January 2025 - Linux-stable-mirror

[PATCH v6.1-v5.10] gpiolib: cdev: Fix use after free in lineinfo_changed_notify

by hsimeliere.opensource＠witekio.com

From: Zhongqiu Han <quic_zhonhan(a)quicinc.com> [ Upstream commit 02f6b0e1ec7e0e7d059dddc893645816552039da ] The use-after-free issue occurs as follows: when the GPIO chip device file is being closed by invoking gpio_chrdev_release(), watched_lines is freed by bitmap_free(), but the unregistration of lineinfo_changed_nb notifier chain failed due to waiting write rwsem. Additionally, one of the GPIO chip's lines is also in the release process and holds the notifier chain's read rwsem. Consequently, a race condition leads to the use-after-free of watched_lines. Here is the typical stack when issue happened: [free] gpio_chrdev_release() --> bitmap_free(cdev->watched_lines) <-- freed --> blocking_notifier_chain_unregister() --> down_write(&nh->rwsem) <-- waiting rwsem --> __down_write_common() --> rwsem_down_write_slowpath() --> schedule_preempt_disabled() --> schedule() [use] st54spi_gpio_dev_release() --> gpio_free() --> gpiod_free() --> gpiod_free_commit() --> gpiod_line_state_notify() --> blocking_notifier_call_chain() --> down_read(&nh->rwsem); <-- held rwsem --> notifier_call_chain() --> lineinfo_changed_notify() --> test_bit(xxxx, cdev->watched_lines) <-- use after free The side effect of the use-after-free issue is that a GPIO line event is being generated for userspace where it shouldn't. However, since the chrdev is being closed, userspace won't have the chance to read that event anyway. To fix the issue, call the bitmap_free() function after the unregistration of lineinfo_changed_nb notifier chain. Fixes: 51c1064e82e7 ("gpiolib: add new ioctl() for monitoring changes in line info") Signed-off-by: Zhongqiu Han <quic_zhonhan(a)quicinc.com> Link: https://lore.kernel.org/r/20240505141156.2944912-1-quic_zhonhan@quicinc.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> Signed-off-by: Bruno VERNAY <bruno.vernay(a)se.com> Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource(a)witekio.com> --- drivers/gpio/gpiolib-cdev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c index 55f640ef3fee..897d20996a8c 100644 --- a/drivers/gpio/gpiolib-cdev.c +++ b/drivers/gpio/gpiolib-cdev.c @@ -2860,9 +2860,9 @@ static int gpio_chrdev_release(struct inode *inode, struct file *file) struct gpio_chardev_data *cdev = file->private_data; struct gpio_device *gdev = cdev->gdev; - bitmap_free(cdev->watched_lines); blocking_notifier_chain_unregister(&gdev->notifier, &cdev->lineinfo_changed_nb); + bitmap_free(cdev->watched_lines); put_device(&gdev->dev); kfree(cdev); -- 2.43.0

3 weeks, 4 days

2
1
0 0

[PATCH v6.6-v6.1] block: fix uaf for flush rq while iterating tags

by hsimeliere.opensource＠witekio.com

From: Yu Kuai <yukuai3(a)huawei.com> [ Upstream commit 3802f73bd80766d70f319658f334754164075bc3 ] blk_mq_clear_flush_rq_mapping() is not called during scsi probe, by checking blk_queue_init_done(). However, QUEUE_FLAG_INIT_DONE is cleared in del_gendisk by commit aec89dc5d421 ("block: keep q_usage_counter in atomic mode after del_gendisk"), hence for disk like scsi, following blk_mq_destroy_queue() will not clear flush rq from tags->rqs[] as well, cause following uaf that is found by our syzkaller for v6.6: ================================================================== BUG: KASAN: slab-use-after-free in blk_mq_find_and_get_req+0x16e/0x1a0 block/blk-mq-tag.c:261 Read of size 4 at addr ffff88811c969c20 by task kworker/1:2H/224909 CPU: 1 PID: 224909 Comm: kworker/1:2H Not tainted 6.6.0-ga836a5060850 #32 Workqueue: kblockd blk_mq_timeout_work Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106 print_address_description.constprop.0+0x66/0x300 mm/kasan/report.c:364 print_report+0x3e/0x70 mm/kasan/report.c:475 kasan_report+0xb8/0xf0 mm/kasan/report.c:588 blk_mq_find_and_get_req+0x16e/0x1a0 block/blk-mq-tag.c:261 bt_iter block/blk-mq-tag.c:288 [inline] __sbitmap_for_each_set include/linux/sbitmap.h:295 [inline] sbitmap_for_each_set include/linux/sbitmap.h:316 [inline] bt_for_each+0x455/0x790 block/blk-mq-tag.c:325 blk_mq_queue_tag_busy_iter+0x320/0x740 block/blk-mq-tag.c:534 blk_mq_timeout_work+0x1a3/0x7b0 block/blk-mq.c:1673 process_one_work+0x7c4/0x1450 kernel/workqueue.c:2631 process_scheduled_works kernel/workqueue.c:2704 [inline] worker_thread+0x804/0xe40 kernel/workqueue.c:2785 kthread+0x346/0x450 kernel/kthread.c:388 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:293 Allocated by task 942: kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:374 [inline] __kasan_kmalloc mm/kasan/common.c:383 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:380 kasan_kmalloc include/linux/kasan.h:198 [inline] __do_kmalloc_node mm/slab_common.c:1007 [inline] __kmalloc_node+0x69/0x170 mm/slab_common.c:1014 kmalloc_node include/linux/slab.h:620 [inline] kzalloc_node include/linux/slab.h:732 [inline] blk_alloc_flush_queue+0x144/0x2f0 block/blk-flush.c:499 blk_mq_alloc_hctx+0x601/0x940 block/blk-mq.c:3788 blk_mq_alloc_and_init_hctx+0x27f/0x330 block/blk-mq.c:4261 blk_mq_realloc_hw_ctxs+0x488/0x5e0 block/blk-mq.c:4294 blk_mq_init_allocated_queue+0x188/0x860 block/blk-mq.c:4350 blk_mq_init_queue_data block/blk-mq.c:4166 [inline] blk_mq_init_queue+0x8d/0x100 block/blk-mq.c:4176 scsi_alloc_sdev+0x843/0xd50 drivers/scsi/scsi_scan.c:335 scsi_probe_and_add_lun+0x77c/0xde0 drivers/scsi/scsi_scan.c:1189 __scsi_scan_target+0x1fc/0x5a0 drivers/scsi/scsi_scan.c:1727 scsi_scan_channel drivers/scsi/scsi_scan.c:1815 [inline] scsi_scan_channel+0x14b/0x1e0 drivers/scsi/scsi_scan.c:1791 scsi_scan_host_selected+0x2fe/0x400 drivers/scsi/scsi_scan.c:1844 scsi_scan+0x3a0/0x3f0 drivers/scsi/scsi_sysfs.c:151 store_scan+0x2a/0x60 drivers/scsi/scsi_sysfs.c:191 dev_attr_store+0x5c/0x90 drivers/base/core.c:2388 sysfs_kf_write+0x11c/0x170 fs/sysfs/file.c:136 kernfs_fop_write_iter+0x3fc/0x610 fs/kernfs/file.c:338 call_write_iter include/linux/fs.h:2083 [inline] new_sync_write+0x1b4/0x2d0 fs/read_write.c:493 vfs_write+0x76c/0xb00 fs/read_write.c:586 ksys_write+0x127/0x250 fs/read_write.c:639 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x78/0xe2 Freed by task 244687: kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 kasan_save_free_info+0x2b/0x50 mm/kasan/generic.c:522 ____kasan_slab_free mm/kasan/common.c:236 [inline] __kasan_slab_free+0x12a/0x1b0 mm/kasan/common.c:244 kasan_slab_free include/linux/kasan.h:164 [inline] slab_free_hook mm/slub.c:1815 [inline] slab_free_freelist_hook mm/slub.c:1841 [inline] slab_free mm/slub.c:3807 [inline] __kmem_cache_free+0xe4/0x520 mm/slub.c:3820 blk_free_flush_queue+0x40/0x60 block/blk-flush.c:520 blk_mq_hw_sysfs_release+0x4a/0x170 block/blk-mq-sysfs.c:37 kobject_cleanup+0x136/0x410 lib/kobject.c:689 kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x119/0x140 lib/kobject.c:737 blk_mq_release+0x24f/0x3f0 block/blk-mq.c:4144 blk_free_queue block/blk-core.c:298 [inline] blk_put_queue+0xe2/0x180 block/blk-core.c:314 blkg_free_workfn+0x376/0x6e0 block/blk-cgroup.c:144 process_one_work+0x7c4/0x1450 kernel/workqueue.c:2631 process_scheduled_works kernel/workqueue.c:2704 [inline] worker_thread+0x804/0xe40 kernel/workqueue.c:2785 kthread+0x346/0x450 kernel/kthread.c:388 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:293 Other than blk_mq_clear_flush_rq_mapping(), the flag is only used in blk_register_queue() from initialization path, hence it's safe not to clear the flag in del_gendisk. And since QUEUE_FLAG_REGISTERED already make sure that queue should only be registered once, there is no need to test the flag as well. Fixes: 6cfeadbff3f8 ("blk-mq: don't clear flush_rq from tags->rqs[]") Depends-on: commit aec89dc5d421 ("block: keep q_usage_counter in atomic mode after del_gendisk") Signed-off-by: Yu Kuai <yukuai3(a)huawei.com> Reviewed-by: Ming Lei <ming.lei(a)redhat.com> Link: https://lore.kernel.org/r/20241104110005.1412161-1-yukuai1@huaweicloud.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: BRUNO VERNAY <bruno.vernay(a)se.com> Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource(a)witekio.com> --- block/blk-sysfs.c | 6 ++---- block/genhd.c | 9 +++------ 2 files changed, 5 insertions(+), 10 deletions(-) diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c index a82bdec923b2..c74e8273511a 100644 --- a/block/blk-sysfs.c +++ b/block/blk-sysfs.c @@ -858,10 +858,8 @@ int blk_register_queue(struct gendisk *disk) * faster to shut down and is made fully functional here as * request_queues for non-existent devices never get registered. */ - if (!blk_queue_init_done(q)) { - blk_queue_flag_set(QUEUE_FLAG_INIT_DONE, q); - percpu_ref_switch_to_percpu(&q->q_usage_counter); - } + blk_queue_flag_set(QUEUE_FLAG_INIT_DONE, q); + percpu_ref_switch_to_percpu(&q->q_usage_counter); return ret; diff --git a/block/genhd.c b/block/genhd.c index 146ce13b192b..8256e11f85b7 100644 --- a/block/genhd.c +++ b/block/genhd.c @@ -685,13 +685,10 @@ void del_gendisk(struct gendisk *disk) * If the disk does not own the queue, allow using passthrough requests * again. Else leave the queue frozen to fail all I/O. */ - if (!test_bit(GD_OWNS_QUEUE, &disk->state)) { - blk_queue_flag_clear(QUEUE_FLAG_INIT_DONE, q); + if (!test_bit(GD_OWNS_QUEUE, &disk->state)) __blk_mq_unfreeze_queue(q, true); - } else { - if (queue_is_mq(q)) - blk_mq_exit_queue(q); - } + else if (queue_is_mq(q)) + blk_mq_exit_queue(q); } EXPORT_SYMBOL(del_gendisk); -- 2.43.0

3 weeks, 4 days

2
1
0 0

[PATCH 6.1] Bluetooth: hci_conn: Fix UAF in hci_enhanced_setup_sync

by Vasiliy Kovalev

From: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> commit 18fd04ad856df07733f5bb07e7f7168e7443d393 upstream. This checks if the ACL connection remains valid as it could be destroyed while hci_enhanced_setup_sync is pending on cmd_sync leading to the following trace: BUG: KASAN: slab-use-after-free in hci_enhanced_setup_sync+0x91b/0xa60 Read of size 1 at addr ffff888002328ffd by task kworker/u5:2/37 CPU: 0 UID: 0 PID: 37 Comm: kworker/u5:2 Not tainted 6.11.0-rc6-01300-g810be445d8d6 #7099 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: hci0 hci_cmd_sync_work Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ? hci_enhanced_setup_sync+0x91b/0xa60 print_report+0x152/0x4c0 ? hci_enhanced_setup_sync+0x91b/0xa60 ? __virt_addr_valid+0x1fa/0x420 ? hci_enhanced_setup_sync+0x91b/0xa60 kasan_report+0xda/0x1b0 ? hci_enhanced_setup_sync+0x91b/0xa60 hci_enhanced_setup_sync+0x91b/0xa60 ? __pfx_hci_enhanced_setup_sync+0x10/0x10 ? __pfx___mutex_lock+0x10/0x10 hci_cmd_sync_work+0x1c2/0x330 process_one_work+0x7d9/0x1360 ? __pfx_lock_acquire+0x10/0x10 ? __pfx_process_one_work+0x10/0x10 ? assign_work+0x167/0x240 worker_thread+0x5b7/0xf60 ? __kthread_parkme+0xac/0x1c0 ? __pfx_worker_thread+0x10/0x10 ? __pfx_worker_thread+0x10/0x10 kthread+0x293/0x360 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2f/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 34: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 __hci_conn_add+0x187/0x17d0 hci_connect_sco+0x2e1/0xb90 sco_sock_connect+0x2a2/0xb80 __sys_connect+0x227/0x2a0 __x64_sys_connect+0x6d/0xb0 do_syscall_64+0x71/0x140 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 37: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x101/0x160 kfree+0xd0/0x250 device_release+0x9a/0x210 kobject_put+0x151/0x280 hci_conn_del+0x448/0xbf0 hci_abort_conn_sync+0x46f/0x980 hci_cmd_sync_work+0x1c2/0x330 process_one_work+0x7d9/0x1360 worker_thread+0x5b7/0xf60 kthread+0x293/0x360 ret_from_fork+0x2f/0x70 ret_from_fork_asm+0x1a/0x30 Cc: stable(a)vger.kernel.org Fixes: e07a06b4eb41 ("Bluetooth: Convert SCO configure_datapath to hci_sync") Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> [kovalev: inline `hci_conn_valid()` functionality directly into `hci_enhanced_setup_sync()` to avoid dependencies during backporting.] Link: https://lore.kernel.org/all/2024101446-approve-rants-581d@gregkh/ Signed-off-by: Vasiliy Kovalev <kovalev(a)altlinux.org> --- Backport to fix CVE-2024-50029 Link: https://www.cve.org/CVERecord/?id=CVE-2024-50029 --- net/bluetooth/hci_conn.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c index 49b9dd21b73ea6..3906324b99d41a 100644 --- a/net/bluetooth/hci_conn.c +++ b/net/bluetooth/hci_conn.c @@ -390,9 +390,22 @@ static int hci_enhanced_setup_sync(struct hci_dev *hdev, void *data) __u16 handle = conn_handle->handle; struct hci_cp_enhanced_setup_sync_conn cp; const struct sco_param *param; + struct hci_conn_hash *hdev_conn_hash = &hdev->conn_hash; + struct hci_conn *hdev_conn; kfree(conn_handle); + rcu_read_lock(); + list_for_each_entry_rcu(hdev_conn, &hdev_conn_hash->list, list) { + if (hdev_conn == conn) { + rcu_read_unlock(); + goto conn_valid; + } + } + rcu_read_unlock(); + return -ECANCELED; + +conn_valid: bt_dev_dbg(hdev, "hcon %p", conn); configure_datapath_sync(hdev, &conn->codec); -- 2.33.8

3 weeks, 4 days

1
0
0 0

[PATCH] Revert v6.2-rc1 and later "ARM: dts: bcm2835-rpi: Use firmware clocks for display"

by H. Nikolaus Schaller

This reverts commit d02f02c28f5561cf5b2345f8b4c910bd98d18553. I tried to upgrade a RasPi 3B+ with Waveshare 7inch HDMI LCD from 6.1.y to 6.6.y but found that the display is broken with this log message: [ 17.776315] vc4-drm soc:gpu: bound 3f400000.hvs (ops vc4_drm_unregister [vc4]) [ 17.784034] platform 3f806000.vec: deferred probe pending Some tests revealed that while 6.1.y works, 6.2-rc1 is already broken but all newer kernels as well. And a bisect did lead me to this patch. I could repair several versions up to 6.13-rc7 by doing this revert. Newer kernels have just to take care of commit f702475b839c ("ARM: dts: bcm2835-rpi: Move duplicate firmware-clocks to bcm2835-rpi.dtsi") but that is straightforward. Fixes: d02f02c28f55 ("ARM: dts: bcm2835-rpi: Use firmware clocks for display") Signed-off-by: H. Nikolaus Schaller <hns(a)goldelico.com> --- arch/arm/boot/dts/bcm2835-rpi-common.dtsi | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/arch/arm/boot/dts/bcm2835-rpi-common.dtsi b/arch/arm/boot/dts/bcm2835-rpi-common.dtsi index 4e7b4a592da7c..8a55b6cded592 100644 --- a/arch/arm/boot/dts/bcm2835-rpi-common.dtsi +++ b/arch/arm/boot/dts/bcm2835-rpi-common.dtsi @@ -7,23 +7,6 @@ #include <dt-bindings/power/raspberrypi-power.h> -&firmware { - firmware_clocks: clocks { - compatible = "raspberrypi,firmware-clocks"; - #clock-cells = <1>; - }; -}; - -&hdmi { - clocks = <&firmware_clocks 9>, - <&firmware_clocks 13>; - clock-names = "pixel", "hdmi"; -}; - &v3d { power-domains = <&power RPI_POWER_DOMAIN_V3D>; }; - -&vec { - clocks = <&firmware_clocks 15>; -}; -- 2.47.0

3 weeks, 4 days

2
2
0 0

[PATCH 6.1 00/92] 6.1.125-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.125 release. There are 92 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 17 Jan 2025 10:34:58 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.125-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.125-rc1 Biju Das <biju.das.jz(a)bp.renesas.com> drm: adv7511: Fix use-after-free in adv7533_attach_dsi() Ahmad Fatoum <a.fatoum(a)pengutronix.de> drm: bridge: adv7511: use dev_err_probe in probe function Dennis Lam <dennis.lamerice(a)gmail.com> ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv Joseph Qi <joseph.qi(a)linux.alibaba.com> ocfs2: correct return value of ocfs2_local_free_info() Andrea della Porta <andrea.porta(a)suse.com> of: address: Preserve the flags portion on 1:1 dma-ranges mapping Rob Herring <robh(a)kernel.org> of: address: Store number of bus flag cells rather than bool Herve Codina <herve.codina(a)bootlin.com> of: address: Remove duplicated functions Herve Codina <herve.codina(a)bootlin.com> of: address: Fix address translation when address-size is greater than 2 Rob Herring <robh(a)kernel.org> of/address: Add support for 3 address cell bus Rob Herring <robh(a)kernel.org> of: unittest: Add bus address range parsing tests Peter Geis <pgwipeout(a)gmail.com> arm64: dts: rockchip: add hevc power domain clock to rk3328 Yu Kuai <yukuai3(a)huawei.com> block, bfq: fix waker_bfqq UAF after bfq_split_bfqq() Jesse Taube <Mr.Bossman075(a)gmail.com> ARM: dts: imxrt1050: Fix clocks for mmc Jens Axboe <axboe(a)kernel.dk> io_uring/eventfd: ensure io_eventfd_signal() defers another RCU period Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> iio: adc: ad7124: Disable all channels at probe time Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> iio: inkern: call iio_device_put() only on mapped devices Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> iio: adc: at91: call input_free_device() on allocated iio_dev Fabio Estevam <festevam(a)gmail.com> iio: adc: ti-ads124s08: Use gpiod_set_value_cansleep() Carlos Song <carlos.song(a)nxp.com> iio: gyro: fxas21002c: Fix missing data update in trigger handler Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: adc: ti-ads8688: fix information leak in triggered buffer Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: imu: kmx61: fix information leak in triggered buffer Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: light: vcnl4035: fix information leak in triggered buffer Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered buffer Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: pressure: zpa2326: fix information leak in triggered buffer Akash M <akash.m5(a)samsung.com> usb: gadget: f_fs: Remove WARN_ON in functionfs_bind Prashanth K <quic_prashk(a)quicinc.com> usb: gadget: f_uac2: Fix incorrect setting of bNumEndpoints Ma Ke <make_ruc2021(a)163.com> usb: fix reference leak in usb_new_device() Kai-Heng Feng <kaihengf(a)nvidia.com> USB: core: Disable LPM only for non-suspended ports Jun Yan <jerrysteve1101(a)gmail.com> USB: usblp: return error when setting unsupported protocol Prashanth K <quic_prashk(a)quicinc.com> usb: dwc3-am62: Disable autosuspend during remove Lianqin Hu <hulianqin(a)vivo.com> usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null Rengarajan S <rengarajan.s(a)microchip.com> misc: microchip: pci1xxxx: Resolve return code mismatch during GPIO set config Rengarajan S <rengarajan.s(a)microchip.com> misc: microchip: pci1xxxx: Resolve kernel panic during GPIO IRQ handling Li Huafei <lihuafei1(a)huawei.com> topology: Keep the cpumask unchanged when printing cpumap André Draszik <andre.draszik(a)linaro.org> usb: dwc3: gadget: fix writing NYET threshold Johan Hovold <johan(a)kernel.org> USB: serial: cp210x: add Phoenix Contact UPS Device Lubomir Rintel <lrintel(a)redhat.com> usb-storage: Add max sectors quirk for Nokia 208 Zicheng Qu <quzicheng(a)huawei.com> staging: iio: ad9832: Correct phase range check Zicheng Qu <quzicheng(a)huawei.com> staging: iio: ad9834: Correct phase range check Michal Hrusecky <michal.hrusecky(a)turris.com> USB: serial: option: add Neoway N723-EA support Chukun Pan <amadeus(a)jmu.edu.cn> USB: serial: option: add MeiG Smart SRM815 Daniel Borkmann <daniel(a)iogearbox.net> bpf: Fix overloading of MEM_UNINIT's meaning Daniel Borkmann <daniel(a)iogearbox.net> bpf: Add MEM_WRITE attribute Milan Broz <gmazyland(a)gmail.com> dm-verity FEC: Fix RS FEC repair for roots unaligned to block size (take 2) Melissa Wen <mwen(a)igalia.com> drm/amd/display: increase MAX_SURFACES to the value supported by hw Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[] Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: Add TongFang GM5HG0A to irq1_edge_low_force_override[] Nam Cao <namcao(a)linutronix.de> riscv: Fix sleeping in invalid context in die() Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> thermal: of: fix OF node leak in of_thermal_zone_find() Roman Li <Roman.Li(a)amd.com> drm/amd/display: Add check for granularity in dml ceil/floor helpers Matthieu Baerts (NGI0) <matttbe(a)kernel.org> sctp: sysctl: plpmtud_probe_interval: avoid using current->nsproxy Matthieu Baerts (NGI0) <matttbe(a)kernel.org> sctp: sysctl: udp_port: avoid using current->nsproxy Matthieu Baerts (NGI0) <matttbe(a)kernel.org> sctp: sysctl: auth_enable: avoid using current->nsproxy Matthieu Baerts (NGI0) <matttbe(a)kernel.org> sctp: sysctl: rto_min/max: avoid using current->nsproxy Matthieu Baerts (NGI0) <matttbe(a)kernel.org> sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy Mikulas Patocka <mpatocka(a)redhat.com> dm-ebs: don't set the flag DM_TARGET_PASSES_INTEGRITY Krister Johansen <kjlx(a)templeofstupid.com> dm thin: make get_first_thin use rcu-safe list first function Javier Carrasco <javier.carrasco.cruz(a)gmail.com> cpuidle: riscv-sbi: fix device node release in early exit of for_each_possible_cpu He Wang <xw897002528(a)gmail.com> ksmbd: fix unexpectedly changed path in ksmbd_vfs_kern_path_locked David Howells <dhowells(a)redhat.com> afs: Fix the maximum cell name length Wentao Liang <liangwentao(a)iscas.ac.cn> ksmbd: fix a missing return value check bug Liankun Yang <liankun.yang(a)mediatek.com> drm/mediatek: Add return value check when reading DPCD Liankun Yang <liankun.yang(a)mediatek.com> drm/mediatek: Fix mode valid issue for dp Liankun Yang <liankun.yang(a)mediatek.com> drm/mediatek: Fix YCbCr422 color format issue for DP Arnd Bergmann <arnd(a)arndb.de> drm/mediatek: stop selecting foreign drivers Chenguang Zhao <zhaochenguang(a)kylinos.cn> net/mlx5: Fix variable not being completed when function returns Toke Høiland-Jørgensen <toke(a)redhat.com> sched: sch_cake: add bounds checks to host bulk flow fairness counts Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: conntrack: clamp maximum hashtable size to INT_MAX Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: imbalance in flowtable binding Daniel Borkmann <daniel(a)iogearbox.net> tcp: Annotate data-race around sk->sk_mark in tcp_v4_send_reset Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_sync: Fix not setting Random Address when required Benjamin Coddington <bcodding(a)redhat.com> tls: Fix tls_sw_sendmsg error handling Przemyslaw Korba <przemyslaw.korba(a)intel.com> ice: fix incorrect PHY settings for 100 GB/s Anumula Murali Mohan Reddy <anumula(a)chelsio.com> cxgb4: Avoid removal of uninserted tid Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> bnxt_en: Fix possible memory leak when hwrm_req_replace fails Eric Dumazet <edumazet(a)google.com> net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute Zhongqiu Duan <dzq.aishenghu0(a)gmail.com> tcp/dccp: allow a connection when sk_max_ack_backlog is zero Jason Xing <kernelxing(a)tencent.com> tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog Antonio Pastor <antonio.pastor(a)gmail.com> net: 802: LLC+SNAP OID:PID lookup on start of skb data Keisuke Nishimura <keisuke.nishimura(a)inria.fr> ieee802154: ca8210: Add missing check for kfifo_alloc() in ca8210_probe() Chen-Yu Tsai <wenst(a)chromium.org> ASoC: mediatek: disable buffer pre-allocation Kuan-Wei Chiu <visitorckw(a)gmail.com> scripts/sorttable: fix orc_sort_cmp() to maintain symmetry and transitivity Yuezhang Mo <Yuezhang.Mo(a)sony.com> exfat: fix the infinite loop in __exfat_free_cluster() Yuezhang Mo <Yuezhang.Mo(a)sony.com> exfat: fix the infinite loop in exfat_readdir() Ming-Hung Tsai <mtsai(a)redhat.com> dm array: fix cursor index when skipping across block boundaries Ming-Hung Tsai <mtsai(a)redhat.com> dm array: fix unreleased btree blocks on closing a faulty array cursor Ming-Hung Tsai <mtsai(a)redhat.com> dm array: fix releasing a faulty array block twice in dm_array_cursor_end Zhang Yi <yi.zhang(a)huawei.com> jbd2: flush filesystem device before updating tail sequence Zhang Yi <yi.zhang(a)huawei.com> jbd2: increase IO priority for writing revoke records Qun-Wei Lin <qun-wei.lin(a)mediatek.com> sched/task_stack: fix object_is_on_stack() for KASAN tagged pointers Michal Luczaj <mhal(a)rbox.co> bpf, sockmap: Fix race between element replace and close() Max Kellermann <max.kellermann(a)ionos.com> ceph: give up on paths longer than PATH_MAX ------------- Diffstat: Makefile | 4 +- arch/arm/boot/dts/imxrt1050.dtsi | 2 +- arch/arm64/boot/dts/rockchip/rk3328.dtsi | 1 + arch/riscv/kernel/traps.c | 6 +- block/bfq-iosched.c | 12 +- drivers/acpi/resource.c | 18 +++ drivers/base/topology.c | 24 +++- drivers/cpuidle/cpuidle-riscv-sbi.c | 4 +- drivers/gpu/drm/amd/display/dc/dc.h | 2 +- .../gpu/drm/amd/display/dc/dml/dml_inline_defs.h | 8 ++ drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 8 +- drivers/gpu/drm/bridge/adv7511/adv7533.c | 22 ++-- drivers/gpu/drm/mediatek/Kconfig | 5 - drivers/gpu/drm/mediatek/mtk_dp.c | 46 ++++--- drivers/iio/adc/ad7124.c | 3 + drivers/iio/adc/at91_adc.c | 2 +- drivers/iio/adc/ti-ads124s08.c | 4 +- drivers/iio/adc/ti-ads8688.c | 2 +- drivers/iio/dummy/iio_simple_dummy_buffer.c | 2 +- drivers/iio/gyro/fxas21002c_core.c | 11 +- drivers/iio/imu/kmx61.c | 2 +- drivers/iio/inkern.c | 2 +- drivers/iio/light/vcnl4035.c | 2 +- drivers/iio/pressure/zpa2326.c | 2 + drivers/md/dm-ebs-target.c | 2 +- drivers/md/dm-thin.c | 5 +- drivers/md/dm-verity-fec.c | 39 ++++-- drivers/md/persistent-data/dm-array.c | 19 +-- drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gpio.c | 4 +- drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c | 3 +- drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 5 +- drivers/net/ethernet/intel/ice/ice_ptp_consts.h | 4 +- drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 1 + drivers/net/ieee802154/ca8210.c | 6 +- drivers/of/address.c | 76 ++++++++--- drivers/of/unittest-data/tests-address.dtsi | 9 +- drivers/of/unittest.c | 109 ++++++++++++++++ drivers/staging/iio/frequency/ad9832.c | 2 +- drivers/staging/iio/frequency/ad9834.c | 2 +- drivers/thermal/thermal_of.c | 1 + drivers/usb/class/usblp.c | 7 +- drivers/usb/core/hub.c | 6 +- drivers/usb/core/port.c | 7 +- drivers/usb/dwc3/core.h | 1 + drivers/usb/dwc3/dwc3-am62.c | 1 + drivers/usb/dwc3/gadget.c | 4 +- drivers/usb/gadget/function/f_fs.c | 2 +- drivers/usb/gadget/function/f_uac2.c | 1 + drivers/usb/gadget/function/u_serial.c | 8 +- drivers/usb/serial/cp210x.c | 1 + drivers/usb/serial/option.c | 4 +- drivers/usb/storage/unusual_devs.h | 7 ++ fs/afs/afs.h | 2 +- fs/afs/afs_vl.h | 1 + fs/afs/vl_alias.c | 8 +- fs/afs/vlclient.c | 2 +- fs/ceph/mds_client.c | 9 +- fs/exfat/dir.c | 3 +- fs/exfat/fatent.c | 10 ++ fs/jbd2/commit.c | 4 +- fs/jbd2/revoke.c | 2 +- fs/ocfs2/quota_global.c | 2 +- fs/ocfs2/quota_local.c | 10 +- fs/smb/server/smb2pdu.c | 3 + fs/smb/server/vfs.c | 3 +- include/linux/bpf.h | 14 ++- include/linux/sched/task_stack.h | 2 + include/net/inet_connection_sock.h | 2 +- io_uring/io_uring.c | 13 +- kernel/bpf/helpers.c | 10 +- kernel/bpf/ringbuf.c | 2 +- kernel/bpf/syscall.c | 2 +- kernel/bpf/verifier.c | 76 ++++++----- kernel/trace/bpf_trace.c | 4 +- net/802/psnap.c | 4 +- net/bluetooth/hci_sync.c | 11 +- net/core/filter.c | 4 +- net/core/sock_map.c | 6 +- net/ipv4/tcp_ipv4.c | 2 +- net/netfilter/nf_conntrack_core.c | 5 +- net/netfilter/nf_tables_api.c | 15 ++- net/sched/cls_flow.c | 3 +- net/sched/sch_cake.c | 140 +++++++++++---------- net/sctp/sysctl.c | 14 ++- net/tls/tls_sw.c | 2 +- scripts/sorttable.h | 6 +- .../soc/mediatek/common/mtk-afe-platform-driver.c | 4 +- 87 files changed, 624 insertions(+), 306 deletions(-)

3 weeks, 5 days

11
105
0 0

[PATCH] irqchip/apple-aic: Only handle PMC interrupt as FIQ when configured to fire FIQ

by Nick Chan

The CPU PMU in Apple SoCs can be configured to fire its interrupt in one of several ways, and since Apple A11 one of the method is FIQ. Only handle the PMC interrupt as a FIQ when the CPU PMU has been configured to fire FIQs. Cc: stable(a)vger.kernel.org Fixes: c7708816c944 ("irqchip/apple-aic: Wire PMU interrupts") Signed-off-by: Nick Chan <towinchenmi(a)gmail.com> --- drivers/irqchip/irq-apple-aic.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/irqchip/irq-apple-aic.c b/drivers/irqchip/irq-apple-aic.c index da5250f0155c..c3d435103d6d 100644 --- a/drivers/irqchip/irq-apple-aic.c +++ b/drivers/irqchip/irq-apple-aic.c @@ -577,7 +577,8 @@ static void __exception_irq_entry aic_handle_fiq(struct pt_regs *regs) AIC_FIQ_HWIRQ(AIC_TMR_EL02_VIRT)); } - if (read_sysreg_s(SYS_IMP_APL_PMCR0_EL1) & PMCR0_IACT) { + if (read_sysreg_s(SYS_IMP_APL_PMCR0_EL1) & + (FIELD_PREP(PMCR0_IMODE, PMCR0_IMODE_FIQ) | PMCR0_IACT)) { int irq; if (cpumask_test_cpu(smp_processor_id(), &aic_irqc->fiq_aff[AIC_CPU_PMU_P]->aff)) base-commit: 40384c840ea1944d7c5a392e8975ed088ecf0b37 -- 2.48.1

3 weeks, 5 days

2
2
0 0

Frequent kernel messages related to IR keymap rc-cec with kernel 6.12.10 and HDMI monitor

by Farblos

This is on Debian testing with the following kernel, built from the tarball on kernel.org: Linux sappc1 6.12.10 #4 SMP PREEMPT_DYNAMIC Fri Jan 17 22:17:45 CET 2025 x86_64 GNU/Linux It is running on an 12th gen Intel Framework laptop, with monitor connected through Framework's USB-C-to-HDMI adapter (the 3rd gen one): https://knowledgebase.frame.work/hdmi-expansion-card-generations-Sk7AQKUv2 Since my kernel got upgraded to version 6.12.*, I get frequently journal messages like these: Jan 15 15:24:51 host01 kernel: Registered IR keymap rc-cec Jan 15 15:24:51 host01 kernel: rc rc0: DP-3 as /devices/pci0000:00/0000:00:02.0/rc/rc0 Jan 15 15:24:51 host01 kernel: input: DP-3 as /devices/pci0000:00/0000:00:02.0/rc/rc0/input146 Jan 15 15:24:51 host01 systemd-logind[1456]: Watching system buttons on /dev/input/event11 (DP-3) Jan 15 15:24:51 host01 Xorg[1663]: (II) config/udev: Adding input device DP-3 (/dev/input/event11) I tried to ignore these as long as they have been showing up during boot only or when screen resolution got changed using xrandr, but today I noticed that these repeat every 30 secs or so when my screen saver is active. Which then kind of floods the journal. With the previous 6.11.* kernel series I would see these messages only once, during startup. When using a DisplayPort adapter instead of the HDMI adapter, these messages do not show up either. I guess that it is not the CEC subsystem being responsible here, but rather some other component which triggers it more frequently than earlier. Any help on how to find more about this issue appreciated. Please CC me in replies. Thanks!

3 weeks, 5 days

1
1
0 0

6.1.125 build fail was -- Re: [PATCH 6.1 00/92] 6.1.125-rc1 review

by Pavel Machek

Hi! > > > Still building, but we already have failures on risc-v. > > > > > > drivers/usb/core/port.c: In function 'usb_port_shutdown': > > > 2912 > > > drivers/usb/core/port.c:417:26: error: 'struct usb_device' has no member named 'port_is_suspended' > > > 2913 > > > 417 | if (udev && !udev->port_is_suspended) { > > > 2914 > > > | ^~ > > > 2915 > > > make[4]: *** [scripts/Makefile.build:250: drivers/usb/core/port.o] Error 1 > > > 2916 > > > make[4]: *** Waiting for unfinished jobs.... > > > 2917 > > > CC drivers/gpu/drm/radeon/radeon_test.o > > > > And there's similar failure on x86: > > > > https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/pipelines/1… > > Thanks for testing and letting me know, Ok, so it seems _this_ failure is fixed... but there's new one. Build failure on risc-v. LD .tmp_vmlinux.kallsyms1 2941 riscv64-linux-gnu-ld: drivers/usb/host/xhci-pci.o: in function `xhci_pci_resume': 2942 xhci-pci.c:(.text+0xd8c): undefined reference to `xhci_resume' 2943 riscv64-linux-gnu-ld: xhci-pci.c:(.text+0xe1a): undefined reference to `xhci_suspend' 2944 make[1]: *** [scripts/Makefile.vmlinux:34: vmlinux] Error 1 2945 make: *** [Makefile:1250: vmlinux] Error 2 https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/jobs/888318… (I have also 2 runtime failures, I'm retrying those jobs. https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/pipelines/1… ). I partly reconsructed To:. Best regards, Pavel -- DENX Software Engineering GmbH, Managing Director: Erika Unter HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

3 weeks, 5 days

3
3
0 0

[PATCH] iio: light: apds9306: fix max_scale_nano values

by Javier Carrasco

The two provided max_scale_nano values must be multiplied by 100 and 10 respectively to achieve nano units. According to the comments: Max scale for apds0306 is 16.326432 → the fractional part is 0.326432, which is 326432000 in NANO. The current value is 3264320. Max scale for apds0306-065 is 14.09721 → the fractional part is 0.09712, which is 97120000 in NANO. The current value is 9712000. Update max_scale_nano initialization to use the right NANO fractional parts. Cc: stable(a)vger.kernel.org Fixes: 620d1e6c7a3f ("iio: light: Add support for APDS9306 Light Sensor") Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> --- drivers/iio/light/apds9306.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/iio/light/apds9306.c b/drivers/iio/light/apds9306.c index 69a0d609cffc91cc3daba160f309f511270be385..5ed7e17f49e76206609aba83c85e8144c536d17d 100644 --- a/drivers/iio/light/apds9306.c +++ b/drivers/iio/light/apds9306.c @@ -108,11 +108,11 @@ static const struct part_id_gts_multiplier apds9306_gts_mul[] = { { .part_id = 0xB1, .max_scale_int = 16, - .max_scale_nano = 3264320, + .max_scale_nano = 326432000, }, { .part_id = 0xB3, .max_scale_int = 14, - .max_scale_nano = 9712000, + .max_scale_nano = 97120000, }, }; --- base-commit: 577a66e2e634f712384c57a98f504c44ea4b47da change-id: 20241218-apds9306_nano_vals-d880219a82f2 Best regards, -- Javier Carrasco <javier.carrasco.cruz(a)gmail.com>

3 weeks, 5 days

3
2
0 0

backport request

by Ard Biesheuvel

Please backport 0b2c29fb68f8bf3e87a9 efi/zboot: Limit compression options to GZIP and ZSTD to v6.12. Future work on kexec and EFI zboot will only support those compression methods, and currently, only Loongarch on Debian uses this with a different compression method (XZ) and so now is the time to make this change. Thanks, Ard.

3 weeks, 5 days

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror January 2025