- Linux-stable-mirror - lists.linaro.org

[PATCH 1/1] mm/thp: fix MTE tag mismatch when replacing zero-filled subpages

by Lance Yang

From: Lance Yang <lance.yang(a)linux.dev> When both THP and MTE are enabled, splitting a THP and replacing its zero-filled subpages with the shared zeropage can cause MTE tag mismatch faults in userspace. Remapping zero-filled subpages to the shared zeropage is unsafe, as the zeropage has a fixed tag of zero, which may not match the tag expected by the userspace pointer. KSM already avoids this problem by using memcmp_pages(), which on arm64 intentionally reports MTE-tagged pages as non-identical to prevent unsafe merging. As suggested by David[1], this patch adopts the same pattern, replacing the memchr_inv() byte-level check with a call to pages_identical(). This leverages existing architecture-specific logic to determine if a page is truly identical to the shared zeropage. Having both the THP shrinker and KSM rely on pages_identical() makes the design more future-proof, IMO. Instead of handling quirks in generic code, we just let the architecture decide what makes two pages identical. [1] https://lore.kernel.org/all/ca2106a3-4bb2-4457-81af-301fd99fbef4@redhat.com Cc: <stable(a)vger.kernel.org> Reported-by: Qun-wei Lin <Qun-wei.Lin(a)mediatek.com> Closes: https://lore.kernel.org/all/a7944523fcc3634607691c35311a5d59d1a3f8d4.camel@… Fixes: b1f202060afe ("mm: remap unused subpages to shared zeropage when splitting isolated thp") Suggested-by: David Hildenbrand <david(a)redhat.com> Signed-off-by: Lance Yang <lance.yang(a)linux.dev> --- Tested on x86_64 and on QEMU for arm64 (with and without MTE support), and the fix works as expected. mm/huge_memory.c | 15 +++------------ mm/migrate.c | 8 +------- 2 files changed, 4 insertions(+), 19 deletions(-) diff --git a/mm/huge_memory.c b/mm/huge_memory.c index 32e0ec2dde36..28d4b02a1aa5 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -4104,29 +4104,20 @@ static unsigned long deferred_split_count(struct shrinker *shrink, static bool thp_underused(struct folio *folio) { int num_zero_pages = 0, num_filled_pages = 0; - void *kaddr; int i; for (i = 0; i < folio_nr_pages(folio); i++) { - kaddr = kmap_local_folio(folio, i * PAGE_SIZE); - if (!memchr_inv(kaddr, 0, PAGE_SIZE)) { - num_zero_pages++; - if (num_zero_pages > khugepaged_max_ptes_none) { - kunmap_local(kaddr); + if (pages_identical(folio_page(folio, i), ZERO_PAGE(0))) { + if (++num_zero_pages > khugepaged_max_ptes_none) return true; - } } else { /* * Another path for early exit once the number * of non-zero filled pages exceeds threshold. */ - num_filled_pages++; - if (num_filled_pages >= HPAGE_PMD_NR - khugepaged_max_ptes_none) { - kunmap_local(kaddr); + if (++num_filled_pages >= HPAGE_PMD_NR - khugepaged_max_ptes_none) return false; - } } - kunmap_local(kaddr); } return false; } diff --git a/mm/migrate.c b/mm/migrate.c index aee61a980374..ce83c2c3c287 100644 --- a/mm/migrate.c +++ b/mm/migrate.c @@ -300,9 +300,7 @@ static bool try_to_map_unused_to_zeropage(struct page_vma_mapped_walk *pvmw, unsigned long idx) { struct page *page = folio_page(folio, idx); - bool contains_data; pte_t newpte; - void *addr; if (PageCompound(page)) return false; @@ -319,11 +317,7 @@ static bool try_to_map_unused_to_zeropage(struct page_vma_mapped_walk *pvmw, * this subpage has been non present. If the subpage is only zero-filled * then map it to the shared zeropage. */ - addr = kmap_local_page(page); - contains_data = memchr_inv(addr, 0, PAGE_SIZE); - kunmap_local(addr); - - if (contains_data) + if (!pages_identical(page, ZERO_PAGE(0))) return false; newpte = pte_mkspecial(pfn_pte(my_zero_pfn(pvmw->address), -- 2.49.0

2 months, 4 weeks

6
21
0 0

Check this out at Amazon

by Votre Expert

THE HOUSEMAID UNDER CONTRACT https://rb.gy/2xfnv3

2 months, 4 weeks

1
0
0 0

Undelivered Mail Returned to Sender

by MAILER-DAEMON＠zihnyunrui.com

This is the mail system at host zihnyunrui.com. I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below. For further assistance, please send mail to postmaster. If you do so, please include this problem report. You can delete your own text from the attached returned message. The mail system <linux-stable-mirror(a)lists.linaro.org>: host lists.linaro.org[3.208.193.21] said: 554 5.7.1 Spam message rejected (in reply to end of DATA command)

2 months, 4 weeks

1
0
0 0

[PATCH] comedi: fix divide-by-zero in comedi_buf_munge()

by Deepanshu Kartikey

The comedi_buf_munge() function performs a modulo operation `async->munge_chan %= async->cmd.chanlist_len` without first checking if chanlist_len is zero. If a user program submits a command with chanlist_len set to zero, this causes a divide-by-zero error when the device processes data in the interrupt handler path. Add a check for zero chanlist_len at the beginning of the function, similar to the existing checks for !map and CMDF_RAWDATA flag. When chanlist_len is zero, update munge_count and return early, indicating the data was handled without munging. This prevents potential kernel panics from malformed user commands. Reported-by: syzbot+f6c3c066162d2c43a66c(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=f6c3c066162d2c43a66c Cc: stable(a)vger.kernel.org Signed-off-by: Deepanshu Kartikey <kartikey406(a)gmail.com> --- drivers/comedi/comedi_buf.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/comedi/comedi_buf.c b/drivers/comedi/comedi_buf.c index 002c0e76baff..786f888299ce 100644 --- a/drivers/comedi/comedi_buf.c +++ b/drivers/comedi/comedi_buf.c @@ -321,6 +321,11 @@ static unsigned int comedi_buf_munge(struct comedi_subdevice *s, async->munge_count += num_bytes; return num_bytes; } + + if (async->cmd.chanlist_len == 0) { + async->munge_count += num_bytes; + return num_bytes; + } /* don't munge partial samples */ num_bytes -= num_bytes % num_sample_bytes; -- 2.43.0

2 months, 4 weeks

2
1
0 0

[PATCH v4] arch_topology: Fix incorrect error check in topology_parse_cpu_capacity()

by Kaushlendra Kumar

Fix incorrect use of PTR_ERR_OR_ZERO() in topology_parse_cpu_capacity() which causes the code to proceed with NULL clock pointers. The current logic uses !PTR_ERR_OR_ZERO(cpu_clk) which evaluates to true for both valid pointers and NULL, leading to potential NULL pointer dereference in clk_get_rate(). Per include/linux/err.h documentation, PTR_ERR_OR_ZERO(ptr) returns: "The error code within @ptr if it is an error pointer; 0 otherwise." This means PTR_ERR_OR_ZERO() returns 0 for both valid pointers AND NULL pointers. Therefore !PTR_ERR_OR_ZERO(cpu_clk) evaluates to true (proceed) when cpu_clk is either valid or NULL, causing clk_get_rate(NULL) to be called when of_clk_get() returns NULL. Replace with !IS_ERR_OR_NULL(cpu_clk) which only proceeds for valid pointers, preventing potential NULL pointer dereference in clk_get_rate(). Fixes: b8fe128dad8f ("arch_topology: Adjust initial CPU capacities with current freq") Cc: stable(a)vger.kernel.org Signed-off-by: Kaushlendra Kumar <kaushlendra.kumar(a)intel.com> --- Changes in v4: - recipient list adjustment as per kernel patch review process Changes in v3: - Used accurate "function call properties" terminology in commit description (suggested by Markus Elfring) - Added stable backport justification - Removed duplicate marker line per kernel documentation Changes in v2: - Refined description based on documented macro properties (suggested by Markus Elfring) - Added proper Fixes drivers/base/arch_topology.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/base/arch_topology.c b/drivers/base/arch_topology.c index 1037169abb45..e1eff05bea4a 100644 --- a/drivers/base/arch_topology.c +++ b/drivers/base/arch_topology.c @@ -292,7 +292,7 @@ bool __init topology_parse_cpu_capacity(struct device_node *cpu_node, int cpu) * frequency (by keeping the initial capacity_freq_ref value). */ cpu_clk = of_clk_get(cpu_node, 0); - if (!PTR_ERR_OR_ZERO(cpu_clk)) { + if (!IS_ERR_OR_NULL(cpu_clk)) { per_cpu(capacity_freq_ref, cpu) = clk_get_rate(cpu_clk) / HZ_PER_KHZ; clk_put(cpu_clk); -- 2.34.1

2 months, 4 weeks

2
1
0 0

[PATCH v3] arch_topology: Fix incorrect error check in topology_parse_cpu_capacity()

by Kaushlendra Kumar

Fix incorrect use of PTR_ERR_OR_ZERO() in topology_parse_cpu_capacity() which causes the code to proceed with NULL clock pointers. The current logic uses !PTR_ERR_OR_ZERO(cpu_clk) which evaluates to true for both valid pointers and NULL, leading to potential NULL pointer dereference in clk_get_rate(). Per include/linux/err.h documentation, PTR_ERR_OR_ZERO(ptr) returns: "The error code within @ptr if it is an error pointer; 0 otherwise." This means PTR_ERR_OR_ZERO() returns 0 for both valid pointers AND NULL pointers. Therefore !PTR_ERR_OR_ZERO(cpu_clk) evaluates to true (proceed) when cpu_clk is either valid or NULL, causing clk_get_rate(NULL) to be called when of_clk_get() returns NULL. Replace with !IS_ERR_OR_NULL(cpu_clk) which only proceeds for valid pointers, preventing potential NULL pointer dereference in clk_get_rate(). Fixes: b8fe128dad8f ("arch_topology: Adjust initial CPU capacities with current freq") Cc: stable(a)vger.kernel.org Signed-off-by: Kaushlendra Kumar <kaushlendra.kumar(a)intel.com> --- Changes in v3: - Used accurate "function call properties" terminology in commit description (suggested by Markus Elfring) - Added stable backport justification - Removed duplicate marker line per kernel documentation Changes in v2: - Refined description based on documented macro properties (suggested by Markus Elfring) - Added proper Fixes drivers/base/arch_topology.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/base/arch_topology.c b/drivers/base/arch_topology.c index 1037169abb45..e1eff05bea4a 100644 --- a/drivers/base/arch_topology.c +++ b/drivers/base/arch_topology.c @@ -292,7 +292,7 @@ bool __init topology_parse_cpu_capacity(struct device_node *cpu_node, int cpu) * frequency (by keeping the initial capacity_freq_ref value). */ cpu_clk = of_clk_get(cpu_node, 0); - if (!PTR_ERR_OR_ZERO(cpu_clk)) { + if (!IS_ERR_OR_NULL(cpu_clk)) { per_cpu(capacity_freq_ref, cpu) = clk_get_rate(cpu_clk) / HZ_PER_KHZ; clk_put(cpu_clk); -- 2.34.1

2 months, 4 weeks

3
3
0 0

[PATCH 6.6 00/70] 6.6.108-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.108 release. There are 70 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 24 Sep 2025 19:23:52 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.108-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.108-rc1 Eric Hagberg <ehagberg(a)janestreet.com> Revert "loop: Avoid updating block size under exclusive owner" Linus Torvalds <torvalds(a)linux-foundation.org> minmax: add a few more MIN_T/MAX_T users Linus Torvalds <torvalds(a)linux-foundation.org> minmax: simplify and clarify min_t()/max_t() implementation Linus Torvalds <torvalds(a)linux-foundation.org> minmax: avoid overly complicated constant expressions in VM code Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: propagate shutdown to subflows when possible Bruno Thomsen <bruno.thomsen(a)gmail.com> rtc: pcf2127: fix SPI command byte for PCF2131 backport Vasant Hegde <vasant.hegde(a)amd.com> iommu/amd/pgtbl: Fix possible race while increase page table level Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: dbc: Fix full DbC transfer ring after several reconnects Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: dbc: decouple endpoint allocation from initialization Johan Hovold <johan(a)kernel.org> phy: ti: omap-usb2: fix device leak at unbind Rob Herring <robh(a)kernel.org> phy: Use device_get_match_data() Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: userspace pm: validate deny-join-id0 flag Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: nl: announce deny-join-id0 flag Sankararaman Jayaraman <sankararaman.jayaraman(a)broadcom.com> vmxnet3: unregister xdp rxq info in the reset path Stefan Metzmacher <metze(a)samba.org> smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path Herbert Xu <herbert(a)gondor.apana.org.au> crypto: af_alg - Set merge to zero early in af_alg_sendmsg Qi Xi <xiqi2(a)huawei.com> drm: bridge: cdns-mhdp8546: Fix missing mutex unlock on error path Loic Poulain <loic.poulain(a)oss.qualcomm.com> drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ Colin Ian King <colin.i.king(a)gmail.com> ASoC: SOF: Intel: hda-stream: Fix incorrect variable used in error message Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: wm8974: Correct PLL rate rounding Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: wm8940: Correct typo in control name Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: wm8940: Correct PLL rate rounding Jens Axboe <axboe(a)kernel.dk> io_uring: include dying ring in task_work "should cancel" state Jens Axboe <axboe(a)kernel.dk> io_uring: backport io_should_terminate_tw() Praful Adiga <praful.adiga(a)gmail.com> ALSA: hda/realtek: Fix mute led for HP Laptop 15-dw4xx Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: avoid spurious errors on TCP disconnect Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: connect: catch IO errors on listen side Håkon Bugge <haakon.bugge(a)oracle.com> rds: ib: Increment i_fastreg_wrs before bailing out Hans de Goede <hansg(a)kernel.org> net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer Maciej S. Szmigiero <maciej.szmigiero(a)oracle.com> KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active Thomas Fourier <fourier.thomas(a)gmail.com> mmc: mvsdio: Fix dma_unmap_sg() nents value Mohammad Rafi Shaik <mohammad.rafi.shaik(a)oss.qualcomm.com> ASoC: qcom: q6apm-lpass-dais: Fix missing set_fmt DAI op for I2S Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed Mohammad Rafi Shaik <mohammad.rafi.shaik(a)oss.qualcomm.com> ASoC: qcom: audioreach: Fix lpaif_type configuration for the I2S interface Qu Wenruo <wqu(a)suse.com> btrfs: tree-checker: fix the incorrect inode ref size check Eugene Koira <eugkoira(a)amazon.com> iommu/vt-d: Fix __domain_mapping()'s usage of switch_to_super_page() Tao Cui <cuitao(a)kylinos.cn> LoongArch: Check the return value when creating kobj Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Align ACPI structures if ARCH_STRICT_ALIGN enabled Tiezhu Yang <yangtiezhu(a)loongson.cn> LoongArch: Update help info of ARCH_STRICT_ALIGN H. Nikolaus Schaller <hns(a)goldelico.com> power: supply: bq27xxx: restrict no-battery detection to bq27000 H. Nikolaus Schaller <hns(a)goldelico.com> power: supply: bq27xxx: fix error return in case of no bq27000 hdq battery Herbert Xu <herbert(a)gondor.apana.org.au> crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Nathan Chancellor <nathan(a)kernel.org> nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/* Stefan Metzmacher <metze(a)samba.org> ksmbd: smbdirect: verify remaining_data_length respects max_fragmented_recv_size Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer Duoming Zhou <duoming(a)zju.edu.cn> octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp() Duoming Zhou <duoming(a)zju.edu.cn> cnic: Fix use-after-free bugs in cnic_delete_task Alexey Nepomnyashih <sdl(a)nppct.ru> net: liquidio: fix overflow in octeon_init_instr_queue() Tariq Toukan <tariqt(a)nvidia.com> Revert "net/mlx5e: Update and set Xon/Xoff upon port speed set" Jakub Kicinski <kuba(a)kernel.org> tls: make sure to abort the stream if headers are bogus Kuniyuki Iwashima <kuniyu(a)google.com> tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). Hangbin Liu <liuhangbin(a)gmail.com> bonding: don't set oif to bond dev when getting NS target destination Jianbo Liu <jianbol(a)nvidia.com> net/mlx5e: Harden uplink netdev access against device unbind Jianbo Liu <jianbol(a)nvidia.com> net/mlx5e: Consider aggregated port speed during rate configuration Maciej Fijalkowski <maciej.fijalkowski(a)intel.com> i40e: remove redundant memory barrier when cleaning Tx descs Yeounsu Moon <yyyynoom(a)gmail.com> net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` failure Geliang Tang <tanggeliang(a)kylinos.cn> selftests: mptcp: sockopt: fix error messages Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: tfo: record 'deny join id0' info Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: set remote_deny_join_id0 on SYN recv Hangbin Liu <liuhangbin(a)gmail.com> bonding: set random address only when slaves already exist Jamie Bainbridge <jamie.bainbridge(a)gmail.com> qed: Don't collect too many protection override GRC elements Ioana Ciornei <ioana.ciornei(a)nxp.com> dpaa2-switch: fix buffer pool seeding for control traffic Miaoqian Lin <linmq006(a)gmail.com> um: virtio_uml: Fix use-after-free after put_device in probe Filipe Manana <fdmanana(a)suse.com> btrfs: fix invalid extref key setup when replaying dentry Chen Ridong <chenridong(a)huawei.com> cgroup: split cgroup_destroy_wq into 3 workqueues Geert Uytterhoeven <geert+renesas(a)glider.be> pcmcia: omap_cf: Mark driver struct with __refdata to prevent section mismatch Liao Yuanhong <liaoyuanhong(a)vivo.com> wifi: mac80211: fix incorrect type for ret Lachlan Hodges <lachlan.hodges(a)morsemicro.com> wifi: mac80211: increase scan_ies_len for S1G Takashi Sakamoto <o-takashi(a)sakamocchi.jp> ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is not supported Ajay.Kathat(a)microchip.com <Ajay.Kathat(a)microchip.com> wifi: wilc1000: avoid buffer overflow in WID string configuration ------------- Diffstat: Makefile | 4 +- arch/loongarch/Kconfig | 8 +- arch/loongarch/include/asm/acenv.h | 7 +- arch/loongarch/kernel/env.c | 2 + arch/um/drivers/virtio_uml.c | 6 +- arch/x86/kvm/svm/svm.c | 3 +- arch/x86/mm/pgtable.c | 2 +- crypto/af_alg.c | 10 ++- drivers/block/loop.c | 38 ++------- drivers/edac/sb_edac.c | 4 +- drivers/gpu/drm/bridge/analogix/anx7625.c | 6 +- .../gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 6 +- drivers/gpu/drm/drm_color_mgmt.c | 2 +- drivers/iommu/amd/amd_iommu_types.h | 1 + drivers/iommu/amd/io_pgtable.c | 26 +++++- drivers/iommu/intel/iommu.c | 7 +- drivers/md/dm-integrity.c | 6 +- drivers/mmc/host/mvsdio.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/ethernet/broadcom/cnic.c | 3 +- .../net/ethernet/cavium/liquidio/request_manager.c | 2 +- .../net/ethernet/freescale/dpaa2/dpaa2-switch.c | 2 +- drivers/net/ethernet/intel/i40e/i40e_txrx.c | 3 - .../net/ethernet/marvell/octeontx2/nic/otx2_ptp.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 - drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 27 +++++-- drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c | 85 ++++++++++++++++--- drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h | 15 +++- drivers/net/ethernet/natsemi/ns83820.c | 13 ++- drivers/net/ethernet/qlogic/qed/qed_debug.c | 7 +- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +- drivers/net/vmxnet3/vmxnet3_drv.c | 10 +-- drivers/net/wireless/microchip/wilc1000/wlan_cfg.c | 39 ++++++--- drivers/net/wireless/microchip/wilc1000/wlan_cfg.h | 5 +- drivers/pcmcia/omap_cf.c | 8 +- drivers/phy/broadcom/phy-bcm-ns-usb3.c | 9 +-- drivers/phy/marvell/phy-berlin-usb.c | 7 +- drivers/phy/ralink/phy-ralink-usb.c | 10 +-- drivers/phy/rockchip/phy-rockchip-pcie.c | 11 +-- drivers/phy/rockchip/phy-rockchip-usb.c | 10 +-- drivers/phy/ti/phy-omap-control.c | 9 +-- drivers/phy/ti/phy-omap-usb2.c | 24 ++++-- drivers/phy/ti/phy-ti-pipe3.c | 14 +--- drivers/power/supply/bq27xxx_battery.c | 4 +- drivers/rtc/rtc-pcf2127.c | 10 +-- drivers/usb/host/xhci-dbgcap.c | 94 +++++++++++++++------- fs/btrfs/tree-checker.c | 4 +- fs/btrfs/tree-log.c | 2 +- fs/nilfs2/sysfs.c | 4 +- fs/nilfs2/sysfs.h | 8 +- fs/smb/client/smbdirect.c | 4 +- fs/smb/server/transport_rdma.c | 26 ++++-- include/crypto/if_alg.h | 10 ++- include/linux/minmax.h | 26 ++++-- include/linux/mlx5/driver.h | 1 + include/linux/pageblock-flags.h | 2 +- include/uapi/linux/mptcp.h | 6 +- io_uring/io_uring.c | 7 +- io_uring/io_uring.h | 13 +++ io_uring/poll.c | 3 +- io_uring/timeout.c | 2 +- kernel/cgroup/cgroup.c | 43 ++++++++-- net/ipv4/proc.c | 2 +- net/ipv4/tcp.c | 5 ++ net/ipv6/proc.c | 2 +- net/mac80211/driver-ops.h | 2 +- net/mac80211/main.c | 7 +- net/mptcp/options.c | 6 +- net/mptcp/pm_netlink.c | 7 ++ net/mptcp/protocol.c | 16 ++++ net/mptcp/subflow.c | 4 + net/rds/ib_frmr.c | 20 +++-- net/rfkill/rfkill-gpio.c | 4 +- net/tls/tls.h | 1 + net/tls/tls_strp.c | 14 ++-- net/tls/tls_sw.c | 3 +- sound/firewire/motu/motu-hwdep.c | 2 +- sound/pci/hda/patch_realtek.c | 1 + sound/soc/codecs/wm8940.c | 9 ++- sound/soc/codecs/wm8974.c | 8 +- sound/soc/qcom/qdsp6/audioreach.c | 1 + sound/soc/qcom/qdsp6/q6apm-lpass-dais.c | 7 +- sound/soc/sof/intel/hda-stream.c | 2 +- tools/testing/selftests/net/mptcp/mptcp_connect.c | 11 +-- tools/testing/selftests/net/mptcp/mptcp_sockopt.c | 16 ++-- tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 7 ++ tools/testing/selftests/net/mptcp/userspace_pm.sh | 14 +++- 87 files changed, 601 insertions(+), 300 deletions(-)

2 months, 4 weeks

10
79
0 0

[PATCH net RESEND] net/core : fix KMSAN: uninit value in tipc_rcv

by hariconscious＠gmail.com

From: HariKrishna Sagala <hariconscious(a)gmail.com> Syzbot reported an uninit-value bug on at kmalloc_reserve for commit 320475fbd590 ("Merge tag 'mtd/fixes-for-6.17-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux")' Syzbot KMSAN reported use of uninitialized memory originating from functions "kmalloc_reserve()", where memory allocated via "kmem_cache_alloc_node()" or "kmalloc_node_track_caller()" was not explicitly initialized. This can lead to undefined behavior when the allocated buffer is later accessed. Fix this by requesting the initialized memory using the gfp flag appended with the option "__GFP_ZERO". Reported-by: syzbot+9a4fbb77c9d4aacd3388(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=9a4fbb77c9d4aacd3388 Fixes: 915d975b2ffa ("net: deal with integer overflows in kmalloc_reserve()") Tested-by: syzbot+9a4fbb77c9d4aacd3388(a)syzkaller.appspotmail.com Cc: <stable(a)vger.kernel.org> # 6.16 Signed-off-by: HariKrishna Sagala <hariconscious(a)gmail.com> --- RESEND: - added Cc stable as suggested from kernel test robot net/core/skbuff.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/core/skbuff.c b/net/core/skbuff.c index ee0274417948..2308ebf99bbd 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -573,6 +573,7 @@ static void *kmalloc_reserve(unsigned int *size, gfp_t flags, int node, void *obj; obj_size = SKB_HEAD_ALIGN(*size); + flags |= __GFP_ZERO; if (obj_size <= SKB_SMALL_HEAD_CACHE_SIZE && !(flags & KMALLOC_NOT_NORMAL_BITS)) { obj = kmem_cache_alloc_node(net_hotdata.skb_small_head_cache, -- 2.43.0

2 months, 4 weeks

2
1
0 0

[PATCH v2] tee: fix register_shm_helper()

by Jens Wiklander

In register_shm_helper(), fix incorrect error handling for a call to iov_iter_extract_pages(). A case is missing for when iov_iter_extract_pages() only got some pages and return a number larger than 0, but not the requested amount. This fixes a possible NULL pointer dereference following a bad input from ioctl(TEE_IOC_SHM_REGISTER) where parts of the buffer isn't mapped. Cc: stable(a)vger.kernel.org Reported-by: Masami Ichikawa <masami256(a)gmail.com> Closes: https://lore.kernel.org/op-tee/CACOXgS-Bo2W72Nj1_44c7bntyNYOavnTjJAvUbEiQfq… Tested-by: Masami Ichikawa <masami256(a)gmail.com> Fixes: 7bdee4157591 ("tee: Use iov_iter to better support shared buffer registration") Signed-off-by: Jens Wiklander <jens.wiklander(a)linaro.org> --- Changes from v1 - Refactor the if statement as requested by Sumit - Adding Tested-by: Masami Ichikawa <masami256(a)gmail.com - Link to v1: https://lore.kernel.org/op-tee/20250919124217.2934718-1-jens.wiklander@lina… --- drivers/tee/tee_shm.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c index daf6e5cfd59a..76c54e1dc98c 100644 --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -319,6 +319,14 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags, if (unlikely(len <= 0)) { ret = len ? ERR_PTR(len) : ERR_PTR(-ENOMEM); goto err_free_shm_pages; + } else if (DIV_ROUND_UP(len + off, PAGE_SIZE) != num_pages) { + /* + * If we only got a few pages, update to release the + * correct amount below. + */ + shm->num_pages = len / PAGE_SIZE; + ret = ERR_PTR(-ENOMEM); + goto err_put_shm_pages; } /* -- 2.43.0

2 months, 4 weeks

2
2
0 0

[PATCH] lib/genalloc: fix device leak in of_gen_pool_get()

by Johan Hovold

Make sure to drop the reference taken when looking up the genpool platform device in of_gen_pool_get() before returning the pool. Note that holding a reference to a device does typically not prevent its devres managed resources from being released so there is no point in keeping the reference. Fixes: 9375db07adea ("genalloc: add devres support, allow to find a managed pool by device") Cc: stable(a)vger.kernel.org # 3.10 Cc: Philipp Zabel <p.zabel(a)pengutronix.de> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- lib/genalloc.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lib/genalloc.c b/lib/genalloc.c index 4fa5635bf81b..841f29783833 100644 --- a/lib/genalloc.c +++ b/lib/genalloc.c @@ -899,8 +899,11 @@ struct gen_pool *of_gen_pool_get(struct device_node *np, if (!name) name = of_node_full_name(np_pool); } - if (pdev) + if (pdev) { pool = gen_pool_get(&pdev->dev, name); + put_device(&pdev->dev); + } + of_node_put(np_pool); return pool; -- 2.49.1

2 months, 4 weeks

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror