November 2024 - Linux-stable-mirror

[PATCH 1/2] pmdomain: core: Add missing put_device()

by Ulf Hansson

When removing a genpd we don't clean up the genpd->dev correctly. Let's add the missing put_device() in genpd_free_data() to fix this. Fixes: 401ea1572de9 ("PM / Domain: Add struct device to genpd") Cc: stable(a)vger.kernel.org Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> --- drivers/pmdomain/core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/pmdomain/core.c b/drivers/pmdomain/core.c index a6c8b85dd024..4d8b0d18bb4a 100644 --- a/drivers/pmdomain/core.c +++ b/drivers/pmdomain/core.c @@ -2183,6 +2183,7 @@ static int genpd_alloc_data(struct generic_pm_domain *genpd) static void genpd_free_data(struct generic_pm_domain *genpd) { + put_device(&genpd->dev); if (genpd_is_cpu_domain(genpd)) free_cpumask_var(genpd->cpus); if (genpd->free_states) -- 2.43.0

3 months, 2 weeks

1
0
0 0

[PATCH v2 bpf 2/2] bpf: fix OOB devmap writes when deleting elements

by Maciej Fijalkowski

Jordy reported issue against XSKMAP which also applies to DEVMAP - the index used for accessing map entry, due to being a signed integer, causes the OOB writes. Fix is simple as changing the type from int to u32, however, when compared to XSKMAP case, one more thing needs to be addressed. When map is released from system via dev_map_free(), we iterate through all of the entries and an iterator variable is also an int, which implies OOB accesses. Again, change it to be u32. Example splat below: [ 160.724676] BUG: unable to handle page fault for address: ffffc8fc2c001000 [ 160.731662] #PF: supervisor read access in kernel mode [ 160.736876] #PF: error_code(0x0000) - not-present page [ 160.742095] PGD 0 P4D 0 [ 160.744678] Oops: Oops: 0000 [#1] PREEMPT SMP [ 160.749106] CPU: 1 UID: 0 PID: 520 Comm: kworker/u145:12 Not tainted 6.12.0-rc1+ #487 [ 160.757050] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019 [ 160.767642] Workqueue: events_unbound bpf_map_free_deferred [ 160.773308] RIP: 0010:dev_map_free+0x77/0x170 [ 160.777735] Code: 00 e8 fd 91 ed ff e8 b8 73 ed ff 41 83 7d 18 19 74 6e 41 8b 45 24 49 8b bd f8 00 00 00 31 db 85 c0 74 48 48 63 c3 48 8d 04 c7 <48> 8b 28 48 85 ed 74 30 48 8b 7d 18 48 85 ff 74 05 e8 b3 52 fa ff [ 160.796777] RSP: 0018:ffffc9000ee1fe38 EFLAGS: 00010202 [ 160.802086] RAX: ffffc8fc2c001000 RBX: 0000000080000000 RCX: 0000000000000024 [ 160.809331] RDX: 0000000000000000 RSI: 0000000000000024 RDI: ffffc9002c001000 [ 160.816576] RBP: 0000000000000000 R08: 0000000000000023 R09: 0000000000000001 [ 160.823823] R10: 0000000000000001 R11: 00000000000ee6b2 R12: dead000000000122 [ 160.831066] R13: ffff88810c928e00 R14: ffff8881002df405 R15: 0000000000000000 [ 160.838310] FS: 0000000000000000(0000) GS:ffff8897e0c40000(0000) knlGS:0000000000000000 [ 160.846528] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 160.852357] CR2: ffffc8fc2c001000 CR3: 0000000005c32006 CR4: 00000000007726f0 [ 160.859604] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 160.866847] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 160.874092] PKRU: 55555554 [ 160.876847] Call Trace: [ 160.879338] <TASK> [ 160.881477] ? __die+0x20/0x60 [ 160.884586] ? page_fault_oops+0x15a/0x450 [ 160.888746] ? search_extable+0x22/0x30 [ 160.892647] ? search_bpf_extables+0x5f/0x80 [ 160.896988] ? exc_page_fault+0xa9/0x140 [ 160.900973] ? asm_exc_page_fault+0x22/0x30 [ 160.905232] ? dev_map_free+0x77/0x170 [ 160.909043] ? dev_map_free+0x58/0x170 [ 160.912857] bpf_map_free_deferred+0x51/0x90 [ 160.917196] process_one_work+0x142/0x370 [ 160.921272] worker_thread+0x29e/0x3b0 [ 160.925082] ? rescuer_thread+0x4b0/0x4b0 [ 160.929157] kthread+0xd4/0x110 [ 160.932355] ? kthread_park+0x80/0x80 [ 160.936079] ret_from_fork+0x2d/0x50 [ 160.943396] ? kthread_park+0x80/0x80 [ 160.950803] ret_from_fork_asm+0x11/0x20 [ 160.958482] </TASK> Fixes: 546ac1ffb70d ("bpf: add devmap, a map for storing net device references") CC: stable(a)vger.kernel.org Reported-by: Jordy Zomer <jordyzomer(a)google.com> Suggested-by: Jordy Zomer <jordyzomer(a)google.com> Reviewed-by: Toke Høiland-Jørgensen <toke(a)redhat.com> Acked-by: John Fastabend <john.fastabend(a)gmail.com> Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski(a)intel.com> --- kernel/bpf/devmap.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c index 7878be18e9d2..3aa002a47a96 100644 --- a/kernel/bpf/devmap.c +++ b/kernel/bpf/devmap.c @@ -184,7 +184,7 @@ static struct bpf_map *dev_map_alloc(union bpf_attr *attr) static void dev_map_free(struct bpf_map *map) { struct bpf_dtab *dtab = container_of(map, struct bpf_dtab, map); - int i; + u32 i; /* At this point bpf_prog->aux->refcnt == 0 and this map->refcnt == 0, * so the programs (can be more than one that used this map) were @@ -821,7 +821,7 @@ static long dev_map_delete_elem(struct bpf_map *map, void *key) { struct bpf_dtab *dtab = container_of(map, struct bpf_dtab, map); struct bpf_dtab_netdev *old_dev; - int k = *(u32 *)key; + u32 k = *(u32 *)key; if (k >= map->max_entries) return -EINVAL; @@ -838,7 +838,7 @@ static long dev_map_hash_delete_elem(struct bpf_map *map, void *key) { struct bpf_dtab *dtab = container_of(map, struct bpf_dtab, map); struct bpf_dtab_netdev *old_dev; - int k = *(u32 *)key; + u32 k = *(u32 *)key; unsigned long flags; int ret = -ENOENT; -- 2.34.1

3 months, 2 weeks

1
0
0 0

[PATCH v2 bpf 1/2] xsk: fix OOB map writes when deleting elements

by Maciej Fijalkowski

Jordy says: " In the xsk_map_delete_elem function an unsigned integer (map->max_entries) is compared with a user-controlled signed integer (k). Due to implicit type conversion, a large unsigned value for map->max_entries can bypass the intended bounds check: if (k >= map->max_entries) return -EINVAL; This allows k to hold a negative value (between -2147483648 and -2), which is then used as an array index in m->xsk_map[k], which results in an out-of-bounds access. spin_lock_bh(&m->lock); map_entry = &m->xsk_map[k]; // Out-of-bounds map_entry old_xs = unrcu_pointer(xchg(map_entry, NULL)); // Oob write if (old_xs) xsk_map_sock_delete(old_xs, map_entry); spin_unlock_bh(&m->lock); The xchg operation can then be used to cause an out-of-bounds write. Moreover, the invalid map_entry passed to xsk_map_sock_delete can lead to further memory corruption. " It indeed results in following splat: [76612.897343] BUG: unable to handle page fault for address: ffffc8fc2e461108 [76612.904330] #PF: supervisor write access in kernel mode [76612.909639] #PF: error_code(0x0002) - not-present page [76612.914855] PGD 0 P4D 0 [76612.917431] Oops: Oops: 0002 [#1] PREEMPT SMP [76612.921859] CPU: 11 UID: 0 PID: 10318 Comm: a.out Not tainted 6.12.0-rc1+ #470 [76612.929189] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019 [76612.939781] RIP: 0010:xsk_map_delete_elem+0x2d/0x60 [76612.944738] Code: 00 00 41 54 55 53 48 63 2e 3b 6f 24 73 38 4c 8d a7 f8 00 00 00 48 89 fb 4c 89 e7 e8 2d bf 05 00 48 8d b4 eb 00 01 00 00 31 ff <48> 87 3e 48 85 ff 74 05 e8 16 ff ff ff 4c 89 e7 e8 3e bc 05 00 31 [76612.963774] RSP: 0018:ffffc9002e407df8 EFLAGS: 00010246 [76612.969079] RAX: 0000000000000000 RBX: ffffc9002e461000 RCX: 0000000000000000 [76612.976323] RDX: 0000000000000001 RSI: ffffc8fc2e461108 RDI: 0000000000000000 [76612.983569] RBP: ffffffff80000001 R08: 0000000000000000 R09: 0000000000000007 [76612.990812] R10: ffffc9002e407e18 R11: ffff888108a38858 R12: ffffc9002e4610f8 [76612.998060] R13: ffff888108a38858 R14: 00007ffd1ae0ac78 R15: ffffc9002e4610c0 [76613.005303] FS: 00007f80b6f59740(0000) GS:ffff8897e0ec0000(0000) knlGS:0000000000000000 [76613.013517] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [76613.019349] CR2: ffffc8fc2e461108 CR3: 000000011e3ef001 CR4: 00000000007726f0 [76613.026595] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [76613.033841] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [76613.041086] PKRU: 55555554 [76613.043842] Call Trace: [76613.046331] <TASK> [76613.048468] ? __die+0x20/0x60 [76613.051581] ? page_fault_oops+0x15a/0x450 [76613.055747] ? search_extable+0x22/0x30 [76613.059649] ? search_bpf_extables+0x5f/0x80 [76613.063988] ? exc_page_fault+0xa9/0x140 [76613.067975] ? asm_exc_page_fault+0x22/0x30 [76613.072229] ? xsk_map_delete_elem+0x2d/0x60 [76613.076573] ? xsk_map_delete_elem+0x23/0x60 [76613.080914] __sys_bpf+0x19b7/0x23c0 [76613.084555] __x64_sys_bpf+0x1a/0x20 [76613.088194] do_syscall_64+0x37/0xb0 [76613.091832] entry_SYSCALL_64_after_hwframe+0x4b/0x53 [76613.096962] RIP: 0033:0x7f80b6d1e88d [76613.100592] Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 b5 0f 00 f7 d8 64 89 01 48 [76613.119631] RSP: 002b:00007ffd1ae0ac68 EFLAGS: 00000206 ORIG_RAX: 0000000000000141 [76613.131330] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f80b6d1e88d [76613.142632] RDX: 0000000000000098 RSI: 00007ffd1ae0ad20 RDI: 0000000000000003 [76613.153967] RBP: 00007ffd1ae0adc0 R08: 0000000000000000 R09: 0000000000000000 [76613.166030] R10: 00007f80b6f77040 R11: 0000000000000206 R12: 00007ffd1ae0aed8 [76613.177130] R13: 000055ddf42ce1e9 R14: 000055ddf42d0d98 R15: 00007f80b6fab040 [76613.188129] </TASK> Fix this by simply changing key type from int to u32. Fixes: fbfc504a24f5 ("bpf: introduce new bpf AF_XDP map type BPF_MAP_TYPE_XSKMAP") CC: stable(a)vger.kernel.org Reported-by: Jordy Zomer <jordyzomer(a)google.com> Suggested-by: Jordy Zomer <jordyzomer(a)google.com> Reviewed-by: Toke Høiland-Jørgensen <toke(a)redhat.com> Acked-by: John Fastabend <john.fastabend(a)gmail.com> Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski(a)intel.com> --- net/xdp/xskmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/xdp/xskmap.c b/net/xdp/xskmap.c index e1c526f97ce3..afa457506274 100644 --- a/net/xdp/xskmap.c +++ b/net/xdp/xskmap.c @@ -224,7 +224,7 @@ static long xsk_map_delete_elem(struct bpf_map *map, void *key) struct xsk_map *m = container_of(map, struct xsk_map, map); struct xdp_sock __rcu **map_entry; struct xdp_sock *old_xs; - int k = *(u32 *)key; + u32 k = *(u32 *)key; if (k >= map->max_entries) return -EINVAL; -- 2.34.1

3 months, 2 weeks

1
0
0 0

[PATCH] drm/v3d: Stop active perfmon if it is being destroyed

by Christian Gmeiner

From: Christian Gmeiner <cgmeiner(a)igalia.com> If the active performance monitor (v3d->active_perfmon) is being destroyed, stop it first. Currently, the active perfmon is not stopped during destruction, leaving the v3d->active_perfmon pointer stale. This can lead to undefined behavior and instability. This patch ensures that the active perfmon is stopped before being destroyed, aligning with the behavior introduced in commit 7d1fd3638ee3 ("drm/v3d: Stop the active perfmon before being destroyed"). Cc: stable(a)vger.kernel.org # v5.15+ Fixes: 26a4dc29b74a ("drm/v3d: Expose performance counters to userspace") Signed-off-by: Christian Gmeiner <cgmeiner(a)igalia.com> --- drivers/gpu/drm/v3d/v3d_perfmon.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/gpu/drm/v3d/v3d_perfmon.c b/drivers/gpu/drm/v3d/v3d_perfmon.c index 00cd081d7873..909288d43f2f 100644 --- a/drivers/gpu/drm/v3d/v3d_perfmon.c +++ b/drivers/gpu/drm/v3d/v3d_perfmon.c @@ -383,6 +383,7 @@ int v3d_perfmon_destroy_ioctl(struct drm_device *dev, void *data, { struct v3d_file_priv *v3d_priv = file_priv->driver_priv; struct drm_v3d_perfmon_destroy *req = data; + struct v3d_dev *v3d = v3d_priv->v3d; struct v3d_perfmon *perfmon; mutex_lock(&v3d_priv->perfmon.lock); @@ -392,6 +393,10 @@ int v3d_perfmon_destroy_ioctl(struct drm_device *dev, void *data, if (!perfmon) return -EINVAL; + /* If the active perfmon is being destroyed, stop it first */ + if (perfmon == v3d->active_perfmon) + v3d_perfmon_stop(v3d, perfmon, false); + v3d_perfmon_put(perfmon); return 0; -- 2.47.0

3 months, 2 weeks

2
1
0 0

[PATCH] fs/proc/kcore.c: Clear ret value in read_kcore_iter after successful iov_iter_zero

by Jiri Olsa

If iov_iter_zero succeeds after failed copy_from_kernel_nofault, we need to reset the ret value to zero otherwise it will be returned as final return value of read_kcore_iter. This fixes objdump -d dump over /proc/kcore for me. Cc: stable(a)vger.kernel.org Cc: Alexander Gordeev <agordeev(a)linux.ibm.com> Fixes: 3d5854d75e31 ("fs/proc/kcore.c: allow translation of physical memory addresses") Signed-off-by: Jiri Olsa <jolsa(a)kernel.org> --- fs/proc/kcore.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c index 51446c59388f..c82c408e573e 100644 --- a/fs/proc/kcore.c +++ b/fs/proc/kcore.c @@ -600,6 +600,7 @@ static ssize_t read_kcore_iter(struct kiocb *iocb, struct iov_iter *iter) ret = -EFAULT; goto out; } + ret = 0; /* * We know the bounce buffer is safe to copy from, so * use _copy_to_iter() directly. -- 2.47.0

3 months, 2 weeks

3
2
0 0

[PATCH 0/3] i2c: atr: A few i2c-atr fixes

by Tomi Valkeinen

The first two are perhaps not strictly fixes, as they essentially add support for nested ATRs. The third one is a fix, thus stable is in cc. Tomi Signed-off-by: Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> --- Cosmin Tanislav (1): i2c: atr: Allow unmapped addresses from nested ATRs Tomi Valkeinen (2): i2c: atr: Fix lockdep for nested ATRs i2c: atr: Fix client detach drivers/i2c/i2c-atr.c | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) --- base-commit: adc218676eef25575469234709c2d87185ca223a change-id: 20241121-i2c-atr-fixes-6d52b9f5f0c1 Best regards, -- Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com>

3 months, 2 weeks

2
2
0 0

[PATCH 6.11 000/107] 6.11.10-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.11.10 release. There are 107 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 22 Nov 2024 12:56:14 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.11.10-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.11.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.11.10-rc1 Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> media: dvbdev: fix the logic when DVB_DYNAMIC_MINORS is not set Alexandre Ferrieux <alexandre.ferrieux(a)gmail.com> net: sched: u32: Add test case for systematic hnode IDR leaks Jiri Olsa <jolsa(a)kernel.org> lib/buildid: Fix build ID parsing logic Matthew Auld <matthew.auld(a)intel.com> drm/xe: improve hibernation on igpu Matthew Brost <matthew.brost(a)intel.com> drm/xe: Restore system memory GGTT mappings Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> mm: refactor arch_calc_vm_flag_bits() and arm64 MTE handling Hamish Claxton <hamishclaxton(a)gmail.com> drm/amd/display: Fix failure to read vram info due to static BP_RESULT Ryan Seto <ryanseto(a)amd.com> drm/amd/display: Handle dml allocation failure to avoid crash Dillon Varone <dillon.varone(a)amd.com> drm/amd/display: Require minimum VBlank size for stutter optimization Rodrigo Siqueira <Rodrigo.Siqueira(a)amd.com> drm/amd/display: Adjust VSDB parser for replay feature Jack Xiao <Jack.Xiao(a)amd.com> drm/amdgpu/mes12: correct kiq unmap latency Christian König <christian.koenig(a)amd.com> drm/amdgpu: enable GTT fallback handling for dGPUs only Tim Huang <tim.huang(a)amd.com> drm/amd/pm: print pp_dpm_mclk in ascending order on SMU v14.0.0 David Rosca <david.rosca(a)amd.com> drm/amdgpu: Fix video caps for H264 and HEVC encode maximum size Christian König <christian.koenig(a)amd.com> drm/amdgpu: fix check in gmc_v9_0_get_vm_pte() Vijendar Mukunda <Vijendar.Mukunda(a)amd.com> drm/amd: Fix initialization mistake for NBIO 7.7.0 Dave Airlie <airlied(a)redhat.com> nouveau/dp: handle retries for AUX CH transfers with GSP. Dave Airlie <airlied(a)redhat.com> nouveau: handle EBUSY and EAGAIN for GSP aux errors. Dave Airlie <airlied(a)redhat.com> nouveau: fw: sync dma after setup is called. Sibi Sankar <quic_sibis(a)quicinc.com> pmdomain: core: Add GENPD_FLAG_DEV_NAME_FW flag Sibi Sankar <quic_sibis(a)quicinc.com> pmdomain: arm: Use FLAG_DEV_NAME_FW to ensure unique names Peng Fan <peng.fan(a)nxp.com> pmdomain: imx93-blk-ctrl: correct remove path Ashutosh Dixit <ashutosh.dixit(a)intel.com> drm/xe/oa: Fix "Missing outer runtime PM protection" warning Matthew Auld <matthew.auld(a)intel.com> drm/xe: handle flat ccs during hibernation on igpu Francesco Dolcini <francesco.dolcini(a)toradex.com> drm/bridge: tc358768: Fix DSI command tx Andre Przywara <andre.przywara(a)arm.com> mmc: sunxi-mmc: Fix A100 compatible description Sibi Sankar <quic_sibis(a)quicinc.com> firmware: arm_scmi: Report duplicate opps as firmware bugs Cristian Marussi <cristian.marussi(a)arm.com> firmware: arm_scmi: Skip opp duplicates Sibi Sankar <quic_sibis(a)quicinc.com> mailbox: qcom-cpucp: Mark the irq with IRQF_NO_SUSPEND flag Josef Bacik <josef(a)toxicpanda.com> btrfs: fix incorrect comparison for delayed refs Alex Deucher <alexander.deucher(a)amd.com> Revert "drm/amd/display: parse umc_info or vram_info based on ASIC" Aurelien Jarno <aurelien(a)aurel32.net> Revert "mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K" Donet Tom <donettom(a)linux.ibm.com> selftests: hugetlb_dio: fixup check for initial conditions to skip in the start Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Make KASAN work with 5-level page-tables Bibo Mao <maobibo(a)loongson.cn> LoongArch: Fix AP booting issue in VM mode Kanglong Wang <wangkanglong(a)loongson.cn> LoongArch: Add WriteCombine shadow mapping in KASAN Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Disable KASAN if PGDIR_SIZE is too large for cpu_vabits Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Fix early_numa_add_cpu() usage for FDT systems Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint Dmitry Antipov <dmantipov(a)yandex.ru> ocfs2: fix UBSAN warning in ocfs2_verify_volume() Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: use _rcu variant under rcu_read_lock Geliang Tang <geliang(a)kernel.org> mptcp: hold pm lock when deleting entry Geliang Tang <geliang(a)kernel.org> mptcp: update local address flags when setting it Maksym Glubokiy <maxgl.kernel(a)gmail.com> ALSA: hda/realtek: fix mute/micmute LEDs for a HP EliteBook 645 G10 Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek - update set GPIO3 to default for Thinkpad with ALC1318 Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek - Fixed Clevo platform headset Mic issue Roman Gushchin <roman.gushchin(a)linux.dev> mm: page_alloc: move mlocked flag clearance into free_pages_prepare() Jarkko Sakkinen <jarkko(a)kernel.org> tpm: Disable TPM on tpm2_create_primary() failure Hajime Tazaki <thehajime(a)gmail.com> nommu: pass NULL argument to vma_iter_prealloc() Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint Sean Christopherson <seanjc(a)google.com> KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN Sean Christopherson <seanjc(a)google.com> KVM: x86: Unconditionally set irr_pending when updating APICv state Sean Christopherson <seanjc(a)google.com> KVM: nVMX: Treat vpid01 as current if L2 is active, but with VPID disabled Sean Christopherson <seanjc(a)google.com> KVM: selftests: Disable strict aliasing Mateusz Guzik <mjguzik(a)gmail.com> evm: stop avoidably reading i_writecount in evm_file_release Samasth Norway Ananda <samasth.norway.ananda(a)oracle.com> ima: fix buffer overrun in ima_eventdigest_init_common Xiaoguang Wang <lege.wang(a)jaguarmicro.com> vp_vdpa: fix id_table array not null terminated error Si-Wei Liu <si-wei.liu(a)oracle.com> vdpa/mlx5: Fix PA offset with unaligned starting iotlb map Philipp Stanner <pstanner(a)redhat.com> vdpa: solidrun: Fix UB bug with devres Andrew Morton <akpm(a)linux-foundation.org> mm: revert "mm: shmem: fix data-race in shmem_getattr()" Jann Horn <jannh(a)google.com> mm/mremap: fix address wraparound in move_page_tables() Dan Carpenter <dan.carpenter(a)linaro.org> fs/proc/task_mmu: prevent integer overflow in pagemap_scan_get_args() Qun-Wei Lin <qun-wei.lin(a)mediatek.com> sched/task_stack: fix object_is_on_stack() for KASAN tagged pointers Dave Vasilevsky <dave(a)vasilevsky.ca> crash, powerpc: default to CRASH_DUMP=n on PPC_BOOK3S_32 Dmitry Antipov <dmantipov(a)yandex.ru> ocfs2: uncache inode which has failed entering the group Jinjiang Tu <tujinjiang(a)huawei.com> mm: fix NULL pointer dereference in alloc_pages_bulk_noprof Ard Biesheuvel <ardb(a)kernel.org> x86/stackprotector: Work around strict Clang TLS symbol requirements Baoquan He <bhe(a)redhat.com> x86/mm: Fix a kdump kernel failure on SME system when CONFIG_IMA_KEXEC=y Mario Limonciello <mario.limonciello(a)amd.com> x86/CPU/AMD: Clear virtualized VMLOAD/VMSAVE on Zen4 client Tom Chung <chiahsuan.chung(a)amd.com> drm/amd/display: Fix Panel Replay not update screen correctly Tom Chung <chiahsuan.chung(a)amd.com> drm/amd/display: Change some variable name of psr Leo Li <sunpeng.li(a)amd.com> drm/amd/display: Run idle optimizations at end of vblank handler Alex Deucher <alexander.deucher(a)amd.com> Revert "drm/amd/pm: correct the workload setting" Motiejus JakÅ`tys <motiejus(a)jakstys.lt> tools/mm: fix compile error Russell King (Oracle) <rmk+kernel(a)armlinux.org.uk> ARM: fix cacheflush with PAN Harith G <harith.g(a)alifsemi.com> ARM: 9419/1: mm: Fix kernel memory mapping for xip kernels Hangbin Liu <liuhangbin(a)gmail.com> bonding: add ns target multicast address to slave device Meghana Malladi <m-malladi(a)ti.com> net: ti: icssg-prueth: Fix 1 PPS sync Chen Ridong <chenridong(a)huawei.com> drm/vmwgfx: avoid null_ptr_deref in vmw_framebuffer_surface_create_handle Vitalii Mordan <mordan(a)ispras.ru> stmmac: dwmac-intel-plat: fix call balance of tx_clk handling routines Michal Luczaj <mhal(a)rbox.co> net: Make copy_safe_from_sockptr() match documentation Nícolas F. R. A. Prado <nfraprado(a)collabora.com> net: stmmac: dwmac-mediatek: Fix inverted handling of mediatek,mac-wol Wei Fang <wei.fang(a)nxp.com> samples: pktgen: correct dev to DEV Russell King (Oracle) <rmk+kernel(a)armlinux.org.uk> net: phylink: ensure PHY momentary link-fails are handled Alexandre Ferrieux <alexandre.ferrieux(a)gmail.com> net: sched: cls_u32: Fix u32's systematic failure to free IDR entries for hnodes. Akash Goel <akash.goel(a)arm.com> drm/panthor: Fix handling of partial GPU mapping of BOs Kiran K <kiran.k(a)intel.com> Bluetooth: btintel: Direct exception event to bluetooth stack Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_core: Fix calling mgmt_device_connected Alexandre Ghiti <alexghiti(a)rivosinc.com> drivers: perf: Fix wrong put_cpu() placement Leon Romanovsky <leon(a)kernel.org> Revert "RDMA/core: Fix ENODEV error for iWARP test over vlan" Michal Luczaj <mhal(a)rbox.co> virtio/vsock: Improve MSG_ZEROCOPY error handling Michal Luczaj <mhal(a)rbox.co> vsock: Fix sk_error_queue memory leak Michal Luczaj <mhal(a)rbox.co> virtio/vsock: Fix accept_queue memory leak Daniele Ceraolo Spurio <daniele.ceraolospurio(a)intel.com> drm/i915/gsc: ARL-H and ARL-U need a newer GSC FW. Carolina Jubran <cjubran(a)nvidia.com> net/mlx5e: Disable loopback self-test on multi-PF netdev Moshe Shemesh <moshe(a)nvidia.com> net/mlx5e: CT: Fix null-ptr-deref in add rule err flow William Tu <witu(a)nvidia.com> net/mlx5e: clear xdp features on non-uplink representors Dragos Tatulea <dtatulea(a)nvidia.com> net/mlx5e: kTLS, Fix incorrect page refcounting Mark Bloch <mbloch(a)nvidia.com> net/mlx5: fs, lock FTE when checking if active Parav Pandit <parav(a)nvidia.com> net/mlx5: Fix msix vectors to respect platform limit Paolo Abeni <pabeni(a)redhat.com> mptcp: cope racing subflow creation in mptcp_rcv_space_adjust Paolo Abeni <pabeni(a)redhat.com> mptcp: error out earlier on disconnect Wang Liang <wangliang74(a)huawei.com> net: fix data-races around sk->sk_forward_alloc Andy Yan <andy.yan(a)rock-chips.com> drm/rockchip: vop: Fix a dereferenced before check warning Stefan Wahren <wahrenst(a)gmx.net> net: vertexcom: mse102x: Fix tx_bytes calculation Eric Dumazet <edumazet(a)google.com> sctp: fix possible UAF in sctp_v6_available() Jakub Kicinski <kuba(a)kernel.org> netlink: terminate outstanding dump on socket close ------------- Diffstat: Makefile | 4 +- arch/arm/Kconfig | 3 + arch/arm/kernel/head.S | 8 +- arch/arm/kernel/traps.c | 3 + arch/arm/mm/mmu.c | 34 +++--- arch/arm64/Kconfig | 3 + arch/arm64/include/asm/mman.h | 10 +- arch/loongarch/Kconfig | 3 + arch/loongarch/include/asm/kasan.h | 13 ++- arch/loongarch/kernel/paravirt.c | 15 +++ arch/loongarch/kernel/smp.c | 2 +- arch/loongarch/mm/kasan_init.c | 46 +++++++- arch/mips/Kconfig | 3 + arch/parisc/include/asm/mman.h | 5 +- arch/powerpc/Kconfig | 4 + arch/riscv/Kconfig | 3 + arch/s390/Kconfig | 3 + arch/sh/Kconfig | 3 + arch/x86/Kconfig | 3 + arch/x86/Makefile | 5 +- arch/x86/entry/entry.S | 16 +++ arch/x86/include/asm/asm-prototypes.h | 3 + arch/x86/kernel/cpu/amd.c | 11 ++ arch/x86/kernel/cpu/common.c | 2 + arch/x86/kernel/vmlinux.lds.S | 3 + arch/x86/kvm/lapic.c | 29 +++-- arch/x86/kvm/vmx/nested.c | 30 +++++- arch/x86/kvm/vmx/vmx.c | 6 +- arch/x86/mm/ioremap.c | 6 +- drivers/bluetooth/btintel.c | 5 +- drivers/char/tpm/tpm2-sessions.c | 7 +- drivers/firmware/arm_scmi/perf.c | 44 +++++--- drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 3 +- drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c | 13 ++- drivers/gpu/drm/amd/amdgpu/mes_v12_0.c | 2 +- drivers/gpu/drm/amd/amdgpu/nbio_v7_7.c | 6 ++ drivers/gpu/drm/amd/amdgpu/nv.c | 12 +-- drivers/gpu/drm/amd/amdgpu/soc15.c | 4 +- drivers/gpu/drm/amd/amdgpu/soc21.c | 12 +-- drivers/gpu/drm/amd/amdgpu/soc24.c | 2 +- drivers/gpu/drm/amd/amdgpu/vi.c | 8 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 117 +++++++++++---------- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h | 2 +- .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c | 17 +-- .../amd/display/amdgpu_dm/amdgpu_dm_irq_params.h | 2 +- drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c | 6 +- drivers/gpu/drm/amd/display/dc/core/dc_state.c | 3 + .../dml2/dml21/src/dml2_pmo/dml2_pmo_dcn4_fams2.c | 11 +- drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 49 +++------ drivers/gpu/drm/amd/pm/swsmu/inc/amdgpu_smu.h | 4 +- drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c | 5 +- drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c | 5 +- .../drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c | 5 +- drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c | 4 +- drivers/gpu/drm/amd/pm/swsmu/smu12/renoir_ppt.c | 4 +- .../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 20 +--- .../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c | 5 +- .../gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_0_ppt.c | 5 +- .../gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c | 9 +- drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c | 8 -- drivers/gpu/drm/amd/pm/swsmu/smu_cmn.h | 2 - drivers/gpu/drm/bridge/tc358768.c | 21 +++- drivers/gpu/drm/i915/gt/uc/intel_gsc_fw.c | 50 +++++---- drivers/gpu/drm/i915/i915_drv.h | 8 +- drivers/gpu/drm/i915/intel_device_info.c | 24 ++++- drivers/gpu/drm/i915/intel_device_info.h | 4 +- drivers/gpu/drm/nouveau/nvkm/engine/disp/r535.c | 61 ++++++----- drivers/gpu/drm/nouveau/nvkm/falcon/fw.c | 11 +- drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c | 6 +- drivers/gpu/drm/panthor/panthor_mmu.c | 2 + drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 2 + drivers/gpu/drm/xe/xe_bo.c | 43 ++++---- drivers/gpu/drm/xe/xe_bo_evict.c | 20 ++-- drivers/gpu/drm/xe/xe_oa.c | 2 + drivers/infiniband/core/addr.c | 2 - drivers/mailbox/qcom-cpucp-mbox.c | 2 +- drivers/media/dvb-core/dvbdev.c | 15 +-- drivers/mmc/host/dw_mmc.c | 4 +- drivers/mmc/host/sunxi-mmc.c | 6 +- drivers/net/bonding/bond_main.c | 16 ++- drivers/net/bonding/bond_options.c | 82 ++++++++++++++- drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c | 2 +- .../ethernet/mellanox/mlx5/core/en_accel/ktls_tx.c | 8 +- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 +- .../net/ethernet/mellanox/mlx5/core/en_selftest.c | 4 + drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 19 +++- drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c | 32 +++++- .../net/ethernet/stmicro/stmmac/dwmac-intel-plat.c | 25 +++-- .../net/ethernet/stmicro/stmmac/dwmac-mediatek.c | 4 +- drivers/net/ethernet/ti/icssg/icssg_prueth.c | 13 ++- drivers/net/ethernet/ti/icssg/icssg_prueth.h | 12 +++ drivers/net/ethernet/vertexcom/mse102x.c | 4 +- drivers/net/phy/phylink.c | 14 +-- drivers/perf/riscv_pmu_sbi.c | 4 +- drivers/pmdomain/arm/scmi_perf_domain.c | 3 +- drivers/pmdomain/core.c | 49 ++++++--- drivers/pmdomain/imx/imx93-blk-ctrl.c | 4 +- drivers/vdpa/mlx5/core/mr.c | 8 +- drivers/vdpa/solidrun/snet_main.c | 14 ++- drivers/vdpa/virtio_pci/vp_vdpa.c | 10 +- fs/btrfs/delayed-ref.c | 2 +- fs/nilfs2/btnode.c | 2 - fs/nilfs2/gcinode.c | 4 +- fs/nilfs2/mdt.c | 1 - fs/nilfs2/page.c | 2 +- fs/ocfs2/resize.c | 2 + fs/ocfs2/super.c | 13 ++- fs/proc/task_mmu.c | 4 +- include/drm/intel/i915_pciids.h | 19 +++- include/linux/mman.h | 7 +- include/linux/pm_domain.h | 6 ++ include/linux/sched/task_stack.h | 2 + include/linux/sockptr.h | 4 +- include/net/bond_options.h | 2 + kernel/Kconfig.kexec | 2 +- lib/buildid.c | 2 +- mm/mmap.c | 2 +- mm/mremap.c | 2 +- mm/nommu.c | 4 +- mm/page_alloc.c | 18 +++- mm/shmem.c | 5 - mm/swap.c | 14 --- net/bluetooth/hci_core.c | 2 - net/dccp/ipv6.c | 2 +- net/ipv6/tcp_ipv6.c | 4 +- net/mptcp/pm_netlink.c | 3 +- net/mptcp/pm_userspace.c | 15 +++ net/mptcp/protocol.c | 16 ++- net/netlink/af_netlink.c | 31 ++---- net/netlink/af_netlink.h | 2 - net/sched/cls_u32.c | 18 +++- net/sctp/ipv6.c | 19 ++-- net/vmw_vsock/af_vsock.c | 3 + net/vmw_vsock/virtio_transport_common.c | 9 ++ samples/pktgen/pktgen_sample01_simple.sh | 2 +- security/integrity/evm/evm_main.c | 3 +- security/integrity/ima/ima_template_lib.c | 14 ++- sound/pci/hda/patch_realtek.c | 13 ++- tools/mm/page-types.c | 2 +- tools/testing/selftests/kvm/Makefile | 8 +- tools/testing/selftests/mm/hugetlb_dio.c | 7 ++ .../selftests/tc-testing/tc-tests/filters/u32.json | 24 +++++ 143 files changed, 1080 insertions(+), 537 deletions(-)

3 months, 2 weeks

11
117
0 0

[PATCH 6.6 00/82] 6.6.63-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.63 release. There are 82 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 22 Nov 2024 12:56:17 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.63-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.63-rc1 SeongJae Park <sj(a)kernel.org> mm/damon/core: copy nr_accesses when splitting region SeongJae Park <sj(a)kernel.org> mm/damon/core: handle zero schemes apply interval SeongJae Park <sj(a)kernel.org> mm/damon/core: check apply interval in damon_do_apply_schemes() Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> mm: resolve faulty mmap_region() error path behaviour Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> mm: refactor arch_calc_vm_flag_bits() and arm64 MTE handling Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> mm: refactor map_deny_write_exec() Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> mm: unconditionally close VMAs on error Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> mm: avoid unsafe VMA hook invocation when error arises on mmap hook George Stark <gnstark(a)salutedevices.com> leds: mlxreg: Use devm_mutex_init() for mutex initialization Eric Van Hensbergen <ericvh(a)kernel.org> fs/9p: fix uninitialized values during inode evict Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> drm/amd/pm: Vangogh: Fix kernel memory out of bounds write Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: use _rcu variant under rcu_read_lock Geliang Tang <tanggeliang(a)kylinos.cn> mptcp: drop lookup_by_id in lookup_addr Geliang Tang <tanggeliang(a)kylinos.cn> mptcp: hold pm lock when deleting entry Geliang Tang <tanggeliang(a)kylinos.cn> mptcp: update local address flags when setting it Geliang Tang <tanggeliang(a)kylinos.cn> mptcp: add userspace_pm_lookup_addr_by_id helper Geliang Tang <geliang.tang(a)suse.com> mptcp: define more local variables sk Chuck Lever <chuck.lever(a)oracle.com> NFSD: Never decrement pending_async_copies on error Chuck Lever <chuck.lever(a)oracle.com> NFSD: Initialize struct nfsd4_copy earlier Chuck Lever <chuck.lever(a)oracle.com> NFSD: Limit the number of concurrent async COPY operations Chuck Lever <chuck.lever(a)oracle.com> NFSD: Async COPY result needs to return a write verifier Dai Ngo <dai.ngo(a)oracle.com> NFSD: initialize copy->cp_clp early in nfsd4_copy for use by trace point Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> media: dvbdev: fix the logic when DVB_DYNAMIC_MINORS is not set Jiri Olsa <jolsa(a)kernel.org> lib/buildid: Fix build ID parsing logic Umang Jain <umang.jain(a)ideasonboard.com> staging: vchiq_arm: Use devm_kzalloc() for vchiq_arm_state allocation Stefan Wahren <wahrenst(a)gmx.net> staging: vchiq_arm: Get the rid off struct vchiq_2835_state SeongJae Park <sj(a)kernel.org> mm/damon/core: handle zero {aggregation,ops_update} intervals SeongJae Park <sj(a)kernel.org> mm/damon/core: implement scheme-specific apply interval Rodrigo Siqueira <Rodrigo.Siqueira(a)amd.com> drm/amd/display: Adjust VSDB parser for replay feature Vijendar Mukunda <Vijendar.Mukunda(a)amd.com> drm/amd: Fix initialization mistake for NBIO 7.7.0 Dave Airlie <airlied(a)redhat.com> nouveau: fw: sync dma after setup is called. Peng Fan <peng.fan(a)nxp.com> pmdomain: imx93-blk-ctrl: correct remove path Francesco Dolcini <francesco.dolcini(a)toradex.com> drm/bridge: tc358768: Fix DSI command tx Andre Przywara <andre.przywara(a)arm.com> mmc: sunxi-mmc: Fix A100 compatible description Aurelien Jarno <aurelien(a)aurel32.net> Revert "mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K" Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Make KASAN work with 5-level page-tables Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Disable KASAN if PGDIR_SIZE is too large for cpu_vabits Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Fix early_numa_add_cpu() usage for FDT systems Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint Dmitry Antipov <dmantipov(a)yandex.ru> ocfs2: fix UBSAN warning in ocfs2_verify_volume() Maksym Glubokiy <maxgl.kernel(a)gmail.com> ALSA: hda/realtek: fix mute/micmute LEDs for a HP EliteBook 645 G10 Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek - Fixed Clevo platform headset Mic issue Hajime Tazaki <thehajime(a)gmail.com> nommu: pass NULL argument to vma_iter_prealloc() Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint Sean Christopherson <seanjc(a)google.com> KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN Sean Christopherson <seanjc(a)google.com> KVM: x86: Unconditionally set irr_pending when updating APICv state Sean Christopherson <seanjc(a)google.com> KVM: nVMX: Treat vpid01 as current if L2 is active, but with VPID disabled Samasth Norway Ananda <samasth.norway.ananda(a)oracle.com> ima: fix buffer overrun in ima_eventdigest_init_common Xiaoguang Wang <lege.wang(a)jaguarmicro.com> vp_vdpa: fix id_table array not null terminated error Si-Wei Liu <si-wei.liu(a)oracle.com> vdpa/mlx5: Fix PA offset with unaligned starting iotlb map Philipp Stanner <pstanner(a)redhat.com> vdpa: solidrun: Fix UB bug with devres Andrew Morton <akpm(a)linux-foundation.org> mm: revert "mm: shmem: fix data-race in shmem_getattr()" Dmitry Antipov <dmantipov(a)yandex.ru> ocfs2: uncache inode which has failed entering the group Jinjiang Tu <tujinjiang(a)huawei.com> mm: fix NULL pointer dereference in alloc_pages_bulk_noprof Baoquan He <bhe(a)redhat.com> x86/mm: Fix a kdump kernel failure on SME system when CONFIG_IMA_KEXEC=y Motiejus JakÅ`tys <motiejus(a)jakstys.lt> tools/mm: fix compile error Harith G <harith.g(a)alifsemi.com> ARM: 9419/1: mm: Fix kernel memory mapping for xip kernels Hangbin Liu <liuhangbin(a)gmail.com> bonding: add ns target multicast address to slave device Meghana Malladi <m-malladi(a)ti.com> net: ti: icssg-prueth: Fix 1 PPS sync Vitalii Mordan <mordan(a)ispras.ru> stmmac: dwmac-intel-plat: fix call balance of tx_clk handling routines Jisheng Zhang <jszhang(a)kernel.org> net: stmmac: rename stmmac_pltfr_remove_no_dt to stmmac_pltfr_remove Jisheng Zhang <jszhang(a)kernel.org> net: stmmac: dwmac-visconti: use devm_stmmac_probe_config_dt() Jisheng Zhang <jszhang(a)kernel.org> net: stmmac: dwmac-intel-plat: use devm_stmmac_probe_config_dt() Michal Luczaj <mhal(a)rbox.co> net: Make copy_safe_from_sockptr() match documentation Nícolas F. R. A. Prado <nfraprado(a)collabora.com> net: stmmac: dwmac-mediatek: Fix inverted handling of mediatek,mac-wol Wei Fang <wei.fang(a)nxp.com> samples: pktgen: correct dev to DEV Alexandre Ferrieux <alexandre.ferrieux(a)gmail.com> net: sched: cls_u32: Fix u32's systematic failure to free IDR entries for hnodes. Pedro Tammela <pctammela(a)mojatatu.com> net/sched: cls_u32: replace int refcounts with proper refcounts Kiran K <kiran.k(a)intel.com> Bluetooth: btintel: Direct exception event to bluetooth stack Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_core: Fix calling mgmt_device_connected Leon Romanovsky <leon(a)kernel.org> Revert "RDMA/core: Fix ENODEV error for iWARP test over vlan" Michal Luczaj <mhal(a)rbox.co> virtio/vsock: Fix accept_queue memory leak Moshe Shemesh <moshe(a)nvidia.com> net/mlx5e: CT: Fix null-ptr-deref in add rule err flow William Tu <witu(a)nvidia.com> net/mlx5e: clear xdp features on non-uplink representors Dragos Tatulea <dtatulea(a)nvidia.com> net/mlx5e: kTLS, Fix incorrect page refcounting Mark Bloch <mbloch(a)nvidia.com> net/mlx5: fs, lock FTE when checking if active Paolo Abeni <pabeni(a)redhat.com> mptcp: cope racing subflow creation in mptcp_rcv_space_adjust Paolo Abeni <pabeni(a)redhat.com> mptcp: error out earlier on disconnect Andy Yan <andy.yan(a)rock-chips.com> drm/rockchip: vop: Fix a dereferenced before check warning Stefan Wahren <wahrenst(a)gmx.net> net: vertexcom: mse102x: Fix tx_bytes calculation Eric Dumazet <edumazet(a)google.com> sctp: fix possible UAF in sctp_v6_available() Jakub Kicinski <kuba(a)kernel.org> netlink: terminate outstanding dump on socket close ------------- Diffstat: Makefile | 4 +- arch/arm/kernel/head.S | 8 +- arch/arm/mm/mmu.c | 34 +++--- arch/arm64/include/asm/mman.h | 10 +- arch/loongarch/include/asm/kasan.h | 2 +- arch/loongarch/kernel/smp.c | 2 +- arch/loongarch/mm/kasan_init.c | 41 ++++++- arch/parisc/include/asm/mman.h | 5 +- arch/x86/kvm/lapic.c | 29 +++-- arch/x86/kvm/vmx/nested.c | 30 ++++- arch/x86/kvm/vmx/vmx.c | 6 +- arch/x86/mm/ioremap.c | 6 +- drivers/bluetooth/btintel.c | 5 +- drivers/gpu/drm/amd/amdgpu/nbio_v7_7.c | 6 + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 2 +- drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c | 7 +- drivers/gpu/drm/bridge/tc358768.c | 21 +++- drivers/gpu/drm/nouveau/nvkm/falcon/fw.c | 11 +- drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 8 +- drivers/infiniband/core/addr.c | 2 - drivers/leds/leds-mlxreg.c | 16 +-- drivers/media/dvb-core/dvbdev.c | 15 +-- drivers/mmc/host/dw_mmc.c | 4 +- drivers/mmc/host/sunxi-mmc.c | 6 +- drivers/net/bonding/bond_main.c | 16 ++- drivers/net/bonding/bond_options.c | 82 ++++++++++++- drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c | 2 +- .../ethernet/mellanox/mlx5/core/en_accel/ktls_tx.c | 8 +- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 +- drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 19 ++- .../net/ethernet/stmicro/stmmac/dwmac-intel-plat.c | 40 +++---- .../net/ethernet/stmicro/stmmac/dwmac-mediatek.c | 4 +- .../net/ethernet/stmicro/stmmac/dwmac-visconti.c | 18 +-- .../net/ethernet/stmicro/stmmac/stmmac_platform.c | 25 +--- .../net/ethernet/stmicro/stmmac/stmmac_platform.h | 1 - drivers/net/ethernet/ti/icssg/icssg_prueth.c | 13 ++- drivers/net/ethernet/ti/icssg/icssg_prueth.h | 12 ++ drivers/net/ethernet/vertexcom/mse102x.c | 4 +- drivers/pmdomain/imx/imx93-blk-ctrl.c | 4 +- .../vc04_services/interface/vchiq_arm/vchiq_arm.c | 25 +--- drivers/vdpa/mlx5/core/mr.c | 8 +- drivers/vdpa/solidrun/snet_main.c | 14 ++- drivers/vdpa/virtio_pci/vp_vdpa.c | 10 +- fs/9p/vfs_inode.c | 17 +-- fs/nfsd/netns.h | 1 + fs/nfsd/nfs4proc.c | 36 +++--- fs/nfsd/nfs4state.c | 1 + fs/nfsd/xdr4.h | 1 + fs/nilfs2/btnode.c | 2 - fs/nilfs2/gcinode.c | 4 +- fs/nilfs2/mdt.c | 1 - fs/nilfs2/page.c | 2 +- fs/ocfs2/resize.c | 2 + fs/ocfs2/super.c | 13 ++- include/linux/damon.h | 17 ++- include/linux/mman.h | 28 ++++- include/linux/sockptr.h | 4 +- include/net/bond_options.h | 2 + lib/buildid.c | 2 +- mm/damon/core.c | 84 ++++++++++++-- mm/damon/dbgfs.c | 3 +- mm/damon/lru_sort.c | 2 + mm/damon/reclaim.c | 2 + mm/damon/sysfs-schemes.c | 2 +- mm/internal.h | 45 ++++++++ mm/mmap.c | 128 ++++++++++++--------- mm/mprotect.c | 2 +- mm/nommu.c | 11 +- mm/page_alloc.c | 3 +- mm/shmem.c | 5 - net/bluetooth/hci_core.c | 2 - net/mptcp/pm_netlink.c | 15 ++- net/mptcp/pm_userspace.c | 77 ++++++++----- net/mptcp/protocol.c | 16 ++- net/netlink/af_netlink.c | 31 ++--- net/netlink/af_netlink.h | 2 - net/sched/cls_u32.c | 54 +++++---- net/sctp/ipv6.c | 19 ++- net/vmw_vsock/virtio_transport_common.c | 8 ++ samples/pktgen/pktgen_sample01_simple.sh | 2 +- security/integrity/ima/ima_template_lib.c | 14 ++- sound/pci/hda/patch_realtek.c | 3 + tools/mm/page-types.c | 2 +- 83 files changed, 824 insertions(+), 429 deletions(-)

3 months, 2 weeks

10
91
0 0

[PATCH 6.12 0/3] 6.12.1-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.1 release. There are 3 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 22 Nov 2024 12:40:53 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.1-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.1-rc1 Liam R. Howlett <Liam.Howlett(a)Oracle.com> mm/mmap: fix __mmap_region() error handling in rare merge failure case Benoit Sevens <bsevens(a)google.com> media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format Hyunwoo Kim <v4bel(a)theori.io> hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer ------------- Diffstat: Makefile | 4 ++-- drivers/media/usb/uvc/uvc_driver.c | 2 +- mm/mmap.c | 13 ++++++++++++- net/vmw_vsock/hyperv_transport.c | 1 + 4 files changed, 16 insertions(+), 4 deletions(-)

3 months, 2 weeks

10
12
0 0

+ nilfs2-fix-potential-out-of-bounds-memory-access-in-nilfs_find_entry.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: nilfs2: fix potential out-of-bounds memory access in nilfs_find_entry() has been added to the -mm mm-hotfixes-unstable branch. Its filename is nilfs2-fix-potential-out-of-bounds-memory-access-in-nilfs_find_entry.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Subject: nilfs2: fix potential out-of-bounds memory access in nilfs_find_entry() Date: Wed, 20 Nov 2024 02:23:37 +0900 Syzbot reported that when searching for records in a directory where the inode's i_size is corrupted and has a large value, memory access outside the folio/page range may occur, or a use-after-free bug may be detected if KASAN is enabled. This is because nilfs_last_byte(), which is called by nilfs_find_entry() and others to calculate the number of valid bytes of directory data in a page from i_size and the page index, loses the upper 32 bits of the 64-bit size information due to an inappropriate type of local variable to which the i_size value is assigned. This caused a large byte offset value due to underflow in the end address calculation in the calling nilfs_find_entry(), resulting in memory access that exceeds the folio/page size. Fix this issue by changing the type of the local variable causing the bit loss from "unsigned int" to "u64". The return value of nilfs_last_byte() is also of type "unsigned int", but it is truncated so as not to exceed PAGE_SIZE and no bit loss occurs, so no change is required. Link: https://lkml.kernel.org/r/20241119172403.9292-1-konishi.ryusuke@gmail.com Fixes: 2ba466d74ed7 ("nilfs2: directory entry operations") Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Reported-by: syzbot+96d5d14c47d97015c624(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=96d5d14c47d97015c624 Tested-by: syzbot+96d5d14c47d97015c624(a)syzkaller.appspotmail.com Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/nilfs2/dir.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/fs/nilfs2/dir.c~nilfs2-fix-potential-out-of-bounds-memory-access-in-nilfs_find_entry +++ a/fs/nilfs2/dir.c @@ -70,7 +70,7 @@ static inline unsigned int nilfs_chunk_s */ static unsigned int nilfs_last_byte(struct inode *inode, unsigned long page_nr) { - unsigned int last_byte = inode->i_size; + u64 last_byte = inode->i_size; last_byte -= page_nr << PAGE_SHIFT; if (last_byte > PAGE_SIZE) _ Patches currently in -mm which might be from konishi.ryusuke(a)gmail.com are nilfs2-fix-potential-out-of-bounds-memory-access-in-nilfs_find_entry.patch

3 months, 2 weeks

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror November 2024