October 2025 - Linux-stable-mirror

[PATCH 5.4.y] iommu/amd: Fix 2G+ memory-size overflow in unmap_sg()

by Jinhui Guo

Since npages is declared as int, shifting npages << PAGE_SHIFT for a 2 GB+ scatter-gather list overflows before reaching __unmap_single(), leading to incorrect unmapping. A 2 GB region equals 524,288 pages. The expression npages << PAGE_SHIFT yields 0x80000000, which exceeds INT32_MAX (0x7FFFFFFF). Casting to size_t therefore produces 0xFFFFFFFF80000000, an overflow value that breaks the unmap size calculation. Fix the overflow by casting npages to size_t before the PAGE_SHIFT left-shift. Fixes: 89736a0ee81d ("Revert "iommu/amd: Remove the leftover of bypass support"") Cc: stable(a)vger.kernel.org # 5.4 Signed-off-by: Jinhui Guo <guojinhui.liam(a)bytedance.com> --- Hi, We hit an IO_PAGE_FAULT on AMD with 5.4-stable when mapping a 2 GB scatter-gather list. The fault is caused by an overflow in unmap_sg(): on stable-5.4 the SG-mmap path was never moved to the IOMMU framework, so the bug exists only in this branch. Regards, Jinhui drivers/iommu/amd_iommu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c index a30aac41af42..60872d7be52b 100644 --- a/drivers/iommu/amd_iommu.c +++ b/drivers/iommu/amd_iommu.c @@ -2682,7 +2682,7 @@ static void unmap_sg(struct device *dev, struct scatterlist *sglist, dma_dom = to_dma_ops_domain(domain); npages = sg_num_pages(dev, sglist, nelems); - __unmap_single(dma_dom, startaddr, npages << PAGE_SHIFT, dir); + __unmap_single(dma_dom, startaddr, (size_t)npages << PAGE_SHIFT, dir); } /* -- 2.20.1

3 weeks, 1 day

2
1
0 0

[PATCH 1/3] KVM: arm64: Make ID_PFR1_EL1.GIC writable

by Marc Zyngier

Similarly to ID_AA64PFR0_EL1.GIC, relax ID_PFR1_EL1.GIC to be writable. Fixes: 5cb57a1aff755 ("KVM: arm64: Zero ID_AA64PFR0_EL1.GIC when no GICv3 is presented to the guest") Reported-by: Peter Maydell <peter.maydell(a)linaro.org> Signed-off-by: Marc Zyngier <maz(a)kernel.org> Cc: stable(a)vger.kernel.org --- arch/arm64/kvm/sys_regs.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/arch/arm64/kvm/sys_regs.c b/arch/arm64/kvm/sys_regs.c index b29f72478a50d..73dcefe51a3e7 100644 --- a/arch/arm64/kvm/sys_regs.c +++ b/arch/arm64/kvm/sys_regs.c @@ -2528,6 +2528,12 @@ static bool bad_redir_trap(struct kvm_vcpu *vcpu, .val = mask, \ } +#define AA32_ID_WRITABLE(name, mask) { \ + ID_DESC(name), \ + .visibility = aa32_id_visibility, \ + .val = mask, \ +} + /* sys_reg_desc initialiser for cpufeature ID registers that need filtering */ #define ID_FILTERED(sysreg, name, mask) { \ ID_DESC(sysreg), \ @@ -3040,7 +3046,7 @@ static const struct sys_reg_desc sys_reg_descs[] = { /* AArch64 mappings of the AArch32 ID registers */ /* CRm=1 */ AA32_ID_SANITISED(ID_PFR0_EL1), - AA32_ID_SANITISED(ID_PFR1_EL1), + AA32_ID_WRITABLE(ID_PFR1_EL1, ID_PFR1_EL1_GIC), { SYS_DESC(SYS_ID_DFR0_EL1), .access = access_id_reg, .get_user = get_id_reg, -- 2.47.3

3 weeks, 1 day

2
2
0 0

[PATCH] HID: amd_sfh: Stop sensor before starting

by Mario Limonciello (AMD)

Titas reports that the accelerometer sensor on their laptop only works after a warm boot or unloading/reloading the amd-sfh kernel module. Presumably the sensor is in a bad state on cold boot and failing to start, so explicitly stop it before starting. Cc: stable(a)vger.kernel.org Fixes: 93ce5e0231d79 ("HID: amd_sfh: Implement SFH1.1 functionality") Reported-by: Titas <novatitas366(a)gmail.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220670 Tested-by: Titas <novatitas366(a)gmail.com> Signed-off-by: Mario Limonciello (AMD) <superm1(a)kernel.org> --- drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c index 0a9b44ce4904e..b0bab2a1ddcc5 100644 --- a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c +++ b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c @@ -194,6 +194,8 @@ static int amd_sfh1_1_hid_client_init(struct amd_mp2_dev *privdata) if (rc) goto cleanup; + mp2_ops->stop(privdata, cl_data->sensor_idx[i]); + amd_sfh_wait_for_response(privdata, cl_data->sensor_idx[i], DISABLE_SENSOR); writel(0, privdata->mmio + amd_get_p2c_val(privdata, 0)); mp2_ops->start(privdata, info); status = amd_sfh_wait_for_response -- 2.43.0

3 weeks, 1 day

2
1
0 0

[PATCH] net: core: prevent NULL deref in generic_hwtstamp_ioctl_lower()

by Jiaming Zhang

The ethtool tsconfig Netlink path can trigger a null pointer dereference. A call chain such as: tsconfig_prepare_data() -> dev_get_hwtstamp_phylib() -> vlan_hwtstamp_get() -> generic_hwtstamp_get_lower() -> generic_hwtstamp_ioctl_lower() results in generic_hwtstamp_ioctl_lower() being called with kernel_cfg->ifr as NULL. The generic_hwtstamp_ioctl_lower() function does not expect a NULL ifr and dereferences it, leading to a system crash. Fix this by adding a NULL check for kernel_cfg->ifr in generic_hwtstamp_get/set_lower(). If ifr is NULL, return -EOPNOTSUPP to prevent the call to the legacy IOCTL helper. Fixes: 6e9e2eed4f39 ("net: ethtool: Add support for tsconfig command to get/set hwtstamp config") Closes: https://lore.kernel.org/lkml/cd6a7056-fa6d-43f8-b78a-f5e811247ba8@linux.dev… Signed-off-by: Jiaming Zhang <r772577952(a)gmail.com> --- net/core/dev_ioctl.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c index ad54b12d4b4c..39eaf6ba981a 100644 --- a/net/core/dev_ioctl.c +++ b/net/core/dev_ioctl.c @@ -474,6 +474,10 @@ int generic_hwtstamp_get_lower(struct net_device *dev, return err; } + /* Netlink path with unconverted driver */ + if (!kernel_cfg->ifr) + return -EOPNOTSUPP; + /* Legacy path: unconverted lower driver */ return generic_hwtstamp_ioctl_lower(dev, SIOCGHWTSTAMP, kernel_cfg); } @@ -498,6 +502,10 @@ int generic_hwtstamp_set_lower(struct net_device *dev, return err; } + /* Netlink path with unconverted driver */ + if (!kernel_cfg->ifr) + return -EOPNOTSUPP; + /* Legacy path: unconverted lower driver */ return generic_hwtstamp_ioctl_lower(dev, SIOCSHWTSTAMP, kernel_cfg); } -- 2.34.1

3 weeks, 1 day

3
4
0 0

[PATCH 2/2] drm/sched: Use proper locks for drm_sched_job_init()

by Philipp Stanner

drm_sched_job_init() is just racing when checking an entity's runqueue, without taking the proper spinlock. Add the lock. Cc: stable(a)vger.kernel.org # 6.7+ Fixes: 56e449603f0a ("drm/sched: Convert the GPU scheduler to variable number of run-queues") Signed-off-by: Philipp Stanner <phasta(a)kernel.org> --- drivers/gpu/drm/scheduler/sched_main.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/scheduler/sched_main.c b/drivers/gpu/drm/scheduler/sched_main.c index 7f938f491b6f..30028054385f 100644 --- a/drivers/gpu/drm/scheduler/sched_main.c +++ b/drivers/gpu/drm/scheduler/sched_main.c @@ -799,7 +799,12 @@ int drm_sched_job_init(struct drm_sched_job *job, u32 credits, void *owner, uint64_t drm_client_id) { - if (!entity->rq) { + struct drm_sched_rq *rq; + + spin_lock(&entity->lock); + rq = entity->rq; + spin_unlock(&entity->lock); + if (!rq) { /* This will most likely be followed by missing frames * or worse--a blank screen--leave a trail in the * logs, so this can be debugged easier. -- 2.49.0

3 weeks, 1 day

1
0
0 0

[PATCH 1/2] drm/sched: Use proper locks in drm_sched_job_arm()

by Philipp Stanner

drm_sched_job_arm() is just racing when dereferencing entity and runqueue. Add the proper spinlocks. Cc: stable(a)vger.kernel.org # v5.16+ Fixes: dbe48d030b28 ("drm/sched: Split drm_sched_job_init") Signed-off-by: Philipp Stanner <phasta(a)kernel.org> --- drivers/gpu/drm/scheduler/sched_main.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/scheduler/sched_main.c b/drivers/gpu/drm/scheduler/sched_main.c index c39f0245e3a9..7f938f491b6f 100644 --- a/drivers/gpu/drm/scheduler/sched_main.c +++ b/drivers/gpu/drm/scheduler/sched_main.c @@ -859,10 +859,16 @@ void drm_sched_job_arm(struct drm_sched_job *job) BUG_ON(!entity); drm_sched_entity_select_rq(entity); + + spin_lock(&entity->lock); + spin_lock(&entity->rq->lock); sched = entity->rq->sched; + spin_unlock(&entity->rq->lock); + + job->s_priority = entity->priority; + spin_unlock(&entity->lock); job->sched = sched; - job->s_priority = entity->priority; drm_sched_fence_init(job->s_fence, job->entity); } -- 2.49.0

3 weeks, 1 day

1
0
0 0

Re: [PATCH v2] HID: quirks: Add device descriptor for 4c4a:4155

by zhangheng

Hi Terry Junge， I have made the changes as per your suggestion. mic.txt is the microphone report descriptor and is working properly.

3 weeks, 1 day

4
6
0 0

[PATCH 1/4] ASoC: codecs: lpass-tx-macro: fix SM6115 support

by Srinivas Kandagatla

SM6115 is compatible with SM8450 and SM6115 does have soundwire controller in tx. For some reason we ended up with this incorrect patch. Fix this by removing it from the codec compatible list and let dt use sm8450 as compatible codec for sm6115 SoC. Fixes: 510c46884299 ("ASoC: codecs: lpass-tx-macro: Add SM6115 support") Cc: <Stable(a)vger.kernel.org> Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla(a)oss.qualcomm.com> --- sound/soc/codecs/lpass-tx-macro.c | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/sound/soc/codecs/lpass-tx-macro.c b/sound/soc/codecs/lpass-tx-macro.c index 1aefd3bde818..1f8fe87b310a 100644 --- a/sound/soc/codecs/lpass-tx-macro.c +++ b/sound/soc/codecs/lpass-tx-macro.c @@ -2472,15 +2472,6 @@ static const struct tx_macro_data lpass_ver_9_2 = { .extra_routes_num = ARRAY_SIZE(tx_audio_map_v9_2), }; -static const struct tx_macro_data lpass_ver_10_sm6115 = { - .flags = LPASS_MACRO_FLAG_HAS_NPL_CLOCK, - .ver = LPASS_VER_10_0_0, - .extra_widgets = tx_macro_dapm_widgets_v9_2, - .extra_widgets_num = ARRAY_SIZE(tx_macro_dapm_widgets_v9_2), - .extra_routes = tx_audio_map_v9_2, - .extra_routes_num = ARRAY_SIZE(tx_audio_map_v9_2), -}; - static const struct tx_macro_data lpass_ver_11 = { .flags = LPASS_MACRO_FLAG_RESET_SWR, .ver = LPASS_VER_11_0_0, @@ -2500,9 +2491,6 @@ static const struct of_device_id tx_macro_dt_match[] = { */ .compatible = "qcom,sc7280-lpass-tx-macro", .data = &lpass_ver_9, - }, { - .compatible = "qcom,sm6115-lpass-tx-macro", - .data = &lpass_ver_10_sm6115, }, { .compatible = "qcom,sm8250-lpass-tx-macro", .data = &lpass_ver_9, -- 2.51.0

3 weeks, 1 day

2
2
0 0

[PATCH net] virtio_net: fix alignment for virtio_net_hdr_v1_hash

by Jason Wang

From: "Michael S. Tsirkin" <mst(a)redhat.com> Changing alignment of header would mean it's no longer safe to cast a 2 byte aligned pointer between formats. Use two 16 bit fields to make it 2 byte aligned as previously. This fixes the performance regression since commit ("virtio_net: enable gso over UDP tunnel support.") as it uses virtio_net_hdr_v1_hash_tunnel which embeds virtio_net_hdr_v1_hash. Pktgen in guest + XDP_DROP on TAP + vhost_net shows the TX PPS is recovered from 2.4Mpps to 4.45Mpps. Fixes: 56a06bd40fab ("virtio_net: enable gso over UDP tunnel support.") Cc: stable(a)vger.kernel.org Signed-off-by: Michael S. Tsirkin <mst(a)redhat.com> Signed-off-by: Jason Wang <jasowang(a)redhat.com> --- drivers/net/virtio_net.c | 15 +++++++++++++-- include/uapi/linux/virtio_net.h | 3 ++- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c index a757cbcab87f..5e998d88db44 100644 --- a/drivers/net/virtio_net.c +++ b/drivers/net/virtio_net.c @@ -2534,6 +2534,13 @@ static struct sk_buff *receive_mergeable(struct net_device *dev, return NULL; } +static inline u32 +virtio_net_hash_value(const struct virtio_net_hdr_v1_hash *hdr_hash) +{ + return __le16_to_cpu(hdr_hash->hash_value_lo) | + (__le16_to_cpu(hdr_hash->hash_value_hi) << 16); +} + static void virtio_skb_set_hash(const struct virtio_net_hdr_v1_hash *hdr_hash, struct sk_buff *skb) { @@ -2560,7 +2567,7 @@ static void virtio_skb_set_hash(const struct virtio_net_hdr_v1_hash *hdr_hash, default: rss_hash_type = PKT_HASH_TYPE_NONE; } - skb_set_hash(skb, __le32_to_cpu(hdr_hash->hash_value), rss_hash_type); + skb_set_hash(skb, virtio_net_hash_value(hdr_hash), rss_hash_type); } static void virtnet_receive_done(struct virtnet_info *vi, struct receive_queue *rq, @@ -3306,6 +3313,10 @@ static int xmit_skb(struct send_queue *sq, struct sk_buff *skb, bool orphan) pr_debug("%s: xmit %p %pM\n", vi->dev->name, skb, dest); + /* Make sure it's safe to cast between formats */ + BUILD_BUG_ON(__alignof__(*hdr) != __alignof__(hdr->hash_hdr)); + BUILD_BUG_ON(__alignof__(*hdr) != __alignof__(hdr->hash_hdr.hdr)); + can_push = vi->any_header_sg && !((unsigned long)skb->data & (__alignof__(*hdr) - 1)) && !skb_header_cloned(skb) && skb_headroom(skb) >= hdr_len; @@ -6745,7 +6756,7 @@ static int virtnet_xdp_rx_hash(const struct xdp_md *_ctx, u32 *hash, hash_report = VIRTIO_NET_HASH_REPORT_NONE; *rss_type = virtnet_xdp_rss_type[hash_report]; - *hash = __le32_to_cpu(hdr_hash->hash_value); + *hash = virtio_net_hash_value(hdr_hash); return 0; } diff --git a/include/uapi/linux/virtio_net.h b/include/uapi/linux/virtio_net.h index 8bf27ab8bcb4..1db45b01532b 100644 --- a/include/uapi/linux/virtio_net.h +++ b/include/uapi/linux/virtio_net.h @@ -193,7 +193,8 @@ struct virtio_net_hdr_v1 { struct virtio_net_hdr_v1_hash { struct virtio_net_hdr_v1 hdr; - __le32 hash_value; + __le16 hash_value_lo; + __le16 hash_value_hi; #define VIRTIO_NET_HASH_REPORT_NONE 0 #define VIRTIO_NET_HASH_REPORT_IPv4 1 #define VIRTIO_NET_HASH_REPORT_TCPv4 2 -- 2.42.0

3 weeks, 1 day

4
5
0 0

[PATCH 5.10] smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path

by Andrey Troshin

From: Stefan Metzmacher <metze(a)samba.org> [ Upstream commit daac51c7032036a0ca5f1aa419ad1b0471d1c6e0 ] During tests of another unrelated patch I was able to trigger this error: Objects remaining on __kmem_cache_shutdown() Cc: Steve French <smfrench(a)gmail.com> Cc: Tom Talpey <tom(a)talpey.com> Cc: Long Li <longli(a)microsoft.com> Cc: Namjae Jeon <linkinjeon(a)kernel.org> Cc: linux-cifs(a)vger.kernel.org Cc: samba-technical(a)lists.samba.org Fixes: f198186aa9bb ("CIFS: SMBD: Establish SMB Direct connection") Signed-off-by: Stefan Metzmacher <metze(a)samba.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> [Andrey Troshin: backport fix from fs/cifs/smbdirect.c to fs/smb/client/smbdirect.c] Signed-off-by: Andrey Troshin <drtrosh(a)yandex-team.ru> --- Backport fix for CVE-2025-39929 Link: https://nvd.nist.gov/vuln/detail/CVE-2025-39929 --- fs/cifs/smbdirect.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fs/cifs/smbdirect.c b/fs/cifs/smbdirect.c index ae332f3771f6..e273f3b9efcb 100644 --- a/fs/cifs/smbdirect.c +++ b/fs/cifs/smbdirect.c @@ -1083,8 +1083,10 @@ static int smbd_negotiate(struct smbd_connection *info) log_rdma_event(INFO, "smbd_post_recv rc=%d iov.addr=%llx iov.length=%x iov.lkey=%x\n", rc, response->sge.addr, response->sge.length, response->sge.lkey); - if (rc) + if (rc) { + put_receive_buffer(info, response); return rc; + } init_completion(&info->negotiate_completion); info->negotiate_done = false; -- 2.34.1

3 weeks, 1 day

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror October 2025