February 2023 - Linux-stable-mirror

[PATCH AUTOSEL 5.4 01/10] selftests/bpf: Verify copy_register_state() preserves parent/live fields

by Sasha Levin

From: Eduard Zingerman <eddyz87(a)gmail.com> [ Upstream commit b9fa9bc839291020b362ab5392e5f18ba79657ac ] A testcase to check that verifier.c:copy_register_state() preserves register parentage chain and livness information. Signed-off-by: Eduard Zingerman <eddyz87(a)gmail.com> Link: https://lore.kernel.org/r/20230106142214.1040390-3-eddyz87@gmail.com Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- .../selftests/bpf/verifier/search_pruning.c | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/tools/testing/selftests/bpf/verifier/search_pruning.c b/tools/testing/selftests/bpf/verifier/search_pruning.c index 7e50cb80873a5..7e36078f8f482 100644 --- a/tools/testing/selftests/bpf/verifier/search_pruning.c +++ b/tools/testing/selftests/bpf/verifier/search_pruning.c @@ -154,3 +154,39 @@ .result_unpriv = ACCEPT, .insn_processed = 15, }, +/* The test performs a conditional 64-bit write to a stack location + * fp[-8], this is followed by an unconditional 8-bit write to fp[-8], + * then data is read from fp[-8]. This sequence is unsafe. + * + * The test would be mistakenly marked as safe w/o dst register parent + * preservation in verifier.c:copy_register_state() function. + * + * Note the usage of BPF_F_TEST_STATE_FREQ to force creation of the + * checkpoint state after conditional 64-bit assignment. + */ +{ + "write tracking and register parent chain bug", + .insns = { + /* r6 = ktime_get_ns() */ + BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns), + BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), + /* r0 = ktime_get_ns() */ + BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns), + /* if r0 > r6 goto +1 */ + BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_6, 1), + /* *(u64 *)(r10 - 8) = 0xdeadbeef */ + BPF_ST_MEM(BPF_DW, BPF_REG_FP, -8, 0xdeadbeef), + /* r1 = 42 */ + BPF_MOV64_IMM(BPF_REG_1, 42), + /* *(u8 *)(r10 - 8) = r1 */ + BPF_STX_MEM(BPF_B, BPF_REG_FP, BPF_REG_1, -8), + /* r2 = *(u64 *)(r10 - 8) */ + BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_FP, -8), + /* exit(0) */ + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .flags = BPF_F_TEST_STATE_FREQ, + .errstr = "invalid read from stack off -8+1 size 8", + .result = REJECT, +}, -- 2.39.0

2 years, 2 months

2
10
0 0

[PATCH] f2fs: Revert "f2fs: truncate blocks in batch in __complete_revoke_list()"

by Jaegeuk Kim

We should not truncate replaced blocks, and were supposed to truncate the first part as well. This reverts commit 78a99fe6254cad4be310cd84af39f6c46b668c72. Cc: stable(a)vger.kernel.org Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> --- fs/f2fs/segment.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c index 719329c1808c..227e25836173 100644 --- a/fs/f2fs/segment.c +++ b/fs/f2fs/segment.c @@ -265,19 +265,24 @@ static void __complete_revoke_list(struct inode *inode, struct list_head *head, bool revoke) { struct revoke_entry *cur, *tmp; + pgoff_t start_index = 0; bool truncate = is_inode_flag_set(inode, FI_ATOMIC_REPLACE); list_for_each_entry_safe(cur, tmp, head, list) { - if (revoke) + if (revoke) { __replace_atomic_write_block(inode, cur->index, cur->old_addr, NULL, true); + } else if (truncate) { + f2fs_truncate_hole(inode, start_index, cur->index); + start_index = cur->index + 1; + } list_del(&cur->list); kmem_cache_free(revoke_entry_slab, cur); } if (!revoke && truncate) - f2fs_do_truncate_blocks(inode, 0, false); + f2fs_do_truncate_blocks(inode, start_index * PAGE_SIZE, false); } static int __f2fs_commit_atomic_write(struct inode *inode) -- 2.39.1.581.gbfd45094c4-goog

2 years, 2 months

3
2
0 0

stable/linux-5.10.y build: 37 builds: 0 failed, 37 passed, 1 warning (v5.10.168)

by kernelci.org bot

stable/linux-5.10.y build: 37 builds: 0 failed, 37 passed, 1 warning (v5.10.168) Full Build Summary: https://kernelci.org/build/stable/branch/linux-5.10.y/kernel/v5.10.168/ Tree: stable Branch: linux-5.10.y Git Describe: v5.10.168 Git Commit: 707c48210a5384a72c82655a37895b7e822755f2 Git URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git Built: 4 unique architectures Warnings Detected: arc: arm: mips: decstation_defconfig (gcc-10): 1 warning x86_64: Warnings summary: 1 kernel/rcu/tasks.h:710:13: warning: ‘show_rcu_tasks_rude_gp_kthread’ defined but not used [-Wunused-function] ================================================================================ Detailed per-defconfig build reports: -------------------------------------------------------------------------------- allnoconfig (arc, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- am200epdkit_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- assabet_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- axs103_defconfig (arc, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- badge4_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- bcm63xx_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- cavium_octeon_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- decstation_defconfig (mips, gcc-10) — PASS, 0 errors, 1 warning, 0 section mismatches Warnings: kernel/rcu/tasks.h:710:13: warning: ‘show_rcu_tasks_rude_gp_kthread’ defined but not used [-Wunused-function] -------------------------------------------------------------------------------- eseries_pxa_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- gcw0_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- h3600_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- h5000_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- hackkit_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- haps_hs_defconfig (arc, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- hsdk_defconfig (arc, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- jmr3927_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- lemote2f_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- lpc32xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- lubbock_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- magician_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- maltasmvp_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- mmp2_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- mpc30x_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- mps2_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- neponset_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- nhk8815_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- nlm_xlr_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- orion5x_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- realview_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- s3c6400_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- sb1250_swarm_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- tango4_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- tb0219_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- tb0226_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- tinyconfig (x86_64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- vt8500_v6_v7_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- workpad_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches --- For more info write to <info(a)kernelci.org>

2 years, 2 months

1
0
0 0

[PATCH 6.1 0/4] mptcp: Stable backports for 6.1.12

by Matthieu Baerts

Hi Greg, Sasha, Here are two MPTCP patches backports (patches 2-3/4), and one prerequisite (patch 1/4), that recently failed to apply to the 6.1 stable tree. They prevent some locking issues with MPTCP. After having cherry-picked patch 1/4 -- a simple refactoring to make a function more generic -- patch 2/4 applied without any issue. For patch 3/4, I had to resolve two simple function because two if-statements around the modified code have curly braces in v6.1, not later, see commit 976d302fb616 ("mptcp: deduplicate error paths on endpoint creation"). On top of that, patch 4/4 fixes MPTCP userspace PM selftest that has been recently broken due to a backport done in v6.1.8. Signed-off-by: Matthieu Baerts <matthieu.baerts(a)tessares.net> --- Matthieu Baerts (2): mptcp: sockopt: make 'tcp_fastopen_connect' generic selftests: mptcp: userspace: fix v4-v6 test in v6.1 Paolo Abeni (2): mptcp: fix locking for setsockopt corner-case mptcp: fix locking for in-kernel listener creation net/mptcp/pm_netlink.c | 10 ++++++---- net/mptcp/sockopt.c | 20 ++++++++++++++------ net/mptcp/subflow.c | 2 +- tools/testing/selftests/net/mptcp/userspace_pm.sh | 11 +++++++++++ 4 files changed, 32 insertions(+), 11 deletions(-) --- base-commit: 9012d1ebd3236e1d741ab4264f1d14e276c2e29f change-id: 20230214-upstream-stable-20230214-linux-6-1-12-rc1-mptcp-fixes-df24a5f41151 Best regards, -- Matthieu Baerts <matthieu.baerts(a)tessares.net>

2 years, 2 months

3
6
0 0

Linux 5.10.168

by Greg Kroah-Hartman

I'm announcing the release of the 5.10.168 kernel. All users of the 5.10 kernel series must upgrade. The updated 5.10.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.10.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm64/boot/dts/amlogic/meson-axg.dtsi | 4 arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi | 6 arch/arm64/boot/dts/amlogic/meson-gx.dtsi | 6 arch/arm64/boot/dts/freescale/imx8mm-pinfunc.h | 2 arch/parisc/kernel/firmware.c | 5 arch/parisc/kernel/ptrace.c | 15 arch/powerpc/perf/imc-pmu.c | 14 arch/riscv/Makefile | 3 arch/riscv/mm/cacheflush.c | 4 arch/x86/include/asm/debugreg.h | 26 drivers/ata/libata-core.c | 2 drivers/bus/sunxi-rsb.c | 8 drivers/firewire/core-cdev.c | 4 drivers/firmware/efi/efi.c | 2 drivers/firmware/efi/memattr.c | 2 drivers/fpga/stratix10-soc.c | 4 drivers/fsi/fsi-sbefifo.c | 6 drivers/gpu/drm/i915/gem/i915_gem_tiling.c | 9 drivers/gpu/drm/vc4/vc4_hdmi.c | 3 drivers/i2c/busses/i2c-mxs.c | 4 drivers/i2c/busses/i2c-rk3x.c | 44 drivers/iio/accel/hid-sensor-accel-3d.c | 1 drivers/iio/adc/berlin2-adc.c | 4 drivers/iio/adc/stm32-dfsdm-adc.c | 1 drivers/iio/adc/twl6030-gpadc.c | 32 drivers/iio/imu/fxos8700_core.c | 111 - drivers/infiniband/hw/hfi1/file_ops.c | 7 drivers/infiniband/hw/usnic/usnic_uiom.c | 8 drivers/infiniband/ulp/ipoib/ipoib_main.c | 8 drivers/infiniband/ulp/rtrs/rtrs-clt.c | 2 drivers/input/serio/i8042-x86ia64io.h | 1188 +++++++----- drivers/net/bonding/bond_debugfs.c | 2 drivers/net/ethernet/intel/ice/ice_main.c | 2 drivers/net/ethernet/intel/igc/igc_ptp.c | 14 drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 3 drivers/net/ethernet/mellanox/mlx5/core/ipoib/ethtool.c | 13 drivers/net/ethernet/mscc/ocelot_flower.c | 24 drivers/net/ethernet/pensando/ionic/ionic_lif.c | 15 drivers/net/ethernet/qlogic/qede/qede_fp.c | 10 drivers/net/ethernet/sfc/efx.c | 5 drivers/net/phy/dp83822.c | 6 drivers/net/phy/meson-gxl.c | 4 drivers/net/usb/plusb.c | 4 drivers/net/virtio_net.c | 8 drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 17 drivers/nvmem/core.c | 8 drivers/nvmem/qcom-spmi-sdam.c | 1 drivers/of/address.c | 21 drivers/pinctrl/aspeed/pinctrl-aspeed.c | 2 drivers/pinctrl/intel/pinctrl-intel.c | 16 drivers/pinctrl/pinctrl-single.c | 2 drivers/platform/x86/dell-wmi.c | 3 drivers/scsi/iscsi_tcp.c | 9 drivers/scsi/scsi_scan.c | 7 drivers/spi/spi-dw-core.c | 2 drivers/target/target_core_file.c | 4 drivers/target/target_core_tmr.c | 4 drivers/tty/serial/8250/8250_dma.c | 26 drivers/tty/vt/vc_screen.c | 9 drivers/usb/core/quirks.c | 3 drivers/usb/dwc3/dwc3-qcom.c | 10 drivers/usb/gadget/function/f_fs.c | 4 drivers/usb/typec/altmodes/displayport.c | 8 drivers/vhost/net.c | 3 drivers/vhost/vhost.c | 3 drivers/vhost/vhost.h | 1 drivers/video/fbdev/core/fbcon.c | 7 drivers/video/fbdev/smscufx.c | 46 drivers/watchdog/diag288_wdt.c | 15 drivers/xen/pvcalls-back.c | 8 fs/btrfs/volumes.c | 22 fs/btrfs/zlib.c | 2 fs/ceph/mds_client.c | 6 fs/cifs/file.c | 4 fs/f2fs/gc.c | 18 fs/proc/task_mmu.c | 4 fs/squashfs/squashfs_fs.h | 2 fs/squashfs/squashfs_fs_sb.h | 2 fs/squashfs/xattr.h | 4 fs/squashfs/xattr_id.c | 4 include/linux/hugetlb.h | 19 include/linux/nvmem-provider.h | 4 include/linux/util_macros.h | 12 include/uapi/linux/ip.h | 1 include/uapi/linux/ipv6.h | 1 kernel/bpf/verifier.c | 102 - kernel/trace/bpf_trace.c | 3 kernel/trace/trace.c | 3 mm/gup.c | 2 mm/hugetlb.c | 6 mm/memory-failure.c | 2 mm/memory_hotplug.c | 2 mm/mempolicy.c | 5 mm/migrate.c | 7 mm/page_alloc.c | 5 mm/swapfile.c | 1 net/bridge/br_netfilter_hooks.c | 1 net/can/j1939/address-claim.c | 40 net/can/j1939/transport.c | 4 net/ipv4/tcp_bpf.c | 4 net/netrom/af_netrom.c | 5 net/openvswitch/datapath.c | 12 net/qrtr/ns.c | 5 net/rds/message.c | 6 net/x25/af_x25.c | 6 net/xfrm/xfrm_compat.c | 4 net/xfrm/xfrm_input.c | 3 sound/pci/hda/patch_realtek.c | 3 sound/pci/hda/patch_via.c | 3 sound/pci/lx6464es/lx_core.c | 11 sound/synth/emux/emux_nrpn.c | 3 tools/testing/selftests/net/forwarding/lib.sh | 4 tools/testing/selftests/net/udpgso_bench.sh | 24 tools/testing/selftests/net/udpgso_bench_rx.c | 4 tools/testing/selftests/net/udpgso_bench_tx.c | 36 116 files changed, 1510 insertions(+), 797 deletions(-) Al Viro (4): WRITE is "data source", not destination... READ is "data destination", not source... fix iov_iter_bvec() "direction" argument fix "direction" argument of iov_iter_kvec() Alan Stern (1): net: USB: Fix wrong-direction WARNING in plusb.c Alexander Egorenkov (2): watchdog: diag288_wdt: do not use stack buffers for hardware data watchdog: diag288_wdt: fix __diag288() inline assembly Alexander Potapenko (1): btrfs: zlib: zero-initialize zlib workspace Anand Jain (1): btrfs: free device in btrfs_close_devices for a single device filesystem Anastasia Belova (1): xfrm: compat: change expression for switch in xfrm_xlate64 Andre Kalb (1): net: phy: dp83822: Fix null pointer access on DP83825/DP83826 devices Andreas Kemnade (2): iio:adc:twl6030: Enable measurements of VUSB, VBAT and others iio:adc:twl6030: Enable measurement of VAC Andreas Schwab (1): riscv: disable generation of unwind tables Andrei Gherzan (4): selftests: net: udpgso_bench_rx: Fix 'used uninitialized' compiler warning selftests: net: udpgso_bench_rx/tx: Stop when wrong CLI args are provided selftests: net: udpgso_bench: Fix racing bug between the rx/tx programs selftests: net: udpgso_bench_tx: Cater for pending datagrams zerocopy benchmarking Andy Shevchenko (1): pinctrl: intel: Restore the pins that used to be in Direct IRQ mode Anirudh Venkataramanan (1): ice: Do not use WQ_MEM_RECLAIM flag for workqueue Anton Gusev (1): efi: fix potential NULL deref in efi_mem_reserve_persistent Ard Biesheuvel (1): efi: Accept version 2 of memory attributes table Artemii Karasev (2): ALSA: hda/via: Avoid potential array out-of-bound in add_secret_dac_path() ALSA: emux: Avoid potential array out-of-bound in snd_emux_xg_control() Bhaskar Upadhaya (1): qede: add netpoll support for qede driver Carlos Song (9): iio: imu: fxos8700: fix ACCEL measurement range selection iio: imu: fxos8700: fix incomplete ACCEL and MAGN channels readback iio: imu: fxos8700: fix IMU data bits returned to user space iio: imu: fxos8700: fix map label of channel type to MAGN sensor iio: imu: fxos8700: fix swapped ACCEL and MAGN channels readback iio: imu: fxos8700: fix incorrect ODR mode readback iio: imu: fxos8700: fix failed initialization ODR mode assignment iio: imu: fxos8700: remove definition FXOS8700_CTRL_ODR_MIN iio: imu: fxos8700: fix MAGN sensor scale and unit Chao Yu (1): f2fs: fix to do sanity check on i_extra_isize in is_alive() Chris Healy (1): net: phy: meson-gxl: Add generic dummy stubs for MMD register access Christian Hopps (1): xfrm: fix bug with DSCP copy to v6 from v4 tunnel Christophe Kerello (1): nvmem: core: Fix a conflict between MTD and NVMEM on wp-gpios property Damien Le Moal (1): ata: libata: Fix sata_down_spd_limit() when no link speed is reported Dan Carpenter (1): ALSA: pci: lx6464es: fix a debug loop David Chen (1): Fix page corruption caused by racy check in __free_pages Dean Luick (1): IB/hfi1: Restore allocated resources on failed copyout Devid Antonio Filoni (1): can: j1939: do not wait 250 ms if the same addr was already claimed Dmitry Perchanov (1): iio: hid: fix the retval in accel_3d_capture_sample Dongliang Mu (1): fbdev: smscufx: fix error handling code in ufx_usb_probe Dragos Tatulea (2): IB/IPoIB: Fix legacy IPoIB due to wrong number of queues net/mlx5e: IPoIB, Show unknown speed instead of error Edson Juliano Drosdeck (1): ALSA: hda/realtek: Add Positivo N14KP6-TG Eduard Zingerman (1): bpf: Fix to preserve reg parent/live fields when copying range info Eric Auger (1): vhost/net: Clear the pending messages when the backend is removed Eric Dumazet (1): xfrm/compat: prevent potential spectre v1 gadget in xfrm_xlate32_attr() Fedor Pchelkin (2): squashfs: harden sanity check in squashfs_read_xattr_id_table net: openvswitch: fix flow memory leak in ovs_flow_cmd_new Florian Westphal (1): netfilter: br_netfilter: disable sabotage_in hook after first suppression George Kennedy (1): vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF Greg Kroah-Hartman (1): Linux 5.10.168 Guillaume Pinot (1): ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book2 Pro 360 Guo Ren (1): riscv: Fixup race condition on PG_dcache_clean in flush_icache_pte Hangbin Liu (1): selftests: forwarding: lib: quote the sysctl values Hans Verkuil (1): drm/vc4: hdmi: make CEC adapter name unique Heiner Kallweit (4): net: phy: meson-gxl: use MMD access dummy stubs for GXL, internal PHY arm64: dts: meson-gx: Make mmc host controller interrupts level-sensitive arm64: dts: meson-g12-common: Make mmc host controller interrupts level-sensitive arm64: dts: meson-axg: Make mmc host controller interrupts level-sensitive Helge Deller (2): parisc: Fix return code of pdc_iodc_print() parisc: Wire up PTRACE_GETREGS/PTRACE_SETREGS for compat case Herton R. Krzesinski (1): uapi: add missing ip/ipv6 header dependencies for linux/stddef.h Hyunwoo Kim (2): netrom: Fix use-after-free caused by accept on already connected socket net/x25: Fix to not accept on connected socket Ilpo Järvinen (2): serial: 8250_dma: Fix DMA Rx completion race serial: 8250_dma: Fix DMA Rx rearm race Jakub Sitnicki (1): bpf, sockmap: Check for any of tcp_bpf_prots when cloning a listener Joel Stanley (1): pinctrl: aspeed: Fix confusing types in return value Joerg Roedel (1): x86/debug: Fix stack recursion caused by wrongly ordered DR7 accesses Johan Hovold (1): nvmem: qcom-spmi-sdam: fix module autoloading Josef Bacik (1): btrfs: limit device extents to the device size Koba Ko (1): platform/x86: dell-wmi: Add a keymap for KEY_MUTE in type 0x0010 table Longlong Xia (1): mm/swapfile: add cond_resched() in get_swap_pages() Magnus Karlsson (2): virtio-net: execute xdp_do_flush() before napi_complete_done() qede: execute xdp_do_flush() before napi_complete_done() Mark Brown (1): of/address: Return an error when no valid dma-ranges are found Mark Pearson (1): usb: core: add quirk for Alcor Link AK9563 smartcard reader Martin K. Petersen (1): scsi: Revert "scsi: core: map PQ=1, PDT=other values to SCSI_SCAN_TARGET_PRESENT" Martin KaFai Lau (2): bpf: Support <8-byte scalar spill and refill bpf: Do not reject when the stack read size is different from the tracked scalar size Maurizio Lombardi (1): scsi: target: core: Fix warning on RT kernels Maxim Korotkov (1): pinctrl: single: fix potential NULL dereference Miaohe Lin (1): mm/migration: return errno when isolate_huge_page failed Michael Ellerman (1): powerpc/imc-pmu: Revert nest_init_lock to being a mutex Michael Walle (1): nvmem: core: fix cell removal on error Mike Christie (1): scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress Mike Kravetz (2): mm: hugetlb: proc: check for hugetlb shared PMD in /proc/PID/smaps migrate: hugetlb: check for hugetlb shared PMD in node migration Minsuk Kang (1): wifi: brcmfmac: Check the count value of channel spec to prevent out-of-bounds reads Natalia Petrova (1): net: qrtr: free memory on error path in radix_tree_insert() Neel Patel (1): ionic: clean interrupt before enabling queue to avoid credit race Neil Armstrong (1): usb: dwc3: qcom: enable vbus override when in OTG dr-mode Olivier Moysan (1): iio: adc: stm32-dfsdm: fill module aliases Parav Pandit (1): virtio-net: Keep stop() to follow mirror sequence of open() Paul Chaignon (1): bpf: Fix incorrect state pruning for <8B spill/fill Phillip Lougher (1): Squashfs: fix handling and sanity checking of xattr_ids count Pierluigi Passaro (1): arm64: dts: imx8mm: Fix pad control for UART1_DTE_RX Pietro Borrello (1): rds: rds_rm_zerocopy_callback() use list_first_entry() Prashant Malani (1): usb: typec: altmodes/displayport: Fix probe pin assign check Qi Zheng (1): bonding: fix error checking in bond_debug_reregister() Randy Dunlap (1): i2c: rk3x: fix a bunch of kernel-doc warnings Rob Clark (1): drm/i915: Fix potential bit_17 double-free Russell King (Oracle) (1): nvmem: core: initialise nvmem->id early Samuel Thibault (1): fbcon: Check font dimension limits Serge Semin (1): spi: dw: Fix wrong FIFO level setting for long xfers Shay Drory (2): net/mlx5: fw_tracer, Clear load bit when freeing string DBs buffers net/mlx5: fw_tracer, Zero consumer index when reloading the tracer Shiju Jose (1): tracing: Fix poll() and select() do not work on per_cpu trace_pipe and trace_pipe_raw Stefan Wahren (1): i2c: mxs: suppress probe-deferral error message Takashi Sakamoto (1): firewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region Tom Rix (1): igc: return an error if the mac type is unknown in igc_ptp_systim_to_hwtstamp() Udipto Goswami (1): usb: gadget: f_fs: Fix unbalanced spinlock in __ffs_ep0_queue_wait Victor Shyba (1): ALSA: hda/realtek: Add Acer Predator PH315-54 Vladimir Oltean (1): net: mscc: ocelot: fix VCAP filters not matching on MAC with "protocol 802.1Q" Werner Sembach (4): Input: i8042 - move __initconst to fix code styling warning Input: i8042 - merge quirk tables Input: i8042 - add TUXEDO devices to i8042 quirk tables Input: i8042 - add Clevo PCX0DX to i8042 quirk table Wesley Cheng (1): usb: dwc3: dwc3-qcom: Fix typo in the dwc3 vbus override API Xiongfeng Wang (1): iio: adc: berlin2-adc: Add missing of_node_put() in error path Xiubo Li (1): ceph: flush cap releases when the session is flushed Yang Yingliang (1): RDMA/usnic: use iommu_map_atomic() under spin_lock() Yonghong Song (1): bpf: Fix a possible task gone issue with bpf_send_signal[_thread]() helpers Yuan Can (1): bus: sunxi-rsb: Fix error handling in sunxi_rsb_init() ZhaoLong Wang (1): cifs: Fix use-after-free in rdata->read_into_pages() Zheng Yongjun (1): fpga: stratix10-soc: Fix return value check in s10_ops_write_init() Ziyang Xuan (1): can: j1939: fix errant WARN_ON_ONCE in j1939_session_deactivate Íñigo Huguet (1): sfc: correctly advertise tunneled IPv6 segmentation

2 years, 2 months

1
1
0 0

[PATCH 5.15 00/10] xfs backports for 5.15.y

by Leah Rumancik

Hello, Here is the next batch of backports for 5.15.y. These patches have already been ACK'd on the xfs mailing list. Testing included 25 runs of auto group on 12 xfs configs. No regressions were seen. I checked xfs/538 was run without issue as this test was mentioned in 56486f307100. Also, from 86d40f1e49e9, I ran ran xfs/117 with XFS compiled as a module and TEST_FS_MODULE_REOLOAD set, but I was unable to reproduce the issue. Below I've outlined which series the backports came from: series "xfs: intent whiteouts" (1): [01/10] cb512c921639613ce03f87e62c5e93ed9fe8c84d xfs: zero inode fork buffer at allocation [02/10] c230a4a85bcdbfc1a7415deec6caf04e8fca1301 xfs: fix potential log item leak series "xfs: fix random format verification issues" (2): [1/4] dc04db2aa7c9307e740d6d0e173085301c173b1a xfs: detect self referencing btree sibling pointers [2/4] 1eb70f54c445fcbb25817841e774adb3d912f3e8 -> already in 5.15.y xfs: validate inode fork size against fork format [3/4] dd0d2f9755191690541b09e6385d0f8cd8bc9d8f xfs: set XFS_FEAT_NLINK correctly [4/4] f0f5f658065a5af09126ec892e4c383540a1c77f xfs: validate v5 feature fields series "xfs: small fixes for 5.19 cycle" (3): [1/3] 5672225e8f2a872a22b0cecedba7a6644af1fb84 xfs: avoid unnecessary runtime sibling pointer endian conversions [2/3] 5b55cbc2d72632e874e50d2e36bce608e55aaaea fs: don't assert fail on perag references on teardown [2/3] 56486f307100e8fc66efa2ebd8a71941fa10bf6f xfs: assert in xfs_btree_del_cursor should take into account error series "xfs: random fixes for 5.19" (4): [1/2] 86d40f1e49e9a909d25c35ba01bea80dbcd758cb xfs: purge dquots after inode walk fails during quotacheck [2/2] a54f78def73d847cb060b18c4e4a3d1d26c9ca6d xfs: don't leak btree cursor when insrec fails after a split (1) https://lore.kernel.org/all/20220503221728.185449-1-david@fromorbit.com/ (2) https://lore.kernel.org/all/20220502082018.1076561-1-david@fromorbit.com/ (3) https://lore.kernel.org/all/20220524022158.1849458-1-david@fromorbit.com/ (4) https://lore.kernel.org/all/165337056527.993079.1232300816023906959.stgit@m… - Leah Darrick J. Wong (2): xfs: purge dquots after inode walk fails during quotacheck xfs: don't leak btree cursor when insrec fails after a split Dave Chinner (8): xfs: zero inode fork buffer at allocation xfs: fix potential log item leak xfs: detect self referencing btree sibling pointers xfs: set XFS_FEAT_NLINK correctly xfs: validate v5 feature fields xfs: avoid unnecessary runtime sibling pointer endian conversions xfs: don't assert fail on perag references on teardown xfs: assert in xfs_btree_del_cursor should take into account error fs/xfs/libxfs/xfs_ag.c | 3 +- fs/xfs/libxfs/xfs_btree.c | 175 +++++++++++++++++++++++++-------- fs/xfs/libxfs/xfs_inode_fork.c | 12 ++- fs/xfs/libxfs/xfs_sb.c | 70 +++++++++++-- fs/xfs/xfs_bmap_item.c | 2 + fs/xfs/xfs_icreate_item.c | 1 + fs/xfs/xfs_qm.c | 9 +- fs/xfs/xfs_refcount_item.c | 2 + fs/xfs/xfs_rmap_item.c | 2 + 9 files changed, 221 insertions(+), 55 deletions(-) -- 2.39.1.581.gbfd45094c4-goog

2 years, 2 months

3
12
0 0

[CLJ Pharma] [Business proposal]

by CLJ Pharmaceuticals

[Greetings] I'm Dr. Breiner, a research consultant with one of the leading laboratories in the United Kingdom. Our company is one of the most respected indigenous multi-million pharma companies, manufacturing hundreds of lifesaving biopharmaceutical products and medical consumables. Our range includes anti-diabetic, anti-inflammatory, and analgesic drugs, vaccines, antimalarial drugs, and other essential medical consumables. I have a business proposal that will be of interest to you. I'll explain it in detail if you let me know if you'd like to hear more. Please keep in mind that you can decide not to move forward with me at any point during or after my detailed explanation. But please be sure to trust me; you will not experience any regret whatsoever. I look forward to hearing back from you. If you have any questions, please do not hesitate to contact me. Best regards [Dr. Breiner]

2 years, 2 months

1
0
0 0

[PATCH v3] s390/signal: fix endless loop in do_signal

by Sumanth Korikkar

No upstream commit exists: the problem addressed here is that 'commit 75309018a24d ("s390: add support for TIF_NOTIFY_SIGNAL")' was backported to 5.10. This commit is broken, but nobody noticed upstream, since shortly after s390 converted to generic entry with 'commit 56e62a737028 ("s390: convert to generic entry")', which implicitly fixed the problem outlined below. Thread flag is set to TIF_NOTIFY_SIGNAL for io_uring work. The io work user or syscall calls do_signal when either one of the TIF_SIGPENDING or TIF_NOTIFY_SIGNAL flag is set. However, do_signal does consider only TIF_SIGPENDING signal and ignores TIF_NOTIFY_SIGNAL condition. This means get_signal is never invoked for TIF_NOTIFY_SIGNAL and hence the flag is not cleared, which results in an endless do_signal loop. Reference: 'commit 788d0824269b ("io_uring: import 5.15-stable io_uring")' Fixes: 75309018a24d ("s390: add support for TIF_NOTIFY_SIGNAL") Cc: stable(a)vger.kernel.org # 5.10.162 Acked-by: Heiko Carstens <hca(a)linux.ibm.com> Acked-by: Sven Schnelle <svens(a)linux.ibm.com> Signed-off-by: Sumanth Korikkar <sumanthk(a)linux.ibm.com> --- v2->v3: Correct changelog. v1->v2: Add the changelog. arch/s390/kernel/signal.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/s390/kernel/signal.c b/arch/s390/kernel/signal.c index b27b6c1f058d..9e900a8977bd 100644 --- a/arch/s390/kernel/signal.c +++ b/arch/s390/kernel/signal.c @@ -472,7 +472,7 @@ void do_signal(struct pt_regs *regs) current->thread.system_call = test_pt_regs_flag(regs, PIF_SYSCALL) ? regs->int_code : 0; - if (test_thread_flag(TIF_SIGPENDING) && get_signal(&ksig)) { + if (get_signal(&ksig)) { /* Whee! Actually deliver the signal. */ if (current->thread.system_call) { regs->int_code = current->thread.system_call; -- 2.37.2

2 years, 2 months

1
0
0 0

[PATCH 0/1] s390: fix endless loop in do_signal

by Sumanth Korikkar

Hi, This patch fixes the issue for s390 stable kernel starting 5.10.162. The issue was specifically seen after stable version 5.10.162: Following commits can trigger it: 1. stable commit id - 788d0824269b ("io_uring: import 5.15-stable io_uring") can trigger this problem. 2. upstream commit id - 75309018a24d ("s390: add support for TIF_NOTIFY_SIGNAL") Problem: qemu and user processes could stall when TIF_NOTIFY_SIGNAL is set from io_uring work. Affected users: The issue was first raised by the debian team, where the s390 bullseye build systems are affected. Upstream commit Id: * The attached patch has no upstream commit. However, the stable kernel 5.10.162+ uses upstream commit id - 75309018a24d ("s390: add support for TIF_NOTIFY_SIGNAL"), which would need this fix * Starting from v5.12, there are s390 generic entry commits 56e62a737028 ("s390: convert to generic entry") and its relevant fixes, which are recommended and should address these problems. Kernel version to be applied: stable kernel 5.10.162+ Thanks. Sumanth Sumanth Korikkar (1): s390/signal: fix endless loop in do_signal arch/s390/kernel/signal.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.37.2

2 years, 2 months

3
5
0 0

[PATCH v4] sched/psi: fix use-after-free in ep_remove_wait_queue()

by Munehisa Kamata

If a non-root cgroup gets removed when there is a thread that registered trigger and is polling on a pressure file within the cgroup, the polling waitqueue gets freed in the following path. do_rmdir cgroup_rmdir kernfs_drain_open_files cgroup_file_release cgroup_pressure_release psi_trigger_destroy However, the polling thread still has a reference to the pressure file and will access the freed waitqueue when the file is closed or upon exit. fput ep_eventpoll_release ep_free ep_remove_wait_queue remove_wait_queue This results in use-after-free as pasted below. The fundamental problem here is that cgroup_file_release() (and consequently waitqueue's lifetime) is not tied to the file's real lifetime. Using wake_up_pollfree() here might be less than ideal, but it is in line with the comment at commit 42288cb44c4b ("wait: add wake_up_pollfree()") since the waitqueue's lifetime is not tied to file's one and can be considered as another special case. While this would be fixable by somehow making cgroup_file_release() be tied to the fput(), it would require sizable refactoring at cgroups or higher layer which might be more justifiable if we identify more cases like this. BUG: KASAN: use-after-free in _raw_spin_lock_irqsave+0x60/0xc0 Write of size 4 at addr ffff88810e625328 by task a.out/4404 CPU: 19 PID: 4404 Comm: a.out Not tainted 6.2.0-rc6 #38 Hardware name: Amazon EC2 c5a.8xlarge/, BIOS 1.0 10/16/2017 Call Trace: <TASK> dump_stack_lvl+0x73/0xa0 print_report+0x16c/0x4e0 ? _printk+0x59/0x80 ? __virt_addr_valid+0xb8/0x130 ? _raw_spin_lock_irqsave+0x60/0xc0 kasan_report+0xc3/0xf0 ? _raw_spin_lock_irqsave+0x60/0xc0 kasan_check_range+0x2d2/0x310 _raw_spin_lock_irqsave+0x60/0xc0 remove_wait_queue+0x1a/0xa0 ep_free+0x12c/0x170 ep_eventpoll_release+0x26/0x30 __fput+0x202/0x400 task_work_run+0x11d/0x170 do_exit+0x495/0x1130 ? update_cfs_rq_load_avg+0x2c2/0x2e0 do_group_exit+0x100/0x100 get_signal+0xd67/0xde0 ? finish_task_switch+0x15f/0x3a0 arch_do_signal_or_restart+0x2a/0x2b0 exit_to_user_mode_prepare+0x94/0x100 syscall_exit_to_user_mode+0x20/0x40 do_syscall_64+0x52/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f8e392bfb91 Code: Unable to access opcode bytes at 0x7f8e392bfb67. RSP: 002b:00007fff261e08d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000022 RAX: fffffffffffffdfe RBX: 0000000000000000 RCX: 00007f8e392bfb91 RDX: 0000000000000001 RSI: 00007fff261e08e8 RDI: 0000000000000004 RBP: 00007fff261e0920 R08: 0000000000400780 R09: 00007f8e3960f240 R10: 00000000000003df R11: 0000000000000246 R12: 00000000004005a0 R13: 00007fff261e0a00 R14: 0000000000000000 R15: 0000000000000000 </TASK> Allocated by task 4404: kasan_set_track+0x3d/0x60 __kasan_kmalloc+0x85/0x90 psi_trigger_create+0x113/0x3e0 pressure_write+0x146/0x2e0 cgroup_file_write+0x11c/0x250 kernfs_fop_write_iter+0x186/0x220 vfs_write+0x3d8/0x5c0 ksys_write+0x90/0x110 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 4407: kasan_set_track+0x3d/0x60 kasan_save_free_info+0x27/0x40 ____kasan_slab_free+0x11d/0x170 slab_free_freelist_hook+0x87/0x150 __kmem_cache_free+0xcb/0x180 psi_trigger_destroy+0x2e8/0x310 cgroup_file_release+0x4f/0xb0 kernfs_drain_open_files+0x165/0x1f0 kernfs_drain+0x162/0x1a0 __kernfs_remove+0x1fb/0x310 kernfs_remove_by_name_ns+0x95/0xe0 cgroup_addrm_files+0x67f/0x700 cgroup_destroy_locked+0x283/0x3c0 cgroup_rmdir+0x29/0x100 kernfs_iop_rmdir+0xd1/0x140 vfs_rmdir+0xfe/0x240 do_rmdir+0x13d/0x280 __x64_sys_rmdir+0x2c/0x30 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd v4: updated commit message v3: updated commit message and the comment in the code v2: updated commit message Link: https://lore.kernel.org/lkml/20230106224859.4123476-1-kamatam@amazon.com/ Fixes: 0e94682b73bf ("psi: introduce psi monitor") Cc: stable(a)vger.kernel.org Signed-off-by: Munehisa Kamata <kamatam(a)amazon.com> Signed-off-by: Mengchi Cheng <mengcc(a)amazon.com> Acked-by: Suren Baghdasaryan <surenb(a)google.com> --- kernel/sched/psi.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c index 8ac8b81bfee6..02e011cabe91 100644 --- a/kernel/sched/psi.c +++ b/kernel/sched/psi.c @@ -1343,10 +1343,11 @@ void psi_trigger_destroy(struct psi_trigger *t) group = t->group; /* - * Wakeup waiters to stop polling. Can happen if cgroup is deleted - * from under a polling process. + * Wakeup waiters to stop polling and clear the queue to prevent it from + * being accessed later. Can happen if cgroup is deleted from under a + * polling process. */ - wake_up_interruptible(&t->event_wait); + wake_up_pollfree(&t->event_wait); mutex_lock(&group->trigger_lock); -- 2.38.1

2 years, 2 months

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror February 2023