- Linux-stable-mirror - lists.linaro.org

[PATCH RESEND] drm/kmb: Fix error handling in kmb_probe

by Ma Ke

kmb_probe() obtain a reference to a platform device by of_find_device_by_node(). This call increases the reference count of the returned device, which should be dropped by calling put_device() when the device is no longer needed. However, the code fails to call put_device() in several error handling paths and the normal device removal path. This could result in reference count leaks that prevent the proper cleanup of the platform device when the driver is unloaded or during error recovery. Add put_device() in all code paths where dsi_pdev is no longer needed, including error paths and the normal removal path. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 7f7b96a8a0a1 ("drm/kmb: Add support for KeemBay Display") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/gpu/drm/kmb/kmb_drv.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/drivers/gpu/drm/kmb/kmb_drv.c b/drivers/gpu/drm/kmb/kmb_drv.c index 7c2eb1152fc2..9733337abe92 100644 --- a/drivers/gpu/drm/kmb/kmb_drv.c +++ b/drivers/gpu/drm/kmb/kmb_drv.c @@ -474,6 +474,8 @@ static void kmb_remove(struct platform_device *pdev) /* Unregister DSI host */ kmb_dsi_host_unregister(kmb->kmb_dsi); + if (kmb->kmb_dsi && kmb->kmb_dsi->pdev) + put_device(&kmb->kmb_dsi->pdev->dev); drm_atomic_helper_shutdown(drm); } @@ -518,17 +520,20 @@ static int kmb_probe(struct platform_device *pdev) ret = kmb_dsi_host_bridge_init(get_device(&dsi_pdev->dev)); if (ret == -EPROBE_DEFER) { - return -EPROBE_DEFER; + ret = -EPROBE_DEFER; + goto err_free2; } else if (ret) { DRM_ERROR("probe failed to initialize DSI host bridge\n"); - return ret; + goto err_free2; } /* Create DRM device */ kmb = devm_drm_dev_alloc(dev, &kmb_driver, struct kmb_drm_private, drm); - if (IS_ERR(kmb)) - return PTR_ERR(kmb); + if (IS_ERR(kmb)) { + ret = PTR_ERR(kmb); + goto err_free2; + } dev_set_drvdata(dev, &kmb->drm); @@ -577,7 +582,8 @@ static int kmb_probe(struct platform_device *pdev) err_free1: dev_set_drvdata(dev, NULL); kmb_dsi_host_unregister(kmb->kmb_dsi); - +err_free2: + put_device(&dsi_pdev->dev); return ret; } -- 2.17.1

