- Linux-stable-mirror - lists.linaro.org

[PATCH 6.1.y] net: macb: fix unregister_netdev call order in macb_remove()

by alvalan9＠foxmail.com

From: luoguangfei <15388634752(a)163.com> [ Upstream commit 01b9128c5db1b470575d07b05b67ffa3cb02ebf1 ] When removing a macb device, the driver calls phy_exit() before unregister_netdev(). This leads to a WARN from kernfs: ------------[ cut here ]------------ kernfs: can not remove 'attached_dev', no directory WARNING: CPU: 1 PID: 27146 at fs/kernfs/dir.c:1683 Call trace: kernfs_remove_by_name_ns+0xd8/0xf0 sysfs_remove_link+0x24/0x58 phy_detach+0x5c/0x168 phy_disconnect+0x4c/0x70 phylink_disconnect_phy+0x6c/0xc0 [phylink] macb_close+0x6c/0x170 [macb] ... macb_remove+0x60/0x168 [macb] platform_remove+0x5c/0x80 ... The warning happens because the PHY is being exited while the netdev is still registered. The correct order is to unregister the netdev before shutting down the PHY and cleaning up the MDIO bus. Fix this by moving unregister_netdev() ahead of phy_exit() in macb_remove(). Fixes: 8b73fa3ae02b ("net: macb: Added ZynqMP-specific initialization") Signed-off-by: luoguangfei <15388634752(a)163.com> Link: https://patch.msgid.link/20250818232527.1316-1-15388634752@163.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> [ Minor context change fixed. ] Signed-off-by: Alva Lan <alvalan9(a)foxmail.com> --- drivers/net/ethernet/cadence/macb_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c index 1ea7c86f7501..9da142efe9d4 100644 --- a/drivers/net/ethernet/cadence/macb_main.c +++ b/drivers/net/ethernet/cadence/macb_main.c @@ -5068,11 +5068,11 @@ static int macb_remove(struct platform_device *pdev) if (dev) { bp = netdev_priv(dev); + unregister_netdev(dev); phy_exit(bp->sgmii_phy); mdiobus_unregister(bp->mii_bus); mdiobus_free(bp->mii_bus); - unregister_netdev(dev); tasklet_kill(&bp->hresp_err_tasklet); pm_runtime_disable(&pdev->dev); pm_runtime_dont_use_autosuspend(&pdev->dev); -- 2.43.0

2 days, 14 hours

1
0
0 0

[PATCH v3] ocfs2: fix kernel BUG in ocfs2_find_victim_chain

by Prithvi Tambewagh

syzbot reported a kernel BUG in ocfs2_find_victim_chain() because the `cl_next_free_rec` field of the allocation chain list (next free slot in the chain list) is 0, triggring the BUG_ON(!cl->cl_next_free_rec) condition in ocfs2_find_victim_chain() and panicking the kernel. To fix this, an if condition is introduced in ocfs2_claim_suballoc_bits(), just before calling ocfs2_find_victim_chain(), the code block in it being executed when either of the following conditions is true: 1. `cl_next_free_rec` is equal to 0, indicating that there are no free chains in the allocation chain list 2. `cl_next_free_rec` is greater than `cl_count` (the total number of chains in the allocation chain list) Either of them being true is indicative of the fact that there are no chains left for usage. This is addressed using ocfs2_error(), which prints the error log for debugging purposes, rather than panicking the kernel. Reported-by: syzbot+96d38c6e1655c1420a72(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=96d38c6e1655c1420a72 Tested-by: syzbot+96d38c6e1655c1420a72(a)syzkaller.appspotmail.com Cc: stable(a)vger.kernel.org Signed-off-by: Prithvi Tambewagh <activprithvi(a)gmail.com> --- v2->v3 - Revise log message for reflecting changes from v1->v2 - Format code style as suggested in v2 v1->v2: - Remove extra line before the if statement in patch - Add upper limit check for cl->cl_next_free_rec in the if condition fs/ocfs2/suballoc.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c index 6ac4dcd54588..e93fc842bb20 100644 --- a/fs/ocfs2/suballoc.c +++ b/fs/ocfs2/suballoc.c @@ -1992,6 +1992,16 @@ static int ocfs2_claim_suballoc_bits(struct ocfs2_alloc_context *ac, } cl = (struct ocfs2_chain_list *) &fe->id2.i_chain; + if (!le16_to_cpu(cl->cl_next_free_rec) || + le16_to_cpu(cl->cl_next_free_rec) > le16_to_cpu(cl->cl_count)) { + status = ocfs2_error(ac->ac_inode->i_sb, + "Chain allocator dinode %llu has invalid next " + "free chain record %u, but only %u total\n", + (unsigned long long)le64_to_cpu(fe->i_blkno), + le16_to_cpu(cl->cl_next_free_rec), + le16_to_cpu(cl->cl_count)); + goto bail; + } victim = ocfs2_find_victim_chain(cl); ac->ac_chain = victim; base-commit: 939f15e640f193616691d3bcde0089760e75b0d3 -- 2.34.1

2 days, 14 hours

1
0
0 0

FAILED: patch "[PATCH] mptcp: Disallow MPTCP subflows from sockmap" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x fbade4bd08ba52cbc74a71c4e86e736f059f99f7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112455-daughter-unsealed-699a@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From fbade4bd08ba52cbc74a71c4e86e736f059f99f7 Mon Sep 17 00:00:00 2001 From: Jiayuan Chen <jiayuan.chen(a)linux.dev> Date: Tue, 11 Nov 2025 14:02:50 +0800 Subject: [PATCH] mptcp: Disallow MPTCP subflows from sockmap The sockmap feature allows bpf syscall from userspace, or based on bpf sockops, replacing the sk_prot of sockets during protocol stack processing with sockmap's custom read/write interfaces. ''' tcp_rcv_state_process() subflow_syn_recv_sock() tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB) bpf_skops_established <== sockops bpf_sock_map_update(sk) <== call bpf helper tcp_bpf_update_proto() <== update sk_prot ''' Consider two scenarios: 1. When the server has MPTCP enabled and the client also requests MPTCP, the sk passed to the BPF program is a subflow sk. Since subflows only handle partial data, replacing their sk_prot is meaningless and will cause traffic disruption. 2. When the server has MPTCP enabled but the client sends a TCP SYN without MPTCP, subflow_syn_recv_sock() performs a fallback on the subflow, replacing the subflow sk's sk_prot with the native sk_prot. ''' subflow_ulp_fallback() subflow_drop_ctx() mptcp_subflow_ops_undo_override() ''' Subsequently, accept::mptcp_stream_accept::mptcp_fallback_tcp_ops() converts the subflow to plain TCP. For the first case, we should prevent it from being combined with sockmap by setting sk_prot->psock_update_sk_prot to NULL, which will be blocked by sockmap's own flow. For the second case, since subflow_syn_recv_sock() has already restored sk_prot to native tcp_prot/tcpv6_prot, no further action is needed. Fixes: cec37a6e41aa ("mptcp: Handle MP_CAPABLE options for outgoing connections") Signed-off-by: Jiayuan Chen <jiayuan.chen(a)linux.dev> Signed-off-by: Martin KaFai Lau <martin.lau(a)kernel.org> Reviewed-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Cc: <stable(a)vger.kernel.org> Link: https://patch.msgid.link/20251111060307.194196-2-jiayuan.chen@linux.dev diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index e8325890a322..af707ce0f624 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c @@ -2144,6 +2144,10 @@ void __init mptcp_subflow_init(void) tcp_prot_override = tcp_prot; tcp_prot_override.release_cb = tcp_release_cb_override; tcp_prot_override.diag_destroy = tcp_abort_override; +#ifdef CONFIG_BPF_SYSCALL + /* Disable sockmap processing for subflows */ + tcp_prot_override.psock_update_sk_prot = NULL; +#endif #if IS_ENABLED(CONFIG_MPTCP_IPV6) /* In struct mptcp_subflow_request_sock, we assume the TCP request sock @@ -2180,6 +2184,10 @@ void __init mptcp_subflow_init(void) tcpv6_prot_override = tcpv6_prot; tcpv6_prot_override.release_cb = tcp_release_cb_override; tcpv6_prot_override.diag_destroy = tcp_abort_override; +#ifdef CONFIG_BPF_SYSCALL + /* Disable sockmap processing for subflows */ + tcpv6_prot_override.psock_update_sk_prot = NULL; +#endif #endif mptcp_diag_subflow_init(&subflow_ulp_ops);

