- Linux-stable-mirror - lists.linaro.org

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.60 release. There are 112 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat, 29 Nov 2025 14:40:08 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.60-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.60-rc1 Fangzhi Zuo <Jerry.Zuo(a)amd.com> drm/amd/display: Prevent Gating DTBCLK before It Is Properly Latched Charlene Liu <Charlene.Liu(a)amd.com> drm/amd/display: Insert dccg log for easy debug Charlene Liu <Charlene.Liu(a)amd.com> drm/amd/display: disable DPP RCG before DPP CLK enable Charlene Liu <Charlene.Liu(a)amd.com> drm/amd/display: avoid reset DTBCLK at clock init Darrick J. Wong <djwong(a)kernel.org> xfs: fix out of bounds memory read error in symlink repair Marcelo Moreira <marcelomoreira1905(a)gmail.com> xfs: Replace strncpy with memcpy Eric Dumazet <edumazet(a)google.com> mptcp: fix a race in mptcp_pm_del_add_timer() Imre Deak <imre.deak(a)intel.com> drm/i915/dp_mst: Disable Panel Replay Martin Kaiser <martin(a)kaiser.cx> maple_tree: fix tracepoint string pointers Jari Ruusu <jariruusu(a)protonmail.com> tty/vt: fix up incorrect backport to stable releases Henrique Carvalho <henrique.carvalho(a)suse.com> smb: client: fix incomplete backport in cfids_invalidation_worker() Samuel Zhang <guoqing.zhang(a)amd.com> drm/amdgpu: fix gpu page fault after hibernation on PF passthrough Zhang Chujun <zhangchujun(a)cmss.chinamobile.com> tracing/tools: Fix incorrcet short option in usage text for --threads Nishanth Menon <nm(a)ti.com> net: ethernet: ti: netcp: Standardize knav_dma_open_channel to return NULL on error René Rebe <rene(a)exactco.de> ALSA: usb-audio: fix uac2 clock source at terminal parser Heiko Carstens <hca(a)linux.ibm.com> s390/mm: Fix __ptep_rdp() inline assembly Shuicheng Lin <shuicheng.lin(a)intel.com> drm/xe: Prevent BIT() overflow when handling invalid prefetch region Wentao Guan <guanwentao(a)uniontech.com> Revert "RDMA/irdma: Update Kconfig" Marc Zyngier <maz(a)kernel.org> KVM: arm64: Make all 32bit ID registers fully writable Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Fix missing unlock at error path of maxpacksize check Jakub Horký <jakub.git(a)horky.net> kconfig/nconf: Initialize the default locale at startup Jakub Horký <jakub.git(a)horky.net> kconfig/mconf: Initialize the default locale at startup Shahar Shitrit <shshitrit(a)nvidia.com> net: tls: Cancel RX async resync request on rcd_delta overflow Carlos Llamas <cmllamas(a)google.com> blk-crypto: use BLK_STS_INVAL for alignment errors Shahar Shitrit <shshitrit(a)nvidia.com> net: tls: Change async resync helpers argument Po-Hsu Lin <po-hsu.lin(a)canonical.com> selftests: net: use BASH for bareudp testing Borislav Petkov (AMD) <bp(a)alien8.de> x86/microcode/AMD: Limit Entrysign signature checking to known generations Bart Van Assche <bvanassche(a)acm.org> scsi: core: Fix a regression triggered by scsi_host_busy() Steve French <stfrench(a)microsoft.com> cifs: fix typo in enable_gcm_256 module parameter Rafał Miłecki <rafal(a)milecki.pl> bcma: don't register devices disabled in OF Michal Luczaj <mhal(a)rbox.co> vsock: Ignore signal/timeout on connect() if already established Shaurya Rane <ssrane_b23(a)ee.vjti.ac.in> cifs: fix memory leak in smb3_fs_context_parse_param error path Thomas Weißschuh <linux(a)weissschuh.net> LoongArch: Use UAPI types in ptrace UAPI header Kuniyuki Iwashima <kuniyu(a)google.com> af_unix: Read sk_peek_offset() again after sleeping in unix_stream_read_generic(). Kuniyuki Iwashima <kuniyu(a)google.com> af_unix: Cache state->msg in unix_stream_read_generic(). Pradyumn Rahar <pradyumn.rahar(a)oracle.com> net/mlx5: Clean up only new IRQ glue on request_irq() failure Shay Drory <shayd(a)nvidia.com> devlink: rate: Unset parent pointer in devl_rate_nodes_destroy Jared Kangas <jkangas(a)redhat.com> pinctrl: s32cc: initialize gpio_pin_config::list after kmalloc() Jared Kangas <jkangas(a)redhat.com> pinctrl: s32cc: fix uninitialized memory in s32_pinctrl_desc Grzegorz Nitka <grzegorz.nitka(a)intel.com> ice: fix PTP cleanup on driver removal in error path Emil Tantilov <emil.s.tantilov(a)intel.com> idpf: fix possible vport_config NULL pointer deref in remove Pavel Zhigulin <Pavel.Zhigulin(a)kaspersky.com> net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end() Haotian Zhang <vulab(a)iscas.ac.cn> platform/x86/intel/speed_select_if: Convert PCIBIOS_* return codes to errnos Ido Schimmel <idosch(a)nvidia.com> selftests: net: lib: Do not overwrite error messages Aleksei Nikiforov <aleksei.nikiforov(a)linux.ibm.com> s390/ctcm: Fix double-kfree Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> nvme-multipath: fix lockdep WARN due to partition scan work Chen Pei <cp0613(a)linux.alibaba.com> tools: riscv: Fixed misalignment of CSR related definitions Ilya Maximets <i.maximets(a)ovn.org> net: openvswitch: remove never-working support for setting nsh fields Pavel Zhigulin <Pavel.Zhigulin(a)kaspersky.com> net: mlxsw: linecards: fix missing error check in mlxsw_linecard_devlink_info_get() Pavel Zhigulin <Pavel.Zhigulin(a)kaspersky.com> net: dsa: hellcreek: fix missing error handling in LED registration Prateek Agarwal <praagarwal(a)nvidia.com> drm/tegra: Add call to put_pid() Zilin Guan <zilin(a)seu.edu.cn> mlxsw: spectrum: Fix memory leak in mlxsw_sp_flower_stats() Armin Wolf <W_Armin(a)gmx.de> platform/x86: msi-wmi-platform: Fix typo in WMI GUID Armin Wolf <W_Armin(a)gmx.de> platform/x86: msi-wmi-platform: Only load on MSI devices Haotian Zhang <vulab(a)iscas.ac.cn> pinctrl: cirrus: Fix fwnode leak in cs42l43_pin_probe() Jianbo Liu <jianbol(a)nvidia.com> xfrm: Prevent locally generated packets from direct output in tunnel mode Jianbo Liu <jianbol(a)nvidia.com> xfrm: Determine inner GSO type from packet inner protocol Yu-Chun Lin <eleanor.lin(a)realtek.com> pinctrl: realtek: Select REGMAP_MMIO for RTD driver Sabrina Dubroca <sd(a)queasysnail.net> xfrm: set err and extack on failure to create pcpu SA Sabrina Dubroca <sd(a)queasysnail.net> xfrm: drop SA reference in xfrm_state_update if dir doesn't match Ivan Lipski <ivan.lipski(a)amd.com> drm/amd/display: Clear the CUR_ENABLE register on DCN20 on DPP5 Fangzhi Zuo <Jerry.Zuo(a)amd.com> drm/amd/display: Fix pbn to kbps Conversion Mario Limonciello (AMD) <superm1(a)kernel.org> drm/amd/display: Move sleep into each retry for retrieve_link_cap() Mario Limonciello (AMD) <superm1(a)kernel.org> drm/amd/display: Increase DPCD read retries Yifan Zha <Yifan.Zha(a)amd.com> drm/amdgpu: Skip emit de meta data on gfx11 with rs64 enabled Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Skip power ungate during suspend for VPE Robert McClinton <rbmccav(a)gmail.com> drm/radeon: delete radeon_fence_process in is_signaled, no deadlock Ma Ke <make24(a)iscas.ac.cn> drm/tegra: dc: Fix reference leak in tegra_dc_couple() Paolo Abeni <pabeni(a)redhat.com> mptcp: do not fallback when OoO is present Paolo Abeni <pabeni(a)redhat.com> mptcp: decouple mptcp fastclose from tcp close Paolo Abeni <pabeni(a)redhat.com> mptcp: avoid unneeded subflow-level drops Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: join: userspace: longer timeout Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: join: endpoints: longer timeout Paolo Abeni <pabeni(a)redhat.com> mptcp: fix premature close in case of fallback Paolo Abeni <pabeni(a)redhat.com> mptcp: fix duplicate reset on fastclose Paolo Abeni <pabeni(a)redhat.com> mptcp: fix ack generation for fallback msk Eric Dumazet <edumazet(a)google.com> mptcp: fix race condition in mptcp_schedule_work() Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Don't panic if no valid cache info for PCI Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dt-bindings: pinctrl: toshiba,visconti: Fix number of items in groups Maciej W. Rozycki <macro(a)orcam.me.uk> MIPS: Malta: Fix !EVA SOC-it PCI MMIO Hamza