May 2023 - Linux-stable-mirror

[PATCH 4.14] netfilter: nf_tables: fix register ordering

by Andrew Paniakin

From: Florian Westphal <fw(a)strlen.de> commit d209df3e7f7002d9099fdb0f6df0f972b4386a63 upstream [ We hit the trace described in commit message with the kselftest/nft_trans_stress.sh. This patch diverges from the upstream one since kernel 4.14 does not have following symbols: nft_chain_filter_init, nf_tables_flowtable_notifier ] We must register nfnetlink ops last, as that exposes nf_tables to userspace. Without this, we could theoretically get nfnetlink request before net->nft state has been initialized. Fixes: 99633ab29b213 ("netfilter: nf_tables: complete net namespace support") Signed-off-by: Florian Westphal <fw(a)strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo(a)netfilter.org> [apanyaki: backport to v4.14-stable] Signed-off-by: Andrew Paniakin <apanyaki(a)amazon.com> --- [ 163.471426] Call Trace: [ 163.474901] netlink_dump+0x125/0x2d0 [ 163.479081] __netlink_dump_start+0x16a/0x1c0 [ 163.483589] nf_tables_gettable+0x151/0x180 [nf_tables] [ 163.488561] ? nf_tables_gettable+0x180/0x180 [nf_tables] [ 163.493658] nfnetlink_rcv_msg+0x222/0x250 [nfnetlink] [ 163.498608] ? __skb_try_recv_datagram+0x114/0x180 [ 163.503359] ? nfnetlink_net_exit_batch+0x60/0x60 [nfnetlink] [ 163.508590] netlink_rcv_skb+0x4d/0x130 [ 163.512832] nfnetlink_rcv+0x92/0x780 [nfnetlink] [ 163.517465] ? netlink_recvmsg+0x202/0x3e0 [ 163.521801] ? __kmalloc_node_track_caller+0x31/0x290 [ 163.526635] ? copy_msghdr_from_user+0xd5/0x150 [ 163.531216] ? __netlink_lookup+0xd0/0x130 [ 163.535536] netlink_unicast+0x196/0x240 [ 163.539759] netlink_sendmsg+0x2da/0x400 [ 163.544010] sock_sendmsg+0x36/0x40 [ 163.548030] SYSC_sendto+0x10e/0x140 [ 163.552119] ? __audit_syscall_entry+0xbc/0x110 [ 163.556741] ? syscall_trace_enter+0x1df/0x2e0 [ 163.561315] ? __audit_syscall_exit+0x231/0x2b0 [ 163.565857] do_syscall_64+0x67/0x110 [ 163.569930] entry_SYSCALL_64_after_hwframe+0x59/0xbe Reproduce with debug logs clearly shows the nft initialization issue exactly as in ported patch description: [ 22.600051] nft load start [ 22.600858] nf_tables: (c) 2007-2009 Patrick McHardy <kaber(a)trash.net> [ 22.601241] nf_tables_gettable start: ffff888527c10000 [ 22.601271] register_pernet_subsys ffffffffa02ba0c0 [ 22.601274] netns ops_init ffffffffa02ba0c0 ffffffff821aeec0 [ 22.602506] nf_tables_dump_tables: ffff888527c10000 [ 22.603187] af_info list init done: ffffffff821aeec0 [ 22.604064] nf_tables_dump_tables: afi: (null) [ 22.604077] BUG: unable to handle kernel [ 22.604820] netns ops_init end ffffffffa02ba0c0 ffffffff821aeec0 [ 22.605698] NULL pointer dereference [ 22.606354] netns ops_init ffffffffa02ba0c0 ffff888527c10000 (gdb) p &init_net $2 = (struct net *) 0xffffffff821aeec0 <init_net> ffff888527c10000 is a testns1 namespaces To reproduce this problem and test the fix I scripted following steps: - start Qemu VM - run nft_trans_stress.sh test - check dmesg logs for NULL pointer dereference - reboot via QMP and repeat I tested the fix with our kernel regression tests (including kselftest) also. net/netfilter/nf_tables_api.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index c683a45b8ae53..65495b528290b 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -6032,18 +6032,25 @@ static int __init nf_tables_module_init(void) goto err1; } - err = nf_tables_core_module_init(); + err = register_pernet_subsys(&nf_tables_net_ops); if (err < 0) goto err2; - err = nfnetlink_subsys_register(&nf_tables_subsys); + err = nf_tables_core_module_init(); if (err < 0) goto err3; + /* must be last */ + err = nfnetlink_subsys_register(&nf_tables_subsys); + if (err < 0) + goto err4; + pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber(a)trash.net>\n"); - return register_pernet_subsys(&nf_tables_net_ops); -err3: + return err; +err4: nf_tables_core_module_exit(); +err3: + unregister_pernet_subsys(&nf_tables_net_ops); err2: kfree(info); err1: -- 2.39.2

1 year, 5 months

2
2
0 0

[PATCH] autofs: use flexible array in ioctl structure

by Arnd Bergmann

From: Arnd Bergmann <arnd(a)arndb.de> Commit df8fc4e934c1 ("kbuild: Enable -fstrict-flex-arrays=3") introduced a warning for the autofs_dev_ioctl structure: In function 'check_name', inlined from 'validate_dev_ioctl' at fs/autofs/dev-ioctl.c:131:9, inlined from '_autofs_dev_ioctl' at fs/autofs/dev-ioctl.c:624:8: fs/autofs/dev-ioctl.c:33:14: error: 'strchr' reading 1 or more bytes from a region of size 0 [-Werror=stringop-overread] 33 | if (!strchr(name, '/')) | ^~~~~~~~~~~~~~~~~ In file included from include/linux/auto_dev-ioctl.h:10, from fs/autofs/autofs_i.h:10, from fs/autofs/dev-ioctl.c:14: include/uapi/linux/auto_dev-ioctl.h: In function '_autofs_dev_ioctl': include/uapi/linux/auto_dev-ioctl.h:112:14: note: source object 'path' of size 0 112 | char path[0]; | ^~~~ This is easily fixed by changing the gnu 0-length array into a c99 flexible array. Since this is a uapi structure, we have to be careful about possible regressions but this one should be fine as they are equivalent here. While it would break building with ancient gcc versions that predate c99, it helps building with --std=c99 and -Wpedantic builds in user space, as well as non-gnu compilers. This means we probably also want it fixed in stable kernels. Cc: stable(a)vger.kernel.org Cc: Kees Cook <keescook(a)chromium.org> Cc: Gustavo A. R. Silva" <gustavoars(a)kernel.org> Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> --- Documentation/filesystems/autofs-mount-control.rst | 2 +- Documentation/filesystems/autofs.rst | 2 +- include/uapi/linux/auto_dev-ioctl.h | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Documentation/filesystems/autofs-mount-control.rst b/Documentation/filesystems/autofs-mount-control.rst index bf4b511cdbe8..b5a379d25c40 100644 --- a/Documentation/filesystems/autofs-mount-control.rst +++ b/Documentation/filesystems/autofs-mount-control.rst @@ -196,7 +196,7 @@ information and return operation results:: struct args_ismountpoint ismountpoint; }; - char path[0]; + char path[]; }; The ioctlfd field is a mount point file descriptor of an autofs mount diff --git a/Documentation/filesystems/autofs.rst b/Documentation/filesystems/autofs.rst index 4f490278d22f..3b6e38e646cd 100644 --- a/Documentation/filesystems/autofs.rst +++ b/Documentation/filesystems/autofs.rst @@ -467,7 +467,7 @@ Each ioctl is passed a pointer to an `autofs_dev_ioctl` structure:: struct args_ismountpoint ismountpoint; }; - char path[0]; + char path[]; }; For the **OPEN_MOUNT** and **IS_MOUNTPOINT** commands, the target diff --git a/include/uapi/linux/auto_dev-ioctl.h b/include/uapi/linux/auto_dev-ioctl.h index 62e625356dc8..08be539605fc 100644 --- a/include/uapi/linux/auto_dev-ioctl.h +++ b/include/uapi/linux/auto_dev-ioctl.h @@ -109,7 +109,7 @@ struct autofs_dev_ioctl { struct args_ismountpoint ismountpoint; }; - char path[0]; + char path[]; }; static inline void init_autofs_dev_ioctl(struct autofs_dev_ioctl *in) -- 2.39.2

1 year, 5 months

2
1
0 0

[PATCH] scsi: Let scsi_execute_cmd() mark args->sshdr as invalid

by Juergen Gross

Some callers of scsi_execute_cmd() (like e.g. sd_spinup_disk()) are passing an uninitialized struct sshdr and don't look at the return value of scsi_execute_cmd() before looking at the contents of that struct. This can result in false positives when looking for specific error conditions. In order to fix that let scsi_execute_cmd() zero sshdr->response_code, resulting in scsi_sense_valid() returning false. Cc: stable(a)vger.kernel.org Fixes: 3949e2f04262 ("scsi: simplify scsi_execute_req_flags") Signed-off-by: Juergen Gross <jgross(a)suse.com> --- I'm not aware of any real error having happened due to this problem, but I thought it should be fixed anyway. I _think_ 3949e2f04262 was introducing the problem, but I'm not 100% sure it is really the commit to be blamed. --- drivers/scsi/scsi_lib.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c index b7c569a42aa4..923336620bff 100644 --- a/drivers/scsi/scsi_lib.c +++ b/drivers/scsi/scsi_lib.c @@ -209,11 +209,17 @@ int scsi_execute_cmd(struct scsi_device *sdev, const unsigned char *cmd, struct scsi_cmnd *scmd; int ret; - if (!args) + if (!args) { args = &default_args; - else if (WARN_ON_ONCE(args->sense && - args->sense_len != SCSI_SENSE_BUFFERSIZE)) - return -EINVAL; + } else { + /* Mark sense data to be invalid. */ + if (args->sshdr) + args->sshdr->response_code = 0; + + if (WARN_ON_ONCE(args->sense && + args->sense_len != SCSI_SENSE_BUFFERSIZE)) + return -EINVAL; + } req = scsi_alloc_request(sdev->request_queue, opf, args->req_flags); if (IS_ERR(req)) -- 2.35.3

1 year, 5 months

7
27
0 0

[PATCH net v2] ipv{4,6}/raw: fix output xfrm lookup wrt protocol

by Nicolas Dichtel

With a raw socket bound to IPPROTO_RAW (ie with hdrincl enabled), the protocol field of the flow structure, build by raw_sendmsg() / rawv6_sendmsg()), is set to IPPROTO_RAW. This breaks the ipsec policy lookup when some policies are defined with a protocol in the selector. For ipv6, the sin6_port field from 'struct sockaddr_in6' could be used to specify the protocol. Just accept all values for IPPROTO_RAW socket. For ipv4, the sin_port field of 'struct sockaddr_in' could not be used without breaking backward compatibility (the value of this field was never checked). Let's add a new kind of control message, so that the userland could specify which protocol is used. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") CC: stable(a)vger.kernel.org Signed-off-by: Nicolas Dichtel <nicolas.dichtel(a)6wind.com> --- v1 -> v2: - accept only int in cmsg for IP_PROTOCOL include/net/ip.h | 2 ++ include/uapi/linux/in.h | 1 + net/ipv4/ip_sockglue.c | 12 +++++++++++- net/ipv4/raw.c | 5 ++++- net/ipv6/raw.c | 3 ++- 5 files changed, 20 insertions(+), 3 deletions(-) diff --git a/include/net/ip.h b/include/net/ip.h index c3fffaa92d6e..acec504c469a 100644 --- a/include/net/ip.h +++ b/include/net/ip.h @@ -76,6 +76,7 @@ struct ipcm_cookie { __be32 addr; int oif; struct ip_options_rcu *opt; + __u8 protocol; __u8 ttl; __s16 tos; char priority; @@ -96,6 +97,7 @@ static inline void ipcm_init_sk(struct ipcm_cookie *ipcm, ipcm->sockc.tsflags = inet->sk.sk_tsflags; ipcm->oif = READ_ONCE(inet->sk.sk_bound_dev_if); ipcm->addr = inet->inet_saddr; + ipcm->protocol = inet->inet_num; } #define IPCB(skb) ((struct inet_skb_parm*)((skb)->cb)) diff --git a/include/uapi/linux/in.h b/include/uapi/linux/in.h index 4b7f2df66b99..e682ab628dfa 100644 --- a/include/uapi/linux/in.h +++ b/include/uapi/linux/in.h @@ -163,6 +163,7 @@ struct in_addr { #define IP_MULTICAST_ALL 49 #define IP_UNICAST_IF 50 #define IP_LOCAL_PORT_RANGE 51 +#define IP_PROTOCOL 52 #define MCAST_EXCLUDE 0 #define MCAST_INCLUDE 1 diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index b511ff0adc0a..8e97d8d4cc9d 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -317,7 +317,14 @@ int ip_cmsg_send(struct sock *sk, struct msghdr *msg, struct ipcm_cookie *ipc, ipc->tos = val; ipc->priority = rt_tos2priority(ipc->tos); break; - + case IP_PROTOCOL: + if (cmsg->cmsg_len != CMSG_LEN(sizeof(int))) + return -EINVAL; + val = *(int *)CMSG_DATA(cmsg); + if (val < 1 || val > 255) + return -EINVAL; + ipc->protocol = val; + break; default: return -EINVAL; } @@ -1761,6 +1768,9 @@ int do_ip_getsockopt(struct sock *sk, int level, int optname, case IP_LOCAL_PORT_RANGE: val = inet->local_port_range.hi << 16 | inet->local_port_range.lo; break; + case IP_PROTOCOL: + val = inet_sk(sk)->inet_num; + break; default: sockopt_release_sock(sk); return -ENOPROTOOPT; diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c index ff712bf2a98d..eadf1c9ef7e4 100644 --- a/net/ipv4/raw.c +++ b/net/ipv4/raw.c @@ -532,6 +532,9 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) } ipcm_init_sk(&ipc, inet); + /* Keep backward compat */ + if (hdrincl) + ipc.protocol = IPPROTO_RAW; if (msg->msg_controllen) { err = ip_cmsg_send(sk, msg, &ipc, false); @@ -599,7 +602,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) flowi4_init_output(&fl4, ipc.oif, ipc.sockc.mark, tos, RT_SCOPE_UNIVERSE, - hdrincl ? IPPROTO_RAW : sk->sk_protocol, + hdrincl ? ipc.protocol : sk->sk_protocol, inet_sk_flowi_flags(sk) | (hdrincl ? FLOWI_FLAG_KNOWN_NH : 0), daddr, saddr, 0, 0, sk->sk_uid); diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c index 7d0adb612bdd..44ee7a2e72ac 100644 --- a/net/ipv6/raw.c +++ b/net/ipv6/raw.c @@ -793,7 +793,8 @@ static int rawv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) if (!proto) proto = inet->inet_num; - else if (proto != inet->inet_num) + else if (proto != inet->inet_num && + inet->inet_num != IPPROTO_RAW) return -EINVAL; if (proto > 255) -- 2.39.2

1 year, 5 months

2
1
0 0

[PATCH] platform/x86/intel/ifs: Annotate work queue on stack so object debug does not complain

by David Arcari

Object Debug results in the following warning while attempting to load ifs firmware: [ 220.007422] ODEBUG: object 000000003bf952db is on stack 00000000e843994b, but NOT annotated. [ 220.007459] ------------[ cut here ]------------ [ 220.007461] WARNING: CPU: 0 PID: 11774 at lib/debugobjects.c:548 __debug_object_init.cold+0x22e/0x2d5 [ 220.137476] RIP: 0010:__debug_object_init.cold+0x22e/0x2d5 [ 220.254774] Call Trace: [ 220.257641] <TASK> [ 220.265606] scan_chunks_sanity_check+0x368/0x5f0 [intel_ifs] [ 220.288292] ifs_load_firmware+0x2a3/0x400 [intel_ifs] [ 220.332793] current_batch_store+0xea/0x160 [intel_ifs] [ 220.357947] kernfs_fop_write_iter+0x355/0x530 [ 220.363048] new_sync_write+0x28e/0x4a0 [ 220.381226] vfs_write+0x62a/0x920 [ 220.385160] ksys_write+0xf9/0x1d0 [ 220.399421] do_syscall_64+0x59/0x90 [ 220.440635] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 220.566845] ---[ end trace 3a01b299db142b41 ]--- Correct this by calling INIT_WORK_ONSTACK instead of INIT_WORK. Fixes: 684ec215706d ("platform/x86/intel/ifs: Authenticate and copy to secured memory") Signed-off-by: David Arcari <darcari(a)redhat.com> Cc: Jithu Joseph <jithu.joseph(a)intel.com> Cc: Ashok Raj <ashok.raj(a)intel.com> Cc: Tony Luck <tony.luck(a)intel.com> Cc: Hans de Goede <hdegoede(a)redhat.com> Cc: Mark Gross <markgross(a)kernel.org> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Dan Williams <dan.j.williams(a)intel.com> Cc: linux-kernel(a)vger.kernel.org Cc: stable(a)vger.kernel.org --- drivers/platform/x86/intel/ifs/load.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/platform/x86/intel/ifs/load.c b/drivers/platform/x86/intel/ifs/load.c index 61dffb4c8a1d..e6ae8265f3a3 100644 --- a/drivers/platform/x86/intel/ifs/load.c +++ b/drivers/platform/x86/intel/ifs/load.c @@ -208,7 +208,7 @@ static int scan_chunks_sanity_check(struct device *dev) continue; reinit_completion(&ifs_done); local_work.dev = dev; - INIT_WORK(&local_work.w, copy_hashes_authenticate_chunks); + INIT_WORK_ONSTACK(&local_work.w, copy_hashes_authenticate_chunks); schedule_work_on(cpu, &local_work.w); wait_for_completion(&ifs_done); if (ifsd->loading_error) { -- 2.27.0

1 year, 5 months

2
1
0 0

[PATCH] ext4: Fix possible corruption when moving a directory

by Jan Kara

When we are renaming a directory to a different directory, we need to update '..' entry in the moved directory. However nothing prevents moved directory from being modified and even converted from the inline format to the normal format. When such race happens the rename code gets confused and we crash. Fix the problem by locking the moved directory. CC: stable(a)vger.kernel.org Fixes: 32f7f22c0b52 ("ext4: let ext4_rename handle inline dir") Signed-off-by: Jan Kara <jack(a)suse.cz> --- fs/ext4/namei.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c index dd28453d6ea3..270fbcba75b6 100644 --- a/fs/ext4/namei.c +++ b/fs/ext4/namei.c @@ -3872,9 +3872,16 @@ static int ext4_rename(struct user_namespace *mnt_userns, struct inode *old_dir, if (new.dir != old.dir && EXT4_DIR_LINK_MAX(new.dir)) goto end_rename; } + /* + * We need to protect against old.inode directory getting + * converted from inline directory format into a normal one. + */ + inode_lock_nested(old.inode, I_MUTEX_NONDIR2); retval = ext4_rename_dir_prepare(handle, &old); - if (retval) + if (retval) { + inode_unlock(old.inode); goto end_rename; + } } /* * If we're renaming a file within an inline_data dir and adding or @@ -4006,6 +4013,8 @@ static int ext4_rename(struct user_namespace *mnt_userns, struct inode *old_dir, } else { ext4_journal_stop(handle); } + if (old.dir_bh) + inode_unlock(old.inode); release_bh: brelse(old.dir_bh); brelse(old.bh); -- 2.35.3

1 year, 5 months

3
3
0 0

[PATCH -stable,4.14 0/8] more stable fixes for 4.14

by Pablo Neira Ayuso

Hi Greg, Sasha, This is second round of -stable backport fixes for 4.14. This batch includes dependency patches which are not currently in the 4.14 branch. The following list shows the backported patches, I am using original commit IDs for reference: 1) 08a01c11a5bb ("netfilter: nftables: statify nft_parse_register()") 2) 6e1acfa387b9 ("netfilter: nf_tables: validate registers coming from userspace.") 3) 20a1452c3542 ("netfilter: nf_tables: add nft_setelem_parse_key()") 4) fdb9c405e35b ("netfilter: nf_tables: allow up to 64 bytes in the set element data area") 5) 7e6bc1f6cabc ("netfilter: nf_tables: stricter validation of element data") 6) 215a31f19ded ("netfilter: nft_dynset: do not reject set updates with NFT_SET_EVAL") 7) 36d5b2913219 ("netfilter: nf_tables: do not allow RULE_ID to refer to another chain") 8) 470ee20e069a ("netfilter: nf_tables: do not allow SET_ID to refer to another table") Patches #1, #3 and #4 are dependencies. Please, apply. Thanks. Pablo Neira Ayuso (8): netfilter: nftables: statify nft_parse_register() netfilter: nf_tables: validate registers coming from userspace. netfilter: nf_tables: add nft_setelem_parse_key() netfilter: nf_tables: allow up to 64 bytes in the set element data area netfilter: nf_tables: stricter validation of element data netfilter: nft_dynset: do not reject set updates with NFT_SET_EVAL netfilter: nf_tables: do not allow RULE_ID to refer to another chain netfilter: nf_tables: do not allow SET_ID to refer to another table include/net/netfilter/nf_tables.h | 7 +- include/uapi/linux/netfilter/nf_tables.h | 2 +- net/netfilter/nf_tables_api.c | 157 ++++++++++++++--------- net/netfilter/nft_dynset.c | 4 +- 4 files changed, 104 insertions(+), 66 deletions(-) -- 2.30.2

1 year, 5 months

2
10
0 0

FAILED: patch "[PATCH] dt-bindings: ata: ahci-ceva: Cover all 4 iommus entries" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x a7844528722619d2f97740ae5ec747afff18c4be # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2023052249-duplex-pampered-89cb@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: a78445287226 ("dt-bindings: ata: ahci-ceva: Cover all 4 iommus entries") f2fb1b50fbac ("dt-bindings: ata: ahci-ceva: convert to yaml") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a7844528722619d2f97740ae5ec747afff18c4be Mon Sep 17 00:00:00 2001 From: Michal Simek <michal.simek(a)amd.com> Date: Fri, 12 May 2023 13:52:04 +0200 Subject: [PATCH] dt-bindings: ata: ahci-ceva: Cover all 4 iommus entries Current only one entry is enabled but IP itself is using 4 different IDs which are already listed in zynqmp.dtsi. sata: ahci@fd0c0000 { compatible = "ceva,ahci-1v84"; ... iommus = <&smmu 0x4c0>, <&smmu 0x4c1>, <&smmu 0x4c2>, <&smmu 0x4c3>; }; Fixes: 8ac47837f0e0 ("arm64: dts: zynqmp: Add missing iommu IDs") Cc: stable(a)vger.kernel.org # v5.12+ Signed-off-by: Michal Simek <michal.simek(a)amd.com> Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Signed-off-by: Damien Le Moal <dlemoal(a)kernel.org> diff --git a/Documentation/devicetree/bindings/ata/ceva,ahci-1v84.yaml b/Documentation/devicetree/bindings/ata/ceva,ahci-1v84.yaml index 9b31f864e071..71364c6081ff 100644 --- a/Documentation/devicetree/bindings/ata/ceva,ahci-1v84.yaml +++ b/Documentation/devicetree/bindings/ata/ceva,ahci-1v84.yaml @@ -32,7 +32,7 @@ properties: maxItems: 1 iommus: - maxItems: 1 + maxItems: 4 power-domains: maxItems: 1

1 year, 5 months

3
3
0 0

[PATCH] iommu/amd/pgtbl_v2: Fix domain max address

by Vasant Hegde

IOMMU v2 page table supports 4 level (47 bit) or 5 level (56 bit) virtual address space. Current code assumes it can support 64bit IOVA address space. If IOVA allocator allocates virtual address > 47/56 bit (depending on page table level) then it will do wrong mapping and cause invalid translation. Hence adjust aperture size to use max address supported by the page table. Reported-by: Jerry Snitselaar <jsnitsel(a)redhat.com> Fixes: aaac38f61487 ("iommu/amd: Initial support for AMD IOMMU v2 page table") Cc: <Stable(a)vger.kernel.org> # v6.0+ Cc: Suravee Suthikulpanit <suravee.suthikulpanit(a)amd.com> Signed-off-by: Vasant Hegde <vasant.hegde(a)amd.com> --- drivers/iommu/amd/iommu.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c index 5aaa4cf84506..e14c7c666745 100644 --- a/drivers/iommu/amd/iommu.c +++ b/drivers/iommu/amd/iommu.c @@ -2128,6 +2128,15 @@ static struct protection_domain *protection_domain_alloc(unsigned int type) return NULL; } +static inline u64 dma_max_address(void) +{ + if (amd_iommu_pgtable == AMD_IOMMU_V1) + return ~0ULL; + + /* V2 with 4/5 level page table */ + return ((1ULL << PM_LEVEL_SHIFT(amd_iommu_gpt_level)) - 1); +} + static struct iommu_domain *amd_iommu_domain_alloc(unsigned type) { struct protection_domain *domain; @@ -2144,7 +2153,7 @@ static struct iommu_domain *amd_iommu_domain_alloc(unsigned type) return NULL; domain->domain.geometry.aperture_start = 0; - domain->domain.geometry.aperture_end = ~0ULL; + domain->domain.geometry.aperture_end = dma_max_address(); domain->domain.geometry.force_aperture = true; return &domain->domain; -- 2.31.1

1 year, 5 months

3
3
0 0

[PATCH] mm/hugetlb: revert use of page_cache_next_miss()

by Sidhartha Kumar

As reported by Ackerley[1], the use of page_cache_next_miss() in hugetlbfs_fallocate() introduces a bug where a second fallocate() call to same offset fails with -EEXIST. Revert this change and go back to the previous method of using get from the page cache and then dropping the reference on success. hugetlbfs_pagecache_present() was also refactored to use page_cache_next_miss(), revert the usage there as well. User visible impacts include hugetlb fallocate incorrectly returning EEXIST if pages are already present in the file. In addition, hugetlb pages will not be included in core dumps if they need to be brought in via GUP. userfaultfd UFFDIO_COPY also uses this code and will not notice pages already present in the cache. It may try to allocate a new page and potentially return ENOMEM as opposed to EEXIST. Fixes: d0ce0e47b323 ("mm/hugetlb: convert hugetlb fault paths to use alloc_hugetlb_folio()") Cc: <stable(a)vger.kernel.org> #v6.3+ Reported-by: Ackerley Tng <ackerleytng(a)google.com> Signed-off-by: Sidhartha Kumar <sidhartha.kumar(a)oracle.com> [1] https://lore.kernel.org/linux-mm/cover.1683069252.git.ackerleytng@google.co… --- This patch is meant to fix stable v6.3.1 as safe as possible by doing a simple revert. Patch page cache: fix page_cache_next/prev_miss off by one by Mike is a potential fix that will allow the use of page_cache_next_miss() and is awaiting review. Patch Fix fallocate error in hugetlbfs when fallocating again by Ackerley is another fix but introduces a new function and is also awaiting review. fs/hugetlbfs/inode.c | 8 +++----- mm/hugetlb.c | 11 +++++------ 2 files changed, 8 insertions(+), 11 deletions(-) diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c index 9062da6da5675..6d6cd8f26d76d 100644 --- a/fs/hugetlbfs/inode.c +++ b/fs/hugetlbfs/inode.c @@ -821,7 +821,6 @@ static long hugetlbfs_fallocate(struct file *file, int mode, loff_t offset, */ struct folio *folio; unsigned long addr; - bool present; cond_resched(); @@ -845,10 +844,9 @@ static long hugetlbfs_fallocate(struct file *file, int mode, loff_t offset, mutex_lock(&hugetlb_fault_mutex_table[hash]); /* See if already present in mapping to avoid alloc/free */ - rcu_read_lock(); - present = page_cache_next_miss(mapping, index, 1) != index; - rcu_read_unlock(); - if (present) { + folio = filemap_get_folio(mapping, index); + if (folio) { + folio_put(folio); mutex_unlock(&hugetlb_fault_mutex_table[hash]); hugetlb_drop_vma_policy(&pseudo_vma); continue; diff --git a/mm/hugetlb.c b/mm/hugetlb.c index 245038a9fe4ea..29ab27d2a3ef5 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -5666,13 +5666,12 @@ static bool hugetlbfs_pagecache_present(struct hstate *h, { struct address_space *mapping = vma->vm_file->f_mapping; pgoff_t idx = vma_hugecache_offset(h, vma, address); - bool present; - - rcu_read_lock(); - present = page_cache_next_miss(mapping, idx, 1) != idx; - rcu_read_unlock(); + struct folio *folio; - return present; + folio = filemap_get_folio(mapping, idx); + if (folio) + folio_put(folio); + return folio != NULL; } int hugetlb_add_to_page_cache(struct folio *folio, struct address_space *mapping, -- 2.40.0

1 year, 5 months

3
4
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror May 2023