February 2025 - Linux-stable-mirror

[PATCH] ax25: Fix refcount leak caused by setting SO_BINDTODEVICE sockopt

by Murad Masimov

If an AX25 device is bound to a socket by setting the SO_BINDTODEVICE socket option, a refcount leak will occur in ax25_release(). Commit 9fd75b66b8f6 ("ax25: Fix refcount leaks caused by ax25_cb_del()") added decrement of device refcounts in ax25_release(). In order for that to work correctly the refcounts must already be incremented when the device is bound to the socket. An AX25 device can be bound to a socket by either calling ax25_bind() or setting SO_BINDTODEVICE socket option. In both cases the refcounts should be incremented, but in fact it is done only in ax25_bind(). This bug leads to the following issue reported by Syzkaller: ================================================================ refcount_t: decrement hit 0; leaking memory. WARNING: CPU: 1 PID: 5932 at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210 lib/refcount.c:31 Modules linked in: CPU: 1 UID: 0 PID: 5932 Comm: syz-executor424 Not tainted 6.13.0-rc4-syzkaller-00110-g4099a71718b0 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:refcount_warn_saturate+0x1ed/0x210 lib/refcount.c:31 Call Trace: <TASK> __refcount_dec include/linux/refcount.h:336 [inline] refcount_dec include/linux/refcount.h:351 [inline] ref_tracker_free+0x710/0x820 lib/ref_tracker.c:236 netdev_tracker_free include/linux/netdevice.h:4156 [inline] netdev_put include/linux/netdevice.h:4173 [inline] netdev_put include/linux/netdevice.h:4169 [inline] ax25_release+0x33f/0xa10 net/ax25/af_ax25.c:1069 __sock_release+0xb0/0x270 net/socket.c:640 sock_close+0x1c/0x30 net/socket.c:1408 ... do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f ... </TASK> ================================================================ Fix the implementation of ax25_setsockopt() by adding increment of refcounts for the new device bound, and decrement of refcounts for the old unbound device. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: 9fd75b66b8f6 ("ax25: Fix refcount leaks caused by ax25_cb_del()") Cc: stable(a)vger.kernel.org Reported-by: syzbot+33841dc6aa3e1d86b78a(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=33841dc6aa3e1d86b78a Signed-off-by: Murad Masimov <m.masimov(a)mt-integration.ru> --- net/ax25/af_ax25.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index aa6c714892ec..9f3b8b682adb 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -685,6 +685,15 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname, break; } + if (ax25->ax25_dev) { + if (dev == ax25->ax25_dev->dev) { + rcu_read_unlock(); + break; + } + netdev_put(ax25->ax25_dev->dev, &ax25->dev_tracker); + ax25_dev_put(ax25->ax25_dev); + } + ax25->ax25_dev = ax25_dev_ax25dev(dev); if (!ax25->ax25_dev) { rcu_read_unlock(); @@ -692,6 +701,8 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname, break; } ax25_fillin_cb(ax25, ax25->ax25_dev); + netdev_hold(dev, &ax25->dev_tracker, GFP_ATOMIC); + ax25_dev_hold(ax25->ax25_dev); rcu_read_unlock(); break; -- 2.39.2

5 months, 3 weeks

1
0
0 0

[PATCH v2] arm64: dts: rockchip: Fix broken tsadc pinctrl names for rk3588

by Alexander Shiyan

The tsadc driver does not handle pinctrl "gpio" and "otpout". Let's use the correct pinctrl names "default" and "sleep". Additionally, Alexey Charkov's testing [1] has established that it is necessary for pinctrl state to reference the &tsadc_shut_org configuration rather than &tsadc_shut for the driver to function correctly. [1] https://lkml.org/lkml/2025/1/24/966 Fixes: 32641b8ab1a5 ("arm64: dts: rockchip: add rk3588 thermal sensor") Cc: stable(a)vger.kernel.org Reviewed-by: Dragan Simic <dsimic(a)manjaro.org> Signed-off-by: Alexander Shiyan <eagle.alexander923(a)gmail.com> --- arch/arm64/boot/dts/rockchip/rk3588-base.dtsi | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/arch/arm64/boot/dts/rockchip/rk3588-base.dtsi b/arch/arm64/boot/dts/rockchip/rk3588-base.dtsi index 8cfa30837ce7..978de506d434 100644 --- a/arch/arm64/boot/dts/rockchip/rk3588-base.dtsi +++ b/arch/arm64/boot/dts/rockchip/rk3588-base.dtsi @@ -2668,9 +2668,9 @@ tsadc: tsadc@fec00000 { rockchip,hw-tshut-temp = <120000>; rockchip,hw-tshut-mode = <0>; /* tshut mode 0:CRU 1:GPIO */ rockchip,hw-tshut-polarity = <0>; /* tshut polarity 0:LOW 1:HIGH */ - pinctrl-0 = <&tsadc_gpio_func>; - pinctrl-1 = <&tsadc_shut>; - pinctrl-names = "gpio", "otpout"; + pinctrl-0 = <&tsadc_shut_org>; + pinctrl-1 = <&tsadc_gpio_func>; + pinctrl-names = "default", "sleep"; #thermal-sensor-cells = <1>; status = "disabled"; }; -- 2.39.1

5 months, 3 weeks

2
1
0 0

[PATCH] arm64: dts: rockchip: change eth phy mode to rgmii-id for orangepi r1 plus lts

by Tianling Shen

In general the delay should be added by the PHY instead of the MAC, and this improves network stability on some boards which seem to need different delay. Fixes: 387b3bbac5ea ("arm64: dts: rockchip: Add Xunlong OrangePi R1 Plus LTS") Cc: stable(a)vger.kernel.org # 6.6+ Signed-off-by: Tianling Shen <cnsztl(a)gmail.com> --- arch/arm64/boot/dts/rockchip/rk3328-orangepi-r1-plus-lts.dts | 3 +-- arch/arm64/boot/dts/rockchip/rk3328-orangepi-r1-plus.dts | 1 + arch/arm64/boot/dts/rockchip/rk3328-orangepi-r1-plus.dtsi | 1 - 3 files changed, 2 insertions(+), 3 deletions(-) diff --git a/arch/arm64/boot/dts/rockchip/rk3328-orangepi-r1-plus-lts.dts b/arch/arm64/boot/dts/rockchip/rk3328-orangepi-r1-plus-lts.dts index 67c246ad8b8c..ec2ce894da1f 100644 --- a/arch/arm64/boot/dts/rockchip/rk3328-orangepi-r1-plus-lts.dts +++ b/arch/arm64/boot/dts/rockchip/rk3328-orangepi-r1-plus-lts.dts @@ -17,8 +17,7 @@ / { &gmac2io { phy-handle = <&yt8531c>; - tx_delay = <0x19>; - rx_delay = <0x05>; + phy-mode = "rgmii-id"; status = "okay"; mdio { diff --git a/arch/arm64/boot/dts/rockchip/rk3328-orangepi-r1-plus.dts b/arch/arm64/boot/dts/rockchip/rk3328-orangepi-r1-plus.dts index 324a8e951f7e..846b931e16d2 100644 --- a/arch/arm64/boot/dts/rockchip/rk3328-orangepi-r1-plus.dts +++ b/arch/arm64/boot/dts/rockchip/rk3328-orangepi-r1-plus.dts @@ -15,6 +15,7 @@ / { &gmac2io { phy-handle = <&rtl8211e>; + phy-mode = "rgmii"; tx_delay = <0x24>; rx_delay = <0x18>; status = "okay"; diff --git a/arch/arm64/boot/dts/rockchip/rk3328-orangepi-r1-plus.dtsi b/arch/arm64/boot/dts/rockchip/rk3328-orangepi-r1-plus.dtsi index 4f193704e5dc..09508e324a28 100644 --- a/arch/arm64/boot/dts/rockchip/rk3328-orangepi-r1-plus.dtsi +++ b/arch/arm64/boot/dts/rockchip/rk3328-orangepi-r1-plus.dtsi @@ -109,7 +109,6 @@ &gmac2io { assigned-clocks = <&cru SCLK_MAC2IO>, <&cru SCLK_MAC2IO_EXT>; assigned-clock-parents = <&gmac_clk>, <&gmac_clk>; clock_in_out = "input"; - phy-mode = "rgmii"; phy-supply = <&vcc_io>; pinctrl-0 = <&rgmiim1_pins>; pinctrl-names = "default"; -- 2.48.1

5 months, 3 weeks

4
10
0 0

[PATCH v2 3/3] misc: pci_endpoint_test: Fix irq_type to convey the correct type

by Kunihiko Hayashi

There are two variables that indicate the interrupt type to be used in the next test execution, "irq_type" as global and test->irq_type. The global is referenced from pci_endpoint_test_get_irq() to preserve the current type for ioctl(PCITEST_GET_IRQTYPE). The type set in this function isn't reflected in the global "irq_type", so ioctl(PCITEST_GET_IRQTYPE) returns the previous type. As a result, the wrong type will be displayed in "pcitest" as follows: # pcitest -i 0 SET IRQ TYPE TO LEGACY: OKAY # pcitest -I GET IRQ TYPE: MSI Fix this issue by propagating the current type to the global "irq_type". Cc: stable(a)vger.kernel.org Fixes: b2ba9225e031 ("misc: pci_endpoint_test: Avoid using module parameter to determine irqtype") Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko(a)socionext.com> --- drivers/misc/pci_endpoint_test.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/misc/pci_endpoint_test.c b/drivers/misc/pci_endpoint_test.c index a342587fc78a..33058630cd50 100644 --- a/drivers/misc/pci_endpoint_test.c +++ b/drivers/misc/pci_endpoint_test.c @@ -742,6 +742,7 @@ static bool pci_endpoint_test_set_irq(struct pci_endpoint_test *test, if (!pci_endpoint_test_request_irq(test)) goto err; + irq_type = test->irq_type; return true; err: -- 2.25.1

5 months, 3 weeks

3
8
0 0

[PATCH] mm,madvise,hugetlb: check for 0-length range after end address adjustment

by Ricardo Cañuelo Navarro

Add a sanity check to madvise_dontneed_free() to address a corner case in madvise where a race condition causes the current vma being processed to be backed by a different page size. During a madvise(MADV_DONTNEED) call on a memory region registered with a userfaultfd, there's a period of time where the process mm lock is temporarily released in order to send a UFFD_EVENT_REMOVE and let userspace handle the event. During this time, the vma covering the current address range may change due to an explicit mmap done concurrently by another thread. If, after that change, the memory region, which was originally backed by 4KB pages, is now backed by hugepages, the end address is rounded down to a hugepage boundary to avoid data loss (see "Fixes" below). This rounding may cause the end address to be truncated to the same address as the start. Make this corner case follow the same semantics as in other similar cases where the requested region has zero length (ie. return 0). This will make madvise_walk_vmas() continue to the next vma in the range (this time holding the process mm lock) which, due to the prev pointer becoming stale because of the vma change, will be the same hugepage-backed vma that was just checked before. The next time madvise_dontneed_free() runs for this vma, if the start address isn't aligned to a hugepage boundary, it'll return -EINVAL, which is also in line with the madvise api. From userspace perspective, madvise() will return EINVAL because the start address isn't aligned according to the new vma alignment requirements (hugepage), even though it was correctly page-aligned when the call was issued. Fixes: 8ebe0a5eaaeb ("mm,madvise,hugetlb: fix unexpected data loss with MADV_DONTNEED on hugetlbfs") Cc: stable(a)vger.kernel.org Signed-off-by: Ricardo Cañuelo Navarro <rcn(a)igalia.com> --- mm/madvise.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/mm/madvise.c b/mm/madvise.c index 49f3a75046f6..c8e28d51978a 100644 --- a/mm/madvise.c +++ b/mm/madvise.c @@ -933,7 +933,9 @@ static long madvise_dontneed_free(struct vm_area_struct *vma, */ end = vma->vm_end; } - VM_WARN_ON(start >= end); + if (start == end) + return 0; + VM_WARN_ON(start > end); } if (behavior == MADV_DONTNEED || behavior == MADV_DONTNEED_LOCKED) -- 2.48.1

5 months, 3 weeks

2
3
0 0

[PATCH v3 6/6] ima: Reset IMA_NONACTION_RULE_FLAGS after post_setattr

by Roberto Sassu

From: Roberto Sassu <roberto.sassu(a)huawei.com> Commit 11c60f23ed13 ("integrity: Remove unused macro IMA_ACTION_RULE_FLAGS") removed the IMA_ACTION_RULE_FLAGS mask, due to it not being used after commit 0d73a55208e9 ("ima: re-introduce own integrity cache lock"). However, it seems that the latter commit mistakenly used the wrong mask when moving the code from ima_inode_post_setattr() to process_measurement(). There is no mention in the commit message about this change and it looks quite important, since changing from IMA_ACTIONS_FLAGS (later renamed to IMA_NONACTION_FLAGS) to IMA_ACTION_RULE_FLAGS was done by commit 42a4c603198f0 ("ima: fix ima_inode_post_setattr"). Restore the original change of resetting only the policy-specific flags and not the new file status, but with new mask 0xfb000000 since the policy-specific flags changed meanwhile. Also rename IMA_ACTION_RULE_FLAGS to IMA_NONACTION_RULE_FLAGS, to be consistent with IMA_NONACTION_FLAGS. Cc: stable(a)vger.kernel.org # v4.16.x Fixes: 11c60f23ed13 ("integrity: Remove unused macro IMA_ACTION_RULE_FLAGS") Reviewed-by: Mimi Zohar <zohar(a)linux.ibm.com> Signed-off-by: Roberto Sassu <roberto.sassu(a)huawei.com> --- security/integrity/ima/ima.h | 1 + security/integrity/ima/ima_main.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index e1a3d1239bee..615900d4150d 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -141,6 +141,7 @@ struct ima_kexec_hdr { /* IMA iint policy rule cache flags */ #define IMA_NONACTION_FLAGS 0xff000000 +#define IMA_NONACTION_RULE_FLAGS 0xfb000000 #define IMA_DIGSIG_REQUIRED 0x01000000 #define IMA_PERMIT_DIRECTIO 0x02000000 #define IMA_NEW_FILE 0x04000000 diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 46adfd524dd8..7173dca20c23 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -275,7 +275,7 @@ static int process_measurement(struct file *file, const struct cred *cred, /* reset appraisal flags if ima_inode_post_setattr was called */ iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED | IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK | - IMA_NONACTION_FLAGS); + IMA_NONACTION_RULE_FLAGS); /* * Re-evaulate the file if either the xattr has changed or the -- 2.34.1

5 months, 3 weeks

2
1
0 0

Re: TCP Fast Retransmission Issue

by Ahmed, Shehab Sarar

Hello Christian, It will cause problems for real applications if the specific event happens, but that happens with a very low probability. It's more an issue that can be resolved at the author's convenience, but I would be comfortable if the issue I discovered is acknowledged at least, if not addressed. Thanks Shehab ________________________________________ From: Ahmed, Shehab Sarar <shehaba2(a)illinois.edu> Sent: Sunday, February 2, 2025 6:10 PM To: Christian Heusel Cc: stable(a)vger.kernel.org; regressions(a)lists.linux.dev Subject: Re: TCP Fast Retransmission Issue Hello Christian, It will cause problems for real applications if the specific event happens, but that happens with a very low probability. It's more an issue that can be resolved at the author's convenience, but I would be comfortable if the issue I discovered is acknowledged at least, if not addressed. Thanks Shehab ________________________________ From: Christian Heusel Sent: Sunday, February 2, 2025 3:26 AM To: Ahmed, Shehab Sarar Cc: stable(a)vger.kernel.org; regressions(a)lists.linux.dev Subject: Re: TCP Fast Retransmission Issue On 25/02/02 10:26AM, Christian Heusel wrote: > On 25/02/01 07:09PM, Ahmed, Shehab Sarar wrote: > > Hello, > > Hello, > > > While experimenting with bbr protocol, I manipulated the network conditions by maintaining a high RTT for about one second before abruptly reducing it. Some packets sent during the high RTT phase experienced long delays in reaching the destination, while later packets, benefiting from the lower RTT, arrived earlier. This out-of-order arrival triggered the receiver to generate duplicate acknowledgments (dup ACKs). Due to the low RTT, these dup ACKs quickly reached the sender. Upon receiving three dup ACKs, the sender initiated a fast retransmission for an earlier packet that was not lost but was simply taking longer to arrive. Interestingly, despite the fast-retransmitted packet experienced a lower RTT, the original delayed packet still arrived first. When the receiver received this packet, it sent an ACK for the next packet in sequence. However, upon later receiving the fast-retransmitted packet, an issue arose in its logic for updating the acknowledgment number. As a result, even after the next expected packet was received, the acknowledgment number was not updated correctly. The receiver continued sending dup ACKs, ultimately forcing bbr into the retransmission timeout (RTO) phase. > > > > I generated this issue in linux kernel version 5.15.0-117-generic with Ubuntu 20.04. I attempted to confirm whether the issue persists with the latest Linux kernel. However, I discovered that the behavior of bbr has changed in the most recent kernel version, where it now sends chunks of packets instead of sending them one by one over time. As a result, I was unable to reproduce the specific sequence of events that triggered the bug we identified. Consequently, I could not confirm whether the bug still exists in the latest kernel. > > > > I believe that the issue (if still exists) will have to be resolved in the location net/ipv4/tcp_input.c or something like that. There are so many authors here that I do not know who to CC here. So, sending this email to you. Sorry if this is not the best way to report this issue. > > does this cause problems for real applications? To me it sounds a bit > like a constructed issue, but I'm also not really proficient about the > stack mentioned about :p > > I'm asking because this is important for how we treat this report, see > the "Reporting Regression"[0] document for more details on what we > consider to be an regression. > > > Thanks > > Shehab > > Cheers, > Christian (forgot the link) [0]: https://docs.kernel.org/admin-guide/reporting-regressions.html#what-is-a-re…

5 months, 3 weeks

1
0
0 0

[PATCH] net/sctp: Prevent autoclose integer overflow in sctp_association_init()

by Nikolay Kuratov

While by default max_autoclose equals to INT_MAX / HZ, one may set net.sctp.max_autoclose to UINT_MAX. There is code in sctp_association_init() that can consequently trigger overflow. Cc: stable(a)vger.kernel.org Fixes: 9f70f46bd4c7 ("sctp: properly latch and use autoclose value from sock to association") Signed-off-by: Nikolay Kuratov <kniv(a)yandex-team.ru> --- net/sctp/associola.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/sctp/associola.c b/net/sctp/associola.c index c45c192b7878..0b0794f164cf 100644 --- a/net/sctp/associola.c +++ b/net/sctp/associola.c @@ -137,7 +137,8 @@ static struct sctp_association *sctp_association_init( = 5 * asoc->rto_max; asoc->timeouts[SCTP_EVENT_TIMEOUT_SACK] = asoc->sackdelay; - asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE] = sp->autoclose * HZ; + asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE] = + (unsigned long)sp->autoclose * HZ; /* Initializes the timers */ for (i = SCTP_EVENT_TIMEOUT_NONE; i < SCTP_NUM_TIMEOUT_TYPES; ++i) -- 2.34.1

5 months, 3 weeks

5
4
0 0

Re: Patch "ARM: dts: aspeed: yosemite4: correct the compatible string for max31790" has been added to the 6.13-stable tree

by Krzysztof Kozlowski

On 02/02/2025 05:23, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > ARM: dts: aspeed: yosemite4: correct the compatible string for max31790 > > to the 6.13-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > arm-dts-aspeed-yosemite4-correct-the-compatible-stri.patch > and it can be found in the queue-6.13 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. > > > > commit 64b29da76fb21bbb955e262461996d37865d4ae9 > Author: Ricky CX Wu <ricky.cx.wu.wiwynn(a)gmail.com> > Date: Thu Oct 3 15:42:46 2024 +0800 > > ARM: dts: aspeed: yosemite4: correct the compatible string for max31790 > > [ Upstream commit b1a1ecb669bfa763ee5e86a038d7c9363eee7548 ] > > Fix the compatible string for max31790 to match the binding document. > > Fixes: 2b8d94f4b4a4 ("ARM: dts: aspeed: yosemite4: add Facebook Yosemite 4 BMC") > Signed-off-by: Ricky CX Wu <ricky.cx.wu.wiwynn(a)gmail.com> > Signed-off-by: Delphine CC Chiu <Delphine_CC_Chiu(a)wiwynn.com> > Link: https://patch.msgid.link/20241003074251.3818101-6-Delphine_CC_Chiu@wiwynn.c… > Signed-off-by: Andrew Jeffery <andrew(a)codeconstruct.com.au> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> Sasha, something got broken in your scripts. I received today huge flood (100? 200?) of such stable confirmations, but I am not listed above at all. No tags came here from me, so why I am Cc-ed on all this? Best regards, Krzysztof

5 months, 3 weeks

1
0
0 0

[PATCH v2] seccomp: passthrough uretprobe systemcall without filtering

by Eyal Birger

When attaching uretprobes to processes running inside docker, the attached process is segfaulted when encountering the retprobe. The reason is that now that uretprobe is a system call the default seccomp filters in docker block it as they only allow a specific set of known syscalls. This is true for other userspace applications which use seccomp to control their syscall surface. Since uretprobe is a "kernel implementation detail" system call which is not used by userspace application code directly, it is impractical and there's very little point in forcing all userspace applications to explicitly allow it in order to avoid crashing tracked processes. Pass this systemcall through seccomp without depending on configuration. Note: uretprobe isn't supported in i386 and __NR_ia32_rt_tgsigqueueinfo uses the same number as __NR_uretprobe so the syscall isn't forced in the compat bitmap. Fixes: ff474a78cef5 ("uprobe: Add uretprobe syscall to speed up return probe") Reported-by: Rafael Buchbinder <rafi(a)rbk.io> Link: https://lore.kernel.org/lkml/CAHsH6Gs3Eh8DFU0wq58c_LF8A4_+o6z456J7BidmcVY2A… Link: https://lore.kernel.org/lkml/20250121182939.33d05470@gandalf.local.home/T/#… Cc: stable(a)vger.kernel.org Signed-off-by: Eyal Birger <eyal.birger(a)gmail.com> --- v2: use action_cache bitmap and mode1 array to check the syscall The following reproduction script synthetically demonstrates the problem for seccomp filters: cat > /tmp/x.c << EOF char *syscalls[] = { "write", "exit_group", "fstat", }; __attribute__((noinline)) int probed(void) { printf("Probed\n"); return 1; } void apply_seccomp_filter(char **syscalls, int num_syscalls) { scmp_filter_ctx ctx; ctx = seccomp_init(SCMP_ACT_KILL); for (int i = 0; i < num_syscalls; i++) { seccomp_rule_add(ctx, SCMP_ACT_ALLOW, seccomp_syscall_resolve_name(syscalls[i]), 0); } seccomp_load(ctx); seccomp_release(ctx); } int main(int argc, char *argv[]) { int num_syscalls = sizeof(syscalls) / sizeof(syscalls[0]); apply_seccomp_filter(syscalls, num_syscalls); probed(); return 0; } EOF cat > /tmp/trace.bt << EOF uretprobe:/tmp/x:probed { printf("ret=%d\n", retval); } EOF gcc -o /tmp/x /tmp/x.c -lseccomp /usr/bin/bpftrace /tmp/trace.bt & sleep 5 # wait for uretprobe attach /tmp/x pkill bpftrace rm /tmp/x /tmp/x.c /tmp/trace.bt --- kernel/seccomp.c | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 385d48293a5f..23b594a68bc0 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -734,13 +734,13 @@ seccomp_prepare_user_filter(const char __user *user_filter) #ifdef SECCOMP_ARCH_NATIVE /** - * seccomp_is_const_allow - check if filter is constant allow with given data + * seccomp_is_filter_const_allow - check if filter is constant allow with given data * @fprog: The BPF programs * @sd: The seccomp data to check against, only syscall number and arch * number are considered constant. */ -static bool seccomp_is_const_allow(struct sock_fprog_kern *fprog, - struct seccomp_data *sd) +static bool seccomp_is_filter_const_allow(struct sock_fprog_kern *fprog, + struct seccomp_data *sd) { unsigned int reg_value = 0; unsigned int pc; @@ -812,6 +812,21 @@ static bool seccomp_is_const_allow(struct sock_fprog_kern *fprog, return false; } +static bool seccomp_is_const_allow(struct sock_fprog_kern *fprog, + struct seccomp_data *sd) +{ +#ifdef __NR_uretprobe + if (sd->nr == __NR_uretprobe +#ifdef SECCOMP_ARCH_COMPAT + && sd->arch != SECCOMP_ARCH_COMPAT +#endif + ) + return true; +#endif + + return seccomp_is_filter_const_allow(fprog, sd); +} + static void seccomp_cache_prepare_bitmap(struct seccomp_filter *sfilter, void *bitmap, const void *bitmap_prev, size_t bitmap_size, int arch) @@ -1023,6 +1038,9 @@ static inline void seccomp_log(unsigned long syscall, long signr, u32 action, */ static const int mode1_syscalls[] = { __NR_seccomp_read, __NR_seccomp_write, __NR_seccomp_exit, __NR_seccomp_sigreturn, +#ifdef __NR_uretprobe + __NR_uretprobe, +#endif -1, /* negative terminated */ }; -- 2.43.0

5 months, 3 weeks

5
14
0 0

[PATCH 5.4 00/94] 5.4.290-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.4.290 release. There are 94 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sun, 02 Feb 2025 11:20:53 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.290-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.4.290-rc2 Ron Economos <re(a)w6rz.net> Partial revert of xhci: use pm_ptr() instead #ifdef for CONFIG_PM conditionals Arnd Bergmann <arnd(a)arndb.de> xhci: use pm_ptr() instead of #ifdef for CONFIG_PM conditionals Maíra Canal <mcanal(a)igalia.com> drm/v3d: Assign job pointer to NULL before signaling the fence Jack Greiner <jack(a)emoss.org> Input: xpad - add support for wooting two he (arm) Nilton Perim Neto <niltonperimneto(a)gmail.com> Input: xpad - add unofficial Xbox 360 wireless receiver clone Mark Pearson <mpearson-lenovo(a)squebb.ca> Input: atkbd - map F23 key to support default copilot shortcut Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null" Qasim Ijaz <qasdev00(a)gmail.com> USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb() Baokun Li <libaokun1(a)huawei.com> ext4: fix slab-use-after-free in ext4_split_extent_at() Theodore Ts'o <tytso(a)mit.edu> ext4: avoid ext4_error()'s caused by ENOMEM in the truncate path Alex Williamson <alex.williamson(a)redhat.com> vfio/platform: check the bounds of read/write syscalls Jeongjun Park <aha310510(a)gmail.com> net/xen-netback: prevent UAF in xenvif_flush_hash() Madhuparna Bhowmik <madhuparnabhowmik04(a)gmail.com> net: xen-netback: hash.c: Use built-in RCU list checking Eric W. Biederman <ebiederm(a)xmission.com> signal/m68k: Use force_sigsegv(SIGSEGV) in fpsp040_die Liam Howlett <liam.howlett(a)oracle.com> m68k: Add missing mmap_read_lock() to sys_cacheflush() Al Viro <viro(a)zeniv.linux.org.uk> m68k: Update ->thread.esp0 before calling syscall_trace() in ret_from_signal Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag Philippe Simons <simons.philippe(a)gmail.com> irqchip/sunxi-nmi: Add missing SKIP_WAKE flag Xiang Zhang <hawkxiang.cpp(a)gmail.com> scsi: iscsi: Fix redundant response for ISCSI_UEVENT_GET_HOST_STATS request Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: wm8994: Add depends on MFD core Wang Liang <wangliang74(a)huawei.com> net: fix data-races around sk->sk_forward_alloc Suraj Sonawane <surajsonawane0215(a)gmail.com> scsi: sg: Fix slab-use-after-free read in sg_release() Eric Dumazet <edumazet(a)google.com> ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev() Koichiro Den <koichiro.den(a)canonical.com> hrtimers: Handle CPU state correctly on hotplug Yogesh Lal <quic_ylal(a)quicinc.com> irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly Rik van Riel <riel(a)surriel.com> fs/proc: fix softlockup in __read_vmcore (part 2) Heiner Kallweit <hkallweit1(a)gmail.com> net: ethernet: xgbe: re-add aneg to supported features in PHY quirks Luis Chamberlain <mcgrof(a)kernel.org> nvmet: propagate npwg topology Oleg Nesterov <oleg(a)redhat.com> poll_wait: add mb() to fix theoretical race between waitqueue_active() and .poll() David Howells <dhowells(a)redhat.com> kheaders: Ignore silly-rename files Leo Stone <leocstone(a)gmail.com> hfs: Sanity check the root record Lizhi Xu <lizhi.xu(a)windriver.com> mac802154: check local interfaces before deleting sdata list Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: mux: demux-pinctrl: check initial mux selection, too Maíra Canal <mcanal(a)igalia.com> drm/v3d: Ensure job pointer is set to NULL after job completion Dan Carpenter <dan.carpenter(a)linaro.org> nfp: bpf: prevent integer overflow in nfp_bpf_event_output() Kuniyuki Iwashima <kuniyu(a)amazon.com> gtp: Destroy device along with udp socket's netns dismantle. Kuniyuki Iwashima <kuniyu(a)amazon.com> gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp(). Eric Dumazet <edumazet(a)google.com> gtp: use exit_batch_rtnl() method Eric Dumazet <edumazet(a)google.com> net: add exit_batch_rtnl() method Yajun Deng <yajun.deng(a)linux.dev> net: net_namespace: Optimize the code Sudheer Kumar Doredla <s-doredla(a)ti.com> net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field() Anup Patel <anup.patel(a)wdc.com> RISC-V: Don't enable all interrupts in trap_init() Paul Walmsley <paul.walmsley(a)sifive.com> riscv: prefix IRQ_ macro names with an RV_ namespace Nam Cao <namcao(a)linutronix.de> riscv: Fix sleeping in invalid context in die() Mattias Nissler <mnissler(a)rivosinc.com> riscv: Avoid enabling interrupts in die() Palmer Dabbelt <palmer(a)rivosinc.com> RISC-V: Avoid dereferening NULL regs in die() Rouven Czerwinski <rouven(a)czerwinskis.de> riscv: remove unused handle_exception symbol Christoph Hellwig <hch(a)lst.de> riscv: abstract out CSR names for supervisor vs machine mode Matthieu Baerts (NGI0) <matttbe(a)kernel.org> sctp: sysctl: rto_min/max: avoid using current->nsproxy Dennis Lam <dennis.lamerice(a)gmail.com> ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv Joseph Qi <joseph.qi(a)linux.alibaba.com> ocfs2: correct return value of ocfs2_local_free_info() Zijun Hu <quic_zijuhu(a)quicinc.com> phy: core: Fix that API devm_of_phy_provider_unregister() fails to unregister the phy provider Vinod Koul <vkoul(a)kernel.org> phy: core: fix code style in devm_of_phy_provider_unregister Peter Geis <pgwipeout(a)gmail.com> arm64: dts: rockchip: add hevc power domain clock to rk3328 Johan Jonker <jbx6244(a)gmail.com> arm64: dts: rockchip: add #power-domain-cells to power domain nodes Johan Jonker <jbx6244(a)gmail.com> arm64: dts: rockchip: fix pd_tcpc0 and pd_tcpc1 node position on rk3399 Johan Jonker <jbx6244(a)gmail.com> arm64: dts: rockchip: fix defines in pd_vio node for rk3399 Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> iio: inkern: call iio_device_put() only on mapped devices Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> iio: adc: at91: call input_free_device() on allocated iio_dev Fabio Estevam <festevam(a)gmail.com> iio: adc: ti-ads124s08: Use gpiod_set_value_cansleep() Carlos Song <carlos.song(a)nxp.com> iio: gyro: fxas21002c: Fix missing data update in trigger handler Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: adc: ti-ads8688: fix information leak in triggered buffer Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: imu: kmx61: fix information leak in triggered buffer Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: light: vcnl4035: fix information leak in triggered buffer Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered buffer Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: pressure: zpa2326: fix information leak in triggered buffer Akash M <akash.m5(a)samsung.com> usb: gadget: f_fs: Remove WARN_ON in functionfs_bind Ma Ke <make_ruc2021(a)163.com> usb: fix reference leak in usb_new_device() Kai-Heng Feng <kaihengf(a)nvidia.com> USB: core: Disable LPM only for non-suspended ports Jun Yan <jerrysteve1101(a)gmail.com> USB: usblp: return error when setting unsupported protocol Lianqin Hu <hulianqin(a)vivo.com> usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null Johan Hovold <johan(a)kernel.org> USB: serial: cp210x: add Phoenix Contact UPS Device Lubomir Rintel <lrintel(a)redhat.com> usb-storage: Add max sectors quirk for Nokia 208 Zicheng Qu <quzicheng(a)huawei.com> staging: iio: ad9832: Correct phase range check Zicheng Qu <quzicheng(a)huawei.com> staging: iio: ad9834: Correct phase range check Michal Hrusecky <michal.hrusecky(a)turris.com> USB: serial: option: add Neoway N723-EA support Chukun Pan <amadeus(a)jmu.edu.cn> USB: serial: option: add MeiG Smart SRM815 Melissa Wen <mwen(a)igalia.com> drm/amd/display: increase MAX_SURFACES to the value supported by hw Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[] Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: Add TongFang GM5HG0A to irq1_edge_low_force_override[] Roman Li <Roman.Li(a)amd.com> drm/amd/display: Add check for granularity in dml ceil/floor helpers Matthieu Baerts (NGI0) <matttbe(a)kernel.org> sctp: sysctl: auth_enable: avoid using current->nsproxy Matthieu Baerts (NGI0) <matttbe(a)kernel.org> sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy Krister Johansen <kjlx(a)templeofstupid.com> dm thin: make get_first_thin use rcu-safe list first function Benjamin Coddington <bcodding(a)redhat.com> tls: Fix tls_sw_sendmsg error handling Eric Dumazet <edumazet(a)google.com> net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute Zhongqiu Duan <dzq.aishenghu0(a)gmail.com> tcp/dccp: allow a connection when sk_max_ack_backlog is zero Jason Xing <kernelxing(a)tencent.com> tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog Antonio Pastor <antonio.pastor(a)gmail.com> net: 802: LLC+SNAP OID:PID lookup on start of skb data Keisuke Nishimura <keisuke.nishimura(a)inria.fr> ieee802154: ca8210: Add missing check for kfifo_alloc() in ca8210_probe() Ming-Hung Tsai <mtsai(a)redhat.com> dm array: fix cursor index when skipping across block boundaries Ming-Hung Tsai <mtsai(a)redhat.com> dm array: fix unreleased btree blocks on closing a faulty array cursor Ming-Hung Tsai <mtsai(a)redhat.com> dm array: fix releasing a faulty array block twice in dm_array_cursor_end Zhang Yi <yi.zhang(a)huawei.com> jbd2: flush filesystem device before updating tail sequence ------------- Diffstat: Makefile | 4 +- arch/arm64/boot/dts/rockchip/px30.dtsi | 8 +++ arch/arm64/boot/dts/rockchip/rk3328.dtsi | 4 ++ arch/arm64/boot/dts/rockchip/rk3399.dtsi | 40 ++++++++--- arch/m68k/fpsp040/skeleton.S | 3 +- arch/m68k/kernel/entry.S | 2 + arch/m68k/kernel/sys_m68k.c | 2 + arch/m68k/kernel/traps.c | 2 +- arch/riscv/Kconfig | 4 ++ arch/riscv/include/asm/csr.h | 72 ++++++++++++++++--- arch/riscv/include/asm/irqflags.h | 12 ++-- arch/riscv/include/asm/processor.h | 2 +- arch/riscv/include/asm/ptrace.h | 16 ++--- arch/riscv/include/asm/switch_to.h | 10 +-- arch/riscv/kernel/asm-offsets.c | 8 +-- arch/riscv/kernel/entry.S | 74 +++++++++++-------- arch/riscv/kernel/fpu.S | 8 +-- arch/riscv/kernel/head.S | 12 ++-- arch/riscv/kernel/irq.c | 17 ++--- arch/riscv/kernel/perf_callchain.c | 2 +- arch/riscv/kernel/process.c | 17 ++--- arch/riscv/kernel/signal.c | 21 +++--- arch/riscv/kernel/smp.c | 2 +- arch/riscv/kernel/traps.c | 34 ++++----- arch/riscv/lib/uaccess.S | 12 ++-- arch/riscv/mm/extable.c | 4 +- arch/riscv/mm/fault.c | 6 +- drivers/acpi/resource.c | 18 +++++ drivers/clocksource/timer-riscv.c | 8 +-- drivers/gpu/drm/amd/display/dc/dc.h | 2 +- .../gpu/drm/amd/display/dc/dml/dml_inline_defs.h | 8 +++ drivers/gpu/drm/v3d/v3d_irq.c | 12 ++++ drivers/i2c/muxes/i2c-demux-pinctrl.c | 4 +- drivers/iio/adc/at91_adc.c | 2 +- drivers/iio/adc/ti-ads124s08.c | 4 +- drivers/iio/adc/ti-ads8688.c | 2 +- drivers/iio/dummy/iio_simple_dummy_buffer.c | 2 +- drivers/iio/gyro/fxas21002c_core.c | 11 ++- drivers/iio/imu/kmx61.c | 2 +- drivers/iio/inkern.c | 2 +- drivers/iio/light/vcnl4035.c | 2 +- drivers/iio/pressure/zpa2326.c | 2 + drivers/input/joystick/xpad.c | 2 + drivers/input/keyboard/atkbd.c | 2 +- drivers/irqchip/irq-gic-v3.c | 2 +- drivers/irqchip/irq-sifive-plic.c | 11 +-- drivers/irqchip/irq-sunxi-nmi.c | 3 +- drivers/md/dm-thin.c | 5 +- drivers/md/persistent-data/dm-array.c | 19 +++-- drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 19 +---- drivers/net/ethernet/netronome/nfp/bpf/offload.c | 3 +- drivers/net/ethernet/ti/cpsw_ale.c | 14 ++-- drivers/net/gtp.c | 42 ++++++----- drivers/net/ieee802154/ca8210.c | 6 +- drivers/net/xen-netback/hash.c | 7 +- drivers/nvme/target/io-cmd-bdev.c | 2 +- drivers/phy/phy-core.c | 7 +- drivers/scsi/scsi_transport_iscsi.c | 4 +- drivers/scsi/sg.c | 2 +- drivers/staging/iio/frequency/ad9832.c | 2 +- drivers/staging/iio/frequency/ad9834.c | 2 +- drivers/usb/class/usblp.c | 7 +- drivers/usb/core/hub.c | 6 +- drivers/usb/core/port.c | 7 +- drivers/usb/gadget/function/f_fs.c | 2 +- drivers/usb/serial/cp210x.c | 1 + drivers/usb/serial/option.c | 4 +- drivers/usb/serial/quatech2.c | 2 +- drivers/usb/storage/unusual_devs.h | 7 ++ drivers/vfio/platform/vfio_platform_common.c | 10 +++ fs/ext4/ext4.h | 1 + fs/ext4/extents.c | 64 ++++++++++++++--- fs/gfs2/file.c | 1 + fs/hfs/super.c | 4 +- fs/jbd2/commit.c | 4 +- fs/ocfs2/quota_global.c | 2 +- fs/ocfs2/quota_local.c | 10 ++- fs/proc/vmcore.c | 2 + include/linux/hrtimer.h | 1 + include/linux/poll.h | 10 ++- include/linux/usb.h | 3 +- include/linux/usb/hcd.h | 2 - include/net/inet_connection_sock.h | 2 +- include/net/net_namespace.h | 3 + kernel/cpu.c | 2 +- kernel/gen_kheaders.sh | 1 + kernel/time/hrtimer.c | 11 ++- net/802/psnap.c | 4 +- net/core/net_namespace.c | 83 ++++++++++++++-------- net/dccp/ipv6.c | 2 +- net/ipv6/route.c | 2 +- net/ipv6/tcp_ipv6.c | 4 +- net/mac802154/iface.c | 4 ++ net/sched/cls_flow.c | 3 +- net/sctp/sysctl.c | 9 +-- net/tls/tls_sw.c | 2 +- sound/soc/codecs/Kconfig | 1 + 97 files changed, 598 insertions(+), 318 deletions(-)

5 months, 3 weeks

7
11
0 0

[PATCH 6.6 00/43] 6.6.75-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.75 release. There are 43 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat, 01 Feb 2025 13:34:42 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.75-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.75-rc1 Jack Greiner <jack(a)emoss.org> Input: xpad - add support for wooting two he (arm) Matheos Mattsson <matheos.mattsson(a)gmail.com> Input: xpad - add support for Nacon Evol-X Xbox One Controller Leonardo Brondani Schenkel <leonardo(a)schenkel.net> Input: xpad - improve name of 8BitDo controller 2dc8:3106 Pierre-Loup A. Griffais <pgriffais(a)valvesoftware.com> Input: xpad - add QH Electronics VID/PID Nilton Perim Neto <niltonperimneto(a)gmail.com> Input: xpad - add unofficial Xbox 360 wireless receiver clone Mark Pearson <mpearson-lenovo(a)squebb.ca> Input: atkbd - map F23 key to support default copilot shortcut Nicolas Nobelis <nicolas(a)nobelis.eu> Input: xpad - add support for Nacon Pro Compact Lianqin Hu <hulianqin(a)vivo.com> ALSA: usb-audio: Add delay quirk for USB Audio Device Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null" Qasim Ijaz <qasdev00(a)gmail.com> USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb() Easwar Hariharan <eahariha(a)linux.microsoft.com> scsi: storvsc: Ratelimit warning logs to prevent VM denial of service Ido Schimmel <idosch(a)nvidia.com> ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_find() Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: fix access to uninitialised lock in fc replay path Alex Williamson <alex.williamson(a)redhat.com> vfio/platform: check the bounds of read/write syscalls Linus Torvalds <torvalds(a)linux-foundation.org> cachestat: fix page cache statistics permission checking Jiri Kosina <jkosina(a)suse.com> Revert "HID: multitouch: Add support for lenovo Y9000P Touchpad" Alexey Dobriyan <adobriyan(a)gmail.com> block: fix integer overflow in BLKSECDISCARD Jamal Hadi Salim <jhs(a)mojatatu.com> net: sched: fix ets qdisc OOB Indexing Paulo Alcantara <pc(a)manguebit.com> smb: client: handle lack of EA support in smb2_query_path_info() Chuck Lever <chuck.lever(a)oracle.com> libfs: Use d_children list to iterate simple_offset directories Chuck Lever <chuck.lever(a)oracle.com> libfs: Replace simple_offset end-of-directory detection Chuck Lever <chuck.lever(a)oracle.com> Revert "libfs: Add simple_offset_empty()" Chuck Lever <chuck.lever(a)oracle.com> libfs: Return ENOSPC when the directory offset range is exhausted Chuck Lever <chuck.lever(a)oracle.com> shmem: Fix shmem_rename2() Chuck Lever <chuck.lever(a)oracle.com> libfs: Add simple_offset_rename() API Chuck Lever <chuck.lever(a)oracle.com> libfs: Fix simple_offset_rename_exchange() Chuck Lever <chuck.lever(a)oracle.com> libfs: Add simple_offset_empty() Chuck Lever <chuck.lever(a)oracle.com> libfs: Define a minimum directory offset Chuck Lever <chuck.lever(a)oracle.com> libfs: Re-arrange locking in offset_iterate_dir() Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag Selvin Xavier <selvin.xavier(a)broadcom.com> RDMA/bnxt_re: Avoid CPU lockups due fifo occupancy check loop Omid Ehtemam-Haghighi <omid.ehtemamhaghighi(a)menlosecurity.com> ipv6: Fix soft lockups in fib6_select_path under high next hop churn Anastasia Belova <abelova(a)astralinux.ru> cpufreq: amd-pstate: add check for cpufreq_cpu_get's return value Igor Pylypiv <ipylypiv(a)google.com> ata: libata-core: Set ATA_QCFLAG_RTF_FILLED in fill_result_tf() Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: samsung: Add missing depends on I2C Russell Harmon <russ(a)har.mn> hwmon: (drivetemp) Set scsi command timeout to 10s Philippe Simons <simons.philippe(a)gmail.com> irqchip/sunxi-nmi: Add missing SKIP_WAKE flag Rob Herring (Arm) <robh(a)kernel.org> of/unittest: Add test that of_address_to_resource() fails on non-translatable address Tom Chung <chiahsuan.chung(a)amd.com> drm/amd/display: Use HW lock mgr for PSR1 Xiang Zhang <hawkxiang.cpp(a)gmail.com> scsi: iscsi: Fix redundant response for ISCSI_UEVENT_GET_HOST_STATS request Linus Walleij <linus.walleij(a)linaro.org> seccomp: Stub for !CONFIG_SECCOMP Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: samsung: Add missing selects for MFD_WM8994 Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: wm8994: Add depends on MFD core ------------- Diffstat: Makefile | 4 +- block/ioctl.c | 9 +- drivers/ata/libahci.c | 12 +- drivers/ata/libata-core.c | 8 + drivers/cpufreq/amd-pstate.c | 7 +- .../gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c | 3 +- drivers/hid/hid-ids.h | 1 - drivers/hid/hid-multitouch.c | 8 +- drivers/hwmon/drivetemp.c | 2 +- drivers/infiniband/hw/bnxt_re/main.c | 10 + drivers/input/joystick/xpad.c | 9 +- drivers/input/keyboard/atkbd.c | 2 +- drivers/irqchip/irq-sunxi-nmi.c | 3 +- drivers/of/unittest-data/tests-platform.dtsi | 13 + drivers/of/unittest.c | 14 ++ drivers/scsi/scsi_transport_iscsi.c | 4 +- drivers/scsi/storvsc_drv.c | 8 +- drivers/usb/gadget/function/u_serial.c | 8 +- drivers/usb/serial/quatech2.c | 2 +- drivers/vfio/platform/vfio_platform_common.c | 10 + fs/ext4/super.c | 3 +- fs/gfs2/file.c | 1 + fs/libfs.c | 177 ++++++++++---- fs/smb/client/smb2inode.c | 104 +++++--- include/linux/fs.h | 2 + include/linux/seccomp.h | 2 +- mm/filemap.c | 19 ++ mm/shmem.c | 3 +- net/ipv4/ip_tunnel.c | 2 +- net/ipv6/ip6_fib.c | 8 +- net/ipv6/route.c | 45 ++-- net/sched/sch_ets.c | 2 + sound/soc/codecs/Kconfig | 1 + sound/soc/samsung/Kconfig | 6 +- sound/usb/quirks.c | 2 + tools/testing/selftests/net/Makefile | 1 + .../selftests/net/ipv6_route_update_soft_lockup.sh | 262 +++++++++++++++++++++ 37 files changed, 640 insertions(+), 137 deletions(-)

5 months, 3 weeks

10
52
0 0

[PATCH 6.12 00/41] 6.12.12-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.12 release. There are 41 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat, 01 Feb 2025 14:41:19 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.12-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.12-rc2 Jann Horn <jannh(a)google.com> io_uring/rsrc: require cloned buffers to share accounting contexts Jack Greiner <jack(a)emoss.org> Input: xpad - add support for wooting two he (arm) Matheos Mattsson <matheos.mattsson(a)gmail.com> Input: xpad - add support for Nacon Evol-X Xbox One Controller Leonardo Brondani Schenkel <leonardo(a)schenkel.net> Input: xpad - improve name of 8BitDo controller 2dc8:3106 Pierre-Loup A. Griffais <pgriffais(a)valvesoftware.com> Input: xpad - add QH Electronics VID/PID Nilton Perim Neto <niltonperimneto(a)gmail.com> Input: xpad - add unofficial Xbox 360 wireless receiver clone Mark Pearson <mpearson-lenovo(a)squebb.ca> Input: atkbd - map F23 key to support default copilot shortcut Nicolas Nobelis <nicolas(a)nobelis.eu> Input: xpad - add support for Nacon Pro Compact Jason Gerecke <jason.gerecke(a)wacom.com> HID: wacom: Initialize brightness of LED trigger Hans de Goede <hdegoede(a)redhat.com> wifi: rtl8xxxu: add more missing rtl8192cu USB IDs Lianqin Hu <hulianqin(a)vivo.com> ALSA: usb-audio: Add delay quirk for USB Audio Device Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null" Qasim Ijaz <qasdev00(a)gmail.com> USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb() Easwar Hariharan <eahariha(a)linux.microsoft.com> scsi: storvsc: Ratelimit warning logs to prevent VM denial of service Alex Williamson <alex.williamson(a)redhat.com> vfio/platform: check the bounds of read/write syscalls Linus Torvalds <torvalds(a)linux-foundation.org> cachestat: fix page cache statistics permission checking Jiri Kosina <jikos(a)kernel.org> Revert "HID: multitouch: Add support for lenovo Y9000P Touchpad" Jamal Hadi Salim <jhs(a)mojatatu.com> net: sched: fix ets qdisc OOB Indexing Paulo Alcantara <pc(a)manguebit.com> smb: client: handle lack of EA support in smb2_query_path_info() Chuck Lever <chuck.lever(a)oracle.com> libfs: Use d_children list to iterate simple_offset directories Chuck Lever <chuck.lever(a)oracle.com> libfs: Replace simple_offset end-of-directory detection Chuck Lever <chuck.lever(a)oracle.com> Revert "libfs: fix infinite directory reads for offset dir" Chuck Lever <chuck.lever(a)oracle.com> Revert "libfs: Add simple_offset_empty()" Chuck Lever <chuck.lever(a)oracle.com> libfs: Return ENOSPC when the directory offset range is exhausted Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag Yosry Ahmed <yosryahmed(a)google.com> mm: zswap: move allocations during CPU init outside the lock Yosry Ahmed <yosryahmed(a)google.com> mm: zswap: properly synchronize freeing resources during CPU hotunplug Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: samsung: Add missing depends on I2C Russell Harmon <russ(a)har.mn> hwmon: (drivetemp) Set scsi command timeout to 10s Philippe Simons <simons.philippe(a)gmail.com> irqchip/sunxi-nmi: Add missing SKIP_WAKE flag Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> drm/connector: hdmi: Validate supported_formats matches ycbcr_420_allowed Yage Geng <icoderdev(a)gmail.com> ALSA: hda/realtek: Fix volume adjustment issue on Lenovo ThinkBook 16P Gen5 Rob Herring (Arm) <robh(a)kernel.org> of/unittest: Add test that of_address_to_resource() fails on non-translatable address Alex Hung <alex.hung(a)amd.com> drm/amd/display: Initialize denominator defaults to 1 Tom Chung <chiahsuan.chung(a)amd.com> drm/amd/display: Use HW lock mgr for PSR1 Xiang Zhang <hawkxiang.cpp(a)gmail.com> scsi: iscsi: Fix redundant response for ISCSI_UEVENT_GET_HOST_STATS request Maciej Strozek <mstrozek(a)opensource.cirrus.com> ASoC: cs42l43: Add codec force suspend/resume ops Linus Walleij <linus.walleij(a)linaro.org> seccomp: Stub for !CONFIG_SECCOMP Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: samsung: Add missing selects for MFD_WM8994 Marian Postevca <posteuca(a)mutex.one> ASoC: codecs: es8316: Fix HW rate calculation for 48Mhz MCLK Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: wm8994: Add depends on MFD core ------------- Diffstat: Makefile | 4 +- .../gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c | 3 +- .../dml21/src/dml2_core/dml2_core_dcn4_calcs.c | 4 +- drivers/gpu/drm/drm_connector.c | 3 + drivers/hid/hid-ids.h | 1 - drivers/hid/hid-multitouch.c | 8 +- drivers/hid/wacom_sys.c | 24 +-- drivers/hwmon/drivetemp.c | 2 +- drivers/input/joystick/xpad.c | 9 +- drivers/input/keyboard/atkbd.c | 2 +- drivers/irqchip/irq-sunxi-nmi.c | 3 +- drivers/net/wireless/realtek/rtl8xxxu/core.c | 20 +++ drivers/of/unittest-data/tests-platform.dtsi | 13 ++ drivers/of/unittest.c | 14 ++ drivers/scsi/scsi_transport_iscsi.c | 4 +- drivers/scsi/storvsc_drv.c | 8 +- drivers/usb/gadget/function/u_serial.c | 8 +- drivers/usb/serial/quatech2.c | 2 +- drivers/vfio/platform/vfio_platform_common.c | 10 ++ fs/gfs2/file.c | 1 + fs/libfs.c | 162 ++++++++++----------- fs/smb/client/smb2inode.c | 104 +++++++++---- include/linux/fs.h | 1 - include/linux/seccomp.h | 2 +- io_uring/rsrc.c | 7 + mm/filemap.c | 19 +++ mm/shmem.c | 4 +- mm/zswap.c | 90 ++++++++---- net/sched/sch_ets.c | 2 + sound/pci/hda/patch_realtek.c | 4 +- sound/soc/codecs/Kconfig | 1 + sound/soc/codecs/cs42l43.c | 1 + sound/soc/codecs/es8316.c | 10 +- sound/soc/samsung/Kconfig | 6 +- sound/usb/quirks.c | 2 + 35 files changed, 374 insertions(+), 184 deletions(-)

5 months, 3 weeks

14
13
0 0

[PATCH V2] USB: pci-quirks: Fix HCCPARAMS register error for LS7A EHCI

by Huacai Chen

LS7A EHCI controller doesn't have extended capabilities, so the EECP (EHCI Extended Capabilities Pointer) field of HCCPARAMS register should be 0x0, but it reads as 0xa0 now. This is a hardware flaw and will be fixed in future, now just clear the EECP field to avoid error messages on boot: ...... [ 0.581675] pci 0000:00:04.1: EHCI: unrecognized capability ff [ 0.581699] pci 0000:00:04.1: EHCI: unrecognized capability ff [ 0.581716] pci 0000:00:04.1: EHCI: unrecognized capability ff [ 0.581851] pci 0000:00:04.1: EHCI: unrecognized capability ff ...... [ 0.581916] pci 0000:00:05.1: EHCI: unrecognized capability ff [ 0.581951] pci 0000:00:05.1: EHCI: unrecognized capability ff [ 0.582704] pci 0000:00:05.1: EHCI: unrecognized capability ff [ 0.582799] pci 0000:00:05.1: EHCI: unrecognized capability ff ...... Cc: stable(a)vger.kernel.org Signed-off-by: Baoqi Zhang <zhangbaoqi(a)loongson.cn> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- V2: Add a comment and don't touch pci_ids.h. drivers/usb/host/pci-quirks.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/usb/host/pci-quirks.c b/drivers/usb/host/pci-quirks.c index 1f9c1b1435d8..0404489c2f6a 100644 --- a/drivers/usb/host/pci-quirks.c +++ b/drivers/usb/host/pci-quirks.c @@ -958,6 +958,15 @@ static void quirk_usb_disable_ehci(struct pci_dev *pdev) * booting from USB disk or using a usb keyboard */ hcc_params = readl(base + EHCI_HCC_PARAMS); + + /* LS7A EHCI controller doesn't have extended capabilities, the + * EECP (EHCI Extended Capabilities Pointer) field of HCCPARAMS + * register should be 0x0 but it reads as 0xa0. So clear it to + * avoid error messages on boot. + */ + if (pdev->vendor == PCI_VENDOR_ID_LOONGSON && pdev->device == 0x7a14) + hcc_params &= ~(0xffL << 8); + offset = (hcc_params >> 8) & 0xff; while (offset && --count) { pci_read_config_dword(pdev, offset, &cap); -- 2.47.1

5 months, 3 weeks

3
2
0 0

[PATCH 6.1 00/16] Fixes bpf and rcu

by Alexey Nepomnyashih

Hi, this series backports fix https://syzkaller.appspot.com/bug?id=d4d4abdb121f42913b3a149f2d846a7dd7eeb7… linux-6.1.y Here is the summary with links: - [6.1 01/16] bpf: Add a few bpf mem allocator functions. https://git.kernel.org/bpf/bpf/c/e65a5c6edbc6 - [6.1 02/16] bpf: Factor out a common helper free_all(). https://git.kernel.org/bpf/bpf/c/aa7881fcfe9d - [6.1 03/16] bpf: Rename few bpf_mem_alloc fields. https://git.kernel.org/bpf/bpf/c/12c8d0f4c870 - [6.1 04/16] bpf: Let free_all() return the number of freed elements. https://git.kernel.org/bpf/bpf/c/9de3e81521b4 - [6.1 05/16] bpf: Refactor alloc_bulk(). https://git.kernel.org/bpf/bpf/c/05ae68656a8e - [6.1 07/16] bpf: Use rcu_trace_implies_rcu_gp() in bpf memory allocator. https://git.kernel.org/bpf/bpf/c/59be91e5e70a - [6.1 08/16] bpf: Further refactor alloc_bulk(). https://git.kernel.org/bpf/bpf/c/7468048237b8 - [6.1 09/16] bpf: Change bpf_mem_cache draining process. https://git.kernel.org/bpf/bpf/c/d114dde245f9 - [6.1 10/16] bpf: Add a hint to allocated objects. https://git.kernel.org/bpf/bpf/c/822fb26bdb55 - [6.1 11/16] bpf: Introduce bpf_mem_free_rcu() similar to kfree_rcu(). https://git.kernel.org/bpf/bpf/c/5af6807bdb10 - [6.1 12/16] rcu: Fix missing nocb gp wake on rcu_barrier() https://git.kernel.org/bpf/bpf/c/b8f7aca3f0e0 - [6.1 13/16] rcu: Make call_rcu() lazy to save power https://git.kernel.org/bpf/bpf/c/3cb278e73be5 - [6.1 14/16] rcu: Export rcu_request_urgent_qs_task() https://git.kernel.org/bpf/bpf/c/43a89baecfe2 - [6.1 15/16] bpf: Remove unnecessary check when updating LPM trie https://git.kernel.org/bpf/bpf/c/156c977c539e - [6.1 16/16] bpf: Switch to bpf mem allocator for LPM trie https://git.kernel.org/bpf/bpf/c/3d8dc43eb2a3

5 months, 3 weeks

2
17
0 0

Re: TCP Fast Retransmission Issue

by Ahmed, Shehab Sarar

Hello, While experimenting with bbr protocol, I manipulated the network conditions by maintaining a high RTT for about one second before abruptly reducing it. Some packets sent during the high RTT phase experienced long delays in reaching the destination, while later packets, benefiting from the lower RTT, arrived earlier. This out-of-order arrival triggered the receiver to generate duplicate acknowledgments (dup ACKs). Due to the low RTT, these dup ACKs quickly reached the sender. Upon receiving three dup ACKs, the sender initiated a fast retransmission for an earlier packet that was not lost but was simply taking longer to arrive. Interestingly, despite the fast-retransmitted packet experienced a lower RTT, the original delayed packet still arrived first. When the receiver received this packet, it sent an ACK for the next packet in sequence. However, upon later receiving the fast-retransmitted packet, an issue arose in its logic for updating the acknowledgment number. As a result, even after the next expected packet was received, the acknowledgment number was not updated correctly. The receiver continued sending dup ACKs, ultimately forcing bbr into the retransmission timeout (RTO) phase. I generated this issue in linux kernel version 5.15.0-117-generic with Ubuntu 20.04. I attempted to confirm whether the issue persists with the latest Linux kernel. However, I discovered that the behavior of bbr has changed in the most recent kernel version, where it now sends chunks of packets instead of sending them one by one over time. As a result, I was unable to reproduce the specific sequence of events that triggered the bug we identified. Consequently, I could not confirm whether the bug still exists in the latest kernel. I believe that the issue (if still exists) will have to be resolved in the location net/ipv4/tcp_input.c or something like that. There are so many authors here that I do not know who to CC here. So, sending this email to you. Sorry if this is not the best way to report this issue. Thanks Shehab ________________________________________ From: Ahmed, Shehab Sarar Sent: Saturday, February 1, 2025 1:01 PM To: stable(a)vger.kernel.org Cc: regressions(a)lists.linux.dev Subject: TCP Fast Retransmission Issue Hello, While experimenting with bbr protocol, I manipulated the network conditions by maintaining a high RTT for about one second before abruptly reducing it. Some packets sent during the high RTT phase experienced long delays in reaching the destination, while later packets, benefiting from the lower RTT, arrived earlier. This out-of-order arrival triggered the receiver to generate duplicate acknowledgments (dup ACKs). Due to the low RTT, these dup ACKs quickly reached the sender. Upon receiving three dup ACKs, the sender initiated a fast retransmission for an earlier packet that was not lost but was simply taking longer to arrive. Interestingly, despite the fast-retransmitted packet experienced a lower RTT, the original delayed packet still arrived first. When the receiver received this packet, it sent an ACK for the next packet in sequence. However, upon later receiving the fast-retransmitted packet, an issue arose in its logic for updating the acknowledgment number. As a result, even after the next expected packet was received, the acknowledgment number was not updated correctly. The receiver continued sending dup ACKs, ultimately forcing bbr into the retransmission timeout (RTO) phase. I generated this issue in linux kernel version 5.15.0-117-generic with Ubuntu 20.04. I attempted to confirm whether the issue persists with the latest Linux kernel. However, I discovered that the behavior of bbr has changed in the most recent kernel version, where it now sends chunks of packets instead of sending them one by one over time. As a result, I was unable to reproduce the specific sequence of events that triggered the bug we identified. Consequently, I could not confirm whether the bug still exists in the latest kernel. I believe that the issue (if still exists) will have to be resolved in the location net/ipv4/tcp_input.c or something like that. There are so many authors here that I do not know who to CC here. So, sending this email to you. Sorry if this is not the best way to report this issue. Thanks Shehab

5 months, 3 weeks

2
2
0 0

[PATCH 6.1 00/19] xfs 6.1.y fixes from 6.7

by Leah Rumancik

Returning to focus on 6.1, here is the 6.1 set from the corresponding 6.6 set: https://lore.kernel.org/all/20240208232054.15778-1-catherine.hoang@oracle.c… Two patches are missing from the original set: [01/21] MAINTAINERS: add Catherine as xfs maintainer for 6.6.y 6.6.y-only change [16/21] xfs: fix again select in kconfig XFS_ONLINE_SCRUB_STATS XFS_ONLINE_SCRUB_STATS didn't show up till 6.6 The auto group was run on 10 configs and no regressions were seen. This has been ack'd on the xfs-stable mailing list. Thanks, Leah Catherine Hoang (1): xfs: allow read IO and FICLONE to run concurrently Cheng Lin (1): xfs: introduce protection for drop nlink Christoph Hellwig (4): xfs: handle nimaps=0 from xfs_bmapi_write in xfs_alloc_file_space xfs: only remap the written blocks in xfs_reflink_end_cow_extent xfs: clean up FS_XFLAG_REALTIME handling in xfs_ioctl_setattr_xflags xfs: respect the stable writes flag on the RT device Darrick J. Wong (8): xfs: bump max fsgeom struct version xfs: hoist freeing of rt data fork extent mappings xfs: prevent rt growfs when quota is enabled xfs: rt stubs should return negative errnos when rt disabled xfs: fix units conversion error in xfs_bmap_del_extent_delay xfs: make sure maxlen is still congruent with prod when rounding down xfs: clean up dqblk extraction xfs: dquot recovery does not validate the recovered dquot Dave Chinner (1): xfs: inode recovery does not validate the recovered inode Leah Rumancik (1): xfs: up(ic_sema) if flushing data device fails Long Li (2): xfs: factor out xfs_defer_pending_abort xfs: abort intent items when recovery intents fail Omar Sandoval (1): xfs: fix internal error from AGFL exhaustion fs/xfs/libxfs/xfs_alloc.c | 27 ++++++++++++-- fs/xfs/libxfs/xfs_bmap.c | 21 +++-------- fs/xfs/libxfs/xfs_defer.c | 28 +++++++++------ fs/xfs/libxfs/xfs_defer.h | 2 +- fs/xfs/libxfs/xfs_inode_buf.c | 3 ++ fs/xfs/libxfs/xfs_rtbitmap.c | 33 +++++++++++++++++ fs/xfs/libxfs/xfs_sb.h | 2 +- fs/xfs/xfs_bmap_util.c | 24 +++++++------ fs/xfs/xfs_dquot.c | 5 +-- fs/xfs/xfs_dquot_item_recover.c | 21 +++++++++-- fs/xfs/xfs_file.c | 63 ++++++++++++++++++++++++++------- fs/xfs/xfs_inode.c | 24 +++++++++++++ fs/xfs/xfs_inode.h | 17 +++++++++ fs/xfs/xfs_inode_item_recover.c | 14 +++++++- fs/xfs/xfs_ioctl.c | 30 ++++++++++------ fs/xfs/xfs_iops.c | 7 ++++ fs/xfs/xfs_log.c | 23 ++++++------ fs/xfs/xfs_log_recover.c | 2 +- fs/xfs/xfs_reflink.c | 5 +++ fs/xfs/xfs_rtalloc.c | 33 +++++++++++++---- fs/xfs/xfs_rtalloc.h | 27 ++++++++------ 21 files changed, 310 insertions(+), 101 deletions(-) -- 2.48.1.362.g079036d154-goog

5 months, 3 weeks

3
39
0 0

[PATCH 1/1] blk-cgroup: Fix UAF in blkcg_unpin_online()

by ciprietti＠google.com

From: Tejun Heo <tj(a)kernel.org> [ Upstream commit 86e6ca55b83c575ab0f2e105cf08f98e58d3d7af ] blkcg_unpin_online() walks up the blkcg hierarchy putting the online pin. To walk up, it uses blkcg_parent(blkcg) but it was calling that after blkcg_destroy_blkgs(blkcg) which could free the blkcg, leading to the following UAF: ================================================================== BUG: KASAN: slab-use-after-free in blkcg_unpin_online+0x15a/0x270 Read of size 8 at addr ffff8881057678c0 by task kworker/9:1/117 CPU: 9 UID: 0 PID: 117 Comm: kworker/9:1 Not tainted 6.13.0-rc1-work-00182-gb8f52214c61a-dirty #48 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 02/02/2022 Workqueue: cgwb_release cgwb_release_workfn Call Trace: <TASK> dump_stack_lvl+0x27/0x80 print_report+0x151/0x710 kasan_report+0xc0/0x100 blkcg_unpin_online+0x15a/0x270 cgwb_release_workfn+0x194/0x480 process_scheduled_works+0x71b/0xe20 worker_thread+0x82a/0xbd0 kthread+0x242/0x2c0 ret_from_fork+0x33/0x70 ret_from_fork_asm+0x1a/0x30 </TASK> ... Freed by task 1944: kasan_save_track+0x2b/0x70 kasan_save_free_info+0x3c/0x50 __kasan_slab_free+0x33/0x50 kfree+0x10c/0x330 css_free_rwork_fn+0xe6/0xb30 process_scheduled_works+0x71b/0xe20 worker_thread+0x82a/0xbd0 kthread+0x242/0x2c0 ret_from_fork+0x33/0x70 ret_from_fork_asm+0x1a/0x30 Note that the UAF is not easy to trigger as the free path is indirected behind a couple RCU grace periods and a work item execution. I could only trigger it with artifical msleep() injected in blkcg_unpin_online(). Fix it by reading the parent pointer before destroying the blkcg's blkg's. Signed-off-by: Tejun Heo <tj(a)kernel.org> Reported-by: Abagail ren <renzezhongucas(a)gmail.com> Suggested-by: Linus Torvalds <torvalds(a)linuxfoundation.org> Fixes: 4308a434e5e0 ("blkcg: don't offline parent blkcg first") Cc: stable(a)vger.kernel.org # v5.7+ Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Andrea Ciprietti <ciprietti(a)google.com> --- include/linux/blk-cgroup.h | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/include/linux/blk-cgroup.h b/include/linux/blk-cgroup.h index 0e6e84db06f6..b89099360a86 100644 --- a/include/linux/blk-cgroup.h +++ b/include/linux/blk-cgroup.h @@ -428,10 +428,14 @@ static inline void blkcg_pin_online(struct blkcg *blkcg) static inline void blkcg_unpin_online(struct blkcg *blkcg) { do { + struct blkcg *parent; + if (!refcount_dec_and_test(&blkcg->online_pin)) break; + + parent = blkcg_parent(blkcg); blkcg_destroy_blkgs(blkcg); - blkcg = blkcg_parent(blkcg); + blkcg = parent; } while (blkcg); } -- 2.48.1.262.g85cc9f2d1e-goog

5 months, 3 weeks

4
5
0 0

rk3399 fails to boot since v6.12.7

by Christoph Fritz

Hello Marc, since 773c05f417fa1 ("irqchip/gic-v3: Work around insecure GIC integrations") landed in stable v6.12.7 as 0bf32f482887, here the rk3399 fails to boot (~4 out of 10 times) because OP-TEE panics (gets a secure interrupt that it cannot handle). Setup is: - BL31 proprietary (since mainline TF-A has no DMA) - OP-TEE mainline version: 3.20 - Kernel v6.12.7 <snip> [ 0.000000] GICv3: Broken GIC integration, security disabled <snip> E/TC:4 0 Panic 'Secure interrupt handler not defined' at core/kernel/interrupt.c:139 <itr_core_handler> E/TC:4 0 TEE load address @ 0x30000000 E/TC:4 0 Call stack: E/TC:4 0 0x300091f8 E/TC:4 0 0x30016664 E/TC:4 0 0x30015710 E/TC:4 0 0x30005714 [ 26.087363] rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: [ 26.087925] rcu: (detected by 2, t=21002 jiffies, g=2233, q=2416 ncpus=6) [ 26.088530] rcu: All QSes seen, last rcu_preempt kthread activity 21002 (4294693363-4294672361), jiffies_till_next_fqs=3, root ->qsmask 0x0 [ 26.089623] rcu: rcu_preempt kthread timer wakeup didn't happen for 20999 jiffies! g2233 f0x2 RCU_GP_WAIT_FQS(5) ->state=0x200 [ 26.090617] rcu: Possible timer handling issue on cpu=4 timer-softirq=293 [ 26.091218] rcu: rcu_preempt kthread starved for 21002 jiffies! g2233 f0x2 RCU_GP_WAIT_FQS(5) ->state=0x200 ->cpu=4 [ 26.092131] rcu: Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior. [ 26.092926] rcu: RCU grace-period kthread stack dump: [ 26.093369] task:rcu_preempt state:R stack:0 pid:16 tgid:16 ppid:2 flags:0x00000008 [ 26.094192] Call trace: [ 26.094409] __switch_to+0xf0/0x14c [ 26.094728] __schedule+0x264/0xa90 [ 26.095040] schedule+0x34/0x104 [ 26.095329] schedule_timeout+0x80/0xf4 [ 26.095672] rcu_gp_fqs_loop+0x14c/0x4a4 [ 26.096027] rcu_gp_kthread+0x138/0x164 [ 26.096369] kthread+0x114/0x118 [ 26.096661] ret_from_fork+0x10/0x20 [ 26.096982] rcu: Stack dump where RCU GP kthread last ran: [ 26.097463] Sending NMI from CPU 2 to CPUs 4: [ 46.276364] sched: DL replenish lagged too much Is it too late for the kernel to disable the "security" since OP-TEE assumes it is enabled? Any ideas? Thanks -- Christoph

5 months, 3 weeks

2
4
0 0

Linux 6.6.75

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.75 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 block/ioctl.c | 9 drivers/ata/libahci.c | 12 drivers/ata/libata-core.c | 8 drivers/cpufreq/amd-pstate.c | 7 drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c | 3 drivers/gpu/drm/v3d/v3d_irq.c | 16 drivers/hid/hid-ids.h | 1 drivers/hid/hid-multitouch.c | 8 drivers/hwmon/drivetemp.c | 2 drivers/infiniband/hw/bnxt_re/main.c | 10 drivers/input/joystick/xpad.c | 9 drivers/input/keyboard/atkbd.c | 2 drivers/irqchip/irq-sunxi-nmi.c | 3 drivers/of/unittest-data/tests-platform.dtsi | 13 drivers/of/unittest.c | 14 drivers/scsi/scsi_transport_iscsi.c | 4 drivers/scsi/storvsc_drv.c | 8 drivers/usb/gadget/function/u_serial.c | 8 drivers/usb/serial/quatech2.c | 2 drivers/vfio/platform/vfio_platform_common.c | 10 fs/ext4/super.c | 3 fs/gfs2/file.c | 1 fs/libfs.c | 177 +++++-- fs/smb/client/smb2inode.c | 92 ++- include/linux/fs.h | 2 include/linux/seccomp.h | 2 mm/filemap.c | 19 mm/shmem.c | 3 net/ipv4/ip_tunnel.c | 2 net/ipv6/ip6_fib.c | 8 net/ipv6/route.c | 45 + net/sched/sch_ets.c | 2 sound/soc/codecs/Kconfig | 1 sound/soc/samsung/Kconfig | 6 sound/usb/quirks.c | 2 tools/testing/selftests/net/Makefile | 1 tools/testing/selftests/net/ipv6_route_update_soft_lockup.sh | 262 +++++++++++ 38 files changed, 645 insertions(+), 134 deletions(-) Alex Williamson (1): vfio/platform: check the bounds of read/write syscalls Alexey Dobriyan (1): block: fix integer overflow in BLKSECDISCARD Anastasia Belova (1): cpufreq: amd-pstate: add check for cpufreq_cpu_get's return value Andreas Gruenbacher (1): gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag Charles Keepax (3): ASoC: wm8994: Add depends on MFD core ASoC: samsung: Add missing selects for MFD_WM8994 ASoC: samsung: Add missing depends on I2C Chuck Lever (10): libfs: Re-arrange locking in offset_iterate_dir() libfs: Define a minimum directory offset libfs: Add simple_offset_empty() libfs: Fix simple_offset_rename_exchange() libfs: Add simple_offset_rename() API shmem: Fix shmem_rename2() libfs: Return ENOSPC when the directory offset range is exhausted Revert "libfs: Add simple_offset_empty()" libfs: Replace simple_offset end-of-directory detection libfs: Use d_children list to iterate simple_offset directories Easwar Hariharan (1): scsi: storvsc: Ratelimit warning logs to prevent VM denial of service Greg Kroah-Hartman (2): Revert "usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null" Linux 6.6.75 Ido Schimmel (1): ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_find() Igor Pylypiv (1): ata: libata-core: Set ATA_QCFLAG_RTF_FILLED in fill_result_tf() Jack Greiner (1): Input: xpad - add support for wooting two he (arm) Jamal Hadi Salim (1): net: sched: fix ets qdisc OOB Indexing Jiri Kosina (1): Revert "HID: multitouch: Add support for lenovo Y9000P Touchpad" Leonardo Brondani Schenkel (1): Input: xpad - improve name of 8BitDo controller 2dc8:3106 Lianqin Hu (1): ALSA: usb-audio: Add delay quirk for USB Audio Device Linus Torvalds (1): cachestat: fix page cache statistics permission checking Linus Walleij (1): seccomp: Stub for !CONFIG_SECCOMP Luis Henriques (SUSE) (1): ext4: fix access to uninitialised lock in fc replay path Mark Pearson (1): Input: atkbd - map F23 key to support default copilot shortcut Matheos Mattsson (1): Input: xpad - add support for Nacon Evol-X Xbox One Controller Maíra Canal (1): drm/v3d: Assign job pointer to NULL before signaling the fence Nicolas Nobelis (1): Input: xpad - add support for Nacon Pro Compact Nilton Perim Neto (1): Input: xpad - add unofficial Xbox 360 wireless receiver clone Omid Ehtemam-Haghighi (1): ipv6: Fix soft lockups in fib6_select_path under high next hop churn Paulo Alcantara (1): smb: client: handle lack of EA support in smb2_query_path_info() Philippe Simons (1): irqchip/sunxi-nmi: Add missing SKIP_WAKE flag Pierre-Loup A. Griffais (1): Input: xpad - add QH Electronics VID/PID Qasim Ijaz (1): USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb() Rob Herring (Arm) (1): of/unittest: Add test that of_address_to_resource() fails on non-translatable address Russell Harmon (1): hwmon: (drivetemp) Set scsi command timeout to 10s Selvin Xavier (1): RDMA/bnxt_re: Avoid CPU lockups due fifo occupancy check loop Tom Chung (1): drm/amd/display: Use HW lock mgr for PSR1 Xiang Zhang (1): scsi: iscsi: Fix redundant response for ISCSI_UEVENT_GET_HOST_STATS request

5 months, 3 weeks

1
1
0 0

Linux 6.12.12

by Greg Kroah-Hartman

I'm announcing the release of the 6.12.12 kernel. All users of the 6.12 kernel series must upgrade. The updated 6.12.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.12.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c | 3 drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4_calcs.c | 4 drivers/gpu/drm/drm_connector.c | 3 drivers/gpu/drm/v3d/v3d_irq.c | 16 drivers/hid/hid-ids.h | 1 drivers/hid/hid-multitouch.c | 8 drivers/hid/wacom_sys.c | 24 - drivers/hwmon/drivetemp.c | 2 drivers/input/joystick/xpad.c | 9 drivers/input/keyboard/atkbd.c | 2 drivers/irqchip/irq-sunxi-nmi.c | 3 drivers/net/wireless/realtek/rtl8xxxu/core.c | 20 + drivers/of/unittest-data/tests-platform.dtsi | 13 drivers/of/unittest.c | 14 drivers/scsi/scsi_transport_iscsi.c | 4 drivers/scsi/storvsc_drv.c | 8 drivers/usb/gadget/function/u_serial.c | 8 drivers/usb/serial/quatech2.c | 2 drivers/vfio/platform/vfio_platform_common.c | 10 fs/gfs2/file.c | 1 fs/libfs.c | 162 ++++------ fs/smb/client/smb2inode.c | 92 ++++- include/linux/fs.h | 1 include/linux/seccomp.h | 2 io_uring/rsrc.c | 7 mm/filemap.c | 19 + mm/shmem.c | 4 mm/zswap.c | 90 +++-- net/sched/sch_ets.c | 2 sound/pci/hda/patch_realtek.c | 4 sound/soc/codecs/Kconfig | 1 sound/soc/codecs/cs42l43.c | 1 sound/soc/codecs/es8316.c | 10 sound/soc/samsung/Kconfig | 6 sound/usb/quirks.c | 2 36 files changed, 379 insertions(+), 181 deletions(-) Alex Hung (1): drm/amd/display: Initialize denominator defaults to 1 Alex Williamson (1): vfio/platform: check the bounds of read/write syscalls Andreas Gruenbacher (1): gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag Charles Keepax (3): ASoC: wm8994: Add depends on MFD core ASoC: samsung: Add missing selects for MFD_WM8994 ASoC: samsung: Add missing depends on I2C Chuck Lever (5): libfs: Return ENOSPC when the directory offset range is exhausted Revert "libfs: Add simple_offset_empty()" Revert "libfs: fix infinite directory reads for offset dir" libfs: Replace simple_offset end-of-directory detection libfs: Use d_children list to iterate simple_offset directories Cristian Ciocaltea (1): drm/connector: hdmi: Validate supported_formats matches ycbcr_420_allowed Easwar Hariharan (1): scsi: storvsc: Ratelimit warning logs to prevent VM denial of service Greg Kroah-Hartman (2): Revert "usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null" Linux 6.12.12 Hans de Goede (1): wifi: rtl8xxxu: add more missing rtl8192cu USB IDs Jack Greiner (1): Input: xpad - add support for wooting two he (arm) Jamal Hadi Salim (1): net: sched: fix ets qdisc OOB Indexing Jann Horn (1): io_uring/rsrc: require cloned buffers to share accounting contexts Jason Gerecke (1): HID: wacom: Initialize brightness of LED trigger Jiri Kosina (1): Revert "HID: multitouch: Add support for lenovo Y9000P Touchpad" Leonardo Brondani Schenkel (1): Input: xpad - improve name of 8BitDo controller 2dc8:3106 Lianqin Hu (1): ALSA: usb-audio: Add delay quirk for USB Audio Device Linus Torvalds (1): cachestat: fix page cache statistics permission checking Linus Walleij (1): seccomp: Stub for !CONFIG_SECCOMP Maciej Strozek (1): ASoC: cs42l43: Add codec force suspend/resume ops Marian Postevca (1): ASoC: codecs: es8316: Fix HW rate calculation for 48Mhz MCLK Mark Pearson (1): Input: atkbd - map F23 key to support default copilot shortcut Matheos Mattsson (1): Input: xpad - add support for Nacon Evol-X Xbox One Controller Maíra Canal (1): drm/v3d: Assign job pointer to NULL before signaling the fence Nicolas Nobelis (1): Input: xpad - add support for Nacon Pro Compact Nilton Perim Neto (1): Input: xpad - add unofficial Xbox 360 wireless receiver clone Paulo Alcantara (1): smb: client: handle lack of EA support in smb2_query_path_info() Philippe Simons (1): irqchip/sunxi-nmi: Add missing SKIP_WAKE flag Pierre-Loup A. Griffais (1): Input: xpad - add QH Electronics VID/PID Qasim Ijaz (1): USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb() Rob Herring (Arm) (1): of/unittest: Add test that of_address_to_resource() fails on non-translatable address Russell Harmon (1): hwmon: (drivetemp) Set scsi command timeout to 10s Tom Chung (1): drm/amd/display: Use HW lock mgr for PSR1 Xiang Zhang (1): scsi: iscsi: Fix redundant response for ISCSI_UEVENT_GET_HOST_STATS request Yage Geng (1): ALSA: hda/realtek: Fix volume adjustment issue on Lenovo ThinkBook 16P Gen5 Yosry Ahmed (2): mm: zswap: properly synchronize freeing resources during CPU hotunplug mm: zswap: move allocations during CPU init outside the lock

5 months, 3 weeks

1
1
0 0

Linux 6.1.128

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.128 kernel. All users of the 6.1 kernel series must upgrade. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 block/ioctl.c | 9 drivers/base/regmap/regmap.c | 12 drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c | 3 drivers/gpu/drm/v3d/v3d_irq.c | 16 drivers/hid/hid-ids.h | 1 drivers/hid/hid-multitouch.c | 8 drivers/input/joystick/xpad.c | 2 drivers/input/keyboard/atkbd.c | 2 drivers/irqchip/irq-sunxi-nmi.c | 3 drivers/net/wireless/intel/iwlwifi/dvm/rs.c | 9 drivers/net/wireless/intel/iwlwifi/mvm/rs.c | 9 drivers/scsi/scsi_transport_iscsi.c | 4 drivers/scsi/storvsc_drv.c | 8 drivers/usb/gadget/function/u_serial.c | 8 drivers/usb/serial/quatech2.c | 2 drivers/vfio/platform/vfio_platform_common.c | 10 fs/ext4/super.c | 3 fs/gfs2/file.c | 1 fs/smb/client/smb2ops.c | 47 + fs/smb/client/smb2pdu.c | 10 fs/xfs/libxfs/xfs_alloc.c | 27 + fs/xfs/libxfs/xfs_bmap.c | 21 fs/xfs/libxfs/xfs_defer.c | 28 - fs/xfs/libxfs/xfs_defer.h | 2 fs/xfs/libxfs/xfs_inode_buf.c | 3 fs/xfs/libxfs/xfs_rtbitmap.c | 33 + fs/xfs/libxfs/xfs_sb.h | 2 fs/xfs/xfs_bmap_util.c | 24 - fs/xfs/xfs_dquot.c | 5 fs/xfs/xfs_dquot_item_recover.c | 21 fs/xfs/xfs_file.c | 63 ++ fs/xfs/xfs_inode.c | 24 + fs/xfs/xfs_inode.h | 17 fs/xfs/xfs_inode_item_recover.c | 14 fs/xfs/xfs_ioctl.c | 30 - fs/xfs/xfs_iops.c | 7 fs/xfs/xfs_log.c | 23 fs/xfs/xfs_log_recover.c | 2 fs/xfs/xfs_reflink.c | 5 fs/xfs/xfs_rtalloc.c | 33 + fs/xfs/xfs_rtalloc.h | 27 - include/linux/seccomp.h | 2 io_uring/io_uring.c | 4 kernel/softirq.c | 15 net/ipv4/ip_tunnel.c | 2 net/ipv6/ip6_fib.c | 8 net/ipv6/route.c | 45 + net/sched/sch_ets.c | 2 sound/soc/codecs/Kconfig | 1 sound/soc/samsung/Kconfig | 6 sound/soc/samsung/midas_wm1811.c | 24 - sound/usb/quirks.c | 2 tools/testing/selftests/net/Makefile | 1 tools/testing/selftests/net/ipv6_route_update_soft_lockup.sh | 262 +++++++++++ 55 files changed, 767 insertions(+), 187 deletions(-) Alex Williamson (1): vfio/platform: check the bounds of read/write syscalls Alexey Dobriyan (1): block: fix integer overflow in BLKSECDISCARD Alper Nebi Yasak (1): ASoC: samsung: midas_wm1811: Map missing jack kcontrols Andreas Gruenbacher (1): gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag Anjaneyulu (1): wifi: iwlwifi: add a few rate index validity checks Catherine Hoang (1): xfs: allow read IO and FICLONE to run concurrently Charles Keepax (3): ASoC: wm8994: Add depends on MFD core ASoC: samsung: Add missing selects for MFD_WM8994 ASoC: samsung: Add missing depends on I2C Cheng Lin (1): xfs: introduce protection for drop nlink Christoph Hellwig (4): xfs: handle nimaps=0 from xfs_bmapi_write in xfs_alloc_file_space xfs: only remap the written blocks in xfs_reflink_end_cow_extent xfs: clean up FS_XFLAG_REALTIME handling in xfs_ioctl_setattr_xflags xfs: respect the stable writes flag on the RT device Cosmin Tanislav (1): regmap: detach regmap from dev on regmap_exit Darrick J. Wong (8): xfs: bump max fsgeom struct version xfs: hoist freeing of rt data fork extent mappings xfs: prevent rt growfs when quota is enabled xfs: rt stubs should return negative errnos when rt disabled xfs: fix units conversion error in xfs_bmap_del_extent_delay xfs: make sure maxlen is still congruent with prod when rounding down xfs: clean up dqblk extraction xfs: dquot recovery does not validate the recovered dquot Dave Chinner (1): xfs: inode recovery does not validate the recovered inode Easwar Hariharan (1): scsi: storvsc: Ratelimit warning logs to prevent VM denial of service Enzo Matsumiya (1): smb: client: fix UAF in async decryption Greg Kroah-Hartman (2): Revert "usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null" Linux 6.1.128 Ido Schimmel (1): ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_find() Jack Greiner (1): Input: xpad - add support for wooting two he (arm) Jamal Hadi Salim (1): net: sched: fix ets qdisc OOB Indexing Jiri Kosina (1): Revert "HID: multitouch: Add support for lenovo Y9000P Touchpad" K Prateek Nayak (1): softirq: Allow raising SCHED_SOFTIRQ from SMP-call-function on RT kernel Leah Rumancik (1): xfs: up(ic_sema) if flushing data device fails Lianqin Hu (1): ALSA: usb-audio: Add delay quirk for USB Audio Device Linus Walleij (1): seccomp: Stub for !CONFIG_SECCOMP Long Li (2): xfs: factor out xfs_defer_pending_abort xfs: abort intent items when recovery intents fail Luis Henriques (SUSE) (1): ext4: fix access to uninitialised lock in fc replay path Marek Szyprowski (1): ASoC: samsung: midas_wm1811: Fix 'Headphone Switch' control creation Mark Pearson (1): Input: atkbd - map F23 key to support default copilot shortcut Maíra Canal (1): drm/v3d: Assign job pointer to NULL before signaling the fence Nilton Perim Neto (1): Input: xpad - add unofficial Xbox 360 wireless receiver clone Omar Sandoval (1): xfs: fix internal error from AGFL exhaustion Omid Ehtemam-Haghighi (1): ipv6: Fix soft lockups in fib6_select_path under high next hop churn Paulo Alcantara (1): smb: client: fix NULL ptr deref in crypto_aead_setkey() Pavel Begunkov (1): io_uring: fix waiters missing wake ups Philippe Simons (1): irqchip/sunxi-nmi: Add missing SKIP_WAKE flag Qasim Ijaz (1): USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb() Tom Chung (1): drm/amd/display: Use HW lock mgr for PSR1 Xiang Zhang (1): scsi: iscsi: Fix redundant response for ISCSI_UEVENT_GET_HOST_STATS request

5 months, 3 weeks

1
1
0 0

Linux 5.15.178

by Greg Kroah-Hartman

I'm announcing the release of the 5.15.178 kernel. All users of the 5.15 kernel series must upgrade. The updated 5.15.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.15.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 +- drivers/base/regmap/regmap.c | 12 ++++++++++++ drivers/gpu/drm/v3d/v3d_irq.c | 16 ++++++++++++---- drivers/input/joystick/xpad.c | 2 ++ drivers/input/keyboard/atkbd.c | 2 +- drivers/irqchip/irq-sunxi-nmi.c | 3 ++- drivers/net/wireless/intel/iwlwifi/dvm/rs.c | 7 +++++-- drivers/net/wireless/intel/iwlwifi/mvm/rs.c | 9 ++++++--- drivers/platform/chrome/cros_ec_typec.c | 3 +++ drivers/scsi/scsi_transport_iscsi.c | 4 +++- drivers/scsi/storvsc_drv.c | 8 +++++++- drivers/usb/gadget/function/u_serial.c | 8 ++++---- drivers/usb/serial/quatech2.c | 2 +- drivers/vfio/platform/vfio_platform_common.c | 10 ++++++++++ fs/gfs2/file.c | 1 + fs/ntfs3/file.c | 12 ++++++++++-- include/linux/seccomp.h | 2 +- include/net/bluetooth/bluetooth.h | 9 +++++++++ net/bluetooth/rfcomm/sock.c | 14 +++++--------- net/bluetooth/sco.c | 19 ++++++++----------- net/ipv4/ip_tunnel.c | 2 +- net/mptcp/protocol.c | 18 +++++++++--------- net/sched/sch_ets.c | 2 ++ sound/soc/codecs/Kconfig | 1 + sound/soc/samsung/Kconfig | 6 ++++-- sound/usb/quirks.c | 2 ++ 26 files changed, 122 insertions(+), 54 deletions(-) Akihiko Odaki (1): platform/chrome: cros_ec_typec: Check for EC driver Alex Williamson (1): vfio/platform: check the bounds of read/write syscalls Andreas Gruenbacher (1): gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag Anjaneyulu (1): wifi: iwlwifi: add a few rate index validity checks Charles Keepax (3): ASoC: wm8994: Add depends on MFD core ASoC: samsung: Add missing selects for MFD_WM8994 ASoC: samsung: Add missing depends on I2C Cosmin Tanislav (1): regmap: detach regmap from dev on regmap_exit Easwar Hariharan (1): scsi: storvsc: Ratelimit warning logs to prevent VM denial of service Greg Kroah-Hartman (2): Revert "usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null" Linux 5.15.178 Ido Schimmel (1): ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_find() Jack Greiner (1): Input: xpad - add support for wooting two he (arm) Jamal Hadi Salim (1): net: sched: fix ets qdisc OOB Indexing Konstantin Komarov (1): fs/ntfs3: Additional check in ntfs_file_release Lianqin Hu (1): ALSA: usb-audio: Add delay quirk for USB Audio Device Linus Walleij (1): seccomp: Stub for !CONFIG_SECCOMP Luiz Augusto von Dentz (2): Bluetooth: SCO: Fix not validating setsockopt user input Bluetooth: RFCOMM: Fix not validating setsockopt user input Mark Pearson (1): Input: atkbd - map F23 key to support default copilot shortcut Maíra Canal (1): drm/v3d: Assign job pointer to NULL before signaling the fence Nilton Perim Neto (1): Input: xpad - add unofficial Xbox 360 wireless receiver clone Paolo Abeni (1): mptcp: don't always assume copied data in mptcp_cleanup_rbuf() Philippe Simons (1): irqchip/sunxi-nmi: Add missing SKIP_WAKE flag Qasim Ijaz (1): USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb() Xiang Zhang (1): scsi: iscsi: Fix redundant response for ISCSI_UEVENT_GET_HOST_STATS request

5 months, 3 weeks

1
1
0 0

Linux 5.4.290

by Greg Kroah-Hartman

I'm announcing the release of the 5.4.290 kernel. All users of the 5.4 kernel series must upgrade. The updated 5.4.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.4.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm64/boot/dts/rockchip/px30.dtsi | 8 + arch/arm64/boot/dts/rockchip/rk3328.dtsi | 4 arch/arm64/boot/dts/rockchip/rk3399.dtsi | 40 ++++++--- arch/m68k/fpsp040/skeleton.S | 3 arch/m68k/kernel/entry.S | 2 arch/m68k/kernel/sys_m68k.c | 2 arch/m68k/kernel/traps.c | 2 drivers/acpi/resource.c | 18 ++++ drivers/gpu/drm/amd/display/dc/dc.h | 2 drivers/gpu/drm/amd/display/dc/dml/dml_inline_defs.h | 8 + drivers/gpu/drm/v3d/v3d_irq.c | 12 ++ drivers/i2c/muxes/i2c-demux-pinctrl.c | 4 drivers/iio/adc/at91_adc.c | 2 drivers/iio/adc/ti-ads124s08.c | 4 drivers/iio/adc/ti-ads8688.c | 2 drivers/iio/dummy/iio_simple_dummy_buffer.c | 2 drivers/iio/gyro/fxas21002c_core.c | 9 +- drivers/iio/imu/kmx61.c | 2 drivers/iio/inkern.c | 2 drivers/iio/light/vcnl4035.c | 2 drivers/iio/pressure/zpa2326.c | 2 drivers/input/joystick/xpad.c | 2 drivers/input/keyboard/atkbd.c | 2 drivers/irqchip/irq-gic-v3.c | 2 drivers/irqchip/irq-sunxi-nmi.c | 3 drivers/md/dm-thin.c | 5 - drivers/md/persistent-data/dm-array.c | 19 ++-- drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 19 ---- drivers/net/ethernet/netronome/nfp/bpf/offload.c | 3 drivers/net/ethernet/ti/cpsw_ale.c | 14 +-- drivers/net/gtp.c | 42 +++++---- drivers/net/ieee802154/ca8210.c | 6 + drivers/net/xen-netback/hash.c | 7 - drivers/nvme/target/io-cmd-bdev.c | 2 drivers/phy/phy-core.c | 7 - drivers/scsi/scsi_transport_iscsi.c | 4 drivers/scsi/sg.c | 2 drivers/staging/iio/frequency/ad9832.c | 2 drivers/staging/iio/frequency/ad9834.c | 2 drivers/usb/class/usblp.c | 7 - drivers/usb/core/hub.c | 6 - drivers/usb/core/port.c | 7 - drivers/usb/gadget/function/f_fs.c | 2 drivers/usb/serial/cp210x.c | 1 drivers/usb/serial/option.c | 4 drivers/usb/serial/quatech2.c | 2 drivers/usb/storage/unusual_devs.h | 7 + drivers/vfio/platform/vfio_platform_common.c | 10 ++ fs/ext4/ext4.h | 1 fs/ext4/extents.c | 64 ++++++++++++-- fs/gfs2/file.c | 1 fs/hfs/super.c | 4 fs/jbd2/commit.c | 4 fs/ocfs2/quota_global.c | 2 fs/ocfs2/quota_local.c | 10 -- fs/proc/vmcore.c | 2 include/linux/hrtimer.h | 1 include/linux/poll.h | 10 ++ include/linux/usb.h | 3 include/linux/usb/hcd.h | 2 include/net/inet_connection_sock.h | 2 include/net/net_namespace.h | 3 kernel/cpu.c | 2 kernel/gen_kheaders.sh | 1 kernel/time/hrtimer.c | 11 ++ net/802/psnap.c | 4 net/core/net_namespace.c | 83 ++++++++++++------- net/dccp/ipv6.c | 2 net/ipv6/route.c | 2 net/ipv6/tcp_ipv6.c | 4 net/mac802154/iface.c | 4 net/sched/cls_flow.c | 3 net/sctp/sysctl.c | 9 +- net/tls/tls_sw.c | 2 sound/soc/codecs/Kconfig | 1 76 files changed, 387 insertions(+), 173 deletions(-) Akash M (1): usb: gadget: f_fs: Remove WARN_ON in functionfs_bind Al Viro (1): m68k: Update ->thread.esp0 before calling syscall_trace() in ret_from_signal Alex Williamson (1): vfio/platform: check the bounds of read/write syscalls Andreas Gruenbacher (1): gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag Antonio Pastor (1): net: 802: LLC+SNAP OID:PID lookup on start of skb data Arnd Bergmann (1): xhci: use pm_ptr() instead of #ifdef for CONFIG_PM conditionals Baokun Li (1): ext4: fix slab-use-after-free in ext4_split_extent_at() Benjamin Coddington (1): tls: Fix tls_sw_sendmsg error handling Carlos Song (1): iio: gyro: fxas21002c: Fix missing data update in trigger handler Charles Keepax (1): ASoC: wm8994: Add depends on MFD core Chukun Pan (1): USB: serial: option: add MeiG Smart SRM815 Dan Carpenter (1): nfp: bpf: prevent integer overflow in nfp_bpf_event_output() David Howells (1): kheaders: Ignore silly-rename files Dennis Lam (1): ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv Eric Dumazet (4): net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute net: add exit_batch_rtnl() method gtp: use exit_batch_rtnl() method ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev() Eric W. Biederman (1): signal/m68k: Use force_sigsegv(SIGSEGV) in fpsp040_die Fabio Estevam (1): iio: adc: ti-ads124s08: Use gpiod_set_value_cansleep() Greg Kroah-Hartman (2): Revert "usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null" Linux 5.4.290 Hans de Goede (2): ACPI: resource: Add TongFang GM5HG0A to irq1_edge_low_force_override[] ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[] Heiner Kallweit (1): net: ethernet: xgbe: re-add aneg to supported features in PHY quirks Jack Greiner (1): Input: xpad - add support for wooting two he (arm) Jason Xing (1): tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog Javier Carrasco (5): iio: pressure: zpa2326: fix information leak in triggered buffer iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered buffer iio: light: vcnl4035: fix information leak in triggered buffer iio: imu: kmx61: fix information leak in triggered buffer iio: adc: ti-ads8688: fix information leak in triggered buffer Jeongjun Park (1): net/xen-netback: prevent UAF in xenvif_flush_hash() Joe Hattori (2): iio: adc: at91: call input_free_device() on allocated iio_dev iio: inkern: call iio_device_put() only on mapped devices Johan Hovold (1): USB: serial: cp210x: add Phoenix Contact UPS Device Johan Jonker (3): arm64: dts: rockchip: fix defines in pd_vio node for rk3399 arm64: dts: rockchip: fix pd_tcpc0 and pd_tcpc1 node position on rk3399 arm64: dts: rockchip: add #power-domain-cells to power domain nodes Joseph Qi (1): ocfs2: correct return value of ocfs2_local_free_info() Jun Yan (1): USB: usblp: return error when setting unsupported protocol Kai-Heng Feng (1): USB: core: Disable LPM only for non-suspended ports Keisuke Nishimura (1): ieee802154: ca8210: Add missing check for kfifo_alloc() in ca8210_probe() Koichiro Den (1): hrtimers: Handle CPU state correctly on hotplug Krister Johansen (1): dm thin: make get_first_thin use rcu-safe list first function Kuniyuki Iwashima (2): gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp(). gtp: Destroy device along with udp socket's netns dismantle. Leo Stone (1): hfs: Sanity check the root record Liam Howlett (1): m68k: Add missing mmap_read_lock() to sys_cacheflush() Lianqin Hu (1): usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null Lizhi Xu (1): mac802154: check local interfaces before deleting sdata list Lubomir Rintel (1): usb-storage: Add max sectors quirk for Nokia 208 Luis Chamberlain (1): nvmet: propagate npwg topology Ma Ke (1): usb: fix reference leak in usb_new_device() Madhuparna Bhowmik (1): net: xen-netback: hash.c: Use built-in RCU list checking Mark Pearson (1): Input: atkbd - map F23 key to support default copilot shortcut Matthieu Baerts (NGI0) (3): sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy sctp: sysctl: auth_enable: avoid using current->nsproxy sctp: sysctl: rto_min/max: avoid using current->nsproxy Maíra Canal (2): drm/v3d: Ensure job pointer is set to NULL after job completion drm/v3d: Assign job pointer to NULL before signaling the fence Melissa Wen (1): drm/amd/display: increase MAX_SURFACES to the value supported by hw Michal Hrusecky (1): USB: serial: option: add Neoway N723-EA support Ming-Hung Tsai (3): dm array: fix releasing a faulty array block twice in dm_array_cursor_end dm array: fix unreleased btree blocks on closing a faulty array cursor dm array: fix cursor index when skipping across block boundaries Nilton Perim Neto (1): Input: xpad - add unofficial Xbox 360 wireless receiver clone Oleg Nesterov (1): poll_wait: add mb() to fix theoretical race between waitqueue_active() and .poll() Peter Geis (1): arm64: dts: rockchip: add hevc power domain clock to rk3328 Philippe Simons (1): irqchip/sunxi-nmi: Add missing SKIP_WAKE flag Qasim Ijaz (1): USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb() Rik van Riel (1): fs/proc: fix softlockup in __read_vmcore (part 2) Roman Li (1): drm/amd/display: Add check for granularity in dml ceil/floor helpers Ron Economos (1): Partial revert of xhci: use pm_ptr() instead #ifdef for CONFIG_PM conditionals Sudheer Kumar Doredla (1): net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field() Suraj Sonawane (1): scsi: sg: Fix slab-use-after-free read in sg_release() Theodore Ts'o (1): ext4: avoid ext4_error()'s caused by ENOMEM in the truncate path Vinod Koul (1): phy: core: fix code style in devm_of_phy_provider_unregister Wang Liang (1): net: fix data-races around sk->sk_forward_alloc Wolfram Sang (1): i2c: mux: demux-pinctrl: check initial mux selection, too Xiang Zhang (1): scsi: iscsi: Fix redundant response for ISCSI_UEVENT_GET_HOST_STATS request Yajun Deng (1): net: net_namespace: Optimize the code Yogesh Lal (1): irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly Zhang Yi (1): jbd2: flush filesystem device before updating tail sequence Zhongqiu Duan (1): tcp/dccp: allow a connection when sk_max_ack_backlog is zero Zicheng Qu (2): staging: iio: ad9834: Correct phase range check staging: iio: ad9832: Correct phase range check Zijun Hu (1): phy: core: Fix that API devm_of_phy_provider_unregister() fails to unregister the phy provider

5 months, 3 weeks

1
1
0 0

[PATCH 1/2] efi: Avoid cold plugged memory for placing the kernel

by Ard Biesheuvel

From: Ard Biesheuvel <ardb(a)kernel.org> UEFI 2.11 introduced EFI_MEMORY_HOT_PLUGGABLE to annotate system memory regions that are 'cold plugged' at boot, i.e., hot pluggable memory that is available from early boot, and described as system RAM by the firmware. Existing loaders and EFI applications running in the boot context will happily use this memory for allocating data structures that cannot be freed or moved at runtime, and this prevents the memory from being unplugged. Going forward, the new EFI_MEMORY_HOT_PLUGGABLE attribute should be tested, and memory annotated as such should be avoided for such allocations. In the EFI stub, there are a couple of occurrences where, instead of the high-level AllocatePages() UEFI boot service, a low-level code sequence is used that traverses the EFI memory map and carves out the requested number of pages from a free region. This is needed, e.g., for allocating as low as possible, or for allocating pages at random. While AllocatePages() should presumably avoid special purpose memory and cold plugged regions, this manual approach needs to incorporate this logic itself, in order to prevent the kernel itself from ending up in a hot unpluggable region, preventing it from being unplugged. So add the EFI_MEMORY_HOTPLUGGABLE macro definition, and check for it where appropriate. Cc: <stable(a)vger.kernel.org> Signed-off-by: Ard Biesheuvel <ardb(a)kernel.org> --- drivers/firmware/efi/efi.c | 6 ++++-- drivers/firmware/efi/libstub/randomalloc.c | 3 +++ drivers/firmware/efi/libstub/relocate.c | 3 +++ include/linux/efi.h | 1 + 4 files changed, 11 insertions(+), 2 deletions(-) diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index 8296bf985d1d..7309394b8fc9 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -934,13 +934,15 @@ char * __init efi_md_typeattr_format(char *buf, size_t size, EFI_MEMORY_WB | EFI_MEMORY_UCE | EFI_MEMORY_RO | EFI_MEMORY_WP | EFI_MEMORY_RP | EFI_MEMORY_XP | EFI_MEMORY_NV | EFI_MEMORY_SP | EFI_MEMORY_CPU_CRYPTO | - EFI_MEMORY_RUNTIME | EFI_MEMORY_MORE_RELIABLE)) + EFI_MEMORY_MORE_RELIABLE | EFI_MEMORY_HOT_PLUGGABLE | + EFI_MEMORY_RUNTIME)) snprintf(pos, size, "|attr=0x%016llx]", (unsigned long long)attr); else snprintf(pos, size, - "|%3s|%2s|%2s|%2s|%2s|%2s|%2s|%2s|%2s|%3s|%2s|%2s|%2s|%2s]", + "|%3s|%2s|%2s|%2s|%2s|%2s|%2s|%2s|%2s|%2s|%3s|%2s|%2s|%2s|%2s]", attr & EFI_MEMORY_RUNTIME ? "RUN" : "", + attr & EFI_MEMORY_HOT_PLUGGABLE ? "HP" : "", attr & EFI_MEMORY_MORE_RELIABLE ? "MR" : "", attr & EFI_MEMORY_CPU_CRYPTO ? "CC" : "", attr & EFI_MEMORY_SP ? "SP" : "", diff --git a/drivers/firmware/efi/libstub/randomalloc.c b/drivers/firmware/efi/libstub/randomalloc.c index e5872e38d9a4..5a732018be36 100644 --- a/drivers/firmware/efi/libstub/randomalloc.c +++ b/drivers/firmware/efi/libstub/randomalloc.c @@ -25,6 +25,9 @@ static unsigned long get_entry_num_slots(efi_memory_desc_t *md, if (md->type != EFI_CONVENTIONAL_MEMORY) return 0; + if (md->attribute & EFI_MEMORY_HOT_PLUGGABLE) + return 0; + if (efi_soft_reserve_enabled() && (md->attribute & EFI_MEMORY_SP)) return 0; diff --git a/drivers/firmware/efi/libstub/relocate.c b/drivers/firmware/efi/libstub/relocate.c index 99b45d1cd624..d4264bfb6dc1 100644 --- a/drivers/firmware/efi/libstub/relocate.c +++ b/drivers/firmware/efi/libstub/relocate.c @@ -53,6 +53,9 @@ efi_status_t efi_low_alloc_above(unsigned long size, unsigned long align, if (desc->type != EFI_CONVENTIONAL_MEMORY) continue; + if (desc->attribute & EFI_MEMORY_HOT_PLUGGABLE) + continue; + if (efi_soft_reserve_enabled() && (desc->attribute & EFI_MEMORY_SP)) continue; diff --git a/include/linux/efi.h b/include/linux/efi.h index 053c57e61869..db293d7de686 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h @@ -128,6 +128,7 @@ typedef struct { #define EFI_MEMORY_RO ((u64)0x0000000000020000ULL) /* read-only */ #define EFI_MEMORY_SP ((u64)0x0000000000040000ULL) /* soft reserved */ #define EFI_MEMORY_CPU_CRYPTO ((u64)0x0000000000080000ULL) /* supports encryption */ +#define EFI_MEMORY_HOT_PLUGGABLE BIT_ULL(20) /* supports unplugging at runtime */ #define EFI_MEMORY_RUNTIME ((u64)0x8000000000000000ULL) /* range requires runtime mapping */ #define EFI_MEMORY_DESCRIPTOR_VERSION 1 -- 2.48.1.362.g079036d154-goog

5 months, 3 weeks

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror February 2025