| Age | Commit message (Collapse) | Author |
|
Pull rdma fixes from Jason Gunthorpe:
"More bug fixes, many found by tools:
- Protect from a possible DOS with certain RMPP traffic patterns
- Correct mac address comparison so CMA works properly on IB
- Some crashes in irdma around memory registration
- Uninitialized value in erdma and mana
- Wrong order setting up a QP in SIW allowed a network packet to
reach an unready QP struct
- Catch math overflows in hns and irdma"
* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
RDMA/irdma: Prevent overflows in memory contiguity checks
RDMA/siw: publish QP after initialization
RDMA/hns: Fix potential integer overflow in mhop hem cleanup
RDMA/core: Fix memory leak in __ib_create_cq() on invalid cqe
RDMA/mana_ib: initialize err for empty send WR lists
RDMA/erdma: initialize ret for empty receive WR lists
RDMA/irdma: Prevent user-triggered null deref on QP create
RDMA/irdma: Prevent rereg_mr for non-mem regions
RDMA/cma: Fix hardware address comparison length in netevent callback
RDMa/mlx5: Avoid frame overflow warning
IB/mad: Drop unmatched RMPP responses before reassembly
|
|
The TPM character devices expose a sequential command/response
interface, but their open handlers leave FMODE_PREAD and FMODE_PWRITE
enabled.
After a command leaves a response pending, pread(fd, buf, 16, 0x1400)
passes 0x1400 as *off to tpm_common_read(). The transfer length is
bounded by response_length, but the offset is used unchecked when
forming data_buffer + *off. A sufficiently large offset therefore causes
an out-of-bounds heap read through copy_to_user() and, if the copy
succeeds, an out-of-bounds zero-write through the following memset().
Positional I/O does not provide coherent semantics for this interface.
An arbitrary pread offset cannot represent how much of a response has
been consumed sequentially. The write callback always stores a command
at the start of data_buffer, while pwrite() does not update file->f_pos
and can leave the sequential read cursor stale.
Call nonseekable_open() from both open handlers. This removes
FMODE_PREAD and FMODE_PWRITE, causing positional reads and writes to
fail with -ESPIPE before reaching the TPM callbacks, and explicitly
marks the files non-seekable. Normal read() and write() continue to use
the existing sequential f_pos cursor, leaving the response state machine
unchanged.
Tested on Linux 6.12 with KASAN and a swtpm TPM2 device:
- sequential partial reads returned the complete response
- pread() and preadv() with offset 0x1400 returned -ESPIPE
- pwrite() and pwritev() with offset zero returned -ESPIPE
- the pending response remained intact after the rejected operations
- a subsequent normal command/response cycle completed normally
- no KASAN report was produced.
Fixes: 9488585b21be ("tpm: add support for partial reads")
Link: https://lore.kernel.org/all/20260710090217.191289-1-yong010301@gmail.com/
Cc: stable@vger.kernel.org
Signed-off-by: Jaewon Yang <yong010301@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging
Pull staging driver fixes from Greg KH:
"Here are some staging driver fixes for 7.2-rc3 for some reported bugs
in the vme_user and rtl8723bs drivers. These include:
- many rtl8723bs OOB fixes for when connecting to "bad" wifi hosts
- vme_user bugfixes to correctly validate some user-provided data
All of these have been in linux-next for a while with no reported
issues"
* tag 'staging-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
staging: rtl8723bs: fix OOB reads in rtw_get_sec_ie(), rtw_get_wapi_ie(), and rtw_get_wps_attr()
staging: rtl8723bs: fix OOB reads in is_ap_in_tkip() IE loop
staging: rtl8723bs: fix OOB read in OnAssocRsp() IE loop
staging: rtl8723bs: fix OOB write in HT_caps_handler()
staging: rtl8723bs: fix heap buffer overflow in rtw_cfg80211_set_wpa_ie()
staging: rtl8723bs: fix OOB reads in IE loops in issue_assocreq() and join_cmd_hdl()
staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop
staging: rtl8723bs: fix WEP length underflow and OOB read in OnAuth()
staging: vme_user: fix location monitor leak in tsi148 bridge
staging: vme_user: fix location monitor leak in fake bridge
staging: vme_user: bound slave read/write to the kern_buf size
staging: rtl8723bs: don't drop short TX frames in _rtw_pktfile_read()
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
Pull Android/IIO fixes from Greg KH:
"Here is a set of bugfixes for 7.2-rc3 that resolve a bunch of reported
issues in just the binder and iio codebases. Included in here are:
- binder driver bugfixes for both the rust and c versions for
reported problems
- lots and lots of iio driver bugfixes for lots of reported issues
(including a hid sensor driver bugfix)
Full details are in the shortlog, all of these have been in linux-next
with no reported issues"
* tag 'char-misc-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (36 commits)
iio: event: Fix event FIFO reset race
iio: imu: inv_icm42600: fix timestamp clock period by using lower value
iio: light: al3010: fix incorrect scale for the highest gain range
iio: adc: nxp-sar-adc: Fix the delay calculation in nxp_sar_adc_wait_for()
iio: light: tsl2591: return actual error from probe IRQ failure
iio: imu: inv_icm42600: fix timestamping by limiting FIFO reading
iio: imu: st_lsm6dsx: deselect shub page before reading whoami
rust_binder: clear freeze listener on node removal
rust_binder: reject context manager self-transaction
rust_binder: use a u64 stride when cleaning up the offsets array
binder: fix UAF in binder_free_transaction()
binder: fix UAF in binder_thread_release()
rust_binder: synchronize Rust Binder stats with freeze commands
binder: cache secctx size before release zeroes it
rust_binder: fix BINDER_GET_EXTENDED_ERROR
iio: adc: ad7779: add missing 'select IIO_TRIGGERED_BUFFER' to Kconfig
iio: adc: ad4130: add missing `select IIO_TRIGGERED_BUFFER` to Kconfig
iio: adc: ti-ads124s08: Return reset GPIO lookup errors
iio: temperature: Build mlx90635 with CONFIG_MLX90635
iio: light: al3320a: add missing REGMAP_I2C to Kconfig
...
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
Pull tty/serial fixes from Greg KH:
"Here are some small tty/serial/vt fixes for 7.2-rc3 that resolve some
reported problems. Included in here are:
- vt spurious modifier issue that showed up in -rc1 (reported a
bunch)
- 8250 driver bugfixes
- msm serial driver bugfix
- max310x serial driver bugfix
All of these have been in linux-next with no reported issues"
* tag 'tty-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
serial: 8250: Ignore flow control on suspend/resume with no_console_suspend
serial: 8250_mid: Disable DMA for selected platforms
serial: 8250_omap: clear rx_running on zero-length DMA completes
vt: fix spurious modifier in CSI/cursor key sequences
serial: msm: Disable DMA for kernel console UART
serial: max310x: implement gpio_chip::get_direction()
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
Pull USB fixes from Greg KH:
"Here are a number of small USB driver fixes for many reported issues.
Included in here are:
- usb serial driver corruption and use-after-free fixes
- usb gadget rndis bugfixes for malicious/buggy host connections
- typec driver fixes for a load of different tiny reported issues
- typec mux driver revert for a broken patch in -rc1
- usb gadget driver fixes for many different reported problems
- new usb device quirks added
- usbip tool fixes and some core usbip fixes as well
- dwc3 driver fixes for minor issues
- xhci driver fixes for reported problems
- lots of other tiny usb driver fixes for many tiny issues
All of these have been in linux-next with no reported issues"
* tag 'usb-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (56 commits)
USB: core: ratelimit cabling message
usb: misc: usbio: fix disconnect UAF in client teardown
Revert "usb: typec: mux: avoid duplicated mux switches"
USB: chaoskey: Fix slab-use-after-free in chaoskey_release()
usb: ucsi: huawei_gaokun: move typec_altmode off stack
usb: typec: tcpci_rt1711h: unregister TCPCI port with devres
usb: typec: tcpm: Fix VDM type for Enter Mode commands
usb: typec: ucsi: cancel pending work on system suspend
usb: typec: class: drop PD lookup reference
usb: typec: ps883x: Fix DP+USB3 configuration
usb: xhci: Fix sleep in atomic context in xhci_free_streams()
xhci: sideband: fix ring sg table pages leak
usb: gadget: udc: Fix use-after-free in gadget_match_driver
usb: dwc3: run gadget disconnect from sleepable suspend context
usb: sl811-hcd: disable controller wakeup on remove
usb: typec: anx7411: use devm_pm_runtime_enable()
usb: dwc3: fix dwc3_readl() and dwc3_writel() calls in dwc3_ulpi_setup()
USB: misc: uss720: unregister parport on probe failure
usb: gadget: function: rndis: add length check for header
usb: gadget: function: rndis: add length check to response query
...
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux
Pull s390 fixes from Vasily Gorbik:
- Fix missing array_index_nospec() call in diag310 memory topology code
to prevent speculative execution with a user controlled array index
- Fix get_align_mask() return type to match vm_unmapped_area_info
align_mask, avoiding possible truncation for future larger masks
- Remove empty zcrypt CEX2 files left over after CEX2 and CEX3 driver
removal
- Add build salt to the vDSO so it gets a unique build id, similar to
the kernel and modules
* tag 's390-7.2-4' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
s390: Add build salt to the vDSO
s390/zcrypt: Remove the empty file
s390/mm: Fix type mismatch in get_align_mask().
s390/diag: Add missing array_index_nospec() call to memtop_get_page_count()
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace
Pull tracing fixes from Steven Rostedt:
- Free field in error path of synthetic event parse
In __create_synth_event() the field was allocated but was not freed
in the error path
- Fix ring_buffer_event_length() on 8 byte aligned architectures
On architectures with CONFIG_HAVE_64BIT_ALIGNED_ACCESS set to y, the
ring_buffer_event_length() may return the wrong size. This is because
archs with that config set will always use the "big event meta
header" as that is 8 bytes keeping the payload 8 bytes aligned, even
when a 4 byte header could hold the size of the event
But ring_buffer_event_length() doesn't take this into account and
only subtracts 4 bytes for the meta header in the length when it
should have subtracted 8 bytes
- Have osnoise wait for a full rcu synchronization on unregister
osnoise_unregister_instance() used to call synchronize_rcu() before
freeing its copy of the instance but was switched to kfree_rcu(). The
osniose tracer has code that traverses the instances that it uses,
and inst is just a pointer to that instance. By using kfree_rcu()
instead of synchronize_rcu(), the instance that the inst pointer is
pointing to can be freed while the osnoise code is still referencing
it
That is, a rmdir on an instance first unregisters the tracer. When
the unregister finishes, the rmdir expects that the tracer is
finished with the instance that it is using. By putting back the
synchronize_rcu() in osnoise_unregister_instance() the unregistering
of osnoise will now return when all the users of the instance have
finished
- Remove an unused setting of "ret" in tracing_set_tracer()
- Fix ring_buffer_read_page() copying events
The commit that changed ring_buffer_read_page() to show dropped
events from the buffer itself, split the "commit" variable between
the commit value (with flags) and "size" that holds the size of the
sub-buffer. A cut and paste error changed the test of the reading
from checking the size of the buffer to the size of the event causing
reads to only read one event at a time
- Make tracepoint_printk a static variable
When the tracing sysctl knobs were move from sysctl.c to trace.c, the
variable tracepoint_printk no longer needed to be global. Make it
static
- Fix some typos
- Fix NULL pointer dereference in func_set_flag()
The flags update of the function tracer first checks if the value of
the flag is the same and exits if they are, and then it checks if the
current tracer is the function tracer and exits if it isn't. The
problem is that these checks need to be in a reversed order, as if
the tracer isn't the function tracer, then the flag being checked may
not exist. Reverse the order of these checks
- Fix ufs core trace events to not dereference a pointer in TP_printk()
The TP_printk() part of the TRACE_EVENT() macro is called when the
user reads the "trace" file. This can be seconds, minutes, hours,
days, weeks, and even months after the data was recorded into the
ring buffer. Thus, saving a pointer to an object into the ring buffer
and then dereferencing it from TP_printk() can cause harm as the
object the pointer is pointing to may no longer exist
Fix all the trace events in ufs core to save the device name in the
ring buffer instead of dereferencing the device descriptor from
TP_printk()
- Prevent out-of-bound reads in glob matching of trace events
The filter logic of events allows simple glob logic to add wild cards
to filter on strings. But some events have fields that may not have a
terminating 'nul' character. This may cause the glob matching to go
beyond the string. Change the logic to always pass in the length of
the field that is being matched
- Add no-rcu-check version of trace_##event##_enabled()
The trace_##event##_enabled() usually wraps trace events to do extra
work that is only needed when the trace event is enabled. But this
can hide events that are placed in locations where RCU is not
watching, and can make lockdep not see these bugs when the event is
not enabled
The trace_##event##_enabled() was updated to always test to make sure
RCU is watching to catch locations that may call events without RCU
being active
This caused a false positive for the irq_disabled() and related
events. As that use trace_irq_disabled_enabled() to force RCU to be
watching when the event is enabled via the ct_irq_enter() function,
calls the event, and then calls ct_irq_exit() to put RCU back to its
original state
The trace_irq_disabled_enabled() should not trigger a warning when
RCU is not watching because the code within its block handles the
case properly. Make a __trace_##event##_enabled() version for this
event to use that doesn't check RCU is watching as it handles the
case when it isn't
- Fix use-after-free in user_event_mm_dup()
When the enabler is removed from the link list, it is freed
immediately. But it is protected via RCU and needs to be freed after
an RCU grace period. Use queue_rcu_work() so that the event_mutex can
also be taken as user_event_put() takes the mutex on the last
reference is released
- Free type string in error path of parse_synth_field()
There's an error path in parse_synth_field() where the allocated type
string is not freed
- Add selftest that tests deferred event teardown
- Fix leak in error path of trace_remote_alloc_buffer()
If page allocation fails, the desc->nr_cpus is not incremented for
the current CPU and the allocations done for it are not freed
- Fix allocation length in trace_remote_alloc_buffer()
The logic to calculate the struct_len was doing a double count and
setting the value too large. Calculate the size upfront to fix the
error and simplify the logic
- Fix sparse CPU masks in ring_buffer_desc()
If there are sparse CPUs (gaps in the numbering), the
ring_buffer_desc() will fail as it tests the CPU number against the
number of CPUs that are used
* tag 'trace-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
ring-buffer: Allow sparse CPU masks in ring_buffer_desc()
tracing/remotes: Fix struct_len in trace_remote_alloc_buffer()
tracing/remotes: Fix leak in trace_remote_alloc_buffer() error path
selftests/user_events: Wait for deferred event teardown after unregister
tracing/synthetic: Free type string on error path
tracing/user_events: Fix use-after-free in user_event_mm_dup()
tracing: Add a no-rcu-check version of trace_##event##_enabled()
tracing: Prevent out-of-bounds read in glob matching
ufs: core: tracing: Do not dereference pointers in TP_printk()
tracing: Fix NULL pointer dereference in func_set_flag()
samples: ftrace: Fix typos in benchmark comment
tracing: Make tracepoint_printk static as not exported
ring-buffer: Fix ring_buffer_read_page() copying only one event per page
tracing: Remove unused ret assignment in tracing_set_tracer()
tracing/osnoise: Call synchronize_rcu() when unregistering
ring-buffer: Fix event length with forced 8-byte alignment
tracing/synthetic: Free pending field on error path
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
Pull input fixes from Dmitry Torokhov:
- fix MELFAS MMS114 touchscreen driver to reject invalid touch IDs and
avoid multi-touch slot corruption
- fix a crash in the Sega Dreamcast (Maple) mouse driver when opening
the device, caused by missing driver data
- fixes for Maple drivers (keyboard, mouse, joystick) to properly order
setting driver data and device registration to avoid races
* tag 'input-for-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
Input: mms114 - fix multi-touch slot corruption
Input: maple_keyb - set driver data before registering input device
Input: maplecontrol - set driver data before registering input device
Input: maplemouse - set driver data before registering input device
Input: maplemouse - fix NULL pointer dereference in open()
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
Pull device mapper fixes from Mikulas Patocka:
- dm-log: fix overflow on 32-bit machines
- dm-era: fix out of bounds memory access; fix crashes on invalid args
- dm-verity: fix buffer overflow in forward error correction
- dm-thin: fix misbehavior on I/O failures
- dm-pcache: fix NULL pointer dereference on invalid arguments
- dm-inlinecrypt: fix memory leak on error handling
- dm-integrity: fix ignoring the 'fix_hmac' option on device open
- dm: don't store the keyring in memory for a long term
- 12 miscellaneous fixes for bugs found by Claude Opus 4.6
* tag 'for-7.2/dm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm: (23 commits)
dm thin metadata: fix superblock refcount leak on snapshot shadow failure
dm-stats: fix dm_jiffies_to_msec64
dm-stats: fix merge accounting
dm-bufio: fix wrong count calculation in dm_bufio_issue_discard
dm-verity: make error counter atomic
dm-verity: increase sprintf buffer size
dm-verity: fix a possible NULL pointer dereference
dm-verity: avoid double increment of &use_bh_wq_enabled
dm-ioctl: fix a possible overflow in list_version_get_info
dm_early_create: fix freeing used table on dm_resume failure
dm-integrity: fix a bug if the bio is out of limits
dm-integrity: don't increment hash_offset twice
dm-integrity: fix leaking uninitialized kernel memory
dm-integrity: fix the 'fix_hmac' option
dm era: fix error code propagation in era_ctr()
dm era: fix NULL pointer dereference in metadata_open()
dm: avoid leaking the caller's thread keyring via the table device file
dm-inlinecrypt: Fix an error handling path in inlinecrypt_ctr()
dm-pcache: reject option groups without values
dm thin metadata: fix metadata snapshot consistency on commit failure
...
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux
Pull block fixes from Jens Axboe:
- Limit blk_hctx_poll() to one jiffy. Prevents buggy drivers from
spinning for too long, hence triggering a stalled RCU read section
warning
- Avoid a potential deadlock on zone revalidation failure, which could
otherwise trigger a lockdep circular locking splat during a SCSI disk
rescan
- Remove a redundant GD_NEED_PART_SCAN set in add_disk_final()
- Make writes to queue/wbt_lat_usec honor the WBT enable state
- ublk fix to snapshot the batch commands before preparing IO, so that
userspace can't change an already processed tag and trip the
WARN_ON_ONCE() in the rollback path
- xen-blkfront fix for a double completion of split requests on resume
- drbd fix to reject data replies with an out-of-range payload size
* tag 'block-7.2-20260710' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux:
block: remove redundant GD_NEED_PART_SCAN in add_disk_final()
drbd: reject data replies with an out-of-range payload size
xen-blkfront: fix double completion of split requests on resume
ublk: snapshot batch commands before preparing I/O
block: Make WBT latency writes honor enable state
block: avoid potential deadlock on zone revalidation failure
blk-mq: bound blk_hctx_poll() to one jiffy
|
|
__reserve_metadata_snap() increments THIN_SUPERBLOCK_LOCATION in the
metadata space map before shadowing it. When dm_tm_shadow_block()
fails, a reference is leaked in the metadata space map.
Fix by adding the missing dm_sm_dec_block().
Signed-off-by: Genjian Zhang <zhanggenjian@kylinos.cn>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Fixes: cc8394d86f04 ("dm thin: provide userspace access to pool metadata")
Cc: stable@vger.kernel.org
|
|
If the touchscreen controller reports a touch ID of 0, the driver
calculates the slot ID as touch->id - 1, which underflows to UINT_MAX.
This is passed to input_mt_slot() as -1.
Since the input core ignores negative slot values, the active slot remains
unchanged. The driver then reports the touch coordinates for the previously
active slot, corrupting its state.
Fix this by rejecting touch reports with ID 0.
Fixes: 07b8481d4aff ("Input: add MELFAS mms114 touchscreen driver")
Cc: stable@vger.kernel.org
Reported-by: sashiko-bot@kernel.org
Assisted-by: Antigravity:gemini-3.5-flash
Link: https://patch.msgid.link/20260704060115.353049-1-dmitry.torokhov@gmail.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator
Pull regulator fixes from Mark Brown:
"A couple of straightforward fixes for device loading, plus a fix for
the core support for keeping multiple regulators with voltages close
to each other that was sadly introduced due to one of the more
beautiful corners of our API design"
* tag 'regulator-fix-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
regulator: core: regulator_lock_two() should test for EDEADLK not EDEADLOCK
regulator: mt6363: add missing MODULE_DEVICE_TABLE()
regulator: mt6316: add missing MODULE_DEVICE_TABLE()
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86
Pull x86 platform driver fixes from Ilpo Järvinen:
- amd/pmc:
- Use correct IP block table for AMD 1Ah M80H SoC
- Avoid logging "(null)" for missing DMI values
- asus-armoury: update power limits for G614PR
- bitland-mifs-wmi: Fix NULL pointer dereference during suspend/resume
* tag 'platform-drivers-x86-v7.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86:
platform/x86: amd-pmc: Use correct IP block table for AMD 1Ah M80H SoC
platform/x86: asus-armoury: update power limits for G614PR
platform/x86: bitland-mifs-wmi: Fix NULL pointer dereference during suspend/resume
platform/x86/amd/pmc: Avoid logging "(null)" for DMI values
|
|
There were wrong calculations in dm_jiffies_to_msec64 that produced
incorrect output when HZ was different from 1000. This commit fixes them.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Assisted-by: Claude:claude-opus-4-6
Fixes: fd2ed4d25270 ("dm: add statistics support")
Cc: stable@vger.kernel.org
|
|
There were wrong parentheses when setting stats_aux->merged, so that
merging was never properly accounted. This commit fixes it.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Assisted-by: Claude:claude-opus-4-6
Fixes: fd2ed4d25270 ("dm: add statistics support")
Cc: stable@vger.kernel.org
|
|
block_to_sector converts a block number to a sector number and adds
c->start to the result. It is inappropriate to use this function for
converting the number of blocks to a number to sectors because c->start
would be incorrectly added to the result.
Luckily, the only target that uses dm_bufio_issue_discard is dm-ebs,
which sets c->start to 0, so this bug is latent.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Assisted-by: Claude:claude-opus-4-6
Fixes: 6fbeb0048e6b ("dm bufio: implement discard")
Cc: stable@vger.kernel.org
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux
Pull gpio fixes from Bartosz Golaszewski:
- provide the missing .get_direction() callback in gpio-palmas
- fix interrupt handling in gpio-dwapb
- add a GPIO self-test program binary to .gitignore
- fix a resource leak in gpio-mvebu
- make the GPIO sharing heuristic more adaptable
* tag 'gpio-fixes-for-v7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux:
gpio: mvebu: free generic chips on unbind
selftests: gpio: add gpio-cdev-uaf to .gitignore
gpio: dwapb: Mask interrupts at hardware initialization
gpio: dwapb: Defer clock gating until noirq
gpio: shared: make the voting mechanism adaptable
gpios: palmas: add .get_direction() op
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/libata/linux
Pull ata fixes from Damien Le Moal:
- Fix handling of security locked drive revalidation. This prevents
such drives from being dropped when locked on resume (Terrence)
* tag 'ata-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/libata/linux:
ata: libata-core: Allow capacity transition to zero for locked drives
ata: libata-core: Skip HPA resize for locked drives
|
|
Pull drm fixes from Dave Airlie:
"Weekly fixes pull for drm, amdgpu, amdxdna, xe leading the way, some
small core fixes and a nouveau stability fix along with some minor
changes in other drivers.
Seems to be a bit quiter than last week at least.
fb-helper:
- Sync on first active crtc in fb_dirty, rather than first crtc
drm_exec:
- Use direct label in drm_exec
buddy:
- Rework try_harder in the buddy allocator
i915:
- fix underrun on panthor lake
- LT PHY SSC programming fix
- fix some NULL derefs and leaks
nouveau:
- fix a vmm large/small page table update race
xe:
- Fix PTE index in xe_vm_populate_pgtable for chunked binds
- Wait on external BO kernel fences in exec IOCTL
- Remove duplicate include
- Free madvise VMA array on L2 flush failure
- Stub notifier_lock helpers when DRM_GPUSVM=n
amdgpu:
- PSP 15.0.9 update
- SMU 15.0.9 update
- VCN 5.3 fix
- VI ASPM fix
- Userq fix
- lifetime fix for amdgpu_vm_get_task_info_pasid()
- Gfx10 fix
- SMU 14 fix
amdkfd:
- CRIU bounds checking fixes
- secondary context id fix
- Event bounds checking fix
amdxdna:
- Fix uaf in mmap failure path
- A lot of deadlocks, access races and return value fixes
analogix_dp:
- Fix analogix_dp bitshifts during link training
v3d:
- Fix absent indirect bo handling
imagination:
- Make function static to solve compiler warning
- Fix error checking"
* tag 'drm-fixes-2026-07-10' of https://gitlab.freedesktop.org/drm/kernel: (44 commits)
nouveau/vmm: fix another SPT/LPT race
drm/imagination: fix error checking of pvr_vm_context_lookup()
drm/imagination: make pvr_fw_trace_init_mask_ops static
gpu/buddy: bail out of try_harder when alignment cannot be honoured
drm/xe/userptr: Stub notifier_lock helpers when DRM_GPUSVM=n
drm/xe: free madvise VMA array on L2 flush failure
drm/xe: remove duplicate <kunit/test-bug.h> include
drm/xe: Wait on external BO kernel fences in exec IOCTL
drm/xe: Fix PTE index in xe_vm_populate_pgtable() for chunked binds
drm/fb-helper: Only consider active CRTCs for vblank sync
drm/amdkfd: Check bounds on CRIU restore queue type and mqd size
drm/amd/pm: fix smu14 power limit range calculation
drm/amdkfd: Check bounds in allocate_event_notification_slot
amdkfd: properly free secondary context id
drm/amdkfd: Don't acquire buffers during CRIU queue restore
drm/amdkfd: Check bounds on CRIU restore event id
drm/gfx10: Program DB_RING_CONTROL
drm/amdgpu: fix lifetime issue of amdgpu_vm_get_task_info_pasid()
drm/amdgpu: trigger GPU recovery when userq destroy fails to unmap a hung queue
drm/amd/amdgpu: disable ASPM on VI if pcie dpm is disabled
...
|
|
recv_dless_read() receives a P_DATA_REPLY from a peer into the bio of an
outstanding read request. The peer-supplied payload length reaches it as
the signed int data_size, and two peer-controlled inputs can make it
negative. With a negotiated data-integrity-alg the digest length is
subtracted first, so a reply whose payload is smaller than the digest
underflows data_size. With no integrity algorithm (the default) data_size
is assigned from the unsigned h95/h100 wire length and drbdd() never
bounds it for a payload-carrying command, so a length above INT_MAX casts
it negative; this path needs no non-default feature. The bio receive loop
then computes expect = min_t(int, data_size, bv_len), which is negative,
and drbd_recv_all_warn(mapped, expect) receives with a size_t of SIZE_MAX
into the first mapped page.
The sibling receive path read_in_block() is not affected: it uses an
unsigned size and rejects it against DRBD_MAX_BIO_SIZE before receiving.
Reject a data reply whose size is negative after the optional digest
subtraction, covering both triggers.
Impact: a malicious or man-in-the-middle DRBD peer copies attacker-chosen
bytes past a bio page in the receiver, corrupting kernel memory. A node
that reads from its peer (a diskless node, or read-balancing to the peer)
is exposed in the default configuration; data-integrity-alg is not
required.
Fixes: b411b3637fa7 ("The DRBD driver")
Cc: stable@vger.kernel.org
Assisted-by: Codex:gpt-5-5-xhigh
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Reviewed-by: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
Link: https://patch.msgid.link/20260710022837.3738461-1-michael.bommarito@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
|
|
If no_console_suspend is specified, on suspend the 8250 console driver
uses a scratch register (UART_SCR) to store a special canary value. This
is used during the resume path to identify a printk() call before the
driver's own ->resume() callback. In this case,
serial8250_console_restore() is called to quickly re-init the 8250 for
console printing.
See commit 4516d50aabed ("serial: 8250: Use canary to restart console after
suspend") for the original motivation.
Unfortunately, this canary workaround does not work in all cases (such as
suspend to mem) because the scratch register will not reset. This has not
been a real issue until now because it could simply lead to some garbage
characters upon resume. However, with the introduction of console flow
control it becomes a real problem because a failed suspend/resume detection
when flow control is enabled leads to all characters hitting the flow
control timeout.
Workaround this issue by temporarily ignoring console flow control when
the debug canary suspend/resume detection is active.
Fixes: 5e6dfb87b191 ("serial: 8250: Add support for console flow control")
Signed-off-by: John Ogness <john.ogness@linutronix.de>
Link: https://patch.msgid.link/20260707141032.5074-1-john.ogness@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
In accordance with Errata (specification updates)
HSUART May Stop Functioning when DMA is Active.
- Denverton document #572409, rev 3.4, DNV60
- Ice Lake Xeon D document #714070, ICXD65
- Snowridge document #731931, SNR44
For a quick fix just disable the respective callbacks during the device probe.
Depending on the future development we might remove them completely.
Reported-by: micas-opensource <zjianan156@gmail.com>
Closes: https://lore.kernel.org/linux-serial/20250625031409.2404219-1-opensource@ruijie.com.cn/
Fixes: 6ede6dcd87aa ("serial: 8250_mid: add support for DMA engine handling from UART MMIO")
Cc: stable <stable@kernel.org>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://patch.msgid.link/20260626094937.561776-1-andriy.shevchenko@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
On AM33xx RX DMA only triggers when the FIFO reaches the
configured threshold (typically 48 bytes). For smaller bursts
no DMA request is issued and the FIFO is drained by RX timeout.
In this case __dma_rx_do_complete() can legitimately see count == 0.
The current code exits early in this case and does not clear
dma->rx_running, leaving the DMA state inconsistent. This can
prevent RX DMA from restarting and may cause
omap_8250_rx_dma_flush() to fail, marking DMA as broken.
Fix this by clearing dma->rx_running once the DMA transfer has
completed or been terminated, even if no data was transferred.
Fixes: a5fd8945a478 ("serial: 8250: 8250_omap.c: Clear DMA RX running status only after DMA termination is done")
Cc: stable <stable@kernel.org>
Signed-off-by: Matthias Feser <mfe@KBSgmbhfr.onmicrosoft.com>
Reviewed-by: Moteen Shah <m-shah@ti.com>
Link: https://patch.msgid.link/BE3P281MB55155F2F5795E411F5A65282EE0B2@BE3P281MB5515.DEUP281.PROD.OUTLOOK.COM
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
csi_modifier_param() builds the xterm modifier parameter from
shift_state, counting KG_SHIFTL/KG_SHIFTR as Shift, KG_ALTGR as Alt
and KG_CTRLL/KG_CTRLR as Ctrl in addition to the canonical KG_SHIFT,
KG_ALT and KG_CTRL.
That is wrong when those weights are not plain modifiers. Keymaps
derived from XKB layouts (by kbd's xkbsupport, and by the
console-setup used in Debian, Ubuntu and others) encode the active
layout group using KG_SHIFTL/KG_SHIFTR:
group 1: -
group 2: shiftl
group 3: shiftr
group 4: shiftl | shiftr
So while a non-default layout group is selected, KG_SHIFTL and/or
KG_SHIFTR are set in shift_state with no Shift key held.
csi_modifier_param() then adds a spurious Shift to every cursor and
CSI key: pressing Up while group 2 is active emits ESC[1;2A (Shift+Up)
instead of ESC[A. KG_ALTGR has the same problem since it is the
standard third-level selector.
Normal keymaps bind the physical Shift/Ctrl/Alt keys to KG_SHIFT,
KG_CTRL and KG_ALT, leaving the left/right and AltGr weights free for
layout and level selection. Count only those canonical weights, so
genuine modifiers are still encoded while layout/level selectors are
not.
Fixes: 4af70f151671 ("vt: add modifier support to cursor keys")
Reported-by: Alexey Gladkov <legion@kernel.org>
Closes: https://lore.kernel.org/kbd/aj2gR0Y7sM6i9s2G@example.org/
Cc: stable <stable@kernel.org>
Signed-off-by: Nicolas Pitre <npitre@baylibre.com>
Link: https://patch.msgid.link/20260626024833.3419086-1-nico@fluxnic.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
The error counter "v->corrupted_errs" was not atomic, thus it could be
subject to race conditions. The call to
dm_audit_log_target("max-corrupted-errors") may be skipped due to the
races.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Assisted-by: Claude:claude-opus-4.6
Fixes: 65ff5b7ddf05 ("dm verity: add error handling modes for corrupted blocks")
Cc: stable@vger.kernel.org
|
|
The prefix "DM_VERITY_ERR_BLOCK_NR" is 22 chars. Add '=', one digit for
type, ',', up to 20 digits for a u64 block number, and a NUL terminator:
that's 46 bytes. The buffer is 42 bytes. For block numbers >= 16 decimal
digits (devices larger than ~16 EB with 4K blocks), snprintf silently
truncates the uevent environment variable.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Assisted-by: Claude:claude-opus-4.6
Fixes: 65ff5b7ddf05 ("dm verity: add error handling modes for corrupted blocks")
Cc: stable@vger.kernel.org
|
|
Fix a possible NULL pointer dereference dm_verity_loadpin_is_bdev_trusted
if the device has no table.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Assisted-by: Claude:claude-opus-4-6
Fixes: b6c1c5745ccc ("dm: Add verity helpers for LoadPin")
Cc: stable@vger.kernel.org
|
|
verity_parse_opt_args is called twice, first with the only_modifier_opts,
first with only_modifier_opts == true and then with only_modifier_opts ==
false. Thus, the static branch &use_bh_wq_enabled was incremented twice
and the destructor verity_dtr would only decrement it once.
Fix tihs bug by only incrementing it on the first call, on the second
call, when v->use_bh_wq is true, do nothing.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Assisted-by: Claude:claude-opus-4-6
Cc: stable@vger.kernel.org
Fixes: df326e7a0699 ("dm verity: allow optional args to alter primary args handling")
|
|
sizeof(tt->version) is 12 bytes, but the code writes 16 bytes into the
output buffer - info->vers->version[0], info->vers->version[1],
info->vers->version[2] and info->vers->next. This can cause buffer
overflow.
Fix this buffer overflow by replacing "sizeof(tt->version)" with
"sizeof(struct dm_target_versions)".
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Assisted-by: Claude:claude-opus-4.6
Cc: stable@vger.kernel.org
|
|
If dm_resume fails, the kernel attempts to free table with
dm_table_destroy, but the table was already instantiated with
dm_swap_table. This commit skips the call to dm_table_destroy in this
case.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Assisted-by: Claude:claude-opus-4.6
Fixes: 6bbc923dfcf5 ("dm: add support to directly boot to a mapped device")
Cc: stable@vger.kernel.org
|
|
If dm_integrity_check_limits fails, the code would exit with
DM_MAPIO_KILL. However, the range would be already locked at this point,
and it wouldn't be unlocked, resulting in a deadlock. Let's move the
limit check up, so that when it exits, no resources are leaked.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Assisted-by: Claude:claude-opus-4.6
Fixes: fb0987682c62 ("dm-integrity: introduce the Inline mode")
Cc: stable@vger.kernel.org
|
|
hash_offset is already incremented in the loop "for (i = 0; i < to_copy;
i++, ts--)". Do not increment it again.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Assisted-by: Claude:claude-opus-4.6
Fixes: 84597a44a9d8 ("dm-integrity: dm integrity: add optional discard support")
Cc: stable@vger.kernel.org
|
|
If hash size is less than device's tuple size, dm-integrity is supposed
to zero the remaining space. There was a bug in the code that zeroing
didn't work. This commit fixes it.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Assisted-by: Claude:claude-opus-4.6
Fixes: fb0987682c62 ("dm-integrity: introduce the Inline mode")
Cc: stable@vger.kernel.org
|
|
When the "fix_hmac" argument is used, dm-integrity is supposed to check
the superblock with the journal_mac. However, there was a logic bug in
the code - the code only checked the superblock mac if the bit
SB_FLAG_FIXED_HMAC was set in the superblock. So, the attacker could
clear this bit and bypass the checking trivially.
This commit changes dm-integrity so that when the user specified the
"fix_hmac" flag and the superblock doesn't have the bit
SB_FLAG_FIXED_HMAC set, the activation is aborted with an error.
Unfortunatelly, there's a bug in the integritysetup tool that when using
the 'open' command it passes the "fix_hmac" argument to the kernel even
if the user specified --integrity-legacy-hmac. The bug will be fixed in
the upcoming 2.8.7 release.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reported-by: Shukai Ni <shukai.ni@kuleuven.be>
|
|
We've had an unknown Turing issue for a while with page faults since
large pages and compression.
I've got a patch series that syncs all our L2 handling with ogkm and it
made this fault happen more.
After writing a bunch of debugging patches, I spotted an invalid LPT
entry where there should have been a valid one.
A 64K MAP succeeds on a range, but a subsequent SPT put drops SPT refs
across multiple ranges,
We shouldn't assume all ranges where SPTEs go away will have the same
sparse/invalid/valid state, just iterate over each instead and do the
right thing.
Cc: stable@vger.kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>
Fixes: d19512f5abb1 ("nouveau/vmm: start tracking if the LPT PTE is valid. (v6)")
Link: https://patch.msgid.link/20260615044737.3419585-1-airlied@gmail.com
[ Properly format commit message. - Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
(cherry picked from commit d008141ed4ce924167a03d46fbce9ad1fe4efa29)
Signed-off-by: Dave Airlie <airlied@redhat.com>
|
|
https://gitlab.freedesktop.org/drm/xe/kernel into drm-fixes
Driver Changes:
- Fix PTE index in xe_vm_populate_pgtable for chunked binds (Matt Brost)
- Wait on external BO kernel fences in exec IOCTL (Matt Brost)
- Remove duplicate include (Anas Khan)
- Free madvise VMA array on L2 flush failure (Guangshuo Li)
- Stub notifier_lock helpers when DRM_GPUSVM=n (Shuicheng Lin)
Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Thomas Hellstrom <thomas.hellstrom@linux.intel.com>
Link: https://patch.msgid.link/alASIbW318Rl-HTv@fedora
|
|
https://gitlab.freedesktop.org/agd5f/linux into drm-fixes
amd-drm-fixes-7.2-2026-07-09:
amdgpu:
- PSP 15.0.9 update
- SMU 15.0.9 update
- VCN 5.3 fix
- VI ASPM fix
- Userq fix
- lifetime fix for amdgpu_vm_get_task_info_pasid()
- Gfx10 fix
- SMU 14 fix
amdkfd:
- CRIU bounds checking fixes
- secondary context id fix
- Event bounds checking fix
Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Alex Deucher <alexander.deucher@amd.com>
Link: https://patch.msgid.link/20260709212303.15913-1-alexander.deucher@amd.com
|
|
https://gitlab.freedesktop.org/drm/misc/kernel into drm-fixes
drm-misc-fixes for v7.2-rc3:
- Fix uaf in amdxdna mmap failure path.
- A lot of deadlocks, access races and return value fixes in amdxdna.
- Fix analogix_dp bitshifts during link training.
- Use direct label in drm_exec.
- Fix absent indirect bo handling in v3d.
- Sync on first active crtc in fb_dirty, rather than first crtc.
- Rework try_harder in the buddy allocator.
- Make imagination function static to solve compiler warning.
- Fix imagination error checking.
Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Link: https://patch.msgid.link/71e5b48b-307f-47f5-8fd5-b60ea43e4196@linux.intel.com
|
|
When a block request is too large for a single ring entry and the
backend does not support indirect descriptors, blkfront splits it across
two ring requests. This only happens when the frontend runs on a
64K-page kernel (e.g. arm64): there, even a single-page request may not
fit in one ring slot and must be split. blkif_ring_get_request() is
called twice and both shadow slots (shadow[id] and shadow[extra_id])
point at the *same* struct request, linked through associated_id.
blkif_completion() collapses the pair on the normal completion path,
recycling the second slot and completing the request once. The
suspend/resume walk in blkfront_resume() does not: it visits every
shadow slot with ->request set and calls blk_mq_end_request() or
re-queues ->request. For an in-flight split request it therefore
processes the shared struct request twice on resume/migration -- a
double completion.
Skip the secondary slot of a split request in the resume walk so each
logical request is processed exactly once. The secondary slot is the
linked one (associated_id != NO_ASSOCIATED_ID) that carries no
scatter-gather list (num_sg == 0); the first slot always keeps the sg
list. The bug is only reachable on suspend/resume or live migration of
such a guest, so it has no local reproducer.
Fixes: 6cc568339047 ("xen/blkfront: Handle non-indirect grant with 64KB pages")
Assisted-by: 0sec:claude-opus-4-8
Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Link: https://patch.msgid.link/20260709100853.7489-1-doruk@0sec.ai
Signed-off-by: Jens Axboe <axboe@kernel.dk>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
Pull networking fixes from Paolo Abeni:
"Including fixes from netfilter, Bluetooth and batman-adv.
Current release - regressions:
- bluetooth: fix using chan->conn as indication to no remote netdev
Current release - new code bugs:
- netfilter: cap to maximum number of expectation per master on
updates
Previous releases - regressions:
- bluetooth:
- fix UAF of hci_conn_params in add_device_complete
- fix null ptr deref in hci_abort_conn()
- igmp: remove multicast group from hash table on device destruction
- batman-adv: prevent TVLV OOB check overflow
- eth: mlx5/mlx5e:
- fix off-by-one in single-FDB error rollback
- skip peer flow cleanup when LAG seq is unavailable
- fix crashes in dynamic per-channel stats and HV VHCA agent
- eth: mana: Sync page pool RX frags for CPU
Previous releases - always broken:
- netfilter:
- mark malformed IPv6 extension headers for hotdrop
- terminate table name before find_table_lock()
- ipvs: use parsed transport offset in TCP state lookup
- sched: act_pedit: fix TOCTOU heap OOB write in tc offload
- ethtool: rss: fix hfunc and input_xfrm parsing on big endian
- ipv4/ipv6: fix UAF and memory leak in IGMP/MLD
- tls: consume empty data records in tls_sw_read_sock()
- eth:
- octeontx2-af: fix VF bringup affecting PF promiscuous state
- gue: validate REMCSUM private option length"
* tag 'net-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (94 commits)
macsec: don't read an unset MAC header in macsec_encrypt()
dibs: loopback: validate offset and size in move_data()
octeontx2-af: fix VF bringup affecting PF promiscuous state
ethtool: rss: Fix hfunc and input_xfrm parsing on big endian
net/mlx5: Fix L3 tunnel entropy refcount leak
net: macb: drop in-flight Tx SKBs on close
net: mana: Sync page pool RX frags for CPU
net: mana: Validate the packet length reported by the NIC
selftests/net: fix EVP_MD_CTX leak in tcp_mmap
ipvs: ensure inner headers in ICMP errors are in headroom
ipvs: use parsed transport offset in SCTP state lookup
ipvs: use parsed transport offset in TCP state lookup
ipvs: pass parsed transport offset to state handlers
netfilter: handle unreadable frags
netfilter: flowtable: support IPIP tunnel with direct xmit
netfilter: flowtable: IPIP tunnel hardware offload is not yet support
netfilter: flowtable: use dst in this direction when pushing IPIP header
netfilter: ipset: allocate the proper memory for the generic hash structure
netfilter: ipset: cleanup the add/del backlog when resize failed
netfilter: ipset: exclude gc when resize is in progress
...
|
|
Since pvr_vm_context_lookup() returns either NULL or a pointer, then stop
using IS_ERR() for checking the return value.
Using IS_ERR() leads to the kernel oops reported below. It can be
reproduced by passing an invalid VM context handle from userspace to the
DRM_IOCTL_PVR_CREATE_CONTEXT ioctl.
[ 92.733119] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000148
[ 92.742042] Mem abort info:
[ 92.744890] ESR = 0x0000000096000004
[ 92.748686] EC = 0x25: DABT (current EL), IL = 32 bits
[ 92.754020] SET = 0, FnV = 0
[ 92.757154] EA = 0, S1PTW = 0
[ 92.760337] FSC = 0x04: level 0 translation fault
[ 92.765243] Data abort info:
[ 92.768129] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[ 92.773626] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 92.778763] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 92.784098] user pgtable: 4k pages, 48-bit VAs, pgdp=000000088ed23000
[ 92.790550] [0000000000000148] pgd=0000000000000000, p4d=0000000000000000
[ 92.797381] Internal error: Oops: 0000000096000004 [#1] SMP
[ 92.803027] Modules linked in: powervr
[ 92.852533] CPU: 0 UID: 0 PID: 409 Comm: triangle Not tainted 7.1.0-rc5-g98b46e693b91 #1 PREEMPT
[ 92.861385] Hardware name: Texas Instruments AM68 SK (DT)
[ 92.866766] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 92.873709] pc : pvr_vm_get_fw_mem_context+0x0/0xc [powervr]
[ 92.879376] lr : pvr_queue_create+0x26c/0x440 [powervr]
[ 92.884595] sp : ffff8000837fbb00
[ 92.887895] x29: ffff8000837fbb60 x28: 0000000000000000 x27: ffff8000837fbce8
[ 92.895015] x26: ffff000807f61a40 x25: ffff000807f61a00 x24: ffff000807f64400
[ 92.902135] x23: ffff00080a5ab000 x22: ffff800079b24730 x21: ffff000807f61800
[ 92.909254] x20: ffff00080999e680 x19: 0000000000000000 x18: 0000000000000000
[ 92.916373] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000001
[ 92.923492] x14: 0000000000000000 x13: 0000000000000002 x12: ffff80008145b298
[ 92.930611] x11: ffff8000844e5000 x10: ffff80008165a130 x9 : 0000000000000100
[ 92.937730] x8 : 0000000000000001 x7 : ffff0008076b27e0 x6 : ffff00080ec43b7c
[ 92.944850] x5 : ffff00080ec43b78 x4 : 0000000000000000 x3 : ffff00080999e680
[ 92.951968] x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000
[ 92.959088] Call trace:
[ 92.961521] pvr_vm_get_fw_mem_context+0x0/0xc [powervr] (P)
[ 92.967173] pvr_context_create+0x190/0x410 [powervr]
[ 92.972218] pvr_ioctl_create_context+0x44/0x8c [powervr]
[ 92.977608] drm_ioctl_kernel+0xbc/0x124 [drm]
[ 92.982127] drm_ioctl+0x1f8/0x4dc [drm]
[ 92.986098] __arm64_sys_ioctl+0xac/0x104
[ 92.990102] invoke_syscall+0x54/0x10c
[ 92.993842] el0_svc_common.constprop.0+0x40/0xe0
[ 92.998532] do_el0_svc+0x1c/0x28
[ 93.001835] el0_svc+0x38/0x11c
[ 93.004969] el0t_64_sync_handler+0xa0/0xe4
[ 93.009139] el0t_64_sync+0x198/0x19c
[ 93.012792] Code: aa1703e0 d2800014 95cb0ba4 17ffffe8 (f940a400)
[ 93.018869] ---[ end trace 0000000000000000 ]---
Fixes: d2d79d29bb98 ("drm/imagination: Implement context creation/destruction ioctls")
Cc: stable@vger.kernel.org
Signed-off-by: Luigi Santivetti <luigi.santivetti@imgtec.com>
Reviewed-by: Alessio Belle <alessio.belle@imgtec.com>
Link: https://patch.msgid.link/20260707-staging-ddkopsrc-2435-v1-1-24e160d44476@imgtec.com
Signed-off-by: Alessio Belle <alessio.belle@imgtec.com>
|
|
The pvr_fw_trace_init_mask_ops is not used outside pvr_fw_trace.c
so make it static to avoid the following sparse warning:
drivers/gpu/drm/imagination/pvr_fw_trace.c:74:31: warning: symbol 'pvr_fw_trace_init_mask_ops' was not declared. Should it be static?
Fixes: c6978643ea1c ("drm/imagination: Validate fw trace group_mask")
Reviewed-by: Alessio Belle <alessio.belle@imgtec.com>
Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk>
Link: https://patch.msgid.link/20260703162338.2848039-1-ben.dooks@codethink.co.uk
Signed-off-by: Alessio Belle <alessio.belle@imgtec.com>
|
|
The try_harder contiguous fallback could return a range whose start
offset did not match the caller's min_block_size. When a candidate's
start is misaligned, realign it: free the misaligned run and reallocate
exactly @size at the next lower min_block_size boundary. This keeps the
returned size unchanged with no surplus to trim, and rejects the request
only when no aligned candidate fits.
v2: align misaligned candidates down to min_block_size instead of
bailing out, for both the RHS and LHS paths (Matthew).
Fixes: 0a1844bf0b53 ("drm/buddy: Improve contiguous memory allocation")
Suggested-by: Christian König <christian.koenig@amd.com>
Cc: Matthew Auld <matthew.auld@intel.com>
Cc: Christian König <christian.koenig@amd.com>
Cc: Timur Kristóf <timur.kristof@gmail.com>
Cc: stable@vger.kernel.org
Reviewed-by: Matthew Auld <matthew.auld@intel.com>
Tested-by: John Olender <john.olender@gmail.com>
Signed-off-by: Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam@amd.com>
Link: https://patch.msgid.link/20260709131050.1022759-1-Arunpravin.PaneerSelvam@amd.com
|
|
macsec_encrypt() reads the Ethernet header via eth_hdr(skb)
(skb->head + skb->mac_header) to memmove() the 12 source/destination MAC
bytes forward and make room for the SecTAG.
On the AF_PACKET SOCK_RAW + PACKET_QDISC_BYPASS transmit path the skb
reaches the macsec ndo_start_xmit() with the MAC header unset, so
eth_hdr(skb) resolves to skb->head + (u16)~0 and the read is out of
bounds: a 12-byte heap over-read that is also emitted on the wire as the
frame's outer source/destination MAC. KASAN reports a slab-out-of-bounds
read in macsec_start_xmit() on 6.0; on current mainline a CONFIG_DEBUG_NET
build flags it as an unset mac header in skb_mac_header().
On the TX path the L2 header is at skb->data, so use skb_eth_hdr(), added
by commit 96cc4b69581d ("macvlan: do not assume mac_header is set in
macvlan_broadcast()") for exactly this purpose.
Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver")
Cc: stable@vger.kernel.org
Signed-off-by: Daehyeon Ko <4ncienth@gmail.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Link: https://patch.msgid.link/20260703083634.2035145-1-4ncienth@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
|
|
The loopback move_data() performs a memcpy into the registered DMB
without checking whether offset + size exceeds the DMB length. Unlike
real ISM hardware, which enforces memory region bounds natively, the
software loopback has no such protection.
A peer-supplied out-of-bounds offset or oversized write would result in
an OOB write past the allocated kernel buffer. Add an explicit bounds
check before the memcpy to reject such requests with -EINVAL.
Fixes: f7a22071dbf3 ("net/smc: implement DMB-related operations of loopback-ism")
Cc: stable@vger.kernel.org
Reported-by: Federico Kirschbaum <federico.kirschbaum@xbow.com>
Signed-off-by: Dust Li <dust.li@linux.alibaba.com>
Reported-by: Baul Lee <baul.lee@xbow.com>
Link: https://patch.msgid.link/20260707074318.1448662-1-dust.li@linux.alibaba.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
|
|
When CONFIG_DRM_GPUSVM=n (e.g. um-allyesconfig), the only caller of
xe_pt_svm_userptr_notifier_lock() is compiled out, triggering:
drivers/gpu/drm/xe/xe_pt.c:1418:13: warning:
'xe_pt_svm_userptr_notifier_lock' defined but not used
[-Wunused-function]
The helpers cannot simply be removed in this case: the matching
xe_pt_svm_userptr_notifier_unlock() is also referenced from
xe_pt_update_ops_run(), which lives outside any DRM_GPUSVM ifdef and is
gated only at runtime by pt_update_ops->needs_svm_lock. The symbol must
exist in all builds.
Provide empty static inline stubs for !DRM_GPUSVM, matching the pattern
used by xe_svm_notifier_lock()/_unlock() in xe_svm.h.
Fixes: dca6e08c923a ("drm/xe/userptr: Hold notifier_lock for write on inject test path")
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202606302210.QqcLbOEN-lkp@intel.com/
Reviewed-by: Matthew Brost <matthew.brost@intel.com>
Link: https://patch.msgid.link/20260630192221.2998168-1-shuicheng.lin@intel.com
Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
(cherry picked from commit 3359422bf0a1140e96d783a19a397686e580a3ca)
Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
|
|
xe_vm_madvise_ioctl() allocates madvise_range.vmas in get_vmas().
After get_vmas() succeeds with at least one VMA, error paths must go
through free_vmas so the array is released before the madvise details are
destroyed.
The L2 flush validation path added for PAT madvise rejects some
SVM/userptr ranges after get_vmas() has succeeded, but jumps directly to
madv_fini. This skips kfree(madvise_range.vmas), leaking the VMA array on
each failed ioctl.
Jump to free_vmas instead, matching the other validation failure paths
after get_vmas() has succeeded.
Fixes: 4f39a194d41e ("drm/xe/xe3p_lpg: Restrict UAPI to enable L2 flush optimization")
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Link: https://patch.msgid.link/20260708073422.725186-1-lgs201920130244@gmail.com
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
(cherry picked from commit c3a1c3579b1250060da73507a4acef712974c78a)
Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
|
|
xe_pci.c includes <kunit/test-bug.h> twice, separated only by the
<kunit/test.h> include. Drop the redundant second include; this is a
non-functional cleanup flagged by scripts/checkincludes.pl.
Fixes: 6cad22853cb8 ("drm/xe/kunit: Add stub to read_gmdid")
Signed-off-by: Anas Khan <anxkhn28@gmail.com>
Link: https://patch.msgid.link/20260702112820.34675-1-anxkhn28@gmail.com
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
(cherry picked from commit 84ed5b0a925721aaf069d36e18a99db966ff4e80)
Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
|