[Deepin-Kernel-SIG] [linux 6.6-y] [Upstream] Update kernel base to 6.6.142#1795
commit fcf04b14334641f4b0b8647824480935e9416d52 upstream.

On passive MPTCP connections, the msk sndbuf is not updated correctly. The root cause is an order issue in the accept path:

- tcp_check_req() -> subflow_syn_recv_sock() -> mptcp_sk_clone_init() calls __mptcp_propagate_sndbuf() to copy the ssk sndbuf into msk
- Later, tcp_child_process() -> tcp_init_transfer() -> tcp_sndbuf_expand() grows the ssk sndbuf.

So __mptcp_propagate_sndbuf() runs before the ssk sndbuf has been expanded and the msk ends up with a much smaller sndbuf than the subflow:

MPTCP: msk->sndbuf:20480, msk->first->sndbuf:2626560

Fix this by moving the __mptcp_propagate_sndbuf() call from mptcp_sk_clone_init() -- the ssk sndbuf is not yet finalized there -- to __mptcp_propagate_sndbuf() at accept() time, when the ssk sndbuf has been fully expanded by tcp_sndbuf_expand().

Fixes: 8005184 ("mptcp: refactor sndbuf auto-tuning")
Cc: stable@vger.kernel.org
Closes: multipath-tcp/mptcp_net-next#602
Signed-off-by: Gang Yan <yangang@kylinos.cn>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260420-net-mptcp-sync-sndbuf-accept-v1-1-e3523e3aeb44@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[ No conflicts, but move __mptcp_propagate_sndbuf() above the for-loop (mptcp_for_each_subflow()) present in this version, which will modify 'subflow' used by __mptcp_propagate_sndbuf() in this new patch. ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit b386aa38b81dc2f7bfe35cc28db6734d8e28a89f)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 03f324f3f1f7619a47b9c91282cb12775ab0a2f1 upstream. ADD_ADDR can be sent for the ID 0, which corresponds to the local address and port linked to the initial subflow. Indeed, this address could be removed, and re-added later on, e.g. what is done in the "delete re-add signal" MPTCP Join selftests. So no reason to ignore it. Fixes: 00cfd77 ("mptcp: retransmit ADD_ADDR when timeout") Cc: stable@vger.kernel.org Reviewed-by: Mat Martineau <martineau@kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org> Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-2-fca8091060a4@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org> [ applied to net/mptcp/pm_netlink.c instead of upstream's pm_kernel.c ] Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 19a3ec9ef176acdbfccb0df1691cfba8d2989a3c) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 9634cb35af17019baec21ca648516ce376fa10e6 upstream. When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(). It should then be released in all cases at the end. Some (unlikely) checks were returning directly instead of calling sock_put() to decrease the refcount. Jump to a new 'exit' label to call __sock_put() (which will become sock_put() in the next commit) to fix this potential leak. While at it, drop the '!msk' check which cannot happen because it is never reset, and explicitly mark the remaining one as "unlikely". Fixes: 00cfd77 ("mptcp: retransmit ADD_ADDR when timeout") Cc: stable@vger.kernel.org Reviewed-by: Mat Martineau <martineau@kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org> Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-4-fca8091060a4@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org> [ applied to net/mptcp/pm_netlink.c instead of upstream's pm_kernel.c ] Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 9426265e157dd77ec237c795901ed4dea6d69b5c) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit b7b9a461569734d33d3259d58d2507adfac107ed upstream. When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(), and released at the end. If at that moment, it was the last reference being held, the sk would not be freed. sock_put() should then be called instead of __sock_put(). But that's not enough: if it is the last reference, sock_put() will call sk_free(), which will end up calling sk_stop_timer_sync() on the same timer, and waiting indefinitely to finish. So it is needed to mark that the timer is done at the end of the timer handler when it has not been rescheduled, not to call sk_stop_timer_sync() on "itself". Fixes: 00cfd77 ("mptcp: retransmit ADD_ADDR when timeout") Cc: stable@vger.kernel.org Reviewed-by: Mat Martineau <martineau@kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org> Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-5-fca8091060a4@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org> [ Applied to net/mptcp/pm_netlink.c instead of upstream's pm_kernel.c. Also, there were conflicts, because commit 30549ee ("mptcp: make ADD_ADDR retransmission timeout adaptive") is not in this version and changed the context. Also, other conflicts were due to newer patches being backported with resolved conflicts before this one. ] Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 6a3af482188f6db4186d1605f64d911d7330abb3) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 40534d1 ]

The spidev driver previously used two mutexes, spi_lock and buf_lock, but acquired them in different orders depending on the code path:

write()/read(): buf_lock -> spi_lock
ioctl(): spi_lock -> buf_lock

This AB-BA locking pattern triggers lockdep warnings and can cause real deadlocks:

WARNING: possible circular locking dependency detected
spidev_ioctl() -> mutex_lock(&spidev->buf_lock)
spidev_sync_write() -> mutex_lock(&spidev->spi_lock)
*** DEADLOCK ***

The issue is reproducible with a simple userspace program that performs write() and SPI_IOC_WR_MAX_SPEED_HZ ioctl() calls from separate threads on the same spidev file descriptor.

Fix this by simplifying the locking model and removing the lock inversion entirely. spidev_sync() no longer performs any locking, and all callers serialize access using spi_lock. buf_lock is removed since its functionality is fully covered by spi_lock, eliminating the possibility of lock ordering issues.

This removes the lock inversion and prevents deadlocks without changing userspace ABI or behaviour.

Signed-off-by: Fabian Godehardt <fg@emlix.com>
Link: https://patch.msgid.link/20260211072616.489522-1-fg@emlix.com
Signed-off-by: Mark Brown <broonie@kernel.org>
[ Minor context conflict resolved. ]
Signed-off-by: Wenshan Lan <jetlan9@163.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit fabfed1afe273717ea33b8aee46b767360edbb80)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit c366a7b5ed7564e41345c380285bd3f6cb98971b ] debug_get_user_string() copies the userspace buffer into a newly allocated NUL-terminated buffer and then unconditionally looks at buffer[user_len - 1] to strip a trailing newline. A zero-length write reaches this helper unchanged, so the newline trim reads before the start of the allocated buffer. Reject empty writes before accessing the last input byte. Fixes: 66a464d ("[PATCH] s390: debug feature changes") Cc: stable@vger.kernel.org Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn> Reviewed-by: Benjamin Block <bblock@linux.ibm.com> Reviewed-by: Vasily Gorbik <gor@linux.ibm.com> Tested-by: Vasily Gorbik <gor@linux.ibm.com> Link: https://lore.kernel.org/r/20260417073530.96002-1-pengpeng@iscas.ac.cn Signed-off-by: Vasily Gorbik <gor@linux.ibm.com> Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit a052c2d8399a6fcffdef59aca13ecb5bf48e3bec) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
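As an added illustration of the zero-length write case in the s390 commit above (example code written for this page, not the kernel's debug_get_user_string()): the helper copies the user buffer, NUL-terminates the copy and then reads buffer[user_len - 1] to strip a trailing newline, which for user_len == 0 is a read one byte before the allocation. The model below applies the same fix, rejecting an empty write before the last byte is inspected. The function names, the -EINVAL return value and the in-process stand-in for copy_from_user() are assumptions of this example.

```c
/*
 * Added example (not the s390 kernel code): user-space model of the
 * debug_get_user_string() newline trim. Names, the -EINVAL return and
 * the in-process "copy from user" are assumptions of this example.
 */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/*
 * Copy a user-supplied string of user_len bytes into a fresh buffer,
 * NUL-terminate it and drop one trailing newline. Returns 0 and stores
 * the buffer in *out on success, a negative errno otherwise.
 */
static int get_user_string_model(const char *user_buf, size_t user_len, char **out)
{
    char *buffer;

    /* The fix: with nothing to copy there is no last byte to inspect. */
    if (user_len == 0)
        return -EINVAL;

    buffer = malloc(user_len + 1);
    if (!buffer)
        return -ENOMEM;
    memcpy(buffer, user_buf, user_len);   /* stands in for copy_from_user() */
    buffer[user_len] = '\0';

    /* Without the check above this would be buffer[-1] for an empty write. */
    if (buffer[user_len - 1] == '\n')
        buffer[user_len - 1] = '\0';

    *out = buffer;
    return 0;
}

/* Test helper: 1 if the trimmed result equals `expected`, 0 otherwise. */
static int trims_to(const char *user_buf, size_t user_len, const char *expected)
{
    char *s = NULL;
    int ok;

    if (get_user_string_model(user_buf, user_len, &s) != 0)
        return 0;
    ok = strcmp(s, expected) == 0;
    free(s);
    return ok;
}

/* Test helper: the status code returned for a write of user_len bytes. */
static int status_for(const char *user_buf, size_t user_len)
{
    char *s = NULL;
    int ret = get_user_string_model(user_buf, user_len, &s);

    free(s);
    return ret;
}
```

The ordering matters: the length check has to sit before the allocation and the trim, because the out-of-bounds read happens on the very first access to the buffer's "last" byte, not on a later use.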
[ Upstream commit 7d73872d949c488a1d7c308031d6a9d89b5e0a8b ] When NL80211_TDLS_ENABLE_LINK is called, the code only checks if the station exists but not whether it is actually a TDLS station. This allows the operation to proceed for non-TDLS stations, causing unintended side effects like modifying channel context and HT protection before failing. Add a check for sta->sta.tdls early in the ENABLE_LINK case, before any side effects occur, to ensure the operation is only allowed for actual TDLS peers. Reported-by: syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=56b6a844a4ea74487b7b Tested-by: syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com Suggested-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com> Link: https://patch.msgid.link/20260313092417.520807-1-kartikey406@gmail.com Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Li hongliang <1468888505@139.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit ba5b43db126a5e7378553869e3f7954d9187349f) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
This reverts commit db82a94b0c109e7697a593f36783e7ef36073983. Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 2682bf9a804b52a9490cfbc654d53f324e2c644d) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 520da3c ]

The expired durable opens should not be reclaimed by client. This patch adds ->durable_scavenger_timeout to fp and checks it in ksmbd_lookup_durable_fd().

Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Alva Lan <alvalan9@foxmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 50a23fa28e762c2cfcde6934ef0b83197e272af5)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit d484d62 ] Launch ksmbd-durable-scavenger kernel thread to scan durable fps that have not been reclaimed by a client within the configured time. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> [ Minor context conflict resolved. ] Signed-off-by: Alva Lan <alvalan9@foxmail.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 7f0cb478703cbeaddfe5c9101c5c73cd975d1073) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 49110a8ce654bbe56bef7c5e44cce31f4b102b8a ]

Currently, ksmbd does not verify if the user attempting to reconnect to a durable handle is the same user who originally opened the file. This allows any authenticated user to hijack an orphaned durable handle by predicting or brute-forcing the persistent ID.

According to MS-SMB2, the server MUST verify that the SecurityContext of the reconnect request matches the SecurityContext associated with the existing open.

Add a durable_owner structure to ksmbd_file to store the original opener's UID, GID, and account name, capture the owner information when a file handle becomes orphaned, and implement ksmbd_vfs_compare_durable_owner() to validate the identity of the requester during SMB2_CREATE (DHnC).

Fixes: c8efcc7 ("ksmbd: add support for durable handles v1/v2")
Reported-by: Davide Ornaghi <d.ornaghi97@gmail.com>
Reported-by: Navaneeth K <knavaneeth786@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ Minor context conflict resolved. ]
Signed-off-by: Alva Lan <alvalan9@foxmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 712cdf917e77a6444ce3836874829d770db20ee6)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit bf736184d063da1a552ffeff0481813599a182cc ]
ksmbd_durable_scavenger() has two related races against any walker
that iterates f_ci->m_fp_list, including ksmbd_lookup_fd_inode()
(used by ksmbd_vfs_rename) and the share-mode checks in
fs/smb/server/smb_common.c.
(1) fp->node list-head reuse. Durable-preserved handles can remain
linked on f_ci->m_fp_list after session teardown so share-mode checks
still see them while the handle is reconnectable. The scavenger
collected expired handles by adding fp->node to a local
scavenger_list after removing them from the global durable idr.
Because fp->node is the same list_head used by m_fp_list,
list_add(&fp->node, &scavenger_list) overwrites the m_fp_list links
and corrupts both lists. CONFIG_DEBUG_LIST can report this on the
share-mode walk path.
(2) Refcount race against m_fp_list walkers. The scavenger qualifies
an expired durable handle with atomic_read(&fp->refcount) > 1 and
fp->conn under global_ft.lock, removes fp from global_ft, then drops
global_ft.lock before unlinking fp from m_fp_list and freeing it.
During that gap fp is still linked on m_fp_list with f_state ==
FP_INITED. ksmbd_lookup_fd_inode() under m_lock read calls
ksmbd_fp_get() (atomic_inc_not_zero on refcount that is still 1) and
takes a live reference; the scavenger then unlinks and frees fp
while the holder owns a reference, leading to UAF on the holder's
subsequent ksmbd_fd_put() and on any field reads performed by a
concurrent share-mode walker that iterates m_fp_list without taking
ksmbd_fp_get() (smb_check_perm_dleases-like paths).
Fix both:
* Stop reusing fp->node as a scavenger-private list node. Remove
one expired handle from global_ft under global_ft.lock, take an
explicit transient reference, drop the lock, unlink fp->node
from m_fp_list under f_ci->m_lock, then drop both the durable
lifetime and transient references with atomic_sub_and_test(2,
&fp->refcount). If the scavenger is the last putter the close
runs there; otherwise an in-flight holder that already raced
through the m_fp_list lookup owns the final close via its
ksmbd_fd_put() path. The one-at-a-time disposal can rescan the
durable idr when multiple handles expire in the same pass, but
durable scavenging is a background expiration path and the final
full scan recomputes min_timeout before the next wait.
* Clear fp->persistent_id inside __ksmbd_remove_durable_fd() right
after idr_remove(), so a delayed final close from a holder that
snatched fp does not re-issue idr_remove() on a persistent id
that idr_alloc_cyclic() in ksmbd_open_durable_fd() may have
already handed out to a brand-new durable handle.
* Bypass the per-conn open_files_count decrement in
__put_fd_final() when fp is detached from any session table
(fp->conn cleared by session_fd_check() at durable preserve --
paired with the volatile_id clear at unpublish, so checking
fp->conn alone is sufficient). The walker that owns the final
close runs from an unrelated work->conn whose
stats.open_files_count never tracked this durable fp; without
this guard the holder would underflow that unrelated counter.
The two races are folded into one patch because patch (1) alone
cleans up the corrupted list but leaves a deterministic UAF window
for m_fp_list walkers that the transient-reference and
persistent_id discipline in (2) close; bisecting onto an
intermediate state would land on a UAF that pre-patch chaos merely
made less reproducible.
Validation:
* CONFIG_DEBUG_LIST coverage for the list_head reuse path.
* KASAN-enabled direct SMB2 durable-handle coverage that exercised
ksmbd_durable_scavenger() and non-NULL ksmbd_lookup_fd_inode()
returns while durable handles expired under concurrent rename
lookups, with no KASAN, UAF, list-corruption, ODEBUG, or WARNING
reports.
* checkpatch --strict
* make -j$(nproc) M=fs/smb/server
Fixes: d484d62 ("ksmbd: add durable scavenger timer")
Signed-off-by: DaeMyung Kang <charsyam@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Alva Lan <alvalan9@foxmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 3a436932eb397e909d0607d76a8325abd9d85a35)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit e5b31d988a41549037b8d8721a3c3cae893d8670 ]

Igor Ushakov reported that GC purged the receive queue of an alive socket due to a race with MSG_PEEK with a nice repro.

This is the exact same issue previously fixed by commit cbcf011 ("af_unix: fix garbage collect vs MSG_PEEK").

After GC was replaced with the current algorithm, the cited commit removed the locking dance in unix_peek_fds() and reintroduced the same issue.

The problem is that MSG_PEEK bumps a file refcount without interacting with GC.

Consider an SCC containing sk-A and sk-B, where sk-A is close()d but can be recv()ed via sk-B.

The bad thing happens if sk-A is recv()ed with MSG_PEEK from sk-B and sk-B is close()d while GC is checking unix_vertex_dead() for sk-A and sk-B.

  GC thread                          User thread
  ---------                          -----------
  unix_vertex_dead(sk-A) -> true <------.
                                         \
                                          `------ recv(sk-B, MSG_PEEK)
                                                  invalidate !!
                                                    -> sk-A's file refcount : 1 -> 2

                                          close(sk-B)
                                            -> sk-B's file refcount : 2 -> 1

  unix_vertex_dead(sk-B) -> true

Initially, sk-A's file refcount is 1 by the inflight fd in sk-B recvq. GC thinks sk-A is dead because the file refcount is the same as the number of its inflight fds.

However, sk-A's file refcount is bumped silently by MSG_PEEK, which invalidates the previous evaluation.

At this moment, sk-B's file refcount is 2; one by the open fd, and one by the inflight fd in sk-A. The subsequent close() releases one refcount by the former.

Finally, GC incorrectly concludes that both sk-A and sk-B are dead.

One option is to restore the locking dance in unix_peek_fds(), but we can resolve this more elegantly thanks to the new algorithm.

The point is that the issue does not occur without the subsequent close() and we actually do not need to synchronise MSG_PEEK with the dead SCC detection.

When the issue occurs, close() and GC touch the same file refcount. If GC sees the refcount being decremented by close(), it can just give up garbage-collecting the SCC.

Therefore, we only need to signal the race during MSG_PEEK with a proper memory barrier to make it visible to the GC.

Let's use seqcount_t to notify GC when MSG_PEEK occurs and let it defer the SCC to the next run.

This way no locking is needed on the MSG_PEEK side, and we can avoid imposing a penalty on every MSG_PEEK unnecessarily.

Note that we can retry within unix_scc_dead() if MSG_PEEK is detected, but we do not do so to avoid hung task splat from abusive MSG_PEEK calls.

Fixes: 118f457 ("af_unix: Remove lock dance in unix_peek_fds().")
Reported-by: Igor Ushakov <sysroot314@gmail.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260311054043.1231316-1-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Using include/net/af_unix.h instead of net/unix/af_unix.h on 6.6 ]
Signed-off-by: Leon Chen <leonchen.oss@139.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 3106f326f67c03dd9da4ca64663d11e40138cf40)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
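As an added, single-threaded model of the interleaving in the af_unix commit above and of the seqcount-style fix it describes (example code written for this page, not net/unix code): a vertex counts as dead when its file refcount equals its inflight count; MSG_PEEK bumps the refcount and, in the fixed variant, a sequence counter that the GC samples before walking the SCC and re-checks afterwards, giving the SCC up if it changed. The `racer` hook stages the user thread's peek and close between the two vertex checks. All names, counts and the hook are constructed for this example; the real code uses seqcount_t with the matching memory barriers, which a sequential model does not need.

```c
/*
 * Added example (not net/unix code): model of the MSG_PEEK vs GC race and
 * of the seqcount-style fix. Names, counts and the racer hook are
 * constructed for this example.
 */
#include <stdbool.h>
#include <stddef.h>

struct vertex {
    int file_refcnt;   /* references to the socket's struct file */
    int inflight;      /* fds carrying this socket in some recv queue */
};

static unsigned int peek_seq;   /* stands in for the seqcount_t */

static void model_peek(struct vertex *v)
{
    v->file_refcnt++;    /* MSG_PEEK installs the fd, taking a file ref */
    peek_seq++;          /* the fix: make the peek visible to GC */
}

static void model_close(struct vertex *v)
{
    v->file_refcnt--;    /* close() drops the open fd's reference */
}

static bool vertex_dead(const struct vertex *v)
{
    return v->file_refcnt == v->inflight;
}

/*
 * Returns true when every vertex of the SCC looks dead. With check_seq set,
 * a MSG_PEEK observed during the walk defers the SCC to the next GC run.
 * `racer`, if non-NULL, runs after the first vertex has been judged.
 */
static bool scc_dead(struct vertex **scc, size_t n, bool check_seq, void (*racer)(void))
{
    unsigned int seq = peek_seq;          /* read_seqcount_begin() */

    for (size_t i = 0; i < n; i++) {
        if (!vertex_dead(scc[i]))
            return false;
        if (racer && i == 0)
            racer();
    }
    if (check_seq && seq != peek_seq)     /* read_seqcount_retry(): give up */
        return false;
    return true;
}

/* Scenario from the commit: sk-A is closed but reachable via sk-B's queue. */
static struct vertex sk_a, sk_b;

/* User thread: peek sk-A out of sk-B's queue, then close sk-B. */
static void user_thread_race(void)
{
    model_peek(&sk_a);    /* sk-A file refcount: 1 -> 2, sk-A is alive again */
    model_close(&sk_b);   /* sk-B file refcount: 2 -> 1 */
}

/* Test helper: does GC declare the SCC dead under this interleaving? */
static bool gc_collects_scc(bool check_seq)
{
    struct vertex *scc[2] = { &sk_a, &sk_b };

    sk_a.file_refcnt = 1; sk_a.inflight = 1;   /* only the inflight ref */
    sk_b.file_refcnt = 2; sk_b.inflight = 1;   /* open fd + inflight in sk-A */
    return scc_dead(scc, 2, check_seq, user_thread_race);
}

/* Test helper: is sk-A actually alive once the user thread has run? */
static bool sk_a_alive_after_race(void)
{
    gc_collects_scc(true);
    return !vertex_dead(&sk_a);
}
```

Run with check_seq false the walk reproduces the bug: sk-A is judged dead before the peek, sk-B after the close, and a live SCC is collected. With check_seq true the same walk notices the counter moved and returns false, leaving the SCC for the next run, which is exactly the "defer rather than retry" choice the commit makes.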
commit 3da1fdf4efbc490041eb4f836bf596201203f8f2 upstream. cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin. Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key. Fixes: f1d662a ("[CIFS] Add upcall files for cifs to use spnego/kerberos") Assisted-by: avom-custom-harness:gpt-5.5-qwen3.6-mod-mix Reviewed-by: David Howells <dhowells@redhat.com> Signed-off-by: Asim Viladi Oglu Manizada <manizada@pm.me> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 2035acfb17221729b1b8ac335e941868a04ca079) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
This reverts commit ca6f9d9aee5408c47e6c0fac10955cb6825ecd96. Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 6331b0f7b71e6edf88a000414f84cf18462a12fa) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
This reverts commit a753619ffecfe629ee73c821469edd8b37c72d3b. Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 7963b6141b4cd59550e5fe7cf61dd97e4333e11b) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 237557b8a81ab948e8332f7c0058e758f081c0a3 upstream. When sysfs_update_group() is called for a named group and create_files() fails (e.g. -ENOMEM), internal_create_group() calls kernfs_remove(kn) on the group directory. In the update path, kn was obtained via kernfs_find_and_get() and refers to a directory that already existed before this call. Removing it silently destroys a sysfs group that the caller did not create. Only remove the directory if we created it ourselves. On update failure the directory remains as it is left empty by remove_files() inside create_files(), but can be repopulated by a retry. Cc: Rajat Jain <rajatja@google.com> Fixes: c855cf2 ("sysfs: Fix internal_create_group() for named group updates") Cc: stable <stable@kernel.org> Assisted-by: gkh_clanker_t1000 Reviewed-by: Rafael J. Wysocki (Intel) <rafael@kernel.org> Reviewed-by: Danilo Krummrich <dakr@kernel.org> Link: https://patch.msgid.link/2026052003-uniquely-hastily-c093@gregkh Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 31527d80234caf83dc96ad478645e57df9de4472) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit d4e7b5c4cc353f154d5ab8bb2e1ce7714d77a6e9 upstream. damon_sysfs_memcg_path_to_id() breaks mem_cgroup_iter() loop without calling mem_cgroup_iter_break(). This leaks the cgroup reference. Fix the issue by calling mem_cgroup_iter_break() before the break. The issue was discovered [1] by Sashiko. Link: https://lore.kernel.org/20260426173625.86521-1-sj@kernel.org Link: https://lore.kernel.org/20260423004148.74722-1-sj@kernel.org [1] Fixes: 29cbb9a ("mm/damon/sysfs-schemes: implement scheme filters") Signed-off-by: SeongJae Park <sj@kernel.org> Cc: <stable@vger.kernel.org> # 6.3.x Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 082351f9d40007414ad6af062b3a26fa02fd4b5f) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 4b83cbc4c15f09b000cc06f033f64b0824b6dc87 upstream.

session_fd_check() walks the per-inode m_op_list during durable-handle session teardown and sets op->conn = NULL for every opinfo whose conn matched the closing session's connection. The matching opinfo, however, stays linked in its per-ClientGuid lease_table_list entry's lb->lease_list because destroy_lease_table() only runs on full TCP-connection teardown, not on SESSION_LOGOFF.

If the same TCP connection then negotiates a fresh session with the same ClientGuid (ClientGuid is bound to NEGOTIATE, not the session, and is unchanged across LOGOFF + SETUP) and issues a SMB2 CREATE with a lease context on a different inode, find_same_lease_key() walks lb->lease_list, reaches the stale opinfo, and calls compare_guid_key(), which unconditionally dereferences opinfo->conn->ClientGUID. The conn pointer is NULL and the kernel panics.

Reproducer requires only a successful SMB2 SESSION_SETUP and a share configured with 'durable handles = yes'.

KASAN report on mainline 70390501d194:

general protection fault, probably for non-canonical address 0xdffffc0000000069: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000348-0x000000000000034f]
Workqueue: ksmbd-io handle_ksmbd_work
RIP: 0010:bcmp+0x5b/0x230
Call Trace:
 compare_guid_key+0x4b/0xd0
 find_same_lease_key+0x324/0x690
 smb2_open+0x6aea/0x8e60
 handle_ksmbd_work+0x796/0xee0
 ...

Faulting address 0x348 is the offset of ClientGUID within struct ksmbd_conn, confirming opinfo->conn was NULL.

Read opinfo->conn once and bail out if it has been cleared by a concurrent session_fd_check(). A half-detached opinfo cannot be the owner of an active lease, so returning 0 is the correct match result.

Fixes: c8efcc7 ("ksmbd: add support for durable handles v1/v2")
Cc: stable@vger.kernel.org
Signed-off-by: Jeremy Laratro <research@aradex.io>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit e43cb36d4d7827710cfcd48e95e29a507f0d87be)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit af92ee994cc7f7e83a41c2025f32257a2f82a7ef upstream.
Commit 299f962c0b02 ("ksmbd: use check_add_overflow() to prevent u16
DACL size overflow") added check_add_overflow() guards that break out
of the ACE-building loops in set_posix_acl_entries_dacl() when the
accumulated DACL size would wrap past 65535.
However, each iteration allocates a struct smb_sid via kmalloc_obj()
at the top of the loop and relies on the kfree(sid) call at the end
of the loop body (the 'pass_same_sid' label in the first loop, and
the explicit kfree at the tail of the second loop) to release it.
The newly introduced 'break' statements bypass those kfree() calls,
leaking the sid buffer every time an overflow is detected.
A malicious or malformed file with enough POSIX ACL entries to trip
the overflow check will leak one or more struct smb_sid allocations
on every request that touches the file's DACL, providing a trivial
kernel memory exhaustion vector.
Free sid before breaking out of the loops to plug the leak.
Fixes: 299f962c0b02 ("ksmbd: use check_add_overflow() to prevent u16 DACL size overflow")
Cc: stable@vger.kernel.org
Signed-off-by: Ferry Meng <mengferry@linux.alibaba.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 9d378e17c864da08c3a4df41dae92cfa6468b00a)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 4d8690dace005a38e6dbde9ecce2da3ad85c7c41 upstream.

Commit 96c4af4 ("cifs: Fix locking usage for tcon fields") refactored cifs code to change cifs_tcp_ses_lock for tc_lock around tc_count changes. There was a missing lock around the tc_count increment inside smb2_find_smb_sess_tcon_unlocked().

Cc: stable@vger.kernel.org
Fixes: 96c4af4 ("cifs: Fix locking usage for tcon fields")
Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 7df1df6f40c0720d30206aa35c0343b962350e0d)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 4ec9c8e023c79f613fe4d5ad8cc737112efb2e44 upstream.
Reproducer:
1. server: systemctl start ksmbd
2. client: mount -t cifs //${server_ip}/export /mnt
3. client: C program: openat(AT_FDCWD, "/mnt", O_RDWR | O_TMPFILE, 0600)
Do not treat `FILE_DELETE_ON_CLOSE_LE` as delete pending while files
remain open.
This patch fixes xfstests generic/004.
Cc: stable@vger.kernel.org
Link: https://chenxiaosong.com/en/smb-xfstests-generic-004.html
Co-developed-by: Huiwen He <hehuiwen@kylinos.cn>
Signed-off-by: Huiwen He <hehuiwen@kylinos.cn>
Signed-off-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Tested-by: Steve French <stfrench@microsoft.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit adcfb16ae402dbd6ebb71ec558dd6a3833c3d49e)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit eee213daa1e1b402eb631bcd1b8c5aa340a6b081 upstream.

adm1266_nvmem_read_blackbox() declares a 5-byte stack buffer and passes it to i2c_smbus_read_block_data() to retrieve the 4-byte BLACKBOX_INFO response.

i2c_smbus_read_block_data() does not honour caller buffer sizes -- it memcpy()s data.block[0] bytes from the SMBus transaction (where data.block[0] is the length byte returned by the slave device, up to I2C_SMBUS_BLOCK_MAX = 32):

memcpy(values, &data.block[1], data.block[0]);

If the device returns any block length above 5, the call overflows the caller's 5-byte stack buffer before the post-call

if (ret != 4) return -EIO;

check has a chance to reject the response.

Widen the local buffer to I2C_SMBUS_BLOCK_MAX so the helper has room for any well-formed SMBus block response, matching the convention used by the other i2c_smbus_read_block_data() callers in this driver.

Fixes: 15609d1 ("hwmon: (pmbus/adm1266) read blackbox")
Cc: stable@vger.kernel.org
Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
Link: https://lore.kernel.org/r/20260515-adm1266-fixes-v1-2-1c1ea1349cfe@nexthop.ai
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 0dbf64c502443c08c2e28a77ecbfcc5479d93228)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
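As an added model of the i2c_smbus_read_block_data() contract the adm1266 commit above relies on (example code written for this page, not the driver or the I2C core): the helper trusts the length byte the slave returns, at most I2C_SMBUS_BLOCK_MAX, and copies that many bytes into the caller's buffer without knowing how large that buffer is, so the caller must size its buffer for the worst case; the `ret != 4` check runs only after the copy. The fake device, the function names and the 0xA0.. payload pattern are constructed for this example.

```c
/*
 * Added example (not the adm1266 driver or the I2C core): user-space
 * model of a block read whose length is chosen by the device. The fake
 * device, names and payload bytes are constructed for this example.
 */
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define I2C_SMBUS_BLOCK_MAX 32

/* Constructed stand-in for the slave: a length byte and up to 32 bytes. */
struct fake_device {
    uint8_t len;
    uint8_t payload[I2C_SMBUS_BLOCK_MAX];
};

/*
 * Mirrors the helper's behaviour: copies block[0] bytes into `values`.
 * There is no size parameter, so the caller's buffer length is never
 * checked here. Returns the byte count, or a negative errno.
 */
static int model_smbus_read_block_data(const struct fake_device *dev, uint8_t *values)
{
    uint8_t block[I2C_SMBUS_BLOCK_MAX + 1];

    if (dev->len > I2C_SMBUS_BLOCK_MAX)
        return -EPROTO;                   /* the bus layer caps at 32 */
    block[0] = dev->len;
    memcpy(&block[1], dev->payload, dev->len);

    memcpy(values, &block[1], block[0]);  /* caller buffer size unknown */
    return block[0];
}

/*
 * Fixed caller: the local buffer holds a full SMBus block, so any
 * well-formed response fits before the length is validated. With the
 * original 5-byte buffer a device answering 6..32 bytes would already
 * have written past the buffer before the ret != 4 check rejected it.
 */
static int read_blackbox_info_fixed(const struct fake_device *dev, uint8_t info[4])
{
    uint8_t buf[I2C_SMBUS_BLOCK_MAX];     /* was: uint8_t buf[5] */
    int ret;

    ret = model_smbus_read_block_data(dev, buf);
    if (ret < 0)
        return ret;
    if (ret != 4)
        return -EIO;                      /* BLACKBOX_INFO is exactly 4 bytes */
    memcpy(info, buf, 4);
    return 0;
}

/* Test helper: a device that answers `device_len` bytes 0xA0, 0xA1, ... */
static void make_device(struct fake_device *dev, uint8_t device_len)
{
    memset(dev, 0, sizeof *dev);
    dev->len = device_len;
    for (int i = 0; i < I2C_SMBUS_BLOCK_MAX; i++)
        dev->payload[i] = (uint8_t)(0xA0 + i);
}

/* Test helper: status the fixed caller returns for a given device length. */
static int blackbox_status(uint8_t device_len)
{
    struct fake_device dev;
    uint8_t info[4];

    make_device(&dev, device_len);
    return read_blackbox_info_fixed(&dev, info);
}

/* Test helper: byte `idx` of a successful read, or -1 on error. */
static int blackbox_byte(uint8_t device_len, int idx)
{
    struct fake_device dev;
    uint8_t info[4] = {0};

    make_device(&dev, device_len);
    if (read_blackbox_info_fixed(&dev, info) != 0 || idx < 0 || idx > 3)
        return -1;
    return info[idx];
}
```

The general rule this illustrates: when a helper's write length is controlled by the peer (here the slave's length byte), the receiving buffer is sized to the protocol maximum, not to the expected reply, and the expected-length check only decides whether the data is used.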
commit b59d5c51bb328a60749b4dd5fe7e649bfb4089b4 upstream. find_format_descriptor() walks the class-specific interface extras by advancing with bLength. It rejects descriptors that extend past the remaining buffer, but it does not reject descriptor lengths smaller than a USB descriptor header. Reject too-short descriptors before using bLength to advance the local scan. This keeps the UA-101 parser robust against malformed descriptor data and matches the usual USB descriptor walking rules. Fixes: 63978ab ("sound: add Edirol UA-101 support") Cc: stable@vger.kernel.org Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com> Link: https://patch.msgid.link/20260519-alsa-ua101-desc-len-v1-1-4307d1a5e054@gmail.com Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit dade81458966d8a11e590f2fa18da2c87f8b56c1) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
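As an added walk over a constructed blob of class-specific descriptors, applying both rules the UA-101 commit above describes (example code written for this page, not the snd-ua101 driver): every USB descriptor starts with a 2-byte header (bLength, bDescriptorType) and bLength is the stride to the next one. A bLength extending past the remaining buffer was already rejected; a bLength below the header size has to be rejected as well, since bLength == 0 never advances the scan and bLength == 1 misaligns every following header. The function names, return codes and sample bytes are assumptions of this example.

```c
/*
 * Added example (not the snd-ua101 driver): descriptor walk with both
 * length checks. Names, return codes and the sample blobs are
 * constructed for this example.
 */
#include <stddef.h>
#include <stdint.h>

#define USB_DT_HEADER_LEN 2

/*
 * Return the offset of the first descriptor of `wanted_type`, -1 if the
 * blob is well-formed but contains none, or -2 if the blob is malformed.
 */
static int find_descriptor(const uint8_t *extra, size_t extralen, uint8_t wanted_type)
{
    size_t off = 0;

    while (off + USB_DT_HEADER_LEN <= extralen) {
        uint8_t bLength = extra[off];
        uint8_t bDescriptorType = extra[off + 1];

        if (bLength < USB_DT_HEADER_LEN)   /* the check this fix adds */
            return -2;
        if (bLength > extralen - off)      /* the pre-existing bounds check */
            return -2;
        if (bDescriptorType == wanted_type)
            return (int)off;
        off += bLength;                    /* safe: bLength >= 2 here */
    }
    return -1;
}

/*
 * Constructed sample blobs; 0x24/0x25 are the audio-class CS_INTERFACE
 * and CS_ENDPOINT descriptor types, the payload bytes are arbitrary.
 */
static const uint8_t good_extras[] = {
    0x05, 0x24, 0x01, 0x00, 0x01,   /* CS_INTERFACE, bLength 5 */
    0x04, 0x25, 0x02, 0x00,         /* CS_ENDPOINT,  bLength 4 */
};
static const uint8_t zero_len_extras[] = {
    0x05, 0x24, 0x01, 0x00, 0x01,
    0x00, 0x25, 0x02, 0x00,         /* bLength 0: stride never advances */
};
static const uint8_t overlong_extras[] = {
    0x05, 0x24, 0x01, 0x00, 0x01,
    0x10, 0x25, 0x02, 0x00,         /* bLength 16 with only 4 bytes left */
};

/* Test helpers: one per sample blob. */
static int find_in_good(uint8_t type)
{
    return find_descriptor(good_extras, sizeof good_extras, type);
}

static int find_in_zero_len(uint8_t type)
{
    return find_descriptor(zero_len_extras, sizeof zero_len_extras, type);
}

static int find_in_overlong(uint8_t type)
{
    return find_descriptor(overlong_extras, sizeof overlong_extras, type);
}
```

Without the first check the zero_len_extras walk would loop forever at offset 5 once the wanted type is not the first descriptor; the second check alone does not catch it, because a bLength of 0 never "extends past" anything.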
commit e4d3386b74fba8e01280484b67ee481ece00201e upstream. At transition to the iov_iter for PCM data transfer, we blindly applied the iov_iter setup also for silencing (i.e. data = NULL), and it leads to a calculation of bogus iov_iter. Fortunately this didn't cause troubles on most of architectures but it goes wrong on RISC-V now, causing a NULL dereference. Handle the NULL data case to treat the silencing in interleaved_copy() for addressing the bug above. noninterleaved_copy() has already the NULL data handling, so it doesn't need changes. Reported-by: Jiakai Xu <xujiakai24@mails.ucas.ac.cn> Closes: https://lore.kernel.org/20260515051516.3103036-1-xujiakai24@mails.ucas.ac.cn Fixes: cf393ba ("ALSA: pcm: Add copy ops with iov_iter") Cc: <stable@vger.kernel.org> Link: https://patch.msgid.link/20260517165121.31399-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 41a766c647294842c9b17672449f8e011048cba9) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 7b7d6572145c1dab2dd9bfb550b188e5f0ff3c3f upstream. find_control() to retrieve a cached info accesses the array with the given index blindly, which may lead to an OOB array access. Add a sanity check for avoiding it. Link: https://sashiko.dev/#/patchset/20260511230121.28606-1-rosenp%40gmail.com Cc: <stable@vger.kernel.org> Link: https://patch.msgid.link/20260515085606.242284-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 7b6f8c8eb93f02a74b1de8e521c0952af10d1f43) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 13c6da02e767152c9ac4330962247a5e47011035 upstream. Since commit 5894cf5 ("acpi/prmt: Use EFI runtime sandbox to invoke PRM handlers") ACPI PRM calls are delegated to a workqueue which runs in a kernel thread, making it easier to detect and mitigate faulting memory accesses performed by the firmware. Rafael reports that such PRM accesses may occur before efisubsys_init() executes, which is where the workqueue is allocated, leading to NULL pointer dereferences. Since acpi_init() [which triggers the early PRM accesses] executes as a subsys_initcall() as well, and has its own dependencies that may be sensitive to initcall ordering, deferring acpi_init() is not an option. So instead, split off the workqueue allocation into its own postcore initcall, as this is the only missing piece to allow EFI runtime calls to be made. This ensures that EFI runtime call (including PRM calls) are accessible to all code running at subsys_initcall() level. Cc: <stable@vger.kernel.org> Fixes: 5894cf5 ("acpi/prmt: Use EFI runtime sandbox to invoke PRM handlers") Reviewed-by: Rafael J. Wysocki (Intel) <rafael@kernel.org> Signed-off-by: Ard Biesheuvel <ardb@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 29cd94e678fcb3c4fd0f359deeac6d61334323fc) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…ting commit 03a2cc1756a0570f887d624cd6c535ea0cbd4951 upstream. memblk_nr_poison_inc() and memblk_nr_poison_sub() look up a memory block via find_memory_block_by_id(), which acquires a reference to the memory block device. Both helpers use the returned memory block without dropping that reference, leaking the device reference on each successful lookup. Drop the reference after updating nr_hwpoison. Link: https://lore.kernel.org/20260428085219.1316047-3-songmuchun@bytedance.com Fixes: 5033091 ("mm/hwpoison: introduce per-memory_block hwpoison counter") Signed-off-by: Muchun Song <songmuchun@bytedance.com> Reviewed-by: Miaohe Lin <linmiaohe@huawei.com> Acked-by: Oscar Salvador <osalvador@suse.de> Acked-by: David Hildenbrand (Arm) <david@kernel.org> Cc: Danilo Krummrich <dakr@kernel.org> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: "Huang, Ying" <huang.ying.caritas@gmail.com> Cc: Naoya Horiguchi <nao.horiguchi@gmail.com> Cc: "Rafael J. Wysocki" <rafael@kernel.org> Cc: Vishal Verma <vishal.l.verma@intel.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 686b4283f82cd630fafd7ca9b03dfc080b3ec8fa) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit c5d93b2c40355e999715262a824965aac025a427 upstream. The memory allocated in ipc_protocol_init() is not freed on the error paths that follow in ipc_imem_init(). Fix that by calling the corresponding release function ipc_protocol_deinit() in the error path. Fixes: 3670970 ("net: iosm: shared memory IPC interface") Cc: stable@vger.kernel.org Signed-off-by: Abdun Nihaal <nihaal@cse.iitm.ac.in> Link: https://patch.msgid.link/20260519062815.55545-1-nihaal@cse.iitm.ac.in Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 6f63a60580ebdd9a1f22f89a84814d1fefe16b1c) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit ab1513597c6cf17cd1ad2a21e3b045421b48e022 upstream.
bt_accept_dequeue() unlinks a not-yet-accepted child from the parent
accept queue and release_sock()s it before returning, so the returned
sk has no caller reference and is unlocked.
l2cap_sock_cleanup_listen() walks these children on listening-socket
close. A concurrent HCI disconnect drives hci_rx_work ->
l2cap_conn_del() which runs l2cap_chan_del() + l2cap_sock_kill() and
frees the child sk and its l2cap_chan; cleanup_listen() then uses both:
BUG: KASAN: slab-use-after-free in l2cap_sock_kill
l2cap_sock_kill / l2cap_sock_cleanup_listen / __x64_sys_close
Freed by: l2cap_conn_del -> l2cap_sock_close_cb -> l2cap_sock_kill
This is distinct from the two fixes already in this area: commit
e83f5e24da741 ("Bluetooth: serialize accept_q access") serialises the
accept_q list/poll and takes temporary refs inside bt_accept_dequeue(),
and CVE-2025-39860 serialises the userspace close()/accept() race by
calling cleanup_listen() under lock_sock() in l2cap_sock_release().
Neither covers l2cap_conn_del() running from hci_rx_work, so this UAF
still reproduces on current bluetooth/master.
Take the reference at the source: bt_accept_dequeue() does sock_hold()
while sk is still locked, before release_sock(); callers sock_put().
cleanup_listen() pins the chan with l2cap_chan_hold_unless_zero() under
a brief child sk lock (serialising vs l2cap_sock_teardown_cb()), drops
it before l2cap_chan_lock(), and skips a duplicate l2cap_sock_kill() on
SOCK_DEAD. conn->lock is not taken here: cleanup_listen() runs under
the parent sk lock and that would invert
conn->lock -> chan->lock -> sk_lock (lockdep).
KASAN/SMP: an unprivileged listen/close vs HCI-disconnect race produced
12 use-after-free reports per run before this change; 0, and no lockdep
report, over 1600+ raced iterations after it on bluetooth/master.
Fixes: 15f02b9 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode")
Cc: stable@vger.kernel.org
Reported-by: Siwei Zhang <oss@fourdim.xyz>
Reviewed-by: Siwei Zhang <oss@fourdim.xyz>
Signed-off-by: Safa Karakuş <safa.karakus@secunnix.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 5d86d2f1b4d9a508c441d3e45277ae1a73cfed57)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 0e46b6635b03d29807f810c3b415c4755a3f958d ] Fix two cases where pdsc_devcmd_wait() returns stale success from the completion register instead of an error: 1. FW crash: If firmware stops running, the wait loop breaks early with running=false. The condition "if ((!done || timeout) && running)" is false, so error handling is bypassed and stale status is returned. Check !running first and return -ENXIO. 2. Timeout: If a command times out, err is set to -ETIMEDOUT but then overwritten by pdsc_err_to_errno(status) which reads stale status. Return -ETIMEDOUT immediately after cleaning up. Both errors now propagate to pdsc_devcmd_locked() which queues health_work for recovery. Fixes: 45d76f4 ("pds_core: set up device and adminq") Signed-off-by: Nikhil P. Rao <nikhil.rao@amd.com> Link: https://patch.msgid.link/20260515212907.998028-1-nikhil.rao@amd.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 3231aff8ab26111c54e630b1a200fc43a729dd14) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
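The two stale-status paths in the pds_core commit above, modelled in userspace as an added example; this is not pds_core code. The fake register block, its field names, the poll counters and the status encoding are assumptions; only the control flow mirrors the buggy `(!done || timeout) && running` gate and the fixed ordering (dead firmware and timeout reported before the completion register is decoded).

```c
/*
 * Added example (not pds_core code): a userspace model of the devcmd
 * completion wait. The fake device, register names and status codes
 * are assumptions; only the control flow mirrors the bug and its fix.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

enum cmd_status { CMD_OK = 0, CMD_ERR = 1 };	/* hypothetical status encoding */

/* Fake register block. 'status' holds whatever the previous command left
 * behind, which is exactly the stale value the buggy path returns. */
struct fake_dev {
	bool done;
	bool running;
	uint8_t status;
	int polls_until_done;	/* -1: command never completes */
	int polls_until_dead;	/* -1: firmware stays alive */
};

static int status_to_errno(uint8_t status)
{
	return status == CMD_OK ? 0 : -EIO;
}

/* Advance the simulated device by one poll interval. */
static void fake_dev_poll(struct fake_dev *d)
{
	if (d->polls_until_done >= 0 && d->polls_until_done-- == 0)
		d->done = true;
	if (d->polls_until_dead >= 0 && d->polls_until_dead-- == 0)
		d->running = false;
}

/* Buggy shape: error handling is gated on 'running', and the timeout
 * errno is then overwritten by decoding the stale status register. */
static int devcmd_wait_buggy(struct fake_dev *d, int max_polls)
{
	bool timeout = false;
	int err = 0;
	int i = 0;

	while (!d->done && d->running) {
		if (i++ >= max_polls) {
			timeout = true;
			break;
		}
		fake_dev_poll(d);
	}
	if ((!d->done || timeout) && d->running)
		err = -ETIMEDOUT;
	err = status_to_errno(d->status);	/* clobbers -ETIMEDOUT; dead FW never set it */
	return err;
}

/* Fixed shape: dead firmware and timeout are reported on their own,
 * before the completion register is consulted at all. */
static int devcmd_wait_fixed(struct fake_dev *d, int max_polls)
{
	int i = 0;

	while (!d->done && d->running) {
		if (i++ >= max_polls)
			return -ETIMEDOUT;	/* nothing completed: status is meaningless */
		fake_dev_poll(d);
	}
	if (!d->running)
		return -ENXIO;		/* firmware stopped: status is meaningless too */
	return status_to_errno(d->status);
}

/* Run one constructed scenario through either implementation. The stale
 * status register is preset to CMD_OK, as a previous successful command
 * would have left it. */
static int run_scenario(int polls_until_done, int polls_until_dead,
			int max_polls, bool fixed)
{
	struct fake_dev d = {
		.done = false, .running = true, .status = CMD_OK,
		.polls_until_done = polls_until_done,
		.polls_until_dead = polls_until_dead,
	};

	return fixed ? devcmd_wait_fixed(&d, max_polls)
		     : devcmd_wait_buggy(&d, max_polls);
}

int main(void)
{
	/* Dead firmware and a hung command both read as "success" on the
	 * buggy path; the fixed path returns -ENXIO and -ETIMEDOUT. */
	return run_scenario(-1, 1, 10, false) == 0 &&
	       run_scenario(-1, 1, 10, true) == -ENXIO &&
	       run_scenario(-1, -1, 5, false) == 0 &&
	       run_scenario(-1, -1, 5, true) == -ETIMEDOUT ? 0 : 1;
}
```

The check a reviewer would carry over to other command-completion loops: any early exit from the poll loop must produce its own errno before the completion register is read, because that register only means something when the device reported completion for this command.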
[ Upstream commit dc416e32baaeb620b9809e9e25fc7b30889686e9 ] debugfs_lookup() returns a dentry with an elevated reference count that must be released with dput(). The current code discards the returned dentry without calling dput(), causing a reference leak on every firmware reset recovery. Additionally, when CONFIG_DEBUG_FS is disabled, debugfs_lookup() returns ERR_PTR(-ENODEV), not NULL. The current check passes for error pointers and would call dput() on an invalid pointer, causing a crash. Fixes: bc90fbe ("pds_core: Rework teardown/setup flow to be more common") Signed-off-by: Nikhil P. Rao <nikhil.rao@amd.com> Link: https://patch.msgid.link/20260515212907.998028-3-nikhil.rao@amd.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 60ef1675b652e912f3eb064767af4432393291fd) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 5431fdd ] Created as testing for the conditional guard infrastructure. Specifically this makes use of the following form: scoped_cond_guard (mutex_intr, return -ERESTARTNOINTR, &task->signal->cred_guard_mutex) { ... } ... return 0; Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Reviewed-by: Oleg Nesterov <oleg@redhat.com> Link: https://lkml.kernel.org/r/20231102110706.568467727%40infradead.org Stable-dep-of: 60a1969fae62 ("ALSA: seq: Serialize UMP output teardown with event_input") Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit b6d3d3816c67550be492b34bb38a8fec07643e46) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 6487e36 ] We can simplify the code gracefully with new guard() macro and co for automatic cleanup of locks. Only the code refactoring, and no functional changes. Signed-off-by: Takashi Iwai <tiwai@suse.de> Link: https://lore.kernel.org/r/20240227085306.9764-19-tiwai@suse.de Stable-dep-of: 60a1969fae62 ("ALSA: seq: Serialize UMP output teardown with event_input") Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit e5604a4804879f00ca8052b498268b7f483a1a52) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 60a1969fae6209644698fca91c185d153674f631 ] seq_ump_process_event() borrows client->out_rfile.output without synchronizing with the first-open and last-close transition in seq_ump_client_open() and seq_ump_client_close(). The last output unuse can therefore drop opened[STR_OUT] to zero and release the rawmidi file while an in-flight event_input callback is still inside snd_rawmidi_kernel_write(). That leaves the rawmidi substream runtime exposed to teardown before the write path has taken its own buffer reference. Add a per-client rwlock for the event_input-visible output file. Publish a newly opened output file under the write side, and hold the read side from the output lookup through snd_rawmidi_kernel_write(). The last output close copies and clears the visible output file under the write side, then drops the lock and releases the saved rawmidi file. Use IRQ-safe rwlock guards because event_input can also be reached from atomic sequencer delivery. The buggy scenario involves two paths, with each column showing the order within that path: path A label: event_input path path B label: last unuse path 1. seq_ump_process_event() reads 1. seq_ump_client_close() client->out_rfile.output. drops opened[STR_OUT] to zero. 2. snd_rawmidi_kernel_write1() 2. snd_rawmidi_kernel_release() has not yet pinned runtime. closes the output file. 3. The writer continues using 3. close_substream() frees the borrowed substream. substream->runtime. This keeps the output substream and runtime alive for the full event_input write while keeping rawmidi release outside the rwlock. KASAN reproduced this as a slab-use-after-free in snd_rawmidi_kernel_write1(), with allocation through seq_ump_use()/snd_seq_port_connect() and free through seq_ump_unuse()/snd_seq_port_disconnect(). 
Suggested-by: Takashi Iwai <tiwai@suse.de> Validation reproduced this kernel report: KASAN slab-use-after-free in snd_rawmidi_kernel_write1+0x9d/0x400 RIP: 0033:0x7f5528af837f Read of size 8 Call trace: dump_stack_lvl+0x73/0xb0 (?:?) print_report+0xd1/0x650 (?:?) srso_alias_return_thunk+0x5/0xfbef5 (?:?) __virt_addr_valid+0x1a7/0x340 (?:?) kasan_complete_mode_report_info+0x64/0x200 (?:?) kasan_report+0xf7/0x130 (?:?) snd_rawmidi_kernel_write1+0x9d/0x400 (?:?) __asan_load8+0x82/0xb0 (?:?) update_stack_state+0x1ef/0x2d0 (?:?) snd_rawmidi_kernel_write+0x1a/0x20 (?:?) seq_ump_process_event+0xd4/0x120 (sound/core/seq/seq_ump_client.c:82) __snd_seq_deliver_single_event+0x8a/0xe0 (?:?) snd_seq_deliver_from_ump+0x2b2/0xd60 (?:?) lock_acquire+0x14e/0x2e0 (?:?) find_held_lock+0x31/0x90 (?:?) snd_seq_port_use_ptr+0xa6/0xe0 (?:?) __kasan_check_write+0x18/0x20 (?:?) do_raw_read_unlock+0x32/0xa0 (?:?) _raw_read_unlock+0x26/0x50 (?:?) snd_seq_deliver_single_event+0x45c/0x4b0 (?:?) snd_seq_deliver_event+0x10d/0x1b0 (?:?) snd_seq_client_enqueue_event+0x192/0x240 (?:?) snd_seq_write+0x2cd/0x450 (?:?) apparmor_file_permission+0x20/0x30 (?:?) security_file_permission+0x51/0x60 (?:?) vfs_write+0x1ce/0x850 (?:?) __fget_files+0x12b/0x220 (?:?) lock_release+0xc8/0x2a0 (?:?) __rcu_read_unlock+0x74/0x2d0 (?:?) __fget_files+0x135/0x220 (?:?) ksys_write+0x15a/0x180 (?:?) rcu_is_watching+0x24/0x60 (?:?) __x64_sys_write+0x46/0x60 (?:?) x64_sys_call+0x7d/0x20d0 (?:?) do_syscall_64+0xc1/0x360 (arch/x86/entry/syscall_64.c:87) entry_SYSCALL_64_after_hwframe+0x77/0x7f (?:?) Fixes: 81fd444 ("ALSA: seq: Bind UMP device") Signed-off-by: Zhang Cen <rollkingzzc@gmail.com> Link: https://patch.msgid.link/20260520103249.3048345-1-rollkingzzc@gmail.com Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 8ba1c4ddbb1c67d34bb440aecb9f5690ed3f64cb) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 576ec047d20b368b43c4d5db98c4f2e0f3c101ec ] hist_field_name() returns "" everywhere except the fully-qualified VAR_REF/EXPR case, where snprintf() truncation returns NULL early and bypasses the bottom NULL->"" guard. Callers don't expect NULL: strcat(expr, hist_field_name(field, 0)) at trace_events_hist.c:1758 and the strcmp() in the sort-key match loop at :4804 both deref it. system and event_name are bounded by MAX_EVENT_NAME_LEN, but the field name on a VAR_REF is kstrdup'd from a histogram variable name parsed out of the trigger string and has no length cap, so a long enough var name in a fully qualified reference can reach the truncation path. Keep the length check but leave field_name as "" on overflow. Link: https://patch.msgid.link/20260508195747.25492-1-devnexen@gmail.com Fixes: 5ec1d1e97de1 ("tracing: Rebuild full_name on each hist_field_name() call") Signed-off-by: David Carlier <devnexen@gmail.com> Signed-off-by: Steven Rostedt <rostedt@goodmis.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit e91687643c440ca3997d67646e6f80b92edc6703) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
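The truncation path in the tracing commit above, as an added userspace example; this is not kernel code. The struct, the 32-byte buffer and the event names are assumptions. It shows why the fully-qualified-name length check has to degrade to "" rather than NULL: the modelled caller, like the `strcat()` site named in the commit, does not check the return value.

```c
/*
 * Added example (not kernel code): a userspace model of the
 * hist_field_name() truncation path. Struct layout, buffer size and
 * names are assumptions; the point is the NULL-vs-"" return contract.
 */
#include <stdio.h>
#include <string.h>

#define MAX_FULL_NAME 32	/* hypothetical, deliberately small */

struct hist_field {
	const char *system;	/* bounded by the trigger parser */
	const char *event_name;	/* bounded by the trigger parser */
	const char *field_name;	/* variable name: no length cap */
	char full_name[MAX_FULL_NAME];
};

/* Buggy shape: snprintf() truncation is turned into a NULL return,
 * which escapes the bottom-of-function "" fallback. */
static const char *hist_field_name_buggy(struct hist_field *f)
{
	int n = snprintf(f->full_name, sizeof(f->full_name), "%s.%s.%s",
			 f->system, f->event_name, f->field_name);

	if (n < 0 || (size_t)n >= sizeof(f->full_name))
		return NULL;		/* unchecked by callers: NULL deref */
	return f->full_name;
}

/* Fixed shape: keep the length check, but hand back an empty string. */
static const char *hist_field_name_fixed(struct hist_field *f)
{
	int n = snprintf(f->full_name, sizeof(f->full_name), "%s.%s.%s",
			 f->system, f->event_name, f->field_name);

	if (n < 0 || (size_t)n >= sizeof(f->full_name))
		f->full_name[0] = '\0';	/* truncated: unusable, but safe to strcmp() */
	return f->full_name;
}

/* Model a caller that builds an expression string, as the strcat() site
 * does. Returns the resulting length, or -1 where the real caller would
 * have dereferenced NULL. */
static int build_expr(struct hist_field *f, int fixed, char *out, size_t out_len)
{
	const char *name = fixed ? hist_field_name_fixed(f)
				 : hist_field_name_buggy(f);

	if (!name)
		return -1;		/* the real caller does not check; it crashes here */
	snprintf(out, out_len, "%s+%s", "x", name);
	return (int)strlen(out);
}

/* Constructed input: a variable name of name_len characters in a
 * fully-qualified sched.sched_switch.<var> reference. */
static int expr_len_for_var(size_t name_len, int fixed)
{
	char var[128];
	char out[256];
	struct hist_field f = { "sched", "sched_switch", var, "" };

	if (name_len >= sizeof(var))
		name_len = sizeof(var) - 1;
	memset(var, 'v', name_len);
	var[name_len] = '\0';
	return build_expr(&f, fixed, out, sizeof(out));
}
```

With a one-character variable both versions yield `x+sched.sched_switch.v`; with a 40-character one the buggy version hands the caller NULL while the fixed version yields `x+`, which is wrong output but not a crash reachable from a trigger string.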
[ Upstream commit dd1dda6b8d6e1f4376a5b3055a04f0ecbdb4d6bd ] The setup_packet of control urb is not freed if usb_submit_urb fails or the submitted urb is killed. Add free in these two paths. Fixes: a1c49c4 ("Bluetooth: btusb: Add protocol support for MediaTek MT7668U USB devices") Signed-off-by: Jiajia Liu <liujiajia@kylinos.cn> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 2a1905730e0c771b999906a7b509722f795563c6) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit e7c70bf97e90d974cd575e4c90f8f9b07d056da3 ] Complete error handling for a failed platform_get_irq() call Fixes: d51b6ce ("net: ethernet: add ag71xx driver") Signed-off-by: Rosen Penev <rosenp@gmail.com> Reviewed-by: Oleksij Rempel <o.rempel@pengutronix.de> Link: https://patch.msgid.link/20260516212616.11758-1-rosenp@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 40fc66218ad12222385de71e71bac0ef5e9f82a4) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit ddf8029623a1af20e984c040e89ff918158397ab ] sk_psock_strp_data_ready() already checks tls_sw_has_ctx_rx() and defers to psock->saved_data_ready when a TLS RX context is present, avoiding a conflict with the TLS strparser's ownership of the receive queue (commit e91de6a, "bpf: Fix running sk_skb program types with ktls"). sk_psock_verdict_data_ready() has no equivalent guard. When a socket is inserted into a sockmap (BPF_SK_SKB_VERDICT) before TLS RX is configured, tls_sw_strparser_arm() saves sk_psock_verdict_data_ready as rx_ctx->saved_data_ready. On data arrival: tls_data_ready -> tls_strp_data_ready -> tls_rx_msg_ready -> saved_data_ready() = sk_psock_verdict_data_ready() -> tcp_read_skb() drains sk_receive_queue via __skb_unlink() without calling tcp_eat_skb(), so copied_seq is not advanced. tls_strp_msg_load() then finds tcp_inq() >= full_len (stale), calls tcp_recv_skb() on the now-empty queue, hits WARN_ON_ONCE(!first), and returns with rx_ctx->strp.anchor.frag_list pointing at a psock-owned (potentially freed) skb. tls_decrypt_sg() subsequently walks that frag_list: use-after-free. Apply the same fix as sk_psock_strp_data_ready(): if a TLS RX context is present, call psock->saved_data_ready (sock_def_readable) to wake recv() waiters and return immediately, leaving the receive queue untouched. TLS retains sole ownership of the queue and decrypts the record normally through tls_sw_recvmsg(). Fixes: ef56592 ("bpf, sockmap: Allow skipping sk_skb parser program") Signed-off-by: Xingwang Xiang <v3rdant.xiang@gmail.com> Link: https://patch.msgid.link/20260517145630.20521-2-v3rdant.xiang@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit c9ea01768903ae47f210cd457af1dead6de7a9c3) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 3942bb4 ] Almost two thirds of the memchr_inv() usages check if the memory area is all zeros, with no interest in where in the buffer the first non-zero byte is located. Checking for !memchr_inv(s, 0, n) is also not very intuitive or discoverable. Add an explicit mem_is_zero() helper for this use case. Reviewed-by: Kees Cook <kees@kernel.org> Reviewed-by: Andy Shevchenko <andy@kernel.org> Link: https://patchwork.freedesktop.org/patch/msgid/20240814100035.3100852-1-jani.nikula@intel.com Signed-off-by: Jani Nikula <jani.nikula@intel.com> Stable-dep-of: 3e6ccd790ed6 ("gpio: cdev: check if uAPI v2 config attributes are correctly zeroed") Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit cd87492b79d14893a6e078747ff79643d49bba7c) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit e106b1d ] Use the mem_is_zero() helper where possible. Signed-off-by: Andy Shevchenko <andy.shevchenko@gmail.com> Link: https://lore.kernel.org/r/20241110201706.16614-1-andy.shevchenko@gmail.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org> Stable-dep-of: 3e6ccd790ed6 ("gpio: cdev: check if uAPI v2 config attributes are correctly zeroed") Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 0f1fd5e83f0b418db5e4a132a3deb5e0ded6891b) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 3e6ccd790ed69bedd3d9626d01dd35cf9821c121 ] We check the padding of other uAPI v2 structures but not that of line config attributes. For used attributes: check if their padding is zeroed, for unused: check if the entire structure is zeroed. Fixes: 3c0d9c6 ("gpiolib: cdev: support GPIO_V2_GET_LINE_IOCTL and GPIO_V2_LINE_GET_VALUES_IOCTL") Reviewed-by: Kent Gibson <warthog618@gmail.com> Link: https://patch.msgid.link/20260521-gpio-cdev-attr-padding-check-v3-1-ec3bcbe2e358@oss.qualcomm.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit d798b25c24f402c4d940f58ad94dae3dafe4e6f4) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
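The padding rule in the gpio cdev commit above, built on a `mem_is_zero()` helper with the same contract as the one the two preceding commits introduce and use; this is an added userspace example, not gpiolib code. The struct layout, `MAX_ATTRS` and the field names are assumptions shaped after the v2 line config, not the real uAPI headers.

```c
/*
 * Added example (not gpiolib code): a userspace model of the uAPI
 * padding check. Layouts, MAX_ATTRS and field names are assumptions.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_ATTRS 10	/* hypothetical cap on attributes per request */

/* Same contract as the kernel helper: true if all n bytes are zero. */
static bool mem_is_zero(const void *s, size_t n)
{
	const unsigned char *p = s;

	while (n--)
		if (*p++)
			return false;
	return true;
}

/* Hypothetical uAPI attribute: tag, explicit padding, payload union. */
struct line_attr {
	uint32_t id;
	uint32_t padding;
	union {
		uint64_t flags;
		uint64_t values;
		uint32_t debounce_us;
	} u;
};

/* Hypothetical uAPI config: flags, attribute count, padding, attributes. */
struct line_config {
	uint64_t flags;
	uint32_t num_attrs;
	uint32_t padding[5];
	struct line_attr attrs[MAX_ATTRS];
};

/* Reject anything userspace left non-zero where the ABI says zero:
 * the top-level padding, the padding of every used attribute, and the
 * entire body of every unused attribute slot. */
static int validate_line_config(const struct line_config *lc)
{
	unsigned int i;

	if (lc->num_attrs > MAX_ATTRS)
		return -EINVAL;
	if (!mem_is_zero(lc->padding, sizeof(lc->padding)))
		return -EINVAL;
	for (i = 0; i < MAX_ATTRS; i++) {
		const struct line_attr *a = &lc->attrs[i];

		if (i < lc->num_attrs) {
			if (a->padding)
				return -EINVAL;	/* used: only the padding must be zero */
		} else if (!mem_is_zero(a, sizeof(*a))) {
			return -EINVAL;		/* unused: the whole slot must be zero */
		}
	}
	return 0;
}

/* Constructed request with num_attrs attributes, optionally dirtying one
 * slot: its padding (dirty_padding) or its payload. A dirty_idx >= MAX_ATTRS
 * leaves every slot zeroed. */
static int check_constructed(uint32_t num_attrs, unsigned int dirty_idx,
			     bool dirty_padding)
{
	struct line_config lc;

	memset(&lc, 0, sizeof(lc));
	lc.num_attrs = num_attrs;
	if (dirty_idx < MAX_ATTRS) {
		if (dirty_padding)
			lc.attrs[dirty_idx].padding = 0xdead;	/* e.g. uninitialised stack */
		else
			lc.attrs[dirty_idx].u.flags = 0x1;	/* a plausible payload */
	}
	return validate_line_config(&lc);
}
```

The reason to reject non-zero padding now rather than ignore it: once the kernel has accepted garbage there for years, those bytes can never be given a meaning without breaking existing callers, so the check is what keeps the padding usable for future ABI extensions.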
[ Upstream commit 18e7bd9f2446664053f8c34b72abd4606d22d858 ] Use flush_work() instead of cancel_work_sync() to terminate pending IRQ work in cs35l56_sdw_remove(). And flush_work() again after masking the interrupts to flush any queueing that was racing with the masking. This is the same sequence as cs35l56_sdw_system_suspend(). cs35l56_sdw_interrupt() takes the pm_runtime to prevent the bus powering- down before the interrupt status can be read and handled. The work releases this pm_runtime. So cancelling it, instead of flushing, could leave an unbalanced pm_runtime. Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com> Fixes: e496112 ("ASoC: cs35l56: Add driver for Cirrus Logic CS35L56") Link: https://patch.msgid.link/20260521123057.988732-1-rf@opensource.cirrus.com Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 3dee2fe0c8184e6062b371e12033921efdff9ec9) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit b809d0409991b75a6cff846a5ac27c3062953f84 ] In mana_hwc_rx_event_handler(), rx_req_idx is derived from sge->address in DMA-coherent memory. In Confidential VMs (SEV-SNP/TDX), this memory is shared unencrypted and HW can modify WQE contents at any time. No bounds check exists on rx_req_idx, which can lead to an out-of-bounds access into reqs[]. Add bounds check on rx_req_idx in mana_hwc_rx_event_handler() before using it to index the reqs[] array. Fixes: ca9c54d ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)") Signed-off-by: Aditya Garg <gargaditya@linux.microsoft.com> Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com> Link: https://patch.msgid.link/20260520051553.857120-1-gargaditya@linux.microsoft.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 01f7f893d5e1baae995beeb86cd0f3e6bb2a3b01) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit a1e4c33 ] check the value of 'ret' after call 'devlink_info_version_stored_put'. Signed-off-by: Su Hui <suhui@nfschina.com> Reviewed-by: Shannon Nelson <shannon.nelson@amd.com> Link: https://lore.kernel.org/r/20231019083351.1526484-1-suhui@nfschina.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Stable-dep-of: 3d4432d34c19 ("pds_core: ensure null-termination for firmware version strings") Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit d3f3d6fa0cad8193f049e5b65d9e9cb2cbdb1b4c) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 3d4432d34c1992701289cbe12df9fd024f315998 ] The driver passes fw_version directly to devlink_info_version_stored_put() without ensuring null-termination. While current firmware null-terminates these strings, the driver should not rely on this behavior. Add explicit null-termination to prevent potential issues if firmware behavior changes. Fixes: 45d76f4 ("pds_core: set up device and adminq") Signed-off-by: Nikhil P. Rao <nikhil.rao@amd.com> Link: https://patch.msgid.link/20260520205842.1486718-1-nikhil.rao@amd.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit f504118252af7be07039cdc1643a5c5f5dab4dd0) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
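The MANA bounds-check commit and the pds_core version-string commit above share one rule: memory a device can write is untrusted input. This added userspace example, which is neither driver's code, shows both halves: an index derived from a descriptor in shared memory is snapshotted once and range-checked before it touches `reqs[]`, and a firmware-supplied string is copied with forced NUL termination. `NUM_REQS`, `BUF_SIZE`, `FW_VER_LEN`, the pool geometry and the descriptor layout are assumptions.

```c
/*
 * Added example (not mana or pds_core code): device-written memory
 * treated as untrusted input. Pool geometry, sizes and layouts are
 * assumptions; the real drivers differ.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NUM_REQS	8		/* hypothetical size of reqs[] */
#define BUF_SIZE	256		/* hypothetical per-request buffer size */
#define FW_VER_LEN	32		/* hypothetical on-wire version field */

struct rx_req { int in_flight; };

/* Shared descriptor as the device sees it. Under SEV-SNP/TDX this lives
 * in unencrypted shared memory and may change under us at any time. */
struct shared_sge {
	volatile uint64_t address;
	volatile uint32_t length;
};

/* Derive the request index from the buffer address, reading the shared
 * field exactly once and bounds-checking before it touches reqs[].
 * Returns the index, or -EINVAL for anything outside the pool. */
static int rx_req_index(const struct shared_sge *sge, uint64_t pool_base)
{
	uint64_t addr = sge->address;	/* one snapshot: no re-read after the check */
	uint64_t off, idx;

	if (addr < pool_base)
		return -EINVAL;
	off = addr - pool_base;
	if (off % BUF_SIZE)
		return -EINVAL;		/* not a buffer start the host handed out */
	idx = off / BUF_SIZE;
	if (idx >= NUM_REQS)
		return -EINVAL;		/* would index past reqs[] */
	return (int)idx;
}

/* Complete the request only after validation; returns the index used. */
static int handle_rx_event(struct rx_req *reqs, const struct shared_sge *sge,
			   uint64_t pool_base)
{
	int idx = rx_req_index(sge, pool_base);

	if (idx < 0)
		return idx;		/* caller logs and drops the event */
	reqs[idx].in_flight = 0;
	return idx;
}

/* Copy a device-supplied string into dst, forcing termination even if
 * firmware filled all src_len bytes without a NUL. */
static void copy_fw_version(char *dst, size_t dst_len,
			    const char *src, size_t src_len)
{
	size_t n = 0;

	if (!dst_len)
		return;
	while (n < src_len && n < dst_len - 1 && src[n])
		n++;
	memcpy(dst, src, n);
	dst[n] = '\0';
}

/* Constructed scenario: firmware fills all FW_VER_LEN bytes with no NUL.
 * Returns strlen() of the copy made into a dst_len-byte buffer. */
static size_t demo_fw_copy(size_t dst_len)
{
	char wire[FW_VER_LEN];
	char version[FW_VER_LEN + 1];

	if (dst_len > sizeof(version))
		dst_len = sizeof(version);
	memset(wire, 'A', sizeof(wire));	/* no terminator anywhere */
	copy_fw_version(version, dst_len, wire, sizeof(wire));
	return strlen(version);
}

/* Constructed scenario: one descriptor address against a fixed pool. */
static int demo_rx_index(uint64_t address)
{
	const uint64_t pool_base = 0x10000;
	struct rx_req reqs[NUM_REQS] = { { 1 } };
	struct shared_sge sge = { .address = address, .length = BUF_SIZE };

	return handle_rx_event(reqs, &sge, pool_base);
}
```

The single read into `addr` matters as much as the comparison: a check on `sge->address` followed by a second read of `sge->address` to compute the index would let the device pass the check with one value and index with another.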
[ Upstream commit 4db79a322db8c97f7b73b8a347395ef4d685eb40 ] skb_gro_receive() can currently copy frags between the source and GRO skb, without checking the zerocopy status, and in particular the SKBFL_MANAGED_FRAG_REFS flag. When SKBFL_MANAGED_FRAG_REFS is set, the skb doesn't hold a reference on the pages in shinfo->frags. Appending those frags to another skb's frags without fixing up the page refcount can lead to UAF. When either the last skb in the GRO chain (the one we would append frags to) or the source skb is zerocopy, don't merge the skbs. Fixes: 753f1ca ("net: introduce managed frags infrastructure") Reported-by: Huzaifa Sidhpurwala <huzaifas@redhat.com> Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> Reviewed-by: Willem de Bruijn <willemb@google.com> Link: https://patch.msgid.link/c3b7f906bbfcbdfd7b4fa9d6c18a438870df85be.1779307748.git.sd@queasysnail.net Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 1f9c828556416fbe3f49386708ce999fc4d4da06) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 1c856e158fd34ef2c4475a81c1dc386329989938 ] KPROBE_HIT_SS and KPROBE_REENTER are two types of fatal recursions that can not be safely recovered in kprobes. KPROBE_HIT_SS means that a kprobe is hit during single-stepping. At this point, the architecture-specific single-step context is already active. Nested single-stepping would corrupt the state, as the kprobe control block (kcb) and hardware registers cannot safely store multiple levels of stepping state. KPROBE_REENTER means that a third-level recursion occurs when a probe is hit while the system is already handling a nested probe (second- level). The kcb only provides a single slot (prev_kprobe) to backup the state. When a third probe is hit, there is no more space to save the state without corrupting the first-level backup. Kprobes work by replacing instructions with breakpoints. In order to execute the original instruction and continue, it must be moved to a temporary "single-step" slot. Since there is no backup space left to set up this slot safely, the CPU would be forced to return to the same original breakpoint address, triggering an endless loop. Currently, the code only prints a warning and returns. This leads to an infinite re-entry loop as the CPU repeatedly hits the same trap and a "stuck" CPU core because preemption was disabled at the start of the handler and never re-enabled in this early return path. Fix the logic by: 1. Merging KPROBE_HIT_SS and KPROBE_REENTER cases, as both represent fatal recursions that cannot be safely recovered. 2. Replacing WARN_ON_ONCE() with BUG() to terminate the system. This aligns LoongArch with other architectures (x86, arm64, riscv) and prevents stack overflow while providing diagnostic information. 
Fixes: 6d4cc40 ("LoongArch: Add kprobes support") Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 105c6a594b3f5cdbf5632ae8819c414e0f78f890) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 43a1e3744548e6fd85873e6fb43e293eb4010694 upstream. Nicholas Carlini reports that the keyring code calls assoc_array_find() in find_key_to_update() without holding the RCU read lock, while the assoc_array_gc() code really is designed around removing the node from the tree and then freeing it after an RCU grace-period. The regular key handling doesn't see this because holding the keyring semaphore hides any lifetime issues, but the persistent key handling uses a different model. Instead of extending the keyring locking, just do the simple RCU locking that the assoc_array was designed for. Reported-by: Nicholas Carlini <npc@anthropic.com> Cc: David Howells <dhowells@redhat.com> Cc: Jarkko Sakkinen <jarkko@kernel.org> Cc: Paul Moore <paul@paul-moore.com> Cc: James Morris James Morris <jmorris@namei.org> Cc: Serge E. Hallyn <serge@hallyn.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit cefa4265b11176c897a7d9e8e54d89e3701c5584) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Link: https://lore.kernel.org/r/20260528194928.941004471@linuxfoundation.org Tested-by: Ron Economos <re@w6rz.net> Tested-by: Miguel Ojeda <ojeda@kernel.org> Tested-by: Francesco Dolcini <francesco.dolcini@toradex.com> Tested-by: Brett A C Sheffield <bacs@librecast.net> Tested-by: Pavel Machek (CIP) <pavel@nabladev.com> Tested-by: Peter Schneider <pschneider1968@googlemail.com> Tested-by: Wentao Guan <guanwentao@uniontech.com> Tested-by: Florian Fainelli <florian.fainelli@broadcom.com> Tested-by: Mark Brown <broonie@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 924b4a879cbb75aef37c160b955b92f6894b11a4) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Sorry @opsiff, your pull request is larger than the review limit of 150000 diff characters
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Details: Needs approval from an approver in each of these files. Approvers can indicate their approval by writing
Pull request overview
This pull request updates the Deepin kernel base from Linux 6.6.141 to 6.6.142, pulling in the corresponding upstream stable fixes across a wide range of subsystems (sound, networking, filesystems, drivers, arch, tracing, security, etc.).
Changes:
- Bump kernel sublevel to 6.6.142.
- Integrate upstream stable fixes across multiple subsystems (notably networking, Bluetooth, SMB server/client, tracing, DRM, and various drivers).
- Introduce/extend a number of safety and correctness hardenings (bounds checks, refcount/RCU/locking fixes, overflow checks).
Reviewed changes
Copilot reviewed 166 out of 166 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| Makefile | Bump SUBLEVEL to 142. |
| sound/usb/misc/ua101.c | Harden USB audio descriptor length validation. |
| sound/soc/codecs/cs35l56-sdw.c | Adjust work flushing during SoundWire remove. |
| sound/pci/hda/cs35l56_hda.c | Fix ACPI device refcount handling. |
| sound/pci/asihpi/hpicmn.c | Add bounds check for control cache indexing. |
| sound/core/seq/seq_ump_client.c | Add locking around rawmidi output file access and refactor open/close. |
| sound/core/pcm_lib.c | Handle NULL data by filling silence for interleaved copy. |
| security/keys/keyring.c | Add RCU guard before assoc_array_find(). |
| net/wireless/scan.c | Fix iterator state updates during profile merge loop. |
| net/vmw_vsock/vmci_transport.c | Simplify error return on protocol violation. |
| net/vmw_vsock/virtio_transport_common.c | Make RX enqueue report failure and close connection on ENOBUFS to avoid data loss. |
| net/unix/garbage.c | Add MSG_PEEK interaction handling via seqcount; refactor SCC “dead” detection. |
| net/unix/af_unix.c | Hook unix_peek_fpl() into MSG_PEEK fd handling. |
| net/tls/tls_sw.c | Fix sg chaining for TLS 1.3; improve rx wait error semantics when data already copied. |
| net/smc/smc_tracepoint.h | Avoid NULL deref in tracepoint string field. |
| net/smc/af_smc.c | Guard ism_chid access with ism_dev presence. |
| net/phonet/pep.c | Ensure BH state consistency around child sock receive. |
| net/netfilter/nft_inner.c | Remove incorrect thoff update in IPv6 fragment case. |
| net/netfilter/nfnetlink_queue.c | Include skb_dev in device comparison for queue entries. |
| net/netfilter/nf_queue.c | Track/hold/put skb->dev via new skb_dev field in nf_queue_entry. |
| net/netfilter/ipset/ip_set_hash_ipportnet.c | Fix loop termination to avoid overflow/infinite iteration at range end. |
| net/netfilter/ipset/ip_set_hash_ipportip.c | Fix loop termination to avoid overflow/infinite iteration at range end. |
| net/netfilter/ipset/ip_set_hash_ipport.c | Fix loop termination to avoid overflow/infinite iteration at range end. |
| net/netfilter/ipset/ip_set_hash_ipmark.c | Fix loop termination to avoid overflow/infinite iteration at range end. |
| net/mptcp/protocol.c | Adjust sndbuf propagation timing for accepted sockets. |
| net/mptcp/pm_netlink.c | Timer lifetime/cleanup adjustments; avoid sync stop if timer already completed. |
| net/mac80211/tdls.c | Reject TDLS op if sta missing or not TDLS. |
| net/ipv6/netfilter/ip6table_security.c | Fix teardown order for pernet/template unregister. |
| net/ipv6/netfilter/ip6table_raw.c | Fix teardown order for pernet/template unregister. |
| net/ipv6/netfilter/ip6table_mangle.c | Fix teardown order for pernet/template unregister. |
| net/ipv6/netfilter/ip6table_filter.c | Fix teardown order for pernet/template unregister. |
| net/ipv6/netfilter/ip6t_hbh.c | Validate optsnr bounds in check routine. |
| net/ipv4/raw.c | Reject too-short IP header length when HDRINCL. |
| net/ipv4/netfilter/iptable_security.c | Fix teardown order for template/pernet unregister. |
| net/ipv4/netfilter/iptable_raw.c | Fix teardown order for template/pernet unregister. |
| net/ipv4/netfilter/iptable_mangle.c | Fix teardown order for pernet/template unregister. |
| net/ipv4/netfilter/iptable_filter.c | Fix teardown order for pernet/template unregister. |
| net/ipv4/netfilter/arptable_filter.c | Fix teardown order for pernet/template unregister. |
| net/ipv4/inet_connection_sock.c | Use oreq->rsk_listener when dropping reqsk. |
| net/ethtool/bitset.c | Fix zero-range handling and memchr_inv logic. |
| net/core/skmsg.c | Ensure TLS RX data_ready uses saved callback before verdict path. |
| net/core/gro.c | Disallow GRO receive when either skb uses zcopy. |
| net/bridge/br_multicast.c | Factor enable/disable for all ports; respect VLAN snooping option. |
| net/bluetooth/sco.c | Fix reference handling around bt_accept_dequeue() results. |
| net/bluetooth/rfcomm/sock.c | Fix reference handling around bt_accept_dequeue() results. |
| net/bluetooth/mgmt.c | Validate expected payload length for ext adv data command. |
| net/bluetooth/l2cap_sock.c | Fix accept queue ref/lifetime and teardown locking; avoid double put. |
| net/bluetooth/iso.c | Fix accept queue ref/lifetime; validate unexpected end frames. |
| net/bluetooth/bnep/core.c | Fix lock/unlock placement around device name copy. |
| net/bluetooth/af_bluetooth.c | Add accept_q_lock and harden accept queue traversal/ref handling. |
| net/batman-adv/types.h | Type fixes for size fields; rework tp vars atomic state tracking. |
| net/batman-adv/tp_meter.c | Replace “sending” atomic with send_result; strengthen receiver shutdown logic. |
| net/batman-adv/originator.c | Move mcast purge to non-RCU-free path. |
| net/batman-adv/gateway_client.c | Clear curr_gw with rcu_replace_pointer and drop reference. |
| net/batman-adv/fragmentation.c | Add overflow checks and prevent “fragment-in-fragment” recursion. |
| net/batman-adv/distributed-arp-table.c | Handle pskb_copy_for_clone() failure. |
| net/batman-adv/bridge_loop_avoidance.c | Fix purge loop to safely cancel work and drop references after removal. |
| mm/damon/sysfs-schemes.c | Break memcg iterator on match to avoid extra iteration. |
| lib/test_kprobes.c | Add KP_CLEAR() and reset probes in suite init. |
| lib/kunit/Kconfig | Make KUNIT_DEBUGFS depend on DEBUG_FS and default y. |
| kernel/trace/tracing_map.c | Split internal/free paths to avoid calling elt_free on partially inited objects. |
| kernel/trace/trace_events_hist.c | Avoid returning NULL for long names; keep empty/default behavior. |
| kernel/trace/ring_buffer.c | Reset missed_events on iterator reset/advance; don’t clear it in “dropped” accessor. |
| kernel/ptrace.c | Refactor attach flow with scoped guards; factor ptrace_set_stopped(). |
| kernel/irq_work.c | Add synchronize_rcu() in sync path; guard rcu in worker runner. |
| include/trace/events/btrfs.h | Simplify parent inode fetch without dget/dput. |
| include/net/netfilter/nf_queue.h | Add skb_dev to nf_queue_entry. |
| include/net/bluetooth/bluetooth.h | Add accept_q_lock to bt_sock. |
| include/net/af_unix.h | Export unix_peek_fpl(). |
| include/linux/string.h | Add mem_is_zero() helper. |
| include/linux/spinlock.h | Add guard helpers for rwlock read/write variants. |
| include/linux/sched/task.h | Add task_lock guard wrapper. |
| include/linux/phy.h | Declare genphy_c45_pma_read_ext_abilities(). |
| include/linux/fwnode.h | Initialize fwnode->secondary to NULL. |
| include/asm-generic/kprobes.h | Add notrace to __kprobes section attribute. |
| fs/zonefs/super.c | Add overflow-safe filename-to-number conversion. |
| fs/sysfs/group.c | Avoid kernfs_remove() on update path for named groups. |
| fs/smb/server/vfs_cache.h | Add durable owner/scavenger declarations; change destroy signature. |
| fs/smb/server/vfs_cache.c | Add durable scavenger thread, durable owner tracking, and durable-id removal hardening. |
| fs/smb/server/smbacl.c | Free sid on overflow before breaking. |
| fs/smb/server/smb2pdu.h | Define DURABLE_HANDLE_MAX_TIMEOUT constant. |
| fs/smb/server/smb2pdu.c | Use DURABLE_HANDLE_MAX_TIMEOUT; pass user through durable oplock check. |
| fs/smb/server/server.h | Add dh_task pointer in server config. |
| fs/smb/server/server.c | Stop durable scavenger on server reset. |
| fs/smb/server/oplock.h | Extend smb2_check_durable_oplock() signature to include user. |
| fs/smb/server/oplock.c | Validate reconnect durable owner; avoid TOCTOU on opinfo->conn access. |
| fs/smb/server/mgmt/user_session.c | Destroy file table earlier; launch scavenger after session cleanup/expiry. |
| fs/smb/client/smb2transport.c | Protect tc_count increment with tc_lock. |
| fs/smb/client/cifsfs.c | Flush deferredclose workqueue during unmount. |
| fs/smb/client/cifs_spnego.c | Add vet_description to prevent userspace-crafted authority-bearing spnego key descriptions. |
| fs/netfs/iterator.c | Harden extract_pages overrun handling with WARN and EIO. |
| drivers/spi/spidev.c | Remove buf_lock; serialize I/O using spi_lock and handle device removal. |
| drivers/spi/spi-ti-qspi.c | Null rx_chan pointer after dma_release_channel() on alloc failure. |
| drivers/spi/spi-sprd.c | Only release DMA resources if DMA was enabled. |
| drivers/spi/spi-qup.c | Null dma channel pointers after release on init error. |
| drivers/spi/spi-mtk-snfi.c | Fix error path goto target for DMA timeout. |
| drivers/scsi/isci/host.c | Kill completion tasklet after controller stop. |
| drivers/platform/x86/intel/vbtn.c | Validate ACPI handle before use. |
| drivers/platform/x86/intel/hid.c | Validate ACPI handle before use. |
| drivers/platform/x86/hp/hp_accel.c | Require ACPI companion before proceeding. |
| drivers/platform/x86/adv_swbutton.c | Validate ACPI handle before use. |
| drivers/pinctrl/qcom/pinctrl-sm8150.c | Remove duplicate/incorrect wakeirq map entries. |
| drivers/phy/tegra/xusb.h | Add has_per_pad_term field. |
| drivers/phy/tegra/xusb-tegra186.c | Support per-pad termination calibration; allocate arrays per USB2 port. |
| drivers/phy/marvell/phy-mvebu-a3700-utmi.c | Use regmap_update_bits() instead of raw read/modify/write. |
| drivers/net/wwan/iosm/iosm_ipc_imem.c | Deinit ipc_protocol on init failure. |
| drivers/net/wireless/ath/ath11k/wmi.c | Free skb on WMI cmd send failure; return error. |
| drivers/net/wireless/ath/ath11k/testmode.c | Free skb on WMI send failure. |
| drivers/net/wireless/ath/ath11k/hal.c | Clear shared hp/tp buffers on SRNG clear. |
| drivers/net/wireless/ath/ath11k/hal_rx.c | Always assign peer_id from MPDU info (no “if peer_id” gate). |
| drivers/net/wireless/ath/ath11k/dp_rx.c | Unconditionally look up peer by peer_id. |
| drivers/net/phy/phy-c45.c | Factor extended abilities parsing into new helper and export it. |
| drivers/net/phy/dp83tc811.c | Use genphy_c45_pma_read_ext_abilities for get_features. |
| drivers/net/ifb.c | Fix ethtool stats accounting to use num_tx_queues consistently. |
| drivers/net/ethernet/qlogic/qed/qed_cxt.c | Null bitmap pointers after free to avoid reuse. |
| drivers/net/ethernet/microsoft/mana/hw_channel.c | Fix TOCTOU on DMA msg_id; bounds check request index. |
| drivers/net/ethernet/microchip/lan966x/lan966x_main.c | Harden cleanup and error handling for port probe/register. |
| drivers/net/ethernet/mellanox/mlx5/core/esw/ipsec_fs.c | Handle out_count==0 in ipsec dest modify path. |
| drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | Set skb=NULL after freeing to avoid reuse. |
| drivers/net/ethernet/intel/ice/ice_txrx.c | Drop jumbo hopopt early and avoid touching uninitialized “first” on drop path. |
| drivers/net/ethernet/intel/ice/ice_main.c | Treat -EEXIST as non-fatal for VLAN promisc filter set. |
| drivers/net/ethernet/intel/ice/ice_dcb_lib.c | Fix mutex lock ordering around ETS query. |
| drivers/net/ethernet/cortina/gemini.c | Persist partial RX frame state in port struct; reset on stop and error paths. |
| drivers/net/ethernet/cirrus/cs89x0.c | Remove incorrect conditional compilation around reset. |
| drivers/net/ethernet/broadcom/genet/bcmgenet.c | Keep RBUF EEE/PM disabled to avoid breaking RX; only clear if set. |
| drivers/net/ethernet/atheros/ag71xx.c | Validate IRQ retrieval before request_irq. |
| drivers/net/ethernet/amd/pds_core/devlink.c | Ensure fw_version strings are NUL-terminated and propagate errors. |
| drivers/net/ethernet/amd/pds_core/dev.c | Improve devcmd wait error handling when FW not running vs timeout. |
| drivers/net/ethernet/amd/pds_core/debugfs.c | Fix debugfs_lookup() dentry ref handling. |
| drivers/net/dsa/mt7530.h | Rename/register bit macros and enum for to-CPU forwarding; comment cleanup. |
| drivers/net/dsa/mt7530.c | Adjust aging time algorithm; preserve VLAN tags on trapped frames; set aging bounds. |
| drivers/irqchip/irq-ath79-cpu.c | Remove unused legacy init helper. |
| drivers/infiniband/ulp/rtrs/rtrs-srv-sysfs.c | Fix kobject_put ordering in error path. |
| drivers/infiniband/sw/siw/siw_qp_rx.c | Validate mpa_len to prevent underflow and unsafe copy lengths. |
| drivers/hwmon/pmbus/adm1266.c | Harden SMBus block reads, blackbox parsing limits, and RTC time source; reorder probe steps. |
| drivers/hid/hid-uclogic-core.c | Fix suffix handling to avoid allocating name when suffix is NULL. |
| drivers/hid/hid-quirks.c | Fix config symbol name for appledisplay special-driver list. |
| drivers/gpu/drm/virtio/virtgpu_plane.c | Use uninterruptible single-resv locking helper; handle failure cleanup. |
| drivers/gpu/drm/virtio/virtgpu_gem.c | Add virtio_gpu_lock_one_resv_uninterruptible(). |
| drivers/gpu/drm/virtio/virtgpu_drv.h | Export new helper prototype. |
| drivers/gpu/drm/msm/msm_iommu.c | Correct iommu_map_sgtable() return type handling (negative errors). |
| drivers/gpu/drm/msm/dsi/dsi_host.c | Adjust ctrl_size after applying io_offset. |
| drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c | Fix register dump sizing/printing for non-aligned lengths. |
| drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c | Remove bridge if IRQ request fails. |
| drivers/gpu/drm/bridge/ite-it66121.c | Require reset GPIO and error out cleanly if missing. |
| drivers/gpu/drm/bridge/chipone-icn6211.c | Convert to devm_drm_bridge_add(). |
| drivers/gpu/drm/amd/display/dc/core/dc.c | Validate link index and payload length instead of ASSERT. |
| drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c | Validate BIOS image bounds before accessing GPIO LUT tables. |
| drivers/gpu/drm/amd/display/dc/bios/bios_parser_helper.c | Fix bios_get_image() overflow/bounds checks. |
| drivers/gpio/gpiolib-cdev.c | Use mem_is_zero() and validate padding/unused attrs in v2 config. |
| drivers/firmware/efi/efi.c | Split postcore init from subsystem init; set up runtime workqueue earlier. |
| drivers/firmware/arm_ffa/driver.c | Fix error path goto label on RX buffer alloc failure. |
| drivers/firmware/arm_ffa/bus.c | Require id_table; handle NULL id_table in match. |
| drivers/bluetooth/hci_ldisc.c | Tighten work cancellation and flag clearing to avoid races/UAF. |
| drivers/bluetooth/btmtk.c | Fix URB setup_packet/dr allocation cleanup on error paths. |
| drivers/base/memory.c | Put device reference from find_memory_block_by_id(). |
| drivers/accel/qaic/qaic_data.c | Add overflow-safe remap bounds handling for mmap of SG list. |
| arch/x86/xen/setup.c | Fix address calculation in e820 swap logic. |
| arch/x86/include/asm/segment.h | Fix RDPID inline asm constraints/type and alternative sequence. |
| arch/s390/kernel/debug.c | Reject zero-length user string requests. |
| arch/powerpc/kernel/time.c | Document preempt-disable requirement and remove internal disable/enable pair. |
| arch/loongarch/mm/init.c | Remove unused page computation in arch_remove_memory(). |
| arch/loongarch/kernel/kprobes.c | Adjust reenter_kprobe state handling; BUG() on unrecoverable reentry. |
| arch/arm64/kvm/vgic/vgic-its.c | Reject invalid EID bit counts when restoring DTE. |
| arch/arm64/include/asm/insn.h | Fix bcond instruction mask. |
| arch/arm/mach-versatile/integrator_cp.c | Move sched_clock_register into init_machine path when syscon is available. |
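The net/ipv4/raw.c row above ("Reject too-short IP header length when HDRINCL") is worth a worked illustration, because an IP_HDRINCL raw socket lets an unprivileged-looking send path hand the stack a header whose `ihl` field it controls. The check below is an added example written for this page, not the kernel's raw_send_hdrinc(); the `struct ipv4_hdr` layout and the sample packets are constructed here, and the function name `hdrincl_validate` is an assumption. It shows the three bounds a caller-supplied IPv4 header must satisfy before `ihl` is used to locate options or the transport header: the buffer holds at least the fixed 20-byte header, `ihl` is at least 5 (so the declared header is not shorter than the fixed part), and `ihl * 4` does not run past the supplied buffer.

```c
/* Added example (not the kernel's net/ipv4/raw.c): validate a
 * caller-supplied IPv4 header under IP_HDRINCL before trusting ihl.
 * Struct layout, function names and sample packets are constructed
 * for this illustration.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed part of the IPv4 header (20 bytes, no padding); multi-byte
 * fields are left in network byte order since we never interpret them. */
struct ipv4_hdr {
	uint8_t  version_ihl;   /* version in high nibble, ihl in 32-bit words in low nibble */
	uint8_t  tos;
	uint16_t tot_len;
	uint16_t id;
	uint16_t frag_off;
	uint8_t  ttl;
	uint8_t  protocol;
	uint16_t check;
	uint32_t saddr;
	uint32_t daddr;
};

/* Returns the header length in bytes on success, -EINVAL otherwise. */
int hdrincl_validate(const uint8_t *buf, size_t len)
{
	struct ipv4_hdr iph;
	size_t hdrlen;

	/* Cannot even read the fixed header. */
	if (len < sizeof(iph))
		return -EINVAL;
	memcpy(&iph, buf, sizeof(iph));   /* copy: buf need not be aligned */

	if ((iph.version_ihl >> 4) != 4)
		return -EINVAL;

	hdrlen = (size_t)(iph.version_ihl & 0x0f) * 4;
	/* ihl < 5 declares a header shorter than its fixed part; option
	 * walking and checksumming would then read past the declared header. */
	if (hdrlen < sizeof(iph))
		return -EINVAL;
	/* ihl may claim up to 60 bytes; the caller must actually supply them. */
	if (hdrlen > len)
		return -EINVAL;

	return (int)hdrlen;
}

/* Constructed sample packets (not captured traffic) for the cases above. */
int validate_constructed_packet(int which)
{
	uint8_t pkt[64];
	size_t len = 28;            /* 20-byte header plus 8 bytes of payload */

	memset(pkt, 0, sizeof(pkt));
	pkt[0] = 0x45;              /* version 4, ihl 5 */
	pkt[8] = 64;                /* ttl */
	pkt[9] = 1;                 /* ICMP */
	switch (which) {
	case 0: break;                          /* well-formed */
	case 1: pkt[0] = 0x43; break;           /* ihl 3: header shorter than 20 bytes */
	case 2: pkt[0] = 0x4f; break;           /* ihl 15 = 60 bytes, only 28 supplied */
	case 3: len = 12; break;                /* buffer too short for any header */
	case 4: pkt[0] = 0x65; break;           /* version 6 on an IPv4 raw socket */
	case 5: pkt[0] = 0x47; break;           /* ihl 7 = 28 bytes, exactly the buffer */
	default: break;
	}
	return hdrincl_validate(pkt, len);
}

int main(void)
{
	int i;

	for (i = 0; i <= 5; i++)
		printf("case %d -> %d\n", i, validate_constructed_packet(i));
	return 0;
}
```

The ordering matters: the `len < sizeof(iph)` check must come before the header is read at all, and the `hdrlen < sizeof(iph)` check must come before anything uses `ihl` to compute an options length, since `ihl * 4 - 20` underflows for `ihl < 5`.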
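Two rows in the table belong together: include/linux/string.h gains a `mem_is_zero()` helper, and drivers/gpio/gpiolib-cdev.c uses it to validate padding and unused attributes in the v2 line config. The pattern is a general uAPI-hardening rule: reserved padding and unused array slots must be all-zero, otherwise userspace can pass garbage the kernel silently accepts today and that cannot be given a meaning tomorrow. The code below is an added example written for this page, not the kernel's gpiolib-cdev logic; the struct layout mirrors the GPIO v2 line-config uAPI, while the attribute-id set, the debounce upper-half check and the names `line_config_validate` / `validate_constructed_case` are assumptions for illustration. The `mem_is_zero()` here has the same contract as the kernel helper (true iff every byte is zero) but is a plain loop rather than a memchr_inv() wrapper.

```c
/* Added example (not the kernel's drivers/gpio/gpiolib-cdev.c): reject a
 * user-supplied config whose reserved padding or unused attribute slots
 * are not all zero. Layout mirrors the GPIO v2 line-config uAPI; the
 * specific checks and names are assumptions for this illustration.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LINE_NUM_ATTRS_MAX 10

/* Attribute ids: flags, output values, debounce period. */
enum { LINE_ATTR_ID_FLAGS = 1, LINE_ATTR_ID_OUTPUT_VALUES = 2, LINE_ATTR_ID_DEBOUNCE = 3 };

struct line_attribute {
	uint32_t id;
	uint32_t padding;              /* reserved, must be zero */
	union {
		uint64_t flags;
		uint64_t values;
		uint32_t debounce_period_us;
	};
};

struct line_config_attribute {
	struct line_attribute attr;
	uint64_t mask;
};

struct line_config {
	uint64_t flags;
	uint32_t num_attrs;
	uint32_t padding[5];           /* reserved, must be zero */
	struct line_config_attribute attrs[LINE_NUM_ATTRS_MAX];
};

/* Same contract as the kernel helper: true iff all n bytes at s are zero. */
static bool mem_is_zero(const void *s, size_t n)
{
	const unsigned char *p = s;

	while (n--)
		if (*p++)
			return false;
	return true;
}

/* Returns 0 if lc is acceptable, -EINVAL otherwise. */
int line_config_validate(const struct line_config *lc)
{
	uint32_t i;

	if (lc->num_attrs > LINE_NUM_ATTRS_MAX)
		return -EINVAL;
	if (!mem_is_zero(lc->padding, sizeof(lc->padding)))
		return -EINVAL;

	for (i = 0; i < lc->num_attrs; i++) {
		const struct line_config_attribute *a = &lc->attrs[i];

		if (a->attr.padding)
			return -EINVAL;
		switch (a->attr.id) {
		case LINE_ATTR_ID_FLAGS:
		case LINE_ATTR_ID_OUTPUT_VALUES:
			break;
		case LINE_ATTR_ID_DEBOUNCE:
			/* Only the low 32 bits of the union carry the period;
			 * the upper half is effectively padding and must be zero. */
			if (a->attr.flags >> 32)
				return -EINVAL;
			break;
		default:
			return -EINVAL;
		}
	}

	/* Slots past num_attrs are unused and must be entirely zero. Note
	 * that num_attrs <= LINE_NUM_ATTRS_MAX was checked first, so the
	 * length below cannot underflow and the pointer is at most one past
	 * the end with a zero length. */
	if (!mem_is_zero(&lc->attrs[lc->num_attrs],
			 (LINE_NUM_ATTRS_MAX - lc->num_attrs) * sizeof(lc->attrs[0])))
		return -EINVAL;

	return 0;
}

/* Constructed sample configs (not captured from a real ioctl caller). */
int validate_constructed_case(int which)
{
	struct line_config lc;

	memset(&lc, 0, sizeof(lc));
	lc.num_attrs = 1;
	lc.attrs[0].attr.id = LINE_ATTR_ID_DEBOUNCE;
	lc.attrs[0].attr.debounce_period_us = 1000;
	lc.attrs[0].mask = 1;
	switch (which) {
	case 0: break;                                    /* well-formed */
	case 1: lc.padding[3] = 1; break;                 /* reserved padding set */
	case 2: lc.attrs[0].attr.padding = 0xff; break;   /* per-attribute padding set */
	case 3: lc.attrs[5].mask = 1; break;              /* unused slot not zero */
	case 4: lc.num_attrs = LINE_NUM_ATTRS_MAX + 1; break;
	case 5: lc.attrs[0].attr.id = 99; break;          /* unknown attribute id */
	default: break;
	}
	return line_config_validate(&lc);
}

int main(void)
{
	int i;

	for (i = 0; i <= 5; i++)
		printf("case %d -> %d\n", i, validate_constructed_case(i));
	return 0;
}
```

Checking the unused tail with a single `mem_is_zero()` over `(MAX - num_attrs) * sizeof(attr)` bytes is the same shape the table describes for gpiolib-cdev; doing the bound check on `num_attrs` first is what keeps that length computation from wrapping.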
| durable_scavenger_running = true; | ||
|
|
||
| server_conf.dh_task = kthread_run(ksmbd_durable_scavenger, | ||
| (void *)NULL, "ksmbd-durable-scavenger"); | ||
| if (IS_ERR(server_conf.dh_task)) | ||
| pr_err("cannot start conn thread, err : %ld\n", | ||
| PTR_ERR(server_conf.dh_task)); | ||
| mutex_unlock(&durable_scavenger_lock); |
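Review bot: the IS_ERR branch only logs and falls through to mutex_unlock(), so on kthread_run() failure durable_scavenger_running stays true and server_conf.dh_task still holds the ERR_PTR; nothing in these lines clears either, which leaves the stop path that later reads dh_task with an invalid pointer. Reset the flag and set `server_conf.dh_task = NULL;` inside the IS_ERR branch before unlocking. The message "cannot start conn thread" also names the wrong thread; this starts the durable scavenger, so say so in the pr_err().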
| HPI_DEBUG_LOG(VERBOSE, "control_index out of bounce %d\n", | ||
| control_index); |
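Review bot: typo in the log text on the HPI_DEBUG_LOG line: "control_index out of bounce" should read "control_index out of bounds".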
Update kernel base to 6.6.142.
git log --oneline v6.6.141..v6.6.142 |wc
174 1513 12646
Merged:
Bluetooth: btmtk: move btusb_mtk_hci_wmt_sync to btmtk.c
Bluetooth: btmtk: rename btmediatek_data
Bluetooth: btusb: mediatek: refactor the function btusb_mtk_reset
Bluetooth: btmtk: add the function to get the fw name
Revert "af_unix: Reject SIOCATMARK on non-stream sockets"
Revert "s390/cio: Update purge function to unregister the unused subchannels"
driver core: generalize driver_override in struct device
driver core: platform: use generic driver_override infrastructure