I'm announcing the release of the 6.2.14 kernel.
All users of the 6.2 kernel series must upgrade.
The updated 6.2.y git tree can be found at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.2.y
and can be browsed at the normal kernel.org git web browser:
https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary
thanks,
greg k-h
------------
Documentation/riscv/vm-layout.rst | 6
Makefile | 2
arch/riscv/include/asm/fixmap.h | 8
arch/riscv/include/asm/pgtable.h | 8
arch/riscv/kernel/setup.c | 6
arch/riscv/mm/init.c | 82 +++-----
arch/x86/Makefile.um | 11 +
drivers/base/dd.c | 7
drivers/gpio/gpiolib-acpi.c | 13 +
drivers/gpu/drm/drm_fb_helper.c | 3
drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 9
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 5
drivers/usb/serial/option.c | 6
fs/btrfs/send.c | 2
fs/btrfs/volumes.c | 2
include/linux/mmc/sdio_ids.h | 5
kernel/rcu/tree.c | 27 +-
mm/mempolicy.c | 115 +++++-------
net/bluetooth/hci_sock.c | 9
19 files changed, 193 insertions(+), 133 deletions(-)
Alexandre Ghiti (3):
riscv: Move early dtb mapping into the fixmap region
riscv: Do not set initial_boot_params to the linear address of the dtb
riscv: No need to relocate the dtb as it lies in the fixmap region
Arınç ÜNAL (1):
USB: serial: option: add UNISOC vendor and TOZED LT70C product
Daniel Vetter (1):
drm/fb-helper: set x/yres_virtual in drm_fb_helper_check_var
David Gow (2):
rust: arch/um: Disable FP/SIMD instruction to match x86
um: Only disable SSE on clang to work around old GCC bugs
Genjian Zhang (1):
btrfs: fix uninitialized variable warnings
Greg Kroah-Hartman (1):
Linux 6.2.14
Jisoo Jang (1):
wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()
Liam R. Howlett (1):
mm/mempolicy: fix use-after-free of VMA iterator
Marek Vasut (1):
wifi: brcmfmac: add Cypress 43439 SDIO ids
Ruihan Li (1):
bluetooth: Perform careful capability checks in hci_sock_ioctl()
Stephen Boyd (1):
driver core: Don't require dynamic_debug for initcall_debug probe timing
Werner Sembach (1):
gpiolib: acpi: Add a ignore wakeup quirk for Clevo NL5xNU
Ziwei Dai (1):
rcu/kvfree: Avoid freeing new kfree_rcu() memory after old grace period
I'm announcing the release of the 5.15.110 kernel.
All users of the 5.15 kernel series must upgrade.
The updated 5.15.y git tree can be found at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.15.y
and can be browsed at the normal kernel.org git web browser:
https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary
thanks,
greg k-h
------------
Documentation/riscv/vm-layout.rst | 2
Makefile | 2
arch/arm64/kvm/mmu.c | 47 +++-----
arch/arm64/kvm/psci.c | 2
arch/riscv/include/asm/fixmap.h | 8 +
arch/riscv/include/asm/pgtable.h | 8 +
arch/riscv/kernel/setup.c | 6 -
arch/riscv/mm/init.c | 68 ++++++------
drivers/base/dd.c | 7 +
drivers/gpu/drm/drm_fb_helper.c | 3
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 5
drivers/pci/pci.c | 3
drivers/pci/pci.h | 2
drivers/pci/pcie/aspm.c | 19 ---
drivers/usb/serial/option.c | 6 +
net/bluetooth/hci_sock.c | 9 +
tools/testing/selftests/kselftest/runner.sh | 28 +++-
tools/testing/selftests/net/mptcp/mptcp_join.sh | 2
18 files changed, 123 insertions(+), 104 deletions(-)
Alexandre Ghiti (3):
riscv: Move early dtb mapping into the fixmap region
riscv: Do not set initial_boot_params to the linear address of the dtb
riscv: No need to relocate the dtb as it lies in the fixmap region
Arınç ÜNAL (1):
USB: serial: option: add UNISOC vendor and TOZED LT70C product
Dan Carpenter (1):
KVM: arm64: Fix buffer overflow in kvm_arm_set_fw_reg()
Daniel Vetter (1):
drm/fb-helper: set x/yres_virtual in drm_fb_helper_check_var
David Matlack (1):
KVM: arm64: Retry fault if vma_lookup() results become invalid
Greg Kroah-Hartman (1):
Linux 5.15.110
Jisoo Jang (1):
wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()
Kai-Heng Feng (1):
PCI/ASPM: Remove pcie_aspm_pm_state_change()
Matthieu Baerts (1):
selftests: mptcp: join: fix "invalid address, ADD_ADDR timeout"
Ruihan Li (1):
bluetooth: Perform careful capability checks in hci_sock_ioctl()
SeongJae Park (1):
selftests/kselftest/runner/run_one(): allow running non-executable files
Stephen Boyd (1):
driver core: Don't require dynamic_debug for initcall_debug probe timing
The patch titled
Subject: mm/mempolicy: correctly update prev when policy is equal on mbind
has been added to the -mm mm-hotfixes-unstable branch. Its filename is
mm-mempolicy-correctly-update-prev-when-policy-is-equal-on-mbind.patch
This patch will shortly appear at
https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche…
This patch will later appear in the mm-hotfixes-unstable branch at
git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next via the mm-everything
branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there every 2-3 working days
------------------------------------------------------
From: Lorenzo Stoakes <lstoakes(a)gmail.com>
Subject: mm/mempolicy: correctly update prev when policy is equal on mbind
Date: Sun, 30 Apr 2023 16:07:07 +0100
The refactoring in commit f4e9e0e69468 ("mm/mempolicy: fix use-after-free
of VMA iterator") introduces a subtle bug which arises when attempting to
apply a new NUMA policy across a range of VMAs in mbind_range().
The refactoring passes a **prev pointer to keep track of the previous VMA
in order to reduce duplication, and in all but one case it keeps this
correctly updated.
The bug arises when a VMA within the specified range has an equivalent
policy as determined by mpol_equal() - which unlike other cases, does not
update prev.
This can result in a situation where, later in the iteration, a VMA is
found whose policy does need to change. At this point, vma_merge() is
invoked with prev pointing to a VMA which is before the previous VMA.
Since vma_merge() discovers the curr VMA by looking for the one
immediately after prev, it will now be in a situation where this VMA is
incorrect and the merge will not proceed correctly.
This is checked in the VM_WARN_ON() invariant case with end >
curr->vm_end, which, if a merge is possible, results in a warning (if
CONFIG_DEBUG_VM is specified).
I note that vma_merge() performs these invariant checks only after
merge_prev/merge_next are checked, which is debatable as it hides this
issue if no merge is possible even though a buggy situation has arisen.
The solution is simply to update the prev pointer even when policies are
equal.
This caused a bug to arise in the 6.2.y stable tree, and this patch
resolves this bug.
Link: https://lkml.kernel.org/r/83f1d612acb519d777bebf7f3359317c4e7f4265.16828666…
Fixes: f4e9e0e69468 ("mm/mempolicy: fix use-after-free of VMA iterator")
Signed-off-by: Lorenzo Stoakes <lstoakes(a)gmail.com>
Reported-by: kernel test robot <oliver.sang(a)intel.com>
Link: https://lore.kernel.org/oe-lkp/202304292203.44ddeff6-oliver.sang@intel.com
Cc: Liam R. Howlett <Liam.Howlett(a)oracle.com>
Cc: Mel Gorman <mgorman(a)suse.de>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---
mm/mempolicy.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/mm/mempolicy.c~mm-mempolicy-correctly-update-prev-when-policy-is-equal-on-mbind
+++ a/mm/mempolicy.c
@@ -808,8 +808,10 @@ static int mbind_range(struct vma_iterat
vmstart = vma->vm_start;
}
- if (mpol_equal(vma_policy(vma), new_pol))
+ if (mpol_equal(vma_policy(vma), new_pol)) {
+ *prev = vma;
return 0;
+ }
pgoff = vma->vm_pgoff + ((vmstart - vma->vm_start) >> PAGE_SHIFT);
merged = vma_merge(vmi, vma->vm_mm, *prev, vmstart, vmend, vma->vm_flags,
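Review bot: The new `*prev = vma;` in the mpol_equal() early-return branch carries no comment explaining why a path that changes nothing must still advance prev. The changelog says vma_merge() finds curr by looking immediately after prev, so a one-line comment above the assignment stating that invariant would keep a later cleanup from dropping it.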
_
Patches currently in -mm which might be from lstoakes(a)gmail.com are
mm-mempolicy-correctly-update-prev-when-policy-is-equal-on-mbind.patch
The refactoring in commit f4e9e0e69468 ("mm/mempolicy: fix use-after-free
of VMA iterator") introduces a subtle bug which arises when attempting to
apply a new NUMA policy across a range of VMAs in mbind_range().
The refactoring passes a **prev pointer to keep track of the previous VMA
in order to reduce duplication, and in all but one case it keeps this
correctly updated.
The bug arises when a VMA within the specified range has an equivalent
policy as determined by mpol_equal() - which unlike other cases, does not
update prev.
This can result in a situation where, later in the iteration, a VMA is
found whose policy does need to change. At this point, vma_merge() is
invoked with prev pointing to a VMA which is before the previous VMA.
Since vma_merge() discovers the curr VMA by looking for the one immediately
after prev, it will now be in a situation where this VMA is incorrect and
the merge will not proceed correctly.
This is checked in the VM_WARN_ON() invariant case with end > curr->vm_end,
which, if a merge is possible, results in a warning (if CONFIG_DEBUG_VM is
specified).
I note that vma_merge() performs these invariant checks only after
merge_prev/merge_next are checked, which is debatable as it hides this
issue if no merge is possible even though a buggy situation has arisen.
The solution is simply to update the prev pointer even when policies are
equal.
This caused a bug to arise in the 6.2.y stable tree, and this patch
resolves this bug.
Reported-by: kernel test robot <oliver.sang(a)intel.com>
Link: https://lore.kernel.org/oe-lkp/202304292203.44ddeff6-oliver.sang@intel.com
Fixes: f4e9e0e69468 ("mm/mempolicy: fix use-after-free of VMA iterator")
Signed-off-by: Lorenzo Stoakes <lstoakes(a)gmail.com>
Cc: <stable(a)vger.kernel.org>
---
v2: updated to correctly cc the stable list :)
v1:
https://lore.kernel.org/all/db42467a692d78c654ec5c1953329401bd8a9c34.168285…
mm/mempolicy.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index 2068b594dc88..1756389a0609 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -808,8 +808,10 @@ static int mbind_range(struct vma_iterator *vmi, struct vm_area_struct *vma,
vmstart = vma->vm_start;
}
- if (mpol_equal(vma_policy(vma), new_pol))
+ if (mpol_equal(vma_policy(vma), new_pol)) {
+ *prev = vma;
return 0;
+ }
pgoff = vma->vm_pgoff + ((vmstart - vma->vm_start) >> PAGE_SHIFT);
merged = vma_merge(vmi, vma->vm_mm, *prev, vmstart, vmend, vma->vm_flags,
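Review bot: The early return in the mpol_equal() branch now has to remember `*prev = vma;` by hand, and the changelog notes this was the one path that missed the update. Consider routing this return through a single exit that sets *prev, so a future early return added to mbind_range() cannot skip it.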
--
2.40.1
The refactoring in commit f4e9e0e69468 ("mm/mempolicy: fix use-after-free
of VMA iterator") introduces a subtle bug which arises when attempting to
apply a new NUMA policy across a range of VMAs in mbind_range().
The refactoring passes a **prev pointer to keep track of the previous VMA
in order to reduce duplication, and in all but one case it keeps this
correctly updated.
The bug arises when a VMA within the specified range has an equivalent
policy as determined by mpol_equal() - which unlike other cases, does not
update prev.
This can result in a situation where, later in the iteration, a VMA is
found whose policy does need to change. At this point, vma_merge() is
invoked with prev pointing to a VMA which is before the previous VMA.
Since vma_merge() discovers the curr VMA by looking for the one immediately
after prev, it will now be in a situation where this VMA is incorrect and
the merge will not proceed correctly.
This is checked in the VM_WARN_ON() invariant case with end > curr->vm_end,
which, if a merge is possible, results in a warning (if CONFIG_DEBUG_VM is
specified).
I note that vma_merge() performs these invariant checks only after
merge_prev/merge_next are checked, which is debatable as it hides this
issue if no merge is possible even though a buggy situation has arisen.
The solution is simply to update the prev pointer even when policies are
equal.
This caused a bug to arise in the 6.2.y stable tree, and this patch
resolves this bug.
Reported-by: kernel test robot <oliver.sang(a)intel.com>
Link: https://lore.kernel.org/oe-lkp/202304292203.44ddeff6-oliver.sang@intel.com
Fixes: f4e9e0e69468 ("mm/mempolicy: fix use-after-free of VMA iterator")
Signed-off-by: Lorenzo Stoakes <lstoakes(a)gmail.com>
---
mm/mempolicy.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index 2068b594dc88..1756389a0609 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -808,8 +808,10 @@ static int mbind_range(struct vma_iterator *vmi, struct vm_area_struct *vma,
vmstart = vma->vm_start;
}
- if (mpol_equal(vma_policy(vma), new_pol))
+ if (mpol_equal(vma_policy(vma), new_pol)) {
+ *prev = vma;
return 0;
+ }
pgoff = vma->vm_pgoff + ((vmstart - vma->vm_start) >> PAGE_SHIFT);
merged = vma_merge(vmi, vma->vm_mm, *prev, vmstart, vmend, vma->vm_flags,
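Review bot: Nothing accompanies the `*prev = vma;` fix in the mpol_equal() branch to exercise it, and per the changelog the failure only surfaces as a VM_WARN_ON() with CONFIG_DEBUG_VM when a merge is possible. A selftest that calls mbind() across several VMAs where one in the middle already has the target policy would catch a regression here.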
--
2.40.1
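The stale-prev failure described in the commit message above, as an added user-space example that is not part of the original mails or of the kernel source. The `struct vma`, `merge_invariant_broken()`, `mbind_step()` and `count_violations()` names are hypothetical, and the model assumes only what the changelog states: the merge step takes curr to be the VMA immediately after prev and checks `end > curr->end`.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy stand-in for a VMA (hypothetical, heavily simplified). */
struct vma { unsigned long start, end; int policy; };

/* Model of the merge lookup: curr is the VMA right after prev.
 * Returns 1 when the "end > curr->end" invariant is violated. */
static int merge_invariant_broken(struct vma *v, size_t n,
                                  struct vma *prev, unsigned long end)
{
    struct vma *curr = prev ? prev + 1 : v;
    return curr < v + n && end > curr->end;
}

/* Model of one mbind_range() call. fixed == 0 reproduces the pre-patch
 * early return that leaves *prev untouched when policies are equal. */
static int mbind_step(struct vma *v, size_t n, struct vma *vma,
                      struct vma **prev, int new_pol, int fixed)
{
    int broken;

    if (vma->policy == new_pol) {
        if (fixed)
            *prev = vma;        /* the one-line fix from the patch */
        return 0;
    }
    broken = merge_invariant_broken(v, n, *prev, vma->end);
    vma->policy = new_pol;
    *prev = vma;
    return broken;
}

/* Apply policy 1 across three adjacent VMAs; count invariant violations. */
int count_violations(int fixed)
{
    /* Constructed sample: the middle VMA already has the target policy. */
    struct vma v[] = { {0x1000, 0x2000, 0}, {0x2000, 0x3000, 1},
                       {0x3000, 0x4000, 0} };
    struct vma *prev = NULL;
    int bad = 0;

    for (size_t i = 0; i < 3; i++)
        bad += mbind_step(v, 3, &v[i], &prev, 1, fixed);
    return bad;
}

int main(void)
{
    printf("pre-patch violations: %d\n", count_violations(0));
    printf("patched violations:   %d\n", count_violations(1));
    return 0;
}
```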