From: Sean Christopherson <seanjc(a)google.com>
[ Upstream commit 4b7c3f6d04bd53f2e5b228b6821fb8f5d1ba3071 ]
Ignore the userspace provided x2APIC ID when fixing up APIC state for
KVM_SET_LAPIC, i.e. make the x2APIC fully readonly in KVM. Commit
a92e2543d6a8 ("KVM: x86: use hardware-compatible format for APIC ID
register"), which added the fixup, didn't intend to allow userspace to
modify the x2APIC ID. In fact, that commit is when KVM first started
treating the x2APIC ID as readonly, apparently to fix some race:
static inline u32 kvm_apic_id(struct kvm_lapic *apic)
{
- return (kvm_lapic_get_reg(apic, APIC_ID) >> 24) & 0xff;
+ /* To avoid a race between apic_base and following APIC_ID update when
+ * switching to x2apic_mode, the x2apic mode returns initial x2apic id.
+ */
+ if (apic_x2apic_mode(apic))
+ return apic->vcpu->vcpu_id;
+
+ return kvm_lapic_get_reg(apic, APIC_ID) >> 24;
}
Furthermore, KVM doesn't support delivering interrupts to vCPUs with a
modified x2APIC ID, but KVM *does* return the modified value on a guest
RDMSR and for KVM_GET_LAPIC. I.e. no remotely sane setup can actually
work with a modified x2APIC ID.
Making the x2APIC ID fully readonly fixes a WARN in KVM's optimized map
calculation, which expects the LDR to align with the x2APIC ID.
WARNING: CPU: 2 PID: 958 at arch/x86/kvm/lapic.c:331 kvm_recalculate_apic_map+0x609/0xa00 [kvm]
CPU: 2 PID: 958 Comm: recalc_apic_map Not tainted 6.4.0-rc3-vanilla+ #35
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.2-1-1 04/01/2014
RIP: 0010:kvm_recalculate_apic_map+0x609/0xa00 [kvm]
Call Trace:
<TASK>
kvm_apic_set_state+0x1cf/0x5b0 [kvm]
kvm_arch_vcpu_ioctl+0x1806/0x2100 [kvm]
kvm_vcpu_ioctl+0x663/0x8a0 [kvm]
__x64_sys_ioctl+0xb8/0xf0
do_syscall_64+0x56/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7fade8b9dd6f
Unfortunately, the WARN can still trigger for other CPUs than the current
one by racing against KVM_SET_LAPIC, so remove it completely.
Reported-by: Michal Luczaj <mhal(a)rbox.co>
Closes: https://lore.kernel.org/all/814baa0c-1eaa-4503-129f-059917365e80@rbox.co
Reported-by: Haoyu Wu <haoyuwu254(a)gmail.com>
Closes: https://lore.kernel.org/all/20240126161633.62529-1-haoyuwu254@gmail.com
Reported-by: syzbot+545f1326f405db4e1c3e(a)syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/000000000000c2a6b9061cbca3c3@google.com
Signed-off-by: Sean Christopherson <seanjc(a)google.com>
Message-ID: <20240802202941.344889-2-seanjc(a)google.com>
Signed-off-by: Paolo Bonzini <pbonzini(a)redhat.com>
Signed-off-by: Gavin Guo <gavinguo(a)igalia.com>
---
arch/x86/kvm/lapic.c | 22 +++++++++++++++-------
1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
index 34766abbabd8..cd9c1e1f6fd3 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -338,10 +338,8 @@ static void kvm_recalculate_logical_map(struct kvm_apic_map *new,
* reversing the LDR calculation to get cluster of APICs, i.e. no
* additional work is required.
*/
- if (apic_x2apic_mode(apic)) {
- WARN_ON_ONCE(ldr != kvm_apic_calc_x2apic_ldr(kvm_x2apic_id(apic)));
+ if (apic_x2apic_mode(apic))
return;
- }
if (WARN_ON_ONCE(!kvm_apic_map_get_logical_dest(new, ldr,
&cluster, &mask))) {
@@ -2964,18 +2962,28 @@ static int kvm_apic_state_fixup(struct kvm_vcpu *vcpu,
struct kvm_lapic_state *s, bool set)
{
if (apic_x2apic_mode(vcpu->arch.apic)) {
+ u32 x2apic_id = kvm_x2apic_id(vcpu->arch.apic);
u32 *id = (u32 *)(s->regs + APIC_ID);
u32 *ldr = (u32 *)(s->regs + APIC_LDR);
u64 icr;
if (vcpu->kvm->arch.x2apic_format) {
- if (*id != vcpu->vcpu_id)
+ if (*id != x2apic_id)
return -EINVAL;
} else {
+ /*
+ * Ignore the userspace value when setting APIC state.
+ * KVM's model is that the x2APIC ID is readonly, e.g.
+ * KVM only supports delivering interrupts to KVM's
+ * version of the x2APIC ID. However, for backwards
+ * compatibility, don't reject attempts to set a
+ * mismatched ID for userspace that hasn't opted into
+ * x2apic_format.
+ */
if (set)
- *id >>= 24;
+ *id = x2apic_id;
else
- *id <<= 24;
+ *id = x2apic_id << 24;
}
/*
@@ -2984,7 +2992,7 @@ static int kvm_apic_state_fixup(struct kvm_vcpu *vcpu,
* split to ICR+ICR2 in userspace for backwards compatibility.
*/
if (set) {
- *ldr = kvm_apic_calc_x2apic_ldr(*id);
+ *ldr = kvm_apic_calc_x2apic_ldr(x2apic_id);
icr = __kvm_lapic_get_reg(s->regs, APIC_ICR) |
(u64)__kvm_lapic_get_reg(s->regs, APIC_ICR2) << 32;
--
2.43.0
The current implementation sets the wMaxPacketSize of bulk in/out
endpoints to 1024 bytes at the end of the f_midi_bind function. However,
in cases where there is a failure in the first midi bind attempt,
consider rebinding. This scenario may encounter an f_midi_bind issue due
to the previous bind setting the bulk endpoint's wMaxPacketSize to 1024
bytes, which exceeds the ep->maxpacket_limit where configured TX/RX
FIFO's maxpacket size of 512 bytes for IN/OUT endpoints in support HS
speed only.
This commit addresses this issue by resetting the wMaxPacketSize before
endpoint claim.
Fixes: 46decc82ffd5 ("usb: gadget: unconditionally allocate hs/ss descriptor in bind operation")
Cc: stable(a)vger.kernel.org
Signed-off-by: Selvarasu Ganesan <selvarasu.g(a)samsung.com>
---
drivers/usb/gadget/function/f_midi.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/usb/gadget/function/f_midi.c b/drivers/usb/gadget/function/f_midi.c
index 837fcdfa3840..5caa0e4eb07e 100644
--- a/drivers/usb/gadget/function/f_midi.c
+++ b/drivers/usb/gadget/function/f_midi.c
@@ -907,6 +907,15 @@ static int f_midi_bind(struct usb_configuration *c, struct usb_function *f)
status = -ENODEV;
+ /*
+ * Reset wMaxPacketSize with maximum packet size of FS bulk transfer before
+ * endpoint claim. This ensures that the wMaxPacketSize does not exceed the
+ * limit during bind retries where configured TX/RX FIFO's maxpacket size
+ * of 512 bytes for IN/OUT endpoints in support HS speed only.
+ */
+ bulk_in_desc.wMaxPacketSize = cpu_to_le16(64);
+ bulk_out_desc.wMaxPacketSize = cpu_to_le16(64);
+
/* allocate instance-specific endpoints */
midi->in_ep = usb_ep_autoconfig(cdev->gadget, &bulk_in_desc);
if (!midi->in_ep)
--
2.17.1
I am using an Acer Aspire A115-31 laptop. When running newer kernel
versions, sound played through headphones is distorted, but when running
older versions, it is not.
Kernel version: Linux version 6.12.5 (user@hostname) (gcc (Debian
14.2.0-8) 14.2.0, GNU ld (GNU Binutils for Debian) 2.43.50.20241210) #1
SMP PREEMPT_DYNAMIC Sun Dec 15 05:09:16 IST 2024
Operating System: Debian GNU/Linux trixie/sid
No special actions are needed to reproduce the issue. The sound is
distorted all the time, and it doesn't depend on anything besides using
an affected kernel version.
It seems to be caused by commit 34ab5bbc6e82214d7f7393eba26d164b303ebb4e
(ALSA: hda/realtek - Add Headset Mic supported Acer NB platform).
Indeed, if I remove the entry that this commit adds, the issue disappears.
lspci output for the device in question:
00:0e.0 Multimedia audio controller [0401]: Intel Corporation
Celeron/Pentium Silver Processor High Definition Audio [8086:3198] (rev 06)
Subsystem: Acer Incorporated [ALI] Device [1025:1360]
Flags: bus master, fast devsel, latency 0, IRQ 130
Memory at a1214000 (64-bit, non-prefetchable) [size=16K]
Memory at a1000000 (64-bit, non-prefetchable) [size=1M]
Capabilities: [50] Power Management version 3
Capabilities: [80] Vendor Specific Information: Len=14 <?>
Capabilities: [60] MSI: Enable+ Count=1/1 Maskable- 64bit+
Capabilities: [70] Express Root Complex Integrated Endpoint,
IntMsgNum 0
Kernel driver in use: snd_hda_intel
Kernel modules: snd_hda_intel, snd_soc_avs, snd_sof_pci_intel_apl
From: Roberto Sassu <roberto.sassu(a)huawei.com>
Commit 11c60f23ed13 ("integrity: Remove unused macro
IMA_ACTION_RULE_FLAGS") removed the IMA_ACTION_RULE_FLAGS mask, due to it
not being used after commit 0d73a55208e9 ("ima: re-introduce own integrity
cache lock").
However, it seems that the latter commit mistakenly used the wrong mask
when moving the code from ima_inode_post_setattr() to
process_measurement(). There is no mention in the commit message about this
change and it looks quite important, since changing from IMA_ACTIONS_FLAGS
(later renamed to IMA_NONACTION_FLAGS) to IMA_ACTION_RULE_FLAGS was done by
commit 42a4c603198f0 ("ima: fix ima_inode_post_setattr").
Restore the original change, but with new mask 0xfb000000 since the
policy-specific flags changed meanwhile, and rename IMA_ACTION_RULE_FLAGS
to IMA_NONACTION_RULE_FLAGS, to be consistent with IMA_NONACTION_FLAGS.
Cc: stable(a)vger.kernel.org # v4.16.x
Fixes: 11c60f23ed13 ("integrity: Remove unused macro IMA_ACTION_RULE_FLAGS")
Signed-off-by: Roberto Sassu <roberto.sassu(a)huawei.com>
---
security/integrity/ima/ima.h | 1 +
security/integrity/ima/ima_main.c | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 22c3b87cfcac..32ffef2cc92a 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -141,6 +141,7 @@ struct ima_kexec_hdr {
/* IMA iint policy rule cache flags */
#define IMA_NONACTION_FLAGS 0xff000000
+#define IMA_NONACTION_RULE_FLAGS 0xfb000000
#define IMA_DIGSIG_REQUIRED 0x01000000
#define IMA_PERMIT_DIRECTIO 0x02000000
#define IMA_NEW_FILE 0x04000000
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 712c3a522e6c..83e467ad18d4 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -277,7 +277,7 @@ static int process_measurement(struct file *file, const struct cred *cred,
/* reset appraisal flags if ima_inode_post_setattr was called */
iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
- IMA_NONACTION_FLAGS);
+ IMA_NONACTION_RULE_FLAGS);
/*
* Re-evaulate the file if either the xattr has changed or the
--
2.47.0.118.gfd3785337b
This is the start of the stable review cycle for the 6.12.8 release.
There are 114 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Wed, 01 Jan 2025 15:41:48 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.8-rc1…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 6.12.8-rc1
Takashi Iwai <tiwai(a)suse.de>
ALSA: sh: Fix wrong argument order for copy_from_iter()
Takashi Iwai <tiwai(a)suse.de>
ALSA: ump: Shut up truncated string warning
Chris Lu <chris.lu(a)mediatek.com>
Bluetooth: btusb: mediatek: change the conditions for ISO interface
Chris Lu <chris.lu(a)mediatek.com>
Bluetooth: btusb: mediatek: add intf release flow when usb disconnect
Chris Lu <chris.lu(a)mediatek.com>
Bluetooth: btusb: mediatek: add callback function in btusb_disconnect
Chris Lu <chris.lu(a)mediatek.com>
Bluetooth: btusb: mediatek: move Bluetooth power off command position
Boris Burkov <boris(a)bur.io>
btrfs: check folio mapping after unlock in relocate_one_folio()
Boris Burkov <boris(a)bur.io>
btrfs: check folio mapping after unlock in put_file_data()
Filipe Manana <fdmanana(a)suse.com>
btrfs: fix use-after-free when COWing tree bock and tracing is enabled
Qu Wenruo <wqu(a)suse.com>
btrfs: sysfs: fix direct super block member reads
Julian Sun <sunjunchao2870(a)gmail.com>
btrfs: fix transaction atomicity bug when enabling simple quotas
Filipe Manana <fdmanana(a)suse.com>
btrfs: fix swap file activation failure due to extents that used to be shared
Filipe Manana <fdmanana(a)suse.com>
btrfs: avoid monopolizing a core when activating a swap file
Filipe Manana <fdmanana(a)suse.com>
btrfs: fix race with memory mapped writes when activating swap file
Dimitri Fedrau <dimitri.fedrau(a)liebherr.com>
power: supply: gpio-charger: Fix set charge current limits
Thomas Weißschuh <linux(a)weissschuh.net>
power: supply: cros_charge-control: hide start threshold on v2 cmd
Thomas Weißschuh <linux(a)weissschuh.net>
power: supply: cros_charge-control: allow start_threshold == end_threshold
Thomas Weißschuh <linux(a)weissschuh.net>
power: supply: cros_charge-control: add mutex for driver data
Kan Liang <kan.liang(a)linux.intel.com>
perf/x86/intel/ds: Add PEBS format 6
Conor Dooley <conor.dooley(a)microchip.com>
i2c: microchip-core: fix "ghost" detections
Carlos Song <carlos.song(a)nxp.com>
i2c: imx: add imx7d compatible string for applying erratum ERR007805
Kan Liang <kan.liang(a)linux.intel.com>
perf/x86/intel: Fix bitmask of OCR and FRONTEND events for LNC
Thomas Gleixner <tglx(a)linutronix.de>
PCI/MSI: Handle lack of irqdomain gracefully
Li RongQing <lirongqing(a)baidu.com>
virt: tdx-guest: Just leak decrypted memory on unrecoverable errors
Xin Li (Intel) <xin(a)zytor.com>
x86/fred: Clear WFE in missing-ENDBRANCH #CPs
Conor Dooley <conor.dooley(a)microchip.com>
i2c: microchip-core: actually use repeated sends
Pavel Begunkov <asml.silence(a)gmail.com>
io_uring/sqpoll: fix sqpoll error handling races
Tomas Glozar <tglozar(a)redhat.com>
rtla/timerlat: Fix histogram ALL for zero samples
Lizhi Xu <lizhi.xu(a)windriver.com>
tracing: Prevent bad count for tracing_cpumask_write
Christian Göttsche <cgzones(a)googlemail.com>
tracing: Constify string literal data member in struct trace_event_call
Kan Liang <kan.liang(a)linux.intel.com>
perf/x86/intel/uncore: Add Clearwater Forest support
Binbin Zhou <zhoubinbin(a)loongson.cn>
dmaengine: loongson2-apb: Change GENMASK to GENMASK_ULL
Chen Ridong <chenridong(a)huawei.com>
freezer, sched: Report frozen tasks as 'D' instead of 'R'
chenchangcheng <ccc194101(a)163.com>
objtool: Add bch2_trans_unlocked_error() to bcachefs noreturns
John Harrison <John.C.Harrison(a)Intel.com>
drm/xe: Move the coredump registration to the worker thread
Matthew Brost <matthew.brost(a)intel.com>
drm/xe: Take PM ref in delayed snapshot capture worker
Ming Lei <ming.lei(a)redhat.com>
ublk: detach gendisk from ublk device if add_disk() fails
Emmanuel Grumbach <emmanuel.grumbach(a)intel.com>
wifi: iwlwifi: be less noisy if the NIC is dead in S3
Ming Lei <ming.lei(a)redhat.com>
blk-mq: register cpuhp callback after hctx is added to xarray table
Ming Lei <ming.lei(a)redhat.com>
virtio-blk: don't keep queue frozen during system suspend
Imre Deak <imre.deak(a)intel.com>
drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req()
Purushothama Siddaiah <psiddaiah(a)mvista.com>
spi: omap2-mcspi: Fix the IS_ERR() bug for devm_clk_get_optional_enabled()
Qinxin Xia <xiaqinxin(a)huawei.com>
ACPI/IORT: Add PMCG platform information for HiSilicon HIP09A
Cathy Avery <cavery(a)redhat.com>
scsi: storvsc: Do not flag MAINTENANCE_IN return of SRB_STATUS_DATA_OVERRUN as an error
Ranjan Kumar <ranjan.kumar(a)broadcom.com>
scsi: mpi3mr: Handling of fault code for insufficient power
Ranjan Kumar <ranjan.kumar(a)broadcom.com>
scsi: mpi3mr: Start controller indexing from 0
Ranjan Kumar <ranjan.kumar(a)broadcom.com>
scsi: mpi3mr: Fix corrupt config pages PHY state is switched in sysfs
Ranjan Kumar <ranjan.kumar(a)broadcom.com>
scsi: mpi3mr: Synchronize access to ioctl data buffer
Ranjan Kumar <ranjan.kumar(a)broadcom.com>
scsi: mpt3sas: Diag-Reset when Doorbell-In-Use bit is set during driver load time
Aapo Vienamo <aapo.vienamo(a)iki.fi>
spi: intel: Add Panther Lake SPI controller support
Kumar Kartikeya Dwivedi <memxor(a)gmail.com>
bpf: Zero index arg error string for dynptr and iter
Armin Wolf <W_Armin(a)gmx.de>
platform/x86: asus-nb-wmi: Ignore unknown event 0xCF
Tiezhu Yang <yangtiezhu(a)loongson.cn>
LoongArch: BPF: Adjust the parameter of emit_jirl()
Huacai Chen <chenhuacai(a)kernel.org>
LoongArch: Fix reserving screen info memory for above-4G firmware
Mark Brown <broonie(a)kernel.org>
regmap: Use correct format specifier for logging range errors
Brahmajit Das <brahmajit.xyz(a)gmail.com>
smb: server: Fix building with GCC 15
Takashi Iwai <tiwai(a)suse.de>
ALSA: sh: Use standard helper for buffer accesses
bo liu <bo.liu(a)senarytech.com>
ALSA: hda/conexant: fix Z60MR100 startup pop issue
Takashi Iwai <tiwai(a)suse.de>
ALSA: ump: Update legacy substream names upon FB info update
Takashi Iwai <tiwai(a)suse.de>
ALSA: ump: Indicate the inactive group in legacy substream names
Takashi Iwai <tiwai(a)suse.de>
ALSA: ump: Don't open legacy substream for an inactive group
Jan Kara <jack(a)suse.cz>
udf: Verify inode link counts before performing rename
Jan Kara <jack(a)suse.cz>
udf: Skip parent dir link count update if corrupted
Tomas Henzl <thenzl(a)redhat.com>
scsi: megaraid_sas: Fix for a potential deadlock
Magnus Lindholm <linmag7(a)gmail.com>
scsi: qla1280: Fix hw revision numbering for ISP1020/1040
Yassine Oudjana <y.oudjana(a)protonmail.com>
watchdog: mediatek: Add support for MT6735 TOPRGU/WDT
Peter Griffin <peter.griffin(a)linaro.org>
Revert "watchdog: s3c2410_wdt: use exynos_get_pmu_regmap_by_phandle() for PMU regs"
Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com>
watchdog: rzg2l_wdt: Power on the watchdog domain in the restart handler
James Hilliard <james.hilliard1(a)gmail.com>
watchdog: it87_wdt: add PWRGD enable quirk for Qotom QCML04
Masami Hiramatsu (Google) <mhiramat(a)kernel.org>
tracing/kprobe: Make trace_kprobe's module callback called after jump_label update
Alexander Lobakin <aleksander.lobakin(a)intel.com>
stddef: make __struct_group() UAPI C++-friendly
Hans de Goede <hdegoede(a)redhat.com>
power: supply: bq24190: Fix BQ24296 Vbus regulator support
Haren Myneni <haren(a)linux.ibm.com>
powerpc/pseries/vas: Add close() callback in vas_vm_ops struct
Richard Fitzgerald <rf(a)opensource.cirrus.com>
ASoC: Intel: sof_sdw: Fix DMI match for Lenovo 21Q6 and 21Q7
Chen-Yu Tsai <wenst(a)chromium.org>
ASoC: dt-bindings: realtek,rt5645: Fix CPVDD voltage comment
Richard Fitzgerald <rf(a)opensource.cirrus.com>
ASoC: Intel: sof_sdw: Fix DMI match for Lenovo 21QA and 21QB
Venkata Prasad Potturu <venkataprasad.potturu(a)amd.com>
ASoC: amd: ps: Fix for enabling DMIC on acp63 platform via _DSD entry
Dan Carpenter <dan.carpenter(a)linaro.org>
mtd: rawnand: fix double free in atmel_pmecc_create_user()
Dustin L. Howett <dustin(a)howett.net>
platform/chrome: cros_ec_lpc: fix product identity for early Framework Laptops
Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com>
ASoC: SOF: Intel: hda-dai: Do not release the link DMA on STOP
Chen Ridong <chenridong(a)huawei.com>
dmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset
Sasha Finkelstein <fnkl.kernel(a)gmail.com>
dmaengine: apple-admac: Avoid accessing registers in probe
Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp>
dmaengine: fsl-edma: implement the cleanup path of fsl_edma3_attach_pd()
Lizhi Hou <lizhi.hou(a)amd.com>
dmaengine: amd: qdma: Remove using the private get and set dma_ops APIs
Akhil R <akhilrajeev(a)nvidia.com>
dmaengine: tegra: Return correct DMA status when paused
Andy Shevchenko <andriy.shevchenko(a)linux.intel.com>
dmaengine: dw: Select only supported masters for ACPI devices
Javier Carrasco <javier.carrasco.cruz(a)gmail.com>
dmaengine: mv_xor: fix child node refcount handling in early exit
Fedor Pchelkin <pchelkin(a)ispras.ru>
ALSA: memalloc: prefer dma_mapping_error() over explicit address checking
Chukun Pan <amadeus(a)jmu.edu.cn>
phy: rockchip: naneng-combphy: fix phy reset
Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com>
phy: rockchip: samsung-hdptx: Set drvdata before enabling runtime PM
Justin Chen <justin.chen(a)broadcom.com>
phy: usb: Toggle the PHY power during init
Zijun Hu <quic_zijuhu(a)quicinc.com>
phy: core: Fix that API devm_phy_destroy() fails to destroy the phy
Zijun Hu <quic_zijuhu(a)quicinc.com>
phy: core: Fix that API devm_of_phy_provider_unregister() fails to unregister the phy provider
Zijun Hu <quic_zijuhu(a)quicinc.com>
phy: core: Fix that API devm_phy_put() fails to release the phy
Zijun Hu <quic_zijuhu(a)quicinc.com>
phy: core: Fix an OF node refcount leakage in of_phy_provider_lookup()
Zijun Hu <quic_zijuhu(a)quicinc.com>
phy: core: Fix an OF node refcount leakage in _of_phy_get()
Krishna Kurapati <quic_kriskura(a)quicinc.com>
phy: qcom-qmp: Fix register name in RX Lane config of SC8280XP
Maciej Andrzejewski <maciej.andrzejewski(a)m-works.net>
mtd: rawnand: arasan: Fix missing de-registration of NAND
Maciej Andrzejewski <maciej.andrzejewski(a)m-works.net>
mtd: rawnand: arasan: Fix double assertion of chip-select
Zichen Xie <zichenxie0106(a)gmail.com>
mtd: diskonchip: Cast an operand to prevent potential overflow
NeilBrown <neilb(a)suse.de>
nfsd: restore callback functionality for NFSv4.0
Yang Erkun <yangerkun(a)huawei.com>
nfsd: Revert "nfsd: release svc_expkey/svc_export with rcu_work"
Cong Wang <cong.wang(a)bytedance.com>
bpf: Check negative offsets in __bpf_skb_min_len()
Zijian Zhang <zijianzhang(a)bytedance.com>
tcp_bpf: Add sk_rmem_alloc related logic for tcp_bpf ingress redirection
Cong Wang <cong.wang(a)bytedance.com>
tcp_bpf: Charge receive socket buffer in bpf_tcp_ingress()
Bharath SM <bharathsm.hsk(a)gmail.com>
smb: fix bytes written value in /proc/fs/cifs/Stats
Dragan Simic <dsimic(a)manjaro.org>
smb: client: Deduplicate "select NETFS_SUPPORT" in Kconfig
Jerome Marchand <jmarchan(a)redhat.com>
selftests/bpf: Fix compilation error in get_uprobe_offset()
Bart Van Assche <bvanassche(a)acm.org>
mm/vmstat: fix a W=1 clang compiler warning
Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com>
fork: avoid inappropriate uprobe access to invalid mm
Andrea Righi <arighi(a)nvidia.com>
bpf: Fix bpf_get_smp_processor_id() on !CONFIG_SMP
Willow Cunningham <willow.e.cunningham(a)gmail.com>
arm64: dts: broadcom: Fix L2 linesize for Raspberry Pi 5
Ilya Dryomov <idryomov(a)gmail.com>
ceph: allocate sparse_ext map only for sparse reads
Nikita Zhandarovich <n.zhandarovich(a)fintech.ru>
media: dvb-frontends: dib3000mb: fix uninit-value in dib3000_write_reg
-------------
Diffstat:
Documentation/arch/arm64/silicon-errata.rst | 5 +-
.../devicetree/bindings/sound/realtek,rt5645.yaml | 2 +-
Makefile | 4 +-
arch/arm64/boot/dts/broadcom/bcm2712.dtsi | 8 +-
arch/loongarch/include/asm/inst.h | 12 +-
arch/loongarch/kernel/efi.c | 2 +-
arch/loongarch/kernel/inst.c | 2 +-
arch/loongarch/net/bpf_jit.c | 6 +-
arch/powerpc/platforms/book3s/vas-api.c | 36 +++++
arch/x86/events/intel/core.c | 12 +-
arch/x86/events/intel/ds.c | 1 +
arch/x86/events/intel/uncore.c | 1 +
arch/x86/kernel/cet.c | 30 ++++
block/blk-mq.c | 15 +-
drivers/acpi/arm64/iort.c | 2 +
drivers/base/regmap/regmap.c | 4 +-
drivers/block/ublk_drv.c | 26 +--
drivers/block/virtio_blk.c | 7 +-
drivers/bluetooth/btusb.c | 41 +++--
drivers/dma/amd/qdma/qdma.c | 28 ++--
drivers/dma/apple-admac.c | 7 +-
drivers/dma/at_xdmac.c | 2 +
drivers/dma/dw/acpi.c | 6 +-
drivers/dma/dw/internal.h | 8 +
drivers/dma/dw/pci.c | 4 +-
drivers/dma/fsl-edma-common.h | 1 +
drivers/dma/fsl-edma-main.c | 41 ++++-
drivers/dma/ls2x-apb-dma.c | 2 +-
drivers/dma/mv_xor.c | 2 +
drivers/dma/tegra186-gpc-dma.c | 10 ++
drivers/gpu/drm/display/drm_dp_mst_topology.c | 24 ++-
drivers/gpu/drm/xe/xe_devcoredump.c | 69 ++++----
drivers/i2c/busses/i2c-imx.c | 1 +
drivers/i2c/busses/i2c-microchip-corei2c.c | 126 +++++++++++----
drivers/media/dvb-frontends/dib3000mb.c | 2 +-
drivers/mtd/nand/raw/arasan-nand-controller.c | 11 +-
drivers/mtd/nand/raw/atmel/pmecc.c | 4 +-
drivers/mtd/nand/raw/diskonchip.c | 2 +-
drivers/net/wireless/intel/iwlwifi/iwl-trans.h | 13 +-
drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 28 +++-
drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 2 +
drivers/pci/msi/irqdomain.c | 7 +-
drivers/pci/msi/msi.c | 4 +
drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c | 6 +
drivers/phy/phy-core.c | 21 ++-
drivers/phy/qualcomm/phy-qcom-qmp-usb.c | 2 +-
drivers/phy/rockchip/phy-rockchip-naneng-combphy.c | 2 +-
drivers/phy/rockchip/phy-rockchip-samsung-hdptx.c | 3 +-
drivers/platform/chrome/cros_ec_lpc.c | 4 +-
drivers/platform/x86/asus-nb-wmi.c | 1 +
drivers/power/supply/bq24190_charger.c | 12 +-
drivers/power/supply/cros_charge-control.c | 36 +++--
drivers/power/supply/gpio-charger.c | 8 +
drivers/scsi/megaraid/megaraid_sas_base.c | 5 +-
drivers/scsi/mpi3mr/mpi3mr.h | 9 --
drivers/scsi/mpi3mr/mpi3mr_app.c | 36 +++--
drivers/scsi/mpi3mr/mpi3mr_fw.c | 121 ++++++--------
drivers/scsi/mpi3mr/mpi3mr_os.c | 2 +-
drivers/scsi/mpt3sas/mpt3sas_base.c | 7 +-
drivers/scsi/qla1280.h | 12 +-
drivers/scsi/storvsc_drv.c | 7 +-
drivers/spi/spi-intel-pci.c | 2 +
drivers/spi/spi-omap2-mcspi.c | 6 +-
drivers/virt/coco/tdx-guest/tdx-guest.c | 4 +-
drivers/watchdog/Kconfig | 1 +
drivers/watchdog/it87_wdt.c | 39 +++++
drivers/watchdog/mtk_wdt.c | 6 +
drivers/watchdog/rzg2l_wdt.c | 20 ++-
drivers/watchdog/s3c2410_wdt.c | 8 +-
fs/btrfs/ctree.c | 11 +-
fs/btrfs/inode.c | 129 +++++++++++----
fs/btrfs/qgroup.c | 3 +-
fs/btrfs/relocation.c | 6 +
fs/btrfs/send.c | 6 +
fs/btrfs/sysfs.c | 6 +-
fs/ceph/file.c | 2 +-
fs/nfsd/export.c | 31 +---
fs/nfsd/export.h | 4 +-
fs/nfsd/nfs4callback.c | 4 +-
fs/smb/client/Kconfig | 1 -
fs/smb/client/smb2pdu.c | 3 +
fs/smb/server/smb_common.c | 4 +-
fs/udf/namei.c | 16 +-
include/linux/platform_data/amd_qdma.h | 2 +
include/linux/sched.h | 3 +-
include/linux/skmsg.h | 11 +-
include/linux/trace_events.h | 2 +-
include/linux/vmstat.h | 2 +-
include/net/sock.h | 10 +-
include/uapi/linux/stddef.h | 13 +-
io_uring/sqpoll.c | 6 +
kernel/bpf/verifier.c | 18 ++-
kernel/fork.c | 13 +-
kernel/trace/trace.c | 3 +
kernel/trace/trace_kprobe.c | 2 +-
net/ceph/osd_client.c | 2 +
net/core/filter.c | 21 ++-
net/core/skmsg.c | 6 +-
net/ipv4/tcp_bpf.c | 6 +-
sound/core/memalloc.c | 2 +-
sound/core/ump.c | 26 ++-
sound/pci/hda/patch_conexant.c | 28 ++++
sound/sh/sh_dac_audio.c | 5 +-
sound/soc/amd/ps/pci-ps.c | 17 +-
sound/soc/intel/boards/sof_sdw.c | 23 ++-
sound/soc/sof/intel/hda-dai.c | 25 ++-
sound/soc/sof/intel/hda.h | 2 -
tools/include/uapi/linux/stddef.h | 15 +-
tools/objtool/noreturns.h | 1 +
tools/testing/selftests/bpf/progs/dynptr_fail.c | 22 +--
.../selftests/bpf/progs/iters_state_safety.c | 14 +-
.../selftests/bpf/progs/iters_testmod_seq.c | 4 +-
.../selftests/bpf/progs/test_kfunc_dynptr_param.c | 2 +-
.../selftests/bpf/progs/verifier_bits_iter.c | 4 +-
tools/testing/selftests/bpf/trace_helpers.c | 4 +
tools/tracing/rtla/src/timerlat_hist.c | 177 +++++++++++----------
116 files changed, 1169 insertions(+), 548 deletions(-)
The following call-chain leads to misuse of spinlock_irq
when spinlock_irqsave was hold.
irq_set_vcpu_affinity
-> irq_get_desc_lock (spinlock_irqsave)
-> its_irq_set_vcpu_affinity
-> guard(raw_spin_lock_irq) <--- this enables interrupts
-> irq_put_desc_unlock // <--- WARN IRQs enabled
Fix the issue by using guard(raw_spinlock), since the function is
already called with irqsave and raw_spin_lock was used before the commit
b97e8a2f7130 ("irqchip/gic-v3-its: Fix potential race condition in its_vlpi_prop_update()")
introducing the guard as well.
This was discovered through the lock debugging, and the corresponding
log is as follows:
raw_local_irq_restore() called with IRQs enabled
WARNING: CPU: 38 PID: 444 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x2c/0x38
Call trace:
warn_bogus_irq_restore+0x2c/0x38
_raw_spin_unlock_irqrestore+0x68/0x88
__irq_put_desc_unlock+0x1c/0x48
irq_set_vcpu_affinity+0x74/0xc0
its_map_vlpi+0x44/0x88
kvm_vgic_v4_set_forwarding+0x148/0x230
kvm_arch_irq_bypass_add_producer+0x20/0x28
__connect+0x98/0xb8
irq_bypass_register_consumer+0x150/0x178
kvm_irqfd+0x6dc/0x744
kvm_vm_ioctl+0xe44/0x16b0
Fixes: b97e8a2f7130 ("irqchip/gic-v3-its: Fix potential race condition in its_vlpi_prop_update()")
Signed-off-by: Tomas Krcka <krckatom(a)amazon.de>
Reviewed-by: Marc Zyngier <maz(a)kernel.org>
Cc: stable(a)vger.kernel.org
---
drivers/irqchip/irq-gic-v3-its.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
index 92244cfa0464..8c3ec5734f1e 100644
--- a/drivers/irqchip/irq-gic-v3-its.c
+++ b/drivers/irqchip/irq-gic-v3-its.c
@@ -2045,7 +2045,7 @@ static int its_irq_set_vcpu_affinity(struct irq_data *d, void *vcpu_info)
if (!is_v4(its_dev->its))
return -EINVAL;
- guard(raw_spinlock_irq)(&its_dev->event_map.vlpi_lock);
+ guard(raw_spinlock)(&its_dev->event_map.vlpi_lock);
/* Unmap request? */
if (!info)
--
2.40.1
Amazon Web Services Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss
Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B
Sitz: Berlin
Ust-ID: DE 365 538 597
There is a data race between the functions driver_override_show() and
driver_override_store(). In the driver_override_store() function, the
assignment to ret calls driver_set_override(), which frees the old value
while writing the new value to dev. If a race occurs, it may cause a
use-after-free (UAF) error in driver_override_show().
To fix this issue, we adopt a logic similar to the driver_override_show()
function in vmbus_drv.c, protecting dev within a lock to ensure its value
remains unchanged.
This possible bug is found by an experimental static analysis tool
developed by our team. This tool analyzes the locking APIs to extract
function pairs that can be concurrently executed, and then analyzes the
instructions in the paired functions to identify possible concurrency bugs
including data races and atomicity violations.
Fixes: 48a6c7bced2a ("cdx: add device attributes")
Cc: stable(a)vger.kernel.org
Signed-off-by: Qiu-ji Chen <chenqiuji666(a)gmail.com>
---
V2:
Modified the title and description.
Removed the changes to cdx_bus_match().
---
drivers/cdx/cdx.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/cdx/cdx.c b/drivers/cdx/cdx.c
index 07371cb653d3..4af1901c9d52 100644
--- a/drivers/cdx/cdx.c
+++ b/drivers/cdx/cdx.c
@@ -470,8 +470,12 @@ static ssize_t driver_override_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
struct cdx_device *cdx_dev = to_cdx_device(dev);
+ ssize_t len;
- return sysfs_emit(buf, "%s\n", cdx_dev->driver_override);
+ device_lock(dev);
+ len = sysfs_emit(buf, "%s\n", cdx_dev->driver_override);
+ device_unlock(dev);
+ return len;
}
static DEVICE_ATTR_RW(driver_override);
--
2.34.1
#regzbot introduced: 63a1f8454962
Dear maintainer,
I think I have found a regression in kernels version 6.10 and newer,
including the latest mainline v6.13-rc4:
fastboot (the tool for communicating with Android bootloaders) now fails to
perform various operations over USB.
The problem manifests as an error when attempting to 'fastboot flash' an
image (e.g. a new kernel containing security updates) to a LineageOS phone.
It also manifests with simpler operations like reading a variable from the
bootloader. For example:
fastboot getvar kernel
A typical error message when the failure occurs:
getvar:kernel FAILED (remote: 'GetVar Variable Not found')
I can reproduce this at will. It happens about 50% of the time when I
run the above getvar command, and almost all the time when I try to push
a new kernel to a device.
A git bisect reveals this:
63a1f8454962a64746a59441687dc2401290326c is the first bad commit
commit 63a1f8454962a64746a59441687dc2401290326c
Author: Mathias Nyman <mathias.nyman(a)linux.intel.com>
Date: Mon Apr 29 17:02:28 2024 +0300
xhci: stored cached port capability values in one place