December 2022 - Linux-stable-mirror

[PATCH 0/6] hwpoison, shmem, hugetlb: fix data loss issue 5.10.y

by Mike Kravetz

This is a request for adding the following patches to stable 5.10.y. Poisoned shmem and hugetlb pages are removed from the pagecache. Subsequent access to the offset in the file results in a NEW zero filled page. Application code does not get notified of the data loss, and the only 'clue' is a message in the system log. Data loss has been experienced by real users. This was addressed upstream. Most commits were marked for backports, but some were not. This was discussed here [1] and here [2]. Patches apply cleanly to v5.4.224 and pass tests checking for this specific data loss issue. LTP mm tests show no regressions. All patches except 4 "mm: hwpoison: handle non-anonymous THP correctly" required a small bit of change to apply correctly: mostly for context. linux-mm Cc'ed as it would be great to get at least an ACK from others familiar with this issue. [1] https://lore.kernel.org/linux-mm/Y2UTUNBHVY5U9si2@monkey/ [2] https://lore.kernel.org/stable/20221114131403.GA3807058@u2004/ James Houghton (1): hugetlbfs: don't delete error page from pagecache Yang Shi (5): mm: hwpoison: remove the unnecessary THP check mm: filemap: check if THP has hwpoisoned subpage for PMD page fault mm: hwpoison: refactor refcount check handling mm: hwpoison: handle non-anonymous THP correctly mm: shmem: don't truncate page if memory failure happens fs/hugetlbfs/inode.c | 13 ++-- include/linux/page-flags.h | 23 ++++++ mm/huge_memory.c | 2 + mm/hugetlb.c | 4 + mm/memory-failure.c | 153 ++++++++++++++++++++++++------------- mm/memory.c | 9 +++ mm/page_alloc.c | 4 +- mm/shmem.c | 51 +++++++++++-- 8 files changed, 191 insertions(+), 68 deletions(-) -- 2.38.1

1 year, 2 months

2
7
0 0

[PATCH 5.4 00/67] 5.4.227-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.4.227 release. There are 67 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 14 Dec 2022 13:08:57 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.227-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.4.227-rc1 Frank Jungclaus <frank.jungclaus(a)esd.eu> can: esd_usb: Allow REC and TEC to return to zero Dan Carpenter <error27(a)gmail.com> net: mvneta: Fix an out of bounds check Eric Dumazet <edumazet(a)google.com> ipv6: avoid use-after-free in ip6_fragment() Yang Yingliang <yangyingliang(a)huawei.com> net: plip: don't call kfree_skb/dev_kfree_skb() under spin_lock_irq() Juergen Gross <jgross(a)suse.com> xen/netback: fix build warning Zhang Changzhong <zhangchangzhong(a)huawei.com> ethernet: aeroflex: fix potential skb leak in greth_init_rings() Ido Schimmel <idosch(a)nvidia.com> ipv4: Fix incorrect route flushing when table ID 0 is used Ido Schimmel <idosch(a)nvidia.com> ipv4: Fix incorrect route flushing when source address is deleted YueHaibing <yuehaibing(a)huawei.com> tipc: Fix potential OOB in tipc_link_proto_rcv() Liu Jian <liujian56(a)huawei.com> net: hisilicon: Fix potential use-after-free in hix5hd2_rx() Liu Jian <liujian56(a)huawei.com> net: hisilicon: Fix potential use-after-free in hisi_femac_rx() Yongqiang Liu <liuyongqiang13(a)huawei.com> net: thunderx: Fix missing destroy_workqueue of nicvf_rx_mode_wq Jisheng Zhang <jszhang(a)kernel.org> net: stmmac: fix "snps,axi-config" node property parsing Pankaj Raghav <p.raghav(a)samsung.com> nvme initialize core quirks before calling nvme_init_subsystem Kees Cook <keescook(a)chromium.org> NFC: nci: Bounds check struct nfc_target arrays Przemyslaw Patynowski <przemyslawx.patynowski(a)intel.com> i40e: Disallow ip4 and ip6 l4_4_bytes Sylwester Dziedziuch <sylwesterx.dziedziuch(a)intel.com> i40e: Fix for VF MAC address 0 Michal Jaron <michalx.jaron(a)intel.com> i40e: Fix not setting default xps_cpus after reset Dan Carpenter <error27(a)gmail.com> net: mvneta: Prevent out of bounds read in mvneta_config_rss() Lin Liu <lin.liu(a)citrix.com> xen-netfront: Fix NULL sring after live migration Valentina Goncharenko <goncharenko.vp(a)ispras.ru> net: encx24j600: Fix invalid logic in reading of MISTAT register Valentina Goncharenko <goncharenko.vp(a)ispras.ru> net: encx24j600: Add parentheses to fix precedence Wei Yongjun <weiyongjun1(a)huawei.com> mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add() Zhengchao Shao <shaozhengchao(a)huawei.com> selftests: rtnetlink: correct xfrm policy rule in kci_test_ipsec_offload Artem Chernyshev <artem.chernyshev(a)red-soft.ru> net: dsa: ksz: Check return value Chen Zhongjin <chenzhongjin(a)huawei.com> Bluetooth: Fix not cleanup led when bt_init fails Wang ShaoBo <bobo.shaobowang(a)huawei.com> Bluetooth: 6LoWPAN: add missing hci_dev_put() in get_l2cap_conn() Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Get user_ns from in_skb in unix_diag_get_exact(). Akihiko Odaki <akihiko.odaki(a)daynix.com> igb: Allocate MSI-X vector when testing Akihiko Odaki <akihiko.odaki(a)daynix.com> e1000e: Fix TX dispatch condition Xiongfeng Wang <wangxiongfeng2(a)huawei.com> gpio: amd8111: Fix PCI device reference count leak Qiqi Zhang <eddy.zhang(a)rock-chips.com> drm/bridge: ti-sn65dsi86: Fix output polarity setting bug Hauke Mehrtens <hauke(a)hauke-m.de> ca8210: Fix crash by zero initializing data Ziyang Xuan <william.xuanziyang(a)huawei.com> ieee802154: cc2520: Fix error return code in cc2520_hw_init() Baolin Wang <baolin.wang(a)linux.alibaba.com> mm/hugetlb: fix races when looking up a CONT-PTE/PMD size hugetlb page Oliver Hartkopp <socketcan(a)hartkopp.net> can: af_can: fix NULL pointer dereference in can_rcv_filter ZhangPeng <zhangpeng362(a)huawei.com> HID: core: fix shift-out-of-bounds in hid_report_raw_event Anastasia Belova <abelova(a)astralinux.ru> HID: hid-lg4ff: Add check for empty lbuf Ankit Patel <anpatel(a)nvidia.com> HID: usbhid: Add ALWAYS_POLL quirk for some mice Rob Clark <robdclark(a)chromium.org> drm/shmem-helper: Remove errant put in error path Thomas Huth <thuth(a)redhat.com> KVM: s390: vsie: Fix the initialization of the epoch extension (epdx) field John Starks <jostarks(a)microsoft.com> mm/gup: fix gup_pud_range() for dax Tejun Heo <tj(a)kernel.org> memcg: fix possible use-after-free in memcg_write_event_control() Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: v4l2-dv-timings.c: fix too strict blanking sanity checks Rafał Miłecki <rafal(a)milecki.pl> Revert "net: dsa: b53: Fix valid setting for MDB entries" Juergen Gross <jgross(a)suse.com> xen/netback: don't call kfree_skb() with interrupts disabled Juergen Gross <jgross(a)suse.com> xen/netback: do some code cleanup Ross Lagerwall <ross.lagerwall(a)citrix.com> xen/netback: Ensure protocol headers don't fall in the non-linear area Jann Horn <jannh(a)google.com> mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths Jann Horn <jannh(a)google.com> mm/khugepaged: fix GUP-fast interaction by sending IPI Jann Horn <jannh(a)google.com> mm/khugepaged: take the right locks for page table retraction Davide Tronchin <davide.tronchin.94(a)gmail.com> net: usb: qmi_wwan: add u-blox 0x1342 composition Dominique Martinet <asmadeus(a)codewreck.org> 9p/xen: check logical size for buffer size Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> fbcon: Use kzalloc() in fbcon_prepare_logo() Andreas Kemnade <andreas(a)kemnade.info> regulator: twl6030: fix get status of twl6032 regulators Srinivasa Rao Mandadapu <quic_srivasam(a)quicinc.com> ASoC: soc-pcm: Add NULL check in BE reparenting Filipe Manana <fdmanana(a)suse.com> btrfs: send: avoid unaligned encoded writes when attempting to clone range Kees Cook <keescook(a)chromium.org> ALSA: seq: Fix function prototype mismatch in snd_seq_expand_var_event Konrad Dybcio <konrad.dybcio(a)linaro.org> regulator: slg51000: Wait after asserting CS pin GUO Zihua <guozihua(a)huawei.com> 9p/fd: Use P9_HDRSZ for header size Johan Jonker <jbx6244(a)gmail.com> ARM: dts: rockchip: disable arm_global_timer on rk3066 and rk3188 Giulio Benetti <giulio.benetti(a)benettiengineering.com> ARM: 9266/1: mm: fix no-MMU ZERO_PAGE() implementation Tomislav Novak <tnovak(a)fb.com> ARM: 9251/1: perf: Fix stacktraces for tracepoint events in THUMB2 kernels Johan Jonker <jbx6244(a)gmail.com> ARM: dts: rockchip: rk3188: fix lcdc1-rgb24 node name Johan Jonker <jbx6244(a)gmail.com> ARM: dts: rockchip: fix ir-receiver node names Sebastian Reichel <sebastian.reichel(a)collabora.com> arm: dts: rockchip: fix node name for hym8563 rtc FUKAUMI Naoki <naoki(a)radxa.com> arm64: dts: rockchip: keep I2S1 disabled for GPIO function on ROCK Pi 4 series ------------- Diffstat: Makefile | 4 +- arch/arm/boot/dts/rk3036-evb.dts | 2 +- arch/arm/boot/dts/rk3188-radxarock.dts | 2 +- arch/arm/boot/dts/rk3188.dtsi | 3 +- arch/arm/boot/dts/rk3288-evb-act8846.dts | 2 +- arch/arm/boot/dts/rk3288-firefly.dtsi | 2 +- arch/arm/boot/dts/rk3288-miqi.dts | 2 +- arch/arm/boot/dts/rk3288-rock2-square.dts | 2 +- arch/arm/boot/dts/rk3xxx.dtsi | 7 + arch/arm/include/asm/perf_event.h | 2 +- arch/arm/include/asm/pgtable-nommu.h | 6 - arch/arm/include/asm/pgtable.h | 16 +- arch/arm/mm/nommu.c | 19 + arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dts | 1 - arch/s390/kvm/vsie.c | 4 +- drivers/gpio/gpio-amd8111.c | 4 + drivers/gpu/drm/bridge/ti-sn65dsi86.c | 4 +- drivers/gpu/drm/drm_gem_shmem_helper.c | 4 +- drivers/hid/hid-core.c | 3 + drivers/hid/hid-ids.h | 3 + drivers/hid/hid-lg4ff.c | 6 + drivers/hid/hid-quirks.c | 3 + drivers/media/v4l2-core/v4l2-dv-timings.c | 20 +- drivers/net/can/usb/esd_usb2.c | 6 + drivers/net/dsa/b53/b53_common.c | 1 + drivers/net/ethernet/aeroflex/greth.c | 1 + drivers/net/ethernet/cavium/thunder/nicvf_main.c | 4 +- drivers/net/ethernet/hisilicon/hisi_femac.c | 2 +- drivers/net/ethernet/hisilicon/hix5hd2_gmac.c | 2 +- drivers/net/ethernet/intel/e1000e/netdev.c | 4 +- drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 6 +- drivers/net/ethernet/intel/i40e/i40e_main.c | 19 +- drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 2 + drivers/net/ethernet/intel/igb/igb_ethtool.c | 2 + drivers/net/ethernet/marvell/mvneta.c | 2 +- drivers/net/ethernet/microchip/encx24j600-regmap.c | 4 +- .../net/ethernet/stmicro/stmmac/stmmac_platform.c | 8 +- drivers/net/ieee802154/ca8210.c | 2 +- drivers/net/ieee802154/cc2520.c | 2 +- drivers/net/plip/plip.c | 4 +- drivers/net/usb/qmi_wwan.c | 1 + drivers/net/xen-netback/common.h | 14 +- drivers/net/xen-netback/interface.c | 22 +- drivers/net/xen-netback/netback.c | 229 +-- drivers/net/xen-netback/rx.c | 10 +- drivers/net/xen-netfront.c | 6 + drivers/nvme/host/core.c | 8 +- drivers/regulator/slg51000-regulator.c | 2 + drivers/regulator/twl6030-regulator.c | 15 +- drivers/video/fbdev/core/fbcon.c | 2 +- fs/btrfs/send.c | 24 +- include/asm-generic/tlb.h | 4 + include/linux/cgroup.h | 1 + include/linux/hugetlb.h | 6 +- kernel/cgroup/cgroup-internal.h | 1 - mm/gup.c | 15 +- mm/hugetlb.c | 28 +- mm/khugepaged.c | 47 +- mm/memcontrol.c | 15 +- mm/mmu_gather.c | 5 + net/9p/trans_fd.c | 6 +- net/9p/trans_xen.c | 9 + net/bluetooth/6lowpan.c | 1 + net/bluetooth/af_bluetooth.c | 4 +- net/can/af_can.c | 4 +- net/dsa/tag_ksz.c | 3 +- net/ipv4/fib_frontend.c | 3 + net/ipv4/fib_semantics.c | 1 + net/ipv6/ip6_output.c | 5 + net/mac802154/iface.c | 1 + net/nfc/nci/ntf.c | 6 + net/tipc/link.c | 4 +- net/unix/diag.c | 20 +- sound/core/seq/seq_memory.c | 11 +- sound/soc/soc-pcm.c | 2 + tools/testing/selftests/net/fib_tests.sh | 1727 -------------------- tools/testing/selftests/net/rtnetlink.sh | 2 +- 77 files changed, 476 insertions(+), 1980 deletions(-)

1 year, 2 months

9
85
0 0

crypto-rockchip patches queued for 6.1

by Diederik de Haas

Hi, I couldn't find an existing mail with "[PATCH AUTOSEL 6.1 N/M] XYZ" to reply to, so I'm just sending an email like this. Hope that's ok. In https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/ tree/queue-6.1 there are a number of patches which start with: crypto-rockchip- like crypto-rockchip-add-fallback-for-ahash.patch I guess they were (auto) selected as they contain a "Fixes: <commitid>" line. Those 7 patches are actually part of a larger patch set, see here: https://lore.kernel.org/all/20220927075511.3147847-1-clabbe@baylibre.com/ All those patches have been merged into Linus' tree for 6.2 and there's a hotfix planned to be submitted for 6.2 here: https://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip.git/ commit/?h=v6.2-armsoc/dtsfixes&id=53e8e1e6e9c1653095211a8edf17912f2374bb03 Wouldn't it make more sense to queue the whole patch set for 6.1? Or (at least) the whole crypto rockchip part as mentioned here: https://lore.kernel.org/all/Y5mGGrBJaDL6mnQJ@gondor.apana.org.au/ under the "Corentin Labbe (32):" label? Cheers, Diederik

1 year, 2 months

2
6
0 0

[PATCH v2] KVM: x86: Do not return host topology information from KVM_GET_SUPPORTED_CPUID

by Paolo Bonzini

Passing the host topology to the guest is almost certainly wrong and will confuse the scheduler. In addition, several fields of these CPUID leaves vary on each processor; it is simply impossible to return the right values from KVM_GET_SUPPORTED_CPUID in such a way that they can be passed to KVM_SET_CPUID2. The values that will most likely prevent confusion are all zeroes. Userspace will have to override it anyway if it wishes to present a specific topology to the guest. Cc: stable(a)vger.kernel.org Signed-off-by: Paolo Bonzini <pbonzini(a)redhat.com> --- Documentation/virt/kvm/api.rst | 14 ++++++++++++++ arch/x86/kvm/cpuid.c | 32 ++++++++++++++++---------------- 2 files changed, 30 insertions(+), 16 deletions(-) diff --git a/Documentation/virt/kvm/api.rst b/Documentation/virt/kvm/api.rst index eee9f857a986..20f4f6b302ff 100644 --- a/Documentation/virt/kvm/api.rst +++ b/Documentation/virt/kvm/api.rst @@ -8249,6 +8249,20 @@ CPU[EAX=1]:ECX[24] (TSC_DEADLINE) is not reported by ``KVM_GET_SUPPORTED_CPUID`` It can be enabled if ``KVM_CAP_TSC_DEADLINE_TIMER`` is present and the kernel has enabled in-kernel emulation of the local APIC. +CPU topology +~~~~~~~~~~~~ + +Several CPUID values include topology information for the host CPU: +0x0b and 0x1f for Intel systems, 0x8000001e for AMD systems. Different +versions of KVM return different values for this information and userspace +should not rely on it. Currently they return all zeroes. + +If userspace wishes to set up a guest topology, it should be careful that +the values of these three leaves differ for each CPU. In particular, +the APIC ID is found in EDX for all subleaves of 0x0b and 0x1f, and in EAX +for 0x8000001e; the latter also encodes the core id and node id in bits +7:0 of EBX and ECX respectively. + Obsolete ioctls and capabilities ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c index 0810e93cbedc..164bfb7e7a16 100644 --- a/arch/x86/kvm/cpuid.c +++ b/arch/x86/kvm/cpuid.c @@ -759,16 +759,22 @@ struct kvm_cpuid_array { int nent; }; +static struct kvm_cpuid_entry2 *get_next_cpuid(struct kvm_cpuid_array *array) +{ + if (array->nent >= array->maxnent) + return NULL; + + return &array->entries[array->nent++]; +} + static struct kvm_cpuid_entry2 *do_host_cpuid(struct kvm_cpuid_array *array, u32 function, u32 index) { - struct kvm_cpuid_entry2 *entry; + struct kvm_cpuid_entry2 *entry = get_next_cpuid(array); - if (array->nent >= array->maxnent) + if (!entry) return NULL; - entry = &array->entries[array->nent++]; - memset(entry, 0, sizeof(*entry)); entry->function = function; entry->index = index; @@ -945,22 +951,13 @@ static inline int __do_cpuid_func(struct kvm_cpuid_array *array, u32 function) entry->edx = edx.full; break; } - /* - * Per Intel's SDM, the 0x1f is a superset of 0xb, - * thus they can be handled by common code. - */ case 0x1f: case 0xb: /* - * Populate entries until the level type (ECX[15:8]) of the - * previous entry is zero. Note, CPUID EAX.{0x1f,0xb}.0 is - * the starting entry, filled by the primary do_host_cpuid(). + * No topology; a valid topology is indicated by the presence + * of subleaf 1. */ - for (i = 1; entry->ecx & 0xff00; ++i) { - entry = do_host_cpuid(array, function, i); - if (!entry) - goto out; - } + entry->eax = entry->ebx = entry->ecx = 0; break; case 0xd: { u64 permitted_xcr0 = kvm_caps.supported_xcr0 & xstate_get_guest_group_perm(); @@ -1193,6 +1190,9 @@ static inline int __do_cpuid_func(struct kvm_cpuid_array *array, u32 function) entry->ebx = entry->ecx = entry->edx = 0; break; case 0x8000001e: + /* Do not return host topology information. */ + entry->eax = entry->ebx = entry->ecx = 0; + entry->edx = 0; /* reserved */ break; case 0x8000001F: if (!kvm_cpu_cap_has(X86_FEATURE_SEV)) { -- 2.31.1

1 year, 3 months

3
12
0 0

[PATCH] clk: ingenic: jz4760: Update M/N/OD calculation algorithm

by Paul Cercueil

The previous algorithm was pretty broken. - The inner loop had a '(m > m_max)' condition, and the value of 'm' would increase in each iteration; - Each iteration would actually multiply 'm' by two, so it is not needed to re-compute the whole equation at each iteration; - It would loop until (m & 1) == 0, which means it would loop at most once. - The outer loop would divide the 'n' value by two at the end of each iteration. This meant that for a 12 MHz parent clock and a 1.2 GHz requested clock, it would first try n=12, then n=6, then n=3, then n=1, none of which would work; the only valid value is n=2 in this case. Simplify this algorithm with a single for loop, which decrements 'n' after each iteration, addressing all of the above problems. Fixes: bdbfc029374f ("clk: ingenic: Add support for the JZ4760") Cc: <stable(a)vger.kernel.org> Signed-off-by: Paul Cercueil <paul(a)crapouillou.net> --- drivers/clk/ingenic/jz4760-cgu.c | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/drivers/clk/ingenic/jz4760-cgu.c b/drivers/clk/ingenic/jz4760-cgu.c index ecd395ac8a28..e407f00bd594 100644 --- a/drivers/clk/ingenic/jz4760-cgu.c +++ b/drivers/clk/ingenic/jz4760-cgu.c @@ -58,7 +58,7 @@ jz4760_cgu_calc_m_n_od(const struct ingenic_cgu_pll_info *pll_info, unsigned long rate, unsigned long parent_rate, unsigned int *pm, unsigned int *pn, unsigned int *pod) { - unsigned int m, n, od, m_max = (1 << pll_info->m_bits) - 2; + unsigned int m, n, od, m_max = (1 << pll_info->m_bits) - 1; /* The frequency after the N divider must be between 1 and 50 MHz. */ n = parent_rate / (1 * MHZ); @@ -66,19 +66,17 @@ jz4760_cgu_calc_m_n_od(const struct ingenic_cgu_pll_info *pll_info, /* The N divider must be >= 2. */ n = clamp_val(n, 2, 1 << pll_info->n_bits); - for (;; n >>= 1) { - od = (unsigned int)-1; + rate /= MHZ; + parent_rate /= MHZ; - do { - m = (rate / MHZ) * (1 << ++od) * n / (parent_rate / MHZ); - } while ((m > m_max || m & 1) && (od < 4)); - - if (od < 4 && m >= 4 && m <= m_max) - break; + for (m = m_max; m >= m_max && n >= 2; n--) { + m = rate * n / parent_rate; + od = m & 1; + m <<= od; } *pm = m; - *pn = n; + *pn = n + 1; *pod = 1 << od; } -- 2.35.1

1 year, 3 months

2
1
0 0

[PATCH v1] KVM: destruct kvm_io_device while unregistering it from kvm_io_bus

by Wei Wang

Current usage of kvm_io_device requires users to destruct it with an extra call of kvm_iodevice_destructor after the device gets unregistered from the kvm_io_bus. This is not necessary and can cause errors if a user forgot to make the extra call. Simplify the usage by combining kvm_iodevice_destructor into kvm_io_bus_unregister_dev. This reduces LOCs a bit for users and can avoid the leakage of destructing the device explicitly. The fix was originally provided by Sean Christopherson. Link: https://lore.kernel.org/lkml/DS0PR11MB6373F27D0EE6CD28C784478BDCEC9@DS0PR11… Fixes: 5d3c4c79384a ("KVM: Stop looking for coalesced MMIO zones if the bus is destroyed") Cc: stable(a)vger.kernel.org Reported-by: �� <liujingfeng(a)qianxin.com> Signed-off-by: Wei Wang <wei.w.wang(a)intel.com> --- include/kvm/iodev.h | 6 ------ virt/kvm/coalesced_mmio.c | 1 - virt/kvm/eventfd.c | 1 - virt/kvm/kvm_main.c | 24 +++++++++++++++--------- 4 files changed, 15 insertions(+), 17 deletions(-) diff --git a/include/kvm/iodev.h b/include/kvm/iodev.h index d75fc4365746..56619e33251e 100644 --- a/include/kvm/iodev.h +++ b/include/kvm/iodev.h @@ -55,10 +55,4 @@ static inline int kvm_iodevice_write(struct kvm_vcpu *vcpu, : -EOPNOTSUPP; } -static inline void kvm_iodevice_destructor(struct kvm_io_device *dev) -{ - if (dev->ops->destructor) - dev->ops->destructor(dev); -} - #endif /* __KVM_IODEV_H__ */ diff --git a/virt/kvm/coalesced_mmio.c b/virt/kvm/coalesced_mmio.c index 0be80c213f7f..d7135a5e76f8 100644 --- a/virt/kvm/coalesced_mmio.c +++ b/virt/kvm/coalesced_mmio.c @@ -195,7 +195,6 @@ int kvm_vm_ioctl_unregister_coalesced_mmio(struct kvm *kvm, */ if (r) break; - kvm_iodevice_destructor(&dev->dev); } } diff --git a/virt/kvm/eventfd.c b/virt/kvm/eventfd.c index 2a3ed401ce46..1b277afb545b 100644 --- a/virt/kvm/eventfd.c +++ b/virt/kvm/eventfd.c @@ -898,7 +898,6 @@ kvm_deassign_ioeventfd_idx(struct kvm *kvm, enum kvm_bus bus_idx, bus = kvm_get_bus(kvm, bus_idx); if (bus) bus->ioeventfd_count--; - ioeventfd_release(p); ret = 0; break; } diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index 13e88297f999..582757ebdce6 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -5200,6 +5200,12 @@ static struct notifier_block kvm_reboot_notifier = { .priority = 0, }; +static void kvm_iodevice_destructor(struct kvm_io_device *dev) +{ + if (dev->ops->destructor) + dev->ops->destructor(dev); +} + static void kvm_io_bus_destroy(struct kvm_io_bus *bus) { int i; @@ -5423,7 +5429,7 @@ int kvm_io_bus_register_dev(struct kvm *kvm, enum kvm_bus bus_idx, gpa_t addr, int kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx, struct kvm_io_device *dev) { - int i, j; + int i; struct kvm_io_bus *new_bus, *bus; lockdep_assert_held(&kvm->slots_lock); @@ -5453,18 +5459,18 @@ int kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx, rcu_assign_pointer(kvm->buses[bus_idx], new_bus); synchronize_srcu_expedited(&kvm->srcu); - /* Destroy the old bus _after_ installing the (null) bus. */ + /* + * If (null) bus is installed, destroy the old bus, including all the + * attached devices. Otherwise, destroy the caller's device only. + */ if (!new_bus) { pr_err("kvm: failed to shrink bus, removing it completely\n"); - for (j = 0; j < bus->dev_count; j++) { - if (j == i) - continue; - kvm_iodevice_destructor(bus->range[j].dev); - } + kvm_io_bus_destroy(bus); + return -ENOMEM; } - kfree(bus); - return new_bus ? 0 : -ENOMEM; + kvm_iodevice_destructor(dev); + return 0; } struct kvm_io_device *kvm_io_bus_get_dev(struct kvm *kvm, enum kvm_bus bus_idx, -- 2.27.0

1 year, 3 months

4
5
0 0

[PATCH v2] security: Restore passing final prot to ima_file_mmap()

by Roberto Sassu

From: Roberto Sassu <roberto.sassu(a)huawei.com> Commit 98de59bfe4b2f ("take calculation of final prot in security_mmap_file() into a helper") moved the code to update prot with the actual protection flags to be granted to the requestor by the kernel to a helper called mmap_prot(). However, the patch didn't update the argument passed to ima_file_mmap(), making it receive the requested prot instead of the final computed prot. A possible consequence is that files mmapped as executable might not be measured/appraised if PROT_EXEC is not requested but subsequently added in the final prot. Replace prot with mmap_prot(file, prot) as the second argument of ima_file_mmap() to restore the original behavior. Cc: stable(a)vger.kernel.org Fixes: 98de59bfe4b2 ("take calculation of final prot in security_mmap_file() into a helper") Signed-off-by: Roberto Sassu <roberto.sassu(a)huawei.com> --- security/security.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/security.c b/security/security.c index d1571900a8c7..0d2359d588a1 100644 --- a/security/security.c +++ b/security/security.c @@ -1666,7 +1666,7 @@ int security_mmap_file(struct file *file, unsigned long prot, mmap_prot(file, prot), flags); if (ret) return ret; - return ima_file_mmap(file, prot); + return ima_file_mmap(file, mmap_prot(file, prot)); } int security_mmap_addr(unsigned long addr) -- 2.25.1

1 year, 3 months

3
10
0 0

[PATCH AUTOSEL 6.1 01/28] fs/ntfs3: Validate BOOT record_size

by Sasha Levin

From: edward lo <edward.lo(a)ambergroup.io> [ Upstream commit 0b66046266690454dc04e6307bcff4a5605b42a1 ] When the NTFS BOOT record_size field < 0, it represents a shift value. However, there is no sanity check on the shift result and the sbi->record_bits calculation through blksize_bits() assumes the size always > 256, which could lead to NPD while mounting a malformed NTFS image. [ 318.675159] BUG: kernel NULL pointer dereference, address: 0000000000000158 [ 318.675682] #PF: supervisor read access in kernel mode [ 318.675869] #PF: error_code(0x0000) - not-present page [ 318.676246] PGD 0 P4D 0 [ 318.676502] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 318.676934] CPU: 0 PID: 259 Comm: mount Not tainted 5.19.0 #5 [ 318.677289] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 318.678136] RIP: 0010:ni_find_attr+0x2d/0x1c0 [ 318.678656] Code: 89 ca 4d 89 c7 41 56 41 55 41 54 41 89 cc 55 48 89 fd 53 48 89 d3 48 83 ec 20 65 48 8b 04 25 28 00 00 00 48 89 44 24 180 [ 318.679848] RSP: 0018:ffffa6c8c0297bd8 EFLAGS: 00000246 [ 318.680104] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000080 [ 318.680790] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 318.681679] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 318.682577] R10: 0000000000000000 R11: 0000000000000005 R12: 0000000000000080 [ 318.683015] R13: ffff8d5582e68400 R14: 0000000000000100 R15: 0000000000000000 [ 318.683618] FS: 00007fd9e1c81e40(0000) GS:ffff8d55fdc00000(0000) knlGS:0000000000000000 [ 318.684280] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 318.684651] CR2: 0000000000000158 CR3: 0000000002e1a000 CR4: 00000000000006f0 [ 318.685623] Call Trace: [ 318.686607] <TASK> [ 318.686872] ? ntfs_alloc_inode+0x1a/0x60 [ 318.687235] attr_load_runs_vcn+0x2b/0xa0 [ 318.687468] mi_read+0xbb/0x250 [ 318.687576] ntfs_iget5+0x114/0xd90 [ 318.687750] ntfs_fill_super+0x588/0x11b0 [ 318.687953] ? put_ntfs+0x130/0x130 [ 318.688065] ? snprintf+0x49/0x70 [ 318.688164] ? put_ntfs+0x130/0x130 [ 318.688256] get_tree_bdev+0x16a/0x260 [ 318.688407] vfs_get_tree+0x20/0xb0 [ 318.688519] path_mount+0x2dc/0x9b0 [ 318.688877] do_mount+0x74/0x90 [ 318.689142] __x64_sys_mount+0x89/0xd0 [ 318.689636] do_syscall_64+0x3b/0x90 [ 318.689998] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 318.690318] RIP: 0033:0x7fd9e133c48a [ 318.690687] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 [ 318.691357] RSP: 002b:00007ffd374406c8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 [ 318.691632] RAX: ffffffffffffffda RBX: 0000564d0b051080 RCX: 00007fd9e133c48a [ 318.691920] RDX: 0000564d0b051280 RSI: 0000564d0b051300 RDI: 0000564d0b0596a0 [ 318.692123] RBP: 0000000000000000 R08: 0000564d0b0512a0 R09: 0000000000000020 [ 318.692349] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000564d0b0596a0 [ 318.692673] R13: 0000564d0b051280 R14: 0000000000000000 R15: 00000000ffffffff [ 318.693007] </TASK> [ 318.693271] Modules linked in: [ 318.693614] CR2: 0000000000000158 [ 318.694446] ---[ end trace 0000000000000000 ]--- [ 318.694779] RIP: 0010:ni_find_attr+0x2d/0x1c0 [ 318.694952] Code: 89 ca 4d 89 c7 41 56 41 55 41 54 41 89 cc 55 48 89 fd 53 48 89 d3 48 83 ec 20 65 48 8b 04 25 28 00 00 00 48 89 44 24 180 [ 318.696042] RSP: 0018:ffffa6c8c0297bd8 EFLAGS: 00000246 [ 318.696531] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000080 [ 318.698114] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 318.699286] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 318.699795] R10: 0000000000000000 R11: 0000000000000005 R12: 0000000000000080 [ 318.700236] R13: ffff8d5582e68400 R14: 0000000000000100 R15: 0000000000000000 [ 318.700973] FS: 00007fd9e1c81e40(0000) GS:ffff8d55fdc00000(0000) knlGS:0000000000000000 [ 318.701688] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 318.702190] CR2: 0000000000000158 CR3: 0000000002e1a000 CR4: 00000000000006f0 [ 318.726510] mount (259) used greatest stack depth: 13320 bytes left This patch adds a sanity check. Signed-off-by: edward lo <edward.lo(a)ambergroup.io> Signed-off-by: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/ntfs3/super.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c index 47012c9bf505..d998cb083d95 100644 --- a/fs/ntfs3/super.c +++ b/fs/ntfs3/super.c @@ -789,7 +789,7 @@ static int ntfs_init_from_boot(struct super_block *sb, u32 sector_size, : (u32)boot->record_size << sbi->cluster_bits; - if (record_size > MAXIMUM_BYTES_PER_MFT) + if (record_size > MAXIMUM_BYTES_PER_MFT || record_size < SECTOR_SIZE) goto out; sbi->record_bits = blksize_bits(record_size); -- 2.35.1

1 year, 3 months

2
28
0 0

[PATCH 5.15 5.10 5.4 v2] kbuild: fix Build ID if CONFIG_MODVERSIONS

by Tom Saeger

Backport of: commit 0d362be5b142 ("Makefile: link with -z noexecstack --no-warn-rwx-segments") breaks arm64 Build ID when CONFIG_MODVERSIONS=y for all kernels from: commit e4484a495586 ("Merge tag 'kbuild-fixes-v5.0' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild") until: commit df202b452fe6 ("Merge tag 'kbuild-v5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild") Linus's tree doesn't have this issue since 0d362be5b142 was merged after df202b452fe6 which included: commit 7b4537199a4a ("kbuild: link symbol CRCs at final link, removing CONFIG_MODULE_REL_CRCS") This kernel's KBUILD CONFIG_MODVERSIONS tooling compiles and links .S targets with relocatable (-r) and now (-z noexecstack) which results in ld adding a .note.GNU-stack section to .o files. Final linking of vmlinux should add a .NOTES segment containing the Build ID, but does NOT (on some architectures like arm64) if a .note.GNU-stack section is found in .o's supplied during link of vmlinux. DISCARD .note.GNU-stack sections of .S targets. Final link of vmlinux then properly adds .NOTES segment containing Build ID that can be read using tools like 'readelf -n'. Fixes: 0d362be5b142 ("Makefile: link with -z noexecstack --no-warn-rwx-segments") Cc: <stable(a)vger.kernel.org> # 5.15, 5.10, 5.4 Cc: <linux-kbuild(a)vger.kernel.org> Cc: Nick Desaulniers <ndesaulniers(a)google.com> Cc: Masahiro Yamada <masahiroy(a)kernel.org> Cc: Nicholas Piggin <npiggin(a)gmail.com> Cc: Michal Marek <michal.lkml(a)markovi.net> Cc: Nathan Chancellor <nathan(a)kernel.org> Signed-off-by: Tom Saeger <tom.saeger(a)oracle.com> --- v2: - Changed approach to append DISCARD section to generated linker script. - ld no longer emits warning (which was intent of 0d362b35b142) this addresses Nick's v1 feedback. - this is applied to all arches, not just arm64 - added commit refs and notes why this doesn't occur in Linus's tree to address Greg's v1 feedback. - added Fixes: 0d362b35b142 requested by Nick - added note to changelog for 7b4537199a4a requested by Nick - build tested on arm64 and x86 version works(vmlinux contains Build ID) v4.14.302 x86, arm64 v4.14.302.patched x86, arm64 v4.19.269 x86, arm64 v4.19.269.patched x86, arm64 v5.4.227 x86 v5.4.227.patched x86, arm64 v5.10.159 x86 v5.10.159.patched x86, arm64 v5.15.83 x86 v5.15.83.patched x86, arm64 v1: https://lore.kernel.org/all/cover.1670358255.git.tom.saeger@oracle.com/ scripts/Makefile.build | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scripts/Makefile.build b/scripts/Makefile.build index 17aa8ef2d52a..e3939676eeb5 100644 --- a/scripts/Makefile.build +++ b/scripts/Makefile.build @@ -379,6 +379,8 @@ cmd_modversions_S = \ if $(OBJDUMP) -h $@ | grep -q __ksymtab; then \ $(call cmd_gensymtypes_S,$(KBUILD_SYMTYPES),$(@:.o=.symtypes)) \ > $(@D)/.tmp_$(@F:.o=.ver); \ + echo "SECTIONS { /DISCARD/ : { *(.note.GNU-stack) } }" \ + >> $(@D)/.tmp_$(@F:.o=.ver); \ \ $(LD) $(KBUILD_LDFLAGS) -r -o $(@D)/.tmp_$(@F) $@ \ -T $(@D)/.tmp_$(@F:.o=.ver); \ base-commit: fd6d66840b4269da4e90e1ea807ae3197433bc66 -- 2.38.1

1 year, 3 months

4
22
0 0

[PATCH v6 1/6] locking/rwsem: Prevent non-first waiter from spinning in down_write() slowpath

by Waiman Long

A non-first waiter can potentially spin in the for loop of rwsem_down_write_slowpath() without sleeping but fail to acquire the lock even if the rwsem is free if the following sequence happens: Non-first RT waiter First waiter Lock holder ------------------- ------------ ----------- Acquire wait_lock rwsem_try_write_lock(): Set handoff bit if RT or wait too long Set waiter->handoff_set Release wait_lock Acquire wait_lock Inherit waiter->handoff_set Release wait_lock Clear owner Release lock if (waiter.handoff_set) { rwsem_spin_on_owner((); if (OWNER_NULL) goto trylock_again; } trylock_again: Acquire wait_lock rwsem_try_write_lock(): if (first->handoff_set && (waiter != first)) return false; Release wait_lock A non-first waiter cannot really acquire the rwsem even if it mistakenly believes that it can spin on OWNER_NULL value. If that waiter happens to be an RT task running on the same CPU as the first waiter, it can block the first waiter from acquiring the rwsem leading to live lock. Fix this problem by making sure that a non-first waiter cannot spin in the slowpath loop without sleeping. Fixes: d257cc8cb8d5 ("locking/rwsem: Make handoff bit handling more consistent") Reviewed-and-tested-by: Mukesh Ojha <quic_mojha(a)quicinc.com> Signed-off-by: Waiman Long <longman(a)redhat.com> Cc: stable(a)vger.kernel.org --- kernel/locking/rwsem.c | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/kernel/locking/rwsem.c b/kernel/locking/rwsem.c index 44873594de03..be2df9ea7c30 100644 --- a/kernel/locking/rwsem.c +++ b/kernel/locking/rwsem.c @@ -624,18 +624,16 @@ static inline bool rwsem_try_write_lock(struct rw_semaphore *sem, */ if (first->handoff_set && (waiter != first)) return false; - - /* - * First waiter can inherit a previously set handoff - * bit and spin on rwsem if lock acquisition fails. - */ - if (waiter == first) - waiter->handoff_set = true; } new = count; if (count & RWSEM_LOCK_MASK) { + /* + * A waiter (first or not) can set the handoff bit + * if it is an RT task or wait in the wait queue + * for too long. + */ if (has_handoff || (!rt_task(waiter->task) && !time_after(jiffies, waiter->timeout))) return false; @@ -651,11 +649,12 @@ static inline bool rwsem_try_write_lock(struct rw_semaphore *sem, } while (!atomic_long_try_cmpxchg_acquire(&sem->count, &count, new)); /* - * We have either acquired the lock with handoff bit cleared or - * set the handoff bit. + * We have either acquired the lock with handoff bit cleared or set + * the handoff bit. Only the first waiter can have its handoff_set + * set here to enable optimistic spinning in slowpath loop. */ if (new & RWSEM_FLAG_HANDOFF) { - waiter->handoff_set = true; + first->handoff_set = true; lockevent_inc(rwsem_wlock_handoff); return false; } -- 2.31.1

1 year, 3 months

2
2
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror December 2022