Hi,
As I promised on the "AUTOSEL process" centi-thread
(https://lore.kernel.org/stable/20230226034256.771769-12-sashal@kernel.org/T…),
I've developed some new scripts that can be found at
https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/stable-tools.git :
- `find-orig-patch`: Finds the original patch email from a git commit.
It first checks for a matching "Message-Id:" or "Link:" from the git commit.
If that fails, it falls back to a search of https://lore.kernel.org by
commit title and uses some heuristics to try to find the right patch email.
- `find-orig-series`: Like find-orig-patch but outputs the full series.
- `find-missing-prereqs`: Finds commits that were backported without previous
patches in their original series also being backported. It accepts a range of
git commits. I also added an option to filter the results by AUTOSEL only.
For more information, see the README at
https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/stable-tools.git/t…
Note: since it wasn't clear where to put these or how to integrate them into
anything else, for now this is a completely standalone project. Perhaps the
find-orig-patch functionality would be a nice feature for b4, but the more
stable-kernel-maintenance-specific logic should be in a separate project. BTW,
I used the same language and license as b4: Python and GPLv2+.
I wrote some regression tests that show that find-missing-prereqs is able to
detect the missing patches for a couple examples of missed backports that broke
users, including the recent blk-cgroup one
(https://lore.kernel.org/linux-block/CAOCAAm4reGhz400DSVrh0BetYD3Ljr2CZen7_3…).
For another example, at the end of this email I've also pasted the output of
'find-missing-prereqs v6.1.24..v6.1.26', which covers the last couple weeks of
6.1. I don't immediately see anything super interesting in there, and it picked
up a few very long patchsets which is a bit annoying (maybe very long patchsets
generally aren't interesting and should be skipped?). But it's just an example.
Something that could be built on top of this is a script that applies the
patches from the stable-queue repository for each stable kernel version, and
generates a report about each one. BTW, I can work on these scripts more, but
what I can't commit to doing is manually sending out reports every week... I
hope that this can be automated and/or adopted by the stable maintainers.
Here's the output of 'find-missing-prereqs v6.1.24..v6.1.26':
The following commit(s):
[PATCH 24/33] commit 779fd2a575cc ("drm/amd/display: Pass the right info to drm_dp_remove_payload")
... are backported without earlier commit(s) in series:
[PATCH 1/33] commit de534c1cb031 ("drm/amd/display: Add height granularity limitation for dsc slice height calculation")
[PATCH 2/33] commit aee0c07a74d3 ("drm/amd/display: Unify DC logging for BW Alloc")
[PATCH 3/33] commit 67d198da2fd4 ("drm/amd/display: When blanking during init loop to find OPP index")
[PATCH 4/33] commit c93aa7f33e94 ("drm/amd/display: 3.2.225")
[PATCH 5/33] commit 0db13eae41fc ("drm/amd/display: Add minimum Z8 residency debug option")
[PATCH 6/33] commit 0215ce9057ed ("drm/amd/display: Update minimum stutter residency for DCN314 Z8")
[PATCH 7/33] commit c0a561d96a28 ("drm/amd/display: Drop CONFIG_DRM_AMD_DC_HDR")
[PATCH 8/33] commit 11efe095dfe0 ("drm/amd/display: Fix no-DCN build")
[PATCH 9/33] commit ab487ea8910d ("drm/amd/display: fix typo in dc_dsc_config_options structure")
[PATCH 10/33] commit 1e88eb1b2c25 ("drm/amd/display: Drop CONFIG_DRM_AMD_DC_HDCP")
[PATCH 11/33] commit efa4c4df864e ("drm/amd/display: call remove_stream_from_ctx from res_pool funcs")
[PATCH 12/33] commit 84c03df58d8b ("drm/amd/display: Build DSC without DCN config")
[PATCH 13/33] commit 36516001a7c9 ("drm/amd/display: move dc_link functions in accessories folder to dc_link_exports")
[PATCH 14/33] commit 76f5dc40ebb1 ("drm/amd/display: move dc_link functions in link root folder to dc_link_exports")
[PATCH 15/33] commit 6455cb522191 ("drm/amd/display: link link_dp_dpia_bw.o in makefile")
[PATCH 16/33] commit 202a3816f37e ("drm/amd/display: move dc_link functions in protocols folder to dc_link_exports")
[PATCH 17/33] commit 788c6e2ce5c7 ("drm/amd/display: replace all dc_link function call in link with link functions")
[PATCH 18/33] commit 34fd6df78869 ("drm/amd/display: Simplify register offsets")
[PATCH 19/33] commit 2b02d746c181 ("drm/amd/display: Keep PHY active for dp config")
[PATCH 21/33] commit bf77fda02411 ("drm/amd/display: Drop unnecessary DCN guards")
[PATCH 22/33] commit 4652ae7a51b7 ("drm/amd/display: Rename DCN config to FP")
[PATCH 23/33] commit de930140bb57 ("drm/amd/display: Update to correct min FCLK when construction BB")
Original patch series is "[PATCH 00/33] DC Patches Mar 6th, 2023"
(https://lore.kernel.org/r/20230303154022.2667-1-qingqing.zhuo@amd.com)
The following commit(s):
[PATCH 2/4] commit 3570f3cc4aab ("RDMA/erdma: Update default EQ depth to 4096 and max_send_wr to 8192")
[PATCH 3/4] commit d682c9bc41fa ("RDMA/erdma: Inline mtt entries into WQE if supported")
[PATCH 4/4] commit 132918e08e86 ("RDMA/erdma: Defer probing if netdevice can not be found")
... are backported without earlier commit(s) in series:
[PATCH 1/4] commit 3fe26c0493e4 ("RDMA/erdma: Fix some typos")
Original patch series is "[PATCH for-rc 0/4] RDMA/erdma: erdma fixes 3-20-2023"
(https://lore.kernel.org/r/20230320084652.16807-1-chengyou@linux.alibaba.com)
The following commit(s):
[PATCH 15/26] commit 361b02e68181 ("KVM: arm64: Initialise hypervisor copies of host symbols unconditionally")
... are backported without earlier commit(s) in series:
[PATCH 1/26] commit 0f4f7ae10ee4 ("KVM: arm64: Move hyp refcount manipulation helpers to common header file")
[PATCH 2/26] commit 72a5bc0f153c ("KVM: arm64: Allow attaching of non-coalescable pages to a hyp pool")
[PATCH 3/26] commit 8e6bcc3a4502 ("KVM: arm64: Back the hypervisor 'struct hyp_page' array for all memory")
[PATCH 4/26] commit 0d16d12eb26e ("KVM: arm64: Fix-up hyp stage-1 refcounts for all pages mapped at EL2")
[PATCH 5/26] commit 33bc332d4061 ("KVM: arm64: Unify identifiers used to distinguish host and hypervisor")
[PATCH 6/26] commit 1ed5c24c26f4 ("KVM: arm64: Implement do_donate() helper for donating memory")
[PATCH 7/26] commit 43c1ff8b7501 ("KVM: arm64: Prevent the donation of no-map pages")
[PATCH 8/26] commit 9926cfce8dcb ("KVM: arm64: Add helpers to pin memory shared with the hypervisor at EL2")
[PATCH 9/26] commit 4d968b12e6bb ("KVM: arm64: Include asm/kvm_mmu.h in nvhe/mem_protect.h")
[PATCH 10/26] commit 1c80002e3264 ("KVM: arm64: Add hyp_spinlock_t static initializer")
[PATCH 11/26] commit 5304002dc375 ("KVM: arm64: Rename 'host_kvm' to 'host_mmu'")
[PATCH 12/26] commit a1ec5c70d3f6 ("KVM: arm64: Add infrastructure to create and track pKVM instances at EL2")
[PATCH 13/26] commit 9d0c063a4d1d ("KVM: arm64: Instantiate pKVM hypervisor VM and vCPU structures from EL1")
[PATCH 14/26] commit aa6948f82f0b ("KVM: arm64: Add per-cpu fixmap infrastructure at EL2")
Original patch series is "[PATCH v6 00/26] KVM: arm64: Introduce pKVM hyp VM and vCPU state at EL2"
(https://lore.kernel.org/r/20221110190259.26861-1-will@kernel.org)
The following commit(s):
[PATCH 2/2] commit 2fcfd51add22 ("Bluetooth: SCO: Fix possible circular locking dependency sco_sock_getsockopt")
... are backported without earlier commit(s) in series:
[PATCH 1/2] commit 9a8ec9e8ebb5 ("Bluetooth: SCO: Fix possible circular locking dependency on sco_connect_cfm")
The following commit(s):
[PATCH 3/4] commit 5620eeb379d1 ("tracing: Add trace_array_puts() to write into instance")
... are backported without earlier commit(s) in series:
[PATCH 1/4] commit cb1f98c5e574 ("tracing: Add creation of instances at boot command line")
[PATCH 2/4] commit c4846480831e ("tracing: Add enabling of events to boot instances")
Original patch series is "[PATCH v2 0/4] tracing: Addition of tracing instances via kernel command line"
(https://lore.kernel.org/r/20230207172849.461894073@goodmis.org)
The following commit(s):
[PATCH 36/66] commit 4ac57c3fe2c0 ("drm/amd/display: set dcn315 lb bpp to 48")
... are backported without earlier commit(s) in series:
[PATCH 31/66] commit 0b5dfe12755f ("drm/amd/display: fix a divided-by-zero error")
[PATCH 35/66] commit 1e994cc0956b ("drm/amd/display: limit timing for single dimm memory")
Original patch series is "[PATCH 00/66] DC Patches Apr 17th, 2023"
(https://lore.kernel.org/r/20230414155330.5215-1-Qingqing.Zhuo@amd.com)
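The following is an added example of the find-missing-prereqs check as the message above describes it; it is not code from the stable-tools repository. Where the real tool recovers a commit's original series from its "Message-Id:"/"Link:" trailers or a lore.kernel.org search, this model uses a fixed table keyed by commit subject. The series contents come from the report above, but the stable-side commit ids, the AUTOSEL flags, the cover-letter name for the Bluetooth pair and the whole "widget" series are constructed.

```python
"""Model of the find-missing-prereqs check (added example, not stable-tools code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Patch:
    index: int      # position in the original series: "[PATCH 2/4]" -> 2
    commit: str     # upstream commit id
    subject: str


@dataclass(frozen=True)
class Series:
    name: str       # cover-letter subject
    patches: tuple  # Patch objects in series order


# Constructed table standing in for the Message-Id:/Link:/lore lookup.
SERIES = (
    Series("[PATCH for-rc 0/4] RDMA/erdma: erdma fixes 3-20-2023", (
        Patch(1, "3fe26c0493e4", "RDMA/erdma: Fix some typos"),
        Patch(2, "3570f3cc4aab", "RDMA/erdma: Update default EQ depth to 4096 and max_send_wr to 8192"),
        Patch(3, "d682c9bc41fa", "RDMA/erdma: Inline mtt entries into WQE if supported"),
        Patch(4, "132918e08e86", "RDMA/erdma: Defer probing if netdevice can not be found"),
    )),
    Series("Bluetooth: SCO locking fixes (constructed cover name)", (
        Patch(1, "9a8ec9e8ebb5", "Bluetooth: SCO: Fix possible circular locking dependency on sco_connect_cfm"),
        Patch(2, "2fcfd51add22", "Bluetooth: SCO: Fix possible circular locking dependency sco_sock_getsockopt"),
    )),
    Series("[PATCH 0/2] example: widget fixes (constructed)", (
        Patch(1, "aaaaaaaaaaaa", "example: widget: fix refcount leak"),
        Patch(2, "bbbbbbbbbbbb", "example: widget: fix error path"),
    )),
)
SUBJECT_TO_SERIES = {p.subject: (s, p) for s in SERIES for p in s.patches}

# Commits in the stable range under audit: (stable commit id, subject, AUTOSEL?).
# Ids and AUTOSEL flags are constructed.
RANGE_COMMITS = (
    ("1111111111aa", "RDMA/erdma: Update default EQ depth to 4096 and max_send_wr to 8192", True),
    ("1111111111ab", "RDMA/erdma: Inline mtt entries into WQE if supported", True),
    ("1111111111ac", "RDMA/erdma: Defer probing if netdevice can not be found", True),
    ("1111111111ad", "Bluetooth: SCO: Fix possible circular locking dependency sco_sock_getsockopt", False),
    ("1111111111ae", "example: widget: fix error path", False),
)
# Subjects of everything already in the stable branch: the range itself plus
# older backports (the widget series' patch 1 is taken to have landed earlier).
STABLE_SUBJECTS = {subj for _, subj, _ in RANGE_COMMITS} | {"example: widget: fix refcount leak"}


def find_missing_prereqs(range_commits, stable_subjects, autosel_only=False):
    """Return {Series: (backported, missing)} for each series that has a commit in
    range_commits but lacks an earlier series member anywhere in the stable tree."""
    by_series = defaultdict(list)
    for sha, subject, autosel in range_commits:
        if autosel_only and not autosel:
            continue
        found = SUBJECT_TO_SERIES.get(subject)
        if found is None:
            continue  # standalone patch, or original series not found
        series, patch = found
        by_series[series].append((patch, sha))
    report = {}
    for series, backported in by_series.items():
        highest = max(p.index for p, _ in backported)
        # A prerequisite is "missing" only if no stable commit carries its subject.
        missing = [p for p in series.patches
                   if p.index < highest and p.subject not in stable_subjects]
        if missing:
            report[series] = (sorted(backported, key=lambda t: t[0].index), missing)
    return report


def format_report(report):
    """Render the result in the style of the find-missing-prereqs output above."""
    lines = []
    for series, (backported, missing) in report.items():
        total = len(series.patches)
        lines.append("The following commit(s):")
        lines += [f'  [PATCH {p.index}/{total}] commit {sha} ("{p.subject}")' for p, sha in backported]
        lines.append("... are backported without earlier commit(s) in series:")
        lines += [f'  [PATCH {p.index}/{total}] commit {p.commit} ("{p.subject}")' for p in missing]
        lines.append(f'Original patch series is "{series.name}"')
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(find_missing_prereqs(RANGE_COMMITS, STABLE_SUBJECTS)))
    print("--- AUTOSEL only ---")
    print(format_report(find_missing_prereqs(RANGE_COMMITS, STABLE_SUBJECTS, autosel_only=True)))
```

The "earlier than the highest backported index" rule is what makes the widget series silent (its patch 1 is already in the tree) and explains why, in the DC series report above, patch 20/33 is absent from the missing list: a prerequisite counts as present if any commit in the stable branch carries its subject, not only one in the audited range.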
I'm announcing the release of the 6.1.27 kernel.
All users of the 6.1 kernel series must upgrade.
The updated 6.1.y git tree can be found at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y
and can be browsed at the normal kernel.org git web browser:
https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary
thanks,
greg k-h
------------
Documentation/riscv/vm-layout.rst | 4
Makefile | 2
arch/arm64/kvm/mmu.c | 47 ++--
arch/riscv/include/asm/fixmap.h | 8
arch/riscv/include/asm/pgtable.h | 8
arch/riscv/kernel/setup.c | 6
arch/riscv/mm/init.c | 82 +++-----
arch/x86/Makefile.um | 5
drivers/base/dd.c | 7
drivers/gpio/gpiolib-acpi.c | 13 +
drivers/gpu/drm/drm_fb_helper.c | 3
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 5
drivers/phy/broadcom/phy-brcm-usb.c | 4
drivers/usb/serial/option.c | 6
fs/btrfs/send.c | 2
fs/btrfs/volumes.c | 2
mm/mempolicy.c | 115 +++++-------
net/bluetooth/hci_sock.c | 9
net/mptcp/protocol.c | 74 +++++--
net/mptcp/protocol.h | 2
net/mptcp/subflow.c | 80 ++++++++
21 files changed, 308 insertions(+), 176 deletions(-)
Alexandre Ghiti (3):
riscv: Move early dtb mapping into the fixmap region
riscv: Do not set initial_boot_params to the linear address of the dtb
riscv: No need to relocate the dtb as it lies in the fixmap region
Arınç ÜNAL (1):
USB: serial: option: add UNISOC vendor and TOZED LT70C product
Daniel Vetter (1):
drm/fb-helper: set x/yres_virtual in drm_fb_helper_check_var
David Gow (1):
um: Only disable SSE on clang to work around old GCC bugs
David Matlack (1):
KVM: arm64: Retry fault if vma_lookup() results become invalid
Florian Fainelli (1):
phy: phy-brcm-usb: Utilize platform_get_irq_byname_optional()
Genjian Zhang (1):
btrfs: fix uninitialized variable warnings
Greg Kroah-Hartman (1):
Linux 6.1.27
Jisoo Jang (1):
wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()
Liam R. Howlett (1):
mm/mempolicy: fix use-after-free of VMA iterator
Paolo Abeni (2):
mptcp: stops worker on unaccepted sockets at listener close
mptcp: fix accept vs worker race
Ruihan Li (1):
bluetooth: Perform careful capability checks in hci_sock_ioctl()
Stephen Boyd (1):
driver core: Don't require dynamic_debug for initcall_debug probe timing
Werner Sembach (1):
gpiolib: acpi: Add a ignore wakeup quirk for Clevo NL5xNU
I'm announcing the release of the 6.2.14 kernel.
All users of the 6.2 kernel series must upgrade.
The updated 6.2.y git tree can be found at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.2.y
and can be browsed at the normal kernel.org git web browser:
https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary
thanks,
greg k-h
------------
Documentation/riscv/vm-layout.rst | 6
Makefile | 2
arch/riscv/include/asm/fixmap.h | 8
arch/riscv/include/asm/pgtable.h | 8
arch/riscv/kernel/setup.c | 6
arch/riscv/mm/init.c | 82 +++-----
arch/x86/Makefile.um | 11 +
drivers/base/dd.c | 7
drivers/gpio/gpiolib-acpi.c | 13 +
drivers/gpu/drm/drm_fb_helper.c | 3
drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 9
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 5
drivers/usb/serial/option.c | 6
fs/btrfs/send.c | 2
fs/btrfs/volumes.c | 2
include/linux/mmc/sdio_ids.h | 5
kernel/rcu/tree.c | 27 +-
mm/mempolicy.c | 115 +++++-------
net/bluetooth/hci_sock.c | 9
19 files changed, 193 insertions(+), 133 deletions(-)
Alexandre Ghiti (3):
riscv: Move early dtb mapping into the fixmap region
riscv: Do not set initial_boot_params to the linear address of the dtb
riscv: No need to relocate the dtb as it lies in the fixmap region
Arınç ÜNAL (1):
USB: serial: option: add UNISOC vendor and TOZED LT70C product
Daniel Vetter (1):
drm/fb-helper: set x/yres_virtual in drm_fb_helper_check_var
David Gow (2):
rust: arch/um: Disable FP/SIMD instruction to match x86
um: Only disable SSE on clang to work around old GCC bugs
Genjian Zhang (1):
btrfs: fix uninitialized variable warnings
Greg Kroah-Hartman (1):
Linux 6.2.14
Jisoo Jang (1):
wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()
Liam R. Howlett (1):
mm/mempolicy: fix use-after-free of VMA iterator
Marek Vasut (1):
wifi: brcmfmac: add Cypress 43439 SDIO ids
Ruihan Li (1):
bluetooth: Perform careful capability checks in hci_sock_ioctl()
Stephen Boyd (1):
driver core: Don't require dynamic_debug for initcall_debug probe timing
Werner Sembach (1):
gpiolib: acpi: Add a ignore wakeup quirk for Clevo NL5xNU
Ziwei Dai (1):
rcu/kvfree: Avoid freeing new kfree_rcu() memory after old grace period
I'm announcing the release of the 5.15.110 kernel.
All users of the 5.15 kernel series must upgrade.
The updated 5.15.y git tree can be found at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.15.y
and can be browsed at the normal kernel.org git web browser:
https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary
thanks,
greg k-h
------------
Documentation/riscv/vm-layout.rst | 2
Makefile | 2
arch/arm64/kvm/mmu.c | 47 +++-----
arch/arm64/kvm/psci.c | 2
arch/riscv/include/asm/fixmap.h | 8 +
arch/riscv/include/asm/pgtable.h | 8 +
arch/riscv/kernel/setup.c | 6 -
arch/riscv/mm/init.c | 68 ++++++------
drivers/base/dd.c | 7 +
drivers/gpu/drm/drm_fb_helper.c | 3
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 5
drivers/pci/pci.c | 3
drivers/pci/pci.h | 2
drivers/pci/pcie/aspm.c | 19 ---
drivers/usb/serial/option.c | 6 +
net/bluetooth/hci_sock.c | 9 +
tools/testing/selftests/kselftest/runner.sh | 28 +++-
tools/testing/selftests/net/mptcp/mptcp_join.sh | 2
18 files changed, 123 insertions(+), 104 deletions(-)
Alexandre Ghiti (3):
riscv: Move early dtb mapping into the fixmap region
riscv: Do not set initial_boot_params to the linear address of the dtb
riscv: No need to relocate the dtb as it lies in the fixmap region
Arınç ÜNAL (1):
USB: serial: option: add UNISOC vendor and TOZED LT70C product
Dan Carpenter (1):
KVM: arm64: Fix buffer overflow in kvm_arm_set_fw_reg()
Daniel Vetter (1):
drm/fb-helper: set x/yres_virtual in drm_fb_helper_check_var
David Matlack (1):
KVM: arm64: Retry fault if vma_lookup() results become invalid
Greg Kroah-Hartman (1):
Linux 5.15.110
Jisoo Jang (1):
wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()
Kai-Heng Feng (1):
PCI/ASPM: Remove pcie_aspm_pm_state_change()
Matthieu Baerts (1):
selftests: mptcp: join: fix "invalid address, ADD_ADDR timeout"
Ruihan Li (1):
bluetooth: Perform careful capability checks in hci_sock_ioctl()
SeongJae Park (1):
selftests/kselftest/runner/run_one(): allow running non-executable files
Stephen Boyd (1):
driver core: Don't require dynamic_debug for initcall_debug probe timing
The patch titled
Subject: mm/mempolicy: correctly update prev when policy is equal on mbind
has been added to the -mm mm-hotfixes-unstable branch. Its filename is
mm-mempolicy-correctly-update-prev-when-policy-is-equal-on-mbind.patch
This patch will shortly appear at
https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche…
This patch will later appear in the mm-hotfixes-unstable branch at
git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next via the mm-everything
branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there every 2-3 working days
------------------------------------------------------
From: Lorenzo Stoakes <lstoakes(a)gmail.com>
Subject: mm/mempolicy: correctly update prev when policy is equal on mbind
Date: Sun, 30 Apr 2023 16:07:07 +0100
The refactoring in commit f4e9e0e69468 ("mm/mempolicy: fix use-after-free
of VMA iterator") introduces a subtle bug which arises when attempting to
apply a new NUMA policy across a range of VMAs in mbind_range().
The refactoring passes a **prev pointer to keep track of the previous VMA
in order to reduce duplication, and in all but one case it keeps this
correctly updated.
The bug arises when a VMA within the specified range has an equivalent
policy as determined by mpol_equal() - which unlike other cases, does not
update prev.
This can result in a situation where, later in the iteration, a VMA is
found whose policy does need to change. At this point, vma_merge() is
invoked with prev pointing to a VMA which is before the previous VMA.
Since vma_merge() discovers the curr VMA by looking for the one
immediately after prev, it will now be in a situation where this VMA is
incorrect and the merge will not proceed correctly.
This is checked in the VM_WARN_ON() invariant case with end >
curr->vm_end, which, if a merge is possible, results in a warning (if
CONFIG_DEBUG_VM is specified).
I note that vma_merge() performs these invariant checks only after
merge_prev/merge_next are checked, which is debatable as it hides this
issue if no merge is possible even though a buggy situation has arisen.
The solution is simply to update the prev pointer even when policies are
equal.
This caused a bug to arise in the 6.2.y stable tree, and this patch
resolves this bug.
Link: https://lkml.kernel.org/r/83f1d612acb519d777bebf7f3359317c4e7f4265.16828666…
Fixes: f4e9e0e69468 ("mm/mempolicy: fix use-after-free of VMA iterator")
Signed-off-by: Lorenzo Stoakes <lstoakes(a)gmail.com>
Reported-by: kernel test robot <oliver.sang(a)intel.com>
Link: https://lore.kernel.org/oe-lkp/202304292203.44ddeff6-oliver.sang@intel.com
Cc: Liam R. Howlett <Liam.Howlett(a)oracle.com>
Cc: Mel Gorman <mgorman(a)suse.de>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---
mm/mempolicy.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/mm/mempolicy.c~mm-mempolicy-correctly-update-prev-when-policy-is-equal-on-mbind
+++ a/mm/mempolicy.c
@@ -808,8 +808,10 @@ static int mbind_range(struct vma_iterat
vmstart = vma->vm_start;
}
- if (mpol_equal(vma_policy(vma), new_pol))
+ if (mpol_equal(vma_policy(vma), new_pol)) {
+ *prev = vma;
return 0;
+ }
pgoff = vma->vm_pgoff + ((vmstart - vma->vm_start) >> PAGE_SHIFT);
merged = vma_merge(vmi, vma->vm_mm, *prev, vmstart, vmend, vma->vm_flags,
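Review bot: the early `return 0;` on `mpol_equal()` was the one exit from this block that left `*prev` pointing at the VMA before the current one, so the next iteration's `vma_merge(vmi, vma->vm_mm, *prev, vmstart, vmend, ...)` resolved curr to the wrong VMA; adding `*prev = vma;` before the return restores the invariant that the caller's prev is always the last VMA visited, and the braces are required now that the body is two statements. Since the only symptom was a VM_WARN_ON() that fires solely under CONFIG_DEBUG_VM, consider pairing the fix with a selftest that mbind()s a policy across three adjacent VMAs whose middle VMA already carries that policy, so the stale-prev path is exercised without a debug config.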
_
Patches currently in -mm which might be from lstoakes(a)gmail.com are
mm-mempolicy-correctly-update-prev-when-policy-is-equal-on-mbind.patch
The refactoring in commit f4e9e0e69468 ("mm/mempolicy: fix use-after-free
of VMA iterator") introduces a subtle bug which arises when attempting to
apply a new NUMA policy across a range of VMAs in mbind_range().
The refactoring passes a **prev pointer to keep track of the previous VMA
in order to reduce duplication, and in all but one case it keeps this
correctly updated.
The bug arises when a VMA within the specified range has an equivalent
policy as determined by mpol_equal() - which unlike other cases, does not
update prev.
This can result in a situation where, later in the iteration, a VMA is
found whose policy does need to change. At this point, vma_merge() is
invoked with prev pointing to a VMA which is before the previous VMA.
Since vma_merge() discovers the curr VMA by looking for the one immediately
after prev, it will now be in a situation where this VMA is incorrect and
the merge will not proceed correctly.
This is checked in the VM_WARN_ON() invariant case with end > curr->vm_end,
which, if a merge is possible, results in a warning (if CONFIG_DEBUG_VM is
specified).
I note that vma_merge() performs these invariant checks only after
merge_prev/merge_next are checked, which is debatable as it hides this
issue if no merge is possible even though a buggy situation has arisen.
The solution is simply to update the prev pointer even when policies are
equal.
This caused a bug to arise in the 6.2.y stable tree, and this patch
resolves this bug.
Reported-by: kernel test robot <oliver.sang(a)intel.com>
Link: https://lore.kernel.org/oe-lkp/202304292203.44ddeff6-oliver.sang@intel.com
Fixes: f4e9e0e69468 ("mm/mempolicy: fix use-after-free of VMA iterator")
Signed-off-by: Lorenzo Stoakes <lstoakes(a)gmail.com>
Cc: <stable(a)vger.kernel.org>
---
v2: updated to correctly cc the stable list :)
v1:
https://lore.kernel.org/all/db42467a692d78c654ec5c1953329401bd8a9c34.168285…
mm/mempolicy.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index 2068b594dc88..1756389a0609 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -808,8 +808,10 @@ static int mbind_range(struct vma_iterator *vmi, struct vm_area_struct *vma,
vmstart = vma->vm_start;
}
- if (mpol_equal(vma_policy(vma), new_pol))
+ if (mpol_equal(vma_policy(vma), new_pol)) {
+ *prev = vma;
return 0;
+ }
pgoff = vma->vm_pgoff + ((vmstart - vma->vm_start) >> PAGE_SHIFT);
merged = vma_merge(vmi, vma->vm_mm, *prev, vmstart, vmend, vma->vm_flags,
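Review bot: the rule the fix relies on, that every exit from this loop body must leave `*prev` at the current VMA, exists only in the changelog; a one-line comment above `if (mpol_equal(vma_policy(vma), new_pol)) {` (for instance "policy unchanged, but prev must still advance for the next vma_merge()") would keep the next refactoring of mbind_range() from dropping it again, since an early return with no visible side effect reads like a no-op. Otherwise the hunk is the same as v1, matching the "v2: updated to correctly cc the stable list" note.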
--
2.40.1
The refactoring in commit f4e9e0e69468 ("mm/mempolicy: fix use-after-free
of VMA iterator") introduces a subtle bug which arises when attempting to
apply a new NUMA policy across a range of VMAs in mbind_range().
The refactoring passes a **prev pointer to keep track of the previous VMA
in order to reduce duplication, and in all but one case it keeps this
correctly updated.
The bug arises when a VMA within the specified range has an equivalent
policy as determined by mpol_equal() - which unlike other cases, does not
update prev.
This can result in a situation where, later in the iteration, a VMA is
found whose policy does need to change. At this point, vma_merge() is
invoked with prev pointing to a VMA which is before the previous VMA.
Since vma_merge() discovers the curr VMA by looking for the one immediately
after prev, it will now be in a situation where this VMA is incorrect and
the merge will not proceed correctly.
This is checked in the VM_WARN_ON() invariant case with end > curr->vm_end,
which, if a merge is possible, results in a warning (if CONFIG_DEBUG_VM is
specified).
I note that vma_merge() performs these invariant checks only after
merge_prev/merge_next are checked, which is debatable as it hides this
issue if no merge is possible even though a buggy situation has arisen.
The solution is simply to update the prev pointer even when policies are
equal.
This caused a bug to arise in the 6.2.y stable tree, and this patch
resolves this bug.
Reported-by: kernel test robot <oliver.sang(a)intel.com>
Link: https://lore.kernel.org/oe-lkp/202304292203.44ddeff6-oliver.sang@intel.com
Fixes: f4e9e0e69468 ("mm/mempolicy: fix use-after-free of VMA iterator")
Signed-off-by: Lorenzo Stoakes <lstoakes(a)gmail.com>
---
mm/mempolicy.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index 2068b594dc88..1756389a0609 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -808,8 +808,10 @@ static int mbind_range(struct vma_iterator *vmi, struct vm_area_struct *vma,
vmstart = vma->vm_start;
}
- if (mpol_equal(vma_policy(vma), new_pol))
+ if (mpol_equal(vma_policy(vma), new_pol)) {
+ *prev = vma;
return 0;
+ }
pgoff = vma->vm_pgoff + ((vmstart - vma->vm_start) >> PAGE_SHIFT);
merged = vma_merge(vmi, vma->vm_mm, *prev, vmstart, vmend, vma->vm_flags,
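Review bot: this v1 hunk is correct, but the posting lacks a `Cc: <stable@vger.kernel.org>` tag even though the changelog says the bug "caused a bug to arise in the 6.2.y stable tree" and carries a Fixes: tag for f4e9e0e69468; the stable team picks fixes up from that tag, so it should be added (as v2 does). On the hunk itself, `*prev = vma;` before `return 0;` is the minimal change; placing the assignment ahead of the `mpol_equal()` test would be equally correct here and would make the prev update unconditional, which is harder to break later.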
--
2.40.1
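The following is an added model of the stale-prev bug that the patch above fixes; it is example code, not kernel code. Three constructed VMAs are visited in order with a prev cursor, as the changelog describes for mbind_range(); the model vma_merge() locates curr as the VMA immediately after prev and raises in place of the VM_WARN_ON() when end > curr->vm_end. The `fixed` flag switches between the early return that forgot prev and the fixed version.

```python
"""Model of the prev-tracking bug in mbind_range() (added example, not kernel code)."""
from dataclasses import dataclass


@dataclass
class Vma:
    vm_start: int
    vm_end: int
    policy: str


class InvariantViolation(Exception):
    """Stands in for the VM_WARN_ON() invariant check in vma_merge()."""


def vma_merge(vmas, prev, start, end):
    """Locate curr as the VMA immediately after prev (the first VMA when prev is
    None) and reject a range that runs past it, as the changelog describes."""
    curr = vmas[0] if prev is None else vmas[vmas.index(prev) + 1]
    if end > curr.vm_end:
        raise InvariantViolation(
            f"range [{start:#x}, {end:#x}) extends past curr [{curr.vm_start:#x}, {curr.vm_end:#x})")
    return curr


def mbind_range(vmas, vma, prev, new_pol, fixed):
    """One step of the per-VMA loop; returns the prev to hand to the next step.
    fixed=False reproduces the early return that left prev stale."""
    if vma.policy == new_pol:          # mpol_equal()
        if fixed:
            prev = vma                 # the one-line fix: *prev = vma;
        return prev
    curr = vma_merge(vmas, prev, vma.vm_start, vma.vm_end)
    curr.policy = new_pol              # the merge is modelled as a policy update
    return curr


def apply_policy(fixed):
    """Bind policy 'new' across a constructed three-VMA range whose middle VMA
    already carries it. Returns (warned, resulting policies)."""
    vmas = [Vma(0x1000, 0x2000, "default"),
            Vma(0x2000, 0x3000, "new"),       # mpol_equal() is true here
            Vma(0x3000, 0x4000, "default")]
    prev = None
    warned = False
    for vma in vmas:
        try:
            prev = mbind_range(vmas, vma, prev, "new", fixed)
        except InvariantViolation:
            # With the bug, the third VMA is merged with prev still pointing at
            # the first one, so curr resolves to the second and the check fires.
            warned = True
            break
    return warned, [v.policy for v in vmas]


if __name__ == "__main__":
    print("buggy:", apply_policy(fixed=False))
    print("fixed:", apply_policy(fixed=True))
```

Run stand-alone, the buggy variant stops at the third VMA with its policy never applied, while the fixed variant updates all three; the difference is entirely the single `prev = vma` on the path that appears to do nothing.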