- Linux-stable-mirror - lists.linaro.org

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.17.2 release. There are 26 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sun, 12 Oct 2025 13:13:18 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.17.2-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.17.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.17.2-rc1 Ankit Khushwaha <ankitkhushwaha.linux(a)gmail.com> ring buffer: Propagate __rb_map_vma return value to caller Chao Yu <chao(a)kernel.org> f2fs: fix to do sanity check on node footer for non inode dnode Sean Christopherson <seanjc(a)google.com> KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O Nalivayko Sergey <Sergey.Nalivayko(a)kaspersky.com> net/9p: fix double req put in p9_fd_cancelled Herbert Xu <herbert(a)gondor.apana.org.au> crypto: rng - Ensure set_ent is always present Herbert Xu <herbert(a)gondor.apana.org.au> crypto: zstd - Fix compression bug caused by truncation Herbert Xu <herbert(a)gondor.apana.org.au> Revert "crypto: testmgr - desupport SHA-1 for FIPS 140" Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> driver core/PM: Set power.no_callbacks along with power.no_pm Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> driver core: faux: Set power.no_pm for faux devices Ovidiu Panait <ovidiu.panait.oss(a)gmail.com> staging: axis-fifo: flush RX FIFO on read errors Ovidiu Panait <ovidiu.panait.oss(a)gmail.com> staging: axis-fifo: fix TX handling on copy_from_user() failure Ovidiu Panait <ovidiu.panait.oss(a)gmail.com> staging: axis-fifo: fix maximum TX packet length check Raphael Gallais-Pou <raphael.gallais-pou(a)foss.st.com> serial: stm32: allow selecting console when the driver is module Carlos Llamas <cmllamas(a)google.com> binder: fix double-free in dbitmap Max Kellermann <max.kellermann(a)ionos.com> drivers/misc/amd-sbi/Kconfig: select REGMAP_I2C Michael Walle <mwalle(a)kernel.org> nvmem: layouts: fix automatic module loading Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> serial: qcom-geni: Fix blocked task Rahul Rameshbabu <sergeantsagara(a)protonmail.com> rust: pci: fix incorrect platform reference in PCI driver unbind doc comment Rahul Rameshbabu <sergeantsagara(a)protonmail.com> rust: pci: fix incorrect platform reference in PCI driver probe doc comment Miguel Ojeda <ojeda(a)kernel.org> rust: block: fix `srctree/` links Miguel Ojeda <ojeda(a)kernel.org> rust: drm: fix `srctree/` links Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtl8xxxu: Don't claim USB ID 07b8:8188 Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtlwifi: rtl8192cu: Don't claim USB ID 07b8:8188 Zenm Chen <zenmchen(a)gmail.com> Bluetooth: btusb: Add USB ID 2001:332a for D-Link AX9U rev. A1 Xiaowei Li <xiaowei.li(a)simcom.com> USB: serial: option: add SIMCom 8230C compositions Mario Limonciello <mario.limonciello(a)amd.com> drm/amdgpu: Enable MES lr_compute_wa by default ------------- Diffstat: Makefile | 4 +- arch/x86/kvm/emulate.c | 9 +- arch/x86/kvm/kvm_emulate.h | 3 +- arch/x86/kvm/x86.c | 15 +- crypto/rng.c | 8 + crypto/testmgr.c | 5 + crypto/zstd.c | 2 +- drivers/android/dbitmap.h | 1 + drivers/base/faux.c | 1 + drivers/bluetooth/btusb.c | 2 + drivers/gpu/drm/amd/amdgpu/mes_v11_0.c | 6 + drivers/gpu/drm/amd/amdgpu/mes_v12_0.c | 5 + drivers/gpu/drm/amd/include/mes_v11_api_def.h | 3 +- drivers/gpu/drm/amd/include/mes_v12_api_def.h | 3 +- drivers/misc/amd-sbi/Kconfig | 1 + drivers/net/wireless/realtek/rtl8xxxu/core.c | 2 - .../net/wireless/realtek/rtlwifi/rtl8192cu/sw.c | 1 - drivers/nvmem/layouts.c | 13 ++ drivers/staging/axis-fifo/axis-fifo.c | 68 ++++---- drivers/tty/serial/Kconfig | 2 +- drivers/tty/serial/qcom_geni_serial.c | 176 ++------------------- drivers/usb/serial/option.c | 6 + fs/f2fs/f2fs.h | 4 +- fs/f2fs/gc.c | 4 +- fs/f2fs/node.c | 58 ++++--- fs/f2fs/node.h | 1 + fs/f2fs/recovery.c | 2 +- include/linux/device.h | 3 + kernel/trace/ring_buffer.c | 2 +- net/9p/trans_fd.c | 8 +- rust/kernel/block/mq/gen_disk.rs | 2 +- rust/kernel/drm/device.rs | 2 +- rust/kernel/drm/driver.rs | 2 +- rust/kernel/drm/file.rs | 2 +- rust/kernel/drm/gem/mod.rs | 2 +- rust/kernel/drm/ioctl.rs | 2 +- rust/kernel/pci.rs | 6 +- 37 files changed, 179 insertions(+), 257 deletions(-)

4 hours, 53 minutes

11
36
0 0

[PATCH 6.16 00/41] 6.16.12-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.16.12 release. There are 41 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sun, 12 Oct 2025 13:13:18 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.16.12-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.16.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.16.12-rc1 Ankit Khushwaha <ankitkhushwaha.linux(a)gmail.com> ring buffer: Propagate __rb_map_vma return value to caller Sean Christopherson <seanjc(a)google.com> KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O Nalivayko Sergey <Sergey.Nalivayko(a)kaspersky.com> net/9p: fix double req put in p9_fd_cancelled Herbert Xu <herbert(a)gondor.apana.org.au> crypto: rng - Ensure set_ent is always present Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> driver core/PM: Set power.no_callbacks along with power.no_pm Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> driver core: faux: Set power.no_pm for faux devices Ovidiu Panait <ovidiu.panait.oss(a)gmail.com> staging: axis-fifo: flush RX FIFO on read errors Ovidiu Panait <ovidiu.panait.oss(a)gmail.com> staging: axis-fifo: fix TX handling on copy_from_user() failure Ovidiu Panait <ovidiu.panait.oss(a)gmail.com> staging: axis-fifo: fix maximum TX packet length check Raphael Gallais-Pou <raphael.gallais-pou(a)foss.st.com> serial: stm32: allow selecting console when the driver is module Carlos Llamas <cmllamas(a)google.com> binder: fix double-free in dbitmap Max Kellermann <max.kellermann(a)ionos.com> drivers/misc/amd-sbi/Kconfig: select REGMAP_I2C Michael Walle <mwalle(a)kernel.org> nvmem: layouts: fix automatic module loading Arnaud Lecomte <contact(a)arnaud-lcm.com> hid: fix I2C read buffer overflow in raw_event() for mcp2221 Christoffer Sandberg <cs(a)tuxedo.de> platform/x86/amd/pmc: Add Stellaris Slim Gen6 AMD to spurious 8042 quirks list Duy Nguyen <duy.nguyen.rh(a)renesas.com> can: rcar_canfd: Fix controller mode setting Chen Yufeng <chenyufeng(a)iie.ac.cn> can: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled Jason Gunthorpe <jgg(a)ziepe.ca> iommufd: WARN if an object is aborted with an elevated refcount Lizhi Xu <lizhi.xu(a)windriver.com> netfs: Prevent duplicate unlocking David Sterba <dsterba(a)suse.com> btrfs: ref-verify: handle damaged extent root tree Jack Yu <jack.yu(a)realtek.com> ASoC: rt5682s: Adjust SAR ADC button mode to fix noise issue Shyam Sundar S K <Shyam-sundar.S-k(a)amd.com> platform/x86/amd/pmf: Support new ACPI ID AMDI0108 Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amdgpu/gfx11: Add Cleaner Shader Support for GFX11.0.1/11.0.4 GPUs hupu <hupu.gm(a)gmail.com> perf subcmd: avoid crash in exclude_cmds when excludes is empty Antheas Kapenekakis <lkml(a)antheas.dev> platform/x86: oxpec: Add support for OneXPlayer X1Pro EVA-02 aprilgrimoire <aprilgrimoire(a)proton.me> platform/x86/amd/pmc: Add MECHREVO Yilong15Pro to spurious_8042 list Mikulas Patocka <mpatocka(a)redhat.com> dm-integrity: limit MAX_TAG_SIZE to 255 Venkata Prasad Potturu <venkataprasad.potturu(a)amd.com> ASoC: amd: acp: Adjust pdm gain value Shuming Fan <shumingf(a)realtek.com> ASoC: rt712: avoid skipping the blind write Antheas Kapenekakis <lkml(a)antheas.dev> gpiolib: acpi: Ignore touchpad wakeup on GPD G1619-05 Rahul Rameshbabu <sergeantsagara(a)protonmail.com> rust: pci: fix incorrect platform reference in PCI driver probe doc comment Miguel Ojeda <ojeda(a)kernel.org> rust: block: fix `srctree/` links Miguel Ojeda <ojeda(a)kernel.org> rust: drm: fix `srctree/` links Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtl8xxxu: Don't claim USB ID 07b8:8188 Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtlwifi: rtl8192cu: Don't claim USB ID 07b8:8188 Zenm Chen <zenmchen(a)gmail.com> Bluetooth: btusb: Add USB ID 2001:332a for D-Link AX9U rev. A1 Xiaowei Li <xiaowei.li(a)simcom.com> USB: serial: option: add SIMCom 8230C compositions Fedor Pchelkin <pchelkin(a)ispras.ru> wifi: rtw89: fix use-after-free in rtw89_core_tx_kick_off_and_wait() Chih-Kang Chang <gary.chang(a)realtek.com> wifi: rtw89: mcc: stop TX during MCC prepare Mario Limonciello <mario.limonciello(a)amd.com> drm/amdgpu: Enable MES lr_compute_wa by default Shenghao Ding <shenghao-ding(a)ti.com> ALSA: hda/tas2781: Fix the order of TAS2781 calibrated-data ------------- Diffstat: Makefile | 4 +- arch/x86/kvm/emulate.c | 9 ++- arch/x86/kvm/kvm_emulate.h | 3 +- arch/x86/kvm/x86.c | 15 ++--- crypto/rng.c | 8 +++ drivers/android/dbitmap.h | 1 + drivers/base/faux.c | 1 + drivers/bluetooth/btusb.c | 2 + drivers/gpio/gpiolib-acpi-quirks.c | 12 ++++ drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 15 +++++ drivers/gpu/drm/amd/amdgpu/mes_v11_0.c | 6 ++ drivers/gpu/drm/amd/amdgpu/mes_v12_0.c | 5 ++ drivers/gpu/drm/amd/include/mes_v11_api_def.h | 3 +- drivers/gpu/drm/amd/include/mes_v12_api_def.h | 3 +- drivers/hid/hid-mcp2221.c | 4 ++ drivers/iommu/iommufd/device.c | 3 +- drivers/iommu/iommufd/iommufd_private.h | 3 +- drivers/iommu/iommufd/main.c | 4 ++ drivers/md/dm-integrity.c | 2 +- drivers/misc/amd-sbi/Kconfig | 1 + drivers/net/can/rcar/rcar_canfd.c | 7 ++- drivers/net/can/spi/hi311x.c | 33 ++++++----- drivers/net/wireless/realtek/rtl8xxxu/core.c | 2 - .../net/wireless/realtek/rtlwifi/rtl8192cu/sw.c | 1 - drivers/net/wireless/realtek/rtw89/chan.c | 35 +++++++++++ drivers/net/wireless/realtek/rtw89/chan.h | 2 + drivers/net/wireless/realtek/rtw89/core.c | 32 ++++++++-- drivers/net/wireless/realtek/rtw89/core.h | 37 +++++++++++- drivers/net/wireless/realtek/rtw89/pci.c | 3 +- drivers/net/wireless/realtek/rtw89/ser.c | 2 + drivers/nvmem/layouts.c | 13 +++++ drivers/platform/x86/amd/pmc/pmc-quirks.c | 15 +++++ drivers/platform/x86/amd/pmf/core.c | 1 + drivers/platform/x86/oxpec.c | 7 +++ drivers/staging/axis-fifo/axis-fifo.c | 68 ++++++++++------------ drivers/tty/serial/Kconfig | 2 +- drivers/usb/serial/option.c | 6 ++ fs/btrfs/ref-verify.c | 9 ++- fs/netfs/buffered_write.c | 2 +- include/linux/device.h | 3 + kernel/trace/ring_buffer.c | 2 +- net/9p/trans_fd.c | 8 +-- rust/kernel/block/mq/gen_disk.rs | 2 +- rust/kernel/drm/device.rs | 2 +- rust/kernel/drm/driver.rs | 2 +- rust/kernel/drm/file.rs | 2 +- rust/kernel/drm/gem/mod.rs | 2 +- rust/kernel/drm/ioctl.rs | 2 +- rust/kernel/pci.rs | 4 +- sound/pci/hda/tas2781_hda.c | 25 ++++++-- sound/soc/amd/acp/amd.h | 2 +- sound/soc/codecs/rt5682s.c | 17 +++--- sound/soc/codecs/rt712-sdca.c | 6 +- tools/lib/subcmd/help.c | 3 + 54 files changed, 339 insertions(+), 124 deletions(-)

6 hours, 18 minutes

11
51
0 0

[PATCH 6.12 00/35] 6.12.52-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.52 release. There are 35 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sun, 12 Oct 2025 13:13:18 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.52-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.52-rc1 Sean Christopherson <seanjc(a)google.com> KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O Nalivayko Sergey <Sergey.Nalivayko(a)kaspersky.com> net/9p: fix double req put in p9_fd_cancelled Herbert Xu <herbert(a)gondor.apana.org.au> crypto: rng - Ensure set_ent is always present Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> driver core/PM: Set power.no_callbacks along with power.no_pm Ovidiu Panait <ovidiu.panait.oss(a)gmail.com> staging: axis-fifo: flush RX FIFO on read errors Ovidiu Panait <ovidiu.panait.oss(a)gmail.com> staging: axis-fifo: fix TX handling on copy_from_user() failure Ovidiu Panait <ovidiu.panait.oss(a)gmail.com> staging: axis-fifo: fix maximum TX packet length check Raphael Gallais-Pou <raphael.gallais-pou(a)foss.st.com> serial: stm32: allow selecting console when the driver is module Carlos Llamas <cmllamas(a)google.com> binder: fix double-free in dbitmap Michael Walle <mwalle(a)kernel.org> nvmem: layouts: fix automatic module loading Arnaud Lecomte <contact(a)arnaud-lcm.com> hid: fix I2C read buffer overflow in raw_event() for mcp2221 Jeongjun Park <aha310510(a)gmail.com> ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Kill timer properly at removal Mario Limonciello <mario.limonciello(a)amd.com> drm/amdgpu: Enable MES lr_compute_wa by default Shaoyun Liu <shaoyun.liu(a)amd.com> drm/amd/include : Update MES v12 API for fence update Shaoyun Liu <shaoyun.liu(a)amd.com> drm/amd/include : MES v11 and v12 API header update Shaoyun Liu <shaoyun.liu(a)amd.com> drm/amd : Update MES API header file for v11 & v12 Christoffer Sandberg <cs(a)tuxedo.de> platform/x86/amd/pmc: Add Stellaris Slim Gen6 AMD to spurious 8042 quirks list Duy Nguyen <duy.nguyen.rh(a)renesas.com> can: rcar_canfd: Fix controller mode setting Chen Yufeng <chenyufeng(a)iie.ac.cn> can: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled Lizhi Xu <lizhi.xu(a)windriver.com> netfs: Prevent duplicate unlocking David Sterba <dsterba(a)suse.com> btrfs: ref-verify: handle damaged extent root tree Jack Yu <jack.yu(a)realtek.com> ASoC: rt5682s: Adjust SAR ADC button mode to fix noise issue Shyam Sundar S K <Shyam-sundar.S-k(a)amd.com> platform/x86/amd/pmf: Support new ACPI ID AMDI0108 hupu <hupu.gm(a)gmail.com> perf subcmd: avoid crash in exclude_cmds when excludes is empty aprilgrimoire <aprilgrimoire(a)proton.me> platform/x86/amd/pmc: Add MECHREVO Yilong15Pro to spurious_8042 list Mikulas Patocka <mpatocka(a)redhat.com> dm-integrity: limit MAX_TAG_SIZE to 255 Venkata Prasad Potturu <venkataprasad.potturu(a)amd.com> ASoC: amd: acp: Adjust pdm gain value Miguel Ojeda <ojeda(a)kernel.org> rust: block: fix `srctree/` links Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtl8xxxu: Don't claim USB ID 07b8:8188 Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtlwifi: rtl8192cu: Don't claim USB ID 07b8:8188 Zenm Chen <zenmchen(a)gmail.com> Bluetooth: btusb: Add USB ID 2001:332a for D-Link AX9U rev. A1 Xiaowei Li <xiaowei.li(a)simcom.com> USB: serial: option: add SIMCom 8230C compositions Duoming Zhou <duoming(a)zju.edu.cn> media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe Fedor Pchelkin <pchelkin(a)ispras.ru> wifi: rtw89: fix use-after-free in rtw89_core_tx_kick_off_and_wait() ------------- Diffstat: Makefile | 4 +- arch/x86/kvm/emulate.c | 9 ++- arch/x86/kvm/kvm_emulate.h | 3 +- arch/x86/kvm/x86.c | 15 +++-- crypto/rng.c | 8 +++ drivers/android/dbitmap.h | 1 + drivers/bluetooth/btusb.c | 2 + drivers/gpu/drm/amd/amdgpu/mes_v11_0.c | 6 ++ drivers/gpu/drm/amd/amdgpu/mes_v12_0.c | 5 ++ drivers/gpu/drm/amd/include/mes_v11_api_def.h | 47 +++++++++++++- drivers/gpu/drm/amd/include/mes_v12_api_def.h | 74 +++++++++++++++++++++- drivers/hid/hid-mcp2221.c | 4 ++ drivers/md/dm-integrity.c | 2 +- drivers/media/i2c/tc358743.c | 4 +- drivers/net/can/rcar/rcar_canfd.c | 7 +- drivers/net/can/spi/hi311x.c | 33 +++++----- drivers/net/wireless/realtek/rtl8xxxu/core.c | 2 - .../net/wireless/realtek/rtlwifi/rtl8192cu/sw.c | 1 - drivers/net/wireless/realtek/rtw89/core.c | 31 +++++++-- drivers/net/wireless/realtek/rtw89/core.h | 35 +++++++++- drivers/net/wireless/realtek/rtw89/pci.c | 3 +- drivers/net/wireless/realtek/rtw89/ser.c | 3 + drivers/nvmem/layouts.c | 13 ++++ drivers/platform/x86/amd/pmc/pmc-quirks.c | 15 +++++ drivers/platform/x86/amd/pmf/core.c | 1 + drivers/staging/axis-fifo/axis-fifo.c | 68 +++++++++----------- drivers/tty/serial/Kconfig | 2 +- drivers/usb/serial/option.c | 6 ++ fs/btrfs/ref-verify.c | 9 ++- fs/netfs/buffered_write.c | 2 +- include/linux/device.h | 3 + net/9p/trans_fd.c | 8 +-- rust/kernel/block/mq/gen_disk.rs | 2 +- sound/soc/amd/acp/amd.h | 2 +- sound/soc/codecs/rt5682s.c | 17 ++--- sound/usb/midi.c | 10 +-- tools/lib/subcmd/help.c | 3 + 37 files changed, 347 insertions(+), 113 deletions(-)

6 hours, 53 minutes

10
44
0 0

[for-linus][PATCH v2 2/2] tracing: Stop fortify-string from warning in tracing_mark_raw_write()

by Steven Rostedt

From: Steven Rostedt <rostedt(a)goodmis.org> The way tracing_mark_raw_write() records its data is that it has the following structure: struct { struct trace_entry; int id; char buf[]; }; But memcpy(&entry->id, buf, size) triggers the following warning when the size is greater than the id: ------------[ cut here ]------------ memcpy: detected field-spanning write (size 6) of single field "&entry->id" at kernel/trace/trace.c:7458 (size 4) WARNING: CPU: 7 PID: 995 at kernel/trace/trace.c:7458 write_raw_marker_to_buffer.isra.0+0x1f9/0x2e0 Modules linked in: CPU: 7 UID: 0 PID: 995 Comm: bash Not tainted 6.17.0-test-00007-g60b82183e78a-dirty #211 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 RIP: 0010:write_raw_marker_to_buffer.isra.0+0x1f9/0x2e0 Code: 04 00 75 a7 b9 04 00 00 00 48 89 de 48 89 04 24 48 c7 c2 e0 b1 d1 b2 48 c7 c7 40 b2 d1 b2 c6 05 2d 88 6a 04 01 e8 f7 e8 bd ff <0f> 0b 48 8b 04 24 e9 76 ff ff ff 49 8d 7c 24 04 49 8d 5c 24 08 48 RSP: 0018:ffff888104c3fc78 EFLAGS: 00010292 RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 1ffffffff6b363b4 RDI: 0000000000000001 RBP: ffff888100058a00 R08: ffffffffb041d459 R09: ffffed1020987f40 R10: 0000000000000007 R11: 0000000000000001 R12: ffff888100bb9010 R13: 0000000000000000 R14: 00000000000003e3 R15: ffff888134800000 FS: 00007fa61d286740(0000) GS:ffff888286cad000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000560d28d509f1 CR3: 00000001047a4006 CR4: 0000000000172ef0 Call Trace: <TASK> tracing_mark_raw_write+0x1fe/0x290 ? __pfx_tracing_mark_raw_write+0x10/0x10 ? security_file_permission+0x50/0xf0 ? rw_verify_area+0x6f/0x4b0 vfs_write+0x1d8/0xdd0 ? __pfx_vfs_write+0x10/0x10 ? __pfx_css_rstat_updated+0x10/0x10 ? count_memcg_events+0xd9/0x410 ? fdget_pos+0x53/0x5e0 ksys_write+0x182/0x200 ? __pfx_ksys_write+0x10/0x10 ? do_user_addr_fault+0x4af/0xa30 do_syscall_64+0x63/0x350 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7fa61d318687 Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff RSP: 002b:00007ffd87fe0120 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007fa61d286740 RCX: 00007fa61d318687 RDX: 0000000000000006 RSI: 0000560d28d509f0 RDI: 0000000000000001 RBP: 0000560d28d509f0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000006 R13: 00007fa61d4715c0 R14: 00007fa61d46ee80 R15: 0000000000000000 </TASK> ---[ end trace 0000000000000000 ]--- This is because fortify string sees that the size of entry->id is only 4 bytes, but it is writing more than that. But this is OK as the dynamic_array is allocated to handle that copy. The size allocated on the ring buffer was actually a bit too big: size = sizeof(*entry) + cnt; But cnt includes the 'id' and the buffer data, so adding cnt to the size of *entry actually allocates too much on the ring buffer. Change the allocation to: size = struct_size(entry, buf, cnt - sizeof(entry->id)); and the memcpy() to unsafe_memcpy() with an added justification. Cc: stable(a)vger.kernel.org Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: Andrew Morton <akpm(a)linux-foundation.org> Link: https://lore.kernel.org/20251011112032.77be18e4@gandalf.local.home Fixes: 64cf7d058a00 ("tracing: Have trace_marker use per-cpu data to read user space") Reported-by: syzbot+9a2ede1643175f350105(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/68e973f5.050a0220.1186a4.0010.GAE@google.com/ Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/trace.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index bbb89206a891..eb256378e65b 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -7441,7 +7441,8 @@ static ssize_t write_raw_marker_to_buffer(struct trace_array *tr, ssize_t written; size_t size; - size = sizeof(*entry) + cnt; + /* cnt includes both the entry->id and the data behind it. */ + size = struct_size(entry, buf, cnt - sizeof(entry->id)); buffer = tr->array_buffer.buffer; @@ -7455,7 +7456,10 @@ static ssize_t write_raw_marker_to_buffer(struct trace_array *tr, return -EBADF; entry = ring_buffer_event_data(event); - memcpy(&entry->id, buf, cnt); + unsafe_memcpy(&entry->id, buf, cnt, + "id and content already reserved on ring buffer" + "'buf' includes the 'id' and the data." + "'entry' was allocated with cnt from 'id'."); written = cnt; __buffer_unlock_commit(buffer, event); -- 2.51.0

7 hours, 10 minutes

1
0
0 0

[for-linus][PATCH v2 1/2] tracing: Fix tracing_mark_raw_write() to use buf and not ubuf

by Steven Rostedt

From: Steven Rostedt <rostedt(a)goodmis.org> The fix to use a per CPU buffer to read user space tested only the writes to trace_marker. But it appears that the selftests are missing tests to the trace_maker_raw file. The trace_maker_raw file is used by applications that writes data structures and not strings into the file, and the tools read the raw ring buffer to process the structures it writes. The fix that reads the per CPU buffers passes the new per CPU buffer to the trace_marker file writes, but the update to the trace_marker_raw write read the data from user space into the per CPU buffer, but then still used then passed the user space address to the function that records the data. Pass in the per CPU buffer and not the user space address. TODO: Add a test to better test trace_marker_raw. Cc: stable(a)vger.kernel.org Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Mark Rutland <mark.rutland(a)arm.com> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: Andrew Morton <akpm(a)linux-foundation.org> Link: https://lore.kernel.org/20251011035243.386098147@kernel.org Fixes: 64cf7d058a00 ("tracing: Have trace_marker use per-cpu data to read user space") Reported-by: syzbot+9a2ede1643175f350105(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/68e973f5.050a0220.1186a4.0010.GAE@google.com/ Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/trace.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index 0fd582651293..bbb89206a891 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -7497,12 +7497,12 @@ tracing_mark_raw_write(struct file *filp, const char __user *ubuf, if (tr == &global_trace) { guard(rcu)(); list_for_each_entry_rcu(tr, &marker_copies, marker_list) { - written = write_raw_marker_to_buffer(tr, ubuf, cnt); + written = write_raw_marker_to_buffer(tr, buf, cnt); if (written < 0) break; } } else { - written = write_raw_marker_to_buffer(tr, ubuf, cnt); + written = write_raw_marker_to_buffer(tr, buf, cnt); } return written; -- 2.51.0

7 hours, 10 minutes

1
0
0 0

[PATCH 6.6 00/28] 6.6.111-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.111 release. There are 28 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sun, 12 Oct 2025 13:13:18 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.111-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.111-rc1 Sean Christopherson <seanjc(a)google.com> KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O Nalivayko Sergey <Sergey.Nalivayko(a)kaspersky.com> net/9p: fix double req put in p9_fd_cancelled Herbert Xu <herbert(a)gondor.apana.org.au> crypto: rng - Ensure set_ent is always present Charlie Jenkins <charlie(a)rivosinc.com> riscv: mm: Do not restrict mmap address based on hint Charlie Jenkins <charlie(a)rivosinc.com> riscv: mm: Use hint address in mmap if available Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> driver core/PM: Set power.no_callbacks along with power.no_pm Ovidiu Panait <ovidiu.panait.oss(a)gmail.com> staging: axis-fifo: flush RX FIFO on read errors Ovidiu Panait <ovidiu.panait.oss(a)gmail.com> staging: axis-fifo: fix TX handling on copy_from_user() failure Ovidiu Panait <ovidiu.panait.oss(a)gmail.com> staging: axis-fifo: fix maximum TX packet length check Raphael Gallais-Pou <raphael.gallais-pou(a)foss.st.com> serial: stm32: allow selecting console when the driver is module Arnaud Lecomte <contact(a)arnaud-lcm.com> hid: fix I2C read buffer overflow in raw_event() for mcp2221 Jeongjun Park <aha310510(a)gmail.com> ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Kill timer properly at removal Christoffer Sandberg <cs(a)tuxedo.de> platform/x86/amd/pmc: Add Stellaris Slim Gen6 AMD to spurious 8042 quirks list Duy Nguyen <duy.nguyen.rh(a)renesas.com> can: rcar_canfd: Fix controller mode setting Chen Yufeng <chenyufeng(a)iie.ac.cn> can: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled David Sterba <dsterba(a)suse.com> btrfs: ref-verify: handle damaged extent root tree Jack Yu <jack.yu(a)realtek.com> ASoC: rt5682s: Adjust SAR ADC button mode to fix noise issue hupu <hupu.gm(a)gmail.com> perf subcmd: avoid crash in exclude_cmds when excludes is empty aprilgrimoire <aprilgrimoire(a)proton.me> platform/x86/amd/pmc: Add MECHREVO Yilong15Pro to spurious_8042 list Mikulas Patocka <mpatocka(a)redhat.com> dm-integrity: limit MAX_TAG_SIZE to 255 Venkata Prasad Potturu <venkataprasad.potturu(a)amd.com> ASoC: amd: acp: Adjust pdm gain value Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtlwifi: rtl8192cu: Don't claim USB ID 07b8:8188 Xiaowei Li <xiaowei.li(a)simcom.com> USB: serial: option: add SIMCom 8230C compositions Duoming Zhou <duoming(a)zju.edu.cn> media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe Duoming Zhou <duoming(a)zju.edu.cn> media: tuner: xc5000: Fix use-after-free in xc5000_release Ricardo Ribalda <ribalda(a)chromium.org> media: tunner: xc5000: Refactor firmware load Will Deacon <will(a)kernel.org> KVM: arm64: Fix softirq masking in FPSIMD register saving sequence ------------- Diffstat: Makefile | 4 +- arch/arm64/kernel/fpsimd.c | 8 ++- arch/riscv/include/asm/processor.h | 33 ++--------- arch/x86/kvm/emulate.c | 9 ++- arch/x86/kvm/kvm_emulate.h | 3 +- arch/x86/kvm/x86.c | 15 ++--- crypto/rng.c | 8 +++ drivers/hid/hid-mcp2221.c | 4 ++ drivers/md/dm-integrity.c | 2 +- drivers/media/i2c/tc358743.c | 4 +- drivers/media/tuners/xc5000.c | 41 ++++++------- drivers/net/can/rcar/rcar_canfd.c | 7 ++- drivers/net/can/spi/hi311x.c | 33 ++++++----- .../net/wireless/realtek/rtlwifi/rtl8192cu/sw.c | 1 - drivers/platform/x86/amd/pmc/pmc-quirks.c | 15 +++++ drivers/staging/axis-fifo/axis-fifo.c | 68 ++++++++++------------ drivers/tty/serial/Kconfig | 2 +- drivers/usb/serial/option.c | 6 ++ fs/btrfs/ref-verify.c | 9 ++- include/linux/device.h | 3 + net/9p/trans_fd.c | 8 +-- sound/soc/amd/acp/amd.h | 2 +- sound/soc/codecs/rt5682s.c | 17 +++--- sound/usb/midi.c | 10 ++-- tools/lib/subcmd/help.c | 3 + 25 files changed, 166 insertions(+), 149 deletions(-)

7 hours, 28 minutes

8
35
0 0

+ mm-prevent-poison-consumption-when-splitting-thp.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: prevent poison consumption when splitting THP has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-prevent-poison-consumption-when-splitting-thp.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Qiuxu Zhuo <qiuxu.zhuo(a)intel.com> Subject: mm: prevent poison consumption when splitting THP Date: Sat, 11 Oct 2025 15:55:19 +0800 When performing memory error injection on a THP (Transparent Huge Page) mapped to userspace on an x86 server, the kernel panics with the following trace. The expected behavior is to terminate the affected process instead of panicking the kernel, as the x86 Machine Check code can recover from an in-userspace #MC. mce: [Hardware Error]: CPU 0: Machine Check Exception: f Bank 3: bd80000000070134 mce: [Hardware Error]: RIP 10:<ffffffff8372f8bc> {memchr_inv+0x4c/0xf0} mce: [Hardware Error]: TSC afff7bbff88a ADDR 1d301b000 MISC 80 PPIN 1e741e77539027db mce: [Hardware Error]: PROCESSOR 0:d06d0 TIME 1758093249 SOCKET 0 APIC 0 microcode 80000320 mce: [Hardware Error]: Run the above through 'mcelog --ascii' mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel Kernel panic - not syncing: Fatal local machine check The root cause of this panic is that handling a memory failure triggered by an in-userspace #MC necessitates splitting the THP. The splitting process employs a mechanism, implemented in try_to_map_unused_to_zeropage(), which reads the sub-pages of the THP to identify zero-filled pages. However, reading the sub-pages results in a second in-kernel #MC, occurring before the initial memory_failure() completes, ultimately leading to a kernel panic. See the kernel panic call trace on the two #MCs. First Machine Check occurs // [1] memory_failure() // [2] try_to_split_thp_page() split_huge_page() split_huge_page_to_list_to_order() __folio_split() // [3] remap_page() remove_migration_ptes() remove_migration_pte() try_to_map_unused_to_zeropage() // [4] memchr_inv() // [5] Second Machine Check occurs // [6] Kernel panic [1] Triggered by accessing a hardware-poisoned THP in userspace, which is typically recoverable by terminating the affected process. [2] Call folio_set_has_hwpoisoned() before try_to_split_thp_page(). [3] Pass the RMP_USE_SHARED_ZEROPAGE remap flag to remap_page(). [4] Try to map the unused THP to zeropage. [5] Re-access sub-pages of the hw-poisoned THP in the kernel. [6] Triggered in-kernel, leading to a panic kernel. In Step[2], memory_failure() sets the poisoned flag on the sub-page of the THP by TestSetPageHWPoison() before calling try_to_split_thp_page(). As suggested by David Hildenbrand, fix this panic by not accessing to the poisoned sub-page of the THP during zeropage identification, while continuing to scan unaffected sub-pages of the THP for possible zeropage mapping. This prevents a second in-kernel #MC that would cause kernel panic in Step[4]. [ Credits to Andrew Zaborowski <andrew.zaborowski(a)intel.com> for his original fix that prevents passing the RMP_USE_SHARED_ZEROPAGE flag to remap_page() in Step[3] if the THP has the has_hwpoisoned flag set, avoiding access to the entire THP for zero-page identification. ] Link: https://lkml.kernel.org/r/20251011075520.320862-1-qiuxu.zhuo@intel.com Signed-off-by: Qiuxu Zhuo <qiuxu.zhuo(a)intel.com> Reported-by: Farrah Chen <farrah.chen(a)intel.com> Suggested-by: David Hildenbrand <david(a)redhat.com> Tested-by: Farrah Chen <farrah.chen(a)intel.com> Tested-by: Qiuxu Zhuo <qiuxu.zhuo(a)intel.com> Acked-by: Lance Yang <lance.yang(a)linux.dev> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Barry Song <baohua(a)kernel.org> Cc: Dev Jain <dev.jain(a)arm.com> Cc: Jiaqi Yan <jiaqiyan(a)google.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: "Luck, Tony" <tony.luck(a)intel.com> Cc: Mariano Pache <npache(a)redhat.com> Cc: Miaohe Lin <linmiaohe(a)huawei.com> Cc: Naoya Horiguchi <nao.horiguchi(a)gmail.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Zi Yan <ziy(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/huge_memory.c | 3 +++ mm/migrate.c | 3 ++- 2 files changed, 5 insertions(+), 1 deletion(-) --- a/mm/huge_memory.c~mm-prevent-poison-consumption-when-splitting-thp +++ a/mm/huge_memory.c @@ -4109,6 +4109,9 @@ static bool thp_underused(struct folio * if (khugepaged_max_ptes_none == HPAGE_PMD_NR - 1) return false; + if (folio_contain_hwpoisoned_page(folio)) + return false; + for (i = 0; i < folio_nr_pages(folio); i++) { if (pages_identical(folio_page(folio, i), ZERO_PAGE(0))) { if (++num_zero_pages > khugepaged_max_ptes_none) --- a/mm/migrate.c~mm-prevent-poison-consumption-when-splitting-thp +++ a/mm/migrate.c @@ -301,8 +301,9 @@ static bool try_to_map_unused_to_zeropag struct page *page = folio_page(folio, idx); pte_t newpte; - if (PageCompound(page)) + if (PageCompound(page) || PageHWPoison(page)) return false; + VM_BUG_ON_PAGE(!PageAnon(page), page); VM_BUG_ON_PAGE(!PageLocked(page), page); VM_BUG_ON_PAGE(pte_present(old_pte), page); _ Patches currently in -mm which might be from qiuxu.zhuo(a)intel.com are mm-prevent-poison-consumption-when-splitting-thp.patch

8 hours, 34 minutes

1
0
0 0

[PATCH v2 0/5] rtc: Fix problems with missing UIE irqs

by Esben Haabendal

This fixes a couple of different problems, that can cause RTC (alarm) irqs to be missing when generating UIE interrupts. The first commit fixes a long-standing problem, which has been documented in a comment since 2010. This fixes a race that could cause UIE irqs to stop being generated, which was easily reproduced by timing the use of RTC_UIE_ON ioctl with the seconds tick in the RTC. The last commit ensures that RTC (alarm) irqs are enabled whenever RTC_UIE_ON ioctl is used. The driver specific commits avoids kernel warnings about unbalanced enable_irq/disable_irq, which gets triggered on first RTC_UIE_ON with the last commit. Before this series, the same warning should be seen on initial RTC_AIE_ON with those drivers. Signed-off-by: Esben Haabendal <esben(a)geanix.com> --- Changes in v2: - Dropped patch for rtc-st-lpc driver. - Link to v1: https://lore.kernel.org/r/20241203-rtc-uie-irq-fixes-v1-0-01286ecd9f3f@gean… --- Esben Haabendal (5): rtc: interface: Fix long-standing race when setting alarm rtc: isl12022: Fix initial enable_irq/disable_irq balance rtc: cpcap: Fix initial enable_irq/disable_irq balance rtc: tps6586x: Fix initial enable_irq/disable_irq balance rtc: interface: Ensure alarm irq is enabled when UIE is enabled drivers/rtc/interface.c | 27 +++++++++++++++++++++++++++ drivers/rtc/rtc-cpcap.c | 1 + drivers/rtc/rtc-isl12022.c | 1 + drivers/rtc/rtc-tps6586x.c | 1 + 4 files changed, 30 insertions(+) --- base-commit: 82f2b0b97b36ee3fcddf0f0780a9a0825d52fec3 change-id: 20241203-rtc-uie-irq-fixes-f2838782d0f8 Best regards, -- Esben Haabendal <esben(a)geanix.com>

10 hours, 31 minutes

2
3
0 0

[PATCH] leds: leds-lp50xx: allow LED 0 to be added to module bank

by Christian Hitz

From: Christian Hitz <christian.hitz(a)bbv.ch> led_banks contains LED module number(s) that should be grouped into the module bank. led_banks is 0-initialized. By checking the led_banks entries for 0, un-set entries are detected. But a 0-entry also indicates that LED module 0 should be grouped into the module bank. By only iterating over the available entries no check for unused entries is required and LED module 0 can be added to bank. Signed-off-by: Christian Hitz <christian.hitz(a)bbv.ch> Cc: stable(a)vger.kernel.org --- drivers/leds/leds-lp50xx.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/drivers/leds/leds-lp50xx.c b/drivers/leds/leds-lp50xx.c index 94f8ef6b482c..d50c7f3e8f99 100644 --- a/drivers/leds/leds-lp50xx.c +++ b/drivers/leds/leds-lp50xx.c @@ -341,17 +341,15 @@ static int lp50xx_brightness_set(struct led_classdev *cdev, return ret; } -static int lp50xx_set_banks(struct lp50xx *priv, u32 led_banks[]) +static int lp50xx_set_banks(struct lp50xx *priv, u32 led_banks[], int num_leds) { u8 led_config_lo, led_config_hi; u32 bank_enable_mask = 0; int ret; int i; - for (i = 0; i < priv->chip_info->max_modules; i++) { - if (led_banks[i]) - bank_enable_mask |= (1 << led_banks[i]); - } + for (i = 0; i < num_leds; i++) + bank_enable_mask |= (1 << led_banks[i]); led_config_lo = bank_enable_mask; led_config_hi = bank_enable_mask >> 8; @@ -405,7 +403,7 @@ static int lp50xx_probe_leds(struct fwnode_handle *child, struct lp50xx *priv, return ret; } - ret = lp50xx_set_banks(priv, led_banks); + ret = lp50xx_set_banks(priv, led_banks, num_leds); if (ret) { dev_err(priv->dev, "Cannot setup banked LEDs\n"); return ret; -- 2.51.0

14 hours, 36 minutes

2
1
0 0

[PATCH] ALSA: usb-audio: apply quirk for Huawei Technologies Co., Ltd. CM-Q3

by Cryolitia PukNgae

There're several different actual hardwares sold by Huawei, using the same USB ID 12d1:3a07. The first one we found, having a volume control named "Headset Playback Volume", reports a min value -15360, and will mute iff setting it to -15360. It can be simply fixed by quirk flag MIXER_PLAYBACK_MIN_MUTE, which we have already submitted previously.[1] The second one we found today, having a volume control named "PCM Playback Volume", reports its min -11520 and res 256, and will mute when less than -11008. Because of the already existing quirk flag, we can just set its min to -11264, and the new minimum value will still not be available to userspace, so that userspace's minimum will be the correct -11008. 1. https://lore.kernel.org/all/20250903-sound-v1-3-d4ca777b8512@uniontech.com/ Tested-by: Guoli An <anguoli(a)uniontech.com> Signed-off-by: Cryolitia PukNgae <cryolitia.pukngae(a)linux.dev> --- sound/usb/mixer.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c index 34bcbfd8b54e66abc0229eefd354eb7bc4c01576..ae412e651faf905c9f7d600de8e19c51995cd3f9 100644 --- a/sound/usb/mixer.c +++ b/sound/usb/mixer.c @@ -1189,6 +1189,13 @@ static void volume_control_quirks(struct usb_mixer_elem_info *cval, cval->min = -14208; /* Mute under it */ } break; + case USB_ID(0x12d1, 0x3a07): /* Huawei Technologies Co., Ltd. CM-Q3 */ + if (!strcmp(kctl->id.name, "PCM Playback Volume")) { + usb_audio_info(chip, + "set volume quirk for Huawei Technologies Co., Ltd. CM-Q3\n"); + cval->min = -11264; /* Mute under it */ + } + break; } } --- base-commit: 7e9827afc78073096149cf3565ba668fe2ef4831 change-id: 20251011-sound_quirk-6a8326325451 Best regards, -- Cryolitia PukNgae <cryolitia.pukngae(a)linux.dev>

16 hours, 2 minutes

3
2
0 0

[PATCH] pidfs: fix ERR_PTR dereference in pidfd_info()

by Zhen Ni

pidfd_pid() may return an ERR_PTR() when the file does not refer to a valid pidfs file. Currently pidfd_info() calls pid_in_current_pidns() directly on the returned value, which risks dereferencing an ERR_PTR. Fix it by explicitly checking IS_ERR(pid) and returning PTR_ERR(pid) before further use. Fixes: 7477d7dce48a ("pidfs: allow to retrieve exit information") Cc: stable(a)vger.kernel.org Signed-off-by: Zhen Ni <zhen.ni(a)easystack.cn> --- fs/pidfs.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/pidfs.c b/fs/pidfs.c index 0ef5b47d796a..16670648bb09 100644 --- a/fs/pidfs.c +++ b/fs/pidfs.c @@ -314,6 +314,9 @@ static long pidfd_info(struct file *file, unsigned int cmd, unsigned long arg) if (copy_from_user(&mask, &uinfo->mask, sizeof(mask))) return -EFAULT; + if (IS_ERR(pid)) + return PTR_ERR(pid); + /* * Restrict information retrieval to tasks within the caller's pid * namespace hierarchy. -- 2.20.1

17 hours, 28 minutes

2
1
0 0

[PATCH] fs: Fix uninitialized 'offp' in statmount_string()

by Zhen Ni

In statmount_string(), most flags assign an output offset pointer (offp) which is later updated with the string offset. However, the STATMOUNT_MNT_UIDMAP and STATMOUNT_MNT_GIDMAP cases directly set the struct fields instead of using offp. This leaves offp uninitialized, leading to a possible uninitialized dereference when *offp is updated. Fix it by assigning offp for UIDMAP and GIDMAP as well, keeping the code path consistent. Fixes: 37c4a9590e1e ("statmount: allow to retrieve idmappings") Cc: stable(a)vger.kernel.org Signed-off-by: Zhen Ni <zhen.ni(a)easystack.cn> --- fs/namespace.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/namespace.c b/fs/namespace.c index d82910f33dc4..5b5ab2ae238b 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -5454,11 +5454,11 @@ static int statmount_string(struct kstatmount *s, u64 flag) ret = statmount_sb_source(s, seq); break; case STATMOUNT_MNT_UIDMAP: - sm->mnt_uidmap = start; + offp = &sm->mnt_uidmap; ret = statmount_mnt_uidmap(s, seq); break; case STATMOUNT_MNT_GIDMAP: - sm->mnt_gidmap = start; + offp = &sm->mnt_gidmap; ret = statmount_mnt_gidmap(s, seq); break; default: -- 2.20.1

17 hours, 39 minutes

1
0
0 0

[REGRESSION] bisected: perf: hang when using async-profiler caused by perf: Fix the POLL_HUP delivery breakage

by Octavia Togami

Using async-profiler (https://github.com/async-profiler/async-profiler/) on Linux 6.17.1-arch1-1 causes a complete hang of the CPU. This has been reported by many people at https://github.com/lucko/spark/issues/530. spark is a piece of software that uses async-profiler internally. As seen in https://github.com/lucko/spark/issues/530#issuecomment-3339974827, this was bisected to 18dbcbfabfffc4a5d3ea10290c5ad27f22b0d240 perf: Fix the POLL_HUP delivery breakage. Reverting this commit on 6.17.1 fixed the issue for me. Steps to reproduce: 1. Get a copy of async-profiler. I tested both v3 (affects older spark versions) and v4.1 (latest at time of writing). Unarchive it, this is <async-profiler-dir>. 2. Set kernel parameters kernel.perf_event_paranoid=1 and kernel.kptr_restrict=0 as instructed by https://github.com/async-profiler/async-profiler/blob/fb673227c7fb311f872ce… 3. Install a version of Java that comes with jshell, i.e. Java 9 or newer. Note: jshell is used for ease of reproduction. Any Java application that is actively running will work. 4. Run `printf 'int acc; while (true) { acc++; }' | jshell -`. This will start an infinitely running Java process. 5. Run `jps` and take the PID next to the text RemoteExecutionControl -- this is the process that was just started. 6. Attach async-profiler to this process by running `<async-profiler-dir>/bin/asprof -d 1 <PID>`. This will run for one second, then the system should freeze entirely shortly thereafter. I triggered a sysrq crash while the system was frozen, and the output I found in journalctl afterwards is at https://gist.github.com/octylFractal/76611ee76060051e5efc0c898dd0949e I'm not sure if that text is actually from the triggered crash, but it seems relevant. If needed, please tell me how to get the actual crash report, I'm not sure where it is. I'm using an AMD Ryzen 9 5900X 12-Core Processor. Given that I've seen no Intel reports, it may be AMD specific. I don't have an Intel CPU on hand to test with. /proc/version: Linux version 6.17.1-arch1-1 (linux@archlinux) (gcc (GCC) 15.2.1 20250813, GNU ld (GNU Binutils) 2.45.0) #1 SMP PREEMPT_DYNAMIC Mon, 06 Oct 2025 18:48:29 +0000 Operating System: Arch Linux uname -mi: x86_64 unknown

18 hours, 21 minutes

1
0
0 0

[PATCH net v3] r8152: add error handling in rtl8152_driver_init

by yicongsrfy＠163.com

From: Yi Cong <yicong(a)kylinos.cn> rtl8152_driver_init missing error handling. If cannot register rtl8152_driver, rtl8152_cfgselector_driver should be deregistered. Fixes: ec51fbd1b8a2 ("r8152: add USB device driver for config selection") Cc: stable(a)vger.kernel.org Signed-off-by: Yi Cong <yicong(a)kylinos.cn> Reviewed-by: Simon Horman <horms(a)kernel.org> --- v2: replacing return 0 with return ret and adding Cc stable v3: delete the redundant return ret --- drivers/net/usb/r8152.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c index 44cba7acfe7d..a22d4bb2cf3b 100644 --- a/drivers/net/usb/r8152.c +++ b/drivers/net/usb/r8152.c @@ -10122,7 +10122,12 @@ static int __init rtl8152_driver_init(void) ret = usb_register_device_driver(&rtl8152_cfgselector_driver, THIS_MODULE); if (ret) return ret; - return usb_register(&rtl8152_driver); + + ret = usb_register(&rtl8152_driver); + if (ret) + usb_deregister_device_driver(&rtl8152_cfgselector_driver); + + return ret; } static void __exit rtl8152_driver_exit(void) -- 2.25.1

18 hours, 28 minutes

1
0
0 0

[PATCH] drm/mediatek: fix device use-after-free on unbind

by Johan Hovold

A recent change fixed device reference leaks when looking up drm platform device driver data during bind() but failed to remove a partial fix which had been added by commit 80805b62ea5b ("drm/mediatek: Fix kobject put for component sub-drivers"). This results in a reference imbalance on component bind() failures and on unbind() which could lead to a user-after-free. Make sure to only drop the references after retrieving the driver data by effectively reverting the previous partial fix. Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference. Fixes: 1f403699c40f ("drm/mediatek: Fix device/node reference count leaks in mtk_drm_get_all_drm_priv") Reported-by: Sjoerd Simons <sjoerd(a)collabora.com> Link: https://lore.kernel.org/r/20251003-mtk-drm-refcount-v1-1-3b3f2813b0db@colla… Cc: stable(a)vger.kernel.org Cc: Ma Ke <make24(a)iscas.ac.cn> Cc: AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/gpu/drm/mediatek/mtk_drm_drv.c | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c index 384b0510272c..a94c51a83261 100644 --- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c +++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c @@ -686,10 +686,6 @@ static int mtk_drm_bind(struct device *dev) for (i = 0; i < private->data->mmsys_dev_num; i++) private->all_drm_private[i]->drm = NULL; err_put_dev: - for (i = 0; i < private->data->mmsys_dev_num; i++) { - /* For device_find_child in mtk_drm_get_all_priv() */ - put_device(private->all_drm_private[i]->dev); - } put_device(private->mutex_dev); return ret; } @@ -697,18 +693,12 @@ static int mtk_drm_bind(struct device *dev) static void mtk_drm_unbind(struct device *dev) { struct mtk_drm_private *private = dev_get_drvdata(dev); - int i; /* for multi mmsys dev, unregister drm dev in mmsys master */ if (private->drm_master) { drm_dev_unregister(private->drm); mtk_drm_kms_deinit(private->drm); drm_dev_put(private->drm); - - for (i = 0; i < private->data->mmsys_dev_num; i++) { - /* For device_find_child in mtk_drm_get_all_priv() */ - put_device(private->all_drm_private[i]->dev); - } put_device(private->mutex_dev); } private->mtk_drm_bound = false; -- 2.49.1

18 hours, 55 minutes

3
2
0 0

[PATCH v2] ALSA: hda: Fix missing pointer check in hda_component_manager_init function

by Denis Arefev

The __component_match_add function may assign the 'matchptr' pointer the value ERR_PTR(-ENOMEM), which will subsequently be dereferenced. The call stack leading to the error looks like this: hda_component_manager_init |-> component_match_add |-> component_match_add_release |-> __component_match_add ( ... ,**matchptr, ... ) |-> *matchptr = ERR_PTR(-ENOMEM); // assign |-> component_master_add_with_match( ... match) |-> component_match_realloc(match, match->num); // dereference Add IS_ERR() check to prevent the crash. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: ae7abe36e352 ("ALSA: hda/realtek: Add CS35L41 support for Thinkpad laptops") Cc: stable(a)vger.kernel.org Signed-off-by: Denis Arefev <arefev(a)swemel.ru> --- V1 -> V2: Changed tag Fixes Add print to log an error it as Stefan Binding <sbinding(a)opensource.cirrus.com> suggested sound/hda/codecs/side-codecs/hda_component.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sound/hda/codecs/side-codecs/hda_component.c b/sound/hda/codecs/side-codecs/hda_component.c index bcf47a301697..603a9b8ca481 100644 --- a/sound/hda/codecs/side-codecs/hda_component.c +++ b/sound/hda/codecs/side-codecs/hda_component.c @@ -174,6 +174,10 @@ int hda_component_manager_init(struct hda_codec *cdc, sm->match_str = match_str; sm->index = i; component_match_add(dev, &match, hda_comp_match_dev_name, sm); + if (IS_ERR(match)) { + codec_err(cdc, "Fail to add component %ld\n", PTR_ERR(match)); + return PTR_ERR(match); + } } ret = component_master_add_with_match(dev, ops, match); -- 2.43.0

20 hours, 22 minutes

2
1
0 0

[PATCH] ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_get_acpi_mute_state()

by Denis Arefev

Return value of a function acpi_evaluate_dsm() is dereferenced without checking for NULL, but it is usually checked for this function. acpi_evaluate_dsm() may return NULL, when acpi_evaluate_object() returns acpi_status other than ACPI_SUCCESS, so add a check to prevent the crach. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 447106e92a0c ("ALSA: hda: cs35l41: Support mute notifications for CS35L41 HDA") Cc: stable(a)vger.kernel.org Signed-off-by: Denis Arefev <arefev(a)swemel.ru> --- sound/hda/codecs/side-codecs/cs35l41_hda.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sound/hda/codecs/side-codecs/cs35l41_hda.c b/sound/hda/codecs/side-codecs/cs35l41_hda.c index 37f2cdc8ce82..890ddb8cc66c 100644 --- a/sound/hda/codecs/side-codecs/cs35l41_hda.c +++ b/sound/hda/codecs/side-codecs/cs35l41_hda.c @@ -1426,6 +1426,8 @@ static int cs35l41_get_acpi_mute_state(struct cs35l41_hda *cs35l41, acpi_handle if (cs35l41_dsm_supported(handle, CS35L41_DSM_GET_MUTE)) { ret = acpi_evaluate_dsm(handle, &guid, 0, CS35L41_DSM_GET_MUTE, NULL); + if (!ret) + return -EINVAL; mute = *ret->buffer.pointer; dev_dbg(cs35l41->dev, "CS35L41_DSM_GET_MUTE: %d\n", mute); } -- 2.43.0

20 hours, 22 minutes

2
1
0 0

[PATCH v2] exfat: fix out-of-bounds in exfat_nls_to_ucs2()

by Jeongjun Park

In exfat_nls_to_ucs2(), if there is no NLS loss and the char-to-ucs2 conversion is successfully completed, the variable "i" will have the same value as len. However, exfat_nls_to_ucs2() checks p_cstring[i] to determine whether nls is lost immediately after the while loop ends, so if len is FSLABEL_MAX, "i" will also be FSLABEL_MAX immediately after the while loop ends, resulting in an out-of-bounds read of 1 byte from the p_cstring stack memory. Therefore, to prevent this and properly determine whether nls has been lost, it should be modified to check if "i" and len are equal, rather than dereferencing p_cstring. Cc: <stable(a)vger.kernel.org> Reported-by: syzbot+98cc76a76de46b3714d4(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=98cc76a76de46b3714d4 Fixes: 370e812b3ec1 ("exfat: add nls operations") Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> --- fs/exfat/nls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/exfat/nls.c b/fs/exfat/nls.c index 8243d94ceaf4..de06abe426d7 100644 --- a/fs/exfat/nls.c +++ b/fs/exfat/nls.c @@ -616,7 +616,7 @@ static int exfat_nls_to_ucs2(struct super_block *sb, unilen++; } - if (p_cstring[i] != '\0') + if (i != len) lossy |= NLS_NAME_OVERLEN; *uniname = '\0'; --

21 hours, 12 minutes

3
2
0 0

[PATCH 2/2] tracing: Stop fortify-string from warning in tracing_mark_raw_write()

by Steven Rostedt

From: Steven Rostedt <rostedt(a)goodmis.org> The way tracing_mark_raw_write() records its data is that it has the following structure: struct { struct trace_entry; int id; char dynamic_array[]; }; But memcpy(&entry->id, buf, size) triggers the following warning when the size is greater than the id: ------------[ cut here ]------------ memcpy: detected field-spanning write (size 6) of single field "&entry->id" at kernel/trace/trace.c:7458 (size 4) WARNING: CPU: 7 PID: 995 at kernel/trace/trace.c:7458 write_raw_marker_to_buffer.isra.0+0x1f9/0x2e0 Modules linked in: CPU: 7 UID: 0 PID: 995 Comm: bash Not tainted 6.17.0-test-00007-g60b82183e78a-dirty #211 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 RIP: 0010:write_raw_marker_to_buffer.isra.0+0x1f9/0x2e0 Code: 04 00 75 a7 b9 04 00 00 00 48 89 de 48 89 04 24 48 c7 c2 e0 b1 d1 b2 48 c7 c7 40 b2 d1 b2 c6 05 2d 88 6a 04 01 e8 f7 e8 bd ff <0f> 0b 48 8b 04 24 e9 76 ff ff ff 49 8d 7c 24 04 49 8d 5c 24 08 48 RSP: 0018:ffff888104c3fc78 EFLAGS: 00010292 RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 1ffffffff6b363b4 RDI: 0000000000000001 RBP: ffff888100058a00 R08: ffffffffb041d459 R09: ffffed1020987f40 R10: 0000000000000007 R11: 0000000000000001 R12: ffff888100bb9010 R13: 0000000000000000 R14: 00000000000003e3 R15: ffff888134800000 FS: 00007fa61d286740(0000) GS:ffff888286cad000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000560d28d509f1 CR3: 00000001047a4006 CR4: 0000000000172ef0 Call Trace: <TASK> tracing_mark_raw_write+0x1fe/0x290 ? __pfx_tracing_mark_raw_write+0x10/0x10 ? security_file_permission+0x50/0xf0 ? rw_verify_area+0x6f/0x4b0 vfs_write+0x1d8/0xdd0 ? __pfx_vfs_write+0x10/0x10 ? __pfx_css_rstat_updated+0x10/0x10 ? count_memcg_events+0xd9/0x410 ? fdget_pos+0x53/0x5e0 ksys_write+0x182/0x200 ? __pfx_ksys_write+0x10/0x10 ? do_user_addr_fault+0x4af/0xa30 do_syscall_64+0x63/0x350 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7fa61d318687 Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff RSP: 002b:00007ffd87fe0120 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007fa61d286740 RCX: 00007fa61d318687 RDX: 0000000000000006 RSI: 0000560d28d509f0 RDI: 0000000000000001 RBP: 0000560d28d509f0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000006 R13: 00007fa61d4715c0 R14: 00007fa61d46ee80 R15: 0000000000000000 </TASK> ---[ end trace 0000000000000000 ]--- This is because fortify string sees that the size of entry->id is only 4 bytes, but it is writing more than that. But this is OK as the dynamic_array is allocated to handle that copy. Use a void pointer and get the offset via offsetof() to keep fortify string from warning about this copy. Cc: stable(a)vger.kernel.org Fixes: 64cf7d058a00 ("tracing: Have trace_marker use per-cpu data to read user space") Reported-by: syzbot+9a2ede1643175f350105(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/68e973f5.050a0220.1186a4.0010.GAE@google.com/ Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/trace.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index bbb89206a891..27855fc9e0f2 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -7440,6 +7440,7 @@ static ssize_t write_raw_marker_to_buffer(struct trace_array *tr, struct raw_data_entry *entry; ssize_t written; size_t size; + void *ptr; size = sizeof(*entry) + cnt; @@ -7455,7 +7456,10 @@ static ssize_t write_raw_marker_to_buffer(struct trace_array *tr, return -EBADF; entry = ring_buffer_event_data(event); - memcpy(&entry->id, buf, cnt); + /* Do not let fortify-string warn copying to &entry->id */ + ptr = (void *)entry; + ptr += offsetof(typeof(*entry), id); + memcpy(ptr, buf, cnt); written = cnt; __buffer_unlock_commit(buffer, event); -- 2.51.0

23 hours, 1 minute

1
0
0 0

[PATCH 1/2] tracing: Fix tracing_mark_raw_write() to use buf and not ubuf

by Steven Rostedt

From: Steven Rostedt <rostedt(a)goodmis.org> The fix to use a per CPU buffer to read user space tested only the writes to trace_marker. But it appears that the selftests are missing tests to the trace_maker_raw file. The trace_maker_raw file is used by applications that writes data structures and not strings into the file, and the tools read the raw ring buffer to process the structures it writes. The fix that reads the per CPU buffers passes the new per CPU buffer to the trace_marker file writes, but the update to the trace_marker_raw write read the data from user space into the per CPU buffer, but then still used then passed the user space address to the function that records the data. Pass in the per CPU buffer and not the user space address. TODO: Add a test to better test trace_marker_raw. Cc: stable(a)vger.kernel.org Fixes: 64cf7d058a00 ("tracing: Have trace_marker use per-cpu data to read user space") Reported-by: syzbot+9a2ede1643175f350105(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/68e973f5.050a0220.1186a4.0010.GAE@google.com/ Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/trace.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index 0fd582651293..bbb89206a891 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -7497,12 +7497,12 @@ tracing_mark_raw_write(struct file *filp, const char __user *ubuf, if (tr == &global_trace) { guard(rcu)(); list_for_each_entry_rcu(tr, &marker_copies, marker_list) { - written = write_raw_marker_to_buffer(tr, ubuf, cnt); + written = write_raw_marker_to_buffer(tr, buf, cnt); if (written < 0) break; } } else { - written = write_raw_marker_to_buffer(tr, ubuf, cnt); + written = write_raw_marker_to_buffer(tr, buf, cnt); } return written; -- 2.51.0

23 hours, 1 minute

1
0
0 0

[PATCH] perf tools: Fix bool return value in gzip_is_compressed()

by Miaoqian Lin

gzip_is_compressed() returns -1 on error but is declared as bool. And -1 gets converted to true, which could be misleading. Return false instead to match the declared type. Fixes: 88c74dc76a30 ("perf tools: Add gzip_is_compressed function") Cc: <stable(a)vger.kernel.org> Signed-off-by: Miaoqian Lin <linmq006(a)gmail.com> --- tools/perf/util/zlib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/perf/util/zlib.c b/tools/perf/util/zlib.c index 78d2297c1b67..1f7c06523059 100644 --- a/tools/perf/util/zlib.c +++ b/tools/perf/util/zlib.c @@ -88,7 +88,7 @@ bool gzip_is_compressed(const char *input) ssize_t rc; if (fd < 0) - return -1; + return false; rc = read(fd, buf, sizeof(buf)); close(fd); -- 2.39.5 (Apple Git-154)

23 hours, 4 minutes

2
1
0 0

[PATCH] perf lzma: Fix return value in lzma_is_compressed()

by Miaoqian Lin

lzma_is_compressed() returns -1 on error but is declared as bool. And -1 gets converted to true, which could be misleading. Return false instead to match the declared type. Fixes: 4b57fd44b61b ("perf tools: Add lzma_is_compressed function") Cc: <stable(a)vger.kernel.org> Signed-off-by: Miaoqian Lin <linmq006(a)gmail.com> --- tools/perf/util/lzma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/perf/util/lzma.c b/tools/perf/util/lzma.c index bbcd2ffcf4bd..c355757ed391 100644 --- a/tools/perf/util/lzma.c +++ b/tools/perf/util/lzma.c @@ -120,7 +120,7 @@ bool lzma_is_compressed(const char *input) ssize_t rc; if (fd < 0) - return -1; + return false; rc = read(fd, buf, sizeof(buf)); close(fd); -- 2.39.5 (Apple Git-154)

23 hours, 5 minutes

2
1
0 0

[for-linus][PATCH 2/2] tracing: Stop fortify-string from warning in tracing_mark_raw_write()

by Steven Rostedt

From: Steven Rostedt <rostedt(a)goodmis.org> The way tracing_mark_raw_write() records its data is that it has the following structure: struct { struct trace_entry; int id; char dynamic_array[]; }; But memcpy(&entry->id, buf, size) triggers the following warning when the size is greater than the id: ------------[ cut here ]------------ memcpy: detected field-spanning write (size 6) of single field "&entry->id" at kernel/trace/trace.c:7458 (size 4) WARNING: CPU: 7 PID: 995 at kernel/trace/trace.c:7458 write_raw_marker_to_buffer.isra.0+0x1f9/0x2e0 Modules linked in: CPU: 7 UID: 0 PID: 995 Comm: bash Not tainted 6.17.0-test-00007-g60b82183e78a-dirty #211 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 RIP: 0010:write_raw_marker_to_buffer.isra.0+0x1f9/0x2e0 Code: 04 00 75 a7 b9 04 00 00 00 48 89 de 48 89 04 24 48 c7 c2 e0 b1 d1 b2 48 c7 c7 40 b2 d1 b2 c6 05 2d 88 6a 04 01 e8 f7 e8 bd ff <0f> 0b 48 8b 04 24 e9 76 ff ff ff 49 8d 7c 24 04 49 8d 5c 24 08 48 RSP: 0018:ffff888104c3fc78 EFLAGS: 00010292 RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 1ffffffff6b363b4 RDI: 0000000000000001 RBP: ffff888100058a00 R08: ffffffffb041d459 R09: ffffed1020987f40 R10: 0000000000000007 R11: 0000000000000001 R12: ffff888100bb9010 R13: 0000000000000000 R14: 00000000000003e3 R15: ffff888134800000 FS: 00007fa61d286740(0000) GS:ffff888286cad000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000560d28d509f1 CR3: 00000001047a4006 CR4: 0000000000172ef0 Call Trace: <TASK> tracing_mark_raw_write+0x1fe/0x290 ? __pfx_tracing_mark_raw_write+0x10/0x10 ? security_file_permission+0x50/0xf0 ? rw_verify_area+0x6f/0x4b0 vfs_write+0x1d8/0xdd0 ? __pfx_vfs_write+0x10/0x10 ? __pfx_css_rstat_updated+0x10/0x10 ? count_memcg_events+0xd9/0x410 ? fdget_pos+0x53/0x5e0 ksys_write+0x182/0x200 ? __pfx_ksys_write+0x10/0x10 ? do_user_addr_fault+0x4af/0xa30 do_syscall_64+0x63/0x350 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7fa61d318687 Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff RSP: 002b:00007ffd87fe0120 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007fa61d286740 RCX: 00007fa61d318687 RDX: 0000000000000006 RSI: 0000560d28d509f0 RDI: 0000000000000001 RBP: 0000560d28d509f0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000006 R13: 00007fa61d4715c0 R14: 00007fa61d46ee80 R15: 0000000000000000 </TASK> ---[ end trace 0000000000000000 ]--- This is because fortify string sees that the size of entry->id is only 4 bytes, but it is writing more than that. But this is OK as the dynamic_array is allocated to handle that copy. Use a void pointer and get the offset via offsetof() to keep fortify string from warning about this copy. Cc: stable(a)vger.kernel.org Fixes: 64cf7d058a00 ("tracing: Have trace_marker use per-cpu data to read user space") Reported-by: syzbot+9a2ede1643175f350105(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/68e973f5.050a0220.1186a4.0010.GAE@google.com/ Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/trace.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index bbb89206a891..27855fc9e0f2 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -7440,6 +7440,7 @@ static ssize_t write_raw_marker_to_buffer(struct trace_array *tr, struct raw_data_entry *entry; ssize_t written; size_t size; + void *ptr; size = sizeof(*entry) + cnt; @@ -7455,7 +7456,10 @@ static ssize_t write_raw_marker_to_buffer(struct trace_array *tr, return -EBADF; entry = ring_buffer_event_data(event); - memcpy(&entry->id, buf, cnt); + /* Do not let fortify-string warn copying to &entry->id */ + ptr = (void *)entry; + ptr += offsetof(typeof(*entry), id); + memcpy(ptr, buf, cnt); written = cnt; __buffer_unlock_commit(buffer, event); -- 2.51.0

23 hours, 6 minutes

1
0
0 0

[for-linus][PATCH 1/2] tracing: Fix tracing_mark_raw_write() to use buf and not ubuf

by Steven Rostedt

From: Steven Rostedt <rostedt(a)goodmis.org> The fix to use a per CPU buffer to read user space tested only the writes to trace_marker. But it appears that the selftests are missing tests to the trace_maker_raw file. The trace_maker_raw file is used by applications that writes data structures and not strings into the file, and the tools read the raw ring buffer to process the structures it writes. The fix that reads the per CPU buffers passes the new per CPU buffer to the trace_marker file writes, but the update to the trace_marker_raw write read the data from user space into the per CPU buffer, but then still used then passed the user space address to the function that records the data. Pass in the per CPU buffer and not the user space address. TODO: Add a test to better test trace_marker_raw. Cc: stable(a)vger.kernel.org Fixes: 64cf7d058a00 ("tracing: Have trace_marker use per-cpu data to read user space") Reported-by: syzbot+9a2ede1643175f350105(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/68e973f5.050a0220.1186a4.0010.GAE@google.com/ Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/trace.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index 0fd582651293..bbb89206a891 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -7497,12 +7497,12 @@ tracing_mark_raw_write(struct file *filp, const char __user *ubuf, if (tr == &global_trace) { guard(rcu)(); list_for_each_entry_rcu(tr, &marker_copies, marker_list) { - written = write_raw_marker_to_buffer(tr, ubuf, cnt); + written = write_raw_marker_to_buffer(tr, buf, cnt); if (written < 0) break; } } else { - written = write_raw_marker_to_buffer(tr, ubuf, cnt); + written = write_raw_marker_to_buffer(tr, buf, cnt); } return written; -- 2.51.0

23 hours, 6 minutes

1
0
0 0

[PATCH] dmaengine: fsl-edma: Fix clk leak on alloc_chan_resources failure

by Zhen Ni

When fsl_edma_alloc_chan_resources() fails after clk_prepare_enable(), the error paths only free IRQs and destroy the TCD pool, but forget to call clk_disable_unprepare(). This causes the channel clock to remain enabled, leaking power and resources. Fix it by disabling the channel clock in the error unwind path. Fixes: d8d4355861d8 ("dmaengine: fsl-edma: add i.MX8ULP edma support") Cc: stable(a)vger.kernel.org Signed-off-by: Zhen Ni <zhen.ni(a)easystack.cn> --- drivers/dma/fsl-edma-common.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/dma/fsl-edma-common.c b/drivers/dma/fsl-edma-common.c index 4976d7dde080..bd673f08f610 100644 --- a/drivers/dma/fsl-edma-common.c +++ b/drivers/dma/fsl-edma-common.c @@ -852,6 +852,8 @@ int fsl_edma_alloc_chan_resources(struct dma_chan *chan) free_irq(fsl_chan->txirq, fsl_chan); err_txirq: dma_pool_destroy(fsl_chan->tcd_pool); + if (fsl_edma_drvflags(fsl_chan) & FSL_EDMA_DRV_HAS_CHCLK) + clk_disable_unprepare(fsl_chan->clk); return ret; } -- 2.20.1

23 hours, 46 minutes

2
2
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror