January 2022 - Linux-stable-mirror

[PATCH -next] xhci: fix two places when dealing with return value of function xhci_check_args

by Hongyu Xie

From: Hongyu Xie <xiehongyu1(a)kylinos.cn> xhci_check_args returns 4 types of value, -ENODEV, -EINVAL, 1 and 0. xhci_urb_enqueue and xhci_check_streams_endpoint return -EINVAL if the return value of xhci_check_args <= 0. This will cause a problem. For example, r8152_submit_rx calling usb_submit_urb in drivers/net/usb/r8152.c. r8152_submit_rx will never get -ENODEV after submiting an urb when xHC is halted, because xhci_urb_enqueue returns -EINVAL in the very beginning. Fixes: 203a86613fb3 ("xhci: Avoid NULL pointer deref when host dies.") Cc: stable(a)vger.kernel.org Signed-off-by: Hongyu Xie <xiehongyu1(a)kylinos.cn> --- drivers/usb/host/xhci.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c index dc357cabb265..a7a55dd206fe 100644 --- a/drivers/usb/host/xhci.c +++ b/drivers/usb/host/xhci.c @@ -1604,9 +1604,12 @@ static int xhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag struct urb_priv *urb_priv; int num_tds; - if (!urb || xhci_check_args(hcd, urb->dev, urb->ep, - true, true, __func__) <= 0) + if (!urb) return -EINVAL; + ret = xhci_check_args(hcd, urb->dev, urb->ep, + true, true, __func__); + if (ret <= 0) + return ret; slot_id = urb->dev->slot_id; ep_index = xhci_get_endpoint_index(&urb->ep->desc); @@ -3323,7 +3326,7 @@ static int xhci_check_streams_endpoint(struct xhci_hcd *xhci, return -EINVAL; ret = xhci_check_args(xhci_to_hcd(xhci), udev, ep, 1, true, __func__); if (ret <= 0) - return -EINVAL; + return ret; if (usb_ss_max_streams(&ep->ss_ep_comp) == 0) { xhci_warn(xhci, "WARN: SuperSpeed Endpoint Companion" " descriptor for ep 0x%x does not support streams\n", -- 2.25.1

2 years, 2 months

5
8
0 0

FAILED: patch "[PATCH] dm: revert partial fix for redundant bio-based IO accounting" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f524d9c95fab54783d0038f7a3e8c014d5b56857 Mon Sep 17 00:00:00 2001 From: Mike Snitzer <snitzer(a)redhat.com> Date: Fri, 28 Jan 2022 10:58:40 -0500 Subject: [PATCH] dm: revert partial fix for redundant bio-based IO accounting Reverts a1e1cb72d9649 ("dm: fix redundant IO accounting for bios that need splitting") because it was too narrow in scope (only addressed redundant 'sectors[]' accounting and not ios, nsecs[], etc). Cc: stable(a)vger.kernel.org Signed-off-by: Mike Snitzer <snitzer(a)redhat.com> Link: https://lore.kernel.org/r/20220128155841.39644-3-snitzer@redhat.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> diff --git a/drivers/md/dm.c b/drivers/md/dm.c index c0ae8087c602..9849114b3c08 100644 --- a/drivers/md/dm.c +++ b/drivers/md/dm.c @@ -1442,9 +1442,6 @@ static void init_clone_info(struct clone_info *ci, struct mapped_device *md, ci->sector = bio->bi_iter.bi_sector; } -#define __dm_part_stat_sub(part, field, subnd) \ - (part_stat_get(part, field) -= (subnd)) - /* * Entry point to split a bio into clones and submit them to the targets. */ @@ -1480,18 +1477,6 @@ static void __split_and_process_bio(struct mapped_device *md, GFP_NOIO, &md->queue->bio_split); ci.io->orig_bio = b; - /* - * Adjust IO stats for each split, otherwise upon queue - * reentry there will be redundant IO accounting. - * NOTE: this is a stop-gap fix, a proper fix involves - * significant refactoring of DM core's bio splitting - * (by eliminating DM's splitting and just using bio_split) - */ - part_stat_lock(); - __dm_part_stat_sub(dm_disk(md)->part0, - sectors[op_stat_group(bio_op(bio))], ci.sector_count); - part_stat_unlock(); - bio_chain(b, bio); trace_block_split(b, bio->bi_iter.bi_sector); submit_bio_noacct(bio);

2 years, 2 months

2
1
0 0

[PATCH] drm/rockchip: vop: Correct RK3399 VOP register fields

by Brian Norris

Commit 7707f7227f09 ("drm/rockchip: Add support for afbc") switched up the rk3399_vop_big[] register windows, but it did so incorrectly. The biggest problem is in rk3288_win23_data[] vs. rk3368_win23_data[] .format field: RK3288's format: VOP_REG(RK3288_WIN2_CTRL0, 0x7, 1) RK3368's format: VOP_REG(RK3368_WIN2_CTRL0, 0x3, 5) Bits 5:6 (i.e., shift 5, mask 0x3) are correct for RK3399, according to the TRM. There are a few other small differences between the 3288 and 3368 definitions that were swapped in commit 7707f7227f09. I reviewed them to the best of my ability according to the RK3399 TRM and fixed them up. This fixes IOMMU issues (and display errors) when testing with BG24 color formats. Fixes: 7707f7227f09 ("drm/rockchip: Add support for afbc") Cc: Andrzej Pietrasiewicz <andrzej.p(a)collabora.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Brian Norris <briannorris(a)chromium.org> --- I'd appreciate notes or testing from Andrzej, since I'm not sure how he tested his original AFBC work. drivers/gpu/drm/rockchip/rockchip_vop_reg.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/rockchip/rockchip_vop_reg.c b/drivers/gpu/drm/rockchip/rockchip_vop_reg.c index 1f7353f0684a..798b542e5916 100644 --- a/drivers/gpu/drm/rockchip/rockchip_vop_reg.c +++ b/drivers/gpu/drm/rockchip/rockchip_vop_reg.c @@ -902,6 +902,7 @@ static const struct vop_win_phy rk3399_win01_data = { .enable = VOP_REG(RK3288_WIN0_CTRL0, 0x1, 0), .format = VOP_REG(RK3288_WIN0_CTRL0, 0x7, 1), .rb_swap = VOP_REG(RK3288_WIN0_CTRL0, 0x1, 12), + .x_mir_en = VOP_REG(RK3288_WIN0_CTRL0, 0x1, 21), .y_mir_en = VOP_REG(RK3288_WIN0_CTRL0, 0x1, 22), .act_info = VOP_REG(RK3288_WIN0_ACT_INFO, 0x1fff1fff, 0), .dsp_info = VOP_REG(RK3288_WIN0_DSP_INFO, 0x0fff0fff, 0), @@ -912,6 +913,7 @@ static const struct vop_win_phy rk3399_win01_data = { .uv_vir = VOP_REG(RK3288_WIN0_VIR, 0x3fff, 16), .src_alpha_ctl = VOP_REG(RK3288_WIN0_SRC_ALPHA_CTRL, 0xff, 0), .dst_alpha_ctl = VOP_REG(RK3288_WIN0_DST_ALPHA_CTRL, 0xff, 0), + .channel = VOP_REG(RK3288_WIN0_CTRL2, 0xff, 0), }; /* @@ -922,11 +924,11 @@ static const struct vop_win_phy rk3399_win01_data = { static const struct vop_win_data rk3399_vop_win_data[] = { { .base = 0x00, .phy = &rk3399_win01_data, .type = DRM_PLANE_TYPE_PRIMARY }, - { .base = 0x40, .phy = &rk3288_win01_data, + { .base = 0x40, .phy = &rk3368_win01_data, .type = DRM_PLANE_TYPE_OVERLAY }, - { .base = 0x00, .phy = &rk3288_win23_data, + { .base = 0x00, .phy = &rk3368_win23_data, .type = DRM_PLANE_TYPE_OVERLAY }, - { .base = 0x50, .phy = &rk3288_win23_data, + { .base = 0x50, .phy = &rk3368_win23_data, .type = DRM_PLANE_TYPE_CURSOR }, }; -- 2.34.1.703.g22d0c6ccf7-goog

2 years, 2 months

3
2
0 0

[PATCH 1/3] KEYS: asym_tpm: fix buffer overreads in extract_key_parameters()

by Eric Biggers

From: Eric Biggers <ebiggers(a)google.com> extract_key_parameters() can read past the end of the input buffer due to buggy and missing bounds checks. Fix it as follows: - Before reading each key length field, verify that there are at least 4 bytes remaining. - Avoid integer overflows when validating size fields; 'sz + 12' and '4 + sz' overflowed if 'sz' is near U32_MAX. - Before saving the pointer to the public key, check that it doesn't run past the end of the buffer. Fixes: f8c54e1ac4b8 ("KEYS: asym_tpm: extract key size & public key [ver #2]") Cc: <stable(a)vger.kernel.org> # v4.20+ Signed-off-by: Eric Biggers <ebiggers(a)google.com> --- crypto/asymmetric_keys/asym_tpm.c | 30 ++++++++++++++++++------------ 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/crypto/asymmetric_keys/asym_tpm.c b/crypto/asymmetric_keys/asym_tpm.c index 0959613560b9..60d20d44c885 100644 --- a/crypto/asymmetric_keys/asym_tpm.c +++ b/crypto/asymmetric_keys/asym_tpm.c @@ -814,7 +814,6 @@ static int extract_key_parameters(struct tpm_key *tk) { const void *cur = tk->blob; uint32_t len = tk->blob_len; - const void *pub_key; uint32_t sz; uint32_t key_len; @@ -845,14 +844,14 @@ static int extract_key_parameters(struct tpm_key *tk) return -EBADMSG; sz = get_unaligned_be32(cur + 8); - if (len < sz + 12) - return -EBADMSG; /* Move to TPM_RSA_KEY_PARMS */ - len -= 12; cur += 12; + len -= 12; /* Grab the RSA key length */ + if (len < 4) + return -EBADMSG; key_len = get_unaligned_be32(cur); switch (key_len) { @@ -866,29 +865,36 @@ static int extract_key_parameters(struct tpm_key *tk) } /* Move just past TPM_KEY_PARMS */ + if (len < sz) + return -EBADMSG; cur += sz; len -= sz; if (len < 4) return -EBADMSG; - sz = get_unaligned_be32(cur); - if (len < 4 + sz) - return -EBADMSG; + cur += 4; + len -= 4; /* Move to TPM_STORE_PUBKEY */ - cur += 4 + sz; - len -= 4 + sz; + if (len < sz) + return -EBADMSG; + cur += sz; + len -= sz; /* Grab the size of the public key, it should jive with the key size */ + if (len < 4) + return -EBADMSG; sz = get_unaligned_be32(cur); + cur += 4; + len -= 4; if (sz > 256) return -EINVAL; - - pub_key = cur + 4; + if (len < sz) + return -EBADMSG; tk->key_len = key_len; - tk->pub_key = pub_key; + tk->pub_key = cur; tk->pub_key_len = sz; return 0; -- 2.34.1

2 years, 2 months

2
6
0 0

[PATCH] remoteproc: Fix count check in rproc_coredump_write()

by Alistair Delva

Check count for 0, to avoid a potential underflow. Make the check the same as the one in rproc_recovery_write(). Fixes: 3afdc59e4390 ("remoteproc: Add coredump debugfs entry") Signed-off-by: Alistair Delva <adelva(a)google.com> Cc: Rishabh Bhatnagar <rishabhb(a)codeaurora.org> Cc: stable(a)vger.kernel.org Cc: Ohad Ben-Cohen <ohad(a)wizery.com> Cc: Bjorn Andersson <bjorn.andersson(a)linaro.org> Cc: Mathieu Poirier <mathieu.poirier(a)linaro.org> Cc: Sibi Sankar <sibis(a)codeaurora.org> Cc: linux-remoteproc(a)vger.kernel.org Cc: kernel-team(a)android.com --- drivers/remoteproc/remoteproc_debugfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/remoteproc/remoteproc_debugfs.c b/drivers/remoteproc/remoteproc_debugfs.c index b5a1e3b697d9..581930483ef8 100644 --- a/drivers/remoteproc/remoteproc_debugfs.c +++ b/drivers/remoteproc/remoteproc_debugfs.c @@ -76,7 +76,7 @@ static ssize_t rproc_coredump_write(struct file *filp, int ret, err = 0; char buf[20]; - if (count > sizeof(buf)) + if (count < 1 || count > sizeof(buf)) return -EINVAL; ret = copy_from_user(buf, user_buf, count); -- 2.30.2

2 years, 2 months

2
2
0 0

[PATCH v2] drm/dp: Fix off-by-one in register cache size

by Kees Cook

The pcon_dsc_dpcd array holds 13 registers (0x92 through 0x9E). Fix the math to calculate the max size. Found from a -Warray-bounds build: drivers/gpu/drm/drm_dp_helper.c: In function 'drm_dp_pcon_dsc_bpp_incr': drivers/gpu/drm/drm_dp_helper.c:3130:28: error: array subscript 12 is outside array bounds of 'const u8[12]' {aka 'const unsigned char[12]'} [-Werror=array-bounds] 3130 | buf = pcon_dsc_dpcd[DP_PCON_DSC_BPP_INCR - DP_PCON_DSC_ENCODER]; | ~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/drm_dp_helper.c:3126:39: note: while referencing 'pcon_dsc_dpcd' 3126 | int drm_dp_pcon_dsc_bpp_incr(const u8 pcon_dsc_dpcd[DP_PCON_DSC_ENCODER_CAP_SIZE]) | ~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Cc: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> Cc: Maxime Ripard <mripard(a)kernel.org> Cc: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: David Airlie <airlied(a)linux.ie> Cc: Daniel Vetter <daniel(a)ffwll.ch> Cc: dri-devel(a)lists.freedesktop.org Fixes: e2e16da398d9 ("drm/dp_helper: Add support for Configuring DSC for HDMI2.1 Pcon") Cc: stable(a)vger.kernel.org Reviewed-by: Gustavo A. R. Silva <gustavoars(a)kernel.org> Link: https://lore.kernel.org/lkml/20211214001849.GA62559@embeddedor/ Signed-off-by: Kees Cook <keescook(a)chromium.org> --- v1: https://lore.kernel.org/lkml/20211203084333.3105038-1-keescook@chromium.org/ v2: - add reviewed-by - add cc:stable --- include/drm/drm_dp_helper.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/drm/drm_dp_helper.h b/include/drm/drm_dp_helper.h index 30359e434c3f..472dac376284 100644 --- a/include/drm/drm_dp_helper.h +++ b/include/drm/drm_dp_helper.h @@ -456,7 +456,7 @@ struct drm_panel; #define DP_FEC_CAPABILITY_1 0x091 /* 2.0 */ /* DP-HDMI2.1 PCON DSC ENCODER SUPPORT */ -#define DP_PCON_DSC_ENCODER_CAP_SIZE 0xC /* 0x9E - 0x92 */ +#define DP_PCON_DSC_ENCODER_CAP_SIZE 0xD /* 0x92 through 0x9E */ #define DP_PCON_DSC_ENCODER 0x092 # define DP_PCON_DSC_ENCODER_SUPPORTED (1 << 0) # define DP_PCON_DSC_PPS_ENC_OVERRIDE (1 << 1) -- 2.30.2

2 years, 2 months

1
1
0 0

[PATCH] coredump: Also dump first pages of non-executable ELF libraries

by Jann Horn

When I rewrote the VMA dumping logic for coredumps, I changed it to recognize ELF library mappings based on the file being executable instead of the mapping having an ELF header. But turns out, distros ship many ELF libraries as non-executable, so the heuristic goes wrong... Restore the old behavior where FILTER(ELF_HEADERS) dumps the first page of any offset-0 readable mapping that starts with the ELF magic. This fix is technically layer-breaking a bit, because it checks for something ELF-specific in fs/coredump.c; but since we probably want to share this between standard ELF and FDPIC ELF anyway, I guess it's fine? And this also keeps the change small for backporting. Cc: stable(a)vger.kernel.org Fixes: 429a22e776a2 ("coredump: rework elf/elf_fdpic vma_dump_size() into common helper") Reported-by: Bill Messmer <wmessmer(a)microsoft.com> Signed-off-by: Jann Horn <jannh(a)google.com> --- @Bill: If you happen to have a kernel tree lying around, you could give this a try and report back whether this solves your issues? But if not, it's also fine, I've tested myself that with this patch applied, the first 0x1000 bytes of non-executable libraries are dumped into the coredump according to "readelf". fs/coredump.c | 39 ++++++++++++++++++++++++++++++++++----- 1 file changed, 34 insertions(+), 5 deletions(-) diff --git a/fs/coredump.c b/fs/coredump.c index 1c060c0a2d72..b73817712dd2 100644 --- a/fs/coredump.c +++ b/fs/coredump.c @@ -42,6 +42,7 @@ #include <linux/path.h> #include <linux/timekeeping.h> #include <linux/sysctl.h> +#include <linux/elf.h> #include <linux/uaccess.h> #include <asm/mmu_context.h> @@ -980,6 +981,8 @@ static bool always_dump_vma(struct vm_area_struct *vma) return false; } +#define DUMP_SIZE_MAYBE_ELFHDR_PLACEHOLDER 1 + /* * Decide how much of @vma's contents should be included in a core dump. */ @@ -1039,9 +1042,20 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma, * dump the first page to aid in determining what was mapped here. */ if (FILTER(ELF_HEADERS) && - vma->vm_pgoff == 0 && (vma->vm_flags & VM_READ) && - (READ_ONCE(file_inode(vma->vm_file)->i_mode) & 0111) != 0) - return PAGE_SIZE; + vma->vm_pgoff == 0 && (vma->vm_flags & VM_READ)) { + if ((READ_ONCE(file_inode(vma->vm_file)->i_mode) & 0111) != 0) + return PAGE_SIZE; + + /* + * ELF libraries aren't always executable. + * We'll want to check whether the mapping starts with the ELF + * magic, but not now - we're holding the mmap lock, + * so copy_from_user() doesn't work here. + * Use a placeholder instead, and fix it up later in + * dump_vma_snapshot(). + */ + return DUMP_SIZE_MAYBE_ELFHDR_PLACEHOLDER; + } #undef FILTER @@ -1116,8 +1130,6 @@ int dump_vma_snapshot(struct coredump_params *cprm, int *vma_count, m->end = vma->vm_end; m->flags = vma->vm_flags; m->dump_size = vma_dump_size(vma, cprm->mm_flags); - - vma_data_size += m->dump_size; } mmap_write_unlock(mm); @@ -1127,6 +1139,23 @@ int dump_vma_snapshot(struct coredump_params *cprm, int *vma_count, return -EFAULT; } + for (i = 0; i < *vma_count; i++) { + struct core_vma_metadata *m = (*vma_meta) + i; + + if (m->dump_size == DUMP_SIZE_MAYBE_ELFHDR_PLACEHOLDER) { + char elfmag[SELFMAG]; + + if (copy_from_user(elfmag, (void __user *)m->start, SELFMAG) || + memcmp(elfmag, ELFMAG, SELFMAG) != 0) { + m->dump_size = 0; + } else { + m->dump_size = PAGE_SIZE; + } + } + + vma_data_size += m->dump_size; + } + *vma_data_size_ptr = vma_data_size; return 0; } base-commit: 0280e3c58f92b2fe0e8fbbdf8d386449168de4a8 -- 2.35.0.rc0.227.g00780c9af4-goog

2 years, 2 months

4
5
0 0

[PATCH] Revert "fs/9p: search open fids first"

by Dominique Martinet

This reverts commit 478ba09edc1f2f2ee27180a06150cb2d1a686f9c. That commit was meant as a fix for setattrs with by fd (e.g. ftruncate) to use an open fid instead of the first fid it found on lookup. The proper fix for that is to use the fid associated with the open file struct, available in iattr->ia_file for such operations, and was actually done just before in 66246641609b ("9p: retrieve fid from file when file instance exist.") As such, this commit is no longer required. Furthermore, changing lookup to return open fids first had unwanted side effects, as it turns out the protocol forbids the use of open fids for further walks (e.g. clone_fid) and we broke mounts for some servers enforcing this rule. Note this only reverts to the old working behaviour, but it's still possible for lookup to return open fids if dentry->d_fsdata is not set, so more work is needed to make sure we respect this rule in the future, for example by adding a flag to the lookup functions to only match certain fid open modes depending on caller requirements. Fixes: 478ba09edc1f ("fs/9p: search open fids first") Cc: stable(a)vger.kernel.org # v5.11+ Reported-by: ron minnich <rminnich(a)gmail.com> Reported-by: ng(a)0x80.stream Signed-off-by: Dominique Martinet <asmadeus(a)codewreck.org> --- I'm sorry I didn't find time to check this properly fixes the clone open fid issues, but Ron reported it did so I'll assume it did for now. I'll try to find time to either implement the check in ganesha or use another server -- if you have a suggestion that'd run either a ramfs or export a local filesystem from linux I'm all ears, I couldn't get go9p to work in the very little time I tried. I did however check that Greg's original open/chmod 0/ftruncate pattern works (while truncate was refused). Also, before revert the truncate by path wasn't refused, and now is again, so that's definitely good. I've also tested open-unlink-ftruncate and it works properly with ganesha, but not with qemu -- it looks like qemu tries to access the file by path in setattr even if the fid has an associated fd, so that'd be a qemu bug, but it's unrelated to this patch anyway. Unless there are issues with this patch I'll send it to Linus around Friday fs/9p/fid.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/fs/9p/fid.c b/fs/9p/fid.c index 6aab046c98e2..79df61fe0e59 100644 --- a/fs/9p/fid.c +++ b/fs/9p/fid.c @@ -96,12 +96,8 @@ static struct p9_fid *v9fs_fid_find(struct dentry *dentry, kuid_t uid, int any) dentry, dentry, from_kuid(&init_user_ns, uid), any); ret = NULL; - - if (d_inode(dentry)) - ret = v9fs_fid_find_inode(d_inode(dentry), uid); - /* we'll recheck under lock if there's anything to look in */ - if (!ret && dentry->d_fsdata) { + if (dentry->d_fsdata) { struct hlist_head *h = (struct hlist_head *)&dentry->d_fsdata; spin_lock(&dentry->d_lock); @@ -113,6 +109,9 @@ static struct p9_fid *v9fs_fid_find(struct dentry *dentry, kuid_t uid, int any) } } spin_unlock(&dentry->d_lock); + } else { + if (dentry->d_inode) + ret = v9fs_fid_find_inode(dentry->d_inode, uid); } return ret; -- 2.34.1

2 years, 2 months

3
3
0 0

[PATCH 4.14 0/2] 4.14.264-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.14.264 release. There are 2 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat, 29 Jan 2022 18:02:51 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.264-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.14.264-rc1 Ziyang Xuan <william.xuanziyang(a)huawei.com> can: bcm: fix UAF of bcm op Tvrtko Ursulin <tvrtko.ursulin(a)intel.com> drm/i915: Flush TLBs before releasing backing store ------------- Diffstat: Makefile | 4 +- drivers/gpu/drm/i915/i915_drv.h | 2 + drivers/gpu/drm/i915/i915_gem.c | 84 +++++++++++++++++++++++++++++++++- drivers/gpu/drm/i915/i915_gem_object.h | 1 + drivers/gpu/drm/i915/i915_reg.h | 6 +++ drivers/gpu/drm/i915/i915_vma.c | 4 ++ net/can/bcm.c | 20 ++++---- 7 files changed, 108 insertions(+), 13 deletions(-)

2 years, 2 months

5
7
0 0

[PATCH 5.10 000/100] 5.10.96-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.10.96 release. There are 100 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 02 Feb 2022 10:51:59 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.96-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.10.96-rc1 OGAWA Hirofumi <hirofumi(a)mail.parknet.co.jp> block: Fix wrong offset in bio_truncate() Amir Goldstein <amir73il(a)gmail.com> fsnotify: invalidate dcache before IN_DELETE event Dmitry V. Levin <ldv(a)altlinux.org> usr/include/Makefile: add linux/nfc.h to the compile-test coverage Marc Kleine-Budde <mkl(a)pengutronix.de> dt-bindings: can: tcan4x5x: fix mram-cfg RX FIFO config Tim Yi <tim.yi(a)pica8.com> net: bridge: vlan: fix memory leak in __allowed_ingress Eric Dumazet <edumazet(a)google.com> ipv4: remove sparse error in ip_neigh_gw4() Eric Dumazet <edumazet(a)google.com> ipv4: tcp: send zero IPID in SYNACK messages Eric Dumazet <edumazet(a)google.com> ipv4: raw: lock the socket in raw_bind() Nikolay Aleksandrov <nikolay(a)nvidia.com> net: bridge: vlan: fix single net device option dumping Guillaume Nault <gnault(a)redhat.com> Revert "ipv6: Honor all IPv6 PIO Valid Lifetime values" Yufeng Mo <moyufeng(a)huawei.com> net: hns3: handle empty unknown interrupt for VF Toke Høiland-Jørgensen <toke(a)redhat.com> net: cpsw: Properly initialise struct page_pool_params Hangyu Hua <hbh25y(a)gmail.com> yam: fix a memory leak in yam_siocdevprivate() José Expósito <jose.exposito89(a)gmail.com> drm/msm/dpu: invalid parameter check in dpu_setup_dspp_pcc Miaoqian Lin <linmq006(a)gmail.com> drm/msm/hdmi: Fix missing put_device() call in msm_hdmi_get_phy Michael Kelley <mikelley(a)microsoft.com> video: hyperv_fb: Fix validation of screen resolution Sukadev Bhattiprolu <sukadev(a)linux.ibm.com> ibmvnic: don't spin in tasklet Sukadev Bhattiprolu <sukadev(a)linux.ibm.com> ibmvnic: init ->running_cap_crqs early Jakub Kicinski <kuba(a)kernel.org> ipv4: fix ip option filtering for locally generated fragments Yajun Deng <yajun.deng(a)linux.dev> net: ipv4: Fix the warning for dereference Yajun Deng <yajun.deng(a)linux.dev> net: ipv4: Move ip_options_fragment() out of loop Athira Rajeev <atrajeev(a)linux.vnet.ibm.com> powerpc/perf: Fix power_pmu_disable to call clear_pmi_irq_pending only if PMI is pending Guenter Roeck <linux(a)roeck-us.net> hwmon: (lm90) Mark alert as broken for MAX6654 Mihai Carabas <mihai.carabas(a)oracle.com> efi/libstub: arm64: Fix image check alignment at entry David Howells <dhowells(a)redhat.com> rxrpc: Adjust retransmission backoff Subbaraya Sundeep <sbhatta(a)marvell.com> octeontx2-pf: Forward error codes to VF Marek Behún <kabel(a)kernel.org> phylib: fix potential use-after-free Robert Hancock <robert.hancock(a)calian.com> net: phy: broadcom: hook up soft_reset for BCM54616S Vincent Guittot <vincent.guittot(a)linaro.org> sched/pelt: Relax the sync of util_sum with util_avg Peter Zijlstra <peterz(a)infradead.org> perf: Fix perf_event_read_local() time Randy Dunlap <rdunlap(a)infradead.org> kernel: delete repeated words in comments Florian Westphal <fw(a)strlen.de> netfilter: conntrack: don't increment invalid counter on NF_REPEAT Naveen N. Rao <naveen.n.rao(a)linux.vnet.ibm.com> powerpc64/bpf: Limit 'ldbrx' to processors compliant with ISA v2.06 Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: Ensure the server has an up to date ctime before renaming Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: Ensure the server has an up to date ctime before hardlinking Eric Dumazet <edumazet(a)google.com> ipv6: annotate accesses to fn->fn_sernum José Expósito <jose.exposito89(a)gmail.com> drm/msm/dsi: invalid parameter check in msm_dsi_phy_enable Miaoqian Lin <linmq006(a)gmail.com> drm/msm/dsi: Fix missing put_device() call in dsi_get_phy Xianting Tian <xianting.tian(a)linux.alibaba.com> drm/msm: Fix wrong size calculation Jianguo Wu <wujianguo(a)chinatelecom.cn> net-procfs: show net devices bound packet types Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: nfs_atomic_open() can race when looking up a non-regular file Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Handle case where the lookup of a directory fails Guenter Roeck <linux(a)roeck-us.net> hwmon: (lm90) Reduce maximum conversion rate for G781 Eric Dumazet <edumazet(a)google.com> ipv4: avoid using shared IP generator for connected sockets Xin Long <lucien.xin(a)gmail.com> ping: fix the sk_bound_dev_if match in ping_lookup Guenter Roeck <linux(a)roeck-us.net> hwmon: (lm90) Mark alert as broken for MAX6680 Guenter Roeck <linux(a)roeck-us.net> hwmon: (lm90) Mark alert as broken for MAX6646/6647/6649 Congyu Liu <liu3101(a)purdue.edu> net: fix information leakage in /proc/net/ptype sparkhuang <huangshaobo6(a)huawei.com> ARM: 9170/1: fix panic when kasan and kprobe are enabled Ido Schimmel <idosch(a)nvidia.com> ipv6_tunnel: Rate limit warning messages John Meneghini <jmeneghi(a)redhat.com> scsi: bnx2fc: Flush destroy_work queue before calling bnx2fc_interface_put() Matthias Kaehlcke <mka(a)chromium.org> rpmsg: char: Fix race between the release of rpmsg_eptdev and cdev Sujit Kautkar <sujitka(a)chromium.org> rpmsg: char: Fix race between the release of rpmsg_ctrldev and cdev Linyu Yuan <quic_linyyuan(a)quicinc.com> usb: roles: fix include/linux/usb/role.h compile issue Joe Damato <jdamato(a)fastly.com> i40e: fix unsigned stat widths Karen Sornek <karen.sornek(a)intel.com> i40e: Fix for failed to init adminq while VF reset Sylwester Dziedziuch <sylwesterx.dziedziuch(a)intel.com> i40e: Fix queues reservation for XDP Jedrzej Jagielski <jedrzej.jagielski(a)intel.com> i40e: Fix issue when maximum queues is exceeded Jedrzej Jagielski <jedrzej.jagielski(a)intel.com> i40e: Increase delay to 1 s after global EMP reset Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/32: Fix boot failure with GCC latent entropy plugin Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/32s: Fix kasan_init_region() for KASAN Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/32s: Allocate one 256k IBAT instead of two consecutives 128k IBATs Yazen Ghannam <yazen.ghannam(a)amd.com> x86/MCE/AMD: Allow thresholding interface updates after init Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> sched/membarrier: Fix membarrier-rseq fence command missing from query bitmask Joseph Qi <joseph.qi(a)linux.alibaba.com> ocfs2: fix a deadlock when commit trans Joseph Qi <joseph.qi(a)linux.alibaba.com> jbd2: export jbd2_journal_[grab|put]_journal_head Sing-Han Chen <singhanc(a)nvidia.com> ucsi_ccg: Check DEV_INT bit only when starting CCG4 Badhri Jagan Sridharan <badhri(a)google.com> usb: typec: tcpm: Do not disconnect while receiving VBUS off Alan Stern <stern(a)rowland.harvard.edu> USB: core: Fix hang in usb_kill_urb by adding memory barriers Pavankumar Kondeti <quic_pkondeti(a)quicinc.com> usb: gadget: f_sourcesink: Fix isoc transfer for USB_SPEED_SUPER_PLUS Jon Hunter <jonathanh(a)nvidia.com> usb: common: ulpi: Fix crash in ulpi_match() Frank Li <Frank.Li(a)nxp.com> usb: xhci-plat: fix crash when suspend if remote wake enable Alan Stern <stern(a)rowland.harvard.edu> usb-storage: Add unusual-devs entry for VL817 USB-SATA bridge Cameron Williams <cang1(a)live.co.uk> tty: Add support for Brainboxes UC cards. daniel.starke(a)siemens.com <daniel.starke(a)siemens.com> tty: n_gsm: fix SW flow control encoding/handling Valentin Caron <valentin.caron(a)foss.st.com> serial: stm32: fix software flow control transfer Robert Hancock <robert.hancock(a)calian.com> serial: 8250: of: Fix mapped region size when using reg-offset property Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_payload: do not update layer 4 checksum when mangling fragments D Scott Phillips <scott(a)os.amperecomputing.com> arm64: errata: Fix exec handling in erratum 1418040 workaround Like Xu <likexu(a)tencent.com> KVM: x86: Update vCPU's runtime CPUID on write to MSR_IA32_XSS Lucas Stach <l.stach(a)pengutronix.de> drm/etnaviv: relax submit size limits Zhengjun Xing <zhengjun.xing(a)linux.intel.com> perf/x86/intel/uncore: Fix CAS_COUNT_WRITE issue for ICX Sean Christopherson <seanjc(a)google.com> Revert "KVM: SVM: avoid infinite loop on NPF from bad address" Amir Goldstein <amir73il(a)gmail.com> fsnotify: fix fsnotify hooks in pseudo filesystems Jeff Layton <jlayton(a)kernel.org> ceph: set pool_ns in new inode layout for async creates Jeff Layton <jlayton(a)kernel.org> ceph: properly put ceph_string reference after async create attempt Tom Zanussi <zanussi(a)kernel.org> tracing: Don't inc err_log entry count if entry allocation fails Xiaoke Wang <xkernel.wang(a)foxmail.com> tracing/histogram: Fix a potential memory leak for kstrdup() Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> PM: wakeup: simplify the output logic of pm_show_wakelocks() Ard Biesheuvel <ardb(a)kernel.org> efi: runtime: avoid EFIv2 runtime services on Apple x86 machines Jan Kara <jack(a)suse.cz> udf: Fix NULL ptr deref when converting from inline format Jan Kara <jack(a)suse.cz> udf: Restore i_lenAlloc when inode expansion fails Steffen Maier <maier(a)linux.ibm.com> scsi: zfcp: Fix failed recovery on gone remote port with non-NPIV FCP devices Naveen N. Rao <naveen.n.rao(a)linux.vnet.ibm.com> bpf: Guard against accessing NULL pt_regs in bpf_get_task_stack() Vasily Gorbik <gor(a)linux.ibm.com> s390/hypfs: include z/VM guests with access control group set Ilya Leoshkevich <iii(a)linux.ibm.com> s390/module: fix loading modules with a lot of relocations Mohammad Athari Bin Ismail <mohammad.athari.ismail(a)intel.com> net: stmmac: skip only stmmac_ptp_register when resume from suspend Marek Behún <kabel(a)kernel.org> net: sfp: ignore disabled SFP node Stanimir Varbanov <stanimir.varbanov(a)linaro.org> media: venus: core: Drop second v4l2 device unregister Brian Gix <brian.gix(a)intel.com> Bluetooth: refactor malicious adv data check ------------- Diffstat: .../devicetree/bindings/net/can/tcan4x5x.txt | 2 +- Makefile | 4 +- arch/arm/probes/kprobes/Makefile | 3 + arch/arm64/kernel/process.c | 39 ++-- arch/powerpc/include/asm/book3s/32/mmu-hash.h | 2 + arch/powerpc/include/asm/ppc-opcode.h | 1 + arch/powerpc/kernel/Makefile | 1 + arch/powerpc/lib/Makefile | 3 + arch/powerpc/mm/book3s32/mmu.c | 15 +- arch/powerpc/mm/kasan/book3s_32.c | 59 ++--- arch/powerpc/net/bpf_jit_comp64.c | 22 +- arch/powerpc/perf/core-book3s.c | 17 +- arch/s390/hypfs/hypfs_vm.c | 6 +- arch/s390/kernel/module.c | 37 ++- arch/x86/events/intel/uncore_snbep.c | 2 +- arch/x86/kernel/cpu/mce/amd.c | 2 +- arch/x86/kvm/svm/svm.c | 7 - arch/x86/kvm/x86.c | 1 + block/bio.c | 3 +- drivers/firmware/efi/efi.c | 7 + drivers/firmware/efi/libstub/arm64-stub.c | 6 +- drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c | 4 +- drivers/gpu/drm/msm/disp/dpu1/dpu_hw_dspp.c | 11 +- drivers/gpu/drm/msm/dsi/dsi.c | 7 +- drivers/gpu/drm/msm/dsi/phy/dsi_phy.c | 4 +- drivers/gpu/drm/msm/hdmi/hdmi.c | 7 +- drivers/gpu/drm/msm/msm_drv.c | 2 +- drivers/hwmon/lm90.c | 7 +- drivers/media/platform/qcom/venus/core.c | 2 - .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 3 +- drivers/net/ethernet/ibm/ibmvnic.c | 112 +++++---- drivers/net/ethernet/intel/i40e/i40e.h | 9 +- drivers/net/ethernet/intel/i40e/i40e_debugfs.c | 2 +- drivers/net/ethernet/intel/i40e/i40e_main.c | 44 ++-- drivers/net/ethernet/intel/i40e/i40e_register.h | 3 + drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 103 ++++++++- drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h | 1 + .../net/ethernet/marvell/octeontx2/nic/otx2_pf.c | 7 +- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 20 +- drivers/net/ethernet/ti/cpsw_priv.c | 2 +- drivers/net/hamradio/yam.c | 4 +- drivers/net/phy/broadcom.c | 1 + drivers/net/phy/phy_device.c | 6 +- drivers/net/phy/sfp-bus.c | 5 + drivers/rpmsg/rpmsg_char.c | 22 +- drivers/s390/scsi/zfcp_fc.c | 13 +- drivers/scsi/bnx2fc/bnx2fc_fcoe.c | 20 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/serial/8250/8250_of.c | 11 +- drivers/tty/serial/8250/8250_pci.c | 100 +++++++- drivers/tty/serial/stm32-usart.c | 2 +- drivers/usb/common/ulpi.c | 7 +- drivers/usb/core/hcd.c | 14 ++ drivers/usb/core/urb.c | 12 + drivers/usb/gadget/function/f_sourcesink.c | 1 + drivers/usb/host/xhci-plat.c | 3 + drivers/usb/storage/unusual_devs.h | 10 + drivers/usb/typec/tcpm/tcpm.c | 3 +- drivers/usb/typec/ucsi/ucsi_ccg.c | 2 +- drivers/video/fbdev/hyperv_fb.c | 16 +- fs/btrfs/ioctl.c | 6 +- fs/ceph/file.c | 9 + fs/configfs/dir.c | 6 +- fs/devpts/inode.c | 2 +- fs/jbd2/journal.c | 2 + fs/namei.c | 10 +- fs/nfs/dir.c | 22 ++ fs/nfsd/nfsctl.c | 5 +- fs/ocfs2/suballoc.c | 25 +- fs/udf/inode.c | 9 +- include/linux/fsnotify.h | 48 +++- include/linux/netdevice.h | 1 + include/linux/perf_event.h | 15 +- include/linux/usb/role.h | 6 + include/net/addrconf.h | 2 + include/net/ip.h | 21 +- include/net/ip6_fib.h | 2 +- include/net/route.h | 2 +- kernel/bpf/stackmap.c | 5 +- kernel/events/core.c | 252 ++++++++++++--------- kernel/events/uprobes.c | 2 +- kernel/locking/rtmutex.c | 4 +- kernel/locking/rwsem.c | 2 +- kernel/locking/semaphore.c | 2 +- kernel/power/wakelock.c | 11 +- kernel/sched/fair.c | 18 +- kernel/sched/membarrier.c | 11 +- kernel/sched/pelt.h | 4 +- kernel/trace/trace.c | 3 +- kernel/trace/trace_events_hist.c | 1 + net/bluetooth/hci_event.c | 10 +- net/bridge/br_vlan.c | 9 +- net/core/net-procfs.c | 38 +++- net/ipv4/ip_output.c | 41 ++-- net/ipv4/ping.c | 3 +- net/ipv4/raw.c | 5 +- net/ipv6/addrconf.c | 27 ++- net/ipv6/ip6_fib.c | 23 +- net/ipv6/ip6_tunnel.c | 8 +- net/ipv6/route.c | 2 +- net/netfilter/nf_conntrack_core.c | 8 +- net/netfilter/nft_payload.c | 3 + net/packet/af_packet.c | 2 + net/rxrpc/call_event.c | 8 +- net/rxrpc/output.c | 2 +- net/sunrpc/rpc_pipe.c | 4 +- usr/include/Makefile | 1 - virt/kvm/kvm_main.c | 1 - 108 files changed, 1018 insertions(+), 530 deletions(-)

2 years, 2 months

11
113
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror January 2022