- Linux-stable-mirror - lists.linaro.org

[PATCH v3] x86/sev: Use TSC_FACTOR for Secure TSC frequency calculation

by Nikunj A Dadhania

When using Secure TSC, the GUEST_TSC_FREQ MSR reports a frequency based on the nominal P0 frequency, which deviates slightly (typically ~0.2%) from the actual mean TSC frequency due to clocking parameters. Over extended VM uptime, this discrepancy accumulates, causing clock skew between the hypervisor and SEV-SNP VM, leading to early timer interrupts as perceived by the guest. The guest kernel relies on the reported nominal frequency for TSC-based timekeeping, while the actual frequency set during SNP_LAUNCH_START may differ. This mismatch results in inaccurate time calculations, causing the guest to perceive hrtimers as firing earlier than expected. Utilize the TSC_FACTOR from the SEV firmware's secrets page (see "Secrets Page Format" in the SNP Firmware ABI Specification) to calculate the mean TSC frequency, ensuring accurate timekeeping and mitigating clock skew in SEV-SNP VMs. Use early_ioremap_encrypted() to map the secrets page as ioremap_encrypted() uses kmalloc() which is not available during early TSC initialization and causes a panic. Fixes: 73bbf3b0fbba ("x86/tsc: Init the TSC for Secure TSC guests") Cc: stable(a)vger.kernel.org Signed-off-by: Nikunj A Dadhania <nikunj(a)amd.com> --- v3: * Remove unnecessary parenthesis (Ingo) * To avoid type cast, harmonize the types of snp_tsc_freq_khz and securetsc_get_tsc_khz() (Ingo) * Use rdmsr for GUEST_TSC_FREQ and extract BIT[17:0] from lower 32-bit v2: * Move the SNP TSC scaling constant to the header (Dionna) * Drop the unsigned long cast and add in securetsc_get_tsc_khz (Tom) * Drop the RB from Tom as the code has changed --- arch/x86/include/asm/sev.h | 18 +++++++++++++++++- arch/x86/coco/sev/core.c | 22 ++++++++++++++++++---- 2 files changed, 35 insertions(+), 5 deletions(-) diff --git a/arch/x86/include/asm/sev.h b/arch/x86/include/asm/sev.h index a81769a32eaa..cfa3ace227e6 100644 --- a/arch/x86/include/asm/sev.h +++ b/arch/x86/include/asm/sev.h @@ -223,6 +223,19 @@ struct snp_tsc_info_resp { u8 rsvd2[100]; } __packed; + +/* + * Obtain the mean TSC frequency by decreasing the nominal TSC frequency with + * TSC_FACTOR as documented in the SNP Firmware ABI specification: + * + * GUEST_TSC_FREQ * (1 - (TSC_FACTOR * 0.00001)) + * + * which is equivalent to: + * + * GUEST_TSC_FREQ -= (GUEST_TSC_FREQ * TSC_FACTOR) / 100000; + */ +#define SNP_SCALE_TSC_FREQ(freq, factor) ((freq) - (freq) * (factor) / 100000) + struct snp_guest_req { void *req_buf; size_t req_sz; @@ -283,8 +296,11 @@ struct snp_secrets_page { u8 svsm_guest_vmpl; u8 rsvd3[3]; + /* The percentage decrease from nominal to mean TSC frequency. */ + u32 tsc_factor; + /* Remainder of page */ - u8 rsvd4[3744]; + u8 rsvd4[3740]; } __packed; struct snp_msg_desc { diff --git a/arch/x86/coco/sev/core.c b/arch/x86/coco/sev/core.c index 46bd89578ec7..115a5750c40d 100644 --- a/arch/x86/coco/sev/core.c +++ b/arch/x86/coco/sev/core.c @@ -88,7 +88,7 @@ static const char * const sev_status_feat_names[] = { */ static u64 snp_tsc_scale __ro_after_init; static u64 snp_tsc_offset __ro_after_init; -static u64 snp_tsc_freq_khz __ro_after_init; +static unsigned long snp_tsc_freq_khz __ro_after_init; DEFINE_PER_CPU(struct sev_es_runtime_data*, runtime_data); DEFINE_PER_CPU(struct sev_es_save_area *, sev_vmsa); @@ -2174,15 +2174,29 @@ static unsigned long securetsc_get_tsc_khz(void) void __init snp_secure_tsc_init(void) { - unsigned long long tsc_freq_mhz; + unsigned long tsc_freq_mhz, dummy; + struct snp_secrets_page *secrets; + void *mem; if (!cc_platform_has(CC_ATTR_GUEST_SNP_SECURE_TSC)) return; + mem = early_memremap_encrypted(sev_secrets_pa, PAGE_SIZE); + if (!mem) { + pr_err("Unable to get TSC_FACTOR: failed to map the SNP secrets page.\n"); + sev_es_terminate(SEV_TERM_SET_LINUX, GHCB_TERM_SECURE_TSC); + } + + secrets = (__force struct snp_secrets_page *)mem; + setup_force_cpu_cap(X86_FEATURE_TSC_KNOWN_FREQ); - rdmsrq(MSR_AMD64_GUEST_TSC_FREQ, tsc_freq_mhz); - snp_tsc_freq_khz = (unsigned long)(tsc_freq_mhz * 1000); + rdmsr(MSR_AMD64_GUEST_TSC_FREQ, tsc_freq_mhz, dummy); + /* Extract the GUEST TSC MHZ from BIT[17:0], rest is reserved space */ + tsc_freq_mhz = tsc_freq_mhz & GENMASK_ULL(17, 0); + snp_tsc_freq_khz = SNP_SCALE_TSC_FREQ(tsc_freq_mhz * 1000, secrets->tsc_factor); x86_platform.calibrate_cpu = securetsc_get_tsc_khz; x86_platform.calibrate_tsc = securetsc_get_tsc_khz; + + early_memunmap(mem, PAGE_SIZE); } base-commit: 4da71e9f8939987cd2063e0b2ab5bb5eafc80a87 -- 2.43.0

1 week, 5 days

2
2
0 0

[PATCH] drm/vmwgfx: handle allocation failure of waiter context

by Fedor Pchelkin

Handle result of kmalloc() to prevent possible NULL pointer dereference. For the sake of not introducing additional layer of indentation, extract seqno_waiter_rm_context creating code into a separate helper function. Judging by commit 0039a3b35b10 ("drm/vmwgfx: Add seqno waiter for sync_files"), possible errors in seqno waiting aren't fatal, thus just skip this block if an allocation failure occurs - no need to propagate upwards. Found by Linux Verification Center (linuxtesting.org) with Svace static analysis tool. Fixes: 0039a3b35b10 ("drm/vmwgfx: Add seqno waiter for sync_files") Cc: stable(a)vger.kernel.org Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 27 ++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c index e831e324e737..12d897eca410 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c @@ -4085,6 +4085,23 @@ static void seqno_waiter_rm_cb(struct dma_fence *f, struct dma_fence_cb *cb) kfree(ctx); } +static void seqno_waiter_create(struct dma_fence *f, + struct vmw_private *dev_priv) +{ + struct seqno_waiter_rm_context *ctx; + + ctx = kmalloc(sizeof(*ctx), GFP_KERNEL); + if (!ctx) + return; + + ctx->dev_priv = dev_priv; + vmw_seqno_waiter_add(dev_priv); + if (dma_fence_add_callback(f, &ctx->base, seqno_waiter_rm_cb) < 0) { + vmw_seqno_waiter_remove(dev_priv); + kfree(ctx); + } +} + int vmw_execbuf_process(struct drm_file *file_priv, struct vmw_private *dev_priv, void __user *user_commands, void *kernel_commands, @@ -4265,15 +4282,7 @@ int vmw_execbuf_process(struct drm_file *file_priv, } else { /* Link the fence with the FD created earlier */ fd_install(out_fence_fd, sync_file->file); - struct seqno_waiter_rm_context *ctx = - kmalloc(sizeof(*ctx), GFP_KERNEL); - ctx->dev_priv = dev_priv; - vmw_seqno_waiter_add(dev_priv); - if (dma_fence_add_callback(&fence->base, &ctx->base, - seqno_waiter_rm_cb) < 0) { - vmw_seqno_waiter_remove(dev_priv); - kfree(ctx); - } + seqno_waiter_create(&fence->base, dev_priv); } } -- 2.50.0

1 week, 5 days

1
0
0 0

[PATCH AUTOSEL 5.4 1/5] atm: idt77252: Add missing `dma_map_error()`

by Sasha Levin

From: Thomas Fourier <fourier.thomas(a)gmail.com> [ Upstream commit c4890963350dcf4e9a909bae23665921fba4ad27 ] The DMA map functions can fail and should be tested for errors. Signed-off-by: Thomas Fourier <fourier.thomas(a)gmail.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Link: https://patch.msgid.link/20250624064148.12815-3-fourier.thomas@gmail.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES** This commit should be backported to stable kernel trees. ## Detailed Analysis: **Nature of the fix:** The commit adds missing error checking for `dma_map_single()` calls in two locations within the idt77252 ATM driver: 1. **In `queue_skb()` function (line 853-854):** ```c IDT77252_PRV_PADDR(skb) = dma_map_single(&card->pcidev->dev, skb->data, skb->len, DMA_TO_DEVICE); +if (dma_mapping_error(&card->pcidev->dev, IDT77252_PRV_PADDR(skb))) + return -ENOMEM; ``` This correctly returns -ENOMEM before reaching the errout label, avoiding any cleanup issues since the DMA mapping never succeeded. 2. **In `add_rx_skb()` function (line 1857-1860):** ```c paddr = dma_map_single(&card->pcidev->dev, skb->data, skb_end_pointer(skb) - skb->data, DMA_FROM_DEVICE); +if (dma_mapping_error(&card->pcidev->dev, paddr)) + goto outpoolrm; ``` This properly jumps to the new `outpoolrm` label which removes the SKB from the pool before freeing it, maintaining correct cleanup order. **Why this qualifies for stable backporting:** 1. **Fixes a real bug**: Missing DMA mapping error checks can cause system crashes or data corruption, especially on systems with IOMMU or SWIOTLB where DMA mapping failures are more likely. 2. **Simple and contained**: The fix adds only 5 lines of error checking code with no architectural changes. 3. **Similar to approved backports**: This follows the exact same pattern as Similar Commits #1 (eni driver) and #2 (aic94xx driver) which were both marked "YES" for backporting. 4. **Long-standing issue**: The driver has existed since at least 2005 (Linux 2.6.12-rc2), meaning this bug has been present for nearly 20 years. 5. **Minimal regression risk**: The changes only add error checking; they don't modify any existing logic paths. 6. **Proper error handling**: Both error paths are correctly implemented with appropriate cleanup sequences. The commit clearly meets all stable tree criteria as an important bug fix with minimal risk and should be backported to protect users from potential DMA-related crashes. drivers/atm/idt77252.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/atm/idt77252.c b/drivers/atm/idt77252.c index 06e2fea1ffa92..03b3b9c7c8b5c 100644 --- a/drivers/atm/idt77252.c +++ b/drivers/atm/idt77252.c @@ -849,6 +849,8 @@ queue_skb(struct idt77252_dev *card, struct vc_map *vc, IDT77252_PRV_PADDR(skb) = dma_map_single(&card->pcidev->dev, skb->data, skb->len, DMA_TO_DEVICE); + if (dma_mapping_error(&card->pcidev->dev, IDT77252_PRV_PADDR(skb))) + return -ENOMEM; error = -EINVAL; @@ -1862,6 +1864,8 @@ add_rx_skb(struct idt77252_dev *card, int queue, paddr = dma_map_single(&card->pcidev->dev, skb->data, skb_end_pointer(skb) - skb->data, DMA_FROM_DEVICE); + if (dma_mapping_error(&card->pcidev->dev, paddr)) + goto outpoolrm; IDT77252_PRV_PADDR(skb) = paddr; if (push_rx_skb(card, skb, queue)) { @@ -1876,6 +1880,7 @@ add_rx_skb(struct idt77252_dev *card, int queue, dma_unmap_single(&card->pcidev->dev, IDT77252_PRV_PADDR(skb), skb_end_pointer(skb) - skb->data, DMA_FROM_DEVICE); +outpoolrm: handle = IDT77252_PRV_POOL(skb); card->sbpool[POOL_QUEUE(handle)].skb[POOL_INDEX(handle)] = NULL; -- 2.39.5

1 week, 5 days

1
4
0 0

[PATCH AUTOSEL 5.10 1/6] atm: idt77252: Add missing `dma_map_error()`

by Sasha Levin

From: Thomas Fourier <fourier.thomas(a)gmail.com> [ Upstream commit c4890963350dcf4e9a909bae23665921fba4ad27 ] The DMA map functions can fail and should be tested for errors. Signed-off-by: Thomas Fourier <fourier.thomas(a)gmail.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Link: https://patch.msgid.link/20250624064148.12815-3-fourier.thomas@gmail.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES** This commit should be backported to stable kernel trees. ## Detailed Analysis: **Nature of the fix:** The commit adds missing error checking for `dma_map_single()` calls in two locations within the idt77252 ATM driver: 1. **In `queue_skb()` function (line 853-854):** ```c IDT77252_PRV_PADDR(skb) = dma_map_single(&card->pcidev->dev, skb->data, skb->len, DMA_TO_DEVICE); +if (dma_mapping_error(&card->pcidev->dev, IDT77252_PRV_PADDR(skb))) + return -ENOMEM; ``` This correctly returns -ENOMEM before reaching the errout label, avoiding any cleanup issues since the DMA mapping never succeeded. 2. **In `add_rx_skb()` function (line 1857-1860):** ```c paddr = dma_map_single(&card->pcidev->dev, skb->data, skb_end_pointer(skb) - skb->data, DMA_FROM_DEVICE); +if (dma_mapping_error(&card->pcidev->dev, paddr)) + goto outpoolrm; ``` This properly jumps to the new `outpoolrm` label which removes the SKB from the pool before freeing it, maintaining correct cleanup order. **Why this qualifies for stable backporting:** 1. **Fixes a real bug**: Missing DMA mapping error checks can cause system crashes or data corruption, especially on systems with IOMMU or SWIOTLB where DMA mapping failures are more likely. 2. **Simple and contained**: The fix adds only 5 lines of error checking code with no architectural changes. 3. **Similar to approved backports**: This follows the exact same pattern as Similar Commits #1 (eni driver) and #2 (aic94xx driver) which were both marked "YES" for backporting. 4. **Long-standing issue**: The driver has existed since at least 2005 (Linux 2.6.12-rc2), meaning this bug has been present for nearly 20 years. 5. **Minimal regression risk**: The changes only add error checking; they don't modify any existing logic paths. 6. **Proper error handling**: Both error paths are correctly implemented with appropriate cleanup sequences. The commit clearly meets all stable tree criteria as an important bug fix with minimal risk and should be backported to protect users from potential DMA-related crashes. drivers/atm/idt77252.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/atm/idt77252.c b/drivers/atm/idt77252.c index 25fd73fafb371..89b0ed8e51430 100644 --- a/drivers/atm/idt77252.c +++ b/drivers/atm/idt77252.c @@ -852,6 +852,8 @@ queue_skb(struct idt77252_dev *card, struct vc_map *vc, IDT77252_PRV_PADDR(skb) = dma_map_single(&card->pcidev->dev, skb->data, skb->len, DMA_TO_DEVICE); + if (dma_mapping_error(&card->pcidev->dev, IDT77252_PRV_PADDR(skb))) + return -ENOMEM; error = -EINVAL; @@ -1863,6 +1865,8 @@ add_rx_skb(struct idt77252_dev *card, int queue, paddr = dma_map_single(&card->pcidev->dev, skb->data, skb_end_pointer(skb) - skb->data, DMA_FROM_DEVICE); + if (dma_mapping_error(&card->pcidev->dev, paddr)) + goto outpoolrm; IDT77252_PRV_PADDR(skb) = paddr; if (push_rx_skb(card, skb, queue)) { @@ -1877,6 +1881,7 @@ add_rx_skb(struct idt77252_dev *card, int queue, dma_unmap_single(&card->pcidev->dev, IDT77252_PRV_PADDR(skb), skb_end_pointer(skb) - skb->data, DMA_FROM_DEVICE); +outpoolrm: handle = IDT77252_PRV_POOL(skb); card->sbpool[POOL_QUEUE(handle)].skb[POOL_INDEX(handle)] = NULL; -- 2.39.5

1 week, 5 days

1
5
0 0

[PATCH AUTOSEL 5.15 1/7] atm: idt77252: Add missing `dma_map_error()`

by Sasha Levin

From: Thomas Fourier <fourier.thomas(a)gmail.com> [ Upstream commit c4890963350dcf4e9a909bae23665921fba4ad27 ] The DMA map functions can fail and should be tested for errors. Signed-off-by: Thomas Fourier <fourier.thomas(a)gmail.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Link: https://patch.msgid.link/20250624064148.12815-3-fourier.thomas@gmail.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES** This commit should be backported to stable kernel trees. ## Detailed Analysis: **Nature of the fix:** The commit adds missing error checking for `dma_map_single()` calls in two locations within the idt77252 ATM driver: 1. **In `queue_skb()` function (line 853-854):** ```c IDT77252_PRV_PADDR(skb) = dma_map_single(&card->pcidev->dev, skb->data, skb->len, DMA_TO_DEVICE); +if (dma_mapping_error(&card->pcidev->dev, IDT77252_PRV_PADDR(skb))) + return -ENOMEM; ``` This correctly returns -ENOMEM before reaching the errout label, avoiding any cleanup issues since the DMA mapping never succeeded. 2. **In `add_rx_skb()` function (line 1857-1860):** ```c paddr = dma_map_single(&card->pcidev->dev, skb->data, skb_end_pointer(skb) - skb->data, DMA_FROM_DEVICE); +if (dma_mapping_error(&card->pcidev->dev, paddr)) + goto outpoolrm; ``` This properly jumps to the new `outpoolrm` label which removes the SKB from the pool before freeing it, maintaining correct cleanup order. **Why this qualifies for stable backporting:** 1. **Fixes a real bug**: Missing DMA mapping error checks can cause system crashes or data corruption, especially on systems with IOMMU or SWIOTLB where DMA mapping failures are more likely. 2. **Simple and contained**: The fix adds only 5 lines of error checking code with no architectural changes. 3. **Similar to approved backports**: This follows the exact same pattern as Similar Commits #1 (eni driver) and #2 (aic94xx driver) which were both marked "YES" for backporting. 4. **Long-standing issue**: The driver has existed since at least 2005 (Linux 2.6.12-rc2), meaning this bug has been present for nearly 20 years. 5. **Minimal regression risk**: The changes only add error checking; they don't modify any existing logic paths. 6. **Proper error handling**: Both error paths are correctly implemented with appropriate cleanup sequences. The commit clearly meets all stable tree criteria as an important bug fix with minimal risk and should be backported to protect users from potential DMA-related crashes. drivers/atm/idt77252.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/atm/idt77252.c b/drivers/atm/idt77252.c index 7810f974b2ca9..d9ee20f0048fe 100644 --- a/drivers/atm/idt77252.c +++ b/drivers/atm/idt77252.c @@ -852,6 +852,8 @@ queue_skb(struct idt77252_dev *card, struct vc_map *vc, IDT77252_PRV_PADDR(skb) = dma_map_single(&card->pcidev->dev, skb->data, skb->len, DMA_TO_DEVICE); + if (dma_mapping_error(&card->pcidev->dev, IDT77252_PRV_PADDR(skb))) + return -ENOMEM; error = -EINVAL; @@ -1857,6 +1859,8 @@ add_rx_skb(struct idt77252_dev *card, int queue, paddr = dma_map_single(&card->pcidev->dev, skb->data, skb_end_pointer(skb) - skb->data, DMA_FROM_DEVICE); + if (dma_mapping_error(&card->pcidev->dev, paddr)) + goto outpoolrm; IDT77252_PRV_PADDR(skb) = paddr; if (push_rx_skb(card, skb, queue)) { @@ -1871,6 +1875,7 @@ add_rx_skb(struct idt77252_dev *card, int queue, dma_unmap_single(&card->pcidev->dev, IDT77252_PRV_PADDR(skb), skb_end_pointer(skb) - skb->data, DMA_FROM_DEVICE); +outpoolrm: handle = IDT77252_PRV_POOL(skb); card->sbpool[POOL_QUEUE(handle)].skb[POOL_INDEX(handle)] = NULL; -- 2.39.5

1 week, 5 days

1
6
0 0

[PATCH AUTOSEL 6.1 01/10] atm: idt77252: Add missing `dma_map_error()`

by Sasha Levin

From: Thomas Fourier <fourier.thomas(a)gmail.com> [ Upstream commit c4890963350dcf4e9a909bae23665921fba4ad27 ] The DMA map functions can fail and should be tested for errors. Signed-off-by: Thomas Fourier <fourier.thomas(a)gmail.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Link: https://patch.msgid.link/20250624064148.12815-3-fourier.thomas@gmail.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES** This commit should be backported to stable kernel trees. ## Detailed Analysis: **Nature of the fix:** The commit adds missing error checking for `dma_map_single()` calls in two locations within the idt77252 ATM driver: 1. **In `queue_skb()` function (line 853-854):** ```c IDT77252_PRV_PADDR(skb) = dma_map_single(&card->pcidev->dev, skb->data, skb->len, DMA_TO_DEVICE); +if (dma_mapping_error(&card->pcidev->dev, IDT77252_PRV_PADDR(skb))) + return -ENOMEM; ``` This correctly returns -ENOMEM before reaching the errout label, avoiding any cleanup issues since the DMA mapping never succeeded. 2. **In `add_rx_skb()` function (line 1857-1860):** ```c paddr = dma_map_single(&card->pcidev->dev, skb->data, skb_end_pointer(skb) - skb->data, DMA_FROM_DEVICE); +if (dma_mapping_error(&card->pcidev->dev, paddr)) + goto outpoolrm; ``` This properly jumps to the new `outpoolrm` label which removes the SKB from the pool before freeing it, maintaining correct cleanup order. **Why this qualifies for stable backporting:** 1. **Fixes a real bug**: Missing DMA mapping error checks can cause system crashes or data corruption, especially on systems with IOMMU or SWIOTLB where DMA mapping failures are more likely. 2. **Simple and contained**: The fix adds only 5 lines of error checking code with no architectural changes. 3. **Similar to approved backports**: This follows the exact same pattern as Similar Commits #1 (eni driver) and #2 (aic94xx driver) which were both marked "YES" for backporting. 4. **Long-standing issue**: The driver has existed since at least 2005 (Linux 2.6.12-rc2), meaning this bug has been present for nearly 20 years. 5. **Minimal regression risk**: The changes only add error checking; they don't modify any existing logic paths. 6. **Proper error handling**: Both error paths are correctly implemented with appropriate cleanup sequences. The commit clearly meets all stable tree criteria as an important bug fix with minimal risk and should be backported to protect users from potential DMA-related crashes. drivers/atm/idt77252.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/atm/idt77252.c b/drivers/atm/idt77252.c index 7810f974b2ca9..d9ee20f0048fe 100644 --- a/drivers/atm/idt77252.c +++ b/drivers/atm/idt77252.c @@ -852,6 +852,8 @@ queue_skb(struct idt77252_dev *card, struct vc_map *vc, IDT77252_PRV_PADDR(skb) = dma_map_single(&card->pcidev->dev, skb->data, skb->len, DMA_TO_DEVICE); + if (dma_mapping_error(&card->pcidev->dev, IDT77252_PRV_PADDR(skb))) + return -ENOMEM; error = -EINVAL; @@ -1857,6 +1859,8 @@ add_rx_skb(struct idt77252_dev *card, int queue, paddr = dma_map_single(&card->pcidev->dev, skb->data, skb_end_pointer(skb) - skb->data, DMA_FROM_DEVICE); + if (dma_mapping_error(&card->pcidev->dev, paddr)) + goto outpoolrm; IDT77252_PRV_PADDR(skb) = paddr; if (push_rx_skb(card, skb, queue)) { @@ -1871,6 +1875,7 @@ add_rx_skb(struct idt77252_dev *card, int queue, dma_unmap_single(&card->pcidev->dev, IDT77252_PRV_PADDR(skb), skb_end_pointer(skb) - skb->data, DMA_FROM_DEVICE); +outpoolrm: handle = IDT77252_PRV_POOL(skb); card->sbpool[POOL_QUEUE(handle)].skb[POOL_INDEX(handle)] = NULL; -- 2.39.5

1 week, 5 days

1
9
0 0

[PATCH AUTOSEL 6.6 01/14] ublk: sanity check add_dev input for underflow

by Sasha Levin

From: Ronnie Sahlberg <rsahlberg(a)whamcloud.com> [ Upstream commit 969127bf0783a4ac0c8a27e633a9e8ea1738583f ] Add additional checks that queue depth and number of queues are non-zero. Signed-off-by: Ronnie Sahlberg <rsahlberg(a)whamcloud.com> Reviewed-by: Ming Lei <ming.lei(a)redhat.com> Link: https://lore.kernel.org/r/20250626022046.235018-1-ronniesahlberg@gmail.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES** This commit should be backported to stable kernel trees for the following reasons: **1. Fixes a Critical Input Validation Bug** The commit addresses a serious bug where userspace could pass zero values for `queue_depth` or `nr_hw_queues`, leading to: - Memory allocation failures (`kcalloc(0, ubq_size, GFP_KERNEL)` in `ublk_init_queues()`) - Non-functional block devices with zero queues - Potential kernel crashes or undefined behavior **2. Minimal and Contained Fix** The change is extremely minimal - just adding two checks to an existing validation: ```diff - if (info.queue_depth > UBLK_MAX_QUEUE_DEPTH || info.nr_hw_queues > UBLK_MAX_NR_QUEUES) + if (info.queue_depth > UBLK_MAX_QUEUE_DEPTH || !info.queue_depth || + info.nr_hw_queues > UBLK_MAX_NR_QUEUES || !info.nr_hw_queues) ``` **3. Prevents Security/Stability Issues** Based on the kernel source analysis: - `ublk_init_queues()` uses these values directly for memory allocation - Multiple loops iterate based on `nr_hw_queues` - zero would skip all initialization - The block layer's `blk_mq_alloc_tag_set()` expects non-zero values **4. Similar to Previously Backported Commits** This is very similar to "block: ublk: extending queue_size to fix overflow" (Similar Commit #2), which was marked YES for backporting. Both fix input validation issues that could cause memory/stability problems. **5. Clear Bug Fix Following Stable Rules** - Fixes a real bug (not theoretical) - No new features or architectural changes - Minimal risk - simply rejects invalid input - Confined to the ublk subsystem - Prevents userspace from creating broken/dangerous kernel state The commit prevents userspace from triggering undefined behavior in the kernel by passing invalid parameters, which is exactly the type of bug fix that belongs in stable kernels. drivers/block/ublk_drv.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c index df3e5aab4b5ac..8c873a8e39cd9 100644 --- a/drivers/block/ublk_drv.c +++ b/drivers/block/ublk_drv.c @@ -2323,7 +2323,8 @@ static int ublk_ctrl_add_dev(struct io_uring_cmd *cmd) if (copy_from_user(&info, argp, sizeof(info))) return -EFAULT; - if (info.queue_depth > UBLK_MAX_QUEUE_DEPTH || info.nr_hw_queues > UBLK_MAX_NR_QUEUES) + if (info.queue_depth > UBLK_MAX_QUEUE_DEPTH || !info.queue_depth || + info.nr_hw_queues > UBLK_MAX_NR_QUEUES || !info.nr_hw_queues) return -EINVAL; if (capable(CAP_SYS_ADMIN)) -- 2.39.5

1 week, 5 days

1
13
0 0

[PATCH AUTOSEL 6.12 01/21] ublk: sanity check add_dev input for underflow

by Sasha Levin

From: Ronnie Sahlberg <rsahlberg(a)whamcloud.com> [ Upstream commit 969127bf0783a4ac0c8a27e633a9e8ea1738583f ] Add additional checks that queue depth and number of queues are non-zero. Signed-off-by: Ronnie Sahlberg <rsahlberg(a)whamcloud.com> Reviewed-by: Ming Lei <ming.lei(a)redhat.com> Link: https://lore.kernel.org/r/20250626022046.235018-1-ronniesahlberg@gmail.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES** This commit should be backported to stable kernel trees for the following reasons: **1. Fixes a Critical Input Validation Bug** The commit addresses a serious bug where userspace could pass zero values for `queue_depth` or `nr_hw_queues`, leading to: - Memory allocation failures (`kcalloc(0, ubq_size, GFP_KERNEL)` in `ublk_init_queues()`) - Non-functional block devices with zero queues - Potential kernel crashes or undefined behavior **2. Minimal and Contained Fix** The change is extremely minimal - just adding two checks to an existing validation: ```diff - if (info.queue_depth > UBLK_MAX_QUEUE_DEPTH || info.nr_hw_queues > UBLK_MAX_NR_QUEUES) + if (info.queue_depth > UBLK_MAX_QUEUE_DEPTH || !info.queue_depth || + info.nr_hw_queues > UBLK_MAX_NR_QUEUES || !info.nr_hw_queues) ``` **3. Prevents Security/Stability Issues** Based on the kernel source analysis: - `ublk_init_queues()` uses these values directly for memory allocation - Multiple loops iterate based on `nr_hw_queues` - zero would skip all initialization - The block layer's `blk_mq_alloc_tag_set()` expects non-zero values **4. Similar to Previously Backported Commits** This is very similar to "block: ublk: extending queue_size to fix overflow" (Similar Commit #2), which was marked YES for backporting. Both fix input validation issues that could cause memory/stability problems. **5. Clear Bug Fix Following Stable Rules** - Fixes a real bug (not theoretical) - No new features or architectural changes - Minimal risk - simply rejects invalid input - Confined to the ublk subsystem - Prevents userspace from creating broken/dangerous kernel state The commit prevents userspace from triggering undefined behavior in the kernel by passing invalid parameters, which is exactly the type of bug fix that belongs in stable kernels. drivers/block/ublk_drv.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c index 746ef36e58df2..3b1a5cdd63116 100644 --- a/drivers/block/ublk_drv.c +++ b/drivers/block/ublk_drv.c @@ -2457,7 +2457,8 @@ static int ublk_ctrl_add_dev(struct io_uring_cmd *cmd) if (copy_from_user(&info, argp, sizeof(info))) return -EFAULT; - if (info.queue_depth > UBLK_MAX_QUEUE_DEPTH || info.nr_hw_queues > UBLK_MAX_NR_QUEUES) + if (info.queue_depth > UBLK_MAX_QUEUE_DEPTH || !info.queue_depth || + info.nr_hw_queues > UBLK_MAX_NR_QUEUES || !info.nr_hw_queues) return -EINVAL; if (capable(CAP_SYS_ADMIN)) -- 2.39.5

1 week, 5 days

1
20
0 0

[PATCH AUTOSEL 6.15 01/23] ublk: sanity check add_dev input for underflow

by Sasha Levin

From: Ronnie Sahlberg <rsahlberg(a)whamcloud.com> [ Upstream commit 969127bf0783a4ac0c8a27e633a9e8ea1738583f ] Add additional checks that queue depth and number of queues are non-zero. Signed-off-by: Ronnie Sahlberg <rsahlberg(a)whamcloud.com> Reviewed-by: Ming Lei <ming.lei(a)redhat.com> Link: https://lore.kernel.org/r/20250626022046.235018-1-ronniesahlberg@gmail.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES** This commit should be backported to stable kernel trees for the following reasons: **1. Fixes a Critical Input Validation Bug** The commit addresses a serious bug where userspace could pass zero values for `queue_depth` or `nr_hw_queues`, leading to: - Memory allocation failures (`kcalloc(0, ubq_size, GFP_KERNEL)` in `ublk_init_queues()`) - Non-functional block devices with zero queues - Potential kernel crashes or undefined behavior **2. Minimal and Contained Fix** The change is extremely minimal - just adding two checks to an existing validation: ```diff - if (info.queue_depth > UBLK_MAX_QUEUE_DEPTH || info.nr_hw_queues > UBLK_MAX_NR_QUEUES) + if (info.queue_depth > UBLK_MAX_QUEUE_DEPTH || !info.queue_depth || + info.nr_hw_queues > UBLK_MAX_NR_QUEUES || !info.nr_hw_queues) ``` **3. Prevents Security/Stability Issues** Based on the kernel source analysis: - `ublk_init_queues()` uses these values directly for memory allocation - Multiple loops iterate based on `nr_hw_queues` - zero would skip all initialization - The block layer's `blk_mq_alloc_tag_set()` expects non-zero values **4. Similar to Previously Backported Commits** This is very similar to "block: ublk: extending queue_size to fix overflow" (Similar Commit #2), which was marked YES for backporting. Both fix input validation issues that could cause memory/stability problems. **5. Clear Bug Fix Following Stable Rules** - Fixes a real bug (not theoretical) - No new features or architectural changes - Minimal risk - simply rejects invalid input - Confined to the ublk subsystem - Prevents userspace from creating broken/dangerous kernel state The commit prevents userspace from triggering undefined behavior in the kernel by passing invalid parameters, which is exactly the type of bug fix that belongs in stable kernels. drivers/block/ublk_drv.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c index 8a482853a75ed..0e017eae97fb1 100644 --- a/drivers/block/ublk_drv.c +++ b/drivers/block/ublk_drv.c @@ -2710,7 +2710,8 @@ static int ublk_ctrl_add_dev(const struct ublksrv_ctrl_cmd *header) if (copy_from_user(&info, argp, sizeof(info))) return -EFAULT; - if (info.queue_depth > UBLK_MAX_QUEUE_DEPTH || info.nr_hw_queues > UBLK_MAX_NR_QUEUES) + if (info.queue_depth > UBLK_MAX_QUEUE_DEPTH || !info.queue_depth || + info.nr_hw_queues > UBLK_MAX_NR_QUEUES || !info.nr_hw_queues) return -EINVAL; if (capable(CAP_SYS_ADMIN)) -- 2.39.5

1 week, 5 days

1
22
0 0

[PATCH] media: uvcvideo: fix build error in uvc_ctrl_cleanup_fh

by Desnes Nunes

This fixes the following compilation failure: "error: ‘for’ loop initial declarations are only allowed in C99 or C11 mode" Cc: stable(a)vger.kernel.org Fixes: 221cd51efe45 ("media: uvcvideo: Remove dangling pointers") Signed-off-by: Desnes Nunes <desnesn(a)redhat.com> --- drivers/media/usb/uvc/uvc_ctrl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c index 44b6513c5264..532615d8484b 100644 --- a/drivers/media/usb/uvc/uvc_ctrl.c +++ b/drivers/media/usb/uvc/uvc_ctrl.c @@ -3260,7 +3260,7 @@ int uvc_ctrl_init_device(struct uvc_device *dev) void uvc_ctrl_cleanup_fh(struct uvc_fh *handle) { struct uvc_entity *entity; - int i; + unsigned int i; guard(mutex)(&handle->chain->ctrl_mutex); @@ -3268,7 +3268,7 @@ void uvc_ctrl_cleanup_fh(struct uvc_fh *handle) return; list_for_each_entry(entity, &handle->chain->dev->entities, list) { - for (unsigned int i = 0; i < entity->ncontrols; ++i) { + for (i = 0; i < entity->ncontrols; ++i) { if (entity->controls[i].handle != handle) continue; uvc_ctrl_set_handle(handle, &entity->controls[i], NULL); -- 2.49.0

1 week, 5 days

4
6
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror