- Linux-stable-mirror - lists.linaro.org

[PATCH 1/2] slab: prevent warnings when slab obj_exts vector allocation fails

by Suren Baghdasaryan

When object extension vector allocation fails, we set slab->obj_exts to OBJEXTS_ALLOC_FAIL to indicate the failure. Later, once the vector is successfully allocated, we will use this flag to mark codetag references stored in that vector as empty to avoid codetag warnings. slab_obj_exts() used to retrieve the slab->obj_exts vector pointer checks slab->obj_exts for being either NULL or a pointer with MEMCG_DATA_OBJEXTS bit set. However it does not handle the case when slab->obj_exts equals OBJEXTS_ALLOC_FAIL. Add the missing condition to avoid extra warning. Fixes: 09c46563ff6d ("codetag: debug: introduce OBJEXTS_ALLOC_FAIL to mark failed slab_ext allocations") Reported-by: Shakeel Butt <shakeel.butt(a)linux.dev> Closes: https://lore.kernel.org/all/jftidhymri2af5u3xtcqry3cfu6aqzte3uzlznhlaylgrdz… Signed-off-by: Suren Baghdasaryan <surenb(a)google.com> Cc: stable(a)vger.kernel.org # v6.10+ --- mm/slab.h | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/mm/slab.h b/mm/slab.h index c41a512dd07c..b930193fd94e 100644 --- a/mm/slab.h +++ b/mm/slab.h @@ -526,8 +526,12 @@ static inline struct slabobj_ext *slab_obj_exts(struct slab *slab) unsigned long obj_exts = READ_ONCE(slab->obj_exts); #ifdef CONFIG_MEMCG - VM_BUG_ON_PAGE(obj_exts && !(obj_exts & MEMCG_DATA_OBJEXTS), - slab_page(slab)); + /* + * obj_exts should be either NULL, a valid pointer with + * MEMCG_DATA_OBJEXTS bit set or be equal to OBJEXTS_ALLOC_FAIL. + */ + VM_BUG_ON_PAGE(obj_exts && !(obj_exts & MEMCG_DATA_OBJEXTS) && + obj_exts != OBJEXTS_ALLOC_FAIL, slab_page(slab)); VM_BUG_ON_PAGE(obj_exts & MEMCG_DATA_KMEM, slab_page(slab)); #endif return (struct slabobj_ext *)(obj_exts & ~OBJEXTS_FLAGS_MASK); -- 2.51.0.384.g4c02a37b29-goog

2 months

2
1
0 0

[PATCH] io_uring/io-wq: fix `max_workers` breakage and `nr_workers` underflow

by Max Kellermann

Commit 88e6c42e40de ("io_uring/io-wq: add check free worker before create new worker") reused the variable `do_create` for something else, abusing it for the free worker check. This caused the value to effectively always be `true` at the time `nr_workers < max_workers` was checked, but it should really be `false`. This means the `max_workers` setting was ignored, and worse: if the limit had already been reached, incrementing `nr_workers` was skipped even though another worker would be created. When later lots of workers exit, the `nr_workers` field could easily underflow, making the problem worse because more and more workers would be created without incrementing `nr_workers`. The simple solution is to use a different variable for the free worker check instead of using one variable for two different things. Cc: stable(a)vger.kernel.org Fixes: 88e6c42e40de ("io_uring/io-wq: add check free worker before create new worker") Signed-off-by: Max Kellermann <max.kellermann(a)ionos.com> --- io_uring/io-wq.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/io_uring/io-wq.c b/io_uring/io-wq.c index 17dfaa0395c4..1d03b2fc4b25 100644 --- a/io_uring/io-wq.c +++ b/io_uring/io-wq.c @@ -352,16 +352,16 @@ static void create_worker_cb(struct callback_head *cb) struct io_wq *wq; struct io_wq_acct *acct; - bool do_create = false; + bool activated_free_worker, do_create = false; worker = container_of(cb, struct io_worker, create_work); wq = worker->wq; acct = worker->acct; rcu_read_lock(); - do_create = !io_acct_activate_free_worker(acct); + activated_free_worker = io_acct_activate_free_worker(acct); rcu_read_unlock(); - if (!do_create) + if (activated_free_worker) goto no_need_create; raw_spin_lock(&acct->workers_lock); -- 2.47.3

2 months

3
2
0 0

[PATCH v3 1/3] vhost-net: unbreak busy polling

by Michael S. Tsirkin

From: Jason Wang <jasowang(a)redhat.com> Commit 67a873df0c41 ("vhost: basic in order support") pass the number of used elem to vhost_net_rx_peek_head_len() to make sure it can signal the used correctly before trying to do busy polling. But it forgets to clear the count, this would cause the count run out of sync with handle_rx() and break the busy polling. Fixing this by passing the pointer of the count and clearing it after the signaling the used. Acked-by: Michael S. Tsirkin <mst(a)redhat.com> Cc: stable(a)vger.kernel.org Fixes: 67a873df0c41 ("vhost: basic in order support") Signed-off-by: Jason Wang <jasowang(a)redhat.com> Message-Id: <20250915024703.2206-1-jasowang(a)redhat.com> Signed-off-by: Michael S. Tsirkin <mst(a)redhat.com> --- drivers/vhost/net.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c index c6508fe0d5c8..16e39f3ab956 100644 --- a/drivers/vhost/net.c +++ b/drivers/vhost/net.c @@ -1014,7 +1014,7 @@ static int peek_head_len(struct vhost_net_virtqueue *rvq, struct sock *sk) } static int vhost_net_rx_peek_head_len(struct vhost_net *net, struct sock *sk, - bool *busyloop_intr, unsigned int count) + bool *busyloop_intr, unsigned int *count) { struct vhost_net_virtqueue *rnvq = &net->vqs[VHOST_NET_VQ_RX]; struct vhost_net_virtqueue *tnvq = &net->vqs[VHOST_NET_VQ_TX]; @@ -1024,7 +1024,8 @@ static int vhost_net_rx_peek_head_len(struct vhost_net *net, struct sock *sk, if (!len && rvq->busyloop_timeout) { /* Flush batched heads first */ - vhost_net_signal_used(rnvq, count); + vhost_net_signal_used(rnvq, *count); + *count = 0; /* Both tx vq and rx socket were polled here */ vhost_net_busy_poll(net, rvq, tvq, busyloop_intr, true); @@ -1180,7 +1181,7 @@ static void handle_rx(struct vhost_net *net) do { sock_len = vhost_net_rx_peek_head_len(net, sock->sk, - &busyloop_intr, count); + &busyloop_intr, &count); if (!sock_len) break; sock_len += sock_hlen; -- MST

2 months

1
2
0 0

[PATCH] clk: tegra: tegra124-emc: Fix a reference leak in emc_ensure_emc_driver()

by Haoxiang Li

put_device() is only called on the error path, causing a reference leak on the success path. Fix this by calling put_device() once pdev is no longer needed. Fixes: 6d6ef58c2470 ("clk: tegra: tegra124-emc: Fix missing put_device() call in emc_ensure_emc_driver") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024(a)163.com> --- drivers/clk/tegra/clk-tegra124-emc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/clk/tegra/clk-tegra124-emc.c b/drivers/clk/tegra/clk-tegra124-emc.c index 2a6db0434281..b9f2f47ec6e5 100644 --- a/drivers/clk/tegra/clk-tegra124-emc.c +++ b/drivers/clk/tegra/clk-tegra124-emc.c @@ -197,8 +197,9 @@ static struct tegra_emc *emc_ensure_emc_driver(struct tegra_clk_emc *tegra) tegra->emc_node = NULL; tegra->emc = platform_get_drvdata(pdev); + put_device(&pdev->dev); + if (!tegra->emc) { - put_device(&pdev->dev); pr_err("%s: cannot find EMC driver\n", __func__); return NULL; } -- 2.25.1

2 months

2
1
0 0

Patch "udf: fix uninit-value use in udf_get_fileshortad" missing from stable kernel v5.10

by skulkarni＠mvista.com

Hi Greg/Sasha/All, Patch "udf: fix uninit-value use in udf_get_fileshortad" which is commit 264db9d666ad in the mainline kernel, fixes CVE-2024-50143. The patch from mainline was first backported to stable versions 5.15.170, 6.1.115, 6.6.59, 6.11.6. Ref: https://lore.kernel.org/all/2024110743-CVE-2024-50143-4678@gregkh/ But later on, this patch was backported into v5.4 with https://github.com/gregkh/linux/commit/417bd613bdbe & into v4.19 with https://github.com/gregkh/linux/commit/5eb76fb98b33. But in v5.10, it was missed. When I looked at LKML to find if there were any reported issues which led to dropping this patch in v5.10, I couldn't find any. I guess this might have been missed accidentally. Assuming the backport process would be the same as in other cases, I tried to get the backported patch locally from v5.15. The patch gets applied cleanly, but unfortunately, it generates build warnings. " fs/udf/inode.c: In function ��udf_current_aext��: ./include/linux/overflow.h:70:15: warning: comparison of distinct pointer types lacks a cast 70 | (void) (&__a == &__b); \ | ^~ fs/udf/inode.c:2199:7: note: in expansion of macro ��check_add_overflow�� 2199 | if (check_add_overflow(sizeof(struct allocExtDesc), | ^~~~~~~~~~~~~~~~~~ ./include/linux/overflow.h:71:15: warning: comparison of distinct pointer types lacks a cast 71 | (void) (&__a == __d); \ | ^~ fs/udf/inode.c:2199:7: note: in expansion of macro ��check_add_overflow�� 2199 | if (check_add_overflow(sizeof(struct allocExtDesc), " I had a look at the nearest stable versions v5.4 & v5.15 to check for any dependent patches, but I couldn't find a cleanly applicable dependent patch. I will give it a try to backport this missed patch to v5.10 in the background. I am still new to kernel development & mailing lists, but what I know from Greg's other conversations is that missing a patch in between stable trees can generate regressions. Thus, I thought of reporting this issue first to the mailing list, as I am not sure how big of an impact this would have. Thanks, Shubham

2 months

2
1
0 0

[PATCH] sparc: Fix a reference leak in central_build_irq()

by Haoxiang Li

Call put_device() once central_op is no longer needed, preventing a reference leak. Fixes: 5fce09c6f636 ("sparc: Move irq_trans_init() and support code into seperate file.") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024(a)163.com> --- arch/sparc/kernel/prom_irqtrans.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/sparc/kernel/prom_irqtrans.c b/arch/sparc/kernel/prom_irqtrans.c index 5752bfd73ac0..4cfc27131caa 100644 --- a/arch/sparc/kernel/prom_irqtrans.c +++ b/arch/sparc/kernel/prom_irqtrans.c @@ -733,6 +733,7 @@ static unsigned int central_build_irq(struct device_node *dp, } else if (of_node_name_eq(dp, "clock-board")) { res = &central_op->resource[3]; } else { + put_device(&central_op->dev); return ino; } @@ -747,6 +748,7 @@ static unsigned int central_build_irq(struct device_node *dp, tmp &= ~0x80000000; upa_writel(tmp, imap); + put_device(&central_op->dev); return build_irq(0, iclr, imap); } -- 2.25.1

2 months

2
1
0 0

[PATCH 6.6] net: mdiobus: release reset_gpio in mdiobus_unregister_device()

by Bence Csókás

From: Buday Csaba <buday.csaba(a)prolan.hu> reset_gpio is claimed in mdiobus_register_device(), but it is not released in mdiobus_unregister_device(). It is instead only released when the whole MDIO bus is unregistered. When a device uses the reset_gpio property, it becomes impossible to unregister it and register it again, because the GPIO remains claimed. This patch resolves that issue. Fixes: bafbdd527d56 ("phylib: Add device reset GPIO support") # see notes Reviewed-by: Andrew Lunn <andrew(a)lunn.ch> Cc: Csókás Bence <csokas.bence(a)prolan.hu> [ csokas.bence: Resolve rebase conflict and clarify msg ] Signed-off-by: Buday Csaba <buday.csaba(a)prolan.hu> Link: https://patch.msgid.link/20250807135449.254254-2-csokas.bence@prolan.hu Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> [ Upstream commit 8ea25274ebaf2f6be8be374633b2ed8348ec0e70 ] [ csokas.bence: Use the v1 patch on top of 6.6, as specified in notes ] Signed-off-by: Bence Csókás <csokas.bence(a)prolan.hu> --- drivers/net/phy/mdio_bus.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c index 25dcaa49ab8b..e8fadd7a14fe 100644 --- a/drivers/net/phy/mdio_bus.c +++ b/drivers/net/phy/mdio_bus.c @@ -99,6 +99,7 @@ int mdiobus_unregister_device(struct mdio_device *mdiodev) if (mdiodev->bus->mdio_map[mdiodev->addr] != mdiodev) return -EINVAL; + gpiod_put(mdiodev->reset_gpio); reset_control_put(mdiodev->reset_ctrl); mdiodev->bus->mdio_map[mdiodev->addr] = NULL; @@ -775,9 +776,6 @@ void mdiobus_unregister(struct mii_bus *bus) if (!mdiodev) continue; - if (mdiodev->reset_gpio) - gpiod_put(mdiodev->reset_gpio); - mdiodev->device_remove(mdiodev); mdiodev->device_free(mdiodev); } -- 2.43.0

2 months

1
0
0 0

[PATCH 6.12] net: mdiobus: release reset_gpio in mdiobus_unregister_device()

by Bence Csókás

From: Buday Csaba <buday.csaba(a)prolan.hu> reset_gpio is claimed in mdiobus_register_device(), but it is not released in mdiobus_unregister_device(). It is instead only released when the whole MDIO bus is unregistered. When a device uses the reset_gpio property, it becomes impossible to unregister it and register it again, because the GPIO remains claimed. This patch resolves that issue. Fixes: bafbdd527d56 ("phylib: Add device reset GPIO support") # see notes Reviewed-by: Andrew Lunn <andrew(a)lunn.ch> Cc: Csókás Bence <csokas.bence(a)prolan.hu> [ csokas.bence: Resolve rebase conflict and clarify msg ] Signed-off-by: Buday Csaba <buday.csaba(a)prolan.hu> Link: https://patch.msgid.link/20250807135449.254254-2-csokas.bence@prolan.hu Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> [ Upstream commit 8ea25274ebaf2f6be8be374633b2ed8348ec0e70 ] [ csokas.bence: Use the v1 patch on top of 6.12, as specified in notes ] Signed-off-by: Bence Csókás <csokas.bence(a)prolan.hu> --- drivers/net/phy/mdio_bus.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c index 591e8fd33d8e..a508cd81cd4e 100644 --- a/drivers/net/phy/mdio_bus.c +++ b/drivers/net/phy/mdio_bus.c @@ -97,6 +97,7 @@ int mdiobus_unregister_device(struct mdio_device *mdiodev) if (mdiodev->bus->mdio_map[mdiodev->addr] != mdiodev) return -EINVAL; + gpiod_put(mdiodev->reset_gpio); reset_control_put(mdiodev->reset_ctrl); mdiodev->bus->mdio_map[mdiodev->addr] = NULL; @@ -814,9 +815,6 @@ void mdiobus_unregister(struct mii_bus *bus) if (!mdiodev) continue; - if (mdiodev->reset_gpio) - gpiod_put(mdiodev->reset_gpio); - mdiodev->device_remove(mdiodev); mdiodev->device_free(mdiodev); } -- 2.43.0

2 months

1
0
0 0

[PATCH RESEND] fs/ntfs3: Fix a resource leak bug in wnd_extend()

by Haoxiang Li

Add put_bh() to decrease the refcount of 'bh' after the job is finished, preventing a resource leak. Fixes: 3f3b442b5ad2 ("fs/ntfs3: Add bitmap") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024(a)163.com> --- fs/ntfs3/bitmap.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/ntfs3/bitmap.c b/fs/ntfs3/bitmap.c index 04107b950717..65d05e6a0566 100644 --- a/fs/ntfs3/bitmap.c +++ b/fs/ntfs3/bitmap.c @@ -1371,6 +1371,7 @@ int wnd_extend(struct wnd_bitmap *wnd, size_t new_bits) mark_buffer_dirty(bh); unlock_buffer(bh); /* err = sync_dirty_buffer(bh); */ + put_bh(bh); b0 = 0; bits -= op; -- 2.25.1

2 months

1
0
0 0

[PATCH v2] net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer

by Hans de Goede

Since commit 7d5e9737efda ("net: rfkill: gpio: get the name and type from device property") rfkill_find_type() gets called with the possibly uninitialized "const char *type_name;" local variable. On x86 systems when rfkill-gpio binds to a "BCM4752" or "LNV4752" acpi_device, the rfkill->type is set based on the ACPI acpi_device_id: rfkill->type = (unsigned)id->driver_data; and there is no "type" property so device_property_read_string() will fail and leave type_name uninitialized, leading to a potential crash. rfkill_find_type() does accept a NULL pointer, fix the potential crash by initializing type_name to NULL. Note likely sofar this has not been caught because: 1. Not many x86 machines actually have a "BCM4752"/"LNV4752" acpi_device 2. The stack happened to contain NULL where type_name is stored Fixes: 7d5e9737efda ("net: rfkill: gpio: get the name and type from device property") Cc: stable(a)vger.kernel.org Cc: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Signed-off-by: Hans de Goede <hansg(a)kernel.org> --- Changes in v2: - Fix typo in stable email address --- net/rfkill/rfkill-gpio.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/rfkill/rfkill-gpio.c b/net/rfkill/rfkill-gpio.c index 41e657e97761..cf2dcec6ce5a 100644 --- a/net/rfkill/rfkill-gpio.c +++ b/net/rfkill/rfkill-gpio.c @@ -94,10 +94,10 @@ static const struct dmi_system_id rfkill_gpio_deny_table[] = { static int rfkill_gpio_probe(struct platform_device *pdev) { struct rfkill_gpio_data *rfkill; - struct gpio_desc *gpio; + const char *type_name = NULL; const char *name_property; const char *type_property; - const char *type_name; + struct gpio_desc *gpio; int ret; if (dmi_check_system(rfkill_gpio_deny_table)) -- 2.51.0

2 months

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror