September 2025 - Linux-stable-mirror

[PATCH] media: mediatek: vcodec: Fix a reference leak in mtk_vcodec_fw_vpu_init()

by Haoxiang Li

vpu_get_plat_device() increases the reference count of the returned platform device. However, when devm_kzalloc() fails, the reference is not released, causing a reference leak. Fix this by calling put_device() on fw_pdev->dev before returning on the error path. Fixes: e25a89f743b1 ("media: mtk-vcodec: potential dereference of null pointer") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024(a)163.com> --- .../media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c b/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c index d7027d600208..1c94316f2d7d 100644 --- a/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c +++ b/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c @@ -117,8 +117,10 @@ struct mtk_vcodec_fw *mtk_vcodec_fw_vpu_init(void *priv, enum mtk_vcodec_fw_use vpu_wdt_reg_handler(fw_pdev, mtk_vcodec_vpu_reset_enc_handler, priv, rst_id); fw = devm_kzalloc(&plat_dev->dev, sizeof(*fw), GFP_KERNEL); - if (!fw) + if (!fw) { + put_device(&fw_pdev->dev); return ERR_PTR(-ENOMEM); + } fw->type = VPU; fw->ops = &mtk_vcodec_vpu_msg; fw->pdev = fw_pdev; -- 2.25.1

4 days, 13 hours

4
3
0 0

[PATCH 02/29] arm64: hugetlb: Fix flush_hugetlb_tlb_range() invalidation level

by Jia He

From: Ryan Roberts <ryan.roberts(a)arm.com> commit c910f2b65518 ("arm64/mm: Update tlb invalidation routines for FEAT_LPA2") changed the "invalidation level unknown" hint from 0 to TLBI_TTL_UNKNOWN (INT_MAX). But the fallback "unknown level" path in flush_hugetlb_tlb_range() was not updated. So as it stands, when trying to invalidate CONT_PMD_SIZE or CONT_PTE_SIZE hugetlb mappings, we will spuriously try to invalidate at level 0 on LPA2-enabled systems. Fix this so that the fallback passes TLBI_TTL_UNKNOWN, and while we are at it, explicitly use the correct stride and level for CONT_PMD_SIZE and CONT_PTE_SIZE, which should provide a minor optimization. Cc: stable(a)vger.kernel.org Fixes: c910f2b65518 ("arm64/mm: Update tlb invalidation routines for FEAT_LPA2") Reviewed-by: Anshuman Khandual <anshuman.khandual(a)arm.com> Reviewed-by: Catalin Marinas <catalin.marinas(a)arm.com> Signed-off-by: Ryan Roberts <ryan.roberts(a)arm.com> Link: https://lore.kernel.org/r/20250226120656.2400136-4-ryan.roberts@arm.com Signed-off-by: Will Deacon <will(a)kernel.org> Signed-off-by: Jia He <justin.he(a)arm.com> --- arch/arm64/include/asm/hugetlb.h | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/arch/arm64/include/asm/hugetlb.h b/arch/arm64/include/asm/hugetlb.h index 92a5e0879b11..eb413631edea 100644 --- a/arch/arm64/include/asm/hugetlb.h +++ b/arch/arm64/include/asm/hugetlb.h @@ -68,12 +68,22 @@ static inline void flush_hugetlb_tlb_range(struct vm_area_struct *vma, { unsigned long stride = huge_page_size(hstate_vma(vma)); - if (stride == PMD_SIZE) - __flush_tlb_range(vma, start, end, stride, false, 2); - else if (stride == PUD_SIZE) - __flush_tlb_range(vma, start, end, stride, false, 1); - else - __flush_tlb_range(vma, start, end, PAGE_SIZE, false, 0); + switch (stride) { +#ifndef __PAGETABLE_PMD_FOLDED + case PUD_SIZE: + __flush_tlb_range(vma, start, end, PUD_SIZE, false, 1); + break; +#endif + case CONT_PMD_SIZE: + case PMD_SIZE: + __flush_tlb_range(vma, start, end, PMD_SIZE, false, 2); + break; + case CONT_PTE_SIZE: + __flush_tlb_range(vma, start, end, PAGE_SIZE, false, 3); + break; + default: + __flush_tlb_range(vma, start, end, PAGE_SIZE, false, TLBI_TTL_UNKNOWN); + } } #endif /* __ASM_HUGETLB_H */ -- 2.34.1

4 days, 14 hours

1
0
0 0

[PATCH 01/29] arm64: hugetlb: Fix huge_ptep_get_and_clear() for non-present ptes

by Jia He

From: Ryan Roberts <ryan.roberts(a)arm.com> arm64 supports multiple huge_pte sizes. Some of the sizes are covered by a single pte entry at a particular level (PMD_SIZE, PUD_SIZE), and some are covered by multiple ptes at a particular level (CONT_PTE_SIZE, CONT_PMD_SIZE). So the function has to figure out the size from the huge_pte pointer. This was previously done by walking the pgtable to determine the level and by using the PTE_CONT bit to determine the number of ptes at the level. But the PTE_CONT bit is only valid when the pte is present. For non-present pte values (e.g. markers, migration entries), the previous implementation was therefore erroneously determining the size. There is at least one known caller in core-mm, move_huge_pte(), which may call huge_ptep_get_and_clear() for a non-present pte. So we must be robust to this case. Additionally the "regular" ptep_get_and_clear() is robust to being called for non-present ptes so it makes sense to follow the behavior. Fix this by using the new sz parameter which is now provided to the function. Additionally when clearing each pte in a contig range, don't gather the access and dirty bits if the pte is not present. An alternative approach that would not require API changes would be to store the PTE_CONT bit in a spare bit in the swap entry pte for the non-present case. But it felt cleaner to follow other APIs' lead and just pass in the size. As an aside, PTE_CONT is bit 52, which corresponds to bit 40 in the swap entry offset field (layout of non-present pte). Since hugetlb is never swapped to disk, this field will only be populated for markers, which always set this bit to 0 and hwpoison swap entries, which set the offset field to a PFN; So it would only ever be 1 for a 52-bit PVA system where memory in that high half was poisoned (I think!). So in practice, this bit would almost always be zero for non-present ptes and we would only clear the first entry if it was actually a contiguous block. That's probably a less severe symptom than if it was always interpreted as 1 and cleared out potentially-present neighboring PTEs. Cc: stable(a)vger.kernel.org Fixes: 66b3923a1a0f ("arm64: hugetlb: add support for PTE contiguous bit") Reviewed-by: Catalin Marinas <catalin.marinas(a)arm.com> Signed-off-by: Ryan Roberts <ryan.roberts(a)arm.com> Link: https://lore.kernel.org/r/20250226120656.2400136-3-ryan.roberts@arm.com Signed-off-by: Will Deacon <will(a)kernel.org> Signed-off-by: Jia He <justin.he(a)arm.com> --- arch/arm64/mm/hugetlbpage.c | 53 ++++++++++++++----------------------- 1 file changed, 20 insertions(+), 33 deletions(-) diff --git a/arch/arm64/mm/hugetlbpage.c b/arch/arm64/mm/hugetlbpage.c index 7a54f8b4164b..d631d52986ec 100644 --- a/arch/arm64/mm/hugetlbpage.c +++ b/arch/arm64/mm/hugetlbpage.c @@ -121,20 +121,11 @@ static int find_num_contig(struct mm_struct *mm, unsigned long addr, static inline int num_contig_ptes(unsigned long size, size_t *pgsize) { - int contig_ptes = 0; + int contig_ptes = 1; *pgsize = size; switch (size) { -#ifndef __PAGETABLE_PMD_FOLDED - case PUD_SIZE: - if (pud_sect_supported()) - contig_ptes = 1; - break; -#endif - case PMD_SIZE: - contig_ptes = 1; - break; case CONT_PMD_SIZE: *pgsize = PMD_SIZE; contig_ptes = CONT_PMDS; @@ -143,6 +134,8 @@ static inline int num_contig_ptes(unsigned long size, size_t *pgsize) *pgsize = PAGE_SIZE; contig_ptes = CONT_PTES; break; + default: + WARN_ON(!__hugetlb_valid_size(size)); } return contig_ptes; @@ -184,24 +177,23 @@ static pte_t get_clear_contig(struct mm_struct *mm, unsigned long pgsize, unsigned long ncontig) { - pte_t orig_pte = __ptep_get(ptep); - unsigned long i; - - for (i = 0; i < ncontig; i++, addr += pgsize, ptep++) { - pte_t pte = __ptep_get_and_clear(mm, addr, ptep); - - /* - * If HW_AFDBM is enabled, then the HW could turn on - * the dirty or accessed bit for any page in the set, - * so check them all. - */ - if (pte_dirty(pte)) - orig_pte = pte_mkdirty(orig_pte); - - if (pte_young(pte)) - orig_pte = pte_mkyoung(orig_pte); + pte_t pte, tmp_pte; + bool present; + + pte = __ptep_get_and_clear(mm, addr, ptep); + present = pte_present(pte); + while (--ncontig) { + ptep++; + addr += pgsize; + tmp_pte = __ptep_get_and_clear(mm, addr, ptep); + if (present) { + if (pte_dirty(tmp_pte)) + pte = pte_mkdirty(pte); + if (pte_young(tmp_pte)) + pte = pte_mkyoung(pte); + } } - return orig_pte; + return pte; } static pte_t get_clear_contig_flush(struct mm_struct *mm, @@ -419,13 +411,8 @@ pte_t huge_ptep_get_and_clear(struct mm_struct *mm, unsigned long addr, { int ncontig; size_t pgsize; - pte_t orig_pte = __ptep_get(ptep); - - if (!pte_cont(orig_pte)) - return __ptep_get_and_clear(mm, addr, ptep); - - ncontig = find_num_contig(mm, addr, ptep, &pgsize); + ncontig = num_contig_ptes(sz, &pgsize); return get_clear_contig(mm, addr, ptep, pgsize, ncontig); } -- 2.34.1

4 days, 14 hours

1
0
0 0

[PATCH 5.10] btrfs: free exchange changeset on failures

by Denis Arefev

From: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> commit da5e817d9d75422eaaa05490d0b9a5e328fc1a51 upstream. Fstests runs on my VMs have show several kmemleak reports like the following. unreferenced object 0xffff88811ae59080 (size 64): comm "xfs_io", pid 12124, jiffies 4294987392 (age 6.368s) hex dump (first 32 bytes): 00 c0 1c 00 00 00 00 00 ff cf 1c 00 00 00 00 00 ................ 90 97 e5 1a 81 88 ff ff 90 97 e5 1a 81 88 ff ff ................ backtrace: [<00000000ac0176d2>] ulist_add_merge+0x60/0x150 [btrfs] [<0000000076e9f312>] set_state_bits+0x86/0xc0 [btrfs] [<0000000014fe73d6>] set_extent_bit+0x270/0x690 [btrfs] [<000000004f675208>] set_record_extent_bits+0x19/0x20 [btrfs] [<00000000b96137b1>] qgroup_reserve_data+0x274/0x310 [btrfs] [<0000000057e9dcbb>] btrfs_check_data_free_space+0x5c/0xa0 [btrfs] [<0000000019c4511d>] btrfs_delalloc_reserve_space+0x1b/0xa0 [btrfs] [<000000006d37e007>] btrfs_dio_iomap_begin+0x415/0x970 [btrfs] [<00000000fb8a74b8>] iomap_iter+0x161/0x1e0 [<0000000071dff6ff>] __iomap_dio_rw+0x1df/0x700 [<000000002567ba53>] iomap_dio_rw+0x5/0x20 [<0000000072e555f8>] btrfs_file_write_iter+0x290/0x530 [btrfs] [<000000005eb3d845>] new_sync_write+0x106/0x180 [<000000003fb505bf>] vfs_write+0x24d/0x2f0 [<000000009bb57d37>] __x64_sys_pwrite64+0x69/0xa0 [<000000003eba3fdf>] do_syscall_64+0x43/0x90 In case brtfs_qgroup_reserve_data() or btrfs_delalloc_reserve_metadata() fail the allocated extent_changeset will not be freed. So in btrfs_check_data_free_space() and btrfs_delalloc_reserve_space() free the allocated extent_changeset to get rid of the allocated memory. The issue currently only happens in the direct IO write path, but only after 65b3c08606e5 ("btrfs: fix ENOSPC failure when attempting direct IO write into NOCOW range"), and also at defrag_one_locked_target(). Every other place is always calling extent_changeset_free() even if its call to btrfs_delalloc_reserve_space() or btrfs_check_data_free_space() has failed. CC: stable(a)vger.kernel.org # 5.15+ Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Denis Arefev <arefev(a)swemel.ru> --- Backport fix for CVE-2021-47508 Link: https://nvd.nist.gov/vuln/detail/cve-2021-47508 --- fs/btrfs/delalloc-space.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/fs/btrfs/delalloc-space.c b/fs/btrfs/delalloc-space.c index 45b2a5ecd63a..cd12226c3220 100644 --- a/fs/btrfs/delalloc-space.c +++ b/fs/btrfs/delalloc-space.c @@ -143,10 +143,13 @@ int btrfs_check_data_free_space(struct btrfs_inode *inode, /* Use new btrfs_qgroup_reserve_data to reserve precious data space. */ ret = btrfs_qgroup_reserve_data(inode, reserved, start, len); - if (ret < 0) + if (ret < 0) { btrfs_free_reserved_data_space_noquota(fs_info, len); - else + extent_changeset_free(*reserved); + *reserved = NULL; + } else { ret = 0; + } return ret; } @@ -446,8 +449,11 @@ int btrfs_delalloc_reserve_space(struct btrfs_inode *inode, if (ret < 0) return ret; ret = btrfs_delalloc_reserve_metadata(inode, len); - if (ret < 0) + if (ret < 0) { btrfs_free_reserved_data_space(inode, *reserved, start, len); + extent_changeset_free(*reserved); + *reserved = NULL; + } return ret; } -- 2.43.0

4 days, 15 hours

1
0
0 0

[PATCH v2] media: mtk-mdp: Fix some issues in mtk_mdp_core.c

by Haoxiang Li

Add check for the return value of vpu_get_plat_device() to prevent null pointer dereference. And vpu_get_plat_device() increases the reference count of the returned platform device. Add platform_device_put() to prevent reference leak. Also add platform_device_put() in mtk_mdp_remove(). Add mtk_mdp_unregister_m2m_device() on the error handling path. Fixes: c8eb2d7e8202 ("[media] media: Add Mediatek MDP Driver") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024(a)163.com> --- Changes in v2: - Add check for vpu_get_plat_device() - Add platform_device_put() in mtk_mdp_remove() - Add mtk_mdp_unregister_m2m_device() on the error handling path. - Modify the patch title and description. I think you are right. Thanks, CJ! --- .../media/platform/mediatek/mdp/mtk_mdp_core.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/drivers/media/platform/mediatek/mdp/mtk_mdp_core.c b/drivers/media/platform/mediatek/mdp/mtk_mdp_core.c index 80fdc6ff57e0..8432833814f3 100644 --- a/drivers/media/platform/mediatek/mdp/mtk_mdp_core.c +++ b/drivers/media/platform/mediatek/mdp/mtk_mdp_core.c @@ -194,11 +194,17 @@ static int mtk_mdp_probe(struct platform_device *pdev) } mdp->vpu_dev = vpu_get_plat_device(pdev); + if (!mdp->vpu_dev) { + dev_err(&pdev->dev, "Failed to get vpu device\n"); + ret = -ENODEV; + goto err_vpu_get_dev; + } + ret = vpu_wdt_reg_handler(mdp->vpu_dev, mtk_mdp_reset_handler, mdp, VPU_RST_MDP); if (ret) { dev_err(&pdev->dev, "Failed to register reset handler\n"); - goto err_m2m_register; + goto err_reg_handler; } platform_set_drvdata(pdev, mdp); @@ -206,7 +212,7 @@ static int mtk_mdp_probe(struct platform_device *pdev) ret = vb2_dma_contig_set_max_seg_size(&pdev->dev, DMA_BIT_MASK(32)); if (ret) { dev_err(&pdev->dev, "Failed to set vb2 dma mag seg size\n"); - goto err_m2m_register; + goto err_reg_handler; } pm_runtime_enable(dev); @@ -214,6 +220,12 @@ static int mtk_mdp_probe(struct platform_device *pdev) return 0; +err_reg_handler: + platform_device_put(mdp->vpu_dev); + +err_vpu_get_dev: + mtk_mdp_unregister_m2m_device(mdp); + err_m2m_register: v4l2_device_unregister(&mdp->v4l2_dev); @@ -242,6 +254,7 @@ static void mtk_mdp_remove(struct platform_device *pdev) pm_runtime_disable(&pdev->dev); vb2_dma_contig_clear_max_seg_size(&pdev->dev); + platform_device_put(mdp->vpu_dev); mtk_mdp_unregister_m2m_device(mdp); v4l2_device_unregister(&mdp->v4l2_dev); -- 2.25.1

4 days, 15 hours

1
0
0 0

[PATCH v2] kmsan: Fix out-of-bounds access to shadow memory

by Eric Biggers

Running sha224_kunit on a KMSAN-enabled kernel results in a crash in kmsan_internal_set_shadow_origin(): BUG: unable to handle page fault for address: ffffbc3840291000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 1810067 P4D 1810067 PUD 192d067 PMD 3c17067 PTE 0 Oops: 0000 [#1] SMP NOPTI CPU: 0 UID: 0 PID: 81 Comm: kunit_try_catch Tainted: G N 6.17.0-rc3 #10 PREEMPT(voluntary) Tainted: [N]=TEST Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 RIP: 0010:kmsan_internal_set_shadow_origin+0x91/0x100 [...] Call Trace: <TASK> __msan_memset+0xee/0x1a0 sha224_final+0x9e/0x350 test_hash_buffer_overruns+0x46f/0x5f0 ? kmsan_get_shadow_origin_ptr+0x46/0xa0 ? __pfx_test_hash_buffer_overruns+0x10/0x10 kunit_try_run_case+0x198/0xa00 This occurs when memset() is called on a buffer that is not 4-byte aligned and extends to the end of a guard page, i.e. the next page is unmapped. The bug is that the loop at the end of kmsan_internal_set_shadow_origin() accesses the wrong shadow memory bytes when the address is not 4-byte aligned. Since each 4 bytes are associated with an origin, it rounds the address and size so that it can access all the origins that contain the buffer. However, when it checks the corresponding shadow bytes for a particular origin, it incorrectly uses the original unrounded shadow address. This results in reads from shadow memory beyond the end of the buffer's shadow memory, which crashes when that memory is not mapped. To fix this, correctly align the shadow address before accessing the 4 shadow bytes corresponding to each origin. Fixes: 2ef3cec44c60 ("kmsan: do not wipe out origin when doing partial unpoisoning") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> --- v2: Added test case to kmsan_test. mm/kmsan/core.c | 10 +++++++--- mm/kmsan/kmsan_test.c | 16 ++++++++++++++++ 2 files changed, 23 insertions(+), 3 deletions(-) diff --git a/mm/kmsan/core.c b/mm/kmsan/core.c index 1ea711786c522..8bca7fece47f0 100644 --- a/mm/kmsan/core.c +++ b/mm/kmsan/core.c @@ -193,11 +193,12 @@ depot_stack_handle_t kmsan_internal_chain_origin(depot_stack_handle_t id) void kmsan_internal_set_shadow_origin(void *addr, size_t size, int b, u32 origin, bool checked) { u64 address = (u64)addr; - u32 *shadow_start, *origin_start; + void *shadow_start; + u32 *aligned_shadow, *origin_start; size_t pad = 0; KMSAN_WARN_ON(!kmsan_metadata_is_contiguous(addr, size)); shadow_start = kmsan_get_metadata(addr, KMSAN_META_SHADOW); if (!shadow_start) { @@ -212,13 +213,16 @@ void kmsan_internal_set_shadow_origin(void *addr, size_t size, int b, } return; } __memset(shadow_start, b, size); - if (!IS_ALIGNED(address, KMSAN_ORIGIN_SIZE)) { + if (IS_ALIGNED(address, KMSAN_ORIGIN_SIZE)) { + aligned_shadow = shadow_start; + } else { pad = address % KMSAN_ORIGIN_SIZE; address -= pad; + aligned_shadow = shadow_start - pad; size += pad; } size = ALIGN(size, KMSAN_ORIGIN_SIZE); origin_start = (u32 *)kmsan_get_metadata((void *)address, KMSAN_META_ORIGIN); @@ -228,11 +232,11 @@ void kmsan_internal_set_shadow_origin(void *addr, size_t size, int b, * and unconditionally overwrite the old origin slot. * If the new origin is zero, overwrite the old origin slot iff the * corresponding shadow slot is zero. */ for (int i = 0; i < size / KMSAN_ORIGIN_SIZE; i++) { - if (origin || !shadow_start[i]) + if (origin || !aligned_shadow[i]) origin_start[i] = origin; } } struct page *kmsan_vmalloc_to_page_or_null(void *vaddr) diff --git a/mm/kmsan/kmsan_test.c b/mm/kmsan/kmsan_test.c index c6c5b2bbede0c..902ec48b1e3e6 100644 --- a/mm/kmsan/kmsan_test.c +++ b/mm/kmsan/kmsan_test.c @@ -554,10 +554,25 @@ static void test_memcpy_initialized_gap(struct kunit *test) DEFINE_TEST_MEMSETXX(16) DEFINE_TEST_MEMSETXX(32) DEFINE_TEST_MEMSETXX(64) +/* Test case: ensure that KMSAN does not access shadow memory out of bounds. */ +static void test_memset_on_guarded_buffer(struct kunit *test) +{ + void *buf = vmalloc(PAGE_SIZE); + + kunit_info(test, + "memset() on ends of guarded buffer should not crash\n"); + + for (size_t size = 0; size <= 128; size++) { + memset(buf, 0xff, size); + memset(buf + PAGE_SIZE - size, 0xff, size); + } + vfree(buf); +} + static noinline void fibonacci(int *array, int size, int start) { if (start < 2 || (start == size)) return; array[start] = array[start - 1] + array[start - 2]; @@ -675,10 +690,11 @@ static struct kunit_case kmsan_test_cases[] = { KUNIT_CASE(test_memcpy_aligned_to_unaligned), KUNIT_CASE(test_memcpy_initialized_gap), KUNIT_CASE(test_memset16), KUNIT_CASE(test_memset32), KUNIT_CASE(test_memset64), + KUNIT_CASE(test_memset_on_guarded_buffer), KUNIT_CASE(test_long_origin_chain), KUNIT_CASE(test_stackdepot_roundtrip), KUNIT_CASE(test_unpoison_memory), KUNIT_CASE(test_copy_from_kernel_nofault), {}, base-commit: e59a039119c3ec241228adf12dca0dd4398104d0 -- 2.51.0

4 days, 16 hours

2
1
0 0

Please help to cherry-pick 25daf9af0ac1 ("soc: qcom: mdt_loader: Deal with zero e_shentsize") for the 5.4/5.0/5.15/6.1 versions

by Yongqin Liu

Hi, All Please help to cherry-pick the following commit 25daf9af0ac1 ("soc: qcom: mdt_loader: Deal with zero e_shentsize") into the following branches: linux-5.4.y linux-5.10.y linux-5.15.y linux-6.1.y Which is to fix the issue caused by the following commit in the branches already: 9f9967fed9d0 ("soc: qcom: mdt_loader: Ensure we don't read past the ELF header") Just please note, for the linux-6.1.y branch the following commit needs to be cherry-picked first: 9f35ab0e53cc ("soc: qcom: mdt_loader: Fix error return values in mdt_header_valid()") before the cherry-pick of the 25daf9af0ac1 commit. # if this needs to be in a separate cherry-pick request # please let me know. -- Best Regards, Yongqin Liu --------------------------------------------------------------- #mailing list linaro-android(a)lists.linaro.org http://lists.linaro.org/mailman/listinfo/linaro-android

4 days, 16 hours

2
1
0 0

[PATCH 5.15 00/64] 5.15.192-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.15.192 release. There are 64 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Tue, 09 Sep 2025 19:55:53 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.192-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.15.192-rc1 Qiu-ji Chen <chenqiuji666(a)gmail.com> dmaengine: mediatek: Fix a flag reuse error in mtk_cqdma_tx_status() Aaron Kling <webgeek1234(a)gmail.com> spi: tegra114: Use value to check for invalid delays Taniya Das <quic_tdas(a)quicinc.com> clk: qcom: gdsc: Set retain_ff before moving to HW CTRL Ian Rogers <irogers(a)google.com> perf bpf-event: Fix use-after-free in synthesis Michael Walle <mwalle(a)kernel.org> drm/bridge: ti-sn65dsi86: fix REFCLK setting Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-lpspi: Reset FIFO and disable module on transfer abort Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-lpspi: Set correct chip-select polarity bit Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-lpspi: Fix transmissions when using CONT Wentao Liang <vulab(a)iscas.ac.cn> pcmcia: Add error handling for add_interval() in do_validate_mem() Takashi Iwai <tiwai(a)suse.de> ALSA: hda/hdmi: Add pin fix for another HP EliteDesk 800 G4 model Li Qiong <liqiong(a)nfschina.com> mm/slub: avoid accessing metadata when pointer is invalid in object_err() Kees Cook <kees(a)kernel.org> randstruct: gcc-plugin: Fix attribute addition Kees Cook <kees(a)kernel.org> randstruct: gcc-plugin: Remove bogus void member Gabor Juhos <j4g8y7(a)gmail.com> arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs Ronak Doshi <ronak.doshi(a)broadcom.com> vmxnet3: update MTU after device quiesce Jakob Unterwurzacher <jakobunt(a)gmail.com> net: dsa: microchip: linearize skb for tail-tagging switches Pieter Van Trappen <pieter.van.trappen(a)cern.ch> net: dsa: microchip: update tag_ksz masks for KSZ9477 family Qiu-ji Chen <chenqiuji666(a)gmail.com> dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status() Hyejeong Choi <hjeong.choi(a)samsung.com> dma-buf: insert memory barrier before updating num_fences Emanuele Ghidoli <emanuele.ghidoli(a)toradex.com> gpio: pca953x: fix IRQ storm on system wake up Luca Ceresoli <luca.ceresoli(a)bootlin.com> iio: light: opt3001: fix deadlock due to concurrent flag access David Lechner <dlechner(a)baylibre.com> iio: chemical: pms7003: use aligned_s64 for timestamp Aaron Kling <webgeek1234(a)gmail.com> spi: tegra114: Don't fail set_cs_timing when delays are zero Alexander Danilenko <al.b.danilenko(a)gmail.com> spi: tegra114: Remove unnecessary NULL-pointer checks Sean Christopherson <seanjc(a)google.com> KVM: x86: Take irqfds.lock when adding/deleting IRQ bypass producer Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq/sched: Explicitly synchronize limits_changed flag handling Jann Horn <jannh(a)google.com> mm/khugepaged: fix ->anon_vma race Vitaly Lifshits <vitaly.lifshits(a)intel.com> e1000e: fix heap overflow in e1000_set_eeprom Stanislav Fort <stanislav.fort(a)aisle.com> batman-adv: fix OOB read/write in network-coding decode John Evans <evans1210144(a)gmail.com> scsi: lpfc: Fix buffer free/clear order in deferred receive path Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: drop hw access in non-DC audio fini Qianfeng Rong <rongqianfeng(a)vivo.com> wifi: mwifiex: Initialize the chan_stats array to zero Harry Yoo <harry.yoo(a)oracle.com> mm: move page table sync declarations to linux/pgtable.h Harry Yoo <harry.yoo(a)oracle.com> x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() Ma Ke <make24(a)iscas.ac.cn> pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region() Cryolitia PukNgae <cryolitia(a)uniontech.com> ALSA: usb-audio: Add mute TLV for playback volumes on some devices Horatiu Vultur <horatiu.vultur(a)microchip.com> phy: mscc: Stop taking ts_lock for tx_queue and use its own lock Horatiu Vultur <horatiu.vultur(a)microchip.com> net: phy: mscc: Fix memory leak when using one step timestamping Kurt Kanzenbach <kurt(a)linutronix.de> ptp: Add generic PTP is_sync() function Qingfang Deng <dqfext(a)gmail.com> ppp: fix memory leak in pad_compress_skb Wang Liang <wangliang74(a)huawei.com> net: atm: fix memory leak in atm_register_sysfs when device_register fail Eric Dumazet <edumazet(a)google.com> ax25: properly unshare skbs in ax25_kiss_rcv() Dan Carpenter <dan.carpenter(a)linaro.org> ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init() Rosen Penev <rosenp(a)gmail.com> net: thunder_bgx: decrement cleanup index before use Rosen Penev <rosenp(a)gmail.com> net: thunder_bgx: add a missing of_node_put Dan Carpenter <dan.carpenter(a)linaro.org> wifi: libertas: cap SSID len in lbs_associate() Dan Carpenter <dan.carpenter(a)linaro.org> wifi: cw1200: cap SSID length in cw1200_do_join() Felix Fietkau <nbd(a)nbd.name> net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets Zhen Ni <zhen.ni(a)easystack.cn> i40e: Fix potential invalid access when MAC list is empty Fabian Bläse <fabian(a)blaese.de> icmp: fix icmp_ndo_send address translation for reply direction Miaoqian Lin <linmq006(a)gmail.com> mISDN: Fix memory leak in dsp_hwec_enable() Alok Tiwari <alok.a.tiwari(a)oracle.com> xirc2ps_cs: fix register access when enabling FullDuplex Kuniyuki Iwashima <kuniyu(a)google.com> Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() Phil Sutter <phil(a)nwl.cc> netfilter: conntrack: helper: Replace -EEXIST by -EBUSY Wang Liang <wangliang74(a)huawei.com> netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm Dmitry Antipov <dmantipov(a)yandex.ru> wifi: cfg80211: fix use-after-free in cmp_bss() Peter Robinson <pbrobinson(a)gmail.com> arm64: dts: rockchip: Add vcc-supply to SPI flash on rk3399-pinebook-pro Pei Xiao <xiaopei01(a)kylinos.cn> tee: fix NULL pointer dereference in tee_shm_put Jiufei Xue <jiufei.xue(a)samsung.com> fs: writeback: fix use-after-free in __mark_inode_dirty() Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/display: Don't warn when missing DCE encoder caps Daniel Borkmann <daniel(a)iogearbox.net> bpf: Fix oob access in cgroup local storage Daniel Borkmann <daniel(a)iogearbox.net> bpf: Move bpf map owner out of common struct Daniel Borkmann <daniel(a)iogearbox.net> bpf: Move cgroup iterator helpers to bpf.h Daniel Borkmann <daniel(a)iogearbox.net> bpf: Add cookie object to bpf maps ------------- Diffstat: Makefile | 4 +- arch/arm64/boot/dts/marvell/armada-3720-uDPU.dts | 9 +- .../boot/dts/rockchip/rk3399-pinebook-pro.dts | 1 + arch/x86/include/asm/pgtable_64_types.h | 3 + arch/x86/kvm/x86.c | 18 ++- arch/x86/mm/init_64.c | 18 +++ drivers/clk/qcom/gdsc.c | 21 ++-- drivers/dma-buf/dma-resv.c | 5 +- drivers/dma/mediatek/mtk-cqdma.c | 10 +- drivers/gpio/gpio-pca953x.c | 5 + drivers/gpu/drm/amd/amdgpu/dce_v10_0.c | 5 - drivers/gpu/drm/amd/amdgpu/dce_v11_0.c | 5 - drivers/gpu/drm/amd/amdgpu/dce_v6_0.c | 5 - drivers/gpu/drm/amd/amdgpu/dce_v8_0.c | 5 - .../gpu/drm/amd/display/dc/dce/dce_link_encoder.c | 8 +- drivers/gpu/drm/bridge/ti-sn65dsi86.c | 11 ++ drivers/iio/chemical/pms7003.c | 5 +- drivers/iio/light/opt3001.c | 5 +- drivers/isdn/mISDN/dsp_hwec.c | 6 +- drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 20 +-- drivers/net/ethernet/intel/e1000e/ethtool.c | 10 +- drivers/net/ethernet/intel/i40e/i40e_client.c | 4 +- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 10 +- drivers/net/ethernet/xircom/xirc2ps_cs.c | 2 +- drivers/net/phy/mscc/mscc_ptp.c | 34 +++--- drivers/net/ppp/ppp_generic.c | 6 +- drivers/net/vmxnet3/vmxnet3_drv.c | 5 +- drivers/net/wireless/marvell/libertas/cfg.c | 9 +- drivers/net/wireless/marvell/mwifiex/cfg80211.c | 5 +- drivers/net/wireless/marvell/mwifiex/main.c | 4 +- drivers/net/wireless/st/cw1200/sta.c | 2 +- drivers/pcmcia/rsrc_iodyn.c | 3 + drivers/pcmcia/rsrc_nonstatic.c | 4 +- drivers/scsi/lpfc/lpfc_nvmet.c | 10 +- drivers/spi/spi-fsl-lpspi.c | 15 +-- drivers/spi/spi-tegra114.c | 18 ++- drivers/tee/tee_shm.c | 6 +- fs/fs-writeback.c | 9 +- include/linux/bpf-cgroup.h | 5 - include/linux/bpf.h | 134 ++++++++++++++++++--- include/linux/pgtable.h | 16 +++ include/linux/ptp_classify.h | 15 +++ include/linux/vmalloc.h | 16 --- kernel/bpf/arraymap.c | 1 - kernel/bpf/core.c | 83 ++++++++++--- kernel/bpf/syscall.c | 22 ++-- kernel/sched/cpufreq_schedutil.c | 28 ++++- mm/khugepaged.c | 15 ++- mm/slub.c | 7 +- net/atm/resources.c | 6 +- net/ax25/ax25_in.c | 4 + net/batman-adv/network-coding.c | 7 +- net/bluetooth/l2cap_sock.c | 3 + net/bridge/br_netfilter_hooks.c | 3 - net/core/ptp_classifier.c | 12 ++ net/dsa/tag_ksz.c | 22 +++- net/ipv4/devinet.c | 7 +- net/ipv4/icmp.c | 6 +- net/ipv6/ip6_icmp.c | 6 +- net/netfilter/nf_conntrack_helper.c | 4 +- net/wireless/scan.c | 3 +- scripts/gcc-plugins/gcc-common.h | 32 +++++ scripts/gcc-plugins/randomize_layout_plugin.c | 40 ++---- sound/pci/hda/patch_hdmi.c | 1 + sound/usb/mixer_quirks.c | 2 + tools/perf/util/bpf-event.c | 39 ++++-- 66 files changed, 600 insertions(+), 264 deletions(-)

4 days, 16 hours

10
76
0 0

[PATCH 5/7 5.10.y] minmax: allow min()/max()/clamp() if the arguments have the same signedness.

by Eliav Farber

From: David Laight <David.Laight(a)ACULAB.COM> commit d03eba99f5bf7cbc6e2fdde3b6fa36954ad58e09 upstream. The type-check in min()/max() is there to stop unexpected results if a negative value gets converted to a large unsigned value. However it also rejects 'unsigned int' v 'unsigned long' compares which are common and never problematc. Replace the 'same type' check with a 'same signedness' check. The new test isn't itself a compile time error, so use static_assert() to report the error and give a meaningful error message. Due to the way builtin_choose_expr() works detecting the error in the 'non-constant' side (where static_assert() can be used) also detects errors when the arguments are constant. Link: https://lkml.kernel.org/r/fe7e6c542e094bfca655abcd323c1c98@AcuMS.aculab.com Signed-off-by: David Laight <david.laight(a)aculab.com> Cc: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Jason A. Donenfeld <Jason(a)zx2c4.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> (cherry picked from commit d03eba99f5bf7cbc6e2fdde3b6fa36954ad58e09) Signed-off-by: SeongJae Park <sj(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Eliav Farber <farbere(a)amazon.com> --- include/linux/minmax.h | 60 ++++++++++++++++++++++-------------------- 1 file changed, 32 insertions(+), 28 deletions(-) diff --git a/include/linux/minmax.h b/include/linux/minmax.h index e8e9642809e0..501fab582d68 100644 --- a/include/linux/minmax.h +++ b/include/linux/minmax.h @@ -11,9 +11,8 @@ * * - avoid multiple evaluations of the arguments (so side-effects like * "x++" happen only once) when non-constant. - * - perform strict type-checking (to generate warnings instead of - * nasty runtime surprises). See the "unnecessary" pointer comparison - * in __typecheck(). + * - perform signed v unsigned type-checking (to generate compile + * errors instead of nasty runtime surprises). * - retain result as a constant expressions when called with only * constant expressions (to avoid tripping VLA warnings in stack * allocation usage). @@ -21,23 +20,30 @@ #define __typecheck(x, y) \ (!!(sizeof((typeof(x) *)1 == (typeof(y) *)1))) -#define __no_side_effects(x, y) \ - (__is_constexpr(x) && __is_constexpr(y)) +/* is_signed_type() isn't a constexpr for pointer types */ +#define __is_signed(x) \ + __builtin_choose_expr(__is_constexpr(is_signed_type(typeof(x))), \ + is_signed_type(typeof(x)), 0) -#define __safe_cmp(x, y) \ - (__typecheck(x, y) && __no_side_effects(x, y)) +#define __types_ok(x, y) \ + (__is_signed(x) == __is_signed(y)) -#define __cmp(x, y, op) ((x) op (y) ? (x) : (y)) +#define __cmp_op_min < +#define __cmp_op_max > -#define __cmp_once(x, y, unique_x, unique_y, op) ({ \ +#define __cmp(op, x, y) ((x) __cmp_op_##op (y) ? (x) : (y)) + +#define __cmp_once(op, x, y, unique_x, unique_y) ({ \ typeof(x) unique_x = (x); \ typeof(y) unique_y = (y); \ - __cmp(unique_x, unique_y, op); }) + static_assert(__types_ok(x, y), \ + #op "(" #x ", " #y ") signedness error, fix types or consider u" #op "() before " #op "_t()"); \ + __cmp(op, unique_x, unique_y); }) -#define __careful_cmp(x, y, op) \ - __builtin_choose_expr(__safe_cmp(x, y), \ - __cmp(x, y, op), \ - __cmp_once(x, y, __UNIQUE_ID(__x), __UNIQUE_ID(__y), op)) +#define __careful_cmp(op, x, y) \ + __builtin_choose_expr(__is_constexpr((x) - (y)), \ + __cmp(op, x, y), \ + __cmp_once(op, x, y, __UNIQUE_ID(__x), __UNIQUE_ID(__y))) #define __clamp(val, lo, hi) \ ((val) >= (hi) ? (hi) : ((val) <= (lo) ? (lo) : (val))) @@ -46,17 +52,15 @@ typeof(val) unique_val = (val); \ typeof(lo) unique_lo = (lo); \ typeof(hi) unique_hi = (hi); \ + static_assert(__builtin_choose_expr(__is_constexpr((lo) > (hi)), \ + (lo) <= (hi), true), \ + "clamp() low limit " #lo " greater than high limit " #hi); \ + static_assert(__types_ok(val, lo), "clamp() 'lo' signedness error"); \ + static_assert(__types_ok(val, hi), "clamp() 'hi' signedness error"); \ __clamp(unique_val, unique_lo, unique_hi); }) -#define __clamp_input_check(lo, hi) \ - (BUILD_BUG_ON_ZERO(__builtin_choose_expr( \ - __is_constexpr((lo) > (hi)), (lo) > (hi), false))) - #define __careful_clamp(val, lo, hi) ({ \ - __clamp_input_check(lo, hi) + \ - __builtin_choose_expr(__typecheck(val, lo) && __typecheck(val, hi) && \ - __typecheck(hi, lo) && __is_constexpr(val) && \ - __is_constexpr(lo) && __is_constexpr(hi), \ + __builtin_choose_expr(__is_constexpr((val) - (lo) + (hi)), \ __clamp(val, lo, hi), \ __clamp_once(val, lo, hi, __UNIQUE_ID(__val), \ __UNIQUE_ID(__lo), __UNIQUE_ID(__hi))); }) @@ -66,14 +70,14 @@ * @x: first value * @y: second value */ -#define min(x, y) __careful_cmp(x, y, <) +#define min(x, y) __careful_cmp(min, x, y) /** * max - return maximum of two values of the same or compatible types * @x: first value * @y: second value */ -#define max(x, y) __careful_cmp(x, y, >) +#define max(x, y) __careful_cmp(max, x, y) /** * umin - return minimum of two non-negative values @@ -82,7 +86,7 @@ * @y: second value */ #define umin(x, y) \ - __careful_cmp((x) + 0u + 0ul + 0ull, (y) + 0u + 0ul + 0ull, <) + __careful_cmp(min, (x) + 0u + 0ul + 0ull, (y) + 0u + 0ul + 0ull) /** * umax - return maximum of two non-negative values @@ -90,7 +94,7 @@ * @y: second value */ #define umax(x, y) \ - __careful_cmp((x) + 0u + 0ul + 0ull, (y) + 0u + 0ul + 0ull, >) + __careful_cmp(max, (x) + 0u + 0ul + 0ull, (y) + 0u + 0ul + 0ull) /** * min3 - return minimum of three values @@ -142,7 +146,7 @@ * @x: first value * @y: second value */ -#define min_t(type, x, y) __careful_cmp((type)(x), (type)(y), <) +#define min_t(type, x, y) __careful_cmp(min, (type)(x), (type)(y)) /** * max_t - return maximum of two values, using the specified type @@ -150,7 +154,7 @@ * @x: first value * @y: second value */ -#define max_t(type, x, y) __careful_cmp((type)(x), (type)(y), >) +#define max_t(type, x, y) __careful_cmp(max, (type)(x), (type)(y)) /** * clamp_t - return a value clamped to a given range using a given type -- 2.47.3

4 days, 16 hours

2
1
0 0

[PATCH 5.10 0/4] x86/speculation: Make {JMP,CALL}_NOSPEC Consistent

by Suraj Jitindar Singh

The 4 patches in this series make the JMP_NOSPEC and CALL_NOSPEC macros used in the kernel consistent with what is generated by the compiler. ("x86,nospec: Simplify {JMP,CALL}_NOSPEC") was merged in v6.0 and the remaining 3 patches in this series were merged in v6.15. All 4 were included in kernels v5.15+ as prerequisites for the backport of the ITS mitigations [1]. None of these patches were included in the backport of the ITS mitigations to the 5.10 kernel [2]. They all apply cleanly and are applicable to the 5.10 kernel. Thus I see no reason that they weren't applied here, unless someone can correct me? I am sending them for inclusion in the 5.10 kernel as this kernel is still actively maintained for these kind of vulnerability mitigations and as such having these patches will unify the handling of these cases with subsequent kernel versions easing code understanding and the ease of backports in the future. [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… [2] https://lore.kernel.org/stable/20250617-its-5-10-v2-0-3e925a1512a1@linux.in… Pawan Gupta (3): x86/speculation: Simplify and make CALL_NOSPEC consistent x86/speculation: Add a conditional CS prefix to CALL_NOSPEC x86/speculation: Remove the extra #ifdef around CALL_NOSPEC Peter Zijlstra (1): x86,nospec: Simplify {JMP,CALL}_NOSPEC arch/x86/include/asm/nospec-branch.h | 46 ++++++++++++++++++---------- 1 file changed, 30 insertions(+), 16 deletions(-) -- 2.34.1

4 days, 17 hours

4
10
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror September 2025