March 2024 - Linux-stable-mirror

by Greg Kroah-Hartman

I'm announcing the release of the 5.10.212 kernel. All users of the 5.10 kernel series must upgrade. The updated 5.10.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.10.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/riscv/include/asm/pgtable.h | 2 arch/x86/kernel/cpu/intel.c | 178 ++++++++++---------- drivers/crypto/virtio/virtio_crypto_akcipher_algs.c | 5 drivers/dma/fsl-qdma.c | 21 +- drivers/firmware/efi/capsule-loader.c | 2 drivers/gpio/gpio-74x164.c | 4 drivers/gpio/gpiolib.c | 10 - drivers/mmc/core/mmc.c | 2 drivers/mmc/host/sdhci-xenon-phy.c | 48 ++++- drivers/mtd/nand/spi/gigadevice.c | 81 +++++++-- drivers/net/gtp.c | 12 - drivers/net/tun.c | 1 drivers/net/usb/dm9601.c | 2 drivers/net/usb/lan78xx.c | 3 drivers/platform/x86/touchscreen_dmi.c | 4 drivers/power/supply/bq27xxx_battery_i2c.c | 4 drivers/soc/qcom/rpmhpd.c | 7 fs/afs/dir.c | 4 fs/btrfs/dev-replace.c | 24 ++ fs/cachefiles/bind.c | 3 fs/ext4/mballoc.c | 39 ++-- fs/hugetlbfs/inode.c | 6 net/bluetooth/hci_core.c | 7 net/bluetooth/hci_event.c | 13 + net/bluetooth/l2cap_core.c | 8 net/core/rtnetlink.c | 11 - net/ipv4/ip_tunnel.c | 28 ++- net/ipv6/addrconf.c | 7 net/mptcp/diag.c | 3 net/mptcp/protocol.c | 49 +++++ net/netfilter/nft_compat.c | 20 ++ net/netlink/af_netlink.c | 2 net/wireless/nl80211.c | 2 security/tomoyo/common.c | 3 sound/core/Makefile | 1 36 files changed, 426 insertions(+), 192 deletions(-) Alexander Ofitserov (1): gtp: fix use-after-free and null-ptr-deref in gtp_newlink() Andy Shevchenko (1): gpiolib: Fix the error path order in gpiochip_add_data_with_key() Arnd Bergmann (1): efi/capsule-loader: fix incorrect allocation size Arturas Moskvinas (1): gpio: 74x164: Enable output pins after registers are reset Baokun Li (2): ext4: avoid bb_free and bb_fragments inconsistency in mb_free_blocks() cachefiles: fix memory leak in cachefiles_add_cache() Bartosz Golaszewski (1): gpio: fix resource unwinding order in error path Bjorn Andersson (1): pmdomain: qcom: rpmhpd: Fix enabled_corner aggregation Chuanhong Guo (1): mtd: spinand: gigadevice: fix Quad IO for GD5F1GQ5UExxG Curtis Klein (1): dmaengine: fsl-qdma: init irq after reg initialization David Howells (1): afs: Fix endless loop in directory parsing David Sterba (1): btrfs: dev-replace: properly validate device names Davide Caratti (1): mptcp: fix double-free on socket dismantle Dimitris Vlachos (1): riscv: Sparse-Memory/vmemmap out-of-bounds fix Elad Nachman (2): mmc: sdhci-xenon: add timeout for PHY init complete mmc: sdhci-xenon: fix PHY init clock stability Eric Dumazet (1): ipv6: fix potential "struct net" leak in inet6_rtm_getaddr() Florian Westphal (1): net: ip_tunnel: prevent perpetual headroom growth Greg Kroah-Hartman (1): Linux 5.10.212 Han Xu (1): mtd: spinand: gigadevice: Fix the get ecc status issue Hans de Goede (2): platform/x86: touchscreen_dmi: Allow partial (prefix) matches for ACPI names power: supply: bq27xxx-i2c: Do not free non existing IRQ Ignat Korchagin (1): netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate() Ivan Semenov (1): mmc: core: Fix eMMC initialization with 1-bit bus connection Javier Carrasco (1): net: usb: dm9601: fix wrong return value in dm9601_mdio_read Johannes Berg (1): wifi: nl80211: reject iftype change with mesh ID change Kai-Heng Feng (1): Bluetooth: Enforce validation on max value of connection interval Lin Ma (1): rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back Luiz Augusto von Dentz (1): Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST Oleksij Rempel (1): lan78xx: enable auto speed configuration for LAN7850 if no EEPROM is detected Oscar Salvador (1): fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super Paolo Abeni (1): mptcp: fix possible deadlock in subflow diag Paolo Bonzini (1): x86/cpu/intel: Detect TME keyid bits before setting MTRR mask registers Peng Ma (1): dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read Reto Schneider (1): mtd: spinand: gigadevice: Support GD5F1GQ5UExxG Ryosuke Yasuoka (1): netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter Takashi Iwai (1): ALSA: Drop leftover snd-rtctimer stuff from Makefile Tetsuo Handa (1): tomoyo: fix UAF write bug in tomoyo_write_control() Ying Hsu (1): Bluetooth: Avoid potential use-after-free in hci_error_reset Yunjian Wang (1): tun: Fix xdp_rxq_info's queue_index when detaching Zijun Hu (1): Bluetooth: hci_event: Fix wrongly recorded wakeup BD_ADDR zhenwei pi (1): crypto: virtio/akcipher - Fix stack overflow on memcpy

1 year

1
1
0 0

Linux 5.4.271

by Greg Kroah-Hartman

I'm announcing the release of the 5.4.271 kernel. All users of the 5.4 kernel series must upgrade. The updated 5.4.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.4.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/x86/kernel/cpu/intel.c | 178 ++++++++++++++--------------- drivers/dma/fsl-qdma.c | 21 +-- drivers/firmware/efi/capsule-loader.c | 2 drivers/gpio/gpio-74x164.c | 4 drivers/mmc/core/mmc.c | 2 drivers/net/gtp.c | 12 - drivers/net/tun.c | 1 drivers/net/usb/dm9601.c | 2 drivers/net/usb/lan78xx.c | 3 drivers/power/supply/bq27xxx_battery_i2c.c | 4 fs/afs/dir.c | 4 fs/btrfs/dev-replace.c | 24 +++ fs/cachefiles/bind.c | 3 fs/hugetlbfs/inode.c | 6 net/bluetooth/hci_core.c | 7 - net/bluetooth/hci_event.c | 9 + net/bluetooth/l2cap_core.c | 8 + net/core/rtnetlink.c | 11 - net/ipv4/ip_tunnel.c | 28 +++- net/ipv6/addrconf.c | 7 - net/netfilter/nft_compat.c | 20 +++ net/netlink/af_netlink.c | 2 net/wireless/nl80211.c | 2 sound/core/Makefile | 1 25 files changed, 223 insertions(+), 140 deletions(-) Alexander Ofitserov (1): gtp: fix use-after-free and null-ptr-deref in gtp_newlink() Arnd Bergmann (1): efi/capsule-loader: fix incorrect allocation size Arturas Moskvinas (1): gpio: 74x164: Enable output pins after registers are reset Baokun Li (1): cachefiles: fix memory leak in cachefiles_add_cache() Curtis Klein (1): dmaengine: fsl-qdma: init irq after reg initialization David Howells (1): afs: Fix endless loop in directory parsing David Sterba (1): btrfs: dev-replace: properly validate device names Eric Dumazet (1): ipv6: fix potential "struct net" leak in inet6_rtm_getaddr() Florian Westphal (1): net: ip_tunnel: prevent perpetual headroom growth Greg Kroah-Hartman (1): Linux 5.4.271 Hans de Goede (1): power: supply: bq27xxx-i2c: Do not free non existing IRQ Ignat Korchagin (1): netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate() Ivan Semenov (1): mmc: core: Fix eMMC initialization with 1-bit bus connection Javier Carrasco (1): net: usb: dm9601: fix wrong return value in dm9601_mdio_read Johannes Berg (1): wifi: nl80211: reject iftype change with mesh ID change Kai-Heng Feng (1): Bluetooth: Enforce validation on max value of connection interval Lin Ma (1): rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back Luiz Augusto von Dentz (1): Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST Oleksij Rempel (1): lan78xx: enable auto speed configuration for LAN7850 if no EEPROM is detected Oscar Salvador (1): fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super Paolo Bonzini (1): x86/cpu/intel: Detect TME keyid bits before setting MTRR mask registers Peng Ma (1): dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read Ryosuke Yasuoka (1): netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter Takashi Iwai (1): ALSA: Drop leftover snd-rtctimer stuff from Makefile Ying Hsu (1): Bluetooth: Avoid potential use-after-free in hci_error_reset Yunjian Wang (1): tun: Fix xdp_rxq_info's queue_index when detaching

1 year

1
1
0 0

Linux 4.19.309

by Greg Kroah-Hartman

I'm announcing the release of the 4.19.309 kernel. All users of the 4.19 kernel series must upgrade. The updated 4.19.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.19.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 +- drivers/firmware/efi/capsule-loader.c | 2 +- drivers/gpio/gpio-74x164.c | 4 ++-- drivers/mmc/core/mmc.c | 2 ++ drivers/net/gtp.c | 12 ++++++------ drivers/net/tun.c | 1 + drivers/net/usb/dm9601.c | 2 +- drivers/net/usb/lan78xx.c | 3 ++- drivers/power/supply/bq27xxx_battery_i2c.c | 4 +++- fs/btrfs/dev-replace.c | 24 ++++++++++++++++++++---- fs/cachefiles/bind.c | 3 +++ net/bluetooth/hci_core.c | 7 ++++--- net/bluetooth/hci_event.c | 9 ++++++++- net/bluetooth/l2cap_core.c | 8 +++++++- net/netlink/af_netlink.c | 2 +- net/wireless/nl80211.c | 2 ++ sound/core/Makefile | 1 - 17 files changed, 64 insertions(+), 24 deletions(-) Alexander Ofitserov (1): gtp: fix use-after-free and null-ptr-deref in gtp_newlink() Arnd Bergmann (1): efi/capsule-loader: fix incorrect allocation size Arturas Moskvinas (1): gpio: 74x164: Enable output pins after registers are reset Baokun Li (1): cachefiles: fix memory leak in cachefiles_add_cache() David Sterba (1): btrfs: dev-replace: properly validate device names Greg Kroah-Hartman (1): Linux 4.19.309 Hans de Goede (1): power: supply: bq27xxx-i2c: Do not free non existing IRQ Ivan Semenov (1): mmc: core: Fix eMMC initialization with 1-bit bus connection Javier Carrasco (1): net: usb: dm9601: fix wrong return value in dm9601_mdio_read Johannes Berg (1): wifi: nl80211: reject iftype change with mesh ID change Kai-Heng Feng (1): Bluetooth: Enforce validation on max value of connection interval Luiz Augusto von Dentz (1): Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST Oleksij Rempel (1): lan78xx: enable auto speed configuration for LAN7850 if no EEPROM is detected Ryosuke Yasuoka (1): netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter Takashi Iwai (1): ALSA: Drop leftover snd-rtctimer stuff from Makefile Ying Hsu (1): Bluetooth: Avoid potential use-after-free in hci_error_reset Yunjian Wang (1): tun: Fix xdp_rxq_info's queue_index when detaching

1 year

1
1
0 0

[PATCH 6.7 000/163] 6.7.9-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.7.9 release. There are 163 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 07 Mar 2024 07:46:26 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.7.9-rc2.… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.7.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.7.9-rc2 Danilo Krummrich <dakr(a)redhat.com> drm/nouveau: don't fini scheduler before entity flush Geliang Tang <tanggeliang(a)kylinos.cn> selftests: mptcp: rm subflow with v4/v4mapped addr Geliang Tang <geliang.tang(a)linux.dev> selftests: mptcp: add mptcp_lib_is_v6 Geliang Tang <geliang.tang(a)linux.dev> selftests: mptcp: update userspace pm test helpers Geliang Tang <geliang.tang(a)linux.dev> selftests: mptcp: add chk_subflows_total helper Geliang Tang <geliang.tang(a)linux.dev> selftests: mptcp: add evts_get_info helper Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> KVM/VMX: Move VERW closer to VMentry for MDS mitigation Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> KVM/VMX: Use BT+JNC, i.e. EFLAGS.CF to select VMRESUME vs. VMLAUNCH Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/bugs: Use ALTERNATIVE() instead of mds_user_clear static key Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/entry_32: Add VERW just before userspace transition Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/entry_64: Add VERW just before userspace transition Ming Lei <ming.lei(a)redhat.com> block: define bvec_iter as __packed __aligned(4) Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> gpio: fix resource unwinding order in error path Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> gpiolib: Fix the error path order in gpiochip_add_data_with_key() Arturas Moskvinas <arturas.moskvinas(a)gmail.com> gpio: 74x164: Enable output pins after registers are reset Nathan Lynch <nathanl(a)linux.ibm.com> powerpc/rtas: use correct function name for resetting TCE tables Gaurav Batra <gbatra(a)linux.vnet.ibm.com> powerpc/pseries/iommu: IOMMU table is not initialized for kdump over SR-IOV Fenghua Yu <fenghua.yu(a)intel.com> dmaengine: idxd: Ensure safe user copy of completion record Fenghua Yu <fenghua.yu(a)intel.com> dmaengine: idxd: Remove shadow Event Log head stored in idxd Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> phy: qcom-qmp-usb: fix v3 offsets data Yang Yingliang <yangyingliang(a)huawei.com> phy: qcom: phy-qcom-m31: fix wrong pointer pass to PTR_ERR() Alexander Stein <alexander.stein(a)ew.tq-group.com> phy: freescale: phy-fsl-imx8-mipi-dphy: Fix alias name to use dashes Kory Maincent <kory.maincent(a)bootlin.com> dmaengine: dw-edma: eDMA: Add sync read before starting the DMA transfer in remote setup Kory Maincent <kory.maincent(a)bootlin.com> dmaengine: dw-edma: HDMA: Add sync read before starting the DMA transfer in remote setup Kory Maincent <kory.maincent(a)bootlin.com> dmaengine: dw-edma: Add HDMA remote interrupt configuration Kory Maincent <kory.maincent(a)bootlin.com> dmaengine: dw-edma: HDMA_V0_REMOTEL_STOP_INT_EN typo fix Kory Maincent <kory.maincent(a)bootlin.com> dmaengine: dw-edma: Fix wrong interrupt bit set for HDMA Kory Maincent <kory.maincent(a)bootlin.com> dmaengine: dw-edma: Fix the ch_count hdma callback Dan Carpenter <dan.carpenter(a)linaro.org> ASoC: cs35l56: fix reversed if statement in cs35l56_dspwait_asp1tx_put() Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Drop oob_skb ref before purging queue in GC. Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Fix task hung while purging oob_skb in GC. NeilBrown <neilb(a)suse.de> NFS: Fix data corruption caused by congestion. Peter Ujfalusi <peter.ujfalusi(a)gmail.com> mfd: twl6030-irq: Revert to use of_match_device() Paolo Abeni <pabeni(a)redhat.com> mptcp: fix possible deadlock in subflow diag Davide Caratti <dcaratti(a)redhat.com> mptcp: fix double-free on socket dismantle Paolo Abeni <pabeni(a)redhat.com> mptcp: fix potential wake-up event loss Paolo Abeni <pabeni(a)redhat.com> mptcp: fix snd_wnd initialization for passive socket Geliang Tang <tanggeliang(a)kylinos.cn> selftests: mptcp: join: add ss mptcp support check Paolo Abeni <pabeni(a)redhat.com> mptcp: push at DSS boundaries Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: avoid printing warning once on client side Geliang Tang <tanggeliang(a)kylinos.cn> mptcp: map v4 address to v6 when destroying subflow Paolo Bonzini <pbonzini(a)redhat.com> x86/cpu/intel: Detect TME keyid bits before setting MTRR mask registers Paolo Bonzini <pbonzini(a)redhat.com> x86/cpu: Allow reducing x86_phys_bits during early_identify_cpu() Jiri Bohac <jbohac(a)suse.cz> x86/e820: Don't reserve SETUP_RNG_SEED in e820 Byungchul Park <byungchul(a)sk.com> mm/vmscan: fix a bug calling wakeup_kswapd() with a wrong zone index Aneesh Kumar K.V (IBM) <aneesh.kumar(a)kernel.org> mm/debug_vm_pgtable: fix BUG_ON with pud advanced test Masami Hiramatsu (Google) <mhiramat(a)kernel.org> fprobe: Fix to allocate entry_data_size buffer with rethook instances Bjorn Andersson <quic_bjorande(a)quicinc.com> pmdomain: qcom: rpmhpd: Fix enabled_corner aggregation Cristian Marussi <cristian.marussi(a)arm.com> pmdomain: arm: Fix NULL dereference on scmi_perf_domain removal Tim Schumacher <timschumi(a)gmx.de> efivarfs: Request at most 512 bytes for variable names Nicolin Chen <nicolinc(a)nvidia.com> iommufd: Fix protection fault in iommufd_test_syz_conv_iova Nicolin Chen <nicolinc(a)nvidia.com> iommufd: Fix iopt_access_list_id overwrite bug Nathan Chancellor <nathan(a)kernel.org> kbuild: Add -Wa,--fatal-warnings to as-instr invocation Thomas Weißschuh <linux(a)weissschuh.net> power: supply: mm8013: select REGMAP_I2C Samuel Holland <samuel.holland(a)sifive.com> riscv: Save/restore envcfg CSR during CPU suspend Samuel Holland <samuel.holland(a)sifive.com> riscv: Add a custom ISA extension for the [ms]envcfg CSR Samuel Holland <samuel.holland(a)sifive.com> riscv: Fix enabling cbo.zero when running in M-mode Zong Li <zong.li(a)sifive.com> riscv: add CALLER_ADDRx support Nathan Chancellor <nathan(a)kernel.org> RISC-V: Drop invalid test from CONFIG_AS_HAS_OPTION_ARCH Xiubo Li <xiubli(a)redhat.com> ceph: switch to corrected encoding of max_xattr_size in mdsmap Elad Nachman <enachman(a)marvell.com> mmc: sdhci-xenon: fix PHY init clock stability Elad Nachman <enachman(a)marvell.com> mmc: sdhci-xenon: add timeout for PHY init complete Ivan Semenov <ivan(a)semenov.dev> mmc: core: Fix eMMC initialization with 1-bit bus connection Christophe Kerello <christophe.kerello(a)foss.st.com> mmc: mmci: stm32: fix DMA API overlapping mappings warning Curtis Klein <curtis.klein(a)hpe.com> dmaengine: fsl-qdma: init irq after reg initialization Joy Zou <joy.zou(a)nxp.com> dmaengine: fsl-edma: correct calculation of 'nbytes' in multi-fifo scenario Tadeusz Struk <tstruk(a)gigaio.com> dmaengine: ptdma: use consistent DMA masks Ard Biesheuvel <ardb(a)kernel.org> crypto: arm64/neonbs - fix out-of-bounds access on short input Peng Ma <peng.ma(a)nxp.com> dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read Rob Clark <robdclark(a)chromium.org> soc: qcom: pmic_glink: Fix boot when QRTR=m Ryan Lin <tsung-hua.lin(a)amd.com> drm/amd/display: Add monitor patch for specific eDP Ma Jun <Jun.Ma2(a)amd.com> drm/amdgpu/pm: Fix the power1_min_cap value Matthew Auld <matthew.auld(a)intel.com> drm/buddy: fix range bias Alex Deucher <alexander.deucher(a)amd.com> Revert "drm/amd/pm: resolve reboot exception for si oland" Filipe Manana <fdmanana(a)suse.com> btrfs: send: don't issue unnecessary zero writes for trailing hole David Sterba <dsterba(a)suse.com> btrfs: dev-replace: properly validate device names Filipe Manana <fdmanana(a)suse.com> btrfs: fix double free of anonymous device after snapshot creation failure Johannes Berg <johannes.berg(a)intel.com> wifi: nl80211: reject iftype change with mesh ID change Elad Nachman <enachman(a)marvell.com> mtd: rawnand: marvell: fix layouts Nhat Pham <nphamcs(a)gmail.com> mm: cachestat: fix folio read-after-free in cache walk Alexander Ofitserov <oficerovas(a)altlinux.org> gtp: fix use-after-free and null-ptr-deref in gtp_newlink() Mickaël Salaün <mic(a)digikod.net> landlock: Fix asymmetric private inodes referring Johan Hovold <johan+linaro(a)kernel.org> Bluetooth: hci_bcm4377: do not mark valid bd_addr as invalid Willian Wang <git(a)willian.wang> ALSA: hda/realtek: Add special fixup for Lenovo 14IRP8 Eniac Zhang <eniac-xw.zhang(a)hp.com> ALSA: hda/realtek: fix mute/micmute LED For HP mt440 Hans Peter <flurry123(a)gmx.ch> ALSA: hda/realtek: Enable Mute LED on HP 840 G8 (MB 8AB8) Gergo Koteles <soyer(a)irl.hu> ALSA: hda/realtek: tas2781: enable subwoofer volume control Jay Ajit Mate <jay.mate15(a)gmail.com> ALSA: hda/realtek: Fix top speaker connection on Dell Inspiron 16 Plus 7630 Takashi Iwai <tiwai(a)suse.de> ALSA: ump: Fix the discard error code from snd_ump_legacy_open() Takashi Sakamoto <o-takashi(a)sakamocchi.jp> ALSA: firewire-lib: fix to check cycle continuity Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> tomoyo: fix UAF write bug in tomoyo_write_control() Saravana Kannan <saravanak(a)google.com> of: property: fw_devlink: Fix stupid bug in remote-endpoint parsing Sid Pranjale <sidpranjale127(a)protonmail.com> drm/nouveau: keep DMA buffers required for suspend/resume Filipe Manana <fdmanana(a)suse.com> btrfs: fix race between ordered extent completion and fiemap Dimitris Vlachos <dvlachos(a)ics.forth.gr> riscv: Sparse-Memory/vmemmap out-of-bounds fix Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Fix pte_leaf_size() for NAPOT Alexandre Ghiti <alexghiti(a)rivosinc.com> Revert "riscv: mm: support Svnapot in huge vmap" Vadim Shakirov <vadim.shakirov(a)syntacore.com> drivers: perf: ctr_get_width function for legacy is not defined Vadim Shakirov <vadim.shakirov(a)syntacore.com> drivers: perf: added capabilities for legacy PMU Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Prevent potential buffer overflow in map_hw_resources David Howells <dhowells(a)redhat.com> afs: Fix endless loop in directory parsing Jiri Slaby (SUSE) <jirislaby(a)kernel.org> fbcon: always restore the old font data in fbcon_do_set_font() Thierry Reding <treding(a)nvidia.com> drm/tegra: Remove existing framebuffer only if we support display Conor Dooley <conor(a)kernel.org> RISC-V: Ignore V from the riscv,isa DT property on older T-Head CPUs Richard Fitzgerald <rf(a)opensource.cirrus.com> ASoC: soc-card: Fix missing locking in snd_soc_card_get_kcontrol() Richard Fitzgerald <rf(a)opensource.cirrus.com> ASoC: cs35l56: Fix deadlock in ASP1 mixer register initialization Richard Fitzgerald <rf(a)opensource.cirrus.com> ASoC: cs35l56: Fix misuse of wm_adsp 'part' string for silicon revision Richard Fitzgerald <rf(a)opensource.cirrus.com> ASoC: cs35l56: Fix for initializing ASP1 mixer registers Richard Fitzgerald <rf(a)opensource.cirrus.com> ASoC: cs35l56: Don't add the same register patch multiple times Richard Fitzgerald <rf(a)opensource.cirrus.com> ASoC: cs35l56: cs35l56_component_remove() must clean up wm_adsp Richard Fitzgerald <rf(a)opensource.cirrus.com> ASoC: cs35l56: cs35l56_component_remove() must clear cs35l56->component Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Fix build error if !CONFIG_ARCH_ENABLE_HUGEPAGE_MIGRATION Yangyu Chen <cyy(a)cyyself.name> riscv: mm: fix NOCACHE_THEAD does not set bit[61] correctly Mikko Perttunen <mperttunen(a)nvidia.com> gpu: host1x: Skip reset assert on Tegra186 Colin Ian King <colin.i.king(a)gmail.com> ASoC: qcom: Fix uninitialized pointer dmactl Takashi Iwai <tiwai(a)suse.de> ALSA: Drop leftover snd-rtctimer stuff from Makefile Richard Fitzgerald <rf(a)opensource.cirrus.com> ASoC: cs35l56: Must clear HALO_STATE before issuing SYSTEM_RESET Hans de Goede <hdegoede(a)redhat.com> power: supply: bq27xxx-i2c: Do not free non existing IRQ Arnd Bergmann <arnd(a)arndb.de> efi/capsule-loader: fix incorrect allocation size Jisheng Zhang <jszhang(a)kernel.org> riscv: tlb: fix __p*d_free_tlb() Sabrina Dubroca <sd(a)queasysnail.net> tls: fix use-after-free on failed backlog decryption Sabrina Dubroca <sd(a)queasysnail.net> tls: separate no-async decryption request handling from async Sabrina Dubroca <sd(a)queasysnail.net> tls: fix peeking with sync+async decryption Sabrina Dubroca <sd(a)queasysnail.net> tls: decrement decrypt_pending if no async completion will be called Lukasz Majewski <lukma(a)denx.de> net: hsr: Use correct offset for HSR TLV values in supervisory HSR frames Oleksij Rempel <o.rempel(a)pengutronix.de> igb: extend PTP timestamp adjustments to i211 Lin Ma <linma(a)zju.edu.cn> rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back Jakub Kicinski <kuba(a)kernel.org> tools: ynl: fix handling of multiple mcast groups Florian Westphal <fw(a)strlen.de> netfilter: bridge: confirm multicast packets before passing them up the stack Ignat Korchagin <ignat(a)cloudflare.com> netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate() Zijun Hu <quic_zijuhu(a)quicinc.com> Bluetooth: qca: Fix triggering coredump implementation Janaki Ramaiah Thota <quic_janathot(a)quicinc.com> Bluetooth: hci_qca: Set BDA quirk bit if fwnode exists in DT Zijun Hu <quic_zijuhu(a)quicinc.com> Bluetooth: qca: Fix wrong event type for patch config command Kai-Heng Feng <kai.heng.feng(a)canonical.com> Bluetooth: Enforce validation on max value of connection interval Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST Zijun Hu <quic_zijuhu(a)quicinc.com> Bluetooth: hci_event: Fix wrongly recorded wakeup BD_ADDR Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_sync: Fix accept_list when attempting to suspend Ying Hsu <yinghsu(a)chromium.org> Bluetooth: Avoid potential use-after-free in hci_error_reset Jonas Dreßler <verdre(a)v0yd.nl> Bluetooth: hci_sync: Check the correct flag before starting a scan Jakub Raczynski <j.raczynski(a)samsung.com> stmmac: Clear variable when destroying workqueue Justin Iurman <justin.iurman(a)uliege.be> uapi: in6: replace temporary label with rfc9486 Oleksij Rempel <o.rempel(a)pengutronix.de> net: lan78xx: fix "softirq work is pending" error Javier Carrasco <javier.carrasco.cruz(a)gmail.com> net: usb: dm9601: fix wrong return value in dm9601_mdio_read Jakub Kicinski <kuba(a)kernel.org> veth: try harder when allocating queue memory Oleksij Rempel <o.rempel(a)pengutronix.de> lan78xx: enable auto speed configuration for LAN7850 if no EEPROM is detected Eric Dumazet <edumazet(a)google.com> ipv6: fix potential "struct net" leak in inet6_rtm_getaddr() Jakub Kicinski <kuba(a)kernel.org> net: veth: clear GRO when clearing XDP even when down Doug Smythies <dsmythies(a)telus.net> cpufreq: intel_pstate: fix pstate limits enforcement for adjust_perf call back Yunjian Wang <wangyunjian(a)huawei.com> tun: Fix xdp_rxq_info's queue_index when detaching Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dpaa: fman_memac: accept phy-interface-type = "10gbase-r" in the device tree Jeremy Kerr <jk(a)codeconstruct.com.au> net: mctp: take ownership of skb in mctp_local_output Florian Westphal <fw(a)strlen.de> net: ip_tunnel: prevent perpetual headroom growth Florian Westphal <fw(a)strlen.de> netlink: add nla be16/32 types to minlen array Ryosuke Yasuoka <ryasuoka(a)redhat.com> netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter Théo Lebrun <theo.lebrun(a)bootlin.com> spi: cadence-qspi: remove system-wide suspend helper calls from runtime PM hooks Théo Lebrun <theo.lebrun(a)bootlin.com> spi: cadence-qspi: fix pointer reference in runtime PM hooks Arkadiusz Kubalewski <arkadiusz.kubalewski(a)intel.com> ice: fix pin phase adjust updates on PF reset Arkadiusz Kubalewski <arkadiusz.kubalewski(a)intel.com> ice: fix dpll periodic work data updates on PF reset Arkadiusz Kubalewski <arkadiusz.kubalewski(a)intel.com> ice: fix dpll and dpll_pin data access on PF reset Arkadiusz Kubalewski <arkadiusz.kubalewski(a)intel.com> ice: fix dpll input pin phase_adjust value updates Yochai Hagvi <yochai.hagvi(a)intel.com> ice: fix connection state of DPLL and out pin Han Xu <han.xu(a)nxp.com> mtd: spinand: gigadevice: Fix the get ecc status issue Josef Bacik <josef(a)toxicpanda.com> btrfs: fix deadlock with fiemap and extent locking ------------- Diffstat: Documentation/arch/x86/mds.rst | 34 +++- Makefile | 4 +- arch/arm64/crypto/aes-neonbs-glue.c | 11 ++ arch/powerpc/include/asm/rtas.h | 4 +- arch/powerpc/kernel/rtas.c | 9 +- arch/powerpc/platforms/pseries/iommu.c | 156 +++++++++++------ arch/riscv/Kconfig | 1 - arch/riscv/include/asm/csr.h | 2 + arch/riscv/include/asm/ftrace.h | 5 + arch/riscv/include/asm/hugetlb.h | 2 + arch/riscv/include/asm/hwcap.h | 2 + arch/riscv/include/asm/pgalloc.h | 20 ++- arch/riscv/include/asm/pgtable-64.h | 2 +- arch/riscv/include/asm/pgtable.h | 6 +- arch/riscv/include/asm/suspend.h | 1 + arch/riscv/include/asm/vmalloc.h | 61 +------ arch/riscv/kernel/Makefile | 2 + arch/riscv/kernel/cpufeature.c | 31 +++- arch/riscv/kernel/return_address.c | 48 +++++ arch/riscv/kernel/suspend.c | 4 + arch/riscv/mm/hugetlbpage.c | 2 + arch/x86/entry/entry_32.S | 3 + arch/x86/entry/entry_64.S | 11 ++ arch/x86/entry/entry_64_compat.S | 1 + arch/x86/include/asm/entry-common.h | 1 - arch/x86/include/asm/nospec-branch.h | 12 -- arch/x86/kernel/cpu/bugs.c | 15 +- arch/x86/kernel/cpu/common.c | 4 +- arch/x86/kernel/cpu/intel.c | 178 ++++++++++--------- arch/x86/kernel/e820.c | 8 +- arch/x86/kernel/nmi.c | 3 - arch/x86/kvm/vmx/run_flags.h | 7 +- arch/x86/kvm/vmx/vmenter.S | 9 +- arch/x86/kvm/vmx/vmx.c | 20 ++- drivers/bluetooth/btqca.c | 2 +- drivers/bluetooth/hci_bcm4377.c | 3 +- drivers/bluetooth/hci_qca.c | 22 ++- drivers/cpufreq/intel_pstate.c | 3 + drivers/dma/dw-edma/dw-edma-v0-core.c | 17 ++ drivers/dma/dw-edma/dw-hdma-v0-core.c | 39 +++-- drivers/dma/dw-edma/dw-hdma-v0-regs.h | 2 +- drivers/dma/fsl-edma-common.c | 2 +- drivers/dma/fsl-qdma.c | 25 +-- drivers/dma/idxd/cdev.c | 2 +- drivers/dma/idxd/debugfs.c | 2 +- drivers/dma/idxd/idxd.h | 1 - drivers/dma/idxd/init.c | 15 +- drivers/dma/idxd/irq.c | 3 +- drivers/dma/ptdma/ptdma-dmaengine.c | 2 - drivers/firmware/efi/capsule-loader.c | 2 +- drivers/gpio/gpio-74x164.c | 4 +- drivers/gpio/gpiolib.c | 12 +- .../drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c | 6 +- drivers/gpu/drm/amd/display/dc/dml2/dml2_wrapper.c | 5 + drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 29 +++ drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c | 9 +- drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c | 9 +- .../drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c | 9 +- .../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 9 +- .../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c | 9 +- drivers/gpu/drm/drm_buddy.c | 10 ++ drivers/gpu/drm/nouveau/nouveau_drm.c | 5 +- drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c | 4 +- drivers/gpu/drm/tegra/drm.c | 23 ++- drivers/gpu/host1x/dev.c | 15 +- drivers/gpu/host1x/dev.h | 6 + drivers/iommu/iommufd/io_pagetable.c | 9 +- drivers/iommu/iommufd/selftest.c | 27 ++- drivers/mfd/twl6030-irq.c | 10 +- drivers/mmc/core/mmc.c | 2 + drivers/mmc/host/mmci_stm32_sdmmc.c | 24 +++ drivers/mmc/host/sdhci-xenon-phy.c | 48 ++++- drivers/mtd/nand/raw/marvell_nand.c | 13 +- drivers/mtd/nand/spi/gigadevice.c | 6 +- drivers/net/ethernet/freescale/fman/fman_memac.c | 18 +- drivers/net/ethernet/intel/ice/ice_dpll.c | 91 ++++++++-- drivers/net/ethernet/intel/igb/igb_ptp.c | 5 +- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 4 +- drivers/net/gtp.c | 12 +- drivers/net/tun.c | 1 + drivers/net/usb/dm9601.c | 2 +- drivers/net/usb/lan78xx.c | 5 +- drivers/net/veth.c | 40 ++--- drivers/of/property.c | 2 +- drivers/perf/riscv_pmu.c | 18 +- drivers/perf/riscv_pmu_legacy.c | 10 +- drivers/phy/freescale/phy-fsl-imx8-mipi-dphy.c | 2 +- drivers/phy/qualcomm/phy-qcom-m31.c | 2 +- drivers/phy/qualcomm/phy-qcom-qmp-usb.c | 10 +- drivers/pmdomain/arm/scmi_perf_domain.c | 3 + drivers/pmdomain/qcom/rpmhpd.c | 7 +- drivers/power/supply/Kconfig | 1 + drivers/power/supply/bq27xxx_battery_i2c.c | 4 +- drivers/soc/qcom/pmic_glink.c | 21 +-- drivers/spi/spi-cadence-quadspi.c | 11 +- drivers/video/fbdev/core/fbcon.c | 8 +- fs/afs/dir.c | 4 +- fs/btrfs/dev-replace.c | 24 ++- fs/btrfs/disk-io.c | 22 +-- fs/btrfs/disk-io.h | 2 +- fs/btrfs/extent_io.c | 165 ++++++++++++++--- fs/btrfs/ioctl.c | 2 +- fs/btrfs/send.c | 17 +- fs/btrfs/transaction.c | 2 +- fs/ceph/mdsmap.c | 7 +- fs/ceph/mdsmap.h | 6 +- fs/efivarfs/vars.c | 17 +- fs/nfs/write.c | 4 +- include/linux/bvec.h | 2 +- include/linux/netfilter.h | 1 + include/net/mctp.h | 1 + include/sound/soc-card.h | 2 + include/uapi/linux/in6.h | 2 +- kernel/trace/fprobe.c | 14 +- lib/nlattr.c | 4 + mm/debug_vm_pgtable.c | 8 + mm/filemap.c | 51 +++--- mm/migrate.c | 8 + net/bluetooth/hci_core.c | 7 +- net/bluetooth/hci_event.c | 13 +- net/bluetooth/hci_sync.c | 7 +- net/bluetooth/l2cap_core.c | 8 +- net/bridge/br_netfilter_hooks.c | 96 ++++++++++ net/bridge/netfilter/nf_conntrack_bridge.c | 30 ++++ net/core/rtnetlink.c | 11 +- net/hsr/hsr_forward.c | 2 +- net/ipv4/ip_tunnel.c | 28 ++- net/ipv6/addrconf.c | 7 +- net/mctp/route.c | 10 +- net/mptcp/diag.c | 3 + net/mptcp/options.c | 2 +- net/mptcp/pm_userspace.c | 10 ++ net/mptcp/protocol.c | 52 +++++- net/mptcp/protocol.h | 21 +-- net/netfilter/nf_conntrack_core.c | 1 + net/netfilter/nft_compat.c | 20 +++ net/netlink/af_netlink.c | 2 +- net/tls/tls_sw.c | 40 +++-- net/unix/garbage.c | 21 +-- net/wireless/nl80211.c | 2 + scripts/Kconfig.include | 2 +- scripts/Makefile.compiler | 2 +- security/landlock/fs.c | 4 +- security/tomoyo/common.c | 3 +- sound/core/Makefile | 1 - sound/core/ump.c | 4 +- sound/firewire/amdtp-stream.c | 2 +- sound/pci/hda/patch_realtek.c | 33 +++- sound/soc/codecs/cs35l45.c | 2 +- sound/soc/codecs/cs35l56-shared.c | 8 +- sound/soc/codecs/cs35l56.c | 195 ++++++++++++++++++--- sound/soc/codecs/cs35l56.h | 1 + sound/soc/fsl/fsl_xcvr.c | 12 +- sound/soc/qcom/lpass-cdc-dma.c | 2 +- sound/soc/soc-card.c | 24 ++- tools/net/ynl/lib/ynl.c | 1 + tools/testing/selftests/net/mptcp/mptcp_connect.sh | 16 +- tools/testing/selftests/net/mptcp/mptcp_join.sh | 192 ++++++++++++-------- tools/testing/selftests/net/mptcp/mptcp_lib.sh | 15 ++ tools/testing/selftests/net/mptcp/mptcp_sockopt.sh | 8 +- tools/testing/selftests/net/mptcp/userspace_pm.sh | 86 +++++---- 161 files changed, 1941 insertions(+), 831 deletions(-)

1 year

6
14
0 0

[PATCH v2] mm: swap: Fix race between free_swap_and_cache() and swapoff()

by Ryan Roberts

There was previously a theoretical window where swapoff() could run and teardown a swap_info_struct while a call to free_swap_and_cache() was running in another thread. This could cause, amongst other bad possibilities, swap_page_trans_huge_swapped() (called by free_swap_and_cache()) to access the freed memory for swap_map. This is a theoretical problem and I haven't been able to provoke it from a test case. But there has been agreement based on code review that this is possible (see link below). Fix it by using get_swap_device()/put_swap_device(), which will stall swapoff(). There was an extra check in _swap_info_get() to confirm that the swap entry was not free. This isn't present in get_swap_device() because it doesn't make sense in general due to the race between getting the reference and swapoff. So I've added an equivalent check directly in free_swap_and_cache(). Details of how to provoke one possible issue (thanks to David Hildenbrand for deriving this): --8<----- __swap_entry_free() might be the last user and result in "count == SWAP_HAS_CACHE". swapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0. So the question is: could someone reclaim the folio and turn si->inuse_pages==0, before we completed swap_page_trans_huge_swapped(). Imagine the following: 2 MiB folio in the swapcache. Only 2 subpages are still references by swap entries. Process 1 still references subpage 0 via swap entry. Process 2 still references subpage 1 via swap entry. Process 1 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE [then, preempted in the hypervisor etc.] Process 2 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE Process 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls __try_to_reclaim_swap(). __try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()-> put_swap_folio()->free_swap_slot()->swapcache_free_entries()-> swap_entry_free()->swap_range_free()-> ... WRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries); What stops swapoff to succeed after process 2 reclaimed the swap cache but before process1 finished its call to swap_page_trans_huge_swapped()? --8<----- Fixes: 7c00bafee87c ("mm/swap: free swap slots in batch") Closes: https://lore.kernel.org/linux-mm/65a66eb9-41f8-4790-8db2-0c70ea15979f@redha… Cc: stable(a)vger.kernel.org Signed-off-by: Ryan Roberts <ryan.roberts(a)arm.com> --- Hi Andrew, Please replace v1 of this patch in mm-unstable with this version. Changes since v1: - Added comments for get_swap_device() as suggested by David - Moved check that swap entry is not free from get_swap_device() to free_swap_and_cache() since there are some paths that legitimately call with a free offset. I haven't addressed the recommendation by Huang Ying [1] to also revert commit 23b230ba8ac3 ("mm/swap: print bad swap offset entry in get_swap_device"). It should be done separately to this, and and we need to conclude discussion first. [1] https://lore.kernel.org/all/875xy0842q.fsf@yhuang6-desk2.ccr.corp.intel.com/ Thanks, Ryan mm/swapfile.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/mm/swapfile.c b/mm/swapfile.c index 2b3a2d85e350..1155a6304119 100644 --- a/mm/swapfile.c +++ b/mm/swapfile.c @@ -1232,6 +1232,11 @@ static unsigned char __swap_entry_free_locked(struct swap_info_struct *p, * with get_swap_device() and put_swap_device(), unless the swap * functions call get/put_swap_device() by themselves. * + * Note that when only holding the PTL, swapoff might succeed immediately + * after freeing a swap entry. Therefore, immediately after + * __swap_entry_free(), the swap info might become stale and should not + * be touched without a prior get_swap_device(). + * * Check whether swap entry is valid in the swap device. If so, * return pointer to swap_info_struct, and keep the swap entry valid * via preventing the swap device from being swapoff, until @@ -1609,13 +1614,19 @@ int free_swap_and_cache(swp_entry_t entry) if (non_swap_entry(entry)) return 1; - p = _swap_info_get(entry); + p = get_swap_device(entry); if (p) { + if (WARN_ON(data_race(!p->swap_map[swp_offset(entry)]))) { + put_swap_device(p); + return 0; + } + count = __swap_entry_free(p, entry); if (count == SWAP_HAS_CACHE && !swap_page_trans_huge_swapped(p, entry)) __try_to_reclaim_swap(p, swp_offset(entry), TTRS_UNMAPPED | TTRS_FULL); + put_swap_device(p); } return p != NULL; } -- 2.25.1

1 year

1
0
0 0

[PATCH 5.10 00/41] 5.10.212-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.10.212 release. There are 41 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 07 Mar 2024 11:31:02 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.212-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.10.212-rc2 Davide Caratti <dcaratti(a)redhat.com> mptcp: fix double-free on socket dismantle Chuanhong Guo <gch981213(a)gmail.com> mtd: spinand: gigadevice: fix Quad IO for GD5F1GQ5UExxG Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> gpio: fix resource unwinding order in error path Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> gpiolib: Fix the error path order in gpiochip_add_data_with_key() Arturas Moskvinas <arturas.moskvinas(a)gmail.com> gpio: 74x164: Enable output pins after registers are reset Oscar Salvador <osalvador(a)suse.de> fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super Baokun Li <libaokun1(a)huawei.com> cachefiles: fix memory leak in cachefiles_add_cache() Baokun Li <libaokun1(a)huawei.com> ext4: avoid bb_free and bb_fragments inconsistency in mb_free_blocks() Paolo Abeni <pabeni(a)redhat.com> mptcp: fix possible deadlock in subflow diag Paolo Bonzini <pbonzini(a)redhat.com> x86/cpu/intel: Detect TME keyid bits before setting MTRR mask registers Bjorn Andersson <quic_bjorande(a)quicinc.com> pmdomain: qcom: rpmhpd: Fix enabled_corner aggregation Elad Nachman <enachman(a)marvell.com> mmc: sdhci-xenon: fix PHY init clock stability Elad Nachman <enachman(a)marvell.com> mmc: sdhci-xenon: add timeout for PHY init complete Ivan Semenov <ivan(a)semenov.dev> mmc: core: Fix eMMC initialization with 1-bit bus connection Curtis Klein <curtis.klein(a)hpe.com> dmaengine: fsl-qdma: init irq after reg initialization Peng Ma <peng.ma(a)nxp.com> dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read David Sterba <dsterba(a)suse.com> btrfs: dev-replace: properly validate device names Johannes Berg <johannes.berg(a)intel.com> wifi: nl80211: reject iftype change with mesh ID change Alexander Ofitserov <oficerovas(a)altlinux.org> gtp: fix use-after-free and null-ptr-deref in gtp_newlink() Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> tomoyo: fix UAF write bug in tomoyo_write_control() Dimitris Vlachos <dvlachos(a)ics.forth.gr> riscv: Sparse-Memory/vmemmap out-of-bounds fix David Howells <dhowells(a)redhat.com> afs: Fix endless loop in directory parsing Takashi Iwai <tiwai(a)suse.de> ALSA: Drop leftover snd-rtctimer stuff from Makefile Hans de Goede <hdegoede(a)redhat.com> power: supply: bq27xxx-i2c: Do not free non existing IRQ Arnd Bergmann <arnd(a)arndb.de> efi/capsule-loader: fix incorrect allocation size Lin Ma <linma(a)zju.edu.cn> rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back Ignat Korchagin <ignat(a)cloudflare.com> netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate() Kai-Heng Feng <kai.heng.feng(a)canonical.com> Bluetooth: Enforce validation on max value of connection interval Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST Zijun Hu <quic_zijuhu(a)quicinc.com> Bluetooth: hci_event: Fix wrongly recorded wakeup BD_ADDR Ying Hsu <yinghsu(a)chromium.org> Bluetooth: Avoid potential use-after-free in hci_error_reset Javier Carrasco <javier.carrasco.cruz(a)gmail.com> net: usb: dm9601: fix wrong return value in dm9601_mdio_read Oleksij Rempel <linux(a)rempel-privat.de> lan78xx: enable auto speed configuration for LAN7850 if no EEPROM is detected Eric Dumazet <edumazet(a)google.com> ipv6: fix potential "struct net" leak in inet6_rtm_getaddr() Yunjian Wang <wangyunjian(a)huawei.com> tun: Fix xdp_rxq_info's queue_index when detaching Florian Westphal <fw(a)strlen.de> net: ip_tunnel: prevent perpetual headroom growth Ryosuke Yasuoka <ryasuoka(a)redhat.com> netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter Han Xu <han.xu(a)nxp.com> mtd: spinand: gigadevice: Fix the get ecc status issue Reto Schneider <reto.schneider(a)husqvarnagroup.com> mtd: spinand: gigadevice: Support GD5F1GQ5UExxG zhenwei pi <pizhenwei(a)bytedance.com> crypto: virtio/akcipher - Fix stack overflow on memcpy Hans de Goede <hdegoede(a)redhat.com> platform/x86: touchscreen_dmi: Allow partial (prefix) matches for ACPI names ------------- Diffstat: Makefile | 4 +- arch/riscv/include/asm/pgtable.h | 2 +- arch/x86/kernel/cpu/intel.c | 178 +++++++++++---------- .../crypto/virtio/virtio_crypto_akcipher_algs.c | 5 +- drivers/dma/fsl-qdma.c | 25 +-- drivers/firmware/efi/capsule-loader.c | 2 +- drivers/gpio/gpio-74x164.c | 4 +- drivers/gpio/gpiolib.c | 12 +- drivers/mmc/core/mmc.c | 2 + drivers/mmc/host/sdhci-xenon-phy.c | 48 ++++-- drivers/mtd/nand/spi/gigadevice.c | 81 ++++++++-- drivers/net/gtp.c | 12 +- drivers/net/tun.c | 1 + drivers/net/usb/dm9601.c | 2 +- drivers/net/usb/lan78xx.c | 3 +- drivers/platform/x86/touchscreen_dmi.c | 4 +- drivers/power/supply/bq27xxx_battery_i2c.c | 4 +- drivers/soc/qcom/rpmhpd.c | 7 +- fs/afs/dir.c | 4 +- fs/btrfs/dev-replace.c | 24 ++- fs/cachefiles/bind.c | 3 + fs/ext4/mballoc.c | 39 ++--- fs/hugetlbfs/inode.c | 6 +- net/bluetooth/hci_core.c | 7 +- net/bluetooth/hci_event.c | 13 +- net/bluetooth/l2cap_core.c | 8 +- net/core/rtnetlink.c | 11 +- net/ipv4/ip_tunnel.c | 28 +++- net/ipv6/addrconf.c | 7 +- net/mptcp/diag.c | 3 + net/mptcp/protocol.c | 49 ++++++ net/netfilter/nft_compat.c | 20 +++ net/netlink/af_netlink.c | 2 +- net/wireless/nl80211.c | 2 + security/tomoyo/common.c | 3 +- sound/core/Makefile | 1 - 36 files changed, 430 insertions(+), 196 deletions(-)

1 year

6
5
0 0

[PATCH STABLE v6.1.y] mm/migrate: set swap entry values of THP tail pages properly.

by Zi Yan

From: Zi Yan <ziy(a)nvidia.com> The tail pages in a THP can have swap entry information stored in their private field. When migrating to a new page, all tail pages of the new page need to update ->private to avoid future data corruption. Signed-off-by: Zi Yan <ziy(a)nvidia.com> --- mm/migrate.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/mm/migrate.c b/mm/migrate.c index c93dd6a31c31..c5968021fde0 100644 --- a/mm/migrate.c +++ b/mm/migrate.c @@ -423,8 +423,12 @@ int folio_migrate_mapping(struct address_space *mapping, if (folio_test_swapbacked(folio)) { __folio_set_swapbacked(newfolio); if (folio_test_swapcache(folio)) { + int i; + folio_set_swapcache(newfolio); - newfolio->private = folio_get_private(folio); + for (i = 0; i < nr; i++) + set_page_private(folio_page(newfolio, i), + page_private(folio_page(folio, i))); } entries = nr; } else { -- 2.43.0

1 year

5
9
0 0

[PATCH 5.10/5.15] scsi: add a length check for VARIABLE_LENGTH_CMD commands

by Mikhail Ukhin

Fuzzing of 5.10 stable branch reports a slab-out-of-bounds error in ata_scsi_pass_thru. The error is fixed in 5.18 by commit ce70fd9a551af7424a7dace2a1ba05a7de8eae27. Backporting this commit would require significant changes to the code so it is bettter to use a simple fix for that particular error. The problem is that the length of the received SCSI command is not validated if scsi_op == VARIABLE_LENGTH_CMD. It can lead to out-of-bounds reading if the user sends a request with SCSI command of length less than 32. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Signed-off-by: Artem Sadovnikov <ancowi69(a)gmail.com> Signed-off-by: Mikhail Ivanov <iwanov-23(a)bk.ru> --- drivers/ata/libata-scsi.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c index dfa090ccd21c..77589e911d3d 100644 --- a/drivers/ata/libata-scsi.c +++ b/drivers/ata/libata-scsi.c @@ -4065,6 +4065,9 @@ int __ata_scsi_queuecmd(struct scsi_cmnd *scmd, struct ata_device *dev) if (unlikely(!scmd->cmd_len)) goto bad_cdb_len; + + if (scsi_op == VARIABLE_LENGTH_CMD && scmd->cmd_len < 32) + goto bad_cdb_len; if (dev->class == ATA_DEV_ATA || dev->class == ATA_DEV_ZAC) { if (unlikely(scmd->cmd_len > dev->cdb_len)) -- 2.25.1

1 year

2
1
0 0

[PATCH 2/3] drm/i915/dsb: Fix DSB vblank waits when using VRR

by Ville Syrjala

From: Ville Syrjälä <ville.syrjala(a)linux.intel.com> Looks like the undelayed vblank gets signalled exactly when the active period ends. That is a problem for DSB+VRR when we are already in vblank and expect DSB to start executing as soon as we send the push. Instead of starting the DSB just keeps on waiting for the undelayed vblank which won't signal until the end of the next frame's active period, which is far too late. The end result is that DSB won't have even started executing by the time the flips/etc. have completed. We then wait for an extra 1ms, after which we terminate the DSB and report a timeout: [drm] *ERROR* [CRTC:80:pipe A] DSB 0 timed out waiting for idle (current head=0xfedf4000, head=0x0, tail=0x1080) To fix this let's configure DSB to use the so called VRR "safe window" instead of the undelayed vblank to trigger the DSB vblank logic, when VRR is enabled. Cc: stable(a)vger.kernel.org Fixes: 34d8311f4a1c ("drm/i915/dsb: Re-instate DSB for LUT updates") Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/9927 Signed-off-by: Ville Syrjälä <ville.syrjala(a)linux.intel.com> --- drivers/gpu/drm/i915/display/intel_dsb.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/drivers/gpu/drm/i915/display/intel_dsb.c b/drivers/gpu/drm/i915/display/intel_dsb.c index d62e050185e7..e4515bf92038 100644 --- a/drivers/gpu/drm/i915/display/intel_dsb.c +++ b/drivers/gpu/drm/i915/display/intel_dsb.c @@ -340,6 +340,17 @@ static int intel_dsb_dewake_scanline(const struct intel_crtc_state *crtc_state) return max(0, vblank_start - intel_usecs_to_scanlines(adjusted_mode, latency)); } +static u32 dsb_chicken(struct intel_crtc *crtc) +{ + if (crtc->mode_flags & I915_MODE_FLAG_VRR) + return DSB_CTRL_WAIT_SAFE_WINDOW | + DSB_CTRL_NO_WAIT_VBLANK | + DSB_INST_WAIT_SAFE_WINDOW | + DSB_INST_NO_WAIT_VBLANK; + else + return 0; +} + static void _intel_dsb_commit(struct intel_dsb *dsb, u32 ctrl, int dewake_scanline) { @@ -361,6 +372,9 @@ static void _intel_dsb_commit(struct intel_dsb *dsb, u32 ctrl, intel_de_write_fw(dev_priv, DSB_CTRL(pipe, dsb->id), ctrl | DSB_ENABLE); + intel_de_write_fw(dev_priv, DSB_CHICKEN(pipe, dsb->id), + dsb_chicken(crtc)); + intel_de_write_fw(dev_priv, DSB_HEAD(pipe, dsb->id), intel_dsb_buffer_ggtt_offset(&dsb->dsb_buf)); -- 2.43.0

1 year

2
1
0 0

[PATCH 1/3] drm/i915/vrr: Generate VRR "safe window" for DSB

by Ville Syrjala

From: Ville Syrjälä <ville.syrjala(a)linux.intel.com> Looks like TRANS_CHICKEN bit 31 means something totally different depending on the platform: TGL: generate VRR "safe window" for DSB ADL/DG2: make TRANS_SET_CONTEXT_LATENCY effective with VRR So far we've only set this on ADL/DG2, but when using DSB+VRR we also need to set it on TGL. And a quick test on MTL says it doesn't need this bit for either of those purposes, even though it's still documented as valid in bspec. Cc: stable(a)vger.kernel.org Fixes: 34d8311f4a1c ("drm/i915/dsb: Re-instate DSB for LUT updates") Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/9927 Signed-off-by: Ville Syrjälä <ville.syrjala(a)linux.intel.com> --- drivers/gpu/drm/i915/display/intel_vrr.c | 7 ++++--- drivers/gpu/drm/i915/i915_reg.h | 2 +- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/i915/display/intel_vrr.c b/drivers/gpu/drm/i915/display/intel_vrr.c index 5d905f932cb4..eb5bd0743902 100644 --- a/drivers/gpu/drm/i915/display/intel_vrr.c +++ b/drivers/gpu/drm/i915/display/intel_vrr.c @@ -187,10 +187,11 @@ void intel_vrr_set_transcoder_timings(const struct intel_crtc_state *crtc_state) enum transcoder cpu_transcoder = crtc_state->cpu_transcoder; /* - * TRANS_SET_CONTEXT_LATENCY with VRR enabled - * requires this chicken bit on ADL/DG2. + * This bit seems to have two meanings depending on the platform: + * TGL: generate VRR "safe window" for DSB vblank waits + * ADL/DG2: make TRANS_SET_CONTEXT_LATENCY effective with VRR */ - if (DISPLAY_VER(dev_priv) == 13) + if (IS_DISPLAY_VER(dev_priv, 12, 13)) intel_de_rmw(dev_priv, CHICKEN_TRANS(cpu_transcoder), 0, PIPE_VBLANK_WITH_DELAY); diff --git a/drivers/gpu/drm/i915/i915_reg.h b/drivers/gpu/drm/i915/i915_reg.h index e00557e1a57f..3b2e49ce29ba 100644 --- a/drivers/gpu/drm/i915/i915_reg.h +++ b/drivers/gpu/drm/i915/i915_reg.h @@ -4599,7 +4599,7 @@ #define MTL_CHICKEN_TRANS(trans) _MMIO_TRANS((trans), \ _MTL_CHICKEN_TRANS_A, \ _MTL_CHICKEN_TRANS_B) -#define PIPE_VBLANK_WITH_DELAY REG_BIT(31) /* ADL/DG2 */ +#define PIPE_VBLANK_WITH_DELAY REG_BIT(31) /* tgl+ */ #define SKL_UNMASK_VBL_TO_PIPE_IN_SRD REG_BIT(30) /* skl+ */ #define HSW_FRAME_START_DELAY_MASK REG_GENMASK(28, 27) #define HSW_FRAME_START_DELAY(x) REG_FIELD_PREP(HSW_FRAME_START_DELAY_MASK, x) -- 2.43.0

1 year

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror March 2024