May 2025 - Linux-stable-mirror

FAILED: patch "[PATCH] smb: client: Fix use-after-free in cifs_fill_dirent" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x a7a8fe56e932a36f43e031b398aef92341bf5ea0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052432-deafening-parted-13e0@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a7a8fe56e932a36f43e031b398aef92341bf5ea0 Mon Sep 17 00:00:00 2001 From: Wang Zhaolong <wangzhaolong1(a)huawei.com> Date: Fri, 16 May 2025 17:12:55 +0800 Subject: [PATCH] smb: client: Fix use-after-free in cifs_fill_dirent There is a race condition in the readdir concurrency process, which may access the rsp buffer after it has been released, triggering the following KASAN warning. ================================================================== BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs] Read of size 4 at addr ffff8880099b819c by task a.out/342975 CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x53/0x70 print_report+0xce/0x640 kasan_report+0xb8/0xf0 cifs_fill_dirent+0xb03/0xb60 [cifs] cifs_readdir+0x12cb/0x3190 [cifs] iterate_dir+0x1a1/0x520 __x64_sys_getdents+0x134/0x220 do_syscall_64+0x4b/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f996f64b9f9 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0d f7 c3 0c 00 f7 d8 64 89 8 RSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e RAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88 R13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000 </TASK> Allocated by task 408: kasan_save_stack+0x20/0x40 kasan_save_track+0x14/0x30 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0x117/0x3d0 mempool_alloc_noprof+0xf2/0x2c0 cifs_buf_get+0x36/0x80 [cifs] allocate_buffers+0x1d2/0x330 [cifs] cifs_demultiplex_thread+0x22b/0x2690 [cifs] kthread+0x394/0x720 ret_from_fork+0x34/0x70 ret_from_fork_asm+0x1a/0x30 Freed by task 342979: kasan_save_stack+0x20/0x40 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x37/0x50 kmem_cache_free+0x2b8/0x500 cifs_buf_release+0x3c/0x70 [cifs] cifs_readdir+0x1c97/0x3190 [cifs] iterate_dir+0x1a1/0x520 __x64_sys_getdents64+0x134/0x220 do_syscall_64+0x4b/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e The buggy address belongs to the object at ffff8880099b8000 which belongs to the cache cifs_request of size 16588 The buggy address is located 412 bytes inside of freed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 anon flags: 0x80000000000040(head|node=0|zone=1) page_type: f5(slab) raw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001 raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000 head: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001 head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000 head: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== POC is available in the link [1]. The problem triggering process is as follows: Process 1 Process 2 ----------------------------------------------------------------- cifs_readdir /* file->private_data == NULL */ initiate_cifs_search cifsFile = kzalloc(sizeof(struct cifsFileInfo), GFP_KERNEL); smb2_query_dir_first ->query_dir_first() SMB2_query_directory SMB2_query_directory_init cifs_send_recv smb2_parse_query_directory srch_inf->ntwrk_buf_start = (char *)rsp; srch_inf->srch_entries_start = (char *)rsp + ... srch_inf->last_entry = (char *)rsp + ... srch_inf->smallBuf = true; find_cifs_entry /* if (cfile->srch_inf.ntwrk_buf_start) */ cifs_small_buf_release(cfile->srch_inf // free cifs_readdir ->iterate_shared() /* file->private_data != NULL */ find_cifs_entry /* in while (...) loop */ smb2_query_dir_next ->query_dir_next() SMB2_query_directory SMB2_query_directory_init cifs_send_recv compound_send_recv smb_send_rqst __smb_send_rqst rc = -ERESTARTSYS; /* if (fatal_signal_pending()) */ goto out; return rc /* if (cfile->srch_inf.last_entry) */ cifs_save_resume_key() cifs_fill_dirent // UAF /* if (rc) */ return -ENOENT; Fix this by ensuring the return code is checked before using pointers from the srch_inf. Link: https://bugzilla.kernel.org/show_bug.cgi?id=220131 [1] Fixes: a364bc0b37f1 ("[CIFS] fix saving of resume key before CIFSFindNext") Cc: stable(a)vger.kernel.org Reviewed-by: Paulo Alcantara (Red Hat) <pc(a)manguebit.com> Signed-off-by: Wang Zhaolong <wangzhaolong1(a)huawei.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/client/readdir.c b/fs/smb/client/readdir.c index 50f96259d9ad..67d7dd64b5e2 100644 --- a/fs/smb/client/readdir.c +++ b/fs/smb/client/readdir.c @@ -756,11 +756,11 @@ find_cifs_entry(const unsigned int xid, struct cifs_tcon *tcon, loff_t pos, rc = server->ops->query_dir_next(xid, tcon, &cfile->fid, search_flags, &cfile->srch_inf); + if (rc) + return -ENOENT; /* FindFirst/Next set last_entry to NULL on malformed reply */ if (cfile->srch_inf.last_entry) cifs_save_resume_key(cfile->srch_inf.last_entry, cfile); - if (rc) - return -ENOENT; } if (index_to_find < cfile->srch_inf.index_of_last_entry) { /* we found the buffer that contains the entry */

1 month

2
4
0 0

6.12.30: black screen after waking up from hibernate; bisected

by Rainer Fiebig

With kernel 6.12.30 waking up from hibernate fails in a Ryzen 3 5600G system with the latest BIOS. At the end of the wake-up procedure the screen goes black instead of showing the log-in screen and the system becomes unresponsive. A hard reset is necessary. Seeing messages like the following in the system log, I suspected an amdgpu problem: May 23 19:09:30 LUX kernel: [16885.524496] amdgpu 0000:30:00.0: [drm] *ERROR* flip_done timed out May 23 19:09:30 LUX kernel: [16885.524501] amdgpu 0000:30:00.0: [drm] *ERROR* [CRTC:73:crtc-0] commit wait timed out I don't know whether those messages and the problem are really related but I bisected in 'drivers/gpu/drm/amd' anyway and the result was: > git bisect bad 25e07c8403f4daad35cffc18d96e32a80a2a3222 is the first bad commit commit 25e07c8403f4daad35cffc18d96e32a80a2a3222 (HEAD) Author: Alex Deucher <alexander.deucher(a)amd.com> Date: Thu May 1 13:46:46 2025 -0400 drm/amdgpu: fix pm notifier handling commit 4aaffc85751da5722e858e4333e8cf0aa4b6c78f upstream. Set the s3/s0ix and s4 flags in the pm notifier so that we can skip the resource evictions properly in pm prepare based on whether we are suspending or hibernating. Drop the eviction as processes are not frozen at this time, we we can end up getting stuck trying to evict VRAM while applications continue to submit work which causes the buffers to get pulled back into VRAM. HTH. Thanks. Rainer -- The truth always turns out to be simpler than you thought. Richard Feynman

1 month

3
5
0 0

[PATCH] rtc: pcf2127: add missing semicolon after statement

by Hugo Villeneuve

From: Hugo Villeneuve <hvilleneuve(a)dimonoff.com> Replace comma with semicolon at the end of the statement when setting config.max_register. Fixes: fd28ceb4603f ("rtc: pcf2127: add variant-specific configuration structure") Cc: stable(a)vger.kernel.org Cc: Elena Popa <elena.popa(a)nxp.com> Signed-off-by: Hugo Villeneuve <hvilleneuve(a)dimonoff.com> --- drivers/rtc/rtc-pcf2127.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/rtc/rtc-pcf2127.c b/drivers/rtc/rtc-pcf2127.c index 31c7dca8f469..2bfebe3eba0c 100644 --- a/drivers/rtc/rtc-pcf2127.c +++ b/drivers/rtc/rtc-pcf2127.c @@ -1538,7 +1538,7 @@ static int pcf2127_spi_probe(struct spi_device *spi) variant = &pcf21xx_cfg[type]; } - config.max_register = variant->max_register, + config.max_register = variant->max_register; regmap = devm_regmap_init_spi(spi, &config); if (IS_ERR(regmap)) { base-commit: c7622a4e44d9d008e0e5edcc46c71854c50cf4a8 -- 2.39.5

1 month

1
0
0 0

+ mm-fix-uprobe-pte-be-overwritten-when-expanding-vma.patch added to mm-unstable branch

by Andrew Morton

The patch titled Subject: mm: fix uprobe pte be overwritten when expanding vma has been added to the -mm mm-unstable branch. Its filename is mm-fix-uprobe-pte-be-overwritten-when-expanding-vma.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Pu Lehui <pulehui(a)huawei.com> Subject: mm: fix uprobe pte be overwritten when expanding vma Date: Thu, 29 May 2025 15:56:47 +0000 Patch series "Fix uprobe pte be overwritten when expanding vma". This patch (of 4): We encountered a BUG alert triggered by Syzkaller as follows: BUG: Bad rss-counter state mm:00000000b4a60fca type:MM_ANONPAGES val:1 And we can reproduce it with the following steps: 1. register uprobe on file at zero offset 2. mmap the file at zero offset: addr1 = mmap(NULL, 2 * 4096, PROT_NONE, MAP_PRIVATE, fd, 0); 3. mremap part of vma1 to new vma2: addr2 = mremap(addr1, 4096, 2 * 4096, MREMAP_MAYMOVE); 4. mremap back to orig addr1: mremap(addr2, 4096, 4096, MREMAP_MAYMOVE | MREMAP_FIXED, addr1); In step 3, the vma1 range [addr1, addr1 + 4096] will be remap to new vma2 with range [addr2, addr2 + 8192], and remap uprobe anon page from the vma1 to vma2, then unmap the vma1 range [addr1, addr1 + 4096]. In step 4, the vma2 range [addr2, addr2 + 4096] will be remap back to the addr range [addr1, addr1 + 4096]. Since the addr range [addr1 + 4096, addr1 + 8192] still maps the file, it will take vma_merge_new_range to expand the range, and then do uprobe_mmap in vma_complete. Since the merged vma pgoff is also zero offset, it will install uprobe anon page to the merged vma. However, the upcomming move_page_tables step, which use set_pte_at to remap the vma2 uprobe pte to the merged vma, will overwrite the newly uprobe pte in the merged vma, and lead that pte to be orphan. Since the uprobe pte will be remapped to the merged vma, we can remove the unnecessary uprobe_mmap upon merged vma. This problem was first found in linux-6.6.y and also exists in the community syzkaller: https://lore.kernel.org/all/000000000000ada39605a5e71711@google.com/T/ Link: https://lkml.kernel.org/r/20250529155650.4017699-1-pulehui@huaweicloud.com Link: https://lkml.kernel.org/r/20250529155650.4017699-2-pulehui@huaweicloud.com Fixes: 2b1444983508 ("uprobes, mm, x86: Add the ability to install and remove uprobes breakpoints") Signed-off-by: Pu Lehui <pulehui(a)huawei.com> Suggested-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Jann Horn <jannh(a)google.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: "Masami Hiramatsu (Google)" <mhiramat(a)kernel.org> Cc: Oleg Nesterov <oleg(a)redhat.com> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/vma.c | 20 +++++++++++++++++--- mm/vma.h | 7 +++++++ 2 files changed, 24 insertions(+), 3 deletions(-) --- a/mm/vma.c~mm-fix-uprobe-pte-be-overwritten-when-expanding-vma +++ a/mm/vma.c @@ -169,6 +169,9 @@ static void init_multi_vma_prep(struct v vp->file = vma->vm_file; if (vp->file) vp->mapping = vma->vm_file->f_mapping; + + if (vmg && vmg->skip_vma_uprobe) + vp->skip_vma_uprobe = true; } /* @@ -358,10 +361,13 @@ static void vma_complete(struct vma_prep if (vp->file) { i_mmap_unlock_write(vp->mapping); - uprobe_mmap(vp->vma); - if (vp->adj_next) - uprobe_mmap(vp->adj_next); + if (!vp->skip_vma_uprobe) { + uprobe_mmap(vp->vma); + + if (vp->adj_next) + uprobe_mmap(vp->adj_next); + } } if (vp->remove) { @@ -1830,6 +1836,14 @@ struct vm_area_struct *copy_vma(struct v faulted_in_anon_vma = false; } + /* + * If the VMA we are copying might contain a uprobe PTE, ensure + * that we do not establish one upon merge. Otherwise, when mremap() + * moves page tables, it will orphan the newly created PTE. + */ + if (vma->vm_file) + vmg.skip_vma_uprobe = true; + new_vma = find_vma_prev(mm, addr, &vmg.prev); if (new_vma && new_vma->vm_start < addr + len) return NULL; /* should never get here */ --- a/mm/vma.h~mm-fix-uprobe-pte-be-overwritten-when-expanding-vma +++ a/mm/vma.h @@ -19,6 +19,8 @@ struct vma_prepare { struct vm_area_struct *insert; struct vm_area_struct *remove; struct vm_area_struct *remove2; + + bool skip_vma_uprobe :1; }; struct unlink_vma_file_batch { @@ -120,6 +122,11 @@ struct vma_merge_struct { */ bool give_up_on_oom :1; + /* + * If set, skip uprobe_mmap upon merged vma. + */ + bool skip_vma_uprobe :1; + /* Internal flags set during merge process: */ /* _ Patches currently in -mm which might be from pulehui(a)huawei.com are mm-fix-uprobe-pte-be-overwritten-when-expanding-vma.patch mm-expose-abnormal-new_pte-during-move_ptes.patch selftests-mm-extract-read_sysfs-and-write_sysfs-into-vm_util.patch selftests-mm-add-test-about-uprobe-pte-be-orphan-during-vma-merge.patch

1 month

1
0
0 0

[PATCH] x86/mm: Fix paging-structure cache flush on kernel table freeing

by Jann Horn

There are several issues in pud_free_pmd_page() and pmd_free_pte_page(), which are used by vmalloc: 1. flush_tlb_kernel_range() does not flush paging-structure caches for inactive PCIDs, but we're using it when freeing kernel page tables. 2. flush_tlb_kernel_range() only flushes paging-structure cache entries that intersect with the flush range, and pud_free_pmd_page() passes in the first PAGE_SIZE bytes of the area covered by the PMD table; but pud_free_pmd_page() is actually designed to also remove PTE tables that were installed in the PMD table, so we need to also flush those. 3. [theoretical issue] invlpgb_kernel_range_flush() expects an exclusive range, it does: `nr = (info->end - addr) >> PAGE_SHIFT;` But pmd_free_pte_page() and pud_free_pmd_page() provide inclusive ranges (`addr, addr + PAGE_SIZE-1`). To fix it: 1. Add a new helper flush_tlb_kernel_pgtable_range() for flushing paging structure caches for kernel page tables, and use that. 2. Flush PUD_SIZE instead of PAGE_SIZE in pud_free_pmd_page(). 3. Remove `-1` in end address calculations. Note that since I'm not touching invlpgb_kernel_range_flush() or invlpgb_flush_addr_nosync() in this patch, the flush on PMD table deletion with INVLPGB might be a bit slow due to using PTE_STRIDE instead of PMD_STRIDE. I don't think that matters. Backport notes: Kernels before 6.16 don't have invlpgb_kernel_range_flush(); for them, kernel_tlb_flush_pgtable() should just unconditionally call flush_tlb_all(). I am marking this as fixing commit 28ee90fe6048 ("x86/mm: implement free pmd/pte page interfaces"); that is technically incorrect, since back then no paging-structure cache invalidations were performed at all, but probably makes the most sense here. Cc: stable(a)vger.kernel.org Fixes: 28ee90fe6048 ("x86/mm: implement free pmd/pte page interfaces") Signed-off-by: Jann Horn <jannh(a)google.com> --- arch/x86/include/asm/tlb.h | 4 ++++ arch/x86/include/asm/tlbflush.h | 1 + arch/x86/mm/pgtable.c | 13 +++++++++---- arch/x86/mm/tlb.c | 37 +++++++++++++++++++++++++++++++++++++ 4 files changed, 51 insertions(+), 4 deletions(-) diff --git a/arch/x86/include/asm/tlb.h b/arch/x86/include/asm/tlb.h index 866ea78ba156..56a4b93a0742 100644 --- a/arch/x86/include/asm/tlb.h +++ b/arch/x86/include/asm/tlb.h @@ -153,6 +153,10 @@ static inline void invlpgb_flush_all(void) /* Flush addr, including globals, for all PCIDs. */ static inline void invlpgb_flush_addr_nosync(unsigned long addr, u16 nr) { + /* + * Don't set INVLPGB_FLAG_FINAL_ONLY here without adjusting + * kernel_tlb_flush_pgtable(). + */ __invlpgb(0, 0, addr, nr, PTE_STRIDE, INVLPGB_FLAG_INCLUDE_GLOBAL); } diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h index e9b81876ebe4..06a4a2b7a9f5 100644 --- a/arch/x86/include/asm/tlbflush.h +++ b/arch/x86/include/asm/tlbflush.h @@ -318,6 +318,7 @@ extern void flush_tlb_mm_range(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned int stride_shift, bool freed_tables); extern void flush_tlb_kernel_range(unsigned long start, unsigned long end); +void flush_tlb_kernel_pgtable_range(unsigned long start, unsigned long end); static inline void flush_tlb_page(struct vm_area_struct *vma, unsigned long a) { diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c index 62777ba4de1a..0779ed02226c 100644 --- a/arch/x86/mm/pgtable.c +++ b/arch/x86/mm/pgtable.c @@ -745,8 +745,13 @@ int pud_free_pmd_page(pud_t *pud, unsigned long addr) pud_clear(pud); - /* INVLPG to clear all paging-structure caches */ - flush_tlb_kernel_range(addr, addr + PAGE_SIZE-1); + /* + * Clear paging-structure caches. + * Note that since this function can remove a PMD table together with the + * PTE tables it points to, we can't just flush the first PAGE_SIZE, we + * must flush PUD_SIZE! + */ + flush_tlb_kernel_pgtable_range(addr, addr + PUD_SIZE); for (i = 0; i < PTRS_PER_PMD; i++) { if (!pmd_none(pmd_sv[i])) { @@ -778,8 +783,8 @@ int pmd_free_pte_page(pmd_t *pmd, unsigned long addr) pte = (pte_t *)pmd_page_vaddr(*pmd); pmd_clear(pmd); - /* INVLPG to clear all paging-structure caches */ - flush_tlb_kernel_range(addr, addr + PAGE_SIZE-1); + /* clear paging-structure caches */ + flush_tlb_kernel_pgtable_range(addr, addr + PAGE_SIZE); free_page((unsigned long)pte); diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c index 39f80111e6f1..26b78451a7ed 100644 --- a/arch/x86/mm/tlb.c +++ b/arch/x86/mm/tlb.c @@ -1525,6 +1525,22 @@ static void kernel_tlb_flush_range(struct flush_tlb_info *info) on_each_cpu(do_kernel_range_flush, info, 1); } +static void kernel_tlb_flush_pgtable(struct flush_tlb_info *info) +{ + /* + * The special thing about removing kernel page tables is that we can't + * use a flush that just removes global TLB entries; we need one that + * flushes paging structure caches across all PCIDs. + * With INVLPGB, that's explicitly supported. + * Otherwise, there's no good way (INVLPG and INVPCID can't specifically + * target one address across all PCIDs), just throw everything away. + */ + if (cpu_feature_enabled(X86_FEATURE_INVLPGB)) + invlpgb_kernel_range_flush(info); + else + flush_tlb_all(); +} + void flush_tlb_kernel_range(unsigned long start, unsigned long end) { struct flush_tlb_info *info; @@ -1542,6 +1558,27 @@ void flush_tlb_kernel_range(unsigned long start, unsigned long end) put_flush_tlb_info(); } +/* + * Flush paging-structure cache entries for page tables covering the specified + * range and synchronize with concurrent hardware page table walks, in + * preparation for freeing page tables in the region. + * This must not be used for flushing translations to data pages. + */ +void flush_tlb_kernel_pgtable_range(unsigned long start, unsigned long end) +{ + struct flush_tlb_info *info; + + /* We don't synchronize against GUP-fast. */ + VM_WARN_ON(start < TASK_SIZE_MAX); + + guard(preempt)(); + + info = get_flush_tlb_info(NULL, start, end, PMD_SHIFT, true, + TLB_GENERATION_INVALID); + kernel_tlb_flush_pgtable(info); + put_flush_tlb_info(); +} + /* * This can be used from process context to figure out what the value of * CR3 is without needing to do a (slow) __read_cr3(). --- base-commit: b1456f6dc167f7f101746e495bede2bac3d0e19f change-id: 20250528-x86-fix-vmap-pt-del-flush-f9fa4f287c93 -- Jann Horn <jannh(a)google.com>

1 month

2
1
0 0

[PATCH v6.6 00/26] af_unix: Align with upstream to avoid a potential UAF

by Lee Jones

From: Lee Jones <joneslee(a)google.com> This is the second attempt at achieving the same goal. This time, the submission avoids forking the current code base, ensuring it remains easier to maintain over time. The set has been tested using the SCM_RIGHTS test suite [1] using QEMU and has been seen to successfully mitigate a UAF on on a top tier handset. RESULTS: TAP version 13 1..20 # Starting 20 tests from 5 test cases. # RUN scm_rights.dgram.self_ref ... # OK scm_rights.dgram.self_ref ok 1 scm_rights.dgram.self_ref # RUN scm_rights.dgram.triangle ... # OK scm_rights.dgram.triangle ok 2 scm_rights.dgram.triangle # RUN scm_rights.dgram.cross_edge ... # OK scm_rights.dgram.cross_edge ok 3 scm_rights.dgram.cross_edge # RUN scm_rights.dgram.backtrack_from_scc ... # OK scm_rights.dgram.backtrack_from_scc ok 4 scm_rights.dgram.backtrack_from_scc # RUN scm_rights.stream.self_ref ... # OK scm_rights.stream.self_ref ok 5 scm_rights.stream.self_ref # RUN scm_rights.stream.triangle ... # OK scm_rights.stream.triangle ok 6 scm_rights.stream.triangle # RUN scm_rights.stream.cross_edge ... # OK scm_rights.stream.cross_edge ok 7 scm_rights.stream.cross_edge # RUN scm_rights.stream.backtrack_from_scc ... # OK scm_rights.stream.backtrack_from_scc ok 8 scm_rights.stream.backtrack_from_scc # RUN scm_rights.stream_oob.self_ref ... # OK scm_rights.stream_oob.self_ref ok 9 scm_rights.stream_oob.self_ref # RUN scm_rights.stream_oob.triangle ... # OK scm_rights.stream_oob.triangle ok 10 scm_rights.stream_oob.triangle # RUN scm_rights.stream_oob.cross_edge ... # OK scm_rights.stream_oob.cross_edge ok 11 scm_rights.stream_oob.cross_edge # RUN scm_rights.stream_oob.backtrack_from_scc ... # OK scm_rights.stream_oob.backtrack_from_scc ok 12 scm_rights.stream_oob.backtrack_from_scc # RUN scm_rights.stream_listener.self_ref ... # OK scm_rights.stream_listener.self_ref ok 13 scm_rights.stream_listener.self_ref # RUN scm_rights.stream_listener.triangle ... # OK scm_rights.stream_listener.triangle ok 14 scm_rights.stream_listener.triangle # RUN scm_rights.stream_listener.cross_edge ... # OK scm_rights.stream_listener.cross_edge ok 15 scm_rights.stream_listener.cross_edge # RUN scm_rights.stream_listener.backtrack_from_scc ... # OK scm_rights.stream_listener.backtrack_from_scc ok 16 scm_rights.stream_listener.backtrack_from_scc # RUN scm_rights.stream_listener_oob.self_ref ... # OK scm_rights.stream_listener_oob.self_ref ok 17 scm_rights.stream_listener_oob.self_ref # RUN scm_rights.stream_listener_oob.triangle ... # OK scm_rights.stream_listener_oob.triangle ok 18 scm_rights.stream_listener_oob.triangle # RUN scm_rights.stream_listener_oob.cross_edge ... # OK scm_rights.stream_listener_oob.cross_edge ok 19 scm_rights.stream_listener_oob.cross_edge # RUN scm_rights.stream_listener_oob.backtrack_from_scc ... # OK scm_rights.stream_listener_oob.backtrack_from_scc ok 20 scm_rights.stream_listener_oob.backtrack_from_scc # PASSED: 20 / 20 tests passed. # Totals: pass:20 fail:0 xfail:0 xpass:0 skip:0 error:0 [0] https://lore.kernel.org/all/20250304030149.82265-1-kuniyu@amazon.com/ [1] https://lore.kernel.org/all/20240325202425.60930-16-kuniyu@amazon.com/ Kuniyuki Iwashima (24): af_unix: Return struct unix_sock from unix_get_socket(). af_unix: Run GC on only one CPU. af_unix: Try to run GC async. af_unix: Replace BUG_ON() with WARN_ON_ONCE(). af_unix: Remove io_uring code for GC. af_unix: Remove CONFIG_UNIX_SCM. af_unix: Allocate struct unix_vertex for each inflight AF_UNIX fd. af_unix: Allocate struct unix_edge for each inflight AF_UNIX fd. af_unix: Link struct unix_edge when queuing skb. af_unix: Bulk update unix_tot_inflight/unix_inflight when queuing skb. af_unix: Iterate all vertices by DFS. af_unix: Detect Strongly Connected Components. af_unix: Save listener for embryo socket. af_unix: Fix up unix_edge.successor for embryo socket. af_unix: Save O(n) setup of Tarjan's algo. af_unix: Skip GC if no cycle exists. af_unix: Avoid Tarjan's algorithm if unnecessary. af_unix: Assign a unique index to SCC. af_unix: Detect dead SCC. af_unix: Replace garbage collection algorithm. af_unix: Remove lock dance in unix_peek_fds(). af_unix: Try not to hold unix_gc_lock during accept(). af_unix: Don't access successor in unix_del_edges() during GC. af_unix: Add dead flag to struct scm_fp_list. Michal Luczaj (1): af_unix: Fix garbage collection of embryos carrying OOB with SCM_RIGHTS Shigeru Yoshida (1): af_unix: Fix uninit-value in __unix_walk_scc() include/net/af_unix.h | 49 ++- include/net/scm.h | 11 + net/Makefile | 2 +- net/core/scm.c | 17 ++ net/unix/Kconfig | 5 - net/unix/Makefile | 2 - net/unix/af_unix.c | 120 +++++--- net/unix/garbage.c | 691 +++++++++++++++++++++++++++++------------- net/unix/scm.c | 161 ---------- net/unix/scm.h | 10 - 10 files changed, 617 insertions(+), 451 deletions(-) delete mode 100644 net/unix/scm.c delete mode 100644 net/unix/scm.h -- 2.49.0.1112.g889b7c5bd8-goog

1 month

3
53
0 0

Backports of 2e43ae7dd71cd9bb0d1bce1d3306bf77523feb81 for 5.15 and older

by Nathan Chancellor

Hi Greg and Sasha, Please find attached backports of commit 2e43ae7dd71c ("drm/i915/gvt: fix unterminated-string-initialization warning") to address an instance of -Wunterminated-string-initialization that appears in the i915 driver with GCC 15 and Clang 21 due to its use of -Wextra. Please let me know if there are any issues. Cheers, Nathan

1 month

2
1
0 0

[PATCH 6.1.y] selftests/vm: fix split huge page tests

by wndgwang4

From: Zi Yan <ziy(a)nvidia.com> [ upstream commit dd63bd7df41a8f9393a2e3ff9157a441c08eb996 ] Fix two inputs to check_anon_huge() and one if condition, so the tests work as expected. Steps to reproduce the issue. make headers make -C tools/testing/selftests/vm Before patching:test fails with a non-zero exit code ~/linux$ sudo tools/testing/selftests/vm/split_huge_page_test | echo 0 2 ~/linux$ sudo tools/testing/selftests/vm/split_huge_page_test No THP is allocated After patching: ~/linux$ sudo tools/testing/selftests/vm/split_huge_page_test | echo 0 0 ~/linux$ sudo tools/testing/selftests/vm/split_huge_page_test Split huge pages successful ... Link: https://lkml.kernel.org/r/20230306160907.16804-1-zi.yan@sent.com Fixes: c07c343cda8e ("selftests/vm: dedup THP helpers") Cc: stable(a)vger.kernel.org Signed-off-by: Zi Yan <ziy(a)nvidia.com> Reviewed-by: Zach O'Keefe <zokeefe(a)google.com> Tested-by: Zach O'Keefe <zokeefe(a)google.com> Acked-by: David Hildenbrand <david(a)redhat.com> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: wndgwang4 <guangming.wang(a)windriver.com> --- tools/testing/selftests/vm/split_huge_page_test.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/testing/selftests/vm/split_huge_page_test.c b/tools/testing/selftests/vm/split_huge_page_test.c index 76e1c36dd..b8558c7f1 100644 --- a/tools/testing/selftests/vm/split_huge_page_test.c +++ b/tools/testing/selftests/vm/split_huge_page_test.c @@ -106,7 +106,7 @@ void split_pmd_thp(void) for (i = 0; i < len; i++) one_page[i] = (char)i; - if (!check_huge_anon(one_page, 1, pmd_pagesize)) { + if (!check_huge_anon(one_page, 4, pmd_pagesize)) { printf("No THP is allocated\n"); exit(EXIT_FAILURE); } @@ -122,7 +122,7 @@ void split_pmd_thp(void) } - if (check_huge_anon(one_page, 0, pmd_pagesize)) { + if (!check_huge_anon(one_page, 0, pmd_pagesize)) { printf("Still AnonHugePages not split\n"); exit(EXIT_FAILURE); } @@ -169,7 +169,7 @@ void split_pte_mapped_thp(void) for (i = 0; i < len; i++) one_page[i] = (char)i; - if (!check_huge_anon(one_page, 1, pmd_pagesize)) { + if (!check_huge_anon(one_page, 4, pmd_pagesize)) { printf("No THP is allocated\n"); exit(EXIT_FAILURE); } -- 2.34.1

1 month

2
1
0 0

[PATCH net] can: kvaser_pciefd: refine error prone echo_skb_max handling logic

by Marc Kleine-Budde

From: Fedor Pchelkin <pchelkin(a)ispras.ru> echo_skb_max should define the supported upper limit of echo_skb[] allocated inside the netdevice's priv. The corresponding size value provided by this driver to alloc_candev() is KVASER_PCIEFD_CAN_TX_MAX_COUNT which is 17. But later echo_skb_max is rounded up to the nearest power of two (for the max case, that would be 32) and the tx/ack indices calculated further during tx/rx may exceed the upper array boundary. Kasan reported this for the ack case inside kvaser_pciefd_handle_ack_packet(), though the xmit function has actually caught the same thing earlier. BUG: KASAN: slab-out-of-bounds in kvaser_pciefd_handle_ack_packet+0x2d7/0x92a drivers/net/can/kvaser_pciefd.c:1528 Read of size 8 at addr ffff888105e4f078 by task swapper/4/0 CPU: 4 UID: 0 PID: 0 Comm: swapper/4 Not tainted 6.15.0 #12 PREEMPT(voluntary) Call Trace: <IRQ> dump_stack_lvl lib/dump_stack.c:122 print_report mm/kasan/report.c:521 kasan_report mm/kasan/report.c:634 kvaser_pciefd_handle_ack_packet drivers/net/can/kvaser_pciefd.c:1528 kvaser_pciefd_read_packet drivers/net/can/kvaser_pciefd.c:1605 kvaser_pciefd_read_buffer drivers/net/can/kvaser_pciefd.c:1656 kvaser_pciefd_receive_irq drivers/net/can/kvaser_pciefd.c:1684 kvaser_pciefd_irq_handler drivers/net/can/kvaser_pciefd.c:1733 __handle_irq_event_percpu kernel/irq/handle.c:158 handle_irq_event kernel/irq/handle.c:210 handle_edge_irq kernel/irq/chip.c:833 __common_interrupt arch/x86/kernel/irq.c:296 common_interrupt arch/x86/kernel/irq.c:286 </IRQ> Tx max count definitely matters for kvaser_pciefd_tx_avail(), but for seq numbers' generation that's not the case - we're free to calculate them as would be more convenient, not taking tx max count into account. The only downside is that the size of echo_skb[] should correspond to the max seq number (not tx max count), so in some situations a bit more memory would be consumed than could be. Thus make the size of the underlying echo_skb[] sufficient for the rounded max tx value. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: 8256e0ca6010 ("can: kvaser_pciefd: Fix echo_skb race") Cc: stable(a)vger.kernel.org Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> Link: https://patch.msgid.link/20250528192713.63894-1-pchelkin@ispras.ru Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> --- drivers/net/can/kvaser_pciefd.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/net/can/kvaser_pciefd.c b/drivers/net/can/kvaser_pciefd.c index 7d3066691d5d..52301511ed1b 100644 --- a/drivers/net/can/kvaser_pciefd.c +++ b/drivers/net/can/kvaser_pciefd.c @@ -966,7 +966,7 @@ static int kvaser_pciefd_setup_can_ctrls(struct kvaser_pciefd *pcie) u32 status, tx_nr_packets_max; netdev = alloc_candev(sizeof(struct kvaser_pciefd_can), - KVASER_PCIEFD_CAN_TX_MAX_COUNT); + roundup_pow_of_two(KVASER_PCIEFD_CAN_TX_MAX_COUNT)); if (!netdev) return -ENOMEM; @@ -995,7 +995,6 @@ static int kvaser_pciefd_setup_can_ctrls(struct kvaser_pciefd *pcie) can->tx_max_count = min(KVASER_PCIEFD_CAN_TX_MAX_COUNT, tx_nr_packets_max - 1); can->can.clock.freq = pcie->freq; - can->can.echo_skb_max = roundup_pow_of_two(can->tx_max_count); spin_lock_init(&can->lock); can->can.bittiming_const = &kvaser_pciefd_bittiming_const; base-commit: 271683bb2cf32e5126c592b5d5e6a756fa374fd9 -- 2.47.2

1 month

2
1
0 0

[PATCH] driver: net: ethernet: mtk_star_emac: fix suspend/resume issue

by Macpaul Lin

From: Yanqing Wang <ot_yanqing.wang(a)mediatek.com> Identify the cause of the suspend/resume hang: netif_carrier_off() is called during link state changes and becomes stuck while executing linkwatch_work(). To resolve this issue, call netif_device_detach() during the Ethernet suspend process to temporarily detach the network device from the kernel and prevent the suspend/resume hang. Fixes: 8c7bd5a454ff ("net: ethernet: mtk-star-emac: new driver") Signed-off-by: Yanqing Wang <ot_yanqing.wang(a)mediatek.com> Signed-off-by: Macpaul Lin <macpaul.lin(a)mediatek.com> Signed-off-by: Biao Huang <biao.huang(a)mediatek.com> --- drivers/net/ethernet/mediatek/mtk_star_emac.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/net/ethernet/mediatek/mtk_star_emac.c b/drivers/net/ethernet/mediatek/mtk_star_emac.c index b175119a6a7d..b83886a41121 100644 --- a/drivers/net/ethernet/mediatek/mtk_star_emac.c +++ b/drivers/net/ethernet/mediatek/mtk_star_emac.c @@ -1463,6 +1463,8 @@ static __maybe_unused int mtk_star_suspend(struct device *dev) if (netif_running(ndev)) mtk_star_disable(ndev); + netif_device_detach(ndev); + clk_bulk_disable_unprepare(MTK_STAR_NCLKS, priv->clks); return 0; @@ -1487,6 +1489,8 @@ static __maybe_unused int mtk_star_resume(struct device *dev) clk_bulk_disable_unprepare(MTK_STAR_NCLKS, priv->clks); } + netif_device_attach(ndev); + return ret; } -- 2.45.2

1 month

3
2
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror May 2025