January 2025 - Linux-stable-mirror

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.125 release. There are 92 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 17 Jan 2025 10:34:58 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.125-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.125-rc1 Biju Das <biju.das.jz(a)bp.renesas.com> drm: adv7511: Fix use-after-free in adv7533_attach_dsi() Ahmad Fatoum <a.fatoum(a)pengutronix.de> drm: bridge: adv7511: use dev_err_probe in probe function Dennis Lam <dennis.lamerice(a)gmail.com> ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv Joseph Qi <joseph.qi(a)linux.alibaba.com> ocfs2: correct return value of ocfs2_local_free_info() Andrea della Porta <andrea.porta(a)suse.com> of: address: Preserve the flags portion on 1:1 dma-ranges mapping Rob Herring <robh(a)kernel.org> of: address: Store number of bus flag cells rather than bool Herve Codina <herve.codina(a)bootlin.com> of: address: Remove duplicated functions Herve Codina <herve.codina(a)bootlin.com> of: address: Fix address translation when address-size is greater than 2 Rob Herring <robh(a)kernel.org> of/address: Add support for 3 address cell bus Rob Herring <robh(a)kernel.org> of: unittest: Add bus address range parsing tests Peter Geis <pgwipeout(a)gmail.com> arm64: dts: rockchip: add hevc power domain clock to rk3328 Yu Kuai <yukuai3(a)huawei.com> block, bfq: fix waker_bfqq UAF after bfq_split_bfqq() Jesse Taube <Mr.Bossman075(a)gmail.com> ARM: dts: imxrt1050: Fix clocks for mmc Jens Axboe <axboe(a)kernel.dk> io_uring/eventfd: ensure io_eventfd_signal() defers another RCU period Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> iio: adc: ad7124: Disable all channels at probe time Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> iio: inkern: call iio_device_put() only on mapped devices Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> iio: adc: at91: call input_free_device() on allocated iio_dev Fabio Estevam <festevam(a)gmail.com> iio: adc: ti-ads124s08: Use gpiod_set_value_cansleep() Carlos Song <carlos.song(a)nxp.com> iio: gyro: fxas21002c: Fix missing data update in trigger handler Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: adc: ti-ads8688: fix information leak in triggered buffer Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: imu: kmx61: fix information leak in triggered buffer Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: light: vcnl4035: fix information leak in triggered buffer Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered buffer Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: pressure: zpa2326: fix information leak in triggered buffer Akash M <akash.m5(a)samsung.com> usb: gadget: f_fs: Remove WARN_ON in functionfs_bind Prashanth K <quic_prashk(a)quicinc.com> usb: gadget: f_uac2: Fix incorrect setting of bNumEndpoints Ma Ke <make_ruc2021(a)163.com> usb: fix reference leak in usb_new_device() Kai-Heng Feng <kaihengf(a)nvidia.com> USB: core: Disable LPM only for non-suspended ports Jun Yan <jerrysteve1101(a)gmail.com> USB: usblp: return error when setting unsupported protocol Prashanth K <quic_prashk(a)quicinc.com> usb: dwc3-am62: Disable autosuspend during remove Lianqin Hu <hulianqin(a)vivo.com> usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null Rengarajan S <rengarajan.s(a)microchip.com> misc: microchip: pci1xxxx: Resolve return code mismatch during GPIO set config Rengarajan S <rengarajan.s(a)microchip.com> misc: microchip: pci1xxxx: Resolve kernel panic during GPIO IRQ handling Li Huafei <lihuafei1(a)huawei.com> topology: Keep the cpumask unchanged when printing cpumap André Draszik <andre.draszik(a)linaro.org> usb: dwc3: gadget: fix writing NYET threshold Johan Hovold <johan(a)kernel.org> USB: serial: cp210x: add Phoenix Contact UPS Device Lubomir Rintel <lrintel(a)redhat.com> usb-storage: Add max sectors quirk for Nokia 208 Zicheng Qu <quzicheng(a)huawei.com> staging: iio: ad9832: Correct phase range check Zicheng Qu <quzicheng(a)huawei.com> staging: iio: ad9834: Correct phase range check Michal Hrusecky <michal.hrusecky(a)turris.com> USB: serial: option: add Neoway N723-EA support Chukun Pan <amadeus(a)jmu.edu.cn> USB: serial: option: add MeiG Smart SRM815 Daniel Borkmann <daniel(a)iogearbox.net> bpf: Fix overloading of MEM_UNINIT's meaning Daniel Borkmann <daniel(a)iogearbox.net> bpf: Add MEM_WRITE attribute Milan Broz <gmazyland(a)gmail.com> dm-verity FEC: Fix RS FEC repair for roots unaligned to block size (take 2) Melissa Wen <mwen(a)igalia.com> drm/amd/display: increase MAX_SURFACES to the value supported by hw Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[] Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: Add TongFang GM5HG0A to irq1_edge_low_force_override[] Nam Cao <namcao(a)linutronix.de> riscv: Fix sleeping in invalid context in die() Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> thermal: of: fix OF node leak in of_thermal_zone_find() Roman Li <Roman.Li(a)amd.com> drm/amd/display: Add check for granularity in dml ceil/floor helpers Matthieu Baerts (NGI0) <matttbe(a)kernel.org> sctp: sysctl: plpmtud_probe_interval: avoid using current->nsproxy Matthieu Baerts (NGI0) <matttbe(a)kernel.org> sctp: sysctl: udp_port: avoid using current->nsproxy Matthieu Baerts (NGI0) <matttbe(a)kernel.org> sctp: sysctl: auth_enable: avoid using current->nsproxy Matthieu Baerts (NGI0) <matttbe(a)kernel.org> sctp: sysctl: rto_min/max: avoid using current->nsproxy Matthieu Baerts (NGI0) <matttbe(a)kernel.org> sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy Mikulas Patocka <mpatocka(a)redhat.com> dm-ebs: don't set the flag DM_TARGET_PASSES_INTEGRITY Krister Johansen <kjlx(a)templeofstupid.com> dm thin: make get_first_thin use rcu-safe list first function Javier Carrasco <javier.carrasco.cruz(a)gmail.com> cpuidle: riscv-sbi: fix device node release in early exit of for_each_possible_cpu He Wang <xw897002528(a)gmail.com> ksmbd: fix unexpectedly changed path in ksmbd_vfs_kern_path_locked David Howells <dhowells(a)redhat.com> afs: Fix the maximum cell name length Wentao Liang <liangwentao(a)iscas.ac.cn> ksmbd: fix a missing return value check bug Liankun Yang <liankun.yang(a)mediatek.com> drm/mediatek: Add return value check when reading DPCD Liankun Yang <liankun.yang(a)mediatek.com> drm/mediatek: Fix mode valid issue for dp Liankun Yang <liankun.yang(a)mediatek.com> drm/mediatek: Fix YCbCr422 color format issue for DP Arnd Bergmann <arnd(a)arndb.de> drm/mediatek: stop selecting foreign drivers Chenguang Zhao <zhaochenguang(a)kylinos.cn> net/mlx5: Fix variable not being completed when function returns Toke Høiland-Jørgensen <toke(a)redhat.com> sched: sch_cake: add bounds checks to host bulk flow fairness counts Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: conntrack: clamp maximum hashtable size to INT_MAX Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: imbalance in flowtable binding Daniel Borkmann <daniel(a)iogearbox.net> tcp: Annotate data-race around sk->sk_mark in tcp_v4_send_reset Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_sync: Fix not setting Random Address when required Benjamin Coddington <bcodding(a)redhat.com> tls: Fix tls_sw_sendmsg error handling Przemyslaw Korba <przemyslaw.korba(a)intel.com> ice: fix incorrect PHY settings for 100 GB/s Anumula Murali Mohan Reddy <anumula(a)chelsio.com> cxgb4: Avoid removal of uninserted tid Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> bnxt_en: Fix possible memory leak when hwrm_req_replace fails Eric Dumazet <edumazet(a)google.com> net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute Zhongqiu Duan <dzq.aishenghu0(a)gmail.com> tcp/dccp: allow a connection when sk_max_ack_backlog is zero Jason Xing <kernelxing(a)tencent.com> tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog Antonio Pastor <antonio.pastor(a)gmail.com> net: 802: LLC+SNAP OID:PID lookup on start of skb data Keisuke Nishimura <keisuke.nishimura(a)inria.fr> ieee802154: ca8210: Add missing check for kfifo_alloc() in ca8210_probe() Chen-Yu Tsai <wenst(a)chromium.org> ASoC: mediatek: disable buffer pre-allocation Kuan-Wei Chiu <visitorckw(a)gmail.com> scripts/sorttable: fix orc_sort_cmp() to maintain symmetry and transitivity Yuezhang Mo <Yuezhang.Mo(a)sony.com> exfat: fix the infinite loop in __exfat_free_cluster() Yuezhang Mo <Yuezhang.Mo(a)sony.com> exfat: fix the infinite loop in exfat_readdir() Ming-Hung Tsai <mtsai(a)redhat.com> dm array: fix cursor index when skipping across block boundaries Ming-Hung Tsai <mtsai(a)redhat.com> dm array: fix unreleased btree blocks on closing a faulty array cursor Ming-Hung Tsai <mtsai(a)redhat.com> dm array: fix releasing a faulty array block twice in dm_array_cursor_end Zhang Yi <yi.zhang(a)huawei.com> jbd2: flush filesystem device before updating tail sequence Zhang Yi <yi.zhang(a)huawei.com> jbd2: increase IO priority for writing revoke records Qun-Wei Lin <qun-wei.lin(a)mediatek.com> sched/task_stack: fix object_is_on_stack() for KASAN tagged pointers Michal Luczaj <mhal(a)rbox.co> bpf, sockmap: Fix race between element replace and close() Max Kellermann <max.kellermann(a)ionos.com> ceph: give up on paths longer than PATH_MAX ------------- Diffstat: Makefile | 4 +- arch/arm/boot/dts/imxrt1050.dtsi | 2 +- arch/arm64/boot/dts/rockchip/rk3328.dtsi | 1 + arch/riscv/kernel/traps.c | 6 +- block/bfq-iosched.c | 12 +- drivers/acpi/resource.c | 18 +++ drivers/base/topology.c | 24 +++- drivers/cpuidle/cpuidle-riscv-sbi.c | 4 +- drivers/gpu/drm/amd/display/dc/dc.h | 2 +- .../gpu/drm/amd/display/dc/dml/dml_inline_defs.h | 8 ++ drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 8 +- drivers/gpu/drm/bridge/adv7511/adv7533.c | 22 ++-- drivers/gpu/drm/mediatek/Kconfig | 5 - drivers/gpu/drm/mediatek/mtk_dp.c | 46 ++++--- drivers/iio/adc/ad7124.c | 3 + drivers/iio/adc/at91_adc.c | 2 +- drivers/iio/adc/ti-ads124s08.c | 4 +- drivers/iio/adc/ti-ads8688.c | 2 +- drivers/iio/dummy/iio_simple_dummy_buffer.c | 2 +- drivers/iio/gyro/fxas21002c_core.c | 11 +- drivers/iio/imu/kmx61.c | 2 +- drivers/iio/inkern.c | 2 +- drivers/iio/light/vcnl4035.c | 2 +- drivers/iio/pressure/zpa2326.c | 2 + drivers/md/dm-ebs-target.c | 2 +- drivers/md/dm-thin.c | 5 +- drivers/md/dm-verity-fec.c | 39 ++++-- drivers/md/persistent-data/dm-array.c | 19 +-- drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gpio.c | 4 +- drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c | 3 +- drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 5 +- drivers/net/ethernet/intel/ice/ice_ptp_consts.h | 4 +- drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 1 + drivers/net/ieee802154/ca8210.c | 6 +- drivers/of/address.c | 76 ++++++++--- drivers/of/unittest-data/tests-address.dtsi | 9 +- drivers/of/unittest.c | 109 ++++++++++++++++ drivers/staging/iio/frequency/ad9832.c | 2 +- drivers/staging/iio/frequency/ad9834.c | 2 +- drivers/thermal/thermal_of.c | 1 + drivers/usb/class/usblp.c | 7 +- drivers/usb/core/hub.c | 6 +- drivers/usb/core/port.c | 7 +- drivers/usb/dwc3/core.h | 1 + drivers/usb/dwc3/dwc3-am62.c | 1 + drivers/usb/dwc3/gadget.c | 4 +- drivers/usb/gadget/function/f_fs.c | 2 +- drivers/usb/gadget/function/f_uac2.c | 1 + drivers/usb/gadget/function/u_serial.c | 8 +- drivers/usb/serial/cp210x.c | 1 + drivers/usb/serial/option.c | 4 +- drivers/usb/storage/unusual_devs.h | 7 ++ fs/afs/afs.h | 2 +- fs/afs/afs_vl.h | 1 + fs/afs/vl_alias.c | 8 +- fs/afs/vlclient.c | 2 +- fs/ceph/mds_client.c | 9 +- fs/exfat/dir.c | 3 +- fs/exfat/fatent.c | 10 ++ fs/jbd2/commit.c | 4 +- fs/jbd2/revoke.c | 2 +- fs/ocfs2/quota_global.c | 2 +- fs/ocfs2/quota_local.c | 10 +- fs/smb/server/smb2pdu.c | 3 + fs/smb/server/vfs.c | 3 +- include/linux/bpf.h | 14 ++- include/linux/sched/task_stack.h | 2 + include/net/inet_connection_sock.h | 2 +- io_uring/io_uring.c | 13 +- kernel/bpf/helpers.c | 10 +- kernel/bpf/ringbuf.c | 2 +- kernel/bpf/syscall.c | 2 +- kernel/bpf/verifier.c | 76 ++++++----- kernel/trace/bpf_trace.c | 4 +- net/802/psnap.c | 4 +- net/bluetooth/hci_sync.c | 11 +- net/core/filter.c | 4 +- net/core/sock_map.c | 6 +- net/ipv4/tcp_ipv4.c | 2 +- net/netfilter/nf_conntrack_core.c | 5 +- net/netfilter/nf_tables_api.c | 15 ++- net/sched/cls_flow.c | 3 +- net/sched/sch_cake.c | 140 +++++++++++---------- net/sctp/sysctl.c | 14 ++- net/tls/tls_sw.c | 2 +- scripts/sorttable.h | 6 +- .../soc/mediatek/common/mtk-afe-platform-driver.c | 4 +- 87 files changed, 624 insertions(+), 306 deletions(-)

3 months

11
105
0 0

[PATCH] irqchip/apple-aic: Only handle PMC interrupt as FIQ when configured to fire FIQ

by Nick Chan

The CPU PMU in Apple SoCs can be configured to fire its interrupt in one of several ways, and since Apple A11 one of the method is FIQ. Only handle the PMC interrupt as a FIQ when the CPU PMU has been configured to fire FIQs. Cc: stable(a)vger.kernel.org Fixes: c7708816c944 ("irqchip/apple-aic: Wire PMU interrupts") Signed-off-by: Nick Chan <towinchenmi(a)gmail.com> --- drivers/irqchip/irq-apple-aic.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/irqchip/irq-apple-aic.c b/drivers/irqchip/irq-apple-aic.c index da5250f0155c..c3d435103d6d 100644 --- a/drivers/irqchip/irq-apple-aic.c +++ b/drivers/irqchip/irq-apple-aic.c @@ -577,7 +577,8 @@ static void __exception_irq_entry aic_handle_fiq(struct pt_regs *regs) AIC_FIQ_HWIRQ(AIC_TMR_EL02_VIRT)); } - if (read_sysreg_s(SYS_IMP_APL_PMCR0_EL1) & PMCR0_IACT) { + if (read_sysreg_s(SYS_IMP_APL_PMCR0_EL1) & + (FIELD_PREP(PMCR0_IMODE, PMCR0_IMODE_FIQ) | PMCR0_IACT)) { int irq; if (cpumask_test_cpu(smp_processor_id(), &aic_irqc->fiq_aff[AIC_CPU_PMU_P]->aff)) base-commit: 40384c840ea1944d7c5a392e8975ed088ecf0b37 -- 2.48.1

3 months

2
2
0 0

Frequent kernel messages related to IR keymap rc-cec with kernel 6.12.10 and HDMI monitor

by Farblos

This is on Debian testing with the following kernel, built from the tarball on kernel.org: Linux sappc1 6.12.10 #4 SMP PREEMPT_DYNAMIC Fri Jan 17 22:17:45 CET 2025 x86_64 GNU/Linux It is running on an 12th gen Intel Framework laptop, with monitor connected through Framework's USB-C-to-HDMI adapter (the 3rd gen one): https://knowledgebase.frame.work/hdmi-expansion-card-generations-Sk7AQKUv2 Since my kernel got upgraded to version 6.12.*, I get frequently journal messages like these: Jan 15 15:24:51 host01 kernel: Registered IR keymap rc-cec Jan 15 15:24:51 host01 kernel: rc rc0: DP-3 as /devices/pci0000:00/0000:00:02.0/rc/rc0 Jan 15 15:24:51 host01 kernel: input: DP-3 as /devices/pci0000:00/0000:00:02.0/rc/rc0/input146 Jan 15 15:24:51 host01 systemd-logind[1456]: Watching system buttons on /dev/input/event11 (DP-3) Jan 15 15:24:51 host01 Xorg[1663]: (II) config/udev: Adding input device DP-3 (/dev/input/event11) I tried to ignore these as long as they have been showing up during boot only or when screen resolution got changed using xrandr, but today I noticed that these repeat every 30 secs or so when my screen saver is active. Which then kind of floods the journal. With the previous 6.11.* kernel series I would see these messages only once, during startup. When using a DisplayPort adapter instead of the HDMI adapter, these messages do not show up either. I guess that it is not the CEC subsystem being responsible here, but rather some other component which triggers it more frequently than earlier. Any help on how to find more about this issue appreciated. Please CC me in replies. Thanks!

3 months

1
1
0 0

6.1.125 build fail was -- Re: [PATCH 6.1 00/92] 6.1.125-rc1 review

by Pavel Machek

Hi! > > > Still building, but we already have failures on risc-v. > > > > > > drivers/usb/core/port.c: In function 'usb_port_shutdown': > > > 2912 > > > drivers/usb/core/port.c:417:26: error: 'struct usb_device' has no member named 'port_is_suspended' > > > 2913 > > > 417 | if (udev && !udev->port_is_suspended) { > > > 2914 > > > | ^~ > > > 2915 > > > make[4]: *** [scripts/Makefile.build:250: drivers/usb/core/port.o] Error 1 > > > 2916 > > > make[4]: *** Waiting for unfinished jobs.... > > > 2917 > > > CC drivers/gpu/drm/radeon/radeon_test.o > > > > And there's similar failure on x86: > > > > https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/pipelines/1… > > Thanks for testing and letting me know, Ok, so it seems _this_ failure is fixed... but there's new one. Build failure on risc-v. LD .tmp_vmlinux.kallsyms1 2941 riscv64-linux-gnu-ld: drivers/usb/host/xhci-pci.o: in function `xhci_pci_resume': 2942 xhci-pci.c:(.text+0xd8c): undefined reference to `xhci_resume' 2943 riscv64-linux-gnu-ld: xhci-pci.c:(.text+0xe1a): undefined reference to `xhci_suspend' 2944 make[1]: *** [scripts/Makefile.vmlinux:34: vmlinux] Error 1 2945 make: *** [Makefile:1250: vmlinux] Error 2 https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/jobs/888318… (I have also 2 runtime failures, I'm retrying those jobs. https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/pipelines/1… ). I partly reconsructed To:. Best regards, Pavel -- DENX Software Engineering GmbH, Managing Director: Erika Unter HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

3 months

3
3
0 0

[PATCH] iio: light: apds9306: fix max_scale_nano values

by Javier Carrasco

The two provided max_scale_nano values must be multiplied by 100 and 10 respectively to achieve nano units. According to the comments: Max scale for apds0306 is 16.326432 → the fractional part is 0.326432, which is 326432000 in NANO. The current value is 3264320. Max scale for apds0306-065 is 14.09721 → the fractional part is 0.09712, which is 97120000 in NANO. The current value is 9712000. Update max_scale_nano initialization to use the right NANO fractional parts. Cc: stable(a)vger.kernel.org Fixes: 620d1e6c7a3f ("iio: light: Add support for APDS9306 Light Sensor") Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> --- drivers/iio/light/apds9306.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/iio/light/apds9306.c b/drivers/iio/light/apds9306.c index 69a0d609cffc91cc3daba160f309f511270be385..5ed7e17f49e76206609aba83c85e8144c536d17d 100644 --- a/drivers/iio/light/apds9306.c +++ b/drivers/iio/light/apds9306.c @@ -108,11 +108,11 @@ static const struct part_id_gts_multiplier apds9306_gts_mul[] = { { .part_id = 0xB1, .max_scale_int = 16, - .max_scale_nano = 3264320, + .max_scale_nano = 326432000, }, { .part_id = 0xB3, .max_scale_int = 14, - .max_scale_nano = 9712000, + .max_scale_nano = 97120000, }, }; --- base-commit: 577a66e2e634f712384c57a98f504c44ea4b47da change-id: 20241218-apds9306_nano_vals-d880219a82f2 Best regards, -- Javier Carrasco <javier.carrasco.cruz(a)gmail.com>

3 months

3
2
0 0

backport request

by Ard Biesheuvel

Please backport 0b2c29fb68f8bf3e87a9 efi/zboot: Limit compression options to GZIP and ZSTD to v6.12. Future work on kexec and EFI zboot will only support those compression methods, and currently, only Loongarch on Debian uses this with a different compression method (XZ) and so now is the time to make this change. Thanks, Ard.

3 months

2
1
0 0

[PATCH v10] tpm: Map the ACPI provided event log

by Jarkko Sakkinen

The following failure was reported: [ 10.693310][ T1] tpm_tis STM0925:00: 2.0 TPM (device-id 0x3, rev-id 0) [ 10.848132][ T1] ------------[ cut here ]------------ [ 10.853559][ T1] WARNING: CPU: 59 PID: 1 at mm/page_alloc.c:4727 __alloc_pages_noprof+0x2ca/0x330 [ 10.862827][ T1] Modules linked in: [ 10.866671][ T1] CPU: 59 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-lp155.2.g52785e2-default #1 openSUSE Tumbleweed (unreleased) 588cd98293a7c9eba9013378d807364c088c9375 [ 10.882741][ T1] Hardware name: HPE ProLiant DL320 Gen12/ProLiant DL320 Gen12, BIOS 1.20 10/28/2024 [ 10.892170][ T1] RIP: 0010:__alloc_pages_noprof+0x2ca/0x330 [ 10.898103][ T1] Code: 24 08 e9 4a fe ff ff e8 34 36 fa ff e9 88 fe ff ff 83 fe 0a 0f 86 b3 fd ff ff 80 3d 01 e7 ce 01 00 75 09 c6 05 f8 e6 ce 01 01 <0f> 0b 45 31 ff e9 e5 fe ff ff f7 c2 00 00 08 00 75 42 89 d9 80 e1 [ 10.917750][ T1] RSP: 0000:ffffb7cf40077980 EFLAGS: 00010246 [ 10.923777][ T1] RAX: 0000000000000000 RBX: 0000000000040cc0 RCX: 0000000000000000 [ 10.931727][ T1] RDX: 0000000000000000 RSI: 000000000000000c RDI: 0000000000040cc0 Above shows that ACPI pointed a 16 MiB buffer for the log events because RSI maps to the 'order' parameter of __alloc_pages_noprof(). Address the bug with kvmalloc() and devm_add_action_or_reset(). Suggested-by: Ard Biesheuvel <ardb(a)kernel.org> Cc: stable(a)vger.kernel.org # v2.6.16+ Fixes: 55a82ab3181b ("[PATCH] tpm: add bios measurement log") Reported-by: Andy Liang <andy.liang(a)hpe.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219495 Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v10: * Had forgotten diff to staging (sorry). v9: * Call devm_add_action() as the last step and execute the plain action in the fallback path: https://lore.kernel.org/linux-integrity/87frlzzx14.wl-tiwai@suse.de/ v8: * Reduced to only to this quick fix. Let HPE reserve 16 MiB if they want to. We have mapping approach backed up in lore. v7: * Use devm_add_action_or_reset(). * Fix tags. v6: * A new patch. --- drivers/char/tpm/eventlog/acpi.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/drivers/char/tpm/eventlog/acpi.c b/drivers/char/tpm/eventlog/acpi.c index 69533d0bfb51..50770cafa835 100644 --- a/drivers/char/tpm/eventlog/acpi.c +++ b/drivers/char/tpm/eventlog/acpi.c @@ -63,6 +63,11 @@ static bool tpm_is_tpm2_log(void *bios_event_log, u64 len) return n == 0; } +static void tpm_bios_log_free(void *data) +{ + kvfree(data); +} + /* read binary bios log */ int tpm_read_log_acpi(struct tpm_chip *chip) { @@ -136,7 +141,7 @@ int tpm_read_log_acpi(struct tpm_chip *chip) } /* malloc EventLog space */ - log->bios_event_log = devm_kmalloc(&chip->dev, len, GFP_KERNEL); + log->bios_event_log = kvmalloc(len, GFP_KERNEL); if (!log->bios_event_log) return -ENOMEM; @@ -161,10 +166,14 @@ int tpm_read_log_acpi(struct tpm_chip *chip) goto err; } + ret = devm_add_action(&chip->dev, tpm_bios_log_free, log->bios_event_log); + if (ret) + goto err; + return format; err: - devm_kfree(&chip->dev, log->bios_event_log); + tpm_bios_log_free(log->bios_event_log); log->bios_event_log = NULL; return ret; } -- 2.48.0

3 months

3
6
0 0

[PATCH v4] cdx: Fix possible UAF error in driver_override_show()

by Qiu-ji Chen

Fixed a possible UAF problem in driver_override_show() in drivers/cdx/cdx.c This function driver_override_show() is part of DEVICE_ATTR_RW, which includes both driver_override_show() and driver_override_store(). These functions can be executed concurrently in sysfs. The driver_override_store() function uses driver_set_override() to update the driver_override value, and driver_set_override() internally locks the device (device_lock(dev)). If driver_override_show() reads cdx_dev->driver_override without locking, it could potentially access a freed pointer if driver_override_store() frees the string concurrently. This could lead to printing a kernel address, which is a security risk since DEVICE_ATTR can be read by all users. Additionally, a similar pattern is used in drivers/amba/bus.c, as well as many other bus drivers, where device_lock() is taken in the show function, and it has been working without issues. This potential bug was detected by our experimental static analysis tool, which analyzes locking APIs and paired functions to identify data races and atomicity violations. Fixes: 1f86a00c1159 ("bus/fsl-mc: add support for 'driver_override' in the mc-bus") Cc: stable(a)vger.kernel.org Signed-off-by: Qiu-ji Chen <chenqiuji666(a)gmail.com> --- V2: Modified the title and description. Removed the changes to cdx_bus_match(). V3: Revised the description to make it clearer. Thanks Greg KH for helpful suggestions. V4: Fixed the incorrect code logic. --- drivers/cdx/cdx.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/cdx/cdx.c b/drivers/cdx/cdx.c index 76eac3653b1c..daa0fb62a1f7 100644 --- a/drivers/cdx/cdx.c +++ b/drivers/cdx/cdx.c @@ -470,8 +470,12 @@ static ssize_t driver_override_show(struct device *dev, struct device_attribute *attr, char *buf) { struct cdx_device *cdx_dev = to_cdx_device(dev); + ssize_t len; - return sysfs_emit(buf, "%s\n", cdx_dev->driver_override); + device_lock(dev); + len = sysfs_emit(buf, "%s\n", cdx_dev->driver_override); + device_unlock(dev); + return len; } static DEVICE_ATTR_RW(driver_override); -- 2.43.0

3 months

1
0
0 0

[PATCH] usb: gadget: f_midi: Fixing wMaxPacketSize exceeded issue during MIDI bind retries

by Selvarasu Ganesan

The current implementation sets the wMaxPacketSize of bulk in/out endpoints to 1024 bytes at the end of the f_midi_bind function. However, in cases where there is a failure in the first midi bind attempt, consider rebinding. This scenario may encounter an f_midi_bind issue due to the previous bind setting the bulk endpoint's wMaxPacketSize to 1024 bytes, which exceeds the ep->maxpacket_limit where configured TX/RX FIFO's maxpacket size of 512 bytes for IN/OUT endpoints in support HS speed only. This commit addresses this issue by resetting the wMaxPacketSize before endpoint claim. Fixes: 46decc82ffd5 ("usb: gadget: unconditionally allocate hs/ss descriptor in bind operation") Cc: stable(a)vger.kernel.org Signed-off-by: Selvarasu Ganesan <selvarasu.g(a)samsung.com> --- drivers/usb/gadget/function/f_midi.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/usb/gadget/function/f_midi.c b/drivers/usb/gadget/function/f_midi.c index 837fcdfa3840..5caa0e4eb07e 100644 --- a/drivers/usb/gadget/function/f_midi.c +++ b/drivers/usb/gadget/function/f_midi.c @@ -907,6 +907,15 @@ static int f_midi_bind(struct usb_configuration *c, struct usb_function *f) status = -ENODEV; + /* + * Reset wMaxPacketSize with maximum packet size of FS bulk transfer before + * endpoint claim. This ensures that the wMaxPacketSize does not exceed the + * limit during bind retries where configured TX/RX FIFO's maxpacket size + * of 512 bytes for IN/OUT endpoints in support HS speed only. + */ + bulk_in_desc.wMaxPacketSize = cpu_to_le16(64); + bulk_out_desc.wMaxPacketSize = cpu_to_le16(64); + /* allocate instance-specific endpoints */ midi->in_ep = usb_ep_autoconfig(cdev->gadget, &bulk_in_desc); if (!midi->in_ep) -- 2.17.1

3 months

3
17
0 0

[PATCH] x86/fred: Optimize the FRED entry by prioritizing high-probability event dispatching

by Ethan Zhao

External interrupts (EVENT_TYPE_EXTINT) and system calls (EVENT_TYPE_OTHER) occur more frequently than other events in a typical system. Prioritizing these events saves CPU cycles and optimizes the efficiency of performance- critical paths. When examining the compiler-generated assembly code for event dispatching in the functions fred_entry_from_user() and fred_entry_from_kernel(), it was observed that the compiler intelligently uses a binary search to match all event type values (0-7) and perform dispatching. As a result, even if the following cases: case EVENT_TYPE_EXTINT: return fred_extint(regs); case EVENT_TYPE_OTHER: return fred_other(regs); are placed at the beginning of the switch() statement, the generated assembly code would remain the same, and the expected prioritization would not be achieved. Command line to check the assembly code generated by the compiler for fred_entry_from_user(): $objdump -d vmlinux.o | awk '/<fred_entry_from_user>:/{c=65} c&&c--' 00000000000015a0 <fred_entry_from_user>: 15a0: 0f b6 87 a6 00 00 00 movzbl 0xa6(%rdi),%eax 15a7: 48 8b 77 78 mov 0x78(%rdi),%rsi 15ab: 55 push %rbp 15ac: 48 c7 47 78 ff ff ff movq $0xffffffffffffffff,0x78(%rdi) 15b3: ff 15b4: 83 e0 0f and $0xf,%eax 15b7: 48 89 e5 mov %rsp,%rbp 15ba: 3c 04 cmp $0x4,%al -->> /* match 4(EVENT_TYPE_SWINT) first */ 15bc: 74 78 je 1636 <fred_entry_from_user+0x96> 15be: 77 15 ja 15d5 <fred_entry_from_user+0x35> 15c0: 3c 02 cmp $0x2,%al 15c2: 74 53 je 1617 <fred_entry_from_user+0x77> 15c4: 77 65 ja 162b <fred_entry_from_user+0x8b> 15c6: 84 c0 test %al,%al 15c8: 75 42 jne 160c <fred_entry_from_user+0x6c> 15ca: e8 71 fc ff ff callq 1240 <fred_extint> 15cf: 5d pop %rbp 15d0: e9 00 00 00 00 jmpq 15d5 <fred_entry_from_user+0x35> 15d5: 3c 06 cmp $0x6,%al 15d7: 74 7c je 1655 <fred_entry_from_user+0xb5> 15d9: 72 66 jb 1641 <fred_entry_from_user+0xa1> 15db: 3c 07 cmp $0x7,%al 15dd: 75 2d jne 160c <fred_entry_from_user+0x6c> 15df: 8b 87 a4 00 00 00 mov 0xa4(%rdi),%eax 15e5: 25 ff 00 00 02 and $0x20000ff,%eax 15ea: 3d 01 00 00 02 cmp $0x2000001,%eax 15ef: 75 6f jne 1660 <fred_entry_from_user+0xc0> 15f1: 48 8b 77 50 mov 0x50(%rdi),%rsi 15f5: 48 c7 47 50 da ff ff movq $0xffffffffffffffda,0x50(%rdi) ... ... Command line to check the assembly code generated by the compiler for fred_entry_from_kernel(): $objdump -d vmlinux.o | awk '/<fred_entry_from_kernel>:/{c=65} c&&c--' 00000000000016b0 <fred_entry_from_kernel>: 16b0: 0f b6 87 a6 00 00 00 movzbl 0xa6(%rdi),%eax 16b7: 48 8b 77 78 mov 0x78(%rdi),%rsi 16bb: 55 push %rbp 16bc: 48 c7 47 78 ff ff ff movq $0xffffffffffffffff,0x78(%rdi) 16c3: ff 16c4: 83 e0 0f and $0xf,%eax 16c7: 48 89 e5 mov %rsp,%rbp 16ca: 3c 03 cmp $0x3,%al -->> /* match 3(EVENT_TYPE_HWEXC) first */ 16cc: 74 3c je 170a <fred_entry_from_kernel+0x5a> 16ce: 76 13 jbe 16e3 <fred_entry_from_kernel+0x33> 16d0: 3c 05 cmp $0x5,%al 16d2: 74 41 je 1715 <fred_entry_from_kernel+0x65> 16d4: 3c 06 cmp $0x6,%al 16d6: 75 27 jne 16ff <fred_entry_from_kernel+0x4f> 16d8: e8 73 fe ff ff callq 1550 <fred_swexc.isra.3> 16dd: 5d pop %rbp ... ... Therefore, it is necessary to handle EVENT_TYPE_EXTINT and EVENT_TYPE_OTHER before the switch statement using if-else syntax to ensure the compiler generates the desired code. After applying the patch, the verification results are as follows: $objdump -d vmlinux.o | awk '/<fred_entry_from_user>:/{c=65} c&&c--' 00000000000015a0 <fred_entry_from_user>: 15a0: 0f b6 87 a6 00 00 00 movzbl 0xa6(%rdi),%eax 15a7: 48 8b 77 78 mov 0x78(%rdi),%rsi 15ab: 55 push %rbp 15ac: 48 c7 47 78 ff ff ff movq $0xffffffffffffffff,0x78(%rdi) 15b3: ff 15b4: 48 89 e5 mov %rsp,%rbp 15b7: 83 e0 0f and $0xf,%eax 15ba: 74 34 je 15f0 <fred_entry_from_user+0x50> -->> /* match 0(EVENT_TYPE_EXTINT) first */ 15bc: 3c 07 cmp $0x7,%al -->> /* match 7(EVENT_TYPE_OTHER) second * 15be: 74 6e je 162e <fred_entry_from_user+0x8e> 15c0: 3c 04 cmp $0x4,%al 15c2: 0f 84 93 00 00 00 je 165b <fred_entry_from_user+0xbb> 15c8: 76 13 jbe 15dd <fred_entry_from_user+0x3d> 15ca: 3c 05 cmp $0x5,%al 15cc: 74 41 je 160f <fred_entry_from_user+0x6f> 15ce: 3c 06 cmp $0x6,%al 15d0: 75 51 jne 1623 <fred_entry_from_user+0x83> 15d2: e8 79 ff ff ff callq 1550 <fred_swexc.isra.3> 15d7: 5d pop %rbp 15d8: e9 00 00 00 00 jmpq 15dd <fred_entry_from_user+0x3d> 15dd: 3c 02 cmp $0x2,%al 15df: 74 1a je 15fb <fred_entry_from_user+0x5b> 15e1: 3c 03 cmp $0x3,%al 15e3: 75 3e jne 1623 <fred_entry_from_user+0x83> ... ... The same desired code in fred_entry_from_kernel is no longer repeated. While the C code with if-else placed before switch() may appear ugly, it works. Additionally, using a jump table is not advisable; even if the jump table resides in the L1 cache, the cost of loading it is over 10 times the latency of a cmp instruction. Signed-off-by: Ethan Zhao <haifeng.zhao(a)linux.intel.com> --- base commit: 619f0b6fad524f08d493a98d55bac9ab8895e3a6 --- arch/x86/entry/entry_fred.c | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/arch/x86/entry/entry_fred.c b/arch/x86/entry/entry_fred.c index f004a4dc74c2..591f47771ecf 100644 --- a/arch/x86/entry/entry_fred.c +++ b/arch/x86/entry/entry_fred.c @@ -228,9 +228,18 @@ __visible noinstr void fred_entry_from_user(struct pt_regs *regs) /* Invalidate orig_ax so that syscall_get_nr() works correctly */ regs->orig_ax = -1; - switch (regs->fred_ss.type) { - case EVENT_TYPE_EXTINT: + if (regs->fred_ss.type == EVENT_TYPE_EXTINT) return fred_extint(regs); + else if (regs->fred_ss.type == EVENT_TYPE_OTHER) + return fred_other(regs); + + /* + * Dispatch EVENT_TYPE_EXTINT and EVENT_TYPE_OTHER(syscall) type events + * first due to their high probability and let the compiler create binary search + * dispatching for the remaining events + */ + + switch (regs->fred_ss.type) { case EVENT_TYPE_NMI: if (likely(regs->fred_ss.vector == X86_TRAP_NMI)) return fred_exc_nmi(regs); @@ -245,8 +254,6 @@ __visible noinstr void fred_entry_from_user(struct pt_regs *regs) break; case EVENT_TYPE_SWEXC: return fred_swexc(regs, error_code); - case EVENT_TYPE_OTHER: - return fred_other(regs); default: break; } @@ -260,9 +267,15 @@ __visible noinstr void fred_entry_from_kernel(struct pt_regs *regs) /* Invalidate orig_ax so that syscall_get_nr() works correctly */ regs->orig_ax = -1; - switch (regs->fred_ss.type) { - case EVENT_TYPE_EXTINT: + if (regs->fred_ss.type == EVENT_TYPE_EXTINT) return fred_extint(regs); + + /* + * Dispatch EVENT_TYPE_EXTINT type event first due to its high probability + * and let the compiler do binary search dispatching for the other events + */ + + switch (regs->fred_ss.type) { case EVENT_TYPE_NMI: if (likely(regs->fred_ss.vector == X86_TRAP_NMI)) return fred_exc_nmi(regs); -- 2.31.1

3 months

6
27
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror January 2025