January 2025 - Linux-stable-mirror

[PATCH v4] arm64: dts: rockchip: increase gmac rx_delay on rk3399-puma

by Jakob Unterwurzacher

During mass manufacturing, we noticed the mmc_rx_crc_error counter, as reported by "ethtool -S eth0 | grep mmc_rx_crc_error", to increase above zero during nuttcp speedtests. Most of the time, this did not affect the achieved speed, but it prompted this investigation. Cycling through the rx_delay range on six boards (see table below) of various ages shows that there is a large good region from 0x12 to 0x35 where we see zero crc errors on all tested boards. The old rx_delay value (0x10) seems to have always been on the edge for the KSZ9031RNX that is usually placed on Puma. Choose "rx_delay = 0x23" to put us smack in the middle of the good region. This works fine as well with the KSZ9131RNX PHY that was used for a small number of boards during the COVID chip shortages. Board S/N PHY rx_delay good region --------- --- -------------------- Puma TT0069903 KSZ9031RNX 0x11 0x35 Puma TT0157733 KSZ9031RNX 0x11 0x35 Puma TT0681551 KSZ9031RNX 0x12 0x37 Puma TT0681156 KSZ9031RNX 0x10 0x38 Puma 17496030079 KSZ9031RNX 0x10 0x37 (Puma v1.2 from 2017) Puma TT0681720 KSZ9131RNX 0x02 0x39 (alternative PHY used in very few boards) Intersection of good regions = 0x12 0x35 Middle of good region = 0x23 Fixes: 2c66fc34e945 ("arm64: dts: rockchip: add RK3399-Q7 (Puma) SoM") Cc: stable(a)vger.kernel.org Reviewed-by: Quentin Schulz <quentin.schulz(a)cherry.de> Tested-by: Quentin Schulz <quentin.schulz(a)cherry.de> # Puma v2.1 and v2.3 with KSZ9031 Signed-off-by: Jakob Unterwurzacher <jakob.unterwurzacher(a)cherry.de> --- v4: drop internal Relates-to tag, add Tested-by, rebase to Linus master, send with b4 v3: use rx_delay = 0x23 instead of 0x11, which was not enough. v2: cc stable, add "Fixes:", add omitted "there" to commit msg, v1: initial submission --- arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi index d12e661dfd9917f820284477a215389c16205f46..995b30a7aae01a0326e9f80d6be930f227968539 100644 --- a/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi +++ b/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi @@ -182,7 +182,7 @@ &gmac { snps,reset-active-low; snps,reset-delays-us = <0 10000 50000>; tx_delay = <0x10>; - rx_delay = <0x10>; + rx_delay = <0x23>; status = "okay"; }; --- base-commit: f932fb9b40749d1c9a539d89bb3e288c077aafe5 change-id: 20241213-puma_rx_delay-fadbcdf09783 Best regards, -- Jakob Unterwurzacher <jakob.unterwurzacher(a)cherry.de>

1 month

2
1
0 0

Taking a look at the NRF Retail Show 2025

by Rachel Taylor

Hi , Hope this email finds you well I am reaching out to let you know that we have a list of attendees in NRF 2025 Retail's Big Show Attendees count: 20,000 Leads Contact Information: Company Name, Web URL, Contact Name, Title, Direct Email, Phone Number, FAX Number, Mailing Address, Industry, Employee Size, Annual Sales. Please let me know if you are interested in acquiring this list, I can share pricing information for you review I would like to thank you for never keeping me waiting for your reply Regards Rachel Taylor Demand Generation Manager Apollo Leads Hub Inc., Please reply with REMOVE if you don't wish to receive further emails

1 month

1
2
0 0

[PATCH] Bluetooth: L2CAP: handle NULL sock pointer in l2cap_sock_alloc

by Fedor Pchelkin

A NULL sock pointer is passed into l2cap_sock_alloc() when it is called from l2cap_sock_new_connection_cb() and the error handling paths should also be aware of it. Seemingly a more elegant solution would be to swap bt_sock_alloc() and l2cap_chan_create() calls since they are not interdependent to that moment but then l2cap_chan_create() adds the soon to be deallocated and still dummy-initialized channel to the global list accessible by many L2CAP paths. The channel would be removed from the list in short period of time but be a bit more straight-forward here and just check for NULL instead of changing the order of function calls. Found by Linux Verification Center (linuxtesting.org) with SVACE static analysis tool. Fixes: 7c4f78cdb8e7 ("Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create()") Cc: stable(a)vger.kernel.org Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- net/bluetooth/l2cap_sock.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c index 3d2553dcdb1b..49f97d4138ea 100644 --- a/net/bluetooth/l2cap_sock.c +++ b/net/bluetooth/l2cap_sock.c @@ -1888,7 +1888,8 @@ static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, chan = l2cap_chan_create(); if (!chan) { sk_free(sk); - sock->sk = NULL; + if (sock) + sock->sk = NULL; return NULL; } -- 2.39.5

1 month

4
5
0 0

[PATCH] riscv: kprobes: Fix incorrect address calculation

by Nam Cao

p->ainsn.api.insn is a pointer to u32, therefore arithmetic operations are multiplied by four. This is clearly undesirable for this case. Cast it to (void *) first before any calculation. Below is a sample before/after. The dumped memory is two kprobe slots, the first slot has - c.addiw a0, 0x1c (0x7125) - ebreak (0x00100073) and the second slot has: - c.addiw a0, -4 (0x7135) - ebreak (0x00100073) Before this patch: (gdb) x/16xh 0xff20000000135000 0xff20000000135000: 0x7125 0x0000 0x0000 0x0000 0x7135 0x0010 0x0000 0x0000 0xff20000000135010: 0x0073 0x0010 0x0000 0x0000 0x0000 0x0000 0x0000 0x0000 After this patch: (gdb) x/16xh 0xff20000000125000 0xff20000000125000: 0x7125 0x0073 0x0010 0x0000 0x7135 0x0073 0x0010 0x0000 0xff20000000125010: 0x0000 0x0000 0x0000 0x0000 0x0000 0x0000 0x0000 0x0000 Fixes: b1756750a397 ("riscv: kprobes: Use patch_text_nosync() for insn slots") Signed-off-by: Nam Cao <namcao(a)linutronix.de> Cc: stable(a)vger.kernel.org --- arch/riscv/kernel/probes/kprobes.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/riscv/kernel/probes/kprobes.c b/arch/riscv/kernel/probes/kprobes.c index 474a65213657..d2dacea1aedd 100644 --- a/arch/riscv/kernel/probes/kprobes.c +++ b/arch/riscv/kernel/probes/kprobes.c @@ -30,7 +30,7 @@ static void __kprobes arch_prepare_ss_slot(struct kprobe *p) p->ainsn.api.restore = (unsigned long)p->addr + len; patch_text_nosync(p->ainsn.api.insn, &p->opcode, len); - patch_text_nosync(p->ainsn.api.insn + len, &insn, GET_INSN_LENGTH(insn)); + patch_text_nosync((void *)p->ainsn.api.insn + len, &insn, GET_INSN_LENGTH(insn)); } static void __kprobes arch_prepare_simulate(struct kprobe *p) -- 2.39.5

1 month

3
3
0 0

[PATCH] riscv: Fix sleeping in invalid context in die()

by Nam Cao

die() can be called in exception handler, and therefore cannot sleep. However, die() takes spinlock_t which can sleep with PREEMPT_RT enabled. That causes the following warning: BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 285, name: mutex preempt_count: 110001, expected: 0 RCU nest depth: 0, expected: 0 CPU: 0 UID: 0 PID: 285 Comm: mutex Not tainted 6.12.0-rc7-00022-ge19049cf7d56-dirty #234 Hardware name: riscv-virtio,qemu (DT) Call Trace: dump_backtrace+0x1c/0x24 show_stack+0x2c/0x38 dump_stack_lvl+0x5a/0x72 dump_stack+0x14/0x1c __might_resched+0x130/0x13a rt_spin_lock+0x2a/0x5c die+0x24/0x112 do_trap_insn_illegal+0xa0/0xea _new_vmalloc_restore_context_a0+0xcc/0xd8 Oops - illegal instruction [#1] Switch to use raw_spinlock_t, which does not sleep even with PREEMPT_RT enabled. Fixes: 76d2a0493a17 ("RISC-V: Init and Halt Code") Signed-off-by: Nam Cao <namcao(a)linutronix.de> Cc: stable(a)vger.kernel.org --- stable backport is probably not needed for versions earlier than 6.12 because PREEMPT_RT is not enabled. But it doesn't hurt.. --- arch/riscv/kernel/traps.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c index 51ebfd23e007..8ff8e8b36524 100644 --- a/arch/riscv/kernel/traps.c +++ b/arch/riscv/kernel/traps.c @@ -35,7 +35,7 @@ int show_unhandled_signals = 1; -static DEFINE_SPINLOCK(die_lock); +static DEFINE_RAW_SPINLOCK(die_lock); static int copy_code(struct pt_regs *regs, u16 *val, const u16 *insns) { @@ -81,7 +81,7 @@ void die(struct pt_regs *regs, const char *str) oops_enter(); - spin_lock_irqsave(&die_lock, flags); + raw_spin_lock_irqsave(&die_lock, flags); console_verbose(); bust_spinlocks(1); @@ -100,7 +100,7 @@ void die(struct pt_regs *regs, const char *str) bust_spinlocks(0); add_taint(TAINT_DIE, LOCKDEP_NOW_UNRELIABLE); - spin_unlock_irqrestore(&die_lock, flags); + raw_spin_unlock_irqrestore(&die_lock, flags); oops_exit(); if (in_interrupt()) -- 2.39.5

1 month

4
3
0 0

[PATCH -stable,5.10 0/1] Netfilter fix for -stable

by Pablo Neira Ayuso

Hi Greg, Sasha, This batch contains a backport fix for 5.10-stable. The following list shows the backported patches, I am using original commit IDs for reference: 1) fca05d4d61e6 ("netfilter: nft_dynset: honor stateful expressions in set definition") without this fix, the default set expression is silently ignored when used from dynamic sets. Please, apply, Thanks Pablo Neira Ayuso (1): netfilter: nft_dynset: honor stateful expressions in set definition include/net/netfilter/nf_tables.h | 2 ++ net/netfilter/nf_tables_api.c | 23 +++++++++++++++++++++++ net/netfilter/nft_dynset.c | 7 ++++++- 3 files changed, 31 insertions(+), 1 deletion(-) -- 2.30.2

1 month

1
0
0 0

[PATCH 6.1.y] bpf, sockmap: Fix race between element replace and close()

by Alva Lan

From: Michal Luczaj <mhal(a)rbox.co> [ Upstream commit ed1fc5d76b81a4d681211333c026202cad4d5649 ] Element replace (with a socket different from the one stored) may race with socket's close() link popping & unlinking. __sock_map_delete() unconditionally unrefs the (wrong) element: // set map[0] = s0 map_update_elem(map, 0, s0) // drop fd of s0 close(s0) sock_map_close() lock_sock(sk) (s0!) sock_map_remove_links(sk) link = sk_psock_link_pop() sock_map_unlink(sk, link) sock_map_delete_from_link // replace map[0] with s1 map_update_elem(map, 0, s1) sock_map_update_elem (s1!) lock_sock(sk) sock_map_update_common psock = sk_psock(sk) spin_lock(&stab->lock) osk = stab->sks[idx] sock_map_add_link(..., &stab->sks[idx]) sock_map_unref(osk, &stab->sks[idx]) psock = sk_psock(osk) sk_psock_put(sk, psock) if (refcount_dec_and_test(&psock)) sk_psock_drop(sk, psock) spin_unlock(&stab->lock) unlock_sock(sk) __sock_map_delete spin_lock(&stab->lock) sk = *psk // s1 replaced s0; sk == s1 if (!sk_test || sk_test == sk) // sk_test (s0) != sk (s1); no branch sk = xchg(psk, NULL) if (sk) sock_map_unref(sk, psk) // unref s1; sks[idx] will dangle psock = sk_psock(sk) sk_psock_put(sk, psock) if (refcount_dec_and_test()) sk_psock_drop(sk, psock) spin_unlock(&stab->lock) release_sock(sk) Then close(map) enqueues bpf_map_free_deferred, which finally calls sock_map_free(). This results in some refcount_t warnings along with a KASAN splat [1]. Fix __sock_map_delete(), do not allow sock_map_unref() on elements that may have been replaced. [1]: BUG: KASAN: slab-use-after-free in sock_map_free+0x10e/0x330 Write of size 4 at addr ffff88811f5b9100 by task kworker/u64:12/1063 CPU: 14 UID: 0 PID: 1063 Comm: kworker/u64:12 Not tainted 6.12.0+ #125 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 Workqueue: events_unbound bpf_map_free_deferred Call Trace: <TASK> dump_stack_lvl+0x68/0x90 print_report+0x174/0x4f6 kasan_report+0xb9/0x190 kasan_check_range+0x10f/0x1e0 sock_map_free+0x10e/0x330 bpf_map_free_deferred+0x173/0x320 process_one_work+0x846/0x1420 worker_thread+0x5b3/0xf80 kthread+0x29e/0x360 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1202: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 __kasan_slab_alloc+0x85/0x90 kmem_cache_alloc_noprof+0x131/0x450 sk_prot_alloc+0x5b/0x220 sk_alloc+0x2c/0x870 unix_create1+0x88/0x8a0 unix_create+0xc5/0x180 __sock_create+0x241/0x650 __sys_socketpair+0x1ce/0x420 __x64_sys_socketpair+0x92/0x100 do_syscall_64+0x93/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 46: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kmem_cache_free+0x1a1/0x590 __sk_destruct+0x388/0x5a0 sk_psock_destroy+0x73e/0xa50 process_one_work+0x846/0x1420 worker_thread+0x5b3/0xf80 kthread+0x29e/0x360 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x1a/0x30 The buggy address belongs to the object at ffff88811f5b9080 which belongs to the cache UNIX-STREAM of size 1984 The buggy address is located 128 bytes inside of freed 1984-byte region [ffff88811f5b9080, ffff88811f5b9840) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11f5b8 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 memcg:ffff888127d49401 flags: 0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff) page_type: f5(slab) raw: 0017ffffc0000040 ffff8881042e4500 dead000000000122 0000000000000000 raw: 0000000000000000 00000000800f000f 00000001f5000000 ffff888127d49401 head: 0017ffffc0000040 ffff8881042e4500 dead000000000122 0000000000000000 head: 0000000000000000 00000000800f000f 00000001f5000000 ffff888127d49401 head: 0017ffffc0000003 ffffea00047d6e01 ffffffffffffffff 0000000000000000 head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88811f5b9000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88811f5b9080: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88811f5b9180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88811f5b9200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb Disabling lock debugging due to kernel taint refcount_t: addition on 0; use-after-free. WARNING: CPU: 14 PID: 1063 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150 CPU: 14 UID: 0 PID: 1063 Comm: kworker/u64:12 Tainted: G B 6.12.0+ #125 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 Workqueue: events_unbound bpf_map_free_deferred RIP: 0010:refcount_warn_saturate+0xce/0x150 Code: 34 73 eb 03 01 e8 82 53 ad fe 0f 0b eb b1 80 3d 27 73 eb 03 00 75 a8 48 c7 c7 80 bd 95 84 c6 05 17 73 eb 03 01 e8 62 53 ad fe <0f> 0b eb 91 80 3d 06 73 eb 03 00 75 88 48 c7 c7 e0 bd 95 84 c6 05 RSP: 0018:ffff88815c49fc70 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff88811f5b9100 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000001 RBP: 0000000000000002 R08: 0000000000000001 R09: ffffed10bcde6349 R10: ffff8885e6f31a4b R11: 0000000000000000 R12: ffff88813be0b000 R13: ffff88811f5b9100 R14: ffff88811f5b9080 R15: ffff88813be0b024 FS: 0000000000000000(0000) GS:ffff8885e6f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055dda99b0250 CR3: 000000015dbac000 CR4: 0000000000752ef0 PKRU: 55555554 Call Trace: <TASK> ? __warn.cold+0x5f/0x1ff ? refcount_warn_saturate+0xce/0x150 ? report_bug+0x1ec/0x390 ? handle_bug+0x58/0x90 ? exc_invalid_op+0x13/0x40 ? asm_exc_invalid_op+0x16/0x20 ? refcount_warn_saturate+0xce/0x150 sock_map_free+0x2e5/0x330 bpf_map_free_deferred+0x173/0x320 process_one_work+0x846/0x1420 worker_thread+0x5b3/0xf80 kthread+0x29e/0x360 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x1a/0x30 </TASK> irq event stamp: 10741 hardirqs last enabled at (10741): [<ffffffff84400ec6>] asm_sysvec_apic_timer_interrupt+0x16/0x20 hardirqs last disabled at (10740): [<ffffffff811e532d>] handle_softirqs+0x60d/0x770 softirqs last enabled at (10506): [<ffffffff811e55a9>] __irq_exit_rcu+0x109/0x210 softirqs last disabled at (10301): [<ffffffff811e55a9>] __irq_exit_rcu+0x109/0x210 refcount_t: underflow; use-after-free. WARNING: CPU: 14 PID: 1063 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150 CPU: 14 UID: 0 PID: 1063 Comm: kworker/u64:12 Tainted: G B W 6.12.0+ #125 Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 Workqueue: events_unbound bpf_map_free_deferred RIP: 0010:refcount_warn_saturate+0xee/0x150 Code: 17 73 eb 03 01 e8 62 53 ad fe 0f 0b eb 91 80 3d 06 73 eb 03 00 75 88 48 c7 c7 e0 bd 95 84 c6 05 f6 72 eb 03 01 e8 42 53 ad fe <0f> 0b e9 6e ff ff ff 80 3d e6 72 eb 03 00 0f 85 61 ff ff ff 48 c7 RSP: 0018:ffff88815c49fc70 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff88811f5b9100 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000001 RBP: 0000000000000003 R08: 0000000000000001 R09: ffffed10bcde6349 R10: ffff8885e6f31a4b R11: 0000000000000000 R12: ffff88813be0b000 R13: ffff88811f5b9100 R14: ffff88811f5b9080 R15: ffff88813be0b024 FS: 0000000000000000(0000) GS:ffff8885e6f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055dda99b0250 CR3: 000000015dbac000 CR4: 0000000000752ef0 PKRU: 55555554 Call Trace: <TASK> ? __warn.cold+0x5f/0x1ff ? refcount_warn_saturate+0xee/0x150 ? report_bug+0x1ec/0x390 ? handle_bug+0x58/0x90 ? exc_invalid_op+0x13/0x40 ? asm_exc_invalid_op+0x16/0x20 ? refcount_warn_saturate+0xee/0x150 sock_map_free+0x2d3/0x330 bpf_map_free_deferred+0x173/0x320 process_one_work+0x846/0x1420 worker_thread+0x5b3/0xf80 kthread+0x29e/0x360 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x1a/0x30 </TASK> irq event stamp: 10741 hardirqs last enabled at (10741): [<ffffffff84400ec6>] asm_sysvec_apic_timer_interrupt+0x16/0x20 hardirqs last disabled at (10740): [<ffffffff811e532d>] handle_softirqs+0x60d/0x770 softirqs last enabled at (10506): [<ffffffff811e55a9>] __irq_exit_rcu+0x109/0x210 softirqs last disabled at (10301): [<ffffffff811e55a9>] __irq_exit_rcu+0x109/0x210 Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") Signed-off-by: Michal Luczaj <mhal(a)rbox.co> Signed-off-by: Daniel Borkmann <daniel(a)iogearbox.net> Reviewed-by: John Fastabend <john.fastabend(a)gmail.com> Link: https://lore.kernel.org/bpf/20241202-sockmap-replace-v1-3-1e88579e7bd5@rbox… Signed-off-by: Alva Lan <alvalan9(a)foxmail.com> --- net/core/sock_map.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/core/sock_map.c b/net/core/sock_map.c index e674a686ff71..f4cca477b047 100644 --- a/net/core/sock_map.c +++ b/net/core/sock_map.c @@ -411,15 +411,15 @@ static void *sock_map_lookup_sys(struct bpf_map *map, void *key) static int __sock_map_delete(struct bpf_stab *stab, struct sock *sk_test, struct sock **psk) { - struct sock *sk; + struct sock *sk = NULL; int err = 0; if (irqs_disabled()) return -EOPNOTSUPP; /* locks here are hardirq-unsafe */ raw_spin_lock_bh(&stab->lock); - sk = *psk; - if (!sk_test || sk_test == sk) + + if (!sk_test || sk_test == *psk) sk = xchg(psk, NULL); if (likely(sk)) -- 2.43.0

1 month

2
1
0 0

[PATCH 5.4 00/93] 5.4.289-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.4.289 release. There are 93 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 08 Jan 2025 15:11:04 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.289-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.4.289-rc1 Seiji Nishikawa <snishika(a)redhat.com> mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim() Biju Das <biju.das.jz(a)bp.renesas.com> drm: adv7511: Drop dsi single lane support Nikolay Kuratov <kniv(a)yandex-team.ru> net/sctp: Prevent autoclose integer overflow in sctp_association_init() Pascal Hambourg <pascal(a)plouf.fr.eu.org> sky2: Add device ID 11ab:4373 for Marvell 88E8075 Evgenii Shatokhin <e.shatokhin(a)yadro.com> pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking Dan Carpenter <dan.carpenter(a)linaro.org> RDMA/uverbs: Prevent integer overflow issue Masahiro Yamada <masahiroy(a)kernel.org> modpost: fix the missed iteration for the max bit in do_input() Masahiro Yamada <masahiroy(a)kernel.org> modpost: fix input MODULE_DEVICE_TABLE() built for 64-bit on 32-bit host Leon Romanovsky <leonro(a)nvidia.com> ARC: build: Try to guess GCC variant of cross compiler Uros Bizjak <ubizjak(a)gmail.com> irqchip/gic: Correct declaration of *percpu_base pointer in union gic_base Daniele Palmas <dnlplm(a)gmail.com> net: usb: qmi_wwan: add Telit FE910C04 compositions Anton Protopopov <aspsk(a)isovalent.com> bpf: fix potential error return Adrian Ratiu <adrian.ratiu(a)collabora.com> sound: usb: format: don't warn that raw DSD is unsupported Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> wifi: mac80211: wake the queues in case of failure in resume Eric Dumazet <edumazet(a)google.com> ila: serialize calls to nf_register_net_hooks() Eric Dumazet <edumazet(a)google.com> af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK Eric Dumazet <edumazet(a)google.com> af_packet: fix vlan_get_tci() vs MSG_PEEK Tanya Agarwal <tanyaagarwal25699(a)gmail.com> ALSA: usb-audio: US16x08: Initialize array before use Antonio Pastor <antonio.pastor(a)gmail.com> net: llc: reset skb->transport_header Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext Gustavo A. R. Silva <gustavo(a)embeddedor.com> netfilter: Replace zero-length array with flexible-array member Ilya Shchipletsov <rabbelkin(a)mail.ru> netrom: check buffer length before accessing it Stefan Ekenberg <stefan.ekenberg(a)axis.com> drm/bridge: adv7511_audio: Update Audio InfoFrame properly Bogdan Togorean <bogdan.togorean(a)analog.com> drm: bridge: adv7511: Enable SPDIF DAI Selvin Xavier <selvin.xavier(a)broadcom.com> RDMA/bnxt_re: Fix max_qp_wrs reported Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> RDMA/bnxt_re: Fix reporting hw_ver in query_device Saravanan Vajravel <saravanan.vajravel(a)broadcom.com> RDMA/bnxt_re: Add check for path mtu in modify_qp Patrisious Haddad <phaddad(a)nvidia.com> RDMA/mlx5: Enforce same type port association for multiport RoCE Parav Pandit <parav(a)nvidia.com> net/mlx5: Make API mlx5_core_is_ecpf accept const pointer Parav Pandit <parav(a)mellanox.com> IB/mlx5: Introduce and use mlx5_core_is_vf() Michael Kelley <mhklinux(a)outlook.com> Drivers: hv: util: Avoid accessing a ringbuffer not initialized yet Thiébaud Weksteen <tweek(a)google.com> selinux: ignore unknown extended permissions Eric Dumazet <edumazet(a)google.com> ipv6: prevent possible UAF in ip6_xmit() Vasily Averin <vvs(a)virtuozzo.com> skb_expand_head() adjust skb->truesize incorrectly Filipe Manana <fdmanana(a)suse.com> btrfs: avoid monopolizing a core when activating a swap file Christian Göttsche <cgzones(a)googlemail.com> tracing: Constify string literal data member in struct trace_event_call Jiayuan Chen <mrpre(a)163.com> bpf: fix recursive lock when verdict program return SK_PASS Eric Dumazet <edumazet(a)google.com> ipv6: fix possible UAF in ip6_finish_output2() Vasily Averin <vvs(a)virtuozzo.com> ipv6: use skb_expand_head in ip6_xmit Vasily Averin <vvs(a)virtuozzo.com> ipv6: use skb_expand_head in ip6_finish_output2 Vasily Averin <vvs(a)virtuozzo.com> skbuff: introduce skb_expand_head() Jiaxun Yang <jiaxun.yang(a)flygoat.com> MIPS: Probe toolchain support of -msym32 Xuewen Yan <xuewen.yan(a)unisoc.com> epoll: Add synchronous wakeup support for ep_poll_callback Ming Lei <ming.lei(a)redhat.com> virtio-blk: don't keep queue frozen during system suspend Ranjan Kumar <ranjan.kumar(a)broadcom.com> scsi: mpt3sas: Diag-Reset when Doorbell-In-Use bit is set during driver load time Armin Wolf <W_Armin(a)gmx.de> platform/x86: asus-nb-wmi: Ignore unknown event 0xCF Mark Brown <broonie(a)kernel.org> regmap: Use correct format specifier for logging range errors Tomas Henzl <thenzl(a)redhat.com> scsi: megaraid_sas: Fix for a potential deadlock Magnus Lindholm <linmag7(a)gmail.com> scsi: qla1280: Fix hw revision numbering for ISP1020/1040 Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing/kprobe: Make trace_kprobe's module callback called after jump_label update Dan Carpenter <dan.carpenter(a)linaro.org> mtd: rawnand: fix double free in atmel_pmecc_create_user() Chen Ridong <chenridong(a)huawei.com> dmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset Javier Carrasco <javier.carrasco.cruz(a)gmail.com> dmaengine: mv_xor: fix child node refcount handling in early exit Zijun Hu <quic_zijuhu(a)quicinc.com> phy: core: Fix that API devm_phy_destroy() fails to destroy the phy Zijun Hu <quic_zijuhu(a)quicinc.com> phy: core: Fix that API devm_phy_put() fails to release the phy Zijun Hu <quic_zijuhu(a)quicinc.com> phy: core: Fix an OF node refcount leakage in of_phy_provider_lookup() Zijun Hu <quic_zijuhu(a)quicinc.com> phy: core: Fix an OF node refcount leakage in _of_phy_get() Zichen Xie <zichenxie0106(a)gmail.com> mtd: diskonchip: Cast an operand to prevent potential overflow NeilBrown <neilb(a)suse.de> nfsd: restore callback functionality for NFSv4.0 Cong Wang <cong.wang(a)bytedance.com> bpf: Check negative offsets in __bpf_skb_min_len() Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> media: dvb-frontends: dib3000mb: fix uninit-value in dib3000_write_reg Zijun Hu <quic_zijuhu(a)quicinc.com> of: Fix refcount leakage for OF node returned by __of_get_dma_parent() Herve Codina <herve.codina(a)bootlin.com> of: Fix error path in of_parse_phandle_with_args_map() Jann Horn <jannh(a)google.com> udmabuf: also check for F_SEAL_FUTURE_WRITE Edward Adam Davis <eadavis(a)qq.com> nilfs2: prevent use of deleted inode Zijun Hu <quic_zijuhu(a)quicinc.com> of/irq: Fix using uninitialized variable @addr_len in API of_irq_parse_one() Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS/pnfs: Fix a live lock between recalled layouts and layoutget Qu Wenruo <wqu(a)suse.com> btrfs: tree-checker: reject inline extent items with 0 ref count Kairui Song <kasong(a)tencent.com> zram: refuse to use zero sized block device as backing device Geert Uytterhoeven <geert+renesas(a)glider.be> sh: clk: Fix clk_enable() to return 0 on NULL clk Daniele Palmas <dnlplm(a)gmail.com> USB: serial: option: add Telit FE910C04 rmnet compositions Jack Wu <wojackbb(a)gmail.com> USB: serial: option: add MediaTek T7XX compositions Mank Wang <mank.wang(a)netprisma.com> USB: serial: option: add Netprisma LCUK54 modules for WWAN Ready Michal Hrusecky <michal.hrusecky(a)turris.com> USB: serial: option: add MeiG Smart SLM770A Daniel Swanemar <d.swanemar(a)gmail.com> USB: serial: option: add TCL IK512 MBIM & ECM James Bottomley <James.Bottomley(a)HansenPartnership.com> efivarfs: Fix error on non-existent file Geert Uytterhoeven <geert+renesas(a)glider.be> i2c: riic: Always round-up when calculating bus period Dan Carpenter <dan.carpenter(a)linaro.org> chelsio/chtls: prevent potential integer overflow on 32bit Prathamesh Shete <pshete(a)nvidia.com> mmc: sdhci-tegra: Remove SDHCI_QUIRK_BROKEN_ADMA_ZEROLEN_DESC quirk Phil Sutter <phil(a)nwl.cc> netfilter: ipset: Fix for recursive locking warning Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> net: ethernet: bgmac-platform: fix an OF node reference leak Dan Carpenter <dan.carpenter(a)linaro.org> net: hinic: Fix cleanup in create_rxqs/txqs() Shannon Nelson <shannon.nelson(a)amd.com> ionic: use ee->offset when returning sprom data Guangguan Wang <guangguan.wang(a)linux.alibaba.com> net/smc: check sndbuf_space again after NOSPACE flag is set in smc_poll Gao Xiang <hsiangkao(a)linux.alibaba.com> erofs: fix incorrect symlink detection in fast symlink Gao Xiang <hsiangkao(a)linux.alibaba.com> erofs: fix order >= MAX_ORDER warning due to crafted negative i_size Jiasheng Jiang <jiashengjiangcool(a)gmail.com> drm/i915: Fix memory leak by correcting cache object name in error handler Vladimir Riabchun <ferr.lambarginio(a)gmail.com> i2c: pnx: Fix timeout in wait functions Ajit Khaparde <ajit.khaparde(a)broadcom.com> PCI: Add ACS quirk for Broadcom BCM5760X NIC Takashi Iwai <tiwai(a)suse.de> ALSA: usb: Fix UBSAN warning in parse_audio_unit() Kai-Heng Feng <kai.heng.feng(a)canonical.com> PCI/AER: Disable AER service on suspend Peng Hongchi <hongchi.peng(a)siengine.com> usb: dwc2: gadget: Don't write invalid mapped sg entries into dma_desc with iommu enabled Lion Ackermann <nnamrec(a)gmail.com> net: sched: fix ordering of qlen adjustment ------------- Diffstat: Makefile | 4 +- arch/arc/Makefile | 2 +- arch/mips/Makefile | 2 +- drivers/base/regmap/regmap.c | 4 +- drivers/block/virtio_blk.c | 7 +- drivers/block/zram/zram_drv.c | 6 ++ drivers/crypto/chelsio/chtls/chtls_main.c | 5 +- drivers/dma-buf/udmabuf.c | 2 +- drivers/dma/at_xdmac.c | 2 + drivers/dma/mv_xor.c | 2 + drivers/gpu/drm/bridge/adv7511/adv7511_audio.c | 28 ++++++- drivers/gpu/drm/bridge/adv7511/adv7533.c | 2 +- drivers/gpu/drm/i915/i915_scheduler.c | 2 +- drivers/hv/hv_kvp.c | 6 ++ drivers/hv/hv_snapshot.c | 6 ++ drivers/hv/hv_util.c | 9 +++ drivers/hv/hyperv_vmbus.h | 2 + drivers/i2c/busses/i2c-pnx.c | 4 +- drivers/i2c/busses/i2c-riic.c | 2 +- drivers/infiniband/core/uverbs_cmd.c | 16 ++-- drivers/infiniband/hw/bnxt_re/ib_verbs.c | 28 +++---- drivers/infiniband/hw/bnxt_re/qplib_sp.c | 2 +- drivers/infiniband/hw/mlx5/main.c | 8 +- drivers/irqchip/irq-gic.c | 2 +- drivers/media/dvb-frontends/dib3000mb.c | 2 +- drivers/mmc/host/sdhci-tegra.c | 1 - drivers/mtd/nand/raw/atmel/pmecc.c | 4 +- drivers/mtd/nand/raw/diskonchip.c | 2 +- drivers/net/ethernet/broadcom/bgmac-platform.c | 5 +- drivers/net/ethernet/huawei/hinic/hinic_main.c | 2 + drivers/net/ethernet/marvell/sky2.c | 1 + .../net/ethernet/pensando/ionic/ionic_ethtool.c | 4 +- drivers/net/usb/qmi_wwan.c | 3 + drivers/of/address.c | 2 +- drivers/of/base.c | 15 ++-- drivers/of/irq.c | 1 + drivers/pci/pcie/aer.c | 18 +++++ drivers/pci/quirks.c | 4 + drivers/phy/phy-core.c | 15 ++-- drivers/pinctrl/pinctrl-mcp23s08.c | 6 ++ drivers/platform/x86/asus-nb-wmi.c | 1 + drivers/scsi/megaraid/megaraid_sas_base.c | 5 +- drivers/scsi/mpt3sas/mpt3sas_base.c | 7 +- drivers/scsi/qla1280.h | 12 +-- drivers/sh/clk/core.c | 2 +- drivers/usb/dwc2/gadget.c | 4 +- drivers/usb/serial/option.c | 27 +++++++ fs/btrfs/inode.c | 2 + fs/btrfs/tree-checker.c | 27 ++++++- fs/efivarfs/inode.c | 2 +- fs/efivarfs/internal.h | 1 - fs/efivarfs/super.c | 3 - fs/erofs/inode.c | 20 ++--- fs/eventpoll.c | 5 +- fs/nfs/pnfs.c | 2 +- fs/nfsd/nfs4callback.c | 4 +- fs/nilfs2/inode.c | 8 +- fs/nilfs2/namei.c | 5 ++ include/linux/hyperv.h | 1 + include/linux/if_vlan.h | 16 +++- include/linux/mlx5/driver.h | 13 +++- include/linux/netfilter/ipset/ip_set.h | 2 +- include/linux/netfilter/x_tables.h | 8 +- include/linux/netfilter_arp/arp_tables.h | 2 +- include/linux/netfilter_bridge/ebtables.h | 2 +- include/linux/netfilter_ipv4/ip_tables.h | 2 +- include/linux/netfilter_ipv6/ip6_tables.h | 2 +- include/linux/skbuff.h | 1 + include/linux/trace_events.h | 2 +- include/linux/wait.h | 1 + include/net/netfilter/nf_conntrack_extend.h | 2 +- include/net/netfilter/nf_conntrack_timeout.h | 2 +- include/net/netfilter/nf_tables.h | 13 ++-- include/uapi/linux/netfilter_bridge/ebt_among.h | 2 +- kernel/bpf/core.c | 6 +- kernel/trace/trace_kprobe.c | 2 +- mm/vmscan.c | 9 ++- net/bridge/netfilter/ebtables.c | 2 +- net/core/filter.c | 21 ++++-- net/core/skbuff.c | 52 +++++++++++++ net/core/skmsg.c | 4 +- net/ipv4/netfilter/arp_tables.c | 4 +- net/ipv4/netfilter/ip_tables.c | 4 +- net/ipv6/ila/ila_xlat.c | 16 ++-- net/ipv6/ip6_output.c | 86 +++++++++------------- net/ipv6/netfilter/ip6_tables.c | 4 +- net/llc/llc_input.c | 2 +- net/mac80211/util.c | 3 + net/netfilter/ipset/ip_set_bitmap_ip.c | 2 +- net/netfilter/ipset/ip_set_bitmap_ipmac.c | 2 +- net/netfilter/ipset/ip_set_bitmap_port.c | 2 +- net/netfilter/ipset/ip_set_hash_gen.h | 4 +- net/netfilter/ipset/ip_set_list_set.c | 3 + net/netfilter/nfnetlink_acct.c | 2 +- net/netfilter/xt_hashlimit.c | 2 +- net/netfilter/xt_recent.c | 4 +- net/netrom/nr_route.c | 6 ++ net/packet/af_packet.c | 28 ++----- net/sched/sch_cake.c | 2 +- net/sched/sch_choke.c | 2 +- net/sctp/associola.c | 3 +- net/smc/af_smc.c | 7 ++ scripts/mod/file2alias.c | 4 +- security/selinux/ss/services.c | 8 +- sound/usb/format.c | 7 +- sound/usb/mixer.c | 7 ++ sound/usb/mixer_us16x08.c | 2 +- 107 files changed, 522 insertions(+), 236 deletions(-)

1 month

8
102
0 0

[PATCH] clk: qcom: clk-rpmh: add explicit casting in clk_rpmh_bcm_recalc_rate

by Anastasia Belova

The result of multiplication of aggr_state and unit fields (rate value) may not fit u32 type. Add explicit casting to a larger type to prevent overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 04053f4d23a4 ("clk: qcom: clk-rpmh: Add IPA clock support") Cc: stable(a)vger.kernel.org # v5.4+ Signed-off-by: Anastasia Belova <abelova(a)astralinux.ru> --- drivers/clk/qcom/clk-rpmh.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/clk/qcom/clk-rpmh.c b/drivers/clk/qcom/clk-rpmh.c index eefc322ce367..e6c33010cfbf 100644 --- a/drivers/clk/qcom/clk-rpmh.c +++ b/drivers/clk/qcom/clk-rpmh.c @@ -329,7 +329,7 @@ static unsigned long clk_rpmh_bcm_recalc_rate(struct clk_hw *hw, { struct clk_rpmh *c = to_clk_rpmh(hw); - return c->aggr_state * c->unit; + return (unsigned long)c->aggr_state * c->unit; } static const struct clk_ops clk_rpmh_bcm_ops = { -- 2.43.0

1 month

2
2
0 0

[PATCH 0/3] selftests/mm: virtual_address_range: Two bugfixes and a cleanup

by Thomas Weißschuh

The selftest started failing since commit e93d2521b27f ("x86/vdso: Split virtual clock pages into dedicated mapping") was merged. While debugging I stumbled upon another bug and potential cleanup. Signed-off-by: Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> --- Thomas Weißschuh (3): selftests/mm: virtual_address_range: Fix error when CommitLimit < 1GiB selftests/mm: virtual_address_range: Avoid reading VVAR mappings selftests/mm: virtual_address_range: Dump to /dev/null tools/testing/selftests/mm/virtual_address_range.c | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) --- base-commit: fbfd64d25c7af3b8695201ebc85efe90be28c5a3 change-id: 20250107-virtual_address_range-tests-95843766fa97 Best regards, -- Thomas Weißschuh <thomas.weissschuh(a)linutronix.de>

1 month

3
12
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror January 2025