April 2021 - Linux-stable-mirror

[PATCH 5.12 -stable] iwlwifi: Fix softirq/hardirq disabling in iwl_pcie_gen2_enqueue_hcmd()

by Jiri Kosina

[ commit e7020bb068d8be50a92f48e36b236a1a1ef9282e upstream ] From: Jiri Kosina <jkosina(a)suse.cz> Analogically to what we did in 2800aadc18a6 ("iwlwifi: Fix softirq/hardirq disabling in iwl_pcie_enqueue_hcmd()"), we must apply the same fix to iwl_pcie_gen2_enqueue_hcmd(), as it's being called from exactly the same contexts. Reported-by: Heiner Kallweit <hkallweit1(a)gmail.com Signed-off-by: Jiri Kosina <jkosina(a)suse.cz> Signed-off-by: Kalle Valo <kvalo(a)codeaurora.org> Link: https://lore.kernel.org/r/nycvar.YFH.7.76.2104171112390.18270@cbobk.fhfr.pm --- This fix unfortunately didn't make it upstream in time. drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c b/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c index 4456abb9a074..34bde8c87324 100644 --- a/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c +++ b/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c @@ -40,6 +40,7 @@ int iwl_pcie_gen2_enqueue_hcmd(struct iwl_trans *trans, const u8 *cmddata[IWL_MAX_CMD_TBS_PER_TFD]; u16 cmdlen[IWL_MAX_CMD_TBS_PER_TFD]; struct iwl_tfh_tfd *tfd; + unsigned long flags; copy_size = sizeof(struct iwl_cmd_header_wide); cmd_size = sizeof(struct iwl_cmd_header_wide); @@ -108,14 +109,14 @@ int iwl_pcie_gen2_enqueue_hcmd(struct iwl_trans *trans, goto free_dup_buf; } - spin_lock_bh(&txq->lock); + spin_lock_irqsave(&txq->lock, flags); idx = iwl_txq_get_cmd_index(txq, txq->write_ptr); tfd = iwl_txq_get_tfd(trans, txq, txq->write_ptr); memset(tfd, 0, sizeof(*tfd)); if (iwl_txq_space(trans, txq) < ((cmd->flags & CMD_ASYNC) ? 2 : 1)) { - spin_unlock_bh(&txq->lock); + spin_unlock_irqrestore(&txq->lock, flags); IWL_ERR(trans, "No space in command queue\n"); iwl_op_mode_cmd_queue_full(trans->op_mode); @@ -250,7 +251,7 @@ int iwl_pcie_gen2_enqueue_hcmd(struct iwl_trans *trans, spin_unlock(&trans_pcie->reg_lock); out: - spin_unlock_bh(&txq->lock); + spin_unlock_irqrestore(&txq->lock, flags); free_dup_buf: if (idx < 0) kfree(dup_buf); -- 2.12.3 -- Jiri Kosina SUSE Labs

3 years, 8 months

2
1
0 0

patch "dyndbg: fix parsing file query without a line-range suffix" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled dyndbg: fix parsing file query without a line-range suffix to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. >From 7b1ae248279bea33af9e797a93c35f49601cb8a0 Mon Sep 17 00:00:00 2001 From: Shuo Chen <shuochen(a)google.com> Date: Wed, 14 Apr 2021 14:24:00 -0700 Subject: dyndbg: fix parsing file query without a line-range suffix Query like 'file tcp_input.c line 1234 +p' was broken by commit aaebe329bff0 ("dyndbg: accept 'file foo.c:func1' and 'file foo.c:10-100'") because a file name without a ':' now makes the loop in ddebug_parse_query() exits early before parsing the 'line 1234' part. As a result, all pr_debug() in tcp_input.c will be enabled, instead of only the one on line 1234. Changing 'break' to 'continue' fixes this. Fixes: aaebe329bff0 ("dyndbg: accept 'file foo.c:func1' and 'file foo.c:10-100'") Cc: stable <stable(a)vger.kernel.org> Reviewed-by: Eric Dumazet <edumazet(a)google.com> Signed-off-by: Shuo Chen <shuochen(a)google.com> Acked-by: Jason Baron <jbaron(a)akamai.com> Link: https://lore.kernel.org/r/20210414212400.2927281-1-giantchen@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- lib/dynamic_debug.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/dynamic_debug.c b/lib/dynamic_debug.c index c70d6347afa2..921d0a654243 100644 --- a/lib/dynamic_debug.c +++ b/lib/dynamic_debug.c @@ -396,7 +396,7 @@ static int ddebug_parse_query(char *words[], int nwords, /* tail :$info is function or line-range */ fline = strchr(query->filename, ':'); if (!fline) - break; + continue; *fline++ = '\0'; if (isalpha(*fline) || *fline == '*' || *fline == '?') { /* take as function name */ -- 2.31.1

3 years, 8 months

1
0
0 0

[PATCH] drm/amd/display: Update modifier list for gfx10_3

by Qingqing Zhuo

The attached patch failed to apply to 5.11-stable tree, but would be preferred to be there. Thanks, Lillian --- commit 6d638b3ffd27036c062d32cb4efd4be172c2a65e upstream. [Why] Current list supports modifiers that have DCC_MAX_COMPRESSED_BLOCK set to AMD_FMT_MOD_DCC_BLOCK_128B, while AMD_FMT_MOD_DCC_BLOCK_64B is used instead by userspace. [How] Replace AMD_FMT_MOD_DCC_BLOCK_128B with AMD_FMT_MOD_DCC_BLOCK_64B for modifiers with DCC supported. Fixes: faa37f54ce0462 ("drm/amd/display: Expose modifiers") Signed-off-by: Qingqing Zhuo <qingqing.zhuo(a)amd.com> Reviewed-by: Bas Nieuwenhuizen <bas(a)basnieuwenhuizen.nl> Tested-by: Bas Nieuwenhuizen <bas(a)basnieuwenhuizen.nl> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org --- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c index 54fd48ee5f27..62a637c03f60 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c @@ -4184,7 +4184,7 @@ add_gfx10_3_modifiers(const struct amdgpu_device *adev, AMD_FMT_MOD_SET(DCC_CONSTANT_ENCODE, 1) | AMD_FMT_MOD_SET(DCC_INDEPENDENT_64B, 1) | AMD_FMT_MOD_SET(DCC_INDEPENDENT_128B, 1) | - AMD_FMT_MOD_SET(DCC_MAX_COMPRESSED_BLOCK, AMD_FMT_MOD_DCC_BLOCK_128B)); + AMD_FMT_MOD_SET(DCC_MAX_COMPRESSED_BLOCK, AMD_FMT_MOD_DCC_BLOCK_64B)); add_modifier(mods, size, capacity, AMD_FMT_MOD | AMD_FMT_MOD_SET(TILE, AMD_FMT_MOD_TILE_GFX9_64K_R_X) | @@ -4196,7 +4196,7 @@ add_gfx10_3_modifiers(const struct amdgpu_device *adev, AMD_FMT_MOD_SET(DCC_CONSTANT_ENCODE, 1) | AMD_FMT_MOD_SET(DCC_INDEPENDENT_64B, 1) | AMD_FMT_MOD_SET(DCC_INDEPENDENT_128B, 1) | - AMD_FMT_MOD_SET(DCC_MAX_COMPRESSED_BLOCK, AMD_FMT_MOD_DCC_BLOCK_128B)); + AMD_FMT_MOD_SET(DCC_MAX_COMPRESSED_BLOCK, AMD_FMT_MOD_DCC_BLOCK_64B)); add_modifier(mods, size, capacity, AMD_FMT_MOD | AMD_FMT_MOD_SET(TILE, AMD_FMT_MOD_TILE_GFX9_64K_R_X) | -- 2.25.1

3 years, 8 months

1
0
0 0

Linux 5.4.115

by Greg Kroah-Hartman

I'm announcing the release of the 5.4.115 kernel. All users of the 5.4 kernel series must upgrade. The updated 5.4.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.4.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm/boot/dts/omap3.dtsi | 3 arch/arm64/boot/dts/allwinner/sun50i-a64-pine64-lts.dts | 2 arch/csky/Kconfig | 2 arch/csky/include/asm/page.h | 2 arch/ia64/mm/discontig.c | 6 - arch/s390/kernel/entry.S | 1 arch/s390/kernel/ptrace.c | 17 +++- arch/x86/events/intel/core.c | 2 arch/x86/events/intel/uncore_snbep.c | 61 ++++++---------- arch/x86/kernel/crash.c | 2 drivers/gpio/gpio-omap.c | 9 ++ drivers/hid/hid-alps.c | 1 drivers/hid/hid-google-hammer.c | 2 drivers/hid/hid-ids.h | 1 drivers/hid/wacom_wac.c | 2 drivers/net/ethernet/cavium/liquidio/cn66xx_regs.h | 2 drivers/net/geneve.c | 6 + drivers/net/usb/hso.c | 2 drivers/net/xen-netback/xenbus.c | 12 ++- drivers/pinctrl/intel/pinctrl-lewisburg.c | 6 - drivers/usb/class/cdc-acm.c | 3 include/linux/platform_data/gpio-omap.h | 3 kernel/locking/qrwlock.c | 7 + tools/arch/ia64/include/asm/barrier.h | 3 tools/perf/util/auxtrace.c | 2 26 files changed, 94 insertions(+), 67 deletions(-) Ali Saidi (1): locking/qrwlock: Fix ordering in queued_write_lock_slowpath() Andre Przywara (1): arm64: dts: allwinner: Revert SD card CD GPIO for Pine64-LTS Greg Kroah-Hartman (1): Linux 5.4.115 Jia-Ju Bai (1): HID: alps: fix error return code in alps_input_configured() Jiapeng Zhong (1): HID: wacom: Assign boolean values to a bool variable Jim Mattson (1): perf/x86/kvm: Fix Broadwell Xeon stepping in isolation_ucodes[] Johan Hovold (1): net: hso: fix NULL-deref on disconnect regression John Paul Adrian Glaubitz (1): ia64: tools: remove duplicate definition of ia64_mf() on ia64 Kan Liang (1): perf/x86/intel/uncore: Remove uncore extra PCI dev HSWEP_PCI_PCU_3 Leo Yan (1): perf auxtrace: Fix potential NULL pointer dereference Michael Brown (1): xen-netback: Check for hotplug-status existence before watching Mike Galbraith (1): x86/crash: Fix crash_setup_memmap_entries() out-of-bounds access Oliver Neukum (1): USB: CDC-ACM: fix poison/unpoison imbalance Phillip Potter (1): net: geneve: check skb is large enough for IPv4/IPv6 header Randy Dunlap (2): csky: change a Kconfig symbol name to fix e1000 build error ia64: fix discontig.c section mismatches Shou-Chieh Hsu (1): HID: google: add don USB id Sven Schnelle (1): s390/ptrace: return -ENOSYS when invalid syscall is supplied Tony Lindgren (2): gpio: omap: Save and restore sysconfig ARM: dts: Fix swapped mmc order for omap3 Vasily Gorbik (1): s390/entry: save the caller of psw_idle Wan Jiabing (1): cavium/liquidio: Fix duplicate argument Yuanyuan Zhong (1): pinctrl: lewisburg: Update number of pins in community

3 years, 8 months

2
2
0 0

Linux 4.19.189

by Greg Kroah-Hartman

I'm announcing the release of the 4.19.189 kernel. All users of the 4.19 kernel series must upgrade. The updated 4.19.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.19.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arc/kernel/signal.c | 4 - arch/arm/boot/dts/omap3.dtsi | 3 + arch/arm/boot/dts/omap4.dtsi | 5 + arch/arm/boot/dts/omap44xx-clocks.dtsi | 8 -- arch/arm/boot/dts/omap5.dtsi | 5 + arch/arm/mach-footbridge/cats-pci.c | 4 - arch/arm/mach-footbridge/ebsa285-pci.c | 4 - arch/arm/mach-footbridge/netwinder-pci.c | 2 arch/arm/mach-footbridge/personal-pci.c | 5 - arch/arm/mach-keystone/keystone.c | 4 - arch/arm/probes/uprobes/core.c | 4 - arch/arm64/include/asm/alternative.h | 8 +- arch/arm64/include/asm/word-at-a-time.h | 10 +-- arch/ia64/mm/discontig.c | 6 +- arch/s390/kernel/entry.S | 1 arch/x86/events/intel/uncore_snbep.c | 61 ++++++++------------- arch/x86/kernel/crash.c | 2 drivers/dma/dw/Kconfig | 2 drivers/gpio/gpiolib-sysfs.c | 8 ++ drivers/gpu/drm/msm/adreno/a5xx_gpu.c | 4 - drivers/gpu/drm/msm/adreno/a6xx_gpu.c | 4 - drivers/hid/hid-alps.c | 1 drivers/hid/hid-google-hammer.c | 2 drivers/hid/hid-ids.h | 1 drivers/hid/wacom_wac.c | 8 +- drivers/input/keyboard/nspire-keypad.c | 56 ++++++++++--------- drivers/input/serio/i8042-x86ia64io.h | 1 drivers/input/touchscreen/s6sy761.c | 4 - drivers/md/dm-verity-fec.c | 11 ++- drivers/md/dm-verity-fec.h | 1 drivers/net/dsa/mv88e6xxx/chip.c | 30 ++++------ drivers/net/ethernet/amd/pcnet32.c | 5 + drivers/net/ethernet/cavium/liquidio/cn66xx_regs.h | 2 drivers/net/ethernet/davicom/dm9000.c | 6 +- drivers/net/ethernet/ibm/ibmvnic.c | 14 ---- drivers/net/ethernet/intel/i40e/i40e_main.c | 6 ++ drivers/net/geneve.c | 6 ++ drivers/net/phy/marvell.c | 28 ++++++++- drivers/net/usb/hso.c | 2 drivers/net/xen-netback/xenbus.c | 12 ++-- drivers/pinctrl/intel/pinctrl-lewisburg.c | 6 +- drivers/scsi/libsas/sas_ata.c | 9 +-- drivers/scsi/scsi_transport_srp.c | 2 drivers/usb/class/cdc-acm.c | 3 - fs/readdir.c | 6 ++ include/linux/marvell_phy.h | 5 + kernel/locking/lockdep.c | 3 - kernel/locking/qrwlock.c | 7 +- mm/gup.c | 44 +++++++++++++-- mm/huge_memory.c | 7 +- net/core/neighbour.c | 2 net/ieee802154/nl802154.c | 29 +++++++++ net/ipv6/ip6_tunnel.c | 10 +++ net/ipv6/sit.c | 4 - net/mac80211/cfg.c | 4 + net/netfilter/nf_conntrack_standalone.c | 1 net/netfilter/nft_limit.c | 4 - net/sctp/socket.c | 13 +--- sound/soc/fsl/fsl_esai.c | 8 +- tools/arch/ia64/include/asm/barrier.h | 3 - 61 files changed, 324 insertions(+), 198 deletions(-) Alexander Aring (7): net: ieee802154: stop dump llsec keys for monitors net: ieee802154: stop dump llsec devs for monitors net: ieee802154: forbid monitor for add llsec dev net: ieee802154: stop dump llsec devkeys for monitors net: ieee802154: forbid monitor for add llsec devkey net: ieee802154: stop dump llsec seclevels for monitors net: ieee802154: forbid monitor for add llsec seclevel Alexander Shiyan (1): ASoC: fsl_esai: Fix TDM slot setup for I2S mode Ali Saidi (1): locking/qrwlock: Fix ordering in queued_write_lock_slowpath() Andy Shevchenko (1): dmaengine: dw: Make it dependent to HAS_IOMEM Arnd Bergmann (2): ARM: keystone: fix integer overflow warning Input: i8042 - fix Pegatron C15B ID entry Caleb Connolly (1): Input: s6sy761 - fix coordinate read bit shift Christophe JAILLET (1): net: davicom: Fix regulator not turned off on failed probe Eric Dumazet (1): netfilter: nft_limit: avoid possible divide error in nft_limit_init Fabian Vogt (1): Input: nspire-keypad - enable interrupts only when opened Fredrik Strupe (1): ARM: 9071/1: uprobes: Don't hook on thumb instructions Greg Kroah-Hartman (1): Linux 4.19.189 Guenter Roeck (1): pcnet32: Use pci_resource_len to validate PCI resource Hristo Venev (2): net: sit: Unregister catch-all devices net: ip6_tunnel: Unregister catch-all devices Jaegeuk Kim (1): dm verity fec: fix misaligned RS roots IO Jason Xing (1): i40e: fix the panic when running bpf in xdpdrv mode Jia-Ju Bai (1): HID: alps: fix error return code in alps_input_configured() Jiapeng Zhong (1): HID: wacom: Assign boolean values to a bool variable Johan Hovold (1): net: hso: fix NULL-deref on disconnect regression John Paul Adrian Glaubitz (1): ia64: tools: remove duplicate definition of ia64_mf() on ia64 Jolly Shah (1): scsi: libsas: Reset num_scatter if libata marks qc as NODATA Kan Liang (1): perf/x86/intel/uncore: Remove uncore extra PCI dev HSWEP_PCI_PCU_3 Lijun Pan (3): ibmvnic: avoid calling napi_disable() twice ibmvnic: remove duplicate napi_schedule call in do_reset function ibmvnic: remove duplicate napi_schedule call in open function Linus Torvalds (2): readdir: make sure to verify directory entry for legacy interfaces too gup: document and work around "COW can break either way" issue Martin Wilck (1): scsi: scsi_transport_srp: Don't block target in SRP_PORT_LOST state Matti Vaittinen (1): gpio: sysfs: Obey valid_mask Michael Brown (1): xen-netback: Check for hotplug-status existence before watching Mike Galbraith (1): x86/crash: Fix crash_setup_memmap_entries() out-of-bounds access Nathan Chancellor (1): arm64: alternatives: Move length validation in alternative_{insn, endif} Oliver Neukum (1): USB: CDC-ACM: fix poison/unpoison imbalance Or Cohen (1): net/sctp: fix race condition in sctp_destroy_sock Pablo Neira Ayuso (1): netfilter: conntrack: do not print icmpv6 as unknown via /proc Pali Rohár (1): net: phy: marvell: fix detection of PHY on Topaz switches Peter Collingbourne (1): arm64: fix inline asm in load_unaligned_zeropad() Phillip Potter (1): net: geneve: check skb is large enough for IPv4/IPv6 header Ping Cheng (1): HID: wacom: set EV_KEY and EV_ABS only for non-HID_GENERIC type of devices Randy Dunlap (1): ia64: fix discontig.c section mismatches Rob Clark (1): drm/msm: Fix a5xx/a6xx timestamps Russell King (1): ARM: footbridge: fix PCI interrupt mapping Seevalamuthu Mariappan (1): mac80211: clear sta->fast_rx when STA removed from 4-addr VLAN Shou-Chieh Hsu (1): HID: google: add don USB id Tetsuo Handa (1): lockdep: Add a missing initialization hint to the "INFO: Trying to register non-static key" message Tong Zhu (1): neighbour: Disregard DEAD dst in neigh_update Tony Lindgren (3): ARM: dts: Drop duplicate sha2md5_fck to fix clk_disable race ARM: dts: Fix moving mmc devices with aliases for omap4 & 5 ARM: dts: Fix swapped mmc order for omap3 Vasily Gorbik (1): s390/entry: save the caller of psw_idle Wan Jiabing (1): cavium/liquidio: Fix duplicate argument Wang Qing (1): arc: kernel: Return -EFAULT if copy_to_user() fails Yuanyuan Zhong (1): pinctrl: lewisburg: Update number of pins in community

3 years, 8 months

2
2
0 0

Linux 5.10.33

by Greg Kroah-Hartman

I'm announcing the release of the 5.10.33 kernel. All users of the 5.10 kernel series must upgrade. The updated 5.10.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.10.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm/boot/dts/omap3.dtsi | 3 arch/arm64/boot/dts/allwinner/sun50i-a64-pine64-lts.dts | 2 arch/arm64/kernel/probes/kprobes.c | 6 arch/csky/Kconfig | 2 arch/csky/include/asm/page.h | 2 arch/ia64/mm/discontig.c | 6 arch/s390/kernel/entry.S | 1 arch/x86/events/intel/core.c | 2 arch/x86/events/intel/uncore_snbep.c | 61 - arch/x86/kernel/crash.c | 2 block/ioctl.c | 2 drivers/dma/tegra20-apb-dma.c | 4 drivers/dma/xilinx/xilinx_dpdma.c | 31 drivers/gpio/gpio-omap.c | 9 drivers/hid/hid-alps.c | 1 drivers/hid/hid-cp2112.c | 22 drivers/hid/hid-google-hammer.c | 2 drivers/hid/hid-ids.h | 1 drivers/hid/wacom_wac.c | 2 drivers/net/ethernet/cavium/liquidio/cn66xx_regs.h | 2 drivers/net/geneve.c | 6 drivers/net/usb/hso.c | 2 drivers/net/xen-netback/xenbus.c | 12 drivers/pinctrl/core.c | 14 drivers/pinctrl/intel/pinctrl-lewisburg.c | 6 drivers/soc/qcom/qcom-geni-se.c | 3 drivers/usb/class/cdc-acm.c | 3 drivers/vdpa/mlx5/core/mr.c | 4 drivers/vhost/vdpa.c | 6 include/linux/bpf.h | 5 include/linux/bpf_verifier.h | 3 include/linux/platform_data/gpio-omap.h | 3 kernel/bpf/verifier.c | 774 ++++++++++++---- kernel/locking/qrwlock.c | 7 scripts/Makefile.kasan | 12 security/keys/trusted-keys/trusted_tpm2.c | 2 tools/arch/ia64/include/asm/barrier.h | 3 tools/perf/util/auxtrace.c | 2 tools/perf/util/map.c | 7 40 files changed, 744 insertions(+), 295 deletions(-) Ali Saidi (1): locking/qrwlock: Fix ordering in queued_write_lock_slowpath() Andre Przywara (1): arm64: dts: allwinner: Revert SD card CD GPIO for Pine64-LTS Andrei Matei (1): bpf: Allow variable-offset stack access Andy Shevchenko (1): pinctrl: core: Show pin numbers for the controllers with base = 0 Arnd Bergmann (1): kasan: fix hwasan build for gcc Christoph Hellwig (1): block: return -EBUSY when there are open partitions in blkdev_reread_part Daniel Borkmann (2): bpf: Refactor and streamline bounds check into helper bpf: Tighten speculative pointer arithmetic mask Dinghao Liu (1): dmaengine: tegra20: Fix runtime PM imbalance on error Douglas Gilbert (1): HID cp2112: fix support for multiple gpiochips Eli Cohen (1): vdpa/mlx5: Set err = -ENOMEM in case dma_map_sg_attrs fails Greg Kroah-Hartman (1): Linux 5.10.33 James Bottomley (1): KEYS: trusted: Fix TPM reservation for seal/unseal Jia-Ju Bai (1): HID: alps: fix error return code in alps_input_configured() Jiapeng Zhong (1): HID: wacom: Assign boolean values to a bool variable Jim Mattson (1): perf/x86/kvm: Fix Broadwell Xeon stepping in isolation_ucodes[] Jisheng Zhang (1): arm64: kprobes: Restore local irqflag if kprobes is cancelled Johan Hovold (1): net: hso: fix NULL-deref on disconnect regression John Paul Adrian Glaubitz (1): ia64: tools: remove duplicate definition of ia64_mf() on ia64 Kan Liang (1): perf/x86/intel/uncore: Remove uncore extra PCI dev HSWEP_PCI_PCU_3 Laurent Pinchart (2): dmaengine: xilinx: dpdma: Fix descriptor issuing on video group dmaengine: xilinx: dpdma: Fix race condition in done IRQ Leo Yan (1): perf auxtrace: Fix potential NULL pointer dereference Michael Brown (1): xen-netback: Check for hotplug-status existence before watching Mike Galbraith (1): x86/crash: Fix crash_setup_memmap_entries() out-of-bounds access Oliver Neukum (1): USB: CDC-ACM: fix poison/unpoison imbalance Phillip Potter (1): net: geneve: check skb is large enough for IPv4/IPv6 header Randy Dunlap (2): csky: change a Kconfig symbol name to fix e1000 build error ia64: fix discontig.c section mismatches Shawn Guo (1): soc: qcom: geni: shield geni_icc_get() for ACPI boot Shou-Chieh Hsu (1): HID: google: add don USB id Tony Lindgren (2): gpio: omap: Save and restore sysconfig ARM: dts: Fix swapped mmc order for omap3 Vasily Gorbik (1): s390/entry: save the caller of psw_idle Wan Jiabing (1): cavium/liquidio: Fix duplicate argument Xie Yongji (1): vhost-vdpa: protect concurrent access to vhost device iotlb Yonghong Song (1): bpf: Permits pointers on stack for helper calls Yuanyuan Zhong (1): pinctrl: lewisburg: Update number of pins in community Zhen Lei (1): perf map: Fix error return code in maps__clone()

3 years, 8 months

2
2
0 0

patch "nitro_enclaves: Fix stale file descriptors on failed usercopy" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled nitro_enclaves: Fix stale file descriptors on failed usercopy to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. >From f1ce3986baa62cffc3c5be156994de87524bab99 Mon Sep 17 00:00:00 2001 From: Mathias Krause <minipli(a)grsecurity.net> Date: Thu, 29 Apr 2021 19:59:41 +0300 Subject: nitro_enclaves: Fix stale file descriptors on failed usercopy A failing usercopy of the slot uid will lead to a stale entry in the file descriptor table as put_unused_fd() won't release it. This enables userland to refer to a dangling 'file' object through that still valid file descriptor, leading to all kinds of use-after-free exploitation scenarios. Exchanging put_unused_fd() for close_fd(), ksys_close() or alike won't solve the underlying issue, as the file descriptor might have been replaced in the meantime, e.g. via userland calling close() on it (leading to a NULL pointer dereference in the error handling code as 'fget(enclave_fd)' will return a NULL pointer) or by dup2()'ing a completely different file object to that very file descriptor, leading to the same situation: a dangling file descriptor pointing to a freed object -- just in this case to a file object of user's choosing. Generally speaking, after the call to fd_install() the file descriptor is live and userland is free to do whatever with it. We cannot rely on it to still refer to our enclave object afterwards. In fact, by abusing userfaultfd() userland can hit the condition without any racing and abuse the error handling in the nitro code as it pleases. To fix the above issues, defer the call to fd_install() until all possible errors are handled. In this case it's just the usercopy, so do it directly in ne_create_vm_ioctl() itself. Signed-off-by: Mathias Krause <minipli(a)grsecurity.net> Signed-off-by: Andra Paraschiv <andraprs(a)amazon.com> Cc: stable <stable(a)vger.kernel.org> Link: https://lore.kernel.org/r/20210429165941.27020-2-andraprs@amazon.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/virt/nitro_enclaves/ne_misc_dev.c | 43 +++++++++-------------- 1 file changed, 17 insertions(+), 26 deletions(-) diff --git a/drivers/virt/nitro_enclaves/ne_misc_dev.c b/drivers/virt/nitro_enclaves/ne_misc_dev.c index f1964ea4b826..e21e1e86ad15 100644 --- a/drivers/virt/nitro_enclaves/ne_misc_dev.c +++ b/drivers/virt/nitro_enclaves/ne_misc_dev.c @@ -1524,7 +1524,8 @@ static const struct file_operations ne_enclave_fops = { * enclave file descriptor to be further used for enclave * resources handling e.g. memory regions and CPUs. * @ne_pci_dev : Private data associated with the PCI device. - * @slot_uid: Generated unique slot id associated with an enclave. + * @slot_uid: User pointer to store the generated unique slot id + * associated with an enclave to. * * Context: Process context. This function is called with the ne_pci_dev enclave * mutex held. @@ -1532,7 +1533,7 @@ static const struct file_operations ne_enclave_fops = { * * Enclave fd on success. * * Negative return value on failure. */ -static int ne_create_vm_ioctl(struct ne_pci_dev *ne_pci_dev, u64 *slot_uid) +static int ne_create_vm_ioctl(struct ne_pci_dev *ne_pci_dev, u64 __user *slot_uid) { struct ne_pci_dev_cmd_reply cmd_reply = {}; int enclave_fd = -1; @@ -1634,7 +1635,18 @@ static int ne_create_vm_ioctl(struct ne_pci_dev *ne_pci_dev, u64 *slot_uid) list_add(&ne_enclave->enclave_list_entry, &ne_pci_dev->enclaves_list); - *slot_uid = ne_enclave->slot_uid; + if (copy_to_user(slot_uid, &ne_enclave->slot_uid, sizeof(ne_enclave->slot_uid))) { + /* + * As we're holding the only reference to 'enclave_file', fput() + * will call ne_enclave_release() which will do a proper cleanup + * of all so far allocated resources, leaving only the unused fd + * for us to free. + */ + fput(enclave_file); + put_unused_fd(enclave_fd); + + return -EFAULT; + } fd_install(enclave_fd, enclave_file); @@ -1671,34 +1683,13 @@ static long ne_ioctl(struct file *file, unsigned int cmd, unsigned long arg) switch (cmd) { case NE_CREATE_VM: { int enclave_fd = -1; - struct file *enclave_file = NULL; struct ne_pci_dev *ne_pci_dev = ne_devs.ne_pci_dev; - int rc = -EINVAL; - u64 slot_uid = 0; + u64 __user *slot_uid = (void __user *)arg; mutex_lock(&ne_pci_dev->enclaves_list_mutex); - - enclave_fd = ne_create_vm_ioctl(ne_pci_dev, &slot_uid); - if (enclave_fd < 0) { - rc = enclave_fd; - - mutex_unlock(&ne_pci_dev->enclaves_list_mutex); - - return rc; - } - + enclave_fd = ne_create_vm_ioctl(ne_pci_dev, slot_uid); mutex_unlock(&ne_pci_dev->enclaves_list_mutex); - if (copy_to_user((void __user *)arg, &slot_uid, sizeof(slot_uid))) { - enclave_file = fget(enclave_fd); - /* Decrement file refs to have release() called. */ - fput(enclave_file); - fput(enclave_file); - put_unused_fd(enclave_fd); - - return -EFAULT; - } - return enclave_fd; } -- 2.31.1

3 years, 8 months

1
0
0 0

[PATCH v1 0/1] Nitro Enclaves kernel driver issue fix

by Andra Paraschiv

An issue was found in the Nitro Enclaves kernel driver codebase [1] included in the v5.10 upstream Linux kernel. The fix for it has been tested on the AWS side. The issue does not break the isolation or security of what is running inside the enclave. Nitro Enclaves already assumes that the instance running the Nitro Enclaves kernel driver is untrusted. We would like to thank Mathias Krause from Open Source Security, Inc. for reporting and providing a fix for this issue directly to AWS. The patch will be merged into the latest upstream Linux kernel release and into the v5.10+ stable kernel releases. Thanks, Andra [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/dri… Mathias Krause (1): nitro_enclaves: Fix stale file descriptors on failed usercopy drivers/virt/nitro_enclaves/ne_misc_dev.c | 43 +++++++++-------------- 1 file changed, 17 insertions(+), 26 deletions(-) -- 2.20.1 (Apple Git-117) Amazon Development Center (Romania) S.R.L. registered office: 27A Sf. Lazar Street, UBC5, floor 2, Iasi, Iasi County, 700045, Romania. Registered in Romania. Registration number J22/2621/2005.

3 years, 8 months

1
1
0 0

[PATCH] hfsplus: Prevent corruption in shrinking truncate

by Jouni Roivas

I believe there are some issues introduced by commit 31651c607151 ("hfsplus: avoid deadlock on file truncation") HFS+ has extent records which always contains 8 extents. In case the first extent record in catalog file gets full, new ones are allocated from extents overflow file. In case shrinking truncate happens to middle of an extent record which locates in extents overflow file, the logic in hfsplus_file_truncate() was changed so that call to hfs_brec_remove() is not guarded any more. Right action would be just freeing the extents that exceed the new size inside extent record by calling hfsplus_free_extents(), and then check if the whole extent record should be removed. However since the guard (blk_cnt > start) is now after the call to hfs_brec_remove(), this has unfortunate effect that the last matching extent record is removed unconditionally. To reproduce this issue, create a file which has at least 10 extents, and then perform shrinking truncate into middle of the last extent record, so that the number of remaining extents is not under or divisible by 8. This causes the last extent record (8 extents) to be removed totally instead of truncating into middle of it. Thus this causes corruption, and lost data. Fix for this is simply checking if the new truncated end is below the start of this extent record, making it safe to remove the full extent record. However call to hfs_brec_remove() can't be moved to it's previous place since we're dropping ->tree_lock and it can cause a race condition and the cached info being invalidated possibly corrupting the node data. Another issue is related to this one. When entering into the block (blk_cnt > start) we are not holding the ->tree_lock. We break out from the loop not holding the lock, but hfs_find_exit() does unlock it. Not sure if it's possible for someone else to take the lock under our feet, but it can cause hard to debug errors and premature unlocking. Even if there's no real risk of it, the locking should still always be kept in balance. Thus taking the lock now just before the check. Cc: <stable(a)vger.kernel.org> Cc: <linux-fsdevel(a)vger.kernel.org> Reviewed-by: Anton Altaparmakov <anton(a)tuxera.com> Signed-off-by: Jouni Roivas <jouni.roivas(a)tuxera.com> --- fs/hfsplus/extents.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/fs/hfsplus/extents.c b/fs/hfsplus/extents.c index a930ddd15681..7054a542689f 100644 --- a/fs/hfsplus/extents.c +++ b/fs/hfsplus/extents.c @@ -598,13 +598,15 @@ void hfsplus_file_truncate(struct inode *inode) res = __hfsplus_ext_cache_extent(&fd, inode, alloc_cnt); if (res) break; - hfs_brec_remove(&fd); - mutex_unlock(&fd.tree->tree_lock); start = hip->cached_start; + if (blk_cnt <= start) + hfs_brec_remove(&fd); + mutex_unlock(&fd.tree->tree_lock); hfsplus_free_extents(sb, hip->cached_extents, alloc_cnt - start, alloc_cnt - blk_cnt); hfsplus_dump_extent(hip->cached_extents); + mutex_lock(&fd.tree->tree_lock); if (blk_cnt > start) { hip->extent_state |= HFSPLUS_EXT_DIRTY; break; @@ -612,7 +614,6 @@ void hfsplus_file_truncate(struct inode *inode) alloc_cnt = start; hip->cached_start = hip->cached_blocks = 0; hip->extent_state &= ~(HFSPLUS_EXT_DIRTY | HFSPLUS_EXT_NEW); - mutex_lock(&fd.tree->tree_lock); } hfs_find_exit(&fd); -- 2.25.1

3 years, 8 months

1
0
0 0

[PATCH] sfc: adjust efx->xdp_tx_queue_count with the real number of initialized queues

by Ignat Korchagin

efx->xdp_tx_queue_count is initially initialized to num_possible_cpus() and is later used to allocate and traverse efx->xdp_tx_queues lookup array. However, we may end up not initializing all the array slots with real queues during probing. This results, for example, in a NULL pointer dereference, when running "# ethtool -S <iface>", similar to below [2570283.664955][T4126959] BUG: kernel NULL pointer dereference, address: 00000000000000f8 [2570283.681283][T4126959] #PF: supervisor read access in kernel mode [2570283.695678][T4126959] #PF: error_code(0x0000) - not-present page [2570283.710013][T4126959] PGD 0 P4D 0 [2570283.721649][T4126959] Oops: 0000 [#1] SMP PTI [2570283.734108][T4126959] CPU: 23 PID: 4126959 Comm: ethtool Tainted: G O 5.10.20-cloudflare-2021.3.1 #1 [2570283.752641][T4126959] Hardware name: <redacted> [2570283.781408][T4126959] RIP: 0010:efx_ethtool_get_stats+0x2ca/0x330 [sfc] [2570283.796073][T4126959] Code: 00 85 c0 74 39 48 8b 95 a8 0f 00 00 48 85 d2 74 2d 31 c0 eb 07 48 8b 95 a8 0f 00 00 48 63 c8 49 83 c4 08 83 c0 01 48 8b 14 ca <48> 8b 92 f8 00 00 00 49 89 54 24 f8 39 85 a0 0f 00 00 77 d7 48 8b [2570283.831259][T4126959] RSP: 0018:ffffb79a77657ce8 EFLAGS: 00010202 [2570283.845121][T4126959] RAX: 0000000000000019 RBX: ffffb799cd0c9280 RCX: 0000000000000018 [2570283.860872][T4126959] RDX: 0000000000000000 RSI: ffff96dd970ce000 RDI: 0000000000000005 [2570283.876525][T4126959] RBP: ffff96dd86f0a000 R08: ffff96dd970ce480 R09: 000000000000005f [2570283.892014][T4126959] R10: ffffb799cd0c9fff R11: ffffb799cd0c9000 R12: ffffb799cd0c94f8 [2570283.907406][T4126959] R13: ffffffffc11b1090 R14: ffff96dd970ce000 R15: ffffffffc11cd66c [2570283.922705][T4126959] FS: 00007fa7723f8740(0000) GS:ffff96f51fac0000(0000) knlGS:0000000000000000 [2570283.938848][T4126959] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [2570283.952524][T4126959] CR2: 00000000000000f8 CR3: 0000001a73e6e006 CR4: 00000000007706e0 [2570283.967529][T4126959] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [2570283.982400][T4126959] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [2570283.997308][T4126959] PKRU: 55555554 [2570284.007649][T4126959] Call Trace: [2570284.017598][T4126959] dev_ethtool+0x1832/0x2830 Fix this by adjusting efx->xdp_tx_queue_count after probing to reflect the true value of initialized slots in efx->xdp_tx_queues. Signed-off-by: Ignat Korchagin <ignat(a)cloudflare.com> Fixes: e26ca4b53582 ("sfc: reduce the number of requested xdp ev queues") Cc: <stable(a)vger.kernel.org> # 5.12.x --- drivers/net/ethernet/sfc/efx_channels.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/ethernet/sfc/efx_channels.c b/drivers/net/ethernet/sfc/efx_channels.c index 1bfeee283ea9..a3ca406a3561 100644 --- a/drivers/net/ethernet/sfc/efx_channels.c +++ b/drivers/net/ethernet/sfc/efx_channels.c @@ -914,6 +914,8 @@ int efx_set_channels(struct efx_nic *efx) } } } + if (xdp_queue_number) + efx->xdp_tx_queue_count = xdp_queue_number; rc = netif_set_real_num_tx_queues(efx->net_dev, efx->n_tx_channels); if (rc) -- 2.20.1

3 years, 8 months

3
4
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror April 2021