- Linux-stable-mirror - lists.linaro.org

[PATCH v3] mm: slub: avoid deref of free pointer in sanity checks if object is invalid

by Li Qiong

For debugging, object_err() prints free pointer of the object. However, if check_valid_pointer() returns false for a object, dereferncing `object + s->offset` can lead to a crash. Therefore, print the object's address in such cases. Fixes: bb192ed9aa71 ("mm/slub: Convert most struct page to struct slab by spatch") Cc: <stable(a)vger.kernel.org> Signed-off-by: Li Qiong <liqiong(a)nfschina.com> --- v2: - rephrase the commit message, add comment for object_err(). v3: - check object pointer in object_err(). --- mm/slub.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/mm/slub.c b/mm/slub.c index 31e11ef256f9..d3abae5a2193 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -1104,7 +1104,11 @@ static void object_err(struct kmem_cache *s, struct slab *slab, return; slab_bug(s, reason); - print_trailer(s, slab, object); + if (!check_valid_pointer(s, slab, object)) { + print_slab_info(slab); + pr_err("invalid object 0x%p\n", object); + } else + print_trailer(s, slab, object); add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE); WARN_ON(1); @@ -1587,7 +1591,7 @@ static inline int alloc_consistency_checks(struct kmem_cache *s, return 0; if (!check_valid_pointer(s, slab, object)) { - object_err(s, slab, object, "Freelist Pointer check fails"); + slab_err(s, slab, "Freelist Pointer(0x%p) check fails", object); return 0; } -- 2.30.2

3 months, 3 weeks

3
4
0 0

"stack state/frame" and "jump dest instruction" errors (was Re: Linux 6.16)

by Alan J. Wylie

#regzbot introduced: 6.15.8..6.16 Linus Torvalds <torvalds(a)linux-foundation.org> writes: > It's Sunday afternoon, and the release cycle has come to an end. Last > week was nice and calm, and there were no big show-stopper surprises > to keep us from the regular schedule, so I've tagged and pushed out > 6.16 as planned. Even after a "make mrproper" and "git clean -fxd" I'm seeing lots of warnings and errors. can't find jump dest instruction stack state mismatch return with modified stack frame objtool: can't decode instruction can't find starting instruction gcc (Gentoo Hardened 14.3.0 p8) 14.3.0 I selected "Y" to the new config option "X86_NATIVE_CPU" CPU is AMD FX-8350 .config attached The build is fine on a cross-compile of a minimal kernel for an Intel Atom server. Possibly related to https://lore.kernel.org/lkml/5263a182e608408bf42dc1ed12bc43dee9598ac9.17509… LD [M] arch/x86/events/amd/amd-uncore.o arch/x86/events/amd/amd-uncore.o: warning: objtool: amd_uncore_df_ctx_scan+0x54: can't find jump dest instruction at .text+0x1b6 make[5]: *** [scripts/Makefile.build:502: arch/x86/events/amd/amd-uncore.o] Error 255 make[5]: *** Deleting file 'arch/x86/events/amd/amd-uncore.o' make[4]: *** [scripts/Makefile.build:555: arch/x86/events/amd] Error 2 make[3]: *** [scripts/Makefile.build:555: arch/x86/events] Error 2 make[3]: *** Waiting for unfinished jobs.... CC fs/pidfs.o crypto/cmac.o: warning: objtool: crypto_cmac_digest_setkey+0xc2: stack state mismatch: cfa1=4+32 cfa2=4+24 CC [M] sound/core/device.o crypto/md4.o: warning: objtool: md4_final+0xd1: return with modified stack frame LD [M] block/bfq.o block/bfq.o: warning: objtool: bfq_timeout_sync_store+0x42: can't find jump dest instruction at .text+0x10f9 make[3]: *** [scripts/Makefile.build:502: block/bfq.o] Error 255 make[3]: *** Deleting file 'block/bfq.o' make[2]: *** [scripts/Makefile.build:555: block] Error 2 make[2]: *** Waiting for unfinished jobs.... CC arch/x86/kernel/acpi/madt_wakeup.o crypto/wp512.o: warning: objtool: wp512_init+0x58: return with modified stack frame crypto/wp512.o: warning: objtool: wp512_process_buffer+0x149: stack state mismatch: cfa1=4+288 cfa2=4-352 CC [M] sound/core/vmaster.o crypto/blake2b_generic.o: warning: objtool: crypto_blake2b_setkey+0x68: return with modified stack frame crypto/blake2b_generic.o: warning: objtool: crypto_blake2b_finup.constprop.0.isra.0+0x132: return with modified stack frame CC drivers/pci/pcie/err.o crypto/ccm.o: warning: objtool: crypto_ccm_init_crypt+0x1b6: stack state mismatch: cfa1=4+56 cfa2=4+48 crypto/ccm.o: warning: objtool: crypto_ccm_auth+0x45e: return with modified stack frame CC drivers/pci/pcie/pme.o crypto/cryptd.o: warning: objtool: cryptd_enqueue_request+0x89: can't find jump dest instruction at .text+0x94c make[3]: *** [scripts/Makefile.build:287: crypto/cryptd.o] Error 255 make[3]: *** Deleting file 'crypto/cryptd.o' make[2]: *** [scripts/Makefile.build:555: crypto] Error 2 LD [M] sound/core/snd.o sound/core/snd.o: warning: objtool: snd_ctl_open+0x10c: can't find jump dest instruction at .text+0x47c6 make[4]: *** [scripts/Makefile.build:502: sound/core/snd.o] Error 255 make[4]: *** Deleting file 'sound/core/snd.o' make[4]: *** Waiting for unfinished jobs.... LD [M] sound/core/oss/snd-mixer-oss.o sound/core/oss/snd-mixer-oss.o: warning: objtool: mixer_slot_clear+0x4c: return with modified stack frame CC lib/crypto/mpi/mpi-mod.o sound/core/oss/snd-pcm-oss.o: warning: objtool: mulaw_decode+0xf9: can't find jump dest instruction at .text+0x722b make[5]: *** [scripts/Makefile.build:502: sound/core/oss/snd-pcm-oss.o] Error 255 make[5]: *** Deleting file 'sound/core/oss/snd-pcm-oss.o' make[4]: *** [scripts/Makefile.build:555: sound/core/oss] Error 2 CC arch/x86/kernel/smpboot.o drivers/char/ipmi/ipmi_msghandler.o: warning: objtool: ipmi_set_gets_events+0x155: can't find jump dest instruction at .text+0x21c8 make[4]: *** [scripts/Makefile.build:287: drivers/char/ipmi/ipmi_msghandler.o] Error 255 make[4]: *** Deleting file 'drivers/char/ipmi/ipmi_msghandler.o' make[3]: *** [scripts/Makefile.build:555: drivers/char/ipmi] Error 2 make[3]: *** Waiting for unfinished jobs.... CC kernel/entry/kvm.o lib/crypto/gf128mul.o: warning: objtool: gf128mul_init_64k_bbe+0x94: stack state mismatch: cfa1=5+16 cfa2=4+8 CC [M] sound/core/seq/oss/seq_oss_event.o make[2]: *** [scripts/Makefile.build:555: drivers] Error 2 LD [M] sound/core/seq/snd-seq.o sound/core/seq/snd-seq.o: warning: objtool: snd_seq_open+0xd7: can't find jump dest instruction at .text+0x2224 make[5]: *** [scripts/Makefile.build:502: sound/core/seq/snd-seq.o] Error 255 make[5]: *** Deleting file 'sound/core/seq/snd-seq.o' make[5]: *** Waiting for unfinished jobs.... LD [M] lib/crypto/libdes.o lib/crypto/libdes.o: warning: objtool: des3_ede_encrypt+0x86: can't find jump dest instruction at .text+0xcb8 make[4]: *** [scripts/Makefile.build:502: lib/crypto/libdes.o] Error 255 make[4]: *** Deleting file 'lib/crypto/libdes.o' make[3]: *** [scripts/Makefile.build:555: lib/crypto] Error 2 make[2]: *** [scripts/Makefile.build:555: lib] Error 2 LD [M] sound/core/seq/oss/snd-seq-oss.o sound/core/seq/oss/snd-seq-oss.o: warning: objtool: alloc_seq_queue+0xc7: return with modified stack frame sound/core/seq/oss/snd-seq-oss.o: warning: objtool: delete_seq_queue.isra.0+0xb5: return with modified stack frame sound/core/seq/oss/snd-seq-oss.o: warning: objtool: snd_seq_oss_synth_info_user+0xb7: return with modified stack frame sound/core/seq/oss/snd-seq-oss.o: warning: objtool: snd_seq_oss_midi_info_user+0xa5: return with modified stack frame sound/core/seq/oss/snd-seq-oss.o: warning: objtool: snd_seq_oss_process_event+0x73c: stack state mismatch: cfa1=4+72 cfa2=4+64 sound/core/seq/oss/snd-seq-oss.o: warning: objtool: snd_seq_oss_write+0x77: stack state mismatch: cfa1=4+120 cfa2=4+112 sound/core/seq/oss/snd-seq-oss.o: warning: objtool: snd_seq_oss_synth_setup+0x14c: return with modified stack frame sound/core/seq/oss/snd-seq-oss.o: warning: objtool: snd_seq_oss_synth_make_info+0x17d: stack state mismatch: cfa1=4+160 cfa2=4+152 make[4]: *** [scripts/Makefile.build:555: sound/core/seq] Error 2 make[3]: *** [scripts/Makefile.build:555: sound/core] Error 2 make[3]: *** Waiting for unfinished jobs.... LD [M] sound/pci/hda/snd-hda-codec.o sound/pci/hda/snd-hda-codec.o: error: objtool: can't decode instruction at .text:0xbf1c make[5]: *** [scripts/Makefile.build:502: sound/pci/hda/snd-hda-codec.o] Error 255 make[5]: *** Deleting file 'sound/pci/hda/snd-hda-codec.o' make[4]: *** [scripts/Makefile.build:555: sound/pci/hda] Error 2 make[3]: *** [scripts/Makefile.build:555: sound/pci] Error 2 make[2]: *** [scripts/Makefile.build:555: sound] Error 2 CC fs/ext4/mballoc.o fs/binfmt_misc.o: warning: objtool: load_misc_binary+0xf4: can't find jump dest instruction at .text+0xf07 make[3]: *** [scripts/Makefile.build:287: fs/binfmt_misc.o] Error 255 make[3]: *** Deleting file 'fs/binfmt_misc.o' make[3]: *** Waiting for unfinished jobs.... LD [M] fs/cramfs/cramfs.o fs/cramfs/cramfs.o: warning: objtool: cramfs_blkdev_fill_super+0x2b2: return with modified stack frame AR arch/x86/kernel/built-in.a make[2]: *** [scripts/Makefile.build:555: arch/x86] Error 2 LD [M] fs/configfs/configfs.o fs/configfs/configfs.o: error: objtool: configfs_create_link(): can't find starting instruction make[4]: *** [scripts/Makefile.build:502: fs/configfs/configfs.o] Error 255 make[4]: *** Deleting file 'fs/configfs/configfs.o' make[3]: *** [scripts/Makefile.build:555: fs/configfs] Error 2 AR fs/ext4/built-in.a make[2]: *** [scripts/Makefile.build:555: fs] Error 2 AR kernel/built-in.a make[1]: *** [/work/src.git/linux/Makefile:2003: .] Error 2 make: *** [Makefile:248: __sub-make] Error 2 -- Alan J. Wylie https://www.wylie.me.uk/ mailto:<alan(a)wylie.me.uk> Dance like no-one's watching. / Encrypt like everyone is. Security is inversely proportional to convenience

3 months, 3 weeks

4
4
0 0

[PATCH 6.12.y] mm: khugepaged: fix call hpage_collapse_scan_file() for anonymous vma

by Jakub Acs

From: Liu Shixin <liushixin2(a)huawei.com> commit f1897f2f08b28ae59476d8b73374b08f856973af upstream. syzkaller reported such a BUG_ON(): ------------[ cut here ]------------ kernel BUG at mm/khugepaged.c:1835! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP ... CPU: 6 UID: 0 PID: 8009 Comm: syz.15.106 Kdump: loaded Tainted: G W 6.13.0-rc6 #22 Tainted: [W]=WARN Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : collapse_file+0xa44/0x1400 lr : collapse_file+0x88/0x1400 sp : ffff80008afe3a60 ... Call trace: collapse_file+0xa44/0x1400 (P) hpage_collapse_scan_file+0x278/0x400 madvise_collapse+0x1bc/0x678 madvise_vma_behavior+0x32c/0x448 madvise_walk_vmas.constprop.0+0xbc/0x140 do_madvise.part.0+0xdc/0x2c8 __arm64_sys_madvise+0x68/0x88 invoke_syscall+0x50/0x120 el0_svc_common.constprop.0+0xc8/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x34/0x128 el0t_64_sync_handler+0xc8/0xd0 el0t_64_sync+0x190/0x198 This indicates that the pgoff is unaligned. After analysis, I confirm the vma is mapped to /dev/zero. Such a vma certainly has vm_file, but it is set to anonymous by mmap_zero(). So even if it's mmapped by 2m-unaligned, it can pass the check in thp_vma_allowable_order() as it is an anonymous-mmap, but then be collapsed as a file-mmap. It seems the problem has existed for a long time, but actually, since we have khugepaged_max_ptes_none check before, we will skip collapse it as it is /dev/zero and so has no present page. But commit d8ea7cc8547c limit the check for only khugepaged, so the BUG_ON() can be triggered by madvise_collapse(). Add vma_is_anonymous() check to make such vma be processed by hpage_collapse_scan_pmd(). Link: https://lkml.kernel.org/r/20250111034511.2223353-1-liushixin2@huawei.com Fixes: d8ea7cc8547c ("mm/khugepaged: add flag to predicate khugepaged-only behavior") Signed-off-by: Liu Shixin <liushixin2(a)huawei.com> Reviewed-by: Yang Shi <yang(a)os.amperecomputing.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Chengming Zhou <chengming.zhou(a)linux.dev> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: Mattew Wilcox <willy(a)infradead.org> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Nanyong Sun <sunnanyong(a)huawei.com> Cc: Qi Zheng <zhengqi.arch(a)bytedance.com> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> [acsjakub: backport, clean apply] Cc: Jakub Acs <acsjakub(a)amazon.de> Cc: linux-mm(a)kvack.org --- Ran into the crash with syzkaller, backporting this patch works - the reproducer no longer crashes. Please let me know if there was a reason not to backport. mm/khugepaged.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/mm/khugepaged.c b/mm/khugepaged.c index b538c3d48386..abd5764e4864 100644 --- a/mm/khugepaged.c +++ b/mm/khugepaged.c @@ -2404,7 +2404,7 @@ static unsigned int khugepaged_scan_mm_slot(unsigned int pages, int *result, VM_BUG_ON(khugepaged_scan.address < hstart || khugepaged_scan.address + HPAGE_PMD_SIZE > hend); - if (IS_ENABLED(CONFIG_SHMEM) && vma->vm_file) { + if (IS_ENABLED(CONFIG_SHMEM) && !vma_is_anonymous(vma)) { struct file *file = get_file(vma->vm_file); pgoff_t pgoff = linear_page_index(vma, khugepaged_scan.address); @@ -2750,7 +2750,7 @@ int madvise_collapse(struct vm_area_struct *vma, struct vm_area_struct **prev, mmap_assert_locked(mm); memset(cc->node_load, 0, sizeof(cc->node_load)); nodes_clear(cc->alloc_nmask); - if (IS_ENABLED(CONFIG_SHMEM) && vma->vm_file) { + if (IS_ENABLED(CONFIG_SHMEM) && !vma_is_anonymous(vma)) { struct file *file = get_file(vma->vm_file); pgoff_t pgoff = linear_page_index(vma, addr); -- 2.47.3 Amazon Web Services Development Center Germany GmbH Tamara-Danz-Str. 13 10243 Berlin Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B Sitz: Berlin Ust-ID: DE 365 538 597

3 months, 3 weeks

3
3
0 0

[PATCH v2 6.1.y] mm: khugepaged: fix call hpage_collapse_scan_file() for anonymous vma

by Jakub Acs

From: Liu Shixin <liushixin2(a)huawei.com> commit f1897f2f08b28ae59476d8b73374b08f856973af upstream. syzkaller reported such a BUG_ON(): ------------[ cut here ]------------ kernel BUG at mm/khugepaged.c:1835! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP ... CPU: 6 UID: 0 PID: 8009 Comm: syz.15.106 Kdump: loaded Tainted: G W 6.13.0-rc6 #22 Tainted: [W]=WARN Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : collapse_file+0xa44/0x1400 lr : collapse_file+0x88/0x1400 sp : ffff80008afe3a60 ... Call trace: collapse_file+0xa44/0x1400 (P) hpage_collapse_scan_file+0x278/0x400 madvise_collapse+0x1bc/0x678 madvise_vma_behavior+0x32c/0x448 madvise_walk_vmas.constprop.0+0xbc/0x140 do_madvise.part.0+0xdc/0x2c8 __arm64_sys_madvise+0x68/0x88 invoke_syscall+0x50/0x120 el0_svc_common.constprop.0+0xc8/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x34/0x128 el0t_64_sync_handler+0xc8/0xd0 el0t_64_sync+0x190/0x198 This indicates that the pgoff is unaligned. After analysis, I confirm the vma is mapped to /dev/zero. Such a vma certainly has vm_file, but it is set to anonymous by mmap_zero(). So even if it's mmapped by 2m-unaligned, it can pass the check in thp_vma_allowable_order() as it is an anonymous-mmap, but then be collapsed as a file-mmap. It seems the problem has existed for a long time, but actually, since we have khugepaged_max_ptes_none check before, we will skip collapse it as it is /dev/zero and so has no present page. But commit d8ea7cc8547c limit the check for only khugepaged, so the BUG_ON() can be triggered by madvise_collapse(). Add vma_is_anonymous() check to make such vma be processed by hpage_collapse_scan_pmd(). Link: https://lkml.kernel.org/r/20250111034511.2223353-1-liushixin2@huawei.com Fixes: d8ea7cc8547c ("mm/khugepaged: add flag to predicate khugepaged-only behavior") Signed-off-by: Liu Shixin <liushixin2(a)huawei.com> Reviewed-by: Yang Shi <yang(a)os.amperecomputing.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Chengming Zhou <chengming.zhou(a)linux.dev> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: Mattew Wilcox <willy(a)infradead.org> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Nanyong Sun <sunnanyong(a)huawei.com> Cc: Qi Zheng <zhengqi.arch(a)bytedance.com> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> [acsjakub: backport, clean apply] Signed-off-by: Jakub Acs <acsjakub(a)amazon.de> Cc: linux-mm(a)kvack.org --- v1 -> v2: fix missing sign-off Ran into the crash with syzkaller, backporting this patch works - the reproducer no longer crashes. Please let me know if there was a reason not to backport. mm/khugepaged.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/mm/khugepaged.c b/mm/khugepaged.c index b538c3d48386..abd5764e4864 100644 --- a/mm/khugepaged.c +++ b/mm/khugepaged.c @@ -2404,7 +2404,7 @@ static unsigned int khugepaged_scan_mm_slot(unsigned int pages, int *result, VM_BUG_ON(khugepaged_scan.address < hstart || khugepaged_scan.address + HPAGE_PMD_SIZE > hend); - if (IS_ENABLED(CONFIG_SHMEM) && vma->vm_file) { + if (IS_ENABLED(CONFIG_SHMEM) && !vma_is_anonymous(vma)) { struct file *file = get_file(vma->vm_file); pgoff_t pgoff = linear_page_index(vma, khugepaged_scan.address); @@ -2750,7 +2750,7 @@ int madvise_collapse(struct vm_area_struct *vma, struct vm_area_struct **prev, mmap_assert_locked(mm); memset(cc->node_load, 0, sizeof(cc->node_load)); nodes_clear(cc->alloc_nmask); - if (IS_ENABLED(CONFIG_SHMEM) && vma->vm_file) { + if (IS_ENABLED(CONFIG_SHMEM) && !vma_is_anonymous(vma)) { struct file *file = get_file(vma->vm_file); pgoff_t pgoff = linear_page_index(vma, addr); -- 2.47.3 Amazon Web Services Development Center Germany GmbH Tamara-Danz-Str. 13 10243 Berlin Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B Sitz: Berlin Ust-ID: DE 365 538 597

3 months, 3 weeks

1
0
0 0

[PATCH 1/2] ALSA: hda/realtek - Fix mute LED for HP Victus 16-s0xxx

by edip＠medip.dev

From: Edip Hazuri <edip(a)medip.dev> The mute led on this laptop is using ALC245 but requires a quirk to work This patch enables the existing quirk for the device. Tested on Victus 16-S0063NT Laptop. The LED behaviour works as intended. Cc: <stable(a)vger.kernel.org> Signed-off-by: Edip Hazuri <edip(a)medip.dev> --- sound/hda/codecs/realtek/alc269.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c index 05019fa732..77322ff8a6 100644 --- a/sound/hda/codecs/realtek/alc269.c +++ b/sound/hda/codecs/realtek/alc269.c @@ -6528,6 +6528,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { SND_PCI_QUIRK(0x103c, 0x8bbe, "HP Victus 16-r0xxx (MB 8BBE)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT), SND_PCI_QUIRK(0x103c, 0x8bc8, "HP Victus 15-fa1xxx", ALC245_FIXUP_HP_MUTE_LED_COEFBIT), SND_PCI_QUIRK(0x103c, 0x8bcd, "HP Omen 16-xd0xxx", ALC245_FIXUP_HP_MUTE_LED_V1_COEFBIT), + SND_PCI_QUIRK(0x103c, 0x8bd4, "HP Victus 16-s0xxx (MB 8BD4)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT), SND_PCI_QUIRK(0x103c, 0x8bdd, "HP Envy 17", ALC287_FIXUP_CS35L41_I2C_2), SND_PCI_QUIRK(0x103c, 0x8bde, "HP Envy 17", ALC287_FIXUP_CS35L41_I2C_2), SND_PCI_QUIRK(0x103c, 0x8bdf, "HP Envy 15", ALC287_FIXUP_CS35L41_I2C_2), -- 2.50.1

3 months, 3 weeks

2
2
0 0

[PATCH 5.4.y 0/3] Backport series: "permit write-sealed memfd read-only shared mappings"

by Isaac J. Manjarres

Hello, Until kernel version 6.7, a write-sealed memfd could not be mapped as shared and read-only. This was clearly a bug, and was not inline with the description of F_SEAL_WRITE in the man page for fcntl()[1]. Lorenzo's series [2] fixed that issue and was merged in kernel version 6.7, but was not backported to older kernels. So, this issue is still present on kernels 5.4, 5.10, 5.15, 6.1, and 6.6. This series backports Lorenzo's series to the 5.4 kernel. [1] https://man7.org/linux/man-pages/man2/fcntl.2.html [2] https://lore.kernel.org/all/913628168ce6cce77df7d13a63970bae06a526e0.169711… Lorenzo Stoakes (3): mm: drop the assumption that VM_SHARED always implies writable mm: update memfd seal write check to include F_SEAL_WRITE mm: perform the mapping_map_writable() check after call_mmap() fs/hugetlbfs/inode.c | 2 +- include/linux/fs.h | 4 ++-- include/linux/mm.h | 26 +++++++++++++++++++------- kernel/fork.c | 2 +- mm/filemap.c | 2 +- mm/madvise.c | 2 +- mm/mmap.c | 26 ++++++++++++++++---------- mm/shmem.c | 2 +- 8 files changed, 42 insertions(+), 24 deletions(-) -- 2.50.1.552.g942d659e1b-goog

3 months, 3 weeks

4
8
0 0

[PATCH 6.1] HID: mcp2221: Set driver data before I2C adapter add

by Sumanth Gavini

The process of adding an I2C adapter can invoke I2C accesses on that new adapter (see i2c_detect()). Ensure we have set the adapter's driver data to avoid null pointer dereferences in the xfer functions during the adapter add. This has been noted in the past and the same fix proposed but not completed. See: https://lore.kernel.org/lkml/ef597e73-ed71-168e-52af-0d19b03734ac@vigem.de/ Signed-off-by: Hamish Martin <hamish.martin(a)alliedtelesis.co.nz> Signed-off-by: Jiri Kosina <jkosina(a)suse.cz> Signed-off-by: Sumanth Gavini <sumanth.gavini(a)yahoo.com> --- drivers/hid/hid-mcp2221.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/hid/hid-mcp2221.c b/drivers/hid/hid-mcp2221.c index de52e9f7bb8c..9973545c1c4b 100644 --- a/drivers/hid/hid-mcp2221.c +++ b/drivers/hid/hid-mcp2221.c @@ -873,12 +873,12 @@ static int mcp2221_probe(struct hid_device *hdev, "MCP2221 usb-i2c bridge on hidraw%d", ((struct hidraw *)hdev->hidraw)->minor); + i2c_set_adapdata(&mcp->adapter, mcp); ret = i2c_add_adapter(&mcp->adapter); if (ret) { hid_err(hdev, "can't add usb-i2c adapter: %d\n", ret); goto err_i2c; } - i2c_set_adapdata(&mcp->adapter, mcp); /* Setup GPIO chip */ mcp->gc = devm_kzalloc(&hdev->dev, sizeof(*mcp->gc), GFP_KERNEL); -- 2.43.0

3 months, 3 weeks

3
5
0 0

[PATCH] kbuild: userprogs: use correct linker when mixing clang and GNU ld

by Thomas Weißschuh

The userprogs infrastructure does not expect clang being used with GNU ld and in that case uses /usr/bin/ld for linking, not the configured $(LD). This fallback is problematic as it will break when cross-compiling. Mixing clang and GNU ld is used for example when building for SPARC64, as ld.lld is not sufficient; see Documentation/kbuild/llvm.rst. Relax the check around --ld-path so it gets used for all linkers. Fixes: dfc1b168a8c4 ("kbuild: userprogs: use correct lld when linking through clang") Cc: stable(a)vger.kernel.org Signed-off-by: Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> --- Nathan, you originally proposed the check for $(CONFIG_LD_IS_LLD) [0], could you take a look at this? [0] https://lore.kernel.org/all/20250213175437.GA2756218@ax162/ --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index c09766beb7eff4780574682b8ea44475fc0a5188..e300c6546c845c300edb5f0033719963c7da8f9b 100644 --- a/Makefile +++ b/Makefile @@ -1134,7 +1134,7 @@ KBUILD_USERCFLAGS += $(filter -m32 -m64 --target=%, $(KBUILD_CPPFLAGS) $(KBUILD KBUILD_USERLDFLAGS += $(filter -m32 -m64 --target=%, $(KBUILD_CPPFLAGS) $(KBUILD_CFLAGS)) # userspace programs are linked via the compiler, use the correct linker -ifeq ($(CONFIG_CC_IS_CLANG)$(CONFIG_LD_IS_LLD),yy) +ifneq ($(CONFIG_CC_IS_CLANG),) KBUILD_USERLDFLAGS += --ld-path=$(LD) endif --- base-commit: 6832a9317eee280117cd695fa885b2b7a7a38daf change-id: 20250723-userprogs-clang-gnu-ld-7a1c16fc852d Best regards, -- Thomas Weißschuh <thomas.weissschuh(a)linutronix.de>

3 months, 3 weeks

3
4
0 0

FAILED: patch "[PATCH] Revert "xfrm: destroy xfrm_state synchronously on net exit" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 2a198bbec6913ae1c90ec963750003c6213668c7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072924-postbox-exorcism-f636@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2a198bbec6913ae1c90ec963750003c6213668c7 Mon Sep 17 00:00:00 2001 From: Sabrina Dubroca <sd(a)queasysnail.net> Date: Fri, 4 Jul 2025 16:54:34 +0200 Subject: [PATCH] Revert "xfrm: destroy xfrm_state synchronously on net exit path" This reverts commit f75a2804da391571563c4b6b29e7797787332673. With all states (whether user or kern) removed from the hashtables during deletion, there's no need for synchronous destruction of states. xfrm6_tunnel states still need to have been destroyed (which will be the case when its last user is deleted (not destroyed)) so that xfrm6_tunnel_free_spi removes it from the per-netns hashtable before the netns is destroyed. This has the benefit of skipping one synchronize_rcu per state (in __xfrm_state_destroy(sync=true)) when we exit a netns. Signed-off-by: Sabrina Dubroca <sd(a)queasysnail.net> Signed-off-by: Steffen Klassert <steffen.klassert(a)secunet.com> diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 91d52a380e37..f3014e4f54fc 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -915,7 +915,7 @@ static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols) xfrm_pol_put(pols[i]); } -void __xfrm_state_destroy(struct xfrm_state *, bool); +void __xfrm_state_destroy(struct xfrm_state *); static inline void __xfrm_state_put(struct xfrm_state *x) { @@ -925,13 +925,7 @@ static inline void __xfrm_state_put(struct xfrm_state *x) static inline void xfrm_state_put(struct xfrm_state *x) { if (refcount_dec_and_test(&x->refcnt)) - __xfrm_state_destroy(x, false); -} - -static inline void xfrm_state_put_sync(struct xfrm_state *x) -{ - if (refcount_dec_and_test(&x->refcnt)) - __xfrm_state_destroy(x, true); + __xfrm_state_destroy(x); } static inline void xfrm_state_hold(struct xfrm_state *x) @@ -1769,7 +1763,7 @@ struct xfrmk_spdinfo { struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 mark, u32 seq, u32 pcpu_num); int xfrm_state_delete(struct xfrm_state *x); -int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync); +int xfrm_state_flush(struct net *net, u8 proto, bool task_valid); int xfrm_dev_state_flush(struct net *net, struct net_device *dev, bool task_valid); int xfrm_dev_policy_flush(struct net *net, struct net_device *dev, bool task_valid); diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c index 7fd8bc08e6eb..5120a763da0d 100644 --- a/net/ipv6/xfrm6_tunnel.c +++ b/net/ipv6/xfrm6_tunnel.c @@ -334,7 +334,7 @@ static void __net_exit xfrm6_tunnel_net_exit(struct net *net) struct xfrm6_tunnel_net *xfrm6_tn = xfrm6_tunnel_pernet(net); unsigned int i; - xfrm_state_flush(net, 0, false, true); + xfrm_state_flush(net, IPSEC_PROTO_ANY, false); xfrm_flush_gc(); for (i = 0; i < XFRM6_TUNNEL_SPI_BYADDR_HSIZE; i++) diff --git a/net/key/af_key.c b/net/key/af_key.c index efc2a91f4c48..b5d761700776 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c @@ -1766,7 +1766,7 @@ static int pfkey_flush(struct sock *sk, struct sk_buff *skb, const struct sadb_m if (proto == 0) return -EINVAL; - err = xfrm_state_flush(net, proto, true, false); + err = xfrm_state_flush(net, proto, true); err2 = unicast_flush_resp(sk, hdr); if (err || err2) { if (err == -ESRCH) /* empty table - go quietly */ diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index f7110a658897..327a1a6f892c 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c @@ -592,7 +592,7 @@ void xfrm_state_free(struct xfrm_state *x) } EXPORT_SYMBOL(xfrm_state_free); -static void ___xfrm_state_destroy(struct xfrm_state *x) +static void xfrm_state_gc_destroy(struct xfrm_state *x) { if (x->mode_cbs && x->mode_cbs->destroy_state) x->mode_cbs->destroy_state(x); @@ -631,7 +631,7 @@ static void xfrm_state_gc_task(struct work_struct *work) synchronize_rcu(); hlist_for_each_entry_safe(x, tmp, &gc_list, gclist) - ___xfrm_state_destroy(x); + xfrm_state_gc_destroy(x); } static enum hrtimer_restart xfrm_timer_handler(struct hrtimer *me) @@ -795,19 +795,14 @@ void xfrm_dev_state_free(struct xfrm_state *x) } #endif -void __xfrm_state_destroy(struct xfrm_state *x, bool sync) +void __xfrm_state_destroy(struct xfrm_state *x) { WARN_ON(x->km.state != XFRM_STATE_DEAD); - if (sync) { - synchronize_rcu(); - ___xfrm_state_destroy(x); - } else { - spin_lock_bh(&xfrm_state_gc_lock); - hlist_add_head(&x->gclist, &xfrm_state_gc_list); - spin_unlock_bh(&xfrm_state_gc_lock); - schedule_work(&xfrm_state_gc_work); - } + spin_lock_bh(&xfrm_state_gc_lock); + hlist_add_head(&x->gclist, &xfrm_state_gc_list); + spin_unlock_bh(&xfrm_state_gc_lock); + schedule_work(&xfrm_state_gc_work); } EXPORT_SYMBOL(__xfrm_state_destroy); @@ -922,7 +917,7 @@ xfrm_dev_state_flush_secctx_check(struct net *net, struct net_device *dev, bool } #endif -int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync) +int xfrm_state_flush(struct net *net, u8 proto, bool task_valid) { int i, err = 0, cnt = 0; @@ -3283,7 +3278,7 @@ void xfrm_state_fini(struct net *net) unsigned int sz; flush_work(&net->xfrm.state_hash_work); - xfrm_state_flush(net, 0, false, true); + xfrm_state_flush(net, IPSEC_PROTO_ANY, false); flush_work(&xfrm_state_gc_work); WARN_ON(!list_empty(&net->xfrm.state_all)); diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 1db18f470f42..684239018bec 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -2635,7 +2635,7 @@ static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh, struct xfrm_usersa_flush *p = nlmsg_data(nlh); int err; - err = xfrm_state_flush(net, p->proto, true, false); + err = xfrm_state_flush(net, p->proto, true); if (err) { if (err == -ESRCH) /* empty table */ return 0;

3 months, 3 weeks

3
4
0 0

[PATCH 6.12 0/4] drm/xe: Fix xe_force_wake_get return handling

by Tomita Moeko

This patchset fixes the xe driver probe fail with -ETIMEDOUT issue in linux 6.12.35 and later version. The failure is caused by commit d42b44736ea2 ("drm/xe/gt: Update handling of xe_force_wake_get return"), which incorrectly handles the return value of xe_force_wake_get as "refcounted domain mask" (as introduced in 6.13), rather than status code (as used in 6.12). In 6.12 stable kernel, xe_force_wake_get still returns a status code. The update incorrectly treats the return value as a mask, causing the return value of 0 to be misinterpreted as an error. As a result, the driver probe fails with -ETIMEDOUT in xe_pci_probe -> xe_device_probe -> xe_gt_init_hwconfig -> xe_force_wake_get. [ 1254.323172] xe 0000:00:02.0: [drm] Found ALDERLAKE_P (device ID 46a6) display version 13.00 stepping D0 [ 1254.323175] xe 0000:00:02.0: [drm:xe_pci_probe [xe]] ALDERLAKE_P 46a6:000c dgfx:0 gfx:Xe_LP (12.00) media:Xe_M (12.00) display:yes dma_m_s:39 tc:1 gscfi:0 cscfi:0 [ 1254.323275] xe 0000:00:02.0: [drm:xe_pci_probe [xe]] Stepping = (G:C0, M:C0, B:**) [ 1254.323328] xe 0000:00:02.0: [drm:xe_pci_probe [xe]] SR-IOV support: no (mode: none) [ 1254.323379] xe 0000:00:02.0: [drm:intel_pch_type [xe]] Found Alder Lake PCH [ 1254.323475] xe 0000:00:02.0: probe with driver xe failed with error -110 Similar return handling issue cause by API mismatch are also found in: Commit 95a75ed2b005 ("drm/xe/tests/mocs: Update xe_force_wake_get() return handling") Commit 9ffd6ec2de08 ("drm/xe/devcoredump: Update handling of xe_force_wake_get return") This patchset fixes them by reverting them all. Additionally, commit deb05f8431f3 ("drm/xe/forcewake: Add a helper xe_force_wake_ref_has_domain()") is also reverted as it is not needed in 6.12. Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/5373 Cc: Badal Nilawar <badal.nilawar(a)intel.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: Rodrigo Vivi <rodrigo.vivi(a)intel.com> Cc: Lucas De Marchi <lucas.demarchi(a)intel.com> Cc: Himal Prasad Ghimiray <himal.prasad.ghimiray(a)intel.com> Cc: Nirmoy Das <nirmoy.das(a)intel.com> Tomita Moeko (4): Revert "drm/xe/gt: Update handling of xe_force_wake_get return" Revert "drm/xe/tests/mocs: Update xe_force_wake_get() return handling" Revert "drm/xe/devcoredump: Update handling of xe_force_wake_get return" Revert "drm/xe/forcewake: Add a helper xe_force_wake_ref_has_domain()" drivers/gpu/drm/xe/tests/xe_mocs.c | 21 +++--- drivers/gpu/drm/xe/xe_devcoredump.c | 14 ++-- drivers/gpu/drm/xe/xe_force_wake.h | 16 ----- drivers/gpu/drm/xe/xe_gt.c | 105 +++++++++++++--------------- 4 files changed, 63 insertions(+), 93 deletions(-) -- 2.47.2

3 months, 3 weeks

4
10
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror