- Linux-stable-mirror - lists.linaro.org

[PATCH v3] net/handshake: restore destructor on submit failure

by caoping

handshake_req_submit() replaces sk->sk_destruct but never restores it when submission fails before the request is hashed. handshake_sk_destruct() then returns early and the original destructor never runs, leaking the socket. Restore sk_destruct on the error path. Fixes: 3b3009ea8abb ("net/handshake: Create a NETLINK service for handling handshake requests") Reviewed-by: Chuck Lever <chuck.lever(a)oracle.com> Cc: stable(a)vger.kernel.org Signed-off-by: caoping <caoping(a)cmss.chinamobile.com> --- net/handshake/request.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/handshake/request.c b/net/handshake/request.c index 274d2c89b6b2..89435ed755cd 100644 --- a/net/handshake/request.c +++ b/net/handshake/request.c @@ -276,6 +276,8 @@ int handshake_req_submit(struct socket *sock, struct handshake_req *req, out_unlock: spin_unlock(&hn->hn_lock); out_err: + /* Restore original destructor so socket teardown still runs on failure */ + req->hr_sk->sk_destruct = req->hr_odestruct; trace_handshake_submit_err(net, req, req->hr_sk, ret); handshake_req_destroy(req); return ret; base-commit: 4a26e7032d7d57c998598c08a034872d6f0d3945 -- 2.47.3

4 days, 2 hours

3
2
0 0

[PATCH] drm/xe/bo: Don't include the CCS metadata in the dma-buf sg-table

by Thomas Hellström

Some Xe bos are allocated with extra backing-store for the CCS metadata. It's never been the intention to share the CCS metadata when exporting such bos as dma-buf. Don't include it in the dma-buf sg-table. Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") Cc: Rodrigo Vivi <rodrigo.vivi(a)intel.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> Cc: <stable(a)vger.kernel.org> # v6.8+ Signed-off-by: Thomas Hellström <thomas.hellstrom(a)linux.intel.com> --- drivers/gpu/drm/xe/xe_dma_buf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/xe/xe_dma_buf.c b/drivers/gpu/drm/xe/xe_dma_buf.c index 54e42960daad..7c74a31d4486 100644 --- a/drivers/gpu/drm/xe/xe_dma_buf.c +++ b/drivers/gpu/drm/xe/xe_dma_buf.c @@ -124,7 +124,7 @@ static struct sg_table *xe_dma_buf_map(struct dma_buf_attachment *attach, case XE_PL_TT: sgt = drm_prime_pages_to_sg(obj->dev, bo->ttm.ttm->pages, - bo->ttm.ttm->num_pages); + obj->size >> PAGE_SHIFT); if (IS_ERR(sgt)) return sgt; -- 2.51.1

4 days, 2 hours

3
2
0 0

[PATCH v2] media: cx25821: Add missing unmap in snd_cx25821_hw_params()

by Haoxiang Li

In error path, add cx25821_alsa_dma_unmap() to release the resource acquired by cx25821_alsa_dma_map() Fixes: 8d8e6d6005de ("[media] cx28521: drop videobuf abuse in cx25821-alsa") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <lihaoxiang(a)isrc.iscas.ac.cn> --- Changes in v2: - Fix the "Fixes" tag error. --- drivers/media/pci/cx25821/cx25821-alsa.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/media/pci/cx25821/cx25821-alsa.c b/drivers/media/pci/cx25821/cx25821-alsa.c index a42f0c03a7ca..f463365163b7 100644 --- a/drivers/media/pci/cx25821/cx25821-alsa.c +++ b/drivers/media/pci/cx25821/cx25821-alsa.c @@ -535,6 +535,7 @@ static int snd_cx25821_hw_params(struct snd_pcm_substream *substream, chip->period_size, chip->num_periods, 1); if (ret < 0) { pr_info("DEBUG: ERROR after cx25821_risc_databuffer_audio()\n"); + cx25821_alsa_dma_unmap(chip); goto error; } -- 2.25.1

4 days, 2 hours

1
0
0 0

[PATCH net 2/2] can: gs_usb: gs_can_open(): fix error handling

by Marc Kleine-Budde

Commit 2603be9e8167 ("can: gs_usb: gs_can_open(): improve error handling") added missing error handling to the gs_can_open() function. The driver uses 2 USB anchors to track the allocated URBs: the TX URBs in struct gs_can::tx_submitted for each netdev and the RX URBs in struct gs_usb::rx_submitted for the USB device. gs_can_open() allocates the RX URBs, while TX URBs are allocated during gs_can_start_xmit(). The cleanup in gs_can_open() kills all anchored dev->tx_submitted URBs (which is not necessary since the netdev is not yet registered), but misses the parent->rx_submitted URBs. Fix the problem by killing the rx_submitted instead of the tx_submitted. Fixes: 2603be9e8167 ("can: gs_usb: gs_can_open(): improve error handling") Cc: stable(a)vger.kernel.org Link: https://patch.msgid.link/20251210-gs_usb-fix-error-handling-v1-1-d6a5a03f10… Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> --- drivers/net/can/usb/gs_usb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c index e29e85b67fd4..a0233e550a5a 100644 --- a/drivers/net/can/usb/gs_usb.c +++ b/drivers/net/can/usb/gs_usb.c @@ -1074,7 +1074,7 @@ static int gs_can_open(struct net_device *netdev) usb_free_urb(urb); out_usb_kill_anchored_urbs: if (!parent->active_channels) { - usb_kill_anchored_urbs(&dev->tx_submitted); + usb_kill_anchored_urbs(&parent->rx_submitted); if (dev->feature & GS_CAN_FEATURE_HW_TIMESTAMP) gs_usb_timestamp_stop(parent); -- 2.51.0

4 days, 2 hours

1
0
0 0

[PATCH can] can: gs_usb: gs_can_open(): fix error handling

by Marc Kleine-Budde

Commit 2603be9e8167 ("can: gs_usb: gs_can_open(): improve error handling") added missing error handling to the gs_can_open() function. The driver uses 2 USB anchors to track the allocated URBs: the TX URBs in struct gs_can::tx_submitted for each netdev and the RX URBs in struct gs_usb::rx_submitted for the USB device. gs_can_open() allocates the RX URBs, while TX URBs are allocated during gs_can_start_xmit(). The cleanup in gs_can_open() kills all anchored dev->tx_submitted URBs (which is not necessary since the netdev is not yet registered), but misses the parent->rx_submitted URBs. Fix the problem by killing the rx_submitted instead of the tx_submitted. Fixes: 2603be9e8167 ("can: gs_usb: gs_can_open(): improve error handling") Cc: stable(a)vger.kernel.org Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> --- drivers/net/can/usb/gs_usb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c index e29e85b67fd4..a0233e550a5a 100644 --- a/drivers/net/can/usb/gs_usb.c +++ b/drivers/net/can/usb/gs_usb.c @@ -1074,7 +1074,7 @@ static int gs_can_open(struct net_device *netdev) usb_free_urb(urb); out_usb_kill_anchored_urbs: if (!parent->active_channels) { - usb_kill_anchored_urbs(&dev->tx_submitted); + usb_kill_anchored_urbs(&parent->rx_submitted); if (dev->feature & GS_CAN_FEATURE_HW_TIMESTAMP) gs_usb_timestamp_stop(parent); --- base-commit: 186468c67fc687650b7fb713d8c627d5c8566886 change-id: 20251210-gs_usb-fix-error-handling-4f980294424c Best regards, -- Marc Kleine-Budde <mkl(a)pengutronix.de>

4 days, 2 hours

1
0
0 0

[PATCH v2] net: nfc: nci: Fix parameter validation for packet data

by Michael Thalmeier

Since commit 9c328f54741b ("net: nfc: nci: Add parameter validation for packet data") communication with nci nfc chips is not working any more. The mentioned commit tries to fix access of uninitialized data, but failed to understand that in some cases the data packet is of variable length and can therefore not be compared to the maximum packet length given by the sizeof(struct). For these cases it is only possible to check for minimum packet length. Fixes: 9c328f54741b ("net: nfc: nci: Add parameter validation for packet data") Cc: stable(a)vger.kernel.org Signed-off-by: Michael Thalmeier <michael.thalmeier(a)hale.at> --- Changes in v2: - Reference correct commit hash --- net/nfc/nci/ntf.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c index 418b84e2b260..5161e94f067f 100644 --- a/net/nfc/nci/ntf.c +++ b/net/nfc/nci/ntf.c @@ -58,7 +58,8 @@ static int nci_core_conn_credits_ntf_packet(struct nci_dev *ndev, struct nci_conn_info *conn_info; int i; - if (skb->len < sizeof(struct nci_core_conn_credit_ntf)) + /* Minimal packet size for num_entries=1 is 1 x __u8 + 1 x conn_credit_entry */ + if (skb->len < (sizeof(__u8) + sizeof(struct conn_credit_entry))) return -EINVAL; ntf = (struct nci_core_conn_credit_ntf *)skb->data; @@ -364,7 +365,8 @@ static int nci_rf_discover_ntf_packet(struct nci_dev *ndev, const __u8 *data; bool add_target = true; - if (skb->len < sizeof(struct nci_rf_discover_ntf)) + /* Minimal packet size is 5 if rf_tech_specific_params_len=0 */ + if (skb->len < (5 * sizeof(__u8))) return -EINVAL; data = skb->data; @@ -596,7 +598,10 @@ static int nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev, const __u8 *data; int err = NCI_STATUS_OK; - if (skb->len < sizeof(struct nci_rf_intf_activated_ntf)) + /* Minimal packet size is 11 if + * f_tech_specific_params_len=0 and activation_params_len=0 + */ + if (skb->len < (11 * sizeof(__u8))) return -EINVAL; data = skb->data; -- 2.52.0

4 days, 3 hours

1
0
0 0

[PATCH] net: nfc: nci: Fix parameter validation for packet data

by Michael Thalmeier

Since commit 8fcc7315a10a ("net: nfc: nci: Add parameter validation for packet data") communication with nci nfc chips is not working any more. The mentioned commit tries to fix access of uninitialized data, but failed to understand that in some cases the data packet is of variable length and can therefore not be compared to the maximum packet length given by the sizeof(struct). For these cases it is only possible to check for minimum packet length. Fixes: 8fcc7315a10a ("net: nfc: nci: Add parameter validation for packet data") Cc: stable(a)vger.kernel.org Signed-off-by: Michael Thalmeier <michael.thalmeier(a)hale.at> --- net/nfc/nci/ntf.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c index 418b84e2b260..5161e94f067f 100644 --- a/net/nfc/nci/ntf.c +++ b/net/nfc/nci/ntf.c @@ -58,7 +58,8 @@ static int nci_core_conn_credits_ntf_packet(struct nci_dev *ndev, struct nci_conn_info *conn_info; int i; - if (skb->len < sizeof(struct nci_core_conn_credit_ntf)) + /* Minimal packet size for num_entries=1 is 1 x __u8 + 1 x conn_credit_entry */ + if (skb->len < (sizeof(__u8) + sizeof(struct conn_credit_entry))) return -EINVAL; ntf = (struct nci_core_conn_credit_ntf *)skb->data; @@ -364,7 +365,8 @@ static int nci_rf_discover_ntf_packet(struct nci_dev *ndev, const __u8 *data; bool add_target = true; - if (skb->len < sizeof(struct nci_rf_discover_ntf)) + /* Minimal packet size is 5 if rf_tech_specific_params_len=0 */ + if (skb->len < (5 * sizeof(__u8))) return -EINVAL; data = skb->data; @@ -596,7 +598,10 @@ static int nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev, const __u8 *data; int err = NCI_STATUS_OK; - if (skb->len < sizeof(struct nci_rf_intf_activated_ntf)) + /* Minimal packet size is 11 if + * f_tech_specific_params_len=0 and activation_params_len=0 + */ + if (skb->len < (11 * sizeof(__u8))) return -EINVAL; data = skb->data; -- 2.52.0

4 days, 3 hours

2
2
0 0

Re: Patch "dma-mapping: Allow use of DMA_BIT_MASK(64) in global scope" has been added to the 6.17-stable tree

by Nathan Chancellor

On Sun, Dec 07, 2025 at 10:07:49PM -0500, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > dma-mapping: Allow use of DMA_BIT_MASK(64) in global scope > > to the 6.17-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > dma-mapping-allow-use-of-dma_bit_mask-64-in-global-s.patch > and it can be found in the queue-6.17 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. > > > > commit 51a1912d46ceb70602de50c167e440966b9836f1 > Author: James Clark <james.clark(a)linaro.org> > Date: Thu Oct 30 14:05:27 2025 +0000 > > dma-mapping: Allow use of DMA_BIT_MASK(64) in global scope > > [ Upstream commit a50f7456f853ec3a6f07cbe1d16ad8a8b2501320 ] This change has a pending bug fix, consider waiting to apply this to the stable trees. https://lore.kernel.org/20251207184756.97904-1-johannes.goede@oss.qualcomm.… Cheers, Nathan

4 days, 4 hours

2
1
0 0

[PATCH AUTOSEL 6.18-5.10] serial: sprd: Return -EPROBE_DEFER when uart clock is not ready

by Sasha Levin

From: Wenhua Lin <Wenhua.Lin(a)unisoc.com> [ Upstream commit 29e8a0c587e328ed458380a45d6028adf64d7487 ] In sprd_clk_init(), when devm_clk_get() returns -EPROBE_DEFER for either uart or source clock, we should propagate the error instead of just warning and continuing with NULL clocks. Currently the driver only emits a warning when clock acquisition fails and proceeds with NULL clock pointers. This can lead to issues later when the clocks are actually needed. More importantly, when the clock provider is not ready yet and returns -EPROBE_DEFER, we should return this error to allow deferred probing. This change adds explicit checks for -EPROBE_DEFER after both: 1. devm_clk_get(uport->dev, uart) 2. devm_clk_get(uport->dev, source) When -EPROBE_DEFER is encountered, the function now returns -EPROBE_DEFER to let the driver framework retry probing later when the clock dependencies are resolved. Signed-off-by: Wenhua Lin <Wenhua.Lin(a)unisoc.com> Link: https://patch.msgid.link/20251022030840.956589-1-Wenhua.Lin@unisoc.com Reviewed-by: Cixi Geng <cixi.geng(a)linux.dev> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: ## Commit Analysis: serial: sprd: Return -EPROBE_DEFER when uart clock is not ready ### 1. COMMIT MESSAGE ANALYSIS **Subject**: Fixes incorrect handling of `-EPROBE_DEFER` error from `devm_clk_get()` **Key observations**: - No `Cc: stable(a)vger.kernel.org` tag present - No `Fixes:` tag pointing to when the bug was introduced - Has `Reviewed-by:` from Cixi Geng - Accepted by Greg Kroah-Hartman (serial subsystem maintainer) ### 2. CODE CHANGE ANALYSIS The change adds two checks in `sprd_clk_init()`: ```c clk_uart = devm_clk_get(uport->dev, "uart"); if (IS_ERR(clk_uart)) { + if (PTR_ERR(clk_uart) == -EPROBE_DEFER) + return -EPROBE_DEFER; dev_warn(...); clk_uart = NULL; } clk_parent = devm_clk_get(uport->dev, "source"); if (IS_ERR(clk_parent)) { + if (PTR_ERR(clk_parent) == -EPROBE_DEFER) + return -EPROBE_DEFER; dev_warn(...); clk_parent = NULL; } ``` **Technical bug mechanism**: When clock providers aren't ready yet, `devm_clk_get()` returns `-EPROBE_DEFER`. The existing code ignores this error, sets the clock pointer to NULL, and continues. This bypasses the kernel's deferred probing mechanism which exists precisely to handle this dependency ordering scenario. **Existing pattern**: The function already has identical handling for the "enable" clock (visible in the context lines). This fix makes the handling consistent for all three clocks. ### 3. CLASSIFICATION **Type**: Bug fix (not a feature addition) This fixes incorrect error handling. The `-EPROBE_DEFER` mechanism is a fundamental kernel feature for handling driver load order dependencies. Not propagating this error is a bug. ### 4. SCOPE AND RISK ASSESSMENT - **Lines changed**: 6 lines added (two 3-line checks) - **Files touched**: 1 file (`drivers/tty/serial/sprd_serial.c`) - **Complexity**: Very low - follows identical pattern already in the same function - **Subsystem**: Hardware-specific serial driver for Spreadtrum/Unisoc UARTs **Risk**: Very low - Pattern is already established and proven in the same function - Only affects error handling during probe - No changes to normal operation when clocks are available - Worst case: probe failure happens earlier/more explicitly ### 5. USER IMPACT **Affected users**: Users of Spreadtrum/Unisoc UART hardware (embedded devices, some Android phones) **Severity**: Medium-High for affected users - without this fix, the serial port may not work correctly on systems where clock providers load after the serial driver. This is common in embedded systems with device tree-based configurations. **Real bug**: This is a practical issue in probe ordering scenarios. The driver would proceed with NULL clocks instead of waiting for dependencies to be ready. ### 6. STABILITY INDICATORS - Reviewed-by tag indicates code review - Maintainer accepted the change - Simple, straightforward change following existing code patterns - No complex logic introduced ### 7. DEPENDENCY CHECK - **Dependencies**: None - self-contained fix - **Code existence in stable**: The sprd_serial driver has existed since ~2015 (commit 3e1f2029a4b40), so it's present in all active stable trees ### SUMMARY **What it fixes**: Incorrect handling of `-EPROBE_DEFER` from `devm_clk_get()` for two clocks ("uart" and "source"), causing the driver to proceed with NULL clocks instead of deferring probe when clock providers aren't ready. **Stable kernel criteria**: - ✅ Obviously correct (follows identical pattern already in function) - ✅ Fixes a real bug (broken deferred probing) - ✅ Small and contained (6 lines, 1 file) - ✅ No new features - ✅ Low risk of regression **Concerns**: - No explicit `Cc: stable` tag (author/maintainer didn't flag for stable) - Relatively niche driver (Spreadtrum hardware) **Risk vs Benefit**: The fix is minimal risk (identical pattern to existing code) and addresses a real bug that could leave serial hardware non-functional on embedded systems. The benefit outweighs the minimal risk. The lack of `Cc: stable` tag is notable but not determinative - this is a straightforward bug fix that meets all stable criteria. The fix is small, obviously correct, and addresses a real probe ordering issue that embedded system users could encounter. **YES** drivers/tty/serial/sprd_serial.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/tty/serial/sprd_serial.c b/drivers/tty/serial/sprd_serial.c index 8c9366321f8e7..092755f356836 100644 --- a/drivers/tty/serial/sprd_serial.c +++ b/drivers/tty/serial/sprd_serial.c @@ -1133,6 +1133,9 @@ static int sprd_clk_init(struct uart_port *uport) clk_uart = devm_clk_get(uport->dev, "uart"); if (IS_ERR(clk_uart)) { + if (PTR_ERR(clk_uart) == -EPROBE_DEFER) + return -EPROBE_DEFER; + dev_warn(uport->dev, "uart%d can't get uart clock\n", uport->line); clk_uart = NULL; @@ -1140,6 +1143,9 @@ static int sprd_clk_init(struct uart_port *uport) clk_parent = devm_clk_get(uport->dev, "source"); if (IS_ERR(clk_parent)) { + if (PTR_ERR(clk_parent) == -EPROBE_DEFER) + return -EPROBE_DEFER; + dev_warn(uport->dev, "uart%d can't get source clock\n", uport->line); clk_parent = NULL; -- 2.51.0

4 days, 4 hours

1
7
0 0

[PATCH v2] media: dw2102: validate I2C messages in su3000_i2c_transfer()

by Dharanitharan R

syzbot reports a general protection fault caused by su3000_i2c_transfer() dereferencing msg->buf without validating the message length or buffer pointer. Although i2c-dev blocks zero-length messages, malformed I²C messages can still reach the driver through the DVB USB subsystem. Add strict validation of each message to prevent NULL-pointer dereferences. Reported-by: syzbot+d99f3a288cc7d8ef60fb(a)syzkaller.appspotmail.com Fixes: 0e148a522b84 ("media: dw2102: Don't translate i2c read into write") Closes: https://syzkaller.appspot.com/bug?extid=d99f3a288cc7d8ef60fb Cc: stable(a)vger.kernel.org Signed-off-by: Dharanitharan R <dharanitharan725(a)gmail.com> --- drivers/media/usb/dvb-usb/dw2102.c | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/drivers/media/usb/dvb-usb/dw2102.c b/drivers/media/usb/dvb-usb/dw2102.c index 4fecf2f965e9..0dd210ea16f3 100644 --- a/drivers/media/usb/dvb-usb/dw2102.c +++ b/drivers/media/usb/dvb-usb/dw2102.c @@ -733,6 +733,36 @@ static int su3000_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[], return -EAGAIN; } + /* Validate incoming I²C messages */ + if (!msg || num <= 0) { + mutex_unlock(&d->data_mutex); + mutex_unlock(&d->i2c_mutex); + return -EINVAL; + } + + for (j = 0; j < num; j++) { + /* msg buffer must exist */ + if (!msg[j].buf) { + mutex_unlock(&d->data_mutex); + mutex_unlock(&d->i2c_mutex); + return -EINVAL; + } + + /* zero or negative length is invalid */ + if (msg[j].len <= 0) { + mutex_unlock(&d->data_mutex); + mutex_unlock(&d->i2c_mutex); + return -EINVAL; + } + + /* protect against unreasonable sizes */ + if (msg[j].len > 256) { + mutex_unlock(&d->data_mutex); + mutex_unlock(&d->i2c_mutex); + return -EOPNOTSUPP; + } + } + j = 0; while (j < num) { switch (msg[j].addr) { -- 2.43.0

4 days, 5 hours

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror