Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=linux-7.1.y 2026-04-07T07:00:26+00:00 2026-04-07T07:00:26+00:00 Rosen Penev rosenp@gmail.com 2026-04-01T21:47:26+00:00 urn:sha1:498c05821bb42f70e9bf6512c3dec4aa821815d0 Use a flexible array member and kzalloc_flex to combine allocations. Add __counted_by for extra runtime analysis. Move counting variable assignment after allocation. kzalloc_flex with GCC >= 15 does this automatically. Signed-off-by: Rosen Penev <rosenp@gmail.com> Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com> 2026-02-22T01:09:51+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-02-22T00:37:42+00:00 urn:sha1:bf4afc53b77aeaa48b5409da5c8da6bb4eff7f43 This was done entirely with mindless brute force, using git grep -l '\<k[vmz]*alloc_objs*(.*, GFP_KERNEL)' | xargs sed -i 's/\(alloc_objs*(.*\), GFP_KERNEL)/\1)/' to convert the new alloc_obj() users that had a simple GFP_KERNEL argument to just drop that argument. Note that due to the extreme simplicity of the scripting, any slightly more complex cases spread over multiple lines would not be triggered: they definitely exist, but this covers the vast bulk of the cases, and the resulting diff is also then easier to check automatically. For the same reason the 'flex' versions will be done as a separate conversion. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2026-02-21T09:02:28+00:00 Kees Cook kees@kernel.org 2026-02-21T07:49:23+00:00 urn:sha1:69050f8d6d075dc01af7a5f2f550a8067510366f This is the result of running the Coccinelle script from scripts/coccinelle/api/kmalloc_objs.cocci. The script is designed to avoid scalar types (which need careful case-by-case checking), and instead replace kmalloc-family calls that allocate struct or union object instances: Single allocations: kmalloc(sizeof(TYPE), ...) are replaced with: kmalloc_obj(TYPE, ...) Array allocations: kmalloc_array(COUNT, sizeof(TYPE), ...) are replaced with: kmalloc_objs(TYPE, COUNT, ...) Flex array allocations: kmalloc(struct_size(PTR, FAM, COUNT), ...) are replaced with: kmalloc_flex(*PTR, FAM, COUNT, ...) (where TYPE may also be *VAR) The resulting allocations no longer return "void *", instead returning "TYPE *". Signed-off-by: Kees Cook <kees@kernel.org> 2025-11-17T07:24:24+00:00 Alan Borzeszkowski alan.borzeszkowski@linux.intel.com 2025-09-02T14:38:47+00:00 urn:sha1:c3d53000d2a59c0922615aa10e97161a28a094f2 Fix typos in tunnel.c. No functional changes. Signed-off-by: Alan Borzeszkowski <alan.borzeszkowski@linux.intel.com> Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com> 2025-09-23T15:16:38+00:00 Duoming Zhou duoming@zju.edu.cn 2025-09-23T05:13:57+00:00 urn:sha1:67600ccfc4f38ebd331b9332ac94717bfbc87ea7 The original code relies on cancel_delayed_work() in tb_dp_dprx_stop(), which does not ensure that the delayed work item tunnel->dprx_work has fully completed if it was already running. This leads to use-after-free scenarios where tb_tunnel is deallocated by tb_tunnel_put(), while tunnel->dprx_work remains active and attempts to dereference tb_tunnel in tb_dp_dprx_work(). A typical race condition is illustrated below: CPU 0 | CPU 1 tb_dp_tunnel_active() | tb_deactivate_and_free_tunnel()| tb_dp_dprx_start() tb_tunnel_deactivate() | queue_delayed_work() tb_dp_activate() | tb_dp_dprx_stop() | tb_dp_dprx_work() //delayed worker cancel_delayed_work() | tb_tunnel_put(tunnel); | | tunnel = container_of(...); //UAF | tunnel-> //UAF Replacing cancel_delayed_work() with cancel_delayed_work_sync() is not feasible as it would introduce a deadlock: both tb_dp_dprx_work() and the cleanup path acquire tb->lock, and cancel_delayed_work_sync() would wait indefinitely for the work item that cannot proceed. Instead, implement proper reference counting: - If cancel_delayed_work() returns true (work is pending), we release the reference in the stop function. - If it returns false (work is executing or already completed), the reference is released in delayed work function itself. This ensures the tb_tunnel remains valid during work item execution while preventing memory leaks. This bug was found by static analysis. Fixes: d6d458d42e1e ("thunderbolt: Handle DisplayPort tunnel activation asynchronously") Cc: stable@vger.kernel.org Signed-off-by: Duoming Zhou <duoming@zju.edu.cn> Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com> 2025-09-17T05:33:00+00:00 Alan Borzeszkowski alan.borzeszkowski@linux.intel.com 2025-08-27T11:56:41+00:00 urn:sha1:6f3ed985b7d1e4950f1f63139f32a7d889e4aaee Make tunnel.c function documentation compliant with current kernel-doc standards. No functional changes. Signed-off-by: Alan Borzeszkowski <alan.borzeszkowski@linux.intel.com> Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com> 2025-04-24T05:24:39+00:00 Alan Borzeszkowski alan.borzeszkowski@linux.intel.com 2025-01-21T17:46:21+00:00 urn:sha1:785da9e6a1bd9e00d7494e37cbca2f66e48375b8 This adds notification whenever software connection manager activates, changes or deactivates a tunnel, and also if there is limitation in bandwidth. The notification looks like below: TUNNEL_EVENT=activated|changed|deactivated|low bandwidth| insufficient bandwidth TUNNEL_DETAILS=0:12 <-> 1:20 (USB3) Userspace can then listen these and inform user if needed. For example if there is not enough bandwidth, it can show warning dialog to the user. Signed-off-by: Alan Borzeszkowski <alan.borzeszkowski@linux.intel.com> Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com> 2025-04-03T01:23:31+00:00 Linus Torvalds torvalds@linux-foundation.org 2025-04-03T01:23:31+00:00 urn:sha1:a1b5bd45d4ee58af4f56e49497b8c3db96d8f8a3 Pull USB / Thunderbolt updates from Greg KH: "Here is the big set of USB and Thunderbolt driver updates for 6.15-rc1. Included in here are: - Thunderbolt driver and core api updates for new hardware and features - usb-storage const array cleanups - typec driver updates - dwc3 driver updates - xhci driver updates and bugfixes - small USB documentation updates - usb cdns3 driver updates - usb gadget driver updates - other small driver updates and fixes All of these have been in linux-next for a while with no reported issues" * tag 'usb-6.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (92 commits) thunderbolt: Do not add non-active NVM if NVM upgrade is disabled for retimer thunderbolt: Scan retimers after device router has been enumerated usb: host: cdns3: forward lost power information to xhci usb: host: xhci-plat: allow upper layers to signal power loss usb: xhci: change xhci_resume() parameters to explicit the desired info usb: cdns3-ti: run HW init at resume() if HW was reset usb: cdns3-ti: move reg writes to separate function usb: cdns3: call cdns_power_is_lost() only once in cdns_resume() usb: cdns3: rename hibernated argument of role->resume() to lost_power usb: xhci: tegra: rename `runtime` boolean to `is_auto_runtime` usb: host: xhci-plat: mvebu: use ->quirks instead of ->init_quirk() func usb: dwc3: Don't use %pK through printk usb: core: Don't use %pK through printk usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev() dt-bindings: usb: qcom,dwc3: Synchronize minItems for interrupts and -names usb: common: usb-conn-gpio: switch psy_cfg from of_node to fwnode usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems Running usb: xhci: Don't change the status of stalled TDs on failed Stop EP xhci: Avoid queuing redundant Stop Endpoint command for stalled endpoint xhci: Handle spurious events on Etron host isoc enpoints ... 2025-03-07T12:00:58+00:00 Mika Westerberg mika.westerberg@linux.intel.com 2025-03-03T17:40:29+00:00 urn:sha1:502843396ec2a3eb4f58a2e4618a4a85fc5e0f46 Kenneth noticed that his laptop crashes randomly when resuming from hibernate if there is device connected and display tunneled. I was able to reproduce this as well with the following steps: 1. Boot the system up, nothing connected. 2. Connect Thunderbolt 4 dock to the host. 3. Connect monitor to the Thunderbolt 4 dock. 4. Verify that there is picture on the screen. 5. Enter hibernate. 6. Exit hibernate. 7. Wait for the system to resume. Expectation: System resumes just fine, the connected monitor still shows screen. Actual result: There is crash during resume, screen is blank. What happens is that during resume from hibernate we tear down any existing tunnels created by the boot kernel and this ends up calling tb_dp_dprx_stop() which calls tb_tunnel_put() dropping the reference count to zero even though we never called tb_dp_dprx_start() for it (we never do that for discovery). This makes the discovered DP tunnel memory to be released and any access after that causes use-after-free and possible crash. Fix this so that we only stop DPRX flow if it has been started in the first place. Reported-by: Kenneth Crudup <kenny@panix.com> Closes: https://lore.kernel.org/linux-usb/8e175721-806f-45d6-892a-bd3356af80c9@panix.com/ Cc: stable@vger.kernel.org Fixes: d6d458d42e1e ("thunderbolt: Handle DisplayPort tunnel activation asynchronously") Reviewed-by: Yehezkel Bernat <YehezkelShB@gmail.com> Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com> 2025-02-24T07:36:47+00:00 Alan Borzeszkowski alan.borzeszkowski@linux.intel.com 2025-01-21T18:04:01+00:00 urn:sha1:72cef52b353cc693d71ad37d80237d975f9951d9 Make the tb_tunnel_alloc_usb3() error codepaths consistent with the DisplayPort and PCIe counterparts. No functional changes. Signed-off-by: Alan Borzeszkowski <alan.borzeszkowski@linux.intel.com> Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>