June 2024 - Linux-stable-mirror

[PATCH] perf stat: Fix the hard-coded metrics calculation on the hybrid

by kan.liang＠linux.intel.com

From: Kan Liang <kan.liang(a)linux.intel.com> The hard-coded metrics is wrongly calculated on the hybrid machine. $ perf stat -e cycles,instructions -a sleep 1 Performance counter stats for 'system wide': 18,205,487 cpu_atom/cycles/ 9,733,603 cpu_core/cycles/ 9,423,111 cpu_atom/instructions/ # 0.52 insn per cycle 4,268,965 cpu_core/instructions/ # 0.23 insn per cycle The insn per cycle for cpu_core should be 4,268,965 / 9,733,603 = 0.44. When finding the metric events, the find_stat() doesn't take the PMU type into account. The cpu_atom/cycles/ is wrongly used to calculate the IPC of the cpu_core. Fixes: 0a57b910807a ("perf stat: Use counts rather than saved_value") Reported-by: "Khalil, Amiri" <amiri.khalil(a)intel.com> Signed-off-by: Kan Liang <kan.liang(a)linux.intel.com> Cc: stable(a)vger.kernel.org --- tools/perf/util/stat-shadow.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tools/perf/util/stat-shadow.c b/tools/perf/util/stat-shadow.c index 3466aa952442..4d0edc061f1a 100644 --- a/tools/perf/util/stat-shadow.c +++ b/tools/perf/util/stat-shadow.c @@ -176,6 +176,10 @@ static double find_stat(const struct evsel *evsel, int aggr_idx, enum stat_type if (type != evsel__stat_type(cur)) continue; + /* Ignore if not the PMU we're looking for. */ + if (evsel->pmu != cur->pmu) + continue; + aggr = &cur->stats->aggr[aggr_idx]; if (type == STAT_NSECS) return aggr->counts.val; -- 2.35.1

1 year, 4 months

4
3
0 0

Re: Patch "arm64: fpsimd: Drop unneeded 'busy' flag" has been added to the 6.6-stable tree

by Ard Biesheuvel

On Thu, 30 May 2024 at 21:11, Sasha Levin <sashal(a)kernel.org> wrote: > > This is a note to let you know that I've just added the patch titled > > arm64: fpsimd: Drop unneeded 'busy' flag > > to the 6.6-stable tree Why? > which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > arm64-fpsimd-drop-unneeded-busy-flag.patch > and it can be found in the queue-6.6 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. > > > > commit 37f2773a1ef05374538d5e4ed26cbacebe363241 > Author: Ard Biesheuvel <ardb(a)kernel.org> > Date: Fri Dec 8 12:32:20 2023 +0100 > > arm64: fpsimd: Drop unneeded 'busy' flag > > [ Upstream commit 9b19700e623f96222c69ecb2adecb1a3e3664cc0 ] > > Kernel mode NEON will preserve the user mode FPSIMD state by saving it > into the task struct before clobbering the registers. In order to avoid > the need for preserving kernel mode state too, we disallow nested use of > kernel mode NEON, i..e, use in softirq context while the interrupted > task context was using kernel mode NEON too. > > Originally, this policy was implemented using a per-CPU flag which was > exposed via may_use_simd(), requiring the users of the kernel mode NEON > to deal with the possibility that it might return false, and having NEON > and non-NEON code paths. This policy was changed by commit > 13150149aa6ded1 ("arm64: fpsimd: run kernel mode NEON with softirqs > disabled"), and now, softirq processing is disabled entirely instead, > and so may_use_simd() can never fail when called from task or softirq > context. > > This means we can drop the fpsimd_context_busy flag entirely, and > instead, ensure that we disable softirq processing in places where we > formerly relied on the flag for preventing races in the FPSIMD preserve > routines. > > Signed-off-by: Ard Biesheuvel <ardb(a)kernel.org> > Reviewed-by: Mark Brown <broonie(a)kernel.org> > Tested-by: Geert Uytterhoeven <geert+renesas(a)glider.be> > Link: https://lore.kernel.org/r/20231208113218.3001940-7-ardb@google.com > [will: Folded in fix from CAMj1kXFhzbJRyWHELCivQW1yJaF=p07LLtbuyXYX3G1WtsdyQg(a)mail.gmail.com] > Signed-off-by: Will Deacon <will(a)kernel.org> > Stable-dep-of: b8995a184170 ("Revert "arm64: fpsimd: Implement lazy restore for kernel mode FPSIMD"") > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/arch/arm64/include/asm/simd.h b/arch/arm64/include/asm/simd.h > index 6a75d7ecdcaa2..8e86c9e70e483 100644 > --- a/arch/arm64/include/asm/simd.h > +++ b/arch/arm64/include/asm/simd.h > @@ -12,8 +12,6 @@ > #include <linux/preempt.h> > #include <linux/types.h> > > -DECLARE_PER_CPU(bool, fpsimd_context_busy); > - > #ifdef CONFIG_KERNEL_MODE_NEON > > /* > @@ -28,17 +26,10 @@ static __must_check inline bool may_use_simd(void) > /* > * We must make sure that the SVE has been initialized properly > * before using the SIMD in kernel. > - * fpsimd_context_busy is only set while preemption is disabled, > - * and is clear whenever preemption is enabled. Since > - * this_cpu_read() is atomic w.r.t. preemption, fpsimd_context_busy > - * cannot change under our feet -- if it's set we cannot be > - * migrated, and if it's clear we cannot be migrated to a CPU > - * where it is set. > */ > return !WARN_ON(!system_capabilities_finalized()) && > system_supports_fpsimd() && > - !in_hardirq() && !irqs_disabled() && !in_nmi() && > - !this_cpu_read(fpsimd_context_busy); > + !in_hardirq() && !irqs_disabled() && !in_nmi(); > } > > #else /* ! CONFIG_KERNEL_MODE_NEON */ > diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c > index 5cdfcc9e3e54b..b805bdab284c4 100644 > --- a/arch/arm64/kernel/fpsimd.c > +++ b/arch/arm64/kernel/fpsimd.c > @@ -85,13 +85,13 @@ > * softirq kicks in. Upon vcpu_put(), KVM will save the vcpu FP state and > * flag the register state as invalid. > * > - * In order to allow softirq handlers to use FPSIMD, kernel_neon_begin() may > - * save the task's FPSIMD context back to task_struct from softirq context. > - * To prevent this from racing with the manipulation of the task's FPSIMD state > - * from task context and thereby corrupting the state, it is necessary to > - * protect any manipulation of a task's fpsimd_state or TIF_FOREIGN_FPSTATE > - * flag with {, __}get_cpu_fpsimd_context(). This will still allow softirqs to > - * run but prevent them to use FPSIMD. > + * In order to allow softirq handlers to use FPSIMD, kernel_neon_begin() may be > + * called from softirq context, which will save the task's FPSIMD context back > + * to task_struct. To prevent this from racing with the manipulation of the > + * task's FPSIMD state from task context and thereby corrupting the state, it > + * is necessary to protect any manipulation of a task's fpsimd_state or > + * TIF_FOREIGN_FPSTATE flag with get_cpu_fpsimd_context(), which will suspend > + * softirq servicing entirely until put_cpu_fpsimd_context() is called. > * > * For a certain task, the sequence may look something like this: > * - the task gets scheduled in; if both the task's fpsimd_cpu field > @@ -209,27 +209,14 @@ static inline void sme_free(struct task_struct *t) { } > > #endif > > -DEFINE_PER_CPU(bool, fpsimd_context_busy); > -EXPORT_PER_CPU_SYMBOL(fpsimd_context_busy); > - > static void fpsimd_bind_task_to_cpu(void); > > -static void __get_cpu_fpsimd_context(void) > -{ > - bool busy = __this_cpu_xchg(fpsimd_context_busy, true); > - > - WARN_ON(busy); > -} > - > /* > * Claim ownership of the CPU FPSIMD context for use by the calling context. > * > * The caller may freely manipulate the FPSIMD context metadata until > * put_cpu_fpsimd_context() is called. > * > - * The double-underscore version must only be called if you know the task > - * can't be preempted. > - * > * On RT kernels local_bh_disable() is not sufficient because it only > * serializes soft interrupt related sections via a local lock, but stays > * preemptible. Disabling preemption is the right choice here as bottom > @@ -242,14 +229,6 @@ static void get_cpu_fpsimd_context(void) > local_bh_disable(); > else > preempt_disable(); > - __get_cpu_fpsimd_context(); > -} > - > -static void __put_cpu_fpsimd_context(void) > -{ > - bool busy = __this_cpu_xchg(fpsimd_context_busy, false); > - > - WARN_ON(!busy); /* No matching get_cpu_fpsimd_context()? */ > } > > /* > @@ -261,18 +240,12 @@ static void __put_cpu_fpsimd_context(void) > */ > static void put_cpu_fpsimd_context(void) > { > - __put_cpu_fpsimd_context(); > if (!IS_ENABLED(CONFIG_PREEMPT_RT)) > local_bh_enable(); > else > preempt_enable(); > } > > -static bool have_cpu_fpsimd_context(void) > -{ > - return !preemptible() && __this_cpu_read(fpsimd_context_busy); > -} > - > unsigned int task_get_vl(const struct task_struct *task, enum vec_type type) > { > return task->thread.vl[type]; > @@ -383,7 +356,7 @@ static void task_fpsimd_load(void) > bool restore_ffr; > > WARN_ON(!system_supports_fpsimd()); > - WARN_ON(!have_cpu_fpsimd_context()); > + WARN_ON(preemptible()); > > if (system_supports_sve() || system_supports_sme()) { > switch (current->thread.fp_type) { > @@ -467,7 +440,7 @@ static void fpsimd_save(void) > unsigned int vl; > > WARN_ON(!system_supports_fpsimd()); > - WARN_ON(!have_cpu_fpsimd_context()); > + WARN_ON(preemptible()); > > if (test_thread_flag(TIF_FOREIGN_FPSTATE)) > return; > @@ -1583,7 +1556,7 @@ void fpsimd_thread_switch(struct task_struct *next) > if (!system_supports_fpsimd()) > return; > > - __get_cpu_fpsimd_context(); > + WARN_ON_ONCE(!irqs_disabled()); > > /* Save unsaved fpsimd state, if any: */ > fpsimd_save(); > @@ -1599,8 +1572,6 @@ void fpsimd_thread_switch(struct task_struct *next) > > update_tsk_thread_flag(next, TIF_FOREIGN_FPSTATE, > wrong_task || wrong_cpu); > - > - __put_cpu_fpsimd_context(); > } > > static void fpsimd_flush_thread_vl(enum vec_type type) > @@ -1892,13 +1863,15 @@ static void fpsimd_flush_cpu_state(void) > */ > void fpsimd_save_and_flush_cpu_state(void) > { > + unsigned long flags; > + > if (!system_supports_fpsimd()) > return; > WARN_ON(preemptible()); > - __get_cpu_fpsimd_context(); > + local_irq_save(flags); > fpsimd_save(); > fpsimd_flush_cpu_state(); > - __put_cpu_fpsimd_context(); > + local_irq_restore(flags); > } > > #ifdef CONFIG_KERNEL_MODE_NEON

1 year, 4 months

2
3
0 0

v6.6.33-rc1 build failure

by Mark Brown

I'm not seeing a test mail for v6.6.33-rc1 but it's in the stable-rc git and I'm seeing build failures in the KVM selftests for arm64 with it: /usr/bin/ld: /build/stage/build-work/kselftest/kvm/aarch64/vgic_init.o: in funct ion `test_v2_uaccess_cpuif_no_vcpus': /build/stage/linux/tools/testing/selftests/kvm/aarch64/vgic_init.c:388:(.text+0x 1234): undefined reference to `FIELD_PREP' /usr/bin/ld: /build/stage/linux/tools/testing/selftests/kvm/aarch64/vgic_init.c: 388:(.text+0x1244): undefined reference to `FIELD_PREP' /usr/bin/ld: /build/stage/linux/tools/testing/selftests/kvm/aarch64/vgic_init.c: 393:(.text+0x12a4): undefined reference to `FIELD_PREP' /usr/bin/ld: /build/stage/linux/tools/testing/selftests/kvm/aarch64/vgic_init.c: 393:(.text+0x12b4): undefined reference to `FIELD_PREP' /usr/bin/ld: /build/stage/linux/tools/testing/selftests/kvm/aarch64/vgic_init.c: 398:(.text+0x1308): undefined reference to `FIELD_PREP' due to 12237178b318fb3 ("KVM: selftests: Add test for uaccesses to non-existent vgic-v2 CPUIF") which was backported from 160933e330f4c5a13931d725a4d952a4b9aefa71.

1 year, 4 months

3
2
0 0

[PATCH 6.8.y-and-older] ALSA: timer: Set lower bound of start tick time

by Takashi Iwai

commit 4a63bd179fa8d3fcc44a0d9d71d941ddd62f0c4e upstream. Currently ALSA timer doesn't have the lower limit of the start tick time, and it allows a very small size, e.g. 1 tick with 1ns resolution for hrtimer. Such a situation may lead to an unexpected RCU stall, where the callback repeatedly queuing the expire update, as reported by fuzzer. This patch introduces a sanity check of the timer start tick time, so that the system returns an error when a too small start size is set. As of this patch, the lower limit is hard-coded to 100us, which is small enough but can still work somehow. [ backport note: the error handling is changed, as the original commit is based on the recent cleanup with guard() in commit beb45974dd49 -- tiwai ] Reported-by: syzbot+43120c2af6ca2938cc38(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/r/000000000000fa00a1061740ab6d@google.com Cc: <stable(a)vger.kernel.org> Link: https://lore.kernel.org/r/20240514182745.4015-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai(a)suse.de> --- Greg, this is an alternative fix to the original cherry-pick; apply to 6.8.y and older stable kernels. Thanks! sound/core/timer.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/sound/core/timer.c b/sound/core/timer.c index e6e551d4a29e..a0b515981ee9 100644 --- a/sound/core/timer.c +++ b/sound/core/timer.c @@ -553,6 +553,16 @@ static int snd_timer_start1(struct snd_timer_instance *timeri, goto unlock; } + /* check the actual time for the start tick; + * bail out as error if it's way too low (< 100us) + */ + if (start) { + if ((u64)snd_timer_hw_resolution(timer) * ticks < 100000) { + result = -EINVAL; + goto unlock; + } + } + if (start) timeri->ticks = timeri->cticks = ticks; else if (!timeri->cticks) -- 2.43.0

1 year, 4 months

2
1
0 0

[PATCH 5.10/5.15/6.1] clk: mediatek: Add memory allocation fail handling in clk_mt2712_top_init_early()

by Aleksandr Mishin

No upstream commit exists for this commit. The issue was introduced with commit e2f744a82d72 ("clk: mediatek: Add MT2712 clock support") In case of memory allocation fail in clk_mt2712_top_init_early() 'top_clk_data' will be set to NULL and later dereferenced without check. Fix this bug by adding NULL-return check. Upstream branch code has been significantly refactored and can't be backported directly. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Aleksandr Mishin <amishin(a)t-argos.ru> --- drivers/clk/mediatek/clk-mt2712.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/clk/mediatek/clk-mt2712.c b/drivers/clk/mediatek/clk-mt2712.c index a0f0c9ed48d1..1830bae661dc 100644 --- a/drivers/clk/mediatek/clk-mt2712.c +++ b/drivers/clk/mediatek/clk-mt2712.c @@ -1277,6 +1277,11 @@ static void clk_mt2712_top_init_early(struct device_node *node) if (!top_clk_data) { top_clk_data = mtk_alloc_clk_data(CLK_TOP_NR_CLK); + if (!top_clk_data) { + pr_err("%s(): could not register clock provider: %d\n", + __func__, -ENOMEM); + return; + } for (i = 0; i < CLK_TOP_NR_CLK; i++) top_clk_data->hws[i] = ERR_PTR(-EPROBE_DEFER); -- 2.30.2

1 year, 4 months

2
2
0 0

[PATCH 5.10/5.15/6.1] clk: mediatek: mt8183: Add memory

by Aleksandr Mishin

No upstream commit exists for this commit. The issue was introduced with commit c93d059a8045 ("clk: mediatek: mt8183: Register 13MHz clock earlier for clocksource") In case of memory allocation fail in clk_mt8183_top_init_early() 'top_clk_data' will be set to NULL and later dereferenced without check. Fix this bug by adding NULL-return check. Upstream branch code has been significantly refactored and can't be backported directly. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Aleksandr Mishin <amishin(a)t-argos.ru> --- drivers/clk/mediatek/clk-mt8183.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/clk/mediatek/clk-mt8183.c b/drivers/clk/mediatek/clk-mt8183.c index 78620244144e..8377a877d9e3 100644 --- a/drivers/clk/mediatek/clk-mt8183.c +++ b/drivers/clk/mediatek/clk-mt8183.c @@ -1185,6 +1185,11 @@ static void clk_mt8183_top_init_early(struct device_node *node) int i; top_clk_data = mtk_alloc_clk_data(CLK_TOP_NR_CLK); + if (!top_clk_data) { + pr_err("%s(): could not register clock provider: %d\n", + __func__, -ENOMEM); + return; + } for (i = 0; i < CLK_TOP_NR_CLK; i++) top_clk_data->hws[i] = ERR_PTR(-EPROBE_DEFER); -- 2.30.2

1 year, 4 months

2
2
0 0

[PATCH stable 6.9] vxlan: Fix regression when dropping packets due to invalid src addresses

by Daniel Borkmann

[ Upstream commit 1cd4bc987abb2823836cbb8f887026011ccddc8a ] Commit f58f45c1e5b9 ("vxlan: drop packets from invalid src-address") has recently been added to vxlan mainly in the context of source address snooping/learning so that when it is enabled, an entry in the FDB is not being created for an invalid address for the corresponding tunnel endpoint. Before commit f58f45c1e5b9 vxlan was similarly behaving as geneve in that it passed through whichever macs were set in the L2 header. It turns out that this change in behavior breaks setups, for example, Cilium with netkit in L3 mode for Pods as well as tunnel mode has been passing before the change in f58f45c1e5b9 for both vxlan and geneve. After mentioned change it is only passing for geneve as in case of vxlan packets are dropped due to vxlan_set_mac() returning false as source and destination macs are zero which for E/W traffic via tunnel is totally fine. Fix it by only opting into the is_valid_ether_addr() check in vxlan_set_mac() when in fact source address snooping/learning is actually enabled in vxlan. This is done by moving the check into vxlan_snoop(). With this change, the Cilium connectivity test suite passes again for both tunnel flavors. Fixes: f58f45c1e5b9 ("vxlan: drop packets from invalid src-address") Signed-off-by: Daniel Borkmann <daniel(a)iogearbox.net> Cc: David Bauer <mail(a)david-bauer.net> Cc: Ido Schimmel <idosch(a)nvidia.com> Cc: Nikolay Aleksandrov <razor(a)blackwall.org> Cc: Martin KaFai Lau <martin.lau(a)kernel.org> Reviewed-by: Ido Schimmel <idosch(a)nvidia.com> Reviewed-by: Nikolay Aleksandrov <razor(a)blackwall.org> Reviewed-by: David Bauer <mail(a)david-bauer.net> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Daniel Borkmann <daniel(a)iogearbox.net> --- drivers/net/vxlan/vxlan_core.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c index 3a9148fb1422..eccf09c81df2 100644 --- a/drivers/net/vxlan/vxlan_core.c +++ b/drivers/net/vxlan/vxlan_core.c @@ -1446,6 +1446,10 @@ static bool vxlan_snoop(struct net_device *dev, struct vxlan_fdb *f; u32 ifindex = 0; + /* Ignore packets from invalid src-address */ + if (!is_valid_ether_addr(src_mac)) + return true; + #if IS_ENABLED(CONFIG_IPV6) if (src_ip->sa.sa_family == AF_INET6 && (ipv6_addr_type(&src_ip->sin6.sin6_addr) & IPV6_ADDR_LINKLOCAL)) @@ -1615,10 +1619,6 @@ static bool vxlan_set_mac(struct vxlan_dev *vxlan, if (ether_addr_equal(eth_hdr(skb)->h_source, vxlan->dev->dev_addr)) return false; - /* Ignore packets from invalid src-address */ - if (!is_valid_ether_addr(eth_hdr(skb)->h_source)) - return false; - /* Get address from the outer IP header */ if (vxlan_get_sk_family(vs) == AF_INET) { saddr.sin.sin_addr.s_addr = ip_hdr(skb)->saddr; -- 2.34.1

1 year, 4 months

1
0
0 0

[PATCH v2] mpt3sas: Avoid test/set_bit() operating in non-allocated memory

by Breno Leitao

There is a potential out-of-bounds access when using test_bit() on a single word. The test_bit() and set_bit() functions operate on long values, and when testing or setting a single word, they can exceed the word boundary. KASAN detects this issue and produces a dump: BUG: KASAN: slab-out-of-bounds in _scsih_add_device.constprop.0 (./arch/x86/include/asm/bitops.h:60 ./include/asm-generic/bitops/instrumented-atomic.h:29 drivers/scsi/mpt3sas/mpt3sas_scsih.c:7331) mpt3sas Write of size 8 at addr ffff8881d26e3c60 by task kworker/u1536:2/2965 For full log, please look at [1]. Make the allocation at least the size of sizeof(unsigned long) so that set_bit() and test_bit() have sufficient room for read/write operations without overwriting unallocated memory. [1] Link: https://lore.kernel.org/all/ZkNcALr3W3KGYYJG@gmail.com/ Fixes: c696f7b83ede ("scsi: mpt3sas: Implement device_remove_in_progress check in IOCTL path") Cc: stable(a)vger.kernel.org Suggested-by: Keith Busch <kbusch(a)kernel.org> Signed-off-by: Breno Leitao <leitao(a)debian.org> --- Changelog: v2: * Do the same protection in krealloc() in _base_check_ioc_facts_changes, as suggested by Keith. --- drivers/scsi/mpt3sas/mpt3sas_base.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c b/drivers/scsi/mpt3sas/mpt3sas_base.c index 258647fc6bdd..cc17204721c2 100644 --- a/drivers/scsi/mpt3sas/mpt3sas_base.c +++ b/drivers/scsi/mpt3sas/mpt3sas_base.c @@ -8512,6 +8512,12 @@ mpt3sas_base_attach(struct MPT3SAS_ADAPTER *ioc) ioc->pd_handles_sz = (ioc->facts.MaxDevHandle / 8); if (ioc->facts.MaxDevHandle % 8) ioc->pd_handles_sz++; + /* pd_handles_sz should have, at least, the minimal room + * for set_bit()/test_bit(), otherwise out-of-memory touch + * may occur + */ + ioc->pd_handles_sz = ALIGN(ioc->pd_handles_sz, sizeof(unsigned long)); + ioc->pd_handles = kzalloc(ioc->pd_handles_sz, GFP_KERNEL); if (!ioc->pd_handles) { @@ -8529,6 +8535,12 @@ mpt3sas_base_attach(struct MPT3SAS_ADAPTER *ioc) ioc->pend_os_device_add_sz = (ioc->facts.MaxDevHandle / 8); if (ioc->facts.MaxDevHandle % 8) ioc->pend_os_device_add_sz++; + + /* pend_os_device_add_sz should have, at least, the minimal room + * for set_bit()/test_bit(), otherwise out-of-memory may occur + */ + ioc->pend_os_device_add_sz = ALIGN(ioc->pend_os_device_add_sz, + sizeof(unsigned long)); ioc->pend_os_device_add = kzalloc(ioc->pend_os_device_add_sz, GFP_KERNEL); if (!ioc->pend_os_device_add) { @@ -8820,6 +8832,11 @@ _base_check_ioc_facts_changes(struct MPT3SAS_ADAPTER *ioc) if (ioc->facts.MaxDevHandle % 8) pd_handles_sz++; + /* pd_handles should have, at least, the minimal room + * for set_bit()/test_bit(), otherwise out-of-memory touch + * may occur + */ + pd_handles_sz = ALIGN(pd_handles_sz, sizeof(unsigned long)); pd_handles = krealloc(ioc->pd_handles, pd_handles_sz, GFP_KERNEL); if (!pd_handles) { -- 2.43.0

1 year, 4 months

4
3
0 0

[PATCH v3 5.10/5.15] ata: libata-scsi: check cdb length for VARIABLE_LENGTH_CMD commands

by Mikhail Ukhin

No upstream commit exists for this patch. Fuzzing of 5.10 stable branch reports a slab-out-of-bounds error in ata_scsi_pass_thru. The error is fixed in 5.18 by commit ce70fd9a551a ("scsi: core: Remove the cmd field from struct scsi_request") upstream. Backporting this commit would require significant changes to the code so it is bettter to use a simple fix for that particular error. The problem is that the length of the received SCSI command is not validated if scsi_op == VARIABLE_LENGTH_CMD. It can lead to out-of-bounds reading if the user sends a request with SCSI command of length less than 32. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Signed-off-by: Artem Sadovnikov <ancowi69(a)gmail.com> Signed-off-by: Mikhail Ivanov <iwanov-23(a)bk.ru> Signed-off-by: Mikhail Ukhin <mish.uxin2012(a)yandex.ru> --- v2: The new addresses were added and the text was updated. v3: Checking has been moved to the function ata_scsi_var_len_cdb_xlat at the request of Damien Le Moal drivers/ata/libata-scsi.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c index dfa090ccd21c..38488bd813d1 100644 --- a/drivers/ata/libata-scsi.c +++ b/drivers/ata/libata-scsi.c @@ -3948,7 +3948,11 @@ static unsigned int ata_scsi_var_len_cdb_xlat(struct ata_queued_cmd *qc) struct scsi_cmnd *scmd = qc->scsicmd; const u8 *cdb = scmd->cmnd; const u16 sa = get_unaligned_be16(&cdb[8]); + u8 scsi_op = scmd->cmnd[0]; + if (scsi_op == VARIABLE_LENGTH_CMD && scmd->cmd_len < 32) + return 1; + /* * if service action represents a ata pass-thru(32) command, * then pass it to ata_scsi_pass_thru handler. -- 2.25.1

1 year, 4 months

2
1
0 0

[PATCH] KVM: arm64: Disassociate vcpus from redistributor region on teardown

by Marc Zyngier

When tearing down a redistributor region, make sure we don't have any dangling pointer to that region stored in a vcpu. Fixes: e5a35635464b ("kvm: arm64: vgic-v3: Introduce vgic_v3_free_redist_region()") Signed-off-by: Marc Zyngier <maz(a)kernel.org> Cc: stable(a)vger.kernel.org --- arch/arm64/kvm/vgic/vgic-init.c | 2 +- arch/arm64/kvm/vgic/vgic-mmio-v3.c | 15 +++++++++++++-- arch/arm64/kvm/vgic/vgic.h | 2 +- 3 files changed, 15 insertions(+), 4 deletions(-) diff --git a/arch/arm64/kvm/vgic/vgic-init.c b/arch/arm64/kvm/vgic/vgic-init.c index 8f5b7a3e7009..7f68cf58b978 100644 --- a/arch/arm64/kvm/vgic/vgic-init.c +++ b/arch/arm64/kvm/vgic/vgic-init.c @@ -391,7 +391,7 @@ static void kvm_vgic_dist_destroy(struct kvm *kvm) if (dist->vgic_model == KVM_DEV_TYPE_ARM_VGIC_V3) { list_for_each_entry_safe(rdreg, next, &dist->rd_regions, list) - vgic_v3_free_redist_region(rdreg); + vgic_v3_free_redist_region(kvm, rdreg); INIT_LIST_HEAD(&dist->rd_regions); } else { dist->vgic_cpu_base = VGIC_ADDR_UNDEF; diff --git a/arch/arm64/kvm/vgic/vgic-mmio-v3.c b/arch/arm64/kvm/vgic/vgic-mmio-v3.c index a3983a631b5a..9e50928f5d7d 100644 --- a/arch/arm64/kvm/vgic/vgic-mmio-v3.c +++ b/arch/arm64/kvm/vgic/vgic-mmio-v3.c @@ -919,8 +919,19 @@ static int vgic_v3_alloc_redist_region(struct kvm *kvm, uint32_t index, return ret; } -void vgic_v3_free_redist_region(struct vgic_redist_region *rdreg) +void vgic_v3_free_redist_region(struct kvm *kvm, struct vgic_redist_region *rdreg) { + struct kvm_vcpu *vcpu; + unsigned long c; + + lockdep_assert_held(&kvm->arch.config_lock); + + /* Garbage collect the region */ + kvm_for_each_vcpu(c, vcpu, kvm) { + if (vcpu->arch.vgic_cpu.rdreg == rdreg) + vcpu->arch.vgic_cpu.rdreg = NULL; + } + list_del(&rdreg->list); kfree(rdreg); } @@ -945,7 +956,7 @@ int vgic_v3_set_redist_base(struct kvm *kvm, u32 index, u64 addr, u32 count) mutex_lock(&kvm->arch.config_lock); rdreg = vgic_v3_rdist_region_from_index(kvm, index); - vgic_v3_free_redist_region(rdreg); + vgic_v3_free_redist_region(kvm, rdreg); mutex_unlock(&kvm->arch.config_lock); return ret; } diff --git a/arch/arm64/kvm/vgic/vgic.h b/arch/arm64/kvm/vgic/vgic.h index 6106ebd5ba42..03d356a12377 100644 --- a/arch/arm64/kvm/vgic/vgic.h +++ b/arch/arm64/kvm/vgic/vgic.h @@ -316,7 +316,7 @@ vgic_v3_rd_region_size(struct kvm *kvm, struct vgic_redist_region *rdreg) struct vgic_redist_region *vgic_v3_rdist_region_from_index(struct kvm *kvm, u32 index); -void vgic_v3_free_redist_region(struct vgic_redist_region *rdreg); +void vgic_v3_free_redist_region(struct kvm *kvm, struct vgic_redist_region *rdreg); bool vgic_v3_rdist_overlap(struct kvm *kvm, gpa_t base, size_t size); -- 2.39.2

1 year, 4 months

2
2
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror June 2024