[Deepin-Kernel-SIG] [linux 6.6-y] [Upstream] Update kernel base to 6.6.120-part6 #1428
[ Upstream commit be43abc5514167cc129a8d8e9727b89b8e1d9719 ]
Add service task schedule to set_rx_mode.
In some cases there are error messages printed out in PTP application
(ptp4l):
    ptp4l[13848.762]: port 1 (ens2f3np3): received SYNC without timestamp
    ptp4l[13848.825]: port 1 (ens2f3np3): received SYNC without timestamp
    ptp4l[13848.887]: port 1 (ens2f3np3): received SYNC without timestamp
This happens when service task would not run immediately after
set_rx_mode, and we need it for setup tasks. This service task checks, if
PTP RX packets are hung in firmware, and propagates correct settings such
as multicast address for IEEE 1588 Precision Time Protocol.
RX timestamping depends on some of these filters set. Bug happens only
with high PTP packets frequency incoming, and not every run since
sometimes service task is being run from a different place immediately
after starting ptp4l.
Fixes: 0e4425e ("i40e: fix: do not sleep in netdev_ops")
Reviewed-by: Grzegorz Nitka <grzegorz.nitka@intel.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Signed-off-by: Przemyslaw Korba <przemyslaw.korba@intel.com>
Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit f38cca04a23f14d8a7f0bc23aea537338ed87eea)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 6daa2893f323981c7894c68440823326e93a7d61 ]
There are off-by-one bugs when configuring RSS hash key and lookup
table, causing out-of-bounds reads to memory [1] and out-of-bounds
writes to device registers.
Before commit 43a3d9b ("i40evf: Allow PF driver to configure RSS"),
the loop upper bounds were:
    i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX
which is safe since the value is the last valid index.
That commit changed the bounds to:
    i <= adapter->rss_{key,lut}_size / 4
where `rss_{key,lut}_size / 4` is the number of dwords, so the last
valid index is `(rss_{key,lut}_size / 4) - 1`. Therefore, using `<=`
accesses one element past the end.
Fix the issues by using `<` instead of `<=`, ensuring we do not exceed
the bounds.
[1] KASAN splat about rss_key_size off-by-one
    BUG: KASAN: slab-out-of-bounds in iavf_config_rss+0x619/0x800
    Read of size 4 at addr ffff888102c50134 by task kworker/u8:6/63
    CPU: 0 UID: 0 PID: 63 Comm: kworker/u8:6 Not tainted 6.18.0-rc2-enjuk-tnguy-00378-g3005f5b77652-dirty #156 PREEMPT(voluntary)
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
    Workqueue: iavf iavf_watchdog_task
    Call Trace:
     <TASK>
     dump_stack_lvl+0x6f/0xb0
     print_report+0x170/0x4f3
     kasan_report+0xe1/0x1a0
     iavf_config_rss+0x619/0x800
     iavf_watchdog_task+0x2be7/0x3230
     process_one_work+0x7fd/0x1420
     worker_thread+0x4d1/0xd40
     kthread+0x344/0x660
     ret_from_fork+0x249/0x320
     ret_from_fork_asm+0x1a/0x30
     </TASK>
    Allocated by task 63:
     kasan_save_stack+0x30/0x50
     kasan_save_track+0x14/0x30
     __kasan_kmalloc+0x7f/0x90
     __kmalloc_noprof+0x246/0x6f0
     iavf_watchdog_task+0x28fc/0x3230
     process_one_work+0x7fd/0x1420
     worker_thread+0x4d1/0xd40
     kthread+0x344/0x660
     ret_from_fork+0x249/0x320
     ret_from_fork_asm+0x1a/0x30
    The buggy address belongs to the object at ffff888102c50100
     which belongs to the cache kmalloc-64 of size 64
    The buggy address is located 0 bytes to the right of
     allocated 52-byte region [ffff888102c50100, ffff888102c50134)
    The buggy address belongs to the physical page:
    page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c50
    flags: 0x200000000000000(node=0|zone=2)
    page_type: f5(slab)
    raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
    raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
    page dumped because: kasan: bad access detected
    Memory state around the buggy address:
     ffff888102c50000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
     ffff888102c50080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
    >ffff888102c50100: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc
                                         ^
     ffff888102c50180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
     ffff888102c50200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Fixes: 43a3d9b ("i40evf: Allow PF driver to configure RSS")
Signed-off-by: Kohei Enju <enjuk@amazon.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 18de0e41d69d97fab10b91fecf10ae78a5e43232)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 50fdb78b7c0bcc550910ef69c0984e751cac72fa ]
As soon as crypto_aead_encrypt is called, the underlying request
may be freed by an asynchronous completion. Thus dereferencing
req->iv after it returns is invalid.
Instead of checking req->iv against info, create a new variable
unaligned_info and use it for that purpose instead.
Fixes: 0a27032 ("[CRYPTO] seqiv: Add Sequence Number IV Generator")
Reported-by: Xiumei Mu <xmu@redhat.com>
Reported-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 0279978adec6f1296af66b642cce641c6580be46)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 252714f1e8bdd542025b16321c790458014d6880 ]
This reverts commit 98921db ("Bluetooth: Use devm_kzalloc in
btusb.c file").
In btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This
ties the lifetime of all the btusb data to the binding of a driver to
one interface, INTF. In a driver that binds to other interfaces, ISOC
and DIAG, this is an accident waiting to happen.
The issue is revealed in btusb_disconnect(), where calling
usb_driver_release_interface(&btusb_driver, data->intf) will have devm
free the data that is also being used by the other interfaces of the
driver that may not be released yet.
To fix this, revert the use of devm and go back to freeing memory
explicitly.
Fixes: 98921db ("Bluetooth: Use devm_kzalloc in btusb.c file")
Signed-off-by: Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit c0ecb3e4451fe94f4315e6d09c4046dfbc42090b)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit d1a1a4bade4b20c0858d0b2f81d2611de055f675 ]
The Aspeed MDIO controller may return incorrect data when a read operation
follows immediately after a write. Due to a controller bug, the subsequent
read can latch stale data, causing the polling logic to terminate earlier
than expected.
To work around this hardware issue, insert a dummy read after each write
operation. This ensures that the next actual read returns the correct
data and prevents premature polling exit.
This workaround has been verified to stabilize MDIO transactions on
affected Aspeed platforms.
Fixes: f160e99 ("net: phy: Add mdio-aspeed")
Signed-off-by: Jacky Chou <jacky_chou@aspeedtech.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20251211-aspeed_mdio_add_dummy_read-v3-1-382868869004@aspeedtech.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 248dadfee95aad6833c1813de764ea9a7dc54bb6)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 5498227676303e3ffa9a3a46214af96bc3e81314 ]
The openvswitch teardown code will immediately call
ovs_netdev_detach_dev() in response to a NETDEV_UNREGISTER notification.
It will then start the dp_notify_work workqueue, which will later end up
calling the vport destroy() callback. This callback takes the RTNL to do
another ovs_netdev_detach_port(), which in this case is unnecessary.
This causes extra pressure on the RTNL, in some cases leading to
"unregister_netdevice: waiting for XX to become free" warnings on
teardown.
We can straight-forwardly avoid the extra RTNL lock acquisition by
checking the device flags before taking the lock, and skip the locking
altogether if the IFF_OVS_DATAPATH flag has already been unset.
Fixes: b07c265 ("openvswitch: fix vport-netdev unregister")
Tested-by: Adrian Moreno <amorenoz@redhat.com>
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Acked-by: Aaron Conole <aconole@redhat.com>
Link: https://patch.msgid.link/20251211115006.228876-1-toke@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 0fc642f011cb7a7eff41109e66d3b552e9f4d795)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit db5b4e39c4e63700c68a7e65fc4e1f1375273476 ]
Over the years, syzbot found many ways to crash the kernel
in ip6gre_header() [1].
This involves team or bonding drivers ability to dynamically
change their dev->needed_headroom and/or dev->hard_header_len
In this particular crash mld_newpack() allocated an skb
with a too small reserve/headroom, and by the time mld_sendpack()
was called, syzbot managed to attach an ip6gre device.
[1]
    skbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0
    ------------[ cut here ]------------
    kernel BUG at net/core/skbuff.c:213 !
     <TASK>
     skb_under_panic net/core/skbuff.c:223 [inline]
     skb_push+0xc3/0xe0 net/core/skbuff.c:2641
     ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371
     dev_hard_header include/linux/netdevice.h:3436 [inline]
     neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618
     neigh_output include/net/neighbour.h:556 [inline]
     ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136
     __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]
     ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220
     NF_HOOK_COND include/linux/netfilter.h:307 [inline]
     ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
     NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
     mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
     mld_send_cr net/ipv6/mcast.c:2154 [inline]
     mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
Fixes: c12b395 ("gre: Support GRE over IPv6")
Reported-by: syzbot+43a2ebcf2a64b1102d64@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/693b002c.a70a0220.33cd7b.0033.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20251211173550.2032674-1-edumazet@google.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 1717357007db150c2d703f13f5695460e960f26c)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 1461209cf813b6ee6d40f29b96b544587df6d2b1 ]
A sysfs group is created in msi_init() when old_ec_model is enabled, but
never removed. Remove the msipf_old_attribute_group in that case.
Fixes: 03696e5 ("msi-laptop: Disable brightness control for new EC")
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Link: https://patch.msgid.link/20251217103617.27668-2-fourier.thomas@gmail.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit ec24f3b4a8315ce1516652f611283e41348b4ae4)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 15dd100349b8526cbdf2de0ce3e72e700eb6c208 ]
The ibm_rtl_init() function searches for the signature but has a pointer
arithmetic error. The loop counter suggests searching at 4-byte intervals
but the implementation only advances by 1 byte per iteration.
Fix by properly advancing the pointer by sizeof(unsigned int) bytes
each iteration.
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Fixes: 35f0ce0 ("IBM Real-Time "SMI Free" mode driver -v7")
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB78812D887A92DE3802D0D06EAFA9A@SYBPR01MB7881.ausprd01.prod.outlook.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 859bf9688bfbcea6b08be06953c5e8740ae551d2)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…nged()
[ Upstream commit 932ac51d9953eaf77a1252f79b656d4ca86163c6 ]
There has been a syzkaller bug reported recently with the following
trace:
    list_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122)
    ------------[ cut here ]------------
    kernel BUG at lib/list_debug.c:59!
    Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
    CPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full)
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
    RIP: 0010:__list_del_entry_valid_or_report+0x13e/0x200 lib/list_debug.c:59
    Code: 48 c7 c7 e0 71 f0 8b e8 30 08 ef fc 90 0f 0b 48 89 ef e8 a5 02 55 fd 48 89 ea 48 89 de 48 c7 c7 40 72 f0 8b e8 13 08 ef fc 90 <0f> 0b 48 89 ef e8 88 02 55 fd 48 89 ea 48 b8 00 00 00 00 00 fc ff
    RSP: 0018:ffffc9000d49f370 EFLAGS: 00010286
    RAX: 000000000000004e RBX: ffff888058bea080 RCX: ffffc9002817d000
    RDX: 0000000000000000 RSI: ffffffff819becc6 RDI: 0000000000000005
    RBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000
    R10: 0000000080000000 R11: 0000000000000001 R12: ffff888039e9c230
    R13: ffff888058bea088 R14: ffff888058bea080 R15: ffff888055461480
    FS: 00007fbbcfe6f6c0(0000) GS:ffff8880d6d0a000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 000000110c3afcb0 CR3: 00000000382c7000 CR4: 0000000000352ef0
    Call Trace:
     <TASK>
     __list_del_entry_valid include/linux/list.h:132 [inline]
     __list_del_entry include/linux/list.h:223 [inline]
     list_del_rcu include/linux/rculist.h:178 [inline]
     __team_queue_override_port_del drivers/net/team/team_core.c:826 [inline]
     __team_queue_override_port_del drivers/net/team/team_core.c:821 [inline]
     team_queue_override_port_prio_changed drivers/net/team/team_core.c:883 [inline]
     team_priority_option_set+0x171/0x2f0 drivers/net/team/team_core.c:1534
     team_option_set drivers/net/team/team_core.c:376 [inline]
     team_nl_options_set_doit+0x8ae/0xe60 drivers/net/team/team_core.c:2653
     genl_family_rcv_msg_doit+0x209/0x2f0 net/netlink/genetlink.c:1115
     genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
     genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210
     netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552
     genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
     netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
     netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346
     netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1896
     sock_sendmsg_nosec net/socket.c:727 [inline]
     __sock_sendmsg net/socket.c:742 [inline]
     ____sys_sendmsg+0xa98/0xc70 net/socket.c:2630
     ___sys_sendmsg+0x134/0x1d0 net/socket.c:2684
     __sys_sendmsg+0x16d/0x220 net/socket.c:2716
     do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
     do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
The problem is in this flow:
1) Port is enabled, queue_id != 0, in qom_list
2) Port gets disabled
    -> team_port_disable()
    -> team_queue_override_port_del()
    -> del (removed from list)
3) Port is disabled, queue_id != 0, not in any list
4) Priority changes
    -> team_queue_override_port_prio_changed()
    -> checks: port disabled && queue_id != 0
    -> calls del - hits the BUG as it is removed already
To fix this, change the check in team_queue_override_port_prio_changed()
so it returns early if port is not enabled.
Reported-by: syzbot+422806e5f4cce722a71f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=422806e5f4cce722a71f
Fixes: 6c31ff3 ("team: remove synchronize_rcu() called during queue override change")
Signed-off-by: Jiri Pirko <jiri@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20251212102953.167287-1-jiri@resnulli.us
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 6bfb62b6010a16112dcae52f490e5e0e6abe12a3)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit df60c332caf95d70f967aeace826e7e2f0847361 ]
During the stress tests, early RX adaptation handshakes can fail, such
as missing the RX_ADAPT ACK or not receiving a coefficient update before
block lock is established. Continuing to retry RX adaptation in this
state is often ineffective if the current mode selection is not viable.
Resetting the RX adaptation retry counter when an RX_ADAPT request fails
to receive ACK or a coefficient update prior to block lock, and clearing
mode_set so the next bring-up performs a fresh mode selection rather
than looping on a likely invalid configuration.
Fixes: 4f3b20b ("amd-xgbe: add support for rx-adaptation")
Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
Link: https://patch.msgid.link/20251215151728.311713-1-Raju.Rangoju@amd.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit e5ee9d93229b2e0280338b103c2639539f7e3e24)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 12cab1191d9890097171156d06bfa8d31f1e39c8 ]
In async_set_registers(), when usb_submit_urb() fails, the allocated
async_req structure and URB are not freed, causing a memory leak.
The completion callback async_set_reg_cb() is responsible for freeing
these allocations, but it is only called after the URB is successfully
submitted and completes (successfully or with error). If submission
fails, the callback never runs and the memory is leaked.
Fix this by freeing both the URB and the request structure in the error
path when usb_submit_urb() fails.
Reported-by: syzbot+8dd915c7cb0490fc8c52@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8dd915c7cb0490fc8c52
Fixes: 4d12997 ("drivers: net: usb: rtl8150: concurrent URB bugfix")
Signed-off-by: Deepakkumar Karn <dkarn@redhat.com>
Link: https://patch.msgid.link/20251216151304.59865-2-dkarn@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 4bd4ea3eb326608ffc296db12c105f92dc2f2190)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 472c5dd6b95c02b3e5d7395acf542150e91165e7 ]
When the selftest 'tap.c' is compiled with '-D_FORTIFY_SOURCE=3',
the strcpy() in rtattr_add_strsz() is replaced with a checked
version which causes the test to consistently fail when compiled
with toolchains for which this option is enabled by default.
    TAP version 13
    1..3
    # Starting 3 tests from 1 test cases.
    # RUN tap.test_packet_valid_udp_gso ...
    *** buffer overflow detected ***: terminated
    # test_packet_valid_udp_gso: Test terminated by assertion
    # FAIL tap.test_packet_valid_udp_gso
    not ok 1 tap.test_packet_valid_udp_gso
    # RUN tap.test_packet_valid_udp_csum ...
    *** buffer overflow detected ***: terminated
    # test_packet_valid_udp_csum: Test terminated by assertion
    # FAIL tap.test_packet_valid_udp_csum
    not ok 2 tap.test_packet_valid_udp_csum
    # RUN tap.test_packet_crash_tap_invalid_eth_proto ...
    *** buffer overflow detected ***: terminated
    # test_packet_crash_tap_invalid_eth_proto: Test terminated by assertion
    # FAIL tap.test_packet_crash_tap_invalid_eth_proto
    not ok 3 tap.test_packet_crash_tap_invalid_eth_proto
    # FAILED: 0 / 3 tests passed.
    # Totals: pass:0 fail:3 xfail:0 xpass:0 skip:0 error:0
A buffer overflow is detected by the fortified glibc __strcpy_chk()
since the __builtin_object_size() of `RTA_DATA(rta)` is incorrectly
reported as 1, even though there is ample space in its bounding
buffer `req`.
Additionally, given that IFLA_IFNAME also expects a null-terminated
string, callers of rtaddr_add_str{,sz}() could simply use the
rtaddr_add_strsz() variant. (which has been renamed to remove the
trailing `sz`) memset() has been used for this function since it
is unchecked and thus circumvents the issue discussed in the
previous paragraph.
Fixes: 2e64fe4 ("selftests: add few test cases for tap driver")
Signed-off-by: Alice C. Munduruca <alice.munduruca@canonical.com>
Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20251216170641.250494-1-alice.munduruca@canonical.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 2ac08f3dcd0c10b347071b5b071b3e86b4c77609)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 6402078bd9d1ed46e79465e1faaa42e3458f8a33 ]
When smc91x.c is built with PREEMPT_RT, the following splat occurs
in FVP_RevC:
    [ 13.055000] smc91x LNRO0003:00 eth0: link up, 10Mbps, half-duplex, lpa 0x0000
    [ 13.062137] BUG: workqueue leaked atomic, lock or RCU: kworker/2:1[106]
    [ 13.062137] preempt=0x00000000 lock=0->0 RCU=0->1 workfn=mld_ifc_work
    [ 13.062266] C ** replaying previous printk message **
    [ 13.062266] CPU: 2 UID: 0 PID: 106 Comm: kworker/2:1 Not tainted 6.18.0-dirty #179 PREEMPT_{RT,(full)}
    [ 13.062353] Hardware name: , BIOS
    [ 13.062382] Workqueue: mld mld_ifc_work
    [ 13.062469] Call trace:
    [ 13.062494] show_stack+0x24/0x40 (C)
    [ 13.062602] __dump_stack+0x28/0x48
    [ 13.062710] dump_stack_lvl+0x7c/0xb0
    [ 13.062818] dump_stack+0x18/0x34
    [ 13.062926] process_scheduled_works+0x294/0x450
    [ 13.063043] worker_thread+0x260/0x3d8
    [ 13.063124] kthread+0x1c4/0x228
    [ 13.063235] ret_from_fork+0x10/0x20
This happens because smc_special_trylock() disables IRQs even on PREEMPT_RT,
but smc_special_unlock() does not restore IRQs on PREEMPT_RT.
The reason is that smc_special_unlock() calls spin_unlock_irqrestore(),
and rcu_read_unlock_bh() in __dev_queue_xmit() cannot invoke
rcu_read_unlock() through __local_bh_enable_ip() when
current->softirq_disable_cnt becomes zero.
To address this issue, replace smc_special_trylock() with
spin_trylock_irqsave().
Fixes: 342a932 ("locking/spinlock: Provide RT variant header: <linux/spinlock_rt.h>")
Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20251217085115.1730036-1-yeoreum.yun@arm.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit ef277ae121b3249c99994652210a326b52d527b0)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 5393802c94e0ab1295c04c94c57bcb00222d4674 ]
    WARNING: include/linux/genalloc.h:52 function parameter 'start_addr' not described in 'genpool_algo_t'
Fixes: 52fbf11 ("lib/genalloc.c: fix allocation of aligned buffer from non-aligned chunk")
Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Closes: https://lkml.kernel.org/r/20251127130624.563597e3@canb.auug.org.au
Acked-by: Randy Dunlap <rdunlap@infradead.org>
Tested-by: Randy Dunlap <rdunlap@infradead.org>
Cc: Alexey Skidanov <alexey.skidanov@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 535ce34a5bdba1c7353f1c5d0a1ae707e68df763)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit c48c0fd0e19684b6ecdb4108a429e3a4e73f5e21 ]
It looks like the buffer allocated and mapped in add_card() is done
with size RCV_BUFFER_SIZE which is 16 KB and 4KB.
Fixes: 2864682 ("firewire: new driver: nosy - IEEE 1394 traffic sniffer")
Co-developed-by: Thomas Fourier <fourier.thomas@gmail.com>
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Co-developed-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Link: https://lore.kernel.org/r/20251216165420.38355-2-fourier.thomas@gmail.com
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 328dc0b12fb8be5c2f6bee356df5ede74a29e444)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit d42bce414d1c5c0b536758466a1f63ac358e613c ]
port_fdb_dump() is supposed to only add fdb entries, but we iterate over
the full ARL table, which also includes multicast entries.
So check if the entry is a multicast entry before passing it on to the
callback().
Additionally, the port of those entries is a bitmask, not a port number,
so any included entries would have even been for the wrong port.
Fixes: 1da6df8 ("net: dsa: b53: Implement ARL add/del/dump operations")
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20251217205756.172123-1-jonas.gorski@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 0e85ce7a3755f8a5489c85b3a6af661053d00b5a)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit a1e077a3f76eea0dc671ed6792e7d543946227e8 ]
The ASIX driver reads the PHY address from the USB device via
asix_read_phy_addr(). A malicious or faulty device can return an
invalid address (>= PHY_MAX_ADDR), which causes a warning in
mdiobus_get_phy():
    addr 207 out of range
    WARNING: drivers/net/phy/mdio_bus.c:76
Validate the PHY address in asix_read_phy_addr() and remove the
now-redundant check in ax88172a.c.
Reported-by: syzbot+3d43c9066a5b54902232@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3d43c9066a5b54902232
Tested-by: syzbot+3d43c9066a5b54902232@syzkaller.appspotmail.com
Fixes: 7e88b11 ("net: usb: asix: refactor asix_read_phy_addr() and handle errors on return")
Link: https://lore.kernel.org/all/20251217085057.270704-1-kartikey406@gmail.com/T/ [v1]
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20251218011156.276824-1-kartikey406@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 38722e69ee64dbb020028c93898d25d6f4c0e0b2)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…ruct
[ Upstream commit f79f9b7ace1713e4b83888c385f5f55519dfb687 ]
Sphinx reports kernel-doc warning:
    WARNING: ./net/bridge/br_private.h:267 struct member 'tunnel_hash' not described in 'net_bridge_vlan_group'
Fix it by describing @tunnel_hash member.
Fixes: efa5356 ("bridge: per vlan dst_metadata netlink support")
Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20251218042936.24175-2-bagasdotme@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 25be7178446cc5a0c33fd17ea1605792b2876642)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…age parsing
[ Upstream commit e44c42c830b7ab36e3a3a86321c619f24def5206 ]
The hp_populate_*_elements_from_package() functions in the hp-bioscfg
driver contain out-of-bounds array access vulnerabilities.
These functions parse ACPI packages into internal data structures using
a for loop with index variable 'elem' that iterates through
enum_obj/integer_obj/order_obj/password_obj/string_obj arrays.
When processing multi-element fields like PREREQUISITES and
ENUM_POSSIBLE_VALUES, these functions read multiple consecutive array
elements using expressions like 'enum_obj[elem + reqs]' and
'enum_obj[elem + pos_values]' within nested loops.
The bug is that the bounds check only validated elem, but did not consider
the additional offset when accessing elem + reqs or elem + pos_values.
The fix changes the bounds check to validate the actual accessed index.
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Fixes: e6c7b3e ("platform/x86: hp-bioscfg: string-attributes")
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB788173D7DD4EA2CB6383683DAFB0A@SYBPR01MB7881.ausprd01.prod.outlook.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit cf7ae870560b988247a4bbbe5399edd326632680)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
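The bounds-check change described in the hp-bioscfg commit message above, as an added example that is not part of the commit or the driver. It is a simplified userspace model: `parse_multi`, `run_sample`, the 6-element `sample_pkg` and the idea that the element count `size` comes from the package itself are assumptions made for illustration, and out-of-range accesses are counted rather than performed.

```c
/* Added example: simplified model of the nested-loop bounds check; not driver code. */
#include <stddef.h>
#include <stdio.h>

enum check_mode {
    CHECK_ELEM_ONLY,      /* pre-fix shape: only the outer index is validated */
    CHECK_ACCESSED_INDEX  /* post-fix shape: elem + reqs is validated */
};

struct parse_result {
    int status;        /* 0 = parsed, -1 = rejected as "package too small" */
    size_t copied;     /* values consumed from inside the array */
    size_t oob_reads;  /* accesses that would have landed past the array */
};

/* Consume `size` consecutive values starting at obj[elem], as the
 * multi-element fields (PREREQUISITES, ENUM_POSSIBLE_VALUES) do. */
static struct parse_result parse_multi(const int *obj, size_t obj_count,
                                       size_t elem, size_t size,
                                       enum check_mode mode, int *out)
{
    struct parse_result r = { 0, 0, 0 };
    size_t reqs;

    for (reqs = 0; reqs < size; reqs++) {
        size_t checked = (mode == CHECK_ELEM_ONLY) ? elem : elem + reqs;

        if (checked >= obj_count) {
            r.status = -1;
            return r;
        }
        if (elem + reqs >= obj_count) {
            r.oob_reads++;   /* model only: count it, never dereference */
            continue;
        }
        out[r.copied++] = obj[elem + reqs];
    }
    return r;
}

/* Constructed sample package: 6 elements (hypothetical values). */
static const int sample_pkg[6] = { 10, 11, 12, 13, 14, 15 };

static struct parse_result run_sample(size_t elem, size_t size,
                                      enum check_mode mode)
{
    int out[8] = { 0 };

    if (size > 8)            /* keep the model's output buffer in range */
        size = 8;
    return parse_multi(sample_pkg, 6, elem, size, mode, out);
}

int main(void)
{
    /* A field at index 4 that claims 4 values in a 6-element package. */
    struct parse_result a = run_sample(4, 4, CHECK_ELEM_ONLY);
    struct parse_result b = run_sample(4, 4, CHECK_ACCESSED_INDEX);

    printf("elem-only check:      status=%d copied=%zu oob_reads=%zu\n",
           a.status, a.copied, a.oob_reads);
    printf("accessed-index check: status=%d copied=%zu oob_reads=%zu\n",
           b.status, b.copied, b.oob_reads);
    return 0;
}
```
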
[ Upstream commit 85f4b0c650d9f9db10bda8d3acfa1af83bf78cf7 ]
This patch ensures that the RX ring size (rx_pending) is not
set below the permitted length. This avoids UBSAN
shift-out-of-bounds errors when users pass small or zero
ring sizes via ethtool -G.
Fixes: d45d897 ("octeontx2-pf: Add basic ethtool support")
Signed-off-by: Anshumali Gaur <agaur@marvell.com>
Link: https://patch.msgid.link/20251219062226.524844-1-agaur@marvell.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit b23a2e15589466a027c9baa3fb5813c9f6a6c6dc)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit a48e232210009be50591fdea8ba7c07b0f566a13 ]
There is a crash issue when running zero copy XDP_TX action, the crash
log is shown below.
    [ 216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000
    [ 216.187524] Internal error: Oops: 0000000096000144 [#1] SMP
    [ 216.301694] Call trace:
    [ 216.304130] dcache_clean_poc+0x20/0x38 (P)
    [ 216.308308] __dma_sync_single_for_device+0x1bc/0x1e0
    [ 216.313351] stmmac_xdp_xmit_xdpf+0x354/0x400
    [ 216.317701] __stmmac_xdp_run_prog+0x164/0x368
    [ 216.322139] stmmac_napi_poll_rxtx+0xba8/0xf00
    [ 216.326576] __napi_poll+0x40/0x218
    [ 216.408054] Kernel panic - not syncing: Oops: Fatal exception in interrupt
For XDP_TX action, the xdp_buff is converted to xdp_frame by
xdp_convert_buff_to_frame(). The memory type of the resulting xdp_frame
depends on the memory type of the xdp_buff. For page pool based xdp_buff
it produces xdp_frame with memory type MEM_TYPE_PAGE_POOL. For zero copy
XSK pool based xdp_buff it produces xdp_frame with memory type
MEM_TYPE_PAGE_ORDER0. However, stmmac_xdp_xmit_back() does not check the
memory type and always uses the page pool type, this leads to invalid
mappings and causes the crash. Therefore, check the xdp_buff memory type
in stmmac_xdp_xmit_back() to fix this issue.
Fixes: bba2556 ("net: stmmac: Enable RX via AF_XDP zero-copy")
Signed-off-by: Wei Fang <wei.fang@nxp.com>
Reviewed-by: Hariprasad Kelam <hkelam@marvell.com>
Link: https://patch.msgid.link/20251204071332.1907111-1-wei.fang@nxp.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 4d0ceb7677e1c4616afb96abb4518f70b65abb0d)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 58fc7342b529803d3c221101102fe913df7adb83 ]
There exists a kernel oops caused by a BUG_ON(nhead < 0) at
net/core/skbuff.c:2232 in pskb_expand_head().
This bug is triggered as part of the calipso_skbuff_setattr()
routine when skb_cow() is passed headroom > INT_MAX
(i.e. (int)(skb_headroom(skb) + len_delta) < 0).
The root cause of the bug is due to an implicit integer cast in
__skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure
that delta = headroom - skb_headroom(skb) is never negative, otherwise
we will trigger a BUG_ON in pskb_expand_head(). However, if
headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta
becomes negative, and pskb_expand_head() is passed a negative value for
nhead.
Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing
"negative" headroom sizes to skb_cow() within calipso_skbuff_setattr()
by only using skb_cow() to grow headroom.
PoC:
Using `netlabelctl` tool:
netlabelctl map del default
netlabelctl calipso add pass doi:7
netlabelctl map add default address:0::1/128 protocol:calipso,7
Then run the following PoC:
int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
// setup msghdr
int cmsg_size = 2;
int cmsg_len = 0x60;
struct msghdr msg;
struct sockaddr_in6 dest_addr;
struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1,
sizeof(struct cmsghdr) + cmsg_len);
msg.msg_name = &dest_addr;
msg.msg_namelen = sizeof(dest_addr);
msg.msg_iov = NULL;
msg.msg_iovlen = 0;
msg.msg_control = cmsg;
msg.msg_controllen = cmsg_len;
msg.msg_flags = 0;
// setup sockaddr
dest_addr.sin6_family = AF_INET6;
dest_addr.sin6_port = htons(31337);
dest_addr.sin6_flowinfo = htonl(31337);
dest_addr.sin6_addr = in6addr_loopback;
dest_addr.sin6_scope_id = 31337;
// setup cmsghdr
cmsg->cmsg_len = cmsg_len;
cmsg->cmsg_level = IPPROTO_IPV6;
cmsg->cmsg_type = IPV6_HOPOPTS;
char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr);
hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80
sendmsg(fd, &msg, 0);
Fixes: 2917f57 ("calipso: Allow the lsm to label the skbuff directly.")
Suggested-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Will Rosenberg <whrosenb@asu.edu>
Acked-by: Paul Moore <paul@paul-moore.com>
Link: https://patch.msgid.link/20251219173637.797418-1-whrosenb@asu.edu
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit c53aa6a5086f03f19564096ee084a202a8c738c0)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
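The integer-cast condition described in the commit message above, as an added user-space model (not kernel code and not part of the upstream patch). `MODEL_NET_SKB_PAD` = 64 and every function name here are assumptions of the example; the grow-only caller sketches the idea of the fix rather than reproducing it.

```c
/* Added example: user-space model of the headroom arithmetic only. */
#include <stdio.h>

/* Assumption: the kernel's NET_SKB_PAD depends on the architecture. */
#define MODEL_NET_SKB_PAD 64

/* Kernel-style ALIGN() evaluated in signed int, as it is for "delta". */
static int model_align(int x, int a)
{
    return (x + (a - 1)) & ~(a - 1);
}

/*
 * Model of the check described for __skb_cow(): returns the nhead value
 * that would reach pskb_expand_head(), or 0 when nothing is requested.
 * The unsigned comparison passes for any headroom above the current one,
 * including values above INT_MAX, and the result is then stored in an int.
 */
static int model_skb_cow_nhead(unsigned int headroom, unsigned int cur_headroom)
{
    int delta = 0;

    if (headroom > cur_headroom)
        delta = (int)(headroom - cur_headroom); /* the implicit cast */
    if (delta == 0)
        return 0;
    return model_align(delta, MODEL_NET_SKB_PAD);
}

/* Caller shape from the message: request skb_headroom(skb) + len_delta.
 * A negative len_delta larger than the current headroom wraps the
 * unsigned sum to a value above INT_MAX. */
static int nhead_unguarded(unsigned int cur_headroom, int len_delta)
{
    return model_skb_cow_nhead(cur_headroom + (unsigned int)len_delta,
                               cur_headroom);
}

/* Hypothetical grow-only caller: a shrink never asks for more headroom. */
static int nhead_grow_only(unsigned int cur_headroom, int len_delta)
{
    unsigned int want = cur_headroom;

    if (len_delta > 0)
        want += (unsigned int)len_delta;
    return model_skb_cow_nhead(want, cur_headroom);
}

/* Mirrors the BUG_ON(nhead < 0) condition quoted in the message. */
static int would_bug(int nhead)
{
    return nhead < 0;
}

int main(void)
{
    /* Constructed sample values: 16 bytes of headroom, various deltas. */
    static const int deltas[] = { 80, -40, -63, -64, -96 };
    unsigned int cur = 16;

    for (size_t i = 0; i < sizeof(deltas) / sizeof(deltas[0]); i++) {
        int before = nhead_unguarded(cur, deltas[i]);
        int after = nhead_grow_only(cur, deltas[i]);

        printf("len_delta=%4d  unguarded nhead=%4d%s  grow-only nhead=%4d\n",
               deltas[i], before, would_bug(before) ? " (BUG_ON)" : "",
               after);
    }
    return 0;
}
```

The -63 and -64 rows show why the message states the threshold as delta <= -NET_SKB_PAD: smaller negative deltas round up to 0 in the alignment step and never reach the BUG_ON.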
…bjects
[ Upstream commit ac782f4e3bfcde145b8a7f8af31d9422d94d172a ]
When a nexthop object is deleted, it is marked as dead and then fib_table_flush() is called to flush all the routes that are using the dead nexthop.
The current logic in fib_table_flush() is to only flush error routes (e.g., blackhole) when it is called as part of network namespace dismantle (i.e., with flush_all=true). Therefore, error routes are not flushed when their nexthop object is deleted:
    # ip link add name dummy1 up type dummy
    # ip nexthop add id 1 dev dummy1
    # ip route add 198.51.100.1/32 nhid 1
    # ip route add blackhole 198.51.100.2/32 nhid 1
    # ip nexthop del id 1
    # ip route show
    blackhole 198.51.100.2 nhid 1 dev dummy1
As such, they keep holding a reference on the nexthop object which in turn holds a reference on the nexthop device, resulting in a reference count leak:
    # ip link del dev dummy1
    [ 70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2
Fix by flushing error routes when their nexthop is marked as dead.
IPv6 does not suffer from this problem.
Fixes: 493ced1 ("ipv4: Allow routes to use nexthop objects")
Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Closes: https://lore.kernel.org/netdev/d943f806-4da6-4970-ac28-b9373b0e63ac@I-love.SAKURA.ne.jp/
Reported-by: syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20251221144829.197694-1-idosch@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 5979338c83012110ccd45cae6517591770bfe536)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 6595beb40fb0ec47223d3f6058ee40354694c8e4 ] rose_kill_by_device() collects sockets into a local array[] and then iterates over them to disconnect sockets bound to a device being brought down. The loop mistakenly indexes array[cnt] instead of array[i]. For cnt < ARRAY_SIZE(array), this reads an uninitialized entry; for cnt == ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to an invalid socket pointer dereference and also leaks references taken via sock_hold(). Fix the index to use i. Fixes: 64b8bc7 ("net/rose: fix races in rose_kill_by_device()") Co-developed-by: Fatma Alwasmi <falwasmi@purdue.edu> Signed-off-by: Fatma Alwasmi <falwasmi@purdue.edu> Signed-off-by: Pwnverse <stanksal@purdue.edu> Link: https://patch.msgid.link/20251222212227.4116041-1-ritviktanksalkar@gmail.com Signed-off-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 9f6185a32496834d6980b168cffcccc2d6b17280) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 6f05611728e9d0ab024832a4f1abb74a5f5d0bb0 ]
irdma_net_event() should not dereference anything from "neigh" (alias "ptr") until it has checked that the event is NETEVENT_NEIGH_UPDATE. Other events come with different structures pointed to by "ptr" and they may be smaller than struct neighbour.
Move the read of neigh->dev under the NETEVENT_NEIGH_UPDATE case.
The bug is mostly harmless, but it triggers KASAN on debug kernels:
BUG: KASAN: stack-out-of-bounds in irdma_net_event+0x32e/0x3b0 [irdma]
Read of size 8 at addr ffffc900075e07f0 by task kworker/27:2/542554
CPU: 27 PID: 542554 Comm: kworker/27:2 Kdump: loaded Not tainted 5.14.0-630.el9.x86_64+debug #1
Hardware name: [...]
Workqueue: events rt6_probe_deferred
Call Trace:
 <IRQ>
 dump_stack_lvl+0x60/0xb0
 print_address_description.constprop.0+0x2c/0x3f0
 print_report+0xb4/0x270
 kasan_report+0x92/0xc0
 irdma_net_event+0x32e/0x3b0 [irdma]
 notifier_call_chain+0x9e/0x180
 atomic_notifier_call_chain+0x5c/0x110
 rt6_do_redirect+0xb91/0x1080
 tcp_v6_err+0xe9b/0x13e0
 icmpv6_notify+0x2b2/0x630
 ndisc_redirect_rcv+0x328/0x530
 icmpv6_rcv+0xc16/0x1360
 ip6_protocol_deliver_rcu+0xb84/0x12e0
 ip6_input_finish+0x117/0x240
 ip6_input+0xc4/0x370
 ipv6_rcv+0x420/0x7d0
 __netif_receive_skb_one_core+0x118/0x1b0
 process_backlog+0xd1/0x5d0
 __napi_poll.constprop.0+0xa3/0x440
 net_rx_action+0x78a/0xba0
 handle_softirqs+0x2d4/0x9c0
 do_softirq+0xad/0xe0
 </IRQ>
Fixes: 915cc7a ("RDMA/irdma: Add miscellaneous utility definitions")
Link: https://patch.msgid.link/r/20251127143150.121099-1-mschmidt@redhat.com
Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit fc23d05f0b3fb4d80657e7afebae2cae686b31c8)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 85463eb6a46caf2f1e0e1a6d0731f2f3bab17780 ]
The page size used for device might in some cases be smaller than PAGE_SIZE, which results in a negative shift when calculating the number of host pages in PAGE_SIZE for a debug log. Remove the debug line together with the calculation.
Fixes: 40909f6 ("RDMA/efa: Add EFA verbs implementation")
Link: https://patch.msgid.link/r/20251210173656.8180-1-mrgolin@amazon.com
Reviewed-by: Tom Sela <tomsela@amazon.com>
Reviewed-by: Yonatan Nachum <ynachum@amazon.com>
Signed-off-by: Michael Margolin <mrgolin@amazon.com>
Reviewed-by: Gal Pressman <gal.pressman@linux.dev>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit c67499757bcf8337b6585bd55e50c57d209cdd65)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 8aaa848eaddd9ef8680fc6aafbd3a0646da5df40 ] Fix missing comparison operator for RDMA_NETWORK_ROCE_V1 in the conditional statement. The constant was used directly instead of being compared with net_type, causing the condition to always evaluate to true. Fixes: 1c15b4f ("RDMA/core: Modify enum ib_gid_type and enum rdma_network_type") Signed-off-by: Jang Ingyu <ingyujang25@korea.ac.kr> Link: https://patch.msgid.link/20251219041508.1725947-1-ingyujang25@korea.ac.kr Signed-off-by: Leon Romanovsky <leon@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 78d9259378aa62992744da4988dedf03c877d38b) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 145a417a39d7efbc881f52e829817376972b278c ] RCFW_COMM_CONS_PCI_BAR_REGION is defined as BAR 2, so checking !creq_db->reg.bar_id is incorrect and always false. pci_resource_start() returns the BAR base address, and a value of 0 indicates that the BAR is unassigned. Update the condition to test bar_base == 0 instead. This ensures the driver detects and logs an error for an unassigned RCFW communication BAR. Fixes: cee0c7b ("RDMA/bnxt_re: Refactor command queue management code") Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com> Link: https://patch.msgid.link/20251217100158.752504-1-alok.a.tiwari@oracle.com Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com> Signed-off-by: Leon Romanovsky <leon@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 689eb90b703b75995b90a5c26bcef1fbab64976e) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit f01765a2361323e78e3d91b1cb1d5527a83c5cf7 ]
The bnxt_re SEND path checks wr->send_flags to enable features such as
IP checksum offload. However, send_flags is a bitmask and may contain
multiple flags (e.g. IB_SEND_SIGNALED | IB_SEND_IP_CSUM), while the
existing code uses a switch() statement that only matches when
send_flags is exactly IB_SEND_IP_CSUM.
As a result, checksum offload is not enabled when additional SEND
flags are present.
Replace the switch() with a bitmask test:
if (wr->send_flags & IB_SEND_IP_CSUM)
This ensures IP checksum offload is enabled correctly when multiple
SEND flags are used.
Fixes: 1ac5a40 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Link: https://patch.msgid.link/20251219093308.2415620-1-alok.a.tiwari@oracle.com
Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 639e07bbfa17bd9605e968ffeeaee366d74c6301)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…0c_thread()
commit d2bceb2e20e783d57e739c71e4e50b4b9f4a3953 upstream.
It's possible for max1 to remain -1 if msp_read() always fails. This variable is further used as index for accessing arrays.
Fix that by checking max1 prior to array accesses.
It seems that restart is the preferable action in case of out-of-bounds value.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 8a4b275 ("V4L/DVB (3427): audmode and rxsubchans fixes (VIDIOC_G/S_TUNER)")
Cc: stable@vger.kernel.org
Signed-off-by: Ivan Abramov <i.abramov@mt-integration.ru>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 3a294b90cd1ab3fbf9226bf936af59e24475caee)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…f_bond_enabled commit 445e1658894fd74eab7e53071fa16233887574ed upstream. The function calls of_parse_phandle() which returns a device node with an incremented reference count. When the bonded device is not available, the function returns NULL without releasing the reference, causing a reference leak. Add of_node_put(np) to release the device node reference. The of_node_put function handles NULL pointers. Found through static analysis by reviewing the doc of of_parse_phandle() and cross-checking its usage patterns across the codebase. Fixes: 7625ee9 ("[media] media: platform: rcar_drif: Add DRIF support") Cc: stable@vger.kernel.org Signed-off-by: Miaoqian Lin <linmq006@gmail.com> Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be> Reviewed-by: Fabrizio Castro <fabrizio.castro.jz@renesas.com> Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 4d8da22db9355e914fa93e27751b5ab24e478fce) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 17dc8ccd6dd5ffe30aa9b0d36e2af1389344ce2b upstream.
v4l2_device_register_subdev_nodes() must be called without taking media_dev->graph_mutex to avoid potential AB-BA deadlock on further subdevice driver initialization.
Fixes: fa91f10 ("[media] exynos4-is: Add support for asynchronous subdevices registration")
Cc: stable@vger.kernel.org
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Acked-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 1b560207855771693c296cf4c58c7ef46836743e)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 29de195ca39fc2ac0af6fd45522994df9f431f80 upstream. The delayed_work delayed_work_enable_hpd is initialized with INIT_DELAYED_WORK(), but it is never scheduled in tda1997x_probe(). Calling cancel_delayed_work() on a work that has never been scheduled is redundant and unnecessary, as there is no pending work to cancel. Remove the redundant cancel_delayed_work() from error handling path in tda1997x_probe() to avoid potential confusion. Fixes: 9ac0038 ("media: i2c: Add TDA1997x HDMI receiver driver") Cc: stable@vger.kernel.org Signed-off-by: Duoming Zhou <duoming@zju.edu.cn> Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit b93abb4385b8f3ed34487ca0060d9bc32b4af1e1) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 47825b1646a6a9eca0f90baa3d4f98947c2add96 upstream.
Fix the Hantro G2 HEVC decoder so that we use DPB index 0 whenever an invalid index is received from user space. This protects the hardware from doing faulty memory access which then leads to bus errors.
To be noted that when a reference is missing, userspace such as GStreamer passes an invalid DPB index of 255. This issue was found by seeking to a CRA picture using GStreamer. The framework is currently missing the code to skip over RASL pictures placed after the CRA. This situation can also occur while doing live streaming over lossy transport.
Fixes: cb5dd5a ("media: hantro: Introduce G2/HEVC decoder")
Cc: stable@vger.kernel.org
Reviewed-by: Benjamin Gaignard <benjamin.gaignard@collabora.com>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 99293be855c320e6a937edcda6927c2ff4869b6e)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 94de23a9aa487d7c1372efb161721d7949a177ae upstream. In vb2_dc_alloc(), get_device() is called to increment the device reference count. However, if subsequent DMA allocation fails (vb2_dc_alloc_coherent or vb2_dc_alloc_non_coherent returns error), the function returns without calling put_device(), causing a device reference leak. Add put_device() call in the error path before kfree() to properly release the device reference acquired earlier. Fixes: de27891 ("media: videobuf2: handle non-contiguous DMA allocations") Cc: stable@vger.kernel.org Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn> Reviewed-by: Marek Szyprowski <m.szyprowski@samsung.com> Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 1ad7c817410965f6098f53ae543a26359d489ee5) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 0ef841113724166c3c484d0e9ae6db1eb5634fde upstream. Platform drivers can be probed after their init sections have been discarded (e.g. on probe deferral or manual rebind through sysfs) so the probe function must not live in init. Note that commit ffa1b39 ("V4L/DVB: vpif_cap/disp: Removed section mismatch warning") incorrectly suppressed the modpost warning. Fixes: ffa1b39 ("V4L/DVB: vpif_cap/disp: Removed section mismatch warning") Fixes: 6ffefff ("V4L/DVB (12906c): V4L : vpif capture driver for DM6467") Cc: stable@vger.kernel.org # 2.6.32 Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 08c6c6f2a5707d98ea562efee5144adb2e3570d6) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 59ca64bf98e4209df8ace8057d31ae3c80f948cd upstream. Platform drivers can be probed after their init sections have been discarded (e.g. on probe deferral or manual rebind through sysfs) so the probe function must not live in init. Note that commit ffa1b39 ("V4L/DVB: vpif_cap/disp: Removed section mismatch warning") incorrectly suppressed the modpost warning. Fixes: ffa1b39 ("V4L/DVB: vpif_cap/disp: Removed section mismatch warning") Fixes: e7332e3 ("V4L/DVB (12176): davinci/vpif_display: Add VPIF display driver") Cc: stable@vger.kernel.org # 2.6.32 Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 52604951b90cd0f6e58c988993a9f327d95cda9a) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit ae246b0032146e352c4c06a7bf03cd3d5bcb2ecd upstream. To avoid accessing the VPU register after release of the VPU core, cancel the message work and destroy the workqueue that handles the VPU message before release of the VPU core. Fixes: 3cd0845 ("media: amphion: add vpu v4l2 m2m support") Cc: stable@vger.kernel.org Signed-off-by: Ming Qian <ming.qian@oss.nxp.com> Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com> Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 4b139f88c2ab0eaa52839763ddea16a499bc833c) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 8f34f24355a607b98ecd9924837aab13c676eeca upstream. The delayed_work delayed_work_enable_hotplug is initialized with INIT_DELAYED_WORK() in adv76xx_probe(), but it is never scheduled anywhere in the probe function. Calling cancel_delayed_work() on a work that has never been scheduled is redundant and unnecessary, as there is no pending work to cancel. Remove the redundant cancel_delayed_work() from error handling path and adjust the goto label accordingly to simplify the code and avoid potential confusion. Fixes: 54450f5 ("[media] adv7604: driver for the Analog Devices ADV7604 video decoder") Cc: stable@vger.kernel.org Signed-off-by: Duoming Zhou <duoming@zju.edu.cn> Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit a8e6cf7fa2be90b4a82be23de7ab784c8d1cc054) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit e66a5cc606c58e72f18f9cdd868a3672e918f9f8 upstream. The delayed_work delayed_work_enable_hotplug is initialized with INIT_DELAYED_WORK() in adv7842_probe(), but it is never scheduled anywhere in the probe function. Calling cancel_delayed_work() on a work that has never been scheduled is redundant and unnecessary, as there is no pending work to cancel. Remove the redundant cancel_delayed_work() from error handling path and adjust the goto label accordingly to simplify the code and avoid potential confusion. Fixes: a89bcd4 ("[media] adv7842: add new video decoder driver") Cc: stable@vger.kernel.org Signed-off-by: Duoming Zhou <duoming@zju.edu.cn> Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 53e256b5c3602776b5ec90b58424d7a598316ce2) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…it() commit cdd0f118ef87db8a664fb5ea366fd1766d2df1cd upstream. vpu_get_plat_device() increases the reference count of the returned platform device. However, when devm_kzalloc() fails, the reference is not released, causing a reference leak. Fix this by calling put_device() on fw_pdev->dev before returning on the error path. Fixes: e25a89f ("media: mtk-vcodec: potential dereference of null pointer") Cc: stable@vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com> Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com> Reviewed-by: Tzung-Bi Shih <tzungbi@kernel.org> Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com> Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 80617b75fd70b01b6e89c944c822436317c3ceee) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit bf3fa8f232a1eec8d7b88dcd9e925e60f04f018d upstream.
Loongson-2K3000 has a new PCI ID (0x7a46) for its display controller. Add it for pci_fixup_vgadev() since we prefer a discrete graphics card as default boot device if present.
Cc: stable@vger.kernel.org
Signed-off-by: Tianrui Zhao <zhaotianrui@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 4632c8b0966de992f502793de181ace7b7ac4c18)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 1de0ae21f136efa6c5d8a4d3e07b7d1ca39c750f upstream. For thread_count, the current calculation method has a maximum of 255, which may not be sufficient in the future. Therefore, we are correcting it now. Reference: SMBIOS Specification, 7.5 Processor Information (Type 4)[1] [1]: https://www.dmtf.org/sites/default/files/standards/documents/DSP0134_3.9.0.pdf Cc: stable@vger.kernel.org Signed-off-by: Qiang Ma <maqianga@uniontech.com> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> [ Conflict because of ("LoongArch: Adjust the calculation of the number of packages") ] (cherry picked from commit 155d6a8f5d5f7549b3d2e6c505c741da428b591f) Signed-off-by: Wentao Guan <guanwentao@uniontech.com> Conflicts: arch/loongarch/kernel/setup.c
commit 3c250aecef62da81deb38ac6738ac0a88d91f1fc upstream.
When CONFIG_RANDSTRUCT is enabled, members of task_struct are randomized. There is a chance that TASK_STACK_CANARY is out of the 12bit immediate's range and causes build errors. TASK_STACK_CANARY is naturally aligned, so fix it by replacing ld.d/st.d with ldptr.d/stptr.d which have 14bit immediates.
Cc: stable@vger.kernel.org
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202511240656.0NaPcJs1-lkp@intel.com/
Suggested-by: Rui Wang <wangrui@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 582c1dcc5bb5a730a1d07ff77f7ec32f69fe8530)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 4a71df151e703b5e7e85b33369cee59ef2665e61 upstream.
The __pmd() and __pte() helper macros provide the correct initialization
syntax and abstraction for the pmd_t and pte_t types.
Use __pmd() to fix the following warning about __swp_entry_to_pmd() with gcc-15
under specific configs [1]:
In file included from ./include/linux/pgtable.h:6,
from ./include/linux/mm.h:31,
from ./include/linux/pagemap.h:8,
from arch/loongarch/mm/init.c:14:
./include/linux/swapops.h: In function ‘swp_entry_to_pmd’:
./arch/loongarch/include/asm/pgtable.h:302:34: error: missing braces around initializer [-Werror=missing-braces]
302 | #define __swp_entry_to_pmd(x) ((pmd_t) { (x).val | _PAGE_HUGE })
| ^
./include/linux/swapops.h:559:16: note: in expansion of macro ‘__swp_entry_to_pmd’
559 | return __swp_entry_to_pmd(arch_entry);
| ^~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
Also update __swp_entry_to_pte() to use __pte() for consistency.
[1]. https://download.01.org/0day-ci/archive/20251119/202511190316.luI90kAo-lkp@intel.com/config
Cc: stable@vger.kernel.org
Signed-off-by: Yuli Wang <wangyl5933@chinaunicom.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit f0b9e0bdc8bc3e4294a1774bd35b084d3bab981a)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit a258a3cb1895e3acf5f2fe245d17426e894bc935 upstream. It is better to use unsigned long rather than long for _end and _text to calculate the kernel length. Cc: stable@vger.kernel.org # v6.3+ Fixes: e5f02b5 ("LoongArch: Add support for kernel address space layout randomization (KASLR)") Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit b9b5f45cc1b72953e1fe27bb32d9f3ace46ba4f2) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 2fb6915fa22dc5524d704afba58a13305dd9f533 upstream.
"auto" was defined as a keyword back in the K&R days, but as a storage type specifier. No one ever used it, since it was and is the default storage type for local variables.
C++11 recycled the keyword to allow a type to be declared based on the type of an initializer. This was finally adopted into standard C in C23.
gcc and clang provide the "__auto_type" alias keyword as an extension for pre-C23, however, there is no reason to pollute the bulk of the source base with this temporary keyword; instead define "auto" as a macro unless the compiler is running in C23+ mode.
This macro is added in <linux/compiler_types.h> because that header is included in some of the tools headers, whereas <linux/compiler.h> is not as it has a bunch of very kernel-specific things in it.
[ Cc: stable to reduce potential backporting burden. ]
Signed-off-by: H. Peter Anvin (Intel) <hpa@zytor.com>
Acked-by: Miguel Ojeda <ojeda@kernel.org>
Cc: <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit e53bfe4530590f2832a96b21bd55e9416b4b1dc1)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 6f13db031e27e88213381039032a9cc061578ea6 upstream.
A KASAN tag mismatch, possibly causing a kernel panic, can be observed on systems with a tag-based KASAN enabled and with multiple NUMA nodes. It was reported on arm64 and reproduced on x86. It can be explained in the following points:
1. There can be more than one virtual memory chunk.
2. Chunk's base address has a tag.
3. The base address points at the first chunk and thus inherits the tag of the first chunk.
4. The subsequent chunks will be accessed with the tag from the first chunk.
5. Thus, the subsequent chunks need to have their tag set to match that of the first chunk.
Refactor code by reusing __kasan_unpoison_vmalloc in a new helper in preparation for the actual fix.
Link: https://lkml.kernel.org/r/eb61d93b907e262eefcaa130261a08bcb6c5ce51.1764874575.git.m.wieczorretman@pm.me
Fixes: 1d96320 ("kasan, vmalloc: add vmalloc tagging for SW_TAGS")
Signed-off-by: Maciej Wieczor-Retman <maciej.wieczor-retman@intel.com>
Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Danilo Krummrich <dakr@kernel.org>
Cc: Dmitriy Vyukov <dvyukov@google.com>
Cc: Jiayuan Chen <jiayuan.chen@linux.dev>
Cc: Kees Cook <kees@kernel.org>
Cc: Marco Elver <elver@google.com>
Cc: "Uladzislau Rezki (Sony)" <urezki@gmail.com>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Cc: <stable@vger.kernel.org> [6.1+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit c9acbaec693b3bcbb61c2192ad0f92774cb0e53d)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit c6e8e595a0798ad67da0f7bebaf69c31ef70dfff upstream. If you use an IDR with a non-zero base, and specify a range that lies entirely below the base, 'max - base' becomes very large and idr_get_free() can return an ID that lies outside of the requested range. Link: https://lkml.kernel.org/r/20251128161853.3200058-1-willy@infradead.org Fixes: 6ce711f ("idr: Make 1-based IDRs more efficient") Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org> Reported-by: Jan Sokolowski <jan.sokolowski@intel.com> Reported-by: Koen Koning <koen.koning@intel.com> Reported-by: Peter Senna Tschudin <peter.senna@linux.intel.com> Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6449 Reviewed-by: Christian König <christian.koenig@amd.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 3e3c0dc025f06d331df6aeb939126e08742fa83f) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by:
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
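deepin pr auto review
Git Diff Code Review Report
I have carefully reviewed the provided code diff. Below are a detailed analysis and improvement suggestions covering four aspects: syntax and logic, code quality, code performance, and code security.
I. Overall assessment
This is a set of code changes touching multiple subsystems (ARM/LoongArch/PowerPC architectures, network drivers, IOMMU, media drivers, and others). It mainly consists of device tree configuration fixes, memory management optimizations, improved driver error handling, and hardware-specific feature enhancements. The overall code quality is high, but there are some potential issues that need improvement.
II. Specific issues
1. Device tree configuration change (k3-j721e-sk.dts)
Issue:
Analysis:
Recommendation:
2. LoongArch architecture changes
2.1 Page table management (pgtable.h)
Issue: change in how swap entries are converted to page table entries
-#define __swp_entry_to_pte(x) ((pte_t) { (x).val })
+#define __swp_entry_to_pte(x) __pte((x).val)
Analysis:
Recommendation:
2.2 Kernel relocation (relocate.c)
Issue: type change in the kernel length calculation
-kernel_length = (long)_end - (long)_text;
+kernel_length = (unsigned long)_end - (unsigned long)_text;
Analysis:
Recommendation:
2.3 CPU information parsing (setup.c)
Issue: enhanced parsing of the SMBIOS thread count
+ if (dm->length >= 0x30 && loongson_sysconf.cores_per_package == 0xff) {
+ /* SMBIOS 3.0+ has ThreadCount2 for more than 255 threads */
+ loongson_sysconf.cores_per_package =
+ *(u16 *)(dmi_data + SMBIOS_THREAD_PACKAGE_2_OFFSET);
+ }
Analysis:
Recommendation:
3. PowerPC architecture changes
3.1 TLB flush (tlbflush.h)
Issue: added
+void hash__flush_gather(struct mmu_gather *tlb);
Analysis:
Recommendation:
3.2 SLB preload optimization (slb.c)
Issue: removed
Analysis:
Recommendation:
4. Network driver changes
4.1 Block multi-queue (blk-mq.c)
Issue: CPU mask handling optimization
+static bool blk_mq_hctx_empty_cpumask(struct blk_mq_hw_ctx *hctx)
+{
+ return hctx->next_cpu >= nr_cpu_ids;
+}
Analysis:
Recommendation:
4.2 Bluetooth USB driver (btusb.c)
Issue: memory allocation and error handling improvements
-data = devm_kzalloc(&intf->dev, sizeof(*data), GFP_KERNEL);
+data = kzalloc(sizeof(*data), GFP_KERNEL);
Analysis:
Recommendation:
5. IOMMU driver changes
5.1 Multiple IOMMU drivers (apple-dart.c, qcom_iommu.c, etc.)
Issue: device reference count handling
+put_device(&iommu_pdev->dev);
Analysis:
Recommendation:
6. Media driver changes
6.1 LED driver (leds-lp50xx.c)
Issue: LED control logic improvement
+static int lp50xx_enable(struct lp50xx *priv)
+{
+ // ...
+}
+
+static int lp50xx_disable(struct lp50xx *priv)
+{
+ // ...
+}
Analysis:
Recommendation:
7. Other changes
7.1 KASAN memory checking (kasan.h)
Issue: added
+static __always_inline void
+kasan_unpoison_vmap_areas(struct vm_struct **vms, int nr_vms,
+ kasan_vmalloc_flags_t flags)
+{ }
Analysis:
Recommendation:
III. General recommendations
IV. Specific improvement suggestions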
if (dm->length >= 0x30 && loongson_sysconf.cores_per_package == 0xff) {
	/* SMBIOS 3.0+ has ThreadCount2 for more than 255 threads */
	if (dm->length < SMBIOS_THREAD_PACKAGE_2_OFFSET + sizeof(u16)) {
		pr_warn("SMBIOS table too short for ThreadCount2\n");
		loongson_sysconf.cores_per_package = 0; /* Use default */
	} else {
		loongson_sysconf.cores_per_package =
			*(u16 *)(dmi_data + SMBIOS_THREAD_PACKAGE_2_OFFSET);
		/* Validate the read value */
		if (loongson_sysconf.cores_per_package == 0 ||
		    loongson_sysconf.cores_per_package > 1024) {
			pr_warn("Invalid ThreadCount2 value: %u\n",
				loongson_sysconf.cores_per_package);
			loongson_sysconf.cores_per_package = 0; /* Use default */
		}
	}
}

/*
 * SLB preloading has been removed because:
 * 1. Modern hardware handles SLB misses efficiently
 * 2. The complexity of maintaining preload cache outweighs benefits
 * 3. Performance testing showed negligible impact on most workloads
 */

/*
 * Using kzalloc instead of devm_kzalloc because:
 * 1. Device may be unbound before probe completes
 * 2. Manual free allows better control over cleanup order
 * 3. Consistent with other error handling paths
 */
data = kzalloc(sizeof(*data), GFP_KERNEL);

V. Conclusion
Overall, these code changes are correct; they mainly improve device tree configuration, memory management, and driver error handling. Most of the changes follow good coding practice, but some could carry more comments and documentation to improve maintainability. Thorough testing is recommended before merging, especially performance and stability testing, to ensure the changes do not introduce new problems.
Pull request overview
This pull request is part 6 of 8 for updating the Linux kernel base to version 6.6.120. It contains 100 upstream commits addressing various bug fixes, memory leaks, device reference leaks, and other critical issues across multiple kernel subsystems.
Changes:
- Fixes critical bugs including array indexing errors, incorrect conditional logic, and buffer overflow issues
- Addresses resource leaks (memory, device references, OF nodes) across multiple drivers
- Corrects hardware-specific issues in networking, media, IOMMU, and platform drivers
Reviewed changes
Copilot reviewed 105 out of 105 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| tools/testing/selftests/net/tap.c | Fixes buffer overflow by including null terminator in string size calculation |
| tools/testing/selftests/ftrace/func_traceonoff_triggers.tc | Strips process names from trace output to handle cache-only name storage |
| tools/testing/radix-tree/idr-test.c | Adds test case for IDR allocation with invalid range |
| sound/soc/stm/stm32_sai*.c | Fixes device and OF node leaks on error paths |
| sound/soc/qcom/qdsp6/*.c | Corrects COPP device management and hardware constraints |
| net/rose/af_rose.c | Fixes critical array indexing bug using 'i' instead of 'cnt' |
| net/openvswitch/vport-netdev.c | Avoids taking RTNL lock unnecessarily on vport destroy |
| net/ipv6/*.c | Fixes skb expansion and calipso attribute issues |
| net/ipv4/fib_trie.c | Corrects error route handling with nexthop objects |
| net/bridge/br_private.h | Adds missing documentation for tunnel_hash member |
| mm/vmalloc.c, mm/kasan/common.c | Refactors pcpu kasan vmalloc unpoisoning |
| lib/idr.c | Fixes IDR allocation returning out-of-range IDs |
| include/linux/*.h | Adds auto macro and new KASAN functions |
| fs/smb/server/smb2pdu.c | Fixes memory leak in get_file_all_info |
| fs/ntfs3/frecord.c | Prevents overwriting uptodate pages |
| drivers/video/fbdev/*.c | Fixes physical address usage and timing calculations |
| drivers/platform/x86/*.c | Fixes array bounds checking and EBDA signature search |
| drivers/pci/pci-driver.c | Reinstates state_saved clearing in legacy paths |
| drivers/net/usb/*.c | Fixes memory leaks and PHY address validation |
| drivers/net/team/team.c | Corrects inverted conditional logic |
| drivers/net/mdio/mdio-aspeed.c | Adds dummy read for read-after-write issue |
| drivers/net/ethernet/*/*.c | Various fixes for XDP, RSS, IRQ context, and device resets |
| drivers/net/dsa/b53/b53_common.c | Skips multicast entries for fdb_dump |
| drivers/mfd/*.c | Fixes device leaks and IRQ chip conflicts |
| drivers/media/*/*.c | Removes redundant cancel_delayed_work, fixes leaks and bounds checks |
| drivers/leds/leds-lp50xx.c | Enables chip before communication and fixes bank configuration |
| drivers/md/*.c | Fixes buffer dirty marking and write boundary alignment |
| drivers/iommu/*/*.c | Fixes device leaks across multiple IOMMU drivers |
| drivers/infiniband/*/*.c | Fixes conditional logic, BAR checks, and DMA handling |
| drivers/hid/hid-logitech-dj.c | Consolidates error logging and removes duplicate messages |
| drivers/firmware/stratix10-svc.c | Adds mutex protection for multi-client operations |
| drivers/firewire/nosy.c | Fixes DMA buffer size mismatch |
| drivers/clk/samsung/clk-exynos-clkout.c | Assigns .num before accessing .hws array |
| drivers/bluetooth/btusb.c | Reverts use of devm_kzalloc to fix resource management |
| crypto/seqiv.c | Fixes req->iv usage after crypto_aead_encrypt |
| block/blk-mq.c | Avoids scheduling block kworker on isolated/unmapped CPUs |
| arch/powerpc/*/*.c | Fixes mprotect, SLB multihit, and TLB flush issues |
| arch/parisc/kernel/*.c | Fixes space adjustment for 64-bit userspace |
| arch/loongarch/*/*.c | Corrects thread count calculation and swap entry conversions |
| arch/arm64/boot/dts/ti/k3-j721e-sk.dts | Fixes pinmux for power regulator pin |
Due to github limit, submit part 6/8 of v6.6.120.
Handle:
LoongArch: Correct the calculation logic of thread_count
git log --oneline v6.6.120~235..v6.6.120~135 | wc
100 877 7163
Alice C. Munduruca (1):
selftests: net: fix "buffer overflow detected" for tap.c
Alok Tiwari (2):
RDMA/bnxt_re: Fix incorrect BAR check in bnxt_qplib_map_creq_db()
RDMA/bnxt_re: Fix IB_SEND_IP_CSUM handling in post_send
Andrew Morton (1):
genalloc.h: fix htmldocs warning
Anshumali Gaur (1):
octeontx2-pf: fix "UBSAN: shift-out-of-bounds error"
Bagas Sanjaya (1):
net: bridge: Describe @tunnel_hash member in net_bridge_vlan_group
struct
Christian Hitz (3):
leds: leds-lp50xx: Allow LED 0 to be added to module bank
leds: leds-lp50xx: LP5009 supports 3 modules for a total of 9 LEDs
leds: leds-lp50xx: Enable chip before any communication
Cong Zhang (1):
blk-mq: skip CPU offline notify on unmapped hctx
Dave Vasilevsky (1):
powerpc, mm: Fix mprotect on book3s 32-bit
David Hildenbrand (1):
powerpc/pseries/cmm: call balloon_devinfo_init() also without
CONFIG_BALLOON_COMPACTION
Deepakkumar Karn (1):
net: usb: rtl8150: fix memory leak on usb_submit_urb() failure
Deepanshu Kartikey (1):
net: usb: asix: validate PHY address before use
Donet Tom (1):
powerpc/64s/slb: Fix SLB multihit issue during SLB preload
Duoming Zhou (3):
media: TDA1997x: Remove redundant cancel_delayed_work in probe
media: i2c: ADV7604: Remove redundant cancel_delayed_work in probe
media: i2c: adv7842: Remove redundant cancel_delayed_work in probe
Eric Dumazet (1):
ip6_gre: make ip6gre_header() robust
H. Peter Anvin (1):
compiler_types.h: add "auto" as a macro for "__auto_type"
Hans de Goede (1):
HID: logitech-dj: Remove duplicate error logging
Haotian Zhang (3):
media: rc: st_rc: Fix reset control resource leak
media: cec: Fix debugfs leak on bus_register() failure
media: videobuf2: Fix device reference leak in vb2_dc_alloc error path
Haoxiang Li (1):
media: mediatek: vcodec: Fix a reference leak in
mtk_vcodec_fw_vpu_init()
Herbert Xu (1):
crypto: seqiv - Do not use req->iv after crypto_aead_encrypt
Honggang LI (1):
RDMA/rtrs: Fix clt_path::max_pages_per_mr calculation
Huacai Chen (2):
LoongArch: Add new PCI ID for pci_fixup_vgadev()
LoongArch: Fix build errors for CONFIG_RANDSTRUCT
Ido Schimmel (1):
ipv4: Fix reference count leak when using error routes with nexthop
objects
Ivan Abramov (2):
media: adv7842: Avoid possible out-of-bounds array accesses in
adv7842_cp_log_status()
media: msp3400: Avoid possible out-of-bounds array accesses in
msp3400c_thread()
Jacky Chou (1):
net: mdio: aspeed: add dummy read to avoid read-after-write issue
Jang Ingyu (1):
RDMA/core: Fix logic error in ib_get_gids_from_rdma_hdr()
Jinhui Guo (1):
iommu/amd: Fix pci_segment memleak in alloc_pci_segment()
Jiri Pirko (1):
team: fix check for port enabled in
team_queue_override_port_prio_changed()
Johan Hovold (16):
ASoC: stm32: sai: fix device leak on probe
ASoC: stm32: sai: fix clk prepare imbalance on probe failure
ASoC: stm32: sai: fix OF node leak on probe
iommu/apple-dart: fix device leak on of_xlate()
iommu/exynos: fix device leak on of_xlate()
iommu/ipmmu-vmsa: fix device leak on of_xlate()
iommu/mediatek-v1: fix device leak on probe_device()
iommu/mediatek-v1: fix device leaks on probe()
iommu/mediatek: fix device leak on of_xlate()
iommu/omap: fix device leaks on probe_device()
iommu/qcom: fix device leak on of_xlate()
iommu/sun50i: fix device leak on of_xlate()
iommu/tegra: fix device leak on probe_device()
mfd: altera-sysmgr: Fix device leak on sysmgr regmap lookup
media: vpif_capture: fix section mismatch
media: vpif_display: fix section mismatch
Jonas Gorski (1):
net: dsa: b53: skip multicast entries for fdb_dump()
Junrui Luo (2):
platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic
platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI
package parsing
Kalesh AP (1):
RDMA/bnxt_re: Fix to use correct page size for PDE table
Kohei Enju (1):
iavf: fix off-by-one issues in iavf_config_rss_reg()
Krzysztof Kozlowski (1):
mfd: max77620: Fix potential IRQ chip conflict when probing two
devices
Lu Baolu (1):
iommu: disable SVA when CONFIG_X86 is set
Lukas Wunner (1):
PCI/PM: Reinstate clearing state_saved in legacy and !PM codepaths
Maciej Wieczor-Retman (1):
kasan: refactor pcpu kasan vmalloc unpoison
Mahesh Rao (1):
firmware: stratix10-svc: Add mutex in stratix10 memory management
Marek Szyprowski (1):
media: samsung: exynos4-is: fix potential ABBA deadlock on init
Matthew Wilcox (Oracle) (2):
ntfs: Do not overwrite uptodate pages
idr: fix idr_alloc() returning an ID out of range
Miaoqian Lin (1):
media: renesas: rcar_drif: fix device node reference leak in
rcar_drif_bond_enabled
Michael Margolin (1):
RDMA/efa: Remove possible negative shift
Michal Schmidt (1):
RDMA/irdma: avoid invalid read in irdma_net_event
Mikulas Patocka (1):
dm-bufio: align write boundary on physical block size
Ming Lei (1):
blk-mq: don't schedule block kworker on isolated CPUs
Ming Qian (1):
media: amphion: Cancel message work before releasing the VPU core
Nathan Chancellor (1):
clk: samsung: exynos-clkout: Assign .num before accessing .hws
Nicolas Dufresne (1):
media: verisilicon: Protect G2 HEVC decoder against invalid DPB index
Przemyslaw Korba (1):
i40e: fix scheduling in set_rx_mode
Pwnverse (1):
net: rose: fix invalid array index in rose_kill_by_device()
Qiang Ma (1):
LoongArch: Correct the calculation logic of thread_count
Raju Rangoju (1):
amd-xgbe: reset retries and mode on RX adapt failures
Raphael Pinsonneault-Thibeault (1):
Bluetooth: btusb: revert use of devm_kzalloc in btusb
Rene Rebe (1):
fbdev: gbefb: fix to use physical address instead of dma address
René Rebe (1):
fbdev: tcx.c fix mem_map to correct smem_start offset
Siddharth Vadapalli (1):
arm64: dts: ti: k3-j721e-sk: Fix pinmux for pin Y1 used by power
regulator
Srinivas Kandagatla (4):
ASoC: qcom: q6apm-dai: set flags to reflect correct operation of
appl_ptr
ASoC: qcom: q6asm-dai: perform correct state check before closing
ASoC: qcom: q6adm: the the copp device only during last instance
ASoC: qcom: qdsp6: q6asm-dai: set 10 ms period and buffer alignment.
Sven Schnelle (2):
parisc: entry.S: fix space adjustment on interruption for 64-bit
userspace
parisc: entry: set W bit for !compat tasks in syscall_restore_rfi()
Thomas Fourier (3):
platform/x86: msi-laptop: add missing sysfs_remove_group()
firewire: nosy: Fix dma_free_coherent() size
RDMA/bnxt_re: fix dma_free_coherent() pointer
Thorsten Blum (1):
fbdev: pxafb: Fix multiple clamped values in pxafb_adjust_timing
Tiezhu Yang (1):
LoongArch: Use unsigned long for _end and _text
Toke Høiland-Jørgensen (1):
net: openvswitch: Avoid needlessly taking the RTNL on vport destroy
Uladzislau Rezki (Sony) (1):
dm-ebs: Mark full buffer dirty even on partial write
WangYuli (1):
LoongArch: Use __pmd()/__pte() for swap entry conversions
Wei Fang (1):
net: stmmac: fix the crash issue for zero copy XDP_TX action
Will Rosenberg (1):
ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()
Yeoreum Yun (1):
smc91x: fix broken irq-context in PREEMPT_RT
Yipeng Zou (1):
selftests/ftrace: traceonoff_triggers: strip off names
Zilin Guan (1):
ksmbd: Fix memory leak in get_file_all_info()
arch/arm64/boot/dts/ti/k3-j721e-sk.dts | 12 +-
arch/loongarch/include/asm/pgtable.h | 4 +-
arch/loongarch/kernel/relocate.c | 4 +-
arch/loongarch/kernel/setup.c | 8 +-
arch/loongarch/kernel/switch.S | 4 +-
arch/loongarch/pci/pci.c | 2 +
arch/parisc/kernel/asm-offsets.c | 2 +
arch/parisc/kernel/entry.S | 16 +-
arch/powerpc/include/asm/book3s/32/tlbflush.h | 5 +-
arch/powerpc/include/asm/book3s/64/mmu-hash.h | 1 -
arch/powerpc/kernel/process.c | 5 -
arch/powerpc/mm/book3s32/tlb.c | 9 ++
arch/powerpc/mm/book3s64/internal.h | 2 -
arch/powerpc/mm/book3s64/mmu_context.c | 2 -
arch/powerpc/mm/book3s64/slb.c | 88 -----------
arch/powerpc/platforms/pseries/cmm.c | 2 +-
block/blk-mq.c | 57 +++++--
crypto/seqiv.c | 8 +-
drivers/bluetooth/btusb.c | 12 +-
drivers/clk/samsung/clk-exynos-clkout.c | 2 +-
drivers/firewire/nosy.c | 10 +-
drivers/firmware/stratix10-svc.c | 11 ++
drivers/hid/hid-logitech-dj.c | 56 +++----
drivers/infiniband/core/verbs.c | 2 +-
drivers/infiniband/hw/bnxt_re/ib_verbs.c | 7 +-
drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 +-
drivers/infiniband/hw/bnxt_re/qplib_res.c | 8 +-
drivers/infiniband/hw/efa/efa_verbs.c | 4 -
drivers/infiniband/hw/irdma/utils.c | 3 +-
drivers/infiniband/ulp/rtrs/rtrs-clt.c | 1 +
drivers/iommu/amd/init.c | 15 +-
drivers/iommu/apple-dart.c | 2 +
drivers/iommu/arm/arm-smmu/qcom_iommu.c | 10 +-
drivers/iommu/exynos-iommu.c | 9 +-
drivers/iommu/iommu-sva.c | 3 +
drivers/iommu/ipmmu-vmsa.c | 2 +
drivers/iommu/mtk_iommu.c | 2 +
drivers/iommu/mtk_iommu_v1.c | 25 ++-
drivers/iommu/omap-iommu.c | 2 +-
drivers/iommu/omap-iommu.h | 2 -
drivers/iommu/sun50i-iommu.c | 2 +
drivers/iommu/tegra-smmu.c | 5 +-
drivers/leds/leds-lp50xx.c | 67 +++++---
drivers/md/dm-bufio.c | 10 +-
drivers/md/dm-ebs-target.c | 2 +-
drivers/media/cec/core/cec-core.c | 1 +
.../common/videobuf2/videobuf2-dma-contig.c | 1 +
drivers/media/i2c/adv7604.c | 4 +-
drivers/media/i2c/adv7842.c | 11 +-
drivers/media/i2c/msp3400-kthreads.c | 2 +
drivers/media/i2c/tda1997x.c | 1 -
drivers/media/platform/amphion/vpu_v4l2.c | 6 +-
.../vcodec/common/mtk_vcodec_fw_vpu.c | 4 +-
drivers/media/platform/renesas/rcar_drif.c | 1 +
.../platform/samsung/exynos4-is/media-dev.c | 10 +-
.../media/platform/ti/davinci/vpif_capture.c | 4 +-
.../media/platform/ti/davinci/vpif_display.c | 4 +-
.../platform/verisilicon/hantro_g2_hevc_dec.c | 15 +-
drivers/media/rc/st_rc.c | 2 +-
drivers/mfd/altera-sysmgr.c | 2 +
drivers/mfd/max77620.c | 15 +-
drivers/net/dsa/b53/b53_common.c | 3 +
drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 2 +
drivers/net/ethernet/intel/i40e/i40e_main.c | 1 +
drivers/net/ethernet/intel/iavf/iavf_main.c | 4 +-
.../marvell/octeontx2/nic/otx2_ethtool.c | 8 +
drivers/net/ethernet/smsc/smc91x.c | 10 +-
.../net/ethernet/stmicro/stmmac/stmmac_main.c | 17 +-
drivers/net/mdio/mdio-aspeed.c | 7 +
drivers/net/team/team.c | 2 +-
drivers/net/usb/asix_common.c | 5 +
drivers/net/usb/rtl8150.c | 2 +
drivers/pci/pci-driver.c | 4 +
.../x86/hp/hp-bioscfg/enum-attributes.c | 4 +-
.../x86/hp/hp-bioscfg/int-attributes.c | 2 +-
.../x86/hp/hp-bioscfg/order-list-attributes.c | 5 +
.../x86/hp/hp-bioscfg/passwdobj-attributes.c | 5 +
.../x86/hp/hp-bioscfg/string-attributes.c | 2 +-
drivers/platform/x86/ibm_rtl.c | 2 +-
drivers/platform/x86/msi-laptop.c | 3 +
drivers/video/fbdev/gbefb.c | 5 +-
drivers/video/fbdev/pxafb.c | 12 +-
drivers/video/fbdev/tcx.c | 2 +-
fs/ntfs3/frecord.c | 35 ++++-
fs/smb/server/smb2pdu.c | 4 +-
include/linux/compiler_types.h | 13 ++
include/linux/genalloc.h | 1 +
include/linux/kasan.h | 15 ++
lib/idr.c | 2 +
mm/kasan/common.c | 17 ++
mm/vmalloc.c | 4 +-
net/bridge/br_private.h | 1 +
net/ipv4/fib_trie.c | 7 +-
net/ipv6/calipso.c | 3 +-
net/ipv6/ip6_gre.c | 9 +-
net/openvswitch/vport-netdev.c | 17 +-
net/rose/af_rose.c | 2 +-
sound/soc/qcom/qdsp6/q6adm.c | 146 +++++++++---------
sound/soc/qcom/qdsp6/q6apm-dai.c | 2 +
sound/soc/qcom/qdsp6/q6asm-dai.c | 7 +-
sound/soc/stm/stm32_sai.c | 14 +-
sound/soc/stm/stm32_sai_sub.c | 51 ++++--
tools/testing/radix-tree/idr-test.c | 21 +++
.../test.d/ftrace/func_traceonoff_triggers.tc | 5 +-
tools/testing/selftests/net/tap.c | 16 +-
105 files changed, 655 insertions(+), 434 deletions(-)