The WinSystems WS16C48 I/O address region spans offsets 0x0 through 0xA,
which is a total of 11 bytes. Fix the WS16C48_EXTENT define to the
correct value of 11 so that access to necessary device registers is
properly requested in the ws16c48_probe() callback by the
devm_request_region() function call.
Fixes: 2c05a0f29f41 ("gpio: ws16c48: Implement and utilize register structures")
Cc: stable(a)vger.kernel.org
Cc: Paul Demetrotion <pdemetrotion(a)winsystems.com>
Signed-off-by: William Breathitt Gray <william.gray(a)linaro.org>
---
drivers/gpio/gpio-ws16c48.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpio/gpio-ws16c48.c b/drivers/gpio/gpio-ws16c48.c
index e73885a4dc32..afb42a8e916f 100644
--- a/drivers/gpio/gpio-ws16c48.c
+++ b/drivers/gpio/gpio-ws16c48.c
@@ -18,7 +18,7 @@
#include <linux/spinlock.h>
#include <linux/types.h>
-#define WS16C48_EXTENT 10
+#define WS16C48_EXTENT 11
#define MAX_NUM_WS16C48 max_num_isa_dev(WS16C48_EXTENT)
static unsigned int base[MAX_NUM_WS16C48];
base-commit: 4827aae061337251bb91801b316157a78b845ec7
--
2.39.2
The Processor _PDC buffer bits notify ACPI of the OS capabilities, and
so ACPI can adjust the return of other Processor methods taking the OS
capabilities into account.
When Linux is running as a Xen dom0, it's the hypervisor the entity
in charge of processor power management, and hence Xen needs to make
sure the capabilities reported in the _PDC buffer match the
capabilities of the driver in Xen.
Introduce a small helper to sanitize the buffer when running as Xen
dom0.
Signed-off-by: Roger Pau Monné <roger.pau(a)citrix.com>
Cc: stable(a)vger.kernel.org
---
arch/x86/include/asm/xen/hypervisor.h | 2 ++
arch/x86/xen/enlighten.c | 17 +++++++++++++++++
drivers/acpi/processor_pdc.c | 8 ++++++++
3 files changed, 27 insertions(+)
diff --git a/arch/x86/include/asm/xen/hypervisor.h b/arch/x86/include/asm/xen/hypervisor.h
index b9f512138043..b4ed90ef5e68 100644
--- a/arch/x86/include/asm/xen/hypervisor.h
+++ b/arch/x86/include/asm/xen/hypervisor.h
@@ -63,12 +63,14 @@ void __init mem_map_via_hcall(struct boot_params *boot_params_p);
#ifdef CONFIG_XEN_DOM0
bool __init xen_processor_present(uint32_t acpi_id);
+void xen_sanitize_pdc(uint32_t *buf);
#else
static inline bool xen_processor_present(uint32_t acpi_id)
{
BUG();
return false;
}
+static inline void xen_sanitize_pdc(uint32_t *buf) { BUG(); }
#endif
#endif /* _ASM_X86_XEN_HYPERVISOR_H */
diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
index d4c44361a26c..394dd6675113 100644
--- a/arch/x86/xen/enlighten.c
+++ b/arch/x86/xen/enlighten.c
@@ -372,4 +372,21 @@ bool __init xen_processor_present(uint32_t acpi_id)
return false;
}
+
+void xen_sanitize_pdc(uint32_t *buf)
+{
+ struct xen_platform_op op = {
+ .cmd = XENPF_set_processor_pminfo,
+ .interface_version = XENPF_INTERFACE_VERSION,
+ .u.set_pminfo.id = -1,
+ .u.set_pminfo.type = XEN_PM_PDC,
+ };
+ int ret;
+
+ set_xen_guest_handle(op.u.set_pminfo.pdc, buf);
+ ret = HYPERVISOR_platform_op(&op);
+ if (ret)
+ pr_info("sanitize of _PDC buffer bits from Xen failed: %d\n",
+ ret);
+}
#endif
diff --git a/drivers/acpi/processor_pdc.c b/drivers/acpi/processor_pdc.c
index 18fb04523f93..58f4c208517a 100644
--- a/drivers/acpi/processor_pdc.c
+++ b/drivers/acpi/processor_pdc.c
@@ -137,6 +137,14 @@ acpi_processor_eval_pdc(acpi_handle handle, struct acpi_object_list *pdc_in)
buffer[2] &= ~(ACPI_PDC_C_C2C3_FFH | ACPI_PDC_C_C1_FFH);
}
+ if (xen_initial_domain())
+ /*
+ * When Linux is running as Xen dom0 it's the hypervisor the
+ * entity in charge of the processor power management, and so
+ * Xen needs to check the OS capabilities reported in the _PDC
+ * buffer matches what the hypervisor driver supports.
+ */
+ xen_sanitize_pdc((uint32_t *)pdc_in->pointer->buffer.pointer);
status = acpi_evaluate_object(handle, "_PDC", pdc_in, NULL);
if (ACPI_FAILURE(status))
--
2.37.3
From: Hui Li <caelli(a)tencent.com>
We have met a hang on pty device, the reader was blocking
at epoll on master side, the writer was sleeping at wait_woken
inside n_tty_write on slave side, and the write buffer on
tty_port was full, we found that the reader and writer would
never be woken again and blocked forever.
The problem was caused by a race between reader and kworker:
n_tty_read(reader): n_tty_receive_buf_common(kworker):
copy_from_read_buf()|
|room = N_TTY_BUF_SIZE - (ldata->read_head - tail)
|room <= 0
n_tty_kick_worker() |
|ldata->no_room = true
After writing to slave device, writer wakes up kworker to flush
data on tty_port to reader, and the kworker finds that reader
has no room to store data so room <= 0 is met. At this moment,
reader consumes all the data on reader buffer and calls
n_tty_kick_worker to check ldata->no_room which is false and
reader quits reading. Then kworker sets ldata->no_room=true
and quits too.
If write buffer is not full, writer will wake kworker to flush data
again after following writes, but if write buffer is full and writer
goes to sleep, kworker will never be woken again and tty device is
blocked.
This problem can be solved with a check for read buffer size inside
n_tty_receive_buf_common, if read buffer is empty and ldata->no_room
is true, a call to n_tty_kick_worker is necessary to keep flushing
data to reader.
Cc: <stable(a)vger.kernel.org>
Fixes: 42458f41d08f ("n_tty: Ensure reader restarts worker for next reader")
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com>
Signed-off-by: Hui Li <caelli(a)tencent.com>
---
Patch changelogs between v1 and v2:
-add barrier inside n_tty_read and n_tty_receive_buf_common;
-comment why barrier is needed;
-access to ldata->no_room is changed with READ_ONCE and WRITE_ONCE;
Patch changelogs between v2 and v3:
-in function n_tty_receive_buf_common, add unlikely to check
ldata->no_room, eg: if (unlikely(ldata->no_room)), and READ_ONCE
is removed here to get locality;
-change comment for barrier to show the race condition to make
comment easier to understand;
Patch changelogs between v3 and v4:
-change subject from 'tty: fix a possible hang on tty device' to
'tty: fix hang on tty device with no_room set' to make subject
more obvious;
Patch changelogs between v4 and v5:
-name is changed from cael to caelli, li is added as the family
name and caelli is the fullname.
Patch changelogs between v5 and v6:
-change from and Signed-off-by, from 'caelli <juanfengpy(a)gmail.com>'
to 'caelli <caelli(a)tencent.com>', later one is my corporate address.
Patch changelogs between v6 and v7:
-change name from caelli to 'Hui Li', which is my name in chinese.
-the comment for barrier is improved, and a Fixes and Reviewed-by
tags is added.
drivers/tty/n_tty.c | 41 +++++++++++++++++++++++++++++++++++++----
1 file changed, 37 insertions(+), 4 deletions(-)
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index c8f56c9b1a1c..8c17304fffcf 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -204,8 +204,8 @@ static void n_tty_kick_worker(struct tty_struct *tty)
struct n_tty_data *ldata = tty->disc_data;
/* Did the input worker stop? Restart it */
- if (unlikely(ldata->no_room)) {
- ldata->no_room = 0;
+ if (unlikely(READ_ONCE(ldata->no_room))) {
+ WRITE_ONCE(ldata->no_room, 0);
WARN_RATELIMIT(tty->port->itty == NULL,
"scheduling with invalid itty\n");
@@ -1698,7 +1698,7 @@ n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp,
if (overflow && room < 0)
ldata->read_head--;
room = overflow;
- ldata->no_room = flow && !room;
+ WRITE_ONCE(ldata->no_room, flow && !room);
} else
overflow = 0;
@@ -1729,6 +1729,27 @@ n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp,
} else
n_tty_check_throttle(tty);
+ if (unlikely(ldata->no_room)) {
+ /*
+ * Barrier here is to ensure to read the latest read_tail in
+ * chars_in_buffer() and to make sure that read_tail is not loaded
+ * before ldata->no_room is set, otherwise, following race may occur:
+ * n_tty_receive_buf_common()
+ * n_tty_read()
+ * if (!chars_in_buffer(tty))->false
+ * copy_from_read_buf()
+ * read_tail=commit_head
+ * n_tty_kick_worker()
+ * if (ldata->no_room)->false
+ * ldata->no_room = 1
+ * Then both kworker and reader will fail to kick n_tty_kick_worker(),
+ * smp_mb is paired with smp_mb() in n_tty_read().
+ */
+ smp_mb();
+ if (!chars_in_buffer(tty))
+ n_tty_kick_worker(tty);
+ }
+
up_read(&tty->termios_rwsem);
return rcvd;
@@ -2282,8 +2303,25 @@ static ssize_t n_tty_read(struct tty_struct *tty, struct file *file,
if (time)
timeout = time;
}
- if (old_tail != ldata->read_tail)
+ if (old_tail != ldata->read_tail) {
+ /*
+ * Make sure no_room is not read in n_tty_kick_worker()
+ * before setting ldata->read_tail in copy_from_read_buf(),
+ * otherwise, following race may occur:
+ * n_tty_read()
+ * n_tty_receive_buf_common()
+ * n_tty_kick_worker()
+ * if(ldata->no_room)->false
+ * ldata->no_room = 1
+ * if (!chars_in_buffer(tty))->false
+ * copy_from_read_buf()
+ * read_tail=commit_head
+ * Both reader and kworker will fail to kick tty_buffer_restart_work(),
+ * smp_mb is paired with smp_mb() in n_tty_receive_buf_common().
+ */
+ smp_mb();
n_tty_kick_worker(tty);
+ }
up_read(&tty->termios_rwsem);
remove_wait_queue(&tty->read_wait, &wait);
--
2.27.0
From: Roberto Sassu <roberto.sassu(a)huawei.com>
Changelog:
v4:
- Replace sg_init_table()/sg_set_buf() with sg_init_one() (suggested by
Eric)
v3:
v2:
- Add patch by Herbert to take only the needed bytes for a MPI from the
scatterlist
- Use only one scatterlist for signature and digest (suggested by Eric)
- Rename key variable to buf (suggested by Eric)
- Rename key_max_len variable to buf_len
- Use size_t for the buf_len variable instead of u32
v1:
- Unconditionally copy the signature and digest to the buffer to keep the
code simple (suggested by Eric)
Herbert Xu (1):
lib/mpi: Fix buffer overrun when SG is too long
Roberto Sassu (1):
KEYS: asymmetric: Copy sig and digest in public_key_verify_signature()
crypto/asymmetric_keys/public_key.c | 38 ++++++++++++++++-------------
lib/mpi/mpicoder.c | 3 ++-
2 files changed, 23 insertions(+), 18 deletions(-)
--
2.25.1
From: Alexandr Sapozhnikov <alsp705(a)gmail.com>
[ Upstream commit 7245e629dcaaf308f1868aeffa218e9849c77893 ]
After having been compared to NULL value at cirrus.c:455, pointer
'pipe->plane.state->fb' is passed as 1st parameter in call to function
'cirrus_fb_blit_rect' at cirrus.c:461, where it is dereferenced at
cirrus.c:316.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
v2:
* aligned commit message to line-length limits
Signed-off-by: Alexandr Sapozhnikov <alsp705(a)gmail.com>
Reviewed-by: Thomas Zimmermann <tzimmermann(a)suse.de>
Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20230215171549.16305-1-alsp70…
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
---
drivers/gpu/drm/tiny/cirrus.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/tiny/cirrus.c b/drivers/gpu/drm/tiny/cirrus.c
index 678c2ef1cae70..ffa7e61dd1835 100644
--- a/drivers/gpu/drm/tiny/cirrus.c
+++ b/drivers/gpu/drm/tiny/cirrus.c
@@ -455,7 +455,7 @@ static void cirrus_pipe_update(struct drm_simple_display_pipe *pipe,
if (state->fb && cirrus->cpp != cirrus_cpp(state->fb))
cirrus_mode_set(cirrus, &crtc->mode, state->fb);
- if (drm_atomic_helper_damage_merged(old_state, state, &rect))
+ if (state->fb && drm_atomic_helper_damage_merged(old_state, state, &rect))
cirrus_fb_blit_rect(state->fb, &shadow_plane_state->data[0], &rect);
}
--
2.39.2
I'm announcing the release of the 5.15.104 kernel.
All users of the 5.15 kernel series must upgrade.
The updated 5.15.y git tree can be found at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.15.y
and can be browsed at the normal kernel.org git web browser:
https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary
thanks,
greg k-h
------------
Documentation/filesystems/vfs.rst | 2
Makefile | 2
arch/riscv/include/asm/mmu.h | 2
arch/riscv/include/asm/tlbflush.h | 18
arch/riscv/mm/context.c | 40 -
arch/riscv/mm/tlbflush.c | 28 -
arch/s390/boot/ipl_report.c | 8
arch/s390/pci/pci.c | 16
arch/s390/pci/pci_bus.c | 12
arch/s390/pci/pci_bus.h | 3
arch/x86/kernel/cpu/mce/core.c | 1
arch/x86/kernel/cpu/resctrl/ctrlmondata.c | 7
arch/x86/kernel/cpu/resctrl/internal.h | 1
arch/x86/kernel/cpu/resctrl/rdtgroup.c | 25 +
arch/x86/kvm/vmx/nested.c | 10
arch/x86/mm/mem_encrypt_identity.c | 3
drivers/block/loop.c | 25 -
drivers/block/null_blk/main.c | 6
drivers/block/sunvdc.c | 2
drivers/clk/Kconfig | 2
drivers/cpuidle/cpuidle-psci-domain.c | 3
drivers/firmware/xilinx/zynqmp.c | 2
drivers/gpu/drm/amd/amdkfd/kfd_events.c | 9
drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c | 5
drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c | 43 +-
drivers/gpu/drm/drm_gem_shmem_helper.c | 9
drivers/gpu/drm/i915/display/intel_display_types.h | 2
drivers/gpu/drm/i915/display/intel_psr.c | 207 +++++++---
drivers/gpu/drm/i915/gt/intel_ring.c | 2
drivers/gpu/drm/i915/i915_active.c | 24 -
drivers/gpu/drm/meson/meson_vpp.c | 2
drivers/gpu/drm/panfrost/panfrost_mmu.c | 2
drivers/gpu/drm/sun4i/sun4i_drv.c | 6
drivers/hid/hid-core.c | 18
drivers/hid/uhid.c | 1
drivers/hwmon/adt7475.c | 8
drivers/hwmon/ina3221.c | 2
drivers/hwmon/ltc2992.c | 1
drivers/hwmon/pmbus/adm1266.c | 1
drivers/hwmon/pmbus/ucd9000.c | 75 +++
drivers/hwmon/tmp513.c | 2
drivers/hwmon/xgene-hwmon.c | 1
drivers/interconnect/core.c | 4
drivers/interconnect/samsung/exynos.c | 6
drivers/media/i2c/m5mols/m5mols_core.c | 2
drivers/mmc/host/atmel-mci.c | 3
drivers/mmc/host/sdhci_am654.c | 2
drivers/net/bonding/bond_main.c | 23 -
drivers/net/dsa/mt7530.c | 64 +--
drivers/net/dsa/mv88e6xxx/chip.c | 16
drivers/net/ethernet/intel/i40e/i40e_main.c | 1
drivers/net/ethernet/intel/ice/ice.h | 14
drivers/net/ethernet/intel/ice/ice_main.c | 19
drivers/net/ethernet/intel/ice/ice_xsk.c | 4
drivers/net/ethernet/qlogic/qed/qed_dev.c | 5
drivers/net/ethernet/qlogic/qed/qed_mng_tlv.c | 2
drivers/net/ethernet/renesas/ravb_main.c | 12
drivers/net/ethernet/renesas/sh_eth.c | 12
drivers/net/ethernet/sun/ldmvsw.c | 3
drivers/net/ethernet/sun/sunvnet.c | 3
drivers/net/ipvlan/ipvlan_l3s.c | 1
drivers/net/phy/nxp-c45-tja11xx.c | 2
drivers/net/phy/smsc.c | 5
drivers/net/usb/smsc75xx.c | 7
drivers/nfc/pn533/usb.c | 1
drivers/nfc/st-nci/ndlc.c | 6
drivers/nvme/host/core.c | 28 -
drivers/nvme/host/pci.c | 2
drivers/nvme/target/core.c | 4
drivers/pci/bus.c | 21 +
drivers/pci/pci-driver.c | 4
drivers/pci/pci.c | 57 +-
drivers/pci/pci.h | 16
drivers/pci/pcie/dpc.c | 4
drivers/scsi/hosts.c | 3
drivers/scsi/mpt3sas/mpt3sas_transport.c | 14
drivers/tty/serial/8250/8250_em.c | 4
drivers/tty/serial/8250/8250_fsl.c | 4
drivers/tty/serial/fsl_lpuart.c | 12
drivers/vdpa/vdpa_sim/vdpa_sim.c | 13
drivers/video/fbdev/stifb.c | 27 +
fs/cifs/smb2inode.c | 31 +
fs/cifs/transport.c | 21 -
fs/ext4/inode.c | 18
fs/ext4/namei.c | 4
fs/ext4/super.c | 7
fs/ext4/xattr.c | 11
fs/jffs2/file.c | 15
include/drm/drm_bridge.h | 4
include/linux/hid.h | 3
include/linux/netdevice.h | 6
include/linux/pci.h | 1
include/linux/sh_intc.h | 5
include/linux/tracepoint.h | 15
io_uring/io_uring.c | 4
kernel/events/core.c | 2
kernel/trace/ftrace.c | 3
kernel/trace/trace.c | 2
kernel/trace/trace_events_hist.c | 3
kernel/trace/trace_hwlat.c | 3
mm/huge_memory.c | 6
net/9p/client.c | 2
net/ipv4/fib_frontend.c | 3
net/ipv4/ip_tunnel.c | 12
net/ipv4/tcp_output.c | 2
net/ipv6/ip6_tunnel.c | 4
net/iucv/iucv.c | 2
net/mptcp/pm_netlink.c | 16
net/mptcp/subflow.c | 12
net/netfilter/nft_masq.c | 2
net/netfilter/nft_nat.c | 2
net/netfilter/nft_redir.c | 4
net/smc/smc_cdc.c | 3
net/smc/smc_core.c | 2
net/xfrm/xfrm_state.c | 3
scripts/kconfig/confdata.c | 6
sound/hda/intel-dsp-config.c | 9
sound/pci/hda/hda_intel.c | 5
sound/pci/hda/patch_realtek.c | 1
tools/testing/selftests/net/devlink_port_split.py | 36 +
120 files changed, 919 insertions(+), 439 deletions(-)
Alex Hung (1):
drm/amd/display: fix shift-out-of-bounds in CalculateVMAndRowBytes
Alexandra Winter (1):
net/iucv: Fix size of interrupt data
Arınç ÜNAL (2):
net: dsa: mt7530: remove now incorrect comment regarding port 5
net: dsa: mt7530: set PLL frequency and trgmii only when trgmii is used
Baokun Li (3):
ext4: fail ext4_iget if special inode unallocated
ext4: update s_journal_inum if it changes after journal replay
ext4: fix task hung in ext4_xattr_delete_inode
Bard Liao (1):
ALSA: hda: intel-dsp-config: add MTL PCI id
Bart Van Assche (2):
scsi: core: Fix a procfs host directory removal regression
loop: Fix use-after-free issues
Biju Das (1):
serial: 8250_em: Fix UART port type
Bjorn Helgaas (1):
ALSA: hda: Match only Intel devices with CONTROLLER_IN_GPU()
Breno Leitao (1):
tcp: tcp_make_synack() can be called from process context
Budimir Markovic (1):
perf: Fix check before add_event_to_groups() in perf_group_detach()
Błażej Szczygieł (1):
drm/amd/pm: Fix sienna cichlid incorrect OD volage after resume
Chen Zhongjin (1):
ftrace: Fix invalid address access in lookup_rec() when index is 0
Christian Hewitt (1):
drm/meson: fix 1px pink line on GXM when scaling video overlay
D. Wythe (1):
net/smc: fix NULL sndbuf_desc in smc_cdc_tx_handler()
Damien Le Moal (2):
block: null_blk: Fix handling of fake timeout request
nvmet: avoid potential UAF in nvmet_req_complete()
Daniil Tatianin (2):
qed/qed_dev: guard against a possible division by zero
qed/qed_mng_tlv: correctly zero out ->min instead of ->hour
Dave Ertman (1):
ice: avoid bonding causing auxiliary plug/unplug under RTNL lock
David Hildenbrand (1):
mm/userfaultfd: propagate uffd-wp bit when PTE-mapping the huge zeropage
Dmitry Osipenko (2):
drm/panfrost: Don't sync rpm suspension after mmu flushing
drm/shmem-helper: Remove another errant put in error path
Elmer Miroslav Mosher Golovin (1):
nvme-pci: add NVME_QUIRK_BOGUS_NID for Netac NV3000
Eric Dumazet (1):
net: tunnels: annotate lockless accesses to dev->needed_headroom
Eric Van Hensbergen (1):
net/9p: fix bug in client create for .L
Eugenio Pérez (2):
vdpa_sim: not reset state in vdpasim_queue_ready
vdpa_sim: set last_used_idx as last_avail_idx in vdpasim_queue_ready
Fedor Pchelkin (2):
nfc: pn533: initialize struct pn533_out_arg properly
io_uring: avoid null-ptr-deref in io_arm_poll_handler
Francesco Dolcini (1):
mmc: sdhci_am654: lower power-on failed message severity
Geliang Tang (1):
mptcp: add ro_after_init for tcp{,v6}_prot_override
Glenn Washburn (1):
docs: Correct missing "d_" prefix for dentry_operations member d_weak_revalidate
Greg Kroah-Hartman (1):
Linux 5.15.104
Guo Ren (1):
riscv: asid: Fixup stale TLB entry cause application crash
Hamidreza H. Fard (1):
ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book2 Pro
Heiner Kallweit (1):
net: phy: smsc: bail out in lan87xx_read_status if genphy_read_status fails
Helge Deller (1):
fbdev: stifb: Provide valid pixelclock and add fb_check_var() checks
Herbert Xu (1):
xfrm: Allow transport-mode states with AF_UNSPEC selector
Ido Schimmel (1):
ipv4: Fix incorrect table ID in IOCTL path
Ivan Vecera (1):
i40e: Fix kernel crash during reboot when adapter is in recovery mode
Janusz Krzysztofik (1):
drm/i915/active: Fix misuse of non-idle barriers as fence trackers
Jeremy Sowden (4):
netfilter: nft_nat: correct length for loading protocol registers
netfilter: nft_masq: correct length for loading protocol registers
netfilter: nft_redir: correct length for loading protocol registers
netfilter: nft_redir: correct value of inet type `.maxattrs`
Jianguo Wu (1):
ipvlan: Make skb->skb_iif track skb->dev for l3s mode
Johan Hovold (4):
serial: 8250_fsl: fix handle_irq locking
interconnect: fix mem leak when freeing nodes
interconnect: exynos: fix node leak in probe PM QoS error path
drm/sun4i: fix missing component unbind on bind errors
John Harrison (1):
drm/i915: Don't use stolen memory for ring buffers with LLC
José Roberto de Souza (3):
drm/i915/display: Workaround cursor left overs with PSR2 selective fetch enabled
drm/i915/display/psr: Use drm damage helpers to calculate plane damaged area
drm/i915/display/psr: Handle plane and pipe restrictions at every page flip
Jouni Högander (1):
drm/i915/psr: Use calculated io and fast wake lines
Jurica Vukadin (1):
kconfig: Update config changed flag before calling callback
Krzysztof Kozlowski (1):
hwmon: tmp512: drop of_match_ptr for ID table
Lars-Peter Clausen (3):
hwmon: (ucd90320) Add minimum delay between bus accesses
hwmon: (adm1266) Set `can_sleep` flag for GPIO chip
hwmon: (ltc2992) Set `can_sleep` flag for GPIO chip
Lee Jones (2):
HID: core: Provide new max_buffer_size attribute to over-ride the default
HID: uhid: Over-ride the default maximum data buffer value with our own
Liang He (2):
block: sunvdc: add check for mdesc_grab() returning NULL
ethernet: sun: add check for the mdesc_grab()
Linus Torvalds (1):
media: m5mols: fix off-by-one loop termination error
Liu Ying (1):
drm/bridge: Fix returned array size name for atomic_get_input_bus_fmts kdoc
Lukas Wunner (2):
PCI: Unify delay handling for reset and resume
PCI/DPC: Await readiness of secondary bus after reset
Maciej Fijalkowski (1):
ice: xsk: disable txq irq before flushing hw
Marcus Folkesson (1):
hwmon: (ina3221) return prober error code
Matthieu Baerts (1):
mptcp: avoid setting TCP_CLOSE state twice
Michael Karcher (1):
sh: intc: Avoid spurious sizeof-pointer-div warning
Ming Lei (1):
nvme: fix handling single range discard request
Nikita Zhandarovich (1):
x86/mm: Fix use of uninitialized buffer in sme_enable()
Niklas Schnelle (1):
PCI: s390: Fix use-after-free of PCI resources with per-function hotplug
Nikolay Aleksandrov (2):
bonding: restore IFF_MASTER/SLAVE flags on bond enslave ether type change
bonding: restore bond's IFF_SLAVE flag if a non-eth dev enslave fails
Paolo Abeni (2):
mptcp: fix possible deadlock in subflow_error_report
mptcp: fix lockdep false positive in mptcp_pm_nl_create_listen_socket()
Paolo Bonzini (1):
KVM: nVMX: add missing consistency checks for CR0 and CR4
Po-Hsu Lin (1):
selftests: net: devlink_port_split.py: skip test if no suitable device available
Qu Huang (1):
drm/amdkfd: Fix an illegal memory access
Radu Pirea (OSS) (1):
net: phy: nxp-c45-tja11xx: fix MII_BASIC_CONFIG_REV bit
Randy Dunlap (1):
clk: HI655X: select REGMAP instead of depending on it
Roman Gushchin (1):
firmware: xilinx: don't make a sleepable memory allocation from an atomic context
Sergey Matyukevich (1):
Revert "riscv: mm: notify remote harts about mmu cache updates"
Shawn Guo (1):
cpuidle: psci: Iterate backwards over list in psci_pd_remove()
Shawn Wang (1):
x86/resctrl: Clear staged_config[] before and after it is used
Sherry Sun (1):
tty: serial: fsl_lpuart: skip waiting for transmission complete when UARTCTRL_SBK is asserted
Steven Rostedt (Google) (2):
tracing: Check field value in hist_field_name()
tracing: Make tracepoint lockdep check actually test something
Sung-hun Kim (1):
tracing: Make splice_read available again
Sven Schnelle (1):
s390/ipl: add missing intersection check to ipl_report handling
Szymon Heidrich (2):
net: usb: smsc75xx: Limit packet length to skb->len
net: usb: smsc75xx: Move packet length check to prevent kernel panic in skb_pull
Tero Kristo (1):
trace/hwlat: Do not wipe the contents of per-cpu thread data
Theodore Ts'o (1):
ext4: fix possible double unlock when moving a directory
Tobias Schramm (1):
mmc: atmel-mci: fix race between stop command and start of next command
Tom Rix (1):
drm/i915/display: clean up comments
Tony O'Brien (2):
hwmon: (adt7475) Display smoothing attributes in correct order
hwmon: (adt7475) Fix masking of hysteresis registers
Vladimir Oltean (1):
net: dsa: mv88e6xxx: fix max_mtu of 1492 on 6165, 6191, 6220, 6250, 6290
Volker Lendecke (1):
cifs: Fix smb2_set_path_size()
Wenchao Hao (1):
scsi: mpt3sas: Fix NULL pointer access in mpt3sas_transport_port_add()
Wenjia Zhang (1):
net/smc: fix deadlock triggered by cancel_delayed_work_syn()
Wolfram Sang (2):
ravb: avoid PHY being resumed when interface is not up
sh_eth: avoid PHY being resumed when interface is not up
Yazen Ghannam (1):
x86/mce: Make sure logged MCEs are processed after sysfs update
Yifei Liu (1):
jffs2: correct logic when creating a hole in jffs2_write_begin
Zhang Xiaoxu (1):
cifs: Move the in_send statistic to __smb_send_rqst()
Zheng Wang (2):
nfc: st-nci: Fix use after free bug in ndlc_remove due to race condition
hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove due to race condition
When we are renaming a directory to a different directory, we need to
update '..' entry in the moved directory. However nothing prevents moved
directory from being modified and even converted from the inline format
to the normal format. When such race happens the rename code gets
confused and we crash. Fix the problem by locking the moved directory.
CC: stable(a)vger.kernel.org
Fixes: 32f7f22c0b52 ("ext4: let ext4_rename handle inline dir")
Signed-off-by: Jan Kara <jack(a)suse.cz>
---
fs/ext4/namei.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
index dd28453d6ea3..270fbcba75b6 100644
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -3872,9 +3872,16 @@ static int ext4_rename(struct user_namespace *mnt_userns, struct inode *old_dir,
if (new.dir != old.dir && EXT4_DIR_LINK_MAX(new.dir))
goto end_rename;
}
+ /*
+ * We need to protect against old.inode directory getting
+ * converted from inline directory format into a normal one.
+ */
+ inode_lock_nested(old.inode, I_MUTEX_NONDIR2);
retval = ext4_rename_dir_prepare(handle, &old);
- if (retval)
+ if (retval) {
+ inode_unlock(old.inode);
goto end_rename;
+ }
}
/*
* If we're renaming a file within an inline_data dir and adding or
@@ -4006,6 +4013,8 @@ static int ext4_rename(struct user_namespace *mnt_userns, struct inode *old_dir,
} else {
ext4_journal_stop(handle);
}
+ if (old.dir_bh)
+ inode_unlock(old.inode);
release_bh:
brelse(old.dir_bh);
brelse(old.bh);
--
2.35.3