This is v6.8 specific; v6.9 is reported as not affected (due to
extensive code refactoring).
Commit dc3f5aae0638 reworked how early cmdline CPU feature parsing
is done, and converted to using memcmp() in preparation for the move to
the pi minimal C standard library.
As a result it caused a regression whereby a parameter >= 146
characters on the kernel command line would cause a silent panic with no
console clues as to why.
It is due to memcmp() in include/linux/fortify-string.h detecting an
attempted out-of-bounds read. The cause itself is subtle.
arch/arm64/kernel/idreg-override.c::__parse_cmdline() compares the
struct aliases entries with each parameter via memcmp().
    #define FTR_ALIAS_NAME_LEN      30
    #define FTR_ALIAS_OPTION_LEN    116
    ...
    static const struct {
            char    alias[FTR_ALIAS_NAME_LEN];
            char    feature[FTR_ALIAS_OPTION_LEN];
    } aliases[]
Each element is 146 characters. When a parameter is also 146 characters
the call looks like memcmp(buf, aliases[i].alias, len+1) where len is
the equivalent of strlen(buf) and +1 to compare including the trailing
NUL.
That triggers the fortified memcmp()'s:
    if (p_size < size || q_size < size)
            fortify_panic(__func__);
where q_size == 146, size == 147
The solution here is to not call memcmp() at all unless the two strings
have the same length.
Initially reported in Ubuntu (and confirmed to affect Debian and
Mainline):
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2069534
Signed-off-by: Tj <tj.iam.tj(a)proton.me>
---
arch/arm64/kernel/idreg-override.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/arm64/kernel/idreg-override.c b/arch/arm64/kernel/idreg-override.c
index e30fd9e32ef3a..9d2c120f378ae 100644
--- a/arch/arm64/kernel/idreg-override.c
+++ b/arch/arm64/kernel/idreg-override.c
@@ -308,7 +308,8 @@ static __init void __parse_cmdline(const char *cmdline, bool parse_aliases)
match_options(buf);
for (i = 0; parse_aliases && i < ARRAY_SIZE(aliases); i++)
- if (!memcmp(buf, aliases[i].alias, len + 1))
+ if (len == strlen(aliases[i].alias) &&
+ !memcmp(buf, aliases[i].alias, len + 1))
__parse_cmdline(aliases[i].feature, false);
} while (1);
}
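Review bot: The new "len == strlen(aliases[i].alias)" test on the if inside the for loop carries no comment saying it exists to keep the fortified memcmp() from being asked for more bytes than one aliases[] element holds, so it reads like a redundant pre-check that a later cleanup could drop. A one-line comment above the if would cover that. The guard also relies on every alias being NUL-terminated inside its fixed-size array, which is worth stating next to the table definition.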
--
2.39.2
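The bounds check described in the commit message above can be reproduced in user space. The following is an added example, not code from the patch or the kernel: fortified_memcmp_model() is a hypothetical stand-in that returns a status where the kernel would call fortify_panic(), the alias table entries are constructed, and the 256-byte parse buffer is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FTR_ALIAS_NAME_LEN   30
#define FTR_ALIAS_OPTION_LEN 116
#define PARAM_BUF_LEN        256	/* assumed parse-buffer size, not from the page */

struct alias_entry {
	char alias[FTR_ALIAS_NAME_LEN];
	char feature[FTR_ALIAS_OPTION_LEN];
};
_Static_assert(sizeof(struct alias_entry) == 146, "element must be 146 bytes");

/* Constructed sample table; these are not the kernel's real aliases. */
static const struct alias_entry aliases[] = {
	{ "example.alias", "example.feature=1" },
	{ "other.alias",   "other.feature=0" },
};

enum cmp_result { CMP_EQUAL, CMP_DIFFERENT, CMP_WOULD_PANIC };

/*
 * Hypothetical model of the fortified memcmp(): the same size test as in
 * the commit message, but reporting the failure instead of panicking.
 */
static enum cmp_result fortified_memcmp_model(const void *p, size_t p_size,
					      const void *q, size_t q_size,
					      size_t size)
{
	if (p_size < size || q_size < size)
		return CMP_WOULD_PANIC;
	return memcmp(p, q, size) ? CMP_DIFFERENT : CMP_EQUAL;
}

/*
 * Compare one command-line parameter against every alias.
 * with_fix == false: compare len + 1 bytes unconditionally (pre-patch).
 * with_fix == true:  skip aliases whose length differs (patched).
 */
static enum cmp_result match_param(const char *param, bool with_fix)
{
	char buf[PARAM_BUF_LEN] = { 0 };
	size_t len = strlen(param);
	enum cmp_result res = CMP_DIFFERENT;

	if (len >= sizeof(buf))
		len = sizeof(buf) - 1;
	memcpy(buf, param, len);

	for (size_t i = 0; i < sizeof(aliases) / sizeof(aliases[0]); i++) {
		const struct alias_entry *e = &aliases[i];
		enum cmp_result r;

		if (with_fix && len != strlen(e->alias))
			continue;
		/* alias is the first member, so e and e->alias share an address;
		 * q_size is the whole element, matching q_size == 146 above. */
		r = fortified_memcmp_model(buf, sizeof(buf), e, sizeof(*e), len + 1);
		if (r == CMP_WOULD_PANIC)
			return r;
		if (r == CMP_EQUAL)
			res = r;
	}
	return res;
}

/* Smallest parameter length that trips the size check, or -1 if none does. */
static int first_panicking_length(bool with_fix)
{
	char param[PARAM_BUF_LEN];

	for (size_t len = 0; len < sizeof(param); len++) {
		memset(param, 'a', len);
		param[len] = '\0';
		if (match_param(param, with_fix) == CMP_WOULD_PANIC)
			return (int)len;
	}
	return -1;
}

int main(void)
{
	printf("element size:              %zu\n", sizeof(struct alias_entry));
	printf("first panic length, before: %d\n", first_panicking_length(false));
	printf("first panic length, after:  %d\n", first_panicking_length(true));
	printf("exact alias still matches:  %s\n",
	       match_param("example.alias", true) == CMP_EQUAL ? "yes" : "no");
	return 0;
}
```
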
This is the start of the stable review cycle for the 5.15.164 release.
There are 87 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Sat, 27 Jul 2024 14:27:16 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.164-r…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 5.15.164-rc1
Jann Horn <jannh(a)google.com>
filelock: Fix fcntl/close race recovery compat path
Shengjiu Wang <shengjiu.wang(a)nxp.com>
ALSA: pcm_dmaengine: Don't synchronize DMA channel when DMA is paused
Krishna Kurapati <quic_kriskura(a)quicinc.com>
arm64: dts: qcom: sdm630: Disable SS instance in Parkmode for USB
Krishna Kurapati <quic_kriskura(a)quicinc.com>
arm64: dts: qcom: msm8996: Disable SS instance in Parkmode for USB
Seunghun Han <kkamagui(a)gmail.com>
ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book Pro 360
Edson Juliano Drosdeck <edson.drosdeck(a)gmail.com>
ALSA: hda/realtek: Enable headset mic on Positivo SU C1400
lei lu <llfamsec(a)gmail.com>
fs/ntfs3: Validate ff offset
lei lu <llfamsec(a)gmail.com>
jfs: don't walk off the end of ealist
lei lu <llfamsec(a)gmail.com>
ocfs2: add bounds checking to ocfs2_check_dir_entry()
Paolo Abeni <pabeni(a)redhat.com>
net: relax socket state check at accept time.
Linus Torvalds <torvalds(a)linux-foundation.org>
Add gitignore file for samples/fanotify/ subdirectory
Gabriel Krisman Bertazi <krisman(a)collabora.com>
docs: Fix formatting of literal sections in fanotify docs
Gabriel Krisman Bertazi <krisman(a)collabora.com>
samples: Make fs-monitor depend on libc and headers
Gabriel Krisman Bertazi <krisman(a)collabora.com>
samples: Add fs error monitoring example
Dan Carpenter <dan.carpenter(a)linaro.org>
drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()
Johannes Berg <johannes.berg(a)intel.com>
wifi: mac80211: disable softirqs for queued frame handling
SeongJae Park <sj(a)kernel.org>
mm/damon/core: merge regions aggressively when max_nr_regions is unmet
David Laight <David.Laight(a)ACULAB.COM>
minmax: relax check to allow comparison between unsigned arguments and signed constants
David Laight <David.Laight(a)ACULAB.COM>
minmax: allow comparisons of 'int' against 'unsigned char/short'
David Laight <David.Laight(a)ACULAB.COM>
minmax: allow min()/max()/clamp() if the arguments have the same signedness.
Andy Shevchenko <andriy.shevchenko(a)linux.intel.com>
minmax: fix header inclusions
Jason A. Donenfeld <Jason(a)zx2c4.com>
minmax: clamp more efficiently by avoiding extra comparison
Jason A. Donenfeld <Jason(a)zx2c4.com>
minmax: sanity check constant bounds when clamping
Bart Van Assche <bvanassche(a)acm.org>
tracing: Define the is_signed_type() macro once
David Lechner <dlechner(a)baylibre.com>
spi: mux: set ctlr->bits_per_word_mask
Edward Adam Davis <eadavis(a)qq.com>
hfsplus: fix uninit-value in copy_name
John Hubbard <jhubbard(a)nvidia.com>
selftests/vDSO: fix clang build errors and warnings
Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de>
spi: imx: Don't expect DMA for i.MX{25,35,50,51,53} cspi devices
Puranjay Mohan <puranjay(a)kernel.org>
riscv: stacktrace: fix usage of ftrace_graph_ret_addr()
Christian Brauner <brauner(a)kernel.org>
fs: better handle deep ancestor chains in is_subdir()
Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer(a)amd.com>
drm/radeon: check bo_va->bo is non-NULL before using it
Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp>
Bluetooth: hci_core: cancel all works upon hci_unregister_dev()
Xingui Yang <yangxingui(a)huawei.com>
scsi: libsas: Fix exp-attached device scan after probe failure scanned in again after probe failed
Ganesh Goudar <ganeshgr(a)linux.ibm.com>
powerpc/eeh: avoid possible crash when edev->pdev changes
Anjali K <anjalik(a)linux.ibm.com>
powerpc/pseries: Whitelist dtl slub object for copying to userspace
Yunshui Jiang <jiangyunshui(a)kylinos.cn>
net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and DEV_STATS_ADD()
Daniele Palmas <dnlplm(a)gmail.com>
net: usb: qmi_wwan: add Telit FN912 compositions
Shengjiu Wang <shengjiu.wang(a)nxp.com>
ALSA: dmaengine_pcm: terminate dmaengine before synchronize
Aivaz Latypov <reichaivaz(a)gmail.com>
ALSA: hda/relatek: Enable Mute LED on HP Laptop 15-gw0xxx
Filipe Manana <fdmanana(a)suse.com>
btrfs: qgroup: fix quota root leak after quota disable failure
Armin Wolf <W_Armin(a)gmx.de>
platform/x86: lg-laptop: Use ACPI device handle when evaluating WMAB/WMBB
Armin Wolf <W_Armin(a)gmx.de>
platform/x86: lg-laptop: Change ACPI device id
Armin Wolf <W_Armin(a)gmx.de>
platform/x86: lg-laptop: Remove LGEX0815 hotkey handling
Armin Wolf <W_Armin(a)gmx.de>
platform/x86: wireless-hotkey: Add support for LG Airplane Button
Heiko Carstens <hca(a)linux.ibm.com>
s390/sclp: Fix sclp_init() cleanup on failure
Chen Ni <nichen(a)iscas.ac.cn>
can: kvaser_usb: fix return value for hif_usb_send_regout
Primoz Fiser <primoz.fiser(a)norik.com>
ASoC: ti: omap-hdmi: Fix too long driver name
Jai Luthra <j-luthra(a)ti.com>
ASoC: ti: davinci-mcasp: Set min period size using FIFO config
Jai Luthra <j-luthra(a)ti.com>
ALSA: dmaengine: Synchronize dma channel after drop()
Thomas GENTY <tomlohave(a)gmail.com>
bytcr_rt5640 : inverse jack detect for Archos 101 cesium
Tobias Jakobi <tjakobi(a)math.uni-bielefeld.de>
Input: i8042 - add Ayaneo Kun to i8042 quirk table
Jonathan Denose <jdenose(a)google.com>
Input: elantech - fix touchpad state on resume for Lenovo N24
Arnd Bergmann <arnd(a)arndb.de>
mips: fix compat_sys_lseek syscall
Kailang Yang <kailang(a)realtek.com>
ALSA: hda/realtek: Add more codec ID to no shutup pins list
Alexey Makhalov <alexey.makhalov(a)broadcom.com>
drm/vmwgfx: Fix missing HYPERVISOR_GUEST dependency
Michael Ellerman <mpe(a)ellerman.id.au>
KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()
Dmitry Antipov <dmantipov(a)yandex.ru>
wifi: cfg80211: wext: add extra SIOCSIWSCAN data check
Chunguang Xu <chunguang.xu(a)shopee.com>
nvme: avoid double free special payload
Alexander Usyskin <alexander.usyskin(a)intel.com>
mei: demote client disconnect warning on suspend to debug
Yuntao Wang <yuntao.wang(a)linux.dev>
fs/file: fix the check in find_next_fd()
Masahiro Yamada <masahiroy(a)kernel.org>
kconfig: remove wrong expr_trans_bool()
Masahiro Yamada <masahiroy(a)kernel.org>
kconfig: gconf: give a proper initial state to the Save button
Andreas Hindborg <a.hindborg(a)samsung.com>
null_blk: fix validation of block size
Wei Li <liwei391(a)huawei.com>
arm64: armv8_deprecated: Fix warning in isndep cpuhp starting process
Eric Dumazet <edumazet(a)google.com>
ila: block BH in ila_output()
Eric Dumazet <edumazet(a)google.com>
net: ipv6: rpl_iptunnel: block BH in rpl_output() and rpl_input()
Hans de Goede <hdegoede(a)redhat.com>
Input: silead - Always support 10 fingers
Michael Ellerman <mpe(a)ellerman.id.au>
selftests/openat2: Fix build warnings on ppc64
Dmitry Antipov <dmantipov(a)yandex.ru>
wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan()
Ayala Beker <ayala.beker(a)intel.com>
wifi: iwlwifi: mvm: properly set 6 GHz channel direct probe option
Yedidya Benshimol <yedidya.ben.shimol(a)intel.com>
wifi: iwlwifi: mvm: Handle BIGTK cipher in kek_kck cmd
Yedidya Benshimol <yedidya.ben.shimol(a)intel.com>
wifi: iwlwifi: mvm: d3: fix WoWLAN command version lookup
Johannes Berg <johannes.berg(a)intel.com>
wifi: mac80211: handle tasklet frames before stopping
Nicolas Escande <nico.escande(a)gmail.com>
wifi: mac80211: mesh: init nonpeer_pm to active by default in mesh sdata
Dhananjay Ugwekar <Dhananjay.Ugwekar(a)amd.com>
tools/power/cpupower: Fix Pstate frequency reporting on AMD Family 1Ah CPUs
Armin Wolf <W_Armin(a)gmx.de>
ACPI: EC: Avoid returning AE_OK on errors in address space handler
Armin Wolf <W_Armin(a)gmx.de>
ACPI: EC: Abort address space access upon error
Saurav Kashyap <skashyap(a)marvell.com>
scsi: qedf: Set qed_slowpath_params to zero before use
Saurav Kashyap <skashyap(a)marvell.com>
scsi: qedf: Wait for stag work during unload
Saurav Kashyap <skashyap(a)marvell.com>
scsi: qedf: Don't process stag work during unload and recovery
Martin Wilck <martin.wilck(a)suse.com>
scsi: core: alua: I/O errors for ALUA state transitions
Bart Van Assche <bvanassche(a)acm.org>
scsi: core: Fix a use-after-free
Daniel Borkmann <daniel(a)iogearbox.net>
bpf: Fix overrunning reservations in ringbuf
Kuan-Wei Chiu <visitorckw(a)gmail.com>
ACPI: processor_idle: Fix invalid comparison with insertion sort for latency
Masahiro Yamada <masahiroy(a)kernel.org>
ARM: 9324/1: fix get_user() broken with veneer
Jann Horn <jannh(a)google.com>
filelock: Remove locks reliably when fcntl/close race is detected
Kees Cook <keescook(a)chromium.org>
gcc-plugins: Rename last_stmt() for GCC 14+
-------------
Diffstat:
.../admin-guide/filesystem-monitoring.rst | 20 +--
Makefile | 4 +-
arch/arm/include/asm/uaccess.h | 14 +-
arch/arm64/boot/dts/qcom/msm8996.dtsi | 1 +
arch/arm64/boot/dts/qcom/sdm630.dtsi | 1 +
arch/arm64/kernel/armv8_deprecated.c | 3 +
arch/mips/kernel/syscalls/syscall_o32.tbl | 2 +-
arch/powerpc/kernel/eeh_pe.c | 7 +-
arch/powerpc/kvm/book3s_64_vio.c | 18 ++-
arch/powerpc/platforms/pseries/setup.c | 4 +-
arch/riscv/kernel/stacktrace.c | 3 +-
drivers/acpi/ec.c | 9 +-
drivers/acpi/processor_idle.c | 40 +++---
drivers/block/null_blk/main.c | 4 +-
drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c | 2 +-
drivers/gpu/drm/radeon/radeon_gem.c | 2 +-
drivers/gpu/drm/vmwgfx/Kconfig | 2 +-
drivers/input/mouse/elantech.c | 31 +++++
drivers/input/serio/i8042-acpipnpio.h | 18 ++-
drivers/input/touchscreen/silead.c | 19 +--
drivers/misc/mei/main.c | 2 +-
drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c | 2 +-
drivers/net/usb/qmi_wwan.c | 2 +
drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 16 ++-
drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 5 +-
drivers/nvme/host/core.c | 1 +
drivers/platform/x86/lg-laptop.c | 89 +++++--------
drivers/platform/x86/wireless-hotkey.c | 2 +
drivers/s390/char/sclp.c | 1 +
drivers/scsi/device_handler/scsi_dh_alua.c | 31 +++--
drivers/scsi/hosts.c | 16 ++-
drivers/scsi/libsas/sas_internal.h | 14 ++
drivers/scsi/qedf/qedf.h | 1 +
drivers/scsi/qedf/qedf_main.c | 47 ++++++-
drivers/scsi/scsi_lib.c | 6 +-
drivers/scsi/scsi_priv.h | 2 +-
drivers/scsi/scsi_scan.c | 1 +
drivers/scsi/scsi_sysfs.c | 1 +
drivers/spi/spi-imx.c | 2 +-
drivers/spi/spi-mux.c | 1 +
fs/btrfs/qgroup.c | 4 +-
fs/dcache.c | 31 ++---
fs/file.c | 4 +-
fs/hfsplus/xattr.c | 2 +-
fs/jfs/xattr.c | 23 +++-
fs/locks.c | 18 ++-
fs/ntfs3/fslog.c | 6 +-
fs/ocfs2/dir.c | 46 ++++---
include/linux/compiler.h | 6 +
include/linux/minmax.h | 87 +++++++++----
include/linux/overflow.h | 1 -
include/linux/trace_events.h | 2 -
include/scsi/scsi_host.h | 2 +
include/sound/dmaengine_pcm.h | 1 +
kernel/bpf/ringbuf.c | 30 ++++-
mm/damon/core.c | 21 ++-
net/bluetooth/hci_core.c | 4 +
net/ipv4/af_inet.c | 4 +-
net/ipv6/ila/ila_lwt.c | 7 +-
net/ipv6/rpl_iptunnel.c | 14 +-
net/mac80211/ieee80211_i.h | 2 +
net/mac80211/main.c | 11 +-
net/mac80211/mesh.c | 1 +
net/mac80211/scan.c | 14 +-
net/mac80211/util.c | 4 +
net/mac802154/tx.c | 8 +-
net/wireless/scan.c | 8 +-
samples/Kconfig | 9 ++
samples/Makefile | 1 +
samples/fanotify/.gitignore | 1 +
samples/fanotify/Makefile | 5 +
samples/fanotify/fs-monitor.c | 142 +++++++++++++++++++++
scripts/gcc-plugins/gcc-common.h | 4 +
scripts/kconfig/expr.c | 29 -----
scripts/kconfig/expr.h | 1 -
scripts/kconfig/gconf.c | 3 +-
scripts/kconfig/menu.c | 2 -
sound/core/pcm_dmaengine.c | 26 ++++
sound/pci/hda/patch_realtek.c | 7 +
sound/soc/intel/boards/bytcr_rt5640.c | 11 ++
sound/soc/soc-generic-dmaengine-pcm.c | 8 ++
sound/soc/ti/davinci-mcasp.c | 9 +-
sound/soc/ti/omap-hdmi.c | 6 +-
tools/power/cpupower/utils/helpers/amd.c | 26 +++-
tools/testing/selftests/openat2/openat2_test.c | 1 +
tools/testing/selftests/vDSO/parse_vdso.c | 16 ++-
.../selftests/vDSO/vdso_standalone_test_x86.c | 18 ++-
87 files changed, 813 insertions(+), 319 deletions(-)
In commit 1d717123bb1a ("ALSA: firewire-lib: Avoid
-Wflex-array-member-not-at-end warning"), DEFINE_FLEX() macro was used to
handle variable length of array for header field in struct fw_iso_packet
structure. The usage of the macro has a side effect that the designated
initializer assigns the count of array to the given field. Therefore
CIP_HEADER_QUADLETS (=2) is assigned to struct fw_iso_packet.header,
while the original designated initializer assigns zero to all fields.
With CIP_NO_HEADER flag, the change causes invalid length of header in
isochronous packet for 1394 OHCI IT context. This bug affects all of
the devices supported by ALSA fireface driver; RME Fireface 400, 800, UCX,
UFX, and 802.
This commit fixes the bug by replacing it with the alternative version of
the macro, which corresponds to no initializer.
Cc: <stable(a)vger.kernel.org>
Fixes: 1d717123bb1a ("ALSA: firewire-lib: Avoid -Wflex-array-member-not-at-end warning")
Reported-by: Edmund Raile <edmund.raile(a)proton.me>
Closes: https://lore.kernel.org/r/rrufondjeynlkx2lniot26ablsltnynfaq2gnqvbiso7ds32i…
Signed-off-by: Takashi Sakamoto <o-takashi(a)sakamocchi.jp>
---
sound/firewire/amdtp-stream.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/sound/firewire/amdtp-stream.c b/sound/firewire/amdtp-stream.c
index d35d0a420ee0..1a163bbcabd7 100644
--- a/sound/firewire/amdtp-stream.c
+++ b/sound/firewire/amdtp-stream.c
@@ -1180,8 +1180,7 @@ static void process_rx_packets(struct fw_iso_context *context, u32 tstamp, size_
(void)fw_card_read_cycle_time(fw_parent_device(s->unit)->card, &curr_cycle_time);
for (i = 0; i < packets; ++i) {
- DEFINE_FLEX(struct fw_iso_packet, template, header,
- header_length, CIP_HEADER_QUADLETS);
+ DEFINE_RAW_FLEX(struct fw_iso_packet, template, header, CIP_HEADER_QUADLETS);
bool sched_irq = false;
build_it_pkt_header(s, desc->cycle, template, pkt_header_length,
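Review bot: The DEFINE_RAW_FLEX() declaration at the top of the for loop has no comment recording that the template must not start with header_length pre-set to CIP_HEADER_QUADLETS, which per the commit message is the whole reason for the change. Without one the line looks like a candidate for conversion back to DEFINE_FLEX(). Suggest a short comment above the declaration saying that the raw variant is required because CIP_NO_HEADER streams would otherwise send an invalid header length.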
--
2.43.0
This is the start of the stable review cycle for the 6.10.2 release.
There are 29 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Sat, 27 Jul 2024 14:27:16 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.10.2-rc1…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.10.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 6.10.2-rc1
Jann Horn <jannh(a)google.com>
filelock: Fix fcntl/close race recovery compat path
Takashi Iwai <tiwai(a)suse.de>
ALSA: seq: ump: Skip useless ports for static blocks
Shengjiu Wang <shengjiu.wang(a)nxp.com>
ALSA: pcm_dmaengine: Don't synchronize DMA channel when DMA is paused
Krishna Kurapati <quic_kriskura(a)quicinc.com>
arm64: dts: qcom: sm6115: Disable SS instance in Parkmode for USB
Krishna Kurapati <quic_kriskura(a)quicinc.com>
arm64: dts: qcom: sdm845: Disable SS instance in Parkmode for USB
Krishna Kurapati <quic_kriskura(a)quicinc.com>
arm64: dts: qcom: ipq8074: Disable SS instance in Parkmode for USB
Krishna Kurapati <quic_kriskura(a)quicinc.com>
arm64: dts: qcom: sdm630: Disable SS instance in Parkmode for USB
Krishna Kurapati <quic_kriskura(a)quicinc.com>
arm64: dts: qcom: ipq6018: Disable SS instance in Parkmode for USB
Krishna Kurapati <quic_kriskura(a)quicinc.com>
arm64: dts: qcom: msm8998: Disable SS instance in Parkmode for USB
Krishna Kurapati <quic_kriskura(a)quicinc.com>
arm64: dts: qcom: sm6350: Disable SS instance in Parkmode for USB
Krishna Kurapati <quic_kriskura(a)quicinc.com>
arm64: dts: qcom: msm8996: Disable SS instance in Parkmode for USB
Abel Vesa <abel.vesa(a)linaro.org>
arm64: dts: qcom: x1e80100-crd: Fix USB PHYs regulators
Abel Vesa <abel.vesa(a)linaro.org>
arm64: dts: qcom: x1e80100-qcp: Fix the PHY regulator for PCIe 6a
Abel Vesa <abel.vesa(a)linaro.org>
arm64: dts: qcom: x1e80100-crd: Fix the PHY regulator for PCIe 6a
Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org>
arm64: dts: qcom: qrb4210-rb2: switch I2C2 to i2c-gpio
Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org>
arm64: dts: qcom: qrb2210-rb1: switch I2C2 to i2c-gpio
Abel Vesa <abel.vesa(a)linaro.org>
arm64: dts: qcom: x1e80100-qcp: Fix USB PHYs regulators
Krishna Kurapati <quic_kriskura(a)quicinc.com>
arm64: dts: qcom: sc7280: Disable SuperSpeed instances in park mode
Krishna Kurapati <quic_kriskura(a)quicinc.com>
arm64: dts: qcom: sc7180: Disable SuperSpeed instances in park mode
Seunghun Han <kkamagui(a)gmail.com>
ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book Pro 360
Edson Juliano Drosdeck <edson.drosdeck(a)gmail.com>
ALSA: hda/realtek: Enable headset mic on Positivo SU C1400
Shenghao Ding <shenghao-ding(a)ti.com>
ALSA: hda/tas2781: Add new quirk for Lenovo Hera2 Laptop
Takashi Iwai <tiwai(a)suse.de>
usb: gadget: midi2: Fix incorrect default MIDI2 protocol setup
lei lu <llfamsec(a)gmail.com>
fs/ntfs3: Validate ff offset
Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com>
fs/ntfs3: Add a check for attr_names and oatbl
lei lu <llfamsec(a)gmail.com>
jfs: don't walk off the end of ealist
lei lu <llfamsec(a)gmail.com>
ocfs2: add bounds checking to ocfs2_check_dir_entry()
Gerald Schaefer <gerald.schaefer(a)linux.ibm.com>
s390/mm: Fix VM_FAULT_HWPOISON handling in do_exception()
Dan Carpenter <dan.carpenter(a)linaro.org>
drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()
-------------
Diffstat:
Makefile | 4 +--
arch/arm64/boot/dts/qcom/ipq6018.dtsi | 1 +
arch/arm64/boot/dts/qcom/ipq8074.dtsi | 2 ++
arch/arm64/boot/dts/qcom/msm8996.dtsi | 1 +
arch/arm64/boot/dts/qcom/msm8998.dtsi | 1 +
arch/arm64/boot/dts/qcom/qrb2210-rb1.dts | 13 ++++++++-
arch/arm64/boot/dts/qcom/qrb4210-rb2.dts | 13 ++++++++-
arch/arm64/boot/dts/qcom/sc7180.dtsi | 1 +
arch/arm64/boot/dts/qcom/sc7280.dtsi | 1 +
arch/arm64/boot/dts/qcom/sdm630.dtsi | 1 +
arch/arm64/boot/dts/qcom/sdm845.dtsi | 2 ++
arch/arm64/boot/dts/qcom/sm6115.dtsi | 1 +
arch/arm64/boot/dts/qcom/sm6350.dtsi | 1 +
arch/arm64/boot/dts/qcom/x1e80100-crd.dts | 17 +++++++++---
arch/arm64/boot/dts/qcom/x1e80100-qcp.dts | 17 +++++++++---
arch/s390/mm/fault.c | 3 +-
drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c | 2 +-
drivers/usb/gadget/function/f_midi2.c | 19 +++++++------
fs/jfs/xattr.c | 23 +++++++++++++---
fs/locks.c | 9 +++---
fs/ntfs3/fslog.c | 44 ++++++++++++++++++++++++-----
fs/ocfs2/dir.c | 46 +++++++++++++++++++------------
sound/core/pcm_dmaengine.c | 6 +++-
sound/core/seq/seq_ump_client.c | 16 +++++++++++
sound/pci/hda/patch_realtek.c | 3 ++
25 files changed, 191 insertions(+), 56 deletions(-)
The driver returns -ENODEV when the firmware battmgr service hasn't
started yet. While -ENODEV per se is fine, we usually use -EAGAIN to
tell the user to retry again later. And the power supply core uses
-EAGAIN when the device isn't initialized, so let's use the same return.
This notably causes an infinite spam of:
thermal thermal_zoneXX: failed to read out thermal zone (-19)
because the thermal core doesn't understand -ENODEV, but only
considers -EAGAIN as a non-fatal error.
While it didn't appear until now, commit [1] fixes the thermal core,
which no longer ignores thermal zones returning an error at first
temperature update.
[1] 5725f40698b9 ("thermal: core: Call monitor_thermal_zone() if zone temperature is invalid")
Link: https://lore.kernel.org/all/2ed4c630-204a-4f80-a37f-f2ca838eb455@linaro.org/
Cc: stable(a)vger.kernel.org
Fixes: 29e8142b5623 ("power: supply: Introduce Qualcomm PMIC GLINK power supply")
Signed-off-by: Neil Armstrong <neil.armstrong(a)linaro.org>
---
drivers/power/supply/qcom_battmgr.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/power/supply/qcom_battmgr.c b/drivers/power/supply/qcom_battmgr.c
index 46f36dcb185c..bde874b5e0e7 100644
--- a/drivers/power/supply/qcom_battmgr.c
+++ b/drivers/power/supply/qcom_battmgr.c
@@ -486,7 +486,7 @@ static int qcom_battmgr_bat_get_property(struct power_supply *psy,
int ret;
if (!battmgr->service_up)
- return -ENODEV;
+ return -EAGAIN;
if (battmgr->variant == QCOM_BATTMGR_SC8280XP)
ret = qcom_battmgr_bat_sc8280xp_update(battmgr, psp);
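Review bot: With -EAGAIN now returned from the service_up check in qcom_battmgr_bat_get_property(), nothing visible here tells a retrying caller when to give up if the firmware service never starts. Please say, in a comment at the check or in the commit message, what bounds the retry, or whether service_up can drop back to false after the service has been up once, since that case would also be reported as "try again".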
@@ -683,7 +683,7 @@ static int qcom_battmgr_ac_get_property(struct power_supply *psy,
int ret;
if (!battmgr->service_up)
- return -ENODEV;
+ return -EAGAIN;
ret = qcom_battmgr_bat_sc8280xp_update(battmgr, psp);
if (ret)
@@ -748,7 +748,7 @@ static int qcom_battmgr_usb_get_property(struct power_supply *psy,
int ret;
if (!battmgr->service_up)
- return -ENODEV;
+ return -EAGAIN;
if (battmgr->variant == QCOM_BATTMGR_SC8280XP)
ret = qcom_battmgr_bat_sc8280xp_update(battmgr, psp);
@@ -867,7 +867,7 @@ static int qcom_battmgr_wls_get_property(struct power_supply *psy,
int ret;
if (!battmgr->service_up)
- return -ENODEV;
+ return -EAGAIN;
if (battmgr->variant == QCOM_BATTMGR_SC8280XP)
ret = qcom_battmgr_bat_sc8280xp_update(battmgr, psp);
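Review bot: The check "if (!battmgr->service_up) return -EAGAIN;" now appears verbatim in four getters (bat, ac, usb and wls), and this patch had to touch every copy to change one error code. Consider a small helper that returns the not-ready error, so the value lives in one place and the four power supplies cannot diverge the next time it changes.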
---
base-commit: 91e3b24eb7d297d9d99030800ed96944b8652eaf
change-id: 20240715-topic-sm8x50-upstream-fix-battmgr-temp-tz-warn-c5a2f956d28d
Best regards,
--
Neil Armstrong <neil.armstrong(a)linaro.org>
info->max_cv is in millivolts, divide the microvolt value being written
to constant_charge_voltage by 1000 *before* clamping it to info->max_cv.
Before this fix the code always tried to set constant_charge_voltage
to max_cv / 1000 = 4 millivolt, which ends up in setting it to 4.1V
which is the lowest supported value.
Fixes: 843735b788a4 ("power: axp288_charger: axp288 charger driver")
Cc: stable(a)vger.kernel.org
Signed-off-by: Hans de Goede <hdegoede(a)redhat.com>
---
drivers/power/supply/axp288_charger.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/power/supply/axp288_charger.c b/drivers/power/supply/axp288_charger.c
index b5903193e2f9..aea17289a178 100644
--- a/drivers/power/supply/axp288_charger.c
+++ b/drivers/power/supply/axp288_charger.c
@@ -337,8 +337,8 @@ static int axp288_charger_usb_set_property(struct power_supply *psy,
}
break;
case POWER_SUPPLY_PROP_CONSTANT_CHARGE_VOLTAGE:
- scaled_val = min(val->intval, info->max_cv);
- scaled_val = DIV_ROUND_CLOSEST(scaled_val, 1000);
+ scaled_val = DIV_ROUND_CLOSEST(val->intval, 1000);
+ scaled_val = min(scaled_val, info->max_cv);
ret = axp288_charger_set_cv(info, scaled_val);
if (ret < 0) {
dev_warn(&info->pdev->dev, "set charge voltage failed\n");
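Review bot: In the POWER_SUPPLY_PROP_CONSTANT_CHARGE_VOLTAGE case nothing in the code states that val->intval is in microvolts and info->max_cv in millivolts, which is how the original min()-then-divide ordering survived unnoticed. A comment on the DIV_ROUND_CLOSEST() line naming both units would make the required ordering self-explanatory and keep the two statements from being swapped back.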
--
2.45.2
The quilt patch titled
Subject: nilfs2: handle inconsistent state in nilfs_btnode_create_block()
has been removed from the -mm tree. Its filename was
nilfs2-handle-inconsistent-state-in-nilfs_btnode_create_block.patch
This patch was dropped because it was merged into the mm-hotfixes-stable branch
of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
------------------------------------------------------
From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com>
Subject: nilfs2: handle inconsistent state in nilfs_btnode_create_block()
Date: Thu, 25 Jul 2024 14:20:07 +0900
Syzbot reported that a buffer state inconsistency was detected in
nilfs_btnode_create_block(), triggering a kernel bug.
It is not appropriate to treat this inconsistency as a bug; it can occur
if the argument block address (the buffer index of the newly created
block) is a virtual block number and has been reallocated due to
corruption of the bitmap used to manage its allocation state.
So, modify nilfs_btnode_create_block() and its callers to treat it as a
possible filesystem error, rather than triggering a kernel bug.
Link: https://lkml.kernel.org/r/20240725052007.4562-1-konishi.ryusuke@gmail.com
Fixes: a60be987d45d ("nilfs2: B-tree node cache")
Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com>
Reported-by: syzbot+89cc4f2324ed37988b60(a)syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=89cc4f2324ed37988b60
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---
fs/nilfs2/btnode.c | 25 ++++++++++++++++++++-----
fs/nilfs2/btree.c | 4 ++--
2 files changed, 22 insertions(+), 7 deletions(-)
--- a/fs/nilfs2/btnode.c~nilfs2-handle-inconsistent-state-in-nilfs_btnode_create_block
+++ a/fs/nilfs2/btnode.c
@@ -51,12 +51,21 @@ nilfs_btnode_create_block(struct address
bh = nilfs_grab_buffer(inode, btnc, blocknr, BIT(BH_NILFS_Node));
if (unlikely(!bh))
- return NULL;
+ return ERR_PTR(-ENOMEM);
if (unlikely(buffer_mapped(bh) || buffer_uptodate(bh) ||
buffer_dirty(bh))) {
- brelse(bh);
- BUG();
+ /*
+ * The block buffer at the specified new address was already
+ * in use. This can happen if it is a virtual block number
+ * and has been reallocated due to corruption of the bitmap
+ * used to manage its allocation state (if not, the buffer
+ * clearing of an abandoned b-tree node is missing somewhere).
+ */
+ nilfs_error(inode->i_sb,
+ "state inconsistency probably due to duplicate use of b-tree node block address %llu (ino=%lu)",
+ (unsigned long long)blocknr, inode->i_ino);
+ goto failed;
}
memset(bh->b_data, 0, i_blocksize(inode));
bh->b_bdev = inode->i_sb->s_bdev;
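Review bot: nilfs_btnode_create_block() now returns ERR_PTR(-ENOMEM) or ERR_PTR(-EIO) where it used to return NULL, but the hunk adds no function comment documenting the new contract, so a future caller testing "!bh" would treat an error pointer as a valid buffer. Suggest a kernel-doc block above the function listing the return values and stating that NULL is never returned.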
@@ -67,6 +76,12 @@ nilfs_btnode_create_block(struct address
folio_unlock(bh->b_folio);
folio_put(bh->b_folio);
return bh;
+
+failed:
+ folio_unlock(bh->b_folio);
+ folio_put(bh->b_folio);
+ brelse(bh);
+ return ERR_PTR(-EIO);
}
int nilfs_btnode_submit_block(struct address_space *btnc, __u64 blocknr,
@@ -217,8 +232,8 @@ retry:
}
nbh = nilfs_btnode_create_block(btnc, newkey);
- if (!nbh)
- return -ENOMEM;
+ if (IS_ERR(nbh))
+ return PTR_ERR(nbh);
BUG_ON(nbh == obh);
ctxt->newbh = nbh;
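Review bot: The "BUG_ON(nbh == obh);" left in place directly after the converted error check still crashes the kernel on an unexpected buffer state, which is the behaviour this patch removes from nilfs_btnode_create_block(). If that condition can also result from on-disk corruption it should get the same nilfs_error() and error-return treatment; if it cannot, a comment saying why would help readers of this path.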
--- a/fs/nilfs2/btree.c~nilfs2-handle-inconsistent-state-in-nilfs_btnode_create_block
+++ a/fs/nilfs2/btree.c
@@ -63,8 +63,8 @@ static int nilfs_btree_get_new_block(con
struct buffer_head *bh;
bh = nilfs_btnode_create_block(btnc, ptr);
- if (!bh)
- return -ENOMEM;
+ if (IS_ERR(bh))
+ return PTR_ERR(bh);
set_buffer_nilfs_volatile(bh);
*bhp = bh;
_
Patches currently in -mm which might be from konishi.ryusuke(a)gmail.com are
The quilt patch titled
Subject: mm/page_alloc: fix pcp->count race between drain_pages_zone() vs __rmqueue_pcplist()
has been removed from the -mm tree. Its filename was
mm-page_alloc-fix-pcp-count-race-between-drain_pages_zone-vs-__rmqueue_pcplist.patch
This patch was dropped because it was merged into the mm-hotfixes-stable branch
of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
------------------------------------------------------
From: Li Zhijian <lizhijian(a)fujitsu.com>
Subject: mm/page_alloc: fix pcp->count race between drain_pages_zone() vs __rmqueue_pcplist()
Date: Tue, 23 Jul 2024 14:44:28 +0800
It's expected that no page should be left in pcp_list after calling
zone_pcp_disable() in offline_pages(). Previously, it's observed that
offline_pages() gets stuck [1] due to some pages remaining in pcp_list.
Cause:
There is a race condition between drain_pages_zone() and __rmqueue_pcplist()
involving the pcp->count variable. See below scenario:
         CPU0                              CPU1
    ----------------                    ---------------
                                      spin_lock(&pcp->lock);
                                      __rmqueue_pcplist() {
zone_pcp_disable() {
                                        /* list is empty */
                                        if (list_empty(list)) {
                                          /* add pages to pcp_list */
                                          alloced = rmqueue_bulk()
  mutex_lock(&pcp_batch_high_lock)
  ...
  __drain_all_pages() {
    drain_pages_zone() {
      /* read pcp->count, it's 0 here */
      count = READ_ONCE(pcp->count)
      /* 0 means nothing to drain */
                                          /* update pcp->count */
                                          pcp->count += alloced << order;
                                          ...
                                      ...
                                      spin_unlock(&pcp->lock);
In this case, after calling zone_pcp_disable() though, there are still some
pages in pcp_list. And these pages in pcp_list are neither movable nor
isolated, offline_pages() gets stuck as a result.
Solution:
Expand the scope of the pcp->lock to also protect pcp->count in
drain_pages_zone(), to ensure no pages are left in the pcp list after
zone_pcp_disable()
[1] https://lore.kernel.org/linux-mm/6a07125f-e720-404c-b2f9-e55f3f166e85@fujit…
Link: https://lkml.kernel.org/r/20240723064428.1179519-1-lizhijian@fujitsu.com
Fixes: 4b23a68f9536 ("mm/page_alloc: protect PCP lists with a spinlock")
Signed-off-by: Li Zhijian <lizhijian(a)fujitsu.com>
Reported-by: Yao Xingtao <yaoxt.fnst(a)fujitsu.com>
Reviewed-by: Vlastimil Babka <vbabka(a)suse.cz>
Cc: David Hildenbrand <david(a)redhat.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---
mm/page_alloc.c | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
--- a/mm/page_alloc.c~mm-page_alloc-fix-pcp-count-race-between-drain_pages_zone-vs-__rmqueue_pcplist
+++ a/mm/page_alloc.c
@@ -2343,16 +2343,20 @@ void drain_zone_pages(struct zone *zone,
static void drain_pages_zone(unsigned int cpu, struct zone *zone)
{
struct per_cpu_pages *pcp = per_cpu_ptr(zone->per_cpu_pageset, cpu);
- int count = READ_ONCE(pcp->count);
-
- while (count) {
- int to_drain = min(count, pcp->batch << CONFIG_PCP_BATCH_SCALE_MAX);
- count -= to_drain;
+ int count;
+ do {
spin_lock(&pcp->lock);
- free_pcppages_bulk(zone, to_drain, pcp, 0);
+ count = pcp->count;
+ if (count) {
+ int to_drain = min(count,
+ pcp->batch << CONFIG_PCP_BATCH_SCALE_MAX);
+
+ free_pcppages_bulk(zone, to_drain, pcp, 0);
+ count -= to_drain;
+ }
spin_unlock(&pcp->lock);
- }
+ } while (count);
}
/*
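Review bot: The rewritten loop in drain_pages_zone() reads pcp->count only while holding pcp->lock, but no comment says that the lock is what makes the read reliable against __rmqueue_pcplist(), so the plain "count = pcp->count" looks like something that could be hoisted back out of the lock. Suggest a short comment above spin_lock() explaining that. Note also that "count -= to_drain" now only feeds the while condition, since count is reloaded from pcp->count on every pass.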
_
Patches currently in -mm which might be from lizhijian(a)fujitsu.com are
The quilt patch titled
Subject: alloc_tag: outline and export free_reserved_page()
has been removed from the -mm tree. Its filename was
alloc_tag-outline-and-export-free_reserved_page.patch
This patch was dropped because it was merged into the mm-hotfixes-stable branch
of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
------------------------------------------------------
From: Suren Baghdasaryan <surenb(a)google.com>
Subject: alloc_tag: outline and export free_reserved_page()
Date: Wed, 17 Jul 2024 14:28:44 -0700
Outline and export free_reserved_page() because modules use it and it in
turn uses page_ext_{get|put} which should not be exported. The same
result could be obtained by outlining {get|put}_page_tag_ref() but that
would have a higher performance impact as these functions are used in more
performance critical paths.
Link: https://lkml.kernel.org/r/20240717212844.2749975-1-surenb@google.com
Fixes: dcfe378c81f7 ("lib: introduce support for page allocation tagging")
Signed-off-by: Suren Baghdasaryan <surenb(a)google.com>
Reported-by: kernel test robot <lkp(a)intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202407080044.DWMC9N9I-lkp@intel.com/
Suggested-by: Christoph Hellwig <hch(a)infradead.org>
Suggested-by: Vlastimil Babka <vbabka(a)suse.cz>
Acked-by: Vlastimil Babka <vbabka(a)suse.cz>
Cc: Kees Cook <keescook(a)chromium.org>
Cc: Kent Overstreet <kent.overstreet(a)linux.dev>
Cc: Pasha Tatashin <pasha.tatashin(a)soleen.com>
Cc: Sourav Panda <souravpanda(a)google.com>
Cc: <stable(a)vger.kernel.org> [6.10]
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---
include/linux/mm.h | 16 +---------------
mm/page_alloc.c | 17 +++++++++++++++++
2 files changed, 18 insertions(+), 15 deletions(-)
--- a/include/linux/mm.h~alloc_tag-outline-and-export-free_reserved_page
+++ a/include/linux/mm.h
@@ -3130,21 +3130,7 @@ extern void reserve_bootmem_region(phys_
phys_addr_t end, int nid);
/* Free the reserved page into the buddy system, so it gets managed. */
-static inline void free_reserved_page(struct page *page)
-{
- if (mem_alloc_profiling_enabled()) {
- union codetag_ref *ref = get_page_tag_ref(page);
-
- if (ref) {
- set_codetag_empty(ref);
- put_page_tag_ref(ref);
- }
- }
- ClearPageReserved(page);
- init_page_count(page);
- __free_page(page);
- adjust_managed_page_count(page, 1);
-}
+void free_reserved_page(struct page *page);
#define free_highmem_page(page) free_reserved_page(page)
static inline void mark_page_reserved(struct page *page)
--- a/mm/page_alloc.c~alloc_tag-outline-and-export-free_reserved_page
+++ a/mm/page_alloc.c
@@ -5815,6 +5815,23 @@ unsigned long free_reserved_area(void *s
return pages;
}
+void free_reserved_page(struct page *page)
+{
+ if (mem_alloc_profiling_enabled()) {
+ union codetag_ref *ref = get_page_tag_ref(page);
+
+ if (ref) {
+ set_codetag_empty(ref);
+ put_page_tag_ref(ref);
+ }
+ }
+ ClearPageReserved(page);
+ init_page_count(page);
+ __free_page(page);
+ adjust_managed_page_count(page, 1);
+}
+EXPORT_SYMBOL(free_reserved_page);
+
static int page_alloc_cpu_dead(unsigned int cpu)
{
struct zone *zone;
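Review bot: the added block ends with a plain `EXPORT_SYMBOL(free_reserved_page);` and neither the code nor the commit message says why this is not EXPORT_SYMBOL_GPL. The function was a static inline in include/linux/mm.h before, so every module could already call it and the plain export keeps that reach, but a sentence stating that this is intentional would help. The out-of-line definition also has no comment of its own: the one-line description stays beside the prototype in mm.h, so consider moving it here or adding kernel-doc above the definition now that this is an exported interface.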
_
Patches currently in -mm which might be from surenb(a)google.com are
The quilt patch titled
Subject: decompress_bunzip2: fix rare decompression failure
has been removed from the -mm tree. Its filename was
decompress_bunzip2-fix-rare-decompression-failure.patch
This patch was dropped because it was merged into the mm-hotfixes-stable branch
of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
------------------------------------------------------
From: Ross Lagerwall <ross.lagerwall(a)citrix.com>
Subject: decompress_bunzip2: fix rare decompression failure
Date: Wed, 17 Jul 2024 17:20:16 +0100
The decompression code parses a Huffman tree and counts the number of
symbols for a given bit length. In rare cases, there may be >= 256
symbols with a given bit length, causing the unsigned char to overflow.
This causes a decompression failure later when the code tries and fails to
find the bit length for a given symbol.
Since the maximum number of symbols is 258, use unsigned short instead.
Link: https://lkml.kernel.org/r/20240717162016.1514077-1-ross.lagerwall@citrix.com
Fixes: bc22c17e12c1 ("bzip2/lzma: library support for gzip, bzip2 and lzma decompression")
Signed-off-by: Ross Lagerwall <ross.lagerwall(a)citrix.com>
Cc: Alain Knaff <alain(a)knaff.lu>
Cc: "H. Peter Anvin" <hpa(a)zytor.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---
lib/decompress_bunzip2.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/lib/decompress_bunzip2.c~decompress_bunzip2-fix-rare-decompression-failure
+++ a/lib/decompress_bunzip2.c
@@ -232,7 +232,8 @@ static int INIT get_next_block(struct bu
RUNB) */
symCount = symTotal+2;
for (j = 0; j < groupCount; j++) {
- unsigned char length[MAX_SYMBOLS], temp[MAX_HUFCODE_BITS+1];
+ unsigned char length[MAX_SYMBOLS];
+ unsigned short temp[MAX_HUFCODE_BITS+1];
int minLen, maxLen, pp;
/* Read Huffman code lengths for each symbol. They're
stored in a way similar to mtf; record a starting
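Review bot: the new `unsigned short temp[MAX_HUFCODE_BITS+1];` declaration has no comment recording why it must be wider than a byte, so the two arrays could easily be merged back into one `unsigned char` line in a later tidy-up. A short comment at the declaration, saying that temp[] counts symbols per bit length and that the count can reach the 258-symbol maximum named in the commit message, would guard against that. Leaving `length[MAX_SYMBOLS]` as unsigned char looks right, since per the context comment it holds code lengths rather than counts.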
_
Patches currently in -mm which might be from ross.lagerwall(a)citrix.com are