May 2024 - Linux-stable-mirror

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.92 kernel. All users of the 6.1 kernel series must upgrade. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/admin-guide/hw-vuln/core-scheduling.rst | 4 Documentation/sphinx/kernel_include.py | 1 Makefile | 2 arch/arm64/Kconfig | 1 arch/arm64/include/asm/lse.h | 1 drivers/android/binder.c | 2 drivers/android/binder_internal.h | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c | 3 drivers/gpu/drm/amd/display/dc/dsc/dc_dsc.c | 7 drivers/mfd/stpmic1.c | 5 drivers/mmc/core/mmc.c | 9 drivers/net/ethernet/intel/ice/ice_virtchnl.c | 22 - drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c | 3 drivers/net/ethernet/micrel/ks8851_common.c | 18 - drivers/net/usb/ax88179_178a.c | 37 +- drivers/pinctrl/core.c | 14 drivers/remoteproc/mtk_scp.c | 10 drivers/tty/serial/kgdboc.c | 30 ++ drivers/usb/dwc3/gadget.c | 4 drivers/usb/typec/tipd/core.c | 45 ++- drivers/usb/typec/tipd/tps6598x.h | 11 drivers/usb/typec/ucsi/displayport.c | 4 fs/iomap/buffered-io.c | 254 +++++++++++++++++- fs/iomap/iter.c | 19 + fs/nfs/callback.c | 9 fs/nfsd/nfs4proc.c | 5 fs/nfsd/nfssvc.c | 12 fs/xfs/libxfs/xfs_bmap.c | 8 fs/xfs/libxfs/xfs_errortag.h | 12 fs/xfs/libxfs/xfs_refcount.c | 146 +++++++++- fs/xfs/libxfs/xfs_sb.c | 7 fs/xfs/xfs_aops.c | 37 +- fs/xfs/xfs_bmap_util.c | 10 fs/xfs/xfs_bmap_util.h | 2 fs/xfs/xfs_buf.c | 1 fs/xfs/xfs_buf_item.c | 2 fs/xfs/xfs_error.c | 27 + fs/xfs/xfs_file.c | 2 fs/xfs/xfs_fsops.c | 4 fs/xfs/xfs_icache.c | 6 fs/xfs/xfs_inode.c | 16 - fs/xfs/xfs_ioctl.c | 4 fs/xfs/xfs_iomap.c | 177 +++++++----- fs/xfs/xfs_iomap.h | 6 fs/xfs/xfs_log.c | 53 +-- fs/xfs/xfs_mount.c | 15 + fs/xfs/xfs_pnfs.c | 6 include/linux/iomap.h | 47 ++- net/sunrpc/svc_xprt.c | 16 - security/keys/trusted-keys/trusted_tpm2.c | 25 + 50 files changed, 865 insertions(+), 298 deletions(-) Aidan MacDonald (1): mfd: stpmic1: Fix swapped mask/unmask in irq chip Akira Yokosawa (1): docs: kernel_include.py: Cope with docutils 0.21 AngeloGioacchino Del Regno (1): remoteproc: mediatek: Make sure IPI buffer fits in L2TCM Carlos Llamas (1): binder: fix max_thread type inconsistency Daniel Thompson (1): serial: kgdboc: Fix NMI-safety problems from keyboard reset code Darrick J. Wong (8): xfs: fix incorrect error-out in xfs_remove xfs: invalidate block device page cache during unmount xfs: attach dquots to inode before reading data/cow fork mappings xfs: hoist refcount record merge predicates xfs: estimate post-merge refcounts correctly xfs: invalidate xfs_bufs when allocating cow extents xfs: allow inode inactivation during a ro mount log recovery xfs: fix log recovery when unknown rocompat bits are set Dave Chinner (10): xfs: write page faults in iomap are not buffered writes xfs: punching delalloc extents on write failure is racy xfs: use byte ranges for write cleanup ranges xfs,iomap: move delalloc punching to iomap iomap: buffered write failure should not truncate the page cache xfs: xfs_bmap_punch_delalloc_range() should take a byte range iomap: write iomap validity checks xfs: use iomap_valid method to detect stale cached iomaps xfs: drop write error injection is unfixable, remove it xfs: fix off-by-one-block in xfs_discard_folio() Eric Sandeen (1): xfs: short circuit xfs_growfs_data_private() if delta is zero Greg Kroah-Hartman (1): Linux 6.1.92 Guo Xuenan (2): xfs: wait iclog complete before tearing down AIL xfs: fix super block buf log item UAF during force shutdown Heikki Krogerus (1): usb: typec: ucsi: displayport: Fix potential deadlock Hironori Shiina (1): xfs: get root inode correctly at bulkstat Jacob Keller (2): ice: pass VSI pointer into ice_vc_isvalid_q_id ice: remove unnecessary duplicate checks for VF VSI ID Jarkko Sakkinen (2): KEYS: trusted: Fix memory leak in tpm2_key_encode() KEYS: trusted: Do not use WARN when encode fails Javier Carrasco (1): usb: typec: tipd: fix event checking for tps6598x Jose Fernandez (1): drm/amd/display: Fix division by zero in setup_dsc_config Jose Ignacio Tornos Martinez (1): net: usb: ax88179_178a: fix link status when link is set to down/up Long Li (2): xfs: fix sb write verify for lazysbcount xfs: fix incorrect i_nlink caused by inode racing Mark Rutland (1): arm64: atomics: lse: remove stale dependency on JUMP_LABEL Mengqi Zhang (1): mmc: core: Add HS400 tuning in HS400es initialization NeilBrown (1): nfsd: don't allow nfsd threads to be signalled. Prashanth K (1): usb: dwc3: Wait unconditionally after issuing EndXfer command Ronald Wahl (1): net: ks8851: Fix another TX stall caused by wrong ISR flag handling Sergey Shtylyov (1): pinctrl: core: handle radix_tree_insert() errors in pinctrl_register_one_pin() Srinivasan Shanmugam (1): drm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper() Thomas Weißschuh (1): admin-guide/hw-vuln/core-scheduling: fix return type of PR_SCHED_CORE_GET

1 year, 1 month

1
1
0 0

Linux 5.15.160

by Greg Kroah-Hartman

I'm announcing the release of the 5.15.160 kernel. All users of the 5.15 kernel series must upgrade. The updated 5.15.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.15.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/admin-guide/hw-vuln/core-scheduling.rst | 4 Documentation/sphinx/kernel_include.py | 1 Makefile | 2 arch/x86/kvm/x86.c | 11 drivers/android/binder.c | 2 drivers/android/binder_internal.h | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c | 3 drivers/gpu/drm/amd/display/dc/dsc/dc_dsc.c | 7 drivers/net/ethernet/broadcom/genet/bcmgenet.c | 12 - drivers/net/ethernet/broadcom/genet/bcmgenet.h | 2 drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c | 6 drivers/net/ethernet/broadcom/genet/bcmmii.c | 4 drivers/pinctrl/core.c | 14 - drivers/remoteproc/mtk_scp.c | 10 drivers/tty/serial/kgdboc.c | 30 ++ drivers/usb/typec/ucsi/displayport.c | 4 fs/nfs/callback.c | 9 fs/nfsd/nfs4proc.c | 5 fs/nfsd/nfssvc.c | 12 - include/net/tls.h | 6 net/netlink/af_netlink.c | 23 +- net/sunrpc/svc_xprt.c | 16 - net/tls/tls_sw.c | 199 +++++++++--------- security/keys/trusted-keys/trusted_tpm2.c | 25 +- tools/testing/selftests/vm/map_hugetlb.c | 7 25 files changed, 242 insertions(+), 174 deletions(-) Akira Yokosawa (1): docs: kernel_include.py: Cope with docutils 0.21 AngeloGioacchino Del Regno (1): remoteproc: mediatek: Make sure IPI buffer fits in L2TCM Carlos Llamas (1): binder: fix max_thread type inconsistency Daniel Thompson (1): serial: kgdboc: Fix NMI-safety problems from keyboard reset code Doug Berger (2): net: bcmgenet: synchronize EXT_RGMII_OOB_CTRL access net: bcmgenet: synchronize UMAC_CMD access Eric Dumazet (2): netlink: annotate lockless accesses to nlk->max_recvmsg_len netlink: annotate data-races around sk->sk_err Greg Kroah-Hartman (1): Linux 5.15.160 Harshit Mogalapalli (1): Revert "selftests: mm: fix map_hugetlb failure on 64K page size systems" Heikki Krogerus (1): usb: typec: ucsi: displayport: Fix potential deadlock Jakub Kicinski (4): tls: rx: simplify async wait net: tls: factor out tls_*crypt_async_wait() tls: fix race between async notify and socket close net: tls: handle backlogging of crypto requests Jarkko Sakkinen (2): KEYS: trusted: Fix memory leak in tpm2_key_encode() KEYS: trusted: Do not use WARN when encode fails Jose Fernandez (1): drm/amd/display: Fix division by zero in setup_dsc_config NeilBrown (1): nfsd: don't allow nfsd threads to be signalled. Sabrina Dubroca (1): tls: extract context alloc/initialization out of tls_set_sw_offload Sean Christopherson (1): KVM: x86: Clear "has_error_code", not "error_code", for RM exception injection Sergey Shtylyov (1): pinctrl: core: handle radix_tree_insert() errors in pinctrl_register_one_pin() Srinivasan Shanmugam (1): drm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper() Thomas Weißschuh (1): admin-guide/hw-vuln/core-scheduling: fix return type of PR_SCHED_CORE_GET

1 year, 1 month

1
1
0 0

Linux 5.10.218

by Greg Kroah-Hartman

I'm announcing the release of the 5.10.218 kernel. All users of the 5.10 kernel series must upgrade. The updated 5.10.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.10.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/sphinx/kernel_include.py | 1 Makefile | 2 - arch/x86/entry/entry_64.S | 17 +++++------ arch/x86/include/asm/irqflags.h | 7 ---- arch/x86/include/asm/paravirt.h | 5 --- arch/x86/include/asm/paravirt_types.h | 8 ----- arch/x86/kernel/asm-offsets_64.c | 2 - arch/x86/kernel/paravirt.c | 5 --- arch/x86/kernel/paravirt_patch.c | 4 -- arch/x86/kvm/x86.c | 11 ++++++- arch/x86/xen/enlighten_pv.c | 1 arch/x86/xen/xen-asm.S | 21 -------------- arch/x86/xen/xen-ops.h | 2 - drivers/firmware/arm_scmi/reset.c | 6 +++- drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c | 3 ++ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 12 +++++++- drivers/net/ethernet/broadcom/genet/bcmgenet.h | 2 + drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c | 6 ++++ drivers/net/ethernet/broadcom/genet/bcmmii.c | 4 ++ drivers/pinctrl/core.c | 14 +++++++-- drivers/tty/serial/kgdboc.c | 30 ++++++++++++++++++++- drivers/usb/typec/ucsi/displayport.c | 4 -- fs/btrfs/volumes.c | 1 net/mptcp/protocol.c | 2 + net/netlink/af_netlink.c | 15 ++++++---- security/integrity/ima/ima_policy.c | 29 ++++++++++++++------ tools/testing/selftests/vm/map_hugetlb.c | 7 ---- 27 files changed, 122 insertions(+), 99 deletions(-) Akira Yokosawa (1): docs: kernel_include.py: Cope with docutils 0.21 Cristian Marussi (1): firmware: arm_scmi: Harden accesses to the reset domains Daniel Thompson (1): serial: kgdboc: Fix NMI-safety problems from keyboard reset code Dominique Martinet (1): btrfs: add missing mutex_unlock in btrfs_relocate_sys_chunks() Doug Berger (2): net: bcmgenet: synchronize EXT_RGMII_OOB_CTRL access net: bcmgenet: synchronize UMAC_CMD access Eric Dumazet (1): netlink: annotate lockless accesses to nlk->max_recvmsg_len Greg Kroah-Hartman (1): Linux 5.10.218 Harshit Mogalapalli (1): Revert "selftests: mm: fix map_hugetlb failure on 64K page size systems" Heikki Krogerus (1): usb: typec: ucsi: displayport: Fix potential deadlock Juergen Gross (1): x86/xen: Drop USERGS_SYSRET64 paravirt call Paolo Abeni (1): mptcp: ensure snd_nxt is properly initialized on connect Sean Christopherson (1): KVM: x86: Clear "has_error_code", not "error_code", for RM exception injection Sergey Shtylyov (1): pinctrl: core: handle radix_tree_insert() errors in pinctrl_register_one_pin() Srinivasan Shanmugam (1): drm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper() liqiong (1): ima: fix deadlock when traversing "ima_default_rules".

1 year, 1 month

1
1
0 0

Linux 5.4.277

by Greg Kroah-Hartman

I'm announcing the release of the 5.4.277 kernel. All users of the 5.4 kernel series must upgrade. The updated 5.4.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.4.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/sphinx/kernel_include.py | 1 Makefile | 2 arch/arm64/boot/dts/qcom/msm8998.dtsi | 8 +- drivers/firmware/arm_scmi/reset.c | 6 + drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c | 3 drivers/net/ethernet/broadcom/genet/bcmgenet.c | 22 ++++- drivers/net/ethernet/broadcom/genet/bcmgenet.h | 2 drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c | 12 ++- drivers/net/ethernet/broadcom/genet/bcmmii.c | 43 ++--------- drivers/pinctrl/core.c | 14 ++- drivers/tty/serial/kgdboc.c | 30 +++++++ drivers/usb/typec/ucsi/displayport.c | 4 - fs/btrfs/volumes.c | 1 fs/cifs/smb2ops.c | 4 - fs/cifs/smb2pdu.c | 81 +++++++++++++-------- fs/cifs/smb2proto.h | 10 +- fs/ext4/extents.c | 10 +- tools/testing/selftests/vm/map_hugetlb.c | 7 - 18 files changed, 161 insertions(+), 99 deletions(-) Akira Yokosawa (1): docs: kernel_include.py: Cope with docutils 0.21 Baokun Li (1): ext4: fix bug_on in __es_tree_search Cristian Marussi (1): firmware: arm_scmi: Harden accesses to the reset domains Daniel Thompson (1): serial: kgdboc: Fix NMI-safety problems from keyboard reset code Dominique Martinet (1): btrfs: add missing mutex_unlock in btrfs_relocate_sys_chunks() Doug Berger (5): Revert "net: bcmgenet: use RGMII loopback for MAC reset" net: bcmgenet: keep MAC in reset until PHY is up net: bcmgenet: synchronize EXT_RGMII_OOB_CTRL access net: bcmgenet: synchronize use of bcmgenet_set_rx_mode() net: bcmgenet: synchronize UMAC_CMD access Greg Kroah-Hartman (1): Linux 5.4.277 Harshit Mogalapalli (1): Revert "selftests: mm: fix map_hugetlb failure on 64K page size systems" Heikki Krogerus (1): usb: typec: ucsi: displayport: Fix potential deadlock Paulo Alcantara (1): smb: client: fix potential OOBs in smb2_parse_contexts() Rob Herring (1): arm64: dts: qcom: Fix 'interrupt-map' parent address cells Sergey Shtylyov (1): pinctrl: core: handle radix_tree_insert() errors in pinctrl_register_one_pin() Srinivasan Shanmugam (1): drm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper()

1 year, 1 month

1
1
0 0

Linux 4.19.315

by Greg Kroah-Hartman

I'm announcing the release of the 4.19.315 kernel. All users of the 4.19 kernel series must upgrade. The updated 4.19.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.19.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/sphinx/kernel_include.py | 1 Makefile | 2 drivers/md/dm-core.h | 2 drivers/md/dm-ioctl.c | 3 drivers/md/dm-table.c | 9 drivers/tty/serial/kgdboc.c | 30 fs/btrfs/volumes.c | 1 include/linux/string.h | 20 include/linux/trace_events.h | 2 kernel/trace/Kconfig | 4 kernel/trace/Makefile | 1 kernel/trace/trace.c | 26 kernel/trace/trace_dynevent.c | 210 ++++++ kernel/trace/trace_dynevent.h | 119 +++ kernel/trace/trace_events.c | 32 kernel/trace/trace_events_hist.c | 1048 ++++++++++++++++++------------- kernel/trace/trace_probe.c | 2 kernel/trace/trace_stack.c | 2 tools/testing/selftests/vm/map_hugetlb.c | 7 19 files changed, 1050 insertions(+), 471 deletions(-) Akira Yokosawa (1): docs: kernel_include.py: Cope with docutils 0.21 Daniel Thompson (1): serial: kgdboc: Fix NMI-safety problems from keyboard reset code Dominique Martinet (1): btrfs: add missing mutex_unlock in btrfs_relocate_sys_chunks() Greg Kroah-Hartman (1): Linux 4.19.315 Harshit Mogalapalli (1): Revert "selftests: mm: fix map_hugetlb failure on 64K page size systems" Masami Hiramatsu (4): tracing: Simplify creation and deletion of synthetic events tracing: Add unified dynamic event framework tracing: Use dyn_event framework for synthetic events tracing: Remove unneeded synth_event_mutex Mikulas Patocka (1): dm: limit the number of targets and parameter size area Steven Rostedt (VMware) (5): tracing: Consolidate trace_add/remove_event_call back to the nolock functions string.h: Add str_has_prefix() helper function tracing: Use str_has_prefix() helper for histogram code tracing: Use str_has_prefix() instead of using fixed sizes tracing: Have the historgram use the result of str_has_prefix() for len of prefix Tom Zanussi (4): tracing: Refactor hist trigger action code tracing: Split up onmatch action data tracing: Generalize hist trigger onmax and save action tracing: Remove unnecessary var_ref destroy in track_data_destroy()

1 year, 1 month

1
1
0 0

cherry-pick request for "arm64/fpsimd: Avoid erroneous elide of user state reload"

by Florian Klink

Hey, I got encouraged to send another email here from https://github.com/tpwrules/nixos-apple-silicon/issues/200. "arm64/fpsimd: Avoid erroneous elide of user state reload" / https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… fixes a data corruption issue with dm-crypt on aarch64, reproducible on the mainline Linux kernel (not just asahi specific!). This list has been included as Cc on this commit, but it'd be very nice to make sure this already lands in 6.9.2, due to its data corruption nature. Thanks, Florian

1 year, 1 month

2
1
0 0

[tip: irq/urgent] genirq/irqdesc: Prevent use-after-free in irq_find_at_or_after()

by tip-bot2 for dicken.ding

The following commit has been merged into the irq/urgent branch of tip: Commit-ID: b84a8aba806261d2f759ccedf4a2a6a80a5e55ba Gitweb: https://git.kernel.org/tip/b84a8aba806261d2f759ccedf4a2a6a80a5e55ba Author: dicken.ding <dicken.ding(a)mediatek.com> AuthorDate: Fri, 24 May 2024 17:17:39 +08:00 Committer: Thomas Gleixner <tglx(a)linutronix.de> CommitterDate: Fri, 24 May 2024 12:49:35 +02:00 genirq/irqdesc: Prevent use-after-free in irq_find_at_or_after() irq_find_at_or_after() dereferences the interrupt descriptor which is returned by mt_find() while neither holding sparse_irq_lock nor RCU read lock, which means the descriptor can be freed between mt_find() and the dereference: CPU0 CPU1 desc = mt_find() delayed_free_desc(desc) irq_desc_get_irq(desc) The use-after-free is reported by KASAN: Call trace: irq_get_next_irq+0x58/0x84 show_stat+0x638/0x824 seq_read_iter+0x158/0x4ec proc_reg_read_iter+0x94/0x12c vfs_read+0x1e0/0x2c8 Freed by task 4471: slab_free_freelist_hook+0x174/0x1e0 __kmem_cache_free+0xa4/0x1dc kfree+0x64/0x128 irq_kobj_release+0x28/0x3c kobject_put+0xcc/0x1e0 delayed_free_desc+0x14/0x2c rcu_do_batch+0x214/0x720 Guard the access with a RCU read lock section. Fixes: 721255b9826b ("genirq: Use a maple tree for interrupt descriptor management") Signed-off-by: dicken.ding <dicken.ding(a)mediatek.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20240524091739.31611-1-dicken.ding@mediatek.com --- kernel/irq/irqdesc.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/kernel/irq/irqdesc.c b/kernel/irq/irqdesc.c index 88ac365..07e99c9 100644 --- a/kernel/irq/irqdesc.c +++ b/kernel/irq/irqdesc.c @@ -160,7 +160,10 @@ static int irq_find_free_area(unsigned int from, unsigned int cnt) static unsigned int irq_find_at_or_after(unsigned int offset) { unsigned long index = offset; - struct irq_desc *desc = mt_find(&sparse_irqs, &index, nr_irqs); + struct irq_desc *desc; + + guard(rcu)(); + desc = mt_find(&sparse_irqs, &index, nr_irqs); return desc ? irq_desc_get_irq(desc) : nr_irqs; }

1 year, 1 month

2
1
0 0

[PATCH 2/3] KVM: arm64: Allow AArch32 PSTATE.M to be restored as System mode

by Marc Zyngier

It appears that we don't allowed a vcpu to be restored in AArch32 System mode, as we *never* included it in the list of valid modes. Just add it to the list of allowed modes. Fixes: 0d854a60b1d7 ("arm64: KVM: enable initialization of a 32bit vcpu") Signed-off-by: Marc Zyngier <maz(a)kernel.org> Cc: stable(a)vger.kernel.org --- arch/arm64/kvm/guest.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm64/kvm/guest.c b/arch/arm64/kvm/guest.c index d9617b11f7a8..11098eb7eb44 100644 --- a/arch/arm64/kvm/guest.c +++ b/arch/arm64/kvm/guest.c @@ -251,6 +251,7 @@ static int set_core_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg) case PSR_AA32_MODE_SVC: case PSR_AA32_MODE_ABT: case PSR_AA32_MODE_UND: + case PSR_AA32_MODE_SYS: if (!vcpu_el1_is_32bit(vcpu)) return -EINVAL; break; -- 2.39.2

1 year, 1 month

2
1
0 0

[PATCH 1/3] KVM: arm64: Fix AArch32 register narrowing on userspace write

by Marc Zyngier

When userspace writes to once of the core registers, we make sure to narrow the corresponding GPRs if PSTATE indicates an AArch32 context. The code tries to check whether the context is EL0 or EL1 so that it narrows the correct registers. But it does so by checking the full PSTATE instead of PSTATE.M. As a consequence, and if we are restoring an AArch32 EL0 context in a 64bit guest, and that PSTATE has *any* bit set outside of PSTATE.M, we narrow *all* registers instead of only the first 15, destroying the 64bit state. Obviously, this is not something the guest is likely to enjoy. Correctly masking PSTATE to only evaluate PSTATE.M fixes it. Fixes: 90c1f934ed71 ("KVM: arm64: Get rid of the AArch32 register mapping code") Reported-by: Nina Schoetterl-Glausch <nsg(a)linux.ibm.com> Signed-off-by: Marc Zyngier <maz(a)kernel.org> Cc: stable(a)vger.kernel.org --- arch/arm64/kvm/guest.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/kvm/guest.c b/arch/arm64/kvm/guest.c index e2f762d959bb..d9617b11f7a8 100644 --- a/arch/arm64/kvm/guest.c +++ b/arch/arm64/kvm/guest.c @@ -276,7 +276,7 @@ static int set_core_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg) if (*vcpu_cpsr(vcpu) & PSR_MODE32_BIT) { int i, nr_reg; - switch (*vcpu_cpsr(vcpu)) { + switch (*vcpu_cpsr(vcpu) & PSR_AA32_MODE_MASK) { /* * Either we are dealing with user mode, and only the * first 15 registers (+ PC) must be narrowed to 32bit. -- 2.39.2

1 year, 1 month

3
2
0 0

[merged mm-hotfixes-stable] mm-memory-failure-fix-handling-of-dissolved-but-not-taken-off-from-buddy-pages.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/memory-failure: fix handling of dissolved but not taken off from buddy pages has been removed from the -mm tree. Its filename was mm-memory-failure-fix-handling-of-dissolved-but-not-taken-off-from-buddy-pages.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Miaohe Lin <linmiaohe(a)huawei.com> Subject: mm/memory-failure: fix handling of dissolved but not taken off from buddy pages Date: Thu, 23 May 2024 15:12:17 +0800 When I did memory failure tests recently, below panic occurs: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cee00 flags: 0x6fffe0000000000(node=1|zone=2|lastcpupid=0x7fff) raw: 06fffe0000000000 dead000000000100 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000009 00000000ffffffff 0000000000000000 page dumped because: VM_BUG_ON_PAGE(!PageBuddy(page)) ------------[ cut here ]------------ kernel BUG at include/linux/page-flags.h:1009! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI RIP: 0010:__del_page_from_free_list+0x151/0x180 RSP: 0018:ffffa49c90437998 EFLAGS: 00000046 RAX: 0000000000000035 RBX: 0000000000000009 RCX: ffff8dd8dfd1c9c8 RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff8dd8dfd1c9c0 RBP: ffffd901233b8000 R08: ffffffffab5511f8 R09: 0000000000008c69 R10: 0000000000003c15 R11: ffffffffab5511f8 R12: ffff8dd8fffc0c80 R13: 0000000000000001 R14: ffff8dd8fffc0c80 R15: 0000000000000009 FS: 00007ff916304740(0000) GS:ffff8dd8dfd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055eae50124c8 CR3: 00000008479e0000 CR4: 00000000000006f0 Call Trace: <TASK> __rmqueue_pcplist+0x23b/0x520 get_page_from_freelist+0x26b/0xe40 __alloc_pages_noprof+0x113/0x1120 __folio_alloc_noprof+0x11/0xb0 alloc_buddy_hugetlb_folio.isra.0+0x5a/0x130 __alloc_fresh_hugetlb_folio+0xe7/0x140 alloc_pool_huge_folio+0x68/0x100 set_max_huge_pages+0x13d/0x340 hugetlb_sysctl_handler_common+0xe8/0x110 proc_sys_call_handler+0x194/0x280 vfs_write+0x387/0x550 ksys_write+0x64/0xe0 do_syscall_64+0xc2/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff916114887 RSP: 002b:00007ffec8a2fd78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055eae500e350 RCX: 00007ff916114887 RDX: 0000000000000004 RSI: 000055eae500e390 RDI: 0000000000000003 RBP: 000055eae50104c0 R08: 0000000000000000 R09: 000055eae50104c0 R10: 0000000000000077 R11: 0000000000000246 R12: 0000000000000004 R13: 0000000000000004 R14: 00007ff916216b80 R15: 00007ff916216a00 </TASK> Modules linked in: mce_inject hwpoison_inject ---[ end trace 0000000000000000 ]--- And before the panic, there had an warning about bad page state: BUG: Bad page state in process page-types pfn:8cee00 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cee00 flags: 0x6fffe0000000000(node=1|zone=2|lastcpupid=0x7fff) page_type: 0xffffff7f(buddy) raw: 06fffe0000000000 ffffd901241c0008 ffffd901240f8008 0000000000000000 raw: 0000000000000000 0000000000000009 00000000ffffff7f 0000000000000000 page dumped because: nonzero mapcount Modules linked in: mce_inject hwpoison_inject CPU: 8 PID: 154211 Comm: page-types Not tainted 6.9.0-rc4-00499-g5544ec3178e2-dirty #22 Call Trace: <TASK> dump_stack_lvl+0x83/0xa0 bad_page+0x63/0xf0 free_unref_page+0x36e/0x5c0 unpoison_memory+0x50b/0x630 simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110 debugfs_attr_write+0x42/0x60 full_proxy_write+0x5b/0x80 vfs_write+0xcd/0x550 ksys_write+0x64/0xe0 do_syscall_64+0xc2/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f189a514887 RSP: 002b:00007ffdcd899718 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f189a514887 RDX: 0000000000000009 RSI: 00007ffdcd899730 RDI: 0000000000000003 RBP: 00007ffdcd8997a0 R08: 0000000000000000 R09: 00007ffdcd8994b2 R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdcda199a8 R13: 0000000000404af1 R14: 000000000040ad78 R15: 00007f189a7a5040 </TASK> The root cause should be the below race: memory_failure try_memory_failure_hugetlb me_huge_page __page_handle_poison dissolve_free_hugetlb_folio drain_all_pages -- Buddy page can be isolated e.g. for compaction. take_page_off_buddy -- Failed as page is not in the buddy list. -- Page can be putback into buddy after compaction. page_ref_inc -- Leads to buddy page with refcnt = 1. Then unpoison_memory() can unpoison the page and send the buddy page back into buddy list again leading to the above bad page state warning. And bad_page() will call page_mapcount_reset() to remove PageBuddy from buddy page leading to later VM_BUG_ON_PAGE(!PageBuddy(page)) when trying to allocate this page. Fix this issue by only treating __page_handle_poison() as successful when it returns 1. Link: https://lkml.kernel.org/r/20240523071217.1696196-1-linmiaohe@huawei.com Fixes: ceaf8fbea79a ("mm, hwpoison: skip raw hwpoison page in freeing 1GB hugepage") Signed-off-by: Miaohe Lin <linmiaohe(a)huawei.com> Cc: Naoya Horiguchi <nao.horiguchi(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/memory-failure.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/mm/memory-failure.c~mm-memory-failure-fix-handling-of-dissolved-but-not-taken-off-from-buddy-pages +++ a/mm/memory-failure.c @@ -1221,7 +1221,7 @@ static int me_huge_page(struct page_stat * subpages. */ folio_put(folio); - if (__page_handle_poison(p) >= 0) { + if (__page_handle_poison(p) > 0) { page_ref_inc(p); res = MF_RECOVERED; } else { @@ -2091,7 +2091,7 @@ retry: */ if (res == 0) { folio_unlock(folio); - if (__page_handle_poison(p) >= 0) { + if (__page_handle_poison(p) > 0) { page_ref_inc(p); res = MF_RECOVERED; } else { _ Patches currently in -mm which might be from linmiaohe(a)huawei.com are

1 year, 1 month

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror May 2024