2 days, 15 hours

2
1
0 0

FAILED: patch "[PATCH] mptcp: Fix proto fallback detection with BPF" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x c77b3b79a92e3345aa1ee296180d1af4e7031f8f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112449-untaxed-cola-39b4@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c77b3b79a92e3345aa1ee296180d1af4e7031f8f Mon Sep 17 00:00:00 2001 From: Jiayuan Chen <jiayuan.chen(a)linux.dev> Date: Tue, 11 Nov 2025 14:02:51 +0800 Subject: [PATCH] mptcp: Fix proto fallback detection with BPF The sockmap feature allows bpf syscall from userspace, or based on bpf sockops, replacing the sk_prot of sockets during protocol stack processing with sockmap's custom read/write interfaces. ''' tcp_rcv_state_process() syn_recv_sock()/subflow_syn_recv_sock() tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB) bpf_skops_established <== sockops bpf_sock_map_update(sk) <== call bpf helper tcp_bpf_update_proto() <== update sk_prot ''' When the server has MPTCP enabled but the client sends a TCP SYN without MPTCP, subflow_syn_recv_sock() performs a fallback on the subflow, replacing the subflow sk's sk_prot with the native sk_prot. ''' subflow_syn_recv_sock() subflow_ulp_fallback() subflow_drop_ctx() mptcp_subflow_ops_undo_override() ''' Then, this subflow can be normally used by sockmap, which replaces the native sk_prot with sockmap's custom sk_prot. The issue occurs when the user executes accept::mptcp_stream_accept::mptcp_fallback_tcp_ops(). Here, it uses sk->sk_prot to compare with the native sk_prot, but this is incorrect when sockmap is used, as we may incorrectly set sk->sk_socket->ops. This fix uses the more generic sk_family for the comparison instead. Additionally, this also prevents a WARNING from occurring: result from ./scripts/decode_stacktrace.sh: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 337 at net/mptcp/protocol.c:68 mptcp_stream_accept \ (net/mptcp/protocol.c:4005) Modules linked in: ... PKRU: 55555554 Call Trace: <TASK> do_accept (net/socket.c:1989) __sys_accept4 (net/socket.c:2028 net/socket.c:2057) __x64_sys_accept (net/socket.c:2067) x64_sys_call (arch/x86/entry/syscall_64.c:41) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) RIP: 0033:0x7f87ac92b83d ---[ end trace 0000000000000000 ]--- Fixes: 0b4f33def7bb ("mptcp: fix tcp fallback crash") Signed-off-by: Jiayuan Chen <jiayuan.chen(a)linux.dev> Signed-off-by: Martin KaFai Lau <martin.lau(a)kernel.org> Reviewed-by: Jakub Sitnicki <jakub(a)cloudflare.com> Reviewed-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Cc: <stable(a)vger.kernel.org> Link: https://patch.msgid.link/20251111060307.194196-3-jiayuan.chen@linux.dev diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index 2d6b8de35c44..90b4aeca2596 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -61,11 +61,13 @@ static u64 mptcp_wnd_end(const struct mptcp_sock *msk) static const struct proto_ops *mptcp_fallback_tcp_ops(const struct sock *sk) { + unsigned short family = READ_ONCE(sk->sk_family); + #if IS_ENABLED(CONFIG_MPTCP_IPV6) - if (sk->sk_prot == &tcpv6_prot) + if (family == AF_INET6) return &inet6_stream_ops; #endif - WARN_ON_ONCE(sk->sk_prot != &tcp_prot); + WARN_ON_ONCE(family != AF_INET); return &inet_stream_ops; }

2 days, 15 hours

5
4
0 0

[PATCH v2] arm64: kernel: initialize missing kexec_buf->random field

by Yeoreum Yun

Commit bf454ec31add ("kexec_file: allow to place kexec_buf randomly") introduced the kexec_buf->random field to enable random placement of kexec_buf. However, this field was never properly initialized for kexec images that do not need to be placed randomly, leading to the following UBSAN warning: [ +0.364528] ------------[ cut here ]------------ [ +0.000019] UBSAN: invalid-load in ./include/linux/kexec.h:210:12 [ +0.000131] load of value 2 is not a valid value for type 'bool' (aka '_Bool') [ +0.000003] CPU: 4 UID: 0 PID: 927 Comm: kexec Not tainted 6.18.0-rc7+ #3 PREEMPT(full) [ +0.000002] Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015 [ +0.000000] Call trace: [ +0.000001] show_stack+0x24/0x40 (C) [ +0.000006] __dump_stack+0x28/0x48 [ +0.000002] dump_stack_lvl+0x7c/0xb0 [ +0.000002] dump_stack+0x18/0x34 [ +0.000001] ubsan_epilogue+0x10/0x50 [ +0.000002] __ubsan_handle_load_invalid_value+0xc8/0xd0 [ +0.000003] locate_mem_hole_callback+0x28c/0x2a0 [ +0.000003] kexec_locate_mem_hole+0xf4/0x2f0 [ +0.000001] kexec_add_buffer+0xa8/0x178 [ +0.000002] image_load+0xf0/0x258 [ +0.000001] __arm64_sys_kexec_file_load+0x510/0x718 [ +0.000002] invoke_syscall+0x68/0xe8 [ +0.000001] el0_svc_common+0xb0/0xf8 [ +0.000002] do_el0_svc+0x28/0x48 [ +0.000001] el0_svc+0x40/0xe8 [ +0.000002] el0t_64_sync_handler+0x84/0x140 [ +0.000002] el0t_64_sync+0x1bc/0x1c0 To address this, initialise kexec_buf->random field properly. Fixes: bf454ec31add ("kexec_file: allow to place kexec_buf randomly") Suggested-by: Breno Leitao <leitao(a)debian.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Yeoreum Yun <yeoreum.yun(a)arm.com> --- arch/arm64/kernel/kexec_image.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c index 532d72ea42ee..b70f4df15a1a 100644 --- a/arch/arm64/kernel/kexec_image.c +++ b/arch/arm64/kernel/kexec_image.c @@ -41,7 +41,7 @@ static void *image_load(struct kimage *image, struct arm64_image_header *h; u64 flags, value; bool be_image, be_kernel; - struct kexec_buf kbuf; + struct kexec_buf kbuf = {}; unsigned long text_offset, kernel_segment_number; struct kexec_segment *kernel_segment; int ret; -- LEVI:{C3F47F37-75D8-414A-A8BA-3980EC8A46D7}

2 days, 16 hours

2
1
0 0

FAILED: patch "[PATCH] mptcp: Fix proto fallback detection with BPF" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x c77b3b79a92e3345aa1ee296180d1af4e7031f8f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112454-comic-external-4ced@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c77b3b79a92e3345aa1ee296180d1af4e7031f8f Mon Sep 17 00:00:00 2001 From: Jiayuan Chen <jiayuan.chen(a)linux.dev> Date: Tue, 11 Nov 2025 14:02:51 +0800 Subject: [PATCH] mptcp: Fix proto fallback detection with BPF The sockmap feature allows bpf syscall from userspace, or based on bpf sockops, replacing the sk_prot of sockets during protocol stack processing with sockmap's custom read/write interfaces. ''' tcp_rcv_state_process() syn_recv_sock()/subflow_syn_recv_sock() tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB) bpf_skops_established <== sockops bpf_sock_map_update(sk) <== call bpf helper tcp_bpf_update_proto() <== update sk_prot ''' When the server has MPTCP enabled but the client sends a TCP SYN without MPTCP, subflow_syn_recv_sock() performs a fallback on the subflow, replacing the subflow sk's sk_prot with the native sk_prot. ''' subflow_syn_recv_sock() subflow_ulp_fallback() subflow_drop_ctx() mptcp_subflow_ops_undo_override() ''' Then, this subflow can be normally used by sockmap, which replaces the native sk_prot with sockmap's custom sk_prot. The issue occurs when the user executes accept::mptcp_stream_accept::mptcp_fallback_tcp_ops(). Here, it uses sk->sk_prot to compare with the native sk_prot, but this is incorrect when sockmap is used, as we may incorrectly set sk->sk_socket->ops. This fix uses the more generic sk_family for the comparison instead. Additionally, this also prevents a WARNING from occurring: result from ./scripts/decode_stacktrace.sh: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 337 at net/mptcp/protocol.c:68 mptcp_stream_accept \ (net/mptcp/protocol.c:4005) Modules linked in: ... PKRU: 55555554 Call Trace: <TASK> do_accept (net/socket.c:1989) __sys_accept4 (net/socket.c:2028 net/socket.c:2057) __x64_sys_accept (net/socket.c:2067) x64_sys_call (arch/x86/entry/syscall_64.c:41) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) RIP: 0033:0x7f87ac92b83d ---[ end trace 0000000000000000 ]--- Fixes: 0b4f33def7bb ("mptcp: fix tcp fallback crash") Signed-off-by: Jiayuan Chen <jiayuan.chen(a)linux.dev> Signed-off-by: Martin KaFai Lau <martin.lau(a)kernel.org> Reviewed-by: Jakub Sitnicki <jakub(a)cloudflare.com> Reviewed-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Cc: <stable(a)vger.kernel.org> Link: https://patch.msgid.link/20251111060307.194196-3-jiayuan.chen@linux.dev diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index 2d6b8de35c44..90b4aeca2596 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -61,11 +61,13 @@ static u64 mptcp_wnd_end(const struct mptcp_sock *msk) static const struct proto_ops *mptcp_fallback_tcp_ops(const struct sock *sk) { + unsigned short family = READ_ONCE(sk->sk_family); + #if IS_ENABLED(CONFIG_MPTCP_IPV6) - if (sk->sk_prot == &tcpv6_prot) + if (family == AF_INET6) return &inet6_stream_ops; #endif - WARN_ON_ONCE(sk->sk_prot != &tcp_prot); + WARN_ON_ONCE(family != AF_INET); return &inet_stream_ops; }

2 days, 16 hours

3
2
0 0

FAILED: patch "[PATCH] mptcp: Fix proto fallback detection with BPF" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x c77b3b79a92e3345aa1ee296180d1af4e7031f8f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112444-entangled-winking-ac86@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c77b3b79a92e3345aa1ee296180d1af4e7031f8f Mon Sep 17 00:00:00 2001 From: Jiayuan Chen <jiayuan.chen(a)linux.dev> Date: Tue, 11 Nov 2025 14:02:51 +0800 Subject: [PATCH] mptcp: Fix proto fallback detection with BPF The sockmap feature allows bpf syscall from userspace, or based on bpf sockops, replacing the sk_prot of sockets during protocol stack processing with sockmap's custom read/write interfaces. ''' tcp_rcv_state_process() syn_recv_sock()/subflow_syn_recv_sock() tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB) bpf_skops_established <== sockops bpf_sock_map_update(sk) <== call bpf helper tcp_bpf_update_proto() <== update sk_prot ''' When the server has MPTCP enabled but the client sends a TCP SYN without MPTCP, subflow_syn_recv_sock() performs a fallback on the subflow, replacing the subflow sk's sk_prot with the native sk_prot. ''' subflow_syn_recv_sock() subflow_ulp_fallback() subflow_drop_ctx() mptcp_subflow_ops_undo_override() ''' Then, this subflow can be normally used by sockmap, which replaces the native sk_prot with sockmap's custom sk_prot. The issue occurs when the user executes accept::mptcp_stream_accept::mptcp_fallback_tcp_ops(). Here, it uses sk->sk_prot to compare with the native sk_prot, but this is incorrect when sockmap is used, as we may incorrectly set sk->sk_socket->ops. This fix uses the more generic sk_family for the comparison instead. Additionally, this also prevents a WARNING from occurring: result from ./scripts/decode_stacktrace.sh: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 337 at net/mptcp/protocol.c:68 mptcp_stream_accept \ (net/mptcp/protocol.c:4005) Modules linked in: ... PKRU: 55555554 Call Trace: <TASK> do_accept (net/socket.c:1989) __sys_accept4 (net/socket.c:2028 net/socket.c:2057) __x64_sys_accept (net/socket.c:2067) x64_sys_call (arch/x86/entry/syscall_64.c:41) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) RIP: 0033:0x7f87ac92b83d ---[ end trace 0000000000000000 ]--- Fixes: 0b4f33def7bb ("mptcp: fix tcp fallback crash") Signed-off-by: Jiayuan Chen <jiayuan.chen(a)linux.dev> Signed-off-by: Martin KaFai Lau <martin.lau(a)kernel.org> Reviewed-by: Jakub Sitnicki <jakub(a)cloudflare.com> Reviewed-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Cc: <stable(a)vger.kernel.org> Link: https://patch.msgid.link/20251111060307.194196-3-jiayuan.chen@linux.dev diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index 2d6b8de35c44..90b4aeca2596 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -61,11 +61,13 @@ static u64 mptcp_wnd_end(const struct mptcp_sock *msk) static const struct proto_ops *mptcp_fallback_tcp_ops(const struct sock *sk) { + unsigned short family = READ_ONCE(sk->sk_family); + #if IS_ENABLED(CONFIG_MPTCP_IPV6) - if (sk->sk_prot == &tcpv6_prot) + if (family == AF_INET6) return &inet6_stream_ops; #endif - WARN_ON_ONCE(sk->sk_prot != &tcp_prot); + WARN_ON_ONCE(family != AF_INET); return &inet_stream_ops; }

2 days, 16 hours

5
4
0 0

[BUG] Missing backport for commit b441cf3f8c4b ("xfrm: delete x->tunnel as we delete x")

by Slavin Liu

Hi, I would like to request backporting commit b441cf3f8c4b ("xfrm: delete x->tunnel as we delete x") to all LTS kernels. This patch actually fixes a use-after-free issue, but it hasn't been backported to any of the LTS versions, which are still being affected. As the patch describes, a specific trigger scenario could be: If a tunnel packet is received (e.g., in ip_local_deliver()), with the outer layer being IPComp protocol and the inner layer being fragmented packets, during outer packet processing, it will go through xfrm_input() to hold a reference to the IPComp xfrm_state. Then, it is re-injected into the network stack via gro_cells_receive() and placed in the reassembly queue. When exiting the netns and calling cleanup_net(), although ipv4_frags_exit_net() is called before xfrm_net_exit(), due to asynchronous scheduling, fqdir_free_work() may execute after xfrm_state_fini(). In xfrm_state_fini(), xfrm_state_flush() puts and deletes the xfrm_state for IPPROTO_COMP, but does not delete the xfrm_state for IPPROTO_IPIP. Meanwhile, the skb in the reassembly queue holds the last reference to the IPPROTO_COMP xfrm_state, so it isn't destroyed yet. Only when the skb in the reassembly queue is destroyed does the IPPROTO_COMP xfrm_state get fully destroyed, which calls ipcomp_destroy() to delete the IPPROTO_IPIP xfrm_state. However, by this time, the hash tables (net->xfrm.state_byxxx) have already been kfreed in xfrm_state_fini(), leading to a use-after-free during the deletion. The bug has existed since kernel v2.6.29, so the patch should be backported to all LTS kernels. thanks, Slavin Liu

2 days, 16 hours

2
2
0 0

Linux 6.17.10

by Greg Kroah-Hartman

I'm announcing the release of the 6.17.10 kernel. All users of the 6.17 kernel series must upgrade. The updated 6.17.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.17.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/pinctrl/toshiba,visconti-pinctrl.yaml | 26 +- Documentation/wmi/driver-development-guide.rst | 1 Makefile | 2 arch/arm64/boot/dts/rockchip/rk3399-op1.dtsi | 2 arch/arm64/boot/dts/rockchip/rk3566-pinetab2.dtsi | 2 arch/arm64/boot/dts/rockchip/rk3576.dtsi | 12 arch/arm64/boot/dts/rockchip/rk3588-tiger.dtsi | 4 arch/arm64/boot/dts/rockchip/rk3588s-orangepi-5.dts | 4 arch/arm64/kvm/hyp/nvhe/ffa.c | 9 arch/loongarch/include/uapi/asm/ptrace.h | 40 +-- arch/loongarch/kernel/numa.c | 60 +--- arch/loongarch/net/bpf_jit.c | 3 arch/loongarch/pci/pci.c | 8 arch/mips/boot/dts/econet/en751221.dtsi | 2 arch/mips/kernel/process.c | 2 arch/mips/mti-malta/malta-init.c | 20 + arch/s390/include/asm/pgtable.h | 12 arch/s390/mm/pgtable.c | 4 arch/x86/events/intel/uncore.c | 1 arch/x86/kernel/cpu/amd.c | 2 arch/x86/kernel/cpu/microcode/amd.c | 20 + arch/x86/kvm/svm/svm.c | 9 arch/x86/kvm/svm/svm.h | 1 block/blk-crypto.c | 2 drivers/acpi/apei/einj-core.c | 64 +++-- drivers/ata/libata-scsi.c | 11 drivers/base/power/main.c | 25 +- drivers/bcma/main.c | 6 drivers/clk/sunxi-ng/ccu-sun55i-a523-r.c | 4 drivers/clk/sunxi-ng/ccu-sun55i-a523.c | 2 drivers/gpio/gpiolib-cdev.c | 9 drivers/gpio/gpiolib-swnode.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 3 drivers/gpu/drm/amd/amdgpu/amdgpu_jpeg.c | 65 +++++ drivers/gpu/drm/amd/amdgpu/amdgpu_jpeg.h | 10 drivers/gpu/drm/amd/amdgpu/aqua_vanjaram.c | 3 drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 4 drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c | 4 drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c | 58 ---- drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.h | 6 drivers/gpu/drm/amd/amdgpu/jpeg_v2_5.c | 4 drivers/gpu/drm/amd/amdgpu/jpeg_v3_0.c | 2 drivers/gpu/drm/amd/amdgpu/jpeg_v4_0.c | 2 drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c | 2 drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_5.c | 2 drivers/gpu/drm/amd/amdgpu/jpeg_v5_0_0.c | 2 drivers/gpu/drm/amd/amdgpu/jpeg_v5_0_1.c | 1 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 59 +--- drivers/gpu/drm/amd/display/dc/clk_mgr/dcn35/dcn35_clk_mgr.c | 4 drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c | 26 +- drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 8 drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_capability.c | 11 drivers/gpu/drm/drm_plane.c | 4 drivers/gpu/drm/i915/display/intel_cx0_phy.c | 14 - drivers/gpu/drm/i915/display/intel_display_device.c | 13 + drivers/gpu/drm/i915/display/intel_display_device.h | 4 drivers/gpu/drm/i915/display/intel_dmc.c | 10 drivers/gpu/drm/i915/display/intel_dp.c | 30 -- drivers/gpu/drm/i915/display/intel_psr.c | 36 ++ drivers/gpu/drm/i915/display/intel_quirks.c | 9 drivers/gpu/drm/i915/display/intel_quirks.h | 1 drivers/gpu/drm/msm/msm_iommu.c | 5 drivers/gpu/drm/nouveau/nvkm/falcon/fw.c | 2 drivers/gpu/drm/radeon/radeon_fence.c | 7 drivers/gpu/drm/tegra/dc.c | 1 drivers/gpu/drm/tegra/dsi.c | 9 drivers/gpu/drm/tegra/uapi.c | 7 drivers/gpu/drm/xe/tests/xe_mocs.c | 2 drivers/gpu/drm/xe/xe_irq.c | 18 - drivers/gpu/drm/xe/xe_pci.c | 1 drivers/gpu/drm/xe/xe_vm.c | 4 drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c | 2 drivers/hid/hid-ids.h | 4 drivers/hid/hid-quirks.c | 13 - drivers/input/keyboard/cros_ec_keyb.c | 6 drivers/input/keyboard/imx_sc_key.c | 2 drivers/input/tablet/pegasus_notetaker.c | 9 drivers/input/touchscreen/goodix.c | 1 drivers/mtd/mtdchar.c | 6 drivers/mtd/nand/raw/cadence-nand-controller.c | 3 drivers/net/dsa/hirschmann/hellcreek_ptp.c | 14 - drivers/net/dsa/microchip/lan937x_main.c | 1 drivers/net/ethernet/airoha/airoha_eth.h | 11 drivers/net/ethernet/airoha/airoha_ppe.c | 103 ++++++-- drivers/net/ethernet/emulex/benet/be_main.c | 7 drivers/net/ethernet/intel/ice/ice_ptp.c | 22 + drivers/net/ethernet/intel/idpf/idpf_main.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c | 9 drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c | 6 drivers/net/ethernet/mellanox/mlxsw/core_linecards.c | 2 drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c | 6 drivers/net/ethernet/qlogic/qede/qede_fp.c | 5 drivers/net/ethernet/ti/netcp_core.c | 10 drivers/net/phy/phylink.c | 3 drivers/net/veth.c | 38 +-- drivers/net/wireless/realtek/rtw89/fw.c | 7 drivers/nvme/host/fc.c | 15 - drivers/nvme/host/multipath.c | 2 drivers/nvme/target/auth.c | 4 drivers/nvme/target/fabrics-cmd-auth.c | 1 drivers/nvme/target/nvmet.h | 1 drivers/perf/riscv_pmu_sbi.c | 2 drivers/pinctrl/cirrus/pinctrl-cs42l43.c | 23 + drivers/pinctrl/mediatek/pinctrl-mt8189.c | 4 drivers/pinctrl/mediatek/pinctrl-mt8196.c | 6 drivers/pinctrl/nxp/pinctrl-s32cc.c | 3 drivers/pinctrl/realtek/Kconfig | 1 drivers/platform/x86/Kconfig | 1 drivers/platform/x86/dell/alienware-wmi-wmax.c | 104 ++------ drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c | 4 drivers/platform/x86/intel/uncore-frequency/uncore-frequency-common.h | 9 drivers/platform/x86/msi-wmi-platform.c | 43 +++ drivers/reset/reset-imx8mp-audiomix.c | 4 drivers/s390/net/ctcm_mpc.c | 1 drivers/scsi/hosts.c | 5 drivers/scsi/sg.c | 10 drivers/soc/ti/knav_dma.c | 14 - drivers/target/loopback/tcm_loop.c | 3 drivers/tty/vt/vt_ioctl.c | 4 drivers/ufs/host/ufs-qcom.c | 15 + fs/btrfs/inode.c | 1 fs/btrfs/tree-log.c | 3 fs/exfat/super.c | 5 fs/fat/inode.c | 6 fs/isofs/inode.c | 5 fs/namespace.c | 4 fs/smb/client/cached_dir.c | 43 +++ fs/smb/client/cifsfs.c | 2 fs/smb/client/cifsproto.h | 2 fs/smb/client/connect.c | 38 +-- fs/smb/client/dfs_cache.c | 55 +++- fs/smb/client/fs_context.c | 4 fs/xfs/scrub/symlink_repair.c | 4 fs/xfs/xfs_super.c | 5 include/drm/intel/pciids.h | 5 include/linux/ata.h | 1 include/net/tls.h | 25 +- include/net/xfrm.h | 3 io_uring/cmd_net.c | 2 kernel/events/core.c | 2 kernel/sched/ext.c | 121 +++++++++- kernel/sched/sched.h | 1 kernel/time/tick-sched.c | 11 kernel/time/timekeeping.c | 21 - kernel/time/timer.c | 7 lib/test_kho.c | 3 mm/mempool.c | 32 ++ mm/shmem.c | 15 - mm/truncate.c | 35 ++ net/core/dev_ioctl.c | 3 net/devlink/rate.c | 4 net/ipv4/esp4_offload.c | 6 net/ipv6/esp6_offload.c | 6 net/mptcp/options.c | 54 ++++ net/mptcp/pm.c | 20 + net/mptcp/pm_kernel.c | 2 net/mptcp/protocol.c | 84 ++++-- net/mptcp/protocol.h | 3 net/mptcp/subflow.c | 8 net/openvswitch/actions.c | 68 ----- net/openvswitch/flow_netlink.c | 64 ----- net/openvswitch/flow_netlink.h | 2 net/tls/tls_device.c | 4 net/unix/af_unix.c | 3 net/vmw_vsock/af_vsock.c | 40 ++- net/xfrm/xfrm_device.c | 2 net/xfrm/xfrm_output.c | 8 net/xfrm/xfrm_state.c | 16 - net/xfrm/xfrm_user.c | 5 scripts/kconfig/mconf.c | 3 scripts/kconfig/nconf.c | 3 security/selinux/hooks.c | 79 +++--- security/selinux/include/objsec.h | 20 + sound/hda/codecs/realtek/alc269.c | 2 sound/soc/codecs/rt721-sdca.c | 4 sound/soc/codecs/rt721-sdca.h | 1 sound/usb/mixer.c | 2 tools/arch/riscv/include/asm/csr.h | 5 tools/testing/selftests/cachestat/test_cachestat.c | 4 tools/testing/selftests/net/bareudp.sh | 2 tools/testing/selftests/net/forwarding/lib_sh_test.sh | 7 tools/testing/selftests/net/lib.sh | 2 tools/testing/selftests/net/mptcp/mptcp_join.sh | 18 - tools/tracing/latency/latency-collector.c | 2 184 files changed, 1493 insertions(+), 919 deletions(-) Aleksander Jan Bajkowski (1): mips: dts: econet: fix EN751221 core type Aleksei Nikiforov (1): s390/ctcm: Fix double-kfree Alexey Charkov (1): arm64: dts: rockchip: Remove non-functioning CPU OPPs from RK3576 Alistair Francis (1): nvmet-auth: update sc_c in target host hash calculation Andrea Righi (1): sched_ext: Fix scx_kick_pseqs corruption on concurrent scheduler loads Andrey Vatoropin (1): be2net: pass wrb_params in case of OS2BMC Ankit Nautiyal (2): Revert "drm/i915/dp: Reject HBR3 when sink doesn't support TPS4" drm/i915/dp: Add device specific quirk to limit eDP rate to HBR2 Anthony Wong (1): platform/x86: alienware-wmi-wmax: Add AWCC support to Alienware 16 Aurora Armin Wolf (2): platform/x86: msi-wmi-platform: Only load on MSI devices platform/x86: msi-wmi-platform: Fix typo in WMI GUID Bart Van Assche (2): scsi: sg: Do not sleep in atomic context scsi: core: Fix a regression triggered by scsi_host_busy() Bartosz Golaszewski (1): gpio: cdev: make sure the cdev fd is still active before emitting events Bibo Mao (1): LoongArch: Fix NUMA node parsing with numa_memblks Bitterblue Smith (1): wifi: rtw89: hw_scan: Don't let the operating channel be last Borislav Petkov (AMD) (2): x86/microcode/AMD: Limit Entrysign signature checking to known generations x86/CPU/AMD: Extend Zen6 model range Carlos Llamas (1): blk-crypto: use BLK_STS_INVAL for alignment errors Charlene Liu (1): drm/amd/display: Insert dccg log for easy debug Charles Keepax (1): Revert "gpio: swnode: don't use the swnode's name as the key for GPIO lookup" Chen Pei (1): tools: riscv: Fixed misalignment of CSR related definitions Chen-Yu Tsai (2): clk: sunxi-ng: sun55i-a523-r-ccu: Mark bus-r-dma as critical clk: sunxi-ng: sun55i-a523-ccu: Lower audio0 pll minimum rate Dan Carpenter (2): mtdchar: fix integer overflow in read/write ioctls Input: imx_sc_key - fix memory corruption on unload Dapeng Mi (1): perf: Fix 0 count issue of cpu-clock Darrick J. Wong (1): xfs: fix out of bounds memory read error in symlink repair Diederik de Haas (1): arm64: dts: rockchip: Fix vccio4-supply on rk3566-pinetab2 Diogo Ivo (1): Revert "drm/tegra: dsi: Clear enable register if powered by bootloader" Dnyaneshwar Bhadane (4): drm/i915/xe3lpd: Load DMC for Xe3_LPD version 30.02 drm/pcids: Split PTL pciids group to make wcl subplatform drm/i915/display: Add definition for wcl as subplatform drm/i915/xe3: Restrict PTL intel_encoder_is_c10phy() to only PHY A Emil Tantilov (1): idpf: fix possible vport_config NULL pointer deref in remove Emil Tsalapatis (2): sched_ext: defer queue_balance_callback() until after ops.dispatch sched_ext: fix flag check for deferred callbacks Eren Demir (1): ALSA: hda/realtek: Fix mute led for HP Victus 15-fa1xxx (MB 8C2D) Eric Dumazet (2): mptcp: fix race condition in mptcp_schedule_work() mptcp: fix a race in mptcp_pm_del_add_timer() Ewan D. Milne (2): nvme: nvme-fc: move tagset removal to nvme_fc_delete_ctrl() nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl() Fangzhi Zuo (2): drm/amd/display: Fix pbn to kbps Conversion drm/amd/display: Prevent Gating DTBCLK before It Is Properly Latched Filipe Manana (1): btrfs: set inode flag BTRFS_INODE_COPY_EVERYTHING when logging new name Gang Yan (1): mptcp: fix address removal logic in mptcp_pm_nl_rm_addr Greg Kroah-Hartman (1): Linux 6.17.10 Grzegorz Nitka (1): ice: fix PTP cleanup on driver removal in error path Hamza Mahfooz (1): scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show() Hans de Goede (1): Input: goodix - add support for ACPI ID GDIX1003 Haotian Zhang (2): pinctrl: cirrus: Fix fwnode leak in cs42l43_pin_probe() platform/x86/intel/speed_select_if: Convert PCIBIOS_* return codes to errnos Heiko Carstens (1): s390/mm: Fix __ptep_rdp() inline assembly Henrique Carvalho (2): smb: client: introduce close_cached_dir_locked() smb: client: fix incomplete backport in cfids_invalidation_worker() Huacai Chen (1): LoongArch: Don't panic if no valid cache info for PCI Ido Schimmel (1): selftests: net: lib: Do not overwrite error messages Ilya Maximets (1): net: openvswitch: remove never-working support for setting nsh fields Imre Deak (1): drm/i915/dp_mst: Disable Panel Replay Ivan Lipski (1): drm/amd/display: Clear the CUR_ENABLE register on DCN20 on DPP5 J-Donald Tournier (1): ALSA: hda/realtek: Add quirk for Lenovo Yoga 7 2-in-1 14AKP10 Jakub Horký (2): kconfig/mconf: Initialize the default locale at startup kconfig/nconf: Initialize the default locale at startup Jared Kangas (2): pinctrl: s32cc: fix uninitialized memory in s32_pinctrl_desc pinctrl: s32cc: initialize gpio_pin_config::list after kmalloc() Jari Ruusu (1): tty/vt: fix up incorrect backport to stable releases Jens Axboe (1): io_uring/cmd_net: fix wrong argument types for skb_queue_splice() Jernej Skrabec (1): clk: sunxi-ng: Mark A523 bus-r-cpucfg clock as critical Jesper Dangaard Brouer (1): veth: more robust handing of race to avoid txq getting stuck Jiaming Zhang (1): net: core: prevent NULL deref in generic_hwtstamp_ioctl_lower() Jianbo Liu (3): xfrm: Check inner packet family directly from skb_dst xfrm: Determine inner GSO type from packet inner protocol xfrm: Prevent locally generated packets from direct output in tunnel mode Jiayuan Chen (2): mptcp: Disallow MPTCP subflows from sockmap mptcp: Fix proto fallback detection with BPF Jouni Högander (1): drm/i915/psr: Check drm_dp_dpcd_read return value on PSR dpcd init Kiryl Shutsemau (1): mm/truncate: unmap large folio on split failure Krzysztof Kozlowski (1): dt-bindings: pinctrl: toshiba,visconti: Fix number of items in groups Kuniyuki Iwashima (1): af_unix: Read sk_peek_offset() again after sleeping in unix_stream_read_generic(). Kurt Borja (4): platform/x86: alienware-wmi-wmax: Fix "Alienware m16 R1 AMD" quirk order platform/x86: alienware-wmi-wmax: Add support for the whole "M" family platform/x86: alienware-wmi-wmax: Add support for the whole "X" family platform/x86: alienware-wmi-wmax: Add support for the whole "G" family Laurentiu Mihalcea (1): reset: imx8mp-audiomix: Fix bad mask values Lorenzo Bianconi (2): net: airoha: Add wlan flowtable TX offload net: airoha: Do not loopback traffic to GDM2 if it is available on the device Louis-Alexis Eyraud (2): pinctrl: mediatek: mt8196: align register base names to dt-bindings ones pinctrl: mediatek: mt8189: align register base names to dt-bindings ones Ma Ke (1): drm/tegra: dc: Fix reference leak in tegra_dc_couple() Maciej W. Rozycki (1): MIPS: Malta: Fix !EVA SOC-it PCI MMIO Malaya Kumar Rout (1): timekeeping: Fix resource leak in tk_aux_sysfs_init() error paths Marcelo Moreira (1): xfs: Replace strncpy with memcpy Mario Limonciello (1): drm/amd: Skip power ungate during suspend for VPE Mario Limonciello (AMD) (3): HID: amd_sfh: Stop sensor before starting drm/amd/display: Increase DPCD read retries drm/amd/display: Move sleep into each retry for retrieve_link_cap() Matt Roper (1): drm/xe/kunit: Fix forcewake assertion in mocs test Matthieu Baerts (NGI0) (2): selftests: mptcp: join: endpoints: longer timeout selftests: mptcp: join: userspace: longer timeout Michal Luczaj (1): vsock: Ignore signal/timeout on connect() if already established Mike Yuan (1): shmem: fix tmpfs reconfiguration (remount) when noswap is set Mykola Kvach (1): arm64: dts: rockchip: fix PCIe 3.3V regulator voltage on orangepi-5 Nam Cao (1): nouveau/firmware: Add missing kfree() of nvkm_falcon_fw::boot Niklas Cassel (1): ata: libata-scsi: Fix system suspend for a security locked drive Niravkumar L Rabara (1): mtd: rawnand: cadence: fix DMA device NULL pointer dereference Nishanth Menon (1): net: ethernet: ti: netcp: Standardize knav_dma_open_channel to return NULL on error Nitin Rawat (1): scsi: ufs: ufs-qcom: Fix UFS OCP issue during UFS power down (PC=3) Oleksij Rempel (1): net: dsa: microchip: lan937x: Fix RGMII delay tuning Paolo Abeni (6): mptcp: fix ack generation for fallback msk mptcp: fix duplicate reset on fastclose mptcp: fix premature close in case of fallback mptcp: avoid unneeded subflow-level drops mptcp: decouple mptcp fastclose from tcp close mptcp: do not fallback when OoO is present Pasha Tatashin (1): lib/test_kho: check if KHO is enabled Paulo Alcantara (1): smb: client: handle lack of IPC in dfs_cache_refresh() Pavel Zhigulin (3): net: dsa: hellcreek: fix missing error handling in LED registration net: mlxsw: linecards: fix missing error check in mlxsw_linecard_devlink_info_get() net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end() Po-Hsu Lin (1): selftests: net: use BASH for bareudp testing Pradyumn Rahar (1): net/mlx5: Clean up only new IRQ glue on request_irq() failure Prateek Agarwal (1): drm/tegra: Add call to put_pid() Quentin Schulz (2): arm64: dts: rockchip: include rk3399-base instead of rk3399 in rk3399-op1 arm64: dts: rockchip: disable HS400 on RK3588 Tiger Rafael J. Wysocki (1): PM: sleep: core: Fix runtime PM enabling in device_resume_early() Rafał Miłecki (1): bcma: don't register devices disabled in OF Randy Dunlap (1): platform/x86: intel-uncore-freq: fix all header kernel-doc warnings René Rebe (1): ALSA: usb-audio: fix uac2 clock source at terminal parser Rob Clark (1): drm/msm: Fix pgtable prealloc error path Robert McClinton (1): drm/radeon: delete radeon_fence_process in is_signaled, no deadlock Sabrina Dubroca (4): xfrm: drop SA reference in xfrm_state_update if dir doesn't match xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added xfrm: call xfrm_dev_state_delete when xfrm_state_migrate fails to add the state xfrm: set err and extack on failure to create pcpu SA Saket Kumar Bhaskar (1): sched_ext: Fix scx_enable() crash on helper kthread creation failure Samuel Zhang (1): drm/amdgpu: fix gpu page fault after hibernation on PF passthrough Sathishkumar S (2): drm/amdgpu/jpeg: Move parse_cs to amdgpu_jpeg.c drm/amdgpu/jpeg: Add parse_cs for JPEG5_0_1 Sebastian Ene (1): KVM: arm64: Check the untrusted offset in FF-A memory share Seungjin Bae (1): Input: pegasus-notetaker - fix potential out-of-bounds access Shahar Shitrit (2): net: tls: Change async resync helpers argument net: tls: Cancel RX async resync request on rcd_delta overflow Shaurya Rane (1): cifs: fix memory leak in smb3_fs_context_parse_param error path Shay Drory (1): devlink: rate: Unset parent pointer in devl_rate_nodes_destroy Shin'ichiro Kawasaki (1): nvme-multipath: fix lockdep WARN due to partition scan work Shuicheng Lin (1): drm/xe: Prevent BIT() overflow when handling invalid prefetch region Shuming Fan (1): ASoC: rt721: fix prepare clock stop failed Sidharth Seela (1): selftests: cachestat: Fix warning on declaration under label Stephen Smalley (2): selinux: rename task_security_struct to cred_security_struct selinux: move avdcache to per-task security struct Steve French (1): cifs: fix typo in enable_gcm_256 module parameter Tejun Heo (1): sched_ext: Allocate scx_kick_cpus_pnt_seqs lazily using kvzalloc() Thomas Bogendoerfer (1): MIPS: kernel: Fix random segmentation faults Thomas Weißschuh (1): LoongArch: Use UAPI types in ptrace UAPI header Tony Luck (1): ACPI: APEI: EINJ: Fix EINJV2 initialization and injection Tzung-Bi Shih (1): Input: cros_ec_keyb - fix an invalid memory access Venkata Ramana Nayana (1): drm/xe/irq: Handle msix vector0 interrupt Ville Syrjälä (1): drm/plane: Fix create_in_format_blob() return value Vincent Li (1): LoongArch: BPF: Disable trampoline for kernel module function trace Vlastimil Babka (1): mm/mempool: fix poisoning order>0 pages with HIGHMEM Wei Fang (1): net: phylink: add missing supported link modes for the fixed-link Wen Yang (1): tick/sched: Fix bogus condition in report_idle_softirq() Yifan Zha (1): drm/amdgpu: Skip emit de meta data on gfx11 with rs64 enabled Yihang Li (1): ata: libata-scsi: Add missing scsi_device_put() in ata_scsi_dev_rescan() Yipeng Zou (1): timers: Fix NULL function pointer race in timer_shutdown_sync() Yongpeng Yang (4): vfat: fix missing sb_min_blocksize() return value checks xfs: check the return value of sb_min_blocksize() in xfs_fs_fill_super isofs: check the return value of sb_min_blocksize() in isofs_fill_super exfat: check return value of sb_min_blocksize in exfat_read_boot_sector Yosry Ahmed (1): KVM: SVM: Fix redundant updates of LBR MSR intercepts Yu-Chun Lin (1): pinctrl: realtek: Select REGMAP_MMIO for RTD driver Zhang Chujun (1): tracing/tools: Fix incorrcet short option in usage text for --threads Zhang Heng (1): HID: quirks: work around VID/PID conflict for 0x4c4a/0x4155 Zhen Ni (1): fs: Fix uninitialized 'offp' in statmount_string() Zilin Guan (1): mlxsw: spectrum: Fix memory leak in mlxsw_sp_flower_stats() dongsheng (1): perf/x86/intel/uncore: Add uncore PMU support for Wildcat Lake

2 days, 16 hours

1
1
0 0

Linux 6.12.60

by Greg Kroah-Hartman

I'm announcing the release of the 6.12.60 kernel. All users of the 6.12 kernel series must upgrade. The updated 6.12.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.12.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/pinctrl/toshiba,visconti-pinctrl.yaml | 26 +-- Documentation/wmi/driver-development-guide.rst | 1 Makefile | 2 arch/arm64/boot/dts/rockchip/rk3399-op1.dtsi | 2 arch/arm64/boot/dts/rockchip/rk3566-pinetab2.dtsi | 2 arch/arm64/boot/dts/rockchip/rk3588-tiger.dtsi | 4 arch/arm64/boot/dts/rockchip/rk3588s-orangepi-5.dts | 4 arch/arm64/kvm/hyp/nvhe/ffa.c | 9 - arch/arm64/kvm/sys_regs.c | 61 +++---- arch/loongarch/include/uapi/asm/ptrace.h | 40 ++-- arch/loongarch/pci/pci.c | 8 arch/mips/mti-malta/malta-init.c | 20 +- arch/s390/include/asm/pgtable.h | 12 - arch/s390/mm/pgtable.c | 4 arch/x86/kernel/cpu/microcode/amd.c | 20 ++ block/blk-crypto.c | 2 drivers/ata/libata-scsi.c | 11 + drivers/bcma/main.c | 6 drivers/gpio/gpiolib-swnode.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 3 drivers/gpu/drm/amd/amdgpu/aqua_vanjaram.c | 3 drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 4 drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c | 4 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 59 ++----- drivers/gpu/drm/amd/display/dc/clk_mgr/dcn35/dcn35_clk_mgr.c | 20 +- drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c | 60 +++++-- drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 8 drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c | 21 +- drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_capability.c | 11 - drivers/gpu/drm/i915/display/intel_psr.c | 4 drivers/gpu/drm/nouveau/nvkm/falcon/fw.c | 2 drivers/gpu/drm/radeon/radeon_fence.c | 7 drivers/gpu/drm/tegra/dc.c | 1 drivers/gpu/drm/tegra/dsi.c | 9 - drivers/gpu/drm/tegra/uapi.c | 7 drivers/gpu/drm/xe/xe_vm.c | 4 drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c | 2 drivers/hid/hid-ids.h | 4 drivers/hid/hid-quirks.c | 13 + drivers/infiniband/hw/irdma/Kconfig | 7 drivers/input/keyboard/cros_ec_keyb.c | 6 drivers/input/keyboard/imx_sc_key.c | 2 drivers/input/tablet/pegasus_notetaker.c | 9 + drivers/input/touchscreen/goodix.c | 1 drivers/mtd/mtdchar.c | 6 drivers/mtd/nand/raw/cadence-nand-controller.c | 3 drivers/net/dsa/hirschmann/hellcreek_ptp.c | 14 + drivers/net/dsa/microchip/lan937x_main.c | 1 drivers/net/ethernet/emulex/benet/be_main.c | 7 drivers/net/ethernet/intel/ice/ice_ptp.c | 22 ++ drivers/net/ethernet/intel/idpf/idpf_main.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c | 9 - drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c | 6 drivers/net/ethernet/mellanox/mlxsw/core_linecards.c | 2 drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c | 6 drivers/net/ethernet/qlogic/qede/qede_fp.c | 5 drivers/net/ethernet/ti/netcp_core.c | 10 - drivers/nvme/host/fc.c | 15 - drivers/nvme/host/multipath.c | 2 drivers/perf/riscv_pmu_sbi.c | 2 drivers/pinctrl/cirrus/pinctrl-cs42l43.c | 23 ++ drivers/pinctrl/nxp/pinctrl-s32cc.c | 3 drivers/pinctrl/realtek/Kconfig | 1 drivers/platform/x86/Kconfig | 1 drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c | 4 drivers/platform/x86/msi-wmi-platform.c | 43 ++++- drivers/s390/net/ctcm_mpc.c | 1 drivers/scsi/hosts.c | 5 drivers/scsi/sg.c | 10 + drivers/soc/ti/knav_dma.c | 14 - drivers/target/loopback/tcm_loop.c | 3 drivers/tty/vt/vt_ioctl.c | 4 fs/exfat/super.c | 5 fs/isofs/inode.c | 5 fs/smb/client/cached_dir.c | 43 ++++- fs/smb/client/cifsfs.c | 2 fs/smb/client/fs_context.c | 4 fs/xfs/scrub/symlink_repair.c | 4 include/linux/ata.h | 1 include/net/tls.h | 25 +- include/net/xfrm.h | 3 kernel/time/timer.c | 7 lib/maple_tree.c | 30 +-- mm/mempool.c | 32 +++ mm/shmem.c | 15 - net/devlink/rate.c | 4 net/ipv4/esp4_offload.c | 6 net/ipv6/esp6_offload.c | 6 net/mptcp/options.c | 54 ++++++ net/mptcp/pm_netlink.c | 20 +- net/mptcp/protocol.c | 84 ++++++---- net/mptcp/protocol.h | 3 net/mptcp/subflow.c | 8 net/openvswitch/actions.c | 68 -------- net/openvswitch/flow_netlink.c | 64 ------- net/openvswitch/flow_netlink.h | 2 net/tls/tls_device.c | 4 net/unix/af_unix.c | 36 ++-- net/vmw_vsock/af_vsock.c | 40 +++- net/xfrm/xfrm_output.c | 6 net/xfrm/xfrm_state.c | 8 net/xfrm/xfrm_user.c | 5 scripts/kconfig/mconf.c | 3 scripts/kconfig/nconf.c | 3 sound/usb/endpoint.c | 3 sound/usb/mixer.c | 2 tools/arch/riscv/include/asm/csr.h | 5 tools/testing/selftests/net/bareudp.sh | 2 tools/testing/selftests/net/forwarding/lib_sh_test.sh | 7 tools/testing/selftests/net/lib.sh | 2 tools/testing/selftests/net/mptcp/mptcp_join.sh | 18 +- tools/tracing/latency/latency-collector.c | 2 112 files changed, 850 insertions(+), 522 deletions(-) Aleksei Nikiforov (1): s390/ctcm: Fix double-kfree Andrey Vatoropin (1): be2net: pass wrb_params in case of OS2BMC Armin Wolf (2): platform/x86: msi-wmi-platform: Only load on MSI devices platform/x86: msi-wmi-platform: Fix typo in WMI GUID Bart Van Assche (2): scsi: sg: Do not sleep in atomic context scsi: core: Fix a regression triggered by scsi_host_busy() Borislav Petkov (AMD) (1): x86/microcode/AMD: Limit Entrysign signature checking to known generations Carlos Llamas (1): blk-crypto: use BLK_STS_INVAL for alignment errors Charlene Liu (3): drm/amd/display: avoid reset DTBCLK at clock init drm/amd/display: disable DPP RCG before DPP CLK enable drm/amd/display: Insert dccg log for easy debug Charles Keepax (1): Revert "gpio: swnode: don't use the swnode's name as the key for GPIO lookup" Chen Pei (1): tools: riscv: Fixed misalignment of CSR related definitions Dan Carpenter (2): mtdchar: fix integer overflow in read/write ioctls Input: imx_sc_key - fix memory corruption on unload Darrick J. Wong (1): xfs: fix out of bounds memory read error in symlink repair Diederik de Haas (1): arm64: dts: rockchip: Fix vccio4-supply on rk3566-pinetab2 Diogo Ivo (1): Revert "drm/tegra: dsi: Clear enable register if powered by bootloader" Emil Tantilov (1): idpf: fix possible vport_config NULL pointer deref in remove Eric Dumazet (2): mptcp: fix race condition in mptcp_schedule_work() mptcp: fix a race in mptcp_pm_del_add_timer() Ewan D. Milne (2): nvme: nvme-fc: move tagset removal to nvme_fc_delete_ctrl() nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl() Fangzhi Zuo (2): drm/amd/display: Fix pbn to kbps Conversion drm/amd/display: Prevent Gating