- Linux-stable-mirror - lists.linaro.org

[PATCH v4] w1: therm: Fix off-by-one buffer overflow in alarms_store

by Thorsten Blum

The sysfs buffer passed to alarms_store() is allocated with 'size + 1' bytes and a NUL terminator is appended. However, the 'size' argument does not account for this extra byte. The original code then allocated 'size' bytes and used strcpy() to copy 'buf', which always writes one byte past the allocated buffer since strcpy() copies until the NUL terminator at index 'size'. Fix this by parsing the 'buf' parameter directly using simple_strtoll() without allocating any intermediate memory or string copying. This removes the overflow while simplifying the code. Cc: stable(a)vger.kernel.org Fixes: e2c94d6f5720 ("w1_therm: adding alarm sysfs entry") Signed-off-by: Thorsten Blum <thorsten.blum(a)linux.dev> --- Compile-tested only. Changes in v4: - Use simple_strtoll because kstrtoint also parses long long internally - Return -ERANGE in addition to -EINVAL to match kstrtoint's behavior - Remove any changes unrelated to fixing the buffer overflow (Krzysztof) while maintaining the same behavior and return values as before - Link to v3: https://lore.kernel.org/lkml/20251030155614.447905-1-thorsten.blum@linux.de… Changes in v3: - Add integer range check for 'temp' to match kstrtoint() behavior - Explicitly cast 'temp' to int when calling int_to_short() - Link to v2: https://lore.kernel.org/lkml/20251029130045.70127-2-thorsten.blum@linux.dev/ Changes in v2: - Fix buffer overflow instead of truncating the copy using strscpy() - Parse buffer directly using simple_strtol() as suggested by David - Update patch subject and description - Link to v1: https://lore.kernel.org/lkml/20251017170047.114224-2-thorsten.blum@linux.de… --- drivers/w1/slaves/w1_therm.c | 64 ++++++++++++------------------------ 1 file changed, 21 insertions(+), 43 deletions(-) diff --git a/drivers/w1/slaves/w1_therm.c b/drivers/w1/slaves/w1_therm.c index 9ccedb3264fb..5707fa34e804 100644 --- a/drivers/w1/slaves/w1_therm.c +++ b/drivers/w1/slaves/w1_therm.c @@ -1836,55 +1836,36 @@ static ssize_t alarms_store(struct device *device, struct w1_slave *sl = dev_to_w1_slave(device); struct therm_info info; u8 new_config_register[3]; /* array of data to be written */ - int temp, ret; - char *token = NULL; + long long temp; + int ret = 0; s8 tl, th; /* 1 byte per value + temp ring order */ - char *p_args, *orig; - - p_args = orig = kmalloc(size, GFP_KERNEL); - /* Safe string copys as buf is const */ - if (!p_args) { - dev_warn(device, - "%s: error unable to allocate memory %d\n", - __func__, -ENOMEM); - return size; - } - strcpy(p_args, buf); - - /* Split string using space char */ - token = strsep(&p_args, " "); - - if (!token) { - dev_info(device, - "%s: error parsing args %d\n", __func__, -EINVAL); - goto free_m; - } - - /* Convert 1st entry to int */ - ret = kstrtoint (token, 10, &temp); + const char *p = buf; + char *endp; + + temp = simple_strtoll(p, &endp, 10); + if (p == endp || *endp != ' ') + ret = -EINVAL; + else if (temp < INT_MIN || temp > INT_MAX) + ret = -ERANGE; if (ret) { dev_info(device, "%s: error parsing args %d\n", __func__, ret); - goto free_m; + goto err; } tl = int_to_short(temp); - /* Split string using space char */ - token = strsep(&p_args, " "); - if (!token) { - dev_info(device, - "%s: error parsing args %d\n", __func__, -EINVAL); - goto free_m; - } - /* Convert 2nd entry to int */ - ret = kstrtoint (token, 10, &temp); + p = endp + 1; + temp = simple_strtoll(p, &endp, 10); + if (p == endp) + ret = -EINVAL; + else if (temp < INT_MIN || temp > INT_MAX) + ret = -ERANGE; if (ret) { dev_info(device, "%s: error parsing args %d\n", __func__, ret); - goto free_m; + goto err; } - /* Prepare to cast to short by eliminating out of range values */ th = int_to_short(temp); @@ -1905,7 +1886,7 @@ static ssize_t alarms_store(struct device *device, dev_info(device, "%s: error reading from the slave device %d\n", __func__, ret); - goto free_m; + goto err; } /* Write data in the device RAM */ @@ -1913,7 +1894,7 @@ static ssize_t alarms_store(struct device *device, dev_info(device, "%s: Device not supported by the driver %d\n", __func__, -ENODEV); - goto free_m; + goto err; } ret = SLAVE_SPECIFIC_FUNC(sl)->write_data(sl, new_config_register); @@ -1922,10 +1903,7 @@ static ssize_t alarms_store(struct device *device, "%s: error writing to the slave device %d\n", __func__, ret); -free_m: - /* free allocated memory */ - kfree(orig); - +err: return size; } -- 2.51.1

4 days, 19 hours

3
6
0 0

[PATCH] ext4: xattr: fix wrong search.here in clone_block

by Jinchao Wang

syzbot reported a KASAN out-of-bounds Read in ext4_xattr_set_entry()[1]. When xattr_find_entry() returns -ENODATA, search.here still points to the position after the last valid entry. ext4_xattr_block_set() clones the xattr block because the original block maybe shared and must not be modified in place. In the clone_block, search.here is recomputed unconditionally from the old offset, which may place it past search.first. This results in a negative reset size and an out-of-bounds memmove() in ext4_xattr_set_entry(). Fix this by initializing search.here correctly when search.not_found is set. #syz test [1] https://syzkaller.appspot.com/bug?extid=f792df426ff0f5ceb8d1 Fixes: fd48e9acdf2 (ext4: Unindent codeblock in ext4_xattr_block_set) Cc: stable(a)vger.kernel.org Reported-by: syzbot+f792df426ff0f5ceb8d1(a)syzkaller.appspotmail.com Signed-off-by: Jinchao Wang <wangjinchao600(a)gmail.com> --- fs/ext4/xattr.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c index 2e02efbddaac..cc30abeb7f30 100644 --- a/fs/ext4/xattr.c +++ b/fs/ext4/xattr.c @@ -1980,7 +1980,10 @@ ext4_xattr_block_set(handle_t *handle, struct inode *inode, goto cleanup; s->first = ENTRY(header(s->base)+1); header(s->base)->h_refcount = cpu_to_le32(1); - s->here = ENTRY(s->base + offset); + if (s->not_found) + s->here = s->first; + else + s->here = ENTRY(s->base + offset); s->end = s->base + bs->bh->b_size; /* -- 2.43.0

4 days, 20 hours

2
1
0 0

[PATCH v4] drm/i915/gem: Zero-initialize the eb.vma array in i915_gem_do_execbuffer

by Krzysztof Niemiec

Initialize the eb.vma array with values of 0 when the eb structure is first set up. In particular, this sets the eb->vma[i].vma pointers to NULL, simplifying cleanup and getting rid of the bug described below. During the execution of eb_lookup_vmas(), the eb->vma array is successively filled up with struct eb_vma objects. This process includes calling eb_add_vma(), which might fail; however, even in the event of failure, eb->vma[i].vma is set for the currently processed buffer. If eb_add_vma() fails, eb_lookup_vmas() returns with an error, which prompts a call to eb_release_vmas() to clean up the mess. Since eb_lookup_vmas() might fail during processing any (possibly not first) buffer, eb_release_vmas() checks whether a buffer's vma is NULL to know at what point did the lookup function fail. In eb_lookup_vmas(), eb->vma[i].vma is set to NULL if either the helper function eb_lookup_vma() or eb_validate_vma() fails. eb->vma[i+1].vma is set to NULL in case i915_gem_object_userptr_submit_init() fails; the current one needs to be cleaned up by eb_release_vmas() at this point, so the next one is set. If eb_add_vma() fails, neither the current nor the next vma is nullified, which is a source of a NULL deref bug described in [1]. When entering eb_lookup_vmas(), the vma pointers are set to the slab poison value, instead of NULL. This doesn't matter for the actual lookup, since it gets overwritten anyway, however the eb_release_vmas() function only recognizes NULL as the stopping value, hence the pointers are being nullified as they go in case of intermediate failure. This patch changes the approach to filling them all with NULL at the start instead, rather than handling that manually during failure. Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15062 Fixes: 544460c33821 ("drm/i915: Multi-BB execbuf") Reported-by: Gangmin Kim <km.kim1503(a)gmail.com> Cc: <stable(a)vger.kernel.org> # 5.16.x Signed-off-by: Krzysztof Niemiec <krzysztof.niemiec(a)intel.com> --- I messed up the continuity in previous revisions; the original patch was sent as [1], and the first revision (which I didn't mark as v2 due to the title change) was sent as [2]. This is the full current changelog: v4: - delete an empty line (Janusz), reword the comment a bit (Krzysztof, Janusz) v3: - use memset() to fill the entire eb.vma array with zeros instead of looping through the elements (Janusz) - add a comment clarifying the mechanism of the initial allocation (Janusz) - change the commit log again, including title - rearrange the tags to keep checkpatch happy v2: - set the eb->vma[i].vma pointers to NULL during setup instead of ad-hoc at failure (Janusz) - romanize the reporter's name (Andi, offline) - change the commit log, including title [1] https://patchwork.freedesktop.org/series/156832/ [2] https://patchwork.freedesktop.org/series/158036/ .../gpu/drm/i915/gem/i915_gem_execbuffer.c | 37 +++++++++---------- 1 file changed, 17 insertions(+), 20 deletions(-) diff --git a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c index b057c2fa03a4..348023d13668 100644 --- a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c +++ b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c @@ -951,13 +951,13 @@ static int eb_lookup_vmas(struct i915_execbuffer *eb) vma = eb_lookup_vma(eb, eb->exec[i].handle); if (IS_ERR(vma)) { err = PTR_ERR(vma); - goto err; + return err; } err = eb_validate_vma(eb, &eb->exec[i], vma); if (unlikely(err)) { i915_vma_put(vma); - goto err; + return err; } err = eb_add_vma(eb, &current_batch, i, vma); @@ -966,19 +966,8 @@ static int eb_lookup_vmas(struct i915_execbuffer *eb) if (i915_gem_object_is_userptr(vma->obj)) { err = i915_gem_object_userptr_submit_init(vma->obj); - if (err) { - if (i + 1 < eb->buffer_count) { - /* - * Execbuffer code expects last vma entry to be NULL, - * since we already initialized this entry, - * set the next value to NULL or we mess up - * cleanup handling. - */ - eb->vma[i + 1].vma = NULL; - } - + if (err) return err; - } eb->vma[i].flags |= __EXEC_OBJECT_USERPTR_INIT; eb->args->flags |= __EXEC_USERPTR_USED; @@ -986,10 +975,6 @@ static int eb_lookup_vmas(struct i915_execbuffer *eb) } return 0; - -err: - eb->vma[i].vma = NULL; - return err; } static int eb_lock_vmas(struct i915_execbuffer *eb) @@ -3375,7 +3360,8 @@ i915_gem_do_execbuffer(struct drm_device *dev, eb.exec = exec; eb.vma = (struct eb_vma *)(exec + args->buffer_count + 1); - eb.vma[0].vma = NULL; + memset(eb.vma, 0x00, args->buffer_count * sizeof(struct eb_vma)); + eb.batch_pool = NULL; eb.invalid_flags = __EXEC_OBJECT_UNKNOWN_FLAGS; @@ -3584,7 +3570,18 @@ i915_gem_execbuffer2_ioctl(struct drm_device *dev, void *data, if (err) return err; - /* Allocate extra slots for use by the command parser */ + /* + * Allocate extra slots for use by the command parser. + * + * Note that this allocation handles two different arrays (the + * exec2_list array, and the eventual eb.vma array introduced in + * i915_gem_do_execubuffer()), that reside in virtually contiguous + * memory. Also note that the allocation intentionally doesn't fill the + * area with zeros (because the exec2_list part doesn't need to be, as + * it's immediately overwritten by user data a few lines below). + * However, the eb.vma part is explicitly zeroed later in + * i915_gem_do_execbuffer(). + */ exec2_list = kvmalloc_array(count + 2, eb_element_size(), __GFP_NOWARN | GFP_KERNEL); if (exec2_list == NULL) { -- 2.45.2

4 days, 20 hours

4
3
0 0

[PATCH] leds: leds-cros_ec: Skip LEDs without color components

by Thomas Weißschuh

A user reports that on their Lenovo Corsola Magneton with EC firmware steelix-15194.270.0 the driver probe fails with EINVAL. It turns out that the power LED does not contain any color components as indicated by the following "ectool led power query" output: Brightness range for LED 1: red : 0x0 green : 0x0 blue : 0x0 yellow : 0x0 white : 0x0 amber : 0x0 The LED also does not react to commands sent manually through ectool and is generally non-functional. Instead of failing the probe for all LEDs managed by the EC when one without color components is encountered, silently skip those. Fixes: 8d6ce6f3ec9d ("leds: Add ChromeOS EC driver") Cc: stable(a)vger.kernel.org Signed-off-by: Thomas Weißschuh <linux(a)weissschuh.net> --- drivers/leds/leds-cros_ec.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/leds/leds-cros_ec.c b/drivers/leds/leds-cros_ec.c index 377cf04e202a..bea3cc3fbfd2 100644 --- a/drivers/leds/leds-cros_ec.c +++ b/drivers/leds/leds-cros_ec.c @@ -142,9 +142,6 @@ static int cros_ec_led_count_subleds(struct device *dev, } } - if (!num_subleds) - return -EINVAL; - *max_brightness = common_range; return num_subleds; } @@ -189,6 +186,8 @@ static int cros_ec_led_probe_one(struct device *dev, struct cros_ec_device *cros &priv->led_mc_cdev.led_cdev.max_brightness); if (num_subleds < 0) return num_subleds; + if (num_subleds == 0) + return 0; /* LED without any colors, skip */ priv->cros_ec = cros_ec; priv->led_id = id; --- base-commit: 3a8660878839faadb4f1a6dd72c3179c1df56787 change-id: 20251028-cros_ec-leds-no-colors-18eb8d1efa92 Best regards, -- Thomas Weißschuh <linux(a)weissschuh.net>

4 days, 20 hours

2
2
0 0

Re: [PATCH v1] rust: Add some DMA helpers for architectures without CONFIG_HAS_DMA

by Danilo Krummrich

(Cc: stable(a)vger.kernel.org) On Thu Dec 4, 2025 at 5:06 PM CET, FUJITA Tomonori wrote: > Add dma_set_mask(), dma_set_coherent_mask(), dma_map_sgtable(), and > dma_max_mapping_size() helpers to fix a build error when > CONFIG_HAS_DMA is not enabled. > > Note that when CONFIG_HAS_DMA is enabled, they are included in both > bindings_generated.rs and bindings_helpers_generated.rs. The former > takes precedence so behavior remains unchanged in that case. > > This fixes the following build error on UML: > > error[E0425]: cannot find function `dma_set_mask` in crate `bindings` > --> /linux/rust/kernel/dma.rs:46:38 > | > 46 | to_result(unsafe { bindings::dma_set_mask(self.as_ref().as_raw(), mask.value()) }) > | ^^^^^^^^^^^^ help: a function with a similar name exists: `xa_set_mark` > | > ::: /build/um/rust/bindings/bindings_generated.rs:24690:5 > | > 24690 | pub fn xa_set_mark(arg1: *mut xarray, index: ffi::c_ulong, arg2: xa_mark_t); > | ---------------------------------------------------------------------------- similarly named function `xa_set_mark` defined here > > error[E0425]: cannot find function `dma_set_coherent_mask` in crate `bindings` > --> /linux/rust/kernel/dma.rs:63:38 > | > 63 | to_result(unsafe { bindings::dma_set_coherent_mask(self.as_ref().as_raw(), mask.value()) }) > | ^^^^^^^^^^^^^^^^^^^^^ help: a function with a similar name exists: `dma_coherent_ok` > | > ::: /build/um/rust/bindings/bindings_generated.rs:52745:5 > | > 52745 | pub fn dma_coherent_ok(dev: *mut device, phys: phys_addr_t, size: usize) -> bool_; > | ---------------------------------------------------------------------------------- similarly named function `dma_coherent_ok` defined here > > error[E0425]: cannot find function `dma_map_sgtable` in crate `bindings` > --> /linux/rust/kernel/scatterlist.rs:212:23 > | > 212 | bindings::dma_map_sgtable(dev.as_raw(), sgt.as_ptr(), dir.into(), 0) > | ^^^^^^^^^^^^^^^ help: a function with a similar name exists: `dma_unmap_sgtable` > | > ::: /build/um/rust/bindings/bindings_helpers_generated.rs:1351:5 > | > 1351 | / pub fn dma_unmap_sgtable( > 1352 | | dev: *mut device, > 1353 | | sgt: *mut sg_table, > 1354 | | dir: dma_data_direction, > 1355 | | attrs: ffi::c_ulong, > 1356 | | ); > | |______- similarly named function `dma_unmap_sgtable` defined here > > error[E0425]: cannot find function `dma_max_mapping_size` in crate `bindings` > --> /linux/rust/kernel/scatterlist.rs:356:52 > | > 356 | let max_segment = match unsafe { bindings::dma_max_mapping_size(dev.as_raw()) } { > | ^^^^^^^^^^^^^^^^^^^^ not found in `bindings` > > error: aborting due to 4 previous errors > > Fixes: 101d66828a4ee ("rust: dma: add DMA addressing capabilities") > Signed-off-by: FUJITA Tomonori <fujita.tomonori(a)gmail.com> Applied to driver-core-linus, thanks! [ Use relative paths in the error splat; add 'dma' prefix. - Danilo ]

4 days, 20 hours

1
0
0 0

[PATCH v2] usb: typec: ucsi: Fix null pointer dereference in ucsi_sync_control_common

by Mario Limonciello (AMD)

Add missing null check for cci parameter before dereferencing it in ucsi_sync_control_common(). The function can be called with cci=NULL from ucsi_acknowledge(), which leads to a null pointer dereference when accessing *cci in the condition check. The crash occurs because the code checks if cci is not null before calling ucsi->ops->read_cci(ucsi, cci), but then immediately dereferences cci without a null check in the following condition: (*cci & UCSI_CCI_COMMAND_COMPLETE). KASAN trace: KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:ucsi_sync_control_common+0x2ae/0x4e0 [typec_ucsi] Cc: stable(a)vger.kernel.org Fixes: 667ecac55861 ("usb: typec: ucsi: return CCI and message from sync_control callback") Reviewed-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Signed-off-by: Mario Limonciello (AMD) <superm1(a)kernel.org> --- v2: * Add stable tag * Add Heikki's tag --- drivers/usb/typec/ucsi/ucsi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c index 9b3df776137a1..7129973f19e7e 100644 --- a/drivers/usb/typec/ucsi/ucsi.c +++ b/drivers/usb/typec/ucsi/ucsi.c @@ -97,7 +97,7 @@ int ucsi_sync_control_common(struct ucsi *ucsi, u64 command, u32 *cci) if (!ret && cci) ret = ucsi->ops->read_cci(ucsi, cci); - if (!ret && ucsi->message_in_size > 0 && + if (!ret && cci && ucsi->message_in_size > 0 && (*cci & UCSI_CCI_COMMAND_COMPLETE)) ret = ucsi->ops->read_message_in(ucsi, ucsi->message_in, ucsi->message_in_size); -- 2.43.0

4 days, 20 hours

1
0
0 0

[PATCH RESEND] dmaengine: ti-dma-crossbar: Fix error handling in ti_am335x_xbar_route_allocate

by Ma Ke

ti_am335x_xbar_route_allocate() calls of_find_device_by_node() which increments the reference count of the platform device, but fails to call put_device() to decrement the reference count before returning. This could cause a reference count leak each time the function is called, preventing the platform device from being properly cleaned up and leading to memory leakage. Add proper put_device() calls in all exit paths to fix the reference count imbalance. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 42dbdcc6bf96 ("dmaengine: ti-dma-crossbar: Add support for crossbar on AM33xx/AM43xx") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/dma/ti/dma-crossbar.c | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/drivers/dma/ti/dma-crossbar.c b/drivers/dma/ti/dma-crossbar.c index 7f17ee87a6dc..58bc515ec8b3 100644 --- a/drivers/dma/ti/dma-crossbar.c +++ b/drivers/dma/ti/dma-crossbar.c @@ -80,33 +80,40 @@ static void *ti_am335x_xbar_route_allocate(struct of_phandle_args *dma_spec, struct platform_device *pdev = of_find_device_by_node(ofdma->of_node); struct ti_am335x_xbar_data *xbar = platform_get_drvdata(pdev); struct ti_am335x_xbar_map *map; + int ret; - if (dma_spec->args_count != 3) - return ERR_PTR(-EINVAL); + if (dma_spec->args_count != 3) { + ret = -EINVAL; + goto err_put_device; + } if (dma_spec->args[2] >= xbar->xbar_events) { dev_err(&pdev->dev, "Invalid XBAR event number: %d\n", dma_spec->args[2]); - return ERR_PTR(-EINVAL); + ret = -EINVAL; + goto err_put_device; } if (dma_spec->args[0] >= xbar->dma_requests) { dev_err(&pdev->dev, "Invalid DMA request line number: %d\n", dma_spec->args[0]); - return ERR_PTR(-EINVAL); + ret = -EINVAL; + goto err_put_device; } /* The of_node_put() will be done in the core for the node */ dma_spec->np = of_parse_phandle(ofdma->of_node, "dma-masters", 0); if (!dma_spec->np) { dev_err(&pdev->dev, "Can't get DMA master\n"); - return ERR_PTR(-EINVAL); + ret = -EINVAL; + goto err_put_device; } map = kzalloc(sizeof(*map), GFP_KERNEL); if (!map) { of_node_put(dma_spec->np); - return ERR_PTR(-ENOMEM); + ret = -ENOMEM; + goto err_put_device; } map->dma_line = (u16)dma_spec->args[0]; @@ -120,7 +127,12 @@ static void *ti_am335x_xbar_route_allocate(struct of_phandle_args *dma_spec, ti_am335x_xbar_write(xbar->iomem, map->dma_line, map->mux_val); + put_device(&pdev->dev); return map; + +err_put_device: + put_device(&pdev->dev); + return ERR_PTR(ret); } static const struct of_device_id ti_am335x_master_match[] __maybe_unused = { -- 2.17.1

4 days, 20 hours

3
2
0 0

Notificación urgente: Su contraseña ha expirado y perderá el acceso a su correo electrónico.

by Soporte de correo lists.linaro.org

4 days, 21 hours

1
0
0 0

FAILED: patch "[PATCH] ALSA: wavefront: Clear substream pointers on close" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x e11c5c13ce0ab2325d38fe63500be1dd88b81e38 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025121601-suffrage-senate-99ab@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e11c5c13ce0ab2325d38fe63500be1dd88b81e38 Mon Sep 17 00:00:00 2001 From: Junrui Luo <moonafterrain(a)outlook.com> Date: Thu, 6 Nov 2025 10:24:57 +0800 Subject: [PATCH] ALSA: wavefront: Clear substream pointers on close Clear substream pointers in close functions to avoid leaving dangling pointers, helping to improve code safety and prevents potential issues. Reported-by: Yuhao Jiang <danisjiang(a)gmail.com> Reported-by: Junrui Luo <moonafterrain(a)outlook.com> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable(a)vger.kernel.org Signed-off-by: Junrui Luo <moonafterrain(a)outlook.com> Link: https://patch.msgid.link/SYBPR01MB7881DF762CAB45EE42F6D812AFC2A@SYBPR01MB78… Signed-off-by: Takashi Iwai <tiwai(a)suse.de> diff --git a/sound/isa/wavefront/wavefront_midi.c b/sound/isa/wavefront/wavefront_midi.c index 1250ecba659a..69d87c4cafae 100644 --- a/sound/isa/wavefront/wavefront_midi.c +++ b/sound/isa/wavefront/wavefront_midi.c @@ -278,6 +278,7 @@ static int snd_wavefront_midi_input_close(struct snd_rawmidi_substream *substrea return -EIO; guard(spinlock_irqsave)(&midi->open); + midi->substream_input[mpu] = NULL; midi->mode[mpu] &= ~MPU401_MODE_INPUT; return 0; @@ -300,6 +301,7 @@ static int snd_wavefront_midi_output_close(struct snd_rawmidi_substream *substre return -EIO; guard(spinlock_irqsave)(&midi->open); + midi->substream_output[mpu] = NULL; midi->mode[mpu] &= ~MPU401_MODE_OUTPUT; return 0; }

4 days, 21 hours

2
1
0 0

6.17.9 / 6.18 AMDGPU DMCUB Error

by Neil Gammie

Hello all, please forgive me if this issue is already known, but I couldn't find any reference to it with regard to the 6.17.9 kernel. Anyway, when updating from 6.17.8 to 6.17.9, the following error is raised on every boot: Dec 04 14:44:20 P14s kernel: amdgpu: Topology: Add dGPU node [0x1638:0x1002] Dec 04 14:44:20 P14s kernel: kfd kfd: amdgpu: added device 1002:1638 Dec 04 14:44:20 P14s kernel: amdgpu 0000:07:00.0: amdgpu: SE 1, SH per SE 1, CU per SH 8, active_cu_number 8 Dec 04 14:44:20 P14s kernel: amdgpu 0000:07:00.0: amdgpu: ring gfx uses VM inv eng 0 on hub 0 Dec 04 14:44:20 P14s kernel: amdgpu 0000:07:00.0: amdgpu: ring comp_1.0.0 uses VM inv eng 1 on hub 0 Dec 04 14:44:20 P14s kernel: amdgpu 0000:07:00.0: amdgpu: ring comp_1.1.0 uses VM inv eng 4 on hub 0 Dec 04 14:44:20 P14s kernel: amdgpu 0000:07:00.0: amdgpu: ring comp_1.2.0 uses VM inv eng 5 on hub 0 Dec 04 14:44:20 P14s kernel: amdgpu 0000:07:00.0: amdgpu: ring comp_1.3.0 uses VM inv eng 6 on hub 0 Dec 04 14:44:20 P14s kernel: amdgpu 0000:07:00.0: amdgpu: ring comp_1.0.1 uses VM inv eng 7 on hub 0 Dec 04 14:44:20 P14s kernel: amdgpu 0000:07:00.0: amdgpu: ring comp_1.1.1 uses VM inv eng 8 on hub 0 Dec 04 14:44:20 P14s kernel: amdgpu 0000:07:00.0: amdgpu: ring comp_1.2.1 uses VM inv eng 9 on hub 0 Dec 04 14:44:20 P14s kernel: amdgpu 0000:07:00.0: amdgpu: ring comp_1.3.1 uses VM inv eng 10 on hub 0 Dec 04 14:44:20 P14s kernel: amdgpu 0000:07:00.0: amdgpu: ring kiq_0.2.1.0 uses VM inv eng 11 on hub 0 Dec 04 14:44:20 P14s kernel: amdgpu 0000:07:00.0: amdgpu: ring sdma0 uses VM inv eng 0 on hub 8 Dec 04 14:44:20 P14s kernel: amdgpu 0000:07:00.0: amdgpu: ring vcn_dec uses VM inv eng 1 on hub 8 Dec 04 14:44:20 P14s kernel: amdgpu 0000:07:00.0: amdgpu: ring vcn_enc0 uses VM inv eng 4 on hub 8 Dec 04 14:44:20 P14s kernel: amdgpu 0000:07:00.0: amdgpu: ring vcn_enc1 uses VM inv eng 5 on hub 8 Dec 04 14:44:20 P14s kernel: amdgpu 0000:07:00.0: amdgpu: ring jpeg_dec uses VM inv eng 6 on hub 8 Dec 04 14:44:20 P14s kernel: amdgpu 0000:07:00.0: amdgpu: Runtime PM not available Dec 04 14:44:20 P14s kernel: amdgpu 0000:07:00.0: amdgpu: [drm] Using custom brightness curve Dec 04 14:44:20 P14s kernel: amdgpu 0000:07:00.0: [drm] Registered 4 planes with drm panic Dec 04 14:44:20 P14s kernel: [drm] Initialized amdgpu 3.64.0 for 0000:07:00.0 on minor 1 Dec 04 14:44:20 P14s kernel: fbcon: amdgpudrmfb (fb0) is primary device Dec 04 14:44:20 P14s kernel: amdgpu 0000:07:00.0: [drm] *ERROR* dc_dmub_srv_log_diagnostic_data: DMCUB error - collecting diagnostic data Dec 04 14:44:21 P14s kernel: amdgpu 0000:07:00.0: [drm] fb0: amdgpudrmfb frame buffer device Setup is as follows: Hardware: ThinkPad P14s Gen 2 AMD Processor: AMD Ryzen™ 7 PRO 5850U OS: Arch Linux AMD Firmware: linux-firmware-amdgpu 20251125 Running a bisection gives the following: git bisect start # status: waiting for both good and bad commits # good: [8ac42a63c561a8b4cccfe84ed8b97bb057e6ffae] Linux 6.17.8 git bisect good 8ac42a63c561a8b4cccfe84ed8b97bb057e6ffae # status: waiting for bad commit, 1 good commit known # bad: [1bfd0faa78d09eb41b81b002e0292db0f3e75de0] Linux 6.17.9 git bisect bad 1bfd0faa78d09eb41b81b002e0292db0f3e75de0 # bad: [92ef36a75fbb56a02a16b141fe684f64fb2b1cb9] lib/crypto: arm/curve25519: Disable on CPU_BIG_ENDIAN git bisect bad 92ef36a75fbb56a02a16b141fe684f64fb2b1cb9 # bad: [aaba523dd7b6106526c24b1fd9b5fc35e5aaa88d] sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto git bisect bad aaba523dd7b6106526c24b1fd9b5fc35e5aaa88d # bad: [b3b288206a1ea7e21472f8d1c7834ebface9bb33] drm/amdkfd: fix suspend/resume all calls in mes based eviction path git bisect bad b3b288206a1ea7e21472f8d1c7834ebface9bb33 # good: [ac486718d6cc96e07bc67094221e682ba5ea6f76] drm/amd/pm: Use pm_display_cfg in legacy DPM (v2) git bisect good ac486718d6cc96e07bc67094221e682ba5ea6f76 # bad: [1009f007b3afba93082599e263b3807d05177d53] RISC-V: clear hot-unplugged cores from all task mm_cpumasks to avoid rfence errors git bisect bad 1009f007b3afba93082599e263b3807d05177d53 # bad: [ccd8af579101ca68f1fba8c9e055554202381cab] drm/amd: Disable ASPM on SI git bisect bad ccd8af579101ca68f1fba8c9e055554202381cab # bad: [e95425b6df29cc88fac7d0d77aa38a5a131dbf45] drm/amd/pm: Disable MCLK switching on SI at high pixel clocks git bisect bad e95425b6df29cc88fac7d0d77aa38a5a131dbf45 # bad: [5ee434b55134c24df7ad426d40fe28c6542fab4d] drm/amd/display: Disable fastboot on DCE 6 too git bisect bad 5ee434b55134c24df7ad426d40fe28c6542fab4d # first bad commit: [5ee434b55134c24df7ad426d40fe28c6542fab4d] drm/amd/display: Disable fastboot on DCE 6 too The error still occurs in 6.18, but reverting the above bad commit removes it. Although an error is reported, the system still boots to the graphical interface and appears to function normally, although I have neither benchmarked graphics performance or used the system for an extended period after the error has been flagged. Yours faithfully, Neil Gammie

4 days, 21 hours

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror