- Linux-stable-mirror - lists.linaro.org

+ kho-warn-and-exit-when-unpreserved-page-wasnt-preserved.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: kho: warn and exit when unpreserved page wasn't preserved has been added to the -mm mm-hotfixes-unstable branch. Its filename is kho-warn-and-exit-when-unpreserved-page-wasnt-preserved.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Pratyush Yadav <pratyush(a)kernel.org> Subject: kho: warn and exit when unpreserved page wasn't preserved Date: Mon, 3 Nov 2025 19:02:32 +0100 Calling __kho_unpreserve() on a pair of (pfn, end_pfn) that wasn't preserved is a bug. Currently, if that is done, the physxa or bits can be NULL. This results in a soft lockup since a NULL physxa or bits results in redoing the loop without ever making any progress. Return when physxa or bits are not found, but WARN first to loudly indicate invalid behaviour. Link: https://lkml.kernel.org/r/20251103180235.71409-3-pratyush@kernel.org Fixes: fc33e4b44b271 ("kexec: enable KHO support for memory preservation") Signed-off-by: Pratyush Yadav <pratyush(a)kernel.org> Cc: Alexander Graf <graf(a)amazon.com> Cc: Baoquan He <bhe(a)redhat.com> Cc: Mike Rapoport (Microsoft) <rppt(a)kernel.org> Cc: Pasha Tatashin <pasha.tatashin(a)soleen.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- kernel/kexec_handover.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) --- a/kernel/kexec_handover.c~kho-warn-and-exit-when-unpreserved-page-wasnt-preserved +++ a/kernel/kexec_handover.c @@ -171,12 +171,12 @@ static void __kho_unpreserve(struct kho_ const unsigned long pfn_high = pfn >> order; physxa = xa_load(&track->orders, order); - if (!physxa) - continue; + if (WARN_ON_ONCE(!physxa)) + return; bits = xa_load(&physxa->phys_bits, pfn_high / PRESERVE_BITS); - if (!bits) - continue; + if (WARN_ON_ONCE(!bits)) + return; clear_bit(pfn_high % PRESERVE_BITS, bits->preserve); _ Patches currently in -mm which might be from pratyush(a)kernel.org are kho-fix-out-of-bounds-access-of-vmalloc-chunk.patch kho-fix-unpreservation-of-higher-order-vmalloc-preservations.patch kho-warn-and-exit-when-unpreserved-page-wasnt-preserved.patch

2 weeks

1
0
0 0

[PATCH AUTOSEL 6.17-6.6] hwmon: (k10temp) Add device ID for Strix Halo

by Sasha Levin

From: Rong Zhang <i(a)rong.moe> [ Upstream commit e5d1e313d7b6272d6dfda983906d99f97ad9062b ] The device ID of Strix Halo Data Fabric Function 3 has been in the tree since commit 0e640f0a47d8 ("x86/amd_nb: Add new PCI IDs for AMD family 0x1a"), but is somehow missing from k10temp_id_table. Add it so that it works out of the box. Tested on Beelink GTR9 Pro Mini PC. Signed-off-by: Rong Zhang <i(a)rong.moe> Reviewed-by: Mario Limonciello <mario.limonciello(a)amd.com> Link: https://lore.kernel.org/r/20250823180443.85512-1-i@rong.moe Signed-off-by: Guenter Roeck <linux(a)roeck-us.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: YES – the added ID lets the existing k10temp driver bind to Strix Halo’s DF3 device so users get temperature readings on that platform. - `drivers/hwmon/k10temp.c:560` gains `PCI_DEVICE_ID_AMD_1AH_M70H_DF_F3`, fixing the current omission that prevents the module from attaching to Strix Halo’s Data Fabric function 3 and leaves its sensors unavailable. - The constant already exists in released kernels (`include/linux/pci_ids.h:587`) and is used by the AMD northbridge driver (`arch/x86/kernel/amd_nb.c:98`), so the new table entry simply connects existing infrastructure; no functional code paths change. - Scope is minimal (one ID entry, no new logic), making regression risk negligible; the patch has been verified on shipping hardware (Beelink GTR9 Pro). - For stable backports, this applies cleanly to branches ≥ v6.10 where the PCI ID is defined; older long-term trees would first need commit 0e640f0a47d8 (or an equivalent definition). Natural next step: backport to the relevant stable lines that already carry the Strix Halo PCI ID definition (6.10.y, upcoming 6.11.y, etc.). drivers/hwmon/k10temp.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/hwmon/k10temp.c b/drivers/hwmon/k10temp.c index 2f90a2e9ad496..b98d5ec72c4ff 100644 --- a/drivers/hwmon/k10temp.c +++ b/drivers/hwmon/k10temp.c @@ -565,6 +565,7 @@ static const struct pci_device_id k10temp_id_table[] = { { PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_1AH_M20H_DF_F3) }, { PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_1AH_M50H_DF_F3) }, { PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_1AH_M60H_DF_F3) }, + { PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_1AH_M70H_DF_F3) }, { PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_1AH_M90H_DF_F3) }, { PCI_VDEVICE(HYGON, PCI_DEVICE_ID_AMD_17H_DF_F3) }, {} -- 2.51.0

2 weeks

8
130
0 0

Re: Patch "mptcp: move the whole rx path under msk socket lock protection" has been added to the 6.12-stable tree

by Matthieu Baerts

Hi Greg, Sasha, On 03/11/2025 02:29, gregkh(a)linuxfoundation.org wrote: > > This is a note to let you know that I've just added the patch titled > > mptcp: move the whole rx path under msk socket lock protection > > to the 6.12-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > mptcp-move-the-whole-rx-path-under-msk-socket-lock-protection.patch > and it can be found in the queue-6.12 subdirectory. Thank you for the backport! > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. Please drop this patch from the 6.12-stable tree: it causes troubles in the MPTCP selftests: MPTCP to TCP connections timeout when MSG_PEEK is used. Likely a dependence is missing, and it might be better to keep only the last patch, and resolve conflicts. I will check that ASAP. In the meantime, can you then drop this patch and the ones that are linked to it please? queue-6.12/mptcp-cleanup-mem-accounting.patch queue-6.12/mptcp-fix-msg_peek-stream-corruption.patch queue-6.12/mptcp-move-the-whole-rx-path-under-msk-socket-lock-protection.patch queue-6.12/mptcp-leverage-skb-deferral-free.patch > From stable+bounces-192095-greg=kroah.com(a)vger.kernel.org Mon Nov 3 08:27:43 2025 > From: Sasha Levin <sashal(a)kernel.org> > Date: Sun, 2 Nov 2025 18:27:32 -0500 > Subject: mptcp: move the whole rx path under msk socket lock protection > To: stable(a)vger.kernel.org > Cc: Paolo Abeni <pabeni(a)redhat.com>, Mat Martineau <martineau(a)kernel.org>, "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org>, Jakub Kicinski <kuba(a)kernel.org>, Sasha Levin <sashal(a)kernel.org> > Message-ID: <20251102232735.3652847-1-sashal(a)kernel.org> > > From: Paolo Abeni <pabeni(a)redhat.com> > > [ Upstream commit bc68b0efa1bf923cef1294a631d8e7416c7e06e4 ] > > After commit c2e6048fa1cf ("mptcp: fix race in release_cb") we can > move the whole MPTCP rx path under the socket lock leveraging the > release_cb. > > We can drop a bunch of spin_lock pairs in the receive functions, use > a single receive queue and invoke __mptcp_move_skbs only when subflows > ask for it. > > This will allow more cleanup in the next patch. > > Some changes are worth specific mention: > > The msk rcvbuf update now always happens under both the msk and the > subflow socket lock: we can drop a bunch of ONCE annotation and > consolidate the checks. > > When the skbs move is delayed at msk release callback time, even the > msk rcvbuf update is delayed; additionally take care of such action in > __mptcp_move_skbs(). > > Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> > Reviewed-by: Mat Martineau <martineau(a)kernel.org> > Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> > Link: https://patch.msgid.link/20250218-net-next-mptcp-rx-path-refactor-v1-3-4a47… > Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> > Stable-dep-of: 8e04ce45a8db ("mptcp: fix MSG_PEEK stream corruption") > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> (...) Cheers, Matt -- Sponsored by the NGI0 Core fund.

2 weeks

2
1
0 0

[PATCH v3 RESEND] net/dccp: validate Reset/Close/CloseReq in DCCP_REQUESTING

by Yizhou Zhao

Dear maintainers of Linux kernel, this is a resend version of the patch with a clarified commit message based on the previous feedback <CAL+tcoCJf8gHNW9O6B5qX+kM7W6zeVPYqbqji2kMqnDNuGWZww(a)mail.gmail.com>. We haven't received any reply yet, so we resend it again. The code change is the same; only the description is improved to better explain the issue, impact and rationale. Thanks for your time and review. DCCP sockets in DCCP_REQUESTING state do not check the sequence number or acknowledgment number for incoming Reset, CloseReq, and Close packets. As a result, an attacker can send a spoofed Reset packet while the client is in the requesting state. The client will accept the packet without any verification before receiving the reply from server and immediately close the connection, causing a denial of service (DoS) attack. The vulnerability makes the attacker able to drop the pending connection for a specific 5-tuple. Moreover, an off-path attacker with modestly higher outbound bandwidth can continually inject forged control packets to the victim client and prevent connection establishment to a given destination port on a server, causing a port-level DoS. This patch moves the processing of Reset, Close, and CloseReq packets into dccp_rcv_request_sent_state_process() and validates the ack number before accepting them. This patch should be applied to stable versions *only* before Linux 6.16, since DCCP implementation is removed in Linux 6.16. Affected versions include: - 3.1-3.19 - 4.0-4.20 - 5.0-5.19 - 6.0-6.15 We tested it on Ubuntu 24.04 LTS (Linux 6.8) and it worked as expected. Fixes: c0c2015056d7b ("dccp: Clean up slow-path input processing") Signed-off-by: Yizhou Zhao <zhaoyz24(a)mails.tsinghua.edu.cn> Cc: stable(a)vger.kernel.org --- net/dccp/input.c | 54 ++++++++++++++++++++++++++++-------------------- 1 file changed, 32 insertions(+), 22 deletions(-) diff --git a/net/dccp/input.c b/net/dccp/input.c index 2cbb757a8..0b1ffb044 100644 --- a/net/dccp/input.c +++ b/net/dccp/input.c @@ -397,21 +397,22 @@ static int dccp_rcv_request_sent_state_process(struct sock *sk, * / * Response processing continues in Step 10; Reset * processing continues in Step 9 * / */ + struct dccp_sock *dp = dccp_sk(sk); + + if (!between48(DCCP_SKB_CB(skb)->dccpd_ack_seq, + dp->dccps_awl, dp->dccps_awh)) { + dccp_pr_debug("invalid ackno: S.AWL=%llu, " + "P.ackno=%llu, S.AWH=%llu\n", + (unsigned long long)dp->dccps_awl, + (unsigned long long)DCCP_SKB_CB(skb)->dccpd_ack_seq, + (unsigned long long)dp->dccps_awh); + goto out_invalid_packet; + } + if (dh->dccph_type == DCCP_PKT_RESPONSE) { const struct inet_connection_sock *icsk = inet_csk(sk); - struct dccp_sock *dp = dccp_sk(sk); - long tstamp = dccp_timestamp(); - - if (!between48(DCCP_SKB_CB(skb)->dccpd_ack_seq, - dp->dccps_awl, dp->dccps_awh)) { - dccp_pr_debug("invalid ackno: S.AWL=%llu, " - "P.ackno=%llu, S.AWH=%llu\n", - (unsigned long long)dp->dccps_awl, - (unsigned long long)DCCP_SKB_CB(skb)->dccpd_ack_seq, - (unsigned long long)dp->dccps_awh); - goto out_invalid_packet; - } + long tstamp = dccp_timestamp(); /* * If option processing (Step 8) failed, return 1 here so that * dccp_v4_do_rcv() sends a Reset. The Reset code depends on @@ -496,6 +497,13 @@ static int dccp_rcv_request_sent_state_process(struct sock *sk, } dccp_send_ack(sk); return -1; + } else if (dh->dccph_type == DCCP_PKT_RESET) { + dccp_rcv_reset(sk, skb); + return 0; + } else if (dh->dccph_type == DCCP_PKT_CLOSEREQ) { + return dccp_rcv_closereq(sk, skb); + } else if (dh->dccph_type == DCCP_PKT_CLOSE) { + return dccp_rcv_close(sk, skb); } out_invalid_packet: @@ -658,17 +666,19 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb, * Set TIMEWAIT timer * Drop packet and return */ - if (dh->dccph_type == DCCP_PKT_RESET) { - dccp_rcv_reset(sk, skb); - return 0; - } else if (dh->dccph_type == DCCP_PKT_CLOSEREQ) { /* Step 13 */ - if (dccp_rcv_closereq(sk, skb)) - return 0; - goto discard; - } else if (dh->dccph_type == DCCP_PKT_CLOSE) { /* Step 14 */ - if (dccp_rcv_close(sk, skb)) + if (sk->sk_state != DCCP_REQUESTING) { + if (dh->dccph_type == DCCP_PKT_RESET) { + dccp_rcv_reset(sk, skb); return 0; - goto discard; + } else if (dh->dccph_type == DCCP_PKT_CLOSEREQ) { /* Step 13 */ + if (dccp_rcv_closereq(sk, skb)) + return 0; + goto discard; + } else if (dh->dccph_type == DCCP_PKT_CLOSE) { /* Step 14 */ + if (dccp_rcv_close(sk, skb)) + return 0; + goto discard; + } } switch (sk->sk_state) { -- 2.34.1

2 weeks

2
4
0 0

Optimiza tu reclutamiento con PsicoSmart

by Valeria Pérez

Mejora tus contrataciones con PsicoSmart body { margin: 0; padding: 0; font-family: Arial, Helvetica, sans-serif; font-size: 14px; color: #333; background-color: #ffffff; } table { border-spacing: 0; width: 100%; max-width: 600px; margin: auto; } td { padding: 12px 20px; } a { color: #1a73e8; text-decoration: none; } .footer { font-size: 12px; color: #888888; text-align: center; } Evalúa talento de forma objetiva y mejora tus contrataciones con PsicoSmart. Hola, , ¿Te ha pasado que un candidato luce perfecto en entrevista, pero en el trabajo no encaja como esperabas? En selección, confiar solo en la percepción puede llevar a decisiones costosas. Por eso quiero presentarte PsicoSmart, una herramienta creada para que los equipos de Recursos Humanos tomen decisiones más objetivas y acertadas. Con PsicoSmart puedes: Aplicar 31 pruebas psicométricas que evalúan liderazgo, honestidad, comunicación e inteligencia. Validar conocimientos técnicos con más de 2,500 exámenes especializados. Supervisar la identidad de quien responde mediante captura fotográfica automática durante la evaluación. Gestionar todo desde una sola plataforma, accesible desde cualquier dispositivo. Si estás buscando mejorar tus contrataciones, podría ser una muy buena opción. Si quieres conocer más puedes responder este correo o simplemente contactarme, mis datos están abajo. Saludos, -------------- Atte.: Valeria Pérez Ciudad de México: (55) 5018 0565 WhatsApp: +52 33 1607 2089 Si no deseas recibir más correos, haz clic aquí para darte de baja. Para remover su dirección de esta lista haga <a href="https://s1.arrobamail.com/unsuscribe.php?id=yiwtsrewiswqqtseup">click aquí</a>

2 weeks

1
0
0 0

[PATCH 1/2] rust: kbuild: treat `build_error` and `rustdoc` as kernel objects

by Miguel Ojeda

Even if normally `build_error` isn't a kernel object, it should still be treated as such so that we pass the same flags. Similarly, `rustdoc` targets are never kernel objects, but we need to treat them as such. Otherwise, starting with Rust 1.91.0 (released 2025-10-30), `rustc` will complain about missing sanitizer flags since `-Zsanitizer` is a target modifier too [1]: error: mixing `-Zsanitizer` will cause an ABI mismatch in crate `build_error` --> rust/build_error.rs:3:1 | 3 | //! Build-time error. | ^ | = help: the `-Zsanitizer` flag modifies the ABI so Rust crates compiled with different values of this flag cannot be used together safely = note: unset `-Zsanitizer` in this crate is incompatible with `-Zsanitizer=kernel-address` in dependency `core` = help: set `-Zsanitizer=kernel-address` in this crate or unset `-Zsanitizer` in `core` = help: if you are sure this will not cause problems, you may use `-Cunsafe-allow-abi-mismatch=sanitizer` to silence this error Thus explicitly mark them as kernel objects. Cc: stable(a)vger.kernel.org # Needed in 6.12.y and later (Rust is pinned in older LTSs). Link: https://github.com/rust-lang/rust/pull/138736 [1] Signed-off-by: Miguel Ojeda <ojeda(a)kernel.org> --- rust/Makefile | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/rust/Makefile b/rust/Makefile index 23c7ae905bd2..5de103e20841 100644 --- a/rust/Makefile +++ b/rust/Makefile @@ -127,9 +127,14 @@ rustdoc-core: private rustc_target_flags = --edition=$(core-edition) $(core-cfgs rustdoc-core: $(RUST_LIB_SRC)/core/src/lib.rs rustdoc-clean FORCE +$(call if_changed,rustdoc) +# Even if `rustdoc` targets are not kernel objects, they should still be +# treated as such so that we pass the same flags. Otherwise, for instance, +# `rustc` will complain about missing sanitizer flags causing an ABI mismatch. +rustdoc-compiler_builtins: private is-kernel-object := y rustdoc-compiler_builtins: $(src)/compiler_builtins.rs rustdoc-core FORCE +$(call if_changed,rustdoc) +rustdoc-ffi: private is-kernel-object := y rustdoc-ffi: $(src)/ffi.rs rustdoc-core FORCE +$(call if_changed,rustdoc) @@ -147,6 +152,7 @@ rustdoc-pin_init: $(src)/pin-init/src/lib.rs rustdoc-pin_init_internal \ rustdoc-macros FORCE +$(call if_changed,rustdoc) +rustdoc-kernel: private is-kernel-object := y rustdoc-kernel: private rustc_target_flags = --extern ffi --extern pin_init \ --extern build_error --extern macros \ --extern bindings --extern uapi @@ -522,6 +528,10 @@ $(obj)/pin_init.o: $(src)/pin-init/src/lib.rs $(obj)/compiler_builtins.o \ $(obj)/$(libpin_init_internal_name) $(obj)/$(libmacros_name) FORCE +$(call if_changed_rule,rustc_library) +# Even if normally `build_error` is not a kernel object, it should still be +# treated as such so that we pass the same flags. Otherwise, for instance, +# `rustc` will complain about missing sanitizer flags causing an ABI mismatch. +$(obj)/build_error.o: private is-kernel-object := y $(obj)/build_error.o: private skip_gendwarfksyms = 1 $(obj)/build_error.o: $(src)/build_error.rs $(obj)/compiler_builtins.o FORCE +$(call if_changed_rule,rustc_library) -- 2.51.2

2 weeks

4
6
0 0

For stable: [PATCH v2] mfd: kempld: Switch back to earlier ->init() behavior

by Michael Brunner

Mainline patch information (included in 6.18-rc): mfd: kempld: Switch back to earlier ->init() behavior Commit 309e65d151ab9be1e7b01d822880cd8c4e611dff Please consider this patch for all supported stable and longterm versions that include the faulty commit 9e36775c22c7 mentioned in the patch description. This includes all Kernel versions starting with v6.10. Newer Kontron/JUMPtec products are not listed in the kempld drivers DMI table, as they are supposed to be identified using ACPI. Without this patch there is no way to get the driver working with those boards on the affected kernel versions. Thanks in advance, Michael Brunner

2 weeks

2
1
0 0

[PATCH] drm/amd/display: Fix NULL deref in debugfs odm_combine_segments

by Rong Zhang

When a connector is connected but inactive (e.g., disabled by desktop environments), pipe_ctx->stream_res.tg will be destroyed. Then, reading odm_combine_segments causes kernel NULL pointer dereference. BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 16 UID: 0 PID: 26474 Comm: cat Not tainted 6.17.0+ #2 PREEMPT(lazy) e6a17af9ee6db7c63e9d90dbe5b28ccab67520c6 Hardware name: LENOVO 21Q4/LNVNB161216, BIOS PXCN25WW 03/27/2025 RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu] Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00> RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286 RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8 RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000 RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0 R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08 R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001 FS: 00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0 PKRU: 55555554 Call Trace: <TASK> seq_read_iter+0x125/0x490 ? __alloc_frozen_pages_noprof+0x18f/0x350 seq_read+0x12c/0x170 full_proxy_read+0x51/0x80 vfs_read+0xbc/0x390 ? __handle_mm_fault+0xa46/0xef0 ? do_syscall_64+0x71/0x900 ksys_read+0x73/0xf0 do_syscall_64+0x71/0x900 ? count_memcg_events+0xc2/0x190 ? handle_mm_fault+0x1d7/0x2d0 ? do_user_addr_fault+0x21a/0x690 ? exc_page_fault+0x7e/0x1a0 entry_SYSCALL_64_after_hwframe+0x6c/0x74 RIP: 0033:0x7f44d4031687 Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00> RSP: 002b:00007ffdb4b5f0b0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 00007f44d3f9f740 RCX: 00007f44d4031687 RDX: 0000000000040000 RSI: 00007f44d3f5e000 RDI: 0000000000000003 RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007f44d3f5e000 R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000040000 </TASK> Modules linked in: tls tcp_diag inet_diag xt_mark ccm snd_hrtimer snd_seq_dummy snd_seq_midi snd_seq_oss snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device x> snd_hda_codec_atihdmi snd_hda_codec_realtek_lib lenovo_wmi_helpers think_lmi snd_hda_codec_generic snd_hda_codec_hdmi snd_soc_core kvm snd_compress uvcvideo sn> platform_profile joydev amd_pmc mousedev mac_hid sch_fq_codel uinput i2c_dev parport_pc ppdev lp parport nvme_fabrics loop nfnetlink ip_tables x_tables dm_cryp> CR2: 0000000000000000 ---[ end trace 0000000000000000 ]--- RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu] Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00> RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286 RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8 RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000 RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0 R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08 R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001 FS: 00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0 PKRU: 55555554 Fix this by checking pipe_ctx->stream_res.tg before dereferencing. Fixes: 07926ba8a44f ("drm/amd/display: Add debugfs interface for ODM combine info") Cc: stable(a)vger.kernel.org Signed-off-by: Rong Zhang <i(a)rong.moe> --- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c index f263e1a4537e1..00dac862b665a 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c @@ -1302,7 +1302,8 @@ static int odm_combine_segments_show(struct seq_file *m, void *unused) if (connector->status != connector_status_connected) return -ENODEV; - if (pipe_ctx != NULL && pipe_ctx->stream_res.tg->funcs->get_odm_combine_segments) + if (pipe_ctx && pipe_ctx->stream_res.tg && + pipe_ctx->stream_res.tg->funcs->get_odm_combine_segments) pipe_ctx->stream_res.tg->funcs->get_odm_combine_segments(pipe_ctx->stream_res.tg, &segments); seq_printf(m, "%d\n", segments); base-commit: 3a8660878839faadb4f1a6dd72c3179c1df56787 -- 2.51.0

2 weeks

2
2
0 0

[PATCH] lib/crypto: curve25519-hacl64: Fix older clang KASAN workaround for GCC

by Nathan Chancellor

Commit 2f13daee2a72 ("lib/crypto/curve25519-hacl64: Disable KASAN with clang-17 and older") inadvertently disabled KASAN in curve25519-hacl64.o for GCC unconditionally because clang-min-version will always evaluate to nothing for GCC. Add a check for CONFIG_CC_IS_GCC to avoid the workaround, which is only needed for clang-17 and older. Additionally, invert the 'ifeq (...,)' into 'ifneq (...,y)', as it is a little easier to read and understand the intention ("if not GCC or at least clang-18, disable KASAN"). Cc: stable(a)vger.kernel.org Fixes: 2f13daee2a72 ("lib/crypto/curve25519-hacl64: Disable KASAN with clang-17 and older") Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- lib/crypto/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index bded351aeace..372b7a12b371 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -90,7 +90,7 @@ else libcurve25519-$(CONFIG_CRYPTO_LIB_CURVE25519_GENERIC) += curve25519-fiat32.o endif # clang versions prior to 18 may blow out the stack with KASAN -ifeq ($(call clang-min-version, 180000),) +ifneq ($(CONFIG_CC_IS_GCC)$(call clang-min-version, 180000),y) KASAN_SANITIZE_curve25519-hacl64.o := n endif --- base-commit: 6146a0f1dfae5d37442a9ddcba012add260bceb0 change-id: 20251102-curve25519-hacl64-fix-kasan-workaround-75fdb8c098fd Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

2 weeks

2
3
0 0

[PATCH AUTOSEL 6.17-5.10] net: tls: Cancel RX async resync request on rcd_delta overflow

by Sasha Levin

From: Shahar Shitrit <shshitrit(a)nvidia.com> [ Upstream commit c15d5c62ab313c19121f10e25d4fec852bd1c40c ] When a netdev issues a RX async resync request for a TLS connection, the TLS module handles it by logging record headers and attempting to match them to the tcp_sn provided by the device. If a match is found, the TLS module approves the tcp_sn for resynchronization. While waiting for a device response, the TLS module also increments rcd_delta each time a new TLS record is received, tracking the distance from the original resync request. However, if the device response is delayed or fails (e.g due to unstable connection and device getting out of tracking, hardware errors, resource exhaustion etc.), the TLS module keeps logging and incrementing, which can lead to a WARN() when rcd_delta exceeds the threshold. To address this, introduce tls_offload_rx_resync_async_request_cancel() to explicitly cancel resync requests when a device response failure is detected. Call this helper also as a final safeguard when rcd_delta crosses its threshold, as reaching this point implies that earlier cancellation did not occur. Signed-off-by: Shahar Shitrit <shshitrit(a)nvidia.com> Reviewed-by: Sabrina Dubroca <sd(a)queasysnail.net> Signed-off-by: Tariq Toukan <tariqt(a)nvidia.com> Link: https://patch.msgid.link/1761508983-937977-3-git-send-email-tariqt@nvidia.c… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: Based on my semantic analysis of the kernel repository, here is my comprehensive assessment: ## **VERDICT: YES** This commit should be backported to stable kernel trees. ## **Detailed Analysis** ### **1. Semantic Code Analysis Tools Used** I used the following semantic analysis tools to examine this commit: - **mcp__semcode__find_function**: Located `tls_device_rx_resync_async`, `tls_device_rx_resync_new_rec`, and `tls_offload_rx_resync_async_request_start` - **mcp__semcode__find_type**: Examined `struct tls_offload_resync_async` structure - **mcp__semcode__find_callers**: Traced the call graph upward from affected functions - **mcp__semcode__find_callchain**: Built complete call chain from user space to the bug location - **Git tools**: Analyzed commit history, dependencies, and related fixes ### **2. Impact Analysis Results** **Call Chain Discovery** (from user-space to bug): ``` User recvmsg() syscall → tls_sw_recvmsg (net/tls/tls_sw.c:2031) → tls_strp_read_sock (net/tls/tls_strp.c:514) → tls_rx_msg_size (net/tls/tls_sw.c:2441) → tls_device_rx_resync_new_rec (net/tls/tls_device.c:767) → tls_device_rx_resync_async (net/tls/tls_device.c:712) ← **BUG HERE** ``` **User-Space Exposure**: This is **100% user-space triggerable**. Any application receiving TLS data with hardware offload enabled can hit this code path. **Affected Hardware**: Only Mellanox/NVIDIA mlx5 NICs currently use async TLS resync (found via semantic search: `drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c`) ### **3. Bug Description** **Current behavior (without patch)**: At line net/tls/tls_device.c:726-727: ```c if (WARN_ON_ONCE(resync_async->rcd_delta == USHRT_MAX)) return false; ``` When `rcd_delta` reaches 65535 (USHRT_MAX): - WARN() fires, polluting kernel logs - Function returns false, BUT doesn't cancel the resync request - `resync_async->req` remains set (still "active") - Every subsequent TLS record continues processing in async mode - Results in continuous WARN() spam and wasted CPU cycles **Fixed behavior (with patch)**: ```c if (WARN_ON_ONCE(resync_async->rcd_delta == USHRT_MAX)) { tls_offload_rx_resync_async_request_cancel(resync_async); // ← NEW return false; } ``` The new helper properly cancels the resync by setting `atomic64_set(&resync_async->req, 0)`, preventing further async processing. ### **4. Triggering Conditions** The bug triggers in real-world scenarios: - Packet drops/reordering in the network - Device hardware errors - Device resource exhaustion - Unstable network connections - Device losing track of TLS record state After device fails to respond, the kernel continues logging every TLS record header and incrementing `rcd_delta` until overflow occurs (65,535 TLS records ≈ realistic in high-throughput scenarios). ### **5. Code Change Scope** **Minimal and contained**: - Adds 6-line helper function `tls_offload_rx_resync_async_request_cancel()` - Modifies 2 lines at overflow check (adds braces + function call) - Total: +9 lines, -1 line - Files: `include/net/tls.h`, `net/tls/tls_device.c` ### **6. Dependency Analysis** **Critical**: This commit is a **stable dependency** for commit 426e9da3b284 ("net/mlx5e: kTLS, Cancel RX async resync request in error flows"), which: - Has explicit `Fixes: 0419d8c9d8f8` tag (kTLS RX resync support from ~2019) - Uses the new `tls_offload_rx_resync_async_request_cancel()` helper - Addresses the root cause in the mlx5 driver Without this commit, the mlx5 fix cannot be applied. ### **7. Backport Status** Already being backported: - cd4ff87174242: Backport with "Stable-dep-of: 426e9da3b284" tag - 689074947f008: Another stable backport - Shows active stable tree maintenance ### **8. Stable Tree Compliance** ✅ **Fixes important bug**: Prevents kernel log spam and CPU waste ✅ **No new features**: Pure bug fix ✅ **No architectural changes**: Adds one helper function ✅ **Minimal regression risk**: Only 10 lines, affects rare code path ✅ **Confined to subsystem**: TLS offload only ✅ **Dependency for other fixes**: Required by mlx5 driver fix ✅ **Well-reviewed**: Reviewed-by Sabrina Dubroca (TLS subsystem expert) ✅ **Hardware vendor submission**: NVIDIA engineers with hardware knowledge ### **9. Risk Assessment** **Very low risk**: - Change only affects TLS hardware offload users (small subset) - Only triggers at overflow condition (previously broken anyway) - No modification to hot path - only error handling - Well-tested by NVIDIA (hardware vendor) - Already merged in mainline v6.18-rc4 - Being actively backported to other stable trees ### **Conclusion** This is a textbook example of an ideal stable backport candidate: small, focused, fixes real user-visible issues, has dependencies, low risk, and already has stable tree activity. The semantic analysis confirms user- space can trigger this bug through normal TLS operations with hardware offload enabled. include/net/tls.h | 6 ++++++ net/tls/tls_device.c | 4 +++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/include/net/tls.h b/include/net/tls.h index b90f3b675c3c4..c7bcdb3afad75 100644 --- a/include/net/tls.h +++ b/include/net/tls.h @@ -467,6 +467,12 @@ tls_offload_rx_resync_async_request_end(struct tls_offload_resync_async *resync_ atomic64_set(&resync_async->req, ((u64)ntohl(seq) << 32) | RESYNC_REQ); } +static inline void +tls_offload_rx_resync_async_request_cancel(struct tls_offload_resync_async *resync_async) +{ + atomic64_set(&resync_async->req, 0); +} + static inline void tls_offload_rx_resync_set_type(struct sock *sk, enum tls_offload_sync_type type) { diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c index a82fdcf199690..bb14d9b467f28 100644 --- a/net/tls/tls_device.c +++ b/net/tls/tls_device.c @@ -723,8 +723,10 @@ tls_device_rx_resync_async(struct tls_offload_resync_async *resync_async, /* shouldn't get to wraparound: * too long in async stage, something bad happened */ - if (WARN_ON_ONCE(resync_async->rcd_delta == USHRT_MAX)) + if (WARN_ON_ONCE(resync_async->rcd_delta == USHRT_MAX)) { + tls_offload_rx_resync_async_request_cancel(resync_async); return false; + } /* asynchronous stage: log all headers seq such that * req_seq <= seq <= end_seq, and wait for real resync request -- 2.51.0

2 weeks

1
19
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror