- Linux-stable-mirror - lists.linaro.org

[REGRESSION] Brightness control does not work after waking up from suspend

by Fernando Ramos

Commit 73dae652dcac776296890da215ee7dec357a1032 (included in 6.13-rc2) was backported to 6.12.5 as 99a02eab82515343d536796aa917dee50aec1551. This causes a problem where brightness control no longer works after waking up from suspend. This is the output of "journalctl -f" when the issue is triggered: > ... > Dec 25 01:37:00 x395 kernel: usb 4-1: reset full-speed USB device number 2 using xhci_hcd > Dec 25 01:37:00 x395 kernel: amdgpu 0000:05:00.0: amdgpu: ring gfx uses VM inv eng 0 on hub 0 > Dec 25 01:37:00 x395 kernel: amdgpu 0000:05:00.0: amdgpu: ring comp_1.0.0 uses VM inv eng 1 on hub 0 > Dec 25 01:37:00 x395 kernel: amdgpu 0000:05:00.0: amdgpu: ring comp_1.1.0 uses VM inv eng 4 on hub 0 > Dec 25 01:37:00 x395 kernel: amdgpu 0000:05:00.0: amdgpu: ring comp_1.2.0 uses VM inv eng 5 on hub 0 > Dec 25 01:37:00 x395 kernel: amdgpu 0000:05:00.0: amdgpu: ring comp_1.3.0 uses VM inv eng 6 on hub 0 > Dec 25 01:37:00 x395 kernel: amdgpu 0000:05:00.0: amdgpu: ring comp_1.0.1 uses VM inv eng 7 on hub 0 > Dec 25 01:37:00 x395 kernel: amdgpu 0000:05:00.0: amdgpu: ring comp_1.1.1 uses VM inv eng 8 on hub 0 > Dec 25 01:37:00 x395 kernel: amdgpu 0000:05:00.0: amdgpu: ring comp_1.2.1 uses VM inv eng 9 on hub 0 > Dec 25 01:37:00 x395 kernel: amdgpu 0000:05:00.0: amdgpu: ring comp_1.3.1 uses VM inv eng 10 on hub 0 > Dec 25 01:37:00 x395 kernel: amdgpu 0000:05:00.0: amdgpu: ring kiq_0.2.1.0 uses VM inv eng 11 on hub 0 > Dec 25 01:37:00 x395 kernel: amdgpu 0000:05:00.0: amdgpu: ring sdma0 uses VM inv eng 0 on hub 8 > Dec 25 01:37:00 x395 kernel: amdgpu 0000:05:00.0: amdgpu: ring vcn_dec uses VM inv eng 1 on hub 8 > Dec 25 01:37:00 x395 kernel: amdgpu 0000:05:00.0: amdgpu: ring vcn_enc0 uses VM inv eng 4 on hub 8 > Dec 25 01:37:00 x395 kernel: amdgpu 0000:05:00.0: amdgpu: ring vcn_enc1 uses VM inv eng 5 on hub 8 > Dec 25 01:37:00 x395 kernel: amdgpu 0000:05:00.0: amdgpu: ring jpeg_dec uses VM inv eng 6 on hub 8 > Dec 25 01:37:00 x395 kernel: irq 7: nobody cared (try booting with the "irqpoll" option) > Dec 25 01:37:00 x395 kernel: CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.7-rc1-gc157915828d8 #7 14cb019df871d9dae96d82113f6abf187f110b68 > Dec 25 01:37:00 x395 kernel: Hardware name: LENOVO 20NLCTO1WW/20NLCTO1WW, BIOS R13ET50W(1.24 ) 06/11/2021 > Dec 25 01:37:00 x395 kernel: Call Trace: > Dec 25 01:37:00 x395 kernel: <IRQ> > Dec 25 01:37:00 x395 kernel: dump_stack_lvl+0x5d/0x80 > Dec 25 01:37:00 x395 kernel: __report_bad_irq+0x35/0xa7 > Dec 25 01:37:00 x395 kernel: note_interrupt.cold+0xa/0x62 > Dec 25 01:37:00 x395 kernel: handle_irq_event+0x6f/0x80 > Dec 25 01:37:00 x395 kernel: handle_fasteoi_irq+0x78/0x200 > Dec 25 01:37:00 x395 kernel: __common_interrupt+0x3e/0x90 > Dec 25 01:37:00 x395 kernel: common_interrupt+0x42/0xa0 > Dec 25 01:37:00 x395 kernel: asm_common_interrupt+0x26/0x40 > Dec 25 01:37:00 x395 kernel: RIP: 0010:tmigr_handle_remote+0x87/0x470 > Dec 25 01:37:00 x395 kernel: Code: 24 04 00 0f 84 ac 00 00 00 48 b9 ff ff ff ff ff ff ff 7f 41 0f b6 54 24 10 48 89 4c 24 38 88 54 24 48 49 8b 44 24 08 8b 40 50 <0f> b6 c4 38 c2 74 0e 3c ff 74 0a 49 8b 44 24 18 48 39 c8 74 76 48 > Dec 25 01:37:00 x395 kernel: RSP: 0018:ffffafe000003ea8 EFLAGS: 00000202 > Dec 25 01:37:00 x395 kernel: RAX: 000000003de00141 RBX: 0000000000000002 RCX: 7fffffffffffffff > Dec 25 01:37:00 x395 kernel: RDX: 0000000000000001 RSI: ffffafe000003ed8 RDI: ffffafe000003f10 > Dec 25 01:37:00 x395 kernel: RBP: 0000000000000101 R08: f1c92dc141c95fb9 R09: 263db225b099c5f2 > Dec 25 01:37:00 x395 kernel: R10: f1c92dc141c95fb9 R11: 263db225b099c5f2 R12: ffff989030a26300 > Dec 25 01:37:00 x395 kernel: R13: 0000000000000001 R14: 0000000000000282 R15: 0000000000000001 > Dec 25 01:37:00 x395 kernel: ? srso_return_thunk+0x5/0x5f > Dec 25 01:37:00 x395 kernel: ? __run_timers+0x1fc/0x280 > Dec 25 01:37:00 x395 kernel: handle_softirqs+0xe4/0x2a0 > Dec 25 01:37:00 x395 kernel: __irq_exit_rcu+0x97/0xb0 > Dec 25 01:37:00 x395 kernel: sysvec_apic_timer_interrupt+0x71/0x90 > Dec 25 01:37:00 x395 kernel: </IRQ> > Dec 25 01:37:00 x395 kernel: <TASK> > Dec 25 01:37:00 x395 kernel: asm_sysvec_apic_timer_interrupt+0x1a/0x20 > Dec 25 01:37:00 x395 kernel: RIP: 0010:tick_nohz_idle_enter+0x59/0x70 > Dec 25 01:37:00 x395 kernel: Code: 02 00 01 83 45 7c 01 e8 05 c9 fe ff 48 89 85 80 00 00 00 48 83 8b 00 62 02 00 04 83 45 7c 01 e8 3d 93 f8 ff fb 0f 1f 44 00 00 <5b> 5d e9 10 d1 c8 00 0f 0b eb c6 66 66 2e 0f 1f 84 00 00 00 00 00 > Dec 25 01:37:00 x395 kernel: RSP: 0018:ffffffffa1c03e68 EFLAGS: 00000282 > Dec 25 01:37:00 x395 kernel: RAX: 0000000874467ae1 RBX: ffff989030a00000 RCX: 0000000874467ae1 > Dec 25 01:37:00 x395 kernel: RDX: 0000000874467ae1 RSI: 0000000000001d53 RDI: 0000000874467ae1 > Dec 25 01:37:00 x395 kernel: RBP: ffff989030a26200 R08: 0000000000000002 R09: 0000000000000000 > Dec 25 01:37:00 x395 kernel: R10: 0000000000000001 R11: 0000000000000000 R12: ffff98903efc9ff4 > Dec 25 01:37:00 x395 kernel: R13: 0000000000000000 R14: ffffffffa1c10038 R15: 00000000aafaf000 > Dec 25 01:37:00 x395 kernel: ? tick_nohz_idle_enter+0x53/0x70 > Dec 25 01:37:00 x395 kernel: do_idle+0x3f/0x210 > Dec 25 01:37:00 x395 kernel: cpu_startup_entry+0x29/0x30 > Dec 25 01:37:00 x395 kernel: rest_init+0xcc/0xd0 > Dec 25 01:37:00 x395 kernel: start_kernel+0x9be/0x9c0 > Dec 25 01:37:00 x395 kernel: x86_64_start_reservations+0x24/0x30 > Dec 25 01:37:00 x395 kernel: x86_64_start_kernel+0x95/0xa0 > Dec 25 01:37:00 x395 kernel: common_startup_64+0x13e/0x141 > Dec 25 01:37:00 x395 kernel: </TASK> > Dec 25 01:37:00 x395 kernel: handlers: > Dec 25 01:37:00 x395 kernel: [<00000000d69cbeca>] amd_gpio_irq_handler > Dec 25 01:37:00 x395 kernel: Disabling IRQ #7 > Dec 25 01:37:00 x395 kernel: usb 4-2: reset high-speed USB device number 3 using xhci_hcd > Dec 25 01:37:01 x395 kernel: usb 4-2.1: reset high-speed USB device number 4 using xhci_hcd > Dec 25 01:37:01 x395 kernel: OOM killer enabled. > Dec 25 01:37:01 x395 kernel: Restarting tasks ... > Dec 25 01:37:01 x395 kernel: usb 4-2.2: USB disconnect, device number 5 > Dec 25 01:37:01 x395 kernel: done. > ... The problem only happens in the stable branch (v6.12.y) and not in the main branch. More specifically: Version Problem present ================================================================= v6.12.5 Yes !! v6.12.5 + revert 99a02eab No v6.12.7-rc1 (c157915828d) Yes !! v6.12.7-rc1 (c157915828d) + revert 99a02eab No v6.13-rc4 No

10 months, 1 week

2
2
0 0

[PATCH RFT 6/6] serial: sh-sci: Increment the runtime usage counter for the earlycon device

by Claudiu

From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> In the sh-sci driver, serial ports are mapped to the sci_ports[] array, with earlycon mapped at index zero. The uart_add_one_port() function eventually calls __device_attach(), which, in turn, calls pm_request_idle(). The identified code path is as follows: uart_add_one_port() -> serial_ctrl_register_port() -> serial_core_register_port() -> serial_core_port_device_add() -> serial_base_port_add() -> device_add() -> bus_probe_device() -> device_initial_probe() -> __device_attach() -> // ... if (dev->p->dead) { // ... } else if (dev->driver) { // ... } else { // ... pm_request_idle(dev); // ... } The earlycon device clocks are enabled by the bootloader. However, the pm_request_idle() call in __device_attach() disables the SCI port clocks while earlycon is still active. The earlycon write function, serial_console_write(), calls sci_poll_put_char() via serial_console_putchar(). If the SCI port clocks are disabled, writing to earlycon may sometimes cause the SR.TDFE bit to remain unset indefinitely, causing the while loop in sci_poll_put_char() to never exit. On single-core SoCs, this can result in the system being blocked during boot when this issue occurs. To resolve this, increment the runtime PM usage counter for the earlycon SCI device before registering the UART port. Fixes: 0b0cced19ab1 ("serial: sh-sci: Add CONFIG_SERIAL_EARLYCON support") Cc: stable(a)vger.kernel.org Signed-off-by: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> --- drivers/tty/serial/sh-sci.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c index f74eb68774ca..6acdc8588d2d 100644 --- a/drivers/tty/serial/sh-sci.c +++ b/drivers/tty/serial/sh-sci.c @@ -3435,7 +3435,24 @@ static int sci_probe_single(struct platform_device *dev, sciport->port.flags |= UPF_HARD_FLOW; } + /* + * In case: + * - this is the earlycon port (mapped on index 0 in sci_ports[]) and + * - it now maps to an alias other than zero and + * - the earlycon is still alive (e.g., "earlycon keep_bootcon" is + * available in bootargs) + * + * we need to avoid disabling clocks and PM domains through the runtime + * PM APIs called in __device_attach(). For this, increment the runtime + * PM reference counter (the clocks and PM domains were already enabled + * by the bootloader). Otherwise the earlycon may access the HW when it + * has no clocks enabled leading to failures (infinite loop in + * sci_poll_put_char()). + */ + if (sci_ports[0].earlycon && sci_ports[0].port.mapbase == sci_res->start) { + pm_runtime_get_noresume(&dev->dev); + /* * Skip cleanup up the sci_port[0] in early_console_exit(), this * port is the same as the earlycon one. -- 2.39.2

10 months, 1 week

3
3
0 0

[PATCH] blk-crypto: Add check for mempool_alloc()

by Haoxiang Li

Add check for the return value of mempool_alloc() to catch the potential exception and avoid null pointer dereference. Fixes: 488f6682c832 ("block: blk-crypto-fallback for Inline Encryption") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024(a)163.com> --- block/blk-crypto-fallback.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/block/blk-crypto-fallback.c b/block/blk-crypto-fallback.c index 29a205482617..47acd7a48767 100644 --- a/block/blk-crypto-fallback.c +++ b/block/blk-crypto-fallback.c @@ -514,6 +514,12 @@ bool blk_crypto_fallback_bio_prep(struct bio **bio_ptr) * bi_end_io appropriately to trigger decryption when the bio is ended. */ f_ctx = mempool_alloc(bio_fallback_crypt_ctx_pool, GFP_NOIO); + + if (!f_ctx) { + bio->bi_status = BLK_STS_RESOURCE; + return false; + } + f_ctx->crypt_ctx = *bc; f_ctx->crypt_iter = bio->bi_iter; f_ctx->bi_private_orig = bio->bi_private; -- 2.25.1

10 months, 1 week

2
1
0 0

[PATCH] iommu/tegra241-cmdqv: Read SMMU IDR1.CMDQS instead of hardcoding

by Nicolin Chen

The hardware limitation "max=19" actually comes from SMMU Command Queue. So, it'd be more natural for tegra241-cmdqv driver to read it out rather than hardcoding it itself. This is not an issue yet for a kernel on a baremetal system, but a guest kernel setting the queue base/size in form of IPA/gPA might result in a noncontiguous queue in the physical address space, if underlying physical pages backing up the guest RAM aren't contiguous entirely: e.g. 2MB-page backed guest RAM cannot guarantee a contiguous queue if it is 8MB (capped to VCMDQ_LOG2SIZE_MAX=19). This might lead to command errors when HW does linear-read from a noncontiguous queue memory. Adding this extra IDR1.CMDQS cap (in the guest kernel) allows VMM to set SMMU's IDR1.CMDQS=17 for the case mentioned above, so a guest-level queue will be capped to maximum 2MB, ensuring a contiguous queue memory. Fixes: a3799717b881 ("iommu/tegra241-cmdqv: Fix alignment failure at max_n_shift") Reported-by: Ian Kalinowski <ikalinowski(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Nicolin Chen <nicolinc(a)nvidia.com> --- drivers/iommu/arm/arm-smmu-v3/tegra241-cmdqv.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/iommu/arm/arm-smmu-v3/tegra241-cmdqv.c b/drivers/iommu/arm/arm-smmu-v3/tegra241-cmdqv.c index 6e41ddaa24d6..d525ab43a4ae 100644 --- a/drivers/iommu/arm/arm-smmu-v3/tegra241-cmdqv.c +++ b/drivers/iommu/arm/arm-smmu-v3/tegra241-cmdqv.c @@ -79,7 +79,6 @@ #define TEGRA241_VCMDQ_PAGE1(q) (TEGRA241_VCMDQ_PAGE1_BASE + 0x80*(q)) #define VCMDQ_ADDR GENMASK(47, 5) #define VCMDQ_LOG2SIZE GENMASK(4, 0) -#define VCMDQ_LOG2SIZE_MAX 19 #define TEGRA241_VCMDQ_BASE 0x00000 #define TEGRA241_VCMDQ_CONS_INDX_BASE 0x00008 @@ -505,12 +504,15 @@ static int tegra241_vcmdq_alloc_smmu_cmdq(struct tegra241_vcmdq *vcmdq) struct arm_smmu_cmdq *cmdq = &vcmdq->cmdq; struct arm_smmu_queue *q = &cmdq->q; char name[16]; + u32 regval; int ret; snprintf(name, 16, "vcmdq%u", vcmdq->idx); - /* Queue size, capped to ensure natural alignment */ - q->llq.max_n_shift = min_t(u32, CMDQ_MAX_SZ_SHIFT, VCMDQ_LOG2SIZE_MAX); + /* Cap queue size to SMMU's IDR1.CMDQS and ensure natural alignment */ + regval = readl_relaxed(smmu->base + ARM_SMMU_IDR1); + q->llq.max_n_shift = + min_t(u32, CMDQ_MAX_SZ_SHIFT, FIELD_GET(IDR1_CMDQS, regval)); /* Use the common helper to init the VCMDQ, and then... */ ret = arm_smmu_init_one_queue(smmu, q, vcmdq->page0, -- 2.43.0

10 months, 1 week

3
2
0 0

[PATCH 6.6.y] f2fs: fix to wait dio completion

by Alva Lan

From: Chao Yu <chao(a)kernel.org> [ Upstream commit 96cfeb0389530ae32ade8a48ae3ae1ac3b6c009d ] It should wait all existing dio write IOs before block removal, otherwise, previous direct write IO may overwrite data in the block which may be reused by other inode. Cc: stable(a)vger.kernel.org Signed-off-by: Chao Yu <chao(a)kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> [ Resolve line conflicts to make it work on 6.6.y ] Signed-off-by: Alva Lan <alvalan9(a)foxmail.com> --- fs/f2fs/file.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c index 196755a34833..ae129044c52f 100644 --- a/fs/f2fs/file.c +++ b/fs/f2fs/file.c @@ -1037,6 +1037,13 @@ int f2fs_setattr(struct mnt_idmap *idmap, struct dentry *dentry, return err; } + /* + * wait for inflight dio, blocks should be removed after + * IO completion. + */ + if (attr->ia_size < old_size) + inode_dio_wait(inode); + f2fs_down_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]); filemap_invalidate_lock(inode->i_mapping); @@ -1873,6 +1880,12 @@ static long f2fs_fallocate(struct file *file, int mode, if (ret) goto out; + /* + * wait for inflight dio, blocks should be removed after IO + * completion. + */ + inode_dio_wait(inode); + if (mode & FALLOC_FL_PUNCH_HOLE) { if (offset >= inode->i_size) goto out; -- 2.43.0

10 months, 1 week

2
1
0 0

Linux 6.12.8

by Greg Kroah-Hartman

I'm announcing the release of the 6.12.8 kernel. All users of the 6.12 kernel series must upgrade. The updated 6.12.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.12.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/arch/arm64/silicon-errata.rst | 5 Documentation/devicetree/bindings/sound/realtek,rt5645.yaml | 2 Makefile | 2 arch/arm64/boot/dts/broadcom/bcm2712.dtsi | 8 arch/loongarch/include/asm/inst.h | 12 arch/loongarch/kernel/efi.c | 2 arch/loongarch/kernel/inst.c | 2 arch/loongarch/net/bpf_jit.c | 6 arch/powerpc/platforms/book3s/vas-api.c | 36 ++ arch/x86/events/intel/core.c | 12 arch/x86/events/intel/ds.c | 1 arch/x86/events/intel/uncore.c | 1 arch/x86/kernel/cet.c | 30 ++ block/blk-mq.c | 15 - drivers/acpi/arm64/iort.c | 2 drivers/base/regmap/regmap.c | 4 drivers/block/ublk_drv.c | 26 + drivers/block/virtio_blk.c | 7 drivers/bluetooth/btusb.c | 41 +- drivers/dma/amd/qdma/qdma.c | 28 - drivers/dma/apple-admac.c | 7 drivers/dma/at_xdmac.c | 2 drivers/dma/dw/acpi.c | 6 drivers/dma/dw/internal.h | 8 drivers/dma/dw/pci.c | 4 drivers/dma/fsl-edma-common.h | 1 drivers/dma/fsl-edma-main.c | 41 ++ drivers/dma/ls2x-apb-dma.c | 2 drivers/dma/mv_xor.c | 2 drivers/dma/tegra186-gpc-dma.c | 10 drivers/gpu/drm/display/drm_dp_mst_topology.c | 24 + drivers/gpu/drm/xe/xe_devcoredump.c | 69 ++-- drivers/i2c/busses/i2c-imx.c | 1 drivers/i2c/busses/i2c-microchip-corei2c.c | 122 ++++++-- drivers/media/dvb-frontends/dib3000mb.c | 2 drivers/mtd/nand/raw/arasan-nand-controller.c | 11 drivers/mtd/nand/raw/atmel/pmecc.c | 4 drivers/mtd/nand/raw/diskonchip.c | 2 drivers/net/wireless/intel/iwlwifi/iwl-trans.h | 13 drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 28 + drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 2 drivers/pci/msi/irqdomain.c | 7 drivers/pci/msi/msi.c | 4 drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c | 6 drivers/phy/phy-core.c | 21 - drivers/phy/qualcomm/phy-qcom-qmp-usb.c | 2 drivers/phy/rockchip/phy-rockchip-naneng-combphy.c | 2 drivers/phy/rockchip/phy-rockchip-samsung-hdptx.c | 3 drivers/platform/chrome/cros_ec_lpc.c | 4 drivers/platform/x86/asus-nb-wmi.c | 1 drivers/power/supply/bq24190_charger.c | 12 drivers/power/supply/cros_charge-control.c | 36 +- drivers/power/supply/gpio-charger.c | 8 drivers/scsi/megaraid/megaraid_sas_base.c | 5 drivers/scsi/mpi3mr/mpi3mr.h | 9 drivers/scsi/mpi3mr/mpi3mr_app.c | 36 +- drivers/scsi/mpi3mr/mpi3mr_fw.c | 121 +++----- drivers/scsi/mpi3mr/mpi3mr_os.c | 2 drivers/scsi/mpt3sas/mpt3sas_base.c | 7 drivers/scsi/qla1280.h | 12 drivers/scsi/storvsc_drv.c | 7 drivers/spi/spi-intel-pci.c | 2 drivers/spi/spi-omap2-mcspi.c | 6 drivers/virt/coco/tdx-guest/tdx-guest.c | 4 drivers/watchdog/Kconfig | 1 drivers/watchdog/it87_wdt.c | 39 ++ drivers/watchdog/mtk_wdt.c | 6 drivers/watchdog/rzg2l_wdt.c | 20 + drivers/watchdog/s3c2410_wdt.c | 8 fs/btrfs/ctree.c | 11 fs/btrfs/inode.c | 129 ++++++-- fs/btrfs/qgroup.c | 3 fs/btrfs/relocation.c | 6 fs/btrfs/send.c | 6 fs/btrfs/sysfs.c | 6 fs/ceph/file.c | 2 fs/nfsd/export.c | 31 -- fs/nfsd/export.h | 4 fs/nfsd/nfs4callback.c | 4 fs/smb/client/Kconfig | 1 fs/smb/client/smb2pdu.c | 3 fs/smb/server/smb_common.c | 4 fs/udf/namei.c | 16 + include/linux/platform_data/amd_qdma.h | 2 include/linux/sched.h | 3 include/linux/skmsg.h | 11 include/linux/trace_events.h | 2 include/linux/vmstat.h | 2 include/net/sock.h | 10 include/uapi/linux/stddef.h | 13 io_uring/sqpoll.c | 6 kernel/bpf/verifier.c | 18 - kernel/fork.c | 13 kernel/trace/trace.c | 3 kernel/trace/trace_kprobe.c | 2 net/ceph/osd_client.c | 2 net/core/filter.c | 21 + net/core/skmsg.c | 6 net/ipv4/tcp_bpf.c | 6 sound/core/memalloc.c | 2 sound/core/ump.c | 26 + sound/pci/hda/patch_conexant.c | 28 + sound/sh/sh_dac_audio.c | 5 sound/soc/amd/ps/pci-ps.c | 17 + sound/soc/intel/boards/sof_sdw.c | 23 + sound/soc/sof/intel/hda-dai.c | 25 + sound/soc/sof/intel/hda.h | 2 tools/include/uapi/linux/stddef.h | 15 - tools/objtool/noreturns.h | 1 tools/testing/selftests/bpf/progs/dynptr_fail.c | 22 - tools/testing/selftests/bpf/progs/iters_state_safety.c | 14 tools/testing/selftests/bpf/progs/iters_testmod_seq.c | 4 tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c | 2 tools/testing/selftests/bpf/progs/verifier_bits_iter.c | 4 tools/testing/selftests/bpf/trace_helpers.c | 4 tools/tracing/rtla/src/timerlat_hist.c | 177 ++++++------ 116 files changed, 1166 insertions(+), 545 deletions(-) Aapo Vienamo (1): spi: intel: Add Panther Lake SPI controller support Akhil R (1): dmaengine: tegra: Return correct DMA status when paused Alexander Lobakin (1): stddef: make __struct_group() UAPI C++-friendly Andrea Righi (1): bpf: Fix bpf_get_smp_processor_id() on !CONFIG_SMP Andy Shevchenko (1): dmaengine: dw: Select only supported masters for ACPI devices Armin Wolf (1): platform/x86: asus-nb-wmi: Ignore unknown event 0xCF Bart Van Assche (1): mm/vmstat: fix a W=1 clang compiler warning Bharath SM (1): smb: fix bytes written value in /proc/fs/cifs/Stats Binbin Zhou (1): dmaengine: loongson2-apb: Change GENMASK to GENMASK_ULL Boris Burkov (2): btrfs: check folio mapping after unlock in put_file_data() btrfs: check folio mapping after unlock in relocate_one_folio() Brahmajit Das (1): smb: server: Fix building with GCC 15 Carlos Song (1): i2c: imx: add imx7d compatible string for applying erratum ERR007805 Cathy Avery (1): scsi: storvsc: Do not flag MAINTENANCE_IN return of SRB_STATUS_DATA_OVERRUN as an error Chen Ridong (2): dmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset freezer, sched: Report frozen tasks as 'D' instead of 'R' Chen-Yu Tsai (1): ASoC: dt-bindings: realtek,rt5645: Fix CPVDD voltage comment Chris Lu (4): Bluetooth: btusb: mediatek: move Bluetooth power off command position Bluetooth: btusb: mediatek: add callback function in btusb_disconnect Bluetooth: btusb: mediatek: add intf release flow when usb disconnect Bluetooth: btusb: mediatek: change the conditions for ISO interface Christian Göttsche (1): tracing: Constify string literal data member in struct trace_event_call Chukun Pan (1): phy: rockchip: naneng-combphy: fix phy reset Claudiu Beznea (1): watchdog: rzg2l_wdt: Power on the watchdog domain in the restart handler Cong Wang (2): tcp_bpf: Charge receive socket buffer in bpf_tcp_ingress() bpf: Check negative offsets in __bpf_skb_min_len() Conor Dooley (2): i2c: microchip-core: actually use repeated sends i2c: microchip-core: fix "ghost" detections Cristian Ciocaltea (1): phy: rockchip: samsung-hdptx: Set drvdata before enabling runtime PM Dan Carpenter (1): mtd: rawnand: fix double free in atmel_pmecc_create_user() Dimitri Fedrau (1): power: supply: gpio-charger: Fix set charge current limits Dragan Simic (1): smb: client: Deduplicate "select NETFS_SUPPORT" in Kconfig Dustin L. Howett (1): platform/chrome: cros_ec_lpc: fix product identity for early Framework Laptops Emmanuel Grumbach (1): wifi: iwlwifi: be less noisy if the NIC is dead in S3 Fedor Pchelkin (1): ALSA: memalloc: prefer dma_mapping_error() over explicit address checking Filipe Manana (4): btrfs: fix race with memory mapped writes when activating swap file btrfs: avoid monopolizing a core when activating a swap file btrfs: fix swap file activation failure due to extents that used to be shared btrfs: fix use-after-free when COWing tree bock and tracing is enabled Greg Kroah-Hartman (1): Linux 6.12.8 Hans de Goede (1): power: supply: bq24190: Fix BQ24296 Vbus regulator support Haren Myneni (1): powerpc/pseries/vas: Add close() callback in vas_vm_ops struct Huacai Chen (1): LoongArch: Fix reserving screen info memory for above-4G firmware Ilya Dryomov (1): ceph: allocate sparse_ext map only for sparse reads Imre Deak (1): drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req() James Hilliard (1): watchdog: it87_wdt: add PWRGD enable quirk for Qotom QCML04 Jan Kara (2): udf: Skip parent dir link count update if corrupted udf: Verify inode link counts before performing rename Javier Carrasco (1): dmaengine: mv_xor: fix child node refcount handling in early exit Jerome Marchand (1): selftests/bpf: Fix compilation error in get_uprobe_offset() Joe Hattori (1): dmaengine: fsl-edma: implement the cleanup path of fsl_edma3_attach_pd() John Harrison (1): drm/xe: Move the coredump registration to the worker thread Julian Sun (1): btrfs: fix transaction atomicity bug when enabling simple quotas Justin Chen (1): phy: usb: Toggle the PHY power during init Kan Liang (3): perf/x86/intel/uncore: Add Clearwater Forest support perf/x86/intel: Fix bitmask of OCR and FRONTEND events for LNC perf/x86/intel/ds: Add PEBS format 6 Krishna Kurapati (1): phy: qcom-qmp: Fix register name in RX Lane config of SC8280XP Kumar Kartikeya Dwivedi (1): bpf: Zero index arg error string for dynptr and iter Li RongQing (1): virt: tdx-guest: Just leak decrypted memory on unrecoverable errors Lizhi Hou (1): dmaengine: amd: qdma: Remove using the private get and set dma_ops APIs Lizhi Xu (1): tracing: Prevent bad count for tracing_cpumask_write Lorenzo Stoakes (1): fork: avoid inappropriate uprobe access to invalid mm Maciej Andrzejewski (2): mtd: rawnand: arasan: Fix double assertion of chip-select mtd: rawnand: arasan: Fix missing de-registration of NAND Magnus Lindholm (1): scsi: qla1280: Fix hw revision numbering for ISP1020/1040 Mark Brown (1): regmap: Use correct format specifier for logging range errors Masami Hiramatsu (Google) (1): tracing/kprobe: Make trace_kprobe's module callback called after jump_label update Matthew Brost (1): drm/xe: Take PM ref in delayed snapshot capture worker Ming Lei (3): virtio-blk: don't keep queue frozen during system suspend blk-mq: register cpuhp callback after hctx is added to xarray table ublk: detach gendisk from ublk device if add_disk() fails NeilBrown (1): nfsd: restore callback functionality for NFSv4.0 Nikita Zhandarovich (1): media: dvb-frontends: dib3000mb: fix uninit-value in dib3000_write_reg Pavel Begunkov (1): io_uring/sqpoll: fix sqpoll error handling races Peter Griffin (1): Revert "watchdog: s3c2410_wdt: use exynos_get_pmu_regmap_by_phandle() for PMU regs" Peter Ujfalusi (1): ASoC: SOF: Intel: hda-dai: Do not release the link DMA on STOP Purushothama Siddaiah (1): spi: omap2-mcspi: Fix the IS_ERR() bug for devm_clk_get_optional_enabled() Qinxin Xia (1): ACPI/IORT: Add PMCG platform information for HiSilicon HIP09A Qu Wenruo (1): btrfs: sysfs: fix direct super block member reads Ranjan Kumar (5): scsi: mpt3sas: Diag-Reset when Doorbell-In-Use bit is set during driver load time scsi: mpi3mr: Synchronize access to ioctl data buffer scsi: mpi3mr: Fix corrupt config pages PHY state is switched in sysfs scsi: mpi3mr: Start controller indexing from 0 scsi: mpi3mr: Handling of fault code for insufficient power Richard Fitzgerald (2): ASoC: Intel: sof_sdw: Fix DMI match for Lenovo 21QA and 21QB ASoC: Intel: sof_sdw: Fix DMI match for Lenovo 21Q6 and 21Q7 Sasha Finkelstein (1): dmaengine: apple-admac: Avoid accessing registers in probe Takashi Iwai (6): ALSA: ump: Don't open legacy substream for an inactive group ALSA: ump: Indicate the inactive group in legacy substream names ALSA: ump: Update legacy substream names upon FB info update ALSA: sh: Use standard helper for buffer accesses ALSA: ump: Shut up truncated string warning ALSA: sh: Fix wrong argument order for copy_from_iter() Thomas Gleixner (1): PCI/MSI: Handle lack of irqdomain gracefully Thomas Weißschuh (3): power: supply: cros_charge-control: add mutex for driver data power: supply: cros_charge-control: allow start_threshold == end_threshold power: supply: cros_charge-control: hide start threshold on v2 cmd Tiezhu Yang (1): LoongArch: BPF: Adjust the parameter of emit_jirl() Tomas Glozar (1): rtla/timerlat: Fix histogram ALL for zero samples Tomas Henzl (1): scsi: megaraid_sas: Fix for a potential deadlock Venkata Prasad Potturu (1): ASoC: amd: ps: Fix for enabling DMIC on acp63 platform via _DSD entry Willow Cunningham (1): arm64: dts: broadcom: Fix L2 linesize for Raspberry Pi 5 Xin Li (Intel) (1): x86/fred: Clear WFE in missing-ENDBRANCH #CPs Yang Erkun (1): nfsd: Revert "nfsd: release svc_expkey/svc_export with rcu_work" Yassine Oudjana (1): watchdog: mediatek: Add support for MT6735 TOPRGU/WDT Zichen Xie (1): mtd: diskonchip: Cast an operand to prevent potential overflow Zijian Zhang (1): tcp_bpf: Add sk_rmem_alloc related logic for tcp_bpf ingress redirection Zijun Hu (5): phy: core: Fix an OF node refcount leakage in _of_phy_get() phy: core: Fix an OF node refcount leakage in of_phy_provider_lookup() phy: core: Fix that API devm_phy_put() fails to release the phy phy: core: Fix that API devm_of_phy_provider_unregister() fails to unregister the phy provider phy: core: Fix that API devm_phy_destroy() fails to destroy the phy bo liu (1): ALSA: hda/conexant: fix Z60MR100 startup pop issue chenchangcheng (1): objtool: Add bch2_trans_unlocked_error() to bcachefs noreturns

10 months, 1 week

1
1
0 0

Linux 6.6.69

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.69 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/loongarch/include/asm/inst.h | 12 + arch/loongarch/kernel/efi.c | 2 arch/loongarch/kernel/inst.c | 2 arch/loongarch/net/bpf_jit.c | 6 arch/mips/Makefile | 2 arch/mips/include/asm/mipsregs.h | 13 + arch/powerpc/platforms/book3s/vas-api.c | 36 +++++ arch/x86/include/asm/intel-family.h | 87 ++++++++++++ arch/x86/include/asm/processor.h | 20 ++ arch/x86/kernel/cpu/intel.c | 118 ++++++++--------- arch/x86/kernel/cpu/match.c | 3 block/blk-mq.c | 119 +++++++++++++++-- drivers/base/power/domain.c | 1 drivers/base/regmap/regmap.c | 4 drivers/block/virtio_blk.c | 7 - drivers/dma/apple-admac.c | 7 - drivers/dma/at_xdmac.c | 2 drivers/dma/dw/acpi.c | 6 drivers/dma/dw/internal.h | 8 + drivers/dma/dw/pci.c | 4 drivers/dma/fsl-edma-common.h | 1 drivers/dma/fsl-edma-main.c | 41 +++++- drivers/dma/mv_xor.c | 2 drivers/dma/tegra186-gpc-dma.c | 10 + drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c | 22 --- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 2 drivers/gpu/drm/amd/amdgpu/hdp_v4_0.c | 14 +- drivers/gpu/drm/amd/amdgpu/hdp_v5_0.c | 9 - drivers/gpu/drm/amd/amdgpu/hdp_v6_0.c | 8 - drivers/gpu/drm/amd/amdkfd/kfd_crat.c | 28 ++-- drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 15 ++ drivers/gpu/drm/amd/amdkfd/kfd_flat_memory.c | 3 drivers/gpu/drm/amd/amdkfd/kfd_kernel_queue.c | 21 +-- drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.c | 32 ++-- drivers/gpu/drm/amd/amdkfd/kfd_packet_manager.c | 63 ++++++--- drivers/gpu/drm/amd/amdkfd/kfd_process.c | 43 ++---- drivers/gpu/drm/amd/amdkfd/kfd_topology.c | 44 ++---- drivers/gpu/drm/amd/include/kgd_kfd_interface.h | 14 -- drivers/gpu/drm/display/drm_dp_mst_topology.c | 24 ++- drivers/i2c/busses/i2c-imx.c | 1 drivers/i2c/busses/i2c-microchip-corei2c.c | 122 +++++++++++++----- drivers/media/dvb-frontends/dib3000mb.c | 2 drivers/mtd/nand/raw/arasan-nand-controller.c | 11 + drivers/mtd/nand/raw/atmel/pmecc.c | 4 drivers/mtd/nand/raw/diskonchip.c | 2 drivers/pci/msi/irqdomain.c | 7 - drivers/pci/msi/msi.c | 4 drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c | 6 drivers/phy/phy-core.c | 21 +-- drivers/phy/qualcomm/phy-qcom-qmp-usb.c | 2 drivers/phy/rockchip/phy-rockchip-naneng-combphy.c | 2 drivers/platform/x86/asus-nb-wmi.c | 1 drivers/power/supply/gpio-charger.c | 8 + drivers/scsi/megaraid/megaraid_sas_base.c | 5 drivers/scsi/mpt3sas/mpt3sas_base.c | 7 - drivers/scsi/qla1280.h | 12 - drivers/scsi/storvsc_drv.c | 7 - drivers/spi/spi-intel-pci.c | 2 drivers/spi/spi-omap2-mcspi.c | 6 drivers/watchdog/it87_wdt.c | 39 +++++ drivers/watchdog/mtk_wdt.c | 6 fs/btrfs/inode.c | 2 fs/btrfs/sysfs.c | 6 fs/ceph/addr.c | 4 fs/ceph/file.c | 43 +++--- fs/ceph/super.h | 14 ++ fs/nfsd/export.c | 31 ---- fs/nfsd/export.h | 4 fs/nfsd/nfs4callback.c | 4 fs/smb/server/smb_common.c | 4 fs/udf/namei.c | 6 include/linux/ceph/osd_client.h | 7 - include/linux/sched.h | 3 include/linux/sched/task_stack.h | 2 include/linux/skmsg.h | 11 + include/linux/trace_events.h | 2 include/linux/vmstat.h | 2 include/net/sock.h | 10 + include/uapi/linux/stddef.h | 13 + io_uring/sqpoll.c | 6 kernel/trace/trace.c | 3 kernel/trace/trace_kprobe.c | 2 net/ceph/osd_client.c | 2 net/core/filter.c | 21 ++- net/core/skmsg.c | 6 net/ipv4/tcp_bpf.c | 6 sound/pci/hda/patch_conexant.c | 28 ++++ sound/pci/hda/patch_realtek.c | 7 + sound/sh/sh_dac_audio.c | 5 tools/include/uapi/linux/stddef.h | 15 +- 91 files changed, 977 insertions(+), 426 deletions(-) Aapo Vienamo (1): spi: intel: Add Panther Lake SPI controller support Akhil R (1): dmaengine: tegra: Return correct DMA status when paused Alex Deucher (5): drm/amdgpu/hdp4.0: do a posting read when flushing HDP drm/amdgpu/hdp5.0: do a posting read when flushing HDP drm/amdgpu/hdp6.0: do a posting read when flushing HDP drm/amdkfd: reduce stack size in kfd_topology_add_device() drm/amdkfd: drop struct kfd_cu_info Alexander Lobakin (1): stddef: make __struct_group() UAPI C++-friendly Andrew Cooper (1): x86/cpu/intel: Drop stray FAM6 check with new Intel CPU model defines Andy Shevchenko (1): dmaengine: dw: Select only supported masters for ACPI devices Armin Wolf (1): platform/x86: asus-nb-wmi: Ignore unknown event 0xCF Bart Van Assche (1): mm/vmstat: fix a W=1 clang compiler warning Brahmajit Das (1): smb: server: Fix building with GCC 15 Carlos Song (1): i2c: imx: add imx7d compatible string for applying erratum ERR007805 Cathy Avery (1): scsi: storvsc: Do not flag MAINTENANCE_IN return of SRB_STATUS_DATA_OVERRUN as an error Chen Ridong (2): dmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset freezer, sched: Report frozen tasks as 'D' instead of 'R' Chris Chiu (1): ALSA: hda/realtek: fix micmute LEDs don't work on HP Laptops Christian Göttsche (1): tracing: Constify string literal data member in struct trace_event_call Chukun Pan (1): phy: rockchip: naneng-combphy: fix phy reset Colin Ian King (1): ALSA: hda/realtek: Fix spelling mistake "Firelfy" -> "Firefly" Cong Wang (2): tcp_bpf: Charge receive socket buffer in bpf_tcp_ingress() bpf: Check negative offsets in __bpf_skb_min_len() Conor Dooley (2): i2c: microchip-core: actually use repeated sends i2c: microchip-core: fix "ghost" detections Dan Carpenter (1): mtd: rawnand: fix double free in atmel_pmecc_create_user() Dimitri Fedrau (1): power: supply: gpio-charger: Fix set charge current limits Dirk Su (1): ALSA: hda/realtek: fix mute/micmute LEDs don't work for EliteBook X G1i Filipe Manana (1): btrfs: avoid monopolizing a core when activating a swap file Greg Kroah-Hartman (1): Linux 6.6.69 Haren Myneni (1): powerpc/pseries/vas: Add close() callback in vas_vm_ops struct Huacai Chen (1): LoongArch: Fix reserving screen info memory for above-4G firmware Ilya Dryomov (2): ceph: fix memory leak in ceph_direct_read_write() ceph: allocate sparse_ext map only for sparse reads Imre Deak (1): drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req() James Hilliard (1): watchdog: it87_wdt: add PWRGD enable quirk for Qotom QCML04 Jan Kara (1): udf: Skip parent dir link count update if corrupted Javier Carrasco (1): dmaengine: mv_xor: fix child node refcount handling in early exit Jesse.zhang(a)amd.com (1): drm/amdkfd: pause autosuspend when creating pdd Jiaxun Yang (2): MIPS: Probe toolchain support of -msym32 MIPS: mipsregs: Set proper ISA level for virt extensions Joe Hattori (1): dmaengine: fsl-edma: implement the cleanup path of fsl_edma3_attach_pd() Justin Chen (1): phy: usb: Toggle the PHY power during init Krishna Kurapati (1): phy: qcom-qmp: Fix register name in RX Lane config of SC8280XP Len Brown (1): x86/cpu: Add Lunar Lake to list of CPUs with a broken MONITOR implementation Lijo Lazar (1): drm/amdkfd: Use device based logging for errors Lizhi Xu (1): tracing: Prevent bad count for tracing_cpumask_write Maciej Andrzejewski (2): mtd: rawnand: arasan: Fix double assertion of chip-select mtd: rawnand: arasan: Fix missing de-registration of NAND Magnus Lindholm (1): scsi: qla1280: Fix hw revision numbering for ISP1020/1040 Mark Brown (1): regmap: Use correct format specifier for logging range errors Masami Hiramatsu (Google) (1): tracing/kprobe: Make trace_kprobe's module callback called after jump_label update Ming Lei (4): virtio-blk: don't keep queue frozen during system suspend blk-mq: register cpuhp callback after hctx is added to xarray table blk-mq: move cpuhp callback registering out of q->sysfs_lock block: avoid to reuse `hctx` not removed from cpuhp callback list NeilBrown (1): nfsd: restore callback functionality for NFSv4.0 Nikita Zhandarovich (1): media: dvb-frontends: dib3000mb: fix uninit-value in dib3000_write_reg Pavel Begunkov (1): io_uring/sqpoll: fix sqpoll error handling races Purushothama Siddaiah (1): spi: omap2-mcspi: Fix the IS_ERR() bug for devm_clk_get_optional_enabled() Qu Wenruo (1): btrfs: sysfs: fix direct super block member reads Qun-Wei Lin (1): sched/task_stack: fix object_is_on_stack() for KASAN tagged pointers Ranjan Kumar (1): scsi: mpt3sas: Diag-Reset when Doorbell-In-Use bit is set during driver load time Sasha Finkelstein (1): dmaengine: apple-admac: Avoid accessing registers in probe Takashi Iwai (2): ALSA: sh: Use standard helper for buffer accesses ALSA: sh: Fix wrong argument order for copy_from_iter() Thomas Gleixner (1): PCI/MSI: Handle lack of irqdomain gracefully Tiezhu Yang (1): LoongArch: BPF: Adjust the parameter of emit_jirl() Tomas Henzl (1): scsi: megaraid_sas: Fix for a potential deadlock Tony Luck (5): x86/cpu: Add model number for Intel Clearwater Forest processor x86/cpu: Add model number for another Intel Arrow Lake mobile processor x86/cpu/vfm: Add/initialize x86_vfm field to struct cpuinfo_x86 x86/cpu/vfm: Update arch/x86/include/asm/intel-family.h x86/cpu/intel: Switch to new Intel CPU model defines Ulf Hansson (1): pmdomain: core: Add missing put_device() Victor Zhao (1): drm/amd/amdgpu: allow use kiq to do hdp flush under sriov Xiubo Li (1): ceph: try to allocate a smaller extent map for sparse read Yang Erkun (1): nfsd: Revert "nfsd: release svc_expkey/svc_export with rcu_work" Yassine Oudjana (1): watchdog: mediatek: Add support for MT6735 TOPRGU/WDT Zichen Xie (1): mtd: diskonchip: Cast an operand to prevent potential overflow Zijian Zhang (1): tcp_bpf: Add sk_rmem_alloc related logic for tcp_bpf ingress redirection Zijun Hu (5): phy: core: Fix an OF node refcount leakage in _of_phy_get() phy: core: Fix an OF node refcount leakage in of_phy_provider_lookup() phy: core: Fix that API devm_phy_put() fails to release the phy phy: core: Fix that API devm_of_phy_provider_unregister() fails to unregister the phy provider phy: core: Fix that API devm_phy_destroy() fails to destroy the phy bo liu (1): ALSA: hda/conexant: fix Z60MR100 startup pop issue

10 months, 1 week

1
1
0 0

Linux 6.1.123

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.123 kernel. All users of the 6.1 kernel series must upgrade. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/mips/Makefile | 2 arch/mips/include/asm/mipsregs.h | 13 +- arch/powerpc/platforms/book3s/vas-api.c | 36 ++++++ block/blk-mq.c | 15 +- drivers/base/power/domain.c | 1 drivers/base/regmap/regmap.c | 4 drivers/block/virtio_blk.c | 7 - drivers/dma/apple-admac.c | 7 - drivers/dma/at_xdmac.c | 2 drivers/dma/dw/acpi.c | 6 - drivers/dma/dw/internal.h | 8 + drivers/dma/dw/pci.c | 4 drivers/dma/mv_xor.c | 2 drivers/dma/tegra186-gpc-dma.c | 10 + drivers/gpu/drm/display/drm_dp_mst_topology.c | 24 +++- drivers/i2c/busses/i2c-imx.c | 1 drivers/i2c/busses/i2c-microchip-corei2c.c | 122 ++++++++++++++++----- drivers/media/dvb-frontends/dib3000mb.c | 2 drivers/mtd/nand/raw/arasan-nand-controller.c | 11 + drivers/mtd/nand/raw/atmel/pmecc.c | 4 drivers/mtd/nand/raw/diskonchip.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c | 6 + drivers/phy/phy-core.c | 21 ++- drivers/phy/qualcomm/phy-qcom-qmp-usb.c | 2 drivers/phy/rockchip/phy-rockchip-naneng-combphy.c | 2 drivers/platform/x86/asus-nb-wmi.c | 1 drivers/power/supply/gpio-charger.c | 8 + drivers/scsi/megaraid/megaraid_sas_base.c | 5 drivers/scsi/mpt3sas/mpt3sas_base.c | 7 + drivers/scsi/qla1280.h | 12 +- drivers/scsi/storvsc_drv.c | 7 + drivers/watchdog/it87_wdt.c | 39 ++++++ fs/btrfs/inode.c | 2 fs/btrfs/sysfs.c | 6 - fs/nfsd/nfs4callback.c | 4 fs/nfsd/nfs4state.c | 2 fs/smb/server/smb_common.c | 4 include/linux/sched.h | 5 include/linux/skmsg.h | 11 + include/linux/trace_events.h | 2 include/linux/vmstat.h | 2 include/net/sock.h | 10 + include/uapi/linux/stddef.h | 13 +- io_uring/sqpoll.c | 6 + kernel/bpf/syscall.c | 13 +- kernel/rcu/tasks.h | 82 ++++---------- kernel/trace/trace.c | 3 kernel/trace/trace_kprobe.c | 2 mm/vmalloc.c | 6 - net/core/filter.c | 21 ++- net/core/skmsg.c | 6 - net/ipv4/tcp_bpf.c | 6 - sound/pci/hda/patch_conexant.c | 28 ++++ sound/pci/hda/patch_realtek.c | 7 + tools/include/uapi/linux/stddef.h | 15 +- 57 files changed, 471 insertions(+), 184 deletions(-) Akhil R (1): dmaengine: tegra: Return correct DMA status when paused Alexander Lobakin (1): stddef: make __struct_group() UAPI C++-friendly Andy Shevchenko (1): dmaengine: dw: Select only supported masters for ACPI devices Armin Wolf (1): platform/x86: asus-nb-wmi: Ignore unknown event 0xCF Bart Van Assche (1): mm/vmstat: fix a W=1 clang compiler warning Brahmajit Das (1): smb: server: Fix building with GCC 15 Carlos Song (1): i2c: imx: add imx7d compatible string for applying erratum ERR007805 Cathy Avery (1): scsi: storvsc: Do not flag MAINTENANCE_IN return of SRB_STATUS_DATA_OVERRUN as an error Chen Ridong (2): dmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset freezer, sched: Report frozen tasks as 'D' instead of 'R' Chris Chiu (1): ALSA: hda/realtek: fix micmute LEDs don't work on HP Laptops Christian Göttsche (1): tracing: Constify string literal data member in struct trace_event_call Chukun Pan (1): phy: rockchip: naneng-combphy: fix phy reset Colin Ian King (1): ALSA: hda/realtek: Fix spelling mistake "Firelfy" -> "Firefly" Cong Wang (2): tcp_bpf: Charge receive socket buffer in bpf_tcp_ingress() bpf: Check negative offsets in __bpf_skb_min_len() Conor Dooley (2): i2c: microchip-core: actually use repeated sends i2c: microchip-core: fix "ghost" detections Cosmin Ratiu (1): net/mlx5e: Don't call cleanup on profile rollback failure Dan Carpenter (1): mtd: rawnand: fix double free in atmel_pmecc_create_user() Dimitri Fedrau (1): power: supply: gpio-charger: Fix set charge current limits Dirk Su (1): ALSA: hda/realtek: fix mute/micmute LEDs don't work for EliteBook X G1i Filipe Manana (1): btrfs: avoid monopolizing a core when activating a swap file Greg Kroah-Hartman (2): Revert "rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb()" Linux 6.1.123 Haren Myneni (1): powerpc/pseries/vas: Add close() callback in vas_vm_ops struct Hou Tao (1): bpf: Check validity of link->type in bpf_link_show_fdinfo() Imre Deak (1): drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req() James Hilliard (1): watchdog: it87_wdt: add PWRGD enable quirk for Qotom QCML04 Javier Carrasco (1): dmaengine: mv_xor: fix child node refcount handling in early exit Jiaxun Yang (2): MIPS: Probe toolchain support of -msym32 MIPS: mipsregs: Set proper ISA level for virt extensions Justin Chen (1): phy: usb: Toggle the PHY power during init Krishna Kurapati (1): phy: qcom-qmp: Fix register name in RX Lane config of SC8280XP Lizhi Xu (1): tracing: Prevent bad count for tracing_cpumask_write Maciej Andrzejewski (2): mtd: rawnand: arasan: Fix double assertion of chip-select mtd: rawnand: arasan: Fix missing de-registration of NAND Magnus Lindholm (1): scsi: qla1280: Fix hw revision numbering for ISP1020/1040 Mark Brown (1): regmap: Use correct format specifier for logging range errors Masami Hiramatsu (Google) (1): tracing/kprobe: Make trace_kprobe's module callback called after jump_label update Matthew Wilcox (Oracle) (1): vmalloc: fix accounting with i915 Ming Lei (2): virtio-blk: don't keep queue frozen during system suspend blk-mq: register cpuhp callback after hctx is added to xarray table NeilBrown (2): nfsd: restore callback functionality for NFSv4.0 sched/core: Report correct state for TASK_IDLE | TASK_FREEZABLE Nikita Zhandarovich (1): media: dvb-frontends: dib3000mb: fix uninit-value in dib3000_write_reg Pavel Begunkov (1): io_uring/sqpoll: fix sqpoll error handling races Qu Wenruo (1): btrfs: sysfs: fix direct super block member reads Ranjan Kumar (1): scsi: mpt3sas: Diag-Reset when Doorbell-In-Use bit is set during driver load time Sasha Finkelstein (1): dmaengine: apple-admac: Avoid accessing registers in probe Tomas Henzl (1): scsi: megaraid_sas: Fix for a potential deadlock Ulf Hansson (1): pmdomain: core: Add missing put_device() Yang Erkun (1): nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net Zichen Xie (1): mtd: diskonchip: Cast an operand to prevent potential overflow Zijian Zhang (1): tcp_bpf: Add sk_rmem_alloc related logic for tcp_bpf ingress redirection Zijun Hu (5): phy: core: Fix an OF node refcount leakage in _of_phy_get() phy: core: Fix an OF node refcount leakage in of_phy_provider_lookup() phy: core: Fix that API devm_phy_put() fails to release the phy phy: core: Fix that API devm_of_phy_provider_unregister() fails to unregister the phy provider phy: core: Fix that API devm_phy_destroy() fails to destroy the phy bo liu (1): ALSA: hda/conexant: fix Z60MR100 startup pop issue

10 months, 1 week

1
1
0 0

[PATCH 6.1 00/60] 6.1.123-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.123 release. There are 60 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 01 Jan 2025 15:41:48 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.123-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.123-rc1 Colin Ian King <colin.i.king(a)gmail.com> ALSA: hda/realtek: Fix spelling mistake "Firelfy" -> "Firefly" Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb()" Yang Erkun <yangerkun(a)huaweicloud.com> nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net Qu Wenruo <wqu(a)suse.com> btrfs: sysfs: fix direct super block member reads Filipe Manana <fdmanana(a)suse.com> btrfs: avoid monopolizing a core when activating a swap file Dimitri Fedrau <dimitri.fedrau(a)liebherr.com> power: supply: gpio-charger: Fix set charge current limits Conor Dooley <conor.dooley(a)microchip.com> i2c: microchip-core: fix "ghost" detections Carlos Song <carlos.song(a)nxp.com> i2c: imx: add imx7d compatible string for applying erratum ERR007805 Conor Dooley <conor.dooley(a)microchip.com> i2c: microchip-core: actually use repeated sends Pavel Begunkov <asml.silence(a)gmail.com> io_uring/sqpoll: fix sqpoll error handling races Lizhi Xu <lizhi.xu(a)windriver.com> tracing: Prevent bad count for tracing_cpumask_write Christian Göttsche <cgzones(a)googlemail.com> tracing: Constify string literal data member in struct trace_event_call Chen Ridong <chenridong(a)huawei.com> freezer, sched: Report frozen tasks as 'D' instead of 'R' NeilBrown <neilb(a)suse.de> sched/core: Report correct state for TASK_IDLE | TASK_FREEZABLE Ulf Hansson <ulf.hansson(a)linaro.org> pmdomain: core: Add missing put_device() Chris Chiu <chris.chiu(a)canonical.com> ALSA: hda/realtek: fix micmute LEDs don't work on HP Laptops Dirk Su <dirk.su(a)canonical.com> ALSA: hda/realtek: fix mute/micmute LEDs don't work for EliteBook X G1i Hou Tao <houtao1(a)huawei.com> bpf: Check validity of link->type in bpf_link_show_fdinfo() Cosmin Ratiu <cratiu(a)nvidia.com> net/mlx5e: Don't call cleanup on profile rollback failure Jiaxun Yang <jiaxun.yang(a)flygoat.com> MIPS: mipsregs: Set proper ISA level for virt extensions Jiaxun Yang <jiaxun.yang(a)flygoat.com> MIPS: Probe toolchain support of -msym32 Matthew Wilcox (Oracle) <willy(a)infradead.org> vmalloc: fix accounting with i915 Ming Lei <ming.lei(a)redhat.com> blk-mq: register cpuhp callback after hctx is added to xarray table Ming Lei <ming.lei(a)redhat.com> virtio-blk: don't keep queue frozen during system suspend Imre Deak <imre.deak(a)intel.com> drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req() Cathy Avery <cavery(a)redhat.com> scsi: storvsc: Do not flag MAINTENANCE_IN return of SRB_STATUS_DATA_OVERRUN as an error Ranjan Kumar <ranjan.kumar(a)broadcom.com> scsi: mpt3sas: Diag-Reset when Doorbell-In-Use bit is set during driver load time Armin Wolf <W_Armin(a)gmx.de> platform/x86: asus-nb-wmi: Ignore unknown event 0xCF Mark Brown <broonie(a)kernel.org> regmap: Use correct format specifier for logging range errors Brahmajit Das <brahmajit.xyz(a)gmail.com> smb: server: Fix building with GCC 15 bo liu <bo.liu(a)senarytech.com> ALSA: hda/conexant: fix Z60MR100 startup pop issue Tomas Henzl <thenzl(a)redhat.com> scsi: megaraid_sas: Fix for a potential deadlock Magnus Lindholm <linmag7(a)gmail.com> scsi: qla1280: Fix hw revision numbering for ISP1020/1040 James Hilliard <james.hilliard1(a)gmail.com> watchdog: it87_wdt: add PWRGD enable quirk for Qotom QCML04 Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing/kprobe: Make trace_kprobe's module callback called after jump_label update Alexander Lobakin <aleksander.lobakin(a)intel.com> stddef: make __struct_group() UAPI C++-friendly Haren Myneni <haren(a)linux.ibm.com> powerpc/pseries/vas: Add close() callback in vas_vm_ops struct Dan Carpenter <dan.carpenter(a)linaro.org> mtd: rawnand: fix double free in atmel_pmecc_create_user() Chen Ridong <chenridong(a)huawei.com> dmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset Sasha Finkelstein <fnkl.kernel(a)gmail.com> dmaengine: apple-admac: Avoid accessing registers in probe Akhil R <akhilrajeev(a)nvidia.com> dmaengine: tegra: Return correct DMA status when paused Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> dmaengine: dw: Select only supported masters for ACPI devices Javier Carrasco <javier.carrasco.cruz(a)gmail.com> dmaengine: mv_xor: fix child node refcount handling in early exit Chukun Pan <amadeus(a)jmu.edu.cn> phy: rockchip: naneng-combphy: fix phy reset Justin Chen <justin.chen(a)broadcom.com> phy: usb: Toggle the PHY power during init Zijun Hu <quic_zijuhu(a)quicinc.com> phy: core: Fix that API devm_phy_destroy() fails to destroy the phy Zijun Hu <quic_zijuhu(a)quicinc.com> phy: core: Fix that API devm_of_phy_provider_unregister() fails to unregister the phy provider Zijun Hu <quic_zijuhu(a)quicinc.com> phy: core: Fix that API devm_phy_put() fails to release the phy Zijun Hu <quic_zijuhu(a)quicinc.com> phy: core: Fix an OF node refcount leakage in of_phy_provider_lookup() Zijun Hu <quic_zijuhu(a)quicinc.com> phy: core: Fix an OF node refcount leakage in _of_phy_get() Krishna Kurapati <quic_kriskura(a)quicinc.com> phy: qcom-qmp: Fix register name in RX Lane config of SC8280XP Maciej Andrzejewski <maciej.andrzejewski(a)m-works.net> mtd: rawnand: arasan: Fix missing de-registration of NAND Maciej Andrzejewski <maciej.andrzejewski(a)m-works.net> mtd: rawnand: arasan: Fix double assertion of chip-select Zichen Xie <zichenxie0106(a)gmail.com> mtd: diskonchip: Cast an operand to prevent potential overflow NeilBrown <neilb(a)suse.de> nfsd: restore callback functionality for NFSv4.0 Cong Wang <cong.wang(a)bytedance.com> bpf: Check negative offsets in __bpf_skb_min_len() Zijian Zhang <zijianzhang(a)bytedance.com> tcp_bpf: Add sk_rmem_alloc related logic for tcp_bpf ingress redirection Cong Wang <cong.wang(a)bytedance.com> tcp_bpf: Charge receive socket buffer in bpf_tcp_ingress() Bart Van Assche <bvanassche(a)acm.org> mm/vmstat: fix a W=1 clang compiler warning Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> media: dvb-frontends: dib3000mb: fix uninit-value in dib3000_write_reg ------------- Diffstat: Makefile | 4 +- arch/mips/Makefile | 2 +- arch/mips/include/asm/mipsregs.h | 13 ++- arch/powerpc/platforms/book3s/vas-api.c | 36 ++++++ block/blk-mq.c | 15 ++- drivers/base/power/domain.c | 1 + drivers/base/regmap/regmap.c | 4 +- drivers/block/virtio_blk.c | 7 +- drivers/dma/apple-admac.c | 7 +- drivers/dma/at_xdmac.c | 2 + drivers/dma/dw/acpi.c | 6 +- drivers/dma/dw/internal.h | 8 ++ drivers/dma/dw/pci.c | 4 +- drivers/dma/mv_xor.c | 2 + drivers/dma/tegra186-gpc-dma.c | 10 ++ drivers/gpu/drm/display/drm_dp_mst_topology.c | 24 +++- drivers/i2c/busses/i2c-imx.c | 1 + drivers/i2c/busses/i2c-microchip-corei2c.c | 126 ++++++++++++++++----- drivers/media/dvb-frontends/dib3000mb.c | 2 +- drivers/mtd/nand/raw/arasan-nand-controller.c | 11 +- drivers/mtd/nand/raw/atmel/pmecc.c | 4 +- drivers/mtd/nand/raw/diskonchip.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 +- drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c | 6 + drivers/phy/phy-core.c | 21 ++-- drivers/phy/qualcomm/phy-qcom-qmp-usb.c | 2 +- drivers/phy/rockchip/phy-rockchip-naneng-combphy.c | 2 +- drivers/platform/x86/asus-nb-wmi.c | 1 + drivers/power/supply/gpio-charger.c | 8 ++ drivers/scsi/megaraid/megaraid_sas_base.c | 5 +- drivers/scsi/mpt3sas/mpt3sas_base.c | 7 +- drivers/scsi/qla1280.h | 12 +- drivers/scsi/storvsc_drv.c | 7 +- drivers/watchdog/it87_wdt.c | 39 +++++++ fs/btrfs/inode.c | 2 + fs/btrfs/sysfs.c | 6 +- fs/nfsd/nfs4callback.c | 4 +- fs/nfsd/nfs4state.c | 2 +- fs/smb/server/smb_common.c | 4 +- include/linux/sched.h | 5 +- include/linux/skmsg.h | 11 +- include/linux/trace_events.h | 2 +- include/linux/vmstat.h | 2 +- include/net/sock.h | 10 +- include/uapi/linux/stddef.h | 13 ++- io_uring/sqpoll.c | 6 + kernel/bpf/syscall.c | 13 ++- kernel/rcu/tasks.h | 82 +++++--------- kernel/trace/trace.c | 3 + kernel/trace/trace_kprobe.c | 2 +- mm/vmalloc.c | 6 +- net/core/filter.c | 21 +++- net/core/skmsg.c | 6 +- net/ipv4/tcp_bpf.c | 6 +- sound/pci/hda/patch_conexant.c | 28 +++++ sound/pci/hda/patch_realtek.c | 7 ++ tools/include/uapi/linux/stddef.h | 15 ++- 57 files changed, 474 insertions(+), 187 deletions(-)

10 months, 1 week

8
68
0 0

[PATCH v3 1/2] fs/proc: do_task_stat: Fix ESP not readable during coredump

by Nam Cao

The field "eip" (instruction pointer) and "esp" (stack pointer) of a task can be read from /proc/PID/stat. These fields can be interesting for coredump. However, these fields were disabled by commit 0a1eb2d474ed ("fs/proc: Stop reporting eip and esp in /proc/PID/stat"), because it is generally unsafe to do so. But it is safe for a coredumping process, and therefore exceptions were made: - for a coredumping thread by commit fd7d56270b52 ("fs/proc: Report eip/esp in /prod/PID/stat for coredumping"). - for all other threads in a coredumping process by commit cb8f381f1613 ("fs/proc/array.c: allow reporting eip/esp for all coredumping threads"). The above two commits check the PF_DUMPCORE flag to determine a coredump thread and the PF_EXITING flag for the other threads. Unfortunately, commit 92307383082d ("coredump: Don't perform any cleanups before dumping core") moved coredump to happen earlier and before PF_EXITING is set. Thus, checking PF_EXITING is no longer the correct way to determine threads in a coredumping process. Instead of PF_EXITING, use PF_POSTCOREDUMP to determine the other threads. Checking of PF_EXITING was added for coredumping, so it probably can now be removed. But it doesn't hurt to keep. Fixes: 92307383082d ("coredump: Don't perform any cleanups before dumping core") Cc: stable(a)vger.kernel.org Cc: Eric W. Biederman <ebiederm(a)xmission.com> Acked-by: Oleg Nesterov <oleg(a)redhat.com> Acked-by: Kees Cook <kees(a)kernel.org> Signed-off-by: Nam Cao <namcao(a)linutronix.de> --- fs/proc/array.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/proc/array.c b/fs/proc/array.c index 55ed3510d2bb..d6a0369caa93 100644 --- a/fs/proc/array.c +++ b/fs/proc/array.c @@ -500,7 +500,7 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, * a program is not able to use ptrace(2) in that case. It is * safe because the task has stopped executing permanently. */ - if (permitted && (task->flags & (PF_EXITING|PF_DUMPCORE))) { + if (permitted && (task->flags & (PF_EXITING|PF_DUMPCORE|PF_POSTCOREDUMP))) { if (try_get_task_stack(task)) { eip = KSTK_EIP(task); esp = KSTK_ESP(task); -- 2.39.5

10 months, 1 week

1
0
0 0

[PATCH v1] ftrace: Fix function profiler's filtering functionality

by Kohei Enju

From commit c132be2c4fcc ("function_graph: Have the instances use their own ftrace_ops for filtering"), function profiler (enabled via function_profil e_enabled) has been showing statistics for all functions, ignoring set_ftra ce_filter settings. While tracers are instantiated, the function profiler is not. Therefore, it should use the global set_ftrace_filter for consistency. This patch modifies the function profiler to use the global filter, fixing the filtering functionality. Before (filtering not working): ``` root@localhost:~# echo 'vfs*' > /sys/kernel/tracing/set_ftrace_filter root@localhost:~# echo 1 > /sys/kernel/tracing/function_profile_enabled root@localhost:~# sleep 1 root@localhost:~# echo 0 > /sys/kernel/tracing/function_profile_enabled root@localhost:~# head /sys/kernel/tracing/trace_stat/* Function Hit Time Avg s^2 -------- --- ---- --- --- schedule 314 22290594 us 70989.15 us 40372231 us x64_sys_call 1527 8762510 us 5738.382 us 3414354 us schedule_hrtimeout_range 176 8665356 us 49234.98 us 405618876 us __x64_sys_ppoll 324 5656635 us 17458.75 us 19203976 us do_sys_poll 324 5653747 us 17449.83 us 19214945 us schedule_timeout 67 5531396 us 82558.15 us 2136740827 us __x64_sys_pselect6 12 3029540 us 252461.7 us 63296940171 us do_pselect.constprop.0 12 3029532 us 252461.0 us 63296952931 us ``` After (filtering working): ``` root@localhost:~# echo 'vfs*' > /sys/kernel/tracing/set_ftrace_filter root@localhost:~# echo 1 > /sys/kernel/tracing/function_profile_enabled root@localhost:~# sleep 1 root@localhost:~# echo 0 > /sys/kernel/tracing/function_profile_enabled root@localhost:~# head /sys/kernel/tracing/trace_stat/* Function Hit Time Avg s^2 -------- --- ---- --- --- vfs_write 462 68476.43 us 148.217 us 25874.48 us vfs_read 641 9611.356 us 14.994 us 28868.07 us vfs_fstat 890 878.094 us 0.986 us 1.667 us vfs_fstatat 227 757.176 us 3.335 us 18.928 us vfs_statx 226 610.610 us 2.701 us 17.749 us vfs_getattr_nosec 1187 460.919 us 0.388 us 0.326 us vfs_statx_path 297 343.287 us 1.155 us 11.116 us vfs_rename 6 291.575 us 48.595 us 9889.236 us ``` Cc: stable(a)vger.kernel.org Fixes: c132be2c4fcc ("function_graph: Have the instances use their own ftrace_ops for filtering") Signed-off-by: Kohei Enju <enjuk(a)amazon.com> --- kernel/trace/ftrace.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c index 9b17efb1a87d..2e113f8b13a2 100644 --- a/kernel/trace/ftrace.c +++ b/kernel/trace/ftrace.c @@ -902,16 +902,13 @@ static void profile_graph_return(struct ftrace_graph_ret *trace, } static struct fgraph_ops fprofiler_ops = { - .ops = { - .flags = FTRACE_OPS_FL_INITIALIZED, - INIT_OPS_HASH(fprofiler_ops.ops) - }, .entryfunc = &profile_graph_entry, .retfunc = &profile_graph_return, }; static int register_ftrace_profiler(void) { + ftrace_ops_set_global_filter(&fprofiler_ops.ops); return register_ftrace_graph(&fprofiler_ops); } @@ -922,12 +919,11 @@ static void unregister_ftrace_profiler(void) #else static struct ftrace_ops ftrace_profile_ops __read_mostly = { .func = function_profile_call, - .flags = FTRACE_OPS_FL_INITIALIZED, - INIT_OPS_HASH(ftrace_profile_ops) }; static int register_ftrace_profiler(void) { + ftrace_ops_set_global_filter(&ftrace_profile_ops); return register_ftrace_function(&ftrace_profile_ops); } -- 2.39.5 (Apple Git-154)

10 months, 1 week

1
0
0 0

[PATCH v1] ftrace: Fix function profiler's filtering functionality

by Kohei Enju

From commit c132be2c4fcc ("function_graph: Have the instances use their own ftrace_ops for filtering"), function profiler (enabled via function_profil e_enabled) has been showing statistics for all functions, ignoring set_ftra ce_filter settings. While tracers are instantiated, the function profiler is not. Therefore, it should use the global set_ftrace_filter for consistency. This patch modifies the function profiler to use the global filter, fixing the filtering functionality. Before (filtering not working): ``` Function Hit Time Avg s^2 -------- --- ---- --- --- schedule 314 22290594 us 70989.15 us 40372231 us x64_sys_call 1527 8762510 us 5738.382 us 3414354 us schedule_hrtimeout_range 176 8665356 us 49234.98 us 405618876 us __x64_sys_ppoll 324 5656635 us 17458.75 us 19203976 us do_sys_poll 324 5653747 us 17449.83 us 19214945 us schedule_timeout 67 5531396 us 82558.15 us 2136740827 us __x64_sys_pselect6 12 3029540 us 252461.7 us 63296940171 us do_pselect.constprop.0 12 3029532 us 252461.0 us 63296952931 us ``` After (filtering working): ``` Function Hit Time Avg s^2 -------- --- ---- --- --- vfs_write 462 68476.43 us 148.217 us 25874.48 us vfs_read 641 9611.356 us 14.994 us 28868.07 us vfs_fstat 890 878.094 us 0.986 us 1.667 us vfs_fstatat 227 757.176 us 3.335 us 18.928 us vfs_statx 226 610.610 us 2.701 us 17.749 us vfs_getattr_nosec 1187 460.919 us 0.388 us 0.326 us vfs_statx_path 297 343.287 us 1.155 us 11.116 us vfs_rename 6 291.575 us 48.595 us 9889.236 us ``` Cc: stable(a)vger.kernel.org Fixes: c132be2c4fcc ("function_graph: Have the instances use their own ftrace_ops for filtering") Signed-off-by: Kohei Enju <enjuk(a)amazon.com> --- kernel/trace/ftrace.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c index 9b17efb1a87d..2e113f8b13a2 100644 --- a/kernel/trace/ftrace.c +++ b/kernel/trace/ftrace.c @@ -902,16 +902,13 @@ static void profile_graph_return(struct ftrace_graph_ret *trace, } static struct fgraph_ops fprofiler_ops = { - .ops = { - .flags = FTRACE_OPS_FL_INITIALIZED, - INIT_OPS_HASH(fprofiler_ops.ops) - }, .entryfunc = &profile_graph_entry, .retfunc = &profile_graph_return, }; static int register_ftrace_profiler(void) { + ftrace_ops_set_global_filter(&fprofiler_ops.ops); return register_ftrace_graph(&fprofiler_ops); } @@ -922,12 +919,11 @@ static void unregister_ftrace_profiler(void) #else static struct ftrace_ops ftrace_profile_ops __read_mostly = { .func = function_profile_call, - .flags = FTRACE_OPS_FL_INITIALIZED, - INIT_OPS_HASH(ftrace_profile_ops) }; static int register_ftrace_profiler(void) { + ftrace_ops_set_global_filter(&ftrace_profile_ops); return register_ftrace_function(&ftrace_profile_ops); } -- 2.39.5 (Apple Git-154)

10 months, 1 week

1
0
0 0

[PATCH] drm/xe/tracing: Fix a potential TP_printk UAF

by Thomas Hellström

The commit afd2627f727b ("tracing: Check "%s" dereference via the field and not the TP_printk format") exposes potential UAFs in the xe_bo_move trace event. Fix those by avoiding dereferencing the xe_mem_type_to_name[] array at TP_printk time. Since some code refactoring has taken place, explicit backporting may be needed for kernels older than 6.10. Fixes: e46d3f813abd ("drm/xe/trace: Extract bo, vm, vma traces") Cc: Gustavo Sousa <gustavo.sousa(a)intel.com> Cc: Lucas De Marchi <lucas.demarchi(a)intel.com> Cc: Radhakrishna Sripada <radhakrishna.sripada(a)intel.com> Cc: Matt Roper <matthew.d.roper(a)intel.com> Cc: "Thomas Hellström" <thomas.hellstrom(a)linux.intel.com> Cc: Rodrigo Vivi <rodrigo.vivi(a)intel.com> Cc: intel-xe(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v6.11+ Signed-off-by: Thomas Hellström <thomas.hellstrom(a)linux.intel.com> --- drivers/gpu/drm/xe/xe_trace_bo.h | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/gpu/drm/xe/xe_trace_bo.h b/drivers/gpu/drm/xe/xe_trace_bo.h index 1762dd30ba6d..ea50fee50c7d 100644 --- a/drivers/gpu/drm/xe/xe_trace_bo.h +++ b/drivers/gpu/drm/xe/xe_trace_bo.h @@ -60,8 +60,8 @@ TRACE_EVENT(xe_bo_move, TP_STRUCT__entry( __field(struct xe_bo *, bo) __field(size_t, size) - __field(u32, new_placement) - __field(u32, old_placement) + __string(new_placement_name, xe_mem_type_to_name[new_placement]) + __string(old_placement_name, xe_mem_type_to_name[old_placement]) __string(device_id, __dev_name_bo(bo)) __field(bool, move_lacks_source) ), @@ -69,15 +69,15 @@ TRACE_EVENT(xe_bo_move, TP_fast_assign( __entry->bo = bo; __entry->size = bo->size; - __entry->new_placement = new_placement; - __entry->old_placement = old_placement; + __assign_str(new_placement_name); + __assign_str(old_placement_name); __assign_str(device_id); __entry->move_lacks_source = move_lacks_source; ), TP_printk("move_lacks_source:%s, migrate object %p [size %zu] from %s to %s device_id:%s", __entry->move_lacks_source ? "yes" : "no", __entry->bo, __entry->size, - xe_mem_type_to_name[__entry->old_placement], - xe_mem_type_to_name[__entry->new_placement], __get_str(device_id)) + __get_str(old_placement_name), + __get_str(new_placement_name), __get_str(device_id)) ); DECLARE_EVENT_CLASS(xe_vma, -- 2.47.1

