February 2024 - Linux-stable-mirror

FAILED: patch "[PATCH] memcg: fix use-after-free in uncharge_batch" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x f1796544a0ca0f14386a679d3d05fbc69235015e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024022759-crave-busily-bef7@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: f1796544a0ca ("memcg: fix use-after-free in uncharge_batch") 1a3e1f40962c ("mm: memcontrol: decouple reference counting from page accounting") 8d22a9351035 ("mm/memcg: fix refcount error while moving and swapping") d9eb1ea2bf87 ("mm: memcontrol: delete unused lrucare handling") 4c6355b25e8b ("mm: memcontrol: charge swapin pages on instantiation") f0e45fb4da29 ("mm: memcontrol: drop unused try/commit/cancel charge API") 9d82c69438d0 ("mm: memcontrol: convert anon and file-thp to new mem_cgroup_charge() API") 468c398233da ("mm: memcontrol: switch to native NR_ANON_THPS counter") be5d0a74c62d ("mm: memcontrol: switch to native NR_ANON_MAPPED counter") 0d1c20722ab3 ("mm: memcontrol: switch to native NR_FILE_PAGES and NR_SHMEM counters") 49e50d277ba2 ("mm: memcontrol: prepare move_account for removal of private page type counters") 9f762dbe19b9 ("mm: memcontrol: prepare uncharging for removal of private page type counters") 3fea5a499d57 ("mm: memcontrol: convert page cache to a new mem_cgroup_charge() API") 6caa6a0703e0 ("mm: memcontrol: move out cgroup swaprate throttling") 14235ab36019 ("mm: shmem: remove rare optimization when swapin races with hole punching") 3fba69a56e16 ("mm: memcontrol: drop @compound parameter from memcg charging API") abb242f57196 ("mm: memcontrol: fix stat-corrupting race in charge moving") f4129ea3591a ("mm: fix NUMA node file count error in replace_page_cache()") ffe945e633b5 ("khugepaged: do not stop collapse if less than half PTEs are referenced") 396bcc5299c2 ("mm: remove CONFIG_TRANSPARENT_HUGE_PAGECACHE") 85b9f46e8ea4 ("mm, thp: track fallbacks due to failed memcg charges separately") dcdf11ee1441 ("mm, shmem: add vmstat for hugepage fallback") 9c315e4d7d8c ("mm: memcg/slab: cache page number in memcg_(un)charge_slab()") 92d0510c3585 ("mm: kmem: switch to nr_pages in (__)memcg_kmem_charge_memcg()") f4b00eab5004 ("mm: kmem: rename memcg_kmem_(un)charge() into memcg_kmem_(un)charge_page()") 50591183fa86 ("mm: kmem: cleanup memcg_kmem_uncharge_memcg() arguments") 10eaec2f63b6 ("mm: kmem: cleanup (__)memcg_kmem_charge_memcg() arguments") 47e29d32afba ("mm/gup: page->hpage_pinned_refcount: exact pin counts for huge pages") 3faa52c03f44 ("mm/gup: track FOLL_PIN pages") 3b78d8347d31 ("mm/gup: pass gup flags to two more routines") c23a0c99793f ("mm/migrate: clean up some minor coding style") 92855270ff08 ("mm/memcontrol.c: cleanup some useless code") f1f6a7dd9b53 ("mm, tree-wide: rename put_user_page*() to unpin_user_page*()") aa4b87fe9ea3 ("powerpc: book3s64: convert to pin_user_pages() and put_user_page()") 19fed0dae94d ("vfio, mm: pin_user_pages (FOLL_PIN) and put_user_page() conversion") 1f815afcfca7 ("media/v4l2-core: pin_user_pages (FOLL_PIN) and put_user_page() conversion") 803e4572d7c5 ("mm/process_vm_access: set FOLL_PIN via pin_user_pages_remote()") 57459435cff5 ("goldish_pipe: convert to pin_user_pages() and put_user_page()") eddb1c228f79 ("mm/gup: introduce pin_user_pages*() and FOLL_PIN") 3c7470b6f684 ("media/v4l2-core: set pages dirty upon releasing DMA buffers") f4000fdf435b ("mm/gup: allow FOLL_FORCE for get_user_pages_fast()") 3567813eae5e ("vfio: fix FOLL_LONGTERM use, simplify get_user_pages_remote() call") c4237f8b1f4f ("mm: fix get_user_pages_remote()'s handling of FOLL_LONGTERM") a707cdd55f0f ("mm/gup: move try_get_compound_head() to top, fix minor issues") a43e982082c2 ("mm/gup: factor out duplicate code from four routines") fac0516b5534 ("mm: thp: don't need care deferred split queue in memcg charge move path") f1fe80d4ae33 ("mm, thp: do not queue fully unmapped pages for deferred split") acbfb087e3b1 ("mm/hugetlb: avoid looping to the same hugepage if !pages and !vmas") 867e5e1de14b ("mm: clean up and clarify lruvec lookup procedure") 242c37b459ce ("include/linux/memcontrol.h: fix comments based on per-node memcg") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f1796544a0ca0f14386a679d3d05fbc69235015e Mon Sep 17 00:00:00 2001 From: Michal Hocko <mhocko(a)suse.com> Date: Fri, 4 Sep 2020 16:35:24 -0700 Subject: [PATCH] memcg: fix use-after-free in uncharge_batch syzbot has reported an use-after-free in the uncharge_batch path BUG: KASAN: use-after-free in instrument_atomic_write include/linux/instrumented.h:71 [inline] BUG: KASAN: use-after-free in atomic64_sub_return include/asm-generic/atomic-instrumented.h:970 [inline] BUG: KASAN: use-after-free in atomic_long_sub_return include/asm-generic/atomic-long.h:113 [inline] BUG: KASAN: use-after-free in page_counter_cancel mm/page_counter.c:54 [inline] BUG: KASAN: use-after-free in page_counter_uncharge+0x3d/0xc0 mm/page_counter.c:155 Write of size 8 at addr ffff8880371c0148 by task syz-executor.0/9304 CPU: 0 PID: 9304 Comm: syz-executor.0 Not tainted 5.8.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1f0/0x31e lib/dump_stack.c:118 print_address_description+0x66/0x620 mm/kasan/report.c:383 __kasan_report mm/kasan/report.c:513 [inline] kasan_report+0x132/0x1d0 mm/kasan/report.c:530 check_memory_region_inline mm/kasan/generic.c:183 [inline] check_memory_region+0x2b5/0x2f0 mm/kasan/generic.c:192 instrument_atomic_write include/linux/instrumented.h:71 [inline] atomic64_sub_return include/asm-generic/atomic-instrumented.h:970 [inline] atomic_long_sub_return include/asm-generic/atomic-long.h:113 [inline] page_counter_cancel mm/page_counter.c:54 [inline] page_counter_uncharge+0x3d/0xc0 mm/page_counter.c:155 uncharge_batch+0x6c/0x350 mm/memcontrol.c:6764 uncharge_page+0x115/0x430 mm/memcontrol.c:6796 uncharge_list mm/memcontrol.c:6835 [inline] mem_cgroup_uncharge_list+0x70/0xe0 mm/memcontrol.c:6877 release_pages+0x13a2/0x1550 mm/swap.c:911 tlb_batch_pages_flush mm/mmu_gather.c:49 [inline] tlb_flush_mmu_free mm/mmu_gather.c:242 [inline] tlb_flush_mmu+0x780/0x910 mm/mmu_gather.c:249 tlb_finish_mmu+0xcb/0x200 mm/mmu_gather.c:328 exit_mmap+0x296/0x550 mm/mmap.c:3185 __mmput+0x113/0x370 kernel/fork.c:1076 exit_mm+0x4cd/0x550 kernel/exit.c:483 do_exit+0x576/0x1f20 kernel/exit.c:793 do_group_exit+0x161/0x2d0 kernel/exit.c:903 get_signal+0x139b/0x1d30 kernel/signal.c:2743 arch_do_signal+0x33/0x610 arch/x86/kernel/signal.c:811 exit_to_user_mode_loop kernel/entry/common.c:135 [inline] exit_to_user_mode_prepare+0x8d/0x1b0 kernel/entry/common.c:166 syscall_exit_to_user_mode+0x5e/0x1a0 kernel/entry/common.c:241 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Commit 1a3e1f40962c ("mm: memcontrol: decouple reference counting from page accounting") reworked the memcg lifetime to be bound the the struct page rather than charges. It also removed the css_put_many from uncharge_batch and that is causing the above splat. uncharge_batch() is supposed to uncharge accumulated charges for all pages freed from the same memcg. The queuing is done by uncharge_page which however drops the memcg reference after it adds charges to the batch. If the current page happens to be the last one holding the reference for its memcg then the memcg is OK to go and the next page to be freed will trigger batched uncharge which needs to access the memcg which is gone already. Fix the issue by taking a reference for the memcg in the current batch. Fixes: 1a3e1f40962c ("mm: memcontrol: decouple reference counting from page accounting") Reported-by: syzbot+b305848212deec86eabe(a)syzkaller.appspotmail.com Reported-by: syzbot+b5ea6fb6f139c8b9482b(a)syzkaller.appspotmail.com Signed-off-by: Michal Hocko <mhocko(a)suse.com> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Reviewed-by: Shakeel Butt <shakeelb(a)google.com> Acked-by: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Roman Gushchin <guro(a)fb.com> Cc: Hugh Dickins <hughd(a)google.com> Link: https://lkml.kernel.org/r/20200820090341.GC5033@dhcp22.suse.cz Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> diff --git a/mm/memcontrol.c b/mm/memcontrol.c index b807952b4d43..cfa6cbad21d5 100644 --- a/mm/memcontrol.c +++ b/mm/memcontrol.c @@ -6774,6 +6774,9 @@ static void uncharge_batch(const struct uncharge_gather *ug) __this_cpu_add(ug->memcg->vmstats_percpu->nr_page_events, ug->nr_pages); memcg_check_events(ug->memcg, ug->dummy_page); local_irq_restore(flags); + + /* drop reference from uncharge_page */ + css_put(&ug->memcg->css); } static void uncharge_page(struct page *page, struct uncharge_gather *ug) @@ -6797,6 +6800,9 @@ static void uncharge_page(struct page *page, struct uncharge_gather *ug) uncharge_gather_clear(ug); } ug->memcg = page->mem_cgroup; + + /* pairs with css_put in uncharge_batch */ + css_get(&ug->memcg->css); } nr_pages = compound_nr(page);

1 year, 8 months

3
4
0 0

[PATCH v1] net: sfp: add quirks for ODI DFP-34X-2C2

by Shengyu Qu

ODI DFP-34X-2C2 is capable of 2500base-X, but incorrectly report its capabilities in the EEPROM. So use sfp_quirk_2500basex for this module to allow 2500Base-X mode. Signed-off-by: Shengyu Qu <wiagn233(a)outlook.com> --- drivers/net/phy/sfp.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c index f75c9eb3958e..2021cb4ff2f6 100644 --- a/drivers/net/phy/sfp.c +++ b/drivers/net/phy/sfp.c @@ -495,6 +495,13 @@ static const struct sfp_quirk sfp_quirks[] = { // 2500MBd NRZ in their EEPROM SFP_QUIRK_M("Lantech", "8330-262D-E", sfp_quirk_2500basex), + // ODI DFP-34X-2C2 can operate at 2500base-X, but incorrectly report 1300MBd + // NRZ in the EEPROM. + // Besides, In early batches, vendor id is set to OEM, but that is fixed in + // newer batches. + SFP_QUIRK_M("ODI", "DFP-34X-2C2", sfp_quirk_2500basex), + SFP_QUIRK_M("OEM", "DFP-34X-2C2", sfp_quirk_2500basex), + SFP_QUIRK_M("UBNT", "UF-INSTANT", sfp_quirk_ubnt_uf_instant), // Walsun HXSX-ATR[CI]-1 don't identify as copper, and use the -- 2.39.2

1 year, 8 months

4
14
0 0

[PATCH -fixes v4 1/3] riscv: Fix enabling cbo.zero when running in M-mode

by Samuel Holland

When the kernel is running in M-mode, the CBZE bit must be set in the menvcfg CSR, not in senvcfg. Cc: <stable(a)vger.kernel.org> Fixes: 43c16d51a19b ("RISC-V: Enable cbo.zero in usermode") Reviewed-by: Andrew Jones <ajones(a)ventanamicro.com> Signed-off-by: Samuel Holland <samuel.holland(a)sifive.com> --- (no changes since v1) arch/riscv/include/asm/csr.h | 2 ++ arch/riscv/kernel/cpufeature.c | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/arch/riscv/include/asm/csr.h b/arch/riscv/include/asm/csr.h index 510014051f5d..2468c55933cd 100644 --- a/arch/riscv/include/asm/csr.h +++ b/arch/riscv/include/asm/csr.h @@ -424,6 +424,7 @@ # define CSR_STATUS CSR_MSTATUS # define CSR_IE CSR_MIE # define CSR_TVEC CSR_MTVEC +# define CSR_ENVCFG CSR_MENVCFG # define CSR_SCRATCH CSR_MSCRATCH # define CSR_EPC CSR_MEPC # define CSR_CAUSE CSR_MCAUSE @@ -448,6 +449,7 @@ # define CSR_STATUS CSR_SSTATUS # define CSR_IE CSR_SIE # define CSR_TVEC CSR_STVEC +# define CSR_ENVCFG CSR_SENVCFG # define CSR_SCRATCH CSR_SSCRATCH # define CSR_EPC CSR_SEPC # define CSR_CAUSE CSR_SCAUSE diff --git a/arch/riscv/kernel/cpufeature.c b/arch/riscv/kernel/cpufeature.c index 89920f84d0a3..c5b13f7dd482 100644 --- a/arch/riscv/kernel/cpufeature.c +++ b/arch/riscv/kernel/cpufeature.c @@ -950,7 +950,7 @@ arch_initcall(check_unaligned_access_all_cpus); void riscv_user_isa_enable(void) { if (riscv_cpu_has_extension_unlikely(smp_processor_id(), RISCV_ISA_EXT_ZICBOZ)) - csr_set(CSR_SENVCFG, ENVCFG_CBZE); + csr_set(CSR_ENVCFG, ENVCFG_CBZE); } #ifdef CONFIG_RISCV_ALTERNATIVE -- 2.43.1

1 year, 8 months

2
1
0 0

[PATCH] Bluetooth: Add device 0bda:4853 to blacklist/quirk table

by WangYuli

This new device is part of a Realtek RTW8852BE chip. Without this change the device utilizes an obsolete version of the firmware that is encoded in it rather than the updated Realtek firmware and config files from the firmware directory. The latter files implement many new features. The device table is as follows: T: Bus=03 Lev=01 Prnt=01 Port=09 Cnt=03 Dev#= 4 Spd=12 MxCh= 0 D: Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0bda ProdID=4853 Rev= 0.00 S: Manufacturer=Realtek S: Product=Bluetooth Radio S: SerialNumber=00e04c000001 C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms Link: https://lore.kernel.org/all/20230810144507.9599-1-Larry.Finger@lwfinger.net/ Cc: stable(a)vger.kernel.org Signed-off-by: Larry Finger <Larry.Finger(a)lwfinger.net> Signed-off-by: WangYuli <wangyuli(a)uniontech.com> --- drivers/bluetooth/btusb.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c index edfb49bbaa28..5225a6075626 100644 --- a/drivers/bluetooth/btusb.c +++ b/drivers/bluetooth/btusb.c @@ -542,6 +542,8 @@ static const struct usb_device_id quirks_table[] = { /* Realtek 8852BE Bluetooth devices */ { USB_DEVICE(0x0cb8, 0xc559), .driver_info = BTUSB_REALTEK | BTUSB_WIDEBAND_SPEECH }, + { USB_DEVICE(0x0bda, 0x4853), .driver_info = BTUSB_REALTEK | + BTUSB_WIDEBAND_SPEECH }, { USB_DEVICE(0x0bda, 0x887b), .driver_info = BTUSB_REALTEK | BTUSB_WIDEBAND_SPEECH }, { USB_DEVICE(0x0bda, 0xb85b), .driver_info = BTUSB_REALTEK | -- 2.43.0

1 year, 8 months

1
0
0 0

[PATCH] usb: xhci: Add error handling in xhci_map_urb_for_dma

by Prashanth K

Currently xhci_map_urb_for_dma() creates a temporary buffer and copies the SG list to the new linear buffer. But if the kzalloc_node() fails, then the following sg_pcopy_to_buffer() can lead to crash since it tries to memcpy to NULL pointer. So return -EAGAIN if kzalloc returns null pointer. Cc: <stable(a)vger.kernel.org> # 5.11 Fixes: 2017a1e58472 ("usb: xhci: Use temporary buffer to consolidate SG") Signed-off-by: Prashanth K <quic_prashk(a)quicinc.com> --- drivers/usb/host/xhci.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c index c057c42c36f4..0597a60bec34 100644 --- a/drivers/usb/host/xhci.c +++ b/drivers/usb/host/xhci.c @@ -1218,6 +1218,9 @@ static int xhci_map_temp_buffer(struct usb_hcd *hcd, struct urb *urb) temp = kzalloc_node(buf_len, GFP_ATOMIC, dev_to_node(hcd->self.sysdev)); + if (!temp) + return -EAGAIN; + if (usb_urb_dir_out(urb)) sg_pcopy_to_buffer(urb->sg, urb->num_sgs, temp, buf_len, 0); -- 2.25.1

1 year, 8 months

2
2
0 0

[PATCH] mk68k: Fix broken THREAD_SIZE_ORDER

by Dawei Li

Current THREAD_SIZE_ORDER implementation for m68k is incorrect, fix it by ilog2(). Fixes: cddafa3500fd ("m68k/m68knommu: merge MMU and non-MMU thread_info.h") Signed-off-by: Dawei Li <dawei.li(a)shingroup.cn> Cc: stable(a)vger.kernel.org --- arch/m68k/include/asm/thread_info.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/m68k/include/asm/thread_info.h b/arch/m68k/include/asm/thread_info.h index 31be2ad999ca..50faecd6fc5f 100644 --- a/arch/m68k/include/asm/thread_info.h +++ b/arch/m68k/include/asm/thread_info.h @@ -19,7 +19,8 @@ #else #define THREAD_SIZE PAGE_SIZE #endif -#define THREAD_SIZE_ORDER ((THREAD_SIZE / PAGE_SIZE) - 1) + +#define THREAD_SIZE_ORDER ilog2(THREAD_SIZE / PAGE_SIZE) #ifndef __ASSEMBLY__ -- 2.27.0

1 year, 8 months

3
3
0 0

[PATCH v2 vfio 1/2] vfio/pds: Always clear the save/restore FDs on reset

by Brett Creeley

After reset the VFIO device state will always be put in VFIO_DEVICE_STATE_RUNNING, but the save/restore files will only be cleared if the previous state was VFIO_DEVICE_STATE_ERROR. This can/will cause the restore/save files to be leaked if/when the migration state machine transitions through the states that re-allocates these files. Fix this by always clearing the restore/save files for resets. Fixes: 7dabb1bcd177 ("vfio/pds: Add support for firmware recovery") Cc: stable(a)vger.kernel.org Signed-off-by: Brett Creeley <brett.creeley(a)amd.com> Reviewed-by: Shannon Nelson <shannon.nelson(a)amd.com> --- drivers/vfio/pci/pds/vfio_dev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/vfio/pci/pds/vfio_dev.c b/drivers/vfio/pci/pds/vfio_dev.c index 4c351c59d05a..a286ebcc7112 100644 --- a/drivers/vfio/pci/pds/vfio_dev.c +++ b/drivers/vfio/pci/pds/vfio_dev.c @@ -32,9 +32,9 @@ void pds_vfio_state_mutex_unlock(struct pds_vfio_pci_device *pds_vfio) mutex_lock(&pds_vfio->reset_mutex); if (pds_vfio->deferred_reset) { pds_vfio->deferred_reset = false; + pds_vfio_put_restore_file(pds_vfio); + pds_vfio_put_save_file(pds_vfio); if (pds_vfio->state == VFIO_DEVICE_STATE_ERROR) { - pds_vfio_put_restore_file(pds_vfio); - pds_vfio_put_save_file(pds_vfio); pds_vfio_dirty_disable(pds_vfio, false); } pds_vfio->state = pds_vfio->deferred_reset_state; -- 2.17.1

1 year, 8 months

2
1
0 0

[PATCH 0/3] Support intra-function call validation

by Rui Qi

Since kernel version 5.4.250 LTS, there has been an issue with the kernel live patching feature becoming unavailable. When compiling the sample code for kernel live patching, the following message is displayed when enabled: livepatch: klp_check_stack: kworker/u256:6:23490 has an unreliable stack After investigation, it was found that this is due to objtool not supporting intra-function calls, resulting in incorrect orc entry generation. This patchset adds support for intra-function calls, allowing the kernel live patching feature to work correctly. Alexandre Chartre (2): objtool: is_fentry_call() crashes if call has no destination objtool: Add support for intra-function calls Rui Qi (1): x86/speculation: Support intra-function call validation arch/x86/include/asm/nospec-branch.h | 7 ++ include/linux/frame.h | 11 ++++ .../Documentation/stack-validation.txt | 8 +++ tools/objtool/arch/x86/decode.c | 6 ++ tools/objtool/check.c | 64 +++++++++++++++++-- 5 files changed, 91 insertions(+), 5 deletions(-) -- 2.39.2 (Apple Git-143)

1 year, 8 months

5
8
0 0

[PATCH v2 0/2] x86/cpu: fix invalid MTRR mask values for SEV or TME

by Paolo Bonzini

Supersedes: <20240130180400.1698136-1-pbonzini(a)redhat.com> MKTME repurposes the high bit of physical address to key id for encryption key and, even though MAXPHYADDR in CPUID[0x80000008] remains the same, the valid bits in the MTRR mask register are based on the reduced number of physical address bits. This breaks boot on machines that have TME enabled and do something to cleanup MTRRs, unless "disable_mtrr_cleanup" is passed on the command line. The fix is to move the check to early CPU initialization, which runs before Linux sets up MTRRs. However, as noticed by Kirill, the patch I sent as v1 actually works only until Linux 6.6. In Linux 6.7, commit fbf6449f84bf ("x86/sev-es: Set x86_virt_bits to the correct value straight away, instead of a two-phase approach") reorganized the initialization of c->x86_phys_bits in a way that broke the patch. But even in 6.7 AMD processors, which did try to reduce it in this_cpu->c_early_init(c), had their x86_phys_bits value overwritten by get_cpu_address_sizes(), so that early_identify_cpu() left the wrong value in x86_phys_bits. This probably went unnoticed because on AMD processors you need not apply the reduced MAXPHYADDR to MTRR masks. Therefore, this v2 prepends the fix for this issue in commit fbf6449f84bf. Apologies for the oversight. Tested on an AMD Epyc machine (where I resorted to dumping mtrr_state) and on the problematic Intel Emerald Rapids machine. Thanks, Paolo Paolo Bonzini (2): x86/cpu: allow reducing x86_phys_bits during early_identify_cpu() x86/cpu/intel: Detect TME keyid bits before setting MTRR mask registers arch/x86/kernel/cpu/common.c | 4 +- arch/x86/kernel/cpu/intel.c | 178 ++++++++++++++++++----------------- 2 files changed, 93 insertions(+), 89 deletions(-) -- 2.43.0

1 year, 8 months

5
23
0 0

[PATCH v1] usb: typec: tpcm: Fix PORT_RESET behavior for self powered devices

by Badhri Jagan Sridharan

While commit 69f89168b310 ("usb: typec: tpcm: Fix issues with power being removed during reset") fixes the boot issues for bus powered devices such as LibreTech Renegade Elite/Firefly, it trades off the CC pins NOT being Hi-Zed during errory recovery (i.e PORT_RESET) for devices which are NOT bus powered(a.k.a self powered). This change Hi-Zs the CC pins only for self powered devices, thus preventing brown out for bus powered devices Adhering to spec is gaining more importance due to the Common charger initiative enforced by the European Union. Quoting from the spec: 4.5.2.2.2.1 ErrorRecovery State Requirements The port shall not drive VBUS or VCONN, and shall present a high-impedance to ground (above zOPEN) on its CC1 and CC2 pins. Hi-Zing the CC pins is the inteded behavior for PORT_RESET. CC pins are set to default state after tErrorRecovery in PORT_RESET_WAIT_OFF. 4.5.2.2.2.2 Exiting From ErrorRecovery State A Sink shall transition to Unattached.SNK after tErrorRecovery. A Source shall transition to Unattached.SRC after tErrorRecovery. Fixes: 69f89168b310 ("usb: typec: tpcm: Fix issues with power being removed during reset") Cc: stable(a)kernel.org Cc: Mark Brown <broonie(a)kernel.org> Signed-off-by: Badhri Jagan Sridharan <badhri(a)google.com> --- drivers/usb/typec/tcpm/tcpm.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c index c9a78f55ca48..bbe1381232eb 100644 --- a/drivers/usb/typec/tcpm/tcpm.c +++ b/drivers/usb/typec/tcpm/tcpm.c @@ -5593,8 +5593,11 @@ static void run_state_machine(struct tcpm_port *port) break; case PORT_RESET: tcpm_reset_port(port); - tcpm_set_cc(port, tcpm_default_state(port) == SNK_UNATTACHED ? - TYPEC_CC_RD : tcpm_rp_cc(port)); + if (port->self_powered) + tcpm_set_cc(port, TYPEC_CC_OPEN); + else + tcpm_set_cc(port, tcpm_default_state(port) == SNK_UNATTACHED ? + TYPEC_CC_RD : tcpm_rp_cc(port)); tcpm_set_state(port, PORT_RESET_WAIT_OFF, PD_T_ERROR_RECOVERY); break; base-commit: a560a5672826fc1e057068bda93b3d4c98d037a2 -- 2.44.0.rc1.240.g4c46232300-goog

1 year, 8 months

2
2
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror February 2024