November 2024 - Linux-stable-mirror

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.63 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm/kernel/head.S | 8 arch/arm/mm/mmu.c | 34 +- arch/arm64/include/asm/mman.h | 10 arch/loongarch/include/asm/kasan.h | 2 arch/loongarch/kernel/smp.c | 2 arch/loongarch/mm/kasan_init.c | 41 ++- arch/parisc/include/asm/mman.h | 5 arch/x86/kvm/lapic.c | 29 +- arch/x86/kvm/vmx/nested.c | 30 +- arch/x86/kvm/vmx/vmx.c | 6 arch/x86/mm/ioremap.c | 6 drivers/bluetooth/btintel.c | 5 drivers/gpu/drm/amd/amdgpu/nbio_v7_7.c | 6 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 2 drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c | 7 drivers/gpu/drm/bridge/tc358768.c | 21 + drivers/gpu/drm/nouveau/nvkm/falcon/fw.c | 11 drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 8 drivers/infiniband/core/addr.c | 2 drivers/leds/leds-mlxreg.c | 16 - drivers/media/dvb-core/dvbdev.c | 15 - drivers/mmc/host/dw_mmc.c | 4 drivers/mmc/host/sunxi-mmc.c | 6 drivers/net/bonding/bond_main.c | 16 + drivers/net/bonding/bond_options.c | 82 ++++++ drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_tx.c | 8 drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 15 - drivers/net/ethernet/stmicro/stmmac/dwmac-intel-plat.c | 40 +-- drivers/net/ethernet/stmicro/stmmac/dwmac-mediatek.c | 4 drivers/net/ethernet/stmicro/stmmac/dwmac-visconti.c | 18 - drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c | 23 - drivers/net/ethernet/stmicro/stmmac/stmmac_platform.h | 1 drivers/net/ethernet/ti/icssg/icssg_prueth.c | 13 - drivers/net/ethernet/ti/icssg/icssg_prueth.h | 12 drivers/net/ethernet/vertexcom/mse102x.c | 4 drivers/pmdomain/imx/imx93-blk-ctrl.c | 4 drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c | 25 - drivers/vdpa/mlx5/core/mr.c | 8 drivers/vdpa/solidrun/snet_main.c | 14 - drivers/vdpa/virtio_pci/vp_vdpa.c | 10 fs/9p/vfs_inode.c | 17 - fs/nfsd/netns.h | 1 fs/nfsd/nfs4proc.c | 34 +- fs/nfsd/nfs4state.c | 1 fs/nfsd/xdr4.h | 1 fs/nilfs2/btnode.c | 2 fs/nilfs2/gcinode.c | 4 fs/nilfs2/mdt.c | 1 fs/nilfs2/page.c | 2 fs/ocfs2/resize.c | 2 fs/ocfs2/super.c | 13 - include/linux/damon.h | 17 + include/linux/mman.h | 28 +- include/linux/sockptr.h | 4 include/net/bond_options.h | 2 lib/buildid.c | 2 mm/damon/core.c | 84 +++++- mm/damon/dbgfs.c | 3 mm/damon/lru_sort.c | 2 mm/damon/reclaim.c | 2 mm/damon/sysfs-schemes.c | 2 mm/internal.h | 45 +++ mm/mmap.c | 128 +++++----- mm/mprotect.c | 2 mm/nommu.c | 11 mm/page_alloc.c | 3 mm/shmem.c | 5 net/bluetooth/hci_core.c | 2 net/mptcp/pm_netlink.c | 15 - net/mptcp/pm_userspace.c | 77 +++--- net/mptcp/protocol.c | 16 - net/netlink/af_netlink.c | 31 -- net/netlink/af_netlink.h | 2 net/sched/cls_u32.c | 54 ++-- net/sctp/ipv6.c | 19 + net/vmw_vsock/virtio_transport_common.c | 8 samples/pktgen/pktgen_sample01_simple.sh | 2 security/integrity/ima/ima_template_lib.c | 14 - sound/pci/hda/patch_realtek.c | 3 tools/mm/page-types.c | 2 83 files changed, 819 insertions(+), 424 deletions(-) Alexandre Ferrieux (1): net: sched: cls_u32: Fix u32's systematic failure to free IDR entries for hnodes. Andre Przywara (1): mmc: sunxi-mmc: Fix A100 compatible description Andrew Morton (1): mm: revert "mm: shmem: fix data-race in shmem_getattr()" Andy Yan (1): drm/rockchip: vop: Fix a dereferenced before check warning Aurelien Jarno (1): Revert "mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K" Baoquan He (1): x86/mm: Fix a kdump kernel failure on SME system when CONFIG_IMA_KEXEC=y Chuck Lever (4): NFSD: Async COPY result needs to return a write verifier NFSD: Limit the number of concurrent async COPY operations NFSD: Initialize struct nfsd4_copy earlier NFSD: Never decrement pending_async_copies on error Dai Ngo (1): NFSD: initialize copy->cp_clp early in nfsd4_copy for use by trace point Dave Airlie (1): nouveau: fw: sync dma after setup is called. Dmitry Antipov (2): ocfs2: uncache inode which has failed entering the group ocfs2: fix UBSAN warning in ocfs2_verify_volume() Dragos Tatulea (1): net/mlx5e: kTLS, Fix incorrect page refcounting Eric Dumazet (1): sctp: fix possible UAF in sctp_v6_available() Eric Van Hensbergen (1): fs/9p: fix uninitialized values during inode evict Francesco Dolcini (1): drm/bridge: tc358768: Fix DSI command tx Geliang Tang (5): mptcp: define more local variables sk mptcp: add userspace_pm_lookup_addr_by_id helper mptcp: update local address flags when setting it mptcp: hold pm lock when deleting entry mptcp: drop lookup_by_id in lookup_addr George Stark (1): leds: mlxreg: Use devm_mutex_init() for mutex initialization Greg Kroah-Hartman (1): Linux 6.6.63 Hajime Tazaki (1): nommu: pass NULL argument to vma_iter_prealloc() Hangbin Liu (1): bonding: add ns target multicast address to slave device Harith G (1): ARM: 9419/1: mm: Fix kernel memory mapping for xip kernels Huacai Chen (3): LoongArch: Fix early_numa_add_cpu() usage for FDT systems LoongArch: Disable KASAN if PGDIR_SIZE is too large for cpu_vabits LoongArch: Make KASAN work with 5-level page-tables Jakub Kicinski (1): netlink: terminate outstanding dump on socket close Jinjiang Tu (1): mm: fix NULL pointer dereference in alloc_pages_bulk_noprof Jiri Olsa (1): lib/buildid: Fix build ID parsing logic Jisheng Zhang (3): net: stmmac: dwmac-intel-plat: use devm_stmmac_probe_config_dt() net: stmmac: dwmac-visconti: use devm_stmmac_probe_config_dt() net: stmmac: rename stmmac_pltfr_remove_no_dt to stmmac_pltfr_remove Kailang Yang (1): ALSA: hda/realtek - Fixed Clevo platform headset Mic issue Kiran K (1): Bluetooth: btintel: Direct exception event to bluetooth stack Leon Romanovsky (1): Revert "RDMA/core: Fix ENODEV error for iWARP test over vlan" Lorenzo Stoakes (5): mm: avoid unsafe VMA hook invocation when error arises on mmap hook mm: unconditionally close VMAs on error mm: refactor map_deny_write_exec() mm: refactor arch_calc_vm_flag_bits() and arm64 MTE handling mm: resolve faulty mmap_region() error path behaviour Luiz Augusto von Dentz (1): Bluetooth: hci_core: Fix calling mgmt_device_connected Maksym Glubokiy (1): ALSA: hda/realtek: fix mute/micmute LEDs for a HP EliteBook 645 G10 Mark Bloch (1): net/mlx5: fs, lock FTE when checking if active Matthieu Baerts (NGI0) (1): mptcp: pm: use _rcu variant under rcu_read_lock Mauro Carvalho Chehab (1): media: dvbdev: fix the logic when DVB_DYNAMIC_MINORS is not set Meghana Malladi (1): net: ti: icssg-prueth: Fix 1 PPS sync Michal Luczaj (2): virtio/vsock: Fix accept_queue memory leak net: Make copy_safe_from_sockptr() match documentation Moshe Shemesh (1): net/mlx5e: CT: Fix null-ptr-deref in add rule err flow Motiejus JakÅ`tys (1): tools/mm: fix compile error Nícolas F. R. A. Prado (1): net: stmmac: dwmac-mediatek: Fix inverted handling of mediatek,mac-wol Paolo Abeni (2): mptcp: error out earlier on disconnect mptcp: cope racing subflow creation in mptcp_rcv_space_adjust Pedro Tammela (1): net/sched: cls_u32: replace int refcounts with proper refcounts Peng Fan (1): pmdomain: imx93-blk-ctrl: correct remove path Philipp Stanner (1): vdpa: solidrun: Fix UB bug with devres Rodrigo Siqueira (1): drm/amd/display: Adjust VSDB parser for replay feature Ryusuke Konishi (2): nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint Samasth Norway Ananda (1): ima: fix buffer overrun in ima_eventdigest_init_common Sean Christopherson (3): KVM: nVMX: Treat vpid01 as current if L2 is active, but with VPID disabled KVM: x86: Unconditionally set irr_pending when updating APICv state KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN SeongJae Park (5): mm/damon/core: implement scheme-specific apply interval mm/damon/core: handle zero {aggregation,ops_update} intervals mm/damon/core: check apply interval in damon_do_apply_schemes() mm/damon/core: handle zero schemes apply interval mm/damon/core: copy nr_accesses when splitting region Si-Wei Liu (1): vdpa/mlx5: Fix PA offset with unaligned starting iotlb map Stefan Wahren (2): net: vertexcom: mse102x: Fix tx_bytes calculation staging: vchiq_arm: Get the rid off struct vchiq_2835_state Tvrtko Ursulin (1): drm/amd/pm: Vangogh: Fix kernel memory out of bounds write Umang Jain (1): staging: vchiq_arm: Use devm_kzalloc() for vchiq_arm_state allocation Vijendar Mukunda (1): drm/amd: Fix initialization mistake for NBIO 7.7.0 Vitalii Mordan (1): stmmac: dwmac-intel-plat: fix call balance of tx_clk handling routines Wei Fang (1): samples: pktgen: correct dev to DEV William Tu (1): net/mlx5e: clear xdp features on non-uplink representors Xiaoguang Wang (1): vp_vdpa: fix id_table array not null terminated error

1 month, 2 weeks

1
1
0 0

Linux 6.1.119

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.119 kernel. All users of the 6.1 kernel series must upgrade. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm/kernel/head.S | 8 arch/arm/mm/mmu.c | 34 +- arch/arm64/include/asm/mman.h | 10 arch/parisc/Kconfig | 1 arch/parisc/include/asm/cache.h | 11 arch/x86/kvm/lapic.c | 29 + arch/x86/kvm/vmx/nested.c | 30 + arch/x86/kvm/vmx/vmx.c | 6 arch/x86/mm/ioremap.c | 6 drivers/block/null_blk/main.c | 45 +- drivers/char/xillybus/xillybus_class.c | 7 drivers/char/xillybus/xillyusb.c | 22 + drivers/cxl/core/pci.c | 2 drivers/gpu/drm/amd/amdgpu/nbio_v7_7.c | 6 drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c | 3 drivers/gpu/drm/bridge/tc358768.c | 21 + drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 8 drivers/media/dvb-core/dvbdev.c | 15 drivers/mmc/host/dw_mmc.c | 4 drivers/mmc/host/sunxi-mmc.c | 6 drivers/net/bonding/bond_main.c | 16 drivers/net/bonding/bond_options.c | 82 ++++- drivers/net/ethernet/freescale/fec_main.c | 26 - drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_tx.c | 8 drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 15 drivers/net/ethernet/vertexcom/mse102x.c | 4 drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c | 25 - drivers/vdpa/mlx5/core/mr.c | 8 drivers/vdpa/virtio_pci/vp_vdpa.c | 10 fs/9p/vfs_inode.c | 23 - fs/nfsd/netns.h | 1 fs/nfsd/nfs4proc.c | 34 -- fs/nfsd/nfs4state.c | 1 fs/nfsd/xdr4.h | 1 fs/nilfs2/btnode.c | 2 fs/nilfs2/gcinode.c | 4 fs/nilfs2/mdt.c | 1 fs/nilfs2/page.c | 2 fs/ntfs3/file.c | 12 fs/ocfs2/resize.c | 2 fs/ocfs2/super.c | 13 fs/smb/server/smb2misc.c | 26 + fs/smb/server/smb2pdu.c | 48 +- include/linux/mman.h | 7 include/linux/sockptr.h | 27 + include/net/bond_options.h | 2 lib/buildid.c | 2 mm/internal.h | 19 + mm/mmap.c | 120 +++---- mm/nommu.c | 9 mm/page_alloc.c | 3 mm/shmem.c | 5 mm/util.c | 33 ++ net/bluetooth/hci_core.c | 2 net/bluetooth/hci_event.c | 163 ---------- net/bluetooth/iso.c | 32 - net/mptcp/pm_netlink.c | 15 net/mptcp/pm_userspace.c | 77 +++- net/mptcp/protocol.c | 16 net/netfilter/ipvs/ip_vs_ctl.c | 10 net/netlink/af_netlink.c | 31 - net/netlink/af_netlink.h | 2 net/nfc/llcp_sock.c | 12 net/sched/cls_u32.c | 54 +-- net/sched/sch_taprio.c | 10 net/vmw_vsock/virtio_transport_common.c | 8 samples/pktgen/pktgen_sample01_simple.sh | 2 security/integrity/ima/ima_template_lib.c | 14 sound/pci/hda/patch_realtek.c | 3 tools/testing/selftests/tc-testing/tc-tests/qdiscs/taprio.json | 22 + 72 files changed, 759 insertions(+), 583 deletions(-) Alexandre Ferrieux (1): net: sched: cls_u32: Fix u32's systematic failure to free IDR entries for hnodes. Andre Przywara (1): mmc: sunxi-mmc: Fix A100 compatible description Andrew Morton (1): mm: revert "mm: shmem: fix data-race in shmem_getattr()" Andy Yan (1): drm/rockchip: vop: Fix a dereferenced before check warning Aurelien Jarno (1): Revert "mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K" Baoquan He (1): x86/mm: Fix a kdump kernel failure on SME system when CONFIG_IMA_KEXEC=y Chen Hanxiao (1): ipvs: properly dereference pe in ip_vs_add_service Christophe JAILLET (1): null_blk: Remove usage of the deprecated ida_simple_xx() API Chuck Lever (4): NFSD: Async COPY result needs to return a write verifier NFSD: Limit the number of concurrent async COPY operations NFSD: Initialize struct nfsd4_copy earlier NFSD: Never decrement pending_async_copies on error Dai Ngo (1): NFSD: initialize copy->cp_clp early in nfsd4_copy for use by trace point Damien Le Moal (1): null_blk: Fix return value of nullb_device_power_store() Dan Carpenter (1): cxl/pci: fix error code in __cxl_hdm_decode_init() Dmitry Antipov (2): ocfs2: uncache inode which has failed entering the group ocfs2: fix UBSAN warning in ocfs2_verify_volume() Dragos Tatulea (1): net/mlx5e: kTLS, Fix incorrect page refcounting Eli Billauer (2): char: xillybus: Prevent use-after-free due to race condition char: xillybus: Fix trivial bug with mutex Eric Dumazet (2): net: add copy_safe_from_sockptr() helper nfc: llcp: fix nfc_llcp_setsockopt() unsafe copies Eric Van Hensbergen (1): fs/9p: fix uninitialized values during inode evict Francesco Dolcini (1): drm/bridge: tc358768: Fix DSI command tx Geliang Tang (5): mptcp: define more local variables sk mptcp: add userspace_pm_lookup_addr_by_id helper mptcp: update local address flags when setting it mptcp: hold pm lock when deleting entry mptcp: drop lookup_by_id in lookup_addr Greg Kroah-Hartman (1): Linux 6.1.119 Hangbin Liu (1): bonding: add ns target multicast address to slave device Harith G (1): ARM: 9419/1: mm: Fix kernel memory mapping for xip kernels Jakub Kicinski (1): netlink: terminate outstanding dump on socket close Jinjiang Tu (1): mm: fix NULL pointer dereference in alloc_pages_bulk_noprof Jiri Olsa (1): lib/buildid: Fix build ID parsing logic Kailang Yang (1): ALSA: hda/realtek - Fixed Clevo platform headset Mic issue Konstantin Komarov (1): fs/ntfs3: Additional check in ntfs_file_release Lin.Cao (1): drm/amd: check num of link levels when update pcie param Lorenzo Stoakes (4): mm: avoid unsafe VMA hook invocation when error arises on mmap hook mm: unconditionally close VMAs on error mm: refactor arch_calc_vm_flag_bits() and arm64 MTE handling mm: resolve faulty mmap_region() error path behaviour Luiz Augusto von Dentz (2): Bluetooth: hci_core: Fix calling mgmt_device_connected Bluetooth: ISO: Fix not validating setsockopt user input Lukas Bulwahn (1): Bluetooth: hci_event: Remove code to removed CONFIG_BT_HS Maksym Glubokiy (1): ALSA: hda/realtek: fix mute/micmute LEDs for a HP EliteBook 645 G10 Mark Bloch (1): net/mlx5: fs, lock FTE when checking if active Matthieu Baerts (NGI0) (1): mptcp: pm: use _rcu variant under rcu_read_lock Mauro Carvalho Chehab (1): media: dvbdev: fix the logic when DVB_DYNAMIC_MINORS is not set Michal Luczaj (2): virtio/vsock: Fix accept_queue memory leak net: Make copy_safe_from_sockptr() match documentation Mikulas Patocka (1): parisc: fix a possible DMA corruption Moshe Shemesh (1): net/mlx5e: CT: Fix null-ptr-deref in add rule err flow Namjae Jeon (2): ksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16() ksmbd: fix potencial out-of-bounds when buffer offset is invalid Paolo Abeni (2): mptcp: error out earlier on disconnect mptcp: cope racing subflow creation in mptcp_rcv_space_adjust Pedro Tammela (1): net/sched: cls_u32: replace int refcounts with proper refcounts Ryusuke Konishi (2): nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint Samasth Norway Ananda (1): ima: fix buffer overrun in ima_eventdigest_init_common Sean Christopherson (3): KVM: nVMX: Treat vpid01 as current if L2 is active, but with VPID disabled KVM: x86: Unconditionally set irr_pending when updating APICv state KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN Si-Wei Liu (1): vdpa/mlx5: Fix PA offset with unaligned starting iotlb map Stefan Wahren (2): net: vertexcom: mse102x: Fix tx_bytes calculation staging: vchiq_arm: Get the rid off struct vchiq_2835_state Umang Jain (1): staging: vchiq_arm: Use devm_kzalloc() for vchiq_arm_state allocation Vijendar Mukunda (1): drm/amd: Fix initialization mistake for NBIO 7.7.0 Vladimir Oltean (1): net/sched: taprio: extend minimum interval restriction to entire cycle too Wei Fang (2): samples: pktgen: correct dev to DEV net: fec: remove .ndo_poll_controller to avoid deadlocks Xiaoguang Wang (1): vp_vdpa: fix id_table array not null terminated error Yu Kuai (1): null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'

1 month, 2 weeks

1
1
0 0

Linux 6.12.1

by Greg Kroah-Hartman

I'm announcing the release of the 6.12.1 kernel. All users of the 6.12 kernel series must upgrade. The updated 6.12.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.12.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 +- drivers/media/usb/uvc/uvc_driver.c | 2 +- mm/mmap.c | 13 ++++++++++++- net/vmw_vsock/hyperv_transport.c | 1 + 4 files changed, 15 insertions(+), 3 deletions(-) Benoit Sevens (1): media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format Greg Kroah-Hartman (1): Linux 6.12.1 Hyunwoo Kim (1): hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer Liam R. Howlett (1): mm/mmap: fix __mmap_region() error handling in rare merge failure case

1 month, 2 weeks

1
1
0 0

[PATCH stable 5.15/5.10 0/2] rcu-tasks: Idle tasks on offline CPUs are in quiescent states

by Krister Johansen

Paul, Neeraj, and Stable Team: I've run into a case with rcu_tasks_postscan where the warning introduced as part of 46aa886c4("rcu-tasks: Fix IPI failure handling in trc_wait_for_one_reader") is getting triggered when trc_wait_for_one_reader sends an IPI to a CPU that is offline. This is occurring on a platform that has hotplug slots available but not populated. I don't believe the bug is caused by this change, but I do think that Paul's commit that confines the postscan operation to just the active CPUs would help prevent this from happening. Would the RCU maintainers be amenable to having this patch backported to the 5.10 and 5.15 branches as well? I've attached cherry-picks of the relevant commits to minimize the additional work needed. Thanks, -K Paul E. McKenney (1): rcu-tasks: Idle tasks on offline CPUs are in quiescent states kernel/rcu/tasks.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.25.1

1 month, 2 weeks

2
4
0 0

[PATCH 6.1] net: fix crash when config small gso_max_size/gso_ipv4_max_size

by Bin Lan

From: Wang Liang <wangliang74(a)huawei.com> [ Upstream commit 9ab5cf19fb0e4680f95e506d6c544259bf1111c4 ] Config a small gso_max_size/gso_ipv4_max_size will lead to an underflow in sk_dst_gso_max_size(), which may trigger a BUG_ON crash, because sk->sk_gso_max_size would be much bigger than device limits. Call Trace: tcp_write_xmit tso_segs = tcp_init_tso_segs(skb, mss_now); tcp_set_skb_tso_segs tcp_skb_pcount_set // skb->len = 524288, mss_now = 8 // u16 tso_segs = 524288/8 = 65535 -> 0 tso_segs = DIV_ROUND_UP(skb->len, mss_now) BUG_ON(!tso_segs) Add check for the minimum value of gso_max_size and gso_ipv4_max_size. Fixes: 46e6b992c250 ("rtnetlink: allow GSO maximums to be set on device creation") Fixes: 9eefedd58ae1 ("net: add gso_ipv4_max_size and gro_ipv4_max_size per device") Signed-off-by: Wang Liang <wangliang74(a)huawei.com> Reviewed-by: Eric Dumazet <edumazet(a)google.com> Link: https://patch.msgid.link/20241023035213.517386-1-wangliang74@huawei.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> [ Resolve minor conflicts to fix CVE-2024-50258 ] Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> --- net/core/rtnetlink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c index afb52254a47e..45c54fb9ad03 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -1939,7 +1939,7 @@ static const struct nla_policy ifla_policy[IFLA_MAX+1] = { [IFLA_NUM_TX_QUEUES] = { .type = NLA_U32 }, [IFLA_NUM_RX_QUEUES] = { .type = NLA_U32 }, [IFLA_GSO_MAX_SEGS] = { .type = NLA_U32 }, - [IFLA_GSO_MAX_SIZE] = { .type = NLA_U32 }, + [IFLA_GSO_MAX_SIZE] = NLA_POLICY_MIN(NLA_U32, MAX_TCP_HEADER + 1), [IFLA_PHYS_PORT_ID] = { .type = NLA_BINARY, .len = MAX_PHYS_ITEM_ID_LEN }, [IFLA_CARRIER_CHANGES] = { .type = NLA_U32 }, /* ignored */ [IFLA_PHYS_SWITCH_ID] = { .type = NLA_BINARY, .len = MAX_PHYS_ITEM_ID_LEN }, -- 2.43.0

1 month, 2 weeks

2
1
0 0

[PATCH 6.1] serial: sc16is7xx: fix invalid FIFO access with special register set

by Bin Lan

From: Hugo Villeneuve <hvilleneuve(a)dimonoff.com> [ Upstream commit 7d3b793faaab1305994ce568b59d61927235f57b ] When enabling access to the special register set, Receiver time-out and RHR interrupts can happen. In this case, the IRQ handler will try to read from the FIFO thru the RHR register at address 0x00, but address 0x00 is mapped to DLL register, resulting in erroneous FIFO reading. Call graph example: sc16is7xx_startup(): entry sc16is7xx_ms_proc(): entry sc16is7xx_set_termios(): entry sc16is7xx_set_baud(): DLH/DLL = $009C --> access special register set sc16is7xx_port_irq() entry --> IIR is 0x0C sc16is7xx_handle_rx() entry sc16is7xx_fifo_read(): --> unable to access FIFO (RHR) because it is mapped to DLL (LCR=LCR_CONF_MODE_A) sc16is7xx_set_baud(): exit --> Restore access to general register set Fix the problem by claiming the efr_lock mutex when accessing the Special register set. Fixes: dfeae619d781 ("serial: sc16is7xx") Cc: stable(a)vger.kernel.org Signed-off-by: Hugo Villeneuve <hvilleneuve(a)dimonoff.com> Link: https://lore.kernel.org/r/20240723125302.1305372-3-hugo@hugovil.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> [ Resolve minor conflicts ] Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> --- drivers/tty/serial/sc16is7xx.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c index a723df9b37dd..c07baf5d5a9c 100644 --- a/drivers/tty/serial/sc16is7xx.c +++ b/drivers/tty/serial/sc16is7xx.c @@ -545,6 +545,9 @@ static int sc16is7xx_set_baud(struct uart_port *port, int baud) SC16IS7XX_MCR_CLKSEL_BIT, prescaler == 1 ? 0 : SC16IS7XX_MCR_CLKSEL_BIT); + + mutex_lock(&one->efr_lock); + /* Open the LCR divisors for configuration */ sc16is7xx_port_write(port, SC16IS7XX_LCR_REG, SC16IS7XX_LCR_CONF_MODE_A); @@ -558,6 +561,8 @@ static int sc16is7xx_set_baud(struct uart_port *port, int baud) /* Put LCR back to the normal mode */ sc16is7xx_port_write(port, SC16IS7XX_LCR_REG, lcr); + mutex_unlock(&one->efr_lock); + return DIV_ROUND_CLOSEST((clk / prescaler) / 16, div); } -- 2.43.0

1 month, 2 weeks

2
1
0 0

[PATCH 6.6] serial: sc16is7xx: fix invalid FIFO access with special register set

by Bin Lan

From: Hugo Villeneuve <hvilleneuve(a)dimonoff.com> [ Upstream commit 7d3b793faaab1305994ce568b59d61927235f57b ] When enabling access to the special register set, Receiver time-out and RHR interrupts can happen. In this case, the IRQ handler will try to read from the FIFO thru the RHR register at address 0x00, but address 0x00 is mapped to DLL register, resulting in erroneous FIFO reading. Call graph example: sc16is7xx_startup(): entry sc16is7xx_ms_proc(): entry sc16is7xx_set_termios(): entry sc16is7xx_set_baud(): DLH/DLL = $009C --> access special register set sc16is7xx_port_irq() entry --> IIR is 0x0C sc16is7xx_handle_rx() entry sc16is7xx_fifo_read(): --> unable to access FIFO (RHR) because it is mapped to DLL (LCR=LCR_CONF_MODE_A) sc16is7xx_set_baud(): exit --> Restore access to general register set Fix the problem by claiming the efr_lock mutex when accessing the Special register set. Fixes: dfeae619d781 ("serial: sc16is7xx") Cc: stable(a)vger.kernel.org Signed-off-by: Hugo Villeneuve <hvilleneuve(a)dimonoff.com> Link: https://lore.kernel.org/r/20240723125302.1305372-3-hugo@hugovil.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> [ Resolve minor conflicts ] Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> --- drivers/tty/serial/sc16is7xx.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c index 7a9924d9b294..f290fbe21d63 100644 --- a/drivers/tty/serial/sc16is7xx.c +++ b/drivers/tty/serial/sc16is7xx.c @@ -545,6 +545,8 @@ static int sc16is7xx_set_baud(struct uart_port *port, int baud) SC16IS7XX_MCR_CLKSEL_BIT, prescaler == 1 ? 0 : SC16IS7XX_MCR_CLKSEL_BIT); + mutex_lock(&one->efr_lock); + /* Open the LCR divisors for configuration */ sc16is7xx_port_write(port, SC16IS7XX_LCR_REG, SC16IS7XX_LCR_CONF_MODE_A); @@ -558,6 +560,8 @@ static int sc16is7xx_set_baud(struct uart_port *port, int baud) /* Put LCR back to the normal mode */ sc16is7xx_port_write(port, SC16IS7XX_LCR_REG, lcr); + mutex_unlock(&one->efr_lock); + return DIV_ROUND_CLOSEST((clk / prescaler) / 16, div); } -- 2.43.0

1 month, 2 weeks

2
1
0 0

[PATCH 1/2] pmdomain: core: Add missing put_device()

by Ulf Hansson

When removing a genpd we don't clean up the genpd->dev correctly. Let's add the missing put_device() in genpd_free_data() to fix this. Fixes: 401ea1572de9 ("PM / Domain: Add struct device to genpd") Cc: stable(a)vger.kernel.org Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> --- drivers/pmdomain/core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/pmdomain/core.c b/drivers/pmdomain/core.c index a6c8b85dd024..4d8b0d18bb4a 100644 --- a/drivers/pmdomain/core.c +++ b/drivers/pmdomain/core.c @@ -2183,6 +2183,7 @@ static int genpd_alloc_data(struct generic_pm_domain *genpd) static void genpd_free_data(struct generic_pm_domain *genpd) { + put_device(&genpd->dev); if (genpd_is_cpu_domain(genpd)) free_cpumask_var(genpd->cpus); if (genpd->free_states) -- 2.43.0

1 month, 2 weeks

1
0
0 0

[PATCH v2 bpf 2/2] bpf: fix OOB devmap writes when deleting elements

by Maciej Fijalkowski

Jordy reported issue against XSKMAP which also applies to DEVMAP - the index used for accessing map entry, due to being a signed integer, causes the OOB writes. Fix is simple as changing the type from int to u32, however, when compared to XSKMAP case, one more thing needs to be addressed. When map is released from system via dev_map_free(), we iterate through all of the entries and an iterator variable is also an int, which implies OOB accesses. Again, change it to be u32. Example splat below: [ 160.724676] BUG: unable to handle page fault for address: ffffc8fc2c001000 [ 160.731662] #PF: supervisor read access in kernel mode [ 160.736876] #PF: error_code(0x0000) - not-present page [ 160.742095] PGD 0 P4D 0 [ 160.744678] Oops: Oops: 0000 [#1] PREEMPT SMP [ 160.749106] CPU: 1 UID: 0 PID: 520 Comm: kworker/u145:12 Not tainted 6.12.0-rc1+ #487 [ 160.757050] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019 [ 160.767642] Workqueue: events_unbound bpf_map_free_deferred [ 160.773308] RIP: 0010:dev_map_free+0x77/0x170 [ 160.777735] Code: 00 e8 fd 91 ed ff e8 b8 73 ed ff 41 83 7d 18 19 74 6e 41 8b 45 24 49 8b bd f8 00 00 00 31 db 85 c0 74 48 48 63 c3 48 8d 04 c7 <48> 8b 28 48 85 ed 74 30 48 8b 7d 18 48 85 ff 74 05 e8 b3 52 fa ff [ 160.796777] RSP: 0018:ffffc9000ee1fe38 EFLAGS: 00010202 [ 160.802086] RAX: ffffc8fc2c001000 RBX: 0000000080000000 RCX: 0000000000000024 [ 160.809331] RDX: 0000000000000000 RSI: 0000000000000024 RDI: ffffc9002c001000 [ 160.816576] RBP: 0000000000000000 R08: 0000000000000023 R09: 0000000000000001 [ 160.823823] R10: 0000000000000001 R11: 00000000000ee6b2 R12: dead000000000122 [ 160.831066] R13: ffff88810c928e00 R14: ffff8881002df405 R15: 0000000000000000 [ 160.838310] FS: 0000000000000000(0000) GS:ffff8897e0c40000(0000) knlGS:0000000000000000 [ 160.846528] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 160.852357] CR2: ffffc8fc2c001000 CR3: 0000000005c32006 CR4: 00000000007726f0 [ 160.859604] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 160.866847] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 160.874092] PKRU: 55555554 [ 160.876847] Call Trace: [ 160.879338] <TASK> [ 160.881477] ? __die+0x20/0x60 [ 160.884586] ? page_fault_oops+0x15a/0x450 [ 160.888746] ? search_extable+0x22/0x30 [ 160.892647] ? search_bpf_extables+0x5f/0x80 [ 160.896988] ? exc_page_fault+0xa9/0x140 [ 160.900973] ? asm_exc_page_fault+0x22/0x30 [ 160.905232] ? dev_map_free+0x77/0x170 [ 160.909043] ? dev_map_free+0x58/0x170 [ 160.912857] bpf_map_free_deferred+0x51/0x90 [ 160.917196] process_one_work+0x142/0x370 [ 160.921272] worker_thread+0x29e/0x3b0 [ 160.925082] ? rescuer_thread+0x4b0/0x4b0 [ 160.929157] kthread+0xd4/0x110 [ 160.932355] ? kthread_park+0x80/0x80 [ 160.936079] ret_from_fork+0x2d/0x50 [ 160.943396] ? kthread_park+0x80/0x80 [ 160.950803] ret_from_fork_asm+0x11/0x20 [ 160.958482] </TASK> Fixes: 546ac1ffb70d ("bpf: add devmap, a map for storing net device references") CC: stable(a)vger.kernel.org Reported-by: Jordy Zomer <jordyzomer(a)google.com> Suggested-by: Jordy Zomer <jordyzomer(a)google.com> Reviewed-by: Toke Høiland-Jørgensen <toke(a)redhat.com> Acked-by: John Fastabend <john.fastabend(a)gmail.com> Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski(a)intel.com> --- kernel/bpf/devmap.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c index 7878be18e9d2..3aa002a47a96 100644 --- a/kernel/bpf/devmap.c +++ b/kernel/bpf/devmap.c @@ -184,7 +184,7 @@ static struct bpf_map *dev_map_alloc(union bpf_attr *attr) static void dev_map_free(struct bpf_map *map) { struct bpf_dtab *dtab = container_of(map, struct bpf_dtab, map); - int i; + u32 i; /* At this point bpf_prog->aux->refcnt == 0 and this map->refcnt == 0, * so the programs (can be more than one that used this map) were @@ -821,7 +821,7 @@ static long dev_map_delete_elem(struct bpf_map *map, void *key) { struct bpf_dtab *dtab = container_of(map, struct bpf_dtab, map); struct bpf_dtab_netdev *old_dev; - int k = *(u32 *)key; + u32 k = *(u32 *)key; if (k >= map->max_entries) return -EINVAL; @@ -838,7 +838,7 @@ static long dev_map_hash_delete_elem(struct bpf_map *map, void *key) { struct bpf_dtab *dtab = container_of(map, struct bpf_dtab, map); struct bpf_dtab_netdev *old_dev; - int k = *(u32 *)key; + u32 k = *(u32 *)key; unsigned long flags; int ret = -ENOENT; -- 2.34.1

1 month, 2 weeks

1
0
0 0

[PATCH v2 bpf 1/2] xsk: fix OOB map writes when deleting elements

by Maciej Fijalkowski

Jordy says: " In the xsk_map_delete_elem function an unsigned integer (map->max_entries) is compared with a user-controlled signed integer (k). Due to implicit type conversion, a large unsigned value for map->max_entries can bypass the intended bounds check: if (k >= map->max_entries) return -EINVAL; This allows k to hold a negative value (between -2147483648 and -2), which is then used as an array index in m->xsk_map[k], which results in an out-of-bounds access. spin_lock_bh(&m->lock); map_entry = &m->xsk_map[k]; // Out-of-bounds map_entry old_xs = unrcu_pointer(xchg(map_entry, NULL)); // Oob write if (old_xs) xsk_map_sock_delete(old_xs, map_entry); spin_unlock_bh(&m->lock); The xchg operation can then be used to cause an out-of-bounds write. Moreover, the invalid map_entry passed to xsk_map_sock_delete can lead to further memory corruption. " It indeed results in following splat: [76612.897343] BUG: unable to handle page fault for address: ffffc8fc2e461108 [76612.904330] #PF: supervisor write access in kernel mode [76612.909639] #PF: error_code(0x0002) - not-present page [76612.914855] PGD 0 P4D 0 [76612.917431] Oops: Oops: 0002 [#1] PREEMPT SMP [76612.921859] CPU: 11 UID: 0 PID: 10318 Comm: a.out Not tainted 6.12.0-rc1+ #470 [76612.929189] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019 [76612.939781] RIP: 0010:xsk_map_delete_elem+0x2d/0x60 [76612.944738] Code: 00 00 41 54 55 53 48 63 2e 3b 6f 24 73 38 4c 8d a7 f8 00 00 00 48 89 fb 4c 89 e7 e8 2d bf 05 00 48 8d b4 eb 00 01 00 00 31 ff <48> 87 3e 48 85 ff 74 05 e8 16 ff ff ff 4c 89 e7 e8 3e bc 05 00 31 [76612.963774] RSP: 0018:ffffc9002e407df8 EFLAGS: 00010246 [76612.969079] RAX: 0000000000000000 RBX: ffffc9002e461000 RCX: 0000000000000000 [76612.976323] RDX: 0000000000000001 RSI: ffffc8fc2e461108 RDI: 0000000000000000 [76612.983569] RBP: ffffffff80000001 R08: 0000000000000000 R09: 0000000000000007 [76612.990812] R10: ffffc9002e407e18 R11: ffff888108a38858 R12: ffffc9002e4610f8 [76612.998060] R13: ffff888108a38858 R14: 00007ffd1ae0ac78 R15: ffffc9002e4610c0 [76613.005303] FS: 00007f80b6f59740(0000) GS:ffff8897e0ec0000(0000) knlGS:0000000000000000 [76613.013517] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [76613.019349] CR2: ffffc8fc2e461108 CR3: 000000011e3ef001 CR4: 00000000007726f0 [76613.026595] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [76613.033841] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [76613.041086] PKRU: 55555554 [76613.043842] Call Trace: [76613.046331] <TASK> [76613.048468] ? __die+0x20/0x60 [76613.051581] ? page_fault_oops+0x15a/0x450 [76613.055747] ? search_extable+0x22/0x30 [76613.059649] ? search_bpf_extables+0x5f/0x80 [76613.063988] ? exc_page_fault+0xa9/0x140 [76613.067975] ? asm_exc_page_fault+0x22/0x30 [76613.072229] ? xsk_map_delete_elem+0x2d/0x60 [76613.076573] ? xsk_map_delete_elem+0x23/0x60 [76613.080914] __sys_bpf+0x19b7/0x23c0 [76613.084555] __x64_sys_bpf+0x1a/0x20 [76613.088194] do_syscall_64+0x37/0xb0 [76613.091832] entry_SYSCALL_64_after_hwframe+0x4b/0x53 [76613.096962] RIP: 0033:0x7f80b6d1e88d [76613.100592] Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 b5 0f 00 f7 d8 64 89 01 48 [76613.119631] RSP: 002b:00007ffd1ae0ac68 EFLAGS: 00000206 ORIG_RAX: 0000000000000141 [76613.131330] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f80b6d1e88d [76613.142632] RDX: 0000000000000098 RSI: 00007ffd1ae0ad20 RDI: 0000000000000003 [76613.153967] RBP: 00007ffd1ae0adc0 R08: 0000000000000000 R09: 0000000000000000 [76613.166030] R10: 00007f80b6f77040 R11: 0000000000000206 R12: 00007ffd1ae0aed8 [76613.177130] R13: 000055ddf42ce1e9 R14: 000055ddf42d0d98 R15: 00007f80b6fab040 [76613.188129] </TASK> Fix this by simply changing key type from int to u32. Fixes: fbfc504a24f5 ("bpf: introduce new bpf AF_XDP map type BPF_MAP_TYPE_XSKMAP") CC: stable(a)vger.kernel.org Reported-by: Jordy Zomer <jordyzomer(a)google.com> Suggested-by: Jordy Zomer <jordyzomer(a)google.com> Reviewed-by: Toke Høiland-Jørgensen <toke(a)redhat.com> Acked-by: John Fastabend <john.fastabend(a)gmail.com> Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski(a)intel.com> --- net/xdp/xskmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/xdp/xskmap.c b/net/xdp/xskmap.c index e1c526f97ce3..afa457506274 100644 --- a/net/xdp/xskmap.c +++ b/net/xdp/xskmap.c @@ -224,7 +224,7 @@ static long xsk_map_delete_elem(struct bpf_map *map, void *key) struct xsk_map *m = container_of(map, struct xsk_map, map); struct xdp_sock __rcu **map_entry; struct xdp_sock *old_xs; - int k = *(u32 *)key; + u32 k = *(u32 *)key; if (k >= map->max_entries) return -EINVAL; -- 2.34.1

1 month, 2 weeks

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror November 2024