- Linux-stable-mirror - lists.linaro.org

btrfs task hung in `lock_extent` syzbot report and CVE-2024-35784

by Andrey Kalachev

Hi. I've check c-repro [1] on 6.1.y branch and found that repro still produce the crash on 6.1.y. I notice that syzbot bisection result [2] is incorrect: indeed, the hung was fixed by upstream commit b0ad381fa769 ("btrfs: fix deadlock with fiemap and extent locking"). Also, I saw CVE-2024-35784 [3][4] vulnerability, that have direct relation with that syzbot report. Therefore, syzbot reproducer provided additional way to check for CVE-2024-35784. I attempted to fix CVE-2024-35784 in stable 6.1.y (over v6.1.157), and found that the initial fix commit b0ad381fa769 ("btrfs: fix deadlock with fiemap and extent locking") introduced regressions [5][6]. IMHO here is the minimum patch series to eliminate CVE-2024-35784 from 6.1.y: b0ad381fa769 ("btrfs: fix deadlock with fiemap and extent locking") (Initial fix of the CVE-2024-35784) a1a4a9ca77f1 ("btrfs: fix race between ordered extent completion and fiemap") (Fixes: b0ad381fa769) 978b63f7464a ("btrfs: fix race when detecting delalloc ranges during fiemap") (Fixes: b0ad381fa769) 1cab1375ba6d ("btrfs: reuse cloned extent buffer during fiemap to avoid re-allocations") (Optimization: 978b63f7464a) 53e24158684b ("btrfs: set start on clone before calling copy_extent_buffer_full") (Fixes: 1cab1375ba6d) Required patches attached. Only two patches in the series have minor backport modifications due to v6.1.157 btrfs code differences. The remaining patches are identical to the upstream. Regards, AK Reported-by: syzbot+f8217aae382555004877(a)syzkaller.appspotmail.com ---- [1] https://syzkaller.appspot.com/text?tag=ReproC&x=12b4c88b280000 [2] https://syzkaller.appspot.com/bug?extid=f8217aae382555004877 [3] https://lore.kernel.org/all/2024051704-CVE-2024-35784-6dec@gregkh/ [4] https://cve.org/CVERecord/?id=CVE-2024-35784 [5] https://lore.kernel.org/linux-btrfs/cover.1709202499.git.fdmanana@suse.com/ [6] https://lore.kernel.org/all/20240304211551.880347593@linuxfoundation.org/

6 days, 7 hours

1
12
0 0

[PATCH] clk: renesas: rzg2l: Fix intin variable size

by Chris Brandt

INTIN is a 12-bit register value, so u8 is too small. Fixes: 1561380ee72f ("clk: renesas: rzg2l: Add FOUTPOSTDIV clk support") Cc: stable(a)vger.kernel.org Reported-by: Hugo Villeneuve <hugo(a)hugovil.com> Signed-off-by: Chris Brandt <chris.brandt(a)renesas.com> --- drivers/clk/renesas/rzg2l-cpg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/clk/renesas/rzg2l-cpg.c b/drivers/clk/renesas/rzg2l-cpg.c index 07909e80bae2..4c3f6ce71f2f 100644 --- a/drivers/clk/renesas/rzg2l-cpg.c +++ b/drivers/clk/renesas/rzg2l-cpg.c @@ -122,8 +122,8 @@ struct div_hw_data { struct rzg2l_pll5_param { u32 pl5_fracin; + u16 pl5_intin; u8 pl5_refdiv; - u8 pl5_intin; u8 pl5_postdiv1; u8 pl5_postdiv2; u8 pl5_spread; -- 2.50.1

6 days, 7 hours

1
0
0 0

[PATCH 0/6] Hello,

by Miquel Raynal

Here is a series adding support for 6 Winbond SPI NOR chips. Describing these chips is needed otherwise the block protection feature is not available. Everything else looks fine otherwise. In practice I am only adding 6 very similar IDs but I split the commits because the amount of meta data to show proof that all the chips have been tested and work is pretty big. As the commits simply add an ID, I am Cc'ing stable with the hope to get these backported to LTS kernels as allowed by the stable rules (see link below, but I hope I am doing this right). Link: https://elixir.bootlin.com/linux/v6.17.7/source/Documentation/process/stabl… Thanks, Miquèl --- Miquel Raynal (6): mtd: spi-nor: winbond: Add support for W25Q01NWxxIQ chips mtd: spi-nor: winbond: Add support for W25Q01NWxxIM chips mtd: spi-nor: winbond: Add support for W25Q02NWxxIM chips mtd: spi-nor: winbond: Add support for W25H512NWxxAM chips mtd: spi-nor: winbond: Add support for W25H01NWxxAM chips mtd: spi-nor: winbond: Add support for W25H02NWxxAM chips drivers/mtd/spi-nor/winbond.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) --- base-commit: 479ba7fc704936b74a91ee352fe113d6391d562f change-id: 20251105-winbond-v6-18-rc1-spi-nor-7f78cb2785d6 Best regards, -- Miquel Raynal <miquel.raynal(a)bootlin.com>

6 days, 9 hours

4
13
0 0

[PATCH] mm/mmap_lock: Reset maple state on lock_vma_under_rcu() retry

by Liam R. Howlett

The retry in lock_vma_under_rcu() drops the rcu read lock before reacquiring the lock and trying again. This may cause a use-after-free if the maple node the maple state was using was freed. The maple state is protected by the rcu read lock. When the lock is dropped, the state cannot be reused as it tracks pointers to objects that may be freed during the time where the lock was not held. Any time the rcu read lock is dropped, the maple state must be invalidated. Resetting the address and state to MA_START is the safest course of action, which will result in the next operation starting from the top of the tree. Prior to commit 0b16f8bed19c ("mm: change vma_start_read() to drop RCU lock on failure"), the rcu read lock was dropped and NULL was returned, so the retry would not have happened. However, now that the read lock is dropped regardless of the return, we may use a freed maple tree node cached in the maple state on retry. Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: stable(a)vger.kernel.org Fixes: 0b16f8bed19c ("mm: change vma_start_read() to drop RCU lock on failure") Reported-by: syzbot+131f9eb2b5807573275c(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=131f9eb2b5807573275c Signed-off-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> --- mm/mmap_lock.c | 1 + 1 file changed, 1 insertion(+) diff --git a/mm/mmap_lock.c b/mm/mmap_lock.c index 39f341caf32c0..f2532af6208c0 100644 --- a/mm/mmap_lock.c +++ b/mm/mmap_lock.c @@ -257,6 +257,7 @@ struct vm_area_struct *lock_vma_under_rcu(struct mm_struct *mm, if (PTR_ERR(vma) == -EAGAIN) { count_vm_vma_lock_event(VMA_LOCK_MISS); /* The area was replaced with another one */ + mas_set(&mas, address); goto retry; } -- 2.47.2

6 days, 10 hours

7
16
0 0

[PATCH RFC 0/2] ASoC: codecs: pm4125: Two minor fixes for potential issues

by Krzysztof Kozlowski

I marked these as fixes, but the issue is not likely to trigger in normal conditions. Not tested on hardware, please kindly provide tested-by, the best with some probe bind/unbind cycle. Best regards, Krzysztof --- Krzysztof Kozlowski (2): ASoC: codecs: pm4125: Fix potential conflict when probing two devices ASoC: codecs: pm4125: Remove irq_chip on component unbind sound/soc/codecs/pm4125.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) --- base-commit: d22122bd89bc5ce7b3e057d99679ca50a72a8245 change-id: 20251023-asoc-regmap-irq-chip-bb2053c32168 Best regards, -- Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org>

6 days, 10 hours

2
4
0 0

[PATCH] amba: tegra-ahb: fix device leak on smmu enable

by Johan Hovold

Make sure to drop the reference taken to the ahb platform device when looking up its driver data while enabling the smmu. Note that holding a reference to a device does not prevent its driver data from going away. Fixes: 89c788bab1f0 ("ARM: tegra: Add SMMU enabler in AHB") Cc: stable(a)vger.kernel.org # 3.5 Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/amba/tegra-ahb.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/amba/tegra-ahb.c b/drivers/amba/tegra-ahb.c index c0e8b765522d..f23c3ed01810 100644 --- a/drivers/amba/tegra-ahb.c +++ b/drivers/amba/tegra-ahb.c @@ -144,6 +144,7 @@ int tegra_ahb_enable_smmu(struct device_node *dn) if (!dev) return -EPROBE_DEFER; ahb = dev_get_drvdata(dev); + put_device(dev); val = gizmo_readl(ahb, AHB_ARBITRATION_XBAR_CTRL); val |= AHB_ARBITRATION_XBAR_CTRL_SMMU_INIT_DONE; gizmo_writel(ahb, val, AHB_ARBITRATION_XBAR_CTRL); -- 2.49.1

6 days, 10 hours

3
3
0 0

[PATCH] soc/tegra: fuse: Do not register SoC device on ACPI boot

by Kartik Rajput

On Tegra platforms using ACPI, the SMCCC driver already registers the SoC device. This makes the registration performed by the Tegra fuse driver redundant. When booted via ACPI, skip registering the SoC device and suppress printing SKU information from the Tegra fuse driver, as this information is already provided by the SMCCC driver. Fixes: 972167c69080 ("soc/tegra: fuse: Add ACPI support for Tegra194 and Tegra234") Cc: stable(a)vger.kernel.org Signed-off-by: Kartik Rajput <kkartik(a)nvidia.com> --- drivers/soc/tegra/fuse/fuse-tegra.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/drivers/soc/tegra/fuse/fuse-tegra.c b/drivers/soc/tegra/fuse/fuse-tegra.c index d27667283846..74d2fedea71c 100644 --- a/drivers/soc/tegra/fuse/fuse-tegra.c +++ b/drivers/soc/tegra/fuse/fuse-tegra.c @@ -182,8 +182,6 @@ static int tegra_fuse_probe(struct platform_device *pdev) } fuse->soc->init(fuse); - tegra_fuse_print_sku_info(&tegra_sku_info); - tegra_soc_device_register(); err = tegra_fuse_add_lookups(fuse); if (err) -- 2.43.0

6 days, 12 hours

2
1
0 0

You have (4) important emails awaiting delivery to your inbox

by lists.linaro.org Email Team

6 days, 12 hours

1
0
0 0

[6.17 stable request] netfilter: nft_ct: add seqadj extension for natted connections

by Florian Westphal

Hello Greg, hello Sasha, Could you please queue up 90918e3b6404 ("netfilter: nft_ct: add seqadj extension for natted connections") for 6.17? As-is some more esoteric configurations may not work and provide warning splat: Missing nfct_seqadj_ext_add() setup call WARNING: .. at net/netfilter/nf_conntrack_seqadj.c:41 ... [nf_conntrack] etc. I don't think this fix has risks and I'm not aware of any dependencies. Thanks for maintaining the stable trees!

6 days, 12 hours

2
1
0 0

⏰Gear up — less than 23 Hours Left to Secure Your VIP DUOONE OLED SPAN/FOLD Perk!

by InnLead Innovative

6 days, 12 hours

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror