- Linux-stable-mirror - lists.linaro.org

[PATCH net v2] page_pool: Fix PP_MAGIC_MASK to avoid crashing on some 32-bit arches

by Toke Høiland-Jørgensen

Helge reported that the introduction of PP_MAGIC_MASK let to crashes on boot on his 32-bit parisc machine. The cause of this is the mask is set too wide, so the page_pool_page_is_pp() incurs false positives which crashes the machine. Just disabling the check in page_pool_is_pp() will lead to the page_pool code itself malfunctioning; so instead of doing this, this patch changes the define for PP_DMA_INDEX_BITS to avoid mistaking arbitrary kernel pointers for page_pool-tagged pages. The fix relies on the kernel pointers that alias with the pp_magic field always being above PAGE_OFFSET. With this assumption, we can use the lowest bit of the value of PAGE_OFFSET as the upper bound of the PP_DMA_INDEX_MASK, which should avoid the false positives. Because we cannot rely on PAGE_OFFSET always being a compile-time constant, nor on it always being >0, we fall back to disabling the dma_index storage when there are not enough bits available. This leaves us in the situation we were in before the patch in the Fixes tag, but only on a subset of architecture configurations. This seems to be the best we can do until the transition to page types in complete for page_pool pages. v2: - Make sure there's at least 8 bits available and that the PAGE_OFFSET bit calculation doesn't wrap Link: https://lore.kernel.org/all/aMNJMFa5fDalFmtn@p100/ Fixes: ee62ce7a1d90 ("page_pool: Track DMA-mapped pages and unmap them when destroying the pool") Cc: stable(a)vger.kernel.org # 6.15+ Tested-by: Helge Deller <deller(a)gmx.de> Signed-off-by: Toke Høiland-Jørgensen <toke(a)redhat.com> --- include/linux/mm.h | 22 +++++++------ net/core/page_pool.c | 76 ++++++++++++++++++++++++++++++-------------- 2 files changed, 66 insertions(+), 32 deletions(-) diff --git a/include/linux/mm.h b/include/linux/mm.h index 1ae97a0b8ec7..0905eb6b55ec 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -4159,14 +4159,13 @@ int arch_lock_shadow_stack_status(struct task_struct *t, unsigned long status); * since this value becomes part of PP_SIGNATURE; meaning we can just use the * space between the PP_SIGNATURE value (without POISON_POINTER_DELTA), and the * lowest bits of POISON_POINTER_DELTA. On arches where POISON_POINTER_DELTA is - * 0, we make sure that we leave the two topmost bits empty, as that guarantees - * we won't mistake a valid kernel pointer for a value we set, regardless of the - * VMSPLIT setting. + * 0, we use the lowest bit of PAGE_OFFSET as the boundary if that value is + * known at compile-time. * - * Altogether, this means that the number of bits available is constrained by - * the size of an unsigned long (at the upper end, subtracting two bits per the - * above), and the definition of PP_SIGNATURE (with or without - * POISON_POINTER_DELTA). + * If the value of PAGE_OFFSET is not known at compile time, or if it is too + * small to leave at least 8 bits available above PP_SIGNATURE, we define the + * number of bits to be 0, which turns off the DMA index tracking altogether + * (see page_pool_register_dma_index()). */ #define PP_DMA_INDEX_SHIFT (1 + __fls(PP_SIGNATURE - POISON_POINTER_DELTA)) #if POISON_POINTER_DELTA > 0 @@ -4175,8 +4174,13 @@ int arch_lock_shadow_stack_status(struct task_struct *t, unsigned long status); */ #define PP_DMA_INDEX_BITS MIN(32, __ffs(POISON_POINTER_DELTA) - PP_DMA_INDEX_SHIFT) #else -/* Always leave out the topmost two; see above. */ -#define PP_DMA_INDEX_BITS MIN(32, BITS_PER_LONG - PP_DMA_INDEX_SHIFT - 2) +/* Use the lowest bit of PAGE_OFFSET if there's at least 8 bits available; see above */ +#define PP_DMA_INDEX_MIN_OFFSET (1 << (PP_DMA_INDEX_SHIFT + 8)) +#define PP_DMA_INDEX_BITS ((__builtin_constant_p(PAGE_OFFSET) && \ + PAGE_OFFSET >= PP_DMA_INDEX_MIN_OFFSET && \ + !(PAGE_OFFSET & (PP_DMA_INDEX_MIN_OFFSET - 1))) ? \ + MIN(32, __ffs(PAGE_OFFSET) - PP_DMA_INDEX_SHIFT) : 0) + #endif #define PP_DMA_INDEX_MASK GENMASK(PP_DMA_INDEX_BITS + PP_DMA_INDEX_SHIFT - 1, \ diff --git a/net/core/page_pool.c b/net/core/page_pool.c index 492728f9e021..1a5edec485f1 100644 --- a/net/core/page_pool.c +++ b/net/core/page_pool.c @@ -468,11 +468,60 @@ page_pool_dma_sync_for_device(const struct page_pool *pool, } } +static int page_pool_register_dma_index(struct page_pool *pool, + netmem_ref netmem, gfp_t gfp) +{ + int err = 0; + u32 id; + + if (unlikely(!PP_DMA_INDEX_BITS)) + goto out; + + if (in_softirq()) + err = xa_alloc(&pool->dma_mapped, &id, netmem_to_page(netmem), + PP_DMA_INDEX_LIMIT, gfp); + else + err = xa_alloc_bh(&pool->dma_mapped, &id, netmem_to_page(netmem), + PP_DMA_INDEX_LIMIT, gfp); + if (err) { + WARN_ONCE(err != -ENOMEM, "couldn't track DMA mapping, please report to netdev@"); + goto out; + } + + netmem_set_dma_index(netmem, id); +out: + return err; +} + +static int page_pool_release_dma_index(struct page_pool *pool, + netmem_ref netmem) +{ + struct page *old, *page = netmem_to_page(netmem); + unsigned long id; + + if (unlikely(!PP_DMA_INDEX_BITS)) + return 0; + + id = netmem_get_dma_index(netmem); + if (!id) + return -1; + + if (in_softirq()) + old = xa_cmpxchg(&pool->dma_mapped, id, page, NULL, 0); + else + old = xa_cmpxchg_bh(&pool->dma_mapped, id, page, NULL, 0); + if (old != page) + return -1; + + netmem_set_dma_index(netmem, 0); + + return 0; +} + static bool page_pool_dma_map(struct page_pool *pool, netmem_ref netmem, gfp_t gfp) { dma_addr_t dma; int err; - u32 id; /* Setup DMA mapping: use 'struct page' area for storing DMA-addr * since dma_addr_t can be either 32 or 64 bits and does not always fit @@ -491,18 +540,10 @@ static bool page_pool_dma_map(struct page_pool *pool, netmem_ref netmem, gfp_t g goto unmap_failed; } - if (in_softirq()) - err = xa_alloc(&pool->dma_mapped, &id, netmem_to_page(netmem), - PP_DMA_INDEX_LIMIT, gfp); - else - err = xa_alloc_bh(&pool->dma_mapped, &id, netmem_to_page(netmem), - PP_DMA_INDEX_LIMIT, gfp); - if (err) { - WARN_ONCE(err != -ENOMEM, "couldn't track DMA mapping, please report to netdev@"); + err = page_pool_register_dma_index(pool, netmem, gfp); + if (err) goto unset_failed; - } - netmem_set_dma_index(netmem, id); page_pool_dma_sync_for_device(pool, netmem, pool->p.max_len); return true; @@ -680,8 +721,6 @@ void page_pool_clear_pp_info(netmem_ref netmem) static __always_inline void __page_pool_release_netmem_dma(struct page_pool *pool, netmem_ref netmem) { - struct page *old, *page = netmem_to_page(netmem); - unsigned long id; dma_addr_t dma; if (!pool->dma_map) @@ -690,15 +729,7 @@ static __always_inline void __page_pool_release_netmem_dma(struct page_pool *poo */ return; - id = netmem_get_dma_index(netmem); - if (!id) - return; - - if (in_softirq()) - old = xa_cmpxchg(&pool->dma_mapped, id, page, NULL, 0); - else - old = xa_cmpxchg_bh(&pool->dma_mapped, id, page, NULL, 0); - if (old != page) + if (page_pool_release_dma_index(pool, netmem)) return; dma = page_pool_get_dma_addr_netmem(netmem); @@ -708,7 +739,6 @@ static __always_inline void __page_pool_release_netmem_dma(struct page_pool *poo PAGE_SIZE << pool->p.order, pool->p.dma_dir, DMA_ATTR_SKIP_CPU_SYNC | DMA_ATTR_WEAK_ORDERING); page_pool_set_dma_addr_netmem(netmem, 0); - netmem_set_dma_index(netmem, 0); } /* Disconnects a page (from a page_pool). API users can have a need -- 2.51.0

2 months, 2 weeks

4
5
0 0

[PATCH] PCI: probe: fix typo: CONFIG_PCI_PWRCTRL -> CONFIG_PCI_PWRCTL

by Victor Paul

The commit 8c493cc91f3a ("PCI/pwrctrl: Create pwrctrl devices only when CONFIG_PCI_PWRCTRL is enabled") introduced a typo, it uses CONFIG_PCI_PWRCTRL while the correct symbol is CONFIG_PCI_PWRCTL. As reported by Daniel Martin, it causes device initialization failures on some arm boards. I encountered it on sm8250-xiaomi-pipa after rebasing from v6.15.8 to v6.15.11, with the following error: [ 6.035321] pcieport 0000:00:00.0: Failed to create device link (0x180) with supplier qca6390-pmu for /soc@0/pcie@1c00000/pcie@0/wifi@0 Fix the typo to use the correct CONFIG_PCI_PWRCTL symbol. Fixes: 8c493cc91f3a ("PCI/pwrctrl: Create pwrctrl devices only when CONFIG_PCI_PWRCTRL is enabled") Cc: stable(a)vger.kernel.org Reported-by: Daniel Martin <dmanlfc(a)gmail.com> Closes: https://lore.kernel.org/linux-pci/2025081053-expectant-observant-6268@gregk… Signed-off-by: Victor Paul <vipoll(a)mainlining.org> --- drivers/pci/probe.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c index 19010c382864..7e97e33b3fb5 100644 --- a/drivers/pci/probe.c +++ b/drivers/pci/probe.c @@ -2508,7 +2508,7 @@ bool pci_bus_read_dev_vendor_id(struct pci_bus *bus, int devfn, u32 *l, } EXPORT_SYMBOL(pci_bus_read_dev_vendor_id); -#if IS_ENABLED(CONFIG_PCI_PWRCTRL) +#if IS_ENABLED(CONFIG_PCI_PWRCTL) static struct platform_device *pci_pwrctrl_create_device(struct pci_bus *bus, int devfn) { struct pci_host_bridge *host = pci_find_host_bridge(bus); -- 2.51.0

2 months, 2 weeks

3
2
0 0

[PATCH] serial: sc16is7xx: remove useless enable of enhanced features

by Hugo Villeneuve

From: Hugo Villeneuve <hvilleneuve(a)dimonoff.com> Commit 43c51bb573aa ("sc16is7xx: make sure device is in suspend once probed") permanently enabled access to the enhanced features in sc16is7xx_probe(), and it is never disabled after that. Therefore, remove re-enable of enhanced features in sc16is7xx_set_baud(). This eliminates a potential useless read + write cycle each time the baud rate is reconfigured. Fixes: 43c51bb573aa ("sc16is7xx: make sure device is in suspend once probed") Cc: stable(a)vger.kernel.org Signed-off-by: Hugo Villeneuve <hvilleneuve(a)dimonoff.com> --- This patch was originally part of this series: https://lore.kernel.org/linux-serial/20251002145738.3250272-1-hugo@hugovil.… and it is now separate as suggested by Greg to facilitate stable backporting. --- drivers/tty/serial/sc16is7xx.c | 7 ------- 1 file changed, 7 deletions(-) diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c index 1a2c4c14f6aac..c7435595dce13 100644 --- a/drivers/tty/serial/sc16is7xx.c +++ b/drivers/tty/serial/sc16is7xx.c @@ -588,13 +588,6 @@ static int sc16is7xx_set_baud(struct uart_port *port, int baud) div /= prescaler; } - /* Enable enhanced features */ - sc16is7xx_efr_lock(port); - sc16is7xx_port_update(port, SC16IS7XX_EFR_REG, - SC16IS7XX_EFR_ENABLE_BIT, - SC16IS7XX_EFR_ENABLE_BIT); - sc16is7xx_efr_unlock(port); - /* If bit MCR_CLKSEL is set, the divide by 4 prescaler is activated. */ sc16is7xx_port_update(port, SC16IS7XX_MCR_REG, SC16IS7XX_MCR_CLKSEL_BIT, base-commit: fd94619c43360eb44d28bd3ef326a4f85c600a07 -- 2.39.5

2 months, 2 weeks

1
0
0 0

[PATCH v3] Revert "sunvdc: Do not spin in an infinite loop when vio_ldc_send() returns EAGAIN"

by John Paul Adrian Glaubitz

In a11f6ca9aef9 ("sunvdc: Do not spin in an infinite loop when vio_ldc_send() returns EAGAIN"), a maximum retry count was added to __vdc_tx_trigger(). After this change, several users reported disk I/O errors when running Linux inside a logical domain on Solaris 11.4: [19095.192532] sunvdc: vdc_tx_trigger() failure, err=-11 [19095.192605] I/O error, dev vdiskc, sector 368208928 op 0x1:(WRITE) flags 0x1000 phys_seg 2 prio class 2 [19095.205681] XFS (vdiskc1): metadata I/O error in "xfs_buf_ioend+0x28c/0x600 [xfs]" at daddr 0x15f26420 len 32 error 5 [19432.043471] sunvdc: vdc_tx_trigger() failure, err=-11 [19432.043529] I/O error, dev vdiskc, sector 3732568 op 0x1:(WRITE) flags 0x1000 phys_seg 1 prio class 2 [19432.058821] sunvdc: vdc_tx_trigger() failure, err=-11 [19432.058843] I/O error, dev vdiskc, sector 3736256 op 0x1:(WRITE) flags 0x1000 phys_seg 4 prio class 2 [19432.074109] sunvdc: vdc_tx_trigger() failure, err=-11 [19432.074128] I/O error, dev vdiskc, sector 3736512 op 0x1:(WRITE) flags 0x1000 phys_seg 4 prio class 2 [19432.089425] sunvdc: vdc_tx_trigger() failure, err=-11 [19432.089443] I/O error, dev vdiskc, sector 3737024 op 0x1:(WRITE) flags 0x1000 phys_seg 1 prio class 2 [19432.100964] XFS (vdiskc1): metadata I/O error in "xfs_buf_ioend+0x28c/0x600 [xfs]" at daddr 0x38ec58 len 8 error 5 Since this change seems to have only been justified by reading the code which becomes evident by the reference to adddc32d6fde ("sunvnet: Do not spin in an infinite loop when vio_ldc_send() returns EAGAIN") in the commit message, it can be safely assumed that the change was neither properly tested nor motivated by any actual bug reports. Thus, let's revert this change to address the disk I/O errors above. Cc: stable(a)vger.kernel.org Fixes: a11f6ca9aef9 ("sunvdc: Do not spin in an infinite loop when vio_ldc_send() returns EAGAIN") Signed-off-by: John Paul Adrian Glaubitz <glaubitz(a)physik.fu-berlin.de> --- Changes since v1: - Rephrase commit message Changes since v2: - Add missing CC and Fixes tags --- drivers/block/sunvdc.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/drivers/block/sunvdc.c b/drivers/block/sunvdc.c index 282f81616a78..f56023c2b033 100644 --- a/drivers/block/sunvdc.c +++ b/drivers/block/sunvdc.c @@ -45,8 +45,6 @@ MODULE_VERSION(DRV_MODULE_VERSION); #define WAITING_FOR_GEN_CMD 0x04 #define WAITING_FOR_ANY -1 -#define VDC_MAX_RETRIES 10 - static struct workqueue_struct *sunvdc_wq; struct vdc_req_entry { @@ -437,7 +435,6 @@ static int __vdc_tx_trigger(struct vdc_port *port) .end_idx = dr->prod, }; int err, delay; - int retries = 0; hdr.seq = dr->snd_nxt; delay = 1; @@ -450,8 +447,6 @@ static int __vdc_tx_trigger(struct vdc_port *port) udelay(delay); if ((delay <<= 1) > 128) delay = 128; - if (retries++ > VDC_MAX_RETRIES) - break; } while (err == -EAGAIN); if (err == -ENOTCONN) -- 2.47.3

2 months, 2 weeks

1
0
0 0

71d2893a235bf3b95baccead27b3d47f2f2cdc4c

by Gergo Koteles

Hey Greg, I think this commit should be applied to v6.16 stable, because without it some speakers may be damaged. Thanks, Gergo

2 months, 2 weeks

2
1
0 0

[STABLE 5.15.y] [PATCH] KVM: arm64: Fix softirq masking in FPSIMD register saving sequence

by Will Deacon

Stable commit 23249dade24e ("KVM: arm64: Fix kernel BUG() due to bad backport of FPSIMD/SVE/SME fix") fixed a kernel BUG() caused by a bad backport of upstream commit fbc7e61195e2 ("KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state") by ensuring that softirqs are disabled/enabled across the fpsimd register save operation. Unfortunately, although this fixes the original issue, it can now lead to deadlock when re-enabling softirqs causes pending softirqs to be handled with locks already held: | BUG: spinlock recursion on CPU#7, CPU 3/KVM/57616 | lock: 0xffff3045ef850240, .magic: dead4ead, .owner: CPU 3/KVM/57616, .owner_cpu: 7 | CPU: 7 PID: 57616 Comm: CPU 3/KVM Tainted: G O 6.1.152 #1 | Hardware name: SoftIron SoftIron Platform Mainboard/SoftIron Platform Mainboard, BIOS 1.31 May 11 2023 | Call trace: | dump_backtrace+0xe4/0x110 | show_stack+0x20/0x30 | dump_stack_lvl+0x6c/0x88 | dump_stack+0x18/0x34 | spin_dump+0x98/0xac | do_raw_spin_lock+0x70/0x128 | _raw_spin_lock+0x18/0x28 | raw_spin_rq_lock_nested+0x18/0x28 | update_blocked_averages+0x70/0x550 | run_rebalance_domains+0x50/0x70 | handle_softirqs+0x198/0x328 | __do_softirq+0x1c/0x28 | ____do_softirq+0x18/0x28 | call_on_irq_stack+0x30/0x48 | do_softirq_own_stack+0x24/0x30 | do_softirq+0x74/0x90 | __local_bh_enable_ip+0x64/0x80 | fpsimd_save_and_flush_cpu_state+0x5c/0x68 | kvm_arch_vcpu_put_fp+0x4c/0x88 | kvm_arch_vcpu_put+0x28/0x88 | kvm_sched_out+0x38/0x58 | __schedule+0x55c/0x6c8 | schedule+0x60/0xa8 Take a tiny step towards the upstream fix in 9b19700e623f ("arm64: fpsimd: Drop unneeded 'busy' flag") by additionally disabling hardirqs while saving the fpsimd registers. Cc: Ard Biesheuvel <ardb(a)kernel.org> Cc: Lee Jones <lee(a)kernel.org> Cc: Sasha Levin <sashal(a)kernel.org> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org Cc: <stable(a)vger.kernel.org> # 5.15.y Fixes: 23249dade24e ("KVM: arm64: Fix kernel BUG() due to bad backport of FPSIMD/SVE/SME fix") Reported-by: Kenneth Van Alstyne <kvanals(a)kvanals.org> Link: https://lore.kernel.org/r/010001999bae0958-4d80d25d-8dda-4006-a6b9-798f3e77… Signed-off-by: Will Deacon <will(a)kernel.org> --- arch/arm64/kernel/fpsimd.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c index fc51cdd5aaa7..db1ed940a6dc 100644 --- a/arch/arm64/kernel/fpsimd.c +++ b/arch/arm64/kernel/fpsimd.c @@ -1300,13 +1300,17 @@ static void fpsimd_flush_cpu_state(void) */ void fpsimd_save_and_flush_cpu_state(void) { + unsigned long flags; + if (!system_supports_fpsimd()) return; WARN_ON(preemptible()); - get_cpu_fpsimd_context(); + local_irq_save(flags); + __get_cpu_fpsimd_context(); fpsimd_save(); fpsimd_flush_cpu_state(); - put_cpu_fpsimd_context(); + __put_cpu_fpsimd_context(); + local_irq_restore(flags); } #ifdef CONFIG_KERNEL_MODE_NEON -- 2.51.0.618.g983fd99d29-goog

2 months, 2 weeks

3
3
0 0

Linux 6.17.1

by Greg Kroah-Hartman

I'm announcing the release of the 6.17.1 kernel. All users of the 6.17 kernel series must upgrade. The updated 6.17.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.17.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 block/blk-mq-tag.c | 1 drivers/media/i2c/tc358743.c | 4 - drivers/media/pci/b2c2/flexcop-pci.c | 2 drivers/media/platform/qcom/iris/iris_buffer.c | 10 +++ drivers/media/platform/st/stm32/stm32-csi.c | 4 - drivers/media/rc/imon.c | 27 ++++++--- drivers/media/tuners/xc5000.c | 2 drivers/media/usb/uvc/uvc_driver.c | 73 +++++++++++++++---------- drivers/media/usb/uvc/uvcvideo.h | 2 drivers/net/wireless/ath/ath11k/qmi.c | 2 drivers/net/wireless/realtek/rtw89/core.c | 30 ++++++++-- drivers/net/wireless/realtek/rtw89/core.h | 35 +++++++++++ drivers/net/wireless/realtek/rtw89/pci.c | 3 - drivers/net/wireless/realtek/rtw89/ser.c | 2 drivers/target/target_core_configfs.c | 2 mm/swapfile.c | 3 + scripts/gcc-plugins/gcc-common.h | 7 ++ sound/soc/qcom/qdsp6/topology.c | 4 - sound/usb/midi.c | 9 +-- 20 files changed, 165 insertions(+), 59 deletions(-) Chandra Mohan Sundar (1): media: stm32-csi: Fix dereference before NULL check Charan Teja Kalla (1): mm: swap: check for stable address space before operating on the VMA Dikshita Agarwal (1): media: iris: Fix memory leak by freeing untracked persist buffer Duoming Zhou (3): media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe media: tuner: xc5000: Fix use-after-free in xc5000_release Fedor Pchelkin (1): wifi: rtw89: fix use-after-free in rtw89_core_tx_kick_off_and_wait() Greg Kroah-Hartman (1): Linux 6.17.1 Jeongjun Park (1): ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free Kees Cook (1): gcc-plugins: Remove TODO_verify_il for GCC >= 16 Larshin Sergey (1): media: rc: fix races with imon_disconnect() Matvey Kovalev (1): wifi: ath11k: fix NULL dereference in ath11k_qmi_m3_load() Srinivas Kandagatla (1): ASoC: qcom: audioreach: fix potential null pointer dereference Thadeu Lima de Souza Cascardo (1): media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID Wang Haoran (1): scsi: target: target_core_configfs: Add length check to avoid buffer overflow Yu Kuai (1): blk-mq: fix blk_mq_tags double free while nr_requests grown

2 months, 2 weeks

1
1
0 0

Linux 6.16.11

by Greg Kroah-Hartman

I'm announcing the release of the 6.16.11 kernel. All users of the 6.16 kernel series must upgrade. The updated 6.16.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.16.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 block/blk-mq-tag.c | 1 drivers/media/i2c/tc358743.c | 4 - drivers/media/pci/b2c2/flexcop-pci.c | 2 drivers/media/platform/qcom/iris/iris_buffer.c | 10 +++ drivers/media/platform/st/stm32/stm32-csi.c | 4 - drivers/media/rc/imon.c | 27 ++++++--- drivers/media/tuners/xc5000.c | 2 drivers/media/usb/uvc/uvc_driver.c | 73 +++++++++++++++---------- drivers/media/usb/uvc/uvcvideo.h | 2 drivers/net/wireless/ath/ath11k/qmi.c | 2 drivers/target/target_core_configfs.c | 2 mm/swapfile.c | 3 + scripts/gcc-plugins/gcc-common.h | 7 ++ sound/soc/qcom/qdsp6/topology.c | 4 - sound/usb/midi.c | 9 +-- 16 files changed, 104 insertions(+), 50 deletions(-) Chandra Mohan Sundar (1): media: stm32-csi: Fix dereference before NULL check Charan Teja Kalla (1): mm: swap: check for stable address space before operating on the VMA Dikshita Agarwal (1): media: iris: Fix memory leak by freeing untracked persist buffer Duoming Zhou (3): media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe media: tuner: xc5000: Fix use-after-free in xc5000_release Greg Kroah-Hartman (1): Linux 6.16.11 Jeongjun Park (1): ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free Kees Cook (1): gcc-plugins: Remove TODO_verify_il for GCC >= 16 Larshin Sergey (1): media: rc: fix races with imon_disconnect() Matvey Kovalev (1): wifi: ath11k: fix NULL dereference in ath11k_qmi_m3_load() Srinivas Kandagatla (1): ASoC: qcom: audioreach: fix potential null pointer dereference Thadeu Lima de Souza Cascardo (1): media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID Wang Haoran (1): scsi: target: target_core_configfs: Add length check to avoid buffer overflow Yu Kuai (1): blk-mq: fix blk_mq_tags double free while nr_requests grown

2 months, 2 weeks

1
1
0 0

Linux 6.12.51

by Greg Kroah-Hartman

I'm announcing the release of the 6.12.51 kernel. All users of the 6.12 kernel series must upgrade. The updated 6.12.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.12.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 drivers/media/pci/b2c2/flexcop-pci.c | 2 drivers/media/rc/imon.c | 27 +++++++++--- drivers/media/tuners/xc5000.c | 2 drivers/media/usb/uvc/uvc_driver.c | 73 +++++++++++++++++++++------------- drivers/media/usb/uvc/uvcvideo.h | 2 drivers/net/wireless/ath/ath11k/qmi.c | 2 drivers/target/target_core_configfs.c | 2 include/crypto/sha256_base.h | 2 mm/swapfile.c | 3 + scripts/gcc-plugins/gcc-common.h | 7 +++ sound/soc/qcom/qdsp6/topology.c | 4 - 12 files changed, 86 insertions(+), 42 deletions(-) Breno Leitao (1): crypto: sha256 - fix crash at kexec Charan Teja Kalla (1): mm: swap: check for stable address space before operating on the VMA Duoming Zhou (2): media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove media: tuner: xc5000: Fix use-after-free in xc5000_release Greg Kroah-Hartman (1): Linux 6.12.51 Kees Cook (1): gcc-plugins: Remove TODO_verify_il for GCC >= 16 Larshin Sergey (1): media: rc: fix races with imon_disconnect() Matvey Kovalev (1): wifi: ath11k: fix NULL dereference in ath11k_qmi_m3_load() Srinivas Kandagatla (1): ASoC: qcom: audioreach: fix potential null pointer dereference Thadeu Lima de Souza Cascardo (1): media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID Wang Haoran (1): scsi: target: target_core_configfs: Add length check to avoid buffer overflow

2 months, 2 weeks

1
1
0 0

Linux 6.6.110

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.110 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 drivers/media/pci/b2c2/flexcop-pci.c | 2 drivers/media/rc/imon.c | 27 +++++++++--- drivers/media/usb/uvc/uvc_driver.c | 73 +++++++++++++++++++++------------- drivers/media/usb/uvc/uvcvideo.h | 2 drivers/target/target_core_configfs.c | 2 include/crypto/sha256_base.h | 2 scripts/gcc-plugins/gcc-common.h | 7 +++ sound/soc/qcom/qdsp6/topology.c | 4 - 9 files changed, 81 insertions(+), 40 deletions(-) Breno Leitao (1): crypto: sha256 - fix crash at kexec Duoming Zhou (1): media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove Greg Kroah-Hartman (1): Linux 6.6.110 Kees Cook (1): gcc-plugins: Remove TODO_verify_il for GCC >= 16 Larshin Sergey (1): media: rc: fix races with imon_disconnect() Srinivas Kandagatla (1): ASoC: qcom: audioreach: fix potential null pointer dereference Thadeu Lima de Souza Cascardo (1): media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID Wang Haoran (1): scsi: target: target_core_configfs: Add length check to avoid buffer overflow

2 months, 2 weeks

1
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror