October 2024 - Linux-stable-mirror

FAILED: patch "[PATCH] tcp: fix mptcp DSS corruption due to large pmtu xmit" failed to apply to 6.11-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.11-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.11.y git checkout FETCH_HEAD git cherry-pick -x 4dabcdf581217e60690467a37c956a5b8dbc6bd9 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024101432-shucking-snagged-7c42@gregkh' --subject-prefix 'PATCH 6.11.y' HEAD^.. Possible dependencies: 4dabcdf58121 ("tcp: fix mptcp DSS corruption due to large pmtu xmit") 65249feb6b3d ("net: add support for skbs with unreadable frags") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 4dabcdf581217e60690467a37c956a5b8dbc6bd9 Mon Sep 17 00:00:00 2001 From: Paolo Abeni <pabeni(a)redhat.com> Date: Tue, 8 Oct 2024 13:04:53 +0200 Subject: [PATCH] tcp: fix mptcp DSS corruption due to large pmtu xmit Syzkaller was able to trigger a DSS corruption: TCP: request_sock_subflow_v4: Possible SYN flooding on port [::]:20002. Sending cookies. ------------[ cut here ]------------ WARNING: CPU: 0 PID: 5227 at net/mptcp/protocol.c:695 __mptcp_move_skbs_from_subflow+0x20a9/0x21f0 net/mptcp/protocol.c:695 Modules linked in: CPU: 0 UID: 0 PID: 5227 Comm: syz-executor350 Not tainted 6.11.0-syzkaller-08829-gaf9c191ac2a0 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 RIP: 0010:__mptcp_move_skbs_from_subflow+0x20a9/0x21f0 net/mptcp/protocol.c:695 Code: 0f b6 dc 31 ff 89 de e8 b5 dd ea f5 89 d8 48 81 c4 50 01 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 98 da ea f5 90 <0f> 0b 90 e9 47 ff ff ff e8 8a da ea f5 90 0f 0b 90 e9 99 e0 ff ff RSP: 0018:ffffc90000006db8 EFLAGS: 00010246 RAX: ffffffff8ba9df18 RBX: 00000000000055f0 RCX: ffff888030023c00 RDX: 0000000000000100 RSI: 00000000000081e5 RDI: 00000000000055f0 RBP: 1ffff110062bf1ae R08: ffffffff8ba9cf12 R09: 1ffff110062bf1b8 R10: dffffc0000000000 R11: ffffed10062bf1b9 R12: 0000000000000000 R13: dffffc0000000000 R14: 00000000700cec61 R15: 00000000000081e5 FS: 000055556679c380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020287000 CR3: 0000000077892000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <IRQ> move_skbs_to_msk net/mptcp/protocol.c:811 [inline] mptcp_data_ready+0x29c/0xa90 net/mptcp/protocol.c:854 subflow_data_ready+0x34a/0x920 net/mptcp/subflow.c:1490 tcp_data_queue+0x20fd/0x76c0 net/ipv4/tcp_input.c:5283 tcp_rcv_established+0xfba/0x2020 net/ipv4/tcp_input.c:6237 tcp_v4_do_rcv+0x96d/0xc70 net/ipv4/tcp_ipv4.c:1915 tcp_v4_rcv+0x2dc0/0x37f0 net/ipv4/tcp_ipv4.c:2350 ip_protocol_deliver_rcu+0x22e/0x440 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x341/0x5f0 net/ipv4/ip_input.c:233 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314 __netif_receive_skb_one_core net/core/dev.c:5662 [inline] __netif_receive_skb+0x2bf/0x650 net/core/dev.c:5775 process_backlog+0x662/0x15b0 net/core/dev.c:6107 __napi_poll+0xcb/0x490 net/core/dev.c:6771 napi_poll net/core/dev.c:6840 [inline] net_rx_action+0x89b/0x1240 net/core/dev.c:6962 handle_softirqs+0x2c5/0x980 kernel/softirq.c:554 do_softirq+0x11b/0x1e0 kernel/softirq.c:455 </IRQ> <TASK> __local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:382 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline] __dev_queue_xmit+0x1764/0x3e80 net/core/dev.c:4451 dev_queue_xmit include/linux/netdevice.h:3094 [inline] neigh_hh_output include/net/neighbour.h:526 [inline] neigh_output include/net/neighbour.h:540 [inline] ip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:236 ip_local_out net/ipv4/ip_output.c:130 [inline] __ip_queue_xmit+0x118c/0x1b80 net/ipv4/ip_output.c:536 __tcp_transmit_skb+0x2544/0x3b30 net/ipv4/tcp_output.c:1466 tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline] tcp_mtu_probe net/ipv4/tcp_output.c:2547 [inline] tcp_write_xmit+0x641d/0x6bf0 net/ipv4/tcp_output.c:2752 __tcp_push_pending_frames+0x9b/0x360 net/ipv4/tcp_output.c:3015 tcp_push_pending_frames include/net/tcp.h:2107 [inline] tcp_data_snd_check net/ipv4/tcp_input.c:5714 [inline] tcp_rcv_established+0x1026/0x2020 net/ipv4/tcp_input.c:6239 tcp_v4_do_rcv+0x96d/0xc70 net/ipv4/tcp_ipv4.c:1915 sk_backlog_rcv include/net/sock.h:1113 [inline] __release_sock+0x214/0x350 net/core/sock.c:3072 release_sock+0x61/0x1f0 net/core/sock.c:3626 mptcp_push_release net/mptcp/protocol.c:1486 [inline] __mptcp_push_pending+0x6b5/0x9f0 net/mptcp/protocol.c:1625 mptcp_sendmsg+0x10bb/0x1b10 net/mptcp/protocol.c:1903 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x1a6/0x270 net/socket.c:745 ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2603 ___sys_sendmsg net/socket.c:2657 [inline] __sys_sendmsg+0x2aa/0x390 net/socket.c:2686 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb06e9317f9 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffe2cfd4f98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007fb06e97f468 RCX: 00007fb06e9317f9 RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000005 RBP: 00007fb06e97f446 R08: 0000555500000000 R09: 0000555500000000 R10: 0000555500000000 R11: 0000000000000246 R12: 00007fb06e97f406 R13: 0000000000000001 R14: 00007ffe2cfd4fe0 R15: 0000000000000003 </TASK> Additionally syzkaller provided a nice reproducer. The repro enables pmtu on the loopback device, leading to tcp_mtu_probe() generating very large probe packets. tcp_can_coalesce_send_queue_head() currently does not check for mptcp-level invariants, and allowed the creation of cross-DSS probes, leading to the mentioned corruption. Address the issue teaching tcp_can_coalesce_send_queue_head() about mptcp using the tcp_skb_can_collapse(), also reducing the code duplication. Fixes: 85712484110d ("tcp: coalesce/collapse must respect MPTCP extensions") Cc: stable(a)vger.kernel.org Reported-by: syzbot+d1bff73460e33101f0e7(a)syzkaller.appspotmail.com Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/513 Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Acked-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20241008-net-mptcp-fallback-fixes-v1-2-c6fb8e93e55… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index 4fd746bd4d54..68804fd01daf 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -2342,10 +2342,7 @@ static bool tcp_can_coalesce_send_queue_head(struct sock *sk, int len) if (len <= skb->len) break; - if (unlikely(TCP_SKB_CB(skb)->eor) || - tcp_has_tx_tstamp(skb) || - !skb_pure_zcopy_same(skb, next) || - skb_frags_readable(skb) != skb_frags_readable(next)) + if (tcp_has_tx_tstamp(skb) || !tcp_skb_can_collapse(skb, next)) return false; len -= skb->len;

2 months, 3 weeks

3
2
0 0

[PATCH 6.1.y 5.15.y] drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE)

by Sherry Yang

From: "Wachowski, Karol" <karol.wachowski(a)intel.com> commit 39bc27bd688066a63e56f7f64ad34fae03fbe3b8 upstream. Lack of check for copy-on-write (COW) mapping in drm_gem_shmem_mmap allows users to call mmap with PROT_WRITE and MAP_PRIVATE flag causing a kernel panic due to BUG_ON in vmf_insert_pfn_prot: BUG_ON((vma->vm_flags & VM_PFNMAP) && is_cow_mapping(vma->vm_flags)); Return -EINVAL early if COW mapping is detected. This bug affects all drm drivers using default shmem helpers. It can be reproduced by this simple example: void *ptr = mmap(0, size, PROT_WRITE, MAP_PRIVATE, fd, mmap_offset); ptr[0] = 0; Fixes: 2194a63a818d ("drm: Add library for shmem backed GEM objects") Cc: Noralf Trønnes <noralf(a)tronnes.org> Cc: Eric Anholt <eric(a)anholt.net> Cc: Rob Herring <robh(a)kernel.org> Cc: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> Cc: Maxime Ripard <mripard(a)kernel.org> Cc: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: David Airlie <airlied(a)gmail.com> Cc: Daniel Vetter <daniel(a)ffwll.ch> Cc: dri-devel(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v5.2+ Signed-off-by: Wachowski, Karol <karol.wachowski(a)intel.com> Signed-off-by: Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> Signed-off-by: Daniel Vetter <daniel.vetter(a)ffwll.ch> Link: https://patchwork.freedesktop.org/patch/msgid/20240520100514.925681-1-jacek… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> [Sherry: bp to fix CVE-2024-39497, ignore context change due to missing commit 21aa27ddc582 ("drm/shmem-helper: Switch to reservation lock")] Signed-off-by: Sherry Yang <sherry.yang(a)oracle.com> --- drivers/gpu/drm/drm_gem_shmem_helper.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpu/drm/drm_gem_shmem_helper.c b/drivers/gpu/drm/drm_gem_shmem_helper.c index e33f06bb66eb..fb8093577245 100644 --- a/drivers/gpu/drm/drm_gem_shmem_helper.c +++ b/drivers/gpu/drm/drm_gem_shmem_helper.c @@ -638,6 +638,9 @@ int drm_gem_shmem_mmap(struct drm_gem_shmem_object *shmem, struct vm_area_struct return ret; } + if (is_cow_mapping(vma->vm_flags)) + return -EINVAL; + ret = drm_gem_shmem_get_pages(shmem); if (ret) return ret; -- 2.46.0

2 months, 3 weeks

2
1
0 0

[PATCH 5.15, 5.10, 5.4, 4.19 1/1] KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()

by Saeed Mirzamohammadi

From: Breno Leitao <leitao(a)debian.org> commit 49f683b41f28918df3e51ddc0d928cb2e934ccdb upstream. Use {READ,WRITE}_ONCE() to access kvm->last_boosted_vcpu to ensure the loads and stores are atomic. In the extremely unlikely scenario the compiler tears the stores, it's theoretically possible for KVM to attempt to get a vCPU using an out-of-bounds index, e.g. if the write is split into multiple 8-bit stores, and is paired with a 32-bit load on a VM with 257 vCPUs: CPU0 CPU1 last_boosted_vcpu = 0xff; (last_boosted_vcpu = 0x100) last_boosted_vcpu[15:8] = 0x01; i = (last_boosted_vcpu = 0x1ff) last_boosted_vcpu[7:0] = 0x00; vcpu = kvm->vcpu_array[0x1ff]; As detected by KCSAN: BUG: KCSAN: data-race in kvm_vcpu_on_spin [kvm] / kvm_vcpu_on_spin [kvm] write to 0xffffc90025a92344 of 4 bytes by task 4340 on cpu 16: kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4112) kvm handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:? arch/x86/kvm/vmx/vmx.c:6606) kvm_intel vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890) __x64_sys_ioctl (fs/ioctl.c:890) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/common.c:?) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) read to 0xffffc90025a92344 of 4 bytes by task 4342 on cpu 4: kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4069) kvm handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:? arch/x86/kvm/vmx/vmx.c:6606) kvm_intel vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890) __x64_sys_ioctl (fs/ioctl.c:890) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/common.c:?) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) value changed: 0x00000012 -> 0x00000000 Fixes: 217ece6129f2 ("KVM: use yield_to instead of sleep in kvm_vcpu_on_spin") Cc: stable(a)vger.kernel.org # 4.19+ Signed-off-by: Breno Leitao <leitao(a)debian.org> Link: https://lore.kernel.org/r/20240510092353.2261824-1-leitao@debian.org Signed-off-by: Sean Christopherson <seanjc(a)google.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> (cherry picked from commit 92c77807d938145c7c3350c944ef9f39d7f6017c) Signed-off-by: Saeed Mirzamohammadi <saeed.mirzamohammadi(a)oracle.com> --- virt/kvm/kvm_main.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index 801ab0635bc32..8734d5bbd951e 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -3525,12 +3525,13 @@ void kvm_vcpu_on_spin(struct kvm_vcpu *me, bool yield_to_kernel_mode) { struct kvm *kvm = me->kvm; struct kvm_vcpu *vcpu; - int last_boosted_vcpu = me->kvm->last_boosted_vcpu; + int last_boosted_vcpu; int yielded = 0; int try = 3; int pass; int i; + last_boosted_vcpu = READ_ONCE(kvm->last_boosted_vcpu); kvm_vcpu_set_in_spin_loop(me, true); /* * We boost the priority of a VCPU that is runnable but not @@ -3561,7 +3562,7 @@ void kvm_vcpu_on_spin(struct kvm_vcpu *me, bool yield_to_kernel_mode) yielded = kvm_vcpu_yield_to(vcpu); if (yielded > 0) { - kvm->last_boosted_vcpu = i; + WRITE_ONCE(kvm->last_boosted_vcpu, i); break; } else if (yielded < 0) { try--; -- 2.46.0

2 months, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] maple_tree: correct tree corruption on spanning store" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x bea07fd63192b61209d48cbb81ef474cc3ee4c62 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024101840-army-handstand-92f8@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From bea07fd63192b61209d48cbb81ef474cc3ee4c62 Mon Sep 17 00:00:00 2001 From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Date: Mon, 7 Oct 2024 16:28:32 +0100 Subject: [PATCH] maple_tree: correct tree corruption on spanning store Patch series "maple_tree: correct tree corruption on spanning store", v3. There has been a nasty yet subtle maple tree corruption bug that appears to have been in existence since the inception of the algorithm. This bug seems far more likely to happen since commit f8d112a4e657 ("mm/mmap: avoid zeroing vma tree in mmap_region()"), which is the point at which reports started to be submitted concerning this bug. We were made definitely aware of the bug thanks to the kind efforts of Bert Karwatzki who helped enormously in my being able to track this down and identify the cause of it. The bug arises when an attempt is made to perform a spanning store across two leaf nodes, where the right leaf node is the rightmost child of the shared parent, AND the store completely consumes the right-mode node. This results in mas_wr_spanning_store() mitakenly duplicating the new and existing entries at the maximum pivot within the range, and thus maple tree corruption. The fix patch corrects this by detecting this scenario and disallowing the mistaken duplicate copy. The fix patch commit message goes into great detail as to how this occurs. This series also includes a test which reliably reproduces the issue, and asserts that the fix works correctly. Bert has kindly tested the fix and confirmed it resolved his issues. Also Mikhail Gavrilov kindly reported what appears to be precisely the same bug, which this fix should also resolve. This patch (of 2): There has been a subtle bug present in the maple tree implementation from its inception. This arises from how stores are performed - when a store occurs, it will overwrite overlapping ranges and adjust the tree as necessary to accommodate this. A range may always ultimately span two leaf nodes. In this instance we walk the two leaf nodes, determine which elements are not overwritten to the left and to the right of the start and end of the ranges respectively and then rebalance the tree to contain these entries and the newly inserted one. This kind of store is dubbed a 'spanning store' and is implemented by mas_wr_spanning_store(). In order to reach this stage, mas_store_gfp() invokes mas_wr_preallocate(), mas_wr_store_type() and mas_wr_walk() in turn to walk the tree and update the object (mas) to traverse to the location where the write should be performed, determining its store type. When a spanning store is required, this function returns false stopping at the parent node which contains the target range, and mas_wr_store_type() marks the mas->store_type as wr_spanning_store to denote this fact. When we go to perform the store in mas_wr_spanning_store(), we first determine the elements AFTER the END of the range we wish to store (that is, to the right of the entry to be inserted) - we do this by walking to the NEXT pivot in the tree (i.e. r_mas.last + 1), starting at the node we have just determined contains the range over which we intend to write. We then turn our attention to the entries to the left of the entry we are inserting, whose state is represented by l_mas, and copy these into a 'big node', which is a special node which contains enough slots to contain two leaf node's worth of data. We then copy the entry we wish to store immediately after this - the copy and the insertion of the new entry is performed by mas_store_b_node(). After this we copy the elements to the right of the end of the range which we are inserting, if we have not exceeded the length of the node (i.e. r_mas.offset <= r_mas.end). Herein lies the bug - under very specific circumstances, this logic can break and corrupt the maple tree. Consider the following tree: Height 0 Root Node / \ pivot = 0xffff / \ pivot = ULONG_MAX / \ 1 A [-----] ... / \ pivot = 0x4fff / \ pivot = 0xffff / \ 2 (LEAVES) B [-----] [-----] C ^--- Last pivot 0xffff. Now imagine we wish to store an entry in the range [0x4000, 0xffff] (note that all ranges expressed in maple tree code are inclusive): 1. mas_store_gfp() descends the tree, finds node A at <=0xffff, then determines that this is a spanning store across nodes B and C. The mas state is set such that the current node from which we traverse further is node A. 2. In mas_wr_spanning_store() we try to find elements to the right of pivot 0xffff by searching for an index of 0x10000: - mas_wr_walk_index() invokes mas_wr_walk_descend() and mas_wr_node_walk() in turn. - mas_wr_node_walk() loops over entries in node A until EITHER it finds an entry whose pivot equals or exceeds 0x10000 OR it reaches the final entry. - Since no entry has a pivot equal to or exceeding 0x10000, pivot 0xffff is selected, leading to node C. - mas_wr_walk_traverse() resets the mas state to traverse node C. We loop around and invoke mas_wr_walk_descend() and mas_wr_node_walk() in turn once again. - Again, we reach the last entry in node C, which has a pivot of 0xffff. 3. We then copy the elements to the left of 0x4000 in node B to the big node via mas_store_b_node(), and insert the new [0x4000, 0xffff] entry too. 4. We determine whether we have any entries to copy from the right of the end of the range via - and with r_mas set up at the entry at pivot 0xffff, r_mas.offset <= r_mas.end, and then we DUPLICATE the entry at pivot 0xffff. 5. BUG! The maple tree is corrupted with a duplicate entry. This requires a very specific set of circumstances - we must be spanning the last element in a leaf node, which is the last element in the parent node. spanning store across two leaf nodes with a range that ends at that shared pivot. A potential solution to this problem would simply be to reset the walk each time we traverse r_mas, however given the rarity of this situation it seems that would be rather inefficient. Instead, this patch detects if the right hand node is populated, i.e. has anything we need to copy. We do so by only copying elements from the right of the entry being inserted when the maximum value present exceeds the last, rather than basing this on offset position. The patch also updates some comments and eliminates the unused bool return value in mas_wr_walk_index(). The work performed in commit f8d112a4e657 ("mm/mmap: avoid zeroing vma tree in mmap_region()") seems to have made the probability of this event much more likely, which is the point at which reports started to be submitted concerning this bug. The motivation for this change arose from Bert Karwatzki's report of encountering mm instability after the release of kernel v6.12-rc1 which, after the use of CONFIG_DEBUG_VM_MAPLE_TREE and similar configuration options, was identified as maple tree corruption. After Bert very generously provided his time and ability to reproduce this event consistently, I was able to finally identify that the issue discussed in this commit message was occurring for him. Link: https://lkml.kernel.org/r/cover.1728314402.git.lorenzo.stoakes@oracle.com Link: https://lkml.kernel.org/r/48b349a2a0f7c76e18772712d0997a5e12ab0a3b.17283144… Fixes: 54a611b60590 ("Maple Tree: add new data structure") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reported-by: Bert Karwatzki <spasswolf(a)web.de> Closes: https://lore.kernel.org/all/20241001023402.3374-1-spasswolf@web.de/ Tested-by: Bert Karwatzki <spasswolf(a)web.de> Reported-by: Mikhail Gavrilov <mikhail.v.gavrilov(a)gmail.com> Closes: https://lore.kernel.org/all/CABXGCsOPwuoNOqSMmAvWO2Fz4TEmPnjFj-b7iF+XFRu1h7… Acked-by: Vlastimil Babka <vbabka(a)suse.cz> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)Oracle.com> Tested-by: Mikhail Gavrilov <mikhail.v.gavrilov(a)gmail.com> Reviewed-by: Wei Yang <richard.weiyang(a)gmail.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Sidhartha Kumar <sidhartha.kumar(a)oracle.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/lib/maple_tree.c b/lib/maple_tree.c index ce7c7a7a8258..3619301dda2e 100644 --- a/lib/maple_tree.c +++ b/lib/maple_tree.c @@ -2196,6 +2196,8 @@ static inline void mas_node_or_none(struct ma_state *mas, /* * mas_wr_node_walk() - Find the correct offset for the index in the @mas. + * If @mas->index cannot be found within the containing + * node, we traverse to the last entry in the node. * @wr_mas: The maple write state * * Uses mas_slot_locked() and does not need to worry about dead nodes. @@ -3532,7 +3534,7 @@ static bool mas_wr_walk(struct ma_wr_state *wr_mas) return true; } -static bool mas_wr_walk_index(struct ma_wr_state *wr_mas) +static void mas_wr_walk_index(struct ma_wr_state *wr_mas) { struct ma_state *mas = wr_mas->mas; @@ -3541,11 +3543,9 @@ static bool mas_wr_walk_index(struct ma_wr_state *wr_mas) wr_mas->content = mas_slot_locked(mas, wr_mas->slots, mas->offset); if (ma_is_leaf(wr_mas->type)) - return true; + return; mas_wr_walk_traverse(wr_mas); - } - return true; } /* * mas_extend_spanning_null() - Extend a store of a %NULL to include surrounding %NULLs. @@ -3765,8 +3765,8 @@ static noinline void mas_wr_spanning_store(struct ma_wr_state *wr_mas) memset(&b_node, 0, sizeof(struct maple_big_node)); /* Copy l_mas and store the value in b_node. */ mas_store_b_node(&l_wr_mas, &b_node, l_mas.end); - /* Copy r_mas into b_node. */ - if (r_mas.offset <= r_mas.end) + /* Copy r_mas into b_node if there is anything to copy. */ + if (r_mas.max > r_mas.last) mas_mab_cp(&r_mas, r_mas.offset, r_mas.end, &b_node, b_node.b_end + 1); else

2 months, 3 weeks

3
2
0 0

[PATCH 2/4] xhci: Mitigate failed set dequeue pointer commands

by Mathias Nyman

Avoid xHC host from processing a cancelled URB by always turning cancelled URB TDs into no-op TRBs before queuing a 'Set TR Deq' command. If the command fails then xHC will start processing the cancelled TD instead of skipping it once endpoint is restarted, causing issues like Babble error. This is not a complete solution as a failed 'Set TR Deq' command does not guarantee xHC TRB caches are cleared. Fixes: 4db356924a50 ("xhci: turn cancelled td cleanup to its own function") Cc: stable(a)vger.kernel.org Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> --- drivers/usb/host/xhci-ring.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index 4d664ba53fe9..7dedf31bbddd 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -1023,7 +1023,7 @@ static int xhci_invalidate_cancelled_tds(struct xhci_virt_ep *ep) td_to_noop(xhci, ring, cached_td, false); cached_td->cancel_status = TD_CLEARED; } - + td_to_noop(xhci, ring, td, false); td->cancel_status = TD_CLEARING_CACHE; cached_td = td; break; -- 2.25.1

2 months, 3 weeks

2
4
0 0

[PATCH v2 08/13] media: ar0521: don't overflow when checking PLL values

by Mauro Carvalho Chehab

The PLL checks are comparing 64 bit integers with 32 bit ones, as reported by Coverity. Depending on the values of the variables, this may underflow. Fix it ensuring that both sides of the expression are u64. Fixes: 852b50aeed15 ("media: On Semi AR0521 sensor driver") Cc: stable(a)vger.kernel.org Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> Acked-by: Sakari Ailus <sakari.ailus(a)linux.intel.com> --- drivers/media/i2c/ar0521.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/media/i2c/ar0521.c b/drivers/media/i2c/ar0521.c index fc27238dd4d3..24873149096c 100644 --- a/drivers/media/i2c/ar0521.c +++ b/drivers/media/i2c/ar0521.c @@ -255,10 +255,10 @@ static u32 calc_pll(struct ar0521_dev *sensor, u32 freq, u16 *pre_ptr, u16 *mult continue; /* Minimum value */ if (new_mult > 254) break; /* Maximum, larger pre won't work either */ - if (sensor->extclk_freq * (u64)new_mult < AR0521_PLL_MIN * + if (sensor->extclk_freq * (u64)new_mult < (u64)AR0521_PLL_MIN * new_pre) continue; - if (sensor->extclk_freq * (u64)new_mult > AR0521_PLL_MAX * + if (sensor->extclk_freq * (u64)new_mult > (u64)AR0521_PLL_MAX * new_pre) break; /* Larger pre won't work either */ new_pll = div64_round_up(sensor->extclk_freq * (u64)new_mult, -- 2.47.0

2 months, 3 weeks

2
1
0 0

[PATCH 5.10 0/1] iommu/amd: Prepare for multiple DMA domain types

by Daniil Dulov

Svacer reports possible dereference of a NULL-pointer in amd_iommu_probe_finalize(). The problem is present in 5.10 stable release and can be fixed by the following upstream patch. In order to apply this patch, the incoming changes had to be manually accepted. This action was necessary due to some differences in the code of amd_iommu_probe_finalize() of the upstream version and 5.10 version of the kernel.

2 months, 3 weeks

2
2
0 0

[PATCH 6.6 000/211] 6.6.57-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.57 release. There are 211 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 17 Oct 2024 11:22:41 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.57-rc2… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.57-rc2 Johan Hovold <johan+linaro(a)kernel.org> scsi: Revert "scsi: sd: Do not repeat the starting disk message" Vitaly Lifshits <vitaly.lifshits(a)intel.com> e1000e: fix force smbus during suspend flow Linus Walleij <linus.walleij(a)linaro.org> net: ethernet: cortina: Restore TSO support Patrick Roy <roypat(a)amazon.co.uk> secretmem: disable memfd_secret() if arch cannot set direct map Alexander Gordeev <agordeev(a)linux.ibm.com> fs/proc/kcore.c: allow translation of physical memory addresses Frederic Weisbecker <frederic(a)kernel.org> kthread: unpark only parked kthread Luca Stefani <luca.stefani.ge1(a)gmail.com> btrfs: split remaining space to discard in chunks Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> selftests/rseq: Fix mm_cid test failure Donet Tom <donettom(a)linux.ibm.com> selftests/mm: fix incorrect buffer->mirror size in hmm2 double_map test Zhang Rui <rui.zhang(a)intel.com> powercap: intel_rapl_tpmi: Fix bogus register reading Yonatan Maman <Ymaman(a)Nvidia.com> nouveau/dmem: Fix vulnerability in migrate_to_ram upon copy error Kun(llfl) <llfl(a)linux.alibaba.com> device-dax: correct pgoff align in dax_set_mapping() Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: do not remove closing subflows Paolo Abeni <pabeni(a)redhat.com> mptcp: handle consistently DSS corruption Christian Marangi <ansuelsmth(a)gmail.com> net: phy: Remove LED entry from LEDs list on unregister Anatolij Gustschin <agust(a)denx.de> net: dsa: lan9303: ensure chip reset and wait for READY status Anastasia Kovaleva <a.kovaleva(a)yadro.com> net: Fix an unsafe loop on the list Ignat Korchagin <ignat(a)cloudflare.com> net: explicitly clear the sk pointer, when pf->create fails Niklas Cassel <cassel(a)kernel.org> ata: libata: avoid superfluous disk spin down + spin up during hibernation Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: fallback when MPTCP opts are dropped after 1st data Avri Altman <avri.altman(a)wdc.com> scsi: ufs: Use pre-calculated offsets in ufshcd_init_lrb() Daniel Palmer <daniel(a)0x0f.com> scsi: wd33c93: Don't use stale scsi_pointer value Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_conn: Fix UAF in hci_enhanced_setup_sync Jani Nikula <jani.nikula(a)intel.com> drm/i915/hdcp: fix connector refcounting Maíra Canal <mcanal(a)igalia.com> drm/vc4: Stop the active perfmon before being destroyed Maíra Canal <mcanal(a)igalia.com> drm/v3d: Stop the active perfmon before being destroyed SurajSonawane2415 <surajsonawane0215(a)gmail.com> hid: intel-ish-hid: Fix uninitialized variable 'rv' in ish_fw_xfer_direct_dma John Keeping <jkeeping(a)inmusicbrands.com> usb: gadget: core: force synchronous registration Icenowy Zheng <uwu(a)icenowy.me> usb: storage: ignore bogus device raised by JieLi BR21 USB sound chip Jose Alberto Reguero <jose.alberto.reguero(a)gmail.com> usb: xhci: Fix problem with xhci resume from suspend Selvarasu Ganesan <selvarasu.g(a)samsung.com> usb: dwc3: core: Stop processing of pending events if controller is halted Oliver Neukum <oneukum(a)suse.com> Revert "usb: yurex: Replace snprintf() with the safer scnprintf() variant" Wade Wang <wade.wang(a)hp.com> HID: plantronics: Workaround for an unexcepted opposite volume key He Lugang <helugang(a)uniontech.com> HID: multitouch: Add support for lenovo Y9000P Touchpad Basavaraj Natikar <Basavaraj.Natikar(a)amd.com> HID: amd_sfh: Switch to device-managed dmam_alloc_coherent() Javier Carrasco <javier.carrasco.cruz(a)gmail.com> hwmon: (adt7470) Add missing dependency on REGMAP_I2C Javier Carrasco <javier.carrasco.cruz(a)gmail.com> hwmon: (adm9240) Add missing dependency on REGMAP_I2C Javier Carrasco <javier.carrasco.cruz(a)gmail.com> hwmon: (mc34vr500) Add missing dependency on REGMAP_I2C Guenter Roeck <linux(a)roeck-us.net> hwmon: (tmp513) Add missing dependency on REGMAP_I2C Peter Colberg <peter.colberg(a)intel.com> hwmon: intel-m10-bmc-hwmon: relabel Columbiaville to CVL Die Temperature Kenton Groombridge <concord(a)gentoo.org> wifi: mac80211: Avoid address calculations via out of bounds array indexing Luke D. Jones <luke(a)ljones.dev> hid-asus: add ROG Ally X prod ID to quirk list Luke D. Jones <luke(a)ljones.dev> HID: asus: add ROG Z13 lightbar Luke D. Jones <luke(a)ljones.dev> HID: asus: add ROG Ally N-Key ID and keycodes Kai-Heng Feng <kai.heng.feng(a)canonical.com> HID: i2c-hid: Skip SET_POWER SLEEP for Cirque touchpad on system suspend Hans de Goede <hdegoede(a)redhat.com> HID: i2c-hid: Renumber I2C_HID_QUIRK_ defines Hans de Goede <hdegoede(a)redhat.com> HID: i2c-hid: Remove I2C_HID_QUIRK_SET_PWR_WAKEUP_DEV quirk Johannes Roith <johannes(a)gnu-linux.rocks> HID: mcp2200: added driver for GPIOs of MCP2200 Frederic Weisbecker <frederic(a)kernel.org> rcu/nocb: Fix rcuog wake-up from offline softirq Frederic Weisbecker <frederic(a)kernel.org> rcu/nocb: Make IRQs disablement symmetric Eric Dumazet <edumazet(a)google.com> slip: make slhc_remember() more robust against malicious packets Eric Dumazet <edumazet(a)google.com> ppp: fix ppp_async_encode() illegal access Kuniyuki Iwashima <kuniyu(a)amazon.com> phonet: Handle error of rtnl_register_module(). Eric Dumazet <edumazet(a)google.com> phonet: no longer hold RTNL in route_dumpit() Kuniyuki Iwashima <kuniyu(a)amazon.com> mpls: Handle error of rtnl_register_module(). Eric Dumazet <edumazet(a)google.com> mpls: no longer hold RTNL in mpls_netconf_dump_devconf() Eric Dumazet <edumazet(a)google.com> rtnetlink: add RTNL_FLAG_DUMP_UNLOCKED flag Eric Dumazet <edumazet(a)google.com> rtnetlink: change nlk->cb_mutex role Kuniyuki Iwashima <kuniyu(a)amazon.com> mctp: Handle error of rtnl_register_module(). Kuniyuki Iwashima <kuniyu(a)amazon.com> bridge: Handle error of rtnl_register_module(). Kuniyuki Iwashima <kuniyu(a)amazon.com> vxlan: Handle error of rtnl_register_module(). Kuniyuki Iwashima <kuniyu(a)amazon.com> rtnetlink: Add bulk registration helpers for rtnetlink message handlers. Eric Dumazet <edumazet(a)google.com> net: do not delay dst_entries_add() in dst_release() Florian Westphal <fw(a)strlen.de> netfilter: fib: check correct rtable in vrf setups Florian Westphal <fw(a)strlen.de> netfilter: xtables: avoid NFPROTO_UNSPEC where needed Xin Long <lucien.xin(a)gmail.com> sctp: ensure sk_state is set to CLOSED if hashing fails in sctp_listen_start Filipe Manana <fdmanana(a)suse.com> btrfs: zoned: fix missing RCU locking in error message when loading zone info Rosen Penev <rosenp(a)gmail.com> net: ibm: emac: mal: fix wrong goto Eric Dumazet <edumazet(a)google.com> net/sched: accept TCA_STAB only for root qdisc Vitaly Lifshits <vitaly.lifshits(a)intel.com> e1000e: change I219 (19) devices to ADP Mohamed Khalfella <mkhalfella(a)purestorage.com> igb: Do not bring the device up after non-fatal error Aleksandr Loktionov <aleksandr.loktionov(a)intel.com> i40e: Fix macvlan leak by synchronizing access to mac_filter_hash Wojciech Drewek <wojciech.drewek(a)intel.com> ice: Flush FDB entries before reset Michal Swiatkowski <michal.swiatkowski(a)linux.intel.com> ice: rename switchdev to eswitch Marcin Szycik <marcin.szycik(a)linux.intel.com> ice: Fix netif_is_ice() in Safe Mode Zhang Rui <rui.zhang(a)intel.com> powercap: intel_rapl_tpmi: Ignore minor version change Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> platform/x86/intel/tpmi: Add defines to get version information Billy Tsai <billy_tsai(a)aspeedtech.com> gpio: aspeed: Use devm_clk api to manage clock source Billy Tsai <billy_tsai(a)aspeedtech.com> gpio: aspeed: Add the flush write to ensure the write complete. Yonatan Maman <Ymaman(a)Nvidia.com> nouveau/dmem: Fix privileged error in copy engine channel Ben Skeggs <bskeggs(a)nvidia.com> drm/nouveau: pass cli to nouveau_channel_new() instead of drm+device Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix jumbo frames on 10/100 ports Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: allow lower MTUs on BCM5325/5365 Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix max MTU for BCM5325/BCM5365 Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix max MTU for 1g switches Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix jumbo frame mtu check Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> net: ethernet: adi: adin1110: Fix some error handling path in adin1110_read_fifo() Jakub Kicinski <kuba(a)kernel.org> Revert "net: stmmac: set PP_FLAG_DMA_SYNC_DEV only if XDP is enabled" Zhang Rui <rui.zhang(a)intel.com> thermal: intel: int340x: processor: Fix warning during module unload Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> thermal: int340x: processor_thermal: Set feature mask before proc_thermal_add Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> net: phy: bcm84881: Fix some error handling paths Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change Kacper Ludwinski <kac.ludwinski(a)icloud.com> selftests: net: no_forwarding: fix VID for $swp2 in one_bridge_two_pvids() test Andy Roulin <aroulin(a)nvidia.com> netfilter: br_netfilter: fix panic with metadata_dst skb David Howells <dhowells(a)redhat.com> rxrpc: Fix uninitialised variable in rxrpc_send_data() Neal Cardwell <ncardwell(a)google.com> tcp: fix TFO SYN_RECV to not zero retrans_stamp with retransmits out Aananth V <aananthv(a)google.com> tcp: new TCP_INFO stats for RTO events Neal Cardwell <ncardwell(a)google.com> tcp: fix tcp_enter_recovery() to zero retrans_stamp when it's safe Neal Cardwell <ncardwell(a)google.com> tcp: fix to allow timestamp undo if no retransmits were sent Ingo van Lil <inguin(a)gmx.de> net: phy: dp83869: fix memory corruption when enabling fiber Yanjun Zhang <zhangyanjun(a)cestc.cn> NFSv4: Prevent NULL-pointer dereference in nfs42_complete_copies() Dan Carpenter <dan.carpenter(a)linaro.org> SUNRPC: Fix integer overflow in decode_rc_list() Dave Ertman <david.m.ertman(a)intel.com> ice: fix VLAN replay after reset Michal Swiatkowski <michal.swiatkowski(a)linux.intel.com> ice: set correct dst VSI in only LAN filters Chuck Lever <chuck.lever(a)oracle.com> NFSD: Mark filecache "down" if init fails Shyam Sundar S K <Shyam-sundar.S-k(a)amd.com> x86/amd_nb: Add new PCI IDs for AMD family 1Ah model 60h Shyam Sundar S K <Shyam-sundar.S-k(a)amd.com> x86/amd_nb: Add new PCI IDs for AMD family 0x1a Andrey Shumilin <shum.sdl(a)nppct.ru> fbdev: sisfb: Fix strbuf array overflow Enzo Matsumiya <ematsumiya(a)suse.de> smb: client: fix UAF in async decryption Qianqiang Liu <qianqiang.liu(a)163.com> fbcon: Fix a NULL pointer dereference issue in fbcon_putcs Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check null pointer before dereferencing se Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Ensure DA_ID handling completion before deleting an NPIV instance Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Add ELS_RSP cmd to the list of WQEs to flush in lpfc_els_flush_cmd() Zijun Hu <quic_zijuhu(a)quicinc.com> driver core: bus: Return -EIO instead of 0 when show/store invalid bus attribute Zijun Hu <quic_zijuhu(a)quicinc.com> driver core: bus: Fix double free in driver API bus_register() Riyan Dhiman <riyandhiman14(a)gmail.com> staging: vme_user: added bound check to geoid Zhu Jun <zhujun2(a)cmss.chinamobile.com> tools/iio: Add memory allocation failure check for trigger_name Philip Chen <philipchen(a)chromium.org> virtio_pmem: Check device status before requesting flush Simon Horman <horms(a)kernel.org> netfilter: nf_reject: Fix build warning when CONFIG_BRIDGE_NETFILTER=n Florian Westphal <fw(a)strlen.de> netfilter: nf_nat: don't try nat source port reallocation for reverse dir clash Wentao Guan <guanwentao(a)uniontech.com> LoongArch: Fix memleak in pci_acpi_scan_root() Ruffalo Lavoisier <ruffalolavoisier(a)gmail.com> comedi: ni_routing: tools: Check when the file could not be opened Shawn Shao <shawn.shao(a)jaguarmicro.com> usb: dwc2: Adjust the timing of USB Driver Interrupt Registration in the Crashkernel Scenario Xu Yang <xu.yang_2(a)nxp.com> usb: chipidea: udc: enable suspend interrupt after usb reset Wadim Egorov <w.egorov(a)phytec.de> usb: typec: tipd: Free IRQ only if it was requested before Jiri Slaby (SUSE) <jirislaby(a)kernel.org> serial: protect uart_port_dtr_rts() in uart_shutdown() too Peng Fan <peng.fan(a)nxp.com> clk: imx: Remove CLK_SET_PARENT_GATE for DRAM mux for i.MX7D Peng Fan <peng.fan(a)nxp.com> remoteproc: imx_rproc: Use imx specific hook for find_loaded_rsc_table Yunke Cao <yunkec(a)chromium.org> media: videobuf2-core: clear memory related fields in __vb2_plane_dmabuf_put() Ying Sun <sunying(a)isrc.iscas.ac.cn> riscv/kexec_file: Fix relocation type R_RISCV_ADD16 and R_RISCV_SUB16 unknown Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com> soundwire: cadence: re-check Peripheral status with delayed_work Michael Guralnik <michaelgur(a)nvidia.com> RDMA/mlx5: Enforce umem boundaries for explicit ODP page faults Jisheng Zhang <jszhang(a)kernel.org> riscv: avoid Imbalance in RAS Hans de Goede <hdegoede(a)redhat.com> mfd: intel_soc_pmic_chtwc: Make Lenovo Yoga Tab 3 X90F DMI match less strict Kaixin Wang <kxwang23(a)m.fudan.edu.cn> ntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due to race condition Jens Axboe <axboe(a)kernel.dk> io_uring: check if we need to reschedule during overflow flush Palmer Dabbelt <palmer(a)rivosinc.com> RISC-V: Don't have MAX_PHYSMEM_BITS exceed phys_addr_t Kaixin Wang <kxwang23(a)m.fudan.edu.cn> i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition Alex Williamson <alex.williamson(a)redhat.com> PCI: Mark Creative Labs EMU20k2 INTx masking as broken Hans de Goede <hdegoede(a)redhat.com> i2c: i801: Use a different adapter-name for IDF adapters Subramanian Ananthanarayanan <quic_skananth(a)quicinc.com> PCI: Add ACS quirk for Qualcomm SA8775P Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> clk: bcm: bcm53573: fix OF node leak in init Md Haris Iqbal <haris.iqbal(a)ionos.com> RDMA/rtrs-srv: Avoid null pointer deref during path establishment WangYuli <wangyuli(a)uniontech.com> PCI: Add function 0 DMA alias quirk for Glenfly Arise chip Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com> soundwire: intel_bus_common: enable interrupts before exiting reset Saravanan Vajravel <saravanan.vajravel(a)broadcom.com> RDMA/mad: Improve handling of timed out WRs of mad agent Daniel Jordan <daniel.m.jordan(a)oracle.com> ktest.pl: Avoid false positives with grub2 skip regex Xu Kuohai <xukuohai(a)huawei.com> bpf: Prevent tail call between progs attached to different hooks Thomas Richter <tmricht(a)linux.ibm.com> s390/cpum_sf: Remove WARN_ON_ONCE statements Wojciech Gładysz <wojciech.gladysz(a)infogain.com> ext4: nested locking for xattr inode Jan Kara <jack(a)suse.cz> ext4: don't set SB_RDONLY after filesystem errors Yonghong Song <yonghong.song(a)linux.dev> bpf, x64: Fix a jit convergence issue Gerald Schaefer <gerald.schaefer(a)linux.ibm.com> s390/mm: Add cond_resched() to cmm_alloc/free_pages() Heiko Carstens <hca(a)linux.ibm.com> s390/facility: Disable compile time optimization for decompressor code Tao Chen <chen.dylane(a)gmail.com> bpf: Check percpu map value size first Daniel Borkmann <daniel(a)iogearbox.net> selftests/bpf: Fix ARG_PTR_TO_LONG {half-,}uninitialized test Mathias Krause <minipli(a)grsecurity.net> Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal Andrey Skvortsov <andrej.skvortzov(a)gmail.com> zram: don't free statically defined names Sergey Senozhatsky <senozhatsky(a)chromium.org> zram: free secondary algorithms names Diogo Jahchan Koike <djahchankoike(a)gmail.com> ntfs3: Change to non-blocking allocation in ntfs_d_hash Michael S. Tsirkin <mst(a)redhat.com> virtio_console: fix misc probe bugs Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Refactor enum_rstbl to suppress static checker Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Fix sparse warning in ni_fiemap Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Do not call file_modified if collapse range failed Alex Hung <alex.hung(a)amd.com> drm/amd/display: Revert "Check HDCP returned status" Wenjing Liu <wenjing.liu(a)amd.com> drm/amd/display: Remove a redundant check in authenticated_dp Paul Menzel <pmenzel(a)molgen.mpg.de> lib/build_OID_registry: avoid non-destructive substitution for Perl < 5.13.2 compat Randy Dunlap <rdunlap(a)infradead.org> jbd2: fix kernel-doc for j_transaction_overhead_buffers Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: Fix usage of __hci_cmd_sync_status Benjamin Poirier <bpoirier(a)nvidia.com> selftests: Introduce Makefile variable to list shared bash scripts Benjamin Poirier <bpoirier(a)nvidia.com> selftests: net: Remove executable bits from library scripts Aditya Gupta <adityag(a)linux.ibm.com> libsubcmd: Don't free the usage string Yang Jihong <yangjihong1(a)huawei.com> perf sched: Move curr_pid and cpu_last_switched initialization to perf_sched__{lat|map|replay}() Yang Jihong <yangjihong1(a)huawei.com> perf sched: Move curr_thread initialization to perf_sched__map() Yang Jihong <yangjihong1(a)huawei.com> perf sched: Fix memory leak in perf_sched__map() Yang Jihong <yangjihong1(a)huawei.com> perf sched: Move start_work_mutex and work_done_wait_mutex initialization to perf_sched__replay() Masami Hiramatsu (Google) <mhiramat(a)kernel.org> bootconfig: Fix the kerneldoc of _xbc_exit() Hui Wang <hui.wang(a)canonical.com> e1000e: move force SMBUS near the end of enable_ulp function Tony Nguyen <anthony.l.nguyen(a)intel.com> i40e: Include types.h to some headers Ivan Vecera <ivecera(a)redhat.com> i40e: Fix ST code value for Clause 45 Damien Le Moal <dlemoal(a)kernel.org> scsi: sd: Do not repeat the starting disk message Damien Le Moal <dlemoal(a)kernel.org> scsi: Remove scsi device no_start_on_resume flag Gergo Koteles <soyer(a)irl.hu> ASoC: tas2781: mark dvc_tlv with __maybe_unused Damien Le Moal <dlemoal(a)kernel.org> ata: ahci: Add mask_port_map module parameter Carlos Song <carlos.song(a)nxp.com> spi: spi-fsl-lpspi: remove redundant spi_controller_put call Charlie Jenkins <charlie(a)rivosinc.com> riscv: cpufeature: Fix thead vector hwcap removal Steven Rostedt (Google) <rostedt(a)goodmis.org> tracing: Have saved_cmdlines arrays all in one allocation Xiubo Li <xiubli(a)redhat.com> libceph: init the cursor when preparing sparse read in msgr2 Shannon Nelson <shannon.nelson(a)amd.com> pds_core: no health-thread in VF path Geoff Levand <geoff(a)infradead.org> Revert "powerpc/ps3_defconfig: Disable PPC64_BIG_ENDIAN_ELF_ABI_V2" Manivannan Sadhasivam <mani(a)kernel.org> bus: mhi: ep: Do not allocate memory for MHI objects from DMA zone Manivannan Sadhasivam <mani(a)kernel.org> bus: mhi: ep: Add support for async DMA read operation Manivannan Sadhasivam <mani(a)kernel.org> bus: mhi: ep: Add support for async DMA write operation Manivannan Sadhasivam <mani(a)kernel.org> bus: mhi: ep: Introduce async read/write callbacks Manivannan Sadhasivam <mani(a)kernel.org> bus: mhi: ep: Rename read_from_host() and write_to_host() APIs Rob Clark <robdclark(a)chromium.org> drm/crtc: fix uninitialized variable use even harder Jean-Loïc Charroud <lagiraudiere+linux(a)free.fr> ALSA: hda/realtek: cs35l41: Fix device ID / model name Jean-Loïc Charroud <lagiraudiere+linux(a)free.fr> ALSA: hda/realtek: cs35l41: Fix order and duplicates in quirks table Steven Rostedt (Google) <rostedt(a)goodmis.org> tracing: Remove precision vsnprintf() check from print event Cong Yang <yangcong5(a)huaqin.corp-partner.google.com> drm/panel: boe-tv101wum-nl6: Fine tune Himax83102-j02 panel HFP and HBP (again) Linus Walleij <linus.walleij(a)linaro.org> net: ethernet: cortina: Drop TSO support Song Shuai <songshuaishuai(a)tinylab.org> riscv: Remove SHADOW_OVERFLOW_STACK_SIZE macro Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: Revert "ignore negated quota changes" Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: qd_check_sync cleanups Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: Revert "introduce qd_bh_get_or_undo" Abel Vesa <abel.vesa(a)linaro.org> phy: qualcomm: eusb2-repeater: Rework init to drop redundant zero-out loop Konrad Dybcio <konrad.dybcio(a)linaro.org> phy: qualcomm: phy-qcom-eusb2-repeater: Add tuning overrides Richard Fitzgerald <rf(a)opensource.cirrus.com> ASoC: cs35l56: Load tunings for the correct speaker models Bjorn Helgaas <bhelgaas(a)google.com> Revert "PCI/MSI: Provide stubs for IMS functions" Wei Fang <wei.fang(a)nxp.com> net: fec: don't save PTP state if PTP is unsupported Gabriel Krisman Bertazi <krisman(a)suse.de> unicode: Don't special case ignorable code points ------------- Diffstat: Documentation/dev-tools/kselftest.rst | 12 + Makefile | 4 +- arch/loongarch/pci/acpi.c | 1 + arch/powerpc/configs/ps3_defconfig | 1 - arch/riscv/include/asm/sbi.h | 2 + arch/riscv/include/asm/sparsemem.h | 2 +- arch/riscv/include/asm/thread_info.h | 1 - arch/riscv/kernel/cpu.c | 40 +- arch/riscv/kernel/cpufeature.c | 8 +- arch/riscv/kernel/elf_kexec.c | 6 + arch/riscv/kernel/entry.S | 4 +- arch/s390/include/asm/facility.h | 6 +- arch/s390/include/asm/io.h | 2 + arch/s390/kernel/perf_cpum_sf.c | 12 +- arch/s390/mm/cmm.c | 18 +- arch/x86/kernel/amd_nb.c | 4 + arch/x86/net/bpf_jit_comp.c | 54 +- drivers/ata/ahci.c | 85 + drivers/ata/libata-eh.c | 18 +- drivers/base/bus.c | 8 +- drivers/block/zram/zram_drv.c | 7 + drivers/bus/mhi/ep/internal.h | 1 + drivers/bus/mhi/ep/main.c | 248 +- drivers/bus/mhi/ep/ring.c | 8 +- drivers/char/virtio_console.c | 18 +- drivers/clk/bcm/clk-bcm53573-ilp.c | 2 +- drivers/clk/imx/clk-imx7d.c | 4 +- .../drivers/ni_routing/tools/convert_c_to_py.c | 5 + drivers/dax/device.c | 2 +- drivers/gpio/gpio-aspeed.c | 4 +- drivers/gpu/drm/amd/display/dc/core/dc.c | 2 +- .../drm/amd/display/modules/hdcp/hdcp1_execution.c | 27 +- drivers/gpu/drm/drm_crtc.c | 1 + drivers/gpu/drm/i915/display/intel_hdcp.c | 10 +- drivers/gpu/drm/nouveau/dispnv04/crtc.c | 2 +- drivers/gpu/drm/nouveau/nouveau_abi16.c | 2 +- drivers/gpu/drm/nouveau/nouveau_bo.c | 2 +- drivers/gpu/drm/nouveau/nouveau_chan.c | 21 +- drivers/gpu/drm/nouveau/nouveau_chan.h | 3 +- drivers/gpu/drm/nouveau/nouveau_dmem.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.c | 4 +- drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c | 8 +- drivers/gpu/drm/v3d/v3d_perfmon.c | 9 +- drivers/gpu/drm/vc4/vc4_perfmon.c | 7 +- drivers/hid/Kconfig | 9 + drivers/hid/Makefile | 1 + drivers/hid/amd-sfh-hid/amd_sfh_client.c | 14 +- drivers/hid/hid-asus.c | 14 +- drivers/hid/hid-ids.h | 10 + drivers/hid/hid-mcp2200.c | 392 ++ drivers/hid/hid-multitouch.c | 8 +- drivers/hid/hid-plantronics.c | 23 + drivers/hid/i2c-hid/i2c-hid-core.c | 22 +- drivers/hid/intel-ish-hid/ishtp-fw-loader.c | 2 +- drivers/hwmon/Kconfig | 4 + drivers/hwmon/intel-m10-bmc-hwmon.c | 2 +- drivers/hwmon/k10temp.c | 1 + drivers/i2c/busses/i2c-i801.c | 9 +- drivers/i3c/master/i3c-master-cdns.c | 1 + drivers/infiniband/core/mad.c | 14 +- drivers/infiniband/hw/mlx5/odp.c | 25 +- drivers/infiniband/ulp/rtrs/rtrs-srv.c | 13 +- drivers/input/rmi4/rmi_driver.c | 6 +- drivers/media/common/videobuf2/videobuf2-core.c | 8 +- drivers/mfd/intel_soc_pmic_chtwc.c | 1 - drivers/net/dsa/b53/b53_common.c | 17 +- drivers/net/dsa/lan9303-core.c | 29 + drivers/net/ethernet/adi/adin1110.c | 4 +- drivers/net/ethernet/amd/pds_core/main.c | 6 + drivers/net/ethernet/cortina/gemini.c | 32 +- drivers/net/ethernet/freescale/fec_main.c | 6 +- drivers/net/ethernet/ibm/emac/mal.c | 2 +- drivers/net/ethernet/intel/e1000e/hw.h | 4 +- drivers/net/ethernet/intel/e1000e/ich8lan.c | 55 + drivers/net/ethernet/intel/e1000e/netdev.c | 22 +- drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h | 1 + drivers/net/ethernet/intel/i40e/i40e_diag.h | 1 + drivers/net/ethernet/intel/i40e/i40e_main.c | 1 + drivers/net/ethernet/intel/i40e/i40e_register.h | 2 +- drivers/net/ethernet/intel/i40e/i40e_type.h | 4 +- drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 2 + drivers/net/ethernet/intel/ice/ice.h | 6 +- drivers/net/ethernet/intel/ice/ice_eswitch.c | 63 +- drivers/net/ethernet/intel/ice/ice_eswitch_br.c | 17 +- drivers/net/ethernet/intel/ice/ice_eswitch_br.h | 1 + drivers/net/ethernet/intel/ice/ice_main.c | 27 +- drivers/net/ethernet/intel/ice/ice_switch.c | 2 - drivers/net/ethernet/intel/ice/ice_tc_lib.c | 15 +- drivers/net/ethernet/intel/igb/igb_main.c | 4 + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +- drivers/net/phy/bcm84881.c | 4 +- drivers/net/phy/dp83869.c | 1 - drivers/net/phy/phy_device.c | 5 +- drivers/net/ppp/ppp_async.c | 2 +- drivers/net/slip/slhc.c | 57 +- drivers/net/vxlan/vxlan_core.c | 6 +- drivers/net/vxlan/vxlan_private.h | 2 +- drivers/net/vxlan/vxlan_vnifilter.c | 19 +- drivers/ntb/hw/mscc/ntb_hw_switchtec.c | 1 + drivers/nvdimm/nd_virtio.c | 9 + drivers/pci/endpoint/functions/pci-epf-mhi.c | 8 +- drivers/pci/quirks.c | 8 + drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c | 145 +- drivers/powercap/intel_rapl_tpmi.c | 19 +- drivers/remoteproc/imx_rproc.c | 13 +- drivers/scsi/lpfc/lpfc_ct.c | 12 + drivers/scsi/lpfc/lpfc_disc.h | 7 + drivers/scsi/lpfc/lpfc_els.c | 7 +- drivers/scsi/lpfc/lpfc_vport.c | 43 +- drivers/scsi/sd.c | 9 +- drivers/scsi/wd33c93.c | 2 +- drivers/soundwire/cadence_master.c | 39 +- drivers/soundwire/cadence_master.h | 5 + drivers/soundwire/intel.h | 2 + drivers/soundwire/intel_auxdevice.c | 1 + drivers/soundwire/intel_bus_common.c | 35 +- drivers/spi/spi-fsl-lpspi.c | 14 +- drivers/staging/vme_user/vme_fake.c | 6 + drivers/staging/vme_user/vme_tsi148.c | 6 + .../int340x_thermal/processor_thermal_device_pci.c | 23 +- drivers/tty/serial/serial_core.c | 16 +- drivers/ufs/core/ufshcd.c | 5 +- drivers/usb/chipidea/udc.c | 8 +- drivers/usb/dwc2/platform.c | 26 +- drivers/usb/dwc3/core.c | 22 +- drivers/usb/dwc3/core.h | 4 - drivers/usb/dwc3/gadget.c | 11 - drivers/usb/gadget/udc/core.c | 1 + drivers/usb/host/xhci-pci.c | 5 + drivers/usb/misc/yurex.c | 19 +- drivers/usb/storage/unusual_devs.h | 11 + drivers/usb/typec/tipd/core.c | 2 + drivers/video/fbdev/core/fbcon.c | 2 + drivers/video/fbdev/sis/sis_main.c | 2 +- fs/btrfs/extent-tree.c | 19 +- fs/btrfs/volumes.h | 6 + fs/btrfs/zoned.c | 2 +- fs/ext4/super.c | 9 +- fs/ext4/xattr.c | 4 +- fs/gfs2/quota.c | 59 +- fs/nfs/callback_xdr.c | 2 + fs/nfs/client.c | 1 + fs/nfs/nfs42proc.c | 2 +- fs/nfs/nfs4state.c | 2 +- fs/nfsd/filecache.c | 4 +- fs/ntfs3/file.c | 4 +- fs/ntfs3/frecord.c | 21 +- fs/ntfs3/fslog.c | 19 +- fs/ntfs3/namei.c | 4 +- fs/proc/kcore.c | 36 +- fs/smb/client/smb2ops.c | 47 +- fs/smb/client/smb2pdu.c | 6 + fs/unicode/mkutf8data.c | 70 - fs/unicode/utf8data.c_shipped | 6703 ++++++++++---------- include/linux/bpf.h | 1 + include/linux/intel_tpmi.h | 6 + include/linux/jbd2.h | 2 +- include/linux/mhi_ep.h | 21 +- include/linux/netlink.h | 2 + include/linux/nfs_fs_sb.h | 1 + include/linux/pci.h | 34 +- include/linux/pci_ids.h | 4 + include/linux/tcp.h | 8 + include/net/mctp.h | 2 +- include/net/rtnetlink.h | 18 + include/net/sch_generic.h | 1 - include/net/sock.h | 2 + include/scsi/scsi_device.h | 1 - include/sound/cs35l56.h | 1 + include/sound/tas2781-tlv.h | 2 +- include/uapi/linux/tcp.h | 12 + io_uring/io_uring.c | 15 + kernel/bpf/arraymap.c | 3 + kernel/bpf/core.c | 21 +- kernel/bpf/hashtab.c | 3 + kernel/kthread.c | 2 + kernel/rcu/tree.c | 9 +- kernel/rcu/tree_nocb.h | 28 +- kernel/trace/trace.c | 18 +- kernel/trace/trace_output.c | 6 +- lib/bootconfig.c | 3 +- lib/build_OID_registry | 4 +- mm/secretmem.c | 4 +- net/bluetooth/hci_conn.c | 3 + net/bluetooth/hci_core.c | 27 +- net/bluetooth/rfcomm/sock.c | 2 - net/bridge/br_netfilter_hooks.c | 5 + net/bridge/br_netlink.c | 6 +- net/bridge/br_private.h | 5 +- net/bridge/br_vlan.c | 19 +- net/ceph/messenger_v2.c | 3 + net/core/dst.c | 17 +- net/core/rtnetlink.c | 31 + net/ipv4/netfilter/nf_reject_ipv4.c | 10 +- net/ipv4/netfilter/nft_fib_ipv4.c | 4 +- net/ipv4/tcp.c | 9 + net/ipv4/tcp_input.c | 57 +- net/ipv4/tcp_minisocks.c | 4 + net/ipv4/tcp_timer.c | 17 +- net/ipv6/netfilter/nf_reject_ipv6.c | 5 +- net/ipv6/netfilter/nft_fib_ipv6.c | 5 +- net/mac80211/scan.c | 17 +- net/mctp/af_mctp.c | 6 +- net/mctp/device.c | 32 +- net/mctp/neigh.c | 29 +- net/mctp/route.c | 33 +- net/mpls/af_mpls.c | 87 +- net/mptcp/mib.c | 2 + net/mptcp/mib.h | 2 + net/mptcp/pm_netlink.c | 3 +- net/mptcp/protocol.c | 24 +- net/mptcp/subflow.c | 6 +- net/netfilter/nf_nat_core.c | 120 +- net/netfilter/xt_CHECKSUM.c | 33 +- net/netfilter/xt_CLASSIFY.c | 16 +- net/netfilter/xt_CONNSECMARK.c | 36 +- net/netfilter/xt_CT.c | 148 +- net/netfilter/xt_IDLETIMER.c | 59 +- net/netfilter/xt_LED.c | 39 +- net/netfilter/xt_NFLOG.c | 36 +- net/netfilter/xt_RATEEST.c | 39 +- net/netfilter/xt_SECMARK.c | 27 +- net/netfilter/xt_TRACE.c | 35 +- net/netfilter/xt_addrtype.c | 15 +- net/netfilter/xt_cluster.c | 33 +- net/netfilter/xt_connbytes.c | 4 +- net/netfilter/xt_connlimit.c | 39 +- net/netfilter/xt_connmark.c | 28 +- net/netfilter/xt_mark.c | 42 +- net/netlink/af_netlink.c | 38 +- net/netlink/af_netlink.h | 5 +- net/phonet/pn_netlink.c | 43 +- net/rxrpc/sendmsg.c | 10 +- net/sched/sch_api.c | 7 +- net/sctp/socket.c | 18 +- net/socket.c | 7 +- sound/pci/hda/hda_intel.c | 2 +- sound/pci/hda/patch_realtek.c | 7 +- sound/soc/codecs/cs35l56-shared.c | 36 + sound/soc/codecs/cs35l56.c | 32 +- sound/soc/codecs/cs35l56.h | 1 + tools/iio/iio_generic_buffer.c | 4 + tools/lib/subcmd/parse-options.c | 8 +- tools/perf/builtin-kmem.c | 2 + tools/perf/builtin-kvm.c | 3 + tools/perf/builtin-kwork.c | 3 + tools/perf/builtin-lock.c | 3 + tools/perf/builtin-mem.c | 3 + tools/perf/builtin-sched.c | 164 +- tools/testing/ktest/ktest.pl | 2 +- tools/testing/selftests/Makefile | 7 +- .../testing/selftests/bpf/progs/verifier_int_ptr.c | 5 +- tools/testing/selftests/lib.mk | 19 + tools/testing/selftests/mm/hmm-tests.c | 2 +- .../selftests/net/forwarding/no_forwarding.sh | 2 +- tools/testing/selftests/net/setup_loopback.sh | 0 tools/testing/selftests/rseq/rseq.c | 110 +- tools/testing/selftests/rseq/rseq.h | 10 +- 258 files changed, 6561 insertions(+), 4700 deletions(-)

2 months, 3 weeks

10
9
0 0

[PATCH v2 2/7] serial: qcom-geni: fix shutdown race

by Johan Hovold

A commit adding back the stopping of tx on port shutdown failed to add back the locking which had also been removed by commit e83766334f96 ("tty: serial: qcom_geni_serial: No need to stop tx/rx on UART shutdown"). Holding the port lock is needed to serialise against the console code, which may update the interrupt enable register and access the port state. Fixes: d8aca2f96813 ("tty: serial: qcom-geni-serial: stop operations in progress at shutdown") Fixes: 947cc4ecc06c ("serial: qcom-geni: fix soft lockup on sw flow control and suspend") Cc: stable(a)vger.kernel.org # 6.3 Cc: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> --- drivers/tty/serial/qcom_geni_serial.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/tty/serial/qcom_geni_serial.c b/drivers/tty/serial/qcom_geni_serial.c index 9ea6bd09e665..b6a8729cee6d 100644 --- a/drivers/tty/serial/qcom_geni_serial.c +++ b/drivers/tty/serial/qcom_geni_serial.c @@ -1096,10 +1096,12 @@ static void qcom_geni_serial_shutdown(struct uart_port *uport) { disable_irq(uport->irq); + uart_port_lock_irq(uport); qcom_geni_serial_stop_tx(uport); qcom_geni_serial_stop_rx(uport); qcom_geni_serial_cancel_tx_cmd(uport); + uart_port_unlock_irq(uport); } static void qcom_geni_serial_flush_buffer(struct uart_port *uport) -- 2.45.2

2 months, 3 weeks

4
8
0 0

FAILED: patch "[PATCH] maple_tree: correct tree corruption on spanning store" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x bea07fd63192b61209d48cbb81ef474cc3ee4c62 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024101818-ducky-dallying-2814@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From bea07fd63192b61209d48cbb81ef474cc3ee4c62 Mon Sep 17 00:00:00 2001 From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Date: Mon, 7 Oct 2024 16:28:32 +0100 Subject: [PATCH] maple_tree: correct tree corruption on spanning store Patch series "maple_tree: correct tree corruption on spanning store", v3. There has been a nasty yet subtle maple tree corruption bug that appears to have been in existence since the inception of the algorithm. This bug seems far more likely to happen since commit f8d112a4e657 ("mm/mmap: avoid zeroing vma tree in mmap_region()"), which is the point at which reports started to be submitted concerning this bug. We were made definitely aware of the bug thanks to the kind efforts of Bert Karwatzki who helped enormously in my being able to track this down and identify the cause of it. The bug arises when an attempt is made to perform a spanning store across two leaf nodes, where the right leaf node is the rightmost child of the shared parent, AND the store completely consumes the right-mode node. This results in mas_wr_spanning_store() mitakenly duplicating the new and existing entries at the maximum pivot within the range, and thus maple tree corruption. The fix patch corrects this by detecting this scenario and disallowing the mistaken duplicate copy. The fix patch commit message goes into great detail as to how this occurs. This series also includes a test which reliably reproduces the issue, and asserts that the fix works correctly. Bert has kindly tested the fix and confirmed it resolved his issues. Also Mikhail Gavrilov kindly reported what appears to be precisely the same bug, which this fix should also resolve. This patch (of 2): There has been a subtle bug present in the maple tree implementation from its inception. This arises from how stores are performed - when a store occurs, it will overwrite overlapping ranges and adjust the tree as necessary to accommodate this. A range may always ultimately span two leaf nodes. In this instance we walk the two leaf nodes, determine which elements are not overwritten to the left and to the right of the start and end of the ranges respectively and then rebalance the tree to contain these entries and the newly inserted one. This kind of store is dubbed a 'spanning store' and is implemented by mas_wr_spanning_store(). In order to reach this stage, mas_store_gfp() invokes mas_wr_preallocate(), mas_wr_store_type() and mas_wr_walk() in turn to walk the tree and update the object (mas) to traverse to the location where the write should be performed, determining its store type. When a spanning store is required, this function returns false stopping at the parent node which contains the target range, and mas_wr_store_type() marks the mas->store_type as wr_spanning_store to denote this fact. When we go to perform the store in mas_wr_spanning_store(), we first determine the elements AFTER the END of the range we wish to store (that is, to the right of the entry to be inserted) - we do this by walking to the NEXT pivot in the tree (i.e. r_mas.last + 1), starting at the node we have just determined contains the range over which we intend to write. We then turn our attention to the entries to the left of the entry we are inserting, whose state is represented by l_mas, and copy these into a 'big node', which is a special node which contains enough slots to contain two leaf node's worth of data. We then copy the entry we wish to store immediately after this - the copy and the insertion of the new entry is performed by mas_store_b_node(). After this we copy the elements to the right of the end of the range which we are inserting, if we have not exceeded the length of the node (i.e. r_mas.offset <= r_mas.end). Herein lies the bug - under very specific circumstances, this logic can break and corrupt the maple tree. Consider the following tree: Height 0 Root Node / \ pivot = 0xffff / \ pivot = ULONG_MAX / \ 1 A [-----] ... / \ pivot = 0x4fff / \ pivot = 0xffff / \ 2 (LEAVES) B [-----] [-----] C ^--- Last pivot 0xffff. Now imagine we wish to store an entry in the range [0x4000, 0xffff] (note that all ranges expressed in maple tree code are inclusive): 1. mas_store_gfp() descends the tree, finds node A at <=0xffff, then determines that this is a spanning store across nodes B and C. The mas state is set such that the current node from which we traverse further is node A. 2. In mas_wr_spanning_store() we try to find elements to the right of pivot 0xffff by searching for an index of 0x10000: - mas_wr_walk_index() invokes mas_wr_walk_descend() and mas_wr_node_walk() in turn. - mas_wr_node_walk() loops over entries in node A until EITHER it finds an entry whose pivot equals or exceeds 0x10000 OR it reaches the final entry. - Since no entry has a pivot equal to or exceeding 0x10000, pivot 0xffff is selected, leading to node C. - mas_wr_walk_traverse() resets the mas state to traverse node C. We loop around and invoke mas_wr_walk_descend() and mas_wr_node_walk() in turn once again. - Again, we reach the last entry in node C, which has a pivot of 0xffff. 3. We then copy the elements to the left of 0x4000 in node B to the big node via mas_store_b_node(), and insert the new [0x4000, 0xffff] entry too. 4. We determine whether we have any entries to copy from the right of the end of the range via - and with r_mas set up at the entry at pivot 0xffff, r_mas.offset <= r_mas.end, and then we DUPLICATE the entry at pivot 0xffff. 5. BUG! The maple tree is corrupted with a duplicate entry. This requires a very specific set of circumstances - we must be spanning the last element in a leaf node, which is the last element in the parent node. spanning store across two leaf nodes with a range that ends at that shared pivot. A potential solution to this problem would simply be to reset the walk each time we traverse r_mas, however given the rarity of this situation it seems that would be rather inefficient. Instead, this patch detects if the right hand node is populated, i.e. has anything we need to copy. We do so by only copying elements from the right of the entry being inserted when the maximum value present exceeds the last, rather than basing this on offset position. The patch also updates some comments and eliminates the unused bool return value in mas_wr_walk_index(). The work performed in commit f8d112a4e657 ("mm/mmap: avoid zeroing vma tree in mmap_region()") seems to have made the probability of this event much more likely, which is the point at which reports started to be submitted concerning this bug. The motivation for this change arose from Bert Karwatzki's report of encountering mm instability after the release of kernel v6.12-rc1 which, after the use of CONFIG_DEBUG_VM_MAPLE_TREE and similar configuration options, was identified as maple tree corruption. After Bert very generously provided his time and ability to reproduce this event consistently, I was able to finally identify that the issue discussed in this commit message was occurring for him. Link: https://lkml.kernel.org/r/cover.1728314402.git.lorenzo.stoakes@oracle.com Link: https://lkml.kernel.org/r/48b349a2a0f7c76e18772712d0997a5e12ab0a3b.17283144… Fixes: 54a611b60590 ("Maple Tree: add new data structure") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reported-by: Bert Karwatzki <spasswolf(a)web.de> Closes: https://lore.kernel.org/all/20241001023402.3374-1-spasswolf@web.de/ Tested-by: Bert Karwatzki <spasswolf(a)web.de> Reported-by: Mikhail Gavrilov <mikhail.v.gavrilov(a)gmail.com> Closes: https://lore.kernel.org/all/CABXGCsOPwuoNOqSMmAvWO2Fz4TEmPnjFj-b7iF+XFRu1h7… Acked-by: Vlastimil Babka <vbabka(a)suse.cz> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)Oracle.com> Tested-by: Mikhail Gavrilov <mikhail.v.gavrilov(a)gmail.com> Reviewed-by: Wei Yang <richard.weiyang(a)gmail.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Sidhartha Kumar <sidhartha.kumar(a)oracle.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/lib/maple_tree.c b/lib/maple_tree.c index ce7c7a7a8258..3619301dda2e 100644 --- a/lib/maple_tree.c +++ b/lib/maple_tree.c @@ -2196,6 +2196,8 @@ static inline void mas_node_or_none(struct ma_state *mas, /* * mas_wr_node_walk() - Find the correct offset for the index in the @mas. + * If @mas->index cannot be found within the containing + * node, we traverse to the last entry in the node. * @wr_mas: The maple write state * * Uses mas_slot_locked() and does not need to worry about dead nodes. @@ -3532,7 +3534,7 @@ static bool mas_wr_walk(struct ma_wr_state *wr_mas) return true; } -static bool mas_wr_walk_index(struct ma_wr_state *wr_mas) +static void mas_wr_walk_index(struct ma_wr_state *wr_mas) { struct ma_state *mas = wr_mas->mas; @@ -3541,11 +3543,9 @@ static bool mas_wr_walk_index(struct ma_wr_state *wr_mas) wr_mas->content = mas_slot_locked(mas, wr_mas->slots, mas->offset); if (ma_is_leaf(wr_mas->type)) - return true; + return; mas_wr_walk_traverse(wr_mas); - } - return true; } /* * mas_extend_spanning_null() - Extend a store of a %NULL to include surrounding %NULLs. @@ -3765,8 +3765,8 @@ static noinline void mas_wr_spanning_store(struct ma_wr_state *wr_mas) memset(&b_node, 0, sizeof(struct maple_big_node)); /* Copy l_mas and store the value in b_node. */ mas_store_b_node(&l_wr_mas, &b_node, l_mas.end); - /* Copy r_mas into b_node. */ - if (r_mas.offset <= r_mas.end) + /* Copy r_mas into b_node if there is anything to copy. */ + if (r_mas.max > r_mas.last) mas_mab_cp(&r_mas, r_mas.offset, r_mas.end, &b_node, b_node.b_end + 1); else

2 months, 3 weeks

3
2
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror October 2024