- Linux-stable-mirror - lists.linaro.org

[PATCH v3] KVM: x86: Add x2APIC "features" to control EOI broadcast suppression

by Khushit Shah

Add two flags for KVM_CAP_X2APIC_API to allow userspace to control support for Suppress EOI Broadcasts, which KVM completely mishandles. When x2APIC support was first added, KVM incorrectly advertised and "enabled" Suppress EOI Broadcast, without fully supporting the I/O APIC side of the equation, i.e. without adding directed EOI to KVM's in-kernel I/O APIC. That flaw was carried over to split IRQCHIP support, i.e. KVM advertised support for Suppress EOI Broadcasts irrespective of whether or not the userspace I/O APIC implementation supported directed EOIs. Even worse, KVM didn't actually suppress EOI broadcasts, i.e. userspace VMMs without support for directed EOI came to rely on the "spurious" broadcasts. KVM "fixed" the in-kernel I/O APIC implementation by completely disabling support for Suppress EOI Broadcasts in commit 0bcc3fb95b97 ("KVM: lapic: stop advertising DIRECTED_EOI when in-kernel IOAPIC is in use"), but didn't do anything to remedy userspace I/O APIC implementations. KVM's bogus handling of Suppress EOI Broadcast is problematic when the guest relies on interrupts being masked in the I/O APIC until well after the initial local APIC EOI. E.g. Windows with Credential Guard enabled handles interrupts in the following order: 1. Interrupt for L2 arrives. 2. L1 APIC EOIs the interrupt. 3. L1 resumes L2 and injects the interrupt. 4. L2 EOIs after servicing. 5. L1 performs the I/O APIC EOI. Because KVM EOIs the I/O APIC at step #2, the guest can get an interrupt storm, e.g. if the IRQ line is still asserted and userspace reacts to the EOI by re-injecting the IRQ, because the guest doesn't de-assert the line until step #4, and doesn't expect the interrupt to be re-enabled until step #5. Unfortunately, simply "fixing" the bug isn't an option, as KVM has no way of knowing if the userspace I/O APIC supports directed EOIs, i.e. suppressing EOI broadcasts would result in interrupts being stuck masked in the userspace I/O APIC due to step #5 being ignored by userspace. And fully disabling support for Suppress EOI Broadcast is also undesirable, as picking up the fix would require a guest reboot, *and* more importantly would change the virtual CPU model exposed to the guest without any buy-in from userspace. Add two flags to allow userspace to choose exactly how to solve the immediate issue, and in the long term to allow userspace to control the virtual CPU model that is exposed to the guest (KVM should never have enabled support for Suppress EOI Broadcast without a userspace opt-in). Note, Suppress EOI Broadcasts is defined only in Intel's SDM, not in AMD's APM. But the bit is writable on some AMD CPUs, e.g. Turin, and KVM's ABI is to support Directed EOI (KVM's name) irrespective of guest CPU vendor. Fixes: 7543a635aa09 ("KVM: x86: Add KVM exit for IOAPIC EOIs") Closes: https://lore.kernel.org/kvm/7D497EF1-607D-4D37-98E7-DAF95F099342@nutanix.com Cc: stable(a)vger.kernel.org Co-developed-by: Sean Christopherson <seanjc(a)google.com> Signed-off-by: Sean Christopherson <seanjc(a)google.com> Signed-off-by: Khushit Shah <khushit.shah(a)nutanix.com> --- v3: - Resend with correct patch contents; v2 mail formatting was broken. No functional changes beyond the naming and grammar feedback from v1. Testing: I ran the tests with QEMU 9.1 and a 6.12 kernel with the patch applied. - With an unmodified QEMU build, KVM's LAPIC SEOIB behavior remains unchanged. - Invoking the x2APIC API with KVM_X2APIC_API_DISABLE_IGNORE_SUPPRESS_EOI_BROADCAST_QUIRK correctly suppresses LAPIC -> IOAPIC EOI broadcasts (verified via KVM tracepoints). - Invoking the x2APIC API with KVM_X2APIC_API_DISABLE_SUPPRESS_EOI_BROADCAST results in SEOIB not being advertised to the guest, as expected (confirmed by checking the LAPIC LVR value inside the guest). I'll send the corresponding QEMU-side patch shortly. --- Documentation/virt/kvm/api.rst | 14 ++++++++++++-- arch/x86/include/asm/kvm_host.h | 2 ++ arch/x86/include/uapi/asm/kvm.h | 6 ++++-- arch/x86/kvm/lapic.c | 13 +++++++++++++ arch/x86/kvm/x86.c | 12 +++++++++--- 5 files changed, 40 insertions(+), 7 deletions(-) diff --git a/Documentation/virt/kvm/api.rst b/Documentation/virt/kvm/api.rst index 57061fa29e6a..4141d2bd8156 100644 --- a/Documentation/virt/kvm/api.rst +++ b/Documentation/virt/kvm/api.rst @@ -7800,8 +7800,10 @@ Will return -EBUSY if a VCPU has already been created. Valid feature flags in args[0] are:: - #define KVM_X2APIC_API_USE_32BIT_IDS (1ULL << 0) - #define KVM_X2APIC_API_DISABLE_BROADCAST_QUIRK (1ULL << 1) + #define KVM_X2APIC_API_USE_32BIT_IDS (1ULL << 0) + #define KVM_X2APIC_API_DISABLE_BROADCAST_QUIRK (1ULL << 1) + #define KVM_X2APIC_API_DISABLE_IGNORE_SUPPRESS_EOI_BROADCAST_QUIRK (1ULL << 2) + #define KVM_X2APIC_API_DISABLE_SUPPRESS_EOI_BROADCAST (1ULL << 3) Enabling KVM_X2APIC_API_USE_32BIT_IDS changes the behavior of KVM_SET_GSI_ROUTING, KVM_SIGNAL_MSI, KVM_SET_LAPIC, and KVM_GET_LAPIC, @@ -7814,6 +7816,14 @@ as a broadcast even in x2APIC mode in order to support physical x2APIC without interrupt remapping. This is undesirable in logical mode, where 0xff represents CPUs 0-7 in cluster 0. +Setting KVM_X2APIC_API_DISABLE_IGNORE_SUPPRESS_EOI_BROADCAST_QUIRK overrides +KVM's quirky behavior of not actually suppressing EOI broadcasts for split IRQ +chips when support for Suppress EOI Broadcasts is advertised to the guest. + +Setting KVM_X2APIC_API_DISABLE_SUPPRESS_EOI_BROADCAST disables support for +Suppress EOI Broadcasts entirely, i.e. instructs KVM to NOT advertise support +to the guest and thus disallow enabling EOI broadcast suppression in SPIV. + 7.8 KVM_CAP_S390_USER_INSTR0 ---------------------------- diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h index 48598d017d6f..f6fdc0842c05 100644 --- a/arch/x86/include/asm/kvm_host.h +++ b/arch/x86/include/asm/kvm_host.h @@ -1480,6 +1480,8 @@ struct kvm_arch { bool x2apic_format; bool x2apic_broadcast_quirk_disabled; + bool disable_ignore_suppress_eoi_broadcast_quirk; + bool x2apic_disable_suppress_eoi_broadcast; bool has_mapped_host_mmio; bool guest_can_read_msr_platform_info; diff --git a/arch/x86/include/uapi/asm/kvm.h b/arch/x86/include/uapi/asm/kvm.h index d420c9c066d4..7255385b6d80 100644 --- a/arch/x86/include/uapi/asm/kvm.h +++ b/arch/x86/include/uapi/asm/kvm.h @@ -913,8 +913,10 @@ struct kvm_sev_snp_launch_finish { __u64 pad1[4]; }; -#define KVM_X2APIC_API_USE_32BIT_IDS (1ULL << 0) -#define KVM_X2APIC_API_DISABLE_BROADCAST_QUIRK (1ULL << 1) +#define KVM_X2APIC_API_USE_32BIT_IDS (1ULL << 0) +#define KVM_X2APIC_API_DISABLE_BROADCAST_QUIRK (1ULL << 1) +#define KVM_X2APIC_API_DISABLE_IGNORE_SUPPRESS_EOI_BROADCAST_QUIRK (1ULL << 2) +#define KVM_X2APIC_API_DISABLE_SUPPRESS_EOI_BROADCAST (1ULL << 3) struct kvm_hyperv_eventfd { __u32 conn_id; diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c index 0ae7f913d782..cf8a2162872b 100644 --- a/arch/x86/kvm/lapic.c +++ b/arch/x86/kvm/lapic.c @@ -562,6 +562,7 @@ void kvm_apic_set_version(struct kvm_vcpu *vcpu) * IOAPIC. */ if (guest_cpu_cap_has(vcpu, X86_FEATURE_X2APIC) && + !vcpu->kvm->arch.x2apic_disable_suppress_eoi_broadcast && !ioapic_in_kernel(vcpu->kvm)) v |= APIC_LVR_DIRECTED_EOI; kvm_lapic_set_reg(apic, APIC_LVR, v); @@ -1517,6 +1518,18 @@ static void kvm_ioapic_send_eoi(struct kvm_lapic *apic, int vector) /* Request a KVM exit to inform the userspace IOAPIC. */ if (irqchip_split(apic->vcpu->kvm)) { + /* + * Don't exit to userspace if the guest has enabled Directed + * EOI, a.k.a. Suppress EOI Broadcasts, in which case the local + * APIC doesn't broadcast EOIs (the guest must EOI the target + * I/O APIC(s) directly). Ignore the suppression if userspace + * has NOT disabled KVM's quirk (KVM advertised support for + * Suppress EOI Broadcasts without actually suppressing EOIs). + */ + if ((kvm_lapic_get_reg(apic, APIC_SPIV) & APIC_SPIV_DIRECTED_EOI) && + apic->vcpu->kvm->arch.disable_ignore_suppress_eoi_broadcast_quirk) + return; + apic->vcpu->arch.pending_ioapic_eoi = vector; kvm_make_request(KVM_REQ_IOAPIC_EOI_EXIT, apic->vcpu); return; diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index c9c2aa6f4705..e1b6fe783615 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -121,8 +121,11 @@ static u64 __read_mostly efer_reserved_bits = ~((u64)EFER_SCE); #define KVM_CAP_PMU_VALID_MASK KVM_PMU_CAP_DISABLE -#define KVM_X2APIC_API_VALID_FLAGS (KVM_X2APIC_API_USE_32BIT_IDS | \ - KVM_X2APIC_API_DISABLE_BROADCAST_QUIRK) +#define KVM_X2APIC_API_VALID_FLAGS \ + (KVM_X2APIC_API_USE_32BIT_IDS | \ + KVM_X2APIC_API_DISABLE_BROADCAST_QUIRK | \ + KVM_X2APIC_API_DISABLE_IGNORE_SUPPRESS_EOI_BROADCAST_QUIRK | \ + KVM_X2APIC_API_DISABLE_SUPPRESS_EOI_BROADCAST) static void update_cr8_intercept(struct kvm_vcpu *vcpu); static void process_nmi(struct kvm_vcpu *vcpu); @@ -6782,7 +6785,10 @@ int kvm_vm_ioctl_enable_cap(struct kvm *kvm, kvm->arch.x2apic_format = true; if (cap->args[0] & KVM_X2APIC_API_DISABLE_BROADCAST_QUIRK) kvm->arch.x2apic_broadcast_quirk_disabled = true; - + if (cap->args[0] & KVM_X2APIC_API_DISABLE_IGNORE_SUPPRESS_EOI_BROADCAST_QUIRK) + kvm->arch.disable_ignore_suppress_eoi_broadcast_quirk = true; + if (cap->args[0] & KVM_X2APIC_API_DISABLE_SUPPRESS_EOI_BROADCAST) + kvm->arch.x2apic_disable_suppress_eoi_broadcast = true; r = 0; break; case KVM_CAP_X86_DISABLE_EXITS: -- 2.39.3

4 days, 20 hours

5
19
0 0

[PATCH 6.12.y 0/2] Backport support for Telit FN920C04 and FN990B40 modems

by Fabio Porcedda

Hi, these two patches are backports for 6.12.y of the following commits: commit d2b91b3097c693f784393a28801a3885778615df bus: mhi: host: pci_generic: Add Telit FN920C04 modem support commit 00559ba3ae740e7544b48fb509b2b97f56615892 bus: mhi: host: pci_generic: Add Telit FN990B40 modem support The cherry-pick of the original commits don't apply so I made this patches after fixing the conflict. Regards Daniele Palmas (2): bus: mhi: host: pci_generic: Add Telit FN920C04 modem support bus: mhi: host: pci_generic: Add Telit FN990B40 modem support drivers/bus/mhi/host/pci_generic.c | 52 ++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) -- 2.52.0

4 days, 20 hours

1
2
0 0

[PATCH] gpio: regmap: Fix gpio_remap_register

by Wentao Guan

Because gpiochip_add_data successfully done, use err_remove_gpiochip instead of err_free_bitmap to free such as gdev,descs.. Fixes: 553b75d4bfe9 ("gpio: regmap: Allow to allocate regmap-irq device") CC: stable(a)vger.kernel.org Co-developed-by: WangYuli <wangyl5933(a)chinaunicom.cn> Signed-off-by: WangYuli <wangyl5933(a)chinaunicom.cn> Signed-off-by: Wentao Guan <guanwentao(a)uniontech.com> --- drivers/gpio/gpio-regmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpio/gpio-regmap.c b/drivers/gpio/gpio-regmap.c index fd986afa7db5f..f0bcb2c2c6748 100644 --- a/drivers/gpio/gpio-regmap.c +++ b/drivers/gpio/gpio-regmap.c @@ -310,7 +310,7 @@ struct gpio_regmap *gpio_regmap_register(const struct gpio_regmap_config *config config->regmap_irq_line, config->regmap_irq_flags, 0, config->regmap_irq_chip, &gpio->irq_chip_data); if (ret) - goto err_free_bitmap; + goto err_remove_gpiochip; irq_domain = regmap_irq_get_domain(gpio->irq_chip_data); } else -- 2.20.1

4 days, 20 hours

3
3
0 0

FAILED: patch "[PATCH] mptcp: Initialise rcv_mss before calling" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x f07f4ea53e22429c84b20832fa098b5ecc0d4e35 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025120334-preamble-cobalt-4ca0@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f07f4ea53e22429c84b20832fa098b5ecc0d4e35 Mon Sep 17 00:00:00 2001 From: Kuniyuki Iwashima <kuniyu(a)google.com> Date: Tue, 25 Nov 2025 19:53:29 +0000 Subject: [PATCH] mptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose(). syzbot reported divide-by-zero in __tcp_select_window() by MPTCP socket. [0] We had a similar issue for the bare TCP and fixed in commit 499350a5a6e7 ("tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0"). Let's apply the same fix to mptcp_do_fastclose(). [0]: Oops: divide error: 0000 [#1] SMP KASAN PTI CPU: 0 UID: 0 PID: 6068 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 RIP: 0010:__tcp_select_window+0x824/0x1320 net/ipv4/tcp_output.c:3336 Code: ff ff ff 44 89 f1 d3 e0 89 c1 f7 d1 41 01 cc 41 21 c4 e9 a9 00 00 00 e8 ca 49 01 f8 e9 9c 00 00 00 e8 c0 49 01 f8 44 89 e0 99 <f7> 7c 24 1c 41 29 d4 48 bb 00 00 00 00 00 fc ff df e9 80 00 00 00 RSP: 0018:ffffc90003017640 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88807b469e40 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffc90003017730 R08: ffff888033268143 R09: 1ffff1100664d028 R10: dffffc0000000000 R11: ffffed100664d029 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 000055557faa0500(0000) GS:ffff888126135000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f64a1912ff8 CR3: 0000000072122000 CR4: 00000000003526f0 Call Trace: <TASK> tcp_select_window net/ipv4/tcp_output.c:281 [inline] __tcp_transmit_skb+0xbc7/0x3aa0 net/ipv4/tcp_output.c:1568 tcp_transmit_skb net/ipv4/tcp_output.c:1649 [inline] tcp_send_active_reset+0x2d1/0x5b0 net/ipv4/tcp_output.c:3836 mptcp_do_fastclose+0x27e/0x380 net/mptcp/protocol.c:2793 mptcp_disconnect+0x238/0x710 net/mptcp/protocol.c:3253 mptcp_sendmsg_fastopen+0x2f8/0x580 net/mptcp/protocol.c:1776 mptcp_sendmsg+0x1774/0x1980 net/mptcp/protocol.c:1855 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0xe5/0x270 net/socket.c:742 __sys_sendto+0x3bd/0x520 net/socket.c:2244 __do_sys_sendto net/socket.c:2251 [inline] __se_sys_sendto net/socket.c:2247 [inline] __x64_sys_sendto+0xde/0x100 net/socket.c:2247 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f66e998f749 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffff9acedb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007f66e9be5fa0 RCX: 00007f66e998f749 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007ffff9acee10 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 R13: 00007f66e9be5fa0 R14: 00007f66e9be5fa0 R15: 0000000000000006 </TASK> Fixes: ae155060247b ("mptcp: fix duplicate reset on fastclose") Reported-by: syzbot+3a92d359bc2ec6255a33(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/69260882.a70a0220.d98e3.00b4.GAE@google.com/ Signed-off-by: Kuniyuki Iwashima <kuniyu(a)google.com> Reviewed-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://patch.msgid.link/20251125195331.309558-1-kuniyu@google.com Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index 8abb425d8b5f..1e413426deee 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -2798,6 +2798,12 @@ static void mptcp_do_fastclose(struct sock *sk) goto unlock; subflow->send_fastclose = 1; + + /* Initialize rcv_mss to TCP_MIN_MSS to avoid division by 0 + * issue in __tcp_select_window(), see tcp_disconnect(). + */ + inet_csk(ssk)->icsk_ack.rcv_mss = TCP_MIN_MSS; + tcp_send_active_reset(ssk, ssk->sk_allocation, SK_RST_REASON_TCP_ABORT_ON_CLOSE); unlock:

4 days, 21 hours

1
0
0 0

FAILED: patch "[PATCH] mptcp: Initialise rcv_mss before calling" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x f07f4ea53e22429c84b20832fa098b5ecc0d4e35 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025120333-undamaged-punctual-31dc@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f07f4ea53e22429c84b20832fa098b5ecc0d4e35 Mon Sep 17 00:00:00 2001 From: Kuniyuki Iwashima <kuniyu(a)google.com> Date: Tue, 25 Nov 2025 19:53:29 +0000 Subject: [PATCH] mptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose(). syzbot reported divide-by-zero in __tcp_select_window() by MPTCP socket. [0] We had a similar issue for the bare TCP and fixed in commit 499350a5a6e7 ("tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0"). Let's apply the same fix to mptcp_do_fastclose(). [0]: Oops: divide error: 0000 [#1] SMP KASAN PTI CPU: 0 UID: 0 PID: 6068 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 RIP: 0010:__tcp_select_window+0x824/0x1320 net/ipv4/tcp_output.c:3336 Code: ff ff ff 44 89 f1 d3 e0 89 c1 f7 d1 41 01 cc 41 21 c4 e9 a9 00 00 00 e8 ca 49 01 f8 e9 9c 00 00 00 e8 c0 49 01 f8 44 89 e0 99 <f7> 7c 24 1c 41 29 d4 48 bb 00 00 00 00 00 fc ff df e9 80 00 00 00 RSP: 0018:ffffc90003017640 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88807b469e40 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffc90003017730 R08: ffff888033268143 R09: 1ffff1100664d028 R10: dffffc0000000000 R11: ffffed100664d029 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 000055557faa0500(0000) GS:ffff888126135000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f64a1912ff8 CR3: 0000000072122000 CR4: 00000000003526f0 Call Trace: <TASK> tcp_select_window net/ipv4/tcp_output.c:281 [inline] __tcp_transmit_skb+0xbc7/0x3aa0 net/ipv4/tcp_output.c:1568 tcp_transmit_skb net/ipv4/tcp_output.c:1649 [inline] tcp_send_active_reset+0x2d1/0x5b0 net/ipv4/tcp_output.c:3836 mptcp_do_fastclose+0x27e/0x380 net/mptcp/protocol.c:2793 mptcp_disconnect+0x238/0x710 net/mptcp/protocol.c:3253 mptcp_sendmsg_fastopen+0x2f8/0x580 net/mptcp/protocol.c:1776 mptcp_sendmsg+0x1774/0x1980 net/mptcp/protocol.c:1855 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0xe5/0x270 net/socket.c:742 __sys_sendto+0x3bd/0x520 net/socket.c:2244 __do_sys_sendto net/socket.c:2251 [inline] __se_sys_sendto net/socket.c:2247 [inline] __x64_sys_sendto+0xde/0x100 net/socket.c:2247 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f66e998f749 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffff9acedb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007f66e9be5fa0 RCX: 00007f66e998f749 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007ffff9acee10 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 R13: 00007f66e9be5fa0 R14: 00007f66e9be5fa0 R15: 0000000000000006 </TASK> Fixes: ae155060247b ("mptcp: fix duplicate reset on fastclose") Reported-by: syzbot+3a92d359bc2ec6255a33(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/69260882.a70a0220.d98e3.00b4.GAE@google.com/ Signed-off-by: Kuniyuki Iwashima <kuniyu(a)google.com> Reviewed-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://patch.msgid.link/20251125195331.309558-1-kuniyu@google.com Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index 8abb425d8b5f..1e413426deee 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -2798,6 +2798,12 @@ static void mptcp_do_fastclose(struct sock *sk) goto unlock; subflow->send_fastclose = 1; + + /* Initialize rcv_mss to TCP_MIN_MSS to avoid division by 0 + * issue in __tcp_select_window(), see tcp_disconnect(). + */ + inet_csk(ssk)->icsk_ack.rcv_mss = TCP_MIN_MSS; + tcp_send_active_reset(ssk, ssk->sk_allocation, SK_RST_REASON_TCP_ABORT_ON_CLOSE); unlock:

4 days, 21 hours

1
0
0 0

please consider to backport "drm/i915/dp: Initialize the source OUI write timestamp always"

by H. Nikolaus Schaller

Adding this patch solves an observed 5 minutes wait delay issue with stable kernels (up to v6.12) on my AcePC T11 (with Atom Z8350 Cherry Trail). Commit is 5861258c4e6a("drm/i915/dp: Initialize the source OUI write timestamp always") resp. https://patchwork.freedesktop.org/patch/621660/ It apparently appeared upstream with v6.13-rc1 but got not backported. BR and thanks, Nikolaus

4 days, 21 hours

2
1
0 0

Linux 5.4.302

by Greg Kroah-Hartman

I'm announcing the release of the 5.4.302 kernel. This is the LAST 5.4.y release. It is now end-of-life and should not be used by anyone, anymore. As of this point in time, there are 1539 documented unfixed CVEs for this kernel branch, and that number will only increase over time as more CVEs get assigned for kernel bugs. All users of the 5.4 kernel series must upgrade to a newer branch as this point in time. The updated 5.4.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.4.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arc/include/asm/bitops.h | 2 arch/mips/boot/dts/lantiq/danube.dtsi | 6 arch/mips/lantiq/xway/sysctrl.c | 2 arch/mips/mti-malta/malta-init.c | 20 - arch/powerpc/kernel/eeh_driver.c | 2 arch/sparc/include/asm/elf_64.h | 1 arch/sparc/kernel/module.c | 1 arch/x86/entry/vsyscall/vsyscall_64.c | 17 + arch/x86/kernel/cpu/bugs.c | 5 arch/x86/kernel/cpu/resctrl/monitor.c | 10 drivers/acpi/acpi_video.c | 4 drivers/acpi/acpica/dsmethod.c | 10 drivers/acpi/property.c | 24 + drivers/acpi/video_detect.c | 8 drivers/ata/libata-scsi.c | 8 drivers/base/devcoredump.c | 138 ++++++---- drivers/base/regmap/regmap-slimbus.c | 6 drivers/bluetooth/btusb.c | 13 drivers/bluetooth/hci_bcsp.c | 3 drivers/char/misc.c | 8 drivers/clocksource/timer-vf-pit.c | 22 - drivers/cpufreq/longhaul.c | 3 drivers/dma/dw-edma/dw-edma-core.c | 22 + drivers/dma/mv_xor.c | 4 drivers/dma/sh/shdma-base.c | 25 + drivers/dma/sh/shdmac.c | 17 - drivers/edac/altera_edac.c | 22 + drivers/extcon/extcon-adc-jack.c | 2 drivers/firmware/arm_scmi/scmi_pm_domain.c | 13 drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 8 drivers/gpu/drm/amd/amdkfd/kfd_priv.h | 9 drivers/gpu/drm/etnaviv/etnaviv_buffer.c | 2 drivers/gpu/drm/nouveau/nvkm/core/enum.c | 2 drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 5 drivers/hid/hid-ids.h | 7 drivers/hid/hid-quirks.c | 14 - drivers/hwmon/dell-smm-hwmon.c | 7 drivers/iio/adc/spear_adc.c | 9 drivers/input/keyboard/cros_ec_keyb.c | 6 drivers/input/misc/ati_remote2.c | 2 drivers/input/misc/cm109.c | 2 drivers/input/misc/powermate.c | 2 drivers/input/misc/yealink.c | 2 drivers/input/tablet/acecad.c | 2 drivers/input/tablet/pegasus_notetaker.c | 11 drivers/irqchip/irq-gic-v2m.c | 13 drivers/isdn/hardware/mISDN/hfcsusb.c | 18 - drivers/media/i2c/ir-kbd-i2c.c | 6 drivers/media/pci/ivtv/ivtv-alsa-pcm.c | 2 drivers/media/pci/ivtv/ivtv-driver.h | 3 drivers/media/pci/ivtv/ivtv-fileops.c | 18 - drivers/media/pci/ivtv/ivtv-irq.c | 4 drivers/media/rc/imon.c | 61 ++-- drivers/media/rc/redrat3.c | 2 drivers/media/tuners/xc4000.c | 8 drivers/media/tuners/xc5000.c | 12 drivers/memstick/core/memstick.c | 8 drivers/mfd/madera-core.c | 4 drivers/mfd/stmpe-i2c.c | 1 drivers/mfd/stmpe.c | 3 drivers/mmc/host/renesas_sdhi_core.c | 6 drivers/mmc/host/sdhci-msm.c | 15 + drivers/net/can/usb/gs_usb.c | 23 - drivers/net/dsa/b53/b53_common.c | 57 +++- drivers/net/dsa/b53/b53_regs.h | 4 drivers/net/ethernet/cadence/macb_main.c | 4 drivers/net/ethernet/emulex/benet/be_main.c | 7 drivers/net/ethernet/freescale/fec_main.c | 2 drivers/net/ethernet/intel/fm10k/fm10k_common.c | 5 drivers/net/ethernet/intel/fm10k/fm10k_common.h | 2 drivers/net/ethernet/intel/fm10k/fm10k_pf.c | 2 drivers/net/ethernet/intel/fm10k/fm10k_vf.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c | 15 - drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c | 6 drivers/net/ethernet/qlogic/qede/qede_main.c | 2 drivers/net/ethernet/renesas/ravb_main.c | 16 + drivers/net/ethernet/renesas/sh_eth.c | 4 drivers/net/ethernet/ti/netcp_core.c | 10 drivers/net/phy/dp83867.c | 6 drivers/net/phy/mdio_bus.c | 5 drivers/net/usb/asix_devices.c | 12 drivers/net/usb/qmi_wwan.c | 6 drivers/net/usb/usbnet.c | 2 drivers/net/wireless/ath/ath10k/wmi.c | 1 drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 3 drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c | 21 - drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.h | 3 drivers/pci/p2pdma.c | 2 drivers/pci/quirks.c | 1 drivers/phy/cadence/cdns-dphy.c | 4 drivers/regulator/fixed.c | 6 drivers/remoteproc/qcom_q6v5.c | 5 drivers/s390/net/ctcm_mpc.c | 1 drivers/scsi/lpfc/lpfc_debugfs.h | 3 drivers/scsi/lpfc/lpfc_scsi.c | 14 - drivers/scsi/pm8001/pm8001_ctl.c | 2 drivers/scsi/sg.c | 10 drivers/soc/imx/gpc.c | 2 drivers/soc/qcom/smem.c | 2 drivers/soc/ti/knav_dma.c | 14 - drivers/spi/spi-loopback-test.c | 12 drivers/spi/spi.c | 10 drivers/target/loopback/tcm_loop.c | 3 drivers/tee/tee_core.c | 2 drivers/tty/serial/8250/8250_dw.c | 128 ++++----- drivers/uio/uio_hv_generic.c | 21 + drivers/usb/gadget/function/f_fs.c | 8 drivers/usb/gadget/function/f_hid.c | 4 drivers/usb/gadget/function/f_ncm.c | 3 drivers/usb/host/xhci-plat.c | 1 drivers/usb/mon/mon_bin.c | 14 - drivers/video/backlight/lp855x_bl.c | 2 drivers/video/fbdev/aty/atyfb_base.c | 8 drivers/video/fbdev/core/bitblit.c | 33 ++ drivers/video/fbdev/pvr2fb.c | 2 drivers/video/fbdev/valkyriefb.c | 2 fs/9p/v9fs.c | 9 fs/btrfs/transaction.c | 2 fs/ceph/locks.c | 5 fs/hpfs/namei.c | 18 - fs/jfs/inode.c | 8 fs/jfs/jfs_txnmgr.c | 9 fs/nfs/nfs4client.c | 1 fs/nfs/nfs4proc.c | 6 fs/nfs/nfs4state.c | 3 fs/open.c | 10 fs/orangefs/xattr.c | 12 fs/proc/generic.c | 12 include/linux/ata.h | 1 include/linux/compiler_types.h | 5 include/linux/filter.h | 2 include/linux/mm.h | 2 include/linux/shdma-base.h | 2 include/linux/usb.h | 16 - include/net/cls_cgroup.h | 2 include/net/nfc/nci_core.h | 2 include/net/pkt_sched.h | 25 + kernel/events/uprobes.c | 7 kernel/gcov/gcc_4_7.c | 4 kernel/trace/trace_events_hist.c | 6 mm/page_alloc.c | 2 net/8021q/vlan.c | 2 net/bluetooth/6lowpan.c | 97 ++++--- net/bluetooth/l2cap_core.c | 1 net/bluetooth/sco.c | 7 net/bridge/br_forward.c | 3 net/core/netpoll.c | 7 net/core/page_pool.c | 6 net/core/sock.c | 15 - net/ipv4/nexthop.c | 6 net/ipv4/route.c | 5 net/ipv6/ah6.c | 50 ++- net/ipv6/raw.c | 2 net/ipv6/udp.c | 2 net/mac80211/rx.c | 10 net/openvswitch/actions.c | 68 ---- net/openvswitch/flow_netlink.c | 64 ---- net/openvswitch/flow_netlink.h | 2 net/rds/rds.h | 2 net/sched/act_ife.c | 12 net/sched/sch_api.c | 10 net/sched/sch_generic.c | 24 - net/sched/sch_hfsc.c | 16 - net/sched/sch_qfq.c | 2 net/sctp/associola.c | 10 net/sctp/chunk.c | 2 net/sctp/diag.c | 7 net/sctp/endpointola.c | 6 net/sctp/input.c | 5 net/sctp/output.c | 2 net/sctp/outqueue.c | 6 net/sctp/sm_make_chunk.c | 7 net/sctp/sm_sideeffect.c | 16 - net/sctp/sm_statefuns.c | 2 net/sctp/socket.c | 12 net/sctp/stream.c | 3 net/sctp/stream_interleave.c | 23 - net/sctp/transport.c | 15 - net/sctp/ulpqueue.c | 15 - net/strparser/strparser.c | 2 net/tipc/core.c | 4 net/tipc/core.h | 8 net/tipc/discover.c | 4 net/tipc/link.c | 5 net/tipc/link.h | 1 net/tipc/net.c | 17 - net/vmw_vsock/af_vsock.c | 40 ++ scripts/kconfig/mconf.c | 3 scripts/kconfig/nconf.c | 3 sound/soc/codecs/cs4271.c | 10 sound/soc/codecs/max98090.c | 6 sound/soc/qcom/qdsp6/q6asm.c | 2 sound/usb/mixer.c | 11 tools/power/cpupower/lib/cpuidle.c | 5 tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c | 26 + tools/testing/selftests/Makefile | 2 tools/testing/selftests/bpf/test_lirc_mode2_user.c | 2 tools/testing/selftests/net/fcnal-test.sh | 4 tools/testing/selftests/net/psock_tpacket.c | 4 200 files changed, 1294 insertions(+), 813 deletions(-) Abdun Nihaal (1): isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe() Al Viro (2): allow finish_no_open(file, ERR_PTR(-E...)) nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing Albin Babu Varghese (1): fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds Aleksander Jan Bajkowski (3): mips: lantiq: danube: add missing properties to cpu node mips: lantiq: danube: add missing device_type in pci node mips: lantiq: xway: sysctrl: rename stp clock Aleksei Nikiforov (1): s390/ctcm: Fix double-kfree Alexander Stein (2): mfd: stmpe: Remove IRQ domain upon removal mfd: stmpe-i2c: Add missing MODULE_LICENSE Alexey Klimov (1): regmap: slimbus: fix bus_context pointer in regmap init calls Amber Lin (1): drm/amdkfd: Tie UNMAP_LATENCY to queue_preemption Amirreza Zarrabi (1): tee: allow a driver to allocate a tee_device without a pool Andrey Vatoropin (1): be2net: pass wrb_params in case of OS2BMC Andy Shevchenko (2): serial: 8250_dw: Use devm_clk_get_optional() to get the input clock serial: 8250_dw: Use devm_add_action_or_reset() Anthony Iliopoulos (1): NFSv4.1: fix mount hang after CREATE_SESSION failure Armin Wolf (1): hwmon: (dell-smm) Add support for Dell OptiPlex 7040 Arnd Bergmann (1): mfd: madera: Work around false-positive -Wininitialized warning Artem Shimko (1): serial: 8250_dw: handle reset control deassert error Babu Moger (1): x86/resctrl: Fix miscount of bandwidth event when reactivating previously unavailable RMID Bart Van Assche (1): scsi: sg: Do not sleep in atomic context Benjamin Berg (1): wifi: mac80211: skip rate verification for not captured PSDUs Biju Das (1): mmc: host: renesas_sdhi: Fix the actual clock Brahmajit Das (1): net: intel: fm10k: Fix parameter idx set but not used Breno Leitao (1): net: netpoll: fix incorrect refcount handling causing incorrect cleanup Buday Csaba (1): net: mdio: fix resource leak in mdiobus_register_device() Celeste Liu (1): can: gs_usb: increase max interface to U8_MAX Charalampos Mitrodimas (1): net: ipv6: fix field-spanning memcpy warning in AH output Chelsy Ratnawat (1): media: fix uninitialized symbol warnings Chris Morgan (1): regulator: fixed: use dev_err_probe for register Christian Bruel (1): irqchip/gic-v2m: Handle Multiple MSI base IRQ Alignment Christoph Paasch (1): net: When removing nexthops, don't call synchronize_net if it is not necessary Chuang Wang (1): ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe Cryolitia PukNgae (1): ALSA: usb-audio: apply quirk for MOONDROP Quark2 Daniel Lezcano (1): clocksource/drivers/vf-pit: Replace raw_readl/writel to readl/writel Daniel Palmer (1): fbdev: atyfb: Check if pll_ops->init_pll failed David Ahern (2): selftests: Disable dad for ipv6 in fcnal-test.sh selftests: Replace sleep with slowwait David Kaplan (1): x86/bugs: Fix reporting of LFENCE retpoline Dennis Beier (1): cpufreq/longhaul: handle NULL policy in longhaul_exit Devendra K Verma (1): dmaengine: dw-edma: Set status for callback_result Dragos Tatulea (1): page_pool: Clamp pool size to max 16K pages Emanuele Ghidoli (1): net: phy: dp83867: Disable EEE support as not implemented Eric Dumazet (5): net: call cond_resched() less often in __release_sock() ipv6: np->rxpmtu race annotation sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto net_sched: remove need_resched() from qdisc_run() net_sched: limit try_bulk_dequeue_skb() batches Filipe Manana (1): btrfs: use smp_mb__after_atomic() when forcing COW in create_pending_snapshot() Florian Fuchs (1): fbdev: pvr2fb: Fix leftover reference to ONCHIP_NR_DMA_CHANNELS Forest Crossman (1): usb: mon: Increase BUFF_MAX to 64 MiB to support multi-MB URBs Gal Pressman (2): net/mlx5e: Fix maxrate wraparound in threshold between units net/mlx5e: Fix wraparound in rate limiting for values above 255 Gbps Geoffrey McRae (1): drm/amdkfd: return -ENOTTY for unsupported IOCTLs Gokul Sivakumar (1): wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode Greg Kroah-Hartman (1): Linux 5.4.302 Haein Lee (1): ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd Hamza Mahfooz (1): scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show() Hangbin Liu (1): net: vlan: sync VLAN features with lower device Hans de Goede (2): ACPICA: dispatcher: Use acpi_ds_clear_operands() in acpi_ds_call_control_method() spi: Try to get ACPI GPIO IRQ earlier Haotian Zhang (2): regulator: fixed: fix GPIO descriptor leak on register failure ASoC: cs4271: Fix regulator leak on probe failure Harikrishna Shenoy (1): phy: cadence: cdns-dphy: Enable lower resolutions in dphy Ian Forbes (1): drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE Ido Schimmel (1): bridge: Redirect to backup port when port is administratively down Ilya Maximets (1): net: openvswitch: remove never-working support for setting nsh fields Isaac J. Manjarres (1): mm/page_alloc: fix hash table order logging in alloc_large_system_hash() Ivan Pravdin (1): Bluetooth: bcsp: receive data only if registered Jakub Acs (1): mm/ksm: fix flag-dropping behavior in ksm_madvise Jakub Horký (2): kconfig/mconf: Initialize the default locale at startup kconfig/nconf: Initialize the default locale at startup Jens Reidel (1): soc: qcom: smem: Fix endian-unaware access of num_entries Jiayi Li (1): memstick: Add timeout to prevent indefinite waiting Jiri Olsa (1): uprobe: Do not emulate/sstep original instruction when ip is changed Jonas Gorski (3): net: dsa: b53: fix resetting speed and pause on forced link net: dsa: b53: fix enabling ip multicast net: dsa: b53: stop reading ARL entries if search is done Joshua Watt (1): NFS4: Fix state renewals missing after boot Junjie Cao (1): fbdev: bitblit: bound-check glyph index in bit_putcs* Juraj Šarinay (1): net: nfc: nci: Increase NCI_DATA_TIMEOUT to 3000 ms Justin Tee (2): scsi: lpfc: Check return status of lpfc_reset_flush_io_context during TGT_RESET scsi: lpfc: Define size of debugfs entry for xri rebalancing Kaushlendra Kumar (1): tools/cpupower: Fix incorrect size in cpuidle_state_disable() Kees Cook (1): arc: Fix __fls() const-foldability via __builtin_clzl() Kirill A. Shutemov (1): x86/vsyscall: Do not require X86_PF_INSTR to emulate vsyscall Koakuma (1): sparc/module: Add R_SPARC_UA64 relocation handling Krishna Kurapati (1): usb: xhci: plat: Facilitate using autosuspend for xhci plat devices Krzysztof Kozlowski (2): extcon: adc-jack: Fix wakeup source leaks on device unbind extcon: adc-jack: Cleanup wakeup source only if it was enabled Kuniyuki Iwashima (2): net: Call trace_sock_exceed_buf_limit() for memcg failure with SK_MEM_RECV. tipc: Fix use-after-free in tipc_mon_reinit_self(). Lad Prabhakar (1): net: ravb: Enforce descriptor type ordering Laurent Pinchart (1): media: pci: ivtv: Don't create fake v4l2_fh Len Brown (2): tools/power x86_energy_perf_policy: Enhance HWP enable tools/power x86_energy_perf_policy: Prefer driver HWP limits Lizhi Xu (1): usbnet: Prevents free active kevent Loic Poulain (1): wifi: ath10k: Fix memory leak on unsupported WMI command Long Li (1): uio_hv_generic: Set event for all channels on the device Luiz Augusto von Dentz (1): Bluetooth: SCO: Fix UAF on sco_conn_free Maarten Lankhorst (1): devcoredump: Fix circular locking dependency with devcd->mutex. Maciej W. Rozycki (1): MIPS: Malta: Fix !EVA SOC-it PCI MMIO Marcos Del Sol Vives (1): PCI: Disable MSI on RDC PCI to PCIe bridges Mario Limonciello (AMD) (1): ACPI: video: force native for Lenovo 82K8 Miaoqian Lin (3): net: usb: asix_devices: Check return value of usbnet_get_endpoints fbdev: valkyriefb: Fix reference count leak in valkyriefb_init pmdomain: imx: Fix reference count leak in imx_gpc_remove Michal Luczaj (1): vsock: Ignore signal/timeout on connect() if already established Mike Marshall (1): orangefs: fix xattr related buffer overflow... Nai-Chen Cheng (1): selftests/Makefile: include $(INSTALL_DEP_TARGETS) in clean target to clean net/lib dependency Nate Karstens (1): strparser: Fix signed/unsigned mismatch bug Nathan Chancellor (1): net: qede: Initialize qede_ll_ops with designated initializer Niklas Cassel (1): ata: libata-scsi: Fix system suspend for a security locked drive Niklas Schnelle (1): powerpc/eeh: Use result of error_detected() in uevent Niklas Söderlund (1): net: sh_eth: Disable WoL if system can not suspend Niravkumar L Rabara (2): EDAC/altera: Handle OCRAM ECC enable after warm reset EDAC/altera: Use INTTEST register for Ethernet and USB SBE injection Nishanth Menon (1): net: ethernet: ti: netcp: Standardize knav_dma_open_channel to return NULL on error Olga Kornievskaia (1): NFSv4: handle ERR_GRACE on delegation recalls Owen Gu (1): usb: gadget: f_fs: Fix epfile null pointer access after ep enable. Pauli Virtanen (4): Bluetooth: 6lowpan: reset link-local header on ipv6 recv path Bluetooth: 6lowpan: fix BDADDR_LE vs ADDR_LE_DEV address type confusion Bluetooth: 6lowpan: Don't hold spin lock over sleeping functions Bluetooth: L2CAP: export l2cap_chan_hold for modules Peter Oberparleiter (1): gcov: add support for GCC 15 Peter Zijlstra (1): compiler_types: Move unused static inline functions warning to W=2 Qendrim Maxhuni (1): net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup Qianfeng Rong (2): scsi: pm8001: Use int instead of u32 to store error codes media: redrat3: use int type to store negative error codes Randall P. Embry (2): 9p: fix /sys/fs/9p/caches overwriting itself 9p: sysfs_init: don't hardcode error to ENOMEM Ranganath V N (1): net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak Raphael Pinsonneault-Thibeault (1): Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF René Rebe (1): ALSA: usb-audio: fix uac2 clock source at terminal parser Ricardo B. Marlière (1): selftests/bpf: Fix bpf_prog_detach2 usage in test_lirc_mode2 Rodrigo Gobbi (1): iio: adc: spear_adc: mask SPEAR_ADC_STATUS channel and avg sample before setting register Rosen Penev (1): dmaengine: mv_xor: match alloc_wc and free_wc Russell King (1): net: dsa/b53: change b53_force_port_config() pause argument Sakari Ailus (1): ACPI: property: Return present device nodes only on fwnode interface Saket Dumbre (1): ACPICA: Update dsmethod.c to get rid of unused variable warning Sarthak Garg (1): mmc: sdhci-msm: Enable tuning for SDR50 mode for SD card Seungjin Bae (1): Input: pegasus-notetaker - fix potential out-of-bounds access Seyediman Seyedarab (1): drm/nouveau: replace snprintf() with scnprintf() in nvkm_snprintbf() Sharique Mohammad (1): ASoC: max98090/91: fixed max98091 ALSA widget powering up/down Shaurya Rane (1): jfs: fix uninitialized waitqueue in transaction manager Srinivas Kandagatla (1): ASoC: qdsp6: q6asm: do not sleep while atomic Stefan Wiehler (2): sctp: Hold RCU read lock while iterating over address list sctp: Prevent TOCTOU out-of-bounds write Stephan Gerhold (1): remoteproc: qcom: q6v5: Avoid handling handover twice Sudeep Holla (1): pmdomain: arm: scmi: Fix genpd leak on provider registration failure Sungho Kim (1): PCI/P2PDMA: Fix incorrect pointer usage in devm_kfree() call Svyatoslav Ryhel (1): video: backlight: lp855x_bl: Set correct EPROM start for LP8556 Tetsuo Handa (2): media: imon: make send_packet() more robust jfs: Verify inode mode when loading from disk Thomas Andreatta (1): dmaengine: sh: setup_xref error handling Thomas Weißschuh (2): spi: loopback-test: Don't use %pK through printk bpf: Don't use %pK through printk Théo Lebrun (1): net: macb: avoid dealing with endianness in macb_set_hwaddr() Tomeu Vizoso (1): drm/etnaviv: fix flush sequence logic Tristan Lobb (1): HID: quirks: avoid Cooler Master MM712 dongle wakeup bug Tzung-Bi Shih (1): Input: cros_ec_keyb - fix an invalid memory access Ujwal Kundur (1): rds: Fix endianness annotation for RDS_MPATH_HASH Viacheslav Dubeyko (1): ceph: add checking of wait_for_completion_killable() return value Vincent Mailhol (2): usb: deprecate the third argument of usb_maxpacket() Input: remove third argument of usb_maxpacket() Wake Liu (2): selftests/net: Replace non-standard __WORDSIZE with sizeof(long) * 8 selftests/net: Ensure assert() triggers in psock_tpacket.c Wei Fang (1): net: fec: correct rx_bytes statistic for the case SHIFT16 is set Wei Yang (1): fs/proc: fix uaf in proc_readdir_de() William Wu (1): usb: gadget: f_hid: Fix zero length packet transfer Xiang Mei (1): net/sched: sch_qfq: Fix null-deref in agg_dequeue Xin Long (2): sctp: get netns from asoc and ep base tipc: simplify the finalize work queue Yafang Shao (1): net/cls_cgroup: Fix task_get_classid() during qdisc run Yikang Yue (1): fs/hpfs: Fix error code for new_inode() failure in mkdir/create/mknod/symlink Yuhao Jiang (1): ACPI: video: Fix use-after-free in acpi_video_switch_brightness() Zhang Heng (1): HID: quirks: work around VID/PID conflict for 0x4c4a/0x4155 Zijun Hu (1): char: misc: Does not request module for miscdevice with dynamic minor Zilin Guan (2): tracing: Fix memory leaks in create_field_var() mlxsw: spectrum: Fix memory leak in mlxsw_sp_flower_stats() raub camaioni (1): usb: gadget: f_ncm: Fix MAC assignment NCM ethernet Álvaro Fernández Rojas (1): net: dsa: b53: prevent GMII_PORT_OVERRIDE_CTRL access on BCM5325

4 days, 21 hours

1
2
0 0

[PATCH v6.1 0/4] sched: The newidle balance regression

by Ajay Kaher

This series is to backport following patches for v6.1: link: https://lore.kernel.org/lkml/20251107160645.929564468@infradead.org/ Peter Zijlstra (4): sched/fair: Revert max_newidle_lb_cost bump sched/fair: Small cleanup to sched_balance_newidle() sched/fair: Small cleanup to update_newidle_cost() sched/fair: Proportional newidle balance include/linux/sched/topology.h | 3 ++ kernel/sched/core.c | 3 ++ kernel/sched/fair.c | 75 +++++++++++++++++++++++----------- kernel/sched/features.h | 5 +++ kernel/sched/sched.h | 7 ++++ kernel/sched/topology.c | 6 +++ 6 files changed, 75 insertions(+), 24 deletions(-) -- 2.40.4

4 days, 23 hours

1
4
0 0

[PATCH 6.1.y] HID: core: Harden s32ton() against conversion to 0 bits

by jetlan9＠163.com

From: Alan Stern <stern(a)rowland.harvard.edu> [ Upstream commit a6b87bfc2ab5bccb7ad953693c85d9062aef3fdd ] Testing by the syzbot fuzzer showed that the HID core gets a shift-out-of-bounds exception when it tries to convert a 32-bit quantity to a 0-bit quantity. Ideally this should never occur, but there are buggy devices and some might have a report field with size set to zero; we shouldn't reject the report or the device just because of that. Instead, harden the s32ton() routine so that it returns a reasonable result instead of crashing when it is called with the number of bits set to 0 -- the same as what snto32() does. Signed-off-by: Alan Stern <stern(a)rowland.harvard.edu> Reported-by: syzbot+b63d677d63bcac06cf90(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-usb/68753a08.050a0220.33d347.0008.GAE@google.… Tested-by: syzbot+b63d677d63bcac06cf90(a)syzkaller.appspotmail.com Fixes: dde5845a529f ("[PATCH] Generic HID layer - code split") Cc: stable(a)vger.kernel.org Link: https://patch.msgid.link/613a66cd-4309-4bce-a4f7-2905f9bce0c9@rowland.harva… Signed-off-by: Benjamin Tissoires <bentiss(a)kernel.org> [ s32ton() was moved by c653ffc28340 ("HID: stop exporting hid_snto32()"). Minor context change fixed. ] Signed-off-by: Wenshan Lan <jetlan9(a)163.com> --- drivers/hid/hid-core.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c index ed65523d77c2..c8cca0c7ec67 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c @@ -1354,7 +1354,12 @@ EXPORT_SYMBOL_GPL(hid_snto32); static u32 s32ton(__s32 value, unsigned n) { - s32 a = value >> (n - 1); + s32 a; + if (!value || !n) + return 0; + + a = value >> (n - 1); + if (a && a != -1) return value < 0 ? 1 << (n - 1) : (1 << (n - 1)) - 1; return value & ((1 << n) - 1); -- 2.43.0

4 days, 23 hours

1
0
0 0

[PATCH 6.6.y] HID: core: Harden s32ton() against conversion to 0 bits

by jetlan9＠163.com

From: Alan Stern <stern(a)rowland.harvard.edu> [ Upstream commit a6b87bfc2ab5bccb7ad953693c85d9062aef3fdd ] Testing by the syzbot fuzzer showed that the HID core gets a shift-out-of-bounds exception when it tries to convert a 32-bit quantity to a 0-bit quantity. Ideally this should never occur, but there are buggy devices and some might have a report field with size set to zero; we shouldn't reject the report or the device just because of that. Instead, harden the s32ton() routine so that it returns a reasonable result instead of crashing when it is called with the number of bits set to 0 -- the same as what snto32() does. Signed-off-by: Alan Stern <stern(a)rowland.harvard.edu> Reported-by: syzbot+b63d677d63bcac06cf90(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-usb/68753a08.050a0220.33d347.0008.GAE@google.… Tested-by: syzbot+b63d677d63bcac06cf90(a)syzkaller.appspotmail.com Fixes: dde5845a529f ("[PATCH] Generic HID layer - code split") Cc: stable(a)vger.kernel.org Link: https://patch.msgid.link/613a66cd-4309-4bce-a4f7-2905f9bce0c9@rowland.harva… Signed-off-by: Benjamin Tissoires <bentiss(a)kernel.org> [ s32ton() was moved by c653ffc28340 ("HID: stop exporting hid_snto32()"). Minor context change fixed. ] Signed-off-by: Wenshan Lan <jetlan9(a)163.com> --- drivers/hid/hid-core.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c index 266cd56dec50..d8fda282d049 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c @@ -1351,7 +1351,12 @@ EXPORT_SYMBOL_GPL(hid_snto32); static u32 s32ton(__s32 value, unsigned n) { - s32 a = value >> (n - 1); + s32 a; + + if (!value || !n) + return 0; + + a = value >> (n - 1); if (a && a != -1) return value < 0 ? 1 << (n - 1) : (1 << (n - 1)) - 1; return value & ((1 << n) - 1); -- 2.43.0

4 days, 23 hours

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror