March 2024 - Linux-stable-mirror

[PATCH] drm/vkms: call drm_atomic_helper_shutdown before drm_dev_put()

by Guo Mengqi

commit 73a82b22963d ("drm/atomic: Fix potential use-after-free in nonblocking commits") introduced drm_dev_get/put() to drm_atomic_helper_shutdown(). And this cause problem in vkms driver exit process. vkms_exit() drm_dev_put() vkms_release() drm_atomic_helper_shutdown() drm_dev_get() drm_dev_put() vkms_release() ------ null pointer access Using 4.19 stable x86 image on qemu, below stacktrace can be triggered by load and unload vkms.ko. root:~ # insmod vkms.ko [ 142.135449] [drm] Supports vblank timestamp caching Rev 2 (21.10.2013). [ 142.138713] [drm] Driver supports precise vblank timestamp query. [ 142.142390] [drm] Initialized vkms 1.0.0 20180514 for virtual device on minor 0 root:~ # rmmod vkms.ko [ 144.093710] BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0 [ 144.097491] PGD 800000023624e067 P4D 800000023624e067 PUD 22ab59067 PMD 0 [ 144.100802] Oops: 0000 [#1] SMP PTI [ 144.102502] CPU: 0 PID: 3615 Comm: rmmod Not tainted 4.19.310 #1 [ 144.104452] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 144.107238] RIP: 0010:device_del+0x34/0x3a0 ... [ 144.131323] Call Trace: [ 144.131962] ? __die+0x7d/0xc0 [ 144.132711] ? no_context+0x152/0x3b0 [ 144.133605] ? wake_up_q+0x70/0x70 [ 144.134436] ? __do_page_fault+0x342/0x4b0 [ 144.135445] ? __switch_to_asm+0x41/0x70 [ 144.136416] ? __switch_to_asm+0x35/0x70 [ 144.137366] ? page_fault+0x1e/0x30 [ 144.138214] ? __drm_atomic_state_free+0x51/0x60 [ 144.139331] ? device_del+0x34/0x3a0 [ 144.140197] platform_device_del.part.14+0x19/0x70 [ 144.141348] platform_device_unregister+0xe/0x20 [ 144.142458] vkms_release+0x10/0x30 [vkms] [ 144.143449] __drm_atomic_helper_disable_all.constprop.31+0x13b/0x150 [ 144.144980] drm_atomic_helper_shutdown+0x4b/0x90 [ 144.146102] vkms_release+0x18/0x30 [vkms] [ 144.147107] vkms_exit+0x29/0x8ec [vkms] [ 144.148053] __x64_sys_delete_module+0x155/0x220 [ 144.149168] do_syscall_64+0x43/0x100 [ 144.150056] entry_SYSCALL_64_after_hwframe+0x5c/0xc1 It seems that the proper unload sequence is: drm_atomic_helper_shutdown(); drm_dev_put(); Just put drm_atomic_helper_shutdown() before drm_dev_put() should solve the problem. Fixes: 73a82b22963d ("drm/atomic: Fix potential use-after-free in nonblocking commits") Signed-off-by: Guo Mengqi <guomengqi3(a)huawei.com> --- drivers/gpu/drm/vkms/vkms_drv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/vkms/vkms_drv.c b/drivers/gpu/drm/vkms/vkms_drv.c index b1201c18d3eb..d32e08f17427 100644 --- a/drivers/gpu/drm/vkms/vkms_drv.c +++ b/drivers/gpu/drm/vkms/vkms_drv.c @@ -39,7 +39,6 @@ static void vkms_release(struct drm_device *dev) struct vkms_device *vkms = container_of(dev, struct vkms_device, drm); platform_device_unregister(vkms->platform); - drm_atomic_helper_shutdown(&vkms->drm); drm_mode_config_cleanup(&vkms->drm); drm_dev_fini(&vkms->drm); } @@ -137,6 +136,7 @@ static void __exit vkms_exit(void) } drm_dev_unregister(&vkms_device->drm); + drm_atomic_helper_shutdown(&vkms_device->drm); drm_dev_put(&vkms_device->drm); kfree(vkms_device); -- 2.17.1

9 months, 3 weeks

1
0
0 0

[PATCH] drm/i915/gt: Report full vm address range

by Andi Shyti

Commit 9bb66c179f50 ("drm/i915: Reserve some kernel space per vm") has reserved an object for kernel space usage. Userspace, though, needs to know the full address range. Fixes: 9bb66c179f50 ("drm/i915: Reserve some kernel space per vm") Signed-off-by: Andi Shyti <andi.shyti(a)linux.intel.com> Cc: Andrzej Hajda <andrzej.hajda(a)intel.com> Cc: Chris Wilson <chris.p.wilson(a)linux.intel.com> Cc: Lionel Landwerlin <lionel.g.landwerlin(a)intel.com> Cc: Michal Mrozek <michal.mrozek(a)intel.com> Cc: Nirmoy Das <nirmoy.das(a)intel.com> Cc: <stable(a)vger.kernel.org> # v6.2+ --- drivers/gpu/drm/i915/gt/gen8_ppgtt.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/gt/gen8_ppgtt.c b/drivers/gpu/drm/i915/gt/gen8_ppgtt.c index fa46d2308b0e..d76831f50106 100644 --- a/drivers/gpu/drm/i915/gt/gen8_ppgtt.c +++ b/drivers/gpu/drm/i915/gt/gen8_ppgtt.c @@ -982,8 +982,9 @@ static int gen8_init_rsvd(struct i915_address_space *vm) vm->rsvd.vma = i915_vma_make_unshrinkable(vma); vm->rsvd.obj = obj; - vm->total -= vma->node.size; + return 0; + unref: i915_gem_object_put(obj); return ret; -- 2.43.0

9 months, 3 weeks

4
7
0 0

[PATCH 11/17] wifi: iwlwifi: mvm: handle debugfs names more carefully

by Miri Korenblit

From: Johannes Berg <johannes.berg(a)intel.com> With debugfs=off, we can get here with the dbgfs_dir being an ERR_PTR(). Instead of checking for all this, which is often flagged as a mistake, simply handle the names here more carefully by printing them, then we don't need extra checks. Also, while checking, I noticed theoretically 'buf' is too small, so fix that size as well. Cc: stable(a)vger.kernel.org Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218422 Fixes: c36235acb34f ("wifi: iwlwifi: mvm: rework debugfs handling") Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Miri Korenblit <miriam.rachel.korenblit(a)intel.com> --- drivers/net/wireless/intel/iwlwifi/mvm/debugfs-vif.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/debugfs-vif.c b/drivers/net/wireless/intel/iwlwifi/mvm/debugfs-vif.c index 5485e8bf613e..af56a55063a7 100644 --- a/drivers/net/wireless/intel/iwlwifi/mvm/debugfs-vif.c +++ b/drivers/net/wireless/intel/iwlwifi/mvm/debugfs-vif.c @@ -806,7 +806,9 @@ void iwl_mvm_vif_dbgfs_add_link(struct iwl_mvm *mvm, struct ieee80211_vif *vif) { struct dentry *dbgfs_dir = vif->debugfs_dir; struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif); - char buf[100]; + char buf[3 * 3 + 11 + (NL80211_WIPHY_NAME_MAXLEN + 1) + + (7 + IFNAMSIZ + 1) + 6 + 1]; + char name[7 + IFNAMSIZ + 1]; /* this will happen in monitor mode */ if (!dbgfs_dir) @@ -819,10 +821,11 @@ void iwl_mvm_vif_dbgfs_add_link(struct iwl_mvm *mvm, struct ieee80211_vif *vif) * find * netdev:wlan0 -> ../../../ieee80211/phy0/netdev:wlan0/iwlmvm/ */ - snprintf(buf, 100, "../../../%pd3/iwlmvm", dbgfs_dir); + snprintf(name, sizeof(name), "%pd", dbgfs_dir); + snprintf(buf, sizeof(buf), "../../../%pd3/iwlmvm", dbgfs_dir); - mvmvif->dbgfs_slink = debugfs_create_symlink(dbgfs_dir->d_name.name, - mvm->debugfs_dir, buf); + mvmvif->dbgfs_slink = + debugfs_create_symlink(name, mvm->debugfs_dir, buf); } void iwl_mvm_vif_dbgfs_rm_link(struct iwl_mvm *mvm, struct ieee80211_vif *vif) -- 2.34.1

9 months, 3 weeks

1
0
0 0

[PATCH] sched/core: fix affine_move_task failure case

by Daniel Vacek

Bill Peters reported CPU hangs while offlining/onlining CPUs on s390. Analyzing the vmcore data shows `stop_one_cpu_nowait()` in `affine_move_task()` can fail when racing with off-/on-lining resulting in a deadlock waiting for the pending migration stop work completion which is never done. Fix this by correctly handling such a condition. Fixes: 9e81889c7648 ("sched: Fix affine_move_task() self-concurrency") Cc: stable(a)vger.kernel.org Reported-by: Bill Peters <wpeters(a)atpco.net> Tested-by: Bill Peters <wpeters(a)atpco.net> Signed-off-by: Daniel Vacek <neelx(a)redhat.com> --- kernel/sched/core.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/kernel/sched/core.c b/kernel/sched/core.c index 9116bcc903467..d0ff5c611a1c8 100644 --- a/kernel/sched/core.c +++ b/kernel/sched/core.c @@ -3069,8 +3069,17 @@ static int affine_move_task(struct rq *rq, struct task_struct *p, struct rq_flag preempt_disable(); task_rq_unlock(rq, p, rf); if (!stop_pending) { - stop_one_cpu_nowait(cpu_of(rq), migration_cpu_stop, - &pending->arg, &pending->stop_work); + stop_pending = + stop_one_cpu_nowait(cpu_of(rq), migration_cpu_stop, + &pending->arg, &pending->stop_work); + + if (!stop_pending) { + rq = task_rq_lock(p, rf); + pending->stop_pending = false; + p->migration_pending = NULL; + task_rq_unlock(rq, p, rf); + complete_all(&pending->done); + } } preempt_enable(); -- 2.43.0

9 months, 3 weeks

2
5
0 0

[PATCH 5.15.y] ACPI: CPPC: Use access_width over bit_width for system memory accesses

by Easwar Hariharan

Hi Greg, Sasha, commit 2f4a4d63a193be6fd530d180bb13c3592052904c upstream is marked for 5.15+ with CC: stable(a)vger.kernel.org, but the application will fail with a merge conflict due to missing intermediate feature patches. When you apply the patch to 5.15, could you take the backport below instead? Thanks, Easwar PS: It will apply cleanly to the other stable branches. ----8x-------------------------- From ab7a492bcec34a3ad4ae4e2a6ad0e7e1c4fc783a Mon Sep 17 00:00:00 2001 From: Jarred White <jarredwhite(a)linux.microsoft.com> Date: Fri, 1 Mar 2024 11:25:59 -0800 Subject: [PATCH 1/1] ACPI: CPPC: Use access_width over bit_width for system memory accesses commit 2f4a4d63a193be6fd530d180bb13c3592052904c upstream To align with ACPI 6.3+, since bit_width can be any 8-bit value, it cannot be depended on to be always on a clean 8b boundary. This was uncovered on the Cobalt 100 platform. SError Interrupt on CPU26, code 0xbe000011 -- SError CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted 5.15.2.1-13 #1 Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION pstate: 62400009 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--) pc : cppc_get_perf_caps+0xec/0x410 lr : cppc_get_perf_caps+0xe8/0x410 sp : ffff8000155ab730 x29: ffff8000155ab730 x28: ffff0080139d0038 x27: ffff0080139d0078 x26: 0000000000000000 x25: ffff0080139d0058 x24: 00000000ffffffff x23: ffff0080139d0298 x22: ffff0080139d0278 x21: 0000000000000000 x20: ffff00802b251910 x19: ffff0080139d0000 x18: ffffffffffffffff x17: 0000000000000000 x16: ffffdc7e111bad04 x15: ffff00802b251008 x14: ffffffffffffffff x13: ffff013f1fd63300 x12: 0000000000000006 x11: ffffdc7e128f4420 x10: 0000000000000000 x9 : ffffdc7e111badec x8 : ffff00802b251980 x7 : 0000000000000000 x6 : ffff0080139d0028 x5 : 0000000000000000 x4 : ffff0080139d0018 x3 : 00000000ffffffff x2 : 0000000000000008 x1 : ffff8000155ab7a0 x0 : 0000000000000000 Kernel panic - not syncing: Asynchronous SError Interrupt CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted 5.15.2.1-13 #1 Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION Call trace: dump_backtrace+0x0/0x1e0 show_stack+0x24/0x30 dump_stack_lvl+0x8c/0xb8 dump_stack+0x18/0x34 panic+0x16c/0x384 add_taint+0x0/0xc0 arm64_serror_panic+0x7c/0x90 arm64_is_fatal_ras_serror+0x34/0xa4 do_serror+0x50/0x6c el1h_64_error_handler+0x40/0x74 el1h_64_error+0x7c/0x80 cppc_get_perf_caps+0xec/0x410 cppc_cpufreq_cpu_init+0x74/0x400 [cppc_cpufreq] cpufreq_online+0x2dc/0xa30 cpufreq_add_dev+0xc0/0xd4 subsys_interface_register+0x134/0x14c cpufreq_register_driver+0x1b0/0x354 cppc_cpufreq_init+0x1a8/0x1000 [cppc_cpufreq] do_one_initcall+0x50/0x250 do_init_module+0x60/0x27c load_module+0x2300/0x2570 __do_sys_finit_module+0xa8/0x114 __arm64_sys_finit_module+0x2c/0x3c invoke_syscall+0x78/0x100 el0_svc_common.constprop.0+0x180/0x1a0 do_el0_svc+0x84/0xa0 el0_svc+0x2c/0xc0 el0t_64_sync_handler+0xa4/0x12c el0t_64_sync+0x1a4/0x1a8 Instead, use access_width to determine the size and use the offset and width to shift and mask the bits to read/write out. Make sure to add a check for system memory since pcc redefines the access_width to subspace id. If access_width is not set, then fall back to using bit_width. Signed-off-by: Jarred White <jarredwhite(a)linux.microsoft.com> Reviewed-by: Easwar Hariharan <eahariha(a)linux.microsoft.com> Cc: 5.15+ <stable(a)vger.kernel.org> # 5.15+ [ rjw: Subject and changelog edits, comment adjustments ] Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> [ eahariha: Backport to v5.15 by dropping SystemIO bits as commit a2c8f92bea5f is not present ] Signed-off-by: Easwar Hariharan <eahariha(a)linux.microsoft.com> --- drivers/acpi/cppc_acpi.c | 27 ++++++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/drivers/acpi/cppc_acpi.c b/drivers/acpi/cppc_acpi.c index 7cc9183c8dc8..408b1fda5702 100644 --- a/drivers/acpi/cppc_acpi.c +++ b/drivers/acpi/cppc_acpi.c @@ -161,6 +161,13 @@ show_cppc_data(cppc_get_perf_caps, cppc_perf_caps, nominal_freq); show_cppc_data(cppc_get_perf_ctrs, cppc_perf_fb_ctrs, reference_perf); show_cppc_data(cppc_get_perf_ctrs, cppc_perf_fb_ctrs, wraparound_time); +/* Check for valid access_width, otherwise, fallback to using bit_width */ +#define GET_BIT_WIDTH(reg) ((reg)->access_width ? (8 << ((reg)->access_width - 1)) : (reg)->bit_width) + +/* Shift and apply the mask for CPC reads/writes */ +#define MASK_VAL(reg, val) ((val) >> ((reg)->bit_offset & \ + GENMASK(((reg)->bit_width), 0))) + static ssize_t show_feedback_ctrs(struct kobject *kobj, struct kobj_attribute *attr, char *buf) { @@ -762,8 +769,10 @@ int acpi_cppc_processor_probe(struct acpi_processor *pr) } else if (gas_t->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) { if (gas_t->address) { void __iomem *addr; + size_t access_width; - addr = ioremap(gas_t->address, gas_t->bit_width/8); + access_width = GET_BIT_WIDTH(gas_t) / 8; + addr = ioremap(gas_t->address, access_width); if (!addr) goto out_free; cpc_ptr->cpc_regs[i-2].sys_mem_vaddr = addr; @@ -936,6 +945,7 @@ static int cpc_read(int cpu, struct cpc_register_resource *reg_res, u64 *val) { int ret_val = 0; void __iomem *vaddr = NULL; + int size; int pcc_ss_id = per_cpu(cpu_pcc_subspace_idx, cpu); struct cpc_reg *reg = &reg_res->cpc_entry.reg; @@ -955,7 +965,9 @@ static int cpc_read(int cpu, struct cpc_register_resource *reg_res, u64 *val) return acpi_os_read_memory((acpi_physical_address)reg->address, val, reg->bit_width); - switch (reg->bit_width) { + size = GET_BIT_WIDTH(reg); + + switch (size) { case 8: *val = readb_relaxed(vaddr); break; @@ -974,12 +986,16 @@ static int cpc_read(int cpu, struct cpc_register_resource *reg_res, u64 *val) ret_val = -EFAULT; } + if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) + *val = MASK_VAL(reg, *val); + return ret_val; } static int cpc_write(int cpu, struct cpc_register_resource *reg_res, u64 val) { int ret_val = 0; + int size; void __iomem *vaddr = NULL; int pcc_ss_id = per_cpu(cpu_pcc_subspace_idx, cpu); struct cpc_reg *reg = &reg_res->cpc_entry.reg; @@ -994,7 +1010,12 @@ static int cpc_write(int cpu, struct cpc_register_resource *reg_res, u64 val) return acpi_os_write_memory((acpi_physical_address)reg->address, val, reg->bit_width); - switch (reg->bit_width) { + size = GET_BIT_WIDTH(reg); + + if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) + val = MASK_VAL(reg, val); + + switch (size) { case 8: writeb_relaxed(val, vaddr); break; -- 2.34.1 -----------------------------------x8-------

9 months, 3 weeks

2
2
0 0

[PATCH 5.10 000/122] 5.10.211-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.10.211 release. There are 122 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 29 Feb 2024 13:15:36 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.211-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.10.211-rc1 Baokun Li <libaokun1(a)huawei.com> ext4: regenerate buddy after block freeing failed if under fc replay Kuniyuki Iwashima <kuniyu(a)amazon.com> arp: Prevent overflow in arp_req_get(). Bart Van Assche <bvanassche(a)acm.org> fs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio Michael Schmitz <schmitzmic(a)gmail.com> block: ataflop: more blk-mq refactoring fixes Armin Wolf <W_Armin(a)gmx.de> drm/amd/display: Fix memory leak in dm_sw_fini() Erik Kurzinger <ekurzinger(a)nvidia.com> drm/syncobj: call drm_syncobj_fence_add_wait when WAIT_AVAILABLE flag is set Christian König <christian.koenig(a)amd.com> drm/syncobj: make lockdep complain on WAIT_FOR_SUBMIT v3 Florian Westphal <fw(a)strlen.de> netfilter: nf_tables: set dormant flag on hook register failure Sabrina Dubroca <sd(a)queasysnail.net> tls: stop recv() if initial process_rx_list gave us non-DATA Jakub Kicinski <kuba(a)kernel.org> tls: rx: drop pointless else after goto Jakub Kicinski <kuba(a)kernel.org> tls: rx: jump to a more appropriate label Jason Gunthorpe <jgg(a)ziepe.ca> s390: use the correct count for __iowrite64_copy() Kees Cook <keescook(a)chromium.org> net: dev: Convert sa_data to flexible array in struct sockaddr Wolfram Sang <wsa+renesas(a)sang-engineering.com> packet: move from strlcpy with unused retval to strscpy Vasiliy Kovalev <kovalev(a)altlinux.org> ipv6: sr: fix possible use-after-free and null-ptr-deref Daniil Dulov <d.dulov(a)aladdin.ru> afs: Increase buffer size in afs_update_volume_status() Eric Dumazet <edumazet(a)google.com> ipv6: properly combine dev_base_seq and ipv6.dev_addr_genid Eric Dumazet <edumazet(a)google.com> ipv4: properly combine dev_base_seq and ipv4.dev_addr_genid Arnd Bergmann <arnd(a)arndb.de> nouveau: fix function cast warnings Randy Dunlap <rdunlap(a)infradead.org> scsi: jazz_esp: Only build if SCSI core is builtin Gianmarco Lusvardi <glusvardi(a)posteo.net> bpf, scripts: Correct GPL license name Arnd Bergmann <arnd(a)arndb.de> RDMA/srpt: fix function pointer cast warnings Heiko Stuebner <heiko.stuebner(a)cherry.de> arm64: dts: rockchip: set num-cs property for spi on px30 Kamal Heib <kheib(a)redhat.com> RDMA/qedr: Fix qedr_create_user_qp error flow Bart Van Assche <bvanassche(a)acm.org> RDMA/srpt: Support specifying the srpt_service_guid parameter Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> RDMA/bnxt_re: Return error for SRQ resize Zhipeng Lu <alexious(a)zju.edu.cn> IB/hfi1: Fix a memleak in init_credit_return Paolo Abeni <pabeni(a)redhat.com> mptcp: fix lockless access in subflow ULP diag Xu Yang <xu.yang_2(a)nxp.com> usb: roles: don't get/set_role() when usb_role_switch is unregistered Xu Yang <xu.yang_2(a)nxp.com> usb: roles: fix NULL pointer issue when put module's reference Krishna Kurapati <quic_kriskura(a)quicinc.com> usb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs Frank Li <Frank.Li(a)nxp.com> usb: cdns3: fix memory double free when handle zero packet Frank Li <Frank.Li(a)nxp.com> usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable() Peter Zijlstra <peterz(a)infradead.org> x86/alternative: Make custom return thunk unconditional Borislav Petkov (AMD) <bp(a)alien8.de> Revert "x86/alternative: Make custom return thunk unconditional" Peter Zijlstra <peterz(a)infradead.org> x86/returnthunk: Allow different return thunks Peter Zijlstra <peterz(a)infradead.org> x86/ftrace: Use alternative RET encoding Peter Zijlstra <peterz(a)infradead.org> x86/ibt,paravirt: Use text_gen_insn() for paravirt_patch() Peter Zijlstra <peterz(a)infradead.org> x86/text-patching: Make text_gen_insn() play nice with ANNOTATE_NOENDBR Borislav Petkov (AMD) <bp(a)alien8.de> Revert "x86/ftrace: Use alternative RET encoding" Nikita Shubin <nikita.shubin(a)maquefel.me> ARM: ep93xx: Add terminator to gpiod_lookup_table Tom Parkin <tparkin(a)katalix.com> l2tp: pass correct message length to ip6_append_data Vidya Sagar <vidyas(a)nvidia.com> PCI/MSI: Prevent MSI hardware interrupt number truncation Vasiliy Kovalev <kovalev(a)altlinux.org> gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp() Oliver Upton <oliver.upton(a)linux.dev> KVM: arm64: vgic-its: Test for valid IRQ in its_sync_lpi_pending_table() Oliver Upton <oliver.upton(a)linux.dev> KVM: arm64: vgic-its: Test for valid IRQ in MOVALL handler Mikulas Patocka <mpatocka(a)redhat.com> dm-crypt: don't modify the data when using authenticated encryption Peter Oberparleiter <oberpar(a)linux.ibm.com> s390/cio: fix invalid -EBUSY on ccw_device_start Daniel Vacek <neelx(a)redhat.com> IB/hfi1: Fix sdma.h tx->num_descs off-by-one error Gao Xiang <hsiangkao(a)linux.alibaba.com> erofs: fix lz4 inplace decompression Jan Beulich <jbeulich(a)suse.com> x86: drop bogus "cc" clobber from __try_cmpxchg_user_asm() Zhihao Cheng <chengzhihao1(a)huawei.com> jbd2: Fix wrongly judgement for buffer head removing while doing checkpoint Zhang Yi <yi.zhang(a)huawei.com> jbd2: recheck chechpointing non-dirty buffer Zhang Yi <yi.zhang(a)huawei.com> jbd2: remove redundant buffer io error checks Johannes Berg <johannes.berg(a)intel.com> iwlwifi: mvm: write queue_sync_state only for sync Johannes Berg <johannes.berg(a)intel.com> iwlwifi: mvm: do more useful queue sync accounting Max Verevkin <me(a)maxverevkin.tk> platform/x86: intel-vbtn: Support for tablet mode on HP Pavilion 13 x360 PC Sergej Bauer <sbauer(a)blackbox.su> lan743x: fix for potential NULL pointer dereference with bare card Filipe Manana <fdmanana(a)suse.com> btrfs: do not pin logs too early during renames Filipe Manana <fdmanana(a)suse.com> btrfs: unify lookup return value when dir entry is missing Marcos Paulo de Souza <mpdesouza(a)suse.com> btrfs: introduce btrfs_lookup_match_dir Josef Bacik <josef(a)toxicpanda.com> btrfs: tree-checker: check for overlapping extent items Borislav Petkov <bp(a)suse.de> task_stack, x86/cea: Force-inline stack helpers Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> ASoC: Intel: bytcr_rt5651: Drop reference count of ACPI device after use Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com> ASoC: Intel: boards: get codec device with ACPI instead of bus search Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com> ASoC: Intel: boards: harden codec property handling YouChing Lin <ycllin(a)mxic.com.tw> mtd: spinand: macronix: Add support for MX35LFxGE4AD Shyam Prasad N <sprasad(a)microsoft.com> cifs: add a warning when the in-flight count goes negative Benjamin Gray <bgray(a)linux.ibm.com> powerpc/watchpoints: Annotate atomic context in more places Ravi Bangoria <ravi.bangoria(a)linux.ibm.com> powerpc/watchpoint: Workaround P10 DD1 issue with VSX-32 byte instructions Michael Schmitz <schmitzmic(a)gmail.com> block: ataflop: fix breakage introduced at blk-mq refactoring Kees Cook <keescook(a)chromium.org> seccomp: Invalidate seccomp mode to catch death failures Peter Zijlstra <peterz(a)infradead.org> x86/uaccess: Implement macros for CMPXCHG on user addresses Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> hsr: Avoid double remove of a node. Roger Pau Monne <roger.pau(a)citrix.com> hvc/xen: prevent concurrent accesses to the shared ring Dan Carpenter <error27(a)gmail.com> media: av7110: prevent underflow in write_ts_to_decoder() Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_micfil: register platform component before registering cpu dai Xiaolei Wang <xiaolei.wang(a)windriver.com> ARM: dts: imx: Set default tuning step for imx6sx usdhc Jiaxun Yang <jiaxun.yang(a)flygoat.com> irqchip/mips-gic: Don't touch vl_map if a local interrupt is not routable Rafał Miłecki <rafal(a)milecki.pl> ARM: dts: BCM53573: Drop nonexistent "default-off" LED trigger Geert Uytterhoeven <geert+renesas(a)glider.be> pmdomain: renesas: r8a77980-sysc: CR7 must be always on Yi Sun <yi.sun(a)unisoc.com> virtio-blk: Ensure no requests in virtqueues before deleting vqs. Takashi Sakamoto <o-takashi(a)sakamocchi.jp> firewire: core: send bus reset promptly on gap count error Hannes Reinecke <hare(a)suse.de> scsi: lpfc: Use unsigned type for num_sge Zhang Rui <rui.zhang(a)intel.com> hwmon: (coretemp) Enlarge per package core count limit Andrew Bresticker <abrestic(a)rivosinc.com> efi: Don't add memblocks for soft-reserved memory Andrew Bresticker <abrestic(a)rivosinc.com> efi: runtime: Fix potential overflow of soft-reserved region size Szilard Fabian <szfabian(a)bluemarch.art> Input: i8042 - add Fujitsu Lifebook U728 to i8042 quirk table Zhang Yi <yi.zhang(a)huawei.com> ext4: correct the hole length returned by ext4_map_blocks() Daniel Wagner <dwagner(a)suse.de> nvmet-fc: abort command when there is no binding Daniel Wagner <dwagner(a)suse.de> nvmet-fc: release reference on target port Daniel Wagner <dwagner(a)suse.de> nvmet-fcloop: swap the list_add_tail arguments Daniel Wagner <dwagner(a)suse.de> nvme-fc: do not wait in vain when unloading module Xin Long <lucien.xin(a)gmail.com> netfilter: conntrack: check SCTP_CID_SHUTDOWN_ACK for vtag setting in sctp_new Wolfram Sang <wsa+renesas(a)sang-engineering.com> spi: sh-msiof: avoid integer overflow in constants Chen-Yu Tsai <wens(a)csie.org> ASoC: sunxi: sun4i-spdif: Add support for Allwinner H616 Guixin Liu <kanie(a)linux.alibaba.com> nvmet-tcp: fix nvme tcp ida memory leak Martin Blumenstingl <martin.blumenstingl(a)googlemail.com> regulator: pwm-regulator: Add validity checks in continuous .get_voltage Kunwu Chan <chentao(a)kylinos.cn> dmaengine: ti: edma: Add some null pointer checks to the edma_probe Baokun Li <libaokun1(a)huawei.com> ext4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal() Baokun Li <libaokun1(a)huawei.com> ext4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found() Lennert Buytenhek <kernel(a)wantstofly.org> ahci: add 43-bit DMA address quirk for ASMedia ASM1061 controllers Conrad Kostecki <conikost(a)gentoo.org> ahci: asm1166: correct count of reported ports Devyn Liu <liudingyuan(a)huawei.com> spi: hisi-sfc-v3xx: Return IRQ_NONE if no interrupts were detected Fullway Wang <fullwaywang(a)outlook.com> fbdev: sis: Error out if pixclock equals zero Fullway Wang <fullwaywang(a)outlook.com> fbdev: savage: Error out if pixclock equals zero Felix Fietkau <nbd(a)nbd.name> wifi: mac80211: fix race condition on enabling fast-xmit Michal Kazior <michal(a)plume.com> wifi: cfg80211: fix missing interfaces when dumping Vinod Koul <vkoul(a)kernel.org> dmaengine: fsl-qdma: increase size of 'irq_name' Vinod Koul <vkoul(a)kernel.org> dmaengine: shdma: increase size of 'dev_id' Dmitry Bogdanov <d.bogdanov(a)yadro.com> scsi: target: core: Add TMF to tmr_list handling Cyril Hrubis <chrubis(a)suse.cz> sched/rt: Disallow writing invalid values to sched_rt_period_us Cyril Hrubis <chrubis(a)suse.cz> sched/rt: Fix sysctl_sched_rr_timeslice intial value Damien Le Moal <dlemoal(a)kernel.org> zonefs: Improve error handling Lokesh Gidra <lokeshgidra(a)google.com> userfaultfd: fix mmap_changing checking in mfill_atomic_hugetlb Cyril Hrubis <chrubis(a)suse.cz> sched/rt: sysctl_sched_rr_timeslice show default timeslice after reset Paulo Alcantara <pc(a)manguebit.com> smb: client: fix parsing of SMB3.1.1 POSIX create context Paulo Alcantara <pc(a)manguebit.com> smb: client: fix potential OOBs in smb2_parse_contexts() Paulo Alcantara <pc(a)manguebit.com> smb: client: fix OOB in receive_encrypted_standard() Jamal Hadi Salim <jhs(a)mojatatu.com> net/sched: Retire dsmark qdisc Jamal Hadi Salim <jhs(a)mojatatu.com> net/sched: Retire ATM qdisc Jamal Hadi Salim <jhs(a)mojatatu.com> net/sched: Retire CBQ qdisc ------------- Diffstat: Makefile | 4 +- arch/arm/boot/dts/bcm47189-luxul-xap-1440.dts | 1 - arch/arm/boot/dts/bcm47189-luxul-xap-810.dts | 2 - arch/arm/boot/dts/imx6sx.dtsi | 6 + arch/arm/mach-ep93xx/core.c | 1 + arch/arm64/boot/dts/rockchip/px30.dtsi | 2 + arch/arm64/kvm/vgic/vgic-its.c | 5 + arch/powerpc/kernel/hw_breakpoint.c | 76 +- arch/s390/pci/pci.c | 2 +- arch/x86/include/asm/cpu_entry_area.h | 2 +- arch/x86/include/asm/nospec-branch.h | 2 + arch/x86/include/asm/text-patching.h | 46 +- arch/x86/include/asm/uaccess.h | 142 ++ arch/x86/kernel/alternative.c | 13 +- arch/x86/kernel/ftrace.c | 4 +- arch/x86/kernel/paravirt.c | 22 +- arch/x86/kernel/static_call.c | 2 +- arch/x86/net/bpf_jit_comp.c | 2 +- drivers/ata/ahci.c | 34 +- drivers/ata/ahci.h | 1 + drivers/block/ataflop.c | 56 +- drivers/block/virtio_blk.c | 7 +- drivers/dma/fsl-qdma.c | 2 +- drivers/dma/sh/shdma.h | 2 +- drivers/dma/ti/edma.c | 10 + drivers/firewire/core-card.c | 18 +- drivers/firmware/efi/arm-runtime.c | 2 +- drivers/firmware/efi/efi-init.c | 19 +- drivers/firmware/efi/riscv-runtime.c | 2 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 1 + drivers/gpu/drm/drm_syncobj.c | 16 +- drivers/gpu/drm/nouveau/nvkm/subdev/bios/shadow.c | 8 +- drivers/hwmon/coretemp.c | 2 +- drivers/infiniband/hw/bnxt_re/ib_verbs.c | 5 +- drivers/infiniband/hw/hfi1/pio.c | 6 +- drivers/infiniband/hw/hfi1/sdma.c | 2 +- drivers/infiniband/hw/qedr/verbs.c | 11 +- drivers/infiniband/ulp/srpt/ib_srpt.c | 17 +- drivers/input/serio/i8042-acpipnpio.h | 8 + drivers/irqchip/irq-mips-gic.c | 2 + drivers/md/dm-crypt.c | 6 + drivers/media/pci/ttpci/av7110_av.c | 4 +- drivers/mtd/nand/spi/macronix.c | 20 + drivers/net/ethernet/microchip/lan743x_ethtool.c | 9 +- drivers/net/gtp.c | 10 +- drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 14 +- drivers/net/wireless/intel/iwlwifi/mvm/mvm.h | 2 +- drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 2 +- drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c | 10 +- drivers/nvme/host/fc.c | 47 +- drivers/nvme/target/fc.c | 11 +- drivers/nvme/target/fcloop.c | 6 +- drivers/nvme/target/tcp.c | 1 + drivers/pci/msi.c | 2 +- drivers/platform/x86/intel-vbtn.c | 6 + drivers/regulator/pwm-regulator.c | 3 + drivers/s390/cio/device_ops.c | 6 +- drivers/scsi/Kconfig | 2 +- drivers/scsi/lpfc/lpfc_scsi.c | 12 +- drivers/soc/renesas/r8a77980-sysc.c | 3 +- drivers/spi/spi-hisi-sfc-v3xx.c | 5 + drivers/spi/spi-sh-msiof.c | 16 +- drivers/target/target_core_device.c | 5 - drivers/target/target_core_transport.c | 4 + drivers/tty/hvc/hvc_xen.c | 19 +- drivers/usb/cdns3/gadget.c | 8 +- drivers/usb/gadget/function/f_ncm.c | 10 +- drivers/usb/roles/class.c | 29 +- drivers/video/fbdev/savage/savagefb_driver.c | 3 + drivers/video/fbdev/sis/sis_main.c | 2 + fs/afs/volume.c | 4 +- fs/aio.c | 9 +- fs/btrfs/ctree.h | 2 +- fs/btrfs/dir-item.c | 122 +- fs/btrfs/inode.c | 48 +- fs/btrfs/tree-checker.c | 25 +- fs/btrfs/tree-log.c | 14 +- fs/cifs/smb2ops.c | 19 +- fs/cifs/smb2pdu.c | 95 +- fs/cifs/smb2proto.h | 12 +- fs/erofs/decompressor.c | 24 +- fs/ext4/extents.c | 111 +- fs/ext4/mballoc.c | 33 +- fs/jbd2/checkpoint.c | 137 +- fs/zonefs/super.c | 68 +- include/linux/fs.h | 2 + include/linux/lockdep.h | 5 + include/linux/sched/task_stack.h | 2 +- include/linux/socket.h | 5 +- include/net/tcp.h | 2 +- kernel/sched/rt.c | 10 +- kernel/seccomp.c | 10 + kernel/sysctl.c | 4 + mm/userfaultfd.c | 14 +- net/core/dev.c | 2 +- net/core/dev_ioctl.c | 2 +- net/hsr/hsr_framereg.c | 16 +- net/hsr/hsr_framereg.h | 1 + net/ipv4/arp.c | 3 +- net/ipv4/devinet.c | 21 +- net/ipv6/addrconf.c | 21 +- net/ipv6/seg6.c | 20 +- net/l2tp/l2tp_ip6.c | 2 +- net/mac80211/sta_info.c | 2 + net/mac80211/tx.c | 2 +- net/mptcp/diag.c | 6 +- net/netfilter/nf_conntrack_proto_sctp.c | 2 +- net/netfilter/nf_tables_api.c | 1 + net/packet/af_packet.c | 12 +- net/sched/Kconfig | 42 - net/sched/Makefile | 3 - net/sched/sch_atm.c | 709 -------- net/sched/sch_cbq.c | 1816 --------------------- net/sched/sch_dsmark.c | 521 ------ net/tls/tls_main.c | 2 +- net/tls/tls_sw.c | 12 +- net/wireless/nl80211.c | 1 + scripts/bpf_helpers_doc.py | 2 +- sound/soc/fsl/fsl_micfil.c | 15 +- sound/soc/intel/boards/bytcht_es8316.c | 14 +- sound/soc/intel/boards/bytcr_rt5640.c | 46 +- sound/soc/intel/boards/bytcr_rt5651.c | 41 +- sound/soc/sunxi/sun4i-spdif.c | 5 + 123 files changed, 1267 insertions(+), 3694 deletions(-)

9 months, 3 weeks

12
139
0 0

v4.19 backport request for crypto af_alg

by Ralph Siemsen

I have found a regression in userspace behaviour after commit 67b164a871a got backported into 4.19.306 as commit 19af0310c8767. The regression can be fixed by backporting two additional commits, detailed below. The regression can be reproduced with the following sequence: echo some text > plain.txt openssl enc -k mysecret -aes-256-cbc -in plain.txt -out cipher.txt -engine afalg It fails intermittently with the message "error writing to file", but this error is a bit misleading, the actual problem is that the kernel returns -16 (EBUSY) on the encoding operation. The EBUSY comes from the newly added in-flight check. This check is correct, however it fails on 4.19 kernel, because it is missing two earlier commits: f3c802a1f3001 crypto: algif_aead - Only wake up when ctx->more is zero 21dfbcd1f5cbf crypto: algif_aead - fix uninitialized ctx->init I was able to cherry-pick those into 4.19.y, with just a minor conflict in one case. With those applied, the openssl command no longer fails. Similar fixes are likely needed in 5.4.y, however I did not test this. No change is needed in 5.10 or newer, as the two commits are present. Please add the two commits to 4.19.y (and probably also 5.4.y). Thanks, -Ralph

9 months, 3 weeks

2
1
0 0

Re: [PATCH] crypto: af_alg - Disallow multiple in-flight AIO requests

by Linux regression tracking (Thorsten Leemhuis)

[CCing the stable team, as it looks like two prerequisite changes for a patch already applied are missing in at least 4.19.y] On 15.03.24 18:55, Ralph Siemsen wrote: > > I have found a regression in userspace behaviour after this patch was > merged into the 4.19.y kernel. The fix seems to involve backporting a > few more changes. Could you review details below and confirm if this is > the right approach? FWIW, developers are totally free to not care about stable and longterm kernels series. Not sure if Herbert is among those developers, but it might explain why there is no reply yet. That's why I CCed the stable maintainers, strictly speaking they are responsible. > On Tue, Nov 28, 2023 at 04:25:49PM +0800, Herbert Xu wrote: >> Having multiple in-flight AIO requests results in unpredictable >> output because they all share the same IV. Fix this by only allowing >> one request at a time. > [...] > This change got backported on the 4.19 kernel in January: > https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=… > > Since then, I am seeCiao, ing a regression in a simple openssl encoding test: > > openssl enc -k mysecret -aes-256-cbc -in plain.txt -out cipher.txt > -engine afalg > > It fails intermittently with the message "error writing to file", but > this error is a bit misleading, the actual problem is that the kernel > returns -16 (EBUSY) on the encoding operation. > > This happens only in 4.19, and not under 5.10. The patch seems correct, > however it seems we are missing a couple of other patches on 4.19: > > f3c802a1f3001 crypto: algif_aead - Only wake up when ctx->more is zero > 21dfbcd1f5cbf crypto: algif_aead - fix uninitialized ctx->init > > I was able to cherry-pick those into 4.19.y, with just a minor conflict > in one case. With those applied, the openssl command no longer fails. Some feedback here from Herbert would of course be splendid, but maybe your tests are all the stable team needs to pick those up for a future 4.19.y release. > I suspect similar changes would be needed also in 5.4 kernel, however I > neither checked that, nor have I run any tests on that version. Ciao, Thorsten (wearing his 'the Linux kernel's regression tracker' hat) -- Everything you wanna know about Linux kernel regression tracking: https://linux-regtracking.leemhuis.info/about/#tldr If I did something stupid, please tell me, as explained on that page.

9 months, 3 weeks

1
1
0 0

[PATCH v2] irqchip/sifive-plic: enable interrupt if needed before EOI

by Nam Cao

RISC-V PLIC cannot "end-of-interrupt" (EOI) disabled interrupts, as explained in the description of Interrupt Completion in the PLIC spec: "The PLIC signals it has completed executing an interrupt handler by writing the interrupt ID it received from the claim to the claim/complete register. The PLIC does not check whether the completion ID is the same as the last claim ID for that target. If the completion ID does not match an interrupt source that *is currently enabled* for the target, the completion is silently ignored." Commit 69ea463021be ("irqchip/sifive-plic: Fixup EOI failed when masked") ensured that EOI is successful by enabling interrupt first, before EOI. Commit a1706a1c5062 ("irqchip/sifive-plic: Separate the enable and mask operations") removed the interrupt enabling code from the previous commit, because it assumes that interrupt should already be enabled at the point of EOI. However, this is incorrect: there is a window after a hart claiming an interrupt and before irq_desc->lock getting acquired, interrupt can be disabled during this window. Thus, EOI can be invoked while the interrupt is disabled, effectively nullify this EOI. This results in the interrupt never gets asserted again, and the device who uses this interrupt appears frozen. Make sure that interrupt is really enabled before EOI. Fixes: a1706a1c5062 ("irqchip/sifive-plic: Separate the enable and mask operations") Cc: <stable(a)vger.kernel.org> Signed-off-by: Nam Cao <namcao(a)linutronix.de> --- v2: - add unlikely() for optimization - re-word commit message to make it clearer drivers/irqchip/irq-sifive-plic.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/irqchip/irq-sifive-plic.c b/drivers/irqchip/irq-sifive-plic.c index e1484905b7bd..0a233e9d9607 100644 --- a/drivers/irqchip/irq-sifive-plic.c +++ b/drivers/irqchip/irq-sifive-plic.c @@ -148,7 +148,13 @@ static void plic_irq_eoi(struct irq_data *d) { struct plic_handler *handler = this_cpu_ptr(&plic_handlers); - writel(d->hwirq, handler->hart_base + CONTEXT_CLAIM); + if (unlikely(irqd_irq_disabled(d))) { + plic_toggle(handler, d->hwirq, 1); + writel(d->hwirq, handler->hart_base + CONTEXT_CLAIM); + plic_toggle(handler, d->hwirq, 0); + } else { + writel(d->hwirq, handler->hart_base + CONTEXT_CLAIM); + } } #ifdef CONFIG_SMP -- 2.39.2

9 months, 3 weeks

4
4
0 0

[PATCH 6.6/6.1 0/1] pppoe: Fix memory leak in pppoe_sendmsg()

by Gavrilov Ilia

syzbot reports a memory leak in pppoe_sendmsg in 6.6 and 6.1 stable releases. The problem has been fixed by the following patch which can be cleanly applied to the 6.6 and 6.1 branches. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with Syzkaller Gavrilov Ilia (1): pppoe: Fix memory leak in pppoe_sendmsg() drivers/net/ppp/pppoe.c | 23 +++++++++-------------- 1 file changed, 9 insertions(+), 14 deletions(-) -- 2.39.2

9 months, 3 weeks

1
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror March 2024