- Linux-stable-mirror - lists.linaro.org

[PATCH] mm/huge_memory: Fix to make vma_adjust_trans_huge() use find_vma() correctly

by Jeongjun Park

vma_adjust_trans_huge() uses find_vma() to get the VMA, but find_vma() uses the returned pointer without any verification, even though it may return NULL. In this case, NULL pointer dereference may occur, so to prevent this, vma_adjust_trans_huge() should be fix to verify the return value of find_vma(). Cc: <stable(a)vger.kernel.org> Fixes: 685405020b9f ("mm/khugepaged: stop using vma linked list") Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> --- mm/huge_memory.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/mm/huge_memory.c b/mm/huge_memory.c index 5734d5d5060f..db55b8abae2e 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -2941,9 +2941,12 @@ void vma_adjust_trans_huge(struct vm_area_struct *vma, */ if (adjust_next > 0) { struct vm_area_struct *next = find_vma(vma->vm_mm, vma->vm_end); - unsigned long nstart = next->vm_start; - nstart += adjust_next; - split_huge_pmd_if_needed(next, nstart); + + if (likely(next)) { + unsigned long nstart = next->vm_start; + nstart += adjust_next; + split_huge_pmd_if_needed(next, nstart); + } } } --

11 minutes

2
3
0 0

[PATCH] f2fs: fix to drop all discards after creating snapshot on lvm device

by Chao Yu

Piergiorgio reported a bug in bugzilla as below: ------------[ cut here ]------------ WARNING: CPU: 2 PID: 969 at fs/f2fs/segment.c:1330 RIP: 0010:__submit_discard_cmd+0x27d/0x400 [f2fs] Call Trace: __issue_discard_cmd+0x1ca/0x350 [f2fs] issue_discard_thread+0x191/0x480 [f2fs] kthread+0xcf/0x100 ret_from_fork+0x31/0x50 ret_from_fork_asm+0x1a/0x30 w/ below testcase, it can reproduce this bug quickly: - pvcreate /dev/vdb - vgcreate myvg1 /dev/vdb - lvcreate -L 1024m -n mylv1 myvg1 - mount /dev/myvg1/mylv1 /mnt/f2fs - dd if=/dev/zero of=/mnt/f2fs/file bs=1M count=20 - sync - rm /mnt/f2fs/file - sync - lvcreate -L 1024m -s -n mylv1-snapshot /dev/myvg1/mylv1 - umount /mnt/f2fs The root cause is: it will update discard_max_bytes of mounted lvm device to zero after creating snapshot on this lvm device, then, __submit_discard_cmd() will pass parameter @nr_sects w/ zero value to __blkdev_issue_discard(), it returns a NULL bio pointer, result in panic. This patch changes as below for fixing: 1. Let's drop all remained discards in f2fs_unfreeze() if snapshot of lvm device is created. 2. Checking discard_max_bytes before submitting discard during __submit_discard_cmd(). Cc: stable(a)vger.kernel.org Fixes: 35ec7d574884 ("f2fs: split discard command in prior to block layer") Reported-by: Piergiorgio Sartor <piergiorgio.sartor(a)nexgo.de> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219484 Signed-off-by: Chao Yu <chao(a)kernel.org> --- fs/f2fs/segment.c | 16 +++++++++------- fs/f2fs/super.c | 12 ++++++++++++ 2 files changed, 21 insertions(+), 7 deletions(-) diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c index 7bdfe08ce9ea..af3fb3f6d9b5 100644 --- a/fs/f2fs/segment.c +++ b/fs/f2fs/segment.c @@ -1290,16 +1290,18 @@ static int __submit_discard_cmd(struct f2fs_sb_info *sbi, wait_list, issued); return 0; } - - /* - * Issue discard for conventional zones only if the device - * supports discard. - */ - if (!bdev_max_discard_sectors(bdev)) - return -EOPNOTSUPP; } #endif + /* + * stop issuing discard for any of below cases: + * 1. device is conventional zone, but it doesn't support discard. + * 2. device is regulare device, after snapshot it doesn't support + * discard. + */ + if (!bdev_max_discard_sectors(bdev)) + return -EOPNOTSUPP; + trace_f2fs_issue_discard(bdev, dc->di.start, dc->di.len); lstart = dc->di.lstart; diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c index c0670cd61956..fc7d463dee15 100644 --- a/fs/f2fs/super.c +++ b/fs/f2fs/super.c @@ -1760,6 +1760,18 @@ static int f2fs_freeze(struct super_block *sb) static int f2fs_unfreeze(struct super_block *sb) { + struct f2fs_sb_info *sbi = F2FS_SB(sb); + + /* + * It will update discard_max_bytes of mounted lvm device to zero + * after creating snapshot on this lvm device, let's drop all + * remained discards. + * We don't need to disable real-time discard because discard_max_bytes + * will recover after removal of snapshot. + */ + if (test_opt(sbi, DISCARD) && !f2fs_hw_support_discard(sbi)) + f2fs_issue_discard_timeout(sbi); + clear_sbi_flag(F2FS_SB(sb), SBI_IS_FREEZING); return 0; } -- 2.40.1

12 minutes

1
0
0 0

[PATCH] usb: ehci-hcd: fix call balance of clocks handling routines

by Vitalii Mordan

If the clocks priv->iclk and priv->fclk were not enabled in ehci_hcd_sh_probe, they should not be disabled in any path. Conversely, if they was enabled in ehci_hcd_sh_probe, they must be disabled in all error paths to ensure proper cleanup. Found by Linux Verification Center (linuxtesting.org) with Klever. Fixes: 63c845522263 ("usb: ehci-hcd: Add support for SuperH EHCI.") Cc: stable(a)vger.kernel.org # ff30bd6a6618: sh: clk: Fix clk_enable() to return 0 on NULL clk Signed-off-by: Vitalii Mordan <mordan(a)ispras.ru> --- drivers/usb/host/ehci-sh.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/usb/host/ehci-sh.c b/drivers/usb/host/ehci-sh.c index d31d9506e41a..77460aac6dbd 100644 --- a/drivers/usb/host/ehci-sh.c +++ b/drivers/usb/host/ehci-sh.c @@ -119,8 +119,12 @@ static int ehci_hcd_sh_probe(struct platform_device *pdev) if (IS_ERR(priv->iclk)) priv->iclk = NULL; - clk_enable(priv->fclk); - clk_enable(priv->iclk); + ret = clk_enable(priv->fclk); + if (ret) + goto fail_request_resource; + ret = clk_enable(priv->iclk); + if (ret) + goto fail_iclk; ret = usb_add_hcd(hcd, irq, IRQF_SHARED); if (ret != 0) { @@ -136,6 +140,7 @@ static int ehci_hcd_sh_probe(struct platform_device *pdev) fail_add_hcd: clk_disable(priv->iclk); +fail_iclk: clk_disable(priv->fclk); fail_request_resource: -- 2.25.1

14 minutes

2
1
0 0

[PATCH 6.12 0/3] 6.12.1-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.1 release. There are 3 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 22 Nov 2024 12:40:53 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.1-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.1-rc1 Liam R. Howlett <Liam.Howlett(a)Oracle.com> mm/mmap: fix __mmap_region() error handling in rare merge failure case Benoit Sevens <bsevens(a)google.com> media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format Hyunwoo Kim <v4bel(a)theori.io> hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer ------------- Diffstat: Makefile | 4 ++-- drivers/media/usb/uvc/uvc_driver.c | 2 +- mm/mmap.c | 13 ++++++++++++- net/vmw_vsock/hyperv_transport.c | 1 + 4 files changed, 16 insertions(+), 4 deletions(-)

21 minutes

9
11
0 0

tmpfs hang after v6.12-rc6

by Chuck Lever

I've found that NFS access to an exported tmpfs file system hangs indefinitely when the client first performs a GETATTR. The hanging nfsd thread is waiting for the inode lock in shmem_getattr(): task:nfsd state:D stack:0 pid:1775 tgid:1775 ppid:2 flags:0x00004000 Call Trace: <TASK> __schedule+0x770/0x7b0 schedule+0x33/0x50 schedule_preempt_disabled+0x19/0x30 rwsem_down_read_slowpath+0x206/0x230 down_read+0x3f/0x60 shmem_getattr+0x84/0xf0 vfs_getattr_nosec+0x9e/0xc0 vfs_getattr+0x49/0x50 fh_getattr+0x43/0x50 [nfsd] fh_fill_pre_attrs+0x4e/0xd0 [nfsd] nfsd4_open+0x51f/0x910 [nfsd] nfsd4_proc_compound+0x492/0x5d0 [nfsd] nfsd_dispatch+0x117/0x1f0 [nfsd] svc_process_common+0x3b2/0x5e0 [sunrpc] ? __pfx_nfsd_dispatch+0x10/0x10 [nfsd] svc_process+0xcf/0x130 [sunrpc] svc_recv+0x64e/0x750 [sunrpc] ? __wake_up_bit+0x4b/0x60 ? __pfx_nfsd+0x10/0x10 [nfsd] nfsd+0xc6/0xf0 [nfsd] kthread+0xed/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2e/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> I bisected the problem to: d949d1d14fa281ace388b1de978e8f2cd52875cf is the first bad commit commit d949d1d14fa281ace388b1de978e8f2cd52875cf Author: Jeongjun Park <aha310510(a)gmail.com> AuthorDate: Mon Sep 9 21:35:58 2024 +0900 Commit: Andrew Morton <akpm(a)linux-foundation.org> CommitDate: Mon Oct 28 21:40:39 2024 -0700 mm: shmem: fix data-race in shmem_getattr() ... Link: https://lkml.kernel.org/r/20240909123558.70229-1-aha310510@gmail.com Fixes: 44a30220bc0a ("shmem: recalculate file inode when fstat") Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> Reported-by: syzbot <syzkaller(a)googlegroup.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> which first appeared in v6.12-rc6, and adds the line that is waiting on the inode lock when my NFS server hangs. I haven't yet found the process that is holding the inode lock for this inode. Because this commit addresses only a KCSAN splat that has been present since v4.3, and does not address a reported behavioral issue, I respectfully request that this commit be reverted immediately so that it does not appear in v6.12 final. Troubleshooting and testing should continue until a fix to the KCSAN issue can be found that does not deadlock NFS exports of tmpfs. -- Chuck Lever

22 minutes

4
11
0 0

[PATCH 6.6] s390/pkey: Wipe copies of clear-key structures on failure

by Bin Lan

From: Holger Dengler <dengler(a)linux.ibm.com> [ Upstream commit d65d76a44ffe74c73298ada25b0f578680576073 ] Wipe all sensitive data from stack for all IOCTLs, which convert a clear-key into a protected- or secure-key. Reviewed-by: Harald Freudenberger <freude(a)linux.ibm.com> Reviewed-by: Ingo Franzki <ifranzki(a)linux.ibm.com> Acked-by: Heiko Carstens <hca(a)linux.ibm.com> Signed-off-by: Holger Dengler <dengler(a)linux.ibm.com> Signed-off-by: Alexander Gordeev <agordeev(a)linux.ibm.com> [ Resolve minor conflicts to fix CVE-2024-42156 ] Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> --- drivers/s390/crypto/pkey_api.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c index d2ffdf2491da..70fcb5c40cfe 100644 --- a/drivers/s390/crypto/pkey_api.c +++ b/drivers/s390/crypto/pkey_api.c @@ -1366,9 +1366,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, rc = cca_clr2seckey(kcs.cardnr, kcs.domain, kcs.keytype, kcs.clrkey.clrkey, kcs.seckey.seckey); DEBUG_DBG("%s cca_clr2seckey()=%d\n", __func__, rc); - if (rc) - break; - if (copy_to_user(ucs, &kcs, sizeof(kcs))) + if (!rc && copy_to_user(ucs, &kcs, sizeof(kcs))) rc = -EFAULT; memzero_explicit(&kcs, sizeof(kcs)); break; @@ -1401,9 +1399,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, kcp.protkey.protkey, &kcp.protkey.len, &kcp.protkey.type); DEBUG_DBG("%s pkey_clr2protkey()=%d\n", __func__, rc); - if (rc) - break; - if (copy_to_user(ucp, &kcp, sizeof(kcp))) + if (!rc && copy_to_user(ucp, &kcp, sizeof(kcp))) rc = -EFAULT; memzero_explicit(&kcp, sizeof(kcp)); break; @@ -1555,11 +1551,14 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, if (copy_from_user(&kcs, ucs, sizeof(kcs))) return -EFAULT; apqns = _copy_apqns_from_user(kcs.apqns, kcs.apqn_entries); - if (IS_ERR(apqns)) + if (IS_ERR(apqns)) { + memzero_explicit(&kcs, sizeof(kcs)); return PTR_ERR(apqns); + } kkey = kzalloc(klen, GFP_KERNEL); if (!kkey) { kfree(apqns); + memzero_explicit(&kcs, sizeof(kcs)); return -ENOMEM; } rc = pkey_clr2seckey2(apqns, kcs.apqn_entries, @@ -1569,15 +1568,18 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, kfree(apqns); if (rc) { kfree(kkey); + memzero_explicit(&kcs, sizeof(kcs)); break; } if (kcs.key) { if (kcs.keylen < klen) { kfree(kkey); + memzero_explicit(&kcs, sizeof(kcs)); return -EINVAL; } if (copy_to_user(kcs.key, kkey, klen)) { kfree(kkey); + memzero_explicit(&kcs, sizeof(kcs)); return -EFAULT; } } -- 2.43.0

1 hour, 50 minutes

2
1
0 0

[PATCH 6.1] closures: Change BUG_ON() to WARN_ON()

by Bin Lan

From: Kent Overstreet <kent.overstreet(a)linux.dev> [ Upstream commit 339b84ab6b1d66900c27bd999271cb2ae40ce812 ] If a BUG_ON() can be hit in the wild, it shouldn't be a BUG_ON() For reference, this has popped up once in the CI, and we'll need more info to debug it: 03240 ------------[ cut here ]------------ 03240 kernel BUG at lib/closure.c:21! 03240 kernel BUG at lib/closure.c:21! 03240 Internal error: Oops - BUG: 00000000f2000800 [#1] SMP 03240 Modules linked in: 03240 CPU: 15 PID: 40534 Comm: kworker/u80:1 Not tainted 6.10.0-rc4-ktest-ga56da69799bd #25570 03240 Hardware name: linux,dummy-virt (DT) 03240 Workqueue: btree_update btree_interior_update_work 03240 pstate: 00001005 (nzcv daif -PAN -UAO -TCO -DIT +SSBS BTYPE=--) 03240 pc : closure_put+0x224/0x2a0 03240 lr : closure_put+0x24/0x2a0 03240 sp : ffff0000d12071c0 03240 x29: ffff0000d12071c0 x28: dfff800000000000 x27: ffff0000d1207360 03240 x26: 0000000000000040 x25: 0000000000000040 x24: 0000000000000040 03240 x23: ffff0000c1f20180 x22: 0000000000000000 x21: ffff0000c1f20168 03240 x20: 0000000040000000 x19: ffff0000c1f20140 x18: 0000000000000001 03240 x17: 0000000000003aa0 x16: 0000000000003ad0 x15: 1fffe0001c326974 03240 x14: 0000000000000a1e x13: 0000000000000000 x12: 1fffe000183e402d 03240 x11: ffff6000183e402d x10: dfff800000000000 x9 : ffff6000183e402e 03240 x8 : 0000000000000001 x7 : 00009fffe7c1bfd3 x6 : ffff0000c1f2016b 03240 x5 : ffff0000c1f20168 x4 : ffff6000183e402e x3 : ffff800081391954 03240 x2 : 0000000000000001 x1 : 0000000000000000 x0 : 00000000a8000000 03240 Call trace: 03240 closure_put+0x224/0x2a0 03240 bch2_check_for_deadlock+0x910/0x1028 03240 bch2_six_check_for_deadlock+0x1c/0x30 03240 six_lock_slowpath.isra.0+0x29c/0xed0 03240 six_lock_ip_waiter+0xa8/0xf8 03240 __bch2_btree_node_lock_write+0x14c/0x298 03240 bch2_trans_lock_write+0x6d4/0xb10 03240 __bch2_trans_commit+0x135c/0x5520 03240 btree_interior_update_work+0x1248/0x1c10 03240 process_scheduled_works+0x53c/0xd90 03240 worker_thread+0x370/0x8c8 03240 kthread+0x258/0x2e8 03240 ret_from_fork+0x10/0x20 03240 Code: aa1303e0 d63f0020 a94363f7 17ffff8c (d4210000) 03240 ---[ end trace 0000000000000000 ]--- 03240 Kernel panic - not syncing: Oops - BUG: Fatal exception 03240 SMP: stopping secondary CPUs 03241 SMP: failed to stop secondary CPUs 13,15 03241 Kernel Offset: disabled 03241 CPU features: 0x00,00000003,80000008,4240500b 03241 Memory Limit: none 03241 ---[ end Kernel panic - not syncing: Oops - BUG: Fatal exception ]--- 03246 ========= FAILED TIMEOUT copygc_torture_no_checksum in 7200s Signed-off-by: Kent Overstreet <kent.overstreet(a)linux.dev> [ Resolve minor conflicts to fix CVE-2024-42252 ] Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> --- drivers/md/bcache/closure.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/md/bcache/closure.c b/drivers/md/bcache/closure.c index d8d9394a6beb..18f21d4e9aaa 100644 --- a/drivers/md/bcache/closure.c +++ b/drivers/md/bcache/closure.c @@ -17,10 +17,16 @@ static inline void closure_put_after_sub(struct closure *cl, int flags) { int r = flags & CLOSURE_REMAINING_MASK; - BUG_ON(flags & CLOSURE_GUARD_MASK); - BUG_ON(!r && (flags & ~CLOSURE_DESTRUCTOR)); + if (WARN(flags & CLOSURE_GUARD_MASK, + "closure has guard bits set: %x (%u)", + flags & CLOSURE_GUARD_MASK, (unsigned) __fls(r))) + r &= ~CLOSURE_GUARD_MASK; if (!r) { + WARN(flags & ~CLOSURE_DESTRUCTOR, + "closure ref hit 0 with incorrect flags set: %x (%u)", + flags & ~CLOSURE_DESTRUCTOR, (unsigned) __fls(flags)); + if (cl->fn && !(flags & CLOSURE_DESTRUCTOR)) { atomic_set(&cl->remaining, CLOSURE_REMAINING_INITIALIZER); -- 2.43.0

1 hour, 50 minutes

3
3
0 0

[PATCH 6.11 000/107] 6.11.10-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.11.10 release. There are 107 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 22 Nov 2024 12:56:14 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.11.10-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.11.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.11.10-rc1 Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> media: dvbdev: fix the logic when DVB_DYNAMIC_MINORS is not set Alexandre Ferrieux <alexandre.ferrieux(a)gmail.com> net: sched: u32: Add test case for systematic hnode IDR leaks Jiri Olsa <jolsa(a)kernel.org> lib/buildid: Fix build ID parsing logic Matthew Auld <matthew.auld(a)intel.com> drm/xe: improve hibernation on igpu Matthew Brost <matthew.brost(a)intel.com> drm/xe: Restore system memory GGTT mappings Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> mm: refactor arch_calc_vm_flag_bits() and arm64 MTE handling Hamish Claxton <hamishclaxton(a)gmail.com> drm/amd/display: Fix failure to read vram info due to static BP_RESULT Ryan Seto <ryanseto(a)amd.com> drm/amd/display: Handle dml allocation failure to avoid crash Dillon Varone <dillon.varone(a)amd.com> drm/amd/display: Require minimum VBlank size for stutter optimization Rodrigo Siqueira <Rodrigo.Siqueira(a)amd.com> drm/amd/display: Adjust VSDB parser for replay feature Jack Xiao <Jack.Xiao(a)amd.com> drm/amdgpu/mes12: correct kiq unmap latency Christian König <christian.koenig(a)amd.com> drm/amdgpu: enable GTT fallback handling for dGPUs only Tim Huang <tim.huang(a)amd.com> drm/amd/pm: print pp_dpm_mclk in ascending order on SMU v14.0.0 David Rosca <david.rosca(a)amd.com> drm/amdgpu: Fix video caps for H264 and HEVC encode maximum size Christian König <christian.koenig(a)amd.com> drm/amdgpu: fix check in gmc_v9_0_get_vm_pte() Vijendar Mukunda <Vijendar.Mukunda(a)amd.com> drm/amd: Fix initialization mistake for NBIO 7.7.0 Dave Airlie <airlied(a)redhat.com> nouveau/dp: handle retries for AUX CH transfers with GSP. Dave Airlie <airlied(a)redhat.com> nouveau: handle EBUSY and EAGAIN for GSP aux errors. Dave Airlie <airlied(a)redhat.com> nouveau: fw: sync dma after setup is called. Sibi Sankar <quic_sibis(a)quicinc.com> pmdomain: core: Add GENPD_FLAG_DEV_NAME_FW flag Sibi Sankar <quic_sibis(a)quicinc.com> pmdomain: arm: Use FLAG_DEV_NAME_FW to ensure unique names Peng Fan <peng.fan(a)nxp.com> pmdomain: imx93-blk-ctrl: correct remove path Ashutosh Dixit <ashutosh.dixit(a)intel.com> drm/xe/oa: Fix "Missing outer runtime PM protection" warning Matthew Auld <matthew.auld(a)intel.com> drm/xe: handle flat ccs during hibernation on igpu Francesco Dolcini <francesco.dolcini(a)toradex.com> drm/bridge: tc358768: Fix DSI command tx Andre Przywara <andre.przywara(a)arm.com> mmc: sunxi-mmc: Fix A100 compatible description Sibi Sankar <quic_sibis(a)quicinc.com> firmware: arm_scmi: Report duplicate opps as firmware bugs Cristian Marussi <cristian.marussi(a)arm.com> firmware: arm_scmi: Skip opp duplicates Sibi Sankar <quic_sibis(a)quicinc.com> mailbox: qcom-cpucp: Mark the irq with IRQF_NO_SUSPEND flag Josef Bacik <josef(a)toxicpanda.com> btrfs: fix incorrect comparison for delayed refs Alex Deucher <alexander.deucher(a)amd.com> Revert "drm/amd/display: parse umc_info or vram_info based on ASIC" Aurelien Jarno <aurelien(a)aurel32.net> Revert "mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K" Donet Tom <donettom(a)linux.ibm.com> selftests: hugetlb_dio: fixup check for initial conditions to skip in the start Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Make KASAN work with 5-level page-tables Bibo Mao <maobibo(a)loongson.cn> LoongArch: Fix AP booting issue in VM mode Kanglong Wang <wangkanglong(a)loongson.cn> LoongArch: Add WriteCombine shadow mapping in KASAN Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Disable KASAN if PGDIR_SIZE is too large for cpu_vabits Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Fix early_numa_add_cpu() usage for FDT systems Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint Dmitry Antipov <dmantipov(a)yandex.ru> ocfs2: fix UBSAN warning in ocfs2_verify_volume() Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: use _rcu variant under rcu_read_lock Geliang Tang <geliang(a)kernel.org> mptcp: hold pm lock when deleting entry Geliang Tang <geliang(a)kernel.org> mptcp: update local address flags when setting it Maksym Glubokiy <maxgl.kernel(a)gmail.com> ALSA: hda/realtek: fix mute/micmute LEDs for a HP EliteBook 645 G10 Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek - update set GPIO3 to default for Thinkpad with ALC1318 Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek - Fixed Clevo platform headset Mic issue Roman Gushchin <roman.gushchin(a)linux.dev> mm: page_alloc: move mlocked flag clearance into free_pages_prepare() Jarkko Sakkinen <jarkko(a)kernel.org> tpm: Disable TPM on tpm2_create_primary() failure Hajime Tazaki <thehajime(a)gmail.com> nommu: pass NULL argument to vma_iter_prealloc() Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint Sean Christopherson <seanjc(a)google.com> KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN Sean Christopherson <seanjc(a)google.com> KVM: x86: Unconditionally set irr_pending when updating APICv state Sean Christopherson <seanjc(a)google.com> KVM: nVMX: Treat vpid01 as current if L2 is active, but with VPID disabled Sean Christopherson <seanjc(a)google.com> KVM: selftests: Disable strict aliasing Mateusz Guzik <mjguzik(a)gmail.com> evm: stop avoidably reading i_writecount in evm_file_release Samasth Norway Ananda <samasth.norway.ananda(a)oracle.com> ima: fix buffer overrun in ima_eventdigest_init_common Xiaoguang Wang <lege.wang(a)jaguarmicro.com> vp_vdpa: fix id_table array not null terminated error Si-Wei Liu <si-wei.liu(a)oracle.com> vdpa/mlx5: Fix PA offset with unaligned starting iotlb map Philipp Stanner <pstanner(a)redhat.com> vdpa: solidrun: Fix UB bug with devres Andrew Morton <akpm(a)linux-foundation.org> mm: revert "mm: shmem: fix data-race in shmem_getattr()" Jann Horn <jannh(a)google.com> mm/mremap: fix address wraparound in move_page_tables() Dan Carpenter <dan.carpenter(a)linaro.org> fs/proc/task_mmu: prevent integer overflow in pagemap_scan_get_args() Qun-Wei Lin <qun-wei.lin(a)mediatek.com> sched/task_stack: fix object_is_on_stack() for KASAN tagged pointers Dave Vasilevsky <dave(a)vasilevsky.ca> crash, powerpc: default to CRASH_DUMP=n on PPC_BOOK3S_32 Dmitry Antipov <dmantipov(a)yandex.ru> ocfs2: uncache inode which has failed entering the group Jinjiang Tu <tujinjiang(a)huawei.com> mm: fix NULL pointer dereference in alloc_pages_bulk_noprof Ard Biesheuvel <ardb(a)kernel.org> x86/stackprotector: Work around strict Clang TLS symbol requirements Baoquan He <bhe(a)redhat.com> x86/mm: Fix a kdump kernel failure on SME system when CONFIG_IMA_KEXEC=y Mario Limonciello <mario.limonciello(a)amd.com> x86/CPU/AMD: Clear virtualized VMLOAD/VMSAVE on Zen4 client Tom Chung <chiahsuan.chung(a)amd.com> drm/amd/display: Fix Panel Replay not update screen correctly Tom Chung <chiahsuan.chung(a)amd.com> drm/amd/display: Change some variable name of psr Leo Li <sunpeng.li(a)amd.com> drm/amd/display: Run idle optimizations at end of vblank handler Alex Deucher <alexander.deucher(a)amd.com> Revert "drm/amd/pm: correct the workload setting" Motiejus JakÅ`tys <motiejus(a)jakstys.lt> tools/mm: fix compile error Russell King (Oracle) <rmk+kernel(a)armlinux.org.uk> ARM: fix cacheflush with PAN Harith G <harith.g(a)alifsemi.com> ARM: 9419/1: mm: Fix kernel memory mapping for xip kernels Hangbin Liu <liuhangbin(a)gmail.com> bonding: add ns target multicast address to slave device Meghana Malladi <m-malladi(a)ti.com> net: ti: icssg-prueth: Fix 1 PPS sync Chen Ridong <chenridong(a)huawei.com> drm/vmwgfx: avoid null_ptr_deref in vmw_framebuffer_surface_create_handle Vitalii Mordan <mordan(a)ispras.ru> stmmac: dwmac-intel-plat: fix call balance of tx_clk handling routines Michal Luczaj <mhal(a)rbox.co> net: Make copy_safe_from_sockptr() match documentation Nícolas F. R. A. Prado <nfraprado(a)collabora.com> net: stmmac: dwmac-mediatek: Fix inverted handling of mediatek,mac-wol Wei Fang <wei.fang(a)nxp.com> samples: pktgen: correct dev to DEV Russell King (Oracle) <rmk+kernel(a)armlinux.org.uk> net: phylink: ensure PHY momentary link-fails are handled Alexandre Ferrieux <alexandre.ferrieux(a)gmail.com> net: sched: cls_u32: Fix u32's systematic failure to free IDR entries for hnodes. Akash Goel <akash.goel(a)arm.com> drm/panthor: Fix handling of partial GPU mapping of BOs Kiran K <kiran.k(a)intel.com> Bluetooth: btintel: Direct exception event to bluetooth stack Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_core: Fix calling mgmt_device_connected Alexandre Ghiti <alexghiti(a)rivosinc.com> drivers: perf: Fix wrong put_cpu() placement Leon Romanovsky <leon(a)kernel.org> Revert "RDMA/core: Fix ENODEV error for iWARP test over vlan" Michal Luczaj <mhal(a)rbox.co> virtio/vsock: Improve MSG_ZEROCOPY error handling Michal Luczaj <mhal(a)rbox.co> vsock: Fix sk_error_queue memory leak Michal Luczaj <mhal(a)rbox.co> virtio/vsock: Fix accept_queue memory leak Daniele Ceraolo Spurio <daniele.ceraolospurio(a)intel.com> drm/i915/gsc: ARL-H and ARL-U need a newer GSC FW. Carolina Jubran <cjubran(a)nvidia.com> net/mlx5e: Disable loopback self-test on multi-PF netdev Moshe Shemesh <moshe(a)nvidia.com> net/mlx5e: CT: Fix null-ptr-deref in add rule err flow William Tu <witu(a)nvidia.com> net/mlx5e: clear xdp features on non-uplink representors Dragos Tatulea <dtatulea(a)nvidia.com> net/mlx5e: kTLS, Fix incorrect page refcounting Mark Bloch <mbloch(a)nvidia.com> net/mlx5: fs, lock FTE when checking if active Parav Pandit <parav(a)nvidia.com> net/mlx5: Fix msix vectors to respect platform limit Paolo Abeni <pabeni(a)redhat.com> mptcp: cope racing subflow creation in mptcp_rcv_space_adjust Paolo Abeni <pabeni(a)redhat.com> mptcp: error out earlier on disconnect Wang Liang <wangliang74(a)huawei.com> net: fix data-races around sk->sk_forward_alloc Andy Yan <andy.yan(a)rock-chips.com> drm/rockchip: vop: Fix a dereferenced before check warning Stefan Wahren <wahrenst(a)gmx.net> net: vertexcom: mse102x: Fix tx_bytes calculation Eric Dumazet <edumazet(a)google.com> sctp: fix possible UAF in sctp_v6_available() Jakub Kicinski <kuba(a)kernel.org> netlink: terminate outstanding dump on socket close ------------- Diffstat: Makefile | 4 +- arch/arm/Kconfig | 3 + arch/arm/kernel/head.S | 8 +- arch/arm/kernel/traps.c | 3 + arch/arm/mm/mmu.c | 34 +++--- arch/arm64/Kconfig | 3 + arch/arm64/include/asm/mman.h | 10 +- arch/loongarch/Kconfig | 3 + arch/loongarch/include/asm/kasan.h | 13 ++- arch/loongarch/kernel/paravirt.c | 15 +++ arch/loongarch/kernel/smp.c | 2 +- arch/loongarch/mm/kasan_init.c | 46 +++++++- arch/mips/Kconfig | 3 + arch/parisc/include/asm/mman.h | 5 +- arch/powerpc/Kconfig | 4 + arch/riscv/Kconfig | 3 + arch/s390/Kconfig | 3 + arch/sh/Kconfig | 3 + arch/x86/Kconfig | 3 + arch/x86/Makefile | 5 +- arch/x86/entry/entry.S | 16 +++ arch/x86/include/asm/asm-prototypes.h | 3 + arch/x86/kernel/cpu/amd.c | 11 ++ arch/x86/kernel/cpu/common.c | 2 + arch/x86/kernel/vmlinux.lds.S | 3 + arch/x86/kvm/lapic.c | 29 +++-- arch/x86/kvm/vmx/nested.c | 30 +++++- arch/x86/kvm/vmx/vmx.c | 6 +- arch/x86/mm/ioremap.c | 6 +- drivers/bluetooth/btintel.c | 5 +- drivers/char/tpm/tpm2-sessions.c | 7 +- drivers/firmware/arm_scmi/perf.c | 44 +++++--- drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 3 +- drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c | 13 ++- drivers/gpu/drm/amd/amdgpu/mes_v12_0.c | 2 +- drivers/gpu/drm/amd/amdgpu/nbio_v7_7.c | 6 ++ drivers/gpu/drm/amd/amdgpu/nv.c | 12 +-- drivers/gpu/drm/amd/amdgpu/soc15.c | 4 +- drivers/gpu/drm/amd/amdgpu/soc21.c | 12 +-- drivers/gpu/drm/amd/amdgpu/soc24.c | 2 +- drivers/gpu/drm/amd/amdgpu/vi.c | 8 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 117 +++++++++++---------- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h | 2 +- .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c | 17 +-- .../amd/display/amdgpu_dm/amdgpu_dm_irq_params.h | 2 +- drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c | 6 +- drivers/gpu/drm/amd/display/dc/core/dc_state.c | 3 + .../dml2/dml21/src/dml2_pmo/dml2_pmo_dcn4_fams2.c | 11 +- drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 49 +++------ drivers/gpu/drm/amd/pm/swsmu/inc/amdgpu_smu.h | 4 +- drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c | 5 +- drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c | 5 +- .../drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c | 5 +- drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c | 4 +- drivers/gpu/drm/amd/pm/swsmu/smu12/renoir_ppt.c | 4 +- .../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 20 +--- .../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c | 5 +- .../gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_0_ppt.c | 5 +- .../gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c | 9 +- drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c | 8 -- drivers/gpu/drm/amd/pm/swsmu/smu_cmn.h | 2 - drivers/gpu/drm/bridge/tc358768.c | 21 +++- drivers/gpu/drm/i915/gt/uc/intel_gsc_fw.c | 50 +++++---- drivers/gpu/drm/i915/i915_drv.h | 8 +- drivers/gpu/drm/i915/intel_device_info.c | 24 ++++- drivers/gpu/drm/i915/intel_device_info.h | 4 +- drivers/gpu/drm/nouveau/nvkm/engine/disp/r535.c | 61 ++++++----- drivers/gpu/drm/nouveau/nvkm/falcon/fw.c | 11 +- drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c | 6 +- drivers/gpu/drm/panthor/panthor_mmu.c | 2 + drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 2 + drivers/gpu/drm/xe/xe_bo.c | 43 ++++---- drivers/gpu/drm/xe/xe_bo_evict.c | 20 ++-- drivers/gpu/drm/xe/xe_oa.c | 2 + drivers/infiniband/core/addr.c | 2 - drivers/mailbox/qcom-cpucp-mbox.c | 2 +- drivers/media/dvb-core/dvbdev.c | 15 +-- drivers/mmc/host/dw_mmc.c | 4 +- drivers/mmc/host/sunxi-mmc.c | 6 +- drivers/net/bonding/bond_main.c | 16 ++- drivers/net/bonding/bond_options.c | 82 ++++++++++++++- drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c | 2 +- .../ethernet/mellanox/mlx5/core/en_accel/ktls_tx.c | 8 +- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 +- .../net/ethernet/mellanox/mlx5/core/en_selftest.c | 4 + drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 19 +++- drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c | 32 +++++- .../net/ethernet/stmicro/stmmac/dwmac-intel-plat.c | 25 +++-- .../net/ethernet/stmicro/stmmac/dwmac-mediatek.c | 4 +- drivers/net/ethernet/ti/icssg/icssg_prueth.c | 13 ++- drivers/net/ethernet/ti/icssg/icssg_prueth.h | 12 +++ drivers/net/ethernet/vertexcom/mse102x.c | 4 +- drivers/net/phy/phylink.c | 14 +-- drivers/perf/riscv_pmu_sbi.c | 4 +- drivers/pmdomain/arm/scmi_perf_domain.c | 3 +- drivers/pmdomain/core.c | 49 ++++++--- drivers/pmdomain/imx/imx93-blk-ctrl.c | 4 +- drivers/vdpa/mlx5/core/mr.c | 8 +- drivers/vdpa/solidrun/snet_main.c | 14 ++- drivers/vdpa/virtio_pci/vp_vdpa.c | 10 +- fs/btrfs/delayed-ref.c | 2 +- fs/nilfs2/btnode.c | 2 - fs/nilfs2/gcinode.c | 4 +- fs/nilfs2/mdt.c | 1 - fs/nilfs2/page.c | 2 +- fs/ocfs2/resize.c | 2 + fs/ocfs2/super.c | 13 ++- fs/proc/task_mmu.c | 4 +- include/drm/intel/i915_pciids.h | 19 +++- include/linux/mman.h | 7 +- include/linux/pm_domain.h | 6 ++ include/linux/sched/task_stack.h | 2 + include/linux/sockptr.h | 4 +- include/net/bond_options.h | 2 + kernel/Kconfig.kexec | 2 +- lib/buildid.c | 2 +- mm/mmap.c | 2 +- mm/mremap.c | 2 +- mm/nommu.c | 4 +- mm/page_alloc.c | 18 +++- mm/shmem.c | 5 - mm/swap.c | 14 --- net/bluetooth/hci_core.c | 2 - net/dccp/ipv6.c | 2 +- net/ipv6/tcp_ipv6.c | 4 +- net/mptcp/pm_netlink.c | 3 +- net/mptcp/pm_userspace.c | 15 +++ net/mptcp/protocol.c | 16 ++- net/netlink/af_netlink.c | 31 ++---- net/netlink/af_netlink.h | 2 - net/sched/cls_u32.c | 18 +++- net/sctp/ipv6.c | 19 ++-- net/vmw_vsock/af_vsock.c | 3 + net/vmw_vsock/virtio_transport_common.c | 9 ++ samples/pktgen/pktgen_sample01_simple.sh | 2 +- security/integrity/evm/evm_main.c | 3 +- security/integrity/ima/ima_template_lib.c | 14 ++- sound/pci/hda/patch_realtek.c | 13 ++- tools/mm/page-types.c | 2 +- tools/testing/selftests/kvm/Makefile | 8 +- tools/testing/selftests/mm/hugetlb_dio.c | 7 ++ .../selftests/tc-testing/tc-tests/filters/u32.json | 24 +++++ 143 files changed, 1080 insertions(+), 537 deletions(-)

2 hours, 51 minutes

8
114
0 0

[PATCH] fs/ceph/mds_client: give up on paths longer than PATH_MAX

by Max Kellermann

If the full path to be built by ceph_mdsc_build_path() happens to be longer than PATH_MAX, then this function will enter an endless (retry) loop, effectively blocking the whole task. Most of the machine becomes unusable, making this a very simple and effective DoS vulnerability. I cannot imagine why this retry was ever implemented, but it seems rather useless and harmful to me. Let's remove it and fail with ENAMETOOLONG instead. Cc: stable(a)vger.kernel.org Reported-by: Dario Weißer <dario(a)cure53.de> Signed-off-by: Max Kellermann <max.kellermann(a)ionos.com> --- fs/ceph/mds_client.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c index c4a5fd94bbbb..4f6ac015edcd 100644 --- a/fs/ceph/mds_client.c +++ b/fs/ceph/mds_client.c @@ -2808,12 +2808,11 @@ char *ceph_mdsc_build_path(struct ceph_mds_client *mdsc, struct dentry *dentry, if (pos < 0) { /* - * A rename didn't occur, but somehow we didn't end up where - * we thought we would. Throw a warning and try again. + * The path is longer than PATH_MAX and this function + * cannot ever succeed. Creating paths that long is + * possible with Ceph, but Linux cannot use them. */ - pr_warn_client(cl, "did not end path lookup where expected (pos = %d)\n", - pos); - goto retry; + return ERR_PTR(-ENAMETOOLONG); } *pbase = base; -- 2.45.2

3 hours, 41 minutes

5
8
0 0

[PATCH 1/2] PCI/MSI: Add MSIX option to write to ENTRY_DATA before any reads

by dullfire＠yahoo.com

From: Jonathan Currier <dullfire(a)yahoo.com> Commit 7d5ec3d36123 ("PCI/MSI: Mask all unused MSI-X entries") introduces a readl() from ENTRY_VECTOR_CTRL before the writel() to ENTRY_DATA. This is correct, however some hardware, like the Sun Neptune chips, the niu module, will cause an error and/or fatal trap if any MSIX table entry is read before the corresponding ENTRY_DATA field is written to. This patch adds an optional early writel() in msix_prepare_msi_desc(). Cc: stable(a)vger.kernel.org Signed-off-by: Jonathan Currier <dullfire(a)yahoo.com> --- drivers/pci/msi/msi.c | 2 ++ include/linux/pci.h | 2 ++ 2 files changed, 4 insertions(+) diff --git a/drivers/pci/msi/msi.c b/drivers/pci/msi/msi.c index 3a45879d85db..50d87fb5e37f 100644 --- a/drivers/pci/msi/msi.c +++ b/drivers/pci/msi/msi.c @@ -611,6 +611,8 @@ void msix_prepare_msi_desc(struct pci_dev *dev, struct msi_desc *desc) if (desc->pci.msi_attrib.can_mask) { void __iomem *addr = pci_msix_desc_addr(desc); + if (dev->dev_flags & PCI_DEV_FLAGS_MSIX_TOUCH_ENTRY_DATA_FIRST) + writel(0, addr + PCI_MSIX_ENTRY_DATA); desc->pci.msix_ctrl = readl(addr + PCI_MSIX_ENTRY_VECTOR_CTRL); } } diff --git a/include/linux/pci.h b/include/linux/pci.h index 37d97bef060f..b8b95b58d522 100644 --- a/include/linux/pci.h +++ b/include/linux/pci.h @@ -245,6 +245,8 @@ enum pci_dev_flags { PCI_DEV_FLAGS_NO_RELAXED_ORDERING = (__force pci_dev_flags_t) (1 << 11), /* Device does honor MSI masking despite saying otherwise */ PCI_DEV_FLAGS_HAS_MSI_MASKING = (__force pci_dev_flags_t) (1 << 12), + /* Device requires write to PCI_MSIX_ENTRY_DATA before any MSIX reads */ + PCI_DEV_FLAGS_MSIX_TOUCH_ENTRY_DATA_FIRST = (__force pci_dev_flags_t) (1 << 13), }; enum pci_irq_reroute_variant { -- 2.45.2

4 hours

3
3
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror