January 2023 - Linux-stable-mirror

[PATCH UEK4-U7] scsi: qla2xxx: Fix use after free in eh_abort path

by Rajan Shanmugavelu

From: Quinn Tran <qutran(a)marvell.com> In eh_abort path driver prematurely exits the call to upper layer. Check whether command is aborted / completed by firmware before exiting the call. 9 [ffff8b1ebf803c00] page_fault at ffffffffb0389778 [exception RIP: qla2x00_status_entry+0x48d] RIP: ffffffffc04fa62d RSP: ffff8b1ebf803cb0 RFLAGS: 00010082 RAX: 00000000ffffffff RBX: 00000000000e0000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 00000000000013d8 RDI: fffff3253db78440 RBP: ffff8b1ebf803dd0 R8: ffff8b1ebcd9b0c0 R9: 0000000000000000 R10: ffff8b1e38a30808 R11: 0000000000001000 R12: 00000000000003e9 R13: 0000000000000000 R14: ffff8b1ebcd9d740 R15: 0000000000000028 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 10 [ffff8b1ebf803cb0] enqueue_entity at ffffffffafce708f 11 [ffff8b1ebf803d00] enqueue_task_fair at ffffffffafce7b88 12 [ffff8b1ebf803dd8] qla24xx_process_response_queue at ffffffffc04fc9a6 [qla2xxx] 13 [ffff8b1ebf803e78] qla24xx_msix_rsp_q at ffffffffc04ff01b [qla2xxx] 14 [ffff8b1ebf803eb0] __handle_irq_event_percpu at ffffffffafd50714 Link: https://lore.kernel.org/r/20210908164622.19240-10-njavali@marvell.com Fixes: f45bca8c5052 ("scsi: qla2xxx: Fix double scsi_done for abort path") Cc: stable(a)vger.kernel.org Reviewed-by: Himanshu Madhani <himanshu.madhani(a)oracle.com> Co-developed-by: David Jeffery <djeffery(a)redhat.com> Signed-off-by: David Jeffery <djeffery(a)redhat.com> Co-developed-by: Laurence Oberman <loberman(a)redhat.com> Signed-off-by: Laurence Oberman <loberman(a)redhat.com> Signed-off-by: Quinn Tran <qutran(a)marvell.com> Signed-off-by: Nilesh Javali <njavali(a)marvell.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Orabug: 34970763 (cherry picked from commit 3d33b303d4f3b74a71bede5639ebba3cfd2a2b4d) Signed-off-by: Rajan Shanmugavelu <rajan.shanmugavelu(a)oracle.com> --- drivers/scsi/qla2xxx/qla_os.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c index 71d4e83..1973e53 100644 --- a/drivers/scsi/qla2xxx/qla_os.c +++ b/drivers/scsi/qla2xxx/qla_os.c @@ -1210,6 +1210,7 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd) uint32_t ratov_j; struct qla_qpair *qpair; unsigned long flags; + int fast_fail_status = SUCCESS; if (qla2x00_isp_reg_stat(ha)) { ql_log(ql_log_info, vha, 0x8042, @@ -1217,15 +1218,16 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd) return FAILED; } + /* Save any FAST_IO_FAIL value to return later if abort succeeds */ ret = fc_block_scsi_eh(cmd); if (ret != 0) - return ret; + fast_fail_status = ret; sp = scsi_cmd_priv(cmd); qpair = sp->qpair; if ((sp->fcport && sp->fcport->deleted) || !qpair) - return SUCCESS; + return fast_fail_status != SUCCESS ? fast_fail_status : FAILED; spin_lock_irqsave(qpair->qp_lock_ptr, flags); if (sp->completed) { @@ -1276,7 +1278,7 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd) __func__, ha->r_a_tov/10); ret = FAILED; } else { - ret = SUCCESS; + ret = fast_fail_status; } break; default: -- 1.8.3.1

2 years, 1 month

2
1
0 0

[PATCH net v2 1/1] net: stmmac: add aux timestamps fifo clearance wait

by Noor Azura Ahmad Tarmizi

Add timeout polling wait for auxiliary timestamps snapshot FIFO clear bit (ATSFC) to clear. This is to ensure no residue fifo value is being read erroneously. Fixes: f4da56529da6 ("net: stmmac: Add support for external trigger timestamping") Cc: <stable(a)vger.kernel.org> # 5.10.x Signed-off-by: Noor Azura Ahmad Tarmizi <noor.azura.ahmad.tarmizi(a)intel.com> --- drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c index fc06ddeac0d5..b4388ca8d211 100644 --- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c +++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c @@ -210,7 +210,10 @@ static int stmmac_enable(struct ptp_clock_info *ptp, } writel(acr_value, ptpaddr + PTP_ACR); mutex_unlock(&priv->aux_ts_lock); - ret = 0; + /* wait for auxts fifo clear to finish */ + ret = readl_poll_timeout(ptpaddr + PTP_ACR, acr_value, + !(acr_value & PTP_ACR_ATSFC), + 10, 10000); break; default: -- 2.17.1

2 years, 1 month

2
1
0 0

[PATCH 6.1 000/159] 6.1.5-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.5 release. There are 159 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 12 Jan 2023 17:59:42 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.5-rc1.… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.5-rc1 Baochen Qiang <quic_bqiang(a)quicinc.com> wifi: ath11k: Send PME message during wakeup from D3cold Ard Biesheuvel <ardb(a)kernel.org> efi: random: combine bootloader provided RNG seed with RNG protocol output Jani Nikula <jani.nikula(a)intel.com> drm/i915/dsi: fix MIPI_BKLT_EN_1 native GPIO index Jani Nikula <jani.nikula(a)intel.com> drm/i915/dsi: add support for ICL+ native MIPI GPIO sequence William Liu <will(a)willsroot.io> ksmbd: check nt_len to be at least CIFS_ENCPWD_SIZE in ksmbd_decode_ntlmssp_auth_blob Marios Makassikis <mmakassikis(a)freebox.fr> ksmbd: send proper error response in smb2_tree_connect() Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix infinite loop in ksmbd_conn_handler_loop() Qu Wenruo <wqu(a)suse.com> btrfs: handle case when repair happens with dev-replace Samson Tam <samson.tam(a)amd.com> drm/amd/display: Uninitialized variables causing 4k60 UCLK to stay at DPM1 and not DPM0 Dillon Varone <Dillon.Varone(a)amd.com> drm/amd/display: Add check for DET fetch latency hiding for dcn32 Rafael Mendonca <rafaelmendsr(a)gmail.com> virtio_blk: Fix signedness bug in virtblk_prep_rq() Dmitry Fomichev <dmitry.fomichev(a)wdc.com> virtio-blk: use a helper to handle request queuing errors Zhenyu Wang <zhenyuw(a)linux.intel.com> drm/i915/gvt: fix vgpu debugfs clean in remove Zhenyu Wang <zhenyuw(a)linux.intel.com> drm/i915/gvt: fix gvt debugfs destroy Mukul Joshi <mukul.joshi(a)amd.com> drm/amdkfd: Fix kernel warning during topology setup Ma Jun <majun(a)amd.com> drm/plane-helper: Add the missing declaration of drm_atomic_state Andreas Rammhold <andreas(a)rammhold.de> of/fdt: run soc memory setup when early_init_dt_scan_memory fails Björn Töpel <bjorn(a)rivosinc.com> riscv, kprobes: Stricter c.jr/c.jalr decoding Ben Dooks <ben-linux(a)fluff.org> riscv: uaccess: fix type of 0 variable on error in get_user() Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> thermal: int340x: Add missing attribute for data rate base Cindy Lu <lulu(a)redhat.com> vhost_vdpa: fix the crash in unmap a large memory Jason A. Donenfeld <Jason(a)zx2c4.com> tpm: Allow system suspend to continue when TPM suspend fails Pavel Begunkov <asml.silence(a)gmail.com> io_uring: fix CQ waiting timeout handling Pavel Begunkov <asml.silence(a)gmail.com> io_uring: pin context while queueing deferred tw Jens Axboe <axboe(a)kernel.dk> block: don't allow splitting of a REQ_NOWAIT bio Christian Marangi <ansuelsmth(a)gmail.com> net: dsa: tag_qca: fix wrong MGMT_DATA2 size Christian Marangi <ansuelsmth(a)gmail.com> net: dsa: qca8k: fix wrong length value for mgmt eth packet Christian Marangi <ansuelsmth(a)gmail.com> Revert "net: dsa: qca8k: cache lo and hi for mdio write" Michel Dänzer <mdaenzer(a)redhat.com> Revert "drm/amd/display: Enable Freesync Video Mode by default" Chuang Wang <nashuiliang(a)gmail.com> bpf: Fix panic due to wrong pageattr of im->image Paul Menzel <pmenzel(a)molgen.mpg.de> fbdev: matroxfb: G200eW: Increase max memory from 1 MB to 16 MB Jeff Layton <jlayton(a)kernel.org> nfsd: fix handling of readdir in v4root vs. mount upcall timeout Rodrigo Branco <bsdaemon(a)google.com> x86/bugs: Flush IBP in ib_prctl_set() Takashi Iwai <tiwai(a)suse.de> x86/kexec: Fix double-free of elf header buffer Kai Vehmanen <kai.vehmanen(a)linux.intel.com> ASoC: SOF: Intel: pci-tgl: unblock S5 entry if DMA stop has failed" Christoph Hellwig <hch(a)lst.de> nvme: also return I/O command effects from nvme_command_effects Christoph Hellwig <hch(a)lst.de> nvmet: use NVME_CMD_EFFECTS_CSUPP instead of open coding it YoungJun.park <her0gyugyu(a)gmail.com> kunit: alloc_string_stream_fragment error handling bug fix Jens Axboe <axboe(a)kernel.dk> io_uring: check for valid register opcode earlier Mario Limonciello <mario.limonciello(a)amd.com> ACPI: video: Don't enable fallback path for creating ACPI backlight by default Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Report to ACPI video if no panels were found Mario Limonciello <mario.limonciello(a)amd.com> ACPI: video: Allow GPU drivers to report no panels Yanjun Zhang <zhangyanjun(a)cestc.cn> nvme: fix multipath crash caused by flush request when blktrace is enabled Jens Axboe <axboe(a)kernel.dk> io_uring/cancel: re-grab ctx mutex after finishing wait Philip Yang <Philip.Yang(a)amd.com> drm/amdkfd: Fix double release compute pasid Philip Yang <Philip.Yang(a)amd.com> drm/amdkfd: Fix kfd_process_device_init_vm error handling Luben Tuikov <luben.tuikov(a)amd.com> drm/amdgpu: Fix size validation for non-exclusive domains (v4) YC Hung <yc.hung(a)mediatek.com> ASoC: SOF: mediatek: initialize panic_info to zero Hans de Goede <hdegoede(a)redhat.com> ASoC: Intel: bytcr_rt5640: Add quirk for the Advantech MICA-071 tablet Dominique Martinet <asmadeus(a)codewreck.org> 9p/client: fix data race on req->status Kai Vehmanen <kai.vehmanen(a)linux.intel.com> ASoC: SOF: Revert: "core: unregister clients and machine drivers in .shutdown" Linus Torvalds <torvalds(a)linux-foundation.org> hfs/hfsplus: avoid WARN_ON() for sanity check, use proper error handling Arnd Bergmann <arnd(a)arndb.de> usb: dwc3: xilinx: include linux/gpio/consumer.h Jan Kara <jack(a)suse.cz> udf: Fix extension of the last extent in the file Zhengchao Shao <shaozhengchao(a)huawei.com> caif: fix memory leak in cfctrl_linkup_request() Paolo Abeni <pabeni(a)redhat.com> net/ulp: prevent ULP without clone op from entering the LISTEN status Caleb Sander <csander(a)purestorage.com> qed: allow sleep in qed_mcp_trace_dump() Ming Lei <ming.lei(a)redhat.com> ublk: honor IO_URING_F_NONBLOCK for handling control command Zheng Wang <zyytlz.wz(a)163.com> drm/i915/gvt: fix double free bug in split_2MB_gtt_entry Dan Carpenter <error27(a)gmail.com> drm/i915: unpin on error in intel_vgpu_shadow_mm_pin() Namhyung Kim <namhyung(a)kernel.org> perf stat: Fix handling of --for-each-cgroup with --bpf-counters to match non BPF mode Namhyung Kim <namhyung(a)kernel.org> perf stat: Fix handling of unsupported cgroup events when using BPF counters Thomas Richter <tmricht(a)linux.ibm.com> perf lock contention: Fix core dump related to not finding the "__sched_text_end" symbol on s/390 Szymon Heidrich <szymon.heidrich(a)gmail.com> usb: rndis_host: Secure rndis_query check against int overflow Geetha sowjanya <gakula(a)marvell.com> octeontx2-pf: Fix lmtst ID used in aura free Daniil Tatianin <d-tatianin(a)yandex-team.ru> drivers/net/bonding/bond_3ad: return when there's no aggregator Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> fs/ntfs3: don't hold ni_lock when calling truncate_setsize() Philipp Zabel <p.zabel(a)pengutronix.de> drm/imx: ipuv3-plane: Fix overlay plane width Miaoqian Lin <linmq006(a)gmail.com> perf tools: Fix resources leak in perf_data__open_dir() Xiu Jianfeng <xiujianfeng(a)huawei.com> drm/virtio: Fix memory leak in virtio_gpu_object_create() Jozsef Kadlecsik <kadlec(a)netfilter.org> netfilter: ipset: Rework long task execution when adding/deleting entries Jozsef Kadlecsik <kadlec(a)netfilter.org> netfilter: ipset: fix hash:net,port,net hang with /0 subnet Horatiu Vultur <horatiu.vultur(a)microchip.com> net: sparx5: Fix reading of the MAC address Ido Schimmel <idosch(a)nvidia.com> vxlan: Fix memory leaks in error path Jamal Hadi Salim <jhs(a)mojatatu.com> net: sched: cbq: dont intepret cls results when asked to drop Jamal Hadi Salim <jhs(a)mojatatu.com> net: sched: atm: dont intepret cls results when asked to drop Miaoqian Lin <linmq006(a)gmail.com> gpio: sifive: Fix refcount leak in sifive_gpio_probe Xiubo Li <xiubli(a)redhat.com> ceph: switch to vfs_inode_has_locks() to fix file lock bug Jeff Layton <jlayton(a)kernel.org> filelock: new helper: vfs_inode_has_locks Carlo Caione <ccaione(a)baylibre.com> drm/meson: Reduce the FIFO lines held when AFBC is not used Po-Hsu Lin <po-hsu.lin(a)canonical.com> selftests: net: return non-zero for failures reported in arp_ndisc_evict_nocarrier Po-Hsu Lin <po-hsu.lin(a)canonical.com> selftests: net: fix cleanup_v6() for arp_ndisc_evict_nocarrier Maor Gottlieb <maorg(a)nvidia.com> RDMA/mlx5: Fix validation of max_rd_atomic caps for DC Shay Drory <shayd(a)nvidia.com> RDMA/mlx5: Fix mlx5_ib_get_hw_stats when used for device Haibo Chen <haibo.chen(a)nxp.com> gpio: pca953x: avoid to use uninitialized value pinctrl Miaoqian Lin <linmq006(a)gmail.com> net: phy: xgmiitorgmii: Fix refcount leak in xgmiitorgmii_probe David Arinzon <darinzon(a)amazon.com> net: ena: Update NUMA TPH hint register upon NUMA node update David Arinzon <darinzon(a)amazon.com> net: ena: Set default value for RX interrupt moderation David Arinzon <darinzon(a)amazon.com> net: ena: Fix rx_copybreak value update David Arinzon <darinzon(a)amazon.com> net: ena: Use bitmask to indicate packet redirection David Arinzon <darinzon(a)amazon.com> net: ena: Account for the number of processed bytes in XDP David Arinzon <darinzon(a)amazon.com> net: ena: Don't register memory info on XDP exchange David Arinzon <darinzon(a)amazon.com> net: ena: Fix toeplitz initial hash value Jiguang Xiao <jiguang.xiao(a)windriver.com> net: amd-xgbe: add missed tasklet_kill Jian Shen <shenjian15(a)huawei.com> net: hns3: refine the handling for VF heartbeat Kuniyuki Iwashima <kuniyu(a)amazon.com> tcp: Add TIME_WAIT sockets in bhash2. Kees Cook <keescook(a)chromium.org> bpf: Always use maximal size for copy_array() Eli Cohen <elic(a)nvidia.com> net/mlx5: Lag, fix failure to cancel delayed bond work Maor Dickman <maord(a)nvidia.com> net/mlx5e: Set geneve_tlv_option_0_exist when matching on geneve option Adham Faris <afaris(a)nvidia.com> net/mlx5e: Fix hw mtu initializing at XDP SQ allocation Chris Mi <cmi(a)nvidia.com> net/mlx5e: Always clear dest encap in neigh-update-del Chris Mi <cmi(a)nvidia.com> net/mlx5e: CT: Fix ct debugfs folder name Tariq Toukan <tariqt(a)nvidia.com> net/mlx5e: Fix RX reporter for XSK RQs Dragos Tatulea <dtatulea(a)nvidia.com> net/mlx5e: IPoIB, Don't allow CQE compression to be turned on by default Shay Drory <shayd(a)nvidia.com> net/mlx5: Fix RoCE setting at HCA level Shay Drory <shayd(a)nvidia.com> net/mlx5: Avoid recovery in probe flows Shay Drory <shayd(a)nvidia.com> net/mlx5: Fix io_eq_size and event_eq_size params validation Jiri Pirko <jiri(a)nvidia.com> net/mlx5: Add forgotten cleanup calls into mlx5_init_once() error path Moshe Shemesh <moshe(a)nvidia.com> net/mlx5: E-Switch, properly handle ingress tagged packets on VST Jason Wang <jasowang(a)redhat.com> vdpasim: fix memory leak when freeing IOTLBs Rong Wang <wangrong68(a)huawei.com> vdpa/vp_vdpa: fix kfree a wrong pointer in vp_vdpa_remove Wei Yongjun <weiyongjun1(a)huawei.com> virtio-crypto: fix memory leak in virtio_crypto_alg_skcipher_close_session() Stefano Garzarella <sgarzare(a)redhat.com> vdpa_sim: fix vringh initialization in vdpasim_queue_ready() Stefano Garzarella <sgarzare(a)redhat.com> vhost-vdpa: fix an iotlb memory leak Stefano Garzarella <sgarzare(a)redhat.com> vhost: fix range used in translate_desc() Stefano Garzarella <sgarzare(a)redhat.com> vringh: fix range used in iotlb_translate() Yuan Can <yuancan(a)huawei.com> vhost/vsock: Fix error handling in vhost_vsock_init() ruanjinjie <ruanjinjie(a)huawei.com> vdpa_sim: fix possible memory leak in vdpasim_net_init() and vdpasim_blk_init() Eli Cohen <elic(a)nvidia.com> vdpa/mlx5: Fix wrong mac address deletion Eli Cohen <elic(a)nvidia.com> vdpa/mlx5: Fix rule forwarding VLAN to TIR Michael Chan <michael.chan(a)broadcom.com> bnxt_en: Fix HDS and jumbo thresholds for RX packets Michael Chan <michael.chan(a)broadcom.com> bnxt_en: Fix first buffer size calculations for XDP multi-buffer Michael Chan <michael.chan(a)broadcom.com> bnxt_en: Fix XDP RX path Michael Chan <michael.chan(a)broadcom.com> bnxt_en: Simplify bnxt_xdp_buff_init() Miaoqian Lin <linmq006(a)gmail.com> nfc: Fix potential resource leaks Johnny S. Lee <foss(a)jsl.io> net: dsa: mv88e6xxx: depend on PTP conditionally Daniil Tatianin <d-tatianin(a)yandex-team.ru> qlcnic: prevent ->dcb use-after-free on qlcnic_dcb_enable() failure Hawkins Jiawei <yin31149(a)gmail.com> net: sched: fix memory leak in tcindex_set_parms Jian Shen <shenjian15(a)huawei.com> net: hns3: fix VF promisc mode not update when mac table full Jian Shen <shenjian15(a)huawei.com> net: hns3: fix miss L3E checking for rx packet Jie Wang <wangjie125(a)huawei.com> net: hns3: add interrupts re-initialization while doing VF FLR Jeff Layton <jlayton(a)kernel.org> nfsd: shut down the NFSv4 state objects before the filecache Shawn Bohrer <sbohrer(a)cloudflare.com> veth: Fix race with AF_XDP exposing old or uninitialized descriptors Horatiu Vultur <horatiu.vultur(a)microchip.com> net: lan966x: Fix configuration of the PCS Eric Dumazet <edumazet(a)google.com> bonding: fix lockdep splat in bond_miimon_commit() Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: honor set timeout and garbage collection updates Paolo Abeni <pabeni(a)redhat.com> mptcp: fix lockdep false positive Paolo Abeni <pabeni(a)redhat.com> mptcp: fix deadlock in fastopen error path Ronak Doshi <doshir(a)vmware.com> vmxnet3: correctly report csum_level for encapsulated packet Antoine Tenart <atenart(a)kernel.org> net: vrf: determine the dst using the original ifindex for multicast Maciej Fijalkowski <maciej.fijalkowski(a)intel.com> ice: xsk: do not use xdp_return_frame() on tx_buf->raw_buf Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: perform type checking for existing sets Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: add function to create set stateful expressions Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: consolidate set description Steven Price <steven.price(a)arm.com> drm/panfrost: Fix GEM handle creation ref-counting Jakub Kicinski <kuba(a)kernel.org> bpf: pull before calling skb_postpull_rcsum() Arnd Bergmann <arnd(a)arndb.de> wifi: ath9k: use proper statements in conditionals minoura makoto <minoura(a)valinux.co.jp> SUNRPC: ensure the matching upcall is in-flight upon downcall Sasha Levin <sashal(a)kernel.org> btrfs: fix an error handling path in btrfs_defrag_leaves() Johan Hovold <johan+linaro(a)kernel.org> phy: qcom-qmp-combo: fix broken power on Masami Hiramatsu (Google) <mhiramat(a)kernel.org> perf probe: Fix to get the DW_AT_decl_file and DW_AT_call_file as unsinged data Masami Hiramatsu (Google) <mhiramat(a)kernel.org> perf probe: Use dwarf_attr_integrate as generic DWARF attr accessor Qu Wenruo <wqu(a)suse.com> btrfs: fix compat_ro checks against remount Filipe Manana <fdmanana(a)suse.com> btrfs: fix off-by-one in delalloc search during lseek Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> usb: dwc3: gadget: Ignore End Transfer delay on teardown Shyam Prasad N <sprasad(a)microsoft.com> cifs: refcount only the selected iface during interface update Shyam Prasad N <sprasad(a)microsoft.com> cifs: fix interface count calculation during refresh Sasha Levin <sashal(a)kernel.org> btrfs: replace strncpy() with strscpy() Jens Axboe <axboe(a)kernel.dk> ARM: renumber bits related to _TIF_WORK_MASK ------------- Diffstat: Makefile | 4 +- arch/arm/include/asm/thread_info.h | 13 +- arch/mips/ralink/of.c | 2 +- arch/riscv/include/asm/uaccess.h | 2 +- arch/riscv/kernel/probes/simulate-insn.h | 4 +- arch/x86/kernel/cpu/bugs.c | 2 + arch/x86/kernel/crash.c | 4 +- block/blk-merge.c | 10 + drivers/acpi/acpi_video.c | 17 +- drivers/block/ublk_drv.c | 3 + drivers/block/virtio_blk.c | 33 +-- drivers/char/tpm/tpm-interface.c | 4 +- .../crypto/virtio/virtio_crypto_skcipher_algs.c | 3 +- drivers/firmware/efi/efi.c | 4 +- drivers/firmware/efi/libstub/efistub.h | 2 + drivers/firmware/efi/libstub/random.c | 42 +++- drivers/gpio/gpio-pca953x.c | 3 + drivers/gpio/gpio-sifive.c | 1 + drivers/gpu/drm/amd/amdgpu/amdgpu.h | 1 + drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 4 +- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 39 ++- drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 27 +++ drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 19 +- drivers/gpu/drm/amd/amdkfd/kfd_process.c | 24 +- drivers/gpu/drm/amd/amdkfd/kfd_topology.c | 2 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 16 +- .../amd/display/dc/dml/dcn32/display_mode_vba_32.c | 39 +++ .../dc/dml/dcn32/display_mode_vba_util_32.c | 69 ++++++ .../dc/dml/dcn32/display_mode_vba_util_32.h | 18 ++ .../gpu/drm/amd/display/dc/dml/display_mode_vba.h | 2 + drivers/gpu/drm/i915/display/intel_dsi_vbt.c | 94 +++++++- drivers/gpu/drm/i915/gvt/debugfs.c | 17 +- drivers/gpu/drm/i915/gvt/gtt.c | 17 +- drivers/gpu/drm/i915/gvt/scheduler.c | 1 + drivers/gpu/drm/i915/i915_irq.c | 3 + drivers/gpu/drm/i915/i915_reg.h | 1 + drivers/gpu/drm/imx/ipuv3-plane.c | 14 +- drivers/gpu/drm/meson/meson_viu.c | 5 +- drivers/gpu/drm/panfrost/panfrost_drv.c | 27 ++- drivers/gpu/drm/panfrost/panfrost_gem.c | 16 +- drivers/gpu/drm/panfrost/panfrost_gem.h | 5 +- drivers/gpu/drm/virtio/virtgpu_object.c | 6 +- drivers/infiniband/hw/mlx5/counters.c | 6 +- drivers/infiniband/hw/mlx5/qp.c | 49 ++-- drivers/net/bonding/bond_3ad.c | 1 + drivers/net/bonding/bond_main.c | 8 +- drivers/net/dsa/mv88e6xxx/Kconfig | 4 +- drivers/net/dsa/qca/qca8k-8xxx.c | 106 ++++----- drivers/net/dsa/qca/qca8k.h | 5 - drivers/net/ethernet/amazon/ena/ena_com.c | 29 +-- drivers/net/ethernet/amazon/ena/ena_ethtool.c | 6 +- drivers/net/ethernet/amazon/ena/ena_netdev.c | 83 +++++-- drivers/net/ethernet/amazon/ena/ena_netdev.h | 17 +- drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 3 + drivers/net/ethernet/amd/xgbe/xgbe-i2c.c | 4 +- drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 4 +- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 22 +- drivers/net/ethernet/broadcom/bnxt/bnxt.h | 15 +- drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 20 +- drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.h | 6 +- drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 10 +- .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 132 +++++++---- .../ethernet/hisilicon/hns3/hns3pf/hclge_main.h | 7 + .../net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c | 71 +++++- .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 3 +- drivers/net/ethernet/intel/ice/ice_xsk.c | 2 +- .../ethernet/marvell/octeontx2/nic/otx2_common.c | 30 ++- drivers/net/ethernet/mellanox/mlx5/core/devlink.c | 4 +- .../ethernet/mellanox/mlx5/core/en/reporter_rx.c | 6 +- drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c | 7 +- .../ethernet/mellanox/mlx5/core/en/tc_tun_encap.c | 9 +- .../ethernet/mellanox/mlx5/core/en/tc_tun_geneve.c | 5 + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 +- .../mellanox/mlx5/core/esw/acl/egress_lgcy.c | 7 +- .../mellanox/mlx5/core/esw/acl/ingress_lgcy.c | 33 ++- drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 30 ++- drivers/net/ethernet/mellanox/mlx5/core/eswitch.h | 6 + drivers/net/ethernet/mellanox/mlx5/core/health.c | 6 + .../net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c | 4 + drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c | 1 + drivers/net/ethernet/mellanox/mlx5/core/main.c | 4 +- .../net/ethernet/microchip/lan966x/lan966x_port.c | 2 +- .../net/ethernet/microchip/sparx5/sparx5_main.c | 2 +- drivers/net/ethernet/qlogic/qed/qed_debug.c | 28 ++- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 8 +- drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.h | 10 +- drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c | 8 +- drivers/net/phy/xilinx_gmii2rgmii.c | 1 + drivers/net/usb/rndis_host.c | 3 +- drivers/net/veth.c | 5 +- drivers/net/vmxnet3/vmxnet3_drv.c | 8 + drivers/net/vrf.c | 6 +- drivers/net/vxlan/vxlan_core.c | 19 +- drivers/net/wireless/ath/ath11k/qmi.c | 3 + drivers/net/wireless/ath/ath9k/htc.h | 14 +- drivers/nvme/host/core.c | 32 ++- drivers/nvme/host/nvme.h | 2 +- drivers/nvme/target/admin-cmd.c | 35 +-- drivers/of/fdt.c | 6 +- drivers/phy/qualcomm/phy-qcom-qmp-combo.c | 20 +- .../intel/int340x_thermal/processor_thermal_rfim.c | 4 + drivers/usb/dwc3/dwc3-xilinx.c | 1 + drivers/usb/dwc3/gadget.c | 5 +- drivers/vdpa/mlx5/net/mlx5_vnet.c | 10 +- drivers/vdpa/vdpa_sim/vdpa_sim.c | 7 +- drivers/vdpa/vdpa_sim/vdpa_sim_blk.c | 4 +- drivers/vdpa/vdpa_sim/vdpa_sim_net.c | 4 +- drivers/vdpa/virtio_pci/vp_vdpa.c | 2 +- drivers/vhost/vdpa.c | 52 ++-- drivers/vhost/vhost.c | 4 +- drivers/vhost/vringh.c | 5 +- drivers/vhost/vsock.c | 9 +- drivers/video/fbdev/matrox/matroxfb_base.c | 4 +- fs/btrfs/disk-io.c | 8 +- fs/btrfs/disk-io.h | 2 +- fs/btrfs/extent-io-tree.c | 2 +- fs/btrfs/extent_io.c | 11 +- fs/btrfs/file.c | 2 +- fs/btrfs/ioctl.c | 9 +- fs/btrfs/rcu-string.h | 6 +- fs/btrfs/super.c | 2 +- fs/btrfs/tree-defrag.c | 6 +- fs/ceph/caps.c | 2 +- fs/ceph/locks.c | 4 - fs/ceph/super.h | 1 - fs/cifs/sess.c | 3 +- fs/cifs/smb2ops.c | 3 +- fs/hfs/inode.c | 15 +- fs/ksmbd/auth.c | 3 +- fs/ksmbd/connection.c | 7 +- fs/ksmbd/smb2pdu.c | 7 +- fs/ksmbd/transport_tcp.c | 5 +- fs/locks.c | 23 ++ fs/nfsd/nfs4xdr.c | 11 + fs/nfsd/nfssvc.c | 2 +- fs/ntfs3/file.c | 4 +- fs/udf/inode.c | 2 +- include/acpi/video.h | 2 + include/drm/drm_plane_helper.h | 1 + include/linux/dsa/tag_qca.h | 4 +- include/linux/efi.h | 2 - include/linux/fs.h | 6 + include/linux/mlx5/device.h | 5 + include/linux/mlx5/mlx5_ifc.h | 3 +- include/linux/netfilter/ipset/ip_set.h | 2 +- include/linux/sunrpc/rpc_pipe_fs.h | 5 + include/net/inet_hashtables.h | 4 + include/net/inet_timewait_sock.h | 5 + include/net/netfilter/nf_tables.h | 25 +- io_uring/cancel.c | 9 +- io_uring/io_uring.c | 19 +- kernel/bpf/trampoline.c | 4 + kernel/bpf/verifier.c | 12 +- lib/kunit/string-stream.c | 4 +- net/9p/client.c | 15 +- net/9p/trans_fd.c | 12 +- net/9p/trans_rdma.c | 4 +- net/9p/trans_virtio.c | 9 +- net/9p/trans_xen.c | 4 +- net/caif/cfctrl.c | 6 +- net/core/filter.c | 7 +- net/ipv4/inet_connection_sock.c | 40 +++- net/ipv4/inet_hashtables.c | 8 +- net/ipv4/inet_timewait_sock.c | 31 ++- net/ipv4/tcp_ulp.c | 4 + net/mptcp/protocol.c | 20 +- net/mptcp/protocol.h | 4 +- net/mptcp/subflow.c | 19 +- net/netfilter/ipset/ip_set_core.c | 7 +- net/netfilter/ipset/ip_set_hash_ip.c | 14 +- net/netfilter/ipset/ip_set_hash_ipmark.c | 13 +- net/netfilter/ipset/ip_set_hash_ipport.c | 13 +- net/netfilter/ipset/ip_set_hash_ipportip.c | 13 +- net/netfilter/ipset/ip_set_hash_ipportnet.c | 13 +- net/netfilter/ipset/ip_set_hash_net.c | 17 +- net/netfilter/ipset/ip_set_hash_netiface.c | 15 +- net/netfilter/ipset/ip_set_hash_netnet.c | 23 +- net/netfilter/ipset/ip_set_hash_netport.c | 19 +- net/netfilter/ipset/ip_set_hash_netportnet.c | 40 ++-- net/netfilter/nf_tables_api.c | 261 ++++++++++++++------- net/nfc/netlink.c | 52 ++-- net/sched/cls_tcindex.c | 12 +- net/sched/sch_atm.c | 5 +- net/sched/sch_cbq.c | 4 +- net/sunrpc/auth_gss/auth_gss.c | 19 +- sound/soc/intel/boards/bytcr_rt5640.c | 15 ++ sound/soc/sof/core.c | 9 - sound/soc/sof/intel/hda-dsp.c | 72 ++++++ sound/soc/sof/intel/hda.h | 1 + sound/soc/sof/intel/tgl.c | 2 +- sound/soc/sof/mediatek/mtk-adsp-common.c | 2 +- tools/perf/builtin-lock.c | 2 + tools/perf/util/bpf_counter_cgroup.c | 14 +- tools/perf/util/cgroup.c | 23 +- tools/perf/util/data.c | 2 + tools/perf/util/dwarf-aux.c | 23 +- .../selftests/net/arp_ndisc_evict_nocarrier.sh | 15 +- 197 files changed, 1988 insertions(+), 876 deletions(-)

2 years, 1 month

16
175
0 0

[merged mm-hotfixes-stable] nommu-fix-split_vma-map_count-error.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: nommu: fix split_vma() map_count error has been removed from the -mm tree. Its filename was nommu-fix-split_vma-map_count-error.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Liam Howlett <liam.howlett(a)oracle.com> Subject: nommu: fix split_vma() map_count error Date: Mon, 9 Jan 2023 20:58:20 +0000 During the maple tree conversion of nommu, an error in counting the VMAs was introduced by counting the existing VMA again. The counting used to be decremented by one and incremented by two, but now it only increments by two. Fix the counting error by moving the increment outside the setup_vma_to_mm() function to the callers. Link: https://lkml.kernel.org/r/20230109205809.956325-1-Liam.Howlett@oracle.com Fixes: 8220543df148 ("nommu: remove uses of VMA linked list") Signed-off-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/nommu.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/mm/nommu.c~nommu-fix-split_vma-map_count-error +++ a/mm/nommu.c @@ -559,7 +559,6 @@ void vma_mas_remove(struct vm_area_struc static void setup_vma_to_mm(struct vm_area_struct *vma, struct mm_struct *mm) { - mm->map_count++; vma->vm_mm = mm; /* add the VMA to the mapping */ @@ -587,6 +586,7 @@ static void mas_add_vma_to_mm(struct ma_ BUG_ON(!vma->vm_region); setup_vma_to_mm(vma, mm); + mm->map_count++; /* add the VMA to the tree */ vma_mas_store(vma, mas); @@ -1347,6 +1347,7 @@ int split_vma(struct mm_struct *mm, stru if (vma->vm_file) return -ENOMEM; + mm = vma->vm_mm; if (mm->map_count >= sysctl_max_map_count) return -ENOMEM; @@ -1398,6 +1399,7 @@ int split_vma(struct mm_struct *mm, stru mas_set_range(&mas, vma->vm_start, vma->vm_end - 1); mas_store(&mas, vma); vma_mas_store(new, &mas); + mm->map_count++; return 0; err_mas_preallocate: _ Patches currently in -mm which might be from liam.howlett(a)oracle.com are maple_tree-fix-mas_empty_area_rev-lower-bound-validation.patch maple_tree-remove-gfp_zero-from-kmem_cache_alloc-and-kmem_cache_alloc_bulk.patch

2 years, 1 month

1
0
0 0

[merged mm-hotfixes-stable] nommu-fix-do_munmap-error-path.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: nommu: fix do_munmap() error path has been removed from the -mm tree. Its filename was nommu-fix-do_munmap-error-path.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Liam Howlett <liam.howlett(a)oracle.com> Subject: nommu: fix do_munmap() error path Date: Mon, 9 Jan 2023 20:57:21 +0000 When removing a VMA from the tree fails due to no memory, do not free the VMA since a reference still exists. Link: https://lkml.kernel.org/r/20230109205708.956103-1-Liam.Howlett@oracle.com Fixes: 8220543df148 ("nommu: remove uses of VMA linked list") Signed-off-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/nommu.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/mm/nommu.c~nommu-fix-do_munmap-error-path +++ a/mm/nommu.c @@ -1509,7 +1509,8 @@ int do_munmap(struct mm_struct *mm, unsi erase_whole_vma: if (delete_vma_from_mm(vma)) ret = -ENOMEM; - delete_vma(mm, vma); + else + delete_vma(mm, vma); return ret; } _ Patches currently in -mm which might be from liam.howlett(a)oracle.com are maple_tree-fix-mas_empty_area_rev-lower-bound-validation.patch maple_tree-remove-gfp_zero-from-kmem_cache_alloc-and-kmem_cache_alloc_bulk.patch

2 years, 1 month

1
0
0 0

[merged mm-hotfixes-stable] nommu-fix-memory-leak-in-do_mmap-error-path.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: nommu: fix memory leak in do_mmap() error path has been removed from the -mm tree. Its filename was nommu-fix-memory-leak-in-do_mmap-error-path.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Liam Howlett <liam.howlett(a)oracle.com> Subject: nommu: fix memory leak in do_mmap() error path Date: Mon, 9 Jan 2023 20:55:21 +0000 The preallocation of the maple tree nodes may leak if the error path to "error_just_free" is taken. Fix this by moving the freeing of the maple tree nodes to a shared location for all error paths. Link: https://lkml.kernel.org/r/20230109205507.955577-1-Liam.Howlett@oracle.com Fixes: 8220543df148 ("nommu: remove uses of VMA linked list") Signed-off-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/nommu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/nommu.c~nommu-fix-memory-leak-in-do_mmap-error-path +++ a/mm/nommu.c @@ -1240,6 +1240,7 @@ share: error_just_free: up_write(&nommu_region_sem); error: + mas_destroy(&mas); if (region->vm_file) fput(region->vm_file); kmem_cache_free(vm_region_jar, region); @@ -1250,7 +1251,6 @@ error: sharing_violation: up_write(&nommu_region_sem); - mas_destroy(&mas); pr_warn("Attempt to share mismatched mappings\n"); ret = -EINVAL; goto error; _ Patches currently in -mm which might be from liam.howlett(a)oracle.com are maple_tree-fix-mas_empty_area_rev-lower-bound-validation.patch maple_tree-remove-gfp_zero-from-kmem_cache_alloc-and-kmem_cache_alloc_bulk.patch

2 years, 1 month

1
0
0 0

[merged mm-hotfixes-stable] proc-fix-pie-proc-empty-vm-proc-pid-vm-tests.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: proc: fix PIE proc-empty-vm, proc-pid-vm tests has been removed from the -mm tree. Its filename was proc-fix-pie-proc-empty-vm-proc-pid-vm-tests.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Alexey Dobriyan <adobriyan(a)gmail.com> Subject: proc: fix PIE proc-empty-vm, proc-pid-vm tests Date: Fri, 6 Jan 2023 22:30:14 +0300 vsyscall detection code uses direct call to the beginning of the vsyscall page: asm ("call %P0" :: "i" (0xffffffffff600000)) It generates "call rel32" instruction but it is not relocated if binary is PIE, so binary segfaults into random userspace address and vsyscall page status is detected incorrectly. Do more direct: asm ("call *%rax") which doesn't do need any relocaltions. Mark g_vsyscall as volatile for a good measure, I didn't find instruction setting it to 0. Now the code is obviously correct: xor eax, eax mov rdi, rbp mov rsi, rbp mov DWORD PTR [rip+0x2d15], eax # g_vsyscall = 0 mov rax, 0xffffffffff600000 call rax mov DWORD PTR [rip+0x2d02], 1 # g_vsyscall = 1 mov eax, DWORD PTR ds:0xffffffffff600000 mov DWORD PTR [rip+0x2cf1], 2 # g_vsyscall = 2 mov edi, [rip+0x2ceb] # exit(g_vsyscall) call exit Note: fixed proc-empty-vm test oopses 5.19.0-28-generic kernel but this is separate story. Link: https://lkml.kernel.org/r/Y7h2xvzKLg36DSq8@p183 Fixes: 5bc73bb3451b9 ("proc: test how it holds up with mapping'less process") Signed-off-by: Alexey Dobriyan <adobriyan(a)gmail.com> Reported-by: Mirsad Goran Todorovac <mirsad.todorovac(a)alu.unizg.hr> Tested-by: Mirsad Goran Todorovac <mirsad.todorovac(a)alu.unizg.hr> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- tools/testing/selftests/proc/proc-empty-vm.c | 12 +++++++----- tools/testing/selftests/proc/proc-pid-vm.c | 9 +++++---- 2 files changed, 12 insertions(+), 9 deletions(-) --- a/tools/testing/selftests/proc/proc-empty-vm.c~proc-fix-pie-proc-empty-vm-proc-pid-vm-tests +++ a/tools/testing/selftests/proc/proc-empty-vm.c @@ -25,6 +25,7 @@ #undef NDEBUG #include <assert.h> #include <errno.h> +#include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <string.h> @@ -41,7 +42,7 @@ * 1: vsyscall VMA is --xp vsyscall=xonly * 2: vsyscall VMA is r-xp vsyscall=emulate */ -static int g_vsyscall; +static volatile int g_vsyscall; static const char *g_proc_pid_maps_vsyscall; static const char *g_proc_pid_smaps_vsyscall; @@ -147,11 +148,12 @@ static void vsyscall(void) g_vsyscall = 0; /* gettimeofday(NULL, NULL); */ + uint64_t rax = 0xffffffffff600000; asm volatile ( - "call %P0" - : - : "i" (0xffffffffff600000), "D" (NULL), "S" (NULL) - : "rax", "rcx", "r11" + "call *%[rax]" + : [rax] "+a" (rax) + : "D" (NULL), "S" (NULL) + : "rcx", "r11" ); g_vsyscall = 1; --- a/tools/testing/selftests/proc/proc-pid-vm.c~proc-fix-pie-proc-empty-vm-proc-pid-vm-tests +++ a/tools/testing/selftests/proc/proc-pid-vm.c @@ -257,11 +257,12 @@ static void vsyscall(void) g_vsyscall = 0; /* gettimeofday(NULL, NULL); */ + uint64_t rax = 0xffffffffff600000; asm volatile ( - "call %P0" - : - : "i" (0xffffffffff600000), "D" (NULL), "S" (NULL) - : "rax", "rcx", "r11" + "call *%[rax]" + : [rax] "+a" (rax) + : "D" (NULL), "S" (NULL) + : "rcx", "r11" ); g_vsyscall = 1; _ Patches currently in -mm which might be from adobriyan(a)gmail.com are proc-mark-proc-cmdline-as-permanent.patch

2 years, 1 month

1
0
0 0

[merged mm-hotfixes-stable] nilfs2-fix-general-protection-fault-in-nilfs_btree_insert.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: nilfs2: fix general protection fault in nilfs_btree_insert() has been removed from the -mm tree. Its filename was nilfs2-fix-general-protection-fault-in-nilfs_btree_insert.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Subject: nilfs2: fix general protection fault in nilfs_btree_insert() Date: Thu, 5 Jan 2023 14:53:56 +0900 If nilfs2 reads a corrupted disk image and tries to reads a b-tree node block by calling __nilfs_btree_get_block() against an invalid virtual block address, it returns -ENOENT because conversion of the virtual block address to a disk block address fails. However, this return value is the same as the internal code that b-tree lookup routines return to indicate that the block being searched does not exist, so functions that operate on that b-tree may misbehave. When nilfs_btree_insert() receives this spurious 'not found' code from nilfs_btree_do_lookup(), it misunderstands that the 'not found' check was successful and continues the insert operation using incomplete lookup path data, causing the following crash: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] ... RIP: 0010:nilfs_btree_get_nonroot_node fs/nilfs2/btree.c:418 [inline] RIP: 0010:nilfs_btree_prepare_insert fs/nilfs2/btree.c:1077 [inline] RIP: 0010:nilfs_btree_insert+0x6d3/0x1c10 fs/nilfs2/btree.c:1238 Code: bc 24 80 00 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89 ff e8 4b 02 92 fe 4d 8b 3f 49 83 c7 28 4c 89 f8 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 ff e8 2e 02 92 fe 4d 8b 3f 49 83 c7 02 ... Call Trace: <TASK> nilfs_bmap_do_insert fs/nilfs2/bmap.c:121 [inline] nilfs_bmap_insert+0x20d/0x360 fs/nilfs2/bmap.c:147 nilfs_get_block+0x414/0x8d0 fs/nilfs2/inode.c:101 __block_write_begin_int+0x54c/0x1a80 fs/buffer.c:1991 __block_write_begin fs/buffer.c:2041 [inline] block_write_begin+0x93/0x1e0 fs/buffer.c:2102 nilfs_write_begin+0x9c/0x110 fs/nilfs2/inode.c:261 generic_perform_write+0x2e4/0x5e0 mm/filemap.c:3772 __generic_file_write_iter+0x176/0x400 mm/filemap.c:3900 generic_file_write_iter+0xab/0x310 mm/filemap.c:3932 call_write_iter include/linux/fs.h:2186 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x7dc/0xc50 fs/read_write.c:584 ksys_write+0x177/0x2a0 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd ... </TASK> This patch fixes the root cause of this problem by replacing the error code that __nilfs_btree_get_block() returns on block address conversion failure from -ENOENT to another internal code -EINVAL which means that the b-tree metadata is corrupted. By returning -EINVAL, it propagates without glitches, and for all relevant b-tree operations, functions in the upper bmap layer output an error message indicating corrupted b-tree metadata via nilfs_bmap_convert_error(), and code -EIO will be eventually returned as it should be. Link: https://lkml.kernel.org/r/000000000000bd89e205f0e38355@google.com Link: https://lkml.kernel.org/r/20230105055356.8811-1-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Reported-by: syzbot+ede796cecd5296353515(a)syzkaller.appspotmail.com Tested-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/nilfs2/btree.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) --- a/fs/nilfs2/btree.c~nilfs2-fix-general-protection-fault-in-nilfs_btree_insert +++ a/fs/nilfs2/btree.c @@ -480,9 +480,18 @@ static int __nilfs_btree_get_block(const ret = nilfs_btnode_submit_block(btnc, ptr, 0, REQ_OP_READ, &bh, &submit_ptr); if (ret) { - if (ret != -EEXIST) - return ret; - goto out_check; + if (likely(ret == -EEXIST)) + goto out_check; + if (ret == -ENOENT) { + /* + * Block address translation failed due to invalid + * value of 'ptr'. In this case, return internal code + * -EINVAL (broken bmap) to notify bmap layer of fatal + * metadata corruption. + */ + ret = -EINVAL; + } + return ret; } if (ra) { _ Patches currently in -mm which might be from konishi.ryusuke(a)gmail.com are

2 years, 1 month

1
0
0 0

[merged mm-hotfixes-stable] mm-hugetlb-pre-allocate-pgtable-pages-for-uffd-wr-protects.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/hugetlb: pre-allocate pgtable pages for uffd wr-protects has been removed from the -mm tree. Its filename was mm-hugetlb-pre-allocate-pgtable-pages-for-uffd-wr-protects.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Peter Xu <peterx(a)redhat.com> Subject: mm/hugetlb: pre-allocate pgtable pages for uffd wr-protects Date: Wed, 4 Jan 2023 17:52:05 -0500 Userfaultfd-wp uses pte markers to mark wr-protected pages for both shmem and hugetlb. Shmem has pre-allocation ready for markers, but hugetlb path was overlooked. Doing so by calling huge_pte_alloc() if the initial pgtable walk fails to find the huge ptep. It's possible that huge_pte_alloc() can fail with high memory pressure, in that case stop the loop immediately and fail silently. This is not the most ideal solution but it matches with what we do with shmem meanwhile it avoids the splat in dmesg. Link: https://lkml.kernel.org/r/20230104225207.1066932-2-peterx@redhat.com Fixes: 60dfaad65aa9 ("mm/hugetlb: allow uffd wr-protect none ptes") Signed-off-by: Peter Xu <peterx(a)redhat.com> Reported-by: James Houghton <jthoughton(a)google.com> Reviewed-by: Mike Kravetz <mike.kravetz(a)oracle.com> Acked-by: David Hildenbrand <david(a)redhat.com> Acked-by: James Houghton <jthoughton(a)google.com> Cc: Andrea Arcangeli <aarcange(a)redhat.com> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Muchun Song <songmuchun(a)bytedance.com> Cc: Nadav Amit <nadav.amit(a)gmail.com> Cc: <stable(a)vger.kernel.org> [5.19+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/hugetlb.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) --- a/mm/hugetlb.c~mm-hugetlb-pre-allocate-pgtable-pages-for-uffd-wr-protects +++ a/mm/hugetlb.c @@ -6660,8 +6660,17 @@ unsigned long hugetlb_change_protection( spinlock_t *ptl; ptep = huge_pte_offset(mm, address, psize); if (!ptep) { - address |= last_addr_mask; - continue; + if (!uffd_wp) { + address |= last_addr_mask; + continue; + } + /* + * Userfaultfd wr-protect requires pgtable + * pre-allocations to install pte markers. + */ + ptep = huge_pte_alloc(mm, vma, address, psize); + if (!ptep) + break; } ptl = huge_pte_lock(h, mm, ptep); if (huge_pmd_unshare(mm, vma, address, ptep)) { _ Patches currently in -mm which might be from peterx(a)redhat.com are mm-uffd-fix-pte-marker-when-fork-without-fork-event.patch mm-fix-a-few-rare-cases-of-using-swapin-error-pte-marker.patch mm-uffd-always-wr-protect-pte-in-ptepmd_mkuffd_wp.patch mm-hugetlb-let-vma_offset_start-to-return-start.patch mm-hugetlb-dont-wait-for-migration-entry-during-follow-page.patch mm-hugetlb-document-huge_pte_offset-usage.patch mm-hugetlb-move-swap-entry-handling-into-vma-lock-when-faulted.patch mm-hugetlb-make-userfaultfd_huge_must_wait-safe-to-pmd-unshare.patch mm-hugetlb-make-hugetlb_follow_page_mask-safe-to-pmd-unshare.patch mm-hugetlb-make-follow_hugetlb_page-safe-to-pmd-unshare.patch mm-hugetlb-make-walk_hugetlb_range-safe-to-pmd-unshare.patch mm-hugetlb-introduce-hugetlb_walk.patch mm-mprotect-use-long-for-page-accountings-and-retval.patch mm-uffd-detect-pgtable-allocation-failures.patch

2 years, 1 month

1
0
0 0

[merged mm-hotfixes-stable] hugetlb-unshare-some-pmds-when-splitting-vmas.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: hugetlb: unshare some PMDs when splitting VMAs has been removed from the -mm tree. Its filename was hugetlb-unshare-some-pmds-when-splitting-vmas.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: James Houghton <jthoughton(a)google.com> Subject: hugetlb: unshare some PMDs when splitting VMAs Date: Wed, 4 Jan 2023 23:19:10 +0000 PMD sharing can only be done in PUD_SIZE-aligned pieces of VMAs; however, it is possible that HugeTLB VMAs are split without unsharing the PMDs first. Without this fix, it is possible to hit the uffd-wp-related WARN_ON_ONCE in hugetlb_change_protection [1]. The key there is that hugetlb_unshare_all_pmds will not attempt to unshare PMDs in non-PUD_SIZE-aligned sections of the VMA. It might seem ideal to unshare in hugetlb_vm_op_open, but we need to unshare in both the new and old VMAs, so unsharing in hugetlb_vm_op_split seems natural. [1]: https://lore.kernel.org/linux-mm/CADrL8HVeOkj0QH5VZZbRzybNE8CG-tEGFshnA+bG9… Link: https://lkml.kernel.org/r/20230104231910.1464197-1-jthoughton@google.com Fixes: 6dfeaff93be1 ("hugetlb/userfaultfd: unshare all pmds for hugetlbfs when register wp") Signed-off-by: James Houghton <jthoughton(a)google.com> Reviewed-by: Mike Kravetz <mike.kravetz(a)oracle.com> Acked-by: Peter Xu <peterx(a)redhat.com> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Muchun Song <songmuchun(a)bytedance.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/hugetlb.c | 44 +++++++++++++++++++++++++++++++++++--------- 1 file changed, 35 insertions(+), 9 deletions(-) --- a/mm/hugetlb.c~hugetlb-unshare-some-pmds-when-splitting-vmas +++ a/mm/hugetlb.c @@ -94,6 +94,8 @@ static int hugetlb_acct_memory(struct hs static void hugetlb_vma_lock_free(struct vm_area_struct *vma); static void hugetlb_vma_lock_alloc(struct vm_area_struct *vma); static void __hugetlb_vma_unlock_write_free(struct vm_area_struct *vma); +static void hugetlb_unshare_pmds(struct vm_area_struct *vma, + unsigned long start, unsigned long end); static inline bool subpool_is_free(struct hugepage_subpool *spool) { @@ -4834,6 +4836,25 @@ static int hugetlb_vm_op_split(struct vm { if (addr & ~(huge_page_mask(hstate_vma(vma)))) return -EINVAL; + + /* + * PMD sharing is only possible for PUD_SIZE-aligned address ranges + * in HugeTLB VMAs. If we will lose PUD_SIZE alignment due to this + * split, unshare PMDs in the PUD_SIZE interval surrounding addr now. + */ + if (addr & ~PUD_MASK) { + /* + * hugetlb_vm_op_split is called right before we attempt to + * split the VMA. We will need to unshare PMDs in the old and + * new VMAs, so let's unshare before we split. + */ + unsigned long floor = addr & PUD_MASK; + unsigned long ceil = floor + PUD_SIZE; + + if (floor >= vma->vm_start && ceil <= vma->vm_end) + hugetlb_unshare_pmds(vma, floor, ceil); + } + return 0; } @@ -7322,26 +7343,21 @@ void move_hugetlb_state(struct folio *ol } } -/* - * This function will unconditionally remove all the shared pmd pgtable entries - * within the specific vma for a hugetlbfs memory range. - */ -void hugetlb_unshare_all_pmds(struct vm_area_struct *vma) +static void hugetlb_unshare_pmds(struct vm_area_struct *vma, + unsigned long start, + unsigned long end) { struct hstate *h = hstate_vma(vma); unsigned long sz = huge_page_size(h); struct mm_struct *mm = vma->vm_mm; struct mmu_notifier_range range; - unsigned long address, start, end; + unsigned long address; spinlock_t *ptl; pte_t *ptep; if (!(vma->vm_flags & VM_MAYSHARE)) return; - start = ALIGN(vma->vm_start, PUD_SIZE); - end = ALIGN_DOWN(vma->vm_end, PUD_SIZE); - if (start >= end) return; @@ -7373,6 +7389,16 @@ void hugetlb_unshare_all_pmds(struct vm_ mmu_notifier_invalidate_range_end(&range); } +/* + * This function will unconditionally remove all the shared pmd pgtable entries + * within the specific vma for a hugetlbfs memory range. + */ +void hugetlb_unshare_all_pmds(struct vm_area_struct *vma) +{ + hugetlb_unshare_pmds(vma, ALIGN(vma->vm_start, PUD_SIZE), + ALIGN_DOWN(vma->vm_end, PUD_SIZE)); +} + #ifdef CONFIG_CMA static bool cma_reserve_called __initdata; _ Patches currently in -mm which might be from jthoughton(a)google.com are

2 years, 1 month

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror January 2023