX buffer, so we can retrieve
-	 * the payload length from the header and the buffer pointer taking
-	 * care of the offset in the original packet.
+	/* A packet could be split to fit the RX buffer, so we use
+	 * the payload length from the header, which has been updated
+	 * by the sender to reflect the fragment size.
 	 */
 	pkt_hdr = virtio_vsock_hdr(pkt);
-	payload_len = pkt->len;
+	payload_len = le32_to_cpu(pkt_hdr->len);
 	payload_buf = pkt->data;
 
 	skb = alloc_skb(sizeof(*hdr) + sizeof(*pkt_hdr) + payload_len,
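Review bot: payload_len now comes from the wire header (le32_to_cpu(pkt_hdr->len)) and sizes the alloc_skb() at the end of the hunk, while payload_buf still points at pkt->data; the code therefore trusts that the header length was rewritten to the fragment size before the tap sees the skb, exactly as the new comment says. A cheap guard such as `if (WARN_ON_ONCE(payload_len > pkt->len)) return NULL;` (or clamping payload_len to pkt->len) would make that invariant explicit and turn a missed header update into a warning rather than a tap skb that claims more payload than the source skb holds.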




* [PATCH 6.6 467/474] vsock/virtio: fix potential unbounded skb queue
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (465 preceding siblings ...)
  2026-05-15 15:49 ` [PATCH 6.6 466/474] vsock/virtio: fix length and offset in tap skb for split packets Greg Kroah-Hartman
@ 2026-05-15 15:49 ` Greg Kroah-Hartman
  2026-05-15 15:49 ` [PATCH 6.6 468/474] drm/amdgpu/vcn3: Avoid overflow on msg bound check Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Arseniy Krasnov,
	Stefan Hajnoczi, Stefano Garzarella, Michael S. Tsirkin,
	Jason Wang, Xuan Zhuo, Eugenio Pérez, virtualization,
	Jakub Kicinski, Luigi Leonardi

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 059b7dbd20a6f0c539a45ddff1573cb8946685b5 upstream.

virtio_transport_inc_rx_pkt() checks vvs->rx_bytes + len > vvs->buf_alloc.

virtio_transport_recv_enqueue() skips coalescing for packets
with VIRTIO_VSOCK_SEQ_EOM.

If fed with packets with len == 0 and VIRTIO_VSOCK_SEQ_EOM,
a very large number of packets can be queued
because vvs->rx_bytes stays at 0.

Fix this by estimating the skb metadata size:

	(Number of skbs in the queue) * SKB_TRUESIZE(0)

Fixes: 077706165717 ("virtio/vsock: don't use skbuff state to account credit")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Arseniy Krasnov <AVKrasnov@sberdevices.ru>
Cc: Stefan Hajnoczi <stefanha@redhat.com>
Cc: Stefano Garzarella <sgarzare@redhat.com>
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
Cc: "Eugenio Pérez" <eperezma@redhat.com>
Cc: virtualization@lists.linux.dev
Link: https://patch.msgid.link/20260430122653.554058-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[LL: Fixed conflict since this tree does not use buf_used added by commit
 45ca7e9f0730 ("vsock/virtio: fix `rx_bytes` accounting for stream sockets")]
Signed-off-by: Luigi Leonardi <leonardi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/vmw_vsock/virtio_transport_common.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/vmw_vsock/virtio_transport_common.c
+++ b/net/vmw_vsock/virtio_transport_common.c
@@ -283,7 +283,9 @@ static int virtio_transport_send_pkt_inf
 static bool virtio_transport_inc_rx_pkt(struct virtio_vsock_sock *vvs,
 					u32 len)
 {
-	if (vvs->rx_bytes + len > vvs->buf_alloc)
+	u64 skb_overhead = (skb_queue_len(&vvs->rx_queue) + 1) * SKB_TRUESIZE(0);
+
+	if (skb_overhead + vvs->rx_bytes + len > vvs->buf_alloc)
 		return false;
 
 	vvs->rx_bytes += len;
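Review bot: the `+ 1` in skb_overhead deserves a comment saying it accounts for the skb being admitted now, not just those already on rx_queue; without it the constant reads like an off-by-one. Two consequences are worth documenting next to the check: buf_alloc is now shared between payload bytes and per-skb metadata, so the number of zero-length EOM packets a peer can park is bounded by roughly buf_alloc / SKB_TRUESIZE(0), and a peer that stays within the credit advertised from buf_alloc can still have a packet rejected here once overhead is counted, because the advertised credit does not subtract skb_overhead. Finally, skb_queue_len() is only a meaningful snapshot if this runs under the lock that protects rx_queue; the hunk does not show the caller, so that is worth confirming.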




* [PATCH 6.6 468/474] drm/amdgpu/vcn3: Avoid overflow on msg bound check
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (466 preceding siblings ...)
  2026-05-15 15:49 ` [PATCH 6.6 467/474] vsock/virtio: fix potential unbounded skb queue Greg Kroah-Hartman
@ 2026-05-15 15:49 ` Greg Kroah-Hartman
  2026-05-15 15:49 ` [PATCH 6.6 469/474] drm/amdgpu/vcn4: " Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, SDL, Benjamin Cheng, Ruijing Dong,
	Alex Deucher

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Benjamin Cheng <benjamin.cheng@amd.com>

commit e6e9faba8100628990cccd13f0f044a648c303cf upstream.

As pointed out by SDL, the previous condition may be vulnerable to
overflow.

Fixes: b193019860d6 ("drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg")
Cc: SDL <sdl@nppct.ru>
Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com>
Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit db00257ac9e4a51eb2515aaea161a019f7125e10)
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
@@ -1852,6 +1852,7 @@ static int vcn_v3_0_dec_msg(struct amdgp
 
 	for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) {
 		uint32_t offset, size, *create;
+		uint64_t buf_end;
 
 		if (msg[0] != RDECODE_MESSAGE_CREATE)
 			continue;
@@ -1859,7 +1860,8 @@ static int vcn_v3_0_dec_msg(struct amdgp
 		offset = msg[1];
 		size = msg[2];
 
-		if (size < 4 || offset + size > end - addr) {
+		if (size < 4 || check_add_overflow(offset, size, &buf_end) ||
+		    buf_end > end - addr) {
 			DRM_ERROR("VCN message buffer exceeds BO bounds!\n");
 			r = -EINVAL;
 			goto out;
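Review bot: with buf_end declared uint64_t and offset/size both uint32_t, check_add_overflow() can never report overflow: the kernel helper checks whether the exact sum fits the destination type, and u32 + u32 always fits in 64 bits. The protection actually comes from the comparison `buf_end > end - addr` being evaluated in 64-bit arithmetic, so the same effect is obtained more readably with `(uint64_t)offset + size > end - addr`. If an explicit overflow path is wanted instead, buf_end should be uint32_t so that an offset/size pair wrapping past 4 GiB is rejected as overflow rather than compared. Either form is correct; the current one just makes the reader think the helper is doing the work when the widening is.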




* [PATCH 6.6 469/474] drm/amdgpu/vcn4: Avoid overflow on msg bound check
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (467 preceding siblings ...)
  2026-05-15 15:49 ` [PATCH 6.6 468/474] drm/amdgpu/vcn3: Avoid overflow on msg bound check Greg Kroah-Hartman
@ 2026-05-15 15:49 ` Greg Kroah-Hartman
  2026-05-15 15:49 ` [PATCH 6.6 470/474] mtd: spi-nor: sst: Fix SST write failure Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, SDL, Benjamin Cheng, Ruijing Dong,
	Alex Deucher

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Benjamin Cheng <benjamin.cheng@amd.com>

commit 65bce27ea6192320448c30267ffc17ffa094e713 upstream.

As pointed out by SDL, the previous condition may be vulnerable to
overflow.

Fixes: 0a78f2bac142 ("drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg")
Cc: SDL <sdl@nppct.ru>
Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com>
Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 3c5367d950140d4ec7af830b2268a5a6fdaa3885)
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
@@ -1731,6 +1731,7 @@ static int vcn_v4_0_dec_msg(struct amdgp
 
 	for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) {
 		uint32_t offset, size, *create;
+		uint64_t buf_end;
 
 		if (msg[0] != RDECODE_MESSAGE_CREATE)
 			continue;
@@ -1738,7 +1739,8 @@ static int vcn_v4_0_dec_msg(struct amdgp
 		offset = msg[1];
 		size = msg[2];
 
-		if (size < 4 || offset + size > end - addr) {
+		if (size < 4 || check_add_overflow(offset, size, &buf_end) ||
+		    buf_end > end - addr) {
 			DRM_ERROR("VCN message buffer exceeds BO bounds!\n");
 			r = -EINVAL;
 			goto out;
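Review bot: same observation as for the vcn3 counterpart in this series: check_add_overflow() into a uint64_t from two uint32_t operands cannot fail, so the real guard is the 64-bit comparison on the next line; `(uint64_t)offset + size > end - addr` states that directly, or make buf_end uint32_t if an explicit overflow rejection is the intent. Keeping vcn_v3_0.c and vcn_v4_0.c textually identical is fine, but both should carry the same short comment explaining which mechanism prevents the wrap.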




* [PATCH 6.6 470/474] mtd: spi-nor: sst: Fix SST write failure
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (468 preceding siblings ...)
  2026-05-15 15:49 ` [PATCH 6.6 469/474] drm/amdgpu/vcn4: " Greg Kroah-Hartman
@ 2026-05-15 15:49 ` Greg Kroah-Hartman
  2026-05-15 15:49 ` [PATCH 6.6 471/474] Bluetooth: MGMT: Fix memory leak in set_ssp_complete Greg Kroah-Hartman
                   ` (4 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Amit Kumar Mahapatra, Pratyush Yadav,
	Tudor Ambarus, Bence Csókás

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Amit Kumar Mahapatra <amit.kumar-mahapatra@amd.com>

commit 539bd20352832b9244238a055eb169ccf1c41ff6 upstream.

'commit 18bcb4aa54ea ("mtd: spi-nor: sst: Factor out common write operation
to `sst_nor_write_data()`")' introduced a bug where only one byte of data
is written, regardless of the number of bytes passed to
sst_nor_write_data(), causing a kernel crash during the write operation.
Ensure the correct number of bytes are written as passed to
sst_nor_write_data().

Call trace:
[   57.400180] ------------[ cut here ]------------
[   57.404842] While writing 2 byte written 1 bytes
[   57.409493] WARNING: CPU: 0 PID: 737 at drivers/mtd/spi-nor/sst.c:187 sst_nor_write_data+0x6c/0x74
[   57.418464] Modules linked in:
[   57.421517] CPU: 0 UID: 0 PID: 737 Comm: mtd_debug Not tainted 6.12.0-g5ad04afd91f9 #30
[   57.429517] Hardware name: Xilinx Versal A2197 Processor board revA - x-prc-02 revA (DT)
[   57.437600] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[   57.444557] pc : sst_nor_write_data+0x6c/0x74
[   57.448911] lr : sst_nor_write_data+0x6c/0x74
[   57.453264] sp : ffff80008232bb40
[   57.456570] x29: ffff80008232bb40 x28: 0000000000010000 x27: 0000000000000001
[   57.463708] x26: 000000000000ffff x25: 0000000000000000 x24: 0000000000000000
[   57.470843] x23: 0000000000010000 x22: ffff80008232bbf0 x21: ffff000816230000
[   57.477978] x20: ffff0008056c0080 x19: 0000000000000002 x18: 0000000000000006
[   57.485112] x17: 0000000000000000 x16: 0000000000000000 x15: ffff80008232b580
[   57.492246] x14: 0000000000000000 x13: ffff8000816d1530 x12: 00000000000004a4
[   57.499380] x11: 000000000000018c x10: ffff8000816fd530 x9 : ffff8000816d1530
[   57.506515] x8 : 00000000fffff7ff x7 : ffff8000816fd530 x6 : 0000000000000001
[   57.513649] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
[   57.520782] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0008049b0000
[   57.527916] Call trace:
[   57.530354]  sst_nor_write_data+0x6c/0x74
[   57.534361]  sst_nor_write+0xb4/0x18c
[   57.538019]  mtd_write_oob_std+0x7c/0x88
[   57.541941]  mtd_write_oob+0x70/0xbc
[   57.545511]  mtd_write+0x68/0xa8
[   57.548733]  mtdchar_write+0x10c/0x290
[   57.552477]  vfs_write+0xb4/0x3a8
[   57.555791]  ksys_write+0x74/0x10c
[   57.559189]  __arm64_sys_write+0x1c/0x28
[   57.563109]  invoke_syscall+0x54/0x11c
[   57.566856]  el0_svc_common.constprop.0+0xc0/0xe0
[   57.571557]  do_el0_svc+0x1c/0x28
[   57.574868]  el0_svc+0x30/0xcc
[   57.577921]  el0t_64_sync_handler+0x120/0x12c
[   57.582276]  el0t_64_sync+0x190/0x194
[   57.585933] ---[ end trace 0000000000000000 ]---

Cc: stable@vger.kernel.org
Fixes: 18bcb4aa54ea ("mtd: spi-nor: sst: Factor out common write operation to `sst_nor_write_data()`")
Signed-off-by: Amit Kumar Mahapatra <amit.kumar-mahapatra@amd.com>
Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
Reviewed-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Reviewed-by: Bence Csókás <csokas.bence@prolan.hu>
[pratyush@kernel.org: add Cc stable tag]
Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
Link: https://lore.kernel.org/r/20250213054546.2078121-1-amit.kumar-mahapatra@amd.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mtd/spi-nor/sst.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/mtd/spi-nor/sst.c
+++ b/drivers/mtd/spi-nor/sst.c
@@ -130,7 +130,7 @@ static int sst_nor_write_data(struct spi
 	int ret;
 
 	nor->program_opcode = op;
-	ret = spi_nor_write_data(nor, to, 1, buf);
+	ret = spi_nor_write_data(nor, to, len, buf);
 	if (ret < 0)
 		return ret;
 	WARN(ret != len, "While writing %zu byte written %i bytes\n", len, ret);
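Review bot: the WARN on `ret != len` at the end of the hunk is what caught the original bug, but in the visible lines a short write still only warns and continues; since the caller advances through the data by len, a genuine short program would leave a gap in flash with nothing but a splat to show for it. Returning an error (for example `-EIO` when `ret != len`) would be safer than the warning alone. Note also that the trace quoted in the commit message is a WARNING splat rather than a crash; it becomes fatal only on systems booting with panic_on_warn.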




* [PATCH 6.6 471/474] Bluetooth: MGMT: Fix memory leak in set_ssp_complete
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (469 preceding siblings ...)
  2026-05-15 15:49 ` [PATCH 6.6 470/474] mtd: spi-nor: sst: Fix SST write failure Greg Kroah-Hartman
@ 2026-05-15 15:49 ` Greg Kroah-Hartman
  2026-05-15 15:49 ` [PATCH 6.6 472/474] crypto: nx - fix context leak in nx842_crypto_free_ctx Greg Kroah-Hartman
                   ` (3 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jianpeng Chang,
	Luiz Augusto von Dentz

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jianpeng Chang <jianpeng.chang.cn@windriver.com>

commit 1b9c17fd0a7fdcbe69ec5d6fe8e50bc5ed7f01f2 upstream.

Fix memory leak in set_ssp_complete() where mgmt_pending_cmd structures
are not freed after being removed from the pending list.

Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") replaced
mgmt_pending_foreach() calls with individual command handling but missed
adding mgmt_pending_free() calls in both error and success paths of
set_ssp_complete(). Other completion functions like set_le_complete()
were fixed correctly in the same commit.

This causes a memory leak of the mgmt_pending_cmd structure and its
associated parameter data for each SSP command that completes.

Add the missing mgmt_pending_free(cmd) calls in both code paths to fix
the memory leak. Also fix the same issue in set_advertising_complete().

Fixes: 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs")
Signed-off-by: Jianpeng Chang <jianpeng.chang.cn@windriver.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/mgmt.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -1937,6 +1937,7 @@ static void set_ssp_complete(struct hci_
 		}
 
 		mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_err);
+		mgmt_pending_free(cmd);
 		return;
 	}
 
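Review bot: mgmt_pending_free(cmd) in this error block is correct only if cmd has already been unlinked from the hdev pending list (the commit message says it was removed earlier, though that happens outside the hunk); if any path reaches here with cmd still linked, the free leaves a dangling list entry, which is exactly the failure mode patch 473/474 in this series fixes for mgmt_add_adv_patterns_monitor_complete. A comment pointing at where the unlink happens, or an assertion that cmd is no longer on the list, would make the ownership clear at the free site.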
@@ -1955,6 +1956,7 @@ static void set_ssp_complete(struct hci_
 		sock_put(match.sk);
 
 	hci_update_eir_sync(hdev);
+	mgmt_pending_free(cmd);
 }
 
 static int set_ssp_sync(struct hci_dev *hdev, void *data)
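Review bot: the free now sits after sock_put(match.sk) and hci_update_eir_sync(hdev), which is fine since neither touches cmd in the visible lines, but both exits of set_ssp_complete() now end in the same mgmt_pending_free(cmd); a single exit label would stop the two paths drifting apart again, which is how the error path lost its free in 302a1f674c00 in the first place.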
@@ -6452,6 +6454,7 @@ static void set_advertising_complete(str
 		hci_dev_clear_flag(hdev, HCI_ADVERTISING);
 
 	settings_rsp(cmd, &match);
+	mgmt_pending_free(cmd);
 
 	new_settings(hdev, match.sk);
 
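Review bot: freeing cmd before new_settings(hdev, match.sk) is only safe because settings_rsp() takes its own reference on the socket it stores in match.sk (the earlier hunk in this patch shows that reference being dropped with sock_put(match.sk)), so match.sk does not turn into a dangling cmd->sk here; a short comment stating that would stop someone from "fixing" the order later.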




* [PATCH 6.6 472/474] crypto: nx - fix context leak in nx842_crypto_free_ctx
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (470 preceding siblings ...)
  2026-05-15 15:49 ` [PATCH 6.6 471/474] Bluetooth: MGMT: Fix memory leak in set_ssp_complete Greg Kroah-Hartman
@ 2026-05-15 15:49 ` Greg Kroah-Hartman
  2026-05-15 15:49 ` [PATCH 6.6 473/474] Bluetooth: MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete Greg Kroah-Hartman
                   ` (2 subsequent siblings)
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Ard Biesheuvel,
	Herbert Xu

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thorsten Blum <thorsten.blum@linux.dev>

commit 344e6a4f7ff4756b9b3f75e0eb7eaec297e35540 upstream.

Since the scomp conversion, nx842_crypto_alloc_ctx() allocates the
context separately, but nx842_crypto_free_ctx() never releases it. Add
the missing kfree(ctx) to nx842_crypto_free_ctx(), and reuse
nx842_crypto_free_ctx() in the allocation error path.

Fixes: 980b5705f4e7 ("crypto: nx - Migrate to scomp API")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/crypto/nx/nx-842.c |    6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/crypto/nx/nx-842.c
+++ b/drivers/crypto/nx/nx-842.c
@@ -115,10 +115,7 @@ void *nx842_crypto_alloc_ctx(struct nx84
 	ctx->sbounce = (u8 *)__get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER);
 	ctx->dbounce = (u8 *)__get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER);
 	if (!ctx->wmem || !ctx->sbounce || !ctx->dbounce) {
-		kfree(ctx->wmem);
-		free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER);
-		free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER);
-		kfree(ctx);
+		nx842_crypto_free_ctx(ctx);
 		return ERR_PTR(-ENOMEM);
 	}
 
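Review bot: the consolidated error path now calls nx842_crypto_free_ctx() with any of wmem/sbounce/dbounce possibly NULL; that is safe because kfree(NULL) is a no-op and free_pages() ignores a zero address, so behaviour matches the four lines removed. Since the definition of nx842_crypto_free_ctx() follows this call in the same file (the next hunk is at line ~130), the call relies on a prototype from the header, which is worth confirming. The one behavioural change is that the context's own kfree() now happens inside the helper, so nothing may touch ctx after the call; the immediate `return ERR_PTR(-ENOMEM);` respects that.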
@@ -133,6 +130,7 @@ void nx842_crypto_free_ctx(void *p)
 	kfree(ctx->wmem);
 	free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER);
 	free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER);
+	kfree(ctx);
 }
 EXPORT_SYMBOL_GPL(nx842_crypto_free_ctx);
 
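Review bot: with kfree(ctx) added, nx842_crypto_free_ctx() owns the full lifetime of the context for the first time since the scomp conversion; any caller that had been freeing the context itself to work around the leak would now double free, so the scomp free_ctx users of this export should be checked alongside this change. The free order (wmem, bounce pages, then ctx last) is the right one since the pointers live inside ctx.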




* [PATCH 6.6 473/474] Bluetooth: MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (471 preceding siblings ...)
  2026-05-15 15:49 ` [PATCH 6.6 472/474] crypto: nx - fix context leak in nx842_crypto_free_ctx Greg Kroah-Hartman
@ 2026-05-15 15:49 ` Greg Kroah-Hartman
  2026-05-15 15:49 ` [PATCH 6.6 474/474] smb: client: use kzalloc to zero-initialize security descriptor buffer Greg Kroah-Hartman
  2026-05-15 19:21 ` [PATCH 6.6 000/474] 6.6.140-rc1 review Wentao Guan
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Paul Menzel

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

commit 5f5fa4cd35f707344f65ce9e225b6528691dbbaa upstream.

This fixes the condition checking so mgmt_pending_valid is executed
whenever status != -ECANCELED; otherwise, calling mgmt_pending_free(cmd)
would kfree(cmd) without unlinking it from the list first, leaving a
dangling pointer. Any subsequent list traversal (e.g.,
mgmt_pending_foreach during __mgmt_power_off, or another
mgmt_pending_valid call) would dereference freed memory.

Link: https://lore.kernel.org/linux-bluetooth/20260315132013.75ab40c5@kernel.org/T/#m1418f9c82eeff8510c1beaa21cf53af20db96c06
Fixes: 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/mgmt.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -5332,7 +5332,7 @@ static void mgmt_add_adv_patterns_monito
 	 * hci_adv_monitors_clear is about to be called which will take care of
 	 * freeing the adv_monitor instances.
 	 */
-	if (status == -ECANCELED && !mgmt_pending_valid(hdev, cmd))
+	if (status == -ECANCELED || !mgmt_pending_valid(hdev, cmd))
 		return;
 
 	monitor = cmd->user_data;
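Review bot: with `||`, an -ECANCELED completion now returns before mgmt_pending_valid() is called at all, so cmd is neither unlinked nor freed here; the comment above only explains why the adv_monitor instances need no cleanup and should also say who owns cmd in that case (presumably the path that raised -ECANCELED), otherwise the early return reads like a leak. The old `&&` was strictly worse: any non-cancelled completion skipped the validity check and went on to free a cmd that might still be linked, which is the dangling pointer described in the commit message.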




* [PATCH 6.6 474/474] smb: client: use kzalloc to zero-initialize security descriptor buffer
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (472 preceding siblings ...)
  2026-05-15 15:49 ` [PATCH 6.6 473/474] Bluetooth: MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete Greg Kroah-Hartman
@ 2026-05-15 15:49 ` Greg Kroah-Hartman
  2026-05-15 19:21 ` [PATCH 6.6 000/474] 6.6.140-rc1 review Wentao Guan
  474 siblings, 0 replies; 476+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-15 15:49 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Bjoern Doebel, Steve French

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bjoern Doebel <doebel@amazon.de>

commit 5e489c6c47a2ac15edbaca153b9348e42c1eacab upstream.

Commit 62e7dd0a39c2d ("smb: common: change the data type of num_aces
to le16") split struct smb_acl's __le32 num_aces field into __le16
num_aces and __le16 reserved. The reserved field corresponds to Sbz2
in the MS-DTYP ACL wire format, which must be zero [1].

When building an ACL descriptor in build_sec_desc(), we are using a
kmalloc()'ed descriptor buffer and writing the fields explicitly using
le16() writes now. This never writes to the 2 byte reserved field,
leaving it as uninitialized heap data.

When the reserved field happens to contain non-zero slab garbage,
Samba rejects the security descriptor with "ndr_pull_security_descriptor
failed: Range Error", causing chmod to fail with EINVAL.

Change kmalloc() to kzalloc() to ensure the entire buffer is
zero-initialized.

Fixes: 62e7dd0a39c2d ("smb: common: change the data type of num_aces to le16")
Cc: stable@vger.kernel.org

Signed-off-by: Bjoern Doebel <doebel@amazon.de>
Assisted-by: Kiro:claude-opus-4.6
[1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/smb/client/cifsacl.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/smb/client/cifsacl.c
+++ b/fs/smb/client/cifsacl.c
@@ -1766,7 +1766,7 @@ id_mode_to_cifs_acl(struct inode *inode,
 	 * descriptor parameters, and security descriptor itself
 	 */
 	nsecdesclen = max_t(u32, nsecdesclen, DEFAULT_SEC_DESC_LEN);
-	pnntsd = kmalloc(nsecdesclen, GFP_KERNEL);
+	pnntsd = kzalloc(nsecdesclen, GFP_KERNEL);
 	if (!pnntsd) {
 		kfree(pntsd);
 		cifs_put_tlink(tlink);
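Review bot: kzalloc() fixes the uninitialized 2-byte reserved field, but the commit message undersells it: uninitialized slab bytes were being written into a descriptor that is sent to the server, so this also closes a small kernel heap disclosure, not just a Samba interop failure. A narrower alternative would be to set the reserved field to 0 where build_sec_desc() fills in num_aces; zeroing the whole nsecdesclen buffer costs little here (it is at least DEFAULT_SEC_DESC_LEN, per the line above the change) and also covers any other field the explicit le16 writes miss, so kzalloc() is the better choice.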




* Re: [PATCH 6.6 000/474] 6.6.140-rc1 review
  2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
                   ` (473 preceding siblings ...)
  2026-05-15 15:49 ` [PATCH 6.6 474/474] smb: client: use kzalloc to zero-initialize security descriptor buffer Greg Kroah-Hartman
@ 2026-05-15 19:21 ` Wentao Guan
  474 siblings, 0 replies; 476+ messages in thread
From: Wentao Guan @ 2026-05-15 19:21 UTC (permalink / raw)
  To: gregkh
  Cc: achill, akpm, broonie, conor, f.fainelli, hargar, jonathanh,
	linux-kernel, linux, lkft-triage, patches, patches, pavel,
	rwarsow, shuah, sr, stable, sudipm.mukherjee, torvalds,
	Wentao Guan

Build tested in our x86, arm64, loongarch, riscv config successfully without error.

Tested-by: Wentao Guan <guanwentao@uniontech.com>

BRs
Wentao Guan

Log:
Linux version 6.6.140-rc1-arm64-desktop-hwe-g7a0265922ac4-dirty (guanwentao@uos-PC) (aarch64-linux-gnu-gcc-12 (Deepin 12.3.0-17deepin8) 12.3.0, GNU ld (GNU Binutils for Deepin) 2.41) # SMP PREEMPT
Linux version 6.6.140-rc1-arm64-desktop-hwe-g7a0265922ac4-dirty (guanwentao@uos-PC) (aarch64-linux-gnu-gcc-12 (Deepin 12.3.0-17deepin8) 12.3.0, GNU ld (GNU Binutils for Deepin) 2.41) #25.01.01.23 SMP PREEMPT Sat May 16 02:47:56 CST 2026
Linux version 6.6.140-rc1-loong64-desktop-hwe-g7a0265922ac4-dirty (guanwentao@uos-PC) (loongarch64-linux-gnu-gcc-12 (Deepin 12.3.0-17deepin8) 12.3.0, GNU ld (GNU Binutils for Deepin) 2.41) # SMP PREEMPT
Linux version 6.6.140-rc1-loong64-desktop-hwe-g7a0265922ac4-dirty (guanwentao@uos-PC) (loongarch64-linux-gnu-gcc-12 (Deepin 12.3.0-17deepin8) 12.3.0, GNU ld (GNU Binutils for Deepin) 2.41) #25.01.01.23 SMP PREEMPT Sat May 16 03:02:51 CST 2026
Linux version 6.6.140-rc1-riscv64-desktop-hwe+ (guanwentao@uos-PC) (riscv64-linux-gnu-gcc-12 (Deepin 12.3.0-17deepin8) 12.3.0, GNU ld (GNU Binutils for Deepin) 2.41) # SMP
Linux version 6.6.140-rc1-riscv64-desktop-hwe+ (guanwentao@uos-PC) (riscv64-linux-gnu-gcc-12 (Deepin 12.3.0-17deepin8) 12.3.0, GNU ld (GNU Binutils for Deepin) 2.41) #25.01.01.23 SMP Sat May 16 03:17:21 CST 2026
Linux version 6.6.140-rc1-amd64-desktop-hwe-g7a0265922ac4-dirty (guanwentao@uos-PC) (gcc (Deepin 12.3.0-17deepin15) 12.3.0, GNU ld (GNU Binutils for Deepin) 2.41) # SMP PREEMPT_DYNAMIC
Linux version 6.6.140-rc1-amd64-desktop-hwe-g7a0265922ac4-dirty (guanwentao@uos-PC) (gcc (Deepin 12.3.0-17deepin15) 12.3.0, GNU ld (GNU Binutils for Deepin) 2.41) #25.01.01.23 SMP PREEMPT_DYNAMIC Sat May 16 02:31:39 CST 2026


Thread overview: 476+ messages
2026-05-15 15:41 [PATCH 6.6 000/474] 6.6.140-rc1 review Greg Kroah-Hartman
2026-05-15 15:41 ` [PATCH 6.6 001/474] ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES Greg Kroah-Hartman
2026-05-15 15:41 ` [PATCH 6.6 002/474] ALSA: usb-audio: Avoid false E-MU sample-rate notifications Greg Kroah-Hartman
2026-05-15 15:41 ` [PATCH 6.6 003/474] ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch Greg Kroah-Hartman
2026-05-15 15:41 ` [PATCH 6.6 004/474] usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable() Greg Kroah-Hartman
2026-05-15 15:41 ` [PATCH 6.6 005/474] usb: chipidea: otg: not wait vbus drop if use role_switch Greg Kroah-Hartman
2026-05-15 15:41 ` [PATCH 6.6 006/474] usb: chipidea: core: allow ci_irq_handler() handle both ID and VBUS change Greg Kroah-Hartman
2026-05-15 15:41 ` [PATCH 6.6 007/474] ALSA: usb-audio: Evaluate packsize caps at the right place Greg Kroah-Hartman
2026-05-15 15:41 ` [PATCH 6.6 008/474] drm/nouveau: fix u32 overflow in pushbuf reloc bounds check Greg Kroah-Hartman
2026-05-15 15:41 ` [PATCH 6.6 009/474] leds: qcom-lpg: Check for array overflow when selecting the high resolution Greg Kroah-Hartman
2026-05-15 15:41 ` [PATCH 6.6 010/474] misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt() Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 011/474] ibmasm: fix OOB reads in command_file_write due to missing size checks Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 012/474] ibmasm: fix heap over-read in ibmasm_send_i2o_message() Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 013/474] firmware: google: framebuffer: Do not mark framebuffer as busy Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 014/474] Bluetooth: MGMT: Fix possible UAFs Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 015/474] padata: Fix pd UAF once and for all Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 016/474] padata: Remove comment for reorder_work Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 017/474] drm/amdgpu: Use vmemdup_array_user in amdgpu_bo_create_list_entry_array Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 018/474] drm/amdgpu: Limit BO list entry count to prevent resource exhaustion Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 019/474] regset: use kvzalloc() for regset_get_alloc() Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 020/474] device property: Make modifications of fwnode "flags" thread safe Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 021/474] ocfs2: split transactions in dio completion to avoid credit exhaustion Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 022/474] driver core: Dont let a device probe until its ready Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 023/474] LoongArch: Add spectre boundry for syscall dispatch table Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 024/474] zram: do not forget to endio for partial discard requests Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 025/474] wifi: rtw88: check for PCI upstream bridge existence Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 026/474] um: drivers: call kernel_strrchr() explicitly in cow_user.c Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 027/474] spi: imx: fix use-after-free on unbind Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 028/474] f2fs: fix to detect potential corrupted nid in free_nid_list Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 029/474] crypto: pcrypt - Fix handling of MAY_BACKLOG requests Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 030/474] of: unittest: fix use-after-free in testdrv_probe() Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 031/474] media: amphion: Fix race between m2m job_abort and device_run Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 032/474] ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names() Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 033/474] net: caif: clear client service pointer on teardown Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 034/474] net: strparser: fix skb_head leak in strp_abort_strp() Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 035/474] media: mtk-jpeg: fix use-after-free in release path due to uncancelled work Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 036/474] PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 037/474] Revert "ALSA: usb: Increase volume range that triggers a warning" Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 038/474] lib/ts_kmp: fix integer overflow in pattern length calculation Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 039/474] media: i2c: imx219: Check return value of devm_gpiod_get_optional() in imx219_probe() Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 040/474] net: qrtr: ns: Fix use-after-free in driver remove() Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 041/474] ext2: reject inodes with zero i_nlink and valid mode in ext2_iget() Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 042/474] ALSA: aoa: i2sbus: fix OF node lifetime handling Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 043/474] ALSA: ctxfi: Add fallback to default RSR for S/PDIF Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 044/474] ALSA: seq_oss: return full count for successful SEQ_FULLSIZE writes Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 045/474] erofs: fix the out-of-bounds nameoff handling for trailing dirents Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 046/474] md/raid10: fix deadlock with check operation and nowait requests Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 047/474] mfd: stpmic1: Attempt system shutdown twice in case PMIC is confused Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 048/474] nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4 Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 049/474] nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 050/474] parisc: _llseek syscall is only available for 32-bit userspace Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 051/474] remoteproc: xlnx: Only access buffer information if IPI is buffered Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 052/474] selftests/mqueue: Fix incorrectly named file Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 053/474] rbd: fix null-ptr-deref when device_add_disk() fails Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 054/474] io_uring/timeout: check unused sqe fields Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 055/474] iio: adc: ti-ads7950: use iio_push_to_buffers_with_ts_unaligned() Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 056/474] io_uring/poll: fix signed comparison in io_poll_get_ownership() Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 057/474] io_uring/poll: ensure EPOLL_ONESHOT is propagated for EPOLL_URING_WAKE Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 058/474] ALSA: core: Fix potential data race at fasync handling Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 059/474] ALSA: caiaq: Fix control_put() result and cache rollback Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 060/474] ALSA: caiaq: Handle probe errors properly Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 061/474] ALSA: 6fire: Fix input volume change detection Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 062/474] ALSA: pcmtest: fix reference leak on failed device registration Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 063/474] ALSA: pcmtest: Fix resource leaks in module init error paths Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 064/474] iio: adc: ad7768-1: fix one-shot mode data acquisition Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 065/474] rxrpc: Fix memory leaks in rxkad_verify_response() Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 066/474] rxrpc: Fix rxkad crypto unalignment handling Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 067/474] rxrpc: Fix re-decryption of RESPONSE packets Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 068/474] tools/accounting: handle truncated taskstats netlink messages Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 069/474] net: qrtr: ns: Free the node during ctrl_cmd_bye() Greg Kroah-Hartman
2026-05-15 15:42 ` [PATCH 6.6 070/474] net: rds: fix MR cleanup on copy error Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 071/474] net: txgbe: fix firmware version check Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 072/474] net/smc: avoid early lgr access in smc_clc_wait_msg Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 073/474] net: ks8851: Reinstate disabling of BHs around IRQ handler Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 074/474] net: ks8851: Avoid excess softirq scheduling Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 075/474] drm/arcpgu: fix device node leak Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 076/474] RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 077/474] ipv4: icmp: validate reply type before using icmp_pointers Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 078/474] libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply() Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 079/474] extract-cert: Wrap key_pass with #ifdef USE_PKCS11_ENGINE Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 080/474] tpm: avoid -Wunused-but-set-variable Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 081/474] LoongArch: Show CPU vulnerabilites correctly Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 082/474] power: supply: axp288_charger: Do not cancel work before initializing it Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 083/474] randomize_kstack: Maintain kstack_offset per task Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 084/474] mmc: block: use single block write in retry Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 085/474] mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 086/474] arm64: dts: ti: am62-verdin: Enable pullup for eMMC data pins Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 087/474] crypto: talitos - fix SEC1 32k ahash request limitation Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 088/474] crypto: talitos - rename first/last to first_desc/last_desc Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 089/474] tpm: tpm_tis: add error logging for data transfer Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 090/474] tpm: tpm_tis: stop transmit if retries are exhausted Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 091/474] rtc: ntxec: fix OF node reference imbalance Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 092/474] mm/damon/core: use time_in_range_open() for damos quota window start Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 093/474] userfaultfd: allow registration of ranges below mmap_min_addr Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 094/474] KVM: x86: Defer non-architectural deliver of exception payload to userspace read Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 095/474] KVM: nSVM: Mark all of vmcb02 dirty when restoring nested state Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 096/474] KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2 Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 097/474] KVM: nSVM: Sync interrupt shadow " Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 098/474] KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0 Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 099/474] KVM: SVM: Explicitly mark vmcb01 dirty after modifying VMCB intercepts Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 100/474] KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest mode Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 101/474] KVM: nSVM: Use vcpu->arch.cr2 when updating vmcb12 on nested #VMEXIT Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 102/474] KVM: nSVM: Always inject a #GP if mapping VMCB12 fails on nested VMRUN Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 103/474] KVM: nSVM: Clear GIF on nested #VMEXIT(INVALID) Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 104/474] KVM: nSVM: Clear EVENTINJ fields in vmcb12 on nested #VMEXIT Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 105/474] KVM: nSVM: Clear tracking of L1->L2 NMI and soft IRQ " Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 106/474] KVM: nSVM: Add missing consistency check for EFER, CR0, CR4, and CS Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 107/474] KVM: nSVM: Add missing consistency check for nCR3 validity Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 108/474] mtd: docg3: Convert to platform remove callback returning void Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 109/474] mtd: docg3: fix use-after-free in docg3_release() Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 110/474] io_uring/poll: fix multishot recv missing EOF on wakeup race Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 111/474] ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 112/474] ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all() Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 113/474] md/raid5: fix soft lockup in retry_aligned_read() Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 114/474] md/raid5: validate payload size before accessing journal metadata Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 115/474] inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 116/474] tcp: call sk_data_ready() after listener migration Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 117/474] taskstats: set version in TGID exit notifications Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 118/474] Bluetooth: hci_event: fix potential UAF in SSP passkey handlers Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 119/474] can: ucan: fix devres lifetime Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 120/474] crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as 64-bit Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 121/474] crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 122/474] crypto: atmel-ecc - Release client on allocation failure Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 123/474] crypto: hisilicon - Fix dma_unmap_single() direction Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 124/474] crypto: ccree - fix a memory leak in cc_mac_digest() Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 125/474] crypto: atmel-tdes - fix DMA sync direction Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 126/474] crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 127/474] dm mirror: fix integer overflow in create_dirty_log() Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 128/474] IB/core: Fix zero dmac race in neighbor resolution Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 129/474] ktest: Fix the month in the name of the failure directory Greg Kroah-Hartman
2026-05-15 15:43 ` [PATCH 6.6 130/474] ntfs3: add buffer boundary checks to run_unpack() Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 131/474] ntfs3: fix integer overflow in run_unpack() volume boundary check Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 132/474] rtmutex: Use waiter::task instead of current in remove_waiter() Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 133/474] scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 134/474] seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 135/474] crypto: authencesn - reject short ahash digests during instance creation Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 136/474] driver core: Add kernel-doc for DEV_FLAG_COUNT enum value Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 137/474] ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 138/474] ALSA: caiaq: Don't abort when no input device is available Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 139/474] ipv6: rpl: reserve mac_len headroom when recompressed SRH grows Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 140/474] drm/amdgpu: fix zero-size GDS range init on RDNA4 Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 141/474] ALSA: caiaq: fix usb_dev refcount leak on probe failure Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 142/474] net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 143/474] netfilter: reject zero shift in nft_bitwise Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 144/474] scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show() Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 145/474] ipmi: Add limits to event and receive message requests Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 146/474] ipmi: Check event message buffer response for bad data Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 147/474] ipmi:si: Return state to normal if message allocation fails Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 148/474] fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 149/474] ACPI: scan: Use acpi_dev_put() in object add error paths Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 150/474] ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 151/474] ACPI: video: force native backlight on HP OMEN 16 (8A44) Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 152/474] iommufd: Fix a race with concurrent allocation and unmap Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 153/474] ASoC: SOF: Don't allow pointer operations on unconfigured streams Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 154/474] spi: rockchip: fix controller deregistration Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 155/474] x86: shadow stacks: proper error handling for mmap lock Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 156/474] drm/amd/display: Do not skip unrelated mode changes in DSC validation Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 157/474] x86/shstk: Prevent deadlock during shstk sigreturn Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 158/474] spi: meson-spicc: Fix double-put in remove path Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 159/474] rxrpc: Fix potential UAF after skb_unshare() failure Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 160/474] ext4: validate p_idx bounds in ext4_ext_correct_indexes Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 161/474] rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 162/474] KVM: x86: Fix shadow paging use-after-free due to unexpected GFN Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 163/474] iommu/amd: Use atomic64_inc_return() in iommu.c Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 164/474] iommu/amd: serialize sequence allocation under concurrent TLB invalidations Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 165/474] net: Fix icmp host relookup triggering ip_rt_bug Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 166/474] flow_dissector: do not dissect PPPoE PFC frames Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 167/474] net: txgbe: fix RTNL assertion warning when remove module Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 168/474] dmaengine: idxd: Fix crash when the event log is disabled Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 169/474] dmaengine: idxd: Fix leaking event log memory Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 170/474] KVM: SVM: check validity of VMCB controls when returning from SMM Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 171/474] net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 172/474] bpf: support non-r10 register spill/fill to/from stack in precision tracking Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 173/474] selftests/bpf: add stack access precision test Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 174/474] bpf: preserve STACK_ZERO slots on partial reg spills Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 175/474] selftests/bpf: validate STACK_ZERO is preserved on subreg spill Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 176/474] bpf: preserve constant zero when doing partial register restore Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 177/474] selftests/bpf: validate zero preservation for sub-slot loads Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 178/474] bpf: track aligned STACK_ZERO cases as imprecise spilled registers Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 179/474] selftests/bpf: validate precision logic in partial_stack_load_preserves_zeros Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 180/474] bpf: handle fake register spill to stack with BPF_ST_MEM instruction Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 181/474] selftests/bpf: validate fake register spill/fill precision backtracking logic Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 182/474] bpf: Don't mark STACK_INVALID as STACK_MISC in mark_stack_slot_misc Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 183/474] exit: prevent preemption of oopsing TASK_DEAD task Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 184/474] wifi: mt76: mt7921: fix a potential clc buffer length underflow Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 185/474] wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 186/474] wifi: b43legacy: enforce bounds check on firmware key index in RX path Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 187/474] wifi: mac80211: drop stray static from fast-RX rx_result Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 188/474] wifi: rsi: fix kthread lifetime race between self-exit and external-stop Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 189/474] wifi: ath5k: do not access array OOB Greg Kroah-Hartman
2026-05-15 15:44 ` [PATCH 6.6 190/474] wifi: mac80211: remove station if connection prep fails Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 191/474] wifi: b43: enforce bounds check on firmware key index in b43_rx() Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 192/474] wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 193/474] usb: usblp: fix heap leak in IEEE 1284 device ID via short response Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 194/474] usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 195/474] ALSA: usb-audio: midi2: Restart output URBs on resume Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 196/474] ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3() Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 197/474] ALSA: usb-audio: Fix UAC3 cluster descriptor size check Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 198/474] USB: omap_udc: DMA: Don't enable burst 4 mode Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 199/474] USB: serial: option: add Telit Cinterion LE910Cx compositions Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 200/474] usb: ulpi: fix memory leak on ulpi_register() error paths Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 201/474] ALSA: firewire-tascam: Do not drop unread control events Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 202/474] powerpc/kdump: fix KASAN sanitization flag for core_$(BITS).o Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 203/474] xfrm: provide message size for XFRM_MSG_MAPPING Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 204/474] ipv6: xfrm6: release dst on error in xfrm6_rcv_encap() Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 205/474] selinux: don't reserve xattr slot when we won't fill it Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 206/474] selinux: shrink critical section in sel_write_load() Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 207/474] selinux: prune /sys/fs/selinux/disable Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 208/474] Bluetooth: virtio_bt: clamp rx length before skb_put Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 209/474] Bluetooth: virtio_bt: validate rx pkt_type header length Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 210/474] Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 211/474] Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb() Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 212/474] Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb() Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 213/474] spi: zynqmp-gqspi: fix controller deregistration Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 214/474] spi: s3c64xx: fix NULL-deref on driver unbind Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 215/474] staging: vme_user: fix root device leak on init failure Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 216/474] fanotify: fix false positive on permission events Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 217/474] mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show() Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 218/474] net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 219/474] sound: ua101: fix division by zero at probe Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 220/474] net: libwx: fix VF illegal register access Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 221/474] ip6_gre: Use cached t->net in ip6erspan_changelink() Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 222/474] net/rds: handle zerocopy send cleanup before the message is queued Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 223/474] net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 224/474] parisc: Fix IRQ leak in LASI driver Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 225/474] hwmon: (ltc2992) Clamp threshold writes to hardware range Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 226/474] hwmon: (ltc2992) Fix u32 overflow in power read path Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 227/474] clk: rk808: fix OF node reference imbalance Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 228/474] hwmon: (corsair-psu) Close HID device on probe errors Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 229/474] af_unix: Reject SIOCATMARK on non-stream sockets Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 230/474] block: add pgmap check to biovec_phys_mergeable Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 231/474] cifs: abort open_cached_dir if we don't request leases Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 232/474] cifs: change_conf needs to be called for session setup Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 233/474] extcon: ptn5150: handle pending IRQ events during system resume Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 234/474] gpio: of: clear OF_POPULATED on hog nodes in remove path Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 235/474] hv_sock: fix ARM64 support Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 236/474] ibmveth: Disable GSO for packets with small MSS Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 237/474] udf: reject descriptors with oversized CRC length Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 238/474] thermal/drivers/sprd: Fix temperature clamping in sprd_thm_temp_to_rawdata Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 239/474] thermal/drivers/sprd: Fix raw temperature clamping in sprd_thm_rawdata_to_temp Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 240/474] spi: topcliff-pch: fix use-after-free on unbind Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 241/474] clk: imx: imx8-acm: fix flags for acm clocks Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 242/474] clk: microchip: mpfs-ccc: fix out of bounds access during output registration Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 243/474] cpuidle: powerpc: avoid double clear when breaking snooze Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 244/474] ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk table Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 245/474] ASoC: fsl_easrc: fix comment typo Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 246/474] ASoC: Intel: bytcr_wm5102: Fix MCLK leak on platform_clock_control error Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 247/474] ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 248/474] ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 249/474] ASoC: qcom: q6apm: remove child devices when apm is removed Greg Kroah-Hartman
2026-05-15 15:45 ` [PATCH 6.6 250/474] btrfs: fix double free in create_space_info() error path Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 251/474] dm-thin: fix metadata refcount underflow Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 252/474] dm: don't report warning when doing deferred remove Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 253/474] dm: fix a buffer overflow in ioctl processing Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 254/474] eventfs: Hold eventfs_mutex and SRCU when remount walks events Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 255/474] dm-verity-fec: correctly reject too-small FEC devices Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 256/474] dm-verity-fec: correctly reject too-small hash devices Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 257/474] isofs: validate Rock Ridge CE continuation extent against volume size Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 258/474] isofs: validate block number from NFS file handle in isofs_export_iget Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 259/474] lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl() Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 260/474] lib/scatterlist: fix length calculations in extract_kvec_to_sg Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 261/474] lib/scatterlist: fix temp buffer in extract_user_to_sg() Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 262/474] libceph: Fix slab-out-of-bounds access in auth message processing Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 263/474] md/raid10: fix divide-by-zero in setup_geo() with zero far_copies Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 264/474] nvme-apple: drop invalid put of admin queue reference count Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 265/474] nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 266/474] openvswitch: vport: fix self-deadlock on release of tunnel ports Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 267/474] RDMA/hns: Fix unlocked call to hns_roce_qp_remove() Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 268/474] s390/debug: Reject zero-length input in debug_input_flush_fn() Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 269/474] smb/client: fix out-of-bounds read in smb2_compound_op() Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 270/474] smb/client: fix out-of-bounds read in symlink_data() Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 271/474] smb: client: validate dacloffset before building DACL pointers Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 272/474] KVM: x86: check for nEPT/nNPT in slow flush hypercalls Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 273/474] mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 274/474] PCI/AER: Clear only error bits in PCIe Device Status Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 275/474] PCI/AER: Stop ruling out unbound devices as error source Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 276/474] power: supply: max17042: avoid overflow when determining health Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 277/474] RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq() Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 278/474] RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init() Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 279/474] RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp() Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 280/474] RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 281/474] RDMA/rxe: Reject unknown opcodes before ICRC processing Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 282/474] RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 283/474] mptcp: fastclose msk when linger time is 0 Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 284/474] mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 285/474] mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 286/474] mptcp: sockopt: set timestamp flags on subflow socket, not msk Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 287/474] mptcp: fix scheduling with atomic in timestamp sockopt Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 288/474] f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode() Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 289/474] f2fs: fix fiemap boundary handling when read extent cache is incomplete Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 290/474] f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks() Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 291/474] f2fs: fix node_cnt race between extent node destroy and writeback Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 292/474] KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 293/474] KVM: arm64: Fix initialisation order in __pkvm_init_finalise() Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 294/474] LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang() Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 295/474] LoongArch: Use per-root-bridge PCIH flag to skip mem resource fixup Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 296/474] exit: Sleep at TASK_IDLE when waiting for application core dump Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 297/474] HID: playstation: Clamp num_touch_reports Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 298/474] media: uvcvideo: Enable VB2_DMABUF for metadata stream Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 299/474] media: i2c: ov8856: free control handler on error in ov8856_init_controls() Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 300/474] spi: bcm63xx: fix controller deregistration Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 301/474] spi: atmel: " Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 302/474] staging: media: atomisp: Disallow all private IOCTLs Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 303/474] regulator: mt6357: fix OF node reference imbalance Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 304/474] regulator: max77650: " Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 305/474] media: rc: xbox_remote: heed DMA restrictions Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 306/474] media: rc: streamzap: Error handling in probe Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 307/474] regulator: rk808: fix OF node reference imbalance Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 308/474] media: videobuf2: Set vma_flags in vb2_dma_sg_mmap Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 309/474] regulator: act8945a: fix OF node reference imbalance Greg Kroah-Hartman
2026-05-15 15:46 ` [PATCH 6.6 310/474] regulator: bd9571mwv: " Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 311/474] spi: lantiq-ssc: fix controller deregistration Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 312/474] spi: qup: " Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 313/474] spi: at91-usart: " Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 314/474] media: saa7164: add ioremap return checks and cleanups Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 315/474] platform/x86: hp-wmi: Ignore backlight and FnLock events Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 316/474] media: pci: zoran: fix potential memory leak in zoran_probe() Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 317/474] media: dib8000: avoid division by 0 in dib8000_set_dds() Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 318/474] media: i2c: imx412: Assert reset GPIO during probe Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 319/474] media: staging: imx: request mbus_config in csi_start Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 320/474] media: i2c: ov08d10: fix image vertical start setting Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 321/474] media: omap3isp: drop the use count of v4l2 pipeline Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 322/474] spi: dln2: fix controller deregistration Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 323/474] spi: s3c64xx: " Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 324/474] spi: fsl-espi: " Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 325/474] spi: omap2-mcspi: " Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 326/474] spi: mtk-nor: " Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 327/474] spi: sh-hspi: " Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 328/474] spi: fsl: " Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 329/474] spi: bcmbca-hsspi: " Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 330/474] spi: coldfire-qspi: " Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 331/474] spi: sprd: " Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 332/474] spi: rspi: " Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 333/474] spi: img-spfi: " Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 334/474] spi: imx: fix runtime pm leak on probe deferral Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 335/474] spi: orion: fix runtime pm leak on unbind Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 336/474] spi: orion: fix clock imbalance on registration failure Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 337/474] spi: mpc52xx: fix use-after-free on unbind Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 338/474] spi: cadence: fix controller deregistration Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 339/474] spi: cadence: fix unclocked access on unbind Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 340/474] drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 341/474] drm/amdkfd: Add upper bound check for num_of_nodes Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 342/474] drm/amdgpu: Add bounds checking to ib_{get,set}_value Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 343/474] drm/amdgpu/vcn4: Prevent OOB reads when parsing IB Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 344/474] drm/amdgpu/vce: Prevent partial address patches Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 345/474] drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 346/474] drm/amdgpu/vcn3: " Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 347/474] drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs() Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 348/474] drm/amdkfd: validate SVM ioctl nattr against buffer size Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 349/474] drm/radeon: add missing revision check for CI Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 350/474] drm/amdgpu: zero-initialize GART table on allocation Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 351/474] drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 352/474] drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 353/474] drm/amdgpu/pm: add missing revision check for CI Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 354/474] drm/amdgpu/pm: align Hawaii mclk workaround with radeon Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 355/474] sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 356/474] batman-adv: fix integer overflow on buff_pos Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 357/474] batman-adv: reject new tp_meter sessions during teardown Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 358/474] batman-adv: stop caching unowned originator pointers in BAT IV Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 359/474] batman-adv: bla: prevent use-after-free when deleting claims Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 360/474] batman-adv: bla: only purge non-released claims Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 361/474] batman-adv: bla: put backbone reference on failed claim hash insert Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 362/474] smb: move some duplicate definitions to common/smbacl.h Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 363/474] smb: common: change the data type of num_aces to le16 Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 364/474] ksmbd: require minimum ACE size in smb_check_perm_dacl() Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 365/474] smb: client: validate the whole DACL before rewriting it in cifsacl Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 366/474] f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io() Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 367/474] ksmbd: use msleep instaed of schedule_timeout_interruptible() Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 368/474] ksmbd: replace connection list with hash table Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 369/474] f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally Greg Kroah-Hartman
2026-05-15 15:47 ` [PATCH 6.6 370/474] wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup() Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 371/474] lib: test_hmm: evict device pages on file close to avoid use-after-free Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 372/474] arm64/mm: Enable batched TLB flush in unmap_hotplug_range() Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 373/474] wifi: mt76: connac: introduce helper for mt7925 chipset Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 374/474] wifi: mt76: mt792x: describe USB WFSYS reset with a descriptor Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 375/474] wifi: mt76: mt792x: fix mt7925u USB WFSYS reset handling Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 376/474] PCI: epf-mhi: Return 0, not remaining timeout, when eDMA ops complete Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 377/474] thermal: core: Fix thermal zone governor cleanup issues Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 378/474] ipmi:ssif: Fix a shutdown race Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 379/474] ipmi:ssif: Clean up kthread on errors Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 380/474] ALSA: aoa: Use guard() for mutex locks Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 381/474] ALSA: aoa: i2sbus: clear stale prepared state Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 382/474] media: rc: ttusbir: respect DMA coherency rules Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 383/474] ALSA: aoa: Skip devices with no codecs in i2sbus_resume() Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 384/474] media: rc: igorplugusb: heed coherency rules Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 385/474] block: relax pgmap check in bio_add_page for compatible zone device pages Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 386/474] sched: Use u64 for bandwidth ratio calculations Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 387/474] RDMA/mana_ib: Disable RX steering on RSS QP destroy Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 388/474] net: mctp: fix dont require received header reserved bits to be zero Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 389/474] net: bridge: use a stable FDB dst snapshot in RCU readers Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 390/474] net: qrtr: ns: Limit the maximum server registration per node Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 391/474] net: qrtr: ns: Limit the maximum number of lookups Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 392/474] net: qrtr: ns: Limit the total number of nodes Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 393/474] spi: fix resource leaks on device setup failure Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 394/474] fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 395/474] firmware: google: framebuffer: Do not unregister platform device Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 396/474] udf: fix partition descriptor append bookkeeping Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 397/474] mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 398/474] xfs: fix a resource leak in xfs_alloc_buftarg() Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 399/474] hfsplus: fix uninit-value by validating catalog record size Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 400/474] hfsplus: fix held lock freed on hfsplus_fill_super() Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 401/474] wifi: rtl8xxxu: fix potential use of uninitialized value Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 402/474] ksmbd: reset rcount per connection in ksmbd_conn_wait_idle_sess_id() Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 403/474] crypto: nx - Avoid -Wflex-array-member-not-at-end warning Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 404/474] crypto: nx - Migrate to scomp API Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 405/474] crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 406/474] erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap() Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 407/474] printk: add print_hex_dump_devel() Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 408/474] crypto: caam - guard HMAC key hex dumps in hash_digest_key Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 409/474] net: stmmac: avoid shadowing global buf_sz Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 410/474] net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY() Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 411/474] net: stmmac: Prevent NULL deref when RX memory exhausted Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 412/474] tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func() Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 413/474] ALSA: hda: cs35l56: Propagate ASP TX source control errors Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 414/474] ALSA: misc: Use guard() for spin locks Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 415/474] ALSA: core: Serialize deferred fasync state checks Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 416/474] ALSA: seq: Notify client and port info changes Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 417/474] ALSA: seq: Fix UMP group 16 filtering Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 418/474] net: ipv4: stop checking crypto_ahash_alignmask Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 419/474] net: ipv6: " Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 420/474] xfrm: ah: account for ESN high bits in async callbacks Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 421/474] xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 422/474] Bluetooth: hci_conn: fix potential UAF in create_big_sync Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 423/474] spi: synquacer: switch to use modern name Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 424/474] spi: syncuacer: fix controller deregistration Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 425/474] spi: sun4i: switch to use modern name Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 426/474] spi: sun4i: fix controller deregistration Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 427/474] spi: spi-ti-qspi: Convert to platform remove callback returning void Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 428/474] spi: spi-ti-qspi: switch to use modern name Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 429/474] spi: ti-qspi: fix controller deregistration Greg Kroah-Hartman
2026-05-15 15:48 ` [PATCH 6.6 430/474] spi: zynq-qspi: switch to use modern name Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 431/474] spi: zynq-qspi: Simplify clock handling with devm_clk_get_enabled() Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 432/474] spi: zynq-qspi: fix controller deregistration Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 433/474] spi: sun6i: switch to use modern name Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 434/474] spi: sun6i: fix controller deregistration Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 435/474] spi: tegra114: " Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 436/474] spi: tegra20-sflash: " Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 437/474] spi: uniphier: switch to use modern name Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 438/474] spi: uniphier: Simplify clock handling with devm_clk_get_enabled() Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 439/474] spi: uniphier: fix controller deregistration Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 440/474] mm/hugetlb_cma: round up per_node before logging it Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 441/474] spi: microchip-core-qspi: Use helper function devm_clk_get_enabled() Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 442/474] spi: microchip-core-qspi: fix controller deregistration Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 443/474] fbcon: Avoid OOB font access if console rotation fails Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 444/474] rxrpc: Fix conn-level packet handling to unshare RESPONSE packets Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 445/474] Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb() Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 446/474] bonding: fix use-after-free due to enslave fail after slave array update Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 447/474] mm/damon/core: disallow time-quota setting zero esz Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 448/474] rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 449/474] mm/damon/core: implement damon_kdamond_pid() Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 450/474] mm/damon/lru_sort: detect and use fresh enabled and kdamond_pid values Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 451/474] usb: typec: tcpm: reset internal port states on soft reset AMS Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 452/474] mm/damon/reclaim: detect and use fresh enabled and kdamond_pid values Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 453/474] ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 454/474] mtd: spi-nor: sst: Factor out common write operation to `sst_nor_write_data()` Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 455/474] mtd: spi-nor: sst: Fix write enable before AAI sequence Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 456/474] pwm: imx-tpm: Count the number of enabled channels in probe Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 457/474] batman-adv: stop tp_meter sessions during mesh teardown Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 458/474] batman-adv: tp_meter: fix tp_num leak on kmalloc failure Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 459/474] btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 460/474] tracing/probes: Limit size of event probe to 3K Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 461/474] usb: dwc3: Move GUID programming after PHY initialization Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 462/474] ceph: only d_add() negative dentries when they are unhashed Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 463/474] KVM: arm64: Wake-up from WFI when iqrchip is in userspace Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 464/474] vsock: fix buffer size clamping order Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 465/474] vsock/virtio: fix accept queue count leak on transport mismatch Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 466/474] vsock/virtio: fix length and offset in tap skb for split packets Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 467/474] vsock/virtio: fix potential unbounded skb queue Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 468/474] drm/amdgpu/vcn3: Avoid overflow on msg bound check Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 469/474] drm/amdgpu/vcn4: " Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 470/474] mtd: spi-nor: sst: Fix SST write failure Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 471/474] Bluetooth: MGMT: Fix memory leak in set_ssp_complete Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 472/474] crypto: nx - fix context leak in nx842_crypto_free_ctx Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 473/474] Bluetooth: MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete Greg Kroah-Hartman
2026-05-15 15:49 ` [PATCH 6.6 474/474] smb: client: use kzalloc to zero-initialize security descriptor buffer Greg Kroah-Hartman
2026-05-15 19:21 ` [PATCH 6.6 000/474] 6.6.140-rc1 review Wentao Guan