Mahfooz <hamzamahfooz(a)linux.microsoft.com> scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show() Bart Van Assche <bvanassche(a)acm.org> scsi: sg: Do not sleep in atomic context Ewan D. Milne <emilne(a)redhat.com> nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl() Ewan D. Milne <emilne(a)redhat.com> nvme: nvme-fc: move tagset removal to nvme_fc_delete_ctrl() Nam Cao <namcao(a)linutronix.de> nouveau/firmware: Add missing kfree() of nvkm_falcon_fw::boot Vlastimil Babka <vbabka(a)suse.cz> mm/mempool: fix poisoning order>0 pages with HIGHMEM Seungjin Bae <eeodqql09(a)gmail.com> Input: pegasus-notetaker - fix potential out-of-bounds access Dan Carpenter <dan.carpenter(a)linaro.org> Input: imx_sc_key - fix memory corruption on unload Hans de Goede <hdegoede(a)redhat.com> Input: goodix - add support for ACPI ID GDIX1003 Tzung-Bi Shih <tzungbi(a)kernel.org> Input: cros_ec_keyb - fix an invalid memory access Diogo Ivo <diogo.ivo(a)tecnico.ulisboa.pt> Revert "drm/tegra: dsi: Clear enable register if powered by bootloader" Oleksij Rempel <o.rempel(a)pengutronix.de> net: dsa: microchip: lan937x: Fix RGMII delay tuning Andrey Vatoropin <a.vatoropin(a)crpt.ru> be2net: pass wrb_params in case of OS2BMC Yihang Li <liyihang9(a)h-partners.com> ata: libata-scsi: Add missing scsi_device_put() in ata_scsi_dev_rescan() Henrique Carvalho <henrique.carvalho(a)suse.com> smb: client: introduce close_cached_dir_locked() Maciej W. Rozycki <macro(a)orcam.me.uk> MIPS: mm: Prevent a TLB shutdown on initial uniquification Niklas Cassel <cassel(a)kernel.org> ata: libata-scsi: Fix system suspend for a security locked drive Jiayuan Chen <jiayuan.chen(a)linux.dev> mptcp: Fix proto fallback detection with BPF Jiayuan Chen <jiayuan.chen(a)linux.dev> mptcp: Disallow MPTCP subflows from sockmap Yongpeng Yang <yangyongpeng(a)xiaomi.com> exfat: check return value of sb_min_blocksize in exfat_read_boot_sector Mike Yuan <me(a)yhndnzj.com> shmem: fix tmpfs reconfiguration (remount) when noswap is set Yongpeng Yang <yangyongpeng(a)xiaomi.com> isofs: check the return value of sb_min_blocksize() in isofs_fill_super Dan Carpenter <dan.carpenter(a)linaro.org> mtdchar: fix integer overflow in read/write ioctls Niravkumar L Rabara <niravkumarlaxmidas.rabara(a)altera.com> mtd: rawnand: cadence: fix DMA device NULL pointer dereference Quentin Schulz <quentin.schulz(a)cherry.de> arm64: dts: rockchip: disable HS400 on RK3588 Tiger Quentin Schulz <quentin.schulz(a)cherry.de> arm64: dts: rockchip: include rk3399-base instead of rk3399 in rk3399-op1 Mykola Kvach <xakep.amatop(a)gmail.com> arm64: dts: rockchip: fix PCIe 3.3V regulator voltage on orangepi-5 Diederik de Haas <diederik(a)cknow-tech.com> arm64: dts: rockchip: Fix vccio4-supply on rk3566-pinetab2 Zhang Heng <zhangheng(a)kylinos.cn> HID: quirks: work around VID/PID conflict for 0x4c4a/0x4155 Mario Limonciello (AMD) <superm1(a)kernel.org> HID: amd_sfh: Stop sensor before starting Yipeng Zou <zouyipeng(a)huawei.com> timers: Fix NULL function pointer race in timer_shutdown_sync() Sebastian Ene <sebastianene(a)google.com> KVM: arm64: Check the untrusted offset in FF-A memory share ------------- Diffstat: .../bindings/pinctrl/toshiba,visconti-pinctrl.yaml | 26 +++--- Documentation/wmi/driver-development-guide.rst | 1 + Makefile | 4 +- arch/arm64/boot/dts/rockchip/rk3399-op1.dtsi | 2 +- arch/arm64/boot/dts/rockchip/rk3566-pinetab2.dtsi | 2 +- arch/arm64/boot/dts/rockchip/rk3588-tiger.dtsi | 4 +- .../arm64/boot/dts/rockchip/rk3588s-orangepi-5.dts | 4 +- arch/arm64/kvm/hyp/nvhe/ffa.c | 9 +- arch/arm64/kvm/sys_regs.c | 63 +++++++------ arch/loongarch/include/uapi/asm/ptrace.h | 40 ++++---- arch/loongarch/pci/pci.c | 8 +- arch/mips/mm/tlb-r4k.c | 102 +++++++++++++-------- arch/mips/mti-malta/malta-init.c | 20 ++-- arch/s390/include/asm/pgtable.h | 12 +-- arch/s390/mm/pgtable.c | 4 +- arch/x86/kernel/cpu/microcode/amd.c | 20 +++- block/blk-crypto.c | 2 +- drivers/ata/libata-scsi.c | 11 ++- drivers/bcma/main.c | 6 ++ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 3 +- drivers/gpu/drm/amd/amdgpu/aqua_vanjaram.c | 3 +- drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 4 +- drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c | 4 +- .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 59 +++++------- .../amd/display/dc/clk_mgr/dcn35/dcn35_clk_mgr.c | 20 ++-- .../gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c | 60 ++++++++---- .../drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 8 ++ .../drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c | 21 +++-- .../display/dc/link/protocols/link_dp_capability.c | 11 ++- drivers/gpu/drm/i915/display/intel_psr.c | 4 + drivers/gpu/drm/nouveau/nvkm/falcon/fw.c | 2 + drivers/gpu/drm/radeon/radeon_fence.c | 7 -- drivers/gpu/drm/tegra/dc.c | 1 + drivers/gpu/drm/tegra/dsi.c | 9 -- drivers/gpu/drm/tegra/uapi.c | 7 +- drivers/gpu/drm/xe/xe_vm.c | 4 +- drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c | 2 + drivers/hid/hid-ids.h | 4 +- drivers/hid/hid-quirks.c | 13 ++- drivers/infiniband/hw/irdma/Kconfig | 7 +- drivers/input/keyboard/cros_ec_keyb.c | 6 ++ drivers/input/keyboard/imx_sc_key.c | 2 +- drivers/input/tablet/pegasus_notetaker.c | 9 ++ drivers/input/touchscreen/goodix.c | 1 + drivers/mtd/mtdchar.c | 6 +- drivers/mtd/nand/raw/cadence-nand-controller.c | 3 +- drivers/net/dsa/hirschmann/hellcreek_ptp.c | 14 ++- drivers/net/dsa/microchip/lan937x_main.c | 1 + drivers/net/ethernet/emulex/benet/be_main.c | 7 +- drivers/net/ethernet/intel/ice/ice_ptp.c | 22 ++++- drivers/net/ethernet/intel/idpf/idpf_main.c | 2 + .../ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c | 9 +- drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c | 6 +- .../net/ethernet/mellanox/mlxsw/core_linecards.c | 2 + .../net/ethernet/mellanox/mlxsw/spectrum_flower.c | 6 +- drivers/net/ethernet/qlogic/qede/qede_fp.c | 5 +- drivers/net/ethernet/ti/netcp_core.c | 10 +- drivers/nvme/host/fc.c | 15 +-- drivers/nvme/host/multipath.c | 2 +- drivers/perf/riscv_pmu_sbi.c | 2 +- drivers/pinctrl/cirrus/pinctrl-cs42l43.c | 21 ++++- drivers/pinctrl/nxp/pinctrl-s32cc.c | 3 +- drivers/pinctrl/realtek/Kconfig | 1 + drivers/platform/x86/Kconfig | 1 + .../x86/intel/speed_select_if/isst_if_mmio.c | 4 +- drivers/platform/x86/msi-wmi-platform.c | 43 ++++++++- drivers/s390/net/ctcm_mpc.c | 1 - drivers/scsi/hosts.c | 5 +- drivers/scsi/sg.c | 10 +- drivers/soc/ti/knav_dma.c | 14 +-- drivers/target/loopback/tcm_loop.c | 3 + drivers/tty/vt/vt_ioctl.c | 4 +- fs/exfat/super.c | 5 +- fs/isofs/inode.c | 5 + fs/smb/client/cached_dir.c | 43 ++++++++- fs/smb/client/cifsfs.c | 2 +- fs/smb/client/fs_context.c | 4 + fs/xfs/scrub/symlink_repair.c | 4 +- include/linux/ata.h | 1 + include/net/tls.h | 25 ++--- include/net/xfrm.h | 3 +- kernel/time/timer.c | 7 +- lib/maple_tree.c | 30 +++--- mm/mempool.c | 32 +++++-- mm/shmem.c | 15 ++- net/devlink/rate.c | 4 +- net/ipv4/esp4_offload.c | 6 +- net/ipv6/esp6_offload.c | 6 +- net/mptcp/options.c | 54 ++++++++++- net/mptcp/pm_netlink.c | 20 ++-- net/mptcp/protocol.c | 84 +++++++++++------ net/mptcp/protocol.h | 3 +- net/mptcp/subflow.c | 8 ++ net/openvswitch/actions.c | 68 +------------- net/openvswitch/flow_netlink.c | 64 ++----------- net/openvswitch/flow_netlink.h | 2 - net/tls/tls_device.c | 4 +- net/unix/af_unix.c | 36 ++++---- net/vmw_vsock/af_vsock.c | 40 ++++++-- net/xfrm/xfrm_output.c | 6 +- net/xfrm/xfrm_state.c | 8 +- net/xfrm/xfrm_user.c | 5 +- scripts/kconfig/mconf.c | 3 + scripts/kconfig/nconf.c | 3 + sound/usb/endpoint.c | 3 +- sound/usb/mixer.c | 2 +- tools/arch/riscv/include/asm/csr.h | 5 +- tools/testing/selftests/net/bareudp.sh | 2 +- .../selftests/net/forwarding/lib_sh_test.sh | 7 ++ tools/testing/selftests/net/lib.sh | 2 +- tools/testing/selftests/net/mptcp/mptcp_join.sh | 18 ++-- tools/tracing/latency/latency-collector.c | 2 +- 112 files changed, 914 insertions(+), 560 deletions(-)

3 days, 13 hours

4
115
0 0

[PATCH 6.17 000/175] 6.17.10-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.17.10 release. There are 175 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat, 29 Nov 2025 14:40:08 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.17.10-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.17.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.17.10-rc1 Emil Tsalapatis <etsal(a)meta.com> sched_ext: fix flag check for deferred callbacks Andrea Righi <arighi(a)nvidia.com> sched_ext: Fix scx_kick_pseqs corruption on concurrent scheduler loads Ankit Nautiyal <ankit.k.nautiyal(a)intel.com> drm/i915/dp: Add device specific quirk to limit eDP rate to HBR2 Ankit Nautiyal <ankit.k.nautiyal(a)intel.com> Revert "drm/i915/dp: Reject HBR3 when sink doesn't support TPS4" Jari Ruusu <jariruusu(a)protonmail.com> tty/vt: fix up incorrect backport to stable releases Fangzhi Zuo <Jerry.Zuo(a)amd.com> drm/amd/display: Prevent Gating DTBCLK before It Is Properly Latched Charlene Liu <Charlene.Liu(a)amd.com> drm/amd/display: Insert dccg log for easy debug Gang Yan <yangang(a)kylinos.cn> mptcp: fix address removal logic in mptcp_pm_nl_rm_addr Darrick J. Wong <djwong(a)kernel.org> xfs: fix out of bounds memory read error in symlink repair Marcelo Moreira <marcelomoreira1905(a)gmail.com> xfs: Replace strncpy with memcpy Sathishkumar S <sathishkumar.sundararaju(a)amd.com> drm/amdgpu/jpeg: Add parse_cs for JPEG5_0_1 Sathishkumar S <sathishkumar.sundararaju(a)amd.com> drm/amdgpu/jpeg: Move parse_cs to amdgpu_jpeg.c Imre Deak <imre.deak(a)intel.com> drm/i915/dp_mst: Disable Panel Replay Jouni Högander <jouni.hogander(a)intel.com> drm/i915/psr: Check drm_dp_dpcd_read return value on PSR dpcd init Henrique Carvalho <henrique.carvalho(a)suse.com> smb: client: fix incomplete backport in cfids_invalidation_worker() Samuel Zhang <guoqing.zhang(a)amd.com> drm/amdgpu: fix gpu page fault after hibernation on PF passthrough Filipe Manana <fdmanana(a)suse.com> btrfs: set inode flag BTRFS_INODE_COPY_EVERYTHING when logging new name Zhang Chujun <zhangchujun(a)cmss.chinamobile.com> tracing/tools: Fix incorrcet short option in usage text for --threads Nishanth Menon <nm(a)ti.com> net: ethernet: ti: netcp: Standardize knav_dma_open_channel to return NULL on error Nitin Rawat <nitin.rawat(a)oss.qualcomm.com> scsi: ufs: ufs-qcom: Fix UFS OCP issue during UFS power down (PC=3) René Rebe <rene(a)exactco.de> ALSA: usb-audio: fix uac2 clock source at terminal parser Shuicheng Lin <shuicheng.lin(a)intel.com> drm/xe: Prevent BIT() overflow when handling invalid prefetch region Jakub Horký <jakub.git(a)horky.net> kconfig/nconf: Initialize the default locale at startup Jakub Horký <jakub.git(a)horky.net> kconfig/mconf: Initialize the default locale at startup Borislav Petkov (AMD) <bp(a)alien8.de> x86/CPU/AMD: Extend Zen6 model range Shahar Shitrit <shshitrit(a)nvidia.com> net: tls: Cancel RX async resync request on rcd_delta overflow Carlos Llamas <cmllamas(a)google.com> blk-crypto: use BLK_STS_INVAL for alignment errors Shahar Shitrit <shshitrit(a)nvidia.com> net: tls: Change async resync helpers argument Po-Hsu Lin <po-hsu.lin(a)canonical.com> selftests: net: use BASH for bareudp testing Paulo Alcantara <pc(a)manguebit.org> smb: client: handle lack of IPC in dfs_cache_refresh() Sidharth Seela <sidharthseela(a)gmail.com> selftests: cachestat: Fix warning on declaration under label Borislav Petkov (AMD) <bp(a)alien8.de> x86/microcode/AMD: Limit Entrysign signature checking to known generations dongsheng <dongsheng.x.zhang(a)intel.com> perf/x86/intel/uncore: Add uncore PMU support for Wildcat Lake Eren Demir <eren.demir2479090(a)gmail.com> ALSA: hda/realtek: Fix mute led for HP Victus 15-fa1xxx (MB 8C2D) Bart Van Assche <bvanassche(a)acm.org> scsi: core: Fix a regression triggered by scsi_host_busy() Steve French <stfrench(a)microsoft.com> cifs: fix typo in enable_gcm_256 module parameter Shuming Fan <shumingf(a)realtek.com> ASoC: rt721: fix prepare clock stop failed Rob Clark <robin.clark(a)oss.qualcomm.com> drm/msm: Fix pgtable prealloc error path Emil Tsalapatis <etsal(a)meta.com> sched_ext: defer queue_balance_callback() until after ops.dispatch Rafał Miłecki <rafal(a)milecki.pl> bcma: don't register devices disabled in OF Tejun Heo <tj(a)kernel.org> sched_ext: Allocate scx_kick_cpus_pnt_seqs lazily using kvzalloc() J-Donald Tournier <jdtournier(a)gmail.com> ALSA: hda/realtek: Add quirk for Lenovo Yoga 7 2-in-1 14AKP10 Thomas Bogendoerfer <tsbogend(a)alpha.franken.de> MIPS: kernel: Fix random segmentation faults Malaya Kumar Rout <mrout(a)redhat.com> timekeeping: Fix resource leak in tk_aux_sysfs_init() error paths Michal Luczaj <mhal(a)rbox.co> vsock: Ignore signal/timeout on connect() if already established Dapeng Mi <dapeng1.mi(a)linux.intel.com> perf: Fix 0 count issue of cpu-clock Shaurya Rane <ssrane_b23(a)ee.vjti.ac.in> cifs: fix memory leak in smb3_fs_context_parse_param error path Thomas Weißschuh <linux(a)weissschuh.net> LoongArch: Use UAPI types in ptrace UAPI header Wen Yang <wen.yang(a)linux.dev> tick/sched: Fix bogus condition in report_idle_softirq() Wei Fang <wei.fang(a)nxp.com> net: phylink: add missing supported link modes for the fixed-link Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> gpio: cdev: make sure the cdev fd is still active before emitting events Kuniyuki Iwashima <kuniyu(a)google.com> af_unix: Read sk_peek_offset() again after sleeping in unix_stream_read_generic(). Pradyumn Rahar <pradyumn.rahar(a)oracle.com> net/mlx5: Clean up only new IRQ glue on request_irq() failure Shay Drory <shayd(a)nvidia.com> devlink: rate: Unset parent pointer in devl_rate_nodes_destroy Jared Kangas <jkangas(a)redhat.com> pinctrl: s32cc: initialize gpio_pin_config::list after kmalloc() Jared Kangas <jkangas(a)redhat.com> pinctrl: s32cc: fix uninitialized memory in s32_pinctrl_desc Grzegorz Nitka <grzegorz.nitka(a)intel.com> ice: fix PTP cleanup on driver removal in error path Emil Tantilov <emil.s.tantilov(a)intel.com> idpf: fix possible vport_config NULL pointer deref in remove Venkata Ramana Nayana <venkata.ramana.nayana(a)intel.com> drm/xe/irq: Handle msix vector0 interrupt Matt Roper <matthew.d.roper(a)intel.com> drm/xe/kunit: Fix forcewake assertion in mocs test Dnyaneshwar Bhadane <dnyaneshwar.bhadane(a)intel.com> drm/i915/xe3: Restrict PTL intel_encoder_is_c10phy() to only PHY A Dnyaneshwar Bhadane <dnyaneshwar.bhadane(a)intel.com> drm/i915/display: Add definition for wcl as subplatform Dnyaneshwar Bhadane <dnyaneshwar.bhadane(a)intel.com> drm/pcids: Split PTL pciids group to make wcl subplatform Pavel Zhigulin <Pavel.Zhigulin(a)kaspersky.com> net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end() Randy Dunlap <rdunlap(a)infradead.org> platform/x86: intel-uncore-freq: fix all header kernel-doc warnings Haotian Zhang <vulab(a)iscas.ac.cn> platform/x86/intel/speed_select_if: Convert PCIBIOS_* return codes to errnos Lorenzo Bianconi <lorenzo(a)kernel.org> net: airoha: Do not loopback traffic to GDM2 if it is available on the device Lorenzo Bianconi <lorenzo(a)kernel.org> net: airoha: Add wlan flowtable TX offload Ido Schimmel <idosch(a)nvidia.com> selftests: net: lib: Do not overwrite error messages Aleksei Nikiforov <aleksei.nikiforov(a)linux.ibm.com> s390/ctcm: Fix double-kfree Dnyaneshwar Bhadane <dnyaneshwar.bhadane(a)intel.com> drm/i915/xe3lpd: Load DMC for Xe3_LPD version 30.02 Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> nvme-multipath: fix lockdep WARN due to partition scan work Alistair Francis <alistair.francis(a)wdc.com> nvmet-auth: update sc_c in target host hash calculation Chen Pei <cp0613(a)linux.alibaba.com> tools: riscv: Fixed misalignment of CSR related definitions Jesper Dangaard Brouer <hawk(a)kernel.org> veth: more robust handing of race to avoid txq getting stuck Ilya Maximets <i.maximets(a)ovn.org> net: openvswitch: remove never-working support for setting nsh fields Pavel Zhigulin <Pavel.Zhigulin(a)kaspersky.com> net: mlxsw: linecards: fix missing error check in mlxsw_linecard_devlink_info_get() Pavel Zhigulin <Pavel.Zhigulin(a)kaspersky.com> net: dsa: hellcreek: fix missing error handling in LED registration Prateek Agarwal <praagarwal(a)nvidia.com> drm/tegra: Add call to put_pid() Zilin Guan <zilin(a)seu.edu.cn> mlxsw: spectrum: Fix memory leak in mlxsw_sp_flower_stats() Jiaming Zhang <r772577952(a)gmail.com> net: core: prevent NULL deref in generic_hwtstamp_ioctl_lower() Aleksander Jan Bajkowski <olek2(a)wp.pl> mips: dts: econet: fix EN751221 core type Armin Wolf <W_Armin(a)gmx.de> platform/x86: msi-wmi-platform: Fix typo in WMI GUID Armin Wolf <W_Armin(a)gmx.de> platform/x86: msi-wmi-platform: Only load on MSI devices Haotian Zhang <vulab(a)iscas.ac.cn> pinctrl: cirrus: Fix fwnode leak in cs42l43_pin_probe() Jianbo Liu <jianbol(a)nvidia.com> xfrm: Prevent locally generated packets from direct output in tunnel mode Jianbo Liu <jianbol(a)nvidia.com> xfrm: Determine inner GSO type from packet inner protocol Jianbo Liu <jianbol(a)nvidia.com> xfrm: Check inner packet family directly from skb_dst Yu-Chun Lin <eleanor.lin(a)realtek.com> pinctrl: realtek: Select REGMAP_MMIO for RTD driver Chen-Yu Tsai <wens(a)kernel.org> clk: sunxi-ng: sun55i-a523-ccu: Lower audio0 pll minimum rate Chen-Yu Tsai <wens(a)kernel.org> clk: sunxi-ng: sun55i-a523-r-ccu: Mark bus-r-dma as critical Jernej Skrabec <jernej.skrabec(a)gmail.com> clk: sunxi-ng: Mark A523 bus-r-cpucfg clock as critical Sabrina Dubroca <sd(a)queasysnail.net> xfrm: set err and extack on failure to create pcpu SA Sabrina Dubroca <sd(a)queasysnail.net> xfrm: call xfrm_dev_state_delete when xfrm_state_migrate fails to add the state Sabrina Dubroca <sd(a)queasysnail.net> xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added Sabrina Dubroca <sd(a)queasysnail.net> xfrm: drop SA reference in xfrm_state_update if dir doesn't match Louis-Alexis Eyraud <louisalexis.eyraud(a)collabora.com> pinctrl: mediatek: mt8189: align register base names to dt-bindings ones Louis-Alexis Eyraud <louisalexis.eyraud(a)collabora.com> pinctrl: mediatek: mt8196: align register base names to dt-bindings ones Kiryl Shutsemau <kas(a)kernel.org> mm/truncate: unmap large folio on split failure Ivan Lipski <ivan.lipski(a)amd.com> drm/amd/display: Clear the CUR_ENABLE register on DCN20 on DPP5 Fangzhi Zuo <Jerry.Zuo(a)amd.com> drm/amd/display: Fix pbn to kbps Conversion Mario Limonciello (AMD) <superm1(a)kernel.org> drm/amd/display: Move sleep into each retry for retrieve_link_cap() Mario Limonciello (AMD) <superm1(a)kernel.org> drm/amd/display: Increase DPCD read retries Yifan Zha <Yifan.Zha(a)amd.com> drm/amdgpu: Skip emit de meta data on gfx11 with rs64 enabled Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Skip power ungate during suspend for VPE Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/plane: Fix create_in_format_blob() return value Robert McClinton <rbmccav(a)gmail.com> drm/radeon: delete radeon_fence_process in is_signaled, no deadlock Ma Ke <make24(a)iscas.ac.cn> drm/tegra: dc: Fix reference leak in tegra_dc_couple() Paolo Abeni <pabeni(a)redhat.com> mptcp: do not fallback when OoO is present Paolo Abeni <pabeni(a)redhat.com> mptcp: decouple mptcp fastclose from tcp close Paolo Abeni <pabeni(a)redhat.com> mptcp: avoid unneeded subflow-level drops Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: join: userspace: longer timeout Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: join: endpoints: longer timeout Paolo Abeni <pabeni(a)redhat.com> mptcp: fix premature close in case of fallback Paolo Abeni <pabeni(a)redhat.com> mptcp: fix duplicate reset on fastclose Paolo Abeni <pabeni(a)redhat.com> mptcp: fix ack generation for fallback msk Eric Dumazet <edumazet(a)google.com> mptcp: fix a race in mptcp_pm_del_add_timer() Eric Dumazet <edumazet(a)google.com> mptcp: fix race condition in mptcp_schedule_work() Anthony Wong <anthony.wong(a)ubuntu.com> platform/x86: alienware-wmi-wmax: Add AWCC support to Alienware 16 Aurora Kurt Borja <kuurtb(a)gmail.com> platform/x86: alienware-wmi-wmax: Add support for the whole "G" family Kurt Borja <kuurtb(a)gmail.com> platform/x86: alienware-wmi-wmax: Add support for the whole "X" family Kurt Borja <kuurtb(a)gmail.com> platform/x86: alienware-wmi-wmax: Add support for the whole "M" family Kurt Borja <kuurtb(a)gmail.com> platform/x86: alienware-wmi-wmax: Fix "Alienware m16 R1 AMD" quirk order Bibo Mao <maobibo(a)loongson.cn> LoongArch: Fix NUMA node parsing with numa_memblks Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Don't panic if no valid cache info for PCI Vincent Li <vincent.mc.li(a)gmail.com> LoongArch: BPF: Disable trampoline for kernel module function trace Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dt-bindings: pinctrl: toshiba,visconti: Fix number of items in groups Maciej W. Rozycki <macro(a)orcam.me.uk> MIPS: Malta: Fix !EVA SOC-it PCI MMIO Hamza Mahfooz <hamzamahfooz(a)linux.microsoft.com> scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show() Bart Van Assche <bvanassche(a)acm.org> scsi: sg: Do not sleep in atomic context Saket Kumar Bhaskar <skb99(a)linux.ibm.com> sched_ext: Fix scx_enable() crash on helper kthread creation failure Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> PM: sleep: core: Fix runtime PM enabling in device_resume_early() Ewan D. Milne <emilne(a)redhat.com> nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl() Ewan D. Milne <emilne(a)redhat.com> nvme: nvme-fc: move tagset removal to nvme_fc_delete_ctrl() Nam Cao <namcao(a)linutronix.de> nouveau/firmware: Add missing kfree() of nvkm_falcon_fw::boot Vlastimil Babka <vbabka(a)suse.cz> mm/mempool: fix poisoning order>0 pages with HIGHMEM Seungjin Bae <eeodqql09(a)gmail.com> Input: pegasus-notetaker - fix potential out-of-bounds access Dan Carpenter <dan.carpenter(a)linaro.org> Input: imx_sc_key - fix memory corruption on unload Hans de Goede <hansg(a)kernel.org> Input: goodix - add support for ACPI ID GDIX1003 Tzung-Bi Shih <tzungbi(a)kernel.org> Input: cros_ec_keyb - fix an invalid memory access Diogo Ivo <diogo.ivo(a)tecnico.ulisboa.pt> Revert "drm/tegra: dsi: Clear enable register if powered by bootloader" Oleksij Rempel <o.rempel(a)pengutronix.de> net: dsa: microchip: lan937x: Fix RGMII delay tuning Jens Axboe <axboe(a)kernel.dk> io_uring/cmd_net: fix wrong argument types for skb_queue_splice() Andrey Vatoropin <a.vatoropin(a)crpt.ru> be2net: pass wrb_params in case of OS2BMC Yihang Li <liyihang9(a)h-partners.com> ata: libata-scsi: Add missing scsi_device_put() in ata_scsi_dev_rescan() Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtw89: hw_scan: Don't let the operating channel be last Henrique Carvalho <henrique.carvalho(a)suse.com> smb: client: introduce close_cached_dir_locked() Stephen Smalley <stephen.smalley.work(a)gmail.com> selinux: move avdcache to per-task security struct Stephen Smalley <stephen.smalley.work(a)gmail.com> selinux: rename task_security_struct to cred_security_struct Maciej W. Rozycki <macro(a)orcam.me.uk> MIPS: mm: Prevent a TLB shutdown on initial uniquification Niklas Cassel <cassel(a)kernel.org> ata: libata-scsi: Fix system suspend for a security locked drive Tony Luck <tony.luck(a)intel.com> ACPI: APEI: EINJ: Fix EINJV2 initialization and injection Pasha Tatashin <pasha.tatashin(a)soleen.com> lib/test_kho: check if KHO is enabled Jiayuan Chen <jiayuan.chen(a)linux.dev> mptcp: Fix proto fallback detection with BPF Heiko Carstens <hca(a)linux.ibm.com> s390/mm: Fix __ptep_rdp() inline assembly Jiayuan Chen <jiayuan.chen(a)linux.dev> mptcp: Disallow MPTCP subflows from sockmap Yongpeng Yang <yangyongpeng(a)xiaomi.com> exfat: check return value of sb_min_blocksize in exfat_read_boot_sector Mike Yuan <me(a)yhndnzj.com> shmem: fix tmpfs reconfiguration (remount) when noswap is set Yongpeng Yang <yangyongpeng(a)xiaomi.com> isofs: check the return value of sb_min_blocksize() in isofs_fill_super Yongpeng Yang <yangyongpeng(a)xiaomi.com> xfs: check the return value of sb_min_blocksize() in xfs_fs_fill_super Dan Carpenter <dan.carpenter(a)linaro.org> mtdchar: fix integer overflow in read/write ioctls Zhen Ni <zhen.ni(a)easystack.cn> fs: Fix uninitialized 'offp' in statmount_string() Niravkumar L Rabara <niravkumarlaxmidas.rabara(a)altera.com> mtd: rawnand: cadence: fix DMA device NULL pointer dereference Yongpeng Yang <yangyongpeng(a)xiaomi.com> vfat: fix missing sb_min_blocksize() return value checks Yosry Ahmed <yosry.ahmed(a)linux.dev> KVM: SVM: Fix redundant updates of LBR MSR intercepts Quentin Schulz <quentin.schulz(a)cherry.de> arm64: dts: rockchip: disable HS400 on RK3588 Tiger Quentin Schulz <quentin.schulz(a)cherry.de> arm64: dts: rockchip: include rk3399-base instead of rk3399 in rk3399-op1 Laurentiu Mihalcea <laurentiu.mihalcea(a)nxp.com> reset: imx8mp-audiomix: Fix bad mask values Mykola Kvach <xakep.amatop(a)gmail.com> arm64: dts: rockchip: fix PCIe 3.3V regulator voltage on orangepi-5 Diederik de Haas <diederik(a)cknow-tech.com> arm64: dts: rockchip: Fix vccio4-supply on rk3566-pinetab2 Zhang Heng <zhangheng(a)kylinos.cn> HID: quirks: work around VID/PID conflict for 0x4c4a/0x4155 Mario Limonciello (AMD) <superm1(a)kernel.org> HID: amd_sfh: Stop sensor before starting Alexey Charkov <alchark(a)gmail.com> arm64: dts: rockchip: Remove non-functioning CPU OPPs from RK3576 Yipeng Zou <zouyipeng(a)huawei.com> timers: Fix NULL function pointer race in timer_shutdown_sync() Sebastian Ene <sebastianene(a)google.com> KVM: arm64: Check the untrusted offset in FF-A memory share ------------- Diffstat: .../bindings/pinctrl/toshiba,visconti-pinctrl.yaml | 26 +++-- Documentation/wmi/driver-development-guide.rst | 1 + Makefile | 4 +- arch/arm64/boot/dts/rockchip/rk3399-op1.dtsi | 2 +- arch/arm64/boot/dts/rockchip/rk3566-pinetab2.dtsi | 2 +- arch/arm64/boot/dts/rockchip/rk3576.dtsi | 12 -- arch/arm64/boot/dts/rockchip/rk3588-tiger.dtsi | 4 +- .../arm64/boot/dts/rockchip/rk3588s-orangepi-5.dts | 4 +- arch/arm64/kvm/hyp/nvhe/ffa.c | 9 +- arch/loongarch/include/uapi/asm/ptrace.h | 40 +++---- arch/loongarch/kernel/numa.c | 60 +++------- arch/loongarch/net/bpf_jit.c | 3 + arch/loongarch/pci/pci.c | 8 +- arch/mips/boot/dts/econet/en751221.dtsi | 2 +- arch/mips/kernel/process.c | 2 +- arch/mips/mm/tlb-r4k.c | 102 ++++++++++------- arch/mips/mti-malta/malta-init.c | 20 ++-- arch/s390/include/asm/pgtable.h | 12 +- arch/s390/mm/pgtable.c | 4 +- arch/x86/events/intel/uncore.c | 1 + arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/microcode/amd.c | 20 +++- arch/x86/kvm/svm/svm.c | 9 +- arch/x86/kvm/svm/svm.h | 1 + block/blk-crypto.c | 2 +- drivers/acpi/apei/einj-core.c | 64 +++++++---- drivers/ata/libata-scsi.c | 11 +- drivers/base/power/main.c | 25 +++-- drivers/bcma/main.c | 6 + drivers/clk/sunxi-ng/ccu-sun55i-a523-r.c | 4 +- drivers/clk/sunxi-ng/ccu-sun55i-a523.c | 2 +- drivers/gpio/gpiolib-cdev.c | 9 +- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 3 +- drivers/gpu/drm/amd/amdgpu/amdgpu_jpeg.c | 65 +++++++++++ drivers/gpu/drm/amd/amdgpu/amdgpu_jpeg.h | 10 ++ drivers/gpu/drm/amd/amdgpu/aqua_vanjaram.c | 3 +- drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 4 +- drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c | 4 +- drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c | 58 +--------- drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.h | 6 - drivers/gpu/drm/amd/amdgpu/jpeg_v2_5.c | 4 +- drivers/gpu/drm/amd/amdgpu/jpeg_v3_0.c | 2 +- drivers/gpu/drm/amd/amdgpu/jpeg_v4_0.c | 2 +- drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c | 2 +- drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_5.c | 2 +- drivers/gpu/drm/amd/amdgpu/jpeg_v5_0_0.c | 2 +- drivers/gpu/drm/amd/amdgpu/jpeg_v5_0_1.c | 1 + .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 59 ++++------ .../amd/display/dc/clk_mgr/dcn35/dcn35_clk_mgr.c | 4 +- .../gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c | 26 ++++- .../drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 8 ++ .../display/dc/link/protocols/link_dp_capability.c | 11 +- drivers/gpu/drm/drm_plane.c | 4 +- drivers/gpu/drm/i915/display/intel_cx0_phy.c | 14 +-- .../gpu/drm/i915/display/intel_display_device.c | 13 +++ .../gpu/drm/i915/display/intel_display_device.h | 4 +- drivers/gpu/drm/i915/display/intel_dmc.c | 10 +- drivers/gpu/drm/i915/display/intel_dp.c | 30 ++--- drivers/gpu/drm/i915/display/intel_psr.c | 36 ++++-- drivers/gpu/drm/i915/display/intel_quirks.c | 9 ++ drivers/gpu/drm/i915/display/intel_quirks.h | 1 + drivers/gpu/drm/msm/msm_iommu.c | 5 + drivers/gpu/drm/nouveau/nvkm/falcon/fw.c | 2 + drivers/gpu/drm/radeon/radeon_fence.c | 7 -- drivers/gpu/drm/tegra/dc.c | 1 + drivers/gpu/drm/tegra/dsi.c | 9 -- drivers/gpu/drm/tegra/uapi.c | 7 +- drivers/gpu/drm/xe/tests/xe_mocs.c | 2 +- drivers/gpu/drm/xe/xe_irq.c | 18 +-- drivers/gpu/drm/xe/xe_pci.c | 1 + drivers/gpu/drm/xe/xe_vm.c | 4 +- drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c | 2 + drivers/hid/hid-ids.h | 4 +- drivers/hid/hid-quirks.c | 13 ++- drivers/input/keyboard/cros_ec_keyb.c | 6 + drivers/input/keyboard/imx_sc_key.c | 2 +- drivers/input/tablet/pegasus_notetaker.c | 9 ++ drivers/input/touchscreen/goodix.c | 1 + drivers/mtd/mtdchar.c | 6 +- drivers/mtd/nand/raw/cadence-nand-controller.c | 3 +- drivers/net/dsa/hirschmann/hellcreek_ptp.c | 14 ++- drivers/net/dsa/microchip/lan937x_main.c | 1 + drivers/net/ethernet/airoha/airoha_eth.h | 11 ++ drivers/net/ethernet/airoha/airoha_ppe.c | 95 +++++++++++----- drivers/net/ethernet/emulex/benet/be_main.c | 7 +- drivers/net/ethernet/intel/ice/ice_ptp.c | 22 +++- drivers/net/ethernet/intel/idpf/idpf_main.c | 2 + .../ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c | 9 +- drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c | 6 +- .../net/ethernet/mellanox/mlxsw/core_linecards.c | 2 + .../net/ethernet/mellanox/mlxsw/spectrum_flower.c | 6 +- drivers/net/ethernet/qlogic/qede/qede_fp.c | 5 +- drivers/net/ethernet/ti/netcp_core.c | 10 +- drivers/net/phy/phylink.c | 3 + drivers/net/veth.c | 38 ++++--- drivers/net/wireless/realtek/rtw89/fw.c | 7 ++ drivers/nvme/host/fc.c | 15 +-- drivers/nvme/host/multipath.c | 2 +- drivers/nvme/target/auth.c | 4 +- drivers/nvme/target/fabrics-cmd-auth.c | 1 + drivers/nvme/target/nvmet.h | 1 + drivers/perf/riscv_pmu_sbi.c | 2 +- drivers/pinctrl/cirrus/pinctrl-cs42l43.c | 21 +++- drivers/pinctrl/mediatek/pinctrl-mt8189.c | 4 +- drivers/pinctrl/mediatek/pinctrl-mt8196.c | 6 +- drivers/pinctrl/nxp/pinctrl-s32cc.c | 3 +- drivers/pinctrl/realtek/Kconfig | 1 + drivers/platform/x86/Kconfig | 1 + drivers/platform/x86/dell/alienware-wmi-wmax.c | 104 +++++------------- .../x86/intel/speed_select_if/isst_if_mmio.c | 4 +- .../uncore-frequency/uncore-frequency-common.h | 9 +- drivers/platform/x86/msi-wmi-platform.c | 43 +++++++- drivers/reset/reset-imx8mp-audiomix.c | 4 +- drivers/s390/net/ctcm_mpc.c | 1 - drivers/scsi/hosts.c | 5 +- drivers/scsi/sg.c | 10 +- drivers/soc/ti/knav_dma.c | 14 +-- drivers/target/loopback/tcm_loop.c | 3 + drivers/tty/vt/vt_ioctl.c | 4 +- drivers/ufs/host/ufs-qcom.c | 15 ++- fs/btrfs/inode.c | 1 - fs/btrfs/tree-log.c | 3 + fs/exfat/super.c | 5 +- fs/fat/inode.c | 6 +- fs/isofs/inode.c | 5 + fs/namespace.c | 4 +- fs/smb/client/cached_dir.c | 43 +++++++- fs/smb/client/cifsfs.c | 2 +- fs/smb/client/cifsproto.h | 2 + fs/smb/client/connect.c | 38 +++---- fs/smb/client/dfs_cache.c | 55 ++++++++-- fs/smb/client/fs_context.c | 4 + fs/xfs/scrub/symlink_repair.c | 4 +- fs/xfs/xfs_super.c | 5 +- include/drm/intel/pciids.h | 5 +- include/linux/ata.h | 1 + include/net/tls.h | 25 +++-- include/net/xfrm.h | 3 +- io_uring/cmd_net.c | 2 +- kernel/events/core.c | 2 +- kernel/sched/ext.c | 121 +++++++++++++++++++-- kernel/sched/sched.h | 1 + kernel/time/tick-sched.c | 11 +- kernel/time/timekeeping.c | 21 ++-- kernel/time/timer.c | 7 +- lib/test_kho.c | 3 + mm/mempool.c | 32 +++++- mm/shmem.c | 15 ++- mm/truncate.c | 35 +++++- net/core/dev_ioctl.c | 3 + net/devlink/rate.c | 4 +- net/ipv4/esp4_offload.c | 6 +- net/ipv6/esp6_offload.c | 6 +- net/mptcp/options.c | 54 ++++++++- net/mptcp/pm.c | 20 ++-- net/mptcp/pm_kernel.c | 2 +- net/mptcp/protocol.c | 84 +++++++++----- net/mptcp/protocol.h | 3 +- net/mptcp/subflow.c | 8 ++ net/openvswitch/actions.c | 68 +----------- net/openvswitch/flow_netlink.c | 64 ++--------- net/openvswitch/flow_netlink.h | 2 - net/tls/tls_device.c | 4 +- net/unix/af_unix.c | 3 +- net/vmw_vsock/af_vsock.c | 40 +++++-- net/xfrm/xfrm_device.c | 2 +- net/xfrm/xfrm_output.c | 8 +- net/xfrm/xfrm_state.c | 16 ++- net/xfrm/xfrm_user.c | 5 +- scripts/kconfig/mconf.c | 3 + scripts/kconfig/nconf.c | 3 + security/selinux/hooks.c | 79 +++++++------- security/selinux/include/objsec.h | 20 +++- sound/hda/codecs/realtek/alc269.c | 2 + sound/soc/codecs/rt721-sdca.c | 4 + sound/soc/codecs/rt721-sdca.h | 1 + sound/usb/mixer.c | 2 +- tools/arch/riscv/include/asm/csr.h | 5 +- tools/testing/selftests/cachestat/test_cachestat.c | 4 +- tools/testing/selftests/net/bareudp.sh | 2 +- .../selftests/net/forwarding/lib_sh_test.sh | 7 ++ tools/testing/selftests/net/lib.sh | 2 +- tools/testing/selftests/net/mptcp/mptcp_join.sh | 18 +-- tools/tracing/latency/latency-collector.c | 2 +- 184 files changed, 1552 insertions(+), 952 deletions(-)

3 days, 14 hours

3
179
0 0

[PATCH v4] platform/x86: intel_pmc_ipc: fix ACPI buffer memory leak

by yongxin.liu＠windriver.com

From: Yongxin Liu <yongxin.liu(a)windriver.com> The intel_pmc_ipc() function uses ACPI_ALLOCATE_BUFFER to allocate memory for the ACPI evaluation result but never frees it, causing a 192-byte memory leak on each call. This leak is triggered during network interface initialization when the stmmac driver calls intel_mac_finish() -> intel_pmc_ipc(). unreferenced object 0xffff96a848d6ea80 (size 192): comm "dhcpcd", pid 541, jiffies 4294684345 hex dump (first 32 bytes): 04 00 00 00 05 00 00 00 98 ea d6 48 a8 96 ff ff ...........H.... 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................ backtrace (crc b1564374): kmemleak_alloc+0x2d/0x40 __kmalloc_noprof+0x2fa/0x730 acpi_ut_initialize_buffer+0x83/0xc0 acpi_evaluate_object+0x29a/0x2f0 intel_pmc_ipc+0xfd/0x170 intel_mac_finish+0x168/0x230 stmmac_mac_finish+0x3d/0x50 phylink_major_config+0x22b/0x5b0 phylink_mac_initial_config.constprop.0+0xf1/0x1b0 phylink_start+0x8e/0x210 __stmmac_open+0x12c/0x2b0 stmmac_open+0x23c/0x380 __dev_open+0x11d/0x2c0 __dev_change_flags+0x1d2/0x250 netif_change_flags+0x2b/0x70 dev_change_flags+0x40/0xb0 Add __free(kfree) for ACPI object to properly release the allocated buffer. Cc: stable(a)vger.kernel.org Fixes: 7e2f7e25f6ff ("arch: x86: add IPC mailbox accessor function and add SoC register access") Signed-off-by: Yongxin Liu <yongxin.liu(a)windriver.com> --- V3->V4: Move declaration of *obj to where it gets assigned. V2->V3: Use __free(kfree) instead of goto and kfree(); V1->V2: Cover all potential paths for kfree(); --- include/linux/platform_data/x86/intel_pmc_ipc.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/linux/platform_data/x86/intel_pmc_ipc.h b/include/linux/platform_data/x86/intel_pmc_ipc.h index 1d34435b7001..85ea381e4a27 100644 --- a/include/linux/platform_data/x86/intel_pmc_ipc.h +++ b/include/linux/platform_data/x86/intel_pmc_ipc.h @@ -9,6 +9,7 @@ #ifndef INTEL_PMC_IPC_H #define INTEL_PMC_IPC_H #include <linux/acpi.h> +#include <linux/cleanup.h> #define IPC_SOC_REGISTER_ACCESS 0xAA #define IPC_SOC_SUB_CMD_READ 0x00 @@ -48,7 +49,6 @@ static inline int intel_pmc_ipc(struct pmc_ipc_cmd *ipc_cmd, struct pmc_ipc_rbuf {.type = ACPI_TYPE_INTEGER,}, }; struct acpi_object_list arg_list = { PMC_IPCS_PARAM_COUNT, params }; - union acpi_object *obj; int status; if (!ipc_cmd || !rbuf) @@ -72,7 +72,7 @@ static inline int intel_pmc_ipc(struct pmc_ipc_cmd *ipc_cmd, struct pmc_ipc_rbuf if (ACPI_FAILURE(status)) return -ENODEV; - obj = buffer.pointer; + union acpi_object *obj __free(kfree) = buffer.pointer; if (obj && obj->type == ACPI_TYPE_PACKAGE && obj->package.count == VALID_IPC_RESPONSE) { -- 2.46.2

3 days, 14 hours

2
1
0 0

[PATCH v2] ocfs2: fix kernel BUG in ocfs2_find_victim_chain

by Prithvi Tambewagh

syzbot reported a kernel BUG in ocfs2_find_victim_chain() because the `cl_next_free_rec` field of the allocation chain list is 0, triggring the BUG_ON(!cl->cl_next_free_rec) condition and panicking the kernel. To fix this, `cl_next_free_rec` is checked inside the caller of ocfs2_find_victim_chain() i.e. ocfs2_claim_suballoc_bits() and if it is equal to 0, ocfs2_error() is called, to log the corruption and force the filesystem into read-only mode, to prevent further damage. Reported-by: syzbot+96d38c6e1655c1420a72(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=96d38c6e1655c1420a72 Tested-by: syzbot+96d38c6e1655c1420a72(a)syzkaller.appspotmail.com Cc: stable(a)vger.kernel.org Signed-off-by: Prithvi Tambewagh <activprithvi(a)gmail.com> --- v1->v2: - Remove extra line before the if statement in patch - Add upper limit check for cl->cl_next_free_rec in the if condition fs/ocfs2/suballoc.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c index 6ac4dcd54588..1257c39c2c11 100644 --- a/fs/ocfs2/suballoc.c +++ b/fs/ocfs2/suballoc.c @@ -1992,6 +1992,13 @@ static int ocfs2_claim_suballoc_bits(struct ocfs2_alloc_context *ac, } cl = (struct ocfs2_chain_list *) &fe->id2.i_chain; + if (!le16_to_cpu(cl->cl_next_free_rec) || + le16_to_cpu(cl->cl_next_free_rec) > le16_to_cpu(cl->cl_count)) { + status = ocfs2_error(ac->ac_inode->i_sb, + "Chain allocator dinode %llu has 0 chains\n", + (unsigned long long)le64_to_cpu(fe->i_blkno)); + goto bail; + } victim = ocfs2_find_victim_chain(cl); ac->ac_chain = victim; base-commit: 939f15e640f193616691d3bcde0089760e75b0d3 -- 2.34.1

3 days, 15 hours

1
0
0 0

Re: [PATCH] bcache: call bio_endio() to replace directly calling bio->bi_end_io()

by Stephen Zhang

Hi Coly, For this issue, I've previously sent a fix here: https://lore.kernel.org/all/20251129090122.2457896-2-zhangshida@kylinos.cn/ Would you be able to take a look and see if that one is suitable to pick up? Thanks, Shida

3 days, 18 hours

2
1
0 0

[PATCH] Bluetooth: HCI: Fix hci0 not release in usb disconnect process

by zhangchen200426＠163.com

From: zhangchen <zhangchen01(a)kylinos.cn> If hci_resume_dev before hci_unregister_dev, the hci command will timeout and the reference count of hdev will not reset to zero. Then the node "hci0" will not release. The output in question is as follows: [ 3391.553518][ 7] [T247244] Bluetooth: hci0: command 0x0c01 tx timeout [ 3391.553588][ 7] [T264732] Bluetooth: hci0: Opcode 0x0c01 failed: -110 [ 3393.569514][ 3] [T247244] Bluetooth: hci0: command 0x0c01 tx timeout [ 3393.569515][ 3] [T264732] Bluetooth: hci0: Opcode 0x0c1a failed: -110 [ 3393.709645][ 6] [T104579] usb 10-1: new full-speed USB device number 95 using xhci-hcd [ 3393.862194][ 6] [T104579] usb 10-1: New USB device found, idVendor=13d3, idProduct=3570, bcdDevice= 0.00 [ 3393.862205][ 6] [T104579] usb 10-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 3393.862208][ 6] [T104579] usb 10-1: Product: Bluetooth Radio [ 3393.862210][ 6] [T104579] usb 10-1: Manufacturer: Realtek [ 3393.862212][ 6] [T104579] usb 10-1: SerialNumber: 00e04c000001 [ 3393.867589][ 6] [T247244] Bluetooth: hci1: RTL: examining hci_ver=0b hci_rev=000b lmp_ver=0b lmp_subver=8852 [ 3393.868573][ 6] [T247244] Bluetooth: hci1: RTL: rom_version status=0 version=1 [ 3393.868583][ 6] [T247244] Bluetooth: hci1: RTL: loading rtl_bt/rtl8852bu_fw.bin [ 3393.868672][ 6] [T247244] Bluetooth: hci1: RTL: loading rtl_bt/rtl8852bu_config.bin [ 3393.869699][ 6] [T247244] Bluetooth: hci1: RTL: cfg_sz 6, total sz 65603 The call sequence in question is as follows: usb disconnect: btusb_disconnect hci_unregister_dev hci_dev_set_flag hci_cmd_sync_clear hci_unregister_suspend_notifier hci_dev_do_close device_del device resume: hci_suspend_notifier hci_resume_dev hci_resume_sync hci_set_event_mask_sync __hci_cmd_sync_status __hci_cmd_sync_status_sk __hci_cmd_sync_sk wait_event_interruptible_timeout The output after adding debug information in question is as follows: [ 6378.366215][ 6] [T434033] hci_resume_dev hci name hci0 [ 6378.366218][ 6] [T434033] hci_resume_sync set event mask sync [ 6378.366219][ 6] [T434033] hci_set_event_mask_sync [ 6378.366220][ 6] [T434033] __hci_cmd_sync_sk hci name hci0 Opcode 0x0c01 [ 6378.366227][ 6] [T434033] __hci_cmd_sync_sk wait event interruptible timeout [ 6378.367632][ 6] [T420012] btusb_disconnect intf 0000000024117fc1 [ 6378.367637][ 6] [T420012] btusb_disconnect hci_unregister_dev [ 6378.367638][ 6] [T420012] hci_unregister_dev 0000000064bfd783 name hci0 bus 1 [ 6378.367641][ 6] [T420012] hci_unregister_dev set flag [ 6378.367804][ 6] [T420012] hci_unregister_dev cmd sync clear [ 6378.367807][ 6] [T420012] hci_unregister_dev unregister suspend notifier [ 6380.367544][ 6] [T434033] __hci_cmd_sync_sk cmd timeout [ 6380.367542][ 6] [T197498] Bluetooth: hci0: command 0x0c01 tx timeout [ 6380.367550][ 6] [T434033] __hci_cmd_sync_sk hci0 end: err -110 [ 6380.367552][ 6] [T434033] Bluetooth: hci0: Opcode 0x0c01 failed: -110 [ 6380.367555][ 6] [T434033] hci_resume_sync clear event filter [ 6380.367556][ 6] [T434033] hci_resume_sync resume scan sync [ 6380.367558][ 6] [T434033] __hci_cmd_sync_sk hci name hci0 Opcode 0x0c1a [ 6380.367561][ 6] [T434033] __hci_cmd_sync_sk wait event interruptible timeout [ 6382.383538][ 6] [T197498] Bluetooth: hci0: command 0x0c01 tx timeout [ 6382.383593][ 6] [T434033] __hci_cmd_sync_sk hci0 end: err -110 [ 6382.383597][ 6] [T434033] Bluetooth: hci0: Opcode 0x0c1a failed: -110 The output after adding debug information in normal is as follows: [50.039156][ 6] [ T8360] btusb_disconnect intf 00000000fca35842 [50.039160][ 6] [ T8360] btusb_disconnect hci_unregister_dev [50.039162][ 6] [ T8360] hci_unregister_dev 000000002422b946 name hci0 bus 1 [50.039164][ 6] [ T8360] hci_unregister_dev set flag [50.039224][ 6] [ T8360] hci_unregister_dev cmd sync clear [50.039227][ 5] [ T8360] hci_unregister_dev unregister suspend notifier [50.043542][ 5] [ T8284] hci_resume_dev hci name hci0 This patch add hci_cancel_cmd_sync in hci_unregister_dev to wake up hdev->req_wait_q, and stop __hci_cmd_sync_sk by judging the HCI_UNREGISTER flag. Then stopping hci_resume_dev process based on the returned error code. Fixes: 182ee45da083 ("Bluetooth: hci_sync: Rework hci_suspend_notifier") Cc: stable(a)vger.kernel.org Signed-off-by: zhangchen <zhangchen01(a)kylinos.cn> --- net/bluetooth/hci_core.c | 6 ++++++ net/bluetooth/hci_sync.c | 22 ++++++++++++++++------ 2 files changed, 22 insertions(+), 6 deletions(-) diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c index 3418d7b964a1..c977bcba3e76 100644 --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -50,6 +50,7 @@ static void hci_rx_work(struct work_struct *work); static void hci_cmd_work(struct work_struct *work); static void hci_tx_work(struct work_struct *work); +static void hci_cancel_cmd_sync(struct hci_dev *hdev, int err); /* HCI device list */ LIST_HEAD(hci_dev_list); @@ -2695,6 +2696,8 @@ void hci_unregister_dev(struct hci_dev *hdev) hci_dev_set_flag(hdev, HCI_UNREGISTER); mutex_unlock(&hdev->unregister_lock); + hci_cancel_cmd_sync(hdev, EINTR); + write_lock(&hci_dev_list_lock); list_del(&hdev->list); write_unlock(&hci_dev_list_lock); @@ -2877,6 +2880,9 @@ int hci_resume_dev(struct hci_dev *hdev) ret = hci_resume_sync(hdev); hci_req_sync_unlock(hdev); + if (ret && hci_dev_test_flag(hdev, HCI_UNREGISTER)) + return 0; + mgmt_resuming(hdev, hdev->wake_reason, &hdev->wake_addr, hdev->wake_addr_type); diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c index 6e76798ec786..f48d34fbfff2 100644 --- a/net/bluetooth/hci_sync.c +++ b/net/bluetooth/hci_sync.c @@ -174,10 +174,11 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen, return ERR_PTR(err); err = wait_event_interruptible_timeout(hdev->req_wait_q, - hdev->req_status != HCI_REQ_PEND, + hdev->req_status != HCI_REQ_PEND || + hci_dev_test_flag(hdev, HCI_UNREGISTER), timeout); - if (err == -ERESTARTSYS) + if (err == -ERESTARTSYS || hci_dev_test_flag(hdev, HCI_UNREGISTER)) return ERR_PTR(-EINTR); switch (hdev->req_status) { @@ -6296,6 +6297,7 @@ static int hci_resume_scan_sync(struct hci_dev *hdev) */ int hci_resume_sync(struct hci_dev *hdev) { + int err; /* If not marked as suspended there nothing to do */ if (!hdev->suspended) return 0; @@ -6303,10 +6305,14 @@ int hci_resume_sync(struct hci_dev *hdev) hdev->suspended = false; /* Restore event mask */ - hci_set_event_mask_sync(hdev); + err = hci_set_event_mask_sync(hdev); + if (err && hci_dev_test_flag(hdev, HCI_UNREGISTER)) + return err; /* Clear any event filters and restore scan state */ - hci_clear_event_filter_sync(hdev); + err = hci_clear_event_filter_sync(hdev); + if (err && hci_dev_test_flag(hdev, HCI_UNREGISTER)) + return err; /* Resume scanning */ hci_resume_scan_sync(hdev); @@ -6315,10 +6321,14 @@ int hci_resume_sync(struct hci_dev *hdev) hci_resume_monitor_sync(hdev); /* Resume other advertisements */ - hci_resume_advertising_sync(hdev); + err = hci_resume_advertising_sync(hdev); + if (err && hci_dev_test_flag(hdev, HCI_UNREGISTER)) + return err; /* Resume discovery */ - hci_resume_discovery_sync(hdev); + err = hci_resume_discovery_sync(hdev); + if (err && hci_dev_test_flag(hdev, HCI_UNREGISTER)) + return err; return 0; } -- 2.25.1

3 days, 21 hours

1
0
0 0

[PATCH] Bluetooth: HCI: Fix hci0 not release in usb disconnect process

by zhangchen200426＠163.com

From: zhangchen <zhangchen01(a)kylinos.cn> If hci_resume_dev before hci_unregister_dev, the hci command will timeout and the reference count of hdev will not reset to zero. Then the node "hci0" will not release. The output in question is as follows: [ 3391.553518][ 7] [T247244] Bluetooth: hci0: command 0x0c01 tx timeout [ 3391.553588][ 7] [T264732] Bluetooth: hci0: Opcode 0x0c01 failed: -110 [ 3393.569514][ 3] [T247244] Bluetooth: hci0: command 0x0c01 tx timeout [ 3393.569515][ 3] [T264732] Bluetooth: hci0: Opcode 0x0c1a failed: -110 [ 3393.709645][ 6] [T104579] usb 10-1: new full-speed USB device number 95 using xhci-hcd [ 3393.862194][ 6] [T104579] usb 10-1: New USB device found, idVendor=13d3, idProduct=3570, bcdDevice= 0.00 [ 3393.862205][ 6] [T104579] usb 10-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 3393.862208][ 6] [T104579] usb 10-1: Product: Bluetooth Radio [ 3393.862210][ 6] [T104579] usb 10-1: Manufacturer: Realtek [ 3393.862212][ 6] [T104579] usb 10-1: SerialNumber: 00e04c000001 [ 3393.867589][ 6] [T247244] Bluetooth: hci1: RTL: examining hci_ver=0b hci_rev=000b lmp_ver=0b lmp_subver=8852 [ 3393.868573][ 6] [T247244] Bluetooth: hci1: RTL: rom_version status=0 version=1 [ 3393.868583][ 6] [T247244] Bluetooth: hci1: RTL: loading rtl_bt/rtl8852bu_fw.bin [ 3393.868672][ 6] [T247244] Bluetooth: hci1: RTL: loading rtl_bt/rtl8852bu_config.bin [ 3393.869699][ 6] [T247244] Bluetooth: hci1: RTL: cfg_sz 6, total sz 65603 The call sequence in question is as follows: usb disconnect: btusb_disconnect hci_unregister_dev hci_dev_set_flag hci_cmd_sync_clear hci_unregister_suspend_notifier hci_dev_do_close device_del device resume: hci_suspend_notifier hci_resume_dev hci_resume_sync hci_set_event_mask_sync __hci_cmd_sync_status __hci_cmd_sync_status_sk __hci_cmd_sync_sk wait_event_interruptible_timeout The output after adding debug information in question is as follows: [ 6378.366215][ 6] [T434033] hci_resume_dev hci name hci0 [ 6378.366218][ 6] [T434033] hci_resume_sync set event mask sync [ 6378.366219][ 6] [T434033] hci_set_event_mask_sync [ 6378.366220][ 6] [T434033] __hci_cmd_sync_sk hci name hci0 Opcode 0x0c01 [ 6378.366227][ 6] [T434033] __hci_cmd_sync_sk wait event interruptible timeout [ 6378.367632][ 6] [T420012] btusb_disconnect intf 0000000024117fc1 [ 6378.367637][ 6] [T420012] btusb_disconnect hci_unregister_dev [ 6378.367638][ 6] [T420012] hci_unregister_dev 0000000064bfd783 name hci0 bus 1 [ 6378.367641][ 6] [T420012] hci_unregister_dev set flag [ 6378.367804][ 6] [T420012] hci_unregister_dev cmd sync clear [ 6378.367807][ 6] [T420012] hci_unregister_dev unregister suspend notifier [ 6380.367544][ 6] [T434033] __hci_cmd_sync_sk cmd timeout [ 6380.367542][ 6] [T197498] Bluetooth: hci0: command 0x0c01 tx timeout [ 6380.367550][ 6] [T434033] __hci_cmd_sync_sk hci0 end: err -110 [ 6380.367552][ 6] [T434033] Bluetooth: hci0: Opcode 0x0c01 failed: -110 [ 6380.367555][ 6] [T434033] hci_resume_sync clear event filter [ 6380.367556][ 6] [T434033] hci_resume_sync resume scan sync [ 6380.367558][ 6] [T434033] __hci_cmd_sync_sk hci name hci0 Opcode 0x0c1a [ 6380.367561][ 6] [T434033] __hci_cmd_sync_sk wait event interruptible timeout [ 6382.383538][ 6] [T197498] Bluetooth: hci0: command 0x0c01 tx timeout [ 6382.383593][ 6] [T434033] __hci_cmd_sync_sk hci0 end: err -110 [ 6382.383597][ 6] [T434033] Bluetooth: hci0: Opcode 0x0c1a failed: -110 The output after adding debug information in normal is as follows: [50.039156][ 6] [ T8360] btusb_disconnect intf 00000000fca35842 [50.039160][ 6] [ T8360] btusb_disconnect hci_unregister_dev [50.039162][ 6] [ T8360] hci_unregister_dev 000000002422b946 name hci0 bus 1 [50.039164][ 6] [ T8360] hci_unregister_dev set flag [50.039224][ 6] [ T8360] hci_unregister_dev cmd sync clear [50.039227][ 5] [ T8360] hci_unregister_dev unregister suspend notifier [50.043542][ 5] [ T8284] hci_resume_dev hci name hci0 This patch add hci_cancel_cmd_sync in hci_unregister_dev to wake up hdev->req_wait_q, and stop __hci_cmd_sync_sk by judging the HCI_UNREGISTER flag. Then stopping hci_resume_dev process based on the returned error code. Fixes: 182ee45da083 ("Bluetooth: hci_sync: Rework hci_suspend_notifier") Cc: stable(a)vger.kernel.org Signed-off-by: zhangchen <zhangchen01(a)kylinos.cn> --- net/bluetooth/hci_core.c | 6 ++++++ net/bluetooth/hci_sync.c | 22 ++++++++++++++++------ 2 files changed, 22 insertions(+), 6 deletions(-) diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c index 3418d7b964a1..c977bcba3e76 100644 --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -50,6 +50,7 @@ static void hci_rx_work(struct work_struct *work); static void hci_cmd_work(struct work_struct *work); static void hci_tx_work(struct work_struct *work); +static void hci_cancel_cmd_sync(struct hci_dev *hdev, int err); /* HCI device list */ LIST_HEAD(hci_dev_list); @@ -2695,6 +2696,8 @@ void hci_unregister_dev(struct hci_dev *hdev) hci_dev_set_flag(hdev, HCI_UNREGISTER); mutex_unlock(&hdev->unregister_lock); + hci_cancel_cmd_sync(hdev, EINTR); + write_lock(&hci_dev_list_lock); list_del(&hdev->list); write_unlock(&hci_dev_list_lock); @@ -2877,6 +2880,9 @@ int hci_resume_dev(struct hci_dev *hdev) ret = hci_resume_sync(hdev); hci_req_sync_unlock(hdev); + if (ret && hci_dev_test_flag(hdev, HCI_UNREGISTER)) + return 0; + mgmt_resuming(hdev, hdev->wake_reason, &hdev->wake_addr, hdev->wake_addr_type); diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c index 6e76798ec786..f48d34fbfff2 100644 --- a/net/bluetooth/hci_sync.c +++ b/net/bluetooth/hci_sync.c @@ -174,10 +174,11 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen, return ERR_PTR(err); err = wait_event_interruptible_timeout(hdev->req_wait_q, - hdev->req_status != HCI_REQ_PEND, + hdev->req_status != HCI_REQ_PEND || + hci_dev_test_flag(hdev, HCI_UNREGISTER), timeout); - if (err == -ERESTARTSYS) + if (err == -ERESTARTSYS || hci_dev_test_flag(hdev, HCI_UNREGISTER)) return ERR_PTR(-EINTR); switch (hdev->req_status) { @@ -6296,6 +6297,7 @@ static int hci_resume_scan_sync(struct hci_dev *hdev) */ int hci_resume_sync(struct hci_dev *hdev) { + int err; /* If not marked as suspended there nothing to do */ if (!hdev->suspended) return 0; @@ -6303,10 +6305,14 @@ int hci_resume_sync(struct hci_dev *hdev) hdev->suspended = false; /* Restore event mask */ - hci_set_event_mask_sync(hdev); + err = hci_set_event_mask_sync(hdev); + if (err && hci_dev_test_flag(hdev, HCI_UNREGISTER)) + return err; /* Clear any event filters and restore scan state */ - hci_clear_event_filter_sync(hdev); + err = hci_clear_event_filter_sync(hdev); + if (err && hci_dev_test_flag(hdev, HCI_UNREGISTER)) + return err; /* Resume scanning */ hci_resume_scan_sync(hdev); @@ -6315,10 +6321,14 @@ int hci_resume_sync(struct hci_dev *hdev) hci_resume_monitor_sync(hdev); /* Resume other advertisements */ - hci_resume_advertising_sync(hdev); + err = hci_resume_advertising_sync(hdev); + if (err && hci_dev_test_flag(hdev, HCI_UNREGISTER)) + return err; /* Resume discovery */ - hci_resume_discovery_sync(hdev); + err = hci_resume_discovery_sync(hdev); + if (err && hci_dev_test_flag(hdev, HCI_UNREGISTER)) + return err; return 0; } -- 2.25.1

3 days, 22 hours

1
0
0 0

[PATCH 6.1.y v1 0/2] mptcp: Fix conflicts between MPTCP and sockmap

by Jiayuan Chen

Overall, we encountered a warning [1] that can be triggered by running the selftest I provided. sockmap works by replacing sk_data_ready, recvmsg, sendmsg operations and implementing fast socket-level forwarding logic: 1. Users can obtain file descriptors through userspace socket()/accept() interfaces, then call BPF syscall to perform these replacements. 2. Users can also use the bpf_sock_hash_update helper (in sockops programs) to replace handlers when TCP connections enter ESTABLISHED state (BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB/BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB) However, when combined with MPTCP, an issue arises: MPTCP creates subflow sk's and performs TCP handshakes, so the BPF program obtains subflow sk's and may incorrectly replace their sk_prot. We need to reject such operations. In patch 1, we set psock_update_sk_prot to NULL in the subflow's custom sk_prot. Additionally, if the server's listening socket has MPTCP enabled and the client's TCP also uses MPTCP, we should allow the combination of subflow and sockmap. This is because the latest Golang programs have enabled MPTCP for listening sockets by default [2]. For programs already using sockmap, upgrading Golang should not cause sockmap functionality to fail. Patch 2 prevents the panic from occurring. Despite these patches fixing stream corruption, users of sockmap must set GODEBUG=multipathtcp=0 to disable MPTCP until sockmap fully supports it. [1] truncated warning: ------------[ cut here ]------------ BUG: kernel NULL pointer dereference, address: 00000000000004bb PGD 0 P4D 0 Oops: 0000 [#1] SMP PTI CPU: 0 PID: 400 Comm: test_progs Not tainted 6.1.0+ #16 RIP: 0010:mptcp_stream_accept (./include/linux/list.h:88 net/mptcp/protocol.c:3719) RSP: 0018:ffffc90000ef3cf0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8880089dcc58 RDX: 0000000000000003 RSI: 0000002c000000b0 RDI: 0000000000000000 RBP: ffffc90000ef3d38 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880089dc600 R13: ffff88800b859e00 R14: ffff88800638c680 R15: 0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000004bb CR3: 000000000b8e8006 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? apparmor_socket_accept (security/apparmor/lsm.c:966) do_accept (net/socket.c:1856) __sys_accept4 (net/socket.c:1897 net/socket.c:1927) __x64_sys_accept (net/socket.c:1941) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) [2]: https://go-review.googlesource.com/c/go/+/607715 Jiayuan Chen (2): mptcp: disallow MPTCP subflows from sockmap net,mptcp: fix proto fallback detection with BPF net/mptcp/protocol.c | 5 +++-- net/mptcp/subflow.c | 8 ++++++++ 2 files changed, 11 insertions(+), 2 deletions(-) -- 2.43.0

3 days, 22 hours

2
5
0 0

[PATCH AUTOSEL 6.17-6.12] Revert "drm/amd/display: Move setup_stream_attribute"

by Sasha Levin

From: Alex Deucher <alexander.deucher(a)amd.com> [ Upstream commit 3126c9ccb4373d8758733c6699ba5ab93dbe5c9d ] This reverts commit 2681bf4ae8d24df950138b8c9ea9c271cd62e414. This results in a blank screen on the HDMI port on some systems. Revert for now so as not to regress 6.18, can be addressed in 6.19 once the issue is root caused. Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4652 Cc: Sunpeng.Li(a)amd.com Cc: ivan.lipski(a)amd.com Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit d0e9de7a81503cdde37fb2d37f1d102f9e0f38fb) Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: Now I have a complete understanding of the issue. Let me summarize my analysis: ## Comprehensive Analysis ### 1. Commit Message Analysis This is a **revert** of commit `2681bf4ae8d24df950138b8c9ea9c271cd62e414` that moved `setup_stream_attribute()` from `link_set_dpms_on()` to individual `enable_stream()` functions. The commit clearly states: - The change "results in a blank screen on the HDMI port on some systems" - Includes a bug report link: https://gitlab.freedesktop.org/drm/amd/-/issues/4652 - Explicitly intended to "not regress 6.18" - Cherry-picked from upstream with maintainer sign-off ### 2. Critical Finding: Buggy Commit Already Backported **The original problematic commit (`7965cb360655`) was already backported to stable trees** (as shown by `[ Upstream commit ... ]` and Sasha Levin's signature). This means **stable users are currently affected by this regression** and need the fix. ### 3. Technical Root Cause The original commit attempted to fix a symclk RCO clock gating issue by moving `setup_stream_attribute()` later in the sequence, after clock ungating in `enable_stream()`. However: - **For DP (DisplayPort)**: This ordering works because DP needs symclk ungated first - **For HDMI/TMDS**: The stream attributes must be set earlier, specifically before VPG power-on and infoframe construction in `link_set_dpms_on()` The code at line 3055 in `dcn20_hwseq.c` shows where the call was moved: ```c link_hwss->setup_stream_attribute(pipe_ctx); ``` This call happens too late for HDMI paths, causing blank screens because the HDMI signal initialization sequence depends on attributes being programmed before the display pipe is fully enabled. ### 4. Code Change Assessment The revert is small and surgical: - **5 files changed** - Removes `link_hwss->setup_stream_attribute()` from 3 hwseq files (dce110, dcn20, dcn401) - Restores the call in `link_dpms.c` at the correct position (after `set_out_mux()`, before VPG power-on) - Removes unused LVDS stub from virtual_stream_encoder.c ### 5. Stable Kernel Rules Compliance | Criteria | Assessment | |----------|------------| | Fixes a real bug affecting users | ✅ Blank HDMI screen - severe user- visible regression | | Obviously correct | ✅ Simple revert to known-working code | | Small and contained | ✅ ~20 lines removed, ~5 lines added | | No new features | ✅ Pure regression fix | | Bug exists in stable | ✅ Original buggy commit was backported | ### 6. Risk Assessment - **Regression risk: LOW** - This reverts to previously known-working behavior that was stable for years - **Trade-off**: The original symclk RCO issue will remain unfixed, but: - RCO issue affects a narrow DP corner case - Blank HDMI affects common consumer hardware - A blank screen is a far worse failure than the clock gating issue - **Testing**: Upstream maintainer sign-off (Alex Deucher) and cherry- picked from mainline ### 7. User Impact - **Severity: CRITICAL** - Complete display failure on HDMI - **Scope: HIGH** - HDMI is ubiquitous; affects multiple hardware generations (dce110, dcn20, dcn401) - **Real users affected**: Bug report confirms actual user impact ### Conclusion This commit is an **ideal stable backport candidate**: 1. The regression-causing commit was already backported to stable trees, so stable users are currently broken 2. It fixes a critical user-visible bug (blank HDMI displays) 3. The fix is a simple, safe revert to known-good code 4. It has proper upstream maintainer approval 5. The risk of the revert causing problems is minimal (returning to proven behavior) The revert is **mandatory** for any stable tree that includes commit `7965cb360655` to restore working HDMI functionality. **YES** drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c | 1 - drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 2 -- drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c | 2 -- drivers/gpu/drm/amd/display/dc/link/link_dpms.c | 3 +++ .../drm/amd/display/dc/virtual/virtual_stream_encoder.c | 7 ------- 5 files changed, 3 insertions(+), 12 deletions(-) diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c b/drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c index 537f53811460..39de51cbbde9 100644 --- a/drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c +++ b/drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c @@ -671,7 +671,6 @@ void dce110_enable_stream(struct pipe_ctx *pipe_ctx) uint32_t early_control = 0; struct timing_generator *tg = pipe_ctx->stream_res.tg; - link_hwss->setup_stream_attribute(pipe_ctx); link_hwss->setup_stream_encoder(pipe_ctx); dc->hwss.update_info_frame(pipe_ctx); diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c b/drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c index f7b72b24b750..921023500bec 100644 --- a/drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c +++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c @@ -3052,8 +3052,6 @@ void dcn20_enable_stream(struct pipe_ctx *pipe_ctx) link_enc->transmitter - TRANSMITTER_UNIPHY_A); } - link_hwss->setup_stream_attribute(pipe_ctx); - if (dc->res_pool->dccg->funcs->set_pixel_rate_div) dc->res_pool->dccg->funcs->set_pixel_rate_div( dc->res_pool->dccg, diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c b/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c index 0fe763704945..b95b98cc2553 100644 --- a/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c +++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c @@ -968,8 +968,6 @@ void dcn401_enable_stream(struct pipe_ctx *pipe_ctx) } } - link_hwss->setup_stream_attribute(pipe_ctx); - if (dc->res_pool->dccg->funcs->set_pixel_rate_div) { dc->res_pool->dccg->funcs->set_pixel_rate_div( dc->res_pool->dccg, diff --git a/drivers/gpu/drm/amd/display/dc/link/link_dpms.c b/drivers/gpu/drm/amd/display/dc/link/link_dpms.c index cb80b4599936..8c8682f743d6 100644 --- a/drivers/gpu/drm/amd/display/dc/link/link_dpms.c +++ b/drivers/gpu/drm/amd/display/dc/link/link_dpms.c @@ -2458,6 +2458,7 @@ void link_set_dpms_on( struct link_encoder *link_enc = pipe_ctx->link_res.dio_link_enc; enum otg_out_mux_dest otg_out_dest = OUT_MUX_DIO; struct vpg *vpg = pipe_ctx->stream_res.stream_enc->vpg; + const struct link_hwss *link_hwss = get_link_hwss(link, &pipe_ctx->link_res); bool apply_edp_fast_boot_optimization = pipe_ctx->stream->apply_edp_fast_boot_optimization; @@ -2501,6 +2502,8 @@ void link_set_dpms_on( pipe_ctx->stream_res.tg->funcs->set_out_mux(pipe_ctx->stream_res.tg, otg_out_dest); } + link_hwss->setup_stream_attribute(pipe_ctx); + pipe_ctx->stream->apply_edp_fast_boot_optimization = false; // Enable VPG before building infoframe diff --git a/drivers/gpu/drm/amd/display/dc/virtual/virtual_stream_encoder.c b/drivers/gpu/drm/amd/display/dc/virtual/virtual_stream_encoder.c index 6ffc74fc9dcd..ad088d70e189 100644 --- a/drivers/gpu/drm/amd/display/dc/virtual/virtual_stream_encoder.c +++ b/drivers/gpu/drm/amd/display/dc/virtual/virtual_stream_encoder.c @@ -44,11 +44,6 @@ static void virtual_stream_encoder_dvi_set_stream_attribute( struct dc_crtc_timing *crtc_timing, bool is_dual_link) {} -static void virtual_stream_encoder_lvds_set_stream_attribute( - struct stream_encoder *enc, - struct dc_crtc_timing *crtc_timing) -{} - static void virtual_stream_encoder_set_throttled_vcp_size( struct stream_encoder *enc, struct fixed31_32 avg_time_slots_per_mtp) @@ -120,8 +115,6 @@ static const struct stream_encoder_funcs virtual_str_enc_funcs = { virtual_stream_encoder_hdmi_set_stream_attribute, .dvi_set_stream_attribute = virtual_stream_encoder_dvi_set_stream_attribute, - .lvds_set_stream_attribute = - virtual_stream_encoder_lvds_set_stream_attribute, .set_throttled_vcp_size = virtual_stream_encoder_set_throttled_vcp_size, .update_hdmi_info_packets = -- 2.51.0

3 days, 22 hours

1
2
0 0

[PATCH v2] tpm2-sessions: address out-of-range indexing

by Jarkko Sakkinen

'name_size' does not have any range checks, and it just directly indexes with TPM_ALG_ID. Address the issue by: 1. Rename 'name_size' as 'tpm2_name_size' so that it is bit easier to recognize and make it a fallible function. 2. Check for only known algorithms in 'tpm2_name_size'. Return -EINVAL for unrecognized algorithms. 3. In order to correctly propagate possible errors make also 'tpm2_buf_append_name' and 'tpm_buf_fill_hmac_session' fallible and address their possible errors at the call sites. Cc: stable(a)vger.kernel.org # v6.10+ Fixes: 1085b8276bb4 ("tpm: Add the rest of the session HMAC API") Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v2: There was spurious extra field added to tpm2_hash by mistake. drivers/char/tpm/tpm2-cmd.c | 23 ++++- drivers/char/tpm/tpm2-sessions.c | 108 ++++++++++++++-------- include/linux/tpm.h | 6 +- security/keys/trusted-keys/trusted_tpm2.c | 38 ++++++-- 4 files changed, 124 insertions(+), 51 deletions(-) diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c index 5b6ccf901623..e63254135a74 100644 --- a/drivers/char/tpm/tpm2-cmd.c +++ b/drivers/char/tpm/tpm2-cmd.c @@ -187,7 +187,12 @@ int tpm2_pcr_extend(struct tpm_chip *chip, u32 pcr_idx, } if (!disable_pcr_integrity) { - tpm_buf_append_name(chip, &buf, pcr_idx, NULL); + rc = tpm_buf_append_name(chip, &buf, pcr_idx, NULL); + if (rc) { + tpm2_end_auth_session(chip); + return rc; + } + tpm_buf_append_hmac_session(chip, &buf, 0, NULL, 0); } else { tpm_buf_append_handle(chip, &buf, pcr_idx); @@ -202,8 +207,14 @@ int tpm2_pcr_extend(struct tpm_chip *chip, u32 pcr_idx, chip->allocated_banks[i].digest_size); } - if (!disable_pcr_integrity) - tpm_buf_fill_hmac_session(chip, &buf); + if (!disable_pcr_integrity) { + rc = tpm_buf_fill_hmac_session(chip, &buf); + if (rc) { + tpm2_end_auth_session(chip); + return rc; + } + } + rc = tpm_transmit_cmd(chip, &buf, 0, "attempting extend a PCR value"); if (!disable_pcr_integrity) rc = tpm_buf_check_hmac_response(chip, &buf, rc); @@ -261,7 +272,11 @@ int tpm2_get_random(struct tpm_chip *chip, u8 *dest, size_t max) | TPM2_SA_CONTINUE_SESSION, NULL, 0); tpm_buf_append_u16(&buf, num_bytes); - tpm_buf_fill_hmac_session(chip, &buf); + + err = tpm_buf_fill_hmac_session(chip, &buf); + if (err) + goto out; + err = tpm_transmit_cmd(chip, &buf, offsetof(struct tpm2_get_random_out, buffer), diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 6d03c224e6b2..82b9d9096fd1 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -141,19 +141,28 @@ struct tpm2_auth { }; #ifdef CONFIG_TCG_TPM2_HMAC + /* - * Name Size based on TPM algorithm (assumes no hash bigger than 255) + * Calculate size of the TPMT_HA payload of TPM2B_NAME. */ -static u8 name_size(const u8 *name) +static int tpm2_name_size(const u8 *name) { - static u8 size_map[] = { - [TPM_ALG_SHA1] = SHA1_DIGEST_SIZE, - [TPM_ALG_SHA256] = SHA256_DIGEST_SIZE, - [TPM_ALG_SHA384] = SHA384_DIGEST_SIZE, - [TPM_ALG_SHA512] = SHA512_DIGEST_SIZE, - }; - u16 alg = get_unaligned_be16(name); - return size_map[alg] + 2; + u16 hash_alg = get_unaligned_be16(name); + + switch (hash_alg) { + case TPM_ALG_SHA1: + return SHA1_DIGEST_SIZE + 2; + case TPM_ALG_SHA256: + return SHA256_DIGEST_SIZE + 2; + case TPM_ALG_SHA384: + return SHA384_DIGEST_SIZE + 2; + case TPM_ALG_SHA512: + return SHA512_DIGEST_SIZE + 2; + case TPM_ALG_SM3_256: + return SM3256_DIGEST_SIZE + 2; + } + + return -EINVAL; } static int tpm2_parse_read_public(char *name, struct tpm_buf *buf) @@ -161,6 +170,7 @@ static int tpm2_parse_read_public(char *name, struct tpm_buf *buf) struct tpm_header *head = (struct tpm_header *)buf->data; off_t offset = TPM_HEADER_SIZE; u32 tot_len = be32_to_cpu(head->length); + int name_size_alg; u32 val; /* we're starting after the header so adjust the length */ @@ -172,9 +182,15 @@ static int tpm2_parse_read_public(char *name, struct tpm_buf *buf) return -EINVAL; offset += val; /* name */ + val = tpm_buf_read_u16(buf, &offset); - if (val != name_size(&buf->data[offset])) + name_size_alg = tpm2_name_size(&buf->data[offset]); + if (name_size_alg < 0) + return name_size_alg; + + if (val != name_size_alg) return -EINVAL; + memcpy(name, &buf->data[offset], val); /* forget the rest */ return 0; @@ -222,46 +238,59 @@ static int tpm2_read_public(struct tpm_chip *chip, u32 handle, char *name) * will be caused by an incorrect programming model and indicated by a * kernel message. */ -void tpm_buf_append_name(struct tpm_chip *chip, struct tpm_buf *buf, - u32 handle, u8 *name) +int tpm_buf_append_name(struct tpm_chip *chip, struct tpm_buf *buf, + u32 handle, u8 *name) { #ifdef CONFIG_TCG_TPM2_HMAC enum tpm2_mso_type mso = tpm2_handle_mso(handle); struct tpm2_auth *auth; + int name_size; int slot; + int ret; #endif if (!tpm2_chip_auth(chip)) { tpm_buf_append_handle(chip, buf, handle); - return; + return 0; } #ifdef CONFIG_TCG_TPM2_HMAC slot = (tpm_buf_length(buf) - TPM_HEADER_SIZE) / 4; if (slot >= AUTH_MAX_NAMES) { - dev_err(&chip->dev, "TPM: too many handles\n"); - return; + dev_err(&chip->dev, "too many handles\n"); + return -ENOMEM; } auth = chip->auth; - WARN(auth->session != tpm_buf_length(buf), - "name added in wrong place\n"); + if (auth->session != tpm_buf_length(buf)) { + dev_err(&chip->dev, "session state malformed"); + return -EIO; + } tpm_buf_append_u32(buf, handle); auth->session += 4; if (mso == TPM2_MSO_PERSISTENT || mso == TPM2_MSO_VOLATILE || mso == TPM2_MSO_NVRAM) { - if (!name) - tpm2_read_public(chip, handle, auth->name[slot]); + if (!name) { + ret = tpm2_read_public(chip, handle, auth->name[slot]); + if (ret) + return tpm_ret_to_err(ret); + } } else { if (name) - dev_err(&chip->dev, "TPM: Handle does not require name but one is specified\n"); + return -EINVAL; } auth->name_h[slot] = handle; - if (name) - memcpy(auth->name[slot], name, name_size(name)); + if (name) { + name_size = tpm2_name_size(name); + if (name_size < 0) + return name_size; + + memcpy(auth->name[slot], name, name_size); + } #endif + return 0; } EXPORT_SYMBOL_GPL(tpm_buf_append_name); @@ -537,7 +566,7 @@ static void tpm_buf_append_salt(struct tpm_buf *buf, struct tpm_chip *chip, * will be caused by an incorrect programming model and indicated by a * kernel message. */ -void tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf) +int tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf) { u32 cc, handles, val; struct tpm2_auth *auth = chip->auth; @@ -549,9 +578,10 @@ void tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf) u8 cphash[SHA256_DIGEST_SIZE]; struct sha256_ctx sctx; struct hmac_sha256_ctx hctx; + int name_size; if (!auth) - return; + return -EINVAL; /* save the command code in BE format */ auth->ordinal = head->ordinal; @@ -559,10 +589,9 @@ void tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf) cc = be32_to_cpu(head->ordinal); i = tpm2_find_cc(chip, cc); - if (i < 0) { - dev_err(&chip->dev, "Command 0x%x not found in TPM\n", cc); - return; - } + if (i < 0) + return -EINVAL; + attrs = chip->cc_attrs_tbl[i]; handles = (attrs >> TPM2_CC_ATTR_CHANDLES) & GENMASK(2, 0); @@ -576,9 +605,8 @@ void tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf) u32 handle = tpm_buf_read_u32(buf, &offset_s); if (auth->name_h[i] != handle) { - dev_err(&chip->dev, "TPM: handle %d wrong for name\n", - i); - return; + dev_err(&chip->dev, "invalid handle 0x%08x\n", handle); + return -EINVAL; } } /* point offset_s to the start of the sessions */ @@ -609,12 +637,12 @@ void tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf) offset_s += len; } if (offset_s != offset_p) { - dev_err(&chip->dev, "TPM session length is incorrect\n"); - return; + dev_err(&chip->dev, "session length is incorrect\n"); + return -EINVAL; } if (!hmac) { - dev_err(&chip->dev, "TPM could not find HMAC session\n"); - return; + dev_err(&chip->dev, "could not find HMAC session\n"); + return -EINVAL; } /* encrypt before HMAC */ @@ -646,8 +674,11 @@ void tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf) if (mso == TPM2_MSO_PERSISTENT || mso == TPM2_MSO_VOLATILE || mso == TPM2_MSO_NVRAM) { - sha256_update(&sctx, auth->name[i], - name_size(auth->name[i])); + name_size = tpm2_name_size(auth->name[i]); + if (name_size < 0) + return name_size; + + sha256_update(&sctx, auth->name[i], name_size); } else { __be32 h = cpu_to_be32(auth->name_h[i]); @@ -668,6 +699,7 @@ void tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf) hmac_sha256_update(&hctx, auth->tpm_nonce, sizeof(auth->tpm_nonce)); hmac_sha256_update(&hctx, &auth->attrs, 1); hmac_sha256_final(&hctx, hmac); + return 0; } EXPORT_SYMBOL(tpm_buf_fill_hmac_session); diff --git a/include/linux/tpm.h b/include/linux/tpm.h index 0e9e043f728c..1a59f0190eb3 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -528,8 +528,8 @@ static inline struct tpm2_auth *tpm2_chip_auth(struct tpm_chip *chip) #endif } -void tpm_buf_append_name(struct tpm_chip *chip, struct tpm_buf *buf, - u32 handle, u8 *name); +int tpm_buf_append_name(struct tpm_chip *chip, struct tpm_buf *buf, + u32 handle, u8 *name); void tpm_buf_append_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf, u8 attributes, u8 *passphrase, int passphraselen); @@ -562,7 +562,7 @@ static inline void tpm_buf_append_hmac_session_opt(struct tpm_chip *chip, #ifdef CONFIG_TCG_TPM2_HMAC int tpm2_start_auth_session(struct tpm_chip *chip); -void tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf); +int tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf); int tpm_buf_check_hmac_response(struct tpm_chip *chip, struct tpm_buf *buf, int rc); void tpm2_end_auth_session(struct tpm_chip *chip); diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c index e165b117bbca..33544b6bc105 100644 --- a/security/keys/trusted-keys/trusted_tpm2.c +++ b/security/keys/trusted-keys/trusted_tpm2.c @@ -283,7 +283,13 @@ int tpm2_seal_trusted(struct tpm_chip *chip, goto out_put; } - tpm_buf_append_name(chip, &buf, options->keyhandle, NULL); + rc = tpm_buf_append_name(chip, &buf, options->keyhandle, NULL); + if (rc) { + tpm_buf_destroy(&buf); + tpm2_end_auth_session(chip); + goto out_put; + } + tpm_buf_append_hmac_session(chip, &buf, TPM2_SA_DECRYPT, options->keyauth, TPM_DIGEST_SIZE); @@ -331,7 +337,12 @@ int tpm2_seal_trusted(struct tpm_chip *chip, goto out; } - tpm_buf_fill_hmac_session(chip, &buf); + rc = tpm_buf_fill_hmac_session(chip, &buf); + if (rc) { + tpm2_end_auth_session(chip); + goto out; + } + rc = tpm_transmit_cmd(chip, &buf, 4, "sealing data"); rc = tpm_buf_check_hmac_response(chip, &buf, rc); if (rc) @@ -438,7 +449,12 @@ static int tpm2_load_cmd(struct tpm_chip *chip, return rc; } - tpm_buf_append_name(chip, &buf, options->keyhandle, NULL); + rc = tpm_buf_append_name(chip, &buf, options->keyhandle, NULL); + if (rc) { + tpm2_end_auth_session(chip); + return rc; + } + tpm_buf_append_hmac_session(chip, &buf, 0, options->keyauth, TPM_DIGEST_SIZE); @@ -450,7 +466,10 @@ static int tpm2_load_cmd(struct tpm_chip *chip, goto out; } - tpm_buf_fill_hmac_session(chip, &buf); + rc = tpm_buf_fill_hmac_session(chip, &buf); + if (rc) + goto out; + rc = tpm_transmit_cmd(chip, &buf, 4, "loading blob"); rc = tpm_buf_check_hmac_response(chip, &buf, rc); if (!rc) @@ -497,7 +516,11 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip, return rc; } - tpm_buf_append_name(chip, &buf, blob_handle, NULL); + rc = tpm_buf_append_name(chip, &buf, options->keyhandle, NULL); + if (rc) { + tpm2_end_auth_session(chip); + return rc; + } if (!options->policyhandle) { tpm_buf_append_hmac_session(chip, &buf, TPM2_SA_ENCRYPT, @@ -522,7 +545,10 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip, NULL, 0); } - tpm_buf_fill_hmac_session(chip, &buf); + rc = tpm_buf_fill_hmac_session(chip, &buf); + if (rc) + goto out; + rc = tpm_transmit_cmd(chip, &buf, 6, "unsealing"); rc = tpm_buf_check_hmac_response(chip, &buf, rc); -- 2.52.0

4 days, 3 hours

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror