- Linux-stable-mirror - lists.linaro.org

[PATCH AUTOSEL 6.12 01/93] net: macb: Check return value of dma_set_mask_and_coherent()

by Sasha Levin

From: Sergio Perez Gonzalez <sperezglz(a)gmail.com> [ Upstream commit 3920a758800762917177a6b5ab39707d8e376fe6 ] Issue flagged by coverity. Add a safety check for the return value of dma_set_mask_and_coherent, go to a safe exit if it returns error. Link: https://scan7.scan.coverity.com/#/project-view/53936/11354?selectedIssue=16… Signed-off-by: Sergio Perez Gonzalez <sperezglz(a)gmail.com> Reviewed-by: Claudiu Beznea <claudiu.beznea(a)tuxon.dev> Link: https://patch.msgid.link/20250526032034.84900-1-sperezglz@gmail.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- Based on my analysis of the commit and the codebase context, here's my assessment: **YES** This commit should be backported to stable kernel trees. Here's my extensive analysis: ## Code Analysis The commit adds proper error checking for `dma_set_mask_and_coherent()` in the macb network driver. Looking at the specific changes: **Before the fix:** ```c if (GEM_BFEXT(DAW64, gem_readl(bp, DCFG6))) { dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(44)); bp->hw_dma_cap |= HW_DMA_CAP_64B; } ``` **After the fix:** ```c if (GEM_BFEXT(DAW64, gem_readl(bp, DCFG6))) { err = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(44)); if (err) { dev_err(&pdev->dev, "failed to set DMA mask\n"); goto err_out_free_netdev; } bp->hw_dma_cap |= HW_DMA_CAP_64B; } ``` ## Why this should be backported: 1. **Fixes a Real Bug**: The original code ignores the return value of `dma_set_mask_and_coherent()`. If this function fails (which can happen on systems with restricted DMA capabilities), the driver would continue execution assuming 44-bit DMA addressing is available when it's not, leading to potential memory corruption or system crashes. 2. **Small, Contained Fix**: This is a minimal change that only adds proper error checking without changing any core logic or introducing new features. It follows the stable tree principle of being a small, targeted bugfix. 3. **Follows Established Patterns**: Looking at the similar commits provided, this matches exactly the pattern of commits marked "YES" for backporting (commits #1, #2, and #5) which all add proper error checking for DMA mask functions. 4. **Critical Network Driver**: The macb driver is used in production systems, and DMA-related bugs can cause data corruption or system instability, making this a high-priority fix for stable trees. 5. **Proper Error Handling Path**: The fix correctly uses the existing `err_out_free_netdev` label, which properly cleans up allocated resources (line 5373-5383 in macb_main.c), preventing resource leaks when DMA setup fails. 6. **Static Analysis Tool Flagged**: The commit message mentions this was flagged by Coverity, indicating it's a legitimate code quality issue that could manifest as a runtime bug. 7. **Matches Stable Tree Criteria**: - Important bugfix ✓ - Minimal risk of regression ✓ - No architectural changes ✓ - Confined to one driver/subsystem ✓ - Clear side effects (proper cleanup on failure) ✓ This commit addresses the same class of vulnerability as the other "YES" examples: ignoring return values of critical DMA functions that can fail and lead to undefined behavior. The fix is surgical, safe, and addresses a genuine runtime issue in a widely-used network driver. drivers/net/ethernet/cadence/macb_main.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c index ae100ed8ed6b9..3c2a7919b1289 100644 --- a/drivers/net/ethernet/cadence/macb_main.c +++ b/drivers/net/ethernet/cadence/macb_main.c @@ -5117,7 +5117,11 @@ static int macb_probe(struct platform_device *pdev) #ifdef CONFIG_ARCH_DMA_ADDR_T_64BIT if (GEM_BFEXT(DAW64, gem_readl(bp, DCFG6))) { - dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(44)); + err = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(44)); + if (err) { + dev_err(&pdev->dev, "failed to set DMA mask\n"); + goto err_out_free_netdev; + } bp->hw_dma_cap |= HW_DMA_CAP_64B; } #endif -- 2.39.5

1 month

1
92
0 0

[PATCH AUTOSEL 6.14 001/108] net: macb: Check return value of dma_set_mask_and_coherent()

by Sasha Levin

From: Sergio Perez Gonzalez <sperezglz(a)gmail.com> [ Upstream commit 3920a758800762917177a6b5ab39707d8e376fe6 ] Issue flagged by coverity. Add a safety check for the return value of dma_set_mask_and_coherent, go to a safe exit if it returns error. Link: https://scan7.scan.coverity.com/#/project-view/53936/11354?selectedIssue=16… Signed-off-by: Sergio Perez Gonzalez <sperezglz(a)gmail.com> Reviewed-by: Claudiu Beznea <claudiu.beznea(a)tuxon.dev> Link: https://patch.msgid.link/20250526032034.84900-1-sperezglz@gmail.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- Based on my analysis of the commit and the codebase context, here's my assessment: **YES** This commit should be backported to stable kernel trees. Here's my extensive analysis: ## Code Analysis The commit adds proper error checking for `dma_set_mask_and_coherent()` in the macb network driver. Looking at the specific changes: **Before the fix:** ```c if (GEM_BFEXT(DAW64, gem_readl(bp, DCFG6))) { dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(44)); bp->hw_dma_cap |= HW_DMA_CAP_64B; } ``` **After the fix:** ```c if (GEM_BFEXT(DAW64, gem_readl(bp, DCFG6))) { err = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(44)); if (err) { dev_err(&pdev->dev, "failed to set DMA mask\n"); goto err_out_free_netdev; } bp->hw_dma_cap |= HW_DMA_CAP_64B; } ``` ## Why this should be backported: 1. **Fixes a Real Bug**: The original code ignores the return value of `dma_set_mask_and_coherent()`. If this function fails (which can happen on systems with restricted DMA capabilities), the driver would continue execution assuming 44-bit DMA addressing is available when it's not, leading to potential memory corruption or system crashes. 2. **Small, Contained Fix**: This is a minimal change that only adds proper error checking without changing any core logic or introducing new features. It follows the stable tree principle of being a small, targeted bugfix. 3. **Follows Established Patterns**: Looking at the similar commits provided, this matches exactly the pattern of commits marked "YES" for backporting (commits #1, #2, and #5) which all add proper error checking for DMA mask functions. 4. **Critical Network Driver**: The macb driver is used in production systems, and DMA-related bugs can cause data corruption or system instability, making this a high-priority fix for stable trees. 5. **Proper Error Handling Path**: The fix correctly uses the existing `err_out_free_netdev` label, which properly cleans up allocated resources (line 5373-5383 in macb_main.c), preventing resource leaks when DMA setup fails. 6. **Static Analysis Tool Flagged**: The commit message mentions this was flagged by Coverity, indicating it's a legitimate code quality issue that could manifest as a runtime bug. 7. **Matches Stable Tree Criteria**: - Important bugfix ✓ - Minimal risk of regression ✓ - No architectural changes ✓ - Confined to one driver/subsystem ✓ - Clear side effects (proper cleanup on failure) ✓ This commit addresses the same class of vulnerability as the other "YES" examples: ignoring return values of critical DMA functions that can fail and lead to undefined behavior. The fix is surgical, safe, and addresses a genuine runtime issue in a widely-used network driver. drivers/net/ethernet/cadence/macb_main.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c index e3cc26472c2f1..ec7f85cb0cbfa 100644 --- a/drivers/net/ethernet/cadence/macb_main.c +++ b/drivers/net/ethernet/cadence/macb_main.c @@ -5104,7 +5104,11 @@ static int macb_probe(struct platform_device *pdev) #ifdef CONFIG_ARCH_DMA_ADDR_T_64BIT if (GEM_BFEXT(DAW64, gem_readl(bp, DCFG6))) { - dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(44)); + err = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(44)); + if (err) { + dev_err(&pdev->dev, "failed to set DMA mask\n"); + goto err_out_free_netdev; + } bp->hw_dma_cap |= HW_DMA_CAP_64B; } #endif -- 2.39.5

1 month

1
107
0 0

FAILED: patch "[PATCH] arm64: dts: ti: k3-am62-main: Set eMMC clock parent to" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 3a71cdfec94436079513d9adf4b1d4f7a7edd917 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025060230-sacrifice-vexingly-4e21@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 3a71cdfec94436079513d9adf4b1d4f7a7edd917 Mon Sep 17 00:00:00 2001 From: Judith Mendez <jm(a)ti.com> Date: Tue, 29 Apr 2025 11:33:35 -0500 Subject: [PATCH] arm64: dts: ti: k3-am62-main: Set eMMC clock parent to default Set eMMC clock parents to the defaults which is MAIN_PLL0_HSDIV5_CLKOUT for eMMC. This change is necessary since DM is not implementing the correct procedure to switch PLL clock source for eMMC and MMC CLK mux is not glich-free. As a preventative action, lets switch back to the defaults. Fixes: c37c58fdeb8a ("arm64: dts: ti: k3-am62: Add more peripheral nodes") Cc: stable(a)vger.kernel.org Signed-off-by: Judith Mendez <jm(a)ti.com> Acked-by: Udit Kumar <u-kumar1(a)ti.com> Acked-by: Bryan Brattlof <bb(a)ti.com> Link: https://lore.kernel.org/r/20250429163337.15634-2-jm@ti.com Signed-off-by: Nishanth Menon <nm(a)ti.com> diff --git a/arch/arm64/boot/dts/ti/k3-am62-main.dtsi b/arch/arm64/boot/dts/ti/k3-am62-main.dtsi index 7d355aa73ea2..0c286f600296 100644 --- a/arch/arm64/boot/dts/ti/k3-am62-main.dtsi +++ b/arch/arm64/boot/dts/ti/k3-am62-main.dtsi @@ -552,8 +552,6 @@ sdhci0: mmc@fa10000 { power-domains = <&k3_pds 57 TI_SCI_PD_EXCLUSIVE>; clocks = <&k3_clks 57 5>, <&k3_clks 57 6>; clock-names = "clk_ahb", "clk_xin"; - assigned-clocks = <&k3_clks 57 6>; - assigned-clock-parents = <&k3_clks 57 8>; bus-width = <8>; mmc-ddr-1_8v; mmc-hs200-1_8v;

1 month

4
3
0 0

[PATCH 6.12.y] f2fs: fix to avoid accessing uninitialized curseg

by alvalan9＠foxmail.com

From: Chao Yu <chao(a)kernel.org> [ Upstream commit 986c50f6bca109c6cf362b4e2babcb85aba958f6 ] syzbot reports a f2fs bug as below: F2FS-fs (loop3): Stopped filesystem due to reason: 7 kworker/u8:7: attempt to access beyond end of device BUG: unable to handle page fault for address: ffffed1604ea3dfa RIP: 0010:get_ckpt_valid_blocks fs/f2fs/segment.h:361 [inline] RIP: 0010:has_curseg_enough_space fs/f2fs/segment.h:570 [inline] RIP: 0010:__get_secs_required fs/f2fs/segment.h:620 [inline] RIP: 0010:has_not_enough_free_secs fs/f2fs/segment.h:633 [inline] RIP: 0010:has_enough_free_secs+0x575/0x1660 fs/f2fs/segment.h:649 <TASK> f2fs_is_checkpoint_ready fs/f2fs/segment.h:671 [inline] f2fs_write_inode+0x425/0x540 fs/f2fs/inode.c:791 write_inode fs/fs-writeback.c:1525 [inline] __writeback_single_inode+0x708/0x10d0 fs/fs-writeback.c:1745 writeback_sb_inodes+0x820/0x1360 fs/fs-writeback.c:1976 wb_writeback+0x413/0xb80 fs/fs-writeback.c:2156 wb_do_writeback fs/fs-writeback.c:2303 [inline] wb_workfn+0x410/0x1080 fs/fs-writeback.c:2343 process_one_work kernel/workqueue.c:3236 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317 worker_thread+0x870/0xd30 kernel/workqueue.c:3398 kthread+0x7a9/0x920 kernel/kthread.c:464 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Commit 8b10d3653735 ("f2fs: introduce FAULT_NO_SEGMENT") allows to trigger no free segment fault in allocator, then it will update curseg->segno to NULL_SEGNO, though, CP_ERROR_FLAG has been set, f2fs_write_inode() missed to check the flag, and access invalid curseg->segno directly in below call path, then resulting in panic: - f2fs_write_inode - f2fs_is_checkpoint_ready - has_enough_free_secs - has_not_enough_free_secs - __get_secs_required - has_curseg_enough_space - get_ckpt_valid_blocks : access invalid curseg->segno To avoid this issue, let's: - check CP_ERROR_FLAG flag in prior to f2fs_is_checkpoint_ready() in f2fs_write_inode(). - in has_curseg_enough_space(), save curseg->segno into a temp variable, and verify its validation before use. Fixes: 8b10d3653735 ("f2fs: introduce FAULT_NO_SEGMENT") Reported-by: syzbot+b6b347b7a4ea1b2e29b6(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/67973c2b.050a0220.11b1bb.0089.GAE@google.com Signed-off-by: Chao Yu <chao(a)kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> Signed-off-by: Alva Lan <alvalan9(a)foxmail.com> --- Build test passed. The kernel booted up successfully with the patch applied. --- fs/f2fs/inode.c | 7 +++++++ fs/f2fs/segment.h | 9 ++++++++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c index a60db5e795a4..1061991434b1 100644 --- a/fs/f2fs/inode.c +++ b/fs/f2fs/inode.c @@ -777,6 +777,13 @@ int f2fs_write_inode(struct inode *inode, struct writeback_control *wbc) !is_inode_flag_set(inode, FI_DIRTY_INODE)) return 0; + /* + * no need to update inode page, ultimately f2fs_evict_inode() will + * clear dirty status of inode. + */ + if (f2fs_cp_error(sbi)) + return -EIO; + if (!f2fs_is_checkpoint_ready(sbi)) { f2fs_mark_inode_dirty_sync(inode, true); return -ENOSPC; diff --git a/fs/f2fs/segment.h b/fs/f2fs/segment.h index 51b2b8c5c749..0c004dd5595b 100644 --- a/fs/f2fs/segment.h +++ b/fs/f2fs/segment.h @@ -562,13 +562,16 @@ static inline bool has_curseg_enough_space(struct f2fs_sb_info *sbi, unsigned int node_blocks, unsigned int data_blocks, unsigned int dent_blocks) { - unsigned int segno, left_blocks, blocks; int i; /* check current data/node sections in the worst case. */ for (i = CURSEG_HOT_DATA; i < NR_PERSISTENT_LOG; i++) { segno = CURSEG_I(sbi, i)->segno; + + if (unlikely(segno == NULL_SEGNO)) + return false; + left_blocks = CAP_BLKS_PER_SEC(sbi) - get_ckpt_valid_blocks(sbi, segno, true); @@ -579,6 +582,10 @@ static inline bool has_curseg_enough_space(struct f2fs_sb_info *sbi, /* check current data section for dentry blocks. */ segno = CURSEG_I(sbi, CURSEG_HOT_DATA)->segno; + + if (unlikely(segno == NULL_SEGNO)) + return false; + left_blocks = CAP_BLKS_PER_SEC(sbi) - get_ckpt_valid_blocks(sbi, segno, true); if (dent_blocks > left_blocks) -- 2.34.1

1 month

2
1
0 0

FAILED: patch "[PATCH] arm64: dts: ti: k3-am65-main: Add missing taps to sdhci0" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x f55c9f087cc2e2252d44ffd9d58def2066fc176e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025060218-subdivide-smashing-0ef7@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f55c9f087cc2e2252d44ffd9d58def2066fc176e Mon Sep 17 00:00:00 2001 From: Judith Mendez <jm(a)ti.com> Date: Tue, 29 Apr 2025 12:30:08 -0500 Subject: [PATCH] arm64: dts: ti: k3-am65-main: Add missing taps to sdhci0 For am65x, add missing ITAPDLYSEL values for Default Speed and High Speed SDR modes to sdhci0 node according to the device datasheet [0]. [0] https://www.ti.com/lit/gpn/am6548 Fixes: eac99d38f861 ("arm64: dts: ti: k3-am654-main: Update otap-del-sel values") Cc: stable(a)vger.kernel.org Signed-off-by: Judith Mendez <jm(a)ti.com> Reviewed-by: Moteen Shah <m-shah(a)ti.com> Link: https://lore.kernel.org/r/20250429173009.33994-1-jm@ti.com Signed-off-by: Nishanth Menon <nm(a)ti.com> diff --git a/arch/arm64/boot/dts/ti/k3-am65-main.dtsi b/arch/arm64/boot/dts/ti/k3-am65-main.dtsi index 6d3c467d7038..b085e7361116 100644 --- a/arch/arm64/boot/dts/ti/k3-am65-main.dtsi +++ b/arch/arm64/boot/dts/ti/k3-am65-main.dtsi @@ -449,6 +449,8 @@ sdhci0: mmc@4f80000 { ti,otap-del-sel-mmc-hs = <0x0>; ti,otap-del-sel-ddr52 = <0x5>; ti,otap-del-sel-hs200 = <0x5>; + ti,itap-del-sel-legacy = <0xa>; + ti,itap-del-sel-mmc-hs = <0x1>; ti,itap-del-sel-ddr52 = <0x0>; dma-coherent; status = "disabled";

1 month

4
3
0 0

FAILED: patch "[PATCH] arm64: dts: ti: k3-am65-main: Add missing taps to sdhci0" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x f55c9f087cc2e2252d44ffd9d58def2066fc176e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025060219-slicing-gargle-f481@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f55c9f087cc2e2252d44ffd9d58def2066fc176e Mon Sep 17 00:00:00 2001 From: Judith Mendez <jm(a)ti.com> Date: Tue, 29 Apr 2025 12:30:08 -0500 Subject: [PATCH] arm64: dts: ti: k3-am65-main: Add missing taps to sdhci0 For am65x, add missing ITAPDLYSEL values for Default Speed and High Speed SDR modes to sdhci0 node according to the device datasheet [0]. [0] https://www.ti.com/lit/gpn/am6548 Fixes: eac99d38f861 ("arm64: dts: ti: k3-am654-main: Update otap-del-sel values") Cc: stable(a)vger.kernel.org Signed-off-by: Judith Mendez <jm(a)ti.com> Reviewed-by: Moteen Shah <m-shah(a)ti.com> Link: https://lore.kernel.org/r/20250429173009.33994-1-jm@ti.com Signed-off-by: Nishanth Menon <nm(a)ti.com> diff --git a/arch/arm64/boot/dts/ti/k3-am65-main.dtsi b/arch/arm64/boot/dts/ti/k3-am65-main.dtsi index 6d3c467d7038..b085e7361116 100644 --- a/arch/arm64/boot/dts/ti/k3-am65-main.dtsi +++ b/arch/arm64/boot/dts/ti/k3-am65-main.dtsi @@ -449,6 +449,8 @@ sdhci0: mmc@4f80000 { ti,otap-del-sel-mmc-hs = <0x0>; ti,otap-del-sel-ddr52 = <0x5>; ti,otap-del-sel-hs200 = <0x5>; + ti,itap-del-sel-legacy = <0xa>; + ti,itap-del-sel-mmc-hs = <0x1>; ti,itap-del-sel-ddr52 = <0x0>; dma-coherent; status = "disabled";

1 month

4
3
0 0

FAILED: patch "[PATCH] arm64: dts: ti: k3-am65-main: Add missing taps to sdhci0" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x f55c9f087cc2e2252d44ffd9d58def2066fc176e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025060218-borrowing-cartload-20af@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f55c9f087cc2e2252d44ffd9d58def2066fc176e Mon Sep 17 00:00:00 2001 From: Judith Mendez <jm(a)ti.com> Date: Tue, 29 Apr 2025 12:30:08 -0500 Subject: [PATCH] arm64: dts: ti: k3-am65-main: Add missing taps to sdhci0 For am65x, add missing ITAPDLYSEL values for Default Speed and High Speed SDR modes to sdhci0 node according to the device datasheet [0]. [0] https://www.ti.com/lit/gpn/am6548 Fixes: eac99d38f861 ("arm64: dts: ti: k3-am654-main: Update otap-del-sel values") Cc: stable(a)vger.kernel.org Signed-off-by: Judith Mendez <jm(a)ti.com> Reviewed-by: Moteen Shah <m-shah(a)ti.com> Link: https://lore.kernel.org/r/20250429173009.33994-1-jm@ti.com Signed-off-by: Nishanth Menon <nm(a)ti.com> diff --git a/arch/arm64/boot/dts/ti/k3-am65-main.dtsi b/arch/arm64/boot/dts/ti/k3-am65-main.dtsi index 6d3c467d7038..b085e7361116 100644 --- a/arch/arm64/boot/dts/ti/k3-am65-main.dtsi +++ b/arch/arm64/boot/dts/ti/k3-am65-main.dtsi @@ -449,6 +449,8 @@ sdhci0: mmc@4f80000 { ti,otap-del-sel-mmc-hs = <0x0>; ti,otap-del-sel-ddr52 = <0x5>; ti,otap-del-sel-hs200 = <0x5>; + ti,itap-del-sel-legacy = <0xa>; + ti,itap-del-sel-mmc-hs = <0x1>; ti,itap-del-sel-ddr52 = <0x0>; dma-coherent; status = "disabled";

1 month

4
3
0 0

[PATCH] drm/xe/guc_submit: add back fix

by Matthew Auld

Daniele noticed that the fix in commit 2d2be279f1ca ("drm/xe: fix UAF around queue destruction") looks to have been unintentionally removed as part of handling a conflict in some past merge commit. Add it back. Fixes: ac44ff7cec33 ("Merge tag 'drm-xe-fixes-2024-10-10' of https://gitlab.freedesktop.org/drm/xe/kernel into drm-fixes") Reported-by: Daniele Ceraolo Spurio <daniele.ceraolospurio(a)intel.com> Signed-off-by: Matthew Auld <matthew.auld(a)intel.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: <stable(a)vger.kernel.org> # v6.12+ --- drivers/gpu/drm/xe/xe_guc_submit.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/drivers/gpu/drm/xe/xe_guc_submit.c b/drivers/gpu/drm/xe/xe_guc_submit.c index 80f748baad3f..2b61d017eeca 100644 --- a/drivers/gpu/drm/xe/xe_guc_submit.c +++ b/drivers/gpu/drm/xe/xe_guc_submit.c @@ -229,6 +229,17 @@ static bool exec_queue_killed_or_banned_or_wedged(struct xe_exec_queue *q) static void guc_submit_fini(struct drm_device *drm, void *arg) { struct xe_guc *guc = arg; + struct xe_device *xe = guc_to_xe(guc); + struct xe_gt *gt = guc_to_gt(guc); + int ret; + + ret = wait_event_timeout(guc->submission_state.fini_wq, + xa_empty(&guc->submission_state.exec_queue_lookup), + HZ * 5); + + drain_workqueue(xe->destroy_wq); + + xe_gt_assert(gt, ret); xa_destroy(&guc->submission_state.exec_queue_lookup); } -- 2.49.0

1 month

2
1
0 0

[for-linus][PATCH 1/5] ftrace: Fix UAF when lookup kallsym after ftrace disabled

by Steven Rostedt

From: Ye Bin <yebin10(a)huawei.com> The following issue happens with a buggy module: BUG: unable to handle page fault for address: ffffffffc05d0218 PGD 1bd66f067 P4D 1bd66f067 PUD 1bd671067 PMD 101808067 PTE 0 Oops: Oops: 0000 [#1] SMP KASAN PTI Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS RIP: 0010:sized_strscpy+0x81/0x2f0 RSP: 0018:ffff88812d76fa08 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffffffffc0601010 RCX: dffffc0000000000 RDX: 0000000000000038 RSI: dffffc0000000000 RDI: ffff88812608da2d RBP: 8080808080808080 R08: ffff88812608da2d R09: ffff88812608da68 R10: ffff88812608d82d R11: ffff88812608d810 R12: 0000000000000038 R13: ffff88812608da2d R14: ffffffffc05d0218 R15: fefefefefefefeff FS: 00007fef552de740(0000) GS:ffff8884251c7000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffc05d0218 CR3: 00000001146f0000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ftrace_mod_get_kallsym+0x1ac/0x590 update_iter_mod+0x239/0x5b0 s_next+0x5b/0xa0 seq_read_iter+0x8c9/0x1070 seq_read+0x249/0x3b0 proc_reg_read+0x1b0/0x280 vfs_read+0x17f/0x920 ksys_read+0xf3/0x1c0 do_syscall_64+0x5f/0x2e0 entry_SYSCALL_64_after_hwframe+0x76/0x7e The above issue may happen as follows: (1) Add kprobe tracepoint; (2) insmod test.ko; (3) Module triggers ftrace disabled; (4) rmmod test.ko; (5) cat /proc/kallsyms; --> Will trigger UAF as test.ko already removed; ftrace_mod_get_kallsym() ... strscpy(module_name, mod_map->mod->name, MODULE_NAME_LEN); ... The problem is when a module triggers an issue with ftrace and sets ftrace_disable. The ftrace_disable is set when an anomaly is discovered and to prevent any more damage, ftrace stops all text modification. The issue that happened was that the ftrace_disable stops more than just the text modification. When a module is loaded, its init functions can also be traced. Because kallsyms deletes the init functions after a module has loaded, ftrace saves them when the module is loaded and function tracing is enabled. This allows the output of the function trace to show the init function names instead of just their raw memory addresses. When a module is removed, ftrace_release_mod() is called, and if ftrace_disable is set, it just returns without doing anything more. The problem here is that it leaves the mod_list still around and if kallsyms is called, it will call into this code and access the module memory that has already been freed as it will return: strscpy(module_name, mod_map->mod->name, MODULE_NAME_LEN); Where the "mod" no longer exists and triggers a UAF bug. Link: https://lore.kernel.org/all/20250523135452.626d8dcd@gandalf.local.home/ Cc: stable(a)vger.kernel.org Fixes: aba4b5c22cba ("ftrace: Save module init functions kallsyms symbols for tracing") Link: https://lore.kernel.org/20250529111955.2349189-2-yebin@huaweicloud.com Signed-off-by: Ye Bin <yebin10(a)huawei.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/ftrace.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c index 1af952cba48d..84fd2f8263fa 100644 --- a/kernel/trace/ftrace.c +++ b/kernel/trace/ftrace.c @@ -7438,9 +7438,10 @@ void ftrace_release_mod(struct module *mod) mutex_lock(&ftrace_lock); - if (ftrace_disabled) - goto out_unlock; - + /* + * To avoid the UAF problem after the module is unloaded, the + * 'mod_map' resource needs to be released unconditionally. + */ list_for_each_entry_safe(mod_map, n, &ftrace_mod_maps, list) { if (mod_map->mod == mod) { list_del_rcu(&mod_map->list); @@ -7449,6 +7450,9 @@ void ftrace_release_mod(struct module *mod) } } + if (ftrace_disabled) + goto out_unlock; + /* * Each module has its own ftrace_pages, remove * them from the list. -- 2.47.2

1 month

1
0
0 0

[PATCH 6.14 00/73] 6.14.10-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.14.10 release. There are 73 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 04 Jun 2025 13:42:20 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.14.10-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.14.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.14.10-rc1 Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: use list_first_entry_or_null for opinfo_get_list() Nishanth Menon <nm(a)ti.com> net: ethernet: ti: am65-cpsw: Lower random mac address error print to info Mark Pearson <mpearson-lenovo(a)squebb.ca> platform/x86: thinkpad_acpi: Ignore battery threshold change event notification Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek - restore auto-mute mode for Dell Chrome platform Valtteri Koskivuori <vkoskiv(a)gmail.com> platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: Avoid flushing data while holding directory locks in nfs_rename() Purva Yeshi <purvayeshi550(a)gmail.com> char: tpm: tpm-buf: Add sanity check fallback in read helpers Umesh Nerlige Ramappa <umesh.nerlige.ramappa(a)intel.com> drm/xe: Save the gt pointer in lrc and drop the tile Aradhya Bhatia <aradhya.bhatia(a)intel.com> drm/xe/xe2hpg: Add Wa_22021007897 Ilya Guterman <amfernusus(a)gmail.com> nvme-pci: add NVME_QUIRK_NO_DEEPEST_PS quirk for SOLIDIGM P44 Pro Alan Adamson <alan.adamson(a)oracle.com> nvme: all namespaces in a subsystem must adhere to a common atomic write size Alessandro Grassi <alessandro.grassi(a)mailbox.org> spi: spi-sun4i: fix early activation Algea Cao <algea.cao(a)rock-chips.com> phy: phy-rockchip-samsung-hdptx: Fix PHY PLL output 50.25MHz error Hal Feng <hal.feng(a)starfivetech.com> phy: starfive: jh7110-usb: Fix USB 2.0 host occasional detection failure Alan Adamson <alan.adamson(a)oracle.com> nvme: multipath: enable BLK_FEAT_ATOMIC_WRITES for multipathing Aurabindo Pillai <aurabindo.pillai(a)amd.com> drm/amd/display: check stream id dml21 wrapper to get plane_id George Shen <george.shen(a)amd.com> drm/amd/display: fix link_set_dpms_off multi-display MST corner case Markus Burri <markus.burri(a)mt.com> gpio: virtuser: fix potential out-of-bound write Damien Le Moal <dlemoal(a)kernel.org> nvmet: pci-epf: cleanup nvmet_pci_epf_raise_irq() Masahiro Yamada <masahiroy(a)kernel.org> um: let 'make clean' properly clean underlying SUBARCH as well Sami Tolvanen <samitolvanen(a)google.com> kbuild: Require pahole <v1.28 or >v1.29 with GENDWARFKSYMS on X86 John Chau <johnchau(a)0atlas.com> platform/x86: thinkpad_acpi: Support also NEC Lavie X1475JAS Jeff Layton <jlayton(a)kernel.org> nfs: don't share pNFS DS connections between net namespaces Milton Barrera <miltonjosue2001(a)gmail.com> HID: quirks: Add ADATA XPG alpha wireless mouse support Mario Limonciello <mario.limonciello(a)amd.com> HID: amd_sfh: Avoid clearing reports for SRA sensor Purva Yeshi <purvayeshi550(a)gmail.com> dmaengine: idxd: cdev: Fix uninitialized use of sva in idxd_cdev_open Christian Brauner <brauner(a)kernel.org> coredump: hand a pidfd to the usermode coredump helper Christian Brauner <brauner(a)kernel.org> coredump: fix error handling for replace_fd() Robin Murphy <robin.murphy(a)arm.com> iommu: Handle yet another race around registration Robin Murphy <robin.murphy(a)arm.com> perf/arm-cmn: Add CMN S3 ACPI binding Robin Murphy <robin.murphy(a)arm.com> perf/arm-cmn: Initialise cmn->cpu earlier Robin Murphy <robin.murphy(a)arm.com> perf/arm-cmn: Fix REQ2/SNP2 mixup Pedro Tammela <pctammela(a)mojatatu.com> net_sched: hfsc: Address reentrant enqueue adding class to eltree twice Siddharth Vadapalli <s-vadapalli(a)ti.com> arm64: dts: ti: k3-j784s4-j742s2-main-common: Fix length of serdes_ln_ctrl Siddharth Vadapalli <s-vadapalli(a)ti.com> arm64: dts: ti: k3-j722s-main: Disable "serdes_wiz0" and "serdes_wiz1" Siddharth Vadapalli <s-vadapalli(a)ti.com> arm64: dts: ti: k3-j722s-evm: Enable "serdes_wiz0" and "serdes_wiz1" Yemike Abhilash Chandra <y-abhilashchandra(a)ti.com> arm64: dts: ti: k3-j721e-sk: Add requiried voltage supplies for IMX219 Yemike Abhilash Chandra <y-abhilashchandra(a)ti.com> arm64: dts: ti: k3-j721e-sk: Remove clock-names property from IMX219 overlay Yemike Abhilash Chandra <y-abhilashchandra(a)ti.com> arm64: dts: ti: k3-j721e-sk: Add DT nodes for power regulators Yemike Abhilash Chandra <y-abhilashchandra(a)ti.com> arm64: dts: ti: k3-am68-sk: Fix regulator hierarchy Judith Mendez <jm(a)ti.com> arm64: dts: ti: k3-am65-main: Add missing taps to sdhci0 Yemike Abhilash Chandra <y-abhilashchandra(a)ti.com> arm64: dts: ti: k3-am62x: Rename I2C switch to I2C mux in OV5640 overlay Yemike Abhilash Chandra <y-abhilashchandra(a)ti.com> arm64: dts: ti: k3-am62x: Rename I2C switch to I2C mux in IMX219 overlay Yemike Abhilash Chandra <y-abhilashchandra(a)ti.com> arm64: dts: ti: k3-am62x: Remove clock-names property from IMX219 overlay Judith Mendez <jm(a)ti.com> arm64: dts: ti: k3-am62p-j722s-common-main: Set eMMC clock parent to default Judith Mendez <jm(a)ti.com> arm64: dts: ti: k3-am62a-main: Set eMMC clock parent to default Judith Mendez <jm(a)ti.com> arm64: dts: ti: k3-am62-main: Set eMMC clock parent to default Abel Vesa <abel.vesa(a)linaro.org> arm64: dts: qcom: x1e80100: Fix PCIe 3rd controller DBI size Stephan Gerhold <stephan.gerhold(a)linaro.org> arm64: dts: qcom: x1e80100: Add GPU cooling Stephan Gerhold <stephan.gerhold(a)linaro.org> arm64: dts: qcom: x1e80100: Apply consistent critical thermal shutdown Stephan Gerhold <stephan.gerhold(a)linaro.org> arm64: dts: qcom: x1e80100: Fix video thermal zone Johan Hovold <johan+linaro(a)kernel.org> arm64: dts: qcom: x1e80100-yoga-slim7x: mark l12b and l15b always-on Johan Hovold <johan+linaro(a)kernel.org> arm64: dts: qcom: x1e80100-qcp: mark l12b and l15b always-on Stephan Gerhold <stephan.gerhold(a)linaro.org> arm64: dts: qcom: x1e80100-qcp: Fix vreg_l2j_1p2 voltage Stephan Gerhold <stephan.gerhold(a)linaro.org> arm64: dts: qcom: x1e80100-lenovo-yoga-slim7x: Fix vreg_l2j_1p2 voltage Johan Hovold <johan+linaro(a)kernel.org> arm64: dts: qcom: x1e80100-hp-x14: mark l12b and l15b always-on Stephan Gerhold <stephan.gerhold(a)linaro.org> arm64: dts: qcom: x1e80100-hp-omnibook-x14: Fix vreg_l2j_1p2 voltage Juerg Haefliger <juerg.haefliger(a)canonical.com> arm64: dts: qcom: x1e80100-hp-omnibook-x14: Enable SMB2360 0 and 1 Johan Hovold <johan+linaro(a)kernel.org> arm64: dts: qcom: x1e80100-dell-xps13-9345: mark l12b and l15b always-on Stephan Gerhold <stephan.gerhold(a)linaro.org> arm64: dts: qcom: x1e80100-asus-vivobook-s15: Fix vreg_l2j_1p2 voltage Johan Hovold <johan+linaro(a)kernel.org> arm64: dts: qcom: x1e001de-devkit: mark l12b and l15b always-on Stephan Gerhold <stephan.gerhold(a)linaro.org> arm64: dts: qcom: x1e001de-devkit: Fix vreg_l2j_1p2 voltage Stephan Gerhold <stephan.gerhold(a)linaro.org> arm64: dts: qcom: sm8650: Add missing properties for cryptobam Stephan Gerhold <stephan.gerhold(a)linaro.org> arm64: dts: qcom: sm8550: Add missing properties for cryptobam Stephan Gerhold <stephan.gerhold(a)linaro.org> arm64: dts: qcom: sm8450: Add missing properties for cryptobam Alok Tiwari <alok.a.tiwari(a)oracle.com> arm64: dts: qcom: sm8350: Fix typo in pil_camera_mem node Karthik Sanagavarapu <quic_kartsana(a)quicinc.com> arm64: dts: qcom: sa8775p: Remove cdsp compute-cb@10 Ling Xu <quic_lxu5(a)quicinc.com> arm64: dts: qcom: sa8775p: Remove extra entries from the iommus property Stephan Gerhold <stephan.gerhold(a)linaro.org> arm64: dts: qcom: sa8775p: Add missing properties for cryptobam Stephan Gerhold <stephan.gerhold(a)linaro.org> arm64: dts: qcom: ipq9574: Add missing properties for cryptobam Lukasz Czechowski <lukasz.czechowski(a)thaumatec.com> arm64: dts: rockchip: fix internal USB hub instability on RK3399 Puma Niravkumar L Rabara <niravkumar.l.rabara(a)intel.com> arm64: dts: socfpga: agilex5: fix gpio0 address Axel Forsman <axfo(a)kvaser.com> can: kvaser_pciefd: Force IRQ edge in case of nested IRQ ------------- Diffstat: Makefile | 4 +- arch/arm64/boot/dts/intel/socfpga_agilex5.dtsi | 4 +- arch/arm64/boot/dts/qcom/ipq9574.dtsi | 2 + arch/arm64/boot/dts/qcom/sa8775p.dtsi | 248 ++--------------- arch/arm64/boot/dts/qcom/sm8350.dtsi | 2 +- arch/arm64/boot/dts/qcom/sm8450.dtsi | 2 + arch/arm64/boot/dts/qcom/sm8550.dtsi | 2 + arch/arm64/boot/dts/qcom/sm8650.dtsi | 2 + arch/arm64/boot/dts/qcom/x1e001de-devkit.dts | 6 +- .../boot/dts/qcom/x1e80100-asus-vivobook-s15.dts | 4 +- .../boot/dts/qcom/x1e80100-dell-xps13-9345.dts | 2 + .../boot/dts/qcom/x1e80100-hp-omnibook-x14.dts | 14 +- .../boot/dts/qcom/x1e80100-lenovo-yoga-slim7x.dts | 7 +- arch/arm64/boot/dts/qcom/x1e80100-qcp.dts | 6 +- arch/arm64/boot/dts/qcom/x1e80100.dtsi | 309 +++++++++++---------- arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 40 ++- arch/arm64/boot/dts/ti/k3-am62-main.dtsi | 2 - arch/arm64/boot/dts/ti/k3-am62a-main.dtsi | 2 - .../boot/dts/ti/k3-am62p-j722s-common-main.dtsi | 2 - .../arm64/boot/dts/ti/k3-am62x-sk-csi2-imx219.dtso | 3 +- .../arm64/boot/dts/ti/k3-am62x-sk-csi2-ov5640.dtso | 2 +- .../boot/dts/ti/k3-am62x-sk-csi2-tevi-ov5640.dtso | 2 +- arch/arm64/boot/dts/ti/k3-am65-main.dtsi | 2 + arch/arm64/boot/dts/ti/k3-am68-sk-base-board.dts | 13 +- .../boot/dts/ti/k3-j721e-sk-csi2-dual-imx219.dtso | 35 ++- arch/arm64/boot/dts/ti/k3-j721e-sk.dts | 31 +++ arch/arm64/boot/dts/ti/k3-j722s-evm.dts | 8 + arch/arm64/boot/dts/ti/k3-j722s-main.dtsi | 4 + .../boot/dts/ti/k3-j784s4-j742s2-main-common.dtsi | 2 +- arch/um/Makefile | 1 + drivers/char/tpm/tpm-buf.c | 6 +- drivers/dma/idxd/cdev.c | 4 +- drivers/gpio/gpio-virtuser.c | 12 +- .../dc/dml2/dml21/dml21_translation_helper.c | 20 +- drivers/gpu/drm/amd/display/dc/link/link_dpms.c | 13 +- drivers/gpu/drm/xe/regs/xe_gt_regs.h | 1 + drivers/gpu/drm/xe/xe_lrc.c | 4 +- drivers/gpu/drm/xe/xe_lrc_types.h | 4 +- drivers/gpu/drm/xe/xe_wa.c | 4 + drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c | 5 + drivers/hid/hid-ids.h | 4 + drivers/hid/hid-quirks.c | 2 + drivers/iommu/iommu.c | 26 +- drivers/net/can/kvaser_pciefd.c | 83 +++--- drivers/net/ethernet/ti/am65-cpsw-nuss.c | 2 +- drivers/nvme/host/core.c | 30 +- drivers/nvme/host/multipath.c | 3 +- drivers/nvme/host/nvme.h | 3 +- drivers/nvme/host/pci.c | 2 + drivers/nvme/target/pci-epf.c | 10 +- drivers/perf/arm-cmn.c | 11 +- drivers/phy/rockchip/phy-rockchip-samsung-hdptx.c | 2 + drivers/phy/starfive/phy-jh7110-usb.c | 7 + drivers/platform/x86/fujitsu-laptop.c | 33 ++- drivers/platform/x86/thinkpad_acpi.c | 7 + drivers/spi/spi-sun4i.c | 5 +- fs/coredump.c | 65 ++++- fs/nfs/client.c | 2 + fs/nfs/dir.c | 15 +- fs/nfs/filelayout/filelayoutdev.c | 6 +- fs/nfs/flexfilelayout/flexfilelayoutdev.c | 6 +- fs/nfs/pnfs.h | 4 +- fs/nfs/pnfs_nfs.c | 9 +- fs/smb/server/oplock.c | 7 +- include/linux/coredump.h | 1 + include/linux/iommu.h | 2 + include/linux/nfs_fs_sb.h | 12 +- kernel/module/Kconfig | 5 + net/sched/sch_hfsc.c | 9 +- sound/pci/hda/patch_realtek.c | 5 +- 70 files changed, 674 insertions(+), 540 deletions(-)

1 month

8
80
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror