October 2024 - Linux-stable-mirror

[PATCH 6.1.y] Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal

by Tzung-Bi Shih

From: Mathias Krause <minipli(a)grsecurity.net> commit fbf8d71742557abaf558d8efb96742d442720cc2 upstream. Calling irq_domain_remove() will lead to freeing the IRQ domain prematurely. The domain is still referenced and will be attempted to get used via rmi_free_function_list() -> rmi_unregister_function() -> irq_dispose_mapping() -> irq_get_irq_data()'s ->domain pointer. With PaX's MEMORY_SANITIZE this will lead to an access fault when attempting to dereference embedded pointers, as in Torsten's report that was faulting on the 'domain->ops->unmap' test. Fix this by releasing the IRQ domain only after all related IRQs have been deactivated. Fixes: 24d28e4f1271 ("Input: synaptics-rmi4 - convert irq distribution to irq_domain") Reported-by: Torsten Hilbrich <torsten.hilbrich(a)secunet.com> Signed-off-by: Mathias Krause <minipli(a)grsecurity.net> Link: https://lore.kernel.org/r/20240222142654.856566-1-minipli@grsecurity.net Signed-off-by: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Signed-off-by: Tzung-Bi Shih <tzungbi(a)kernel.org> --- Commit 24d28e4f1271 ("Input: synaptics-rmi4 - convert irq distribution to irq_domain") was first seen in v4.18-rc3. While the fix fbf8d7174255 ("Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal") was first seen in v6.8. In the field test, we observed the UAF which was triggered via re-probing hid_rmi driver. linux-6.6.y, linux-6.1.y, linux-5.15.y, linux-5.10.y, linux-5.4.y, and linux-4.19.y haven't backported commit fbf8d7174255. Let's backport it. --- drivers/input/rmi4/rmi_driver.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/input/rmi4/rmi_driver.c b/drivers/input/rmi4/rmi_driver.c index aa32371f04af..ef9ea295f9e0 100644 --- a/drivers/input/rmi4/rmi_driver.c +++ b/drivers/input/rmi4/rmi_driver.c @@ -978,12 +978,12 @@ static int rmi_driver_remove(struct device *dev) rmi_disable_irq(rmi_dev, false); - irq_domain_remove(data->irqdomain); - data->irqdomain = NULL; - rmi_f34_remove_sysfs(rmi_dev); rmi_free_function_list(rmi_dev); + irq_domain_remove(data->irqdomain); + data->irqdomain = NULL; + return 0; } -- 2.47.0.rc0.187.ge670bccf7e-goog

6 months, 3 weeks

1
0
0 0

[PATCH] USB: chaoskey: fail open after removal

by Oliver Neukum

chaoskey_open() takes the lock only to increase the counter of openings. That means that the mutual exclusion with chaoskey_disconnect() cannot prevent an increase of the counter and chaoskey_open() returning a success. If that race is hit, chaoskey_disconnect() will happily free all resources associated with the device after it has dropped the lock, as it has read the counter as zero. To prevent this race chaoskey_open() has to check the presence of the device under the lock. However, the current per device lock cannot be used, because it is a part of the data structure to be freed. Hence an additional global mutex is needed. The issue is as old as the driver. Signed-off-by: Oliver Neukum <oneukum(a)suse.com> Reported-by: syzbot+422188bce66e76020e55(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=422188bce66e76020e55 Fixes: 66e3e591891da ("usb: Add driver for Altus Metrum ChaosKey device (v2)") --- drivers/usb/misc/chaoskey.c | 35 ++++++++++++++++++++++++----------- 1 file changed, 24 insertions(+), 11 deletions(-) diff --git a/drivers/usb/misc/chaoskey.c b/drivers/usb/misc/chaoskey.c index 6fb5140e29b9..e8b63df5f975 100644 --- a/drivers/usb/misc/chaoskey.c +++ b/drivers/usb/misc/chaoskey.c @@ -27,6 +27,8 @@ static struct usb_class_driver chaoskey_class; static int chaoskey_rng_read(struct hwrng *rng, void *data, size_t max, bool wait); +static DEFINE_MUTEX(chaoskey_list_lock); + #define usb_dbg(usb_if, format, arg...) \ dev_dbg(&(usb_if)->dev, format, ## arg) @@ -230,6 +232,7 @@ static void chaoskey_disconnect(struct usb_interface *interface) if (dev->hwrng_registered) hwrng_unregister(&dev->hwrng); + mutex_lock(&chaoskey_list_lock); usb_deregister_dev(interface, &chaoskey_class); usb_set_intfdata(interface, NULL); @@ -244,6 +247,7 @@ static void chaoskey_disconnect(struct usb_interface *interface) } else mutex_unlock(&dev->lock); + mutex_unlock(&chaoskey_list_lock); usb_dbg(interface, "disconnect done"); } @@ -251,6 +255,7 @@ static int chaoskey_open(struct inode *inode, struct file *file) { struct chaoskey *dev; struct usb_interface *interface; + int rv = 0; /* get the interface from minor number and driver information */ interface = usb_find_interface(&chaoskey_driver, iminor(inode)); @@ -266,18 +271,23 @@ static int chaoskey_open(struct inode *inode, struct file *file) } file->private_data = dev; + mutex_lock(&chaoskey_list_lock); mutex_lock(&dev->lock); - ++dev->open; + if (dev->present) + ++dev->open; + else + rv = -ENODEV; mutex_unlock(&dev->lock); + mutex_unlock(&chaoskey_list_lock); - usb_dbg(interface, "open success"); - return 0; + return rv; } static int chaoskey_release(struct inode *inode, struct file *file) { struct chaoskey *dev = file->private_data; struct usb_interface *interface; + int rv = 0; if (dev == NULL) return -ENODEV; @@ -286,14 +296,15 @@ static int chaoskey_release(struct inode *inode, struct file *file) usb_dbg(interface, "release"); + mutex_lock(&chaoskey_list_lock); mutex_lock(&dev->lock); usb_dbg(interface, "open count at release is %d", dev->open); if (dev->open <= 0) { usb_dbg(interface, "invalid open count (%d)", dev->open); - mutex_unlock(&dev->lock); - return -ENODEV; + rv = -ENODEV; + goto bail; } --dev->open; @@ -302,13 +313,15 @@ static int chaoskey_release(struct inode *inode, struct file *file) if (dev->open == 0) { mutex_unlock(&dev->lock); chaoskey_free(dev); - } else - mutex_unlock(&dev->lock); - } else - mutex_unlock(&dev->lock); - + goto destruction; + } + } +bail: + mutex_unlock(&dev->lock); +destruction: + mutex_lock(&chaoskey_list_lock); usb_dbg(interface, "release success"); - return 0; + return rv; } static void chaos_read_callback(struct urb *urb) -- 2.46.1

6 months, 3 weeks

4
4
0 0

[PATCH 6.6.y] Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal

by Tzung-Bi Shih

From: Mathias Krause <minipli(a)grsecurity.net> commit fbf8d71742557abaf558d8efb96742d442720cc2 upstream. Calling irq_domain_remove() will lead to freeing the IRQ domain prematurely. The domain is still referenced and will be attempted to get used via rmi_free_function_list() -> rmi_unregister_function() -> irq_dispose_mapping() -> irq_get_irq_data()'s ->domain pointer. With PaX's MEMORY_SANITIZE this will lead to an access fault when attempting to dereference embedded pointers, as in Torsten's report that was faulting on the 'domain->ops->unmap' test. Fix this by releasing the IRQ domain only after all related IRQs have been deactivated. Fixes: 24d28e4f1271 ("Input: synaptics-rmi4 - convert irq distribution to irq_domain") Reported-by: Torsten Hilbrich <torsten.hilbrich(a)secunet.com> Signed-off-by: Mathias Krause <minipli(a)grsecurity.net> Link: https://lore.kernel.org/r/20240222142654.856566-1-minipli@grsecurity.net Signed-off-by: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Signed-off-by: Tzung-Bi Shih <tzungbi(a)kernel.org> --- Commit 24d28e4f1271 ("Input: synaptics-rmi4 - convert irq distribution to irq_domain") was first seen in v4.18-rc3. While the fix fbf8d7174255 ("Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal") was first seen in v6.8. In the field test, we observed the UAF which was triggered via re-probing hid_rmi driver. linux-6.6.y, linux-6.1.y, linux-5.15.y, linux-5.10.y, linux-5.4.y, and linux-4.19.y haven't backported commit fbf8d7174255. Let's backport it. --- drivers/input/rmi4/rmi_driver.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/input/rmi4/rmi_driver.c b/drivers/input/rmi4/rmi_driver.c index aa32371f04af..ef9ea295f9e0 100644 --- a/drivers/input/rmi4/rmi_driver.c +++ b/drivers/input/rmi4/rmi_driver.c @@ -978,12 +978,12 @@ static int rmi_driver_remove(struct device *dev) rmi_disable_irq(rmi_dev, false); - irq_domain_remove(data->irqdomain); - data->irqdomain = NULL; - rmi_f34_remove_sysfs(rmi_dev); rmi_free_function_list(rmi_dev); + irq_domain_remove(data->irqdomain); + data->irqdomain = NULL; + return 0; } -- 2.47.0.rc0.187.ge670bccf7e-goog

6 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] zram: free secondary algorithms names" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 684826f8271ad97580b138b9ffd462005e470b99 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024100724-used-ventricle-7559@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: 684826f8271a ("zram: free secondary algorithms names") f2bac7ad187d ("zram: introduce zcomp_params structure") 1d3100cf148d ("zram: add 842 compression backend support") 84112e314f69 ("zram: add zlib compression backend support") dbf2763cec21 ("zram: pass estimated src size hint to zstd") 73e7d81abbc8 ("zram: add zstd compression backend support") c60a4ef54446 ("zram: add lz4hc compression backend support") 22d651c3b339 ("zram: add lz4 compression backend support") 2152247c55b6 ("zram: add lzo and lzorle compression backends support") 917a59e81c34 ("zram: introduce custom comp backends API") 04cb7502a5d7 ("zsmalloc: use all available 24 bits of page_type") 43d746dc49bb ("mm/zsmalloc: use a proper page type") 8db00ad56461 ("mm: allow reuse of the lower 16 bit of the page type with an actual type") 6d21dde7adc0 ("mm: update _mapcount and page_type documentation") ff202303c398 ("mm: convert page type macros to enum") 46df8e73a4a3 ("mm: free up PG_slab") d99e3140a4d3 ("mm: turn folio_test_hugetlb into a PageType") fd1a745ce03e ("mm: support page_mapcount() on page_has_type() pages") 29cfe7556bfd ("mm: constify more page/folio tests") 443cbaf9e2fd ("crash: split vmcoreinfo exporting code out from crash_core.c") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 684826f8271ad97580b138b9ffd462005e470b99 Mon Sep 17 00:00:00 2001 From: Sergey Senozhatsky <senozhatsky(a)chromium.org> Date: Wed, 11 Sep 2024 11:54:56 +0900 Subject: [PATCH] zram: free secondary algorithms names We need to kfree() secondary algorithms names when reset zram device that had multi-streams, otherwise we leak memory. [senozhatsky(a)chromium.org: kfree(NULL) is legal] Link: https://lkml.kernel.org/r/20240917013021.868769-1-senozhatsky@chromium.org Link: https://lkml.kernel.org/r/20240911025600.3681789-1-senozhatsky@chromium.org Fixes: 001d92735701 ("zram: add recompression algorithm sysfs knob") Signed-off-by: Sergey Senozhatsky <senozhatsky(a)chromium.org> Cc: Minchan Kim <minchan(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c index 1f1bf175a6c3..0207a7fc0a97 100644 --- a/drivers/block/zram/zram_drv.c +++ b/drivers/block/zram/zram_drv.c @@ -2112,6 +2112,11 @@ static void zram_destroy_comps(struct zram *zram) zram->num_active_comps--; } + for (prio = ZRAM_SECONDARY_COMP; prio < ZRAM_MAX_COMPS; prio++) { + kfree(zram->comp_algs[prio]); + zram->comp_algs[prio] = NULL; + } + zram_comp_params_reset(zram); }

6 months, 3 weeks

2
2
0 0

FAILED: patch "[PATCH] zram: free secondary algorithms names" failed to apply to 6.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.10.y git checkout FETCH_HEAD git cherry-pick -x 684826f8271ad97580b138b9ffd462005e470b99 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024100723-covenant-chef-b766@gregkh' --subject-prefix 'PATCH 6.10.y' HEAD^.. Possible dependencies: 684826f8271a ("zram: free secondary algorithms names") f2bac7ad187d ("zram: introduce zcomp_params structure") 1d3100cf148d ("zram: add 842 compression backend support") 84112e314f69 ("zram: add zlib compression backend support") dbf2763cec21 ("zram: pass estimated src size hint to zstd") 73e7d81abbc8 ("zram: add zstd compression backend support") c60a4ef54446 ("zram: add lz4hc compression backend support") 22d651c3b339 ("zram: add lz4 compression backend support") 2152247c55b6 ("zram: add lzo and lzorle compression backends support") 917a59e81c34 ("zram: introduce custom comp backends API") 04cb7502a5d7 ("zsmalloc: use all available 24 bits of page_type") 43d746dc49bb ("mm/zsmalloc: use a proper page type") 8db00ad56461 ("mm: allow reuse of the lower 16 bit of the page type with an actual type") 6d21dde7adc0 ("mm: update _mapcount and page_type documentation") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 684826f8271ad97580b138b9ffd462005e470b99 Mon Sep 17 00:00:00 2001 From: Sergey Senozhatsky <senozhatsky(a)chromium.org> Date: Wed, 11 Sep 2024 11:54:56 +0900 Subject: [PATCH] zram: free secondary algorithms names We need to kfree() secondary algorithms names when reset zram device that had multi-streams, otherwise we leak memory. [senozhatsky(a)chromium.org: kfree(NULL) is legal] Link: https://lkml.kernel.org/r/20240917013021.868769-1-senozhatsky@chromium.org Link: https://lkml.kernel.org/r/20240911025600.3681789-1-senozhatsky@chromium.org Fixes: 001d92735701 ("zram: add recompression algorithm sysfs knob") Signed-off-by: Sergey Senozhatsky <senozhatsky(a)chromium.org> Cc: Minchan Kim <minchan(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c index 1f1bf175a6c3..0207a7fc0a97 100644 --- a/drivers/block/zram/zram_drv.c +++ b/drivers/block/zram/zram_drv.c @@ -2112,6 +2112,11 @@ static void zram_destroy_comps(struct zram *zram) zram->num_active_comps--; } + for (prio = ZRAM_SECONDARY_COMP; prio < ZRAM_MAX_COMPS; prio++) { + kfree(zram->comp_algs[prio]); + zram->comp_algs[prio] = NULL; + } + zram_comp_params_reset(zram); }

6 months, 3 weeks

2
2
0 0

[PATCH] sched: psi: fix bogus pressure spikes from aggregation race

by Yo-Jung (Leo) Lin

From: Johannes Weiner <hannes(a)cmpxchg.org> Brandon reports sporadic, non-sensical spikes in cumulative pressure time (total=) when reading cpu.pressure at a high rate. This is due to a race condition between reader aggregation and tasks changing states. While it affects all states and all resources captured by PSI, in practice it most likely triggers with CPU pressure, since scheduling events are so frequent compared to other resource events. The race context is the live snooping of ongoing stalls during a pressure read. The read aggregates per-cpu records for stalls that have concluded, but will also incorporate ad-hoc the duration of any active state that hasn't been recorded yet. This is important to get timely measurements of ongoing stalls. Those ad-hoc samples are calculated on-the-fly up to the current time on that CPU; since the stall hasn't concluded, it's expected that this is the minimum amount of stall time that will enter the per-cpu records once it does. The problem is that the path that concludes the state uses a CPU clock read that is not synchronized against aggregators; the clock is read outside of the seqlock protection. This allows aggregators to race and snoop a stall with a longer duration than will actually be recorded. With the recorded stall time being less than the last snapshot remembered by the aggregator, a subsequent sample will underflow and observe a bogus delta value, resulting in an erratic jump in pressure. Fix this by moving the clock read of the state change into the seqlock protection. This ensures no aggregation can snoop live stalls past the time that's recorded when the state concludes. Reported-by: Brandon Duffany <brandon(a)buildbuddy.io> Link: https://bugzilla.kernel.org/show_bug.cgi?id=219194 Link: https://lore.kernel.org/lkml/20240827121851.GB438928@cmpxchg.org/ Fixes: df77430639c9 ("psi: Reduce calls to sched_clock() in psi") Cc: stable(a)vger.kernel.org Signed-off-by: Johannes Weiner <hannes(a)cmpxchg.org> Reviewed-by: Chengming Zhou <chengming.zhou(a)linux.dev> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> --- kernel/sched/psi.c | 26 ++++++++++++-------------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c index 020d58967d4e..84dad1511d1e 100644 --- a/kernel/sched/psi.c +++ b/kernel/sched/psi.c @@ -769,12 +769,13 @@ static void record_times(struct psi_group_cpu *groupc, u64 now) } static void psi_group_change(struct psi_group *group, int cpu, - unsigned int clear, unsigned int set, u64 now, + unsigned int clear, unsigned int set, bool wake_clock) { struct psi_group_cpu *groupc; unsigned int t, m; u32 state_mask; + u64 now; lockdep_assert_rq_held(cpu_rq(cpu)); groupc = per_cpu_ptr(group->pcpu, cpu); @@ -789,6 +790,7 @@ static void psi_group_change(struct psi_group *group, int cpu, * SOME and FULL time these may have resulted in. */ write_seqcount_begin(&groupc->seq); + now = cpu_clock(cpu); /* * Start with TSK_ONCPU, which doesn't have a corresponding @@ -899,18 +901,15 @@ void psi_task_change(struct task_struct *task, int clear, int set) { int cpu = task_cpu(task); struct psi_group *group; - u64 now; if (!task->pid) return; psi_flags_change(task, clear, set); - now = cpu_clock(cpu); - group = task_psi_group(task); do { - psi_group_change(group, cpu, clear, set, now, true); + psi_group_change(group, cpu, clear, set, true); } while ((group = group->parent)); } @@ -919,7 +918,6 @@ void psi_task_switch(struct task_struct *prev, struct task_struct *next, { struct psi_group *group, *common = NULL; int cpu = task_cpu(prev); - u64 now = cpu_clock(cpu); if (next->pid) { psi_flags_change(next, 0, TSK_ONCPU); @@ -936,7 +934,7 @@ void psi_task_switch(struct task_struct *prev, struct task_struct *next, break; } - psi_group_change(group, cpu, 0, TSK_ONCPU, now, true); + psi_group_change(group, cpu, 0, TSK_ONCPU, true); } while ((group = group->parent)); } @@ -974,7 +972,7 @@ void psi_task_switch(struct task_struct *prev, struct task_struct *next, do { if (group == common) break; - psi_group_change(group, cpu, clear, set, now, wake_clock); + psi_group_change(group, cpu, clear, set, wake_clock); } while ((group = group->parent)); /* @@ -986,7 +984,7 @@ void psi_task_switch(struct task_struct *prev, struct task_struct *next, if ((prev->psi_flags ^ next->psi_flags) & ~TSK_ONCPU) { clear &= ~TSK_ONCPU; for (; group; group = group->parent) - psi_group_change(group, cpu, clear, set, now, wake_clock); + psi_group_change(group, cpu, clear, set, wake_clock); } } } @@ -997,8 +995,8 @@ void psi_account_irqtime(struct rq *rq, struct task_struct *curr, struct task_st int cpu = task_cpu(curr); struct psi_group *group; struct psi_group_cpu *groupc; - u64 now, irq; s64 delta; + u64 irq; if (static_branch_likely(&psi_disabled)) return; @@ -1011,7 +1009,6 @@ void psi_account_irqtime(struct rq *rq, struct task_struct *curr, struct task_st if (prev && task_psi_group(prev) == group) return; - now = cpu_clock(cpu); irq = irq_time_read(cpu); delta = (s64)(irq - rq->psi_irq_time); if (delta < 0) @@ -1019,12 +1016,15 @@ void psi_account_irqtime(struct rq *rq, struct task_struct *curr, struct task_st rq->psi_irq_time = irq; do { + u64 now; + if (!group->enabled) continue; groupc = per_cpu_ptr(group->pcpu, cpu); write_seqcount_begin(&groupc->seq); + now = cpu_clock(cpu); record_times(groupc, now); groupc->times[PSI_IRQ_FULL] += delta; @@ -1223,11 +1223,9 @@ void psi_cgroup_restart(struct psi_group *group) for_each_possible_cpu(cpu) { struct rq *rq = cpu_rq(cpu); struct rq_flags rf; - u64 now; rq_lock_irq(rq, &rf); - now = cpu_clock(cpu); - psi_group_change(group, cpu, 0, 0, now, true); + psi_group_change(group, cpu, 0, 0, true); rq_unlock_irq(rq, &rf); } } -- 2.43.0

6 months, 3 weeks

1
1
0 0

[PATCH v2 net 0/3] net: enetc: fix some issues of XDP

by Wei Fang

We found some bugs when testing the XDP function of enetc driver, and these bugs are easy to reproduce. This is not only causes XDP to not work, but also the network cannot be restored after exiting the XDP program. So the patch set is mainly to fix these bugs. For details, please see the commit message of each patch. --- v1 link: https://lore.kernel.org/bpf/20240919084104.661180-1-wei.fang@nxp.com/T/ --- Wei Fang (3): net: enetc: remove xdp_drops statistic from enetc_xdp_drop() net: enetc: fix the issues of XDP_REDIRECT feature net: enetc: disable IRQ after Rx and Tx BD rings are disabled drivers/net/ethernet/freescale/enetc/enetc.c | 50 +++++++++++++++----- drivers/net/ethernet/freescale/enetc/enetc.h | 1 + 2 files changed, 38 insertions(+), 13 deletions(-) -- 2.34.1

6 months, 3 weeks

2
8
0 0

[PATCH 6.1 00/63] 6.1.111-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.111 release. There are 63 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 18 Sep 2024 11:42:05 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.111-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.111-rc1 Arseniy Krasnov <avkrasnov(a)salutedevices.com> ASoC: meson: axg-card: fix 'use-after-free' Mika Westerberg <mika.westerberg(a)linux.intel.com> pinctrl: meteorlake: Add Arrow Lake-H/U ACPI ID Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> drm/i915/guc: prevent a possible int overflow in wq offsets Jinjie Ruan <ruanjinjie(a)huawei.com> spi: geni-qcom: Fix incorrect free_irq() sequence Jinjie Ruan <ruanjinjie(a)huawei.com> spi: geni-qcom: Undo runtime PM changes at driver exit time Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> spi: geni-qcom: Convert to platform remove callback returning void Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/atomfirmware: Silence UBSAN warning T.J. Mercier <tjmercier(a)google.com> dma-buf: heaps: Fix off-by-one in CMA heap fault handler Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> soundwire: stream: Revert "soundwire: stream: fix programming slave ports for non-continous port maps" Han Xu <han.xu(a)nxp.com> spi: nxp-fspi: fix the KASAN report out-of-bounds bug Sean Anderson <sean.anderson(a)linux.dev> net: dpaa: Pad packets to ETH_ZLEN Florian Westphal <fw(a)strlen.de> netfilter: nft_socket: make cgroupsv2 matching work with namespaces Florian Westphal <fw(a)strlen.de> netfilter: nft_socket: fix sk refcount leaks Jacky Chou <jacky_chou(a)aspeedtech.com> net: ftgmac100: Enable TX interrupt to avoid TX timeout Naveen Mamindlapalli <naveenm(a)marvell.com> octeontx2-af: Modify SMQ flush sequence to drop packets Naveen Mamindlapalli <naveenm(a)marvell.com> octeontx2-af: Set XOFF on other child transmit schedulers during SMQ flush Muhammad Usama Anjum <usama.anjum(a)collabora.com> fou: fix initialization of grc Benjamin Poirier <bpoirier(a)nvidia.com> net/mlx5: Fix bridge mode operations when there are no VFs Carolina Jubran <cjubran(a)nvidia.com> net/mlx5: Verify support for scheduling element and TSAR type Cosmin Ratiu <cratiu(a)nvidia.com> net/mlx5: Correct TASR typo into TSAR Carolina Jubran <cjubran(a)nvidia.com> net/mlx5: Add missing masks and QoS bit masks for scheduling elements Carolina Jubran <cjubran(a)nvidia.com> net/mlx5: Explicitly set scheduling element and TSAR type Shahar Shitrit <shshitrit(a)nvidia.com> net/mlx5e: Add missing link modes to ptys2ethtool_map Maher Sanalla <msanalla(a)nvidia.com> net/mlx5: Update the list of the PCI supported devices Sriram Yagnaraman <sriram.yagnaraman(a)est.tech> igb: Always call igb_xdp_ring_update_tail() under Tx lock Jacob Keller <jacob.e.keller(a)intel.com> ice: fix accounting for filters shared by multiple VSIs Patryk Biel <pbiel7(a)gmail.com> hwmon: (pmbus) Conditionally clear individual status bits for pmbus rev >= 1.2 Michal Luczaj <mhal(a)rbox.co> selftests/bpf: Support SOCK_STREAM in unix_inet_redir_to_connected() peng guo <engguopeng(a)buaa.edu.cn> cxl/core: Fix incorrect vendor debug UUID define Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> eeprom: digsy_mtc: Fix 93xx46 driver probe failure FUKAUMI Naoki <naoki(a)radxa.com> arm64: dts: rockchip: fix PMIC interrupt pin in pinctrl for ROCK Pi E Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Use kvfree to free memory allocated by kvmalloc Kunwu Chan <chentao(a)kylinos.cn> pmdomain: ti: Add a null pointer check to the omap_prm_domain_init Sean Anderson <sean.anderson(a)linux.dev> net: xilinx: axienet: Fix race in axienet_stop Linus Torvalds <torvalds(a)linux-foundation.org> mm: avoid leaving partial pfn mappings around in error case Mikulas Patocka <mpatocka(a)redhat.com> dm-integrity: fix a race condition when accessing recalc_sector Willem de Bruijn <willemb(a)google.com> net: tighten bad gso csum offset check in virtio_net_hdr Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> minmax: reduce min/max macro expansion in atomisp driver Quentin Schulz <quentin.schulz(a)cherry.de> arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399 Puma Quentin Schulz <quentin.schulz(a)cherry.de> arm64: dts: rockchip: fix eMMC/SPI corruption when audio has been used on RK3399 Puma Edward Adam Davis <eadavis(a)qq.com> mptcp: pm: Fix uaf in __timer_delete_sync Hans de Goede <hdegoede(a)redhat.com> platform/x86: panasonic-laptop: Allocate 1 entry extra in the sinf array Hans de Goede <hdegoede(a)redhat.com> platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: Avoid unnecessary rescanning of the per-server delegation list Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Fix clearing of layout segments in layoutreturn ChenXiaoSong <chenxiaosong(a)kylinos.cn> smb/server: fix return value of smb2_open() Takashi Iwai <tiwai(a)suse.de> Input: i8042 - add Fujitsu Lifebook E756 to i8042 quirk table Rob Clark <robdclark(a)chromium.org> drm/msm/adreno: Fix error return if missing firmware-name Maximilian Luz <luzmaximilian(a)gmail.com> platform/surface: aggregator_registry: Add support for Surface Laptop Go 3 Maximilian Luz <luzmaximilian(a)gmail.com> platform/surface: aggregator_registry: Add Support for Surface Pro 10 Anders Roxell <anders.roxell(a)linaro.org> scripts: kconfig: merge_config: config files: add a trailing newline Dmitry Savin <envelsavinds(a)gmail.com> HID: multitouch: Add support for GT7868Q Jonathan Denose <jdenose(a)google.com> Input: synaptics - enable SMBus for HP Elitebook 840 G2 Marek Vasut <marex(a)denx.de> Input: ads7846 - ratelimit the spi_sync error message Jeff Layton <jlayton(a)kernel.org> btrfs: update target inode's ctime on unlink Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/mm: Fix boot warning with hugepages and CONFIG_DEBUG_VIRTUAL Pawel Dembicki <paweldembicki(a)gmail.com> net: phy: vitesse: repair vsc73xx autonegotiation Bouke Sybren Haarsma <boukehaarsma23(a)gmail.com> drm: panel-orientation-quirks: Add quirk for Ayn Loki Max Bouke Sybren Haarsma <boukehaarsma23(a)gmail.com> drm: panel-orientation-quirks: Add quirk for Ayn Loki Zero Moon Yeounsu <yyyynoom(a)gmail.com> net: ethernet: use ip_hdrlen() instead of bit shift Foster Snowhill <forst(a)pen.gy> usbnet: ipheth: fix carrier detection in modes 1 and 4 Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: override fsids for smb2_query_info() Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: override fsids for share path check ------------- Diffstat: Makefile | 4 +- arch/arm64/boot/dts/rockchip/rk3328-rock-pi-e.dts | 2 +- arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 36 ++++- arch/powerpc/kernel/setup-common.c | 1 + arch/powerpc/mm/mem.c | 2 - drivers/cxl/cxlmem.h | 2 +- drivers/dma-buf/heaps/cma_heap.c | 2 +- drivers/gpu/drm/amd/include/atomfirmware.h | 4 +- drivers/gpu/drm/drm_panel_orientation_quirks.c | 12 ++ drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 4 +- drivers/gpu/drm/msm/adreno/adreno_gpu.c | 2 +- drivers/hid/hid-ids.h | 2 + drivers/hid/hid-multitouch.c | 33 ++++ drivers/hwmon/pmbus/pmbus.h | 6 + drivers/hwmon/pmbus/pmbus_core.c | 17 +- drivers/input/mouse/synaptics.c | 1 + drivers/input/serio/i8042-acpipnpio.h | 9 ++ drivers/input/touchscreen/ads7846.c | 2 +- drivers/md/dm-integrity.c | 4 +- drivers/misc/eeprom/digsy_mtc_eeprom.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.h | 2 +- drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 9 +- drivers/net/ethernet/intel/ice/ice_switch.c | 2 +- drivers/net/ethernet/intel/igb/igb_main.c | 17 +- drivers/net/ethernet/jme.c | 10 +- drivers/net/ethernet/marvell/octeontx2/af/rvu.h | 15 ++ .../net/ethernet/marvell/octeontx2/af/rvu_nix.c | 177 ++++++++++++++++++++- .../net/ethernet/mellanox/mlx5/core/en_ethtool.c | 4 + .../net/ethernet/mellanox/mlx5/core/esw/legacy.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c | 51 +++--- drivers/net/ethernet/mellanox/mlx5/core/main.c | 1 + drivers/net/ethernet/mellanox/mlx5/core/qos.c | 7 + drivers/net/ethernet/xilinx/xilinx_axienet.h | 3 + drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 8 + drivers/net/phy/vitesse.c | 14 -- drivers/net/usb/ipheth.c | 5 +- drivers/pinctrl/intel/pinctrl-meteorlake.c | 1 + .../platform/surface/surface_aggregator_registry.c | 8 +- drivers/platform/x86/panasonic-laptop.c | 58 +++++-- drivers/soc/ti/omap_prm.c | 2 + drivers/soundwire/stream.c | 8 +- drivers/spi/spi-geni-qcom.c | 22 ++- drivers/spi/spi-nxp-fspi.c | 5 +- drivers/staging/media/atomisp/pci/sh_css_frac.h | 26 ++- fs/btrfs/inode.c | 1 + fs/nfs/delegation.c | 15 +- fs/nfs/nfs4proc.c | 9 +- fs/nfs/pnfs.c | 5 +- fs/ntfs3/attrlist.c | 4 +- fs/ntfs3/bitmap.c | 4 +- fs/ntfs3/frecord.c | 4 +- fs/ntfs3/super.c | 2 +- fs/smb/server/mgmt/share_config.c | 15 +- fs/smb/server/mgmt/share_config.h | 4 +- fs/smb/server/mgmt/tree_connect.c | 9 +- fs/smb/server/mgmt/tree_connect.h | 4 +- fs/smb/server/smb2pdu.c | 11 +- fs/smb/server/smb_common.c | 9 +- fs/smb/server/smb_common.h | 2 + include/linux/mlx5/mlx5_ifc.h | 12 +- include/linux/virtio_net.h | 3 +- mm/memory.c | 27 +++- net/ipv4/fou.c | 4 +- net/mptcp/pm_netlink.c | 13 +- net/netfilter/nft_socket.c | 48 +++++- scripts/kconfig/merge_config.sh | 2 + sound/soc/meson/axg-card.c | 3 +- .../selftests/bpf/prog_tests/sockmap_listen.c | 3 +- 68 files changed, 642 insertions(+), 177 deletions(-)

6 months, 3 weeks

11
77
0 0

[tip: x86/urgent] x86/entry_32: Do not clobber user EFLAGS.ZF

by tip-bot2 for Pawan Gupta

The following commit has been merged into the x86/urgent branch of tip: Commit-ID: 2e2e5143d4868163d6756c8c6a4d28cbfa5245e5 Gitweb: https://git.kernel.org/tip/2e2e5143d4868163d6756c8c6a4d28cbfa5245e5 Author: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> AuthorDate: Wed, 25 Sep 2024 15:25:38 -07:00 Committer: Dave Hansen <dave.hansen(a)linux.intel.com> CommitterDate: Tue, 08 Oct 2024 15:16:28 -07:00 x86/entry_32: Do not clobber user EFLAGS.ZF Opportunistic SYSEXIT executes VERW to clear CPU buffers after user EFLAGS are restored. This can clobber user EFLAGS.ZF. Move CLEAR_CPU_BUFFERS before the user EFLAGS are restored. This ensures that the user EFLAGS.ZF is not clobbered. Closes: https://lore.kernel.org/lkml/yVXwe8gvgmPADpRB6lXlicS2fcHoV5OHHxyuFbB_MEleRP… Fixes: a0e2dab44d22 ("x86/entry_32: Add VERW just before userspace transition") Reported-by: Jari Ruusu <jariruusu(a)protonmail.com> Signed-off-by: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Cc:stable@vger.kernel.org Link: https://lore.kernel.org/all/20240925-fix-dosemu-vm86-v7-1-1de0daca2d42%40li… --- arch/x86/entry/entry_32.S | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/entry/entry_32.S b/arch/x86/entry/entry_32.S index d3a814e..9ad6cd8 100644 --- a/arch/x86/entry/entry_32.S +++ b/arch/x86/entry/entry_32.S @@ -871,6 +871,8 @@ SYM_FUNC_START(entry_SYSENTER_32) /* Now ready to switch the cr3 */ SWITCH_TO_USER_CR3 scratch_reg=%eax + /* Clobbers ZF */ + CLEAR_CPU_BUFFERS /* * Restore all flags except IF. (We restore IF separately because @@ -881,7 +883,6 @@ SYM_FUNC_START(entry_SYSENTER_32) BUG_IF_WRONG_CR3 no_user_check=1 popfl popl %eax - CLEAR_CPU_BUFFERS /* * Return back to the vDSO, which will pop ecx and edx.

6 months, 3 weeks

1
0
0 0

[tip: x86/urgent] x86/entry_32: Clear CPU buffers after register restore in NMI return

by tip-bot2 for Pawan Gupta

The following commit has been merged into the x86/urgent branch of tip: Commit-ID: 48a2440d0f20c826b884e04377ccc1e4696c84e9 Gitweb: https://git.kernel.org/tip/48a2440d0f20c826b884e04377ccc1e4696c84e9 Author: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> AuthorDate: Wed, 25 Sep 2024 15:25:44 -07:00 Committer: Dave Hansen <dave.hansen(a)linux.intel.com> CommitterDate: Tue, 08 Oct 2024 15:16:28 -07:00 x86/entry_32: Clear CPU buffers after register restore in NMI return CPU buffers are currently cleared after call to exc_nmi, but before register state is restored. This may be okay for MDS mitigation but not for RDFS. Because RDFS mitigation requires CPU buffers to be cleared when registers don't have any sensitive data. Move CLEAR_CPU_BUFFERS after RESTORE_ALL_NMI. Fixes: a0e2dab44d22 ("x86/entry_32: Add VERW just before userspace transition") Suggested-by: Dave Hansen <dave.hansen(a)linux.intel.com> Signed-off-by: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Cc:stable@vger.kernel.org Link: https://lore.kernel.org/all/20240925-fix-dosemu-vm86-v7-2-1de0daca2d42%40li… --- arch/x86/entry/entry_32.S | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/entry/entry_32.S b/arch/x86/entry/entry_32.S index 9ad6cd8..20be575 100644 --- a/arch/x86/entry/entry_32.S +++ b/arch/x86/entry/entry_32.S @@ -1145,7 +1145,6 @@ SYM_CODE_START(asm_exc_nmi) /* Not on SYSENTER stack. */ call exc_nmi - CLEAR_CPU_BUFFERS jmp .Lnmi_return .Lnmi_from_sysenter_stack: @@ -1166,6 +1165,7 @@ SYM_CODE_START(asm_exc_nmi) CHECK_AND_APPLY_ESPFIX RESTORE_ALL_NMI cr3_reg=%edi pop=4 + CLEAR_CPU_BUFFERS jmp .Lirq_return #ifdef CONFIG_X86_ESPFIX32 @@ -1207,6 +1207,7 @@ SYM_CODE_START(asm_exc_nmi) * 1 - orig_ax */ lss (1+5+6)*4(%esp), %esp # back to espfix stack + CLEAR_CPU_BUFFERS jmp .Lirq_return #endif SYM_CODE_END(asm_exc_nmi)

6 months, 3 weeks

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror October 2024