Linux-stable-mirror

linux-stable-mirror@lists.linaro.org

324 participants
124228 discussions

[PATCH v4 1/3] mm/kasan: Fix incorrect unpoisoning in vrealloc for KASAN

by Maciej Wieczor-Retman

From: Jiayuan Chen <jiayuan.chen(a)linux.dev> Syzkaller reported a memory out-of-bounds bug [1]. This patch fixes two issues: 1. In vrealloc the KASAN_VMALLOC_VM_ALLOC flag is missing when unpoisoning the extended region. This flag is required to correctly associate the allocation with KASAN's vmalloc tracking. Note: In contrast, vzalloc (via __vmalloc_node_range_noprof) explicitly sets KASAN_VMALLOC_VM_ALLOC and calls kasan_unpoison_vmalloc() with it. vrealloc must behave consistently — especially when reusing existing vmalloc regions — to ensure KASAN can track allocations correctly. 2. When vrealloc reuses an existing vmalloc region (without allocating new pages) KASAN generates a new tag, which breaks tag-based memory access tracking. Introduce KASAN_VMALLOC_KEEP_TAG, a new KASAN flag that allows reusing the tag already attached to the pointer, ensuring consistent tag behavior during reallocation. Pass KASAN_VMALLOC_KEEP_TAG and KASAN_VMALLOC_VM_ALLOC to the kasan_unpoison_vmalloc inside vrealloc_node_align_noprof(). [1]: https://syzkaller.appspot.com/bug?extid=997752115a851cb0cf36 Fixes: a0309faf1cb0 ("mm: vmalloc: support more granular vrealloc() sizing") Cc: <stable(a)vger.kernel.org> Reported-by: syzbot+997752115a851cb0cf36(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/68e243a2.050a0220.1696c6.007d.GAE@google.com/T/ Signed-off-by: Jiayuan Chen <jiayuan.chen(a)linux.dev> Co-developed-by: Maciej Wieczor-Retman <maciej.wieczor-retman(a)intel.com> Signed-off-by: Maciej Wieczor-Retman <maciej.wieczor-retman(a)intel.com> Reviewed-by: Andrey Konovalov <andreyknvl(a)gmail.com> --- include/linux/kasan.h | 1 + mm/kasan/hw_tags.c | 2 +- mm/kasan/shadow.c | 4 +++- mm/vmalloc.c | 4 +++- 4 files changed, 8 insertions(+), 3 deletions(-) diff --git a/include/linux/kasan.h b/include/linux/kasan.h index d12e1a5f5a9a..6d7972bb390c 100644 --- a/include/linux/kasan.h +++ b/include/linux/kasan.h @@ -28,6 +28,7 @@ typedef unsigned int __bitwise kasan_vmalloc_flags_t; #define KASAN_VMALLOC_INIT ((__force kasan_vmalloc_flags_t)0x01u) #define KASAN_VMALLOC_VM_ALLOC ((__force kasan_vmalloc_flags_t)0x02u) #define KASAN_VMALLOC_PROT_NORMAL ((__force kasan_vmalloc_flags_t)0x04u) +#define KASAN_VMALLOC_KEEP_TAG ((__force kasan_vmalloc_flags_t)0x08u) #define KASAN_VMALLOC_PAGE_RANGE 0x1 /* Apply exsiting page range */ #define KASAN_VMALLOC_TLB_FLUSH 0x2 /* TLB flush */ diff --git a/mm/kasan/hw_tags.c b/mm/kasan/hw_tags.c index 1c373cc4b3fa..cbef5e450954 100644 --- a/mm/kasan/hw_tags.c +++ b/mm/kasan/hw_tags.c @@ -361,7 +361,7 @@ void *__kasan_unpoison_vmalloc(const void *start, unsigned long size, return (void *)start; } - tag = kasan_random_tag(); + tag = (flags & KASAN_VMALLOC_KEEP_TAG) ? get_tag(start) : kasan_random_tag(); start = set_tag(start, tag); /* Unpoison and initialize memory up to size. */ diff --git a/mm/kasan/shadow.c b/mm/kasan/shadow.c index 5d2a876035d6..5e47ae7fdd59 100644 --- a/mm/kasan/shadow.c +++ b/mm/kasan/shadow.c @@ -648,7 +648,9 @@ void *__kasan_unpoison_vmalloc(const void *start, unsigned long size, !(flags & KASAN_VMALLOC_PROT_NORMAL)) return (void *)start; - start = set_tag(start, kasan_random_tag()); + if (unlikely(!(flags & KASAN_VMALLOC_KEEP_TAG))) + start = set_tag(start, kasan_random_tag()); + kasan_unpoison(start, size, false); return (void *)start; } diff --git a/mm/vmalloc.c b/mm/vmalloc.c index 798b2ed21e46..22a73a087135 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c @@ -4176,7 +4176,9 @@ void *vrealloc_node_align_noprof(const void *p, size_t size, unsigned long align */ if (size <= alloced_size) { kasan_unpoison_vmalloc(p + old_size, size - old_size, - KASAN_VMALLOC_PROT_NORMAL); + KASAN_VMALLOC_PROT_NORMAL | + KASAN_VMALLOC_VM_ALLOC | + KASAN_VMALLOC_KEEP_TAG); /* * No need to zero memory here, as unused memory will have * already been zeroed at initial allocation time or during -- 2.52.0

1 month, 1 week

[PATCH] ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi()

by Denis Arefev

The acpi_get_first_physical_node() function can return NULL, in which case the get_device() function also returns NULL, but this value is then dereferenced without checking,so add a check to prevent a crash. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 7b2f3eb492da ("ALSA: hda: cs35l41: Add support for CS35L41 in HDA systems") Cc: stable(a)vger.kernel.org Signed-off-by: Denis Arefev <arefev(a)swemel.ru> --- sound/hda/codecs/side-codecs/cs35l41_hda.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sound/hda/codecs/side-codecs/cs35l41_hda.c b/sound/hda/codecs/side-codecs/cs35l41_hda.c index c0f2a3ff77a1..21e00055c0c4 100644 --- a/sound/hda/codecs/side-codecs/cs35l41_hda.c +++ b/sound/hda/codecs/side-codecs/cs35l41_hda.c @@ -1901,6 +1901,8 @@ static int cs35l41_hda_read_acpi(struct cs35l41_hda *cs35l41, const char *hid, i cs35l41->dacpi = adev; physdev = get_device(acpi_get_first_physical_node(adev)); + if (!physdev) + return -ENODEV; sub = acpi_get_subsystem_id(ACPI_HANDLE(physdev)); if (IS_ERR(sub)) -- 2.43.0

1 month, 1 week

[PATCH v3 3/3] kasan: Unpoison vms[area] addresses with a common tag

by Maciej Wieczor-Retman

1 month, 1 week

[PATCH 6.12 000/132] 6.12.61-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.61 release. There are 132 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 05 Dec 2025 15:23:16 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.61-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.61-rc1 Thomas Weißschuh <linux(a)weissschuh.net> spi: spi-nxp-fspi: Check return value of devm_mutex_init() Imre Deak <imre.deak(a)intel.com> drm/i915/dp: Initialize the source OUI write timestamp always Punit Agrawal <punit.agrawal(a)oss.qualcomm.com> Revert "ACPI: Suppress misleading SPCR console message when SPCR table is absent" Sarika Sharma <quic_sarishar(a)quicinc.com> wifi: ath12k: correctly handle mcast packets for clients Bastien Curutchet (Schneider Electric) <bastien.curutchet(a)bootlin.com> net: dsa: microchip: Free previously initialized ports on init failures Tristram Ha <tristram.ha(a)microchip.com> net: dsa: microchip: Do not execute PTP driver code for unsupported switches Thomas Zimmermann <tzimmermann(a)suse.de> drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup Bastien Curutchet (Schneider Electric) <bastien.curutchet(a)bootlin.com> net: dsa: microchip: Fix symetry in ksz_ptp_msg_irq_{setup/free}() Yosry Ahmed <yosry.ahmed(a)linux.dev> KVM: SVM: Fix redundant updates of LBR MSR intercepts Yosry Ahmed <yosry.ahmed(a)linux.dev> KVM: nSVM: Fix and simplify LBR virtualization handling with nested Yosry Ahmed <yosry.ahmed(a)linux.dev> KVM: nSVM: Always recalculate LBR MSR intercepts in svm_update_lbrv() Yosry Ahmed <yosry.ahmed(a)linux.dev> KVM: SVM: Introduce svm_recalc_lbr_msr_intercepts() Wei Yang <richard.weiyang(a)gmail.com> mm/huge_memory: fix NULL pointer deference when splitting folio Jimmy Hu <hhhuuu(a)google.com> usb: gadget: udc: fix use-after-free in usb_gadget_state_work Kuen-Han Tsai <khtsai(a)google.com> usb: udc: Add trace event for usb_gadget_set_state Biju Das <biju.das.jz(a)bp.renesas.com> can: rcar_canfd: Fix CAN-FD mode as default Jameson Thies <jthies(a)google.com> usb: typec: ucsi: psy: Set max current to zero when disconnected NeilBrown <neil(a)brown.name> nfsd: Replace clamp_t in nfsd4_get_drc_mem() Philipp Hortmann <philipp.g.hortmann(a)gmail.com> staging: rtl8712: Remove driver using deprecated API wext ziming zhang <ezrakiez(a)gmail.com> libceph: replace BUG_ON with bounds check for map->max_osd ziming zhang <ezrakiez(a)gmail.com> libceph: prevent potential out-of-bounds writes in handle_auth_session_key() Ilya Dryomov <idryomov(a)gmail.com> libceph: fix potential use-after-free in have_mon_and_osd_map() Bastien Curutchet (Schneider Electric) <bastien.curutchet(a)bootlin.com> net: dsa: microchip: Don't free uninitialized ksz_irq Bastien Curutchet (Schneider Electric) <bastien.curutchet(a)bootlin.com> net: dsa: microchip: ptp: Fix checks on irq_find_mapping() Bastien Curutchet (Schneider Electric) <bastien.curutchet(a)bootlin.com> net: dsa: microchip: common: Fix checks on irq_find_mapping() Mario Limonciello (AMD) <superm1(a)kernel.org> drm/amd/display: Don't change brightness for disabled connectors Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check NULL before accessing Michael Chen <michael.chen(a)amd.com> drm/amd/amdgpu: reserve vm invalidation engine for uni_mes Prike Liang <Prike.Liang(a)amd.com> drm/amdgpu: attach tlb fence to the PTs update Johan Hovold <johan(a)kernel.org> drm: sti: fix device leaks at component probe Vanillan Wang <vanillanwang(a)163.com> USB: serial: option: add support for Rolling RW101R-GL Oleksandr Suvorov <cryosay(a)gmail.com> USB: serial: ftdi_sio: add support for u-blox EVK-M101 Łukasz Bartosik <ukaszb(a)chromium.org> xhci: dbgtty: fix device unregister Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: dbgtty: Fix data corruption when transmitting data form DbC to host Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: fix stale flag preventig URBs after link state error is cleared Manish Nagar <manish.nagar(a)oss.qualcomm.com> usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths Heikki Krogerus <heikki.krogerus(a)linux.intel.com> usb: dwc3: pci: Sort out the Intel device IDs Heikki Krogerus <heikki.krogerus(a)linux.intel.com> usb: dwc3: pci: add support for the Intel Nova Lake -S Owen Gu <guhuinan(a)xiaomi.com> usb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer Tianchu Chen <flynnnchen(a)tencent.com> usb: storage: sddr55: Reject out-of-bound new_pba Alan Stern <stern(a)rowland.harvard.edu> USB: storage: Remove subclass and protocol overrides from Novatek quirk Desnes Nunes <desnesn(a)redhat.com> usb: storage: Fix memory leak in USB bulk transport Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> usb: renesas_usbhs: Fix synchronous external abort on unbind Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: f_eem: Fix memory leak in eem_unwrap Miaoqian Lin <linmq006(a)gmail.com> usb: cdns3: Fix double resource release in cdns3_pci_probe Johan Hovold <johan(a)kernel.org> most: usb: fix double free on late probe failure Miaoqian Lin <linmq006(a)gmail.com> serial: amba-pl011: prefer dma_mapping_error() over explicit address checking Kuniyuki Iwashima <kuniyu(a)google.com> mptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose(). Paolo Abeni <pabeni(a)redhat.com> mptcp: clear scheduled subflows on retransmit Jisheng Zhang <jszhang(a)kernel.org> mmc: sdhci-of-dwcmshc: Promote the th1520 reset handling to ip level Deepanshu Kartikey <kartikey406(a)gmail.com> mm/memfd: fix information leak in hugetlb folios Khairul Anuar Romli <khairul.anuar.romli(a)altera.com> firmware: stratix10-svc: fix bug in saving controller data Wentao Guan <guanwentao(a)uniontech.com> nvmem: layouts: fix nvmem_layout_bus_uevent Miaoqian Lin <linmq006(a)gmail.com> slimbus: ngd: Fix reference count leak in qcom_slim_ngd_notify_slaves Alan Borzeszkowski <alan.borzeszkowski(a)linux.intel.com> thunderbolt: Add support for Intel Wildcat Lake Paulo Alcantara <pc(a)manguebit.org> smb: client: fix memory leak in cifs_construct_tcon() Jamie Iles <jamie.iles(a)oss.qualcomm.com> drivers/usb/dwc3: fix PCI parent check Mikulas Patocka <mpatocka(a)redhat.com> dm-verity: fix unreliable memory allocation Viacheslav Dubeyko <Slava.Dubeyko(a)ibm.com> ceph: fix crash in process_v2_sparse_read() for encrypted directories Marc Kleine-Budde <mkl(a)pengutronix.de> can: sun4i_can: sun4i_can_interrupt(): fix max irq loop handling Thomas Mühlbacher <tmuehlbacher(a)posteo.net> can: sja1000: fix max irq loop handling Douglas Anderson <dianders(a)chromium.org> Bluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref Gui-Dong Han <hanguidong02(a)gmail.com> atm/fore200e: Fix possible data race in fore200e_open() Maarten Zanders <maarten(a)zanders.be> ARM: dts: nxp: imx6ul: correct SAI3 interrupt line Xu Yang <xu.yang_2(a)nxp.com> arm64: dts: imx8qm-mek: fix mux-controller select/enable-gpios polarity Frank Li <Frank.Li(a)nxp.com> arm64: dts: imx8dxl-ss-conn: swap interrupts number of eqos Ivan Zhaldak <i.v.zhaldak(a)gmail.com> ALSA: usb-audio: Add DSD quirk for LEAK Stereo 230 Deepanshu Kartikey <kartikey406(a)gmail.com> tracing: Fix WARN_ON in tracing_buffers_mmap_close for split VMAs Thomas Bogendoerfer <tsbogend(a)alpha.franken.de> MIPS: mm: kmalloc tlb_vpn array to avoid stack overflow Maciej W. Rozycki <macro(a)orcam.me.uk> MIPS: mm: Prevent a TLB shutdown on initial uniquification ChiYuan Huang <cy_huang(a)richtek.com> iio: adc: rtq6056: Correct the sign bit index David Lechner <dlechner(a)baylibre.com> iio: adc: ad7280a: fix ad7280_store_balance_timer() Valek Andrej <andrej.v(a)skyrain.eu> iio: accel: fix ADXL355 startup race condition Linus Walleij <linus.walleij(a)linaro.org> iio: accel: bmc150: Fix irq assumption regression Olivier Moysan <olivier.moysan(a)foss.st.com> iio: adc: stm32-dfsdm: fix st,adc-alt-channel property handling Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> iio:common:ssp_sensors: Fix an error handling path ssp_probe() Francesco Lavra <flavra(a)baylibre.com> iio: imu: st_lsm6dsx: fix array size for st_lsm6dsx_settings fields Dimitri Fedrau <dimitri.fedrau(a)liebherr.com> iio: humditiy: hdc3020: fix units for thresholds and hysteresis Dimitri Fedrau <dimitri.fedrau(a)liebherr.com> iio: humditiy: hdc3020: fix units for temperature and humidity measurement Nuno Sá <nuno.sa(a)analog.com> iio: buffer: support getting dma channel from the buffer Nuno Sá <nuno.sa(a)analog.com> iio: buffer-dmaengine: enable .get_dma_dev() Nuno Sá <nuno.sa(a)analog.com> iio: buffer-dma: support getting the DMA channel Jiri Olsa <jolsa(a)kernel.org> Revert "perf/x86: Always store regs->ip in perf_callchain_kernel()" Alex Deucher <alexander.deucher(a)amd.com> Revert "drm/amd/display: Move setup_stream_attribute" Hang Zhou <929513338(a)qq.com> spi: bcm63xx: fix premature CS deassertion on RX-only transactions Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> spi: nxp-fspi: Propagate fwnode in ACPI case as well Haibo Chen <haibo.chen(a)nxp.com> spi: spi-nxp-fspi: Add OCT-DTR mode support Haibo Chen <haibo.chen(a)nxp.com> spi: spi-nxp-fspi: remove the goto in probe Miquel Raynal <miquel.raynal(a)bootlin.com> spi: nxp-fspi: Support per spi-mem operation frequency switches Miquel Raynal <miquel.raynal(a)bootlin.com> spi: spi-mem: Add a new controller capability Miquel Raynal <miquel.raynal(a)bootlin.com> spi: spi-mem: Extend spi-mem operations with a per-operation maximum frequency Tudor Ambarus <tudor.ambarus(a)linaro.org> spi: spi-mem: Allow specifying the byte order in Octal DTR mode Haotian Zhang <vulab(a)iscas.ac.cn> spi: amlogic-spifc-a1: Handle devm_pm_runtime_enable() errors Francesco Lavra <flavra(a)baylibre.com> spi: tegra114: remove Kconfig dependency on TEGRA20_APB_DMA Andrei Vagin <avagin(a)google.com> fs/namespace: fix reference leak in grab_requested_mnt_ns Jamie Iles <jamie.iles(a)oss.qualcomm.com> mailbox: pcc: don't zero error register Sudeep Holla <sudeep.holla(a)arm.com> mailbox: pcc: Refactor error handling in irq handler into separate function Jason-JH Lin <jason-jh.lin(a)mediatek.com> mailbox: mtk-cmdq: Refine DMA address handling for the command buffer Haotian Zhang <vulab(a)iscas.ac.cn> mailbox: mailbox-test: Fix debugfs_create_dir error checking Haotian Zhang <vulab(a)iscas.ac.cn> usb: gadget: renesas_usbf: Handle devm_pm_runtime_enable() errors Mario Tesi <martepisa(a)gmail.com> iio: st_lsm6dsx: Fixed calibrated timestamp calculation Wei Fang <wei.fang(a)nxp.com> net: fec: do not register PPS event for PEROUT Wei Fang <wei.fang(a)nxp.com> net: fec: do not allow enabling PPS and PEROUT simultaneously Wei Fang <wei.fang(a)nxp.com> net: fec: do not update PEROUT if it is enabled Wei Fang <wei.fang(a)nxp.com> net: fec: cancel perout_timer when PEROUT is disabled Jiefeng Zhang <jiefeng.z.zhang(a)gmail.com> net: atlantic: fix fragment overflow handling in RX path Mohsin Bashir <mohsin.bashr(a)gmail.com> eth: fbnic: Fix counter roll-over issue Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: sja1105: fix SGMII linking at 10M or 100M but not passing traffic Russell King (Oracle) <rmk+kernel(a)armlinux.org.uk> net: dsa: sja1105: simplify static configuration reload Slark Xiao <slark_xiao(a)163.com> net: wwan: mhi: Keep modem name match with Foxconn T99W640 Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: fix cyan_skillfish2 gpu info fw handling Alexey Kodanev <aleksei.kodanev(a)bell-sw.com> net: sxgbe: fix potential NULL dereference in sxgbe_rx() Nikola Z. Ivanov <zlatistiv(a)gmail.com> team: Move team device type change at the end of team_port_add Danielle Costantino <dcostantino(a)meta.com> net/mlx5e: Fix validation logic in rate limiting Harish Chegondi <harish.chegondi(a)intel.com> drm/xe: Fix conversion from clock ticks to milliseconds Horatiu Vultur <horatiu.vultur(a)microchip.com> net: lan966x: Fix the initialization of taprio Kai-Heng Feng <kaihengf(a)nvidia.com> net: aquantia: Add missing descriptor cache invalidation on ATL2 Dan Carpenter <dan.carpenter(a)linaro.org> platform/x86: intel: punit_ipc: fix memory corruption Daniel Golle <daniel(a)makrotopia.org> net: phy: mxl-gpy: fix bogus error on USXGMII and integrated PHY Jesper Dangaard Brouer <hawk(a)kernel.org> veth: reduce XDP no_direct return section to fix race Jesper Dangaard Brouer <hawk(a)kernel.org> veth: more robust handing of race to avoid txq getting stuck Jesper Dangaard Brouer <hawk(a)kernel.org> veth: prevent NULL pointer dereference in veth_xdp_rcv Jesper Dangaard Brouer <hawk(a)kernel.org> veth: apply qdisc backpressure on full ptr_ring to reduce TX drops Jesper Dangaard Brouer <hawk(a)kernel.org> net: sched: generalize check for no-queue qdisc on TX queue Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: SMP: Fix not generating mackey and ltk when repairing Edward Adam Davis <eadavis(a)qq.com> Bluetooth: hci_sock: Prevent race in socket write iter and sock bind Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_core: Fix triggering cmd_timer for HCI_OP_NOP Chris Lu <chris.lu(a)mediatek.com> Bluetooth: btusb: mediatek: Fix kernel crash when releasing mtk iso interface Marc Kleine-Budde <mkl(a)pengutronix.de> can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data Marc Kleine-Budde <mkl(a)pengutronix.de> can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header Marc Kleine-Budde <mkl(a)pengutronix.de> can: gs_usb: gs_usb_xmit_callback(): fix handling of failed transmitted URBs Seungjin Bae <eeodqql09(a)gmail.com> can: kvaser_usb: leaf: Fix potential infinite loop in command parsers ------------- Diffstat: MAINTAINERS | 5 - Makefile | 4 +- arch/arm/boot/dts/nxp/imx/imx6ul.dtsi | 2 +- arch/arm64/boot/dts/freescale/imx8dxl-ss-conn.dtsi | 4 +- arch/arm64/boot/dts/freescale/imx8qm-mek.dts | 4 +- arch/arm64/kernel/acpi.c | 10 +- arch/mips/mm/tlb-r4k.c | 118 +- arch/x86/events/core.c | 10 +- arch/x86/kvm/svm/nested.c | 20 +- arch/x86/kvm/svm/svm.c | 98 +- arch/x86/kvm/svm/svm.h | 1 + drivers/atm/fore200e.c | 2 + drivers/bluetooth/btusb.c | 39 +- drivers/firmware/stratix10-svc.c | 7 +- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 + drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c | 3 + drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 2 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 15 + drivers/gpu/drm/amd/display/dc/core/dc_stream.c | 11 +- .../drm/amd/display/dc/hwss/dce110/dce110_hwseq.c | 1 - .../drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 2 - .../drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c | 2 - drivers/gpu/drm/amd/display/dc/link/link_dpms.c | 3 + .../display/dc/virtual/virtual_stream_encoder.c | 7 - drivers/gpu/drm/drm_fb_helper.c | 6 - drivers/gpu/drm/i915/display/intel_dp.c | 5 +- drivers/gpu/drm/i915/display/intel_fbdev.c | 6 - drivers/gpu/drm/radeon/radeon_fbdev.c | 5 - drivers/gpu/drm/sti/sti_vtg.c | 7 +- drivers/gpu/drm/xe/xe_gt_clock.c | 7 +- drivers/iio/accel/adxl355_core.c | 44 +- drivers/iio/accel/bmc150-accel-core.c | 5 + drivers/iio/accel/bmc150-accel.h | 1 + drivers/iio/adc/ad7280a.c | 2 +- drivers/iio/adc/rtq6056.c | 2 +- drivers/iio/adc/stm32-dfsdm-adc.c | 5 +- drivers/iio/buffer/industrialio-buffer-dma.c | 6 + drivers/iio/buffer/industrialio-buffer-dmaengine.c | 2 + drivers/iio/common/ssp_sensors/ssp_dev.c | 4 +- drivers/iio/humidity/hdc3020.c | 73 +- drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h | 40 +- drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c | 19 +- drivers/iio/industrialio-buffer.c | 21 +- drivers/mailbox/mailbox-test.c | 2 +- drivers/mailbox/mtk-cmdq-mailbox.c | 45 +- drivers/mailbox/pcc.c | 32 +- drivers/md/dm-verity-fec.c | 6 +- drivers/mmc/host/sdhci-of-dwcmshc.c | 29 +- drivers/most/most_usb.c | 14 +- drivers/mtd/nand/spi/core.c | 2 + drivers/net/can/rcar/rcar_canfd.c | 53 +- drivers/net/can/sja1000/sja1000.c | 4 +- drivers/net/can/sun4i_can.c | 4 +- drivers/net/can/usb/gs_usb.c | 102 +- drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 4 +- drivers/net/dsa/microchip/ksz_common.c | 65 +- drivers/net/dsa/microchip/ksz_common.h | 1 + drivers/net/dsa/microchip/ksz_ptp.c | 22 +- drivers/net/dsa/sja1105/sja1105_main.c | 66 +- .../net/ethernet/aquantia/atlantic/aq_hw_utils.c | 22 + .../net/ethernet/aquantia/atlantic/aq_hw_utils.h | 1 + drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 5 + .../ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c | 19 +- .../ethernet/aquantia/atlantic/hw_atl2/hw_atl2.c | 2 +- drivers/net/ethernet/freescale/fec.h | 1 + drivers/net/ethernet/freescale/fec_ptp.c | 64 +- drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c | 2 +- drivers/net/ethernet/meta/fbnic/fbnic_fw.c | 2 +- .../net/ethernet/microchip/lan966x/lan966x_ptp.c | 5 +- drivers/net/ethernet/samsung/sxgbe/sxgbe_main.c | 4 +- drivers/net/phy/mxl-gpy.c | 2 +- drivers/net/team/team_core.c | 23 +- drivers/net/veth.c | 64 +- drivers/net/vrf.c | 4 +- drivers/net/wireless/ath/ath12k/dp_rx.c | 5 + drivers/net/wireless/ath/ath12k/peer.c | 3 + drivers/net/wireless/ath/ath12k/peer.h | 2 + drivers/net/wwan/mhi_wwan_mbim.c | 2 +- drivers/nvmem/layouts.c | 2 +- drivers/platform/x86/intel/punit_ipc.c | 2 +- drivers/slimbus/qcom-ngd-ctrl.c | 1 + drivers/spi/Kconfig | 4 +- drivers/spi/spi-amlogic-spifc-a1.c | 4 +- drivers/spi/spi-bcm63xx.c | 14 + drivers/spi/spi-mem.c | 37 + drivers/spi/spi-nxp-fspi.c | 123 +- drivers/staging/Kconfig | 2 - drivers/staging/Makefile | 1 - drivers/staging/rtl8712/Kconfig | 21 - drivers/staging/rtl8712/Makefile | 35 - drivers/staging/rtl8712/TODO | 13 - drivers/staging/rtl8712/basic_types.h | 28 - drivers/staging/rtl8712/drv_types.h | 175 -- drivers/staging/rtl8712/ethernet.h | 21 - drivers/staging/rtl8712/hal_init.c | 401 ---- drivers/staging/rtl8712/ieee80211.c | 415 ---- drivers/staging/rtl8712/ieee80211.h | 165 -- drivers/staging/rtl8712/mlme_linux.c | 160 -- drivers/staging/rtl8712/mlme_osdep.h | 31 - drivers/staging/rtl8712/mp_custom_oid.h | 287 --- drivers/staging/rtl8712/os_intfs.c | 482 ----- drivers/staging/rtl8712/osdep_intf.h | 32 - drivers/staging/rtl8712/osdep_service.h | 60 - drivers/staging/rtl8712/recv_linux.c | 139 -- drivers/staging/rtl8712/recv_osdep.h | 39 - drivers/staging/rtl8712/rtl8712_bitdef.h | 26 - drivers/staging/rtl8712/rtl8712_cmd.c | 409 ---- drivers/staging/rtl8712/rtl8712_cmd.h | 231 -- drivers/staging/rtl8712/rtl8712_cmdctrl_bitdef.h | 95 - drivers/staging/rtl8712/rtl8712_cmdctrl_regdef.h | 19 - drivers/staging/rtl8712/rtl8712_debugctrl_bitdef.h | 41 - drivers/staging/rtl8712/rtl8712_debugctrl_regdef.h | 32 - .../staging/rtl8712/rtl8712_edcasetting_bitdef.h | 65 - .../staging/rtl8712/rtl8712_edcasetting_regdef.h | 24 - drivers/staging/rtl8712/rtl8712_efuse.c | 563 ----- drivers/staging/rtl8712/rtl8712_efuse.h | 44 - drivers/staging/rtl8712/rtl8712_event.h | 86 - drivers/staging/rtl8712/rtl8712_fifoctrl_bitdef.h | 131 -- drivers/staging/rtl8712/rtl8712_fifoctrl_regdef.h | 61 - drivers/staging/rtl8712/rtl8712_gp_bitdef.h | 68 - drivers/staging/rtl8712/rtl8712_gp_regdef.h | 29 - drivers/staging/rtl8712/rtl8712_hal.h | 142 -- drivers/staging/rtl8712/rtl8712_interrupt_bitdef.h | 44 - drivers/staging/rtl8712/rtl8712_io.c | 99 - drivers/staging/rtl8712/rtl8712_led.c | 1830 ---------------- .../staging/rtl8712/rtl8712_macsetting_bitdef.h | 31 - .../staging/rtl8712/rtl8712_macsetting_regdef.h | 20 - drivers/staging/rtl8712/rtl8712_powersave_bitdef.h | 39 - drivers/staging/rtl8712/rtl8712_powersave_regdef.h | 26 - drivers/staging/rtl8712/rtl8712_ratectrl_bitdef.h | 36 - drivers/staging/rtl8712/rtl8712_ratectrl_regdef.h | 43 - drivers/staging/rtl8712/rtl8712_recv.c | 1075 --------- drivers/staging/rtl8712/rtl8712_recv.h | 145 -- drivers/staging/rtl8712/rtl8712_regdef.h | 32 - drivers/staging/rtl8712/rtl8712_security_bitdef.h | 34 - drivers/staging/rtl8712/rtl8712_spec.h | 121 -- drivers/staging/rtl8712/rtl8712_syscfg_bitdef.h | 163 -- drivers/staging/rtl8712/rtl8712_syscfg_regdef.h | 42 - drivers/staging/rtl8712/rtl8712_timectrl_bitdef.h | 49 - drivers/staging/rtl8712/rtl8712_timectrl_regdef.h | 26 - drivers/staging/rtl8712/rtl8712_wmac_bitdef.h | 49 - drivers/staging/rtl8712/rtl8712_wmac_regdef.h | 36 - drivers/staging/rtl8712/rtl8712_xmit.c | 732 ------- drivers/staging/rtl8712/rtl8712_xmit.h | 108 - drivers/staging/rtl8712/rtl871x_cmd.c | 750 ------- drivers/staging/rtl8712/rtl871x_cmd.h | 750 ------- drivers/staging/rtl8712/rtl871x_debug.h | 130 -- drivers/staging/rtl8712/rtl871x_eeprom.c | 220 -- drivers/staging/rtl8712/rtl871x_eeprom.h | 88 - drivers/staging/rtl8712/rtl871x_event.h | 109 - drivers/staging/rtl8712/rtl871x_ht.h | 33 - drivers/staging/rtl8712/rtl871x_io.c | 147 -- drivers/staging/rtl8712/rtl871x_io.h | 236 -- drivers/staging/rtl8712/rtl871x_ioctl.h | 94 - drivers/staging/rtl8712/rtl871x_ioctl_linux.c | 2275 -------------------- drivers/staging/rtl8712/rtl871x_ioctl_rtl.c | 519 ----- drivers/staging/rtl8712/rtl871x_ioctl_rtl.h | 109 - drivers/staging/rtl8712/rtl871x_ioctl_set.c | 354 --- drivers/staging/rtl8712/rtl871x_ioctl_set.h | 45 - drivers/staging/rtl8712/rtl871x_led.h | 118 - drivers/staging/rtl8712/rtl871x_mlme.c | 1710 --------------- drivers/staging/rtl8712/rtl871x_mlme.h | 205 -- drivers/staging/rtl8712/rtl871x_mp.c | 724 ------- drivers/staging/rtl8712/rtl871x_mp.h | 275 --- drivers/staging/rtl8712/rtl871x_mp_ioctl.c | 883 -------- drivers/staging/rtl8712/rtl871x_mp_ioctl.h | 328 --- drivers/staging/rtl8712/rtl871x_mp_phy_regdef.h | 1034 --------- drivers/staging/rtl8712/rtl871x_pwrctrl.c | 234 -- drivers/staging/rtl8712/rtl871x_pwrctrl.h | 113 - drivers/staging/rtl8712/rtl871x_recv.c | 671 ------ drivers/staging/rtl8712/rtl871x_recv.h | 208 -- drivers/staging/rtl8712/rtl871x_rf.h | 55 - drivers/staging/rtl8712/rtl871x_security.c | 1386 ------------ drivers/staging/rtl8712/rtl871x_security.h | 218 -- drivers/staging/rtl8712/rtl871x_sta_mgt.c | 263 --- drivers/staging/rtl8712/rtl871x_wlan_sme.h | 35 - drivers/staging/rtl8712/rtl871x_xmit.c | 1056 --------- drivers/staging/rtl8712/rtl871x_xmit.h | 287 --- drivers/staging/rtl8712/sta_info.h | 132 -- drivers/staging/rtl8712/usb_halinit.c | 307 --- drivers/staging/rtl8712/usb_intf.c | 638 ------ drivers/staging/rtl8712/usb_ops.c | 195 -- drivers/staging/rtl8712/usb_ops.h | 38 - drivers/staging/rtl8712/usb_ops_linux.c | 508 ----- drivers/staging/rtl8712/usb_osintf.h | 35 - drivers/staging/rtl8712/wifi.h | 196 -- drivers/staging/rtl8712/wlan_bssdef.h | 223 -- drivers/staging/rtl8712/xmit_linux.c | 181 -- drivers/staging/rtl8712/xmit_osdep.h | 52 - drivers/thunderbolt/nhi.c | 2 + drivers/thunderbolt/nhi.h | 1 + drivers/tty/serial/amba-pl011.c | 2 +- drivers/usb/cdns3/cdns3-pci-wrap.c | 5 +- drivers/usb/dwc3/core.c | 3 +- drivers/usb/dwc3/dwc3-pci.c | 82 +- drivers/usb/dwc3/ep0.c | 1 + drivers/usb/dwc3/gadget.c | 7 + drivers/usb/gadget/function/f_eem.c | 7 +- drivers/usb/gadget/udc/core.c | 18 +- drivers/usb/gadget/udc/renesas_usbf.c | 4 +- drivers/usb/gadget/udc/trace.h | 5 + drivers/usb/host/xhci-dbgcap.h | 1 + drivers/usb/host/xhci-dbgtty.c | 23 +- drivers/usb/host/xhci-ring.c | 15 +- drivers/usb/host/xhci.c | 1 + drivers/usb/renesas_usbhs/common.c | 14 +- drivers/usb/serial/ftdi_sio.c | 1 + drivers/usb/serial/ftdi_sio_ids.h | 1 + drivers/usb/serial/option.c | 10 +- drivers/usb/storage/sddr55.c | 6 + drivers/usb/storage/transport.c | 16 + drivers/usb/storage/uas.c | 5 + drivers/usb/storage/unusual_devs.h | 2 +- drivers/usb/typec/ucsi/psy.c | 5 + drivers/video/fbdev/core/fbcon.c | 9 + fs/namespace.c | 7 +- fs/nfsd/nfs4state.c | 6 +- fs/smb/client/connect.c | 1 + include/linux/iio/buffer-dma.h | 1 + include/linux/iio/buffer_impl.h | 2 + include/linux/mailbox/mtk-cmdq-mailbox.h | 10 + include/linux/spi/spi-mem.h | 22 +- include/linux/usb/gadget.h | 5 + include/net/bluetooth/hci_core.h | 1 - include/net/sch_generic.h | 8 + kernel/trace/trace.c | 10 + mm/huge_memory.c | 17 +- mm/memfd.c | 27 + net/bluetooth/hci_core.c | 16 +- net/bluetooth/hci_sock.c | 2 + net/bluetooth/smp.c | 31 +- net/ceph/auth_x.c | 2 + net/ceph/ceph_common.c | 53 +- net/ceph/debugfs.c | 16 +- net/ceph/messenger_v2.c | 11 +- net/ceph/osdmap.c | 18 +- net/mptcp/protocol.c | 19 +- sound/usb/quirks.c | 3 + 238 files changed, 1344 insertions(+), 28212 deletions(-)

1 month, 1 week

[PATCH 6.6 00/93] 6.6.119-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.119 release. There are 93 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 05 Dec 2025 15:23:16 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.119-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.119-rc1 Alan Stern <stern(a)rowland.harvard.edu> HID: core: Harden s32ton() against conversion to 0 bits Bastien Curutchet (Schneider Electric) <bastien.curutchet(a)bootlin.com> net: dsa: microchip: Free previously initialized ports on init failures Bastien Curutchet (Schneider Electric) <bastien.curutchet(a)bootlin.com> net: dsa: microchip: Fix symetry in ksz_ptp_msg_irq_{setup/free}() Sean Heelan <seanheelan(a)gmail.com> ksmbd: fix use-after-free in session logoff Paolo Abeni <pabeni(a)redhat.com> mptcp: fix duplicate reset on fastclose Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: join: properly kill background tasks Philipp Hortmann <philipp.g.hortmann(a)gmail.com> staging: rtl8712: Remove driver using deprecated API wext luoguangfei <15388634752(a)163.com> net: macb: fix unregister_netdev call order in macb_remove() ChiYuan Huang <cy_huang(a)richtek.com> iio: adc: rtq6056: Correct the sign bit index Biju Das <biju.das.jz(a)bp.renesas.com> can: rcar_canfd: Fix CAN-FD mode as default Jameson Thies <jthies(a)google.com> usb: typec: ucsi: psy: Set max current to zero when disconnected Jimmy Hu <hhhuuu(a)google.com> usb: gadget: udc: fix use-after-free in usb_gadget_state_work Kuen-Han Tsai <khtsai(a)google.com> usb: udc: Add trace event for usb_gadget_set_state NeilBrown <neil(a)brown.name> nfsd: Replace clamp_t in nfsd4_get_drc_mem() Wang Liang <wangliang74(a)huawei.com> bonding: check xdp prog when set bond mode Hangbin Liu <liuhangbin(a)gmail.com> bonding: return detailed error when loading native XDP fails ziming zhang <ezrakiez(a)gmail.com> libceph: replace BUG_ON with bounds check for map->max_osd ziming zhang <ezrakiez(a)gmail.com> libceph: prevent potential out-of-bounds writes in handle_auth_session_key() Ilya Dryomov <idryomov(a)gmail.com> libceph: fix potential use-after-free in have_mon_and_osd_map() Bastien Curutchet (Schneider Electric) <bastien.curutchet(a)bootlin.com> net: dsa: microchip: ptp: Fix checks on irq_find_mapping() Bastien Curutchet (Schneider Electric) <bastien.curutchet(a)bootlin.com> net: dsa: microchip: common: Fix checks on irq_find_mapping() Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check NULL before accessing Johan Hovold <johan(a)kernel.org> drm: sti: fix device leaks at component probe Vanillan Wang <vanillanwang(a)163.com> USB: serial: option: add support for Rolling RW101R-GL Oleksandr Suvorov <cryosay(a)gmail.com> USB: serial: ftdi_sio: add support for u-blox EVK-M101 Łukasz Bartosik <ukaszb(a)chromium.org> xhci: dbgtty: fix device unregister Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: dbgtty: Fix data corruption when transmitting data form DbC to host Manish Nagar <manish.nagar(a)oss.qualcomm.com> usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths Heikki Krogerus <heikki.krogerus(a)linux.intel.com> usb: dwc3: pci: Sort out the Intel device IDs Heikki Krogerus <heikki.krogerus(a)linux.intel.com> usb: dwc3: pci: add support for the Intel Nova Lake -S Owen Gu <guhuinan(a)xiaomi.com> usb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer Tianchu Chen <flynnnchen(a)tencent.com> usb: storage: sddr55: Reject out-of-bound new_pba Alan Stern <stern(a)rowland.harvard.edu> USB: storage: Remove subclass and protocol overrides from Novatek quirk Desnes Nunes <desnesn(a)redhat.com> usb: storage: Fix memory leak in USB bulk transport Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> usb: renesas_usbhs: Fix synchronous external abort on unbind Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: f_eem: Fix memory leak in eem_unwrap Miaoqian Lin <linmq006(a)gmail.com> usb: cdns3: Fix double resource release in cdns3_pci_probe Johan Hovold <johan(a)kernel.org> most: usb: fix double free on late probe failure Miaoqian Lin <linmq006(a)gmail.com> serial: amba-pl011: prefer dma_mapping_error() over explicit address checking Paolo Abeni <pabeni(a)redhat.com> mptcp: clear scheduled subflows on retransmit Khairul Anuar Romli <khairul.anuar.romli(a)altera.com> firmware: stratix10-svc: fix bug in saving controller data Miaoqian Lin <linmq006(a)gmail.com> slimbus: ngd: Fix reference count leak in qcom_slim_ngd_notify_slaves Alan Borzeszkowski <alan.borzeszkowski(a)linux.intel.com> thunderbolt: Add support for Intel Wildcat Lake Paulo Alcantara <pc(a)manguebit.org> smb: client: fix memory leak in cifs_construct_tcon() Jamie Iles <jamie.iles(a)oss.qualcomm.com> drivers/usb/dwc3: fix PCI parent check Mikulas Patocka <mpatocka(a)redhat.com> dm-verity: fix unreliable memory allocation Viacheslav Dubeyko <Slava.Dubeyko(a)ibm.com> ceph: fix crash in process_v2_sparse_read() for encrypted directories Marc Kleine-Budde <mkl(a)pengutronix.de> can: sun4i_can: sun4i_can_interrupt(): fix max irq loop handling Thomas Mühlbacher <tmuehlbacher(a)posteo.net> can: sja1000: fix max irq loop handling Gui-Dong Han <hanguidong02(a)gmail.com> atm/fore200e: Fix possible data race in fore200e_open() Maarten Zanders <maarten(a)zanders.be> ARM: dts: nxp: imx6ul: correct SAI3 interrupt line Ivan Zhaldak <i.v.zhaldak(a)gmail.com> ALSA: usb-audio: Add DSD quirk for LEAK Stereo 230 Thomas Bogendoerfer <tsbogend(a)alpha.franken.de> MIPS: mm: kmalloc tlb_vpn array to avoid stack overflow Maciej W. Rozycki <macro(a)orcam.me.uk> MIPS: mm: Prevent a TLB shutdown on initial uniquification David Lechner <dlechner(a)baylibre.com> iio: adc: ad7280a: fix ad7280_store_balance_timer() Valek Andrej <andrej.v(a)skyrain.eu> iio: accel: fix ADXL355 startup race condition Linus Walleij <linus.walleij(a)linaro.org> iio: accel: bmc150: Fix irq assumption regression Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> iio:common:ssp_sensors: Fix an error handling path ssp_probe() Francesco Lavra <flavra(a)baylibre.com> iio: imu: st_lsm6dsx: fix array size for st_lsm6dsx_settings fields Jiri Olsa <jolsa(a)kernel.org> Revert "perf/x86: Always store regs->ip in perf_callchain_kernel()" Hang Zhou <929513338(a)qq.com> spi: bcm63xx: fix premature CS deassertion on RX-only transactions Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> spi: nxp-fspi: Propagate fwnode in ACPI case as well Miquel Raynal <miquel.raynal(a)bootlin.com> spi: nxp-fspi: Support per spi-mem operation frequency switches Miquel Raynal <miquel.raynal(a)bootlin.com> spi: spi-mem: Add a new controller capability Miquel Raynal <miquel.raynal(a)bootlin.com> spi: spi-mem: Extend spi-mem operations with a per-operation maximum frequency Tudor Ambarus <tudor.ambarus(a)linaro.org> spi: spi-mem: Allow specifying the byte order in Octal DTR mode Haotian Zhang <vulab(a)iscas.ac.cn> spi: amlogic-spifc-a1: Handle devm_pm_runtime_enable() errors Francesco Lavra <flavra(a)baylibre.com> spi: tegra114: remove Kconfig dependency on TEGRA20_APB_DMA Jamie Iles <jamie.iles(a)oss.qualcomm.com> mailbox: pcc: don't zero error register Sudeep Holla <sudeep.holla(a)arm.com> mailbox: pcc: Refactor error handling in irq handler into separate function Haotian Zhang <vulab(a)iscas.ac.cn> mailbox: mailbox-test: Fix debugfs_create_dir error checking Haotian Zhang <vulab(a)iscas.ac.cn> usb: gadget: renesas_usbf: Handle devm_pm_runtime_enable() errors Mario Tesi <martepisa(a)gmail.com> iio: st_lsm6dsx: Fixed calibrated timestamp calculation Wei Fang <wei.fang(a)nxp.com> net: fec: do not register PPS event for PEROUT Wei Fang <wei.fang(a)nxp.com> net: fec: do not allow enabling PPS and PEROUT simultaneously Wei Fang <wei.fang(a)nxp.com> net: fec: do not update PEROUT if it is enabled Wei Fang <wei.fang(a)nxp.com> net: fec: cancel perout_timer when PEROUT is disabled Jiefeng Zhang <jiefeng.z.zhang(a)gmail.com> net: atlantic: fix fragment overflow handling in RX path Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: sja1105: fix SGMII linking at 10M or 100M but not passing traffic Russell King (Oracle) <rmk+kernel(a)armlinux.org.uk> net: dsa: sja1105: simplify static configuration reload Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: fix cyan_skillfish2 gpu info fw handling Alexey Kodanev <aleksei.kodanev(a)bell-sw.com> net: sxgbe: fix potential NULL dereference in sxgbe_rx() Danielle Costantino <dcostantino(a)meta.com> net/mlx5e: Fix validation logic in rate limiting Horatiu Vultur <horatiu.vultur(a)microchip.com> net: lan966x: Fix the initialization of taprio Kai-Heng Feng <kaihengf(a)nvidia.com> net: aquantia: Add missing descriptor cache invalidation on ATL2 Dan Carpenter <dan.carpenter(a)linaro.org> platform/x86: intel: punit_ipc: fix memory corruption Daniel Golle <daniel(a)makrotopia.org> net: phy: mxl-gpy: fix bogus error on USXGMII and integrated PHY Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: SMP: Fix not generating mackey and ltk when repairing Edward Adam Davis <eadavis(a)qq.com> Bluetooth: hci_sock: Prevent race in socket write iter and sock bind Marc Kleine-Budde <mkl(a)pengutronix.de> can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data Marc Kleine-Budde <mkl(a)pengutronix.de> can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header Marc Kleine-Budde <mkl(a)pengutronix.de> can: gs_usb: gs_usb_xmit_callback(): fix handling of failed transmitted URBs Seungjin Bae <eeodqql09(a)gmail.com> can: kvaser_usb: leaf: Fix potential infinite loop in command parsers ------------- Diffstat: MAINTAINERS | 6 - Makefile | 4 +- arch/arm/boot/dts/nxp/imx/imx6ul.dtsi | 2 +- arch/mips/mm/tlb-r4k.c | 118 +- arch/x86/events/core.c | 10 +- drivers/atm/fore200e.c | 2 + drivers/firmware/stratix10-svc.c | 7 +- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 + drivers/gpu/drm/amd/display/dc/core/dc_stream.c | 11 +- drivers/gpu/drm/sti/sti_vtg.c | 7 +- drivers/hid/hid-core.c | 7 +- drivers/iio/accel/adxl355_core.c | 44 +- drivers/iio/accel/bmc150-accel-core.c | 5 + drivers/iio/accel/bmc150-accel.h | 1 + drivers/iio/adc/ad7280a.c | 2 +- drivers/iio/adc/rtq6056.c | 2 +- drivers/iio/common/ssp_sensors/ssp_dev.c | 4 +- drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h | 40 +- drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c | 19 +- drivers/mailbox/mailbox-test.c | 2 +- drivers/mailbox/pcc.c | 32 +- drivers/md/dm-verity-fec.c | 6 +- drivers/most/most_usb.c | 14 +- drivers/mtd/nand/spi/core.c | 2 + drivers/net/bonding/bond_main.c | 11 +- drivers/net/bonding/bond_options.c | 3 + drivers/net/can/rcar/rcar_canfd.c | 53 +- drivers/net/can/sja1000/sja1000.c | 4 +- drivers/net/can/sun4i_can.c | 4 +- drivers/net/can/usb/gs_usb.c | 102 +- drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 4 +- drivers/net/dsa/microchip/ksz_common.c | 30 +- drivers/net/dsa/microchip/ksz_ptp.c | 22 +- drivers/net/dsa/sja1105/sja1105_main.c | 66 +- .../net/ethernet/aquantia/atlantic/aq_hw_utils.c | 22 + .../net/ethernet/aquantia/atlantic/aq_hw_utils.h | 1 + drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 5 + .../ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c | 19 +- .../ethernet/aquantia/atlantic/hw_atl2/hw_atl2.c | 2 +- drivers/net/ethernet/cadence/macb_main.c | 2 +- drivers/net/ethernet/freescale/fec.h | 1 + drivers/net/ethernet/freescale/fec_ptp.c | 64 +- drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c | 2 +- .../net/ethernet/microchip/lan966x/lan966x_ptp.c | 5 +- drivers/net/ethernet/samsung/sxgbe/sxgbe_main.c | 4 +- drivers/net/phy/mxl-gpy.c | 2 +- drivers/platform/x86/intel/punit_ipc.c | 2 +- drivers/slimbus/qcom-ngd-ctrl.c | 1 + drivers/spi/Kconfig | 4 +- drivers/spi/spi-amlogic-spifc-a1.c | 4 +- drivers/spi/spi-bcm63xx.c | 14 + drivers/spi/spi-mem.c | 37 + drivers/spi/spi-nxp-fspi.c | 22 +- drivers/staging/Kconfig | 2 - drivers/staging/Makefile | 1 - drivers/staging/rtl8712/Kconfig | 21 - drivers/staging/rtl8712/Makefile | 35 - drivers/staging/rtl8712/TODO | 13 - drivers/staging/rtl8712/basic_types.h | 28 - drivers/staging/rtl8712/drv_types.h | 175 -- drivers/staging/rtl8712/ethernet.h | 21 - drivers/staging/rtl8712/hal_init.c | 401 ---- drivers/staging/rtl8712/ieee80211.c | 415 ---- drivers/staging/rtl8712/ieee80211.h | 165 -- drivers/staging/rtl8712/mlme_linux.c | 160 -- drivers/staging/rtl8712/mlme_osdep.h | 31 - drivers/staging/rtl8712/mp_custom_oid.h | 287 --- drivers/staging/rtl8712/os_intfs.c | 482 ---- drivers/staging/rtl8712/osdep_intf.h | 32 - drivers/staging/rtl8712/osdep_service.h | 60 - drivers/staging/rtl8712/recv_linux.c | 139 -- drivers/staging/rtl8712/recv_osdep.h | 39 - drivers/staging/rtl8712/rtl8712_bitdef.h | 26 - drivers/staging/rtl8712/rtl8712_cmd.c | 409 ---- drivers/staging/rtl8712/rtl8712_cmd.h | 231 -- drivers/staging/rtl8712/rtl8712_cmdctrl_bitdef.h | 95 - drivers/staging/rtl8712/rtl8712_cmdctrl_regdef.h | 19 - drivers/staging/rtl8712/rtl8712_debugctrl_bitdef.h | 41 - drivers/staging/rtl8712/rtl8712_debugctrl_regdef.h | 32 - .../staging/rtl8712/rtl8712_edcasetting_bitdef.h | 65 - .../staging/rtl8712/rtl8712_edcasetting_regdef.h | 24 - drivers/staging/rtl8712/rtl8712_efuse.c | 564 ----- drivers/staging/rtl8712/rtl8712_efuse.h | 44 - drivers/staging/rtl8712/rtl8712_event.h | 86 - drivers/staging/rtl8712/rtl8712_fifoctrl_bitdef.h | 131 -- drivers/staging/rtl8712/rtl8712_fifoctrl_regdef.h | 61 - drivers/staging/rtl8712/rtl8712_gp_bitdef.h | 68 - drivers/staging/rtl8712/rtl8712_gp_regdef.h | 29 - drivers/staging/rtl8712/rtl8712_hal.h | 142 -- drivers/staging/rtl8712/rtl8712_interrupt_bitdef.h | 44 - drivers/staging/rtl8712/rtl8712_io.c | 99 - drivers/staging/rtl8712/rtl8712_led.c | 1830 --------------- .../staging/rtl8712/rtl8712_macsetting_bitdef.h | 31 - .../staging/rtl8712/rtl8712_macsetting_regdef.h | 20 - drivers/staging/rtl8712/rtl8712_powersave_bitdef.h | 39 - drivers/staging/rtl8712/rtl8712_powersave_regdef.h | 26 - drivers/staging/rtl8712/rtl8712_ratectrl_bitdef.h | 36 - drivers/staging/rtl8712/rtl8712_ratectrl_regdef.h | 43 - drivers/staging/rtl8712/rtl8712_recv.c | 1080 --------- drivers/staging/rtl8712/rtl8712_recv.h | 145 -- drivers/staging/rtl8712/rtl8712_regdef.h | 32 - drivers/staging/rtl8712/rtl8712_security_bitdef.h | 34 - drivers/staging/rtl8712/rtl8712_spec.h | 121 - drivers/staging/rtl8712/rtl8712_syscfg_bitdef.h | 163 -- drivers/staging/rtl8712/rtl8712_syscfg_regdef.h | 42 - drivers/staging/rtl8712/rtl8712_timectrl_bitdef.h | 49 - drivers/staging/rtl8712/rtl8712_timectrl_regdef.h | 26 - drivers/staging/rtl8712/rtl8712_wmac_bitdef.h | 49 - drivers/staging/rtl8712/rtl8712_wmac_regdef.h | 36 - drivers/staging/rtl8712/rtl8712_xmit.c | 744 ------- drivers/staging/rtl8712/rtl8712_xmit.h | 108 - drivers/staging/rtl8712/rtl871x_cmd.c | 796 ------- drivers/staging/rtl8712/rtl871x_cmd.h | 761 ------- drivers/staging/rtl8712/rtl871x_debug.h | 130 -- drivers/staging/rtl8712/rtl871x_eeprom.c | 220 -- drivers/staging/rtl8712/rtl871x_eeprom.h | 88 - drivers/staging/rtl8712/rtl871x_event.h | 109 - drivers/staging/rtl8712/rtl871x_ht.h | 33 - drivers/staging/rtl8712/rtl871x_io.c | 147 -- drivers/staging/rtl8712/rtl871x_io.h | 236 -- drivers/staging/rtl8712/rtl871x_ioctl.h | 94 - drivers/staging/rtl8712/rtl871x_ioctl_linux.c | 2330 -------------------- drivers/staging/rtl8712/rtl871x_ioctl_rtl.c | 519 ----- drivers/staging/rtl8712/rtl871x_ioctl_rtl.h | 109 - drivers/staging/rtl8712/rtl871x_ioctl_set.c | 354 --- drivers/staging/rtl8712/rtl871x_ioctl_set.h | 45 - drivers/staging/rtl8712/rtl871x_led.h | 118 - drivers/staging/rtl8712/rtl871x_mlme.c | 1710 -------------- drivers/staging/rtl8712/rtl871x_mlme.h | 205 -- drivers/staging/rtl8712/rtl871x_mp.c | 724 ------ drivers/staging/rtl8712/rtl871x_mp.h | 275 --- drivers/staging/rtl8712/rtl871x_mp_ioctl.c | 883 -------- drivers/staging/rtl8712/rtl871x_mp_ioctl.h | 328 --- drivers/staging/rtl8712/rtl871x_mp_phy_regdef.h | 1034 --------- drivers/staging/rtl8712/rtl871x_pwrctrl.c | 234 -- drivers/staging/rtl8712/rtl871x_pwrctrl.h | 113 - drivers/staging/rtl8712/rtl871x_recv.c | 671 ------ drivers/staging/rtl8712/rtl871x_recv.h | 208 -- drivers/staging/rtl8712/rtl871x_rf.h | 55 - drivers/staging/rtl8712/rtl871x_security.c | 1386 ------------ drivers/staging/rtl8712/rtl871x_security.h | 218 -- drivers/staging/rtl8712/rtl871x_sta_mgt.c | 263 --- drivers/staging/rtl8712/rtl871x_wlan_sme.h | 35 - drivers/staging/rtl8712/rtl871x_xmit.c | 1059 --------- drivers/staging/rtl8712/rtl871x_xmit.h | 288 --- drivers/staging/rtl8712/sta_info.h | 132 -- drivers/staging/rtl8712/usb_halinit.c | 307 --- drivers/staging/rtl8712/usb_intf.c | 638 ------ drivers/staging/rtl8712/usb_ops.c | 195 -- drivers/staging/rtl8712/usb_ops.h | 38 - drivers/staging/rtl8712/usb_ops_linux.c | 515 ----- drivers/staging/rtl8712/usb_osintf.h | 35 - drivers/staging/rtl8712/wifi.h | 196 -- drivers/staging/rtl8712/wlan_bssdef.h | 223 -- drivers/staging/rtl8712/xmit_linux.c | 181 -- drivers/staging/rtl8712/xmit_osdep.h | 52 - drivers/thunderbolt/nhi.c | 2 + drivers/thunderbolt/nhi.h | 1 + drivers/tty/serial/amba-pl011.c | 2 +- drivers/usb/cdns3/cdns3-pci-wrap.c | 5 +- drivers/usb/dwc3/core.c | 3 +- drivers/usb/dwc3/dwc3-pci.c | 82 +- drivers/usb/dwc3/ep0.c | 1 + drivers/usb/dwc3/gadget.c | 7 + drivers/usb/gadget/function/f_eem.c | 7 +- drivers/usb/gadget/udc/core.c | 18 +- drivers/usb/gadget/udc/renesas_usbf.c | 4 +- drivers/usb/gadget/udc/trace.h | 5 + drivers/usb/host/xhci-dbgcap.h | 1 + drivers/usb/host/xhci-dbgtty.c | 23 +- drivers/usb/renesas_usbhs/common.c | 14 +- drivers/usb/serial/ftdi_sio.c | 1 + drivers/usb/serial/ftdi_sio_ids.h | 1 + drivers/usb/serial/option.c | 10 +- drivers/usb/storage/sddr55.c | 6 + drivers/usb/storage/transport.c | 16 + drivers/usb/storage/uas.c | 5 + drivers/usb/storage/unusual_devs.h | 2 +- drivers/usb/typec/ucsi/psy.c | 5 + fs/nfsd/nfs4state.c | 6 +- fs/smb/client/connect.c | 1 + fs/smb/server/smb2pdu.c | 4 - include/linux/spi/spi-mem.h | 22 +- include/linux/usb/gadget.h | 5 + include/net/bonding.h | 1 + net/bluetooth/hci_sock.c | 2 + net/bluetooth/smp.c | 31 +- net/ceph/auth_x.c | 2 + net/ceph/ceph_common.c | 53 +- net/ceph/debugfs.c | 16 +- net/ceph/messenger_v2.c | 11 +- net/ceph/osdmap.c | 18 +- net/mptcp/protocol.c | 48 +- sound/usb/quirks.c | 3 + tools/testing/selftests/net/mptcp/mptcp_join.sh | 14 +- tools/testing/selftests/net/mptcp/mptcp_lib.sh | 21 + 196 files changed, 914 insertions(+), 28087 deletions(-)

1 month, 1 week

[PATCH v3] gpio: regmap: Fix memleak in gpio_remap_register

by Wentao Guan

We should call gpiochip_remove(chip) to free the resource alloced by gpiochip_add_data(chip, gpio) after the err path. Fixes: 553b75d4bfe9 ("gpio: regmap: Allow to allocate regmap-irq device") Fixes: ae495810cffe ("gpio: regmap: add the .fixed_direction_output configuration parameter") CC: stable(a)vger.kernel.org Co-developed-by: WangYuli <wangyl5933(a)chinaunicom.cn> Signed-off-by: WangYuli <wangyl5933(a)chinaunicom.cn> Signed-off-by: Wentao Guan <guanwentao(a)uniontech.com> --- changelog in v3: Add dependency fixes tag which suggested by Andy Shevchenko. changelog in v2: 1. format commit message. 2. rebase to mainline now. --- --- drivers/gpio/gpio-regmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpio/gpio-regmap.c b/drivers/gpio/gpio-regmap.c index f4267af00027e..c64805dcb9f88 100644 --- a/drivers/gpio/gpio-regmap.c +++ b/drivers/gpio/gpio-regmap.c @@ -328,7 +328,7 @@ struct gpio_regmap *gpio_regmap_register(const struct gpio_regmap_config *config config->regmap_irq_line, config->regmap_irq_flags, 0, config->regmap_irq_chip, &gpio->irq_chip_data); if (ret) - goto err_free_bitmap; + goto err_remove_gpiochip; irq_domain = regmap_irq_get_domain(gpio->irq_chip_data); } else -- 2.20.1

1 month, 1 week

[PATCH v3 2/3] kasan: Refactor pcpu kasan vmalloc unpoison

by Maciej Wieczor-Retman

From: Maciej Wieczor-Retman <maciej.wieczor-retman(a)intel.com> A KASAN tag mismatch, possibly causing a kernel panic, can be observed on systems with a tag-based KASAN enabled and with multiple NUMA nodes. It was reported on arm64 and reproduced on x86. It can be explained in the following points: 1. There can be more than one virtual memory chunk. 2. Chunk's base address has a tag. 3. The base address points at the first chunk and thus inherits the tag of the first chunk. 4. The subsequent chunks will be accessed with the tag from the first chunk. 5. Thus, the subsequent chunks need to have their tag set to match that of the first chunk. Refactor code by reusing __kasan_unpoison_vmalloc in a new helper in preparation for the actual fix. Changelog v1 (after splitting of from the KASAN series): - Rewrite first paragraph of the patch message to point at the user impact of the issue. - Move helper to common.c so it can be compiled in all KASAN modes. Fixes: 1d96320f8d53 ("kasan, vmalloc: add vmalloc tagging for SW_TAGS") Cc: <stable(a)vger.kernel.org> # 6.1+ Signed-off-by: Maciej Wieczor-Retman <maciej.wieczor-retman(a)intel.com> --- Changelog v3: - Redo the patch after applying Andrey's comments to align the code more with what's already in include/linux/kasan.h Changelog v2: - Redo the whole patch so it's an actual refactor. include/linux/kasan.h | 15 +++++++++++++++ mm/kasan/common.c | 17 +++++++++++++++++ mm/vmalloc.c | 4 +--- 3 files changed, 33 insertions(+), 3 deletions(-) diff --git a/include/linux/kasan.h b/include/linux/kasan.h index 6d7972bb390c..cde493cb7702 100644 --- a/include/linux/kasan.h +++ b/include/linux/kasan.h @@ -615,6 +615,16 @@ static __always_inline void kasan_poison_vmalloc(const void *start, __kasan_poison_vmalloc(start, size); } +void __kasan_unpoison_vmap_areas(struct vm_struct **vms, int nr_vms, + kasan_vmalloc_flags_t flags); +static __always_inline void +kasan_unpoison_vmap_areas(struct vm_struct **vms, int nr_vms, + kasan_vmalloc_flags_t flags) +{ + if (kasan_enabled()) + __kasan_unpoison_vmap_areas(vms, nr_vms, flags); +} + #else /* CONFIG_KASAN_VMALLOC */ static inline void kasan_populate_early_vm_area_shadow(void *start, @@ -639,6 +649,11 @@ static inline void *kasan_unpoison_vmalloc(const void *start, static inline void kasan_poison_vmalloc(const void *start, unsigned long size) { } +static __always_inline void +kasan_unpoison_vmap_areas(struct vm_struct **vms, int nr_vms, + kasan_vmalloc_flags_t flags) +{ } + #endif /* CONFIG_KASAN_VMALLOC */ #if (defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS)) && \ diff --git a/mm/kasan/common.c b/mm/kasan/common.c index d4c14359feaf..1ed6289d471a 100644 --- a/mm/kasan/common.c +++ b/mm/kasan/common.c @@ -28,6 +28,7 @@ #include <linux/string.h> #include <linux/types.h> #include <linux/bug.h> +#include <linux/vmalloc.h> #include "kasan.h" #include "../slab.h" @@ -582,3 +583,19 @@ bool __kasan_check_byte(const void *address, unsigned long ip) } return true; } + +#ifdef CONFIG_KASAN_VMALLOC +void __kasan_unpoison_vmap_areas(struct vm_struct **vms, int nr_vms, + kasan_vmalloc_flags_t flags) +{ + unsigned long size; + void *addr; + int area; + + for (area = 0 ; area < nr_vms ; area++) { + size = vms[area]->size; + addr = vms[area]->addr; + vms[area]->addr = __kasan_unpoison_vmalloc(addr, size, flags); + } +} +#endif diff --git a/mm/vmalloc.c b/mm/vmalloc.c index 22a73a087135..33e705ccafba 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c @@ -4872,9 +4872,7 @@ struct vm_struct **pcpu_get_vm_areas(const unsigned long *offsets, * With hardware tag-based KASAN, marking is skipped for * non-VM_ALLOC mappings, see __kasan_unpoison_vmalloc(). */ - for (area = 0; area < nr_vms; area++) - vms[area]->addr = kasan_unpoison_vmalloc(vms[area]->addr, - vms[area]->size, KASAN_VMALLOC_PROT_NORMAL); + kasan_unpoison_vmap_areas(vms, nr_vms, KASAN_VMALLOC_PROT_NORMAL); kfree(vas); return vms; -- 2.52.0

1 month, 1 week

[PATCH 6.1.y] ksmbd: fix out-of-bounds in parse_sec_desc()

by Rajani Kantha

From: Namjae Jeon <linkinjeon(a)kernel.org> commit d6e13e19063db24f94b690159d0633aaf72a0f03 upstream. If osidoffset, gsidoffset and dacloffset could be greater than smb_ntsd struct size. If it is smaller, It could cause slab-out-of-bounds. And when validating sid, It need to check it included subauth array size. Cc: stable(a)vger.kernel.org Reported-by: Norbert Szetei <norbert(a)doyensec.com> Tested-by: Norbert Szetei <norbert(a)doyensec.com> Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> Signed-off-by: Rajani Kantha <681739313(a)139.com> --- fs/smb/server/smbacl.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/fs/smb/server/smbacl.c b/fs/smb/server/smbacl.c index 90c5e3edbf46..5c05f0e8b6ea 100644 --- a/fs/smb/server/smbacl.c +++ b/fs/smb/server/smbacl.c @@ -815,6 +815,13 @@ static int parse_sid(struct smb_sid *psid, char *end_of_acl) return -EINVAL; } + if (!psid->num_subauth) + return 0; + + if (psid->num_subauth > SID_MAX_SUB_AUTHORITIES || + end_of_acl < (char *)psid + 8 + sizeof(__le32) * psid->num_subauth) + return -EINVAL; + return 0; } @@ -856,6 +863,9 @@ int parse_sec_desc(struct user_namespace *user_ns, struct smb_ntsd *pntsd, pntsd->type = cpu_to_le16(DACL_PRESENT); if (pntsd->osidoffset) { + if (le32_to_cpu(pntsd->osidoffset) < sizeof(struct smb_ntsd)) + return -EINVAL; + rc = parse_sid(owner_sid_ptr, end_of_acl); if (rc) { pr_err("%s: Error %d parsing Owner SID\n", __func__, rc); @@ -871,6 +881,9 @@ int parse_sec_desc(struct user_namespace *user_ns, struct smb_ntsd *pntsd, } if (pntsd->gsidoffset) { + if (le32_to_cpu(pntsd->gsidoffset) < sizeof(struct smb_ntsd)) + return -EINVAL; + rc = parse_sid(group_sid_ptr, end_of_acl); if (rc) { pr_err("%s: Error %d mapping Owner SID to gid\n", @@ -892,6 +905,9 @@ int parse_sec_desc(struct user_namespace *user_ns, struct smb_ntsd *pntsd, pntsd->type |= cpu_to_le16(DACL_PROTECTED); if (dacloffset) { + if (dacloffset < sizeof(struct smb_ntsd)) + return -EINVAL; + parse_dacl(user_ns, dacl_ptr, end_of_acl, owner_sid_ptr, group_sid_ptr, fattr); } -- 2.17.1

1 month, 1 week

[PATCH 6.1] net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry()

by Chen Yu

From: Vladimir Oltean <vladimir.oltean(a)nxp.com> [ Upstream commit 5f2b28b79d2d1946ee36ad8b3dc0066f73c90481 ] There are actually 2 problems: - deleting the last element doesn't require the memmove of elements [i + 1, end) over it. Actually, element i+1 is out of bounds. - The memmove itself should move size - i - 1 elements, because the last element is out of bounds. The out-of-bounds element still remains out of bounds after being accessed, so the problem is only that we touch it, not that it becomes in active use. But I suppose it can lead to issues if the out-of-bounds element is part of an unmapped page. Fixes: 6666cebc5e30 ("net: dsa: sja1105: Add support for VLAN operations") Signed-off-by: Vladimir Oltean <vladimir.oltean(a)nxp.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Link: https://patch.msgid.link/20250318115716.2124395-4-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Chen Yu <xnguchen(a)sina.cn> --- drivers/net/dsa/sja1105/sja1105_static_config.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/net/dsa/sja1105/sja1105_static_config.c b/drivers/net/dsa/sja1105/sja1105_static_config.c index baba204ad62f..2ac91fe2a79b 100644 --- a/drivers/net/dsa/sja1105/sja1105_static_config.c +++ b/drivers/net/dsa/sja1105/sja1105_static_config.c @@ -1921,8 +1921,10 @@ int sja1105_table_delete_entry(struct sja1105_table *table, int i) if (i > table->entry_count) return -ERANGE; - memmove(entries + i * entry_size, entries + (i + 1) * entry_size, - (table->entry_count - i) * entry_size); + if (i + 1 < table->entry_count) { + memmove(entries + i * entry_size, entries + (i + 1) * entry_size, + (table->entry_count - i - 1) * entry_size); + } table->entry_count--; -- 2.17.1

1 month, 1 week

[PATCH v2 1/3] dm-pcache: advance slot index before writing slot

by Dongsheng Yang

In dm-pcache, in order to ensure crash-consistency, a dual-copy scheme is used to alternately update metadata, and there is a slot index that records the current slot. However, in the write path the current implementation writes directly to the current slot indexed by slot index, and then advances the slot — which ends up overwriting the existing slot, violating the crash-consistency guarantee. This patch fixes that behavior, preventing metadata from being overwritten incorrectly. In addition, this patch add a missing pmem_wmb() after memcpy_flushcache(). Signed-off-by: Dongsheng Yang <dongsheng.yang(a)linux.dev> Reviewed-by: Zheng Gu <cengku(a)gmail.com> Cc: stable(a)vger.kernel.org # 6.18 --- drivers/md/dm-pcache/cache.c | 8 ++++---- drivers/md/dm-pcache/cache_segment.c | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/drivers/md/dm-pcache/cache.c b/drivers/md/dm-pcache/cache.c index 698697a7a73c..d4385d76ac36 100644 --- a/drivers/md/dm-pcache/cache.c +++ b/drivers/md/dm-pcache/cache.c @@ -21,10 +21,10 @@ static void cache_info_write(struct pcache_cache *cache) cache_info->header.crc = pcache_meta_crc(&cache_info->header, sizeof(struct pcache_cache_info)); + cache->info_index = (cache->info_index + 1) % PCACHE_META_INDEX_MAX; memcpy_flushcache(get_cache_info_addr(cache), cache_info, sizeof(struct pcache_cache_info)); - - cache->info_index = (cache->info_index + 1) % PCACHE_META_INDEX_MAX; + pmem_wmb(); } static void cache_info_init_default(struct pcache_cache *cache); @@ -93,10 +93,10 @@ void cache_pos_encode(struct pcache_cache *cache, pos_onmedia.header.seq = seq; pos_onmedia.header.crc = cache_pos_onmedia_crc(&pos_onmedia); + *index = (*index + 1) % PCACHE_META_INDEX_MAX; + memcpy_flushcache(pos_onmedia_addr, &pos_onmedia, sizeof(struct pcache_cache_pos_onmedia)); pmem_wmb(); - - *index = (*index + 1) % PCACHE_META_INDEX_MAX; } int cache_pos_decode(struct pcache_cache *cache, diff --git a/drivers/md/dm-pcache/cache_segment.c b/drivers/md/dm-pcache/cache_segment.c index f0b58980806e..ae57cc261422 100644 --- a/drivers/md/dm-pcache/cache_segment.c +++ b/drivers/md/dm-pcache/cache_segment.c @@ -26,11 +26,11 @@ static void cache_seg_info_write(struct pcache_cache_segment *cache_seg) seg_info->header.seq++; seg_info->header.crc = pcache_meta_crc(&seg_info->header, sizeof(struct pcache_segment_info)); + cache_seg->info_index = (cache_seg->info_index + 1) % PCACHE_META_INDEX_MAX; + seg_info_addr = get_seg_info_addr(cache_seg); memcpy_flushcache(seg_info_addr, seg_info, sizeof(struct pcache_segment_info)); pmem_wmb(); - - cache_seg->info_index = (cache_seg->info_index + 1) % PCACHE_META_INDEX_MAX; mutex_unlock(&cache_seg->info_lock); } @@ -129,10 +129,10 @@ static void cache_seg_ctrl_write(struct pcache_cache_segment *cache_seg) cache_seg_gen.header.crc = pcache_meta_crc(&cache_seg_gen.header, sizeof(struct pcache_cache_seg_gen)); + cache_seg->gen_index = (cache_seg->gen_index + 1) % PCACHE_META_INDEX_MAX; + memcpy_flushcache(get_cache_seg_gen_addr(cache_seg), &cache_seg_gen, sizeof(struct pcache_cache_seg_gen)); pmem_wmb(); - - cache_seg->gen_index = (cache_seg->gen_index + 1) % PCACHE_META_INDEX_MAX; } static void cache_seg_ctrl_init(struct pcache_cache_segment *cache_seg) -- 2.43.0

1 month, 1 week

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror