January 2025 - Linux-stable-mirror

+ mm-zswap-fix-inconsistency-when-zswap_store_page-fails.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/zswap: fix inconsistency when zswap_store_page() fails has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-zswap-fix-inconsistency-when-zswap_store_page-fails.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Hyeonggon Yoo <42.hyeyoo(a)gmail.com> Subject: mm/zswap: fix inconsistency when zswap_store_page() fails Date: Wed, 29 Jan 2025 19:08:44 +0900 Commit b7c0ccdfbafd ("mm: zswap: support large folios in zswap_store()") skips charging any zswap entries when it failed to zswap the entire folio. However, when some base pages are zswapped but it failed to zswap the entire folio, the zswap operation is rolled back. When freeing zswap entries for those pages, zswap_entry_free() uncharges the zswap entries that were not previously charged, causing zswap charging to become inconsistent. This inconsistency triggers two warnings with following steps: # On a machine with 64GiB of RAM and 36GiB of zswap $ stress-ng --bigheap 2 # wait until the OOM-killer kills stress-ng $ sudo reboot The two warnings are: in mm/memcontrol.c:163, function obj_cgroup_release(): WARN_ON_ONCE(nr_bytes & (PAGE_SIZE - 1)); in mm/page_counter.c:60, function page_counter_cancel(): if (WARN_ONCE(new < 0, "page_counter underflow: %ld nr_pages=%lu\n", new, nr_pages)) zswap_stored_pages also becomes inconsistent in the same way. As suggested by Kanchana, increment zswap_stored_pages and charge zswap entries within zswap_store_page() when it succeeds. This way, zswap_entry_free() will decrement the counter and uncharge the entries when it failed to zswap the entire folio. While this could potentially be optimized by batching objcg charging and incrementing the counter, let's focus on fixing the bug this time and leave the optimization for later after some evaluation. After resolving the inconsistency, the warnings disappear. Link: https://lkml.kernel.org/r/20250129100844.2935-1-42.hyeyoo@gmail.com Fixes: b7c0ccdfbafd ("mm: zswap: support large folios in zswap_store()") Co-developed-by: Kanchana P Sridhar <kanchana.p.sridhar(a)intel.com> Signed-off-by: Kanchana P Sridhar <kanchana.p.sridhar(a)intel.com> Signed-off-by: Hyeonggon Yoo <42.hyeyoo(a)gmail.com> Acked-by: Yosry Ahmed <yosry.ahmed(a)linux.dev> Cc: Chengming Zhou <chengming.zhou(a)linux.dev> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Nhat Pham <nphamcs(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/zswap.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) --- a/mm/zswap.c~mm-zswap-fix-inconsistency-when-zswap_store_page-fails +++ a/mm/zswap.c @@ -1504,11 +1504,14 @@ static ssize_t zswap_store_page(struct p entry->pool = pool; entry->swpentry = page_swpentry; entry->objcg = objcg; + if (objcg) + obj_cgroup_charge_zswap(objcg, entry->length); entry->referenced = true; if (entry->length) { INIT_LIST_HEAD(&entry->lru); zswap_lru_add(&zswap_list_lru, entry); } + atomic_long_inc(&zswap_stored_pages); return entry->length; @@ -1526,7 +1529,6 @@ bool zswap_store(struct folio *folio) struct obj_cgroup *objcg = NULL; struct mem_cgroup *memcg = NULL; struct zswap_pool *pool; - size_t compressed_bytes = 0; bool ret = false; long index; @@ -1569,15 +1571,11 @@ bool zswap_store(struct folio *folio) bytes = zswap_store_page(page, objcg, pool); if (bytes < 0) goto put_pool; - compressed_bytes += bytes; } - if (objcg) { - obj_cgroup_charge_zswap(objcg, compressed_bytes); + if (objcg) count_objcg_events(objcg, ZSWPOUT, nr_pages); - } - atomic_long_add(nr_pages, &zswap_stored_pages); count_vm_events(ZSWPOUT, nr_pages); ret = true; _ Patches currently in -mm which might be from 42.hyeyoo(a)gmail.com are mm-zsmalloc-add-__maybe_unused-attribute-for-is_first_zpdesc.patch mm-zswap-fix-inconsistency-when-zswap_store_page-fails.patch

2 months, 2 weeks

1
0
0 0

+ jiffies-cast-to-unsigned-long-for-secs_to_jiffies-conversion.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: jiffies: cast to unsigned long for secs_to_jiffies() conversion has been added to the -mm mm-hotfixes-unstable branch. Its filename is jiffies-cast-to-unsigned-long-for-secs_to_jiffies-conversion.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Easwar Hariharan <eahariha(a)linux.microsoft.com> Subject: jiffies: cast to unsigned long for secs_to_jiffies() conversion Date: Thu, 30 Jan 2025 19:26:58 +0000 While converting users of msecs_to_jiffies(), lkp reported that some range checks would always be true because of the mismatch between the implied int value of secs_to_jiffies() vs the unsigned long return value of the msecs_to_jiffies() calls it was replacing. Fix this by casting secs_to_jiffies() values as unsigned long. Link: https://lkml.kernel.org/r/20250130192701.99626-1-eahariha@linux.microsoft.c… Fixes: b35108a51cf7ba ("jiffies: Define secs_to_jiffies()") Signed-off-by: Easwar Hariharan <eahariha(a)linux.microsoft.com> Reported-by: kernel test robot <lkp(a)intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202501301334.NB6NszQR-lkp@intel.com/ Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Anna-Maria Behnsen <anna-maria(a)linutronix.de> Cc: Geert Uytterhoeven <geert(a)linux-m68k.org> Cc: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Cc: Miguel Ojeda <ojeda(a)kernel.org> Cc: <stable(a)vger.kernel.org> [6.13+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/jiffies.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/include/linux/jiffies.h~jiffies-cast-to-unsigned-long-for-secs_to_jiffies-conversion +++ a/include/linux/jiffies.h @@ -537,7 +537,7 @@ static __always_inline unsigned long mse * * Return: jiffies value */ -#define secs_to_jiffies(_secs) ((_secs) * HZ) +#define secs_to_jiffies(_secs) (unsigned long)((_secs) * HZ) extern unsigned long __usecs_to_jiffies(const unsigned int u); #if !(USEC_PER_SEC % HZ) _ Patches currently in -mm which might be from eahariha(a)linux.microsoft.com are jiffies-cast-to-unsigned-long-for-secs_to_jiffies-conversion.patch scsi-lpfc-convert-timeouts-to-secs_to_jiffies.patch accel-habanalabs-convert-timeouts-to-secs_to_jiffies.patch alsa-ac97-convert-timeouts-to-secs_to_jiffies.patch btrfs-convert-timeouts-to-secs_to_jiffies.patch rbd-convert-timeouts-to-secs_to_jiffies.patch libceph-convert-timeouts-to-secs_to_jiffies.patch libata-zpodd-convert-timeouts-to-secs_to_jiffies.patch xfs-convert-timeouts-to-secs_to_jiffies.patch power-supply-da9030-convert-timeouts-to-secs_to_jiffies.patch nvme-convert-timeouts-to-secs_to_jiffies.patch spi-spi-fsl-lpspi-convert-timeouts-to-secs_to_jiffies.patch spi-spi-imx-convert-timeouts-to-secs_to_jiffies.patch platform-x86-amd-pmf-convert-timeouts-to-secs_to_jiffies.patch platform-x86-thinkpad_acpi-convert-timeouts-to-secs_to_jiffies.patch rdma-bnxt_re-convert-timeouts-to-secs_to_jiffies.patch

2 months, 2 weeks

1
0
0 0

[PATCH v2 5.10.y 0/3] scsi: Backport fixes for CVE-2021-47182

by Vasiliy Kovalev

The patch titled "scsi: core: Fix scsi_mode_sense() buffer length handling" addresses CVE-2021-47182, fixing the following issues in `scsi_mode_sense()` buffer length handling: 1. Incorrect handling of the allocation length field in the MODE SENSE(10) command, causing truncation of buffer lengths larger than 255 bytes. 2. Memory corruption when handling small buffer lengths due to lack of proper validation. CVE announcement in linux-cve-announce: https://lore.kernel.org/linux-cve-announce/2024041032-CVE-2021-47182-377e@g… Fixed versions: - Fixed in 5.15.5 with commit e15de347faf4 - Fixed in 5.16 with commit 17b49bcbf835 Official CVE entry: https://cve.org/CVERecord/?id=CVE-2021-47182 --- v2: To ensure consistency and completeness of the fixes, this backport includes all 3 patches from the series [1]. In addition to the first patch that addresses the CVE, the second and third patches are included, which prevent further regressions and align with the fixes already backported and proposed for backporting [2] to the stable 5.15 kernel. [1] https://lore.kernel.org/all/20210820070255.682775-1-damien.lemoal@wdc.com/ [2] https://lore.kernel.org/all/20241209165340.112862-1-kovalev@altlinux.org/ [PATCH 5.10.y 1/3] scsi: core: Fix scsi_mode_sense() buffer length handling [PATCH 5.10.y 2/3] scsi: core: Fix scsi_mode_select() buffer length handling [PATCH 5.10.y 3/3] scsi: sd: Fix sd_do_mode_sense() buffer length handling

2 months, 2 weeks

2
7
0 0

[PATCH stable 5.4] arm64: mm: account for hotplug memory when randomizing the linear region

by Florian Fainelli

From: Ard Biesheuvel <ardb(a)kernel.org> commit 97d6786e0669daa5c2f2d07a057f574e849dfd3e upstream As a hardening measure, we currently randomize the placement of physical memory inside the linear region when KASLR is in effect. Since the random offset at which to place the available physical memory inside the linear region is chosen early at boot, it is based on the memblock description of memory, which does not cover hotplug memory. The consequence of this is that the randomization offset may be chosen such that any hotplugged memory located above memblock_end_of_DRAM() that appears later is pushed off the end of the linear region, where it cannot be accessed. So let's limit this randomization of the linear region to ensure that this can no longer happen, by using the CPU's addressable PA range instead. As it is guaranteed that no hotpluggable memory will appear that falls outside of that range, we can safely put this PA range sized window anywhere in the linear region. Signed-off-by: Ard Biesheuvel <ardb(a)kernel.org> Cc: Anshuman Khandual <anshuman.khandual(a)arm.com> Cc: Will Deacon <will(a)kernel.org> Cc: Steven Price <steven.price(a)arm.com> Cc: Robin Murphy <robin.murphy(a)arm.com> Link: https://lore.kernel.org/r/20201014081857.3288-1-ardb@kernel.org Signed-off-by: Catalin Marinas <catalin.marinas(a)arm.com> Signed-off-by: Florian Fainelli <florian.fainelli(a)broadcom.com> --- arch/arm64/mm/init.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/arch/arm64/mm/init.c b/arch/arm64/mm/init.c index cbcac03c0e0d..a6034645d6f7 100644 --- a/arch/arm64/mm/init.c +++ b/arch/arm64/mm/init.c @@ -392,15 +392,18 @@ void __init arm64_memblock_init(void) if (IS_ENABLED(CONFIG_RANDOMIZE_BASE)) { extern u16 memstart_offset_seed; - u64 range = linear_region_size - - (memblock_end_of_DRAM() - memblock_start_of_DRAM()); + u64 mmfr0 = read_cpuid(ID_AA64MMFR0_EL1); + int parange = cpuid_feature_extract_unsigned_field( + mmfr0, ID_AA64MMFR0_PARANGE_SHIFT); + s64 range = linear_region_size - + BIT(id_aa64mmfr0_parange_to_phys_shift(parange)); /* * If the size of the linear region exceeds, by a sufficient - * margin, the size of the region that the available physical - * memory spans, randomize the linear region as well. + * margin, the size of the region that the physical memory can + * span, randomize the linear region as well. */ - if (memstart_offset_seed > 0 && range >= ARM64_MEMSTART_ALIGN) { + if (memstart_offset_seed > 0 && range >= (s64)ARM64_MEMSTART_ALIGN) { range /= ARM64_MEMSTART_ALIGN; memstart_addr -= ARM64_MEMSTART_ALIGN * ((range * memstart_offset_seed) >> 16); -- 2.43.0

2 months, 2 weeks

4
17
0 0

[tip: x86/urgent] x86/boot: Use '-std=gnu11' to fix build with GCC 15

by tip-bot2 for Nathan Chancellor

The following commit has been merged into the x86/urgent branch of tip: Commit-ID: ee2ab467bddfb2d7f68d996dbab94d7b88f8eaf7 Gitweb: https://git.kernel.org/tip/ee2ab467bddfb2d7f68d996dbab94d7b88f8eaf7 Author: Nathan Chancellor <nathan(a)kernel.org> AuthorDate: Tue, 21 Jan 2025 18:11:33 -07:00 Committer: Dave Hansen <dave.hansen(a)linux.intel.com> CommitterDate: Thu, 30 Jan 2025 09:59:24 -08:00 x86/boot: Use '-std=gnu11' to fix build with GCC 15 GCC 15 changed the default C standard version to C23, which should not have impacted the kernel because it requests the gnu11 standard via '-std=' in the main Makefile. However, the x86 compressed boot Makefile uses its own set of KBUILD_CFLAGS without a '-std=' value (i.e., using the default), resulting in errors from the kernel's definitions of bool, true, and false in stddef.h, which are reserved keywords under C23. ./include/linux/stddef.h:11:9: error: expected identifier before ‘false’ 11 | false = 0, ./include/linux/types.h:35:33: error: two or more data types in declaration specifiers 35 | typedef _Bool bool; Set '-std=gnu11' in the x86 compressed boot Makefile to resolve the error and consistently use the same C standard version for the entire kernel. Closes: https://lore.kernel.org/4OAhbllK7x4QJGpZjkYjtBYNLd_2whHx9oFiuZcGwtVR4hIzvdu… Closes: https://lore.kernel.org/Z4467umXR2PZ0M1H@tucnak/ Reported-by: Kostadin Shishmanov <kostadinshishmanov(a)protonmail.com> Reported-by: Jakub Jelinek <jakub(a)redhat.com> Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Reviewed-by: Ard Biesheuvel <ardb(a)kernel.org> Cc:stable@vger.kernel.org Link: https://lore.kernel.org/all/20250121-x86-use-std-consistently-gcc-15-v1-1-8… --- arch/x86/boot/compressed/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile index f205164..606c74f 100644 --- a/arch/x86/boot/compressed/Makefile +++ b/arch/x86/boot/compressed/Makefile @@ -25,6 +25,7 @@ targets := vmlinux vmlinux.bin vmlinux.bin.gz vmlinux.bin.bz2 vmlinux.bin.lzma \ # avoid errors with '-march=i386', and future flags may depend on the target to # be valid. KBUILD_CFLAGS := -m$(BITS) -O2 $(CLANG_FLAGS) +KBUILD_CFLAGS += -std=gnu11 KBUILD_CFLAGS += -fno-strict-aliasing -fPIE KBUILD_CFLAGS += -Wundef KBUILD_CFLAGS += -DDISABLE_BRANCH_PROFILING

2 months, 2 weeks

1
0
0 0

[PATCH] usb: gadget: f_midi: fix MIDI Streaming descriptor lengths

by John Keeping

In the two loops before setting the MIDIStreaming descriptors, ms_in_desc.baAssocJackID[] has entries written for "in_ports" values and ms_out_desc.baAssocJackID[] has entries written for "out_ports" values. But the counts and lengths are set the other way round in the descriptors. Fix the descriptors so that the bNumEmbMIDIJack values and the descriptor lengths match the number of entries populated in the trailing arrays. Cc: stable(a)vger.kernel.org Fixes: c8933c3f79568 ("USB: gadget: f_midi: allow a dynamic number of input and output ports") Signed-off-by: John Keeping <jkeeping(a)inmusicbrands.com> --- drivers/usb/gadget/function/f_midi.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/usb/gadget/function/f_midi.c b/drivers/usb/gadget/function/f_midi.c index 837fcdfa3840f..6cc3d86cb4774 100644 --- a/drivers/usb/gadget/function/f_midi.c +++ b/drivers/usb/gadget/function/f_midi.c @@ -1000,11 +1000,11 @@ static int f_midi_bind(struct usb_configuration *c, struct usb_function *f) } /* configure the endpoint descriptors ... */ - ms_out_desc.bLength = USB_DT_MS_ENDPOINT_SIZE(midi->in_ports); - ms_out_desc.bNumEmbMIDIJack = midi->in_ports; + ms_out_desc.bLength = USB_DT_MS_ENDPOINT_SIZE(midi->out_ports); + ms_out_desc.bNumEmbMIDIJack = midi->out_ports; - ms_in_desc.bLength = USB_DT_MS_ENDPOINT_SIZE(midi->out_ports); - ms_in_desc.bNumEmbMIDIJack = midi->out_ports; + ms_in_desc.bLength = USB_DT_MS_ENDPOINT_SIZE(midi->in_ports); + ms_in_desc.bNumEmbMIDIJack = midi->in_ports; /* ... and add them to the list */ endpoint_descriptor_index = i; -- 2.48.1

2 months, 2 weeks

2
6
0 0

[PATCH] kasan, mempool: don't store free stacktrace in io_alloc_cache objects.

by Andrey Ryabinin

Running the testcase liburing/accept-reust.t with CONFIG_KASAN=y and CONFIG_KASAN_EXTRA_INFO=y leads to the following crash: Unable to handle kernel paging request at virtual address 00000c6455008008 ... pc : __kasan_mempool_unpoison_object+0x38/0x170 lr : io_netmsg_cache_free+0x8c/0x180 ... Call trace: __kasan_mempool_unpoison_object+0x38/0x170 (P) io_netmsg_cache_free+0x8c/0x180 io_ring_exit_work+0xd4c/0x13a0 process_one_work+0x52c/0x1000 worker_thread+0x830/0xdc0 kthread+0x2bc/0x348 ret_from_fork+0x10/0x20 Since the commit b556a462eb8d ("kasan: save free stack traces for slab mempools") kasan_mempool_poison_object() stores some info inside an object. It was expected that the object must be reinitialized after kasan_mempool_unpoison_object() call, and this is what happens in the most of use cases. However io_uring code expects that io_alloc_cache_put/get doesn't modify the object, so kasan_mempool_poison_object() end up corrupting it leading to crash later. Add @notrack argument to kasan_mempool_poison_object() call to tell KASAN to avoid storing info in objects for io_uring use case. Reported-by: lizetao <lizetao1(a)huawei.com> Closes: https://lkml.kernel.org/r/ec2a6ca08c614c10853fbb1270296ac4@huawei.com Fixes: b556a462eb8d ("kasan: save free stack traces for slab mempools") Cc: stable(a)vger.kernel.org Cc: Alexander Potapenko <glider(a)google.com> Cc: Andrey Konovalov <andreyknvl(a)gmail.com> Cc: Dmitry Vyukov <dvyukov(a)google.com> Cc: Vincenzo Frascino <vincenzo.frascino(a)arm.com> Cc: Jens Axboe <axboe(a)kernel.dk> Cc: Pavel Begunkov <asml.silence(a)gmail.com> Cc: "David S. Miller" <davem(a)davemloft.net> Cc: Eric Dumazet <edumazet(a)google.com> Cc: Jakub Kicinski <kuba(a)kernel.org> Cc: Paolo Abeni <pabeni(a)redhat.com> Cc: Simon Horman <horms(a)kernel.org> Signed-off-by: Andrey Ryabinin <ryabinin.a.a(a)gmail.com> --- include/linux/kasan.h | 13 +++++++------ io_uring/alloc_cache.h | 2 +- io_uring/net.c | 2 +- io_uring/rw.c | 2 +- mm/kasan/common.c | 11 ++++++----- mm/mempool.c | 2 +- net/core/skbuff.c | 2 +- 7 files changed, 18 insertions(+), 16 deletions(-) diff --git a/include/linux/kasan.h b/include/linux/kasan.h index 890011071f2b..4d0bf4af399d 100644 --- a/include/linux/kasan.h +++ b/include/linux/kasan.h @@ -328,18 +328,19 @@ static __always_inline void kasan_mempool_unpoison_pages(struct page *page, __kasan_mempool_unpoison_pages(page, order, _RET_IP_); } -bool __kasan_mempool_poison_object(void *ptr, unsigned long ip); +bool __kasan_mempool_poison_object(void *ptr, bool notrack, unsigned long ip); /** * kasan_mempool_poison_object - Check and poison a mempool slab allocation. * @ptr: Pointer to the slab allocation. + * @notrack: Don't record stack trace of this call in the object. * * This function is intended for kernel subsystems that cache slab allocations * to reuse them instead of freeing them back to the slab allocator (e.g. * mempool). * * This function poisons a slab allocation and saves a free stack trace for it - * without initializing the allocation's memory and without putting it into the - * quarantine (for the Generic mode). + * (if @notrack == false) without initializing the allocation's memory and + * without putting it into the quarantine (for the Generic mode). * * This function also performs checks to detect double-free and invalid-free * bugs and reports them. The caller can use the return value of this function @@ -354,10 +355,10 @@ bool __kasan_mempool_poison_object(void *ptr, unsigned long ip); * * Return: true if the allocation can be safely reused; false otherwise. */ -static __always_inline bool kasan_mempool_poison_object(void *ptr) +static __always_inline bool kasan_mempool_poison_object(void *ptr, bool notrack) { if (kasan_enabled()) - return __kasan_mempool_poison_object(ptr, _RET_IP_); + return __kasan_mempool_poison_object(ptr, notrack, _RET_IP_); return true; } @@ -456,7 +457,7 @@ static inline bool kasan_mempool_poison_pages(struct page *page, unsigned int or return true; } static inline void kasan_mempool_unpoison_pages(struct page *page, unsigned int order) {} -static inline bool kasan_mempool_poison_object(void *ptr) +static inline bool kasan_mempool_poison_object(void *ptr, bool notrack) { return true; } diff --git a/io_uring/alloc_cache.h b/io_uring/alloc_cache.h index a3a8cfec32ce..dd508dddea33 100644 --- a/io_uring/alloc_cache.h +++ b/io_uring/alloc_cache.h @@ -10,7 +10,7 @@ static inline bool io_alloc_cache_put(struct io_alloc_cache *cache, void *entry) { if (cache->nr_cached < cache->max_cached) { - if (!kasan_mempool_poison_object(entry)) + if (!kasan_mempool_poison_object(entry, true)) return false; cache->entries[cache->nr_cached++] = entry; return true; diff --git a/io_uring/net.c b/io_uring/net.c index 85f55fbc25c9..a954e37c7fd3 100644 --- a/io_uring/net.c +++ b/io_uring/net.c @@ -149,7 +149,7 @@ static void io_netmsg_recycle(struct io_kiocb *req, unsigned int issue_flags) iov = hdr->free_iov; if (io_alloc_cache_put(&req->ctx->netmsg_cache, hdr)) { if (iov) - kasan_mempool_poison_object(iov); + kasan_mempool_poison_object(iov, true); req->async_data = NULL; req->flags &= ~REQ_F_ASYNC_DATA; } diff --git a/io_uring/rw.c b/io_uring/rw.c index a9a2733be842..cba475003ba7 100644 --- a/io_uring/rw.c +++ b/io_uring/rw.c @@ -167,7 +167,7 @@ static void io_rw_recycle(struct io_kiocb *req, unsigned int issue_flags) iov = rw->free_iovec; if (io_alloc_cache_put(&req->ctx->rw_cache, rw)) { if (iov) - kasan_mempool_poison_object(iov); + kasan_mempool_poison_object(iov, true); req->async_data = NULL; req->flags &= ~REQ_F_ASYNC_DATA; } diff --git a/mm/kasan/common.c b/mm/kasan/common.c index ed4873e18c75..e7b54aa9494e 100644 --- a/mm/kasan/common.c +++ b/mm/kasan/common.c @@ -230,7 +230,8 @@ static bool check_slab_allocation(struct kmem_cache *cache, void *object, } static inline void poison_slab_object(struct kmem_cache *cache, void *object, - bool init, bool still_accessible) + bool init, bool still_accessible, + bool notrack) { void *tagged_object = object; @@ -243,7 +244,7 @@ static inline void poison_slab_object(struct kmem_cache *cache, void *object, kasan_poison(object, round_up(cache->object_size, KASAN_GRANULE_SIZE), KASAN_SLAB_FREE, init); - if (kasan_stack_collection_enabled()) + if (kasan_stack_collection_enabled() && !notrack) kasan_save_free_info(cache, tagged_object); } @@ -261,7 +262,7 @@ bool __kasan_slab_free(struct kmem_cache *cache, void *object, bool init, if (!kasan_arch_is_ready() || is_kfence_address(object)) return false; - poison_slab_object(cache, object, init, still_accessible); + poison_slab_object(cache, object, init, still_accessible, true); /* * If the object is put into quarantine, do not let slab put the object @@ -495,7 +496,7 @@ void __kasan_mempool_unpoison_pages(struct page *page, unsigned int order, __kasan_unpoison_pages(page, order, false); } -bool __kasan_mempool_poison_object(void *ptr, unsigned long ip) +bool __kasan_mempool_poison_object(void *ptr, bool notrack, unsigned long ip) { struct folio *folio = virt_to_folio(ptr); struct slab *slab; @@ -519,7 +520,7 @@ bool __kasan_mempool_poison_object(void *ptr, unsigned long ip) if (check_slab_allocation(slab->slab_cache, ptr, ip)) return false; - poison_slab_object(slab->slab_cache, ptr, false, false); + poison_slab_object(slab->slab_cache, ptr, false, false, notrack); return true; } diff --git a/mm/mempool.c b/mm/mempool.c index 3223337135d0..283df5d2b995 100644 --- a/mm/mempool.c +++ b/mm/mempool.c @@ -115,7 +115,7 @@ static inline void poison_element(mempool_t *pool, void *element) static __always_inline bool kasan_poison_element(mempool_t *pool, void *element) { if (pool->alloc == mempool_alloc_slab || pool->alloc == mempool_kmalloc) - return kasan_mempool_poison_object(element); + return kasan_mempool_poison_object(element, false); else if (pool->alloc == mempool_alloc_pages) return kasan_mempool_poison_pages(element, (unsigned long)pool->pool_data); diff --git a/net/core/skbuff.c b/net/core/skbuff.c index a441613a1e6c..c9f58a698bb7 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -1457,7 +1457,7 @@ static void napi_skb_cache_put(struct sk_buff *skb) struct napi_alloc_cache *nc = this_cpu_ptr(&napi_alloc_cache); u32 i; - if (!kasan_mempool_poison_object(skb)) + if (!kasan_mempool_poison_object(skb, false)) return; local_lock_nested_bh(&napi_alloc_cache.bh_lock); -- 2.45.3

2 months, 2 weeks

3
5
0 0

FAILED: patch "[PATCH] gpio: xilinx: Convert gpio_lock to raw spinlock" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 9860370c2172704b6b4f0075a0c2a29fd84af96a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025012027-shaft-catalyst-2d69@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9860370c2172704b6b4f0075a0c2a29fd84af96a Mon Sep 17 00:00:00 2001 From: Sean Anderson <sean.anderson(a)linux.dev> Date: Fri, 10 Jan 2025 11:33:54 -0500 Subject: [PATCH] gpio: xilinx: Convert gpio_lock to raw spinlock irq_chip functions may be called in raw spinlock context. Therefore, we must also use a raw spinlock for our own internal locking. This fixes the following lockdep splat: [ 5.349336] ============================= [ 5.353349] [ BUG: Invalid wait context ] [ 5.357361] 6.13.0-rc5+ #69 Tainted: G W [ 5.363031] ----------------------------- [ 5.367045] kworker/u17:1/44 is trying to lock: [ 5.371587] ffffff88018b02c0 (&chip->gpio_lock){....}-{3:3}, at: xgpio_irq_unmask (drivers/gpio/gpio-xilinx.c:433 (discriminator 8)) [ 5.380079] other info that might help us debug this: [ 5.385138] context-{5:5} [ 5.387762] 5 locks held by kworker/u17:1/44: [ 5.392123] #0: ffffff8800014958 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work (kernel/workqueue.c:3204) [ 5.402260] #1: ffffffc082fcbdd8 (deferred_probe_work){+.+.}-{0:0}, at: process_one_work (kernel/workqueue.c:3205) [ 5.411528] #2: ffffff880172c900 (&dev->mutex){....}-{4:4}, at: __device_attach (drivers/base/dd.c:1006) [ 5.419929] #3: ffffff88039c8268 (request_class#2){+.+.}-{4:4}, at: __setup_irq (kernel/irq/internals.h:156 kernel/irq/manage.c:1596) [ 5.428331] #4: ffffff88039c80c8 (lock_class#2){....}-{2:2}, at: __setup_irq (kernel/irq/manage.c:1614) [ 5.436472] stack backtrace: [ 5.439359] CPU: 2 UID: 0 PID: 44 Comm: kworker/u17:1 Tainted: G W 6.13.0-rc5+ #69 [ 5.448690] Tainted: [W]=WARN [ 5.451656] Hardware name: xlnx,zynqmp (DT) [ 5.455845] Workqueue: events_unbound deferred_probe_work_func [ 5.461699] Call trace: [ 5.464147] show_stack+0x18/0x24 C [ 5.467821] dump_stack_lvl (lib/dump_stack.c:123) [ 5.471501] dump_stack (lib/dump_stack.c:130) [ 5.474824] __lock_acquire (kernel/locking/lockdep.c:4828 kernel/locking/lockdep.c:4898 kernel/locking/lockdep.c:5176) [ 5.478758] lock_acquire (arch/arm64/include/asm/percpu.h:40 kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5851 kernel/locking/lockdep.c:5814) [ 5.482429] _raw_spin_lock_irqsave (include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162) [ 5.486797] xgpio_irq_unmask (drivers/gpio/gpio-xilinx.c:433 (discriminator 8)) [ 5.490737] irq_enable (kernel/irq/internals.h:236 kernel/irq/chip.c:170 kernel/irq/chip.c:439 kernel/irq/chip.c:432 kernel/irq/chip.c:345) [ 5.494060] __irq_startup (kernel/irq/internals.h:241 kernel/irq/chip.c:180 kernel/irq/chip.c:250) [ 5.497645] irq_startup (kernel/irq/chip.c:270) [ 5.501143] __setup_irq (kernel/irq/manage.c:1807) [ 5.504728] request_threaded_irq (kernel/irq/manage.c:2208) Fixes: a32c7caea292 ("gpio: gpio-xilinx: Add interrupt support") Signed-off-by: Sean Anderson <sean.anderson(a)linux.dev> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20250110163354.2012654-1-sean.anderson@linux.dev Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> diff --git a/drivers/gpio/gpio-xilinx.c b/drivers/gpio/gpio-xilinx.c index c6a8f2c82680..792d94c49077 100644 --- a/drivers/gpio/gpio-xilinx.c +++ b/drivers/gpio/gpio-xilinx.c @@ -65,7 +65,7 @@ struct xgpio_instance { DECLARE_BITMAP(state, 64); DECLARE_BITMAP(last_irq_read, 64); DECLARE_BITMAP(dir, 64); - spinlock_t gpio_lock; /* For serializing operations */ + raw_spinlock_t gpio_lock; /* For serializing operations */ int irq; DECLARE_BITMAP(enable, 64); DECLARE_BITMAP(rising_edge, 64); @@ -179,14 +179,14 @@ static void xgpio_set(struct gpio_chip *gc, unsigned int gpio, int val) struct xgpio_instance *chip = gpiochip_get_data(gc); int bit = xgpio_to_bit(chip, gpio); - spin_lock_irqsave(&chip->gpio_lock, flags); + raw_spin_lock_irqsave(&chip->gpio_lock, flags); /* Write to GPIO signal and set its direction to output */ __assign_bit(bit, chip->state, val); xgpio_write_ch(chip, XGPIO_DATA_OFFSET, bit, chip->state); - spin_unlock_irqrestore(&chip->gpio_lock, flags); + raw_spin_unlock_irqrestore(&chip->gpio_lock, flags); } /** @@ -210,7 +210,7 @@ static void xgpio_set_multiple(struct gpio_chip *gc, unsigned long *mask, bitmap_remap(hw_mask, mask, chip->sw_map, chip->hw_map, 64); bitmap_remap(hw_bits, bits, chip->sw_map, chip->hw_map, 64); - spin_lock_irqsave(&chip->gpio_lock, flags); + raw_spin_lock_irqsave(&chip->gpio_lock, flags); bitmap_replace(state, chip->state, hw_bits, hw_mask, 64); @@ -218,7 +218,7 @@ static void xgpio_set_multiple(struct gpio_chip *gc, unsigned long *mask, bitmap_copy(chip->state, state, 64); - spin_unlock_irqrestore(&chip->gpio_lock, flags); + raw_spin_unlock_irqrestore(&chip->gpio_lock, flags); } /** @@ -236,13 +236,13 @@ static int xgpio_dir_in(struct gpio_chip *gc, unsigned int gpio) struct xgpio_instance *chip = gpiochip_get_data(gc); int bit = xgpio_to_bit(chip, gpio); - spin_lock_irqsave(&chip->gpio_lock, flags); + raw_spin_lock_irqsave(&chip->gpio_lock, flags); /* Set the GPIO bit in shadow register and set direction as input */ __set_bit(bit, chip->dir); xgpio_write_ch(chip, XGPIO_TRI_OFFSET, bit, chip->dir); - spin_unlock_irqrestore(&chip->gpio_lock, flags); + raw_spin_unlock_irqrestore(&chip->gpio_lock, flags); return 0; } @@ -265,7 +265,7 @@ static int xgpio_dir_out(struct gpio_chip *gc, unsigned int gpio, int val) struct xgpio_instance *chip = gpiochip_get_data(gc); int bit = xgpio_to_bit(chip, gpio); - spin_lock_irqsave(&chip->gpio_lock, flags); + raw_spin_lock_irqsave(&chip->gpio_lock, flags); /* Write state of GPIO signal */ __assign_bit(bit, chip->state, val); @@ -275,7 +275,7 @@ static int xgpio_dir_out(struct gpio_chip *gc, unsigned int gpio, int val) __clear_bit(bit, chip->dir); xgpio_write_ch(chip, XGPIO_TRI_OFFSET, bit, chip->dir); - spin_unlock_irqrestore(&chip->gpio_lock, flags); + raw_spin_unlock_irqrestore(&chip->gpio_lock, flags); return 0; } @@ -398,7 +398,7 @@ static void xgpio_irq_mask(struct irq_data *irq_data) int bit = xgpio_to_bit(chip, irq_offset); u32 mask = BIT(bit / 32), temp; - spin_lock_irqsave(&chip->gpio_lock, flags); + raw_spin_lock_irqsave(&chip->gpio_lock, flags); __clear_bit(bit, chip->enable); @@ -408,7 +408,7 @@ static void xgpio_irq_mask(struct irq_data *irq_data) temp &= ~mask; xgpio_writereg(chip->regs + XGPIO_IPIER_OFFSET, temp); } - spin_unlock_irqrestore(&chip->gpio_lock, flags); + raw_spin_unlock_irqrestore(&chip->gpio_lock, flags); gpiochip_disable_irq(&chip->gc, irq_offset); } @@ -428,7 +428,7 @@ static void xgpio_irq_unmask(struct irq_data *irq_data) gpiochip_enable_irq(&chip->gc, irq_offset); - spin_lock_irqsave(&chip->gpio_lock, flags); + raw_spin_lock_irqsave(&chip->gpio_lock, flags); __set_bit(bit, chip->enable); @@ -447,7 +447,7 @@ static void xgpio_irq_unmask(struct irq_data *irq_data) xgpio_writereg(chip->regs + XGPIO_IPIER_OFFSET, val); } - spin_unlock_irqrestore(&chip->gpio_lock, flags); + raw_spin_unlock_irqrestore(&chip->gpio_lock, flags); } /** @@ -512,7 +512,7 @@ static void xgpio_irqhandler(struct irq_desc *desc) chained_irq_enter(irqchip, desc); - spin_lock(&chip->gpio_lock); + raw_spin_lock(&chip->gpio_lock); xgpio_read_ch_all(chip, XGPIO_DATA_OFFSET, all); @@ -529,7 +529,7 @@ static void xgpio_irqhandler(struct irq_desc *desc) bitmap_copy(chip->last_irq_read, all, 64); bitmap_or(all, rising, falling, 64); - spin_unlock(&chip->gpio_lock); + raw_spin_unlock(&chip->gpio_lock); dev_dbg(gc->parent, "IRQ rising %*pb falling %*pb\n", 64, rising, 64, falling); @@ -620,7 +620,7 @@ static int xgpio_probe(struct platform_device *pdev) bitmap_set(chip->hw_map, 0, width[0]); bitmap_set(chip->hw_map, 32, width[1]); - spin_lock_init(&chip->gpio_lock); + raw_spin_lock_init(&chip->gpio_lock); chip->gc.base = -1; chip->gc.ngpio = bitmap_weight(chip->hw_map, 64);

2 months, 2 weeks

4
6
0 0

[PATCH] statmount: let unset strings be empty

by Miklos Szeredi

Just like it's normal for unset values to be zero, unset strings should be empty instead of containing random values. It seems to be a typical mistake that the mask returned by statmount is not checked, which can result in various bugs. With this fix, these bugs are prevented, since it is highly likely that userspace would just want to turn the missing mask case into an empty string anyway (most of the recently found cases are of this type). Link: https://lore.kernel.org/all/CAJfpegsVCPfCn2DpM8iiYSS5DpMsLB8QBUCHecoj6s0Vxf… Fixes: 68385d77c05b ("statmount: simplify string option retrieval") Fixes: 46eae99ef733 ("add statmount(2) syscall") Cc: <stable(a)vger.kernel.org> # v6.8 Signed-off-by: Miklos Szeredi <mszeredi(a)redhat.com> --- fs/namespace.c | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/fs/namespace.c b/fs/namespace.c index a3ed3f2980cb..9c4d307a82cd 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -5191,39 +5191,45 @@ static int statmount_string(struct kstatmount *s, u64 flag) size_t kbufsize; struct seq_file *seq = &s->seq; struct statmount *sm = &s->sm; - u32 start = seq->count; + u32 start, *offp; + + /* Reserve an empty string at the beginning for any unset offsets */ + if (!seq->count) + seq_putc(seq, 0); + + start = seq->count; switch (flag) { case STATMOUNT_FS_TYPE: - sm->fs_type = start; + offp = &sm->fs_type; ret = statmount_fs_type(s, seq); break; case STATMOUNT_MNT_ROOT: - sm->mnt_root = start; + offp = &sm->mnt_root; ret = statmount_mnt_root(s, seq); break; case STATMOUNT_MNT_POINT: - sm->mnt_point = start; + offp = &sm->mnt_point; ret = statmount_mnt_point(s, seq); break; case STATMOUNT_MNT_OPTS: - sm->mnt_opts = start; + offp = &sm->mnt_opts; ret = statmount_mnt_opts(s, seq); break; case STATMOUNT_OPT_ARRAY: - sm->opt_array = start; + offp = &sm->opt_array; ret = statmount_opt_array(s, seq); break; case STATMOUNT_OPT_SEC_ARRAY: - sm->opt_sec_array = start; + offp = &sm->opt_sec_array; ret = statmount_opt_sec_array(s, seq); break; case STATMOUNT_FS_SUBTYPE: - sm->fs_subtype = start; + offp = &sm->fs_subtype; statmount_fs_subtype(s, seq); break; case STATMOUNT_SB_SOURCE: - sm->sb_source = start; + offp = &sm->sb_source; ret = statmount_sb_source(s, seq); break; default: @@ -5251,6 +5257,7 @@ static int statmount_string(struct kstatmount *s, u64 flag) seq->buf[seq->count++] = '\0'; sm->mask |= flag; + *offp = start; return 0; } -- 2.48.1

2 months, 2 weeks

3
2
0 0

FAILED: patch "[PATCH] io_uring/rsrc: require cloned buffers to share accounting" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 19d340a2988d4f3e673cded9dde405d727d7e248 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025013011-scenic-crazed-e3c8@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 19d340a2988d4f3e673cded9dde405d727d7e248 Mon Sep 17 00:00:00 2001 From: Jann Horn <jannh(a)google.com> Date: Tue, 14 Jan 2025 18:49:00 +0100 Subject: [PATCH] io_uring/rsrc: require cloned buffers to share accounting contexts When IORING_REGISTER_CLONE_BUFFERS is used to clone buffers from uring instance A to uring instance B, where A and B use different MMs for accounting, the accounting can go wrong: If uring instance A is closed before uring instance B, the pinned memory counters for uring instance B will be decremented, even though the pinned memory was originally accounted through uring instance A; so the MM of uring instance B can end up with negative locked memory. Cc: stable(a)vger.kernel.org Closes: https://lore.kernel.org/r/CAG48ez1zez4bdhmeGLEFxtbFADY4Czn3CV0u9d_TMcbvRA01… Fixes: 7cc2a6eadcd7 ("io_uring: add IORING_REGISTER_COPY_BUFFERS method") Signed-off-by: Jann Horn <jannh(a)google.com> Link: https://lore.kernel.org/r/20250114-uring-check-accounting-v1-1-42e4145aa743… Signed-off-by: Jens Axboe <axboe(a)kernel.dk> diff --git a/io_uring/rsrc.c b/io_uring/rsrc.c index 964a47c8d85e..688e277f0335 100644 --- a/io_uring/rsrc.c +++ b/io_uring/rsrc.c @@ -928,6 +928,13 @@ static int io_clone_buffers(struct io_ring_ctx *ctx, struct io_ring_ctx *src_ctx int i, ret, off, nr; unsigned int nbufs; + /* + * Accounting state is shared between the two rings; that only works if + * both rings are accounted towards the same counters. + */ + if (ctx->user != src_ctx->user || ctx->mm_account != src_ctx->mm_account) + return -EINVAL; + /* if offsets are given, must have nr specified too */ if (!arg->nr && (arg->dst_off || arg->src_off)) return -EINVAL;

2 months, 2 weeks

3
2
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror January 2025