October 2023 - Linux-stable-mirror

[PATCH v2] iio: cros_ec: fix an use-after-free in cros_ec_sensors_push_data()

by Tzung-Bi Shih

cros_ec_sensors_push_data() reads `indio_dev->active_scan_mask` and calls iio_push_to_buffers_with_timestamp() without making sure the `indio_dev` stays in buffer mode. There is a race if `indio_dev` exits buffer mode right before cros_ec_sensors_push_data() accesses them. An use-after-free on `indio_dev->active_scan_mask` was observed. The call trace: [...] _find_next_bit cros_ec_sensors_push_data cros_ec_sensorhub_event blocking_notifier_call_chain cros_ec_irq_thread It was caused by a race condition: one thread just freed `active_scan_mask` at [1]; while another thread tried to access the memory at [2]. Fix it by calling iio_device_claim_buffer_mode() to ensure the `indio_dev` can't exit buffer mode during cros_ec_sensors_push_data(). [1]: https://elixir.bootlin.com/linux/v6.5/source/drivers/iio/industrialio-buffe… [2]: https://elixir.bootlin.com/linux/v6.5/source/drivers/iio/common/cros_ec_sen… Cc: stable(a)vger.kernel.org Fixes: aa984f1ba4a4 ("iio: cros_ec: Register to cros_ec_sensorhub when EC supports FIFO") Signed-off-by: Tzung-Bi Shih <tzungbi(a)kernel.org> --- Changes from v1(https://patchwork.kernel.org/project/linux-iio/patch/20230828094339.1248…: - Use iio_device_{claim|release}_buffer_mode() instead of accessing `mlock`. drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.c b/drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.c index b72d39fc2434..6bfe5d6847e7 100644 --- a/drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.c +++ b/drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.c @@ -190,8 +190,11 @@ int cros_ec_sensors_push_data(struct iio_dev *indio_dev, /* * Ignore samples if the buffer is not set: it is needed if the ODR is * set but the buffer is not enabled yet. + * + * Note: iio_device_claim_buffer_mode() returns -EBUSY if the buffer + * is not enabled. */ - if (!iio_buffer_enabled(indio_dev)) + if (iio_device_claim_buffer_mode(indio_dev) < 0) return 0; out = (s16 *)st->samples; @@ -210,6 +213,7 @@ int cros_ec_sensors_push_data(struct iio_dev *indio_dev, iio_push_to_buffers_with_timestamp(indio_dev, st->samples, timestamp + delta); + iio_device_release_buffer_mode(indio_dev); return 0; } EXPORT_SYMBOL_GPL(cros_ec_sensors_push_data); -- 2.42.0.rc2.253.gd59a3bf2b4-goog

1 year, 2 months

5
5
0 0

[PATCH v2] bus: mhi: host: Add alignment check for event ring read pointer

by Krishna chaitanya chundru

Though we do check the event ring read pointer by "is_valid_ring_ptr" to make sure it is in the buffer range, but there is another risk the pointer may be not aligned. Since we are expecting event ring elements are 128 bits(struct mhi_ring_element) aligned, an unaligned read pointer could lead to multiple issues like DoS or ring buffer memory corruption. So add a alignment check for event ring read pointer. Fixes: ec32332df764 ("bus: mhi: core: Sanity check values from remote device before use") cc: stable(a)vger.kernel.org Signed-off-by: Krishna chaitanya chundru <quic_krichai(a)quicinc.com> --- Changes in v2: - Change the modulus operation to bit-wise & operation as suggested by Jeff. - Link to v1: https://lore.kernel.org/r/20231023-alignment_check-v1-1-2ca5716d5c15@quicin… --- drivers/bus/mhi/host/main.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/bus/mhi/host/main.c b/drivers/bus/mhi/host/main.c index 499590437e9b..e765c16a99d1 100644 --- a/drivers/bus/mhi/host/main.c +++ b/drivers/bus/mhi/host/main.c @@ -268,7 +268,8 @@ static void mhi_del_ring_element(struct mhi_controller *mhi_cntrl, static bool is_valid_ring_ptr(struct mhi_ring *ring, dma_addr_t addr) { - return addr >= ring->iommu_base && addr < ring->iommu_base + ring->len; + return addr >= ring->iommu_base && addr < ring->iommu_base + ring->len && + !(addr & (sizeof(struct mhi_ring_element) - 1)); } int mhi_destroy_device(struct device *dev, void *data) --- base-commit: 71e68e182e382e951d6248bccc3c960dcec5a718 change-id: 20231013-alignment_check-c013f509d24a Best regards, -- Krishna chaitanya chundru <quic_krichai(a)quicinc.com>

