October 2020 - Linux-stable-mirror

[PATCH] x86/mpx: fix recursive munmap() corruption

by Dave Hansen

This is a bit of a mess, to put it mildly. But, it's a bug that seems to have gone unticked up to now, probably because nobody uses MPX. The other alternative to this fix is to just deprecate MPX, even in -stable kernels. MPX has the arch_unmap() hook inside of munmap() because MPX uses bounds tables that protect other areas of memory. When memory is unmapped, there is also a need to unmap the MPX bounds tables. Barring this, unused bounds tables can eat 80% of the address space. But, the recursive do_munmap() that gets called vi arch_unmap() wreaks havoc with __do_munmap()'s state. It can result in freeing populated page tables, accessing bogus VMA state, double-freed VMAs and more. To fix this, call arch_unmap() before __do_unmap() has a chance to do anything meaningful. Also, remove the 'vma' argument and force the MPX code to do its own, independent VMA lookup. For the common success case this is functionally identical to what was there before. For the munmap() failure case, it's possible that some MPX tables will be zapped for memory that continues to be in use. But, this is an extraordinarily unlikely scenario and the harm would be that MPX provides no protection since the bounds table got reset (zeroed). I can't imagine anyone doing this: ptr = mmap(); // use ptr ret = munmap(ptr); if (ret) // oh, there was an error, I'll // keep using ptr. Because if you're doing munmap(), you are *done* with the memory. There's probably no good data in there _anyway_. This passes the original reproducer from Richard Biener as well as the existing mpx selftests/. ==== The long story: munmap() has a couple of pieces: 1. Find the affected VMA(s) 2. Split the start/end one(s) if neceesary 3. Pull the VMAs out of the rbtree 4. Actually zap the memory via unmap_region(), including freeing page tables (or queueing them to be freed). 5. Fixup some of the accounting (like fput()) and actually free the VMA itself. I decided to put the arch_unmap() call right afer #3. This was *just* before mmap_sem looked like it might get downgraded (it won't in this context), but it looked right. It wasn't. Richard Biener reported a test that shows this in dmesg: [1216548.787498] BUG: Bad rss-counter state mm:0000000017ce560b idx:1 val:551 [1216548.787500] BUG: non-zero pgtables_bytes on freeing mm: 24576 What triggered this was the recursive do_munmap() called via arch_unmap(). It was freeing page tables that has not been properly zapped. But, the problem was bigger than this. For one, arch_unmap() can free VMAs. But, the calling __do_munmap() has variables that *point* to VMAs and obviously can't handle them just getting freed while the pointer is still valid. I tried a couple of things here. First, I tried to fix the page table freeing problem in isolation, but I then found the VMA issue. I also tried having the MPX code return a flag if it modified the rbtree which would force __do_munmap() to re-walk to restart. That spiralled out of control in complexity pretty fast. Just moving arch_unmap() and accepting that the bonkers failure case might eat some bounds tables seems like the simplest viable fix. Reported-by: Richard Biener <rguenther(a)suse.de> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Andy Lutomirski <luto(a)amacapital.net> Cc: x86(a)kernel.org Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: linux-kernel(a)vger.kernel.org Cc: linux-mm(a)kvack.org Cc: stable(a)vger.kernel.org --- b/arch/x86/include/asm/mmu_context.h | 6 +++--- b/arch/x86/include/asm/mpx.h | 5 ++--- b/arch/x86/mm/mpx.c | 10 ++++++---- b/include/asm-generic/mm_hooks.h | 1 - b/mm/mmap.c | 15 ++++++++------- 5 files changed, 19 insertions(+), 18 deletions(-) diff -puN mm/mmap.c~mpx-rss-pass-no-vma mm/mmap.c --- a/mm/mmap.c~mpx-rss-pass-no-vma 2019-04-01 06:56:53.409411123 -0700 +++ b/mm/mmap.c 2019-04-01 06:56:53.423411123 -0700 @@ -2731,9 +2731,17 @@ int __do_munmap(struct mm_struct *mm, un return -EINVAL; len = PAGE_ALIGN(len); + end = start + len; if (len == 0) return -EINVAL; + /* + * arch_unmap() might do unmaps itself. It must be called + * and finish any rbtree manipulation before this code + * runs and also starts to manipulate the rbtree. + */ + arch_unmap(mm, start, end); + /* Find the first overlapping VMA */ vma = find_vma(mm, start); if (!vma) @@ -2742,7 +2750,6 @@ int __do_munmap(struct mm_struct *mm, un /* we have start < vma->vm_end */ /* if it doesn't overlap, we have nothing.. */ - end = start + len; if (vma->vm_start >= end) return 0; @@ -2812,12 +2819,6 @@ int __do_munmap(struct mm_struct *mm, un /* Detach vmas from rbtree */ detach_vmas_to_be_unmapped(mm, vma, prev, end); - /* - * mpx unmap needs to be called with mmap_sem held for write. - * It is safe to call it before unmap_region(). - */ - arch_unmap(mm, vma, start, end); - if (downgrade) downgrade_write(&mm->mmap_sem); diff -puN arch/x86/include/asm/mmu_context.h~mpx-rss-pass-no-vma arch/x86/include/asm/mmu_context.h --- a/arch/x86/include/asm/mmu_context.h~mpx-rss-pass-no-vma 2019-04-01 06:56:53.412411123 -0700 +++ b/arch/x86/include/asm/mmu_context.h 2019-04-01 06:56:53.423411123 -0700 @@ -277,8 +277,8 @@ static inline void arch_bprm_mm_init(str mpx_mm_init(mm); } -static inline void arch_unmap(struct mm_struct *mm, struct vm_area_struct *vma, - unsigned long start, unsigned long end) +static inline void arch_unmap(struct mm_struct *mm, unsigned long start, + unsigned long end) { /* * mpx_notify_unmap() goes and reads a rarely-hot @@ -298,7 +298,7 @@ static inline void arch_unmap(struct mm_ * consistently wrong. */ if (unlikely(cpu_feature_enabled(X86_FEATURE_MPX))) - mpx_notify_unmap(mm, vma, start, end); + mpx_notify_unmap(mm, start, end); } /* diff -puN include/asm-generic/mm_hooks.h~mpx-rss-pass-no-vma include/asm-generic/mm_hooks.h --- a/include/asm-generic/mm_hooks.h~mpx-rss-pass-no-vma 2019-04-01 06:56:53.414411123 -0700 +++ b/include/asm-generic/mm_hooks.h 2019-04-01 06:56:53.423411123 -0700 @@ -18,7 +18,6 @@ static inline void arch_exit_mmap(struct } static inline void arch_unmap(struct mm_struct *mm, - struct vm_area_struct *vma, unsigned long start, unsigned long end) { } diff -puN arch/x86/mm/mpx.c~mpx-rss-pass-no-vma arch/x86/mm/mpx.c --- a/arch/x86/mm/mpx.c~mpx-rss-pass-no-vma 2019-04-01 06:56:53.416411123 -0700 +++ b/arch/x86/mm/mpx.c 2019-04-01 06:56:53.423411123 -0700 @@ -881,9 +881,10 @@ static int mpx_unmap_tables(struct mm_st * the virtual address region start...end have already been split if * necessary, and the 'vma' is the first vma in this range (start -> end). */ -void mpx_notify_unmap(struct mm_struct *mm, struct vm_area_struct *vma, - unsigned long start, unsigned long end) +void mpx_notify_unmap(struct mm_struct *mm, unsigned long start, + unsigned long end) { + struct vm_area_struct *vma; int ret; /* @@ -902,11 +903,12 @@ void mpx_notify_unmap(struct mm_struct * * which should not occur normally. Being strict about it here * helps ensure that we do not have an exploitable stack overflow. */ - do { + vma = find_vma(mm, start); + while (vma && vma->vm_start < end) { if (vma->vm_flags & VM_MPX) return; vma = vma->vm_next; - } while (vma && vma->vm_start < end); + } ret = mpx_unmap_tables(mm, start, end); if (ret) diff -puN arch/x86/include/asm/mpx.h~mpx-rss-pass-no-vma arch/x86/include/asm/mpx.h --- a/arch/x86/include/asm/mpx.h~mpx-rss-pass-no-vma 2019-04-01 06:56:53.418411123 -0700 +++ b/arch/x86/include/asm/mpx.h 2019-04-01 06:56:53.424411123 -0700 @@ -78,8 +78,8 @@ static inline void mpx_mm_init(struct mm */ mm->context.bd_addr = MPX_INVALID_BOUNDS_DIR; } -void mpx_notify_unmap(struct mm_struct *mm, struct vm_area_struct *vma, - unsigned long start, unsigned long end); +void mpx_notify_unmap(struct mm_struct *mm, unsigned long start, + unsigned long end); unsigned long mpx_unmapped_area_check(unsigned long addr, unsigned long len, unsigned long flags); @@ -100,7 +100,6 @@ static inline void mpx_mm_init(struct mm { } static inline void mpx_notify_unmap(struct mm_struct *mm, - struct vm_area_struct *vma, unsigned long start, unsigned long end) { } _

4 years, 2 months

7
13
0 0

Linux 4.19.153

by Greg Kroah-Hartman

I'm announcing the release of the 4.19.153 kernel. All users of the 4.19 kernel series must upgrade. The updated 4.19.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.19.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/admin-guide/kernel-parameters.txt | 2 Documentation/networking/ip-sysctl.txt | 4 Makefile | 2 arch/arc/plat-hsdk/Kconfig | 1 arch/arm/mm/cache-l2x0.c | 16 arch/powerpc/include/asm/drmem.h | 18 - arch/powerpc/include/asm/reg.h | 2 arch/powerpc/kernel/tau_6xx.c | 55 +-- arch/powerpc/platforms/pseries/rng.c | 1 arch/powerpc/sysdev/xics/icp-hv.c | 1 arch/x86/events/amd/iommu.c | 2 arch/x86/kernel/fpu/init.c | 30 + arch/x86/kernel/nmi.c | 5 arch/x86/kvm/mmu.c | 1 arch/x86/kvm/svm.c | 1 crypto/algif_aead.c | 7 crypto/algif_skcipher.c | 2 drivers/android/binder.c | 35 -- drivers/bluetooth/hci_ldisc.c | 1 drivers/bluetooth/hci_serdev.c | 2 drivers/cpufreq/armada-37xx-cpufreq.c | 6 drivers/crypto/chelsio/chtls/chtls_cm.c | 3 drivers/crypto/chelsio/chtls/chtls_io.c | 5 drivers/crypto/ixp4xx_crypto.c | 2 drivers/crypto/mediatek/mtk-platform.c | 8 drivers/crypto/omap-sham.c | 3 drivers/crypto/picoxcell_crypto.c | 9 drivers/edac/i5100_edac.c | 11 drivers/edac/ti_edac.c | 3 drivers/gpu/drm/gma500/cdv_intel_dp.c | 2 drivers/hid/hid-input.c | 4 drivers/hid/hid-roccat-kone.c | 23 - drivers/hwmon/pmbus/max34440.c | 3 drivers/infiniband/core/ucma.c | 6 drivers/infiniband/hw/mlx4/cm.c | 3 drivers/infiniband/hw/mlx4/mad.c | 34 + drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 drivers/infiniband/hw/qedr/main.c | 2 drivers/infiniband/hw/qedr/verbs.c | 2 drivers/media/i2c/m5mols/m5mols_core.c | 3 drivers/media/i2c/tc358743.c | 14 drivers/media/platform/exynos4-is/media-dev.c | 4 drivers/media/platform/mx2_emmaprp.c | 7 drivers/media/platform/omap3isp/isp.c | 6 drivers/media/platform/qcom/camss/camss-csiphy.c | 4 drivers/media/platform/rcar-fcp.c | 4 drivers/media/platform/rcar-vin/rcar-dma.c | 4 drivers/media/platform/rockchip/rga/rga-buf.c | 1 drivers/media/platform/s5p-mfc/s5p_mfc_pm.c | 4 drivers/media/platform/stm32/stm32-dcmi.c | 4 drivers/media/platform/ti-vpe/vpe.c | 2 drivers/media/tuners/tuner-simple.c | 5 drivers/media/usb/uvc/uvc_ctrl.c | 6 drivers/media/usb/uvc/uvc_entity.c | 35 ++ drivers/mfd/sm501.c | 8 drivers/misc/mic/scif/scif_rma.c | 4 drivers/misc/vmw_vmci/vmci_queue_pair.c | 10 drivers/mtd/lpddr/lpddr2_nvm.c | 35 +- drivers/mtd/mtdoops.c | 11 drivers/net/dsa/realtek-smi.h | 4 drivers/net/dsa/rtl8366.c | 280 ++++++++-------- drivers/net/dsa/rtl8366rb.c | 2 drivers/net/ethernet/cisco/enic/enic.h | 1 drivers/net/ethernet/cisco/enic/enic_api.c | 6 drivers/net/ethernet/cisco/enic/enic_main.c | 27 + drivers/net/ethernet/freescale/fec_main.c | 35 +- drivers/net/ethernet/ibm/ibmveth.c | 19 - drivers/net/ethernet/korina.c | 3 drivers/net/ethernet/mellanox/mlx4/en_rx.c | 3 drivers/net/ethernet/mellanox/mlx4/en_tx.c | 2 drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c | 5 drivers/net/ethernet/realtek/r8169.c | 54 +-- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 33 - drivers/net/usb/qmi_wwan.c | 1 drivers/net/wan/hdlc.c | 10 drivers/net/wan/hdlc_raw_eth.c | 1 drivers/net/wireless/ath/ath10k/ce.c | 2 drivers/net/wireless/ath/ath10k/mac.c | 2 drivers/net/wireless/ath/ath6kl/main.c | 3 drivers/net/wireless/ath/ath6kl/wmi.c | 5 drivers/net/wireless/ath/ath9k/htc_hst.c | 2 drivers/net/wireless/ath/wcn36xx/main.c | 2 drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 2 drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 9 drivers/net/wireless/marvell/mwifiex/scan.c | 2 drivers/net/wireless/marvell/mwifiex/sdio.c | 2 drivers/net/wireless/quantenna/qtnfmac/commands.c | 2 drivers/perf/xgene_pmu.c | 32 - drivers/pinctrl/bcm/Kconfig | 1 drivers/pinctrl/pinctrl-mcp23s08.c | 24 - drivers/platform/x86/mlx-platform.c | 15 drivers/pwm/pwm-lpss.c | 7 drivers/regulator/core.c | 21 - drivers/scsi/be2iscsi/be_main.c | 4 drivers/scsi/csiostor/csio_hw.c | 2 drivers/scsi/qla2xxx/qla_nvme.c | 2 drivers/scsi/qla4xxx/ql4_os.c | 2 drivers/slimbus/core.c | 6 drivers/slimbus/qcom-ngd-ctrl.c | 4 drivers/spi/spi-s3c64xx.c | 52 ++ drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c | 2 drivers/target/target_core_user.c | 2 drivers/tty/hvc/hvcs.c | 14 drivers/tty/pty.c | 2 drivers/tty/serial/Kconfig | 1 drivers/usb/dwc2/gadget.c | 40 +- drivers/usb/dwc2/params.c | 2 drivers/usb/gadget/function/f_ncm.c | 6 drivers/usb/gadget/function/u_ether.c | 2 drivers/video/backlight/sky81452-backlight.c | 1 drivers/video/fbdev/aty/radeon_base.c | 2 drivers/video/fbdev/sis/init.c | 11 drivers/video/fbdev/vga16fb.c | 14 drivers/virt/fsl_hypervisor.c | 17 fs/cifs/asn1.c | 16 fs/cifs/smb2ops.c | 2 fs/proc/base.c | 3 fs/quota/quota_v2.c | 1 fs/xfs/libxfs/xfs_rtbitmap.c | 11 fs/xfs/xfs_fsmap.c | 3 include/linux/oom.h | 1 include/linux/sched/coredump.h | 1 include/net/ip.h | 6 include/net/netfilter/nf_log.h | 1 kernel/fork.c | 21 + mm/memcontrol.c | 5 mm/oom_kill.c | 2 net/ipv4/icmp.c | 7 net/ipv4/netfilter/nf_log_arp.c | 19 - net/ipv4/netfilter/nf_log_ipv4.c | 6 net/ipv4/route.c | 4 net/ipv4/tcp_input.c | 2 net/ipv6/ip6_fib.c | 4 net/ipv6/netfilter/nf_log_ipv6.c | 8 net/netfilter/ipvs/ip_vs_xmit.c | 6 net/netfilter/nf_log_common.c | 12 net/nfc/netlink.c | 2 net/sched/act_tunnel_key.c | 2 net/smc/smc_core.c | 2 net/tipc/msg.c | 3 net/tls/tls_device.c | 11 net/wireless/nl80211.c | 5 security/integrity/ima/ima_crypto.c | 2 sound/core/seq/oss/seq_oss.c | 7 sound/firewire/bebob/bebob_hwdep.c | 3 sound/pci/hda/patch_realtek.c | 42 ++ sound/soc/qcom/lpass-cpu.c | 16 sound/soc/qcom/lpass-platform.c | 3 148 files changed, 970 insertions(+), 566 deletions(-) Alex Dewar (1): VMCI: check return value of get_user_pages_fast() for errors Arnd Bergmann (1): mtd: lpddr: fix excessive stack usage with clang Artem Savkov (1): pty: do tty_flip_buffer_push without port->lock in pty_write Arvind Sankar (1): x86/fpu: Allow multiple bits in clearcpuid= parameter Bryan O'Donoghue (1): wcn36xx: Fix reported 802.11n rx_highest rate wcn3660/wcn3680 Christophe JAILLET (5): crypto: ixp4xx - Fix the size used in a 'dma_free_coherent()' call ath10k: Fix the size used in a 'dma_free_coherent()' call in an error handling path mwifiex: Do not use GFP_KERNEL in atomic context staging: rtl8192u: Do not use GFP_KERNEL in atomic context scsi: qla4xxx: Fix an error handling path in 'qla4xxx_get_host_stats()' Colin Ian King (3): x86/events/amd/iommu: Fix sizeof mismatch video: fbdev: vga16fb: fix setting of pixclock because a pass-by-value error qtnfmac: fix resource leaks on unsupported iftype error return path Cong Wang (1): tipc: fix the skb_unshare() in tipc_buf_append() Dan Carpenter (8): ALSA: bebob: potential info leak in hwdep_read() cifs: remove bogus debug code ath6kl: prevent potential array overflow in ath6kl_add_new_sta() ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb() HID: roccat: add bounds checking in kone_sysfs_write_settings() ath6kl: wmi: prevent a shift wrapping bug in ath6kl_wmi_delete_pstream_cmd() mfd: sm501: Fix leaks in probe() scsi: be2iscsi: Fix a theoretical leak in beiscsi_create_eqs() Darrick J. Wong (2): xfs: limit entries returned when counting fsmap records xfs: fix high key handling in the rt allocator's query_range function David Ahern (1): ipv4: Restore flowi4_oif update before call to xfrm_lookup_route David Wilder (2): ibmveth: Switch order of ibmveth_helper calls. ibmveth: Identify ingress large send packets. Davide Caratti (1): net/sched: act_tunnel_key: fix OOB write in case of IPv6 ERSPAN tunnels Defang Bo (1): nfc: Ensure presence of NFC_ATTR_FIRMWARE_NAME attribute in nfc_genl_fw_download() Dinghao Liu (4): EDAC/i5100: Fix error handling order in i5100_init_one() media: omap3isp: Fix memleak in isp_probe media: mx2_emmaprp: Fix memleak in emmaprp_probe video: fbdev: radeon: Fix memleak in radeonfb_pci_register Dmitry Torokhov (1): HID: hid-input: fix stylus battery reporting Emmanuel Grumbach (1): iwlwifi: mvm: split a print to avoid a WARNING in ROC Eran Ben Elisha (1): net/mlx5: Don't call timecounter cyc2time directly from 1PPS flow Eric Dumazet (2): icmp: randomize the global rate limiter quota: clear padding in v2r1_mem2diskdqb() Finn Thain (3): powerpc/tau: Use appropriate temperature sample interval powerpc/tau: Convert from timer to workqueue powerpc/tau: Remove duplicated set_thresholds() call Greg Kroah-Hartman (1): Linux 4.19.153 Guenter Roeck (1): hwmon: (pmbus/max34440) Fix status register reads for MAX344{51,60,61} Guillaume Tucker (1): ARM: 9007/1: l2c: fix prefetch bits init in L2X0_AUX_CTRL using DT values Hans de Goede (2): pwm: lpss: Fix off by one error in base_unit math in pwm_lpss_prepare() pwm: lpss: Add range limit check for the base_unit register value Heiner Kallweit (2): r8169: fix data corruption issue on RTL8402 r8169: fix operation under forced interrupt threading Herbert Xu (2): crypto: algif_aead - Do not set MAY_BACKLOG on the async path crypto: algif_skcipher - EBUSY on aio should be an error Håkon Bugge (2): IB/mlx4: Fix starvation in paravirt mux/demux IB/mlx4: Adjust delayed work when a dup is observed Jason Gunthorpe (2): RDMA/ucma: Fix locking for ctx->events_reported RDMA/ucma: Add missing locking around rdma_leave_multicast() Jian-Hong Pan (1): ALSA: hda/realtek: Enable audio jacks of ASUS D700SA with ALC887 Johannes Berg (1): nl80211: fix non-split wiphy information John Donnelly (1): scsi: target: tcmu: Fix warning: 'page' may be used uninitialized Jonathan Lemon (1): mlx4: handle non-napi callers to napi_poll Julian Anastasov (1): ipvs: clear skb->tstamp in forwarding path Karsten Graul (1): net/smc: fix valid DMBE buffer sizes Krzysztof Kozlowski (1): EDAC/ti: Fix handling of platform_get_irq() error Laurent Pinchart (2): media: uvcvideo: Set media controller entity functions media: uvcvideo: Silence shift-out-of-bounds warning Libing Zhou (1): x86/nmi: Fix nmi_handle() duration miscalculation Linus Walleij (4): net: dsa: rtl8366: Check validity of passed VLANs net: dsa: rtl8366: Refactor VLAN/PVID init net: dsa: rtl8366: Skip PVID setting if not requested net: dsa: rtl8366rb: Support all 4096 VLANs Lorenzo Colitti (2): usb: gadget: f_ncm: fix ncm_bitrate for SuperSpeed and above. usb: gadget: u_ether: enable qmult on SuperSpeed Plus as well Maciej Żenczykowski (1): net/ipv4: always honour route mtu during forwarding Madhuparna Bhowmik (1): crypto: picoxcell - Fix potential race condition bug Marek Vasut (2): net: fec: Fix phy_device lookup for phy_reset_after_clk_enable() net: fec: Fix PHY init after phy_reset_after_clk_enable() Mark Salter (1): drivers/perf: xgene_pmu: Fix uninitialized resource struct Mark Tomlinson (1): mtd: mtdoops: Don't write panic data twice Michal Kalderon (2): RDMA/qedr: Fix use of uninitialized field RDMA/qedr: Fix inline size returned for iWARP Michał Mirosław (1): regulator: resolve supply after creating regulator Minas Harutyunyan (1): usb: dwc2: Fix INTR OUT transfers in DDMA mode. Nathan Chancellor (1): usb: dwc2: Fix parameter type in function pointer prototype Nathan Lynch (1): powerpc/pseries: explicitly reschedule during drmem_lmb list traversal Neal Cardwell (1): tcp: fix to update snd_wl1 in bulk receiver fast path Necip Fazil Yildiran (2): pinctrl: bcm: fix kconfig dependency warning when !GPIOLIB arc: plat-hsdk: fix kconfig dependency warning when !RESET_CONTROLLER Nicholas Mc Guire (2): powerpc/pseries: Fix missing of_node_put() in rng_init() powerpc/icp-hv: Fix missing of_node_put() in success path Ong Boon Leong (1): net: stmmac: use netif_tx_start|stop_all_queues() function Pablo Neira Ayuso (1): netfilter: nf_log: missing vlan offload tag and proto Pali Rohár (1): cpufreq: armada-37xx: Add missing MODULE_DEVICE_TABLE Qiushi Wu (7): media: rcar-vin: Fix a reference count leak. media: rockchip/rga: Fix a reference count leak. media: platform: fcp: Fix a reference count leak. media: camss: Fix a reference count leak. media: s5p-mfc: Fix a reference count leak media: stm32-dcmi: Fix a reference count leak media: ti-vpe: Fix a missing check and reference count leak Ralph Campbell (1): mm/memcg: fix device private memcg accounting Roberto Sassu (1): ima: Don't ignore errors from crypto_shash_update() Rohit Maheshwari (1): net/tls: sendfile fails with ktls offload Rohit kumar (2): ASoC: qcom: lpass-platform: fix memory leak ASoC: qcom: lpass-cpu: fix concurrency issue Samuel Holland (1): Bluetooth: hci_uart: Cancel init work before unregistering Sean Christopherson (1): KVM: x86/mmu: Commit zap of remaining invalid pages when recovering lpages Shyam Prasad N (1): cifs: Return the error from crypt_message when enc/dec key not found. Souptick Joarder (2): drivers/virt/fsl_hypervisor: Fix error handling path misc: mic: scif: Fix error handling path Srinivas Kandagatla (3): slimbus: core: check get_addr before removing laddr ida slimbus: core: do not enter to clock pause mode in core slimbus: qcom-ngd-ctrl: disable ngd in qmi server down callback Suravee Suthikulpanit (1): KVM: SVM: Initialize prev_ga_tag before use Suren Baghdasaryan (1): mm, oom_adj: don't loop through tasks in __set_oom_adj when not necessary Sylwester Nawrocki (1): media: Revert "media: exynos4-is: Add missed check for pinctrl_lookup_state()" Takashi Iwai (1): ALSA: seq: oss: Avoid mutex lock for a long-time ioctl Tero Kristo (1): crypto: omap-sham - fix digcnt register handling with export/import Thomas Gleixner (1): net: enic: Cure the enic api locking trainwreck Thomas Preston (2): pinctrl: mcp23s08: Fix mcp23x17_regmap initialiser pinctrl: mcp23s08: Fix mcp23x17 precious range Tianjia Zhang (3): crypto: mediatek - Fix wrong return value in mtk_desc_ring_alloc() scsi: qla2xxx: Fix wrong return value in qla_nvme_register_hba() scsi: csiostor: Fix wrong return value in csio_hw_prep_fw() Todd Kjos (1): binder: fix UAF when releasing todo list Tom Rix (8): media: tuner-simple: fix regression in simple_set_radio_freq media: m5mols: Check function pointer in m5mols_sensor_power media: tc358743: initialize variable media: tc358743: cleanup tc358743_cec_isr brcmfmac: check ndev pointer drm/gma500: fix error check video: fbdev: sis: fix null ptr dereference mwifiex: fix double free Tong Zhang (1): tty: serial: earlycon dependency Tyrel Datwyler (1): tty: hvcs: Don't NULL tty->driver_data until hvcs_cleanup() Vadim Pasternak (1): platform/x86: mlx-platform: Remove PSU EEPROM configuration Valentin Vidic (1): net: korina: fix kfree of rx/tx descriptor array Venkateswara Naralasetty (1): ath10k: provide survey info as accumulated data Vinay Kumar Yadav (3): chelsio/chtls: fix socket lock chelsio/chtls: correct netdevice for vlan interface chelsio/chtls: correct function return and return type Wilken Gottwalt (1): net: usb: qmi_wwan: add Cellient MPL200 card Xiaoliang Pang (1): cypto: mediatek - fix leaks in mtk_desc_ring_alloc Xie He (2): net: hdlc: In hdlc_rcv, check to make sure dev is an HDLC device net: hdlc_raw_eth: Clear the IFF_TX_SKB_SHARING flag after calling ether_setup Yonghong Song (1): net: fix pos incrementment in ipv6_route_seq_next dinghao.liu(a)zju.edu.cn (1): backlight: sky81452-backlight: Fix refcount imbalance on error Łukasz Stelmach (2): spi: spi-s3c64xx: swap s3c64xx_spi_set_cs() and s3c64xx_enable_datapath() spi: spi-s3c64xx: Check return values

4 years, 2 months

4
7
0 0

[PATCH 1/4] erofs: fix setting up pcluster for temporary pages

by Gao Xiang

From: Gao Xiang <hsiangkao(a)redhat.com> pcluster should be only set up for all managed pages instead of temporary pages. Since it currently uses page->mapping to identify, the impact is minor for now. Fixes: 5ddcee1f3a1c ("erofs: get rid of __stagingpage_alloc helper") Cc: <stable(a)vger.kernel.org> # 5.5+ Signed-off-by: Gao Xiang <hsiangkao(a)redhat.com> --- fs/erofs/zdata.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c index 50912a5420b4..86fd3bf62af6 100644 --- a/fs/erofs/zdata.c +++ b/fs/erofs/zdata.c @@ -1078,8 +1078,11 @@ static struct page *pickup_page_for_submission(struct z_erofs_pcluster *pcl, cond_resched(); goto repeat; } - set_page_private(page, (unsigned long)pcl); - SetPagePrivate(page); + + if (tocache) { + set_page_private(page, (unsigned long)pcl); + SetPagePrivate(page); + } out: /* the only exit (for tracing and debugging) */ return page; } -- 2.24.0

4 years, 2 months

4
7
0 0

[PATCH 1/1] iommu: Fix deferred domain attachment in iommu_probe_device()

by Lu Baolu

The IOMMU core has support for deferring the attachment of default domain to device. Fix a missed deferred attaching check in iommu_probe_device(). Fixes: cf193888bfbd3 ("iommu: Move new probe_device path to separate function") Cc: stable(a)vger.kernel.org # v5.8+ Signed-off-by: Lu Baolu <baolu.lu(a)linux.intel.com> --- drivers/iommu/iommu.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c index 6d847027d35e..690abf60239d 100644 --- a/drivers/iommu/iommu.c +++ b/drivers/iommu/iommu.c @@ -93,6 +93,8 @@ static void __iommu_detach_group(struct iommu_domain *domain, static int iommu_create_device_direct_mappings(struct iommu_group *group, struct device *dev); static struct iommu_group *iommu_group_get_for_dev(struct device *dev); +static bool iommu_is_attach_deferred(struct iommu_domain *domain, + struct device *dev); #define IOMMU_GROUP_ATTR(_name, _mode, _show, _store) \ struct iommu_group_attribute iommu_group_attr_##_name = \ @@ -264,7 +266,8 @@ int iommu_probe_device(struct device *dev) */ iommu_alloc_default_domain(group, dev); - if (group->default_domain) + if (group->default_domain && + !iommu_is_attach_deferred(group->default_domain, dev)) ret = __iommu_attach_device(group->default_domain, dev); iommu_create_device_direct_mappings(group, dev); -- 2.17.1

4 years, 2 months

2
2
0 0

[PATCH] erofs: derive atime instead of leaving it empty

by Gao Xiang

From: Gao Xiang <hsiangkao(a)redhat.com> EROFS has _only one_ ondisk timestamp (ctime is currently documented and recorded, we might also record mtime instead with a new compat feature if needed) for each extended inode since EROFS isn't mainly for archival purposes so no need to keep all timestamps on disk especially for Android scenarios due to security concerns. Also, romfs/cramfs don't have their own on-disk timestamp, and squashfs only records mtime instead. Let's also derive access time from ondisk timestamp rather than leaving it empty, and if mtime/atime for each file are really needed for specific scenarios as well, we can also use xattrs to record them then. Reported-by: nl6720 <nl6720(a)gmail.com> [ Gao Xiang: It'd be better to backport for user-friendly concern. ] Fixes: 431339ba9042 ("staging: erofs: add inode operations") Cc: stable <stable(a)vger.kernel.org> # 4.19+ Signed-off-by: Gao Xiang <hsiangkao(a)redhat.com> --- fs/erofs/inode.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/fs/erofs/inode.c b/fs/erofs/inode.c index 139d0bed42f8..3e21c0e8adae 100644 --- a/fs/erofs/inode.c +++ b/fs/erofs/inode.c @@ -107,11 +107,9 @@ static struct page *erofs_read_inode(struct inode *inode, i_gid_write(inode, le32_to_cpu(die->i_gid)); set_nlink(inode, le32_to_cpu(die->i_nlink)); - /* ns timestamp */ - inode->i_mtime.tv_sec = inode->i_ctime.tv_sec = - le64_to_cpu(die->i_ctime); - inode->i_mtime.tv_nsec = inode->i_ctime.tv_nsec = - le32_to_cpu(die->i_ctime_nsec); + /* extended inode has its own timestamp */ + inode->i_ctime.tv_sec = le64_to_cpu(die->i_ctime); + inode->i_ctime.tv_nsec = le32_to_cpu(die->i_ctime_nsec); inode->i_size = le64_to_cpu(die->i_size); @@ -149,11 +147,9 @@ static struct page *erofs_read_inode(struct inode *inode, i_gid_write(inode, le16_to_cpu(dic->i_gid)); set_nlink(inode, le16_to_cpu(dic->i_nlink)); - /* use build time to derive all file time */ - inode->i_mtime.tv_sec = inode->i_ctime.tv_sec = - sbi->build_time; - inode->i_mtime.tv_nsec = inode->i_ctime.tv_nsec = - sbi->build_time_nsec; + /* use build time for compact inodes */ + inode->i_ctime.tv_sec = sbi->build_time; + inode->i_ctime.tv_nsec = sbi->build_time_nsec; inode->i_size = le32_to_cpu(dic->i_size); if (erofs_inode_is_data_compressed(vi->datalayout)) @@ -167,6 +163,11 @@ static struct page *erofs_read_inode(struct inode *inode, goto err_out; } + inode->i_mtime.tv_sec = inode->i_ctime.tv_sec; + inode->i_atime.tv_sec = inode->i_ctime.tv_sec; + inode->i_mtime.tv_nsec = inode->i_ctime.tv_nsec; + inode->i_atime.tv_nsec = inode->i_ctime.tv_nsec; + if (!nblks) /* measure inode.i_blocks as generic filesystems */ inode->i_blocks = roundup(inode->i_size, EROFS_BLKSIZ) >> 9; -- 2.24.0

4 years, 2 months

4
4
0 0

[PATCH] drm/edid: Fix uninitialized variable in drm_cvt_modes()

by Lyude Paul

Noticed this when trying to compile with -Wall on a kernel fork. We potentially don't set width here, which causes the compiler to complain about width potentially being uninitialized in drm_cvt_modes(). So, let's fix that. Signed-off-by: Lyude Paul <lyude(a)redhat.com> Cc: <stable(a)vger.kernel.org> # v5.9+ Fixes: 3f649ab728cd ("treewide: Remove uninitialized_var() usage") Signed-off-by: Lyude Paul <lyude(a)redhat.com> --- drivers/gpu/drm/drm_edid.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_edid.c b/drivers/gpu/drm/drm_edid.c index 631125b46e04..2da158ffed8e 100644 --- a/drivers/gpu/drm/drm_edid.c +++ b/drivers/gpu/drm/drm_edid.c @@ -3094,6 +3094,7 @@ static int drm_cvt_modes(struct drm_connector *connector, for (i = 0; i < 4; i++) { int width, height; + u8 cvt_aspect_ratio; cvt = &(timing->data.other_data.data.cvt[i]); @@ -3101,7 +3102,8 @@ static int drm_cvt_modes(struct drm_connector *connector, continue; height = (cvt->code[0] + ((cvt->code[1] & 0xf0) << 4) + 1) * 2; - switch (cvt->code[1] & 0x0c) { + cvt_aspect_ratio = cvt->code[1] & 0x0c; + switch (cvt_aspect_ratio) { case 0x00: width = height * 4 / 3; break; @@ -3114,6 +3116,10 @@ static int drm_cvt_modes(struct drm_connector *connector, case 0x0c: width = height * 15 / 9; break; + default: + drm_dbg_kms(dev, "[CONNECTOR:%d:%s] unknown CVT aspect ratio %x\n", + connector->base.id, connector->name, cvt_aspect_ratio); + continue; } for (j = 1; j < 5; j++) { -- 2.26.2

4 years, 2 months

2
4
0 0

[PATCH] perf: increase size of buf in perf_evsel__hists_browse()

by Song Liu

Making perf with gcc-9.1.1 generates the following warning: CC ui/browsers/hists.o ui/browsers/hists.c: In function 'perf_evsel__hists_browse': ui/browsers/hists.c:3078:61: error: '%d' directive output may be \ truncated writing between 1 and 11 bytes into a region of size \ between 2 and 12 [-Werror=format-truncation=] 3078 | "Max event group index to sort is %d (index from 0 to %d)", | ^~ ui/browsers/hists.c:3078:7: note: directive argument in the range [-2147483648, 8] 3078 | "Max event group index to sort is %d (index from 0 to %d)", | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In file included from /usr/include/stdio.h:937, from ui/browsers/hists.c:5: IOW, the string in line 3078 might be too long for buf[] of 64 bytes. Fix this by increasing the size of buf[] to 128. Fixes: dbddf1747441 ("perf report/top TUI: Support hotkeys to let user select any event for sorting") Cc: stable <stable(a)vger.kernel.org> # v5.7+ Cc: Jin Yao <yao.jin(a)linux.intel.com> Cc: Jiri Olsa <jolsa(a)kernel.org> Cc: Arnaldo Carvalho de Melo <acme(a)redhat.com> Cc: Arnaldo Carvalho de Melo <acme(a)kernel.org> Signed-off-by: Song Liu <songliubraving(a)fb.com> --- tools/perf/ui/browsers/hists.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/perf/ui/browsers/hists.c b/tools/perf/ui/browsers/hists.c index a07626f072087..b0e1880cf992b 100644 --- a/tools/perf/ui/browsers/hists.c +++ b/tools/perf/ui/browsers/hists.c @@ -2963,7 +2963,7 @@ static int perf_evsel__hists_browse(struct evsel *evsel, int nr_events, struct popup_action actions[MAX_OPTIONS]; int nr_options = 0; int key = -1; - char buf[64]; + char buf[128]; int delay_secs = hbt ? hbt->refresh : 0; #define HIST_BROWSER_HELP_COMMON \ -- 2.24.1

4 years, 2 months

4
4
0 0

[PATCH v3 2/3] scsi: megaraid_sas: check user-provided offsets

by Arnd Bergmann

From: Arnd Bergmann <arnd(a)arndb.de> It sounds unwise to let user space pass an unchecked 32-bit offset into a kernel structure in an ioctl. This is an unsigned variable, so checking the upper bound for the size of the structure it points into is sufficient to avoid data corruption, but as the pointer might also be unaligned, it has to be written carefully as well. While I stumbled over this problem by reading the code, I did not continue checking the function for further problems like it. Cc: <stable(a)vger.kernel.org> # v2.6.15+ Fixes: c4a3e0a529ab ("[SCSI] MegaRAID SAS RAID: new driver") Reviewed-by: Christoph Hellwig <hch(a)lst.de> Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> --- drivers/scsi/megaraid/megaraid_sas_base.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c index 41cd66fc7d81..b1b9a8823c8c 100644 --- a/drivers/scsi/megaraid/megaraid_sas_base.c +++ b/drivers/scsi/megaraid/megaraid_sas_base.c @@ -8134,7 +8134,7 @@ megasas_mgmt_fw_ioctl(struct megasas_instance *instance, int error = 0, i; void *sense = NULL; dma_addr_t sense_handle; - unsigned long *sense_ptr; + void *sense_ptr; u32 opcode = 0; int ret = DCMD_SUCCESS; @@ -8257,6 +8257,12 @@ megasas_mgmt_fw_ioctl(struct megasas_instance *instance, } if (ioc->sense_len) { + /* make sure the pointer is part of the frame */ + if (ioc->sense_off > (sizeof(union megasas_frame) - sizeof(__le64))) { + error = -EINVAL; + goto out; + } + sense = dma_alloc_coherent(&instance->pdev->dev, ioc->sense_len, &sense_handle, GFP_KERNEL); if (!sense) { @@ -8264,12 +8270,11 @@ megasas_mgmt_fw_ioctl(struct megasas_instance *instance, goto out; } - sense_ptr = - (unsigned long *) ((unsigned long)cmd->frame + ioc->sense_off); + sense_ptr = (void *)cmd->frame + ioc->sense_off; if (instance->consistent_mask_64bit) - *sense_ptr = cpu_to_le64(sense_handle); + put_unaligned_le64(sense_handle, sense_ptr); else - *sense_ptr = cpu_to_le32(sense_handle); + put_unaligned_le32(sense_handle, sense_ptr); } /* -- 2.27.0

4 years, 2 months

2
1
0 0

[PATCH 5.9 00/74] 5.9.3-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.9.3 release. There are 74 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Mon, 02 Nov 2020 11:34:42 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.9.3-rc1.… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.9.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.9.3-rc1 Pali Rohár <pali(a)kernel.org> phy: marvell: comphy: Convert internal SMCC firmware return codes to errno Ricky Wu <ricky_wu(a)realtek.com> misc: rtsx: do not setting OC_POWER_DOWN reg in rtsx_pci_init_ocp() Pavel Begunkov <asml.silence(a)gmail.com> io_uring: don't reuse linked_timeout Souptick Joarder <jrdr.linux(a)gmail.com> xen/gntdev.c: Mark pages as dirty Jens Axboe <axboe(a)kernel.dk> mm: mark async iocb read as NOWAIT once some data has been copied Geert Uytterhoeven <geert+renesas(a)glider.be> ata: sata_rcar: Fix DMA boundary mask Grygorii Strashko <grygorii.strashko(a)ti.com> PM: runtime: Fix timer_expires data type on 32-bit arches Peter Zijlstra <peterz(a)infradead.org> serial: pl011: Fix lockdep splat when handling magic-sysrq interrupt Paras Sharma <parashar(a)codeaurora.org> serial: qcom_geni_serial: To correct QUP Version detection logic Chris Wilson <chris(a)chris-wilson.co.uk> drm/i915/gem: Serialise debugfs i915_gem_objects with ctx->mutex Gustavo A. R. Silva <gustavo(a)embeddedor.com> mtd: lpddr: Fix bad logic in print_drs_error Jason Gunthorpe <jgg(a)ziepe.ca> RDMA/addr: Fix race with netevent_callback()/rdma_addr_cancel() Frederic Barrat <fbarrat(a)linux.ibm.com> cxl: Rework error message for incompatible slots Jia-Ju Bai <baijiaju(a)tsinghua.edu.cn> p54: avoid accessing the data mapped to streaming DMA Roberto Sassu <roberto.sassu(a)huawei.com> evm: Check size of security.evm before using it Song Liu <songliubraving(a)fb.com> bpf: Fix comment for helper bpf_current_task_under_cgroup() Miklos Szeredi <mszeredi(a)redhat.com> fuse: fix page dereference after free Pali Rohár <pali(a)kernel.org> ata: ahci: mvebu: Make SATA PHY optional for Armada 3720 Pali Rohár <pali(a)kernel.org> PCI: aardvark: Fix initialization with old Marvell's Arm Trusted Firmware Juergen Gross <jgross(a)suse.com> x86/xen: disable Firmware First mode for correctable memory errors Thomas Gleixner <tglx(a)linutronix.de> x86/traps: Fix #DE Oops message regression Kim Phillips <kim.phillips(a)amd.com> arch/x86/amd/ibs: Fix re-arming IBS Fetch Gao Xiang <hsiangkao(a)redhat.com> erofs: avoid duplicated permission check for "trusted." xattrs Leon Romanovsky <leon(a)kernel.org> net: protect tcf_block_unbind with block lock Karsten Graul <kgraul(a)linux.ibm.com> net/smc: fix suppressed return code Karsten Graul <kgraul(a)linux.ibm.com> net/smc: fix invalid return code in smcd_new_buf_create() Tung Nguyen <tung.q.nguyen(a)dektech.com.au> tipc: fix memory leak caused by tipc_buf_append() Arjun Roy <arjunroy(a)google.com> tcp: Prevent low rmem stalls with SO_RCVLOWAT. Andrew Gabbasov <andrew_gabbasov(a)mentor.com> ravb: Fix bit fields checking in ravb_hwtstamp_get() Heiner Kallweit <hkallweit1(a)gmail.com> r8169: fix issue with forced threading in combination with shared interrupts Guillaume Nault <gnault(a)redhat.com> net/sched: act_mpls: Add softdep on mpls_gso.ko Alex Elder <elder(a)linaro.org> net: ipa: command payloads already mapped Zenghui Yu <yuzenghui(a)huawei.com> net: hns3: Clear the CMDQ registers before unmapping BAR region Aleksandr Nogikh <nogikh(a)google.com> netem: fix zero division in tabledist Amit Cohen <amcohen(a)nvidia.com> mlxsw: Only advertise link modes supported by both driver and device Ido Schimmel <idosch(a)nvidia.com> mlxsw: core: Fix memory leak on module removal Lijun Pan <ljp(a)linux.ibm.com> ibmvnic: fix ibmvnic_set_mac Thomas Bogendoerfer <tbogendoerfer(a)suse.de> ibmveth: Fix use of ibmveth in a bridge. Masahiro Fujiwara <fujiwara.masahiro(a)gmail.com> gtp: fix an use-before-init in gtp_newlink() Raju Rangoju <rajur(a)chelsio.com> cxgb4: set up filter action after rewrites Vinay Kumar Yadav <vinay.yadav(a)chelsio.com> chelsio/chtls: fix tls record info to user Vinay Kumar Yadav <vinay.yadav(a)chelsio.com> chelsio/chtls: fix memory leaks in CPL handlers Vinay Kumar Yadav <vinay.yadav(a)chelsio.com> chelsio/chtls: fix deadlock issue Vasundhara Volam <vasundhara-v.volam(a)broadcom.com> bnxt_en: Send HWRM_FUNC_RESET fw command unconditionally. Vasundhara Volam <vasundhara-v.volam(a)broadcom.com> bnxt_en: Re-write PCI BARs after PCI fatal error. Vasundhara Volam <vasundhara-v.volam(a)broadcom.com> bnxt_en: Invoke cancel_delayed_work_sync() for PFs also. Vasundhara Volam <vasundhara-v.volam(a)broadcom.com> bnxt_en: Fix regression in workqueue cleanup logic in bnxt_remove_one(). Michael Chan <michael.chan(a)broadcom.com> bnxt_en: Check abort error state in bnxt_open_nic(). Michael Schaller <misch(a)google.com> efivarfs: Replace invalid slashes with exclamation marks in dentries. Dan Williams <dan.j.williams(a)intel.com> x86/copy_mc: Introduce copy_mc_enhanced_fast_string() Dan Williams <dan.j.williams(a)intel.com> x86, powerpc: Rename memcpy_mcsafe() to copy_mc_to_{user, kernel}() Randy Dunlap <rdunlap(a)infradead.org> x86/PCI: Fix intel_mid_pci.c build error when ACPI is not enabled Nick Desaulniers <ndesaulniers(a)google.com> arm64: link with -z norelro regardless of CONFIG_RELOCATABLE Marc Zyngier <maz(a)kernel.org> arm64: Run ARCH_WORKAROUND_2 enabling code on all CPUs Marc Zyngier <maz(a)kernel.org> arm64: Run ARCH_WORKAROUND_1 enabling code on all CPUs Kees Cook <keescook(a)chromium.org> fs/kernel_read_file: Remove FIRMWARE_EFI_EMBEDDED enum Ard Biesheuvel <ardb(a)kernel.org> efi/arm64: libstub: Deal gracefully with EFI_RNG_PROTOCOL failure Rasmus Villemoes <linux(a)rasmusvillemoes.dk> scripts/setlocalversion: make git describe output more reliable Matthew Wilcox (Oracle) <willy(a)infradead.org> io_uring: Convert advanced XArray uses to the normal API Matthew Wilcox (Oracle) <willy(a)infradead.org> io_uring: Fix XArray usage in io_uring_add_task_file Matthew Wilcox (Oracle) <willy(a)infradead.org> io_uring: Fix use of XArray in __io_uring_files_cancel Jens Axboe <axboe(a)kernel.dk> io_uring: no need to call xa_destroy() on empty xarray Hillf Danton <hdanton(a)sina.com> io-wq: fix use-after-free in io_wq_worker_running Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> io_wq: Make io_wqe::lock a raw_spinlock_t Jens Axboe <axboe(a)kernel.dk> io_uring: reference ->nsproxy for file table commands Jens Axboe <axboe(a)kernel.dk> io_uring: don't rely on weak ->files references Jens Axboe <axboe(a)kernel.dk> io_uring: enable task/files specific overflow flushing Jens Axboe <axboe(a)kernel.dk> io_uring: return cancelation status from poll/timeout/files handlers Jens Axboe <axboe(a)kernel.dk> io_uring: unconditionally grab req->task Jens Axboe <axboe(a)kernel.dk> io_uring: stash ctx task reference for SQPOLL Jens Axboe <axboe(a)kernel.dk> io_uring: move dropping of files into separate helper Jens Axboe <axboe(a)kernel.dk> io_uring: allow timeout/poll/files killing to take task into account Saeed Mirzamohammadi <saeed.mirzamohammadi(a)oracle.com> netfilter: nftables_offload: KASAN slab-out-of-bounds Read in nft_flow_rule_create Viresh Kumar <viresh.kumar(a)linaro.org> cpufreq: Improve code around unlisted freq check ------------- Diffstat: Makefile | 4 +- arch/arm64/Makefile | 4 +- arch/arm64/kernel/cpu_errata.c | 15 + arch/powerpc/Kconfig | 2 +- arch/powerpc/include/asm/string.h | 2 - arch/powerpc/include/asm/uaccess.h | 40 +- arch/powerpc/lib/Makefile | 2 +- .../lib/{memcpy_mcsafe_64.S => copy_mc_64.S} | 4 +- arch/x86/Kconfig | 2 +- arch/x86/Kconfig.debug | 2 +- arch/x86/events/amd/ibs.c | 15 +- arch/x86/include/asm/copy_mc_test.h | 75 +++ arch/x86/include/asm/mce.h | 9 + arch/x86/include/asm/mcsafe_test.h | 75 --- arch/x86/include/asm/string_64.h | 32 -- arch/x86/include/asm/uaccess.h | 9 + arch/x86/include/asm/uaccess_64.h | 20 - arch/x86/kernel/cpu/mce/core.c | 8 +- arch/x86/kernel/quirks.c | 10 +- arch/x86/kernel/traps.c | 2 +- arch/x86/lib/Makefile | 1 + arch/x86/lib/copy_mc.c | 96 ++++ arch/x86/lib/copy_mc_64.S | 163 +++++++ arch/x86/lib/memcpy_64.S | 115 ----- arch/x86/lib/usercopy_64.c | 21 - arch/x86/pci/intel_mid_pci.c | 1 + arch/x86/xen/enlighten_pv.c | 9 + drivers/ata/ahci.h | 2 + drivers/ata/ahci_mvebu.c | 2 +- drivers/ata/libahci_platform.c | 2 +- drivers/ata/sata_rcar.c | 2 +- drivers/base/firmware_loader/fallback_platform.c | 2 +- drivers/cpufreq/cpufreq.c | 15 +- drivers/crypto/chelsio/chtls/chtls_cm.c | 29 +- drivers/crypto/chelsio/chtls/chtls_io.c | 7 +- drivers/firmware/efi/libstub/arm64-stub.c | 8 +- drivers/firmware/efi/libstub/fdt.c | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 + drivers/infiniband/core/addr.c | 11 +- drivers/md/dm-writecache.c | 15 +- drivers/misc/cardreader/rtsx_pcr.c | 4 - drivers/misc/cxl/pci.c | 4 +- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 49 +- drivers/net/ethernet/broadcom/bnxt/bnxt.h | 1 + drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c | 56 ++- drivers/net/ethernet/chelsio/cxgb4/t4_tcb.h | 4 + .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 2 +- drivers/net/ethernet/ibm/ibmveth.c | 6 - drivers/net/ethernet/ibm/ibmvnic.c | 8 +- drivers/net/ethernet/mellanox/mlxsw/core.c | 2 + drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 9 +- drivers/net/ethernet/mellanox/mlxsw/spectrum.h | 1 + .../net/ethernet/mellanox/mlxsw/spectrum_ethtool.c | 30 ++ drivers/net/ethernet/realtek/r8169_main.c | 4 +- drivers/net/ethernet/renesas/ravb_main.c | 10 +- drivers/net/gtp.c | 16 +- drivers/net/ipa/gsi_trans.c | 21 +- drivers/net/wireless/intersil/p54/p54pci.c | 4 +- drivers/nvdimm/claim.c | 2 +- drivers/nvdimm/pmem.c | 6 +- drivers/pci/controller/pci-aardvark.c | 4 +- drivers/phy/marvell/phy-mvebu-a3700-comphy.c | 14 +- drivers/phy/marvell/phy-mvebu-cp110-comphy.c | 14 +- drivers/tty/serial/amba-pl011.c | 11 +- drivers/tty/serial/qcom_geni_serial.c | 2 +- drivers/xen/gntdev.c | 17 +- fs/efivarfs/super.c | 3 + fs/erofs/xattr.c | 2 - fs/exec.c | 6 + fs/file.c | 2 + fs/fuse/dev.c | 28 +- fs/io-wq.c | 172 +++---- fs/io-wq.h | 1 + fs/io_uring.c | 502 ++++++++++++++++----- include/linux/fs.h | 1 - include/linux/io_uring.h | 53 +++ include/linux/mtd/pfow.h | 2 +- include/linux/pm.h | 2 +- include/linux/qcom-geni-se.h | 3 + include/linux/sched.h | 5 + include/linux/string.h | 9 +- include/linux/uaccess.h | 13 + include/linux/uio.h | 10 +- include/net/netfilter/nf_tables.h | 6 + include/uapi/linux/bpf.h | 4 +- init/init_task.c | 3 + kernel/fork.c | 6 + lib/Kconfig | 7 +- lib/iov_iter.c | 48 +- mm/filemap.c | 8 + net/ipv4/tcp.c | 2 + net/ipv4/tcp_input.c | 3 +- net/netfilter/nf_tables_api.c | 6 +- net/netfilter/nf_tables_offload.c | 4 +- net/sched/act_mpls.c | 1 + net/sched/cls_api.c | 4 +- net/sched/sch_netem.c | 9 +- net/smc/smc_core.c | 6 +- net/tipc/msg.c | 5 +- scripts/setlocalversion | 21 +- security/integrity/evm/evm_main.c | 6 + tools/arch/x86/include/asm/mcsafe_test.h | 13 - tools/arch/x86/lib/memcpy_64.S | 115 ----- tools/include/uapi/linux/bpf.h | 4 +- tools/objtool/check.c | 5 +- tools/perf/bench/Build | 1 - tools/perf/bench/mem-memcpy-x86-64-lib.c | 24 - tools/testing/nvdimm/test/nfit.c | 49 +- .../testing/selftests/powerpc/copyloops/.gitignore | 2 +- tools/testing/selftests/powerpc/copyloops/Makefile | 6 +- .../selftests/powerpc/copyloops/copy_mc_64.S | 242 ++++++++++ 111 files changed, 1638 insertions(+), 926 deletions(-)

4 years, 2 months

6
85
0 0

Stable backport request for "xen/events: don't use chip_data for legacy IRQs"

by Ross Lagerwall

Hi, Please backport [1] to 4.4, 4.9, 4.14, 4.19. It fixes a commit that has been backported to all the current stable releases but for some reason the fixup was only backported to 5.4 & 5.8. Debian 9 no longer boots as a Xen HVM guest because it is missing the fixup patch. Thanks, Ross [1]: commit 0891fb39ba67bd7ae023ea0d367297ffff010781 Author: Juergen Gross <jgross(a)suse.com> Date: Wed Sep 30 11:16:14 2020 +0200 xen/events: don't use chip_data for legacy IRQs Since commit c330fb1ddc0a ("XEN uses irqdesc::irq_data_common::handler_data to store a per interrupt XEN data pointer which contains XEN specific information.") Xen is using the chip_data pointer for storing IRQ specific data. When running as a HVM domain this can result in problems for legacy IRQs, as those might use chip_data for their own purposes. Use a local array for this purpose in case of legacy IRQs, avoiding the double use. Cc: stable(a)vger.kernel.org Fixes: c330fb1ddc0a ("XEN uses irqdesc::irq_data_common::handler_data to store a per interrupt XEN data pointer which contains XEN specific information.") Signed-off-by: Juergen Gross <jgross(a)suse.com> Tested-by: Stefan Bader <stefan.bader(a)canonical.com> Reviewed-by: Boris Ostrovsky <boris.ostrovsky(a)oracle.com> Link: https://lore.kernel.org/r/20200930091614.13660-1-jgross@suse.com Signed-off-by: Juergen Gross <jgross(a)suse.com>

4 years, 2 months

3
5
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror October 2020