January 2025 - Linux-stable-mirror

[PATCH v2 2/2] mm: zswap: disable migration while using per-CPU acomp_ctx

by Yosry Ahmed

In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the current CPU at the beginning of the operation is retrieved and used throughout. However, since neither preemption nor migration are disabled, it is possible that the operation continues on a different CPU. If the original CPU is hotunplugged while the acomp_ctx is still in use, we run into a UAF bug as the resources attached to the acomp_ctx are freed during hotunplug in zswap_cpu_comp_dead(). The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration") when the switch to the crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was retrieved using get_cpu_ptr() which disables preemption and makes sure the CPU cannot go away from under us. Preemption cannot be disabled with the crypto_acomp API as a sleepable context is needed. Commit 8ba2f844f050 ("mm/zswap: change per-cpu mutex and buffer to per-acomp_ctx") increased the UAF surface area by making the per-CPU buffers dynamic, adding yet another resource that can be freed from under zswap compression/decompression by CPU hotunplug. This cannot be fixed by holding cpus_read_lock(), as it is possible for code already holding the lock to fall into reclaim and enter zswap (causing a deadlock). It also cannot be fixed by wrapping the usage of acomp_ctx in an SRCU critical section and using synchronize_srcu() in zswap_cpu_comp_dead(), because synchronize_srcu() is not allowed in CPU-hotplug notifiers (see Documentation/RCU/Design/Requirements/Requirements.rst). This can be fixed by refcounting the acomp_ctx, but it involves complexity in handling the race between the refcount dropping to zero in zswap_[de]compress() and the refcount being re-initialized when the CPU is onlined. Keep things simple for now and just disable migration while using the per-CPU acomp_ctx to block CPU hotunplug until the usage is over. Fixes: 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration") Cc: <stable(a)vger.kernel.org> Signed-off-by: Yosry Ahmed <yosryahmed(a)google.com> Reported-by: Johannes Weiner <hannes(a)cmpxchg.org> Closes: https://lore.kernel.org/lkml/20241113213007.GB1564047@cmpxchg.org/ Reported-by: Sam Sun <samsun1006219(a)gmail.com> Closes: https://lore.kernel.org/lkml/CAEkJfYMtSdM5HceNsXUDf5haghD5+o2e7Qv4OcuruL4tP… --- mm/zswap.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/mm/zswap.c b/mm/zswap.c index f6316b66fb236..ecd86153e8a32 100644 --- a/mm/zswap.c +++ b/mm/zswap.c @@ -880,6 +880,18 @@ static int zswap_cpu_comp_dead(unsigned int cpu, struct hlist_node *node) return 0; } +/* Remain on the CPU while using its acomp_ctx to stop it from going offline */ +static struct crypto_acomp_ctx *acomp_ctx_get_cpu(struct crypto_acomp_ctx __percpu *acomp_ctx) +{ + migrate_disable(); + return raw_cpu_ptr(acomp_ctx); +} + +static void acomp_ctx_put_cpu(void) +{ + migrate_enable(); +} + static bool zswap_compress(struct page *page, struct zswap_entry *entry, struct zswap_pool *pool) { @@ -893,8 +905,7 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry, gfp_t gfp; u8 *dst; - acomp_ctx = raw_cpu_ptr(pool->acomp_ctx); - + acomp_ctx = acomp_ctx_get_cpu(pool->acomp_ctx); mutex_lock(&acomp_ctx->mutex); dst = acomp_ctx->buffer; @@ -950,6 +961,7 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry, zswap_reject_alloc_fail++; mutex_unlock(&acomp_ctx->mutex); + acomp_ctx_put_cpu(); return comp_ret == 0 && alloc_ret == 0; } @@ -960,7 +972,7 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio) struct crypto_acomp_ctx *acomp_ctx; u8 *src; - acomp_ctx = raw_cpu_ptr(entry->pool->acomp_ctx); + acomp_ctx = acomp_ctx_get_cpu(entry->pool->acomp_ctx); mutex_lock(&acomp_ctx->mutex); src = zpool_map_handle(zpool, entry->handle, ZPOOL_MM_RO); @@ -990,6 +1002,7 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio) if (src != acomp_ctx->buffer) zpool_unmap_handle(zpool, entry->handle); + acomp_ctx_put_cpu(); } /********************************* -- 2.47.1.613.gc27f4b7a9f-goog

5 months

6
23
0 0

[PATCH 1/1] usb: pd: fix the SenderResponseTimer conform to specification

by joswang

From: Jos Wang <joswang(a)lenovo.com> According to the USB PD3 CTS specification (https://usb.org/document-library/ usb-power-delivery-compliance-test-specification-0/ USB_PD3_CTS_Q4_2024_OR.zip), the requirements for tSenderResponse are different in PD2 and PD3 modes, see Table 19 Timing Table & Calculations. For PD2 mode, the tSenderResponse min 24ms and max 30ms; for PD3 mode, the tSenderResponse min 27ms and max 33ms. For the "TEST.PD.PROT.SRC.2 Get_Source_Cap No Request" test item, after receiving the Source_Capabilities Message sent by the UUT, the tester deliberately does not send a Request Message in order to force the SenderResponse timer on the Source UUT to timeout. The Tester checks that a Hard Reset is detected between tSenderResponse min and max，the delay is between the last bit of the GoodCRC Message EOP has been sent and the first bit of Hard Reset SOP has been received. The current code does not distinguish between PD2 and PD3 modes, and tSenderResponse defaults to 60ms. This will cause this test item and the following tests to fail: TEST.PD.PROT.SRC3.2 SenderResponseTimer Timeout TEST.PD.PROT.SNK.6 SenderResponseTimer Timeout Set the SenderResponseTimer timeout to 27ms to meet the PD2 and PD3 mode requirements. Fixes: f0690a25a140 ("staging: typec: USB Type-C Port Manager (tcpm)") Cc: stable(a)vger.kernel.org Signed-off-by: Jos Wang <joswang(a)lenovo.com> --- include/linux/usb/pd.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/usb/pd.h b/include/linux/usb/pd.h index 3068c3084eb6..99ca49bbf376 100644 --- a/include/linux/usb/pd.h +++ b/include/linux/usb/pd.h @@ -475,7 +475,7 @@ static inline unsigned int rdo_max_power(u32 rdo) #define PD_T_NO_RESPONSE 5000 /* 4.5 - 5.5 seconds */ #define PD_T_DB_DETECT 10000 /* 10 - 15 seconds */ #define PD_T_SEND_SOURCE_CAP 150 /* 100 - 200 ms */ -#define PD_T_SENDER_RESPONSE 60 /* 24 - 30 ms, relaxed */ +#define PD_T_SENDER_RESPONSE 27 /* 24 - 30 ms */ #define PD_T_RECEIVER_RESPONSE 15 /* 15ms max */ #define PD_T_SOURCE_ACTIVITY 45 #define PD_T_SINK_ACTIVITY 135 -- 2.17.1

5 months

3
4
0 0

[PATCH 6.1 00/81] 6.1.124-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.124 release. There are 81 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 08 Jan 2025 15:11:04 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.124-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.124-rc1 Paolo Abeni <pabeni(a)redhat.com> mptcp: don't always assume copied data in mptcp_cleanup_rbuf() Paolo Abeni <pabeni(a)redhat.com> mptcp: fix recvbuffer adjust on sleeping rcvmsg Paolo Abeni <pabeni(a)redhat.com> mptcp: fix TCP options overflow. Seiji Nishikawa <snishika(a)redhat.com> mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim() Yafang Shao <laoar.shao(a)gmail.com> mm/readahead: fix large folio support in async readahead Biju Das <biju.das.jz(a)bp.renesas.com> dt-bindings: display: adi,adv7533: Drop single lane support Biju Das <biju.das.jz(a)bp.renesas.com> drm: adv7511: Drop dsi single lane support Nikolay Kuratov <kniv(a)yandex-team.ru> net/sctp: Prevent autoclose integer overflow in sctp_association_init() Pascal Hambourg <pascal(a)plouf.fr.eu.org> sky2: Add device ID 11ab:4373 for Marvell 88E8075 Evgenii Shatokhin <e.shatokhin(a)yadro.com> pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking Dan Carpenter <dan.carpenter(a)linaro.org> RDMA/uverbs: Prevent integer overflow issue Arnd Bergmann <arnd(a)arndb.de> kcov: mark in_softirq_really() as __always_inline Takashi Iwai <tiwai(a)suse.de> ALSA: seq: oss: Fix races at processing SysEx messages Daniel Schaefer <dhs(a)frame.work> ALSA hda/realtek: Add quirk for Framework F111:000C Masahiro Yamada <masahiroy(a)kernel.org> modpost: fix the missed iteration for the max bit in do_input() Masahiro Yamada <masahiroy(a)kernel.org> modpost: fix input MODULE_DEVICE_TABLE() built for 64-bit on 32-bit host Michal Pecio <michal.pecio(a)gmail.com> usb: xhci: Avoid queuing redundant Stop Endpoint commands Leon Romanovsky <leon(a)kernel.org> ARC: build: Try to guess GCC variant of cross compiler Uros Bizjak <ubizjak(a)gmail.com> irqchip/gic: Correct declaration of *percpu_base pointer in union gic_base Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_core: Fix sleeping function called from invalid context Daniele Palmas <dnlplm(a)gmail.com> net: usb: qmi_wwan: add Telit FE910C04 compositions Hobin Woo <hobin.woo(a)samsung.com> ksmbd: retry iterate_dir in smb2_query_dir Anton Protopopov <aspsk(a)isovalent.com> bpf: fix potential error return Adrian Ratiu <adrian.ratiu(a)collabora.com> sound: usb: format: don't warn that raw DSD is unsupported Adrian Ratiu <adrian.ratiu(a)collabora.com> sound: usb: enable DSD output for ddHiFi TC44C Vasiliy Kovalev <kovalev(a)altlinux.org> ALSA: hda/realtek: Add new alc2xx-fixup-headset-mic model Filipe Manana <fdmanana(a)suse.com> btrfs: flush delalloc workers queue before stopping cleaner kthread during unmount Prike Liang <Prike.Liang(a)amd.com> drm/amdkfd: Correct the migration DMA map direction Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> wifi: mac80211: wake the queues in case of failure in resume Filipe Manana <fdmanana(a)suse.com> btrfs: fix use-after-free when COWing tree bock and tracing is enabled Filipe Manana <fdmanana(a)suse.com> btrfs: rename and export __btrfs_cow_block() Eric Dumazet <edumazet(a)google.com> ila: serialize calls to nf_register_net_hooks() Eric Dumazet <edumazet(a)google.com> af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK Eric Dumazet <edumazet(a)google.com> af_packet: fix vlan_get_tci() vs MSG_PEEK Maciej S. Szmigiero <mail(a)maciej.szmigiero.name> net: wwan: iosm: Properly check for valid exec stage in ipc_mmio_init() Eric Dumazet <edumazet(a)google.com> net: restrict SO_REUSEPORT to inet sockets Willem de Bruijn <willemb(a)google.com> net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets Li Zhijian <lizhijian(a)fujitsu.com> RDMA/rtrs: Ensure 'ib_sge list' is accessible Jinjian Song <jinjian.song(a)fibocom.com> net: wwan: t7xx: Fix FSM command timeout issue Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> net: mv643xx_eth: fix an OF node reference leak Vitalii Mordan <mordan(a)ispras.ru> eth: bcmsysport: fix call balance of priv->clk handling routines Tanya Agarwal <tanyaagarwal25699(a)gmail.com> ALSA: usb-audio: US16x08: Initialize array before use Antonio Pastor <antonio.pastor(a)gmail.com> net: llc: reset skb->transport_header Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext Rodrigo Vivi <rodrigo.vivi(a)intel.com> drm/i915/dg1: Fix power gate sequence. Ilya Shchipletsov <rabbelkin(a)mail.ru> netrom: check buffer length before accessing it Xiao Liang <shaw.leon(a)gmail.com> net: Fix netns for ip_tunnel_init_flow() Ido Schimmel <idosch(a)nvidia.com> ipv4: ip_tunnel: Unmask upper DSCP bits in ip_tunnel_xmit() Ido Schimmel <idosch(a)nvidia.com> ipv4: ip_tunnel: Unmask upper DSCP bits in ip_md_tunnel_xmit() Ido Schimmel <idosch(a)nvidia.com> ipv4: ip_tunnel: Unmask upper DSCP bits in ip_tunnel_bind_dev() Eric Dumazet <edumazet(a)google.com> ip_tunnel: annotate data-races around t->parms.link Christian Ehrig <cehrig(a)cloudflare.com> ipip,ip_tunnel,sit: Add FOU support for externally controlled ipip devices Wang Liang <wangliang74(a)huawei.com> net: fix memory leak in tcp_conn_request() Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> net: stmmac: restructure the error path of stmmac_probe_config_dt() Andrew Halaney <ahalaney(a)redhat.com> net: stmmac: don't create a MDIO bus if unnecessary Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> net: stmmac: platform: provide devm_stmmac_probe_config_dt() Chengchang Tang <tangchengchang(a)huawei.com> RDMA/hns: Fix missing flush CQE for DWQE Chengchang Tang <tangchengchang(a)huawei.com> RDMA/hns: Fix warning storm caused by invalid input in IO path wenglianfa <wenglianfa(a)huawei.com> RDMA/hns: Fix mapping error of zero-hop WQE buffer Chengchang Tang <tangchengchang(a)huawei.com> RDMA/hns: Remove unused parameters and variables Chengchang Tang <tangchengchang(a)huawei.com> RDMA/hns: Refactor mtr find Tristram Ha <tristram.ha(a)microchip.com> net: dsa: microchip: Fix LAN937X set_ageing_time function Oleksij Rempel <linux(a)rempel-privat.de> net: dsa: microchip: add ksz_rmw8() function Tristram Ha <tristram.ha(a)microchip.com> net: dsa: microchip: Fix KSZ9477 set_ageing_time function Stefan Ekenberg <stefan.ekenberg(a)axis.com> drm/bridge: adv7511_audio: Update Audio InfoFrame properly Selvin Xavier <selvin.xavier(a)broadcom.com> RDMA/bnxt_re: Fix the locking while accessing the QP table Selvin Xavier <selvin.xavier(a)broadcom.com> RDMA/bnxt_re: Fix max_qp_wrs reported Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> RDMA/bnxt_re: Fix reporting hw_ver in query_device Saravanan Vajravel <saravanan.vajravel(a)broadcom.com> RDMA/bnxt_re: Add check for path mtu in modify_qp Patrisious Haddad <phaddad(a)nvidia.com> RDMA/mlx5: Enforce same type port association for multiport RoCE Jeremy Kerr <jk(a)codeconstruct.com.au> net: mctp: handle skb cleanup on sock_queue failures Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Turn NEC specific quirk for handling Stop Endpoint errors generic Michal Pecio <michal.pecio(a)gmail.com> usb: xhci: Limit Stop Endpoint retries Michal Pecio <michal.pecio(a)gmail.com> xhci: retry Stop Endpoint on buggy NEC controllers Mario Limonciello <mario.limonciello(a)amd.com> thunderbolt: Don't display nvm_version unless upgrade supported Mika Westerberg <mika.westerberg(a)linux.intel.com> thunderbolt: Add support for Intel Panther Lake-M/P Mika Westerberg <mika.westerberg(a)linux.intel.com> thunderbolt: Add support for Intel Lunar Lake Steven Rostedt <rostedt(a)goodmis.org> tracing: Have process_string() also allow arrays Johannes Thumshirn <johannes.thumshirn(a)wdc.com> btrfs: fix use-after-free in btrfs_encoded_read_endio() Thiébaud Weksteen <tweek(a)google.com> selinux: ignore unknown extended permissions Naman Jain <namjain(a)linux.microsoft.com> x86/hyperv: Fix hv tsc page based sched_clock for hibernation ------------- Diffstat: .../bindings/display/bridge/adi,adv7533.yaml | 2 +- Makefile | 4 +- arch/arc/Makefile | 2 +- arch/x86/kernel/cpu/mshyperv.c | 58 ++++++++ drivers/clocksource/hyperv_timer.c | 14 +- drivers/gpu/drm/amd/amdkfd/kfd_migrate.c | 4 +- drivers/gpu/drm/bridge/adv7511/adv7511_audio.c | 14 +- drivers/gpu/drm/bridge/adv7511/adv7533.c | 2 +- drivers/gpu/drm/i915/gt/intel_rc6.c | 2 +- drivers/infiniband/core/uverbs_cmd.c | 16 ++- drivers/infiniband/hw/bnxt_re/ib_verbs.c | 28 ++-- drivers/infiniband/hw/bnxt_re/qplib_fp.c | 2 + drivers/infiniband/hw/bnxt_re/qplib_sp.c | 2 +- drivers/infiniband/hw/hns/hns_roce_alloc.c | 3 +- drivers/infiniband/hw/hns/hns_roce_cq.c | 11 +- drivers/infiniband/hw/hns/hns_roce_device.h | 12 +- drivers/infiniband/hw/hns/hns_roce_hem.c | 54 +++++--- drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 130 ++++++++--------- drivers/infiniband/hw/hns/hns_roce_mr.c | 95 ++++++++----- drivers/infiniband/hw/hns/hns_roce_qp.c | 4 +- drivers/infiniband/hw/hns/hns_roce_srq.c | 4 +- drivers/infiniband/hw/mlx5/main.c | 6 +- drivers/infiniband/ulp/rtrs/rtrs-srv.c | 2 +- drivers/irqchip/irq-gic.c | 2 +- drivers/net/dsa/microchip/ksz9477.c | 47 +++++-- drivers/net/dsa/microchip/ksz9477_reg.h | 4 +- drivers/net/dsa/microchip/ksz_common.h | 5 + drivers/net/dsa/microchip/lan937x_main.c | 62 ++++++++- drivers/net/dsa/microchip/lan937x_reg.h | 9 +- drivers/net/ethernet/broadcom/bcmsysport.c | 21 ++- drivers/net/ethernet/marvell/mv643xx_eth.c | 14 +- drivers/net/ethernet/marvell/sky2.c | 1 + .../net/ethernet/mellanox/mlxsw/spectrum_span.c | 3 +- .../net/ethernet/stmicro/stmmac/stmmac_platform.c | 153 +++++++++++++++------ .../net/ethernet/stmicro/stmmac/stmmac_platform.h | 2 + drivers/net/usb/qmi_wwan.c | 3 + drivers/net/wwan/iosm/iosm_ipc_mmio.c | 2 +- drivers/net/wwan/t7xx/t7xx_state_monitor.c | 26 ++-- drivers/net/wwan/t7xx/t7xx_state_monitor.h | 5 +- drivers/pinctrl/pinctrl-mcp23s08.c | 6 + drivers/thunderbolt/nhi.c | 12 ++ drivers/thunderbolt/nhi.h | 6 + drivers/thunderbolt/retimer.c | 17 ++- drivers/usb/host/xhci-ring.c | 42 +++++- drivers/usb/host/xhci.c | 21 ++- drivers/usb/host/xhci.h | 2 + fs/btrfs/ctree.c | 37 +++-- fs/btrfs/ctree.h | 7 + fs/btrfs/disk-io.c | 9 ++ fs/btrfs/inode.c | 2 +- fs/smb/server/smb2pdu.c | 12 +- fs/smb/server/vfs.h | 1 + include/clocksource/hyperv_timer.h | 2 + include/linux/if_vlan.h | 16 ++- include/linux/mlx5/driver.h | 6 + include/net/bluetooth/hci_core.h | 108 ++++++++++----- include/net/ip_tunnels.h | 28 ++-- include/net/netfilter/nf_tables.h | 7 +- kernel/bpf/core.c | 6 +- kernel/kcov.c | 2 +- kernel/trace/trace_events.c | 12 ++ mm/readahead.c | 6 +- mm/vmscan.c | 9 +- net/bluetooth/hci_core.c | 10 +- net/bluetooth/iso.c | 6 + net/bluetooth/l2cap_core.c | 12 +- net/bluetooth/rfcomm/core.c | 6 + net/bluetooth/sco.c | 12 +- net/core/dev.c | 4 +- net/core/sock.c | 5 +- net/ipv4/ip_tunnel.c | 60 +++++--- net/ipv4/ipip.c | 1 + net/ipv4/tcp_input.c | 1 + net/ipv6/ila/ila_xlat.c | 16 ++- net/ipv6/sit.c | 2 +- net/llc/llc_input.c | 2 +- net/mac80211/util.c | 3 + net/mctp/route.c | 36 +++-- net/mptcp/options.c | 7 + net/mptcp/protocol.c | 22 +-- net/netrom/nr_route.c | 6 + net/packet/af_packet.c | 28 +--- net/sctp/associola.c | 3 +- scripts/mod/file2alias.c | 4 +- security/selinux/ss/services.c | 8 +- sound/core/seq/oss/seq_oss_synth.c | 2 + sound/pci/hda/patch_realtek.c | 2 + sound/usb/format.c | 7 +- sound/usb/mixer_us16x08.c | 2 +- sound/usb/quirks.c | 2 + 90 files changed, 1031 insertions(+), 444 deletions(-)

5 months

12
92
0 0

[PATCH 6.12 000/156] 6.12.9-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.9 release. There are 156 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 08 Jan 2025 15:11:04 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.9-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.9-rc1 Paolo Abeni <pabeni(a)redhat.com> mptcp: don't always assume copied data in mptcp_cleanup_rbuf() Paolo Abeni <pabeni(a)redhat.com> mptcp: fix recvbuffer adjust on sleeping rcvmsg Paolo Abeni <pabeni(a)redhat.com> mptcp: fix TCP options overflow. Liu Shixin <liushixin2(a)huawei.com> mm: hugetlb: independent PMD page table shared count Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> mm: reinstate ability to map write-sealed memfd mappings read-only Seiji Nishikawa <snishika(a)redhat.com> mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim() Alessandro Carminati <acarmina(a)redhat.com> mm/kmemleak: fix sleeping function called from invalid context at print message Yafang Shao <laoar.shao(a)gmail.com> mm/readahead: fix large folio support in async readahead Joshua Washington <joshwash(a)google.com> gve: trigger RX NAPI instead of TX NAPI in gve_xsk_wakeup Joshua Washington <joshwash(a)google.com> gve: guard XDP xmit NDO on existence of xdp queues Joshua Washington <joshwash(a)google.com> gve: fix XDP allocation path in edge cases Joshua Washington <joshwash(a)google.com> gve: guard XSK operations on the existence of queues Joshua Washington <joshwash(a)google.com> gve: clean XDP queues in gve_tx_stop_ring_gqi Joshua Washington <joshwash(a)google.com> gve: process XSK TX descriptors as part of RX NAPI David Hildenbrand <david(a)redhat.com> fs/proc/task_mmu: fix pagemap flags with PMD THP entries on 32bit Baolin Wang <baolin.wang(a)linux.alibaba.com> mm: shmem: fix incorrect index alignment for within_size policy Baolin Wang <baolin.wang(a)linux.alibaba.com> mm: shmem: fix the update of 'shmem_falloc->nr_unswapped' SeongJae Park <sj(a)kernel.org> mm/damon/core: fix new damon_target objects leaks on damon_commit_targets() SeongJae Park <sj(a)kernel.org> mm/damon/core: fix ignored quota goals and filters of newly committed schemes Siddharth Vadapalli <s-vadapalli(a)ti.com> net: ethernet: ti: am65-cpsw: default to round-robin for host port receive Zilin Guan <zilin(a)seu.edu.cn> fgraph: Add READ_ONCE() when accessing fgraph_array[] Kees Cook <kees(a)kernel.org> wifi: iwlwifi: mvm: Fix __counted_by usage in cfg80211_wowlan_nd_* Biju Das <biju.das.jz(a)bp.renesas.com> drm: adv7511: Fix use-after-free in adv7533_attach_dsi() Biju Das <biju.das.jz(a)bp.renesas.com> dt-bindings: display: adi,adv7533: Drop single lane support Biju Das <biju.das.jz(a)bp.renesas.com> drm: adv7511: Drop dsi single lane support Pavel Begunkov <asml.silence(a)gmail.com> io_uring/rw: fix downgraded mshot read Nikolay Kuratov <kniv(a)yandex-team.ru> net/sctp: Prevent autoclose integer overflow in sctp_association_init() Henry Huang <henry.hj(a)antgroup.com> sched_ext: initialize kit->cursor.flags Pascal Hambourg <pascal(a)plouf.fr.eu.org> sky2: Add device ID 11ab:4373 for Marvell 88E8075 Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work from !WQ_MEM_RECLAIM worker Evgenii Shatokhin <e.shatokhin(a)yadro.com> pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking Dan Carpenter <dan.carpenter(a)linaro.org> RDMA/uverbs: Prevent integer overflow issue Tejun Heo <tj(a)kernel.org> sched_ext: Fix invalid irq restore in scx_ops_bypass() Kuan-Wei Chiu <visitorckw(a)gmail.com> scripts/sorttable: fix orc_sort_cmp() to maintain symmetry and transitivity Nikolaus Voss <nv(a)vosn.de> clk: clk-imx8mp-audiomix: fix function signature Yang Erkun <yangerkun(a)huawei.com> maple_tree: reload mas before the second call for mas_empty_area Arnd Bergmann <arnd(a)arndb.de> kcov: mark in_softirq_really() as __always_inline Dennis Lam <dennis.lamerice(a)gmail.com> ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv Takashi Iwai <tiwai(a)suse.de> ALSA: seq: oss: Fix races at processing SysEx messages Daniel Schaefer <dhs(a)frame.work> ALSA hda/realtek: Add quirk for Framework F111:000C Nirmoy Das <nirmoy.das(a)intel.com> drm/xe: Wait for migration job before unmapping pages Nirmoy Das <nirmoy.das(a)intel.com> drm/xe: Use non-interruptible wait when moving BO to system Kohei Enju <enjuk(a)amazon.com> ftrace: Fix function profiler's filtering functionality Takashi Iwai <tiwai(a)suse.de> ALSA: seq: Check UMP support for midi_version change Jens Axboe <axboe(a)kernel.dk> io_uring/kbuf: use pre-committed buffer address for non-pollable file Mark Zhang <markzhang(a)nvidia.com> RDMA/mlx5: Enable multiplane mode only when it is supported Takashi Iwai <tiwai(a)suse.de> Revert "ALSA: ump: Don't enumeration invalid groups for legacy rawmidi" Thomas Weißschuh <linux(a)weissschuh.net> kbuild: pacman-pkg: provide versioned linux-api-headers package Masahiro Yamada <masahiroy(a)kernel.org> modpost: fix the missed iteration for the max bit in do_input() Mostafa Saleh <smostafa(a)google.com> scripts/mksysmap: Fix escape chars '$' Maksim Kiselev <bigunclemax(a)gmail.com> clk: thead: Fix TH1520 emmc and shdci clock rate Eduard Zingerman <eddyz87(a)gmail.com> bpf: consider that tail calls invalidate packet pointers Eduard Zingerman <eddyz87(a)gmail.com> bpf: refactor bpf_helper_changes_pkt_data to use helper number Leon Romanovsky <leon(a)kernel.org> ARC: build: Try to guess GCC variant of cross compiler Uros Bizjak <ubizjak(a)gmail.com> irqchip/gic: Correct declaration of *percpu_base pointer in union gic_base Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_core: Fix sleeping function called from invalid context Daniele Palmas <dnlplm(a)gmail.com> net: usb: qmi_wwan: add Telit FE910C04 compositions Enzo Matsumiya <ematsumiya(a)suse.de> smb: client: destroy cfid_put_wq on module exit Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: set ATTR_CTIME flags when setting mtime Hobin Woo <hobin.woo(a)samsung.com> ksmbd: retry iterate_dir in smb2_query_dir Anton Protopopov <aspsk(a)isovalent.com> bpf: fix potential error return Hardevsinh Palaniya <hardevsinh.palaniya(a)siliconsignals.io> ARC: bpf: Correct conditional check in 'check_jmp_32' Paul E. McKenney <paulmck(a)kernel.org> ARC: build: Use __force to suppress per-CPU cmpxchg warnings Vineet Gupta <vgupta(a)kernel.org> ARC: build: disallow invalid PAE40 + 4K page config Stephen Gordon <gordoste(a)iinet.net.au> ASoC: audio-graph-card: Call of_node_put() on correct node Niravkumar L Rabara <niravkumar.l.rabara(a)intel.com> spi: spi-cadence-qspi: Disable STIG mode for Altera SoCFPGA. Adrian Ratiu <adrian.ratiu(a)collabora.com> sound: usb: format: don't warn that raw DSD is unsupported Adrian Ratiu <adrian.ratiu(a)collabora.com> sound: usb: enable DSD output for ddHiFi TC44C Vasiliy Kovalev <kovalev(a)altlinux.org> ALSA: hda/realtek: Add new alc2xx-fixup-headset-mic model Takashi Iwai <tiwai(a)suse.de> ALSA: hda/ca0132: Use standard HD-audio quirk matching helpers Filipe Manana <fdmanana(a)suse.com> btrfs: flush delalloc workers queue before stopping cleaner kthread during unmount Johannes Thumshirn <johannes.thumshirn(a)wdc.com> btrfs: handle bio_split() errors Vasiliy Kovalev <kovalev(a)altlinux.org> ALSA: hda/realtek - Add support for ASUS Zen AIO 27 Z272SD_A272SD audio Simon Trimmer <simont(a)opensource.cirrus.com> ALSA: hda: cs35l56: Remove calls to cs35l56_force_sync_asp1_registers_from_cache() Prike Liang <Prike.Liang(a)amd.com> drm/amdkfd: Correct the migration DMA map direction Victor Zhao <Victor.Zhao(a)amd.com> drm/amdgpu: use sjt mec fw on gfx943 for sriov Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> wifi: mac80211: wake the queues in case of failure in resume Aditya Kumar Singh <quic_adisi(a)quicinc.com> wifi: cfg80211: clear link ID from bitmap during link delete after clean up Issam Hamdi <ih(a)simonwunderlich.de> wifi: mac80211: fix mbss changed flags corruption on 32 bit systems Kan Liang <kan.liang(a)linux.intel.com> perf/x86/intel: Add Arrow Lake U support Filipe Manana <fdmanana(a)suse.com> btrfs: allow swap activation to be interruptible Meghana Malladi <m-malladi(a)ti.com> net: ti: icssg-prueth: Fix clearing of IEP_CMP_CFG registers during iep_init MD Danish Anwar <danishanwar(a)ti.com> net: ti: icssg-prueth: Fix firmware load sequence. Eric Dumazet <edumazet(a)google.com> ila: serialize calls to nf_register_net_hooks() Eric Dumazet <edumazet(a)google.com> af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK Eric Dumazet <edumazet(a)google.com> af_packet: fix vlan_get_tci() vs MSG_PEEK Maciej S. Szmigiero <mail(a)maciej.szmigiero.name> net: wwan: iosm: Properly check for valid exec stage in ipc_mmio_init() Eric Dumazet <edumazet(a)google.com> net: restrict SO_REUSEPORT to inet sockets Willem de Bruijn <willemb(a)google.com> net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets Liang Jie <liangjie(a)lixiang.com> net: sfc: Correct key_len for efx_tc_ct_zone_ht_params Jens Axboe <axboe(a)kernel.dk> io_uring/net: always initialize kmsg->msg.msg_inq upfront Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> RDMA/bnxt_re: Fix error recovery sequence Li Zhijian <lizhijian(a)fujitsu.com> RDMA/rtrs: Ensure 'ib_sge list' is accessible Jinjian Song <jinjian.song(a)fibocom.com> net: wwan: t7xx: Fix FSM command timeout issue Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> net: mv643xx_eth: fix an OF node reference leak Vitalii Mordan <mordan(a)ispras.ru> eth: bcmsysport: fix call balance of priv->clk handling routines Tanya Agarwal <tanyaagarwal25699(a)gmail.com> ALSA: usb-audio: US16x08: Initialize array before use Leo Stone <leocstone(a)gmail.com> nvmet: Don't overflow subsysnqn Antonio Pastor <antonio.pastor(a)gmail.com> net: llc: reset skb->transport_header Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext Su Hui <suhui(a)nfschina.com> workqueue: add printf attribute to __alloc_workqueue() Rodrigo Vivi <rodrigo.vivi(a)intel.com> drm/i915/dg1: Fix power gate sequence. Suraj Kandpal <suraj.kandpal(a)intel.com> drm/i915/cx0_phy: Fix C10 pll programming sequence Zhu Yanjun <yanjun.zhu(a)linux.dev> RDMA/rxe: Remove the direct link to net_device Jianbo Liu <jianbol(a)nvidia.com> net/mlx5e: Keep netdev when leave switchdev for devlink set legacy only Jianbo Liu <jianbol(a)nvidia.com> net/mlx5e: Skip restore TC rules for vport rep without loaded flag Dragos Tatulea <dtatulea(a)nvidia.com> net/mlx5e: macsec: Maintain TX SA from encoding_sa Shahar Shitrit <shshitrit(a)nvidia.com> net/mlx5: DR, select MSIX vector 0 for completion queue creation Kory Maincent <kory.maincent(a)bootlin.com> net: pse-pd: tps23881: Fix power on/off issue Ilya Shchipletsov <rabbelkin(a)mail.ru> netrom: check buffer length before accessing it Xiao Liang <shaw.leon(a)gmail.com> net: Fix netns for ip_tunnel_init_flow() Wang Liang <wangliang74(a)huawei.com> net: fix memory leak in tcp_conn_request() Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> net: stmmac: restructure the error path of stmmac_probe_config_dt() Lucas De Marchi <lucas.demarchi(a)intel.com> drm/xe: Fix fault on fd close after unbind Michal Wajdeczko <michal.wajdeczko(a)intel.com> drm/xe/pf: Use correct function to check LMEM provisioning John Harrison <John.C.Harrison(a)Intel.com> drm/xe: Revert some changes that break a mesa debug tool Chengchang Tang <tangchengchang(a)huawei.com> RDMA/hns: Fix missing flush CQE for DWQE Chengchang Tang <tangchengchang(a)huawei.com> RDMA/hns: Fix warning storm caused by invalid input in IO path Chengchang Tang <tangchengchang(a)huawei.com> RDMA/hns: Fix accessing invalid dip_ctx during destroying QP wenglianfa <wenglianfa(a)huawei.com> RDMA/hns: Fix mapping error of zero-hop WQE buffer Jakub Kicinski <kuba(a)kernel.org> netdev-genl: avoid empty messages in napi get Vladimir Oltean <vladimir.oltean(a)nxp.com> selftests: net: local_termination: require mausezahn Tristram Ha <tristram.ha(a)microchip.com> net: dsa: microchip: Fix LAN937X set_ageing_time function Tristram Ha <tristram.ha(a)microchip.com> net: dsa: microchip: Fix KSZ9477 set_ageing_time function Stefan Ekenberg <stefan.ekenberg(a)axis.com> drm/bridge: adv7511_audio: Update Audio InfoFrame properly Wei Fang <wei.fang(a)nxp.com> net: phy: micrel: Dynamically control external clock of KSZ PHY Selvin Xavier <selvin.xavier(a)broadcom.com> RDMA/bnxt_re: Fix the locking while accessing the QP table Damodharam Ammepalli <damodharam.ammepalli(a)broadcom.com> RDMA/bnxt_re: Fix MSN table size for variable wqe mode Damodharam Ammepalli <damodharam.ammepalli(a)broadcom.com> RDMA/bnxt_re: Add send queue size check for variable wqe Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> RDMA/bnxt_re: Disable use of reserved wqes Selvin Xavier <selvin.xavier(a)broadcom.com> RDMA/bnxt_re: Fix max_qp_wrs reported Bernard Metzler <bmt(a)zurich.ibm.com> RDMA/siw: Remove direct link to net_device Chiara Meiohas <cmeiohas(a)nvidia.com> RDMA/nldev: Set error code in rdma_nl_notify_event Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> RDMA/bnxt_re: Fix reporting hw_ver in query_device Saravanan Vajravel <saravanan.vajravel(a)broadcom.com> RDMA/bnxt_re: Add check for path mtu in modify_qp Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> RDMA/bnxt_re: Fix the check for 9060 condition Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> wifi: iwlwifi: fix CRF name for Bz Robert Beckett <bob.beckett(a)collabora.com> nvme-pci: 512 byte aligned dma pool segment quirk Anumula Murali Mohan Reddy <anumula(a)chelsio.com> RDMA/core: Fix ENODEV error for iWARP test over vlan Kashyap Desai <kashyap.desai(a)broadcom.com> RDMA/bnxt_re: Avoid sending the modify QP workaround for latest adapters Selvin Xavier <selvin.xavier(a)broadcom.com> RDMA/bnxt_re: Avoid initializing the software queue for user queues Kashyap Desai <kashyap.desai(a)broadcom.com> RDMA/bnxt_re: Fix max SGEs for the Work Request Patrisious Haddad <phaddad(a)nvidia.com> RDMA/mlx5: Enforce same type port association for multiport RoCE guanjing <guanjing(a)cmss.chinamobile.com> sched_ext: fix application of sizeof to pointer Leon Romanovsky <leon(a)kernel.org> RDMA/bnxt_re: Remove always true dattr validity check Christoph Hellwig <hch(a)lst.de> btrfs: use bio_is_zone_append() in the completion handler Christoph Hellwig <hch(a)lst.de> block: lift bio_is_zone_append to bio.h Steven Rostedt <rostedt(a)goodmis.org> tracing: Have process_string() also allow arrays Lucas Stach <l.stach(a)pengutronix.de> pmdomain: core: add dummy release function to genpd device Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> pmdomain: imx: gpcv2: fix an OF node reference leak in imx_gpcv2_probe() Eric Biggers <ebiggers(a)google.com> mmc: sdhci-msm: fix crypto key eviction Thiébaud Weksteen <tweek(a)google.com> selinux: ignore unknown extended permissions Mingcong Bai <jeffbai(a)aosc.io> platform/x86: hp-wmi: mark 8A15 board for timed OMEN thermal profile Vishnu Sankar <vishnuocv(a)gmail.com> platform/x86: thinkpad-acpi: Add support for hotkey 0x1401 Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: fix backport of commit 73dae652dcac Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> platform/x86: mlx-platform: call pci_dev_put() to balance the refcount ------------- Diffstat: .../admin-guide/laptops/thinkpad-acpi.rst | 10 +- .../bindings/display/bridge/adi,adv7533.yaml | 2 +- Makefile | 4 +- arch/arc/Kconfig | 4 +- arch/arc/Makefile | 2 +- arch/arc/include/asm/cmpxchg.h | 2 +- arch/arc/net/bpf_jit_arcv2.c | 2 +- arch/x86/events/intel/core.c | 1 + block/blk.h | 9 - drivers/clk/imx/clk-imx8mp-audiomix.c | 3 +- drivers/clk/thead/clk-th1520-ap.c | 13 +- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 6 +- drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c | 10 +- drivers/gpu/drm/amd/amdkfd/kfd_migrate.c | 4 +- drivers/gpu/drm/bridge/adv7511/adv7511_audio.c | 14 +- drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 10 +- drivers/gpu/drm/bridge/adv7511/adv7533.c | 4 +- drivers/gpu/drm/i915/display/intel_cx0_phy.c | 12 +- drivers/gpu/drm/i915/gt/intel_rc6.c | 2 +- drivers/gpu/drm/xe/xe_bo.c | 12 +- drivers/gpu/drm/xe/xe_devcoredump.c | 15 +- drivers/gpu/drm/xe/xe_exec_queue.c | 9 + drivers/gpu/drm/xe/xe_gt_sriov_pf_config.c | 2 +- drivers/infiniband/core/cma.c | 16 ++ drivers/infiniband/core/nldev.c | 2 +- drivers/infiniband/core/uverbs_cmd.c | 16 +- drivers/infiniband/hw/bnxt_re/ib_verbs.c | 34 +-- drivers/infiniband/hw/bnxt_re/main.c | 8 +- drivers/infiniband/hw/bnxt_re/qplib_fp.c | 65 +++-- drivers/infiniband/hw/bnxt_re/qplib_fp.h | 3 +- drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 5 +- drivers/infiniband/hw/bnxt_re/qplib_sp.c | 18 +- drivers/infiniband/hw/hns/hns_roce_hem.c | 43 +++- drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 11 +- drivers/infiniband/hw/hns/hns_roce_mr.c | 5 - drivers/infiniband/hw/mlx5/main.c | 8 +- drivers/infiniband/sw/rxe/rxe.c | 23 +- drivers/infiniband/sw/rxe/rxe.h | 3 +- drivers/infiniband/sw/rxe/rxe_mcast.c | 22 +- drivers/infiniband/sw/rxe/rxe_net.c | 24 +- drivers/infiniband/sw/rxe/rxe_verbs.c | 26 +- drivers/infiniband/sw/rxe/rxe_verbs.h | 11 +- drivers/infiniband/sw/siw/siw.h | 7 +- drivers/infiniband/sw/siw/siw_cm.c | 27 +- drivers/infiniband/sw/siw/siw_main.c | 15 +- drivers/infiniband/sw/siw/siw_verbs.c | 35 ++- drivers/infiniband/ulp/rtrs/rtrs-srv.c | 2 +- drivers/irqchip/irq-gic.c | 2 +- drivers/mmc/host/sdhci-msm.c | 16 +- drivers/net/dsa/microchip/ksz9477.c | 47 +++- drivers/net/dsa/microchip/ksz9477_reg.h | 4 +- drivers/net/dsa/microchip/lan937x_main.c | 62 ++++- drivers/net/dsa/microchip/lan937x_reg.h | 9 +- drivers/net/ethernet/broadcom/bcmsysport.c | 21 +- drivers/net/ethernet/google/gve/gve.h | 1 + drivers/net/ethernet/google/gve/gve_main.c | 63 +++-- drivers/net/ethernet/google/gve/gve_tx.c | 46 ++-- drivers/net/ethernet/marvell/mv643xx_eth.c | 14 +- drivers/net/ethernet/marvell/sky2.c | 1 + .../ethernet/mellanox/mlx5/core/en_accel/macsec.c | 4 + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 19 +- drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 15 ++ .../net/ethernet/mellanox/mlx5/core/esw/ipsec_fs.c | 6 +- drivers/net/ethernet/mellanox/mlx5/core/eswitch.h | 3 + .../ethernet/mellanox/mlx5/core/eswitch_offloads.c | 5 +- .../ethernet/mellanox/mlx5/core/steering/dr_send.c | 4 +- .../net/ethernet/mellanox/mlxsw/spectrum_span.c | 3 +- drivers/net/ethernet/sfc/tc_conntrack.c | 2 +- .../net/ethernet/stmicro/stmmac/stmmac_platform.c | 43 ++-- drivers/net/ethernet/ti/am65-cpsw-nuss.c | 2 +- drivers/net/ethernet/ti/icssg/icss_iep.c | 8 + drivers/net/ethernet/ti/icssg/icssg_common.c | 25 -- drivers/net/ethernet/ti/icssg/icssg_config.c | 41 ++- drivers/net/ethernet/ti/icssg/icssg_config.h | 1 + drivers/net/ethernet/ti/icssg/icssg_prueth.c | 281 ++++++++++++++------- drivers/net/ethernet/ti/icssg/icssg_prueth.h | 5 +- drivers/net/ethernet/ti/icssg/icssg_prueth_sr1.c | 24 +- drivers/net/phy/micrel.c | 114 ++++++++- drivers/net/pse-pd/tps23881.c | 16 +- drivers/net/usb/qmi_wwan.c | 3 + drivers/net/wireless/intel/iwlwifi/cfg/bz.c | 1 + drivers/net/wireless/intel/iwlwifi/iwl-config.h | 1 + drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 14 +- drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 41 ++- drivers/net/wwan/iosm/iosm_ipc_mmio.c | 2 +- drivers/net/wwan/t7xx/t7xx_state_monitor.c | 26 +- drivers/net/wwan/t7xx/t7xx_state_monitor.h | 5 +- drivers/nvme/host/nvme.h | 5 + drivers/nvme/host/pci.c | 9 +- drivers/nvme/target/configfs.c | 11 +- drivers/pinctrl/pinctrl-mcp23s08.c | 6 + drivers/platform/x86/hp/hp-wmi.c | 4 +- drivers/platform/x86/mlx-platform.c | 2 + drivers/platform/x86/thinkpad_acpi.c | 4 +- drivers/pmdomain/core.c | 6 + drivers/pmdomain/imx/gpcv2.c | 4 +- drivers/spi/spi-cadence-quadspi.c | 10 +- fs/btrfs/bio.c | 23 +- fs/btrfs/disk-io.c | 9 + fs/btrfs/inode.c | 5 + fs/ocfs2/quota_global.c | 2 +- fs/ocfs2/quota_local.c | 1 + fs/proc/task_mmu.c | 2 +- fs/smb/client/cifsfs.c | 1 + fs/smb/server/smb2pdu.c | 22 +- fs/smb/server/vfs.h | 1 + include/linux/bio.h | 17 ++ include/linux/filter.h | 2 +- include/linux/if_vlan.h | 16 +- include/linux/memfd.h | 14 + include/linux/mlx5/driver.h | 7 + include/linux/mlx5/mlx5_ifc.h | 4 +- include/linux/mm.h | 57 +++-- include/linux/mm_types.h | 30 +++ include/net/bluetooth/hci_core.h | 108 +++++--- include/net/netfilter/nf_tables.h | 7 +- include/sound/cs35l56.h | 6 - io_uring/kbuf.c | 4 +- io_uring/net.c | 1 + io_uring/rw.c | 2 + kernel/bpf/core.c | 8 +- kernel/bpf/verifier.c | 2 +- kernel/kcov.c | 2 +- kernel/sched/ext.c | 4 +- kernel/trace/fgraph.c | 2 +- kernel/trace/ftrace.c | 8 +- kernel/trace/trace_events.c | 12 + kernel/workqueue.c | 23 +- lib/maple_tree.c | 1 + mm/damon/core.c | 10 +- mm/hugetlb.c | 16 +- mm/kmemleak.c | 2 +- mm/memfd.c | 2 +- mm/mmap.c | 4 + mm/readahead.c | 6 +- mm/shmem.c | 7 +- mm/vmscan.c | 9 +- net/bluetooth/hci_core.c | 10 +- net/bluetooth/iso.c | 6 + net/bluetooth/l2cap_core.c | 12 +- net/bluetooth/rfcomm/core.c | 6 + net/bluetooth/sco.c | 12 +- net/core/dev.c | 4 +- net/core/filter.c | 63 +++-- net/core/netdev-genl.c | 6 +- net/core/sock.c | 5 +- net/ipv4/ip_tunnel.c | 6 +- net/ipv4/tcp_input.c | 1 + net/ipv6/ila/ila_xlat.c | 16 +- net/llc/llc_input.c | 2 +- net/mac80211/cfg.c | 8 +- net/mac80211/mesh.c | 6 +- net/mac80211/util.c | 3 + net/mptcp/options.c | 7 + net/mptcp/protocol.c | 22 +- net/netrom/nr_route.c | 6 + net/packet/af_packet.c | 28 +- net/sctp/associola.c | 3 +- net/wireless/util.c | 3 +- scripts/mksysmap | 4 +- scripts/mod/file2alias.c | 2 +- scripts/package/PKGBUILD | 2 +- scripts/sorttable.h | 5 +- security/selinux/ss/services.c | 8 +- sound/core/seq/oss/seq_oss_synth.c | 2 + sound/core/seq/seq_clientmgr.c | 14 +- sound/core/ump.c | 2 +- sound/pci/hda/cs35l56_hda.c | 8 - sound/pci/hda/patch_ca0132.c | 37 +-- sound/pci/hda/patch_realtek.c | 24 ++ sound/soc/generic/audio-graph-card2.c | 2 +- sound/usb/format.c | 7 +- sound/usb/mixer_us16x08.c | 2 +- sound/usb/quirks.c | 2 + tools/sched_ext/scx_central.c | 2 +- tools/testing/selftests/bpf/progs/tc_bpf2bpf.c | 2 + .../selftests/net/forwarding/local_termination.sh | 1 - 177 files changed, 1698 insertions(+), 764 deletions(-)

5 months

19
175
0 0

[PATCH] clk: mmp2: call pm_genpd_init() only after genpd.name is set

by Lubomir Rintel

Setting the genpd's struct device's name with dev_set_name() is happening within pm_genpd_init(). If it remains NULL, things can blow up later, such as when crafting the devfs hierarchy for the power domain: 8<--- cut here --- [please do not actually cut, you'll ruin your display] Unable to handle kernel NULL pointer dereference at virtual address 00000000 when read ... Call trace: strlen from start_creating+0x90/0x138 start_creating from debugfs_create_dir+0x20/0x178 debugfs_create_dir from genpd_debug_add.part.0+0x4c/0x144 genpd_debug_add.part.0 from genpd_debug_init+0x74/0x90 genpd_debug_init from do_one_initcall+0x5c/0x244 do_one_initcall from kernel_init_freeable+0x19c/0x1f4 kernel_init_freeable from kernel_init+0x1c/0x12c kernel_init from ret_from_fork+0x14/0x28 Bisecting tracks this crash back to commit 899f44531fe6 ("pmdomain: core: Add GENPD_FLAG_DEV_NAME_FW flag"), which exchanges use of genpd->name with dev_name(&genpd->dev) in genpd_debug_add.part(). Fixes: 899f44531fe6 ("pmdomain: core: Add GENPD_FLAG_DEV_NAME_FW flag") Signed-off-by: Lubomir Rintel <lkundrak(a)v3.sk> Cc: stable(a)vger.kernel.org # v6.12+ --- drivers/clk/mmp/pwr-island.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/clk/mmp/pwr-island.c b/drivers/clk/mmp/pwr-island.c index edaa2433a472..eaf5d2c5e593 100644 --- a/drivers/clk/mmp/pwr-island.c +++ b/drivers/clk/mmp/pwr-island.c @@ -106,10 +106,10 @@ struct generic_pm_domain *mmp_pm_domain_register(const char *name, pm_domain->flags = flags; pm_domain->lock = lock; - pm_genpd_init(&pm_domain->genpd, NULL, true); pm_domain->genpd.name = name; pm_domain->genpd.power_on = mmp_pm_domain_power_on; pm_domain->genpd.power_off = mmp_pm_domain_power_off; + pm_genpd_init(&pm_domain->genpd, NULL, true); return &pm_domain->genpd; } -- 2.47.1

5 months

2
3
0 0

[PATCH] USB: serial: cp210x: add Phoenix Contact UPS Device

by Johan Hovold

Phoenix Contact sells UPS Quint devices [1] with a custom datacable [2] that embeds a Silicon Labs converter: Bus 001 Device 003: ID 1b93:1013 Silicon Labs Phoenix Contact UPS Device Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 2.00 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x1b93 idProduct 0x1013 bcdDevice 1.00 iManufacturer 1 Silicon Labs iProduct 2 Phoenix Contact UPS Device iSerial 3 <redacted> bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 0x0020 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 255 Vendor Specific Class bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 2 Phoenix Contact UPS Device Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 [1] https://www.phoenixcontact.com/en-pc/products/power-supply-unit-quint-ps-1a… [2] https://www.phoenixcontact.com/en-il/products/data-cable-preassembled-ifs-u… Reported-by: Giuseppe Corbelli <giuseppe.corbelli(a)antaresvision.com> Cc: stable(a)vger.kernel.org Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/usb/serial/cp210x.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c index c24101f0a07a..9960ac2b10b7 100644 --- a/drivers/usb/serial/cp210x.c +++ b/drivers/usb/serial/cp210x.c @@ -223,6 +223,7 @@ static const struct usb_device_id id_table[] = { { USB_DEVICE(0x19CF, 0x3000) }, /* Parrot NMEA GPS Flight Recorder */ { USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */ { USB_DEVICE(0x1B1C, 0x1C00) }, /* Corsair USB Dongle */ + { USB_DEVICE(0x1B93, 0x1013) }, /* Phoenix Contact UPS Device */ { USB_DEVICE(0x1BA4, 0x0002) }, /* Silicon Labs 358x factory default */ { USB_DEVICE(0x1BE3, 0x07A6) }, /* WAGO 750-923 USB Service Cable */ { USB_DEVICE(0x1D6F, 0x0010) }, /* Seluxit ApS RF Dongle */ -- 2.45.2

5 months

1
0
0 0

[PATCH] gpio: loongson: Fix Loongson-2K2000 ACPI GPIO register offset

by Binbin Zhou

Since commit 3feb70a61740 ("gpio: loongson: add more gpio chip support"), the Loongson-2K2000 GPIO is supported. However, according to the firmware development specification, the Loongson-2K2000 ACPI GPIO register offsets in the driver do not match the register base addresses in the firmware, resulting in the registers not being accessed properly. Now, we fix it to ensure the GPIO function works properly. Cc: stable(a)vger.kernel.org Cc: Yinbo Zhu <zhuyinbo(a)loongson.cn> Fixes: 3feb70a61740 ("gpio: loongson: add more gpio chip support") Co-developed-by: Hongliang Wang <wanghongliang(a)loongson.cn> Signed-off-by: Hongliang Wang <wanghongliang(a)loongson.cn> Signed-off-by: Binbin Zhou <zhoubinbin(a)loongson.cn> --- drivers/gpio/gpio-loongson-64bit.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/gpio/gpio-loongson-64bit.c b/drivers/gpio/gpio-loongson-64bit.c index 6749d4dd6d64..7f4d78fd800e 100644 --- a/drivers/gpio/gpio-loongson-64bit.c +++ b/drivers/gpio/gpio-loongson-64bit.c @@ -237,9 +237,9 @@ static const struct loongson_gpio_chip_data loongson_gpio_ls2k2000_data1 = { static const struct loongson_gpio_chip_data loongson_gpio_ls2k2000_data2 = { .label = "ls2k2000_gpio", .mode = BIT_CTRL_MODE, - .conf_offset = 0x84, - .in_offset = 0x88, - .out_offset = 0x80, + .conf_offset = 0x4, + .in_offset = 0x8, + .out_offset = 0x0, }; static const struct loongson_gpio_chip_data loongson_gpio_ls3a5000_data = { -- 2.43.5

5 months

2
1
0 0

[withdrawn] mm-zswap-disable-migration-while-using-per-cpu-acomp_ctx.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: zswap: disable migration while using per-CPU acomp_ctx has been removed from the -mm tree. Its filename was mm-zswap-disable-migration-while-using-per-cpu-acomp_ctx.patch This patch was dropped because it was withdrawn ------------------------------------------------------ From: Yosry Ahmed <yosryahmed(a)google.com> Subject: mm: zswap: disable migration while using per-CPU acomp_ctx Date: Tue, 7 Jan 2025 22:22:35 +0000 In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the current CPU at the beginning of the operation is retrieved and used throughout. However, since neither preemption nor migration are disabled, it is possible that the operation continues on a different CPU. If the original CPU is hotunplugged while the acomp_ctx is still in use, we run into a UAF bug as the resources attached to the acomp_ctx are freed during hotunplug in zswap_cpu_comp_dead(). The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration") when the switch to the crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was retrieved using get_cpu_ptr() which disables preemption and makes sure the CPU cannot go away from under us. Preemption cannot be disabled with the crypto_acomp API as a sleepable context is needed. Commit 8ba2f844f050 ("mm/zswap: change per-cpu mutex and buffer to per-acomp_ctx") increased the UAF surface area by making the per-CPU buffers dynamic, adding yet another resource that can be freed from under zswap compression/decompression by CPU hotunplug. This cannot be fixed by holding cpus_read_lock(), as it is possible for code already holding the lock to fall into reclaim and enter zswap (causing a deadlock). It also cannot be fixed by wrapping the usage of acomp_ctx in an SRCU critical section and using synchronize_srcu() in zswap_cpu_comp_dead(), because synchronize_srcu() is not allowed in CPU-hotplug notifiers (see Documentation/RCU/Design/Requirements/Requirements.rst). This can be fixed by refcounting the acomp_ctx, but it involves complexity in handling the race between the refcount dropping to zero in zswap_[de]compress() and the refcount being re-initialized when the CPU is onlined. Keep things simple for now and just disable migration while using the per-CPU acomp_ctx to block CPU hotunplug until the usage is over. Link: https://lkml.kernel.org/r/20250107222236.2715883-2-yosryahmed@google.com Fixes: 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration") Signed-off-by: Yosry Ahmed <yosryahmed(a)google.com> Reported-by: Johannes Weiner <hannes(a)cmpxchg.org> Closes: https://lore.kernel.org/lkml/20241113213007.GB1564047@cmpxchg.org/ Reported-by: Sam Sun <samsun1006219(a)gmail.com> Closes: https://lore.kernel.org/lkml/CAEkJfYMtSdM5HceNsXUDf5haghD5+o2e7Qv4OcuruL4tP… Cc: Barry Song <baohua(a)kernel.org> Cc: Chengming Zhou <chengming.zhou(a)linux.dev> Cc: Kanchana P Sridhar <kanchana.p.sridhar(a)intel.com> Cc: Nhat Pham <nphamcs(a)gmail.com> Cc: syzbot <syzkaller(a)googlegroups.com> Cc: Vitaly Wool <vitalywool(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/zswap.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) --- a/mm/zswap.c~mm-zswap-disable-migration-while-using-per-cpu-acomp_ctx +++ a/mm/zswap.c @@ -880,6 +880,18 @@ static int zswap_cpu_comp_dead(unsigned return 0; } +/* Remain on the CPU while using its acomp_ctx to stop it from going offline */ +static struct crypto_acomp_ctx *acomp_ctx_get_cpu(struct crypto_acomp_ctx __percpu *acomp_ctx) +{ + migrate_disable(); + return raw_cpu_ptr(acomp_ctx); +} + +static void acomp_ctx_put_cpu(void) +{ + migrate_enable(); +} + static bool zswap_compress(struct page *page, struct zswap_entry *entry, struct zswap_pool *pool) { @@ -893,8 +905,7 @@ static bool zswap_compress(struct page * gfp_t gfp; u8 *dst; - acomp_ctx = raw_cpu_ptr(pool->acomp_ctx); - + acomp_ctx = acomp_ctx_get_cpu(pool->acomp_ctx); mutex_lock(&acomp_ctx->mutex); dst = acomp_ctx->buffer; @@ -950,6 +961,7 @@ unlock: zswap_reject_alloc_fail++; mutex_unlock(&acomp_ctx->mutex); + acomp_ctx_put_cpu(); return comp_ret == 0 && alloc_ret == 0; } @@ -960,7 +972,7 @@ static void zswap_decompress(struct zswa struct crypto_acomp_ctx *acomp_ctx; u8 *src; - acomp_ctx = raw_cpu_ptr(entry->pool->acomp_ctx); + acomp_ctx = acomp_ctx_get_cpu(entry->pool->acomp_ctx); mutex_lock(&acomp_ctx->mutex); src = zpool_map_handle(zpool, entry->handle, ZPOOL_MM_RO); @@ -990,6 +1002,7 @@ static void zswap_decompress(struct zswa if (src != acomp_ctx->buffer) zpool_unmap_handle(zpool, entry->handle); + acomp_ctx_put_cpu(); } /********************************* _ Patches currently in -mm which might be from yosryahmed(a)google.com are revert-mm-zswap-fix-race-between-compression-and-cpu-hotunplug.patch

5 months

1
0
0 0

[PATCH RESEND 2/2] mm: zswap: use SRCU to synchronize with CPU hotunplug

by Yosry Ahmed

In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the current CPU at the beginning of the operation is retrieved and used throughout. However, since neither preemption nor migration are disabled, it is possible that the operation continues on a different CPU. If the original CPU is hotunplugged while the acomp_ctx is still in use, we run into a UAF bug as the resources attached to the acomp_ctx are freed during hotunplug in zswap_cpu_comp_dead(). The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration") when the switch to the crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was retrieved using get_cpu_ptr() which disables preemption and makes sure the CPU cannot go away from under us. Preemption cannot be disabled with the crypto_acomp API as a sleepable context is needed. Commit 8ba2f844f050 ("mm/zswap: change per-cpu mutex and buffer to per-acomp_ctx") increased the UAF surface area by making the per-CPU buffers dynamic, adding yet another resource that can be freed from under zswap compression/decompression by CPU hotunplug. There are a few ways to fix this: (a) Add a refcount for acomp_ctx. (b) Disable migration while using the per-CPU acomp_ctx. (c) Use SRCU to wait for other CPUs using the acomp_ctx of the CPU being hotunplugged. Normal RCU cannot be used as a sleepable context is required. Implement (c) since it's simpler than (a), and (b) involves using migrate_disable() which is apparently undesired (see huge comment in include/linux/preempt.h). Fixes: 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration") Cc: <stable(a)vger.kernel.org> Signed-off-by: Yosry Ahmed <yosryahmed(a)google.com> Reported-by: Johannes Weiner <hannes(a)cmpxchg.org> Closes: https://lore.kernel.org/lkml/20241113213007.GB1564047@cmpxchg.org/ Reported-by: Sam Sun <samsun1006219(a)gmail.com> Closes: https://lore.kernel.org/lkml/CAEkJfYMtSdM5HceNsXUDf5haghD5+o2e7Qv4OcuruL4tP… --- mm/zswap.c | 31 ++++++++++++++++++++++++++++--- 1 file changed, 28 insertions(+), 3 deletions(-) diff --git a/mm/zswap.c b/mm/zswap.c index f6316b66fb236..add1406d693b8 100644 --- a/mm/zswap.c +++ b/mm/zswap.c @@ -864,12 +864,22 @@ static int zswap_cpu_comp_prepare(unsigned int cpu, struct hlist_node *node) return ret; } +DEFINE_STATIC_SRCU(acomp_srcu); + static int zswap_cpu_comp_dead(unsigned int cpu, struct hlist_node *node) { struct zswap_pool *pool = hlist_entry(node, struct zswap_pool, node); struct crypto_acomp_ctx *acomp_ctx = per_cpu_ptr(pool->acomp_ctx, cpu); if (!IS_ERR_OR_NULL(acomp_ctx)) { + /* + * Even though the acomp_ctx should not be currently in use on + * @cpu, it may still be used by compress/decompress operations + * that started on @cpu and migrated to a different CPU. Wait + * for such usages to complete, any news usages would be a bug. + */ + synchronize_srcu(&acomp_srcu); + if (!IS_ERR_OR_NULL(acomp_ctx->req)) acomp_request_free(acomp_ctx->req); if (!IS_ERR_OR_NULL(acomp_ctx->acomp)) @@ -880,6 +890,18 @@ static int zswap_cpu_comp_dead(unsigned int cpu, struct hlist_node *node) return 0; } +static struct crypto_acomp_ctx *acomp_ctx_get_cpu(struct crypto_acomp_ctx __percpu *acomp_ctx, + int *srcu_idx) +{ + *srcu_idx = srcu_read_lock(&acomp_srcu); + return raw_cpu_ptr(acomp_ctx); +} + +static void acomp_ctx_put_cpu(int srcu_idx) +{ + srcu_read_unlock(&acomp_srcu, srcu_idx); +} + static bool zswap_compress(struct page *page, struct zswap_entry *entry, struct zswap_pool *pool) { @@ -889,12 +911,12 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry, unsigned int dlen = PAGE_SIZE; unsigned long handle; struct zpool *zpool; + int srcu_idx; char *buf; gfp_t gfp; u8 *dst; - acomp_ctx = raw_cpu_ptr(pool->acomp_ctx); - + acomp_ctx = acomp_ctx_get_cpu(pool->acomp_ctx, &srcu_idx); mutex_lock(&acomp_ctx->mutex); dst = acomp_ctx->buffer; @@ -950,6 +972,7 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry, zswap_reject_alloc_fail++; mutex_unlock(&acomp_ctx->mutex); + acomp_ctx_put_cpu(srcu_idx); return comp_ret == 0 && alloc_ret == 0; } @@ -958,9 +981,10 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio) struct zpool *zpool = entry->pool->zpool; struct scatterlist input, output; struct crypto_acomp_ctx *acomp_ctx; + int srcu_idx; u8 *src; - acomp_ctx = raw_cpu_ptr(entry->pool->acomp_ctx); + acomp_ctx = acomp_ctx_get_cpu(entry->pool->acomp_ctx, &srcu_idx); mutex_lock(&acomp_ctx->mutex); src = zpool_map_handle(zpool, entry->handle, ZPOOL_MM_RO); @@ -990,6 +1014,7 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio) if (src != acomp_ctx->buffer) zpool_unmap_handle(zpool, entry->handle); + acomp_ctx_put_cpu(srcu_idx); } /********************************* -- 2.47.1.613.gc27f4b7a9f-goog

5 months

4
10
0 0

+ zram-fix-potential-uaf-of-zram-table.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: zram: fix potential UAF of zram table has been added to the -mm mm-hotfixes-unstable branch. Its filename is zram-fix-potential-uaf-of-zram-table.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Kairui Song <kasong(a)tencent.com> Subject: zram: fix potential UAF of zram table Date: Tue, 7 Jan 2025 14:54:46 +0800 If zram_meta_alloc failed early, it frees allocated zram->table without setting it NULL. Which will potentially cause zram_meta_free to access the table if user reset an failed and uninitialized device. Link: https://lkml.kernel.org/r/20250107065446.86928-1-ryncsn@gmail.com Fixes: 74363ec674cb ("zram: fix uninitialized ZRAM not releasing backing device") Signed-off-by: Kairui Song <kasong(a)tencent.com> Reviewed-by: Sergey Senozhatsky <senozhatsky(a)chromium.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- drivers/block/zram/zram_drv.c | 1 + 1 file changed, 1 insertion(+) --- a/drivers/block/zram/zram_drv.c~zram-fix-potential-uaf-of-zram-table +++ a/drivers/block/zram/zram_drv.c @@ -1468,6 +1468,7 @@ static bool zram_meta_alloc(struct zram zram->mem_pool = zs_create_pool(zram->disk->disk_name); if (!zram->mem_pool) { vfree(zram->table); + zram->table = NULL; return false; } _ Patches currently in -mm which might be from kasong(a)tencent.com are zram-fix-potential-uaf-of-zram-table.patch mm-memcontrol-avoid-duplicated-memcg-enable-check.patch mm-swap_cgroup-remove-swap_cgroup_cmpxchg.patch mm-swap_cgroup-remove-global-swap-cgroup-lock.patch mm-swap_cgroup-decouple-swap-cgroup-recording-and-clearing.patch mm-swap-minor-clean-up-for-swap-entry-allocation.patch mm-swap-fold-swap_info_get_cont-in-the-only-caller.patch mm-swap-remove-old-allocation-path-for-hdd.patch mm-swap-use-cluster-lock-for-hdd.patch mm-swap-clean-up-device-availability-check.patch mm-swap-clean-up-plist-removal-and-adding.patch mm-swap-hold-a-reference-during-scan-and-cleanup-flag-usage.patch mm-swap-use-an-enum-to-define-all-cluster-flags-and-wrap-flags-changes.patch mm-swap-reduce-contention-on-device-lock.patch mm-swap-simplify-percpu-cluster-updating.patch mm-swap-introduce-a-helper-for-retrieving-cluster-from-offset.patch mm-swap-use-a-global-swap-cluster-for-non-rotation-devices.patch mm-swap_slots-remove-slot-cache-for-freeing-path.patch

5 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror January 2025