March 2025 - Linux-stable-mirror

[PATCH v5] i3c: Fix read from unreadable memory at i3c_master_queue_ibi()

by Manjunatha Venkatesh

As part of I3C driver probing sequence for particular device instance, While adding to queue it is trying to access ibi variable of dev which is not yet initialized causing "Unable to handle kernel read from unreadable memory" resulting in kernel panic. Below is the sequence where this issue happened. 1. During boot up sequence IBI is received at host from the slave device before requesting for IBI, Usually will request IBI by calling i3c_device_request_ibi() during probe of slave driver. 2. Since master code trying to access IBI Variable for the particular device instance before actually it initialized by slave driver, due to this randomly accessing the address and causing kernel panic. 3. i3c_device_request_ibi() function invoked by the slave driver where dev->ibi = ibi; assigned as part of function call i3c_dev_request_ibi_locked(). 4. But when IBI request sent by slave device, master code trying to access this variable before its initialized due to this race condition situation kernel panic happened. Fixes: 3a379bbcea0af ("i3c: Add core I3C infrastructure") Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/lkml/Z9gjGYudiYyl3bSe@lizhi-Precision-Tower-5810/ Signed-off-by: Manjunatha Venkatesh <manjunatha.venkatesh(a)nxp.com> --- Changes since v4: - Fix added at generic places master.c which is applicable for all platforms drivers/i3c/master.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c index d5dc4180afbc..c65006aa0684 100644 --- a/drivers/i3c/master.c +++ b/drivers/i3c/master.c @@ -2561,6 +2561,9 @@ static void i3c_master_unregister_i3c_devs(struct i3c_master_controller *master) */ void i3c_master_queue_ibi(struct i3c_dev_desc *dev, struct i3c_ibi_slot *slot) { + if (!dev->ibi || !slot) + return; + atomic_inc(&dev->ibi->pending_ibis); queue_work(dev->ibi->wq, &slot->work); } -- 2.46.1

2 months, 3 weeks

3
5
0 0

[PATCH] PCI: j721e: Fix the value of linkdown_irq_regfield for J784S4

by Siddharth Vadapalli

Commit under Fixes assigned the value of 'linkdown_irq_regfield' for the J784S4 SoC as 'LINK_DOWN' which corresponds to BIT(1). However, according to the Technical Reference Manual and Register Documentation for the J784S4 SoC [0], BIT(1) corresponds to "ENABLE_SYS_EN_PCIE_DPA_1" which is __NOT__ the field for the link-state interrupt. Instead, it is BIT(10) of the "PCIE_INTD_ENABLE_REG_SYS_2" register that corresponds to the link-state field named as "ENABLE_SYS_EN_PCIE_LINK_STATE". Hence, set 'linkdown_irq_regfield' to the macro 'J7200_LINK_DOWN' which expands to BIT(10) and was first defined for the J7200 SoC. Other SoCs already reuse this macro since it accurately represents the link-state field in their respective "PCIE_INTD_ENABLE_REG_SYS_2" register. [0]: https://www.ti.com/lit/zip/spruj52 Fixes: e49ad667815d ("PCI: j721e: Add TI J784S4 PCIe configuration") Cc: stable(a)vger.kernel.org Signed-off-by: Siddharth Vadapalli <s-vadapalli(a)ti.com> --- Hello, This patch is based on commit 48a5eed9ad58 Merge tag 'devicetree-fixes-for-6.14-2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux of the master branch of Linux. Patch has been tested on J784S4-EVM, validating that disconnecting an Endpoint Device connected to J784S4-EVM results in the following message on the J784S4-EVM: j721e-pcie 2900000.pcie: LINK DOWN! which wasn't seen earlier. Regards, Siddharth. drivers/pci/controller/cadence/pci-j721e.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/pci/controller/cadence/pci-j721e.c b/drivers/pci/controller/cadence/pci-j721e.c index 0341d51d6aed..1da9d9918d0d 100644 --- a/drivers/pci/controller/cadence/pci-j721e.c +++ b/drivers/pci/controller/cadence/pci-j721e.c @@ -376,13 +376,13 @@ static const struct j721e_pcie_data j784s4_pcie_rc_data = { .mode = PCI_MODE_RC, .quirk_retrain_flag = true, .byte_access_allowed = false, - .linkdown_irq_regfield = LINK_DOWN, + .linkdown_irq_regfield = J7200_LINK_DOWN, .max_lanes = 4, }; static const struct j721e_pcie_data j784s4_pcie_ep_data = { .mode = PCI_MODE_EP, - .linkdown_irq_regfield = LINK_DOWN, + .linkdown_irq_regfield = J7200_LINK_DOWN, .max_lanes = 4, }; -- 2.34.1

2 months, 3 weeks

3
15
0 0

FAILED: patch "[PATCH] mm/page_alloc: fix memory accept before watermarks gets" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 800f1059c99e2b39899bdc67a7593a7bea6375d8 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032417-prior-uncooked-bf1f@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 800f1059c99e2b39899bdc67a7593a7bea6375d8 Mon Sep 17 00:00:00 2001 From: "Kirill A. Shutemov" <kirill.shutemov(a)linux.intel.com> Date: Mon, 10 Mar 2025 10:28:55 +0200 Subject: [PATCH] mm/page_alloc: fix memory accept before watermarks gets initialized Watermarks are initialized during the postcore initcall. Until then, all watermarks are set to zero. This causes cond_accept_memory() to incorrectly skip memory acceptance because a watermark of 0 is always met. This can lead to a premature OOM on boot. To ensure progress, accept one MAX_ORDER page if the watermark is zero. Link: https://lkml.kernel.org/r/20250310082855.2587122-1-kirill.shutemov@linux.in… Fixes: dcdfdd40fa82 ("mm: Add support for unaccepted memory") Signed-off-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Tested-by: Farrah Chen <farrah.chen(a)intel.com> Reported-by: Farrah Chen <farrah.chen(a)intel.com> Acked-by: Vlastimil Babka <vbabka(a)suse.cz> Reviewed-by: Pankaj Gupta <pankaj.gupta(a)amd.com> Cc: Ashish Kalra <ashish.kalra(a)amd.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: "Edgecombe, Rick P" <rick.p.edgecombe(a)intel.com> Cc: Mel Gorman <mgorman(a)techsingularity.net> Cc: "Mike Rapoport (IBM)" <rppt(a)kernel.org> Cc: Thomas Lendacky <thomas.lendacky(a)amd.com> Cc: <stable(a)vger.kernel.org> [6.5+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/page_alloc.c b/mm/page_alloc.c index 94917c729120..542d25f77be8 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -7004,7 +7004,7 @@ static inline bool has_unaccepted_memory(void) static bool cond_accept_memory(struct zone *zone, unsigned int order) { - long to_accept; + long to_accept, wmark; bool ret = false; if (!has_unaccepted_memory()) @@ -7013,8 +7013,18 @@ static bool cond_accept_memory(struct zone *zone, unsigned int order) if (list_empty(&zone->unaccepted_pages)) return false; + wmark = promo_wmark_pages(zone); + + /* + * Watermarks have not been initialized yet. + * + * Accepting one MAX_ORDER page to ensure progress. + */ + if (!wmark) + return try_to_accept_memory_one(zone); + /* How much to accept to get to promo watermark? */ - to_accept = promo_wmark_pages(zone) - + to_accept = wmark - (zone_page_state(zone, NR_FREE_PAGES) - __zone_watermark_unusable_free(zone, order, 0) - zone_page_state(zone, NR_UNACCEPTED));

2 months, 3 weeks

3
3
0 0

[PATCH] KVM: RISC-V: reset smstateen CSRs

by Radim Krčmář

Hi, I'm sending this early to ventana-sw as we hit the issue in today's slack discussion. I only compile-tested it so far and it will take me a while to trigger a bug and verify the solution. ---8<-- The smstateen CSRs control which stateful features are enabled in VU-mode. SU-mode must properly context switch the state of all enabled features. Reset the smstateen CSRs, because SU-mode might not know that it must context switch the state. Reset unconditionally as it is shorter and safer, and not that much slower. Fixes: 81f0f314fec9 ("RISCV: KVM: Add sstateen0 context save/restore") Cc: stable(a)vger.kernel.org Signed-off-by: Radim Krčmář <rkrcmar(a)ventanamicro.com> --- arch/riscv/include/asm/kvm_host.h | 3 +++ arch/riscv/kvm/vcpu.c | 4 ++++ 2 files changed, 7 insertions(+) diff --git a/arch/riscv/include/asm/kvm_host.h b/arch/riscv/include/asm/kvm_host.h index cc33e35cd628..1e9fe3cbecd3 100644 --- a/arch/riscv/include/asm/kvm_host.h +++ b/arch/riscv/include/asm/kvm_host.h @@ -234,6 +234,9 @@ struct kvm_vcpu_arch { /* CPU CSR context upon Guest VCPU reset */ struct kvm_vcpu_csr guest_reset_csr; + /* CPU smstateen CSR context upon Guest VCPU reset */ + struct kvm_vcpu_smstateen_csr reset_smstateen_csr; + /* * VCPU interrupts * diff --git a/arch/riscv/kvm/vcpu.c b/arch/riscv/kvm/vcpu.c index 60d684c76c58..b11b4027a859 100644 --- a/arch/riscv/kvm/vcpu.c +++ b/arch/riscv/kvm/vcpu.c @@ -57,6 +57,8 @@ static void kvm_riscv_reset_vcpu(struct kvm_vcpu *vcpu) struct kvm_vcpu_csr *reset_csr = &vcpu->arch.guest_reset_csr; struct kvm_cpu_context *cntx = &vcpu->arch.guest_context; struct kvm_cpu_context *reset_cntx = &vcpu->arch.guest_reset_context; + struct kvm_vcpu_smstateen_csr *smstateen_csr = &vcpu->arch.smstateen_csr; + struct kvm_vcpu_smstateen_csr *reset_smstateen_csr = &vcpu->arch.reset_smstateen_csr; bool loaded; /** @@ -73,6 +75,8 @@ static void kvm_riscv_reset_vcpu(struct kvm_vcpu *vcpu) memcpy(csr, reset_csr, sizeof(*csr)); + memcpy(smstateen_csr, reset_smstateen_csr, sizeof(*smstateen_csr)); + spin_lock(&vcpu->arch.reset_cntx_lock); memcpy(cntx, reset_cntx, sizeof(*cntx)); spin_unlock(&vcpu->arch.reset_cntx_lock); -- 2.48.1

2 months, 3 weeks

2
4
0 0

[PATCH] jffs2: check jffs2_prealloc_raw_node_refs() result in few other places

by Fedor Pchelkin

Fuzzing hit another invalid pointer dereference due to the lack of checking whether jffs2_prealloc_raw_node_refs() completed successfully. Subsequent logic implies that the node refs have been allocated. Handle that. The code is ready for propagating the error upwards. KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 1 PID: 5835 Comm: syz-executor145 Not tainted 5.10.234-syzkaller #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:jffs2_link_node_ref+0xac/0x690 fs/jffs2/nodelist.c:600 Call Trace: jffs2_mark_erased_block fs/jffs2/erase.c:460 [inline] jffs2_erase_pending_blocks+0x688/0x1860 fs/jffs2/erase.c:118 jffs2_garbage_collect_pass+0x638/0x1a00 fs/jffs2/gc.c:253 jffs2_reserve_space+0x3f4/0xad0 fs/jffs2/nodemgmt.c:167 jffs2_write_inode_range+0x246/0xb50 fs/jffs2/write.c:362 jffs2_write_end+0x712/0x1110 fs/jffs2/file.c:302 generic_perform_write+0x2c2/0x500 mm/filemap.c:3347 __generic_file_write_iter+0x252/0x610 mm/filemap.c:3465 generic_file_write_iter+0xdb/0x230 mm/filemap.c:3497 call_write_iter include/linux/fs.h:2039 [inline] do_iter_readv_writev+0x46d/0x750 fs/read_write.c:740 do_iter_write+0x18c/0x710 fs/read_write.c:866 vfs_writev+0x1db/0x6a0 fs/read_write.c:939 do_pwritev fs/read_write.c:1036 [inline] __do_sys_pwritev fs/read_write.c:1083 [inline] __se_sys_pwritev fs/read_write.c:1078 [inline] __x64_sys_pwritev+0x235/0x310 fs/read_write.c:1078 do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x67/0xd1 Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: 2f785402f39b ("[JFFS2] Reduce visibility of raw_node_ref to upper layers of JFFS2 code.") Fixes: f560928baa60 ("[JFFS2] Allocate node_ref for wasted space when skipping to page boundary") Cc: stable(a)vger.kernel.org Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- Similar to https://lore.kernel.org/linux-mtd/20250307163409.13491-2-a.sadovnikov@ispra… but touches two remaining places. fs/jffs2/erase.c | 4 +++- fs/jffs2/scan.c | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/fs/jffs2/erase.c b/fs/jffs2/erase.c index ef3a1e1b6cb0..fda9f4d6093f 100644 --- a/fs/jffs2/erase.c +++ b/fs/jffs2/erase.c @@ -425,7 +425,9 @@ static void jffs2_mark_erased_block(struct jffs2_sb_info *c, struct jffs2_eraseb .totlen = cpu_to_je32(c->cleanmarker_size) }; - jffs2_prealloc_raw_node_refs(c, jeb, 1); + ret = jffs2_prealloc_raw_node_refs(c, jeb, 1); + if (ret) + goto filebad; marker.hdr_crc = cpu_to_je32(crc32(0, &marker, sizeof(struct jffs2_unknown_node)-4)); diff --git a/fs/jffs2/scan.c b/fs/jffs2/scan.c index 29671e33a171..62879c218d4b 100644 --- a/fs/jffs2/scan.c +++ b/fs/jffs2/scan.c @@ -256,7 +256,9 @@ int jffs2_scan_medium(struct jffs2_sb_info *c) jffs2_dbg(1, "%s(): Skipping %d bytes in nextblock to ensure page alignment\n", __func__, skip); - jffs2_prealloc_raw_node_refs(c, c->nextblock, 1); + ret = jffs2_prealloc_raw_node_refs(c, c->nextblock, 1); + if (ret) + goto out; jffs2_scan_dirty_space(c, c->nextblock, skip); } #endif -- 2.49.0

2 months, 3 weeks

2
1
0 0

[PATCH stable 5.4 v2 0/2] openvswitch port output fixes

by Florian Fainelli

This patch series contains some missing openvswitch port output fixes for the stable 5.4 kernel. Changes in v2: - use BUILD_BUG_ON_INVALID rather than DEBUG_NET_WARN_ON_ONCE which does not exist in Linux 5.4 Felix Huettner (1): net: openvswitch: fix race on port output Ilya Maximets (1): openvswitch: fix lockup on tx to unregistering netdev with carrier net/core/dev.c | 1 + net/openvswitch/actions.c | 4 +++- 2 files changed, 4 insertions(+), 1 deletion(-) -- 2.34.1

2 months, 3 weeks

2
4
0 0

[PATCH stable 5.10 v2 0/2] openvswitch port output fixes

by Florian Fainelli

This patch series contains some missing openvswitch port output fixes for the stable 5.10 kernel. Changes in v2: - use BUILD_BUG_ON_INVALID rather than DEBUG_NET_WARN_ON_ONCE which does not exist in Linux 5.10 Felix Huettner (1): net: openvswitch: fix race on port output Ilya Maximets (1): openvswitch: fix lockup on tx to unregistering netdev with carrier net/core/dev.c | 1 + net/openvswitch/actions.c | 4 +++- 2 files changed, 4 insertions(+), 1 deletion(-) -- 2.34.1

2 months, 3 weeks

2
4
0 0

[PATCH 5.4.y] virtio-net: Add validation for used length

by Larry Bassel

From: Xie Yongji <xieyongji(a)bytedance.com> commit ad993a95c508 ("virtio-net: Add validation for used length") This adds validation for used length (might come from an untrusted device) to avoid data corruption or loss. Signed-off-by: Xie Yongji <xieyongji(a)bytedance.com> Acked-by: Jason Wang <jasowang(a)redhat.com> Link: https://lore.kernel.org/r/20210531135852.113-1-xieyongji@bytedance.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> (cherry picked from commit ad993a95c508417acdeb15244109e009e50d8758) [Larry: backport to 5.4.y. Minor conflict resolved due to missing commit 9ce6146ec7b50 virtio_net: Add XDP frame size in two code paths] Signed-off-by: Larry Bassel <larry.bassel(a)oracle.com> --- drivers/net/virtio_net.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c index 182b67270044..215c546bf50a 100644 --- a/drivers/net/virtio_net.c +++ b/drivers/net/virtio_net.c @@ -717,6 +717,12 @@ static struct sk_buff *receive_small(struct net_device *dev, len -= vi->hdr_len; stats->bytes += len; + if (unlikely(len > GOOD_PACKET_LEN)) { + pr_debug("%s: rx error: len %u exceeds max size %d\n", + dev->name, len, GOOD_PACKET_LEN); + dev->stats.rx_length_errors++; + goto err_len; + } rcu_read_lock(); xdp_prog = rcu_dereference(rq->xdp_prog); if (xdp_prog) { @@ -819,6 +825,7 @@ static struct sk_buff *receive_small(struct net_device *dev, err_xdp: rcu_read_unlock(); stats->xdp_drops++; +err_len: stats->drops++; put_page(page); xdp_xmit: @@ -871,6 +878,13 @@ static struct sk_buff *receive_mergeable(struct net_device *dev, head_skb = NULL; stats->bytes += len - vi->hdr_len; + truesize = mergeable_ctx_to_truesize(ctx); + if (unlikely(len > truesize)) { + pr_debug("%s: rx error: len %u exceeds truesize %lu\n", + dev->name, len, (unsigned long)ctx); + dev->stats.rx_length_errors++; + goto err_skb; + } rcu_read_lock(); xdp_prog = rcu_dereference(rq->xdp_prog); if (xdp_prog) { @@ -990,14 +1004,6 @@ static struct sk_buff *receive_mergeable(struct net_device *dev, } rcu_read_unlock(); - truesize = mergeable_ctx_to_truesize(ctx); - if (unlikely(len > truesize)) { - pr_debug("%s: rx error: len %u exceeds truesize %lu\n", - dev->name, len, (unsigned long)ctx); - dev->stats.rx_length_errors++; - goto err_skb; - } - head_skb = page_to_skb(vi, rq, page, offset, len, truesize, !xdp_prog, metasize); curr_skb = head_skb; -- 2.46.0

2 months, 3 weeks

4
6
0 0

Exclusive Proposal

by Gen Johan Bruntink

Hello I am keen to exchange thoughts on financial opportunities with you. If it aligns with your preferences, I would appreciate your WhatsApp contact details for a more fluid dialogue. Should that not suit, please let me know a convenient time for us to correspond directly. Thank you for your kind consideration. I eagerly anticipate your reply. Warm regards, General Johanne

2 months, 3 weeks

1
0
0 0

[PATCH] binder: fix offset calculation in debug log

by Carlos Llamas

The vma start address should be substracted from the buffer's user data address and not the other way around. Cc: Tiffany Y. Yang <ynaffit(a)google.com> Cc: stable(a)vger.kernel.org Fixes: 162c79731448 ("binder: avoid user addresses in debug logs") Signed-off-by: Carlos Llamas <cmllamas(a)google.com> --- drivers/android/binder.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 76052006bd87..5fc2c8ee61b1 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -6373,7 +6373,7 @@ static void print_binder_transaction_ilocked(struct seq_file *m, seq_printf(m, " node %d", buffer->target_node->debug_id); seq_printf(m, " size %zd:%zd offset %lx\n", buffer->data_size, buffer->offsets_size, - proc->alloc.vm_start - buffer->user_data); + buffer->user_data - proc->alloc.vm_start); } static void print_binder_work_ilocked(struct seq_file *m, -- 2.49.0.395.g12beb8f557-goog

2 months, 3 weeks

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror March 2025