- Linux-stable-mirror - lists.linaro.org

[PATCH v6.12.y] ALSA: usb-audio: Fix missing unlock at error path of maxpacksize check

by Takashi Iwai

The recent backport of the upstream commit 05a1fc5efdd8 ("ALSA: usb-audio: Fix potential overflow of PCM transfer buffer") on the older stable kernels like 6.12.y was broken since it doesn't consider the mutex unlock, where the upstream code manages with guard(). In the older code, we still need an explicit unlock. This is a fix that corrects the error path, applied only on old stable trees. Reported-by: Pavel Machek <pavel(a)denx.de> Closes: https://lore.kernel.org/aSWtH0AZH5+aeb+a@duo.ucw.cz Fixes: 98e9d5e33bda ("ALSA: usb-audio: Fix potential overflow of PCM transfer buffer") Reviewed-by: Pavel Machek <pavel(a)denx.de> Signed-off-by: Takashi Iwai <tiwai(a)suse.de> --- sound/usb/endpoint.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c index 7238f65cbcff..aa201e4744bf 100644 --- a/sound/usb/endpoint.c +++ b/sound/usb/endpoint.c @@ -1389,7 +1389,8 @@ int snd_usb_endpoint_set_params(struct snd_usb_audio *chip, if (ep->packsize[1] > ep->maxpacksize) { usb_audio_dbg(chip, "Too small maxpacksize %u for rate %u / pps %u\n", ep->maxpacksize, ep->cur_rate, ep->pps); - return -EINVAL; + err = -EINVAL; + goto unlock; } /* calculate the frequency in 16.16 format */ -- 2.52.0

2 weeks, 3 days

2
1
0 0

FAILED: patch "[PATCH] drm/xe: Prevent BIT() overflow when handling invalid prefetch" failed to apply to 6.17-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.17-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.17.y git checkout FETCH_HEAD git cherry-pick -x d52dea485cd3c98cfeeb474cf66cf95df2ab142f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112407-envious-erupt-fc37@gregkh' --subject-prefix 'PATCH 6.17.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d52dea485cd3c98cfeeb474cf66cf95df2ab142f Mon Sep 17 00:00:00 2001 From: Shuicheng Lin <shuicheng.lin(a)intel.com> Date: Wed, 12 Nov 2025 18:10:06 +0000 Subject: [PATCH] drm/xe: Prevent BIT() overflow when handling invalid prefetch region If user provides a large value (such as 0x80) for parameter prefetch_mem_region_instance in vm_bind ioctl, it will cause BIT(prefetch_region) overflow as below: " ------------[ cut here ]------------ UBSAN: shift-out-of-bounds in drivers/gpu/drm/xe/xe_vm.c:3414:7 shift exponent 128 is too large for 64-bit type 'long unsigned int' CPU: 8 UID: 0 PID: 53120 Comm: xe_exec_system_ Tainted: G W 6.18.0-rc1-lgci-xe-kernel+ #200 PREEMPT(voluntary) Tainted: [W]=WARN Hardware name: ASUS System Product Name/PRIME Z790-P WIFI, BIOS 0812 02/24/2023 Call Trace: <TASK> dump_stack_lvl+0xa0/0xc0 dump_stack+0x10/0x20 ubsan_epilogue+0x9/0x40 __ubsan_handle_shift_out_of_bounds+0x10e/0x170 ? mutex_unlock+0x12/0x20 xe_vm_bind_ioctl.cold+0x20/0x3c [xe] ... " Fix it by validating prefetch_region before the BIT() usage. v2: Add Closes and Cc stable kernels. (Matt) Reported-by: Koen Koning <koen.koning(a)intel.com> Reported-by: Peter Senna Tschudin <peter.senna(a)linux.intel.com> Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6478 Cc: <stable(a)vger.kernel.org> # v6.8+ Reviewed-by: Matthew Auld <matthew.auld(a)intel.com> Signed-off-by: Shuicheng Lin <shuicheng.lin(a)intel.com> Signed-off-by: Matthew Auld <matthew.auld(a)intel.com> Link: https://patch.msgid.link/20251112181005.2120521-2-shuicheng.lin@intel.com (cherry picked from commit 8f565bdd14eec5611cc041dba4650e42ccdf71d9) Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> diff --git a/drivers/gpu/drm/xe/xe_vm.c b/drivers/gpu/drm/xe/xe_vm.c index ccb09ef4ec9e..cdd1dc540a59 100644 --- a/drivers/gpu/drm/xe/xe_vm.c +++ b/drivers/gpu/drm/xe/xe_vm.c @@ -3369,8 +3369,10 @@ static int vm_bind_ioctl_check_args(struct xe_device *xe, struct xe_vm *vm, op == DRM_XE_VM_BIND_OP_PREFETCH) || XE_IOCTL_DBG(xe, prefetch_region && op != DRM_XE_VM_BIND_OP_PREFETCH) || - XE_IOCTL_DBG(xe, (prefetch_region != DRM_XE_CONSULT_MEM_ADVISE_PREF_LOC && - !(BIT(prefetch_region) & xe->info.mem_region_mask))) || + XE_IOCTL_DBG(xe, (prefetch_region != DRM_XE_CONSULT_MEM_ADVISE_PREF_LOC && + /* Guard against undefined shift in BIT(prefetch_region) */ + (prefetch_region >= (sizeof(xe->info.mem_region_mask) * 8) || + !(BIT(prefetch_region) & xe->info.mem_region_mask)))) || XE_IOCTL_DBG(xe, obj && op == DRM_XE_VM_BIND_OP_UNMAP) || XE_IOCTL_DBG(xe, (flags & DRM_XE_VM_BIND_FLAG_MADVISE_AUTORESET) &&

2 weeks, 3 days

3
2
0 0

[PATCH 5.15.y 0/2] Backport fix of CVE-2024-37354 to 5.15.y

by Harshvardhan Jha

The fix of CVE-2024-37354 1ff2bd566fbc doesn't apply cleanly to 5.15 as it requires an extra prequisite patch `8a2b3da191e5a btrfs: add helper to truncate inode items when logging inode` for the context to be the same. Therefore two patches were brought back as part of this backport. The prerequisite patch is part of a 10 patch patch series however bringing all of them back felt more of a feature backport rather than CVE fix. Please let me know if bringing the entire series back is more preferrable then I shall re-send v2. Some basic smoke testing and btrfs testing on inhouse test suite was done and no regressions were observerd. Filipe Manana (1): btrfs: add helper to truncate inode items when logging inode Omar Sandoval (1): btrfs: fix crash on racing fsync and size-extending write into prealloc fs/btrfs/tree-log.c | 47 ++++++++++++++++++++++++++++----------------- 1 file changed, 29 insertions(+), 18 deletions(-) -- 2.50.1

2 weeks, 3 days

1
2
0 0

[PATCH 6.12 000/185] 6.12.59-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.59 release. There are 185 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sun, 23 Nov 2025 13:01:08 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.59-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.59-rc1 Pauli Virtanen <pav(a)iki.fi> Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete Jialin Wang <wjl.linux(a)gmail.com> proc: proc_maps_open allow proc_mem_open to return NULL John Sperbeck <jsperbeck(a)google.com> net: netpoll: ensure skb_pool list is always initialized Horatiu Vultur <horatiu.vultur(a)microchip.com> net: phy: micrel: Fix lan8814_config_init Abdun Nihaal <nihaal(a)cse.iitm.ac.in> isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe() Zi Yan <ziy(a)nvidia.com> mm/huge_memory: preserve PG_has_hwpoisoned if a folio is split to >0 order Zi Yan <ziy(a)nvidia.com> mm/huge_memory: do not change split_huge_page*() target order silently Lance Yang <lance.yang(a)linux.dev> mm/secretmem: fix use-after-free race in fault handler Kiryl Shutsemau <kas(a)kernel.org> mm/truncate: unmap large folio on split failure Kiryl Shutsemau <kas(a)kernel.org> mm/memory: do not populate page table entries beyond i_size Long Li <longli(a)microsoft.com> uio_hv_generic: Set event for all channels on the device Miguel Ojeda <ojeda(a)kernel.org> rust: kbuild: workaround `rustdoc` doctests modifier bug Miguel Ojeda <ojeda(a)kernel.org> rust: kbuild: treat `build_error` and `rustdoc` as kernel objects Olivier Langlois <olivier(a)trillion01.com> io_uring/napi: fix io_napi_entry RCU accesses Denis Arefev <arefev(a)swemel.ru> ALSA: hda: Fix missing pointer check in hda_component_manager_init function Sukrit Bhatnagar <Sukrit.Bhatnagar(a)sony.com> KVM: VMX: Fix check for valid GVA on an EPT violation Sean Christopherson <seanjc(a)google.com> KVM: VMX: Split out guts of EPT violation to common/exposed function Breno Leitao <leitao(a)debian.org> net: netpoll: fix incorrect refcount handling causing incorrect cleanup Breno Leitao <leitao(a)debian.org> net: netpoll: flush skb pool during cleanup Breno Leitao <leitao(a)debian.org> net: netpoll: Individualize the skb pool Sean Christopherson <seanjc(a)google.com> KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying Yan Zhao <yan.y.zhao(a)intel.com> KVM: guest_memfd: Remove RCU-protected attribute from slot->gmem.file Sean Christopherson <seanjc(a)google.com> KVM: guest_memfd: Pass index, not gfn, to __kvm_gmem_get_pfn() Michal Hocko <mhocko(a)suse.com> mm, percpu: do not consider sleepable allocations atomic Benjamin Berg <benjamin.berg(a)intel.com> wifi: mac80211: use wiphy_hrtimer_work for csa.switch_work Benjamin Berg <benjamin.berg(a)intel.com> wifi: cfg80211: add an hrtimer based delayed work item Paolo Abeni <pabeni(a)redhat.com> mptcp: fix MSG_PEEK stream corruption Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: join: properly kill background tasks Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: join: userspace: longer transfer Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: connect: trunc: read all recv data Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: join: endpoints: longer transfer Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: join: rm: set backup flag Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: connect: fix fallback note due to OoO André Draszik <andre.draszik(a)linaro.org> pmdomain: samsung: plug potential memleak during probe Miaoqian Lin <linmq006(a)gmail.com> pmdomain: imx: Fix reference count leak in imx_gpc_remove Sudeep Holla <sudeep.holla(a)arm.com> pmdomain: arm: scmi: Fix genpd leak on provider registration failure Vitaly Prosyak <vitaly.prosyak(a)amd.com> drm/amdgpu: disable peer-to-peer access for DCC-enabled GC12 VRAM surfaces Jonathan Kim <jonathan.kim(a)amd.com> drm/amdkfd: relax checks for over allocation of save area Zilin Guan <zilin(a)seu.edu.cn> btrfs: release root after error in data_reloc_print_warning_inode() Filipe Manana <fdmanana(a)suse.com> btrfs: do not update last_log_commit when logging inode due to a new name Zilin Guan <zilin(a)seu.edu.cn> btrfs: scrub: put bio after errors in scrub_raid56_parity_stripe() Naohiro Aota <naohiro.aota(a)wdc.com> btrfs: zoned: fix conventional zone capacity calculation Mario Limonciello (AMD) <superm1(a)kernel.org> PM: hibernate: Use atomic64_t for compressed_size variable Mario Limonciello (AMD) <superm1(a)kernel.org> PM: hibernate: Emit an error when image writing fails Niravkumar L Rabara <niravkumarlaxmidas.rabara(a)altera.com> EDAC/altera: Use INTTEST register for Ethernet and USB SBE injection Niravkumar L Rabara <niravkumarlaxmidas.rabara(a)altera.com> EDAC/altera: Handle OCRAM ECC enable after warm reset Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Use physical addresses for CSR_MERRENTRY/CSR_TLBRENTRY Song Liu <song(a)kernel.org> ftrace: Fix BPF fexit with livepatch Ankit Khushwaha <ankitkhushwaha.linux(a)gmail.com> selftests/user_events: fix type cast for write_index packed member in perf_test Borislav Petkov (AMD) <bp(a)alien8.de> x86/microcode/AMD: Add Zen5 model 0x44, stepping 0x1 minrev Hans de Goede <hansg(a)kernel.org> spi: Try to get ACPI GPIO IRQ earlier Henrique Carvalho <henrique.carvalho(a)suse.com> smb: client: fix cifs_pick_channel when channel needs reconnect Miaoqian Lin <linmq006(a)gmail.com> crypto: hisilicon/qm - Fix device reference leak in qm_get_qos_value Sourabh Jain <sourabhjain(a)linux.ibm.com> crash: fix crashkernel resource shrink Hao Ge <gehao(a)kylinos.cn> codetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for slabobj_ext Edward Adam Davis <eadavis(a)qq.com> cifs: client: fix memory leak in smb3_fs_context_parse_param Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Fix potential overflow of PCM transfer buffer Shawn Lin <shawn.lin(a)rock-chips.com> mmc: dw_mmc-rockchip: Fix wrong internal phase calculate Shawn Lin <shawn.lin(a)rock-chips.com> mmc: sdhci-of-dwcmshc: Change DLL_STRBIN_TAPNUM_DEFAULT to 0x4 Kairui Song <kasong(a)tencent.com> mm/shmem: fix THP allocation and fallback loop Isaac J. Manjarres <isaacmanjarres(a)google.com> mm/mm_init: fix hash table order logging in alloc_large_system_hash() Wei Yang <albinwyang(a)tencent.com> fs/proc: fix uaf in proc_readdir_de() Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: reject address change while connecting Steven Rostedt <rostedt(a)goodmis.org> selftests/tracing: Run sample events to clear page cache events Edward Adam Davis <eadavis(a)qq.com> nilfs2: avoid having an active sc_timer before freeing sci Chuang Wang <nashuiliang(a)gmail.com> ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe Tianyang Zhang <zhangtianyang(a)loongson.cn> LoongArch: Let {pte,pmd}_modify() record the status of _PAGE_DIRTY Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Use correct accessor to read FWPC/MWPC Qinxin Xia <xiaqinxin(a)huawei.com> dma-mapping: benchmark: Restore padding to ensure uABI remained consistent Nate Karstens <nate.karstens(a)garmin.com> strparser: Fix signed/unsigned mismatch bug Pedro Demarchi Gomes <pedrodemargomes(a)gmail.com> ksm: use range-walk function to jump over holes in scan_get_next_rmap_item Joshua Rogers <linux(a)joshua.hu> ksmbd: close accepted socket when per-IP limit rejects connection Peter Oberparleiter <oberpar(a)linux.ibm.com> gcov: add support for GCC 15 Olga Kornievskaia <okorniev(a)redhat.com> NFSD: free copynotify stateid in nfs4_free_ol_stateid() Olga Kornievskaia <okorniev(a)redhat.com> nfsd: add missing FATTR4_WORD2_CLONE_BLKSIZE from supported attributes NeilBrown <neil(a)brown.name> nfsd: fix refcount leak in nfsd_set_fh_dentry() Yosry Ahmed <yosry.ahmed(a)linux.dev> KVM: SVM: Mark VMCB_LBR dirty when MSR_IA32_DEBUGCTLMSR is updated Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Add delay until timer interrupt injected Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Restore guest PMU if it is enabled Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry() Abdun Nihaal <nihaal(a)cse.iitm.ac.in> HID: uclogic: Fix potential memory leak in error path Abdun Nihaal <nihaal(a)cse.iitm.ac.in> HID: playstation: Fix memory leak in dualshock4_get_calibration_data() Rafał Miłecki <rafal(a)milecki.pl> ARM: dts: BCM53573: Fix address of Luxul XAP-1440's Ethernet PHY Masami Ichikawa <masami256(a)gmail.com> HID: hid-ntrig: Prevent memory leak in ntrig_report_version() Jihed Chaibi <jihed.chaibi.dev(a)gmail.com> ARM: dts: imx51-zii-rdu1: Fix audmux node names Dragan Simic <dsimic(a)manjaro.org> arm64: dts: rockchip: Make RK3588 GPU OPP table naming less generic Anand Moon <linux.amoon(a)gmail.com> arm64: dts: rockchip: Set correct pinctrl for I2S1 8ch TX on odroid-m1 Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: reject duplicate device on updates Pablo Neira Ayuso <pablo(a)netfilter.org> Revert "netfilter: nf_tables: Reintroduce shortened deletion notifications" Zqiang <qiang.zhang(a)linux.dev> sched_ext: Fix unsafe locking in the scx_dump_state() Andrei Vagin <avagin(a)google.com> fs/namespace: correctly handle errors returned by grab_requested_mnt_ns Alok Tiwari <alok.a.tiwari(a)oracle.com> virtio-fs: fix incorrect check for fsvq->kobj Dan Carpenter <dan.carpenter(a)linaro.org> mtd: onenand: Pass correct pointer to IRQ handler Hongbo Li <lihongbo22(a)huawei.com> hostfs: Fix only passing host root in boot stage with new mount Chao Yu <chao(a)kernel.org> f2fs: fix to avoid overflow while left shift operation Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: MGMT: Fix possible UAFs Ye Bin <yebin10(a)huawei.com> ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all() Eric Biggers <ebiggers(a)kernel.org> lib/crypto: arm/curve25519: Disable on CPU_BIG_ENDIAN Ye Bin <yebin10(a)huawei.com> ext4: introduce ITAIL helper Penglei Jiang <superman.xpt(a)gmail.com> proc: fix the issue of proc_mem_open returning NULL Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org> wifi: ath11k: Clear affinity hint before calling ath11k_pcic_free_irq() in error path Nick Hu <nick.hu(a)sifive.com> irqchip/riscv-intc: Add missing free() callback in riscv_intc_domain_ops Eduard Zingerman <eddyz87(a)gmail.com> bpf: account for current allocated stack depth in widen_imprecise_scalars() Eric Dumazet <edumazet(a)google.com> bpf: Add bpf_prog_run_data_pointers() Dave Jiang <dave.jiang(a)intel.com> acpi/hmat: Fix lockdep warning for hmem_register_resource() Haein Lee <lhi0729(a)kaist.ac.kr> ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd Dai Ngo <dai.ngo(a)oracle.com> NFS: Fix LTP test failures when timestamps are delegated Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Fix an incorrect parameter when calling nfs4_call_sync() Yang Xiuwei <yangxiuwei(a)kylinos.cn> NFS: sysfs: fix leak when nfs_client kobject add fails Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv2/v3: Fix error handling in nfs_atomic_open_v23() Al Viro <viro(a)zeniv.linux.org.uk> simplify nfs_atomic_open_v23() Trond Myklebust <trond.myklebust(a)hammerspace.com> pnfs: Set transport security policy to RPC_XPRTSEC_NONE unless using TLS Trond Myklebust <trond.myklebust(a)hammerspace.com> pnfs: Fix TLS logic in _nfs4_pnfs_v4_ds_connect() Shenghao Ding <shenghao-ding(a)ti.com> ASoC: tas2781: fix getting the wrong device number Ian Forbes <ian.forbes(a)broadcom.com> drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE Haotian Zhang <vulab(a)iscas.ac.cn> ASoC: codecs: va-macro: fix resource leak in probe error path Haotian Zhang <vulab(a)iscas.ac.cn> ASoC: cs4271: Fix regulator leak on probe failure Haotian Zhang <vulab(a)iscas.ac.cn> regulator: fixed: fix GPIO descriptor leak on register failure Shuai Xue <xueshuai(a)linux.alibaba.com> acpi,srat: Fix incorrect device handle check for Generic Initiator Pauli Virtanen <pav(a)iki.fi> Bluetooth: L2CAP: export l2cap_chan_hold for modules Gautham R. Shenoy <gautham.shenoy(a)amd.com> ACPI: CPPC: Limit perf ctrs in PCC check only to online CPUs Gautham R. Shenoy <gautham.shenoy(a)amd.com> ACPI: CPPC: Perform fast check switch only for online CPUs Gautham R. Shenoy <gautham.shenoy(a)amd.com> ACPI: CPPC: Check _CPC validity for only the online CPUs Gautham R. Shenoy <gautham.shenoy(a)amd.com> ACPI: CPPC: Detect preferred core availability on online CPUs Felix Maurer <fmaurer(a)redhat.com> hsr: Fix supervision frame sending on HSRv0 Xuan Zhuo <xuanzhuo(a)linux.alibaba.com> virtio-net: fix incorrect flags recording in big mode Eric Dumazet <edumazet(a)google.com> net_sched: limit try_bulk_dequeue_skb() batches Gal Pressman <gal(a)nvidia.com> net/mlx5e: Fix potentially misleading debug message Gal Pressman <gal(a)nvidia.com> net/mlx5e: Fix wraparound in rate limiting for values above 255 Gbps Gal Pressman <gal(a)nvidia.com> net/mlx5e: Fix maxrate wraparound in threshold between units Ranganath V N <vnranganath.20(a)gmail.com> net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak Ranganath V N <vnranganath.20(a)gmail.com> net: sched: act_connmark: initialize struct tc_ife to fix kernel leak Eric Dumazet <edumazet(a)google.com> net_sched: act_connmark: use RCU in tcf_connmark_dump() Kuniyuki Iwashima <kuniyu(a)google.com> af_unix: Initialise scc_index in unix_add_edge(). Benjamin Berg <benjamin.berg(a)intel.com> wifi: mac80211: skip rate verification for not captured PSDUs Buday Csaba <buday.csaba(a)prolan.hu> net: mdio: fix resource leak in mdiobus_register_device() Kuniyuki Iwashima <kuniyu(a)google.com> tipc: Fix use-after-free in tipc_mon_reinit_self(). Aksh Garg <a-garg7(a)ti.com> net: ethernet: ti: am65-cpsw-qos: fix IET verify retry mechanism Aksh Garg <a-garg7(a)ti.com> net: ethernet: ti: am65-cpsw-qos: fix IET verify/response timeout Zilin Guan <zilin(a)seu.edu.cn> net/handshake: Fix memory leak in tls_handshake_accept() D. Wythe <alibuda(a)linux.alibaba.com> net/smc: fix mismatch between CLC header and proposal Eric Dumazet <edumazet(a)google.com> sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto Pauli Virtanen <pav(a)iki.fi> Bluetooth: 6lowpan: Don't hold spin lock over sleeping functions Pauli Virtanen <pav(a)iki.fi> Bluetooth: 6lowpan: fix BDADDR_LE vs ADDR_LE_DEV address type confusion Pauli Virtanen <pav(a)iki.fi> Bluetooth: 6lowpan: reset link-local header on ipv6 recv path Raphael Pinsonneault-Thibeault <rpthibeault(a)gmail.com> Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF Pauli Virtanen <pav(a)iki.fi> Bluetooth: MGMT: cancel mesh send timer when hdev removed Chuck Lever <chuck.lever(a)oracle.com> NFSD: Skip close replay processing if XDR encoding fails Xi Ruoyao <xry111(a)xry111.site> rust: Add -fno-isolate-erroneous-paths-dereference to bindgen_skip_c_flags Horatiu Vultur <horatiu.vultur(a)microchip.com> net: phy: micrel: lan8814 fix reset of the QSGMII interface Horatiu Vultur <horatiu.vultur(a)microchip.com> net: phy: micrel: Replace hardcoded pages with defines Horatiu Vultur <horatiu.vultur(a)microchip.com> net: phy: micrel: Introduce lanphy_modify_page_reg Wei Fang <wei.fang(a)nxp.com> net: fec: correct rx_bytes statistic for the case SHIFT16 is set Alexander Sverdlin <alexander.sverdlin(a)siemens.com> selftests: net: local_termination: Wait for interfaces to come up Gao Xiang <xiang(a)kernel.org> erofs: avoid infinite loop due to incomplete zstd-compressed data Nicolas Escande <nico.escande(a)gmail.com> wifi: ath11k: zero init info->status in wmi_process_mgmt_tx_comp() Sharique Mohammad <sharq0406(a)gmail.com> ASoC: max98090/91: fixed max98091 ALSA widget powering up/down Stuart Hayhurst <stuart.a.hayhurst(a)gmail.com> HID: logitech-hidpp: Add HIDPP_QUIRK_RESET_HI_RES_SCROLL ZhangGuoDong <zhangguodong(a)kylinos.cn> smb/server: fix possible refcount leak in smb2_sess_setup() ZhangGuoDong <zhangguodong(a)kylinos.cn> smb/server: fix possible memory leak in smb2_read() Jaehun Gou <p22gone(a)gmail.com> exfat: fix improper check of dentry.stream.valid_size Oleg Makarenko <oleg(a)makarenk.ooo> HID: quirks: Add ALWAYS_POLL quirk for VRS R295 steering wheel Scott Mayhew <smayhew(a)redhat.com> NFS: check if suid/sgid was cleared after a write as needed Vicki Pfau <vi(a)endrift.com> HID: nintendo: Wait longer for initial probe Tristan Lobb <tristan.lobb(a)it-lobb.de> HID: quirks: avoid Cooler Master MM712 dongle wakeup bug Joshua Watt <jpewhacker(a)gmail.com> NFS4: Apply delay_retrans to async operations Joshua Watt <jpewhacker(a)gmail.com> NFS4: Fix state renewals missing after boot Jesse.Zhang <Jesse.Zhang(a)amd.com> drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices Christian König <christian.koenig(a)amd.com> drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/pm: Disable MCLK switching on SI at high pixel clocks Christian König <christian.koenig(a)amd.com> drm/amdgpu: remove two invalid BUG_ON()s Han Gao <rabenda.cn(a)gmail.com> riscv: acpi: avoid errors caused by probing DT devices when ACPI is used Danil Skrebenkov <danil.skrebenkov(a)cloudbear.ru> RISC-V: clear hot-unplugged cores from all task mm_cpumasks to avoid rfence errors Feng Jiang <jiangfeng(a)kylinos.cn> riscv: Build loader.bin exclusively for Canaan K210 Peter Zijlstra <peterz(a)infradead.org> compiler_types: Move unused static inline functions warning to W=2 Yang Shi <yang(a)os.amperecomputing.com> arm64: kprobes: check the return value of set_memory_rox() Jouni Högander <jouni.hogander(a)intel.com> drm/xe: Do clean shutdown also when using flr Tejas Upadhyay <tejas.upadhyay(a)intel.com> drm/xe: Move declarations under conditional branch Balasubramani Vivekanandan <balasubramani.vivekanandan(a)intel.com> drm/xe/guc: Synchronize Dead CT worker with unbind Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Fix suspend failure with secure display TA Jason Gunthorpe <jgg(a)ziepe.ca> iommufd: Make vfio_compat's unmap succeed if the range is already empty Shuhao Fu <sfual(a)cse.ust.hk> smb: client: fix refcount leak in smb2_set_path_attr Umesh Nerlige Ramappa <umesh.nerlige.ramappa(a)intel.com> drm/i915: Fix conversion between clock ticks and nanoseconds Janusz Krzysztofik <janusz.krzysztofik(a)linux.intel.com> drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD Jason-JH Lin <jason-jh.lin(a)mediatek.com> drm/mediatek: Add pm_runtime support for GCE power control ------------- Diffstat: Makefile | 4 +- .../boot/dts/broadcom/bcm47189-luxul-xap-1440.dts | 4 +- arch/arm/boot/dts/nxp/imx/imx51-zii-rdu1.dts | 4 +- arch/arm/crypto/Kconfig | 2 +- arch/arm64/boot/dts/rockchip/rk3568-odroid-m1.dts | 2 + arch/arm64/boot/dts/rockchip/rk3588-opp.dtsi | 2 +- arch/arm64/boot/dts/rockchip/rk3588j.dtsi | 2 +- arch/arm64/kernel/probes/kprobes.c | 5 +- arch/loongarch/include/asm/hw_breakpoint.h | 4 +- arch/loongarch/include/asm/pgtable.h | 11 +- arch/loongarch/kernel/traps.c | 4 +- arch/loongarch/kvm/timer.c | 2 + arch/loongarch/kvm/vcpu.c | 5 + arch/riscv/Makefile | 2 +- arch/riscv/kernel/cpu-hotplug.c | 1 + arch/riscv/kernel/setup.c | 7 +- arch/x86/kernel/acpi/cppc.c | 2 +- arch/x86/kernel/cpu/microcode/amd.c | 1 + arch/x86/kvm/svm/svm.c | 4 + arch/x86/kvm/vmx/common.h | 34 ++ arch/x86/kvm/vmx/vmx.c | 25 +- drivers/acpi/cppc_acpi.c | 6 +- drivers/acpi/numa/hmat.c | 46 +- drivers/acpi/numa/srat.c | 2 +- drivers/bluetooth/btusb.c | 13 +- drivers/crypto/hisilicon/qm.c | 2 + drivers/edac/altera_edac.c | 22 +- drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 12 + drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 7 +- drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 5 +- drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c | 4 +- drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c | 3 + drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 2 - drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c | 2 - drivers/gpu/drm/amd/amdkfd/kfd_queue.c | 12 +- drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 5 + drivers/gpu/drm/i915/gt/intel_gt_clock_utils.c | 4 +- drivers/gpu/drm/i915/i915_vma.c | 16 +- drivers/gpu/drm/mediatek/mtk_crtc.c | 7 + drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 5 + drivers/gpu/drm/xe/xe_device.c | 14 +- drivers/gpu/drm/xe/xe_guc_ct.c | 3 + drivers/hid/hid-ids.h | 4 + drivers/hid/hid-logitech-hidpp.c | 21 + drivers/hid/hid-nintendo.c | 2 +- drivers/hid/hid-ntrig.c | 7 +- drivers/hid/hid-playstation.c | 2 + drivers/hid/hid-quirks.c | 2 + drivers/hid/hid-uclogic-params.c | 4 +- drivers/iommu/iommufd/io_pagetable.c | 12 +- drivers/iommu/iommufd/ioas.c | 4 + drivers/irqchip/irq-riscv-intc.c | 3 +- drivers/isdn/hardware/mISDN/hfcsusb.c | 18 +- drivers/mmc/host/dw_mmc-rockchip.c | 4 +- drivers/mmc/host/sdhci-of-dwcmshc.c | 2 +- drivers/mtd/nand/onenand/onenand_samsung.c | 2 +- drivers/net/dsa/sja1105/sja1105_static_config.c | 6 +- drivers/net/ethernet/freescale/fec_main.c | 2 + drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c | 33 +- drivers/net/ethernet/ti/am65-cpsw-qos.c | 53 ++- drivers/net/phy/mdio_bus.c | 5 +- drivers/net/phy/micrel.c | 515 +++++++++++++-------- drivers/net/virtio_net.c | 16 +- drivers/net/wireless/ath/ath11k/pci.c | 2 + drivers/net/wireless/ath/ath11k/wmi.c | 3 + drivers/pmdomain/arm/scmi_pm_domain.c | 13 +- drivers/pmdomain/imx/gpc.c | 2 + drivers/pmdomain/samsung/exynos-pm-domains.c | 11 +- drivers/regulator/fixed.c | 1 + drivers/spi/spi.c | 10 + drivers/uio/uio_hv_generic.c | 32 +- fs/btrfs/inode.c | 4 +- fs/btrfs/scrub.c | 2 + fs/btrfs/tree-log.c | 2 +- fs/btrfs/zoned.c | 4 +- fs/erofs/decompressor_zstd.c | 11 +- fs/exfat/namei.c | 6 +- fs/ext4/inode.c | 5 + fs/ext4/xattr.c | 32 +- fs/ext4/xattr.h | 10 + fs/f2fs/compress.c | 2 +- fs/fuse/virtio_fs.c | 2 +- fs/hostfs/hostfs_kern.c | 29 +- fs/namespace.c | 32 +- fs/nfs/dir.c | 23 +- fs/nfs/inode.c | 18 +- fs/nfs/nfs3client.c | 14 +- fs/nfs/nfs4client.c | 15 +- fs/nfs/nfs4proc.c | 22 +- fs/nfs/pnfs_nfs.c | 34 +- fs/nfs/sysfs.c | 1 + fs/nfs/write.c | 3 +- fs/nfsd/nfs4state.c | 3 +- fs/nfsd/nfs4xdr.c | 3 +- fs/nfsd/nfsd.h | 1 + fs/nfsd/nfsfh.c | 6 +- fs/nilfs2/segment.c | 7 +- fs/proc/base.c | 12 +- fs/proc/generic.c | 12 +- fs/proc/task_mmu.c | 8 +- fs/proc/task_nommu.c | 4 +- fs/smb/client/fs_context.c | 2 + fs/smb/client/smb2inode.c | 2 + fs/smb/client/transport.c | 2 +- fs/smb/server/smb2pdu.c | 2 + fs/smb/server/transport_tcp.c | 5 +- include/linux/compiler_types.h | 5 +- include/linux/filter.h | 20 + include/linux/huge_mm.h | 21 +- include/linux/kvm_host.h | 7 +- include/linux/map_benchmark.h | 1 + include/linux/netpoll.h | 1 + include/linux/nfs_xdr.h | 1 + include/net/bluetooth/mgmt.h | 2 +- include/net/cfg80211.h | 78 ++++ include/net/tc_act/tc_connmark.h | 1 + include/uapi/linux/mount.h | 2 +- io_uring/napi.c | 19 +- kernel/bpf/trampoline.c | 5 - kernel/bpf/verifier.c | 6 +- kernel/crash_core.c | 2 +- kernel/gcov/gcc_4_7.c | 4 +- kernel/power/swap.c | 17 +- kernel/sched/ext.c | 4 +- kernel/trace/ftrace.c | 20 +- mm/filemap.c | 20 +- mm/huge_memory.c | 32 +- mm/ksm.c | 113 ++++- mm/memory.c | 23 +- mm/mm_init.c | 2 +- mm/percpu.c | 8 +- mm/secretmem.c | 2 +- mm/shmem.c | 9 +- mm/slub.c | 6 +- mm/truncate.c | 27 +- net/bluetooth/6lowpan.c | 103 +++-- net/bluetooth/l2cap_core.c | 1 + net/bluetooth/mgmt.c | 260 ++++++++--- net/bluetooth/mgmt_util.c | 46 ++ net/bluetooth/mgmt_util.h | 3 + net/core/netpoll.c | 56 ++- net/handshake/tlshd.c | 1 + net/hsr/hsr_device.c | 3 + net/ipv4/route.c | 5 + net/mac80211/chan.c | 2 +- net/mac80211/ieee80211_i.h | 4 +- net/mac80211/iface.c | 14 +- net/mac80211/link.c | 4 +- net/mac80211/mlme.c | 18 +- net/mac80211/rx.c | 10 +- net/mptcp/protocol.c | 36 +- net/netfilter/nf_tables_api.c | 66 ++- net/sched/act_bpf.c | 6 +- net/sched/act_connmark.c | 30 +- net/sched/act_ife.c | 12 +- net/sched/cls_bpf.c | 6 +- net/sched/sch_generic.c | 17 +- net/sctp/transport.c | 13 +- net/smc/smc_clc.c | 1 + net/strparser/strparser.c | 2 +- net/tipc/net.c | 2 + net/unix/garbage.c | 14 +- net/wireless/core.c | 56 +++ net/wireless/trace.h | 21 + rust/Makefile | 16 +- sound/pci/hda/hda_component.c | 4 + sound/soc/codecs/cs4271.c | 10 +- sound/soc/codecs/lpass-va-macro.c | 2 +- sound/soc/codecs/max98090.c | 6 +- sound/soc/codecs/tas2781-i2c.c | 9 +- sound/usb/endpoint.c | 5 + sound/usb/mixer.c | 2 + .../ftrace/test.d/filter/event-filter-function.tc | 4 + tools/testing/selftests/iommu/iommufd.c | 2 + .../selftests/net/forwarding/local_termination.sh | 2 + tools/testing/selftests/net/mptcp/mptcp_connect.c | 18 +- tools/testing/selftests/net/mptcp/mptcp_connect.sh | 2 +- tools/testing/selftests/net/mptcp/mptcp_join.sh | 90 ++-- tools/testing/selftests/net/mptcp/mptcp_lib.sh | 21 + tools/testing/selftests/user_events/perf_test.c | 2 +- virt/kvm/guest_memfd.c | 89 ++-- 182 files changed, 2094 insertions(+), 912 deletions(-)

2 weeks, 3 days

13
202
0 0

[PATCH v2] media: venus: vdec: restrict EOS addr quirk to IRIS2 only

by Dikshita Agarwal

On SM8250 (IRIS2) with firmware older than 1.0.087, the firmware could not handle a dummy device address for EOS buffers, so a NULL device address is sent instead. The existing check used IS_V6() alongside a firmware version gate: if (IS_V6(core) && is_fw_rev_or_older(core, 1, 0, 87)) fdata.device_addr = 0; else fdata.device_addr = 0xdeadb000; However, SC7280 which is also V6, uses a firmware string of the form "1.0.<commit-hash>", which the version parser translates to 1.0.0. This unintentionally satisfies the `is_fw_rev_or_older(..., 1, 0, 87)` condition on SC7280. Combined with IS_V6() matching there as well, the quirk is incorrectly applied to SC7280, causing VP9 decode failures. Constrain the check to IRIS2 (SM8250) only, which is the only platform that needed this quirk, by replacing IS_V6() with IS_IRIS2(). This restores correct behavior on SC7280 (no forced NULL EOS buffer address). Fixes: 47f867cb1b63 ("media: venus: fix EOS handling in decoder stop command") Cc: stable(a)vger.kernel.org Reported-by: Mecid <mecid(a)mecomediagroup.de> Closes: https://github.com/qualcomm-linux/kernel-topics/issues/222 Co-developed-by: Renjiang Han <renjiang.han(a)oss.qualcomm.com> Signed-off-by: Renjiang Han <renjiang.han(a)oss.qualcomm.com> Signed-off-by: Dikshita Agarwal <dikshita.agarwal(a)oss.qualcomm.com> --- Changes in v2: - Fixed email address for Mecid (Konrad) - Added inline comment for the quirk (Konrad) - Link to v1: https://lore.kernel.org/r/20251124-venus-vp9-fix-v1-1-2ff36d9f2374@oss.qual… --- drivers/media/platform/qcom/venus/vdec.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/media/platform/qcom/venus/vdec.c b/drivers/media/platform/qcom/venus/vdec.c index 4a6641fdffcf79705893be58c7ec5cf485e2fab9..6b3d5e59133e6902353d15c24c8bbaed4fcb6808 100644 --- a/drivers/media/platform/qcom/venus/vdec.c +++ b/drivers/media/platform/qcom/venus/vdec.c @@ -565,7 +565,13 @@ vdec_decoder_cmd(struct file *file, void *fh, struct v4l2_decoder_cmd *cmd) fdata.buffer_type = HFI_BUFFER_INPUT; fdata.flags |= HFI_BUFFERFLAG_EOS; - if (IS_V6(inst->core) && is_fw_rev_or_older(inst->core, 1, 0, 87)) + + /* Send NULL EOS addr for only IRIS2 (SM8250),for firmware <= 1.0.87. + * SC7280 also reports "1.0.<hash>" parsed as 1.0.0; restricting to IRIS2 + * avoids misapplying this quirk and breaking VP9 decode on SC7280. + */ + + if (IS_IRIS2(inst->core) && is_fw_rev_or_older(inst->core, 1, 0, 87)) fdata.device_addr = 0; else fdata.device_addr = 0xdeadb000; --- base-commit: 1f2353f5a1af995efbf7bea44341aa0d03460b28 change-id: 20251121-venus-vp9-fix-1ff602724c02 Best regards, -- Dikshita Agarwal <dikshita.agarwal(a)oss.qualcomm.com>

2 weeks, 3 days

3
6
0 0

[PATCH v2] xhci: dbgtty: fix device unregister

by Łukasz Bartosik

From: Łukasz Bartosik <ukaszb(a)chromium.org> When DbC is disconnected then xhci_dbc_tty_unregister_device() is called. However if there is any user space process blocked on write to DbC terminal device then it will never be signalled and thus stay blocked indifinitely. This fix adds a tty_vhangup() call in xhci_dbc_tty_unregister_device(). The tty_vhangup() wakes up any blocked writers and causes subsequent write attempts to DbC terminal device to fail. Cc: stable(a)vger.kernel.org Fixes: dfba2174dc42 ("usb: xhci: Add DbC support in xHCI driver") Signed-off-by: Łukasz Bartosik <ukaszb(a)chromium.org> --- Changes in v2: - Replaced tty_hangup() with tty_vhangup() --- drivers/usb/host/xhci-dbgtty.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/usb/host/xhci-dbgtty.c b/drivers/usb/host/xhci-dbgtty.c index d894081d8d15..ad86f315c26d 100644 --- a/drivers/usb/host/xhci-dbgtty.c +++ b/drivers/usb/host/xhci-dbgtty.c @@ -535,6 +535,12 @@ static void xhci_dbc_tty_unregister_device(struct xhci_dbc *dbc) if (!port->registered) return; + /* + * Hang up the TTY. This wakes up any blocked + * writers and causes subsequent writes to fail. + */ + tty_vhangup(port->port.tty); + tty_unregister_device(dbc_tty_driver, port->minor); xhci_dbc_tty_exit_port(port); port->registered = false; -- 2.52.0.rc1.455.g30608eb744-goog

2 weeks, 3 days

4
8
0 0

[PATCH v2 2/2] usb: typec: ucsi: fix use-after-free caused by uec->work

by Duoming Zhou

The delayed work uec->work is scheduled in gaokun_ucsi_probe() but never properly canceled in gaokun_ucsi_remove(). This creates use-after-free scenarios where the ucsi and gaokun_ucsi structure are freed after ucsi_destroy() completes execution, while the gaokun_ucsi_register_worker() might be either currently executing or still pending in the work queue. The already-freed gaokun_ucsi or ucsi structure may then be accessed. Furthermore, the race window is 3 seconds, which is sufficiently long to make this bug easily reproducible. The following is the trace captured by KASAN: ================================================================== BUG: KASAN: slab-use-after-free in __run_timers+0x5ec/0x630 Write of size 8 at addr ffff00000ec28cc8 by task swapper/0/0 ... Call trace: show_stack+0x18/0x24 (C) dump_stack_lvl+0x78/0x90 print_report+0x114/0x580 kasan_report+0xa4/0xf0 __asan_report_store8_noabort+0x20/0x2c __run_timers+0x5ec/0x630 run_timer_softirq+0xe8/0x1cc handle_softirqs+0x294/0x720 __do_softirq+0x14/0x20 ____do_softirq+0x10/0x1c call_on_irq_stack+0x30/0x48 do_softirq_own_stack+0x1c/0x28 __irq_exit_rcu+0x27c/0x364 irq_exit_rcu+0x10/0x1c el1_interrupt+0x40/0x60 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x6c/0x70 arch_local_irq_enable+0x4/0x8 (P) do_idle+0x334/0x458 cpu_startup_entry+0x60/0x70 rest_init+0x158/0x174 start_kernel+0x2f8/0x394 __primary_switched+0x8c/0x94 Allocated by task 72 on cpu 0 at 27.510341s: kasan_save_stack+0x2c/0x54 kasan_save_track+0x24/0x5c kasan_save_alloc_info+0x40/0x54 __kasan_kmalloc+0xa0/0xb8 __kmalloc_node_track_caller_noprof+0x1c0/0x588 devm_kmalloc+0x7c/0x1c8 gaokun_ucsi_probe+0xa0/0x840 auxiliary_bus_probe+0x94/0xf8 really_probe+0x17c/0x5b8 __driver_probe_device+0x158/0x2c4 driver_probe_device+0x10c/0x264 __device_attach_driver+0x168/0x2d0 bus_for_each_drv+0x100/0x188 __device_attach+0x174/0x368 device_initial_probe+0x14/0x20 bus_probe_device+0x120/0x150 device_add+0xb3c/0x10fc __auxiliary_device_add+0x88/0x130 ... Freed by task 73 on cpu 1 at 28.910627s: kasan_save_stack+0x2c/0x54 kasan_save_track+0x24/0x5c __kasan_save_free_info+0x4c/0x74 __kasan_slab_free+0x60/0x8c kfree+0xd4/0x410 devres_release_all+0x140/0x1f0 device_unbind_cleanup+0x20/0x190 device_release_driver_internal+0x344/0x460 device_release_driver+0x18/0x24 bus_remove_device+0x198/0x274 device_del+0x310/0xa84 ... The buggy address belongs to the object at ffff00000ec28c00 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 200 bytes inside of freed 512-byte region The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ec28 head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff) page_type: f5(slab) raw: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000 raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 head: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000 head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 head: 03fffe0000000002 fffffdffc03b0a01 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff00000ec28b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff00000ec28c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff00000ec28c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff00000ec28d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff00000ec28d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Add disable_delayed_work_sync() in gaokun_ucsi_remove() to ensure that uec->work is properly canceled and prevented from executing after the ucsi and gaokun_ucsi structure have been deallocated. Fixes: 00327d7f2c8c ("usb: typec: ucsi: add Huawei Matebook E Go ucsi driver") Cc: stable(a)vger.kernel.org Signed-off-by: Duoming Zhou <duoming(a)zju.edu.cn> --- drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c b/drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c index 8401ab414bd..c5965656bab 100644 --- a/drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c +++ b/drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c @@ -503,6 +503,7 @@ static void gaokun_ucsi_remove(struct auxiliary_device *adev) { struct gaokun_ucsi *uec = auxiliary_get_drvdata(adev); + disable_delayed_work_sync(&uec->work); gaokun_ec_unregister_notify(uec->ec, &uec->nb); ucsi_unregister(uec->ucsi); ucsi_destroy(uec->ucsi); -- 2.34.1

2 weeks, 3 days

4
4
0 0

[PATCH net v2] platform/x86: intel_pmc_ipc: fix ACPI buffer memory leak

by yongxin.liu＠windriver.com

From: Yongxin Liu <yongxin.liu(a)windriver.com> The intel_pmc_ipc() function uses ACPI_ALLOCATE_BUFFER to allocate memory for the ACPI evaluation result but never frees it, causing a 192-byte memory leak on each call. This leak is triggered during network interface initialization when the stmmac driver calls intel_mac_finish() -> intel_pmc_ipc(). unreferenced object 0xffff96a848d6ea80 (size 192): comm "dhcpcd", pid 541, jiffies 4294684345 hex dump (first 32 bytes): 04 00 00 00 05 00 00 00 98 ea d6 48 a8 96 ff ff ...........H.... 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................ backtrace (crc b1564374): kmemleak_alloc+0x2d/0x40 __kmalloc_noprof+0x2fa/0x730 acpi_ut_initialize_buffer+0x83/0xc0 acpi_evaluate_object+0x29a/0x2f0 intel_pmc_ipc+0xfd/0x170 intel_mac_finish+0x168/0x230 stmmac_mac_finish+0x3d/0x50 phylink_major_config+0x22b/0x5b0 phylink_mac_initial_config.constprop.0+0xf1/0x1b0 phylink_start+0x8e/0x210 __stmmac_open+0x12c/0x2b0 stmmac_open+0x23c/0x380 __dev_open+0x11d/0x2c0 __dev_change_flags+0x1d2/0x250 netif_change_flags+0x2b/0x70 dev_change_flags+0x40/0xb0 Add kfree() to properly release the allocated buffer. Cc: stable(a)vger.kernel.org Fixes: 7e2f7e25f6ff ("arch: x86: add IPC mailbox accessor function and add SoC register access") Signed-off-by: Yongxin Liu <yongxin.liu(a)windriver.com> --- V1->V2: Cover all potential paths for kfree(); --- include/linux/platform_data/x86/intel_pmc_ipc.h | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/include/linux/platform_data/x86/intel_pmc_ipc.h b/include/linux/platform_data/x86/intel_pmc_ipc.h index 1d34435b7001..b65193b1e043 100644 --- a/include/linux/platform_data/x86/intel_pmc_ipc.h +++ b/include/linux/platform_data/x86/intel_pmc_ipc.h @@ -49,7 +49,7 @@ static inline int intel_pmc_ipc(struct pmc_ipc_cmd *ipc_cmd, struct pmc_ipc_rbuf }; struct acpi_object_list arg_list = { PMC_IPCS_PARAM_COUNT, params }; union acpi_object *obj; - int status; + int status, ret = 0; if (!ipc_cmd || !rbuf) return -EINVAL; @@ -78,18 +78,22 @@ static inline int intel_pmc_ipc(struct pmc_ipc_cmd *ipc_cmd, struct pmc_ipc_rbuf obj->package.count == VALID_IPC_RESPONSE) { const union acpi_object *objs = obj->package.elements; - if ((u8)objs[0].integer.value != 0) - return -EINVAL; + if ((u8)objs[0].integer.value != 0) { + ret = -EINVAL; + goto out; + } rbuf->buf[0] = objs[1].integer.value; rbuf->buf[1] = objs[2].integer.value; rbuf->buf[2] = objs[3].integer.value; rbuf->buf[3] = objs[4].integer.value; } else { - return -EINVAL; + ret = -EINVAL; } - return 0; +out: + kfree(buffer.pointer); + return ret; #else return -ENODEV; #endif /* CONFIG_ACPI */ -- 2.46.2

2 weeks, 3 days

4
5
0 0

[PATCH v2 1/2] usb: typec: ucsi: fix probe failure in gaokun_ucsi_probe()

by Duoming Zhou

The gaokun_ucsi_probe() uses ucsi_create() to allocate a UCSI instance. The ucsi_create() validates whether ops->poll_cci is defined, and if not, it directly returns -EINVAL. However, the gaokun_ucsi_ops structure does not define the poll_cci, causing ucsi_create() always fail with -EINVAL. This issue can be observed in the kernel log with the following error: ucsi_huawei_gaokun.ucsi huawei_gaokun_ec.ucsi.0: probe with driver ucsi_huawei_gaokun.ucsi failed with error -22 Fix the issue by adding the missing poll_cci callback to gaokun_ucsi_ops. Fixes: 00327d7f2c8c ("usb: typec: ucsi: add Huawei Matebook E Go ucsi driver") Cc: stable(a)vger.kernel.org Signed-off-by: Duoming Zhou <duoming(a)zju.edu.cn> --- Changes in v2: - Add cc: stable. - Correct spelling mistake. drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c b/drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c index 7b5222081bb..8401ab414bd 100644 --- a/drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c +++ b/drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c @@ -196,6 +196,7 @@ static void gaokun_ucsi_connector_status(struct ucsi_connector *con) const struct ucsi_operations gaokun_ucsi_ops = { .read_version = gaokun_ucsi_read_version, .read_cci = gaokun_ucsi_read_cci, + .poll_cci = gaokun_ucsi_read_cci, .read_message_in = gaokun_ucsi_read_message_in, .sync_control = ucsi_sync_control_common, .async_control = gaokun_ucsi_async_control, -- 2.34.1

2 weeks, 3 days

2
1
0 0

[PATCH] crypto: octeontx: Fix length check to avoid truncation in ucode_load_store

by Thorsten Blum

OTX_CPT_UCODE_NAME_LENGTH limits the microcode name to 64 bytes. If a user writes a string of exactly 64 characters, the original code used 'strlen(buf) > 64' to check the length, but then strscpy() copies only 63 characters before adding a NUL terminator, silently truncating the copied string. Fix this off-by-one error by using 'count' directly for the length check to ensure long names are rejected early and copied without truncation. Cc: stable(a)vger.kernel.org Fixes: d9110b0b01ff ("crypto: marvell - add support for OCTEON TX CPT engine") Signed-off-by: Thorsten Blum <thorsten.blum(a)linux.dev> --- drivers/crypto/marvell/octeontx/otx_cptpf_ucode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/crypto/marvell/octeontx/otx_cptpf_ucode.c b/drivers/crypto/marvell/octeontx/otx_cptpf_ucode.c index 9f5601c0280b..417a48f41350 100644 --- a/drivers/crypto/marvell/octeontx/otx_cptpf_ucode.c +++ b/drivers/crypto/marvell/octeontx/otx_cptpf_ucode.c @@ -1326,7 +1326,7 @@ static ssize_t ucode_load_store(struct device *dev, int del_grp_idx = -1; int ucode_idx = 0; - if (strlen(buf) > OTX_CPT_UCODE_NAME_LENGTH) + if (count >= OTX_CPT_UCODE_NAME_LENGTH) return -EINVAL; eng_grps = container_of(attr, struct otx_cpt_eng_grps, ucode_load_attr); -- Thorsten Blum <thorsten.blum(a)linux.dev> GPG: 1D60 735E 8AEF 3BE4 73B6 9D84 7336 78FD 8DFE EAD4

2 weeks, 3 days

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror