This is the start of the stable review cycle for the 5.15.39 release.
There are 135 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Thu, 12 May 2022 13:07:16 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.39-rc…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 5.15.39-rc1
Marek Behún <kabel(a)kernel.org>
PCI: aardvark: Update comment about link going down after link-up
Marek Behún <kabel(a)kernel.org>
PCI: aardvark: Drop __maybe_unused from advk_pcie_disable_phy()
Pali Rohár <pali(a)kernel.org>
PCI: aardvark: Don't mask irq when mapping
Pali Rohár <pali(a)kernel.org>
PCI: aardvark: Remove irq_mask_ack() callback for INTx interrupts
Pali Rohár <pali(a)kernel.org>
PCI: aardvark: Use separate INTA interrupt for emulated root bridge
Pali Rohár <pali(a)kernel.org>
PCI: aardvark: Fix support for PME requester on emulated bridge
Pali Rohár <pali(a)kernel.org>
PCI: aardvark: Add support for PME interrupts
Pali Rohár <pali(a)kernel.org>
PCI: aardvark: Optimize writing PCI_EXP_RTCTL_PMEIE and PCI_EXP_RTSTA_PME on emulated bridge
Pali Rohár <pali(a)kernel.org>
PCI: aardvark: Add support for ERR interrupt on emulated bridge
Pali Rohár <pali(a)kernel.org>
PCI: aardvark: Enable MSI-X support
Pali Rohár <pali(a)kernel.org>
PCI: aardvark: Fix setting MSI address
Pali Rohár <pali(a)kernel.org>
PCI: aardvark: Add support for masking MSI interrupts
Pali Rohár <pali(a)kernel.org>
PCI: aardvark: Refactor unmasking summary MSI interrupt
Marek Behún <kabel(a)kernel.org>
PCI: aardvark: Use dev_fwnode() instead of of_node_to_fwnode(dev->of_node)
Marek Behún <kabel(a)kernel.org>
PCI: aardvark: Make msi_domain_info structure a static driver structure
Marek Behún <kabel(a)kernel.org>
PCI: aardvark: Make MSI irq_chip structures static driver structures
Pali Rohár <pali(a)kernel.org>
PCI: aardvark: Check return value of generic_handle_domain_irq() when processing INTx IRQ
Pali Rohár <pali(a)kernel.org>
PCI: aardvark: Rewrite IRQ code to chained IRQ handler
Pali Rohár <pali(a)kernel.org>
PCI: aardvark: Replace custom PCIE_CORE_INT_* macros with PCI_INTERRUPT_*
Pali Rohár <pali(a)kernel.org>
PCI: aardvark: Disable common PHY when unbinding driver
Pali Rohár <pali(a)kernel.org>
PCI: aardvark: Disable link training when unbinding driver
Pali Rohár <pali(a)kernel.org>
PCI: aardvark: Assert PERST# when unbinding driver
Pali Rohár <pali(a)kernel.org>
PCI: aardvark: Fix memory leak in driver unbind
Pali Rohár <pali(a)kernel.org>
PCI: aardvark: Mask all interrupts when unbinding driver
Pali Rohár <pali(a)kernel.org>
PCI: aardvark: Disable bus mastering when unbinding driver
Pali Rohár <pali(a)kernel.org>
PCI: aardvark: Comment actions in driver remove method
Pali Rohár <pali(a)kernel.org>
PCI: aardvark: Clear all MSIs at setup
Pali Rohár <pali(a)kernel.org>
PCI: aardvark: Add support for DEVCAP2, DEVCTL2, LNKCAP2 and LNKCTL2 registers on emulated bridge
Pali Rohár <pali(a)kernel.org>
PCI: pci-bridge-emul: Add definitions for missing capabilities registers
Pali Rohár <pali(a)kernel.org>
PCI: pci-bridge-emul: Add description for class_revision field
Frederic Weisbecker <frederic(a)kernel.org>
rcu: Apply callbacks processing time limit only on softirq
Frederic Weisbecker <frederic(a)kernel.org>
rcu: Fix callbacks processing time limit retaining cond_resched()
Helge Deller <deller(a)gmx.de>
Revert "parisc: Mark sched_clock unstable only if clocks are not syncronized"
Ricky WU <ricky_wu(a)realtek.com>
mmc: rtsx: add 74 Clocks in power on flow
Sidhartha Kumar <sidhartha.kumar(a)oracle.com>
selftest/vm: verify remap destination address in mremap_test
Sidhartha Kumar <sidhartha.kumar(a)oracle.com>
selftest/vm: verify mmap addr in mremap_test
Wanpeng Li <wanpengli(a)tencent.com>
KVM: LAPIC: Enable timer posted-interrupt only when mwait/hlt is advertised
Paolo Bonzini <pbonzini(a)redhat.com>
KVM: x86/mmu: avoid NULL-pointer dereference on page freeing bugs
Paolo Bonzini <pbonzini(a)redhat.com>
KVM: x86: Do not change ICR on write to APIC_SELF_IPI
Wanpeng Li <wanpengli(a)tencent.com>
x86/kvm: Preserve BSP MSR_KVM_POLL_CONTROL across suspend/resume
Thomas Huth <thuth(a)redhat.com>
KVM: selftests: Silence compiler warning in the kvm_page_table_test
Paolo Bonzini <pbonzini(a)redhat.com>
kvm: selftests: do not use bitfields larger than 32-bits for PTEs
Hector Martin <marcan(a)marcan.st>
iommu/dart: Add missing module owner to ops structure
Vlad Buslov <vladbu(a)nvidia.com>
net/mlx5e: Lag, Don't skip fib events on current dst
Vlad Buslov <vladbu(a)nvidia.com>
net/mlx5e: Lag, Fix fib_info pointer assignment
Vlad Buslov <vladbu(a)nvidia.com>
net/mlx5e: Lag, Fix use-after-free in fib event handler
Aya Levin <ayal(a)nvidia.com>
net/mlx5: Fix slab-out-of-bounds while reading resource dump menu
Javier Martinez Canillas <javierm(a)redhat.com>
fbdev: Make fb_release() return -ENODEV if fbdev was unregistered
Sandipan Das <sandipan.das(a)amd.com>
kvm: x86/cpuid: Only provide CPUID leaf 0xA if host has architectural PMU
Baruch Siach <baruch(a)tkos.co.il>
gpio: mvebu: drop pwm base assignment
Kai-Heng Feng <kai.heng.feng(a)canonical.com>
drm/amdgpu: Ensure HDA function is suspended before ASIC reset
Mario Limonciello <mario.limonciello(a)amd.com>
drm/amdgpu: don't set s3 and s0ix at the same time
Mario Limonciello <mario.limonciello(a)amd.com>
drm/amdgpu: explicitly check for s0ix when evicting resources
Nirmoy Das <nirmoy.das(a)amd.com>
drm/amdgpu: unify BO evicting method in amdgpu_ttm
Filipe Manana <fdmanana(a)suse.com>
btrfs: always log symlinks in full mode
Qu Wenruo <wqu(a)suse.com>
btrfs: force v2 space cache usage for subpage mount
Sergey Shtylyov <s.shtylyov(a)omp.ru>
smsc911x: allow using IRQ0
Vladimir Oltean <vladimir.oltean(a)nxp.com>
selftests: ocelot: tc_flower_chains: specify conform-exceed action for policer
Michael Chan <michael.chan(a)broadcom.com>
bnxt_en: Fix unnecessary dropping of RX packets
Somnath Kotur <somnath.kotur(a)broadcom.com>
bnxt_en: Fix possible bnxt_open() failure caused by wrong RFS flag
Ido Schimmel <idosch(a)nvidia.com>
selftests: mirror_gre_bridge_1q: Avoid changing PVID while interface is operational
David Howells <dhowells(a)redhat.com>
rxrpc: Enable IPv6 checksums on transport socket
Eric Dumazet <edumazet(a)google.com>
mld: respect RCU rules in ip6_mc_source() and ip6_mc_msfilter()
Qiao Ma <mqaio(a)linux.alibaba.com>
hinic: fix bug of wq out of bound access
Filipe Manana <fdmanana(a)suse.com>
btrfs: do not BUG_ON() on failure to update inode when setting xattr
Kuogee Hsieh <quic_khsieh(a)quicinc.com>
drm/msm/dp: remove fail safe mode related code
Marc Kleine-Budde <mkl(a)pengutronix.de>
selftests/net: so_txtime: usage(): fix documentation of default clock
Marc Kleine-Budde <mkl(a)pengutronix.de>
selftests/net: so_txtime: fix parsing of start time stamp on 32 bit systems
Shravya Kumbham <shravya.kumbham(a)xilinx.com>
net: emaclite: Add error handling for of_address_to_resource()
Eric Dumazet <edumazet(a)google.com>
net: igmp: respect RCU rules in ip_mc_source() and ip_mc_msfilter()
Yang Yingliang <yangyingliang(a)huawei.com>
net: cpsw: add missing of_node_put() in cpsw_probe_dt()
Niels Dossche <dossche.niels(a)gmail.com>
net: mdio: Fix ENOMEM return value in BCM6368 mux bus controller
Yang Yingliang <yangyingliang(a)huawei.com>
net: stmmac: dwmac-sun8i: add missing of_node_put() in sun8i_dwmac_register_mdio_mux()
Yang Yingliang <yangyingliang(a)huawei.com>
net: dsa: mt7530: add missing of_node_put() in mt7530_setup()
Yang Yingliang <yangyingliang(a)huawei.com>
net: ethernet: mediatek: add missing of_node_put() in mtk_sgmii_init()
Trond Myklebust <trond.myklebust(a)hammerspace.com>
NFSv4: Don't invalidate inode attributes on delegation return
Mustafa Ismail <mustafa.ismail(a)intel.com>
RDMA/irdma: Fix possible crash due to NULL netdev in notifier
Shiraz Saleem <shiraz.saleem(a)intel.com>
RDMA/irdma: Reduce iWARP QP destroy time
Tatyana Nikolova <tatyana.e.nikolova(a)intel.com>
RDMA/irdma: Flush iWARP QP if modified to ERR from RTR state
Cheng Xu <chengyou(a)linux.alibaba.com>
RDMA/siw: Fix a condition race issue in MPA request processing
Olga Kornievskaia <kolga(a)netapp.com>
SUNRPC release the transport of a relocated task with an assigned transport
Jann Horn <jannh(a)google.com>
selftests/seccomp: Don't call read() on TTY from background pgrp
Moshe Shemesh <moshe(a)nvidia.com>
net/mlx5: Fix deadlock in sync reset flow
Moshe Shemesh <moshe(a)nvidia.com>
net/mlx5: Avoid double clear or set of sync reset requested
Mark Zhang <markzhang(a)nvidia.com>
net/mlx5e: Fix the calling of update_buffer_lossy() API
Paul Blakey <paulb(a)nvidia.com>
net/mlx5e: CT: Fix queued up restore put() executing after relevant ft release
Vlad Buslov <vladbu(a)nvidia.com>
net/mlx5e: Don't match double-vlan packets if cvlan is not set
Moshe Tal <moshet(a)nvidia.com>
net/mlx5e: Fix trust state reset in reload
Yang Yingliang <yangyingliang(a)huawei.com>
iommu/dart: check return value after calling platform_get_resource()
Lu Baolu <baolu.lu(a)linux.intel.com>
iommu/vt-d: Drop stop marker messages
Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com>
ASoC: soc-ops: fix error handling
Codrin Ciubotariu <codrin.ciubotariu(a)microchip.com>
ASoC: dmaengine: Restore NULL prepare_slave_config() callback
Adam Wujek <dev_public(a)wujek.eu>
hwmon: (pmbus) disable PEC if not enabled
Armin Wolf <W_Armin(a)gmx.de>
hwmon: (adt7470) Fix warning on module removal
Puyou Lu <puyou.lu(a)gmail.com>
gpio: pca953x: fix irq_stat not updated when irq is disabled (irq_mask not set)
Nobuhiro Iwamatsu <nobuhiro1.iwamatsu(a)toshiba.co.jp>
gpio: visconti: Fix fwnode of GPIO IRQ
Duoming Zhou <duoming(a)zju.edu.cn>
NFC: netlink: fix sleep in atomic bug when firmware download timeout
Duoming Zhou <duoming(a)zju.edu.cn>
nfc: nfcmrvl: main: reorder destructive operations in nfcmrvl_nci_unregister_dev to avoid bugs
Duoming Zhou <duoming(a)zju.edu.cn>
nfc: replace improper check device_is_registered() in netlink related functions
Andreas Larsson <andreas(a)gaisler.com>
can: grcan: only use the NAPI poll budget for RX
Andreas Larsson <andreas(a)gaisler.com>
can: grcan: grcan_probe(): fix broken system id check for errata workaround needs
Daniel Hellstrom <daniel(a)gaisler.com>
can: grcan: use ofdev->dev when allocating DMA memory
Oliver Hartkopp <socketcan(a)hartkopp.net>
can: isotp: remove re-binding of bound socket
Duoming Zhou <duoming(a)zju.edu.cn>
can: grcan: grcan_close(): fix deadlock
Jan Höppner <hoeppner(a)linux.ibm.com>
s390/dasd: Fix read inconsistency for ESE DASD devices
Jan Höppner <hoeppner(a)linux.ibm.com>
s390/dasd: Fix read for ESE with blksize < 4k
Stefan Haberland <sth(a)linux.ibm.com>
s390/dasd: prevent double format of tracks for ESE devices
Stefan Haberland <sth(a)linux.ibm.com>
s390/dasd: fix data corruption for ESE devices
Mark Brown <broonie(a)kernel.org>
ASoC: meson: Fix event generation for AUI CODEC mux
Mark Brown <broonie(a)kernel.org>
ASoC: meson: Fix event generation for G12A tohdmi mux
Mark Brown <broonie(a)kernel.org>
ASoC: meson: Fix event generation for AUI ACODEC mux
Mark Brown <broonie(a)kernel.org>
ASoC: wm8958: Fix change notifications for DSP controls
Mark Brown <broonie(a)kernel.org>
ASoC: da7219: Fix change notifications for tone generator frequency
Thomas Pfaff <tpfaff(a)pcs.com>
genirq: Synchronize interrupt thread startup
Tan Tee Min <tee.min.tan(a)linux.intel.com>
net: stmmac: disable Split Header (SPH) for Intel platforms
Niels Dossche <dossche.niels(a)gmail.com>
firewire: core: extend card->lock in fw_core_handle_bus_reset
Jakob Koschel <jakobkoschel(a)gmail.com>
firewire: remove check of list iterator against head past the loop body
Chengfeng Ye <cyeaa(a)connect.ust.hk>
firewire: fix potential uaf in outbound_phy_packet_callback()
Kurt Kanzenbach <kurt(a)linutronix.de>
timekeeping: Mark NMI safe time accessors as notrace
Trond Myklebust <trond.myklebust(a)hammerspace.com>
Revert "SUNRPC: attempt AF_LOCAL connect on setup"
Nick Kossifidis <mick(a)ics.forth.gr>
RISC-V: relocate DTB if it's outside memory region
Marek Marczykowski-Górecki <marmarek(a)invisiblethingslab.com>
drm/amdgpu: do not use passthrough mode in Xen dom0
Harry Wentland <harry.wentland(a)amd.com>
drm/amd/display: Avoid reading audio pattern past AUDIO_CHANNELS_COUNT
Nicolin Chen <nicolinc(a)nvidia.com>
iommu/arm-smmu-v3: Fix size calculation in arm_smmu_mm_invalidate_range()
David Stevens <stevensd(a)chromium.org>
iommu/vt-d: Calculate mask for non-aligned flushes
Kyle Huey <me(a)kylehuey.com>
KVM: x86/svm: Account for family 17h event renumberings in amd_pmc_perf_hw_id
Thomas Gleixner <tglx(a)linutronix.de>
x86/fpu: Prevent FPU state corruption
Andrei Lalaev <andrei.lalaev(a)emlid.com>
gpiolib: of: fix bounds check for 'gpio-reserved-ranges'
Brian Norris <briannorris(a)chromium.org>
mmc: core: Set HS clock speed before sending HS CMD13
Samuel Holland <samuel(a)sholland.org>
mmc: sunxi-mmc: Fix DMA descriptors allocated above 32 bits
Shaik Sajida Bhanu <quic_c_sbhanu(a)quicinc.com>
mmc: sdhci-msm: Reset GCC_SDCC_BCR register for SDHC
Takashi Sakamoto <o-takashi(a)sakamocchi.jp>
ALSA: fireworks: fix wrong return count shorter than expected by 4 bytes
Zihao Wang <wzhd(a)ustc.edu>
ALSA: hda/realtek: Add quirk for Yoga Duet 7 13ITL6 speakers
Helge Deller <deller(a)gmx.de>
parisc: Merge model and model name into one line in /proc/cpuinfo
Maciej W. Rozycki <macro(a)orcam.me.uk>
MIPS: Fix CP0 counter erratum detection for R4k CPUs
-------------
Diffstat:
Makefile | 4 +-
arch/mips/include/asm/timex.h | 8 +-
arch/mips/kernel/time.c | 11 +-
arch/parisc/kernel/processor.c | 3 +-
arch/parisc/kernel/setup.c | 2 +
arch/parisc/kernel/time.c | 6 +-
arch/riscv/mm/init.c | 21 +-
arch/x86/kernel/fpu/core.c | 67 ++--
arch/x86/kernel/kvm.c | 13 +
arch/x86/kvm/cpuid.c | 5 +
arch/x86/kvm/lapic.c | 10 +-
arch/x86/kvm/mmu/mmu.c | 2 +
arch/x86/kvm/svm/pmu.c | 28 +-
drivers/firewire/core-card.c | 3 +
drivers/firewire/core-cdev.c | 4 +-
drivers/firewire/core-topology.c | 9 +-
drivers/firewire/core-transaction.c | 30 +-
drivers/firewire/sbp2.c | 13 +-
drivers/gpio/gpio-mvebu.c | 7 -
drivers/gpio/gpio-pca953x.c | 4 +-
drivers/gpio/gpio-visconti.c | 7 +-
drivers/gpio/gpiolib-of.c | 2 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 8 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 30 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 24 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 23 --
drivers/gpu/drm/amd/amdgpu/amdgpu_object.h | 1 -
drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 30 ++
drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h | 1 +
drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c | 4 +-
drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c | 2 +-
drivers/gpu/drm/msm/dp/dp_display.c | 6 -
drivers/gpu/drm/msm/dp/dp_panel.c | 11 -
drivers/gpu/drm/msm/dp/dp_panel.h | 1 -
drivers/hwmon/adt7470.c | 4 +-
drivers/hwmon/pmbus/pmbus_core.c | 3 +
drivers/infiniband/hw/irdma/cm.c | 26 +-
drivers/infiniband/hw/irdma/utils.c | 21 +-
drivers/infiniband/hw/irdma/verbs.c | 4 +-
drivers/infiniband/sw/siw/siw_cm.c | 7 +-
drivers/iommu/apple-dart.c | 10 +-
drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c | 9 +-
drivers/iommu/intel/iommu.c | 27 +-
drivers/iommu/intel/svm.c | 4 +
drivers/mmc/core/mmc.c | 23 +-
drivers/mmc/host/rtsx_pci_sdmmc.c | 29 +-
drivers/mmc/host/sdhci-msm.c | 42 ++
drivers/mmc/host/sunxi-mmc.c | 5 +-
drivers/net/can/grcan.c | 46 +--
drivers/net/dsa/mt7530.c | 1 +
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 13 +-
drivers/net/ethernet/huawei/hinic/hinic_hw_wq.c | 7 +-
drivers/net/ethernet/mediatek/mtk_sgmii.c | 1 +
.../ethernet/mellanox/mlx5/core/diag/rsc_dump.c | 31 +-
.../ethernet/mellanox/mlx5/core/en/port_buffer.c | 4 +-
drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c | 4 +
drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c | 10 +
drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 11 +
drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c | 60 +--
drivers/net/ethernet/mellanox/mlx5/core/lag_mp.c | 38 +-
drivers/net/ethernet/mellanox/mlx5/core/lag_mp.h | 7 +-
drivers/net/ethernet/smsc/smsc911x.c | 2 +-
drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c | 1 +
drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c | 1 +
drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +-
drivers/net/ethernet/ti/cpsw_new.c | 5 +-
drivers/net/ethernet/xilinx/xilinx_emaclite.c | 15 +-
drivers/net/mdio/mdio-mux-bcm6368.c | 2 +-
drivers/nfc/nfcmrvl/main.c | 2 +-
drivers/pci/controller/pci-aardvark.c | 428 ++++++++++++++++-----
drivers/pci/pci-bridge-emul.c | 49 ++-
drivers/s390/block/dasd.c | 18 +-
drivers/s390/block/dasd_eckd.c | 28 +-
drivers/s390/block/dasd_int.h | 14 +
drivers/video/fbdev/core/fbmem.c | 5 +-
fs/btrfs/disk-io.c | 11 +
fs/btrfs/tree-log.c | 14 +-
fs/btrfs/xattr.c | 6 +-
fs/nfs/nfs4proc.c | 12 +-
include/linux/stmmac.h | 1 +
kernel/irq/internals.h | 2 +
kernel/irq/irqdesc.c | 2 +
kernel/irq/manage.c | 39 +-
kernel/rcu/tree.c | 31 +-
kernel/time/timekeeping.c | 4 +-
net/can/isotp.c | 22 +-
net/ipv4/igmp.c | 9 +-
net/ipv6/mcast.c | 8 +-
net/nfc/core.c | 29 +-
net/nfc/netlink.c | 4 +-
net/rxrpc/local_object.c | 3 +
net/sunrpc/clnt.c | 11 +-
net/sunrpc/xprtsock.c | 3 -
sound/firewire/fireworks/fireworks_hwdep.c | 1 +
sound/pci/hda/patch_realtek.c | 1 +
sound/soc/codecs/da7219.c | 14 +-
sound/soc/codecs/wm8958-dsp2.c | 8 +-
sound/soc/meson/aiu-acodec-ctrl.c | 2 +-
sound/soc/meson/aiu-codec-ctrl.c | 2 +-
sound/soc/meson/g12a-tohdmitx.c | 2 +-
sound/soc/soc-generic-dmaengine-pcm.c | 6 +-
sound/soc/soc-ops.c | 2 +-
.../drivers/net/ocelot/tc_flower_chains.sh | 2 +-
.../selftests/kvm/include/x86_64/processor.h | 15 +
tools/testing/selftests/kvm/kvm_page_table_test.c | 2 +-
tools/testing/selftests/kvm/lib/x86_64/processor.c | 192 ++++-----
.../net/forwarding/mirror_gre_bridge_1q.sh | 3 +
tools/testing/selftests/net/so_txtime.c | 4 +-
tools/testing/selftests/seccomp/seccomp_bpf.c | 10 +-
tools/testing/selftests/vm/mremap_test.c | 53 +++
110 files changed, 1293 insertions(+), 656 deletions(-)
The patch below does not apply to the 4.9-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 2e8e79c416aae1de224c0f1860f2e3350fa171f8 Mon Sep 17 00:00:00 2001
From: Marc Kleine-Budde <mkl(a)pengutronix.de>
Date: Thu, 17 Mar 2022 08:57:35 +0100
Subject: [PATCH] can: m_can: m_can_tx_handler(): fix use after free of skb
can_put_echo_skb() will clone skb then free the skb. Move the
can_put_echo_skb() for the m_can version 3.0.x directly before the
start of the xmit in hardware, similar to the 3.1.x branch.
Fixes: 80646733f11c ("can: m_can: update to support CAN FD features")
Link: https://lore.kernel.org/all/20220317081305.739554-1-mkl@pengutronix.de
Cc: stable(a)vger.kernel.org
Reported-by: Hangyu Hua <hbh25y(a)gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de>
diff --git a/drivers/net/can/m_can/m_can.c b/drivers/net/can/m_can/m_can.c
index 1a4b56f6fa8c..b3b5bc1c803b 100644
--- a/drivers/net/can/m_can/m_can.c
+++ b/drivers/net/can/m_can/m_can.c
@@ -1637,8 +1637,6 @@ static netdev_tx_t m_can_tx_handler(struct m_can_classdev *cdev)
if (err)
goto out_fail;
- can_put_echo_skb(skb, dev, 0, 0);
-
if (cdev->can.ctrlmode & CAN_CTRLMODE_FD) {
cccr = m_can_read(cdev, M_CAN_CCCR);
cccr &= ~CCCR_CMR_MASK;
@@ -1655,6 +1653,9 @@ static netdev_tx_t m_can_tx_handler(struct m_can_classdev *cdev)
m_can_write(cdev, M_CAN_CCCR, cccr);
}
m_can_write(cdev, M_CAN_TXBTIE, 0x1);
+
+ can_put_echo_skb(skb, dev, 0, 0);
+
m_can_write(cdev, M_CAN_TXBAR, 0x1);
/* End of xmit function for version 3.0.x */
} else {
The patch below does not apply to the 4.19-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 2e8e79c416aae1de224c0f1860f2e3350fa171f8 Mon Sep 17 00:00:00 2001
From: Marc Kleine-Budde <mkl(a)pengutronix.de>
Date: Thu, 17 Mar 2022 08:57:35 +0100
Subject: [PATCH] can: m_can: m_can_tx_handler(): fix use after free of skb
can_put_echo_skb() will clone skb then free the skb. Move the
can_put_echo_skb() for the m_can version 3.0.x directly before the
start of the xmit in hardware, similar to the 3.1.x branch.
Fixes: 80646733f11c ("can: m_can: update to support CAN FD features")
Link: https://lore.kernel.org/all/20220317081305.739554-1-mkl@pengutronix.de
Cc: stable(a)vger.kernel.org
Reported-by: Hangyu Hua <hbh25y(a)gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de>
diff --git a/drivers/net/can/m_can/m_can.c b/drivers/net/can/m_can/m_can.c
index 1a4b56f6fa8c..b3b5bc1c803b 100644
--- a/drivers/net/can/m_can/m_can.c
+++ b/drivers/net/can/m_can/m_can.c
@@ -1637,8 +1637,6 @@ static netdev_tx_t m_can_tx_handler(struct m_can_classdev *cdev)
if (err)
goto out_fail;
- can_put_echo_skb(skb, dev, 0, 0);
-
if (cdev->can.ctrlmode & CAN_CTRLMODE_FD) {
cccr = m_can_read(cdev, M_CAN_CCCR);
cccr &= ~CCCR_CMR_MASK;
@@ -1655,6 +1653,9 @@ static netdev_tx_t m_can_tx_handler(struct m_can_classdev *cdev)
m_can_write(cdev, M_CAN_CCCR, cccr);
}
m_can_write(cdev, M_CAN_TXBTIE, 0x1);
+
+ can_put_echo_skb(skb, dev, 0, 0);
+
m_can_write(cdev, M_CAN_TXBAR, 0x1);
/* End of xmit function for version 3.0.x */
} else {
The patch below does not apply to the 4.9-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From e53ac7374e64dede04d745ff0e70ff5048378d1f Mon Sep 17 00:00:00 2001
From: Rik van Riel <riel(a)surriel.com>
Date: Tue, 22 Mar 2022 14:44:09 -0700
Subject: [PATCH] mm: invalidate hwpoison page cache page in fault path
Sometimes the page offlining code can leave behind a hwpoisoned clean
page cache page. This can lead to programs being killed over and over
and over again as they fault in the hwpoisoned page, get killed, and
then get re-spawned by whatever wanted to run them.
This is particularly embarrassing when the page was offlined due to
having too many corrected memory errors. Now we are killing tasks due
to them trying to access memory that probably isn't even corrupted.
This problem can be avoided by invalidating the page from the page fault
handler, which already has a branch for dealing with these kinds of
pages. With this patch we simply pretend the page fault was successful
if the page was invalidated, return to userspace, incur another page
fault, read in the file from disk (to a new memory page), and then
everything works again.
Link: https://lkml.kernel.org/r/20220212213740.423efcea@imladris.surriel.com
Signed-off-by: Rik van Riel <riel(a)surriel.com>
Reviewed-by: Miaohe Lin <linmiaohe(a)huawei.com>
Acked-by: Naoya Horiguchi <naoya.horiguchi(a)nec.com>
Reviewed-by: Oscar Salvador <osalvador(a)suse.de>
Cc: John Hubbard <jhubbard(a)nvidia.com>
Cc: Mel Gorman <mgorman(a)suse.de>
Cc: Johannes Weiner <hannes(a)cmpxchg.org>
Cc: Matthew Wilcox <willy(a)infradead.org>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org>
diff --git a/mm/memory.c b/mm/memory.c
index c96281458c83..1a55b4c5b5db 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -3877,11 +3877,16 @@ static vm_fault_t __do_fault(struct vm_fault *vmf)
return ret;
if (unlikely(PageHWPoison(vmf->page))) {
- if (ret & VM_FAULT_LOCKED)
+ vm_fault_t poisonret = VM_FAULT_HWPOISON;
+ if (ret & VM_FAULT_LOCKED) {
+ /* Retry if a clean page was removed from the cache. */
+ if (invalidate_inode_page(vmf->page))
+ poisonret = 0;
unlock_page(vmf->page);
+ }
put_page(vmf->page);
vmf->page = NULL;
- return VM_FAULT_HWPOISON;
+ return poisonret;
}
if (unlikely(!(ret & VM_FAULT_LOCKED)))
From: Casey Schaufler <casey(a)schaufler-ca.com>
[ Upstream commit ecff30575b5ad0eda149aadad247b7f75411fd47 ]
The usual LSM hook "bail on fail" scheme doesn't work for cases where
a security module may return an error code indicating that it does not
recognize an input. In this particular case Smack sees a mount option
that it recognizes, and returns 0. A call to a BPF hook follows, which
returns -ENOPARAM, which confuses the caller because Smack has processed
its data.
The SELinux hook incorrectly returns 1 on success. There was a time
when this was correct, however the current expectation is that it
return 0 on success. This is repaired.
Reported-by: syzbot+d1e3b1d92d25abf97943(a)syzkaller.appspotmail.com
Signed-off-by: Casey Schaufler <casey(a)schaufler-ca.com>
Acked-by: James Morris <jamorris(a)linux.microsoft.com>
Signed-off-by: Paul Moore <paul(a)paul-moore.com>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
---
security/security.c | 17 +++++++++++++++--
security/selinux/hooks.c | 5 ++---
2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/security/security.c b/security/security.c
index 22261d79f333..f101a53a63ed 100644
--- a/security/security.c
+++ b/security/security.c
@@ -884,9 +884,22 @@ int security_fs_context_dup(struct fs_context *fc, struct fs_context *src_fc)
return call_int_hook(fs_context_dup, 0, fc, src_fc);
}
-int security_fs_context_parse_param(struct fs_context *fc, struct fs_parameter *param)
+int security_fs_context_parse_param(struct fs_context *fc,
+ struct fs_parameter *param)
{
- return call_int_hook(fs_context_parse_param, -ENOPARAM, fc, param);
+ struct security_hook_list *hp;
+ int trc;
+ int rc = -ENOPARAM;
+
+ hlist_for_each_entry(hp, &security_hook_heads.fs_context_parse_param,
+ list) {
+ trc = hp->hook.fs_context_parse_param(fc, param);
+ if (trc == 0)
+ rc = 0;
+ else if (trc != -ENOPARAM)
+ return trc;
+ }
+ return rc;
}
int security_sb_alloc(struct super_block *sb)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 5b6895e4fc29..371f67a37f9a 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2860,10 +2860,9 @@ static int selinux_fs_context_parse_param(struct fs_context *fc,
return opt;
rc = selinux_add_opt(opt, param->string, &fc->security);
- if (!rc) {
+ if (!rc)
param->string = NULL;
- rc = 1;
- }
+
return rc;
}
--
2.34.1
The quilt patch titled
Subject: fs: sendfile handles O_NONBLOCK of out_fd
has been removed from the -mm tree. Its filename was
fs-sendfile-handles-o_nonblock-of-out_fd.patch
This patch was dropped because it was merged into the mm-nonmm-stable branch\nof git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
------------------------------------------------------
From: Andrei Vagin <avagin(a)gmail.com>
Subject: fs: sendfile handles O_NONBLOCK of out_fd
sendfile has to return EAGAIN if out_fd is nonblocking and the write into
it would block.
Here is a small reproducer for the problem:
#define _GNU_SOURCE /* See feature_test_macros(7) */
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <errno.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/sendfile.h>
#define FILE_SIZE (1UL << 30)
int main(int argc, char **argv) {
int p[2], fd;
if (pipe2(p, O_NONBLOCK))
return 1;
fd = open(argv[1], O_RDWR | O_TMPFILE, 0666);
if (fd < 0)
return 1;
ftruncate(fd, FILE_SIZE);
if (sendfile(p[1], fd, 0, FILE_SIZE) == -1) {
fprintf(stderr, "FAIL\n");
}
if (sendfile(p[1], fd, 0, FILE_SIZE) != -1 || errno != EAGAIN) {
fprintf(stderr, "FAIL\n");
}
return 0;
}
It worked before b964bf53e540, it is stuck after b964bf53e540, and it
works again with this fix.
This regression occurred because do_splice_direct() calls pipe_write
that handles O_NONBLOCK. Here is a trace log from the reproducer:
1) | __x64_sys_sendfile64() {
1) | do_sendfile() {
1) | __fdget()
1) | rw_verify_area()
1) | __fdget()
1) | rw_verify_area()
1) | do_splice_direct() {
1) | rw_verify_area()
1) | splice_direct_to_actor() {
1) | do_splice_to() {
1) | rw_verify_area()
1) | generic_file_splice_read()
1) + 74.153 us | }
1) | direct_splice_actor() {
1) | iter_file_splice_write() {
1) | __kmalloc()
1) 0.148 us | pipe_lock();
1) 0.153 us | splice_from_pipe_next.part.0();
1) 0.162 us | page_cache_pipe_buf_confirm();
... 16 times
1) 0.159 us | page_cache_pipe_buf_confirm();
1) | vfs_iter_write() {
1) | do_iter_write() {
1) | rw_verify_area()
1) | do_iter_readv_writev() {
1) | pipe_write() {
1) | mutex_lock()
1) 0.153 us | mutex_unlock();
1) 1.368 us | }
1) 1.686 us | }
1) 5.798 us | }
1) 6.084 us | }
1) 0.174 us | kfree();
1) 0.152 us | pipe_unlock();
1) + 14.461 us | }
1) + 14.783 us | }
1) 0.164 us | page_cache_pipe_buf_release();
... 16 times
1) 0.161 us | page_cache_pipe_buf_release();
1) | touch_atime()
1) + 95.854 us | }
1) + 99.784 us | }
1) ! 107.393 us | }
1) ! 107.699 us | }
Link: https://lkml.kernel.org/r/20220415005015.525191-1-avagin@gmail.com
Fixes: b964bf53e540 ("teach sendfile(2) to handle send-to-pipe directly")
Signed-off-by: Andrei Vagin <avagin(a)gmail.com>
Cc: Al Viro <viro(a)zeniv.linux.org.uk>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---
fs/read_write.c | 3 +++
1 file changed, 3 insertions(+)
--- a/fs/read_write.c~fs-sendfile-handles-o_nonblock-of-out_fd
+++ a/fs/read_write.c
@@ -1247,6 +1247,9 @@ static ssize_t do_sendfile(int out_fd, i
count, fl);
file_end_write(out.file);
} else {
+ if (out.file->f_flags & O_NONBLOCK)
+ fl |= SPLICE_F_NONBLOCK;
+
retval = splice_file_to_pipe(in.file, opipe, &pos, count, fl);
}
_
Patches currently in -mm which might be from avagin(a)gmail.com are