From: Sumeet Pawnikar sumeet4linux@gmail.com
[ Upstream commit efc4c35b741af973de90f6826bf35d3b3ac36bf1 ]
Fix inconsistent error handling for sscanf() return value check.
Implicit boolean conversion is used instead of explicit return value checks. The code checks if (!sscanf(...)) which is incorrect because: 1. sscanf returns the number of successfully parsed items 2. On success, it returns 1 (one item passed) 3. On failure, it returns 0 or EOF 4. The check 'if (!sscanf(...))' is wrong because it treats success (1) as failure
All occurrences of sscanf() now uses explicit return value check. With this behavior it returns '-EINVAL' when parsing fails (returns 0 or EOF), and continues when parsing succeeds (returns 1).
Signed-off-by: Sumeet Pawnikar sumeet4linux@gmail.com [ rjw: Subject and changelog edits ] Link: https://patch.msgid.link/20251207151549.202452-1-sumeet4linux@gmail.com Signed-off-by: Rafael J. Wysocki rafael.j.wysocki@intel.com Signed-off-by: Sasha Levin sashal@kernel.org ---
LLM Generated explanations, may be completely bogus:
Looking at this commit carefully to assess its suitability for stable backporting.
## Commit Analysis
### 1. COMMIT MESSAGE ANALYSIS
The commit fixes incorrect error handling for `sscanf()` return value checks in the powercap subsystem. The message claims that `if (!sscanf(...))` is wrong because: - `sscanf()` returns the number of successfully parsed items - On success: returns 1 - On failure: returns 0 or EOF (typically -1)
### 2. CODE CHANGE ANALYSIS
Three identical changes in `drivers/powercap/powercap_sys.c`: ```c // Before: if (!sscanf(dev_attr->attr.name, "constraint_%d_", &id))
// After: if (sscanf(dev_attr->attr.name, "constraint_%d_", &id) != 1) ```
Let me trace through the bug: - When `sscanf()` returns 0 (no match): `!0` = 1 (true) → error path taken ✓ - When `sscanf()` returns 1 (success): `!1` = 0 (false) → continues ✓ - When `sscanf()` returns EOF (-1): `!(-1)` = 0 (false) → **error path NOT taken** ✗
The critical issue is the EOF case. If `sscanf()` returns EOF (e.g., empty string input), the check passes incorrectly and execution continues with an **uninitialized `id` variable**. This then leads to: ```c if (id >= power_zone->const_id_cnt) // garbage comparison return -EINVAL; pconst = &power_zone->constraints[id]; // POTENTIAL OUT-OF-BOUNDS ACCESS ```
### 3. CLASSIFICATION
This is a **bug fix** that prevents: - Potential out-of-bounds array access - Use of uninitialized variable - Possible kernel crash or memory corruption in edge cases
Not a feature addition, code cleanup, or optimization.
### 4. SCOPE AND RISK ASSESSMENT
- **Lines changed**: 3 lines (identical pattern) - **Files affected**: 1 file - **Risk**: Extremely low - the change only makes the check stricter and more explicit - **Could break anything?**: No - the new check `!= 1` is strictly more conservative than `!`
### 5. USER IMPACT
The powercap subsystem manages: - Intel RAPL power capping - Power domain constraints - Used by tools like powertop, thermald
While the EOF triggering condition is rare (would require malformed attribute names), the consequence (OOB access) could be severe.
### 6. STABILITY INDICATORS
- Signed-off by Rafael J. Wysocki (Intel power management maintainer) - Self-contained fix with no dependencies - The powercap subsystem has existed since kernel 3.13
### 7. DEPENDENCY CHECK
- No dependencies on other commits - Simple standalone fix - Code exists in all active stable trees
## Summary
**What it fixes**: Incorrect sscanf error handling that could allow execution with uninitialized data, potentially leading to out-of-bounds array access.
**Why it matters for stable**: While the triggering condition (EOF from sscanf) is rare, the fix prevents a potential memory safety issue. The change is trivially correct with zero regression risk.
**Meets stable criteria**: - ✓ Obviously correct (explicit `!= 1` check is cleaner and more robust) - ✓ Fixes a real bug (uninitialized variable use, potential OOB access) - ✓ Small and contained (3 identical one-line changes) - ✓ No new features - ✓ No dependencies
**Risk vs benefit**: The benefit (preventing potential memory corruption) outweighs the near-zero risk of regression.
**YES**
drivers/powercap/powercap_sys.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/powercap/powercap_sys.c b/drivers/powercap/powercap_sys.c index d14b36b75189..1ff369880beb 100644 --- a/drivers/powercap/powercap_sys.c +++ b/drivers/powercap/powercap_sys.c @@ -68,7 +68,7 @@ static ssize_t show_constraint_##_attr(struct device *dev, \ int id; \ struct powercap_zone_constraint *pconst;\ \ - if (!sscanf(dev_attr->attr.name, "constraint_%d_", &id)) \ + if (sscanf(dev_attr->attr.name, "constraint_%d_", &id) != 1) \ return -EINVAL; \ if (id >= power_zone->const_id_cnt) \ return -EINVAL; \ @@ -93,7 +93,7 @@ static ssize_t store_constraint_##_attr(struct device *dev,\ int id; \ struct powercap_zone_constraint *pconst;\ \ - if (!sscanf(dev_attr->attr.name, "constraint_%d_", &id)) \ + if (sscanf(dev_attr->attr.name, "constraint_%d_", &id) != 1) \ return -EINVAL; \ if (id >= power_zone->const_id_cnt) \ return -EINVAL; \ @@ -162,7 +162,7 @@ static ssize_t show_constraint_name(struct device *dev, ssize_t len = -ENODATA; struct powercap_zone_constraint *pconst;
- if (!sscanf(dev_attr->attr.name, "constraint_%d_", &id)) + if (sscanf(dev_attr->attr.name, "constraint_%d_", &id) != 1) return -EINVAL; if (id >= power_zone->const_id_cnt) return -EINVAL;
From: "Mario Limonciello (AMD)" superm1@kernel.org
[ Upstream commit 7bbf6d15e935abbb3d604c1fa157350e84a26f98 ]
SVA support is required, which isn't configured by hypervisor solutions.
Closes: https://github.com/QubesOS/qubes-issues/issues/10275 Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4656 Reviewed-by: Lizhi Hou lizhi.hou@amd.com Link: https://patch.msgid.link/20251213054513.87925-1-superm1@kernel.org Signed-off-by: Mario Limonciello (AMD) superm1@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org ---
LLM Generated explanations, may be completely bogus:
## Commit Analysis: accel/amdxdna: Block running under a hypervisor
### 1. COMMIT MESSAGE ANALYSIS
The commit message indicates this fix prevents the amdxdna driver from running under hypervisors because SVA (Shared Virtual Addressing) support is required but not configured in hypervisor solutions. Two bug tracker links are provided: - QubesOS issue #10275 - freedesktop.org AMD issue #4656
This shows real users are hitting this problem.
### 2. CODE CHANGE ANALYSIS
The change is minimal:
```c +#include <asm/hypervisor.h> ... + if (!hypervisor_is_type(X86_HYPER_NATIVE)) { + XDNA_ERR(xdna, "Running under hypervisor not supported"); + return -EINVAL; + } ```
The fix adds an early check in `aie2_init()` that: 1. Uses the well-established x86 hypervisor detection infrastructure 2. If not running on bare metal (native), prints an error and returns -EINVAL 3. This happens before any resource allocation, making it a clean early- exit
**The bug mechanism:** Without this check, when users run this driver in virtualized environments (QubesOS, etc.), the driver attempts to initialize but fails due to missing SVA support. This leads to confusing errors, potential crashes, or undefined behavior. The fix makes the driver fail gracefully with a clear message.
### 3. CLASSIFICATION
This is a **bug fix** - specifically a "graceful failure" fix that prevents the driver from attempting an unsupported configuration. It does not add features; it blocks an unsupported environment with a clear error.
### 4. SCOPE AND RISK ASSESSMENT
- **Lines changed:** 5 lines (1 include + 4 lines of logic) - **Files touched:** 1 file - **Complexity:** Very low - trivial conditional check - **Risk:** Very low - early return before any resource allocation - **Dependencies:** Uses `hypervisor_is_type()` and `X86_HYPER_NATIVE` which have been in the kernel for years (x86 hypervisor detection is mature infrastructure)
### 5. USER IMPACT
- **Affected users:** Those running VMs (QubesOS, etc.) with AMD XDNA hardware - **Severity without fix:** Confusing failures, crashes, or undefined behavior when attempting to use the driver - **Severity with fix:** Clean error message explaining the limitation
The linked issues show this is a real problem users are encountering.
### 6. STABILITY INDICATORS
- Has `Reviewed-by:` from AMD engineer (Lizhi Hou) - Has real bug reports from multiple sources - Simple, obvious fix
### 7. DEPENDENCY CHECK
The amdxdna driver is relatively new (added around kernel 6.11-6.12). It exists in: - Recent mainline releases - Potentially only very recent stable trees (6.12.x if supported)
The hypervisor detection APIs used (`hypervisor_is_type`, `X86_HYPER_NATIVE`) are stable and have existed for years.
### 8. STABLE CRITERIA ASSESSMENT
| Criterion | Assessment | |-----------|------------| | Obviously correct | ✅ Yes - trivial check | | Fixes real bug | ✅ Yes - prevents crashes in VMs | | Important issue | ✅ Yes - affects VM users | | Small/contained | ✅ Yes - 5 lines | | No new features | ✅ Yes - disables unsupported config | | Low risk | ✅ Yes - clean early return |
### CONCLUSION
This commit is appropriate for stable backporting. It's a small, low- risk fix that prevents the driver from running in unsupported virtualized environments where it would otherwise fail with confusing behavior or crashes. The fix is surgically precise - adding an early check with a clean error return.
The stable maintainers will only apply this to kernel versions that contain the amdxdna driver (likely only very recent stable trees like 6.12.x). The patch itself meets all stable criteria: obviously correct, fixes a real bug that users are hitting, small scope, and no new features.
**YES**
drivers/accel/amdxdna/aie2_pci.c | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/drivers/accel/amdxdna/aie2_pci.c b/drivers/accel/amdxdna/aie2_pci.c index 43f725e1a2d7..6e07793bbeac 100644 --- a/drivers/accel/amdxdna/aie2_pci.c +++ b/drivers/accel/amdxdna/aie2_pci.c @@ -17,6 +17,7 @@ #include <linux/iopoll.h> #include <linux/pci.h> #include <linux/xarray.h> +#include <asm/hypervisor.h>
#include "aie2_msg_priv.h" #include "aie2_pci.h" @@ -486,6 +487,11 @@ static int aie2_init(struct amdxdna_dev *xdna) unsigned long bars = 0; int i, nvec, ret;
+ if (!hypervisor_is_type(X86_HYPER_NATIVE)) { + XDNA_ERR(xdna, "Running under hypervisor not supported"); + return -EINVAL; + } + ndev = drmm_kzalloc(&xdna->ddev, sizeof(*ndev), GFP_KERNEL); if (!ndev) return -ENOMEM;
From: Brian Kocoloski brian.kocoloski@amd.com
[ Upstream commit 969faea4e9d01787c58bab4d945f7ad82dad222d ]
Pass character "0" rather than NULL terminator to properly format queue restoration SMI events. Currently, the NULL terminator precedes the newline character that is intended to delineate separate events in the SMI event buffer, which can break userspace parsers.
Signed-off-by: Brian Kocoloski brian.kocoloski@amd.com Reviewed-by: Philip Yang Philip.Yang@amd.com Signed-off-by: Alex Deucher alexander.deucher@amd.com (cherry picked from commit 6e7143e5e6e21f9d5572e0390f7089e6d53edf3c) Signed-off-by: Sasha Levin sashal@kernel.org ---
LLM Generated explanations, may be completely bogus:
## Summary
### Technical Analysis
**The Bug:** Commit 663b0f1e141d introduced a refactoring that changed the inline format string to use the `KFD_EVENT_FMT_QUEUE_RESTORE` macro. This macro is defined as: ```c #define KFD_EVENT_FMT_QUEUE_RESTORE(ns, pid, node, rescheduled)\ "%lld -%d %x %c\n", (ns), (pid), (node), (rescheduled) ```
The format specifier `%c` expects a **character**. The buggy code passes integer `0` (which is the NULL terminator 0x00). When printed with `%c`, this NULL byte terminates the string before the newline `\n` gets written, causing: - Malformed event strings in the SMI buffer - Userspace parsers expecting newline-delimited events to fail
**The Fix:** Change `0` to `'0'` (ASCII character 0x30 = 48) so the `%c` format prints the character "0" followed by the newline.
**Evidence the fix is correct:** 1. The sibling function `kfd_smi_event_queue_restore_rescheduled` correctly uses `'R'` (a character) for the same parameter 2. The format specifier is `%c` which requires a character 3. The original pre-refactoring code had no character parameter at all (format was `"%lld -%d %x\n"`)
### Stable Kernel Criteria Assessment
| Criteria | Assessment | |----------|------------| | Obviously correct | ✅ Yes - format `%c` requires character, `'0'` vs `0` is clearly the fix | | Fixes real bug | ✅ Yes - breaks userspace parsers relying on newline- delimited events | | Important issue | ✅ Yes - affects userspace ABI/behavior | | Small and contained | ✅ Yes - 1 line, 1 file, single character change | | No new features | ✅ Correct - no new functionality | | Tested | ✅ Reviewed-by and cherry-picked from mainline |
### Risk Assessment
- **Risk:** Extremely low - the change is trivial and obviously correct - **Scope:** Only affects AMD GPU users using SMI event monitoring - **Regression potential:** None - this is restoring correct behavior
### Affected Versions
The bug was introduced in commit 663b0f1e141d which landed in v6.12-rc1. This fix is relevant for the 6.12.y stable branch.
### Conclusion
This is an ideal stable backport candidate: a small, obvious, low-risk fix for a user-visible bug that breaks userspace tools. The fix is trivial (single character), has clear evidence of correctness, and has been reviewed by AMD engineers. The commit message clearly explains the problem and the solution.
**YES**
drivers/gpu/drm/amd/amdkfd/kfd_smi_events.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_smi_events.c b/drivers/gpu/drm/amd/amdkfd/kfd_smi_events.c index a499449fcb06..d2bc169e84b0 100644 --- a/drivers/gpu/drm/amd/amdkfd/kfd_smi_events.c +++ b/drivers/gpu/drm/amd/amdkfd/kfd_smi_events.c @@ -312,7 +312,7 @@ void kfd_smi_event_queue_restore(struct kfd_node *node, pid_t pid) { kfd_smi_event_add(pid, node, KFD_SMI_EVENT_QUEUE_RESTORE, KFD_EVENT_FMT_QUEUE_RESTORE(ktime_get_boottime_ns(), pid, - node->id, 0)); + node->id, '0')); }
void kfd_smi_event_queue_restore_rescheduled(struct mm_struct *mm)
From: Niklas Cassel cassel@kernel.org
[ Upstream commit ba624ba88d9f5c3e2ace9bb6697dbeb05b2dbc44 ]
According to a user report, the ST2000DM008-2FR102 has problems with LPM.
Reported-by: Emerson Pinter e@pinter.dev Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220693 Signed-off-by: Niklas Cassel cassel@kernel.org Signed-off-by: Damien Le Moal dlemoal@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org ---
LLM Generated explanations, may be completely bogus:
## Analysis of Commit: Disable LPM on ST2000DM008-2FR102
### 1. COMMIT MESSAGE ANALYSIS
The commit message is clear and provides essential information: - **Purpose:** Disabling Link Power Management (LPM) for a specific Seagate hard drive model - **Evidence of real issue:** Has `Reported-by:` tag and references kernel bugzilla #220693 - **Proper sign-offs:** Signed by both the patch author (Niklas Cassel) and the libata maintainer (Damien Le Moal)
### 2. CODE CHANGE ANALYSIS
The change adds exactly 3 lines to the `__ata_dev_quirks[]` array in `drivers/ata/libata-core.c`:
```c /* Seagate disks with LPM issues */ { "ST2000DM008-2FR102", NULL, ATA_QUIRK_NOLPM }, ```
This follows the exact same pattern as existing quirks in the table. Looking at the context, there's already another Seagate drive with `ATA_QUIRK_NOLPM`: ```c { "ST1000LM024 HN-M101MBB", NULL, ATA_QUIRK_BROKEN_FPDMA_AA | ATA_QUIRK_NOLPM }, ```
The mechanism is well-understood: when this specific drive model is detected, LPM is disabled to avoid the hardware-specific issues it causes.
### 3. CLASSIFICATION
This is a **hardware quirk/workaround** - one of the explicit exceptions allowed in stable: - It's adding a device-specific workaround to an existing quirk table - Identical pattern to dozens of other quirks already in the table - Fixes real-world hardware issues even though it "adds code"
### 4. SCOPE AND RISK ASSESSMENT
| Metric | Assessment | |--------|------------| | Lines changed | 3 (minimal) | | Files touched | 1 | | Complexity | Trivial - data table addition | | Risk to other users | Zero - only affects this specific drive model | | Regression potential | None - well-established mechanism |
The risk is essentially zero. This is a data-only change to a static array. The quirk mechanism has been stable for many years and is used extensively for similar hardware workarounds.
### 5. USER IMPACT
- **Affected users:** Owners of ST2000DM008-2FR102 (2TB Seagate Barracuda) - a popular consumer HDD - **Without the fix:** LPM-related issues typically cause drive disconnects, I/O errors, or system hangs - **Severity:** Medium to High - LPM issues can cause data corruption or loss in severe cases - **Real bug evidence:** Bugzilla report indicates actual users hitting this problem
### 6. STABILITY INDICATORS
- Approved by libata maintainer (Damien Le Moal) - Proper bug tracking with Closes: tag - Reported-by indicates real user testing/reporting
### 7. DEPENDENCY CHECK
- **Dependencies:** None - standalone quirk addition - **Code exists in stable:** Yes - the quirk table and `ATA_QUIRK_NOLPM` exist in all maintained stable kernels - **Backport complexity:** Trivial - should apply cleanly to any stable kernel
### FINAL ASSESSMENT
This commit is a textbook example of what SHOULD be backported to stable:
**Meets all stable criteria:** 1. ✅ Obviously correct - identical pattern to existing quirks 2. ✅ Fixes a real bug - LPM issues reported by users 3. ✅ Small and contained - 3 lines, 1 file 4. ✅ No new features - just a hardware workaround 5. ✅ Falls into "quirks/workarounds" exception category
**Risk vs Benefit:** - **Risk:** Essentially zero - only affects one specific drive model, cannot break anything else - **Benefit:** Fixes LPM-related issues (drive disconnects, errors, potential data corruption) for users of this popular Seagate drive
This is exactly the type of low-risk, high-value hardware workaround that stable trees are designed to include.
**YES**
drivers/ata/libata-core.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c index f48fb63d7e85..1216b4f2eb90 100644 --- a/drivers/ata/libata-core.c +++ b/drivers/ata/libata-core.c @@ -4132,6 +4132,9 @@ static const struct ata_dev_quirks_entry __ata_dev_quirks[] = { { "ST3320[68]13AS", "SD1[5-9]", ATA_QUIRK_NONCQ | ATA_QUIRK_FIRMWARE_WARN },
+ /* Seagate disks with LPM issues */ + { "ST2000DM008-2FR102", NULL, ATA_QUIRK_NOLPM }, + /* drives which fail FPDMA_AA activation (some may freeze afterwards) the ST disks also have LPM issues */ { "ST1000LM024 HN-M101MBB", NULL, ATA_QUIRK_BROKEN_FPDMA_AA |
From: Marcus Hughes marcus.hughes@betterinternet.ltd
[ Upstream commit 71cfa7c893a05d09e7dc14713b27a8309fd4a2db ]
Some Potron SFP+ XGSPON ONU sticks are shipped with different EEPROM vendor ID and vendor name strings, but are otherwise functionally identical to the existing "Potron SFP+ XGSPON ONU Stick" handled by sfp_quirk_potron().
These modules, including units distributed under the "Better Internet" branding, use the same UART pin assignment and require the same TX_FAULT/LOS behaviour and boot delay. Re-use the existing Potron quirk for this EEPROM variant.
Signed-off-by: Marcus Hughes marcus.hughes@betterinternet.ltd Link: https://patch.msgid.link/20251207210355.333451-1-marcus.hughes@betterinterne... Signed-off-by: Jakub Kicinski kuba@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org ---
LLM Generated explanations, may be completely bogus:
## SUMMARY
**What the commit does**: Adds a single entry to the SFP quirks array for hardware that has a different vendor/part ID ("BIDB"/"X-ONU-SFPP") but requires identical handling to already-supported Potron modules.
**Does it meet stable kernel rules?**
1. ✅ **Obviously correct**: It's a one-line addition using existing, proven quirk infrastructure 2. ✅ **Fixes a real bug**: Without this quirk, the hardware doesn't work properly (TX_FAULT/LOS pins are misinterpreted) 3. ✅ **Important issue**: Hardware that users have purchased doesn't function 4. ✅ **Small and contained**: Single line addition to an array 5. ✅ **No new features**: Just extends existing quirk to another device ID
**Dependency check**: The `sfp_fixup_potron()` function was introduced in commit `dfec1c14aece` (June 2025) and has already been backported to stable trees (confirmed by seeing backport commit `34a890983183`). This commit requires that parent commit to be present.
**Risk vs Benefit**: - **Risk**: Near zero - only affects specific hardware identified by exact vendor/part match - **Benefit**: High for affected users - enables hardware to work properly
## CONCLUSION
This commit is a textbook example of a hardware quirk addition that IS appropriate for stable backporting. It: - Uses existing, tested infrastructure - Has minimal code change (1 line) - Enables real hardware that users have in the field - Has zero risk of regression for anyone else - The parent quirk function is already in stable trees
The only caveat is that stable kernels must have the original Potron quirk commit (`dfec1c14aece`) first, which based on the git history appears to have already been backported.
**YES**
drivers/net/phy/sfp.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c index 0401fa6b24d2..6166e9196364 100644 --- a/drivers/net/phy/sfp.c +++ b/drivers/net/phy/sfp.c @@ -497,6 +497,8 @@ static const struct sfp_quirk sfp_quirks[] = { SFP_QUIRK("ALCATELLUCENT", "3FE46541AA", sfp_quirk_2500basex, sfp_fixup_nokia),
+ SFP_QUIRK_F("BIDB", "X-ONU-SFPP", sfp_fixup_potron), + // FLYPRO SFP-10GT-CS-30M uses Rollball protocol to talk to the PHY. SFP_QUIRK_F("FLYPRO", "SFP-10GT-CS-30M", sfp_fixup_rollball),
From: Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp
[ Upstream commit 5d5602236f5db19e8b337a2cd87a90ace5ea776d ]
syzbot is still reporting
unregister_netdevice: waiting for vcan0 to become free. Usage count = 2
even after commit 93a27b5891b8 ("can: j1939: add missing calls in NETDEV_UNREGISTER notification handler") was added. A debug printk() patch found that j1939_session_activate() can succeed even after j1939_cancel_active_session() from j1939_netdev_notify(NETDEV_UNREGISTER) has completed.
Since j1939_cancel_active_session() is processed with the session list lock held, checking ndev->reg_state in j1939_session_activate() with the session list lock held can reliably close the race window.
Reported-by: syzbot syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=881d65229ca4f9ae8c84 Signed-off-by: Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp Acked-by: Oleksij Rempel o.rempel@pengutronix.de Link: https://patch.msgid.link/b9653191-d479-4c8b-8536-1326d028db5c@I-love.SAKURA.... Signed-off-by: Marc Kleine-Budde mkl@pengutronix.de Signed-off-by: Sasha Levin sashal@kernel.org ---
LLM Generated explanations, may be completely bogus:
---
## FINAL ANALYSIS SUMMARY
### What the commit fixes: A race condition in the CAN J1939 protocol driver where `j1939_session_activate()` can succeed even after `j1939_cancel_active_session()` from the NETDEV_UNREGISTER handler has completed. This leaves orphaned sessions with references to devices being unregistered, causing the "waiting for device to become free" hang.
### Why it matters to stable users: - **System hang**: The bug can cause network device unregistration to hang indefinitely - **Syzbot reproducible**: The bug was found by automated fuzzing, meaning it's triggerable in practice - **CAN J1939 users**: Affects automotive and industrial systems using the CAN J1939 protocol
### Stable kernel rule compliance:
| Criterion | Assessment | |-----------|------------| | Obviously correct | ✅ Yes - simple check using established kernel pattern | | Fixes real bug | ✅ Yes - syzbot-reported hang | | Small and contained | ✅ Yes - 2 lines added, 1 file changed | | No new features | ✅ Correct - only adds error path | | Tested | ✅ Has Acked-by from maintainer |
### Risk assessment: - **Very low risk**: The change only adds a conditional check before adding a session to the active list - **Uses established pattern**: `dev->reg_state != NETREG_REGISTERED` is used throughout net/can/raw.c and other networking code - **Cannot break existing functionality**: Adds a new error return path that's already properly handled (callers handle error returns)
### Dependencies: - The fix is logically independent - it adds a safety check that works regardless of other commits - The related commit 93a27b5891b8 is about a different part of the fix (adding missing calls in the unregister handler) - Both commits are improvements to the same underlying issue but can be applied separately
### Conclusion: This is a textbook example of a good stable backport candidate: 1. Fixes a real, user-visible bug (system hang) 2. Minimal change (2 lines) 3. Uses established kernel patterns 4. Has proper subsystem maintainer review 5. Low risk of regression
**YES**
net/can/j1939/transport.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c index fbf5c8001c9d..613a911dda10 100644 --- a/net/can/j1939/transport.c +++ b/net/can/j1939/transport.c @@ -1567,6 +1567,8 @@ int j1939_session_activate(struct j1939_session *session) if (active) { j1939_session_put(active); ret = -EAGAIN; + } else if (priv->ndev->reg_state != NETREG_REGISTERED) { + ret = -ENODEV; } else { WARN_ON_ONCE(session->state != J1939_SESSION_NEW); list_add_tail(&session->active_session_list_entry,
linux-stable-mirror@lists.linaro.org
-
Sasha Levin