- Linux-stable-mirror - lists.linaro.org

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.15.97 release. There are 22 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 03 Mar 2023 18:06:43 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.97-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.15.97-rc1 Alan Stern <stern(a)rowland.harvard.edu> USB: core: Don't hold device lock while reading the "descriptors" sysfs file Prashanth K <quic_prashk(a)quicinc.com> usb: gadget: u_serial: Add null pointer check in gserial_resume Florian Zumbiehl <florz(a)florz.de> USB: serial: option: add support for VW/Skoda "Carstick LTE" Heikki Krogerus <heikki.krogerus(a)linux.intel.com> usb: dwc3: pci: add support for the Intel Meteor Lake-M Carlos Llamas <cmllamas(a)google.com> scripts/tags.sh: fix incompatibility with PCRE2 Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> scripts/tags.sh: Invoke 'realpath' via 'xargs' Thomas Weißschuh <linux(a)weissschuh.net> vc_screen: don't clobber return value in vcs_read Kuniyuki Iwashima <kuniyu(a)amazon.com> net: Remove WARN_ON_ONCE(sk->sk_forward_alloc) from sk_stream_kill_queues(). Martin KaFai Lau <martin.lau(a)kernel.org> bpf: bpf_fib_lookup should not return neigh in NUD_FAILED state Sergio Paracuellos <sergio.paracuellos(a)gmail.com> staging: mt7621-dts: change palmbus address to lower case Kan Liang <kan.liang(a)linux.intel.com> x86/cpu: Add Lunar Lake M Xin Zhao <xnzhao(a)google.com> HID: core: Fix deadloop in hid_apply_multiplier. Julian Anastasov <ja(a)ssi.bg> neigh: make sure used and confirmed times are valid Dean Luick <dean.luick(a)cornelisnetworks.com> IB/hfi1: Assign npages earlier Jack Yu <jack.yu(a)realtek.com> ASoC: rt715-sdca: fix clock stop prepare timeout issue David Sterba <dsterba(a)suse.com> btrfs: send: limit number of clones and allocated memory size Vishal Verma <vishal.l.verma(a)intel.com> ACPI: NFIT: fix a potential deadlock during NFIT teardown Takahiro Fujii <fujii(a)xaxxi.net> HID: elecom: add support for TrackBall 056E:011C Johan Jonker <jbx6244(a)gmail.com> ARM: dts: rockchip: add power-domains property to dp node on rk3288 Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> arm64: dts: rockchip: drop unused LED mode property from rk3328-roc-cc Benedict Wong <benedictwong(a)google.com> Fix XFRM-I support for nested ESP tunnels Neel Patel <neel(a)pensando.io> ionic: refactor use of ionic_rx_fill() ------------- Diffstat: Makefile | 4 +- arch/arm/boot/dts/rk3288.dtsi | 1 + arch/arm64/boot/dts/rockchip/rk3328-roc-cc.dts | 2 - arch/x86/include/asm/intel-family.h | 2 + drivers/acpi/nfit/core.c | 2 +- drivers/hid/hid-core.c | 3 ++ drivers/hid/hid-elecom.c | 16 ++++++- drivers/hid/hid-ids.h | 3 +- drivers/hid/hid-quirks.c | 3 +- drivers/infiniband/hw/hfi1/user_exp_rcv.c | 9 +--- drivers/net/ethernet/pensando/ionic/ionic_txrx.c | 23 +++++----- drivers/staging/mt7621-dts/gbpc1.dts | 2 +- drivers/tty/vt/vc_screen.c | 7 +-- drivers/usb/core/hub.c | 5 +-- drivers/usb/core/sysfs.c | 5 --- drivers/usb/dwc3/dwc3-pci.c | 4 ++ drivers/usb/gadget/function/u_serial.c | 23 ++++++++-- drivers/usb/serial/option.c | 4 ++ fs/btrfs/send.c | 6 +-- net/caif/caif_socket.c | 1 + net/core/filter.c | 4 +- net/core/neighbour.c | 18 ++++++-- net/core/stream.c | 1 - net/xfrm/xfrm_interface.c | 54 ++++++++++++++++++++++-- net/xfrm/xfrm_policy.c | 3 ++ scripts/tags.sh | 11 +++-- sound/soc/codecs/rt715-sdca-sdw.c | 2 +- 27 files changed, 157 insertions(+), 61 deletions(-)

2 years, 8 months

9
30
0 0

[merged mm-hotfixes-stable] fs-cramfs-inodec-initialize-file_ra_state.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: fs/cramfs/inode.c: initialize file_ra_state has been removed from the -mm tree. Its filename was fs-cramfs-inodec-initialize-file_ra_state.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Andrew Morton <akpm(a)linux-foundation.org> Subject: fs/cramfs/inode.c: initialize file_ra_state Date: Sun Feb 26 12:31:11 PM PST 2023 file_ra_state_init() assumes that the file_ra_state has been zeroed out. Fixes a KMSAN used-unintialized issue (at least). Fixes: cf948cbc35e80 ("cramfs: read_mapping_page() is synchronous") Reported-by: syzbot <syzbot+8ce7f8308d91e6b8bbe2(a)syzkaller.appspotmail.com> Link: https://lkml.kernel.org/r/0000000000008f74e905f56df987@google.com Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Nicolas Pitre <nico(a)fluxnic.net> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- --- a/fs/cramfs/inode.c~fs-cramfs-inodec-initialize-file_ra_state +++ a/fs/cramfs/inode.c @@ -183,7 +183,7 @@ static void *cramfs_blkdev_read(struct s unsigned int len) { struct address_space *mapping = sb->s_bdev->bd_inode->i_mapping; - struct file_ra_state ra; + struct file_ra_state ra = {}; struct page *pages[BLKS_PER_BUF]; unsigned i, blocknr, buffer; unsigned long devsize; _ Patches currently in -mm which might be from akpm(a)linux-foundation.org are mm-page_alloc-reduce-page-alloc-free-sanity-checks-checkpatch-fixes.patch mm-page_alloc-reduce-page-alloc-free-sanity-checks-fix.patch mm-userfaultfd-support-wp-on-multiple-vmas-fix.patch

2 years, 8 months

1
0
0 0

[merged mm-hotfixes-stable] fs-hfsplus-fix-uaf-issue-in-hfsplus_put_super.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: fs: hfsplus: fix UAF issue in hfsplus_put_super has been removed from the -mm tree. Its filename was fs-hfsplus-fix-uaf-issue-in-hfsplus_put_super.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Dongliang Mu <mudongliangabcd(a)gmail.com> Subject: fs: hfsplus: fix UAF issue in hfsplus_put_super Date: Sun, 26 Feb 2023 20:49:47 +0800 The current hfsplus_put_super first calls hfs_btree_close on sbi->ext_tree, then invokes iput on sbi->hidden_dir, resulting in an use-after-free issue in hfsplus_release_folio. As shown in hfsplus_fill_super, the error handling code also calls iput before hfs_btree_close. To fix this error, we move all iput calls before hfsplus_btree_close. Note that this patch is tested on Syzbot. Link: https://lkml.kernel.org/r/20230226124948.3175736-1-mudongliangabcd@gmail.com Reported-by: syzbot+57e3e98f7e3b80f64d56(a)syzkaller.appspotmail.com Tested-by: Dongliang Mu <mudongliangabcd(a)gmail.com> Signed-off-by: Dongliang Mu <mudongliangabcd(a)gmail.com> Cc: Bart Van Assche <bvanassche(a)acm.org> Cc: Jens Axboe <axboe(a)kernel.dk> Cc: Muchun Song <songmuchun(a)bytedance.com> Cc: Roman Gushchin <roman.gushchin(a)linux.dev> Cc: "Theodore Ts'o" <tytso(a)mit.edu> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- --- a/fs/hfsplus/super.c~fs-hfsplus-fix-uaf-issue-in-hfsplus_put_super +++ a/fs/hfsplus/super.c @@ -295,11 +295,11 @@ static void hfsplus_put_super(struct sup hfsplus_sync_fs(sb, 1); } + iput(sbi->alloc_file); + iput(sbi->hidden_dir); hfs_btree_close(sbi->attr_tree); hfs_btree_close(sbi->cat_tree); hfs_btree_close(sbi->ext_tree); - iput(sbi->alloc_file); - iput(sbi->hidden_dir); kfree(sbi->s_vhdr_buf); kfree(sbi->s_backup_vhdr_buf); unload_nls(sbi->nls); _ Patches currently in -mm which might be from mudongliangabcd(a)gmail.com are

2 years, 8 months

1
0
0 0

[merged mm-hotfixes-stable] panic-fixes-the-panic_print-nmi-backtrace-setting.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: panic: fix the panic_print NMI backtrace setting has been removed from the -mm tree. Its filename was panic-fixes-the-panic_print-nmi-backtrace-setting.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: "Guilherme G. Piccoli" <gpiccoli(a)igalia.com> Subject: panic: fix the panic_print NMI backtrace setting Date: Sun, 26 Feb 2023 13:08:38 -0300 Commit 8d470a45d1a6 ("panic: add option to dump all CPUs backtraces in panic_print") introduced a setting for the "panic_print" kernel parameter to allow users to request a NMI backtrace on panic. Problem is that the panic_print handling happens after the secondary CPUs are already disabled, hence this option ended-up being kind of a no-op - kernel skips the NMI trace in idling CPUs, which is the case of offline CPUs. Fix it by checking the NMI backtrace bit in the panic_print prior to the CPU disabling function. Link: https://lkml.kernel.org/r/20230226160838.414257-1-gpiccoli@igalia.com Fixes: 8d470a45d1a6 ("panic: add option to dump all CPUs backtraces in panic_print") Signed-off-by: Guilherme G. Piccoli <gpiccoli(a)igalia.com> Cc: <stable(a)vger.kernel.org> Cc: Baoquan He <bhe(a)redhat.com> Cc: Dave Young <dyoung(a)redhat.com> Cc: Feng Tang <feng.tang(a)intel.com> Cc: HATAYAMA Daisuke <d.hatayama(a)jp.fujitsu.com> Cc: Hidehiro Kawai <hidehiro.kawai.ez(a)hitachi.com> Cc: Kees Cook <keescook(a)chromium.org> Cc: Michael Kelley <mikelley(a)microsoft.com> Cc: Petr Mladek <pmladek(a)suse.com> Cc: Vivek Goyal <vgoyal(a)redhat.com> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- --- a/kernel/panic.c~panic-fixes-the-panic_print-nmi-backtrace-setting +++ a/kernel/panic.c @@ -212,9 +212,6 @@ static void panic_print_sys_info(bool co return; } - if (panic_print & PANIC_PRINT_ALL_CPU_BT) - trigger_all_cpu_backtrace(); - if (panic_print & PANIC_PRINT_TASK_INFO) show_state(); @@ -244,6 +241,30 @@ void check_panic_on_warn(const char *ori origin, limit); } +/* + * Helper that triggers the NMI backtrace (if set in panic_print) + * and then performs the secondary CPUs shutdown - we cannot have + * the NMI backtrace after the CPUs are off! + */ +static void panic_other_cpus_shutdown(bool crash_kexec) +{ + if (panic_print & PANIC_PRINT_ALL_CPU_BT) + trigger_all_cpu_backtrace(); + + /* + * Note that smp_send_stop() is the usual SMP shutdown function, + * which unfortunately may not be hardened to work in a panic + * situation. If we want to do crash dump after notifier calls + * and kmsg_dump, we will need architecture dependent extra + * bits in addition to stopping other CPUs, hence we rely on + * crash_smp_send_stop() for that. + */ + if (!crash_kexec) + smp_send_stop(); + else + crash_smp_send_stop(); +} + /** * panic - halt the system * @fmt: The text string to print @@ -334,23 +355,10 @@ void panic(const char *fmt, ...) * * Bypass the panic_cpu check and call __crash_kexec directly. */ - if (!_crash_kexec_post_notifiers) { + if (!_crash_kexec_post_notifiers) __crash_kexec(NULL); - /* - * Note smp_send_stop is the usual smp shutdown function, which - * unfortunately means it may not be hardened to work in a - * panic situation. - */ - smp_send_stop(); - } else { - /* - * If we want to do crash dump after notifier calls and - * kmsg_dump, we will need architecture dependent extra - * works in addition to stopping other CPUs. - */ - crash_smp_send_stop(); - } + panic_other_cpus_shutdown(_crash_kexec_post_notifiers); /* * Run any panic handlers, including those that might need to _ Patches currently in -mm which might be from gpiccoli(a)igalia.com are

2 years, 8 months

1
0
0 0

RE:

by Lecco logistica

I've been trying to reach you but all to no avail, please contact me on my private Email: Yuansusan-006(a)outlook.com I have an important thing to discuss with you. ? -- ATTENZIONE: Le informazioni contenute in questo messaggio sono confidenziali e non possono essere rivelate o utilizzate se non dal destinatario del messaggio. Se il messaggio è stato ricevuto per errore, prego di comunicarlo immediatamente.

2 years, 8 months

1
0
0 0

+ maple_tree-fix-mas_skip_node-end-slot-detection.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: maple_tree: fix mas_skip_node() end slot detection has been added to the -mm mm-hotfixes-unstable branch. Its filename is maple_tree-fix-mas_skip_node-end-slot-detection.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: "Liam R. Howlett" <Liam.Howlett(a)oracle.com> Subject: maple_tree: fix mas_skip_node() end slot detection Date: Thu, 2 Mar 2023 21:15:39 -0500 mas_skip_node() is used to move the maple state to the node with a higher limit. It does this by walking up the tree and increasing the slot count. Since slot count may not be able to be increased, it may need to walk up multiple times to find room to walk right to a higher limit node. The limit of slots that was being used was the node limit and not the last location of data in the node. This would cause the maple state to be shifted outside actual data and enter an error state, thus returning -EBUSY. The result of the incorrect error state means that mas_awalk() would return an error instead of finding the allocation space. The fix is to use mas_data_end() in mas_skip_node() to detect the nodes data end point and continue walking the tree up until it is safe to move to a node with a higher limit. mas_skip_node() may also be passed a maple state in an error state from mas_anode_descend() when no allocations are available. Return on such an error state immediately. Link: https://lkml.kernel.org/r/20230303021540.1056603-1-Liam.Howlett@oracle.com Fixes: 54a611b60590 ("Maple Tree: add new data structure") Signed-off-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Reported-by: Snild Dolkow <snild(a)sony.com> Link: https://lore.kernel.org/linux-mm/cb8dc31a-fef2-1d09-f133-e9f7b9f9e77a@sony.… Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- --- a/lib/maple_tree.c~maple_tree-fix-mas_skip_node-end-slot-detection +++ a/lib/maple_tree.c @@ -5099,34 +5099,29 @@ static inline bool mas_rewind_node(struc */ static inline bool mas_skip_node(struct ma_state *mas) { - unsigned char slot, slot_count; unsigned long *pivots; enum maple_type mt; - mt = mte_node_type(mas->node); - slot_count = mt_slots[mt] - 1; + if (mas_is_err(mas)) + return false; + do { if (mte_is_root(mas->node)) { - slot = mas->offset; - if (slot > slot_count) { + if (mas->offset >= mas_data_end(mas)) { mas_set_err(mas, -EBUSY); return false; } } else { mas_ascend(mas); - slot = mas->offset; - mt = mte_node_type(mas->node); - slot_count = mt_slots[mt] - 1; } - } while (slot > slot_count); + } while (mas->offset >= mas_data_end(mas)); - mas->offset = ++slot; + mt = mte_node_type(mas->node); pivots = ma_pivots(mas_mn(mas), mt); - if (slot > 0) - mas->min = pivots[slot - 1] + 1; - - if (slot <= slot_count) - mas->max = pivots[slot]; + mas->min = pivots[mas->offset] + 1; + mas->offset++; + if (mas->offset < mt_slots[mt]) + mas->max = pivots[mas->offset]; return true; } _ Patches currently in -mm which might be from Liam.Howlett(a)oracle.com are mm-mprotect-fix-successful-vma_merge-of-next-in-do_mprotect_pkey.patch maple_tree-fix-mas_skip_node-end-slot-detection.patch test_maple_tree-add-more-testing-for-mas_empty_area.patch maple_tree-be-more-cautious-about-dead-nodes.patch maple_tree-detect-dead-nodes-in-mas_start.patch maple_tree-fix-freeing-of-nodes-in-rcu-mode.patch maple_tree-remove-extra-smp_wmb-from-mas_dead_leaves.patch maple_tree-fix-write-memory-barrier-of-nodes-once-dead-for-rcu-mode.patch maple_tree-add-smp_rmb-to-dead-node-detection.patch maple_tree-add-rcu-lock-checking-to-rcu-callback-functions.patch mm-enable-maple-tree-rcu-mode-by-default.patch

2 years, 8 months

1
0
0 0

+ test_maple_tree-add-more-testing-for-mas_empty_area.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: test_maple_tree: add more testing for mas_empty_area() has been added to the -mm mm-hotfixes-unstable branch. Its filename is test_maple_tree-add-more-testing-for-mas_empty_area.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: "Liam R. Howlett" <Liam.Howlett(a)oracle.com> Subject: test_maple_tree: add more testing for mas_empty_area() Date: Thu, 2 Mar 2023 21:15:40 -0500 Test robust filling of an entire area of the tree, then test one beyond. This is to test the walking back up the tree at the end of nodes and error condition. Test inspired by the reproducer code provided by Snild Dolkow. Link: https://lkml.kernel.org/r/20230303021540.1056603-2-Liam.Howlett@oracle.com Link: https://lore.kernel.org/linux-mm/cb8dc31a-fef2-1d09-f133-e9f7b9f9e77a@sony.… Fixes: e15e06a83923 ("lib/test_maple_tree: add testing for maple tree") Signed-off-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Cc: Snild Dolkow <snild(a)sony.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- --- a/lib/test_maple_tree.c~test_maple_tree-add-more-testing-for-mas_empty_area +++ a/lib/test_maple_tree.c @@ -2670,6 +2670,36 @@ static noinline void check_empty_area_wi rcu_read_unlock(); } +static noinline void check_empty_area_fill(struct maple_tree *mt) +{ + int loop, shift; + unsigned long max = 0x25D78000; + unsigned long size; + MA_STATE(mas, mt, 0, 0); + + mt_set_non_kernel(99999); + for (shift = 12; shift <= 16; shift++) { + loop = 5000; + size = 1 << shift; + while (loop--) { + mas_lock(&mas); + MT_BUG_ON(mt, mas_empty_area(&mas, 0, max, size) != 0); + MT_BUG_ON(mt, mas.last != mas.index + size - 1); + mas_store_gfp(&mas, &check_empty_area_fill, GFP_KERNEL); + mas_unlock(&mas); + mas_reset(&mas); + } + } + + /* No space left. */ + size = 0x1000; + rcu_read_lock(); + MT_BUG_ON(mt, mas_empty_area(&mas, 0, max, size) != -EBUSY); + rcu_read_unlock(); + + mt_set_non_kernel(0); +} + static DEFINE_MTREE(tree); static int maple_tree_seed(void) { @@ -2926,6 +2956,11 @@ static int maple_tree_seed(void) check_empty_area_window(&tree); mtree_destroy(&tree); + mt_init_flags(&tree, MT_FLAGS_ALLOC_RANGE); + check_empty_area_fill(&tree); + mtree_destroy(&tree); + + #if defined(BENCH) skip: #endif _ Patches currently in -mm which might be from Liam.Howlett(a)oracle.com are mm-mprotect-fix-successful-vma_merge-of-next-in-do_mprotect_pkey.patch maple_tree-fix-mas_skip_node-end-slot-detection.patch test_maple_tree-add-more-testing-for-mas_empty_area.patch maple_tree-be-more-cautious-about-dead-nodes.patch maple_tree-detect-dead-nodes-in-mas_start.patch maple_tree-fix-freeing-of-nodes-in-rcu-mode.patch maple_tree-remove-extra-smp_wmb-from-mas_dead_leaves.patch maple_tree-fix-write-memory-barrier-of-nodes-once-dead-for-rcu-mode.patch maple_tree-add-smp_rmb-to-dead-node-detection.patch maple_tree-add-rcu-lock-checking-to-rcu-callback-functions.patch mm-enable-maple-tree-rcu-mode-by-default.patch

2 years, 8 months

1
0
0 0

[PATCH 5.4] usb: dwc3: dwc3-qcom: Add missing platform_device_put() in dwc3_qcom_acpi_register_core

by Zheng Yejian

From: Miaoqian Lin <linmq006(a)gmail.com> commit fa0ef93868a6062babe1144df2807a8b1d4924d2 upstream. Add the missing platform_device_put() before return from dwc3_qcom_acpi_register_core in the error handling case. Signed-off-by: Miaoqian Lin <linmq006(a)gmail.com> Link: https://lore.kernel.org/r/20211231113641.31474-1-linmq006@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> CVE: CVE-2023-22995 Fixes: 2bc02355f8ba ("usb: dwc3: qcom: Add support for booting with ACPI") [Fix conflict due to lack of 8dc6e6dd1bee39cd65a232a17d51240fc65a0f4a] Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com> --- drivers/usb/dwc3/dwc3-qcom.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c index 2dcdeb52fc29..35f94fd69bba 100644 --- a/drivers/usb/dwc3/dwc3-qcom.c +++ b/drivers/usb/dwc3/dwc3-qcom.c @@ -486,8 +486,10 @@ static int dwc3_qcom_acpi_register_core(struct platform_device *pdev) qcom->dwc3->dev.coherent_dma_mask = dev->coherent_dma_mask; child_res = kcalloc(2, sizeof(*child_res), GFP_KERNEL); - if (!child_res) + if (!child_res) { + platform_device_put(qcom->dwc3); return -ENOMEM; + } res = platform_get_resource(pdev, IORESOURCE_MEM, 0); if (!res) { @@ -519,10 +521,15 @@ static int dwc3_qcom_acpi_register_core(struct platform_device *pdev) } ret = platform_device_add(qcom->dwc3); - if (ret) + if (ret) { dev_err(&pdev->dev, "failed to add device\n"); + goto out; + } + kfree(child_res); + return 0; out: + platform_device_put(qcom->dwc3); kfree(child_res); return ret; } -- 2.25.1

2 years, 8 months

1
0
0 0

[PATCH 5.10] usb: dwc3: dwc3-qcom: Add missing platform_device_put() in dwc3_qcom_acpi_register_core

by Zheng Yejian

From: Miaoqian Lin <linmq006(a)gmail.com> commit fa0ef93868a6062babe1144df2807a8b1d4924d2 upstream. Add the missing platform_device_put() before return from dwc3_qcom_acpi_register_core in the error handling case. Signed-off-by: Miaoqian Lin <linmq006(a)gmail.com> Link: https://lore.kernel.org/r/20211231113641.31474-1-linmq006@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> CVE: CVE-2023-22995 Fixes: 2bc02355f8ba ("usb: dwc3: qcom: Add support for booting with ACPI") [Fix conflict due to lack of 8dc6e6dd1bee39cd65a232a17d51240fc65a0f4a] Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com> --- drivers/usb/dwc3/dwc3-qcom.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c index dac13fe97811..416c94c612f5 100644 --- a/drivers/usb/dwc3/dwc3-qcom.c +++ b/drivers/usb/dwc3/dwc3-qcom.c @@ -613,8 +613,10 @@ static int dwc3_qcom_acpi_register_core(struct platform_device *pdev) qcom->dwc3->dev.coherent_dma_mask = dev->coherent_dma_mask; child_res = kcalloc(2, sizeof(*child_res), GFP_KERNEL); - if (!child_res) + if (!child_res) { + platform_device_put(qcom->dwc3); return -ENOMEM; + } res = platform_get_resource(pdev, IORESOURCE_MEM, 0); if (!res) { @@ -650,10 +652,15 @@ static int dwc3_qcom_acpi_register_core(struct platform_device *pdev) } ret = platform_device_add(qcom->dwc3); - if (ret) + if (ret) { dev_err(&pdev->dev, "failed to add device\n"); + goto out; + } + kfree(child_res); + return 0; out: + platform_device_put(qcom->dwc3); kfree(child_res); return ret; } -- 2.25.1

2 years, 8 months

1
0
0 0

+ mm-userfaultfd-propagate-uffd-wp-bit-when-pte-mapping-the-huge-zeropage.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/userfaultfd: propagate uffd-wp bit when PTE-mapping the huge zeropage has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-userfaultfd-propagate-uffd-wp-bit-when-pte-mapping-the-huge-zeropage.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: David Hildenbrand <david(a)redhat.com> Subject: mm/userfaultfd: propagate uffd-wp bit when PTE-mapping the huge zeropage Date: Thu, 2 Mar 2023 18:54:23 +0100 Currently, we'd lose the userfaultfd-wp marker when PTE-mapping a huge zeropage, resulting in the next write faults in the PMD range not triggering uffd-wp events. Various actions (partial MADV_DONTNEED, partial mremap, partial munmap, partial mprotect) could trigger this. However, most importantly, un-protecting a single sub-page from the userfaultfd-wp handler when processing a uffd-wp event will PTE-map the shared huge zeropage and lose the uffd-wp bit for the remainder of the PMD. Let's properly propagate the uffd-wp bit to the PMDs. #define _GNU_SOURCE #include <stdio.h> #include <stdlib.h> #include <stdint.h> #include <stdbool.h> #include <inttypes.h> #include <fcntl.h> #include <unistd.h> #include <errno.h> #include <poll.h> #include <pthread.h> #include <sys/mman.h> #include <sys/syscall.h> #include <sys/ioctl.h> #include <linux/userfaultfd.h> static size_t pagesize; static int uffd; static volatile bool uffd_triggered; #define barrier() __asm__ __volatile__("": : :"memory") static void uffd_wp_range(char *start, size_t size, bool wp) { struct uffdio_writeprotect uffd_writeprotect; uffd_writeprotect.range.start = (unsigned long) start; uffd_writeprotect.range.len = size; if (wp) { uffd_writeprotect.mode = UFFDIO_WRITEPROTECT_MODE_WP; } else { uffd_writeprotect.mode = 0; } if (ioctl(uffd, UFFDIO_WRITEPROTECT, &uffd_writeprotect)) { fprintf(stderr, "UFFDIO_WRITEPROTECT failed: %d\n", errno); exit(1); } } static void *uffd_thread_fn(void *arg) { static struct uffd_msg msg; ssize_t nread; while (1) { struct pollfd pollfd; int nready; pollfd.fd = uffd; pollfd.events = POLLIN; nready = poll(&pollfd, 1, -1); if (nready == -1) { fprintf(stderr, "poll() failed: %d\n", errno); exit(1); } nread = read(uffd, &msg, sizeof(msg)); if (nread <= 0) continue; if (msg.event != UFFD_EVENT_PAGEFAULT || !(msg.arg.pagefault.flags & UFFD_PAGEFAULT_FLAG_WP)) { printf("FAIL: wrong uffd-wp event fired\n"); exit(1); } /* un-protect the single page. */ uffd_triggered = true; uffd_wp_range((char *)(uintptr_t)msg.arg.pagefault.address, pagesize, false); } return arg; } static int setup_uffd(char *map, size_t size) { struct uffdio_api uffdio_api; struct uffdio_register uffdio_register; pthread_t thread; uffd = syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK | UFFD_USER_MODE_ONLY); if (uffd < 0) { fprintf(stderr, "syscall() failed: %d\n", errno); return -errno; } uffdio_api.api = UFFD_API; uffdio_api.features = UFFD_FEATURE_PAGEFAULT_FLAG_WP; if (ioctl(uffd, UFFDIO_API, &uffdio_api) < 0) { fprintf(stderr, "UFFDIO_API failed: %d\n", errno); return -errno; } if (!(uffdio_api.features & UFFD_FEATURE_PAGEFAULT_FLAG_WP)) { fprintf(stderr, "UFFD_FEATURE_WRITEPROTECT missing\n"); return -ENOSYS; } uffdio_register.range.start = (unsigned long) map; uffdio_register.range.len = size; uffdio_register.mode = UFFDIO_REGISTER_MODE_WP; if (ioctl(uffd, UFFDIO_REGISTER, &uffdio_register) < 0) { fprintf(stderr, "UFFDIO_REGISTER failed: %d\n", errno); return -errno; } pthread_create(&thread, NULL, uffd_thread_fn, NULL); return 0; } int main(void) { const size_t size = 4 * 1024 * 1024ull; char *map, *cur; pagesize = getpagesize(); map = mmap(NULL, size, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0); if (map == MAP_FAILED) { fprintf(stderr, "mmap() failed\n"); return -errno; } if (madvise(map, size, MADV_HUGEPAGE)) { fprintf(stderr, "MADV_HUGEPAGE failed\n"); return -errno; } if (setup_uffd(map, size)) return 1; /* Read the whole range, populating zeropages. */ madvise(map, size, MADV_POPULATE_READ); /* Write-protect the whole range. */ uffd_wp_range(map, size, true); /* Make sure uffd-wp triggers on each page. */ for (cur = map; cur < map + size; cur += pagesize) { uffd_triggered = false; barrier(); /* Trigger a write fault. */ *cur = 1; barrier(); if (!uffd_triggered) { printf("FAIL: uffd-wp did not trigger\n"); return 1; } } printf("PASS: uffd-wp triggered\n"); return 0; } Link: https://lkml.kernel.org/r/20230302175423.589164-1-david@redhat.com Fixes: e06f1e1dd499 ("userfaultfd: wp: enabled write protection in userfaultfd API") Signed-off-by: David Hildenbrand <david(a)redhat.com> Acked-by: Peter Xu <peterx(a)redhat.com> Cc: Mike Rapoport <rppt(a)linux.vnet.ibm.com> Cc: Andrea Arcangeli <aarcange(a)redhat.com> Cc: Jerome Glisse <jglisse(a)redhat.com> Cc: Shaohua Li <shli(a)fb.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- --- a/mm/huge_memory.c~mm-userfaultfd-propagate-uffd-wp-bit-when-pte-mapping-the-huge-zeropage +++ a/mm/huge_memory.c @@ -2037,7 +2037,7 @@ static void __split_huge_zero_page_pmd(s { struct mm_struct *mm = vma->vm_mm; pgtable_t pgtable; - pmd_t _pmd; + pmd_t _pmd, old_pmd; int i; /* @@ -2048,7 +2048,7 @@ static void __split_huge_zero_page_pmd(s * * See Documentation/mm/mmu_notifier.rst */ - pmdp_huge_clear_flush(vma, haddr, pmd); + old_pmd = pmdp_huge_clear_flush(vma, haddr, pmd); pgtable = pgtable_trans_huge_withdraw(mm, pmd); pmd_populate(mm, &_pmd, pgtable); @@ -2057,6 +2057,8 @@ static void __split_huge_zero_page_pmd(s pte_t *pte, entry; entry = pfn_pte(my_zero_pfn(haddr), vma->vm_page_prot); entry = pte_mkspecial(entry); + if (pmd_uffd_wp(old_pmd)) + entry = pte_mkuffd_wp(entry); pte = pte_offset_map(&_pmd, haddr); VM_BUG_ON(!pte_none(*pte)); set_pte_at(mm, haddr, pte, entry); _ Patches currently in -mm which might be from david(a)redhat.com are mm-userfaultfd-propagate-uffd-wp-bit-when-pte-mapping-the-huge-zeropage.patch

2 years, 8 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror