
[Deepin-Kernel-SIG] [linux 6.6-y] [Upstream] Update kernel base to 6.6.124 #1503

Merged
opsiff merged 87 commits into deepin-community:linux-6.6.y from opsiff:linux-stable-update-6.6.124 on Feb 12, 2026

@opsiff opsiff commented Feb 12, 2026

Update kernel base to 6.6.124.

git log --oneline v6.6.123..v6.6.124 |wc
87 752 6444

Handle:
spi: hisi-kunpeng: Fixed the wrong debugfs node name in hisi_spi debugfs initialization
HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()

Andrew Cooper (1):
x86/kfence: fix booting on 32bit non-PAE systems

Andrew Fasano (1):
netfilter: nf_tables: fix inverted genmask check in
nft_map_catchall_activate()

Arnd Bergmann (1):
hwmon: (occ) Mark occ_init_attribute() as __printf

Baochen Qiang (1):
wifi: mac80211: collect station statistics earlier when disconnect

Bert Karwatzki (1):
Revert "drm/amd: Check if ASPM is enabled from PCIe subsystem"

Boris Burkov (1):
btrfs: fix racy bitfield write in btrfs_clear_space_info_full()

Breno Leitao (5):
spi: tegra210-quad: Return IRQ_HANDLED when timeout already processed
transfer
spi: tegra210-quad: Move curr_xfer read inside spinlock
spi: tegra210-quad: Protect curr_xfer assignment in
tegra_qspi_setup_transfer_one
spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer
spi: tegra210-quad: Protect curr_xfer clearing in
tegra_qspi_non_combined_seq_xfer

Carlos Llamas (2):
binder: fix BR_FROZEN_REPLY error log
binderfs: fix ida_alloc_max() upper bound

Chaitanya Kulkarni (1):
nvme-fc: release admin tagset if init fails

Chen Ni (1):
net: ethernet: adi: adin1110: Check return value of
devm_gpiod_get_optional() in adin1110_check_spi()

ChenXiaoSong (1):
smb/client: fix memory leak in smb2_open_file()

Chenghao Duan (1):
LoongArch: Enable exception fixup for specific ADE subcode

Chris Bainbridge (1):
ASoC: amd: fix memory leak in acp3x pdm dma ops

Chris Chiu (1):
HID: quirks: Add another Chicony HP 5MP Cameras to hid_ignore_list

Daniel Gomez (1):
netfilter: replace -EEXIST with -EBUSY

Daniel Hodges (1):
tipc: use kfree_sensitive() for session key material

DaytonCL (1):
HID: multitouch: add MT_QUIRK_STICKY_FINGERS to MT_CLS_VTL

Debarghya Kundu (1):
gve: Fix stats report corruption on queue count change

Devyn Liu (1):
spi: hisi-kunpeng: Fixed the wrong debugfs node name in hisi_spi
debugfs initialization

Dimitrios Katsaros (1):
ASoC: tlv320adcx140: Propagate error codes during probe

Eric Dumazet (3):
net: add skb_header_pointer_careful() helper
net/sched: cls_u32: use skb_header_pointer_careful()
macvlan: fix error recovery in macvlan_common_newlink()

Ethan Nelson-Moore (1):
net: usb: sr9700: support devices with virtual driver CD

Felix Gu (1):
spi: tegra: Fix a memory leak in tegra_slink_probe()

Filipe Manana (1):
btrfs: fix reservation leak in some error paths when inserting inline
extent

Gabor Juhos (1):
pmdomain: qcom: rpmpd: fix off-by-one error in clamping to the highest
state

Greg Kroah-Hartman (1):
Linux 6.6.124

Hannes Reinecke (1):
nvmet-tcp: fixup hang in nvmet_tcp_listen_data_ready()

Harshit Agarwal (1):
sched/rt: Fix race in push_rt_task

Huacai Chen (1):
LoongArch: Set correct protection_map[] for VM_NONE/VM_SHARED

Ilya Dryomov (1):
rbd: check for EOD after exclusive lock is ensured to be held

Jacky Bai (1):
pmdomain: imx: gpcv2: Fix the imx8mm gpu hang due to wrong adb400
reset

Jacob Keller (1):
drm/mgag200: fix mgag200_bmc_stop_scanout()

Jakub Kicinski (1):
net: don't touch dev->stats in BPF redirect paths

Junrui Luo (2):
dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero
dpaa2-switch: add bounds check for if_id in IRQ handler

Kang Chen (1):
hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()

Kaushlendra Kumar (3):
platform/x86: intel_telemetry: Fix swapped arrays in PSS output
regmap: maple: free entry on mas_store_gfp() failure
platform/x86: intel_telemetry: Fix PSS event register mask

Kery Qi (1):
ASoC: davinci-evm: Fix reference leak in davinci_evm_probe

Kwok Kin Ming (1):
HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()

Mario Limonciello (1):
platform/x86: hp-bioscfg: Skip empty attribute names

Maurizio Lombardi (2):
scsi: target: iscsi: Fix use-after-free in
iscsit_dec_session_usage_count()
scsi: target: iscsi: Fix use-after-free in
iscsit_dec_conn_usage_count()

Max Yuan (1):
gve: Correct ethtool rx_dropped calculation

Ming Lei (1):
ublk: fix deadlock when reading partition table

Miri Korenblit (2):
wifi: mac80211: correctly check if CSA is active
wifi: mac80211: don't increment crypto_tx_tailroom_needed_cnt twice

Moon Hee Lee (1):
wifi: mac80211: ocb: skip rx_no_sta when interface is not joined

Pablo Neira Ayuso (1):
netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX

Paolo Abeni (1):
net: gro: fix outer network offset

Peter Åstrand (1):
wifi: wlcore: ensure skb headroom before skb_push

Radhi Bajahaw (1):
ASoC: amd: yc: Fix microphone on ASUS M6500RE

Rafael J. Wysocki (1):
platform/x86: toshiba_haps: Fix memory leaks in add/remove routines

Rodrigo Lugathe da Conceição Alves (1):
HID: Apply quirk HID_QUIRK_ALWAYS_POLL to Edifier QR30 (2d99:a101)

Ruslan Krupitsa (1):
ALSA: hda/realtek: add HP Laptop 15s-eq1xxx mute LED quirk

Sean Christopherson (1):
KVM: Don't clobber irqfd routing type when deassigning irqfd

Shigeru Yoshida (1):
ipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF

Siarhei Vishniakou (1):
HID: playstation: Center initial joystick axes to prevent spurious
events

Steven Rostedt (1):
tracing: Fix ftrace event field alignments

Thomas Weissschuh (1):
ARM: 9468/1: fix memset64() on big-endian

Tim Guttzeit (1):
ALSA: hda/realtek: Fix headset mic for TongFang X6AR55xU

Veerendranath Jakkam (1):
wifi: cfg80211: Fix bitrate calculation overflow for HE rates

Vishwaroop A (1):
spi: tegra114: Preserve SPI mode bits in def_command1_reg

Werner Sembach (1):
ALSA: hda/realtek: Really fix headset mic for TongFang X6AR55xU.

Wupeng Ma (1):
ring-buffer: Avoid softlockup in ring_buffer_resize() during memory
free

Xu Yang (3):
pmdomain: imx8mp-blk-ctrl: Keep gpc power domain on for system wakeup
pmdomain: imx8mp-blk-ctrl: Keep usb phy power domain on for system
wakeup
pmdomain: imx8m-blk-ctrl: fix out-of-range access of bc->domains

YunJe Shin (1):
nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec

Zhang Lixu (2):
HID: intel-ish-hid: Update ishtp bus match to support device ID table
HID: intel-ish-hid: Reset enum_devices_done before enumeration

ZhangGuoDong (3):
smb/server: call ksmbd_session_rpc_close() on error path in
create_smb2_pipe()
smb/server: fix refcount leak in smb2_open()
smb/server: fix refcount leak in parse_durable_handle_context()

Zhiquan Li (1):
KVM: selftests: Add -U_FORTIFY_SOURCE to avoid some unpredictable test
failures

Zilin Guan (3):
net: liquidio: Initialize netdev pointer before queue setup
net: liquidio: Fix off-by-one error in PF setup_nic_devices() cleanup
net: liquidio: Fix off-by-one error in VF setup_nic_devices() cleanup

shechenglong (1):
block,bfq: fix aux stat accumulation destination

Makefile | 2 +-
arch/arm/include/asm/string.h | 5 +-
arch/loongarch/kernel/traps.c | 5 ++
arch/loongarch/mm/cache.c | 8 +--
arch/x86/include/asm/kfence.h | 7 +-
block/bfq-cgroup.c | 2 +-
drivers/android/binder.c | 5 +-
drivers/android/binderfs.c | 8 +--
drivers/base/regmap/regcache-maple.c | 11 +--
drivers/block/rbd.c | 33 +++++----
drivers/block/ublk_drv.c | 30 +++++++-
drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 3 -
drivers/gpu/drm/mgag200/mgag200_bmc.c | 31 ++++-----
drivers/gpu/drm/mgag200/mgag200_drv.h | 6 ++
drivers/hid/hid-ids.h | 4 ++
drivers/hid/hid-multitouch.c | 1 +
drivers/hid/hid-playstation.c | 5 ++
drivers/hid/hid-quirks.c | 2 +
drivers/hid/i2c-hid/i2c-hid-core.c | 1 +
drivers/hid/intel-ish-hid/ishtp-hid-client.c | 1 +
drivers/hid/intel-ish-hid/ishtp/bus.c | 12 +++-
drivers/hwmon/occ/common.c | 1 +
drivers/net/ethernet/adi/adin1110.c | 3 +
.../net/ethernet/cavium/liquidio/lio_main.c | 39 +++++------
.../ethernet/cavium/liquidio/lio_vf_main.c | 4 +-
.../ethernet/freescale/dpaa2/dpaa2-switch.c | 10 +++
drivers/net/ethernet/google/gve/gve_ethtool.c | 68 +++++++++++++------
drivers/net/ethernet/google/gve/gve_main.c | 4 +-
drivers/net/macvlan.c | 5 +-
drivers/net/usb/sr9700.c | 5 ++
drivers/net/wireless/ti/wlcore/tx.c | 5 ++
drivers/nvme/host/fc.c | 2 +
drivers/nvme/target/tcp.c | 26 +++++--
drivers/platform/x86/hp/hp-bioscfg/bioscfg.c | 5 ++
.../platform/x86/intel/telemetry/debugfs.c | 4 +-
drivers/platform/x86/intel/telemetry/pltdrv.c | 2 +-
drivers/platform/x86/toshiba_haps.c | 2 +-
drivers/pmdomain/imx/gpcv2.c | 8 +--
drivers/pmdomain/imx/imx8m-blk-ctrl.c | 2 +-
drivers/pmdomain/imx/imx8mp-blk-ctrl.c | 30 ++++++++
drivers/pmdomain/qcom/rpmpd.c | 2 +-
drivers/spi/spi-hisi-kunpeng.c | 4 +-
drivers/spi/spi-tegra114.c | 3 +
drivers/spi/spi-tegra20-slink.c | 6 +-
drivers/spi/spi-tegra210-quad.c | 36 ++++++++--
drivers/target/iscsi/iscsi_target_util.c | 10 ++-
fs/btrfs/block-group.c | 6 +-
fs/btrfs/inode.c | 16 +++--
fs/btrfs/space-info.c | 22 +++---
fs/btrfs/space-info.h | 6 +-
fs/hfsplus/dir.c | 2 +-
fs/hfsplus/hfsplus_fs.h | 8 ++-
fs/hfsplus/unicode.c | 24 +++++--
fs/hfsplus/xattr.c | 6 +-
fs/smb/client/smb2file.c | 1 +
fs/smb/server/smb2pdu.c | 8 ++-
include/linux/skbuff.h | 12 ++++
kernel/sched/rt.c | 52 +++++++-------
kernel/trace/ring_buffer.c | 2 +
kernel/trace/trace.h | 7 +-
kernel/trace/trace_entries.h | 26 +++----
kernel/trace/trace_export.c | 21 ++++--
net/bridge/netfilter/ebtables.c | 2 +-
net/core/filter.c | 8 +--
net/core/gro.c | 2 +
net/ipv6/ip6_fib.c | 3 +-
net/mac80211/iface.c | 8 ++-
net/mac80211/key.c | 3 +-
net/mac80211/ocb.c | 3 +
net/mac80211/sta_info.c | 7 +-
net/netfilter/nf_log.c | 4 +-
net/netfilter/nf_tables_api.c | 2 +-
net/netfilter/nft_set_pipapo.c | 8 +++
net/netfilter/x_tables.c | 2 +-
net/sched/cls_u32.c | 13 ++--
net/tipc/crypto.c | 4 +-
net/wireless/util.c | 8 ++-
sound/pci/hda/patch_realtek.c | 2 +
sound/soc/amd/renoir/acp3x-pdm-dma.c | 2 +
sound/soc/amd/yc/acp6x-mach.c | 7 ++
sound/soc/codecs/tlv320adcx140.c | 3 +
sound/soc/ti/davinci-evm.c | 39 ++++++++---
tools/testing/selftests/kvm/Makefile | 1 +
virt/kvm/eventfd.c | 44 ++++++------
84 files changed, 589 insertions(+), 273 deletions(-)

Summary by Sourcery

Rebase the Deepin 6.6-y kernel to Linux 6.6.124 and pull in the associated upstream fixes across networking, storage, filesystems, HID, tracing, power domains, and platform drivers.

Bug Fixes:

  • Correct multiple networking drivers and stack paths, including gve ethtool statistics, BPF redirect accounting, GRO encapsulation handling, macvlan teardown, dpaa2-switch IRQ/interface checks, liquidio NIC init/cleanup, wifi/mac80211 concurrency and stats, cfg80211 HE bitrate calculation, and SR9700 USB device support.
  • Fix storage and block-layer issues in rbd end-of-device handling, ublk request completion deadlock scenarios, nvme-fc admin tagset cleanup, nvmet-tcp PDU iovec bounds and listen callbacks, and iscsi target session/connection use-after-free.
  • Resolve filesystem bugs in Btrfs space-info state tracking, inline cow error handling, hfsplus Unicode conversion and bounds checks, hfsplus directory/xattr name handling, and ksmbd/cifs durable handle and RPC pipe cleanup.
  • Address architecture- and MM-related problems including LoongArch protection_map and ADE exception fixups, ARM memset64 endianness, and x86 KFENCE page protection for non-PAE 32-bit systems.
  • Fix concurrency and correctness issues in scheduler RT push logic, KVM irqfd deassignment routing, ring buffer resize softlockups, TIPC crypto key material freeing, i2c-hid buffer length clamping, binder error logging, and trace event field packing/descriptor metadata.
  • Correct power-management and power-domain handling for i.MX8M block controllers and Qualcomm rpmpd corner clamping, and plug notifier / GENPD flag gaps that could break wakeup or GPU/USB domains.
  • Repair various platform and codec quirks including HP BIOS empty attribute filtering, Toshiba HAPS memory management, Intel telemetry PSS statistics and config decoding, Realtek HDA quirks for HP and TongFang systems, AMD ACP and TI davinci audio probe/close paths, and AMDGPU ASPM behavior reversion.
  • Fix SPI controller race conditions and resource handling for Tegra QSPI/SPI (curr_xfer locking, spurious IRQs, probe error paths) and HiSilicon Kunpeng debugfs node creation.
  • Prevent crashes or overflows in netfilter nf_tables map catchall activation and nft_set_pipapo resizing/cloning by tightening genmask checks and INT_MAX-based bounds.
  • Harden occ hwmon __printf annotations, binderfs minor allocation bounds, OCC hwmon attribute formatting, and other small correctness issues across drivers.

Enhancements:

  • Improve PlayStation HID initial joystick centering and multitouch class quirks, add Edifier QR30 and new Chicony camera USB IDs and quirks, and extend Intel ISH HID client matching and enumeration robustness.
  • Refine wifi statistics collection timing and CSA handling, mac80211 OCB behavior when not joined, wlcore TX headroom handling, and gve statistics accounting for XDP drop/error reporting.
  • Enhance debug and safety mechanisms in nvmet-tcp data path, KVM selftests build flags, GRO encapsulated packet handling, and ring buffer resizing responsiveness during large frees.

Build:

  • Bump kernel SUBLEVEL to 6.6.124 and adjust KVM selftests CFLAGS to undefine FORTIFY_SOURCE for more predictable test behavior.

Tests:

  • Adjust KVM selftests build options to avoid fortify-induced unpredictable failures.

YunJe Shin and others added 30 commits February 12, 2026 10:46

commit 52a0a98549344ca20ad81a4176d68d28e3c05a5c upstream.

nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU
length or offset exceeds sg_cnt and then use bogus sg->length/offset
values, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining
entries, and sg->length/offset before building the bvec.

Fixes: 872d26a ("nvmet-tcp: add NVMe over TCP target driver")
Signed-off-by: YunJe Shin <ioerts@kookmin.ac.kr>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Joonkyo Jung <joonkyoj@yonsei.ac.kr>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit dca1a6ba0da9f472ef040525fab10fd9956db59f)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
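
The walk that this commit message describes, as an added user-space model that is not the kernel's nvmet-tcp code: a scatterlist is the target's view of the command buffer, while data_offset and data_length come from the network PDU and may be anything. The unchecked walk would index past sg_cnt and then trust whatever sits there; the version below applies the three guards the message names (sg_idx against sg_cnt, the remaining entries while consuming data_length, and each entry's length/offset against the page) before it emits a chunk. All names (sg_entry, iov_out, build_pdu_iovec, the example_* cases) and the sample scatterlist are hypothetical and constructed here.

```c
/*
 * Added example (user-space model, not the kernel's nvmet-tcp code).
 * Names here (sg_entry, iov_out, build_pdu_iovec, ...) are hypothetical.
 * The scatterlist is the target's view of the command's data buffer; the
 * PDU's data_offset/data_length arrive from the network and must not be
 * trusted to fit inside it.
 */
#include <stddef.h>
#include <stdint.h>

#define PAGE_SZ 4096u

struct sg_entry {
    uint32_t offset;   /* byte offset of the data inside its page */
    uint32_t length;   /* bytes of data in this entry */
};

struct iov_out {
    unsigned int sg_idx;   /* which entry the chunk comes from */
    uint32_t     page_off; /* offset inside that entry's page */
    uint32_t     len;      /* bytes in this chunk */
};

/*
 * Builds one iov per scatterlist entry touched by
 * [data_offset, data_offset + data_length). Returns the number of iovs, or -1
 * if the PDU does not fit the scatterlist, an entry carries bogus
 * length/offset values, or more than max_iov chunks would be needed.
 */
int build_pdu_iovec(const struct sg_entry *sg, unsigned int sg_cnt,
                    uint32_t data_offset, uint32_t data_length,
                    struct iov_out *out, unsigned int max_iov)
{
    unsigned int sg_idx = 0, n = 0;
    uint32_t sg_off = data_offset;

    /* Guard 1: advance to the entry holding data_offset without passing sg_cnt. */
    while (sg_idx < sg_cnt && sg_off >= sg[sg_idx].length) {
        sg_off -= sg[sg_idx].length;
        sg_idx++;
    }

    while (data_length) {
        if (sg_idx >= sg_cnt)
            return -1;                /* guard 2: no entries left for this length */
        const struct sg_entry *e = &sg[sg_idx];
        if (e->length == 0 || e->offset >= PAGE_SZ ||
            e->length > PAGE_SZ - e->offset)
            return -1;                /* guard 3: entry would overrun its page */
        if (n >= max_iov)
            return -1;
        uint32_t chunk = e->length - sg_off;   /* sg_off < e->length here */
        if (chunk > data_length)
            chunk = data_length;
        out[n].sg_idx = sg_idx;
        out[n].page_off = e->offset + sg_off;
        out[n].len = chunk;
        n++;
        data_length -= chunk;
        sg_off = 0;
        sg_idx++;
    }
    return (int)n;
}

/* Constructed sample: three entries, each a full page of data. */
static const struct sg_entry sample_sg[3] = {
    { 0, PAGE_SZ }, { 0, PAGE_SZ }, { 0, PAGE_SZ },
};

/* Well-formed PDU: 8000 bytes starting 100 bytes into entry 1 -> two chunks. */
int example_valid(void)
{
    struct iov_out iov[4];
    int n = build_pdu_iovec(sample_sg, 3, PAGE_SZ + 100, 8000, iov, 4);
    if (n != 2 || iov[0].sg_idx != 1 || iov[0].page_off != 100)
        return -1;
    return (int)(iov[0].len + iov[1].len);   /* 3996 + 4004 */
}

/* Hostile PDU: data_offset points past the last entry. */
int example_offset_past_end(void)
{
    struct iov_out iov[4];
    return build_pdu_iovec(sample_sg, 3, 3 * PAGE_SZ, 1, iov, 4);
}

/* Hostile PDU: data_length runs one byte past the scatterlist. */
int example_length_past_end(void)
{
    struct iov_out iov[4];
    return build_pdu_iovec(sample_sg, 3, 0, 3 * PAGE_SZ + 1, iov, 4);
}

/* Corrupt entry: offset + length exceeds the page it lives in. */
int example_bogus_entry(void)
{
    struct sg_entry bad[1] = { { 64, PAGE_SZ } };
    struct iov_out iov[1];
    return build_pdu_iovec(bad, 1, 0, 16, iov, 1);
}
```

The first loop is the one that matters most: once sg_idx can reach sg_cnt, the second loop must re-check it on every iteration rather than assume data_length ran out first, and the per-entry page check is what keeps a corrupt length from turning into a copy past the page even when the index itself is in range.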

commit 16459fe7e0ca6520a6e8f603de4ccd52b90fd765 upstream.

The original patch inverted the PTE unconditionally to avoid
L1TF-vulnerable PTEs, but Linux doesn't make this adjustment in 2-level
paging.

Adjust the logic to use the flip_protnone_guard() helper, which is a nop
on 2-level paging but inverts the address bits in all other paging modes.

This doesn't matter for the Xen aspect of the original change.  Linux no
longer supports running 32bit PV under Xen, and Xen doesn't support
running any 32bit PV guests without using PAE paging.

Link: https://lkml.kernel.org/r/20260126211046.2096622-1-andrew.cooper3@citrix.com
Fixes: b505f1944535 ("x86/kfence: avoid writing L1TF-vulnerable PTEs")
Reported-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Closes: https://lore.kernel.org/lkml/CAKFNMokwjw68ubYQM9WkzOuH51wLznHpEOMSqtMoV1Rn9JV_gw@mail.gmail.com/
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Tested-by: Borislav Petkov (AMD) <bp@alien8.de>
Cc: Alexander Potapenko <glider@google.com>
Cc: Marco Elver <elver@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Jann Horn <jannh@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit c56b4c84b3b21e9a7de4da39e0ba063bb1573952)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit 25e9e322d2ab5c03602eff4fbf4f7c40019d8de2 upstream.

The LTR blocking statistics and wakeup event counters are incorrectly
cross-referenced during debugfs output rendering. The code populates
pss_ltr_blkd[] with LTR blocking data and pss_s0ix_wakeup[] with wakeup
data, but the display loops reference the wrong arrays.

This causes the "LTR Blocking Status" section to print wakeup events
and the "Wakes Status" section to print LTR blockers, misleading power
management analysis and S0ix residency debugging.

Fix by aligning array usage with the intended output section labels.

Fixes: 87bee29 ("platform:x86: Add Intel Telemetry Debugfs interfaces")
Cc: stable@vger.kernel.org
Signed-off-by: Kaushlendra Kumar <kaushlendra.kumar@intel.com>
Link: https://patch.msgid.link/20251224032053.3915900-1-kaushlendra.kumar@intel.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 302651ccef698774ab540b4a64431cbf6ccac1a1)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit 8aa6f7697f5981d336cac7af6ddd182a03c6da01 upstream.

As it is indicated by the comment, the rpmpd_aggregate_corner() function
tries to clamp the state to the highest corner/level supported by the
given power domain, however the calculation of the highest state contains
an off-by-one error.

The 'max_state' member of the 'rpmpd' structure indicates the highest
corner/level, and as such it does not need to be decremented.

Change the code to use the 'max_state' value directly to avoid the error.

Fixes: 98c8b3e ("soc: qcom: rpmpd: Add sync_state")
Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit c28dcc1cb4fda72d60893554d6b623b599ca9030)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit e9ab2b83893dd03cf04d98faded81190e635233f upstream.

Current design will power off all dependent GPC power domains in
imx8mp_blk_ctrl_suspend(), even though the user device has enabled
wakeup capability. The result is that wakeup function never works
for such device.

An example will be USB wakeup on i.MX8MP. PHY device '382f0040.usb-phy'
is attached to power domain 'hsioblk-usb-phy2' which is spawned by hsio
block control. A virtual power domain device 'genpd:3:32f10000.blk-ctrl'
is created to build connection with 'hsioblk-usb-phy2' and it depends on
GPC power domain 'usb-otg2'. If device '382f0040.usb-phy' enables wakeup,
only power domain 'hsioblk-usb-phy2' keeps on during system suspend,
power domain 'usb-otg2' is off all the time. So the wakeup event can't
happen.

In order to further establish a connection between the power domains
related to GPC and block control during system suspend, register a genpd
power on/off notifier for the power_dev. This allows us to prevent the GPC
power domain from being powered off, in case the block control power
domain is kept on to serve system wakeup.

Suggested-by: Ulf Hansson <ulf.hansson@linaro.org>
Fixes: 556f5cf ("soc: imx: add i.MX8MP HSIO blk-ctrl")
Cc: stable@vger.kernel.org
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 1267af5b2033d1e1138b756d457d3e3f8f1a96f1)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit ae0a24c5a8dcea20bf8e344eadf6593e6d1959c3 upstream.

On i.MX8MM, the GPUMIX, GPU2D, and GPU3D blocks share a common reset
domain. Due to this hardware limitation, powering off/on GPU2D or GPU3D
also triggers a reset of the GPUMIX domain, including its ADB400 port.
However, the ADB400 interface must always be placed into power‑down mode
before being reset.

Currently the GPUMIX and GPU2D/3D power domains rely on runtime PM to
handle dependency ordering. In some corner cases, the GPUMIX power off
sequence is skipped, leaving the ADB400 port active when GPU2D/3D reset.
This causes the GPUMIX ADB400 port to be reset while still active,
leading to unpredictable bus behavior and GPU hangs.

To avoid this, refine the power‑domain control logic so that the GPUMIX
ADB400 port is explicitly powered down and powered up as part of the GPU
power domain on/off sequence. This ensures proper ordering and prevents
incorrect ADB400 reset.

Suggested-by: Lucas Stach <l.stach@pengutronix.de>
Signed-off-by: Jacky Bai <ping.bai@nxp.com>
Reviewed-by: Lucas Stach <l.stach@pengutronix.de>
Tested-by: Philipp Zabel <p.zabel@pengutronix.de>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit e2e1c77319d52fa4b8fa008161d4f065cae22435)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit e2c4c5b2bbd4f688a0f9f6da26cdf6d723c53478 upstream.

USB system wakeup needs its PHY on, so add the GENPD_FLAG_ACTIVE_WAKEUP
flags to USB PHY genpd configuration.

Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Fixes: 556f5cf ("soc: imx: add i.MX8MP HSIO blk-ctrl")
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 7aa0c2bb0771a6d0ffb8b62642a48846eff58bff)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit 6bd8b4a92a901fae1a422e6f914801063c345e8d upstream.

Fix out-of-range access of bc->domains in imx8m_blk_ctrl_remove().

Fixes: 2684ac0 ("soc: imx: add i.MX8M blk-ctrl driver")
Cc: stable@kernel.org
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Reviewed-by: Daniel Baluta <daniel.baluta@nxp.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 071159ff5c0bf2e5efff79501e23faf3775cbcd1)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit bd3884a204c3b507e6baa9a4091aa927f9af5404 upstream.

Similar to commit 870611e ("rbd: get snapshot context after
exclusive lock is ensured to be held"), move the "beyond EOD" check
into the image request state machine so that it's performed after
exclusive lock is ensured to be held.  This avoids various race
conditions which can arise when the image is shrunk under I/O (in
practice, mostly readahead).  In one such scenario

    rbd_assert(objno < rbd_dev->object_map_size);

can be triggered if a close-to-EOD read gets queued right before the
shrink is initiated and the EOD check is performed against an outdated
mapping_size.  After the resize is done on the server side and exclusive
lock is (re)acquired bringing along the new (now shrunk) object map, the
read starts going through the state machine and rbd_obj_may_exist() gets
invoked on an object that is out of bounds of rbd_dev->object_map array.

Cc: stable@vger.kernel.org
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Dongsheng Yang <dongsheng.yang@linux.dev>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 4f9f1fdc0ebdfd65c9fe5f6235baba8ab3f0d97a)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit 23ea2a4c72323feb6e3e025e8a6f18336513d5ad upstream.

On big-endian systems the 32-bit low and high halves need to be swapped
for the underlying assembly implementation to work correctly.

Fixes: fd1d362 ("ARM: implement memset32 & memset64")
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 7f7467be748ebacc61449606169ddbb9f86c77bb)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
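
The half-swap this commit message describes, as an added example that is not the kernel's ARM memset64 code: a memset64 built on a backend that only knows how to store two 32-bit words per element has to decide which half goes at the lower address, and that decision depends on the target's byte order. The code below simulates target memory as a byte array with an explicit endianness flag so both layouts can be checked on any host; the backend name store_word_pairs, the two memset64 variants, the reference checker and the sample value are all hypothetical and constructed here.

```c
/*
 * Added example, not the kernel's ARM memset64 code: models a memset64 that
 * is implemented on top of a backend storing two 32-bit words per element.
 * The 'be' flag simulates the target's endianness so both layouts can be
 * checked on any host; all names here are hypothetical.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SAMPLE_VALUE 0x1122334455667788ULL

/* Write a 32-/64-bit value into simulated memory in the target's byte order. */
static void put_u32(unsigned char *p, uint32_t w, int be)
{
    for (int i = 0; i < 4; i++)
        p[i] = (unsigned char)(w >> (be ? 24 - 8 * i : 8 * i));
}

static void put_u64(unsigned char *p, uint64_t w, int be)
{
    for (int i = 0; i < 8; i++)
        p[i] = (unsigned char)(w >> (be ? 56 - 8 * i : 8 * i));
}

/*
 * Backend: stores 'first' at the lower address and 'second' right after it,
 * n times. It does not know which half of the 64-bit value it was handed;
 * the caller must order them for the target.
 */
static void store_word_pairs(unsigned char *dst, uint32_t first,
                             uint32_t second, size_t n, int be)
{
    for (size_t i = 0; i < n; i++) {
        put_u32(dst + 8 * i, first, be);
        put_u32(dst + 8 * i + 4, second, be);
    }
}

/* Buggy: always passes the low half first, which is only right on little-endian. */
void memset64_low_first(unsigned char *dst, uint64_t v, size_t n, int be)
{
    store_word_pairs(dst, (uint32_t)v, (uint32_t)(v >> 32), n, be);
}

/* Fixed: on big-endian the high half lives at the lower address, so swap. */
void memset64_fixed(unsigned char *dst, uint64_t v, size_t n, int be)
{
    uint32_t lo = (uint32_t)v, hi = (uint32_t)(v >> 32);
    if (be)
        store_word_pairs(dst, hi, lo, n, be);
    else
        store_word_pairs(dst, lo, hi, n, be);
}

/*
 * Compare fn's fill against plain 64-bit stores in the same byte order.
 * Returns 1 when the 8-element fill matches the reference, 0 otherwise.
 */
int matches_reference(void (*fn)(unsigned char *, uint64_t, size_t, int), int be)
{
    unsigned char ref[64], out[64];
    for (size_t i = 0; i < 8; i++)
        put_u64(ref + 8 * i, SAMPLE_VALUE, be);
    memset(out, 0, sizeof out);
    fn(out, SAMPLE_VALUE, 8, be);
    return memcmp(ref, out, sizeof ref) == 0;
}
```

On a little-endian target both variants agree, which is why the bug is invisible on the common ARM configuration; under the big-endian flag the low-first variant fills every element with the halves transposed (0x5566778811223344 instead of 0x1122334455667788), while the fixed variant matches the reference.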

commit 243b467dea1735fed904c2e54d248a46fa417a2d upstream.

This reverts commit 7294863.

This commit was erroneously applied again after commit 0ab5d71
("drm/amd: Refactor `amdgpu_aspm` to be evaluated per device")
removed it, leading to very hard to debug crashes, when used with a system with two
AMD GPUs of which only one supports ASPM.

Link: https://lore.kernel.org/linux-acpi/20251006120944.7880-1-spasswolf@web.de/
Link: acpica/acpica#1060
Fixes: 0ab5d71 ("drm/amd: Refactor `amdgpu_aspm` to be evaluated per device")
Signed-off-by: Bert Karwatzki <spasswolf@web.de>
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 97a9689300eb2b393ba5efc17c8e5db835917080)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit d2bddc2da2b3ba5d738877c476bf97932dba32e8)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit b4d37cdb77a0015f51fee083598fa227cc07aaf1 upstream.

When deassigning a KVM_IRQFD, don't clobber the irqfd's copy of the IRQ's
routing entry as doing so breaks kvm_arch_irq_bypass_del_producer() on x86
and arm64, which explicitly look for KVM_IRQ_ROUTING_MSI.  Instead, to
handle a concurrent routing update, verify that the irqfd is still active
before consuming the routing information.  As evidenced by the x86 and
arm64 bugs, and another bug in kvm_arch_update_irqfd_routing() (see below),
clobbering the entry type without notifying arch code is surprising and
error prone.

As a bonus, checking that the irqfd is active provides a convenient
location for documenting _why_ KVM must not consume the routing entry for
an irqfd that is in the process of being deassigned: once the irqfd is
deleted from the list (which happens *before* the eventfd is detached), it
will no longer receive updates via kvm_irq_routing_update(), and so KVM
could deliver an event using stale routing information (relative to
KVM_SET_GSI_ROUTING returning to userspace).

As an even better bonus, explicitly checking for the irqfd being active
fixes a similar bug to the one the clobbering is trying to prevent: if an
irqfd is deactivated, and then its routing is changed,
kvm_irq_routing_update() won't invoke kvm_arch_update_irqfd_routing()
(because the irqfd isn't in the list).  And so if the irqfd is in bypass
mode, IRQs will continue to be posted using the old routing information.

As for kvm_arch_irq_bypass_del_producer(), clobbering the routing type
results in KVM incorrectly keeping the IRQ in bypass mode, which is
especially problematic on AMD as KVM tracks IRQs that are being posted to
a vCPU in a list whose lifetime is tied to the irqfd.

Without the help of KASAN to detect use-after-free, the most common
symptom on AMD is a NULL pointer deref in amd_iommu_update_ga() due to
the memory for irqfd structure being re-allocated and zeroed, resulting
in irqfd->irq_bypass_data being NULL when read by
avic_update_iommu_vcpu_affinity():

  BUG: kernel NULL pointer dereference, address: 0000000000000018
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 40cf2b9067 P4D 40cf2b9067 PUD 408362a067 PMD 0
  Oops: Oops: 0000 [#1] SMP
  CPU: 6 UID: 0 PID: 40383 Comm: vfio_irq_test
  Tainted: G     U  W  O        6.19.0-smp--5dddc257e6b2-irqfd #31 NONE
  Tainted: [U]=USER, [W]=WARN, [O]=OOT_MODULE
  Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.78.2-0 09/05/2025
  RIP: 0010:amd_iommu_update_ga+0x19/0xe0
  Call Trace:
   <TASK>
   avic_update_iommu_vcpu_affinity+0x3d/0x90 [kvm_amd]
   __avic_vcpu_load+0xf4/0x130 [kvm_amd]
   kvm_arch_vcpu_load+0x89/0x210 [kvm]
   vcpu_load+0x30/0x40 [kvm]
   kvm_arch_vcpu_ioctl_run+0x45/0x620 [kvm]
   kvm_vcpu_ioctl+0x571/0x6a0 [kvm]
   __se_sys_ioctl+0x6d/0xb0
   do_syscall_64+0x6f/0x9d0
   entry_SYSCALL_64_after_hwframe+0x4b/0x53
  RIP: 0033:0x46893b
    </TASK>
  ---[ end trace 0000000000000000 ]---

If AVIC is inhibited when the irqfd is deassigned, the bug will manifest as
list corruption, e.g. on the next irqfd assignment.

  list_add corruption. next->prev should be prev (ffff8d474d5cd588),
                       but was 0000000000000000. (next=ffff8d8658f86530).
  ------------[ cut here ]------------
  kernel BUG at lib/list_debug.c:31!
  Oops: invalid opcode: 0000 [#1] SMP
  CPU: 128 UID: 0 PID: 80818 Comm: vfio_irq_test
  Tainted: G     U  W  O        6.19.0-smp--f19dc4d680ba-irqfd #28 NONE
  Tainted: [U]=USER, [W]=WARN, [O]=OOT_MODULE
  Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.78.2-0 09/05/2025
  RIP: 0010:__list_add_valid_or_report+0x97/0xc0
  Call Trace:
   <TASK>
   avic_pi_update_irte+0x28e/0x2b0 [kvm_amd]
   kvm_pi_update_irte+0xbf/0x190 [kvm]
   kvm_arch_irq_bypass_add_producer+0x72/0x90 [kvm]
   irq_bypass_register_consumer+0xcd/0x170 [irqbypass]
   kvm_irqfd+0x4c6/0x540 [kvm]
   kvm_vm_ioctl+0x118/0x5d0 [kvm]
   __se_sys_ioctl+0x6d/0xb0
   do_syscall_64+0x6f/0x9d0
   entry_SYSCALL_64_after_hwframe+0x4b/0x53
   </TASK>
  ---[ end trace 0000000000000000 ]---

On Intel and arm64, the bug is less noisy, as the end result is that the
device keeps posting IRQs to the vCPU even after it's been deassigned.

Note, the worst of the breakage can be traced back to commit cb21073
("KVM: Pass new routing entries and irqfd when updating IRTEs"), as before
that commit KVM would pull the routing information from the per-VM routing
table.  But as above, similar bugs have existed since support for IRQ
bypass was added.  E.g. if a routing change finished before irq_shutdown()
invoked kvm_arch_irq_bypass_del_producer(), VMX and SVM would see stale
routing information and potentially leave the irqfd in bypass mode.

Alternatively, x86 could be fixed by explicitly checking irq_bypass_vcpu
instead of irq_entry.type in kvm_arch_irq_bypass_del_producer(), and arm64
could be modified to utilize irq_bypass_vcpu in a similar manner.  But (a)
that wouldn't fix the routing updates bug, and (b) fixing core code doesn't
preclude x86 (or arm64) from adding such code as a sanity check (spoiler
alert).

Fixes: f70c20a ("KVM: Add an arch specific hooks in 'struct kvm_kernel_irqfd'")
Fixes: cb21073 ("KVM: Pass new routing entries and irqfd when updating IRTEs")
Fixes: a0d7e2f ("KVM: arm64: vgic-v4: Only attempt vLPI mapping for actual MSIs")
Cc: stable@vger.kernel.org
Cc: Marc Zyngier <maz@kernel.org>
Cc: Oliver Upton <oupton@kernel.org>
Link: https://patch.msgid.link/20260113174606.104978-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit b61f9b2fcf181451d0a319889478cc53c001123e)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit b85e336 upstream.

Otherwise, it is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof()
when resizing hashtable because __GFP_NOWARN is unset.

Similar to:

  b541ba7 ("netfilter: conntrack: clamp maximum hashtable size to INT_MAX")

Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[ Keerthana: Handle freeing new_lt ]
Signed-off-by: Keerthana K <keerthana.kalyanasundaram@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit df524a68d9021c1401965d610bb6e42ee5d9611e)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit bea3e1d upstream.

BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186
Read of size 2 at addr ffff8880289ef218 by task syz.6.248/14290

CPU: 0 UID: 0 PID: 14290 Comm: syz.6.248 Not tainted 6.16.4 #1 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x5f0 mm/kasan/report.c:482
 kasan_report+0xca/0x100 mm/kasan/report.c:595
 hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186
 hfsplus_listxattr+0x5b6/0xbd0 fs/hfsplus/xattr.c:738
 vfs_listxattr+0xbe/0x140 fs/xattr.c:493
 listxattr+0xee/0x190 fs/xattr.c:924
 filename_listxattr fs/xattr.c:958 [inline]
 path_listxattrat+0x143/0x360 fs/xattr.c:988
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe0e9fae16d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe0eae67f98 EFLAGS: 00000246 ORIG_RAX: 00000000000000c3
RAX: ffffffffffffffda RBX: 00007fe0ea205fa0 RCX: 00007fe0e9fae16d
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000000
RBP: 00007fe0ea0480f0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fe0ea206038 R14: 00007fe0ea205fa0 R15: 00007fe0eae48000
 </TASK>

Allocated by task 14290:
 kasan_save_stack+0x24/0x50 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __do_kmalloc_node mm/slub.c:4333 [inline]
 __kmalloc_noprof+0x219/0x540 mm/slub.c:4345
 kmalloc_noprof include/linux/slab.h:909 [inline]
 hfsplus_find_init+0x95/0x1f0 fs/hfsplus/bfind.c:21
 hfsplus_listxattr+0x331/0xbd0 fs/hfsplus/xattr.c:697
 vfs_listxattr+0xbe/0x140 fs/xattr.c:493
 listxattr+0xee/0x190 fs/xattr.c:924
 filename_listxattr fs/xattr.c:958 [inline]
 path_listxattrat+0x143/0x360 fs/xattr.c:988
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

When hfsplus_uni2asc is called from hfsplus_listxattr,
it actually passes in a struct hfsplus_attr_unistr*.
The size of the corresponding structure is different from that of hfsplus_unistr,
so the previous fix (9445878) is insufficient.
The pointer on the unicode buffer is still going beyond the allocated memory.

This patch introduces two wrapper functions, hfsplus_uni2asc_xattr_str and
hfsplus_uni2asc_str, to process the two unicode buffers,
struct hfsplus_attr_unistr* and struct hfsplus_unistr* respectively.
When the ustrlen value is bigger than the allocated memory size,
the ustrlen value is limited to a safe size.

Fixes: 9445878 ("hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()")
Signed-off-by: Kang Chen <k.chen@smail.nju.edu.cn>
Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Link: https://lore.kernel.org/r/20250909031316.1647094-1-k.chen@smail.nju.edu.cn
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Jianqiang kang <jianqkang@sina.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit c3db89ea1ed3d540eebe8f3c36e806fb75ee4a1e)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit c258f5c4502c9667bccf5d76fa731ab9c96687c1 upstream.

When one process (such as udev) opens the ublk block device (e.g., to read
the partition table via bdev_open()), a deadlock[1] can occur:

1. bdev_open() grabs disk->open_mutex
2. The process issues read I/O to ublk backend to read partition table
3. In __ublk_complete_rq(), blk_update_request() or blk_mq_end_request()
   runs bio->bi_end_io() callbacks
4. If this triggers fput() on file descriptor of ublk block device, the
   work may be deferred to current task's task work (see fput() implementation)
5. This eventually calls blkdev_release() from the same context
6. blkdev_release() tries to grab disk->open_mutex again
7. Deadlock: same task waiting for a mutex it already holds

The fix is to run blk_update_request() and blk_mq_end_request() with bottom
halves disabled. This forces blkdev_release() to run in kernel work-queue
context instead of the current task's task work context, which allows the
ublk server to make forward progress and avoids the deadlock.

Fixes: 71f28f3 ("ublk_drv: add io_uring based userspace block driver")
Link: ublk-org/ublksrv#170 [1]
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Caleb Sander Mateos <csander@purestorage.com>
[axboe: rewrite comment in ublk]
Signed-off-by: Jens Axboe <axboe@kernel.dk>
[ The fix omits the change in __ublk_do_auto_buf_reg() since this function
  doesn't exist in Linux 6.6. ]
Signed-off-by: Alva Lan <alvalan9@foxmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 64c0b7e2293757e8320f13434cd809f1c9257a62)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit 690e47d upstream.

Overview
========
When a CPU chooses to call push_rt_task and picks a task to push to
another CPU's runqueue, it will call the find_lock_lowest_rq method,
which takes a double lock on both CPUs' runqueues. If one of the
locks isn't readily available, it may lead to dropping the current
runqueue lock and reacquiring both locks at once. During this window
it is possible that the task has already been migrated and is running on
some other CPU. These cases are already handled. However, if the task is
migrated and has already been executed and another CPU is now trying to
wake it up (ttwu) such that it is queued again on the runqueue
(on_rq is 1), and also if the task was run by the same CPU, then the
current checks will pass even though the task was migrated out and is no
longer in the pushable tasks list.

Crashes
=======
This bug resulted in quite a few flavors of crashes triggering kernel
panics with various crash signatures such as assert failures, page
faults, null pointer dereferences, and queue corruption errors, all
coming from the scheduler itself.

Some of the crashes:
-> kernel BUG at kernel/sched/rt.c:1616! BUG_ON(idx >= MAX_RT_PRIO)
   Call Trace:
   ? __die_body+0x1a/0x60
   ? die+0x2a/0x50
   ? do_trap+0x85/0x100
   ? pick_next_task_rt+0x6e/0x1d0
   ? do_error_trap+0x64/0xa0
   ? pick_next_task_rt+0x6e/0x1d0
   ? exc_invalid_op+0x4c/0x60
   ? pick_next_task_rt+0x6e/0x1d0
   ? asm_exc_invalid_op+0x12/0x20
   ? pick_next_task_rt+0x6e/0x1d0
   __schedule+0x5cb/0x790
   ? update_ts_time_stats+0x55/0x70
   schedule_idle+0x1e/0x40
   do_idle+0x15e/0x200
   cpu_startup_entry+0x19/0x20
   start_secondary+0x117/0x160
   secondary_startup_64_no_verify+0xb0/0xbb

-> BUG: kernel NULL pointer dereference, address: 00000000000000c0
   Call Trace:
   ? __die_body+0x1a/0x60
   ? no_context+0x183/0x350
   ? __warn+0x8a/0xe0
   ? exc_page_fault+0x3d6/0x520
   ? asm_exc_page_fault+0x1e/0x30
   ? pick_next_task_rt+0xb5/0x1d0
   ? pick_next_task_rt+0x8c/0x1d0
   __schedule+0x583/0x7e0
   ? update_ts_time_stats+0x55/0x70
   schedule_idle+0x1e/0x40
   do_idle+0x15e/0x200
   cpu_startup_entry+0x19/0x20
   start_secondary+0x117/0x160
   secondary_startup_64_no_verify+0xb0/0xbb

-> BUG: unable to handle page fault for address: ffff9464daea5900
   kernel BUG at kernel/sched/rt.c:1861! BUG_ON(rq->cpu != task_cpu(p))

-> kernel BUG at kernel/sched/rt.c:1055! BUG_ON(!rq->nr_running)
   Call Trace:
   ? __die_body+0x1a/0x60
   ? die+0x2a/0x50
   ? do_trap+0x85/0x100
   ? dequeue_top_rt_rq+0xa2/0xb0
   ? do_error_trap+0x64/0xa0
   ? dequeue_top_rt_rq+0xa2/0xb0
   ? exc_invalid_op+0x4c/0x60
   ? dequeue_top_rt_rq+0xa2/0xb0
   ? asm_exc_invalid_op+0x12/0x20
   ? dequeue_top_rt_rq+0xa2/0xb0
   dequeue_rt_entity+0x1f/0x70
   dequeue_task_rt+0x2d/0x70
   __schedule+0x1a8/0x7e0
   ? blk_finish_plug+0x25/0x40
   schedule+0x3c/0xb0
   futex_wait_queue_me+0xb6/0x120
   futex_wait+0xd9/0x240
   do_futex+0x344/0xa90
   ? get_mm_exe_file+0x30/0x60
   ? audit_exe_compare+0x58/0x70
   ? audit_filter_rules.constprop.26+0x65e/0x1220
   __x64_sys_futex+0x148/0x1f0
   do_syscall_64+0x30/0x80
   entry_SYSCALL_64_after_hwframe+0x62/0xc7

-> BUG: unable to handle page fault for address: ffff8cf3608bc2c0
   Call Trace:
   ? __die_body+0x1a/0x60
   ? no_context+0x183/0x350
   ? spurious_kernel_fault+0x171/0x1c0
   ? exc_page_fault+0x3b6/0x520
   ? plist_check_list+0x15/0x40
   ? plist_check_list+0x2e/0x40
   ? asm_exc_page_fault+0x1e/0x30
   ? _cond_resched+0x15/0x30
   ? futex_wait_queue_me+0xc8/0x120
   ? futex_wait+0xd9/0x240
   ? try_to_wake_up+0x1b8/0x490
   ? futex_wake+0x78/0x160
   ? do_futex+0xcd/0xa90
   ? plist_check_list+0x15/0x40
   ? plist_check_list+0x2e/0x40
   ? plist_del+0x6a/0xd0
   ? plist_check_list+0x15/0x40
   ? plist_check_list+0x2e/0x40
   ? dequeue_pushable_task+0x20/0x70
   ? __schedule+0x382/0x7e0
   ? asm_sysvec_reschedule_ipi+0xa/0x20
   ? schedule+0x3c/0xb0
   ? exit_to_user_mode_prepare+0x9e/0x150
   ? irqentry_exit_to_user_mode+0x5/0x30
   ? asm_sysvec_reschedule_ipi+0x12/0x20

Above are some of the common examples of the crashes that were observed
due to this issue.

Details
=======
Let's look at the following scenario to understand this race.

1) CPU A enters push_rt_task
  a) CPU A has chosen next_task = task p.
  b) CPU A calls find_lock_lowest_rq(Task p, CPU Z’s rq).
  c) CPU A identifies CPU X as a destination CPU (X < Z).
  d) CPU A enters double_lock_balance(CPU Z’s rq, CPU X’s rq).
  e) Since X is lower than Z, CPU A unlocks CPU Z’s rq. Someone else has
     locked CPU X’s rq, and thus, CPU A must wait.

2) At CPU Z
  a) Previous task has completed execution and thus, CPU Z enters
     schedule, locks its own rq after CPU A releases it.
  b) CPU Z dequeues previous task and begins executing task p.
  c) CPU Z unlocks its rq.
  d) Task p yields the CPU (ex. by doing IO or waiting to acquire a
     lock) which triggers the schedule function on CPU Z.
  e) CPU Z enters schedule again, locks its own rq, and dequeues task p.
  f) As part of dequeue, it sets p.on_rq = 0 and unlocks its rq.

3) At CPU B
  a) CPU B enters try_to_wake_up with input task p.
  b) Since CPU Z dequeued task p, p.on_rq = 0, and CPU B updates
     B.state = WAKING.
  c) CPU B via select_task_rq determines CPU Y as the target CPU.

4) The race
  a) CPU A acquires CPU X’s lock and relocks CPU Z.
  b) CPU A reads task p.cpu = Z and incorrectly concludes task p is
     still on CPU Z.
  c) CPU A failed to notice task p had been dequeued from CPU Z while
     CPU A was waiting for locks in double_lock_balance. If CPU A knew
     that task p had been dequeued, it would return NULL forcing
     push_rt_task to give up the task p's migration.
  d) CPU B updates task p.cpu = Y and calls ttwu_queue.
  e) CPU B locks Y's rq. CPU B enqueues task p onto Y and sets task
     p.on_rq = 1.
  f) CPU B unlocks CPU Y, triggering memory synchronization.
  g) CPU A reads task p.on_rq = 1, cementing its assumption that task p
     has not migrated.
  h) CPU A decides to migrate p to CPU X.

This leads to A dequeuing p from Y's queue and various crashes down the
line.

Solution
========
The solution here is fairly simple. After obtaining the lock (at 4a),
the check is enhanced to make sure that the task is still at the head of
the pushable tasks list. If not, then it is anyway not suitable for
being pushed out.

Testing
=======
The fix is tested on a cluster of 3 nodes, where the panics due to this
are hit every couple of days. A fix similar to this was deployed on such
cluster and was stable for more than 30 days.

Co-developed-by: Jon Kohler <jon@nutanix.com>
Signed-off-by: Jon Kohler <jon@nutanix.com>
Co-developed-by: Gauri Patwardhan <gauri.patwardhan@nutanix.com>
Signed-off-by: Gauri Patwardhan <gauri.patwardhan@nutanix.com>
Co-developed-by: Rahul Chunduru <rahul.chunduru@nutanix.com>
Signed-off-by: Rahul Chunduru <rahul.chunduru@nutanix.com>
Signed-off-by: Harshit Agarwal <harshit@nutanix.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: "Steven Rostedt (Google)" <rostedt@goodmis.org>
Reviewed-by: Phil Auld <pauld@redhat.com>
Tested-by: Will Ton <william.ton@nutanix.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250225180553.167995-1-harshit@nutanix.com
Signed-off-by: Rajani Kantha <681739313@139.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 9f6022b2573ae068793810db719e131df3ded405)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit 1769f90e5ba2a6d24bb46b85da33fe861c68f005 upstream.

The error logging for failed transactions is misleading as it always
reports "dead process or thread" even when the target is actually
frozen. Additionally, the pid and tid are reversed which can further
confuse debugging efforts. Fix both issues.

Cc: stable@kernel.org
Cc: Steven Moreland <smoreland@google.com>
Fixes: a15dac8 ("binder: additional transaction error logs")
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Link: https://patch.msgid.link/20260123175702.2154348-1-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit ebb6aa6928d5cafd1c12e335ddb2bf05de008631)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit ec4ddc90d201d09ef4e4bef8a2c6d9624525ad68 upstream.

The 'max' argument of ida_alloc_max() takes the maximum valid ID and not
the "count". Using an ID of BINDERFS_MAX_MINOR (1 << 20) for dev->minor
would exceed the limits of minor numbers (20-bits). Fix this off-by-one
error by subtracting 1 from the 'max'.

Cc: stable@vger.kernel.org
Fixes: 3ad20fe ("binder: implement binderfs")
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Link: https://patch.msgid.link/20260127235545.2307876-2-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 46c93903e4c1920d1e82d630ef0c17f1091e5167)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

…t failures

[ Upstream commit e396a74222654486d6ab45dca5d0c54c408b8b91 ]

Some distributions (such as Ubuntu) configure GCC so that
_FORTIFY_SOURCE is automatically enabled at -O1 or above.  This results
in fortified versions of the definitions of standard library functions
being included.  While the linker resolves the symbols, the fortified
versions might override the definitions in lib/string_override.c and
reference the PLT entries in GLIBC.  This is not a problem for the code in
the host, but it is a disaster for the guest code.  E.g., building and
running x86/nested_emulation_test on Ubuntu 24.04 will encounter an L1 #PF
due to the memset() reference to __memset_chk@plt.

The option -fno-builtin-memset is not helpful here, because those
fortified versions are not built-ins but definitions which are
included by a header; they serve different intentions.

In order to eliminate the unpredictable behaviors that may vary depending
on the linker and platform, add "-U_FORTIFY_SOURCE" to CFLAGS to
prevent the fortified definitions from being introduced.

Signed-off-by: Zhiquan Li <zhiquan_li@163.com>
Link: https://patch.msgid.link/20260122053551.548229-1-zhiquan_li@163.com
Fixes: 6b6f714 ("KVM: selftests: Implement memcmp(), memcpy(), and memset() for guest use")
Cc: stable@vger.kernel.org
[sean: tag for stable]
Signed-off-by: Sean Christopherson <seanjc@google.com>
[ Makefile.kvm -> Makefile ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit a8adf1ceee4e188b0521f0638c97bff278143924)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 7b9ebcce0296e104a0d82a6b09d68564806158ff ]

The driver and the NIC share a region in memory for stats reporting.
The NIC calculates its offset into this region based on the total size
of the stats region and the size of the NIC's stats.

When the number of queues is changed, the driver's stats region is
resized. If the queue count is increased, the NIC can write past
the end of the allocated stats region, causing memory corruption.
If the queue count is decreased, there is a gap between the driver
and NIC stats, leading to incorrect stats reporting.

This change fixes the issue by allocating stats region with maximum
size, and the offset calculation for NIC stats is changed to match
with the calculation of the NIC.

Cc: stable@vger.kernel.org
Fixes: 24aeb56 ("gve: Add Gvnic stats AQ command and ethtool show/set-priv-flags.")
Signed-off-by: Debarghya Kundu <debarghyak@google.com>
Reviewed-by: Joshua Washington <joshwash@google.com>
Signed-off-by: Harshitha Ramamurthy <hramamurthy@google.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260202193925.3106272-2-hramamurthy@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ no stopped-queue feature in older trees ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit df54838ab61826ecc1a562ffa5e280c3ab7289a7)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 033c55fe2e326bea022c3cc5178ecf3e0e459b82 ]

The fields of ftrace specific events (events used to save ftrace internal
events like function traces and trace_printk) are generated similarly to
how normal trace event fields are generated. That is, the fields are added
to a trace_events_fields array that saves the name, offset, size,
alignment and signness of the field. It is used to produce the output in
the format file in tracefs so that tooling knows how to parse the binary
data of the trace events.

The issue is that some of the ftrace event structures are packed. The
function graph exit event structures are one of them. The 64 bit calltime
and rettime fields end up 4 byte aligned, but the algorithm to show to
userspace shows them as 8 byte aligned.

The macros that create the ftrace events have one for embedded structure
fields. There are two macros for these fields:

  __field_desc() and __field_packed()

The difference of the latter macro is that it treats the field as packed.

Rename that field to __field_desc_packed() and replace __field_packed()
with a normal field that is packed, and have the calltime and rettime
fields use those.

This showed up on 32bit architectures for function graph time fields. It
had:

 ~# cat /sys/kernel/tracing/events/ftrace/funcgraph_exit/format
[..]
        field:unsigned long func;       offset:8;       size:4; signed:0;
        field:unsigned int depth;       offset:12;      size:4; signed:0;
        field:unsigned int overrun;     offset:16;      size:4; signed:0;
        field:unsigned long long calltime;      offset:24;      size:8; signed:0;
        field:unsigned long long rettime;       offset:32;      size:8; signed:0;

Notice that overrun is at offset 16 with size 4, where in the structure
calltime is at offset 20 (16 + 4), but it shows the offset at 24. That's
because it used the alignment of unsigned long long when used as a
declaration and not as a member of a structure where it would be aligned
by word size (in this case 4).

By using the proper structure alignment, the format has it at the correct
offset:

 ~# cat /sys/kernel/tracing/events/ftrace/funcgraph_exit/format
[..]
        field:unsigned long func;       offset:8;       size:4; signed:0;
        field:unsigned int depth;       offset:12;      size:4; signed:0;
        field:unsigned int overrun;     offset:16;      size:4; signed:0;
        field:unsigned long long calltime;      offset:20;      size:8; signed:0;
        field:unsigned long long rettime;       offset:28;      size:8; signed:0;

Cc: stable@vger.kernel.org
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Reported-by: "jempty.liang" <imntjempty@163.com>
Link: https://patch.msgid.link/20260204113628.53faec78@gandalf.local.home
Fixes: 04ae87a ("ftrace: Rework event_create_dir()")
Closes: https://lore.kernel.org/all/20260130015740.212343-1-imntjempty@163.com/
Closes: https://lore.kernel.org/all/20260202123342.2544795-1-imntjempty@163.com/
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
[ adapted field types and macro arguments ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit d75245dad5cc665a8c0693b10ce5e638397571e1)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit ff4071c60018a668249dc6a2df7d16330543540e ]
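
Added example (not kernel code) of the alignment mismatch the ftrace commit above describes: it models the 32-bit funcgraph_exit layout as a packed struct, computes each field's offset both the old way (rounding up to the scalar type's own alignment, which ignores packing) and from offsetof(), and counts the fields a format-file parser would decode from the wrong place. The 8-byte common header and the use of uint32_t for the 32-bit "unsigned long" are assumptions made to reproduce the offsets quoted in the commit message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not kernel code.  Models the 32-bit funcgraph_exit layout
 * from the commit message: an 8-byte common trace header (represented by one
 * opaque 64-bit field, an assumption), three 4-byte words ("unsigned long"
 * is 4 bytes on a 32-bit architecture), then two 64-bit timestamps.  The
 * structure is packed, as the ftrace one is.
 */
struct funcgraph_exit_packed {
	uint64_t common_hdr;
	uint32_t func;
	uint32_t depth;
	uint32_t overrun;
	uint64_t calltime;
	uint64_t rettime;
} __attribute__((packed));

enum { FIELD_COUNT = 6 };

struct field_desc {
	const char *name;
	size_t size;
	size_t type_align;	/* natural alignment of the scalar type on its own */
};

/* Same order as the struct members above; type_align is a power of two. */
static const struct field_desc fields[FIELD_COUNT] = {
	{ "common_hdr", sizeof(uint64_t), sizeof(uint64_t) },
	{ "func",       sizeof(uint32_t), sizeof(uint32_t) },
	{ "depth",      sizeof(uint32_t), sizeof(uint32_t) },
	{ "overrun",    sizeof(uint32_t), sizeof(uint32_t) },
	{ "calltime",   sizeof(uint64_t), sizeof(uint64_t) },
	{ "rettime",    sizeof(uint64_t), sizeof(uint64_t) },
};

/*
 * The old format-file algorithm as the commit describes it: each field is
 * placed at the alignment its type would have as a standalone declaration,
 * so the packing of the enclosing structure is ignored.  Returns the offset
 * that algorithm would report for field i.
 */
size_t naive_field_offset(int i)
{
	size_t off = 0;

	for (int k = 0; k <= i; k++) {
		size_t a = fields[k].type_align;

		off = (off + a - 1) & ~(a - 1);	/* round up; a is a power of two */
		if (k == i)
			return off;
		off += fields[k].size;
	}
	return off;
}

/* The real offset of field i, taken from the packed structure itself. */
size_t actual_field_offset(int i)
{
	static const size_t offs[FIELD_COUNT] = {
		offsetof(struct funcgraph_exit_packed, common_hdr),
		offsetof(struct funcgraph_exit_packed, func),
		offsetof(struct funcgraph_exit_packed, depth),
		offsetof(struct funcgraph_exit_packed, overrun),
		offsetof(struct funcgraph_exit_packed, calltime),
		offsetof(struct funcgraph_exit_packed, rettime),
	};

	return (i >= 0 && i < FIELD_COUNT) ? offs[i] : (size_t)-1;
}

/* Number of fields a parser would misplace if it trusted the old format file. */
int count_mismatched_fields(void)
{
	int bad = 0;

	for (int i = 0; i < FIELD_COUNT; i++)
		if (naive_field_offset(i) != actual_field_offset(i))
			bad++;
	return bad;
}

int main(void)
{
	for (int i = 0; i < FIELD_COUNT; i++)
		printf("%-10s size:%zu  old-format offset:%2zu  real offset:%2zu%s\n",
		       fields[i].name, fields[i].size,
		       naive_field_offset(i), actual_field_offset(i),
		       naive_field_offset(i) != actual_field_offset(i) ? "  <- wrong" : "");
	printf("%d field(s) would be decoded from the wrong offset\n",
	       count_mismatched_fields());
	return 0;
}
```

The old algorithm places calltime at 24 and rettime at 32, exactly as in the first format dump above, while offsetof() gives 20 and 28, matching the corrected dump.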

ieee80211_ocb_rx_no_sta() assumes a valid channel context, which is only
present after JOIN_OCB.

RX may run before JOIN_OCB is executed, in which case the OCB interface
is not operational. Skip RX peer handling when the interface is not
joined to avoid warnings in the RX path.

Reported-by: syzbot+b364457b2d1d4e4a3054@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b364457b2d1d4e4a3054
Tested-by: syzbot+b364457b2d1d4e4a3054@syzkaller.appspotmail.com
Signed-off-by: Moon Hee Lee <moonhee.lee.ca@gmail.com>
Link: https://patch.msgid.link/20251216035932.18332-1-moonhee.lee.ca@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit ffe1e19c3b0e5b9eb9e04fad4bce7d1dc407fd77)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit e75665dd096819b1184087ba5718bd93beafff51 ]

This avoids occasional skb_under_panic Oops from wl1271_tx_work. In this
case, headroom is less than needed (typically 110 - 94 = 16 bytes).

Signed-off-by: Peter Astrand <astrand@lysator.liu.se>
Link: https://patch.msgid.link/097bd417-e1d7-acd4-be05-47b199075013@lysator.liu.se
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit b167312390fdd461c81ead516f2b0b44e83a9edb)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit bf4172bd870c3a34d3065cbb39192c22cbd7b18d ]

Some SR9700 devices have an SPI flash chip containing a virtual driver
CD, in which case they appear as a device with two interfaces and
product ID 0x9702. Interface 0 is the driver CD and interface 1 is the
Ethernet device.

Link: https://github.com/name-kurniawan/usb-lan
Link: https://www.draisberghof.de/usb_modeswitch/bb/viewtopic.php?t=2185
Signed-off-by: Ethan Nelson-Moore <enelsonmoore@gmail.com>
Link: https://patch.msgid.link/20251211062451.139036-1-enelsonmoore@gmail.com
[pabeni@redhat.com: fixes link tags]
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 8365785e59ea4e0160aa07c4a79e2155bbb9944f)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 04bdb1a04d8a2a89df504c1e34250cd3c6e31a1c ]

Route bfqg_stats_add_aux() time accumulation into the destination
stats object instead of the source, aligning with other stat fields.

Reviewed-by: Yu Kuai <yukuai@fnnas.com>
Signed-off-by: shechenglong <shechenglong@xfusion.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit b03415955ed31d14f1fc76cdaeb0cfad210612bf)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

…b2_pipe()

[ Upstream commit 7c28f8eef5ac5312794d8a52918076dcd787e53b ]

When ksmbd_iov_pin_rsp() fails, we should call ksmbd_session_rpc_close().

Signed-off-by: ZhangGuoDong <zhangguodong@kylinos.cn>
Signed-off-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 04dd114b682a4ccaeba2c2bad049c8b50ce740d8)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit d5be446948b379f1d1a8e7bc6656d13f44c5c7b1 ]

For 32BIT platforms _PAGE_PROTNONE is 0, so setting a VMA to be VM_NONE or
VM_SHARED will make pages non-present and then cause an Oops with a kernel
page fault.

Fix it by setting the correct protection_map[] for VM_NONE/VM_SHARED,
replacing _PAGE_PROTNONE with _PAGE_PRESENT.

Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 5fbdf95d2575ec53fd4a5c18e789b4d54a0281fe)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit f416c556997aa56ec4384c6b6efd6a0e6ac70aa7 ]

When ksmbd_vfs_getattr() fails, the reference count of ksmbd_file
must be released.

Suggested-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: ZhangGuoDong <zhangguodong@kylinos.cn>
Signed-off-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 2456fde2b137703328f1695f60c68fe488d17e36)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 9bdc1ab5e4ce6f066119018d8f69631a46f9c5a0 ]

This patch allows the LoongArch BPF JIT to handle recoverable memory
access errors generated by BPF_PROBE_MEM* instructions.

When a BPF program performs memory access operations, the instructions
it executes may trigger ADEM exceptions. The kernel’s built-in BPF
exception table mechanism (EX_TYPE_BPF) will generate corresponding
exception fixup entries in the JIT compilation phase; however, the
architecture-specific trap handling function needs to proactively call
the common fixup routine to achieve exception recovery.

do_ade(): fix EX_TYPE_BPF memory access exceptions for BPF programs,
ensure safe execution.

Relevant test cases: illegal address access tests in module_attach and
subprogs_extable of selftests/bpf.

Signed-off-by: Chenghao Duan <duanchenghao@kylinos.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 73ede654d9daa2ee41bdd17bc62946fc5a0258cb)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 3296c3012a9d9a27e81e34910384e55a6ff3cff0 ]

When the command is a replay operation and -ENOEXEC is returned,
the refcount of ksmbd_file must be released.

Signed-off-by: ZhangGuoDong <zhangguodong@kylinos.cn>
Signed-off-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 07df5ff4f6490a5c96715b7c562e0b2908422e04)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

Chen Ni and others added 18 commits February 12, 2026 10:53

…tional() in adin1110_check_spi()

[ Upstream commit 78211543d2e44f84093049b4ef5f5bfa535f4645 ]

The devm_gpiod_get_optional() function may return an ERR_PTR in case of
genuine GPIO acquisition errors, not just NULL which indicates the
legitimate absence of an optional GPIO.

Add an IS_ERR() check after the call in adin1110_check_spi(). On error,
return the error code to ensure proper failure handling rather than
proceeding with invalid pointers.

Fixes: 36934ca ("net: ethernet: adi: adin1110: add reset GPIO")
Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Link: https://patch.msgid.link/20260202040228.4129097-1-nichen@iscas.ac.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 00a7512ff71951a8c6bfbd43baedab43746bec79)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 5c2c3c38be396257a6a2e55bd601a12bb9781507 ]

The udp GRO complete stage assumes that all the packets inserted into the RX
have the `encapsulation` flag zeroed. Such an assumption is not true, as a
few H/W NICs can set such a flag when H/W offloading the checksum for
UDP encapsulated traffic, the tun driver can inject GSO packets with
UDP encapsulation, and the problematic layout can also be created via
a veth based setup.

Due to the above, in the problematic scenarios, udp4_gro_complete() uses
the wrong network offset (inner instead of outer) to compute the outer
UDP header pseudo checksum, leading to csum validation errors later on
in packet processing.

Address the issue by always clearing the encapsulation flag at GRO
completion time. Such a flag will be set again as needed for encapsulated
packets by udp_gro_complete().

Fixes: 5ef31ea ("net: gro: fix udp bad offset in socket lookup by adding {inner_}network_offset to napi_gro_cb")
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/562638dbebb3b15424220e26a180274b387e2a88.1770032084.git.pabeni@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 9d40a85138568696387ef04cd004c64612a70874)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 0e0c8f4d16de92520623aa1ea485cadbf64e6929 ]

The mgag200_bmc_stop_scanout() function is called by the .atomic_disable()
handler for the MGA G200 VGA BMC encoder. This function performs a few
register writes to inform the BMC of an upcoming mode change, and then
polls to wait until the BMC actually stops.

The polling is implemented using a busy loop with udelay() and an iteration
timeout of 300, resulting in the function blocking for 300 milliseconds.

The function gets called ultimately by the output_poll_execute work thread
for the DRM output change polling thread of the mgag200 driver:

kworker/0:0-mm_    3528 [000]  4555.315364:
        ffffffffaa0e25b3 delay_halt.part.0+0x33
        ffffffffc03f6188 mgag200_bmc_stop_scanout+0x178
        ffffffffc087ae7a disable_outputs+0x12a
        ffffffffc087c12a drm_atomic_helper_commit_tail+0x1a
        ffffffffc03fa7b6 mgag200_mode_config_helper_atomic_commit_tail+0x26
        ffffffffc087c9c1 commit_tail+0x91
        ffffffffc087d51b drm_atomic_helper_commit+0x11b
        ffffffffc0509694 drm_atomic_commit+0xa4
        ffffffffc05105e8 drm_client_modeset_commit_atomic+0x1e8
        ffffffffc0510ce6 drm_client_modeset_commit_locked+0x56
        ffffffffc0510e24 drm_client_modeset_commit+0x24
        ffffffffc088a743 __drm_fb_helper_restore_fbdev_mode_unlocked+0x93
        ffffffffc088a683 drm_fb_helper_hotplug_event+0xe3
        ffffffffc050f8aa drm_client_dev_hotplug+0x9a
        ffffffffc088555a output_poll_execute+0x29a
        ffffffffa9b35924 process_one_work+0x194
        ffffffffa9b364ee worker_thread+0x2fe
        ffffffffa9b3ecad kthread+0xdd
        ffffffffa9a08549 ret_from_fork+0x29

On a server running ptp4l with the mgag200 driver loaded, we found that
ptp4l would sometimes get blocked from execution because of this busy
waiting loop.

Every so often, approximately once every 20 minutes -- though with large
variance -- the output_poll_execute() thread would detect some sort of
change that required performing a hotplug event which results in attempting
to stop the BMC scanout, resulting in a 300msec delay on one CPU.

On this system, ptp4l was pinned to a single CPU. When the
output_poll_execute() thread ran on that CPU, it blocked ptp4l from
executing for its 300 millisecond duration.

This resulted in PTP service disruptions such as failure to send a SYNC
message on time, failure to handle ANNOUNCE messages on time, and clock
check warnings from the application. All of this despite the application
being configured with FIFO_RT and a higher priority than the background
workqueue tasks. (However, note that the kernel did not use
CONFIG_PREEMPT...)

It is unclear if the event is due to a faulty VGA connection, another bug,
or actual events causing a change in the connection. At least on the system
under test it is not a one-time event and consistently causes disruption to
the time sensitive applications.

The function has some helpful comments explaining what steps it is
attempting to take. In particular, step 3a and 3b are explained as such:

  3a - The third step is to verify if there is an active scan. We are
       waiting on a 0 on remhsyncsts (<XSPAREREG<0>.

  3b - This step occurs only if the remove is actually scanning. We are
       waiting for the end of the frame which is a 1 on remvsyncsts
       (<XSPAREREG<1>).

The actual steps 3a and 3b are implemented as while loops with a
non-sleeping udelay(). The first step iterates while the tmp value at
position 0 is *not* set. That is, it keeps iterating as long as the bit is
zero. If the bit is already 0 (because there is no active scan), it will
iterate the entire 300 attempts which wastes 300 milliseconds in total.
This is opposite of what the description claims.

The step 3b logic only executes if we do not iterate over the entire 300
attempts in the first loop. If it does trigger, it is trying to check and
wait for a 1 on the remvsyncsts. However, again the condition is actually
inverted and it will loop as long as the bit is 1, stopping once it hits
zero (rather than the explained attempt to wait until we see a 1).

Worse, both loops are implemented using non-sleeping waits which spin
instead of allowing the scheduler to run other processes. If the kernel is
not configured to allow arbitrary preemption, it will waste valuable CPU
time doing nothing.

There does not appear to be any documentation for the BMC register
interface, beyond what is in the comments here. It seems more probable that
the comment here is correct and the implementation accidentally got
inverted from the intended logic.

Reading through other DRM driver implementations, it does not appear that
the .atomic_enable or .atomic_disable handlers need to delay instead of
sleep. For example, the ast_astdp_encoder_helper_atomic_disable() function
calls ast_dp_set_phy_sleep() which uses msleep(). The "atomic" in the name
is referring to the atomic modesetting support, which is the support to
enable atomic configuration from userspace, and not to the "atomic context"
of the kernel. There is no reason to use udelay() here if a sleep would be
sufficient.

Replace the while loops with a read_poll_timeout() based implementation
that will sleep between iterations, and which stops polling once the
condition is met (instead of looping as long as the condition is met). This
aligns with the commented behavior and avoids blocking on the CPU while
doing nothing.

Note the RREG_DAC is implemented using a statement expression to allow
working properly with the read_poll_timeout family of functions. The other
RREG_<TYPE> macros ought to be cleaned up to have better semantics, and
several places in the mgag200 driver that could make use of RREG_DAC or similar
RREG_* macros should likely be cleaned up for better semantics as well, but
that task has been left as a future cleanup for a non-bugfix.

Fixes: 414c453 ("mgag200: initial g200se driver (v2)")
Suggested-by: Thomas Zimmermann <tzimmermann@suse.de>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Reviewed-by: Jocelyn Falempe <jfalempe@redhat.com>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patch.msgid.link/20260202-jk-mgag200-fix-bad-udelay-v2-1-ce1e9665987d@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 3f89a4ef6505a8f0f20ac6a670beafc813700e24)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
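To make the inverted polling concrete, here is an added example that is not part of the patch or the mgag200 driver: it replays the step 3a/3b loops against a constructed fake XSPAREREG, with the buggy loop shape reconstructed from the description above and the fixed loop following read_poll_timeout() semantics. Only the 300-attempt budget and the two bit positions come from the message; the register model, function names and all values are assumptions of this example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BMC_POLL_ATTEMPTS 300   /* the 300 x 1 ms budget named in the message */
#define REMHSYNCSTS_BIT   0x01  /* XSPAREREG<0>: remote hsync status (step 3a) */
#define REMVSYNCSTS_BIT   0x02  /* XSPAREREG<1>: remote vsync status (step 3b) */

/* Constructed stand-in for the BMC's XSPAREREG: returns `before` for the
 * first `change_after` reads and `after` from then on, so a scenario can say
 * "the remote finishes its frame after N milliseconds". */
struct fake_bmc {
	uint8_t before, after;
	unsigned change_after;
	unsigned reads;
};

static uint8_t fake_rreg_dac(struct fake_bmc *bmc)
{
	uint8_t v = bmc->reads < bmc->change_after ? bmc->before : bmc->after;

	bmc->reads++;
	return v;
}

struct poll_result {
	int err;         /* 0 when the wanted state was seen, else -ETIMEDOUT */
	unsigned slots;  /* 1 ms delay/sleep slots spent; with udelay() this is CPU time */
};

/* The loop shape the message describes, reconstructed from the text rather
 * than copied from the driver: keep spinning *while* the bit is already in
 * the wanted state (3a: while remhsyncsts is 0, 3b: while remvsyncsts is 1),
 * one udelay() slot per pass.  When the wanted state holds from the start,
 * the entire budget is burned on the CPU. */
struct poll_result step_buggy(uint8_t mask, bool want_set,
			      uint8_t before, uint8_t after, unsigned change_after)
{
	struct fake_bmc bmc = { before, after, change_after, 0 };
	struct poll_result r = { 0, 0 };
	bool set;

	do {
		set = (fake_rreg_dac(&bmc) & mask) != 0;
		r.slots++;                     /* udelay(1000): busy-wait, no scheduling */
	} while (set == want_set && r.slots < BMC_POLL_ATTEMPTS);

	/* The loop only ends early when the bit *leaves* the wanted state. */
	r.err = (set == want_set) ? -ETIMEDOUT : 0;
	return r;
}

/* read_poll_timeout()-style replacement: re-read until the bit matches
 * `want_set` or the budget runs out, stopping the moment the condition holds.
 * In the driver the gap between reads is a sleep, so a pinned task such as
 * the ptp4l process in the report is not starved. */
struct poll_result step_fixed(uint8_t mask, bool want_set,
			      uint8_t before, uint8_t after, unsigned change_after)
{
	struct fake_bmc bmc = { before, after, change_after, 0 };
	struct poll_result r = { 0, 0 };

	for (;;) {
		bool set = (fake_rreg_dac(&bmc) & mask) != 0;

		if (set == want_set)
			return r;               /* err == 0: condition met */
		if (++r.slots >= BMC_POLL_ATTEMPTS) {
			r.err = -ETIMEDOUT;
			return r;
		}
		/* kernel: sleep here; read_poll_timeout() sleeps between reads */
	}
}

int main(void)
{
	/* No active scan: remhsyncsts is already 0, which is what step 3a waits for. */
	struct poll_result b = step_buggy(REMHSYNCSTS_BIT, false, 0x00, 0x00, 0);
	struct poll_result f = step_fixed(REMHSYNCSTS_BIT, false, 0x00, 0x00, 0);

	printf("3a, idle BMC: buggy spins %u ms (err %d), fixed waits %u ms (err %d)\n",
	       b.slots, b.err, f.slots, f.err);

	/* Remote scanning, vsync asserted after 5 ms: step 3b waits for a 1. */
	f = step_fixed(REMVSYNCSTS_BIT, true, 0x01, 0x03, 5);
	printf("3b, vsync after 5 ms: fixed waits %u ms (err %d)\n", f.slots, f.err);
	return 0;
}
```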
[ Upstream commit 831a2b27914cc880130ffe8fb8d1e65a5324d07f ]

This is a printf-style function, which gcc -Werror=suggest-attribute=format
correctly points out:

drivers/hwmon/occ/common.c: In function 'occ_init_attribute':
drivers/hwmon/occ/common.c:761:9: error: function 'occ_init_attribute' might be a candidate for 'gnu_printf' format attribute [-Werror=suggest-attribute=format]

Add the attribute to avoid this warning and ensure any incorrect
format strings are detected here.

Fixes: 744c2fe ("hwmon: (occ) Rework attribute registration for stack usage")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/20260203163440.2674340-1-arnd@kernel.org
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 8c934bafd10b968bc2be9ad83ab99710247ce251)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…activate()

[ Upstream commit f41c5d151078c5348271ffaf8e7410d96f2d82f8 ]

nft_map_catchall_activate() has an inverted element activity check
compared to its non-catchall counterpart nft_mapelem_activate() and
compared to what is logically required.

nft_map_catchall_activate() is called from the abort path to re-activate
catchall map elements that were deactivated during a failed transaction.
It should skip elements that are already active (they don't need
re-activation) and process elements that are inactive (they need to be
restored). Instead, the current code does the opposite: it skips inactive
elements and processes active ones.

Compare the non-catchall activate callback, which is correct:

  nft_mapelem_activate():
    if (nft_set_elem_active(ext, iter->genmask))
        return 0;   /* skip active, process inactive */

With the buggy catchall version:

  nft_map_catchall_activate():
    if (!nft_set_elem_active(ext, genmask))
        continue;   /* skip inactive, process active */

The consequence is that when a DELSET operation is aborted,
nft_setelem_data_activate() is never called for the catchall element.
For NFT_GOTO verdict elements, this means nft_data_hold() is never
called to restore the chain->use reference count. Each abort cycle
permanently decrements chain->use. Once chain->use reaches zero,
DELCHAIN succeeds and frees the chain while catchall verdict elements
still reference it, resulting in a use-after-free.

This is exploitable for local privilege escalation from an unprivileged
user via user namespaces + nftables on distributions that enable
CONFIG_USER_NS and CONFIG_NF_TABLES.

Fix by removing the negation so the check matches nft_mapelem_activate():
skip active elements, process inactive ones.

Fixes: 628bd3e ("netfilter: nf_tables: drop map element references from preparation phase")
Signed-off-by: Andrew Fasano <andrew.fasano@nist.gov>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 42c574c1504aa089a0a142e4c13859327570473d)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
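The reference-count drift described above, as an added model that is not nf_tables code: a DELSET is prepared (elements deactivated, verdict reference released), the transaction is aborted, and the buggy versus fixed activate check decides whether chain->use is restored before a DELCHAIN busy check runs. The names genmask activity, chain->use, NFT_GOTO and the hold/release pairing follow the message; the structs, the control flow and the starting count of one reference are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct chain {
	int use;         /* chain->use: references held by verdicts pointing at it */
	bool freed;      /* set once DELCHAIN was allowed to proceed */
};

struct catchall_elem {
	bool active;                  /* stands in for nft_set_elem_active(ext, genmask) */
	struct chain *verdict_chain;  /* NFT_GOTO target, NULL for other verdicts */
};

/* Preparation phase of DELSET: deactivate each active catchall element and
 * drop its verdict reference (nft_setelem_data_deactivate -> nft_data_release). */
static void catchall_deactivate(struct catchall_elem *elems, size_t n)
{
	for (size_t i = 0; i < n; i++) {
		if (!elems[i].active)
			continue;
		elems[i].active = false;
		if (elems[i].verdict_chain)
			elems[i].verdict_chain->use--;
	}
}

/* Abort path, the role of nft_map_catchall_activate(): put back what the
 * failed transaction deactivated.  `fixed == false` keeps the inverted check
 * quoted in the message; `fixed == true` matches nft_mapelem_activate():
 * skip active elements, process inactive ones.  Returns references restored. */
int catchall_activate(struct catchall_elem *elems, size_t n, bool fixed)
{
	int restored = 0;

	for (size_t i = 0; i < n; i++) {
		bool skip = fixed ? elems[i].active : !elems[i].active;

		if (skip)
			continue;
		elems[i].active = true;
		if (elems[i].verdict_chain) {
			elems[i].verdict_chain->use++;   /* nft_data_hold() */
			restored++;
		}
	}
	return restored;
}

/* DELCHAIN's busy check: a chain that is still referenced must not be freed. */
static bool delchain(struct chain *c)
{
	if (c->use > 0)
		return false;   /* -EBUSY in the kernel */
	c->freed = true;
	return true;
}

struct cycle_result {
	int use;           /* chain->use after the aborted DELSET */
	bool chain_freed;  /* DELCHAIN went through although an element still points at it */
};

/* One DELSET that is aborted, followed by a DELCHAIN on the verdict target. */
struct cycle_result delset_abort_cycle(bool fixed)
{
	struct chain c = { .use = 1, .freed = false };       /* constructed: one goto reference */
	struct catchall_elem elems[] = {
		{ .active = true, .verdict_chain = &c },     /* catchall element: goto c */
	};
	size_t n = sizeof(elems) / sizeof(elems[0]);
	struct cycle_result r;

	catchall_deactivate(elems, n);          /* prepare: use 1 -> 0 */
	catchall_activate(elems, n, fixed);     /* abort: should restore use to 1 */
	r.use = c.use;
	r.chain_freed = delchain(&c);           /* with use == 0 this wrongly succeeds */
	return r;
}

int main(void)
{
	struct cycle_result buggy = delset_abort_cycle(false);
	struct cycle_result fixed = delset_abort_cycle(true);

	printf("buggy: chain->use=%d, DELCHAIN freed chain=%d (dangling verdict)\n",
	       buggy.use, buggy.chain_freed);
	printf("fixed: chain->use=%d, DELCHAIN freed chain=%d\n",
	       fixed.use, fixed.chain_freed);
	return 0;
}
```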
[ Upstream commit bbf4a17ad9ffc4e3d7ec13d73ecd59dea149ed25 ]

syzbot reported a kernel BUG in fib6_add_rt2node() when adding an IPv6
route. [0]

Commit f72514b3c569 ("ipv6: clear RA flags when adding a static
route") introduced logic to clear RTF_ADDRCONF from existing routes
when a static route with the same nexthop is added. However, this
causes a problem when the existing route has a gateway.

When RTF_ADDRCONF is cleared from a route that has a gateway, that
route becomes eligible for ECMP, i.e. rt6_qualify_for_ecmp() returns
true. The issue is that this route was never added to the
fib6_siblings list.

This leads to a mismatch between the following counts:

- The sibling count computed by iterating fib6_next chain, which
  includes the newly ECMP-eligible route

- The actual siblings in fib6_siblings list, which does not include
  that route

When a subsequent ECMP route is added, fib6_add_rt2node() hits
BUG_ON(sibling->fib6_nsiblings != rt->fib6_nsiblings) because the
counts don't match.

Fix this by only clearing RTF_ADDRCONF when the existing route does
not have a gateway. Routes without a gateway cannot qualify for ECMP
anyway (rt6_qualify_for_ecmp() requires fib_nh_gw_family), so clearing
RTF_ADDRCONF on them is safe and matches the original intent of the
commit.

[0]:
kernel BUG at net/ipv6/ip6_fib.c:1217!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 6010 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:fib6_add_rt2node+0x3433/0x3470 net/ipv6/ip6_fib.c:1217
[...]
Call Trace:
 <TASK>
 fib6_add+0x8da/0x18a0 net/ipv6/ip6_fib.c:1532
 __ip6_ins_rt net/ipv6/route.c:1351 [inline]
 ip6_route_add+0xde/0x1b0 net/ipv6/route.c:3946
 ipv6_route_ioctl+0x35c/0x480 net/ipv6/route.c:4571
 inet6_ioctl+0x219/0x280 net/ipv6/af_inet6.c:577
 sock_do_ioctl+0xdc/0x300 net/socket.c:1245
 sock_ioctl+0x576/0x790 net/socket.c:1366
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Fixes: f72514b3c569 ("ipv6: clear RA flags when adding a static route")
Reported-by: syzbot+cb809def1baaac68ab92@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=cb809def1baaac68ab92
Tested-by: syzbot+cb809def1baaac68ab92@syzkaller.appspotmail.com
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Link: https://patch.msgid.link/20260204095837.1285552-1-syoshida@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 50b7c7a255858a85c4636a1e990ca04591153dca)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 7f67ba5413f98d93116a756e7f17cd2c1d6c2bd6 ]

Fixes: 4a767b1 ("ASoC: amd: add acp3x pdm driver dma ops")
Signed-off-by: Chris Bainbridge <chris.bainbridge@gmail.com>
Link: https://patch.msgid.link/20260202205034.7697-1-chris.bainbridge@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 0e0120214b5dcb0bf6b2171bb4e68e38968b2861)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 38e818718c5e04961eea0fa8feff3f100ce40408 upstream.

From the memory-barriers.txt document regarding memory barrier ordering
guarantees:

 (*) These guarantees do not apply to bitfields, because compilers often
     generate code to modify these using non-atomic read-modify-write
     sequences.  Do not attempt to use bitfields to synchronize parallel
     algorithms.

 (*) Even in cases where bitfields are protected by locks, all fields
     in a given bitfield must be protected by one lock.  If two fields
     in a given bitfield are protected by different locks, the compiler's
     non-atomic read-modify-write sequences can cause an update to one
     field to corrupt the value of an adjacent field.

btrfs_space_info has a bitfield sharing an underlying word consisting of
the fields full, chunk_alloc, and flush:

struct btrfs_space_info {
        struct btrfs_fs_info *     fs_info;              /*     0     8 */
        struct btrfs_space_info *  parent;               /*     8     8 */
        ...
        int                        clamp;                /*   172     4 */
        unsigned int               full:1;               /*   176: 0  4 */
        unsigned int               chunk_alloc:1;        /*   176: 1  4 */
        unsigned int               flush:1;              /*   176: 2  4 */
        ...

Therefore, to be safe from parallel read-modify-writes losing a write to
one of the bitfield members protected by a lock, all writes to all the
bitfields must use the lock. They almost universally do, except for
btrfs_clear_space_info_full() which iterates over the space_infos and
writes out found->full = 0 without a lock.

Imagine that we have one thread completing a transaction in which we
finished deleting a block_group and are thus calling
btrfs_clear_space_info_full() while simultaneously the data reclaim
ticket infrastructure is running do_async_reclaim_data_space():

          T1                                             T2
btrfs_commit_transaction
  btrfs_clear_space_info_full
  data_sinfo->full = 0
  READ: full:0, chunk_alloc:0, flush:1
                                              do_async_reclaim_data_space(data_sinfo)
                                              spin_lock(&space_info->lock);
                                              if(list_empty(tickets))
                                                space_info->flush = 0;
                                                READ: full: 0, chunk_alloc:0, flush:1
                                                MOD/WRITE: full: 0, chunk_alloc:0, flush:0
                                                spin_unlock(&space_info->lock);
                                                return;
  MOD/WRITE: full:0, chunk_alloc:0, flush:1

and now data_sinfo->flush is 1 but the reclaim worker has exited. This
breaks the invariant that flush is 0 iff there is no work queued or
running. Once this invariant is violated, future allocations that go
into __reserve_bytes() will add tickets to space_info->tickets but will
see space_info->flush is set to 1 and not queue the work. After this,
they will block forever on the resulting ticket, as it is now impossible
to kick the worker again.

I also confirmed by looking at the assembly of the affected kernel that
it is doing RMW operations. For example, to set the flush (3rd) bit to 0,
the assembly is:
  andb    $0xfb,0x60(%rbx)
and similarly for setting the full (1st) bit to 0:
  andb    $0xfe,-0x20(%rax)

So I think this is really a bug on practical systems.  I have observed
a number of systems in this exact state, but am currently unable to
reproduce it.

Rather than leaving this footgun lying around for the future, take
advantage of the fact that there is room in the struct anyway, and that
it is already quite large and simply change the three bitfield members to
bools. This avoids writes to space_info->full having any effect on
writes to space_info->flush, regardless of locking.

Fixes: 957780e ("Btrfs: introduce ticketed enospc infrastructure")
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Boris Burkov <boris@bur.io>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[ The context change is due to the commit cc0517f
  ("btrfs: tweak extent/chunk allocation for space_info sub-space")
  in v6.16 which is irrelevant to the logic of this patch. ]
Signed-off-by: Rahul Sharma <black.hawk@163.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit d4a81b8ec639895999275ea2472c69825cd67ea4)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
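The T1/T2 interleaving above, replayed step by step as an added example that is not btrfs code: the three flags share one byte laid out as in the quoted pahole output (full bit 0, chunk_alloc bit 1, flush bit 2) and T1's unlocked `full = 0` is spelled out as the read/modify/write the quoted `andb` instructions perform, next to the same interleaving on the bool layout of the fix. The lock in T2 and the worker state are modelled only as comments and a flag; the struct and function names are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit positions from the pahole output in the message: one word at offset
 * 176 holding full (bit 0), chunk_alloc (bit 1) and flush (bit 2). */
#define SI_FULL        (1u << 0)
#define SI_CHUNK_ALLOC (1u << 1)
#define SI_FLUSH       (1u << 2)

/* Before the fix: the three flags share one storage unit (modelled as the
 * byte the quoted andb instructions operate on). */
struct packed_space_info { uint8_t word; };

/* After the fix: three bools, each with its own storage unit. */
struct bool_space_info { bool full, chunk_alloc, flush; };

struct replay_result {
	bool flush_after;   /* space_info->flush once both threads are done */
	bool ticket_stuck;  /* a later __reserve_bytes() ticket would never be served */
};

/* __reserve_bytes() only queues the reclaim worker when flush is 0, so once
 * the worker has exited, flush == 1 means new tickets block forever. */
static bool reserve_bytes_would_hang(bool flush, bool worker_running)
{
	return flush && !worker_running;
}

/* The interleaving from the message on the packed layout:
 *   T1  READ word               (full:0 chunk_alloc:0 flush:1)
 *   T2  READ/MOD/WRITE flush=0  (under space_info->lock), worker returns
 *   T1  MOD/WRITE full=0        (stale copy, no lock) -> flush is 1 again */
struct replay_result packed_replay(void)
{
	struct packed_space_info si = { .word = SI_FLUSH };   /* reclaim work pending */
	bool worker_running = true;

	/* T1: btrfs_clear_space_info_full(): found->full = 0, READ step of the RMW */
	uint8_t t1 = si.word;

	/* T2: do_async_reclaim_data_space(): spin_lock(); flush = 0; unlock; return */
	uint8_t t2 = si.word;                      /* READ */
	t2 &= (uint8_t)~SI_FLUSH;                  /* MOD   (andb $0xfb) */
	si.word = t2;                              /* WRITE */
	worker_running = false;                    /* worker exited */

	/* T1: MOD/WRITE on the copy it read before T2 ran */
	t1 &= (uint8_t)~SI_FULL;                   /* MOD   (andb $0xfe) */
	si.word = t1;                              /* WRITE: brings flush back to 1 */

	bool flush = (si.word & SI_FLUSH) != 0;
	return (struct replay_result){ flush, reserve_bytes_would_hang(flush, worker_running) };
}

/* Same interleaving on the bool layout: T1's store touches only `full`. */
struct replay_result bool_replay(void)
{
	struct bool_space_info si = { .full = false, .chunk_alloc = false, .flush = true };
	bool worker_running = true;

	/* T2 under the lock: its own byte, nothing else rewritten */
	si.flush = false;
	worker_running = false;

	/* T1 without the lock: a plain byte store to full, flush is untouched */
	si.full = false;

	return (struct replay_result){ si.flush,
				       reserve_bytes_would_hang(si.flush, worker_running) };
}

int main(void)
{
	struct replay_result p = packed_replay();
	struct replay_result b = bool_replay();

	printf("bitfield word: flush=%d after the race, tickets stuck=%d\n",
	       p.flush_after, p.ticket_stuck);
	printf("bool members:  flush=%d after the race, tickets stuck=%d\n",
	       b.flush_after, b.ticket_stuck);
	return 0;
}
```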
[ Upstream commit c7db85d579a1dccb624235534508c75fbf2dfe46 ]

The gve driver's "rx_dropped" statistic, exposed via `ethtool -S`,
incorrectly includes `rx_buf_alloc_fail` counts. These failures
represent an inability to allocate receive buffers, not true packet
drops where a received packet is discarded. This misrepresentation can
lead to inaccurate diagnostics.

This patch rectifies the ethtool "rx_dropped" calculation. It removes
`rx_buf_alloc_fail` from the total and adds `xdp_tx_errors` and
`xdp_redirect_errors`, which represent legitimate packet drops within
the XDP path.

Cc: stable@vger.kernel.org
Fixes: 433e274 ("gve: Add stats for gve.")
Signed-off-by: Max Yuan <maxyuan@google.com>
Reviewed-by: Jordan Rhee <jordanrhee@google.com>
Reviewed-by: Joshua Washington <joshwash@google.com>
Reviewed-by: Matt Olson <maolson@google.com>
Signed-off-by: Harshitha Ramamurthy <hramamurthy@google.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260202193925.3106272-3-hramamurthy@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit a168f2002b2b4a4c3dccef5fdbe94cf52021c362)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
… transfer

[ Upstream commit aabd8ea0aa253d40cf5f20a609fc3d6f61e38299 ]

When the ISR thread wakes up late and finds that the timeout handler
has already processed the transfer (curr_xfer is NULL), return
IRQ_HANDLED instead of IRQ_NONE.

Use a similar approach to tegra_qspi_handle_timeout() by reading
QSPI_TRANS_STATUS and checking the QSPI_RDY bit to determine if the
hardware actually completed the transfer. If QSPI_RDY is set, the
interrupt was legitimate and triggered by real hardware activity.
The fact that the timeout path handled it first doesn't make it
spurious. Returning IRQ_NONE incorrectly suggests the interrupt
wasn't for this device, which can cause issues with shared interrupt
lines and interrupt accounting.

Fixes: b4e002d8a7ce ("spi: tegra210-quad: Fix timeout handling")
Signed-off-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Usama Arif <usamaarif642@gmail.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Acked-by: Jon Hunter <jonathanh@nvidia.com>
Acked-by: Thierry Reding <treding@nvidia.com>
Link: https://patch.msgid.link/20260126-tegra_xfer-v2-1-6d2115e4f387@debian.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 552e3d8a8bef219746a4663a4f3a3571a9dbcd92)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit ef13ba357656451d6371940d8414e3e271df97e3 ]

Move the assignment of the transfer pointer from curr_xfer inside the
spinlock critical section in both handle_cpu_based_xfer() and
handle_dma_based_xfer().

Previously, curr_xfer was read before acquiring the lock, creating a
window where the timeout path could clear curr_xfer between reading it
and using it. By moving the read inside the lock, the handlers are
guaranteed to see a consistent value that cannot be modified by the
timeout path.

Fixes: 921fc18 ("spi: tegra210-quad: Add support for Tegra210 QSPI controller")
Signed-off-by: Breno Leitao <leitao@debian.org>
Acked-by: Thierry Reding <treding@nvidia.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Acked-by: Jon Hunter <jonathanh@nvidia.com>
Link: https://patch.msgid.link/20260126-tegra_xfer-v2-2-6d2115e4f387@debian.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit f9cafa63039b88c97081e1dfbe2fcf35df49a644)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…transfer_one

[ Upstream commit f5a4d7f5e32ba163cff893493ec1cbb0fd2fb0d5 ]

When the timeout handler processes a completed transfer and signals
completion, the transfer thread can immediately set up the next transfer
and assign curr_xfer to point to it.

If a delayed ISR from the previous transfer then runs, it checks if
(!tqspi->curr_xfer) (currently without the lock also -- to be fixed
soon) to detect stale interrupts, but this check passes because
curr_xfer now points to the new transfer. The ISR then incorrectly
processes the new transfer's context.

Protect the curr_xfer assignment with the spinlock to ensure the ISR
either sees NULL (and bails out) or sees the new value only after the
assignment is complete.

Fixes: 921fc18 ("spi: tegra210-quad: Add support for Tegra210 QSPI controller")
Signed-off-by: Breno Leitao <leitao@debian.org>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Acked-by: Jon Hunter <jonathanh@nvidia.com>
Acked-by: Thierry Reding <treding@nvidia.com>
Link: https://patch.msgid.link/20260126-tegra_xfer-v2-3-6d2115e4f387@debian.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 53eba2a4a4666ed0e6cc3df56635930dece21f41)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit bf4528ab28e2bf112c3a2cdef44fd13f007781cd ]

The curr_xfer field is read by the IRQ handler without holding the lock
to check if a transfer is in progress. When clearing curr_xfer in the
combined sequence transfer loop, protect it with the spinlock to prevent
a race with the interrupt handler.

Protect the curr_xfer clearing at the exit path of
tegra_qspi_combined_seq_xfer() with the spinlock to prevent a race
with the interrupt handler that reads this field.

Without this protection, the IRQ handler could read a partially updated
curr_xfer value, leading to NULL pointer dereference or use-after-free.

Fixes: b4e002d8a7ce ("spi: tegra210-quad: Fix timeout handling")
Signed-off-by: Breno Leitao <leitao@debian.org>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Acked-by: Jon Hunter <jonathanh@nvidia.com>
Acked-by: Thierry Reding <treding@nvidia.com>
Link: https://patch.msgid.link/20260126-tegra_xfer-v2-4-6d2115e4f387@debian.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 712cde8d916889e282727cdf304a43683adf899e)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…ined_seq_xfer

[ Upstream commit 6d7723e8161f3c3f14125557e19dd080e9d882be ]

Protect the curr_xfer clearing in tegra_qspi_non_combined_seq_xfer()
with the spinlock to prevent a race with the interrupt handler that
reads this field to check if a transfer is in progress.

Fixes: b4e002d8a7ce ("spi: tegra210-quad: Fix timeout handling")
Signed-off-by: Breno Leitao <leitao@debian.org>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Acked-by: Jon Hunter <jonathanh@nvidia.com>
Acked-by: Thierry Reding <treding@nvidia.com>
Link: https://patch.msgid.link/20260126-tegra_xfer-v2-5-6d2115e4f387@debian.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit dfc63678980774e8aff159d775fba76a3b3c922a)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 41d9a6795b95d6ea28439ac1e9ce8c95bbca20fc ]

In tegra_slink_probe(), when platform_get_irq() fails, it directly
returns from the function with an error code, which causes a memory leak.

Replace it with a goto label to ensure proper cleanup.

Fixes: eb9913b ("spi: tegra: Fix missing IRQ check in tegra_slink_probe()")
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Link: https://patch.msgid.link/20260202-slink-v1-1-eac50433a6f9@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 126a09f4fcd2b895a818ca43fde078d907c1ac9a)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit a0a75b40c919b9f6d3a0b6c978e6ccf344c1be5a ]

The COMMAND1 register bits [29:28] set the SPI mode, which controls
the clock idle level. When a transfer ends, tegra_spi_transfer_end()
writes def_command1_reg back to restore the default state, but this
register value currently lacks the mode bits. This results in the
clock always being configured as idle low, breaking devices that
need it high.

Fix this by storing the mode bits in def_command1_reg during setup,
to prevent this field from always being cleared.

Fixes: f333a33 ("spi/tegra114: add spi driver")
Signed-off-by: Vishwaroop A <va@nvidia.com>
Link: https://patch.msgid.link/20260204141212.1540382-1-va@nvidia.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit d0a6e43d7ccccf19374e9e140cd86f7b74a7e5e2)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 1aaedafb21f38cb872d44f7608b4828a1e14e795 upstream.

Add a PCI quirk to enable microphone detection on the headphone jack of
TongFang X6AR55xU devices.

The former quirk entry did not accomplish this and is removed.

Fixes: b48fe9af1e60 ("ALSA: hda/realtek: Fix headset mic for TongFang X6AR55xU")
Signed-off-by: Tim Guttzeit <t.guttzeit@tuxedocomputers.com>
Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
Link: https://patch.msgid.link/20260123221233.28273-1-wse@tuxedocomputers.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 23897ece6167cab657b1129c6d62fee460d9819f)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Link: https://lore.kernel.org/r/20260209142304.770150175@linuxfoundation.org
Tested-by: Francesco Dolcini <francesco.dolcini@toradex.com>
Tested-by: Brett A C Sheffield <bacs@librecast.net>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Tested-by: Peter Schneider <pschneider1968@googlemail.com>
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
Tested-by: Ron Economos <re@w6rz.net>
Tested-by: Mark Brown <broonie@kernel.org>
Tested-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Tested-by: Jeffrin Jose T <jeffrin@rajagiritech.edu.in>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 1b4ef5214f17e671cc13f2da4a678574ce91d151)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
@sourcery-ai

sourcery-ai bot commented Feb 12, 2026

Reviewer's Guide

Rebases Deepin 6.6-y kernel to upstream 6.6.124 and forward-ports the corresponding stable fixes, including networking, storage, tracing, architecture, and HID changes, plus local adjustments in gve stats, RT scheduler push logic, KVM irqfd handling, LiquidIO init/cleanup, TI davinci ASoC probe error paths, Tegra SPI locking, RBD EOD handling, BMC video reset polling, ublk completion deadlock avoidance, i.MX power-domain wakeup/notifier logic, and a large set of smaller bug fixes across subsystems.

Sequence diagram for updated KVM irqfd deassign and wakeup handling

sequenceDiagram
    participant Userspace
    participant KVM as kvm
    participant IRQFD as irqfd
    participant EventFD as eventfd

    rect rgb(230,230,255)
        Userspace->>kvm: kvm_irqfd_deassign(args)
        activate kvm
        kvm->>kvm: spin_lock_irq(irqfds.lock)
        kvm->>kvm: list_for_each_entry_safe(irqfd)
        alt match by eventfd and gsi
            kvm->>IRQFD: irqfd_deactivate(irqfd)
            activate IRQFD
            IRQFD->>IRQFD: lockdep_assert_held(irqfds.lock)
            IRQFD->>IRQFD: BUG_ON(!irqfd_is_active(irqfd))
            IRQFD->>IRQFD: list_del_init(irqfd.list)
            IRQFD->>kvm: schedule_work(shutdown)
            deactivate IRQFD
        end
        kvm->>kvm: spin_unlock_irq(irqfds.lock)
        deactivate kvm
    end

    rect rgb(230,255,230)
        EventFD-->>IRQFD: wakeup (waitqueue)
        activate IRQFD
        IRQFD->>IRQFD: irqfd_wakeup()
        activate kvm
        IRQFD->>IRQFD: read_seqcount_begin(irq_entry_sc)
        IRQFD->>IRQFD: read irq_entry
        IRQFD->>IRQFD: read_seqcount_retry()
        IRQFD->>IRQFD: irqfd_is_active(irqfd)
        note over IRQFD,kvm: lockdep_assert_once(irqfds.lock held or irq_srcu held)
        alt irqfd is not active
            IRQFD-->>IRQFD: return early
        else irqfd is active
            IRQFD->>kvm: kvm_arch_set_irq_inatomic(irq_entry)
            alt returns -EWOULDBLOCK
                IRQFD->>IRQFD: schedule_work(inject)
            else success
                IRQFD-->>IRQFD: interrupt injected
            end
        end
        deactivate kvm
        deactivate IRQFD
    end

Updated class diagram for key kernel structures in this rebase

classDiagram
    class btrfs_space_info {
        +u64 flags
        +u64 total_bytes
        +u64 bytes_used
        +u64 bytes_readonly
        +u64 bytes_may_use
        +u64 bytes_reserved
        +u64 bytes_pinned
        +u64 bytes_read_mirror
        +u64 bytes_zone_unusable
        +atomic64_t tickets_id
        +bool full
        +bool chunk_alloc
        +bool flush
        +unsigned int force_alloc
        +spinlock_t lock
        +struct list_head list
    }

    class btrfs_fs_info {
        +struct list_head space_info
        +struct mutex chunk_mutex
    }

    btrfs_fs_info "1" o-- "*" btrfs_space_info : has

    class imx8mp_blk_ctrl_domain_data {
        +const char* name
        +const char* const* clk_names
        +int num_clks
        +const char* const* path_names
        +int num_paths
        +const char* gpc_name
        +unsigned int flags
    }

    class generic_pm_domain {
        +const char* name
        +unsigned int flags
        +int status
        +int (*power_on)(generic_pm_domain*)
        +int (*power_off)(generic_pm_domain*)
    }

    class notifier_block {
        +int (*notifier_call)(notifier_block*, unsigned long, void*)
        +struct notifier_block* next
        +int priority
    }

    class imx8mp_blk_ctrl_domain {
        +generic_pm_domain genpd
        +struct clk* clks[3]
        +struct icc_bulk_data paths[3]
        +struct device* power_dev
        +struct imx8mp_blk_ctrl* bc
        +notifier_block power_nb
        +int num_paths
        +int id
    }

    class imx8mp_blk_ctrl {
        +struct device* dev
        +imx8mp_blk_ctrl_domain* domains
        +int num_domains
    }

    imx8mp_blk_ctrl "1" o-- "*" imx8mp_blk_ctrl_domain : manages
    imx8mp_blk_ctrl_domain --> imx8mp_blk_ctrl : bc
    imx8mp_blk_ctrl_domain --> imx8mp_blk_ctrl_domain_data : uses
    imx8mp_blk_ctrl_domain --> notifier_block : power_nb
    imx8mp_blk_ctrl_domain --> generic_pm_domain : embeds

    class kvm {
        +spinlock_t irqfds_lock
        +struct srcu_struct irq_srcu
        +struct list_head irqfds_items
    }

    class kvm_kernel_irq_routing_entry {
        +u32 gsi
        +u32 type
        +u32 flags
    }

    class kvm_kernel_irqfd {
        +struct list_head list
        +struct kvm* kvm
        +struct eventfd_ctx* eventfd
        +int gsi
        +seqcount_t irq_entry_sc
        +kvm_kernel_irq_routing_entry irq_entry
        +struct work_struct inject
        +struct work_struct shutdown
    }

    kvm "1" o-- "*" kvm_kernel_irqfd : owns
    kvm_kernel_irqfd --> kvm_kernel_irq_routing_entry : irq_entry

    class nvmet_tcp_cmd {
        +struct nvmet_req req
        +struct bio_vec* iov
        +struct scatterlist* sg
        +u32 pdu_len
        +u32 rbytes_done
        +u32 sg_idx
        +struct nvmet_tcp_queue* queue
    }

    class nvmet_tcp_queue {
        +struct socket* sock
        +struct work_struct io_work
    }

    nvmet_tcp_cmd --> nvmet_tcp_queue : queue

    class hfsplus_unistr {
        +__be16 length
        +__be16 unicode[255]
    }

    class hfsplus_attr_unistr {
        +__be16 length
        +__be16 unicode[127]
    }

    class super_block {
        +void* s_fs_info
    }

    class hfsplus_sb_info {
        +struct nls_table* nls
    }

    super_block --> hfsplus_sb_info : HFSPLUS_SB

    class hfsplus_unicode_helpers {
        +int hfsplus_uni2asc_str(super_block* sb, hfsplus_unistr* ustr, char* astr, int* len_p)
        +int hfsplus_uni2asc_xattr_str(super_block* sb, hfsplus_attr_unistr* ustr, char* astr, int* len_p)
    }

    hfsplus_unicode_helpers ..> hfsplus_unistr : converts
    hfsplus_unicode_helpers ..> hfsplus_attr_unistr : converts
    hfsplus_unicode_helpers ..> super_block : uses nls via HFSPLUS_SB

Flow diagram for RT scheduler find_lock_lowest_rq with pushable task check

flowchart TD
    A["find_lock_lowest_rq(task, rq)"] --> B["loop over candidate lowest_rq"]
    B --> C["double_lock_balance(rq, lowest_rq)"]
    C --> D{"rq lock had to be dropped?"}
    D -->|No| E["check lowest_rq suitability"]
    E --> F["return lowest_rq (locked)"]

    D -->|Yes| G["task may have migrated or changed affinity"]
    G --> H["if is_migration_disabled(task) then fail"]
    H --> I{"cpumask_test_cpu(lowest_rq->cpu, task->cpus_mask)?"}
    I -->|No| J["double_unlock_balance(rq, lowest_rq); lowest_rq = NULL"]
    J --> K["continue search or return NULL"]

    I -->|Yes| L["p = pick_next_pushable_task(rq)"]
    L --> M{"task == p?"}
    M -->|No| J
    M -->|Yes| N["lowest_rq remains valid"]
    N --> E

    subgraph pick_next_pushable_task
        P1{"has_pushable_tasks(rq)?"} -->|No| P2["return NULL"]
        P1 -->|Yes| P3["p = first entry in rq->rt.pushable_tasks"]
        P3 --> P4["BUG_ON(rq->cpu != task_cpu(p))"]
        P4 --> P5["BUG_ON(task_current(rq, p))"]
        P5 --> P6["BUG_ON(p->nr_cpus_allowed <= 1)"]
        P6 --> P7["BUG_ON(!task_on_rq_queued(p))"]
        P7 --> P8["BUG_ON(!rt_task(p))"]
        P8 --> P9["return p"]
    end

File-Level Changes

Change Details Files
Adjust gve ethtool stats aggregation and stats-report parsing to account for new XDP error counters and avoid misaligned NIC stats layout assumptions.
  • Track and accumulate xdp_tx_errors and xdp_redirect_errors in global and per-queue RX stats, and include them in rx_dropped calculation instead of rx_buf_alloc_fail.
  • Compute NIC RX/TX stats base indices from stats_report_len and NIC stats sizes, add alignment check, and derive RX/TX regions (rx_base_stats_idx/max_rx_stats_idx/max_tx_stats_idx) instead of assuming a fixed ordering.
  • Update stats preprocessing loops to use the new RX/TX NIC stats index ranges and to include XDP error counters in per-queue drop stats.
  • Change gve_alloc_stats_report() to size the stats array using tx_cfg.max_queues/rx_cfg.max_queues instead of current queue counts.
drivers/net/ethernet/google/gve/gve_ethtool.c
drivers/net/ethernet/google/gve/gve_main.c
Fix RT scheduler push_rt_task race by ensuring the candidate task is still the head of the pushable list when moving it between runqueues.
  • Refactor pick_next_pushable_task() earlier in the file and add invariants for pushable RT tasks.
  • Change find_lock_lowest_rq() recheck after unlocking rq to validate that the task is still migration-eligible, still allowed on target CPU, and still at the head of rq->rt.pushable_tasks instead of checking multiple separate conditions.
  • Remove old duplicate pick_next_pushable_task() definition at the bottom of the file.
kernel/sched/rt.c
Harden KVM irqfd lifecycle and routing by making activity checks lockdep-aware and avoiding IRQ injection when an irqfd is being deassigned.
  • Make irqfd_is_active() assert that either irqfds.lock or irq_srcu read lock is held, instead of assuming the spinlock implicitly.
  • Make irqfd_deactivate() explicitly assert irqfds.lock is held, then remove the irqfd from the list and queue shutdown work.
  • In irqfd_wakeup(), bail out to workqueue injection if the irqfd is no longer active, avoiding use of stale routing information when deassigned.
  • Simplify kvm_irqfd_deassign() by removing manual irq_entry.type clearing and just calling irqfd_deactivate().
virt/kvm/eventfd.c
Fix LiquidIO NIC PF/VF setup error paths and initialization ordering to avoid use of uninitialized lio structures and to free all devices correctly on failure.
  • Move lio = GET_LIO(netdev) and its initialization (memset, ifidx, octprops, netdev, etc.) before queue setup calls so that later code uses fully initialized lio.
  • Adjust setup_nic_devices() PF and VF cleanup loops from while(i--) to a do/while(i--) pattern and decrement i appropriately when devlink allocation fails so that all created interfaces are destroyed exactly once.
  • Ensure octeon_dev->props is populated before being referenced by lio.
drivers/net/ethernet/cavium/liquidio/lio_main.c
drivers/net/ethernet/cavium/liquidio/lio_vf_main.c
Fix davinci-evm ASoC probe error handling and OF node lifetime to avoid reference leaks when probe fails.
  • Convert early returns after of_parse_phandle(), card name parse, clock retrieval, memory allocation, and sysclk validation to use a common err_put path.
  • At err_put, clear platform OF node pointers and call of_node_put() on any populated dai->cpus->of_node and dai->codecs->of_node to drop references before returning.
  • Ensure platforms->of_node is reset when unwinding.
sound/soc/ti/davinci-evm.c
Harden Tegra QSPI (tegra210-quad, tegra114, tegra20-slink) against races and misconfiguration by protecting curr_xfer under a spinlock, handling spurious/late interrupts, and preserving SPI mode bits.
  • Protect tqspi->curr_xfer assignment and clearing in transfer setup and completion paths (combined and non-combined sequences) with tqspi->lock, and fetch curr_xfer under the lock in both CPU and DMA ISR handlers.
  • In tegra_qspi_isr_thread(), read QSPI_TRANS_STATUS, treat interrupts with no curr_xfer as either spurious (no QSPI_RDY) or already-handled (return IRQ_HANDLED) to avoid abusing timeouts.
  • In tegra_spi_setup(), update def_command1_reg to preserve SPI mode bits and CS polarity consistently, reprogramming command1 with updated mode.
  • In tegra_slink_probe(), handle negative irq return by unwinding PM references via exit_pm_put instead of returning early.
drivers/spi/spi-tegra210-quad.c
drivers/spi/spi-tegra114.c
drivers/spi/spi-tegra20-slink.c
Move RBD end-of-device checks into rbd_img_object_requests() and ensure they run only for top-level requests, not child object requests.
  • For non-child img_reqs, compute offset/length from the blk-mq request, capture mapping_size under header_rwsem, and for writes grab the snap context once the lock is confirmed.
  • If offset+len exceeds mapping_size, warn and fail the img_req early with -EIO without submitting object requests.
  • Remove the previous EOD check from rbd_queue_workfn(), which now just captures the header and logs the operation.
drivers/block/rbd.c
Avoid ublk deadlock when blkdev_release() is invoked from ublk’s own path by ending requests with softirqs disabled and wrapping all error paths similarly.
  • Introduce ublk_end_request() helper that disables softirqs around blk_mq_end_request().
  • In __ublk_complete_rq(), call blk_update_request() with local_bh_disable()/enable; if it returns requeue=true, requeue the request, otherwise call __blk_mq_end_request().
  • Use ublk_end_request() instead of blk_mq_end_request() in abort and error paths (e.g., __ublk_abort_rq()).
drivers/block/ublk_drv.c
Improve mgag200 BMC video reset handling by using the iopoll helper and a common DAC read macro to wait for BMC scan state transitions.
  • Introduce RREG_DAC(reg) macro that writes DAC_INDEX then reads DAC_DATA, encapsulating the access pattern.
  • Replace manual udelay loop in mgag200_bmc_disable_vidrst() with read_poll_timeout(RREG_DAC, ...) to wait for remhsyncsts==0, and conditionally poll for remvsyncsts transitions, returning on timeout.
drivers/gpu/drm/mgag200/mgag200_drv.h
drivers/gpu/drm/mgag200/mgag200_bmc.c
Extend i.MX8M power domain block controller to keep specific power domains on for wakeup sources and prevent the GPC from powering off domains that are still ON.
  • Add flags field and notifier_block to imx8mp_blk_ctrl_domain, and propagate GENPD_FLAG_ACTIVE_WAKEUP from domain_data into genpd.flags for USB PHY domains.
  • Register a power-domain notifier (imx8mp_blk_ctrl_gpc_notifier) on the underlying GPC power device to veto PRE_OFF when the blk-ctrl genpd is still ON, returning NOTIFY_BAD to prevent shutdown.
  • Ensure notifier is added/removed and power domains detached in probe, error paths, remove(), and cleanup loops.
  • Fix imx8m-blk-ctrl remove loop bound to iterate over num_domains, and clamp qcom rpmpd aggregate corners with correct max_state when sync_state isn’t done yet.
drivers/pmdomain/imx/imx8mp-blk-ctrl.c
drivers/pmdomain/imx/imx8m-blk-ctrl.c
drivers/pmdomain/qcom/rpmpd.c
Add robustness and hardening to NVMe target TCP PDU scatterlist setup and listen callbacks to prevent memory corruption and hangs.
  • Add sanity checks in nvmet_tcp_build_pdu_iovec() for sg_idx and sg_remaining vs. sg_cnt, as well as per-SG length vs. sg_offset, and call nvmet_tcp_fatal_error() if any check fails.
  • Forward-declare nvmet_tcp_fatal_error() for use from nvmet_tcp_build_pdu_iovec().
  • Guard nvmet_tcp_listen_data_ready() to only queue accept work if sk_state is TCP_LISTEN and a valid port is present; return early otherwise to avoid hangs on non-LISTEN sockets.
drivers/nvme/target/tcp.c
Fix trace event layout for function graph events and align trace macro usage with packed field handling to avoid misaligned access and field description bugs.
  • Introduce __field_desc_packed macros and use them for nested struct members in funcgraph_entry/exit tracepoints, while simplifying calltime/rettime fields.
  • Update trace_export.c and trace.h macro definitions so __field_packed applies to simple fields and __field_desc_packed applies to struct-member fields in both DECLARE_EVENT_CLASS and field enumeration paths.
  • Ensure field enumeration macros in the third phase ignore descriptor-based macros as appropriate.
kernel/trace/trace_entries.h
kernel/trace/trace_export.c
kernel/trace/trace.h
Harden skb header access in u32 classifier and introduce skb_header_pointer_careful() for user-controlled offsets.
  • Add skb_header_pointer_careful(), which checks for negative offsets exceeding skb_headroom and returns NULL instead of overflowing.
  • Switch u32_classify() sites to use skb_header_pointer_careful() for offset computations involving user-specified offsets (key->off, n->sel.hoff/offoff).
include/linux/skbuff.h
net/sched/cls_u32.c
Fix maple regcache error handling to free the correct object on MAS insertion failures and avoid memory leaks.
  • On MAS store failure, free the newly allocated entry and return the error immediately.
  • On success, free the lower and upper split nodes and return 0.
  • Avoid freeing lower/upper on error paths where entry should be freed instead.
drivers/base/regmap/regcache-maple.c
Add bounds checks to dpaa2-switch IRQ handler and disallow zero-interface DPSW devices.
  • In the IRQ handler, validate if_id against sw_attr.num_ifs and log+drop the IRQ if out-of-range.
  • In dpaa2_switch_init(), require sw_attr.num_ifs > 0 and bail out with -ENODEV if the switch reports no interfaces.
drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
Fix iSCSI target session and connection use-after-free by completing waiters outside the usage-count lock.
  • In iscsit_dec_session_usage_count() and iscsit_dec_conn_usage_count(), when usage_count reaches zero and waiting_on_uc is set, drop the spinlock before calling complete(), then return immediately.
  • Avoid completing under the lock, which could lead to use-after-free or lock-order issues.
drivers/target/iscsi/iscsi_target_util.c
Correct LoongArch protection_map for VM_NONE/VM_SHARED and enable ADE exception fixups for specific subcodes to avoid spurious crashes.
  • Adjust protection_map[VM_NONE/VM_SHARED] to use _PAGE_PRESENT when _PAGE_PROTNONE is zero, preventing an invalid combination of bits on non-PROTNONE hardware.
  • In do_ade(), decode esubcode from csr_estat and call fixup_exception(regs) for EXSUBCODE_ADEM; if it succeeds, skip sending SIGBUS and return via irqentry_exit().
arch/loongarch/mm/cache.c
arch/loongarch/kernel/traps.c
Fix binder and binderfs corner cases: more accurate frozen vs dead logging and correct binderfs minor allocation upper bounds.
  • Improve binder_transaction() dead/frozen logging to print PIDs in proc:thread order and differentiate between frozen and dead processes in error messages based on return_error.
  • In binderfs, adjust ida_alloc_max() upper bound to BINDERFS_MAX_MINOR-1 / BINDERFS_MAX_MINOR_CAPPED-1 to avoid allocating beyond the max index in both device create and ctl create paths.
drivers/android/binder.c
drivers/android/binderfs.c
Extend HID support/quirks for specific devices and fix i2c-hid buffer bounds.
  • Add third HP 5MP Chicony camera ID and ignore it, matching existing ignore quirks for similar devices.
  • Define Edifier vendor/device IDs and apply HID_QUIRK_ALWAYS_POLL to Edifier QR30 in hid-quirks.
  • Mark Intel ISH HID ishtp bus match to iterate device ID table and match any non-null GUID, allowing support for more client IDs.
  • For HID multitouch MT_CLS_VTL devices, add MT_QUIRK_STICKY_FINGERS to quirk set.
  • Initialize PlayStation gamepad joystick axes to 128 so they start centered and avoid bogus events on open.
  • In i2c-hid core, cap recv_len by ihid->bufsize minus the length field when getting input reports to prevent buffer overflow.
drivers/hid/hid-ids.h
drivers/hid/hid-quirks.c
drivers/hid/hid-multitouch.c
drivers/hid/hid-playstation.c
drivers/hid/i2c-hid/i2c-hid-core.c
drivers/hid/intel-ish-hid/ishtp/bus.c
drivers/hid/intel-ish-hid/ishtp-hid-client.c
Fix OCC hwmon attribute initialization annotation and prevent slab out-of-bounds in hfsplus unicode conversions by splitting APIs for names vs xattrs.
  • Annotate occ_init_attribute() with __printf for the format string position to satisfy compiler checks.
  • Refactor hfsplus_uni2asc() into a static helper with max_len parameter, and add public wrappers hfsplus_uni2asc_str() and hfsplus_uni2asc_xattr_str() for regular names vs. extended attribute names, using HFSPLUS_MAX_STRLEN and HFSPLUS_ATTR_MAX_STRLEN respectively.
  • Update dir and xattr paths to use the appropriate wrapper, and fix parameter order in header declaration.
drivers/hwmon/occ/common.c
fs/hfsplus/unicode.c
fs/hfsplus/dir.c
fs/hfsplus/xattr.c
fs/hfsplus/hfsplus_fs.h
Fix several SMB server/client resource leaks and durable handle corner cases.
  • In ksmbd create_smb2_pipe(), initialize id to -1 and always call ksmbd_session_rpc_close() for successful setups before error paths.
  • On durable-handle GUID mismatch with non-replay operation, call ksmbd_put_durable_fd() before bailing out to avoid leaking the fd, and adjust the reconnected durable-handle path to drop the fd before handling getattr errors.
  • In smb2_open_file(), free the previous error response buffer before retrying SMB2_open() without FILE_READ_ATTRIBUTES to avoid leaking the response.
fs/smb/server/smb2pdu.c
fs/smb/client/smb2file.c
Adjust BPF redirect neighbor handling stats and macvlan/mac80211 logic to fix statistics and interface lifetime races.
  • In BPF IPv4/IPv6 redirect neigh helpers, count failure paths as tx_dropped using dev_core_stats_tx_dropped_inc(dev) instead of incrementing tx_errors, aligning with ethtool expectations.
  • In macvlan_common_newlink(), always flush sources if a macvlan port exists, but only destroy the port when we actually created it in this call.
  • In mac80211, check CSA activity per-link (link->conf->csa_active) instead of only on vif.bss_conf.csa_active when creating concurrent interfaces, allocate a sinfo snapshot before drv_sta_state(NONE->NOTEXIST) to pass to cfg80211_del_sta_sinfo(), and avoid re-incrementing tailroom count for tainted keys when reenabling keys.
  • In OCB mode, skip rx_no_sta handling when the interface is not joined to avoid bogus station creation attempts.
  • Fix HE bitrate calculation overflow by using 64-bit tmp for multiplications/divisions and only assigning to result at the end.
  • Ensure skb headroom is sufficient in wlcore tx path by expanding skb head when needed before pushing the descriptor; free tx_id and return -EAGAIN on failure.
  • Clear skb->encapsulation in napi_gro_complete() before passing to gro_complete callbacks so GRO doesn’t propagate encapsulation flag incorrectly.
net/core/filter.c
drivers/net/macvlan.c
net/mac80211/iface.c
net/mac80211/sta_info.c
net/mac80211/key.c
net/mac80211/ocb.c
net/wireless/util.c
drivers/net/wireless/ti/wlcore/tx.c
net/core/gro.c
Tighten netfilter table/template registration and PIPAPO memory sizing checks, and fix logging API return codes.
  • Change nf_log_register(), ebt_register_template(), xt_register_template() to return -EBUSY instead of -EEXIST when an instance of the same type/proto already exists.
  • In nft_set_pipapo, clamp maximum map bucket size and allocation size to INT_MAX/sizeof(mt) in both resize and clone paths, and free partial allocations on error.
  • Fix nft_map_catchall_activate() to only clear elements that are currently active (genmask check was inverted).
net/netfilter/nf_log.c
net/bridge/netfilter/ebtables.c
net/netfilter/x_tables.c
net/netfilter/nft_set_pipapo.c
net/netfilter/nf_tables_api.c
Fix multiple small platform/driver issues across various subsystems (audio, BIOS config, AMDGPU, tipc, ring buffer, ARM memset64, etc.).
  • In AMD Renoir ACP PDM driver, free the per-stream runtime private data on pcm close to avoid leaks.
  • Add ASUS M6500RE DMI match to AMD acp6x-mach table to enable the correct audio card quirk.
  • Add HP Laptop 15s-eq1xxx mute LED quirk and TongFang X6AR55xU headset mic quirk to Realtek HDA fixup table, and follow-up fixup to ensure the TongFang headset mic quirk is applied consistently.
  • In hp-bioscfg, ignore attributes with empty names before looking for duplicates, preventing creation of unnamed BIOS attributes.
  • In toshiba_haps, allocate haps struct with devm_kzalloc() instead of kcalloc to fix lifetime and leak issues.
  • In intel telemetry debugfs/pltdrv, swap PSS arrays used for printing ltr_blocked vs wakeup events and use correct mask (TELEM_INFO_NENABLES_MASK) for event_regs.
  • In spi-hisi-kunpeng, retrieve the spi_controller via dev_get_drvdata(hs->dev) for debugfs naming instead of using driver_data.
  • In adin1110 and tlv320adcx140 drivers, check reset GPIO acquisition for errors with dev_err_probe() and bail early instead of printing info-only and continuing.
  • In tipc, use kfree_sensitive() instead of kfree() for session key material in both flush and RX work paths.
  • In ring_buffer_resize(), call cond_resched() while freeing pages after a shrink to avoid soft lockup.
  • Fix ARM memset64() for big-endian by swapping high/low halves depending on endianness.
  • In bfqg_stats_add_aux(), accumulate from->time into to->time instead of into itself.
  • Update kvm selftests Makefile to add -U_FORTIFY_SOURCE to CFLAGS to avoid unpredictable test failures.
  • Revert AMDGPU ASPM check that depended on PCIe subsystem status, effectively delegating ASPM decisions back to defaults.
  • Adjust ebtables and xtables template registration return codes to -EBUSY as above.
sound/soc/amd/renoir/acp3x-pdm-dma.c
sound/soc/amd/yc/acp6x-mach.c
sound/pci/hda/patch_realtek.c
drivers/platform/x86/hp/hp-bioscfg/bioscfg.c
drivers/platform/x86/toshiba_haps.c
drivers/platform/x86/intel/telemetry/debugfs.c
drivers/platform/x86/intel/telemetry/pltdrv.c
drivers/spi/spi-hisi-kunpeng.c
drivers/net/ethernet/adi/adin1110.c
sound/soc/codecs/tlv320adcx140.c
net/tipc/crypto.c
kernel/trace/ring_buffer.c
arch/arm/include/asm/string.h
block/bfq-cgroup.c
tools/testing/selftests/kvm/Makefile
drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
net/bridge/netfilter/ebtables.c
net/netfilter/x_tables.c
Update kernel version metadata and BFQ/btrfs space info bitfields to use bool.
  • Bump SUBLEVEL in top-level Makefile from 123 to 124.
  • Convert btrfs_space_info full/chunk_alloc/flush bitfields into bools and update callers to use true/false, including space-info reclaim and chunk allocation paths.
  • Ensure space_info->full and ->chunk_alloc are set correctly on ENOSPC and allocation retries, and clear flush when ticket queues are empty.
Makefile
fs/btrfs/space-info.c
fs/btrfs/space-info.h
fs/btrfs/block-group.c
block/bfq-cgroup.c
fs/btrfs/inode.c
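The skb_header_pointer_careful() entry above is worth seeing in motion. The following is an added user-space model written for this page, not the kernel's include/linux/skbuff.h code: the sk_buff carries only the head/data/tail pointers the check needs, skb_header_pointer() models only the kernel helper's linear fast path (the skb_copy_bits() fallback is not modelled), and the packet bytes, headroom and "stale" area before head are constructed for the demo. The hardened check is written in unsigned arithmetic rather than the kernel's `-offset > skb_headroom(skb)` so it has no signed overflow for INT_MIN; it is an assumption that the two forms are equivalent, which they are under the kernel's -fno-strict-overflow.

```c
/* Added example, not kernel code: a user-space model of the
 * skb_header_pointer_careful() hardening. The sk_buff carries only the
 * head/data/tail pointers the check needs; skb_header_pointer() models
 * the kernel helper's linear fast path only (no skb_copy_bits() fallback);
 * the packet bytes, headroom and "stale" area before head are constructed
 * for this demo. */
#include <stdio.h>
#include <string.h>

struct sk_buff {
    unsigned char *head;   /* start of the buffer */
    unsigned char *data;   /* current header start, e.g. the network header */
    unsigned char *tail;   /* end of valid packet bytes */
};

static unsigned int skb_headroom(const struct sk_buff *skb)
{
    return (unsigned int)(skb->data - skb->head);
}

static int skb_headlen(const struct sk_buff *skb)
{
    return (int)(skb->tail - skb->data);
}

/* Linear fast path of the kernel helper: the only test is
 * hlen - offset >= len. A negative offset makes the left side larger,
 * so the test always passes and data + offset may point before head. */
static void *skb_header_pointer(const struct sk_buff *skb, int offset,
                                int len, void *buffer)
{
    (void)buffer;                       /* copy fallback not modelled */
    if (skb_headlen(skb) - offset >= len)
        return skb->data + offset;
    return NULL;
}

/* Hardened variant: reject negative offsets that reach before head. The
 * kernel writes the test as -offset > skb_headroom(skb); here it is
 * computed in unsigned arithmetic so offset == INT_MIN has no signed
 * overflow (0u - (unsigned)INT_MIN is 2^31, still rejected). */
static void *skb_header_pointer_careful(const struct sk_buff *skb, int offset,
                                        int len, void *buffer)
{
    if (offset < 0 && 0u - (unsigned int)offset > skb_headroom(skb))
        return NULL;
    return skb_header_pointer(skb, offset, len, buffer);
}

/* Constructed memory layout: 64 bytes of unrelated "stale" memory before
 * the skb buffer ('S'), 32 bytes of headroom holding an already-pulled
 * link-layer header ('L'), then 40 bytes of packet body ('N'). */
enum { STALE = 64, HEADROOM = 32, BODY = 40 };

struct demo {
    unsigned char backing[STALE + HEADROOM + BODY];
    struct sk_buff skb;
};

static void build_demo(struct demo *d)
{
    memset(d->backing, 'S', STALE);
    memset(d->backing + STALE, 'L', HEADROOM);
    memset(d->backing + STALE + HEADROOM, 'N', BODY);
    d->skb.head = d->backing + STALE;
    d->skb.data = d->skb.head + HEADROOM;
    d->skb.tail = d->skb.data + BODY;
}

/* First byte a u32-style classifier would read at a user-chosen offset
 * from the network header, or -1 when the helper refuses. */
static int first_byte(const struct sk_buff *skb, int user_off, int careful)
{
    unsigned char buf[4];
    unsigned char *p = careful
        ? skb_header_pointer_careful(skb, user_off, (int)sizeof(buf), buf)
        : skb_header_pointer(skb, user_off, (int)sizeof(buf), buf);
    return p ? *p : -1;
}

int demo_unchecked_byte(int user_off)
{
    struct demo d;
    build_demo(&d);
    return first_byte(&d.skb, user_off, 0);
}

int demo_careful_byte(int user_off)
{
    struct demo d;
    build_demo(&d);
    return first_byte(&d.skb, user_off, 1);
}

int main(void)
{
    printf("offset -40 unchecked: '%c' (memory before the skb)\n",
           demo_unchecked_byte(-40));
    printf("offset -40 careful:   %d (rejected)\n", demo_careful_byte(-40));
    printf("offset -16 careful:   '%c' (link-layer bytes in headroom)\n",
           demo_careful_byte(-16));
    printf("offset 100 careful:   %d (past the linear data)\n",
           demo_careful_byte(100));
    return 0;
}
```

With a 32-byte headroom, offset -40 through the unchecked helper yields a pointer eight bytes before skb->head and reads the 'S' bytes that belong to whatever precedes the buffer; the careful variant returns NULL for it, still accepts -32 and -16 (inside the headroom, where cls_u32 legitimately reaches the link-layer header from the network header), and leaves positive offsets to the existing length check, which is why 100 is refused by both.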

@deepin-ci-robot left a comment

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from opsiff. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@sourcery-ai sourcery-ai bot left a comment

Hey - I've found 1 issue

Prompt for AI Agents
Please address the comments from this code review:

## Individual Comments

### Comment 1
<location> `drivers/base/regmap/regcache-maple.c:99-105` </location>
<code_context>

 	mas_unlock(&mas);

-	if (ret == 0) {
-		kfree(lower);
-		kfree(upper);
+	if (ret) {
+		kfree(entry);
+		return ret;
 	}
-	
-	return ret;
+	kfree(lower);
+	kfree(upper);
+	return 0;
 }
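Review bot: the asymmetry in this hunk is correct only because lower and upper are not fresh allocations. In regcache_maple_write() they are the adjacent entries that mas_find() located in the tree, which mas_store_gfp() replaces with entry on success, so they must be freed only when the store succeeded and left alone when it failed, since they are still linked into the tree; the object that the old `if (ret == 0)` path leaked on failure was entry, and that is what the early return now frees. A one-line comment above `kfree(lower)` saying the two are the merged neighbours just unlinked from the tree would stop this from reading as a leak to the next reviewer.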

</code_context>

<issue_to_address>
**issue (bug_risk):** On error, regcache_maple_write() now frees only `entry` but still leaks `lower` and `upper` allocations.

The original code leaked `entry` on error; the new version fixes that but now exits early on `ret != 0` after freeing only `entry`, so `lower` and `upper` are leaked. Please also free `lower` and `upper` before the early return, or refactor so all three allocations are always freed on both success and failure paths.
</issue_to_address>


Copilot AI left a comment

Pull request overview

Updates the Deepin 6.6-y kernel base to Linux 6.6.124, pulling in the upstream stable fixes across core subsystems (KVM, networking, filesystems, block, drivers, tracing, arch code).

Changes:

  • Bump kernel sublevel to 6.6.124.
  • Integrate upstream stable fixes across networking/storage/filesystems/drivers (incl. multiple bounds/race/memory-leak fixes).
  • Adjust KVM selftests build flags to reduce fortify-related flakiness.

Reviewed changes

Copilot reviewed 84 out of 84 changed files in this pull request and generated 3 comments.

File Description
Makefile Bump kernel sublevel to 6.6.124.
arch/arm/include/asm/string.h Fix memset64() behavior on big-endian.
arch/loongarch/kernel/traps.c Add exception fixup for specific ADE subcode.
arch/loongarch/mm/cache.c Correct protection_map handling for VM_NONE/VM_SHARED.
arch/x86/include/asm/kfence.h Fix KFENCE page protection on 32-bit non-PAE systems.
block/bfq-cgroup.c Fix aux stat accumulation target.
drivers/android/binder.c Improve BR_FROZEN_REPLY vs dead error logging.
drivers/android/binderfs.c Fix ida_alloc_max() upper bound for minor allocation.
drivers/base/regmap/regcache-maple.c Fix error-path cleanup in maple regcache write.
drivers/block/rbd.c Add EOD validation tied to lock ownership; move EOD check earlier.
drivers/block/ublk_drv.c Avoid deadlock by running request completion with softirqs disabled.
drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c Revert ASPM check behavior.
drivers/gpu/drm/mgag200/mgag200_bmc.c Convert polling loops to read_poll_timeout; tighten behavior.
drivers/gpu/drm/mgag200/mgag200_drv.h Add DAC read macro helper.
drivers/hid/hid-ids.h Add new USB IDs (Edifier QR30, Chicony camera).
drivers/hid/hid-multitouch.c Add MT_QUIRK_STICKY_FINGERS to MT_CLS_VTL.
drivers/hid/hid-playstation.c Center initial joystick axis values to avoid spurious events.
drivers/hid/hid-quirks.c Add new HID quirks/ignore-list entries.
drivers/hid/i2c-hid/i2c-hid-core.c Clamp recv_len to avoid potential buffer overflow.
drivers/hid/intel-ish-hid/ishtp-hid-client.c Reset enum_devices_done before enumeration.
drivers/hid/intel-ish-hid/ishtp/bus.c Improve bus match logic to support ID tables.
drivers/hwmon/occ/common.c Add __printf annotation for format checking.
drivers/net/ethernet/adi/adin1110.c Check/reset-gpio acquisition error handling.
drivers/net/ethernet/cavium/liquidio/lio_main.c Fix netdev init/cleanup ordering and off-by-one cleanup.
drivers/net/ethernet/cavium/liquidio/lio_vf_main.c Fix off-by-one cleanup behavior in setup error path.
drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c Add bounds checks for if_id and num_ifs==0 handling.
drivers/net/ethernet/google/gve/gve_ethtool.c Fix stats report parsing/indexing; adjust dropped counters and NIC stats offsets.
drivers/net/ethernet/google/gve/gve_main.c Allocate stats report sized by max queues.
drivers/net/macvlan.c Fix error recovery/teardown ordering for macvlan port.
drivers/net/usb/sr9700.c Add device ID for SR9700 variant w/ virtual CD-ROM interface.
drivers/net/wireless/ti/wlcore/tx.c Ensure skb headroom before skb_push; handle expand failure.
drivers/nvme/host/fc.c Release admin tagset on init failure.
drivers/nvme/target/tcp.c Add bounds checks in iovec build; fix listen callback state handling.
drivers/platform/x86/hp/hp-bioscfg/bioscfg.c Skip empty attribute names.
drivers/platform/x86/intel/telemetry/debugfs.c Fix swapped PSS debugfs arrays.
drivers/platform/x86/intel/telemetry/pltdrv.c Fix mask used for event_regs calculation.
drivers/platform/x86/toshiba_haps.c Convert allocation to devm_kzalloc() to avoid leaks.
drivers/pmdomain/imx/gpcv2.c Fix GPU handshake bit definitions and domain bits usage.
drivers/pmdomain/imx/imx8m-blk-ctrl.c Fix remove loop condition to avoid out-of-range access.
drivers/pmdomain/imx/imx8mp-blk-ctrl.c Add GENPD wakeup flags + notifier to prevent improper power-off.
drivers/pmdomain/qcom/rpmpd.c Fix corner clamping off-by-one.
drivers/spi/spi-hisi-kunpeng.c Fix debugfs node naming by using correct controller pointer.
drivers/spi/spi-tegra114.c Preserve SPI mode bits in def_command1_reg.
drivers/spi/spi-tegra20-slink.c Fix probe error path cleanup after IRQ retrieval failure.
drivers/spi/spi-tegra210-quad.c Fix races around curr_xfer; improve ISR thread behavior on timeout/spurious IRQs.
drivers/target/iscsi/iscsi_target_util.c Fix UAF by dropping locks before complete().
fs/btrfs/block-group.c Convert space-info flags to bool; fix full/chunk_alloc updates.
fs/btrfs/inode.c Fix transaction/path error handling in inline COW path.
fs/btrfs/space-info.c Convert space-info flush/full handling to bool and adjust logic.
fs/btrfs/space-info.h Change bitfields to bool to avoid racy bitfield writes.
fs/hfsplus/dir.c Switch to new uni2asc wrapper with correct max length.
fs/hfsplus/hfsplus_fs.h Replace hfsplus_uni2asc() with new public wrappers.
fs/hfsplus/unicode.c Add bounded uni2asc helpers and new wrappers.
fs/hfsplus/xattr.c Use xattr-specific unicode conversion wrapper.
fs/smb/client/smb2file.c Fix memory leak on retry path by freeing error response buffer.
fs/smb/server/smb2pdu.c Fix refcount leak / RPC close on error paths; reorder durable FD put.
include/linux/skbuff.h Add skb_header_pointer_careful() helper.
kernel/sched/rt.c Fix RT push race by validating head of pushable list after unlock.
kernel/trace/ring_buffer.c Avoid softlockup in resize by cond_resched() during large frees.
kernel/trace/trace.h Fix trace field macro definitions for packed/desc variants.
kernel/trace/trace_entries.h Fix ftrace event field packing/descriptor metadata.
kernel/trace/trace_export.c Align trace macro plumbing for packed/desc packed fields.
net/bridge/netfilter/ebtables.c Use -EBUSY instead of -EEXIST for template register conflicts.
net/core/filter.c Avoid touching dev->stats in BPF redirect paths; use core dropped counters.
net/core/gro.c Clear encapsulation flag on GRO complete for encapsulated inputs.
net/ipv6/ip6_fib.c Fix ECMP sibling count mismatch when clearing addrconf flags.
net/mac80211/iface.c Correctly check CSA active across links.
net/mac80211/key.c Avoid double incrementing tailroom need count for tainted keys.
net/mac80211/ocb.c Skip rx_no_sta when interface is not joined.
net/mac80211/sta_info.c Collect station statistics earlier during disconnect.
net/netfilter/nf_log.c Use -EBUSY instead of -EEXIST for logger registration conflicts.
net/netfilter/nf_tables_api.c Fix inverted genmask check in nft_map_catchall_activate().
net/netfilter/nft_set_pipapo.c Clamp allocation sizes to avoid overflow/invalid sizes.
net/netfilter/x_tables.c Use -EBUSY instead of -EEXIST for template registration conflicts.
net/sched/cls_u32.c Use skb_header_pointer_careful() to harden header access.
net/tipc/crypto.c Use kfree_sensitive() for session key material.
net/wireless/util.c Fix HE bitrate calculation overflow by using u64/div helpers.
sound/pci/hda/patch_realtek.c Add new Realtek quirk entries for HP/TongFang systems.
sound/soc/amd/renoir/acp3x-pdm-dma.c Fix memory leak by freeing per-stream private data on close.
sound/soc/amd/yc/acp6x-mach.c Add ASUS M6500RE quirk entry.
sound/soc/codecs/tlv320adcx140.c Propagate GPIO reset acquisition errors via dev_err_probe().
sound/soc/ti/davinci-evm.c Fix reference leaks by putting parsed OF nodes on error paths.
tools/testing/selftests/kvm/Makefile Add -U_FORTIFY_SOURCE to reduce test flakiness.
virt/kvm/eventfd.c Fix irqfd deassignment/routing handling; add lock/SRCU assertions.
Comments suppressed due to low confidence (1)

drivers/net/ethernet/google/gve/gve_ethtool.c:370

  • Similar to RX, tx_qid_to_stats_idx is populated using queue_id from the device report without bounds checking against num_tx_queues, and entries are not initialized before later lookup. Add bounds validation and initialize entries to a sentinel so missing/invalid queue IDs don’t result in using garbage indices into report_stats.
		u32 stat_name = be32_to_cpu(report_stats[stats_idx].stat_name);
		u32 queue_id = be32_to_cpu(report_stats[stats_idx].queue_id);

		if (stat_name == 0) {
			/* no stats written by NIC yet */
			skip_nic_stats = true;
			break;
		}
		tx_qid_to_stats_idx[queue_id] = stats_idx;


Comment on lines 286 to 287
u32 stat_name = be32_to_cpu(report_stats[stats_idx].stat_name);
u32 queue_id = be32_to_cpu(report_stats[stats_idx].queue_id);
Copilot AI Feb 12, 2026

queue_id is read from the device-provided stats report here and later used to index rx_qid_to_stats_idx (and to look up NIC stats) without any bounds checking. Please validate queue_id < priv->rx_cfg.num_queues and also initialize rx_qid_to_stats_idx to a sentinel (e.g., -1) so missing/invalid queue IDs can be detected and handled (e.g., fall back to skip_nic_stats).

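The two Copilot comments on gve_ethtool.c (the suppressed one on the TX map above and this one on the RX map) both ask for the same defensive pattern: initialize the queue-id-to-stats-index map to a sentinel, and refuse to index it with a queue_id taken from the device report unless it is below the queue count. The block below is an added, stand-alone C illustration of that pattern and is not the gve driver's code; the `struct stats_entry` layout, `BE32()` macro, `be32_load()`, `QID_UNSET` and the `demo_*` helpers are constructed for the example, and the sample report is made up.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for one entry of the device-written stats report.
 * Only the two big-endian fields the reviewed loop reads are modelled;
 * this is not the driver's own struct. */
struct stats_entry {
	uint8_t stat_name[4];
	uint8_t queue_id[4];
};

/* Build a big-endian 4-byte field from a host value (constructed data). */
#define BE32(v) { (uint8_t)((v) >> 24), (uint8_t)((v) >> 16), \
		  (uint8_t)((v) >> 8), (uint8_t)(v) }

/* Equivalent of be32_to_cpu() for the byte-array fields above. */
static uint32_t be32_load(const uint8_t b[4])
{
	return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
	       ((uint32_t)b[2] << 8) | (uint32_t)b[3];
}

#define QID_UNSET (-1)	/* sentinel: no valid report entry for this queue */

/*
 * Fill qid_to_idx[0..num_queues) from a device report. Every slot starts at
 * QID_UNSET, entries whose queue_id is out of range are counted and dropped
 * instead of being used as an index, and a zero stat_name ends the scan the
 * same way the reviewed loop does (NIC has not written stats yet).
 * Returns the number of rejected entries.
 */
static int build_qid_map(const struct stats_entry *report, size_t nentries,
			 uint32_t num_queues, int *qid_to_idx, int *skip_nic_stats)
{
	int rejected = 0;

	*skip_nic_stats = 0;
	for (uint32_t q = 0; q < num_queues; q++)
		qid_to_idx[q] = QID_UNSET;

	for (size_t i = 0; i < nentries; i++) {
		uint32_t stat_name = be32_load(report[i].stat_name);
		uint32_t queue_id = be32_load(report[i].queue_id);

		if (stat_name == 0) {
			*skip_nic_stats = 1;
			break;
		}
		if (queue_id >= num_queues) {
			rejected++;	/* device-supplied index outside our arrays */
			continue;
		}
		qid_to_idx[queue_id] = (int)i;
	}
	return rejected;
}

/* Constructed report for 4 queues: queue 7 is out of range, queue 1 absent. */
#define DEMO_NUM_QUEUES 4u
static const struct stats_entry demo_report[] = {
	{ BE32(0x11), BE32(0) },	/* index 0 -> queue 0 */
	{ BE32(0x12), BE32(7) },	/* index 1 -> queue 7: rejected */
	{ BE32(0x13), BE32(2) },	/* index 2 -> queue 2 */
	{ BE32(0x14), BE32(3) },	/* index 3 -> queue 3 */
};

/* Constructed report where the NIC has not written anything yet. */
static const struct stats_entry demo_empty_report[] = {
	{ BE32(0), BE32(0) },
};

/* Helpers exposing the results of the constructed scenarios. */
static int demo_rejected(void)
{
	int map[DEMO_NUM_QUEUES], skip;

	return build_qid_map(demo_report, 4, DEMO_NUM_QUEUES, map, &skip);
}

static int demo_idx_for_queue(uint32_t qid)
{
	int map[DEMO_NUM_QUEUES], skip;

	build_qid_map(demo_report, 4, DEMO_NUM_QUEUES, map, &skip);
	return qid < DEMO_NUM_QUEUES ? map[qid] : QID_UNSET;
}

static int demo_skip_flag(void)
{
	int map[DEMO_NUM_QUEUES], skip;

	build_qid_map(demo_empty_report, 1, DEMO_NUM_QUEUES, map, &skip);
	return skip;
}
```

The consumer side then treats `QID_UNSET` as "no NIC stats for this queue" rather than dereferencing whatever happened to be in the map slot, which is the fallback the comment suggests.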
Comment on lines +282 to +295
inline int hfsplus_uni2asc_str(struct super_block *sb,
const struct hfsplus_unistr *ustr, char *astr,
int *len_p)
{
return hfsplus_uni2asc(sb, ustr, HFSPLUS_MAX_STRLEN, astr, len_p);
}

inline int hfsplus_uni2asc_xattr_str(struct super_block *sb,
const struct hfsplus_attr_unistr *ustr,
char *astr, int *len_p)
{
return hfsplus_uni2asc(sb, (const struct hfsplus_unistr *)ustr,
HFSPLUS_ATTR_MAX_STRLEN, astr, len_p);
}
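Review bot: the `(const struct hfsplus_unistr *)ustr` cast in hfsplus_uni2asc_xattr_str() relies on struct hfsplus_attr_unistr and struct hfsplus_unistr sharing the same leading length field and unicode array placement, and nothing in the hunk states or checks that; a one-line comment, or a BUILD_BUG_ON() comparing offsetof(struct hfsplus_unistr, unicode) with offsetof(struct hfsplus_attr_unistr, unicode), would make the assumption explicit and catch a future divergence at build time.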

Copilot AI Feb 12, 2026


hfsplus_uni2asc_str() and hfsplus_uni2asc_xattr_str() are defined with inline but have external linkage (they’re declared as non-inline in hfsplus_fs.h and called from other .c files). With C99/C11 inline semantics this can result in no out-of-line definition being emitted and cause link failures/undefined references. Drop inline here (or make them static inline in the header and provide a non-inline definition in one TU).

Comment on lines +4126 to +4136
/* Variant of skb_header_pointer() where @offset is user-controlled
* and potentially negative.
*/
static inline void * __must_check
skb_header_pointer_careful(const struct sk_buff *skb, int offset,
int len, void *buffer)
{
if (unlikely(offset < 0 && -offset > skb_headroom(skb)))
return NULL;
return skb_header_pointer(skb, offset, len, buffer);
}

Copilot AI Feb 12, 2026


skb_header_pointer_careful() uses -offset when offset < 0. If offset == INT_MIN, negation overflows (UB) and hlen - offset in skb_header_pointer() can also overflow. Please rework the bounds check to avoid signed overflow (e.g., compare against headroom using a wider type/cast and explicitly handle offset == INT_MIN).

@opsiff opsiff merged commit 77c7fb4 into deepin-community:linux-6.6.y Feb 12, 2026
18 of 21 checks passed