1 year, 2 months

4
5
0 0

[PATCH 5.4 000/131] 5.4.258-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.4.258 release. There are 131 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 11 Oct 2023 13:00:55 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.258-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.4.258-rc1 Arnd Bergmann <arnd(a)arndb.de> ima: rework CONFIG_IMA dependency block Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: Fix a race in __nfs_list_for_each_server() John David Anglin <dave(a)parisc-linux.org> parisc: Restore __ldcw_align for PA-RISC 2.0 processors Shay Drory <shayd(a)nvidia.com> RDMA/mlx5: Fix NULL string error Bernard Metzler <bmt(a)zurich.ibm.com> RDMA/siw: Fix connection failure handling Konstantin Meskhidze <konstantin.meskhidze(a)huawei.com> RDMA/uverbs: Fix typo of sizeof argument Leon Romanovsky <leonro(a)nvidia.com> RDMA/cma: Fix truncation compilation warning in make_cma_ports Duje Mihanović <duje.mihanovic(a)skole.hr> gpio: pxa: disable pinctrl calls for MMP_GPIO Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> gpio: aspeed: fix the GPIO number passed to pinctrl_gpio_set_config() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> IB/mlx4: Fix the size of a buffer in add_port_entries() Leon Romanovsky <leonro(a)nvidia.com> RDMA/core: Require admin capabilities to set system parameters Ivan Babrou <ivan(a)cloudflare.com> cpupower: add Makefile dependencies for install targets Xin Long <lucien.xin(a)gmail.com> sctp: update hb timer immediately after users change hb_interval Xin Long <lucien.xin(a)gmail.com> sctp: update transport state when processing a dupcook packet Neal Cardwell <ncardwell(a)google.com> tcp: fix delayed ACKs for MSS boundary condition Neal Cardwell <ncardwell(a)google.com> tcp: fix quick-ack counting to count actual ACKs of new data Ben Wolsieffer <ben.wolsieffer(a)hefring.com> net: stmmac: dwmac-stm32: fix resume on STM32 MCU Xin Long <lucien.xin(a)gmail.com> netfilter: handle the connecting collision properly in nf_conntrack_proto_sctp Jeremy Cline <jeremy(a)jcline.org> net: nfc: llcp: Add lock when modifying device list Shigeru Yoshida <syoshida(a)redhat.com> net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg Fabio Estevam <festevam(a)denx.de> net: dsa: mv88e6xxx: Avoid EEPROM timeout when EEPROM is absent David Howells <dhowells(a)redhat.com> ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data() Eric Dumazet <edumazet(a)google.com> net: fix possible store tearing in neigh_periodic_work() Mauricio Faria de Oliveira <mfo(a)canonical.com> modpost: add missing else to the "of" check Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Fix a nfs4_state_manager() race Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: Add a helper nfs_client_for_each_server() Chuck Lever <chuck.lever(a)oracle.com> NFS4: Trace state recovery operation Junxiao Bi <junxiao.bi(a)oracle.com> scsi: target: core: Fix deadlock due to recursive locking Oleksandr Tymoshenko <ovt(a)google.com> ima: Finish deprecation of IMA_TRUSTED_KEYRING Kconfig Richard Fitzgerald <rf(a)opensource.cirrus.com> regmap: rbtree: Fix wrong register marked as in-cache when creating new node Felix Fietkau <nbd(a)nbd.name> wifi: mt76: mt76x02: fix MT76x0 external LNA gain handling Alexandra Diupina <adiupina(a)astralinux.ru> drivers/net: process the result of hdlc_open() and add call of hdlc_close() in uhdlc_close() Pin-yen Lin <treapking(a)chromium.org> wifi: mwifiex: Fix oob check condition in mwifiex_process_rx_packet Arnd Bergmann <arnd(a)arndb.de> wifi: iwlwifi: dbg_ini: fix structure packing Zhihao Cheng <chengzhihao1(a)huawei.com> ubi: Refuse attaching if mtd's erasesize is 0 Jordan Rife <jrife(a)google.com> net: prevent rewrite of msg_name in sock_sendmsg() Qu Wenruo <wqu(a)suse.com> btrfs: reject unknown mount options early Jordan Rife <jrife(a)google.com> net: replace calls to sock->ops->connect() with kernel_connect() Gustavo A. R. Silva <gustavoars(a)kernel.org> wifi: mwifiex: Fix tlv_buf_left calculation Gustavo A. R. Silva <gustavoars(a)kernel.org> qed/red_ll2: Fix undefined behavior bug in struct qed_ll2_info Dinghao Liu <dinghao.liu(a)zju.edu.cn> scsi: zfcp: Fix a double put in zfcp_port_enqueue() Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "PCI: qcom: Disable write access to read only registers for IP v2.3.3" Ilya Dryomov <idryomov(a)gmail.com> rbd: take header_rwsem in rbd_dev_refresh() only when updating Ilya Dryomov <idryomov(a)gmail.com> rbd: decouple parent info read-in from updating rbd_dev Ilya Dryomov <idryomov(a)gmail.com> rbd: decouple header read-in from updating rbd_dev->header Ilya Dryomov <idryomov(a)gmail.com> rbd: move rbd_dev_refresh() definition Greg Ungerer <gerg(a)kernel.org> fs: binfmt_elf_efpic: fix personality for ELF-FDPIC Matthias Schiffer <mschiffer(a)universe-factory.net> ata: libata-sata: increase PMP SRST timeout to 10s Damien Le Moal <dlemoal(a)kernel.org> ata: libata-core: Do not register PM operations for SAS ports Damien Le Moal <dlemoal(a)kernel.org> ata: libata-core: Fix port and device removal Damien Le Moal <dlemoal(a)kernel.org> ata: libata-core: Fix ata_port_request_pm() locking Mika Westerberg <mika.westerberg(a)linux.intel.com> net: thunderbolt: Fix TCPv6 GSO checksum calculation Josef Bacik <josef(a)toxicpanda.com> btrfs: properly report 0 avail for very full file systems Steven Rostedt (Google) <rostedt(a)goodmis.org> ring-buffer: Update "shortest_full" in polling Heiner Kallweit <hkallweit1(a)gmail.com> i2c: i801: unregister tco_pdev in i801_probe() error path Niklas Cassel <niklas.cassel(a)wdc.com> ata: libata-scsi: ignore reserved bits for REPORT SUPPORTED OPERATION CODES Kailang Yang <kailang(a)realtek.com> ALSA: hda: Disable power save for solving pop issue on Lenovo ThinkCentre M70q Pan Bian <bianpan2016(a)163.com> nilfs2: fix potential use after free in nilfs_gccache_submit_read_data() Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> serial: 8250_port: Check IRQ data before use Vishal Goel <vishal.goel(a)samsung.com> Smack:- Use overlay inode label in smack_inode_copy_up() Roberto Sassu <roberto.sassu(a)huawei.com> smack: Retrieve transmuting information in smack_inode_getsecurity() Roberto Sassu <roberto.sassu(a)huawei.com> smack: Record transmuting in smk_transmuted Stefan Assmann <sassmann(a)kpanic.de> i40e: fix return of uninitialized aq_ret in i40e_set_vsi_promisc Stefan Assmann <sassmann(a)kpanic.de> i40e: always propagate error value in i40e_set_vsi_promisc() Stefan Assmann <sassmann(a)kpanic.de> i40e: improve locking of mac_filter_hash Mika Westerberg <mika.westerberg(a)linux.intel.com> watchdog: iTCO_wdt: Set NO_REBOOT if the watchdog is not already running Mika Westerberg <mika.westerberg(a)linux.intel.com> watchdog: iTCO_wdt: No need to stop the timer in probe Pratyush Yadav <ptyadav(a)amazon.de> nvme-pci: do not set the NUMA node of device if it has none Thomas Zimmermann <tzimmermann(a)suse.de> fbdev/sh7760fb: Depend on FB=y Johnathan Mantey <johnathanx.mantey(a)intel.com> ncsi: Propagate carrier gain/loss events to the NCSI controller Benjamin Gray <bgray(a)linux.ibm.com> powerpc/watchpoints: Annotate atomic context in more places Stanislav Fomichev <sdf(a)google.com> bpf: Clarify error expectations from bpf_clone_redirect Han Xu <han.xu(a)nxp.com> spi: nxp-fspi: reset the FLSHxCR1 registers Niklas Cassel <niklas.cassel(a)wdc.com> ata: libata-eh: do not clear ATA_PFLAG_EH_PENDING in ata_eh_reset() Zheng Yejian <zhengyejian1(a)huawei.com> ring-buffer: Avoid softlockup in ring_buffer_resize() Zheng Yejian <zhengyejian1(a)huawei.com> selftests/ftrace: Correctly enable event in instance-event.tc Helge Deller <deller(a)gmx.de> parisc: irq: Make irq_stack_union static to avoid sparse warning Helge Deller <deller(a)gmx.de> parisc: drivers: Fix sparse warning Helge Deller <deller(a)gmx.de> parisc: iosapic.c: Fix sparse warnings Helge Deller <deller(a)gmx.de> parisc: sba: Fix compile warning wrt list of SBA devices Wenhua Lin <Wenhua.Lin(a)unisoc.com> gpio: pmic-eic-sprd: Add can_sleep flag for PMIC EIC chip Max Filippov <jcmvbkbc(a)gmail.com> xtensa: boot/lib: fix function prototypes Randy Dunlap <rdunlap(a)infradead.org> xtensa: boot: don't add include-dirs Randy Dunlap <rdunlap(a)infradead.org> xtensa: iss/network: make functions static Max Filippov <jcmvbkbc(a)gmail.com> xtensa: add default definition for XCHAL_HAVE_DIV32 Tony Lindgren <tony(a)atomide.com> bus: ti-sysc: Fix SYSC_QUIRK_SWSUP_SIDLE_ACT handling for uart wake-up Tony Lindgren <tony(a)atomide.com> ARM: dts: ti: omap: motorola-mapphone: Fix abe_clkctrl warning on boot Timo Alho <talho(a)nvidia.com> clk: tegra: fix error return case for recalc_rate Christoph Hellwig <hch(a)lst.de> MIPS: Alchemy: only build mmc support helpers if au1xmmc is enabled Niklas Cassel <niklas.cassel(a)wdc.com> ata: libata: disallow dev-initiated LPM transitions to unsupported states Hamza Mahfooz <hamza.mahfooz(a)amd.com> drm/amd/display: prevent potential division by zero errors Anthony Koo <Anthony.Koo(a)amd.com> drm/amd/display: Fix LFC multiplier changing erratically Amanda Liu <amanda.liu(a)amd.com> drm/amd/display: Reinstate LFC optimization Ahmad Fatoum <a.fatoum(a)pengutronix.de> clk: imx: pll14xx: dynamically configure PLL for 393216000/361267200Hz Anson Huang <Anson.Huang(a)nxp.com> clk: imx: pll14xx: Add new frequency entries for pll1443x table YueHaibing <yuehaibing(a)huawei.com> clk: imx: clk-pll14xx: Make two variables static Quinn Tran <qutran(a)marvell.com> scsi: qla2xxx: Fix deletion race condition Himanshu Madhani <hmadhani(a)marvell.com> scsi: qla2xxx: Fix update_fcport for current_topology Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - add quirk for TUXEDO Gemini 17 Gen1/Clevo PD70PN Xiaoke Wang <xkernel.wang(a)foxmail.com> i2c: mux: demux-pinctrl: check the return value of devm_kstrdup() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> gpio: tb10x: Fix an error handling path in tb10x_gpio_probe() Jozsef Kadlecsik <kadlec(a)netfilter.org> netfilter: ipset: Fix race between IPSET_CMD_CREATE and IPSET_CMD_SWAP Artem Chernyshev <artem.chernyshev(a)red-soft.ru> net: rds: Fix possible NULL-pointer dereference Ziyang Xuan <william.xuanziyang(a)huawei.com> team: fix null-ptr-deref when team device type is changed Eric Dumazet <edumazet(a)google.com> net: bridge: use DEV_STATS_INC() Jie Wang <wangjie125(a)huawei.com> net: hns3: add 5ms delay before clear firmware reset irq source Eric Dumazet <edumazet(a)google.com> dccp: fix dccp_v4_err()/dccp_v6_err() again Kajol Jain <kjain(a)linux.ibm.com> powerpc/perf/hv-24x7: Update domain value check Kyle Zeng <zengyhkyle(a)gmail.com> ipv4: fix null-deref in ipv4_link_failure Ivan Vecera <ivecera(a)redhat.com> i40e: Fix VF VLAN offloading when port VLAN is configured Karen Sornek <karen.sornek(a)intel.com> i40e: Fix warning message and call stack during rmmod i40e driver Aleksandr Loktionov <aleksandr.loktionov(a)intel.com> i40e: Remove scheduling while atomic possibility Sylwia Wnuczko <sylwia.wnuczko(a)intel.com> i40e: Fix for persistent lldp support Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: imx-audmix: Fix return error with devm_clk_get() Sabrina Dubroca <sd(a)queasysnail.net> selftests: tls: swap the TX and RX sockets in some tests Kees Cook <keescook(a)chromium.org> selftests/tls: Add {} to avoid static checker warning Toke Høiland-Jørgensen <toke(a)redhat.com> bpf: Avoid deadlock when using queue and stack maps from NMI Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: disallow element removal on anonymous sets Jerome Brunet <jbrunet(a)baylibre.com> ASoC: meson: spdifin: start hw on dai probe Jan Kara <jack(a)suse.cz> ext4: do not let fstrim block system suspend Jan Kara <jack(a)suse.cz> ext4: move setting of trimmed bit into ext4_try_to_trim_range() Kemeng Shi <shikemeng(a)huaweicloud.com> ext4: replace the traditional ternary conditional operator with with max()/min() Dmitry Monakhov <dmtrmonakhov(a)yandex-team.ru> ext4: mark group as trimmed only if it was fully scanned Lukas Czerner <lczerner(a)redhat.com> ext4: change s_last_trim_minblks type to unsigned long Lukas Bulwahn <lukas.bulwahn(a)gmail.com> ext4: scope ret locally in ext4_try_to_trim_range() Wang Jianchao <wangjianchao(a)kuaishou.com> ext4: add new helper interface ext4_try_to_trim_range() Wang Jianchao <wangjianchao(a)kuaishou.com> ext4: remove the 'group' parameter of ext4_trim_extent Szuying Chen <chensiying21(a)gmail.com> ata: libahci: clear pending interrupt status Steven Rostedt (Google) <rostedt(a)goodmis.org> tracing: Increase trace array ref count on enable and filter files Trond Myklebust <trond.myklebust(a)hammerspace.com> SUNRPC: Mark the cred for revalidation if the server rejects it Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS/pNFS: Report EINVAL errors from connect() to the server ------------- Diffstat: Makefile | 4 +- arch/arm/boot/dts/omap4-droid4-xt894.dts | 4 +- arch/mips/alchemy/devboards/db1000.c | 4 + arch/mips/alchemy/devboards/db1200.c | 6 + arch/mips/alchemy/devboards/db1300.c | 4 + arch/parisc/include/asm/ldcw.h | 36 +- arch/parisc/include/asm/ropes.h | 3 + arch/parisc/include/asm/spinlock_types.h | 5 - arch/parisc/kernel/drivers.c | 2 +- arch/parisc/kernel/irq.c | 2 +- arch/powerpc/kernel/hw_breakpoint.c | 9 + arch/powerpc/perf/hv-24x7.c | 2 +- arch/xtensa/boot/Makefile | 3 +- arch/xtensa/boot/lib/zmem.c | 5 +- arch/xtensa/include/asm/core.h | 4 + arch/xtensa/platforms/iss/network.c | 4 +- drivers/ata/ahci.c | 9 + drivers/ata/libahci.c | 35 +- drivers/ata/libata-core.c | 60 ++- drivers/ata/libata-eh.c | 13 +- drivers/ata/libata-scsi.c | 2 +- drivers/ata/libata-transport.c | 9 +- drivers/ata/libata.h | 2 + drivers/base/regmap/regcache-rbtree.c | 3 +- drivers/block/rbd.c | 420 +++++++++++---------- drivers/bus/ti-sysc.c | 22 +- drivers/char/agp/parisc-agp.c | 2 - drivers/clk/imx/clk-pll14xx.c | 8 +- drivers/clk/tegra/clk-bpmp.c | 2 +- drivers/gpio/gpio-aspeed.c | 2 +- drivers/gpio/gpio-pmic-eic-sprd.c | 1 + drivers/gpio/gpio-pxa.c | 1 + drivers/gpio/gpio-tb10x.c | 6 +- .../drm/amd/display/modules/freesync/freesync.c | 69 +++- .../gpu/drm/amd/display/modules/inc/mod_freesync.h | 1 + drivers/i2c/busses/i2c-i801.c | 1 + drivers/i2c/muxes/i2c-demux-pinctrl.c | 4 + drivers/infiniband/core/cma_configfs.c | 2 +- drivers/infiniband/core/nldev.c | 1 + drivers/infiniband/core/uverbs_main.c | 2 +- drivers/infiniband/hw/mlx4/sysfs.c | 2 +- drivers/infiniband/hw/mlx5/main.c | 2 +- drivers/infiniband/sw/siw/siw_cm.c | 16 +- drivers/input/serio/i8042-x86ia64io.h | 7 + drivers/mtd/ubi/build.c | 7 + drivers/net/dsa/mv88e6xxx/chip.c | 6 +- drivers/net/dsa/mv88e6xxx/global1.c | 31 -- drivers/net/dsa/mv88e6xxx/global1.h | 1 - drivers/net/dsa/mv88e6xxx/global2.c | 2 +- drivers/net/dsa/mv88e6xxx/global2.h | 1 + .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 5 + drivers/net/ethernet/intel/i40e/i40e_dcb.c | 4 +- drivers/net/ethernet/intel/i40e/i40e_dcb.h | 3 + drivers/net/ethernet/intel/i40e/i40e_nvm.c | 61 +-- drivers/net/ethernet/intel/i40e/i40e_prototype.h | 10 +- drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 319 +++++++++------- drivers/net/ethernet/qlogic/qed/qed_ll2.h | 2 +- drivers/net/ethernet/stmicro/stmmac/dwmac-stm32.c | 7 +- drivers/net/team/team.c | 10 +- drivers/net/thunderbolt.c | 3 +- drivers/net/usb/smsc75xx.c | 4 +- drivers/net/wan/fsl_ucc_hdlc.c | 12 +- drivers/net/wireless/intel/iwlwifi/fw/error-dump.h | 6 +- .../net/wireless/marvell/mwifiex/11n_rxreorder.c | 4 +- drivers/net/wireless/marvell/mwifiex/sta_rx.c | 16 +- .../net/wireless/mediatek/mt76/mt76x02_eeprom.c | 7 - drivers/net/wireless/mediatek/mt76/mt76x2/eeprom.c | 13 +- drivers/nvme/host/pci.c | 2 - drivers/parisc/iosapic.c | 4 +- drivers/parisc/iosapic_private.h | 4 +- drivers/pci/controller/dwc/pcie-qcom.c | 2 - drivers/s390/scsi/zfcp_aux.c | 9 +- drivers/scsi/qla2xxx/qla_init.c | 21 +- drivers/scsi/qla2xxx/qla_target.c | 12 +- drivers/spi/spi-nxp-fspi.c | 7 + drivers/target/target_core_device.c | 11 +- drivers/tty/serial/8250/8250_port.c | 5 +- drivers/video/fbdev/Kconfig | 2 +- drivers/watchdog/iTCO_wdt.c | 26 +- fs/binfmt_elf_fdpic.c | 5 +- fs/btrfs/super.c | 6 +- fs/ext4/ext4.h | 2 +- fs/ext4/mballoc.c | 138 ++++--- fs/nfs/flexfilelayout/flexfilelayout.c | 1 + fs/nfs/internal.h | 4 +- fs/nfs/nfs4state.c | 10 + fs/nfs/nfs4trace.h | 93 +++++ fs/nfs/super.c | 35 ++ fs/nilfs2/gcinode.c | 6 +- include/linux/if_team.h | 2 + include/linux/libata.h | 6 +- include/linux/netfilter/nf_conntrack_sctp.h | 1 + include/net/tcp.h | 6 +- include/uapi/linux/bpf.h | 4 +- kernel/bpf/queue_stack_maps.c | 21 +- kernel/trace/ring_buffer.c | 5 + kernel/trace/trace.c | 27 ++ kernel/trace/trace.h | 2 + kernel/trace/trace_events.c | 6 +- net/bridge/br_forward.c | 4 +- net/bridge/br_input.c | 4 +- net/core/neighbour.c | 4 +- net/dccp/ipv4.c | 9 +- net/dccp/ipv6.c | 9 +- net/ipv4/route.c | 4 +- net/ipv4/tcp_input.c | 13 + net/ipv4/tcp_output.c | 7 +- net/l2tp/l2tp_ip6.c | 2 +- net/ncsi/ncsi-aen.c | 5 + net/netfilter/ipset/ip_set_core.c | 12 +- net/netfilter/ipvs/ip_vs_sync.c | 4 +- net/netfilter/nf_conntrack_proto_sctp.c | 43 ++- net/netfilter/nf_tables_api.c | 9 +- net/nfc/llcp_core.c | 2 + net/rds/rdma_transport.c | 8 +- net/rds/tcp_connect.c | 2 +- net/sctp/associola.c | 3 +- net/sctp/socket.c | 1 + net/socket.c | 29 +- net/sunrpc/clnt.c | 1 + scripts/mod/file2alias.c | 2 +- security/integrity/ima/Kconfig | 20 +- security/smack/smack.h | 1 + security/smack/smack_lsm.c | 65 +++- sound/pci/hda/hda_intel.c | 1 + sound/soc/fsl/imx-audmix.c | 2 +- sound/soc/meson/axg-spdifin.c | 49 +-- tools/include/uapi/linux/bpf.h | 4 +- tools/power/cpupower/Makefile | 8 +- tools/power/cpupower/bench/Makefile | 2 +- .../ftrace/test.d/instances/instance-event.tc | 2 +- tools/testing/selftests/net/tls.c | 11 +- 132 files changed, 1389 insertions(+), 773 deletions(-)

1 year, 2 months

9
142
0 0

[PATCH] s390/vfio-ap: fix sysfs status attribute for AP queue devices

by Tony Krowiak

The 'status' attribute for AP queue devices bound to the vfio_ap device driver displays incorrect status when the mediated device is attached to a guest, but the queue device is not passed through. In the current implementation, the status displayed is 'in_use' which is not correct; it should be 'assigned'. This can happen if one of the queue devices associated with a given adapter is not bound to the vfio_ap device driver. For example: Queues listed in /sys/bus/ap/drivers/vfio_ap: 14.0005 14.0006 14.000d 16.0006 16.000d Queues listed in /sys/devices/vfio_ap/matrix/$UUID/matrix 14.0005 14.0006 14.000d 16.0005 16.0006 16.000d Queues listed in /sys/devices/vfio_ap/matrix/$UUID/guest_matrix 14.0005 14.0006 14.000d The reason no queues for adapter 0x16 are listed in the guest_matrix is because queue 16.0005 is not bound to the vfio_ap device driver, so no queue associated with the adapter is passed through to the guest; therefore, each queue device for adapter 0x16 should display 'assigned' instead of 'in_use', because those queues are not in use by a guest, but only assigned to the mediated device. Let's check the AP configuration for the guest to determine whether a queue device is passed through before displaying a status of 'in_use'. Signed-off-by: Tony Krowiak <akrowiak(a)linux.ibm.com> Fixes: f139862b92cf ("s390/vfio-ap: add status attribute to AP queue device's sysfs dir") Cc: stable(a)vger.kernel.org --- drivers/s390/crypto/vfio_ap_ops.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/s390/crypto/vfio_ap_ops.c b/drivers/s390/crypto/vfio_ap_ops.c index 4db538a55192..871c14a6921f 100644 --- a/drivers/s390/crypto/vfio_ap_ops.c +++ b/drivers/s390/crypto/vfio_ap_ops.c @@ -1976,6 +1976,7 @@ static ssize_t status_show(struct device *dev, { ssize_t nchars = 0; struct vfio_ap_queue *q; + unsigned long apid, apqi; struct ap_matrix_mdev *matrix_mdev; struct ap_device *apdev = to_ap_dev(dev); @@ -1984,7 +1985,11 @@ static ssize_t status_show(struct device *dev, matrix_mdev = vfio_ap_mdev_for_queue(q); if (matrix_mdev) { - if (matrix_mdev->kvm) + apid = AP_QID_CARD(q->apqn); + apqi = AP_QID_QUEUE(q->apqn); + if (matrix_mdev->kvm && + test_bit_inv(apid, matrix_mdev->shadow_apcb.apm) && + test_bit_inv(apqi, matrix_mdev->shadow_apcb.aqm)) nchars = scnprintf(buf, PAGE_SIZE, "%s\n", AP_QUEUE_IN_USE); else -- 2.41.0

1 year, 2 months

3
4
0 0

Intermittent storage (dm-crypt?) freeze - regression 6.4->6.5

by Marek Marczykowski-Górecki

Hi, Since updating from 6.4.13 to 6.5.5 occasionally I hit a storage subsystem freeze - any I/O ends up frozen. I'm not sure what exactly triggers the issue, but often it happens when doing some LVM operations (lvremove, lvrename etc) on a dm-thin volume together with bulk data copy to/from another LVM thin volume with ext4 fs. The storage stack I use is: nvme -> dm-crypt (LUKS) -> dm-thin (LVM thin pool) -> ext4 And this whole thing running in a (PV) dom0 under Xen, on Qubes OS 4.2 to be specific. I can reproduce the issue on at least 3 different machines. I did tried also 6.5.6 and the issue is still there. I haven't checked newer versions, but briefly reviewed git log and haven't found anything suggesting a fix to similar issue. I managed to bisect it down to this commit: commit 5054e778fcd9cd29ddaa8109077cd235527e4f94 Author: Mikulas Patocka <mpatocka(a)redhat.com> Date: Mon May 1 09:19:17 2023 -0400 dm crypt: allocate compound pages if possible It was reported that allocating pages for the write buffer in dm-crypt causes measurable overhead [1]. Change dm-crypt to allocate compound pages if they are available. If not, fall back to the mempool. [1] https://listman.redhat.com/archives/dm-devel/2023-February/053284.html Suggested-by: Matthew Wilcox <willy(a)infradead.org> Signed-off-by: Mikulas Patocka <mpatocka(a)redhat.com> Signed-off-by: Mike Snitzer <snitzer(a)kernel.org> TBH, I'm not sure if the bug is in this commit, or maybe in some functions it uses (I don't see dm-crypt functions directly involved in the stack traces I collected). But reverting this commit on top of 6.5.6 seems to fix the issue. I tried also CONFIG_PROVE_LOCKING, but it didn't show any issue. I managed to collect "blocked tasks" dump via sysrq below. Few more can be found at https://github.com/QubesOS/qubes-issues/issues/8575 [ 4246.558313] sysrq: Show Blocked State [ 4246.558388] task:journal-offline state:D stack:0 pid:8098 ppid:1 flags:0x00000002 [ 4246.558407] Call Trace: [ 4246.558414] <TASK> [ 4246.558422] __schedule+0x23d/0x670 [ 4246.558440] schedule+0x5e/0xd0 [ 4246.558450] io_schedule+0x46/0x70 [ 4246.558461] folio_wait_bit_common+0x13d/0x350 [ 4246.558475] ? __pfx_wake_page_function+0x10/0x10 [ 4246.558488] folio_wait_writeback+0x2c/0x90 [ 4246.558498] mpage_prepare_extent_to_map+0x15c/0x4d0 [ 4246.558512] ext4_do_writepages+0x25f/0x770 [ 4246.558523] ext4_writepages+0xad/0x180 [ 4246.558533] do_writepages+0xcf/0x1e0 [ 4246.558543] ? __seccomp_filter+0x32a/0x4f0 [ 4246.558554] filemap_fdatawrite_wbc+0x63/0x90 [ 4246.558567] __filemap_fdatawrite_range+0x5c/0x80 [ 4246.558578] file_write_and_wait_range+0x4a/0xb0 [ 4246.558588] ext4_sync_file+0x88/0x380 [ 4246.558598] __x64_sys_fsync+0x3b/0x70 [ 4246.558609] do_syscall_64+0x5c/0x90 [ 4246.558621] ? exit_to_user_mode_prepare+0xb2/0xd0 [ 4246.558632] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 4246.558644] RIP: 0033:0x7710cf124d0a [ 4246.558654] RSP: 002b:00007710ccdfda40 EFLAGS: 00000293 ORIG_RAX: 000000000000004a [ 4246.558668] RAX: ffffffffffffffda RBX: 000064bb92f67e60 RCX: 00007710cf124d0a [ 4246.558679] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000028 [ 4246.558691] RBP: 000064bb92f72670 R08: 0000000000000000 R09: 00007710ccdfe6c0 [ 4246.558702] R10: 00007710cf0adfee R11: 0000000000000293 R12: 000064bb92505940 [ 4246.558713] R13: 0000000000000002 R14: 00007ffc05649500 R15: 00007710cc5fe000 [ 4246.558728] </TASK> [ 4246.558836] task:lvm state:D stack:0 pid:7835 ppid:5665 flags:0x00004006 [ 4246.558852] Call Trace: [ 4246.558857] <TASK> [ 4246.558863] __schedule+0x23d/0x670 [ 4246.558874] schedule+0x5e/0xd0 [ 4246.558884] io_schedule+0x46/0x70 [ 4246.558894] dm_wait_for_bios_completion+0xfc/0x110 [ 4246.558909] ? __pfx_autoremove_wake_function+0x10/0x10 [ 4246.558922] __dm_suspend+0x7e/0x1b0 [ 4246.558932] dm_internal_suspend_noflush+0x5c/0x80 [ 4246.558946] pool_presuspend+0xcc/0x130 [dm_thin_pool] [ 4246.558968] dm_table_presuspend_targets+0x3f/0x60 [ 4246.558980] __dm_suspend+0x41/0x1b0 [ 4246.558991] dm_suspend+0xc0/0xe0 [ 4246.559001] dev_suspend+0xa5/0xd0 [ 4246.559011] ctl_ioctl+0x26e/0x350 [ 4246.559020] ? __pfx_dev_suspend+0x10/0x10 [ 4246.559032] dm_ctl_ioctl+0xe/0x20 [ 4246.559041] __x64_sys_ioctl+0x94/0xd0 [ 4246.559052] do_syscall_64+0x5c/0x90 [ 4246.559062] ? do_syscall_64+0x6b/0x90 [ 4246.559072] ? do_syscall_64+0x6b/0x90 [ 4246.559081] ? xen_pv_evtchn_do_upcall+0x54/0xb0 [ 4246.559093] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 4246.559104] RIP: 0033:0x7f1cb77cfe0f [ 4246.559112] RSP: 002b:00007fff870f2560 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 4246.559141] RAX: ffffffffffffffda RBX: 00005b8d13c16580 RCX: 00007f1cb77cfe0f [ 4246.559152] RDX: 00005b8d144a2180 RSI: 00000000c138fd06 RDI: 0000000000000003 [ 4246.559164] RBP: 00005b8d144a2180 R08: 00005b8d132b1190 R09: 00007fff870f2420 [ 4246.559175] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000c [ 4246.559186] R13: 00005b8d132aacf0 R14: 00005b8d1324414d R15: 00005b8d144a21b0 [ 4246.559199] </TASK> [ 4246.559207] task:kworker/u8:3 state:D stack:0 pid:8033 ppid:2 flags:0x00004000 [ 4246.559222] Workqueue: writeback wb_workfn (flush-253:4) [ 4246.559238] Call Trace: [ 4246.559244] <TASK> [ 4246.559249] __schedule+0x23d/0x670 [ 4246.559260] schedule+0x5e/0xd0 [ 4246.559270] io_schedule+0x46/0x70 [ 4246.559280] folio_wait_bit_common+0x13d/0x350 [ 4246.559290] ? __pfx_wake_page_function+0x10/0x10 [ 4246.559302] mpage_prepare_extent_to_map+0x309/0x4d0 [ 4246.559314] ext4_do_writepages+0x25f/0x770 [ 4246.559324] ext4_writepages+0xad/0x180 [ 4246.559334] do_writepages+0xcf/0x1e0 [ 4246.559344] ? find_busiest_group+0x42/0x1a0 [ 4246.559354] __writeback_single_inode+0x3d/0x280 [ 4246.559368] writeback_sb_inodes+0x1ed/0x4a0 [ 4246.559381] __writeback_inodes_wb+0x4c/0xf0 [ 4246.559393] wb_writeback+0x298/0x310 [ 4246.559403] wb_do_writeback+0x230/0x2b0 [ 4246.559414] wb_workfn+0x5f/0x260 [ 4246.559424] ? _raw_spin_unlock+0xe/0x30 [ 4246.559434] ? finish_task_switch.isra.0+0x95/0x2b0 [ 4246.559447] ? __schedule+0x245/0x670 [ 4246.559457] process_one_work+0x1df/0x3e0 [ 4246.559466] worker_thread+0x51/0x390 [ 4246.559475] ? __pfx_worker_thread+0x10/0x10 [ 4246.559484] kthread+0xe5/0x120 [ 4246.559495] ? __pfx_kthread+0x10/0x10 [ 4246.559504] ret_from_fork+0x31/0x50 [ 4246.559514] ? __pfx_kthread+0x10/0x10 [ 4246.559523] ret_from_fork_asm+0x1b/0x30 [ 4246.559536] </TASK> -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab

1 year, 2 months

15
61
0 0

[PATCH] riscv: kprobes: allow writing to x0

by Nam Cao

Instructions can write to x0, so we should simulate these instructions normally. Currently, the kernel hangs if an instruction who writes to x0 is simulated. Fixes: c22b0bcb1dd0 ("riscv: Add kprobes supported") Cc: stable(a)vger.kernel.org Signed-off-by: Nam Cao <namcaov(a)gmail.com> --- arch/riscv/kernel/probes/simulate-insn.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/riscv/kernel/probes/simulate-insn.c b/arch/riscv/kernel/probes/simulate-insn.c index d3099d67816d..6c166029079c 100644 --- a/arch/riscv/kernel/probes/simulate-insn.c +++ b/arch/riscv/kernel/probes/simulate-insn.c @@ -24,7 +24,7 @@ static inline bool rv_insn_reg_set_val(struct pt_regs *regs, u32 index, unsigned long val) { if (index == 0) - return false; + return true; else if (index <= 31) *((unsigned long *)regs + index) = val; else -- 2.34.1

1 year, 2 months

4
3
0 0

FAILED: patch "[PATCH] mmap: fix error paths with dup_anon_vma()" failed to apply to 6.5-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.5-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.5.y git checkout FETCH_HEAD git cherry-pick -x 824135c46b00df7fb369ec7f1f8607427bbebeb0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2023102742-carnation-spinach-79d8@gregkh' --subject-prefix 'PATCH 6.5.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 824135c46b00df7fb369ec7f1f8607427bbebeb0 Mon Sep 17 00:00:00 2001 From: "Liam R. Howlett" <Liam.Howlett(a)oracle.com> Date: Fri, 29 Sep 2023 14:30:40 -0400 Subject: [PATCH] mmap: fix error paths with dup_anon_vma() When the calling function fails after the dup_anon_vma(), the duplication of the anon_vma is not being undone. Add the necessary unlink_anon_vma() call to the error paths that are missing them. This issue showed up during inspection of the error path in vma_merge() for an unrelated vma iterator issue. Users may experience increased memory usage, which may be problematic as the failure would likely be caused by a low memory situation. Link: https://lkml.kernel.org/r/20230929183041.2835469-3-Liam.Howlett@oracle.com Fixes: d4af56c5c7c6 ("mm: start tracking VMAs with maple tree") Signed-off-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Reviewed-by: Lorenzo Stoakes <lstoakes(a)gmail.com> Acked-by: Vlastimil Babka <vbabka(a)suse.cz> Cc: Jann Horn <jannh(a)google.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/mmap.c b/mm/mmap.c index a0917ed26057..9e018d8dd7d6 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -583,11 +583,12 @@ static inline void vma_complete(struct vma_prepare *vp, * dup_anon_vma() - Helper function to duplicate anon_vma * @dst: The destination VMA * @src: The source VMA + * @dup: Pointer to the destination VMA when successful. * * Returns: 0 on success. */ static inline int dup_anon_vma(struct vm_area_struct *dst, - struct vm_area_struct *src) + struct vm_area_struct *src, struct vm_area_struct **dup) { /* * Easily overlooked: when mprotect shifts the boundary, make sure the @@ -595,9 +596,15 @@ static inline int dup_anon_vma(struct vm_area_struct *dst, * anon pages imported. */ if (src->anon_vma && !dst->anon_vma) { + int ret; + vma_assert_write_locked(dst); dst->anon_vma = src->anon_vma; - return anon_vma_clone(dst, src); + ret = anon_vma_clone(dst, src); + if (ret) + return ret; + + *dup = dst; } return 0; @@ -624,6 +631,7 @@ int vma_expand(struct vma_iterator *vmi, struct vm_area_struct *vma, unsigned long start, unsigned long end, pgoff_t pgoff, struct vm_area_struct *next) { + struct vm_area_struct *anon_dup = NULL; bool remove_next = false; struct vma_prepare vp; @@ -633,7 +641,7 @@ int vma_expand(struct vma_iterator *vmi, struct vm_area_struct *vma, remove_next = true; vma_start_write(next); - ret = dup_anon_vma(vma, next); + ret = dup_anon_vma(vma, next, &anon_dup); if (ret) return ret; } @@ -661,6 +669,8 @@ int vma_expand(struct vma_iterator *vmi, struct vm_area_struct *vma, return 0; nomem: + if (anon_dup) + unlink_anon_vmas(anon_dup); return -ENOMEM; } @@ -860,6 +870,7 @@ struct vm_area_struct *vma_merge(struct vma_iterator *vmi, struct mm_struct *mm, { struct vm_area_struct *curr, *next, *res; struct vm_area_struct *vma, *adjust, *remove, *remove2; + struct vm_area_struct *anon_dup = NULL; struct vma_prepare vp; pgoff_t vma_pgoff; int err = 0; @@ -927,18 +938,18 @@ struct vm_area_struct *vma_merge(struct vma_iterator *vmi, struct mm_struct *mm, vma_start_write(next); remove = next; /* case 1 */ vma_end = next->vm_end; - err = dup_anon_vma(prev, next); + err = dup_anon_vma(prev, next, &anon_dup); if (curr) { /* case 6 */ vma_start_write(curr); remove = curr; remove2 = next; if (!next->anon_vma) - err = dup_anon_vma(prev, curr); + err = dup_anon_vma(prev, curr, &anon_dup); } } else if (merge_prev) { /* case 2 */ if (curr) { vma_start_write(curr); - err = dup_anon_vma(prev, curr); + err = dup_anon_vma(prev, curr, &anon_dup); if (end == curr->vm_end) { /* case 7 */ remove = curr; } else { /* case 5 */ @@ -954,7 +965,7 @@ struct vm_area_struct *vma_merge(struct vma_iterator *vmi, struct mm_struct *mm, vma_end = addr; adjust = next; adj_start = -(prev->vm_end - addr); - err = dup_anon_vma(next, prev); + err = dup_anon_vma(next, prev, &anon_dup); } else { /* * Note that cases 3 and 8 are the ONLY ones where prev @@ -968,7 +979,7 @@ struct vm_area_struct *vma_merge(struct vma_iterator *vmi, struct mm_struct *mm, vma_pgoff = curr->vm_pgoff; vma_start_write(curr); remove = curr; - err = dup_anon_vma(next, curr); + err = dup_anon_vma(next, curr, &anon_dup); } } } @@ -1018,6 +1029,9 @@ struct vm_area_struct *vma_merge(struct vma_iterator *vmi, struct mm_struct *mm, return res; prealloc_fail: + if (anon_dup) + unlink_anon_vmas(anon_dup); + anon_vma_fail: vma_iter_set(vmi, addr); vma_iter_load(vmi);

1 year, 2 months

3
2
0 0

FAILED: patch "[PATCH] x86: KVM: SVM: always update the x2avic msr interception" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x b65235f6e102354ccafda601eaa1c5bef5284d21 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2023102017-human-marine-7125@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b65235f6e102354ccafda601eaa1c5bef5284d21 Mon Sep 17 00:00:00 2001 From: Maxim Levitsky <mlevitsk(a)redhat.com> Date: Thu, 28 Sep 2023 20:33:51 +0300 Subject: [PATCH] x86: KVM: SVM: always update the x2avic msr interception The following problem exists since x2avic was enabled in the KVM: svm_set_x2apic_msr_interception is called to enable the interception of the x2apic msrs. In particular it is called at the moment the guest resets its apic. Assuming that the guest's apic was in x2apic mode, the reset will bring it back to the xapic mode. The svm_set_x2apic_msr_interception however has an erroneous check for '!apic_x2apic_mode()' which prevents it from doing anything in this case. As a result of this, all x2apic msrs are left unintercepted, and that exposes the bare metal x2apic (if enabled) to the guest. Oops. Remove the erroneous '!apic_x2apic_mode()' check to fix that. This fixes CVE-2023-5090 Fixes: 4d1d7942e36a ("KVM: SVM: Introduce logic to (de)activate x2AVIC mode") Cc: stable(a)vger.kernel.org Signed-off-by: Maxim Levitsky <mlevitsk(a)redhat.com> Reviewed-by: Suravee Suthikulpanit <suravee.suthikulpanit(a)amd.com> Tested-by: Suravee Suthikulpanit <suravee.suthikulpanit(a)amd.com> Reviewed-by: Sean Christopherson <seanjc(a)google.com> Message-Id: <20230928173354.217464-2-mlevitsk(a)redhat.com> Signed-off-by: Paolo Bonzini <pbonzini(a)redhat.com> diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index 9507df93f410..acdd0b89e471 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -913,8 +913,7 @@ void svm_set_x2apic_msr_interception(struct vcpu_svm *svm, bool intercept) if (intercept == svm->x2avic_msrs_intercepted) return; - if (!x2avic_enabled || - !apic_x2apic_mode(svm->vcpu.arch.apic)) + if (!x2avic_enabled) return; for (i = 0; i < MAX_DIRECT_ACCESS_MSRS; i++) {

1 year, 2 months

3
4
0 0

[PATCH 5.15 v2 1/2] drm/amd: Move helper for dynamic speed switch check out of smu13

by Mario Limonciello

This helper is used for checking if the connected host supports the feature, it can be moved into generic code to be used by other smu implementations as well. Signed-off-by: Mario Limonciello <mario.limonciello(a)amd.com> Reviewed-by: Evan Quan <evan.quan(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit 188623076d0f1a500583d392b6187056bf7cc71a) The original problematic dGPU is not supported in 5.15. Just introduce new function for 5.15 as a dependency for fixing unrelated dGPU that uses this symbol as well. Signed-off-by: Mario Limonciello <mario.limonciello(a)amd.com> --- v1->v2: * Update commit to 6.5-rc2 commit. It merged as both of these: 188623076d0f1a500583d392b6187056bf7cc71a 5d1eb4c4c872b55664f5754cc16827beff8630a7 It's already been backported into 6.1.y as well. --- drivers/gpu/drm/amd/amdgpu/amdgpu.h | 1 + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 19 +++++++++++++++++++ 2 files changed, 20 insertions(+) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu.h b/drivers/gpu/drm/amd/amdgpu/amdgpu.h index d90da384d185..1f1e7966beb5 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu.h +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu.h @@ -1285,6 +1285,7 @@ int amdgpu_device_gpu_recover(struct amdgpu_device *adev, void amdgpu_device_pci_config_reset(struct amdgpu_device *adev); int amdgpu_device_pci_reset(struct amdgpu_device *adev); bool amdgpu_device_need_post(struct amdgpu_device *adev); +bool amdgpu_device_pcie_dynamic_switching_supported(void); bool amdgpu_device_should_use_aspm(struct amdgpu_device *adev); bool amdgpu_device_aspm_support_quirk(void); diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c index 2cf49a32ac6c..f57334fff7fc 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c @@ -1319,6 +1319,25 @@ bool amdgpu_device_need_post(struct amdgpu_device *adev) return true; } +/* + * Intel hosts such as Raptor Lake and Sapphire Rapids don't support dynamic + * speed switching. Until we have confirmation from Intel that a specific host + * supports it, it's safer that we keep it disabled for all. + * + * https://edc.intel.com/content/www/us/en/design/products/platforms/details/r… + * https://gitlab.freedesktop.org/drm/amd/-/issues/2663 + */ +bool amdgpu_device_pcie_dynamic_switching_supported(void) +{ +#if IS_ENABLED(CONFIG_X86) + struct cpuinfo_x86 *c = &cpu_data(0); + + if (c->x86_vendor == X86_VENDOR_INTEL) + return false; +#endif + return true; +} + /** * amdgpu_device_should_use_aspm - check if the device should program ASPM * -- 2.34.1

1 year, 2 months

2
2
0 0

FAILED: patch "[PATCH] nvmet-tcp: Fix a possible UAF in queue intialization setup" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x d920abd1e7c4884f9ecd0749d1921b7ab19ddfbd # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2023102012-pleat-snippet-29cf@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d920abd1e7c4884f9ecd0749d1921b7ab19ddfbd Mon Sep 17 00:00:00 2001 From: Sagi Grimberg <sagi(a)grimberg.me> Date: Mon, 2 Oct 2023 13:54:28 +0300 Subject: [PATCH] nvmet-tcp: Fix a possible UAF in queue intialization setup From Alon: "Due to a logical bug in the NVMe-oF/TCP subsystem in the Linux kernel, a malicious user can cause a UAF and a double free, which may lead to RCE (may also lead to an LPE in case the attacker already has local privileges)." Hence, when a queue initialization fails after the ahash requests are allocated, it is guaranteed that the queue removal async work will be called, hence leave the deallocation to the queue removal. Also, be extra careful not to continue processing the socket, so set queue rcv_state to NVMET_TCP_RECV_ERR upon a socket error. Cc: stable(a)vger.kernel.org Reported-by: Alon Zahavi <zahavi.alon(a)gmail.com> Tested-by: Alon Zahavi <zahavi.alon(a)gmail.com> Signed-off-by: Sagi Grimberg <sagi(a)grimberg.me> Reviewed-by: Christoph Hellwig <hch(a)lst.de> Reviewed-by: Chaitanya Kulkarni <kch(a)nvidia.com> Signed-off-by: Keith Busch <kbusch(a)kernel.org> diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c index cd92d7ddf5ed..197fc2ecb164 100644 --- a/drivers/nvme/target/tcp.c +++ b/drivers/nvme/target/tcp.c @@ -372,6 +372,7 @@ static void nvmet_tcp_fatal_error(struct nvmet_tcp_queue *queue) static void nvmet_tcp_socket_error(struct nvmet_tcp_queue *queue, int status) { + queue->rcv_state = NVMET_TCP_RECV_ERR; if (status == -EPIPE || status == -ECONNRESET) kernel_sock_shutdown(queue->sock, SHUT_RDWR); else @@ -910,15 +911,11 @@ static int nvmet_tcp_handle_icreq(struct nvmet_tcp_queue *queue) iov.iov_len = sizeof(*icresp); ret = kernel_sendmsg(queue->sock, &msg, &iov, 1, iov.iov_len); if (ret < 0) - goto free_crypto; + return ret; /* queue removal will cleanup */ queue->state = NVMET_TCP_Q_LIVE; nvmet_prepare_receive_pdu(queue); return 0; -free_crypto: - if (queue->hdr_digest || queue->data_digest) - nvmet_tcp_free_crypto(queue); - return ret; } static void nvmet_tcp_handle_req_failure(struct nvmet_tcp_queue *queue,

1 year, 2 months

3
4
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror October 2023