DTBCLK before It Is Properly Latched Greg Kroah-Hartman (1): Linux 6.12.60 Grzegorz Nitka (1): ice: fix PTP cleanup on driver removal in error path Hamza Mahfooz (1): scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show() Hans de Goede (1): Input: goodix - add support for ACPI ID GDIX1003 Haotian Zhang (2): pinctrl: cirrus: Fix fwnode leak in cs42l43_pin_probe() platform/x86/intel/speed_select_if: Convert PCIBIOS_* return codes to errnos Heiko Carstens (1): s390/mm: Fix __ptep_rdp() inline assembly Henrique Carvalho (2): smb: client: introduce close_cached_dir_locked() smb: client: fix incomplete backport in cfids_invalidation_worker() Huacai Chen (1): LoongArch: Don't panic if no valid cache info for PCI Ido Schimmel (1): selftests: net: lib: Do not overwrite error messages Ilya Maximets (1): net: openvswitch: remove never-working support for setting nsh fields Imre Deak (1): drm/i915/dp_mst: Disable Panel Replay Ivan Lipski (1): drm/amd/display: Clear the CUR_ENABLE register on DCN20 on DPP5 Jakub Horký (2): kconfig/mconf: Initialize the default locale at startup kconfig/nconf: Initialize the default locale at startup Jared Kangas (2): pinctrl: s32cc: fix uninitialized memory in s32_pinctrl_desc pinctrl: s32cc: initialize gpio_pin_config::list after kmalloc() Jari Ruusu (1): tty/vt: fix up incorrect backport to stable releases Jianbo Liu (2): xfrm: Determine inner GSO type from packet inner protocol xfrm: Prevent locally generated packets from direct output in tunnel mode Jiayuan Chen (2): mptcp: Disallow MPTCP subflows from sockmap mptcp: Fix proto fallback detection with BPF Krzysztof Kozlowski (1): dt-bindings: pinctrl: toshiba,visconti: Fix number of items in groups Kuniyuki Iwashima (2): af_unix: Cache state->msg in unix_stream_read_generic(). af_unix: Read sk_peek_offset() again after sleeping in unix_stream_read_generic(). Ma Ke (1): drm/tegra: dc: Fix reference leak in tegra_dc_couple() Maciej W. Rozycki (1): MIPS: Malta: Fix !EVA SOC-it PCI MMIO Marc Zyngier (1): KVM: arm64: Make all 32bit ID registers fully writable Marcelo Moreira (1): xfs: Replace strncpy with memcpy Mario Limonciello (1): drm/amd: Skip power ungate during suspend for VPE Mario Limonciello (AMD) (3): HID: amd_sfh: Stop sensor before starting drm/amd/display: Increase DPCD read retries drm/amd/display: Move sleep into each retry for retrieve_link_cap() Martin Kaiser (1): maple_tree: fix tracepoint string pointers Matthieu Baerts (NGI0) (2): selftests: mptcp: join: endpoints: longer timeout selftests: mptcp: join: userspace: longer timeout Michal Luczaj (1): vsock: Ignore signal/timeout on connect() if already established Mike Yuan (1): shmem: fix tmpfs reconfiguration (remount) when noswap is set Mykola Kvach (1): arm64: dts: rockchip: fix PCIe 3.3V regulator voltage on orangepi-5 Nam Cao (1): nouveau/firmware: Add missing kfree() of nvkm_falcon_fw::boot Niklas Cassel (1): ata: libata-scsi: Fix system suspend for a security locked drive Niravkumar L Rabara (1): mtd: rawnand: cadence: fix DMA device NULL pointer dereference Nishanth Menon (1): net: ethernet: ti: netcp: Standardize knav_dma_open_channel to return NULL on error Oleksij Rempel (1): net: dsa: microchip: lan937x: Fix RGMII delay tuning Paolo Abeni (6): mptcp: fix ack generation for fallback msk mptcp: fix duplicate reset on fastclose mptcp: fix premature close in case of fallback mptcp: avoid unneeded subflow-level drops mptcp: decouple mptcp fastclose from tcp close mptcp: do not fallback when OoO is present Pavel Zhigulin (3): net: dsa: hellcreek: fix missing error handling in LED registration net: mlxsw: linecards: fix missing error check in mlxsw_linecard_devlink_info_get() net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end() Po-Hsu Lin (1): selftests: net: use BASH for bareudp testing Pradyumn Rahar (1): net/mlx5: Clean up only new IRQ glue on request_irq() failure Prateek Agarwal (1): drm/tegra: Add call to put_pid() Quentin Schulz (2): arm64: dts: rockchip: include rk3399-base instead of rk3399 in rk3399-op1 arm64: dts: rockchip: disable HS400 on RK3588 Tiger Rafał Miłecki (1): bcma: don't register devices disabled in OF René Rebe (1): ALSA: usb-audio: fix uac2 clock source at terminal parser Robert McClinton (1): drm/radeon: delete radeon_fence_process in is_signaled, no deadlock Sabrina Dubroca (2): xfrm: drop SA reference in xfrm_state_update if dir doesn't match xfrm: set err and extack on failure to create pcpu SA Samuel Zhang (1): drm/amdgpu: fix gpu page fault after hibernation on PF passthrough Sebastian Ene (1): KVM: arm64: Check the untrusted offset in FF-A memory share Seungjin Bae (1): Input: pegasus-notetaker - fix potential out-of-bounds access Shahar Shitrit (2): net: tls: Change async resync helpers argument net: tls: Cancel RX async resync request on rcd_delta overflow Shaurya Rane (1): cifs: fix memory leak in smb3_fs_context_parse_param error path Shay Drory (1): devlink: rate: Unset parent pointer in devl_rate_nodes_destroy Shin'ichiro Kawasaki (1): nvme-multipath: fix lockdep WARN due to partition scan work Shuicheng Lin (1): drm/xe: Prevent BIT() overflow when handling invalid prefetch region Steve French (1): cifs: fix typo in enable_gcm_256 module parameter Takashi Iwai (1): ALSA: usb-audio: Fix missing unlock at error path of maxpacksize check Thomas Weißschuh (1): LoongArch: Use UAPI types in ptrace UAPI header Tzung-Bi Shih (1): Input: cros_ec_keyb - fix an invalid memory access Vlastimil Babka (1): mm/mempool: fix poisoning order>0 pages with HIGHMEM Wentao Guan (1): Revert "RDMA/irdma: Update Kconfig" Yifan Zha (1): drm/amdgpu: Skip emit de meta data on gfx11 with rs64 enabled Yihang Li (1): ata: libata-scsi: Add missing scsi_device_put() in ata_scsi_dev_rescan() Yipeng Zou (1): timers: Fix NULL function pointer race in timer_shutdown_sync() Yongpeng Yang (2): isofs: check the return value of sb_min_blocksize() in isofs_fill_super exfat: check return value of sb_min_blocksize in exfat_read_boot_sector Yu-Chun Lin (1): pinctrl: realtek: Select REGMAP_MMIO for RTD driver Zhang Chujun (1): tracing/tools: Fix incorrcet short option in usage text for --threads Zhang Heng (1): HID: quirks: work around VID/PID conflict for 0x4c4a/0x4155 Zilin Guan (1): mlxsw: spectrum: Fix memory leak in mlxsw_sp_flower_stats()

2 days, 16 hours

1
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror