- Linux-stable-mirror - lists.linaro.org

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.62 release. There are 49 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 12 Dec 2025 07:29:38 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.62-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.62-rc1 Daniele Palmas <dnlplm(a)gmail.com> bus: mhi: host: pci_generic: Add Telit FN990B40 modem support Daniele Palmas <dnlplm(a)gmail.com> bus: mhi: host: pci_generic: Add Telit FN920C04 modem support Navaneeth K <knavaneeth786(a)gmail.com> staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing Navaneeth K <knavaneeth786(a)gmail.com> staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing Navaneeth K <knavaneeth786(a)gmail.com> staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> comedi: check device's attached status in compat ioctls Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> comedi: multiq3: sanitize config options in multiq3_attach() Ian Abbott <abbotti(a)mev.co.uk> comedi: c6xdigio: Fix invalid PNP driver unregistration Zenm Chen <zenmchen(a)gmail.com> wifi: rtw88: Add USB ID 2001:3329 for D-Link AC13U rev. A1 Zenm Chen <zenmchen(a)gmail.com> wifi: rtl8xxxu: Add USB ID 2001:3328 for D-Link AN3U rev. A1 Linus Torvalds <torvalds(a)linux-foundation.org> samples: work around glibc redefining some of our defines wrong Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Mask all interrupts during kexec/kdump Naoki Ueki <naoki25519(a)gmail.com> HID: elecom: Add support for ELECOM M-XT3URBK (018F) Antheas Kapenekakis <lkml(a)antheas.dev> platform/x86/amd/pmc: Add spurious_8042 to Xbox Ally Antheas Kapenekakis <lkml(a)antheas.dev> platform/x86/amd: pmc: Add Lenovo Legion Go 2 to pmc quirk list Jia Ston <ston.jia(a)outlook.com> platform/x86: huawei-wmi: add keys for HONOR models April Grimoire <april(a)aprilg.moe> HID: apple: Add SONiX AK870 PRO to non_apple_keyboards quirk list Armin Wolf <W_Armin(a)gmx.de> platform/x86: acer-wmi: Ignore backlight event Praveen Talari <praveen.talari(a)oss.qualcomm.com> pinctrl: qcom: msm: Fix deadlock in pinmux configuration Keith Busch <kbusch(a)kernel.org> nvme: fix admin request_queue lifetime Mario Limonciello (AMD) <superm1(a)kernel.org> HID: hid-input: Extend Elan ignore battery quirk to USB Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> bfs: Reconstruct file type when loading from disk Lushih Hsieh <bruce(a)mail.kh.edu.tw> ALSA: usb-audio: Add native DSD quirks for PureAudio DAC series Harish Kasiviswanathan <Harish.Kasiviswanathan(a)amd.com> drm/amdkfd: Fix GPU mappings for APU after prefetch Yiqi Sun <sunyiqixm(a)gmail.com> smb: fix invalid username check in smb3_fs_context_parse_param() Max Chou <max.chou(a)realtek.com> Bluetooth: btrtl: Avoid loading the config file on security chips Ian Forbes <ian.forbes(a)broadcom.com> drm/vmwgfx: Use kref in vmw_bo_dirty Robin Gong <yibin.gong(a)nxp.com> spi: imx: keep dma request disabled before dma transfer setup Alvaro Gamez Machado <alvaro.gamez(a)hazent.com> spi: xilinx: increase number of retries before declaring stall Song Liu <song(a)kernel.org> ftrace: bpf: Fix IPMODIFY + DIRECT in modify_ftrace_direct() Johan Hovold <johan(a)kernel.org> USB: serial: kobil_sct: fix TIOCMBIS and TIOCMBIC Johan Hovold <johan(a)kernel.org> USB: serial: belkin_sa: fix TIOCMBIS and TIOCMBIC Magne Bruno <magne.bruno(a)addi-data.com> serial: add support of CPCI cards Johan Hovold <johan(a)kernel.org> USB: serial: ftdi_sio: match on interface number for jtag Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: move Telit 0x10c7 composition in the right place Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: add Telit Cinterion FE910C04 new compositions Slark Xiao <slark_xiao(a)163.com> USB: serial: option: add Foxconn T99W760 Omar Sandoval <osandov(a)fb.com> KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel() Alexey Nepomnyashih <sdl(a)nppct.ru> ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() Alexander Sverdlin <alexander.sverdlin(a)siemens.com> locking/spinlock/debug: Fix data-race in do_raw_write_lock Qianchang Zhao <pioooooooooip(a)gmail.com> ksmbd: ipc: fix use-after-free in ipc_msg_send_request Deepanshu Kartikey <kartikey406(a)gmail.com> ext4: refresh inline data size before write operations Ye Bin <yebin10(a)huawei.com> jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted Bagas Sanjaya <bagasdotme(a)gmail.com> Documentation: process: Also mention Sasha Levin as stable tree maintainer Sabrina Dubroca <sd(a)queasysnail.net> xfrm: flush all states in xfrm_state_fini Sabrina Dubroca <sd(a)queasysnail.net> xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added Sabrina Dubroca <sd(a)queasysnail.net> Revert "xfrm: destroy xfrm_state synchronously on net exit path" Sabrina Dubroca <sd(a)queasysnail.net> xfrm: delete x->tunnel as we delete x ------------- Diffstat: Documentation/process/2.Process.rst | 6 ++- Makefile | 4 +- arch/loongarch/kernel/machine_kexec.c | 2 + arch/x86/include/asm/kvm_host.h | 9 ++++ arch/x86/kvm/svm/svm.c | 24 +++++---- arch/x86/kvm/x86.c | 21 ++++++++ drivers/bluetooth/btrtl.c | 24 +++++---- drivers/bus/mhi/host/pci_generic.c | 52 +++++++++++++++++++ drivers/comedi/comedi_fops.c | 42 ++++++++++++--- drivers/comedi/drivers/c6xdigio.c | 46 ++++++++++++---- drivers/comedi/drivers/multiq3.c | 9 ++++ drivers/comedi/drivers/pcl818.c | 5 +- drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 2 + drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c | 12 ++--- drivers/hid/hid-apple.c | 1 + drivers/hid/hid-elecom.c | 6 ++- drivers/hid/hid-ids.h | 3 +- drivers/hid/hid-input.c | 5 +- drivers/hid/hid-quirks.c | 3 +- drivers/net/wireless/realtek/rtl8xxxu/core.c | 3 ++ drivers/net/wireless/realtek/rtw88/rtw8822cu.c | 2 + drivers/nvme/host/core.c | 3 +- drivers/pinctrl/qcom/pinctrl-msm.c | 2 +- drivers/platform/x86/acer-wmi.c | 4 ++ drivers/platform/x86/amd/pmc/pmc-quirks.c | 25 +++++++++ drivers/platform/x86/huawei-wmi.c | 4 ++ drivers/spi/spi-imx.c | 15 ++++-- drivers/spi/spi-xilinx.c | 2 +- drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 14 ++--- drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 13 +++-- drivers/tty/serial/8250/8250_pci.c | 37 +++++++++++++ drivers/usb/serial/belkin_sa.c | 28 ++++++---- drivers/usb/serial/ftdi_sio.c | 72 +++++++++----------------- drivers/usb/serial/kobil_sct.c | 18 +++---- drivers/usb/serial/option.c | 22 ++++++-- fs/bfs/inode.c | 19 ++++++- fs/ext4/inline.c | 14 ++++- fs/jbd2/transaction.c | 19 +++++-- fs/smb/client/fs_context.c | 2 +- fs/smb/server/transport_ipc.c | 7 ++- include/net/xfrm.h | 13 ++--- kernel/locking/spinlock_debug.c | 4 +- kernel/trace/ftrace.c | 40 ++++++++++---- net/ipv4/ipcomp.c | 2 + net/ipv6/ipcomp6.c | 2 + net/ipv6/xfrm6_tunnel.c | 2 +- net/key/af_key.c | 2 +- net/xfrm/xfrm_ipcomp.c | 1 - net/xfrm/xfrm_state.c | 41 ++++++--------- net/xfrm/xfrm_user.c | 2 +- samples/vfs/test-statx.c | 6 +++ samples/watch_queue/watch_test.c | 6 +++ sound/usb/quirks.c | 6 +++ 53 files changed, 521 insertions(+), 207 deletions(-)

4 hours, 42 minutes

13
61
0 0

[PATCH] erspan: Initialize options_len before referencing options.

by Frode Nordahl

The struct ip_tunnel_info has a flexible array member named options that is protected by a counted_by(options_len) attribute. The compiler will use this information to enforce runtime bounds checking deployed by FORTIFY_SOURCE string helpers. As laid out in the GCC documentation, the counter must be initialized before the first reference to the flexible array member. In the normal case the ip_tunnel_info_opts_set() helper is used which would initialize options_len properly, however in the GRE ERSPAN code a partial update is done, preventing the use of the helper function. Before this change the handling of ERSPAN traffic in GRE tunnels would cause a kernel panic when the kernel is compiled with GCC 15+ and having FORTIFY_SOURCE configured: memcpy: detected buffer overflow: 4 byte write of buffer size 0 Call Trace: <IRQ> __fortify_panic+0xd/0xf erspan_rcv.cold+0x68/0x83 ? ip_route_input_slow+0x816/0x9d0 gre_rcv+0x1b2/0x1c0 gre_rcv+0x8e/0x100 ? raw_v4_input+0x2a0/0x2b0 ip_protocol_deliver_rcu+0x1ea/0x210 ip_local_deliver_finish+0x86/0x110 ip_local_deliver+0x65/0x110 ? ip_rcv_finish_core+0xd6/0x360 ip_rcv+0x186/0x1a0 Link: https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html#index-co… Reported-at: https://launchpad.net/bugs/2129580 Fixes: bb5e62f2d547 ("net: Add options as a flexible array to struct ip_tunnel_info") Signed-off-by: Frode Nordahl <fnordahl(a)ubuntu.com> --- net/ipv4/ip_gre.c | 18 ++++++++++++++++-- net/ipv6/ip6_gre.c | 18 ++++++++++++++++-- 2 files changed, 32 insertions(+), 4 deletions(-) diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c index 761a53c6a89a..285a656c9e41 100644 --- a/net/ipv4/ip_gre.c +++ b/net/ipv4/ip_gre.c @@ -330,6 +330,22 @@ static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi, if (!tun_dst) return PACKET_REJECT; + /* The struct ip_tunnel_info has a flexible array member named + * options that is protected by a counted_by(options_len) + * attribute. + * + * The compiler will use this information to enforce runtime bounds + * checking deployed by FORTIFY_SOURCE string helpers. + * + * As laid out in the GCC documentation, the counter must be + * initialized before the first reference to the flexible array + * member. + * + * Link: https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html#index-co… + */ + info = &tun_dst->u.tun_info; + info->options_len = sizeof(*md); + /* skb can be uncloned in __iptunnel_pull_header, so * old pkt_md is no longer valid and we need to reset * it @@ -344,10 +360,8 @@ static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi, memcpy(md2, pkt_md, ver == 1 ? ERSPAN_V1_MDSIZE : ERSPAN_V2_MDSIZE); - info = &tun_dst->u.tun_info; __set_bit(IP_TUNNEL_ERSPAN_OPT_BIT, info->key.tun_flags); - info->options_len = sizeof(*md); } skb_reset_mac_header(skb); diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c index c82a75510c0e..eb840a11b93b 100644 --- a/net/ipv6/ip6_gre.c +++ b/net/ipv6/ip6_gre.c @@ -535,6 +535,22 @@ static int ip6erspan_rcv(struct sk_buff *skb, if (!tun_dst) return PACKET_REJECT; + /* The struct ip_tunnel_info has a flexible array member named + * options that is protected by a counted_by(options_len) + * attribute. + * + * The compiler will use this information to enforce runtime bounds + * checking deployed by FORTIFY_SOURCE string helpers. + * + * As laid out in the GCC documentation, the counter must be + * initialized before the first reference to the flexible array + * member. + * + * Link: https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html#index-co… + */ + info = &tun_dst->u.tun_info; + info->options_len = sizeof(*md); + /* skb can be uncloned in __iptunnel_pull_header, so * old pkt_md is no longer valid and we need to reset * it @@ -543,7 +559,6 @@ static int ip6erspan_rcv(struct sk_buff *skb, skb_network_header_len(skb); pkt_md = (struct erspan_metadata *)(gh + gre_hdr_len + sizeof(*ershdr)); - info = &tun_dst->u.tun_info; md = ip_tunnel_info_opts(info); md->version = ver; md2 = &md->u.md2; @@ -551,7 +566,6 @@ static int ip6erspan_rcv(struct sk_buff *skb, ERSPAN_V2_MDSIZE); __set_bit(IP_TUNNEL_ERSPAN_OPT_BIT, info->key.tun_flags); - info->options_len = sizeof(*md); ip6_tnl_rcv(tunnel, skb, tpi, tun_dst, log_ecn_error); -- 2.43.0

4 hours, 46 minutes

4
6
0 0

Re: Patch "media: ov02c10: Fix default vertical flip" has been added to the 6.18-stable tree

by Hans de Goede

Hi Sasha, On 13-Dec-25 10:35, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > media: ov02c10: Fix default vertical flip This fix is incomplete, leading to wrong colors and it causes the image to be upside down on some Dell XPS models where it currently is the right way up. There is a series of fixes which applies on top of this to fix both issues: https://lore.kernel.org/linux-media/20251210112436.167212-1-johannes.goede@… For now (without the fixes on top) we are better of not adding this patch to the stable series. Can you drop this patch please? Same for 6.17 and other stable series. Regards, Hans > > to the 6.18-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > media-ov02c10-fix-default-vertical-flip.patch > and it can be found in the queue-6.18 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. > > > > commit 14cc4474799a595caeccdb8fdf2ca4b867cef972 > Author: Sebastian Reichel <sre(a)kernel.org> > Date: Wed Aug 20 02:13:19 2025 +0200 > > media: ov02c10: Fix default vertical flip > > [ Upstream commit d5ebe3f7d13d4cee3ff7e718de23564915aaf163 ] > > The driver right now defaults to setting the vertical flip bit. This > conflicts with proper handling of the rotation property defined in > ACPI or device tree, so drop the VFLIP bit. It should be handled via > V4L2_CID_VFLIP instead. > > Reported-by: Frederic Stuyk <fstuyk(a)runbox.com> > Closes: https://lore.kernel.org/all/b6df9ae7-ea9f-4e5a-8065-5b130f534f37@runbox.com/ > Fixes: 44f89010dae0 ("media: i2c: Add Omnivision OV02C10 sensor driver") > Signed-off-by: Sebastian Reichel <sre(a)kernel.org> > Reviewed-by: Bryan O'Donoghue <bod(a)kernel.org> > Signed-off-by: Sakari Ailus <sakari.ailus(a)linux.intel.com> > Signed-off-by: Hans Verkuil <hverkuil+cisco(a)kernel.org> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/drivers/media/i2c/ov02c10.c b/drivers/media/i2c/ov02c10.c > index 8c4d85dc7922e..8e22ff446b0c4 100644 > --- a/drivers/media/i2c/ov02c10.c > +++ b/drivers/media/i2c/ov02c10.c > @@ -174,7 +174,7 @@ static const struct reg_sequence sensor_1928x1092_30fps_setting[] = { > {0x3816, 0x01}, > {0x3817, 0x01}, > > - {0x3820, 0xb0}, > + {0x3820, 0xa0}, > {0x3821, 0x00}, > {0x3822, 0x80}, > {0x3823, 0x08},

9 hours, 21 minutes

1
0
0 0

Re: Patch "RAS: Report all ARM processor CPER information to userspace" has been added to the 6.18-stable tree

by Mauro Carvalho Chehab

Hi Sacha, Em Sat, 13 Dec 2025 04:49:42 -0500 Sasha Levin <sashal(a)kernel.org> escreveu: > This is a note to let you know that I've just added the patch titled > > RAS: Report all ARM processor CPER information to userspace > > to the 6.18-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > ras-report-all-arm-processor-cper-information-to-use.patch > and it can be found in the queue-6.18 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. You should also backport this patch(*): 96b010536ee0 efi/cper: align ARM CPER type with UEFI 2.9A/2.10 specs It fixes a bug at the UEFI parser for the ARM Processor Error record: basically, the specs were not clear about how the error type should be reported. The Kernel implementation were assuming that this was an enum, but UEFI errata 2.9A make it clear that the value is a bitmap. So, basically, all kernels up to 6.18 are not parsing the field the expected way: only "Cache error" was properly reported. The other 3 types were wrong. (*) You could need to backport those patches as well: a976d790f494 efi/cper: Add a new helper function to print bitmasks 8ad2c72e21ef efi/cper: Adjust infopfx size to accept an extra space Regards, Mauro Thanks, Mauro

10 hours, 59 minutes

1
0
0 0

[PATCH net v2] erspan: Initialize options_len before referencing options.

by Frode Nordahl

The struct ip_tunnel_info has a flexible array member named options that is protected by a counted_by(options_len) attribute. The compiler will use this information to enforce runtime bounds checking deployed by FORTIFY_SOURCE string helpers. As laid out in the GCC documentation, the counter must be initialized before the first reference to the flexible array member. After scanning through the files that use struct ip_tunnel_info and also refer to options or options_len, it appears the normal case is to use the ip_tunnel_info_opts_set() helper. Said helper would initialize options_len properly before copying data into options, however in the GRE ERSPAN code a partial update is done, preventing the use of the helper function. Before this change the handling of ERSPAN traffic in GRE tunnels would cause a kernel panic when the kernel is compiled with GCC 15+ and having FORTIFY_SOURCE configured: memcpy: detected buffer overflow: 4 byte write of buffer size 0 Call Trace: <IRQ> __fortify_panic+0xd/0xf erspan_rcv.cold+0x68/0x83 ? ip_route_input_slow+0x816/0x9d0 gre_rcv+0x1b2/0x1c0 gre_rcv+0x8e/0x100 ? raw_v4_input+0x2a0/0x2b0 ip_protocol_deliver_rcu+0x1ea/0x210 ip_local_deliver_finish+0x86/0x110 ip_local_deliver+0x65/0x110 ? ip_rcv_finish_core+0xd6/0x360 ip_rcv+0x186/0x1a0 Cc: stable(a)vger.kernel.org Link: https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html#index-co… Reported-at: https://launchpad.net/bugs/2129580 Fixes: bb5e62f2d547 ("net: Add options as a flexible array to struct ip_tunnel_info") Signed-off-by: Frode Nordahl <fnordahl(a)ubuntu.com> --- v2: - target correct netdev tree and properly cc stable in commit message. - replace repeated long in-line comments and link with a single line. - document search for any similar offenses in the code base in commit message. v1: https://lore.kernel.org/all/20251212073202.13153-1-fnordahl@ubuntu.com/ net/ipv4/ip_gre.c | 6 ++++-- net/ipv6/ip6_gre.c | 6 ++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c index 761a53c6a89a..8178c44a3cdd 100644 --- a/net/ipv4/ip_gre.c +++ b/net/ipv4/ip_gre.c @@ -330,6 +330,10 @@ static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi, if (!tun_dst) return PACKET_REJECT; + /* MUST set options_len before referencing options */ + info = &tun_dst->u.tun_info; + info->options_len = sizeof(*md); + /* skb can be uncloned in __iptunnel_pull_header, so * old pkt_md is no longer valid and we need to reset * it @@ -344,10 +348,8 @@ static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi, memcpy(md2, pkt_md, ver == 1 ? ERSPAN_V1_MDSIZE : ERSPAN_V2_MDSIZE); - info = &tun_dst->u.tun_info; __set_bit(IP_TUNNEL_ERSPAN_OPT_BIT, info->key.tun_flags); - info->options_len = sizeof(*md); } skb_reset_mac_header(skb); diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c index c82a75510c0e..4603554d4c7f 100644 --- a/net/ipv6/ip6_gre.c +++ b/net/ipv6/ip6_gre.c @@ -535,6 +535,10 @@ static int ip6erspan_rcv(struct sk_buff *skb, if (!tun_dst) return PACKET_REJECT; + /* MUST set options_len before referencing options */ + info = &tun_dst->u.tun_info; + info->options_len = sizeof(*md); + /* skb can be uncloned in __iptunnel_pull_header, so * old pkt_md is no longer valid and we need to reset * it @@ -543,7 +547,6 @@ static int ip6erspan_rcv(struct sk_buff *skb, skb_network_header_len(skb); pkt_md = (struct erspan_metadata *)(gh + gre_hdr_len + sizeof(*ershdr)); - info = &tun_dst->u.tun_info; md = ip_tunnel_info_opts(info); md->version = ver; md2 = &md->u.md2; @@ -551,7 +554,6 @@ static int ip6erspan_rcv(struct sk_buff *skb, ERSPAN_V2_MDSIZE); __set_bit(IP_TUNNEL_ERSPAN_OPT_BIT, info->key.tun_flags); - info->options_len = sizeof(*md); ip6_tnl_rcv(tunnel, skb, tpi, tun_dst, log_ecn_error); -- 2.51.0

11 hours

1
0
0 0

[PATCH 6.12] LoongArch: Add machine_kexec_mask_interrupts() implementation

by Huacai Chen

Commit 863a320dc6fd7c855f47da4b ("LoongArch: Mask all interrupts during kexec/kdump") is backported to LTS branches, but they lack a generic machine_kexec_mask_interrupts() implementation, so add an arch-specific one. Signed-off-by: Tianyang Zhang <zhangtianyang(a)loongson.cn> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- 6.6LTS also need it if commit 863a320dc6fd7c855f47da4b is backported. arch/loongarch/kernel/machine_kexec.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/arch/loongarch/kernel/machine_kexec.c b/arch/loongarch/kernel/machine_kexec.c index 8ef4e4595d61..19bd763263d3 100644 --- a/arch/loongarch/kernel/machine_kexec.c +++ b/arch/loongarch/kernel/machine_kexec.c @@ -136,6 +136,28 @@ void kexec_reboot(void) BUG(); } +static void machine_kexec_mask_interrupts(void) +{ + unsigned int i; + struct irq_desc *desc; + + for_each_irq_desc(i, desc) { + struct irq_chip *chip; + + chip = irq_desc_get_chip(desc); + if (!chip) + continue; + + if (chip->irq_eoi && irqd_irq_inprogress(&desc->irq_data)) + chip->irq_eoi(&desc->irq_data); + + if (chip->irq_mask) + chip->irq_mask(&desc->irq_data); + + if (chip->irq_disable && !irqd_irq_disabled(&desc->irq_data)) + chip->irq_disable(&desc->irq_data); + } +} #ifdef CONFIG_SMP static void kexec_shutdown_secondary(void *regs) -- 2.47.3

11 hours, 22 minutes

2
1
0 0

[PATCH v2] ocfs2: fix kernel BUG in ocfs2_write_block

by Prithvi Tambewagh

When the filesystem is being mounted, the kernel panics while the data regarding slot map allocation to the local node, is being written to the disk. This occurs because the value of slot map buffer head block number, which should have been greater than or equal to `OCFS2_SUPER_BLOCK_BLKNO` (evaluating to 2) is less than it, indicative of disk metadata corruption. This triggers BUG_ON(bh->b_blocknr < OCFS2_SUPER_BLOCK_BLKNO) in ocfs2_write_block(), causing the kernel to panic. This is fixed by introducing an if condition block in ocfs2_update_disk_slot(), right before calling ocfs2_write_block(), which checks if `bh->b_blocknr` is lesser than `OCFS2_SUPER_BLOCK_BLKNO`; if yes, then ocfs2_error is called, which prints the error log, for debugging purposes, and the return value of ocfs2_error() is returned back to caller of ocfs2_update_disk_slot() i.e. ocfs2_find_slot(). If the return value is zero. then error code EIO is returned. Reported-by: syzbot+c818e5c4559444f88aa0(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=c818e5c4559444f88aa0 Tested-by: syzbot+c818e5c4559444f88aa0(a)syzkaller.appspotmail.com Cc: stable(a)vger.kernel.org Signed-off-by: Prithvi Tambewagh <activprithvi(a)gmail.com> --- v1->v2: - Remove usage of le16_to_cpu() from ocfs2_error() - Cast bh->b_blocknr to unsigned long long - Remove type casting for OCFS2_SUPER_BLOCK_BLKNO - Fix Sparse warnings reported in v1 by kernel test robot - Update title from 'ocfs2: Fix kernel BUG in ocfs2_write_block' to 'ocfs2: fix kernel BUG in ocfs2_write_block' v1 link: https://lore.kernel.org/all/20251206154819.175479-1-activprithvi@gmail.com/… fs/ocfs2/slot_map.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/fs/ocfs2/slot_map.c b/fs/ocfs2/slot_map.c index e544c704b583..e916a2e8f92d 100644 --- a/fs/ocfs2/slot_map.c +++ b/fs/ocfs2/slot_map.c @@ -193,6 +193,16 @@ static int ocfs2_update_disk_slot(struct ocfs2_super *osb, else ocfs2_update_disk_slot_old(si, slot_num, &bh); spin_unlock(&osb->osb_lock); + if (bh->b_blocknr < OCFS2_SUPER_BLOCK_BLKNO) { + status = ocfs2_error(osb->sb, + "Invalid Slot Map Buffer Head " + "Block Number : %llu, Should be >= %d", + (unsigned long long)bh->b_blocknr, + OCFS2_SUPER_BLOCK_BLKNO); + if (!status) + return -EIO; + return status; + } status = ocfs2_write_block(osb, bh, INODE_CACHE(si->si_inode)); if (status < 0) base-commit: 24172e0d79900908cf5ebf366600616d29c9b417 -- 2.43.0

12 hours, 18 minutes

3
2
0 0

[PATCH] scsi: be2iscsi: fix a memory leak in beiscsi_boot_get_sinfo()

by Haoxiang Li

If nonemb_cmd->va fails to be allocated, call free_mcc_wrb() to restore the impact caused by alloc_mcc_wrb(). Fixes: 50a4b824be9e ("scsi: be2iscsi: Fix to make boot discovery non-blocking") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <lihaoxiang(a)isrc.iscas.ac.cn> --- drivers/scsi/be2iscsi/be_mgmt.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/scsi/be2iscsi/be_mgmt.c b/drivers/scsi/be2iscsi/be_mgmt.c index 4e899ec1477d..b1cba986f0fb 100644 --- a/drivers/scsi/be2iscsi/be_mgmt.c +++ b/drivers/scsi/be2iscsi/be_mgmt.c @@ -1025,6 +1025,7 @@ unsigned int beiscsi_boot_get_sinfo(struct beiscsi_hba *phba) &nonemb_cmd->dma, GFP_KERNEL); if (!nonemb_cmd->va) { + free_mcc_wrb(ctrl, tag); mutex_unlock(&ctrl->mbox_lock); return 0; } -- 2.25.1

12 hours, 36 minutes

1
0
0 0

[PATCH] drm/amd/display: Apply e4479aecf658 to dml

by Nathan Chancellor

After an innocuous optimization change in clang-22, allmodconfig (which enables CONFIG_KASAN and CONFIG_WERROR) breaks with: drivers/gpu/drm/amd/amdgpu/../display/dc/dml/dcn32/display_mode_vba_32.c:1724:6: error: stack frame size (3144) exceeds limit (3072) in 'dml32_ModeSupportAndSystemConfigurationFull' [-Werror,-Wframe-larger-than] 1724 | void dml32_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_lib) | ^ With clang-21, this function was already pretty close to the existing limit of 3072 bytes. drivers/gpu/drm/amd/amdgpu/../display/dc/dml/dcn32/display_mode_vba_32.c:1724:6: error: stack frame size (2904) exceeds limit (2048) in 'dml32_ModeSupportAndSystemConfigurationFull' [-Werror,-Wframe-larger-than] 1724 | void dml32_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_lib) | ^ A similar situation occurred in dml2, which was resolved by commit e4479aecf658 ("drm/amd/display: Increase sanitizer frame larger than limit when compile testing with clang") by increasing the limit for clang when compile testing with certain sanitizer enabled, so that allmodconfig (an easy testing target) continues to work. Apply that same change to the dml folder to clear up the warning for allmodconfig, unbreaking the build. Cc: stable(a)vger.kernel.org Closes: https://github.com/ClangBuiltLinux/linux/issues/2135 Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- drivers/gpu/drm/amd/display/dc/dml/Makefile | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/display/dc/dml/Makefile b/drivers/gpu/drm/amd/display/dc/dml/Makefile index b357683b4255..268b5fbdb48b 100644 --- a/drivers/gpu/drm/amd/display/dc/dml/Makefile +++ b/drivers/gpu/drm/amd/display/dc/dml/Makefile @@ -30,7 +30,11 @@ dml_rcflags := $(CC_FLAGS_NO_FPU) ifneq ($(CONFIG_FRAME_WARN),0) ifeq ($(filter y,$(CONFIG_KASAN)$(CONFIG_KCSAN)),y) - frame_warn_limit := 3072 + ifeq ($(CONFIG_CC_IS_CLANG)$(CONFIG_COMPILE_TEST),yy) + frame_warn_limit := 4096 + else + frame_warn_limit := 3072 + endif else frame_warn_limit := 2048 endif --- base-commit: f24e96d69f5b9eb0f3b9c49e53c385c50729edfd change-id: 20251213-dml-bump-frame-warn-clang-sanitizers-0a34fc916aec Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

14 hours, 56 minutes

1
0
0 0

[PATCH] input: synaptics_i2c - cancel delayed work before freeing device

by Minseong Kim

synaptics_i2c_irq() schedules touch->dwork via mod_delayed_work(). The delayed work performs I2C transactions and may still be running (or get queued) when the device is removed. synaptics_i2c_remove() currently frees 'touch' without canceling touch->dwork. If removal happens while the work is pending/running, the work handler may dereference freed memory, leading to a potential use-after-free. Cancel the delayed work synchronously before unregistering/freeing the device. Fixes: eef3e4cab72e Input: add driver for Synaptics I2C touchpad Reported-by: Minseong Kim <ii4gsp(a)gmail.com> Cc: stable(a)vger.kernel.org Signed-off-by: Minseong Kim <ii4gsp(a)gmail.com> --- drivers/input/mouse/synaptics_i2c.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/input/mouse/synaptics_i2c.c b/drivers/input/mouse/synaptics_i2c.c index a0d707e47d93..fe30bf9aea3a 100644 --- a/drivers/input/mouse/synaptics_i2c.c +++ b/drivers/input/mouse/synaptics_i2c.c @@ -593,6 +593,8 @@ static void synaptics_i2c_remove(struct i2c_client *client) if (!polling_req) free_irq(client->irq, touch); + cancel_delayed_work_sync(&touch->dwork); + input_unregister_device(touch->input); kfree(touch); } -- 2.39.5

16 hours, 35 minutes

3
4
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror