- Linux-stable-mirror - lists.linaro.org

[PATCH AUTOSEL 6.1 01/24] media: mdp3: Fix resource leaks in of_find_device_by_node

by Sasha Levin

From: Lu Hongfei <luhongfei(a)vivo.com> [ Upstream commit 35ca8ce495366909b4c2e701d1356570dd40c4e2 ] Use put_device to release the object get through of_find_device_by_node, avoiding resource leaks. Signed-off-by: Lu Hongfei <luhongfei(a)vivo.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/media/platform/mediatek/mdp3/mtk-mdp3-comp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/media/platform/mediatek/mdp3/mtk-mdp3-comp.c b/drivers/media/platform/mediatek/mdp3/mtk-mdp3-comp.c index 7bc05f42a23c1..9a3f46c1f6ba3 100644 --- a/drivers/media/platform/mediatek/mdp3/mtk-mdp3-comp.c +++ b/drivers/media/platform/mediatek/mdp3/mtk-mdp3-comp.c @@ -775,11 +775,13 @@ static int mdp_get_subsys_id(struct device *dev, struct device_node *node, ret = cmdq_dev_get_client_reg(&comp_pdev->dev, &cmdq_reg, index); if (ret != 0) { dev_err(&comp_pdev->dev, "cmdq_dev_get_subsys fail!\n"); + put_device(&comp_pdev->dev); return -EINVAL; } comp->subsys_id = cmdq_reg.subsys; dev_dbg(&comp_pdev->dev, "subsys id=%d\n", cmdq_reg.subsys); + put_device(&comp_pdev->dev); return 0; } -- 2.40.1

2 years, 1 month

1
23
0 0

[PATCH AUTOSEL 6.5 01/28] media: mdp3: Fix resource leaks in of_find_device_by_node

by Sasha Levin

From: Lu Hongfei <luhongfei(a)vivo.com> [ Upstream commit 35ca8ce495366909b4c2e701d1356570dd40c4e2 ] Use put_device to release the object get through of_find_device_by_node, avoiding resource leaks. Signed-off-by: Lu Hongfei <luhongfei(a)vivo.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/media/platform/mediatek/mdp3/mtk-mdp3-comp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/media/platform/mediatek/mdp3/mtk-mdp3-comp.c b/drivers/media/platform/mediatek/mdp3/mtk-mdp3-comp.c index a605e80c7dc36..b0ca2b3a8a739 100644 --- a/drivers/media/platform/mediatek/mdp3/mtk-mdp3-comp.c +++ b/drivers/media/platform/mediatek/mdp3/mtk-mdp3-comp.c @@ -892,11 +892,13 @@ static int mdp_get_subsys_id(struct mdp_dev *mdp, struct device *dev, ret = cmdq_dev_get_client_reg(&comp_pdev->dev, &cmdq_reg, index); if (ret != 0) { dev_err(&comp_pdev->dev, "cmdq_dev_get_subsys fail!\n"); + put_device(&comp_pdev->dev); return -EINVAL; } comp->subsys_id = cmdq_reg.subsys; dev_dbg(&comp_pdev->dev, "subsys id=%d\n", cmdq_reg.subsys); + put_device(&comp_pdev->dev); return 0; } -- 2.40.1

2 years, 1 month

1
27
0 0

[PATCH AUTOSEL 5.4 1/6] fs/jfs: prevent double-free in dbUnmount() after failed jfs_remount()

by Sasha Levin

From: Andrew Kanner <andrew.kanner(a)gmail.com> [ Upstream commit cade5397e5461295f3cb87880534b6a07cafa427 ] Syzkaller reported the following issue: ================================================================== BUG: KASAN: double-free in slab_free mm/slub.c:3787 [inline] BUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3800 Free of addr ffff888086408000 by task syz-executor.4/12750 [...] Call Trace: <TASK> [...] kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:482 ____kasan_slab_free+0xfb/0x120 kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1781 [inline] slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807 slab_free mm/slub.c:3787 [inline] __kmem_cache_free+0x71/0x110 mm/slub.c:3800 dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264 jfs_umount+0x248/0x3b0 fs/jfs/jfs_umount.c:87 jfs_put_super+0x86/0x190 fs/jfs/super.c:194 generic_shutdown_super+0x130/0x310 fs/super.c:492 kill_block_super+0x79/0xd0 fs/super.c:1386 deactivate_locked_super+0xa7/0xf0 fs/super.c:332 cleanup_mnt+0x494/0x520 fs/namespace.c:1291 task_work_run+0x243/0x300 kernel/task_work.c:179 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171 exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296 do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd [...] </TASK> Allocated by task 13352: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x3d/0x60 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:371 [inline] __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380 kmalloc include/linux/slab.h:580 [inline] dbMount+0x54/0x980 fs/jfs/jfs_dmap.c:164 jfs_mount+0x1dd/0x830 fs/jfs/jfs_mount.c:121 jfs_fill_super+0x590/0xc50 fs/jfs/super.c:556 mount_bdev+0x26c/0x3a0 fs/super.c:1359 legacy_get_tree+0xea/0x180 fs/fs_context.c:610 vfs_get_tree+0x88/0x270 fs/super.c:1489 do_new_mount+0x289/0xad0 fs/namespace.c:3145 do_mount fs/namespace.c:3488 [inline] __do_sys_mount fs/namespace.c:3697 [inline] __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 13352: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x3d/0x60 mm/kasan/common.c:52 kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518 ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236 kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1781 [inline] slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807 slab_free mm/slub.c:3787 [inline] __kmem_cache_free+0x71/0x110 mm/slub.c:3800 dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264 jfs_mount_rw+0x545/0x740 fs/jfs/jfs_mount.c:247 jfs_remount+0x3db/0x710 fs/jfs/super.c:454 reconfigure_super+0x3bc/0x7b0 fs/super.c:935 vfs_fsconfig_locked fs/fsopen.c:254 [inline] __do_sys_fsconfig fs/fsopen.c:439 [inline] __se_sys_fsconfig+0xad5/0x1060 fs/fsopen.c:314 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd [...] JFS_SBI(ipbmap->i_sb)->bmap wasn't set to NULL after kfree() in dbUnmount(). Syzkaller uses faultinject to reproduce this KASAN double-free warning. The issue is triggered if either diMount() or dbMount() fail in jfs_remount(), since diUnmount() or dbUnmount() already happened in such a case - they will do double-free on next execution: jfs_umount or jfs_remount. Tested on both upstream and jfs-next by syzkaller. Reported-and-tested-by: syzbot+6a93efb725385bc4b2e9(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/000000000000471f2d05f1ce8bad@google.com/T/ Link: https://syzkaller.appspot.com/bug?extid=6a93efb725385bc4b2e9 Signed-off-by: Andrew Kanner <andrew.kanner(a)gmail.com> Signed-off-by: Dave Kleikamp <dave.kleikamp(a)oracle.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/jfs/jfs_dmap.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c index 8e8d53241386f..a785c747a8cbb 100644 --- a/fs/jfs/jfs_dmap.c +++ b/fs/jfs/jfs_dmap.c @@ -269,6 +269,7 @@ int dbUnmount(struct inode *ipbmap, int mounterror) /* free the memory for the in-memory bmap. */ kfree(bmp); + JFS_SBI(ipbmap->i_sb)->bmap = NULL; return (0); } -- 2.40.1

2 years, 1 month

1
5
0 0

[PATCH AUTOSEL 5.10 1/5] fs/jfs: prevent double-free in dbUnmount() after failed jfs_remount()

by Sasha Levin

From: Andrew Kanner <andrew.kanner(a)gmail.com> [ Upstream commit cade5397e5461295f3cb87880534b6a07cafa427 ] Syzkaller reported the following issue: ================================================================== BUG: KASAN: double-free in slab_free mm/slub.c:3787 [inline] BUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3800 Free of addr ffff888086408000 by task syz-executor.4/12750 [...] Call Trace: <TASK> [...] kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:482 ____kasan_slab_free+0xfb/0x120 kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1781 [inline] slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807 slab_free mm/slub.c:3787 [inline] __kmem_cache_free+0x71/0x110 mm/slub.c:3800 dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264 jfs_umount+0x248/0x3b0 fs/jfs/jfs_umount.c:87 jfs_put_super+0x86/0x190 fs/jfs/super.c:194 generic_shutdown_super+0x130/0x310 fs/super.c:492 kill_block_super+0x79/0xd0 fs/super.c:1386 deactivate_locked_super+0xa7/0xf0 fs/super.c:332 cleanup_mnt+0x494/0x520 fs/namespace.c:1291 task_work_run+0x243/0x300 kernel/task_work.c:179 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171 exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296 do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd [...] </TASK> Allocated by task 13352: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x3d/0x60 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:371 [inline] __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380 kmalloc include/linux/slab.h:580 [inline] dbMount+0x54/0x980 fs/jfs/jfs_dmap.c:164 jfs_mount+0x1dd/0x830 fs/jfs/jfs_mount.c:121 jfs_fill_super+0x590/0xc50 fs/jfs/super.c:556 mount_bdev+0x26c/0x3a0 fs/super.c:1359 legacy_get_tree+0xea/0x180 fs/fs_context.c:610 vfs_get_tree+0x88/0x270 fs/super.c:1489 do_new_mount+0x289/0xad0 fs/namespace.c:3145 do_mount fs/namespace.c:3488 [inline] __do_sys_mount fs/namespace.c:3697 [inline] __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 13352: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x3d/0x60 mm/kasan/common.c:52 kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518 ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236 kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1781 [inline] slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807 slab_free mm/slub.c:3787 [inline] __kmem_cache_free+0x71/0x110 mm/slub.c:3800 dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264 jfs_mount_rw+0x545/0x740 fs/jfs/jfs_mount.c:247 jfs_remount+0x3db/0x710 fs/jfs/super.c:454 reconfigure_super+0x3bc/0x7b0 fs/super.c:935 vfs_fsconfig_locked fs/fsopen.c:254 [inline] __do_sys_fsconfig fs/fsopen.c:439 [inline] __se_sys_fsconfig+0xad5/0x1060 fs/fsopen.c:314 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd [...] JFS_SBI(ipbmap->i_sb)->bmap wasn't set to NULL after kfree() in dbUnmount(). Syzkaller uses faultinject to reproduce this KASAN double-free warning. The issue is triggered if either diMount() or dbMount() fail in jfs_remount(), since diUnmount() or dbUnmount() already happened in such a case - they will do double-free on next execution: jfs_umount or jfs_remount. Tested on both upstream and jfs-next by syzkaller. Reported-and-tested-by: syzbot+6a93efb725385bc4b2e9(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/000000000000471f2d05f1ce8bad@google.com/T/ Link: https://syzkaller.appspot.com/bug?extid=6a93efb725385bc4b2e9 Signed-off-by: Andrew Kanner <andrew.kanner(a)gmail.com> Signed-off-by: Dave Kleikamp <dave.kleikamp(a)oracle.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/jfs/jfs_dmap.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c index cef3303d94995..a9c078fc2302a 100644 --- a/fs/jfs/jfs_dmap.c +++ b/fs/jfs/jfs_dmap.c @@ -269,6 +269,7 @@ int dbUnmount(struct inode *ipbmap, int mounterror) /* free the memory for the in-memory bmap. */ kfree(bmp); + JFS_SBI(ipbmap->i_sb)->bmap = NULL; return (0); } -- 2.40.1

2 years, 1 month

1
4
0 0

[PATCH AUTOSEL 5.15 1/7] fs/jfs: prevent double-free in dbUnmount() after failed jfs_remount()

by Sasha Levin

From: Andrew Kanner <andrew.kanner(a)gmail.com> [ Upstream commit cade5397e5461295f3cb87880534b6a07cafa427 ] Syzkaller reported the following issue: ================================================================== BUG: KASAN: double-free in slab_free mm/slub.c:3787 [inline] BUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3800 Free of addr ffff888086408000 by task syz-executor.4/12750 [...] Call Trace: <TASK> [...] kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:482 ____kasan_slab_free+0xfb/0x120 kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1781 [inline] slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807 slab_free mm/slub.c:3787 [inline] __kmem_cache_free+0x71/0x110 mm/slub.c:3800 dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264 jfs_umount+0x248/0x3b0 fs/jfs/jfs_umount.c:87 jfs_put_super+0x86/0x190 fs/jfs/super.c:194 generic_shutdown_super+0x130/0x310 fs/super.c:492 kill_block_super+0x79/0xd0 fs/super.c:1386 deactivate_locked_super+0xa7/0xf0 fs/super.c:332 cleanup_mnt+0x494/0x520 fs/namespace.c:1291 task_work_run+0x243/0x300 kernel/task_work.c:179 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171 exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296 do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd [...] </TASK> Allocated by task 13352: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x3d/0x60 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:371 [inline] __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380 kmalloc include/linux/slab.h:580 [inline] dbMount+0x54/0x980 fs/jfs/jfs_dmap.c:164 jfs_mount+0x1dd/0x830 fs/jfs/jfs_mount.c:121 jfs_fill_super+0x590/0xc50 fs/jfs/super.c:556 mount_bdev+0x26c/0x3a0 fs/super.c:1359 legacy_get_tree+0xea/0x180 fs/fs_context.c:610 vfs_get_tree+0x88/0x270 fs/super.c:1489 do_new_mount+0x289/0xad0 fs/namespace.c:3145 do_mount fs/namespace.c:3488 [inline] __do_sys_mount fs/namespace.c:3697 [inline] __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 13352: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x3d/0x60 mm/kasan/common.c:52 kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518 ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236 kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1781 [inline] slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807 slab_free mm/slub.c:3787 [inline] __kmem_cache_free+0x71/0x110 mm/slub.c:3800 dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264 jfs_mount_rw+0x545/0x740 fs/jfs/jfs_mount.c:247 jfs_remount+0x3db/0x710 fs/jfs/super.c:454 reconfigure_super+0x3bc/0x7b0 fs/super.c:935 vfs_fsconfig_locked fs/fsopen.c:254 [inline] __do_sys_fsconfig fs/fsopen.c:439 [inline] __se_sys_fsconfig+0xad5/0x1060 fs/fsopen.c:314 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd [...] JFS_SBI(ipbmap->i_sb)->bmap wasn't set to NULL after kfree() in dbUnmount(). Syzkaller uses faultinject to reproduce this KASAN double-free warning. The issue is triggered if either diMount() or dbMount() fail in jfs_remount(), since diUnmount() or dbUnmount() already happened in such a case - they will do double-free on next execution: jfs_umount or jfs_remount. Tested on both upstream and jfs-next by syzkaller. Reported-and-tested-by: syzbot+6a93efb725385bc4b2e9(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/000000000000471f2d05f1ce8bad@google.com/T/ Link: https://syzkaller.appspot.com/bug?extid=6a93efb725385bc4b2e9 Signed-off-by: Andrew Kanner <andrew.kanner(a)gmail.com> Signed-off-by: Dave Kleikamp <dave.kleikamp(a)oracle.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/jfs/jfs_dmap.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c index f235a3d270a01..da4f9c3b714fe 100644 --- a/fs/jfs/jfs_dmap.c +++ b/fs/jfs/jfs_dmap.c @@ -269,6 +269,7 @@ int dbUnmount(struct inode *ipbmap, int mounterror) /* free the memory for the in-memory bmap. */ kfree(bmp); + JFS_SBI(ipbmap->i_sb)->bmap = NULL; return (0); } -- 2.40.1

2 years, 1 month

1
6
0 0

[PATCH AUTOSEL 6.1 1/9] fs/jfs: prevent double-free in dbUnmount() after failed jfs_remount()

by Sasha Levin

From: Andrew Kanner <andrew.kanner(a)gmail.com> [ Upstream commit cade5397e5461295f3cb87880534b6a07cafa427 ] Syzkaller reported the following issue: ================================================================== BUG: KASAN: double-free in slab_free mm/slub.c:3787 [inline] BUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3800 Free of addr ffff888086408000 by task syz-executor.4/12750 [...] Call Trace: <TASK> [...] kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:482 ____kasan_slab_free+0xfb/0x120 kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1781 [inline] slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807 slab_free mm/slub.c:3787 [inline] __kmem_cache_free+0x71/0x110 mm/slub.c:3800 dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264 jfs_umount+0x248/0x3b0 fs/jfs/jfs_umount.c:87 jfs_put_super+0x86/0x190 fs/jfs/super.c:194 generic_shutdown_super+0x130/0x310 fs/super.c:492 kill_block_super+0x79/0xd0 fs/super.c:1386 deactivate_locked_super+0xa7/0xf0 fs/super.c:332 cleanup_mnt+0x494/0x520 fs/namespace.c:1291 task_work_run+0x243/0x300 kernel/task_work.c:179 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171 exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296 do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd [...] </TASK> Allocated by task 13352: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x3d/0x60 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:371 [inline] __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380 kmalloc include/linux/slab.h:580 [inline] dbMount+0x54/0x980 fs/jfs/jfs_dmap.c:164 jfs_mount+0x1dd/0x830 fs/jfs/jfs_mount.c:121 jfs_fill_super+0x590/0xc50 fs/jfs/super.c:556 mount_bdev+0x26c/0x3a0 fs/super.c:1359 legacy_get_tree+0xea/0x180 fs/fs_context.c:610 vfs_get_tree+0x88/0x270 fs/super.c:1489 do_new_mount+0x289/0xad0 fs/namespace.c:3145 do_mount fs/namespace.c:3488 [inline] __do_sys_mount fs/namespace.c:3697 [inline] __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 13352: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x3d/0x60 mm/kasan/common.c:52 kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518 ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236 kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1781 [inline] slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807 slab_free mm/slub.c:3787 [inline] __kmem_cache_free+0x71/0x110 mm/slub.c:3800 dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264 jfs_mount_rw+0x545/0x740 fs/jfs/jfs_mount.c:247 jfs_remount+0x3db/0x710 fs/jfs/super.c:454 reconfigure_super+0x3bc/0x7b0 fs/super.c:935 vfs_fsconfig_locked fs/fsopen.c:254 [inline] __do_sys_fsconfig fs/fsopen.c:439 [inline] __se_sys_fsconfig+0xad5/0x1060 fs/fsopen.c:314 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd [...] JFS_SBI(ipbmap->i_sb)->bmap wasn't set to NULL after kfree() in dbUnmount(). Syzkaller uses faultinject to reproduce this KASAN double-free warning. The issue is triggered if either diMount() or dbMount() fail in jfs_remount(), since diUnmount() or dbUnmount() already happened in such a case - they will do double-free on next execution: jfs_umount or jfs_remount. Tested on both upstream and jfs-next by syzkaller. Reported-and-tested-by: syzbot+6a93efb725385bc4b2e9(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/000000000000471f2d05f1ce8bad@google.com/T/ Link: https://syzkaller.appspot.com/bug?extid=6a93efb725385bc4b2e9 Signed-off-by: Andrew Kanner <andrew.kanner(a)gmail.com> Signed-off-by: Dave Kleikamp <dave.kleikamp(a)oracle.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/jfs/jfs_dmap.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c index bd4ef43b02033..e9d075cbd71ad 100644 --- a/fs/jfs/jfs_dmap.c +++ b/fs/jfs/jfs_dmap.c @@ -269,6 +269,7 @@ int dbUnmount(struct inode *ipbmap, int mounterror) /* free the memory for the in-memory bmap. */ kfree(bmp); + JFS_SBI(ipbmap->i_sb)->bmap = NULL; return (0); } -- 2.40.1

2 years, 1 month

1
8
0 0

[PATCH AUTOSEL 6.4 01/11] fs/jfs: prevent double-free in dbUnmount() after failed jfs_remount()

by Sasha Levin

From: Andrew Kanner <andrew.kanner(a)gmail.com> [ Upstream commit cade5397e5461295f3cb87880534b6a07cafa427 ] Syzkaller reported the following issue: ================================================================== BUG: KASAN: double-free in slab_free mm/slub.c:3787 [inline] BUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3800 Free of addr ffff888086408000 by task syz-executor.4/12750 [...] Call Trace: <TASK> [...] kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:482 ____kasan_slab_free+0xfb/0x120 kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1781 [inline] slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807 slab_free mm/slub.c:3787 [inline] __kmem_cache_free+0x71/0x110 mm/slub.c:3800 dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264 jfs_umount+0x248/0x3b0 fs/jfs/jfs_umount.c:87 jfs_put_super+0x86/0x190 fs/jfs/super.c:194 generic_shutdown_super+0x130/0x310 fs/super.c:492 kill_block_super+0x79/0xd0 fs/super.c:1386 deactivate_locked_super+0xa7/0xf0 fs/super.c:332 cleanup_mnt+0x494/0x520 fs/namespace.c:1291 task_work_run+0x243/0x300 kernel/task_work.c:179 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171 exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296 do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd [...] </TASK> Allocated by task 13352: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x3d/0x60 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:371 [inline] __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380 kmalloc include/linux/slab.h:580 [inline] dbMount+0x54/0x980 fs/jfs/jfs_dmap.c:164 jfs_mount+0x1dd/0x830 fs/jfs/jfs_mount.c:121 jfs_fill_super+0x590/0xc50 fs/jfs/super.c:556 mount_bdev+0x26c/0x3a0 fs/super.c:1359 legacy_get_tree+0xea/0x180 fs/fs_context.c:610 vfs_get_tree+0x88/0x270 fs/super.c:1489 do_new_mount+0x289/0xad0 fs/namespace.c:3145 do_mount fs/namespace.c:3488 [inline] __do_sys_mount fs/namespace.c:3697 [inline] __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 13352: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x3d/0x60 mm/kasan/common.c:52 kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518 ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236 kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1781 [inline] slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807 slab_free mm/slub.c:3787 [inline] __kmem_cache_free+0x71/0x110 mm/slub.c:3800 dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264 jfs_mount_rw+0x545/0x740 fs/jfs/jfs_mount.c:247 jfs_remount+0x3db/0x710 fs/jfs/super.c:454 reconfigure_super+0x3bc/0x7b0 fs/super.c:935 vfs_fsconfig_locked fs/fsopen.c:254 [inline] __do_sys_fsconfig fs/fsopen.c:439 [inline] __se_sys_fsconfig+0xad5/0x1060 fs/fsopen.c:314 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd [...] JFS_SBI(ipbmap->i_sb)->bmap wasn't set to NULL after kfree() in dbUnmount(). Syzkaller uses faultinject to reproduce this KASAN double-free warning. The issue is triggered if either diMount() or dbMount() fail in jfs_remount(), since diUnmount() or dbUnmount() already happened in such a case - they will do double-free on next execution: jfs_umount or jfs_remount. Tested on both upstream and jfs-next by syzkaller. Reported-and-tested-by: syzbot+6a93efb725385bc4b2e9(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/000000000000471f2d05f1ce8bad@google.com/T/ Link: https://syzkaller.appspot.com/bug?extid=6a93efb725385bc4b2e9 Signed-off-by: Andrew Kanner <andrew.kanner(a)gmail.com> Signed-off-by: Dave Kleikamp <dave.kleikamp(a)oracle.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/jfs/jfs_dmap.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c index bd4ef43b02033..e9d075cbd71ad 100644 --- a/fs/jfs/jfs_dmap.c +++ b/fs/jfs/jfs_dmap.c @@ -269,6 +269,7 @@ int dbUnmount(struct inode *ipbmap, int mounterror) /* free the memory for the in-memory bmap. */ kfree(bmp); + JFS_SBI(ipbmap->i_sb)->bmap = NULL; return (0); } -- 2.40.1

2 years, 1 month

1
10
0 0

[PATCH AUTOSEL 6.5 01/11] fs/jfs: prevent double-free in dbUnmount() after failed jfs_remount()

by Sasha Levin

From: Andrew Kanner <andrew.kanner(a)gmail.com> [ Upstream commit cade5397e5461295f3cb87880534b6a07cafa427 ] Syzkaller reported the following issue: ================================================================== BUG: KASAN: double-free in slab_free mm/slub.c:3787 [inline] BUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3800 Free of addr ffff888086408000 by task syz-executor.4/12750 [...] Call Trace: <TASK> [...] kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:482 ____kasan_slab_free+0xfb/0x120 kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1781 [inline] slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807 slab_free mm/slub.c:3787 [inline] __kmem_cache_free+0x71/0x110 mm/slub.c:3800 dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264 jfs_umount+0x248/0x3b0 fs/jfs/jfs_umount.c:87 jfs_put_super+0x86/0x190 fs/jfs/super.c:194 generic_shutdown_super+0x130/0x310 fs/super.c:492 kill_block_super+0x79/0xd0 fs/super.c:1386 deactivate_locked_super+0xa7/0xf0 fs/super.c:332 cleanup_mnt+0x494/0x520 fs/namespace.c:1291 task_work_run+0x243/0x300 kernel/task_work.c:179 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171 exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296 do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd [...] </TASK> Allocated by task 13352: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x3d/0x60 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:371 [inline] __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380 kmalloc include/linux/slab.h:580 [inline] dbMount+0x54/0x980 fs/jfs/jfs_dmap.c:164 jfs_mount+0x1dd/0x830 fs/jfs/jfs_mount.c:121 jfs_fill_super+0x590/0xc50 fs/jfs/super.c:556 mount_bdev+0x26c/0x3a0 fs/super.c:1359 legacy_get_tree+0xea/0x180 fs/fs_context.c:610 vfs_get_tree+0x88/0x270 fs/super.c:1489 do_new_mount+0x289/0xad0 fs/namespace.c:3145 do_mount fs/namespace.c:3488 [inline] __do_sys_mount fs/namespace.c:3697 [inline] __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 13352: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x3d/0x60 mm/kasan/common.c:52 kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518 ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236 kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1781 [inline] slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807 slab_free mm/slub.c:3787 [inline] __kmem_cache_free+0x71/0x110 mm/slub.c:3800 dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264 jfs_mount_rw+0x545/0x740 fs/jfs/jfs_mount.c:247 jfs_remount+0x3db/0x710 fs/jfs/super.c:454 reconfigure_super+0x3bc/0x7b0 fs/super.c:935 vfs_fsconfig_locked fs/fsopen.c:254 [inline] __do_sys_fsconfig fs/fsopen.c:439 [inline] __se_sys_fsconfig+0xad5/0x1060 fs/fsopen.c:314 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd [...] JFS_SBI(ipbmap->i_sb)->bmap wasn't set to NULL after kfree() in dbUnmount(). Syzkaller uses faultinject to reproduce this KASAN double-free warning. The issue is triggered if either diMount() or dbMount() fail in jfs_remount(), since diUnmount() or dbUnmount() already happened in such a case - they will do double-free on next execution: jfs_umount or jfs_remount. Tested on both upstream and jfs-next by syzkaller. Reported-and-tested-by: syzbot+6a93efb725385bc4b2e9(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/000000000000471f2d05f1ce8bad@google.com/T/ Link: https://syzkaller.appspot.com/bug?extid=6a93efb725385bc4b2e9 Signed-off-by: Andrew Kanner <andrew.kanner(a)gmail.com> Signed-off-by: Dave Kleikamp <dave.kleikamp(a)oracle.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/jfs/jfs_dmap.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c index a14a0f18a4c40..88afd108c2dd2 100644 --- a/fs/jfs/jfs_dmap.c +++ b/fs/jfs/jfs_dmap.c @@ -269,6 +269,7 @@ int dbUnmount(struct inode *ipbmap, int mounterror) /* free the memory for the in-memory bmap. */ kfree(bmp); + JFS_SBI(ipbmap->i_sb)->bmap = NULL; return (0); } -- 2.40.1

2 years, 1 month

1
10
0 0

[PATCH v7 0/4] kexec: Fix kexec_file_load for llvm16 with PGO

by Ricardo Ribalda

When upreving llvm I realised that kexec stopped working on my test platform. The reason seems to be that due to PGO there are multiple .text sections on the purgatory, and kexec does not supports that. Signed-off-by: Ricardo Ribalda <ribalda(a)chromium.org> --- Changes in v7: - Fix $SUBJECT of riscv patch - Rename PGO as Profile-guided optimization - Link to v6: https://lore.kernel.org/r/20230321-kexec_clang16-v6-0-a2255e81ab45@chromium… Changes in v6: - Replace linker script with Makefile rule. Thanks Nick - Link to v5: https://lore.kernel.org/r/20230321-kexec_clang16-v5-0-5563bf7c4173@chromium… Changes in v5: - Add warning when multiple text sections are found. Thanks Simon! - Add Fixes tag. - Link to v4: https://lore.kernel.org/r/20230321-kexec_clang16-v4-0-1340518f98e9@chromium… Changes in v4: - Add Cc: stable - Add linker script for x86 - Add a warning when the kernel image has overlapping sections. - Link to v3: https://lore.kernel.org/r/20230321-kexec_clang16-v3-0-5f016c8d0e87@chromium… Changes in v3: - Fix initial value. Thanks Ross! - Link to v2: https://lore.kernel.org/r/20230321-kexec_clang16-v2-0-d10e5d517869@chromium… Changes in v2: - Fix if condition. Thanks Steven!. - Update Philipp email. Thanks Baoquan. - Link to v1: https://lore.kernel.org/r/20230321-kexec_clang16-v1-0-a768fc2c7c4d@chromium… --- Ricardo Ribalda (4): kexec: Support purgatories with .text.hot sections x86/purgatory: Remove PGO flags powerpc/purgatory: Remove PGO flags riscv/purgatory: Remove PGO flags arch/powerpc/purgatory/Makefile | 5 +++++ arch/riscv/purgatory/Makefile | 5 +++++ arch/x86/purgatory/Makefile | 5 +++++ kernel/kexec_file.c | 14 +++++++++++++- 4 files changed, 28 insertions(+), 1 deletion(-) --- base-commit: 58390c8ce1bddb6c623f62e7ed36383e7fa5c02f change-id: 20230321-kexec_clang16-4510c23d129c Best regards, -- Ricardo Ribalda Delgado <ribalda(a)chromium.org>

2 years, 1 month

3
10
0 0

[PATCH 1/1] btrfs: file_remove_privs needs an exclusive lock

by Bernd Schubert

file_remove_privs might call into notify_change(), which requires to hold an exclusive lock. Fixes: e9adabb9712e ("btrfs: use shared lock for direct writes within EOF") Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Goldwyn Rodrigues <rgoldwyn(a)suse.com> Cc: Miklos Szeredi <miklos(a)szeredi.hu> Cc: Dharmendra Singh <dsingh(a)ddn.com> Cc: David Sterba <dsterba(a)suse.com> Cc: linux-btrfs(a)vger.kernel.org Cc: linux-fsdevel(a)vger.kernel.org Cc: stable(a)vger.kernel.org Signed-off-by: Bernd Schubert <bschubert(a)ddn.com> --- fs/btrfs/file.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c index fd03e689a6be..c4b304a2948e 100644 --- a/fs/btrfs/file.c +++ b/fs/btrfs/file.c @@ -1466,8 +1466,12 @@ static ssize_t btrfs_direct_write(struct kiocb *iocb, struct iov_iter *from) if (iocb->ki_flags & IOCB_NOWAIT) ilock_flags |= BTRFS_ILOCK_TRY; - /* If the write DIO is within EOF, use a shared lock */ - if (iocb->ki_pos + iov_iter_count(from) <= i_size_read(inode)) + /* If the write DIO is within EOF, use a shared lock and also only + * if security bits will likely not be dropped. Either will need + * to be rechecked after the lock was acquired. + */ + if (iocb->ki_pos + iov_iter_count(from) <= i_size_read(inode) && + IS_NOSEC(inode)) ilock_flags |= BTRFS_ILOCK_SHARED; relock: @@ -1475,6 +1479,12 @@ static ssize_t btrfs_direct_write(struct kiocb *iocb, struct iov_iter *from) if (err < 0) return err; + if (ilock_flags & BTRFS_ILOCK_SHARED && !IS_NOSEC(inode)) { + btrfs_inode_unlock(BTRFS_I(inode), ilock_flags); + ilock_flags &= ~BTRFS_ILOCK_SHARED; + goto relock; + } + err = generic_write_checks(iocb, from); if (err <= 0) { btrfs_inode_unlock(BTRFS_I(inode), ilock_flags); -- 2.39.2

2 years, 1 month

4
3
0 0

[PATCH AUTOSEL 5.15 01/15] devlink: remove reload failed checks in params get/set callbacks

by Sasha Levin

From: Jiri Pirko <jiri(a)nvidia.com> [ Upstream commit 633d76ad01ad0321a1ace3e5cc4fed06753d7ac4 ] The checks in question were introduced by: commit 6b4db2e528f6 ("devlink: Fix use-after-free after a failed reload"). That fixed an issue of reload with mlxsw driver. Back then, that was a valid fix, because there was a limitation in place that prevented drivers from registering/unregistering params when devlink instance was registered. It was possible to do the fix differently by changing drivers to register/unregister params in appropriate places making sure the ops operate only on memory which is allocated and initialized. But that, as a dependency, would require to remove the limitation mentioned above. Eventually, this limitation was lifted by: commit 1d18bb1a4ddd ("devlink: allow registering parameters after the instance") Also, the alternative fix (which also fixed another issue) was done by: commit 74cbc3c03c82 ("mlxsw: spectrum_acl_tcam: Move devlink param to TCAM code"). Therefore, the checks are no longer relevant. Each driver should make sure to have the params registered only when the memory the ops are working with is allocated and initialized. So remove the checks. Signed-off-by: Jiri Pirko <jiri(a)nvidia.com> Reviewed-by: Ido Schimmel <idosch(a)nvidia.com> Reviewed-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- net/core/devlink.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/core/devlink.c b/net/core/devlink.c index b4d7a7f749c18..db76c55e1a6d7 100644 --- a/net/core/devlink.c +++ b/net/core/devlink.c @@ -4413,7 +4413,7 @@ static int devlink_param_get(struct devlink *devlink, const struct devlink_param *param, struct devlink_param_gset_ctx *ctx) { - if (!param->get || devlink->reload_failed) + if (!param->get) return -EOPNOTSUPP; return param->get(devlink, param->id, ctx); } @@ -4422,7 +4422,7 @@ static int devlink_param_set(struct devlink *devlink, const struct devlink_param *param, struct devlink_param_gset_ctx *ctx) { - if (!param->set || devlink->reload_failed) + if (!param->set) return -EOPNOTSUPP; return param->set(devlink, param->id, ctx); } -- 2.40.1

2 years, 1 month

2
15
0 0

RE: AWS re:Invent Attendees Email list- 2023

by Kimberly Taylor

Hi, Would you be interested in acquiring AWS re:Invent Attendees Data List 2023? List contains: Company Name, Contact Name, First Name, Middle Name, Last Name, Title, Address, Street, City, Zip code, State, Country, Telephone, Email address and more, No of Contacts: - 40,777 Cost: $1,977 Kind Regards, Kimberly Taylor Marketing Coordinator

2 years, 1 month

1
0
0 0

[PATCH AUTOSEL 5.4 01/10] devlink: remove reload failed checks in params get/set callbacks

by Sasha Levin

From: Jiri Pirko <jiri(a)nvidia.com> [ Upstream commit 633d76ad01ad0321a1ace3e5cc4fed06753d7ac4 ] The checks in question were introduced by: commit 6b4db2e528f6 ("devlink: Fix use-after-free after a failed reload"). That fixed an issue of reload with mlxsw driver. Back then, that was a valid fix, because there was a limitation in place that prevented drivers from registering/unregistering params when devlink instance was registered. It was possible to do the fix differently by changing drivers to register/unregister params in appropriate places making sure the ops operate only on memory which is allocated and initialized. But that, as a dependency, would require to remove the limitation mentioned above. Eventually, this limitation was lifted by: commit 1d18bb1a4ddd ("devlink: allow registering parameters after the instance") Also, the alternative fix (which also fixed another issue) was done by: commit 74cbc3c03c82 ("mlxsw: spectrum_acl_tcam: Move devlink param to TCAM code"). Therefore, the checks are no longer relevant. Each driver should make sure to have the params registered only when the memory the ops are working with is allocated and initialized. So remove the checks. Signed-off-by: Jiri Pirko <jiri(a)nvidia.com> Reviewed-by: Ido Schimmel <idosch(a)nvidia.com> Reviewed-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- net/core/devlink.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/core/devlink.c b/net/core/devlink.c index b4dabe5d89f72..5bd6330ab4275 100644 --- a/net/core/devlink.c +++ b/net/core/devlink.c @@ -2953,7 +2953,7 @@ static int devlink_param_get(struct devlink *devlink, const struct devlink_param *param, struct devlink_param_gset_ctx *ctx) { - if (!param->get || devlink->reload_failed) + if (!param->get) return -EOPNOTSUPP; return param->get(devlink, param->id, ctx); } @@ -2962,7 +2962,7 @@ static int devlink_param_set(struct devlink *devlink, const struct devlink_param *param, struct devlink_param_gset_ctx *ctx) { - if (!param->set || devlink->reload_failed) + if (!param->set) return -EOPNOTSUPP; return param->set(devlink, param->id, ctx); } -- 2.40.1

2 years, 1 month

2
10
0 0

[PATCH AUTOSEL 4.19 1/3] drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable()

by Sasha Levin

From: Tuo Li <islituo(a)gmail.com> [ Upstream commit 2e63972a2de14482d0eae1a03a73e379f1c3f44c ] The variable crtc->state->event is often protected by the lock crtc->dev->event_lock when is accessed. However, it is accessed as a condition of an if statement in exynos_drm_crtc_atomic_disable() without holding the lock: if (crtc->state->event && !crtc->state->active) However, if crtc->state->event is changed to NULL by another thread right after the conditions of the if statement is checked to be true, a null-pointer dereference can occur in drm_crtc_send_vblank_event(): e->pipe = pipe; To fix this possible null-pointer dereference caused by data race, the spin lock coverage is extended to protect the if statement as well as the function call to drm_crtc_send_vblank_event(). Reported-by: BassCheck <bass(a)buaa.edu.cn> Link: https://sites.google.com/view/basscheck/home Signed-off-by: Tuo Li <islituo(a)gmail.com> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Added relevant link. Signed-off-by: Inki Dae <inki.dae(a)samsung.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/gpu/drm/exynos/exynos_drm_crtc.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/exynos/exynos_drm_crtc.c b/drivers/gpu/drm/exynos/exynos_drm_crtc.c index 2696289ecc78f..b3e23ace5869c 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_crtc.c +++ b/drivers/gpu/drm/exynos/exynos_drm_crtc.c @@ -43,13 +43,12 @@ static void exynos_drm_crtc_atomic_disable(struct drm_crtc *crtc, if (exynos_crtc->ops->disable) exynos_crtc->ops->disable(exynos_crtc); + spin_lock_irq(&crtc->dev->event_lock); if (crtc->state->event && !crtc->state->active) { - spin_lock_irq(&crtc->dev->event_lock); drm_crtc_send_vblank_event(crtc, crtc->state->event); - spin_unlock_irq(&crtc->dev->event_lock); - crtc->state->event = NULL; } + spin_unlock_irq(&crtc->dev->event_lock); } static int exynos_crtc_atomic_check(struct drm_crtc *crtc, -- 2.40.1

2 years, 1 month

1
2
0 0

[PATCH AUTOSEL 5.4 1/4] drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable()

by Sasha Levin

From: Tuo Li <islituo(a)gmail.com> [ Upstream commit 2e63972a2de14482d0eae1a03a73e379f1c3f44c ] The variable crtc->state->event is often protected by the lock crtc->dev->event_lock when is accessed. However, it is accessed as a condition of an if statement in exynos_drm_crtc_atomic_disable() without holding the lock: if (crtc->state->event && !crtc->state->active) However, if crtc->state->event is changed to NULL by another thread right after the conditions of the if statement is checked to be true, a null-pointer dereference can occur in drm_crtc_send_vblank_event(): e->pipe = pipe; To fix this possible null-pointer dereference caused by data race, the spin lock coverage is extended to protect the if statement as well as the function call to drm_crtc_send_vblank_event(). Reported-by: BassCheck <bass(a)buaa.edu.cn> Link: https://sites.google.com/view/basscheck/home Signed-off-by: Tuo Li <islituo(a)gmail.com> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Added relevant link. Signed-off-by: Inki Dae <inki.dae(a)samsung.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/gpu/drm/exynos/exynos_drm_crtc.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/exynos/exynos_drm_crtc.c b/drivers/gpu/drm/exynos/exynos_drm_crtc.c index 77ce78986408b..c10eea6db9a80 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_crtc.c +++ b/drivers/gpu/drm/exynos/exynos_drm_crtc.c @@ -39,13 +39,12 @@ static void exynos_drm_crtc_atomic_disable(struct drm_crtc *crtc, if (exynos_crtc->ops->disable) exynos_crtc->ops->disable(exynos_crtc); + spin_lock_irq(&crtc->dev->event_lock); if (crtc->state->event && !crtc->state->active) { - spin_lock_irq(&crtc->dev->event_lock); drm_crtc_send_vblank_event(crtc, crtc->state->event); - spin_unlock_irq(&crtc->dev->event_lock); - crtc->state->event = NULL; } + spin_unlock_irq(&crtc->dev->event_lock); } static int exynos_crtc_atomic_check(struct drm_crtc *crtc, -- 2.40.1

2 years, 1 month

1
3
0 0

[PATCH AUTOSEL 5.15 01/13] drm/bridge: tc358762: Instruct DSI host to generate HSE packets

by Sasha Levin

From: Marek Vasut <marex(a)denx.de> [ Upstream commit 362fa8f6e6a05089872809f4465bab9d011d05b3 ] This bridge seems to need the HSE packet, otherwise the image is shifted up and corrupted at the bottom. This makes the bridge work with Samsung DSIM on i.MX8MM and i.MX8MP. Signed-off-by: Marek Vasut <marex(a)denx.de> Reviewed-by: Sam Ravnborg <sam(a)ravnborg.org> Signed-off-by: Robert Foss <rfoss(a)kernel.org> Link: https://patchwork.freedesktop.org/patch/msgid/20230615201902.566182-3-marex… Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/gpu/drm/bridge/tc358762.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/bridge/tc358762.c b/drivers/gpu/drm/bridge/tc358762.c index 1bfdfc6affafe..21c57d3435687 100644 --- a/drivers/gpu/drm/bridge/tc358762.c +++ b/drivers/gpu/drm/bridge/tc358762.c @@ -224,7 +224,7 @@ static int tc358762_probe(struct mipi_dsi_device *dsi) dsi->lanes = 1; dsi->format = MIPI_DSI_FMT_RGB888; dsi->mode_flags = MIPI_DSI_MODE_VIDEO | MIPI_DSI_MODE_VIDEO_SYNC_PULSE | - MIPI_DSI_MODE_LPM; + MIPI_DSI_MODE_LPM | MIPI_DSI_MODE_VIDEO_HSE; ret = tc358762_parse_dt(ctx); if (ret < 0) -- 2.40.1

2 years, 1 month

1
12
0 0

[PATCH AUTOSEL 4.19 1/7] wifi: ath9k: fix printk specifier

by Sasha Levin

From: Dongliang Mu <dzm91(a)hust.edu.cn> [ Upstream commit 061115fbfb2ce5870c9a004d68dc63138c07c782 ] Smatch reports: ath_pci_probe() warn: argument 4 to %lx specifier is cast from pointer ath_ahb_probe() warn: argument 4 to %lx specifier is cast from pointer Fix it by modifying %lx to %p in the printk format string. Note that with this change, the pointer address will be printed as a hashed value by default. This is appropriate because the kernel should not leak kernel pointers to user space in an informational message. If someone wants to see the real address for debugging purposes, this can be achieved with the no_hash_pointers kernel option. Signed-off-by: Dongliang Mu <dzm91(a)hust.edu.cn> Acked-by: Toke Høiland-Jørgensen <toke(a)toke.dk> Signed-off-by: Kalle Valo <quic_kvalo(a)quicinc.com> Link: https://lore.kernel.org/r/20230723040403.296723-1-dzm91@hust.edu.cn Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/net/wireless/ath/ath9k/ahb.c | 4 ++-- drivers/net/wireless/ath/ath9k/pci.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/net/wireless/ath/ath9k/ahb.c b/drivers/net/wireless/ath/ath9k/ahb.c index 63019c3de034d..26023e3b4b9df 100644 --- a/drivers/net/wireless/ath/ath9k/ahb.c +++ b/drivers/net/wireless/ath/ath9k/ahb.c @@ -136,8 +136,8 @@ static int ath_ahb_probe(struct platform_device *pdev) ah = sc->sc_ah; ath9k_hw_name(ah, hw_name, sizeof(hw_name)); - wiphy_info(hw->wiphy, "%s mem=0x%lx, irq=%d\n", - hw_name, (unsigned long)mem, irq); + wiphy_info(hw->wiphy, "%s mem=0x%p, irq=%d\n", + hw_name, mem, irq); return 0; diff --git a/drivers/net/wireless/ath/ath9k/pci.c b/drivers/net/wireless/ath/ath9k/pci.c index 92b2dd396436a..cb3318bd3cad2 100644 --- a/drivers/net/wireless/ath/ath9k/pci.c +++ b/drivers/net/wireless/ath/ath9k/pci.c @@ -993,8 +993,8 @@ static int ath_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) sc->sc_ah->msi_reg = 0; ath9k_hw_name(sc->sc_ah, hw_name, sizeof(hw_name)); - wiphy_info(hw->wiphy, "%s mem=0x%lx, irq=%d\n", - hw_name, (unsigned long)sc->mem, pdev->irq); + wiphy_info(hw->wiphy, "%s mem=0x%p, irq=%d\n", + hw_name, sc->mem, pdev->irq); return 0; -- 2.40.1

2 years, 1 month

1
6
0 0

[PATCH AUTOSEL 6.4 01/41] devlink: remove reload failed checks in params get/set callbacks

by Sasha Levin

From: Jiri Pirko <jiri(a)nvidia.com> [ Upstream commit 633d76ad01ad0321a1ace3e5cc4fed06753d7ac4 ] The checks in question were introduced by: commit 6b4db2e528f6 ("devlink: Fix use-after-free after a failed reload"). That fixed an issue of reload with mlxsw driver. Back then, that was a valid fix, because there was a limitation in place that prevented drivers from registering/unregistering params when devlink instance was registered. It was possible to do the fix differently by changing drivers to register/unregister params in appropriate places making sure the ops operate only on memory which is allocated and initialized. But that, as a dependency, would require to remove the limitation mentioned above. Eventually, this limitation was lifted by: commit 1d18bb1a4ddd ("devlink: allow registering parameters after the instance") Also, the alternative fix (which also fixed another issue) was done by: commit 74cbc3c03c82 ("mlxsw: spectrum_acl_tcam: Move devlink param to TCAM code"). Therefore, the checks are no longer relevant. Each driver should make sure to have the params registered only when the memory the ops are working with is allocated and initialized. So remove the checks. Signed-off-by: Jiri Pirko <jiri(a)nvidia.com> Reviewed-by: Ido Schimmel <idosch(a)nvidia.com> Reviewed-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- net/devlink/leftover.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/devlink/leftover.c b/net/devlink/leftover.c index 790e61b2a9404..fa4705e509e3c 100644 --- a/net/devlink/leftover.c +++ b/net/devlink/leftover.c @@ -3982,7 +3982,7 @@ static int devlink_param_get(struct devlink *devlink, const struct devlink_param *param, struct devlink_param_gset_ctx *ctx) { - if (!param->get || devlink->reload_failed) + if (!param->get) return -EOPNOTSUPP; return param->get(devlink, param->id, ctx); } @@ -3991,7 +3991,7 @@ static int devlink_param_set(struct devlink *devlink, const struct devlink_param *param, struct devlink_param_gset_ctx *ctx) { - if (!param->set || devlink->reload_failed) + if (!param->set) return -EOPNOTSUPP; return param->set(devlink, param->id, ctx); } -- 2.40.1

2 years, 1 month

1
40
0 0

[PATCH AUTOSEL 4.14 1/3] ACPICA: Add AML_NO_OPERAND_RESOLVE flag to Timer

by Sasha Levin

From: Abhishek Mainkar <abmainkar(a)nvidia.com> [ Upstream commit 3a21ffdbc825e0919db9da0e27ee5ff2cc8a863e ] ACPICA commit 90310989a0790032f5a0140741ff09b545af4bc5 According to the ACPI specification 19.6.134, no argument is required to be passed for ASL Timer instruction. For taking care of no argument, AML_NO_OPERAND_RESOLVE flag is added to ASL Timer instruction opcode. When ASL timer instruction interpreted by ACPI interpreter, getting error. After adding AML_NO_OPERAND_RESOLVE flag to ASL Timer instruction opcode, issue is not observed. ============================================================= UBSAN: array-index-out-of-bounds in acpica/dswexec.c:401:12 index -1 is out of range for type 'union acpi_operand_object *[9]' CPU: 37 PID: 1678 Comm: cat Not tainted 6.0.0-dev-th500-6.0.y-1+bcf8c46459e407-generic-64k HW name: NVIDIA BIOS v1.1.1-d7acbfc-dirty 12/19/2022 Call trace: dump_backtrace+0xe0/0x130 show_stack+0x20/0x60 dump_stack_lvl+0x68/0x84 dump_stack+0x18/0x34 ubsan_epilogue+0x10/0x50 __ubsan_handle_out_of_bounds+0x80/0x90 acpi_ds_exec_end_op+0x1bc/0x6d8 acpi_ps_parse_loop+0x57c/0x618 acpi_ps_parse_aml+0x1e0/0x4b4 acpi_ps_execute_method+0x24c/0x2b8 acpi_ns_evaluate+0x3a8/0x4bc acpi_evaluate_object+0x15c/0x37c acpi_evaluate_integer+0x54/0x15c show_power+0x8c/0x12c [acpi_power_meter] Link: https://github.com/acpica/acpica/commit/90310989 Signed-off-by: Abhishek Mainkar <abmainkar(a)nvidia.com> Signed-off-by: Bob Moore <robert.moore(a)intel.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/acpi/acpica/psopcode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/acpi/acpica/psopcode.c b/drivers/acpi/acpica/psopcode.c index a402ad772a1e5..c561d35d441bb 100644 --- a/drivers/acpi/acpica/psopcode.c +++ b/drivers/acpi/acpica/psopcode.c @@ -637,7 +637,7 @@ const struct acpi_opcode_info acpi_gbl_aml_op_info[AML_NUM_OPCODES] = { /* 7E */ ACPI_OP("Timer", ARGP_TIMER_OP, ARGI_TIMER_OP, ACPI_TYPE_ANY, AML_CLASS_EXECUTE, AML_TYPE_EXEC_0A_0T_1R, - AML_FLAGS_EXEC_0A_0T_1R), + AML_FLAGS_EXEC_0A_0T_1R | AML_NO_OPERAND_RESOLVE), /* ACPI 5.0 opcodes */ -- 2.40.1

2 years, 1 month

1
2
0 0

[PATCH AUTOSEL 4.19 1/3] ACPICA: Add AML_NO_OPERAND_RESOLVE flag to Timer

by Sasha Levin

From: Abhishek Mainkar <abmainkar(a)nvidia.com> [ Upstream commit 3a21ffdbc825e0919db9da0e27ee5ff2cc8a863e ] ACPICA commit 90310989a0790032f5a0140741ff09b545af4bc5 According to the ACPI specification 19.6.134, no argument is required to be passed for ASL Timer instruction. For taking care of no argument, AML_NO_OPERAND_RESOLVE flag is added to ASL Timer instruction opcode. When ASL timer instruction interpreted by ACPI interpreter, getting error. After adding AML_NO_OPERAND_RESOLVE flag to ASL Timer instruction opcode, issue is not observed. ============================================================= UBSAN: array-index-out-of-bounds in acpica/dswexec.c:401:12 index -1 is out of range for type 'union acpi_operand_object *[9]' CPU: 37 PID: 1678 Comm: cat Not tainted 6.0.0-dev-th500-6.0.y-1+bcf8c46459e407-generic-64k HW name: NVIDIA BIOS v1.1.1-d7acbfc-dirty 12/19/2022 Call trace: dump_backtrace+0xe0/0x130 show_stack+0x20/0x60 dump_stack_lvl+0x68/0x84 dump_stack+0x18/0x34 ubsan_epilogue+0x10/0x50 __ubsan_handle_out_of_bounds+0x80/0x90 acpi_ds_exec_end_op+0x1bc/0x6d8 acpi_ps_parse_loop+0x57c/0x618 acpi_ps_parse_aml+0x1e0/0x4b4 acpi_ps_execute_method+0x24c/0x2b8 acpi_ns_evaluate+0x3a8/0x4bc acpi_evaluate_object+0x15c/0x37c acpi_evaluate_integer+0x54/0x15c show_power+0x8c/0x12c [acpi_power_meter] Link: https://github.com/acpica/acpica/commit/90310989 Signed-off-by: Abhishek Mainkar <abmainkar(a)nvidia.com> Signed-off-by: Bob Moore <robert.moore(a)intel.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/acpi/acpica/psopcode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/acpi/acpica/psopcode.c b/drivers/acpi/acpica/psopcode.c index 8d7dc98bad17b..ca01e02af9cba 100644 --- a/drivers/acpi/acpica/psopcode.c +++ b/drivers/acpi/acpica/psopcode.c @@ -603,7 +603,7 @@ const struct acpi_opcode_info acpi_gbl_aml_op_info[AML_NUM_OPCODES] = { /* 7E */ ACPI_OP("Timer", ARGP_TIMER_OP, ARGI_TIMER_OP, ACPI_TYPE_ANY, AML_CLASS_EXECUTE, AML_TYPE_EXEC_0A_0T_1R, - AML_FLAGS_EXEC_0A_0T_1R), + AML_FLAGS_EXEC_0A_0T_1R | AML_NO_OPERAND_RESOLVE), /* ACPI 5.0 opcodes */ -- 2.40.1

2 years, 1 month

1
2
0 0

[PATCH AUTOSEL 5.4 1/5] ACPICA: Add AML_NO_OPERAND_RESOLVE flag to Timer

by Sasha Levin

From: Abhishek Mainkar <abmainkar(a)nvidia.com> [ Upstream commit 3a21ffdbc825e0919db9da0e27ee5ff2cc8a863e ] ACPICA commit 90310989a0790032f5a0140741ff09b545af4bc5 According to the ACPI specification 19.6.134, no argument is required to be passed for ASL Timer instruction. For taking care of no argument, AML_NO_OPERAND_RESOLVE flag is added to ASL Timer instruction opcode. When ASL timer instruction interpreted by ACPI interpreter, getting error. After adding AML_NO_OPERAND_RESOLVE flag to ASL Timer instruction opcode, issue is not observed. ============================================================= UBSAN: array-index-out-of-bounds in acpica/dswexec.c:401:12 index -1 is out of range for type 'union acpi_operand_object *[9]' CPU: 37 PID: 1678 Comm: cat Not tainted 6.0.0-dev-th500-6.0.y-1+bcf8c46459e407-generic-64k HW name: NVIDIA BIOS v1.1.1-d7acbfc-dirty 12/19/2022 Call trace: dump_backtrace+0xe0/0x130 show_stack+0x20/0x60 dump_stack_lvl+0x68/0x84 dump_stack+0x18/0x34 ubsan_epilogue+0x10/0x50 __ubsan_handle_out_of_bounds+0x80/0x90 acpi_ds_exec_end_op+0x1bc/0x6d8 acpi_ps_parse_loop+0x57c/0x618 acpi_ps_parse_aml+0x1e0/0x4b4 acpi_ps_execute_method+0x24c/0x2b8 acpi_ns_evaluate+0x3a8/0x4bc acpi_evaluate_object+0x15c/0x37c acpi_evaluate_integer+0x54/0x15c show_power+0x8c/0x12c [acpi_power_meter] Link: https://github.com/acpica/acpica/commit/90310989 Signed-off-by: Abhishek Mainkar <abmainkar(a)nvidia.com> Signed-off-by: Bob Moore <robert.moore(a)intel.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/acpi/acpica/psopcode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/acpi/acpica/psopcode.c b/drivers/acpi/acpica/psopcode.c index 43775c5ce17c5..2f9b226ec4f63 100644 --- a/drivers/acpi/acpica/psopcode.c +++ b/drivers/acpi/acpica/psopcode.c @@ -603,7 +603,7 @@ const struct acpi_opcode_info acpi_gbl_aml_op_info[AML_NUM_OPCODES] = { /* 7E */ ACPI_OP("Timer", ARGP_TIMER_OP, ARGI_TIMER_OP, ACPI_TYPE_ANY, AML_CLASS_EXECUTE, AML_TYPE_EXEC_0A_0T_1R, - AML_FLAGS_EXEC_0A_0T_1R), + AML_FLAGS_EXEC_0A_0T_1R | AML_NO_OPERAND_RESOLVE), /* ACPI 5.0 opcodes */ -- 2.40.1

2 years, 1 month

1
4
0 0

[PATCH AUTOSEL 5.15 1/9] ACPICA: Add AML_NO_OPERAND_RESOLVE flag to Timer

by Sasha Levin

From: Abhishek Mainkar <abmainkar(a)nvidia.com> [ Upstream commit 3a21ffdbc825e0919db9da0e27ee5ff2cc8a863e ] ACPICA commit 90310989a0790032f5a0140741ff09b545af4bc5 According to the ACPI specification 19.6.134, no argument is required to be passed for ASL Timer instruction. For taking care of no argument, AML_NO_OPERAND_RESOLVE flag is added to ASL Timer instruction opcode. When ASL timer instruction interpreted by ACPI interpreter, getting error. After adding AML_NO_OPERAND_RESOLVE flag to ASL Timer instruction opcode, issue is not observed. ============================================================= UBSAN: array-index-out-of-bounds in acpica/dswexec.c:401:12 index -1 is out of range for type 'union acpi_operand_object *[9]' CPU: 37 PID: 1678 Comm: cat Not tainted 6.0.0-dev-th500-6.0.y-1+bcf8c46459e407-generic-64k HW name: NVIDIA BIOS v1.1.1-d7acbfc-dirty 12/19/2022 Call trace: dump_backtrace+0xe0/0x130 show_stack+0x20/0x60 dump_stack_lvl+0x68/0x84 dump_stack+0x18/0x34 ubsan_epilogue+0x10/0x50 __ubsan_handle_out_of_bounds+0x80/0x90 acpi_ds_exec_end_op+0x1bc/0x6d8 acpi_ps_parse_loop+0x57c/0x618 acpi_ps_parse_aml+0x1e0/0x4b4 acpi_ps_execute_method+0x24c/0x2b8 acpi_ns_evaluate+0x3a8/0x4bc acpi_evaluate_object+0x15c/0x37c acpi_evaluate_integer+0x54/0x15c show_power+0x8c/0x12c [acpi_power_meter] Link: https://github.com/acpica/acpica/commit/90310989 Signed-off-by: Abhishek Mainkar <abmainkar(a)nvidia.com> Signed-off-by: Bob Moore <robert.moore(a)intel.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/acpi/acpica/psopcode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/acpi/acpica/psopcode.c b/drivers/acpi/acpica/psopcode.c index 3e80eb1a5f35c..590326c200a28 100644 --- a/drivers/acpi/acpica/psopcode.c +++ b/drivers/acpi/acpica/psopcode.c @@ -603,7 +603,7 @@ const struct acpi_opcode_info acpi_gbl_aml_op_info[AML_NUM_OPCODES] = { /* 7E */ ACPI_OP("Timer", ARGP_TIMER_OP, ARGI_TIMER_OP, ACPI_TYPE_ANY, AML_CLASS_EXECUTE, AML_TYPE_EXEC_0A_0T_1R, - AML_FLAGS_EXEC_0A_0T_1R), + AML_FLAGS_EXEC_0A_0T_1R | AML_NO_OPERAND_RESOLVE), /* ACPI 5.0 opcodes */ -- 2.40.1

2 years, 1 month

1
8
0 0

[PATCH AUTOSEL 6.1 01/10] ACPICA: Add AML_NO_OPERAND_RESOLVE flag to Timer

by Sasha Levin

From: Abhishek Mainkar <abmainkar(a)nvidia.com> [ Upstream commit 3a21ffdbc825e0919db9da0e27ee5ff2cc8a863e ] ACPICA commit 90310989a0790032f5a0140741ff09b545af4bc5 According to the ACPI specification 19.6.134, no argument is required to be passed for ASL Timer instruction. For taking care of no argument, AML_NO_OPERAND_RESOLVE flag is added to ASL Timer instruction opcode. When ASL timer instruction interpreted by ACPI interpreter, getting error. After adding AML_NO_OPERAND_RESOLVE flag to ASL Timer instruction opcode, issue is not observed. ============================================================= UBSAN: array-index-out-of-bounds in acpica/dswexec.c:401:12 index -1 is out of range for type 'union acpi_operand_object *[9]' CPU: 37 PID: 1678 Comm: cat Not tainted 6.0.0-dev-th500-6.0.y-1+bcf8c46459e407-generic-64k HW name: NVIDIA BIOS v1.1.1-d7acbfc-dirty 12/19/2022 Call trace: dump_backtrace+0xe0/0x130 show_stack+0x20/0x60 dump_stack_lvl+0x68/0x84 dump_stack+0x18/0x34 ubsan_epilogue+0x10/0x50 __ubsan_handle_out_of_bounds+0x80/0x90 acpi_ds_exec_end_op+0x1bc/0x6d8 acpi_ps_parse_loop+0x57c/0x618 acpi_ps_parse_aml+0x1e0/0x4b4 acpi_ps_execute_method+0x24c/0x2b8 acpi_ns_evaluate+0x3a8/0x4bc acpi_evaluate_object+0x15c/0x37c acpi_evaluate_integer+0x54/0x15c show_power+0x8c/0x12c [acpi_power_meter] Link: https://github.com/acpica/acpica/commit/90310989 Signed-off-by: Abhishek Mainkar <abmainkar(a)nvidia.com> Signed-off-by: Bob Moore <robert.moore(a)intel.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/acpi/acpica/psopcode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/acpi/acpica/psopcode.c b/drivers/acpi/acpica/psopcode.c index bef69e87a0a29..8c34c0ffb1d93 100644 --- a/drivers/acpi/acpica/psopcode.c +++ b/drivers/acpi/acpica/psopcode.c @@ -603,7 +603,7 @@ const struct acpi_opcode_info acpi_gbl_aml_op_info[AML_NUM_OPCODES] = { /* 7E */ ACPI_OP("Timer", ARGP_TIMER_OP, ARGI_TIMER_OP, ACPI_TYPE_ANY, AML_CLASS_EXECUTE, AML_TYPE_EXEC_0A_0T_1R, - AML_FLAGS_EXEC_0A_0T_1R), + AML_FLAGS_EXEC_0A_0T_1R | AML_NO_OPERAND_RESOLVE), /* ACPI 5.0 opcodes */ -- 2.40.1

2 years, 1 month

1
9
0 0

[PATCH AUTOSEL 6.4 01/13] ACPICA: Add AML_NO_OPERAND_RESOLVE flag to Timer

by Sasha Levin

From: Abhishek Mainkar <abmainkar(a)nvidia.com> [ Upstream commit 3a21ffdbc825e0919db9da0e27ee5ff2cc8a863e ] ACPICA commit 90310989a0790032f5a0140741ff09b545af4bc5 According to the ACPI specification 19.6.134, no argument is required to be passed for ASL Timer instruction. For taking care of no argument, AML_NO_OPERAND_RESOLVE flag is added to ASL Timer instruction opcode. When ASL timer instruction interpreted by ACPI interpreter, getting error. After adding AML_NO_OPERAND_RESOLVE flag to ASL Timer instruction opcode, issue is not observed. ============================================================= UBSAN: array-index-out-of-bounds in acpica/dswexec.c:401:12 index -1 is out of range for type 'union acpi_operand_object *[9]' CPU: 37 PID: 1678 Comm: cat Not tainted 6.0.0-dev-th500-6.0.y-1+bcf8c46459e407-generic-64k HW name: NVIDIA BIOS v1.1.1-d7acbfc-dirty 12/19/2022 Call trace: dump_backtrace+0xe0/0x130 show_stack+0x20/0x60 dump_stack_lvl+0x68/0x84 dump_stack+0x18/0x34 ubsan_epilogue+0x10/0x50 __ubsan_handle_out_of_bounds+0x80/0x90 acpi_ds_exec_end_op+0x1bc/0x6d8 acpi_ps_parse_loop+0x57c/0x618 acpi_ps_parse_aml+0x1e0/0x4b4 acpi_ps_execute_method+0x24c/0x2b8 acpi_ns_evaluate+0x3a8/0x4bc acpi_evaluate_object+0x15c/0x37c acpi_evaluate_integer+0x54/0x15c show_power+0x8c/0x12c [acpi_power_meter] Link: https://github.com/acpica/acpica/commit/90310989 Signed-off-by: Abhishek Mainkar <abmainkar(a)nvidia.com> Signed-off-by: Bob Moore <robert.moore(a)intel.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/acpi/acpica/psopcode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/acpi/acpica/psopcode.c b/drivers/acpi/acpica/psopcode.c index 09029fe545f14..39e31030e5f49 100644 --- a/drivers/acpi/acpica/psopcode.c +++ b/drivers/acpi/acpica/psopcode.c @@ -603,7 +603,7 @@ const struct acpi_opcode_info acpi_gbl_aml_op_info[AML_NUM_OPCODES] = { /* 7E */ ACPI_OP("Timer", ARGP_TIMER_OP, ARGI_TIMER_OP, ACPI_TYPE_ANY, AML_CLASS_EXECUTE, AML_TYPE_EXEC_0A_0T_1R, - AML_FLAGS_EXEC_0A_0T_1R), + AML_FLAGS_EXEC_0A_0T_1R | AML_NO_OPERAND_RESOLVE), /* ACPI 5.0 opcodes */ -- 2.40.1

2 years, 1 month

1
12
0 0

[PATCH AUTOSEL 6.5 01/16] ACPICA: Add AML_NO_OPERAND_RESOLVE flag to Timer

by Sasha Levin

From: Abhishek Mainkar <abmainkar(a)nvidia.com> [ Upstream commit 3a21ffdbc825e0919db9da0e27ee5ff2cc8a863e ] ACPICA commit 90310989a0790032f5a0140741ff09b545af4bc5 According to the ACPI specification 19.6.134, no argument is required to be passed for ASL Timer instruction. For taking care of no argument, AML_NO_OPERAND_RESOLVE flag is added to ASL Timer instruction opcode. When ASL timer instruction interpreted by ACPI interpreter, getting error. After adding AML_NO_OPERAND_RESOLVE flag to ASL Timer instruction opcode, issue is not observed. ============================================================= UBSAN: array-index-out-of-bounds in acpica/dswexec.c:401:12 index -1 is out of range for type 'union acpi_operand_object *[9]' CPU: 37 PID: 1678 Comm: cat Not tainted 6.0.0-dev-th500-6.0.y-1+bcf8c46459e407-generic-64k HW name: NVIDIA BIOS v1.1.1-d7acbfc-dirty 12/19/2022 Call trace: dump_backtrace+0xe0/0x130 show_stack+0x20/0x60 dump_stack_lvl+0x68/0x84 dump_stack+0x18/0x34 ubsan_epilogue+0x10/0x50 __ubsan_handle_out_of_bounds+0x80/0x90 acpi_ds_exec_end_op+0x1bc/0x6d8 acpi_ps_parse_loop+0x57c/0x618 acpi_ps_parse_aml+0x1e0/0x4b4 acpi_ps_execute_method+0x24c/0x2b8 acpi_ns_evaluate+0x3a8/0x4bc acpi_evaluate_object+0x15c/0x37c acpi_evaluate_integer+0x54/0x15c show_power+0x8c/0x12c [acpi_power_meter] Link: https://github.com/acpica/acpica/commit/90310989 Signed-off-by: Abhishek Mainkar <abmainkar(a)nvidia.com> Signed-off-by: Bob Moore <robert.moore(a)intel.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/acpi/acpica/psopcode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/acpi/acpica/psopcode.c b/drivers/acpi/acpica/psopcode.c index 09029fe545f14..39e31030e5f49 100644 --- a/drivers/acpi/acpica/psopcode.c +++ b/drivers/acpi/acpica/psopcode.c @@ -603,7 +603,7 @@ const struct acpi_opcode_info acpi_gbl_aml_op_info[AML_NUM_OPCODES] = { /* 7E */ ACPI_OP("Timer", ARGP_TIMER_OP, ARGI_TIMER_OP, ACPI_TYPE_ANY, AML_CLASS_EXECUTE, AML_TYPE_EXEC_0A_0T_1R, - AML_FLAGS_EXEC_0A_0T_1R), + AML_FLAGS_EXEC_0A_0T_1R | AML_NO_OPERAND_RESOLVE), /* ACPI 5.0 opcodes */ -- 2.40.1

2 years, 1 month

1
15
0 0

[PATCH v2] acpi/processor: sanitize _PDC buffer bits when running as Xen dom0

by Jason Andryuk

From: Roger Pau Monne <roger.pau(a)citrix.com> The Processor _PDC buffer bits notify ACPI of the OS capabilities, and so ACPI can adjust the return of other Processor methods taking the OS capabilities into account. When Linux is running as a Xen dom0, it's the hypervisor the entity in charge of processor power management, and hence Xen needs to make sure the capabilities reported in the _PDC buffer match the capabilities of the driver in Xen. Introduce a small helper to sanitize the buffer when running as Xen dom0. When Xen supports HWP, this serves as the equivalent of commit a21211672c9a ("ACPI / processor: Request native thermal interrupt handling via _OSC") to avoid SMM crashes. Xen will set bit 12 in the _PDC bits and the _PDC call will apply it. [ jandryuk: Mention Xen HWP's need. Move local variables ] Signed-off-by: Roger Pau Monné <roger.pau(a)citrix.com> Cc: stable(a)vger.kernel.org Signed-off-by: Jason Andryuk <jandryuk(a)gmail.com> --- v2: Move local variables in acpi_processor_eval_pdc() to reuse in both conditions. --- arch/x86/include/asm/xen/hypervisor.h | 6 ++++++ arch/x86/xen/enlighten.c | 19 +++++++++++++++++++ drivers/acpi/processor_pdc.c | 22 ++++++++++++++++------ 3 files changed, 41 insertions(+), 6 deletions(-) diff --git a/arch/x86/include/asm/xen/hypervisor.h b/arch/x86/include/asm/xen/hypervisor.h index 5fc35f889cd1..0f88a7e450d3 100644 --- a/arch/x86/include/asm/xen/hypervisor.h +++ b/arch/x86/include/asm/xen/hypervisor.h @@ -63,4 +63,10 @@ void __init xen_pvh_init(struct boot_params *boot_params); void __init mem_map_via_hcall(struct boot_params *boot_params_p); #endif +#ifdef CONFIG_XEN_DOM0 +void xen_sanitize_pdc(uint32_t *buf); +#else +static inline void xen_sanitize_pdc(uint32_t *buf) { BUG(); } +#endif + #endif /* _ASM_X86_XEN_HYPERVISOR_H */ diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c index b8db2148c07d..9f7fc11330a3 100644 --- a/arch/x86/xen/enlighten.c +++ b/arch/x86/xen/enlighten.c @@ -346,3 +346,22 @@ void xen_arch_unregister_cpu(int num) } EXPORT_SYMBOL(xen_arch_unregister_cpu); #endif + +#ifdef CONFIG_XEN_DOM0 +void xen_sanitize_pdc(uint32_t *buf) +{ + struct xen_platform_op op = { + .cmd = XENPF_set_processor_pminfo, + .interface_version = XENPF_INTERFACE_VERSION, + .u.set_pminfo.id = -1, + .u.set_pminfo.type = XEN_PM_PDC, + }; + int ret; + + set_xen_guest_handle(op.u.set_pminfo.pdc, buf); + ret = HYPERVISOR_platform_op(&op); + if (ret) + pr_info("sanitize of _PDC buffer bits from Xen failed: %d\n", + ret); +} +#endif diff --git a/drivers/acpi/processor_pdc.c b/drivers/acpi/processor_pdc.c index 18fb04523f93..9393dd4a3158 100644 --- a/drivers/acpi/processor_pdc.c +++ b/drivers/acpi/processor_pdc.c @@ -122,6 +122,11 @@ static acpi_status acpi_processor_eval_pdc(acpi_handle handle, struct acpi_object_list *pdc_in) { acpi_status status = AE_OK; + union acpi_object *obj; + u32 *buffer = NULL; + + obj = pdc_in->pointer; + buffer = (u32 *)(obj->buffer.pointer); if (boot_option_idle_override == IDLE_NOMWAIT) { /* @@ -129,14 +134,19 @@ acpi_processor_eval_pdc(acpi_handle handle, struct acpi_object_list *pdc_in) * mode will be disabled in the parameter of _PDC object. * Of course C1_FFH access mode will also be disabled. */ - union acpi_object *obj; - u32 *buffer = NULL; - - obj = pdc_in->pointer; - buffer = (u32 *)(obj->buffer.pointer); buffer[2] &= ~(ACPI_PDC_C_C2C3_FFH | ACPI_PDC_C_C1_FFH); - } + + if (xen_initial_domain()) { + /* + * When Linux is running as Xen dom0, the hypervisor is the + * entity in charge of the processor power management, and so + * Xen needs to check the OS capabilities reported in the _PDC + * buffer matches what the hypervisor driver supports. + */ + xen_sanitize_pdc(buffer); + } + status = acpi_evaluate_object(handle, "_PDC", pdc_in, NULL); if (ACPI_FAILURE(status)) -- 2.41.0

2 years, 1 month

3
4
0 0

Apply 13e07691a16f and co. to linux-6.1.y

by Nathan Chancellor

Hi Greg and Sasha, Please consider applying the following commits to 6.1 (they all picked cleanly for me): 630ae80ea1dd ("tools lib subcmd: Add install target") 77dce6890a2a ("tools lib subcmd: Make install_headers clearer") 5d890591db6b ("tools lib subcmd: Add dependency test to install_headers") 0e43662e61f2 ("tools/resolve_btfids: Use pkg-config to locate libelf") af03299d8536 ("tools/resolve_btfids: Install subcmd headers") 13e07691a16f ("tools/resolve_btfids: Alter how HOSTCC is forced") 56a2df7615fa ("tools/resolve_btfids: Compile resolve_btfids as host program") e0975ab92f24 ("tools/resolve_btfids: Tidy HOST_OVERRIDES") 2531ba0e4ae6 ("tools/resolve_btfids: Pass HOSTCFLAGS as EXTRA_CFLAGS to prepare targets") edd75c802855 ("tools/resolve_btfids: Fix setting HOSTCFLAGS") The most critical change is 13e07691a16f, which resolves a missing EXTRA_CFLAGS to the libsubcmd build. Without that EXTRA_CFLAGS, the Android hermetic toolchain kernel build fails on host distributions using glibc 2.38 and newer. The majority of those commits are strictly needed due to dependency/fixes requirements, the few that are not still seem to be worth bringing in for ease of backporting the rest and do not appear to cause any problems. I proposed another solution downstream, which may be more palatable if people have concerns about this list of changes and the risk of regressions, but Ian seemed to have some concerns on that thread around that path and suggested this series of backports instead: https://android-review.googlesource.com/c/kernel/common/+/2745896 While the number of patches seems large, the final changes are pretty well self-contained. Cheers, Nathan

2 years, 1 month

2
1
0 0

Re: [PATCH v2] virtio-mmio: fix memory leak of vm_dev

by Catalin Marinas

On Thu, Sep 07, 2023 at 02:17:16PM +0000, Maximilian Heyne wrote: > With the recent removal of vm_dev from devres its memory is only freed > via the callback virtio_mmio_release_dev. However, this only takes > effect after device_add is called by register_virtio_device. Until then > it's an unmanaged resource and must be explicitly freed on error exit. > > This bug was discovered and resolved using Coverity Static Analysis > Security Testing (SAST) by Synopsys, Inc. > > Cc: <stable(a)vger.kernel.org> > Fixes: 55c91fedd03d ("virtio-mmio: don't break lifecycle of vm_dev") > Signed-off-by: Maximilian Heyne <mheyne(a)amazon.de> Reviewed-by: Catalin Marinas <catalin.marinas(a)arm.com> Tested-by: Catalin Marinas <catalin.marinas(a)arm.com> Thanks. -- Catalin

2 years, 1 month

2
2
0 0

[PATCH] Documentation: netdev: fix dead link in ax25.rst

by Peter Lafreniere

http://linux-ax25.org has been down for nearly a year. Its official replacement is https://linux-ax25.in-berlin.de. Update the documentation to point there instead. And acknowledge that while the linux-hams list isn't entirely dead, it isn't what most would call 'active'. Remove that word. Link: https://marc.info/?m=166792551600315 Cc: stable(a)vger.kernel.org Signed-off-by: Peter Lafreniere <peter(a)n8pjl.ca> --- Documentation/networking/ax25.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Documentation/networking/ax25.rst b/Documentation/networking/ax25.rst index f060cfb1445a..605e72c6c877 100644 --- a/Documentation/networking/ax25.rst +++ b/Documentation/networking/ax25.rst @@ -7,9 +7,9 @@ AX.25 To use the amateur radio protocols within Linux you will need to get a suitable copy of the AX.25 Utilities. More detailed information about AX.25, NET/ROM and ROSE, associated programs and utilities can be -found on http://www.linux-ax25.org. +found on https://linux-ax25.in-berlin.de. -There is an active mailing list for discussing Linux amateur radio matters +There is a mailing list for discussing Linux amateur radio matters called linux-hams(a)vger.kernel.org. To subscribe to it, send a message to majordomo(a)vger.kernel.org with the words "subscribe linux-hams" in the body of the message, the subject field is ignored. You don't need to be -- 2.42.0

2 years, 1 month

1
0
0 0

[PATCH v2] bcache: fixup lock c->root error

by Mingzhe Zou

We had a problem with io hung because it was waiting for c->root to release the lock. crash> cache_set.root -l cache_set.list ffffa03fde4c0050 root = 0xffff802ef454c800 crash> btree -o 0xffff802ef454c800 | grep rw_semaphore [ffff802ef454c858] struct rw_semaphore lock; crash> struct rw_semaphore ffff802ef454c858 struct rw_semaphore { count = { counter = -4294967297 }, wait_list = { next = 0xffff00006786fc28, prev = 0xffff00005d0efac8 }, wait_lock = { raw_lock = { { val = { counter = 0 }, { locked = 0 '\000', pending = 0 '\000' }, { locked_pending = 0, tail = 0 } } } }, osq = { tail = { counter = 0 } }, owner = 0xffffa03fdc586603 } The "counter = -4294967297" means that lock count is -1 and a write lock is being attempted. Then, we found that there is a btree with a counter of 1 in btree_cache_freeable. crash> cache_set -l cache_set.list ffffa03fde4c0050 -o|grep btree_cache [ffffa03fde4c1140] struct list_head btree_cache; [ffffa03fde4c1150] struct list_head btree_cache_freeable; [ffffa03fde4c1160] struct list_head btree_cache_freed; [ffffa03fde4c1170] unsigned int btree_cache_used; [ffffa03fde4c1178] wait_queue_head_t btree_cache_wait; [ffffa03fde4c1190] struct task_struct *btree_cache_alloc_lock; crash> list -H ffffa03fde4c1140|wc -l 973 crash> list -H ffffa03fde4c1150|wc -l 1123 crash> cache_set.btree_cache_used -l cache_set.list ffffa03fde4c0050 btree_cache_used = 2097 crash> list -s btree -l btree.list -H ffffa03fde4c1140|grep -E -A2 "^ lock = {" > btree_cache.txt crash> list -s btree -l btree.list -H ffffa03fde4c1150|grep -E -A2 "^ lock = {" > btree_cache_freeable.txt [root@node-3 127.0.0.1-2023-08-04-16:40:28]# pwd /var/crash/127.0.0.1-2023-08-04-16:40:28 [root@node-3 127.0.0.1-2023-08-04-16:40:28]# cat btree_cache.txt|grep counter|grep -v "counter = 0" [root@node-3 127.0.0.1-2023-08-04-16:40:28]# cat btree_cache_freeable.txt|grep counter|grep -v "counter = 0" counter = 1 We found that this is a bug in bch_sectors_dirty_init() when locking c->root: (1). Thread X has locked c->root(A) write. (2). Thread Y failed to lock c->root(A), waiting for the lock(c->root A). (3). Thread X bch_btree_set_root() changes c->root from A to B. (4). Thread X releases the lock(c->root A). (5). Thread Y successfully locks c->root(A). (6). Thread Y releases the lock(c->root B). down_write locked ---(1)----------------------┐ | | | down_read waiting ---(2)----┐ | | | ┌-------------┐ ┌-------------┐ bch_btree_set_root ===(3)========>> | c->root A | | c->root B | | | └-------------┘ └-------------┘ up_write ---(4)---------------------┘ | | | | | down_read locked ---(5)-----------┘ | | | up_read ---(6)-----------------------------┘ Since c->root may change, the correct steps to lock c->root should be the same as bch_root_usage(), compare after locking. static unsigned int bch_root_usage(struct cache_set *c) { unsigned int bytes = 0; struct bkey *k; struct btree *b; struct btree_iter iter; goto lock_root; do { rw_unlock(false, b); lock_root: b = c->root; rw_lock(false, b, b->level); } while (b != c->root); for_each_key_filter(&b->keys, k, &iter, bch_ptr_bad) bytes += bkey_bytes(k); rw_unlock(false, b); return (bytes * 100) / btree_bytes(c); } Fixes: b144e45fc576 ("bcache: make bch_sectors_dirty_init() to be multithreaded") Signed-off-by: Mingzhe Zou <mingzhe.zou(a)easystack.cn> Cc: stable(a)vger.kernel.org --- drivers/md/bcache/writeback.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/drivers/md/bcache/writeback.c b/drivers/md/bcache/writeback.c index 24c049067f61..bac916ba08c8 100644 --- a/drivers/md/bcache/writeback.c +++ b/drivers/md/bcache/writeback.c @@ -977,14 +977,22 @@ static int bch_btre_dirty_init_thread_nr(void) void bch_sectors_dirty_init(struct bcache_device *d) { int i; + struct btree *b = NULL; struct bkey *k = NULL; struct btree_iter iter; struct sectors_dirty_init op; struct cache_set *c = d->c; struct bch_dirty_init_state state; +retry_lock: + b = c->root; + rw_lock(0, b, b->level); + if (b != c->root) { + rw_unlock(0, b); + goto retry_lock; + } + /* Just count root keys if no leaf node */ - rw_lock(0, c->root, c->root->level); if (c->root->level == 0) { bch_btree_op_init(&op.op, -1); op.inode = d->id; @@ -994,7 +1002,7 @@ void bch_sectors_dirty_init(struct bcache_device *d) k, &iter, bch_ptr_invalid) sectors_dirty_init_fn(&op.op, c->root, k); - rw_unlock(0, c->root); + rw_unlock(0, b); return; } @@ -1030,7 +1038,7 @@ void bch_sectors_dirty_init(struct bcache_device *d) out: /* Must wait for all threads to stop. */ wait_event(state.wait, atomic_read(&state.started) == 0); - rw_unlock(0, c->root); + rw_unlock(0, b); } void bch_cached_dev_writeback_init(struct cached_dev *dc) -- 2.17.1.windows.2

2 years, 1 month

2
1
0 0

[PATCH 6.5 00/34] 6.5.2-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.5.2 release. There are 34 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 06 Sep 2023 18:29:29 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.5.2-rc1.… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.5.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.5.2-rc1 Mario Limonciello <mario.limonciello(a)amd.com> pinctrl: amd: Don't show `Invalid config param` errors Marco Felsch <m.felsch(a)pengutronix.de> usb: typec: tcpci: clear the fault status bit Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix WARNING in mark_buffer_dirty due to discarded buffer reuse Brian Foster <bfoster(a)redhat.com> tracing: Zero the pipe cpumask on alloc to avoid spurious -EBUSY Hugo Villeneuve <hvilleneuve(a)dimonoff.com> dt-bindings: sc16is7xx: Add property to change GPIO function Badhri Jagan Sridharan <badhri(a)google.com> tcpm: Avoid soft reset when partner does not support get_status Juerg Haefliger <juerg.haefliger(a)canonical.com> fsi: master-ast-cf: Add MODULE_FIRMWARE macro Wang Ming <machel(a)vivo.com> firmware: stratix10-svc: Fix an NULL vs IS_ERR() bug in probe Hugo Villeneuve <hvilleneuve(a)dimonoff.com> serial: sc16is7xx: fix bug when first setting GPIO direction Hugo Villeneuve <hvilleneuve(a)dimonoff.com> serial: sc16is7xx: fix broken port 0 uart init Johan Hovold <johan+linaro(a)kernel.org> serial: qcom-geni: fix opp vote on shutdown Sven Eckelmann <sven(a)narfation.org> wifi: ath11k: Cleanup mac80211 references on failure during tx_complete Sven Eckelmann <sven(a)narfation.org> wifi: ath11k: Don't drop tx_status when peer cannot be found Sascha Hauer <s.hauer(a)pengutronix.de> wifi: rtw88: usb: kill and free rx urbs on probe failure Deren Wu <deren.wu(a)mediatek.com> wifi: mt76: mt7921: fix skb leak by txs missing in AMSDU Deren Wu <deren.wu(a)mediatek.com> wifi: mt76: mt7921: do not support one stream on secondary antenna only Nam Cao <namcaov(a)gmail.com> staging: rtl8712: fix race condition Aaron Armstrong Skomra <aaron.skomra(a)wacom.com> HID: wacom: remove the battery when the EKR is off Xu Yang <xu.yang_2(a)nxp.com> usb: chipidea: imx: improve logic if samsung,picophy-* parameter is 0 Luke Lu <luke.lu(a)libre.computer> usb: dwc3: meson-g12a: do post init to fix broken usb after resumption Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Fix init call orders for UAC1 Slark Xiao <slark_xiao(a)163.com> USB: serial: option: add FOXCONN T99W368/T99W373 product Martin Kohn <m.kohn(a)welotec.com> USB: serial: option: add Quectel EM05G variant (0x030e) Christoph Hellwig <hch(a)lst.de> modules: only allow symbol_get of EXPORT_SYMBOL_GPL modules Christoph Hellwig <hch(a)lst.de> rtc: ds1685: use EXPORT_SYMBOL_GPL for ds1685_rtc_poweroff Christoph Hellwig <hch(a)lst.de> net: enetc: use EXPORT_SYMBOL_GPL for enetc_phc_index Christoph Hellwig <hch(a)lst.de> mmc: au1xmmc: force non-modular build and remove symbol_get usage Arnd Bergmann <arnd(a)arndb.de> ARM: pxa: remove use of symbol_get() Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: reduce descriptor size if remaining bytes is less than request size Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: replace one-element array with flex-array member in struct smb2_ea_info Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix slub overflow in ksmbd_decode_ntlmssp_auth_blob() Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix wrong DataOffset validation of create context Gao Xiang <xiang(a)kernel.org> erofs: ensure that the post-EOF tails are all zeroed Lang Yu <Lang.Yu(a)amd.com> drm/amdgpu: correct vmhub index in GMC v10/11 ------------- Diffstat: .../devicetree/bindings/serial/nxp,sc16is7xx.txt | 46 ++++++++++++++++++++++ Makefile | 4 +- arch/arm/mach-pxa/sharpsl_pm.c | 2 - arch/arm/mach-pxa/spitz.c | 14 +------ arch/mips/alchemy/devboards/db1000.c | 8 +--- arch/mips/alchemy/devboards/db1200.c | 19 +-------- arch/mips/alchemy/devboards/db1300.c | 10 +---- drivers/firmware/stratix10-svc.c | 2 +- drivers/fsi/fsi-master-ast-cf.c | 1 + drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c | 4 +- drivers/gpu/drm/amd/amdgpu/gmc_v11_0.c | 4 +- drivers/hid/wacom.h | 1 + drivers/hid/wacom_sys.c | 25 ++++++++++-- drivers/hid/wacom_wac.c | 1 + drivers/hid/wacom_wac.h | 1 + drivers/mmc/host/Kconfig | 5 ++- drivers/net/ethernet/freescale/enetc/enetc_ptp.c | 2 +- drivers/net/wireless/ath/ath11k/dp_tx.c | 10 ++--- .../net/wireless/mediatek/mt76/mt76_connac_mac.c | 7 +++- drivers/net/wireless/mediatek/mt76/mt7921/main.c | 2 +- drivers/net/wireless/realtek/rtw88/usb.c | 5 ++- drivers/pinctrl/pinctrl-amd.c | 4 +- drivers/rtc/rtc-ds1685.c | 2 +- drivers/staging/rtl8712/os_intfs.c | 1 + drivers/staging/rtl8712/usb_intf.c | 1 - drivers/tty/serial/qcom_geni_serial.c | 5 +++ drivers/tty/serial/sc16is7xx.c | 17 +++++++- drivers/usb/chipidea/ci_hdrc_imx.c | 10 +++-- drivers/usb/chipidea/usbmisc_imx.c | 6 ++- drivers/usb/dwc3/dwc3-meson-g12a.c | 6 +++ drivers/usb/serial/option.c | 7 ++++ drivers/usb/typec/tcpm/tcpci.c | 4 ++ drivers/usb/typec/tcpm/tcpm.c | 7 ++++ fs/erofs/zdata.c | 2 + fs/nilfs2/alloc.c | 3 +- fs/nilfs2/inode.c | 7 +++- fs/smb/server/auth.c | 3 ++ fs/smb/server/oplock.c | 2 +- fs/smb/server/smb2pdu.c | 2 +- fs/smb/server/smb2pdu.h | 2 +- fs/smb/server/transport_rdma.c | 25 ++++++++---- include/linux/usb/tcpci.h | 1 + kernel/module/main.c | 14 +++++-- kernel/trace/trace.c | 4 +- sound/usb/stream.c | 11 +++++- 45 files changed, 220 insertions(+), 99 deletions(-)

2 years, 1 month

14
53
0 0

[PATCH] Input: cyttsp4_core - change del_timer_sync() to timer_shutdown_sync()

by Denis Efremov (Oracle)

From: Duoming Zhou <duoming(a)zju.edu.cn> The watchdog_timer can schedule tx_timeout_task and watchdog_work can also arm watchdog_timer. The process is shown below: ----------- timer schedules work ------------ cyttsp4_watchdog_timer() //timer handler schedule_work(&cd->watchdog_work) ----------- work arms timer ------------ cyttsp4_watchdog_work() //workqueue callback function cyttsp4_start_wd_timer() mod_timer(&cd->watchdog_timer, ...) Although del_timer_sync() and cancel_work_sync() are called in cyttsp4_remove(), the timer and workqueue could still be rearmed. As a result, the possible use after free bugs could happen. The process is shown below: (cleanup routine) | (timer and workqueue routine) cyttsp4_remove() | cyttsp4_watchdog_timer() //timer cyttsp4_stop_wd_timer() | schedule_work() del_timer_sync() | | cyttsp4_watchdog_work() //worker | cyttsp4_start_wd_timer() | mod_timer() cancel_work_sync() | | cyttsp4_watchdog_timer() //timer | schedule_work() del_timer_sync() | kfree(cd) //FREE | | cyttsp4_watchdog_work() // reschedule! | cd-> //USE This patch changes del_timer_sync() to timer_shutdown_sync(), which could prevent rearming of the timer from the workqueue. Cc: stable(a)vger.kernel.org Fixes: CVE-2023-4134 Fixes: 17fb1563d69b ("Input: cyttsp4 - add core driver for Cypress TMA4XX touchscreen devices") Signed-off-by: Duoming Zhou <duoming(a)zju.edu.cn> Link: https://lore.kernel.org/r/20230421082919.8471-1-duoming@zju.edu.cn Signed-off-by: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Signed-off-by: Denis Efremov (Oracle) <efremov(a)linux.com> --- I've only added Cc: stable and Fixes tag. drivers/input/touchscreen/cyttsp4_core.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/input/touchscreen/cyttsp4_core.c b/drivers/input/touchscreen/cyttsp4_core.c index dccbcb942fe5..f999265896f4 100644 --- a/drivers/input/touchscreen/cyttsp4_core.c +++ b/drivers/input/touchscreen/cyttsp4_core.c @@ -1263,9 +1263,8 @@ static void cyttsp4_stop_wd_timer(struct cyttsp4 *cd) * Ensure we wait until the watchdog timer * running on a different CPU finishes */ - del_timer_sync(&cd->watchdog_timer); + timer_shutdown_sync(&cd->watchdog_timer); cancel_work_sync(&cd->watchdog_work); - del_timer_sync(&cd->watchdog_timer); } static void cyttsp4_watchdog_timer(struct timer_list *t) -- 2.42.0

2 years, 1 month

2
2
0 0

FAILED: patch "[PATCH] Bluetooth: btrtl: Load FW v2 otherwise FW v1 for RTL8852C" failed to apply to 6.5-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.5-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.5.y git checkout FETCH_HEAD git cherry-pick -x bd003fb338afee97c76f13c3e9144a7e4ad37179 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2023083021-unease-catfish-92ad@gregkh' --subject-prefix 'PATCH 6.5.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From bd003fb338afee97c76f13c3e9144a7e4ad37179 Mon Sep 17 00:00:00 2001 From: Max Chou <max.chou(a)realtek.com> Date: Mon, 7 Aug 2023 19:42:59 +0800 Subject: [PATCH] Bluetooth: btrtl: Load FW v2 otherwise FW v1 for RTL8852C In this commit, prefer to load FW v2 if available. Fallback to FW v1 otherwise. This behavior is only for RTL8852C. Fixes: 9a24ce5e29b1 ("Bluetooth: btrtl: Firmware format v2 support") Cc: stable(a)vger.kernel.org Suggested-by: Juerg Haefliger <juerg.haefliger(a)canonical.com> Tested-by: Hilda Wu <hildawu(a)realtek.com> Signed-off-by: Max Chou <max.chou(a)realtek.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> diff --git a/drivers/bluetooth/btrtl.c b/drivers/bluetooth/btrtl.c index ddae6524106d..84c2c2e1122f 100644 --- a/drivers/bluetooth/btrtl.c +++ b/drivers/bluetooth/btrtl.c @@ -104,7 +104,7 @@ static const struct id_table ic_id_table[] = { { IC_INFO(RTL_ROM_LMP_8723A, 0xb, 0x6, HCI_USB), .config_needed = false, .has_rom_version = false, - .fw_name = "rtl_bt/rtl8723a_fw.bin", + .fw_name = "rtl_bt/rtl8723a_fw", .cfg_name = NULL, .hw_info = "rtl8723au" }, @@ -112,7 +112,7 @@ static const struct id_table ic_id_table[] = { { IC_INFO(RTL_ROM_LMP_8723B, 0xb, 0x6, HCI_UART), .config_needed = true, .has_rom_version = true, - .fw_name = "rtl_bt/rtl8723bs_fw.bin", + .fw_name = "rtl_bt/rtl8723bs_fw", .cfg_name = "rtl_bt/rtl8723bs_config", .hw_info = "rtl8723bs" }, @@ -120,7 +120,7 @@ static const struct id_table ic_id_table[] = { { IC_INFO(RTL_ROM_LMP_8723B, 0xb, 0x6, HCI_USB), .config_needed = false, .has_rom_version = true, - .fw_name = "rtl_bt/rtl8723b_fw.bin", + .fw_name = "rtl_bt/rtl8723b_fw", .cfg_name = "rtl_bt/rtl8723b_config", .hw_info = "rtl8723bu" }, @@ -132,7 +132,7 @@ static const struct id_table ic_id_table[] = { .hci_bus = HCI_UART, .config_needed = true, .has_rom_version = true, - .fw_name = "rtl_bt/rtl8723cs_cg_fw.bin", + .fw_name = "rtl_bt/rtl8723cs_cg_fw", .cfg_name = "rtl_bt/rtl8723cs_cg_config", .hw_info = "rtl8723cs-cg" }, @@ -144,7 +144,7 @@ static const struct id_table ic_id_table[] = { .hci_bus = HCI_UART, .config_needed = true, .has_rom_version = true, - .fw_name = "rtl_bt/rtl8723cs_vf_fw.bin", + .fw_name = "rtl_bt/rtl8723cs_vf_fw", .cfg_name = "rtl_bt/rtl8723cs_vf_config", .hw_info = "rtl8723cs-vf" }, @@ -156,7 +156,7 @@ static const struct id_table ic_id_table[] = { .hci_bus = HCI_UART, .config_needed = true, .has_rom_version = true, - .fw_name = "rtl_bt/rtl8723cs_xx_fw.bin", + .fw_name = "rtl_bt/rtl8723cs_xx_fw", .cfg_name = "rtl_bt/rtl8723cs_xx_config", .hw_info = "rtl8723cs" }, @@ -164,7 +164,7 @@ static const struct id_table ic_id_table[] = { { IC_INFO(RTL_ROM_LMP_8723B, 0xd, 0x8, HCI_USB), .config_needed = true, .has_rom_version = true, - .fw_name = "rtl_bt/rtl8723d_fw.bin", + .fw_name = "rtl_bt/rtl8723d_fw", .cfg_name = "rtl_bt/rtl8723d_config", .hw_info = "rtl8723du" }, @@ -172,7 +172,7 @@ static const struct id_table ic_id_table[] = { { IC_INFO(RTL_ROM_LMP_8723B, 0xd, 0x8, HCI_UART), .config_needed = true, .has_rom_version = true, - .fw_name = "rtl_bt/rtl8723ds_fw.bin", + .fw_name = "rtl_bt/rtl8723ds_fw", .cfg_name = "rtl_bt/rtl8723ds_config", .hw_info = "rtl8723ds" }, @@ -180,7 +180,7 @@ static const struct id_table ic_id_table[] = { { IC_INFO(RTL_ROM_LMP_8821A, 0xa, 0x6, HCI_USB), .config_needed = false, .has_rom_version = true, - .fw_name = "rtl_bt/rtl8821a_fw.bin", + .fw_name = "rtl_bt/rtl8821a_fw", .cfg_name = "rtl_bt/rtl8821a_config", .hw_info = "rtl8821au" }, @@ -189,7 +189,7 @@ static const struct id_table ic_id_table[] = { .config_needed = false, .has_rom_version = true, .has_msft_ext = true, - .fw_name = "rtl_bt/rtl8821c_fw.bin", + .fw_name = "rtl_bt/rtl8821c_fw", .cfg_name = "rtl_bt/rtl8821c_config", .hw_info = "rtl8821cu" }, @@ -198,7 +198,7 @@ static const struct id_table ic_id_table[] = { .config_needed = true, .has_rom_version = true, .has_msft_ext = true, - .fw_name = "rtl_bt/rtl8821cs_fw.bin", + .fw_name = "rtl_bt/rtl8821cs_fw", .cfg_name = "rtl_bt/rtl8821cs_config", .hw_info = "rtl8821cs" }, @@ -206,7 +206,7 @@ static const struct id_table ic_id_table[] = { { IC_INFO(RTL_ROM_LMP_8761A, 0xa, 0x6, HCI_USB), .config_needed = false, .has_rom_version = true, - .fw_name = "rtl_bt/rtl8761a_fw.bin", + .fw_name = "rtl_bt/rtl8761a_fw", .cfg_name = "rtl_bt/rtl8761a_config", .hw_info = "rtl8761au" }, @@ -215,7 +215,7 @@ static const struct id_table ic_id_table[] = { .config_needed = false, .has_rom_version = true, .has_msft_ext = true, - .fw_name = "rtl_bt/rtl8761b_fw.bin", + .fw_name = "rtl_bt/rtl8761b_fw", .cfg_name = "rtl_bt/rtl8761b_config", .hw_info = "rtl8761btv" }, @@ -223,7 +223,7 @@ static const struct id_table ic_id_table[] = { { IC_INFO(RTL_ROM_LMP_8761A, 0xb, 0xa, HCI_USB), .config_needed = false, .has_rom_version = true, - .fw_name = "rtl_bt/rtl8761bu_fw.bin", + .fw_name = "rtl_bt/rtl8761bu_fw", .cfg_name = "rtl_bt/rtl8761bu_config", .hw_info = "rtl8761bu" }, @@ -232,7 +232,7 @@ static const struct id_table ic_id_table[] = { .config_needed = true, .has_rom_version = true, .has_msft_ext = true, - .fw_name = "rtl_bt/rtl8822cs_fw.bin", + .fw_name = "rtl_bt/rtl8822cs_fw", .cfg_name = "rtl_bt/rtl8822cs_config", .hw_info = "rtl8822cs" }, @@ -241,7 +241,7 @@ static const struct id_table ic_id_table[] = { .config_needed = true, .has_rom_version = true, .has_msft_ext = true, - .fw_name = "rtl_bt/rtl8822cs_fw.bin", + .fw_name = "rtl_bt/rtl8822cs_fw", .cfg_name = "rtl_bt/rtl8822cs_config", .hw_info = "rtl8822cs" }, @@ -250,7 +250,7 @@ static const struct id_table ic_id_table[] = { .config_needed = false, .has_rom_version = true, .has_msft_ext = true, - .fw_name = "rtl_bt/rtl8822cu_fw.bin", + .fw_name = "rtl_bt/rtl8822cu_fw", .cfg_name = "rtl_bt/rtl8822cu_config", .hw_info = "rtl8822cu" }, @@ -259,7 +259,7 @@ static const struct id_table ic_id_table[] = { .config_needed = true, .has_rom_version = true, .has_msft_ext = true, - .fw_name = "rtl_bt/rtl8822b_fw.bin", + .fw_name = "rtl_bt/rtl8822b_fw", .cfg_name = "rtl_bt/rtl8822b_config", .hw_info = "rtl8822bu" }, @@ -268,7 +268,7 @@ static const struct id_table ic_id_table[] = { .config_needed = false, .has_rom_version = true, .has_msft_ext = true, - .fw_name = "rtl_bt/rtl8852au_fw.bin", + .fw_name = "rtl_bt/rtl8852au_fw", .cfg_name = "rtl_bt/rtl8852au_config", .hw_info = "rtl8852au" }, @@ -277,7 +277,7 @@ static const struct id_table ic_id_table[] = { .config_needed = true, .has_rom_version = true, .has_msft_ext = true, - .fw_name = "rtl_bt/rtl8852bs_fw.bin", + .fw_name = "rtl_bt/rtl8852bs_fw", .cfg_name = "rtl_bt/rtl8852bs_config", .hw_info = "rtl8852bs" }, @@ -286,7 +286,7 @@ static const struct id_table ic_id_table[] = { .config_needed = false, .has_rom_version = true, .has_msft_ext = true, - .fw_name = "rtl_bt/rtl8852bu_fw.bin", + .fw_name = "rtl_bt/rtl8852bu_fw", .cfg_name = "rtl_bt/rtl8852bu_config", .hw_info = "rtl8852bu" }, @@ -295,7 +295,7 @@ static const struct id_table ic_id_table[] = { .config_needed = false, .has_rom_version = true, .has_msft_ext = true, - .fw_name = "rtl_bt/rtl8852cu_fw.bin", + .fw_name = "rtl_bt/rtl8852cu_fw", .cfg_name = "rtl_bt/rtl8852cu_config", .hw_info = "rtl8852cu" }, @@ -304,7 +304,7 @@ static const struct id_table ic_id_table[] = { .config_needed = false, .has_rom_version = true, .has_msft_ext = false, - .fw_name = "rtl_bt/rtl8851bu_fw.bin", + .fw_name = "rtl_bt/rtl8851bu_fw", .cfg_name = "rtl_bt/rtl8851bu_config", .hw_info = "rtl8851bu" }, }; @@ -1045,6 +1045,7 @@ struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev, struct sk_buff *skb; struct hci_rp_read_local_version *resp; struct hci_command_hdr *cmd; + char fw_name[40]; char cfg_name[40]; u16 hci_rev, lmp_subver; u8 hci_ver, lmp_ver, chip_type = 0; @@ -1154,8 +1155,26 @@ struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev, goto err_free; } - btrtl_dev->fw_len = rtl_load_file(hdev, btrtl_dev->ic_info->fw_name, - &btrtl_dev->fw_data); + if (!btrtl_dev->ic_info->fw_name) { + ret = -ENOMEM; + goto err_free; + } + + btrtl_dev->fw_len = -EIO; + if (lmp_subver == RTL_ROM_LMP_8852A && hci_rev == 0x000c) { + snprintf(fw_name, sizeof(fw_name), "%s_v2.bin", + btrtl_dev->ic_info->fw_name); + btrtl_dev->fw_len = rtl_load_file(hdev, fw_name, + &btrtl_dev->fw_data); + } + + if (btrtl_dev->fw_len < 0) { + snprintf(fw_name, sizeof(fw_name), "%s.bin", + btrtl_dev->ic_info->fw_name); + btrtl_dev->fw_len = rtl_load_file(hdev, fw_name, + &btrtl_dev->fw_data); + } + if (btrtl_dev->fw_len < 0) { rtl_dev_err(hdev, "firmware file %s not found", btrtl_dev->ic_info->fw_name); @@ -1491,4 +1510,5 @@ MODULE_FIRMWARE("rtl_bt/rtl8852bs_config.bin"); MODULE_FIRMWARE("rtl_bt/rtl8852bu_fw.bin"); MODULE_FIRMWARE("rtl_bt/rtl8852bu_config.bin"); MODULE_FIRMWARE("rtl_bt/rtl8852cu_fw.bin"); +MODULE_FIRMWARE("rtl_bt/rtl8852cu_fw_v2.bin"); MODULE_FIRMWARE("rtl_bt/rtl8852cu_config.bin");

2 years, 1 month

3
3
0 0

Re: [PATCH v2] virtio-mmio: fix memory leak of vm_dev

by Xuan Zhuo

On Thu, 7 Sep 2023 14:17:16 +0000, Maximilian Heyne <mheyne(a)amazon.de> wrote: > With the recent removal of vm_dev from devres its memory is only freed > via the callback virtio_mmio_release_dev. However, this only takes > effect after device_add is called by register_virtio_device. Until then > it's an unmanaged resource and must be explicitly freed on error exit. > > This bug was discovered and resolved using Coverity Static Analysis > Security Testing (SAST) by Synopsys, Inc. > > Cc: <stable(a)vger.kernel.org> > Fixes: 55c91fedd03d ("virtio-mmio: don't break lifecycle of vm_dev") > Signed-off-by: Maximilian Heyne <mheyne(a)amazon.de> Reviewed-by: Xuan Zhuo <xuanzhuo(a)linux.alibaba.com> > --- > drivers/virtio/virtio_mmio.c | 19 ++++++++++++++----- > 1 file changed, 14 insertions(+), 5 deletions(-) > > diff --git a/drivers/virtio/virtio_mmio.c b/drivers/virtio/virtio_mmio.c > index 97760f611295..59892a31cf76 100644 > --- a/drivers/virtio/virtio_mmio.c > +++ b/drivers/virtio/virtio_mmio.c > @@ -631,14 +631,17 @@ static int virtio_mmio_probe(struct platform_device *pdev) > spin_lock_init(&vm_dev->lock); > > vm_dev->base = devm_platform_ioremap_resource(pdev, 0); > - if (IS_ERR(vm_dev->base)) > - return PTR_ERR(vm_dev->base); > + if (IS_ERR(vm_dev->base)) { > + rc = PTR_ERR(vm_dev->base); > + goto free_vm_dev; > + } > > /* Check magic value */ > magic = readl(vm_dev->base + VIRTIO_MMIO_MAGIC_VALUE); > if (magic != ('v' | 'i' << 8 | 'r' << 16 | 't' << 24)) { > dev_warn(&pdev->dev, "Wrong magic value 0x%08lx!\n", magic); > - return -ENODEV; > + rc = -ENODEV; > + goto free_vm_dev; > } > > /* Check device version */ > @@ -646,7 +649,8 @@ static int virtio_mmio_probe(struct platform_device *pdev) > if (vm_dev->version < 1 || vm_dev->version > 2) { > dev_err(&pdev->dev, "Version %ld not supported!\n", > vm_dev->version); > - return -ENXIO; > + rc = -ENXIO; > + goto free_vm_dev; > } > > vm_dev->vdev.id.device = readl(vm_dev->base + VIRTIO_MMIO_DEVICE_ID); > @@ -655,7 +659,8 @@ static int virtio_mmio_probe(struct platform_device *pdev) > * virtio-mmio device with an ID 0 is a (dummy) placeholder > * with no function. End probing now with no error reported. > */ > - return -ENODEV; > + rc = -ENODEV; > + goto free_vm_dev; > } > vm_dev->vdev.id.vendor = readl(vm_dev->base + VIRTIO_MMIO_VENDOR_ID); > > @@ -685,6 +690,10 @@ static int virtio_mmio_probe(struct platform_device *pdev) > put_device(&vm_dev->vdev.dev); > > return rc; > + > +free_vm_dev: > + kfree(vm_dev); > + return rc; > } > > static int virtio_mmio_remove(struct platform_device *pdev) > -- > 2.40.1 > > > > > Amazon Development Center Germany GmbH > Krausenstr. 38 > 10117 Berlin > Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss > Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B > Sitz: Berlin > Ust-ID: DE 289 237 879 > > >

2 years, 1 month

1
0
0 0

[PATCH v3 1/2] mm/vmalloc: Add a safer version of find_vm_area() for debug

by Joel Fernandes (Google)

It is unsafe to dump vmalloc area information when trying to do so from some contexts. Add a safer trylock version of the same function to do a best-effort VMA finding and use it from vmalloc_dump_obj(). [applied test robot feedback on unused function fix.] [applied Uladzislau feedback on locking.] Reported-by: Zhen Lei <thunder.leizhen(a)huaweicloud.com> Cc: Paul E. McKenney <paulmck(a)kernel.org> Cc: rcu(a)vger.kernel.org Cc: Zqiang <qiang.zhang1211(a)gmail.com> Reviewed-by: Uladzislau Rezki (Sony) <urezki(a)gmail.com> Fixes: 98f180837a89 ("mm: Make mem_dump_obj() handle vmalloc() memory") Cc: stable(a)vger.kernel.org Signed-off-by: Joel Fernandes (Google) <joel(a)joelfernandes.org> --- mm/vmalloc.c | 26 ++++++++++++++++++++++---- 1 file changed, 22 insertions(+), 4 deletions(-) diff --git a/mm/vmalloc.c b/mm/vmalloc.c index 93cf99aba335..2c6a0e2ff404 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c @@ -4274,14 +4274,32 @@ void pcpu_free_vm_areas(struct vm_struct **vms, int nr_vms) #ifdef CONFIG_PRINTK bool vmalloc_dump_obj(void *object) { - struct vm_struct *vm; void *objp = (void *)PAGE_ALIGN((unsigned long)object); + const void *caller; + struct vm_struct *vm; + struct vmap_area *va; + unsigned long addr; + unsigned int nr_pages; - vm = find_vm_area(objp); - if (!vm) + if (!spin_trylock(&vmap_area_lock)) + return false; + va = __find_vmap_area((unsigned long)objp, &vmap_area_root); + if (!va) { + spin_unlock(&vmap_area_lock); return false; + } + + vm = va->vm; + if (!vm) { + spin_unlock(&vmap_area_lock); + return false; + } + addr = (unsigned long)vm->addr; + caller = vm->caller; + nr_pages = vm->nr_pages; + spin_unlock(&vmap_area_lock); pr_cont(" %u-page vmalloc region starting at %#lx allocated at %pS\n", - vm->nr_pages, (unsigned long)vm->addr, vm->caller); + nr_pages, addr, caller); return true; } #endif -- 2.42.0.283.g2d96d420d3-goog

2 years, 1 month

5
16
0 0

[PATCH v2 1/2] nvme: fix memory corruption for passthrough metadata

by Kanchan Joshi

User can specify a smaller meta buffer than what the device is wired to update/access. This may lead to Device doing a larger DMA operation, overwriting unrelated kernel memory. Detect this situation for uring passthrough, and bail out. Fixes: 456cba386e94 ("nvme: wire-up uring-cmd support for io-passthru on char-device") Cc: stable(a)vger.kernel.org Reported-by: Vincent Fu <vincent.fu(a)samsung.com> Signed-off-by: Kanchan Joshi <joshi.k(a)samsung.com> --- drivers/nvme/host/ioctl.c | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/drivers/nvme/host/ioctl.c b/drivers/nvme/host/ioctl.c index 19a5177bc360..717c7effaf8a 100644 --- a/drivers/nvme/host/ioctl.c +++ b/drivers/nvme/host/ioctl.c @@ -320,6 +320,35 @@ static int nvme_submit_io(struct nvme_ns *ns, struct nvme_user_io __user *uio) meta_len, lower_32_bits(io.slba), NULL, 0, 0); } +static bool nvme_validate_passthru_meta(struct nvme_ctrl *ctrl, + struct nvme_ns *ns, + struct nvme_command *c, + __u64 meta, __u32 meta_len) +{ + /* + * User may specify smaller meta-buffer with a larger data-buffer. + * Driver allocated meta buffer will also be small. + * Device can do larger dma into that, overwriting unrelated kernel + * memory. + */ + if (ns && (meta_len || meta)) { + u16 nlb = lower_16_bits(le32_to_cpu(c->common.cdw12)); + u16 control = upper_16_bits(le32_to_cpu(c->common.cdw12)); + + /* meta transfer from/to host is not done */ + if (control & NVME_RW_PRINFO_PRACT && ns->ms == ns->pi_size) + return true; + + if (meta_len != (nlb + 1) * ns->ms) { + dev_err(ctrl->device, + "%s: metadata length does not match!\n", current->comm); + return false; + } + } + + return true; +} + static bool nvme_validate_passthru_nsid(struct nvme_ctrl *ctrl, struct nvme_ns *ns, __u32 nsid) { @@ -593,6 +622,10 @@ static int nvme_uring_cmd_io(struct nvme_ctrl *ctrl, struct nvme_ns *ns, d.metadata_len = READ_ONCE(cmd->metadata_len); d.timeout_ms = READ_ONCE(cmd->timeout_ms); + if (!nvme_validate_passthru_meta(ctrl, ns, &c, d.metadata, + d.metadata_len)) + return -EINVAL; + if (issue_flags & IO_URING_F_NONBLOCK) { rq_flags |= REQ_NOWAIT; blk_flags = BLK_MQ_REQ_NOWAIT; -- 2.25.1

2 years, 1 month

5
8
0 0

[PATCH AUTOSEL 6.5 1/6] iomap: Fix possible overflow condition in iomap_write_delalloc_scan

by Sasha Levin

From: "Ritesh Harjani (IBM)" <ritesh.list(a)gmail.com> [ Upstream commit eee2d2e6ea5550118170dbd5bb1316ceb38455fb ] folio_next_index() returns an unsigned long value which left shifted by PAGE_SHIFT could possibly cause an overflow on 32-bit system. Instead use folio_pos(folio) + folio_size(folio), which does this correctly. Suggested-by: Matthew Wilcox <willy(a)infradead.org> Signed-off-by: Ritesh Harjani (IBM) <ritesh.list(a)gmail.com> Reviewed-by: Darrick J. Wong <djwong(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/iomap/buffered-io.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c index aa8967cca1a31..4dc4bbc4be10a 100644 --- a/fs/iomap/buffered-io.c +++ b/fs/iomap/buffered-io.c @@ -932,7 +932,7 @@ static int iomap_write_delalloc_scan(struct inode *inode, * the end of this data range, not the end of the folio. */ *punch_start_byte = min_t(loff_t, end_byte, - folio_next_index(folio) << PAGE_SHIFT); + folio_pos(folio) + folio_size(folio)); } /* move offset to start of next folio in range */ -- 2.40.1

2 years, 1 month

2
6
0 0

[PATCH AUTOSEL 6.4 1/5] iomap: Fix possible overflow condition in iomap_write_delalloc_scan

by Sasha Levin

From: "Ritesh Harjani (IBM)" <ritesh.list(a)gmail.com> [ Upstream commit eee2d2e6ea5550118170dbd5bb1316ceb38455fb ] folio_next_index() returns an unsigned long value which left shifted by PAGE_SHIFT could possibly cause an overflow on 32-bit system. Instead use folio_pos(folio) + folio_size(folio), which does this correctly. Suggested-by: Matthew Wilcox <willy(a)infradead.org> Signed-off-by: Ritesh Harjani (IBM) <ritesh.list(a)gmail.com> Reviewed-by: Darrick J. Wong <djwong(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/iomap/buffered-io.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c index 063133ec77f49..5e5bffa384976 100644 --- a/fs/iomap/buffered-io.c +++ b/fs/iomap/buffered-io.c @@ -929,7 +929,7 @@ static int iomap_write_delalloc_scan(struct inode *inode, * the end of this data range, not the end of the folio. */ *punch_start_byte = min_t(loff_t, end_byte, - folio_next_index(folio) << PAGE_SHIFT); + folio_pos(folio) + folio_size(folio)); } /* move offset to start of next folio in range */ -- 2.40.1

2 years, 1 month

2
5
0 0

[PATCH] net: Avoid address overwrite in kernel_connect

by Jordan Rife

commit 0bdf399 upstream. This fix applies to all stable kernel versions 4.19+. BPF programs that run on connect can rewrite the connect address. For the connect system call this isn't a problem, because a copy of the address is made when it is moved into kernel space. However, kernel_connect simply passes through the address it is given, so the caller may observe its address value unexpectedly change. A practical example where this is problematic is where NFS is combined with a system such as Cilium which implements BPF-based load balancing. A common pattern in software-defined storage systems is to have an NFS mount that connects to a persistent virtual IP which in turn maps to an ephemeral server IP. This is usually done to achieve high availability: if your server goes down you can quickly spin up a replacement and remap the virtual IP to that endpoint. With BPF-based load balancing, mounts will forget the virtual IP address when the address rewrite occurs because a pointer to the only copy of that address is passed down the stack. Server failover then breaks, because clients have forgotten the virtual IP address. Reconnects fail and mounts remain broken. This patch was tested by setting up a scenario like this and ensuring that NFS reconnects worked after applying the patch. Signed-off-by: Jordan Rife <jrife(a)google.com> --- net/socket.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/net/socket.c b/net/socket.c index ce70c01eb2f3e..db9d908198f21 100644 --- a/net/socket.c +++ b/net/socket.c @@ -3468,7 +3468,11 @@ EXPORT_SYMBOL(kernel_accept); int kernel_connect(struct socket *sock, struct sockaddr *addr, int addrlen, int flags) { - return sock->ops->connect(sock, addr, addrlen, flags); + struct sockaddr_storage address; + + memcpy(&address, addr, addrlen); + + return sock->ops->connect(sock, (struct sockaddr *)&address, addrlen, flags); } EXPORT_SYMBOL(kernel_connect); -- 2.42.0.283.g2d96d420d3-goog

2 years, 1 month

2
2
0 0

[PATCH AUTOSEL 4.14 1/2] autofs: fix memory leak of waitqueues in autofs_catatonic_mode

by Sasha Levin

From: Fedor Pchelkin <pchelkin(a)ispras.ru> [ Upstream commit ccbe77f7e45dfb4420f7f531b650c00c6e9c7507 ] Syzkaller reports a memory leak: BUG: memory leak unreferenced object 0xffff88810b279e00 (size 96): comm "syz-executor399", pid 3631, jiffies 4294964921 (age 23.870s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 08 9e 27 0b 81 88 ff ff ..........'..... 08 9e 27 0b 81 88 ff ff 00 00 00 00 00 00 00 00 ..'............. backtrace: [<ffffffff814cfc90>] kmalloc_trace+0x20/0x90 mm/slab_common.c:1046 [<ffffffff81bb75ca>] kmalloc include/linux/slab.h:576 [inline] [<ffffffff81bb75ca>] autofs_wait+0x3fa/0x9a0 fs/autofs/waitq.c:378 [<ffffffff81bb88a7>] autofs_do_expire_multi+0xa7/0x3e0 fs/autofs/expire.c:593 [<ffffffff81bb8c33>] autofs_expire_multi+0x53/0x80 fs/autofs/expire.c:619 [<ffffffff81bb6972>] autofs_root_ioctl_unlocked+0x322/0x3b0 fs/autofs/root.c:897 [<ffffffff81bb6a95>] autofs_root_ioctl+0x25/0x30 fs/autofs/root.c:910 [<ffffffff81602a9c>] vfs_ioctl fs/ioctl.c:51 [inline] [<ffffffff81602a9c>] __do_sys_ioctl fs/ioctl.c:870 [inline] [<ffffffff81602a9c>] __se_sys_ioctl fs/ioctl.c:856 [inline] [<ffffffff81602a9c>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:856 [<ffffffff84608225>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [<ffffffff84608225>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 [<ffffffff84800087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd autofs_wait_queue structs should be freed if their wait_ctr becomes zero. Otherwise they will be lost. In this case an AUTOFS_IOC_EXPIRE_MULTI ioctl is done, then a new waitqueue struct is allocated in autofs_wait(), its initial wait_ctr equals 2. After that wait_event_killable() is interrupted (it returns -ERESTARTSYS), so that 'wq->name.name == NULL' condition may be not satisfied. Actually, this condition can be satisfied when autofs_wait_release() or autofs_catatonic_mode() is called and, what is also important, wait_ctr is decremented in those places. Upon the exit of autofs_wait(), wait_ctr is decremented to 1. Then the unmounting process begins: kill_sb calls autofs_catatonic_mode(), which should have freed the waitqueues, but it only decrements its usage counter to zero which is not a correct behaviour. edit:imk This description is of course not correct. The umount performed as a result of an expire is a umount of a mount that has been automounted, it's not the autofs mount itself. They happen independently, usually after everything mounted within the autofs file system has been expired away. If everything hasn't been expired away the automount daemon can still exit leaving mounts in place. But expires done in both cases will result in a notification that calls autofs_wait_release() with a result status. The problem case is the summary execution of of the automount daemon. In this case any waiting processes won't be woken up until either they are terminated or the mount is umounted. end edit: imk So in catatonic mode we should free waitqueues which counter becomes zero. edit: imk Initially I was concerned that the calling of autofs_wait_release() and autofs_catatonic_mode() was not mutually exclusive but that can't be the case (obviously) because the queue entry (or entries) is removed from the list when either of these two functions are called. Consequently the wait entry will be freed by only one of these functions or by the woken process in autofs_wait() depending on the order of the calls. end edit: imk Reported-by: syzbot+5e53f70e69ff0c0a1c0c(a)syzkaller.appspotmail.com Suggested-by: Takeshi Misawa <jeliantsurux(a)gmail.com> Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> Signed-off-by: Alexey Khoroshilov <khoroshilov(a)ispras.ru> Signed-off-by: Ian Kent <raven(a)themaw.net> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Andrei Vagin <avagin(a)gmail.com> Cc: autofs(a)vger.kernel.org Cc: linux-kernel(a)vger.kernel.org Message-Id: <169112719161.7590.6700123246297365841.stgit(a)donald.themaw.net> Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/autofs4/waitq.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/autofs4/waitq.c b/fs/autofs4/waitq.c index 961a12dc6dc81..5863532675e3c 100644 --- a/fs/autofs4/waitq.c +++ b/fs/autofs4/waitq.c @@ -42,8 +42,9 @@ void autofs4_catatonic_mode(struct autofs_sb_info *sbi) wq->status = -ENOENT; /* Magic is gone - report failure */ kfree(wq->name.name); wq->name.name = NULL; - wq->wait_ctr--; wake_up_interruptible(&wq->queue); + if (!--wq->wait_ctr) + kfree(wq); wq = nwq; } fput(sbi->pipe); /* Close the pipe */ -- 2.40.1

2 years, 1 month

1
1
0 0

[PATCH AUTOSEL 4.19 1/2] autofs: fix memory leak of waitqueues in autofs_catatonic_mode

by Sasha Levin

From: Fedor Pchelkin <pchelkin(a)ispras.ru> [ Upstream commit ccbe77f7e45dfb4420f7f531b650c00c6e9c7507 ] Syzkaller reports a memory leak: BUG: memory leak unreferenced object 0xffff88810b279e00 (size 96): comm "syz-executor399", pid 3631, jiffies 4294964921 (age 23.870s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 08 9e 27 0b 81 88 ff ff ..........'..... 08 9e 27 0b 81 88 ff ff 00 00 00 00 00 00 00 00 ..'............. backtrace: [<ffffffff814cfc90>] kmalloc_trace+0x20/0x90 mm/slab_common.c:1046 [<ffffffff81bb75ca>] kmalloc include/linux/slab.h:576 [inline] [<ffffffff81bb75ca>] autofs_wait+0x3fa/0x9a0 fs/autofs/waitq.c:378 [<ffffffff81bb88a7>] autofs_do_expire_multi+0xa7/0x3e0 fs/autofs/expire.c:593 [<ffffffff81bb8c33>] autofs_expire_multi+0x53/0x80 fs/autofs/expire.c:619 [<ffffffff81bb6972>] autofs_root_ioctl_unlocked+0x322/0x3b0 fs/autofs/root.c:897 [<ffffffff81bb6a95>] autofs_root_ioctl+0x25/0x30 fs/autofs/root.c:910 [<ffffffff81602a9c>] vfs_ioctl fs/ioctl.c:51 [inline] [<ffffffff81602a9c>] __do_sys_ioctl fs/ioctl.c:870 [inline] [<ffffffff81602a9c>] __se_sys_ioctl fs/ioctl.c:856 [inline] [<ffffffff81602a9c>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:856 [<ffffffff84608225>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [<ffffffff84608225>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 [<ffffffff84800087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd autofs_wait_queue structs should be freed if their wait_ctr becomes zero. Otherwise they will be lost. In this case an AUTOFS_IOC_EXPIRE_MULTI ioctl is done, then a new waitqueue struct is allocated in autofs_wait(), its initial wait_ctr equals 2. After that wait_event_killable() is interrupted (it returns -ERESTARTSYS), so that 'wq->name.name == NULL' condition may be not satisfied. Actually, this condition can be satisfied when autofs_wait_release() or autofs_catatonic_mode() is called and, what is also important, wait_ctr is decremented in those places. Upon the exit of autofs_wait(), wait_ctr is decremented to 1. Then the unmounting process begins: kill_sb calls autofs_catatonic_mode(), which should have freed the waitqueues, but it only decrements its usage counter to zero which is not a correct behaviour. edit:imk This description is of course not correct. The umount performed as a result of an expire is a umount of a mount that has been automounted, it's not the autofs mount itself. They happen independently, usually after everything mounted within the autofs file system has been expired away. If everything hasn't been expired away the automount daemon can still exit leaving mounts in place. But expires done in both cases will result in a notification that calls autofs_wait_release() with a result status. The problem case is the summary execution of of the automount daemon. In this case any waiting processes won't be woken up until either they are terminated or the mount is umounted. end edit: imk So in catatonic mode we should free waitqueues which counter becomes zero. edit: imk Initially I was concerned that the calling of autofs_wait_release() and autofs_catatonic_mode() was not mutually exclusive but that can't be the case (obviously) because the queue entry (or entries) is removed from the list when either of these two functions are called. Consequently the wait entry will be freed by only one of these functions or by the woken process in autofs_wait() depending on the order of the calls. end edit: imk Reported-by: syzbot+5e53f70e69ff0c0a1c0c(a)syzkaller.appspotmail.com Suggested-by: Takeshi Misawa <jeliantsurux(a)gmail.com> Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> Signed-off-by: Alexey Khoroshilov <khoroshilov(a)ispras.ru> Signed-off-by: Ian Kent <raven(a)themaw.net> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Andrei Vagin <avagin(a)gmail.com> Cc: autofs(a)vger.kernel.org Cc: linux-kernel(a)vger.kernel.org Message-Id: <169112719161.7590.6700123246297365841.stgit(a)donald.themaw.net> Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/autofs/waitq.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/autofs/waitq.c b/fs/autofs/waitq.c index f6385c6ef0a56..44ba0cd4ebc4f 100644 --- a/fs/autofs/waitq.c +++ b/fs/autofs/waitq.c @@ -35,8 +35,9 @@ void autofs_catatonic_mode(struct autofs_sb_info *sbi) wq->status = -ENOENT; /* Magic is gone - report failure */ kfree(wq->name.name); wq->name.name = NULL; - wq->wait_ctr--; wake_up_interruptible(&wq->queue); + if (!--wq->wait_ctr) + kfree(wq); wq = nwq; } fput(sbi->pipe); /* Close the pipe */ -- 2.40.1

2 years, 1 month

1
1
0 0

[PATCH AUTOSEL 5.4 1/3] autofs: fix memory leak of waitqueues in autofs_catatonic_mode

by Sasha Levin

From: Fedor Pchelkin <pchelkin(a)ispras.ru> [ Upstream commit ccbe77f7e45dfb4420f7f531b650c00c6e9c7507 ] Syzkaller reports a memory leak: BUG: memory leak unreferenced object 0xffff88810b279e00 (size 96): comm "syz-executor399", pid 3631, jiffies 4294964921 (age 23.870s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 08 9e 27 0b 81 88 ff ff ..........'..... 08 9e 27 0b 81 88 ff ff 00 00 00 00 00 00 00 00 ..'............. backtrace: [<ffffffff814cfc90>] kmalloc_trace+0x20/0x90 mm/slab_common.c:1046 [<ffffffff81bb75ca>] kmalloc include/linux/slab.h:576 [inline] [<ffffffff81bb75ca>] autofs_wait+0x3fa/0x9a0 fs/autofs/waitq.c:378 [<ffffffff81bb88a7>] autofs_do_expire_multi+0xa7/0x3e0 fs/autofs/expire.c:593 [<ffffffff81bb8c33>] autofs_expire_multi+0x53/0x80 fs/autofs/expire.c:619 [<ffffffff81bb6972>] autofs_root_ioctl_unlocked+0x322/0x3b0 fs/autofs/root.c:897 [<ffffffff81bb6a95>] autofs_root_ioctl+0x25/0x30 fs/autofs/root.c:910 [<ffffffff81602a9c>] vfs_ioctl fs/ioctl.c:51 [inline] [<ffffffff81602a9c>] __do_sys_ioctl fs/ioctl.c:870 [inline] [<ffffffff81602a9c>] __se_sys_ioctl fs/ioctl.c:856 [inline] [<ffffffff81602a9c>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:856 [<ffffffff84608225>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [<ffffffff84608225>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 [<ffffffff84800087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd autofs_wait_queue structs should be freed if their wait_ctr becomes zero. Otherwise they will be lost. In this case an AUTOFS_IOC_EXPIRE_MULTI ioctl is done, then a new waitqueue struct is allocated in autofs_wait(), its initial wait_ctr equals 2. After that wait_event_killable() is interrupted (it returns -ERESTARTSYS), so that 'wq->name.name == NULL' condition may be not satisfied. Actually, this condition can be satisfied when autofs_wait_release() or autofs_catatonic_mode() is called and, what is also important, wait_ctr is decremented in those places. Upon the exit of autofs_wait(), wait_ctr is decremented to 1. Then the unmounting process begins: kill_sb calls autofs_catatonic_mode(), which should have freed the waitqueues, but it only decrements its usage counter to zero which is not a correct behaviour. edit:imk This description is of course not correct. The umount performed as a result of an expire is a umount of a mount that has been automounted, it's not the autofs mount itself. They happen independently, usually after everything mounted within the autofs file system has been expired away. If everything hasn't been expired away the automount daemon can still exit leaving mounts in place. But expires done in both cases will result in a notification that calls autofs_wait_release() with a result status. The problem case is the summary execution of of the automount daemon. In this case any waiting processes won't be woken up until either they are terminated or the mount is umounted. end edit: imk So in catatonic mode we should free waitqueues which counter becomes zero. edit: imk Initially I was concerned that the calling of autofs_wait_release() and autofs_catatonic_mode() was not mutually exclusive but that can't be the case (obviously) because the queue entry (or entries) is removed from the list when either of these two functions are called. Consequently the wait entry will be freed by only one of these functions or by the woken process in autofs_wait() depending on the order of the calls. end edit: imk Reported-by: syzbot+5e53f70e69ff0c0a1c0c(a)syzkaller.appspotmail.com Suggested-by: Takeshi Misawa <jeliantsurux(a)gmail.com> Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> Signed-off-by: Alexey Khoroshilov <khoroshilov(a)ispras.ru> Signed-off-by: Ian Kent <raven(a)themaw.net> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Andrei Vagin <avagin(a)gmail.com> Cc: autofs(a)vger.kernel.org Cc: linux-kernel(a)vger.kernel.org Message-Id: <169112719161.7590.6700123246297365841.stgit(a)donald.themaw.net> Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/autofs/waitq.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/autofs/waitq.c b/fs/autofs/waitq.c index b04c528b19d34..1230bdf329898 100644 --- a/fs/autofs/waitq.c +++ b/fs/autofs/waitq.c @@ -32,8 +32,9 @@ void autofs_catatonic_mode(struct autofs_sb_info *sbi) wq->status = -ENOENT; /* Magic is gone - report failure */ kfree(wq->name.name); wq->name.name = NULL; - wq->wait_ctr--; wake_up_interruptible(&wq->queue); + if (!--wq->wait_ctr) + kfree(wq); wq = nwq; } fput(sbi->pipe); /* Close the pipe */ -- 2.40.1

2 years, 1 month

1
2
0 0

[PATCH AUTOSEL 5.10 1/3] autofs: fix memory leak of waitqueues in autofs_catatonic_mode

by Sasha Levin

From: Fedor Pchelkin <pchelkin(a)ispras.ru> [ Upstream commit ccbe77f7e45dfb4420f7f531b650c00c6e9c7507 ] Syzkaller reports a memory leak: BUG: memory leak unreferenced object 0xffff88810b279e00 (size 96): comm "syz-executor399", pid 3631, jiffies 4294964921 (age 23.870s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 08 9e 27 0b 81 88 ff ff ..........'..... 08 9e 27 0b 81 88 ff ff 00 00 00 00 00 00 00 00 ..'............. backtrace: [<ffffffff814cfc90>] kmalloc_trace+0x20/0x90 mm/slab_common.c:1046 [<ffffffff81bb75ca>] kmalloc include/linux/slab.h:576 [inline] [<ffffffff81bb75ca>] autofs_wait+0x3fa/0x9a0 fs/autofs/waitq.c:378 [<ffffffff81bb88a7>] autofs_do_expire_multi+0xa7/0x3e0 fs/autofs/expire.c:593 [<ffffffff81bb8c33>] autofs_expire_multi+0x53/0x80 fs/autofs/expire.c:619 [<ffffffff81bb6972>] autofs_root_ioctl_unlocked+0x322/0x3b0 fs/autofs/root.c:897 [<ffffffff81bb6a95>] autofs_root_ioctl+0x25/0x30 fs/autofs/root.c:910 [<ffffffff81602a9c>] vfs_ioctl fs/ioctl.c:51 [inline] [<ffffffff81602a9c>] __do_sys_ioctl fs/ioctl.c:870 [inline] [<ffffffff81602a9c>] __se_sys_ioctl fs/ioctl.c:856 [inline] [<ffffffff81602a9c>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:856 [<ffffffff84608225>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [<ffffffff84608225>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 [<ffffffff84800087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd autofs_wait_queue structs should be freed if their wait_ctr becomes zero. Otherwise they will be lost. In this case an AUTOFS_IOC_EXPIRE_MULTI ioctl is done, then a new waitqueue struct is allocated in autofs_wait(), its initial wait_ctr equals 2. After that wait_event_killable() is interrupted (it returns -ERESTARTSYS), so that 'wq->name.name == NULL' condition may be not satisfied. Actually, this condition can be satisfied when autofs_wait_release() or autofs_catatonic_mode() is called and, what is also important, wait_ctr is decremented in those places. Upon the exit of autofs_wait(), wait_ctr is decremented to 1. Then the unmounting process begins: kill_sb calls autofs_catatonic_mode(), which should have freed the waitqueues, but it only decrements its usage counter to zero which is not a correct behaviour. edit:imk This description is of course not correct. The umount performed as a result of an expire is a umount of a mount that has been automounted, it's not the autofs mount itself. They happen independently, usually after everything mounted within the autofs file system has been expired away. If everything hasn't been expired away the automount daemon can still exit leaving mounts in place. But expires done in both cases will result in a notification that calls autofs_wait_release() with a result status. The problem case is the summary execution of of the automount daemon. In this case any waiting processes won't be woken up until either they are terminated or the mount is umounted. end edit: imk So in catatonic mode we should free waitqueues which counter becomes zero. edit: imk Initially I was concerned that the calling of autofs_wait_release() and autofs_catatonic_mode() was not mutually exclusive but that can't be the case (obviously) because the queue entry (or entries) is removed from the list when either of these two functions are called. Consequently the wait entry will be freed by only one of these functions or by the woken process in autofs_wait() depending on the order of the calls. end edit: imk Reported-by: syzbot+5e53f70e69ff0c0a1c0c(a)syzkaller.appspotmail.com Suggested-by: Takeshi Misawa <jeliantsurux(a)gmail.com> Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> Signed-off-by: Alexey Khoroshilov <khoroshilov(a)ispras.ru> Signed-off-by: Ian Kent <raven(a)themaw.net> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Andrei Vagin <avagin(a)gmail.com> Cc: autofs(a)vger.kernel.org Cc: linux-kernel(a)vger.kernel.org Message-Id: <169112719161.7590.6700123246297365841.stgit(a)donald.themaw.net> Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/autofs/waitq.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/autofs/waitq.c b/fs/autofs/waitq.c index 5ced859dac539..dd479198310e8 100644 --- a/fs/autofs/waitq.c +++ b/fs/autofs/waitq.c @@ -32,8 +32,9 @@ void autofs_catatonic_mode(struct autofs_sb_info *sbi) wq->status = -ENOENT; /* Magic is gone - report failure */ kfree(wq->name.name); wq->name.name = NULL; - wq->wait_ctr--; wake_up_interruptible(&wq->queue); + if (!--wq->wait_ctr) + kfree(wq); wq = nwq; } fput(sbi->pipe); /* Close the pipe */ -- 2.40.1

2 years, 1 month

1
2
0 0

[PATCH AUTOSEL 5.15 1/3] autofs: fix memory leak of waitqueues in autofs_catatonic_mode

by Sasha Levin

From: Fedor Pchelkin <pchelkin(a)ispras.ru> [ Upstream commit ccbe77f7e45dfb4420f7f531b650c00c6e9c7507 ] Syzkaller reports a memory leak: BUG: memory leak unreferenced object 0xffff88810b279e00 (size 96): comm "syz-executor399", pid 3631, jiffies 4294964921 (age 23.870s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 08 9e 27 0b 81 88 ff ff ..........'..... 08 9e 27 0b 81 88 ff ff 00 00 00 00 00 00 00 00 ..'............. backtrace: [<ffffffff814cfc90>] kmalloc_trace+0x20/0x90 mm/slab_common.c:1046 [<ffffffff81bb75ca>] kmalloc include/linux/slab.h:576 [inline] [<ffffffff81bb75ca>] autofs_wait+0x3fa/0x9a0 fs/autofs/waitq.c:378 [<ffffffff81bb88a7>] autofs_do_expire_multi+0xa7/0x3e0 fs/autofs/expire.c:593 [<ffffffff81bb8c33>] autofs_expire_multi+0x53/0x80 fs/autofs/expire.c:619 [<ffffffff81bb6972>] autofs_root_ioctl_unlocked+0x322/0x3b0 fs/autofs/root.c:897 [<ffffffff81bb6a95>] autofs_root_ioctl+0x25/0x30 fs/autofs/root.c:910 [<ffffffff81602a9c>] vfs_ioctl fs/ioctl.c:51 [inline] [<ffffffff81602a9c>] __do_sys_ioctl fs/ioctl.c:870 [inline] [<ffffffff81602a9c>] __se_sys_ioctl fs/ioctl.c:856 [inline] [<ffffffff81602a9c>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:856 [<ffffffff84608225>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [<ffffffff84608225>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 [<ffffffff84800087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd autofs_wait_queue structs should be freed if their wait_ctr becomes zero. Otherwise they will be lost. In this case an AUTOFS_IOC_EXPIRE_MULTI ioctl is done, then a new waitqueue struct is allocated in autofs_wait(), its initial wait_ctr equals 2. After that wait_event_killable() is interrupted (it returns -ERESTARTSYS), so that 'wq->name.name == NULL' condition may be not satisfied. Actually, this condition can be satisfied when autofs_wait_release() or autofs_catatonic_mode() is called and, what is also important, wait_ctr is decremented in those places. Upon the exit of autofs_wait(), wait_ctr is decremented to 1. Then the unmounting process begins: kill_sb calls autofs_catatonic_mode(), which should have freed the waitqueues, but it only decrements its usage counter to zero which is not a correct behaviour. edit:imk This description is of course not correct. The umount performed as a result of an expire is a umount of a mount that has been automounted, it's not the autofs mount itself. They happen independently, usually after everything mounted within the autofs file system has been expired away. If everything hasn't been expired away the automount daemon can still exit leaving mounts in place. But expires done in both cases will result in a notification that calls autofs_wait_release() with a result status. The problem case is the summary execution of of the automount daemon. In this case any waiting processes won't be woken up until either they are terminated or the mount is umounted. end edit: imk So in catatonic mode we should free waitqueues which counter becomes zero. edit: imk Initially I was concerned that the calling of autofs_wait_release() and autofs_catatonic_mode() was not mutually exclusive but that can't be the case (obviously) because the queue entry (or entries) is removed from the list when either of these two functions are called. Consequently the wait entry will be freed by only one of these functions or by the woken process in autofs_wait() depending on the order of the calls. end edit: imk Reported-by: syzbot+5e53f70e69ff0c0a1c0c(a)syzkaller.appspotmail.com Suggested-by: Takeshi Misawa <jeliantsurux(a)gmail.com> Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> Signed-off-by: Alexey Khoroshilov <khoroshilov(a)ispras.ru> Signed-off-by: Ian Kent <raven(a)themaw.net> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Andrei Vagin <avagin(a)gmail.com> Cc: autofs(a)vger.kernel.org Cc: linux-kernel(a)vger.kernel.org Message-Id: <169112719161.7590.6700123246297365841.stgit(a)donald.themaw.net> Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/autofs/waitq.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/autofs/waitq.c b/fs/autofs/waitq.c index 54c1f8b8b0757..efdc76732faed 100644 --- a/fs/autofs/waitq.c +++ b/fs/autofs/waitq.c @@ -32,8 +32,9 @@ void autofs_catatonic_mode(struct autofs_sb_info *sbi) wq->status = -ENOENT; /* Magic is gone - report failure */ kfree(wq->name.name - wq->offset); wq->name.name = NULL; - wq->wait_ctr--; wake_up_interruptible(&wq->queue); + if (!--wq->wait_ctr) + kfree(wq); wq = nwq; } fput(sbi->pipe); /* Close the pipe */ -- 2.40.1

2 years, 1 month

1
2
0 0

FAILED: patch "[PATCH] memfd: replace ratcheting feature from vm.memfd_noexec with" failed to apply to 6.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.4.y git checkout FETCH_HEAD git cherry-pick -x 9876cfe8ec1cb3c88de31f4d58d57b0e7e22bcc4 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2023090700-zippy-raven-214b@gregkh' --subject-prefix 'PATCH 6.4.y' HEAD^.. Possible dependencies: 9876cfe8ec1c ("memfd: replace ratcheting feature from vm.memfd_noexec with hierarchy") 202e14222fad ("memfd: do not -EACCES old memfd_create() users with vm.memfd_noexec=2") badbbcd76545 ("selftests/memfd: sysctl: fix MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED") 72de25913022 ("mm/memfd: sysctl: fix MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED") 3efd33b75358 ("kernel: pid_namespace: remove unused set_memfd_noexec_scope()") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9876cfe8ec1cb3c88de31f4d58d57b0e7e22bcc4 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <cyphar(a)cyphar.com> Date: Mon, 14 Aug 2023 18:41:00 +1000 Subject: [PATCH] memfd: replace ratcheting feature from vm.memfd_noexec with hierarchy This sysctl has the very unusual behaviour of not allowing any user (even CAP_SYS_ADMIN) to reduce the restriction setting, meaning that if you were to set this sysctl to a more restrictive option in the host pidns you would need to reboot your machine in order to reset it. The justification given in [1] is that this is a security feature and thus it should not be possible to disable. Aside from the fact that we have plenty of security-related sysctls that can be disabled after being enabled (fs.protected_symlinks for instance), the protection provided by the sysctl is to stop users from being able to create a binary and then execute it. A user with CAP_SYS_ADMIN can trivially do this without memfd_create(2): % cat mount-memfd.c #include <fcntl.h> #include <string.h> #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <linux/mount.h> #define SHELLCODE "#!/bin/echo this file was executed from this totally private tmpfs:" int main(void) { int fsfd = fsopen("tmpfs", FSOPEN_CLOEXEC); assert(fsfd >= 0); assert(!fsconfig(fsfd, FSCONFIG_CMD_CREATE, NULL, NULL, 2)); int dfd = fsmount(fsfd, FSMOUNT_CLOEXEC, 0); assert(dfd >= 0); int execfd = openat(dfd, "exe", O_CREAT | O_RDWR | O_CLOEXEC, 0782); assert(execfd >= 0); assert(write(execfd, SHELLCODE, strlen(SHELLCODE)) == strlen(SHELLCODE)); assert(!close(execfd)); char *execpath = NULL; char *argv[] = { "bad-exe", NULL }, *envp[] = { NULL }; execfd = openat(dfd, "exe", O_PATH | O_CLOEXEC); assert(execfd >= 0); assert(asprintf(&execpath, "/proc/self/fd/%d", execfd) > 0); assert(!execve(execpath, argv, envp)); } % ./mount-memfd this file was executed from this totally private tmpfs: /proc/self/fd/5 % Given that it is possible for CAP_SYS_ADMIN users to create executable binaries without memfd_create(2) and without touching the host filesystem (not to mention the many other things a CAP_SYS_ADMIN process would be able to do that would be equivalent or worse), it seems strange to cause a fair amount of headache to admins when there doesn't appear to be an actual security benefit to blocking this. There appear to be concerns about confused-deputy-esque attacks[2] but a confused deputy that can write to arbitrary sysctls is a bigger security issue than executable memfds. /* New API */ The primary requirement from the original author appears to be more based on the need to be able to restrict an entire system in a hierarchical manner[3], such that child namespaces cannot re-enable executable memfds. So, implement that behaviour explicitly -- the vm.memfd_noexec scope is evaluated up the pidns tree to &init_pid_ns and you have the most restrictive value applied to you. The new lower limit you can set vm.memfd_noexec is whatever limit applies to your parent. Note that a pidns will inherit a copy of the parent pidns's effective vm.memfd_noexec setting at unshare() time. This matches the existing behaviour, and it also ensures that a pidns will never have its vm.memfd_noexec setting *lowered* behind its back (but it will be raised if the parent raises theirs). /* Backwards Compatibility */ As the previous version of the sysctl didn't allow you to lower the setting at all, there are no backwards compatibility issues with this aspect of the change. However it should be noted that now that the setting is completely hierarchical. Previously, a cloned pidns would just copy the current pidns setting, meaning that if the parent's vm.memfd_noexec was changed it wouldn't propoagate to existing pid namespaces. Now, the restriction applies recursively. This is a uAPI change, however: * The sysctl is very new, having been merged in 6.3. * Several aspects of the sysctl were broken up until this patchset and the other patchset by Jeff Xu last month. And thus it seems incredibly unlikely that any real users would run into this issue. In the worst case, if this causes userspace isues we could make it so that modifying the setting follows the hierarchical rules but the restriction checking uses the cached copy. [1]: https://lore.kernel.org/CABi2SkWnAgHK1i6iqSqPMYuNEhtHBkO8jUuCvmG3RmUB5TKHJw… [2]: https://lore.kernel.org/CALmYWFs_dNCzw_pW1yRAo4bGCPEtykroEQaowNULp7svwMLjOg… [3]: https://lore.kernel.org/CALmYWFuahdUF7cT4cm7_TGLqPanuHXJ-hVSfZt7vpTnc18DPrw… Link: https://lkml.kernel.org/r/20230814-memfd-vm-noexec-uapi-fixes-v2-4-7ff9e3e1… Fixes: 105ff5339f49 ("mm/memfd: add MFD_NOEXEC_SEAL and MFD_EXEC") Signed-off-by: Aleksa Sarai <cyphar(a)cyphar.com> Cc: Dominique Martinet <asmadeus(a)codewreck.org> Cc: Christian Brauner <brauner(a)kernel.org> Cc: Daniel Verkamp <dverkamp(a)chromium.org> Cc: Jeff Xu <jeffxu(a)google.com> Cc: Kees Cook <keescook(a)chromium.org> Cc: Shuah Khan <shuah(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/pid_namespace.h b/include/linux/pid_namespace.h index 53974d79d98e..f9f9931e02d6 100644 --- a/include/linux/pid_namespace.h +++ b/include/linux/pid_namespace.h @@ -39,7 +39,6 @@ struct pid_namespace { int reboot; /* group exit code if this pidns was rebooted */ struct ns_common ns; #if defined(CONFIG_SYSCTL) && defined(CONFIG_MEMFD_CREATE) - /* sysctl for vm.memfd_noexec */ int memfd_noexec_scope; #endif } __randomize_layout; @@ -56,6 +55,23 @@ static inline struct pid_namespace *get_pid_ns(struct pid_namespace *ns) return ns; } +#if defined(CONFIG_SYSCTL) && defined(CONFIG_MEMFD_CREATE) +static inline int pidns_memfd_noexec_scope(struct pid_namespace *ns) +{ + int scope = MEMFD_NOEXEC_SCOPE_EXEC; + + for (; ns; ns = ns->parent) + scope = max(scope, READ_ONCE(ns->memfd_noexec_scope)); + + return scope; +} +#else +static inline int pidns_memfd_noexec_scope(struct pid_namespace *ns) +{ + return 0; +} +#endif + extern struct pid_namespace *copy_pid_ns(unsigned long flags, struct user_namespace *user_ns, struct pid_namespace *ns); extern void zap_pid_ns_processes(struct pid_namespace *pid_ns); @@ -70,6 +86,11 @@ static inline struct pid_namespace *get_pid_ns(struct pid_namespace *ns) return ns; } +static inline int pidns_memfd_noexec_scope(struct pid_namespace *ns) +{ + return 0; +} + static inline struct pid_namespace *copy_pid_ns(unsigned long flags, struct user_namespace *user_ns, struct pid_namespace *ns) { diff --git a/kernel/pid.c b/kernel/pid.c index 6a1d23a11026..fee14a4486a3 100644 --- a/kernel/pid.c +++ b/kernel/pid.c @@ -83,6 +83,9 @@ struct pid_namespace init_pid_ns = { #ifdef CONFIG_PID_NS .ns.ops = &pidns_operations, #endif +#if defined(CONFIG_SYSCTL) && defined(CONFIG_MEMFD_CREATE) + .memfd_noexec_scope = MEMFD_NOEXEC_SCOPE_EXEC, +#endif }; EXPORT_SYMBOL_GPL(init_pid_ns); diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c index 0bf44afe04dd..619972c78774 100644 --- a/kernel/pid_namespace.c +++ b/kernel/pid_namespace.c @@ -110,9 +110,9 @@ static struct pid_namespace *create_pid_namespace(struct user_namespace *user_ns ns->user_ns = get_user_ns(user_ns); ns->ucounts = ucounts; ns->pid_allocated = PIDNS_ADDING; - - initialize_memfd_noexec_scope(ns); - +#if defined(CONFIG_SYSCTL) && defined(CONFIG_MEMFD_CREATE) + ns->memfd_noexec_scope = pidns_memfd_noexec_scope(parent_pid_ns); +#endif return ns; out_free_idr: diff --git a/kernel/pid_sysctl.h b/kernel/pid_sysctl.h index b26e027fc9cd..2ee41a3a1dfd 100644 --- a/kernel/pid_sysctl.h +++ b/kernel/pid_sysctl.h @@ -5,33 +5,30 @@ #include <linux/pid_namespace.h> #if defined(CONFIG_SYSCTL) && defined(CONFIG_MEMFD_CREATE) -static inline void initialize_memfd_noexec_scope(struct pid_namespace *ns) -{ - ns->memfd_noexec_scope = - task_active_pid_ns(current)->memfd_noexec_scope; -} - static int pid_mfd_noexec_dointvec_minmax(struct ctl_table *table, int write, void *buf, size_t *lenp, loff_t *ppos) { struct pid_namespace *ns = task_active_pid_ns(current); struct ctl_table table_copy; + int err, scope, parent_scope; if (write && !ns_capable(ns->user_ns, CAP_SYS_ADMIN)) return -EPERM; table_copy = *table; - if (ns != &init_pid_ns) - table_copy.data = &ns->memfd_noexec_scope; - /* - * set minimum to current value, the effect is only bigger - * value is accepted. - */ - if (*(int *)table_copy.data > *(int *)table_copy.extra1) - table_copy.extra1 = table_copy.data; + /* You cannot set a lower enforcement value than your parent. */ + parent_scope = pidns_memfd_noexec_scope(ns->parent); + /* Equivalent to pidns_memfd_noexec_scope(ns). */ + scope = max(READ_ONCE(ns->memfd_noexec_scope), parent_scope); + + table_copy.data = &scope; + table_copy.extra1 = &parent_scope; - return proc_dointvec_minmax(&table_copy, write, buf, lenp, ppos); + err = proc_dointvec_minmax(&table_copy, write, buf, lenp, ppos); + if (!err && write) + WRITE_ONCE(ns->memfd_noexec_scope, scope); + return err; } static struct ctl_table pid_ns_ctl_table_vm[] = { @@ -51,7 +48,6 @@ static inline void register_pid_ns_sysctl_table_vm(void) register_sysctl("vm", pid_ns_ctl_table_vm); } #else -static inline void initialize_memfd_noexec_scope(struct pid_namespace *ns) {} static inline void register_pid_ns_sysctl_table_vm(void) {} #endif diff --git a/mm/memfd.c b/mm/memfd.c index aa46521057ab..1cad1904fc26 100644 --- a/mm/memfd.c +++ b/mm/memfd.c @@ -271,7 +271,8 @@ long memfd_fcntl(struct file *file, unsigned int cmd, unsigned int arg) static int check_sysctl_memfd_noexec(unsigned int *flags) { #ifdef CONFIG_SYSCTL - int sysctl = task_active_pid_ns(current)->memfd_noexec_scope; + struct pid_namespace *ns = task_active_pid_ns(current); + int sysctl = pidns_memfd_noexec_scope(ns); if (!(*flags & (MFD_EXEC | MFD_NOEXEC_SEAL))) { if (sysctl >= MEMFD_NOEXEC_SCOPE_NOEXEC_SEAL)

2 years, 1 month

1
0
0 0

FAILED: patch "[PATCH] memfd: replace ratcheting feature from vm.memfd_noexec with" failed to apply to 6.5-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.5-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.5.y git checkout FETCH_HEAD git cherry-pick -x 9876cfe8ec1cb3c88de31f4d58d57b0e7e22bcc4 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2023090753-unashamed-carnival-1476@gregkh' --subject-prefix 'PATCH 6.5.y' HEAD^.. Possible dependencies: 9876cfe8ec1c ("memfd: replace ratcheting feature from vm.memfd_noexec with hierarchy") 202e14222fad ("memfd: do not -EACCES old memfd_create() users with vm.memfd_noexec=2") badbbcd76545 ("selftests/memfd: sysctl: fix MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED") 72de25913022 ("mm/memfd: sysctl: fix MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9876cfe8ec1cb3c88de31f4d58d57b0e7e22bcc4 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <cyphar(a)cyphar.com> Date: Mon, 14 Aug 2023 18:41:00 +1000 Subject: [PATCH] memfd: replace ratcheting feature from vm.memfd_noexec with hierarchy This sysctl has the very unusual behaviour of not allowing any user (even CAP_SYS_ADMIN) to reduce the restriction setting, meaning that if you were to set this sysctl to a more restrictive option in the host pidns you would need to reboot your machine in order to reset it. The justification given in [1] is that this is a security feature and thus it should not be possible to disable. Aside from the fact that we have plenty of security-related sysctls that can be disabled after being enabled (fs.protected_symlinks for instance), the protection provided by the sysctl is to stop users from being able to create a binary and then execute it. A user with CAP_SYS_ADMIN can trivially do this without memfd_create(2): % cat mount-memfd.c #include <fcntl.h> #include <string.h> #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <linux/mount.h> #define SHELLCODE "#!/bin/echo this file was executed from this totally private tmpfs:" int main(void) { int fsfd = fsopen("tmpfs", FSOPEN_CLOEXEC); assert(fsfd >= 0); assert(!fsconfig(fsfd, FSCONFIG_CMD_CREATE, NULL, NULL, 2)); int dfd = fsmount(fsfd, FSMOUNT_CLOEXEC, 0); assert(dfd >= 0); int execfd = openat(dfd, "exe", O_CREAT | O_RDWR | O_CLOEXEC, 0782); assert(execfd >= 0); assert(write(execfd, SHELLCODE, strlen(SHELLCODE)) == strlen(SHELLCODE)); assert(!close(execfd)); char *execpath = NULL; char *argv[] = { "bad-exe", NULL }, *envp[] = { NULL }; execfd = openat(dfd, "exe", O_PATH | O_CLOEXEC); assert(execfd >= 0); assert(asprintf(&execpath, "/proc/self/fd/%d", execfd) > 0); assert(!execve(execpath, argv, envp)); } % ./mount-memfd this file was executed from this totally private tmpfs: /proc/self/fd/5 % Given that it is possible for CAP_SYS_ADMIN users to create executable binaries without memfd_create(2) and without touching the host filesystem (not to mention the many other things a CAP_SYS_ADMIN process would be able to do that would be equivalent or worse), it seems strange to cause a fair amount of headache to admins when there doesn't appear to be an actual security benefit to blocking this. There appear to be concerns about confused-deputy-esque attacks[2] but a confused deputy that can write to arbitrary sysctls is a bigger security issue than executable memfds. /* New API */ The primary requirement from the original author appears to be more based on the need to be able to restrict an entire system in a hierarchical manner[3], such that child namespaces cannot re-enable executable memfds. So, implement that behaviour explicitly -- the vm.memfd_noexec scope is evaluated up the pidns tree to &init_pid_ns and you have the most restrictive value applied to you. The new lower limit you can set vm.memfd_noexec is whatever limit applies to your parent. Note that a pidns will inherit a copy of the parent pidns's effective vm.memfd_noexec setting at unshare() time. This matches the existing behaviour, and it also ensures that a pidns will never have its vm.memfd_noexec setting *lowered* behind its back (but it will be raised if the parent raises theirs). /* Backwards Compatibility */ As the previous version of the sysctl didn't allow you to lower the setting at all, there are no backwards compatibility issues with this aspect of the change. However it should be noted that now that the setting is completely hierarchical. Previously, a cloned pidns would just copy the current pidns setting, meaning that if the parent's vm.memfd_noexec was changed it wouldn't propoagate to existing pid namespaces. Now, the restriction applies recursively. This is a uAPI change, however: * The sysctl is very new, having been merged in 6.3. * Several aspects of the sysctl were broken up until this patchset and the other patchset by Jeff Xu last month. And thus it seems incredibly unlikely that any real users would run into this issue. In the worst case, if this causes userspace isues we could make it so that modifying the setting follows the hierarchical rules but the restriction checking uses the cached copy. [1]: https://lore.kernel.org/CABi2SkWnAgHK1i6iqSqPMYuNEhtHBkO8jUuCvmG3RmUB5TKHJw… [2]: https://lore.kernel.org/CALmYWFs_dNCzw_pW1yRAo4bGCPEtykroEQaowNULp7svwMLjOg… [3]: https://lore.kernel.org/CALmYWFuahdUF7cT4cm7_TGLqPanuHXJ-hVSfZt7vpTnc18DPrw… Link: https://lkml.kernel.org/r/20230814-memfd-vm-noexec-uapi-fixes-v2-4-7ff9e3e1… Fixes: 105ff5339f49 ("mm/memfd: add MFD_NOEXEC_SEAL and MFD_EXEC") Signed-off-by: Aleksa Sarai <cyphar(a)cyphar.com> Cc: Dominique Martinet <asmadeus(a)codewreck.org> Cc: Christian Brauner <brauner(a)kernel.org> Cc: Daniel Verkamp <dverkamp(a)chromium.org> Cc: Jeff Xu <jeffxu(a)google.com> Cc: Kees Cook <keescook(a)chromium.org> Cc: Shuah Khan <shuah(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/pid_namespace.h b/include/linux/pid_namespace.h index 53974d79d98e..f9f9931e02d6 100644 --- a/include/linux/pid_namespace.h +++ b/include/linux/pid_namespace.h @@ -39,7 +39,6 @@ struct pid_namespace { int reboot; /* group exit code if this pidns was rebooted */ struct ns_common ns; #if defined(CONFIG_SYSCTL) && defined(CONFIG_MEMFD_CREATE) - /* sysctl for vm.memfd_noexec */ int memfd_noexec_scope; #endif } __randomize_layout; @@ -56,6 +55,23 @@ static inline struct pid_namespace *get_pid_ns(struct pid_namespace *ns) return ns; } +#if defined(CONFIG_SYSCTL) && defined(CONFIG_MEMFD_CREATE) +static inline int pidns_memfd_noexec_scope(struct pid_namespace *ns) +{ + int scope = MEMFD_NOEXEC_SCOPE_EXEC; + + for (; ns; ns = ns->parent) + scope = max(scope, READ_ONCE(ns->memfd_noexec_scope)); + + return scope; +} +#else +static inline int pidns_memfd_noexec_scope(struct pid_namespace *ns) +{ + return 0; +} +#endif + extern struct pid_namespace *copy_pid_ns(unsigned long flags, struct user_namespace *user_ns, struct pid_namespace *ns); extern void zap_pid_ns_processes(struct pid_namespace *pid_ns); @@ -70,6 +86,11 @@ static inline struct pid_namespace *get_pid_ns(struct pid_namespace *ns) return ns; } +static inline int pidns_memfd_noexec_scope(struct pid_namespace *ns) +{ + return 0; +} + static inline struct pid_namespace *copy_pid_ns(unsigned long flags, struct user_namespace *user_ns, struct pid_namespace *ns) { diff --git a/kernel/pid.c b/kernel/pid.c index 6a1d23a11026..fee14a4486a3 100644 --- a/kernel/pid.c +++ b/kernel/pid.c @@ -83,6 +83,9 @@ struct pid_namespace init_pid_ns = { #ifdef CONFIG_PID_NS .ns.ops = &pidns_operations, #endif +#if defined(CONFIG_SYSCTL) && defined(CONFIG_MEMFD_CREATE) + .memfd_noexec_scope = MEMFD_NOEXEC_SCOPE_EXEC, +#endif }; EXPORT_SYMBOL_GPL(init_pid_ns); diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c index 0bf44afe04dd..619972c78774 100644 --- a/kernel/pid_namespace.c +++ b/kernel/pid_namespace.c @@ -110,9 +110,9 @@ static struct pid_namespace *create_pid_namespace(struct user_namespace *user_ns ns->user_ns = get_user_ns(user_ns); ns->ucounts = ucounts; ns->pid_allocated = PIDNS_ADDING; - - initialize_memfd_noexec_scope(ns); - +#if defined(CONFIG_SYSCTL) && defined(CONFIG_MEMFD_CREATE) + ns->memfd_noexec_scope = pidns_memfd_noexec_scope(parent_pid_ns); +#endif return ns; out_free_idr: diff --git a/kernel/pid_sysctl.h b/kernel/pid_sysctl.h index b26e027fc9cd..2ee41a3a1dfd 100644 --- a/kernel/pid_sysctl.h +++ b/kernel/pid_sysctl.h @@ -5,33 +5,30 @@ #include <linux/pid_namespace.h> #if defined(CONFIG_SYSCTL) && defined(CONFIG_MEMFD_CREATE) -static inline void initialize_memfd_noexec_scope(struct pid_namespace *ns) -{ - ns->memfd_noexec_scope = - task_active_pid_ns(current)->memfd_noexec_scope; -} - static int pid_mfd_noexec_dointvec_minmax(struct ctl_table *table, int write, void *buf, size_t *lenp, loff_t *ppos) { struct pid_namespace *ns = task_active_pid_ns(current); struct ctl_table table_copy; + int err, scope, parent_scope; if (write && !ns_capable(ns->user_ns, CAP_SYS_ADMIN)) return -EPERM; table_copy = *table; - if (ns != &init_pid_ns) - table_copy.data = &ns->memfd_noexec_scope; - /* - * set minimum to current value, the effect is only bigger - * value is accepted. - */ - if (*(int *)table_copy.data > *(int *)table_copy.extra1) - table_copy.extra1 = table_copy.data; + /* You cannot set a lower enforcement value than your parent. */ + parent_scope = pidns_memfd_noexec_scope(ns->parent); + /* Equivalent to pidns_memfd_noexec_scope(ns). */ + scope = max(READ_ONCE(ns->memfd_noexec_scope), parent_scope); + + table_copy.data = &scope; + table_copy.extra1 = &parent_scope; - return proc_dointvec_minmax(&table_copy, write, buf, lenp, ppos); + err = proc_dointvec_minmax(&table_copy, write, buf, lenp, ppos); + if (!err && write) + WRITE_ONCE(ns->memfd_noexec_scope, scope); + return err; } static struct ctl_table pid_ns_ctl_table_vm[] = { @@ -51,7 +48,6 @@ static inline void register_pid_ns_sysctl_table_vm(void) register_sysctl("vm", pid_ns_ctl_table_vm); } #else -static inline void initialize_memfd_noexec_scope(struct pid_namespace *ns) {} static inline void register_pid_ns_sysctl_table_vm(void) {} #endif diff --git a/mm/memfd.c b/mm/memfd.c index aa46521057ab..1cad1904fc26 100644 --- a/mm/memfd.c +++ b/mm/memfd.c @@ -271,7 +271,8 @@ long memfd_fcntl(struct file *file, unsigned int cmd, unsigned int arg) static int check_sysctl_memfd_noexec(unsigned int *flags) { #ifdef CONFIG_SYSCTL - int sysctl = task_active_pid_ns(current)->memfd_noexec_scope; + struct pid_namespace *ns = task_active_pid_ns(current); + int sysctl = pidns_memfd_noexec_scope(ns); if (!(*flags & (MFD_EXEC | MFD_NOEXEC_SEAL))) { if (sysctl >= MEMFD_NOEXEC_SCOPE_NOEXEC_SEAL)

2 years, 1 month

1
0
0 0

FAILED: patch "[PATCH] memfd: do not -EACCES old memfd_create() users with" failed to apply to 6.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.4.y git checkout FETCH_HEAD git cherry-pick -x 202e14222fadb246dfdf182e67de1518e86a1e20 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2023090747-scant-detest-aeed@gregkh' --subject-prefix 'PATCH 6.4.y' HEAD^.. Possible dependencies: 202e14222fad ("memfd: do not -EACCES old memfd_create() users with vm.memfd_noexec=2") badbbcd76545 ("selftests/memfd: sysctl: fix MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED") 72de25913022 ("mm/memfd: sysctl: fix MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 202e14222fadb246dfdf182e67de1518e86a1e20 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <cyphar(a)cyphar.com> Date: Mon, 14 Aug 2023 18:40:58 +1000 Subject: [PATCH] memfd: do not -EACCES old memfd_create() users with vm.memfd_noexec=2 Given the difficulty of auditing all of userspace to figure out whether every memfd_create() user has switched to passing MFD_EXEC and MFD_NOEXEC_SEAL flags, it seems far less distruptive to make it possible for older programs that don't make use of executable memfds to run under vm.memfd_noexec=2. Otherwise, a small dependency change can result in spurious errors. For programs that don't use executable memfds, passing MFD_NOEXEC_SEAL is functionally a no-op and thus having the same In addition, every failure under vm.memfd_noexec=2 needs to print to the kernel log so that userspace can figure out where the error came from. The concerns about pr_warn_ratelimited() spam that caused the switch to pr_warn_once()[1,2] do not apply to the vm.memfd_noexec=2 case. This is a user-visible API change, but as it allows programs to do something that would be blocked before, and the sysctl itself was broken and recently released, it seems unlikely this will cause any issues. [1]: https://lore.kernel.org/Y5yS8wCnuYGLHMj4@x1n/ [2]: https://lore.kernel.org/202212161233.85C9783FB@keescook/ Link: https://lkml.kernel.org/r/20230814-memfd-vm-noexec-uapi-fixes-v2-2-7ff9e3e1… Fixes: 105ff5339f49 ("mm/memfd: add MFD_NOEXEC_SEAL and MFD_EXEC") Signed-off-by: Aleksa Sarai <cyphar(a)cyphar.com> Cc: Dominique Martinet <asmadeus(a)codewreck.org> Cc: Christian Brauner <brauner(a)kernel.org> Cc: Daniel Verkamp <dverkamp(a)chromium.org> Cc: Jeff Xu <jeffxu(a)google.com> Cc: Kees Cook <keescook(a)chromium.org> Cc: Shuah Khan <shuah(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/pid_namespace.h b/include/linux/pid_namespace.h index c758809d5bcf..53974d79d98e 100644 --- a/include/linux/pid_namespace.h +++ b/include/linux/pid_namespace.h @@ -17,18 +17,10 @@ struct fs_pin; #if defined(CONFIG_SYSCTL) && defined(CONFIG_MEMFD_CREATE) -/* - * sysctl for vm.memfd_noexec - * 0: memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL - * acts like MFD_EXEC was set. - * 1: memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL - * acts like MFD_NOEXEC_SEAL was set. - * 2: memfd_create() without MFD_NOEXEC_SEAL will be - * rejected. - */ -#define MEMFD_NOEXEC_SCOPE_EXEC 0 -#define MEMFD_NOEXEC_SCOPE_NOEXEC_SEAL 1 -#define MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED 2 +/* modes for vm.memfd_noexec sysctl */ +#define MEMFD_NOEXEC_SCOPE_EXEC 0 /* MFD_EXEC implied if unset */ +#define MEMFD_NOEXEC_SCOPE_NOEXEC_SEAL 1 /* MFD_NOEXEC_SEAL implied if unset */ +#define MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED 2 /* same as 1, except MFD_EXEC rejected */ #endif struct pid_namespace { diff --git a/mm/memfd.c b/mm/memfd.c index 0bdbd2335af7..d65485c762de 100644 --- a/mm/memfd.c +++ b/mm/memfd.c @@ -271,30 +271,22 @@ long memfd_fcntl(struct file *file, unsigned int cmd, unsigned int arg) static int check_sysctl_memfd_noexec(unsigned int *flags) { #ifdef CONFIG_SYSCTL - char comm[TASK_COMM_LEN]; - int sysctl = MEMFD_NOEXEC_SCOPE_EXEC; - struct pid_namespace *ns; - - ns = task_active_pid_ns(current); - if (ns) - sysctl = ns->memfd_noexec_scope; + int sysctl = task_active_pid_ns(current)->memfd_noexec_scope; if (!(*flags & (MFD_EXEC | MFD_NOEXEC_SEAL))) { - if (sysctl == MEMFD_NOEXEC_SCOPE_NOEXEC_SEAL) + if (sysctl >= MEMFD_NOEXEC_SCOPE_NOEXEC_SEAL) *flags |= MFD_NOEXEC_SEAL; else *flags |= MFD_EXEC; } - if (*flags & MFD_EXEC && sysctl >= MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED) { - pr_warn_once( - "memfd_create(): MFD_NOEXEC_SEAL is enforced, pid=%d '%s'\n", - task_pid_nr(current), get_task_comm(comm, current)); - + if (!(*flags & MFD_NOEXEC_SEAL) && sysctl >= MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED) { + pr_err_ratelimited( + "%s[%d]: memfd_create() requires MFD_NOEXEC_SEAL with vm.memfd_noexec=%d\n", + current->comm, task_pid_nr(current), sysctl); return -EACCES; } #endif - return 0; } @@ -302,7 +294,6 @@ SYSCALL_DEFINE2(memfd_create, const char __user *, uname, unsigned int, flags) { - char comm[TASK_COMM_LEN]; unsigned int *file_seals; struct file *file; int fd, error; @@ -325,12 +316,13 @@ SYSCALL_DEFINE2(memfd_create, if (!(flags & (MFD_EXEC | MFD_NOEXEC_SEAL))) { pr_warn_once( - "memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=%d '%s'\n", - task_pid_nr(current), get_task_comm(comm, current)); + "%s[%d]: memfd_create() called without MFD_EXEC or MFD_NOEXEC_SEAL set\n", + current->comm, task_pid_nr(current)); } - if (check_sysctl_memfd_noexec(&flags) < 0) - return -EACCES; + error = check_sysctl_memfd_noexec(&flags); + if (error < 0) + return error; /* length includes terminating zero */ len = strnlen_user(uname, MFD_NAME_MAX_LEN + 1); diff --git a/tools/testing/selftests/memfd/memfd_test.c b/tools/testing/selftests/memfd/memfd_test.c index 8eb49204f9ea..8b7390ad81d1 100644 --- a/tools/testing/selftests/memfd/memfd_test.c +++ b/tools/testing/selftests/memfd/memfd_test.c @@ -1145,11 +1145,23 @@ static void test_sysctl_child(void) printf("%s sysctl 2\n", memfd_str); sysctl_assert_write("2"); - mfd_fail_new("kern_memfd_sysctl_2", - MFD_CLOEXEC | MFD_ALLOW_SEALING); - mfd_fail_new("kern_memfd_sysctl_2_MFD_EXEC", - MFD_CLOEXEC | MFD_EXEC); - fd = mfd_assert_new("", 0, MFD_NOEXEC_SEAL); + mfd_fail_new("kern_memfd_sysctl_2_exec", + MFD_EXEC | MFD_CLOEXEC | MFD_ALLOW_SEALING); + + fd = mfd_assert_new("kern_memfd_sysctl_2_dfl", + mfd_def_size, + MFD_CLOEXEC | MFD_ALLOW_SEALING); + mfd_assert_mode(fd, 0666); + mfd_assert_has_seals(fd, F_SEAL_EXEC); + mfd_fail_chmod(fd, 0777); + close(fd); + + fd = mfd_assert_new("kern_memfd_sysctl_2_noexec_seal", + mfd_def_size, + MFD_NOEXEC_SEAL | MFD_CLOEXEC | MFD_ALLOW_SEALING); + mfd_assert_mode(fd, 0666); + mfd_assert_has_seals(fd, F_SEAL_EXEC); + mfd_fail_chmod(fd, 0777); close(fd); sysctl_fail_write("0");

2 years, 1 month

1
0
0 0

FAILED: patch "[PATCH] memfd: do not -EACCES old memfd_create() users with" failed to apply to 6.5-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.5-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.5.y git checkout FETCH_HEAD git cherry-pick -x 202e14222fadb246dfdf182e67de1518e86a1e20 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2023090745-depict-kinswoman-9083@gregkh' --subject-prefix 'PATCH 6.5.y' HEAD^.. Possible dependencies: 202e14222fad ("memfd: do not -EACCES old memfd_create() users with vm.memfd_noexec=2") badbbcd76545 ("selftests/memfd: sysctl: fix MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED") 72de25913022 ("mm/memfd: sysctl: fix MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 202e14222fadb246dfdf182e67de1518e86a1e20 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <cyphar(a)cyphar.com> Date: Mon, 14 Aug 2023 18:40:58 +1000 Subject: [PATCH] memfd: do not -EACCES old memfd_create() users with vm.memfd_noexec=2 Given the difficulty of auditing all of userspace to figure out whether every memfd_create() user has switched to passing MFD_EXEC and MFD_NOEXEC_SEAL flags, it seems far less distruptive to make it possible for older programs that don't make use of executable memfds to run under vm.memfd_noexec=2. Otherwise, a small dependency change can result in spurious errors. For programs that don't use executable memfds, passing MFD_NOEXEC_SEAL is functionally a no-op and thus having the same In addition, every failure under vm.memfd_noexec=2 needs to print to the kernel log so that userspace can figure out where the error came from. The concerns about pr_warn_ratelimited() spam that caused the switch to pr_warn_once()[1,2] do not apply to the vm.memfd_noexec=2 case. This is a user-visible API change, but as it allows programs to do something that would be blocked before, and the sysctl itself was broken and recently released, it seems unlikely this will cause any issues. [1]: https://lore.kernel.org/Y5yS8wCnuYGLHMj4@x1n/ [2]: https://lore.kernel.org/202212161233.85C9783FB@keescook/ Link: https://lkml.kernel.org/r/20230814-memfd-vm-noexec-uapi-fixes-v2-2-7ff9e3e1… Fixes: 105ff5339f49 ("mm/memfd: add MFD_NOEXEC_SEAL and MFD_EXEC") Signed-off-by: Aleksa Sarai <cyphar(a)cyphar.com> Cc: Dominique Martinet <asmadeus(a)codewreck.org> Cc: Christian Brauner <brauner(a)kernel.org> Cc: Daniel Verkamp <dverkamp(a)chromium.org> Cc: Jeff Xu <jeffxu(a)google.com> Cc: Kees Cook <keescook(a)chromium.org> Cc: Shuah Khan <shuah(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/pid_namespace.h b/include/linux/pid_namespace.h index c758809d5bcf..53974d79d98e 100644 --- a/include/linux/pid_namespace.h +++ b/include/linux/pid_namespace.h @@ -17,18 +17,10 @@ struct fs_pin; #if defined(CONFIG_SYSCTL) && defined(CONFIG_MEMFD_CREATE) -/* - * sysctl for vm.memfd_noexec - * 0: memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL - * acts like MFD_EXEC was set. - * 1: memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL - * acts like MFD_NOEXEC_SEAL was set. - * 2: memfd_create() without MFD_NOEXEC_SEAL will be - * rejected. - */ -#define MEMFD_NOEXEC_SCOPE_EXEC 0 -#define MEMFD_NOEXEC_SCOPE_NOEXEC_SEAL 1 -#define MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED 2 +/* modes for vm.memfd_noexec sysctl */ +#define MEMFD_NOEXEC_SCOPE_EXEC 0 /* MFD_EXEC implied if unset */ +#define MEMFD_NOEXEC_SCOPE_NOEXEC_SEAL 1 /* MFD_NOEXEC_SEAL implied if unset */ +#define MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED 2 /* same as 1, except MFD_EXEC rejected */ #endif struct pid_namespace { diff --git a/mm/memfd.c b/mm/memfd.c index 0bdbd2335af7..d65485c762de 100644 --- a/mm/memfd.c +++ b/mm/memfd.c @@ -271,30 +271,22 @@ long memfd_fcntl(struct file *file, unsigned int cmd, unsigned int arg) static int check_sysctl_memfd_noexec(unsigned int *flags) { #ifdef CONFIG_SYSCTL - char comm[TASK_COMM_LEN]; - int sysctl = MEMFD_NOEXEC_SCOPE_EXEC; - struct pid_namespace *ns; - - ns = task_active_pid_ns(current); - if (ns) - sysctl = ns->memfd_noexec_scope; + int sysctl = task_active_pid_ns(current)->memfd_noexec_scope; if (!(*flags & (MFD_EXEC | MFD_NOEXEC_SEAL))) { - if (sysctl == MEMFD_NOEXEC_SCOPE_NOEXEC_SEAL) + if (sysctl >= MEMFD_NOEXEC_SCOPE_NOEXEC_SEAL) *flags |= MFD_NOEXEC_SEAL; else *flags |= MFD_EXEC; } - if (*flags & MFD_EXEC && sysctl >= MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED) { - pr_warn_once( - "memfd_create(): MFD_NOEXEC_SEAL is enforced, pid=%d '%s'\n", - task_pid_nr(current), get_task_comm(comm, current)); - + if (!(*flags & MFD_NOEXEC_SEAL) && sysctl >= MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED) { + pr_err_ratelimited( + "%s[%d]: memfd_create() requires MFD_NOEXEC_SEAL with vm.memfd_noexec=%d\n", + current->comm, task_pid_nr(current), sysctl); return -EACCES; } #endif - return 0; } @@ -302,7 +294,6 @@ SYSCALL_DEFINE2(memfd_create, const char __user *, uname, unsigned int, flags) { - char comm[TASK_COMM_LEN]; unsigned int *file_seals; struct file *file; int fd, error; @@ -325,12 +316,13 @@ SYSCALL_DEFINE2(memfd_create, if (!(flags & (MFD_EXEC | MFD_NOEXEC_SEAL))) { pr_warn_once( - "memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=%d '%s'\n", - task_pid_nr(current), get_task_comm(comm, current)); + "%s[%d]: memfd_create() called without MFD_EXEC or MFD_NOEXEC_SEAL set\n", + current->comm, task_pid_nr(current)); } - if (check_sysctl_memfd_noexec(&flags) < 0) - return -EACCES; + error = check_sysctl_memfd_noexec(&flags); + if (error < 0) + return error; /* length includes terminating zero */ len = strnlen_user(uname, MFD_NAME_MAX_LEN + 1); diff --git a/tools/testing/selftests/memfd/memfd_test.c b/tools/testing/selftests/memfd/memfd_test.c index 8eb49204f9ea..8b7390ad81d1 100644 --- a/tools/testing/selftests/memfd/memfd_test.c +++ b/tools/testing/selftests/memfd/memfd_test.c @@ -1145,11 +1145,23 @@ static void test_sysctl_child(void) printf("%s sysctl 2\n", memfd_str); sysctl_assert_write("2"); - mfd_fail_new("kern_memfd_sysctl_2", - MFD_CLOEXEC | MFD_ALLOW_SEALING); - mfd_fail_new("kern_memfd_sysctl_2_MFD_EXEC", - MFD_CLOEXEC | MFD_EXEC); - fd = mfd_assert_new("", 0, MFD_NOEXEC_SEAL); + mfd_fail_new("kern_memfd_sysctl_2_exec", + MFD_EXEC | MFD_CLOEXEC | MFD_ALLOW_SEALING); + + fd = mfd_assert_new("kern_memfd_sysctl_2_dfl", + mfd_def_size, + MFD_CLOEXEC | MFD_ALLOW_SEALING); + mfd_assert_mode(fd, 0666); + mfd_assert_has_seals(fd, F_SEAL_EXEC); + mfd_fail_chmod(fd, 0777); + close(fd); + + fd = mfd_assert_new("kern_memfd_sysctl_2_noexec_seal", + mfd_def_size, + MFD_NOEXEC_SEAL | MFD_CLOEXEC | MFD_ALLOW_SEALING); + mfd_assert_mode(fd, 0666); + mfd_assert_has_seals(fd, F_SEAL_EXEC); + mfd_fail_chmod(fd, 0777); close(fd); sysctl_fail_write("0");

2 years, 1 month

1
0
0 0

FAILED: patch "[PATCH] memfd: improve userspace warnings for missing exec-related" failed to apply to 6.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.4.y git checkout FETCH_HEAD git cherry-pick -x 434ed3350f57c03a9654fe0619755cc137a58935 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2023090742-velocity-perjury-fa80@gregkh' --subject-prefix 'PATCH 6.4.y' HEAD^.. Possible dependencies: 434ed3350f57 ("memfd: improve userspace warnings for missing exec-related flags") 202e14222fad ("memfd: do not -EACCES old memfd_create() users with vm.memfd_noexec=2") badbbcd76545 ("selftests/memfd: sysctl: fix MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED") 72de25913022 ("mm/memfd: sysctl: fix MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 434ed3350f57c03a9654fe0619755cc137a58935 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <cyphar(a)cyphar.com> Date: Mon, 14 Aug 2023 18:40:59 +1000 Subject: [PATCH] memfd: improve userspace warnings for missing exec-related flags In order to incentivise userspace to switch to passing MFD_EXEC and MFD_NOEXEC_SEAL, we need to provide a warning on each attempt to call memfd_create() without the new flags. pr_warn_once() is not useful because on most systems the one warning is burned up during the boot process (on my system, systemd does this within the first second of boot) and thus userspace will in practice never see the warnings to push them to switch to the new flags. The original patchset[1] used pr_warn_ratelimited(), however there were concerns about the degree of spam in the kernel log[2,3]. The resulting inability to detect every case was flagged as an issue at the time[4]. While we could come up with an alternative rate-limiting scheme such as only outputting the message if vm.memfd_noexec has been modified, or only outputting the message once for a given task, these alternatives have downsides that don't make sense given how low-stakes a single kernel warning message is. Switching to pr_info_ratelimited() instead should be fine -- it's possible some monitoring tool will be unhappy with a stream of warning-level messages but there's already plenty of info-level message spam in dmesg. [1]: https://lore.kernel.org/20221215001205.51969-4-jeffxu@google.com/ [2]: https://lore.kernel.org/202212161233.85C9783FB@keescook/ [3]: https://lore.kernel.org/Y5yS8wCnuYGLHMj4@x1n/ [4]: https://lore.kernel.org/f185bb42-b29c-977e-312e-3349eea15383@linuxfoundatio… Link: https://lkml.kernel.org/r/20230814-memfd-vm-noexec-uapi-fixes-v2-3-7ff9e3e1… Fixes: 105ff5339f49 ("mm/memfd: add MFD_NOEXEC_SEAL and MFD_EXEC") Signed-off-by: Aleksa Sarai <cyphar(a)cyphar.com> Cc: Christian Brauner <brauner(a)kernel.org> Cc: Daniel Verkamp <dverkamp(a)chromium.org> Cc: Dominique Martinet <asmadeus(a)codewreck.org> Cc: Kees Cook <keescook(a)chromium.org> Cc: Shuah Khan <shuah(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/memfd.c b/mm/memfd.c index d65485c762de..aa46521057ab 100644 --- a/mm/memfd.c +++ b/mm/memfd.c @@ -315,7 +315,7 @@ SYSCALL_DEFINE2(memfd_create, return -EINVAL; if (!(flags & (MFD_EXEC | MFD_NOEXEC_SEAL))) { - pr_warn_once( + pr_info_ratelimited( "%s[%d]: memfd_create() called without MFD_EXEC or MFD_NOEXEC_SEAL set\n", current->comm, task_pid_nr(current)); }

2 years, 1 month

1
0
0 0

FAILED: patch "[PATCH] memfd: improve userspace warnings for missing exec-related" failed to apply to 6.5-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.5-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.5.y git checkout FETCH_HEAD git cherry-pick -x 434ed3350f57c03a9654fe0619755cc137a58935 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2023090740-subfloor-legal-0e0a@gregkh' --subject-prefix 'PATCH 6.5.y' HEAD^.. Possible dependencies: 434ed3350f57 ("memfd: improve userspace warnings for missing exec-related flags") 202e14222fad ("memfd: do not -EACCES old memfd_create() users with vm.memfd_noexec=2") badbbcd76545 ("selftests/memfd: sysctl: fix MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED") 72de25913022 ("mm/memfd: sysctl: fix MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 434ed3350f57c03a9654fe0619755cc137a58935 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <cyphar(a)cyphar.com> Date: Mon, 14 Aug 2023 18:40:59 +1000 Subject: [PATCH] memfd: improve userspace warnings for missing exec-related flags In order to incentivise userspace to switch to passing MFD_EXEC and MFD_NOEXEC_SEAL, we need to provide a warning on each attempt to call memfd_create() without the new flags. pr_warn_once() is not useful because on most systems the one warning is burned up during the boot process (on my system, systemd does this within the first second of boot) and thus userspace will in practice never see the warnings to push them to switch to the new flags. The original patchset[1] used pr_warn_ratelimited(), however there were concerns about the degree of spam in the kernel log[2,3]. The resulting inability to detect every case was flagged as an issue at the time[4]. While we could come up with an alternative rate-limiting scheme such as only outputting the message if vm.memfd_noexec has been modified, or only outputting the message once for a given task, these alternatives have downsides that don't make sense given how low-stakes a single kernel warning message is. Switching to pr_info_ratelimited() instead should be fine -- it's possible some monitoring tool will be unhappy with a stream of warning-level messages but there's already plenty of info-level message spam in dmesg. [1]: https://lore.kernel.org/20221215001205.51969-4-jeffxu@google.com/ [2]: https://lore.kernel.org/202212161233.85C9783FB@keescook/ [3]: https://lore.kernel.org/Y5yS8wCnuYGLHMj4@x1n/ [4]: https://lore.kernel.org/f185bb42-b29c-977e-312e-3349eea15383@linuxfoundatio… Link: https://lkml.kernel.org/r/20230814-memfd-vm-noexec-uapi-fixes-v2-3-7ff9e3e1… Fixes: 105ff5339f49 ("mm/memfd: add MFD_NOEXEC_SEAL and MFD_EXEC") Signed-off-by: Aleksa Sarai <cyphar(a)cyphar.com> Cc: Christian Brauner <brauner(a)kernel.org> Cc: Daniel Verkamp <dverkamp(a)chromium.org> Cc: Dominique Martinet <asmadeus(a)codewreck.org> Cc: Kees Cook <keescook(a)chromium.org> Cc: Shuah Khan <shuah(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/memfd.c b/mm/memfd.c index d65485c762de..aa46521057ab 100644 --- a/mm/memfd.c +++ b/mm/memfd.c @@ -315,7 +315,7 @@ SYSCALL_DEFINE2(memfd_create, return -EINVAL; if (!(flags & (MFD_EXEC | MFD_NOEXEC_SEAL))) { - pr_warn_once( + pr_info_ratelimited( "%s[%d]: memfd_create() called without MFD_EXEC or MFD_NOEXEC_SEAL set\n", current->comm, task_pid_nr(current)); }

2 years, 1 month

1
0
0 0

FAILED: patch "[PATCH] revert "memfd: improve userspace warnings for missing" failed to apply to 6.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.4.y git checkout FETCH_HEAD git cherry-pick -x 2562d67b1bdf91c7395b0225d60fdeb26b4bc5a0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2023090735-lyrically-fabulous-bbb1@gregkh' --subject-prefix 'PATCH 6.4.y' HEAD^.. Possible dependencies: 2562d67b1bdf ("revert "memfd: improve userspace warnings for missing exec-related flags".") 434ed3350f57 ("memfd: improve userspace warnings for missing exec-related flags") 202e14222fad ("memfd: do not -EACCES old memfd_create() users with vm.memfd_noexec=2") badbbcd76545 ("selftests/memfd: sysctl: fix MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED") 72de25913022 ("mm/memfd: sysctl: fix MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2562d67b1bdf91c7395b0225d60fdeb26b4bc5a0 Mon Sep 17 00:00:00 2001 From: Andrew Morton <akpm(a)linux-foundation.org> Date: Sat, 2 Sep 2023 15:59:31 -0700 Subject: [PATCH] revert "memfd: improve userspace warnings for missing exec-related flags". This warning is telling userspace developers to pass MFD_EXEC and MFD_NOEXEC_SEAL to memfd_create(). Commit 434ed3350f57 ("memfd: improve userspace warnings for missing exec-related flags") made the warning more frequent and visible in the hope that this would accelerate the fixing of errant userspace. But the overall effect is to generate far too much dmesg noise. Fixes: 434ed3350f57 ("memfd: improve userspace warnings for missing exec-related flags") Reported-by: Damian Tometzki <dtometzki(a)fedoraproject.org> Closes: https://lkml.kernel.org/r/ZPFzCSIgZ4QuHsSC@fedora.fritz.box Cc: Aleksa Sarai <cyphar(a)cyphar.com> Cc: Christian Brauner <brauner(a)kernel.org> Cc: Daniel Verkamp <dverkamp(a)chromium.org> Cc: Jeff Xu <jeffxu(a)google.com> Cc: Kees Cook <keescook(a)chromium.org> Cc: Shuah Khan <shuah(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/memfd.c b/mm/memfd.c index 1cad1904fc26..2dba2cb6f0d0 100644 --- a/mm/memfd.c +++ b/mm/memfd.c @@ -316,7 +316,7 @@ SYSCALL_DEFINE2(memfd_create, return -EINVAL; if (!(flags & (MFD_EXEC | MFD_NOEXEC_SEAL))) { - pr_info_ratelimited( + pr_warn_once( "%s[%d]: memfd_create() called without MFD_EXEC or MFD_NOEXEC_SEAL set\n", current->comm, task_pid_nr(current)); }

2 years, 1 month

1
0
0 0

FAILED: patch "[PATCH] revert "memfd: improve userspace warnings for missing" failed to apply to 6.5-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.5-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.5.y git checkout FETCH_HEAD git cherry-pick -x 2562d67b1bdf91c7395b0225d60fdeb26b4bc5a0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2023090734-sudoku-catalyze-ef01@gregkh' --subject-prefix 'PATCH 6.5.y' HEAD^.. Possible dependencies: 2562d67b1bdf ("revert "memfd: improve userspace warnings for missing exec-related flags".") 434ed3350f57 ("memfd: improve userspace warnings for missing exec-related flags") 202e14222fad ("memfd: do not -EACCES old memfd_create() users with vm.memfd_noexec=2") badbbcd76545 ("selftests/memfd: sysctl: fix MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED") 72de25913022 ("mm/memfd: sysctl: fix MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2562d67b1bdf91c7395b0225d60fdeb26b4bc5a0 Mon Sep 17 00:00:00 2001 From: Andrew Morton <akpm(a)linux-foundation.org> Date: Sat, 2 Sep 2023 15:59:31 -0700 Subject: [PATCH] revert "memfd: improve userspace warnings for missing exec-related flags". This warning is telling userspace developers to pass MFD_EXEC and MFD_NOEXEC_SEAL to memfd_create(). Commit 434ed3350f57 ("memfd: improve userspace warnings for missing exec-related flags") made the warning more frequent and visible in the hope that this would accelerate the fixing of errant userspace. But the overall effect is to generate far too much dmesg noise. Fixes: 434ed3350f57 ("memfd: improve userspace warnings for missing exec-related flags") Reported-by: Damian Tometzki <dtometzki(a)fedoraproject.org> Closes: https://lkml.kernel.org/r/ZPFzCSIgZ4QuHsSC@fedora.fritz.box Cc: Aleksa Sarai <cyphar(a)cyphar.com> Cc: Christian Brauner <brauner(a)kernel.org> Cc: Daniel Verkamp <dverkamp(a)chromium.org> Cc: Jeff Xu <jeffxu(a)google.com> Cc: Kees Cook <keescook(a)chromium.org> Cc: Shuah Khan <shuah(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/memfd.c b/mm/memfd.c index 1cad1904fc26..2dba2cb6f0d0 100644 --- a/mm/memfd.c +++ b/mm/memfd.c @@ -316,7 +316,7 @@ SYSCALL_DEFINE2(memfd_create, return -EINVAL; if (!(flags & (MFD_EXEC | MFD_NOEXEC_SEAL))) { - pr_info_ratelimited( + pr_warn_once( "%s[%d]: memfd_create() called without MFD_EXEC or MFD_NOEXEC_SEAL set\n", current->comm, task_pid_nr(current)); }

2 years, 1 month

1
0
0 0

[PATCH v2 2/2] ASoC: tegra: Fix redundant PLLA and PLLA_OUT0 updates

by Sameer Pujar

Tegra audio graph card has many DAI links which connects internal AHUB modules and external audio codecs. Since these are DPCM links, hw_params() call in the machine driver happens for each connected BE link and PLLA is updated every time. This is not really needed for all links as only I/O link DAIs derive respective clocks from PLLA_OUT0 and thus from PLLA. Hence add checks to limit the clock updates to DAIs over I/O links. This found to be fixing a DMIC clock discrepancy which is suspected to happen because of back to back quick PLLA and PLLA_OUT0 rate updates. This was observed on Jetson TX2 platform where DMIC clock ended up with unexpected value. Fixes: 202e2f774543 ("ASoC: tegra: Add audio graph based card driver") Cc: stable(a)vger.kernel.org Signed-off-by: Sameer Pujar <spujar(a)nvidia.com> --- sound/soc/tegra/tegra_audio_graph_card.c | 30 ++++++++++++++---------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/sound/soc/tegra/tegra_audio_graph_card.c b/sound/soc/tegra/tegra_audio_graph_card.c index 1f2c5018bf5a..4737e776d383 100644 --- a/sound/soc/tegra/tegra_audio_graph_card.c +++ b/sound/soc/tegra/tegra_audio_graph_card.c @@ -10,6 +10,7 @@ #include <linux/platform_device.h> #include <sound/graph_card.h> #include <sound/pcm_params.h> +#include <sound/soc-dai.h> #define MAX_PLLA_OUT0_DIV 128 @@ -44,6 +45,21 @@ struct tegra_audio_cdata { unsigned int plla_out0_rates[NUM_RATE_TYPE]; }; +static bool need_clk_update(struct snd_soc_dai *dai) +{ + if (snd_soc_dai_is_dummy(dai) || + !dai->driver->ops || + !dai->driver->name) + return false; + + if (strstr(dai->driver->name, "I2S") || + strstr(dai->driver->name, "DMIC") || + strstr(dai->driver->name, "DSPK")) + return true; + + return false; +} + /* Setup PLL clock as per the given sample rate */ static int tegra_audio_graph_update_pll(struct snd_pcm_substream *substream, struct snd_pcm_hw_params *params) @@ -140,19 +156,7 @@ static int tegra_audio_graph_hw_params(struct snd_pcm_substream *substream, struct snd_soc_dai *cpu_dai = asoc_rtd_to_cpu(rtd, 0); int err; - /* - * This gets called for each DAI link (FE or BE) when DPCM is used. - * We may not want to update PLLA rate for each call. So PLLA update - * must be restricted to external I/O links (I2S, DMIC or DSPK) since - * they actually depend on it. I/O modules update their clocks in - * hw_param() of their respective component driver and PLLA rate - * update here helps them to derive appropriate rates. - * - * TODO: When more HW accelerators get added (like sample rate - * converter, volume gain controller etc., which don't really - * depend on PLLA) we need a better way to filter here. - */ - if (cpu_dai->driver->ops && rtd->dai_link->no_pcm) { + if (need_clk_update(cpu_dai)) { err = tegra_audio_graph_update_pll(substream, params); if (err) return err; -- 2.17.1

2 years, 1 month

1
0
0 0

[PATCH 5.10/5.15/6.1 1/1] udf: Check consistency of Space Bitmap Descriptor

by Vladislav Efanov

From: Vladislav Efanov <VEfanov(a)ispras.ru> commit 1e0d4adf17e7ef03281d7b16555e7c1508c8ed2d upstream Bits, which are related to Bitmap Descriptor logical blocks, are not reset when buffer headers are allocated for them. As the result, these logical blocks can be treated as free and be used for other blocks.This can cause usage of one buffer header for several types of data. UDF issues WARNING in this situation: WARNING: CPU: 0 PID: 2703 at fs/udf/inode.c:2014 __udf_add_aext+0x685/0x7d0 fs/udf/inode.c:2014 RIP: 0010:__udf_add_aext+0x685/0x7d0 fs/udf/inode.c:2014 Call Trace: udf_setup_indirect_aext+0x573/0x880 fs/udf/inode.c:1980 udf_add_aext+0x208/0x2e0 fs/udf/inode.c:2067 udf_insert_aext fs/udf/inode.c:2233 [inline] udf_update_extents fs/udf/inode.c:1181 [inline] inode_getblk+0x1981/0x3b70 fs/udf/inode.c:885 Found by Linux Verification Center (linuxtesting.org) with syzkaller. [JK: Somewhat cleaned up the boundary checks] Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Vladislav Efanov <VEfanov(a)ispras.ru> Signed-off-by: Jan Kara <jack(a)suse.cz> --- Syzkaller reports this problem in 5.10 stable release. The problem has been fixed by the following patch which can be cleanly applied to the 5.10/5.15/6.1 branches. fs/udf/balloc.c | 31 +++++++++++++++++++++++++++---- 1 file changed, 27 insertions(+), 4 deletions(-) diff --git a/fs/udf/balloc.c b/fs/udf/balloc.c index 8e597db4d971..ef50fd263315 100644 --- a/fs/udf/balloc.c +++ b/fs/udf/balloc.c @@ -36,18 +36,41 @@ static int read_block_bitmap(struct super_block *sb, unsigned long bitmap_nr) { struct buffer_head *bh = NULL; - int retval = 0; + int i; + int max_bits, off, count; struct kernel_lb_addr loc; loc.logicalBlockNum = bitmap->s_extPosition; loc.partitionReferenceNum = UDF_SB(sb)->s_partition; bh = udf_tread(sb, udf_get_lb_pblock(sb, &loc, block)); + bitmap->s_block_bitmap[bitmap_nr] = bh; if (!bh) - retval = -EIO; + return -EIO; - bitmap->s_block_bitmap[bitmap_nr] = bh; - return retval; + /* Check consistency of Space Bitmap buffer. */ + max_bits = sb->s_blocksize * 8; + if (!bitmap_nr) { + off = sizeof(struct spaceBitmapDesc) << 3; + count = min(max_bits - off, bitmap->s_nr_groups); + } else { + /* + * Rough check if bitmap number is too big to have any bitmap + * blocks reserved. + */ + if (bitmap_nr > + (bitmap->s_nr_groups >> (sb->s_blocksize_bits + 3)) + 2) + return 0; + off = 0; + count = bitmap->s_nr_groups - bitmap_nr * max_bits + + (sizeof(struct spaceBitmapDesc) << 3); + count = min(count, max_bits); + } + + for (i = 0; i < count; i++) + if (udf_test_bit(i + off, bh->b_data)) + return -EFSCORRUPTED; + return 0; } static int __load_block_bitmap(struct super_block *sb, -- 2.34.1

2 years, 1 month

2
1
0 0

Please apply b51ba4fe2e13 to 4.14/4.19/5.4/5.9

by Christophe Leroy

Hi, Could you please apply commit b51ba4fe2e13 ("powerpc/32s: Fix assembler warning about r0") to kernels 4.14/4.19/5.4/5.9 so that we avoid having the related warning. Thanks Christophe

2 years, 1 month

2
2
0 0

Please apply 98ecc6768e8fd to 4.14 and 4.19

by Christophe Leroy

Hi, Could you please apply commit 98ecc6768e8f ("powerpc/32: Include .branch_lt in data section") to kernels 4.14 and 4.19 so that we avoid having the related warnings. Thanks Christophe

2 years, 1 month

2
1
0 0

Kernel 6.5 black screen regression

by Mario Limonciello

Hi, The following patch fixes a regression reported by Michael Larabel on an Acer Phoenix laptop where there is a black screen in GNOME with kernel 6.5. It's marked CC to stable, but I checked the stable queue and didn't see it so I wanted to make sure it wasn't missed. a7c0cad0dc06 ("drm/amd/display: ensure async flips are only accepted for fast updates") Reported-by: Michael Larabel <Michael(a)MichaelLarabel.com> Thanks!

2 years, 1 month

2
3
0 0

[PATCH 2/2] ASoC: tegra: Fix redundant PLLA and PLLA_OUT0 updates

by Sameer Pujar

Tegra audio graph card has many DAI links which connects internal AHUB modules and external audio codecs. Since these are DPCM links, hw_params() call in the machine driver happens for each connected BE link and PLLA is updated every time. This is not really needed for all links as only I/O link DAIs derive respective clocks from PLLA_OUT0 and thus from PLLA. Hence add checks to limit the clock updates to DAIs over I/O links. Fixes: 202e2f774543 ("ASoC: tegra: Add audio graph based card driver") Cc: stable(a)vger.kernel.org Signed-off-by: Sameer Pujar <spujar(a)nvidia.com> --- sound/soc/tegra/tegra_audio_graph_card.c | 30 ++++++++++++++---------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/sound/soc/tegra/tegra_audio_graph_card.c b/sound/soc/tegra/tegra_audio_graph_card.c index 1f2c5018bf5a..4737e776d383 100644 --- a/sound/soc/tegra/tegra_audio_graph_card.c +++ b/sound/soc/tegra/tegra_audio_graph_card.c @@ -10,6 +10,7 @@ #include <linux/platform_device.h> #include <sound/graph_card.h> #include <sound/pcm_params.h> +#include <sound/soc-dai.h> #define MAX_PLLA_OUT0_DIV 128 @@ -44,6 +45,21 @@ struct tegra_audio_cdata { unsigned int plla_out0_rates[NUM_RATE_TYPE]; }; +static bool need_clk_update(struct snd_soc_dai *dai) +{ + if (snd_soc_dai_is_dummy(dai) || + !dai->driver->ops || + !dai->driver->name) + return false; + + if (strstr(dai->driver->name, "I2S") || + strstr(dai->driver->name, "DMIC") || + strstr(dai->driver->name, "DSPK")) + return true; + + return false; +} + /* Setup PLL clock as per the given sample rate */ static int tegra_audio_graph_update_pll(struct snd_pcm_substream *substream, struct snd_pcm_hw_params *params) @@ -140,19 +156,7 @@ static int tegra_audio_graph_hw_params(struct snd_pcm_substream *substream, struct snd_soc_dai *cpu_dai = asoc_rtd_to_cpu(rtd, 0); int err; - /* - * This gets called for each DAI link (FE or BE) when DPCM is used. - * We may not want to update PLLA rate for each call. So PLLA update - * must be restricted to external I/O links (I2S, DMIC or DSPK) since - * they actually depend on it. I/O modules update their clocks in - * hw_param() of their respective component driver and PLLA rate - * update here helps them to derive appropriate rates. - * - * TODO: When more HW accelerators get added (like sample rate - * converter, volume gain controller etc., which don't really - * depend on PLLA) we need a better way to filter here. - */ - if (cpu_dai->driver->ops && rtd->dai_link->no_pcm) { + if (need_clk_update(cpu_dai)) { err = tegra_audio_graph_update_pll(substream, params); if (err) return err; -- 2.17.1

2 years, 1 month

2
3
0 0

[PATCH 5.15] of: kexec: Mark ima_{free,stable}_kexec_buffer() as __init

by Nathan Chancellor

This commit has no direct upstream equivalent. After commit d48016d74836 ("mm,ima,kexec,of: use memblock_free_late from ima_free_kexec_buffer") in 5.15, there is a modpost warning for certain configurations: WARNING: modpost: vmlinux.o(.text+0xb14064): Section mismatch in reference from the function ima_free_kexec_buffer() to the function .init.text:__memblock_free_late() The function ima_free_kexec_buffer() references the function __init __memblock_free_late(). This is often because ima_free_kexec_buffer lacks a __init annotation or the annotation of __memblock_free_late is wrong. In mainline, there is no issue because ima_free_kexec_buffer() is marked as __init, which was done as part of commit b69a2afd5afc ("x86/kexec: Carry forward IMA measurement log on kexec") in 6.0, which is not suitable for stable. Mark ima_free_kexec_buffer() and its single caller ima_load_kexec_buffer() as __init in 5.15, as ima_load_kexec_buffer() is only called from ima_init(), which is __init, clearing up the warning. Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- drivers/of/kexec.c | 2 +- include/linux/of.h | 2 +- security/integrity/ima/ima.h | 2 +- security/integrity/ima/ima_kexec.c | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/of/kexec.c b/drivers/of/kexec.c index 3a07cc58e7d7..d10fd54415c2 100644 --- a/drivers/of/kexec.c +++ b/drivers/of/kexec.c @@ -165,7 +165,7 @@ int ima_get_kexec_buffer(void **addr, size_t *size) /** * ima_free_kexec_buffer - free memory used by the IMA buffer */ -int ima_free_kexec_buffer(void) +int __init ima_free_kexec_buffer(void) { int ret; unsigned long addr; diff --git a/include/linux/of.h b/include/linux/of.h index 140671cb746a..6f15e8b0f9d1 100644 --- a/include/linux/of.h +++ b/include/linux/of.h @@ -574,7 +574,7 @@ void *of_kexec_alloc_and_setup_fdt(const struct kimage *image, unsigned long initrd_len, const char *cmdline, size_t extra_fdt_size); int ima_get_kexec_buffer(void **addr, size_t *size); -int ima_free_kexec_buffer(void); +int __init ima_free_kexec_buffer(void); #else /* CONFIG_OF */ static inline void of_core_init(void) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index be965a8715e4..0afe413dda68 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -122,7 +122,7 @@ struct ima_kexec_hdr { extern const int read_idmap[]; #ifdef CONFIG_HAVE_IMA_KEXEC -void ima_load_kexec_buffer(void); +void __init ima_load_kexec_buffer(void); #else static inline void ima_load_kexec_buffer(void) {} #endif /* CONFIG_HAVE_IMA_KEXEC */ diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c index f799cc278a9a..f3b10851bbbf 100644 --- a/security/integrity/ima/ima_kexec.c +++ b/security/integrity/ima/ima_kexec.c @@ -137,7 +137,7 @@ void ima_add_kexec_buffer(struct kimage *image) /* * Restore the measurement list from the previous kernel. */ -void ima_load_kexec_buffer(void) +void __init ima_load_kexec_buffer(void) { void *kexec_buffer = NULL; size_t kexec_buffer_size = 0; --- base-commit: 8f790700c974345ab78054e109beddd84539f319 change-id: 20230905-5-15-of-kexec-modpost-warning-6a6b48f30ebf Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

2 years, 1 month

3
2
0 0

[PATH 6.1.y 0/2] Backport KVM's nx_huge_pages=never module parameter

by Luiz Capitulino

Hi, As part of the mitigation for the iTLB multihit vulnerability, KVM creates a worker thread in KVM_CREATE_VM ioctl(). This thread calls cgroup_attach_task_all() which takes cgroup_threadgroup_rwsem for writing which may incur 100ms+ latency since upstream commit 6a010a49b63ac8465851a79185d8deff966f8e1a. However, if the CPU is not vulnerable to iTLB multihit one could just disable the mitigation (and the worker thread creation) with the newly added KVM module parameter nx_huge_pages=never. This avoids the issue altogether. While there's an alternative solution for this issue already supported in 6.1-stable (ie. cgroup's favordynmods), disabling the mitigation in KVM is probably preferable if the workload is not impacted by dynamic cgroup operations since one doesn't need to decide between the trade-off in using favordynmods, the thread creation code path is avoided at KVM_CREATE_VM and you avoid creating a thread which does nothing. Tests performed: * Measured KVM_CREATE_VM latency and confirmed it goes down to less than 1ms * We've been performing latency measurements internally w/ this parameter for some weeks now Christophe JAILLET (1): KVM: x86/mmu: Use kstrtobool() instead of strtobool() Sean Christopherson (1): KVM: x86/mmu: Add "never" option to allow sticky disabling of nx_huge_pages arch/x86/kvm/mmu/mmu.c | 42 +++++++++++++++++++++++++++++++++++++----- 1 file changed, 37 insertions(+), 5 deletions(-) -- 2.40.1

2 years, 1 month

4
7
0 0

[STABLE PATCH 5.15.y] arm64: lib: Import latest version of Arm Optimized Routines' strncmp

by Will Deacon

From: Joey Gouly <joey.gouly(a)arm.com> commit 387d828adffcf1eb949f3141079c479793c59aac upstream. Import the latest version of the Arm Optimized Routines strncmp function based on the upstream code of string/aarch64/strncmp.S at commit 189dfefe37d5 from: https://github.com/ARM-software/optimized-routines This latest version includes MTE support. Note that for simplicity Arm have chosen to contribute this code to Linux under GPLv2 rather than the original MIT OR Apache-2.0 WITH LLVM-exception license. Arm is the sole copyright holder for this code. Signed-off-by: Joey Gouly <joey.gouly(a)arm.com> Cc: Robin Murphy <robin.murphy(a)arm.com> Cc: Mark Rutland <mark.rutland(a)arm.com> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Will Deacon <will(a)kernel.org> Acked-by: Mark Rutland <mark.rutland(a)arm.com> Acked-by: Catalin Marinas <catalin.marinas(a)arm.com> Link: https://lore.kernel.org/r/20220301101435.19327-3-joey.gouly@arm.com (cherry picked from commit 387d828adffcf1eb949f3141079c479793c59aac) Cc: <stable(a)vger.kernel.org> # 5.15.y only Fixes: 020b199bc70d ("arm64: Import latest version of Cortex Strings' strncmp") Reported-by: John Hsu <John.Hsu(a)mediatek.com> Link: https://lore.kernel.org/all/e9f30f7d5b7d72a3521da31ab2002b49a26f542e.camel@… Signed-off-by: Will Deacon <will(a)kernel.org> --- This is a clean cherry-pick of the latest MTE-safe strncmp() implementation for arm64 which landed in v5.18 and somewhat accidentally fixed an out-of-bounds read introduced in v5.14. An alternative would be to disable the optimised code altogether, but given that this is self-contained and applies cleanly, I'd favour being consistent with more recent kernels. arch/arm64/lib/strncmp.S | 244 +++++++++++++++++++++++---------------- 1 file changed, 146 insertions(+), 98 deletions(-) diff --git a/arch/arm64/lib/strncmp.S b/arch/arm64/lib/strncmp.S index e42bcfcd37e6..a4884b97e9a8 100644 --- a/arch/arm64/lib/strncmp.S +++ b/arch/arm64/lib/strncmp.S @@ -1,9 +1,9 @@ /* SPDX-License-Identifier: GPL-2.0-only */ /* - * Copyright (c) 2013-2021, Arm Limited. + * Copyright (c) 2013-2022, Arm Limited. * * Adapted from the original at: - * https://github.com/ARM-software/optimized-routines/blob/e823e3abf5f89ecb/st… + * https://github.com/ARM-software/optimized-routines/blob/189dfefe37d54c5b/st… */ #include <linux/linkage.h> @@ -11,14 +11,14 @@ /* Assumptions: * - * ARMv8-a, AArch64 + * ARMv8-a, AArch64. + * MTE compatible. */ #define L(label) .L ## label #define REP8_01 0x0101010101010101 #define REP8_7f 0x7f7f7f7f7f7f7f7f -#define REP8_80 0x8080808080808080 /* Parameters and result. */ #define src1 x0 @@ -39,10 +39,24 @@ #define tmp3 x10 #define zeroones x11 #define pos x12 -#define limit_wd x13 -#define mask x14 -#define endloop x15 +#define mask x13 +#define endloop x14 #define count mask +#define offset pos +#define neg_offset x15 + +/* Define endian dependent shift operations. + On big-endian early bytes are at MSB and on little-endian LSB. + LS_FW means shifting towards early bytes. + LS_BK means shifting towards later bytes. + */ +#ifdef __AARCH64EB__ +#define LS_FW lsl +#define LS_BK lsr +#else +#define LS_FW lsr +#define LS_BK lsl +#endif SYM_FUNC_START_WEAK_PI(strncmp) cbz limit, L(ret0) @@ -52,9 +66,6 @@ SYM_FUNC_START_WEAK_PI(strncmp) and count, src1, #7 b.ne L(misaligned8) cbnz count, L(mutual_align) - /* Calculate the number of full and partial words -1. */ - sub limit_wd, limit, #1 /* limit != 0, so no underflow. */ - lsr limit_wd, limit_wd, #3 /* Convert to Dwords. */ /* NUL detection works on the principle that (X - 1) & (~X) & 0x80 (=> (X - 1) & ~(X | 0x7f)) is non-zero iff a byte is zero, and @@ -64,30 +75,45 @@ L(loop_aligned): ldr data1, [src1], #8 ldr data2, [src2], #8 L(start_realigned): - subs limit_wd, limit_wd, #1 + subs limit, limit, #8 sub tmp1, data1, zeroones orr tmp2, data1, #REP8_7f eor diff, data1, data2 /* Non-zero if differences found. */ - csinv endloop, diff, xzr, pl /* Last Dword or differences. */ + csinv endloop, diff, xzr, hi /* Last Dword or differences. */ bics has_nul, tmp1, tmp2 /* Non-zero if NUL terminator. */ ccmp endloop, #0, #0, eq b.eq L(loop_aligned) /* End of main loop */ - /* Not reached the limit, must have found the end or a diff. */ - tbz limit_wd, #63, L(not_limit) - - /* Limit % 8 == 0 => all bytes significant. */ - ands limit, limit, #7 - b.eq L(not_limit) - - lsl limit, limit, #3 /* Bits -> bytes. */ - mov mask, #~0 -#ifdef __AARCH64EB__ - lsr mask, mask, limit +L(full_check): +#ifndef __AARCH64EB__ + orr syndrome, diff, has_nul + add limit, limit, 8 /* Rewind limit to before last subs. */ +L(syndrome_check): + /* Limit was reached. Check if the NUL byte or the difference + is before the limit. */ + rev syndrome, syndrome + rev data1, data1 + clz pos, syndrome + rev data2, data2 + lsl data1, data1, pos + cmp limit, pos, lsr #3 + lsl data2, data2, pos + /* But we need to zero-extend (char is unsigned) the value and then + perform a signed 32-bit subtraction. */ + lsr data1, data1, #56 + sub result, data1, data2, lsr #56 + csel result, result, xzr, hi + ret #else - lsl mask, mask, limit -#endif + /* Not reached the limit, must have found the end or a diff. */ + tbz limit, #63, L(not_limit) + add tmp1, limit, 8 + cbz limit, L(not_limit) + + lsl limit, tmp1, #3 /* Bits -> bytes. */ + mov mask, #~0 + lsr mask, mask, limit bic data1, data1, mask bic data2, data2, mask @@ -95,25 +121,6 @@ L(start_realigned): orr has_nul, has_nul, mask L(not_limit): - orr syndrome, diff, has_nul - -#ifndef __AARCH64EB__ - rev syndrome, syndrome - rev data1, data1 - /* The MS-non-zero bit of the syndrome marks either the first bit - that is different, or the top bit of the first zero byte. - Shifting left now will bring the critical information into the - top bits. */ - clz pos, syndrome - rev data2, data2 - lsl data1, data1, pos - lsl data2, data2, pos - /* But we need to zero-extend (char is unsigned) the value and then - perform a signed 32-bit subtraction. */ - lsr data1, data1, #56 - sub result, data1, data2, lsr #56 - ret -#else /* For big-endian we cannot use the trick with the syndrome value as carry-propagation can corrupt the upper bits if the trailing bytes in the string contain 0x01. */ @@ -134,10 +141,11 @@ L(not_limit): rev has_nul, has_nul orr syndrome, diff, has_nul clz pos, syndrome - /* The MS-non-zero bit of the syndrome marks either the first bit - that is different, or the top bit of the first zero byte. + /* The most-significant-non-zero bit of the syndrome marks either the + first bit that is different, or the top bit of the first zero byte. Shifting left now will bring the critical information into the top bits. */ +L(end_quick): lsl data1, data1, pos lsl data2, data2, pos /* But we need to zero-extend (char is unsigned) the value and then @@ -159,22 +167,12 @@ L(mutual_align): neg tmp3, count, lsl #3 /* 64 - bits(bytes beyond align). */ ldr data2, [src2], #8 mov tmp2, #~0 - sub limit_wd, limit, #1 /* limit != 0, so no underflow. */ -#ifdef __AARCH64EB__ - /* Big-endian. Early bytes are at MSB. */ - lsl tmp2, tmp2, tmp3 /* Shift (count & 63). */ -#else - /* Little-endian. Early bytes are at LSB. */ - lsr tmp2, tmp2, tmp3 /* Shift (count & 63). */ -#endif - and tmp3, limit_wd, #7 - lsr limit_wd, limit_wd, #3 - /* Adjust the limit. Only low 3 bits used, so overflow irrelevant. */ - add limit, limit, count - add tmp3, tmp3, count + LS_FW tmp2, tmp2, tmp3 /* Shift (count & 63). */ + /* Adjust the limit and ensure it doesn't overflow. */ + adds limit, limit, count + csinv limit, limit, xzr, lo orr data1, data1, tmp2 orr data2, data2, tmp2 - add limit_wd, limit_wd, tmp3, lsr #3 b L(start_realigned) .p2align 4 @@ -197,13 +195,11 @@ L(done): /* Align the SRC1 to a dword by doing a bytewise compare and then do the dword loop. */ L(try_misaligned_words): - lsr limit_wd, limit, #3 - cbz count, L(do_misaligned) + cbz count, L(src1_aligned) neg count, count and count, count, #7 sub limit, limit, count - lsr limit_wd, limit, #3 L(page_end_loop): ldrb data1w, [src1], #1 @@ -214,48 +210,100 @@ L(page_end_loop): subs count, count, #1 b.hi L(page_end_loop) -L(do_misaligned): - /* Prepare ourselves for the next page crossing. Unlike the aligned - loop, we fetch 1 less dword because we risk crossing bounds on - SRC2. */ - mov count, #8 - subs limit_wd, limit_wd, #1 - b.lo L(done_loop) + /* The following diagram explains the comparison of misaligned strings. + The bytes are shown in natural order. For little-endian, it is + reversed in the registers. The "x" bytes are before the string. + The "|" separates data that is loaded at one time. + src1 | a a a a a a a a | b b b c c c c c | . . . + src2 | x x x x x a a a a a a a a b b b | c c c c c . . . + + After shifting in each step, the data looks like this: + STEP_A STEP_B STEP_C + data1 a a a a a a a a b b b c c c c c b b b c c c c c + data2 a a a a a a a a b b b 0 0 0 0 0 0 0 0 c c c c c + + The bytes with "0" are eliminated from the syndrome via mask. + + Align SRC2 down to 16 bytes. This way we can read 16 bytes at a + time from SRC2. The comparison happens in 3 steps. After each step + the loop can exit, or read from SRC1 or SRC2. */ +L(src1_aligned): + /* Calculate offset from 8 byte alignment to string start in bits. No + need to mask offset since shifts are ignoring upper bits. */ + lsl offset, src2, #3 + bic src2, src2, #0xf + mov mask, -1 + neg neg_offset, offset + ldr data1, [src1], #8 + ldp tmp1, tmp2, [src2], #16 + LS_BK mask, mask, neg_offset + and neg_offset, neg_offset, #63 /* Need actual value for cmp later. */ + /* Skip the first compare if data in tmp1 is irrelevant. */ + tbnz offset, 6, L(misaligned_mid_loop) + L(loop_misaligned): - and tmp2, src2, #0xff8 - eor tmp2, tmp2, #0xff8 - cbz tmp2, L(page_end_loop) + /* STEP_A: Compare full 8 bytes when there is enough data from SRC2.*/ + LS_FW data2, tmp1, offset + LS_BK tmp1, tmp2, neg_offset + subs limit, limit, #8 + orr data2, data2, tmp1 /* 8 bytes from SRC2 combined from two regs.*/ + sub has_nul, data1, zeroones + eor diff, data1, data2 /* Non-zero if differences found. */ + orr tmp3, data1, #REP8_7f + csinv endloop, diff, xzr, hi /* If limit, set to all ones. */ + bic has_nul, has_nul, tmp3 /* Non-zero if NUL byte found in SRC1. */ + orr tmp3, endloop, has_nul + cbnz tmp3, L(full_check) ldr data1, [src1], #8 - ldr data2, [src2], #8 - sub tmp1, data1, zeroones - orr tmp2, data1, #REP8_7f - eor diff, data1, data2 /* Non-zero if differences found. */ - bics has_nul, tmp1, tmp2 /* Non-zero if NUL terminator. */ - ccmp diff, #0, #0, eq - b.ne L(not_limit) - subs limit_wd, limit_wd, #1 - b.pl L(loop_misaligned) +L(misaligned_mid_loop): + /* STEP_B: Compare first part of data1 to second part of tmp2. */ + LS_FW data2, tmp2, offset +#ifdef __AARCH64EB__ + /* For big-endian we do a byte reverse to avoid carry-propagation + problem described above. This way we can reuse the has_nul in the + next step and also use syndrome value trick at the end. */ + rev tmp3, data1 + #define data1_fixed tmp3 +#else + #define data1_fixed data1 +#endif + sub has_nul, data1_fixed, zeroones + orr tmp3, data1_fixed, #REP8_7f + eor diff, data2, data1 /* Non-zero if differences found. */ + bic has_nul, has_nul, tmp3 /* Non-zero if NUL terminator. */ +#ifdef __AARCH64EB__ + rev has_nul, has_nul +#endif + cmp limit, neg_offset, lsr #3 + orr syndrome, diff, has_nul + bic syndrome, syndrome, mask /* Ignore later bytes. */ + csinv tmp3, syndrome, xzr, hi /* If limit, set to all ones. */ + cbnz tmp3, L(syndrome_check) -L(done_loop): - /* We found a difference or a NULL before the limit was reached. */ - and limit, limit, #7 - cbz limit, L(not_limit) - /* Read the last word. */ - sub src1, src1, 8 - sub src2, src2, 8 - ldr data1, [src1, limit] - ldr data2, [src2, limit] - sub tmp1, data1, zeroones - orr tmp2, data1, #REP8_7f - eor diff, data1, data2 /* Non-zero if differences found. */ - bics has_nul, tmp1, tmp2 /* Non-zero if NUL terminator. */ - ccmp diff, #0, #0, eq - b.ne L(not_limit) + /* STEP_C: Compare second part of data1 to first part of tmp1. */ + ldp tmp1, tmp2, [src2], #16 + cmp limit, #8 + LS_BK data2, tmp1, neg_offset + eor diff, data2, data1 /* Non-zero if differences found. */ + orr syndrome, diff, has_nul + and syndrome, syndrome, mask /* Ignore earlier bytes. */ + csinv tmp3, syndrome, xzr, hi /* If limit, set to all ones. */ + cbnz tmp3, L(syndrome_check) + + ldr data1, [src1], #8 + sub limit, limit, #8 + b L(loop_misaligned) + +#ifdef __AARCH64EB__ +L(syndrome_check): + clz pos, syndrome + cmp pos, limit, lsl #3 + b.lo L(end_quick) +#endif L(ret0): mov result, #0 ret - SYM_FUNC_END_PI(strncmp) EXPORT_SYMBOL_NOHWKASAN(strncmp) -- 2.42.0.283.g2d96d420d3-goog

2 years, 1 month

3
2
0 0

Consider picking up "tpm: Enable hwrng only for Pluton on AMD CPUs" rather sooner than later

by Thorsten Leemhuis

Hi stable team, JFYI, the recently mainline commit 8f7f35e5aa6f21 ("tpm: Enable hwrng only for Pluton on AMD CPUs") from Jarkko contains a stable tag, but it might be worth picking up rather sooner than later, as it fixes a regression that seems to annoy quite a few users of 6.1.y, 6.4.y and 6.5; that's why at least Fedora is already working on picking the fix up ahead of the stable-tree. Ciao, Thorsten (wearing his 'the Linux kernel's regression tracker' hat) -- Everything you wanna know about Linux kernel regression tracking: https://linux-regtracking.leemhuis.info/about/#tldr That page also explains what to do if mails like this annoy you.

2 years, 1 month

2
1
0 0

Bug in rsa-pkcs1pad in 6.1 and 5.15

by Giovanni Cabiddu

There is a missing backport in the stables 6.1.x and 5.15.x that combined with a backported patch as a dependency in the QAT driver causes a kernel crash at boot under certain conditions. In 6.1/5.15, the function pkcs1pad_create() in rsa-pkcs1pad.c [1] sets the reqsize of its akcipher_instance using the value in the akcipher_alg of the selected akcipher implementation. This assumes that the reqsize field has been set for the akcipher implementation when the akcipher_alg has been instantiated. The reqsize field is then used to allocate to allocate memory for pkcs1pad requests. In commit 80e62ad58db0 ("crypto: qat - Use helper to set reqsize"), the reqsize for the rsa implementation in the QAT driver is moved from being set in the akcipher_alg to being set when the tfm is initialized. This means that the implementation of rsa-pkcs1pad won’t allocate any space for the akcipher request when using the QAT driver. This issue occurs only when CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set. When the crypto self-test is run, the correct value of the reqsize is stored in the akcipher_alg in the qat driver by the first call to akcipher_set_reqsize() and then when pkcs1pad_create() is executed, it finds the correct value. Options: 1. Cherry-pick 5b11d1a360ea ("crypto: rsa-pkcs1pad - Use helper to set reqsize") to both 6.1.x and 5.15.x trees. 2. Revert upstream commit 80e62ad58db0 ("crypto: qat - Use helper to set reqsize"). In 6.1 revert da1729e6619c414f34ce679247721603ebb957dc In 5.15 revert 3894f5880f968f81c6f3ed37d96bdea01441a8b7 Option #1 is preferred as the same problem might be impacting other akcipher implementations besides QAT. Option #2 is just specific to the QAT driver. @Herbert, can you have a quick look in case I missed something? I tried both options in 6.1.51 and they appear to resolve the problem. Thanks, [1] https://elixir.bootlin.com/linux/v6.1.51/source/crypto/rsa-pkcs1pad.c#L673 -- Giovanni

2 years, 1 month

3
4
0 0

[PATCH] cpufreq: intel_pstate: set stale CPU frequency to minimum

by Keyon Jie

From: Doug Smythies <dsmythies(a)telus.net> commit d51847acb018d83186e4af67bc93f9a00a8644f7 upstream. This fix applies to all stable kernel versions 5.18+. The intel_pstate CPU frequency scaling driver does not use policy->cur and it is 0. When the CPU frequency is outdated arch_freq_get_on_cpu() will default to the nominal clock frequency when its call to cpufreq_quick_getpolicy_cur returns the never updated 0. Thus, the listed frequency might be outside of currently set limits. Some users are complaining about the high reported frequency, albeit stale, when their system is idle and/or it is above the reduced maximum they have set. This patch will maintain policy_cur for the intel_pstate driver at the current minimum CPU frequency. Reported-by: Yang Jie <yang.jie(a)linux.intel.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217597 Signed-off-by: Doug Smythies <dsmythies(a)telus.net> [ rjw: White space damage fixes and comment adjustment ] Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Signed-off-by: Keyon Jie <yang.jie(a)linux.intel.com> --- drivers/cpufreq/intel_pstate.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c index d51f90f55c05..fbe3a4098743 100644 --- a/drivers/cpufreq/intel_pstate.c +++ b/drivers/cpufreq/intel_pstate.c @@ -2574,6 +2574,11 @@ static int intel_pstate_set_policy(struct cpufreq_policy *policy) intel_pstate_clear_update_util_hook(policy->cpu); intel_pstate_hwp_set(policy->cpu); } + /* + * policy->cur is never updated with the intel_pstate driver, but it + * is used as a stale frequency value. So, keep it within limits. + */ + policy->cur = policy->min; mutex_unlock(&intel_pstate_limits_lock); -- 2.34.1

2 years, 1 month

2
3
0 0

of: property: Simplify of_link_to_phandle()

by Adam Ford

Stable Group, Please apply commit 4a032827daa8 ("of: property: Simplify of_link_to_phandle()") to the 6.1.y stable branch. It was originally part of a series that was only partially applied to 6.1. Being partially applied left 6.1.y in a state where a bunch of peripherals were deferred indefinitely on the am3517-evm. wl12xx_buf platform: supplier 48002000.scm not ready wl12xx_vmmc2 platform: supplier wl12xx_buf not ready 48050000.dss platform: supplier display@0 not ready 48064800.ehci platform: supplier hsusb1_phy not ready backlight platform: supplier 48002000.scm not ready display@0 platform: supplier backlight not ready dmtimer-pwm@11 platform: supplier 48002000.scm not ready hsusb1_phy platform: supplier 48002000.scm not ready gpio-leds platform: supplier 48002000.scm not ready 480b4000.mmc platform: supplier wl12xx_vmmc2 not ready With the above commit applied, it appears to address most of the deferred peripherals. Fixes: eaf9b5612a47 ("driver core: fw_devlink: Don't purge child fwnode's consumer links") Signed-off-by: Adam Ford <aford173(a)gmail.com>

2 years, 1 month

2
1
0 0

6.4-stable backport request

by Jens Axboe

Hi Greg / stable team, Can you queue up this commit: commit 106397376c0369fcc01c58dd189ff925a2724a57 Author: David Jeffery <djeffery(a)redhat.com> Date: Fri Jul 21 17:57:15 2023 +0800 sbitmap: fix batching wakeup for 6.4-stable? It'll cherry pick cleanly. Thanks, -- Jens Axboe

2 years, 1 month

2
1
0 0

[PATCH 1/4] arm64: dts: mediatek: mt8195-demo: fix the memory size to 8GB

by Macpaul Lin

The onboard dram of mt8195-demo board is 8GB. Cc: stable(a)vger.kernel.org # 6.1, 6.4 Fixes: 6147314aeedc ("arm64: dts: mediatek: Add device-tree for MT8195 Demo board") Signed-off-by: Macpaul Lin <macpaul.lin(a)mediatek.com> --- arch/arm64/boot/dts/mediatek/mt8195-demo.dts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/boot/dts/mediatek/mt8195-demo.dts b/arch/arm64/boot/dts/mediatek/mt8195-demo.dts index b2485ddfd33b..ff363ab925e9 100644 --- a/arch/arm64/boot/dts/mediatek/mt8195-demo.dts +++ b/arch/arm64/boot/dts/mediatek/mt8195-demo.dts @@ -48,7 +48,7 @@ memory@40000000 { device_type = "memory"; - reg = <0 0x40000000 0 0x80000000>; + reg = <0 0x40000000 0x2 0x00000000>; }; reserved-memory { -- 2.18.0

2 years, 1 month

2
9
0 0

[RFC] thermal/drivers/mediatek: fix temperature on mt7986

by Frank Wunderlich

From: Frank Wunderlich <frank-w(a)public-files.de> Reading thermal sensor on mt7986 devices returns invalid temperature: bpi-r3 ~ # cat /sys/class/thermal/thermal_zone0/temp -274000 Fix this by adding missing members in mtk_thermal_data struct which were used in mtk_thermal_turn_on_buffer after commit 33140e668b10. Cc: stable(a)vger.kernel.org Fixes: 33140e668b10 ("thermal/drivers/mediatek: Control buffer enablement tweaks") Signed-off-by: Frank Wunderlich <frank-w(a)public-files.de> --- drivers/thermal/mediatek/auxadc_thermal.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/thermal/mediatek/auxadc_thermal.c b/drivers/thermal/mediatek/auxadc_thermal.c index f59d36de20a0..ed08767eaa60 100644 --- a/drivers/thermal/mediatek/auxadc_thermal.c +++ b/drivers/thermal/mediatek/auxadc_thermal.c @@ -691,6 +691,9 @@ static const struct mtk_thermal_data mt7986_thermal_data = { .adcpnp = mt7986_adcpnp, .sensor_mux_values = mt7986_mux_values, .version = MTK_THERMAL_V3, + .apmixed_buffer_ctl_reg = APMIXED_SYS_TS_CON1, + .apmixed_buffer_ctl_mask = GENMASK(31, 6) | BIT(3), + .apmixed_buffer_ctl_set = BIT(0), }; static bool mtk_thermal_temp_is_valid(int temp) -- 2.34.1

2 years, 1 month

2
1
0 0

Leasing sprzętu IT

by Adam Halbert

Dzień dobry, możemy zaproponować Państwu laptopy, komputery stacjonarne, monitory, drukarki (fabrycznie nowy sprzęt) i inne rozwiązania sprzętowe w znacznie niższej cenie i możliwością bezpłatnej konfiguracji według potrzeb użytkowników (Ram, dysk, modem WWAN). Zapewniamy różne formy finansowania – leasing, najem długoterminowy czy odroczony termin płatności. Gwarantujemy szybką reakcję na zapotrzebowanie i profesjonalny serwis posprzedażowy. Chcieliby Państwo sprawdzić co możemy zaoferować? Z pozdrowieniami Adam Halbert

2 years, 1 month

1
0
0 0

[PATCH] wifi: rtw88: rtw8723d: Fix MAC address offset in EEPROM

by Sascha Hauer

The MAC address is stored at offset 0x107 in the EEPROM, like correctly stated in the comment. Add a two bytes reserved field right before the MAC address to shift it from offset 0x105 to 0x107. With this the MAC address returned from my RTL8723du wifi stick can be correctly decoded as "Shenzhen Four Seas Global Link Network Technology Co., Ltd." Signed-off-by: Sascha Hauer <s.hauer(a)pengutronix.de> Reported-by: Yanik Fuchs <Yanik.fuchs(a)mbv.ch> Cc: stable(a)vger.kernel.org --- drivers/net/wireless/realtek/rtw88/rtw8723d.h | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/wireless/realtek/rtw88/rtw8723d.h b/drivers/net/wireless/realtek/rtw88/rtw8723d.h index 3642a2c7f80c9..2434e2480cbe2 100644 --- a/drivers/net/wireless/realtek/rtw88/rtw8723d.h +++ b/drivers/net/wireless/realtek/rtw88/rtw8723d.h @@ -46,6 +46,7 @@ struct rtw8723du_efuse { u8 vender_id[2]; /* 0x100 */ u8 product_id[2]; /* 0x102 */ u8 usb_option; /* 0x104 */ + u8 res5[2]; /* 0x105 */ u8 mac_addr[ETH_ALEN]; /* 0x107 */ }; -- 2.39.2

2 years, 1 month

1
0
0 0

[PATCH] drm/radeon: make fence wait in suballocator uninterrruptable

by Alex Deucher

Commit 254986e324ad ("drm/radeon: Use the drm suballocation manager implementation.") made the fence wait in amdgpu_sa_bo_new() interruptible but there is no code to handle an interrupt. This caused the kernel to randomly explode in high-VRAM-pressure situations so make it uninterruptible again. Fixes: 254986e324ad ("drm/radeon: Use the drm suballocation manager implementation.") Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2769 Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> CC: stable(a)vger.kernel.org # 6.4+ CC: Simon Pilkington <simonp.git(a)gmail.com> --- drivers/gpu/drm/radeon/radeon_sa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/radeon/radeon_sa.c b/drivers/gpu/drm/radeon/radeon_sa.c index c87a57c9c592..22dd8b445685 100644 --- a/drivers/gpu/drm/radeon/radeon_sa.c +++ b/drivers/gpu/drm/radeon/radeon_sa.c @@ -123,7 +123,7 @@ int radeon_sa_bo_new(struct radeon_sa_manager *sa_manager, unsigned int size, unsigned int align) { struct drm_suballoc *sa = drm_suballoc_new(&sa_manager->base, size, - GFP_KERNEL, true, align); + GFP_KERNEL, false, align); if (IS_ERR(sa)) { *sa_bo = NULL; -- 2.41.0

2 years, 1 month

2
1
0 0

AM3517 Timer busy regression on 6.1.y branch

by Adam Ford

Tony et al , I am trying to run the 6.1.y branch on an AM3517-EVM. There are two GPT that throw an error: ti-sysc: probe of 48318000.target-module failed with error -16 ti-sysc: probe of 49032000.target-module failed with error -16 I did some minor investigation and found sysc_check_active_timer() is returning the busy condition. I tracked this back a bit further and found that if I revert commit a12315d6d270 ("bus: ti-sysc: Make omap3 gpt12 quirk handling SoC specific"), this error condition goes away. It almost looks to me like sysc_check_active_timer is defaulting to -EBUSY when the SoC is not 3430, but the sysc_soc_match[] doesn't appear to match to AM3517. I think the proper solution is to treat the AM35* as 3430. Do you agree with that approach? If so, I'll submit a patch with a fixes tag. I am also wondering how far back I should mark the fixes tag. adam

2 years, 1 month

2
3
0 0

stable/linux-6.1.y baseline: 111 runs, 10 regressions (v6.1.52)

by kernelci.org bot

stable/linux-6.1.y baseline: 111 runs, 10 regressions (v6.1.52) Regressions Summary ------------------- platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ acer-chromebox-cxi4-puff | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...6-chromebook | 1 asus-C436FA-Flip-hatch | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...6-chromebook | 1 asus-CM1400CXA-dalboz | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...6-chromebook | 1 asus-cx9400-volteer | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...6-chromebook | 1 hp-x360-12b-c...4020-octopus | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...6-chromebook | 1 hp-x360-14a-cb0001xx-zork | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...6-chromebook | 1 lenovo-TPad-C13-Yoga-zork | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...6-chromebook | 1 r8a77960-ulcb | arm64 | lab-collabora | gcc-10 | defconfig | 1 r8a779m1-ulcb | arm64 | lab-collabora | gcc-10 | defconfig | 1 sun50i-h6-pine-h64 | arm64 | lab-collabora | gcc-10 | defconfig | 1 Details: https://kernelci.org/test/job/stable/branch/linux-6.1.y/kernel/v6.1.52/plan… Test: baseline Tree: stable Branch: linux-6.1.y Describe: v6.1.52 URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git SHA: 59b13c2b647e464dd85622c89d7f16c15d681e96 Test Regressions ---------------- platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ acer-chromebox-cxi4-puff | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...6-chromebook | 1 Details: https://kernelci.org/test/plan/id/64f9128a295f8c0ef9286d86 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: x86_64_defconfig+x86-chromebook Compiler: gcc-10 (gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable/linux-6.1.y/v6.1.52/x86_64/x86_64_defc… HTML log: https://storage.kernelci.org//stable/linux-6.1.y/v6.1.52/x86_64/x86_64_defc… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.login: https://kernelci.org/test/case/id/64f9128a295f8c0ef9286d87 failing since 10 days (last pass: v6.1.48, first fail: v6.1.49) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ asus-C436FA-Flip-hatch | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...6-chromebook | 1 Details: https://kernelci.org/test/plan/id/64f9124cf60a2a91a6286d89 Results: 6 PASS, 1 FAIL, 0 SKIP Full config: x86_64_defconfig+x86-chromebook Compiler: gcc-10 (gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable/linux-6.1.y/v6.1.52/x86_64/x86_64_defc… HTML log: https://storage.kernelci.org//stable/linux-6.1.y/v6.1.52/x86_64/x86_64_defc… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.bootrr.deferred-probe-empty: https://kernelci.org/test/case/id/64f9124df60a2a91a6286d92 failing since 160 days (last pass: v6.1.21, first fail: v6.1.22) 2023-09-06T23:58:08.854410 <8>[ 9.785915] <LAVA_SIGNAL_ENDRUN 0_dmesg 11451993_1.4.2.3.1> 2023-09-06T23:58:08.857916 + set +x 2023-09-06T23:58:08.962775 # 2023-09-06T23:58:08.963820 2023-09-06T23:58:09.065495 / # #export SHELL=/bin/sh 2023-09-06T23:58:09.066154 2023-09-06T23:58:09.167348 / # export SHELL=/bin/sh. /lava-11451993/environment 2023-09-06T23:58:09.167539 2023-09-06T23:58:09.268069 / # . /lava-11451993/environment/lava-11451993/bin/lava-test-runner /lava-11451993/1 2023-09-06T23:58:09.268313 ... (13 line(s) more) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ asus-CM1400CXA-dalboz | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...6-chromebook | 1 Details: https://kernelci.org/test/plan/id/64f9122e9ee60ba4fb286d6e Results: 6 PASS, 1 FAIL, 0 SKIP Full config: x86_64_defconfig+x86-chromebook Compiler: gcc-10 (gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable/linux-6.1.y/v6.1.52/x86_64/x86_64_defc… HTML log: https://storage.kernelci.org//stable/linux-6.1.y/v6.1.52/x86_64/x86_64_defc… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.bootrr.deferred-probe-empty: https://kernelci.org/test/case/id/64f9122f9ee60ba4fb286d77 failing since 160 days (last pass: v6.1.21, first fail: v6.1.22) 2023-09-06T23:58:02.339616 + set<8>[ 11.412198] <LAVA_SIGNAL_ENDRUN 0_dmesg 11452001_1.4.2.3.1> 2023-09-06T23:58:02.340109 +x 2023-09-06T23:58:02.446634 / # # 2023-09-06T23:58:02.548702 export SHELL=/bin/sh 2023-09-06T23:58:02.549463 # 2023-09-06T23:58:02.650870 / # export SHELL=/bin/sh. /lava-11452001/environment 2023-09-06T23:58:02.651577 2023-09-06T23:58:02.752944 / # . /lava-11452001/environment/lava-11452001/bin/lava-test-runner /lava-11452001/1 2023-09-06T23:58:02.754425 2023-09-06T23:58:02.759230 / # /lava-11452001/bin/lava-test-runner /lava-11452001/1 ... (12 line(s) more) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ asus-cx9400-volteer | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...6-chromebook | 1 Details: https://kernelci.org/test/plan/id/64f912421bdf2070c4286d77 Results: 6 PASS, 1 FAIL, 0 SKIP Full config: x86_64_defconfig+x86-chromebook Compiler: gcc-10 (gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable/linux-6.1.y/v6.1.52/x86_64/x86_64_defc… HTML log: https://storage.kernelci.org//stable/linux-6.1.y/v6.1.52/x86_64/x86_64_defc… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.bootrr.deferred-probe-empty: https://kernelci.org/test/case/id/64f912431bdf2070c4286d80 failing since 160 days (last pass: v6.1.21, first fail: v6.1.22) 2023-09-06T23:58:11.741051 <8>[ 10.451922] <LAVA_SIGNAL_ENDRUN 0_dmesg 11451970_1.4.2.3.1> 2023-09-06T23:58:11.744794 + set +x 2023-09-06T23:58:11.846353 2023-09-06T23:58:11.946910 / # #export SHELL=/bin/sh 2023-09-06T23:58:11.947098 2023-09-06T23:58:12.047652 / # export SHELL=/bin/sh. /lava-11451970/environment 2023-09-06T23:58:12.047833 2023-09-06T23:58:12.148330 / # . /lava-11451970/environment/lava-11451970/bin/lava-test-runner /lava-11451970/1 2023-09-06T23:58:12.148634 2023-09-06T23:58:12.153561 / # /lava-11451970/bin/lava-test-runner /lava-11451970/1 ... (12 line(s) more) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ hp-x360-12b-c...4020-octopus | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...6-chromebook | 1 Details: https://kernelci.org/test/plan/id/64f91217fa7b7ae317286d6c Results: 6 PASS, 1 FAIL, 0 SKIP Full config: x86_64_defconfig+x86-chromebook Compiler: gcc-10 (gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable/linux-6.1.y/v6.1.52/x86_64/x86_64_defc… HTML log: https://storage.kernelci.org//stable/linux-6.1.y/v6.1.52/x86_64/x86_64_defc… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.bootrr.deferred-probe-empty: https://kernelci.org/test/case/id/64f91218fa7b7ae317286d75 failing since 160 days (last pass: v6.1.21, first fail: v6.1.22) 2023-09-06T23:59:02.252453 + set +x 2023-09-06T23:59:02.258856 <8>[ 11.061342] <LAVA_SIGNAL_ENDRUN 0_dmesg 11451982_1.4.2.3.1> 2023-09-06T23:59:02.363312 / # # 2023-09-06T23:59:02.463997 export SHELL=/bin/sh 2023-09-06T23:59:02.464198 # 2023-09-06T23:59:02.564700 / # export SHELL=/bin/sh. /lava-11451982/environment 2023-09-06T23:59:02.564895 2023-09-06T23:59:02.665430 / # . /lava-11451982/environment/lava-11451982/bin/lava-test-runner /lava-11451982/1 2023-09-06T23:59:02.665708 2023-09-06T23:59:02.670260 / # /lava-11451982/bin/lava-test-runner /lava-11451982/1 ... (12 line(s) more) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ hp-x360-14a-cb0001xx-zork | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...6-chromebook | 1 Details: https://kernelci.org/test/plan/id/64f9124ae489db9e5b286d6c Results: 6 PASS, 1 FAIL, 0 SKIP Full config: x86_64_defconfig+x86-chromebook Compiler: gcc-10 (gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable/linux-6.1.y/v6.1.52/x86_64/x86_64_defc… HTML log: https://storage.kernelci.org//stable/linux-6.1.y/v6.1.52/x86_64/x86_64_defc… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.bootrr.deferred-probe-empty: https://kernelci.org/test/case/id/64f9124ce489db9e5b286d75 failing since 160 days (last pass: v6.1.21, first fail: v6.1.22) 2023-09-06T23:58:06.243165 + set<8>[ 8.700895] <LAVA_SIGNAL_ENDRUN 0_dmesg 11452012_1.4.2.3.1> 2023-09-06T23:58:06.243249 +x 2023-09-06T23:58:06.347672 / # # 2023-09-06T23:58:06.449235 export SHELL=/bin/sh 2023-09-06T23:58:06.449960 # 2023-09-06T23:58:06.551641 / # export SHELL=/bin/sh. /lava-11452012/environment 2023-09-06T23:58:06.552469 2023-09-06T23:58:06.653926 / # . /lava-11452012/environment/lava-11452012/bin/lava-test-runner /lava-11452012/1 2023-09-06T23:58:06.654944 2023-09-06T23:58:06.660337 / # /lava-11452012/bin/lava-test-runner /lava-11452012/1 ... (12 line(s) more) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ lenovo-TPad-C13-Yoga-zork | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...6-chromebook | 1 Details: https://kernelci.org/test/plan/id/64f911fdb9b2bd5bee286da3 Results: 6 PASS, 1 FAIL, 0 SKIP Full config: x86_64_defconfig+x86-chromebook Compiler: gcc-10 (gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable/linux-6.1.y/v6.1.52/x86_64/x86_64_defc… HTML log: https://storage.kernelci.org//stable/linux-6.1.y/v6.1.52/x86_64/x86_64_defc… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.bootrr.deferred-probe-empty: https://kernelci.org/test/case/id/64f911feb9b2bd5bee286dac failing since 160 days (last pass: v6.1.21, first fail: v6.1.22) 2023-09-06T23:57:42.284448 + set +x<8>[ 11.820769] <LAVA_SIGNAL_ENDRUN 0_dmesg 11452006_1.4.2.3.1> 2023-09-06T23:57:42.285071 2023-09-06T23:57:42.393020 / # # 2023-09-06T23:57:42.495622 export SHELL=/bin/sh 2023-09-06T23:57:42.496444 # 2023-09-06T23:57:42.598264 / # export SHELL=/bin/sh. /lava-11452006/environment 2023-09-06T23:57:42.599074 2023-09-06T23:57:42.700788 / # . /lava-11452006/environment/lava-11452006/bin/lava-test-runner /lava-11452006/1 2023-09-06T23:57:42.702138 2023-09-06T23:57:42.707078 / # /lava-11452006/bin/lava-test-runner /lava-11452006/1 ... (12 line(s) more) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ r8a77960-ulcb | arm64 | lab-collabora | gcc-10 | defconfig | 1 Details: https://kernelci.org/test/plan/id/64f91a522238b2d83f286da1 Results: 4 PASS, 2 FAIL, 1 SKIP Full config: defconfig Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable/linux-6.1.y/v6.1.52/arm64/defconfig/gc… HTML log: https://storage.kernelci.org//stable/linux-6.1.y/v6.1.52/arm64/defconfig/gc… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.bootrr.deferred-probe-empty: https://kernelci.org/test/case/id/64f91a532238b2d83f286daa failing since 49 days (last pass: v6.1.38, first fail: v6.1.39) 2023-09-07T00:34:37.752753 / # # 2023-09-07T00:34:37.854930 export SHELL=/bin/sh 2023-09-07T00:34:37.855583 # 2023-09-07T00:34:37.956868 / # export SHELL=/bin/sh. /lava-11452189/environment 2023-09-07T00:34:37.957620 2023-09-07T00:34:38.059062 / # . /lava-11452189/environment/lava-11452189/bin/lava-test-runner /lava-11452189/1 2023-09-07T00:34:38.060167 2023-09-07T00:34:38.077131 / # /lava-11452189/bin/lava-test-runner /lava-11452189/1 2023-09-07T00:34:38.125218 + export 'TESTRUN_ID=1_bootrr' 2023-09-07T00:34:38.125755 + cd /lav<8>[ 19.018553] <LAVA_SIGNAL_STARTRUN 1_bootrr 11452189_1.5.2.4.5> ... (28 line(s) more) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ r8a779m1-ulcb | arm64 | lab-collabora | gcc-10 | defconfig | 1 Details: https://kernelci.org/test/plan/id/64f91a860bd5b04151286dfe Results: 5 PASS, 1 FAIL, 1 SKIP Full config: defconfig Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable/linux-6.1.y/v6.1.52/arm64/defconfig/gc… HTML log: https://storage.kernelci.org//stable/linux-6.1.y/v6.1.52/arm64/defconfig/gc… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.bootrr.deferred-probe-empty: https://kernelci.org/test/case/id/64f91a860bd5b04151286e07 failing since 49 days (last pass: v6.1.38, first fail: v6.1.39) 2023-09-07T00:35:15.778095 / # # 2023-09-07T00:35:16.858745 export SHELL=/bin/sh 2023-09-07T00:35:16.860542 # 2023-09-07T00:35:18.351870 / # export SHELL=/bin/sh. /lava-11452191/environment 2023-09-07T00:35:18.353754 2023-09-07T00:35:21.079197 / # . /lava-11452191/environment/lava-11452191/bin/lava-test-runner /lava-11452191/1 2023-09-07T00:35:21.081695 2023-09-07T00:35:21.086368 / # /lava-11452191/bin/lava-test-runner /lava-11452191/1 2023-09-07T00:35:21.149777 + export 'TESTRUN_ID=1_bootrr' 2023-09-07T00:35:21.150290 + cd /lava-114521<8>[ 28.488227] <LAVA_SIGNAL_STARTRUN 1_bootrr 11452191_1.5.2.4.5> ... (44 line(s) more) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ sun50i-h6-pine-h64 | arm64 | lab-collabora | gcc-10 | defconfig | 1 Details: https://kernelci.org/test/plan/id/64f91a530bd5b04151286da5 Results: 5 PASS, 1 FAIL, 1 SKIP Full config: defconfig Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable/linux-6.1.y/v6.1.52/arm64/defconfig/gc… HTML log: https://storage.kernelci.org//stable/linux-6.1.y/v6.1.52/arm64/defconfig/gc… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.bootrr.deferred-probe-empty: https://kernelci.org/test/case/id/64f91a540bd5b04151286dae failing since 49 days (last pass: v6.1.38, first fail: v6.1.39) 2023-09-07T00:34:50.861104 / # # 2023-09-07T00:34:50.961652 export SHELL=/bin/sh 2023-09-07T00:34:50.961788 # 2023-09-07T00:34:51.062379 / # export SHELL=/bin/sh. /lava-11452193/environment 2023-09-07T00:34:51.062500 2023-09-07T00:34:51.163008 / # . /lava-11452193/environment/lava-11452193/bin/lava-test-runner /lava-11452193/1 2023-09-07T00:34:51.163208 2023-09-07T00:34:51.208959 / # /lava-11452193/bin/lava-test-runner /lava-11452193/1 2023-09-07T00:34:51.209042 + export 'TESTRUN_ID=1_bootrr' 2023-09-07T00:34:51.243374 + cd /lava-11452193/1/tests/1_boot<8>[ 16.910402] <LAVA_SIGNAL_STARTRUN 1_bootrr 11452193_1.5.2.4.5> ... (11 line(s) more)

2 years, 1 month

1
0
0 0

stable-rc/linux-4.14.y baseline: 95 runs, 18 regressions (v4.14.325)

by kernelci.org bot

stable-rc/linux-4.14.y baseline: 95 runs, 18 regressions (v4.14.325) Regressions Summary ------------------- platform | arch | lab | compiler | defconfig | regressions ---------------------------+-------+---------------+----------+----------------------------+------------ qemu_arm64-virt-gicv2 | arm64 | lab-broonie | gcc-10 | defconfig+arm64-chromebook | 1 qemu_arm64-virt-gicv2 | arm64 | lab-broonie | gcc-10 | defconfig | 1 qemu_arm64-virt-gicv2 | arm64 | lab-collabora | gcc-10 | defconfig+arm64-chromebook | 1 qemu_arm64-virt-gicv2 | arm64 | lab-collabora | gcc-10 | defconfig | 1 qemu_arm64-virt-gicv2-uefi | arm64 | lab-broonie | gcc-10 | defconfig+arm64-chromebook | 1 qemu_arm64-virt-gicv2-uefi | arm64 | lab-broonie | gcc-10 | defconfig | 1 qemu_arm64-virt-gicv2-uefi | arm64 | lab-collabora | gcc-10 | defconfig+arm64-chromebook | 1 qemu_arm64-virt-gicv2-uefi | arm64 | lab-collabora | gcc-10 | defconfig | 1 qemu_arm64-virt-gicv3 | arm64 | lab-broonie | gcc-10 | defconfig+arm64-chromebook | 1 qemu_arm64-virt-gicv3 | arm64 | lab-broonie | gcc-10 | defconfig | 1 qemu_arm64-virt-gicv3 | arm64 | lab-collabora | gcc-10 | defconfig+arm64-chromebook | 1 qemu_arm64-virt-gicv3 | arm64 | lab-collabora | gcc-10 | defconfig | 1 qemu_arm64-virt-gicv3-uefi | arm64 | lab-broonie | gcc-10 | defconfig+arm64-chromebook | 1 qemu_arm64-virt-gicv3-uefi | arm64 | lab-broonie | gcc-10 | defconfig | 1 qemu_arm64-virt-gicv3-uefi | arm64 | lab-collabora | gcc-10 | defconfig+arm64-chromebook | 1 qemu_arm64-virt-gicv3-uefi | arm64 | lab-collabora | gcc-10 | defconfig | 1 rk3399-gru-kevin | arm64 | lab-collabora | gcc-10 | defconfig+arm64-chromebook | 2 Details: https://kernelci.org/test/job/stable-rc/branch/linux-4.14.y/kernel/v4.14.32… Test: baseline Tree: stable-rc Branch: linux-4.14.y Describe: v4.14.325 URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git SHA: d6c4816748dd21e69b7dd79faf282a57d0378680 Test Regressions ---------------- platform | arch | lab | compiler | defconfig | regressions ---------------------------+-------+---------------+----------+----------------------------+------------ qemu_arm64-virt-gicv2 | arm64 | lab-broonie | gcc-10 | defconfig+arm64-chromebook | 1 Details: https://kernelci.org/test/plan/id/64f2fa06430209099e286d92 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig+arm64-chromebook Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/linux-4.14.y/v4.14.325/arm64/defcon… HTML log: https://storage.kernelci.org//stable-rc/linux-4.14.y/v4.14.325/arm64/defcon… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.login: https://kernelci.org/test/case/id/64f2fa06430209099e286d93 failing since 382 days (last pass: v4.14.267-33-g871c9e115feb, first fail: v4.14.290-154-gc3e4c291190ba) platform | arch | lab | compiler | defconfig | regressions ---------------------------+-------+---------------+----------+----------------------------+------------ qemu_arm64-virt-gicv2 | arm64 | lab-broonie | gcc-10 | defconfig | 1 Details: https://kernelci.org/test/plan/id/64f2fb4d3a1befa736286d6f Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/linux-4.14.y/v4.14.325/arm64/defcon… HTML log: https://storage.kernelci.org//stable-rc/linux-4.14.y/v4.14.325/arm64/defcon… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.login: https://kernelci.org/test/case/id/64f2fb4d3a1befa736286d70 failing since 375 days (last pass: v4.14.266-45-gce409501ca5f, first fail: v4.14.290-230-g4d54ef55c38e) platform | arch | lab | compiler | defconfig | regressions ---------------------------+-------+---------------+----------+----------------------------+------------ qemu_arm64-virt-gicv2 | arm64 | lab-collabora | gcc-10 | defconfig+arm64-chromebook | 1 Details: https://kernelci.org/test/plan/id/64f2f9930e6bff1e91286d78 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig+arm64-chromebook Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/linux-4.14.y/v4.14.325/arm64/defcon… HTML log: https://storage.kernelci.org//stable-rc/linux-4.14.y/v4.14.325/arm64/defcon… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.login: https://kernelci.org/test/case/id/64f2f9930e6bff1e91286d79 failing since 382 days (last pass: v4.14.267-33-g871c9e115feb, first fail: v4.14.290-154-gc3e4c291190ba) platform | arch | lab | compiler | defconfig | regressions ---------------------------+-------+---------------+----------+----------------------------+------------ qemu_arm64-virt-gicv2 | arm64 | lab-collabora | gcc-10 | defconfig | 1 Details: https://kernelci.org/test/plan/id/64f2fa0f430209099e286e33 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/linux-4.14.y/v4.14.325/arm64/defcon… HTML log: https://storage.kernelci.org//stable-rc/linux-4.14.y/v4.14.325/arm64/defcon… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.login: https://kernelci.org/test/case/id/64f2fa0f430209099e286e34 failing since 375 days (last pass: v4.14.266-45-gce409501ca5f, first fail: v4.14.290-230-g4d54ef55c38e) platform | arch | lab | compiler | defconfig | regressions ---------------------------+-------+---------------+----------+----------------------------+------------ qemu_arm64-virt-gicv2-uefi | arm64 | lab-broonie | gcc-10 | defconfig+arm64-chromebook | 1 Details: https://kernelci.org/test/plan/id/64f2fa6a9ea61cda0d286d93 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig+arm64-chromebook Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/linux-4.14.y/v4.14.325/arm64/defcon… HTML log: https://storage.kernelci.org//stable-rc/linux-4.14.y/v4.14.325/arm64/defcon… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.login: https://kernelci.org/test/case/id/64f2fa6a9ea61cda0d286d94 failing since 364 days (last pass: v4.14.267-33-g871c9e115feb, first fail: v4.14.291-43-g3eabc273fb308) platform | arch | lab | compiler | defconfig | regressions ---------------------------+-------+---------------+----------+----------------------------+------------ qemu_arm64-virt-gicv2-uefi | arm64 | lab-broonie | gcc-10 | defconfig | 1 Details: https://kernelci.org/test/plan/id/64f2fb348612ec2985286d98 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/linux-4.14.y/v4.14.325/arm64/defcon… HTML log: https://storage.kernelci.org//stable-rc/linux-4.14.y/v4.14.325/arm64/defcon… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.login: https://kernelci.org/test/case/id/64f2fb348612ec2985286d99 failing since 396 days (last pass: v4.14.267-33-g871c9e115feb, first fail: v4.14.289-48-gdea72dca89ea9) platform | arch | lab | compiler | defconfig | regressions ---------------------------+-------+---------------+----------+----------------------------+------------ qemu_arm64-virt-gicv2-uefi | arm64 | lab-collabora | gcc-10 | defconfig+arm64-chromebook | 1 Details: https://kernelci.org/test/plan/id/64f2f99452f81a4bc0286da5 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig+arm64-chromebook Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/linux-4.14.y/v4.14.325/arm64/defcon… HTML log: https://storage.kernelci.org//stable-rc/linux-4.14.y/v4.14.325/arm64/defcon… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.login: https://kernelci.org/test/case/id/64f2f99452f81a4bc0286da6 failing since 364 days (last pass: v4.14.267-33-g871c9e115feb, first fail: v4.14.291-43-g3eabc273fb308) platform | arch | lab | compiler | defconfig | regressions ---------------------------+-------+---------------+----------+----------------------------+------------ qemu_arm64-virt-gicv2-uefi | arm64 | lab-collabora | gcc-10 | defconfig | 1 Details: https://kernelci.org/test/plan/id/64f2f997bd5d2ea2f2286d76 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/linux-4.14.y/v4.14.325/arm64/defcon… HTML log: https://storage.kernelci.org//stable-rc/linux-4.14.y/v4.14.325/arm64/defcon… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.login: https://kernelci.org/test/case/id/64f2f997bd5d2ea2f2286d77 failing since 396 days (last pass: v4.14.267-33-g871c9e115feb, first fail: v4.14.289-48-gdea72dca89ea9) platform | arch | lab | compiler | defconfig | regressions ---------------------------+-------+---------------+----------+----------------------------+------------ qemu_arm64-virt-gicv3 | arm64 | lab-broonie | gcc-10 | defconfig+arm64-chromebook | 1 Details: https://kernelci.org/test/plan/id/64f2f9ca04959ed90b286e14 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig+arm64-chromebook Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/linux-4.14.y/v4.14.325/arm64/defcon… HTML log: https://storage.kernelci.org//stable-rc/linux-4.14.y/v4.14.325/arm64/defcon… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.login: https://kernelci.org/test/case/id/64f2f9ca04959ed90b286e15 failing since 364 days (last pass: v4.14.267-33-g871c9e115feb, first fail: v4.14.291-43-g3eabc273fb308) platform | arch | lab | compiler | defconfig | regressions ---------------------------+-------+---------------+----------+----------------------------+------------ qemu_arm64-virt-gicv3 | arm64 | lab-broonie | gcc-10 | defconfig | 1 Details: https://kernelci.org/test/plan/id/64f2fb6e20ab543cf6286dc3 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/linux-4.14.y/v4.14.325/arm64/defcon… HTML log: https://storage.kernelci.org//stable-rc/linux-4.14.y/v4.14.325/arm64/defcon… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.login: https://kernelci.org/test/case/id/64f2fb6e20ab543cf6286dc4 failing since 375 days (last pass: v4.14.266-45-gce409501ca5f, first fail: v4.14.290-230-g4d54ef55c38e) platform | arch | lab | compiler | defconfig | regressions ---------------------------+-------+---------------+----------+----------------------------+------------ qemu_arm64-virt-gicv3 | arm64 | lab-collabora | gcc-10 | defconfig+arm64-chromebook | 1 Details: https://kernelci.org/test/plan/id/64f2f996bd5d2ea2f2286d73 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig+arm64-chromebook Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/linux-4.14.y/v4.14.325/arm64/defcon… HTML log: https://storage.kernelci.org//stable-rc/linux-4.14.y/v4.14.325/arm64/defcon… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.login: https://kernelci.org/test/case/id/64f2f996bd5d2ea2f2286d74 failing since 364 days (last pass: v4.14.267-33-g871c9e115feb, first fail: v4.14.291-43-g3eabc273fb308) platform | arch | lab | compiler | defconfig | regressions ---------------------------+-------+---------------+----------+----------------------------+------------ qemu_arm64-virt-gicv3 | arm64 | lab-collabora | gcc-10 | defconfig | 1 Details: https://kernelci.org/test/plan/id/64f2fa32430209099e286e3a Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/linux-4.14.y/v4.14.325/arm64/defcon… HTML log: https://storage.kernelci.org//stable-rc/linux-4.14.y/v4.14.325/arm64/defcon… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.login: https://kernelci.org/test/case/id/64f2fa32430209099e286e3b failing since 375 days (last pass: v4.14.266-45-gce409501ca5f, first fail: v4.14.290-230-g4d54ef55c38e) platform | arch | lab | compiler | defconfig | regressions ---------------------------+-------+---------------+----------+----------------------------+------------ qemu_arm64-virt-gicv3-uefi | arm64 | lab-broonie | gcc-10 | defconfig+arm64-chromebook | 1 Details: https://kernelci.org/test/plan/id/64f2f9e45e58963ad1286d7a Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig+arm64-chromebook Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/linux-4.14.y/v4.14.325/arm64/defcon… HTML log: https://storage.kernelci.org//stable-rc/linux-4.14.y/v4.14.325/arm64/defcon… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.login: https://kernelci.org/test/case/id/64f2f9e45e58963ad1286d7b failing since 382 days (last pass: v4.14.267-33-g871c9e115feb, first fail: v4.14.290-176-g1ee5c98a9d0bc) platform | arch | lab | compiler | defconfig | regressions ---------------------------+-------+---------------+----------+----------------------------+------------ qemu_arm64-virt-gicv3-uefi | arm64 | lab-broonie | gcc-10 | defconfig | 1 Details: https://kernelci.org/test/plan/id/64f2faa6de0251efa9286d86 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/linux-4.14.y/v4.14.325/arm64/defcon… HTML log: https://storage.kernelci.org//stable-rc/linux-4.14.y/v4.14.325/arm64/defcon… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.login: https://kernelci.org/test/case/id/64f2faa6de0251efa9286d87 failing since 380 days (last pass: v4.14.267-33-g871c9e115feb, first fail: v4.14.290) platform | arch | lab | compiler | defconfig | regressions ---------------------------+-------+---------------+----------+----------------------------+------------ qemu_arm64-virt-gicv3-uefi | arm64 | lab-collabora | gcc-10 | defconfig+arm64-chromebook | 1 Details: https://kernelci.org/test/plan/id/64f2f9920e6bff1e91286d72 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig+arm64-chromebook Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/linux-4.14.y/v4.14.325/arm64/defcon… HTML log: https://storage.kernelci.org//stable-rc/linux-4.14.y/v4.14.325/arm64/defcon… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.login: https://kernelci.org/test/case/id/64f2f9920e6bff1e91286d73 failing since 382 days (last pass: v4.14.267-33-g871c9e115feb, first fail: v4.14.290-176-g1ee5c98a9d0bc) platform | arch | lab | compiler | defconfig | regressions ---------------------------+-------+---------------+----------+----------------------------+------------ qemu_arm64-virt-gicv3-uefi | arm64 | lab-collabora | gcc-10 | defconfig | 1 Details: https://kernelci.org/test/plan/id/64f2f996bd5d2ea2f2286d70 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/linux-4.14.y/v4.14.325/arm64/defcon… HTML log: https://storage.kernelci.org//stable-rc/linux-4.14.y/v4.14.325/arm64/defcon… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.login: https://kernelci.org/test/case/id/64f2f996bd5d2ea2f2286d71 failing since 380 days (last pass: v4.14.267-33-g871c9e115feb, first fail: v4.14.290) platform | arch | lab | compiler | defconfig | regressions ---------------------------+-------+---------------+----------+----------------------------+------------ rk3399-gru-kevin | arm64 | lab-collabora | gcc-10 | defconfig+arm64-chromebook | 2 Details: https://kernelci.org/test/plan/id/64f2f8c729b8cdda22286d95 Results: 49 PASS, 23 FAIL, 2 SKIP Full config: defconfig+arm64-chromebook Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/linux-4.14.y/v4.14.325/arm64/defcon… HTML log: https://storage.kernelci.org//stable-rc/linux-4.14.y/v4.14.325/arm64/defcon… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.bootrr.rockchip-usb2phy1-probed: https://kernelci.org/test/case/id/64f2f8c729b8cdda22286d9f failing since 172 days (last pass: v4.14.308, first fail: v4.14.308-4-ge7a701196c571) 2023-09-07T00:58:48.316332 [ 49.452460] <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=rockchip-usb2phy0-probed RESULT=fail> 2023-09-07T00:58:49.329170 /lava-11452298/1/../bin/lava-test-case * baseline.bootrr.rockchip-usb2phy0-probed: https://kernelci.org/test/case/id/64f2f8c729b8cdda22286da0 failing since 172 days (last pass: v4.14.308, first fail: v4.14.308-4-ge7a701196c571) 2023-09-07T00:58:47.291972 [ 48.427550] <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=rockchip-usb2phy-driver-present RESULT=pass> 2023-09-07T00:58:48.305140 /lava-11452298/1/../bin/lava-test-case

2 years, 1 month

1
0
0 0

[PATCH 6/6] tracing: Have event inject files inc the trace array ref count

by Steven Rostedt

From: "Steven Rostedt (Google)" <rostedt(a)goodmis.org> The event inject files add events for a specific trace array. For an instance, if the file is opened and the instance is deleted, reading or writing to the file will cause a use after free. Up the ref count of the trace_array when a event inject file is opened. Link: https://lore.kernel.org/all/1cb3aee2-19af-c472-e265-05176fe9bd84@huawei.com/ Cc: stable(a)vger.kernel.org Fixes: 6c3edaf9fd6a ("tracing: Introduce trace event injection") Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/trace_events_inject.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/trace/trace_events_inject.c b/kernel/trace/trace_events_inject.c index abe805d471eb..8650562bdaa9 100644 --- a/kernel/trace/trace_events_inject.c +++ b/kernel/trace/trace_events_inject.c @@ -328,7 +328,8 @@ event_inject_read(struct file *file, char __user *buf, size_t size, } const struct file_operations event_inject_fops = { - .open = tracing_open_generic, + .open = tracing_open_file_tr, .read = event_inject_read, .write = event_inject_write, + .release = tracing_release_file_tr, }; -- 2.40.1

2 years, 1 month

1
0
0 0

[PATCH 5/6] tracing: Have option files inc the trace array ref count

by Steven Rostedt

From: "Steven Rostedt (Google)" <rostedt(a)goodmis.org> The option files update the options for a given trace array. For an instance, if the file is opened and the instance is deleted, reading or writing to the file will cause a use after free. Up the ref count of the trace_array when an option file is opened. Link: https://lore.kernel.org/all/1cb3aee2-19af-c472-e265-05176fe9bd84@huawei.com/ Cc: stable(a)vger.kernel.org Fixes: 8530dec63e7b4 ("tracing: Add tracing_check_open_get_tr()") Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/trace.c | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index b82df33d20ff..0608ad20cf30 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -8988,12 +8988,33 @@ trace_options_write(struct file *filp, const char __user *ubuf, size_t cnt, return cnt; } +static int tracing_open_options(struct inode *inode, struct file *filp) +{ + struct trace_option_dentry *topt = inode->i_private; + int ret; + + ret = tracing_check_open_get_tr(topt->tr); + if (ret) + return ret; + + filp->private_data = inode->i_private; + return 0; +} + +static int tracing_release_options(struct inode *inode, struct file *file) +{ + struct trace_option_dentry *topt = file->private_data; + + trace_array_put(topt->tr); + return 0; +} static const struct file_operations trace_options_fops = { - .open = tracing_open_generic, + .open = tracing_open_options, .read = trace_options_read, .write = trace_options_write, .llseek = generic_file_llseek, + .release = tracing_release_options, }; /* -- 2.40.1

2 years, 1 month

1
0
0 0

[PATCH 4/6] tracing: Have current_trace inc the trace array ref count

by Steven Rostedt

From: "Steven Rostedt (Google)" <rostedt(a)goodmis.org> The current_trace updates the trace array tracer. For an instance, if the file is opened and the instance is deleted, reading or writing to the file will cause a use after free. Up the ref count of the trace array when current_trace is opened. Link: https://lore.kernel.org/all/1cb3aee2-19af-c472-e265-05176fe9bd84@huawei.com/ Cc: stable(a)vger.kernel.org Fixes: 8530dec63e7b4 ("tracing: Add tracing_check_open_get_tr()") Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/trace.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index c8b8b4c6feaf..b82df33d20ff 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -7791,10 +7791,11 @@ static const struct file_operations tracing_max_lat_fops = { #endif static const struct file_operations set_tracer_fops = { - .open = tracing_open_generic, + .open = tracing_open_generic_tr, .read = tracing_set_trace_read, .write = tracing_set_trace_write, .llseek = generic_file_llseek, + .release = tracing_release_generic_tr, }; static const struct file_operations tracing_pipe_fops = { -- 2.40.1

2 years, 1 month

1
0
0 0

[PATCH 3/6] tracing: Have tracing_max_latency inc the trace array ref count

by Steven Rostedt

From: "Steven Rostedt (Google)" <rostedt(a)goodmis.org> The tracing_max_latency file points to the trace_array max_latency field. For an instance, if the file is opened and the instance is deleted, reading or writing to the file will cause a use after free. Up the ref count of the trace_array when tracing_max_latency is opened. Link: https://lore.kernel.org/all/1cb3aee2-19af-c472-e265-05176fe9bd84@huawei.com/ Cc: stable(a)vger.kernel.org Fixes: 8530dec63e7b4 ("tracing: Add tracing_check_open_get_tr()") Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/trace.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index 0827037ee3b8..c8b8b4c6feaf 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -1772,7 +1772,7 @@ static void trace_create_maxlat_file(struct trace_array *tr, init_irq_work(&tr->fsnotify_irqwork, latency_fsnotify_workfn_irq); tr->d_max_latency = trace_create_file("tracing_max_latency", TRACE_MODE_WRITE, - d_tracer, &tr->max_latency, + d_tracer, tr, &tracing_max_lat_fops); } @@ -1805,7 +1805,7 @@ void latency_fsnotify(struct trace_array *tr) #define trace_create_maxlat_file(tr, d_tracer) \ trace_create_file("tracing_max_latency", TRACE_MODE_WRITE, \ - d_tracer, &tr->max_latency, &tracing_max_lat_fops) + d_tracer, tr, &tracing_max_lat_fops) #endif @@ -6717,14 +6717,18 @@ static ssize_t tracing_max_lat_read(struct file *filp, char __user *ubuf, size_t cnt, loff_t *ppos) { - return tracing_nsecs_read(filp->private_data, ubuf, cnt, ppos); + struct trace_array *tr = filp->private_data; + + return tracing_nsecs_read(&tr->max_latency, ubuf, cnt, ppos); } static ssize_t tracing_max_lat_write(struct file *filp, const char __user *ubuf, size_t cnt, loff_t *ppos) { - return tracing_nsecs_write(filp->private_data, ubuf, cnt, ppos); + struct trace_array *tr = filp->private_data; + + return tracing_nsecs_write(&tr->max_latency, ubuf, cnt, ppos); } #endif @@ -7778,10 +7782,11 @@ static const struct file_operations tracing_thresh_fops = { #ifdef CONFIG_TRACER_MAX_TRACE static const struct file_operations tracing_max_lat_fops = { - .open = tracing_open_generic, + .open = tracing_open_generic_tr, .read = tracing_max_lat_read, .write = tracing_max_lat_write, .llseek = generic_file_llseek, + .release = tracing_release_generic_tr, }; #endif -- 2.40.1

2 years, 1 month

1
0
0 0

[PATCH 2/6] tracing: Increase trace array ref count on enable and filter files

by Steven Rostedt

From: "Steven Rostedt (Google)" <rostedt(a)goodmis.org> When the trace event enable and filter files are opened, increment the trace array ref counter, otherwise they can be accessed when the trace array is being deleted. The ref counter keeps the trace array from being deleted while those files are opened. Link: https://lore.kernel.org/all/1cb3aee2-19af-c472-e265-05176fe9bd84@huawei.com/ Cc: stable(a)vger.kernel.org Fixes: 8530dec63e7b4 ("tracing: Add tracing_check_open_get_tr()") Reported-by: Zheng Yejian <zhengyejian1(a)huawei.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/trace.c | 27 +++++++++++++++++++++++++++ kernel/trace/trace.h | 2 ++ kernel/trace/trace_events.c | 6 ++++-- 3 files changed, 33 insertions(+), 2 deletions(-) diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index 35783a7baf15..0827037ee3b8 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -4973,6 +4973,33 @@ int tracing_open_generic_tr(struct inode *inode, struct file *filp) return 0; } +/* + * The private pointer of the inode is the trace_event_file. + * Update the tr ref count associated to it. + */ +int tracing_open_file_tr(struct inode *inode, struct file *filp) +{ + struct trace_event_file *file = inode->i_private; + int ret; + + ret = tracing_check_open_get_tr(file->tr); + if (ret) + return ret; + + filp->private_data = inode->i_private; + + return 0; +} + +int tracing_release_file_tr(struct inode *inode, struct file *filp) +{ + struct trace_event_file *file = inode->i_private; + + trace_array_put(file->tr); + + return 0; +} + static int tracing_mark_open(struct inode *inode, struct file *filp) { stream_open(inode, filp); diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h index 5669dd1f90d9..77debe53f07c 100644 --- a/kernel/trace/trace.h +++ b/kernel/trace/trace.h @@ -610,6 +610,8 @@ void tracing_reset_all_online_cpus(void); void tracing_reset_all_online_cpus_unlocked(void); int tracing_open_generic(struct inode *inode, struct file *filp); int tracing_open_generic_tr(struct inode *inode, struct file *filp); +int tracing_open_file_tr(struct inode *inode, struct file *filp); +int tracing_release_file_tr(struct inode *inode, struct file *filp); bool tracing_is_disabled(void); bool tracer_tracing_is_on(struct trace_array *tr); void tracer_tracing_on(struct trace_array *tr); diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c index ed367d713be0..2af92177b765 100644 --- a/kernel/trace/trace_events.c +++ b/kernel/trace/trace_events.c @@ -2103,9 +2103,10 @@ static const struct file_operations ftrace_set_event_notrace_pid_fops = { }; static const struct file_operations ftrace_enable_fops = { - .open = tracing_open_generic, + .open = tracing_open_file_tr, .read = event_enable_read, .write = event_enable_write, + .release = tracing_release_file_tr, .llseek = default_llseek, }; @@ -2122,9 +2123,10 @@ static const struct file_operations ftrace_event_id_fops = { }; static const struct file_operations ftrace_event_filter_fops = { - .open = tracing_open_generic, + .open = tracing_open_file_tr, .read = event_filter_read, .write = event_filter_write, + .release = tracing_release_file_tr, .llseek = default_llseek, }; -- 2.40.1

2 years, 1 month

1
0
0 0

stable/linux-5.15.y baseline: 133 runs, 22 regressions (v5.15.131)

by kernelci.org bot

stable/linux-5.15.y baseline: 133 runs, 22 regressions (v5.15.131) Regressions Summary ------------------- platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ asus-C436FA-Flip-hatch | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...ok+kselftest | 1 asus-CM1400CXA-dalboz | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...ok+kselftest | 1 asus-cx9400-volteer | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...ok+kselftest | 1 bcm2836-rpi-2-b | arm | lab-collabora | gcc-10 | bcm2835_defconfig | 1 fsl-ls1028a-rdb | arm64 | lab-nxp | gcc-10 | defconfig+kselftest | 1 fsl-ls1088a-rdb | arm64 | lab-nxp | gcc-10 | defconfig+kselftest | 1 fsl-ls2088a-rdb | arm64 | lab-nxp | gcc-10 | defconfig+kselftest | 1 hp-x360-12b-c...4020-octopus | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...ok+kselftest | 1 hp-x360-14-G1-sona | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...ok+kselftest | 1 hp-x360-14a-cb0001xx-zork | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...ok+kselftest | 1 kontron-kbox-a-230-ls | arm64 | lab-kontron | gcc-10 | defconfig+kselftest | 1 kontron-sl28-var3-ads2 | arm64 | lab-kontron | gcc-10 | defconfig+kselftest | 1 lenovo-TPad-C13-Yoga-zork | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...ok+kselftest | 1 meson-gxl-s905x-libretech-cc | arm64 | lab-broonie | gcc-10 | defconfig+kselftest | 1 mt8173-elm-hana | arm64 | lab-collabora | gcc-10 | defconfig+arm...ok+kselftest | 1 r8a77960-ulcb | arm64 | lab-collabora | gcc-10 | defconfig | 1 r8a779m1-ulcb | arm64 | lab-collabora | gcc-10 | defconfig | 1 r8a779m1-ulcb | arm64 | lab-collabora | gcc-10 | defconfig+kselftest | 1 rk3399-rock-pi-4b | arm64 | lab-collabora | gcc-10 | defconfig+kselftest | 1 sun50i-a64-pine64-plus | arm64 | lab-broonie | gcc-10 | defconfig+kselftest | 1 sun50i-h5-lib...ch-all-h3-cc | arm64 | lab-broonie | gcc-10 | defconfig+kselftest | 1 sun50i-h6-pine-h64 | arm64 | lab-collabora | gcc-10 | defconfig | 1 Details: https://kernelci.org/test/job/stable/branch/linux-5.15.y/kernel/v5.15.131/p… Test: baseline Tree: stable Branch: linux-5.15.y Describe: v5.15.131 URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git SHA: aff03380bda4d25717170b42c92b54143aec0a36 Test Regressions ---------------- platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ asus-C436FA-Flip-hatch | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...ok+kselftest | 1 Details: https://kernelci.org/test/plan/id/64f8fa73a3d24913d0286dbc Results: 6 PASS, 1 FAIL, 0 SKIP Full config: x86_64_defconfig+x86-chromebook+kselftest Compiler: gcc-10 (gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/x86_64/x86_64_d… HTML log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/x86_64/x86_64_d… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.bootrr.deferred-probe-empty: https://kernelci.org/test/case/id/64f8fa73a3d24913d0286dc1 failing since 160 days (last pass: v5.15.104, first fail: v5.15.105) 2023-09-06T22:18:09.897131 <8>[ 12.244700] <LAVA_SIGNAL_ENDRUN 0_dmesg 11451342_1.4.2.3.1> 2023-09-06T22:18:09.900939 + set +x 2023-09-06T22:18:10.006494 # 2023-09-06T22:18:10.007869 2023-09-06T22:18:10.109544 / # #export SHELL=/bin/sh 2023-09-06T22:18:10.110206 2023-09-06T22:18:10.211572 / # export SHELL=/bin/sh. /lava-11451342/environment 2023-09-06T22:18:10.212306 2023-09-06T22:18:10.313689 / # . /lava-11451342/environment/lava-11451342/bin/lava-test-runner /lava-11451342/1 2023-09-06T22:18:10.314810 ... (13 line(s) more) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ asus-CM1400CXA-dalboz | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...ok+kselftest | 1 Details: https://kernelci.org/test/plan/id/64f8fa72a3d24913d0286da6 Results: 6 PASS, 1 FAIL, 0 SKIP Full config: x86_64_defconfig+x86-chromebook+kselftest Compiler: gcc-10 (gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/x86_64/x86_64_d… HTML log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/x86_64/x86_64_d… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.bootrr.deferred-probe-empty: https://kernelci.org/test/case/id/64f8fa72a3d24913d0286dab failing since 160 days (last pass: v5.15.104, first fail: v5.15.105) 2023-09-06T22:17:08.431681 <8>[ 12.236744] <LAVA_SIGNAL_ENDRUN 0_dmesg 11451352_1.4.2.3.1> 2023-09-06T22:17:08.540194 / # # 2023-09-06T22:17:08.642513 export SHELL=/bin/sh 2023-09-06T22:17:08.643268 # 2023-09-06T22:17:08.744631 / # export SHELL=/bin/sh. /lava-11451352/environment 2023-09-06T22:17:08.745319 2023-09-06T22:17:08.846736 / # . /lava-11451352/environment/lava-11451352/bin/lava-test-runner /lava-11451352/1 2023-09-06T22:17:08.847814 2023-09-06T22:17:08.852800 / # /lava-11451352/bin/lava-test-runner /lava-11451352/1 2023-09-06T22:17:08.865593 + export 'TESTRUN_ID=1_bootrr' ... (11 line(s) more) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ asus-cx9400-volteer | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...ok+kselftest | 1 Details: https://kernelci.org/test/plan/id/64f8fcac03ec45a990286d8f Results: 6 PASS, 1 FAIL, 0 SKIP Full config: x86_64_defconfig+x86-chromebook+kselftest Compiler: gcc-10 (gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/x86_64/x86_64_d… HTML log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/x86_64/x86_64_d… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.bootrr.deferred-probe-empty: https://kernelci.org/test/case/id/64f8fcac03ec45a990286d94 failing since 160 days (last pass: v5.15.104, first fail: v5.15.105) 2023-09-06T22:26:27.231382 <8>[ 11.043472] <LAVA_SIGNAL_ENDRUN 0_dmesg 11451354_1.4.2.3.1> 2023-09-06T22:26:27.234795 + set +x 2023-09-06T22:26:27.341098 2023-09-06T22:26:27.442907 / # #export SHELL=/bin/sh 2023-09-06T22:26:27.443666 2023-09-06T22:26:27.545302 / # export SHELL=/bin/sh. /lava-11451354/environment 2023-09-06T22:26:27.546189 2023-09-06T22:26:27.647728 / # . /lava-11451354/environment/lava-11451354/bin/lava-test-runner /lava-11451354/1 2023-09-06T22:26:27.649064 2023-09-06T22:26:27.654162 / # /lava-11451354/bin/lava-test-runner /lava-11451354/1 ... (12 line(s) more) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ bcm2836-rpi-2-b | arm | lab-collabora | gcc-10 | bcm2835_defconfig | 1 Details: https://kernelci.org/test/plan/id/64f8faaa7b61e09b88286d7b Results: 5 PASS, 1 FAIL, 1 SKIP Full config: bcm2835_defconfig Compiler: gcc-10 (arm-linux-gnueabihf-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/arm/bcm2835_def… HTML log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/arm/bcm2835_def… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.bootrr.deferred-probe-empty: https://kernelci.org/test/case/id/64f8faaa7b61e09b88286d80 failing since 41 days (last pass: v5.15.119, first fail: v5.15.123) 2023-09-06T22:19:37.519524 / # # 2023-09-06T22:19:37.621822 export SHELL=/bin/sh 2023-09-06T22:19:37.622547 # 2023-09-06T22:19:37.723954 / # export SHELL=/bin/sh. /lava-11451369/environment 2023-09-06T22:19:37.724683 2023-09-06T22:19:37.826159 / # . /lava-11451369/environment/lava-11451369/bin/lava-test-runner /lava-11451369/1 2023-09-06T22:19:37.827292 2023-09-06T22:19:37.869487 / # /lava-11451369/bin/lava-test-runner /lava-11451369/1 2023-09-06T22:19:37.952413 + export 'TESTRUN_ID=1_bootrr' 2023-09-06T22:19:37.952949 + cd /lava-11451369/1/tests/1_bootrr ... (12 line(s) more) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ fsl-ls1028a-rdb | arm64 | lab-nxp | gcc-10 | defconfig+kselftest | 1 Details: https://kernelci.org/test/plan/id/64f906667ef18915af286d6e Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig+kselftest Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/arm64/defconfig… HTML log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/arm64/defconfig… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.login: https://kernelci.org/test/case/id/64f906677ef18915af286d6f failing since 4 days (last pass: v5.15.128, first fail: v5.15.130) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ fsl-ls1088a-rdb | arm64 | lab-nxp | gcc-10 | defconfig+kselftest | 1 Details: https://kernelci.org/test/plan/id/64f906526eb01202d3286d7a Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig+kselftest Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/arm64/defconfig… HTML log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/arm64/defconfig… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.login: https://kernelci.org/test/case/id/64f906526eb01202d3286d7b failing since 4 days (last pass: v5.15.128, first fail: v5.15.130) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ fsl-ls2088a-rdb | arm64 | lab-nxp | gcc-10 | defconfig+kselftest | 1 Details: https://kernelci.org/test/plan/id/64f906696eb01202d3286d80 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig+kselftest Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/arm64/defconfig… HTML log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/arm64/defconfig… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.login: https://kernelci.org/test/case/id/64f906696eb01202d3286d81 failing since 4 days (last pass: v5.15.128, first fail: v5.15.130) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ hp-x360-12b-c...4020-octopus | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...ok+kselftest | 1 Details: https://kernelci.org/test/plan/id/64f8fc0a18c05b8baa286d6d Results: 6 PASS, 1 FAIL, 0 SKIP Full config: x86_64_defconfig+x86-chromebook+kselftest Compiler: gcc-10 (gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/x86_64/x86_64_d… HTML log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/x86_64/x86_64_d… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.bootrr.deferred-probe-empty: https://kernelci.org/test/case/id/64f8fc0a18c05b8baa286d72 failing since 160 days (last pass: v5.15.104, first fail: v5.15.105) 2023-09-06T22:23:47.461650 + set +x 2023-09-06T22:23:47.467892 <8>[ 12.434867] <LAVA_SIGNAL_ENDRUN 0_dmesg 11451346_1.4.2.3.1> 2023-09-06T22:23:47.575369 / # # 2023-09-06T22:23:47.677973 export SHELL=/bin/sh 2023-09-06T22:23:47.678657 # 2023-09-06T22:23:47.780376 / # export SHELL=/bin/sh. /lava-11451346/environment 2023-09-06T22:23:47.781156 2023-09-06T22:23:47.882728 / # . /lava-11451346/environment/lava-11451346/bin/lava-test-runner /lava-11451346/1 2023-09-06T22:23:47.883907 2023-09-06T22:23:47.888833 / # /lava-11451346/bin/lava-test-runner /lava-11451346/1 ... (12 line(s) more) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ hp-x360-14-G1-sona | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...ok+kselftest | 1 Details: https://kernelci.org/test/plan/id/64f8fa3ad2dde92fae286d6f Results: 6 PASS, 1 FAIL, 0 SKIP Full config: x86_64_defconfig+x86-chromebook+kselftest Compiler: gcc-10 (gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/x86_64/x86_64_d… HTML log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/x86_64/x86_64_d… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.bootrr.deferred-probe-empty: https://kernelci.org/test/case/id/64f8fa3ad2dde92fae286d74 failing since 160 days (last pass: v5.15.104, first fail: v5.15.105) 2023-09-06T22:16:17.612074 + set +x 2023-09-06T22:16:17.618388 <8>[ 11.430984] <LAVA_SIGNAL_ENDRUN 0_dmesg 11451335_1.4.2.3.1> 2023-09-06T22:16:17.722773 / # # 2023-09-06T22:16:17.823438 export SHELL=/bin/sh 2023-09-06T22:16:17.823704 # 2023-09-06T22:16:17.924218 / # export SHELL=/bin/sh. /lava-11451335/environment 2023-09-06T22:16:17.924424 2023-09-06T22:16:18.024940 / # . /lava-11451335/environment/lava-11451335/bin/lava-test-runner /lava-11451335/1 2023-09-06T22:16:18.025273 2023-09-06T22:16:18.030744 / # /lava-11451335/bin/lava-test-runner /lava-11451335/1 ... (12 line(s) more) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ hp-x360-14a-cb0001xx-zork | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...ok+kselftest | 1 Details: https://kernelci.org/test/plan/id/64f8fa6ea3d24913d0286d87 Results: 6 PASS, 1 FAIL, 0 SKIP Full config: x86_64_defconfig+x86-chromebook+kselftest Compiler: gcc-10 (gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/x86_64/x86_64_d… HTML log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/x86_64/x86_64_d… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.bootrr.deferred-probe-empty: https://kernelci.org/test/case/id/64f8fa6ea3d24913d0286d8c failing since 160 days (last pass: v5.15.104, first fail: v5.15.105) 2023-09-06T22:16:59.177351 + <8>[ 12.149639] <LAVA_SIGNAL_ENDRUN 0_dmesg 11451361_1.4.2.3.1> 2023-09-06T22:16:59.177745 set +x 2023-09-06T22:16:59.284846 / # # 2023-09-06T22:16:59.386828 export SHELL=/bin/sh 2023-09-06T22:16:59.387037 # 2023-09-06T22:16:59.487743 / # export SHELL=/bin/sh. /lava-11451361/environment 2023-09-06T22:16:59.488445 2023-09-06T22:16:59.589831 / # . /lava-11451361/environment/lava-11451361/bin/lava-test-runner /lava-11451361/1 2023-09-06T22:16:59.590926 2023-09-06T22:16:59.595707 / # /lava-11451361/bin/lava-test-runner /lava-11451361/1 ... (12 line(s) more) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ kontron-kbox-a-230-ls | arm64 | lab-kontron | gcc-10 | defconfig+kselftest | 1 Details: https://kernelci.org/test/plan/id/64f90620b5c16b6bec286d76 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig+kselftest Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/arm64/defconfig… HTML log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/arm64/defconfig… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.login: https://kernelci.org/test/case/id/64f90620b5c16b6bec286d77 failing since 4 days (last pass: v5.15.128, first fail: v5.15.130) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ kontron-sl28-var3-ads2 | arm64 | lab-kontron | gcc-10 | defconfig+kselftest | 1 Details: https://kernelci.org/test/plan/id/64f906226bfe8d57fe286d85 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig+kselftest Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/arm64/defconfig… HTML log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/arm64/defconfig… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.login: https://kernelci.org/test/case/id/64f906226bfe8d57fe286d86 new failure (last pass: v5.15.128) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ lenovo-TPad-C13-Yoga-zork | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...ok+kselftest | 1 Details: https://kernelci.org/test/plan/id/64f8fa5ad2dde92fae286d98 Results: 6 PASS, 1 FAIL, 0 SKIP Full config: x86_64_defconfig+x86-chromebook+kselftest Compiler: gcc-10 (gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/x86_64/x86_64_d… HTML log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/x86_64/x86_64_d… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.bootrr.deferred-probe-empty: https://kernelci.org/test/case/id/64f8fa5ad2dde92fae286d9d failing since 160 days (last pass: v5.15.104, first fail: v5.15.105) 2023-09-06T22:16:44.398642 + <8>[ 13.402062] <LAVA_SIGNAL_ENDRUN 0_dmesg 11451353_1.4.2.3.1> 2023-09-06T22:16:44.398762 set +x 2023-09-06T22:16:44.503378 / # # 2023-09-06T22:16:44.604110 export SHELL=/bin/sh 2023-09-06T22:16:44.604343 # 2023-09-06T22:16:44.704849 / # export SHELL=/bin/sh. /lava-11451353/environment 2023-09-06T22:16:44.705087 2023-09-06T22:16:44.805630 / # . /lava-11451353/environment/lava-11451353/bin/lava-test-runner /lava-11451353/1 2023-09-06T22:16:44.805993 2023-09-06T22:16:44.811453 / # /lava-11451353/bin/lava-test-runner /lava-11451353/1 ... (12 line(s) more) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ meson-gxl-s905x-libretech-cc | arm64 | lab-broonie | gcc-10 | defconfig+kselftest | 1 Details: https://kernelci.org/test/plan/id/64f90606b5c16b6bec286d6c Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig+kselftest Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/arm64/defconfig… HTML log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/arm64/defconfig… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.login: https://kernelci.org/test/case/id/64f90606b5c16b6bec286d6d failing since 4 days (last pass: v5.15.128, first fail: v5.15.130) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ mt8173-elm-hana | arm64 | lab-collabora | gcc-10 | defconfig+arm...ok+kselftest | 1 Details: https://kernelci.org/test/plan/id/64f903b9571cb73ce3286d6e Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig+arm64-chromebook+kselftest Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/arm64/defconfig… HTML log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/arm64/defconfig… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.login: https://kernelci.org/test/case/id/64f903b9571cb73ce3286d6f failing since 225 days (last pass: v5.15.89, first fail: v5.15.90) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ r8a77960-ulcb | arm64 | lab-collabora | gcc-10 | defconfig | 1 Details: https://kernelci.org/test/plan/id/64f9022f5dea1f9047286d6c Results: 4 PASS, 2 FAIL, 1 SKIP Full config: defconfig Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/arm64/defconfig… HTML log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/arm64/defconfig… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.bootrr.deferred-probe-empty: https://kernelci.org/test/case/id/64f9022f5dea1f9047286d75 failing since 41 days (last pass: v5.15.119, first fail: v5.15.123) 2023-09-06T22:51:47.560074 / # # 2023-09-06T22:51:47.660684 export SHELL=/bin/sh 2023-09-06T22:51:47.660854 # 2023-09-06T22:51:47.761403 / # export SHELL=/bin/sh. /lava-11451665/environment 2023-09-06T22:51:47.761620 2023-09-06T22:51:47.862241 / # . /lava-11451665/environment/lava-11451665/bin/lava-test-runner /lava-11451665/1 2023-09-06T22:51:47.862549 2023-09-06T22:51:47.873565 / # /lava-11451665/bin/lava-test-runner /lava-11451665/1 2023-09-06T22:51:47.917027 + export 'TESTRUN_ID=1_bootrr' 2023-09-06T22:51:47.932619 + cd /lav<8>[ 15.917732] <LAVA_SIGNAL_STARTRUN 1_bootrr 11451665_1.5.2.4.5> ... (28 line(s) more) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ r8a779m1-ulcb | arm64 | lab-collabora | gcc-10 | defconfig | 1 Details: https://kernelci.org/test/plan/id/64f9026671e545a088286d6e Results: 5 PASS, 1 FAIL, 1 SKIP Full config: defconfig Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/arm64/defconfig… HTML log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/arm64/defconfig… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.bootrr.deferred-probe-empty: https://kernelci.org/test/case/id/64f9026771e545a088286d77 failing since 41 days (last pass: v5.15.119, first fail: v5.15.123) 2023-09-06T22:51:09.068551 / # # 2023-09-06T22:51:10.146178 export SHELL=/bin/sh 2023-09-06T22:51:10.147410 # 2023-09-06T22:51:11.633856 / # export SHELL=/bin/sh. /lava-11451653/environment 2023-09-06T22:51:11.635796 2023-09-06T22:51:14.359316 / # . /lava-11451653/environment/lava-11451653/bin/lava-test-runner /lava-11451653/1 2023-09-06T22:51:14.361475 2023-09-06T22:51:14.376240 / # /lava-11451653/bin/lava-test-runner /lava-11451653/1 2023-09-06T22:51:14.392485 + export 'TESTRUN_ID=1_bootrr' 2023-09-06T22:51:14.435265 + cd /lava-114516<8>[ 25.483863] <LAVA_SIGNAL_STARTRUN 1_bootrr 11451653_1.5.2.4.5> ... (38 line(s) more) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ r8a779m1-ulcb | arm64 | lab-collabora | gcc-10 | defconfig+kselftest | 1 Details: https://kernelci.org/test/plan/id/64f90622b5c16b6bec286d7b Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig+kselftest Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/arm64/defconfig… HTML log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/arm64/defconfig… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.login: https://kernelci.org/test/case/id/64f90622b5c16b6bec286d7c failing since 4 days (last pass: v5.15.128, first fail: v5.15.130) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ rk3399-rock-pi-4b | arm64 | lab-collabora | gcc-10 | defconfig+kselftest | 1 Details: https://kernelci.org/test/plan/id/64f906206eb01202d3286d71 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig+kselftest Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/arm64/defconfig… HTML log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/arm64/defconfig… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.login: https://kernelci.org/test/case/id/64f906206eb01202d3286d72 failing since 4 days (last pass: v5.15.128, first fail: v5.15.130) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ sun50i-a64-pine64-plus | arm64 | lab-broonie | gcc-10 | defconfig+kselftest | 1 Details: https://kernelci.org/test/plan/id/64f906066bfe8d57fe286d7a Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig+kselftest Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/arm64/defconfig… HTML log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/arm64/defconfig… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.login: https://kernelci.org/test/case/id/64f906066bfe8d57fe286d7b failing since 4 days (last pass: v5.15.128, first fail: v5.15.130) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ sun50i-h5-lib...ch-all-h3-cc | arm64 | lab-broonie | gcc-10 | defconfig+kselftest | 1 Details: https://kernelci.org/test/plan/id/64f90608b5c16b6bec286d70 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig+kselftest Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/arm64/defconfig… HTML log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/arm64/defconfig… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.login: https://kernelci.org/test/case/id/64f90608b5c16b6bec286d71 new failure (last pass: v5.15.128) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ sun50i-h6-pine-h64 | arm64 | lab-collabora | gcc-10 | defconfig | 1 Details: https://kernelci.org/test/plan/id/64f90240ca12ae41cf286d6d Results: 5 PASS, 1 FAIL, 1 SKIP Full config: defconfig Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/arm64/defconfig… HTML log: https://storage.kernelci.org//stable/linux-5.15.y/v5.15.131/arm64/defconfig… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.bootrr.deferred-probe-empty: https://kernelci.org/test/case/id/64f90240ca12ae41cf286d76 failing since 41 days (last pass: v5.15.119, first fail: v5.15.123) 2023-09-06T22:52:04.186005 / # # 2023-09-06T22:52:04.287891 export SHELL=/bin/sh 2023-09-06T22:52:04.288102 # 2023-09-06T22:52:04.388613 / # export SHELL=/bin/sh. /lava-11451662/environment 2023-09-06T22:52:04.388746 2023-09-06T22:52:04.489212 / # . /lava-11451662/environment/lava-11451662/bin/lava-test-runner /lava-11451662/1 2023-09-06T22:52:04.489415 2023-09-06T22:52:04.499380 / # /lava-11451662/bin/lava-test-runner /lava-11451662/1 2023-09-06T22:52:04.561461 + export 'TESTRUN_ID=1_bootrr' 2023-09-06T22:52:04.561570 + cd /lava-1145166<8>[ 16.846109] <LAVA_SIGNAL_STARTRUN 1_bootrr 11451662_1.5.2.4.5> ... (10 line(s) more)

2 years, 1 month

1
0
0 0

stable-rc/linux-6.1.y baseline: 112 runs, 10 regressions (v6.1.52)

by kernelci.org bot

stable-rc/linux-6.1.y baseline: 112 runs, 10 regressions (v6.1.52) Regressions Summary ------------------- platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ acer-chromebox-cxi4-puff | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...6-chromebook | 1 asus-C436FA-Flip-hatch | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...6-chromebook | 1 asus-CM1400CXA-dalboz | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...6-chromebook | 1 asus-cx9400-volteer | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...6-chromebook | 1 hp-x360-12b-c...4020-octopus | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...6-chromebook | 1 hp-x360-14a-cb0001xx-zork | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...6-chromebook | 1 lenovo-TPad-C13-Yoga-zork | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...6-chromebook | 1 r8a77960-ulcb | arm64 | lab-collabora | gcc-10 | defconfig | 1 r8a779m1-ulcb | arm64 | lab-collabora | gcc-10 | defconfig | 1 sun50i-h6-pine-h64 | arm64 | lab-collabora | gcc-10 | defconfig | 1 Details: https://kernelci.org/test/job/stable-rc/branch/linux-6.1.y/kernel/v6.1.52/p… Test: baseline Tree: stable-rc Branch: linux-6.1.y Describe: v6.1.52 URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git SHA: 59b13c2b647e464dd85622c89d7f16c15d681e96 Test Regressions ---------------- platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ acer-chromebox-cxi4-puff | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...6-chromebook | 1 Details: https://kernelci.org/test/plan/id/64f8f745885bf7e877286d88 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: x86_64_defconfig+x86-chromebook Compiler: gcc-10 (gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/linux-6.1.y/v6.1.52/x86_64/x86_64_d… HTML log: https://storage.kernelci.org//stable-rc/linux-6.1.y/v6.1.52/x86_64/x86_64_d… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.login: https://kernelci.org/test/case/id/64f8f745885bf7e877286d89 failing since 4 days (last pass: v6.1.50-11-g1767553758a66, first fail: v6.1.51) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ asus-C436FA-Flip-hatch | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...6-chromebook | 1 Details: https://kernelci.org/test/plan/id/64f8f719e826411416286d88 Results: 6 PASS, 1 FAIL, 0 SKIP Full config: x86_64_defconfig+x86-chromebook Compiler: gcc-10 (gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/linux-6.1.y/v6.1.52/x86_64/x86_64_d… HTML log: https://storage.kernelci.org//stable-rc/linux-6.1.y/v6.1.52/x86_64/x86_64_d… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.bootrr.deferred-probe-empty: https://kernelci.org/test/case/id/64f8f719e826411416286d8d failing since 160 days (last pass: v6.1.21, first fail: v6.1.22) 2023-09-06T22:03:53.514764 <8>[ 10.456042] <LAVA_SIGNAL_ENDRUN 0_dmesg 11451215_1.4.2.3.1> 2023-09-06T22:03:53.518034 + set +x 2023-09-06T22:03:53.619412 # 2023-09-06T22:03:53.720242 / # #export SHELL=/bin/sh 2023-09-06T22:03:53.720447 2023-09-06T22:03:53.820973 / # export SHELL=/bin/sh. /lava-11451215/environment 2023-09-06T22:03:53.821172 2023-09-06T22:03:53.921708 / # . /lava-11451215/environment/lava-11451215/bin/lava-test-runner /lava-11451215/1 2023-09-06T22:03:53.922016 2023-09-06T22:03:53.928019 / # /lava-11451215/bin/lava-test-runner /lava-11451215/1 ... (12 line(s) more) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ asus-CM1400CXA-dalboz | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...6-chromebook | 1 Details: https://kernelci.org/test/plan/id/64f8f97d2441d083c5286dae Results: 6 PASS, 1 FAIL, 0 SKIP Full config: x86_64_defconfig+x86-chromebook Compiler: gcc-10 (gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/linux-6.1.y/v6.1.52/x86_64/x86_64_d… HTML log: https://storage.kernelci.org//stable-rc/linux-6.1.y/v6.1.52/x86_64/x86_64_d… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.bootrr.deferred-probe-empty: https://kernelci.org/test/case/id/64f8f97d2441d083c5286db3 failing since 160 days (last pass: v6.1.21, first fail: v6.1.22) 2023-09-06T22:12:56.591196 + set<8>[ 11.175173] <LAVA_SIGNAL_ENDRUN 0_dmesg 11451227_1.4.2.3.1> 2023-09-06T22:12:56.591620 +x 2023-09-06T22:12:56.698649 / # # 2023-09-06T22:12:56.800661 export SHELL=/bin/sh 2023-09-06T22:12:56.801517 # 2023-09-06T22:12:56.903198 / # export SHELL=/bin/sh. /lava-11451227/environment 2023-09-06T22:12:56.903849 2023-09-06T22:12:57.005347 / # . /lava-11451227/environment/lava-11451227/bin/lava-test-runner /lava-11451227/1 2023-09-06T22:12:57.006817 2023-09-06T22:12:57.011754 / # /lava-11451227/bin/lava-test-runner /lava-11451227/1 ... (12 line(s) more) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ asus-cx9400-volteer | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...6-chromebook | 1 Details: https://kernelci.org/test/plan/id/64f8fc8218c05b8baa286ec3 Results: 6 PASS, 1 FAIL, 0 SKIP Full config: x86_64_defconfig+x86-chromebook Compiler: gcc-10 (gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/linux-6.1.y/v6.1.52/x86_64/x86_64_d… HTML log: https://storage.kernelci.org//stable-rc/linux-6.1.y/v6.1.52/x86_64/x86_64_d… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.bootrr.deferred-probe-empty: https://kernelci.org/test/case/id/64f8fc8218c05b8baa286ec8 failing since 160 days (last pass: v6.1.21, first fail: v6.1.22) 2023-09-06T22:25:46.633046 <8>[ 11.077347] <LAVA_SIGNAL_ENDRUN 0_dmesg 11451199_1.4.2.3.1> 2023-09-06T22:25:46.636431 + set +x 2023-09-06T22:25:46.739076 2023-09-06T22:25:46.840806 / # #export SHELL=/bin/sh 2023-09-06T22:25:46.841633 2023-09-06T22:25:46.943250 / # export SHELL=/bin/sh. /lava-11451199/environment 2023-09-06T22:25:46.944059 2023-09-06T22:25:47.045816 / # . /lava-11451199/environment/lava-11451199/bin/lava-test-runner /lava-11451199/1 2023-09-06T22:25:47.047075 2023-09-06T22:25:47.052692 / # /lava-11451199/bin/lava-test-runner /lava-11451199/1 ... (12 line(s) more) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ hp-x360-12b-c...4020-octopus | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...6-chromebook | 1 Details: https://kernelci.org/test/plan/id/64f8fc14fb1a91fe79286e3c Results: 6 PASS, 1 FAIL, 0 SKIP Full config: x86_64_defconfig+x86-chromebook Compiler: gcc-10 (gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/linux-6.1.y/v6.1.52/x86_64/x86_64_d… HTML log: https://storage.kernelci.org//stable-rc/linux-6.1.y/v6.1.52/x86_64/x86_64_d… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.bootrr.deferred-probe-empty: https://kernelci.org/test/case/id/64f8fc14fb1a91fe79286e41 failing since 160 days (last pass: v6.1.21, first fail: v6.1.22) 2023-09-06T22:24:55.777219 + set +x 2023-09-06T22:24:55.784132 <8>[ 10.864746] <LAVA_SIGNAL_ENDRUN 0_dmesg 11451205_1.4.2.3.1> 2023-09-06T22:24:55.892479 / # # 2023-09-06T22:24:55.995021 export SHELL=/bin/sh 2023-09-06T22:24:55.995772 # 2023-09-06T22:24:56.097308 / # export SHELL=/bin/sh. /lava-11451205/environment 2023-09-06T22:24:56.098206 2023-09-06T22:24:56.199982 / # . /lava-11451205/environment/lava-11451205/bin/lava-test-runner /lava-11451205/1 2023-09-06T22:24:56.201082 2023-09-06T22:24:56.206062 / # /lava-11451205/bin/lava-test-runner /lava-11451205/1 ... (12 line(s) more) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ hp-x360-14a-cb0001xx-zork | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...6-chromebook | 1 Details: https://kernelci.org/test/plan/id/64f8f721a62e1fbadc286d6f Results: 6 PASS, 1 FAIL, 0 SKIP Full config: x86_64_defconfig+x86-chromebook Compiler: gcc-10 (gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/linux-6.1.y/v6.1.52/x86_64/x86_64_d… HTML log: https://storage.kernelci.org//stable-rc/linux-6.1.y/v6.1.52/x86_64/x86_64_d… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.bootrr.deferred-probe-empty: https://kernelci.org/test/case/id/64f8f721a62e1fbadc286d74 failing since 160 days (last pass: v6.1.21, first fail: v6.1.22) 2023-09-06T22:02:56.195970 + set<8>[ 8.591876] <LAVA_SIGNAL_ENDRUN 0_dmesg 11451187_1.4.2.3.1> 2023-09-06T22:02:56.196084 +x 2023-09-06T22:02:56.300275 / # # 2023-09-06T22:02:56.400976 export SHELL=/bin/sh 2023-09-06T22:02:56.401202 # 2023-09-06T22:02:56.501762 / # export SHELL=/bin/sh. /lava-11451187/environment 2023-09-06T22:02:56.501966 2023-09-06T22:02:56.602477 / # . /lava-11451187/environment/lava-11451187/bin/lava-test-runner /lava-11451187/1 2023-09-06T22:02:56.602785 2023-09-06T22:02:56.607096 / # /lava-11451187/bin/lava-test-runner /lava-11451187/1 ... (12 line(s) more) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ lenovo-TPad-C13-Yoga-zork | x86_64 | lab-collabora | gcc-10 | x86_64_defcon...6-chromebook | 1 Details: https://kernelci.org/test/plan/id/64f8f97c2441d083c5286da1 Results: 6 PASS, 1 FAIL, 0 SKIP Full config: x86_64_defconfig+x86-chromebook Compiler: gcc-10 (gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/linux-6.1.y/v6.1.52/x86_64/x86_64_d… HTML log: https://storage.kernelci.org//stable-rc/linux-6.1.y/v6.1.52/x86_64/x86_64_d… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.bootrr.deferred-probe-empty: https://kernelci.org/test/case/id/64f8f97c2441d083c5286da6 failing since 160 days (last pass: v6.1.21, first fail: v6.1.22) 2023-09-06T22:12:58.775689 + set<8>[ 11.169326] <LAVA_SIGNAL_ENDRUN 0_dmesg 11451208_1.4.2.3.1> 2023-09-06T22:12:58.776308 +x 2023-09-06T22:12:58.884172 / # # 2023-09-06T22:12:58.986563 export SHELL=/bin/sh 2023-09-06T22:12:58.987338 # 2023-09-06T22:12:59.089078 / # export SHELL=/bin/sh. /lava-11451208/environment 2023-09-06T22:12:59.089880 2023-09-06T22:12:59.191789 / # . /lava-11451208/environment/lava-11451208/bin/lava-test-runner /lava-11451208/1 2023-09-06T22:12:59.193105 2023-09-06T22:12:59.198427 / # /lava-11451208/bin/lava-test-runner /lava-11451208/1 ... (12 line(s) more) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ r8a77960-ulcb | arm64 | lab-collabora | gcc-10 | defconfig | 1 Details: https://kernelci.org/test/plan/id/64f8fb85a46b2c266c286d6d Results: 4 PASS, 2 FAIL, 1 SKIP Full config: defconfig Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/linux-6.1.y/v6.1.52/arm64/defconfig… HTML log: https://storage.kernelci.org//stable-rc/linux-6.1.y/v6.1.52/arm64/defconfig… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.bootrr.deferred-probe-empty: https://kernelci.org/test/case/id/64f8fb85a46b2c266c286d72 failing since 51 days (last pass: v6.1.38-393-gb6386e7314b4, first fail: v6.1.38-590-gce7ec1011187) 2023-09-06T22:23:11.465704 / # # 2023-09-06T22:23:11.566456 export SHELL=/bin/sh 2023-09-06T22:23:11.566725 # 2023-09-06T22:23:11.667287 / # export SHELL=/bin/sh. /lava-11451451/environment 2023-09-06T22:23:11.667574 2023-09-06T22:23:11.768422 / # . /lava-11451451/environment/lava-11451451/bin/lava-test-runner /lava-11451451/1 2023-09-06T22:23:11.769639 2023-09-06T22:23:11.774288 / # /lava-11451451/bin/lava-test-runner /lava-11451451/1 2023-09-06T22:23:11.834595 + export 'TESTRUN_ID=1_bootrr' 2023-09-06T22:23:11.835097 + cd /lav<8>[ 19.134982] <LAVA_SIGNAL_STARTRUN 1_bootrr 11451451_1.5.2.4.5> ... (28 line(s) more) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ r8a779m1-ulcb | arm64 | lab-collabora | gcc-10 | defconfig | 1 Details: https://kernelci.org/test/plan/id/64f8fbabee72ec8051286d96 Results: 5 PASS, 1 FAIL, 1 SKIP Full config: defconfig Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/linux-6.1.y/v6.1.52/arm64/defconfig… HTML log: https://storage.kernelci.org//stable-rc/linux-6.1.y/v6.1.52/arm64/defconfig… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.bootrr.deferred-probe-empty: https://kernelci.org/test/case/id/64f8fbabee72ec8051286d9b failing since 51 days (last pass: v6.1.38-393-gb6386e7314b4, first fail: v6.1.38-590-gce7ec1011187) 2023-09-06T22:23:46.099603 / # # 2023-09-06T22:23:47.178402 export SHELL=/bin/sh 2023-09-06T22:23:47.180163 # 2023-09-06T22:23:48.668765 / # export SHELL=/bin/sh. /lava-11451447/environment 2023-09-06T22:23:48.670543 2023-09-06T22:23:51.387929 / # . /lava-11451447/environment/lava-11451447/bin/lava-test-runner /lava-11451447/1 2023-09-06T22:23:51.390073 2023-09-06T22:23:51.391174 / # /lava-11451447/bin/lava-test-runner /lava-11451447/1 2023-09-06T22:23:51.458085 + export 'TESTRUN_ID=1_bootrr' 2023-09-06T22:23:51.458571 + cd /lava-114514<8>[ 28.471552] <LAVA_SIGNAL_STARTRUN 1_bootrr 11451447_1.5.2.4.5> ... (39 line(s) more) platform | arch | lab | compiler | defconfig | regressions -----------------------------+--------+---------------+----------+------------------------------+------------ sun50i-h6-pine-h64 | arm64 | lab-collabora | gcc-10 | defconfig | 1 Details: https://kernelci.org/test/plan/id/64f8fb876d166516c5286dfc Results: 5 PASS, 1 FAIL, 1 SKIP Full config: defconfig Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/linux-6.1.y/v6.1.52/arm64/defconfig… HTML log: https://storage.kernelci.org//stable-rc/linux-6.1.y/v6.1.52/arm64/defconfig… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2023… * baseline.bootrr.deferred-probe-empty: https://kernelci.org/test/case/id/64f8fb876d166516c5286e01 failing since 51 days (last pass: v6.1.38-393-gb6386e7314b4, first fail: v6.1.38-590-gce7ec1011187) 2023-09-06T22:23:24.619383 / # # 2023-09-06T22:23:24.721565 export SHELL=/bin/sh 2023-09-06T22:23:24.722269 # 2023-09-06T22:23:24.823682 / # export SHELL=/bin/sh. /lava-11451453/environment 2023-09-06T22:23:24.824393 2023-09-06T22:23:24.925817 / # . /lava-11451453/environment/lava-11451453/bin/lava-test-runner /lava-11451453/1 2023-09-06T22:23:24.926902 2023-09-06T22:23:24.943665 / # /lava-11451453/bin/lava-test-runner /lava-11451453/1 2023-09-06T22:23:25.009642 + export 'TESTRUN_ID=1_bootrr' 2023-09-06T22:23:25.010162 + cd /lava-1145145<8>[ 17.037107] <LAVA_SIGNAL_STARTRUN 1_bootrr 11451453_1.5.2.4.5> ... (11 line(s) more)

2 years, 1 month

1
0
0 0

[PATCH v3] LoongArch: add p?d_leaf() definitions

by Hongchen Zhang

When I do LTP test, LTP test case ksm06 caused panic at break_ksm_pmd_entry -> pmd_leaf (Huge page table but False) -> pte_present (panic) The reason is pmd_leaf is not defined, So like commit 501b81046701 ("mips: mm: add p?d_leaf() definitions") add p?d_leaf() definition for LoongArch. Fixes: 09cfefb7fa70 ("LoongArch: Add memory management") Cc: stable(a)vger.kernel.org Signed-off-by: Hongchen Zhang <zhanghongchen(a)loongson.cn> --- v2->v3: add Cc: stable(a)vger.kernel.org v1->v2: add Fixes in commit message --- arch/loongarch/include/asm/pgtable.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/loongarch/include/asm/pgtable.h b/arch/loongarch/include/asm/pgtable.h index 370c6568ceb8..ea54653b7aab 100644 --- a/arch/loongarch/include/asm/pgtable.h +++ b/arch/loongarch/include/asm/pgtable.h @@ -243,6 +243,9 @@ static inline void pmd_clear(pmd_t *pmdp) #define pmd_phys(pmd) PHYSADDR(pmd_val(pmd)) +#define pmd_leaf(pmd) ((pmd_val(pmd) & _PAGE_HUGE) != 0) +#define pud_leaf(pud) ((pud_val(pud) & _PAGE_HUGE) != 0) + #ifndef CONFIG_TRANSPARENT_HUGEPAGE #define pmd_page(pmd) (pfn_to_page(pmd_phys(pmd) >> PAGE_SHIFT)) #endif /* CONFIG_TRANSPARENT_HUGEPAGE */ -- 2.33.0

2 years, 1 month

3
2
0 0

GET BACK TO ME

by Johnson Martins

Greetings, I saw your profile and decided that you could cooperate with me in this proposition. My client Mr. William who died as a result of a heart-related condition. I contacted you to assist in getting the fund left behind as the next-of-kin Kindly indicate your interest. Best Regards, Johnson Martins.

2 years, 1 month

1
0
0 0

[PATCH] ceph: remove the incorrect caps check in _file_size()

by xiubli＠redhat.com

From: Xiubo Li <xiubli(a)redhat.com> When truncating the inode the MDS will acquire the xlock for the ifile Locker, which will revoke the 'Frwsxl' caps from the clients. But when the client just releases and flushes the 'Fw' caps to MDS, for exmaple, and once the MDS receives the caps flushing msg it just thought the revocation has finished. Then the MDS will continue truncating the inode and then issued the truncate notification to all the clients. While just before the clients receives the cap flushing ack they receive the truncation notification, the clients will detecte that the 'issued | dirty' is still holding the 'Fw' caps. Cc: stable(a)vger.kernel.org URL: https://tracker.ceph.com/issues/56693 Signed-off-by: Xiubo Li <xiubli(a)redhat.com> --- fs/ceph/inode.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c index ea6f966dacd5..8017b9e5864f 100644 --- a/fs/ceph/inode.c +++ b/fs/ceph/inode.c @@ -769,9 +769,7 @@ int ceph_fill_file_size(struct inode *inode, int issued, ci->i_truncate_seq = truncate_seq; /* the MDS should have revoked these caps */ - WARN_ON_ONCE(issued & (CEPH_CAP_FILE_EXCL | - CEPH_CAP_FILE_RD | - CEPH_CAP_FILE_WR | + WARN_ON_ONCE(issued & (CEPH_CAP_FILE_RD | CEPH_CAP_FILE_LAZYIO)); /* * If we hold relevant caps, or in the case where we're -- 2.41.0

2 years, 1 month

3
2
0 0

[merged mm-hotfixes-stable] mm-vmalloc-add-a-safer-version-of-find_vm_area-for-debug.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/vmalloc: add a safer version of find_vm_area() for debug has been removed from the -mm tree. Its filename was mm-vmalloc-add-a-safer-version-of-find_vm_area-for-debug.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: "Joel Fernandes (Google)" <joel(a)joelfernandes.org> Subject: mm/vmalloc: add a safer version of find_vm_area() for debug Date: Mon, 4 Sep 2023 18:08:04 +0000 It is unsafe to dump vmalloc area information when trying to do so from some contexts. Add a safer trylock version of the same function to do a best-effort VMA finding and use it from vmalloc_dump_obj(). [applied test robot feedback on unused function fix.] [applied Uladzislau feedback on locking.] Link: https://lkml.kernel.org/r/20230904180806.1002832-1-joel@joelfernandes.org Fixes: 98f180837a89 ("mm: Make mem_dump_obj() handle vmalloc() memory") Signed-off-by: Joel Fernandes (Google) <joel(a)joelfernandes.org> Reviewed-by: Uladzislau Rezki (Sony) <urezki(a)gmail.com> Reported-by: Zhen Lei <thunder.leizhen(a)huaweicloud.com> Cc: Paul E. McKenney <paulmck(a)kernel.org> Cc: Zqiang <qiang.zhang1211(a)gmail.com> Cc: <stable(a)vger.kernel.org> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/vmalloc.c | 26 ++++++++++++++++++++++---- 1 file changed, 22 insertions(+), 4 deletions(-) --- a/mm/vmalloc.c~mm-vmalloc-add-a-safer-version-of-find_vm_area-for-debug +++ a/mm/vmalloc.c @@ -4278,14 +4278,32 @@ void pcpu_free_vm_areas(struct vm_struct #ifdef CONFIG_PRINTK bool vmalloc_dump_obj(void *object) { - struct vm_struct *vm; void *objp = (void *)PAGE_ALIGN((unsigned long)object); + const void *caller; + struct vm_struct *vm; + struct vmap_area *va; + unsigned long addr; + unsigned int nr_pages; + + if (!spin_trylock(&vmap_area_lock)) + return false; + va = __find_vmap_area((unsigned long)objp, &vmap_area_root); + if (!va) { + spin_unlock(&vmap_area_lock); + return false; + } - vm = find_vm_area(objp); - if (!vm) + vm = va->vm; + if (!vm) { + spin_unlock(&vmap_area_lock); return false; + } + addr = (unsigned long)vm->addr; + caller = vm->caller; + nr_pages = vm->nr_pages; + spin_unlock(&vmap_area_lock); pr_cont(" %u-page vmalloc region starting at %#lx allocated at %pS\n", - vm->nr_pages, (unsigned long)vm->addr, vm->caller); + nr_pages, addr, caller); return true; } #endif _ Patches currently in -mm which might be from joel(a)joelfernandes.org are

2 years, 1 month

3
2
0 0

stable-rc/linux-6.1.y build: 20 builds: 0 failed, 20 passed, 1 warning (v6.1.52)

by kernelci.org bot

stable-rc/linux-6.1.y build: 20 builds: 0 failed, 20 passed, 1 warning (v6.1.52) Full Build Summary: https://kernelci.org/build/stable-rc/branch/linux-6.1.y/kernel/v6.1.52/ Tree: stable-rc Branch: linux-6.1.y Git Describe: v6.1.52 Git Commit: 59b13c2b647e464dd85622c89d7f16c15d681e96 Git URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git Built: 7 unique architectures Warnings Detected: arc: arm64: arm: i386: mips: 32r2el_defconfig (gcc-10): 1 warning riscv: x86_64: Warnings summary: 1 arch/mips/boot/dts/img/boston.dts:128.19-178.5: Warning (pci_device_reg): /pci@14000000/pci2_root@0,0,0: PCI unit address format error, expected "0,0" ================================================================================ Detailed per-defconfig build reports: -------------------------------------------------------------------------------- 32r2el_defconfig (mips, gcc-10) — PASS, 0 errors, 1 warning, 0 section mismatches Warnings: arch/mips/boot/dts/img/boston.dts:128.19-178.5: Warning (pci_device_reg): /pci@14000000/pci2_root@0,0,0: PCI unit address format error, expected "0,0" -------------------------------------------------------------------------------- allnoconfig (i386, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- allnoconfig (x86_64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- defconfig (riscv, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- defconfig (arm64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- defconfig+arm64-chromebook (arm64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- haps_hs_smp_defconfig (arc, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- i386_defconfig (i386, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- imx_v6_v7_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- multi_v5_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- multi_v7_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- nommu_k210_defconfig (riscv, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- nommu_k210_sdcard_defconfig (riscv, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- omap2plus_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- rv32_defconfig (riscv, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- tinyconfig (x86_64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- tinyconfig (i386, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- vexpress_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- x86_64_defconfig (x86_64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- x86_64_defconfig+x86-chromebook (x86_64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches --- For more info write to <info(a)kernelci.org>

2 years, 1 month

1
0
0 0

[tip: x86/urgent] x86/sgx: Break up long non-preemptible delays in sgx_vepc_release()

by tip-bot2 for Jack Wang

The following commit has been merged into the x86/urgent branch of tip: Commit-ID: 3d7d72a34e05b23e21bafc8bfb861e73c86b31f3 Gitweb: https://git.kernel.org/tip/3d7d72a34e05b23e21bafc8bfb861e73c86b31f3 Author: Jack Wang <jinpu.wang(a)ionos.com> AuthorDate: Wed, 06 Sep 2023 15:17:12 +02:00 Committer: Ingo Molnar <mingo(a)kernel.org> CommitterDate: Wed, 06 Sep 2023 23:55:09 +02:00 x86/sgx: Break up long non-preemptible delays in sgx_vepc_release() On large enclaves we hit the softlockup warning with following call trace: xa_erase() sgx_vepc_release() __fput() task_work_run() do_exit() The latency issue is similar to the one fixed in: 8795359e35bc ("x86/sgx: Silence softlockup detection when releasing large enclaves") The test system has 64GB of enclave memory, and all is assigned to a single VM. Release of 'vepc' takes a longer time and causes long latencies, which triggers the softlockup warning. Add cond_resched() to give other tasks a chance to run and reduce latencies, which also avoids the softlockup detector. [ mingo: Rewrote the changelog. ] Fixes: 540745ddbc70 ("x86/sgx: Introduce virtual EPC for use by KVM guests") Reported-by: Yu Zhang <yu.zhang(a)ionos.com> Signed-off-by: Jack Wang <jinpu.wang(a)ionos.com> Signed-off-by: Ingo Molnar <mingo(a)kernel.org> Tested-by: Yu Zhang <yu.zhang(a)ionos.com> Reviewed-by: Jarkko Sakkinen <jarkko(a)kernel.org> Reviewed-by: Kai Huang <kai.huang(a)intel.com> Acked-by: Haitao Huang <haitao.huang(a)linux.intel.com> Cc: stable(a)vger.kernel.org --- arch/x86/kernel/cpu/sgx/virt.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/x86/kernel/cpu/sgx/virt.c b/arch/x86/kernel/cpu/sgx/virt.c index c3e37ea..7aaa365 100644 --- a/arch/x86/kernel/cpu/sgx/virt.c +++ b/arch/x86/kernel/cpu/sgx/virt.c @@ -204,6 +204,7 @@ static int sgx_vepc_release(struct inode *inode, struct file *file) continue; xa_erase(&vepc->page_array, index); + cond_resched(); } /* @@ -222,6 +223,7 @@ static int sgx_vepc_release(struct inode *inode, struct file *file) list_add_tail(&epc_page->list, &secs_pages); xa_erase(&vepc->page_array, index); + cond_resched(); } /* @@ -243,6 +245,7 @@ static int sgx_vepc_release(struct inode *inode, struct file *file) if (sgx_vepc_free_page(epc_page)) list_add_tail(&epc_page->list, &secs_pages); + cond_resched(); } if (!list_empty(&secs_pages))

2 years, 1 month

1
0
0 0

[PATCHv4] x86/sgx: Avoid softlockup from sgx_vepc_release

by Jack Wang

We hit softlocup with following call trace: ? asm_sysvec_apic_timer_interrupt+0x16/0x20 xa_erase+0x21/0xb0 ? sgx_free_epc_page+0x20/0x50 sgx_vepc_release+0x75/0x220 __fput+0x89/0x250 task_work_run+0x59/0x90 do_exit+0x337/0x9a0 Similar like commit 8795359e35bc ("x86/sgx: Silence softlockup detection when releasing large enclaves"). The test system has 64GB of enclave memory, and all assigned to a single VM. Release vepc take longer time and triggers the softlockup warning. Add cond_resched() to give other tasks a chance to run and placate the softlockup detector. Cc: Jarkko Sakkinen <jarkko(a)kernel.org> Cc: Haitao Huang <haitao.huang(a)linux.intel.com> Cc: stable(a)vger.kernel.org Cc: x86(a)kernel.org Fixes: 540745ddbc70 ("x86/sgx: Introduce virtual EPC for use by KVM guests") Reported-by: Yu Zhang <yu.zhang(a)ionos.com> Tested-by: Yu Zhang <yu.zhang(a)ionos.com> Acked-by: Haitao Huang <haitao.huang(a)linux.intel.com> Reviewed-by: Jarkko Sakkinen <jarkko(a)kernel.org> Reviewed-by: Kai Huang <kai.huang(a)intel.com> Signed-off-by: Jack Wang <jinpu.wang(a)ionos.com> --- v4: add rob from Kai. arch/x86/kernel/cpu/sgx/virt.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/x86/kernel/cpu/sgx/virt.c b/arch/x86/kernel/cpu/sgx/virt.c index c3e37eaec8ec..7aaa3652e31d 100644 --- a/arch/x86/kernel/cpu/sgx/virt.c +++ b/arch/x86/kernel/cpu/sgx/virt.c @@ -204,6 +204,7 @@ static int sgx_vepc_release(struct inode *inode, struct file *file) continue; xa_erase(&vepc->page_array, index); + cond_resched(); } /* @@ -222,6 +223,7 @@ static int sgx_vepc_release(struct inode *inode, struct file *file) list_add_tail(&epc_page->list, &secs_pages); xa_erase(&vepc->page_array, index); + cond_resched(); } /* @@ -243,6 +245,7 @@ static int sgx_vepc_release(struct inode *inode, struct file *file) if (sgx_vepc_free_page(epc_page)) list_add_tail(&epc_page->list, &secs_pages); + cond_resched(); } if (!list_empty(&secs_pages)) -- 2.34.1

2 years, 1 month

2
1
0 0

Linux 6.1.52

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.52 kernel. All users of the 6.1 kernel series must upgrade. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/serial/nxp,sc16is7xx.txt | 46 +++++++++++++ Makefile | 2 arch/arm/mach-pxa/sharpsl_pm.c | 2 arch/arm/mach-pxa/spitz.c | 14 --- arch/mips/alchemy/devboards/db1000.c | 8 -- arch/mips/alchemy/devboards/db1200.c | 19 ----- arch/mips/alchemy/devboards/db1300.c | 10 -- drivers/bluetooth/btsdio.c | 1 drivers/firmware/stratix10-svc.c | 2 drivers/fsi/fsi-master-ast-cf.c | 1 drivers/hid/wacom.h | 1 drivers/hid/wacom_sys.c | 25 +++++-- drivers/hid/wacom_wac.c | 1 drivers/hid/wacom_wac.h | 1 drivers/mmc/host/Kconfig | 5 - drivers/net/ethernet/freescale/enetc/enetc_ptp.c | 2 drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c | 7 + drivers/net/wireless/mediatek/mt76/mt7921/main.c | 2 drivers/pinctrl/pinctrl-amd.c | 4 - drivers/rtc/rtc-ds1685.c | 2 drivers/staging/rtl8712/os_intfs.c | 1 drivers/staging/rtl8712/usb_intf.c | 1 drivers/tty/serial/qcom_geni_serial.c | 5 + drivers/tty/serial/sc16is7xx.c | 17 ++++ drivers/usb/chipidea/ci_hdrc_imx.c | 10 +- drivers/usb/chipidea/usbmisc_imx.c | 6 + drivers/usb/dwc3/dwc3-meson-g12a.c | 6 + drivers/usb/serial/option.c | 7 + drivers/usb/typec/tcpm/tcpci.c | 4 + drivers/usb/typec/tcpm/tcpm.c | 7 + fs/erofs/zdata.c | 2 fs/nilfs2/alloc.c | 3 fs/nilfs2/inode.c | 7 + fs/nilfs2/segment.c | 5 + fs/smb/server/auth.c | 3 fs/smb/server/oplock.c | 2 fs/smb/server/smb2pdu.c | 2 fs/smb/server/smb2pdu.h | 2 fs/smb/server/transport_rdma.c | 25 +++++-- include/linux/usb/tcpci.h | 1 kernel/module/main.c | 14 +++ sound/usb/stream.c | 11 ++- 42 files changed, 208 insertions(+), 88 deletions(-) Aaron Armstrong Skomra (1): HID: wacom: remove the battery when the EKR is off Arnd Bergmann (1): ARM: pxa: remove use of symbol_get() Badhri Jagan Sridharan (1): tcpm: Avoid soft reset when partner does not support get_status Christoph Hellwig (4): mmc: au1xmmc: force non-modular build and remove symbol_get usage net: enetc: use EXPORT_SYMBOL_GPL for enetc_phc_index rtc: ds1685: use EXPORT_SYMBOL_GPL for ds1685_rtc_poweroff modules: only allow symbol_get of EXPORT_SYMBOL_GPL modules Deren Wu (2): wifi: mt76: mt7921: do not support one stream on secondary antenna only wifi: mt76: mt7921: fix skb leak by txs missing in AMSDU Gao Xiang (1): erofs: ensure that the post-EOF tails are all zeroed Greg Kroah-Hartman (1): Linux 6.1.52 Hugo Villeneuve (3): serial: sc16is7xx: fix broken port 0 uart init serial: sc16is7xx: fix bug when first setting GPIO direction dt-bindings: sc16is7xx: Add property to change GPIO function Johan Hovold (1): serial: qcom-geni: fix opp vote on shutdown Juerg Haefliger (1): fsi: master-ast-cf: Add MODULE_FIRMWARE macro Luke Lu (1): usb: dwc3: meson-g12a: do post init to fix broken usb after resumption Marco Felsch (1): usb: typec: tcpci: clear the fault status bit Mario Limonciello (1): pinctrl: amd: Don't show `Invalid config param` errors Martin Kohn (1): USB: serial: option: add Quectel EM05G variant (0x030e) Nam Cao (1): staging: rtl8712: fix race condition Namjae Jeon (4): ksmbd: fix wrong DataOffset validation of create context ksmbd: fix slub overflow in ksmbd_decode_ntlmssp_auth_blob() ksmbd: replace one-element array with flex-array member in struct smb2_ea_info ksmbd: reduce descriptor size if remaining bytes is less than request size Ryusuke Konishi (2): nilfs2: fix general protection fault in nilfs_lookup_dirty_data_buffers() nilfs2: fix WARNING in mark_buffer_dirty due to discarded buffer reuse Slark Xiao (1): USB: serial: option: add FOXCONN T99W368/T99W373 product Takashi Iwai (1): ALSA: usb-audio: Fix init call orders for UAC1 Wang Ming (1): firmware: stratix10-svc: Fix an NULL vs IS_ERR() bug in probe Xu Yang (1): usb: chipidea: imx: improve logic if samsung,picophy-* parameter is 0 Zheng Wang (1): Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition

2 years, 1 month

1
1
0 0

Linux 5.15.131

by Greg Kroah-Hartman

I'm announcing the release of the 5.15.131 kernel. All users of the 5.15 kernel series must upgrade. The updated 5.15.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.15.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm/mach-pxa/sharpsl_pm.c | 2 arch/arm/mach-pxa/spitz.c | 14 - arch/mips/alchemy/devboards/db1000.c | 8 arch/mips/alchemy/devboards/db1200.c | 19 -- arch/mips/alchemy/devboards/db1300.c | 10 - drivers/bluetooth/btsdio.c | 1 drivers/firmware/stratix10-svc.c | 2 drivers/fsi/fsi-master-ast-cf.c | 1 drivers/hid/wacom.h | 1 drivers/hid/wacom_sys.c | 25 ++ drivers/hid/wacom_wac.c | 1 drivers/hid/wacom_wac.h | 1 drivers/mmc/host/Kconfig | 5 drivers/net/ethernet/freescale/enetc/enetc_ptp.c | 2 drivers/net/wireless/mediatek/mt76/mt7921/main.c | 2 drivers/pinctrl/pinctrl-amd.c | 4 drivers/rtc/rtc-ds1685.c | 2 drivers/staging/rtl8712/os_intfs.c | 1 drivers/staging/rtl8712/usb_intf.c | 1 drivers/tty/serial/qcom_geni_serial.c | 5 drivers/tty/serial/sc16is7xx.c | 17 + drivers/usb/chipidea/ci_hdrc_imx.c | 10 - drivers/usb/chipidea/usbmisc_imx.c | 6 drivers/usb/dwc3/dwc3-meson-g12a.c | 6 drivers/usb/serial/option.c | 7 drivers/usb/typec/tcpm/tcpci.c | 7 drivers/usb/typec/tcpm/tcpci.h | 209 ---------------------- drivers/usb/typec/tcpm/tcpci_maxim.c | 3 drivers/usb/typec/tcpm/tcpci_mt6360.c | 3 drivers/usb/typec/tcpm/tcpci_rt1711h.c | 2 drivers/usb/typec/tcpm/tcpm.c | 7 fs/erofs/zdata.c | 2 fs/ksmbd/oplock.c | 2 fs/ksmbd/smb2pdu.c | 2 fs/ksmbd/smb2pdu.h | 2 fs/nilfs2/alloc.c | 3 fs/nilfs2/inode.c | 7 fs/nilfs2/segment.c | 5 include/linux/usb/tcpci.h | 211 +++++++++++++++++++++++ kernel/module.c | 14 + sound/usb/stream.c | 11 + 42 files changed, 350 insertions(+), 295 deletions(-) Aaron Armstrong Skomra (1): HID: wacom: remove the battery when the EKR is off Arnd Bergmann (1): ARM: pxa: remove use of symbol_get() Badhri Jagan Sridharan (1): tcpm: Avoid soft reset when partner does not support get_status Christoph Hellwig (4): mmc: au1xmmc: force non-modular build and remove symbol_get usage net: enetc: use EXPORT_SYMBOL_GPL for enetc_phc_index rtc: ds1685: use EXPORT_SYMBOL_GPL for ds1685_rtc_poweroff modules: only allow symbol_get of EXPORT_SYMBOL_GPL modules Deren Wu (1): wifi: mt76: mt7921: do not support one stream on secondary antenna only Gao Xiang (1): erofs: ensure that the post-EOF tails are all zeroed Greg Kroah-Hartman (1): Linux 5.15.131 Hugo Villeneuve (2): serial: sc16is7xx: fix broken port 0 uart init serial: sc16is7xx: fix bug when first setting GPIO direction Johan Hovold (1): serial: qcom-geni: fix opp vote on shutdown Juerg Haefliger (1): fsi: master-ast-cf: Add MODULE_FIRMWARE macro Luke Lu (1): usb: dwc3: meson-g12a: do post init to fix broken usb after resumption Marco Felsch (1): usb: typec: tcpci: clear the fault status bit Mario Limonciello (1): pinctrl: amd: Don't show `Invalid config param` errors Martin Kohn (1): USB: serial: option: add Quectel EM05G variant (0x030e) Nam Cao (1): staging: rtl8712: fix race condition Namjae Jeon (2): ksmbd: fix wrong DataOffset validation of create context ksmbd: replace one-element array with flex-array member in struct smb2_ea_info Ryusuke Konishi (2): nilfs2: fix general protection fault in nilfs_lookup_dirty_data_buffers() nilfs2: fix WARNING in mark_buffer_dirty due to discarded buffer reuse Slark Xiao (1): USB: serial: option: add FOXCONN T99W368/T99W373 product Takashi Iwai (1): ALSA: usb-audio: Fix init call orders for UAC1 Wang Ming (1): firmware: stratix10-svc: Fix an NULL vs IS_ERR() bug in probe Xin Ji (1): usb: typec: tcpci: move tcpci.h to include/linux/usb/ Xu Yang (1): usb: chipidea: imx: improve logic if samsung,picophy-* parameter is 0 Zheng Wang (1): Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition

2 years, 1 month

1
1
0 0

Linux 6.4.15

by Greg Kroah-Hartman

I'm announcing the release of the 6.4.15 kernel. All users of the 6.4 kernel series must upgrade. The updated 6.4.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.4.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/serial/nxp,sc16is7xx.txt | 46 +++++++++++++ Makefile | 2 arch/arm/mach-pxa/sharpsl_pm.c | 2 arch/arm/mach-pxa/spitz.c | 14 --- arch/mips/alchemy/devboards/db1000.c | 8 -- arch/mips/alchemy/devboards/db1200.c | 19 ----- arch/mips/alchemy/devboards/db1300.c | 10 -- drivers/firmware/stratix10-svc.c | 2 drivers/fsi/fsi-master-ast-cf.c | 1 drivers/hid/wacom.h | 1 drivers/hid/wacom_sys.c | 25 +++++-- drivers/hid/wacom_wac.c | 1 drivers/hid/wacom_wac.h | 1 drivers/mmc/host/Kconfig | 5 - drivers/net/ethernet/freescale/enetc/enetc_ptp.c | 2 drivers/net/wireless/ath/ath11k/dp_tx.c | 10 +- drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c | 7 + drivers/net/wireless/mediatek/mt76/mt7921/main.c | 2 drivers/net/wireless/realtek/rtw88/usb.c | 5 + drivers/pinctrl/pinctrl-amd.c | 4 - drivers/rtc/rtc-ds1685.c | 2 drivers/staging/rtl8712/os_intfs.c | 1 drivers/staging/rtl8712/usb_intf.c | 1 drivers/tty/serial/qcom_geni_serial.c | 5 + drivers/tty/serial/sc16is7xx.c | 17 ++++ drivers/usb/chipidea/ci_hdrc_imx.c | 10 +- drivers/usb/chipidea/usbmisc_imx.c | 6 + drivers/usb/dwc3/dwc3-meson-g12a.c | 6 + drivers/usb/serial/option.c | 7 + drivers/usb/typec/tcpm/tcpci.c | 4 + drivers/usb/typec/tcpm/tcpm.c | 7 + fs/erofs/zdata.c | 2 fs/nilfs2/alloc.c | 3 fs/nilfs2/inode.c | 7 + fs/smb/server/auth.c | 3 fs/smb/server/oplock.c | 2 fs/smb/server/smb2pdu.c | 2 fs/smb/server/smb2pdu.h | 2 fs/smb/server/transport_rdma.c | 25 +++++-- include/linux/usb/tcpci.h | 1 kernel/module/main.c | 14 +++ sound/usb/stream.c | 11 ++- 42 files changed, 211 insertions(+), 94 deletions(-) Aaron Armstrong Skomra (1): HID: wacom: remove the battery when the EKR is off Arnd Bergmann (1): ARM: pxa: remove use of symbol_get() Badhri Jagan Sridharan (1): tcpm: Avoid soft reset when partner does not support get_status Christoph Hellwig (4): mmc: au1xmmc: force non-modular build and remove symbol_get usage net: enetc: use EXPORT_SYMBOL_GPL for enetc_phc_index rtc: ds1685: use EXPORT_SYMBOL_GPL for ds1685_rtc_poweroff modules: only allow symbol_get of EXPORT_SYMBOL_GPL modules Deren Wu (2): wifi: mt76: mt7921: do not support one stream on secondary antenna only wifi: mt76: mt7921: fix skb leak by txs missing in AMSDU Gao Xiang (1): erofs: ensure that the post-EOF tails are all zeroed Greg Kroah-Hartman (1): Linux 6.4.15 Hugo Villeneuve (3): serial: sc16is7xx: fix broken port 0 uart init serial: sc16is7xx: fix bug when first setting GPIO direction dt-bindings: sc16is7xx: Add property to change GPIO function Johan Hovold (1): serial: qcom-geni: fix opp vote on shutdown Juerg Haefliger (1): fsi: master-ast-cf: Add MODULE_FIRMWARE macro Luke Lu (1): usb: dwc3: meson-g12a: do post init to fix broken usb after resumption Marco Felsch (1): usb: typec: tcpci: clear the fault status bit Mario Limonciello (1): pinctrl: amd: Don't show `Invalid config param` errors Martin Kohn (1): USB: serial: option: add Quectel EM05G variant (0x030e) Nam Cao (1): staging: rtl8712: fix race condition Namjae Jeon (4): ksmbd: fix wrong DataOffset validation of create context ksmbd: fix slub overflow in ksmbd_decode_ntlmssp_auth_blob() ksmbd: replace one-element array with flex-array member in struct smb2_ea_info ksmbd: reduce descriptor size if remaining bytes is less than request size Ryusuke Konishi (1): nilfs2: fix WARNING in mark_buffer_dirty due to discarded buffer reuse Sascha Hauer (1): wifi: rtw88: usb: kill and free rx urbs on probe failure Slark Xiao (1): USB: serial: option: add FOXCONN T99W368/T99W373 product Sven Eckelmann (2): wifi: ath11k: Don't drop tx_status when peer cannot be found wifi: ath11k: Cleanup mac80211 references on failure during tx_complete Takashi Iwai (1): ALSA: usb-audio: Fix init call orders for UAC1 Wang Ming (1): firmware: stratix10-svc: Fix an NULL vs IS_ERR() bug in probe Xu Yang (1): usb: chipidea: imx: improve logic if samsung,picophy-* parameter is 0

2 years, 1 month

1
1
0 0

Linux 6.5.2

by Greg Kroah-Hartman

I'm announcing the release of the 6.5.2 kernel. All users of the 6.5 kernel series must upgrade. The updated 6.5.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.5.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/serial/nxp,sc16is7xx.txt | 46 +++++++++++++ Makefile | 2 arch/arm/mach-pxa/sharpsl_pm.c | 2 arch/arm/mach-pxa/spitz.c | 14 --- arch/mips/alchemy/devboards/db1000.c | 8 -- arch/mips/alchemy/devboards/db1200.c | 19 ----- arch/mips/alchemy/devboards/db1300.c | 10 -- drivers/firmware/stratix10-svc.c | 2 drivers/fsi/fsi-master-ast-cf.c | 1 drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c | 4 - drivers/gpu/drm/amd/amdgpu/gmc_v11_0.c | 4 - drivers/hid/wacom.h | 1 drivers/hid/wacom_sys.c | 25 +++++-- drivers/hid/wacom_wac.c | 1 drivers/hid/wacom_wac.h | 1 drivers/mmc/host/Kconfig | 5 - drivers/net/ethernet/freescale/enetc/enetc_ptp.c | 2 drivers/net/wireless/ath/ath11k/dp_tx.c | 10 +- drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c | 7 + drivers/net/wireless/mediatek/mt76/mt7921/main.c | 2 drivers/net/wireless/realtek/rtw88/usb.c | 5 + drivers/pinctrl/pinctrl-amd.c | 4 - drivers/rtc/rtc-ds1685.c | 2 drivers/staging/rtl8712/os_intfs.c | 1 drivers/staging/rtl8712/usb_intf.c | 1 drivers/tty/serial/qcom_geni_serial.c | 5 + drivers/tty/serial/sc16is7xx.c | 17 ++++ drivers/usb/chipidea/ci_hdrc_imx.c | 10 +- drivers/usb/chipidea/usbmisc_imx.c | 6 + drivers/usb/dwc3/dwc3-meson-g12a.c | 6 + drivers/usb/serial/option.c | 7 + drivers/usb/typec/tcpm/tcpci.c | 4 + drivers/usb/typec/tcpm/tcpm.c | 7 + fs/erofs/zdata.c | 2 fs/nilfs2/alloc.c | 3 fs/nilfs2/inode.c | 7 + fs/smb/server/auth.c | 3 fs/smb/server/oplock.c | 2 fs/smb/server/smb2pdu.c | 2 fs/smb/server/smb2pdu.h | 2 fs/smb/server/transport_rdma.c | 25 +++++-- include/linux/usb/tcpci.h | 1 kernel/module/main.c | 14 +++ kernel/trace/trace.c | 4 - sound/usb/stream.c | 11 ++- 45 files changed, 219 insertions(+), 98 deletions(-) Aaron Armstrong Skomra (1): HID: wacom: remove the battery when the EKR is off Arnd Bergmann (1): ARM: pxa: remove use of symbol_get() Badhri Jagan Sridharan (1): tcpm: Avoid soft reset when partner does not support get_status Brian Foster (1): tracing: Zero the pipe cpumask on alloc to avoid spurious -EBUSY Christoph Hellwig (4): mmc: au1xmmc: force non-modular build and remove symbol_get usage net: enetc: use EXPORT_SYMBOL_GPL for enetc_phc_index rtc: ds1685: use EXPORT_SYMBOL_GPL for ds1685_rtc_poweroff modules: only allow symbol_get of EXPORT_SYMBOL_GPL modules Deren Wu (2): wifi: mt76: mt7921: do not support one stream on secondary antenna only wifi: mt76: mt7921: fix skb leak by txs missing in AMSDU Gao Xiang (1): erofs: ensure that the post-EOF tails are all zeroed Greg Kroah-Hartman (1): Linux 6.5.2 Hugo Villeneuve (3): serial: sc16is7xx: fix broken port 0 uart init serial: sc16is7xx: fix bug when first setting GPIO direction dt-bindings: sc16is7xx: Add property to change GPIO function Johan Hovold (1): serial: qcom-geni: fix opp vote on shutdown Juerg Haefliger (1): fsi: master-ast-cf: Add MODULE_FIRMWARE macro Lang Yu (1): drm/amdgpu: correct vmhub index in GMC v10/11 Luke Lu (1): usb: dwc3: meson-g12a: do post init to fix broken usb after resumption Marco Felsch (1): usb: typec: tcpci: clear the fault status bit Mario Limonciello (1): pinctrl: amd: Don't show `Invalid config param` errors Martin Kohn (1): USB: serial: option: add Quectel EM05G variant (0x030e) Nam Cao (1): staging: rtl8712: fix race condition Namjae Jeon (4): ksmbd: fix wrong DataOffset validation of create context ksmbd: fix slub overflow in ksmbd_decode_ntlmssp_auth_blob() ksmbd: replace one-element array with flex-array member in struct smb2_ea_info ksmbd: reduce descriptor size if remaining bytes is less than request size Ryusuke Konishi (1): nilfs2: fix WARNING in mark_buffer_dirty due to discarded buffer reuse Sascha Hauer (1): wifi: rtw88: usb: kill and free rx urbs on probe failure Slark Xiao (1): USB: serial: option: add FOXCONN T99W368/T99W373 product Sven Eckelmann (2): wifi: ath11k: Don't drop tx_status when peer cannot be found wifi: ath11k: Cleanup mac80211 references on failure during tx_complete Takashi Iwai (1): ALSA: usb-audio: Fix init call orders for UAC1 Wang Ming (1): firmware: stratix10-svc: Fix an NULL vs IS_ERR() bug in probe Xu Yang (1): usb: chipidea: imx: improve logic if samsung,picophy-* parameter is 0

2 years, 1 month

1
1
0 0

[PATCH v2] powercap: intel_rapl: Fix invalid setting of Power Limit 4

by Srinivas Pandruvada

System runs at minimum performance, once powercap RAPL package domain enabled flag is changed from 1 to 0 to 1. Setting RAPL package domain enabled flag to 0, results in setting of power limit 4 (PL4) MSR 0x601 to 0. This implies disabling PL4 limit. The PL4 limit controls the peak power. So setting 0, results in some undesirable performance, which depends on hardware implementation. Even worse, when the enabled flag is set to 1 again. This will set PL4 MSR value to 0x01, which means reduce peak power to 0.125W. This will force system to run at the lowest possible performance on every PL4 supported system. Setting enabled flag should only affect the "enable" bit, not other bits. Here it is changing power limit. This is caused by a change which assumes that there is an enable bit in the PL4 MSR like other power limits. Although PL4 enable/disable bit is present with TPMI RAPL interface, it is not present with the MSR interface. There is a rapl_primitive_info defined for non existent PL4 enable bit and then it is used with the commit 9050a9cd5e4c ("powercap: intel_rapl: Cleanup Power Limits support") to enable PL4. This is wrong, hence remove this rapl primitive for PL4. Also in the function rapl_detect_powerlimit(), PL_ENABLE is used to check for the presence of power limits. Replace PL_ENABLE with PL_LIMIT, as PL_LIMIT must be present. Without this change, PL4 controls will not be available in the sysfs once rapl primitive for PL4 is removed. Fixes: 9050a9cd5e4c ("powercap: intel_rapl: Cleanup Power Limits support") Suggested-by: Zhang Rui <rui.zhang(a)intel.com> Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> Tested-by: Sumeet Pawnikar <sumeet.r.pawnikar(a)intel.com> Cc: stable(a)vger.kernel.org # v6.5+ --- v2 - Remove RAPL primitive for PL4 instead as suggedted by Rui - Replace PL_ENABLE with PL_LIMIT for domain detect - Update change log and header drivers/powercap/intel_rapl_common.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/drivers/powercap/intel_rapl_common.c b/drivers/powercap/intel_rapl_common.c index 5c2e6d5eea2a..40a2cc649c79 100644 --- a/drivers/powercap/intel_rapl_common.c +++ b/drivers/powercap/intel_rapl_common.c @@ -658,8 +658,6 @@ static struct rapl_primitive_info rpi_msr[NR_RAPL_PRIMITIVES] = { RAPL_DOMAIN_REG_LIMIT, ARBITRARY_UNIT, 0), [PL2_CLAMP] = PRIMITIVE_INFO_INIT(PL2_CLAMP, POWER_LIMIT2_CLAMP, 48, RAPL_DOMAIN_REG_LIMIT, ARBITRARY_UNIT, 0), - [PL4_ENABLE] = PRIMITIVE_INFO_INIT(PL4_ENABLE, POWER_LIMIT4_MASK, 0, - RAPL_DOMAIN_REG_PL4, ARBITRARY_UNIT, 0), [TIME_WINDOW1] = PRIMITIVE_INFO_INIT(TIME_WINDOW1, TIME_WINDOW1_MASK, 17, RAPL_DOMAIN_REG_LIMIT, TIME_UNIT, 0), [TIME_WINDOW2] = PRIMITIVE_INFO_INIT(TIME_WINDOW2, TIME_WINDOW2_MASK, 49, @@ -1458,7 +1456,7 @@ static void rapl_detect_powerlimit(struct rapl_domain *rd) } } - if (rapl_read_pl_data(rd, i, PL_ENABLE, false, &val64)) + if (rapl_read_pl_data(rd, i, PL_LIMIT, false, &val64)) rd->rpl[i].name = NULL; } } -- 2.34.1

2 years, 1 month

2
1
0 0

[PATCH] PCI: Free released resource

by Ross Lagerwall

release_resource() doesn't actually free the resource or resource list entry so free the resource list entry to avoid a leak. Fixes: e54223275ba1 ("PCI: Release resource invalidated by coalescing") Signed-off-by: Ross Lagerwall <ross.lagerwall(a)citrix.com> Reported-by: Kalle Valo <kvalo(a)kernel.org> Closes: https://lore.kernel.org/r/878r9sga1t.fsf@kernel.org/ Tested-by: Kalle Valo <kvalo(a)kernel.org> Cc: stable(a)vger.kernel.org # v5.16+ --- drivers/pci/probe.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c index ab2a4a3a4c06..795534589b98 100644 --- a/drivers/pci/probe.c +++ b/drivers/pci/probe.c @@ -997,6 +997,7 @@ static int pci_register_host_bridge(struct pci_host_bridge *bridge) res = window->res; if (!res->flags && !res->start && !res->end) { release_resource(res); + resource_list_destroy_entry(window); continue; } -- 2.41.0

2 years, 1 month

2
1
0 0

[PATCH] powercap: intel_rapl: Fix setting of Power Limit 4 to 0

by Srinivas Pandruvada

System runs at minimum performance, once powercap RAPL package domain "enabled" flag is toggled. Setting RAPL package domain enabled flag to 0, results in setting of power limit 4 (PL4) MSR 0x601 to 0. This implies disabling PL4 limit. The PL4 limit controls the peak power. This can significantly change the performance. Even worse, when the enabled flag is set to 1 again. This will set PL4 MSR value to 0x01, which means reduce peak power to 0.125W. This will force the system to run at the lowest possible performance. This is caused by a change which assumes that there is an enable bit in the PL4 MSR like other power limits. In functions set_floor_freq_default() and rapl_remove_package(), call rapl_write_pl_data with PL_ENABLE and PL_CLAMP for only power limit 1 and 2. Similarly don't read PL_ENABLE for PL4 to check the presence of power limit 4. Power limit 4 support is based on CPU model in this driver. No additional checks can be done. Fixes: 9050a9cd5e4c ("powercap: intel_rapl: Cleanup Power Limits support") Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> Cc: stable(a)vger.kernel.org # v6.5+ --- drivers/powercap/intel_rapl_common.c | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/drivers/powercap/intel_rapl_common.c b/drivers/powercap/intel_rapl_common.c index 5c2e6d5eea2a..0afedf7ad872 100644 --- a/drivers/powercap/intel_rapl_common.c +++ b/drivers/powercap/intel_rapl_common.c @@ -184,8 +184,6 @@ static int get_pl_prim(struct rapl_domain *rd, int pl, enum pl_prims prim) case POWER_LIMIT4: if (prim == PL_LIMIT) return POWER_LIMIT4; - if (prim == PL_ENABLE) - return PL4_ENABLE; /* PL4 would be around two times PL2, use same prim as PL2. */ if (prim == PL_MAX_POWER) return MAX_POWER; @@ -1033,17 +1031,13 @@ static void package_power_limit_irq_restore(struct rapl_package *rp) static void set_floor_freq_default(struct rapl_domain *rd, bool mode) { - int i; - /* always enable clamp such that p-state can go below OS requested * range. power capping priority over guranteed frequency. */ rapl_write_pl_data(rd, POWER_LIMIT1, PL_CLAMP, mode); - for (i = POWER_LIMIT2; i < NR_POWER_LIMITS; i++) { - rapl_write_pl_data(rd, i, PL_ENABLE, mode); - rapl_write_pl_data(rd, i, PL_CLAMP, mode); - } + rapl_write_pl_data(rd, POWER_LIMIT2, PL_ENABLE, mode); + rapl_write_pl_data(rd, POWER_LIMIT2, PL_CLAMP, mode); } static void set_floor_freq_atom(struct rapl_domain *rd, bool enable) @@ -1458,7 +1452,7 @@ static void rapl_detect_powerlimit(struct rapl_domain *rd) } } - if (rapl_read_pl_data(rd, i, PL_ENABLE, false, &val64)) + if (i != POWER_LIMIT4 && rapl_read_pl_data(rd, i, PL_ENABLE, false, &val64)) rd->rpl[i].name = NULL; } } @@ -1510,7 +1504,7 @@ void rapl_remove_package(struct rapl_package *rp) for (rd = rp->domains; rd < rp->domains + rp->nr_domains; rd++) { int i; - for (i = POWER_LIMIT1; i < NR_POWER_LIMITS; i++) { + for (i = POWER_LIMIT1; i <= POWER_LIMIT2; i++) { rapl_write_pl_data(rd, i, PL_ENABLE, 0); rapl_write_pl_data(rd, i, PL_CLAMP, 0); } -- 2.34.1

2 years, 1 month

4
3
0 0

[PATCH 5.15 00/28] 5.15.131-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.15.131 release. There are 28 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 06 Sep 2023 18:29:29 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.131-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.15.131-rc1 Marco Felsch <m.felsch(a)pengutronix.de> usb: typec: tcpci: clear the fault status bit Xin Ji <xji(a)analogixsemi.com> usb: typec: tcpci: move tcpci.h to include/linux/usb/ Mario Limonciello <mario.limonciello(a)amd.com> pinctrl: amd: Don't show `Invalid config param` errors Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix WARNING in mark_buffer_dirty due to discarded buffer reuse Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix general protection fault in nilfs_lookup_dirty_data_buffers() Badhri Jagan Sridharan <badhri(a)google.com> tcpm: Avoid soft reset when partner does not support get_status Juerg Haefliger <juerg.haefliger(a)canonical.com> fsi: master-ast-cf: Add MODULE_FIRMWARE macro Wang Ming <machel(a)vivo.com> firmware: stratix10-svc: Fix an NULL vs IS_ERR() bug in probe Hugo Villeneuve <hvilleneuve(a)dimonoff.com> serial: sc16is7xx: fix bug when first setting GPIO direction Hugo Villeneuve <hvilleneuve(a)dimonoff.com> serial: sc16is7xx: fix broken port 0 uart init Johan Hovold <johan+linaro(a)kernel.org> serial: qcom-geni: fix opp vote on shutdown Deren Wu <deren.wu(a)mediatek.com> wifi: mt76: mt7921: do not support one stream on secondary antenna only Zheng Wang <zyytlz.wz(a)163.com> Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition Nam Cao <namcaov(a)gmail.com> staging: rtl8712: fix race condition Aaron Armstrong Skomra <aaron.skomra(a)wacom.com> HID: wacom: remove the battery when the EKR is off Xu Yang <xu.yang_2(a)nxp.com> usb: chipidea: imx: improve logic if samsung,picophy-* parameter is 0 Luke Lu <luke.lu(a)libre.computer> usb: dwc3: meson-g12a: do post init to fix broken usb after resumption Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Fix init call orders for UAC1 Slark Xiao <slark_xiao(a)163.com> USB: serial: option: add FOXCONN T99W368/T99W373 product Martin Kohn <m.kohn(a)welotec.com> USB: serial: option: add Quectel EM05G variant (0x030e) Christoph Hellwig <hch(a)lst.de> modules: only allow symbol_get of EXPORT_SYMBOL_GPL modules Christoph Hellwig <hch(a)lst.de> rtc: ds1685: use EXPORT_SYMBOL_GPL for ds1685_rtc_poweroff Christoph Hellwig <hch(a)lst.de> net: enetc: use EXPORT_SYMBOL_GPL for enetc_phc_index Christoph Hellwig <hch(a)lst.de> mmc: au1xmmc: force non-modular build and remove symbol_get usage Arnd Bergmann <arnd(a)arndb.de> ARM: pxa: remove use of symbol_get() Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: replace one-element array with flex-array member in struct smb2_ea_info Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix wrong DataOffset validation of create context Gao Xiang <hsiangkao(a)linux.alibaba.com> erofs: ensure that the post-EOF tails are all zeroed ------------- Diffstat: Makefile | 4 ++-- arch/arm/mach-pxa/sharpsl_pm.c | 2 -- arch/arm/mach-pxa/spitz.c | 14 +----------- arch/mips/alchemy/devboards/db1000.c | 8 +------ arch/mips/alchemy/devboards/db1200.c | 19 ++-------------- arch/mips/alchemy/devboards/db1300.c | 10 +-------- drivers/bluetooth/btsdio.c | 1 + drivers/firmware/stratix10-svc.c | 2 +- drivers/fsi/fsi-master-ast-cf.c | 1 + drivers/hid/wacom.h | 1 + drivers/hid/wacom_sys.c | 25 ++++++++++++++++++---- drivers/hid/wacom_wac.c | 1 + drivers/hid/wacom_wac.h | 1 + drivers/mmc/host/Kconfig | 5 +++-- drivers/net/ethernet/freescale/enetc/enetc_ptp.c | 2 +- drivers/net/wireless/mediatek/mt76/mt7921/main.c | 2 +- drivers/pinctrl/pinctrl-amd.c | 4 ++-- drivers/rtc/rtc-ds1685.c | 2 +- drivers/staging/rtl8712/os_intfs.c | 1 + drivers/staging/rtl8712/usb_intf.c | 1 - drivers/tty/serial/qcom_geni_serial.c | 5 +++++ drivers/tty/serial/sc16is7xx.c | 17 ++++++++++++++- drivers/usb/chipidea/ci_hdrc_imx.c | 10 +++++---- drivers/usb/chipidea/usbmisc_imx.c | 6 ++++-- drivers/usb/dwc3/dwc3-meson-g12a.c | 6 ++++++ drivers/usb/serial/option.c | 7 ++++++ drivers/usb/typec/tcpm/tcpci.c | 7 ++++-- drivers/usb/typec/tcpm/tcpci_maxim.c | 3 +-- drivers/usb/typec/tcpm/tcpci_mt6360.c | 3 +-- drivers/usb/typec/tcpm/tcpci_rt1711h.c | 2 +- drivers/usb/typec/tcpm/tcpm.c | 7 ++++++ fs/erofs/zdata.c | 2 ++ fs/ksmbd/oplock.c | 2 +- fs/ksmbd/smb2pdu.c | 2 +- fs/ksmbd/smb2pdu.h | 2 +- fs/nilfs2/alloc.c | 3 ++- fs/nilfs2/inode.c | 7 ++++-- fs/nilfs2/segment.c | 5 +++++ .../usb/typec/tcpm => include/linux/usb}/tcpci.h | 2 ++ kernel/module.c | 14 +++++++++--- sound/usb/stream.c | 11 +++++++++- 41 files changed, 142 insertions(+), 87 deletions(-)

2 years, 1 month

13
40
0 0

[PATCH v2 3/5] mm/memory_hotplug: use nth_page() in place of direct struct page manipulation.

by Zi Yan

From: Zi Yan <ziy(a)nvidia.com> When dealing with hugetlb pages, manipulating struct page pointers directly can get to wrong struct page, since struct page is not guaranteed to be contiguous on SPARSEMEM without VMEMMAP. Use nth_page() to handle it properly. Fixes: eeb0efd071d8 ("mm,memory_hotplug: fix scan_movable_pages() for gigantic hugepages") Cc: <stable(a)vger.kernel.org> Signed-off-by: Zi Yan <ziy(a)nvidia.com> Reviewed-by: Muchun Song <songmuchun(a)bytedance.com> --- mm/memory_hotplug.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c index 1b03f4ec6fd2..3b301c4023ff 100644 --- a/mm/memory_hotplug.c +++ b/mm/memory_hotplug.c @@ -1689,7 +1689,7 @@ static int scan_movable_pages(unsigned long start, unsigned long end, */ if (HPageMigratable(head)) goto found; - skip = compound_nr(head) - (page - head); + skip = compound_nr(head) - (pfn - page_to_pfn(head)); pfn += skip - 1; } return -ENOENT; -- 2.40.1

2 years, 1 month

3
3
0 0

[PATCH 6.4 00/32] 6.4.15-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.4.15 release. There are 32 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 06 Sep 2023 18:29:29 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.4.15-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.4.15-rc1 Mario Limonciello <mario.limonciello(a)amd.com> pinctrl: amd: Don't show `Invalid config param` errors Marco Felsch <m.felsch(a)pengutronix.de> usb: typec: tcpci: clear the fault status bit Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix WARNING in mark_buffer_dirty due to discarded buffer reuse Hugo Villeneuve <hvilleneuve(a)dimonoff.com> dt-bindings: sc16is7xx: Add property to change GPIO function Badhri Jagan Sridharan <badhri(a)google.com> tcpm: Avoid soft reset when partner does not support get_status Juerg Haefliger <juerg.haefliger(a)canonical.com> fsi: master-ast-cf: Add MODULE_FIRMWARE macro Wang Ming <machel(a)vivo.com> firmware: stratix10-svc: Fix an NULL vs IS_ERR() bug in probe Hugo Villeneuve <hvilleneuve(a)dimonoff.com> serial: sc16is7xx: fix bug when first setting GPIO direction Hugo Villeneuve <hvilleneuve(a)dimonoff.com> serial: sc16is7xx: fix broken port 0 uart init Johan Hovold <johan+linaro(a)kernel.org> serial: qcom-geni: fix opp vote on shutdown Sven Eckelmann <sven(a)narfation.org> wifi: ath11k: Cleanup mac80211 references on failure during tx_complete Sven Eckelmann <sven(a)narfation.org> wifi: ath11k: Don't drop tx_status when peer cannot be found Sascha Hauer <s.hauer(a)pengutronix.de> wifi: rtw88: usb: kill and free rx urbs on probe failure Deren Wu <deren.wu(a)mediatek.com> wifi: mt76: mt7921: fix skb leak by txs missing in AMSDU Deren Wu <deren.wu(a)mediatek.com> wifi: mt76: mt7921: do not support one stream on secondary antenna only Nam Cao <namcaov(a)gmail.com> staging: rtl8712: fix race condition Aaron Armstrong Skomra <aaron.skomra(a)wacom.com> HID: wacom: remove the battery when the EKR is off Xu Yang <xu.yang_2(a)nxp.com> usb: chipidea: imx: improve logic if samsung,picophy-* parameter is 0 Luke Lu <luke.lu(a)libre.computer> usb: dwc3: meson-g12a: do post init to fix broken usb after resumption Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Fix init call orders for UAC1 Slark Xiao <slark_xiao(a)163.com> USB: serial: option: add FOXCONN T99W368/T99W373 product Martin Kohn <m.kohn(a)welotec.com> USB: serial: option: add Quectel EM05G variant (0x030e) Christoph Hellwig <hch(a)lst.de> modules: only allow symbol_get of EXPORT_SYMBOL_GPL modules Christoph Hellwig <hch(a)lst.de> rtc: ds1685: use EXPORT_SYMBOL_GPL for ds1685_rtc_poweroff Christoph Hellwig <hch(a)lst.de> net: enetc: use EXPORT_SYMBOL_GPL for enetc_phc_index Christoph Hellwig <hch(a)lst.de> mmc: au1xmmc: force non-modular build and remove symbol_get usage Arnd Bergmann <arnd(a)arndb.de> ARM: pxa: remove use of symbol_get() Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: reduce descriptor size if remaining bytes is less than request size Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: replace one-element array with flex-array member in struct smb2_ea_info Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix slub overflow in ksmbd_decode_ntlmssp_auth_blob() Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix wrong DataOffset validation of create context Gao Xiang <xiang(a)kernel.org> erofs: ensure that the post-EOF tails are all zeroed ------------- Diffstat: .../devicetree/bindings/serial/nxp,sc16is7xx.txt | 46 ++++++++++++++++++++++ Makefile | 4 +- arch/arm/mach-pxa/sharpsl_pm.c | 2 - arch/arm/mach-pxa/spitz.c | 14 +------ arch/mips/alchemy/devboards/db1000.c | 8 +--- arch/mips/alchemy/devboards/db1200.c | 19 +-------- arch/mips/alchemy/devboards/db1300.c | 10 +---- drivers/firmware/stratix10-svc.c | 2 +- drivers/fsi/fsi-master-ast-cf.c | 1 + drivers/hid/wacom.h | 1 + drivers/hid/wacom_sys.c | 25 ++++++++++-- drivers/hid/wacom_wac.c | 1 + drivers/hid/wacom_wac.h | 1 + drivers/mmc/host/Kconfig | 5 ++- drivers/net/ethernet/freescale/enetc/enetc_ptp.c | 2 +- drivers/net/wireless/ath/ath11k/dp_tx.c | 10 ++--- .../net/wireless/mediatek/mt76/mt76_connac_mac.c | 7 +++- drivers/net/wireless/mediatek/mt76/mt7921/main.c | 2 +- drivers/net/wireless/realtek/rtw88/usb.c | 5 ++- drivers/pinctrl/pinctrl-amd.c | 4 +- drivers/rtc/rtc-ds1685.c | 2 +- drivers/staging/rtl8712/os_intfs.c | 1 + drivers/staging/rtl8712/usb_intf.c | 1 - drivers/tty/serial/qcom_geni_serial.c | 5 +++ drivers/tty/serial/sc16is7xx.c | 17 +++++++- drivers/usb/chipidea/ci_hdrc_imx.c | 10 +++-- drivers/usb/chipidea/usbmisc_imx.c | 6 ++- drivers/usb/dwc3/dwc3-meson-g12a.c | 6 +++ drivers/usb/serial/option.c | 7 ++++ drivers/usb/typec/tcpm/tcpci.c | 4 ++ drivers/usb/typec/tcpm/tcpm.c | 7 ++++ fs/erofs/zdata.c | 2 + fs/nilfs2/alloc.c | 3 +- fs/nilfs2/inode.c | 7 +++- fs/smb/server/auth.c | 3 ++ fs/smb/server/oplock.c | 2 +- fs/smb/server/smb2pdu.c | 2 +- fs/smb/server/smb2pdu.h | 2 +- fs/smb/server/transport_rdma.c | 25 ++++++++---- include/linux/usb/tcpci.h | 1 + kernel/module/main.c | 14 +++++-- sound/usb/stream.c | 11 +++++- 42 files changed, 212 insertions(+), 95 deletions(-)

2 years, 1 month

12
43
0 0

[PATCH 6.1 00/31] 6.1.52-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.52 release. There are 31 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 06 Sep 2023 18:29:29 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.52-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.52-rc1 Mario Limonciello <mario.limonciello(a)amd.com> pinctrl: amd: Don't show `Invalid config param` errors Marco Felsch <m.felsch(a)pengutronix.de> usb: typec: tcpci: clear the fault status bit Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix WARNING in mark_buffer_dirty due to discarded buffer reuse Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix general protection fault in nilfs_lookup_dirty_data_buffers() Hugo Villeneuve <hvilleneuve(a)dimonoff.com> dt-bindings: sc16is7xx: Add property to change GPIO function Badhri Jagan Sridharan <badhri(a)google.com> tcpm: Avoid soft reset when partner does not support get_status Juerg Haefliger <juerg.haefliger(a)canonical.com> fsi: master-ast-cf: Add MODULE_FIRMWARE macro Wang Ming <machel(a)vivo.com> firmware: stratix10-svc: Fix an NULL vs IS_ERR() bug in probe Hugo Villeneuve <hvilleneuve(a)dimonoff.com> serial: sc16is7xx: fix bug when first setting GPIO direction Hugo Villeneuve <hvilleneuve(a)dimonoff.com> serial: sc16is7xx: fix broken port 0 uart init Johan Hovold <johan+linaro(a)kernel.org> serial: qcom-geni: fix opp vote on shutdown Deren Wu <deren.wu(a)mediatek.com> wifi: mt76: mt7921: fix skb leak by txs missing in AMSDU Deren Wu <deren.wu(a)mediatek.com> wifi: mt76: mt7921: do not support one stream on secondary antenna only Zheng Wang <zyytlz.wz(a)163.com> Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition Nam Cao <namcaov(a)gmail.com> staging: rtl8712: fix race condition Aaron Armstrong Skomra <aaron.skomra(a)wacom.com> HID: wacom: remove the battery when the EKR is off Xu Yang <xu.yang_2(a)nxp.com> usb: chipidea: imx: improve logic if samsung,picophy-* parameter is 0 Luke Lu <luke.lu(a)libre.computer> usb: dwc3: meson-g12a: do post init to fix broken usb after resumption Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Fix init call orders for UAC1 Slark Xiao <slark_xiao(a)163.com> USB: serial: option: add FOXCONN T99W368/T99W373 product Martin Kohn <m.kohn(a)welotec.com> USB: serial: option: add Quectel EM05G variant (0x030e) Christoph Hellwig <hch(a)lst.de> modules: only allow symbol_get of EXPORT_SYMBOL_GPL modules Christoph Hellwig <hch(a)lst.de> rtc: ds1685: use EXPORT_SYMBOL_GPL for ds1685_rtc_poweroff Christoph Hellwig <hch(a)lst.de> net: enetc: use EXPORT_SYMBOL_GPL for enetc_phc_index Christoph Hellwig <hch(a)lst.de> mmc: au1xmmc: force non-modular build and remove symbol_get usage Arnd Bergmann <arnd(a)arndb.de> ARM: pxa: remove use of symbol_get() Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: reduce descriptor size if remaining bytes is less than request size Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: replace one-element array with flex-array member in struct smb2_ea_info Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix slub overflow in ksmbd_decode_ntlmssp_auth_blob() Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix wrong DataOffset validation of create context Gao Xiang <xiang(a)kernel.org> erofs: ensure that the post-EOF tails are all zeroed ------------- Diffstat: .../devicetree/bindings/serial/nxp,sc16is7xx.txt | 46 ++++++++++++++++++++++ Makefile | 4 +- arch/arm/mach-pxa/sharpsl_pm.c | 2 - arch/arm/mach-pxa/spitz.c | 14 +------ arch/mips/alchemy/devboards/db1000.c | 8 +--- arch/mips/alchemy/devboards/db1200.c | 19 +-------- arch/mips/alchemy/devboards/db1300.c | 10 +---- drivers/bluetooth/btsdio.c | 1 + drivers/firmware/stratix10-svc.c | 2 +- drivers/fsi/fsi-master-ast-cf.c | 1 + drivers/hid/wacom.h | 1 + drivers/hid/wacom_sys.c | 25 ++++++++++-- drivers/hid/wacom_wac.c | 1 + drivers/hid/wacom_wac.h | 1 + drivers/mmc/host/Kconfig | 5 ++- drivers/net/ethernet/freescale/enetc/enetc_ptp.c | 2 +- .../net/wireless/mediatek/mt76/mt76_connac_mac.c | 7 +++- drivers/net/wireless/mediatek/mt76/mt7921/main.c | 2 +- drivers/pinctrl/pinctrl-amd.c | 4 +- drivers/rtc/rtc-ds1685.c | 2 +- drivers/staging/rtl8712/os_intfs.c | 1 + drivers/staging/rtl8712/usb_intf.c | 1 - drivers/tty/serial/qcom_geni_serial.c | 5 +++ drivers/tty/serial/sc16is7xx.c | 17 +++++++- drivers/usb/chipidea/ci_hdrc_imx.c | 10 +++-- drivers/usb/chipidea/usbmisc_imx.c | 6 ++- drivers/usb/dwc3/dwc3-meson-g12a.c | 6 +++ drivers/usb/serial/option.c | 7 ++++ drivers/usb/typec/tcpm/tcpci.c | 4 ++ drivers/usb/typec/tcpm/tcpm.c | 7 ++++ fs/erofs/zdata.c | 2 + fs/nilfs2/alloc.c | 3 +- fs/nilfs2/inode.c | 7 +++- fs/nilfs2/segment.c | 5 +++ fs/smb/server/auth.c | 3 ++ fs/smb/server/oplock.c | 2 +- fs/smb/server/smb2pdu.c | 2 +- fs/smb/server/smb2pdu.h | 2 +- fs/smb/server/transport_rdma.c | 25 ++++++++---- include/linux/usb/tcpci.h | 1 + kernel/module/main.c | 14 +++++-- sound/usb/stream.c | 11 +++++- 42 files changed, 209 insertions(+), 89 deletions(-)

2 years, 1 month

12
42
0 0

[PATCH] virtio-mmio: fix memory leak of vm_dev

by Maximilian Heyne

With the recent removal of vm_dev from devres its memory is only freed via the callback virtio_mmio_release_dev. However, this only takes effect after device_add is called by register_virtio_device. Until then it's an unmanaged resource and must be explicitly freed on error exit. This bug was discovered and resolved using Coverity Static Analysis Security Testing (SAST) by Synopsys, Inc. Cc: stable(a)vger.kernel.org Fixes: 55c91fedd03d ("virtio-mmio: don't break lifecycle of vm_dev") Signed-off-by: Maximilian Heyne <mheyne(a)amazon.de> --- Please note that I have only compile tested this code. drivers/virtio/virtio_mmio.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/virtio/virtio_mmio.c b/drivers/virtio/virtio_mmio.c index 97760f611295..b2a48d07e973 100644 --- a/drivers/virtio/virtio_mmio.c +++ b/drivers/virtio/virtio_mmio.c @@ -631,13 +631,16 @@ static int virtio_mmio_probe(struct platform_device *pdev) spin_lock_init(&vm_dev->lock); vm_dev->base = devm_platform_ioremap_resource(pdev, 0); - if (IS_ERR(vm_dev->base)) + if (IS_ERR(vm_dev->base)) { + kfree(vm_dev); return PTR_ERR(vm_dev->base); + } /* Check magic value */ magic = readl(vm_dev->base + VIRTIO_MMIO_MAGIC_VALUE); if (magic != ('v' | 'i' << 8 | 'r' << 16 | 't' << 24)) { dev_warn(&pdev->dev, "Wrong magic value 0x%08lx!\n", magic); + kfree(vm_dev); return -ENODEV; } @@ -646,6 +649,7 @@ static int virtio_mmio_probe(struct platform_device *pdev) if (vm_dev->version < 1 || vm_dev->version > 2) { dev_err(&pdev->dev, "Version %ld not supported!\n", vm_dev->version); + kfree(vm_dev); return -ENXIO; } @@ -655,6 +659,7 @@ static int virtio_mmio_probe(struct platform_device *pdev) * virtio-mmio device with an ID 0 is a (dummy) placeholder * with no function. End probing now with no error reported. */ + kfree(vm_dev); return -ENODEV; } vm_dev->vdev.id.vendor = readl(vm_dev->base + VIRTIO_MMIO_VENDOR_ID); -- 2.40.1 Amazon Development Center Germany GmbH Krausenstr. 38 10117 Berlin Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B Sitz: Berlin Ust-ID: DE 289 237 879

2 years, 1 month

2
2
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror