From: Sasha Finkelstein <fnkl.kernel(a)gmail.com>
This patch fixes an incorrect loop exit condition in code that replaces
'/' symbols in the board name. There might also be a memory corruption
issue here, but it is unlikely to be a real problem.
Signed-off-by: Sasha Finkelstein <fnkl.kernel(a)gmail.com>
---
drivers/bluetooth/btbcm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/bluetooth/btbcm.c b/drivers/bluetooth/btbcm.c
index 3006e2a0f37e..43e98a598bd9 100644
--- a/drivers/bluetooth/btbcm.c
+++ b/drivers/bluetooth/btbcm.c
@@ -511,7 +511,7 @@ static const char *btbcm_get_board_name(struct device *dev)
len = strlen(tmp) + 1;
board_type = devm_kzalloc(dev, len, GFP_KERNEL);
strscpy(board_type, tmp, len);
- for (i = 0; i < board_type[i]; i++) {
+ for (i = 0; i < len; i++) {
if (board_type[i] == '/')
board_type[i] = '-';
}
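Review bot: In the context lines above the changed loop, the pointer returned by devm_kzalloc() goes straight into strscpy() and is then indexed by the loop, with no NULL check. Since the patch already touches this spot, add `if (!board_type) return NULL;` after the allocation, assuming callers of btbcm_get_board_name() tolerate a NULL name. The new bound `i < len` also visits the terminating NUL because len is strlen(tmp) + 1; that is harmless, but `strreplace(board_type, '/', '-');` would drop the open-coded loop and its bound entirely. The commit message's "might also be a memory corruption issue" should be substantiated or dropped: the old condition `i < board_type[i]` is false at the NUL byte, so that loop stops at the terminator at the latest and ends early rather than running past the buffer.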
---
base-commit: c9c3395d5e3dcc6daee66c6908354d47bf98cb0c
change-id: 20230224-btbcm-wtf-ff32fed3e930
Best regards,
--
Sasha Finkelstein <fnkl.kernel(a)gmail.com>
This is the start of the stable review cycle for the 5.10.170 release.
There are 26 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Sat, 25 Feb 2023 14:15:30 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.170-r…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 5.10.170-rc2
Linus Torvalds <torvalds(a)linux-foundation.org>
bpf: add missing header file include
Vladimir Oltean <vladimir.oltean(a)nxp.com>
Revert "net/sched: taprio: make qdisc_leaf() see the per-netdev-queue pfifo child qdiscs"
Kees Cook <keescook(a)chromium.org>
ext4: Fix function prototype mismatch for ext4_feat_ktype
Paul Moore <paul(a)paul-moore.com>
audit: update the mailing list in MAINTAINERS
Lukas Wunner <lukas(a)wunner.de>
wifi: mwifiex: Add missing compatible string for SD8787
Zhang Wensheng <zhangwensheng5(a)huawei.com>
nbd: fix possible overflow on 'first_minor' in nbd_dev_add()
Yu Kuai <yukuai3(a)huawei.com>
nbd: fix possible overflow for 'first_minor' in nbd_dev_add()
Yu Kuai <yukuai3(a)huawei.com>
nbd: fix max value for 'first_minor'
Wen Yang <wenyang.linux(a)foxmail.com>
Revert "Revert "block: nbd: add sanity check for first_minor""
Dave Hansen <dave.hansen(a)linux.intel.com>
uaccess: Add speculation barrier to copy_from_user()
Pavel Skripkin <paskripkin(a)gmail.com>
mac80211: mesh: embedd mesh_paths and mpp_paths into ieee80211_if_mesh
Zheng Wang <zyytlz.wz(a)163.com>
drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
Sean Anderson <sean.anderson(a)seco.com>
powerpc: dts: t208x: Disable 10G on MAC1 and MAC2
Marc Kleine-Budde <mkl(a)pengutronix.de>
can: kvaser_usb: hydra: help gcc-13 to figure out cmd_len
Jim Mattson <jmattson(a)google.com>
KVM: VMX: Execute IBPB on emulated VM-exit when guest has IBRS
Sean Christopherson <seanjc(a)google.com>
KVM: SVM: Skip WRMSR fastpath on VM-Exit if next RIP isn't valid
Sean Christopherson <seanjc(a)google.com>
KVM: x86: Fail emulation during EMULTYPE_SKIP on any exception
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: always mix cycle counter in add_latent_entropy()
Rahul Tanwar <rtanwar(a)maxlinear.com>
clk: mxl: syscon_node_to_regmap() returns error pointers
Sean Anderson <sean.anderson(a)seco.com>
powerpc: dts: t208x: Mark MAC1 and MAC2 as 10G
Rahul Tanwar <rtanwar(a)maxlinear.com>
clk: mxl: Fix a clk entry by adding relevant flags
Rahul Tanwar <rtanwar(a)maxlinear.com>
clk: mxl: Add option to override gate clks
Rahul Tanwar <rtanwar(a)maxlinear.com>
clk: mxl: Remove redundant spinlocks
Rahul Tanwar <rtanwar(a)maxlinear.com>
clk: mxl: Switch from direct readl/writel based IO to regmap based IO
Bitterblue Smith <rtl8821cerfe2(a)gmail.com>
wifi: rtl8xxxu: gen2: Turn on the rate control
Lucas Stach <l.stach(a)pengutronix.de>
drm/etnaviv: don't truncate physical page address
-------------
Diffstat:
MAINTAINERS | 2 +-
Makefile | 4 +-
arch/powerpc/boot/dts/fsl/qoriq-fman3-0-10g-2.dtsi | 44 +++++++++
arch/powerpc/boot/dts/fsl/qoriq-fman3-0-10g-3.dtsi | 44 +++++++++
arch/powerpc/boot/dts/fsl/t2081si-post.dtsi | 20 +++-
arch/x86/kvm/svm/svm.c | 10 +-
arch/x86/kvm/vmx/nested.c | 11 +++
arch/x86/kvm/vmx/vmx.c | 6 +-
arch/x86/kvm/x86.c | 4 +-
drivers/block/nbd.c | 13 ++-
drivers/clk/x86/Kconfig | 5 +-
drivers/clk/x86/clk-cgu-pll.c | 23 ++---
drivers/clk/x86/clk-cgu.c | 106 ++++++---------------
drivers/clk/x86/clk-cgu.h | 46 ++++-----
drivers/clk/x86/clk-lgm.c | 18 ++--
drivers/gpu/drm/etnaviv/etnaviv_mmu.c | 4 +-
drivers/gpu/drm/i915/gvt/gtt.c | 17 +++-
drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c | 33 +++++--
drivers/net/wireless/marvell/mwifiex/sdio.c | 1 +
.../net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 8 +-
fs/ext4/sysfs.c | 7 +-
include/linux/nospec.h | 4 +
include/linux/random.h | 6 +-
kernel/bpf/core.c | 3 +-
lib/usercopy.c | 7 ++
net/mac80211/ieee80211_i.h | 24 ++++-
net/mac80211/mesh.h | 22 +----
net/mac80211/mesh_pathtbl.c | 89 ++++++-----------
net/sched/sch_taprio.c | 8 +-
29 files changed, 340 insertions(+), 249 deletions(-)
Currently, for operations like memory clear or copy for big
chunks of memory, we generate multiple requests executed in a
chain.
But if one of the requests generated fails we would not know it
unless it happens to the last request, because errors are not
properly propagated.
For this we need to keep propagating the chain of fence
notification in order to always reach the final fence associated
to the final request.
This way we would know that the memory operation has failed and
whether the memory is still invalid.
On copy and clear migration signal fences upon completion.
Fixes: cf586021642d80 ("drm/i915/gt: Pipelined page migration")
Reported-by: Matthew Auld <matthew.auld(a)intel.com>
Suggested-by: Chris Wilson <chris(a)chris-wilson.co.uk>
Signed-off-by: Andi Shyti <andi.shyti(a)linux.intel.com>
Cc: stable(a)vger.kernel.org
---
drivers/gpu/drm/i915/gt/intel_migrate.c | 31 +++++++++++++++++--------
1 file changed, 21 insertions(+), 10 deletions(-)
diff --git a/drivers/gpu/drm/i915/gt/intel_migrate.c b/drivers/gpu/drm/i915/gt/intel_migrate.c
index 3f638f1987968..8a293045a7b96 100644
--- a/drivers/gpu/drm/i915/gt/intel_migrate.c
+++ b/drivers/gpu/drm/i915/gt/intel_migrate.c
@@ -748,7 +748,7 @@ intel_context_migrate_copy(struct intel_context *ce,
rq = i915_request_create(ce);
if (IS_ERR(rq)) {
err = PTR_ERR(rq);
- goto out_ce;
+ break;
}
if (deps) {
@@ -878,10 +878,14 @@ intel_context_migrate_copy(struct intel_context *ce,
/* Arbitration is re-enabled between requests. */
out_rq:
- if (*out)
- i915_request_put(*out);
- *out = i915_request_get(rq);
+ i915_sw_fence_await(&rq->submit);
+ i915_request_get(rq);
i915_request_add(rq);
+ if (*out) {
+ i915_sw_fence_complete(&(*out)->submit);
+ i915_request_put(*out);
+ }
+ *out = rq;
if (err)
break;
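Review bot: The await taken on rq->submit at out_rq is released only on the next pass through out_rq or at the function tail, and nothing in the hunk documents that; the existing comment "Arbitration is re-enabled between requests." is about something else. Add a short comment above `i915_sw_fence_await(&rq->submit);` saying that each request's submit fence is held until its successor has been added or the loop ends. The commit message should also spell out how holding the submit fence produces the error propagation it describes, because the visible change is limited to the await/complete pair and the reordering of get, add and put.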
@@ -905,7 +909,8 @@ intel_context_migrate_copy(struct intel_context *ce,
cond_resched();
} while (1);
-out_ce:
+ if (*out)
+ i915_sw_fence_complete(&(*out)->submit);
return err;
}
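Review bot: The tail `if (*out) i915_sw_fence_complete(&(*out)->submit);` is balanced only if every non-NULL *out that reaches it was stored by out_rq during this call. None of the hunks shows *out being cleared on entry, and the first i915_request_create() failure now reaches this tail through `break`, so a caller passing a stale non-NULL pointer would get a complete with no matching await. Please confirm that *out is set to NULL before the loop, or add that initialisation to this patch.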
@@ -1005,7 +1010,7 @@ intel_context_migrate_clear(struct intel_context *ce,
rq = i915_request_create(ce);
if (IS_ERR(rq)) {
err = PTR_ERR(rq);
- goto out_ce;
+ break;
}
if (deps) {
@@ -1056,17 +1061,23 @@ intel_context_migrate_clear(struct intel_context *ce,
/* Arbitration is re-enabled between requests. */
out_rq:
- if (*out)
- i915_request_put(*out);
- *out = i915_request_get(rq);
+ i915_sw_fence_await(&rq->submit);
+ i915_request_get(rq);
i915_request_add(rq);
+ if (*out) {
+ i915_sw_fence_complete(&(*out)->submit);
+ i915_request_put(*out);
+ }
+ *out = rq;
+
if (err || !it.sg || !sg_dma_len(it.sg))
break;
cond_resched();
} while (1);
-out_ce:
+ if (*out)
+ i915_sw_fence_complete(&(*out)->submit);
return err;
}
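Review bot: The out_rq sequence and the tail completion in intel_context_migrate_clear() duplicate the intel_context_migrate_copy() change line for line, apart from the blank line added after `*out = rq;` in this function only. Move the await/get/add steps and the complete/put of the previous request into one static helper called from both loops, so the await/complete pairing cannot drift between copy and clear. At minimum, make the blank line consistent between the two functions.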
--
2.39.1
Thadeu Lima de Souza Cascardo originally sent this patch but it failed to
merge because of a compilation error:
https://lore.kernel.org/bpf/20210830183211.339054-1-cascardo@canonical.com/…
v2:
Removed redefinition of tmp to fix compilation with CONFIG_BPF_JIT_ALWAYS_ON
enabled.
-Edward
==
The upstream changes necessary to fix these CVEs rely on the presence of JMP32,
which is not a small backport and brings its own potential set of necessary
follow-ups.
Daniel Borkmann, John Fastabend and Alexei Starovoitov came up with a fix
involving the use of the AX register.
This has been tested against the test_verifier in 4.14.y tree and some tests
specific to the two referred CVEs. The test_bpf module was also tested.
Daniel Borkmann (4):
bpf: Do not use ax register in interpreter on div/mod
bpf: fix subprog verifier bypass by div/mod by 0 exception
bpf: Fix 32 bit src register truncation on div/mod
bpf: Fix truncation handling for mod32 dst reg wrt zero
include/linux/filter.h | 24 ++++++++++++++++++++++++
kernel/bpf/core.c | 39 ++++++++++++++-------------------------
kernel/bpf/verifier.c | 39 +++++++++++++++++++++++++++++++--------
net/core/filter.c | 9 ++++++++-
4 files changed, 77 insertions(+), 34 deletions(-)
base-commit: a8ad60f2af5884921167e8cede5784c7849884b2
--
2.39.2.637.g21b0678d19-goog