May 2024 - Linux-stable-mirror

[PATCH 5.15.y] Revert "selftests: mm: fix map_hugetlb failure on 64K page size systems"

by Harshit Mogalapalli

This reverts commit 0d29b474fb90ff35920642f378d9baace9b47edd. map_hugetlb.c:18:10: fatal error: vm_util.h: No such file or directory 18 | #include "vm_util.h" | ^~~~~~~~~~~ compilation terminated. vm_util.h is not present in 5.15.y, as commit:642bc52aed9c ("selftests: vm: bring common functions to a new file") is not present in stable kernels <=6.1.y Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli(a)oracle.com> --- tools/testing/selftests/vm/map_hugetlb.c | 7 ------- 1 file changed, 7 deletions(-) diff --git a/tools/testing/selftests/vm/map_hugetlb.c b/tools/testing/selftests/vm/map_hugetlb.c index c65c55b7a789..312889edb84a 100644 --- a/tools/testing/selftests/vm/map_hugetlb.c +++ b/tools/testing/selftests/vm/map_hugetlb.c @@ -15,7 +15,6 @@ #include <unistd.h> #include <sys/mman.h> #include <fcntl.h> -#include "vm_util.h" #define LENGTH (256UL*1024*1024) #define PROTECTION (PROT_READ | PROT_WRITE) @@ -71,16 +70,10 @@ int main(int argc, char **argv) { void *addr; int ret; - size_t hugepage_size; size_t length = LENGTH; int flags = FLAGS; int shift = 0; - hugepage_size = default_huge_page_size(); - /* munmap with fail if the length is not page aligned */ - if (hugepage_size > length) - length = hugepage_size; - if (argc > 1) length = atol(argv[1]) << 20; if (argc > 2) { -- 2.34.1

11 months, 3 weeks

1
0
0 0

[PATCH v3] media: venus: fix use after free in vdec_close

by Dikshita Agarwal

There appears to be a possible use after free with vdec_close(). The firmware will add buffer release work to the work queue through HFI callbacks as a normal part of decoding. Randomly closing the decoder device from userspace during normal decoding can incur a read after free for inst. Fix it by cancelling the work in vdec_close. Cc: stable(a)vger.kernel.org Fixes: af2c3834c ("media: venus: adding core part and helper functions") Signed-off-by: Dikshita Agarwal <quic_dikshita(a)quicinc.com> --- Changes since v2: - fixed email id Changes since v1: - Added fixes and stable tags drivers/media/platform/qcom/venus/vdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/media/platform/qcom/venus/vdec.c b/drivers/media/platform/qcom/venus/vdec.c index 29130a9..56f8a25 100644 --- a/drivers/media/platform/qcom/venus/vdec.c +++ b/drivers/media/platform/qcom/venus/vdec.c @@ -1747,6 +1747,7 @@ static int vdec_close(struct file *file) vdec_pm_get(inst); + cancel_work_sync(&inst->delayed_process_work); v4l2_m2m_ctx_release(inst->m2m_ctx); v4l2_m2m_release(inst->m2m_dev); vdec_ctrl_deinit(inst); -- 2.7.4

11 months, 3 weeks

2
1
0 0

[PATCH v4] i2c: acpi: Unbind mux adapters before delete

by Hamish Martin

There is an issue with ACPI overlay table removal specifically related to I2C multiplexers. Consider an ACPI SSDT Overlay that defines a PCA9548 I2C mux on an existing I2C bus. When this table is loaded we see the creation of a device for the overall PCA9548 chip and 8 further devices - one i2c_adapter each for the mux channels. These are all bound to their ACPI equivalents via an eventual invocation of acpi_bind_one(). When we unload the SSDT overlay we run into the problem. The ACPI devices are deleted as normal via acpi_device_del_work_fn() and the acpi_device_del_list. However, the following warning and stack trace is output as the deletion does not go smoothly: ------------[ cut here ]------------ kernfs: can not remove 'physical_node', no directory WARNING: CPU: 1 PID: 11 at fs/kernfs/dir.c:1674 kernfs_remove_by_name_ns+0xb9/0xc0 Modules linked in: CPU: 1 PID: 11 Comm: kworker/u128:0 Not tainted 6.8.0-rc6+ #1 Hardware name: congatec AG conga-B7E3/conga-B7E3, BIOS 5.13 05/16/2023 Workqueue: kacpi_hotplug acpi_device_del_work_fn RIP: 0010:kernfs_remove_by_name_ns+0xb9/0xc0 Code: e4 00 48 89 ef e8 07 71 db ff 5b b8 fe ff ff ff 5d 41 5c 41 5d e9 a7 55 e4 00 0f 0b eb a6 48 c7 c7 f0 38 0d 9d e8 97 0a d5 ff <0f> 0b eb dc 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 RSP: 0018:ffff9f864008fb28 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff8ef90a8d4940 RCX: 0000000000000000 RDX: ffff8f000e267d10 RSI: ffff8f000e25c780 RDI: ffff8f000e25c780 RBP: ffff8ef9186f9870 R08: 0000000000013ffb R09: 00000000ffffbfff R10: 00000000ffffbfff R11: ffff8f000e0a0000 R12: ffff9f864008fb50 R13: ffff8ef90c93dd60 R14: ffff8ef9010d0958 R15: ffff8ef9186f98c8 FS: 0000000000000000(0000) GS:ffff8f000e240000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f48f5253a08 CR3: 00000003cb82e000 CR4: 00000000003506f0 Call Trace: <TASK> ? kernfs_remove_by_name_ns+0xb9/0xc0 ? __warn+0x7c/0x130 ? kernfs_remove_by_name_ns+0xb9/0xc0 ? report_bug+0x171/0x1a0 ? handle_bug+0x3c/0x70 ? exc_invalid_op+0x17/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? kernfs_remove_by_name_ns+0xb9/0xc0 ? kernfs_remove_by_name_ns+0xb9/0xc0 acpi_unbind_one+0x108/0x180 device_del+0x18b/0x490 ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f device_unregister+0xd/0x30 i2c_del_adapter.part.0+0x1bf/0x250 i2c_mux_del_adapters+0xa1/0xe0 i2c_device_remove+0x1e/0x80 device_release_driver_internal+0x19a/0x200 bus_remove_device+0xbf/0x100 device_del+0x157/0x490 ? __pfx_device_match_fwnode+0x10/0x10 ? srso_return_thunk+0x5/0x5f device_unregister+0xd/0x30 i2c_acpi_notify+0x10f/0x140 notifier_call_chain+0x58/0xd0 blocking_notifier_call_chain+0x3a/0x60 acpi_device_del_work_fn+0x85/0x1d0 process_one_work+0x134/0x2f0 worker_thread+0x2f0/0x410 ? __pfx_worker_thread+0x10/0x10 kthread+0xe3/0x110 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2f/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> ---[ end trace 0000000000000000 ]--- ... repeated 7 more times, 1 for each channel of the mux ... The issue is that the binding of the ACPI devices to their peer I2C adapters is not correctly cleaned up. Digging deeper into the issue we see that the deletion order is such that the ACPI devices matching the mux channel i2c adapters are deleted first during the SSDT overlay removal. For each of the channels we see a call to i2c_acpi_notify() with ACPI_RECONFIG_DEVICE_REMOVE but, because these devices are not actually i2c_clients, nothing is done for them. Later on, after each of the mux channels has been dealt with, we come to delete the i2c_client representing the PCA9548 device. This is the call stack we see above, whereby the kernel cleans up the i2c_client including destruction of the mux and its channel adapters. At this point we do attempt to unbind from the ACPI peers but those peers no longer exist and so we hit the kernfs errors. The fix is to augment i2c_acpi_notify() to handle i2c_adapters. But, given that the life cycle of the adapters is linked to the i2c_client, instead of deleting the i2c_adapters during the i2c_acpi_notify(), we just trigger unbinding of the ACPI device from the adapter device, and allow the clean up of the adapter to continue in the way it always has. Signed-off-by: Hamish Martin <hamish.martin(a)alliedtelesis.co.nz> Reviewed-by: Mika Westerberg <mika.westerberg(a)linux.intel.com> Reviewed-by: Andi Shyti <andi.shyti(a)kernel.org> Fixes: 525e6fabeae2 ("i2c / ACPI: add support for ACPI reconfigure notifications") Cc: <stable(a)vger.kernel.org> # v4.8+ --- Notes: v4: Resolve Build failure noted by: Linux Kernel Functional Testing <lkft(a)linaro.org>, and kernel test robot <lkp(a)intel.com> These failures led to revert of the v3 version of this patch that had been accepted earlier. v3: Add reviewed by tags (Mika Westerberg and Andi Shyti) and Fixes tag. v2: Moved long problem description from cover letter to commit description at Mika's suggestion drivers/i2c/i2c-core-acpi.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/drivers/i2c/i2c-core-acpi.c b/drivers/i2c/i2c-core-acpi.c index d6037a328669..14ae0cfc325e 100644 --- a/drivers/i2c/i2c-core-acpi.c +++ b/drivers/i2c/i2c-core-acpi.c @@ -445,6 +445,11 @@ static struct i2c_client *i2c_acpi_find_client_by_adev(struct acpi_device *adev) return i2c_find_device_by_fwnode(acpi_fwnode_handle(adev)); } +static struct i2c_adapter *i2c_acpi_find_adapter_by_adev(struct acpi_device *adev) +{ + return i2c_find_adapter_by_fwnode(acpi_fwnode_handle(adev)); +} + static int i2c_acpi_notify(struct notifier_block *nb, unsigned long value, void *arg) { @@ -471,11 +476,17 @@ static int i2c_acpi_notify(struct notifier_block *nb, unsigned long value, break; client = i2c_acpi_find_client_by_adev(adev); - if (!client) - break; + if (client) { + i2c_unregister_device(client); + put_device(&client->dev); + } + + adapter = i2c_acpi_find_adapter_by_adev(adev); + if (adapter) { + acpi_unbind_one(&adapter->dev); + put_device(&adapter->dev); + } - i2c_unregister_device(client); - put_device(&client->dev); break; } -- 2.43.2

11 months, 3 weeks

4
3
0 0

[PATCH v2] media: venus: fix use after free in vdec_close

by Agarwal, Dikshita

From: Dikshita Agarwal <quic_dikshita(a)quicinc.com> There appears to be a possible use after free with vdec_close(). The firmware will add buffer release work to the work queue through HFI callbacks as a normal part of decoding. Randomly closing the decoder device from userspace during normal decoding can incur a read after free for inst. Fix it by cancelling the work in vdec_close. Cc: stable(a)vger.kernel.org Fixes: af2c3834c ("media: venus: adding core part and helper functions") Signed-off-by: Dikshita Agarwal <quic_dikshita(a)quicinc.com> --- Changes since v1: - Added fixes and stable tags drivers/media/platform/qcom/venus/vdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/media/platform/qcom/venus/vdec.c b/drivers/media/platform/qcom/venus/vdec.c index 29130a9..56f8a25 100644 --- a/drivers/media/platform/qcom/venus/vdec.c +++ b/drivers/media/platform/qcom/venus/vdec.c @@ -1747,6 +1747,7 @@ static int vdec_close(struct file *file) vdec_pm_get(inst); + cancel_work_sync(&inst->delayed_process_work); v4l2_m2m_ctx_release(inst->m2m_ctx); v4l2_m2m_release(inst->m2m_dev); vdec_ctrl_deinit(inst); -- 2.7.4

11 months, 3 weeks

1
0
0 0

[PATCH stable,5.4 0/2] Revert the patchset for fix CVE-2024-26865

by Zhengchao Shao

There's no "pernet" variable in the struct hashinfo. The "pernet" variable is introduced from v6.1-rc1. Revert pre-patch and post-patch. Zhengchao Shao (2): Revert "tcp: Fix NEW_SYN_RECV handling in inet_twsk_purge()" Revert "tcp: Clean up kernel listener's reqsk in inet_twsk_purge()" net/ipv4/inet_timewait_sock.c | 32 +++++++++++--------------------- 1 file changed, 11 insertions(+), 21 deletions(-) -- 2.34.1

11 months, 3 weeks

2
3
0 0

[PATCH 5.4 000/107] 5.4.275-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.4.275 release. There are 107 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 02 May 2024 10:30:27 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.275-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.4.275-rc1 Randy Dunlap <rdunlap(a)infradead.org> serial: core: fix kernel-doc for uart_port_unlock_irqrestore() Yick Xie <yick.xie(a)gmail.com> udp: preserve the connected status if only UDP cmsg Mikulas Patocka <mpatocka(a)redhat.com> dm: limit the number of targets and parameter size area Matthew Wilcox (Oracle) <willy(a)infradead.org> bounds: Use the right number of bits for power-of-two CONFIG_NR_CPUS Nam Cao <namcao(a)linutronix.de> HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: smbus: fix NULL function pointer dereference Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> idma64: Don't try to serve interrupts when device is powered off Arnd Bergmann <arnd(a)arndb.de> dmaengine: owl: fix register access functions Eric Dumazet <edumazet(a)google.com> tcp: Fix NEW_SYN_RECV handling in inet_twsk_purge() Kuniyuki Iwashima <kuniyu(a)amazon.com> tcp: Clean up kernel listener's reqsk in inet_twsk_purge() Arnd Bergmann <arnd(a)arndb.de> mtd: diskonchip: work around ubsan link failure Andrey Ryabinin <ryabinin.a.a(a)gmail.com> stackdepot: respect __GFP_NOLOCKDEP allocation flag Peter Münster <pm(a)a16n.net> net: b44: set pause params only when interface is up Rahul Rameshbabu <rrameshbabu(a)nvidia.com> ethernet: Add helper for assigning packet type when dest address does not match device address Guanrui Huang <guanrui.huang(a)linux.alibaba.com> irqchip/gic-v3-its: Prevent double free on error Mukul Joshi <mukul.joshi(a)amd.com> drm/amdgpu: Fix leak when GPU memory allocation fails Iskander Amara <iskander.amara(a)theobroma-systems.com> arm64: dts: rockchip: enable internal pull-up for Q7_THRM# on RK3399 Puma Johannes Thumshirn <johannes.thumshirn(a)wdc.com> btrfs: fix information leak in btrfs_ioctl_logical_to_ino() WangYuli <wangyuli(a)uniontech.com> Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0bda:0x4853 Nathan Chancellor <nathan(a)kernel.org> Bluetooth: Fix type of len in {l2cap,sco}_sock_getsockopt_old() Robin H. Johnson <robbat2(a)gentoo.org> tracing: Increase PERF_MAX_TRACE_SIZE to handle Sentinel1 and docker together Robin H. Johnson <robbat2(a)gentoo.org> tracing: Show size of requested perf buffer Shifeng Li <lishifeng(a)sangfor.com.cn> net/mlx5e: Fix a race in command alloc flow Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "crypto: api - Disallow identical driver names" xinhui pan <xinhui.pan(a)amd.com> drm/amdgpu: validate the parameters of bo mapping operations more clearly Chia-I Wu <olvaffe(a)gmail.com> amdgpu: validate offset_in_bo of drm_amdgpu_gem_va Rajneesh Bhardwaj <rajneesh.bhardwaj(a)amd.com> drm/amdgpu: restrict bo mapping within gpu address limits Emil Kronborg <emil.kronborg(a)protonmail.com> serial: mxs-auart: add spinlock around changing cts state Thomas Gleixner <tglx(a)linutronix.de> serial: core: Provide port lock wrappers Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Suppress false-positive lockdep splat for spin_lock() in __unix_gc(). Sudheer Mogilappagari <sudheer.mogilappagari(a)intel.com> iavf: Fix TC config comparison with existing adapter TC config Sindhu Devale <sindhu.devale(a)intel.com> i40e: Do not use WQ_MEM_RECLAIM flag for workqueue Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_acl_tcam: Fix incorrect list API usage Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_acl_tcam: Fix warning during rehash Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_acl_tcam: Fix memory leak during rehash Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_acl_tcam: Rate limit error message Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_acl_tcam: Fix race during rehash delayed work Hyunwoo Kim <v4bel(a)theori.io> net: openvswitch: Fix Use-After-Free in ovs_ct_exit Ismael Luceno <iluceno(a)suse.de> ipvs: Fix checksumming on GSO of SCTP packets Hyunwoo Kim <v4bel(a)theori.io> net: gtp: Fix Use-After-Free in gtp_dellink Eric Dumazet <edumazet(a)google.com> net: usb: ax88179_178a: stop lying about skb->truesize Paul Geurts <paul_geurts(a)live.nl> NFC: trf7970a: disable all regulators on removal Ido Schimmel <idosch(a)nvidia.com> mlxsw: core: Unregister EMAD trap using FORWARD action David Bauer <mail(a)david-bauer.net> vxlan: drop packets from invalid src-address Alexey Brodkin <Alexey.Brodkin(a)synopsys.com> ARC: [plat-hsdk]: Remove misplaced interrupt-cells property Rafał Miłecki <rafal(a)milecki.pl> arm64: dts: mediatek: mt2712: fix validation errors Biao Huang <biao.huang(a)mediatek.com> arm64: dts: mt2712: add ethernet device node Rafał Miłecki <rafal(a)milecki.pl> arm64: dts: mediatek: mt7622: drop "reset-names" from thermal block Rafał Miłecki <rafal(a)milecki.pl> arm64: dts: mediatek: mt7622: fix ethernet controller "compatible" Rafał Miłecki <rafal(a)milecki.pl> arm64: dts: mediatek: mt7622: fix IR nodename Ikjoon Jang <ikjn(a)chromium.org> arm64: dts: mediatek: mt8183: Add power-domains properity to mfgcfg Quentin Schulz <quentin.schulz(a)theobroma-systems.com> arm64: dts: rockchip: enable internal pull-up on PCIE_WAKE# for RK3399 Puma Iskander Amara <iskander.amara(a)theobroma-systems.com> arm64: dts: rockchip: fix alphabetical ordering RK3399 puma Vitaly Kuznetsov <vkuznets(a)redhat.com> KVM: async_pf: Cleanup kvm_setup_async_pf() Jeongjun Park <aha310510(a)gmail.com> nilfs2: fix OOB in nilfs_set_de_type Dave Airlie <airlied(a)redhat.com> nouveau: fix instmem race condition around ptr stores Alan Stern <stern(a)rowland.harvard.edu> fs: sysfs: Fix reference leak in sysfs_break_active_protection() Samuel Thibault <samuel.thibault(a)ens-lyon.org> speakup: Avoid crash on very long word Kai-Heng Feng <kai.heng.feng(a)canonical.com> usb: Disable USB3 LPM at shutdown Minas Harutyunyan <Minas.Harutyunyan(a)synopsys.com> usb: dwc2: host: Fix dereference issue in DDMA completion flow. Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "usb: cdc-wdm: close race between read and workqueue" Daniele Palmas <dnlplm(a)gmail.com> USB: serial: option: add Telit FN920C04 rmnet compositions Vanillan Wang <vanillanwang(a)163.com> USB: serial: option: add Rolling RW101-GL and RW135-GL support Jerry Meng <jerry-meng(a)foxmail.com> USB: serial: option: support Quectel EM060K sub-models Coia Prant <coiaprant(a)gmail.com> USB: serial: option: add Lonsung U8300/U9300 product Chuanhong Guo <gch981213(a)gmail.com> USB: serial: option: add support for Fibocom FM650/FG650 bolan wang <bolan.wang(a)fibocom.com> USB: serial: option: add Fibocom FM135-GL variants Finn Thain <fthain(a)linux-m68k.org> serial/pmac_zilog: Remove flawed mitigation for rx irq flood Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> comedi: vmk80xx: fix incomplete endpoint checking Carlos Llamas <cmllamas(a)google.com> binder: check offset alignment in binder_get_object() Eric Biggers <ebiggers(a)google.com> x86/cpufeatures: Fix dependencies for GFNI, VAES, and VPCLMULQDQ Stephen Boyd <sboyd(a)kernel.org> clk: Get runtime PM before walking tree during disable_unused Stephen Boyd <sboyd(a)kernel.org> clk: Initialize struct clk_core kref earlier Konrad Dybcio <konrad.dybcio(a)linaro.org> clk: Print an info line before disabling unused clocks Claudiu Beznea <claudiu.beznea(a)microchip.com> clk: remove extra empty line Stephen Boyd <sboyd(a)kernel.org> clk: Mark 'all_lists' as const Stephen Boyd <sboyd(a)kernel.org> clk: Remove prepare_lock hold assertion in __clk_release() Mikhail Kobuk <m.kobuk(a)ispras.ru> drm: nv04: Fix out of bounds access Michael Guralnik <michaelgur(a)nvidia.com> RDMA/mlx5: Fix port number for counter query in multi-port configuration Yanjun.Zhu <yanjun.zhu(a)linux.dev> RDMA/rxe: Fix the problem "mutex_destroy missing" Lei Chen <lei.chen(a)smartx.com> tun: limit printing rate when illegal packet received by tun dev Ziyang Xuan <william.xuanziyang(a)huawei.com> netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get() Siddh Raman Pant <siddh.raman.pant(a)oracle.com> Revert "tracing/trigger: Fix to return error if failed to alloc snapshot" Zheng Yejian <zhengyejian1(a)huawei.com> kprobes: Fix possible use-after-free issue on kprobe registration Yuanhe Shu <xiangzao(a)linux.alibaba.com> selftests/ftrace: Limit length in subsystem-enable tests Boris Burkov <boris(a)bur.io> btrfs: record delayed inode root in transaction Adam Dunlap <acdunlap(a)google.com> x86/apic: Force native_apic_mem_read() to use the MOV instruction John Stultz <jstultz(a)google.com> selftests: timers: Fix abs() warning in posix_timers test Gavin Shan <gshan(a)redhat.com> vhost: Add smp_rmb() in vhost_vq_avail_empty() Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/client: Fully protect modes[] with dev->mode_config.mutex Boris Burkov <boris(a)bur.io> btrfs: qgroup: correctly model root qgroup rsv in convert David Arinzon <darinzon(a)amazon.com> net: ena: Fix potential sign extension issue Michal Luczaj <mhal(a)rbox.co> af_unix: Fix garbage collector racing against connect() Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Do not use atomic ops for unix_sk(sk)->inflight. Cosmin Ratiu <cratiu(a)nvidia.com> net/mlx5: Properly link new fs rules into the tree Jiri Benc <jbenc(a)redhat.com> ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr Arnd Bergmann <arnd(a)arndb.de> ipv4/route: avoid unused-but-set-variable warning Arnd Bergmann <arnd(a)arndb.de> ipv6: fib: hide unused 'pn' variable Eric Dumazet <edumazet(a)google.com> geneve: fix header validation in geneve[6]_xmit_skb Petr Tesarik <petr(a)tesarici.cz> u64_stats: fix u64_stats_init() for lockdep when used repeatedly in one file Ilya Maximets <i.maximets(a)ovn.org> net: openvswitch: fix unwanted error log on timeout policy probing Arnd Bergmann <arnd(a)arndb.de> nouveau: fix function cast warning Dmitry Antipov <dmantipov(a)yandex.ru> Bluetooth: Fix memory leak in hci_req_sync_complete() Sven Eckelmann <sven(a)narfation.org> batman-adv: Avoid infinite loop trying to resize local TT ------------- Diffstat: Makefile | 4 +- arch/arc/boot/dts/hsdk.dts | 1 - arch/arm64/boot/dts/mediatek/mt2712-evb.dts | 78 ++++++++++- arch/arm64/boot/dts/mediatek/mt2712e.dtsi | 68 ++++++++- arch/arm64/boot/dts/mediatek/mt7622.dtsi | 7 +- arch/arm64/boot/dts/mediatek/mt8183.dtsi | 1 + arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 29 +++- arch/x86/include/asm/apic.h | 3 +- arch/x86/kernel/cpu/cpuid-deps.c | 6 +- crypto/algapi.c | 1 - drivers/android/binder.c | 4 +- drivers/bluetooth/btusb.c | 2 + drivers/clk/clk.c | 154 ++++++++++++++++----- drivers/dma/idma64.c | 4 + drivers/dma/owl-dma.c | 4 +- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 1 + drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 70 ++++++---- drivers/gpu/drm/drm_client_modeset.c | 3 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 13 +- .../gpu/drm/nouveau/nvkm/subdev/bios/shadowof.c | 7 +- drivers/gpu/drm/nouveau/nvkm/subdev/instmem/nv50.c | 7 +- drivers/hid/i2c-hid/i2c-hid-core.c | 8 -- drivers/i2c/i2c-core-base.c | 12 +- drivers/infiniband/hw/mlx5/mad.c | 3 +- drivers/infiniband/sw/rxe/rxe.c | 2 + drivers/irqchip/irq-gic-v3-its.c | 9 +- drivers/md/dm-core.h | 2 + drivers/md/dm-ioctl.c | 3 +- drivers/md/dm-table.c | 9 +- drivers/mtd/nand/raw/diskonchip.c | 4 +- drivers/net/ethernet/amazon/ena/ena_com.c | 2 +- drivers/net/ethernet/broadcom/b44.c | 14 +- drivers/net/ethernet/intel/i40e/i40e_main.c | 2 +- drivers/net/ethernet/intel/iavf/iavf_main.c | 30 +++- drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 12 +- drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 3 +- drivers/net/ethernet/mellanox/mlxsw/core.c | 2 +- .../ethernet/mellanox/mlxsw/spectrum_acl_tcam.c | 54 ++++++-- drivers/net/geneve.c | 4 +- drivers/net/gtp.c | 3 +- drivers/net/tun.c | 18 +-- drivers/net/usb/ax88179_178a.c | 11 +- drivers/net/vxlan.c | 4 + drivers/nfc/trf7970a.c | 42 +++--- drivers/staging/comedi/drivers/vmk80xx.c | 35 ++--- drivers/staging/speakup/main.c | 2 +- drivers/tty/serial/mxs-auart.c | 8 +- drivers/tty/serial/pmac_zilog.c | 14 -- drivers/usb/class/cdc-wdm.c | 6 +- drivers/usb/core/port.c | 4 +- drivers/usb/dwc2/hcd_ddma.c | 4 +- drivers/usb/serial/option.c | 40 ++++++ drivers/vhost/vhost.c | 14 +- fs/btrfs/backref.c | 12 +- fs/btrfs/delayed-inode.c | 3 + fs/btrfs/qgroup.c | 2 + fs/nilfs2/dir.c | 2 +- fs/sysfs/file.c | 2 + include/linux/etherdevice.h | 25 ++++ include/linux/serial_core.h | 79 +++++++++++ include/linux/trace_events.h | 2 +- include/linux/u64_stats_sync.h | 6 +- include/net/addrconf.h | 4 + include/net/af_unix.h | 5 +- include/net/ip_tunnels.h | 33 +++++ kernel/bounds.c | 2 +- kernel/kprobes.c | 18 ++- kernel/trace/trace_event_perf.c | 3 +- kernel/trace/trace_events_trigger.c | 6 +- lib/stackdepot.c | 4 +- net/batman-adv/translation-table.c | 2 +- net/bluetooth/hci_request.c | 4 +- net/bluetooth/l2cap_sock.c | 7 +- net/bluetooth/sco.c | 7 +- net/ethernet/eth.c | 12 +- net/ipv4/inet_timewait_sock.c | 34 +++-- net/ipv4/route.c | 4 +- net/ipv4/udp.c | 5 +- net/ipv6/addrconf.c | 7 +- net/ipv6/ip6_fib.c | 7 +- net/ipv6/udp.c | 5 +- net/netfilter/ipvs/ip_vs_proto_sctp.c | 6 +- net/netfilter/nf_tables_api.c | 8 +- net/openvswitch/conntrack.c | 9 +- net/unix/af_unix.c | 4 +- net/unix/garbage.c | 35 +++-- net/unix/scm.c | 8 +- .../ftrace/test.d/event/subsystem-enable.tc | 6 +- tools/testing/selftests/timers/posix_timers.c | 2 +- virt/kvm/async_pf.c | 19 +-- 90 files changed, 906 insertions(+), 340 deletions(-)

11 months, 3 weeks

5
113
0 0

[PATCH stable,4.19 0/2] Revert the patchset for fix CVE-2024-26865

by Zhengchao Shao

There's no "pernet" variable in the struct hashinfo. The "pernet" variable is introduced from v6.1-rc1. Revert pre-patch and post-patch. Zhengchao Shao (2): Revert "tcp: Fix NEW_SYN_RECV handling in inet_twsk_purge()" Revert "tcp: Clean up kernel listener's reqsk in inet_twsk_purge()" net/ipv4/inet_timewait_sock.c | 32 +++++++++++--------------------- 1 file changed, 11 insertions(+), 21 deletions(-) -- 2.34.1

11 months, 3 weeks

1
2
0 0

[PATCH stable,5.10 0/2] Revert the patchset for fix CVE-2024-26865

by Zhengchao Shao

There's no "pernet" variable in the struct hashinfo. The "pernet" variable is introduced from v6.1-rc1. Revert pre-patch and post-patch. Zhengchao Shao (2): Revert "tcp: Fix NEW_SYN_RECV handling in inet_twsk_purge()" Revert "tcp: Clean up kernel listener's reqsk in inet_twsk_purge()" net/ipv4/inet_timewait_sock.c | 32 +++++++++++--------------------- 1 file changed, 11 insertions(+), 21 deletions(-) -- 2.34.1

11 months, 3 weeks

1
2
0 0

[merged mm-nonmm-stable] kexec-fix-the-unexpected-kexec_dprintk-macro.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: kexec: fix the unexpected kexec_dprintk() macro has been removed from the -mm tree. Its filename was kexec-fix-the-unexpected-kexec_dprintk-macro.patch This patch was dropped because it was merged into the mm-nonmm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Baoquan He <bhe(a)redhat.com> Subject: kexec: fix the unexpected kexec_dprintk() macro Date: Tue, 9 Apr 2024 12:22:38 +0800 Jiri reported that the current kexec_dprintk() always prints out debugging message whenever kexec/kdmmp loading is triggered. That is not wanted. The debugging message is supposed to be printed out when 'kexec -s -d' is specified for kexec/kdump loading. After investigating, the reason is the current kexec_dprintk() takes printk(KERN_INFO) or printk(KERN_DEBUG) depending on whether '-d' is specified. However, distros usually have defaulg log level like below: [~]# cat /proc/sys/kernel/printk 7 4 1 7 So, even though '-d' is not specified, printk(KERN_DEBUG) also always prints out. I thought printk(KERN_DEBUG) is equal to pr_debug(), it's not. Fix it by changing to use pr_info() instead which are expected to work. Link: https://lkml.kernel.org/r/20240409042238.1240462-1-bhe@redhat.com Fixes: cbc2fe9d9cb2 ("kexec_file: add kexec_file flag to control debug printing") Signed-off-by: Baoquan He <bhe(a)redhat.com> Reported-by: Jiri Slaby <jirislaby(a)kernel.org> Closes: https://lore.kernel.org/all/4c775fca-5def-4a2d-8437-7130b02722a2@kernel.org Reviewed-by: Dave Young <dyoung(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/kexec.h | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) --- a/include/linux/kexec.h~kexec-fix-the-unexpected-kexec_dprintk-macro +++ a/include/linux/kexec.h @@ -461,10 +461,8 @@ static inline void arch_kexec_pre_free_p extern bool kexec_file_dbg_print; -#define kexec_dprintk(fmt, ...) \ - printk("%s" fmt, \ - kexec_file_dbg_print ? KERN_INFO : KERN_DEBUG, \ - ##__VA_ARGS__) +#define kexec_dprintk(fmt, arg...) \ + do { if (kexec_file_dbg_print) pr_info(fmt, ##arg); } while (0) #else /* !CONFIG_KEXEC_CORE */ struct pt_regs; _ Patches currently in -mm which might be from bhe(a)redhat.com are

11 months, 3 weeks

1
0
0 0

[merged mm-stable] mm-fix-race-between-__split_huge_pmd_locked-and-gup-fast.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: fix race between __split_huge_pmd_locked() and GUP-fast has been removed from the -mm tree. Its filename was mm-fix-race-between-__split_huge_pmd_locked-and-gup-fast.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Ryan Roberts <ryan.roberts(a)arm.com> Subject: mm: fix race between __split_huge_pmd_locked() and GUP-fast Date: Wed, 1 May 2024 15:33:10 +0100 __split_huge_pmd_locked() can be called for a present THP, devmap or (non-present) migration entry. It calls pmdp_invalidate() unconditionally on the pmdp and only determines if it is present or not based on the returned old pmd. This is a problem for the migration entry case because pmd_mkinvalid(), called by pmdp_invalidate() must only be called for a present pmd. On arm64 at least, pmd_mkinvalid() will mark the pmd such that any future call to pmd_present() will return true. And therefore any lockless pgtable walker could see the migration entry pmd in this state and start interpretting the fields as if it were present, leading to BadThings (TM). GUP-fast appears to be one such lockless pgtable walker. x86 does not suffer the above problem, but instead pmd_mkinvalid() will corrupt the offset field of the swap entry within the swap pte. See link below for discussion of that problem. Fix all of this by only calling pmdp_invalidate() for a present pmd. And for good measure let's add a warning to all implementations of pmdp_invalidate[_ad](). I've manually reviewed all other pmdp_invalidate[_ad]() call sites and believe all others to be conformant. This is a theoretical bug found during code review. I don't have any test case to trigger it in practice. Link: https://lkml.kernel.org/r/20240501143310.1381675-1-ryan.roberts@arm.com Link: https://lore.kernel.org/all/0dd7827a-6334-439a-8fd0-43c98e6af22b@arm.com/ Fixes: 84c3fc4e9c56 ("mm: thp: check pmd migration entry in common path") Signed-off-by: Ryan Roberts <ryan.roberts(a)arm.com> Reviewed-by: Zi Yan <ziy(a)nvidia.com> Reviewed-by: Anshuman Khandual <anshuman.khandual(a)arm.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Andreas Larsson <andreas(a)gaisler.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: Aneesh Kumar K.V <aneesh.kumar(a)kernel.org> Cc: Borislav Petkov (AMD) <bp(a)alien8.de> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Christian Borntraeger <borntraeger(a)linux.ibm.com> Cc: Christophe Leroy <christophe.leroy(a)csgroup.eu> Cc: Dave Hansen <dave.hansen(a)linux.intel.com> Cc: "David S. Miller" <davem(a)davemloft.net> Cc: Ingo Molnar <mingo(a)redhat.com> Cc: Jonathan Corbet <corbet(a)lwn.net> Cc: Mark Rutland <mark.rutland(a)arm.com> Cc: Naveen N. Rao <naveen.n.rao(a)linux.ibm.com> Cc: Nicholas Piggin <npiggin(a)gmail.com> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Sven Schnelle <svens(a)linux.ibm.com> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Will Deacon <will(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- Documentation/mm/arch_pgtable_helpers.rst | 6 +- arch/powerpc/mm/book3s64/pgtable.c | 1 arch/s390/include/asm/pgtable.h | 4 + arch/sparc/mm/tlb.c | 1 arch/x86/mm/pgtable.c | 2 mm/huge_memory.c | 49 ++++++++++---------- mm/pgtable-generic.c | 2 7 files changed, 39 insertions(+), 26 deletions(-) --- a/arch/powerpc/mm/book3s64/pgtable.c~mm-fix-race-between-__split_huge_pmd_locked-and-gup-fast +++ a/arch/powerpc/mm/book3s64/pgtable.c @@ -170,6 +170,7 @@ pmd_t pmdp_invalidate(struct vm_area_str { unsigned long old_pmd; + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); old_pmd = pmd_hugepage_update(vma->vm_mm, address, pmdp, _PAGE_PRESENT, _PAGE_INVALID); flush_pmd_tlb_range(vma, address, address + HPAGE_PMD_SIZE); return __pmd(old_pmd); --- a/arch/s390/include/asm/pgtable.h~mm-fix-race-between-__split_huge_pmd_locked-and-gup-fast +++ a/arch/s390/include/asm/pgtable.h @@ -1769,8 +1769,10 @@ static inline pmd_t pmdp_huge_clear_flus static inline pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long addr, pmd_t *pmdp) { - pmd_t pmd = __pmd(pmd_val(*pmdp) | _SEGMENT_ENTRY_INVALID); + pmd_t pmd; + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); + pmd = __pmd(pmd_val(*pmdp) | _SEGMENT_ENTRY_INVALID); return pmdp_xchg_direct(vma->vm_mm, addr, pmdp, pmd); } --- a/arch/sparc/mm/tlb.c~mm-fix-race-between-__split_huge_pmd_locked-and-gup-fast +++ a/arch/sparc/mm/tlb.c @@ -249,6 +249,7 @@ pmd_t pmdp_invalidate(struct vm_area_str { pmd_t old, entry; + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); entry = __pmd(pmd_val(*pmdp) & ~_PAGE_VALID); old = pmdp_establish(vma, address, pmdp, entry); flush_tlb_range(vma, address, address + HPAGE_PMD_SIZE); --- a/arch/x86/mm/pgtable.c~mm-fix-race-between-__split_huge_pmd_locked-and-gup-fast +++ a/arch/x86/mm/pgtable.c @@ -631,6 +631,8 @@ int pmdp_clear_flush_young(struct vm_are pmd_t pmdp_invalidate_ad(struct vm_area_struct *vma, unsigned long address, pmd_t *pmdp) { + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); + /* * No flush is necessary. Once an invalid PTE is established, the PTE's * access and dirty bits cannot be updated. --- a/Documentation/mm/arch_pgtable_helpers.rst~mm-fix-race-between-__split_huge_pmd_locked-and-gup-fast +++ a/Documentation/mm/arch_pgtable_helpers.rst @@ -140,7 +140,8 @@ PMD Page Table Helpers +---------------------------+--------------------------------------------------+ | pmd_swp_clear_soft_dirty | Clears a soft dirty swapped PMD | +---------------------------+--------------------------------------------------+ -| pmd_mkinvalid | Invalidates a mapped PMD [1] | +| pmd_mkinvalid | Invalidates a present PMD; do not call for | +| | non-present PMD [1] | +---------------------------+--------------------------------------------------+ | pmd_set_huge | Creates a PMD huge mapping | +---------------------------+--------------------------------------------------+ @@ -196,7 +197,8 @@ PUD Page Table Helpers +---------------------------+--------------------------------------------------+ | pud_mkdevmap | Creates a ZONE_DEVICE mapped PUD | +---------------------------+--------------------------------------------------+ -| pud_mkinvalid | Invalidates a mapped PUD [1] | +| pud_mkinvalid | Invalidates a present PUD; do not call for | +| | non-present PUD [1] | +---------------------------+--------------------------------------------------+ | pud_set_huge | Creates a PUD huge mapping | +---------------------------+--------------------------------------------------+ --- a/mm/huge_memory.c~mm-fix-race-between-__split_huge_pmd_locked-and-gup-fast +++ a/mm/huge_memory.c @@ -2430,32 +2430,11 @@ static void __split_huge_pmd_locked(stru return __split_huge_zero_page_pmd(vma, haddr, pmd); } - /* - * Up to this point the pmd is present and huge and userland has the - * whole access to the hugepage during the split (which happens in - * place). If we overwrite the pmd with the not-huge version pointing - * to the pte here (which of course we could if all CPUs were bug - * free), userland could trigger a small page size TLB miss on the - * small sized TLB while the hugepage TLB entry is still established in - * the huge TLB. Some CPU doesn't like that. - * See http://support.amd.com/TechDocs/41322_10h_Rev_Gd.pdf, Erratum - * 383 on page 105. Intel should be safe but is also warns that it's - * only safe if the permission and cache attributes of the two entries - * loaded in the two TLB is identical (which should be the case here). - * But it is generally safer to never allow small and huge TLB entries - * for the same virtual address to be loaded simultaneously. So instead - * of doing "pmd_populate(); flush_pmd_tlb_range();" we first mark the - * current pmd notpresent (atomically because here the pmd_trans_huge - * must remain set at all times on the pmd until the split is complete - * for this pmd), then we flush the SMP TLB and finally we write the - * non-huge version of the pmd entry with pmd_populate. - */ - old_pmd = pmdp_invalidate(vma, haddr, pmd); - - pmd_migration = is_pmd_migration_entry(old_pmd); + pmd_migration = is_pmd_migration_entry(*pmd); if (unlikely(pmd_migration)) { swp_entry_t entry; + old_pmd = *pmd; entry = pmd_to_swp_entry(old_pmd); page = pfn_swap_entry_to_page(entry); write = is_writable_migration_entry(entry); @@ -2466,6 +2445,30 @@ static void __split_huge_pmd_locked(stru soft_dirty = pmd_swp_soft_dirty(old_pmd); uffd_wp = pmd_swp_uffd_wp(old_pmd); } else { + /* + * Up to this point the pmd is present and huge and userland has + * the whole access to the hugepage during the split (which + * happens in place). If we overwrite the pmd with the not-huge + * version pointing to the pte here (which of course we could if + * all CPUs were bug free), userland could trigger a small page + * size TLB miss on the small sized TLB while the hugepage TLB + * entry is still established in the huge TLB. Some CPU doesn't + * like that. See + * http://support.amd.com/TechDocs/41322_10h_Rev_Gd.pdf, Erratum + * 383 on page 105. Intel should be safe but is also warns that + * it's only safe if the permission and cache attributes of the + * two entries loaded in the two TLB is identical (which should + * be the case here). But it is generally safer to never allow + * small and huge TLB entries for the same virtual address to be + * loaded simultaneously. So instead of doing "pmd_populate(); + * flush_pmd_tlb_range();" we first mark the current pmd + * notpresent (atomically because here the pmd_trans_huge must + * remain set at all times on the pmd until the split is + * complete for this pmd), then we flush the SMP TLB and finally + * we write the non-huge version of the pmd entry with + * pmd_populate. + */ + old_pmd = pmdp_invalidate(vma, haddr, pmd); page = pmd_page(old_pmd); folio = page_folio(page); if (pmd_dirty(old_pmd)) { --- a/mm/pgtable-generic.c~mm-fix-race-between-__split_huge_pmd_locked-and-gup-fast +++ a/mm/pgtable-generic.c @@ -198,6 +198,7 @@ pgtable_t pgtable_trans_huge_withdraw(st pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, pmd_t *pmdp) { + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); pmd_t old = pmdp_establish(vma, address, pmdp, pmd_mkinvalid(*pmdp)); flush_pmd_tlb_range(vma, address, address + HPAGE_PMD_SIZE); return old; @@ -208,6 +209,7 @@ pmd_t pmdp_invalidate(struct vm_area_str pmd_t pmdp_invalidate_ad(struct vm_area_struct *vma, unsigned long address, pmd_t *pmdp) { + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); return pmdp_invalidate(vma, address, pmdp); } #endif _ Patches currently in -mm which might be from ryan.roberts(a)arm.com are

11 months, 3 weeks

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror May 2024