1 week, 1 day

1
0
0 0

[tip: x86/boot] x86/acpi/boot: Correct acpi_is_processor_usable() check again

by tip-bot2 for Yazen Ghannam

The following commit has been merged into the x86/boot branch of tip: Commit-ID: adbf61cc47cb72b102682e690ad323e1eda652c2 Gitweb: https://git.kernel.org/tip/adbf61cc47cb72b102682e690ad323e1eda652c2 Author: Yazen Ghannam <yazen.ghannam(a)amd.com> AuthorDate: Tue, 11 Nov 2025 14:53:57 Committer: Ingo Molnar <mingo(a)kernel.org> CommitterDate: Sun, 14 Dec 2025 09:19:03 +01:00 x86/acpi/boot: Correct acpi_is_processor_usable() check again ACPI v6.3 defined a new "Online Capable" MADT LAPIC flag. This bit is used in conjunction with the "Enabled" MADT LAPIC flag to determine if a CPU can be enabled/hotplugged by the OS after boot. Before the new bit was defined, the "Enabled" bit was explicitly described like this (ACPI v6.0 wording provided): "If zero, this processor is unusable, and the operating system support will not attempt to use it" This means that CPU hotplug (based on MADT) is not possible. Many BIOS implementations follow this guidance. They may include LAPIC entries in MADT for unavailable CPUs, but since these entries are marked with "Enabled=0" it is expected that the OS will completely ignore these entries. However, QEMU will do the same (include entries with "Enabled=0") for the purpose of allowing CPU hotplug within the guest. Comment from QEMU function pc_madt_cpu_entry(): /* ACPI spec says that LAPIC entry for non present * CPU may be omitted from MADT or it must be marked * as disabled. However omitting non present CPU from * MADT breaks hotplug on linux. So possible CPUs * should be put in MADT but kept disabled. */ Recent Linux topology changes broke the QEMU use case. A following fix for the QEMU use case broke bare metal topology enumeration. Rework the Linux MADT LAPIC flags check to allow the QEMU use case only for guests and to maintain the ACPI spec behavior for bare metal. Remove an unnecessary check added to fix a bare metal case introduced by the QEMU "fix". [ bp: Change logic as Michal suggested. ] [ mingo: Removed misapplied -stable tag. ] Fixes: fed8d8773b8e ("x86/acpi/boot: Correct acpi_is_processor_usable() check") Fixes: f0551af02130 ("x86/topology: Ignore non-present APIC IDs in a present package") Closes: https://lore.kernel.org/r/20251024204658.3da9bf3f.michal.pecio@gmail.com Reported-by: Michal Pecio <michal.pecio(a)gmail.com> Signed-off-by: Yazen Ghannam <yazen.ghannam(a)amd.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Signed-off-by: Ingo Molnar <mingo(a)kernel.org> Tested-by: Michal Pecio <michal.pecio(a)gmail.com> Tested-by: Ricardo Neri <ricardo.neri-calderon(a)linux.intel.com> Link: https://lore.kernel.org/20251111145357.4031846-1-yazen.ghannam@amd.com Cc: stable(a)vger.kernel.org --- arch/x86/kernel/acpi/boot.c | 12 ++++++++---- arch/x86/kernel/cpu/topology.c | 15 --------------- 2 files changed, 8 insertions(+), 19 deletions(-) diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c index 9fa321a..d6138b2 100644 --- a/arch/x86/kernel/acpi/boot.c +++ b/arch/x86/kernel/acpi/boot.c @@ -35,6 +35,7 @@ #include <asm/smp.h> #include <asm/i8259.h> #include <asm/setup.h> +#include <asm/hypervisor.h> #include "sleep.h" /* To include x86_acpi_suspend_lowlevel */ static int __initdata acpi_force = 0; @@ -164,11 +165,14 @@ static bool __init acpi_is_processor_usable(u32 lapic_flags) if (lapic_flags & ACPI_MADT_ENABLED) return true; - if (!acpi_support_online_capable || - (lapic_flags & ACPI_MADT_ONLINE_CAPABLE)) - return true; + if (acpi_support_online_capable) + return lapic_flags & ACPI_MADT_ONLINE_CAPABLE; - return false; + /* + * QEMU expects legacy "Enabled=0" LAPIC entries to be counted as usable + * in order to support CPU hotplug in guests. + */ + return !hypervisor_is_type(X86_HYPER_NATIVE); } static int __init diff --git a/arch/x86/kernel/cpu/topology.c b/arch/x86/kernel/cpu/topology.c index f55ea3c..23190a7 100644 --- a/arch/x86/kernel/cpu/topology.c +++ b/arch/x86/kernel/cpu/topology.c @@ -27,7 +27,6 @@ #include <xen/xen.h> #include <asm/apic.h> -#include <asm/hypervisor.h> #include <asm/io_apic.h> #include <asm/mpspec.h> #include <asm/msr.h> @@ -236,20 +235,6 @@ static __init void topo_register_apic(u32 apic_id, u32 acpi_id, bool present) cpuid_to_apicid[cpu] = apic_id; topo_set_cpuids(cpu, apic_id, acpi_id); } else { - u32 pkgid = topo_apicid(apic_id, TOPO_PKG_DOMAIN); - - /* - * Check for present APICs in the same package when running - * on bare metal. Allow the bogosity in a guest. - */ - if (hypervisor_is_type(X86_HYPER_NATIVE) && - topo_unit_count(pkgid, TOPO_PKG_DOMAIN, phys_cpu_present_map)) { - pr_info_once("Ignoring hot-pluggable APIC ID %x in present package.\n", - apic_id); - topo_info.nr_rejected_cpus++; - return; - } - topo_info.nr_disabled_cpus++; }

1 week, 2 days

1
0
0 0

[PATCH] erspan: Initialize options_len before referencing options.

by Frode Nordahl

The struct ip_tunnel_info has a flexible array member named options that is protected by a counted_by(options_len) attribute. The compiler will use this information to enforce runtime bounds checking deployed by FORTIFY_SOURCE string helpers. As laid out in the GCC documentation, the counter must be initialized before the first reference to the flexible array member. In the normal case the ip_tunnel_info_opts_set() helper is used which would initialize options_len properly, however in the GRE ERSPAN code a partial update is done, preventing the use of the helper function. Before this change the handling of ERSPAN traffic in GRE tunnels would cause a kernel panic when the kernel is compiled with GCC 15+ and having FORTIFY_SOURCE configured: memcpy: detected buffer overflow: 4 byte write of buffer size 0 Call Trace: <IRQ> __fortify_panic+0xd/0xf erspan_rcv.cold+0x68/0x83 ? ip_route_input_slow+0x816/0x9d0 gre_rcv+0x1b2/0x1c0 gre_rcv+0x8e/0x100 ? raw_v4_input+0x2a0/0x2b0 ip_protocol_deliver_rcu+0x1ea/0x210 ip_local_deliver_finish+0x86/0x110 ip_local_deliver+0x65/0x110 ? ip_rcv_finish_core+0xd6/0x360 ip_rcv+0x186/0x1a0 Link: https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html#index-co… Reported-at: https://launchpad.net/bugs/2129580 Fixes: bb5e62f2d547 ("net: Add options as a flexible array to struct ip_tunnel_info") Signed-off-by: Frode Nordahl <fnordahl(a)ubuntu.com> --- net/ipv4/ip_gre.c | 18 ++++++++++++++++-- net/ipv6/ip6_gre.c | 18 ++++++++++++++++-- 2 files changed, 32 insertions(+), 4 deletions(-) diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c index 761a53c6a89a..285a656c9e41 100644 --- a/net/ipv4/ip_gre.c +++ b/net/ipv4/ip_gre.c @@ -330,6 +330,22 @@ static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi, if (!tun_dst) return PACKET_REJECT; + /* The struct ip_tunnel_info has a flexible array member named + * options that is protected by a counted_by(options_len) + * attribute. + * + * The compiler will use this information to enforce runtime bounds + * checking deployed by FORTIFY_SOURCE string helpers. + * + * As laid out in the GCC documentation, the counter must be + * initialized before the first reference to the flexible array + * member. + * + * Link: https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html#index-co… + */ + info = &tun_dst->u.tun_info; + info->options_len = sizeof(*md); + /* skb can be uncloned in __iptunnel_pull_header, so * old pkt_md is no longer valid and we need to reset * it @@ -344,10 +360,8 @@ static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi, memcpy(md2, pkt_md, ver == 1 ? ERSPAN_V1_MDSIZE : ERSPAN_V2_MDSIZE); - info = &tun_dst->u.tun_info; __set_bit(IP_TUNNEL_ERSPAN_OPT_BIT, info->key.tun_flags); - info->options_len = sizeof(*md); } skb_reset_mac_header(skb); diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c index c82a75510c0e..eb840a11b93b 100644 --- a/net/ipv6/ip6_gre.c +++ b/net/ipv6/ip6_gre.c @@ -535,6 +535,22 @@ static int ip6erspan_rcv(struct sk_buff *skb, if (!tun_dst) return PACKET_REJECT; + /* The struct ip_tunnel_info has a flexible array member named + * options that is protected by a counted_by(options_len) + * attribute. + * + * The compiler will use this information to enforce runtime bounds + * checking deployed by FORTIFY_SOURCE string helpers. + * + * As laid out in the GCC documentation, the counter must be + * initialized before the first reference to the flexible array + * member. + * + * Link: https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html#index-co… + */ + info = &tun_dst->u.tun_info; + info->options_len = sizeof(*md); + /* skb can be uncloned in __iptunnel_pull_header, so * old pkt_md is no longer valid and we need to reset * it @@ -543,7 +559,6 @@ static int ip6erspan_rcv(struct sk_buff *skb, skb_network_header_len(skb); pkt_md = (struct erspan_metadata *)(gh + gre_hdr_len + sizeof(*ershdr)); - info = &tun_dst->u.tun_info; md = ip_tunnel_info_opts(info); md->version = ver; md2 = &md->u.md2; @@ -551,7 +566,6 @@ static int ip6erspan_rcv(struct sk_buff *skb, ERSPAN_V2_MDSIZE); __set_bit(IP_TUNNEL_ERSPAN_OPT_BIT, info->key.tun_flags); - info->options_len = sizeof(*md); ip6_tnl_rcv(tunnel, skb, tpi, tun_dst, log_ecn_error); -- 2.43.0

1 week, 2 days

4
6
0 0

[PATCH 6.12] LoongArch: Add machine_kexec_mask_interrupts() implementation

by Huacai Chen

Commit 863a320dc6fd7c855f47da4b ("LoongArch: Mask all interrupts during kexec/kdump") is backported to LTS branches, but they lack a generic machine_kexec_mask_interrupts() implementation, so add an arch-specific one. Signed-off-by: Tianyang Zhang <zhangtianyang(a)loongson.cn> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- 6.6LTS also need it if commit 863a320dc6fd7c855f47da4b is backported. arch/loongarch/kernel/machine_kexec.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/arch/loongarch/kernel/machine_kexec.c b/arch/loongarch/kernel/machine_kexec.c index 8ef4e4595d61..19bd763263d3 100644 --- a/arch/loongarch/kernel/machine_kexec.c +++ b/arch/loongarch/kernel/machine_kexec.c @@ -136,6 +136,28 @@ void kexec_reboot(void) BUG(); } +static void machine_kexec_mask_interrupts(void) +{ + unsigned int i; + struct irq_desc *desc; + + for_each_irq_desc(i, desc) { + struct irq_chip *chip; + + chip = irq_desc_get_chip(desc); + if (!chip) + continue; + + if (chip->irq_eoi && irqd_irq_inprogress(&desc->irq_data)) + chip->irq_eoi(&desc->irq_data); + + if (chip->irq_mask) + chip->irq_mask(&desc->irq_data); + + if (chip->irq_disable && !irqd_irq_disabled(&desc->irq_data)) + chip->irq_disable(&desc->irq_data); + } +} #ifdef CONFIG_SMP static void kexec_shutdown_secondary(void *regs) -- 2.47.3

1 week, 3 days

2
1
0 0

[PATCH] input: synaptics_i2c - cancel delayed work before freeing device

by Minseong Kim

synaptics_i2c_irq() schedules touch->dwork via mod_delayed_work(). The delayed work performs I2C transactions and may still be running (or get queued) when the device is removed. synaptics_i2c_remove() currently frees 'touch' without canceling touch->dwork. If removal happens while the work is pending/running, the work handler may dereference freed memory, leading to a potential use-after-free. Cancel the delayed work synchronously before unregistering/freeing the device. Fixes: eef3e4cab72e Input: add driver for Synaptics I2C touchpad Reported-by: Minseong Kim <ii4gsp(a)gmail.com> Cc: stable(a)vger.kernel.org Signed-off-by: Minseong Kim <ii4gsp(a)gmail.com> --- drivers/input/mouse/synaptics_i2c.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/input/mouse/synaptics_i2c.c b/drivers/input/mouse/synaptics_i2c.c index a0d707e47d93..fe30bf9aea3a 100644 --- a/drivers/input/mouse/synaptics_i2c.c +++ b/drivers/input/mouse/synaptics_i2c.c @@ -593,6 +593,8 @@ static void synaptics_i2c_remove(struct i2c_client *client) if (!polling_req) free_irq(client->irq, touch); + cancel_delayed_work_sync(&touch->dwork); + input_unregister_device(touch->input); kfree(touch); } -- 2.39.5

1 week, 3 days

3
4
0 0

[PATCH 1/2] scsi: sd: fix write_same(16/10) to enable sector size > PAGE_SIZE

by sw.prabhu6＠gmail.com

From: Swarna Prabhu <sw.prabhu6(a)gmail.com> The WRITE SAME(16) and WRITE SAME(10) scsi commands uses a page from a dedicated mempool('sd_page_pool') for its payload. This pool was initialized to allocate single pages, which was sufficient as long as the device sector size did not exceed the PAGE_SIZE. Given that block layer now supports block size upto 64K ie beyond PAGE_SIZE, adapt sd_set_special_bvec() to accommodate that. With the above fix, enable sector sizes > PAGE_SIZE in scsi sd driver. Cc: stable(a)vger.kernel.org Signed-off-by: Swarna Prabhu <s.prabhu(a)samsung.com> Co-developed-by: Pankaj Raghav <p.raghav(a)samsung.com> Signed-off-by: Pankaj Raghav <p.raghav(a)samsung.com> --- Note: We are allocating pages of order aligned to BLK_MAX_BLOCK_SIZE for the mempool page allocator 'sd_page_pool' all the time. This is because we only know that a bigger sector size device is attached at sd_probe and it might be too late to reallocate mempool with order >0. drivers/scsi/sd.c | 27 +++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c index 0252d3f6bed1..17b5c1589eb2 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c @@ -892,14 +892,24 @@ static void sd_config_discard(struct scsi_disk *sdkp, struct queue_limits *lim, (logical_block_size >> SECTOR_SHIFT); } -static void *sd_set_special_bvec(struct request *rq, unsigned int data_len) +static void *sd_set_special_bvec(struct scsi_cmnd *cmd, unsigned int data_len) { struct page *page; + struct request *rq = scsi_cmd_to_rq(cmd); + struct scsi_device *sdp = cmd->device; + unsigned sector_size = sdp->sector_size; + unsigned int nr_pages = DIV_ROUND_UP(sector_size, PAGE_SIZE); + int n = 0; page = mempool_alloc(sd_page_pool, GFP_ATOMIC); if (!page) return NULL; - clear_highpage(page); + + do { + clear_highpage(page + n); + n++; + } while (n < nr_pages); + bvec_set_page(&rq->special_vec, page, data_len, 0); rq->rq_flags |= RQF_SPECIAL_PAYLOAD; return bvec_virt(&rq->special_vec); @@ -915,7 +925,7 @@ static blk_status_t sd_setup_unmap_cmnd(struct scsi_cmnd *cmd) unsigned int data_len = 24; char *buf; - buf = sd_set_special_bvec(rq, data_len); + buf = sd_set_special_bvec(cmd, data_len); if (!buf) return BLK_STS_RESOURCE; @@ -1004,7 +1014,7 @@ static blk_status_t sd_setup_write_same16_cmnd(struct scsi_cmnd *cmd, u32 nr_blocks = sectors_to_logical(sdp, blk_rq_sectors(rq)); u32 data_len = sdp->sector_size; - if (!sd_set_special_bvec(rq, data_len)) + if (!sd_set_special_bvec(cmd, data_len)) return BLK_STS_RESOURCE; cmd->cmd_len = 16; @@ -1031,7 +1041,7 @@ static blk_status_t sd_setup_write_same10_cmnd(struct scsi_cmnd *cmd, u32 nr_blocks = sectors_to_logical(sdp, blk_rq_sectors(rq)); u32 data_len = sdp->sector_size; - if (!sd_set_special_bvec(rq, data_len)) + if (!sd_set_special_bvec(cmd, data_len)) return BLK_STS_RESOURCE; cmd->cmd_len = 10; @@ -2880,10 +2890,7 @@ sd_read_capacity(struct scsi_disk *sdkp, struct queue_limits *lim, "assuming 512.\n"); } - if (sector_size != 512 && - sector_size != 1024 && - sector_size != 2048 && - sector_size != 4096) { + if (blk_validate_block_size(sector_size)) { sd_printk(KERN_NOTICE, sdkp, "Unsupported sector size %d.\n", sector_size); /* @@ -4368,7 +4375,7 @@ static int __init init_sd(void) if (err) goto err_out; - sd_page_pool = mempool_create_page_pool(SD_MEMPOOL_SIZE, 0); + sd_page_pool = mempool_create_page_pool(SD_MEMPOOL_SIZE, get_order(BLK_MAX_BLOCK_SIZE)); if (!sd_page_pool) { printk(KERN_ERR "sd: can't init discard page pool\n"); err = -ENOMEM; -- 2.51.0

1 week, 3 days

3
3
0 0

[PATCH v2 04/13] KVM: nSVM: Fix consistency checks for NP_ENABLE

by Yosry Ahmed

KVM currenty fails a nested VMRUN and injects VMEXIT_INVALID (aka SVM_EXIT_ERR) if L1 sets NP_ENABLE and the host does not support NPTs. On first glance, it seems like the check should actually be for guest_cpu_cap_has(X86_FEATURE_NPT) instead, as it is possible for the host to support NPTs but the guest CPUID to not advertise it. However, the consistency check is not architectural to begin with. The APM does not mention VMEXIT_INVALID if NP_ENABLE is set on a processor that does not have X86_FEATURE_NPT. Hence, NP_ENABLE should be ignored if X86_FEATURE_NPT is not available for L1. Apart from the consistency check, this is currently the case because NP_ENABLE is actually copied from VMCB01 to VMCB02, not from VMCB12. On the other hand, the APM does mention two other consistency checks for NP_ENABLE, both of which are missing (paraphrased): In Volume #2, 15.25.3 (24593—Rev. 3.42—March 2024): If VMRUN is executed with hCR0.PG cleared to zero and NP_ENABLE set to 1, VMRUN terminates with #VMEXIT(VMEXIT_INVALID) In Volume #2, 15.25.4 (24593—Rev. 3.42—March 2024): When VMRUN is executed with nested paging enabled (NP_ENABLE = 1), the following conditions are considered illegal state combinations, in addition to those mentioned in “Canonicalization and Consistency Checks”: • Any MBZ bit of nCR3 is set. • Any G_PAT.PA field has an unsupported type encoding or any reserved field in G_PAT has a nonzero value. Replace the existing consistency check with consistency checks on hCR0.PG and nCR3. Only perform the consistency checks if L1 has X86_FEATURE_NPT and NP_ENABLE is set in VMCB12. The G_PAT consistency check will be addressed separately. As it is now possible for an L1 to run L2 with NP_ENABLE set but ignored, also check that L1 has X86_FEATURE_NPT in nested_npt_enabled(). Pass L1's CR0 to __nested_vmcb_check_controls(). In nested_vmcb_check_controls(), L1's CR0 is available through kvm_read_cr0(), as vcpu->arch.cr0 is not updated to L2's CR0 until later through nested_vmcb02_prepare_save() -> svm_set_cr0(). In svm_set_nested_state(), L1's CR0 is available in the captured save area, as svm_get_nested_state() captures L1's save area when running L2, and L1's CR0 is stashed in VMCB01 on nested VMRUN (in nested_svm_vmrun()). Fixes: 4b16184c1cca ("KVM: SVM: Initialize Nested Nested MMU context on VMRUN") Cc: stable(a)vger.kernel.org Signed-off-by: Yosry Ahmed <yosry.ahmed(a)linux.dev> --- arch/x86/kvm/svm/nested.c | 21 ++++++++++++++++----- arch/x86/kvm/svm/svm.h | 3 ++- 2 files changed, 18 insertions(+), 6 deletions(-) diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c index 74211c5c68026..87bcc5eff96e8 100644 --- a/arch/x86/kvm/svm/nested.c +++ b/arch/x86/kvm/svm/nested.c @@ -325,7 +325,8 @@ static bool nested_svm_check_bitmap_pa(struct kvm_vcpu *vcpu, u64 pa, u32 size) } static bool __nested_vmcb_check_controls(struct kvm_vcpu *vcpu, - struct vmcb_ctrl_area_cached *control) + struct vmcb_ctrl_area_cached *control, + unsigned long l1_cr0) { if (CC(!vmcb12_is_intercept(control, INTERCEPT_VMRUN))) return false; @@ -333,8 +334,12 @@ static bool __nested_vmcb_check_controls(struct kvm_vcpu *vcpu, if (CC(control->asid == 0)) return false; - if (CC((control->nested_ctl & SVM_NESTED_CTL_NP_ENABLE) && !npt_enabled)) - return false; + if (nested_npt_enabled(to_svm(vcpu))) { + if (CC(!kvm_vcpu_is_legal_gpa(vcpu, control->nested_cr3))) + return false; + if (CC(!(l1_cr0 & X86_CR0_PG))) + return false; + } if (CC(!nested_svm_check_bitmap_pa(vcpu, control->msrpm_base_pa, MSRPM_SIZE))) @@ -400,7 +405,12 @@ static bool nested_vmcb_check_controls(struct kvm_vcpu *vcpu) struct vcpu_svm *svm = to_svm(vcpu); struct vmcb_ctrl_area_cached *ctl = &svm->nested.ctl; - return __nested_vmcb_check_controls(vcpu, ctl); + /* + * Make sure we did not enter guest mode yet, in which case + * kvm_read_cr0() could return L2's CR0. + */ + WARN_ON_ONCE(is_guest_mode(vcpu)); + return __nested_vmcb_check_controls(vcpu, ctl, kvm_read_cr0(vcpu)); } static @@ -1831,7 +1841,8 @@ static int svm_set_nested_state(struct kvm_vcpu *vcpu, ret = -EINVAL; __nested_copy_vmcb_control_to_cache(vcpu, &ctl_cached, ctl); - if (!__nested_vmcb_check_controls(vcpu, &ctl_cached)) + /* 'save' contains L1 state saved from before VMRUN */ + if (!__nested_vmcb_check_controls(vcpu, &ctl_cached, save->cr0)) goto out_free; /* diff --git a/arch/x86/kvm/svm/svm.h b/arch/x86/kvm/svm/svm.h index f6fb70ddf7272..3e805a43ffcdb 100644 --- a/arch/x86/kvm/svm/svm.h +++ b/arch/x86/kvm/svm/svm.h @@ -552,7 +552,8 @@ static inline bool gif_set(struct vcpu_svm *svm) static inline bool nested_npt_enabled(struct vcpu_svm *svm) { - return svm->nested.ctl.nested_ctl & SVM_NESTED_CTL_NP_ENABLE; + return guest_cpu_cap_has(&svm->vcpu, X86_FEATURE_NPT) && + svm->nested.ctl.nested_ctl & SVM_NESTED_CTL_NP_ENABLE; } static inline bool nested_vnmi_enabled(struct vcpu_svm *svm) -- 2.51.2.1041.gc1ab5b90ca-goog

1 week, 3 days

2
9
0 0

[PATCH v2] net: fealnx: fix possible 'card_idx' integer overflow in

by Ilya Krutskih

'card_idx' can be overflowed when fealnx_init_one() will be called more than INT_MAX times. Check before incremention is required. Fixes: 15c037d6423e ("fealnx: Move the Myson driver") Cc: stable(a)vger.kernel.org # v5.10+ Signed-off-by: Ilya Krutskih <devsec(a)tpz.ru> --- drivers/net/ethernet/fealnx.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/fealnx.c b/drivers/net/ethernet/fealnx.c index 6ac8547ef9b8..7eb6e42b4551 100644 --- a/drivers/net/ethernet/fealnx.c +++ b/drivers/net/ethernet/fealnx.c @@ -489,7 +489,10 @@ static int fealnx_init_one(struct pci_dev *pdev, int bar = 1; #endif - card_idx++; + if (card_idx == INT_MAX) + return -EINVAL; + else + card_idx++; sprintf(boardname, "fealnx%d", card_idx); option = card_idx < MAX_UNITS ? options[card_idx] : 0; -- 2.43.0

1 week, 3 days

5
5
0 0

Linux 6.18.1

by Greg Kroah-Hartman

I'm announcing the release of the 6.18.1 kernel. All users of the 6.18 kernel series must upgrade. The updated 6.18.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.18.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/serial/renesas,rsci.yaml | 2 Documentation/process/2.Process.rst | 6 Documentation/tools/rtla/common_appendix.rst | 24 -- Documentation/tools/rtla/common_appendix.txt | 24 ++ Documentation/tools/rtla/common_hist_options.rst | 23 -- Documentation/tools/rtla/common_hist_options.txt | 23 ++ Documentation/tools/rtla/common_options.rst | 119 ------------- Documentation/tools/rtla/common_options.txt | 119 +++++++++++++ Documentation/tools/rtla/common_osnoise_description.rst | 8 Documentation/tools/rtla/common_osnoise_description.txt | 8 Documentation/tools/rtla/common_osnoise_options.rst | 39 ---- Documentation/tools/rtla/common_osnoise_options.txt | 39 ++++ Documentation/tools/rtla/common_timerlat_aa.rst | 7 Documentation/tools/rtla/common_timerlat_aa.txt | 7 Documentation/tools/rtla/common_timerlat_description.rst | 18 - Documentation/tools/rtla/common_timerlat_description.txt | 18 + Documentation/tools/rtla/common_timerlat_options.rst | 67 ------- Documentation/tools/rtla/common_timerlat_options.txt | 67 +++++++ Documentation/tools/rtla/common_top_options.rst | 3 Documentation/tools/rtla/common_top_options.txt | 3 Documentation/tools/rtla/rtla-hwnoise.rst | 8 Documentation/tools/rtla/rtla-osnoise-hist.rst | 10 - Documentation/tools/rtla/rtla-osnoise-top.rst | 10 - Documentation/tools/rtla/rtla-osnoise.rst | 4 Documentation/tools/rtla/rtla-timerlat-hist.rst | 12 - Documentation/tools/rtla/rtla-timerlat-top.rst | 12 - Documentation/tools/rtla/rtla-timerlat.rst | 4 Documentation/tools/rtla/rtla.rst | 2 Makefile | 2 arch/x86/include/asm/kvm_host.h | 9 arch/x86/kvm/svm/svm.c | 24 +- arch/x86/kvm/x86.c | 21 ++ crypto/zstd.c | 7 drivers/android/binder/node.rs | 6 drivers/comedi/comedi_fops.c | 42 +++- drivers/comedi/drivers/c6xdigio.c | 46 +++-- drivers/comedi/drivers/multiq3.c | 9 drivers/comedi/drivers/pcl818.c | 5 drivers/iio/adc/ad4080.c | 9 drivers/net/wireless/realtek/rtl8xxxu/core.c | 3 drivers/net/wireless/realtek/rtw88/rtw8822cu.c | 2 drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 14 - drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 13 - drivers/tty/serial/8250/8250_pci.c | 37 ++++ drivers/tty/serial/sh-sci.c | 12 + drivers/usb/serial/belkin_sa.c | 28 +-- drivers/usb/serial/ftdi_sio.c | 72 ++----- drivers/usb/serial/kobil_sct.c | 18 - drivers/usb/serial/option.c | 22 ++ fs/ext4/inline.c | 14 + fs/jbd2/transaction.c | 19 +- fs/smb/server/transport_ipc.c | 7 kernel/locking/spinlock_debug.c | 4 53 files changed, 650 insertions(+), 481 deletions(-) Alexander Sverdlin (1): locking/spinlock/debug: Fix data-race in do_raw_write_lock Alexey Nepomnyashih (1): ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() Alice Ryhl (1): rust_binder: fix race condition on death_list Antoniu Miclaus (1): iio: adc: ad4080: fix chip identification Bagas Sanjaya (1): Documentation: process: Also mention Sasha Levin as stable tree maintainer Biju Das (2): dt-bindings: serial: rsci: Drop "uart-has-rtscts: false" serial: sh-sci: Fix deadlock during RSCI FIFO overrun error Deepanshu Kartikey (1): ext4: refresh inline data size before write operations Fabio Porcedda (2): USB: serial: option: add Telit Cinterion FE910C04 new compositions USB: serial: option: move Telit 0x10c7 composition in the right place Giovanni Cabiddu (1): crypto: zstd - fix double-free in per-CPU stream cleanup Gopi Krishna Menon (1): Documentation/rtla: rename common_xxx.rst files to common_xxx.txt Greg Kroah-Hartman (1): Linux 6.18.1 Ian Abbott (1): comedi: c6xdigio: Fix invalid PNP driver unregistration Johan Hovold (3): USB: serial: ftdi_sio: match on interface number for jtag USB: serial: belkin_sa: fix TIOCMBIS and TIOCMBIC USB: serial: kobil_sct: fix TIOCMBIS and TIOCMBIC Magne Bruno (1): serial: add support of CPCI cards Navaneeth K (3): staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing Nikita Zhandarovich (3): comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel() comedi: multiq3: sanitize config options in multiq3_attach() comedi: check device's attached status in compat ioctls Omar Sandoval (1): KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced Qianchang Zhao (1): ksmbd: ipc: fix use-after-free in ipc_msg_send_request Slark Xiao (1): USB: serial: option: add Foxconn T99W760 Ye Bin (1): jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted Zenm Chen (2): wifi: rtl8xxxu: Add USB ID 2001:3328 for D-Link AN3U rev. A1 wifi: rtw88: Add USB ID 2001:3329 for D-Link AC13U rev. A1

1 week, 3 days

1
1
0 0

Linux 6.17.12

by Greg Kroah-Hartman

I'm announcing the release of the 6.17.12 kernel. All users of the 6.17 kernel series must upgrade. The updated 6.17.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.17.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/serial/renesas,rsci.yaml | 2 Documentation/process/2.Process.rst | 6 Makefile | 2 arch/arm64/include/asm/alternative.h | 7 arch/arm64/kernel/alternative.c | 19 +- arch/arm64/kernel/module.c | 9 - arch/loongarch/kernel/machine_kexec.c | 2 arch/x86/include/asm/kvm_host.h | 9 + arch/x86/kvm/svm/svm.c | 24 +-- arch/x86/kvm/x86.c | 21 ++ crypto/zstd.c | 7 drivers/acpi/acpi_mrrm.c | 43 ++++- drivers/bluetooth/btrtl.c | 24 +-- drivers/comedi/comedi_fops.c | 42 +++++ drivers/comedi/drivers/c6xdigio.c | 46 ++++-- drivers/comedi/drivers/multiq3.c | 9 + drivers/comedi/drivers/pcl818.c | 5 drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 2 drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c | 12 - drivers/hid/hid-apple.c | 1 drivers/hid/hid-elecom.c | 6 drivers/hid/hid-ids.h | 4 drivers/hid/hid-input.c | 5 drivers/hid/hid-lenovo.c | 17 ++ drivers/hid/hid-quirks.c | 3 drivers/iio/adc/ad4080.c | 9 - drivers/net/wireless/realtek/rtl8xxxu/core.c | 3 drivers/net/wireless/realtek/rtw88/rtw8822cu.c | 2 drivers/nvme/host/core.c | 3 drivers/pinctrl/qcom/pinctrl-msm.c | 2 drivers/platform/x86/acer-wmi.c | 4 drivers/platform/x86/amd/pmc/pmc-quirks.c | 25 +++ drivers/platform/x86/amd/pmc/pmc.c | 3 drivers/platform/x86/amd/pmc/pmc.h | 1 drivers/platform/x86/hp/hp-wmi.c | 6 drivers/platform/x86/huawei-wmi.c | 4 drivers/platform/x86/intel/hid.c | 1 drivers/platform/x86/intel/uncore-frequency/uncore-frequency.c | 4 drivers/spi/spi-imx.c | 15 +- drivers/spi/spi-xilinx.c | 2 drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 14 + drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 13 + drivers/tty/serial/8250/8250_pci.c | 37 +++++ drivers/tty/serial/sh-sci.c | 12 + drivers/usb/serial/belkin_sa.c | 28 ++- drivers/usb/serial/ftdi_sio.c | 72 +++------- drivers/usb/serial/kobil_sct.c | 18 +- drivers/usb/serial/option.c | 22 ++- fs/bfs/inode.c | 19 ++ fs/ext4/inline.c | 14 + fs/jbd2/transaction.c | 19 +- fs/smb/client/fs_context.c | 2 fs/smb/server/transport_ipc.c | 7 kernel/locking/spinlock_debug.c | 4 kernel/sched/ext.c | 4 kernel/trace/ftrace.c | 40 ++++- samples/vfs/test-statx.c | 6 samples/watch_queue/watch_test.c | 6 sound/hda/codecs/realtek/alc269.c | 9 + sound/soc/sdca/sdca_functions.c | 3 sound/usb/quirks.c | 6 61 files changed, 559 insertions(+), 207 deletions(-) Adrian Barnaś (1): arm64: Reject modules with internal alternative callbacks Alexander Sverdlin (1): locking/spinlock/debug: Fix data-race in do_raw_write_lock Alexey Nepomnyashih (1): ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() Alvaro Gamez Machado (1): spi: xilinx: increase number of retries before declaring stall Antheas Kapenekakis (3): platform/x86/amd/pmc: Add support for Van Gogh SoC platform/x86/amd: pmc: Add Lenovo Legion Go 2 to pmc quirk list platform/x86/amd/pmc: Add spurious_8042 to Xbox Ally Antoniu Miclaus (1): iio: adc: ad4080: fix chip identification April Grimoire (1): HID: apple: Add SONiX AK870 PRO to non_apple_keyboards quirk list Armin Wolf (1): platform/x86: acer-wmi: Ignore backlight event Bagas Sanjaya (1): Documentation: process: Also mention Sasha Levin as stable tree maintainer Baojun Xu (1): ALSA: hda/tas2781: Add new quirk for HP new projects Biju Das (2): dt-bindings: serial: rsci: Drop "uart-has-rtscts: false" serial: sh-sci: Fix deadlock during RSCI FIFO overrun error Deepanshu Kartikey (1): ext4: refresh inline data size before write operations Edip Hazuri (1): platform/x86: hp-wmi: mark Victus 16-r0 and 16-s0 for victus_s fan and thermal profile support Fabio Porcedda (2): USB: serial: option: add Telit Cinterion FE910C04 new compositions USB: serial: option: move Telit 0x10c7 composition in the right place Giovanni Cabiddu (1): crypto: zstd - fix double-free in per-CPU stream cleanup Greg Kroah-Hartman (1): Linux 6.17.12 Harish Kasiviswanathan (1): drm/amdkfd: Fix GPU mappings for APU after prefetch Huacai Chen (1): LoongArch: Mask all interrupts during kexec/kdump Ian Abbott (1): comedi: c6xdigio: Fix invalid PNP driver unregistration Ian Forbes (1): drm/vmwgfx: Use kref in vmw_bo_dirty Jia Ston (1): platform/x86: huawei-wmi: add keys for HONOR models Johan Hovold (3): USB: serial: ftdi_sio: match on interface number for jtag USB: serial: belkin_sa: fix TIOCMBIS and TIOCMBIC USB: serial: kobil_sct: fix TIOCMBIS and TIOCMBIC Kaushlendra Kumar (1): ACPI: MRRM: Fix memory leaks and improve error handling Keith Busch (1): nvme: fix admin request_queue lifetime Krishna Chomal (1): platform/x86: hp-wmi: Add Omen 16-wf1xxx fan support Kuppuswamy Sathyanarayanan (1): platform/x86: intel-uncore-freq: Add additional client processors Lauri Tirkkonen (1): HID: lenovo: fixup Lenovo Yoga Slim 7x Keyboard rdesc Linus Torvalds (1): samples: work around glibc redefining some of our defines wrong Lushih Hsieh (1): ALSA: usb-audio: Add native DSD quirks for PureAudio DAC series Magne Bruno (1): serial: add support of CPCI cards Marcos Vega (1): platform/x86: hp-wmi: Add Omen MAX 16-ah0xx fan support and thermal profile Mario Limonciello (AMD) (1): HID: hid-input: Extend Elan ignore battery quirk to USB Max Chou (1): Bluetooth: btrtl: Avoid loading the config file on security chips Naoki Ueki (1): HID: elecom: Add support for ELECOM M-XT3URBK (018F) Navaneeth K (3): staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing Nikita Zhandarovich (3): comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel() comedi: multiq3: sanitize config options in multiq3_attach() comedi: check device's attached status in compat ioctls Niranjan H Y (1): ASoC: SDCA: bug fix while parsing mipi-sdca-control-cn-list Omar Sandoval (1): KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced Praveen Talari (1): pinctrl: qcom: msm: Fix deadlock in pinmux configuration Qianchang Zhao (1): ksmbd: ipc: fix use-after-free in ipc_msg_send_request Robin Gong (1): spi: imx: keep dma request disabled before dma transfer setup Slark Xiao (1): USB: serial: option: add Foxconn T99W760 Song Liu (1): ftrace: bpf: Fix IPMODIFY + DIRECT in modify_ftrace_direct() Srinivas Pandruvada (1): platform/x86/intel/hid: Add Nova Lake support Tetsuo Handa (1): bfs: Reconstruct file type when loading from disk Ye Bin (1): jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted Yiqi Sun (1): smb: fix invalid username check in smb3_fs_context_parse_param() Zenm Chen (2): wifi: rtl8xxxu: Add USB ID 2001:3328 for D-Link AN3U rev. A1 wifi: rtw88: Add USB ID 2001:3329 for D-Link AC13U rev. A1 Zqiang (2): sched_ext: Fix possible deadlock in the deferred_irq_workfn() sched_ext: Use IRQ_WORK_INIT_HARD() to initialize rq->scx.kick_cpus_irq_work

1 week, 3 days

1
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror