October 2023 - Linux-stable-mirror

[PATCH 1/2] media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run

by Zheng Wang

In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with mtk_jpeg_job_timeout_work. In mtk_jpeg_dec_device_run, if error happens in mtk_jpeg_set_dec_dst, it will finally start the worker while mark the job as finished by invoking v4l2_m2m_job_finish. There are two methods to trigger the bug. If we remove the module, it which will call mtk_jpeg_remove to make cleanup. The possible sequence is as follows, which will cause a use-after-free bug. CPU0 CPU1 mtk_jpeg_dec_... | start worker | |mtk_jpeg_job_timeout_work mtk_jpeg_remove | v4l2_m2m_release | kfree(m2m_dev); | | | v4l2_m2m_get_curr_priv | m2m_dev->curr_ctx //use If we close the file descriptor, which will call mtk_jpeg_release, it will have a similar sequence. Fix this bug by starting timeout worker only if started jpegdec worker successfully. Then v4l2_m2m_job_finish will only be called in either mtk_jpeg_job_timeout_work or mtk_jpeg_dec_device_run. Fixes: b2f0d2724ba4 ("[media] vcodec: mediatek: Add Mediatek JPEG Decoder Driver") Signed-off-by: Zheng Wang <zyytlz.wz(a)163.com> Signed-off-by: Dmitry Osipenko <dmitry.osipenko(a)collabora.com> Cc: stable(a)vger.kernel.org --- drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c index 7194f88edc0f..252ba9b6857b 100644 --- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c +++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c @@ -1021,13 +1021,13 @@ static void mtk_jpeg_dec_device_run(void *priv) if (ret < 0) goto dec_end; - schedule_delayed_work(&jpeg->job_timeout_work, - msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC)); - mtk_jpeg_set_dec_src(ctx, &src_buf->vb2_buf, &bs); if (mtk_jpeg_set_dec_dst(ctx, &jpeg_src_buf->dec_param, &dst_buf->vb2_buf, &fb)) goto dec_end; + schedule_delayed_work(&jpeg->job_timeout_work, + msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC)); + spin_lock_irqsave(&jpeg->hw_lock, flags); mtk_jpeg_dec_reset(jpeg->reg_base); mtk_jpeg_dec_set_config(jpeg->reg_base, -- 2.25.1

1 year, 12 months

1
0
0 0

[PATCH 6.5 000/285] 6.5.4-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.5.4 release. There are 285 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Tue, 19 Sep 2023 19:10:04 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.5.4-rc1.… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.5.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.5.4-rc1 Wesley Chalmers <wesley.chalmers(a)amd.com> drm/amd/display: Fix a bug when searching for insert_above_mpcc Linus Torvalds <torvalds(a)linux-foundation.org> vm: fix move_vma() memory accounting being off Kuniyuki Iwashima <kuniyu(a)amazon.com> kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg(). Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> net: renesas: rswitch: Fix unmasking irq condition Corinna Vinschen <vinschen(a)redhat.com> igb: clean up in all error paths when enabling SR-IOV Vadim Fedorenko <vadim.fedorenko(a)linux.dev> ixgbe: fix timestamp configuration code Kuniyuki Iwashima <kuniyu(a)amazon.com> selftest: tcp: Fix address length in bind_wildcard.c. Kuniyuki Iwashima <kuniyu(a)amazon.com> tcp: Fix bind() regression for v4-mapped-v6 non-wildcard address. Kuniyuki Iwashima <kuniyu(a)amazon.com> tcp: Fix bind() regression for v4-mapped-v6 wildcard address. Kuniyuki Iwashima <kuniyu(a)amazon.com> tcp: Factorise sk_family-independent comparison in inet_bind2_bucket_match(_addr_any). Eric Dumazet <edumazet(a)google.com> ipv6: fix ip6_sock_set_addr_preferences() typo Toke Høiland-Jørgensen <toke(a)redhat.com> veth: Update XDP feature set when bringing up device Sascha Hauer <s.hauer(a)pengutronix.de> net: macb: fix sleep inside spinlock Liu Jian <liujian56(a)huawei.com> net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict() Geert Uytterhoeven <geert+renesas(a)glider.be> platform/mellanox: NVSW_SN2201 should depend on ACPI Shravan Kumar Ramani <shravankr(a)nvidia.com> platform/mellanox: mlxbf-pmc: Fix reading of unprogrammed events Shravan Kumar Ramani <shravankr(a)nvidia.com> platform/mellanox: mlxbf-pmc: Fix potential buffer overflows Liming Sun <limings(a)nvidia.com> platform/mellanox: mlxbf-tmfifo: Drop jumbo frames Liming Sun <limings(a)nvidia.com> platform/mellanox: mlxbf-tmfifo: Drop the Rx packet if no more descriptors Shigeru Yoshida <syoshida(a)redhat.com> kcm: Fix memory leak in error path of kcm_sendmsg() Hayes Wang <hayeswang(a)realtek.com> r8152: check budget for r8152_poll() Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: sja1105: block FDB accesses that are concurrent with a switch reset Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: sja1105: serialize sja1105_port_mcast_flood() with other FDB accesses Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: sja1105: fix multicast forwarding working only for last added mdb entry Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: sja1105: propagate exact error code from sja1105_dynamic_config_poll_valid() Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: sja1105: hide all multicast addresses from "bridge fdb show" Ciprian Regus <ciprian.regus(a)analog.com> net:ethernet:adi:adin1110: Fix forwarding offload Yang Yingliang <yangyingliang(a)huawei.com> net: ethernet: adi: adin1110: use eth_broadcast_addr() to assign broadcast address Ziyang Xuan <william.xuanziyang(a)huawei.com> hsr: Fix uninit-value access in fill_frame_info() Hangyu Hua <hbh25y(a)gmail.com> net: ethernet: mtk_eth_soc: fix possible NULL pointer dereference in mtk_hwlro_get_fdir_all() Hangyu Hua <hbh25y(a)gmail.com> net: ethernet: mvpp2_main: fix possible OOB write in mvpp2_ethtool_get_rxnfc() Vincent Whitchurch <vincent.whitchurch(a)axis.com> net: stmmac: fix handling of zero coalescing tx-usecs Guangguan Wang <guangguan.wang(a)linux.alibaba.com> net/smc: use smc_lgr_list.lock to protect smc_lgr_list.list iterate in smcr_port_add Ratheesh Kannoth <rkannoth(a)marvell.com> octeontx2-pf: Fix page pool cache index corruption. Jinjie Ruan <ruanjinjie(a)huawei.com> net: microchip: vcap api: Fix possible memory leak for vcap_dup_rule() Naveen N Rao <naveen(a)kernel.org> selftests/ftrace: Fix dependencies for some of the synthetic event tests Björn Töpel <bjorn(a)rivosinc.com> selftests: Keep symlinks, when possible Björn Töpel <bjorn(a)rivosinc.com> kselftest/runner.sh: Propagate SIGTERM to runner child Liu Jian <liujian56(a)huawei.com> net: ipv4: fix one memleak in __inet_del_ifa() Jinjie Ruan <ruanjinjie(a)huawei.com> kunit: Fix wild-memory-access bug in kunit_free_suite_set() Helge Deller <deller(a)gmx.de> parisc: sba_iommu: Fix build warning if procfs if disabled Biju Das <biju.das.jz(a)bp.renesas.com> regulator: raa215300: Fix resource leak in case of error Biju Das <biju.das.jz(a)bp.renesas.com> regulator: raa215300: Change the scope of the variables {clkin_name, xin_name} Arnd Bergmann <arnd(a)arndb.de> bpf: fix bpf_probe_read_kernel prototype mismatch Hamza Mahfooz <hamza.mahfooz(a)amd.com> drm/amdgpu: register a dirty framebuffer callback for fbcon Jay Cornwall <jay.cornwall(a)amd.com> drm/amdkfd: Add missing gfx11 MQD manager callbacks Gabe Teeger <gabe.teeger(a)amd.com> drm/amd/display: Remove wait while locked Wenjing Liu <wenjing.liu(a)amd.com> drm/amd/display: always switch off ODM before committing more streams Namhyung Kim <namhyung(a)kernel.org> perf hists browser: Fix the number of entries for 'e' key Namhyung Kim <namhyung(a)kernel.org> perf build: Include generated header files properly Namhyung Kim <namhyung(a)kernel.org> perf tools: Handle old data in PERF_RECORD_ATTR Namhyung Kim <namhyung(a)kernel.org> perf test shell stat_bpf_counters: Fix test on Intel Namhyung Kim <namhyung(a)kernel.org> perf build: Update build rule for generated files Namhyung Kim <namhyung(a)kernel.org> perf hists browser: Fix hierarchy mode header Maciej W. Rozycki <macro(a)orcam.me.uk> MIPS: Fix CONFIG_CPU_DADDI_WORKAROUNDS `modules_install' regression Maciej W. Rozycki <macro(a)orcam.me.uk> MIPS: Only fiddle with CHECKFLAGS if `need-compiler' Sean Christopherson <seanjc(a)google.com> KVM: SVM: Skip VMSA init in sev_es_init_vmcb() if pointer is NULL Sean Christopherson <seanjc(a)google.com> KVM: SVM: Set target pCPU during IRTE update if target vCPU is running Sean Christopherson <seanjc(a)google.com> KVM: nSVM: Load L1's TSC multiplier based on L1 state, not L2 state Sean Christopherson <seanjc(a)google.com> KVM: nSVM: Check instead of asserting on nested TSC scaling support Sean Christopherson <seanjc(a)google.com> KVM: SVM: Get source vCPUs from source VM for SEV-ES intrahost migration Sean Christopherson <seanjc(a)google.com> KVM: SVM: Don't inject #UD if KVM attempts to skip SEV guest insn Sean Christopherson <seanjc(a)google.com> KVM: SVM: Take and hold ir_list_lock when updating vCPU's Physical ID entry Sean Christopherson <seanjc(a)google.com> KVM: VMX: Refresh available regs and IDT vectoring info before NMI handling Hamza Mahfooz <hamza.mahfooz(a)amd.com> drm/amd/display: prevent potential division by zero errors Hamza Mahfooz <hamza.mahfooz(a)amd.com> drm/amd/display: limit the v_startup workaround to ASICs older than DCN3.1 Melissa Wen <mwen(a)igalia.com> drm/amd/display: enable cursor degamma for DCN3+ DRM legacy gamma Hamza Mahfooz <hamza.mahfooz(a)amd.com> Revert "drm/amd/display: Remove v_startup workaround for dcn3+" William Zhang <william.zhang(a)broadcom.com> mtd: rawnand: brcmnand: Fix ECC level field setting for v7.2 controller William Zhang <william.zhang(a)broadcom.com> mtd: rawnand: brcmnand: Fix potential false time out warning Linus Walleij <linus.walleij(a)linaro.org> mtd: spi-nor: Correct flags for Winbond w25q128 William Zhang <william.zhang(a)broadcom.com> mtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob write William Zhang <william.zhang(a)broadcom.com> mtd: rawnand: brcmnand: Fix crash during the panic_write Liu Ying <victor.liu(a)nxp.com> drm/mxsfb: Disable overlay plane in mxsfb_plane_overlay_atomic_disable() Qu Wenruo <wqu(a)suse.com> btrfs: scrub: fix grouping of read IO Qu Wenruo <wqu(a)suse.com> btrfs: scrub: avoid unnecessary csum tree search preparing stripes Qu Wenruo <wqu(a)suse.com> btrfs: scrub: avoid unnecessary extent tree search preparing stripes Anand Jain <anand.jain(a)oracle.com> btrfs: use the correct superblock to compare fsid in btrfs_validate_super Naohiro Aota <naohiro.aota(a)wdc.com> btrfs: zoned: re-enable metadata over-commit for zoned mode Josef Bacik <josef(a)toxicpanda.com> btrfs: set page extent mapped after read_folio in relocate_one_page Filipe Manana <fdmanana(a)suse.com> btrfs: don't start transaction when joining with TRANS_JOIN_NOSTART Boris Burkov <boris(a)bur.io> btrfs: free qgroup rsv on io failure Boris Burkov <boris(a)bur.io> btrfs: fix start transaction qgroup rsv double free Naohiro Aota <naohiro.aota(a)wdc.com> btrfs: zoned: do not zone finish data relocation block group ruanmeisi <ruan.meisi(a)zte.com.cn> fuse: nlookup missing decrement in fuse_direntplus_link Damien Le Moal <dlemoal(a)kernel.org> ata: pata_ftide010: Add missing MODULE_DESCRIPTION Damien Le Moal <dlemoal(a)kernel.org> ata: sata_gemini: Add missing MODULE_DESCRIPTION Michael Schmitz <schmitzmic(a)gmail.com> ata: pata_falcon: fix IO base selection for Q40 Werner Fischer <devlists(a)wefi.net> ata: ahci: Add Elkhart Lake AHCI controller Johannes Weiner <hannes(a)cmpxchg.org> memcontrol: ensure memcg acquired by id is properly set up Christian Marangi <ansuelsmth(a)gmail.com> hwspinlock: qcom: add missing regmap config for SFPB MMIO implementation Nathan Chancellor <nathan(a)kernel.org> lib: test_scanf: Add explicit type cast to result initialization in test_number_prefix() Jaegeuk Kim <jaegeuk(a)kernel.org> f2fs: avoid false alarm of circular locking Jaegeuk Kim <jaegeuk(a)kernel.org> f2fs: flush inode if atomic file is aborted Jaegeuk Kim <jaegeuk(a)kernel.org> f2fs: get out of a repeat loop when getting a locked data page Brian Foster <bfoster(a)redhat.com> ext4: drop dio overwrite only flag and associated warning Luís Henriques <lhenriques(a)suse.de> ext4: fix memory leaks in ext4_fname_{setup_filename,prepare_lookup} Wang Jianjian <wangjianjian0(a)foxmail.com> ext4: add correct group descriptors and reserved GDT blocks to system zone Baokun Li <libaokun1(a)huawei.com> ext4: fix slab-use-after-free in ext4_es_insert_extent() Zhang Yi <yi.zhang(a)huawei.com> jbd2: correct the end of the journal recovery scan range Zhihao Cheng <chengzhihao1(a)huawei.com> jbd2: check 'jh->b_transaction' before removing it from checkpoint Zhang Yi <yi.zhang(a)huawei.com> jbd2: fix checkpoint cleanup performance regression Ekansh Gupta <quic_ekangupt(a)quicinc.com> misc: fastrpc: Fix incorrect DMA mapping unmap request Ekansh Gupta <quic_ekangupt(a)quicinc.com> misc: fastrpc: Fix remote heap allocation request Hien Huynh <hien.huynh.px(a)renesas.com> dmaengine: sh: rz-dmac: Fix destination and source data size setting Walter Chang <walter.chang(a)mediatek.com> clocksource/drivers/arm_arch_timer: Disable timer before programming CVAL Pavel Kozlov <pavel.kozlov(a)synopsys.com> ARC: atomics: Add compiler barrier to atomic operations... Fangzhi Zuo <jerry.zuo(a)amd.com> drm/amd/display: Temporary Disable MST DP Colorspace Property Florent CARLI <fcarli(a)gmail.com> watchdog: advantech_ec_wdt: fix Kconfig dependencies Masahiro Yamada <masahiroy(a)kernel.org> linux/export: fix reference to exported functions for parisc64 Duoming Zhou <duoming(a)zju.edu.cn> sh: push-switch: Reorder cleanup operations to avoid use-after-free bug Petr Tesarik <petr.tesarik.ext(a)huawei.com> sh: boards: Fix CEU buffer size passed to dma_declare_coherent_memory() Vladimir Oltean <vladimir.oltean(a)nxp.com> net: enetc: distinguish error from valid pointers in enetc_fixup_clear_rss_rfs() Jie Wang <wangjie125(a)huawei.com> net: hns3: remove GSO partial feature bit Yisen Zhuang <yisen.zhuang(a)huawei.com> net: hns3: fix the port information display when sfp is absent Jijie Shao <shaojijie(a)huawei.com> net: hns3: fix invalid mutex between tc qdisc and dcb ets command issue Hao Chen <chenhao418(a)huawei.com> net: hns3: fix debugfs concurrency issue between kfree buffer and read Hao Chen <chenhao418(a)huawei.com> net: hns3: fix byte order conversion issue in hclge_dbg_fd_tcam_read() Jian Shen <shenjian15(a)huawei.com> net: hns3: fix tx timeout issue Lukasz Majewski <lukma(a)denx.de> net: phy: Provide Module 4 KSZ9477 errata (DS80000754C) Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: Unbreak audit log reset Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction Wander Lairson Costa <wander(a)redhat.com> netfilter: nfnetlink_osf: avoid OOB read Florian Westphal <fw(a)strlen.de> netfilter: nftables: exthdr: fix 4-byte stack OOB write Martin KaFai Lau <martin.lau(a)kernel.org> bpf: bpf_sk_storage: Fix the missing uncharge in sk_omem_alloc Martin KaFai Lau <martin.lau(a)kernel.org> bpf: bpf_sk_storage: Fix invalid wait context lockdep report Ilya Leoshkevich <iii(a)linux.ibm.com> s390/bpf: Pass through tail call counter in trampolines Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> bpf: Assign bpf_tramp_run_ctx::saved_run_ctx before recursion check. Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> bpf: Invoke __bpf_prog_exit_sleepable_recur() on recursion in kern_sys_bpf(). Jakub Kicinski <kuba(a)kernel.org> net: phylink: fix sphinx complaint about invalid literal Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: sja1105: complete tc-cbs offload support on SJA1110 Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: sja1105: fix -ENOSPC when replacing the same tc-cbs too many times Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: sja1105: fix bandwidth discrepancy between tc-cbs software and offload Bodong Wang <bodong(a)nvidia.com> mlx5/core: E-Switch, Create ACL FT for eswitch manager in switchdev mode Jiri Pirko <jiri(a)resnulli.us> net/mlx5: Push devlink port PF/VF init/cleanup calls out of devlink_port_register/unregister() Jiri Pirko <jiri(a)resnulli.us> net/mlx5: Rework devlink port alloc/free into init/cleanup Jiri Pirko <jiri(a)resnulli.us> net/mlx5: Give esw_offloads_load/unload_rep() "mlx5_" prefix Jianbo Liu <jianbol(a)nvidia.com> net/mlx5e: Clear mirred devices array if the rule is split Eric Dumazet <edumazet(a)google.com> ip_tunnels: use DEV_STATS_INC() Ariel Marcovitch <arielmarcovitch(a)gmail.com> idr: fix param name in idr_alloc_cyclic() doc Jerome Neanne <jneanne(a)baylibre.com> regulator: tps6594-regulator: Fix random kernel crash Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> s390/zcrypt: don't leak memory if dev_set_name() fails Olga Zaborska <olga.zaborska(a)intel.com> igb: Change IGB_MIN to allow set rx/tx value between 64 and 80 Olga Zaborska <olga.zaborska(a)intel.com> igbvf: Change IGBVF_MIN to allow set rx/tx value between 64 and 80 Olga Zaborska <olga.zaborska(a)intel.com> igc: Change IGC_MIN to allow set rx/tx value between 64 and 80 Geetha sowjanya <gakula(a)marvell.com> octeontx2-af: Fix truncation of smq in CN10K NIX AQ enqueue mbox handler Shigeru Yoshida <syoshida(a)redhat.com> kcm: Destroy mutex in kcm_exit_net() valis <sec(a)valis.email> net: sched: sch_qfq: Fix UAF in qfq_dequeue() Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Fix data race around sk->sk_err. Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Fix data-races around sk->sk_shutdown. Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Fix data-race around unix_tot_inflight. Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Fix data-races around user->unix_inflight. Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Fix msg_controllen test in scm_pidfd_recv() for MSG_CMSG_COMPAT. John Fastabend <john.fastabend(a)gmail.com> bpf, sockmap: Fix skb refcnt race after locking changes Oleksij Rempel <linux(a)rempel-privat.de> net: phy: micrel: Correct bit assignments for phy_device flags Alex Henrie <alexhenrie24(a)gmail.com> net: ipv6/addrconf: avoid integer underflow in ipv6_create_tempaddr Liang Chen <liangchen.linux(a)gmail.com> veth: Fixing transmit return status for dropped packets Eric Dumazet <edumazet(a)google.com> gve: fix frag_list chaining Corinna Vinschen <vinschen(a)redhat.com> igb: disable virtualization features on 82580 Xu Kuohai <xukuohai(a)huawei.com> selftests/bpf: Fix a CI failure caused by vsock write Sriram Yagnaraman <sriram.yagnaraman(a)est.tech> ipv6: ignore dst hint for multipath routes Sriram Yagnaraman <sriram.yagnaraman(a)est.tech> ipv4: ignore dst hint for multipath routes Eric Dumazet <edumazet(a)google.com> net: annotate data-races around sk->sk_bind_phc Eric Dumazet <edumazet(a)google.com> net: annotate data-races around sk->sk_tsflags Eric Dumazet <edumazet(a)google.com> mptcp: annotate data-races around msk->rmem_fwd_alloc Eric Dumazet <edumazet(a)google.com> net: annotate data-races around sk->sk_forward_alloc Eric Dumazet <edumazet(a)google.com> net: use sk_forward_alloc_get() in sk_get_meminfo() Eric Dumazet <edumazet(a)google.com> net/handshake: fix null-ptr-deref in handshake_nl_done_doit() Hamza Mahfooz <hamza.mahfooz(a)amd.com> drm/amd/display: fix mode scaling (RMX_.*) Sean Christopherson <seanjc(a)google.com> drm/i915/gvt: Drop unused helper intel_vgpu_reset_gtt() Sean Christopherson <seanjc(a)google.com> drm/i915/gvt: Put the page reference obtained by KVM's gfn_to_pfn() Sean Christopherson <seanjc(a)google.com> drm/i915/gvt: Verify pfn is "valid" before dereferencing "struct page" Xiubo Li <xiubli(a)redhat.com> ceph: make members in struct ceph_mds_request_args_ext a union Magnus Karlsson <magnus.karlsson(a)intel.com> xsk: Fix xsk_diag use-after-free error during socket cleanup Florian Westphal <fw(a)strlen.de> net: fib: avoid warn splat in flow dissector Eric Dumazet <edumazet(a)google.com> net: read sk->sk_family once in sk_mc_loop() Eric Dumazet <edumazet(a)google.com> ipv4: annotate data-races around fi->fib_dead Eric Dumazet <edumazet(a)google.com> sctp: annotate data-races around sk->sk_wmem_queued Eric Dumazet <edumazet(a)google.com> net/sched: fq_pie: avoid stalls in fq_pie_timer() Katya Orlova <e.orlova(a)ispras.ru> smb: propagate error code of extract_sharename() Phil Sutter <phil(a)nwl.cc> netfilter: nf_tables: Audit log rule reset Phil Sutter <phil(a)nwl.cc> netfilter: nf_tables: Audit log setelem reset Yu Kuai <yukuai3(a)huawei.com> blk-throttle: consider 'carryover_ios/bytes' in throtl_trim_slice() Yu Kuai <yukuai3(a)huawei.com> blk-throttle: use calculate_io/bytes_allowed() for throtl_trim_slice() Andrzej Hajda <andrzej.hajda(a)intel.com> drm/i915: mark requests for GuC virtual engines to avoid use-after-free Yonghong Song <yonghong.song(a)linux.dev> selftests/bpf: Fix flaky cgroup_iter_sleepable subtest Vincent Whitchurch <vincent.whitchurch(a)axis.com> regulator: tps6287x: Fix n_voltages Namhyung Kim <namhyung(a)kernel.org> perf test stat_bpf_counters_cgrp: Enhance perf stat cgroup BPF counter test Kajol Jain <kjain(a)linux.ibm.com> perf test stat_bpf_counters_cgrp: Fix shellcheck issue about logical operators Miquel Raynal <miquel.raynal(a)bootlin.com> i3c: master: svc: Describe member 'saved_regs' Ian Rogers <irogers(a)google.com> perf header: Fix missing PMU caps Justin Stitt <justinstitt(a)google.com> accel/ivpu: refactor deprecated strncpy Vladimir Zapolskiy <vz(a)mleia.com> pwm: lpc32xx: Remove handling of PWM channels Ilkka Koskinen <ilkka(a)os.amperecomputing.com> perf vendor events arm64: Remove L1D_CACHE_LMISS from AmpereOne list Raag Jadav <raag.jadav(a)intel.com> watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load Arnaldo Carvalho de Melo <acme(a)redhat.com> perf lock: Don't pass an ERR_PTR() directly to perf_session__delete() Arnaldo Carvalho de Melo <acme(a)redhat.com> perf top: Don't pass an ERR_PTR() directly to perf_session__delete() Kajol Jain <kjain(a)linux.ibm.com> perf vendor events: Update metric event names for power10 platform Kajol Jain <kjain(a)linux.ibm.com> perf vendor events: Move JSON/events to appropriate files for power10 platform Kajol Jain <kjain(a)linux.ibm.com> perf vendor events: Drop STORES_PER_INST metric event for power10 platform Kajol Jain <kjain(a)linux.ibm.com> perf vendor events: Drop some of the JSON/events for power10 platform Kajol Jain <kjain(a)linux.ibm.com> perf vendor events: Update the JSON/events descriptions for power10 platform Adrian Hunter <adrian.hunter(a)intel.com> perf dlfilter: Add al_cleanup() Arnaldo Carvalho de Melo <acme(a)kernel.org> perf dlfilter: Initialize addr_location before passing it to thread__find_symbol_fb() Namhyung Kim <namhyung(a)kernel.org> perf bpf-filter: Fix sample flag check with || Ivan Babrou <ivan(a)cloudflare.com> perf script: Print "cgroup" field on the same line as "comm" Sean Christopherson <seanjc(a)google.com> x86/virt: Drop unnecessary check on extended CPUID level in cpu_has_svm() Arnaldo Carvalho de Melo <acme(a)redhat.com> perf annotate bpf: Don't enclose non-debug code with an assert() Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: tca6416-keypad - fix interrupt enable disbalance Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: tca6416-keypad - always expect proper IRQ number in i2c client Sean Christopherson <seanjc(a)google.com> KVM: SVM: Don't defer NMI unblocking until next exit for SEV-ES guests Ian Rogers <irogers(a)google.com> perf parse-events: Additional error reporting Ian Rogers <irogers(a)google.com> perf parse-events: Separate ENOMEM memory handling Ian Rogers <irogers(a)google.com> perf parse-events: Move instances of YYABORT to YYNOMEM Ian Rogers <irogers(a)google.com> perf parse-events: Separate YYABORT and YYNOMEM cases Ying Liu <victor.liu(a)nxp.com> backlight: gpio_backlight: Drop output GPIO direction check for initial power state Artur Weber <aweber.kernel(a)gmail.com> backlight: lp855x: Initialize PWM state on first brightness change Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> pwm: atmel-tcb: Fix resource freeing in error path and remove Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> pwm: atmel-tcb: Harmonize resource allocation order Arnaldo Carvalho de Melo <acme(a)redhat.com> perf trace: Really free the evsel->priv area Jeff LaBundy <jeff(a)labundy.com> Input: iqs7222 - configure power mode before triggering ATI Xie XiuQi <xiexiuqi(a)huawei.com> tools/mm: fix undefined reference to pthread_once Konstantin Meskhidze <konstantin.meskhidze(a)huawei.com> kconfig: fix possible buffer overflow Jonathan Marek <jonathan(a)marek.ca> mailbox: qcom-ipcc: fix incorrect num_chans counting Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: low-memory forced flush fixes Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: Switch to wait_event in gfs2_logd Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> tpm_crb: Fix an error handling path in crb_acpi_add() Jiri Slaby <jirislaby(a)kernel.org> kbuild: dummy-tools: make MPROFILE_KERNEL checks work on BE Masahiro Yamada <masahiroy(a)kernel.org> kbuild: do not run depmod for 'make modules_sign' Masahiro Yamada <masahiroy(a)kernel.org> kbuild: rpm-pkg: define _arch conditionally Qiang Yu <quic_qianyu(a)quicinc.com> bus: mhi: host: Skip MHI reset if device is in RDDM Fedor Pchelkin <pchelkin(a)ispras.ru> NFSv4/pnfs: minor fix for cleanup path in nfs4_get_device_info Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: Fix a potential data corruption Johan Hovold <johan+linaro(a)kernel.org> clk: qcom: mss-sc7180: fix missing resume during probe Johan Hovold <johan+linaro(a)kernel.org> clk: qcom: q6sstop-qcs404: fix missing resume during probe Johan Hovold <johan+linaro(a)kernel.org> clk: qcom: lpasscc-sc7280: fix missing resume during probe Johan Hovold <johan+linaro(a)kernel.org> clk: qcom: dispcc-sm8550: fix runtime PM imbalance on probe errors Johan Hovold <johan+linaro(a)kernel.org> clk: qcom: dispcc-sm8450: fix runtime PM imbalance on probe errors Chris Lew <quic_clew(a)quicinc.com> soc: qcom: qmi_encdec: Restrict string length in decode Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> clk: qcom: gcc-mdm9615: use proper parent for pll0_vote clock Marco Felsch <m.felsch(a)pengutronix.de> clk: imx: pll14xx: align pdiv with reference manual Ahmad Fatoum <a.fatoum(a)pengutronix.de> clk: imx: pll14xx: dynamically configure PLL for 393216000/361267200Hz Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dt-bindings: clock: xlnx,versal-clk: drop select:false Raag Jadav <raag.jadav(a)intel.com> pinctrl: cherryview: fix address_space_handler() argument Bharath SM <bharathsm(a)microsoft.com> cifs: update desired access while requesting for directory lease Helge Deller <deller(a)gmx.de> parisc: led: Reduce CPU overhead for disk & lan LED computation Helge Deller <deller(a)gmx.de> parisc: led: Fix LAN receive and transmit LEDs Kalesh Singh <kaleshsingh(a)google.com> Multi-gen LRU: avoid race in inc_min_seq() Andrew Donnellan <ajd(a)linux.ibm.com> lib/test_meminit: allocate pages up to order MAX_ORDER Muchun Song <muchun.song(a)linux.dev> mm: hugetlb_vmemmap: fix a race between vmemmap pmd split Michal Hocko <mhocko(a)suse.com> memcg: drop kmem.limit_in_bytes Steve French <stfrench(a)microsoft.com> send channel sequence number in SMB3 requests after reconnects Aleksey Nasibulin <alealexpro100(a)ya.ru> ARM: dts: BCM5301X: Extend RAM to full 256MB for Linksys EA6500 V2 Chris Paterson <chris.paterson2(a)renesas.com> arm64: dts: renesas: rzg2l: Fix txdv-skew-psec typos Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ARM: dts: qcom: msm8974pro-castor: correct touchscreen syna,nosleep-mode Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ARM: dts: qcom: msm8974pro-castor: correct touchscreen function names Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> arm64: dts: qcom: msm8953-vince: drop duplicated touschreen parent interrupt Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ARM: dts: qcom: msm8974pro-castor: correct inverted X of touchscreen Johan Hovold <johan+linaro(a)kernel.org> clk: qcom: turingcc-qcs404: fix missing resume during probe Sameer Pujar <spujar(a)nvidia.com> arm64: tegra: Update AHUB clock parent and rate Sheetal <sheetal(a)nvidia.com> arm64: tegra: Update AHUB clock parent and rate on Tegra234 Paul Cercueil <paul(a)crapouillou.net> ARM: dts: samsung: exynos4210-i9100: Fix LCD screen's physical size Sheetal <sheetal(a)nvidia.com> ASoC: tegra: Fix SFC conversion for few rates Thomas Zimmermann <tzimmermann(a)suse.de> drm/ast: Fix DRAM init on AST2200 Johan Hovold <johan+linaro(a)kernel.org> clk: qcom: camcc-sc7180: fix async resume during probe Thomas Zimmermann <tzimmermann(a)suse.de> fbdev/ep93xx-fb: Do not assign to struct fb_info.dev Ian Kent <raven(a)themaw.net> kernfs: fix missing kernfs_iattr_rwsem locking Chengming Zhou <zhouchengming(a)bytedance.com> null_blk: fix poll request timeout handling Quinn Tran <qutran(a)marvell.com> scsi: qla2xxx: Fix firmware resource tracking Quinn Tran <qutran(a)marvell.com> scsi: qla2xxx: Error code did not return to upper layer Nilesh Javali <njavali(a)marvell.com> scsi: qla2xxx: Fix smatch warn for qla_init_iocb_limit() Quinn Tran <qutran(a)marvell.com> scsi: qla2xxx: Flush mailbox commands on chip reset Manish Rangankar <mrangankar(a)marvell.com> scsi: qla2xxx: Remove unsupported ql2xenabledif option Quinn Tran <qutran(a)marvell.com> scsi: qla2xxx: Fix TMF leak through Quinn Tran <qutran(a)marvell.com> scsi: qla2xxx: Fix session hang in gnl Quinn Tran <qutran(a)marvell.com> scsi: qla2xxx: Turn off noisy message log Quinn Tran <qutran(a)marvell.com> scsi: qla2xxx: Fix erroneous link up failure Quinn Tran <qutran(a)marvell.com> scsi: qla2xxx: Fix command flush during TMF Quinn Tran <qutran(a)marvell.com> scsi: qla2xxx: fix inconsistent TMF timeout Quinn Tran <qutran(a)marvell.com> scsi: qla2xxx: Fix deletion race condition Quinn Tran <qutran(a)marvell.com> scsi: qla2xxx: Limit TMF to 8 per function Quinn Tran <qutran(a)marvell.com> scsi: qla2xxx: Adjust IOCB resource on qpair create Bean Huo <beanhuo(a)micron.com> scsi: ufs: core: Add advanced RPMB support where UFSHCI 4.0 does not support EHS length in UTRD Gurchetan Singh <gurchetansingh(a)chromium.org> drm/virtio: Conditionally allocate virtio_gpu_fence Quan Tian <qtian(a)vmware.com> net/ipv6: SKB symmetric hash should incorporate transport ports ------------- Diffstat: Documentation/admin-guide/cgroup-v1/memory.rst | 2 - .../devicetree/bindings/clock/xlnx,versal-clk.yaml | 2 - Makefile | 6 +- arch/arc/include/asm/atomic-llsc.h | 6 +- arch/arc/include/asm/atomic64-arcv2.h | 6 +- .../dts/broadcom/bcm4708-linksys-ea6500-v2.dts | 3 +- .../qcom-msm8974pro-sony-xperia-shinano-castor.dts | 8 +- arch/arm/boot/dts/samsung/exynos4210-i9100.dts | 4 +- arch/arm64/boot/dts/nvidia/tegra186.dtsi | 3 +- arch/arm64/boot/dts/nvidia/tegra194.dtsi | 3 +- arch/arm64/boot/dts/nvidia/tegra210.dtsi | 3 +- arch/arm64/boot/dts/nvidia/tegra234.dtsi | 3 +- arch/arm64/boot/dts/qcom/msm8953-xiaomi-vince.dts | 1 - arch/arm64/boot/dts/renesas/rzg2l-smarc-som.dtsi | 4 +- arch/arm64/boot/dts/renesas/rzg2lc-smarc-som.dtsi | 2 +- arch/arm64/boot/dts/renesas/rzg2ul-smarc-som.dtsi | 4 +- arch/mips/Makefile | 6 +- arch/parisc/include/asm/led.h | 4 +- arch/parisc/include/asm/mckinley.h | 8 - arch/s390/net/bpf_jit_comp.c | 10 + arch/sh/boards/mach-ap325rxa/setup.c | 2 +- arch/sh/boards/mach-ecovec24/setup.c | 6 +- arch/sh/boards/mach-kfr2r09/setup.c | 2 +- arch/sh/boards/mach-migor/setup.c | 2 +- arch/sh/boards/mach-se/7724/setup.c | 6 +- arch/sh/drivers/push-switch.c | 2 +- arch/x86/include/asm/virtext.h | 6 - arch/x86/kvm/svm/avic.c | 59 +++- arch/x86/kvm/svm/nested.c | 9 +- arch/x86/kvm/svm/sev.c | 14 +- arch/x86/kvm/svm/svm.c | 45 ++- arch/x86/kvm/vmx/vmx.c | 21 +- block/blk-throttle.c | 99 +++--- drivers/accel/ivpu/ivpu_jsm_msg.c | 3 +- drivers/ata/ahci.c | 2 + drivers/ata/pata_falcon.c | 50 +-- drivers/ata/pata_ftide010.c | 1 + drivers/ata/sata_gemini.c | 1 + drivers/block/null_blk/main.c | 12 +- drivers/bus/mhi/host/pm.c | 5 + drivers/char/tpm/tpm_crb.c | 5 +- drivers/clk/imx/clk-pll14xx.c | 13 +- drivers/clk/qcom/camcc-sc7180.c | 2 +- drivers/clk/qcom/dispcc-sm8450.c | 13 +- drivers/clk/qcom/dispcc-sm8550.c | 13 +- drivers/clk/qcom/gcc-mdm9615.c | 2 +- drivers/clk/qcom/lpasscc-sc7280.c | 16 +- drivers/clk/qcom/mss-sc7180.c | 13 +- drivers/clk/qcom/q6sstop-qcs404.c | 15 +- drivers/clk/qcom/turingcc-qcs404.c | 13 +- drivers/clocksource/arm_arch_timer.c | 7 + drivers/dma/sh/rz-dmac.c | 11 +- drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 26 +- drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v11.c | 3 + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 4 +- .../drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c | 7 + drivers/gpu/drm/amd/display/dc/Makefile | 1 + drivers/gpu/drm/amd/display/dc/core/dc.c | 68 ++-- drivers/gpu/drm/amd/display/dc/dcn10/dcn10_mpc.c | 5 +- drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c | 11 - .../gpu/drm/amd/display/dc/dml/dcn20/dcn20_fpu.c | 25 +- .../drm/amd/display/modules/freesync/freesync.c | 9 +- drivers/gpu/drm/ast/ast_post.c | 2 +- drivers/gpu/drm/i915/gt/intel_engine_types.h | 1 + drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 3 + drivers/gpu/drm/i915/gvt/gtt.c | 27 +- drivers/gpu/drm/i915/gvt/gtt.h | 1 - drivers/gpu/drm/i915/i915_request.c | 7 +- drivers/gpu/drm/mxsfb/mxsfb_kms.c | 9 + drivers/gpu/drm/virtio/virtgpu_submit.c | 32 +- drivers/hwspinlock/qcom_hwspinlock.c | 9 + drivers/i3c/master/svc-i3c-master.c | 1 + drivers/input/keyboard/tca6416-keypad.c | 31 +- drivers/input/misc/iqs7222.c | 8 +- drivers/mailbox/qcom-ipcc.c | 4 +- drivers/misc/fastrpc.c | 22 +- drivers/mtd/nand/raw/brcmnand/brcmnand.c | 112 ++++-- drivers/mtd/spi-nor/winbond.c | 5 +- drivers/net/dsa/microchip/ksz_common.c | 16 +- drivers/net/dsa/sja1105/sja1105.h | 4 + drivers/net/dsa/sja1105/sja1105_dynamic_config.c | 93 +++-- drivers/net/dsa/sja1105/sja1105_main.c | 120 +++++-- drivers/net/dsa/sja1105/sja1105_spi.c | 4 + drivers/net/ethernet/adi/adin1110.c | 10 +- drivers/net/ethernet/cadence/macb_main.c | 5 +- drivers/net/ethernet/freescale/enetc/enetc_pf.c | 2 +- drivers/net/ethernet/google/gve/gve_rx_dqo.c | 5 +- drivers/net/ethernet/hisilicon/hns3/hnae3.h | 1 + drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c | 7 +- drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 19 +- drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c | 4 +- .../net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c | 20 +- .../ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c | 14 +- .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 5 +- .../ethernet/hisilicon/hns3/hns3pf/hclge_main.h | 2 - drivers/net/ethernet/intel/igb/igb.h | 4 +- drivers/net/ethernet/intel/igb/igb_main.c | 10 +- drivers/net/ethernet/intel/igbvf/igbvf.h | 4 +- drivers/net/ethernet/intel/igc/igc.h | 4 +- drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 28 +- drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 5 + .../net/ethernet/marvell/octeontx2/af/rvu_nix.c | 21 +- drivers/net/ethernet/marvell/octeontx2/nic/cn10k.c | 6 +- drivers/net/ethernet/marvell/octeontx2/nic/cn10k.h | 2 +- .../ethernet/marvell/octeontx2/nic/otx2_common.c | 43 +-- .../ethernet/marvell/octeontx2/nic/otx2_common.h | 3 +- .../net/ethernet/marvell/octeontx2/nic/otx2_pf.c | 7 +- .../net/ethernet/marvell/octeontx2/nic/otx2_txrx.c | 30 +- .../net/ethernet/marvell/octeontx2/nic/otx2_txrx.h | 4 +- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 3 + .../net/ethernet/mellanox/mlx5/core/en/tc/act/ct.c | 4 +- .../ethernet/mellanox/mlx5/core/en/tc/act/mirred.c | 1 + .../ethernet/mellanox/mlx5/core/en/tc/act/pedit.c | 4 +- .../mlx5/core/en/tc/act/redirect_ingress.c | 1 + .../ethernet/mellanox/mlx5/core/en/tc/act/vlan.c | 1 + .../mellanox/mlx5/core/en/tc/act/vlan_mangle.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 1 + .../ethernet/mellanox/mlx5/core/esw/devlink_port.c | 62 ++-- drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 64 +++- drivers/net/ethernet/mellanox/mlx5/core/eswitch.h | 8 +- .../ethernet/mellanox/mlx5/core/eswitch_offloads.c | 75 ++-- drivers/net/ethernet/microchip/vcap/vcap_api.c | 18 +- drivers/net/ethernet/renesas/rswitch.c | 8 +- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 10 +- drivers/net/phy/micrel.c | 9 +- drivers/net/usb/r8152.c | 3 + drivers/net/veth.c | 6 +- drivers/parisc/led.c | 4 +- drivers/parisc/sba_iommu.c | 10 +- drivers/pinctrl/intel/pinctrl-cherryview.c | 5 +- drivers/platform/mellanox/Kconfig | 4 +- drivers/platform/mellanox/mlxbf-pmc.c | 41 +-- drivers/platform/mellanox/mlxbf-tmfifo.c | 90 +++-- drivers/pwm/pwm-atmel-tcb.c | 64 ++-- drivers/pwm/pwm-lpc32xx.c | 16 +- drivers/regulator/raa215300.c | 32 +- drivers/regulator/tps6287x-regulator.c | 2 +- drivers/regulator/tps6594-regulator.c | 31 +- drivers/s390/crypto/zcrypt_api.c | 1 + drivers/scsi/qla2xxx/qla_attr.c | 2 - drivers/scsi/qla2xxx/qla_dbg.c | 2 +- drivers/scsi/qla2xxx/qla_def.h | 21 +- drivers/scsi/qla2xxx/qla_dfs.c | 10 + drivers/scsi/qla2xxx/qla_gbl.h | 1 + drivers/scsi/qla2xxx/qla_init.c | 234 ++++++++----- drivers/scsi/qla2xxx/qla_inline.h | 57 +++- drivers/scsi/qla2xxx/qla_iocb.c | 1 + drivers/scsi/qla2xxx/qla_isr.c | 7 +- drivers/scsi/qla2xxx/qla_mbx.c | 7 +- drivers/scsi/qla2xxx/qla_nvme.c | 3 +- drivers/scsi/qla2xxx/qla_os.c | 26 +- drivers/scsi/qla2xxx/qla_target.c | 14 +- drivers/soc/qcom/qmi_encdec.c | 4 +- drivers/ufs/core/ufs_bsg.c | 3 +- drivers/ufs/core/ufshcd.c | 10 +- drivers/video/backlight/gpio_backlight.c | 3 +- drivers/video/backlight/lp855x_bl.c | 20 +- drivers/video/fbdev/ep93xx-fb.c | 1 - drivers/watchdog/Kconfig | 2 + drivers/watchdog/intel-mid_wdt.c | 1 + fs/btrfs/disk-io.c | 5 +- fs/btrfs/extent-tree.c | 43 +-- fs/btrfs/file-item.c | 34 +- fs/btrfs/file-item.h | 6 +- fs/btrfs/inode.c | 7 + fs/btrfs/raid56.c | 4 +- fs/btrfs/relocation.c | 12 +- fs/btrfs/scrub.c | 152 ++++++--- fs/btrfs/space-info.c | 6 +- fs/btrfs/transaction.c | 26 +- fs/btrfs/zoned.c | 16 +- fs/ext4/balloc.c | 15 +- fs/ext4/block_validity.c | 8 +- fs/ext4/crypto.c | 4 + fs/ext4/ext4.h | 2 + fs/ext4/extents_status.c | 44 ++- fs/ext4/file.c | 25 +- fs/f2fs/data.c | 8 +- fs/f2fs/f2fs.h | 24 +- fs/f2fs/inline.c | 3 +- fs/f2fs/segment.c | 2 + fs/fuse/readdir.c | 10 +- fs/gfs2/aops.c | 4 +- fs/gfs2/log.c | 25 +- fs/jbd2/checkpoint.c | 22 +- fs/jbd2/recovery.c | 12 +- fs/kernfs/dir.c | 4 + fs/nfs/direct.c | 20 +- fs/nfs/pnfs_dev.c | 2 +- fs/smb/client/cached_dir.c | 2 +- fs/smb/client/cifsglob.h | 1 + fs/smb/client/connect.c | 1 + fs/smb/client/fscache.c | 2 +- fs/smb/client/smb2ops.c | 11 +- fs/smb/client/smb2pdu.c | 11 + fs/smb/common/smb2pdu.h | 22 ++ include/linux/audit.h | 2 + include/linux/bpf.h | 12 + include/linux/ceph/ceph_fs.h | 24 +- include/linux/export-internal.h | 2 + include/linux/ipv6.h | 1 + include/linux/micrel_phy.h | 7 +- include/linux/phylink.h | 4 +- include/linux/tca6416_keypad.h | 1 - include/net/ip.h | 3 +- include/net/ip6_fib.h | 5 +- include/net/ip_fib.h | 5 +- include/net/ip_tunnels.h | 15 +- include/net/ipv6.h | 7 +- include/net/scm.h | 14 +- include/net/sock.h | 29 +- kernel/auditsc.c | 2 + kernel/bpf/bpf_local_storage.c | 49 +-- kernel/bpf/core.c | 10 +- kernel/bpf/syscall.c | 2 +- kernel/bpf/trampoline.c | 5 +- kernel/trace/bpf_trace.c | 11 - lib/idr.c | 2 +- lib/kunit/test.c | 3 +- lib/test_meminit.c | 2 +- lib/test_scanf.c | 2 +- mm/hugetlb_vmemmap.c | 34 +- mm/memcontrol.c | 32 +- mm/mremap.c | 2 +- mm/vmscan.c | 13 +- net/can/j1939/socket.c | 10 +- net/core/flow_dissector.c | 3 +- net/core/skbuff.c | 10 +- net/core/skmsg.c | 12 +- net/core/sock.c | 27 +- net/handshake/netlink.c | 18 +- net/hsr/hsr_forward.c | 1 + net/ipv4/devinet.c | 10 +- net/ipv4/fib_semantics.c | 5 +- net/ipv4/fib_trie.c | 3 +- net/ipv4/inet_hashtables.c | 36 +- net/ipv4/ip_input.c | 3 +- net/ipv4/ip_output.c | 2 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/route.c | 1 + net/ipv4/tcp.c | 4 +- net/ipv4/tcp_output.c | 2 +- net/ipv4/udp.c | 6 +- net/ipv6/addrconf.c | 2 +- net/ipv6/ip6_input.c | 3 +- net/ipv6/ip6_output.c | 2 +- net/ipv6/ping.c | 2 +- net/ipv6/raw.c | 2 +- net/ipv6/route.c | 3 + net/ipv6/udp.c | 2 +- net/kcm/kcmsock.c | 15 +- net/mptcp/protocol.c | 23 +- net/netfilter/nf_tables_api.c | 54 ++- net/netfilter/nfnetlink_osf.c | 8 + net/netfilter/nft_exthdr.c | 22 +- net/netfilter/nft_set_rbtree.c | 8 +- net/sched/sch_fq_pie.c | 27 +- net/sched/sch_plug.c | 2 +- net/sched/sch_qfq.c | 22 +- net/sctp/proc.c | 2 +- net/sctp/socket.c | 10 +- net/smc/smc_core.c | 2 + net/socket.c | 15 +- net/tls/tls_sw.c | 4 +- net/unix/af_unix.c | 2 +- net/unix/scm.c | 6 +- net/xdp/xsk_diag.c | 3 + scripts/dummy-tools/gcc | 3 +- scripts/kconfig/preprocess.c | 3 + scripts/mod/modpost.c | 9 + scripts/package/mkspec | 2 +- sound/soc/tegra/tegra210_sfc.c | 31 +- sound/soc/tegra/tegra210_sfc.h | 4 +- tools/build/Makefile.build | 10 + tools/mm/Makefile | 4 +- tools/perf/Documentation/perf-dlfilter.txt | 22 +- tools/perf/Makefile.perf | 2 +- tools/perf/builtin-lock.c | 1 + tools/perf/builtin-script.c | 22 +- tools/perf/builtin-top.c | 1 + tools/perf/builtin-trace.c | 9 +- tools/perf/dlfilters/dlfilter-test-api-v2.c | 377 +++++++++++++++++++++ tools/perf/include/perf/perf_dlfilter.h | 11 +- tools/perf/pmu-events/Build | 6 + .../arch/arm64/ampere/ampereone/cache.json | 3 - .../pmu-events/arch/powerpc/power10/cache.json | 47 +-- .../arch/powerpc/power10/floating_point.json | 66 +++- .../pmu-events/arch/powerpc/power10/frontend.json | 188 +--------- .../pmu-events/arch/powerpc/power10/marked.json | 194 ++++++++--- .../pmu-events/arch/powerpc/power10/memory.json | 91 +---- .../pmu-events/arch/powerpc/power10/metrics.json | 56 ++- .../pmu-events/arch/powerpc/power10/others.json | 209 ++---------- .../pmu-events/arch/powerpc/power10/pipeline.json | 269 +++++++++++---- .../perf/pmu-events/arch/powerpc/power10/pmc.json | 193 ++++++++++- .../arch/powerpc/power10/translation.json | 42 +-- tools/perf/pmu-events/jevents.py | 2 +- tools/perf/tests/dlfilter-test.c | 38 ++- tools/perf/tests/shell/stat_bpf_counters.sh | 4 +- tools/perf/tests/shell/stat_bpf_counters_cgrp.sh | 28 +- tools/perf/ui/browsers/hists.c | 60 ++-- tools/perf/util/annotate.c | 10 +- tools/perf/util/bpf-filter.c | 14 +- tools/perf/util/dlfilter.c | 30 ++ tools/perf/util/expr.c | 4 +- tools/perf/util/header.c | 42 +-- tools/perf/util/parse-events.c | 4 +- tools/perf/util/parse-events.y | 256 +++++++++----- tools/perf/util/pmu.c | 4 +- .../selftests/bpf/prog_tests/bpf_obj_pinning.c | 5 +- .../selftests/bpf/prog_tests/sockmap_helpers.h | 26 ++ .../selftests/bpf/prog_tests/sockmap_listen.c | 7 + .../trigger-synthetic-event-dynstring.tc | 2 +- .../trigger-synthetic_event_syntax_errors.tc | 2 +- tools/testing/selftests/kselftest/runner.sh | 3 +- tools/testing/selftests/lib.mk | 4 +- tools/testing/selftests/net/bind_wildcard.c | 2 +- 316 files changed, 3898 insertions(+), 2319 deletions(-)

1 year, 12 months

18
318
0 0

[PATCH v2] nvme: remove unprivileged passthrough support

by Kanchan Joshi

Passthrough has got a hole that can be exploited to cause kernel memory corruption. This is about making the device do larger DMA into short meta/data buffer owned by kernel [1]. As a stopgap measure, disable the support of unprivileged passthrough. This patch brings back coarse-granular CAP_SYS_ADMIN checks by reverting following patches: - 7d9d7d59d44 ("nvme: replace the fmode_t argument to the nvme ioctl handlers with a simple bool") - 313c08c72ee ("nvme: don't allow unprivileged passthrough on partitions") - 6f99ac04c46 ("nvme: consult the CSE log page for unprivileged passthrough") - ea43fceea41 ("nvme: allow unprivileged passthrough of Identify Controller") - e4fbcf32c86 ("nvme: identify-namespace without CAP_SYS_ADMIN") - 855b7717f44 ("nvme: fine-granular CAP_SYS_ADMIN for nvme io commands") [1] https://lore.kernel.org/linux-nvme/20231013051458.39987-1-joshi.k@samsung.c… CC: stable(a)vger.kernel.org # 6.2 Fixes: 855b7717f44b1 ("nvme: fine-granular CAP_SYS_ADMIN for nvme io commands") Suggested-by: Christoph Hellwig <hch(a)lst.de> Signed-off-by: Kanchan Joshi <joshi.k(a)samsung.com> Reviewed-by: Christoph Hellwig <hch(a)lst.de> --- Changes since v1: - Fix the way "Fixes:" was written before (Greg) drivers/nvme/host/ioctl.c | 159 ++++++++------------------------------ include/linux/nvme.h | 2 - 2 files changed, 34 insertions(+), 127 deletions(-) diff --git a/drivers/nvme/host/ioctl.c b/drivers/nvme/host/ioctl.c index d8ff796fd5f2..788b36e7915a 100644 --- a/drivers/nvme/host/ioctl.c +++ b/drivers/nvme/host/ioctl.c @@ -10,80 +10,8 @@ enum { NVME_IOCTL_VEC = (1 << 0), - NVME_IOCTL_PARTITION = (1 << 1), }; -static bool nvme_cmd_allowed(struct nvme_ns *ns, struct nvme_command *c, - unsigned int flags, bool open_for_write) -{ - u32 effects; - - if (capable(CAP_SYS_ADMIN)) - return true; - - /* - * Do not allow unprivileged passthrough on partitions, as that allows an - * escape from the containment of the partition. - */ - if (flags & NVME_IOCTL_PARTITION) - return false; - - /* - * Do not allow unprivileged processes to send vendor specific or fabrics - * commands as we can't be sure about their effects. - */ - if (c->common.opcode >= nvme_cmd_vendor_start || - c->common.opcode == nvme_fabrics_command) - return false; - - /* - * Do not allow unprivileged passthrough of admin commands except - * for a subset of identify commands that contain information required - * to form proper I/O commands in userspace and do not expose any - * potentially sensitive information. - */ - if (!ns) { - if (c->common.opcode == nvme_admin_identify) { - switch (c->identify.cns) { - case NVME_ID_CNS_NS: - case NVME_ID_CNS_CS_NS: - case NVME_ID_CNS_NS_CS_INDEP: - case NVME_ID_CNS_CS_CTRL: - case NVME_ID_CNS_CTRL: - return true; - } - } - return false; - } - - /* - * Check if the controller provides a Commands Supported and Effects log - * and marks this command as supported. If not reject unprivileged - * passthrough. - */ - effects = nvme_command_effects(ns->ctrl, ns, c->common.opcode); - if (!(effects & NVME_CMD_EFFECTS_CSUPP)) - return false; - - /* - * Don't allow passthrough for command that have intrusive (or unknown) - * effects. - */ - if (effects & ~(NVME_CMD_EFFECTS_CSUPP | NVME_CMD_EFFECTS_LBCC | - NVME_CMD_EFFECTS_UUID_SEL | - NVME_CMD_EFFECTS_SCOPE_MASK)) - return false; - - /* - * Only allow I/O commands that transfer data to the controller or that - * change the logical block contents if the file descriptor is open for - * writing. - */ - if (nvme_is_write(c) || (effects & NVME_CMD_EFFECTS_LBCC)) - return open_for_write; - return true; -} - /* * Convert integer values from ioctl structures to user pointers, silently * ignoring the upper bits in the compat case to match behaviour of 32-bit @@ -335,8 +263,7 @@ static bool nvme_validate_passthru_nsid(struct nvme_ctrl *ctrl, } static int nvme_user_cmd(struct nvme_ctrl *ctrl, struct nvme_ns *ns, - struct nvme_passthru_cmd __user *ucmd, unsigned int flags, - bool open_for_write) + struct nvme_passthru_cmd __user *ucmd) { struct nvme_passthru_cmd cmd; struct nvme_command c; @@ -344,6 +271,8 @@ static int nvme_user_cmd(struct nvme_ctrl *ctrl, struct nvme_ns *ns, u64 result; int status; + if (!capable(CAP_SYS_ADMIN)) + return -EACCES; if (copy_from_user(&cmd, ucmd, sizeof(cmd))) return -EFAULT; if (cmd.flags) @@ -364,9 +293,6 @@ static int nvme_user_cmd(struct nvme_ctrl *ctrl, struct nvme_ns *ns, c.common.cdw14 = cpu_to_le32(cmd.cdw14); c.common.cdw15 = cpu_to_le32(cmd.cdw15); - if (!nvme_cmd_allowed(ns, &c, 0, open_for_write)) - return -EACCES; - if (cmd.timeout_ms) timeout = msecs_to_jiffies(cmd.timeout_ms); @@ -383,14 +309,16 @@ static int nvme_user_cmd(struct nvme_ctrl *ctrl, struct nvme_ns *ns, } static int nvme_user_cmd64(struct nvme_ctrl *ctrl, struct nvme_ns *ns, - struct nvme_passthru_cmd64 __user *ucmd, unsigned int flags, - bool open_for_write) + struct nvme_passthru_cmd64 __user *ucmd, + unsigned int flags) { struct nvme_passthru_cmd64 cmd; struct nvme_command c; unsigned timeout = 0; int status; + if (!capable(CAP_SYS_ADMIN)) + return -EACCES; if (copy_from_user(&cmd, ucmd, sizeof(cmd))) return -EFAULT; if (cmd.flags) @@ -411,9 +339,6 @@ static int nvme_user_cmd64(struct nvme_ctrl *ctrl, struct nvme_ns *ns, c.common.cdw14 = cpu_to_le32(cmd.cdw14); c.common.cdw15 = cpu_to_le32(cmd.cdw15); - if (!nvme_cmd_allowed(ns, &c, flags, open_for_write)) - return -EACCES; - if (cmd.timeout_ms) timeout = msecs_to_jiffies(cmd.timeout_ms); @@ -563,6 +488,9 @@ static int nvme_uring_cmd_io(struct nvme_ctrl *ctrl, struct nvme_ns *ns, void *meta = NULL; int ret; + if (!capable(CAP_SYS_ADMIN)) + return -EACCES; + c.common.opcode = READ_ONCE(cmd->opcode); c.common.flags = READ_ONCE(cmd->flags); if (c.common.flags) @@ -584,9 +512,6 @@ static int nvme_uring_cmd_io(struct nvme_ctrl *ctrl, struct nvme_ns *ns, c.common.cdw14 = cpu_to_le32(READ_ONCE(cmd->cdw14)); c.common.cdw15 = cpu_to_le32(READ_ONCE(cmd->cdw15)); - if (!nvme_cmd_allowed(ns, &c, 0, ioucmd->file->f_mode & FMODE_WRITE)) - return -EACCES; - d.metadata = READ_ONCE(cmd->metadata); d.addr = READ_ONCE(cmd->addr); d.data_len = READ_ONCE(cmd->data_len); @@ -643,13 +568,13 @@ static bool is_ctrl_ioctl(unsigned int cmd) } static int nvme_ctrl_ioctl(struct nvme_ctrl *ctrl, unsigned int cmd, - void __user *argp, bool open_for_write) + void __user *argp) { switch (cmd) { case NVME_IOCTL_ADMIN_CMD: - return nvme_user_cmd(ctrl, NULL, argp, 0, open_for_write); + return nvme_user_cmd(ctrl, NULL, argp); case NVME_IOCTL_ADMIN64_CMD: - return nvme_user_cmd64(ctrl, NULL, argp, 0, open_for_write); + return nvme_user_cmd64(ctrl, NULL, argp, 0); default: return sed_ioctl(ctrl->opal_dev, cmd, argp); } @@ -674,14 +599,16 @@ struct nvme_user_io32 { #endif /* COMPAT_FOR_U64_ALIGNMENT */ static int nvme_ns_ioctl(struct nvme_ns *ns, unsigned int cmd, - void __user *argp, unsigned int flags, bool open_for_write) + void __user *argp) { + unsigned int flags = 0; + switch (cmd) { case NVME_IOCTL_ID: force_successful_syscall_return(); return ns->head->ns_id; case NVME_IOCTL_IO_CMD: - return nvme_user_cmd(ns->ctrl, ns, argp, flags, open_for_write); + return nvme_user_cmd(ns->ctrl, ns, argp); /* * struct nvme_user_io can have different padding on some 32-bit ABIs. * Just accept the compat version as all fields that are used are the @@ -696,39 +623,32 @@ static int nvme_ns_ioctl(struct nvme_ns *ns, unsigned int cmd, flags |= NVME_IOCTL_VEC; fallthrough; case NVME_IOCTL_IO64_CMD: - return nvme_user_cmd64(ns->ctrl, ns, argp, flags, - open_for_write); + return nvme_user_cmd64(ns->ctrl, ns, argp, flags); default: return -ENOTTY; } } -int nvme_ioctl(struct block_device *bdev, blk_mode_t mode, +int nvme_ioctl(struct block_device *bdev, fmode_t mode, unsigned int cmd, unsigned long arg) { struct nvme_ns *ns = bdev->bd_disk->private_data; - bool open_for_write = mode & BLK_OPEN_WRITE; void __user *argp = (void __user *)arg; - unsigned int flags = 0; - - if (bdev_is_partition(bdev)) - flags |= NVME_IOCTL_PARTITION; if (is_ctrl_ioctl(cmd)) - return nvme_ctrl_ioctl(ns->ctrl, cmd, argp, open_for_write); - return nvme_ns_ioctl(ns, cmd, argp, flags, open_for_write); + return nvme_ctrl_ioctl(ns->ctrl, cmd, argp); + return nvme_ns_ioctl(ns, cmd, argp); } long nvme_ns_chr_ioctl(struct file *file, unsigned int cmd, unsigned long arg) { struct nvme_ns *ns = container_of(file_inode(file)->i_cdev, struct nvme_ns, cdev); - bool open_for_write = file->f_mode & FMODE_WRITE; void __user *argp = (void __user *)arg; if (is_ctrl_ioctl(cmd)) - return nvme_ctrl_ioctl(ns->ctrl, cmd, argp, open_for_write); - return nvme_ns_ioctl(ns, cmd, argp, 0, open_for_write); + return nvme_ctrl_ioctl(ns->ctrl, cmd, argp); + return nvme_ns_ioctl(ns, cmd, argp); } static int nvme_uring_cmd_checks(unsigned int issue_flags) @@ -792,8 +712,7 @@ int nvme_ns_chr_uring_cmd_iopoll(struct io_uring_cmd *ioucmd, } #ifdef CONFIG_NVME_MULTIPATH static int nvme_ns_head_ctrl_ioctl(struct nvme_ns *ns, unsigned int cmd, - void __user *argp, struct nvme_ns_head *head, int srcu_idx, - bool open_for_write) + void __user *argp, struct nvme_ns_head *head, int srcu_idx) __releases(&head->srcu) { struct nvme_ctrl *ctrl = ns->ctrl; @@ -801,7 +720,7 @@ static int nvme_ns_head_ctrl_ioctl(struct nvme_ns *ns, unsigned int cmd, nvme_get_ctrl(ns->ctrl); srcu_read_unlock(&head->srcu, srcu_idx); - ret = nvme_ctrl_ioctl(ns->ctrl, cmd, argp, open_for_write); + ret = nvme_ctrl_ioctl(ns->ctrl, cmd, argp); nvme_put_ctrl(ctrl); return ret; @@ -811,14 +730,9 @@ int nvme_ns_head_ioctl(struct block_device *bdev, blk_mode_t mode, unsigned int cmd, unsigned long arg) { struct nvme_ns_head *head = bdev->bd_disk->private_data; - bool open_for_write = mode & BLK_OPEN_WRITE; void __user *argp = (void __user *)arg; struct nvme_ns *ns; int srcu_idx, ret = -EWOULDBLOCK; - unsigned int flags = 0; - - if (bdev_is_partition(bdev)) - flags |= NVME_IOCTL_PARTITION; srcu_idx = srcu_read_lock(&head->srcu); ns = nvme_find_path(head); @@ -831,10 +745,9 @@ int nvme_ns_head_ioctl(struct block_device *bdev, blk_mode_t mode, * deadlock when deleting namespaces using the passthrough interface. */ if (is_ctrl_ioctl(cmd)) - return nvme_ns_head_ctrl_ioctl(ns, cmd, argp, head, srcu_idx, - open_for_write); + return nvme_ns_head_ctrl_ioctl(ns, cmd, argp, head, srcu_idx); - ret = nvme_ns_ioctl(ns, cmd, argp, flags, open_for_write); + ret = nvme_ns_ioctl(ns, cmd, argp); out_unlock: srcu_read_unlock(&head->srcu, srcu_idx); return ret; @@ -843,7 +756,6 @@ int nvme_ns_head_ioctl(struct block_device *bdev, blk_mode_t mode, long nvme_ns_head_chr_ioctl(struct file *file, unsigned int cmd, unsigned long arg) { - bool open_for_write = file->f_mode & FMODE_WRITE; struct cdev *cdev = file_inode(file)->i_cdev; struct nvme_ns_head *head = container_of(cdev, struct nvme_ns_head, cdev); @@ -857,10 +769,9 @@ long nvme_ns_head_chr_ioctl(struct file *file, unsigned int cmd, goto out_unlock; if (is_ctrl_ioctl(cmd)) - return nvme_ns_head_ctrl_ioctl(ns, cmd, argp, head, srcu_idx, - open_for_write); + return nvme_ns_head_ctrl_ioctl(ns, cmd, argp, head, srcu_idx); - ret = nvme_ns_ioctl(ns, cmd, argp, 0, open_for_write); + ret = nvme_ns_ioctl(ns, cmd, argp); out_unlock: srcu_read_unlock(&head->srcu, srcu_idx); return ret; @@ -909,8 +820,7 @@ int nvme_dev_uring_cmd(struct io_uring_cmd *ioucmd, unsigned int issue_flags) return ret; } -static int nvme_dev_user_cmd(struct nvme_ctrl *ctrl, void __user *argp, - bool open_for_write) +static int nvme_dev_user_cmd(struct nvme_ctrl *ctrl, void __user *argp) { struct nvme_ns *ns; int ret; @@ -934,7 +844,7 @@ static int nvme_dev_user_cmd(struct nvme_ctrl *ctrl, void __user *argp, kref_get(&ns->kref); up_read(&ctrl->namespaces_rwsem); - ret = nvme_user_cmd(ctrl, ns, argp, 0, open_for_write); + ret = nvme_user_cmd(ctrl, ns, argp); nvme_put_ns(ns); return ret; @@ -946,17 +856,16 @@ static int nvme_dev_user_cmd(struct nvme_ctrl *ctrl, void __user *argp, long nvme_dev_ioctl(struct file *file, unsigned int cmd, unsigned long arg) { - bool open_for_write = file->f_mode & FMODE_WRITE; struct nvme_ctrl *ctrl = file->private_data; void __user *argp = (void __user *)arg; switch (cmd) { case NVME_IOCTL_ADMIN_CMD: - return nvme_user_cmd(ctrl, NULL, argp, 0, open_for_write); + return nvme_user_cmd(ctrl, NULL, argp); case NVME_IOCTL_ADMIN64_CMD: - return nvme_user_cmd64(ctrl, NULL, argp, 0, open_for_write); + return nvme_user_cmd64(ctrl, NULL, argp, 0); case NVME_IOCTL_IO_CMD: - return nvme_dev_user_cmd(ctrl, argp, open_for_write); + return nvme_dev_user_cmd(ctrl, argp); case NVME_IOCTL_RESET: if (!capable(CAP_SYS_ADMIN)) return -EACCES; diff --git a/include/linux/nvme.h b/include/linux/nvme.h index 26dd3f859d9d..df3e2c619448 100644 --- a/include/linux/nvme.h +++ b/include/linux/nvme.h @@ -642,7 +642,6 @@ enum { NVME_CMD_EFFECTS_CCC = 1 << 4, NVME_CMD_EFFECTS_CSE_MASK = GENMASK(18, 16), NVME_CMD_EFFECTS_UUID_SEL = 1 << 19, - NVME_CMD_EFFECTS_SCOPE_MASK = GENMASK(31, 20), }; struct nvme_effects_log { @@ -834,7 +833,6 @@ enum nvme_opcode { nvme_cmd_zone_mgmt_send = 0x79, nvme_cmd_zone_mgmt_recv = 0x7a, nvme_cmd_zone_append = 0x7d, - nvme_cmd_vendor_start = 0x80, }; #define nvme_opcode_name(opcode) { opcode, #opcode } -- 2.25.1

1 year, 12 months

4
12
0 0

[PATCH 1/1] genirq/generic_chip: Fix irq_remove_generic_chip() when an irq domain is used

by Herve Codina

irq_remove_generic_chip() can call (depending on the msk parameter value) several operations on irqs based on gc->irq_base such as irq_set_handler(irq, NULL) to remove an handler. When the generic chip is present in an irq domain (created with a call to irq_alloc_domain_generic_chips()), gc->irq_base is the base hardware irq for this chip. It is set to 0 for the first chip in the domain, 0 + n for the next chip (with n the number of hardware irqs per chip) and so on. In that case, the operations done on irqs based on gc->irq_base touch some irqs not related to the chip nor the domain breaking some unrelated components in the system. In order to avoid touching these "outside" irqs, take care of the domain irq mapping and translate the chip hardware irq to an irq number suitable for the several operations done. Fixes: cfefd21e693d ("genirq: Add chip suspend and resume callbacks") Cc: stable(a)vger.kernel.org Signed-off-by: Herve Codina <herve.codina(a)bootlin.com> --- kernel/irq/generic-chip.c | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/kernel/irq/generic-chip.c b/kernel/irq/generic-chip.c index c653cd31548d..494584e25ef4 100644 --- a/kernel/irq/generic-chip.c +++ b/kernel/irq/generic-chip.c @@ -544,21 +544,28 @@ EXPORT_SYMBOL_GPL(irq_setup_alt_chip); void irq_remove_generic_chip(struct irq_chip_generic *gc, u32 msk, unsigned int clr, unsigned int set) { - unsigned int i = gc->irq_base; + unsigned int irq; + unsigned int i; raw_spin_lock(&gc_lock); list_del(&gc->list); raw_spin_unlock(&gc_lock); - for (; msk; msk >>= 1, i++) { + for (i = 0; msk; msk >>= 1, i++) { if (!(msk & 0x01)) continue; + irq = gc->domain ? + irq_find_mapping(gc->domain, gc->irq_base + i) : + gc->irq_base + i; + if (!irq) + continue; + /* Remove handler first. That will mask the irq line */ - irq_set_handler(i, NULL); - irq_set_chip(i, &no_irq_chip); - irq_set_chip_data(i, NULL); - irq_modify_status(i, clr, set); + irq_set_handler(irq, NULL); + irq_set_chip(irq, &no_irq_chip); + irq_set_chip_data(irq, NULL); + irq_modify_status(irq, clr, set); } } EXPORT_SYMBOL_GPL(irq_remove_generic_chip); -- 2.41.0

1 year, 12 months

2
1
0 0

[PATCH v4] nvme: fix corruption for passthrough meta/data

by Kanchan Joshi

User can specify a smaller meta buffer than what the device is wired to update/access. Kernel makes a copy of the meta buffer into which the device does DMA. As a result, the device overwrites the unrelated kernel memory, causing random kernel crashes. Same issue is possible for extended-lba case also. When user specifies a short unaligned buffer, the kernel makes a copy and uses that for DMA. Detect these situations and prevent corruption for unprivileged user passthrough. No change to status-quo for privileged/root user. Fixes: 63263d60e0f9 ("nvme: Use metadata for passthrough commands") Cc: stable(a)vger.kernel.org Reported-by: Vincent Fu <vincent.fu(a)samsung.com> Signed-off-by: Kanchan Joshi <joshi.k(a)samsung.com> --- Changes since v3: - Block only unprivileged user - Harden the checks by disallowing everything for which data length (nlb) can not be determined - Separate the bounce buffer checks to a different function - Factor in CSIs beyond NVM and ZNS Changes since v2: - Handle extended-lba case: short unaligned buffer IO - Reduce the scope of check to only well-known commands - Do not check early. Move it deeper so that check gets executed less often - Combine two patches into one. Changes since v1: - Revise the check to exclude PRACT=1 case drivers/nvme/host/ioctl.c | 116 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 116 insertions(+) diff --git a/drivers/nvme/host/ioctl.c b/drivers/nvme/host/ioctl.c index d8ff796fd5f2..57160ca02e65 100644 --- a/drivers/nvme/host/ioctl.c +++ b/drivers/nvme/host/ioctl.c @@ -96,6 +96,76 @@ static void __user *nvme_to_user_ptr(uintptr_t ptrval) return (void __user *)ptrval; } +static inline bool nvme_nlb_in_cdw12(struct nvme_ns *ns, u8 opcode) +{ + u8 csi = ns->head->ids.csi; + + if (csi != NVME_CSI_NVM && csi != NVME_CSI_ZNS) + return false; + + switch (opcode) { + case nvme_cmd_read: + case nvme_cmd_write: + case nvme_cmd_compare: + case nvme_cmd_zone_append: + return true; + default: + return false; + } +} + +/* + * NVMe has no separate field to encode the metadata length expected + * (except when using SGLs). + * + * Because of that we can't allow to transfer arbitrary metadata, as + * a metadata buffer that is shorted than what the device expects for + * the command will lead to arbitrary kernel (if bounce buffering) or + * userspace (if not) memory corruption. + * + * Check that external metadata is only specified for the few commands + * where we know the length based of other fields, and that it fits + * the actual data transfer from/to the device. + */ +static bool nvme_validate_metadata_len(struct request *req, unsigned meta_len) +{ + struct nvme_ns *ns = req->q->queuedata; + struct nvme_command *c = nvme_req(req)->cmd; + u32 len_by_nlb; + + /* Do not guard admin */ + if (capable(CAP_SYS_ADMIN)) + return true; + + /* Block commands that do not have nlb in cdw12 */ + if (!nvme_nlb_in_cdw12(ns, c->common.opcode)) { + dev_err(ns->ctrl->device, + "unknown metadata command %c\n", c->common.opcode); + return false; + } + + /* Skip when PI is inserted or stripped and not transferred */ + if (ns->ms == ns->pi_size && + (c->rw.control & cpu_to_le16(NVME_RW_PRINFO_PRACT))) + return true; + + if (ns->features & NVME_NS_EXT_LBAS) { + dev_err(ns->ctrl->device, + "requires extended LBAs for metadata\n"); + return false; + } + + len_by_nlb = (le16_to_cpu(c->rw.length) + 1) * ns->ms; + if (meta_len < len_by_nlb) { + dev_err(ns->ctrl->device, + "metadata length (%u instad of %u) is too small.\n", + meta_len, len_by_nlb); + return false; + } + + return true; +} + static void *nvme_add_user_metadata(struct request *req, void __user *ubuf, unsigned len, u32 seed) { @@ -104,6 +174,9 @@ static void *nvme_add_user_metadata(struct request *req, void __user *ubuf, void *buf; struct bio *bio = req->bio; + if (!nvme_validate_metadata_len(req, len)) + return ERR_PTR(-EINVAL); + buf = kmalloc(len, GFP_KERNEL); if (!buf) goto out; @@ -134,6 +207,41 @@ static void *nvme_add_user_metadata(struct request *req, void __user *ubuf, return ERR_PTR(ret); } +static bool nvme_validate_buffer_len(struct nvme_ns *ns, struct nvme_command *c, + unsigned meta_len, unsigned data_len) +{ + u32 mlen_by_nlb, dlen_by_nlb; + + /* Do not guard admin */ + if (capable(CAP_SYS_ADMIN)) + return true; + + /* Block commands that do not have nlb in cdw12 */ + if (!nvme_nlb_in_cdw12(ns, c->common.opcode)) { + dev_err(ns->ctrl->device, + "unknown metadata command %c.\n", c->common.opcode); + return false; + } + + /* When PI is inserted or stripped and not transferred.*/ + if (ns->ms == ns->pi_size && + (c->rw.control & cpu_to_le16(NVME_RW_PRINFO_PRACT))) + mlen_by_nlb = 0; + else + mlen_by_nlb = (le16_to_cpu(c->rw.length) + 1) * ns->ms; + + dlen_by_nlb = (le16_to_cpu(c->rw.length) + 1) << ns->lba_shift; + + if (data_len < (dlen_by_nlb + mlen_by_nlb)) { + dev_err(ns->ctrl->device, + "buffer length (%u instad of %u) is too small.\n", + data_len, dlen_by_nlb + mlen_by_nlb); + return false; + } + + return true; +} + static int nvme_finish_user_metadata(struct request *req, void __user *ubuf, void *meta, unsigned len, int ret) { @@ -202,6 +310,14 @@ static int nvme_map_user_request(struct request *req, u64 ubuffer, } *metap = meta; } + /* Guard for a short bounce buffer */ + if (bio->bi_private) { + if (!nvme_validate_buffer_len(ns, nvme_req(req)->cmd, + meta_len, bufflen)) { + ret = -EINVAL; + goto out_unmap; + } + } return ret; -- 2.25.1

1 year, 12 months

4
16
0 0

[PATCH] regmap: Ensure range selector registers are updated after cache sync

by Mark Brown

When we sync the register cache we do so with the cache bypassed in order to avoid overhead from writing the synced values back into the cache. If the regmap has ranges and the selector register for those ranges is in a register which is cached this has the unfortunate side effect of meaning that the physical and cached copies of the selector register can be out of sync after a cache sync. The cache will have whatever the selector was when the sync started and the hardware will have the selector for the register that was synced last. Fix this by rewriting all cached selector registers after every sync, ensuring that the hardware and cache have the same content. This will result in extra writes that wouldn't otherwise be needed but is simple so hopefully robust. We don't read from the hardware since not all devices have physical read support. Given that nobody noticed this until now it is likely that we are rarely if ever hitting this case. Reported-by: Hector Martin <marcan(a)marcan.st> Signed-off-by: Mark Brown <broonie(a)kernel.org> Cc: stable(a)vger.kernel.org --- drivers/base/regmap/regcache.c | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/drivers/base/regmap/regcache.c b/drivers/base/regmap/regcache.c index c5d151e9c481..92592f944a3d 100644 --- a/drivers/base/regmap/regcache.c +++ b/drivers/base/regmap/regcache.c @@ -334,6 +334,11 @@ static int regcache_default_sync(struct regmap *map, unsigned int min, return 0; } +static int rbtree_all(const void *key, const struct rb_node *node) +{ + return 0; +} + /** * regcache_sync - Sync the register cache with the hardware. * @@ -351,6 +356,7 @@ int regcache_sync(struct regmap *map) unsigned int i; const char *name; bool bypass; + struct rb_node *node; if (WARN_ON(map->cache_type == REGCACHE_NONE)) return -EINVAL; @@ -392,6 +398,30 @@ int regcache_sync(struct regmap *map) /* Restore the bypass state */ map->cache_bypass = bypass; map->no_sync_defaults = false; + + /* + * If we did any paging with cache bypassed and a cached + * paging register then the register and cache state might + * have gone out of sync, force writes of all the paging + * registers. + */ + rb_for_each(node, 0, &map->range_tree, rbtree_all) { + struct regmap_range_node *this = + rb_entry(node, struct regmap_range_node, node); + + /* If there's nothing in the cache there's nothing to sync */ + ret = regcache_read(map, this->selector_reg, &i); + if (ret != 0) + continue; + + ret = _regmap_write(map, this->selector_reg, i); + if (ret != 0) { + dev_err(map->dev, "Failed to write %x = %x: %d\n", + this->selector_reg, i, ret); + break; + } + } + map->unlock(map->lock_arg); regmap_async_complete(map); --- base-commit: 611da07b89fdd53f140d7b33013f255bf0ed8f34 change-id: 20231026-regmap-fix-selector-sync-ad1514fd15df Best regards, -- Mark Brown <broonie(a)kernel.org>

1 year, 12 months

2
3
0 0

Linux kernel 6.1 - drivers/usb/storage/unusual_cypress.h "Super Top" minimum bcdDevice too high

by LihaSika

Hi, in kernel 6.1 (maybe 5.x - 6.x) there's an ATACB setting for "Super Top USB 2.0 SATA Bridge" -devices, where the minimum bcdDevice version to match has been set to 1.60. It's in the file drivers/usb/storage/unusual_cypress.h: """ UNUSUAL_DEV( 0x14cd, 0x6116, 0x0160, 0x0160, "Super Top", "USB 2.0 SATA BRIDGE", USB_SC_CYP_ATACB, USB_PR_DEVICE, NULL, 0), """ My old USB HDD with a "Super Top" bridge has bcdDevice version 1.50, thus the setting won't match and it will not mount. I'm not sure when this changed (after kernel 4.x?), but it used to work before. Reading some earlier bug reports, it seems that the max version used to be 0x9999, which then caused corruption in "Super Top" devices with version >=2.20. So that's a reason for lowering the maximum value, but I wonder why the minimum value has also been set to 0x0160. I created a patch, changing 0x0160 to 0x0150 (though I should've left the max version as it was...): """ UNUSUAL_DEV( 0x14cd, 0x6116, 0x0150, 0x0150, """ Built, installed and rebooted; now the USB HDD can be mounted and works perfectly again. I did some write & read tests, checked with diff, cmp and md5sum - no corruption, everything OK 👍 Best regards, LihaS

1 year, 12 months

2
1
0 0

Re: [PATCH] sched: psi: fix unprivileged polling against cgroups

by Daniel Black

Thank you, Reported-by: Daniel Black <daniel(a)mariadb.org>

1 year, 12 months

1
0
0 0

[PATCH v3 1/3] s390/vfio-ap: unpin pages on gisc registration failure

by Tony Krowiak

From: Anthony Krowiak <akrowiak(a)linux.ibm.com> In the vfio_ap_irq_enable function, after the page containing the notification indicator byte (NIB) is pinned, the function attempts to register the guest ISC. If registration fails, the function sets the status response code and returns without unpinning the page containing the NIB. In order to avoid a memory leak, the NIB should be unpinned before returning from the vfio_ap_irq_enable function. Co-developed-by: Janosch Frank <frankja(a)linux.ibm.com> Signed-off-by: Janosch Frank <frankja(a)linux.ibm.com> Signed-off-by: Anthony Krowiak <akrowiak(a)linux.ibm.com> Reviewed-by: Matthew Rosato <mjrosato(a)linux.ibm.com> Fixes: 783f0a3ccd79 ("s390/vfio-ap: add s390dbf logging to the vfio_ap_irq_enable function") Cc: <stable(a)vger.kernel.org> --- drivers/s390/crypto/vfio_ap_ops.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/s390/crypto/vfio_ap_ops.c b/drivers/s390/crypto/vfio_ap_ops.c index 4db538a55192..9cb28978c186 100644 --- a/drivers/s390/crypto/vfio_ap_ops.c +++ b/drivers/s390/crypto/vfio_ap_ops.c @@ -457,6 +457,7 @@ static struct ap_queue_status vfio_ap_irq_enable(struct vfio_ap_queue *q, VFIO_AP_DBF_WARN("%s: gisc registration failed: nisc=%d, isc=%d, apqn=%#04x\n", __func__, nisc, isc, q->apqn); + vfio_unpin_pages(&q->matrix_mdev->vdev, nib, 1); status.response_code = AP_RESPONSE_INVALID_GISA; return status; } -- 2.41.0

1 year, 12 months

1
0
0 0

[PATCH v2 1/1] PCI: qcom-ep: Implement write_dbi2() callback for writing DBI2 registers properly

by Manivannan Sadhasivam

DWC core driver exposes the write_dbi2() callback for writing to the DBI2 registers in a vendor specific way. On the Qcom EP plaforms, DBI_CS2 bit in the ELBI region needs to be asserted before writing to any DBI2 registers and deasserted once done. So let's implement the callback for the Qcom PCIe EP driver so that the DBI2 writes are handled properly in the hardware. Without this callback, DBI2 register writes like BAR size won't go through and as a result, the default BAR size is set for all BARs. Cc: stable(a)vger.kernel.org # 5.16+ Fixes: f55fee56a631 ("PCI: qcom-ep: Add Qualcomm PCIe Endpoint controller driver") Suggested-by: Serge Semin <fancer.lancer(a)gmail.com> Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org> --- drivers/pci/controller/dwc/pcie-qcom-ep.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/drivers/pci/controller/dwc/pcie-qcom-ep.c b/drivers/pci/controller/dwc/pcie-qcom-ep.c index 32c8d9e37876..7da0599f70e7 100644 --- a/drivers/pci/controller/dwc/pcie-qcom-ep.c +++ b/drivers/pci/controller/dwc/pcie-qcom-ep.c @@ -124,6 +124,7 @@ /* ELBI registers */ #define ELBI_SYS_STTS 0x08 +#define ELBI_CS2_ENABLE 0xa4 /* DBI registers */ #define DBI_CON_STATUS 0x44 @@ -262,6 +263,21 @@ static void qcom_pcie_dw_stop_link(struct dw_pcie *pci) disable_irq(pcie_ep->perst_irq); } +static void qcom_pcie_write_dbi2(struct dw_pcie *pci, void __iomem *base, + u32 reg, size_t size, u32 val) +{ + struct qcom_pcie_ep *pcie_ep = to_pcie_ep(pci); + int ret; + + writel(1, pcie_ep->elbi + ELBI_CS2_ENABLE); + + ret = dw_pcie_write(pci->dbi_base2 + reg, size, val); + if (ret) + dev_err(pci->dev, "Failed to write DBI2 register (0x%x): %d\n", reg, ret); + + writel(0, pcie_ep->elbi + ELBI_CS2_ENABLE); +} + static void qcom_pcie_ep_icc_update(struct qcom_pcie_ep *pcie_ep) { struct dw_pcie *pci = &pcie_ep->pci; @@ -500,6 +516,7 @@ static const struct dw_pcie_ops pci_ops = { .link_up = qcom_pcie_dw_link_up, .start_link = qcom_pcie_dw_start_link, .stop_link = qcom_pcie_dw_stop_link, + .write_dbi2 = qcom_pcie_write_dbi2, }; static int qcom_pcie_ep_get_io_resources(struct platform_device *pdev, -- 2.25.1

1 year, 12 months

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror October 2023