10 months, 1 week

4
7
0 0

Linux 6.1.120

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.120 kernel. All users of the 6.1 kernel series must upgrade. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/ABI/testing/sysfs-bus-pci | 11 Documentation/ABI/testing/sysfs-fs-f2fs | 7 Documentation/RCU/stallwarn.rst | 2 Documentation/devicetree/bindings/clock/adi,axi-clkgen.yaml | 22 Documentation/devicetree/bindings/iio/dac/adi,ad3552r.yaml | 2 Documentation/devicetree/bindings/serial/rs485.yaml | 19 Documentation/devicetree/bindings/sound/mt6359.yaml | 10 Documentation/devicetree/bindings/vendor-prefixes.yaml | 2 Documentation/driver-api/fpga/fpga-bridge.rst | 7 Documentation/driver-api/fpga/fpga-mgr.rst | 34 Documentation/filesystems/mount_api.rst | 3 Documentation/locking/seqlock.rst | 2 Documentation/networking/j1939.rst | 2 Makefile | 2 arch/arm/boot/dts/sun9i-a80-cubieboard4.dts | 4 arch/arm/kernel/entry-armv.S | 8 arch/arm/kernel/head.S | 4 arch/arm/kernel/psci_smp.c | 7 arch/arm/mm/idmap.c | 7 arch/arm/mm/ioremap.c | 35 arch/arm64/boot/dts/allwinner/sun50i-a64-pinephone.dtsi | 3 arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 2 arch/arm64/boot/dts/freescale/imx8mp-verdin.dtsi | 2 arch/arm64/boot/dts/mediatek/mt8173-elm-hana.dtsi | 8 arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi-burnet.dts | 3 arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi-cozmo.dts | 2 arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi-damu.dts | 3 arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi-fennel.dtsi | 3 arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi.dtsi | 56 arch/arm64/boot/dts/mediatek/mt8183-kukui-kakadu.dtsi | 4 arch/arm64/boot/dts/mediatek/mt8183-kukui-kodama.dtsi | 4 arch/arm64/boot/dts/mediatek/mt8183-kukui-krane.dtsi | 4 arch/arm64/boot/dts/mediatek/mt8195-cherry.dtsi | 2 arch/arm64/boot/dts/mediatek/mt8195.dtsi | 2 arch/arm64/kernel/fpsimd.c | 1 arch/arm64/kernel/process.c | 2 arch/arm64/kernel/ptrace.c | 6 arch/arm64/kernel/smccc-call.S | 35 arch/arm64/kernel/vmlinux.lds.S | 6 arch/arm64/kvm/arm.c | 2 arch/arm64/kvm/mmio.c | 36 arch/arm64/kvm/pmu-emul.c | 1 arch/arm64/kvm/vgic/vgic-its.c | 32 arch/arm64/kvm/vgic/vgic-mmio-v3.c | 7 arch/arm64/kvm/vgic/vgic.h | 24 arch/arm64/mm/context.c | 4 arch/arm64/net/bpf_jit_comp.c | 47 arch/loongarch/Makefile | 21 arch/loongarch/include/asm/hugetlb.h | 10 arch/loongarch/include/asm/page.h | 5 arch/loongarch/include/asm/percpu.h | 6 arch/loongarch/mm/tlb.c | 2 arch/loongarch/net/bpf_jit.c | 2 arch/loongarch/vdso/Makefile | 2 arch/m68k/coldfire/device.c | 8 arch/m68k/include/asm/mcfgpio.h | 2 arch/m68k/include/asm/mvme147hw.h | 4 arch/m68k/kernel/early_printk.c | 9 arch/m68k/mvme147/config.c | 30 arch/m68k/mvme147/mvme147.h | 6 arch/m68k/mvme16x/config.c | 2 arch/m68k/mvme16x/mvme16x.h | 6 arch/microblaze/kernel/microblaze_ksyms.c | 10 arch/mips/boot/dts/loongson/ls7a-pch.dtsi | 73 arch/mips/include/asm/switch_to.h | 2 arch/parisc/kernel/ftrace.c | 2 arch/powerpc/Kconfig | 4 arch/powerpc/Makefile | 13 arch/powerpc/include/asm/cache.h | 4 arch/powerpc/include/asm/dtl.h | 4 arch/powerpc/include/asm/fadump.h | 7 arch/powerpc/include/asm/page_32.h | 4 arch/powerpc/include/asm/sstep.h | 5 arch/powerpc/include/asm/vdso.h | 1 arch/powerpc/kernel/fadump.c | 23 arch/powerpc/kernel/prom_init.c | 29 arch/powerpc/kernel/setup-common.c | 6 arch/powerpc/kernel/setup_64.c | 1 arch/powerpc/kernel/vdso/Makefile | 57 arch/powerpc/kexec/file_load_64.c | 9 arch/powerpc/kvm/book3s_hv.c | 10 arch/powerpc/kvm/book3s_hv_nested.c | 14 arch/powerpc/lib/sstep.c | 12 arch/powerpc/mm/fault.c | 10 arch/powerpc/platforms/pseries/dtl.c | 8 arch/powerpc/platforms/pseries/lpar.c | 8 arch/s390/kernel/entry.S | 4 arch/s390/kernel/kprobes.c | 6 arch/s390/kernel/perf_cpum_sf.c | 4 arch/s390/kernel/syscalls/Makefile | 2 arch/sh/kernel/cpu/proc.c | 2 arch/um/drivers/net_kern.c | 2 arch/um/drivers/ubd_kern.c | 2 arch/um/drivers/vector_kern.c | 3 arch/um/kernel/physmem.c | 6 arch/um/kernel/process.c | 2 arch/um/kernel/sysrq.c | 2 arch/x86/crypto/aegis128-aesni-asm.S | 29 arch/x86/events/amd/core.c | 10 arch/x86/events/intel/core.c | 34 arch/x86/events/intel/pt.c | 11 arch/x86/events/intel/pt.h | 2 arch/x86/include/asm/amd_nb.h | 5 arch/x86/include/asm/barrier.h | 18 arch/x86/include/asm/cpufeatures.h | 1 arch/x86/include/asm/processor.h | 18 arch/x86/kernel/cpu/amd.c | 3 arch/x86/kernel/cpu/common.c | 7 arch/x86/kernel/cpu/hygon.c | 3 arch/x86/kvm/mmu/mmu.c | 5 arch/x86/kvm/mmu/paging_tmpl.h | 5 arch/x86/kvm/mmu/spte.c | 18 arch/x86/pci/acpi.c | 119 block/blk-merge.c | 10 block/blk-mq.c | 6 block/blk-mq.h | 13 crypto/api.c | 63 crypto/internal.h | 8 crypto/pcrypt.c | 12 drivers/acpi/arm64/gtdt.c | 2 drivers/acpi/cppc_acpi.c | 1 drivers/base/bus.c | 2 drivers/base/core.c | 69 drivers/base/property.c | 6 drivers/base/regmap/regmap-irq.c | 4 drivers/base/regmap/regmap.c | 12 drivers/block/brd.c | 66 drivers/block/ublk_drv.c | 17 drivers/block/virtio_blk.c | 46 drivers/bluetooth/btusb.c | 2 drivers/clk/clk-apple-nco.c | 3 drivers/clk/clk-axi-clkgen.c | 22 drivers/clk/imx/clk-fracn-gppll.c | 10 drivers/clk/imx/clk-lpcg-scu.c | 37 drivers/clk/imx/clk-scu.c | 2 drivers/clk/qcom/gcc-qcs404.c | 1 drivers/clk/renesas/rzg2l-cpg.c | 11 drivers/clk/sunxi-ng/ccu-sun20i-d1.c | 2 drivers/clocksource/Kconfig | 3 drivers/clocksource/timer-ti-dm-systimer.c | 4 drivers/comedi/comedi_fops.c | 12 drivers/counter/stm32-timer-cnt.c | 16 drivers/counter/ti-ecap-capture.c | 7 drivers/cpufreq/cppc_cpufreq.c | 6 drivers/cpufreq/loongson2_cpufreq.c | 4 drivers/cpufreq/mediatek-cpufreq-hw.c | 2 drivers/crypto/bcm/cipher.c | 5 drivers/crypto/caam/caampkc.c | 11 drivers/crypto/caam/qi.c | 2 drivers/crypto/cavium/cpt/cptpf_main.c | 6 drivers/crypto/hisilicon/hpre/hpre_main.c | 35 drivers/crypto/hisilicon/qm.c | 47 drivers/crypto/hisilicon/sec2/sec_main.c | 35 drivers/crypto/hisilicon/zip/zip_main.c | 35 drivers/crypto/inside-secure/safexcel_hash.c | 2 drivers/crypto/qat/qat_common/adf_hw_arbiter.c | 4 drivers/dax/pmem/Makefile | 7 drivers/dax/pmem/pmem.c | 10 drivers/dma-buf/dma-fence-array.c | 28 drivers/dma-buf/dma-fence-unwrap.c | 126 drivers/edac/bluefield_edac.c | 2 drivers/edac/fsl_ddr_edac.c | 22 drivers/edac/igen6_edac.c | 2 drivers/firmware/arm_scpi.c | 3 drivers/firmware/efi/tpm.c | 17 drivers/firmware/google/gsmi.c | 6 drivers/firmware/smccc/smccc.c | 4 drivers/fpga/fpga-bridge.c | 57 drivers/fpga/fpga-mgr.c | 82 drivers/gpio/gpio-exar.c | 10 drivers/gpio/gpio-grgpio.c | 26 drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 1 drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 48 drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 5 drivers/gpu/drm/amd/amdgpu/hdp_v5_2.c | 6 drivers/gpu/drm/amd/amdgpu/vega20_ih.c | 27 drivers/gpu/drm/amd/amdkfd/kfd_process.c | 5 drivers/gpu/drm/amd/display/dc/bios/bios_parser.c | 14 drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c | 3 drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c | 7 drivers/gpu/drm/amd/display/dc/dcn32/dcn32_hwseq.c | 11 drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c | 3 drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20.c | 2 drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c | 7 drivers/gpu/drm/amd/display/dc/dml/dml1_display_rq_dlg_calc.c | 2 drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c | 2 drivers/gpu/drm/bridge/analogix/anx7625.c | 2 drivers/gpu/drm/bridge/ite-it6505.c | 11 drivers/gpu/drm/bridge/tc358767.c | 7 drivers/gpu/drm/display/drm_dp_dual_mode_helper.c | 4 drivers/gpu/drm/display/drm_dp_mst_topology.c | 55 drivers/gpu/drm/drm_mm.c | 2 drivers/gpu/drm/drm_panel_orientation_quirks.c | 19 drivers/gpu/drm/etnaviv/etnaviv_buffer.c | 3 drivers/gpu/drm/etnaviv/etnaviv_drv.c | 10 drivers/gpu/drm/etnaviv/etnaviv_dump.c | 7 drivers/gpu/drm/etnaviv/etnaviv_gpu.c | 48 drivers/gpu/drm/etnaviv/etnaviv_gpu.h | 21 drivers/gpu/drm/fsl-dcu/Kconfig | 1 drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c | 15 drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.h | 3 drivers/gpu/drm/imx/dcss/dcss-crtc.c | 6 drivers/gpu/drm/imx/ipuv3-crtc.c | 6 drivers/gpu/drm/mcde/mcde_drv.c | 1 drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 4 drivers/gpu/drm/msm/adreno/a6xx_gpu.c | 2 drivers/gpu/drm/msm/disp/dpu1/dpu_core_perf.c | 2 drivers/gpu/drm/msm/msm_debugfs.c | 12 drivers/gpu/drm/msm/msm_drv.h | 9 drivers/gpu/drm/msm/msm_gpu.h | 15 drivers/gpu/drm/msm/msm_gpu_devfreq.c | 148 drivers/gpu/drm/omapdrm/dss/base.c | 25 drivers/gpu/drm/omapdrm/dss/omapdss.h | 3 drivers/gpu/drm/omapdrm/omap_drv.c | 4 drivers/gpu/drm/omapdrm/omap_gem.c | 10 drivers/gpu/drm/panel/panel-simple.c | 28 drivers/gpu/drm/panfrost/panfrost_gpu.c | 1 drivers/gpu/drm/radeon/r600_cs.c | 2 drivers/gpu/drm/scheduler/sched_main.c | 8 drivers/gpu/drm/sti/sti_cursor.c | 3 drivers/gpu/drm/sti/sti_gdp.c | 3 drivers/gpu/drm/sti/sti_hqvdp.c | 3 drivers/gpu/drm/sti/sti_mixer.c | 2 drivers/gpu/drm/ttm/ttm_bo_util.c | 13 drivers/gpu/drm/ttm/ttm_tt.c | 12 drivers/gpu/drm/v3d/v3d_mmu.c | 29 drivers/gpu/drm/v3d/v3d_perfmon.c | 2 drivers/gpu/drm/vc4/vc4_drv.h | 1 drivers/gpu/drm/vc4/vc4_hdmi.c | 6 drivers/gpu/drm/vc4/vc4_hvs.c | 31 drivers/hid/hid-ids.h | 1 drivers/hid/hid-magicmouse.c | 56 drivers/hid/wacom_sys.c | 3 drivers/hid/wacom_wac.c | 4 drivers/hwmon/nct6775-core.c | 7 drivers/hwmon/tps23861.c | 2 drivers/i3c/master.c | 201 drivers/i3c/master/dw-i3c-master.c | 5 drivers/i3c/master/i3c-master-cdns.c | 5 drivers/i3c/master/mipi-i3c-hci/core.c | 4 drivers/i3c/master/mipi-i3c-hci/dma.c | 2 drivers/i3c/master/svc-i3c-master.c | 148 drivers/iio/adc/ad7780.c | 2 drivers/iio/adc/ad7923.c | 4 drivers/iio/inkern.c | 2 drivers/iio/light/al3010.c | 11 drivers/iio/light/ltr501.c | 2 drivers/iio/magnetometer/yamaha-yas530.c | 13 drivers/infiniband/hw/bnxt_re/ib_verbs.c | 7 drivers/infiniband/hw/bnxt_re/qplib_fp.h | 2 drivers/infiniband/hw/hns/hns_roce_cq.c | 4 drivers/infiniband/hw/hns/hns_roce_device.h | 1 drivers/infiniband/hw/hns/hns_roce_hem.c | 76 drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 172 drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 6 drivers/infiniband/hw/hns/hns_roce_mr.c | 11 drivers/infiniband/hw/hns/hns_roce_qp.c | 54 drivers/infiniband/hw/hns/hns_roce_srq.c | 4 drivers/iommu/arm/arm-smmu/arm-smmu.c | 11 drivers/iommu/intel/iommu.c | 40 drivers/iommu/io-pgtable-arm.c | 18 drivers/leds/flash/leds-mt6360.c | 3 drivers/leds/led-class.c | 14 drivers/leds/leds-lp55xx-common.c | 3 drivers/mailbox/arm_mhuv2.c | 8 drivers/mailbox/mtk-cmdq-mailbox.c | 12 drivers/md/bcache/closure.c | 10 drivers/md/bcache/super.c | 2 drivers/md/dm-thin.c | 1 drivers/media/dvb-frontends/ts2020.c | 8 drivers/media/i2c/adv7604.c | 5 drivers/media/i2c/adv7842.c | 13 drivers/media/i2c/dw9768.c | 10 drivers/media/i2c/tc358743.c | 4 drivers/media/platform/allegro-dvt/allegro-core.c | 4 drivers/media/platform/amphion/vpu_drv.c | 2 drivers/media/platform/amphion/vpu_v4l2.c | 2 drivers/media/platform/aspeed/aspeed-video.c | 4 drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c | 4 drivers/media/platform/qcom/venus/core.c | 2 drivers/media/platform/qcom/venus/core.h | 11 drivers/media/platform/qcom/venus/vdec.c | 4 drivers/media/platform/qcom/venus/venc.c | 72 drivers/media/platform/samsung/exynos4-is/media-dev.h | 5 drivers/media/radio/wl128x/fmdrv_common.c | 3 drivers/media/test-drivers/vivid/vivid-vid-cap.c | 15 drivers/media/usb/cx231xx/cx231xx-cards.c | 2 drivers/media/usb/gspca/ov534.c | 2 drivers/media/usb/uvc/uvc_driver.c | 113 drivers/media/v4l2-core/v4l2-dv-timings.c | 132 drivers/memory/renesas-rpc-if.c | 42 drivers/message/fusion/mptsas.c | 4 drivers/mfd/da9052-spi.c | 2 drivers/mfd/intel_soc_pmic_bxtwc.c | 126 drivers/mfd/rt5033.c | 4 drivers/mfd/tps65010.c | 8 drivers/misc/apds990x.c | 12 drivers/misc/eeprom/eeprom_93cx6.c | 10 drivers/mmc/core/bus.c | 2 drivers/mmc/core/card.h | 7 drivers/mmc/core/core.c | 3 drivers/mmc/core/quirks.h | 9 drivers/mmc/core/sd.c | 2 drivers/mmc/host/mmc_spi.c | 9 drivers/mmc/host/mtk-sd.c | 9 drivers/mmc/host/sdhci-pci-core.c | 72 drivers/mmc/host/sdhci-pci.h | 1 drivers/mtd/hyperbus/rpc-if.c | 31 drivers/mtd/nand/raw/atmel/pmecc.c | 8 drivers/mtd/nand/raw/atmel/pmecc.h | 2 drivers/mtd/spi-nor/core.c | 2 drivers/mtd/ubi/attach.c | 12 drivers/mtd/ubi/fastmap-wl.c | 19 drivers/mtd/ubi/wl.c | 11 drivers/mtd/ubi/wl.h | 3 drivers/net/can/c_can/c_can_main.c | 26 drivers/net/can/dev/dev.c | 2 drivers/net/can/ifi_canfd/ifi_canfd.c | 58 drivers/net/can/m_can/m_can.c | 33 drivers/net/can/sja1000/sja1000.c | 67 drivers/net/can/spi/hi311x.c | 50 drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c | 29 drivers/net/can/sun4i_can.c | 22 drivers/net/can/usb/ems_usb.c | 58 drivers/net/can/usb/gs_usb.c | 104 drivers/net/dsa/qca/qca8k-8xxx.c | 2 drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 9 drivers/net/ethernet/broadcom/bnxt/bnxt.c | 8 drivers/net/ethernet/broadcom/tg3.c | 3 drivers/net/ethernet/cavium/liquidio/lio_main.c | 11 drivers/net/ethernet/chelsio/cxgb4/cxgb4_ptp.c | 13 drivers/net/ethernet/freescale/fec_mpc52xx_phy.c | 2 drivers/net/ethernet/freescale/fec_ptp.c | 13 drivers/net/ethernet/freescale/fs_enet/mii-bitbang.c | 2 drivers/net/ethernet/google/gve/gve_main.c | 7 drivers/net/ethernet/google/gve/gve_rx.c | 4 drivers/net/ethernet/google/gve/gve_tx.c | 4 drivers/net/ethernet/intel/igb/igb_main.c | 4 drivers/net/ethernet/intel/ixgbe/ixgbe_common.h | 2 drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c | 2 drivers/net/ethernet/intel/ixgbevf/ipsec.c | 1 drivers/net/ethernet/marvell/octeontx2/af/rpm.c | 2 drivers/net/ethernet/marvell/octeontx2/nic/cn10k.c | 5 drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c | 4 drivers/net/ethernet/marvell/octeontx2/nic/otx2_dcbnl.c | 5 drivers/net/ethernet/marvell/octeontx2/nic/otx2_dmac_flt.c | 9 drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c | 10 drivers/net/ethernet/marvell/octeontx2/nic/otx2_flows.c | 10 drivers/net/ethernet/marvell/pxa168_eth.c | 14 drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c | 13 drivers/net/ethernet/mellanox/mlxsw/spectrum.h | 1 drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c | 5 drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c | 4 drivers/net/ethernet/qlogic/qed/qed_mcp.c | 4 drivers/net/ethernet/qlogic/qede/qede_ptp.c | 13 drivers/net/ethernet/realtek/r8169_main.c | 14 drivers/net/ethernet/rocker/rocker_main.c | 2 drivers/net/ethernet/sfc/ptp.c | 7 drivers/net/ethernet/sfc/siena/ptp.c | 7 drivers/net/ethernet/stmicro/stmmac/dwmac-socfpga.c | 2 drivers/net/ethernet/ti/am65-cpts.c | 5 drivers/net/geneve.c | 2 drivers/net/mdio/mdio-ipq4019.c | 5 drivers/net/netdevsim/ipsec.c | 11 drivers/net/phy/sfp.c | 3 drivers/net/usb/lan78xx.c | 40 drivers/net/usb/qmi_wwan.c | 1 drivers/net/usb/r8152.c | 1 drivers/net/veth.c | 44 drivers/net/vrf.c | 24 drivers/net/wireless/ath/ath10k/mac.c | 4 drivers/net/wireless/ath/ath5k/pci.c | 2 drivers/net/wireless/ath/ath9k/htc_hst.c | 3 drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 2 drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 3 drivers/net/wireless/intel/ipw2x00/libipw_rx.c | 8 drivers/net/wireless/intel/iwlwifi/fw/init.c | 4 drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 2 drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 12 drivers/net/wireless/intersil/p54/p54spi.c | 4 drivers/net/wireless/marvell/mwifiex/fw.h | 2 drivers/net/wireless/marvell/mwifiex/main.c | 4 drivers/net/wireless/realtek/rtlwifi/efuse.c | 11 drivers/net/wireless/realtek/rtw89/mac80211.c | 4 drivers/net/wireless/realtek/rtw89/util.h | 18 drivers/net/wireless/silabs/wfx/main.c | 17 drivers/nvdimm/dax_devs.c | 4 drivers/nvdimm/nd.h | 7 drivers/nvme/host/pci.c | 55 drivers/pci/controller/dwc/pci-keystone.c | 12 drivers/pci/controller/pcie-rockchip-ep.c | 16 drivers/pci/controller/pcie-rockchip.h | 4 drivers/pci/endpoint/pci-epc-core.c | 13 drivers/pci/hotplug/cpqphp_pci.c | 19 drivers/pci/pci-sysfs.c | 26 drivers/pci/pci.c | 7 drivers/pci/pci.h | 1 drivers/pci/probe.c | 30 drivers/pci/quirks.c | 15 drivers/pci/slot.c | 4 drivers/perf/arm-cmn.c | 4 drivers/perf/arm_smmuv3_pmu.c | 19 drivers/pinctrl/freescale/Kconfig | 2 drivers/pinctrl/pinctrl-k210.c | 2 drivers/pinctrl/pinctrl-zynqmp.c | 1 drivers/pinctrl/qcom/pinctrl-spmi-gpio.c | 4 drivers/pinctrl/qcom/pinctrl-spmi-mpp.c | 1 drivers/platform/chrome/cros_ec_typec.c | 1 drivers/platform/x86/dell/dell-smbios-base.c | 1 drivers/platform/x86/dell/dell-wmi-base.c | 6 drivers/platform/x86/intel/bxtwc_tmu.c | 22 drivers/platform/x86/panasonic-laptop.c | 10 drivers/platform/x86/thinkpad_acpi.c | 28 drivers/power/supply/bq27xxx_battery.c | 37 drivers/power/supply/power_supply_core.c | 2 drivers/ptp/ptp_clock.c | 3 drivers/ptp/ptp_dte.c | 5 drivers/pwm/pwm-imx27.c | 98 drivers/regulator/rk808-regulator.c | 2 drivers/remoteproc/qcom_q6v5_mss.c | 6 drivers/remoteproc/qcom_q6v5_pas.c | 44 drivers/rpmsg/qcom_glink_native.c | 101 drivers/rtc/interface.c | 7 drivers/rtc/rtc-ab-eoz9.c | 7 drivers/rtc/rtc-abx80x.c | 2 drivers/rtc/rtc-cmos.c | 31 drivers/rtc/rtc-rzn1.c | 8 drivers/rtc/rtc-st-lpc.c | 5 drivers/s390/cio/cio.c | 6 drivers/s390/cio/device.c | 18 drivers/scsi/bfa/bfad.c | 3 drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 1 drivers/scsi/lpfc/lpfc_hbadisc.c | 3 drivers/scsi/lpfc/lpfc_scsi.c | 13 drivers/scsi/lpfc/lpfc_sli.c | 11 drivers/scsi/qedf/qedf_main.c | 1 drivers/scsi/qedi/qedi_main.c | 1 drivers/scsi/qla2xxx/qla_attr.c | 1 drivers/scsi/qla2xxx/qla_bsg.c | 124 drivers/scsi/qla2xxx/qla_mid.c | 1 drivers/scsi/qla2xxx/qla_os.c | 15 drivers/scsi/scsi_debug.c | 2 drivers/scsi/st.c | 31 drivers/sh/intc/core.c | 2 drivers/soc/fsl/rcpm.c | 1 drivers/soc/imx/soc-imx8m.c | 107 drivers/soc/qcom/qcom-geni-se.c | 3 drivers/soc/qcom/socinfo.c | 8 drivers/soc/ti/smartreflex.c | 4 drivers/soc/ti/ti_sci_pm_domains.c | 4 drivers/soc/xilinx/xlnx_event_manager.c | 4 drivers/spi/atmel-quadspi.c | 2 drivers/spi/spi-fsl-lpspi.c | 14 drivers/spi/spi-mpc52xx.c | 1 drivers/spi/spi-rpc-if.c | 14 drivers/spi/spi-tegra210-quad.c | 2 drivers/spi/spi-zynqmp-gqspi.c | 2 drivers/spi/spi.c | 13 drivers/staging/media/atomisp/pci/sh_css_params.c | 2 drivers/thermal/intel/int340x_thermal/int3400_thermal.c | 2 drivers/thermal/thermal_core.c | 2 drivers/tty/serial/8250/8250_dw.c | 5 drivers/tty/serial/8250/8250_fintek.c | 14 drivers/tty/serial/8250/8250_omap.c | 4 drivers/tty/serial/amba-pl011.c | 79 drivers/tty/serial/sc16is7xx.c | 5 drivers/tty/tty_ldisc.c | 2 drivers/ufs/core/ufs-sysfs.c | 6 drivers/ufs/core/ufshcd.c | 11 drivers/ufs/host/ufs-exynos.c | 16 drivers/ufs/host/ufs-renesas.c | 9 drivers/usb/chipidea/udc.c | 2 drivers/usb/dwc3/core.h | 1 drivers/usb/dwc3/ep0.c | 7 drivers/usb/dwc3/gadget.c | 104 drivers/usb/dwc3/gadget.h | 1 drivers/usb/gadget/composite.c | 18 drivers/usb/host/ehci-spear.c | 7 drivers/usb/host/xhci-dbgcap.c | 135 drivers/usb/host/xhci-dbgcap.h | 2 drivers/usb/host/xhci-ring.c | 18 drivers/usb/misc/chaoskey.c | 35 drivers/usb/misc/iowarrior.c | 50 drivers/usb/misc/yurex.c | 5 drivers/usb/musb/musb_gadget.c | 13 drivers/usb/typec/tcpm/wcove.c | 4 drivers/vdpa/mlx5/core/mr.c | 4 drivers/vfio/pci/mlx5/cmd.c | 47 drivers/vfio/pci/vfio_pci_config.c | 16 drivers/video/fbdev/efifb.c | 11 drivers/video/fbdev/sh7760fb.c | 11 drivers/watchdog/apple_wdt.c | 2 drivers/watchdog/iTCO_wdt.c | 21 drivers/watchdog/mtk_wdt.c | 6 drivers/watchdog/rti_wdt.c | 3 drivers/xen/xenbus/xenbus_probe.c | 8 fs/btrfs/ctree.c | 10 fs/btrfs/ctree.h | 2 fs/btrfs/extent-tree.c | 3 fs/btrfs/inode.c | 14 fs/btrfs/ioctl.c | 36 fs/btrfs/ref-verify.c | 1 fs/btrfs/root-tree.c | 10 fs/btrfs/volumes.c | 42 fs/cachefiles/ondemand.c | 4 fs/ceph/super.c | 10 fs/eventpoll.c | 6 fs/exfat/namei.c | 1 fs/ext4/ext4.h | 1 fs/ext4/fsmap.c | 54 fs/ext4/mballoc.c | 18 fs/ext4/mballoc.h | 1 fs/ext4/super.c | 33 fs/f2fs/file.c | 8 fs/f2fs/gc.c | 2 fs/f2fs/inode.c | 4 fs/f2fs/segment.c | 74 fs/f2fs/segment.h | 41 fs/fscache/volume.c | 3 fs/hfsplus/hfsplus_fs.h | 3 fs/hfsplus/wrapper.c | 2 fs/inode.c | 10 fs/jffs2/compr_rtime.c | 3 fs/jffs2/erase.c | 7 fs/jfs/jfs_dmap.c | 6 fs/jfs/jfs_dtree.c | 15 fs/jfs/xattr.c | 2 fs/nfs/internal.h | 2 fs/nfs/nfs4proc.c | 8 fs/nfsd/export.c | 5 fs/nfsd/nfs4callback.c | 16 fs/nfsd/nfs4proc.c | 7 fs/nfsd/nfs4recover.c | 3 fs/nfsd/nfs4state.c | 19 fs/nilfs2/dir.c | 2 fs/notify/fsnotify.c | 23 fs/ntfs3/record.c | 32 fs/ocfs2/aops.h | 2 fs/ocfs2/dlmglue.c | 1 fs/ocfs2/file.c | 4 fs/ocfs2/localalloc.c | 19 fs/ocfs2/namei.c | 4 fs/overlayfs/inode.c | 7 fs/overlayfs/util.c | 3 fs/proc/kcore.c | 11 fs/proc/softirqs.c | 2 fs/quota/dquot.c | 2 fs/smb/client/cached_dir.c | 2 fs/smb/client/cifssmb.c | 2 fs/smb/client/smb2ops.c | 8 fs/smb/server/smb2pdu.c | 6 fs/ubifs/super.c | 6 fs/ubifs/tnc_commit.c | 2 fs/udf/inode.c | 46 fs/unicode/mkutf8data.c | 70 fs/unicode/utf8-core.c | 2 fs/unicode/utf8data.c_shipped | 6703 +++++----- fs/xfs/libxfs/xfs_sb.c | 7 fs/xfs/xfs_log_recover.c | 5 include/drm/display/drm_dp_mst_helper.h | 7 include/drm/ttm/ttm_tt.h | 7 include/linux/arm-smccc.h | 30 include/linux/blkdev.h | 2 include/linux/bpf.h | 7 include/linux/cache.h | 6 include/linux/crypto.h | 1 include/linux/devfreq.h | 7 include/linux/dma-mapping.h | 5 include/linux/eeprom_93cx6.h | 11 include/linux/eventpoll.h | 2 include/linux/fpga/fpga-bridge.h | 10 include/linux/fpga/fpga-mgr.h | 26 include/linux/fwnode.h | 2 include/linux/hisi_acc_qm.h | 8 include/linux/i3c/master.h | 35 include/linux/jiffies.h | 2 include/linux/leds.h | 2 include/linux/lockdep.h | 2 include/linux/mmc/card.h | 1 include/linux/netdevice.h | 30 include/linux/netpoll.h | 2 include/linux/pci-epc.h | 2 include/linux/pci.h | 6 include/linux/property.h | 20 include/linux/rbtree_latch.h | 2 include/linux/scatterlist.h | 2 include/linux/seqlock.h | 107 include/linux/slab.h | 14 include/linux/sock_diag.h | 10 include/linux/util_macros.h | 56 include/media/v4l2-dv-timings.h | 18 include/memory/renesas-rpc-if.h | 18 include/net/bluetooth/hci_sync.h | 12 include/net/sock.h | 2 include/trace/trace_events.h | 36 include/uapi/linux/rtnetlink.h | 2 include/ufs/ufshcd.h | 19 init/initramfs.c | 15 io_uring/io_uring.c | 12 io_uring/tctx.c | 13 ipc/namespace.c | 4 kernel/bpf/devmap.c | 6 kernel/bpf/helpers.c | 6 kernel/bpf/lpm_trie.c | 55 kernel/bpf/syscall.c | 3 kernel/bpf/verifier.c | 41 kernel/cgroup/cgroup.c | 21 kernel/dma/debug.c | 8 kernel/kcsan/debugfs.c | 74 kernel/printk/printk.c | 2 kernel/rcu/tasks.h | 82 kernel/sched/core.c | 4 kernel/sched/fair.c | 2 kernel/time/ntp.c | 2 kernel/time/sched_clock.c | 2 kernel/time/time.c | 2 kernel/time/timekeeping.c | 4 kernel/trace/bpf_trace.c | 6 kernel/trace/ftrace.c | 3 kernel/trace/trace_clock.c | 2 kernel/trace/trace_eprobe.c | 5 kernel/trace/trace_event_perf.c | 6 kernel/trace/trace_syscalls.c | 12 kernel/trace/tracing_map.c | 6 lib/maple_tree.c | 13 lib/stackinit_kunit.c | 1 lib/string_helpers.c | 2 mm/damon/vaddr-test.h | 1 mm/damon/vaddr.c | 4 mm/kasan/report.c | 65 mm/mmap.c | 4 mm/page_alloc.c | 15 mm/swap.c | 20 mm/vmstat.c | 1 net/9p/trans_xen.c | 9 net/bluetooth/hci_core.c | 13 net/bluetooth/hci_sync.c | 132 net/bluetooth/hci_sysfs.c | 15 net/bluetooth/l2cap_sock.c | 1 net/bluetooth/mgmt.c | 61 net/bluetooth/rfcomm/sock.c | 20 net/can/af_can.c | 1 net/can/j1939/transport.c | 2 net/core/dev.c | 61 net/core/filter.c | 95 net/core/gen_estimator.c | 2 net/core/neighbour.c | 1 net/core/netpoll.c | 2 net/core/rtnetlink.c | 2 net/core/skmsg.c | 4 net/core/sock_diag.c | 114 net/dccp/feat.c | 6 net/ethtool/bitset.c | 48 net/hsr/hsr_device.c | 4 net/hsr/hsr_forward.c | 2 net/ieee802154/socket.c | 12 net/ipv4/af_inet.c | 22 net/ipv4/cipso_ipv4.c | 2 net/ipv4/inet_connection_sock.c | 2 net/ipv4/inet_diag.c | 11 net/ipv4/ip_output.c | 13 net/ipv4/ipmr.c | 42 net/ipv4/ipmr_base.c | 3 net/ipv4/tcp.c | 2 net/ipv4/tcp_bpf.c | 18 net/ipv4/tcp_fastopen.c | 7 net/ipv4/udp.c | 2 net/ipv6/addrconf.c | 41 net/ipv6/af_inet6.c | 24 net/ipv6/ip6_fib.c | 2 net/ipv6/ip6_output.c | 13 net/ipv6/ip6mr.c | 38 net/ipv6/ipv6_sockglue.c | 3 net/ipv6/route.c | 16 net/iucv/af_iucv.c | 26 net/llc/af_llc.c | 2 net/mac80211/main.c | 2 net/mptcp/protocol.c | 4 net/netfilter/ipset/ip_set_bitmap_ip.c | 7 net/netfilter/ipset/ip_set_core.c | 5 net/netfilter/ipvs/ip_vs_proto.c | 4 net/netfilter/nf_tables_api.c | 19 net/netfilter/nft_set_hash.c | 16 net/netfilter/nft_socket.c | 2 net/netfilter/xt_LED.c | 4 net/netlink/diag.c | 1 net/packet/af_packet.c | 12 net/packet/diag.c | 1 net/rfkill/rfkill-gpio.c | 8 net/rxrpc/af_rxrpc.c | 7 net/sched/act_api.c | 2 net/sched/cls_flower.c | 5 net/sched/sch_cbs.c | 2 net/sched/sch_tbf.c | 18 net/smc/af_smc.c | 2 net/smc/smc_diag.c | 1 net/sunrpc/cache.c | 4 net/sunrpc/xprtrdma/svc_rdma.c | 40 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 8 net/sunrpc/xprtsock.c | 1 net/tipc/diag.c | 1 net/tipc/udp_media.c | 2 net/unix/diag.c | 1 net/vmw_vsock/diag.c | 1 net/xdp/xsk_buff_pool.c | 5 net/xdp/xsk_diag.c | 1 net/xdp/xskmap.c | 2 samples/bpf/test_cgrp2_sock.c | 4 samples/bpf/xdp_adjust_tail_kern.c | 1 scripts/mod/file2alias.c | 5 scripts/mod/modpost.c | 4 security/apparmor/capability.c | 2 security/apparmor/policy_unpack_test.c | 6 sound/core/pcm_native.c | 6 sound/hda/intel-dsp-config.c | 4 sound/pci/hda/patch_realtek.c | 157 sound/soc/amd/yc/acp6x-mach.c | 39 sound/soc/codecs/da7219.c | 9 sound/soc/codecs/hdmi-codec.c | 140 sound/soc/fsl/fsl_micfil.c | 4 sound/soc/generic/audio-graph-card2.c | 3 sound/soc/intel/atom/sst/sst_acpi.c | 64 sound/soc/intel/avs/pcm.c | 2 sound/soc/intel/boards/bytcr_rt5640.c | 48 sound/soc/stm/stm32_sai_sub.c | 6 sound/usb/6fire/chip.c | 10 sound/usb/caiaq/audio.c | 10 sound/usb/caiaq/audio.h | 1 sound/usb/caiaq/device.c | 19 sound/usb/caiaq/input.c | 12 sound/usb/caiaq/input.h | 1 sound/usb/clock.c | 24 sound/usb/endpoint.c | 14 sound/usb/mixer.c | 58 sound/usb/mixer_maps.c | 10 sound/usb/quirks-table.h | 14 sound/usb/quirks.c | 58 sound/usb/usbaudio.h | 4 sound/usb/usx2y/us122l.c | 5 sound/usb/usx2y/usbusx2y.c | 2 tools/bpf/bpftool/jit_disasm.c | 51 tools/bpf/bpftool/main.h | 25 tools/bpf/bpftool/map.c | 1 tools/bpf/bpftool/prog.c | 22 tools/lib/bpf/libbpf.c | 4 tools/lib/bpf/linker.c | 2 tools/lib/thermal/Makefile | 4 tools/lib/thermal/commands.c | 52 tools/perf/builtin-ftrace.c | 2 tools/perf/builtin-stat.c | 52 tools/perf/builtin-trace.c | 16 tools/perf/util/cs-etm.c | 25 tools/perf/util/evlist.c | 19 tools/perf/util/evlist.h | 1 tools/perf/util/probe-finder.c | 21 tools/perf/util/probe-finder.h | 4 tools/scripts/Makefile.arch | 4 tools/testing/selftests/arm64/mte/check_tags_inclusion.c | 4 tools/testing/selftests/arm64/mte/mte_common_util.c | 4 tools/testing/selftests/arm64/pauth/pac.c | 3 tools/testing/selftests/bpf/network_helpers.h | 44 tools/testing/selftests/bpf/test_progs.c | 9 tools/testing/selftests/bpf/test_sockmap.c | 165 tools/testing/selftests/mount_setattr/mount_setattr_test.c | 2 tools/testing/selftests/net/pmtu.sh | 2 tools/testing/selftests/resctrl/resctrl_val.c | 3 tools/testing/selftests/vDSO/parse_vdso.c | 3 tools/testing/selftests/watchdog/watchdog-test.c | 6 tools/testing/selftests/wireguard/netns.sh | 1 tools/tracing/rtla/src/utils.c | 4 tools/tracing/rtla/src/utils.h | 2 tools/verification/dot2/automata.py | 18 773 files changed, 11342 insertions(+), 7062 deletions(-) Abel Vesa (1): remoteproc: qcom: q6v5: Use _clk_get_optional for aggre2_clk Adrian Hunter (1): perf/x86/intel/pt: Fix buffer full but size is 0 case Ahmed Ehab (1): locking/lockdep: Avoid creating new name string literals in lockdep_set_subclass() Ahsan Atta (1): crypto: qat - remove faulty arbiter config reset Ajay Kaher (1): ptp: Add error handling for adjfine callback in ptp_clock_adjtime Aleksandr Mishin (1): acpi/arm64: Adjust error handling procedure in gtdt_parse_timer_block() Alex Deucher (2): drm/amdgpu/hdp5.2: do a posting read when flushing HDP drm/amdgpu: rework resume handling for display (v2) Alex Hung (4): drm/amd/display: Check null-initialized variables drm/amd/display: Initialize denominators' default to 1 drm/amd/display: Check phantom_stream before it is used drm/amd/display: Check BIOS images before it is used Alex Zenla (2): 9p/xen: fix init sequence 9p/xen: fix release of IRQ Alexander Hölzl (1): can: j1939: fix error in J1939 documentation. Alexander Kozhinov (1): can: gs_usb: add usb endpoint address detection at driver probe step Alexander Shiyan (1): media: i2c: tc358743: Fix crash in the probe error path when using polling Alexander Stein (1): spi: spi-fsl-lpspi: downgrade log level for pio mode Alexander Sverdlin (1): watchdog: rti: of: honor timeout-sec property Alexandru Ardelean (1): util_macros.h: fix/rework find_closest() macros Alexis Lothoré (eBPF Foundation) (1): selftests/bpf: add missing header include for htons Alper Nebi Yasak (1): wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_config_scan() Amadeusz Sławiński (1): ASoC: Intel: avs: Fix return status of avs_pcm_hw_constraints_init() Amir Goldstein (1): fsnotify: fix sending inotify event with unexpected filename Amir Mohammadi (1): bpftool: fix potential NULL pointer dereferencing in prog_dump() Andre Przywara (4): kselftest/arm64: mte: fix printf type warnings about __u64 kselftest/arm64: mte: fix printf type warnings about longs ARM: dts: cubieboard4: Fix DCDC5 regulator constraints clk: sunxi-ng: d1: Fix PLL_AUDIO0 preset Andrej Shadura (1): Bluetooth: Fix type of len in rfcomm_sock_getsockopt{,_old}() Andrew Lunn (1): dsa: qca8k: Use nested lock to avoid splat Andrey Konovalov (1): kasan: suppress recursive reports for HW_TAGS Andrii Nakryiko (2): libbpf: fix sym_is_subprog() logic for weak global subprogs libbpf: never interpret subprogs in .text as entry programs André Almeida (1): unicode: Fix utf8_load() error path Andy Shevchenko (7): regmap: irq: Set lockdep class for hierarchical IRQ domains drm/mm: Mark drm_mm_interval_tree*() functions with __maybe_unused mfd: intel_soc_pmic_bxtwc: Use IRQ domain for USB Type-C device mfd: intel_soc_pmic_bxtwc: Use IRQ domain for TMU device mfd: intel_soc_pmic_bxtwc: Use IRQ domain for PMIC devices device property: Constify device child node APIs iio: light: ltr501: Add LTER0303 to the supported devices Andy-ld Lu (1): mmc: mtk-sd: Fix error handle of probe function Angelo Dureghello (1): dt-bindings: iio: dac: ad3552r: fix maximum spi speed Anil Gurumurthy (1): scsi: qla2xxx: Supported speed displayed incorrectly for VPorts Antonio Quartulli (1): m68k: coldfire/device.c: only build FEC when HW macros are defined Arnaldo Carvalho de Melo (1): perf ftrace latency: Fix unit on histogram first entry when using --use-nsec Arnd Bergmann (2): x86/amd_nb: Fix compile-testing without CONFIG_AMD_NB serial: amba-pl011: fix build regression Artem Sadovnikov (1): jfs: xattr: check invalid xattr size more strictly Avihai Horon (1): vfio/pci: Properly hide first-in-list PCIe extended capability Baochen Qiang (2): wifi: ath10k: fix invalid VHT parameters in supported_vht_mcs_rate_nss1 wifi: ath10k: fix invalid VHT parameters in supported_vht_mcs_rate_nss2 Barnabás Czémán (3): power: supply: bq27xxx: Fix registers of bq27426 pinctrl: qcom-pmic-gpio: add support for PM8937 pinctrl: qcom: spmi-mpp: Add PM8937 compatible Bart Van Assche (2): power: supply: core: Remove might_sleep() from power_supply_put() scsi: ufs: core: Make DMA mask configuration more flexible Bartosz Golaszewski (4): mmc: mmc_spi: drop buggy snprintf() pinctrl: zynqmp: drop excess struct member description lib: string_helpers: silence snprintf() output truncation warning gpio: grgpio: use a helper variable to store the address of ofdev->dev Baruch Siach (1): doc: rcu: update printed dynticks counter bits Ben Greear (1): mac80211: fix user-power when emulating chanctx Benjamin Große (1): usb: add support for new USB device ID 0x17EF:0x3098 for the r8152 driver Benjamin Peterson (3): perf trace: avoid garbage when not printing a trace event's arguments perf trace: Do not lose last events in a race perf trace: Avoid garbage when not printing a syscall's arguments Benoît Monin (1): net: usb: qmi_wwan: add Quectel RG650V Benoît Sevens (1): ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices Bibo Mao (1): LoongArch: Add architecture specific huge_pte_clear() Biju Das (2): mtd: hyperbus: rpc-if: Add missing MODULE_DEVICE_TABLE clk: renesas: rzg2l: Fix FOUTPOSTDIV clk Bin Liu (1): serial: 8250: omap: Move pm_runtime_get_sync Bjorn Andersson (1): rpmsg: glink: Fix GLINK command prefix Björn Töpel (1): tools: Override makefile ARCH variable if defined, but empty Boris Burkov (2): btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations btrfs: do not clear read-only when adding sprout device Borislav Petkov (AMD) (1): x86/barrier: Do not serialize MSR accesses on AMD Brahmajit Das (1): drm/display: Fix building with GCC 15 Breno Leitao (5): ipmr: Fix access to mfc_cache_list without lock held spi: tegra210-quad: Avoid shift-out-of-bounds netpoll: Use rcu_access_pointer() in netpoll_poll_lock perf/x86/amd: Warn only on new bits set netpoll: Use rcu_access_pointer() in __netpoll_setup Callahan Kovacs (1): HID: magicmouse: Apple Magic Trackpad 2 USB-C driver support Carlos Song (2): i3c: master: support to adjust first broadcast address speed i3c: master: svc: use slow speed for first broadcast address Catalin Marinas (4): mm/slab: decouple ARCH_KMALLOC_MINALIGN from ARCH_DMA_MINALIGN powerpc: move the ARCH_DMA_MINALIGN definition to asm/cache.h dma: allow dma_get_cache_alignment() to be overridden by the arch code arm64: Ensure bits ASID[15:8] are masked out when the kernel uses 8-bit ASIDs Chao Yu (2): f2fs: fix to account dirty data in __get_secs_required() f2fs: fix to avoid forcing direct write to use buffered IO on inline_data inode Charles Han (3): soc: qcom: Add check devm_kasprintf() returned value clk: clk-apple-nco: Add NULL check in applnco_probe gpio: grgpio: Add NULL check in grgpio_probe Chen Ridong (4): crypto: caam - add error check to caam_rsa_set_priv_key_form crypto: bcm - add error check in the ahash_hmac_init function Revert "cgroup: Fix memory leak caused by missing cgroup_bpf_offline" cgroup/bpf: only cgroup v2 can be attached by bpf programs Chen-Yu Tsai (6): arm64: dts: mediatek: mt8173-elm-hana: Add vdd-supply to second source trackpad arm64: dts: mediatek: mt8183-kukui-jacuzzi: Fix DP bridge supply names arm64: dts: mediatek: mt8183-kukui-jacuzzi: Add supplies for fixed regulators Revert "arm64: dts: mediatek: mt8195-cherry: Mark USB 3.0 on xhci1 as disabled" arm64: dts: mediatek: mt8195-cherry: Mark USB 3.0 on xhci1 as disabled drm/bridge: it6505: Fix inverted reset polarity ChenXiaoSong (1): btrfs: add might_sleep() annotations Cheng Ming Lin (1): mtd: spi-nor: core: replace dummy buswidth from addr to data Chengchang Tang (1): RDMA/hns: Add clear_hem return value to log Chih-Kang Chang (1): wifi: rtw89: avoid to add interface to list twice when SER Christian Brauner (1): epoll: annotate racy check Christian König (1): dma-buf: fix dma_fence_array_signaled v4 Christoph Hellwig (8): nvme-pci: fix freeing of the HMB descriptor table block: fix bio_split_rw_at to take zone_write_granularity into account nvme-pci: reverse request order in nvme_queue_rqs virtio_blk: reverse request order in virtio_queue_rqs f2fs: remove struct segment_allocation default_salloc_ops f2fs: open code allocate_segment_by_default f2fs: remove the unused flush argument to change_curseg block: return unsigned int from bdev_io_min Christophe JAILLET (3): crypto: caam - Fix the pointer passed to caam_qi_shutdown() crypto: cavium - Fix an error handling path in cpt_ucode_load_fw() iio: light: al3010: Fix an error handling path in al3010_probe() Christophe Leroy (2): powerpc/vdso: Flag VDSO64 entry points as functions powerpc/vdso: Refactor CFLAGS for CVDSO build Chuck Lever (5): svcrdma: Address an integer overflow NFSD: Prevent NULL dereference in nfsd4_process_cb_update() NFSD: Cap the number of bytes copied by nfs4_reset_recoverydir() NFSD: Fix nfsd4_shutdown_copy() NFSD: Prevent a potential integer overflow Chun-Tse Shao (1): perf/arm-smmuv3: Fix lockdep assert in ->event_init() Clark Wang (1): pwm: imx27: Workaround of the pwm output bug when decrease the duty cycle Claudiu Beznea (1): serial: sh-sci: Clean sci_ports[0] after at earlycon exit Cosmin Tanislav (1): regmap: detach regmap from dev on regmap_exit Csókás, Bence (1): spi: atmel-quadspi: Fix register name in verbose logging function Damien Le Moal (1): PCI: rockchip-ep: Fix address translation unit programming Dan Carpenter (3): soc: qcom: geni-se: fix array underflow in geni_se_clk_tbl_get() mailbox: arm_mhuv2: clean up loop in get_irq_chan_comb() sh: intc: Fix use-after-free bug in register_intc_controller() Daniel Borkmann (2): bpf: Fix helper writes to read-only maps net: Move {l,t,d}stats allocation to core and convert veth & vrf Daniel Gabay (1): wifi: iwlwifi: mvm: Use the sync timepoint API in suspend Daniel Lezcano (2): tools/lib/thermal: Make more generic the command encoding function thermal/lib: Fix memory leak on error in thermal_genl_auto() Daniel Palmer (2): m68k: mvme147: Fix SCSI controller IRQ numbers m68k: mvme147: Reinstate early console Daolong Zhu (4): arm64: dts: mt8183: fennel: add i2c2's i2c-scl-internal-delay-ns arm64: dts: mt8183: burnet: add i2c2's i2c-scl-internal-delay-ns arm64: dts: mt8183: cozmo: add i2c2's i2c-scl-internal-delay-ns arm64: dts: mt8183: Damu: add i2c2's i2c-scl-internal-delay-ns Dario Binacchi (9): can: c_can: c_can_handle_bus_err(): update statistics if skb allocation fails can: sun4i_can: sun4i_can_err(): call can_change_state() even if cf is NULL can: hi311x: hi3110_can_ist(): fix potential use-after-free can: m_can: m_can_handle_lec_err(): fix {rx,tx}_errors statistics can: ifi_canfd: ifi_canfd_handle_lec_err(): fix {rx,tx}_errors statistics can: hi311x: hi3110_can_ist(): fix {rx,tx}_errors statistics can: sja1000: sja1000_err(): fix {rx,tx}_errors statistics can: sun4i_can: sun4i_can_err(): fix {rx,tx}_errors statistics can: ems_usb: ems_usb_rx_err(): fix {rx,tx}_errors statistics Dave Stevenson (5): drm/vc4: hvs: Don't write gamma luts on 2711 drm/vc4: hvs: Fix dlist debug not resetting the next entry pointer drm/vc4: hvs: Remove incorrect limit from hvs_dlist debugfs function drm/vc4: hvs: Correct logic on stopping an HVS channel drm/vc4: hvs: Set AXI panic modes for the HVS David Disseldorp (1): initramfs: avoid filename buffer overrun David Given (1): media: uvcvideo: Add a quirk for the Kaiweets KTI-W02 infrared camera David Thompson (1): EDAC/bluefield: Fix potential integer overflow David Wang (1): proc/softirqs: replace seq_printf with seq_put_decimal_ull_width Defa Li (1): i3c: Use i3cdev->desc->info instead of calling i3c_device_get_info() to avoid deadlock Dikshita Agarwal (1): venus: venc: add handling for VIDIOC_ENCODER_CMD Dinesh Kumar (1): ALSA: hda/realtek: Fix Internal Speaker and Mic boost of Infinix Y4 Max Dipendra Khadka (6): octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_common.c octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_ethtool.c octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_flows.c octeontx2-pf: handle otx2_mbox_get_rsp errors in cn10k.c octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_dmac_flt.c octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_dcbnl.c Dmitry Antipov (5): Bluetooth: fix use-after-free in device_for_each_child() ocfs2: fix uninitialized value in ocfs2_file_read_iter() netfilter: x_tables: fix LED ID check in led_tg_check() can: j1939: j1939_session_new(): fix skb reference counting rocker: fix link status detection in rocker_carrier_init() Dmitry Baryshkov (1): remoteproc: qcom: pas: add minidump_id to SM8350 resources Dmitry Kandybka (1): mptcp: fix possible integer overflow in mptcp_reset_tout_timer Dmitry Torokhov (1): rtc: cmos: avoid taking rtc_lock for extended period of time Dom Cobley (2): drm/vc4: hdmi: Avoid hang with debug registers when suspended drm/vc4: hdmi: Avoid log spam for audio start failure Dong Aisheng (1): clk: imx: clk-scu: fix clk enable state save and restore Doug Brown (1): drm/etnaviv: fix power register offset on GC300 Dragan Simic (1): arm64: dts: allwinner: pinephone: Add mount matrix to accelerometer Eduard Zingerman (1): selftests/bpf: Fix backtrace printing for selftests crashes Edward Adam Davis (1): USB: chaoskey: Fix possible deadlock chaoskey_list_lock Elena Salomatkina (1): net/sched: cbs: Fix integer overflow in cbs_set_port_rate() Eric Biggers (1): crypto: x86/aegis128 - access 32-bit arguments as 32-bit Eric Dumazet (7): sock_diag: add module pointer to "struct sock_diag_handler" sock_diag: allow concurrent operations sock_diag: allow concurrent operation in sock_diag_rcv_msg() net: use unrcu_pointer() helper net: hsr: fix hsr_init_sk() vs network/transport headers. net: hsr: avoid potential out-of-bound access in fill_frame_info() geneve: do not assume mac header is set in geneve_xmit_skb() Eryk Zagorski (1): ALSA: usb-audio: Fix Yamaha P-125 Quirk Entry Esben Haabendal (1): pinctrl: freescale: fix COMPILE_TEST error with PINCTRL_IMX_SCU Esther Shimanovich (1): PCI: Detect and trust built-in Thunderbolt chips Everest K.C (1): crypto: cavium - Fix the if condition to exit loop after timeout Filip Brozovic (1): serial: 8250_fintek: Add support for F81216E Filipe Manana (3): btrfs: don't loop for nowait writes when checking for cross references btrfs: ref-verify: fix use-after-free after invalid ref action btrfs: fix missing snapshot drew unlock when root is dead during swap activation Florian Westphal (1): netfilter: nf_tables: must hold rcu read lock while iterating object type list Francesco Dolcini (2): arm64: dts: freescale: imx8mm-verdin: Fix SD regulator startup delay arm64: dts: freescale: imx8mp-verdin: Fix SD regulator startup delay Frank Li (10): i3c: master: Fix miss free init_dyn_addr at i3c_master_put_i3c_addrs() i3c: master: add enable(disable) hot join in sys entry i3c: master: svc: add hot join support i3c: master: fix kernel-doc check warning i3c: master: svc: Modify enabled_events bit 7:0 to act as IBI enable counter i3c: master: Replace hard code 2 with macro I3C_ADDR_SLOT_STATUS_BITS i3c: master: Extend address status bit to 4 and add I3C_ADDR_SLOT_EXT_DESIRED i3c: master: Fix dynamic address leak when 'assigned-address' is present i3c: master: Remove i3c_dev_disable_ibi_locked(olddev) on device hotjoin i3c: master: svc: fix possible assignment of the same address to two devices Fuad Tabba (1): KVM: arm64: Change kvm_handle_mmio_return() return polarity Gabor Juhos (1): clk: qcom: gcc-qcs404: fix initial rate of GPLL3 Gabriele Monaco (1): verification/dot2: Improve dot parser robustness Gaosheng Cui (2): drivers: soc: xilinx: add the missing kfree in xlnx_add_cb_for_suspend() media: platform: allegro-dvt: Fix possible memory leak in allocate_buffers_internal() Gautam Menghani (3): KVM: PPC: Book3S HV: Stop using vc->dpdes for nested KVM guests KVM: PPC: Book3S HV: Avoid returning to nested hypervisor on pending doorbells powerpc/pseries: Fix KVM guest detection for disabling hardlockup detector Geert Uytterhoeven (4): m68k: mvme16x: Add and use "mvme16x.h" memory: renesas-rpc-if: Improve Runtime PM handling memory: renesas-rpc-if: Pass device instead of rpcif to rpcif_*() memory: renesas-rpc-if: Remove Runtime PM wrappers Ghanshyam Agrawal (3): jfs: array-index-out-of-bounds fix in dtReadFirst jfs: fix shift-out-of-bounds in dbSplit jfs: fix array-index-out-of-bounds in jfs_readdir Greg Kroah-Hartman (2): Revert "serial: sh-sci: Clean sci_ports[0] after at earlycon exit" Linux 6.1.120 Gregory Price (1): tpm: fix signed/unsigned bug when checking event logs Guilherme G. Piccoli (1): wifi: rtlwifi: Drastically reduce the attempts to read efuse in case of failures Gwendal Grignou (1): scsi: ufs: core: sysfs: Prevent div by zero Hangbin Liu (3): netdevsim: copy addresses for both in and out paths wireguard: selftests: load nf_conntrack if not present net/ipv6: delete temporary address if mngtmpaddr is removed or unmanaged Hans Verkuil (1): media: v4l2-core: v4l2-dv-timings: check cvt/gtf result Hans de Goede (6): ASoC: Intel: bytcr_rt5640: Add support for non ACPI instantiated codec ASoC: Intel: bytcr_rt5640: Add DMI quirk for Vexia Edu Atla 10 tablet ASoC: Intel: sst: Support LPE0F28 ACPI HID drm: panel-orientation-quirks: Make Lenovo Yoga Tab 3 X90F DMI match less strict ASoC: Intel: sst: Fix used of uninitialized ctx to log an error mmc: sdhci-pci: Add DMI quirk for missing CD GPIO on Vexia Edu Atla 10 tablet Hariprasad Kelam (1): octeontx2-af: RPM: Fix mismatch in lmac type Harith G (1): ARM: 9420/1: smp: Fix SMP for xip kernels Harshit Mogalapalli (1): dax: delete a stale directory pmem Heiner Kallweit (1): r8169: don't apply UDP padding quirk on RTL8126A Heming Zhao (1): ocfs2: Revert "ocfs2: fix the la space leak when unmounting an ocfs2 volume" Herbert Xu (2): crypto: api - Add crypto_tfm_get crypto: api - Add crypto_clone_tfm Hilda Wu (1): Bluetooth: btusb: Add RTL8852BE device 0489:e123 to device tables Hou Tao (4): bpf: Handle BPF_EXIST and BPF_NOEXIST for LPM trie bpf: Remove unnecessary kfree(im_node) in lpm_trie_update_elem bpf: Handle in-place update for full LPM trie correctly bpf: Fix exact match conditions in trie_get_next_key() Hsin-Te Yuan (2): arm64: dts: mt8183: krane: Fix the address of eeprom at i2c4 arm64: dts: mt8183: kukui: Fix the address of eeprom at i2c4 Hsin-Yi Wang (1): arm64: dts: mt8183: jacuzzi: Move panel under aux-bus Huacai Chen (2): sh: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK LoongArch: Fix sleeping in atomic context for PREEMPT_RT Hubert Wiśniewski (1): usb: musb: Fix hardware lockup on first Rx endpoint request Hugo Villeneuve (1): serial: sc16is7xx: fix invalid FIFO access with special register set Ian Rogers (2): perf stat: Fix affinity memory leaks on error path perf probe: Fix libdw memory leak Ido Schimmel (1): mlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path Ignat Korchagin (7): af_packet: avoid erroring out after sock_init_data() in packet_create() Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create() Bluetooth: RFCOMM: avoid leaving dangling sk pointer in rfcomm_sock_alloc() net: af_can: do not leave a dangling sk pointer in can_create() net: ieee802154: do not leave a dangling sk pointer in ieee802154_create() net: inet: do not leave a dangling sk pointer in inet_create() net: inet6: do not leave a dangling sk pointer in inet6_create() Igor Artemiev (1): drm/radeon/r600_cs: Fix possible int overflow in r600_packet3_check() Igor Prusov (1): dt-bindings: vendor-prefixes: Add NeoFidelity, Inc Ilpo Järvinen (1): PCI: cpqphp: Fix PCIBIOS_* return value confusion Ilya Zverev (1): ASoC: amd: yc: Add a quirk for microfone on Lenovo ThinkPad P14s Gen 5 21MES00B00 Imre Deak (3): drm/dp_mst: Fix MST sideband message body length check drm/dp_mst: Verify request type in the corresponding down message reply drm/dp_mst: Fix resetting msg rx state after topology removal Inochi Amaoto (1): serial: 8250_dw: Add Sophgo SG2044 quirk Ivan Solodovnikov (1): dccp: Fix memory leak in dccp_feat_change_recv Jacob Keller (3): ptp: convert remaining drivers to adjfine interface ixgbevf: stop attempting IPSEC offload on Mailbox API 1.5 ixgbe: downgrade logging of unsupported VF API version to debug Jakob Hauser (1): iio: magnetometer: yas530: use signed integer type for clamp limits Jakub Kicinski (1): net/neighbor: clear error in case strict check is not set James Clark (1): perf cs-etm: Don't flush when packet_queue fills up Jammy Huang (1): media: aspeed: Fix memory overwrite if timing is 1600x900 Jan Kara (3): ext4: make 'abort' mount option handling standard ext4: avoid remount errors with 'abort' mount option udf: Fold udf_getblk() into udf_bread() Jan Stancek (1): tools/rtla: fix collision with glibc sched_attr/sched_set_attr Jann Horn (1): comedi: Flush partial mappings in error case Jared Kangas (1): kasan: make report_lock a raw spinlock Jarkko Nikula (1): i3c: mipi-i3c-hci: Mask ring interrupts before ring stop request Jason Gerecke (1): HID: wacom: Interpret tilt data from Intuos Pro BT as signed values Jason-JH.Lin (1): mailbox: mtk-cmdq: Move devm_mbox_controller_register() after devm_pm_runtime_enable() Javier Carrasco (5): clocksource/drivers/timer-ti-dm: Fix child node refcount handling wifi: brcmfmac: release 'root' node in all execution paths platform/chrome: cros_ec_typec: fix missing fwnode reference decrement soc: fsl: rcpm: fix missing of_node_put() in copy_ippdexpcr1_setting() leds: flash: mt6360: Fix device_for_each_child_node() refcounting in error paths Jean-Michel Hautbois (1): m68k: mcfgpio: Fix incorrect register offset for CONFIG_M5441x Jens Axboe (1): io_uring/tctx: work around xa_store() allocation error issue Jeongjun Park (4): wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service() usb: using mutex lock and supporting O_NONBLOCK flag in iowarrior_read() ext4: supress data-race warnings in ext4_free_inodes_{count,set}() netfilter: ipset: add missing range check in bitmap_ip_uadt Jianbo Liu (1): net/mlx5e: Remove workaround to avoid syndrome for internal port Jiapeng Chong (1): wifi: ipw2x00: libipw_rx_any(): fix bad alignment Jiasheng Jiang (2): counter: stm32-timer-cnt: Add check for clk_enable() counter: ti-ecap-capture: Add check for clk_enable() Jiayuan Chen (2): bpf: fix filed access without lock bpf: fix recursive lock when verdict program return SK_PASS Jing Zhang (1): KVM: arm64: vgic-its: Add a data length check in vgic_its_save_* Jinghao Jia (1): ipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init() Jinjie Ruan (22): spi: spi-fsl-lpspi: Use IRQF_NO_AUTOEN flag in request_irq() soc: ti: smartreflex: Use IRQF_NO_AUTOEN flag in request_irq() spi: zynqmp-gqspi: Undo runtime PM changes at driver exit time wifi: p54: Use IRQF_NO_AUTOEN flag in request_irq() wifi: mwifiex: Use IRQF_NO_AUTOEN flag in request_irq() drm/imx/dcss: Use IRQF_NO_AUTOEN flag in request_irq() drm/imx/ipuv3: Use IRQF_NO_AUTOEN flag in request_irq() drm/msm/adreno: Use IRQF_NO_AUTOEN flag in request_irq() mfd: tps65010: Use IRQF_NO_AUTOEN flag in request_irq() to fix race cpufreq: CPPC: Fix possible null-ptr-deref for cpufreq_cpu_get_raw() cpufreq: CPPC: Fix possible null-ptr-deref for cppc_get_cpu_cost() cpufreq: CPPC: Fix wrong return value in cppc_get_cpu_cost() cpufreq: CPPC: Fix wrong return value in cppc_get_cpu_power() misc: apds990x: Fix missing pm_runtime_disable() apparmor: test: Fix memory leak for aa_unpack_strdup() cpufreq: mediatek-hw: Fix wrong return value in mtk_cpufreq_get_cpu_power() rtc: st-lpc: Use IRQF_NO_AUTOEN flag in request_irq() media: i2c: dw9768: Fix pm_runtime_set_suspended() with runtime pm enabled media: amphion: Fix pm_runtime_set_suspended() with runtime pm enabled media: venus: Fix pm_runtime_set_suspended() with runtime pm enabled media: gspca: ov534-ov772x: Fix off-by-one error in set_frame_rate() i3c: master: svc: Fix pm_runtime_set_suspended() with runtime pm enabled Jiri Olsa (1): fs/proc/kcore.c: Clear ret value in read_kcore_iter after successful iov_iter_zero Jiri Wiesner (1): net/ipv6: release expired exception dst cached in socket Joaquín Ignacio Aramendía (3): drm: panel-orientation-quirks: Add quirk for AYA NEO 2 model drm: panel-orientation-quirks: Add quirk for AYA NEO Founder edition drm: panel-orientation-quirks: Add quirk for AYA NEO GEEK Joe Hattori (1): media: platform: exynos4-is: Fix an OF node reference leak in fimc_md_is_isp_available Johan Hovold (1): pinctrl: qcom: spmi: fix debugfs drive strength John Garry (1): scsi: scsi_debug: Fix hrtimer support for ndelay John Watts (1): ASoC: audio-graph-card2: Purge absent supplies for device tree nodes Jonas Gorski (1): mips: asm: fix warning when disabling MIPS_FP_SUPPORT Jonas Karlman (1): ASoC: hdmi-codec: reorder channel allocation list Jonathan Cameron (2): device property: Add cleanup.h based fwnode_handle_put() scope based cleanup. device property: Introduce device_for_each_child_node_scoped() Jonathan Marek (1): rpmsg: glink: use only lower 16-bits of param2 for CMD_OPEN name length Jordy Zomer (2): ksmbd: fix Out-of-Bounds Read in ksmbd_vfs_stream_read ksmbd: fix Out-of-Bounds Write in ksmbd_vfs_stream_write Josef Bacik (1): btrfs: don't BUG_ON on ENOMEM from btrfs_lookup_extent_info() in walk_down_proc() Josh Poimboeuf (1): parisc/ftrace: Fix function graph tracing disablement Junxian Huang (4): RDMA/hns: Use dev_* printings in hem code instead of ibdev_* RDMA/hns: Remove unnecessary QP type checks RDMA/hns: Fix out-of-order issue of requester when setting FENCE RDMA/hns: Fix NULL pointer derefernce in hns_roce_map_mr_sg() Justin Tee (1): scsi: lpfc: Validate hdwq pointers before dereferencing in reset/errata paths K Prateek Nayak (3): sched/core: Remove the unnecessary need_resched() check in nohz_csd_func() sched/fair: Check idle_cpu() before need_resched() to detect ilb CPU turning busy sched/core: Prevent wakeup of ksoftirqd during idle load balance Kai Mäkisara (2): scsi: st: Don't modify unknown block number in MTIOCGET scsi: st: Add MTIOCGET and MTLOAD to ioctls allowed after device reset Kailang Yang (3): ALSA: hda/realtek: Update ALC256 depop procedure ALSA: hda/realtek: Update ALC225 depop procedure ALSA: hda/realtek: Set PCBeep to default value for ALC274 Kaixin Wang (1): i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition Kan Liang (1): perf/x86/intel: Hide Topdown metrics events if the feature is not enumerated Kartik Rajput (1): serial: amba-pl011: Fix RX stall when DMA is used Kashyap Desai (1): RDMA/bnxt_re: Check cqe flags to know imm_data vs inv_irkey Kees Cook (2): lib: stackinit: hide never-taken branch from compiler smb: client: memcpy() with surrounding object base address Keita Aihara (1): mmc: core: Add SD card quirk for broken poweroff notification Keith Busch (1): PCI: Add 'reset_subordinate' to reset hierarchy below bridge Kent Overstreet (1): closures: Change BUG_ON() to WARN_ON() Kinsey Moore (1): jffs2: Prevent rtime decompress memory corruption Kishon Vijay Abraham I (2): PCI: keystone: Set mode as Root Complex for "ti,keystone-pcie" compatible PCI: keystone: Add link up check to ks_pcie_other_map_bus() Konstantin Komarov (2): fs/ntfs3: Fixed overflow check in mi_enum_attr() fs/ntfs3: Sequential field availability check in mi_enum_attr() Kory Maincent (1): ethtool: Fix wrong mod state in case of verbose and no_mask bitset Kuan-Wei Chiu (1): tracing: Fix cmp_entries_dup() to respect sort() comparison rules Kuniyuki Iwashima (2): tcp: Fix use-after-free of nreq in reqsk_timer_handler(). tipc: Fix use-after-free of kernel socket in cleanup_bearer(). Kunkun Jiang (2): KVM: arm64: vgic-its: Clear DTE when MAPD unmaps a device KVM: arm64: vgic-its: Clear ITE when DISCARD frees an ITE Kuro Chung (1): drm/bridge: it6505: update usleep_range for RC circuit charge time Kurt Borja (2): platform/x86: dell-smbios-base: Extends support to Alienware products platform/x86: dell-wmi-base: Handle META key Lock/Unlock events Lang Yu (1): drm/amdgpu: refine error handling in amdgpu_ttm_tt_pin_userptr Larysa Zaremba (1): xsk: always clear DMA mapping information when unmapping the pool Leo Yan (1): perf probe: Correct demangled symbols in C++ program Levi Yun (3): trace/trace_event_perf: remove duplicate samples on the first tracepoint event perf stat: Close cork_fd when create_perf_stat_counter() failed dma-debug: fix a possible deadlock on radix_lock Li Huafei (2): crypto: inside-secure - Fix the return value of safexcel_xcbcmac_cra_init() media: atomisp: Add check for rgby_data memory allocation failure Li Lingfeng (1): nfs: ignore SB_RDONLY when mounting nfs Li Zetao (1): media: ts2020: fix null-ptr-deref in ts2020_probe() Li Zhijian (2): selftests/watchdog-test: Fix system accidentally reset after watchdog-test fs/inode: Prevent dump_mapping() accessing invalid dentry.d_name.name Liao Chen (2): drm/bridge: it6505: Enable module autoloading drm/mcde: Enable module autoloading Liequan Che (1): bcache: revert replacing IS_ERR_OR_NULL with IS_ERR again Lifeng Zheng (1): ACPI: CPPC: Fix _CPC register setting issue Linus Torvalds (1): Revert "unicode: Don't special case ignorable code points" Linus Walleij (3): ARM: 9429/1: ioremap: Sync PGDs for VMALLOC shadow ARM: 9430/1: entry: Do a dummy read from VMAP shadow ARM: 9431/1: mm: Pair atomic_set_release() with _read_acquire() Liu Jian (1): sunrpc: clear XPRT_SOCK_UPD_TIMEOUT when reset transport Lizhi Xu (1): btrfs: add a sanity check for btrfs root in btrfs_search_slot() Long Li (1): xfs: remove unknown compat feature check in superblock write validation LongPing Wei (1): f2fs: fix the wrong f2fs_bug_on condition in f2fs_do_replace_block Louis Leseur (1): net/qed: allow old cards not supporting "num_images" to work Lucas Stach (2): drm/etnaviv: hold GPU lock across perfmon sampling drm/etnaviv: flush shader L1 cache after user commandstream Luis Chamberlain (1): sunrpc: simplify two-level sysctl registration for svcrdma_parm_table Luiz Augusto von Dentz (5): Bluetooth: hci_sync: Add helper functions to manipulate cmd_sync queue Bluetooth: MGMT: Fix possible crash on mgmt_index_removed Bluetooth: MGMT: Fix slab-use-after-free Read in set_powered_sync Bluetooth: hci_core: Fix not checking skb length on hci_acldata_packet Bluetooth: MGMT: Fix possible deadlocks Lukas Wunner (1): PCI: Fix use-after-free of slot->bus on hot remove Lukasz Luba (1): drm/msm/gpu: Check the status of registration to PM QoS Luo Qiu (1): firmware: arm_scpi: Check the DVFS OPP count returned by the firmware Luo Yifan (2): ASoC: stm: Prevent potential division by zero in stm32_sai_mclk_round_rate() ASoC: stm: Prevent potential division by zero in stm32_sai_get_clk_div() Ma Ke (3): drm/sti: avoid potential dereference of error pointers in sti_hqvdp_atomic_check drm/sti: avoid potential dereference of error pointers in sti_gdp_atomic_check drm/sti: avoid potential dereference of error pointers Ma Wupeng (1): ipc: fix memleak if msg_init_ns failed in create_ipc_ns Maciej Fijalkowski (2): bpf: fix OOB devmap writes when deleting elements xsk: fix OOB map writes when deleting elements Macpaul Lin (2): arm64: dts: mt8195: Fix dtbs_check error for infracfg_ao node ASoC: dt-bindings: mt6359: Update generic node name and dmic-mode Manikandan Muralidharan (1): drm/panel: simple: Add Microchip AC69T88A LVDS Display panel Manikanta Mylavarapu (1): soc: qcom: socinfo: fix revision check in qcom_socinfo_probe() Manivannan Sadhasivam (1): PCI: endpoint: Use a separate lock for protecting epc->pci_epf list Marc Kleine-Budde (6): can: gs_usb: remove leading space from goto labels can: gs_usb: gs_usb_probe(): align block comment can: gs_usb: uniformly use "parent" as variable name for struct gs_usb can: gs_usb: add VID/PID for Xylanta SAINT3 product family can: dev: can_set_termination(): allow sleeping GPIOs can: mcp251xfd: mcp251xfd_get_tef_len(): work around erratum DS80000789E 6. Marc Zyngier (1): KVM: arm64: vgic-v3: Sanitise guest writes to GICR_INVLPIR Marcelo Dalmas (1): ntp: Remove invalid cast in time offset math Marco Elver (3): kcsan, seqlock: Support seqcount_latch_t kcsan, seqlock: Fix incorrect assumption in read_seqbegin() kcsan: Turn report_filterlist_lock into a raw_spinlock Marco Pagani (2): fpga: bridge: add owner module and take its refcount fpga: manager: add owner module and take its refcount Marcus Folkesson (1): mfd: da9052-spi: Change read-mask to write-mask Marek Vasut (1): soc: imx8m: Probe the SoC driver as platform driver Marie Ramlow (1): ALSA: usb-audio: add mixer mapping for Corsair HS80 Mark Brown (3): clocksource/drivers:sp804: Make user selectable kselftest/arm64: Don't leak pipe fds in pac.exec_sign_all() arm64/sve: Discard stale CPU state when handling SVE traps Mark Rutland (2): arm64: ptrace: fix partial SETREGSET for NT_ARM_TAGGED_ADDR_CTRL arm64: smccc: Remove broken support for SMCCCv1.3 SVE discard hint Markus Petri (1): ASoC: amd: yc: Support dmic on another model of Lenovo Thinkpad E14 Gen 6 Martin Ottens (1): net/sched: tbf: correct backlog statistic for GSO packets Masahiro Yamada (3): arm64: fix .data.rel.ro size assertion when CONFIG_LTO_CLANG s390/syscalls: Avoid creation of arch/arch/ directory modpost: remove incorrect code in do_eisa_entry() Masami Hiramatsu (Google) (1): tracing/eprobe: Fix to release eprobe when failed to add dyn_event Mathias Nyman (1): xhci: dbc: Fix STALL transfer event handling Mathieu Desnoyers (1): tracing/ftrace: disable preemption in syscall probe Matthias Schiffer (1): drm: fsl-dcu: enable PIXCLK on LS1021A Maurice Lambert (1): netlink: typographical error in nlmsg_type constants definition Maxime Chevallier (2): net: stmmac: dwmac-socfpga: Set RX watchdog interrupt as broken rtc: ab-eoz9: don't fail temperature reads on undervoltage notification Maíra Canal (2): drm/v3d: Address race-condition in MMU flush drm/v3d: Enable Performance Counters before clearing them MengEn Sun (1): vmstat: call fold_vm_zone_numa_events() before show per zone NUMA event Mengyuan Lou (1): PCI: Add ACS quirk for Wangxun FF5xxx NICs Michael Ellerman (3): powerpc/pseries: Fix dtl_access_lock to be a rw_semaphore selftests/mount_setattr: Fix failures on 64K PAGE_SIZE kernels powerpc/prom_init: Fixup missing powermac #size-cells Michael Grzeschik (1): usb: dwc3: ep0: Don't reset resource alloc flag (including ep0) Michal Luczaj (2): llc: Improve setsockopt() handling of malformed user input rxrpc: Improve setsockopt() handling of malformed user input Michal Pecio (1): usb: xhci: Fix TD invalidation under pending Set TR Dequeue Michal Simek (2): microblaze: Export xmb_manager functions dt-bindings: serial: rs485: Fix rs485-rts-delay property Michal Suchanek (1): powerpc/sstep: make emulate_vsx_load and emulate_vsx_store static Michal Vokáč (1): leds: lp55xx: Remove redundant test for invalid channel number Michal Vrastil (1): Revert "usb: gadget: composite: fix OS descriptors w_value logic" Miguel Ojeda (1): time: Fix references to _msecs_to_jiffies() handling of values Mikhail Rudenko (1): regulator: rk808: Add apply_bit for BUCK3 on RK809 Ming Lei (2): ublk: fix ublk_ch_mmap() for 64K page size ublk: fix error code for unsupported command Ming Qian (3): media: amphion: Set video drvdata before register video device media: imx-jpeg: Set video drvdata before register video device media: imx-jpeg: Ensure power suppliers be suspended before detach them Mingwei Zheng (1): net: rfkill: gpio: Add check for clk_enable() Miquel Raynal (1): mtd: rawnand: atmel: Fix possible memory leak Miri Korenblit (1): wifi: iwlwifi: mvm: avoid NULL pointer dereference Mirsad Todorovac (1): fs/proc/kcore.c: fix coccinelle reported ERROR instances Mostafa Saleh (1): iommu/io-pgtable-arm: Fix stage-2 map/unmap for concatenated tables Muchun Song (1): block: fix ordering between checking BLK_MQ_S_STOPPED request adding Mukesh Ojha (1): leds: class: Protect brightness_show() with led_cdev->led_access mutex Murad Masimov (1): hwmon: (tps23861) Fix reporting of negative temperatures Namhyung Kim (1): perf/arm-cmn: Ensure port and device id bits are set properly Namjae Jeon (1): exfat: fix uninit-value in __exfat_get_dentry_set Nathan Chancellor (7): powerpc: Fix stack protector Kconfig test for clang powerpc: Adjust adding stack protector flags to KBUILD_CLAGS for clang powerpc/vdso: Remove unused '-s' flag from ASFLAGS powerpc/vdso: Improve linker flags powerpc/vdso: Remove an unsupported flag from vgettimeofday-32.o with clang powerpc/vdso: Include CLANG_FLAGS explicitly in ldflags-y powerpc/vdso: Drop -mstack-protector-guard flags in 32-bit files with clang Nazar Bilinskyi (1): ALSA: hda/realtek: Enable mute and micmute LED on HP ProBook 430 G8 Nick Chan (1): watchdog: apple: Actually flush writes after requesting watchdog restart Nicolas Bouchinet (1): tty: ldsic: fix tty_ldisc_autoload sysctl's proc_handler Nihar Chaithanya (1): jfs: add a check to prevent array-index-out-of-bounds in dbAdjTree Nikolay Kuratov (1): KVM: x86/mmu: Ensure that kvm_release_pfn_clean() takes exact pfn from kvm_faultin_pfn() Nobuhiro Iwamatsu (1): rtc: abx80x: Fix WDT bit position of the status register Norbert van Bolhuis (1): wifi: brcmfmac: Fix oops due to NULL pointer dereference in brcmf_sdiod_sglist_rw() Nuno Sa (3): dt-bindings: clock: axi-clkgen: include AXI clk clk: clk-axi-clkgen: make sure to enable the AXI bus clock iio: adc: ad7923: Fix buffer overflow for tx_buf and ring_xfer Ojaswin Mujoo (1): quota: flush quota_release_work upon quota writeback Oleksandr Ocheretnyi (1): iTCO_wdt: mask NMI_NOW bit for update_no_reboot_bit() call Oleksandr Tymoshenko (1): ovl: properly handle large files in ovl_security_fileattr Oleksij Rempel (3): net: usb: lan78xx: Fix double free issue with interrupt buffer allocation net: usb: lan78xx: Fix memory leak on device unplug by freeing PHY device net: usb: lan78xx: Fix refcounting and autosuspend on invalid WoL configuration Oliver Neukum (2): usb: yurex: make waiting on yurex_write interruptible USB: chaoskey: fail open after removal Oliver Upton (1): KVM: arm64: Don't retire aborted MMIO instruction Orange Kao (1): EDAC/igen6: Avoid segmentation fault on module unload Pablo Neira Ayuso (3): netfilter: nf_tables: skip transaction if update object is not implemented netfilter: nft_socket: remove WARN_ON_ONCE on maximum cgroup level netfilter: nft_set_hash: skip duplicated elements pending gc run Pali Rohár (1): cifs: Fix buffer overflow when parsing NFS reparse points Paolo Abeni (4): ipv6: release nexthop on device removal selftests: net: really check for bg process completion ip6mr: fix tables suspicious RCU usage ipmr: fix tables suspicious RCU usage Parker Newman (1): misc: eeprom: eeprom_93cx6: Add quirk for extra read clock cycle Patrick Donnelly (1): ceph: extract entity name from device id Paul Aurich (1): smb: cached directories can be more than root file handle Pavan Chebbi (1): tg3: Set coherent DMA mask bits to 31 for BCM57766 chipsets Pavel Begunkov (1): io_uring: wake up optimisations Pei Xiao (3): hwmon: (nct6775-core) Fix overflows seen when writing limit attributes drm/sti: Add __iomem for mixer_dbg_mxn's parameter spi: mpc52xx: Add cancel_work_sync before module remove Peilin Ye (2): bpf: Fix dev's rx stats for bpf_redirect_peer traffic veth: Use tstats per-CPU traffic counters Peng Fan (3): clk: imx: lpcg-scu: SW workaround for errata (e10858) clk: imx: fracn-gppll: correct PLL initialization flow clk: imx: fracn-gppll: fix pll power up Peter Griffin (1): scsi: ufs: exynos: Fix hibern8 notify callbacks Peter Wang (1): scsi: ufs: core: Add missing post notify for power mode change Peter Zijlstra (1): seqlock/latch: Provide raw_read_seqcount_latch_retry() Phil Sutter (1): netfilter: ipset: Hold module reference while requesting a module Philipp Stanner (1): drm/sched: memset() 'job' in drm_sched_job_init() Pin-yen Lin (1): drm/bridge: anx7625: Drop EDID cache on bridge power off Piyush Raj Chouhan (1): ALSA: hda/realtek: Add subwoofer quirk for Infinix ZERO BOOK 13 Pratyush Brahma (1): iommu/arm-smmu: Defer probe of clients after smmu device bound Prike Liang (2): drm/amdgpu: Dereference the ATCS ACPI buffer drm/amdgpu: set the right AMDGPU sg segment limitation Priyanka Singh (1): EDAC/fsl_ddr: Fix bad bit shift operations Qi Han (2): f2fs: compress: fix inconsistent update of i_blocks in release_compress_blocks and reserve_compress_blocks f2fs: fix f2fs_bug_on when uninstalling filesystem call f2fs_evict_inode. Qingfang Deng (1): jffs2: fix use of uninitialized variable Qiu-ji Chen (3): xen: Fix the issue of resource not being properly released in xenbus_dev_probe() ASoC: codecs: Fix atomicity violation in snd_soc_component_get_drvdata() media: wl128x: Fix atomicity violation in fmc_send_cmd() Qu Wenruo (1): btrfs: avoid unnecessary device path update for the same device Quentin Monnet (1): bpftool: Remove asserts from JIT disassembler Quinn Tran (3): scsi: qla2xxx: Fix abort in bsg timeout scsi: qla2xxx: Fix NVMe and NPIV connect issue scsi: qla2xxx: Fix use after free on unload Rafael J. Wysocki (1): thermal: core: Initialize thermal zones before registering them Raghavendra Rao Ananta (1): KVM: arm64: Ignore PMCNTENSET_EL0 while checking for overflow status Randy Dunlap (3): fs_parser: update mount_api doc to match function signature scatterlist: fix incorrect func name in kernel-doc drm/msm: DEVFREQ_GOV_SIMPLE_ONDEMAND is no longer needed Reinette Chatre (1): selftests/resctrl: Protect against array overrun during iMC config parsing Ricardo Ribalda (1): media: uvcvideo: Stop stream during unregister Richard Weinberger (1): jffs2: Fix rtime decompressor Ritesh Harjani (IBM) (3): powerpc/fadump: Refactor and prepare fadump_cma_init for late init powerpc/fadump: Move fadump_cma_init to setup_arch() after initmem_init() powerpc/mm/fault: Fix kfence page fault reporting Rob Clark (3): drm/msm/gpu: Add devfreq tuning debugfs drm/msm/gpu: Bypass PM QoS constraint for idle clamp PM / devfreq: Fix build issues with devfreq disabled Rohan Barar (1): media: cx231xx: Add support for Dexatek USB Video Grabber 1d19:6108 Roman Gushchin (1): mm: page_alloc: move mlocked flag clearance into free_pages_prepare() Rosen Penev (3): net: mdio-ipq4019: add missing error check wifi: ath5k: add PCI ID for SX76X wifi: ath5k: add PCI ID for Arcadyan devices Ryusuke Konishi (1): nilfs2: fix potential out-of-bounds memory access in nilfs_find_entry() Sahas Leelodharry (1): ALSA: hda/realtek: Add support for Samsung Galaxy Book3 360 (NP730QFG) Sai Kumar Cholleti (1): gpio: exar: set value when external pull-up or pull-down is present Saravana Kannan (3): driver core: fw_devlink: Improve logs for cycle detection driver core: Add FWLINK_FLAG_IGNORE to completely ignore a fwnode link driver core: fw_devlink: Stop trying to optimize cycle detection logic Saravanan Vajravel (1): bnxt_en: Reserve rings after PCIe AER recovery if NIC interface is down Sathvika Vasireddy (1): powerpc/vdso: Skip objtool from running on VDSO files Saurav Kashyap (1): scsi: qla2xxx: Remove check req_sg_cnt should be equal to rsp_sg_cnt Sean Christopherson (1): KVM: x86/mmu: Skip the "try unsync" path iff the old SPTE was a leaf SPTE Sergey Senozhatsky (1): media: venus: provide ctx queue lock for ioctl synchronization Shengjiu Wang (1): ASoC: fsl_micfil: fix regmap_write_bits usage Shengyu Qu (1): net: sfp: change quirks for Alcatel Lucent G-010S-P Shu Han (1): mm: call the security_mmap_file() LSM hook in remap_file_pages() Si-Wei Liu (1): vdpa/mlx5: Fix suboptimal range on iotlb iteration Sibi Sankar (1): remoteproc: qcom_q6v5_mss: Re-order writes to the IMEM region Sidraya Jayagond (1): s390/iucv: MSG_PEEK causes memory leak in iucv_sock_destruct() Simon Horman (2): net: fec_mpc52xx_phy: Use %pa to format resource_size_t net: ethernet: fs_enet: Use %pa to format resource_size_t Srinivas Pandruvada (1): thermal: int3400: Fix reading of current_uuid for active policy Srinivasan Shanmugam (4): drm/amd/display: Add NULL check for function pointer in dcn32_set_output_transfer_func drm/amd/display: Add NULL check for clk_mgr and clk_mgr->funcs in dcn30_init_hw drm/amd/display: Add NULL check for clk_mgr in dcn32_init_hw drm/amd/display: Add NULL check for function pointer in dcn20_set_output_transfer_func Stanislav Fomichev (1): selftests/bpf: Add csum helpers Stanislaw Gruszka (1): spi: Fix acpi deferred irq probe Steve French (1): smb3: request handle caching when caching directories Steven Price (1): drm/panfrost: Remove unused id_mask from struct panfrost_model Takashi Iwai (9): ALSA: usx2y: Use snd_card_free_when_closed() at disconnection ALSA: us122l: Use snd_card_free_when_closed() at disconnection ALSA: caiaq: Use snd_card_free_when_closed() at disconnection ALSA: 6fire: Release resources at card release ALSA: usb-audio: Fix out of bounds reads when finding clock sources ALSA: pcm: Add sanity NULL check for the default mmap fault handler ALSA: hda/realtek: Apply quirk for Medion E15433 ALSA: usb-audio: Notify xrun for low-latency mode ALSA: usb-audio: Make mic volume workarounds globally applicable Tetsuo Handa (1): ocfs2: free inode when ocfs2_get_init_inode() fails Thadeu Lima de Souza Cascardo (2): hfsplus: don't query the device logical block size multiple times media: uvcvideo: Require entities to have a non-zero unique ID Theodore Ts'o (1): ext4: fix FS_IOC_GETFSMAP handling Thinh Nguyen (5): usb: dwc3: gadget: Fix checking for number of TRBs left usb: dwc3: gadget: Fix looping of queued SG entries usb: dwc3: gadget: Rewrite endpoint allocation flow usb: dwc3: ep0: Don't clear ep0 DWC3_EP_TRANSFER_STARTED usb: dwc3: ep0: Don't reset resource alloc flag Thomas Gleixner (2): serial: amba-pl011: Use port lock wrappers modpost: Add .irqentry.text to OTHER_SECTIONS Thomas Richter (1): s390/cpum_sf: Handle CPU hotplug remove during sampling Thomas Weißschuh (1): fbdev: efifb: Register sysfs groups through driver core Thomas Zimmermann (1): fbdev/sh7760fb: Alloc DMA memory from hardware device Tiezhu Yang (2): LoongArch: Fix build failure with GCC 15 (-std=gnu23) LoongArch: BPF: Sign-extend return values Tiwei Bie (6): um: ubd: Do not use drvdata in release um: net: Do not use drvdata in release um: vector: Do not use drvdata in release um: Fix potential integer overflow during physmem setup um: Fix the return value of elf_core_copy_task_fpregs um: Always dump trace for specified task in show_stack Todd Kjos (1): PCI: Fix reset_method_store() memory leak Tomi Valkeinen (3): drm/omap: Fix possible NULL dereference drm/omap: Fix locking in omap_gem_new_dmabuf() drm/bridge: tc358767: Fix link properties discovery Tony Ambardar (1): libbpf: Fix output .symtab byte-order during linking Trond Myklebust (1): NFSv4.0: Fix a use-after-free problem in the asynchronous open() Tvrtko Ursulin (2): dma-fence: Fix reference leak on fence merge failure path dma-fence: Use kernel's sort for merging fences Ulf Hansson (1): mmc: core: Further prevent card detect during shutdown Umio Yasuno (1): drm/amd/pm: update current_socclk and current_uclk in gpu_metrics on smu v13.0.7 Uros Bizjak (1): tracing: Use atomic64_inc_return() in trace_clock_counter() Uwe Kleine-König (3): mtd: hyperbus: rpc-if: Convert to platform remove callback returning void i3c: Make i3c_master_unregister() return void ASoC: amd: yc: Add quirk for microphone on Lenovo Thinkpad T14s Gen 6 21M1CTO1WW Vadim Fedorenko (1): net-timestamp: make sk_tskey more predictable in error path Vasiliy Kovalev (1): ovl: Filter invalid inodes with missing lookup function Vasily Gorbik (1): s390/entry: Mark IRQ entries to fix stack depot warnings Venkata Prasad Potturu (1): ASoC: amd: yc: Fix for enabling DMIC on acp6x via _DSD entry Victor Lu (1): drm/amdgpu: clear RB_OVERFLOW bit when enabling interrupts for vega20_ih Victor Zhao (1): drm/amdgpu: skip amdgpu_device_cache_pci_state under sriov Vineeth Vijayan (1): s390/cio: Do not unregister the subchannel based on DNV Vishnu Sankar (1): platform/x86: thinkpad_acpi: Fix for ThinkPad's with ECFW showing incorrect fan speed Vitalii Mordan (2): marvell: pxa168_eth: fix call balance of pep->clk handling routines usb: ehci-spear: fix call balance of sehci clk handling routines WANG Xuerui (1): LoongArch: Tweak CFLAGS for Clang compatibility Wang Liang (1): net: fix crash when config small gso_max_size/gso_ipv4_max_size WangYuli (1): HID: wacom: fix when get product name maybe null pointer Waqar Hameed (1): ubifs: authentication: Fix use-after-free in ubifs_tnc_end_commit Wei Yang (1): maple_tree: refine mas_store_root() on storing NULL Weili Qian (1): crypto: hisilicon/qm - disable same error report before resetting Wen Gu (1): net/smc: fix LGR and link use-after-free issue Wengang Wang (1): ocfs2: update seq_file index in ocfs2_dlm_seq_next Will Deacon (1): arm64: tls: Fix context-switching of tpidrro_el0 when kpti is enabled Wolfram Sang (1): rtc: rzn1: fix BCD to rtc_time conversion errors Xi Ruoyao (1): MIPS: Loongson64: DTS: Really fix PCIe port nodes for ls7a Xiaolei Wang (1): drm/etnaviv: Request pages from DMA32 zone on addressing_limited Xin Long (1): net: sched: fix erspan_opt settings in cls_flower Xu Kuohai (1): bpf, arm64: Remove garbage frame for struct_ops trampoline Xu Yang (1): usb: chipidea: udc: handle USB Error Interrupt if IOC not set Yang Erkun (4): brd: defer automatic disk creation until module initialization succeeds SUNRPC: make sure cache entry active before cache_show nfsd: make sure exp active before svc_export_show nfsd: fix nfs4_openowner leak when concurrent nfsd4_open occur Yao Zi (1): platform/x86: panasonic-laptop: Return errno correctly in show callback Yassine Oudjana (1): watchdog: mediatek: Make sure system reset gets asserted in mtk_wdt_restart() Ye Bin (2): scsi: bfa: Fix use-after-free in bfad_im_module_exit() svcrdma: fix miss destroy percpu_counter in svc_rdma_proc_init() Yi Yang (2): crypto: pcrypt - Call crypto layer directly when padata_do_parallel() return -EBUSY nvdimm: rectify the illogical code within nd_dax_probe() Yihang Li (1): scsi: hisi_sas: Add cond_resched() for no forced preemption model Yishai Hadas (1): vfio/mlx5: Align the page tracking max message size with the device capability Yongliang Gao (1): rtc: check if __rtc_read_time was successful in rtc_timer_do_work() Yongpeng Yang (1): f2fs: check curseg->inited before write_sum_page in change_curseg Yuan Can (6): firmware: google: Unregister driver_info on failure wifi: wfx: Fix error handling in wfx_core_init() drm/amdkfd: Fix wrong usage of INIT_WORK() cpufreq: loongson2: Unregister platform_driver on failure dm thin: Add missing destroy_work_on_stack() igb: Fix potential invalid memory access in igb_init_module() Yuan Chen (1): bpf: Fix the xdp_adjust_tail sample prog issue Yuli Wang (1): LoongArch: Define a default value for VM_DATA_DEFAULT_FLAGS Zack Rusin (2): drm/ttm: Make sure the mapped tt pages are decrypted when needed drm/ttm: Print the memory decryption status just once Zeng Heng (1): scsi: fusion: Remove unused variable 'rc' Zhang Changzhong (1): mfd: rt5033: Fix missing regmap_del_irq_chip() Zhang Zekun (3): pmdomain: ti-sci: Add missing of_node_put() for args.np powerpc/kexec: Fix return of uninitialized variable Revert "drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read()" Zhen Lei (3): scsi: qedf: Fix a possible memory leak in qedf_alloc_and_init_sb() scsi: qedi: Fix a possible memory leak in qedi_alloc_and_init_sb() fbdev: sh7760fb: Fix a possible memory leak in sh7760fb_alloc_mem() Zheng Yejian (1): mm/damon/vaddr: fix issue in damon_va_evenly_split_region() Zhenzhong Duan (2): iommu/vt-d: Fix checks and print in dmar_fault_dump_ptes() iommu/vt-d: Fix checks and print in pgtable_walk() Zhiguo Niu (1): f2fs: fix to avoid use GC_AT when setting gc_mode as GC_URGENT_LOW or GC_URGENT_MID Zhihao Cheng (4): ubi: wl: Put source PEB into correct list if trying locking LEB failed ubi: fastmap: wl: Schedule fm_work if wear-leveling pool is empty ubifs: Correct the total block count by deducting journal reservation ubi: fastmap: Fix duplicate slab cache names while attaching Zhu Jun (1): samples/bpf: Fix a resource leak Zichen Xie (1): drm/msm/dpu: cast crtc_clk calculation to u64 in _dpu_core_perf_calc_clk() Zicheng Qu (2): ad7780: fix division by zero in ad7780_write_raw() iio: Fix fwnode_handle in __fwnode_iio_channel_get_by_name() Zijian Zhang (10): selftests/bpf: Fix msg_verify_data in test_sockmap selftests/bpf: Fix txmsg_redir of test_txmsg_pull in test_sockmap selftests/bpf: Add txmsg_pass to pull/push/pop in test_sockmap selftests/bpf: Fix SENDPAGE data logic in test_sockmap selftests/bpf: Fix total_bytes in msg_loop_rx in test_sockmap selftests/bpf: Add push/pop checking for msg_verify_data in test_sockmap bpf, sockmap: Several fixes to bpf_msg_push_data bpf, sockmap: Several fixes to bpf_msg_pop_data bpf, sockmap: Fix sk_msg_reset_curr tcp_bpf: Fix the sk_mem_uncharge logic in tcp_bpf_sendmsg Zijun Hu (2): driver core: bus: Fix double free in driver API bus_register() PCI: endpoint: Clear secondary (not primary) EPC in pci_epc_remove_epf() Ziwei Xiao (1): gve: Fixes for napi_poll when budget is 0 Zizhi Wo (2): cachefiles: Fix missing pos updates in cachefiles_ondemand_fd_write_iter() netfs/fscache: Add a memory barrier for FSCACHE_VOLUME_CREATING Zqiang (1): rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb() chao liu (1): apparmor: fix 'Do simple duplicate message elimination' guoweikang (1): ftrace: Fix regression with module command in stack_trace_filter lei lu (2): ntfs3: Add bounds checking to mi_enum_attr() xfs: add bounds checking to xlog_recover_process_data weiyufeng (1): PCI: cpqphp: Use PCI_POSSIBLE_ERROR() to check config reads wenglianfa (2): RDMA/hns: Fix an AEQE overflow error caused by untimely update of eq_db_ci RDMA/hns: Fix cpu stuck caused by printings during reset zhang jiao (2): tools/lib/thermal: Remove the thermal.h soft link when doing make clean pinctrl: k210: Undef K210_PC_DEFAULT

10 months, 1 week

4
8
0 0

[PATCH] ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[]

by Gustavo Azor

Estimated people: I can confirm what the next patch works: diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c index 821867de43be..ab4c0e0b6b8e 100644 --- a/drivers/acpi/resource.c +++ b/drivers/acpi/resource.c @@ -440,6 +440,13 @@ static const struct dmi_system_id irq1_level_low_skip_override[] = { DMI_MATCH(DMI_BOARD_NAME, "S5602ZA"), }, }, + { + /* Asus Vivobook X1504VAP */ + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), + DMI_MATCH(DMI_BOARD_NAME, "X1504VAP"), + }, + }, { /* Asus Vivobook X1704VAP */ .matches = { -- 2.47.1 I did all the steps in the tutorial https://docs.fedoraproject.org/en-US/quick-docs/kernel-testing-patches/ and the keyboard Asus Vivobook X1504VAP is working fine!! Please include the patch in future kernels. Thank you very much.

10 months, 1 week

1
0
0 0

[PATCH 1/2] arm64: dts: qcom: sa8775p: Fix the size of 'addr_space' regions

by Manivannan Sadhasivam

For both the controller instances, size of the 'addr_space' region should be 0x1fe00000 as per the hardware memory layout. Otherwise, endpoint drivers cannot request even reasonable BAR size of 1MB. Cc: stable(a)vger.kernel.org # 6.11 Fixes: c5f5de8434ec ("arm64: dts: qcom: sa8775p: Add ep pcie1 controller node") Fixes: 1924f5518224 ("arm64: dts: qcom: sa8775p: Add ep pcie0 controller node") Reviewed-by: Konrad Dybcio <konrad.dybcio(a)oss.qualcomm.com> Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org> --- arch/arm64/boot/dts/qcom/sa8775p.dtsi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/arm64/boot/dts/qcom/sa8775p.dtsi b/arch/arm64/boot/dts/qcom/sa8775p.dtsi index 9f315a51a7c1..368bcf7c9802 100644 --- a/arch/arm64/boot/dts/qcom/sa8775p.dtsi +++ b/arch/arm64/boot/dts/qcom/sa8775p.dtsi @@ -6092,7 +6092,7 @@ pcie0_ep: pcie-ep@1c00000 { <0x0 0x40000000 0x0 0xf20>, <0x0 0x40000f20 0x0 0xa8>, <0x0 0x40001000 0x0 0x4000>, - <0x0 0x40200000 0x0 0x100000>, + <0x0 0x40200000 0x0 0x1fe00000>, <0x0 0x01c03000 0x0 0x1000>, <0x0 0x40005000 0x0 0x2000>; reg-names = "parf", "dbi", "elbi", "atu", "addr_space", @@ -6250,7 +6250,7 @@ pcie1_ep: pcie-ep@1c10000 { <0x0 0x60000000 0x0 0xf20>, <0x0 0x60000f20 0x0 0xa8>, <0x0 0x60001000 0x0 0x4000>, - <0x0 0x60200000 0x0 0x100000>, + <0x0 0x60200000 0x0 0x1fe00000>, <0x0 0x01c13000 0x0 0x1000>, <0x0 0x60005000 0x0 0x2000>; reg-names = "parf", "dbi", "elbi", "atu", "addr_space", -- 2.25.1

10 months, 1 week

1
0
0 0

[PATCH 5.10.y] f2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC

by Vasiliy Kovalev

From: Chao Yu <chao(a)kernel.org> [ Upstream commit fc01008c92f40015aeeced94750855a7111b6929 ] syzbot reports a f2fs bug as below: ------------[ cut here ]------------ kernel BUG at fs/f2fs/inline.c:258! CPU: 1 PID: 34 Comm: kworker/u8:2 Not tainted 6.9.0-rc6-syzkaller-00012-g9e4bc4bcae01 #0 RIP: 0010:f2fs_write_inline_data+0x781/0x790 fs/f2fs/inline.c:258 Call Trace: f2fs_write_single_data_page+0xb65/0x1d60 fs/f2fs/data.c:2834 f2fs_write_cache_pages fs/f2fs/data.c:3133 [inline] __f2fs_write_data_pages fs/f2fs/data.c:3288 [inline] f2fs_write_data_pages+0x1efe/0x3a90 fs/f2fs/data.c:3315 do_writepages+0x35b/0x870 mm/page-writeback.c:2612 __writeback_single_inode+0x165/0x10b0 fs/fs-writeback.c:1650 writeback_sb_inodes+0x905/0x1260 fs/fs-writeback.c:1941 wb_writeback+0x457/0xce0 fs/fs-writeback.c:2117 wb_do_writeback fs/fs-writeback.c:2264 [inline] wb_workfn+0x410/0x1090 fs/fs-writeback.c:2304 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0xa12/0x17c0 kernel/workqueue.c:3335 worker_thread+0x86d/0xd70 kernel/workqueue.c:3416 kthread+0x2f2/0x390 kernel/kthread.c:388 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The root cause is: inline_data inode can be fuzzed, so that there may be valid blkaddr in its direct node, once f2fs triggers background GC to migrate the block, it will hit f2fs_bug_on() during dirty page writeback. Let's add sanity check on F2FS_INLINE_DATA flag in inode during GC, so that, it can forbid migrating inline_data inode's data block for fixing. Reported-by: syzbot+848062ba19c8782ca5c8(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-f2fs-devel/000000000000d103ce06174d7ec3@googl… Signed-off-by: Chao Yu <chao(a)kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> [kovalev: Replaced f2fs_err_ratelimited() with printk_ratelimited() to use a supported function] Signed-off-by: Vasiliy Kovalev <kovalev(a)altlinux.org> --- Backport to fix CVE-2024-44942 Link: https://www.cve.org/CVERecord/?id=CVE-2024-44942 --- fs/f2fs/gc.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c index 19d781a3d305a6..64ff51c2f3d642 100644 --- a/fs/f2fs/gc.c +++ b/fs/f2fs/gc.c @@ -1457,6 +1457,17 @@ static int gc_data_segment(struct f2fs_sb_info *sbi, struct f2fs_summary *sum, continue; } + if (f2fs_has_inline_data(inode)) { + iput(inode); + set_sbi_flag(sbi, SBI_NEED_FSCK); + printk_ratelimited("%sF2FS-fs (%s): " + "inode %lx has both inline_data flag and " + "data block, nid=%u, ofs_in_node=%u", + KERN_INFO, sbi->sb->s_id, + inode->i_ino, dni.nid, ofs_in_node); + continue; + } + if (!down_write_trylock( &F2FS_I(inode)->i_gc_rwsem[WRITE])) { iput(inode); -- 2.33.8

10 months, 1 week

1
0
0 0

[PATCH 5.15.y] f2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC

by Vasiliy Kovalev

From: Chao Yu <chao(a)kernel.org> [ Upstream commit fc01008c92f40015aeeced94750855a7111b6929 ] syzbot reports a f2fs bug as below: ------------[ cut here ]------------ kernel BUG at fs/f2fs/inline.c:258! CPU: 1 PID: 34 Comm: kworker/u8:2 Not tainted 6.9.0-rc6-syzkaller-00012-g9e4bc4bcae01 #0 RIP: 0010:f2fs_write_inline_data+0x781/0x790 fs/f2fs/inline.c:258 Call Trace: f2fs_write_single_data_page+0xb65/0x1d60 fs/f2fs/data.c:2834 f2fs_write_cache_pages fs/f2fs/data.c:3133 [inline] __f2fs_write_data_pages fs/f2fs/data.c:3288 [inline] f2fs_write_data_pages+0x1efe/0x3a90 fs/f2fs/data.c:3315 do_writepages+0x35b/0x870 mm/page-writeback.c:2612 __writeback_single_inode+0x165/0x10b0 fs/fs-writeback.c:1650 writeback_sb_inodes+0x905/0x1260 fs/fs-writeback.c:1941 wb_writeback+0x457/0xce0 fs/fs-writeback.c:2117 wb_do_writeback fs/fs-writeback.c:2264 [inline] wb_workfn+0x410/0x1090 fs/fs-writeback.c:2304 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0xa12/0x17c0 kernel/workqueue.c:3335 worker_thread+0x86d/0xd70 kernel/workqueue.c:3416 kthread+0x2f2/0x390 kernel/kthread.c:388 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The root cause is: inline_data inode can be fuzzed, so that there may be valid blkaddr in its direct node, once f2fs triggers background GC to migrate the block, it will hit f2fs_bug_on() during dirty page writeback. Let's add sanity check on F2FS_INLINE_DATA flag in inode during GC, so that, it can forbid migrating inline_data inode's data block for fixing. Reported-by: syzbot+848062ba19c8782ca5c8(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-f2fs-devel/000000000000d103ce06174d7ec3@googl… Signed-off-by: Chao Yu <chao(a)kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> [kovalev: Replaced f2fs_err_ratelimited() with printk_ratelimited() to use a supported function] Signed-off-by: Vasiliy Kovalev <kovalev(a)altlinux.org> --- Backport to fix CVE-2024-44942 Link: https://www.cve.org/CVERecord/?id=CVE-2024-44942 --- fs/f2fs/gc.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c index 9a57754e6e0c1d..ef09b7fc065fab 100644 --- a/fs/f2fs/gc.c +++ b/fs/f2fs/gc.c @@ -1479,6 +1479,17 @@ static int gc_data_segment(struct f2fs_sb_info *sbi, struct f2fs_summary *sum, special_file(inode->i_mode)) continue; + if (f2fs_has_inline_data(inode)) { + iput(inode); + set_sbi_flag(sbi, SBI_NEED_FSCK); + printk_ratelimited("%sF2FS-fs (%s): " + "inode %lx has both inline_data flag and " + "data block, nid=%u, ofs_in_node=%u", + KERN_INFO, sbi->sb->s_id, + inode->i_ino, dni.nid, ofs_in_node); + continue; + } + if (!down_write_trylock( &F2FS_I(inode)->i_gc_rwsem[WRITE])) { iput(inode); -- 2.33.8

10 months, 1 week

1
0
0 0

[PATCH 6.1.y] f2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC

by Vasiliy Kovalev

From: Chao Yu <chao(a)kernel.org> [ Upstream commit fc01008c92f40015aeeced94750855a7111b6929 ] syzbot reports a f2fs bug as below: ------------[ cut here ]------------ kernel BUG at fs/f2fs/inline.c:258! CPU: 1 PID: 34 Comm: kworker/u8:2 Not tainted 6.9.0-rc6-syzkaller-00012-g9e4bc4bcae01 #0 RIP: 0010:f2fs_write_inline_data+0x781/0x790 fs/f2fs/inline.c:258 Call Trace: f2fs_write_single_data_page+0xb65/0x1d60 fs/f2fs/data.c:2834 f2fs_write_cache_pages fs/f2fs/data.c:3133 [inline] __f2fs_write_data_pages fs/f2fs/data.c:3288 [inline] f2fs_write_data_pages+0x1efe/0x3a90 fs/f2fs/data.c:3315 do_writepages+0x35b/0x870 mm/page-writeback.c:2612 __writeback_single_inode+0x165/0x10b0 fs/fs-writeback.c:1650 writeback_sb_inodes+0x905/0x1260 fs/fs-writeback.c:1941 wb_writeback+0x457/0xce0 fs/fs-writeback.c:2117 wb_do_writeback fs/fs-writeback.c:2264 [inline] wb_workfn+0x410/0x1090 fs/fs-writeback.c:2304 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0xa12/0x17c0 kernel/workqueue.c:3335 worker_thread+0x86d/0xd70 kernel/workqueue.c:3416 kthread+0x2f2/0x390 kernel/kthread.c:388 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The root cause is: inline_data inode can be fuzzed, so that there may be valid blkaddr in its direct node, once f2fs triggers background GC to migrate the block, it will hit f2fs_bug_on() during dirty page writeback. Let's add sanity check on F2FS_INLINE_DATA flag in inode during GC, so that, it can forbid migrating inline_data inode's data block for fixing. Reported-by: syzbot+848062ba19c8782ca5c8(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-f2fs-devel/000000000000d103ce06174d7ec3@googl… Signed-off-by: Chao Yu <chao(a)kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> [kovalev: Replaced f2fs_err_ratelimited() with printk_ratelimited() to use a supported function] Signed-off-by: Vasiliy Kovalev <kovalev(a)altlinux.org> --- Backport to fix CVE-2024-44942 Link: https://www.cve.org/CVERecord/?id=CVE-2024-44942 --- fs/f2fs/gc.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c index 687b2ce82c8542..8e6e91fedbf32a 100644 --- a/fs/f2fs/gc.c +++ b/fs/f2fs/gc.c @@ -1577,6 +1577,17 @@ static int gc_data_segment(struct f2fs_sb_info *sbi, struct f2fs_summary *sum, continue; } + if (f2fs_has_inline_data(inode)) { + iput(inode); + set_sbi_flag(sbi, SBI_NEED_FSCK); + printk_ratelimited("%sF2FS-fs (%s): " + "inode %lx has both inline_data flag and " + "data block, nid=%u, ofs_in_node=%u", + KERN_INFO, sbi->sb->s_id, + inode->i_ino, dni.nid, ofs_in_node); + continue; + } + err = f2fs_gc_pinned_control(inode, gc_type, segno); if (err == -EAGAIN) { iput(inode); -- 2.33.8

10 months, 1 week

1
0
0 0

Re:Patch "phy: rockchip: naneng-combphy: fix phy reset" has been added to the 6.12-stable tree

by Chukun Pan

Hi, > This is a note to let you know that I've just added the patch titled > > phy: rockchip: naneng-combphy: fix phy reset > > to the 6.12-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > phy-rockchip-naneng-combphy-fix-phy-reset.patch > and it can be found in the queue-6.12 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. Please backport this commit together: arm64: dts: rockchip: add reset-names for combphy on rk3568 https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/… If apply fails, please change arch/arm64/boot/dts/rockchip/rk356x-base.dtsi to arch/arm64/boot/dts/rockchip/rk356x.dtsi. Thanks, Chukun -- 2.25.1

10 months, 1 week

2
4
0 0

[merged mm-hotfixes-stable] scripts-sorttable-fix-orc_sort_cmp-to-maintain-symmetry-and-transitivity.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: scripts/sorttable: fix orc_sort_cmp() to maintain symmetry and transitivity has been removed from the -mm tree. Its filename was scripts-sorttable-fix-orc_sort_cmp-to-maintain-symmetry-and-transitivity.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Kuan-Wei Chiu <visitorckw(a)gmail.com> Subject: scripts/sorttable: fix orc_sort_cmp() to maintain symmetry and transitivity Date: Thu, 26 Dec 2024 22:03:32 +0800 The orc_sort_cmp() function, used with qsort(), previously violated the symmetry and transitivity rules required by the C standard. Specifically, when both entries are ORC_TYPE_UNDEFINED, it could result in both a < b and b < a, which breaks the required symmetry and transitivity. This can lead to undefined behavior and incorrect sorting results, potentially causing memory corruption in glibc implementations [1]. Symmetry: If x < y, then y > x. Transitivity: If x < y and y < z, then x < z. Fix the comparison logic to return 0 when both entries are ORC_TYPE_UNDEFINED, ensuring compliance with qsort() requirements. Link: https://www.qualys.com/2024/01/30/qsort.txt [1] Link: https://lkml.kernel.org/r/20241226140332.2670689-1-visitorckw@gmail.com Fixes: 57fa18994285 ("scripts/sorttable: Implement build-time ORC unwind table sorting") Fixes: fb799447ae29 ("x86,objtool: Split UNWIND_HINT_EMPTY in two") Signed-off-by: Kuan-Wei Chiu <visitorckw(a)gmail.com> Cc: Ching-Chun (Jim) Huang <jserv(a)ccns.ncku.edu.tw> Cc: <chuang(a)cs.nycu.edu.tw> Cc: Ingo Molnar <mingo(a)kernel.org> Cc: Josh Poimboeuf <jpoimboe(a)kernel.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Shile Zhang <shile.zhang(a)linux.alibaba.com> Cc: Steven Rostedt <rostedt(a)goodmis.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- scripts/sorttable.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) --- a/scripts/sorttable.h~scripts-sorttable-fix-orc_sort_cmp-to-maintain-symmetry-and-transitivity +++ a/scripts/sorttable.h @@ -110,7 +110,7 @@ static inline unsigned long orc_ip(const static int orc_sort_cmp(const void *_a, const void *_b) { - struct orc_entry *orc_a; + struct orc_entry *orc_a, *orc_b; const int *a = g_orc_ip_table + *(int *)_a; const int *b = g_orc_ip_table + *(int *)_b; unsigned long a_val = orc_ip(a); @@ -128,6 +128,9 @@ static int orc_sort_cmp(const void *_a, * whitelisted .o files which didn't get objtool generation. */ orc_a = g_orc_table + (a - g_orc_ip_table); + orc_b = g_orc_table + (b - g_orc_ip_table); + if (orc_a->type == ORC_TYPE_UNDEFINED && orc_b->type == ORC_TYPE_UNDEFINED) + return 0; return orc_a->type == ORC_TYPE_UNDEFINED ? -1 : 1; } _ Patches currently in -mm which might be from visitorckw(a)gmail.com are lib-min_heap-improve-type-safety-in-min_heap-macros-by-using-container_of.patch lib-test_min_heap-use-inline-min-heap-variants-to-reduce-attack-vector.patch lib-min_heap-add-brief-introduction-to-min-heap-api.patch documentation-core-api-min_heap-add-author-information.patch lib-sort-clarify-comparison-function-requirements-in-sort_r.patch lib-list_sort-clarify-comparison-function-requirements-in-sort_r.patch

10 months, 1 week

1
0
0 0

[merged mm-hotfixes-stable] mm-damon-core-fix-ignored-quota-goals-and-filters-of-newly-committed-schemes.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/core: fix ignored quota goals and filters of newly committed schemes has been removed from the -mm tree. Its filename was mm-damon-core-fix-ignored-quota-goals-and-filters-of-newly-committed-schemes.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/core: fix ignored quota goals and filters of newly committed schemes Date: Sun, 22 Dec 2024 15:12:22 -0800 damon_commit_schemes() ignores quota goals and filters of the newly committed schemes. This makes users confused about the behaviors. Correctly handle those inputs. Link: https://lkml.kernel.org/r/20241222231222.85060-3-sj@kernel.org Fixes: 9cb3d0b9dfce ("mm/damon/core: implement DAMON context commit function") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/core.c | 5 +++++ 1 file changed, 5 insertions(+) --- a/mm/damon/core.c~mm-damon-core-fix-ignored-quota-goals-and-filters-of-newly-committed-schemes +++ a/mm/damon/core.c @@ -868,6 +868,11 @@ static int damon_commit_schemes(struct d NUMA_NO_NODE); if (!new_scheme) return -ENOMEM; + err = damos_commit(new_scheme, src_scheme); + if (err) { + damon_destroy_scheme(new_scheme); + return err; + } damon_add_scheme(dst, new_scheme); } return 0; _ Patches currently in -mm which might be from sj(a)kernel.org are samples-add-a-skeleton-of-a-sample-damon-module-for-working-set-size-estimation.patch samples-damon-wsse-start-and-stop-damon-as-the-user-requests.patch samples-damon-wsse-implement-working-set-size-estimation-and-logging.patch samples-damon-introduce-a-skeleton-of-a-smaple-damon-module-for-proactive-reclamation.patch samples-damon-prcl-implement-schemes-setup.patch replace-free-hugepage-folios-after-migration-fix-2.patch

10 months, 1 week

1
0
0 0

[merged mm-hotfixes-stable] mm-damon-core-fix-new-damon_target-objects-leaks-on-damon_commit_targets.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/core: fix new damon_target objects leaks on damon_commit_targets() has been removed from the -mm tree. Its filename was mm-damon-core-fix-new-damon_target-objects-leaks-on-damon_commit_targets.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/core: fix new damon_target objects leaks on damon_commit_targets() Date: Sun, 22 Dec 2024 15:12:21 -0800 Patch series "mm/damon/core: fix memory leaks and ignored inputs from damon_commit_ctx()". Due to two bugs in damon_commit_targets() and damon_commit_schemes(), which are called from damon_commit_ctx(), some user inputs can be ignored, and some mmeory objects can be leaked. Fix those. Note that only DAMON sysfs interface users are affected. Other DAMON core API user modules that more focused more on simple and dedicated production usages, including DAMON_RECLAIM and DAMON_LRU_SORT are not using the buggy function in the way, so not affected. This patch (of 2): When new DAMON targets are added via damon_commit_targets(), the newly created targets are not deallocated when updating the internal data (damon_commit_target()) is failed. Worse yet, even if the setup is successfully done, the new target is not linked to the context. Hence, the new targets are always leaked regardless of the internal data setup failure. Fix the leaks. Link: https://lkml.kernel.org/r/20241222231222.85060-2-sj@kernel.org Fixes: 9cb3d0b9dfce ("mm/damon/core: implement DAMON context commit function") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/core.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) --- a/mm/damon/core.c~mm-damon-core-fix-new-damon_target-objects-leaks-on-damon_commit_targets +++ a/mm/damon/core.c @@ -961,8 +961,11 @@ static int damon_commit_targets( return -ENOMEM; err = damon_commit_target(new_target, false, src_target, damon_target_has_pid(src)); - if (err) + if (err) { + damon_destroy_target(new_target); return err; + } + damon_add_target(dst, new_target); } return 0; } _ Patches currently in -mm which might be from sj(a)kernel.org are samples-add-a-skeleton-of-a-sample-damon-module-for-working-set-size-estimation.patch samples-damon-wsse-start-and-stop-damon-as-the-user-requests.patch samples-damon-wsse-implement-working-set-size-estimation-and-logging.patch samples-damon-introduce-a-skeleton-of-a-smaple-damon-module-for-proactive-reclamation.patch samples-damon-prcl-implement-schemes-setup.patch replace-free-hugepage-folios-after-migration-fix-2.patch

10 months, 1 week

1
0
0 0

[merged mm-hotfixes-stable] vmstat-disable-vmstat_work-on-vmstat_cpu_down_prep.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: vmstat: disable vmstat_work on vmstat_cpu_down_prep() has been removed from the -mm tree. Its filename was vmstat-disable-vmstat_work-on-vmstat_cpu_down_prep.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Koichiro Den <koichiro.den(a)canonical.com> Subject: vmstat: disable vmstat_work on vmstat_cpu_down_prep() Date: Sat, 21 Dec 2024 12:33:20 +0900 Even after mm/vmstat:online teardown, shepherd may still queue work for the dying cpu until the cpu is removed from online mask. While it's quite rare, this means that after unbind_workers() unbinds a per-cpu kworker, it potentially runs vmstat_update for the dying CPU on an irrelevant cpu before entering atomic AP states. When CONFIG_DEBUG_PREEMPT=y, it results in the following error with the backtrace. BUG: using smp_processor_id() in preemptible [00000000] code: \ kworker/7:3/1702 caller is refresh_cpu_vm_stats+0x235/0x5f0 CPU: 0 UID: 0 PID: 1702 Comm: kworker/7:3 Tainted: G Tainted: [N]=TEST Workqueue: mm_percpu_wq vmstat_update Call Trace: <TASK> dump_stack_lvl+0x8d/0xb0 check_preemption_disabled+0xce/0xe0 refresh_cpu_vm_stats+0x235/0x5f0 vmstat_update+0x17/0xa0 process_one_work+0x869/0x1aa0 worker_thread+0x5e5/0x1100 kthread+0x29e/0x380 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x1a/0x30 </TASK> So, for mm/vmstat:online, disable vmstat_work reliably on teardown and symmetrically enable it on startup. Link: https://lkml.kernel.org/r/20241221033321.4154409-1-koichiro.den@canonical.c… Signed-off-by: Koichiro Den <koichiro.den(a)canonical.com> Cc: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/vmstat.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/mm/vmstat.c~vmstat-disable-vmstat_work-on-vmstat_cpu_down_prep +++ a/mm/vmstat.c @@ -2148,13 +2148,14 @@ static int vmstat_cpu_online(unsigned in if (!node_state(cpu_to_node(cpu), N_CPU)) { node_set_state(cpu_to_node(cpu), N_CPU); } + enable_delayed_work(&per_cpu(vmstat_work, cpu)); return 0; } static int vmstat_cpu_down_prep(unsigned int cpu) { - cancel_delayed_work_sync(&per_cpu(vmstat_work, cpu)); + disable_delayed_work_sync(&per_cpu(vmstat_work, cpu)); return 0; } _ Patches currently in -mm which might be from koichiro.den(a)canonical.com are hugetlb-prioritize-surplus-allocation-from-current-node.patch

10 months, 1 week

1
0
0 0

[merged mm-hotfixes-stable] mm-shmem-fix-the-update-of-shmem_falloc-nr_unswapped.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: shmem: fix the update of 'shmem_falloc->nr_unswapped' has been removed from the -mm tree. Its filename was mm-shmem-fix-the-update-of-shmem_falloc-nr_unswapped.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Baolin Wang <baolin.wang(a)linux.alibaba.com> Subject: mm: shmem: fix the update of 'shmem_falloc->nr_unswapped' Date: Thu, 19 Dec 2024 15:30:09 +0800 The 'shmem_falloc->nr_unswapped' is used to record how many writepage refused to swap out because fallocate() is allocating, but after shmem supports large folio swap out, the update of 'shmem_falloc->nr_unswapped' does not use the correct number of pages in the large folio, which may lead to fallocate() not exiting as soon as possible. Anyway, this is found through code inspection, and I am not sure whether it would actually cause serious issues. Link: https://lkml.kernel.org/r/f66a0119d0564c2c37c84f045835b870d1b2196f.17345931… Fixes: 809bc86517cc ("mm: shmem: support large folio swap out") Signed-off-by: Baolin Wang <baolin.wang(a)linux.alibaba.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/shmem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/shmem.c~mm-shmem-fix-the-update-of-shmem_falloc-nr_unswapped +++ a/mm/shmem.c @@ -1535,7 +1535,7 @@ try_split: !shmem_falloc->waitq && index >= shmem_falloc->start && index < shmem_falloc->next) - shmem_falloc->nr_unswapped++; + shmem_falloc->nr_unswapped += nr_pages; else shmem_falloc = NULL; spin_unlock(&inode->i_lock); _ Patches currently in -mm which might be from baolin.wang(a)linux.alibaba.com are mm-factor-out-the-order-calculation-into-a-new-helper.patch mm-shmem-change-shmem_huge_global_enabled-to-return-huge-order-bitmap.patch mm-shmem-add-large-folio-support-for-tmpfs.patch mm-shmem-add-a-kernel-command-line-to-change-the-default-huge-policy-for-tmpfs.patch docs-tmpfs-drop-fadvise-from-the-documentation.patch

10 months, 1 week

1
0
0 0

[merged mm-hotfixes-stable] mm-shmem-fix-incorrect-index-alignment-for-within_size-policy.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: shmem: fix incorrect index alignment for within_size policy has been removed from the -mm tree. Its filename was mm-shmem-fix-incorrect-index-alignment-for-within_size-policy.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Baolin Wang <baolin.wang(a)linux.alibaba.com> Subject: mm: shmem: fix incorrect index alignment for within_size policy Date: Thu, 19 Dec 2024 15:30:08 +0800 With enabling the shmem per-size within_size policy, using an incorrect 'order' size to round_up() the index can lead to incorrect i_size checks, resulting in an inappropriate large orders being returned. Changing to use '1 << order' to round_up() the index to fix this issue. Additionally, adding an 'aligned_index' variable to avoid affecting the index checks. Link: https://lkml.kernel.org/r/77d8ef76a7d3d646e9225e9af88a76549a68aab1.17345931… Fixes: e7a2ab7b3bb5 ("mm: shmem: add mTHP support for anonymous shmem") Signed-off-by: Baolin Wang <baolin.wang(a)linux.alibaba.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/shmem.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) --- a/mm/shmem.c~mm-shmem-fix-incorrect-index-alignment-for-within_size-policy +++ a/mm/shmem.c @@ -1689,6 +1689,7 @@ unsigned long shmem_allowable_huge_order unsigned long mask = READ_ONCE(huge_shmem_orders_always); unsigned long within_size_orders = READ_ONCE(huge_shmem_orders_within_size); unsigned long vm_flags = vma ? vma->vm_flags : 0; + pgoff_t aligned_index; bool global_huge; loff_t i_size; int order; @@ -1723,9 +1724,9 @@ unsigned long shmem_allowable_huge_order /* Allow mTHP that will be fully within i_size. */ order = highest_order(within_size_orders); while (within_size_orders) { - index = round_up(index + 1, order); + aligned_index = round_up(index + 1, 1 << order); i_size = round_up(i_size_read(inode), PAGE_SIZE); - if (i_size >> PAGE_SHIFT >= index) { + if (i_size >> PAGE_SHIFT >= aligned_index) { mask |= within_size_orders; break; } _ Patches currently in -mm which might be from baolin.wang(a)linux.alibaba.com are mm-factor-out-the-order-calculation-into-a-new-helper.patch mm-shmem-change-shmem_huge_global_enabled-to-return-huge-order-bitmap.patch mm-shmem-add-large-folio-support-for-tmpfs.patch mm-shmem-add-a-kernel-command-line-to-change-the-default-huge-policy-for-tmpfs.patch docs-tmpfs-drop-fadvise-from-the-documentation.patch

10 months, 1 week

1
0
0 0

[merged mm-hotfixes-stable] mm-zswap-fix-race-between-compression-and-cpu-hotunplug.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: zswap: fix race between [de]compression and CPU hotunplug has been removed from the -mm tree. Its filename was mm-zswap-fix-race-between-compression-and-cpu-hotunplug.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Yosry Ahmed <yosryahmed(a)google.com> Subject: mm: zswap: fix race between [de]compression and CPU hotunplug Date: Thu, 19 Dec 2024 21:24:37 +0000 In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the current CPU at the beginning of the operation is retrieved and used throughout. However, since neither preemption nor migration are disabled, it is possible that the operation continues on a different CPU. If the original CPU is hotunplugged while the acomp_ctx is still in use, we run into a UAF bug as the resources attached to the acomp_ctx are freed during hotunplug in zswap_cpu_comp_dead(). The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration") when the switch to the crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was retrieved using get_cpu_ptr() which disables preemption and makes sure the CPU cannot go away from under us. Preemption cannot be disabled with the crypto_acomp API as a sleepable context is needed. Commit 8ba2f844f050 ("mm/zswap: change per-cpu mutex and buffer to per-acomp_ctx") increased the UAF surface area by making the per-CPU buffers dynamic, adding yet another resource that can be freed from under zswap compression/decompression by CPU hotunplug. There are a few ways to fix this: (a) Add a refcount for acomp_ctx. (b) Disable migration while using the per-CPU acomp_ctx. (c) Disable CPU hotunplug while using the per-CPU acomp_ctx by holding the CPUs read lock. Implement (c) since it's simpler than (a), and (b) involves using migrate_disable() which is apparently undesired (see huge comment in include/linux/preempt.h). Link: https://lkml.kernel.org/r/20241219212437.2714151-1-yosryahmed@google.com Fixes: 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration") Signed-off-by: Yosry Ahmed <yosryahmed(a)google.com> Reported-by: Johannes Weiner <hannes(a)cmpxchg.org> Closes: https://lore.kernel.org/lkml/20241113213007.GB1564047@cmpxchg.org/ Reported-by: Sam Sun <samsun1006219(a)gmail.com> Closes: https://lore.kernel.org/lkml/CAEkJfYMtSdM5HceNsXUDf5haghD5+o2e7Qv4OcuruL4tP… Reviewed-by: Chengming Zhou <chengming.zhou(a)linux.dev> Acked-by: Barry Song <baohua(a)kernel.org> Reviewed-by: Nhat Pham <nphamcs(a)gmail.com> Cc: Vitaly Wool <vitalywool(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/zswap.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) --- a/mm/zswap.c~mm-zswap-fix-race-between-compression-and-cpu-hotunplug +++ a/mm/zswap.c @@ -880,6 +880,18 @@ static int zswap_cpu_comp_dead(unsigned return 0; } +/* Prevent CPU hotplug from freeing up the per-CPU acomp_ctx resources */ +static struct crypto_acomp_ctx *acomp_ctx_get_cpu(struct crypto_acomp_ctx __percpu *acomp_ctx) +{ + cpus_read_lock(); + return raw_cpu_ptr(acomp_ctx); +} + +static void acomp_ctx_put_cpu(void) +{ + cpus_read_unlock(); +} + static bool zswap_compress(struct page *page, struct zswap_entry *entry, struct zswap_pool *pool) { @@ -893,8 +905,7 @@ static bool zswap_compress(struct page * gfp_t gfp; u8 *dst; - acomp_ctx = raw_cpu_ptr(pool->acomp_ctx); - + acomp_ctx = acomp_ctx_get_cpu(pool->acomp_ctx); mutex_lock(&acomp_ctx->mutex); dst = acomp_ctx->buffer; @@ -950,6 +961,7 @@ unlock: zswap_reject_alloc_fail++; mutex_unlock(&acomp_ctx->mutex); + acomp_ctx_put_cpu(); return comp_ret == 0 && alloc_ret == 0; } @@ -960,7 +972,7 @@ static void zswap_decompress(struct zswa struct crypto_acomp_ctx *acomp_ctx; u8 *src; - acomp_ctx = raw_cpu_ptr(entry->pool->acomp_ctx); + acomp_ctx = acomp_ctx_get_cpu(entry->pool->acomp_ctx); mutex_lock(&acomp_ctx->mutex); src = zpool_map_handle(zpool, entry->handle, ZPOOL_MM_RO); @@ -990,6 +1002,7 @@ static void zswap_decompress(struct zswa if (src != acomp_ctx->buffer) zpool_unmap_handle(zpool, entry->handle); + acomp_ctx_put_cpu(); } /********************************* _ Patches currently in -mm which might be from yosryahmed(a)google.com are

10 months, 1 week

1
0
0 0

[merged mm-hotfixes-stable] ocfs2-fix-slab-use-after-free-due-to-dangling-pointer-dqi_priv.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv has been removed from the -mm tree. Its filename was ocfs2-fix-slab-use-after-free-due-to-dangling-pointer-dqi_priv.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Dennis Lam <dennis.lamerice(a)gmail.com> Subject: ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv Date: Tue, 17 Dec 2024 21:39:25 -0500 When mounting ocfs2 and then remounting it as read-only, a slab-use-after-free occurs after the user uses a syscall to quota_getnextquota. Specifically, sb_dqinfo(sb, type)->dqi_priv is the dangling pointer. During the remounting process, the pointer dqi_priv is freed but is never set as null leaving it to be accessed. Additionally, the read-only option for remounting sets the DQUOT_SUSPENDED flag instead of setting the DQUOT_USAGE_ENABLED flags. Moreover, later in the process of getting the next quota, the function ocfs2_get_next_id is called and only checks the quota usage flags and not the quota suspended flags. To fix this, I set dqi_priv to null when it is freed after remounting with read-only and put a check for DQUOT_SUSPENDED in ocfs2_get_next_id. [akpm(a)linux-foundation.org: coding-style cleanups] Link: https://lkml.kernel.org/r/20241218023924.22821-2-dennis.lamerice@gmail.com Fixes: 8f9e8f5fcc05 ("ocfs2: Fix Q_GETNEXTQUOTA for filesystem without quotas") Signed-off-by: Dennis Lam <dennis.lamerice(a)gmail.com> Reported-by: syzbot+d173bf8a5a7faeede34c(a)syzkaller.appspotmail.com Tested-by: syzbot+d173bf8a5a7faeede34c(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/6731d26f.050a0220.1fb99c.014b.GAE@google.com/T/ Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/ocfs2/quota_global.c | 2 +- fs/ocfs2/quota_local.c | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) --- a/fs/ocfs2/quota_global.c~ocfs2-fix-slab-use-after-free-due-to-dangling-pointer-dqi_priv +++ a/fs/ocfs2/quota_global.c @@ -893,7 +893,7 @@ static int ocfs2_get_next_id(struct supe int status = 0; trace_ocfs2_get_next_id(from_kqid(&init_user_ns, *qid), type); - if (!sb_has_quota_loaded(sb, type)) { + if (!sb_has_quota_active(sb, type)) { status = -ESRCH; goto out; } --- a/fs/ocfs2/quota_local.c~ocfs2-fix-slab-use-after-free-due-to-dangling-pointer-dqi_priv +++ a/fs/ocfs2/quota_local.c @@ -867,6 +867,7 @@ out: brelse(oinfo->dqi_libh); brelse(oinfo->dqi_lqi_bh); kfree(oinfo); + info->dqi_priv = NULL; return status; } _ Patches currently in -mm which might be from dennis.lamerice(a)gmail.com are

10 months, 1 week

1
0
0 0

[merged mm-hotfixes-stable] fs-proc-task_mmu-fix-pagemap-flags-with-pmd-thp-entries-on-32bit.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: fs/proc/task_mmu: fix pagemap flags with PMD THP entries on 32bit has been removed from the -mm tree. Its filename was fs-proc-task_mmu-fix-pagemap-flags-with-pmd-thp-entries-on-32bit.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: David Hildenbrand <david(a)redhat.com> Subject: fs/proc/task_mmu: fix pagemap flags with PMD THP entries on 32bit Date: Tue, 17 Dec 2024 20:50:00 +0100 Entries (including flags) are u64, even on 32bit. So right now we are cutting of the flags on 32bit. This way, for example the cow selftest complains about: # ./cow ... Bail Out! read and ioctl return unmatched results for populated: 0 1 Link: https://lkml.kernel.org/r/20241217195000.1734039-1-david@redhat.com Fixes: 2c1f057e5be6 ("fs/proc/task_mmu: properly detect PM_MMAP_EXCLUSIVE per page of PMD-mapped THPs") Signed-off-by: David Hildenbrand <david(a)redhat.com> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/proc/task_mmu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/fs/proc/task_mmu.c~fs-proc-task_mmu-fix-pagemap-flags-with-pmd-thp-entries-on-32bit +++ a/fs/proc/task_mmu.c @@ -1810,7 +1810,7 @@ static int pagemap_pmd_range(pmd_t *pmdp } for (; addr != end; addr += PAGE_SIZE, idx++) { - unsigned long cur_flags = flags; + u64 cur_flags = flags; pagemap_entry_t pme; if (folio && (flags & PM_PRESENT) && _ Patches currently in -mm which might be from david(a)redhat.com are docs-tmpfs-update-the-large-folios-policy-for-tmpfs-and-shmem.patch mm-memory_hotplug-move-debug_pagealloc_map_pages-into-online_pages_range.patch mm-page_isolation-dont-pass-gfp-flags-to-isolate_single_pageblock.patch mm-page_isolation-dont-pass-gfp-flags-to-start_isolate_page_range.patch mm-page_alloc-make-__alloc_contig_migrate_range-static.patch mm-page_alloc-sort-out-the-alloc_contig_range-gfp-flags-mess.patch mm-page_alloc-forward-the-gfp-flags-from-alloc_contig_range-to-post_alloc_hook.patch powernv-memtrace-use-__gfp_zero-with-alloc_contig_pages.patch mm-hugetlb-dont-map-folios-writable-without-vm_write-when-copying-during-fork.patch fs-proc-vmcore-convert-vmcore_cb_lock-into-vmcore_mutex.patch fs-proc-vmcore-replace-vmcoredd_mutex-by-vmcore_mutex.patch fs-proc-vmcore-disallow-vmcore-modifications-while-the-vmcore-is-open.patch fs-proc-vmcore-prefix-all-pr_-with-vmcore.patch fs-proc-vmcore-move-vmcore-definitions-out-of-kcoreh.patch fs-proc-vmcore-factor-out-allocating-a-vmcore-range-and-adding-it-to-a-list.patch fs-proc-vmcore-factor-out-freeing-a-list-of-vmcore-ranges.patch fs-proc-vmcore-introduce-proc_vmcore_device_ram-to-detect-device-ram-ranges-in-2nd-kernel.patch virtio-mem-mark-device-ready-before-registering-callbacks-in-kdump-mode.patch virtio-mem-remember-usable-region-size.patch virtio-mem-support-config_proc_vmcore_device_ram.patch s390-kdump-virtio-mem-kdump-support-config_proc_vmcore_device_ram.patch mm-page_alloc-dont-use-__gfp_hardwall-when-migrating-pages-via-alloc_contig.patch mm-memory_hotplug-dont-use-__gfp_hardwall-when-migrating-pages-via-memory-offlining.patch

10 months, 1 week

1
0
0 0

[merged mm-hotfixes-stable] kcov-mark-in_softirq_really-as-__always_inline.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: kcov: mark in_softirq_really() as __always_inline has been removed from the -mm tree. Its filename was kcov-mark-in_softirq_really-as-__always_inline.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Arnd Bergmann <arnd(a)arndb.de> Subject: kcov: mark in_softirq_really() as __always_inline Date: Tue, 17 Dec 2024 08:18:10 +0100 If gcc decides not to inline in_softirq_really(), objtool warns about a function call with UACCESS enabled: kernel/kcov.o: warning: objtool: __sanitizer_cov_trace_pc+0x1e: call to in_softirq_really() with UACCESS enabled kernel/kcov.o: warning: objtool: check_kcov_mode+0x11: call to in_softirq_really() with UACCESS enabled Mark this as __always_inline to avoid the problem. Link: https://lkml.kernel.org/r/20241217071814.2261620-1-arnd@kernel.org Fixes: 7d4df2dad312 ("kcov: properly check for softirq context") Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> Reviewed-by: Marco Elver <elver(a)google.com> Cc: Aleksandr Nogikh <nogikh(a)google.com> Cc: Andrey Konovalov <andreyknvl(a)gmail.com> Cc: Dmitry Vyukov <dvyukov(a)google.com> Cc: Josh Poimboeuf <jpoimboe(a)kernel.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- kernel/kcov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/kernel/kcov.c~kcov-mark-in_softirq_really-as-__always_inline +++ a/kernel/kcov.c @@ -166,7 +166,7 @@ static void kcov_remote_area_put(struct * Unlike in_serving_softirq(), this function returns false when called during * a hardirq or an NMI that happened in the softirq context. */ -static inline bool in_softirq_really(void) +static __always_inline bool in_softirq_really(void) { return in_serving_softirq() && !in_hardirq() && !in_nmi(); } _ Patches currently in -mm which might be from arnd(a)arndb.de are

10 months, 1 week

1
0
0 0

[merged mm-hotfixes-stable] mm-kmemleak-fix-sleeping-function-called-from-invalid-context-at-print-message.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/kmemleak: fix sleeping function called from invalid context at print message has been removed from the -mm tree. Its filename was mm-kmemleak-fix-sleeping-function-called-from-invalid-context-at-print-message.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Alessandro Carminati <acarmina(a)redhat.com> Subject: mm/kmemleak: fix sleeping function called from invalid context at print message Date: Tue, 17 Dec 2024 14:20:33 +0000 Address a bug in the kernel that triggers a "sleeping function called from invalid context" warning when /sys/kernel/debug/kmemleak is printed under specific conditions: - CONFIG_PREEMPT_RT=y - Set SELinux as the LSM for the system - Set kptr_restrict to 1 - kmemleak buffer contains at least one item BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 136, name: cat preempt_count: 1, expected: 0 RCU nest depth: 2, expected: 2 6 locks held by cat/136: #0: ffff32e64bcbf950 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xb8/0xe30 #1: ffffafe6aaa9dea0 (scan_mutex){+.+.}-{3:3}, at: kmemleak_seq_start+0x34/0x128 #3: ffff32e6546b1cd0 (&object->lock){....}-{2:2}, at: kmemleak_seq_show+0x3c/0x1e0 #4: ffffafe6aa8d8560 (rcu_read_lock){....}-{1:2}, at: has_ns_capability_noaudit+0x8/0x1b0 #5: ffffafe6aabbc0f8 (notif_lock){+.+.}-{2:2}, at: avc_compute_av+0xc4/0x3d0 irq event stamp: 136660 hardirqs last enabled at (136659): [<ffffafe6a80fd7a0>] _raw_spin_unlock_irqrestore+0xa8/0xd8 hardirqs last disabled at (136660): [<ffffafe6a80fd85c>] _raw_spin_lock_irqsave+0x8c/0xb0 softirqs last enabled at (0): [<ffffafe6a5d50b28>] copy_process+0x11d8/0x3df8 softirqs last disabled at (0): [<0000000000000000>] 0x0 Preemption disabled at: [<ffffafe6a6598a4c>] kmemleak_seq_show+0x3c/0x1e0 CPU: 1 UID: 0 PID: 136 Comm: cat Tainted: G E 6.11.0-rt7+ #34 Tainted: [E]=UNSIGNED_MODULE Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0xa0/0x128 show_stack+0x1c/0x30 dump_stack_lvl+0xe8/0x198 dump_stack+0x18/0x20 rt_spin_lock+0x8c/0x1a8 avc_perm_nonode+0xa0/0x150 cred_has_capability.isra.0+0x118/0x218 selinux_capable+0x50/0x80 security_capable+0x7c/0xd0 has_ns_capability_noaudit+0x94/0x1b0 has_capability_noaudit+0x20/0x30 restricted_pointer+0x21c/0x4b0 pointer+0x298/0x760 vsnprintf+0x330/0xf70 seq_printf+0x178/0x218 print_unreferenced+0x1a4/0x2d0 kmemleak_seq_show+0xd0/0x1e0 seq_read_iter+0x354/0xe30 seq_read+0x250/0x378 full_proxy_read+0xd8/0x148 vfs_read+0x190/0x918 ksys_read+0xf0/0x1e0 __arm64_sys_read+0x70/0xa8 invoke_syscall.constprop.0+0xd4/0x1d8 el0_svc+0x50/0x158 el0t_64_sync+0x17c/0x180 %pS and %pK, in the same back trace line, are redundant, and %pS can void %pK service in certain contexts. %pS alone already provides the necessary information, and if it cannot resolve the symbol, it falls back to printing the raw address voiding the original intent behind the %pK. Additionally, %pK requires a privilege check CAP_SYSLOG enforced through the LSM, which can trigger a "sleeping function called from invalid context" warning under RT_PREEMPT kernels when the check occurs in an atomic context. This issue may also affect other LSMs. This change avoids the unnecessary privilege check and resolves the sleeping function warning without any loss of information. Link: https://lkml.kernel.org/r/20241217142032.55793-1-acarmina@redhat.com Fixes: 3a6f33d86baa ("mm/kmemleak: use %pK to display kernel pointers in backtrace") Signed-off-by: Alessandro Carminati <acarmina(a)redhat.com> Acked-by: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> Acked-by: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Cl��ment L��ger <clement.leger(a)bootlin.com> Cc: Alessandro Carminati <acarmina(a)redhat.com> Cc: Eric Chanudet <echanude(a)redhat.com> Cc: Gabriele Paoloni <gpaoloni(a)redhat.com> Cc: Juri Lelli <juri.lelli(a)redhat.com> Cc: Steven Rostedt <rostedt(a)goodmis.org> Cc: Thomas Wei��schuh <thomas.weissschuh(a)linutronix.de> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/kmemleak.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/kmemleak.c~mm-kmemleak-fix-sleeping-function-called-from-invalid-context-at-print-message +++ a/mm/kmemleak.c @@ -373,7 +373,7 @@ static void print_unreferenced(struct se for (i = 0; i < nr_entries; i++) { void *ptr = (void *)entries[i]; - warn_or_seq_printf(seq, " [<%pK>] %pS\n", ptr, ptr); + warn_or_seq_printf(seq, " %pS\n", ptr); } } _ Patches currently in -mm which might be from acarmina(a)redhat.com are

10 months, 1 week

1
0
0 0

[merged mm-hotfixes-stable] mm-hugetlb-independent-pmd-page-table-shared-count.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: hugetlb: independent PMD page table shared count has been removed from the -mm tree. Its filename was mm-hugetlb-independent-pmd-page-table-shared-count.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Liu Shixin <liushixin2(a)huawei.com> Subject: mm: hugetlb: independent PMD page table shared count Date: Mon, 16 Dec 2024 15:11:47 +0800 The folio refcount may be increased unexpectly through try_get_folio() by caller such as split_huge_pages. In huge_pmd_unshare(), we use refcount to check whether a pmd page table is shared. The check is incorrect if the refcount is increased by the above caller, and this can cause the page table leaked: BUG: Bad page state in process sh pfn:109324 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x66 pfn:0x109324 flags: 0x17ffff800000000(node=0|zone=2|lastcpupid=0xfffff) page_type: f2(table) raw: 017ffff800000000 0000000000000000 0000000000000000 0000000000000000 raw: 0000000000000066 0000000000000000 00000000f2000000 0000000000000000 page dumped because: nonzero mapcount ... CPU: 31 UID: 0 PID: 7515 Comm: sh Kdump: loaded Tainted: G B 6.13.0-rc2master+ #7 Tainted: [B]=BAD_PAGE Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 Call trace: show_stack+0x20/0x38 (C) dump_stack_lvl+0x80/0xf8 dump_stack+0x18/0x28 bad_page+0x8c/0x130 free_page_is_bad_report+0xa4/0xb0 free_unref_page+0x3cc/0x620 __folio_put+0xf4/0x158 split_huge_pages_all+0x1e0/0x3e8 split_huge_pages_write+0x25c/0x2d8 full_proxy_write+0x64/0xd8 vfs_write+0xcc/0x280 ksys_write+0x70/0x110 __arm64_sys_write+0x24/0x38 invoke_syscall+0x50/0x120 el0_svc_common.constprop.0+0xc8/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x34/0x128 el0t_64_sync_handler+0xc8/0xd0 el0t_64_sync+0x190/0x198 The issue may be triggered by damon, offline_page, page_idle, etc, which will increase the refcount of page table. 1. The page table itself will be discarded after reporting the "nonzero mapcount". 2. The HugeTLB page mapped by the page table miss freeing since we treat the page table as shared and a shared page table will not be unmapped. Fix it by introducing independent PMD page table shared count. As described by comment, pt_index/pt_mm/pt_frag_refcount are used for s390 gmap, x86 pgds and powerpc, pt_share_count is used for x86/arm64/riscv pmds, so we can reuse the field as pt_share_count. Link: https://lkml.kernel.org/r/20241216071147.3984217-1-liushixin2@huawei.com Fixes: 39dde65c9940 ("[PATCH] shared page table for hugetlb page") Signed-off-by: Liu Shixin <liushixin2(a)huawei.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: Ken Chen <kenneth.w.chen(a)intel.com> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Nanyong Sun <sunnanyong(a)huawei.com> Cc: Jane Chu <jane.chu(a)oracle.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/mm.h | 1 + include/linux/mm_types.h | 30 ++++++++++++++++++++++++++++++ mm/hugetlb.c | 16 +++++++--------- 3 files changed, 38 insertions(+), 9 deletions(-) --- a/include/linux/mm.h~mm-hugetlb-independent-pmd-page-table-shared-count +++ a/include/linux/mm.h @@ -3125,6 +3125,7 @@ static inline bool pagetable_pmd_ctor(st if (!pmd_ptlock_init(ptdesc)) return false; __folio_set_pgtable(folio); + ptdesc_pmd_pts_init(ptdesc); lruvec_stat_add_folio(folio, NR_PAGETABLE); return true; } --- a/include/linux/mm_types.h~mm-hugetlb-independent-pmd-page-table-shared-count +++ a/include/linux/mm_types.h @@ -445,6 +445,7 @@ FOLIO_MATCH(compound_head, _head_2a); * @pt_index: Used for s390 gmap. * @pt_mm: Used for x86 pgds. * @pt_frag_refcount: For fragmented page table tracking. Powerpc only. + * @pt_share_count: Used for HugeTLB PMD page table share count. * @_pt_pad_2: Padding to ensure proper alignment. * @ptl: Lock for the page table. * @__page_type: Same as page->page_type. Unused for page tables. @@ -471,6 +472,9 @@ struct ptdesc { pgoff_t pt_index; struct mm_struct *pt_mm; atomic_t pt_frag_refcount; +#ifdef CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING + atomic_t pt_share_count; +#endif }; union { @@ -516,6 +520,32 @@ static_assert(sizeof(struct ptdesc) <= s const struct page *: (const struct ptdesc *)(p), \ struct page *: (struct ptdesc *)(p))) +#ifdef CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING +static inline void ptdesc_pmd_pts_init(struct ptdesc *ptdesc) +{ + atomic_set(&ptdesc->pt_share_count, 0); +} + +static inline void ptdesc_pmd_pts_inc(struct ptdesc *ptdesc) +{ + atomic_inc(&ptdesc->pt_share_count); +} + +static inline void ptdesc_pmd_pts_dec(struct ptdesc *ptdesc) +{ + atomic_dec(&ptdesc->pt_share_count); +} + +static inline int ptdesc_pmd_pts_count(struct ptdesc *ptdesc) +{ + return atomic_read(&ptdesc->pt_share_count); +} +#else +static inline void ptdesc_pmd_pts_init(struct ptdesc *ptdesc) +{ +} +#endif + /* * Used for sizing the vmemmap region on some architectures */ --- a/mm/hugetlb.c~mm-hugetlb-independent-pmd-page-table-shared-count +++ a/mm/hugetlb.c @@ -7211,7 +7211,7 @@ pte_t *huge_pmd_share(struct mm_struct * spte = hugetlb_walk(svma, saddr, vma_mmu_pagesize(svma)); if (spte) { - get_page(virt_to_page(spte)); + ptdesc_pmd_pts_inc(virt_to_ptdesc(spte)); break; } } @@ -7226,7 +7226,7 @@ pte_t *huge_pmd_share(struct mm_struct * (pmd_t *)((unsigned long)spte & PAGE_MASK)); mm_inc_nr_pmds(mm); } else { - put_page(virt_to_page(spte)); + ptdesc_pmd_pts_dec(virt_to_ptdesc(spte)); } spin_unlock(&mm->page_table_lock); out: @@ -7238,10 +7238,6 @@ out: /* * unmap huge page backed by shared pte. * - * Hugetlb pte page is ref counted at the time of mapping. If pte is shared - * indicated by page_count > 1, unmap is achieved by clearing pud and - * decrementing the ref count. If count == 1, the pte page is not shared. - * * Called with page table lock held. * * returns: 1 successfully unmapped a shared pte page @@ -7250,18 +7246,20 @@ out: int huge_pmd_unshare(struct mm_struct *mm, struct vm_area_struct *vma, unsigned long addr, pte_t *ptep) { + unsigned long sz = huge_page_size(hstate_vma(vma)); pgd_t *pgd = pgd_offset(mm, addr); p4d_t *p4d = p4d_offset(pgd, addr); pud_t *pud = pud_offset(p4d, addr); i_mmap_assert_write_locked(vma->vm_file->f_mapping); hugetlb_vma_assert_locked(vma); - BUG_ON(page_count(virt_to_page(ptep)) == 0); - if (page_count(virt_to_page(ptep)) == 1) + if (sz != PMD_SIZE) + return 0; + if (!ptdesc_pmd_pts_count(virt_to_ptdesc(ptep))) return 0; pud_clear(pud); - put_page(virt_to_page(ptep)); + ptdesc_pmd_pts_dec(virt_to_ptdesc(ptep)); mm_dec_nr_pmds(mm); return 1; } _ Patches currently in -mm which might be from liushixin2(a)huawei.com are

10 months, 1 week

1
0
0 0

[merged mm-hotfixes-stable] maple_tree-reload-mas-before-the-second-call-for-mas_empty_area.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: maple_tree: reload mas before the second call for mas_empty_area has been removed from the -mm tree. Its filename was maple_tree-reload-mas-before-the-second-call-for-mas_empty_area.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Yang Erkun <yangerkun(a)huawei.com> Subject: maple_tree: reload mas before the second call for mas_empty_area Date: Sat, 14 Dec 2024 17:30:05 +0800 Change the LONG_MAX in simple_offset_add to 1024, and do latter: [root@fedora ~]# mkdir /tmp/dir [root@fedora ~]# for i in {1..1024}; do touch /tmp/dir/$i; done touch: cannot touch '/tmp/dir/1024': Device or resource busy [root@fedora ~]# rm /tmp/dir/123 [root@fedora ~]# touch /tmp/dir/1024 [root@fedora ~]# rm /tmp/dir/100 [root@fedora ~]# touch /tmp/dir/1025 touch: cannot touch '/tmp/dir/1025': Device or resource busy After we delete file 100, actually this is a empty entry, but the latter create failed unexpected. mas_alloc_cyclic has two chance to find empty entry. First find the entry with range range_lo and range_hi, if no empty entry exist, and range_lo > min, retry find with range min and range_hi. However, the first call mas_empty_area may mark mas as EBUSY, and the second call for mas_empty_area will return false directly. Fix this by reload mas before second call for mas_empty_area. [Liam.Howlett(a)Oracle.com: fix mas_alloc_cyclic() second search] Link: https://lore.kernel.org/all/20241216060600.287B4C4CED0@smtp.kernel.org/ Link: https://lkml.kernel.org/r/20241216190113.1226145-2-Liam.Howlett@oracle.com Link: https://lkml.kernel.org/r/20241214093005.72284-1-yangerkun@huaweicloud.com Fixes: 9b6713cc7522 ("maple_tree: Add mtree_alloc_cyclic()") Signed-off-by: Yang Erkun <yangerkun(a)huawei.com> Signed-off-by: Liam R. Howlett <Liam.Howlett(a)Oracle.com> Cc: Christian Brauner <brauner(a)kernel.org> Cc: Chuck Lever <chuck.lever(a)oracle.com> says: Cc: Liam R. Howlett <Liam.Howlett(a)Oracle.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- lib/maple_tree.c | 1 + 1 file changed, 1 insertion(+) --- a/lib/maple_tree.c~maple_tree-reload-mas-before-the-second-call-for-mas_empty_area +++ a/lib/maple_tree.c @@ -4354,6 +4354,7 @@ int mas_alloc_cyclic(struct ma_state *ma ret = 1; } if (ret < 0 && range_lo > min) { + mas_reset(mas); ret = mas_empty_area(mas, min, range_hi, 1); if (ret == 0) ret = 1; _ Patches currently in -mm which might be from yangerkun(a)huawei.com are

10 months, 1 week

1
0
0 0

[merged mm-hotfixes-stable] mm-readahead-fix-large-folio-support-in-async-readahead.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/readahead: fix large folio support in async readahead has been removed from the -mm tree. Its filename was mm-readahead-fix-large-folio-support-in-async-readahead.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Yafang Shao <laoar.shao(a)gmail.com> Subject: mm/readahead: fix large folio support in async readahead Date: Fri, 6 Dec 2024 16:30:25 +0800 When testing large folio support with XFS on our servers, we observed that only a few large folios are mapped when reading large files via mmap. After a thorough analysis, I identified it was caused by the `/sys/block/*/queue/read_ahead_kb` setting. On our test servers, this parameter is set to 128KB. After I tune it to 2MB, the large folio can work as expected. However, I believe the large folio behavior should not be dependent on the value of read_ahead_kb. It would be more robust if the kernel can automatically adopt to it. With /sys/block/*/queue/read_ahead_kb set to 128KB and performing a sequential read on a 1GB file using MADV_HUGEPAGE, the differences in /proc/meminfo are as follows: - before this patch FileHugePages: 18432 kB FilePmdMapped: 4096 kB - after this patch FileHugePages: 1067008 kB FilePmdMapped: 1048576 kB This shows that after applying the patch, the entire 1GB file is mapped to huge pages. The stable list is CCed, as without this patch, large folios don't function optimally in the readahead path. It's worth noting that if read_ahead_kb is set to a larger value that isn't aligned with huge page sizes (e.g., 4MB + 128KB), it may still fail to map to hugepages. Link: https://lkml.kernel.org/r/20241108141710.9721-1-laoar.shao@gmail.com Link: https://lkml.kernel.org/r/20241206083025.3478-1-laoar.shao@gmail.com Fixes: 4687fdbb805a ("mm/filemap: Support VM_HUGEPAGE for file mappings") Signed-off-by: Yafang Shao <laoar.shao(a)gmail.com> Tested-by: kernel test robot <oliver.sang(a)intel.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: David Hildenbrand <david(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/readahead.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) --- a/mm/readahead.c~mm-readahead-fix-large-folio-support-in-async-readahead +++ a/mm/readahead.c @@ -646,7 +646,11 @@ void page_cache_async_ra(struct readahea 1UL << order); if (index == expected) { ra->start += ra->size; - ra->size = get_next_ra_size(ra, max_pages); + /* + * In the case of MADV_HUGEPAGE, the actual size might exceed + * the readahead window. + */ + ra->size = max(ra->size, get_next_ra_size(ra, max_pages)); ra->async_size = ra->size; goto readit; } _ Patches currently in -mm which might be from laoar.shao(a)gmail.com are kernel-remove-get_task_comm-and-print-task-comm-directly.patch arch-remove-get_task_comm-and-print-task-comm-directly.patch net-remove-get_task_comm-and-print-task-comm-directly.patch security-remove-get_task_comm-and-print-task-comm-directly.patch drivers-remove-get_task_comm-and-print-task-comm-directly.patch

10 months, 1 week

1
0
0 0

[merged mm-hotfixes-stable] mm-vmscan-account-for-free-pages-to-prevent-infinite-loop-in-throttle_direct_reclaim.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim() has been removed from the -mm tree. Its filename was mm-vmscan-account-for-free-pages-to-prevent-infinite-loop-in-throttle_direct_reclaim.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Seiji Nishikawa <snishika(a)redhat.com> Subject: mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim() Date: Sun, 1 Dec 2024 01:12:34 +0900 The task sometimes continues looping in throttle_direct_reclaim() because allow_direct_reclaim(pgdat) keeps returning false. #0 [ffff80002cb6f8d0] __switch_to at ffff8000080095ac #1 [ffff80002cb6f900] __schedule at ffff800008abbd1c #2 [ffff80002cb6f990] schedule at ffff800008abc50c #3 [ffff80002cb6f9b0] throttle_direct_reclaim at ffff800008273550 #4 [ffff80002cb6fa20] try_to_free_pages at ffff800008277b68 #5 [ffff80002cb6fae0] __alloc_pages_nodemask at ffff8000082c4660 #6 [ffff80002cb6fc50] alloc_pages_vma at ffff8000082e4a98 #7 [ffff80002cb6fca0] do_anonymous_page at ffff80000829f5a8 #8 [ffff80002cb6fce0] __handle_mm_fault at ffff8000082a5974 #9 [ffff80002cb6fd90] handle_mm_fault at ffff8000082a5bd4 At this point, the pgdat contains the following two zones: NODE: 4 ZONE: 0 ADDR: ffff00817fffe540 NAME: "DMA32" SIZE: 20480 MIN/LOW/HIGH: 11/28/45 VM_STAT: NR_FREE_PAGES: 359 NR_ZONE_INACTIVE_ANON: 18813 NR_ZONE_ACTIVE_ANON: 0 NR_ZONE_INACTIVE_FILE: 50 NR_ZONE_ACTIVE_FILE: 0 NR_ZONE_UNEVICTABLE: 0 NR_ZONE_WRITE_PENDING: 0 NR_MLOCK: 0 NR_BOUNCE: 0 NR_ZSPAGES: 0 NR_FREE_CMA_PAGES: 0 NODE: 4 ZONE: 1 ADDR: ffff00817fffec00 NAME: "Normal" SIZE: 8454144 PRESENT: 98304 MIN/LOW/HIGH: 68/166/264 VM_STAT: NR_FREE_PAGES: 146 NR_ZONE_INACTIVE_ANON: 94668 NR_ZONE_ACTIVE_ANON: 3 NR_ZONE_INACTIVE_FILE: 735 NR_ZONE_ACTIVE_FILE: 78 NR_ZONE_UNEVICTABLE: 0 NR_ZONE_WRITE_PENDING: 0 NR_MLOCK: 0 NR_BOUNCE: 0 NR_ZSPAGES: 0 NR_FREE_CMA_PAGES: 0 In allow_direct_reclaim(), while processing ZONE_DMA32, the sum of inactive/active file-backed pages calculated in zone_reclaimable_pages() based on the result of zone_page_state_snapshot() is zero. Additionally, since this system lacks swap, the calculation of inactive/ active anonymous pages is skipped. crash> p nr_swap_pages nr_swap_pages = $1937 = { counter = 0 } As a result, ZONE_DMA32 is deemed unreclaimable and skipped, moving on to the processing of the next zone, ZONE_NORMAL, despite ZONE_DMA32 having free pages significantly exceeding the high watermark. The problem is that the pgdat->kswapd_failures hasn't been incremented. crash> px ((struct pglist_data *) 0xffff00817fffe540)->kswapd_failures $1935 = 0x0 This is because the node deemed balanced. The node balancing logic in balance_pgdat() evaluates all zones collectively. If one or more zones (e.g., ZONE_DMA32) have enough free pages to meet their watermarks, the entire node is deemed balanced. This causes balance_pgdat() to exit early before incrementing the kswapd_failures, as it considers the overall memory state acceptable, even though some zones (like ZONE_NORMAL) remain under significant pressure. The patch ensures that zone_reclaimable_pages() includes free pages (NR_FREE_PAGES) in its calculation when no other reclaimable pages are available (e.g., file-backed or anonymous pages). This change prevents zones like ZONE_DMA32, which have sufficient free pages, from being mistakenly deemed unreclaimable. By doing so, the patch ensures proper node balancing, avoids masking pressure on other zones like ZONE_NORMAL, and prevents infinite loops in throttle_direct_reclaim() caused by allow_direct_reclaim(pgdat) repeatedly returning false. The kernel hangs due to a task stuck in throttle_direct_reclaim(), caused by a node being incorrectly deemed balanced despite pressure in certain zones, such as ZONE_NORMAL. This issue arises from zone_reclaimable_pages() returning 0 for zones without reclaimable file- backed or anonymous pages, causing zones like ZONE_DMA32 with sufficient free pages to be skipped. The lack of swap or reclaimable pages results in ZONE_DMA32 being ignored during reclaim, masking pressure in other zones. Consequently, pgdat->kswapd_failures remains 0 in balance_pgdat(), preventing fallback mechanisms in allow_direct_reclaim() from being triggered, leading to an infinite loop in throttle_direct_reclaim(). This patch modifies zone_reclaimable_pages() to account for free pages (NR_FREE_PAGES) when no other reclaimable pages exist. This ensures zones with sufficient free pages are not skipped, enabling proper balancing and reclaim behavior. [akpm(a)linux-foundation.org: coding-style cleanups] Link: https://lkml.kernel.org/r/20241130164346.436469-1-snishika@redhat.com Link: https://lkml.kernel.org/r/20241130161236.433747-2-snishika@redhat.com Fixes: 5a1c84b404a7 ("mm: remove reclaim and compaction retry approximations") Signed-off-by: Seiji Nishikawa <snishika(a)redhat.com> Cc: Mel Gorman <mgorman(a)techsingularity.net> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/vmscan.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) --- a/mm/vmscan.c~mm-vmscan-account-for-free-pages-to-prevent-infinite-loop-in-throttle_direct_reclaim +++ a/mm/vmscan.c @@ -374,7 +374,14 @@ unsigned long zone_reclaimable_pages(str if (can_reclaim_anon_pages(NULL, zone_to_nid(zone), NULL)) nr += zone_page_state_snapshot(zone, NR_ZONE_INACTIVE_ANON) + zone_page_state_snapshot(zone, NR_ZONE_ACTIVE_ANON); - + /* + * If there are no reclaimable file-backed or anonymous pages, + * ensure zones with sufficient free pages are not skipped. + * This prevents zones like DMA32 from being ignored in reclaim + * scenarios where they can still help alleviate memory pressure. + */ + if (nr == 0) + nr = zone_page_state_snapshot(zone, NR_FREE_PAGES); return nr; } _ Patches currently in -mm which might be from snishika(a)redhat.com are

10 months, 1 week

1
0
0 0

[merged mm-hotfixes-stable] mm-reinstate-ability-to-map-write-sealed-memfd-mappings-read-only.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: reinstate ability to map write-sealed memfd mappings read-only has been removed from the -mm tree. Its filename was mm-reinstate-ability-to-map-write-sealed-memfd-mappings-read-only.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Subject: mm: reinstate ability to map write-sealed memfd mappings read-only Date: Thu, 28 Nov 2024 15:06:17 +0000 Patch series "mm: reinstate ability to map write-sealed memfd mappings read-only". In commit 158978945f31 ("mm: perform the mapping_map_writable() check after call_mmap()") (and preceding changes in the same series) it became possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only. Commit 5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour") unintentionally undid this logic by moving the mapping_map_writable() check before the shmem_mmap() hook is invoked, thereby regressing this change. This series reworks how we both permit write-sealed mappings being mapped read-only and disallow mprotect() from undoing the write-seal, fixing this regression. We also add a regression test to ensure that we do not accidentally regress this in future. Thanks to Julian Orth for reporting this regression. This patch (of 2): In commit 158978945f31 ("mm: perform the mapping_map_writable() check after call_mmap()") (and preceding changes in the same series) it became possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only. This was previously unnecessarily disallowed, despite the man page documentation indicating that it would be, thereby limiting the usefulness of F_SEAL_WRITE logic. We fixed this by adapting logic that existed for the F_SEAL_FUTURE_WRITE seal (one which disallows future writes to the memfd) to also be used for F_SEAL_WRITE. For background - the F_SEAL_FUTURE_WRITE seal clears VM_MAYWRITE for a read-only mapping to disallow mprotect() from overriding the seal - an operation performed by seal_check_write(), invoked from shmem_mmap(), the f_op->mmap() hook used by shmem mappings. By extending this to F_SEAL_WRITE and critically - checking mapping_map_writable() to determine if we may map the memfd AFTER we invoke shmem_mmap() - the desired logic becomes possible. This is because mapping_map_writable() explicitly checks for VM_MAYWRITE, which we will have cleared. Commit 5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour") unintentionally undid this logic by moving the mapping_map_writable() check before the shmem_mmap() hook is invoked, thereby regressing this change. We reinstate this functionality by moving the check out of shmem_mmap() and instead performing it in do_mmap() at the point at which VMA flags are being determined, which seems in any case to be a more appropriate place in which to make this determination. In order to achieve this we rework memfd seal logic to allow us access to this information using existing logic and eliminate the clearing of VM_MAYWRITE from seal_check_write() which we are performing in do_mmap() instead. Link: https://lkml.kernel.org/r/99fc35d2c62bd2e05571cf60d9f8b843c56069e0.17328047… Fixes: 5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reported-by: Julian Orth <ju.orth(a)gmail.com> Closes: https://lore.kernel.org/all/CAHijbEUMhvJTN9Xw1GmbM266FXXv=U7s4L_Jem5x3AaPZx… Cc: Jann Horn <jannh(a)google.com> Cc: Liam R. Howlett <Liam.Howlett(a)Oracle.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Shuah Khan <shuah(a)kernel.org> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/memfd.h | 14 +++++++++ include/linux/mm.h | 58 +++++++++++++++++++++++++++------------- mm/memfd.c | 2 - mm/mmap.c | 4 ++ 4 files changed, 59 insertions(+), 19 deletions(-) --- a/include/linux/memfd.h~mm-reinstate-ability-to-map-write-sealed-memfd-mappings-read-only +++ a/include/linux/memfd.h @@ -7,6 +7,7 @@ #ifdef CONFIG_MEMFD_CREATE extern long memfd_fcntl(struct file *file, unsigned int cmd, unsigned int arg); struct folio *memfd_alloc_folio(struct file *memfd, pgoff_t idx); +unsigned int *memfd_file_seals_ptr(struct file *file); #else static inline long memfd_fcntl(struct file *f, unsigned int c, unsigned int a) { @@ -16,6 +17,19 @@ static inline struct folio *memfd_alloc_ { return ERR_PTR(-EINVAL); } + +static inline unsigned int *memfd_file_seals_ptr(struct file *file) +{ + return NULL; +} #endif +/* Retrieve memfd seals associated with the file, if any. */ +static inline unsigned int memfd_file_seals(struct file *file) +{ + unsigned int *sealsp = memfd_file_seals_ptr(file); + + return sealsp ? *sealsp : 0; +} + #endif /* __LINUX_MEMFD_H */ --- a/include/linux/mm.h~mm-reinstate-ability-to-map-write-sealed-memfd-mappings-read-only +++ a/include/linux/mm.h @@ -4101,6 +4101,37 @@ void mem_dump_obj(void *object); static inline void mem_dump_obj(void *object) {} #endif +static inline bool is_write_sealed(int seals) +{ + return seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE); +} + +/** + * is_readonly_sealed - Checks whether write-sealed but mapped read-only, + * in which case writes should be disallowing moving + * forwards. + * @seals: the seals to check + * @vm_flags: the VMA flags to check + * + * Returns whether readonly sealed, in which case writess should be disallowed + * going forward. + */ +static inline bool is_readonly_sealed(int seals, vm_flags_t vm_flags) +{ + /* + * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as + * MAP_SHARED and read-only, take care to not allow mprotect to + * revert protections on such mappings. Do this only for shared + * mappings. For private mappings, don't need to mask + * VM_MAYWRITE as we still want them to be COW-writable. + */ + if (is_write_sealed(seals) && + ((vm_flags & (VM_SHARED | VM_WRITE)) == VM_SHARED)) + return true; + + return false; +} + /** * seal_check_write - Check for F_SEAL_WRITE or F_SEAL_FUTURE_WRITE flags and * handle them. @@ -4112,24 +4143,15 @@ static inline void mem_dump_obj(void *ob */ static inline int seal_check_write(int seals, struct vm_area_struct *vma) { - if (seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) { - /* - * New PROT_WRITE and MAP_SHARED mmaps are not allowed when - * write seals are active. - */ - if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE)) - return -EPERM; - - /* - * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as - * MAP_SHARED and read-only, take care to not allow mprotect to - * revert protections on such mappings. Do this only for shared - * mappings. For private mappings, don't need to mask - * VM_MAYWRITE as we still want them to be COW-writable. - */ - if (vma->vm_flags & VM_SHARED) - vm_flags_clear(vma, VM_MAYWRITE); - } + if (!is_write_sealed(seals)) + return 0; + + /* + * New PROT_WRITE and MAP_SHARED mmaps are not allowed when + * write seals are active. + */ + if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE)) + return -EPERM; return 0; } --- a/mm/memfd.c~mm-reinstate-ability-to-map-write-sealed-memfd-mappings-read-only +++ a/mm/memfd.c @@ -170,7 +170,7 @@ static int memfd_wait_for_pins(struct ad return error; } -static unsigned int *memfd_file_seals_ptr(struct file *file) +unsigned int *memfd_file_seals_ptr(struct file *file) { if (shmem_file(file)) return &SHMEM_I(file_inode(file))->seals; --- a/mm/mmap.c~mm-reinstate-ability-to-map-write-sealed-memfd-mappings-read-only +++ a/mm/mmap.c @@ -47,6 +47,7 @@ #include <linux/oom.h> #include <linux/sched/mm.h> #include <linux/ksm.h> +#include <linux/memfd.h> #include <linux/uaccess.h> #include <asm/cacheflush.h> @@ -368,6 +369,7 @@ unsigned long do_mmap(struct file *file, if (file) { struct inode *inode = file_inode(file); + unsigned int seals = memfd_file_seals(file); unsigned long flags_mask; if (!file_mmap_ok(file, inode, pgoff, len)) @@ -408,6 +410,8 @@ unsigned long do_mmap(struct file *file, vm_flags |= VM_SHARED | VM_MAYSHARE; if (!(file->f_mode & FMODE_WRITE)) vm_flags &= ~(VM_MAYWRITE | VM_SHARED); + else if (is_readonly_sealed(seals, vm_flags)) + vm_flags &= ~VM_MAYWRITE; fallthrough; case MAP_PRIVATE: if (!(file->f_mode & FMODE_READ)) _ Patches currently in -mm which might be from lorenzo.stoakes(a)oracle.com are mm-vma-move-brk-internals-to-mm-vmac.patch mm-vma-move-brk-internals-to-mm-vmac-fix.patch mm-vma-move-unmapped_area-internals-to-mm-vmac.patch mm-abstract-get_arg_page-stack-expansion-and-mmap-read-lock.patch mm-vma-move-stack-expansion-logic-to-mm-vmac.patch mm-vma-move-__vm_munmap-to-mm-vmac.patch selftests-mm-add-fork-cow-guard-page-test.patch mm-enforce-__must_check-on-vma-merge-and-split.patch mm-perform-all-memfd-seal-checks-in-a-single-place.patch mm-perform-all-memfd-seal-checks-in-a-single-place-fix.patch maintainers-update-memory-mapping-section.patch mm-assert-mmap-write-lock-held-on-do_mmap-mmap_region.patch mm-add-comments-to-do_mmap-mmap_region-and-vm_mmap.patch tools-testing-add-simple-__mmap_region-userland-test.patch

10 months, 1 week

1
0
0 0

[folded-merged] maple_tree-reload-mas-before-the-second-call-for-mas_empty_area-fix.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: maple_tree: fix mas_alloc_cyclic() second search has been removed from the -mm tree. Its filename was maple_tree-reload-mas-before-the-second-call-for-mas_empty_area-fix.patch This patch was dropped because it was folded into maple_tree-reload-mas-before-the-second-call-for-mas_empty_area.patch ------------------------------------------------------ From: "Liam R. Howlett" <Liam.Howlett(a)Oracle.com> Subject: maple_tree: fix mas_alloc_cyclic() second search Date: Mon, 16 Dec 2024 14:01:12 -0500 The first search may leave the maple state in an error state. Reset the maple state before the second search so that the search has a chance of executing correctly after an exhausted first search. Link: https://lore.kernel.org/all/20241216060600.287B4C4CED0@smtp.kernel.org/ Link: https://lkml.kernel.org/r/20241216190113.1226145-2-Liam.Howlett@oracle.com Fixes: 9b6713cc7522 ("maple_tree: Add mtree_alloc_cyclic()") Signed-off-by: Liam R. Howlett <Liam.Howlett(a)Oracle.com> Reviewed-by: Yang Erkun <yangerkun(a)huawei.com> Cc: Christian Brauner <brauner(a)kernel.org> Cc: Chuck Lever <chuck.lever(a)oracle.com> says: Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- lib/maple_tree.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- a/lib/maple_tree.c~maple_tree-reload-mas-before-the-second-call-for-mas_empty_area-fix +++ a/lib/maple_tree.c @@ -4346,7 +4346,6 @@ int mas_alloc_cyclic(struct ma_state *ma { unsigned long min = range_lo; int ret = 0; - struct ma_state m = *mas; range_lo = max(min, *next); ret = mas_empty_area(mas, range_lo, range_hi, 1); @@ -4355,7 +4354,7 @@ int mas_alloc_cyclic(struct ma_state *ma ret = 1; } if (ret < 0 && range_lo > min) { - *mas = m; + mas_reset(mas); ret = mas_empty_area(mas, min, range_hi, 1); if (ret == 0) ret = 1; _ Patches currently in -mm which might be from Liam.Howlett(a)Oracle.com are maple_tree-reload-mas-before-the-second-call-for-mas_empty_area.patch test_maple_tree-test-exhausted-upper-limit-of-mtree_alloc_cyclic.patch

10 months, 1 week

1
0
0 0

[PATCH net] gve: trigger RX NAPI instead of TX NAPI in gve_xsk_wakeup

by Praveen Kaligineedi

From: Joshua Washington <joshwash(a)google.com> Commit ba0925c34e0f ("gve: process XSK TX descriptors as part of RX NAPI") moved XSK TX processing to be part of the RX NAPI. However, that commit did not include triggering the RX NAPI in gve_xsk_wakeup. This is necessary because the TX NAPI only processes TX completions, meaning that a TX wakeup would not actually trigger XSK descriptor processing. Also, the branch on XDP_WAKEUP_TX was supposed to have been removed, as the NAPI should be scheduled whether the wakeup is for RX or TX. Fixes: ba0925c34e0f ("gve: process XSK TX descriptors as part of RX NAPI") Cc: stable(a)vger.kernel.org Signed-off-by: Joshua Washington <joshwash(a)google.com> Signed-off-by: Praveen Kaligineedi <pkaligineedi(a)google.com> --- drivers/net/ethernet/google/gve/gve_main.c | 21 +++++++-------------- 1 file changed, 7 insertions(+), 14 deletions(-) diff --git a/drivers/net/ethernet/google/gve/gve_main.c b/drivers/net/ethernet/google/gve/gve_main.c index 09fb7f16f73e..8a8f6ab12a98 100644 --- a/drivers/net/ethernet/google/gve/gve_main.c +++ b/drivers/net/ethernet/google/gve/gve_main.c @@ -1714,7 +1714,7 @@ static int gve_xsk_pool_disable(struct net_device *dev, static int gve_xsk_wakeup(struct net_device *dev, u32 queue_id, u32 flags) { struct gve_priv *priv = netdev_priv(dev); - int tx_queue_id = gve_xdp_tx_queue_id(priv, queue_id); + struct napi_struct *napi; if (!gve_get_napi_enabled(priv)) return -ENETDOWN; @@ -1722,19 +1722,12 @@ static int gve_xsk_wakeup(struct net_device *dev, u32 queue_id, u32 flags) if (queue_id >= priv->rx_cfg.num_queues || !priv->xdp_prog) return -EINVAL; - if (flags & XDP_WAKEUP_TX) { - struct gve_tx_ring *tx = &priv->tx[tx_queue_id]; - struct napi_struct *napi = - &priv->ntfy_blocks[tx->ntfy_id].napi; - - if (!napi_if_scheduled_mark_missed(napi)) { - /* Call local_bh_enable to trigger SoftIRQ processing */ - local_bh_disable(); - napi_schedule(napi); - local_bh_enable(); - } - - tx->xdp_xsk_wakeup++; + napi = &priv->ntfy_blocks[gve_rx_idx_to_ntfy(priv, queue_id)].napi; + if (!napi_if_scheduled_mark_missed(napi)) { + /* Call local_bh_enable to trigger SoftIRQ processing */ + local_bh_disable(); + napi_schedule(napi); + local_bh_enable(); } return 0; -- 2.47.1.613.gc27f4b7a9f-goog

10 months, 1 week

2
1
0 0

btrfs: lsblk multiple mount point issue on LTS 6.6

by Mike Pagano

Greg, A Gentoo user found an issue with btrfs where: "... upstream commit a5d74fa24752 ("btrfs: avoid unnecessary device path update for the same device") breaks 6.6 LTS kernel behavior where previously lsblk can properly show multiple mount points of the same btrfs" There's a revert on the bug report [1]. The fix by the author can be found on linux-btrfs [2] [1] https://bugs.gentoo.org/947126 [2] https://lore.kernel.org/linux-btrfs/30aefd8b4e8c1f0c5051630b106a1ff3570d28e… Mike -- Mike Pagano Gentoo Developer - Kernel Project E-Mail : mpagano(a)gentoo.org GnuPG FP : 52CC A0B0 F631 0B17 0142 F83F 92A6 DBEC 81F2 B137 Public Key : http://pgp.mit.edu/pks/lookup?search=0x92A6DBEC81F2B137&op=index

10 months, 1 week

2
1
0 0

[PATCH v2 1/2] fs/proc: do_task_stat: Fix ESP not readable during coredump

by Nam Cao

The field "eip" (instruction pointer) and "esp" (stack pointer) of a task can be read from /proc/PID/stat. These fields can be interesting for coredump. However, these fields were disabled by commit 0a1eb2d474ed ("fs/proc: Stop reporting eip and esp in /proc/PID/stat"), because it is generally unsafe to do so. But it is safe for a coredumping process, and therefore exceptions were made: - for a coredumping thread by commit fd7d56270b52 ("fs/proc: Report eip/esp in /prod/PID/stat for coredumping"). - for all other threads in a coredumping process by commit cb8f381f1613 ("fs/proc/array.c: allow reporting eip/esp for all coredumping threads"). The above two commits check the PF_DUMPCORE flag to determine a coredump thread and the PF_EXITING flag for the other threads. Unfortunately, commit 92307383082d ("coredump: Don't perform any cleanups before dumping core") moved coredump to happen earlier and before PF_EXITING is set. Thus, checking PF_EXITING is no longer the correct way to determine threads in a coredumping process. Instead of PF_EXITING, use PF_POSTCOREDUMP to determine the other threads. Checking of PF_EXITING was added for coredumping, so it probably can now be removed. But it doesn't hurt to keep. Fixes: 92307383082d ("coredump: Don't perform any cleanups before dumping core") Cc: stable(a)vger.kernel.org Cc: Eric W. Biederman <ebiederm(a)xmission.com> Acked-by: Oleg Nesterov <oleg(a)redhat.com> Signed-off-by: Nam Cao <namcao(a)linutronix.de> --- fs/proc/array.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/proc/array.c b/fs/proc/array.c index 55ed3510d2bb..d6a0369caa93 100644 --- a/fs/proc/array.c +++ b/fs/proc/array.c @@ -500,7 +500,7 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, * a program is not able to use ptrace(2) in that case. It is * safe because the task has stopped executing permanently. */ - if (permitted && (task->flags & (PF_EXITING|PF_DUMPCORE))) { + if (permitted && (task->flags & (PF_EXITING|PF_DUMPCORE|PF_POSTCOREDUMP))) { if (try_get_task_stack(task)) { eip = KSTK_EIP(task); esp = KSTK_ESP(task); -- 2.39.5

10 months, 1 week

2
1
0 0

Re: [PATCH 6.12 000/114] 6.12.8-rc1 review

by Ronald Warsow

Hi Greg no regressions here on x86_64 (RKL, Intel 11th Gen. CPU) Thanks Tested-by: Ronald Warsow <rwarsow(a)gmx.de>

10 months, 1 week

1
0
0 0

Re: Patch "watchdog: s3c2410_wdt: add support for exynosautov920 SoC" has been added to the 6.12-stable tree

by Krzysztof Kozlowski

On 28/12/2024 15:20, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > watchdog: s3c2410_wdt: add support for exynosautov920 SoC > > to the 6.12-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > watchdog-s3c2410_wdt-add-support-for-exynosautov920-.patch > and it can be found in the queue-6.12 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. This is a new device support, depending on several other pieces like syscon support, Exynos PMU and of course arm64/boot/dts patches. It really relies on the rest of SoC support and alone is useless. This is way beyond simple quirks thus I believe it does not meet stable criteria at all. Based on that I recommend to drop this patch from stable backports. Best regards, Krzysztof

10 months, 1 week

2
1
0 0

[PATCH stable 5.15] net:dsa:fix the dsa_ptr null pointer dereference

by jiang.kun2＠zte.com.cn

From: Peilin He<he.peilin(a)zte.com.cn> Upstream commit 6c24a03a61a2 ("net: dsa: improve shutdown sequence") Issue ===== Repeatedly accessing the DSA Ethernet controller via the ethtool command, followed by a system reboot, may trigger a DSA null pointer dereference, causing a kernel panic and preventing the system from rebooting properly. This can lead to data loss or denial-of-service, resulting in serious consequences. The following is the panic log: [ 172.523467] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 [ 172.706923] Call trace: [ 172.709371] dsa_master_get_sset_count+0x24/0xa4 [ 172.714000] ethtool_get_drvinfo+0x8c/0x210 [ 172.718193] dev_ethtool+0x780/0x2120 [ 172.721863] dev_ioctl+0x1b0/0x580 [ 172.725273] sock_do_ioctl+0xc0/0x100 [ 172.728944] sock_ioctl+0x130/0x3c0 [ 172.732440] __arm64_sys_ioctl+0xb4/0x100 [ 172.736460] invoke_syscall+0x50/0x120 [ 172.740219] el0_svc_common.constprop.0+0x4c/0xf4 [ 172.744936] do_el0_svc+0x2c/0xa0 [ 172.748257] el0_svc+0x20/0x60 [ 172.751318] el0t_64_sync_handler+0xe8/0x114 [ 172.755599] el0t_64_sync+0x180/0x184 [ 172.759271] Code: a90153f3 2a0103f4 a9025bf5 f9418015 (f94012b6) [ 172.765383] ---[ end trace 0000000000000002 ]--- Root Cause ========== Based on analysis of the Linux 5.15 stable version, the function dsa_master_get_sset_count() accesses members of the structure pointed to by cpu_dp without checking for a null pointer. If cpu_dp is a null pointer, this will cause a kernel panic. static int dsa_master_get_sset_count(struct net_device *dev, int sset) { struct dsa_port *cpu_dp = dev->dsa_ptr; const struct ethtool_ops *ops = cpu_dp->orig_ethtool_ops; struct dsa_switch *ds = cpu_dp->ds; ... } dev->dsa_ptr is set to NULL in the dsa_switch_shutdown() or dsa_master_teardown() functions. When the DSA module unloads, dsa_master_ethtool_teardown(dev) restores the original copy of the DSA device's ethtool_ops using "dev->ethtool_ops = cpu_dp->orig_ethtool_ops;" before setting dev->dsa_ptr to NULL. This ensures that ethtool_ops remains accessible after DSA unloads. However, dsa_switch_shutdown does not restore the original copy of the DSA device's ethtool_ops, potentially leading to a null pointer dereference of dsa_ptr and causing a system panic. Essentially, when we set master->dsa_ptr to NULL, we need to ensure that no user ports are making requests to the DSA driver. Solution ======== The addition of the netif_device_detach() function is to ensure that ioctls, rtnetlinks and ethtool requests on the user ports no longer propagate down to the driver - we're no longer prepared to handle them. Fixes: ee534378f005 ("net: dsa: fix panic when DSA master device unbinds on shutdown") Suggested-by: Vladimir Oltean <vladimir.oltean(a)nxp.com> Signed-off-by: Peilin He <he.peilin(a)zte.com.cn> Reviewed-by: xu xin <xu.xin16(a)zte.com.cn> Signed-off-by: Kun Jiang <jiang.kun2(a)zte.com.cn> Cc: Fan Yu <fan.yu9(a)zte.com.cn> Cc: Yutan Qiu <qiu.yutan(a)zte.com.cn> Cc: Yaxin Wang <wang.yaxin(a)zte.com.cn> Cc: tuqiang <tu.qiang35(a)zte.com.cn> Cc: Yang Yang <yang.yang29(a)zte.com.cn> Cc: ye xingchen <ye.xingchen(a)zte.com.cn> Cc: Yunkai Zhang <zhang.yunkai(a)zte.com.cn> --- net/dsa/dsa2.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/net/dsa/dsa2.c b/net/dsa/dsa2.c index 543834e31298..bf384b30ec0a 100644 --- a/net/dsa/dsa2.c +++ b/net/dsa/dsa2.c @@ -1656,6 +1656,7 @@ EXPORT_SYMBOL_GPL(dsa_unregister_switch); void dsa_switch_shutdown(struct dsa_switch *ds) { struct net_device *master, *slave_dev; + LIST_HEAD(close_list); struct dsa_port *dp; mutex_lock(&dsa2_mutex); @@ -1665,6 +1666,11 @@ void dsa_switch_shutdown(struct dsa_switch *ds) rtnl_lock(); + dsa_switch_for_each_cpu_port(dp, ds) + list_add(&dp->master->close_list, &close_list); + + dev_close_many(&close_list, true); + list_for_each_entry(dp, &ds->dst->ports, list) { if (dp->ds != ds) continue; @@ -1675,6 +1681,7 @@ void dsa_switch_shutdown(struct dsa_switch *ds) master = dp->cpu_dp->master; slave_dev = dp->slave; + netif_device_detach(slave_dev); netdev_upper_dev_unlink(master, slave_dev); } -- 2.25.1

10 months, 1 week

2
1
0 0

[PATCH 6/6] nvmem: core: improve range check for nvmem_cell_write()

by srinivas.kandagatla＠linaro.org

From: Jennifer Berringer <jberring(a)redhat.com> When __nvmem_cell_entry_write() is called for an nvmem cell that does not need bit shifting, it requires that the len parameter exactly matches the nvmem cell size. However, when the nvmem cell has a nonzero bit_offset, it was skipping this check. Accepting values of len larger than the cell size results in nvmem_cell_prepare_write_buffer() trying to write past the end of a heap buffer that it allocates. Add a check to avoid that problem and instead return -EINVAL when len doesn't match the number of bits expected by the nvmem cell when bit_offset is nonzero. This check uses cell->nbits in order to allow providing the smaller size to cells that are shifted into another byte by bit_offset. For example, a cell with nbits=8 and nonzero bit_offset would have bytes=2 but should accept a 1-byte write here, although no current callers depend on this. Fixes: 69aba7948cbe ("nvmem: Add a simple NVMEM framework for consumers") Cc: stable(a)vger.kernel.org Signed-off-by: Jennifer Berringer <jberring(a)redhat.com> Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> --- drivers/nvmem/core.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/nvmem/core.c b/drivers/nvmem/core.c index d6494dfc20a7..845540b57e68 100644 --- a/drivers/nvmem/core.c +++ b/drivers/nvmem/core.c @@ -1790,6 +1790,8 @@ static int __nvmem_cell_entry_write(struct nvmem_cell_entry *cell, void *buf, si return -EINVAL; if (cell->bit_offset || cell->nbits) { + if (len != BITS_TO_BYTES(cell->nbits) && len != cell->bytes) + return -EINVAL; buf = nvmem_cell_prepare_write_buffer(cell, buf, len); if (IS_ERR(buf)) return PTR_ERR(buf); -- 2.25.1

10 months, 1 week

1
0
0 0

[PATCH 5/6] nvmem: qcom-spmi-sdam: Set size in struct nvmem_config

by srinivas.kandagatla＠linaro.org

From: Luca Weiss <luca.weiss(a)fairphone.com> Let the nvmem core know what size the SDAM is, most notably this fixes the size of /sys/bus/nvmem/devices/spmi_sdam*/nvmem being '0' and makes user space work with that file. ~ # hexdump -C -s 64 /sys/bus/nvmem/devices/spmi_sdam2/nvmem 00000040 02 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 |................| 00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00000080 Fixes: 40ce9798794f ("nvmem: add QTI SDAM driver") Cc: stable(a)vger.kernel.org Signed-off-by: Luca Weiss <luca.weiss(a)fairphone.com> Reviewed-by: Vladimir Zapolskiy <vladimir.zapolskiy(a)linaro.org> Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> --- drivers/nvmem/qcom-spmi-sdam.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/nvmem/qcom-spmi-sdam.c b/drivers/nvmem/qcom-spmi-sdam.c index 9aa8f42faa4c..4f1cca6eab71 100644 --- a/drivers/nvmem/qcom-spmi-sdam.c +++ b/drivers/nvmem/qcom-spmi-sdam.c @@ -144,6 +144,7 @@ static int sdam_probe(struct platform_device *pdev) sdam->sdam_config.owner = THIS_MODULE; sdam->sdam_config.add_legacy_fixed_of_cells = true; sdam->sdam_config.stride = 1; + sdam->sdam_config.size = sdam->size; sdam->sdam_config.word_size = 1; sdam->sdam_config.reg_read = sdam_read; sdam->sdam_config.reg_write = sdam_write; -- 2.25.1

10 months, 1 week

1
0
0 0

Request to backport fixes for crash in hci_unregister_dev() to 6.12.y

by Fedor Pchelkin

On 6.12 there is a kernel crash during the release of btusb Mediatek device. list_del corruption, ffff8aae1f024000->next is LIST_POISON1 (dead000000000100) ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:56! Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 3 UID: 0 PID: 3770 Comm: qemu-system-x86 Tainted: G W 6.12.5-200.fc41.x86_64 #1 Tainted: [W]=WARN Hardware name: ASUS System Product Name/PRIME X670E-PRO WIFI, BIOS 3035 09/05/2024 RIP: 0010:__list_del_entry_valid_or_report.cold+0x5c/0x6f Call Trace: <TASK> hci_unregister_dev+0x46/0x1f0 [bluetooth] btusb_disconnect+0x67/0x170 [btusb] usb_unbind_interface+0x95/0x2d0 device_release_driver_internal+0x19c/0x200 proc_ioctl+0x1be/0x230 usbdev_ioctl+0x6bd/0x1430 __x64_sys_ioctl+0x91/0xd0 do_syscall_64+0x82/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e Note: Taint is due to the amdgpu warnings, totally unrelated to the issue. The bug has been fixed "silently" in upstream with the following series of 4 commits [1]: ad0c6f603bb0 ("Bluetooth: btusb: mediatek: move Bluetooth power off command position") cea1805f165c ("Bluetooth: btusb: mediatek: add callback function in btusb_disconnect") 489304e67087 ("Bluetooth: btusb: mediatek: add intf release flow when usb disconnect") defc33b5541e ("Bluetooth: btusb: mediatek: change the conditions for ISO interface") These commits can be cleanly cherry-picked to 6.12.y and I may confirm they fix the problem. FWIW, the offending commit is ceac1cb0259d ("Bluetooth: btusb: mediatek: add ISO data transmission functions") and it is present in 6.11.y and 6.12.y. 6.11.y is EOL, so please apply the patches to 6.12.y. [1]: https://lore.kernel.org/linux-bluetooth/20240923084705.14123-1-chris.lu@med… -- Thanks, Fedor

10 months, 1 week

2
1
0 0

FAILED: patch "[PATCH] btrfs: allow swap activation to be interruptible" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 9a45022a0efadd99bcc58f7f1cc2b6fb3b808c40 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123040-crablike-vision-ad10@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9a45022a0efadd99bcc58f7f1cc2b6fb3b808c40 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Mon, 9 Dec 2024 16:31:41 +0000 Subject: [PATCH] btrfs: allow swap activation to be interruptible During swap activation we iterate over the extents of a file, then do several checks for each extent, some of which may take some significant time such as checking if an extent is shared. Since a file can have many thousands of extents, this can be a very slow operation and it's currently not interruptible. I had a bug during development of a previous patch that resulted in an infinite loop when iterating the extents, so a core was busy looping and I couldn't cancel the operation, which is very annoying and requires a reboot. So make the loop interruptible by checking for fatal signals at the end of each iteration and stopping immediately if there is one. CC: stable(a)vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index b87f19630b00..c4675f4345fd 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -10073,6 +10073,11 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, bsi.block_start = physical_block_start; bsi.block_len = len; } + + if (fatal_signal_pending(current)) { + ret = -EINTR; + goto out; + } } if (bsi.block_len)

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] btrfs: allow swap activation to be interruptible" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 9a45022a0efadd99bcc58f7f1cc2b6fb3b808c40 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123039-broadside-tuesday-404a@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9a45022a0efadd99bcc58f7f1cc2b6fb3b808c40 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Mon, 9 Dec 2024 16:31:41 +0000 Subject: [PATCH] btrfs: allow swap activation to be interruptible During swap activation we iterate over the extents of a file, then do several checks for each extent, some of which may take some significant time such as checking if an extent is shared. Since a file can have many thousands of extents, this can be a very slow operation and it's currently not interruptible. I had a bug during development of a previous patch that resulted in an infinite loop when iterating the extents, so a core was busy looping and I couldn't cancel the operation, which is very annoying and requires a reboot. So make the loop interruptible by checking for fatal signals at the end of each iteration and stopping immediately if there is one. CC: stable(a)vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index b87f19630b00..c4675f4345fd 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -10073,6 +10073,11 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, bsi.block_start = physical_block_start; bsi.block_len = len; } + + if (fatal_signal_pending(current)) { + ret = -EINTR; + goto out; + } } if (bsi.block_len)

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] btrfs: allow swap activation to be interruptible" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 9a45022a0efadd99bcc58f7f1cc2b6fb3b808c40 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123039-vivacious-clutch-03a5@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9a45022a0efadd99bcc58f7f1cc2b6fb3b808c40 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Mon, 9 Dec 2024 16:31:41 +0000 Subject: [PATCH] btrfs: allow swap activation to be interruptible During swap activation we iterate over the extents of a file, then do several checks for each extent, some of which may take some significant time such as checking if an extent is shared. Since a file can have many thousands of extents, this can be a very slow operation and it's currently not interruptible. I had a bug during development of a previous patch that resulted in an infinite loop when iterating the extents, so a core was busy looping and I couldn't cancel the operation, which is very annoying and requires a reboot. So make the loop interruptible by checking for fatal signals at the end of each iteration and stopping immediately if there is one. CC: stable(a)vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index b87f19630b00..c4675f4345fd 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -10073,6 +10073,11 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, bsi.block_start = physical_block_start; bsi.block_len = len; } + + if (fatal_signal_pending(current)) { + ret = -EINTR; + goto out; + } } if (bsi.block_len)

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] btrfs: allow swap activation to be interruptible" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 9a45022a0efadd99bcc58f7f1cc2b6fb3b808c40 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123038-headscarf-village-fcdb@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9a45022a0efadd99bcc58f7f1cc2b6fb3b808c40 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Mon, 9 Dec 2024 16:31:41 +0000 Subject: [PATCH] btrfs: allow swap activation to be interruptible During swap activation we iterate over the extents of a file, then do several checks for each extent, some of which may take some significant time such as checking if an extent is shared. Since a file can have many thousands of extents, this can be a very slow operation and it's currently not interruptible. I had a bug during development of a previous patch that resulted in an infinite loop when iterating the extents, so a core was busy looping and I couldn't cancel the operation, which is very annoying and requires a reboot. So make the loop interruptible by checking for fatal signals at the end of each iteration and stopping immediately if there is one. CC: stable(a)vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index b87f19630b00..c4675f4345fd 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -10073,6 +10073,11 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, bsi.block_start = physical_block_start; bsi.block_len = len; } + + if (fatal_signal_pending(current)) { + ret = -EINTR; + goto out; + } } if (bsi.block_len)

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] btrfs: allow swap activation to be interruptible" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 9a45022a0efadd99bcc58f7f1cc2b6fb3b808c40 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123037-theology-zookeeper-1b67@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9a45022a0efadd99bcc58f7f1cc2b6fb3b808c40 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Mon, 9 Dec 2024 16:31:41 +0000 Subject: [PATCH] btrfs: allow swap activation to be interruptible During swap activation we iterate over the extents of a file, then do several checks for each extent, some of which may take some significant time such as checking if an extent is shared. Since a file can have many thousands of extents, this can be a very slow operation and it's currently not interruptible. I had a bug during development of a previous patch that resulted in an infinite loop when iterating the extents, so a core was busy looping and I couldn't cancel the operation, which is very annoying and requires a reboot. So make the loop interruptible by checking for fatal signals at the end of each iteration and stopping immediately if there is one. CC: stable(a)vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index b87f19630b00..c4675f4345fd 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -10073,6 +10073,11 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, bsi.block_start = physical_block_start; bsi.block_len = len; } + + if (fatal_signal_pending(current)) { + ret = -EINTR; + goto out; + } } if (bsi.block_len)

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] btrfs: allow swap activation to be interruptible" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 9a45022a0efadd99bcc58f7f1cc2b6fb3b808c40 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123036-grout-exposure-3af8@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9a45022a0efadd99bcc58f7f1cc2b6fb3b808c40 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Mon, 9 Dec 2024 16:31:41 +0000 Subject: [PATCH] btrfs: allow swap activation to be interruptible During swap activation we iterate over the extents of a file, then do several checks for each extent, some of which may take some significant time such as checking if an extent is shared. Since a file can have many thousands of extents, this can be a very slow operation and it's currently not interruptible. I had a bug during development of a previous patch that resulted in an infinite loop when iterating the extents, so a core was busy looping and I couldn't cancel the operation, which is very annoying and requires a reboot. So make the loop interruptible by checking for fatal signals at the end of each iteration and stopping immediately if there is one. CC: stable(a)vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index b87f19630b00..c4675f4345fd 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -10073,6 +10073,11 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, bsi.block_start = physical_block_start; bsi.block_len = len; } + + if (fatal_signal_pending(current)) { + ret = -EINTR; + goto out; + } } if (bsi.block_len)

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix use-after-free waiting for encoded read endios" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x d29662695ed7c015521e5fc9387df25aab192a2e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123056-thrash-utility-f7d7@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d29662695ed7c015521e5fc9387df25aab192a2e Mon Sep 17 00:00:00 2001 From: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Date: Wed, 13 Nov 2024 18:16:49 +0100 Subject: [PATCH] btrfs: fix use-after-free waiting for encoded read endios Fix a use-after-free in the I/O completion path for encoded reads by using a completion instead of a wait_queue for synchronizing the destruction of 'struct btrfs_encoded_read_private'. Fixes: 1881fba89bd5 ("btrfs: add BTRFS_IOC_ENCODED_READ ioctl") CC: stable(a)vger.kernel.org # 6.1+ Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index 94c8809e8170..6baa0269a85b 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -9078,9 +9078,9 @@ static ssize_t btrfs_encoded_read_inline( } struct btrfs_encoded_read_private { - wait_queue_head_t wait; + struct completion done; void *uring_ctx; - atomic_t pending; + refcount_t pending_refs; blk_status_t status; }; @@ -9099,14 +9099,14 @@ static void btrfs_encoded_read_endio(struct btrfs_bio *bbio) */ WRITE_ONCE(priv->status, bbio->bio.bi_status); } - if (atomic_dec_and_test(&priv->pending)) { + if (refcount_dec_and_test(&priv->pending_refs)) { int err = blk_status_to_errno(READ_ONCE(priv->status)); if (priv->uring_ctx) { btrfs_uring_read_extent_endio(priv->uring_ctx, err); kfree(priv); } else { - wake_up(&priv->wait); + complete(&priv->done); } } bio_put(&bbio->bio); @@ -9126,8 +9126,8 @@ int btrfs_encoded_read_regular_fill_pages(struct btrfs_inode *inode, if (!priv) return -ENOMEM; - init_waitqueue_head(&priv->wait); - atomic_set(&priv->pending, 1); + init_completion(&priv->done); + refcount_set(&priv->pending_refs, 1); priv->status = 0; priv->uring_ctx = uring_ctx; @@ -9140,7 +9140,7 @@ int btrfs_encoded_read_regular_fill_pages(struct btrfs_inode *inode, size_t bytes = min_t(u64, disk_io_size, PAGE_SIZE); if (bio_add_page(&bbio->bio, pages[i], bytes, 0) < bytes) { - atomic_inc(&priv->pending); + refcount_inc(&priv->pending_refs); btrfs_submit_bbio(bbio, 0); bbio = btrfs_bio_alloc(BIO_MAX_VECS, REQ_OP_READ, fs_info, @@ -9155,11 +9155,11 @@ int btrfs_encoded_read_regular_fill_pages(struct btrfs_inode *inode, disk_io_size -= bytes; } while (disk_io_size); - atomic_inc(&priv->pending); + refcount_inc(&priv->pending_refs); btrfs_submit_bbio(bbio, 0); if (uring_ctx) { - if (atomic_dec_return(&priv->pending) == 0) { + if (refcount_dec_and_test(&priv->pending_refs)) { ret = blk_status_to_errno(READ_ONCE(priv->status)); btrfs_uring_read_extent_endio(uring_ctx, ret); kfree(priv); @@ -9168,8 +9168,8 @@ int btrfs_encoded_read_regular_fill_pages(struct btrfs_inode *inode, return -EIOCBQUEUED; } else { - if (atomic_dec_return(&priv->pending) != 0) - io_wait_event(priv->wait, !atomic_read(&priv->pending)); + if (!refcount_dec_and_test(&priv->pending_refs)) + wait_for_completion_io(&priv->done); /* See btrfs_encoded_read_endio() for ordering. */ ret = blk_status_to_errno(READ_ONCE(priv->status)); kfree(priv);

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix use-after-free waiting for encoded read endios" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x d29662695ed7c015521e5fc9387df25aab192a2e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123055-unholy-vice-e16b@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d29662695ed7c015521e5fc9387df25aab192a2e Mon Sep 17 00:00:00 2001 From: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Date: Wed, 13 Nov 2024 18:16:49 +0100 Subject: [PATCH] btrfs: fix use-after-free waiting for encoded read endios Fix a use-after-free in the I/O completion path for encoded reads by using a completion instead of a wait_queue for synchronizing the destruction of 'struct btrfs_encoded_read_private'. Fixes: 1881fba89bd5 ("btrfs: add BTRFS_IOC_ENCODED_READ ioctl") CC: stable(a)vger.kernel.org # 6.1+ Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index 94c8809e8170..6baa0269a85b 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -9078,9 +9078,9 @@ static ssize_t btrfs_encoded_read_inline( } struct btrfs_encoded_read_private { - wait_queue_head_t wait; + struct completion done; void *uring_ctx; - atomic_t pending; + refcount_t pending_refs; blk_status_t status; }; @@ -9099,14 +9099,14 @@ static void btrfs_encoded_read_endio(struct btrfs_bio *bbio) */ WRITE_ONCE(priv->status, bbio->bio.bi_status); } - if (atomic_dec_and_test(&priv->pending)) { + if (refcount_dec_and_test(&priv->pending_refs)) { int err = blk_status_to_errno(READ_ONCE(priv->status)); if (priv->uring_ctx) { btrfs_uring_read_extent_endio(priv->uring_ctx, err); kfree(priv); } else { - wake_up(&priv->wait); + complete(&priv->done); } } bio_put(&bbio->bio); @@ -9126,8 +9126,8 @@ int btrfs_encoded_read_regular_fill_pages(struct btrfs_inode *inode, if (!priv) return -ENOMEM; - init_waitqueue_head(&priv->wait); - atomic_set(&priv->pending, 1); + init_completion(&priv->done); + refcount_set(&priv->pending_refs, 1); priv->status = 0; priv->uring_ctx = uring_ctx; @@ -9140,7 +9140,7 @@ int btrfs_encoded_read_regular_fill_pages(struct btrfs_inode *inode, size_t bytes = min_t(u64, disk_io_size, PAGE_SIZE); if (bio_add_page(&bbio->bio, pages[i], bytes, 0) < bytes) { - atomic_inc(&priv->pending); + refcount_inc(&priv->pending_refs); btrfs_submit_bbio(bbio, 0); bbio = btrfs_bio_alloc(BIO_MAX_VECS, REQ_OP_READ, fs_info, @@ -9155,11 +9155,11 @@ int btrfs_encoded_read_regular_fill_pages(struct btrfs_inode *inode, disk_io_size -= bytes; } while (disk_io_size); - atomic_inc(&priv->pending); + refcount_inc(&priv->pending_refs); btrfs_submit_bbio(bbio, 0); if (uring_ctx) { - if (atomic_dec_return(&priv->pending) == 0) { + if (refcount_dec_and_test(&priv->pending_refs)) { ret = blk_status_to_errno(READ_ONCE(priv->status)); btrfs_uring_read_extent_endio(uring_ctx, ret); kfree(priv); @@ -9168,8 +9168,8 @@ int btrfs_encoded_read_regular_fill_pages(struct btrfs_inode *inode, return -EIOCBQUEUED; } else { - if (atomic_dec_return(&priv->pending) != 0) - io_wait_event(priv->wait, !atomic_read(&priv->pending)); + if (!refcount_dec_and_test(&priv->pending_refs)) + wait_for_completion_io(&priv->done); /* See btrfs_encoded_read_endio() for ordering. */ ret = blk_status_to_errno(READ_ONCE(priv->status)); kfree(priv);

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix use-after-free waiting for encoded read endios" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x d29662695ed7c015521e5fc9387df25aab192a2e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123053-neurosis-bounding-947c@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d29662695ed7c015521e5fc9387df25aab192a2e Mon Sep 17 00:00:00 2001 From: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Date: Wed, 13 Nov 2024 18:16:49 +0100 Subject: [PATCH] btrfs: fix use-after-free waiting for encoded read endios Fix a use-after-free in the I/O completion path for encoded reads by using a completion instead of a wait_queue for synchronizing the destruction of 'struct btrfs_encoded_read_private'. Fixes: 1881fba89bd5 ("btrfs: add BTRFS_IOC_ENCODED_READ ioctl") CC: stable(a)vger.kernel.org # 6.1+ Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index 94c8809e8170..6baa0269a85b 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -9078,9 +9078,9 @@ static ssize_t btrfs_encoded_read_inline( } struct btrfs_encoded_read_private { - wait_queue_head_t wait; + struct completion done; void *uring_ctx; - atomic_t pending; + refcount_t pending_refs; blk_status_t status; }; @@ -9099,14 +9099,14 @@ static void btrfs_encoded_read_endio(struct btrfs_bio *bbio) */ WRITE_ONCE(priv->status, bbio->bio.bi_status); } - if (atomic_dec_and_test(&priv->pending)) { + if (refcount_dec_and_test(&priv->pending_refs)) { int err = blk_status_to_errno(READ_ONCE(priv->status)); if (priv->uring_ctx) { btrfs_uring_read_extent_endio(priv->uring_ctx, err); kfree(priv); } else { - wake_up(&priv->wait); + complete(&priv->done); } } bio_put(&bbio->bio); @@ -9126,8 +9126,8 @@ int btrfs_encoded_read_regular_fill_pages(struct btrfs_inode *inode, if (!priv) return -ENOMEM; - init_waitqueue_head(&priv->wait); - atomic_set(&priv->pending, 1); + init_completion(&priv->done); + refcount_set(&priv->pending_refs, 1); priv->status = 0; priv->uring_ctx = uring_ctx; @@ -9140,7 +9140,7 @@ int btrfs_encoded_read_regular_fill_pages(struct btrfs_inode *inode, size_t bytes = min_t(u64, disk_io_size, PAGE_SIZE); if (bio_add_page(&bbio->bio, pages[i], bytes, 0) < bytes) { - atomic_inc(&priv->pending); + refcount_inc(&priv->pending_refs); btrfs_submit_bbio(bbio, 0); bbio = btrfs_bio_alloc(BIO_MAX_VECS, REQ_OP_READ, fs_info, @@ -9155,11 +9155,11 @@ int btrfs_encoded_read_regular_fill_pages(struct btrfs_inode *inode, disk_io_size -= bytes; } while (disk_io_size); - atomic_inc(&priv->pending); + refcount_inc(&priv->pending_refs); btrfs_submit_bbio(bbio, 0); if (uring_ctx) { - if (atomic_dec_return(&priv->pending) == 0) { + if (refcount_dec_and_test(&priv->pending_refs)) { ret = blk_status_to_errno(READ_ONCE(priv->status)); btrfs_uring_read_extent_endio(uring_ctx, ret); kfree(priv); @@ -9168,8 +9168,8 @@ int btrfs_encoded_read_regular_fill_pages(struct btrfs_inode *inode, return -EIOCBQUEUED; } else { - if (atomic_dec_return(&priv->pending) != 0) - io_wait_event(priv->wait, !atomic_read(&priv->pending)); + if (!refcount_dec_and_test(&priv->pending_refs)) + wait_for_completion_io(&priv->done); /* See btrfs_encoded_read_endio() for ordering. */ ret = blk_status_to_errno(READ_ONCE(priv->status)); kfree(priv);

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix use-after-free when COWing tree bock and tracing" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 44f52bbe96dfdbe4aca3818a2534520082a07040 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123027-yeah-suitcase-41e7@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 44f52bbe96dfdbe4aca3818a2534520082a07040 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Wed, 11 Dec 2024 16:08:07 +0000 Subject: [PATCH] btrfs: fix use-after-free when COWing tree bock and tracing is enabled When a COWing a tree block, at btrfs_cow_block(), and we have the tracepoint trace_btrfs_cow_block() enabled and preemption is also enabled (CONFIG_PREEMPT=y), we can trigger a use-after-free in the COWed extent buffer while inside the tracepoint code. This is because in some paths that call btrfs_cow_block(), such as btrfs_search_slot(), we are holding the last reference on the extent buffer @buf so btrfs_force_cow_block() drops the last reference on the @buf extent buffer when it calls free_extent_buffer_stale(buf), which schedules the release of the extent buffer with RCU. This means that if we are on a kernel with preemption, the current task may be preempted before calling trace_btrfs_cow_block() and the extent buffer already released by the time trace_btrfs_cow_block() is called, resulting in a use-after-free. Fix this by moving the trace_btrfs_cow_block() from btrfs_cow_block() to btrfs_force_cow_block() before the COWed extent buffer is freed. This also has a side effect of invoking the tracepoint in the tree defrag code, at defrag.c:btrfs_realloc_node(), since btrfs_force_cow_block() is called there, but this is fine and it was actually missing there. Reported-by: syzbot+8517da8635307182c8a5(a)syzkaller.appspotmail.com Link: https://lore.kernel.org/linux-btrfs/6759a9b9.050a0220.1ac542.000d.GAE@googl… CC: stable(a)vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c index 693dc27ffb89..185985a337b3 100644 --- a/fs/btrfs/ctree.c +++ b/fs/btrfs/ctree.c @@ -654,6 +654,8 @@ int btrfs_force_cow_block(struct btrfs_trans_handle *trans, goto error_unlock_cow; } } + + trace_btrfs_cow_block(root, buf, cow); if (unlock_orig) btrfs_tree_unlock(buf); free_extent_buffer_stale(buf); @@ -710,7 +712,6 @@ int btrfs_cow_block(struct btrfs_trans_handle *trans, { struct btrfs_fs_info *fs_info = root->fs_info; u64 search_start; - int ret; if (unlikely(test_bit(BTRFS_ROOT_DELETING, &root->state))) { btrfs_abort_transaction(trans, -EUCLEAN); @@ -751,12 +752,8 @@ int btrfs_cow_block(struct btrfs_trans_handle *trans, * Also We don't care about the error, as it's handled internally. */ btrfs_qgroup_trace_subtree_after_cow(trans, root, buf); - ret = btrfs_force_cow_block(trans, root, buf, parent, parent_slot, - cow_ret, search_start, 0, nest); - - trace_btrfs_cow_block(root, buf, *cow_ret); - - return ret; + return btrfs_force_cow_block(trans, root, buf, parent, parent_slot, + cow_ret, search_start, 0, nest); } ALLOW_ERROR_INJECTION(btrfs_cow_block, ERRNO);

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix use-after-free when COWing tree bock and tracing" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 44f52bbe96dfdbe4aca3818a2534520082a07040 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123025-animal-itunes-c557@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 44f52bbe96dfdbe4aca3818a2534520082a07040 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Wed, 11 Dec 2024 16:08:07 +0000 Subject: [PATCH] btrfs: fix use-after-free when COWing tree bock and tracing is enabled When a COWing a tree block, at btrfs_cow_block(), and we have the tracepoint trace_btrfs_cow_block() enabled and preemption is also enabled (CONFIG_PREEMPT=y), we can trigger a use-after-free in the COWed extent buffer while inside the tracepoint code. This is because in some paths that call btrfs_cow_block(), such as btrfs_search_slot(), we are holding the last reference on the extent buffer @buf so btrfs_force_cow_block() drops the last reference on the @buf extent buffer when it calls free_extent_buffer_stale(buf), which schedules the release of the extent buffer with RCU. This means that if we are on a kernel with preemption, the current task may be preempted before calling trace_btrfs_cow_block() and the extent buffer already released by the time trace_btrfs_cow_block() is called, resulting in a use-after-free. Fix this by moving the trace_btrfs_cow_block() from btrfs_cow_block() to btrfs_force_cow_block() before the COWed extent buffer is freed. This also has a side effect of invoking the tracepoint in the tree defrag code, at defrag.c:btrfs_realloc_node(), since btrfs_force_cow_block() is called there, but this is fine and it was actually missing there. Reported-by: syzbot+8517da8635307182c8a5(a)syzkaller.appspotmail.com Link: https://lore.kernel.org/linux-btrfs/6759a9b9.050a0220.1ac542.000d.GAE@googl… CC: stable(a)vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c index 693dc27ffb89..185985a337b3 100644 --- a/fs/btrfs/ctree.c +++ b/fs/btrfs/ctree.c @@ -654,6 +654,8 @@ int btrfs_force_cow_block(struct btrfs_trans_handle *trans, goto error_unlock_cow; } } + + trace_btrfs_cow_block(root, buf, cow); if (unlock_orig) btrfs_tree_unlock(buf); free_extent_buffer_stale(buf); @@ -710,7 +712,6 @@ int btrfs_cow_block(struct btrfs_trans_handle *trans, { struct btrfs_fs_info *fs_info = root->fs_info; u64 search_start; - int ret; if (unlikely(test_bit(BTRFS_ROOT_DELETING, &root->state))) { btrfs_abort_transaction(trans, -EUCLEAN); @@ -751,12 +752,8 @@ int btrfs_cow_block(struct btrfs_trans_handle *trans, * Also We don't care about the error, as it's handled internally. */ btrfs_qgroup_trace_subtree_after_cow(trans, root, buf); - ret = btrfs_force_cow_block(trans, root, buf, parent, parent_slot, - cow_ret, search_start, 0, nest); - - trace_btrfs_cow_block(root, buf, *cow_ret); - - return ret; + return btrfs_force_cow_block(trans, root, buf, parent, parent_slot, + cow_ret, search_start, 0, nest); } ALLOW_ERROR_INJECTION(btrfs_cow_block, ERRNO);

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix use-after-free when COWing tree bock and tracing" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 44f52bbe96dfdbe4aca3818a2534520082a07040 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123023-hardy-ravioli-a818@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 44f52bbe96dfdbe4aca3818a2534520082a07040 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Wed, 11 Dec 2024 16:08:07 +0000 Subject: [PATCH] btrfs: fix use-after-free when COWing tree bock and tracing is enabled When a COWing a tree block, at btrfs_cow_block(), and we have the tracepoint trace_btrfs_cow_block() enabled and preemption is also enabled (CONFIG_PREEMPT=y), we can trigger a use-after-free in the COWed extent buffer while inside the tracepoint code. This is because in some paths that call btrfs_cow_block(), such as btrfs_search_slot(), we are holding the last reference on the extent buffer @buf so btrfs_force_cow_block() drops the last reference on the @buf extent buffer when it calls free_extent_buffer_stale(buf), which schedules the release of the extent buffer with RCU. This means that if we are on a kernel with preemption, the current task may be preempted before calling trace_btrfs_cow_block() and the extent buffer already released by the time trace_btrfs_cow_block() is called, resulting in a use-after-free. Fix this by moving the trace_btrfs_cow_block() from btrfs_cow_block() to btrfs_force_cow_block() before the COWed extent buffer is freed. This also has a side effect of invoking the tracepoint in the tree defrag code, at defrag.c:btrfs_realloc_node(), since btrfs_force_cow_block() is called there, but this is fine and it was actually missing there. Reported-by: syzbot+8517da8635307182c8a5(a)syzkaller.appspotmail.com Link: https://lore.kernel.org/linux-btrfs/6759a9b9.050a0220.1ac542.000d.GAE@googl… CC: stable(a)vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c index 693dc27ffb89..185985a337b3 100644 --- a/fs/btrfs/ctree.c +++ b/fs/btrfs/ctree.c @@ -654,6 +654,8 @@ int btrfs_force_cow_block(struct btrfs_trans_handle *trans, goto error_unlock_cow; } } + + trace_btrfs_cow_block(root, buf, cow); if (unlock_orig) btrfs_tree_unlock(buf); free_extent_buffer_stale(buf); @@ -710,7 +712,6 @@ int btrfs_cow_block(struct btrfs_trans_handle *trans, { struct btrfs_fs_info *fs_info = root->fs_info; u64 search_start; - int ret; if (unlikely(test_bit(BTRFS_ROOT_DELETING, &root->state))) { btrfs_abort_transaction(trans, -EUCLEAN); @@ -751,12 +752,8 @@ int btrfs_cow_block(struct btrfs_trans_handle *trans, * Also We don't care about the error, as it's handled internally. */ btrfs_qgroup_trace_subtree_after_cow(trans, root, buf); - ret = btrfs_force_cow_block(trans, root, buf, parent, parent_slot, - cow_ret, search_start, 0, nest); - - trace_btrfs_cow_block(root, buf, *cow_ret); - - return ret; + return btrfs_force_cow_block(trans, root, buf, parent, parent_slot, + cow_ret, search_start, 0, nest); } ALLOW_ERROR_INJECTION(btrfs_cow_block, ERRNO);

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix use-after-free when COWing tree bock and tracing" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 44f52bbe96dfdbe4aca3818a2534520082a07040 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123021-campus-undoing-7345@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 44f52bbe96dfdbe4aca3818a2534520082a07040 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Wed, 11 Dec 2024 16:08:07 +0000 Subject: [PATCH] btrfs: fix use-after-free when COWing tree bock and tracing is enabled When a COWing a tree block, at btrfs_cow_block(), and we have the tracepoint trace_btrfs_cow_block() enabled and preemption is also enabled (CONFIG_PREEMPT=y), we can trigger a use-after-free in the COWed extent buffer while inside the tracepoint code. This is because in some paths that call btrfs_cow_block(), such as btrfs_search_slot(), we are holding the last reference on the extent buffer @buf so btrfs_force_cow_block() drops the last reference on the @buf extent buffer when it calls free_extent_buffer_stale(buf), which schedules the release of the extent buffer with RCU. This means that if we are on a kernel with preemption, the current task may be preempted before calling trace_btrfs_cow_block() and the extent buffer already released by the time trace_btrfs_cow_block() is called, resulting in a use-after-free. Fix this by moving the trace_btrfs_cow_block() from btrfs_cow_block() to btrfs_force_cow_block() before the COWed extent buffer is freed. This also has a side effect of invoking the tracepoint in the tree defrag code, at defrag.c:btrfs_realloc_node(), since btrfs_force_cow_block() is called there, but this is fine and it was actually missing there. Reported-by: syzbot+8517da8635307182c8a5(a)syzkaller.appspotmail.com Link: https://lore.kernel.org/linux-btrfs/6759a9b9.050a0220.1ac542.000d.GAE@googl… CC: stable(a)vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c index 693dc27ffb89..185985a337b3 100644 --- a/fs/btrfs/ctree.c +++ b/fs/btrfs/ctree.c @@ -654,6 +654,8 @@ int btrfs_force_cow_block(struct btrfs_trans_handle *trans, goto error_unlock_cow; } } + + trace_btrfs_cow_block(root, buf, cow); if (unlock_orig) btrfs_tree_unlock(buf); free_extent_buffer_stale(buf); @@ -710,7 +712,6 @@ int btrfs_cow_block(struct btrfs_trans_handle *trans, { struct btrfs_fs_info *fs_info = root->fs_info; u64 search_start; - int ret; if (unlikely(test_bit(BTRFS_ROOT_DELETING, &root->state))) { btrfs_abort_transaction(trans, -EUCLEAN); @@ -751,12 +752,8 @@ int btrfs_cow_block(struct btrfs_trans_handle *trans, * Also We don't care about the error, as it's handled internally. */ btrfs_qgroup_trace_subtree_after_cow(trans, root, buf); - ret = btrfs_force_cow_block(trans, root, buf, parent, parent_slot, - cow_ret, search_start, 0, nest); - - trace_btrfs_cow_block(root, buf, *cow_ret); - - return ret; + return btrfs_force_cow_block(trans, root, buf, parent, parent_slot, + cow_ret, search_start, 0, nest); } ALLOW_ERROR_INJECTION(btrfs_cow_block, ERRNO);

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix use-after-free when COWing tree bock and tracing" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 44f52bbe96dfdbe4aca3818a2534520082a07040 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123018-overplant-backwash-53db@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 44f52bbe96dfdbe4aca3818a2534520082a07040 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Wed, 11 Dec 2024 16:08:07 +0000 Subject: [PATCH] btrfs: fix use-after-free when COWing tree bock and tracing is enabled When a COWing a tree block, at btrfs_cow_block(), and we have the tracepoint trace_btrfs_cow_block() enabled and preemption is also enabled (CONFIG_PREEMPT=y), we can trigger a use-after-free in the COWed extent buffer while inside the tracepoint code. This is because in some paths that call btrfs_cow_block(), such as btrfs_search_slot(), we are holding the last reference on the extent buffer @buf so btrfs_force_cow_block() drops the last reference on the @buf extent buffer when it calls free_extent_buffer_stale(buf), which schedules the release of the extent buffer with RCU. This means that if we are on a kernel with preemption, the current task may be preempted before calling trace_btrfs_cow_block() and the extent buffer already released by the time trace_btrfs_cow_block() is called, resulting in a use-after-free. Fix this by moving the trace_btrfs_cow_block() from btrfs_cow_block() to btrfs_force_cow_block() before the COWed extent buffer is freed. This also has a side effect of invoking the tracepoint in the tree defrag code, at defrag.c:btrfs_realloc_node(), since btrfs_force_cow_block() is called there, but this is fine and it was actually missing there. Reported-by: syzbot+8517da8635307182c8a5(a)syzkaller.appspotmail.com Link: https://lore.kernel.org/linux-btrfs/6759a9b9.050a0220.1ac542.000d.GAE@googl… CC: stable(a)vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c index 693dc27ffb89..185985a337b3 100644 --- a/fs/btrfs/ctree.c +++ b/fs/btrfs/ctree.c @@ -654,6 +654,8 @@ int btrfs_force_cow_block(struct btrfs_trans_handle *trans, goto error_unlock_cow; } } + + trace_btrfs_cow_block(root, buf, cow); if (unlock_orig) btrfs_tree_unlock(buf); free_extent_buffer_stale(buf); @@ -710,7 +712,6 @@ int btrfs_cow_block(struct btrfs_trans_handle *trans, { struct btrfs_fs_info *fs_info = root->fs_info; u64 search_start; - int ret; if (unlikely(test_bit(BTRFS_ROOT_DELETING, &root->state))) { btrfs_abort_transaction(trans, -EUCLEAN); @@ -751,12 +752,8 @@ int btrfs_cow_block(struct btrfs_trans_handle *trans, * Also We don't care about the error, as it's handled internally. */ btrfs_qgroup_trace_subtree_after_cow(trans, root, buf); - ret = btrfs_force_cow_block(trans, root, buf, parent, parent_slot, - cow_ret, search_start, 0, nest); - - trace_btrfs_cow_block(root, buf, *cow_ret); - - return ret; + return btrfs_force_cow_block(trans, root, buf, parent, parent_slot, + cow_ret, search_start, 0, nest); } ALLOW_ERROR_INJECTION(btrfs_cow_block, ERRNO);

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] btrfs: sysfs: fix direct super block member reads" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x fca432e73db2bec0fdbfbf6d98d3ebcd5388a977 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123006-unhappy-grudge-df18@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From fca432e73db2bec0fdbfbf6d98d3ebcd5388a977 Mon Sep 17 00:00:00 2001 From: Qu Wenruo <wqu(a)suse.com> Date: Wed, 18 Dec 2024 17:00:56 +1030 Subject: [PATCH] btrfs: sysfs: fix direct super block member reads The following sysfs entries are reading super block member directly, which can have a different endian and cause wrong values: - sys/fs/btrfs/<uuid>/nodesize - sys/fs/btrfs/<uuid>/sectorsize - sys/fs/btrfs/<uuid>/clone_alignment Thankfully those values (nodesize and sectorsize) are always aligned inside the btrfs_super_block, so it won't trigger unaligned read errors, just endian problems. Fix them by using the native cached members instead. Fixes: df93589a1737 ("btrfs: export more from FS_INFO to sysfs") CC: stable(a)vger.kernel.org Reviewed-by: Naohiro Aota <naohiro.aota(a)wdc.com> Reviewed-by: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Signed-off-by: Qu Wenruo <wqu(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/sysfs.c b/fs/btrfs/sysfs.c index fdcbf650ac31..7f09b6c9cc2d 100644 --- a/fs/btrfs/sysfs.c +++ b/fs/btrfs/sysfs.c @@ -1118,7 +1118,7 @@ static ssize_t btrfs_nodesize_show(struct kobject *kobj, { struct btrfs_fs_info *fs_info = to_fs_info(kobj); - return sysfs_emit(buf, "%u\n", fs_info->super_copy->nodesize); + return sysfs_emit(buf, "%u\n", fs_info->nodesize); } BTRFS_ATTR(, nodesize, btrfs_nodesize_show); @@ -1128,7 +1128,7 @@ static ssize_t btrfs_sectorsize_show(struct kobject *kobj, { struct btrfs_fs_info *fs_info = to_fs_info(kobj); - return sysfs_emit(buf, "%u\n", fs_info->super_copy->sectorsize); + return sysfs_emit(buf, "%u\n", fs_info->sectorsize); } BTRFS_ATTR(, sectorsize, btrfs_sectorsize_show); @@ -1180,7 +1180,7 @@ static ssize_t btrfs_clone_alignment_show(struct kobject *kobj, { struct btrfs_fs_info *fs_info = to_fs_info(kobj); - return sysfs_emit(buf, "%u\n", fs_info->super_copy->sectorsize); + return sysfs_emit(buf, "%u\n", fs_info->sectorsize); } BTRFS_ATTR(, clone_alignment, btrfs_clone_alignment_show);

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] btrfs: sysfs: fix direct super block member reads" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x fca432e73db2bec0fdbfbf6d98d3ebcd5388a977 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123004-opt-riot-9e91@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From fca432e73db2bec0fdbfbf6d98d3ebcd5388a977 Mon Sep 17 00:00:00 2001 From: Qu Wenruo <wqu(a)suse.com> Date: Wed, 18 Dec 2024 17:00:56 +1030 Subject: [PATCH] btrfs: sysfs: fix direct super block member reads The following sysfs entries are reading super block member directly, which can have a different endian and cause wrong values: - sys/fs/btrfs/<uuid>/nodesize - sys/fs/btrfs/<uuid>/sectorsize - sys/fs/btrfs/<uuid>/clone_alignment Thankfully those values (nodesize and sectorsize) are always aligned inside the btrfs_super_block, so it won't trigger unaligned read errors, just endian problems. Fix them by using the native cached members instead. Fixes: df93589a1737 ("btrfs: export more from FS_INFO to sysfs") CC: stable(a)vger.kernel.org Reviewed-by: Naohiro Aota <naohiro.aota(a)wdc.com> Reviewed-by: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Signed-off-by: Qu Wenruo <wqu(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/sysfs.c b/fs/btrfs/sysfs.c index fdcbf650ac31..7f09b6c9cc2d 100644 --- a/fs/btrfs/sysfs.c +++ b/fs/btrfs/sysfs.c @@ -1118,7 +1118,7 @@ static ssize_t btrfs_nodesize_show(struct kobject *kobj, { struct btrfs_fs_info *fs_info = to_fs_info(kobj); - return sysfs_emit(buf, "%u\n", fs_info->super_copy->nodesize); + return sysfs_emit(buf, "%u\n", fs_info->nodesize); } BTRFS_ATTR(, nodesize, btrfs_nodesize_show); @@ -1128,7 +1128,7 @@ static ssize_t btrfs_sectorsize_show(struct kobject *kobj, { struct btrfs_fs_info *fs_info = to_fs_info(kobj); - return sysfs_emit(buf, "%u\n", fs_info->super_copy->sectorsize); + return sysfs_emit(buf, "%u\n", fs_info->sectorsize); } BTRFS_ATTR(, sectorsize, btrfs_sectorsize_show); @@ -1180,7 +1180,7 @@ static ssize_t btrfs_clone_alignment_show(struct kobject *kobj, { struct btrfs_fs_info *fs_info = to_fs_info(kobj); - return sysfs_emit(buf, "%u\n", fs_info->super_copy->sectorsize); + return sysfs_emit(buf, "%u\n", fs_info->sectorsize); } BTRFS_ATTR(, clone_alignment, btrfs_clone_alignment_show);

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] btrfs: sysfs: fix direct super block member reads" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x fca432e73db2bec0fdbfbf6d98d3ebcd5388a977 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123002-nylon-baffle-a6ad@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From fca432e73db2bec0fdbfbf6d98d3ebcd5388a977 Mon Sep 17 00:00:00 2001 From: Qu Wenruo <wqu(a)suse.com> Date: Wed, 18 Dec 2024 17:00:56 +1030 Subject: [PATCH] btrfs: sysfs: fix direct super block member reads The following sysfs entries are reading super block member directly, which can have a different endian and cause wrong values: - sys/fs/btrfs/<uuid>/nodesize - sys/fs/btrfs/<uuid>/sectorsize - sys/fs/btrfs/<uuid>/clone_alignment Thankfully those values (nodesize and sectorsize) are always aligned inside the btrfs_super_block, so it won't trigger unaligned read errors, just endian problems. Fix them by using the native cached members instead. Fixes: df93589a1737 ("btrfs: export more from FS_INFO to sysfs") CC: stable(a)vger.kernel.org Reviewed-by: Naohiro Aota <naohiro.aota(a)wdc.com> Reviewed-by: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Signed-off-by: Qu Wenruo <wqu(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/sysfs.c b/fs/btrfs/sysfs.c index fdcbf650ac31..7f09b6c9cc2d 100644 --- a/fs/btrfs/sysfs.c +++ b/fs/btrfs/sysfs.c @@ -1118,7 +1118,7 @@ static ssize_t btrfs_nodesize_show(struct kobject *kobj, { struct btrfs_fs_info *fs_info = to_fs_info(kobj); - return sysfs_emit(buf, "%u\n", fs_info->super_copy->nodesize); + return sysfs_emit(buf, "%u\n", fs_info->nodesize); } BTRFS_ATTR(, nodesize, btrfs_nodesize_show); @@ -1128,7 +1128,7 @@ static ssize_t btrfs_sectorsize_show(struct kobject *kobj, { struct btrfs_fs_info *fs_info = to_fs_info(kobj); - return sysfs_emit(buf, "%u\n", fs_info->super_copy->sectorsize); + return sysfs_emit(buf, "%u\n", fs_info->sectorsize); } BTRFS_ATTR(, sectorsize, btrfs_sectorsize_show); @@ -1180,7 +1180,7 @@ static ssize_t btrfs_clone_alignment_show(struct kobject *kobj, { struct btrfs_fs_info *fs_info = to_fs_info(kobj); - return sysfs_emit(buf, "%u\n", fs_info->super_copy->sectorsize); + return sysfs_emit(buf, "%u\n", fs_info->sectorsize); } BTRFS_ATTR(, clone_alignment, btrfs_clone_alignment_show);

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix transaction atomicity bug when enabling simple" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x f2363e6fcc7938c5f0f6ac066fad0dd247598b51 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123034-luxury-clumsily-dce2@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f2363e6fcc7938c5f0f6ac066fad0dd247598b51 Mon Sep 17 00:00:00 2001 From: Julian Sun <sunjunchao2870(a)gmail.com> Date: Wed, 11 Dec 2024 19:13:15 +0800 Subject: [PATCH] btrfs: fix transaction atomicity bug when enabling simple quotas Set squota incompat bit before committing the transaction that enables the feature. With the config CONFIG_BTRFS_ASSERT enabled, an assertion failure occurs regarding the simple quota feature. [5.596534] assertion failed: btrfs_fs_incompat(fs_info, SIMPLE_QUOTA), in fs/btrfs/qgroup.c:365 [5.597098] ------------[ cut here ]------------ [5.597371] kernel BUG at fs/btrfs/qgroup.c:365! [5.597946] CPU: 1 UID: 0 PID: 268 Comm: mount Not tainted 6.13.0-rc2-00031-gf92f4749861b #146 [5.598450] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 [5.599008] RIP: 0010:btrfs_read_qgroup_config+0x74d/0x7a0 [5.604303] <TASK> [5.605230] ? btrfs_read_qgroup_config+0x74d/0x7a0 [5.605538] ? exc_invalid_op+0x56/0x70 [5.605775] ? btrfs_read_qgroup_config+0x74d/0x7a0 [5.606066] ? asm_exc_invalid_op+0x1f/0x30 [5.606441] ? btrfs_read_qgroup_config+0x74d/0x7a0 [5.606741] ? btrfs_read_qgroup_config+0x74d/0x7a0 [5.607038] ? try_to_wake_up+0x317/0x760 [5.607286] open_ctree+0xd9c/0x1710 [5.607509] btrfs_get_tree+0x58a/0x7e0 [5.608002] vfs_get_tree+0x2e/0x100 [5.608224] fc_mount+0x16/0x60 [5.608420] btrfs_get_tree+0x2f8/0x7e0 [5.608897] vfs_get_tree+0x2e/0x100 [5.609121] path_mount+0x4c8/0xbc0 [5.609538] __x64_sys_mount+0x10d/0x150 The issue can be easily reproduced using the following reproducer: root@q:linux# cat repro.sh set -e mkfs.btrfs -q -f /dev/sdb mount /dev/sdb /mnt/btrfs btrfs quota enable -s /mnt/btrfs umount /mnt/btrfs mount /dev/sdb /mnt/btrfs The issue is that when enabling quotas, at btrfs_quota_enable(), we set BTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE at fs_info->qgroup_flags and persist it in the quota root in the item with the key BTRFS_QGROUP_STATUS_KEY, but we only set the incompat bit BTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA after we commit the transaction used to enable simple quotas. This means that if after that transaction commit we unmount the filesystem without starting and committing any other transaction, or we have a power failure, the next time we mount the filesystem we will find the flag BTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE set in the item with the key BTRFS_QGROUP_STATUS_KEY but we will not find the incompat bit BTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA set in the superblock, triggering an assertion failure at: btrfs_read_qgroup_config() -> qgroup_read_enable_gen() To fix this issue, set the BTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA flag immediately after setting the BTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE. This ensures that both flags are flushed to disk within the same transaction. Fixes: 182940f4f4db ("btrfs: qgroup: add new quota mode for simple quotas") CC: stable(a)vger.kernel.org # 6.6+ Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: Julian Sun <sunjunchao2870(a)gmail.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c index a6f92836c9b1..f9b214992212 100644 --- a/fs/btrfs/qgroup.c +++ b/fs/btrfs/qgroup.c @@ -1121,6 +1121,7 @@ int btrfs_quota_enable(struct btrfs_fs_info *fs_info, fs_info->qgroup_flags = BTRFS_QGROUP_STATUS_FLAG_ON; if (simple) { fs_info->qgroup_flags |= BTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE; + btrfs_set_fs_incompat(fs_info, SIMPLE_QUOTA); btrfs_set_qgroup_status_enable_gen(leaf, ptr, trans->transid); } else { fs_info->qgroup_flags |= BTRFS_QGROUP_STATUS_FLAG_INCONSISTENT; @@ -1254,8 +1255,6 @@ int btrfs_quota_enable(struct btrfs_fs_info *fs_info, spin_lock(&fs_info->qgroup_lock); fs_info->quota_root = quota_root; set_bit(BTRFS_FS_QUOTA_ENABLED, &fs_info->flags); - if (simple) - btrfs_set_fs_incompat(fs_info, SIMPLE_QUOTA); spin_unlock(&fs_info->qgroup_lock); /* Skip rescan for simple qgroups. */

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix swap file activation failure due to extents that" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 03018e5d8508254534511d40fb57bc150e6a87f2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123028-alibi-limpness-1931@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 03018e5d8508254534511d40fb57bc150e6a87f2 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Mon, 9 Dec 2024 12:54:14 +0000 Subject: [PATCH] btrfs: fix swap file activation failure due to extents that used to be shared When activating a swap file, to determine if an extent is shared we use can_nocow_extent(), which ends up at btrfs_cross_ref_exist(). That helper is meant to be quick because it's used in the NOCOW write path, when flushing delalloc and when doing a direct IO write, however it does return some false positives, meaning it may indicate that an extent is shared even if it's no longer the case. For the write path this is fine, we just do a unnecessary COW operation instead of doing a more rigorous check which would be too heavy (calling btrfs_is_data_extent_shared()). However when activating a swap file, the false positives simply result in a failure, which is confusing for users/applications. One particular case where this happens is when a data extent only has 1 reference but that reference is not inlined in the extent item located in the extent tree - this happens when we create more than 33 references for an extent and then delete those 33 references plus every other non-inline reference except one. The function check_committed_ref() assumes that if the size of an extent item doesn't match the size of struct btrfs_extent_item plus the size of an inline reference (plus an owner reference in case simple quotas are enabled), then the extent is shared - that is not the case however, we can have a single reference but it's not inlined - the reason we do this is to be fast and avoid inspecting non-inline references which may be located in another leaf of the extent tree, slowing down write paths. The following test script reproduces the bug: $ cat test.sh #!/bin/bash DEV=/dev/sdi MNT=/mnt/sdi NUM_CLONES=50 umount $DEV &> /dev/null run_test() { local sync_after_add_reflinks=$1 local sync_after_remove_reflinks=$2 mkfs.btrfs -f $DEV > /dev/null #mkfs.xfs -f $DEV > /dev/null mount $DEV $MNT touch $MNT/foo chmod 0600 $MNT/foo # On btrfs the file must be NOCOW. chattr +C $MNT/foo &> /dev/null xfs_io -s -c "pwrite -b 1M 0 1M" $MNT/foo mkswap $MNT/foo for ((i = 1; i <= $NUM_CLONES; i++)); do touch $MNT/foo_clone_$i chmod 0600 $MNT/foo_clone_$i # On btrfs the file must be NOCOW. chattr +C $MNT/foo_clone_$i &> /dev/null cp --reflink=always $MNT/foo $MNT/foo_clone_$i done if [ $sync_after_add_reflinks -ne 0 ]; then # Flush delayed refs and commit current transaction. sync -f $MNT fi # Remove the original file and all clones except the last. rm -f $MNT/foo for ((i = 1; i < $NUM_CLONES; i++)); do rm -f $MNT/foo_clone_$i done if [ $sync_after_remove_reflinks -ne 0 ]; then # Flush delayed refs and commit current transaction. sync -f $MNT fi # Now use the last clone as a swap file. It should work since # its extent are not shared anymore. swapon $MNT/foo_clone_${NUM_CLONES} swapoff $MNT/foo_clone_${NUM_CLONES} umount $MNT } echo -e "\nTest without sync after creating and removing clones" run_test 0 0 echo -e "\nTest with sync after creating clones" run_test 1 0 echo -e "\nTest with sync after removing clones" run_test 0 1 echo -e "\nTest with sync after creating and removing clones" run_test 1 1 Running the test: $ ./test.sh Test without sync after creating and removing clones wrote 1048576/1048576 bytes at offset 0 1 MiB, 1 ops; 0.0017 sec (556.793 MiB/sec and 556.7929 ops/sec) Setting up swapspace version 1, size = 1020 KiB (1044480 bytes) no label, UUID=a6b9c29e-5ef4-4689-a8ac-bc199c750f02 swapon: /mnt/sdi/foo_clone_50: swapon failed: Invalid argument swapoff: /mnt/sdi/foo_clone_50: swapoff failed: Invalid argument Test with sync after creating clones wrote 1048576/1048576 bytes at offset 0 1 MiB, 1 ops; 0.0036 sec (271.739 MiB/sec and 271.7391 ops/sec) Setting up swapspace version 1, size = 1020 KiB (1044480 bytes) no label, UUID=5e9008d6-1f7a-4948-a1b4-3f30aba20a33 swapon: /mnt/sdi/foo_clone_50: swapon failed: Invalid argument swapoff: /mnt/sdi/foo_clone_50: swapoff failed: Invalid argument Test with sync after removing clones wrote 1048576/1048576 bytes at offset 0 1 MiB, 1 ops; 0.0103 sec (96.665 MiB/sec and 96.6651 ops/sec) Setting up swapspace version 1, size = 1020 KiB (1044480 bytes) no label, UUID=916c2740-fa9f-4385-9f06-29c3f89e4764 Test with sync after creating and removing clones wrote 1048576/1048576 bytes at offset 0 1 MiB, 1 ops; 0.0031 sec (314.268 MiB/sec and 314.2678 ops/sec) Setting up swapspace version 1, size = 1020 KiB (1044480 bytes) no label, UUID=06aab1dd-4d90-49c0-bd9f-3a8db4e2f912 swapon: /mnt/sdi/foo_clone_50: swapon failed: Invalid argument swapoff: /mnt/sdi/foo_clone_50: swapoff failed: Invalid argument Fix this by reworking btrfs_swap_activate() to instead of using extent maps and checking for shared extents with can_nocow_extent(), iterate over the inode's file extent items and use the accurate btrfs_is_data_extent_shared(). CC: stable(a)vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index b2abc0aa5300..b87f19630b00 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -9799,15 +9799,16 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, struct btrfs_fs_info *fs_info = root->fs_info; struct extent_io_tree *io_tree = &BTRFS_I(inode)->io_tree; struct extent_state *cached_state = NULL; - struct extent_map *em = NULL; struct btrfs_chunk_map *map = NULL; struct btrfs_device *device = NULL; struct btrfs_swap_info bsi = { .lowest_ppage = (sector_t)-1ULL, }; + struct btrfs_backref_share_check_ctx *backref_ctx = NULL; + struct btrfs_path *path = NULL; int ret = 0; u64 isize; - u64 start; + u64 prev_extent_end = 0; /* * Acquire the inode's mmap lock to prevent races with memory mapped @@ -9846,6 +9847,13 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, goto out_unlock_mmap; } + path = btrfs_alloc_path(); + backref_ctx = btrfs_alloc_backref_share_check_ctx(); + if (!path || !backref_ctx) { + ret = -ENOMEM; + goto out_unlock_mmap; + } + /* * Balance or device remove/replace/resize can move stuff around from * under us. The exclop protection makes sure they aren't running/won't @@ -9904,24 +9912,39 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, isize = ALIGN_DOWN(inode->i_size, fs_info->sectorsize); lock_extent(io_tree, 0, isize - 1, &cached_state); - start = 0; - while (start < isize) { - u64 logical_block_start, physical_block_start; + while (prev_extent_end < isize) { + struct btrfs_key key; + struct extent_buffer *leaf; + struct btrfs_file_extent_item *ei; struct btrfs_block_group *bg; - u64 len = isize - start; + u64 logical_block_start; + u64 physical_block_start; + u64 extent_gen; + u64 disk_bytenr; + u64 len; - em = btrfs_get_extent(BTRFS_I(inode), NULL, start, len); - if (IS_ERR(em)) { - ret = PTR_ERR(em); + key.objectid = btrfs_ino(BTRFS_I(inode)); + key.type = BTRFS_EXTENT_DATA_KEY; + key.offset = prev_extent_end; + + ret = btrfs_search_slot(NULL, root, &key, path, 0, 0); + if (ret < 0) goto out; - } - if (em->disk_bytenr == EXTENT_MAP_HOLE) { + /* + * If key not found it means we have an implicit hole (NO_HOLES + * is enabled). + */ + if (ret > 0) { btrfs_warn(fs_info, "swapfile must not have holes"); ret = -EINVAL; goto out; } - if (em->disk_bytenr == EXTENT_MAP_INLINE) { + + leaf = path->nodes[0]; + ei = btrfs_item_ptr(leaf, path->slots[0], struct btrfs_file_extent_item); + + if (btrfs_file_extent_type(leaf, ei) == BTRFS_FILE_EXTENT_INLINE) { /* * It's unlikely we'll ever actually find ourselves * here, as a file small enough to fit inline won't be @@ -9933,23 +9956,45 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, ret = -EINVAL; goto out; } - if (extent_map_is_compressed(em)) { + + if (btrfs_file_extent_compression(leaf, ei) != BTRFS_COMPRESS_NONE) { btrfs_warn(fs_info, "swapfile must not be compressed"); ret = -EINVAL; goto out; } - logical_block_start = extent_map_block_start(em) + (start - em->start); - len = min(len, em->len - (start - em->start)); - free_extent_map(em); - em = NULL; + disk_bytenr = btrfs_file_extent_disk_bytenr(leaf, ei); + if (disk_bytenr == 0) { + btrfs_warn(fs_info, "swapfile must not have holes"); + ret = -EINVAL; + goto out; + } - ret = can_nocow_extent(inode, start, &len, NULL, false, true); + logical_block_start = disk_bytenr + btrfs_file_extent_offset(leaf, ei); + extent_gen = btrfs_file_extent_generation(leaf, ei); + prev_extent_end = btrfs_file_extent_end(path); + + if (prev_extent_end > isize) + len = isize - key.offset; + else + len = btrfs_file_extent_num_bytes(leaf, ei); + + backref_ctx->curr_leaf_bytenr = leaf->start; + + /* + * Don't need the path anymore, release to avoid deadlocks when + * calling btrfs_is_data_extent_shared() because when joining a + * transaction it can block waiting for the current one's commit + * which in turn may be trying to lock the same leaf to flush + * delayed items for example. + */ + btrfs_release_path(path); + + ret = btrfs_is_data_extent_shared(BTRFS_I(inode), disk_bytenr, + extent_gen, backref_ctx); if (ret < 0) { goto out; - } else if (ret) { - ret = 0; - } else { + } else if (ret > 0) { btrfs_warn(fs_info, "swapfile must not be copy-on-write"); ret = -EINVAL; @@ -9984,7 +10029,6 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, physical_block_start = (map->stripes[0].physical + (logical_block_start - map->start)); - len = min(len, map->chunk_len - (logical_block_start - map->start)); btrfs_free_chunk_map(map); map = NULL; @@ -10025,20 +10069,16 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, if (ret) goto out; } - bsi.start = start; + bsi.start = key.offset; bsi.block_start = physical_block_start; bsi.block_len = len; } - - start += len; } if (bsi.block_len) ret = btrfs_add_swap_extent(sis, &bsi); out: - if (!IS_ERR_OR_NULL(em)) - free_extent_map(em); if (!IS_ERR_OR_NULL(map)) btrfs_free_chunk_map(map); @@ -10053,6 +10093,8 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, out_unlock_mmap: up_write(&BTRFS_I(inode)->i_mmap_lock); + btrfs_free_backref_share_ctx(backref_ctx); + btrfs_free_path(path); if (ret) return ret;

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix swap file activation failure due to extents that" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 03018e5d8508254534511d40fb57bc150e6a87f2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123021-swimmable-curled-c1b6@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 03018e5d8508254534511d40fb57bc150e6a87f2 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Mon, 9 Dec 2024 12:54:14 +0000 Subject: [PATCH] btrfs: fix swap file activation failure due to extents that used to be shared When activating a swap file, to determine if an extent is shared we use can_nocow_extent(), which ends up at btrfs_cross_ref_exist(). That helper is meant to be quick because it's used in the NOCOW write path, when flushing delalloc and when doing a direct IO write, however it does return some false positives, meaning it may indicate that an extent is shared even if it's no longer the case. For the write path this is fine, we just do a unnecessary COW operation instead of doing a more rigorous check which would be too heavy (calling btrfs_is_data_extent_shared()). However when activating a swap file, the false positives simply result in a failure, which is confusing for users/applications. One particular case where this happens is when a data extent only has 1 reference but that reference is not inlined in the extent item located in the extent tree - this happens when we create more than 33 references for an extent and then delete those 33 references plus every other non-inline reference except one. The function check_committed_ref() assumes that if the size of an extent item doesn't match the size of struct btrfs_extent_item plus the size of an inline reference (plus an owner reference in case simple quotas are enabled), then the extent is shared - that is not the case however, we can have a single reference but it's not inlined - the reason we do this is to be fast and avoid inspecting non-inline references which may be located in another leaf of the extent tree, slowing down write paths. The following test script reproduces the bug: $ cat test.sh #!/bin/bash DEV=/dev/sdi MNT=/mnt/sdi NUM_CLONES=50 umount $DEV &> /dev/null run_test() { local sync_after_add_reflinks=$1 local sync_after_remove_reflinks=$2 mkfs.btrfs -f $DEV > /dev/null #mkfs.xfs -f $DEV > /dev/null mount $DEV $MNT touch $MNT/foo chmod 0600 $MNT/foo # On btrfs the file must be NOCOW. chattr +C $MNT/foo &> /dev/null xfs_io -s -c "pwrite -b 1M 0 1M" $MNT/foo mkswap $MNT/foo for ((i = 1; i <= $NUM_CLONES; i++)); do touch $MNT/foo_clone_$i chmod 0600 $MNT/foo_clone_$i # On btrfs the file must be NOCOW. chattr +C $MNT/foo_clone_$i &> /dev/null cp --reflink=always $MNT/foo $MNT/foo_clone_$i done if [ $sync_after_add_reflinks -ne 0 ]; then # Flush delayed refs and commit current transaction. sync -f $MNT fi # Remove the original file and all clones except the last. rm -f $MNT/foo for ((i = 1; i < $NUM_CLONES; i++)); do rm -f $MNT/foo_clone_$i done if [ $sync_after_remove_reflinks -ne 0 ]; then # Flush delayed refs and commit current transaction. sync -f $MNT fi # Now use the last clone as a swap file. It should work since # its extent are not shared anymore. swapon $MNT/foo_clone_${NUM_CLONES} swapoff $MNT/foo_clone_${NUM_CLONES} umount $MNT } echo -e "\nTest without sync after creating and removing clones" run_test 0 0 echo -e "\nTest with sync after creating clones" run_test 1 0 echo -e "\nTest with sync after removing clones" run_test 0 1 echo -e "\nTest with sync after creating and removing clones" run_test 1 1 Running the test: $ ./test.sh Test without sync after creating and removing clones wrote 1048576/1048576 bytes at offset 0 1 MiB, 1 ops; 0.0017 sec (556.793 MiB/sec and 556.7929 ops/sec) Setting up swapspace version 1, size = 1020 KiB (1044480 bytes) no label, UUID=a6b9c29e-5ef4-4689-a8ac-bc199c750f02 swapon: /mnt/sdi/foo_clone_50: swapon failed: Invalid argument swapoff: /mnt/sdi/foo_clone_50: swapoff failed: Invalid argument Test with sync after creating clones wrote 1048576/1048576 bytes at offset 0 1 MiB, 1 ops; 0.0036 sec (271.739 MiB/sec and 271.7391 ops/sec) Setting up swapspace version 1, size = 1020 KiB (1044480 bytes) no label, UUID=5e9008d6-1f7a-4948-a1b4-3f30aba20a33 swapon: /mnt/sdi/foo_clone_50: swapon failed: Invalid argument swapoff: /mnt/sdi/foo_clone_50: swapoff failed: Invalid argument Test with sync after removing clones wrote 1048576/1048576 bytes at offset 0 1 MiB, 1 ops; 0.0103 sec (96.665 MiB/sec and 96.6651 ops/sec) Setting up swapspace version 1, size = 1020 KiB (1044480 bytes) no label, UUID=916c2740-fa9f-4385-9f06-29c3f89e4764 Test with sync after creating and removing clones wrote 1048576/1048576 bytes at offset 0 1 MiB, 1 ops; 0.0031 sec (314.268 MiB/sec and 314.2678 ops/sec) Setting up swapspace version 1, size = 1020 KiB (1044480 bytes) no label, UUID=06aab1dd-4d90-49c0-bd9f-3a8db4e2f912 swapon: /mnt/sdi/foo_clone_50: swapon failed: Invalid argument swapoff: /mnt/sdi/foo_clone_50: swapoff failed: Invalid argument Fix this by reworking btrfs_swap_activate() to instead of using extent maps and checking for shared extents with can_nocow_extent(), iterate over the inode's file extent items and use the accurate btrfs_is_data_extent_shared(). CC: stable(a)vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index b2abc0aa5300..b87f19630b00 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -9799,15 +9799,16 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, struct btrfs_fs_info *fs_info = root->fs_info; struct extent_io_tree *io_tree = &BTRFS_I(inode)->io_tree; struct extent_state *cached_state = NULL; - struct extent_map *em = NULL; struct btrfs_chunk_map *map = NULL; struct btrfs_device *device = NULL; struct btrfs_swap_info bsi = { .lowest_ppage = (sector_t)-1ULL, }; + struct btrfs_backref_share_check_ctx *backref_ctx = NULL; + struct btrfs_path *path = NULL; int ret = 0; u64 isize; - u64 start; + u64 prev_extent_end = 0; /* * Acquire the inode's mmap lock to prevent races with memory mapped @@ -9846,6 +9847,13 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, goto out_unlock_mmap; } + path = btrfs_alloc_path(); + backref_ctx = btrfs_alloc_backref_share_check_ctx(); + if (!path || !backref_ctx) { + ret = -ENOMEM; + goto out_unlock_mmap; + } + /* * Balance or device remove/replace/resize can move stuff around from * under us. The exclop protection makes sure they aren't running/won't @@ -9904,24 +9912,39 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, isize = ALIGN_DOWN(inode->i_size, fs_info->sectorsize); lock_extent(io_tree, 0, isize - 1, &cached_state); - start = 0; - while (start < isize) { - u64 logical_block_start, physical_block_start; + while (prev_extent_end < isize) { + struct btrfs_key key; + struct extent_buffer *leaf; + struct btrfs_file_extent_item *ei; struct btrfs_block_group *bg; - u64 len = isize - start; + u64 logical_block_start; + u64 physical_block_start; + u64 extent_gen; + u64 disk_bytenr; + u64 len; - em = btrfs_get_extent(BTRFS_I(inode), NULL, start, len); - if (IS_ERR(em)) { - ret = PTR_ERR(em); + key.objectid = btrfs_ino(BTRFS_I(inode)); + key.type = BTRFS_EXTENT_DATA_KEY; + key.offset = prev_extent_end; + + ret = btrfs_search_slot(NULL, root, &key, path, 0, 0); + if (ret < 0) goto out; - } - if (em->disk_bytenr == EXTENT_MAP_HOLE) { + /* + * If key not found it means we have an implicit hole (NO_HOLES + * is enabled). + */ + if (ret > 0) { btrfs_warn(fs_info, "swapfile must not have holes"); ret = -EINVAL; goto out; } - if (em->disk_bytenr == EXTENT_MAP_INLINE) { + + leaf = path->nodes[0]; + ei = btrfs_item_ptr(leaf, path->slots[0], struct btrfs_file_extent_item); + + if (btrfs_file_extent_type(leaf, ei) == BTRFS_FILE_EXTENT_INLINE) { /* * It's unlikely we'll ever actually find ourselves * here, as a file small enough to fit inline won't be @@ -9933,23 +9956,45 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, ret = -EINVAL; goto out; } - if (extent_map_is_compressed(em)) { + + if (btrfs_file_extent_compression(leaf, ei) != BTRFS_COMPRESS_NONE) { btrfs_warn(fs_info, "swapfile must not be compressed"); ret = -EINVAL; goto out; } - logical_block_start = extent_map_block_start(em) + (start - em->start); - len = min(len, em->len - (start - em->start)); - free_extent_map(em); - em = NULL; + disk_bytenr = btrfs_file_extent_disk_bytenr(leaf, ei); + if (disk_bytenr == 0) { + btrfs_warn(fs_info, "swapfile must not have holes"); + ret = -EINVAL; + goto out; + } - ret = can_nocow_extent(inode, start, &len, NULL, false, true); + logical_block_start = disk_bytenr + btrfs_file_extent_offset(leaf, ei); + extent_gen = btrfs_file_extent_generation(leaf, ei); + prev_extent_end = btrfs_file_extent_end(path); + + if (prev_extent_end > isize) + len = isize - key.offset; + else + len = btrfs_file_extent_num_bytes(leaf, ei); + + backref_ctx->curr_leaf_bytenr = leaf->start; + + /* + * Don't need the path anymore, release to avoid deadlocks when + * calling btrfs_is_data_extent_shared() because when joining a + * transaction it can block waiting for the current one's commit + * which in turn may be trying to lock the same leaf to flush + * delayed items for example. + */ + btrfs_release_path(path); + + ret = btrfs_is_data_extent_shared(BTRFS_I(inode), disk_bytenr, + extent_gen, backref_ctx); if (ret < 0) { goto out; - } else if (ret) { - ret = 0; - } else { + } else if (ret > 0) { btrfs_warn(fs_info, "swapfile must not be copy-on-write"); ret = -EINVAL; @@ -9984,7 +10029,6 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, physical_block_start = (map->stripes[0].physical + (logical_block_start - map->start)); - len = min(len, map->chunk_len - (logical_block_start - map->start)); btrfs_free_chunk_map(map); map = NULL; @@ -10025,20 +10069,16 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, if (ret) goto out; } - bsi.start = start; + bsi.start = key.offset; bsi.block_start = physical_block_start; bsi.block_len = len; } - - start += len; } if (bsi.block_len) ret = btrfs_add_swap_extent(sis, &bsi); out: - if (!IS_ERR_OR_NULL(em)) - free_extent_map(em); if (!IS_ERR_OR_NULL(map)) btrfs_free_chunk_map(map); @@ -10053,6 +10093,8 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, out_unlock_mmap: up_write(&BTRFS_I(inode)->i_mmap_lock); + btrfs_free_backref_share_ctx(backref_ctx); + btrfs_free_path(path); if (ret) return ret;

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix swap file activation failure due to extents that" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 03018e5d8508254534511d40fb57bc150e6a87f2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123015-briar-craftily-a6d3@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 03018e5d8508254534511d40fb57bc150e6a87f2 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Mon, 9 Dec 2024 12:54:14 +0000 Subject: [PATCH] btrfs: fix swap file activation failure due to extents that used to be shared When activating a swap file, to determine if an extent is shared we use can_nocow_extent(), which ends up at btrfs_cross_ref_exist(). That helper is meant to be quick because it's used in the NOCOW write path, when flushing delalloc and when doing a direct IO write, however it does return some false positives, meaning it may indicate that an extent is shared even if it's no longer the case. For the write path this is fine, we just do a unnecessary COW operation instead of doing a more rigorous check which would be too heavy (calling btrfs_is_data_extent_shared()). However when activating a swap file, the false positives simply result in a failure, which is confusing for users/applications. One particular case where this happens is when a data extent only has 1 reference but that reference is not inlined in the extent item located in the extent tree - this happens when we create more than 33 references for an extent and then delete those 33 references plus every other non-inline reference except one. The function check_committed_ref() assumes that if the size of an extent item doesn't match the size of struct btrfs_extent_item plus the size of an inline reference (plus an owner reference in case simple quotas are enabled), then the extent is shared - that is not the case however, we can have a single reference but it's not inlined - the reason we do this is to be fast and avoid inspecting non-inline references which may be located in another leaf of the extent tree, slowing down write paths. The following test script reproduces the bug: $ cat test.sh #!/bin/bash DEV=/dev/sdi MNT=/mnt/sdi NUM_CLONES=50 umount $DEV &> /dev/null run_test() { local sync_after_add_reflinks=$1 local sync_after_remove_reflinks=$2 mkfs.btrfs -f $DEV > /dev/null #mkfs.xfs -f $DEV > /dev/null mount $DEV $MNT touch $MNT/foo chmod 0600 $MNT/foo # On btrfs the file must be NOCOW. chattr +C $MNT/foo &> /dev/null xfs_io -s -c "pwrite -b 1M 0 1M" $MNT/foo mkswap $MNT/foo for ((i = 1; i <= $NUM_CLONES; i++)); do touch $MNT/foo_clone_$i chmod 0600 $MNT/foo_clone_$i # On btrfs the file must be NOCOW. chattr +C $MNT/foo_clone_$i &> /dev/null cp --reflink=always $MNT/foo $MNT/foo_clone_$i done if [ $sync_after_add_reflinks -ne 0 ]; then # Flush delayed refs and commit current transaction. sync -f $MNT fi # Remove the original file and all clones except the last. rm -f $MNT/foo for ((i = 1; i < $NUM_CLONES; i++)); do rm -f $MNT/foo_clone_$i done if [ $sync_after_remove_reflinks -ne 0 ]; then # Flush delayed refs and commit current transaction. sync -f $MNT fi # Now use the last clone as a swap file. It should work since # its extent are not shared anymore. swapon $MNT/foo_clone_${NUM_CLONES} swapoff $MNT/foo_clone_${NUM_CLONES} umount $MNT } echo -e "\nTest without sync after creating and removing clones" run_test 0 0 echo -e "\nTest with sync after creating clones" run_test 1 0 echo -e "\nTest with sync after removing clones" run_test 0 1 echo -e "\nTest with sync after creating and removing clones" run_test 1 1 Running the test: $ ./test.sh Test without sync after creating and removing clones wrote 1048576/1048576 bytes at offset 0 1 MiB, 1 ops; 0.0017 sec (556.793 MiB/sec and 556.7929 ops/sec) Setting up swapspace version 1, size = 1020 KiB (1044480 bytes) no label, UUID=a6b9c29e-5ef4-4689-a8ac-bc199c750f02 swapon: /mnt/sdi/foo_clone_50: swapon failed: Invalid argument swapoff: /mnt/sdi/foo_clone_50: swapoff failed: Invalid argument Test with sync after creating clones wrote 1048576/1048576 bytes at offset 0 1 MiB, 1 ops; 0.0036 sec (271.739 MiB/sec and 271.7391 ops/sec) Setting up swapspace version 1, size = 1020 KiB (1044480 bytes) no label, UUID=5e9008d6-1f7a-4948-a1b4-3f30aba20a33 swapon: /mnt/sdi/foo_clone_50: swapon failed: Invalid argument swapoff: /mnt/sdi/foo_clone_50: swapoff failed: Invalid argument Test with sync after removing clones wrote 1048576/1048576 bytes at offset 0 1 MiB, 1 ops; 0.0103 sec (96.665 MiB/sec and 96.6651 ops/sec) Setting up swapspace version 1, size = 1020 KiB (1044480 bytes) no label, UUID=916c2740-fa9f-4385-9f06-29c3f89e4764 Test with sync after creating and removing clones wrote 1048576/1048576 bytes at offset 0 1 MiB, 1 ops; 0.0031 sec (314.268 MiB/sec and 314.2678 ops/sec) Setting up swapspace version 1, size = 1020 KiB (1044480 bytes) no label, UUID=06aab1dd-4d90-49c0-bd9f-3a8db4e2f912 swapon: /mnt/sdi/foo_clone_50: swapon failed: Invalid argument swapoff: /mnt/sdi/foo_clone_50: swapoff failed: Invalid argument Fix this by reworking btrfs_swap_activate() to instead of using extent maps and checking for shared extents with can_nocow_extent(), iterate over the inode's file extent items and use the accurate btrfs_is_data_extent_shared(). CC: stable(a)vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index b2abc0aa5300..b87f19630b00 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -9799,15 +9799,16 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, struct btrfs_fs_info *fs_info = root->fs_info; struct extent_io_tree *io_tree = &BTRFS_I(inode)->io_tree; struct extent_state *cached_state = NULL; - struct extent_map *em = NULL; struct btrfs_chunk_map *map = NULL; struct btrfs_device *device = NULL; struct btrfs_swap_info bsi = { .lowest_ppage = (sector_t)-1ULL, }; + struct btrfs_backref_share_check_ctx *backref_ctx = NULL; + struct btrfs_path *path = NULL; int ret = 0; u64 isize; - u64 start; + u64 prev_extent_end = 0; /* * Acquire the inode's mmap lock to prevent races with memory mapped @@ -9846,6 +9847,13 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, goto out_unlock_mmap; } + path = btrfs_alloc_path(); + backref_ctx = btrfs_alloc_backref_share_check_ctx(); + if (!path || !backref_ctx) { + ret = -ENOMEM; + goto out_unlock_mmap; + } + /* * Balance or device remove/replace/resize can move stuff around from * under us. The exclop protection makes sure they aren't running/won't @@ -9904,24 +9912,39 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, isize = ALIGN_DOWN(inode->i_size, fs_info->sectorsize); lock_extent(io_tree, 0, isize - 1, &cached_state); - start = 0; - while (start < isize) { - u64 logical_block_start, physical_block_start; + while (prev_extent_end < isize) { + struct btrfs_key key; + struct extent_buffer *leaf; + struct btrfs_file_extent_item *ei; struct btrfs_block_group *bg; - u64 len = isize - start; + u64 logical_block_start; + u64 physical_block_start; + u64 extent_gen; + u64 disk_bytenr; + u64 len; - em = btrfs_get_extent(BTRFS_I(inode), NULL, start, len); - if (IS_ERR(em)) { - ret = PTR_ERR(em); + key.objectid = btrfs_ino(BTRFS_I(inode)); + key.type = BTRFS_EXTENT_DATA_KEY; + key.offset = prev_extent_end; + + ret = btrfs_search_slot(NULL, root, &key, path, 0, 0); + if (ret < 0) goto out; - } - if (em->disk_bytenr == EXTENT_MAP_HOLE) { + /* + * If key not found it means we have an implicit hole (NO_HOLES + * is enabled). + */ + if (ret > 0) { btrfs_warn(fs_info, "swapfile must not have holes"); ret = -EINVAL; goto out; } - if (em->disk_bytenr == EXTENT_MAP_INLINE) { + + leaf = path->nodes[0]; + ei = btrfs_item_ptr(leaf, path->slots[0], struct btrfs_file_extent_item); + + if (btrfs_file_extent_type(leaf, ei) == BTRFS_FILE_EXTENT_INLINE) { /* * It's unlikely we'll ever actually find ourselves * here, as a file small enough to fit inline won't be @@ -9933,23 +9956,45 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, ret = -EINVAL; goto out; } - if (extent_map_is_compressed(em)) { + + if (btrfs_file_extent_compression(leaf, ei) != BTRFS_COMPRESS_NONE) { btrfs_warn(fs_info, "swapfile must not be compressed"); ret = -EINVAL; goto out; } - logical_block_start = extent_map_block_start(em) + (start - em->start); - len = min(len, em->len - (start - em->start)); - free_extent_map(em); - em = NULL; + disk_bytenr = btrfs_file_extent_disk_bytenr(leaf, ei); + if (disk_bytenr == 0) { + btrfs_warn(fs_info, "swapfile must not have holes"); + ret = -EINVAL; + goto out; + } - ret = can_nocow_extent(inode, start, &len, NULL, false, true); + logical_block_start = disk_bytenr + btrfs_file_extent_offset(leaf, ei); + extent_gen = btrfs_file_extent_generation(leaf, ei); + prev_extent_end = btrfs_file_extent_end(path); + + if (prev_extent_end > isize) + len = isize - key.offset; + else + len = btrfs_file_extent_num_bytes(leaf, ei); + + backref_ctx->curr_leaf_bytenr = leaf->start; + + /* + * Don't need the path anymore, release to avoid deadlocks when + * calling btrfs_is_data_extent_shared() because when joining a + * transaction it can block waiting for the current one's commit + * which in turn may be trying to lock the same leaf to flush + * delayed items for example. + */ + btrfs_release_path(path); + + ret = btrfs_is_data_extent_shared(BTRFS_I(inode), disk_bytenr, + extent_gen, backref_ctx); if (ret < 0) { goto out; - } else if (ret) { - ret = 0; - } else { + } else if (ret > 0) { btrfs_warn(fs_info, "swapfile must not be copy-on-write"); ret = -EINVAL; @@ -9984,7 +10029,6 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, physical_block_start = (map->stripes[0].physical + (logical_block_start - map->start)); - len = min(len, map->chunk_len - (logical_block_start - map->start)); btrfs_free_chunk_map(map); map = NULL; @@ -10025,20 +10069,16 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, if (ret) goto out; } - bsi.start = start; + bsi.start = key.offset; bsi.block_start = physical_block_start; bsi.block_len = len; } - - start += len; } if (bsi.block_len) ret = btrfs_add_swap_extent(sis, &bsi); out: - if (!IS_ERR_OR_NULL(em)) - free_extent_map(em); if (!IS_ERR_OR_NULL(map)) btrfs_free_chunk_map(map); @@ -10053,6 +10093,8 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, out_unlock_mmap: up_write(&BTRFS_I(inode)->i_mmap_lock); + btrfs_free_backref_share_ctx(backref_ctx); + btrfs_free_path(path); if (ret) return ret;

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix swap file activation failure due to extents that" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 03018e5d8508254534511d40fb57bc150e6a87f2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123009-curve-huntsman-5a05@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 03018e5d8508254534511d40fb57bc150e6a87f2 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Mon, 9 Dec 2024 12:54:14 +0000 Subject: [PATCH] btrfs: fix swap file activation failure due to extents that used to be shared When activating a swap file, to determine if an extent is shared we use can_nocow_extent(), which ends up at btrfs_cross_ref_exist(). That helper is meant to be quick because it's used in the NOCOW write path, when flushing delalloc and when doing a direct IO write, however it does return some false positives, meaning it may indicate that an extent is shared even if it's no longer the case. For the write path this is fine, we just do a unnecessary COW operation instead of doing a more rigorous check which would be too heavy (calling btrfs_is_data_extent_shared()). However when activating a swap file, the false positives simply result in a failure, which is confusing for users/applications. One particular case where this happens is when a data extent only has 1 reference but that reference is not inlined in the extent item located in the extent tree - this happens when we create more than 33 references for an extent and then delete those 33 references plus every other non-inline reference except one. The function check_committed_ref() assumes that if the size of an extent item doesn't match the size of struct btrfs_extent_item plus the size of an inline reference (plus an owner reference in case simple quotas are enabled), then the extent is shared - that is not the case however, we can have a single reference but it's not inlined - the reason we do this is to be fast and avoid inspecting non-inline references which may be located in another leaf of the extent tree, slowing down write paths. The following test script reproduces the bug: $ cat test.sh #!/bin/bash DEV=/dev/sdi MNT=/mnt/sdi NUM_CLONES=50 umount $DEV &> /dev/null run_test() { local sync_after_add_reflinks=$1 local sync_after_remove_reflinks=$2 mkfs.btrfs -f $DEV > /dev/null #mkfs.xfs -f $DEV > /dev/null mount $DEV $MNT touch $MNT/foo chmod 0600 $MNT/foo # On btrfs the file must be NOCOW. chattr +C $MNT/foo &> /dev/null xfs_io -s -c "pwrite -b 1M 0 1M" $MNT/foo mkswap $MNT/foo for ((i = 1; i <= $NUM_CLONES; i++)); do touch $MNT/foo_clone_$i chmod 0600 $MNT/foo_clone_$i # On btrfs the file must be NOCOW. chattr +C $MNT/foo_clone_$i &> /dev/null cp --reflink=always $MNT/foo $MNT/foo_clone_$i done if [ $sync_after_add_reflinks -ne 0 ]; then # Flush delayed refs and commit current transaction. sync -f $MNT fi # Remove the original file and all clones except the last. rm -f $MNT/foo for ((i = 1; i < $NUM_CLONES; i++)); do rm -f $MNT/foo_clone_$i done if [ $sync_after_remove_reflinks -ne 0 ]; then # Flush delayed refs and commit current transaction. sync -f $MNT fi # Now use the last clone as a swap file. It should work since # its extent are not shared anymore. swapon $MNT/foo_clone_${NUM_CLONES} swapoff $MNT/foo_clone_${NUM_CLONES} umount $MNT } echo -e "\nTest without sync after creating and removing clones" run_test 0 0 echo -e "\nTest with sync after creating clones" run_test 1 0 echo -e "\nTest with sync after removing clones" run_test 0 1 echo -e "\nTest with sync after creating and removing clones" run_test 1 1 Running the test: $ ./test.sh Test without sync after creating and removing clones wrote 1048576/1048576 bytes at offset 0 1 MiB, 1 ops; 0.0017 sec (556.793 MiB/sec and 556.7929 ops/sec) Setting up swapspace version 1, size = 1020 KiB (1044480 bytes) no label, UUID=a6b9c29e-5ef4-4689-a8ac-bc199c750f02 swapon: /mnt/sdi/foo_clone_50: swapon failed: Invalid argument swapoff: /mnt/sdi/foo_clone_50: swapoff failed: Invalid argument Test with sync after creating clones wrote 1048576/1048576 bytes at offset 0 1 MiB, 1 ops; 0.0036 sec (271.739 MiB/sec and 271.7391 ops/sec) Setting up swapspace version 1, size = 1020 KiB (1044480 bytes) no label, UUID=5e9008d6-1f7a-4948-a1b4-3f30aba20a33 swapon: /mnt/sdi/foo_clone_50: swapon failed: Invalid argument swapoff: /mnt/sdi/foo_clone_50: swapoff failed: Invalid argument Test with sync after removing clones wrote 1048576/1048576 bytes at offset 0 1 MiB, 1 ops; 0.0103 sec (96.665 MiB/sec and 96.6651 ops/sec) Setting up swapspace version 1, size = 1020 KiB (1044480 bytes) no label, UUID=916c2740-fa9f-4385-9f06-29c3f89e4764 Test with sync after creating and removing clones wrote 1048576/1048576 bytes at offset 0 1 MiB, 1 ops; 0.0031 sec (314.268 MiB/sec and 314.2678 ops/sec) Setting up swapspace version 1, size = 1020 KiB (1044480 bytes) no label, UUID=06aab1dd-4d90-49c0-bd9f-3a8db4e2f912 swapon: /mnt/sdi/foo_clone_50: swapon failed: Invalid argument swapoff: /mnt/sdi/foo_clone_50: swapoff failed: Invalid argument Fix this by reworking btrfs_swap_activate() to instead of using extent maps and checking for shared extents with can_nocow_extent(), iterate over the inode's file extent items and use the accurate btrfs_is_data_extent_shared(). CC: stable(a)vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index b2abc0aa5300..b87f19630b00 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -9799,15 +9799,16 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, struct btrfs_fs_info *fs_info = root->fs_info; struct extent_io_tree *io_tree = &BTRFS_I(inode)->io_tree; struct extent_state *cached_state = NULL; - struct extent_map *em = NULL; struct btrfs_chunk_map *map = NULL; struct btrfs_device *device = NULL; struct btrfs_swap_info bsi = { .lowest_ppage = (sector_t)-1ULL, }; + struct btrfs_backref_share_check_ctx *backref_ctx = NULL; + struct btrfs_path *path = NULL; int ret = 0; u64 isize; - u64 start; + u64 prev_extent_end = 0; /* * Acquire the inode's mmap lock to prevent races with memory mapped @@ -9846,6 +9847,13 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, goto out_unlock_mmap; } + path = btrfs_alloc_path(); + backref_ctx = btrfs_alloc_backref_share_check_ctx(); + if (!path || !backref_ctx) { + ret = -ENOMEM; + goto out_unlock_mmap; + } + /* * Balance or device remove/replace/resize can move stuff around from * under us. The exclop protection makes sure they aren't running/won't @@ -9904,24 +9912,39 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, isize = ALIGN_DOWN(inode->i_size, fs_info->sectorsize); lock_extent(io_tree, 0, isize - 1, &cached_state); - start = 0; - while (start < isize) { - u64 logical_block_start, physical_block_start; + while (prev_extent_end < isize) { + struct btrfs_key key; + struct extent_buffer *leaf; + struct btrfs_file_extent_item *ei; struct btrfs_block_group *bg; - u64 len = isize - start; + u64 logical_block_start; + u64 physical_block_start; + u64 extent_gen; + u64 disk_bytenr; + u64 len; - em = btrfs_get_extent(BTRFS_I(inode), NULL, start, len); - if (IS_ERR(em)) { - ret = PTR_ERR(em); + key.objectid = btrfs_ino(BTRFS_I(inode)); + key.type = BTRFS_EXTENT_DATA_KEY; + key.offset = prev_extent_end; + + ret = btrfs_search_slot(NULL, root, &key, path, 0, 0); + if (ret < 0) goto out; - } - if (em->disk_bytenr == EXTENT_MAP_HOLE) { + /* + * If key not found it means we have an implicit hole (NO_HOLES + * is enabled). + */ + if (ret > 0) { btrfs_warn(fs_info, "swapfile must not have holes"); ret = -EINVAL; goto out; } - if (em->disk_bytenr == EXTENT_MAP_INLINE) { + + leaf = path->nodes[0]; + ei = btrfs_item_ptr(leaf, path->slots[0], struct btrfs_file_extent_item); + + if (btrfs_file_extent_type(leaf, ei) == BTRFS_FILE_EXTENT_INLINE) { /* * It's unlikely we'll ever actually find ourselves * here, as a file small enough to fit inline won't be @@ -9933,23 +9956,45 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, ret = -EINVAL; goto out; } - if (extent_map_is_compressed(em)) { + + if (btrfs_file_extent_compression(leaf, ei) != BTRFS_COMPRESS_NONE) { btrfs_warn(fs_info, "swapfile must not be compressed"); ret = -EINVAL; goto out; } - logical_block_start = extent_map_block_start(em) + (start - em->start); - len = min(len, em->len - (start - em->start)); - free_extent_map(em); - em = NULL; + disk_bytenr = btrfs_file_extent_disk_bytenr(leaf, ei); + if (disk_bytenr == 0) { + btrfs_warn(fs_info, "swapfile must not have holes"); + ret = -EINVAL; + goto out; + } - ret = can_nocow_extent(inode, start, &len, NULL, false, true); + logical_block_start = disk_bytenr + btrfs_file_extent_offset(leaf, ei); + extent_gen = btrfs_file_extent_generation(leaf, ei); + prev_extent_end = btrfs_file_extent_end(path); + + if (prev_extent_end > isize) + len = isize - key.offset; + else + len = btrfs_file_extent_num_bytes(leaf, ei); + + backref_ctx->curr_leaf_bytenr = leaf->start; + + /* + * Don't need the path anymore, release to avoid deadlocks when + * calling btrfs_is_data_extent_shared() because when joining a + * transaction it can block waiting for the current one's commit + * which in turn may be trying to lock the same leaf to flush + * delayed items for example. + */ + btrfs_release_path(path); + + ret = btrfs_is_data_extent_shared(BTRFS_I(inode), disk_bytenr, + extent_gen, backref_ctx); if (ret < 0) { goto out; - } else if (ret) { - ret = 0; - } else { + } else if (ret > 0) { btrfs_warn(fs_info, "swapfile must not be copy-on-write"); ret = -EINVAL; @@ -9984,7 +10029,6 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, physical_block_start = (map->stripes[0].physical + (logical_block_start - map->start)); - len = min(len, map->chunk_len - (logical_block_start - map->start)); btrfs_free_chunk_map(map); map = NULL; @@ -10025,20 +10069,16 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, if (ret) goto out; } - bsi.start = start; + bsi.start = key.offset; bsi.block_start = physical_block_start; bsi.block_len = len; } - - start += len; } if (bsi.block_len) ret = btrfs_add_swap_extent(sis, &bsi); out: - if (!IS_ERR_OR_NULL(em)) - free_extent_map(em); if (!IS_ERR_OR_NULL(map)) btrfs_free_chunk_map(map); @@ -10053,6 +10093,8 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, out_unlock_mmap: up_write(&BTRFS_I(inode)->i_mmap_lock); + btrfs_free_backref_share_ctx(backref_ctx); + btrfs_free_path(path); if (ret) return ret;

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix swap file activation failure due to extents that" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 03018e5d8508254534511d40fb57bc150e6a87f2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123002-remedial-drainpipe-efb2@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 03018e5d8508254534511d40fb57bc150e6a87f2 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Mon, 9 Dec 2024 12:54:14 +0000 Subject: [PATCH] btrfs: fix swap file activation failure due to extents that used to be shared When activating a swap file, to determine if an extent is shared we use can_nocow_extent(), which ends up at btrfs_cross_ref_exist(). That helper is meant to be quick because it's used in the NOCOW write path, when flushing delalloc and when doing a direct IO write, however it does return some false positives, meaning it may indicate that an extent is shared even if it's no longer the case. For the write path this is fine, we just do a unnecessary COW operation instead of doing a more rigorous check which would be too heavy (calling btrfs_is_data_extent_shared()). However when activating a swap file, the false positives simply result in a failure, which is confusing for users/applications. One particular case where this happens is when a data extent only has 1 reference but that reference is not inlined in the extent item located in the extent tree - this happens when we create more than 33 references for an extent and then delete those 33 references plus every other non-inline reference except one. The function check_committed_ref() assumes that if the size of an extent item doesn't match the size of struct btrfs_extent_item plus the size of an inline reference (plus an owner reference in case simple quotas are enabled), then the extent is shared - that is not the case however, we can have a single reference but it's not inlined - the reason we do this is to be fast and avoid inspecting non-inline references which may be located in another leaf of the extent tree, slowing down write paths. The following test script reproduces the bug: $ cat test.sh #!/bin/bash DEV=/dev/sdi MNT=/mnt/sdi NUM_CLONES=50 umount $DEV &> /dev/null run_test() { local sync_after_add_reflinks=$1 local sync_after_remove_reflinks=$2 mkfs.btrfs -f $DEV > /dev/null #mkfs.xfs -f $DEV > /dev/null mount $DEV $MNT touch $MNT/foo chmod 0600 $MNT/foo # On btrfs the file must be NOCOW. chattr +C $MNT/foo &> /dev/null xfs_io -s -c "pwrite -b 1M 0 1M" $MNT/foo mkswap $MNT/foo for ((i = 1; i <= $NUM_CLONES; i++)); do touch $MNT/foo_clone_$i chmod 0600 $MNT/foo_clone_$i # On btrfs the file must be NOCOW. chattr +C $MNT/foo_clone_$i &> /dev/null cp --reflink=always $MNT/foo $MNT/foo_clone_$i done if [ $sync_after_add_reflinks -ne 0 ]; then # Flush delayed refs and commit current transaction. sync -f $MNT fi # Remove the original file and all clones except the last. rm -f $MNT/foo for ((i = 1; i < $NUM_CLONES; i++)); do rm -f $MNT/foo_clone_$i done if [ $sync_after_remove_reflinks -ne 0 ]; then # Flush delayed refs and commit current transaction. sync -f $MNT fi # Now use the last clone as a swap file. It should work since # its extent are not shared anymore. swapon $MNT/foo_clone_${NUM_CLONES} swapoff $MNT/foo_clone_${NUM_CLONES} umount $MNT } echo -e "\nTest without sync after creating and removing clones" run_test 0 0 echo -e "\nTest with sync after creating clones" run_test 1 0 echo -e "\nTest with sync after removing clones" run_test 0 1 echo -e "\nTest with sync after creating and removing clones" run_test 1 1 Running the test: $ ./test.sh Test without sync after creating and removing clones wrote 1048576/1048576 bytes at offset 0 1 MiB, 1 ops; 0.0017 sec (556.793 MiB/sec and 556.7929 ops/sec) Setting up swapspace version 1, size = 1020 KiB (1044480 bytes) no label, UUID=a6b9c29e-5ef4-4689-a8ac-bc199c750f02 swapon: /mnt/sdi/foo_clone_50: swapon failed: Invalid argument swapoff: /mnt/sdi/foo_clone_50: swapoff failed: Invalid argument Test with sync after creating clones wrote 1048576/1048576 bytes at offset 0 1 MiB, 1 ops; 0.0036 sec (271.739 MiB/sec and 271.7391 ops/sec) Setting up swapspace version 1, size = 1020 KiB (1044480 bytes) no label, UUID=5e9008d6-1f7a-4948-a1b4-3f30aba20a33 swapon: /mnt/sdi/foo_clone_50: swapon failed: Invalid argument swapoff: /mnt/sdi/foo_clone_50: swapoff failed: Invalid argument Test with sync after removing clones wrote 1048576/1048576 bytes at offset 0 1 MiB, 1 ops; 0.0103 sec (96.665 MiB/sec and 96.6651 ops/sec) Setting up swapspace version 1, size = 1020 KiB (1044480 bytes) no label, UUID=916c2740-fa9f-4385-9f06-29c3f89e4764 Test with sync after creating and removing clones wrote 1048576/1048576 bytes at offset 0 1 MiB, 1 ops; 0.0031 sec (314.268 MiB/sec and 314.2678 ops/sec) Setting up swapspace version 1, size = 1020 KiB (1044480 bytes) no label, UUID=06aab1dd-4d90-49c0-bd9f-3a8db4e2f912 swapon: /mnt/sdi/foo_clone_50: swapon failed: Invalid argument swapoff: /mnt/sdi/foo_clone_50: swapoff failed: Invalid argument Fix this by reworking btrfs_swap_activate() to instead of using extent maps and checking for shared extents with can_nocow_extent(), iterate over the inode's file extent items and use the accurate btrfs_is_data_extent_shared(). CC: stable(a)vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index b2abc0aa5300..b87f19630b00 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -9799,15 +9799,16 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, struct btrfs_fs_info *fs_info = root->fs_info; struct extent_io_tree *io_tree = &BTRFS_I(inode)->io_tree; struct extent_state *cached_state = NULL; - struct extent_map *em = NULL; struct btrfs_chunk_map *map = NULL; struct btrfs_device *device = NULL; struct btrfs_swap_info bsi = { .lowest_ppage = (sector_t)-1ULL, }; + struct btrfs_backref_share_check_ctx *backref_ctx = NULL; + struct btrfs_path *path = NULL; int ret = 0; u64 isize; - u64 start; + u64 prev_extent_end = 0; /* * Acquire the inode's mmap lock to prevent races with memory mapped @@ -9846,6 +9847,13 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, goto out_unlock_mmap; } + path = btrfs_alloc_path(); + backref_ctx = btrfs_alloc_backref_share_check_ctx(); + if (!path || !backref_ctx) { + ret = -ENOMEM; + goto out_unlock_mmap; + } + /* * Balance or device remove/replace/resize can move stuff around from * under us. The exclop protection makes sure they aren't running/won't @@ -9904,24 +9912,39 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, isize = ALIGN_DOWN(inode->i_size, fs_info->sectorsize); lock_extent(io_tree, 0, isize - 1, &cached_state); - start = 0; - while (start < isize) { - u64 logical_block_start, physical_block_start; + while (prev_extent_end < isize) { + struct btrfs_key key; + struct extent_buffer *leaf; + struct btrfs_file_extent_item *ei; struct btrfs_block_group *bg; - u64 len = isize - start; + u64 logical_block_start; + u64 physical_block_start; + u64 extent_gen; + u64 disk_bytenr; + u64 len; - em = btrfs_get_extent(BTRFS_I(inode), NULL, start, len); - if (IS_ERR(em)) { - ret = PTR_ERR(em); + key.objectid = btrfs_ino(BTRFS_I(inode)); + key.type = BTRFS_EXTENT_DATA_KEY; + key.offset = prev_extent_end; + + ret = btrfs_search_slot(NULL, root, &key, path, 0, 0); + if (ret < 0) goto out; - } - if (em->disk_bytenr == EXTENT_MAP_HOLE) { + /* + * If key not found it means we have an implicit hole (NO_HOLES + * is enabled). + */ + if (ret > 0) { btrfs_warn(fs_info, "swapfile must not have holes"); ret = -EINVAL; goto out; } - if (em->disk_bytenr == EXTENT_MAP_INLINE) { + + leaf = path->nodes[0]; + ei = btrfs_item_ptr(leaf, path->slots[0], struct btrfs_file_extent_item); + + if (btrfs_file_extent_type(leaf, ei) == BTRFS_FILE_EXTENT_INLINE) { /* * It's unlikely we'll ever actually find ourselves * here, as a file small enough to fit inline won't be @@ -9933,23 +9956,45 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, ret = -EINVAL; goto out; } - if (extent_map_is_compressed(em)) { + + if (btrfs_file_extent_compression(leaf, ei) != BTRFS_COMPRESS_NONE) { btrfs_warn(fs_info, "swapfile must not be compressed"); ret = -EINVAL; goto out; } - logical_block_start = extent_map_block_start(em) + (start - em->start); - len = min(len, em->len - (start - em->start)); - free_extent_map(em); - em = NULL; + disk_bytenr = btrfs_file_extent_disk_bytenr(leaf, ei); + if (disk_bytenr == 0) { + btrfs_warn(fs_info, "swapfile must not have holes"); + ret = -EINVAL; + goto out; + } - ret = can_nocow_extent(inode, start, &len, NULL, false, true); + logical_block_start = disk_bytenr + btrfs_file_extent_offset(leaf, ei); + extent_gen = btrfs_file_extent_generation(leaf, ei); + prev_extent_end = btrfs_file_extent_end(path); + + if (prev_extent_end > isize) + len = isize - key.offset; + else + len = btrfs_file_extent_num_bytes(leaf, ei); + + backref_ctx->curr_leaf_bytenr = leaf->start; + + /* + * Don't need the path anymore, release to avoid deadlocks when + * calling btrfs_is_data_extent_shared() because when joining a + * transaction it can block waiting for the current one's commit + * which in turn may be trying to lock the same leaf to flush + * delayed items for example. + */ + btrfs_release_path(path); + + ret = btrfs_is_data_extent_shared(BTRFS_I(inode), disk_bytenr, + extent_gen, backref_ctx); if (ret < 0) { goto out; - } else if (ret) { - ret = 0; - } else { + } else if (ret > 0) { btrfs_warn(fs_info, "swapfile must not be copy-on-write"); ret = -EINVAL; @@ -9984,7 +10029,6 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, physical_block_start = (map->stripes[0].physical + (logical_block_start - map->start)); - len = min(len, map->chunk_len - (logical_block_start - map->start)); btrfs_free_chunk_map(map); map = NULL; @@ -10025,20 +10069,16 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, if (ret) goto out; } - bsi.start = start; + bsi.start = key.offset; bsi.block_start = physical_block_start; bsi.block_len = len; } - - start += len; } if (bsi.block_len) ret = btrfs_add_swap_extent(sis, &bsi); out: - if (!IS_ERR_OR_NULL(em)) - free_extent_map(em); if (!IS_ERR_OR_NULL(map)) btrfs_free_chunk_map(map); @@ -10053,6 +10093,8 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, out_unlock_mmap: up_write(&BTRFS_I(inode)->i_mmap_lock); + btrfs_free_backref_share_ctx(backref_ctx); + btrfs_free_path(path); if (ret) return ret;

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] x86/fred: Clear WFE in missing-ENDBRANCH #CPs" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x dc81e556f2a017d681251ace21bf06c126d5a192 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123023-arise-undercook-60f9@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From dc81e556f2a017d681251ace21bf06c126d5a192 Mon Sep 17 00:00:00 2001 From: "Xin Li (Intel)" <xin(a)zytor.com> Date: Wed, 13 Nov 2024 09:59:34 -0800 Subject: [PATCH] x86/fred: Clear WFE in missing-ENDBRANCH #CPs An indirect branch instruction sets the CPU indirect branch tracker (IBT) into WAIT_FOR_ENDBRANCH (WFE) state and WFE stays asserted across the instruction boundary. When the decoder finds an inappropriate instruction while WFE is set ENDBR, the CPU raises a #CP fault. For the "kernel IBT no ENDBR" selftest where #CPs are deliberately triggered, the WFE state of the interrupted context needs to be cleared to let execution continue. Otherwise when the CPU resumes from the instruction that just caused the previous #CP, another missing-ENDBRANCH #CP is raised and the CPU enters a dead loop. This is not a problem with IDT because it doesn't preserve WFE and IRET doesn't set WFE. But FRED provides space on the entry stack (in an expanded CS area) to save and restore the WFE state, thus the WFE state is no longer clobbered, so software must clear it. Clear WFE to avoid dead looping in ibt_clear_fred_wfe() and the !ibt_fatal code path when execution is allowed to continue. Clobbering WFE in any other circumstance is a security-relevant bug. [ dhansen: changelog rewording ] Fixes: a5f6c2ace997 ("x86/shstk: Add user control-protection fault handler") Signed-off-by: Xin Li (Intel) <xin(a)zytor.com> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Signed-off-by: Ingo Molnar <mingo(a)kernel.org> Acked-by: Dave Hansen <dave.hansen(a)linux.intel.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/all/20241113175934.3897541-1-xin%40zytor.com diff --git a/arch/x86/kernel/cet.c b/arch/x86/kernel/cet.c index d2c732a34e5d..303bf74d175b 100644 --- a/arch/x86/kernel/cet.c +++ b/arch/x86/kernel/cet.c @@ -81,6 +81,34 @@ static void do_user_cp_fault(struct pt_regs *regs, unsigned long error_code) static __ro_after_init bool ibt_fatal = true; +/* + * By definition, all missing-ENDBRANCH #CPs are a result of WFE && !ENDBR. + * + * For the kernel IBT no ENDBR selftest where #CPs are deliberately triggered, + * the WFE state of the interrupted context needs to be cleared to let execution + * continue. Otherwise when the CPU resumes from the instruction that just + * caused the previous #CP, another missing-ENDBRANCH #CP is raised and the CPU + * enters a dead loop. + * + * This is not a problem with IDT because it doesn't preserve WFE and IRET doesn't + * set WFE. But FRED provides space on the entry stack (in an expanded CS area) + * to save and restore the WFE state, thus the WFE state is no longer clobbered, + * so software must clear it. + */ +static void ibt_clear_fred_wfe(struct pt_regs *regs) +{ + /* + * No need to do any FRED checks. + * + * For IDT event delivery, the high-order 48 bits of CS are pushed + * as 0s into the stack, and later IRET ignores these bits. + * + * For FRED, a test to check if fred_cs.wfe is set would be dropped + * by compilers. + */ + regs->fred_cs.wfe = 0; +} + static void do_kernel_cp_fault(struct pt_regs *regs, unsigned long error_code) { if ((error_code & CP_EC) != CP_ENDBR) { @@ -90,6 +118,7 @@ static void do_kernel_cp_fault(struct pt_regs *regs, unsigned long error_code) if (unlikely(regs->ip == (unsigned long)&ibt_selftest_noendbr)) { regs->ax = 0; + ibt_clear_fred_wfe(regs); return; } @@ -97,6 +126,7 @@ static void do_kernel_cp_fault(struct pt_regs *regs, unsigned long error_code) if (!ibt_fatal) { printk(KERN_DEFAULT CUT_HERE); __warn(__FILE__, __LINE__, (void *)regs->ip, TAINT_WARN, regs, NULL); + ibt_clear_fred_wfe(regs); return; } BUG();

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix race with memory mapped writes when activating" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 0525064bb82e50d59543b62b9d41a606198a4a44 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123012-thyself-commodity-0069@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0525064bb82e50d59543b62b9d41a606198a4a44 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Fri, 29 Nov 2024 12:25:30 +0000 Subject: [PATCH] btrfs: fix race with memory mapped writes when activating swap file When activating the swap file we flush all delalloc and wait for ordered extent completion, so that we don't miss any delalloc and extents before we check that the file's extent layout is usable for a swap file and activate the swap file. We are called with the inode's VFS lock acquired, so we won't race with buffered and direct IO writes, however we can still race with memory mapped writes since they don't acquire the inode's VFS lock. The race window is between flushing all delalloc and locking the whole file's extent range, since memory mapped writes lock an extent range with the length of a page. Fix this by acquiring the inode's mmap lock before we flush delalloc. CC: stable(a)vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index 6baa0269a85b..b2abc0aa5300 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -9809,6 +9809,15 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, u64 isize; u64 start; + /* + * Acquire the inode's mmap lock to prevent races with memory mapped + * writes, as they could happen after we flush delalloc below and before + * we lock the extent range further below. The inode was already locked + * up in the call chain. + */ + btrfs_assert_inode_locked(BTRFS_I(inode)); + down_write(&BTRFS_I(inode)->i_mmap_lock); + /* * If the swap file was just created, make sure delalloc is done. If the * file changes again after this, the user is doing something stupid and @@ -9816,22 +9825,25 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, */ ret = btrfs_wait_ordered_range(BTRFS_I(inode), 0, (u64)-1); if (ret) - return ret; + goto out_unlock_mmap; /* * The inode is locked, so these flags won't change after we check them. */ if (BTRFS_I(inode)->flags & BTRFS_INODE_COMPRESS) { btrfs_warn(fs_info, "swapfile must not be compressed"); - return -EINVAL; + ret = -EINVAL; + goto out_unlock_mmap; } if (!(BTRFS_I(inode)->flags & BTRFS_INODE_NODATACOW)) { btrfs_warn(fs_info, "swapfile must not be copy-on-write"); - return -EINVAL; + ret = -EINVAL; + goto out_unlock_mmap; } if (!(BTRFS_I(inode)->flags & BTRFS_INODE_NODATASUM)) { btrfs_warn(fs_info, "swapfile must not be checksummed"); - return -EINVAL; + ret = -EINVAL; + goto out_unlock_mmap; } /* @@ -9846,7 +9858,8 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, if (!btrfs_exclop_start(fs_info, BTRFS_EXCLOP_SWAP_ACTIVATE)) { btrfs_warn(fs_info, "cannot activate swapfile while exclusive operation is running"); - return -EBUSY; + ret = -EBUSY; + goto out_unlock_mmap; } /* @@ -9860,7 +9873,8 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, btrfs_exclop_finish(fs_info); btrfs_warn(fs_info, "cannot activate swapfile because snapshot creation is in progress"); - return -EINVAL; + ret = -EINVAL; + goto out_unlock_mmap; } /* * Snapshots can create extents which require COW even if NODATACOW is @@ -9881,7 +9895,8 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, btrfs_warn(fs_info, "cannot activate swapfile because subvolume %llu is being deleted", btrfs_root_id(root)); - return -EPERM; + ret = -EPERM; + goto out_unlock_mmap; } atomic_inc(&root->nr_swapfiles); spin_unlock(&root->root_item_lock); @@ -10036,6 +10051,8 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, btrfs_exclop_finish(fs_info); +out_unlock_mmap: + up_write(&BTRFS_I(inode)->i_mmap_lock); if (ret) return ret;

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix race with memory mapped writes when activating" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 0525064bb82e50d59543b62b9d41a606198a4a44 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123011-designed-giving-6a82@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0525064bb82e50d59543b62b9d41a606198a4a44 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Fri, 29 Nov 2024 12:25:30 +0000 Subject: [PATCH] btrfs: fix race with memory mapped writes when activating swap file When activating the swap file we flush all delalloc and wait for ordered extent completion, so that we don't miss any delalloc and extents before we check that the file's extent layout is usable for a swap file and activate the swap file. We are called with the inode's VFS lock acquired, so we won't race with buffered and direct IO writes, however we can still race with memory mapped writes since they don't acquire the inode's VFS lock. The race window is between flushing all delalloc and locking the whole file's extent range, since memory mapped writes lock an extent range with the length of a page. Fix this by acquiring the inode's mmap lock before we flush delalloc. CC: stable(a)vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index 6baa0269a85b..b2abc0aa5300 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -9809,6 +9809,15 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, u64 isize; u64 start; + /* + * Acquire the inode's mmap lock to prevent races with memory mapped + * writes, as they could happen after we flush delalloc below and before + * we lock the extent range further below. The inode was already locked + * up in the call chain. + */ + btrfs_assert_inode_locked(BTRFS_I(inode)); + down_write(&BTRFS_I(inode)->i_mmap_lock); + /* * If the swap file was just created, make sure delalloc is done. If the * file changes again after this, the user is doing something stupid and @@ -9816,22 +9825,25 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, */ ret = btrfs_wait_ordered_range(BTRFS_I(inode), 0, (u64)-1); if (ret) - return ret; + goto out_unlock_mmap; /* * The inode is locked, so these flags won't change after we check them. */ if (BTRFS_I(inode)->flags & BTRFS_INODE_COMPRESS) { btrfs_warn(fs_info, "swapfile must not be compressed"); - return -EINVAL; + ret = -EINVAL; + goto out_unlock_mmap; } if (!(BTRFS_I(inode)->flags & BTRFS_INODE_NODATACOW)) { btrfs_warn(fs_info, "swapfile must not be copy-on-write"); - return -EINVAL; + ret = -EINVAL; + goto out_unlock_mmap; } if (!(BTRFS_I(inode)->flags & BTRFS_INODE_NODATASUM)) { btrfs_warn(fs_info, "swapfile must not be checksummed"); - return -EINVAL; + ret = -EINVAL; + goto out_unlock_mmap; } /* @@ -9846,7 +9858,8 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, if (!btrfs_exclop_start(fs_info, BTRFS_EXCLOP_SWAP_ACTIVATE)) { btrfs_warn(fs_info, "cannot activate swapfile while exclusive operation is running"); - return -EBUSY; + ret = -EBUSY; + goto out_unlock_mmap; } /* @@ -9860,7 +9873,8 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, btrfs_exclop_finish(fs_info); btrfs_warn(fs_info, "cannot activate swapfile because snapshot creation is in progress"); - return -EINVAL; + ret = -EINVAL; + goto out_unlock_mmap; } /* * Snapshots can create extents which require COW even if NODATACOW is @@ -9881,7 +9895,8 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, btrfs_warn(fs_info, "cannot activate swapfile because subvolume %llu is being deleted", btrfs_root_id(root)); - return -EPERM; + ret = -EPERM; + goto out_unlock_mmap; } atomic_inc(&root->nr_swapfiles); spin_unlock(&root->root_item_lock); @@ -10036,6 +10051,8 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, btrfs_exclop_finish(fs_info); +out_unlock_mmap: + up_write(&BTRFS_I(inode)->i_mmap_lock); if (ret) return ret;

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix race with memory mapped writes when activating" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 0525064bb82e50d59543b62b9d41a606198a4a44 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123011-creature-slideshow-d673@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0525064bb82e50d59543b62b9d41a606198a4a44 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Fri, 29 Nov 2024 12:25:30 +0000 Subject: [PATCH] btrfs: fix race with memory mapped writes when activating swap file When activating the swap file we flush all delalloc and wait for ordered extent completion, so that we don't miss any delalloc and extents before we check that the file's extent layout is usable for a swap file and activate the swap file. We are called with the inode's VFS lock acquired, so we won't race with buffered and direct IO writes, however we can still race with memory mapped writes since they don't acquire the inode's VFS lock. The race window is between flushing all delalloc and locking the whole file's extent range, since memory mapped writes lock an extent range with the length of a page. Fix this by acquiring the inode's mmap lock before we flush delalloc. CC: stable(a)vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index 6baa0269a85b..b2abc0aa5300 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -9809,6 +9809,15 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, u64 isize; u64 start; + /* + * Acquire the inode's mmap lock to prevent races with memory mapped + * writes, as they could happen after we flush delalloc below and before + * we lock the extent range further below. The inode was already locked + * up in the call chain. + */ + btrfs_assert_inode_locked(BTRFS_I(inode)); + down_write(&BTRFS_I(inode)->i_mmap_lock); + /* * If the swap file was just created, make sure delalloc is done. If the * file changes again after this, the user is doing something stupid and @@ -9816,22 +9825,25 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, */ ret = btrfs_wait_ordered_range(BTRFS_I(inode), 0, (u64)-1); if (ret) - return ret; + goto out_unlock_mmap; /* * The inode is locked, so these flags won't change after we check them. */ if (BTRFS_I(inode)->flags & BTRFS_INODE_COMPRESS) { btrfs_warn(fs_info, "swapfile must not be compressed"); - return -EINVAL; + ret = -EINVAL; + goto out_unlock_mmap; } if (!(BTRFS_I(inode)->flags & BTRFS_INODE_NODATACOW)) { btrfs_warn(fs_info, "swapfile must not be copy-on-write"); - return -EINVAL; + ret = -EINVAL; + goto out_unlock_mmap; } if (!(BTRFS_I(inode)->flags & BTRFS_INODE_NODATASUM)) { btrfs_warn(fs_info, "swapfile must not be checksummed"); - return -EINVAL; + ret = -EINVAL; + goto out_unlock_mmap; } /* @@ -9846,7 +9858,8 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, if (!btrfs_exclop_start(fs_info, BTRFS_EXCLOP_SWAP_ACTIVATE)) { btrfs_warn(fs_info, "cannot activate swapfile while exclusive operation is running"); - return -EBUSY; + ret = -EBUSY; + goto out_unlock_mmap; } /* @@ -9860,7 +9873,8 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, btrfs_exclop_finish(fs_info); btrfs_warn(fs_info, "cannot activate swapfile because snapshot creation is in progress"); - return -EINVAL; + ret = -EINVAL; + goto out_unlock_mmap; } /* * Snapshots can create extents which require COW even if NODATACOW is @@ -9881,7 +9895,8 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, btrfs_warn(fs_info, "cannot activate swapfile because subvolume %llu is being deleted", btrfs_root_id(root)); - return -EPERM; + ret = -EPERM; + goto out_unlock_mmap; } atomic_inc(&root->nr_swapfiles); spin_unlock(&root->root_item_lock); @@ -10036,6 +10051,8 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, btrfs_exclop_finish(fs_info); +out_unlock_mmap: + up_write(&BTRFS_I(inode)->i_mmap_lock); if (ret) return ret;

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix race with memory mapped writes when activating" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 0525064bb82e50d59543b62b9d41a606198a4a44 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123010-voltage-disobey-16ec@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0525064bb82e50d59543b62b9d41a606198a4a44 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Fri, 29 Nov 2024 12:25:30 +0000 Subject: [PATCH] btrfs: fix race with memory mapped writes when activating swap file When activating the swap file we flush all delalloc and wait for ordered extent completion, so that we don't miss any delalloc and extents before we check that the file's extent layout is usable for a swap file and activate the swap file. We are called with the inode's VFS lock acquired, so we won't race with buffered and direct IO writes, however we can still race with memory mapped writes since they don't acquire the inode's VFS lock. The race window is between flushing all delalloc and locking the whole file's extent range, since memory mapped writes lock an extent range with the length of a page. Fix this by acquiring the inode's mmap lock before we flush delalloc. CC: stable(a)vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index 6baa0269a85b..b2abc0aa5300 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -9809,6 +9809,15 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, u64 isize; u64 start; + /* + * Acquire the inode's mmap lock to prevent races with memory mapped + * writes, as they could happen after we flush delalloc below and before + * we lock the extent range further below. The inode was already locked + * up in the call chain. + */ + btrfs_assert_inode_locked(BTRFS_I(inode)); + down_write(&BTRFS_I(inode)->i_mmap_lock); + /* * If the swap file was just created, make sure delalloc is done. If the * file changes again after this, the user is doing something stupid and @@ -9816,22 +9825,25 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, */ ret = btrfs_wait_ordered_range(BTRFS_I(inode), 0, (u64)-1); if (ret) - return ret; + goto out_unlock_mmap; /* * The inode is locked, so these flags won't change after we check them. */ if (BTRFS_I(inode)->flags & BTRFS_INODE_COMPRESS) { btrfs_warn(fs_info, "swapfile must not be compressed"); - return -EINVAL; + ret = -EINVAL; + goto out_unlock_mmap; } if (!(BTRFS_I(inode)->flags & BTRFS_INODE_NODATACOW)) { btrfs_warn(fs_info, "swapfile must not be copy-on-write"); - return -EINVAL; + ret = -EINVAL; + goto out_unlock_mmap; } if (!(BTRFS_I(inode)->flags & BTRFS_INODE_NODATASUM)) { btrfs_warn(fs_info, "swapfile must not be checksummed"); - return -EINVAL; + ret = -EINVAL; + goto out_unlock_mmap; } /* @@ -9846,7 +9858,8 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, if (!btrfs_exclop_start(fs_info, BTRFS_EXCLOP_SWAP_ACTIVATE)) { btrfs_warn(fs_info, "cannot activate swapfile while exclusive operation is running"); - return -EBUSY; + ret = -EBUSY; + goto out_unlock_mmap; } /* @@ -9860,7 +9873,8 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, btrfs_exclop_finish(fs_info); btrfs_warn(fs_info, "cannot activate swapfile because snapshot creation is in progress"); - return -EINVAL; + ret = -EINVAL; + goto out_unlock_mmap; } /* * Snapshots can create extents which require COW even if NODATACOW is @@ -9881,7 +9895,8 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, btrfs_warn(fs_info, "cannot activate swapfile because subvolume %llu is being deleted", btrfs_root_id(root)); - return -EPERM; + ret = -EPERM; + goto out_unlock_mmap; } atomic_inc(&root->nr_swapfiles); spin_unlock(&root->root_item_lock); @@ -10036,6 +10051,8 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, btrfs_exclop_finish(fs_info); +out_unlock_mmap: + up_write(&BTRFS_I(inode)->i_mmap_lock); if (ret) return ret;

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix race with memory mapped writes when activating" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 0525064bb82e50d59543b62b9d41a606198a4a44 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123009-carbon-thrower-2611@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0525064bb82e50d59543b62b9d41a606198a4a44 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Fri, 29 Nov 2024 12:25:30 +0000 Subject: [PATCH] btrfs: fix race with memory mapped writes when activating swap file When activating the swap file we flush all delalloc and wait for ordered extent completion, so that we don't miss any delalloc and extents before we check that the file's extent layout is usable for a swap file and activate the swap file. We are called with the inode's VFS lock acquired, so we won't race with buffered and direct IO writes, however we can still race with memory mapped writes since they don't acquire the inode's VFS lock. The race window is between flushing all delalloc and locking the whole file's extent range, since memory mapped writes lock an extent range with the length of a page. Fix this by acquiring the inode's mmap lock before we flush delalloc. CC: stable(a)vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index 6baa0269a85b..b2abc0aa5300 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -9809,6 +9809,15 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, u64 isize; u64 start; + /* + * Acquire the inode's mmap lock to prevent races with memory mapped + * writes, as they could happen after we flush delalloc below and before + * we lock the extent range further below. The inode was already locked + * up in the call chain. + */ + btrfs_assert_inode_locked(BTRFS_I(inode)); + down_write(&BTRFS_I(inode)->i_mmap_lock); + /* * If the swap file was just created, make sure delalloc is done. If the * file changes again after this, the user is doing something stupid and @@ -9816,22 +9825,25 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, */ ret = btrfs_wait_ordered_range(BTRFS_I(inode), 0, (u64)-1); if (ret) - return ret; + goto out_unlock_mmap; /* * The inode is locked, so these flags won't change after we check them. */ if (BTRFS_I(inode)->flags & BTRFS_INODE_COMPRESS) { btrfs_warn(fs_info, "swapfile must not be compressed"); - return -EINVAL; + ret = -EINVAL; + goto out_unlock_mmap; } if (!(BTRFS_I(inode)->flags & BTRFS_INODE_NODATACOW)) { btrfs_warn(fs_info, "swapfile must not be copy-on-write"); - return -EINVAL; + ret = -EINVAL; + goto out_unlock_mmap; } if (!(BTRFS_I(inode)->flags & BTRFS_INODE_NODATASUM)) { btrfs_warn(fs_info, "swapfile must not be checksummed"); - return -EINVAL; + ret = -EINVAL; + goto out_unlock_mmap; } /* @@ -9846,7 +9858,8 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, if (!btrfs_exclop_start(fs_info, BTRFS_EXCLOP_SWAP_ACTIVATE)) { btrfs_warn(fs_info, "cannot activate swapfile while exclusive operation is running"); - return -EBUSY; + ret = -EBUSY; + goto out_unlock_mmap; } /* @@ -9860,7 +9873,8 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, btrfs_exclop_finish(fs_info); btrfs_warn(fs_info, "cannot activate swapfile because snapshot creation is in progress"); - return -EINVAL; + ret = -EINVAL; + goto out_unlock_mmap; } /* * Snapshots can create extents which require COW even if NODATACOW is @@ -9881,7 +9895,8 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, btrfs_warn(fs_info, "cannot activate swapfile because subvolume %llu is being deleted", btrfs_root_id(root)); - return -EPERM; + ret = -EPERM; + goto out_unlock_mmap; } atomic_inc(&root->nr_swapfiles); spin_unlock(&root->root_item_lock); @@ -10036,6 +10051,8 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, btrfs_exclop_finish(fs_info); +out_unlock_mmap: + up_write(&BTRFS_I(inode)->i_mmap_lock); if (ret) return ret;

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] tracing: Prevent bad count for tracing_cpumask_write" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 98feccbf32cfdde8c722bc4587aaa60ee5ac33f0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123053-acting-chase-d961@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 98feccbf32cfdde8c722bc4587aaa60ee5ac33f0 Mon Sep 17 00:00:00 2001 From: Lizhi Xu <lizhi.xu(a)windriver.com> Date: Mon, 16 Dec 2024 15:32:38 +0800 Subject: [PATCH] tracing: Prevent bad count for tracing_cpumask_write If a large count is provided, it will trigger a warning in bitmap_parse_user. Also check zero for it. Cc: stable(a)vger.kernel.org Fixes: 9e01c1b74c953 ("cpumask: convert kernel trace functions") Link: https://lore.kernel.org/20241216073238.2573704-1-lizhi.xu@windriver.com Reported-by: syzbot+0aecfd34fb878546f3fd(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=0aecfd34fb878546f3fd Tested-by: syzbot+0aecfd34fb878546f3fd(a)syzkaller.appspotmail.com Signed-off-by: Lizhi Xu <lizhi.xu(a)windriver.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index 957f941a08e7..f8aebcb01e62 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -5087,6 +5087,9 @@ tracing_cpumask_write(struct file *filp, const char __user *ubuf, cpumask_var_t tracing_cpumask_new; int err; + if (count == 0 || count > KMALLOC_MAX_SIZE) + return -EINVAL; + if (!zalloc_cpumask_var(&tracing_cpumask_new, GFP_KERNEL)) return -ENOMEM;

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] tracing: Prevent bad count for tracing_cpumask_write" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 98feccbf32cfdde8c722bc4587aaa60ee5ac33f0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123047-unfounded-coil-47c5@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 98feccbf32cfdde8c722bc4587aaa60ee5ac33f0 Mon Sep 17 00:00:00 2001 From: Lizhi Xu <lizhi.xu(a)windriver.com> Date: Mon, 16 Dec 2024 15:32:38 +0800 Subject: [PATCH] tracing: Prevent bad count for tracing_cpumask_write If a large count is provided, it will trigger a warning in bitmap_parse_user. Also check zero for it. Cc: stable(a)vger.kernel.org Fixes: 9e01c1b74c953 ("cpumask: convert kernel trace functions") Link: https://lore.kernel.org/20241216073238.2573704-1-lizhi.xu@windriver.com Reported-by: syzbot+0aecfd34fb878546f3fd(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=0aecfd34fb878546f3fd Tested-by: syzbot+0aecfd34fb878546f3fd(a)syzkaller.appspotmail.com Signed-off-by: Lizhi Xu <lizhi.xu(a)windriver.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index 957f941a08e7..f8aebcb01e62 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -5087,6 +5087,9 @@ tracing_cpumask_write(struct file *filp, const char __user *ubuf, cpumask_var_t tracing_cpumask_new; int err; + if (count == 0 || count > KMALLOC_MAX_SIZE) + return -EINVAL; + if (!zalloc_cpumask_var(&tracing_cpumask_new, GFP_KERNEL)) return -ENOMEM;

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] dmaengine: loongson2-apb: Change GENMASK to GENMASK_ULL" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 4b65d5322e1d8994acfdb9b867aa00bdb30d177b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122721-badge-research-e542@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 4b65d5322e1d8994acfdb9b867aa00bdb30d177b Mon Sep 17 00:00:00 2001 From: Binbin Zhou <zhoubinbin(a)loongson.cn> Date: Mon, 28 Oct 2024 17:34:13 +0800 Subject: [PATCH] dmaengine: loongson2-apb: Change GENMASK to GENMASK_ULL Fix the following smatch static checker warning: drivers/dma/loongson2-apb-dma.c:189 ls2x_dma_write_cmd() warn: was expecting a 64 bit value instead of '~(((0)) + (((~((0))) - (((1)) << (0)) + 1) & (~((0)) >> ((8 * 4) - 1 - (4)))))' The GENMASK macro used "unsigned long", which caused build issues when using a 32-bit toolchain because it would try to access bits > 31. This patch switches GENMASK to GENMASK_ULL, which uses "unsigned long long". Fixes: 71e7d3cb6e55 ("dmaengine: ls2x-apb: New driver for the Loongson LS2X APB DMA controller") Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org> Closes: https://lore.kernel.org/all/87cdc025-7246-4548-85ca-3d36fdc2be2d@stanley.mo… Signed-off-by: Binbin Zhou <zhoubinbin(a)loongson.cn> Link: https://lore.kernel.org/r/20241028093413.1145820-1-zhoubinbin@loongson.cn Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/dma/loongson2-apb-dma.c b/drivers/dma/loongson2-apb-dma.c index 367ed34ce4da..c528f02b9f84 100644 --- a/drivers/dma/loongson2-apb-dma.c +++ b/drivers/dma/loongson2-apb-dma.c @@ -31,7 +31,7 @@ #define LDMA_ASK_VALID BIT(2) #define LDMA_START BIT(3) /* DMA start operation */ #define LDMA_STOP BIT(4) /* DMA stop operation */ -#define LDMA_CONFIG_MASK GENMASK(4, 0) /* DMA controller config bits mask */ +#define LDMA_CONFIG_MASK GENMASK_ULL(4, 0) /* DMA controller config bits mask */ /* Bitfields in ndesc_addr field of HW descriptor */ #define LDMA_DESC_EN BIT(0) /*1: The next descriptor is valid */

10 months, 1 week

4
4
0 0

[PATCH v5.10] bpf: fix recursive lock when verdict program return SK_PASS

by Srish Srinivasan

From: Jiayuan Chen <mrpre(a)163.com> commit 8ca2a1eeadf09862190b2810697702d803ceef2d upstream. When the stream_verdict program returns SK_PASS, it places the received skb into its own receive queue, but a recursive lock eventually occurs, leading to an operating system deadlock. This issue has been present since v6.9. ''' sk_psock_strp_data_ready write_lock_bh(&sk->sk_callback_lock) strp_data_ready strp_read_sock read_sock -> tcp_read_sock strp_recv cb.rcv_msg -> sk_psock_strp_read # now stream_verdict return SK_PASS without peer sock assign __SK_PASS = sk_psock_map_verd(SK_PASS, NULL) sk_psock_verdict_apply sk_psock_skb_ingress_self sk_psock_skb_ingress_enqueue sk_psock_data_ready read_lock_bh(&sk->sk_callback_lock) <= dead lock ''' This topic has been discussed before, but it has not been fixed. Previous discussion: https://lore.kernel.org/all/6684a5864ec86_403d20898@john.notmuch Fixes: 6648e613226e ("bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue") Reported-by: Vincent Whitchurch <vincent.whitchurch(a)datadoghq.com> Signed-off-by: Jiayuan Chen <mrpre(a)163.com> Signed-off-by: John Fastabend <john.fastabend(a)gmail.com> Acked-by: Martin KaFai Lau <martin.lau(a)kernel.org> Link: https://patch.msgid.link/20241118030910.36230-2-mrpre@163.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> [srish: Apply to stable branch linux-5.10.y] Signed-off-by: Srish Srinivasan <srishwap4(a)gmail.com> --- net/core/skmsg.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/core/skmsg.c b/net/core/skmsg.c index 51792dda1..890e16bbc 100644 --- a/net/core/skmsg.c +++ b/net/core/skmsg.c @@ -940,9 +940,9 @@ static void sk_psock_strp_data_ready(struct sock *sk) if (tls_sw_has_ctx_rx(sk)) { psock->parser.saved_data_ready(sk); } else { - write_lock_bh(&sk->sk_callback_lock); + read_lock_bh(&sk->sk_callback_lock); strp_data_ready(&psock->parser.strp); - write_unlock_bh(&sk->sk_callback_lock); + read_unlock_bh(&sk->sk_callback_lock); } } rcu_read_unlock(); -- 2.25.1

10 months, 1 week

2
1
0 0

[PATCH 5.10/5.15/6.1] nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net

by Vasiliy Kovalev

From: Yang Erkun <yangerkun(a)huaweicloud.com> [ Upstream commit d5ff2fb2e7167e9483846e34148e60c0c016a1f6 ] In the normal case, when we excute `echo 0 > /proc/fs/nfsd/threads`, the function `nfs4_state_destroy_net` in `nfs4_state_shutdown_net` will release all resources related to the hashed `nfs4_client`. If the `nfsd_client_shrinker` is running concurrently, the `expire_client` function will first unhash this client and then destroy it. This can lead to the following warning. Additionally, numerous use-after-free errors may occur as well. nfsd_client_shrinker echo 0 > /proc/fs/nfsd/threads expire_client nfsd_shutdown_net unhash_client ... nfs4_state_shutdown_net /* won't wait shrinker exit */ /* cancel_work(&nn->nfsd_shrinker_work) * nfsd_file for this /* won't destroy unhashed client1 */ * client1 still alive nfs4_state_destroy_net */ nfsd_file_cache_shutdown /* trigger warning */ kmem_cache_destroy(nfsd_file_slab) kmem_cache_destroy(nfsd_file_mark_slab) /* release nfsd_file and mark */ __destroy_client ==================================================================== BUG nfsd_file (Not tainted): Objects remaining in nfsd_file on __kmem_cache_shutdown() -------------------------------------------------------------------- CPU: 4 UID: 0 PID: 764 Comm: sh Not tainted 6.12.0-rc3+ #1 dump_stack_lvl+0x53/0x70 slab_err+0xb0/0xf0 __kmem_cache_shutdown+0x15c/0x310 kmem_cache_destroy+0x66/0x160 nfsd_file_cache_shutdown+0xac/0x210 [nfsd] nfsd_destroy_serv+0x251/0x2a0 [nfsd] nfsd_svc+0x125/0x1e0 [nfsd] write_threads+0x16a/0x2a0 [nfsd] nfsctl_transaction_write+0x74/0xa0 [nfsd] vfs_write+0x1a5/0x6d0 ksys_write+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e ==================================================================== BUG nfsd_file_mark (Tainted: G B W ): Objects remaining nfsd_file_mark on __kmem_cache_shutdown() -------------------------------------------------------------------- dump_stack_lvl+0x53/0x70 slab_err+0xb0/0xf0 __kmem_cache_shutdown+0x15c/0x310 kmem_cache_destroy+0x66/0x160 nfsd_file_cache_shutdown+0xc8/0x210 [nfsd] nfsd_destroy_serv+0x251/0x2a0 [nfsd] nfsd_svc+0x125/0x1e0 [nfsd] write_threads+0x16a/0x2a0 [nfsd] nfsctl_transaction_write+0x74/0xa0 [nfsd] vfs_write+0x1a5/0x6d0 ksys_write+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e To resolve this issue, cancel `nfsd_shrinker_work` using synchronous mode in nfs4_state_shutdown_net. Fixes: 7c24fa225081 ("NFSD: replace delayed_work with work_struct for nfsd_client_shrinker") Signed-off-by: Yang Erkun <yangerkun(a)huaweicloud.com> Reviewed-by: Jeff Layton <jlayton(a)kernel.org> Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> (cherry picked from commit f965dc0f099a54fca100acf6909abe52d0c85328) Signed-off-by: Vasiliy Kovalev <kovalev(a)altlinux.org> --- Backport to fix CVE-2024-50121 Link: https://www.cve.org/CVERecord/?id=CVE-2024-50121 --- fs/nfsd/nfs4state.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c index 8bceae771c1c75..f6fa719ee32668 100644 --- a/fs/nfsd/nfs4state.c +++ b/fs/nfsd/nfs4state.c @@ -8208,7 +8208,7 @@ nfs4_state_shutdown_net(struct net *net) struct nfsd_net *nn = net_generic(net, nfsd_net_id); unregister_shrinker(&nn->nfsd_client_shrinker); - cancel_work(&nn->nfsd_shrinker_work); + cancel_work_sync(&nn->nfsd_shrinker_work); cancel_delayed_work_sync(&nn->laundromat_work); locks_end_grace(&nn->nfsd4_manager); -- 2.33.8

10 months, 1 week

2
1
0 0

[tip: x86/urgent] x86/fred: Clear WFE in missing-ENDBRANCH #CPs

by tip-bot2 for Xin Li (Intel)

The following commit has been merged into the x86/urgent branch of tip: Commit-ID: dc81e556f2a017d681251ace21bf06c126d5a192 Gitweb: https://git.kernel.org/tip/dc81e556f2a017d681251ace21bf06c126d5a192 Author: Xin Li (Intel) <xin(a)zytor.com> AuthorDate: Wed, 13 Nov 2024 09:59:34 -08:00 Committer: Ingo Molnar <mingo(a)kernel.org> CommitterDate: Sun, 29 Dec 2024 10:18:10 +01:00 x86/fred: Clear WFE in missing-ENDBRANCH #CPs An indirect branch instruction sets the CPU indirect branch tracker (IBT) into WAIT_FOR_ENDBRANCH (WFE) state and WFE stays asserted across the instruction boundary. When the decoder finds an inappropriate instruction while WFE is set ENDBR, the CPU raises a #CP fault. For the "kernel IBT no ENDBR" selftest where #CPs are deliberately triggered, the WFE state of the interrupted context needs to be cleared to let execution continue. Otherwise when the CPU resumes from the instruction that just caused the previous #CP, another missing-ENDBRANCH #CP is raised and the CPU enters a dead loop. This is not a problem with IDT because it doesn't preserve WFE and IRET doesn't set WFE. But FRED provides space on the entry stack (in an expanded CS area) to save and restore the WFE state, thus the WFE state is no longer clobbered, so software must clear it. Clear WFE to avoid dead looping in ibt_clear_fred_wfe() and the !ibt_fatal code path when execution is allowed to continue. Clobbering WFE in any other circumstance is a security-relevant bug. [ dhansen: changelog rewording ] Fixes: a5f6c2ace997 ("x86/shstk: Add user control-protection fault handler") Signed-off-by: Xin Li (Intel) <xin(a)zytor.com> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Signed-off-by: Ingo Molnar <mingo(a)kernel.org> Acked-by: Dave Hansen <dave.hansen(a)linux.intel.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/all/20241113175934.3897541-1-xin%40zytor.com --- arch/x86/kernel/cet.c | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/arch/x86/kernel/cet.c b/arch/x86/kernel/cet.c index d2c732a..303bf74 100644 --- a/arch/x86/kernel/cet.c +++ b/arch/x86/kernel/cet.c @@ -81,6 +81,34 @@ static void do_user_cp_fault(struct pt_regs *regs, unsigned long error_code) static __ro_after_init bool ibt_fatal = true; +/* + * By definition, all missing-ENDBRANCH #CPs are a result of WFE && !ENDBR. + * + * For the kernel IBT no ENDBR selftest where #CPs are deliberately triggered, + * the WFE state of the interrupted context needs to be cleared to let execution + * continue. Otherwise when the CPU resumes from the instruction that just + * caused the previous #CP, another missing-ENDBRANCH #CP is raised and the CPU + * enters a dead loop. + * + * This is not a problem with IDT because it doesn't preserve WFE and IRET doesn't + * set WFE. But FRED provides space on the entry stack (in an expanded CS area) + * to save and restore the WFE state, thus the WFE state is no longer clobbered, + * so software must clear it. + */ +static void ibt_clear_fred_wfe(struct pt_regs *regs) +{ + /* + * No need to do any FRED checks. + * + * For IDT event delivery, the high-order 48 bits of CS are pushed + * as 0s into the stack, and later IRET ignores these bits. + * + * For FRED, a test to check if fred_cs.wfe is set would be dropped + * by compilers. + */ + regs->fred_cs.wfe = 0; +} + static void do_kernel_cp_fault(struct pt_regs *regs, unsigned long error_code) { if ((error_code & CP_EC) != CP_ENDBR) { @@ -90,6 +118,7 @@ static void do_kernel_cp_fault(struct pt_regs *regs, unsigned long error_code) if (unlikely(regs->ip == (unsigned long)&ibt_selftest_noendbr)) { regs->ax = 0; + ibt_clear_fred_wfe(regs); return; } @@ -97,6 +126,7 @@ static void do_kernel_cp_fault(struct pt_regs *regs, unsigned long error_code) if (!ibt_fatal) { printk(KERN_DEFAULT CUT_HERE); __warn(__FILE__, __LINE__, (void *)regs->ip, TAINT_WARN, regs, NULL); + ibt_clear_fred_wfe(regs); return; } BUG();

10 months, 1 week

1
0
0 0

[tip: x86/urgent] virt: tdx-guest: Just leak decrypted memory on unrecoverable errors

by tip-bot2 for Li RongQing

The following commit has been merged into the x86/urgent branch of tip: Commit-ID: 27834971f616c5e154423c578fa95e0444444ce1 Gitweb: https://git.kernel.org/tip/27834971f616c5e154423c578fa95e0444444ce1 Author: Li RongQing <lirongqing(a)baidu.com> AuthorDate: Wed, 19 Jun 2024 19:18:01 +08:00 Committer: Ingo Molnar <mingo(a)kernel.org> CommitterDate: Sun, 29 Dec 2024 10:18:44 +01:00 virt: tdx-guest: Just leak decrypted memory on unrecoverable errors In CoCo VMs it is possible for the untrusted host to cause set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. Leak the decrypted memory when set_memory_decrypted() fails, and don't need to print an error since set_memory_decrypted() will call WARN_ONCE(). Fixes: f4738f56d1dc ("virt: tdx-guest: Add Quote generation support using TSM_REPORTS") Signed-off-by: Li RongQing <lirongqing(a)baidu.com> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Signed-off-by: Ingo Molnar <mingo(a)kernel.org> Reviewed-by: Rick Edgecombe <rick.p.edgecombe(a)intel.com> Reviewed-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/all/20240619111801.25630-1-lirongqing%40baidu.com --- drivers/virt/coco/tdx-guest/tdx-guest.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/drivers/virt/coco/tdx-guest/tdx-guest.c b/drivers/virt/coco/tdx-guest/tdx-guest.c index d7db6c8..224e7dd 100644 --- a/drivers/virt/coco/tdx-guest/tdx-guest.c +++ b/drivers/virt/coco/tdx-guest/tdx-guest.c @@ -124,10 +124,8 @@ static void *alloc_quote_buf(void) if (!addr) return NULL; - if (set_memory_decrypted((unsigned long)addr, count)) { - free_pages_exact(addr, len); + if (set_memory_decrypted((unsigned long)addr, count)) return NULL; - } return addr; }

10 months, 1 week

1
0
0 0

[PATCH v7 1/5] libfs: Return ENOSPC when the directory offset range is exhausted

by cel＠kernel.org

From: Chuck Lever <chuck.lever(a)oracle.com> Testing shows that the EBUSY error return from mtree_alloc_cyclic() leaks into user space. The ERRORS section of "man creat(2)" says: > EBUSY O_EXCL was specified in flags and pathname refers > to a block device that is in use by the system > (e.g., it is mounted). ENOSPC is closer to what applications expect in this situation. Note that the normal range of simple directory offset values is 2..2^63, so hitting this error is going to be rare to impossible. Fixes: 6faddda69f62 ("libfs: Add directory operations for stable offsets") Cc: <stable(a)vger.kernel.org> # v6.9+ Reviewed-by: Jeff Layton <jlayton(a)kernel.org> Reviewed-by: Yang Erkun <yangerkun(a)huawei.com> Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> --- fs/libfs.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/libfs.c b/fs/libfs.c index 748ac5923154..3da58a92f48f 100644 --- a/fs/libfs.c +++ b/fs/libfs.c @@ -292,8 +292,8 @@ int simple_offset_add(struct offset_ctx *octx, struct dentry *dentry) ret = mtree_alloc_cyclic(&octx->mt, &offset, dentry, DIR_OFFSET_MIN, LONG_MAX, &octx->next_offset, GFP_KERNEL); - if (ret < 0) - return ret; + if (unlikely(ret < 0)) + return ret == -EBUSY ? -ENOSPC : ret; offset_set(dentry, offset); return 0; -- 2.47.0

10 months, 1 week

1
0
0 0

Re: Bug: slab-out-of-bounds in snd_seq_oss_synth_sysex

by Kun Hu

> > >> 2024年12月25日 13:37，Kun Hu <huk23(a)m.fudan.edu.cn> 写道： >> >> Hello, >> >>> BUG: KASAN: slab-out-of-bounds in snd_seq_oss_synth_sysex+0x5d1/0x6c0 sound/core/seq/oss/seq_oss_synth.c:516 >> >> We further analyzed the issue at line 516 in ./sound/core/seq/oss/seq_oss_synth.c. >> The slab-out-of-bounds crash occurs in line 509, when sysex->len = 128. Specifically, the write operation to dest[0] accesses memory beyond the bounds of sysex->buf (128 byte). >> To resolve this issue, we suggest adding 6 lines of code to validate the legality of the address write to sysex->buf before entering the loop: >> >> if (sysex->len >= MAX_SYSEX_BUFLEN) { >> sysex->len = 0; >> sysex->skip = 1; >> return -EINVAL; /* Exit early if sysex->len is out of bounds */ >> } >> >> If you fix this issue, please add the following tag to the commit: >> Reported-by: Kun Hu <huk23(a)m.fudan.edu.cn> >> >> ————— >> Thanks, >> Kun Hu >> >>> 2024年12月24日 19:16，Kun Hu <huk23(a)m.fudan.edu.cn> 写道： >>> >>> Hello, >>> >>> When using fuzzer tool to fuzz the latest Linux kernel, the following crash >>> was triggered. >>> >>> HEAD commit: 78d4f34e2115b517bcbfe7ec0d018bbbb6f9b0b8 >>> git tree: upstream >>> Console output:https://drive.google.com/file/d/17oCyKDW_kNhSW5Bbvm23vnpD1eo0MHFi/vi… >>> Kernel config: https://drive.google.com/file/d/1RhT5dFTs6Vx1U71PbpenN7TPtnPoa3NI/view?usp=… >>> C reproducer: https://drive.google.com/file/d/177HJht6a7-6F3YLudKb_d4kiPGd1VA_i/view?usp=… >>> Syzlang reproducer: https://drive.google.com/file/d/1AuP5UGGc47rEXXPuvjmCKgJ3d0U1P84j/view?usp=… >>> >>> >>> If you fix this issue, please add the following tag to the commit: >>> Reported-by: Kun Hu <huk23(a)m.fudan.edu.cn> >>> >>> ================================================================== >>> BUG: KASAN: slab-out-of-bounds in snd_seq_oss_synth_sysex+0x5d1/0x6c0 sound/core/seq/oss/seq_oss_synth.c:516 >>> Write of size 1 at addr ff1100000588e288 by task syz-executor411/824 >>> >>> CPU: 2 UID: 0 PID: 824 Comm: syz-executor411 Not tainted 6.13.0-rc3 #5 >>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 >>> Call Trace: >>> <TASK> >>> __dump_stack lib/dump_stack.c:94 [inline] >>> dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120 >>> print_address_description mm/kasan/report.c:378 [inline] >>> print_report+0xcf/0x5f0 mm/kasan/report.c:489 >>> kasan_report+0x93/0xc0 mm/kasan/report.c:602 >>> snd_seq_oss_synth_sysex+0x5d1/0x6c0 sound/core/seq/oss/seq_oss_synth.c:516 >>> snd_seq_oss_process_event+0x46a/0x2620 sound/core/seq/oss/seq_oss_event.c:61 >>> insert_queue sound/core/seq/oss/seq_oss_rw.c:167 [inline] >>> snd_seq_oss_write+0x261/0x7f0 sound/core/seq/oss/seq_oss_rw.c:135 >>> odev_write+0x53/0xa0 sound/core/seq/oss/seq_oss.c:168 >>> vfs_write fs/read_write.c:677 [inline] >>> vfs_write+0x2e3/0x10f0 fs/read_write.c:659 >>> ksys_write+0x122/0x240 fs/read_write.c:731 >>> do_syscall_x64 arch/x86/entry/common.c:52 [inline] >>> do_syscall_64+0xc3/0x1d0 arch/x86/entry/common.c:83 >>> entry_SYSCALL_64_after_hwframe+0x77/0x7f >> > Hello, Is this issue being considered and is it possible that the value of sysex->len in line 509 of the snd_seq_oss_synth_sysex function could exceed 127 and thus be out of bounds? ——— Best Regards, Kun Hu

10 months, 1 week

2
2
0 0

+ mm-kmemleak-fix-percpu-memory-leak-detection-failure.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/kmemleak: fix percpu memory leak detection failure has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-kmemleak-fix-percpu-memory-leak-detection-failure.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Guo Weikang <guoweikang.kernel(a)gmail.com> Subject: mm/kmemleak: fix percpu memory leak detection failure Date: Fri, 27 Dec 2024 17:23:10 +0800 kmemleak_alloc_percpu gives an incorrect min_count parameter, causing percpu memory to be considered a gray object. Link: https://lkml.kernel.org/r/20241227092311.3572500-1-guoweikang.kernel@gmail.… Fixes: 8c8685928910 ("mm/kmemleak: use IS_ERR_PCPU() for pointer in the percpu address space") Signed-off-by: Guo Weikang <guoweikang.kernel(a)gmail.com> Acked-by: Uros Bizjak <ubizjak(a)gmail.com> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Guo Weikang <guoweikang.kernel(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/kmemleak.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/kmemleak.c~mm-kmemleak-fix-percpu-memory-leak-detection-failure +++ a/mm/kmemleak.c @@ -1093,7 +1093,7 @@ void __ref kmemleak_alloc_percpu(const v pr_debug("%s(0x%px, %zu)\n", __func__, ptr, size); if (kmemleak_enabled && ptr && !IS_ERR_PCPU(ptr)) - create_object_percpu((__force unsigned long)ptr, size, 0, gfp); + create_object_percpu((__force unsigned long)ptr, size, 1, gfp); } EXPORT_SYMBOL_GPL(kmemleak_alloc_percpu); _ Patches currently in -mm which might be from guoweikang.kernel(a)gmail.com are mm-kmemleak-fix-percpu-memory-leak-detection-failure.patch mm-shmem-refactor-to-reuse-vfs_parse_monolithic_sep-for-option-parsing.patch mm-early_ioremap-add-null-pointer-checks-to-prevent-null-pointer-dereference.patch

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] mtd: rawnand: arasan: Fix missing de-registration of NAND" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 11e6831fd81468cf48155b9b3c11295c391da723 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122708-spud-properly-0780@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 11e6831fd81468cf48155b9b3c11295c391da723 Mon Sep 17 00:00:00 2001 From: Maciej Andrzejewski <maciej.andrzejewski(a)m-works.net> Date: Mon, 2 Dec 2024 19:58:36 +0100 Subject: [PATCH] mtd: rawnand: arasan: Fix missing de-registration of NAND The NAND chip-selects are registered for the Arasan driver during initialization but are not de-registered when the driver is unloaded. As a result, if the driver is loaded again, the chip-selects remain registered and busy, making them unavailable for use. Fixes: 197b88fecc50 ("mtd: rawnand: arasan: Add new Arasan NAND controller") Cc: stable(a)vger.kernel.org Signed-off-by: Maciej Andrzejewski ICEYE <maciej.andrzejewski(a)m-works.net> Signed-off-by: Miquel Raynal <miquel.raynal(a)bootlin.com> diff --git a/drivers/mtd/nand/raw/arasan-nand-controller.c b/drivers/mtd/nand/raw/arasan-nand-controller.c index 26b506107a1a..865754737f5f 100644 --- a/drivers/mtd/nand/raw/arasan-nand-controller.c +++ b/drivers/mtd/nand/raw/arasan-nand-controller.c @@ -1478,8 +1478,15 @@ static int anfc_probe(struct platform_device *pdev) static void anfc_remove(struct platform_device *pdev) { + int i; struct arasan_nfc *nfc = platform_get_drvdata(pdev); + for (i = 0; i < nfc->ncs; i++) { + if (nfc->cs_array[i]) { + gpiod_put(nfc->cs_array[i]); + } + } + anfc_chips_cleanup(nfc); }

10 months, 1 week

1
0
0 0

[PATCH stable 6.1 5.15 5.10] bpf: Check validity of link->type in bpf_link_show_fdinfo()

by Shung-Hsi Yu

From: Hou Tao <houtao1(a)huawei.com> commit 8421d4c8762bd022cb491f2f0f7019ef51b4f0a7 upstream. If a newly-added link type doesn't invoke BPF_LINK_TYPE(), accessing bpf_link_type_strs[link->type] may result in an out-of-bounds access. To spot such missed invocations early in the future, checking the validity of link->type in bpf_link_show_fdinfo() and emitting a warning when such invocations are missed. Signed-off-by: Hou Tao <houtao1(a)huawei.com> Signed-off-by: Andrii Nakryiko <andrii(a)kernel.org> Link: https://lore.kernel.org/bpf/20241024013558.1135167-3-houtao@huaweicloud.com [ shung-hsi.yu: break up existing seq_printf() call since commit 68b04864ca42 ("bpf: Create links for BPF struct_ops maps.") is not present ] Signed-off-by: Shung-Hsi Yu <shung-hsi.yu(a)suse.com> --- kernel/bpf/syscall.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index f9906e5ad2e5..6455f80099cd 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -2816,16 +2816,21 @@ static void bpf_link_show_fdinfo(struct seq_file *m, struct file *filp) { const struct bpf_link *link = filp->private_data; const struct bpf_prog *prog = link->prog; + enum bpf_link_type type = link->type; char prog_tag[sizeof(prog->tag) * 2 + 1] = { }; + if (type < ARRAY_SIZE(bpf_link_type_strs) && bpf_link_type_strs[type]) { + seq_printf(m, "link_type:\t%s\n", bpf_link_type_strs[type]); + } else { + WARN_ONCE(1, "missing BPF_LINK_TYPE(...) for link type %u\n", type); + seq_printf(m, "link_type:\t<%u>\n", type); + } + seq_printf(m, "link_id:\t%u\n", link->id); + bin2hex(prog_tag, prog->tag, sizeof(prog->tag)); seq_printf(m, - "link_type:\t%s\n" - "link_id:\t%u\n" "prog_tag:\t%s\n" "prog_id:\t%u\n", - bpf_link_type_strs[link->type], - link->id, prog_tag, prog->aux->id); if (link->ops->show_fdinfo) -- 2.47.1

10 months, 1 week

2
1
0 0

Many Rx Errors since updating to kernel 6.12.6

by Mike Eddy

since updating from 6.12.5-100.fc40.x86_64 to 6.12.6-100.fc40.x86_64 I am getting many, many: kernel: r8169 0000:01:00.0 enp1s0: Rx ERROR. status = 352ac5ee and some: kernel: r8169 0000:01:00.0 enp1s0: NETDEV WATCHDOG: CPU: 3: transmit queue 0 timed out 5376 ms kernel: r8169 0000:01:00.0: can't disable ASPM; OS doesn't have ASPM control Thanks! Mike Eddy

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] dmaengine: dw: Select only supported masters for ACPI devices" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x f0e870a0e9c5521f2952ea9f3ea9d3d122631a89 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122729-array-crusader-3062@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f0e870a0e9c5521f2952ea9f3ea9d3d122631a89 Mon Sep 17 00:00:00 2001 From: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Date: Mon, 4 Nov 2024 11:50:50 +0200 Subject: [PATCH] dmaengine: dw: Select only supported masters for ACPI devices The recently submitted fix-commit revealed a problem in the iDMA 32-bit platform code. Even though the controller supported only a single master the dw_dma_acpi_filter() method hard-coded two master interfaces with IDs 0 and 1. As a result the sanity check implemented in the commit b336268dde75 ("dmaengine: dw: Add peripheral bus width verification") got incorrect interface data width and thus prevented the client drivers from configuring the DMA-channel with the EINVAL error returned. E.g., the next error was printed for the PXA2xx SPI controller driver trying to configure the requested channels: > [ 164.525604] pxa2xx_spi_pci 0000:00:07.1: DMA slave config failed > [ 164.536105] pxa2xx_spi_pci 0000:00:07.1: failed to get DMA TX descriptor > [ 164.543213] spidev spi-SPT0001:00: SPI transfer failed: -16 The problem would have been spotted much earlier if the iDMA 32-bit controller supported more than one master interfaces. But since it supports just a single master and the iDMA 32-bit specific code just ignores the master IDs in the CTLLO preparation method, the issue has been gone unnoticed so far. Fix the problem by specifying the default master ID for both memory and peripheral devices in the driver data. Thus the issue noticed for the iDMA 32-bit controllers will be eliminated and the ACPI-probed DW DMA controllers will be configured with the correct master ID by default. Cc: stable(a)vger.kernel.org Fixes: b336268dde75 ("dmaengine: dw: Add peripheral bus width verification") Fixes: 199244d69458 ("dmaengine: dw: add support of iDMA 32-bit hardware") Reported-by: Ferry Toth <fntoth(a)gmail.com> Closes: https://lore.kernel.org/dmaengine/ZuXbCKUs1iOqFu51@black.fi.intel.com/ Reported-by: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Closes: https://lore.kernel.org/dmaengine/ZuXgI-VcHpMgbZ91@black.fi.intel.com/ Tested-by: Ferry Toth <fntoth(a)gmail.com> Signed-off-by: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Link: https://lore.kernel.org/r/20241104095142.157925-1-andriy.shevchenko@linux.i… Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/dma/dw/acpi.c b/drivers/dma/dw/acpi.c index c510c109d2c3..b6452fffa657 100644 --- a/drivers/dma/dw/acpi.c +++ b/drivers/dma/dw/acpi.c @@ -8,13 +8,15 @@ static bool dw_dma_acpi_filter(struct dma_chan *chan, void *param) { + struct dw_dma *dw = to_dw_dma(chan->device); + struct dw_dma_chip_pdata *data = dev_get_drvdata(dw->dma.dev); struct acpi_dma_spec *dma_spec = param; struct dw_dma_slave slave = { .dma_dev = dma_spec->dev, .src_id = dma_spec->slave_id, .dst_id = dma_spec->slave_id, - .m_master = 0, - .p_master = 1, + .m_master = data->m_master, + .p_master = data->p_master, }; return dw_dma_filter(chan, &slave); diff --git a/drivers/dma/dw/internal.h b/drivers/dma/dw/internal.h index 563ce73488db..f1bd06a20cd6 100644 --- a/drivers/dma/dw/internal.h +++ b/drivers/dma/dw/internal.h @@ -51,11 +51,15 @@ struct dw_dma_chip_pdata { int (*probe)(struct dw_dma_chip *chip); int (*remove)(struct dw_dma_chip *chip); struct dw_dma_chip *chip; + u8 m_master; + u8 p_master; }; static __maybe_unused const struct dw_dma_chip_pdata dw_dma_chip_pdata = { .probe = dw_dma_probe, .remove = dw_dma_remove, + .m_master = 0, + .p_master = 1, }; static const struct dw_dma_platform_data idma32_pdata = { @@ -72,6 +76,8 @@ static __maybe_unused const struct dw_dma_chip_pdata idma32_chip_pdata = { .pdata = &idma32_pdata, .probe = idma32_dma_probe, .remove = idma32_dma_remove, + .m_master = 0, + .p_master = 0, }; static const struct dw_dma_platform_data xbar_pdata = { @@ -88,6 +94,8 @@ static __maybe_unused const struct dw_dma_chip_pdata xbar_chip_pdata = { .pdata = &xbar_pdata, .probe = idma32_dma_probe, .remove = idma32_dma_remove, + .m_master = 0, + .p_master = 0, }; #endif /* _DMA_DW_INTERNAL_H */ diff --git a/drivers/dma/dw/pci.c b/drivers/dma/dw/pci.c index ad2d4d012cf7..e8a0eb81726a 100644 --- a/drivers/dma/dw/pci.c +++ b/drivers/dma/dw/pci.c @@ -56,10 +56,10 @@ static int dw_pci_probe(struct pci_dev *pdev, const struct pci_device_id *pid) if (ret) return ret; - dw_dma_acpi_controller_register(chip->dw); - pci_set_drvdata(pdev, data); + dw_dma_acpi_controller_register(chip->dw); + return 0; }

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] phy: usb: Toggle the PHY power during init" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 0a92ea87bdd6f77ca4e17fe19649882cf5209edd # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122731-scotch-canning-0796@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0a92ea87bdd6f77ca4e17fe19649882cf5209edd Mon Sep 17 00:00:00 2001 From: Justin Chen <justin.chen(a)broadcom.com> Date: Thu, 24 Oct 2024 14:35:40 -0700 Subject: [PATCH] phy: usb: Toggle the PHY power during init When bringing up the PHY, it might be in a bad state if left powered. One case is we lose the PLL lock if the PLL is gated while the PHY is powered. Toggle the PHY power so we can start from a known state. Fixes: 4e5b9c9a73b3 ("phy: usb: Add support for new Synopsys USB controller on the 7216") Signed-off-by: Justin Chen <justin.chen(a)broadcom.com> Acked-by: Florian Fainelli <florian.fainelli(a)broadcom.com> Link: https://lore.kernel.org/r/20241024213540.1059412-1-justin.chen@broadcom.com Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c b/drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c index 950b7ae1d1a8..dc452610934a 100644 --- a/drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c +++ b/drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c @@ -325,6 +325,12 @@ static void usb_init_common_7216(struct brcm_usb_init_params *params) void __iomem *ctrl = params->regs[BRCM_REGS_CTRL]; USB_CTRL_UNSET(ctrl, USB_PM, XHC_S2_CLK_SWITCH_EN); + + /* + * The PHY might be in a bad state if it is already powered + * up. Toggle the power just in case. + */ + USB_CTRL_SET(ctrl, USB_PM, USB_PWRDN); USB_CTRL_UNSET(ctrl, USB_PM, USB_PWRDN); /* 1 millisecond - for USB clocks to settle down */

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] phy: usb: Toggle the PHY power during init" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 0a92ea87bdd6f77ca4e17fe19649882cf5209edd # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122729-anemic-selector-ee96@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0a92ea87bdd6f77ca4e17fe19649882cf5209edd Mon Sep 17 00:00:00 2001 From: Justin Chen <justin.chen(a)broadcom.com> Date: Thu, 24 Oct 2024 14:35:40 -0700 Subject: [PATCH] phy: usb: Toggle the PHY power during init When bringing up the PHY, it might be in a bad state if left powered. One case is we lose the PLL lock if the PLL is gated while the PHY is powered. Toggle the PHY power so we can start from a known state. Fixes: 4e5b9c9a73b3 ("phy: usb: Add support for new Synopsys USB controller on the 7216") Signed-off-by: Justin Chen <justin.chen(a)broadcom.com> Acked-by: Florian Fainelli <florian.fainelli(a)broadcom.com> Link: https://lore.kernel.org/r/20241024213540.1059412-1-justin.chen@broadcom.com Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c b/drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c index 950b7ae1d1a8..dc452610934a 100644 --- a/drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c +++ b/drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c @@ -325,6 +325,12 @@ static void usb_init_common_7216(struct brcm_usb_init_params *params) void __iomem *ctrl = params->regs[BRCM_REGS_CTRL]; USB_CTRL_UNSET(ctrl, USB_PM, XHC_S2_CLK_SWITCH_EN); + + /* + * The PHY might be in a bad state if it is already powered + * up. Toggle the power just in case. + */ + USB_CTRL_SET(ctrl, USB_PM, USB_PWRDN); USB_CTRL_UNSET(ctrl, USB_PM, USB_PWRDN); /* 1 millisecond - for USB clocks to settle down */

10 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] phy: core: Fix that API devm_of_phy_provider_unregister()" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x c0b82ab95b4f1fbc3e3aeab9d829d012669524b6 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122759-prune-pavement-a482@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c0b82ab95b4f1fbc3e3aeab9d829d012669524b6 Mon Sep 17 00:00:00 2001 From: Zijun Hu <quic_zijuhu(a)quicinc.com> Date: Fri, 13 Dec 2024 20:36:42 +0800 Subject: [PATCH] phy: core: Fix that API devm_of_phy_provider_unregister() fails to unregister the phy provider For devm_of_phy_provider_unregister(), its comment says it needs to invoke of_phy_provider_unregister() to unregister the phy provider, but it will not actually invoke the function since devres_destroy() does not call devm_phy_provider_release(), and the missing of_phy_provider_unregister() call will cause: - The phy provider fails to be unregistered. - Leak both memory and the OF node refcount. Fortunately, the faulty API has not been used by current kernel tree. Fix by using devres_release() instead of devres_destroy() within the API. Fixes: ff764963479a ("drivers: phy: add generic PHY framework") Reviewed-by: Johan Hovold <johan+linaro(a)kernel.org> Signed-off-by: Zijun Hu <quic_zijuhu(a)quicinc.com> Link: https://lore.kernel.org/stable/20241213-phy_core_fix-v6-2-40ae28f5015a%40qu… Link: https://lore.kernel.org/r/20241213-phy_core_fix-v6-2-40ae28f5015a@quicinc.c… Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/phy/phy-core.c b/drivers/phy/phy-core.c index f190d7126613..de07e1616b34 100644 --- a/drivers/phy/phy-core.c +++ b/drivers/phy/phy-core.c @@ -1259,12 +1259,12 @@ EXPORT_SYMBOL_GPL(of_phy_provider_unregister); * of_phy_provider_unregister to unregister the phy provider. */ void devm_of_phy_provider_unregister(struct device *dev, - struct phy_provider *phy_provider) + struct phy_provider *phy_provider) { int r; - r = devres_destroy(dev, devm_phy_provider_release, devm_phy_match, - phy_provider); + r = devres_release(dev, devm_phy_provider_release, devm_phy_match, + phy_provider); dev_WARN_ONCE(dev, r, "couldn't find PHY provider device resource\n"); } EXPORT_SYMBOL_GPL(devm_of_phy_provider_unregister);

10 months, 1 week

1
0
0 0

[PATCH] clk: sunxi-ng: a100: enable MMC clock reparenting

by Cody Eksal

While testing the MMC nodes proposed in [1], it was noted that mmc0/1 would fail to initialize, with "mmc: fatal err update clk timeout" in the kernel logs. A closer look at the clock definitions showed that the MMC MPs had the "CLK_SET_RATE_NO_REPARENT" flag set. No reason was given for adding this flag in the first place, and its original purpose is unknown, but it doesn't seem to make sense and results in severe limitations to MMC speeds. Thus, remove this flag from the 3 MMC MPs. [1] https://msgid.link/20241024170540.2721307-10-masterr3c0rd@epochal.quest Fixes: fb038ce4db55 ("clk: sunxi-ng: add support for the Allwinner A100 CCU") Cc: stable(a)vger.kernel.org Signed-off-by: Cody Eksal <masterr3c0rd(a)epochal.quest> Reviewed-by: Andre Przywara <andre.przywara(a)arm.com> --- drivers/clk/sunxi-ng/ccu-sun50i-a100.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/clk/sunxi-ng/ccu-sun50i-a100.c b/drivers/clk/sunxi-ng/ccu-sun50i-a100.c index bbaa82978716..a59e420b195d 100644 --- a/drivers/clk/sunxi-ng/ccu-sun50i-a100.c +++ b/drivers/clk/sunxi-ng/ccu-sun50i-a100.c @@ -436,7 +436,7 @@ static SUNXI_CCU_MP_WITH_MUX_GATE_POSTDIV(mmc0_clk, "mmc0", mmc_parents, 0x830, 24, 2, /* mux */ BIT(31), /* gate */ 2, /* post-div */ - CLK_SET_RATE_NO_REPARENT); + 0); static SUNXI_CCU_MP_WITH_MUX_GATE_POSTDIV(mmc1_clk, "mmc1", mmc_parents, 0x834, 0, 4, /* M */ @@ -444,7 +444,7 @@ static SUNXI_CCU_MP_WITH_MUX_GATE_POSTDIV(mmc1_clk, "mmc1", mmc_parents, 0x834, 24, 2, /* mux */ BIT(31), /* gate */ 2, /* post-div */ - CLK_SET_RATE_NO_REPARENT); + 0); static SUNXI_CCU_MP_WITH_MUX_GATE_POSTDIV(mmc2_clk, "mmc2", mmc_parents, 0x838, 0, 4, /* M */ @@ -452,7 +452,7 @@ static SUNXI_CCU_MP_WITH_MUX_GATE_POSTDIV(mmc2_clk, "mmc2", mmc_parents, 0x838, 24, 2, /* mux */ BIT(31), /* gate */ 2, /* post-div */ - CLK_SET_RATE_NO_REPARENT); + 0); static SUNXI_CCU_GATE(bus_mmc0_clk, "bus-mmc0", "ahb3", 0x84c, BIT(0), 0); static SUNXI_CCU_GATE(bus_mmc1_clk, "bus-mmc1", "ahb3", 0x84c, BIT(1), 0); -- 2.47.0

10 months, 1 week

3
5
0 0

Linux 6.12.7

by Greg Kroah-Hartman

I'm announcing the release of the 6.12.7 kernel. All users of the 6.12 kernel series must upgrade. The updated 6.12.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.12.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm64/kvm/sys_regs.c | 3 arch/hexagon/Makefile | 6 arch/riscv/kvm/aia.c | 2 arch/s390/boot/startup.c | 2 arch/s390/boot/vmem.c | 6 arch/s390/kernel/ipl.c | 2 arch/x86/kernel/cpu/mshyperv.c | 58 ++ arch/x86/kvm/cpuid.c | 31 - arch/x86/kvm/cpuid.h | 1 arch/x86/kvm/svm/svm.c | 9 arch/x86/kvm/x86.c | 4 block/blk-mq-sysfs.c | 16 block/blk-mq.c | 40 - block/blk-sysfs.c | 4 drivers/accel/ivpu/ivpu_gem.c | 2 drivers/accel/ivpu/ivpu_pm.c | 2 drivers/block/zram/zram_drv.c | 15 drivers/clocksource/hyperv_timer.c | 14 drivers/cxl/core/region.c | 25 drivers/cxl/pci.c | 3 drivers/dma-buf/dma-buf.c | 2 drivers/dma-buf/udmabuf.c | 174 +++--- drivers/edac/amd64_edac.c | 32 - drivers/firmware/arm_ffa/bus.c | 15 drivers/firmware/arm_ffa/driver.c | 7 drivers/firmware/arm_scmi/vendors/imx/Kconfig | 1 drivers/firmware/imx/Kconfig | 1 drivers/gpu/drm/amd/amdgpu/amdgpu_dev_coredump.c | 5 drivers/gpu/drm/amd/amdgpu/amdgpu_job.c | 3 drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 7 drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c | 2 drivers/gpu/drm/amd/amdgpu/mmhub_v4_1_0.c | 2 drivers/gpu/drm/amd/amdgpu/nbio_v7_0.c | 11 drivers/gpu/drm/amd/amdgpu/nbio_v7_11.c | 2 drivers/gpu/drm/amd/amdgpu/nbio_v7_7.c | 2 drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c | 2 drivers/gpu/drm/display/drm_dp_tunnel.c | 10 drivers/gpu/drm/drm_modes.c | 11 drivers/gpu/drm/i915/gt/intel_engine_types.h | 5 drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 41 + drivers/gpu/drm/panel/panel-himax-hx83102.c | 2 drivers/gpu/drm/panel/panel-novatek-nt35950.c | 4 drivers/gpu/drm/panel/panel-sitronix-st7701.c | 1 drivers/gpu/drm/panel/panel-synaptics-r63353.c | 2 drivers/hv/hv_kvp.c | 6 drivers/hv/hv_snapshot.c | 6 drivers/hv/hv_util.c | 9 drivers/hv/hyperv_vmbus.h | 2 drivers/hwmon/tmp513.c | 10 drivers/i2c/busses/i2c-pnx.c | 4 drivers/i2c/busses/i2c-riic.c | 2 drivers/irqchip/irq-gic-v3.c | 17 drivers/mmc/host/mtk-sd.c | 2 drivers/mmc/host/sdhci-tegra.c | 1 drivers/net/can/m_can/m_can.c | 36 - drivers/net/can/m_can/m_can.h | 1 drivers/net/can/m_can/m_can_pci.c | 1 drivers/net/ethernet/broadcom/bgmac-platform.c | 5 drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_main.c | 5 drivers/net/ethernet/huawei/hinic/hinic_main.c | 2 drivers/net/ethernet/mscc/ocelot.c | 2 drivers/net/ethernet/oa_tc6.c | 11 drivers/net/ethernet/pensando/ionic/ionic_dev.c | 5 drivers/net/ethernet/pensando/ionic/ionic_ethtool.c | 4 drivers/net/ethernet/pensando/ionic/ionic_lif.c | 4 drivers/net/ethernet/renesas/rswitch.c | 74 +- drivers/net/ethernet/renesas/rswitch.h | 13 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 7 drivers/net/mdio/fwnode_mdio.c | 13 drivers/net/netdevsim/health.c | 2 drivers/net/netdevsim/netdev.c | 4 drivers/net/team/team_core.c | 8 drivers/net/tun.c | 2 drivers/of/address.c | 5 drivers/of/base.c | 15 drivers/of/irq.c | 2 drivers/of/property.c | 2 drivers/platform/x86/p2sb.c | 77 ++ drivers/thunderbolt/nhi.c | 8 drivers/thunderbolt/nhi.h | 4 drivers/thunderbolt/retimer.c | 19 drivers/thunderbolt/tb.c | 41 + drivers/usb/host/xhci-ring.c | 2 drivers/usb/serial/option.c | 27 + fs/btrfs/bio.c | 10 fs/btrfs/ctree.h | 19 fs/btrfs/extent-tree.c | 6 fs/btrfs/tree-checker.c | 27 - fs/ceph/file.c | 77 +- fs/ceph/mds_client.c | 9 fs/ceph/super.c | 2 fs/efivarfs/inode.c | 2 fs/efivarfs/internal.h | 1 fs/efivarfs/super.c | 3 fs/erofs/data.c | 36 - fs/erofs/fileio.c | 9 fs/erofs/fscache.c | 10 fs/erofs/internal.h | 15 fs/erofs/super.c | 78 +- fs/erofs/zdata.c | 4 fs/eventpoll.c | 5 fs/hugetlbfs/inode.c | 2 fs/nfs/pnfs.c | 2 fs/nilfs2/btnode.c | 1 fs/nilfs2/gcinode.c | 2 fs/nilfs2/inode.c | 13 fs/nilfs2/namei.c | 5 fs/nilfs2/nilfs.h | 1 fs/ocfs2/localalloc.c | 8 fs/smb/client/connect.c | 36 - fs/smb/server/connection.c | 18 fs/smb/server/connection.h | 1 fs/smb/server/server.c | 7 fs/smb/server/server.h | 1 fs/smb/server/transport_ipc.c | 5 fs/xfs/libxfs/xfs_ialloc.c | 16 fs/xfs/libxfs/xfs_sb.c | 15 fs/xfs/scrub/agheader.c | 29 + fs/xfs/xfs_fsmap.c | 29 - include/clocksource/hyperv_timer.h | 2 include/linux/alloc_tag.h | 7 include/linux/arm_ffa.h | 13 include/linux/hyperv.h | 1 include/linux/io_uring.h | 4 include/linux/page-flags.h | 12 include/linux/sched.h | 7 include/linux/trace_events.h | 6 include/linux/wait.h | 1 io_uring/io_uring.c | 7 kernel/sched/core.c | 2 kernel/sched/deadline.c | 8 kernel/sched/debug.c | 1 kernel/sched/fair.c | 73 ++ kernel/sched/pelt.c | 2 kernel/sched/sched.h | 13 kernel/trace/fgraph.c | 8 kernel/trace/ring_buffer.c | 6 kernel/trace/trace.c | 264 ++-------- kernel/trace/trace.h | 6 kernel/trace/trace_events.c | 225 ++++++-- kernel/trace/trace_output.c | 6 mm/huge_memory.c | 8 mm/hugetlb.c | 5 mm/memory.c | 8 mm/page_alloc.c | 6 mm/shmem.c | 22 mm/vmalloc.c | 6 net/core/netdev-genl.c | 19 net/dsa/tag.h | 16 net/mctp/route.c | 36 - net/mctp/test/route-test.c | 86 +++ net/netfilter/ipset/ip_set_list_set.c | 3 net/netfilter/ipvs/ip_vs_conn.c | 4 net/psample/psample.c | 9 net/sched/sch_cake.c | 2 net/sched/sch_choke.c | 2 net/smc/af_smc.c | 18 net/smc/smc_clc.c | 17 net/smc/smc_clc.h | 22 net/smc/smc_core.c | 9 sound/soc/fsl/Kconfig | 1 tools/hv/hv_fcopy_uio_daemon.c | 8 tools/hv/hv_set_ifconfig.sh | 2 tools/net/ynl/lib/ynl.py | 6 tools/testing/selftests/bpf/sdt.h | 2 tools/testing/selftests/memfd/memfd_test.c | 14 tools/testing/selftests/net/openvswitch/openvswitch.sh | 6 168 files changed, 1680 insertions(+), 886 deletions(-) Adrian Moreno (2): selftests: openvswitch: fix tcpdump execution psample: adjust size if rate_as_probability is set Alex Deucher (6): drm/amdgpu/nbio7.11: fix IP version check drm/amdgpu/nbio7.7: fix IP version check drm/amdgpu/smu14.0.2: fix IP version check drm/amdgpu/nbio7.0: fix IP version check drm/amdgpu/gfx12: fix IP version check drm/amdgpu/mmhub4.1: fix IP version check Alex Markuze (1): ceph: improve error handling and short/overflow-read logic in __ceph_sync_read() Alexander Gordeev (1): s390/ipl: Fix never less than zero warning Andrea della Porta (1): of: address: Preserve the flags portion on 1:1 dma-ranges mapping Arnd Bergmann (1): firmware: arm_scmi: Fix i.MX build dependency Borislav Petkov (AMD) (1): EDAC/amd64: Simplify ECC check on unified memory controllers Brett Creeley (1): ionic: Fix netdev notifier unregister on failure Christian König (1): drm/amdgpu: fix amdgpu_coredump Christoph Hellwig (1): btrfs: split bios to the fs sector size boundary Dan Carpenter (2): net: hinic: Fix cleanup in create_rxqs/txqs() chelsio/chtls: prevent potential integer overflow on 32bit Daniel Borkmann (1): team: Fix feature exposure when no ports are present Daniel Swanemar (1): USB: serial: option: add TCL IK512 MBIM & ECM Daniele Palmas (1): USB: serial: option: add Telit FE910C04 rmnet compositions Darrick J. Wong (3): xfs: fix off-by-one error in fsmap's end_daddr usage xfs: fix sb_spino_align checks for large fsblock sizes xfs: fix zero byte checking in the superblock scrubber Dave Chinner (2): xfs: sb_spino_align is not verified xfs: fix sparse inode limits on runt AG David Hildenbrand (1): mm/page_alloc: don't call pfn_to_page() on possibly non-existent PFN in split_large_buddy() David Laight (1): ipvs: Fix clamp() of ip_vs_conn_tab on small memory systems Davidlohr Bueso (1): cxl/pci: Fix potential bogus return value upon successful probing Dexuan Cui (1): tools: hv: Fix a complier warning in the fcopy uio daemon Donald Hunter (1): tools/net/ynl: fix sub-message key lookup for nested attributes Edward Adam Davis (2): ring-buffer: Fix overflow in __rb_map_vma nilfs2: prevent use of deleted inode Enzo Matsumiya (1): smb: client: fix TCP timers deadlock after rmmod Eric Dumazet (3): netdevsim: prevent bad user input in nsim_dev_health_break_write() net: netdevsim: fix nsim_pp_hold_write() net: tun: fix tun_napi_alloc_frags() Gao Xiang (5): erofs: fix PSI memstall accounting erofs: add erofs_sb_free() helper erofs: use `struct erofs_device_info` for the primary device erofs: reference `struct erofs_device_info` for erofs_map_dev erofs: use buffered I/O for file-backed mounts by default Geert Uytterhoeven (1): i2c: riic: Always round-up when calculating bus period Greg Kroah-Hartman (1): Linux 6.12.7 Guangguan Wang (6): net/smc: protect link down work from execute after lgr freed net/smc: check sndbuf_space again after NOSPACE flag is set in smc_poll net/smc: check iparea_offset and ipv6_prefixes_cnt when receiving proposal msg net/smc: check v2_ext_offset/eid_cnt/ism_gid_cnt when receiving proposal msg net/smc: check smcd_v2_ext_offset when receiving proposal msg net/smc: check return value of sock_recvmsg when draining clc data Heiko Carstens (1): s390/mm: Fix DirectMap accounting Heming Zhao (1): ocfs2: fix the space leak in LA when releasing LA Herve Codina (1): of: Fix error path in of_parse_phandle_with_args_map() Huaisheng Ye (1): cxl/region: Fix region creation for greater than x2 switches Huan Yang (1): udmabuf: udmabuf_create pin folio codestyle cleanup Hugh Dickins (1): mm: shmem: fix ShmemHugePages at swapout Ilya Dryomov (2): ceph: validate snapdirname option length when mounting ceph: fix memory leak in ceph_direct_read_write() Isaac J. Manjarres (1): selftests/memfd: run sysctl tests when PID namespace support is enabled Jacek Lawrynowicz (2): accel/ivpu: Fix general protection fault in ivpu_bo_list() accel/ivpu: Fix WARN in ivpu_ipc_send_receive_internal() Jack Wu (1): USB: serial: option: add MediaTek T7XX compositions Jakub Kicinski (3): netdev: fix repeated netlink messages in queue dump netdev: fix repeated netlink messages in queue stats netdev-genl: avoid empty messages in queue dump James Bottomley (1): efivarfs: Fix error on non-existent file Jann Horn (4): udmabuf: fix memory leak on last export_udmabuf() error path io_uring: Fix registered ring file refcount leak udmabuf: fix racy memfd sealing check udmabuf: also check for F_SEAL_FUTURE_WRITE Jeremy Kerr (1): net: mctp: handle skb cleanup on sock_queue failures Joe Hattori (3): net: ethernet: bgmac-platform: fix an OF node reference leak net: mdiobus: fix an OF node reference leak mmc: mtk-sd: disable wakeup in .remove() and in the error path of .probe() Josef Bacik (1): btrfs: fix improper generation check in snapshot delete K Prateek Nayak (1): sched/fair: Fix NEXT_BUDDY Kairui Song (2): zram: refuse to use zero sized block device as backing device zram: fix uninitialized ZRAM not releasing backing device Kefeng Wang (2): mm: use aligned address in clear_gigantic_page() mm: use aligned address in copy_user_gigantic_page() Krzysztof Karas (1): drm/display: use ERR_PTR on DP tunnel manager creation fail Levi Yun (1): firmware: arm_ffa: Fix the race around setting ffa_dev->properties Lion Ackermann (1): net: sched: fix ordering of qlen adjustment Mank Wang (1): USB: serial: option: add Netprisma LCUK54 modules for WWAN Ready Marc Zyngier (2): irqchip/gic-v3: Work around insecure GIC integrations KVM: arm64: Do not allow ID_AA64MMFR0_EL1.ASIDbits to be overridden Marek Vasut (1): drm/panel: st7701: Add prepare_prev_first flag to drm_panel Mario Limonciello (2): thunderbolt: Don't display nvm_version unless upgrade supported drm/amd: Update strapping for NBIO 2.5.0 Marios Makassikis (2): ksmbd: count all requests in req_running counter ksmbd: fix broken transfers when exceeding max simultaneous operations Mathias Nyman (1): xhci: Turn NEC specific quirk for handling Stop Endpoint errors generic Matthew Wilcox (Oracle) (1): vmalloc: fix accounting with i915 Matthias Schiffer (2): can: m_can: set init flag earlier in probe can: m_can: fix missed interrupts with m_can_pci Max Kellermann (2): ceph: give up on paths longer than PATH_MAX ceph: fix memory leaks in __ceph_sync_read() Michael Kelley (1): Drivers: hv: util: Avoid accessing a ringbuffer not initialized yet Michael Neuling (1): RISC-V: KVM: Fix csr_write -> csr_set for HVIEN PMU overflow bit Michael Trimarchi (1): drm/panel: synaptics-r63353: Fix regulator unbalance Michal Hrusecky (1): USB: serial: option: add MeiG Smart SLM770A Michel Dänzer (1): drm/amdgpu: Handle NULL bo->tbo.resource (again) in amdgpu_vm_bo_update Mika Westerberg (2): thunderbolt: Add support for Intel Panther Lake-M/P thunderbolt: Improve redrive mode handling Ming Lei (2): block: Revert "block: Fix potential deadlock while freezing queue and acquiring sysfs_lock" block: avoid to reuse `hctx` not removed from cpuhp callback list Murad Masimov (3): hwmon: (tmp513) Fix interpretation of values of Shunt Voltage and Limit Registers hwmon: (tmp513) Fix Current Register value interpretation hwmon: (tmp513) Fix interpretation of values of Temperature Result and Limit Registers Naman Jain (1): x86/hyperv: Fix hv tsc page based sched_clock for hibernation Nathan Chancellor (1): hexagon: Disable constant extender optimization for LLVM prior to 19.1.0 Nikita Yushchenko (1): net: renesas: rswitch: rework ts tags management Olaf Hering (1): tools: hv: change permissions of NetworkManager configuration file Parthiban Veerasooran (2): net: ethernet: oa_tc6: fix infinite loop error when tx credits becomes 0 net: ethernet: oa_tc6: fix tx skb race condition between reference pointers Pavel Begunkov (1): io_uring: check if iowq is killed before queuing Peter Zijlstra (1): sched/eevdf: More PELT vs DELAYED_DEQUEUE Phil Sutter (1): netfilter: ipset: Fix for recursive locking warning Pierre-Eric Pelloux-Prayer (1): drm/amdgpu: don't access invalid sched Prathamesh Shete (1): mmc: sdhci-tegra: Remove SDHCI_QUIRK_BROKEN_ADMA_ZEROLEN_DESC quirk Qu Wenruo (1): btrfs: tree-checker: reject inline extent items with 0 ref count Russell King (Oracle) (1): net: stmmac: fix TSO DMA API usage causing oops Ryusuke Konishi (1): nilfs2: fix buffer head leaks in calls to truncate_inode_pages() Samuel Holland (1): of: property: fw_devlink: Do not use interrupt-parent directly Sean Christopherson (3): KVM: x86: Cache CPUID.0xD XSTATE offsets+sizes during module init KVM: x86: Play nice with protected guests in complete_hypercall_exit() KVM: SVM: Allow guest writes to set MSR_AMD64_DE_CFG bits Shannon Nelson (2): ionic: no double destroy workqueue ionic: use ee->offset when returning sprom data Shin'ichiro Kawasaki (4): p2sb: Factor out p2sb_read_from_cache() p2sb: Introduce the global flag p2sb_hidden_by_bios p2sb: Move P2SB hide and unhide code to p2sb_scan_and_cache() p2sb: Do not scan and remove the P2SB device when it is unhidden Steven Rostedt (6): trace/ring-buffer: Do not use TP_printk() formatting for boot mapped buffers fgraph: Still initialize idle shadow stacks when starting tracing: Fix test_event_printk() to process entire print argument tracing: Add missing helper functions in event pointer dereference check tracing: Add "%s" check in test_event_printk() tracing: Check "%s" dereference via the field and not the TP_printk format Suren Baghdasaryan (1): alloc_tag: fix set_codetag_empty() when !CONFIG_MEM_ALLOC_PROFILING_DEBUG T.J. Mercier (1): dma-buf: Fix __dma_buf_debugfs_list_del argument for !CONFIG_DEBUG_FS Tiezhu Yang (1): selftests/bpf: Use asm constraint "m" for LoongArch Trond Myklebust (1): NFS/pnfs: Fix a live lock between recalled layouts and layoutget Umesh Nerlige Ramappa (3): i915/guc: Reset engine utilization buffer before registration i915/guc: Ensure busyness counter increases motonically i915/guc: Accumulate active runtime on gt reset Usama Arif (1): mm: convert partially_mapped set/clear operations to be atomic Vasily Gorbik (1): s390/mm: Consider KMSAN modules metadata for paging levels Ville Syrjälä (1): drm/modes: Avoid divide by zero harder in drm_mode_vrefresh() Vincent Guittot (1): sched/fair: Fix sched_can_stop_tick() for fair tasks Vineeth Pillai (Google) (2): sched/dlserver: Fix dlserver double enqueue sched/dlserver: Fix dlserver time accounting Vladimir Oltean (2): net: mscc: ocelot: fix incorrect IFH SRC_PORT field in ocelot_ifh_set_basic() net: dsa: restore dsa_software_vlan_untag() ability to operate on VLAN-untagged traffic Vladimir Riabchun (1): i2c: pnx: Fix timeout in wait functions Xuewen Yan (1): epoll: Add synchronous wakeup support for ep_poll_callback Yang Yingliang (1): drm/panel: novatek-nt35950: fix return value check in nt35950_probe() Zhang Zekun (1): drm/panel: himax-hx83102: Add a check to prevent NULL pointer dereference Zijun Hu (3): of/irq: Fix interrupt-map cell length check in of_irq_parse_imap_parent() of/irq: Fix using uninitialized variable @addr_len in API of_irq_parse_one() of: Fix refcount leakage for OF node returned by __of_get_dma_parent()

10 months, 1 week

1
1
0 0

Linux 6.6.68

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.68 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/ABI/testing/sysfs-fs-xfs | 8 Documentation/devicetree/bindings/net/fsl,fec.yaml | 7 Makefile | 2 arch/hexagon/Makefile | 6 arch/mips/boot/dts/loongson/loongson64g_4core_ls7a.dts | 1 arch/x86/kvm/cpuid.c | 31 + arch/x86/kvm/cpuid.h | 1 arch/x86/kvm/x86.c | 4 drivers/block/zram/zram_drv.c | 15 drivers/cxl/core/region.c | 25 - drivers/cxl/pci.c | 3 drivers/dma-buf/udmabuf.c | 2 drivers/edac/amd64_edac.c | 32 - drivers/gpu/drm/amd/amdgpu/amdgpu_job.c | 3 drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 7 drivers/gpu/drm/drm_modes.c | 11 drivers/gpu/drm/i915/gt/intel_engine_types.h | 5 drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 41 +- drivers/gpu/drm/panel/panel-novatek-nt35950.c | 4 drivers/hv/hv_kvp.c | 6 drivers/hv/hv_snapshot.c | 6 drivers/hv/hv_util.c | 9 drivers/hv/hyperv_vmbus.h | 2 drivers/hwmon/tmp513.c | 74 +-- drivers/i2c/busses/i2c-pnx.c | 4 drivers/i2c/busses/i2c-riic.c | 2 drivers/mmc/host/mtk-sd.c | 2 drivers/mmc/host/sdhci-tegra.c | 1 drivers/net/ethernet/broadcom/bgmac-platform.c | 5 drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_main.c | 5 drivers/net/ethernet/freescale/fec_ptp.c | 11 drivers/net/ethernet/huawei/hinic/hinic_main.c | 2 drivers/net/ethernet/mscc/ocelot.c | 2 drivers/net/ethernet/pensando/ionic/ionic_ethtool.c | 4 drivers/net/ethernet/pensando/ionic/ionic_lif.c | 4 drivers/net/ethernet/renesas/rswitch.c | 74 +-- drivers/net/ethernet/renesas/rswitch.h | 13 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 7 drivers/net/mdio/fwnode_mdio.c | 13 drivers/net/netdevsim/health.c | 2 drivers/net/tun.c | 2 drivers/of/address.c | 2 drivers/of/base.c | 15 drivers/of/irq.c | 2 drivers/pci/controller/pci-host-common.c | 4 drivers/pci/controller/vmd.c | 8 drivers/pci/pcie/aer.c | 18 drivers/pci/probe.c | 20 - drivers/pci/quirks.c | 4 drivers/platform/x86/p2sb.c | 92 ++-- drivers/thunderbolt/tb.c | 41 ++ drivers/usb/cdns3/cdns3-ti.c | 15 drivers/usb/cdns3/core.h | 1 drivers/usb/cdns3/drd.c | 10 drivers/usb/cdns3/drd.h | 3 drivers/usb/dwc2/gadget.c | 4 drivers/usb/serial/option.c | 27 + fs/btrfs/tree-checker.c | 27 + fs/ceph/file.c | 34 - fs/ceph/super.c | 2 fs/efivarfs/inode.c | 2 fs/efivarfs/internal.h | 1 fs/efivarfs/super.c | 3 fs/eventpoll.c | 5 fs/nfs/pnfs.c | 2 fs/nilfs2/btnode.c | 1 fs/nilfs2/gcinode.c | 2 fs/nilfs2/inode.c | 13 fs/nilfs2/namei.c | 5 fs/nilfs2/nilfs.h | 1 fs/smb/client/connect.c | 36 + fs/smb/server/connection.c | 18 fs/smb/server/connection.h | 1 fs/smb/server/server.c | 7 fs/smb/server/server.h | 1 fs/smb/server/transport_ipc.c | 5 fs/xfs/Kconfig | 12 fs/xfs/libxfs/xfs_dir2_data.c | 31 + fs/xfs/libxfs/xfs_dir2_priv.h | 7 fs/xfs/libxfs/xfs_quota_defs.h | 2 fs/xfs/libxfs/xfs_trans_resv.c | 28 - fs/xfs/scrub/agheader_repair.c | 2 fs/xfs/scrub/bmap.c | 8 fs/xfs/scrub/trace.h | 10 fs/xfs/xfs.h | 4 fs/xfs/xfs_bmap_util.c | 22 - fs/xfs/xfs_buf_item.c | 32 + fs/xfs/xfs_dquot_item.c | 31 + fs/xfs/xfs_file.c | 33 - fs/xfs/xfs_file.h | 15 fs/xfs/xfs_fsmap.c | 6 fs/xfs/xfs_inode.c | 29 + fs/xfs/xfs_inode.h | 2 fs/xfs/xfs_inode_item.c | 32 + fs/xfs/xfs_ioctl.c | 12 fs/xfs/xfs_iops.c | 1 fs/xfs/xfs_iops.h | 3 fs/xfs/xfs_rtalloc.c | 78 +++ fs/xfs/xfs_symlink.c | 8 include/linux/hyperv.h | 1 include/linux/io_uring.h | 4 include/linux/wait.h | 1 io_uring/io_uring.c | 15 io_uring/io_uring.h | 1 io_uring/rw.c | 31 + kernel/trace/trace_events.c | 197 +++++++--- mm/vmalloc.c | 6 net/netfilter/ipset/ip_set_list_set.c | 3 net/netfilter/ipvs/ip_vs_conn.c | 4 net/sched/sch_cake.c | 2 net/sched/sch_choke.c | 2 net/smc/af_smc.c | 18 net/smc/smc_clc.c | 17 net/smc/smc_clc.h | 22 - net/smc/smc_core.c | 9 sound/soc/intel/boards/sof_sdw.c | 18 tools/hv/hv_set_ifconfig.sh | 2 tools/testing/selftests/bpf/sdt.h | 2 tools/testing/selftests/memfd/memfd_test.c | 14 tools/testing/selftests/net/openvswitch/openvswitch.sh | 6 120 files changed, 1231 insertions(+), 442 deletions(-) Adrian Moreno (1): selftests: openvswitch: fix tcpdump execution Ajit Khaparde (1): PCI: Add ACS quirk for Broadcom BCM5760X NIC Alex Markuze (1): ceph: improve error handling and short/overflow-read logic in __ceph_sync_read() Andy Shevchenko (3): hwmon: (tmp513) Don't use "proxy" headers hwmon: (tmp513) Simplify with dev_err_probe() hwmon: (tmp513) Use SI constants from units.h Borislav Petkov (AMD) (1): EDAC/amd64: Simplify ECC check on unified memory controllers Brett Creeley (1): ionic: Fix netdev notifier unregister on failure Chen Ni (1): xfs: convert comma to semicolon Christoph Hellwig (1): xfs: fix the contact address for the sysfs ABI documentation Dan Carpenter (2): net: hinic: Fix cleanup in create_rxqs/txqs() chelsio/chtls: prevent potential integer overflow on 32bit Daniel Swanemar (1): USB: serial: option: add TCL IK512 MBIM & ECM Daniele Palmas (1): USB: serial: option: add Telit FE910C04 rmnet compositions Darrick J. Wong (10): xfs: verify buffer, inode, and dquot items every tx commit xfs: use consistent uid/gid when grabbing dquots for inodes xfs: declare xfs_file.c symbols in xfs_file.h xfs: create a new helper to return a file's allocation unit xfs: fix file_path handling in tracepoints xfs: attr forks require attr, not attr2 xfs: conditionally allow FS_XFLAG_REALTIME changes if S_DAX is set xfs: use XFS_BUF_DADDR_NULL for daddrs in getfsmap code xfs: take m_growlock when running growfsrt xfs: reset rootdir extent size hint after growfsrt David Laight (1): ipvs: Fix clamp() of ip_vs_conn_tab on small memory systems Davidlohr Bueso (1): cxl/pci: Fix potential bogus return value upon successful probing Edward Adam Davis (1): nilfs2: prevent use of deleted inode Enzo Matsumiya (1): smb: client: fix TCP timers deadlock after rmmod Eric Dumazet (2): netdevsim: prevent bad user input in nsim_dev_health_break_write() net: tun: fix tun_napi_alloc_frags() Francesco Dolcini (3): net: fec: refactor PPS channel configuration net: fec: make PPS channel configurable dt-bindings: net: fec: add pps channel property Geert Uytterhoeven (1): i2c: riic: Always round-up when calculating bus period Greg Kroah-Hartman (1): Linux 6.6.68 Guangguan Wang (6): net/smc: protect link down work from execute after lgr freed net/smc: check sndbuf_space again after NOSPACE flag is set in smc_poll net/smc: check iparea_offset and ipv6_prefixes_cnt when receiving proposal msg net/smc: check v2_ext_offset/eid_cnt/ism_gid_cnt when receiving proposal msg net/smc: check smcd_v2_ext_offset when receiving proposal msg net/smc: check return value of sock_recvmsg when draining clc data Hans de Goede (1): platform/x86: p2sb: Make p2sb_get_devfn() return void Herve Codina (1): of: Fix error path in of_parse_phandle_with_args_map() Huaisheng Ye (1): cxl/region: Fix region creation for greater than x2 switches Ilya Dryomov (1): ceph: validate snapdirname option length when mounting Isaac J. Manjarres (1): selftests/memfd: run sysctl tests when PID namespace support is enabled Jack Wu (1): USB: serial: option: add MediaTek T7XX compositions James Bottomley (1): efivarfs: Fix error on non-existent file Jann Horn (2): io_uring: Fix registered ring file refcount leak udmabuf: also check for F_SEAL_FUTURE_WRITE Jens Axboe (2): io_uring/rw: split io_read() into a helper io_uring/rw: treat -EOPNOTSUPP for IOCB_NOWAIT like -EAGAIN Jiaxun Yang (1): MIPS: Loongson64: DTS: Fix msi node for ls7a Jiwei Sun (1): PCI: vmd: Create domain symlink before pci_bus_add_devices() Joe Hattori (3): net: ethernet: bgmac-platform: fix an OF node reference leak net: mdiobus: fix an OF node reference leak mmc: mtk-sd: disable wakeup in .remove() and in the error path of .probe() John Garry (2): xfs: Fix xfs_flush_unmap_range() range for RT xfs: Fix xfs_prepare_shift() range for RT Julian Sun (1): xfs: remove unused parameter in macro XFS_DQUOT_LOGRES Kai-Heng Feng (1): PCI/AER: Disable AER service on suspend Kairui Song (2): zram: refuse to use zero sized block device as backing device zram: fix uninitialized ZRAM not releasing backing device Lion Ackermann (1): net: sched: fix ordering of qlen adjustment Mank Wang (1): USB: serial: option: add Netprisma LCUK54 modules for WWAN Ready Marios Makassikis (2): ksmbd: count all requests in req_running counter ksmbd: fix broken transfers when exceeding max simultaneous operations Matthew Wilcox (Oracle) (1): vmalloc: fix accounting with i915 Max Kellermann (1): ceph: fix memory leaks in __ceph_sync_read() Michael Kelley (1): Drivers: hv: util: Avoid accessing a ringbuffer not initialized yet Michal Hrusecky (1): USB: serial: option: add MeiG Smart SLM770A Michel Dänzer (1): drm/amdgpu: Handle NULL bo->tbo.resource (again) in amdgpu_vm_bo_update Mika Westerberg (1): thunderbolt: Improve redrive mode handling Murad Masimov (3): hwmon: (tmp513) Fix interpretation of values of Shunt Voltage and Limit Registers hwmon: (tmp513) Fix Current Register value interpretation hwmon: (tmp513) Fix interpretation of values of Temperature Result and Limit Registers Nathan Chancellor (1): hexagon: Disable constant extender optimization for LLVM prior to 19.1.0 Nikita Yushchenko (1): net: renesas: rswitch: rework ts tags management Olaf Hering (1): tools: hv: change permissions of NetworkManager configuration file Pavel Begunkov (2): io_uring: check if iowq is killed before queuing io_uring/rw: avoid punting to io-wq directly Peng Hongchi (1): usb: dwc2: gadget: Don't write invalid mapped sg entries into dma_desc with iommu enabled Phil Sutter (1): netfilter: ipset: Fix for recursive locking warning Pierre-Eric Pelloux-Prayer (1): drm/amdgpu: don't access invalid sched Pierre-Louis Bossart (2): ASoC: Intel: sof_sdw: fix jack detection on ADL-N variant RVP ASoC: Intel: sof_sdw: add quirk for Dell SKU 0B8C Prathamesh Shete (1): mmc: sdhci-tegra: Remove SDHCI_QUIRK_BROKEN_ADMA_ZEROLEN_DESC quirk Qu Wenruo (1): btrfs: tree-checker: reject inline extent items with 0 ref count Roger Quadros (2): usb: cdns3-ti: Add workaround for Errata i2409 usb: cdns3: Add quirk flag to enable suspend residency Russell King (Oracle) (1): net: stmmac: fix TSO DMA API usage causing oops Ryusuke Konishi (1): nilfs2: fix buffer head leaks in calls to truncate_inode_pages() Sean Christopherson (2): KVM: x86: Cache CPUID.0xD XSTATE offsets+sizes during module init KVM: x86: Play nice with protected guests in complete_hypercall_exit() Shannon Nelson (1): ionic: use ee->offset when returning sprom data Shin'ichiro Kawasaki (4): p2sb: Factor out p2sb_read_from_cache() p2sb: Introduce the global flag p2sb_hidden_by_bios p2sb: Move P2SB hide and unhide code to p2sb_scan_and_cache() p2sb: Do not scan and remove the P2SB device when it is unhidden Steven Rostedt (3): tracing: Fix test_event_printk() to process entire print argument tracing: Add missing helper functions in event pointer dereference check tracing: Add "%s" check in test_event_printk() Tiezhu Yang (1): selftests/bpf: Use asm constraint "m" for LoongArch Trond Myklebust (1): NFS/pnfs: Fix a live lock between recalled layouts and layoutget Umesh Nerlige Ramappa (3): i915/guc: Reset engine utilization buffer before registration i915/guc: Ensure busyness counter increases motonically i915/guc: Accumulate active runtime on gt reset Vidya Sagar (1): PCI: Use preserve_config in place of pci_flags Ville Syrjälä (1): drm/modes: Avoid divide by zero harder in drm_mode_vrefresh() Vladimir Oltean (1): net: mscc: ocelot: fix incorrect IFH SRC_PORT field in ocelot_ifh_set_basic() Vladimir Riabchun (1): i2c: pnx: Fix timeout in wait functions Xuewen Yan (1): epoll: Add synchronous wakeup support for ep_poll_callback Yang Yingliang (1): drm/panel: novatek-nt35950: fix return value check in nt35950_probe() Zijun Hu (3): of/irq: Fix interrupt-map cell length check in of_irq_parse_imap_parent() of/irq: Fix using uninitialized variable @addr_len in API of_irq_parse_one() of: Fix refcount leakage for OF node returned by __of_get_dma_parent() Zizhi Wo (1): xfs: Fix the owner setting issue for rmap query in xfs fsmap lei lu (1): xfs: don't walk off the end of a directory data block

10 months, 1 week

1
1
0 0

Linux 6.1.122

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.122 kernel. All users of the 6.1 kernel series must upgrade. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/hexagon/Makefile | 6 arch/mips/boot/dts/loongson/loongson64g_4core_ls7a.dts | 1 arch/x86/kvm/cpuid.c | 31 + arch/x86/kvm/cpuid.h | 1 arch/x86/kvm/x86.c | 4 drivers/block/zram/zram_drv.c | 15 drivers/cxl/core/region.c | 25 - drivers/dma-buf/udmabuf.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_job.c | 3 drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 7 drivers/gpu/drm/drm_modes.c | 11 drivers/gpu/drm/i915/gt/intel_engine_types.h | 5 drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 41 +- drivers/gpu/drm/panel/panel-novatek-nt35950.c | 4 drivers/hv/hv_kvp.c | 6 drivers/hv/hv_snapshot.c | 6 drivers/hv/hv_util.c | 9 drivers/hv/hyperv_vmbus.h | 2 drivers/hwmon/tmp513.c | 74 +-- drivers/i2c/busses/i2c-pnx.c | 4 drivers/i2c/busses/i2c-riic.c | 2 drivers/mmc/host/sdhci-tegra.c | 1 drivers/net/ethernet/broadcom/bgmac-platform.c | 5 drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_main.c | 5 drivers/net/ethernet/huawei/hinic/hinic_main.c | 2 drivers/net/ethernet/mscc/ocelot.c | 2 drivers/net/ethernet/pensando/ionic/ionic_ethtool.c | 4 drivers/net/ethernet/pensando/ionic/ionic_lif.c | 4 drivers/net/mdio/fwnode_mdio.c | 13 drivers/net/netdevsim/health.c | 2 drivers/of/address.c | 2 drivers/of/base.c | 15 drivers/of/irq.c | 2 drivers/pci/controller/pci-host-common.c | 4 drivers/pci/controller/vmd.c | 8 drivers/pci/pcie/aer.c | 18 drivers/pci/probe.c | 20 - drivers/pci/quirks.c | 4 drivers/platform/x86/p2sb.c | 92 ++-- drivers/sh/clk/core.c | 2 drivers/thunderbolt/tb.c | 41 ++ drivers/usb/cdns3/core.h | 1 drivers/usb/cdns3/drd.c | 10 drivers/usb/cdns3/drd.h | 3 drivers/usb/dwc2/gadget.c | 4 drivers/usb/serial/option.c | 27 + fs/btrfs/tree-checker.c | 27 + fs/ceph/super.c | 2 fs/efivarfs/inode.c | 2 fs/efivarfs/internal.h | 1 fs/efivarfs/super.c | 3 fs/eventpoll.c | 5 fs/nfs/pnfs.c | 2 fs/nilfs2/btnode.c | 1 fs/nilfs2/gcinode.c | 2 fs/nilfs2/inode.c | 13 fs/nilfs2/namei.c | 5 fs/nilfs2/nilfs.h | 1 fs/udf/directory.c | 2 include/linux/hyperv.h | 1 include/linux/io_uring.h | 4 include/linux/pci.h | 15 include/linux/wait.h | 1 io_uring/io_uring.c | 13 io_uring/io_uring.h | 1 io_uring/rw.c | 31 + kernel/trace/trace_events.c | 197 +++++++--- net/netfilter/ipset/ip_set_list_set.c | 3 net/sched/sch_cake.c | 2 net/sched/sch_choke.c | 2 net/smc/af_smc.c | 15 net/smc/smc_clc.c | 9 net/smc/smc_clc.h | 14 net/smc/smc_core.c | 9 sound/soc/intel/boards/sof_sdw.c | 18 tools/testing/selftests/bpf/sdt.h | 2 77 files changed, 723 insertions(+), 232 deletions(-) Ajit Khaparde (1): PCI: Add ACS quirk for Broadcom BCM5760X NIC Andy Shevchenko (4): PCI: Introduce pci_resource_n() hwmon: (tmp513) Don't use "proxy" headers hwmon: (tmp513) Simplify with dev_err_probe() hwmon: (tmp513) Use SI constants from units.h Brett Creeley (1): ionic: Fix netdev notifier unregister on failure Dan Carpenter (2): net: hinic: Fix cleanup in create_rxqs/txqs() chelsio/chtls: prevent potential integer overflow on 32bit Daniel Swanemar (1): USB: serial: option: add TCL IK512 MBIM & ECM Daniele Palmas (1): USB: serial: option: add Telit FE910C04 rmnet compositions Edward Adam Davis (1): nilfs2: prevent use of deleted inode Eric Dumazet (1): netdevsim: prevent bad user input in nsim_dev_health_break_write() Geert Uytterhoeven (2): i2c: riic: Always round-up when calculating bus period sh: clk: Fix clk_enable() to return 0 on NULL clk Greg Kroah-Hartman (1): Linux 6.1.122 Guangguan Wang (5): net/smc: protect link down work from execute after lgr freed net/smc: check sndbuf_space again after NOSPACE flag is set in smc_poll net/smc: check iparea_offset and ipv6_prefixes_cnt when receiving proposal msg net/smc: check smcd_v2_ext_offset when receiving proposal msg net/smc: check return value of sock_recvmsg when draining clc data Hans de Goede (1): platform/x86: p2sb: Make p2sb_get_devfn() return void Herve Codina (1): of: Fix error path in of_parse_phandle_with_args_map() Huaisheng Ye (1): cxl/region: Fix region creation for greater than x2 switches Ilya Dryomov (1): ceph: validate snapdirname option length when mounting Jack Wu (1): USB: serial: option: add MediaTek T7XX compositions James Bottomley (1): efivarfs: Fix error on non-existent file Jan Kara (1): udf: Fix directory iteration for longer tail extents Jann Horn (2): io_uring: Fix registered ring file refcount leak udmabuf: also check for F_SEAL_FUTURE_WRITE Jens Axboe (2): io_uring/rw: split io_read() into a helper io_uring/rw: treat -EOPNOTSUPP for IOCB_NOWAIT like -EAGAIN Jiaxun Yang (1): MIPS: Loongson64: DTS: Fix msi node for ls7a Jiwei Sun (1): PCI: vmd: Create domain symlink before pci_bus_add_devices() Joe Hattori (2): net: ethernet: bgmac-platform: fix an OF node reference leak net: mdiobus: fix an OF node reference leak Kai-Heng Feng (1): PCI/AER: Disable AER service on suspend Kairui Song (2): zram: refuse to use zero sized block device as backing device zram: fix uninitialized ZRAM not releasing backing device Lion Ackermann (1): net: sched: fix ordering of qlen adjustment Mank Wang (1): USB: serial: option: add Netprisma LCUK54 modules for WWAN Ready Michael Kelley (1): Drivers: hv: util: Avoid accessing a ringbuffer not initialized yet Michal Hrusecky (1): USB: serial: option: add MeiG Smart SLM770A Michel Dänzer (1): drm/amdgpu: Handle NULL bo->tbo.resource (again) in amdgpu_vm_bo_update Mika Westerberg (1): thunderbolt: Improve redrive mode handling Murad Masimov (3): hwmon: (tmp513) Fix interpretation of values of Shunt Voltage and Limit Registers hwmon: (tmp513) Fix Current Register value interpretation hwmon: (tmp513) Fix interpretation of values of Temperature Result and Limit Registers Nathan Chancellor (1): hexagon: Disable constant extender optimization for LLVM prior to 19.1.0 Pavel Begunkov (2): io_uring: check if iowq is killed before queuing io_uring/rw: avoid punting to io-wq directly Peng Hongchi (1): usb: dwc2: gadget: Don't write invalid mapped sg entries into dma_desc with iommu enabled Phil Sutter (1): netfilter: ipset: Fix for recursive locking warning Pierre-Eric Pelloux-Prayer (1): drm/amdgpu: don't access invalid sched Pierre-Louis Bossart (2): ASoC: Intel: sof_sdw: fix jack detection on ADL-N variant RVP ASoC: Intel: sof_sdw: add quirk for Dell SKU 0B8C Prathamesh Shete (1): mmc: sdhci-tegra: Remove SDHCI_QUIRK_BROKEN_ADMA_ZEROLEN_DESC quirk Qu Wenruo (1): btrfs: tree-checker: reject inline extent items with 0 ref count Roger Quadros (1): usb: cdns3: Add quirk flag to enable suspend residency Ryusuke Konishi (1): nilfs2: fix buffer head leaks in calls to truncate_inode_pages() Sean Christopherson (2): KVM: x86: Cache CPUID.0xD XSTATE offsets+sizes during module init KVM: x86: Play nice with protected guests in complete_hypercall_exit() Shannon Nelson (1): ionic: use ee->offset when returning sprom data Shin'ichiro Kawasaki (4): p2sb: Factor out p2sb_read_from_cache() p2sb: Introduce the global flag p2sb_hidden_by_bios p2sb: Move P2SB hide and unhide code to p2sb_scan_and_cache() p2sb: Do not scan and remove the P2SB device when it is unhidden Steven Rostedt (3): tracing: Fix test_event_printk() to process entire print argument tracing: Add missing helper functions in event pointer dereference check tracing: Add "%s" check in test_event_printk() Tiezhu Yang (1): selftests/bpf: Use asm constraint "m" for LoongArch Trond Myklebust (1): NFS/pnfs: Fix a live lock between recalled layouts and layoutget Umesh Nerlige Ramappa (3): i915/guc: Reset engine utilization buffer before registration i915/guc: Ensure busyness counter increases motonically i915/guc: Accumulate active runtime on gt reset Vidya Sagar (1): PCI: Use preserve_config in place of pci_flags Ville Syrjälä (1): drm/modes: Avoid divide by zero harder in drm_mode_vrefresh() Vladimir Oltean (1): net: mscc: ocelot: fix incorrect IFH SRC_PORT field in ocelot_ifh_set_basic() Vladimir Riabchun (1): i2c: pnx: Fix timeout in wait functions Xuewen Yan (1): epoll: Add synchronous wakeup support for ep_poll_callback Yang Yingliang (1): drm/panel: novatek-nt35950: fix return value check in nt35950_probe() Zijun Hu (3): of/irq: Fix interrupt-map cell length check in of_irq_parse_imap_parent() of/irq: Fix using uninitialized variable @addr_len in API of_irq_parse_one() of: Fix refcount leakage for OF node returned by __of_get_dma_parent()

10 months, 1 week

1
1
0 0

[PATCH] clk: imx8mp: Fix clkout1/2 support

by Marek Vasut

The CLKOUTn may be fed from PLL1/2/3, but the PLL1/2/3 has to be enabled first by setting PLL_CLKE bit 11 in CCM_ANALOG_SYS_PLLn_GEN_CTRL register. The CCM_ANALOG_SYS_PLLn_GEN_CTRL bit 11 is modeled by plln_out clock. Fix the clock tree and place the clkout1/2 under plln_sel instead of plain plln to let the clock subsystem correctly control the bit 11 and enable the PLL in case the CLKOUTn is supplied by PLL1/2/3. Fixes: 43896f56b59e ("clk: imx8mp: add clkout1/2 support") Signed-off-by: Marek Vasut <marex(a)denx.de> --- Cc: Abel Vesa <abelvesa(a)kernel.org> Cc: Fabio Estevam <festevam(a)gmail.com> Cc: Michael Turquette <mturquette(a)baylibre.com> Cc: Peng Fan <peng.fan(a)nxp.com> Cc: Pengutronix Kernel Team <kernel(a)pengutronix.de> Cc: Sascha Hauer <s.hauer(a)pengutronix.de> Cc: Shawn Guo <shawnguo(a)kernel.org> Cc: Stephen Boyd <sboyd(a)kernel.org> Cc: imx(a)lists.linux.dev Cc: linux-arm-kernel(a)lists.infradead.org Cc: linux-clk(a)vger.kernel.org Cc: stable(a)vger.kernel.org # v5.18+ --- drivers/clk/imx/clk-imx8mp.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/clk/imx/clk-imx8mp.c b/drivers/clk/imx/clk-imx8mp.c index 516dbd170c8a3..fb18f507f1213 100644 --- a/drivers/clk/imx/clk-imx8mp.c +++ b/drivers/clk/imx/clk-imx8mp.c @@ -399,8 +399,9 @@ static const char * const imx8mp_dram_core_sels[] = {"dram_pll_out", "dram_alt_r static const char * const imx8mp_clkout_sels[] = {"audio_pll1_out", "audio_pll2_out", "video_pll1_out", "dummy", "dummy", "gpu_pll_out", "vpu_pll_out", - "arm_pll_out", "sys_pll1", "sys_pll2", "sys_pll3", - "dummy", "dummy", "osc_24m", "dummy", "osc_32k"}; + "arm_pll_out", "sys_pll1_out", "sys_pll2_out", + "sys_pll3_out", "dummy", "dummy", "osc_24m", + "dummy", "osc_32k"}; static struct clk_hw **hws; static struct clk_hw_onecell_data *clk_hw_data; -- 2.45.2

10 months, 1 week

3
2
0 0

[PATCH 3/5] usb: xhci: Fix NULL pointer dereference on certain command aborts

by Mathias Nyman

From: Michal Pecio <michal.pecio(a)gmail.com> If a command is queued to the final usable TRB of a ring segment, the enqueue pointer is advanced to the subsequent link TRB and no further. If the command is later aborted, when the abort completion is handled the dequeue pointer is advanced to the first TRB of the next segment. If no further commands are queued, xhci_handle_stopped_cmd_ring() sees the ring pointers unequal and assumes that there is a pending command, so it calls xhci_mod_cmd_timer() which crashes if cur_cmd was NULL. Don't attempt timer setup if cur_cmd is NULL. The subsequent doorbell ring likely is unnecessary too, but it's harmless. Leave it alone. This is probably Bug 219532, but no confirmation has been received. The issue has been independently reproduced and confirmed fixed using a USB MCU programmed to NAK the Status stage of SET_ADDRESS forever. Everything continued working normally after several prevented crashes. Link: https://bugzilla.kernel.org/show_bug.cgi?id=219532 Fixes: c311e391a7ef ("xhci: rework command timeout and cancellation,") CC: stable(a)vger.kernel.org Signed-off-by: Michal Pecio <michal.pecio(a)gmail.com> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> --- drivers/usb/host/xhci-ring.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index 4cf5363875c7..da26e317ab0c 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -422,7 +422,8 @@ static void xhci_handle_stopped_cmd_ring(struct xhci_hcd *xhci, if ((xhci->cmd_ring->dequeue != xhci->cmd_ring->enqueue) && !(xhci->xhc_state & XHCI_STATE_DYING)) { xhci->current_cmd = cur_cmd; - xhci_mod_cmd_timer(xhci); + if (cur_cmd) + xhci_mod_cmd_timer(xhci); xhci_ring_cmd_db(xhci); } } -- 2.25.1

10 months, 1 week

1
0
0 0

[PATCH v7 1/2] tpm: Map the ACPI provided event log

by Jarkko Sakkinen

The following failure was reported: [ 10.693310][ T1] tpm_tis STM0925:00: 2.0 TPM (device-id 0x3, rev-id 0) [ 10.848132][ T1] ------------[ cut here ]------------ [ 10.853559][ T1] WARNING: CPU: 59 PID: 1 at mm/page_alloc.c:4727 __alloc_pages_noprof+0x2ca/0x330 [ 10.862827][ T1] Modules linked in: [ 10.866671][ T1] CPU: 59 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-lp155.2.g52785e2-default #1 openSUSE Tumbleweed (unreleased) 588cd98293a7c9eba9013378d807364c088c9375 [ 10.882741][ T1] Hardware name: HPE ProLiant DL320 Gen12/ProLiant DL320 Gen12, BIOS 1.20 10/28/2024 [ 10.892170][ T1] RIP: 0010:__alloc_pages_noprof+0x2ca/0x330 [ 10.898103][ T1] Code: 24 08 e9 4a fe ff ff e8 34 36 fa ff e9 88 fe ff ff 83 fe 0a 0f 86 b3 fd ff ff 80 3d 01 e7 ce 01 00 75 09 c6 05 f8 e6 ce 01 01 <0f> 0b 45 31 ff e9 e5 fe ff ff f7 c2 00 00 08 00 75 42 89 d9 80 e1 [ 10.917750][ T1] RSP: 0000:ffffb7cf40077980 EFLAGS: 00010246 [ 10.923777][ T1] RAX: 0000000000000000 RBX: 0000000000040cc0 RCX: 0000000000000000 [ 10.931727][ T1] RDX: 0000000000000000 RSI: 000000000000000c RDI: 0000000000040cc0 Above shows that ACPI pointed a 16 MiB buffer for the log events because RSI maps to the 'order' parameter of __alloc_pages_noprof(). Address the bug with kvmalloc() and devm_add_action_or_reset(). Cc: stable(a)vger.kernel.org # v2.6.16+ Fixes: 55a82ab3181b ("[PATCH] tpm: add bios measurement log") Reported-by: Andy Liang <andy.liang(a)hpe.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219495 Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v7: * Use devm_add_action_or_reset(). * Fix tags. v6: * A new patch. --- drivers/char/tpm/eventlog/acpi.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/drivers/char/tpm/eventlog/acpi.c b/drivers/char/tpm/eventlog/acpi.c index 69533d0bfb51..394c8302cefd 100644 --- a/drivers/char/tpm/eventlog/acpi.c +++ b/drivers/char/tpm/eventlog/acpi.c @@ -63,6 +63,11 @@ static bool tpm_is_tpm2_log(void *bios_event_log, u64 len) return n == 0; } +static void tpm_bios_log_free(void *data) +{ + kvfree(data); +} + /* read binary bios log */ int tpm_read_log_acpi(struct tpm_chip *chip) { @@ -136,10 +141,16 @@ int tpm_read_log_acpi(struct tpm_chip *chip) } /* malloc EventLog space */ - log->bios_event_log = devm_kmalloc(&chip->dev, len, GFP_KERNEL); + log->bios_event_log = kvmalloc(len, GFP_KERNEL); if (!log->bios_event_log) return -ENOMEM; + ret = devm_add_action_or_reset(&chip->dev, tpm_bios_log_free, log->bios_event_log); + if (ret) { + log->bios_event_log = NULL; + return ret; + } + log->bios_event_log_end = log->bios_event_log + len; virt = acpi_os_map_iomem(start, len); -- 2.47.1

10 months, 2 weeks

1
0
0 0

[PATCH] clk: qcom: clk-alpha-pll: fix alpha mode configuration

by Gabor Juhos

Commit c45ae598fc16 ("clk: qcom: support for alpha mode configuration") added support for configuring alpha mode, but it seems that the feature was never working in practice. The value of the alpha_{en,mode}_mask members of the configuration gets added to the value parameter passed to the regmap_update_bits() function, however the same values are not getting applied to the bitmask. As the result, the respective bits in the USER_CTL register are never modifed which leads to improper configuration of several PLLs. The following table shows the PLL configurations where the 'alpha_en_mask' member is set and which are passed as a parameter for the clk_alpha_pll_configure() function. In the table the 'expected rate' column shows the rate the PLL should run at with the given configuration, and the 'real rate' column shows the rate the PLL runs at actually. The real rates has been verified on hardwareOn IPQ* platforms, on other platforms, those are computed values only. file pll expected rate real rate dispcc-qcm2290.c disp_cc_pll0 768.0 MHz 768.0 MHz dispcc-sm6115.c disp_cc_pll0 768.0 MHz 768.0 MHz gcc-ipq5018.c ubi32_pll 1000.0 MHz != 984.0 MHz gcc-ipq6018.c nss_crypto_pll 1200.0 MHz 1200.0 MHz gcc-ipq6018.c ubi32_pll 1497.6 MHz != 1488.0 MHz gcc-ipq8074.c nss_crypto_pll 1200.0 MHz != 1190.4 MHz gcc-qcm2290.c gpll11 532.0 MHz != 518.4 MHz gcc-qcm2290.c gpll8 533.2 MHz != 518.4 MHz gcc-qcs404.c gpll3 921.6 MHz 921.6 MHz gcc-sm6115.c gpll11 600.0 MHz != 595.2 MHz gcc-sm6115.c gpll8 800.0 MHz != 787.2 MHz gpucc-sdm660.c gpu_cc_pll0 800.0 MHz != 787.2 MHz gpucc-sdm660.c gpu_cc_pll1 740.0 MHz != 729.6 MHz gpucc-sm6115.c gpu_cc_pll0 1200.0 MHz != 1190.4 MHz gpucc-sm6115.c gpu_cc_pll1 640.0 MHz != 633.6 MHz gpucc-sm6125.c gpu_pll0 1020.0 MHz != 1017.6 MHz gpucc-sm6125.c gpu_pll1 930.0 MHz != 921.6 MHz mmcc-sdm660.c mmpll8 930.0 MHz != 921.6 MHz mmcc-sdm660.c mmpll5 825.0 MHz != 806.4 MHz As it can be seen from the above, there are several PLLs which are configured incorrectly. Change the code to apply both 'alpha_en_mask' and 'alpha_mode_mask' values to the bitmask in order to configure the alpha mode correctly. Applying the 'alpha_en_mask' fixes the initial rate of the PLLs showed in the table above. Since the 'alpha_mode_mask' is not used by any driver currently, that part of the change causes no functional changes. Cc: stable(a)vger.kernel.org Fixes: c45ae598fc16 ("clk: qcom: support for alpha mode configuration") Signed-off-by: Gabor Juhos <j4g8y7(a)gmail.com> --- drivers/clk/qcom/clk-alpha-pll.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/clk/qcom/clk-alpha-pll.c b/drivers/clk/qcom/clk-alpha-pll.c index f9105443d7dbb104e3cb091e59f43df25999f8b3..03cc7aa092480bfdd9eaa986d44f0545944b3b89 100644 --- a/drivers/clk/qcom/clk-alpha-pll.c +++ b/drivers/clk/qcom/clk-alpha-pll.c @@ -421,6 +421,8 @@ void clk_alpha_pll_configure(struct clk_alpha_pll *pll, struct regmap *regmap, mask |= config->pre_div_mask; mask |= config->post_div_mask; mask |= config->vco_mask; + mask |= config->alpha_en_mask; + mask |= config->alpha_mode_mask; regmap_update_bits(regmap, PLL_USER_CTL(pll), mask, val); --- base-commit: 9852d85ec9d492ebef56dc5f229416c925758edc change-id: 20241021-fix-alpha-mode-config-8383238a4854 Best regards, -- Gabor Juhos <j4g8y7(a)gmail.com>

10 months, 2 weeks

3
3
0 0

[PATCH] scripts/sorttable: Fix orc_sort_cmp() to maintain symmetry and transitivity

by Kuan-Wei Chiu

The orc_sort_cmp() function, used with qsort(), previously violated the symmetry and transitivity rules required by the C standard. Specifically, when both entries are ORC_TYPE_UNDEFINED, it could result in both a < b and b < a, which breaks the required symmetry and transitivity. This can lead to undefined behavior and incorrect sorting results, potentially causing memory corruption in glibc implementations [1]. Symmetry: If x < y, then y > x. Transitivity: If x < y and y < z, then x < z. Fix the comparison logic to return 0 when both entries are ORC_TYPE_UNDEFINED, ensuring compliance with qsort() requirements. Link: https://www.qualys.com/2024/01/30/qsort.txt [1] Fixes: 57fa18994285 ("scripts/sorttable: Implement build-time ORC unwind table sorting") Fixes: fb799447ae29 ("x86,objtool: Split UNWIND_HINT_EMPTY in two") Cc: stable(a)vger.kernel.org Signed-off-by: Kuan-Wei Chiu <visitorckw(a)gmail.com> --- scripts/sorttable.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/scripts/sorttable.h b/scripts/sorttable.h index 7bd0184380d3..a7c5445baf00 100644 --- a/scripts/sorttable.h +++ b/scripts/sorttable.h @@ -110,7 +110,7 @@ static inline unsigned long orc_ip(const int *ip) static int orc_sort_cmp(const void *_a, const void *_b) { - struct orc_entry *orc_a; + struct orc_entry *orc_a, *orc_b; const int *a = g_orc_ip_table + *(int *)_a; const int *b = g_orc_ip_table + *(int *)_b; unsigned long a_val = orc_ip(a); @@ -128,6 +128,9 @@ static int orc_sort_cmp(const void *_a, const void *_b) * whitelisted .o files which didn't get objtool generation. */ orc_a = g_orc_table + (a - g_orc_ip_table); + orc_b = g_orc_table + (b - g_orc_ip_table); + if (orc_a->type == ORC_TYPE_UNDEFINED && orc_b->type == ORC_TYPE_UNDEFINED) + return 0; return orc_a->type == ORC_TYPE_UNDEFINED ? -1 : 1; } -- 2.34.1

10 months, 2 weeks

2
2
0 0

+ alloc_tag-skip-pgalloc_tag_swap-if-profiling-is-disabled.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: alloc_tag: skip pgalloc_tag_swap if profiling is disabled has been added to the -mm mm-hotfixes-unstable branch. Its filename is alloc_tag-skip-pgalloc_tag_swap-if-profiling-is-disabled.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Suren Baghdasaryan <surenb(a)google.com> Subject: alloc_tag: skip pgalloc_tag_swap if profiling is disabled Date: Thu, 26 Dec 2024 13:16:39 -0800 When memory allocation profiling is disabled, there is no need to swap allocation tags during migration. Skip it to avoid unnecessary overhead. Link: https://lkml.kernel.org/r/20241226211639.1357704-2-surenb@google.com Fixes: e0a955bf7f61 ("mm/codetag: add pgalloc_tag_copy()") Signed-off-by: Suren Baghdasaryan <surenb(a)google.com> Cc: David Wang <00107082(a)163.com> Cc: Kent Overstreet <kent.overstreet(a)linux.dev> Cc: Yu Zhao <yuzhao(a)google.com> Cc: Zhenhua Huang <quic_zhenhuah(a)quicinc.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- lib/alloc_tag.c | 3 +++ 1 file changed, 3 insertions(+) --- a/lib/alloc_tag.c~alloc_tag-skip-pgalloc_tag_swap-if-profiling-is-disabled +++ a/lib/alloc_tag.c @@ -197,6 +197,9 @@ void pgalloc_tag_swap(struct folio *new, union codetag_ref ref_old, ref_new; struct alloc_tag *tag_old, *tag_new; + if (!mem_alloc_profiling_enabled()) + return; + tag_old = pgalloc_tag_get(&old->page); if (!tag_old) return; _ Patches currently in -mm which might be from surenb(a)google.com are alloc_tag-avoid-current-alloc_tag-manipulations-when-profiling-is-disabled.patch alloc_tag-skip-pgalloc_tag_swap-if-profiling-is-disabled.patch seqlock-add-raw_seqcount_try_begin.patch mm-convert-mm_lock_seq-to-a-proper-seqcount.patch mm-introduce-mmap_lock_speculate_try_beginretry.patch mm-introduce-vma_start_read_locked_nested-helpers.patch mm-move-per-vma-lock-into-vm_area_struct.patch mm-mark-vma-as-detached-until-its-added-into-vma-tree.patch mm-modify-vma_iter_store_gfp-to-indicate-if-its-storing-a-new-vma.patch mm-mark-vmas-detached-upon-exit.patch mm-nommu-fix-the-last-places-where-vma-is-not-locked-before-being-attached.patch types-move-struct-rcuwait-into-typesh.patch mm-allow-vma_start_read_locked-vma_start_read_locked_nested-to-fail.patch mm-move-mmap_init_lock-out-of-the-header-file.patch mm-uninline-the-main-body-of-vma_start_write.patch refcount-introduce-__refcount_addinc_not_zero_limited.patch mm-replace-vm_lock-and-detached-flag-with-a-reference-count.patch mm-debug-print-vm_refcnt-state-when-dumping-the-vma.patch mm-debug-print-vm_refcnt-state-when-dumping-the-vma-fix.patch mm-remove-extra-vma_numab_state_init-call.patch mm-prepare-lock_vma_under_rcu-for-vma-reuse-possibility.patch mm-make-vma-cache-slab_typesafe_by_rcu.patch docs-mm-document-latest-changes-to-vm_lock.patch

10 months, 2 weeks

1
0
0 0

+ alloc_tag-avoid-current-alloc_tag-manipulations-when-profiling-is-disabled.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: alloc_tag: avoid current->alloc_tag manipulations when profiling is disabled has been added to the -mm mm-hotfixes-unstable branch. Its filename is alloc_tag-avoid-current-alloc_tag-manipulations-when-profiling-is-disabled.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Suren Baghdasaryan <surenb(a)google.com> Subject: alloc_tag: avoid current->alloc_tag manipulations when profiling is disabled Date: Thu, 26 Dec 2024 13:16:38 -0800 When memory allocation profiling is disabled there is no need to update current->alloc_tag and these manipulations add unnecessary overhead. Fix the overhead by skipping these extra updates. Link: https://lkml.kernel.org/r/20241226211639.1357704-1-surenb@google.com Fixes: b951aaff5035 ("mm: enable page allocation tagging") Signed-off-by: Suren Baghdasaryan <surenb(a)google.com> Cc: David Wang <00107082(a)163.com> Cc: Kent Overstreet <kent.overstreet(a)linux.dev> Cc: Yu Zhao <yuzhao(a)google.com> Cc: Zhenhua Huang <quic_zhenhuah(a)quicinc.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/alloc_tag.h | 11 ++++++++--- lib/alloc_tag.c | 2 ++ 2 files changed, 10 insertions(+), 3 deletions(-) --- a/include/linux/alloc_tag.h~alloc_tag-avoid-current-alloc_tag-manipulations-when-profiling-is-disabled +++ a/include/linux/alloc_tag.h @@ -224,9 +224,14 @@ static inline void alloc_tag_sub(union c #define alloc_hooks_tag(_tag, _do_alloc) \ ({ \ - struct alloc_tag * __maybe_unused _old = alloc_tag_save(_tag); \ - typeof(_do_alloc) _res = _do_alloc; \ - alloc_tag_restore(_tag, _old); \ + typeof(_do_alloc) _res; \ + if (mem_alloc_profiling_enabled()) { \ + struct alloc_tag * __maybe_unused _old; \ + _old = alloc_tag_save(_tag); \ + _res = _do_alloc; \ + alloc_tag_restore(_tag, _old); \ + } else \ + _res = _do_alloc; \ _res; \ }) --- a/lib/alloc_tag.c~alloc_tag-avoid-current-alloc_tag-manipulations-when-profiling-is-disabled +++ a/lib/alloc_tag.c @@ -29,6 +29,8 @@ EXPORT_SYMBOL(_shared_alloc_tag); DEFINE_STATIC_KEY_MAYBE(CONFIG_MEM_ALLOC_PROFILING_ENABLED_BY_DEFAULT, mem_alloc_profiling_key); +EXPORT_SYMBOL(mem_alloc_profiling_key); + DEFINE_STATIC_KEY_FALSE(mem_profiling_compressed); struct alloc_tag_kernel_section kernel_tags = { NULL, 0 }; _ Patches currently in -mm which might be from surenb(a)google.com are alloc_tag-avoid-current-alloc_tag-manipulations-when-profiling-is-disabled.patch alloc_tag-skip-pgalloc_tag_swap-if-profiling-is-disabled.patch seqlock-add-raw_seqcount_try_begin.patch mm-convert-mm_lock_seq-to-a-proper-seqcount.patch mm-introduce-mmap_lock_speculate_try_beginretry.patch mm-introduce-vma_start_read_locked_nested-helpers.patch mm-move-per-vma-lock-into-vm_area_struct.patch mm-mark-vma-as-detached-until-its-added-into-vma-tree.patch mm-modify-vma_iter_store_gfp-to-indicate-if-its-storing-a-new-vma.patch mm-mark-vmas-detached-upon-exit.patch mm-nommu-fix-the-last-places-where-vma-is-not-locked-before-being-attached.patch types-move-struct-rcuwait-into-typesh.patch mm-allow-vma_start_read_locked-vma_start_read_locked_nested-to-fail.patch mm-move-mmap_init_lock-out-of-the-header-file.patch mm-uninline-the-main-body-of-vma_start_write.patch refcount-introduce-__refcount_addinc_not_zero_limited.patch mm-replace-vm_lock-and-detached-flag-with-a-reference-count.patch mm-debug-print-vm_refcnt-state-when-dumping-the-vma.patch mm-debug-print-vm_refcnt-state-when-dumping-the-vma-fix.patch mm-remove-extra-vma_numab_state_init-call.patch mm-prepare-lock_vma_under_rcu-for-vma-reuse-possibility.patch mm-make-vma-cache-slab_typesafe_by_rcu.patch docs-mm-document-latest-changes-to-vm_lock.patch

10 months, 2 weeks

1
0
0 0

+ memcg-fix-soft-lockup-in-the-oom-process.patch added to mm-unstable branch

by Andrew Morton

The patch titled Subject: memcg: fix soft lockup in the OOM process has been added to the -mm mm-unstable branch. Its filename is memcg-fix-soft-lockup-in-the-oom-process.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Chen Ridong <chenridong(a)huawei.com> Subject: memcg: fix soft lockup in the OOM process Date: Tue, 24 Dec 2024 02:52:38 +0000 A soft lockup issue was found in the product with about 56,000 tasks were in the OOM cgroup, it was traversing them when the soft lockup was triggered. watchdog: BUG: soft lockup - CPU#2 stuck for 23s! [VM Thread:1503066] CPU: 2 PID: 1503066 Comm: VM Thread Kdump: loaded Tainted: G Hardware name: Huawei Cloud OpenStack Nova, BIOS RIP: 0010:console_unlock+0x343/0x540 RSP: 0000:ffffb751447db9a0 EFLAGS: 00000247 ORIG_RAX: ffffffffffffff13 RAX: 0000000000000001 RBX: 0000000000000000 RCX: 00000000ffffffff RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000247 RBP: ffffffffafc71f90 R08: 0000000000000000 R09: 0000000000000040 R10: 0000000000000080 R11: 0000000000000000 R12: ffffffffafc74bd0 R13: ffffffffaf60a220 R14: 0000000000000247 R15: 0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f2fe6ad91f0 CR3: 00000004b2076003 CR4: 0000000000360ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: vprintk_emit+0x193/0x280 printk+0x52/0x6e dump_task+0x114/0x130 mem_cgroup_scan_tasks+0x76/0x100 dump_header+0x1fe/0x210 oom_kill_process+0xd1/0x100 out_of_memory+0x125/0x570 mem_cgroup_out_of_memory+0xb5/0xd0 try_charge+0x720/0x770 mem_cgroup_try_charge+0x86/0x180 mem_cgroup_try_charge_delay+0x1c/0x40 do_anonymous_page+0xb5/0x390 handle_mm_fault+0xc4/0x1f0 This is because thousands of processes are in the OOM cgroup, it takes a long time to traverse all of them. As a result, this lead to soft lockup in the OOM process. To fix this issue, call 'cond_resched' in the 'mem_cgroup_scan_tasks' function per 1000 iterations. For global OOM, call 'touch_softlockup_watchdog' per 1000 iterations to avoid this issue. Link: https://lkml.kernel.org/r/20241224025238.3768787-1-chenridong@huaweicloud.c… Fixes: 9cbb78bb3143 ("mm, memcg: introduce own oom handler to iterate only over its own threads") Signed-off-by: Chen Ridong <chenridong(a)huawei.com> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Roman Gushchin <roman.gushchin(a)linux.dev> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Shakeel Butt <shakeelb(a)google.com> Cc: Muchun Song <songmuchun(a)bytedance.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/memcontrol.c | 7 ++++++- mm/oom_kill.c | 8 +++++++- 2 files changed, 13 insertions(+), 2 deletions(-) --- a/mm/memcontrol.c~memcg-fix-soft-lockup-in-the-oom-process +++ a/mm/memcontrol.c @@ -1161,6 +1161,7 @@ void mem_cgroup_scan_tasks(struct mem_cg { struct mem_cgroup *iter; int ret = 0; + int i = 0; BUG_ON(mem_cgroup_is_root(memcg)); @@ -1169,8 +1170,12 @@ void mem_cgroup_scan_tasks(struct mem_cg struct task_struct *task; css_task_iter_start(&iter->css, CSS_TASK_ITER_PROCS, &it); - while (!ret && (task = css_task_iter_next(&it))) + while (!ret && (task = css_task_iter_next(&it))) { + /* Avoid potential softlockup warning */ + if ((++i & 1023) == 0) + cond_resched(); ret = fn(task, arg); + } css_task_iter_end(&it); if (ret) { mem_cgroup_iter_break(memcg, iter); --- a/mm/oom_kill.c~memcg-fix-soft-lockup-in-the-oom-process +++ a/mm/oom_kill.c @@ -44,6 +44,7 @@ #include <linux/init.h> #include <linux/mmu_notifier.h> #include <linux/cred.h> +#include <linux/nmi.h> #include <asm/tlb.h> #include "internal.h" @@ -430,10 +431,15 @@ static void dump_tasks(struct oom_contro mem_cgroup_scan_tasks(oc->memcg, dump_task, oc); else { struct task_struct *p; + int i = 0; rcu_read_lock(); - for_each_process(p) + for_each_process(p) { + /* Avoid potential softlockup warning */ + if ((++i & 1023) == 0) + touch_softlockup_watchdog(); dump_task(p, oc); + } rcu_read_unlock(); } } _ Patches currently in -mm which might be from chenridong(a)huawei.com are mm-vmscan-retry-folios-written-back-while-isolated-for-traditional-lru.patch memcg-fix-soft-lockup-in-the-oom-process.patch

10 months, 2 weeks

1
0
0 0

[PATCH 0/2] Add missing parent_map to clocks in SM6350 clock drivers

by Luca Weiss

If a clk_rcg2 has a parent, it should also have parent_map defined, otherwise we'll get a NULL pointer dereference when calling clk_set_rate on those clocks. Correct this on clocks in both gcc-sm6350 and dispcc-sm6350. Signed-off-by: Luca Weiss <luca.weiss(a)fairphone.com> --- Luca Weiss (2): clk: qcom: gcc-sm6350: Add missing parent_map for two clocks clk: qcom: dispcc-sm6350: Add missing parent_map for a clock drivers/clk/qcom/dispcc-sm6350.c | 7 +++---- drivers/clk/qcom/gcc-sm6350.c | 22 ++++++++++++++-------- 2 files changed, 17 insertions(+), 12 deletions(-) --- base-commit: 8155b4ef3466f0e289e8fcc9e6e62f3f4dceeac2 change-id: 20241220-sm6350-parent_map-c03e9b61a718 Best regards, -- Luca Weiss <luca.weiss(a)fairphone.com>

10 months, 2 weeks

3
8
0 0

[PATCH] soc: qcom: smem_state: fix missing of_node_put in error path

by Krzysztof Kozlowski

If of_parse_phandle_with_args() succeeds, the OF node reference should be dropped, regardless of number of phandle arguments. Cc: <stable(a)vger.kernel.org> Fixes: 9460ae2ff308 ("soc: qcom: Introduce common SMEM state machine code") Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> --- drivers/soc/qcom/smem_state.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/soc/qcom/smem_state.c b/drivers/soc/qcom/smem_state.c index d9bfac6c54fb..cc5be8019b6a 100644 --- a/drivers/soc/qcom/smem_state.c +++ b/drivers/soc/qcom/smem_state.c @@ -112,7 +112,8 @@ struct qcom_smem_state *qcom_smem_state_get(struct device *dev, if (args.args_count != 1) { dev_err(dev, "invalid #qcom,smem-state-cells\n"); - return ERR_PTR(-EINVAL); + state = ERR_PTR(-EINVAL); + goto put; } state = of_node_to_state(args.np); -- 2.43.0

10 months, 2 weeks

2
4
0 0

[PATCH] clk: qcom: clk-rpmh: prevent integer overflow in recalc_rate

by Anastasia Belova

aggr_state and unit fields are u32. The result of their multiplication may not fit in this type. Add explicit casting to prevent overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 04053f4d23a4 ("clk: qcom: clk-rpmh: Add IPA clock support") Cc: stable(a)vger.kernel.org # 5.4+ Signed-off-by: Anastasia Belova <abelova(a)astralinux.ru> --- drivers/clk/qcom/clk-rpmh.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/clk/qcom/clk-rpmh.c b/drivers/clk/qcom/clk-rpmh.c index eefc322ce367..e6c33010cfbf 100644 --- a/drivers/clk/qcom/clk-rpmh.c +++ b/drivers/clk/qcom/clk-rpmh.c @@ -329,7 +329,7 @@ static unsigned long clk_rpmh_bcm_recalc_rate(struct clk_hw *hw, { struct clk_rpmh *c = to_clk_rpmh(hw); - return c->aggr_state * c->unit; + return (unsigned long)c->aggr_state * c->unit; } static const struct clk_ops clk_rpmh_bcm_ops = { -- 2.30.2

10 months, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] vmalloc: fix accounting with i915" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x a2e740e216f5bf49ccb83b6d490c72a340558a43 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122359-compactly-cranium-ec0b@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a2e740e216f5bf49ccb83b6d490c72a340558a43 Mon Sep 17 00:00:00 2001 From: "Matthew Wilcox (Oracle)" <willy(a)infradead.org> Date: Wed, 11 Dec 2024 20:25:37 +0000 Subject: [PATCH] vmalloc: fix accounting with i915 If the caller of vmap() specifies VM_MAP_PUT_PAGES (currently only the i915 driver), we will decrement nr_vmalloc_pages and MEMCG_VMALLOC in vfree(). These counters are incremented by vmalloc() but not by vmap() so this will cause an underflow. Check the VM_MAP_PUT_PAGES flag before decrementing either counter. Link: https://lkml.kernel.org/r/20241211202538.168311-1-willy@infradead.org Fixes: b944afc9d64d ("mm: add a VM_MAP_PUT_PAGES flag for vmap") Signed-off-by: Matthew Wilcox (Oracle) <willy(a)infradead.org> Acked-by: Johannes Weiner <hannes(a)cmpxchg.org> Reviewed-by: Shakeel Butt <shakeel.butt(a)linux.dev> Reviewed-by: Balbir Singh <balbirs(a)nvidia.com> Acked-by: Michal Hocko <mhocko(a)suse.com> Cc: Christoph Hellwig <hch(a)lst.de> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Roman Gushchin <roman.gushchin(a)linux.dev> Cc: "Uladzislau Rezki (Sony)" <urezki(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/vmalloc.c b/mm/vmalloc.c index f009b21705c1..5c88d0e90c20 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c @@ -3374,7 +3374,8 @@ void vfree(const void *addr) struct page *page = vm->pages[i]; BUG_ON(!page); - mod_memcg_page_state(page, MEMCG_VMALLOC, -1); + if (!(vm->flags & VM_MAP_PUT_PAGES)) + mod_memcg_page_state(page, MEMCG_VMALLOC, -1); /* * High-order allocs for huge vmallocs are split, so * can be freed as an array of order-0 allocations @@ -3382,7 +3383,8 @@ void vfree(const void *addr) __free_page(page); cond_resched(); } - atomic_long_sub(vm->nr_pages, &nr_vmalloc_pages); + if (!(vm->flags & VM_MAP_PUT_PAGES)) + atomic_long_sub(vm->nr_pages, &nr_vmalloc_pages); kvfree(vm->pages); kfree(vm); }

10 months, 2 weeks

4
4
0 0

[PATCH 5.4.y 5.10.y 0/4] Backport of CVE-2024-44986 fix to stable 5.4 and 5.10

by Harshvardhan Jha

Following is an attempt to backport fix of CVE-2024-44986 back to stable 5.4 and 5.10. 3 extra pre-requisite patches were required to introduce the skb_expand_head() function and use it in ip6_finish_output2() for the fix patch to be applicable. Eric Dumazet (1): ipv6: fix possible UAF in ip6_finish_output2() Vasily Averin (3): skbuff: introduce skb_expand_head() ipv6: use skb_expand_head in ip6_finish_output2 ipv6: use skb_expand_head in ip6_xmit include/linux/skbuff.h | 1 + net/core/skbuff.c | 42 ++++++++++++++++++++++ net/ipv6/ip6_output.c | 82 ++++++++++++++++-------------------------- 3 files changed, 74 insertions(+), 51 deletions(-) -- 2.46.0

10 months, 2 weeks

2
10
0 0

+ scripts-sorttable-fix-orc_sort_cmp-to-maintain-symmetry-and-transitivity.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: scripts/sorttable: fix orc_sort_cmp() to maintain symmetry and transitivity has been added to the -mm mm-hotfixes-unstable branch. Its filename is scripts-sorttable-fix-orc_sort_cmp-to-maintain-symmetry-and-transitivity.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Kuan-Wei Chiu <visitorckw(a)gmail.com> Subject: scripts/sorttable: fix orc_sort_cmp() to maintain symmetry and transitivity Date: Thu, 26 Dec 2024 22:03:32 +0800 The orc_sort_cmp() function, used with qsort(), previously violated the symmetry and transitivity rules required by the C standard. Specifically, when both entries are ORC_TYPE_UNDEFINED, it could result in both a < b and b < a, which breaks the required symmetry and transitivity. This can lead to undefined behavior and incorrect sorting results, potentially causing memory corruption in glibc implementations [1]. Symmetry: If x < y, then y > x. Transitivity: If x < y and y < z, then x < z. Fix the comparison logic to return 0 when both entries are ORC_TYPE_UNDEFINED, ensuring compliance with qsort() requirements. Link: https://www.qualys.com/2024/01/30/qsort.txt [1] Link: https://lkml.kernel.org/r/20241226140332.2670689-1-visitorckw@gmail.com Fixes: 57fa18994285 ("scripts/sorttable: Implement build-time ORC unwind table sorting") Fixes: fb799447ae29 ("x86,objtool: Split UNWIND_HINT_EMPTY in two") Signed-off-by: Kuan-Wei Chiu <visitorckw(a)gmail.com> Cc: Ching-Chun (Jim) Huang <jserv(a)ccns.ncku.edu.tw> Cc: <chuang(a)cs.nycu.edu.tw> Cc: Ingo Molnar <mingo(a)kernel.org> Cc: Josh Poimboeuf <jpoimboe(a)kernel.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Shile Zhang <shile.zhang(a)linux.alibaba.com> Cc: Steven Rostedt <rostedt(a)goodmis.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- scripts/sorttable.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) --- a/scripts/sorttable.h~scripts-sorttable-fix-orc_sort_cmp-to-maintain-symmetry-and-transitivity +++ a/scripts/sorttable.h @@ -110,7 +110,7 @@ static inline unsigned long orc_ip(const static int orc_sort_cmp(const void *_a, const void *_b) { - struct orc_entry *orc_a; + struct orc_entry *orc_a, *orc_b; const int *a = g_orc_ip_table + *(int *)_a; const int *b = g_orc_ip_table + *(int *)_b; unsigned long a_val = orc_ip(a); @@ -128,6 +128,9 @@ static int orc_sort_cmp(const void *_a, * whitelisted .o files which didn't get objtool generation. */ orc_a = g_orc_table + (a - g_orc_ip_table); + orc_b = g_orc_table + (b - g_orc_ip_table); + if (orc_a->type == ORC_TYPE_UNDEFINED && orc_b->type == ORC_TYPE_UNDEFINED) + return 0; return orc_a->type == ORC_TYPE_UNDEFINED ? -1 : 1; } _ Patches currently in -mm which might be from visitorckw(a)gmail.com are scripts-sorttable-fix-orc_sort_cmp-to-maintain-symmetry-and-transitivity.patch lib-min_heap-improve-type-safety-in-min_heap-macros-by-using-container_of.patch lib-test_min_heap-use-inline-min-heap-variants-to-reduce-attack-vector.patch lib-min_heap-add-brief-introduction-to-min-heap-api.patch documentation-core-api-min_heap-add-author-information.patch

10 months, 2 weeks

1
0
0 0

[PATCH v6 1/2] tpm: Map the ACPI provided event log

by Jarkko Sakkinen

The following failure was reported: [ 10.693310][ T1] tpm_tis STM0925:00: 2.0 TPM (device-id 0x3, rev-id 0) [ 10.848132][ T1] ------------[ cut here ]------------ [ 10.853559][ T1] WARNING: CPU: 59 PID: 1 at mm/page_alloc.c:4727 __alloc_pages_noprof+0x2ca/0x330 [ 10.862827][ T1] Modules linked in: [ 10.866671][ T1] CPU: 59 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-lp155.2.g52785e2-default #1 openSUSE Tumbleweed (unreleased) 588cd98293a7c9eba9013378d807364c088c9375 [ 10.882741][ T1] Hardware name: HPE ProLiant DL320 Gen12/ProLiant DL320 Gen12, BIOS 1.20 10/28/2024 [ 10.892170][ T1] RIP: 0010:__alloc_pages_noprof+0x2ca/0x330 [ 10.898103][ T1] Code: 24 08 e9 4a fe ff ff e8 34 36 fa ff e9 88 fe ff ff 83 fe 0a 0f 86 b3 fd ff ff 80 3d 01 e7 ce 01 00 75 09 c6 05 f8 e6 ce 01 01 <0f> 0b 45 31 ff e9 e5 fe ff ff f7 c2 00 00 08 00 75 42 89 d9 80 e1 [ 10.917750][ T1] RSP: 0000:ffffb7cf40077980 EFLAGS: 00010246 [ 10.923777][ T1] RAX: 0000000000000000 RBX: 0000000000040cc0 RCX: 0000000000000000 [ 10.931727][ T1] RDX: 0000000000000000 RSI: 000000000000000c RDI: 0000000000040cc0 Above shows that ACPI pointed a 16 MiB buffer for the log events because RSI maps to the 'order' parameter of __alloc_pages_noprof(). Address the bug with kvmalloc() and devres_add(). Cc: stable(a)vger.kernel.org # v2.6.16+ Fixes: 55a82ab3181b ("[PATCH] tpm: add bios measurement log") Reported-by: Andy Liang <andy.liang(a)hpe.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219495 Suggested-by: Matthew Garrett <mjg59(a)srcf.ucam.org> Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v6: * A new patch. --- drivers/char/tpm/eventlog/acpi.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/char/tpm/eventlog/acpi.c b/drivers/char/tpm/eventlog/acpi.c index 69533d0bfb51..7cd44a46a0d7 100644 --- a/drivers/char/tpm/eventlog/acpi.c +++ b/drivers/char/tpm/eventlog/acpi.c @@ -136,10 +136,12 @@ int tpm_read_log_acpi(struct tpm_chip *chip) } /* malloc EventLog space */ - log->bios_event_log = devm_kmalloc(&chip->dev, len, GFP_KERNEL); + log->bios_event_log = kvmalloc(len, GFP_KERNEL); if (!log->bios_event_log) return -ENOMEM; + devres_add(&chip->dev, log->bios_event_log); + log->bios_event_log_end = log->bios_event_log + len; virt = acpi_os_map_iomem(start, len); -- 2.47.1

10 months, 2 weeks

1
2
0 0

[PATCH] clk: qcom: gcc-mdm9607: Fix cmd_rcgr offset for blsp1_uart6 rcg

by Satya Priya Kakitapalli

Fix cmd_rcgr offset for blsp1_uart6_apps_clk_src on mdm9607 platform. Fixes: 48b7253264ea ("clk: qcom: Add MDM9607 GCC driver") Cc: stable(a)vger.kernel.org Signed-off-by: Satya Priya Kakitapalli <quic_skakitap(a)quicinc.com> --- drivers/clk/qcom/gcc-mdm9607.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/clk/qcom/gcc-mdm9607.c b/drivers/clk/qcom/gcc-mdm9607.c index 6e6068b168e6..07f1b78d737a 100644 --- a/drivers/clk/qcom/gcc-mdm9607.c +++ b/drivers/clk/qcom/gcc-mdm9607.c @@ -535,7 +535,7 @@ static struct clk_rcg2 blsp1_uart5_apps_clk_src = { }; static struct clk_rcg2 blsp1_uart6_apps_clk_src = { - .cmd_rcgr = 0x6044, + .cmd_rcgr = 0x7044, .mnd_width = 16, .hid_width = 5, .parent_map = gcc_xo_gpll0_map, -- 2.25.1

10 months, 2 weeks

3
2
0 0

[PATCH 1/2] clk: qcom: gcc-sm8550: Do not turn off PCIe GDSCs during gdsc_disable()

by Manivannan Sadhasivam

With PWRSTS_OFF_ON, PCIe GDSCs are turned off during gdsc_disable(). This can happen during scenarios such as system suspend and breaks the resume of PCIe controllers from suspend. So use PWRSTS_RET_ON to indicate the GDSC driver to not turn off the GDSCs during gdsc_disable() and allow the hardware to transition the GDSCs to retention when the parent domain enters low power state during system suspend. Cc: stable(a)vger.kernel.org # 6.2 Fixes: 955f2ea3b9e9 ("clk: qcom: Add GCC driver for SM8550") Reported-by: Neil Armstrong <neil.armstrong(a)linaro.org> Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org> --- drivers/clk/qcom/gcc-sm8550.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/clk/qcom/gcc-sm8550.c b/drivers/clk/qcom/gcc-sm8550.c index 5abaeddd6afc..862a9bf73bcb 100644 --- a/drivers/clk/qcom/gcc-sm8550.c +++ b/drivers/clk/qcom/gcc-sm8550.c @@ -3003,7 +3003,7 @@ static struct gdsc pcie_0_gdsc = { .pd = { .name = "pcie_0_gdsc", }, - .pwrsts = PWRSTS_OFF_ON, + .pwrsts = PWRSTS_RET_ON, .flags = VOTABLE | POLL_CFG_GDSCR | RETAIN_FF_ENABLE, }; @@ -3014,7 +3014,7 @@ static struct gdsc pcie_0_phy_gdsc = { .pd = { .name = "pcie_0_phy_gdsc", }, - .pwrsts = PWRSTS_OFF_ON, + .pwrsts = PWRSTS_RET_ON, .flags = VOTABLE | POLL_CFG_GDSCR | RETAIN_FF_ENABLE, }; @@ -3025,7 +3025,7 @@ static struct gdsc pcie_1_gdsc = { .pd = { .name = "pcie_1_gdsc", }, - .pwrsts = PWRSTS_OFF_ON, + .pwrsts = PWRSTS_RET_ON, .flags = VOTABLE | POLL_CFG_GDSCR | RETAIN_FF_ENABLE, }; @@ -3036,7 +3036,7 @@ static struct gdsc pcie_1_phy_gdsc = { .pd = { .name = "pcie_1_phy_gdsc", }, - .pwrsts = PWRSTS_OFF_ON, + .pwrsts = PWRSTS_RET_ON, .flags = VOTABLE | POLL_CFG_GDSCR | RETAIN_FF_ENABLE, }; -- 2.25.1

10 months, 2 weeks

3
4
0 0

[PATCH] arm64: dts: qcom: sm6350: Fix uart1 interconnect path

by Luca Weiss

The path MASTER_QUP_0 to SLAVE_EBI_CH0 would be qup-memory path and not qup-config. Since the qup-memory path is not part of the qcom,geni-uart bindings, just replace that path with the correct path for qup-config. Fixes: b179f35b887b ("arm64: dts: qcom: sm6350: add uart1 node") Cc: stable(a)vger.kernel.org Signed-off-by: Luca Weiss <luca.weiss(a)fairphone.com> --- arch/arm64/boot/dts/qcom/sm6350.dtsi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/boot/dts/qcom/sm6350.dtsi b/arch/arm64/boot/dts/qcom/sm6350.dtsi index 8d697280249fefcc62ab0848e949b5509deb32a6..7b5c340df5f6f32233f4254db2012f84bdde6be2 100644 --- a/arch/arm64/boot/dts/qcom/sm6350.dtsi +++ b/arch/arm64/boot/dts/qcom/sm6350.dtsi @@ -936,7 +936,7 @@ uart1: serial@884000 { power-domains = <&rpmhpd SM6350_CX>; operating-points-v2 = <&qup_opp_table>; interconnects = <&clk_virt MASTER_QUP_CORE_0 0 &clk_virt SLAVE_QUP_CORE_0 0>, - <&aggre1_noc MASTER_QUP_0 0 &clk_virt SLAVE_EBI_CH0 0>; + <&gem_noc MASTER_AMPSS_M0 0 &config_noc SLAVE_QUP_0 0>; interconnect-names = "qup-core", "qup-config"; status = "disabled"; }; --- base-commit: 8155b4ef3466f0e289e8fcc9e6e62f3f4dceeac2 change-id: 20241220-sm6350-uart1-icc-de4c0ab8413d Best regards, -- Luca Weiss <luca.weiss(a)fairphone.com>

10 months, 2 weeks

3
2
0 0

[PATCH v3] soc: qcom: llcc: Enable LLCC_WRCACHE at boot on X1

by Konrad Dybcio

From: Konrad Dybcio <konrad.dybcio(a)oss.qualcomm.com> The Last Level Cache is split into many slices, each one of which can be toggled on or off. Only certain slices are recommended to be turned on unconditionally, in order to reach optimal performance/latency/power levels. Enable WRCACHE on X1 at boot, in accordance with internal recommendations. No significant performance difference is expected. Fixes: b3cf69a43502 ("soc: qcom: llcc: Add configuration data for X1E80100") Cc: stable(a)vger.kernel.org Reviewed-by: Rajendra Nayak <quic_rjendra(a)quicinc.com> Signed-off-by: Konrad Dybcio <konrad.dybcio(a)oss.qualcomm.com> --- Changes in v3: - Improve the commit message - Link to v2: https://lore.kernel.org/r/20241212-topic-llcc_x1e_wrcache-v2-1-e44d3058d06c… Changes in v2: - Cc stable - Add more context lines - Pick up r-b - Link to v1: https://lore.kernel.org/r/20241207-topic-llcc_x1e_wrcache-v1-1-232e6aff49e4… --- drivers/soc/qcom/llcc-qcom.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/soc/qcom/llcc-qcom.c b/drivers/soc/qcom/llcc-qcom.c index 32c3bc887cefb87c296e3ba67a730c87fa2fa346..1560db00a01248197e5c2936e785a5ea77f74ad8 100644 --- a/drivers/soc/qcom/llcc-qcom.c +++ b/drivers/soc/qcom/llcc-qcom.c @@ -2997,20 +2997,21 @@ static const struct llcc_slice_config x1e80100_data[] = { .bonus_ways = 0xfff, .cache_mode = 0, }, { .usecase_id = LLCC_WRCACHE, .slice_id = 31, .max_cap = 1024, .priority = 1, .fixed_size = true, .bonus_ways = 0xfff, .cache_mode = 0, + .activate_on_init = true, }, { .usecase_id = LLCC_CAMEXP0, .slice_id = 4, .max_cap = 256, .priority = 4, .fixed_size = true, .bonus_ways = 0x3, .cache_mode = 0, }, { .usecase_id = LLCC_CAMEXP1, --- base-commit: 3e42dc9229c5950e84b1ed705f94ed75ed208228 change-id: 20241207-topic-llcc_x1e_wrcache-647070e2d130 Best regards, -- Konrad Dybcio <konrad.dybcio(a)oss.qualcomm.com>

10 months, 2 weeks

3
2
0 0

[PATCH 6.1.y] net/mlx5e: Don't call cleanup on profile rollback failure

by jianqi.ren.cn＠windriver.com

From: Cosmin Ratiu <cratiu(a)nvidia.com> [ Upstream commit 4dbc1d1a9f39c3711ad2a40addca04d07d9ab5d0 ] When profile rollback fails in mlx5e_netdev_change_profile, the netdev profile var is left set to NULL. Avoid a crash when unloading the driver by not calling profile->cleanup in such a case. This was encountered while testing, with the original trigger that the wq rescuer thread creation got interrupted (presumably due to Ctrl+C-ing modprobe), which gets converted to ENOMEM (-12) by mlx5e_priv_init, the profile rollback also fails for the same reason (signal still active) so the profile is left as NULL, leading to a crash later in _mlx5e_remove. [ 732.473932] mlx5_core 0000:08:00.1: E-Switch: Unload vfs: mode(OFFLOADS), nvfs(2), necvfs(0), active vports(2) [ 734.525513] workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR [ 734.557372] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init failed, err=-12 [ 734.559187] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: new profile init failed, -12 [ 734.560153] workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR [ 734.589378] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init failed, err=-12 [ 734.591136] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12 [ 745.537492] BUG: kernel NULL pointer dereference, address: 0000000000000008 [ 745.538222] #PF: supervisor read access in kernel mode <snipped> [ 745.551290] Call Trace: [ 745.551590] <TASK> [ 745.551866] ? __die+0x20/0x60 [ 745.552218] ? page_fault_oops+0x150/0x400 [ 745.555307] ? exc_page_fault+0x79/0x240 [ 745.555729] ? asm_exc_page_fault+0x22/0x30 [ 745.556166] ? mlx5e_remove+0x6b/0xb0 [mlx5_core] [ 745.556698] auxiliary_bus_remove+0x18/0x30 [ 745.557134] device_release_driver_internal+0x1df/0x240 [ 745.557654] bus_remove_device+0xd7/0x140 [ 745.558075] device_del+0x15b/0x3c0 [ 745.558456] mlx5_rescan_drivers_locked.part.0+0xb1/0x2f0 [mlx5_core] [ 745.559112] mlx5_unregister_device+0x34/0x50 [mlx5_core] [ 745.559686] mlx5_uninit_one+0x46/0xf0 [mlx5_core] [ 745.560203] remove_one+0x4e/0xd0 [mlx5_core] [ 745.560694] pci_device_remove+0x39/0xa0 [ 745.561112] device_release_driver_internal+0x1df/0x240 [ 745.561631] driver_detach+0x47/0x90 [ 745.562022] bus_remove_driver+0x84/0x100 [ 745.562444] pci_unregister_driver+0x3b/0x90 [ 745.562890] mlx5_cleanup+0xc/0x1b [mlx5_core] [ 745.563415] __x64_sys_delete_module+0x14d/0x2f0 [ 745.563886] ? kmem_cache_free+0x1b0/0x460 [ 745.564313] ? lockdep_hardirqs_on_prepare+0xe2/0x190 [ 745.564825] do_syscall_64+0x6d/0x140 [ 745.565223] entry_SYSCALL_64_after_hwframe+0x4b/0x53 [ 745.565725] RIP: 0033:0x7f1579b1288b Fixes: 3ef14e463f6e ("net/mlx5e: Separate between netdev objects and mlx5e profiles initialization") Signed-off-by: Cosmin Ratiu <cratiu(a)nvidia.com> Reviewed-by: Dragos Tatulea <dtatulea(a)nvidia.com> Signed-off-by: Tariq Toukan <tariqt(a)nvidia.com> Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com> --- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c index 385904502a6b..8ee6a81b42b4 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c @@ -5980,7 +5980,9 @@ static void mlx5e_remove(struct auxiliary_device *adev) mlx5e_dcbnl_delete_app(priv); unregister_netdev(priv->netdev); mlx5e_suspend(adev, state); - priv->profile->cleanup(priv); + /* Avoid cleanup if profile rollback failed. */ + if (priv->profile) + priv->profile->cleanup(priv); mlx5e_devlink_port_unregister(priv); mlx5e_destroy_netdev(priv); } -- 2.25.1

10 months, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] epoll: Add synchronous wakeup support for ep_poll_callback" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 900bbaae67e980945dec74d36f8afe0de7556d5a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122326-viscous-dreaded-d15d@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 900bbaae67e980945dec74d36f8afe0de7556d5a Mon Sep 17 00:00:00 2001 From: Xuewen Yan <xuewen.yan(a)unisoc.com> Date: Fri, 26 Apr 2024 16:05:48 +0800 Subject: [PATCH] epoll: Add synchronous wakeup support for ep_poll_callback Now, the epoll only use wake_up() interface to wake up task. However, sometimes, there are epoll users which want to use the synchronous wakeup flag to hint the scheduler, such as Android binder driver. So add a wake_up_sync() define, and use the wake_up_sync() when the sync is true in ep_poll_callback(). Co-developed-by: Jing Xia <jing.xia(a)unisoc.com> Signed-off-by: Jing Xia <jing.xia(a)unisoc.com> Signed-off-by: Xuewen Yan <xuewen.yan(a)unisoc.com> Link: https://lore.kernel.org/r/20240426080548.8203-1-xuewen.yan@unisoc.com Tested-by: Brian Geffon <bgeffon(a)google.com> Reviewed-by: Brian Geffon <bgeffon(a)google.com> Reported-by: Benoit Lize <lizeb(a)google.com> Signed-off-by: Christian Brauner <brauner(a)kernel.org> diff --git a/fs/eventpoll.c b/fs/eventpoll.c index 90fbab6b6f03..1a06e462b6ef 100644 --- a/fs/eventpoll.c +++ b/fs/eventpoll.c @@ -1373,7 +1373,10 @@ static int ep_poll_callback(wait_queue_entry_t *wait, unsigned mode, int sync, v break; } } - wake_up(&ep->wq); + if (sync) + wake_up_sync(&ep->wq); + else + wake_up(&ep->wq); } if (waitqueue_active(&ep->poll_wait)) pwake++; diff --git a/include/linux/wait.h b/include/linux/wait.h index 8aa3372f21a0..2b322a9b88a2 100644 --- a/include/linux/wait.h +++ b/include/linux/wait.h @@ -221,6 +221,7 @@ void __wake_up_pollfree(struct wait_queue_head *wq_head); #define wake_up_all(x) __wake_up(x, TASK_NORMAL, 0, NULL) #define wake_up_locked(x) __wake_up_locked((x), TASK_NORMAL, 1) #define wake_up_all_locked(x) __wake_up_locked((x), TASK_NORMAL, 0) +#define wake_up_sync(x) __wake_up_sync(x, TASK_NORMAL) #define wake_up_interruptible(x) __wake_up(x, TASK_INTERRUPTIBLE, 1, NULL) #define wake_up_interruptible_nr(x, nr) __wake_up(x, TASK_INTERRUPTIBLE, nr, NULL)

10 months, 2 weeks

4
5
0 0

[PATCH 5.10/5.15 1/1] smb: client: fix use-after-free bug in cifs_debug_data_proc_show()

by d.privalov

From: Paulo Alcantara <pc(a)manguebit.com> commit d328c09ee9f15ee5a26431f5aad7c9239fa85e62 upstream. Skip SMB sessions that are being teared down (e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show() to avoid use-after-free in @ses. This fixes the following GPF when reading from /proc/fs/cifs/DebugData while mounting and umounting [ 816.251274] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI ... [ 816.260138] Call Trace: [ 816.260329] <TASK> [ 816.260499] ? die_addr+0x36/0x90м [ 816.260762] ? exc_general_protection+0x1b3/0x410 [ 816.261126] ? asm_exc_general_protection+0x26/0x30 [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs] [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs] [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs] [ 816.262689] ? seq_read_iter+0x379/0x470 [ 816.262995] seq_read_iter+0x118/0x470 [ 816.263291] proc_reg_read_iter+0x53/0x90 [ 816.263596] ? srso_alias_return_thunk+0x5/0x7f [ 816.263945] vfs_read+0x201/0x350 [ 816.264211] ksys_read+0x75/0x100 [ 816.264472] do_syscall_64+0x3f/0x90 [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 816.265135] RIP: 0033:0x7fd5e669d381 Cc: stable(a)vger.kernel.org Signed-off-by: Paulo Alcantara (SUSE) <pc(a)manguebit.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> [d.privalov: Adapt checking status ses->ses_status to use global lock GlobalMid_Lock] Signed-off-by: Dmitriy Privalov <d.privalov(a)omp.ru> --- fs/cifs/cifs_debug.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c index 53588d7517b4..c094f44fbbde 100644 --- a/fs/cifs/cifs_debug.c +++ b/fs/cifs/cifs_debug.c @@ -356,6 +356,11 @@ static int cifs_debug_data_proc_show(struct seq_file *m, void *v) list_for_each(tmp2, &server->smb_ses_list) { ses = list_entry(tmp2, struct cifs_ses, smb_ses_list); + spin_lock(&GlobalMid_Lock); + if (ses->status == CifsExiting) { + spin_unlock(&GlobalMid_Lock); + continue; + } if ((ses->serverDomain == NULL) || (ses->serverOS == NULL) || (ses->serverNOS == NULL)) { @@ -375,6 +380,7 @@ static int cifs_debug_data_proc_show(struct seq_file *m, void *v) ses->capabilities, ses->status); } + spin_unlock(&GlobalMid_Lock); seq_printf(m,"Security type: %s\n", get_security_type_str(server->ops->select_sectype(server, ses->sectype))); -- 2.34.1

10 months, 2 weeks

2
1
0 0

[PATCH v2 0/2] riscv/ptrace: add new regset to access original a0 register

by Celeste Liu

The orig_a0 is missing in struct user_regs_struct of riscv, and there is no way to add it without breaking UAPI. (See Link tag below) Like NT_ARM_SYSTEM_CALL do, we add a new regset name NT_RISCV_ORIG_A0 to access original a0 register from userspace via ptrace API. Link: https://lore.kernel.org/all/59505464-c84a-403d-972f-d4b2055eeaac@gmail.com/ Signed-off-by: Celeste Liu <uwu(a)coelacanthus.name> --- Changes in v2: - Fix integer width. - Add selftest. - Link to v1: https://lore.kernel.org/r/20241201-riscv-new-regset-v1-1-c83c58abcc7b@coela… --- Celeste Liu (1): riscv/ptrace: add new regset to access original a0 register Charlie Jenkins (1): riscv: selftests: Add a ptrace test to verify syscall parameter modification arch/riscv/kernel/ptrace.c | 32 +++++++ include/uapi/linux/elf.h | 1 + tools/testing/selftests/riscv/abi/.gitignore | 1 + tools/testing/selftests/riscv/abi/Makefile | 5 +- tools/testing/selftests/riscv/abi/ptrace.c | 134 +++++++++++++++++++++++++++ 5 files changed, 172 insertions(+), 1 deletion(-) --- base-commit: 0e287d31b62bb53ad81d5e59778384a40f8b6f56 change-id: 20241201-riscv-new-regset-d529b952ad0d Best regards, -- Celeste Liu <uwu(a)coelacanthus.name>

10 months, 2 weeks

5
10
0 0

[PATCH v4 0/2] riscv/ptrace: add new regset to access original a0 register

by Celeste Liu

The orig_a0 is missing in struct user_regs_struct of riscv, and there is no way to add it without breaking UAPI. (See Link tag below) Like NT_ARM_SYSTEM_CALL do, we add a new regset name NT_RISCV_ORIG_A0 to access original a0 register from userspace via ptrace API. Link: https://lore.kernel.org/all/59505464-c84a-403d-972f-d4b2055eeaac@gmail.com/ Signed-off-by: Celeste Liu <uwu(a)coelacanthus.name> --- Changes in v4: - Fix a copy paste error in selftest. (Forget to commit...) - Link to v3: https://lore.kernel.org/r/20241226-riscv-new-regset-v3-0-f5b96465826b@coela… Changes in v3: - Use return 0 directly for readability. - Fix test for modify a0. - Add Fixes: tag - Remove useless Cc: stable. - Selftest will check both a0 and orig_a0, but depends on the correctness of PTRACE_GET_SYSCALL_INFO. - Link to v2: https://lore.kernel.org/r/20241203-riscv-new-regset-v2-0-d37da8c0cba6@coela… Changes in v2: - Fix integer width. - Add selftest. - Link to v1: https://lore.kernel.org/r/20241201-riscv-new-regset-v1-1-c83c58abcc7b@coela… --- Celeste Liu (2): riscv/ptrace: add new regset to access original a0 register riscv: selftests: Add a ptrace test to verify syscall parameter modification arch/riscv/kernel/ptrace.c | 32 ++++++ include/uapi/linux/elf.h | 1 + tools/testing/selftests/riscv/abi/.gitignore | 1 + tools/testing/selftests/riscv/abi/Makefile | 5 +- tools/testing/selftests/riscv/abi/ptrace.c | 151 +++++++++++++++++++++++++++ 5 files changed, 189 insertions(+), 1 deletion(-) --- base-commit: 0e287d31b62bb53ad81d5e59778384a40f8b6f56 change-id: 20241201-riscv-new-regset-d529b952ad0d Best regards, -- Celeste Liu <uwu(a)coelacanthus.name>

10 months, 2 weeks

1
1
0 0

[PATCH v3 0/2] riscv/ptrace: add new regset to access original a0 register

by Celeste Liu

The orig_a0 is missing in struct user_regs_struct of riscv, and there is no way to add it without breaking UAPI. (See Link tag below) Like NT_ARM_SYSTEM_CALL do, we add a new regset name NT_RISCV_ORIG_A0 to access original a0 register from userspace via ptrace API. Link: https://lore.kernel.org/all/59505464-c84a-403d-972f-d4b2055eeaac@gmail.com/ Signed-off-by: Celeste Liu <uwu(a)coelacanthus.name> --- Changes in v3: - Use return 0 directly for readability. - Fix test for modify a0. - Add Fixes: tag - Remove useless Cc: stable. - Selftest will check both a0 and orig_a0, but depends on the correctness of PTRACE_GET_SYSCALL_INFO. - Link to v2: https://lore.kernel.org/r/20241203-riscv-new-regset-v2-0-d37da8c0cba6@coela… Changes in v2: - Fix integer width. - Add selftest. - Link to v1: https://lore.kernel.org/r/20241201-riscv-new-regset-v1-1-c83c58abcc7b@coela… --- Celeste Liu (2): riscv/ptrace: add new regset to access original a0 register riscv: selftests: Add a ptrace test to verify syscall parameter modification arch/riscv/kernel/ptrace.c | 32 ++++++ include/uapi/linux/elf.h | 1 + tools/testing/selftests/riscv/abi/.gitignore | 1 + tools/testing/selftests/riscv/abi/Makefile | 5 +- tools/testing/selftests/riscv/abi/ptrace.c | 151 +++++++++++++++++++++++++++ 5 files changed, 189 insertions(+), 1 deletion(-) --- base-commit: 0e287d31b62bb53ad81d5e59778384a40f8b6f56 change-id: 20241201-riscv-new-regset-d529b952ad0d Best regards, -- Celeste Liu <uwu(a)coelacanthus.name>

10 months, 2 weeks

1
1
0 0

Re: [PATCH 1/2] NFSv4.0: Fix the wake up of the next waiter in nfs_release_seqid()

by Sasha Levin

[ Sasha's backport helper bot ] Hi, Found matching upstream commit: c968fd23c68e9929ab6cad4faffc8ea603e98e5d WARNING: Author mismatch between patch and found commit: Backport author: trondmy(a)kernel.org Commit author: Trond Myklebust <trond.myklebust(a)hammerspace.com> Status in newer kernel trees: 6.12.y | Not found Note: The patch differs from the upstream commit: --- 1: c968fd23c68e ! 1: 4b6aa0b050af NFSv4.0: Fix the wake up of the next waiter in nfs_release_seqid() @@ Commit message seqid being removed is at the head of the list, and so is relinquishing control of the sequence counter to the next entry. - Reviewed-by: Yang Erkun <yangerkun(a)huawei.com> Signed-off-by: Trond Myklebust <trond.myklebust(a)hammerspace.com> ## fs/nfs/nfs4state.c ## --- Results of testing on various branches: | Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-6.12.y | Success | Success | | stable/linux-6.6.y | Success | Success | | stable/linux-6.1.y | Success | Success | | stable/linux-5.15.y | Success | Success | | stable/linux-5.10.y | Success | Success | | stable/linux-5.4.y | Success | Success |

10 months, 2 weeks

1
0
0 0

[PATCH 6.6] sched/task_stack: fix object_is_on_stack() for KASAN tagged pointers

by Wenshan Lan

From: Qun-Wei Lin <qun-wei.lin(a)mediatek.com> [ Upstream commit fd7b4f9f46d46acbc7af3a439bb0d869efdc5c58 ] When CONFIG_KASAN_SW_TAGS and CONFIG_KASAN_STACK are enabled, the object_is_on_stack() function may produce incorrect results due to the presence of tags in the obj pointer, while the stack pointer does not have tags. This discrepancy can lead to incorrect stack object detection and subsequently trigger warnings if CONFIG_DEBUG_OBJECTS is also enabled. Example of the warning: ODEBUG: object 3eff800082ea7bb0 is NOT on stack ffff800082ea0000, but annotated. ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1 at lib/debugobjects.c:557 __debug_object_init+0x330/0x364 Modules linked in: CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-rc5 #4 Hardware name: linux,dummy-virt (DT) pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __debug_object_init+0x330/0x364 lr : __debug_object_init+0x330/0x364 sp : ffff800082ea7b40 x29: ffff800082ea7b40 x28: 98ff0000c0164518 x27: 98ff0000c0164534 x26: ffff800082d93ec8 x25: 0000000000000001 x24: 1cff0000c00172a0 x23: 0000000000000000 x22: ffff800082d93ed0 x21: ffff800081a24418 x20: 3eff800082ea7bb0 x19: efff800000000000 x18: 0000000000000000 x17: 00000000000000ff x16: 0000000000000047 x15: 206b63617473206e x14: 0000000000000018 x13: ffff800082ea7780 x12: 0ffff800082ea78e x11: 0ffff800082ea790 x10: 0ffff800082ea79d x9 : 34d77febe173e800 x8 : 34d77febe173e800 x7 : 0000000000000001 x6 : 0000000000000001 x5 : feff800082ea74b8 x4 : ffff800082870a90 x3 : ffff80008018d3c4 x2 : 0000000000000001 x1 : ffff800082858810 x0 : 0000000000000050 Call trace: __debug_object_init+0x330/0x364 debug_object_init_on_stack+0x30/0x3c schedule_hrtimeout_range_clock+0xac/0x26c schedule_hrtimeout+0x1c/0x30 wait_task_inactive+0x1d4/0x25c kthread_bind_mask+0x28/0x98 init_rescuer+0x1e8/0x280 workqueue_init+0x1a0/0x3cc kernel_init_freeable+0x118/0x200 kernel_init+0x28/0x1f0 ret_from_fork+0x10/0x20 ---[ end trace 0000000000000000 ]--- ODEBUG: object 3eff800082ea7bb0 is NOT on stack ffff800082ea0000, but annotated. ------------[ cut here ]------------ Link: https://lkml.kernel.org/r/20241113042544.19095-1-qun-wei.lin@mediatek.com Signed-off-by: Qun-Wei Lin <qun-wei.lin(a)mediatek.com> Cc: Andrew Yang <andrew.yang(a)mediatek.com> Cc: AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> Cc: Casper Li <casper.li(a)mediatek.com> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Chinwen Chang <chinwen.chang(a)mediatek.com> Cc: Kent Overstreet <kent.overstreet(a)linux.dev> Cc: Matthias Brugger <matthias.bgg(a)gmail.com> Cc: Pasha Tatashin <pasha.tatashin(a)soleen.com> Cc: Shakeel Butt <shakeel.butt(a)linux.dev> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> [ Resolve line conflicts ] Signed-off-by: Wenshan Lan <jetlan9(a)163.com> --- include/linux/sched/task_stack.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/linux/sched/task_stack.h b/include/linux/sched/task_stack.h index f158b025c175..d2117e1c8fa5 100644 --- a/include/linux/sched/task_stack.h +++ b/include/linux/sched/task_stack.h @@ -8,6 +8,7 @@ #include <linux/sched.h> #include <linux/magic.h> +#include <linux/kasan.h> #ifdef CONFIG_THREAD_INFO_IN_TASK @@ -88,6 +89,7 @@ static inline int object_is_on_stack(const void *obj) { void *stack = task_stack_page(current); + obj = kasan_reset_tag(obj); return (obj >= stack) && (obj < (stack + THREAD_SIZE)); } -- 2.43.0

10 months, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] drm/amdgpu: Handle NULL bo->tbo.resource (again) in" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 85230ee36d88e7a09fb062d43203035659dd10a5 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122229-excusable-sample-91cf@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 85230ee36d88e7a09fb062d43203035659dd10a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <mdaenzer(a)redhat.com> Date: Tue, 17 Dec 2024 18:22:56 +0100 Subject: [PATCH] drm/amdgpu: Handle NULL bo->tbo.resource (again) in amdgpu_vm_bo_update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Third time's the charm, I hope? Fixes: d3116756a710 ("drm/ttm: rename bo->mem and make it a pointer") Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3837 Reviewed-by: Christian König <christian.koenig(a)amd.com> Signed-off-by: Michel Dänzer <mdaenzer(a)redhat.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit 695c2c745e5dff201b75da8a1d237ce403600d04) Cc: stable(a)vger.kernel.org diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c index ddd7f05e4db9..c9c48b782ec1 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c @@ -1266,10 +1266,9 @@ int amdgpu_vm_bo_update(struct amdgpu_device *adev, struct amdgpu_bo_va *bo_va, * next command submission. */ if (amdgpu_vm_is_bo_always_valid(vm, bo)) { - uint32_t mem_type = bo->tbo.resource->mem_type; - - if (!(bo->preferred_domains & - amdgpu_mem_type_to_domain(mem_type))) + if (bo->tbo.resource && + !(bo->preferred_domains & + amdgpu_mem_type_to_domain(bo->tbo.resource->mem_type))) amdgpu_vm_bo_evicted(&bo_va->base); else amdgpu_vm_bo_idle(&bo_va->base);

10 months, 2 weeks

3
2
0 0

[PATCH 6.1/6.6] MIPS: mipsregs: Set proper ISA level for virt extensions

by WangYuli

From: Jiaxun Yang <jiaxun.yang(a)flygoat.com> [ Upstream commit a640d6762a7d404644201ebf6d2a078e8dc84f97 ] c994a3ec7ecc ("MIPS: set mips32r5 for virt extensions") setted some instructions in virt extensions to ISA level mips32r5. However TLB related vz instructions was leftover, also this shouldn't be done to a R5 or R6 kernel buid. Reorg macros to set ISA level as needed when _ASM_SET_VIRT is called. Signed-off-by: Jiaxun Yang <jiaxun.yang(a)flygoat.com> Signed-off-by: Thomas Bogendoerfer <tsbogend(a)alpha.franken.de> Signed-off-by: WangYuli <wangyuli(a)uniontech.com> --- arch/mips/include/asm/mipsregs.h | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/arch/mips/include/asm/mipsregs.h b/arch/mips/include/asm/mipsregs.h index 2d53704d9f24..e959a6b1a325 100644 --- a/arch/mips/include/asm/mipsregs.h +++ b/arch/mips/include/asm/mipsregs.h @@ -2078,7 +2078,14 @@ do { \ _ASM_INSN_IF_MIPS(0x4200000c) \ _ASM_INSN32_IF_MM(0x0000517c) #else /* !TOOLCHAIN_SUPPORTS_VIRT */ -#define _ASM_SET_VIRT ".set\tvirt\n\t" +#if MIPS_ISA_REV >= 5 +#define _ASM_SET_VIRT_ISA +#elif defined(CONFIG_64BIT) +#define _ASM_SET_VIRT_ISA ".set\tmips64r5\n\t" +#else +#define _ASM_SET_VIRT_ISA ".set\tmips32r5\n\t" +#endif +#define _ASM_SET_VIRT _ASM_SET_VIRT_ISA ".set\tvirt\n\t" #define _ASM_SET_MFGC0 _ASM_SET_VIRT #define _ASM_SET_DMFGC0 _ASM_SET_VIRT #define _ASM_SET_MTGC0 _ASM_SET_VIRT @@ -2099,7 +2106,6 @@ do { \ ({ int __res; \ __asm__ __volatile__( \ ".set\tpush\n\t" \ - ".set\tmips32r5\n\t" \ _ASM_SET_MFGC0 \ "mfgc0\t%0, " #source ", %1\n\t" \ _ASM_UNSET_MFGC0 \ @@ -2113,7 +2119,6 @@ do { \ ({ unsigned long long __res; \ __asm__ __volatile__( \ ".set\tpush\n\t" \ - ".set\tmips64r5\n\t" \ _ASM_SET_DMFGC0 \ "dmfgc0\t%0, " #source ", %1\n\t" \ _ASM_UNSET_DMFGC0 \ @@ -2127,7 +2132,6 @@ do { \ do { \ __asm__ __volatile__( \ ".set\tpush\n\t" \ - ".set\tmips32r5\n\t" \ _ASM_SET_MTGC0 \ "mtgc0\t%z0, " #register ", %1\n\t" \ _ASM_UNSET_MTGC0 \ @@ -2140,7 +2144,6 @@ do { \ do { \ __asm__ __volatile__( \ ".set\tpush\n\t" \ - ".set\tmips64r5\n\t" \ _ASM_SET_DMTGC0 \ "dmtgc0\t%z0, " #register ", %1\n\t" \ _ASM_UNSET_DMTGC0 \ -- 2.47.1

10 months, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] vmalloc: fix accounting with i915" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x a2e740e216f5bf49ccb83b6d490c72a340558a43 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122300-utensil-parsnip-aaf2@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a2e740e216f5bf49ccb83b6d490c72a340558a43 Mon Sep 17 00:00:00 2001 From: "Matthew Wilcox (Oracle)" <willy(a)infradead.org> Date: Wed, 11 Dec 2024 20:25:37 +0000 Subject: [PATCH] vmalloc: fix accounting with i915 If the caller of vmap() specifies VM_MAP_PUT_PAGES (currently only the i915 driver), we will decrement nr_vmalloc_pages and MEMCG_VMALLOC in vfree(). These counters are incremented by vmalloc() but not by vmap() so this will cause an underflow. Check the VM_MAP_PUT_PAGES flag before decrementing either counter. Link: https://lkml.kernel.org/r/20241211202538.168311-1-willy@infradead.org Fixes: b944afc9d64d ("mm: add a VM_MAP_PUT_PAGES flag for vmap") Signed-off-by: Matthew Wilcox (Oracle) <willy(a)infradead.org> Acked-by: Johannes Weiner <hannes(a)cmpxchg.org> Reviewed-by: Shakeel Butt <shakeel.butt(a)linux.dev> Reviewed-by: Balbir Singh <balbirs(a)nvidia.com> Acked-by: Michal Hocko <mhocko(a)suse.com> Cc: Christoph Hellwig <hch(a)lst.de> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Roman Gushchin <roman.gushchin(a)linux.dev> Cc: "Uladzislau Rezki (Sony)" <urezki(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/vmalloc.c b/mm/vmalloc.c index f009b21705c1..5c88d0e90c20 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c @@ -3374,7 +3374,8 @@ void vfree(const void *addr) struct page *page = vm->pages[i]; BUG_ON(!page); - mod_memcg_page_state(page, MEMCG_VMALLOC, -1); + if (!(vm->flags & VM_MAP_PUT_PAGES)) + mod_memcg_page_state(page, MEMCG_VMALLOC, -1); /* * High-order allocs for huge vmallocs are split, so * can be freed as an array of order-0 allocations @@ -3382,7 +3383,8 @@ void vfree(const void *addr) __free_page(page); cond_resched(); } - atomic_long_sub(vm->nr_pages, &nr_vmalloc_pages); + if (!(vm->flags & VM_MAP_PUT_PAGES)) + atomic_long_sub(vm->nr_pages, &nr_vmalloc_pages); kvfree(vm->pages); kfree(vm); }

10 months, 2 weeks

3
2
0 0

Re: [PATCH 2/2] NFSv4.0: Fix a use-after-free problem in the asynchronous open()

by Sasha Levin

[ Sasha's backport helper bot ] Hi, Found matching upstream commit: 2fdb05dc0931250574f0cb0ebeb5ed8e20f4a889 WARNING: Author mismatch between patch and found commit: Backport author: trondmy(a)kernel.org Commit author: Trond Myklebust <trond.myklebust(a)hammerspace.com> Status in newer kernel trees: 6.12.y | Present (different SHA1: b56ae8e71555) Note: The patch differs from the upstream commit: --- Failed to apply patch cleanly, falling back to interdiff... --- Results of testing on various branches: | Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-6.12.y | Failed | N/A | | stable/linux-6.6.y | Failed | N/A | | stable/linux-6.1.y | Failed | N/A | | stable/linux-5.15.y | Failed | N/A | | stable/linux-5.10.y | Failed | N/A | | stable/linux-5.4.y | Failed | N/A |

10 months, 2 weeks

1
0
0 0

Повідомлення від ТОВ Нова Пошта

by Нова Пошта

Доброго дня, між ТОВ «Нова Пошта» та Вашою організацією за укладеним договором № 676131925 організувалася заборгованість у розмірі 64887 гр. , яка до сьогодні не була погашена Вашою організацією. У разі не погашення заборгованості до 27.12.2024, ми будемо змушені звернутися до суду для стягнення з Вашої організації боргу в судовому порядку. Додаток надсилаю копію передсудової претензії, та оновлений рахунок на оплату послуг. З повагою, Відділ досудового врегулювання, ТОВ «Нова Пошта» corp.com(a)novaposhta.ua 044-32-30-222

10 months, 2 weeks

1
0
0 0

Re: [PATCH 1/2] NFSv4.0: Fix the wake up of the next waiter in nfs_release_seqid()

by yangerkun

You need cc stable. 在 2024/12/25 10:50, Li Lingfeng 写道: > Hi, I noticed that [PATCH 2] has been applied to the stable, but [PATCH 1] > has not. > Based on 6.6 where [PATCH 2] was merged, I can still reproduce the > original issue, and [PATCH 1] needs to be applied as well to resolve it. > It may be better to push [PATCH 1] to the stable as well. > Thanks. > > 在 2024/11/9 6:13, trondmy(a)kernel.org 写道: >> From: Trond Myklebust <trond.myklebust(a)hammerspace.com> >> >> There is no need to wake up another waiter on the seqid list unless the >> seqid being removed is at the head of the list, and so is relinquishing >> control of the sequence counter to the next entry. >> >> Signed-off-by: Trond Myklebust <trond.myklebust(a)hammerspace.com> >> --- >> fs/nfs/nfs4state.c | 10 ++++------ >> 1 file changed, 4 insertions(+), 6 deletions(-) >> >> diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c >> index dafd61186557..9a9f60a2291b 100644 >> --- a/fs/nfs/nfs4state.c >> +++ b/fs/nfs/nfs4state.c >> @@ -1083,14 +1083,12 @@ void nfs_release_seqid(struct nfs_seqid *seqid) >> return; >> sequence = seqid->sequence; >> spin_lock(&sequence->lock); >> - list_del_init(&seqid->list); >> - if (!list_empty(&sequence->list)) { >> - struct nfs_seqid *next; >> - >> - next = list_first_entry(&sequence->list, >> - struct nfs_seqid, list); >> + if (list_is_first(&seqid->list, &sequence->list) && >> + !list_is_singular(&sequence->list)) { >> + struct nfs_seqid *next = list_next_entry(seqid, list); >> rpc_wake_up_queued_task(&sequence->wait, next->task); >> } >> + list_del_init(&seqid->list); >> spin_unlock(&sequence->lock); >> }

10 months, 2 weeks

1
0
0 0

[for-linus][PATCH 2/2] tracing: Prevent bad count for tracing_cpumask_write

by Steven Rostedt

From: Lizhi Xu <lizhi.xu(a)windriver.com> If a large count is provided, it will trigger a warning in bitmap_parse_user. Also check zero for it. Cc: stable(a)vger.kernel.org Fixes: 9e01c1b74c953 ("cpumask: convert kernel trace functions") Link: https://lore.kernel.org/20241216073238.2573704-1-lizhi.xu@windriver.com Reported-by: syzbot+0aecfd34fb878546f3fd(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=0aecfd34fb878546f3fd Tested-by: syzbot+0aecfd34fb878546f3fd(a)syzkaller.appspotmail.com Signed-off-by: Lizhi Xu <lizhi.xu(a)windriver.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/trace.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index 957f941a08e7..f8aebcb01e62 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -5087,6 +5087,9 @@ tracing_cpumask_write(struct file *filp, const char __user *ubuf, cpumask_var_t tracing_cpumask_new; int err; + if (count == 0 || count > KMALLOC_MAX_SIZE) + return -EINVAL; + if (!zalloc_cpumask_var(&tracing_cpumask_new, GFP_KERNEL)) return -ENOMEM; -- 2.45.2

10 months, 2 weeks

1
0
0 0

[for-linus][PATCH 1/2] tracing: Constify string literal data member in struct trace_event_call

by Steven Rostedt

From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones(a)googlemail.com> The name member of the struct trace_event_call is assigned with generated string literals; declare them pointer to read-only. Reported by clang: security/landlock/syscalls.c:179:1: warning: initializing 'char *' with an expression of type 'const char[34]' discards qualifiers [-Wincompatible-pointer-types-discards-qualifiers] 179 | SYSCALL_DEFINE3(landlock_create_ruleset, | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 180 | const struct landlock_ruleset_attr __user *const, attr, | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 181 | const size_t, size, const __u32, flags) | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ./include/linux/syscalls.h:226:36: note: expanded from macro 'SYSCALL_DEFINE3' 226 | #define SYSCALL_DEFINE3(name, ...) SYSCALL_DEFINEx(3, _##name, __VA_ARGS__) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ./include/linux/syscalls.h:234:2: note: expanded from macro 'SYSCALL_DEFINEx' 234 | SYSCALL_METADATA(sname, x, __VA_ARGS__) \ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ./include/linux/syscalls.h:184:2: note: expanded from macro 'SYSCALL_METADATA' 184 | SYSCALL_TRACE_ENTER_EVENT(sname); \ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ./include/linux/syscalls.h:151:30: note: expanded from macro 'SYSCALL_TRACE_ENTER_EVENT' 151 | .name = "sys_enter"#sname, \ | ^~~~~~~~~~~~~~~~~ Cc: stable(a)vger.kernel.org Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: Mickaël Salaün <mic(a)digikod.net> Cc: Günther Noack <gnoack(a)google.com> Cc: Nathan Chancellor <nathan(a)kernel.org> Cc: Nick Desaulniers <ndesaulniers(a)google.com> Cc: Bill Wendling <morbo(a)google.com> Cc: Justin Stitt <justinstitt(a)google.com> Link: https://lore.kernel.org/20241125105028.42807-1-cgoettsche@seltendoof.de Fixes: b77e38aa240c3 ("tracing: add event trace infrastructure") Signed-off-by: Christian Göttsche <cgzones(a)googlemail.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- include/linux/trace_events.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/trace_events.h b/include/linux/trace_events.h index 91b8ffbdfa8c..58ad4ead33fc 100644 --- a/include/linux/trace_events.h +++ b/include/linux/trace_events.h @@ -364,7 +364,7 @@ struct trace_event_call { struct list_head list; struct trace_event_class *class; union { - char *name; + const char *name; /* Set TRACE_EVENT_FL_TRACEPOINT flag when using "tp" */ struct tracepoint *tp; }; -- 2.45.2

10 months, 2 weeks

1
0
0 0

[PATCH] platform/chrome: cros_ec_lpc: fix product identity for early Framework Laptops

by Dustin L. Howett

The product names for the Framework Laptop (12th and 13th Generation Intel Core) are incorrect as of 62be134abf42. Fixes: 62be134abf42 ("platform/chrome: cros_ec_lpc: switch primary DMI data for Framework Laptop") Cc: stable(a)vger.kernel.org # 6.12.x --- Signed-off-by: Dustin L. Howett <dustin(a)howett.net> --- drivers/platform/chrome/cros_ec_lpc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/platform/chrome/cros_ec_lpc.c b/drivers/platform/chrome/cros_ec_lpc.c index 588be75aeca16b6150c12d2811e4c9dfc31b904e..69801ace0496dd9ed31bc3d408c43b96ccb71186 100644 --- a/drivers/platform/chrome/cros_ec_lpc.c +++ b/drivers/platform/chrome/cros_ec_lpc.c @@ -707,7 +707,7 @@ static const struct dmi_system_id cros_ec_lpc_dmi_table[] __initconst = { /* Framework Laptop (12th Gen Intel Core) */ .matches = { DMI_MATCH(DMI_SYS_VENDOR, "Framework"), - DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "12th Gen Intel Core"), + DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Laptop (12th Gen Intel Core)"), }, .driver_data = (void *)&framework_laptop_mec_lpc_driver_data, }, @@ -715,7 +715,7 @@ static const struct dmi_system_id cros_ec_lpc_dmi_table[] __initconst = { /* Framework Laptop (13th Gen Intel Core) */ .matches = { DMI_MATCH(DMI_SYS_VENDOR, "Framework"), - DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "13th Gen Intel Core"), + DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Laptop (13th Gen Intel Core)"), }, .driver_data = (void *)&framework_laptop_mec_lpc_driver_data, }, --- base-commit: a15ab7a5cc2a17b6a803f624fcf215f4e68d56b6 change-id: 20241224-platform-chrome-cros_ec_lpc-fix-product-identity-for-early-framework-laptops-757474281ace Best regards, -- Dustin L. Howett <dustin(a)howett.net>

10 months, 2 weeks

3
2
0 0

[Linux-6.12.y] XEN: CVE-2024-53241 / XSA-466 and Clang-kCFI

by Sedat Dilek

Hi, Linux v6.12.6 will include XEN CVE fixes from mainline. Here, I use Debian/unstable AMD64 and the SLIM LLVM toolchain 19.1.x from kernel.org. What does it mean in ISSUE DESCRIPTION... Furthermore, the hypercall page has no provision for Control-flow Integrity schemes (e.g. kCFI/CET-IBT/FineIBT), and will simply malfunction in such configurations. ...when someone uses Clang-kCFI? My full kernel-config is attached. Thanks in advance. Best regards, -Sedat- https://xenbits.xen.org/xsa/advisory-466.html https://www.phoronix.com/news/Xen-XSA-466-Linux https://mirrors.edge.kernel.org/pub/tools/llvm/files/

10 months, 2 weeks

3
15
0 0

[RESEND PATCH] perf/x86/intel: Fix bitmask of OCR and FRONTEND events for LNC

by kan.liang＠linux.intel.com

From: Kan Liang <kan.liang(a)linux.intel.com> The released OCR and FRONTEND events utilized more bits on Lunar Lake p-core. The corresponding mask in the extra_regs has to be extended to unblock the extra bits. Add a dedicated intel_lnc_extra_regs. Fixes: a932aa0e868f ("perf/x86: Add Lunar Lake and Arrow Lake support") Reported-by: Andi Kleen <ak(a)linux.intel.com> Signed-off-by: Kan Liang <kan.liang(a)linux.intel.com> Cc: stable(a)vger.kernel.org --- arch/x86/events/intel/core.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c index bb284aff7bfd..a347b4323256 100644 --- a/arch/x86/events/intel/core.c +++ b/arch/x86/events/intel/core.c @@ -429,6 +429,16 @@ static struct event_constraint intel_lnc_event_constraints[] = { EVENT_CONSTRAINT_END }; +static struct extra_reg intel_lnc_extra_regs[] __read_mostly = { + INTEL_UEVENT_EXTRA_REG(0x012a, MSR_OFFCORE_RSP_0, 0xfffffffffffull, RSP_0), + INTEL_UEVENT_EXTRA_REG(0x012b, MSR_OFFCORE_RSP_1, 0xfffffffffffull, RSP_1), + INTEL_UEVENT_PEBS_LDLAT_EXTRA_REG(0x01cd), + INTEL_UEVENT_EXTRA_REG(0x02c6, MSR_PEBS_FRONTEND, 0x9, FE), + INTEL_UEVENT_EXTRA_REG(0x03c6, MSR_PEBS_FRONTEND, 0x7fff1f, FE), + INTEL_UEVENT_EXTRA_REG(0x40ad, MSR_PEBS_FRONTEND, 0xf, FE), + INTEL_UEVENT_EXTRA_REG(0x04c2, MSR_PEBS_FRONTEND, 0x8, FE), + EVENT_EXTRA_END +}; EVENT_ATTR_STR(mem-loads, mem_ld_nhm, "event=0x0b,umask=0x10,ldlat=3"); EVENT_ATTR_STR(mem-loads, mem_ld_snb, "event=0xcd,umask=0x1,ldlat=3"); @@ -6422,7 +6432,7 @@ static __always_inline void intel_pmu_init_lnc(struct pmu *pmu) intel_pmu_init_glc(pmu); hybrid(pmu, event_constraints) = intel_lnc_event_constraints; hybrid(pmu, pebs_constraints) = intel_lnc_pebs_event_constraints; - hybrid(pmu, extra_regs) = intel_rwc_extra_regs; + hybrid(pmu, extra_regs) = intel_lnc_extra_regs; } static __always_inline void intel_pmu_init_skt(struct pmu *pmu) -- 2.38.1

10 months, 2 weeks

2
1
0 0

[PATCH v6 0/6] phy: core: Fix bugs for several APIs and simplify an API

by Zijun Hu

This patch series is to fix bugs for below APIs: devm_phy_put() devm_of_phy_provider_unregister() devm_phy_destroy() phy_get() of_phy_get() devm_phy_get() devm_of_phy_get() devm_of_phy_get_by_index() And simplify below API: of_phy_simple_xlate(). Signed-off-by: Zijun Hu <quic_zijuhu(a)quicinc.com> --- Changes in v6: - Use non-error path solution for patch 6/6. - Remove stable tag for both patch 2/6 and 3/6. - Link to v5: https://lore.kernel.org/r/20241106-phy_core_fix-v5-0-9771652eb88c@quicinc.c… Changes in v5: - s/Fixed/Fix s/case/cause for commit message based on Johan's reminder - Remove unrelated change about code style for patch 4/6 suggested by Johan - Link to v4: https://lore.kernel.org/r/20241102-phy_core_fix-v4-0-4f06439f61b1@quicinc.c… Changes in v4: - Correct commit message for patch 6/6 - Link to v3: https://lore.kernel.org/r/20241030-phy_core_fix-v3-0-19b97c3ec917@quicinc.c… Changes in v3: - Correct commit message based on Johan's suggestions for patches 1/6-3/6. - Use goto label solution suggested by Johan for patch 4/6, also correct commit message and remove the inline comment for it. - Link to v2: https://lore.kernel.org/r/20241024-phy_core_fix-v2-0-fc0c63dbfcf3@quicinc.c… Changes in v2: - Correct title, commit message, and inline comments. - Link to v1: https://lore.kernel.org/r/20241020-phy_core_fix-v1-0-078062f7da71@quicinc.c… --- Zijun Hu (6): phy: core: Fix that API devm_phy_put() fails to release the phy phy: core: Fix that API devm_of_phy_provider_unregister() fails to unregister the phy provider phy: core: Fix that API devm_phy_destroy() fails to destroy the phy phy: core: Fix an OF node refcount leakage in _of_phy_get() phy: core: Fix an OF node refcount leakage in of_phy_provider_lookup() phy: core: Simplify API of_phy_simple_xlate() implementation drivers/phy/phy-core.c | 44 +++++++++++++++++++++----------------------- 1 file changed, 21 insertions(+), 23 deletions(-) --- base-commit: 9d23e48654620fdccfcc74cc2cef04eaf7353d07 change-id: 20241020-phy_core_fix-e3ad65db98f7 Best regards, -- Zijun Hu <quic_zijuhu(a)quicinc.com>

10 months, 2 weeks

3
9
0 0

[PATCH] usb: ehci-hcd: fix call balance of clocks handling routines

by Vitalii Mordan

If the clocks priv->iclk and priv->fclk were not enabled in ehci_hcd_sh_probe, they should not be disabled in any path. Conversely, if they was enabled in ehci_hcd_sh_probe, they must be disabled in all error paths to ensure proper cleanup. Found by Linux Verification Center (linuxtesting.org) with Klever. Fixes: 63c845522263 ("usb: ehci-hcd: Add support for SuperH EHCI.") Cc: stable(a)vger.kernel.org # ff30bd6a6618: sh: clk: Fix clk_enable() to return 0 on NULL clk Signed-off-by: Vitalii Mordan <mordan(a)ispras.ru> --- drivers/usb/host/ehci-sh.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/usb/host/ehci-sh.c b/drivers/usb/host/ehci-sh.c index d31d9506e41a..77460aac6dbd 100644 --- a/drivers/usb/host/ehci-sh.c +++ b/drivers/usb/host/ehci-sh.c @@ -119,8 +119,12 @@ static int ehci_hcd_sh_probe(struct platform_device *pdev) if (IS_ERR(priv->iclk)) priv->iclk = NULL; - clk_enable(priv->fclk); - clk_enable(priv->iclk); + ret = clk_enable(priv->fclk); + if (ret) + goto fail_request_resource; + ret = clk_enable(priv->iclk); + if (ret) + goto fail_iclk; ret = usb_add_hcd(hcd, irq, IRQF_SHARED); if (ret != 0) { @@ -136,6 +140,7 @@ static int ehci_hcd_sh_probe(struct platform_device *pdev) fail_add_hcd: clk_disable(priv->iclk); +fail_iclk: clk_disable(priv->fclk); fail_request_resource: -- 2.25.1

10 months, 2 weeks

5
5
0 0

[PATCH v5 0/8] driver core: class: Fix bug and code improvements for class APIs

by Zijun Hu

This patch series is to fix bugs and improve codes regarding various driver core device iterating APIs Signed-off-by: Zijun Hu <quic_zijuhu(a)quicinc.com> --- Changes in v5: - Add comments back and correct tile and commit messages for patch 8/8. - Link to v4: https://lore.kernel.org/r/20241218-class_fix-v4-0-3c40f098356b@quicinc.com Changes in v4: - Squich patches 3-5 into one based on Jonathan and Fan comments. - Add one more patch - Link to v3: https://lore.kernel.org/r/20241212-class_fix-v3-0-04e20c4f0971@quicinc.com Changes in v3: - Correct commit message, add fix tag, and correct pr_crit() message for 1st patch - Add more patches regarding driver core device iterating APIs. - Link to v2: https://lore.kernel.org/r/20241112-class_fix-v2-0-73d198d0a0d5@quicinc.com Changes in v2: - Remove both fix and stable tag for patch 1/3 - drop patch 3/3 - Link to v1: https://lore.kernel.org/r/20241105-class_fix-v1-0-80866f9994a5@quicinc.com --- Zijun Hu (8): driver core: class: Fix wild pointer dereferences in API class_dev_iter_next() blk-cgroup: Fix class @block_class's subsystem refcount leakage driver core: Move true expression out of if condition in 3 device finding APIs driver core: Rename declaration parameter name for API device_find_child() cluster driver core: Correct parameter check for API device_for_each_child_reverse_from() driver core: Correct API device_for_each_child_reverse_from() prototype driver core: Introduce device_iter_t for device iterating APIs driver core: Move two simple APIs for finding child device to header block/blk-cgroup.c | 1 + drivers/base/bus.c | 9 +++++--- drivers/base/class.c | 11 ++++++++-- drivers/base/core.c | 49 +++++++++---------------------------------- drivers/base/driver.c | 9 +++++--- drivers/cxl/core/hdm.c | 2 +- drivers/cxl/core/region.c | 2 +- include/linux/device.h | 46 +++++++++++++++++++++++++++++++--------- include/linux/device/bus.h | 7 +++++-- include/linux/device/class.h | 4 ++-- include/linux/device/driver.h | 2 +- 11 files changed, 78 insertions(+), 64 deletions(-) --- base-commit: 78d4f34e2115b517bcbfe7ec0d018bbbb6f9b0b8 change-id: 20241104-class_fix-f176bd9eba22 prerequisite-change-id: 20241201-const_dfc_done-aaec71e3bbea:v5 prerequisite-patch-id: 536aa56c0d055f644a1f71ab5c88b7cac9510162 prerequisite-patch-id: 39b0cf088c72853d9ce60c9e633ad2070a0278a8 prerequisite-patch-id: 60b22c42b67ad56a3d2a7b80a30ad588cbe740ec prerequisite-patch-id: 119a167d7248481987b5e015db0e4fdb0d6edab8 prerequisite-patch-id: 133248083f3d3c57beb16473c2a4c62b3abc5fd0 prerequisite-patch-id: 4cda541f55165650bfa69fb19cbe0524eff0cb85 prerequisite-patch-id: 2b4193c6ea6370c07e6b66de04be89fb09448f54 prerequisite-patch-id: 73c675db18330c89fd8ca4790914d1d486ce0db8 prerequisite-patch-id: 88c50fc851fd7077797fd4e63fb12966b1b601bd prerequisite-patch-id: 47b93916c1b5fb809d7c99aeaa05c729b1af01c5 prerequisite-patch-id: 5b58c0292ea5a5e37b08e2c8287d94df958128db prerequisite-patch-id: 52ffb42b5aae69cae708332e0ddc7016139999f1 Best regards, -- Zijun Hu <quic_zijuhu(a)quicinc.com>

10 months, 2 weeks

1
1
0 0

[PATCH 0/2] dmaengine: mv_xor: fix child node handling and switch to scoped loop

by Javier Carrasco

This series fixes a wrong handling of the child node within the for_each_child_of_node() by adding the missing calls to of_node_put() to make it compatible with stable kernels that don't provide the scoped variant of the macro, which is more secure and was introduced early this year. The switch to the scoped macro is the next patch, which makes the coe more robust and will avoid such issues in new error paths. Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> --- Javier Carrasco (2): dmaengine: mv_xor: fix child node refcount handling in early exit dmaengine: mv_xor: switch to for_each_child_of_node_scoped() drivers/dma/mv_xor.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- base-commit: d61a00525464bfc5fe92c6ad713350988e492b88 change-id: 20241011-dma_mv_xor_of_node_put-5cc4126746a2 Best regards, -- Javier Carrasco <javier.carrasco.cruz(a)gmail.com>

10 months, 2 weeks

2
2
0 0

[tip: x86/urgent] virt: tdx-guest: Just leak decrypted memory on unrecoverable errors

by tip-bot2 for Li RongQing

The following commit has been merged into the x86/urgent branch of tip: Commit-ID: 10331a93486ffb7b85ceea9da48a37da8cc16bdf Gitweb: https://git.kernel.org/tip/10331a93486ffb7b85ceea9da48a37da8cc16bdf Author: Li RongQing <lirongqing(a)baidu.com> AuthorDate: Wed, 19 Jun 2024 19:18:01 +08:00 Committer: Dave Hansen <dave.hansen(a)linux.intel.com> CommitterDate: Wed, 18 Dec 2024 06:07:55 -08:00 virt: tdx-guest: Just leak decrypted memory on unrecoverable errors In CoCo VMs it is possible for the untrusted host to cause set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. Leak the decrypted memory when set_memory_decrypted() fails, and don't need to print an error since set_memory_decrypted() will call WARN_ONCE(). Fixes: f4738f56d1dc ("virt: tdx-guest: Add Quote generation support using TSM_REPORTS") Signed-off-by: Li RongQing <lirongqing(a)baidu.com> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Reviewed-by: Rick Edgecombe <rick.p.edgecombe(a)intel.com> Reviewed-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/all/20240619111801.25630-1-lirongqing%40baidu.com --- drivers/virt/coco/tdx-guest/tdx-guest.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/drivers/virt/coco/tdx-guest/tdx-guest.c b/drivers/virt/coco/tdx-guest/tdx-guest.c index d7db6c8..224e7dd 100644 --- a/drivers/virt/coco/tdx-guest/tdx-guest.c +++ b/drivers/virt/coco/tdx-guest/tdx-guest.c @@ -124,10 +124,8 @@ static void *alloc_quote_buf(void) if (!addr) return NULL; - if (set_memory_decrypted((unsigned long)addr, count)) { - free_pages_exact(addr, len); + if (set_memory_decrypted((unsigned long)addr, count)) return NULL; - } return addr; }

10 months, 2 weeks

1
0
0 0

[PATCH V5 1/4] perf/x86/intel/ds: Add PEBS format 6

by kan.liang＠linux.intel.com

From: Kan Liang <kan.liang(a)linux.intel.com> The only difference between 5 and 6 is the new counters snapshotting group, without the following counters snapshotting enabling patches, it's impossible to utilize the feature in a PEBS record. It's safe to share the same code path with format 5. Add format 6, so the end user can at least utilize the legacy PEBS features. Fixes: a932aa0e868f ("perf/x86: Add Lunar Lake and Arrow Lake support") Signed-off-by: Kan Liang <kan.liang(a)linux.intel.com> Cc: stable(a)vger.kernel.org --- New patch since V4 arch/x86/events/intel/ds.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/events/intel/ds.c b/arch/x86/events/intel/ds.c index 8dcf90f6fb59..ba74e1198328 100644 --- a/arch/x86/events/intel/ds.c +++ b/arch/x86/events/intel/ds.c @@ -2551,6 +2551,7 @@ void __init intel_ds_init(void) x86_pmu.large_pebs_flags |= PERF_SAMPLE_TIME; break; + case 6: case 5: x86_pmu.pebs_ept = 1; fallthrough; -- 2.38.1

10 months, 2 weeks

2
1
0 0

[PATCH RESEND] phy: Fix error handling in tegra_xusb_port_init

by Ma Ke

The reference count of the device incremented in device_initialize() is not decremented when device_add() fails. Add a put_device() call before returning from the function to decrement reference count for cleanup. Or it could cause memory leak. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 53d2a715c240 ("phy: Add Tegra XUSB pad controller support") Signed-off-by: Ma Ke <make_ruc2021(a)163.com> --- drivers/phy/tegra/xusb.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/phy/tegra/xusb.c b/drivers/phy/tegra/xusb.c index 79d4814d758d..c89df95aa6ca 100644 --- a/drivers/phy/tegra/xusb.c +++ b/drivers/phy/tegra/xusb.c @@ -548,16 +548,16 @@ static int tegra_xusb_port_init(struct tegra_xusb_port *port, err = dev_set_name(&port->dev, "%s-%u", name, index); if (err < 0) - goto unregister; + goto put_device; err = device_add(&port->dev); if (err < 0) - goto unregister; + goto put_device; return 0; -unregister: - device_unregister(&port->dev); +put_device: + put_device(&port->dev); return err; } -- 2.25.1

10 months, 2 weeks

1
0
0 0

[PATCH] usb: gadget: f_fs: Remove WARN_ON in functionfs_bind

by Akash M

This commit addresses an issue related to below kernel panic where panic_on_warn is enabled. It is caused by the unnecessary use of WARN_ON in functionsfs_bind, which easily leads to the following scenarios. 1.adb_write in adbd 2. UDC write via configfs ================= ===================== ->usb_ffs_open_thread() ->UDC write ->open_functionfs() ->configfs_write_iter() ->adb_open() ->gadget_dev_desc_UDC_store() ->adb_write() ->usb_gadget_register_driver_owner ->driver_register() ->StartMonitor() ->bus_add_driver() ->adb_read() ->gadget_bind_driver() <times-out without BIND event> ->configfs_composite_bind() ->usb_add_function() ->open_functionfs() ->ffs_func_bind() ->adb_open() ->functionfs_bind() <ffs->state !=FFS_ACTIVE> The adb_open, adb_read, and adb_write operations are invoked from the daemon, but trying to bind the function is a process that is invoked by UDC write through configfs, which opens up the possibility of a race condition between the two paths. In this race scenario, the kernel panic occurs due to the WARN_ON from functionfs_bind when panic_on_warn is enabled. This commit fixes the kernel panic by removing the unnecessary WARN_ON. Kernel panic - not syncing: kernel: panic_on_warn set ... [ 14.542395] Call trace: [ 14.542464] ffs_func_bind+0x1c8/0x14a8 [ 14.542468] usb_add_function+0xcc/0x1f0 [ 14.542473] configfs_composite_bind+0x468/0x588 [ 14.542478] gadget_bind_driver+0x108/0x27c [ 14.542483] really_probe+0x190/0x374 [ 14.542488] __driver_probe_device+0xa0/0x12c [ 14.542492] driver_probe_device+0x3c/0x220 [ 14.542498] __driver_attach+0x11c/0x1fc [ 14.542502] bus_for_each_dev+0x104/0x160 [ 14.542506] driver_attach+0x24/0x34 [ 14.542510] bus_add_driver+0x154/0x270 [ 14.542514] driver_register+0x68/0x104 [ 14.542518] usb_gadget_register_driver_owner+0x48/0xf4 [ 14.542523] gadget_dev_desc_UDC_store+0xf8/0x144 [ 14.542526] configfs_write_iter+0xf0/0x138 Fixes: ddf8abd25994 ("USB: f_fs: the FunctionFS driver") Cc: stable(a)vger.kernel.org Signed-off-by: Akash M <akash.m5(a)samsung.com> diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c index 2920f8000bbd..92c883440e02 100644 --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -2285,7 +2285,7 @@ static int functionfs_bind(struct ffs_data *ffs, struct usb_composite_dev *cdev) struct usb_gadget_strings **lang; int first_id; - if (WARN_ON(ffs->state != FFS_ACTIVE + if ((ffs->state != FFS_ACTIVE || test_and_set_bit(FFS_FL_BOUND, &ffs->flags))) return -EBADFD; -- 2.17.1

10 months, 2 weeks

3
2
0 0

[PATCH v2] PCI: fix reference leak in pci_alloc_child_bus()

by Ma Ke

When device_register(&child->dev) failed, calling put_device() to explicitly release child->dev. Otherwise, it could cause double free problem. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 4f535093cf8f ("PCI: Put pci_dev in device tree as early as possible") Signed-off-by: Ma Ke <make_ruc2021(a)163.com> --- Changes in v2: - modified the patch as suggestions. --- drivers/pci/probe.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c index 2e81ab0f5a25..a61070ce5f88 100644 --- a/drivers/pci/probe.c +++ b/drivers/pci/probe.c @@ -1174,7 +1174,10 @@ static struct pci_bus *pci_alloc_child_bus(struct pci_bus *parent, add_dev: pci_set_bus_msi_domain(child); ret = device_register(&child->dev); - WARN_ON(ret < 0); + if (WARN_ON(ret < 0)) { + put_device(&child->dev); + return ERR_PTR(ret); + } pcibios_add_bus(child); -- 2.25.1

10 months, 2 weeks

1
0
0 0

[PATCH v2 1/2] HID: hid-plantronics: Add mic mute mapping and generalize quirks

by Wade Wang

From: Terry Junge <linuxhid(a)cosmicgizmosystems.com> Add mapping for headset mute key events. Remove PLT_QUIRK_DOUBLE_VOLUME_KEYS quirk and made it generic. The quirk logic did not keep track of the actual previous key so any key event occurring in less than or equal to 5ms was ignored. Remove PLT_QUIRK_FOLLOWED_OPPOSITE_VOLUME_KEYS quirk. It had the same logic issue as the double key quirk and was actually masking the as designed behavior of most of the headsets. It's occurrence should be minimized with the ALSA control naming quirk that is part of the patch set. Signed-off-by: Terry Junge <linuxhid(a)cosmicgizmosystems.com> Signed-off-by: Wade Wang <wade.wang(a)hp.com> Cc: stable(a)vger.kernel.org --- V1 -> V2: Optimize out 2 macros - no functional changes drivers/hid/hid-plantronics.c | 144 ++++++++++++++++------------------ 1 file changed, 67 insertions(+), 77 deletions(-) diff --git a/drivers/hid/hid-plantronics.c b/drivers/hid/hid-plantronics.c index 25cfd964dc25..acb9eb18f7cc 100644 --- a/drivers/hid/hid-plantronics.c +++ b/drivers/hid/hid-plantronics.c @@ -6,9 +6,6 @@ * Copyright (c) 2015-2018 Terry Junge <terry.junge(a)plantronics.com> */ -/* - */ - #include "hid-ids.h" #include <linux/hid.h> @@ -23,30 +20,28 @@ #define PLT_VOL_UP 0x00b1 #define PLT_VOL_DOWN 0x00b2 +#define PLT_MIC_MUTE 0x00b5 #define PLT1_VOL_UP (PLT_HID_1_0_PAGE | PLT_VOL_UP) #define PLT1_VOL_DOWN (PLT_HID_1_0_PAGE | PLT_VOL_DOWN) +#define PLT1_MIC_MUTE (PLT_HID_1_0_PAGE | PLT_MIC_MUTE) #define PLT2_VOL_UP (PLT_HID_2_0_PAGE | PLT_VOL_UP) #define PLT2_VOL_DOWN (PLT_HID_2_0_PAGE | PLT_VOL_DOWN) +#define PLT2_MIC_MUTE (PLT_HID_2_0_PAGE | PLT_MIC_MUTE) +#define HID_TELEPHONY_MUTE (HID_UP_TELEPHONY | 0x2f) +#define HID_CONSUMER_MUTE (HID_UP_CONSUMER | 0xe2) #define PLT_DA60 0xda60 #define PLT_BT300_MIN 0x0413 #define PLT_BT300_MAX 0x0418 - -#define PLT_ALLOW_CONSUMER (field->application == HID_CP_CONSUMERCONTROL && \ - (usage->hid & HID_USAGE_PAGE) == HID_UP_CONSUMER) - -#define PLT_QUIRK_DOUBLE_VOLUME_KEYS BIT(0) -#define PLT_QUIRK_FOLLOWED_OPPOSITE_VOLUME_KEYS BIT(1) - #define PLT_DOUBLE_KEY_TIMEOUT 5 /* ms */ -#define PLT_FOLLOWED_OPPOSITE_KEY_TIMEOUT 220 /* ms */ struct plt_drv_data { unsigned long device_type; - unsigned long last_volume_key_ts; - u32 quirks; + unsigned long last_key_ts; + unsigned long double_key_to; + __u16 last_key; }; static int plantronics_input_mapping(struct hid_device *hdev, @@ -58,34 +53,43 @@ static int plantronics_input_mapping(struct hid_device *hdev, unsigned short mapped_key; struct plt_drv_data *drv_data = hid_get_drvdata(hdev); unsigned long plt_type = drv_data->device_type; + int allow_mute = usage->hid == HID_TELEPHONY_MUTE; + int allow_consumer = field->application == HID_CP_CONSUMERCONTROL && + (usage->hid & HID_USAGE_PAGE) == HID_UP_CONSUMER && + usage->hid != HID_CONSUMER_MUTE; /* special case for PTT products */ if (field->application == HID_GD_JOYSTICK) goto defaulted; - /* handle volume up/down mapping */ /* non-standard types or multi-HID interfaces - plt_type is PID */ if (!(plt_type & HID_USAGE_PAGE)) { switch (plt_type) { case PLT_DA60: - if (PLT_ALLOW_CONSUMER) + if (allow_consumer) goto defaulted; - goto ignored; + if (usage->hid == HID_CONSUMER_MUTE) { + mapped_key = KEY_MICMUTE; + goto mapped; + } + break; default: - if (PLT_ALLOW_CONSUMER) + if (allow_consumer || allow_mute) goto defaulted; } + goto ignored; } - /* handle standard types - plt_type is 0xffa0uuuu or 0xffa2uuuu */ - /* 'basic telephony compliant' - allow default consumer page map */ - else if ((plt_type & HID_USAGE) >= PLT_BASIC_TELEPHONY && - (plt_type & HID_USAGE) != PLT_BASIC_EXCEPTION) { - if (PLT_ALLOW_CONSUMER) - goto defaulted; - } - /* not 'basic telephony' - apply legacy mapping */ - /* only map if the field is in the device's primary vendor page */ - else if (!((field->application ^ plt_type) & HID_USAGE_PAGE)) { + + /* handle standard consumer control mapping */ + /* and standard telephony mic mute mapping */ + if (allow_consumer || allow_mute) + goto defaulted; + + /* handle vendor unique types - plt_type is 0xffa0uuuu or 0xffa2uuuu */ + /* if not 'basic telephony compliant' - map vendor unique controls */ + if (!((plt_type & HID_USAGE) >= PLT_BASIC_TELEPHONY && + (plt_type & HID_USAGE) != PLT_BASIC_EXCEPTION) && + !((field->application ^ plt_type) & HID_USAGE_PAGE)) switch (usage->hid) { case PLT1_VOL_UP: case PLT2_VOL_UP: @@ -95,8 +99,11 @@ static int plantronics_input_mapping(struct hid_device *hdev, case PLT2_VOL_DOWN: mapped_key = KEY_VOLUMEDOWN; goto mapped; + case PLT1_MIC_MUTE: + case PLT2_MIC_MUTE: + mapped_key = KEY_MICMUTE; + goto mapped; } - } /* * Future mapping of call control or other usages, @@ -105,6 +112,8 @@ static int plantronics_input_mapping(struct hid_device *hdev, */ ignored: + hid_dbg(hdev, "usage: %08x (appl: %08x) - ignored\n", + usage->hid, field->application); return -1; defaulted: @@ -123,38 +132,26 @@ static int plantronics_event(struct hid_device *hdev, struct hid_field *field, struct hid_usage *usage, __s32 value) { struct plt_drv_data *drv_data = hid_get_drvdata(hdev); + unsigned long prev_tsto, cur_ts; + __u16 prev_key, cur_key; - if (drv_data->quirks & PLT_QUIRK_DOUBLE_VOLUME_KEYS) { - unsigned long prev_ts, cur_ts; + /* Usages are filtered in plantronics_usages. */ - /* Usages are filtered in plantronics_usages. */ + /* HZ too low for ms resolution - double key detection disabled */ + /* or it is a key release - handle key presses only. */ + if (!drv_data->double_key_to || !value) + return 0; - if (!value) /* Handle key presses only. */ - return 0; + prev_tsto = drv_data->last_key_ts + drv_data->double_key_to; + cur_ts = drv_data->last_key_ts = jiffies; + prev_key = drv_data->last_key; + cur_key = drv_data->last_key = usage->code; - prev_ts = drv_data->last_volume_key_ts; - cur_ts = jiffies; - if (jiffies_to_msecs(cur_ts - prev_ts) <= PLT_DOUBLE_KEY_TIMEOUT) - return 1; /* Ignore the repeated key. */ - - drv_data->last_volume_key_ts = cur_ts; + /* If the same key occurs in <= double_key_to -- ignore it */ + if (prev_key == cur_key && time_before_eq(cur_ts, prev_tsto)) { + hid_dbg(hdev, "double key %d ignored\n", cur_key); + return 1; /* Ignore the repeated key. */ } - if (drv_data->quirks & PLT_QUIRK_FOLLOWED_OPPOSITE_VOLUME_KEYS) { - unsigned long prev_ts, cur_ts; - - /* Usages are filtered in plantronics_usages. */ - - if (!value) /* Handle key presses only. */ - return 0; - - prev_ts = drv_data->last_volume_key_ts; - cur_ts = jiffies; - if (jiffies_to_msecs(cur_ts - prev_ts) <= PLT_FOLLOWED_OPPOSITE_KEY_TIMEOUT) - return 1; /* Ignore the followed opposite volume key. */ - - drv_data->last_volume_key_ts = cur_ts; - } - return 0; } @@ -196,12 +193,16 @@ static int plantronics_probe(struct hid_device *hdev, ret = hid_parse(hdev); if (ret) { hid_err(hdev, "parse failed\n"); - goto err; + return ret; } drv_data->device_type = plantronics_device_type(hdev); - drv_data->quirks = id->driver_data; - drv_data->last_volume_key_ts = jiffies - msecs_to_jiffies(PLT_DOUBLE_KEY_TIMEOUT); + drv_data->double_key_to = msecs_to_jiffies(PLT_DOUBLE_KEY_TIMEOUT); + drv_data->last_key_ts = jiffies - drv_data->double_key_to; + + /* if HZ does not allow ms resolution - disable double key detection */ + if (drv_data->double_key_to < PLT_DOUBLE_KEY_TIMEOUT) + drv_data->double_key_to = 0; hid_set_drvdata(hdev, drv_data); @@ -210,29 +211,10 @@ static int plantronics_probe(struct hid_device *hdev, if (ret) hid_err(hdev, "hw start failed\n"); -err: return ret; } static const struct hid_device_id plantronics_devices[] = { - { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, - USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3210_SERIES), - .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS }, - { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, - USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3220_SERIES), - .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS }, - { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, - USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3215_SERIES), - .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS }, - { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, - USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3225_SERIES), - .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS }, - { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, - USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3325_SERIES), - .driver_data = PLT_QUIRK_FOLLOWED_OPPOSITE_VOLUME_KEYS }, - { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, - USB_DEVICE_ID_PLANTRONICS_ENCOREPRO_500_SERIES), - .driver_data = PLT_QUIRK_FOLLOWED_OPPOSITE_VOLUME_KEYS }, { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, HID_ANY_ID) }, { } }; @@ -241,6 +223,14 @@ MODULE_DEVICE_TABLE(hid, plantronics_devices); static const struct hid_usage_id plantronics_usages[] = { { HID_CP_VOLUMEUP, EV_KEY, HID_ANY_ID }, { HID_CP_VOLUMEDOWN, EV_KEY, HID_ANY_ID }, + { HID_TELEPHONY_MUTE, EV_KEY, HID_ANY_ID }, + { HID_CONSUMER_MUTE, EV_KEY, HID_ANY_ID }, + { PLT2_VOL_UP, EV_KEY, HID_ANY_ID }, + { PLT2_VOL_DOWN, EV_KEY, HID_ANY_ID }, + { PLT2_MIC_MUTE, EV_KEY, HID_ANY_ID }, + { PLT1_VOL_UP, EV_KEY, HID_ANY_ID }, + { PLT1_VOL_DOWN, EV_KEY, HID_ANY_ID }, + { PLT1_MIC_MUTE, EV_KEY, HID_ANY_ID }, { HID_TERMINATOR, HID_TERMINATOR, HID_TERMINATOR } }; -- 2.43.0

10 months, 2 weeks

1
1
0 0

[PATCH v2 1/2] HID: hid-plantronics: Add mic mute mapping and generalize quirks

by Wade Wang

From: Terry Junge <linuxhid(a)cosmicgizmosystems.com> Add mapping for headset mute key events. Remove PLT_QUIRK_DOUBLE_VOLUME_KEYS quirk and made it generic. The quirk logic did not keep track of the actual previous key so any key event occurring in less than or equal to 5ms was ignored. Remove PLT_QUIRK_FOLLOWED_OPPOSITE_VOLUME_KEYS quirk. It had the same logic issue as the double key quirk and was actually masking the as designed behavior of most of the headsets. It's occurrence should be minimized with the ALSA control naming quirk that is part of the patch set. Signed-off-by: Terry Junge <linuxhid(a)cosmicgizmosystems.com> Signed-off-by: Wade Wang <wade.wang(a)hp.com> Cc: stable(a)vger.kernel.org --- V1 -> V2: Optimize out 2 macros - no functional changes drivers/hid/hid-plantronics.c | 144 ++++++++++++++++------------------ 1 file changed, 67 insertions(+), 77 deletions(-) diff --git a/drivers/hid/hid-plantronics.c b/drivers/hid/hid-plantronics.c index 25cfd964dc25..acb9eb18f7cc 100644 --- a/drivers/hid/hid-plantronics.c +++ b/drivers/hid/hid-plantronics.c @@ -6,9 +6,6 @@ * Copyright (c) 2015-2018 Terry Junge <terry.junge(a)plantronics.com> */ -/* - */ - #include "hid-ids.h" #include <linux/hid.h> @@ -23,30 +20,28 @@ #define PLT_VOL_UP 0x00b1 #define PLT_VOL_DOWN 0x00b2 +#define PLT_MIC_MUTE 0x00b5 #define PLT1_VOL_UP (PLT_HID_1_0_PAGE | PLT_VOL_UP) #define PLT1_VOL_DOWN (PLT_HID_1_0_PAGE | PLT_VOL_DOWN) +#define PLT1_MIC_MUTE (PLT_HID_1_0_PAGE | PLT_MIC_MUTE) #define PLT2_VOL_UP (PLT_HID_2_0_PAGE | PLT_VOL_UP) #define PLT2_VOL_DOWN (PLT_HID_2_0_PAGE | PLT_VOL_DOWN) +#define PLT2_MIC_MUTE (PLT_HID_2_0_PAGE | PLT_MIC_MUTE) +#define HID_TELEPHONY_MUTE (HID_UP_TELEPHONY | 0x2f) +#define HID_CONSUMER_MUTE (HID_UP_CONSUMER | 0xe2) #define PLT_DA60 0xda60 #define PLT_BT300_MIN 0x0413 #define PLT_BT300_MAX 0x0418 - -#define PLT_ALLOW_CONSUMER (field->application == HID_CP_CONSUMERCONTROL && \ - (usage->hid & HID_USAGE_PAGE) == HID_UP_CONSUMER) - -#define PLT_QUIRK_DOUBLE_VOLUME_KEYS BIT(0) -#define PLT_QUIRK_FOLLOWED_OPPOSITE_VOLUME_KEYS BIT(1) - #define PLT_DOUBLE_KEY_TIMEOUT 5 /* ms */ -#define PLT_FOLLOWED_OPPOSITE_KEY_TIMEOUT 220 /* ms */ struct plt_drv_data { unsigned long device_type; - unsigned long last_volume_key_ts; - u32 quirks; + unsigned long last_key_ts; + unsigned long double_key_to; + __u16 last_key; }; static int plantronics_input_mapping(struct hid_device *hdev, @@ -58,34 +53,43 @@ static int plantronics_input_mapping(struct hid_device *hdev, unsigned short mapped_key; struct plt_drv_data *drv_data = hid_get_drvdata(hdev); unsigned long plt_type = drv_data->device_type; + int allow_mute = usage->hid == HID_TELEPHONY_MUTE; + int allow_consumer = field->application == HID_CP_CONSUMERCONTROL && + (usage->hid & HID_USAGE_PAGE) == HID_UP_CONSUMER && + usage->hid != HID_CONSUMER_MUTE; /* special case for PTT products */ if (field->application == HID_GD_JOYSTICK) goto defaulted; - /* handle volume up/down mapping */ /* non-standard types or multi-HID interfaces - plt_type is PID */ if (!(plt_type & HID_USAGE_PAGE)) { switch (plt_type) { case PLT_DA60: - if (PLT_ALLOW_CONSUMER) + if (allow_consumer) goto defaulted; - goto ignored; + if (usage->hid == HID_CONSUMER_MUTE) { + mapped_key = KEY_MICMUTE; + goto mapped; + } + break; default: - if (PLT_ALLOW_CONSUMER) + if (allow_consumer || allow_mute) goto defaulted; } + goto ignored; } - /* handle standard types - plt_type is 0xffa0uuuu or 0xffa2uuuu */ - /* 'basic telephony compliant' - allow default consumer page map */ - else if ((plt_type & HID_USAGE) >= PLT_BASIC_TELEPHONY && - (plt_type & HID_USAGE) != PLT_BASIC_EXCEPTION) { - if (PLT_ALLOW_CONSUMER) - goto defaulted; - } - /* not 'basic telephony' - apply legacy mapping */ - /* only map if the field is in the device's primary vendor page */ - else if (!((field->application ^ plt_type) & HID_USAGE_PAGE)) { + + /* handle standard consumer control mapping */ + /* and standard telephony mic mute mapping */ + if (allow_consumer || allow_mute) + goto defaulted; + + /* handle vendor unique types - plt_type is 0xffa0uuuu or 0xffa2uuuu */ + /* if not 'basic telephony compliant' - map vendor unique controls */ + if (!((plt_type & HID_USAGE) >= PLT_BASIC_TELEPHONY && + (plt_type & HID_USAGE) != PLT_BASIC_EXCEPTION) && + !((field->application ^ plt_type) & HID_USAGE_PAGE)) switch (usage->hid) { case PLT1_VOL_UP: case PLT2_VOL_UP: @@ -95,8 +99,11 @@ static int plantronics_input_mapping(struct hid_device *hdev, case PLT2_VOL_DOWN: mapped_key = KEY_VOLUMEDOWN; goto mapped; + case PLT1_MIC_MUTE: + case PLT2_MIC_MUTE: + mapped_key = KEY_MICMUTE; + goto mapped; } - } /* * Future mapping of call control or other usages, @@ -105,6 +112,8 @@ static int plantronics_input_mapping(struct hid_device *hdev, */ ignored: + hid_dbg(hdev, "usage: %08x (appl: %08x) - ignored\n", + usage->hid, field->application); return -1; defaulted: @@ -123,38 +132,26 @@ static int plantronics_event(struct hid_device *hdev, struct hid_field *field, struct hid_usage *usage, __s32 value) { struct plt_drv_data *drv_data = hid_get_drvdata(hdev); + unsigned long prev_tsto, cur_ts; + __u16 prev_key, cur_key; - if (drv_data->quirks & PLT_QUIRK_DOUBLE_VOLUME_KEYS) { - unsigned long prev_ts, cur_ts; + /* Usages are filtered in plantronics_usages. */ - /* Usages are filtered in plantronics_usages. */ + /* HZ too low for ms resolution - double key detection disabled */ + /* or it is a key release - handle key presses only. */ + if (!drv_data->double_key_to || !value) + return 0; - if (!value) /* Handle key presses only. */ - return 0; + prev_tsto = drv_data->last_key_ts + drv_data->double_key_to; + cur_ts = drv_data->last_key_ts = jiffies; + prev_key = drv_data->last_key; + cur_key = drv_data->last_key = usage->code; - prev_ts = drv_data->last_volume_key_ts; - cur_ts = jiffies; - if (jiffies_to_msecs(cur_ts - prev_ts) <= PLT_DOUBLE_KEY_TIMEOUT) - return 1; /* Ignore the repeated key. */ - - drv_data->last_volume_key_ts = cur_ts; + /* If the same key occurs in <= double_key_to -- ignore it */ + if (prev_key == cur_key && time_before_eq(cur_ts, prev_tsto)) { + hid_dbg(hdev, "double key %d ignored\n", cur_key); + return 1; /* Ignore the repeated key. */ } - if (drv_data->quirks & PLT_QUIRK_FOLLOWED_OPPOSITE_VOLUME_KEYS) { - unsigned long prev_ts, cur_ts; - - /* Usages are filtered in plantronics_usages. */ - - if (!value) /* Handle key presses only. */ - return 0; - - prev_ts = drv_data->last_volume_key_ts; - cur_ts = jiffies; - if (jiffies_to_msecs(cur_ts - prev_ts) <= PLT_FOLLOWED_OPPOSITE_KEY_TIMEOUT) - return 1; /* Ignore the followed opposite volume key. */ - - drv_data->last_volume_key_ts = cur_ts; - } - return 0; } @@ -196,12 +193,16 @@ static int plantronics_probe(struct hid_device *hdev, ret = hid_parse(hdev); if (ret) { hid_err(hdev, "parse failed\n"); - goto err; + return ret; } drv_data->device_type = plantronics_device_type(hdev); - drv_data->quirks = id->driver_data; - drv_data->last_volume_key_ts = jiffies - msecs_to_jiffies(PLT_DOUBLE_KEY_TIMEOUT); + drv_data->double_key_to = msecs_to_jiffies(PLT_DOUBLE_KEY_TIMEOUT); + drv_data->last_key_ts = jiffies - drv_data->double_key_to; + + /* if HZ does not allow ms resolution - disable double key detection */ + if (drv_data->double_key_to < PLT_DOUBLE_KEY_TIMEOUT) + drv_data->double_key_to = 0; hid_set_drvdata(hdev, drv_data); @@ -210,29 +211,10 @@ static int plantronics_probe(struct hid_device *hdev, if (ret) hid_err(hdev, "hw start failed\n"); -err: return ret; } static const struct hid_device_id plantronics_devices[] = { - { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, - USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3210_SERIES), - .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS }, - { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, - USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3220_SERIES), - .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS }, - { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, - USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3215_SERIES), - .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS }, - { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, - USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3225_SERIES), - .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS }, - { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, - USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3325_SERIES), - .driver_data = PLT_QUIRK_FOLLOWED_OPPOSITE_VOLUME_KEYS }, - { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, - USB_DEVICE_ID_PLANTRONICS_ENCOREPRO_500_SERIES), - .driver_data = PLT_QUIRK_FOLLOWED_OPPOSITE_VOLUME_KEYS }, { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, HID_ANY_ID) }, { } }; @@ -241,6 +223,14 @@ MODULE_DEVICE_TABLE(hid, plantronics_devices); static const struct hid_usage_id plantronics_usages[] = { { HID_CP_VOLUMEUP, EV_KEY, HID_ANY_ID }, { HID_CP_VOLUMEDOWN, EV_KEY, HID_ANY_ID }, + { HID_TELEPHONY_MUTE, EV_KEY, HID_ANY_ID }, + { HID_CONSUMER_MUTE, EV_KEY, HID_ANY_ID }, + { PLT2_VOL_UP, EV_KEY, HID_ANY_ID }, + { PLT2_VOL_DOWN, EV_KEY, HID_ANY_ID }, + { PLT2_MIC_MUTE, EV_KEY, HID_ANY_ID }, + { PLT1_VOL_UP, EV_KEY, HID_ANY_ID }, + { PLT1_VOL_DOWN, EV_KEY, HID_ANY_ID }, + { PLT1_MIC_MUTE, EV_KEY, HID_ANY_ID }, { HID_TERMINATOR, HID_TERMINATOR, HID_TERMINATOR } }; -- 2.43.0

10 months, 2 weeks

1
1
0 0

[PATCH v4] tpm: Map the ACPI provided event log

by Jarkko Sakkinen

The following failure was reported: [ 10.693310][ T1] tpm_tis STM0925:00: 2.0 TPM (device-id 0x3, rev-id 0) [ 10.848132][ T1] ------------[ cut here ]------------ [ 10.853559][ T1] WARNING: CPU: 59 PID: 1 at mm/page_alloc.c:4727 __alloc_pages_noprof+0x2ca/0x330 [ 10.862827][ T1] Modules linked in: [ 10.866671][ T1] CPU: 59 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-lp155.2.g52785e2-default #1 openSUSE Tumbleweed (unreleased) 588cd98293a7c9eba9013378d807364c088c9375 [ 10.882741][ T1] Hardware name: HPE ProLiant DL320 Gen12/ProLiant DL320 Gen12, BIOS 1.20 10/28/2024 [ 10.892170][ T1] RIP: 0010:__alloc_pages_noprof+0x2ca/0x330 [ 10.898103][ T1] Code: 24 08 e9 4a fe ff ff e8 34 36 fa ff e9 88 fe ff ff 83 fe 0a 0f 86 b3 fd ff ff 80 3d 01 e7 ce 01 00 75 09 c6 05 f8 e6 ce 01 01 <0f> 0b 45 31 ff e9 e5 fe ff ff f7 c2 00 00 08 00 75 42 89 d9 80 e1 [ 10.917750][ T1] RSP: 0000:ffffb7cf40077980 EFLAGS: 00010246 [ 10.923777][ T1] RAX: 0000000000000000 RBX: 0000000000040cc0 RCX: 0000000000000000 [ 10.931727][ T1] RDX: 0000000000000000 RSI: 000000000000000c RDI: 0000000000040cc0 Above shows that ACPI pointed a 16 MiB buffer for the log events because RSI maps to the 'order' parameter of __alloc_pages_noprof(). Address the bug by mapping the region when needed instead of copying. --- Cc: stable(a)vger.kernel.org # v2.6.16+ Fixes: 55a82ab3181b ("[PATCH] tpm: add bios measurement log") Reported-by: Andy Liang <andy.liang(a)hpe.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219495 Suggested-by: Matthew Garrett <mjg59(a)srcf.ucam.org> Tested-by: Andy Liang <andy.liang(a)hpe.com> Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v4: * Added tested-by from Andy Liang. v3: * Flag mapping code in tpm{1,2}.c with CONFIG_ACPI (nios2 compilation fix). v2: * There was some extra cruft (irrelevant diff), which is now wiped away. * Added missing tags (fixes, stable). --- drivers/char/tpm/eventlog/acpi.c | 28 +++++++--------------- drivers/char/tpm/eventlog/common.c | 25 +++++++++++++------- drivers/char/tpm/eventlog/common.h | 28 ++++++++++++++++++++++ drivers/char/tpm/eventlog/tpm1.c | 30 ++++++++++++++--------- drivers/char/tpm/eventlog/tpm2.c | 38 +++++++++++++++++------------- include/linux/tpm.h | 1 + 6 files changed, 95 insertions(+), 55 deletions(-) diff --git a/drivers/char/tpm/eventlog/acpi.c b/drivers/char/tpm/eventlog/acpi.c index 69533d0bfb51..2c4f7355b584 100644 --- a/drivers/char/tpm/eventlog/acpi.c +++ b/drivers/char/tpm/eventlog/acpi.c @@ -70,14 +70,11 @@ int tpm_read_log_acpi(struct tpm_chip *chip) acpi_status status; void __iomem *virt; u64 len, start; - struct tpm_bios_log *log; struct acpi_table_tpm2 *tbl; struct acpi_tpm2_phy *tpm2_phy; int format; int ret; - log = &chip->log; - /* Unfortuntely ACPI does not associate the event log with a specific * TPM, like PPI. Thus all ACPI TPMs will read the same log. */ @@ -135,36 +132,27 @@ int tpm_read_log_acpi(struct tpm_chip *chip) return -EIO; } - /* malloc EventLog space */ - log->bios_event_log = devm_kmalloc(&chip->dev, len, GFP_KERNEL); - if (!log->bios_event_log) - return -ENOMEM; - - log->bios_event_log_end = log->bios_event_log + len; - virt = acpi_os_map_iomem(start, len); if (!virt) { dev_warn(&chip->dev, "%s: Failed to map ACPI memory\n", __func__); /* try EFI log next */ - ret = -ENODEV; - goto err; + return -ENODEV; } - memcpy_fromio(log->bios_event_log, virt, len); - - acpi_os_unmap_iomem(virt, len); - - if (chip->flags & TPM_CHIP_FLAG_TPM2 && - !tpm_is_tpm2_log(log->bios_event_log, len)) { + if (chip->flags & TPM_CHIP_FLAG_TPM2 && !tpm_is_tpm2_log(virt, len)) { + acpi_os_unmap_iomem(virt, len); /* try EFI log next */ ret = -ENODEV; goto err; } + acpi_os_unmap_iomem(virt, len); + chip->flags |= TPM_CHIP_FLAG_ACPI_LOG; + chip->log.bios_event_log = (void *)start; + chip->log.bios_event_log_end = (void *)start + len; return format; err: - devm_kfree(&chip->dev, log->bios_event_log); - log->bios_event_log = NULL; + acpi_os_unmap_iomem(virt, len); return ret; } diff --git a/drivers/char/tpm/eventlog/common.c b/drivers/char/tpm/eventlog/common.c index 4c0bbba64ee5..44340ca6e2ac 100644 --- a/drivers/char/tpm/eventlog/common.c +++ b/drivers/char/tpm/eventlog/common.c @@ -27,6 +27,7 @@ static int tpm_bios_measurements_open(struct inode *inode, { int err; struct seq_file *seq; + struct tpm_measurements *priv; struct tpm_chip_seqops *chip_seqops; const struct seq_operations *seqops; struct tpm_chip *chip; @@ -42,13 +43,18 @@ static int tpm_bios_measurements_open(struct inode *inode, get_device(&chip->dev); inode_unlock(inode); - /* now register seq file */ + priv = kzalloc(sizeof(*priv), GFP_KERNEL); + if (!priv) + return -ENOMEM; + priv->chip = chip; + err = seq_open(file, seqops); - if (!err) { - seq = file->private_data; - seq->private = chip; - } else { + if (err) { + kfree(priv); put_device(&chip->dev); + } else { + seq = file->private_data; + seq->private = priv; } return err; @@ -58,11 +64,14 @@ static int tpm_bios_measurements_release(struct inode *inode, struct file *file) { struct seq_file *seq = file->private_data; - struct tpm_chip *chip = seq->private; + struct tpm_measurements *priv = seq->private; + int ret; - put_device(&chip->dev); + put_device(&priv->chip->dev); + ret = seq_release(inode, file); + kfree(priv); - return seq_release(inode, file); + return ret; } static const struct file_operations tpm_bios_measurements_ops = { diff --git a/drivers/char/tpm/eventlog/common.h b/drivers/char/tpm/eventlog/common.h index 47ff8136ceb5..b98fd6d9a6e9 100644 --- a/drivers/char/tpm/eventlog/common.h +++ b/drivers/char/tpm/eventlog/common.h @@ -1,12 +1,40 @@ #ifndef __TPM_EVENTLOG_COMMON_H__ #define __TPM_EVENTLOG_COMMON_H__ +#include <linux/acpi.h> #include "../tpm.h" extern const struct seq_operations tpm1_ascii_b_measurements_seqops; extern const struct seq_operations tpm1_binary_b_measurements_seqops; extern const struct seq_operations tpm2_binary_b_measurements_seqops; +struct tpm_measurements { + struct tpm_chip *chip; + void *start; + void *end; +}; + +static inline bool tpm_measurements_map(struct tpm_measurements *measurements) +{ + struct tpm_chip *chip = measurements->chip; + struct tpm_bios_log *log = &chip->log; + size_t size; + + size = log->bios_event_log_end - log->bios_event_log; + measurements->start = log->bios_event_log; + +#ifdef CONFIG_ACPI + if (chip->flags & TPM_CHIP_FLAG_ACPI_LOG) + measurements->start = acpi_os_map_iomem((unsigned long)log->bios_event_log, size); +#endif + + if (!measurements->start) + return false; + + measurements->end = measurements->start + size; + return true; +} + #if defined(CONFIG_ACPI) int tpm_read_log_acpi(struct tpm_chip *chip); #else diff --git a/drivers/char/tpm/eventlog/tpm1.c b/drivers/char/tpm/eventlog/tpm1.c index 12ee42a31c71..aef6ee39423a 100644 --- a/drivers/char/tpm/eventlog/tpm1.c +++ b/drivers/char/tpm/eventlog/tpm1.c @@ -70,20 +70,23 @@ static const char* tcpa_pc_event_id_strings[] = { static void *tpm1_bios_measurements_start(struct seq_file *m, loff_t *pos) { loff_t i = 0; - struct tpm_chip *chip = m->private; - struct tpm_bios_log *log = &chip->log; - void *addr = log->bios_event_log; - void *limit = log->bios_event_log_end; + struct tpm_measurements *priv = m->private; struct tcpa_event *event; u32 converted_event_size; u32 converted_event_type; + void *addr; + + if (!tpm_measurements_map(priv)) + return NULL; + + addr = priv->start; /* read over *pos measurements */ do { event = addr; /* check if current entry is valid */ - if (addr + sizeof(struct tcpa_event) > limit) + if (addr + sizeof(struct tcpa_event) > priv->end) return NULL; converted_event_size = @@ -93,7 +96,7 @@ static void *tpm1_bios_measurements_start(struct seq_file *m, loff_t *pos) if (((converted_event_type == 0) && (converted_event_size == 0)) || ((addr + sizeof(struct tcpa_event) + converted_event_size) - > limit)) + > priv->end)) return NULL; if (i++ == *pos) @@ -109,9 +112,7 @@ static void *tpm1_bios_measurements_next(struct seq_file *m, void *v, loff_t *pos) { struct tcpa_event *event = v; - struct tpm_chip *chip = m->private; - struct tpm_bios_log *log = &chip->log; - void *limit = log->bios_event_log_end; + struct tpm_measurements *priv = m->private; u32 converted_event_size; u32 converted_event_type; @@ -121,7 +122,7 @@ static void *tpm1_bios_measurements_next(struct seq_file *m, void *v, v += sizeof(struct tcpa_event) + converted_event_size; /* now check if current entry is valid */ - if ((v + sizeof(struct tcpa_event)) > limit) + if ((v + sizeof(struct tcpa_event)) > priv->end) return NULL; event = v; @@ -130,7 +131,7 @@ static void *tpm1_bios_measurements_next(struct seq_file *m, void *v, converted_event_type = do_endian_conversion(event->event_type); if (((converted_event_type == 0) && (converted_event_size == 0)) || - ((v + sizeof(struct tcpa_event) + converted_event_size) > limit)) + ((v + sizeof(struct tcpa_event) + converted_event_size) > priv->end)) return NULL; return v; @@ -138,6 +139,13 @@ static void *tpm1_bios_measurements_next(struct seq_file *m, void *v, static void tpm1_bios_measurements_stop(struct seq_file *m, void *v) { +#ifdef CONFIG_ACPI + struct tpm_measurements *priv = m->private; + struct tpm_chip *chip = priv->chip; + + if (chip->flags & TPM_CHIP_FLAG_ACPI_LOG) + acpi_os_unmap_iomem(priv->start, priv->end - priv->start); +#endif } static int get_event_name(char *dest, struct tcpa_event *event, diff --git a/drivers/char/tpm/eventlog/tpm2.c b/drivers/char/tpm/eventlog/tpm2.c index 37a05800980c..6289d8893e46 100644 --- a/drivers/char/tpm/eventlog/tpm2.c +++ b/drivers/char/tpm/eventlog/tpm2.c @@ -41,20 +41,22 @@ static size_t calc_tpm2_event_size(struct tcg_pcr_event2_head *event, static void *tpm2_bios_measurements_start(struct seq_file *m, loff_t *pos) { - struct tpm_chip *chip = m->private; - struct tpm_bios_log *log = &chip->log; - void *addr = log->bios_event_log; - void *limit = log->bios_event_log_end; + struct tpm_measurements *priv = m->private; struct tcg_pcr_event *event_header; struct tcg_pcr_event2_head *event; size_t size; + void *addr; int i; + if (!tpm_measurements_map(priv)) + return NULL; + + addr = priv->start; event_header = addr; size = struct_size(event_header, event, event_header->event_size); if (*pos == 0) { - if (addr + size < limit) { + if (addr + size < priv->end) { if ((event_header->event_type == 0) && (event_header->event_size == 0)) return NULL; @@ -66,7 +68,7 @@ static void *tpm2_bios_measurements_start(struct seq_file *m, loff_t *pos) addr += size; event = addr; size = calc_tpm2_event_size(event, event_header); - if ((addr + size >= limit) || (size == 0)) + if ((addr + size >= priv->end) || !size) return NULL; } @@ -74,7 +76,7 @@ static void *tpm2_bios_measurements_start(struct seq_file *m, loff_t *pos) event = addr; size = calc_tpm2_event_size(event, event_header); - if ((addr + size >= limit) || (size == 0)) + if ((addr + size >= priv->end) || !size) return NULL; addr += size; } @@ -87,14 +89,12 @@ static void *tpm2_bios_measurements_next(struct seq_file *m, void *v, { struct tcg_pcr_event *event_header; struct tcg_pcr_event2_head *event; - struct tpm_chip *chip = m->private; - struct tpm_bios_log *log = &chip->log; - void *limit = log->bios_event_log_end; + struct tpm_measurements *priv = m->private; size_t event_size; void *marker; (*pos)++; - event_header = log->bios_event_log; + event_header = priv->start; if (v == SEQ_START_TOKEN) { event_size = struct_size(event_header, event, @@ -109,13 +109,13 @@ static void *tpm2_bios_measurements_next(struct seq_file *m, void *v, } marker = marker + event_size; - if (marker >= limit) + if (marker >= priv->end) return NULL; v = marker; event = v; event_size = calc_tpm2_event_size(event, event_header); - if (((v + event_size) >= limit) || (event_size == 0)) + if (((v + event_size) >= priv->end) || !event_size) return NULL; return v; @@ -123,13 +123,19 @@ static void *tpm2_bios_measurements_next(struct seq_file *m, void *v, static void tpm2_bios_measurements_stop(struct seq_file *m, void *v) { +#ifdef CONFIG_ACPI + struct tpm_measurements *priv = m->private; + struct tpm_chip *chip = priv->chip; + + if (chip->flags & TPM_CHIP_FLAG_ACPI_LOG) + acpi_os_unmap_iomem(priv->start, priv->end - priv->start); +#endif } static int tpm2_binary_bios_measurements_show(struct seq_file *m, void *v) { - struct tpm_chip *chip = m->private; - struct tpm_bios_log *log = &chip->log; - struct tcg_pcr_event *event_header = log->bios_event_log; + struct tpm_measurements *priv = m->private; + struct tcg_pcr_event *event_header = priv->start; struct tcg_pcr_event2_head *event = v; void *temp_ptr; size_t size; diff --git a/include/linux/tpm.h b/include/linux/tpm.h index 20a40ade8030..f3d12738b93b 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -348,6 +348,7 @@ enum tpm_chip_flags { TPM_CHIP_FLAG_SUSPENDED = BIT(8), TPM_CHIP_FLAG_HWRNG_DISABLED = BIT(9), TPM_CHIP_FLAG_DISABLE = BIT(10), + TPM_CHIP_FLAG_ACPI_LOG = BIT(11), }; #define to_tpm_chip(d) container_of(d, struct tpm_chip, dev) -- 2.47.1

10 months, 2 weeks

1
0
0 0

+ mm-damon-core-fix-ignored-quota-goals-and-filters-of-newly-committed-schemes.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/damon/core: fix ignored quota goals and filters of newly committed schemes has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-damon-core-fix-ignored-quota-goals-and-filters-of-newly-committed-schemes.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/core: fix ignored quota goals and filters of newly committed schemes Date: Sun, 22 Dec 2024 15:12:22 -0800 damon_commit_schemes() ignores quota goals and filters of the newly committed schemes. This makes users confused about the behaviors. Correctly handle those inputs. Link: https://lkml.kernel.org/r/20241222231222.85060-3-sj@kernel.org Fixes: 9cb3d0b9dfce ("mm/damon/core: implement DAMON context commit function") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/core.c | 5 +++++ 1 file changed, 5 insertions(+) --- a/mm/damon/core.c~mm-damon-core-fix-ignored-quota-goals-and-filters-of-newly-committed-schemes +++ a/mm/damon/core.c @@ -868,6 +868,11 @@ static int damon_commit_schemes(struct d NUMA_NO_NODE); if (!new_scheme) return -ENOMEM; + err = damos_commit(new_scheme, src_scheme); + if (err) { + damon_destroy_scheme(new_scheme); + return err; + } damon_add_scheme(dst, new_scheme); } return 0; _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-core-fix-new-damon_target-objects-leaks-on-damon_commit_targets.patch mm-damon-core-fix-ignored-quota-goals-and-filters-of-newly-committed-schemes.patch samples-add-a-skeleton-of-a-sample-damon-module-for-working-set-size-estimation.patch samples-damon-wsse-start-and-stop-damon-as-the-user-requests.patch samples-damon-wsse-implement-working-set-size-estimation-and-logging.patch samples-damon-introduce-a-skeleton-of-a-smaple-damon-module-for-proactive-reclamation.patch samples-damon-prcl-implement-schemes-setup.patch replace-free-hugepage-folios-after-migration-fix-2.patch

10 months, 2 weeks

1
0
0 0

+ mm-damon-core-fix-new-damon_target-objects-leaks-on-damon_commit_targets.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/damon/core: fix new damon_target objects leaks on damon_commit_targets() has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-damon-core-fix-new-damon_target-objects-leaks-on-damon_commit_targets.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/core: fix new damon_target objects leaks on damon_commit_targets() Date: Sun, 22 Dec 2024 15:12:21 -0800 Patch series "mm/damon/core: fix memory leaks and ignored inputs from damon_commit_ctx()". Due to two bugs in damon_commit_targets() and damon_commit_schemes(), which are called from damon_commit_ctx(), some user inputs can be ignored, and some mmeory objects can be leaked. Fix those. Note that only DAMON sysfs interface users are affected. Other DAMON core API user modules that more focused more on simple and dedicated production usages, including DAMON_RECLAIM and DAMON_LRU_SORT are not using the buggy function in the way, so not affected. This patch (of 2): When new DAMON targets are added via damon_commit_targets(), the newly created targets are not deallocated when updating the internal data (damon_commit_target()) is failed. Worse yet, even if the setup is successfully done, the new target is not linked to the context. Hence, the new targets are always leaked regardless of the internal data setup failure. Fix the leaks. Link: https://lkml.kernel.org/r/20241222231222.85060-2-sj@kernel.org Fixes: 9cb3d0b9dfce ("mm/damon/core: implement DAMON context commit function") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/core.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) --- a/mm/damon/core.c~mm-damon-core-fix-new-damon_target-objects-leaks-on-damon_commit_targets +++ a/mm/damon/core.c @@ -961,8 +961,11 @@ static int damon_commit_targets( return -ENOMEM; err = damon_commit_target(new_target, false, src_target, damon_target_has_pid(src)); - if (err) + if (err) { + damon_destroy_target(new_target); return err; + } + damon_add_target(dst, new_target); } return 0; } _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-core-fix-new-damon_target-objects-leaks-on-damon_commit_targets.patch mm-damon-core-fix-ignored-quota-goals-and-filters-of-newly-committed-schemes.patch samples-add-a-skeleton-of-a-sample-damon-module-for-working-set-size-estimation.patch samples-damon-wsse-start-and-stop-damon-as-the-user-requests.patch samples-damon-wsse-implement-working-set-size-estimation-and-logging.patch samples-damon-introduce-a-skeleton-of-a-smaple-damon-module-for-proactive-reclamation.patch samples-damon-prcl-implement-schemes-setup.patch replace-free-hugepage-folios-after-migration-fix-2.patch

10 months, 2 weeks

1
0
0 0

[RFC PATCH] NFSD: Encode COMPOUND operation status on page boundaries

by cel＠kernel.org

From: Chuck Lever <chuck.lever(a)oracle.com> J. David reports an odd corruption of a READDIR reply sent to a FreeBSD client. xdr_reserve_space() has to do a special trick when the @nbytes value requests more space than there is in the current page of the XDR buffer. In that case, xdr_reserve_space() returns a pointer to the start of the next page, and then the next call to xdr_reserve_space() invokes __xdr_commit_encode() to copy enough of the data item back into the previous page to make that data item contiguous across the page boundary. But we need to be careful in the case where buffer space is reserved early for a data item that will be inserted into the buffer later. One such caller, nfsd4_encode_operation(), reserves 8 bytes in the encoding buffer for each COMPOUND operation. However, a READDIR result can sometimes encode file names so that there are only 4 bytes left at the end of the current XDR buffer page (though plenty of pages are left to handle the remaining encoding tasks). If a COMPOUND operation follows the READDIR result (say, a GETATTR), then nfsd4_encode_operation() will reserve 8 bytes for the op number (9) and the op status (usually NFS4_OK). In this weird case, xdr_reserve_space() returns a pointer to byte zero of the next buffer page, as it assumes the data item will be copied back into place (in the previous page) on the next call to xdr_reserve_space(). nfsd4_encode_operation() writes the op num into the buffer, then saves the next 4-byte location for the op's status code. The next xdr_reserve_space() call is part of GETATTR encoding, so the op num gets copied back into the previous page, but the saved location for the op status continues to point to the wrong spot in the current XDR buffer page because __xdr_commit_encode() moved that data item. After GETATTR encoding is complete, nfsd4_encode_operation() writes the op status over the first XDR data item in the GETATTR result. The NFS4_OK status code (0) makes it look like there are zero items in the GETATTR's attribute bitmask. The patch description of commit 2825a7f90753 ("nfsd4: allow encoding across page boundaries") [2014] remarks that NFSD "can't handle a new operation starting close to the end of a page." This behavior appears to be one reason for that remark. Break up the reservation of the COMPOUND op num and op status data items into two distinct 4-octet reservations. Thanks to XDR data item alignment restrictions, a 4-octet buffer reservation can never straddle a page boundary. Reported-by: J David <j.david.lists(a)gmail.com> Cc: stable(a)vger.kernel.org Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> --- fs/nfsd/nfs4xdr.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c index 53fac037611c..8780da884197 100644 --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c @@ -5764,10 +5764,11 @@ nfsd4_encode_operation(struct nfsd4_compoundres *resp, struct nfsd4_op *op) nfsd4_enc encoder; __be32 *p; - p = xdr_reserve_space(xdr, 8); + if (xdr_stream_encode_u32(xdr, op->opnum) != XDR_UNIT) + goto release; + p = xdr_reserve_space(xdr, XDR_UNIT); if (!p) goto release; - *p++ = cpu_to_be32(op->opnum); post_err_offset = xdr->buf->len; if (op->opnum == OP_ILLEGAL) -- 2.47.0

10 months, 2 weeks

3
4
0 0

[PATCHSET v6.2 4/5] xfs: realtime reverse-mapping support

by Darrick J. Wong

Hi all, This is the latest revision of a patchset that adds to XFS kernel support for reverse mapping for the realtime device. This time around I've fixed some of the bitrot that I've noticed over the past few months, and most notably have converted rtrmapbt to use the metadata inode directory feature instead of burning more space in the superblock. At the beginning of the set are patches to implement storing B+tree leaves in an inode root, since the realtime rmapbt is rooted in an inode, unlike the regular rmapbt which is rooted in an AG block. Prior to this, the only btree that could be rooted in the inode fork was the block mapping btree; if all the extent records fit in the inode, format would be switched from 'btree' to 'extents'. The next few patches enhance the reverse mapping routines to handle the parts that are specific to rtgroups -- adding the new btree type, adding a new log intent item type, and wiring up the metadata directory tree entries. Finally, implement GETFSMAP with the rtrmapbt and scrub functionality for the rtrmapbt and rtbitmap and online fsck functionality. If you're going to start using this code, I strongly recommend pulling from my git trees, which are linked below. This has been running on the djcloud for months with no problems. Enjoy! Comments and questions are, as always, welcome. --D kernel git tree: https://git.kernel.org/cgit/linux/kernel/git/djwong/xfs-linux.git/log/?h=re… xfsprogs git tree: https://git.kernel.org/cgit/linux/kernel/git/djwong/xfsprogs-dev.git/log/?h… fstests git tree: https://git.kernel.org/cgit/linux/kernel/git/djwong/xfstests-dev.git/log/?h… xfsdocs git tree: https://git.kernel.org/cgit/linux/kernel/git/djwong/xfs-documentation.git/l… --- Commits in this patchset: * xfs: add some rtgroup inode helpers * xfs: prepare rmap btree cursor tracepoints for realtime * xfs: simplify the xfs_rmap_{alloc,free}_extent calling conventions * xfs: introduce realtime rmap btree ondisk definitions * xfs: realtime rmap btree transaction reservations * xfs: add realtime rmap btree operations * xfs: prepare rmap functions to deal with rtrmapbt * xfs: add a realtime flag to the rmap update log redo items * xfs: support recovering rmap intent items targetting realtime extents * xfs: pretty print metadata file types in error messages * xfs: support file data forks containing metadata btrees * xfs: add realtime reverse map inode to metadata directory * xfs: add metadata reservations for realtime rmap btrees * xfs: wire up a new metafile type for the realtime rmap * xfs: wire up rmap map and unmap to the realtime rmapbt * xfs: create routine to allocate and initialize a realtime rmap btree inode * xfs: wire up getfsmap to the realtime reverse mapping btree * xfs: check that the rtrmapbt maxlevels doesn't increase when growing fs * xfs: report realtime rmap btree corruption errors to the health system * xfs: allow queued realtime intents to drain before scrubbing * xfs: scrub the realtime rmapbt * xfs: cross-reference realtime bitmap to realtime rmapbt scrubber * xfs: cross-reference the realtime rmapbt * xfs: scan rt rmap when we're doing an intense rmap check of bmbt mappings * xfs: scrub the metadir path of rt rmap btree files * xfs: walk the rt reverse mapping tree when rebuilding rmap * xfs: online repair of realtime file bmaps * xfs: repair inodes that have realtime extents * xfs: repair rmap btree inodes * xfs: online repair of realtime bitmaps for a realtime group * xfs: support repairing metadata btrees rooted in metadir inodes * xfs: online repair of the realtime rmap btree * xfs: create a shadow rmap btree during realtime rmap repair * xfs: hook live realtime rmap operations during a repair operation * xfs: don't shut down the filesystem for media failures beyond end of log * xfs: react to fsdax failure notifications on the rt device * xfs: enable realtime rmap btree --- fs/xfs/Makefile | 3 fs/xfs/libxfs/xfs_btree.c | 73 +++ fs/xfs/libxfs/xfs_btree.h | 8 fs/xfs/libxfs/xfs_btree_mem.c | 1 fs/xfs/libxfs/xfs_btree_staging.c | 1 fs/xfs/libxfs/xfs_defer.h | 1 fs/xfs/libxfs/xfs_exchmaps.c | 4 fs/xfs/libxfs/xfs_format.h | 28 + fs/xfs/libxfs/xfs_fs.h | 7 fs/xfs/libxfs/xfs_health.h | 4 fs/xfs/libxfs/xfs_inode_buf.c | 32 + fs/xfs/libxfs/xfs_inode_fork.c | 25 + fs/xfs/libxfs/xfs_log_format.h | 6 fs/xfs/libxfs/xfs_log_recover.h | 2 fs/xfs/libxfs/xfs_metafile.c | 18 + fs/xfs/libxfs/xfs_metafile.h | 2 fs/xfs/libxfs/xfs_ondisk.h | 2 fs/xfs/libxfs/xfs_refcount.c | 6 fs/xfs/libxfs/xfs_rmap.c | 171 +++++- fs/xfs/libxfs/xfs_rmap.h | 12 fs/xfs/libxfs/xfs_rtbitmap.c | 2 fs/xfs/libxfs/xfs_rtbitmap.h | 9 fs/xfs/libxfs/xfs_rtgroup.c | 53 +- fs/xfs/libxfs/xfs_rtgroup.h | 49 ++ fs/xfs/libxfs/xfs_rtrmap_btree.c | 1011 +++++++++++++++++++++++++++++++++++++ fs/xfs/libxfs/xfs_rtrmap_btree.h | 210 ++++++++ fs/xfs/libxfs/xfs_sb.c | 6 fs/xfs/libxfs/xfs_shared.h | 14 + fs/xfs/libxfs/xfs_trans_resv.c | 12 fs/xfs/libxfs/xfs_trans_space.h | 13 fs/xfs/scrub/alloc_repair.c | 5 fs/xfs/scrub/bmap.c | 108 +++- fs/xfs/scrub/bmap_repair.c | 129 +++++ fs/xfs/scrub/common.c | 160 ++++++ fs/xfs/scrub/common.h | 23 + fs/xfs/scrub/health.c | 1 fs/xfs/scrub/inode.c | 10 fs/xfs/scrub/inode_repair.c | 136 +++++ fs/xfs/scrub/metapath.c | 3 fs/xfs/scrub/newbt.c | 42 ++ fs/xfs/scrub/newbt.h | 1 fs/xfs/scrub/reap.c | 41 ++ fs/xfs/scrub/reap.h | 2 fs/xfs/scrub/repair.c | 191 +++++++ fs/xfs/scrub/repair.h | 17 + fs/xfs/scrub/rgsuper.c | 6 fs/xfs/scrub/rmap_repair.c | 84 +++ fs/xfs/scrub/rtbitmap.c | 75 ++- fs/xfs/scrub/rtbitmap.h | 55 ++ fs/xfs/scrub/rtbitmap_repair.c | 429 +++++++++++++++- fs/xfs/scrub/rtrmap.c | 271 ++++++++++ fs/xfs/scrub/rtrmap_repair.c | 903 +++++++++++++++++++++++++++++++++ fs/xfs/scrub/rtsummary.c | 17 - fs/xfs/scrub/rtsummary_repair.c | 3 fs/xfs/scrub/scrub.c | 11 fs/xfs/scrub/scrub.h | 14 + fs/xfs/scrub/stats.c | 1 fs/xfs/scrub/tempexch.h | 2 fs/xfs/scrub/tempfile.c | 20 - fs/xfs/scrub/trace.c | 1 fs/xfs/scrub/trace.h | 228 ++++++++ fs/xfs/xfs_buf.c | 1 fs/xfs/xfs_buf_item_recover.c | 4 fs/xfs/xfs_drain.c | 20 - fs/xfs/xfs_drain.h | 7 fs/xfs/xfs_fsmap.c | 174 ++++++ fs/xfs/xfs_fsops.c | 11 fs/xfs/xfs_health.c | 1 fs/xfs/xfs_inode.c | 19 + fs/xfs/xfs_inode_item.c | 2 fs/xfs/xfs_inode_item_recover.c | 44 +- fs/xfs/xfs_log_recover.c | 2 fs/xfs/xfs_mount.c | 5 fs/xfs/xfs_mount.h | 9 fs/xfs/xfs_notify_failure.c | 230 +++++--- fs/xfs/xfs_notify_failure.h | 11 fs/xfs/xfs_qm.c | 8 fs/xfs/xfs_rmap_item.c | 216 +++++++- fs/xfs/xfs_rtalloc.c | 82 ++- fs/xfs/xfs_rtalloc.h | 10 fs/xfs/xfs_stats.c | 4 fs/xfs/xfs_stats.h | 2 fs/xfs/xfs_super.c | 6 fs/xfs/xfs_super.h | 1 fs/xfs/xfs_trace.h | 104 ++-- 85 files changed, 5381 insertions(+), 366 deletions(-) create mode 100644 fs/xfs/libxfs/xfs_rtrmap_btree.c create mode 100644 fs/xfs/libxfs/xfs_rtrmap_btree.h create mode 100644 fs/xfs/scrub/rtrmap.c create mode 100644 fs/xfs/scrub/rtrmap_repair.c create mode 100644 fs/xfs/xfs_notify_failure.h

10 months, 2 weeks

1
1
0 0

[PATCHSET 1/5] xfs: bug fixes for 6.13

by Darrick J. Wong

Hi all, Bug fixes for 6.13. If you're going to start using this code, I strongly recommend pulling from my git trees, which are linked below. This has been running on the djcloud for months with no problems. Enjoy! Comments and questions are, as always, welcome. --D kernel git tree: https://git.kernel.org/cgit/linux/kernel/git/djwong/xfs-linux.git/log/?h=xf… xfsprogs git tree: https://git.kernel.org/cgit/linux/kernel/git/djwong/xfsprogs-dev.git/log/?h… --- Commits in this patchset: * xfs: don't over-report free space or inodes in statvfs * xfs: release the dquot buf outside of qli_lock --- fs/xfs/xfs_dquot.c | 12 ++++++++---- fs/xfs/xfs_qm_bhv.c | 27 +++++++++++++++++---------- 2 files changed, 25 insertions(+), 14 deletions(-)

10 months, 2 weeks

1
2
0 0

[GIT PULL 5/8] xfsprogs: new code for 6.13

by Darrick J. Wong

Hi Andrey, Please pull this branch with changes for xfsprogs for 6.11-rc1. As usual, I did a test-merge with the main upstream branch as of a few minutes ago, and didn't see any conflicts. Please let me know if you encounter any problems. --D The following changes since commit 513300e9565b0d446ac8e6a3a990444d766c728b: mkfs: add a utility to generate protofiles (2024-12-23 13:05:10 -0800) are available in the Git repository at: https://git.kernel.org/pub/scm/linux/kernel/git/djwong/xfsprogs-dev.git tags/xfs-6.13-merge_2024-12-23 for you to fetch changes up to 80b81c84f015ee01fed80c32184cc763ee1a655e: xfs: return from xfs_symlink_verify early on V4 filesystems (2024-12-23 13:05:13 -0800) ---------------------------------------------------------------- xfsprogs: new code for 6.13 [05/23] New code for 6.12. This has been running on the djcloud for months with no problems. Enjoy! Signed-off-by: "Darrick J. Wong" <djwong(a)kernel.org> ---------------------------------------------------------------- Christoph Hellwig (9): xfs: add a xfs_bmap_free_rtblocks helper xfs: move RT bitmap and summary information to the rtgroup xfs: support creating per-RTG files in growfs xfs: refactor xfs_rtbitmap_blockcount xfs: refactor xfs_rtsummary_blockcount xfs: make RT extent numbers relative to the rtgroup xfs: add a helper to prevent bmap merges across rtgroup boundaries xfs: make the RT allocator rtgroup aware xfs: don't call xfs_bmap_same_rtgroup in xfs_bmap_add_extent_hole_delay Darrick J. Wong (40): xfs: create incore realtime group structures xfs: define locking primitives for realtime groups xfs: add a lockdep class key for rtgroup inodes xfs: support caching rtgroup metadata inodes libfrog: add memchr_inv xfs: define the format of rt groups xfs: update realtime super every time we update the primary fs super xfs: export realtime group geometry via XFS_FSOP_GEOM xfs: check that rtblock extents do not break rtsupers or rtgroups xfs: add frextents to the lazysbcounters when rtgroups enabled xfs: record rt group metadata errors in the health system xfs: export the geometry of realtime groups to userspace xfs: add block headers to realtime bitmap and summary blocks xfs: encode the rtbitmap in big endian format xfs: encode the rtsummary in big endian format xfs: grow the realtime section when realtime groups are enabled xfs: support logging EFIs for realtime extents xfs: support error injection when freeing rt extents xfs: use realtime EFI to free extents when rtgroups are enabled xfs: don't merge ioends across RTGs xfs: scrub the realtime group superblock xfs: scrub metadir paths for rtgroup metadata xfs: mask off the rtbitmap and summary inodes when metadir in use xfs: create helpers to deal with rounding xfs_fileoff_t to rtx boundaries xfs: create helpers to deal with rounding xfs_filblks_t to rtx boundaries xfs: make xfs_rtblock_t a segmented address like xfs_fsblock_t xfs: adjust min_block usage in xfs_verify_agbno xfs: move the min and max group block numbers to xfs_group xfs: implement busy extent tracking for rtgroups xfs: use metadir for quota inodes xfs: scrub quota file metapaths xfs: enable metadata directory feature xfs: convert struct typedefs in xfs_ondisk.h xfs: separate space btree structures in xfs_ondisk.h xfs: port ondisk structure checks from xfs/122 to the kernel xfs: return a 64-bit block count from xfs_btree_count_blocks xfs: fix error bailout in xfs_rtginode_create xfs: update btree keys correctly when _insrec splits an inode root block xfs: fix sb_spino_align checks for large fsblock sizes xfs: return from xfs_symlink_verify early on V4 filesystems Dave Chinner (1): xfs: fix sparse inode limits on runt AG Jeff Layton (1): xfs: switch to multigrain timestamps Long Li (1): xfs: remove unknown compat feature check in superblock write validation db/block.c | 2 +- db/block.h | 16 - db/convert.c | 1 - db/faddr.c | 1 - include/libxfs.h | 2 + include/platform_defs.h | 33 +++ include/xfs_mount.h | 30 +- include/xfs_trace.h | 7 + include/xfs_trans.h | 1 + libfrog/util.c | 14 + libfrog/util.h | 4 + libxfs/Makefile | 2 + libxfs/init.c | 35 ++- libxfs/libxfs_api_defs.h | 16 + libxfs/libxfs_io.h | 1 + libxfs/libxfs_priv.h | 34 +-- libxfs/rdwr.c | 17 ++ libxfs/trans.c | 29 ++ libxfs/util.c | 8 +- libxfs/xfs_ag.c | 22 +- libxfs/xfs_ag.h | 16 +- libxfs/xfs_alloc.c | 15 +- libxfs/xfs_alloc.h | 12 +- libxfs/xfs_bmap.c | 124 ++++++-- libxfs/xfs_btree.c | 33 ++- libxfs/xfs_btree.h | 2 +- libxfs/xfs_defer.c | 6 + libxfs/xfs_defer.h | 1 + libxfs/xfs_dquot_buf.c | 190 ++++++++++++ libxfs/xfs_format.h | 80 ++++- libxfs/xfs_fs.h | 32 +- libxfs/xfs_group.h | 33 +++ libxfs/xfs_health.h | 42 +-- libxfs/xfs_ialloc.c | 16 +- libxfs/xfs_ialloc_btree.c | 6 +- libxfs/xfs_log_format.h | 6 +- libxfs/xfs_ondisk.h | 186 +++++++++--- libxfs/xfs_quota_defs.h | 43 +++ libxfs/xfs_rtbitmap.c | 405 +++++++++++++++++--------- libxfs/xfs_rtbitmap.h | 247 ++++++++++------ libxfs/xfs_rtgroup.c | 694 ++++++++++++++++++++++++++++++++++++++++++++ libxfs/xfs_rtgroup.h | 284 ++++++++++++++++++ libxfs/xfs_sb.c | 246 ++++++++++++++-- libxfs/xfs_sb.h | 6 +- libxfs/xfs_shared.h | 4 + libxfs/xfs_symlink_remote.c | 4 +- libxfs/xfs_trans_inode.c | 6 +- libxfs/xfs_trans_resv.c | 2 +- libxfs/xfs_types.c | 35 ++- libxfs/xfs_types.h | 8 +- mkfs/proto.c | 33 ++- mkfs/xfs_mkfs.c | 8 + repair/dinode.c | 4 +- repair/phase6.c | 203 +++++++------ repair/rt.c | 34 +-- repair/rt.h | 4 +- 56 files changed, 2728 insertions(+), 617 deletions(-) create mode 100644 libxfs/xfs_rtgroup.c create mode 100644 libxfs/xfs_rtgroup.h

10 months, 2 weeks

1
0
0 0

[PATCHSET 5/8] xfsprogs: new code for 6.13

by Darrick J. Wong

Hi all, New code for 6.12. If you're going to start using this code, I strongly recommend pulling from my git trees, which are linked below. This has been running on the djcloud for months with no problems. Enjoy! Comments and questions are, as always, welcome. --D kernel git tree: https://git.kernel.org/cgit/linux/kernel/git/djwong/xfs-linux.git/log/?h=xf… xfsprogs git tree: https://git.kernel.org/cgit/linux/kernel/git/djwong/xfsprogs-dev.git/log/?h… --- Commits in this patchset: * xfs: create incore realtime group structures * xfs: define locking primitives for realtime groups * xfs: add a lockdep class key for rtgroup inodes * xfs: support caching rtgroup metadata inodes * xfs: add a xfs_bmap_free_rtblocks helper * xfs: move RT bitmap and summary information to the rtgroup * xfs: support creating per-RTG files in growfs * xfs: refactor xfs_rtbitmap_blockcount * xfs: refactor xfs_rtsummary_blockcount * xfs: make RT extent numbers relative to the rtgroup * libfrog: add memchr_inv * xfs: define the format of rt groups * xfs: update realtime super every time we update the primary fs super * xfs: export realtime group geometry via XFS_FSOP_GEOM * xfs: check that rtblock extents do not break rtsupers or rtgroups * xfs: add a helper to prevent bmap merges across rtgroup boundaries * xfs: add frextents to the lazysbcounters when rtgroups enabled * xfs: record rt group metadata errors in the health system * xfs: export the geometry of realtime groups to userspace * xfs: add block headers to realtime bitmap and summary blocks * xfs: encode the rtbitmap in big endian format * xfs: encode the rtsummary in big endian format * xfs: grow the realtime section when realtime groups are enabled * xfs: support logging EFIs for realtime extents * xfs: support error injection when freeing rt extents * xfs: use realtime EFI to free extents when rtgroups are enabled * xfs: don't merge ioends across RTGs * xfs: make the RT allocator rtgroup aware * xfs: scrub the realtime group superblock * xfs: scrub metadir paths for rtgroup metadata * xfs: mask off the rtbitmap and summary inodes when metadir in use * xfs: create helpers to deal with rounding xfs_fileoff_t to rtx boundaries * xfs: create helpers to deal with rounding xfs_filblks_t to rtx boundaries * xfs: make xfs_rtblock_t a segmented address like xfs_fsblock_t * xfs: adjust min_block usage in xfs_verify_agbno * xfs: move the min and max group block numbers to xfs_group * xfs: implement busy extent tracking for rtgroups * xfs: use metadir for quota inodes * xfs: scrub quota file metapaths * xfs: enable metadata directory feature * xfs: convert struct typedefs in xfs_ondisk.h * xfs: separate space btree structures in xfs_ondisk.h * xfs: port ondisk structure checks from xfs/122 to the kernel * xfs: remove unknown compat feature check in superblock write validation * xfs: fix sparse inode limits on runt AG * xfs: switch to multigrain timestamps * xfs: don't call xfs_bmap_same_rtgroup in xfs_bmap_add_extent_hole_delay * xfs: return a 64-bit block count from xfs_btree_count_blocks * xfs: fix error bailout in xfs_rtginode_create * xfs: update btree keys correctly when _insrec splits an inode root block * xfs: fix sb_spino_align checks for large fsblock sizes * xfs: return from xfs_symlink_verify early on V4 filesystems --- db/block.c | 2 db/block.h | 16 - db/convert.c | 1 db/faddr.c | 1 include/libxfs.h | 2 include/platform_defs.h | 33 ++ include/xfs_mount.h | 30 +- include/xfs_trace.h | 7 include/xfs_trans.h | 1 libfrog/util.c | 14 + libfrog/util.h | 4 libxfs/Makefile | 2 libxfs/init.c | 35 ++ libxfs/libxfs_api_defs.h | 16 + libxfs/libxfs_io.h | 1 libxfs/libxfs_priv.h | 34 -- libxfs/rdwr.c | 17 + libxfs/trans.c | 29 ++ libxfs/util.c | 8 libxfs/xfs_ag.c | 22 + libxfs/xfs_ag.h | 16 - libxfs/xfs_alloc.c | 15 + libxfs/xfs_alloc.h | 12 + libxfs/xfs_bmap.c | 124 ++++++-- libxfs/xfs_btree.c | 33 ++ libxfs/xfs_btree.h | 2 libxfs/xfs_defer.c | 6 libxfs/xfs_defer.h | 1 libxfs/xfs_dquot_buf.c | 190 ++++++++++++ libxfs/xfs_format.h | 80 +++++ libxfs/xfs_fs.h | 32 ++ libxfs/xfs_group.h | 33 ++ libxfs/xfs_health.h | 42 ++- libxfs/xfs_ialloc.c | 16 + libxfs/xfs_ialloc_btree.c | 6 libxfs/xfs_log_format.h | 6 libxfs/xfs_ondisk.h | 186 +++++++++--- libxfs/xfs_quota_defs.h | 43 +++ libxfs/xfs_rtbitmap.c | 405 +++++++++++++++++-------- libxfs/xfs_rtbitmap.h | 247 ++++++++++----- libxfs/xfs_rtgroup.c | 694 +++++++++++++++++++++++++++++++++++++++++++ libxfs/xfs_rtgroup.h | 284 ++++++++++++++++++ libxfs/xfs_sb.c | 246 ++++++++++++++- libxfs/xfs_sb.h | 6 libxfs/xfs_shared.h | 4 libxfs/xfs_symlink_remote.c | 4 libxfs/xfs_trans_inode.c | 6 libxfs/xfs_trans_resv.c | 2 libxfs/xfs_types.c | 35 ++ libxfs/xfs_types.h | 8 mkfs/proto.c | 33 +- mkfs/xfs_mkfs.c | 8 repair/dinode.c | 4 repair/phase6.c | 203 ++++++------- repair/rt.c | 34 -- repair/rt.h | 4 56 files changed, 2728 insertions(+), 617 deletions(-) create mode 100644 libxfs/xfs_rtgroup.c create mode 100644 libxfs/xfs_rtgroup.h

10 months, 2 weeks

1
6
0 0

[PATCH net] net: ethernet: ti: am65-cpsw: default to round-robin for host port receive

by Siddharth Vadapalli

The Host Port (i.e. CPU facing port) of CPSW receives traffic from Linux via TX DMA Channels which are Hardware Queues consisting of traffic categorized according to their priority. The Host Port is configured to dequeue traffic from these Hardware Queues on the basis of priority i.e. as long as traffic exists on a Hardware Queue of a higher priority, the traffic on Hardware Queues of lower priority isn't dequeued. An alternate operation is also supported wherein traffic can be dequeued by the Host Port in a Round-Robin manner. Until [0], the am65-cpsw driver enabled a single TX DMA Channel, due to which, unless modified by user via "ethtool", all traffic from Linux is transmitted on DMA Channel 0. Therefore, configuring the Host Port for priority based dequeuing or Round-Robin operation is identical since there is a single DMA Channel. Since [0], all 8 TX DMA Channels are enabled by default. Additionally, the default "tc mapping" doesn't take into account the possibility of different traffic profiles which various users might have. This results in traffic starvation at the Host Port due to the priority based dequeuing which has been enabled by default since the inception of the driver. The traffic starvation triggers NETDEV WATCHDOG timeout for all TX DMA Channels that haven't been serviced due to the presence of traffic on the higher priority TX DMA Channels. Fix this by defaulting to Round-Robin dequeuing at the Host Port, which shall ensure that traffic is dequeued from all TX DMA Channels irrespective of the traffic profile. This will address the NETDEV WATCHDOG timeouts. At the same time, users can still switch from Round-Robin to Priority based dequeuing at the Host Port with the help of the "p0-rx-ptype-rrobin" private flag of "ethtool". Users are expected to setup an appropriate "tc mapping" that suits their traffic profile when switching to priority based dequeuing at the Host Port. [0] commit be397ea3473d ("net: ethernet: am65-cpsw: Set default TX channels to maximum") Fixes: be397ea3473d ("net: ethernet: am65-cpsw: Set default TX channels to maximum") Cc: <stable(a)vger.kernel.org> Signed-off-by: Siddharth Vadapalli <s-vadapalli(a)ti.com> --- Hello, This patch is based on commit 8faabc041a00 Merge tag 'net-6.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net of Mainline Linux. Regards, Siddharth. drivers/net/ethernet/ti/am65-cpsw-nuss.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/ti/am65-cpsw-nuss.c b/drivers/net/ethernet/ti/am65-cpsw-nuss.c index 14e1df721f2e..5465bf872734 100644 --- a/drivers/net/ethernet/ti/am65-cpsw-nuss.c +++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.c @@ -3551,7 +3551,7 @@ static int am65_cpsw_nuss_probe(struct platform_device *pdev) init_completion(&common->tdown_complete); common->tx_ch_num = AM65_CPSW_DEFAULT_TX_CHNS; common->rx_ch_num_flows = AM65_CPSW_DEFAULT_RX_CHN_FLOWS; - common->pf_p0_rx_ptype_rrobin = false; + common->pf_p0_rx_ptype_rrobin = true; common->default_vlan = 1; common->ports = devm_kcalloc(dev, common->port_num, -- 2.43.0

10 months, 2 weeks

3
3
0 0

[PATCH v3] tpm: Map the ACPI provided event log

by Jarkko Sakkinen

The following failure was reported: [ 10.693310][ T1] tpm_tis STM0925:00: 2.0 TPM (device-id 0x3, rev-id 0) [ 10.848132][ T1] ------------[ cut here ]------------ [ 10.853559][ T1] WARNING: CPU: 59 PID: 1 at mm/page_alloc.c:4727 __alloc_pages_noprof+0x2ca/0x330 [ 10.862827][ T1] Modules linked in: [ 10.866671][ T1] CPU: 59 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-lp155.2.g52785e2-default #1 openSUSE Tumbleweed (unreleased) 588cd98293a7c9eba9013378d807364c088c9375 [ 10.882741][ T1] Hardware name: HPE ProLiant DL320 Gen12/ProLiant DL320 Gen12, BIOS 1.20 10/28/2024 [ 10.892170][ T1] RIP: 0010:__alloc_pages_noprof+0x2ca/0x330 [ 10.898103][ T1] Code: 24 08 e9 4a fe ff ff e8 34 36 fa ff e9 88 fe ff ff 83 fe 0a 0f 86 b3 fd ff ff 80 3d 01 e7 ce 01 00 75 09 c6 05 f8 e6 ce 01 01 <0f> 0b 45 31 ff e9 e5 fe ff ff f7 c2 00 00 08 00 75 42 89 d9 80 e1 [ 10.917750][ T1] RSP: 0000:ffffb7cf40077980 EFLAGS: 00010246 [ 10.923777][ T1] RAX: 0000000000000000 RBX: 0000000000040cc0 RCX: 0000000000000000 [ 10.931727][ T1] RDX: 0000000000000000 RSI: 000000000000000c RDI: 0000000000040cc0 Above shows that ACPI pointed a 16 MiB buffer for the log events because RSI maps to the 'order' parameter of __alloc_pages_noprof(). Address the bug by mapping the region when needed instead of copying. Cc: stable(a)vger.kernel.org # v2.6.16+ Fixes: 55a82ab3181b ("[PATCH] tpm: add bios measurement log") Reported-by: Andy Liang <andy.liang(a)hpe.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219495 Suggested-by: Matthew Garrett <mjg59(a)srcf.ucam.org> Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v3: * Flag mapping code in tpm{1,2}.c with CONFIG_ACPI (nios2 compilation fix). v2: * There was some extra cruft (irrelevant diff), which is now wiped away. * Added missing tags (fixes, stable). --- drivers/char/tpm/eventlog/acpi.c | 28 +++++++--------------- drivers/char/tpm/eventlog/common.c | 25 +++++++++++++------- drivers/char/tpm/eventlog/common.h | 28 ++++++++++++++++++++++ drivers/char/tpm/eventlog/tpm1.c | 30 ++++++++++++++--------- drivers/char/tpm/eventlog/tpm2.c | 38 +++++++++++++++++------------- include/linux/tpm.h | 1 + 6 files changed, 95 insertions(+), 55 deletions(-) diff --git a/drivers/char/tpm/eventlog/acpi.c b/drivers/char/tpm/eventlog/acpi.c index 69533d0bfb51..2c4f7355b584 100644 --- a/drivers/char/tpm/eventlog/acpi.c +++ b/drivers/char/tpm/eventlog/acpi.c @@ -70,14 +70,11 @@ int tpm_read_log_acpi(struct tpm_chip *chip) acpi_status status; void __iomem *virt; u64 len, start; - struct tpm_bios_log *log; struct acpi_table_tpm2 *tbl; struct acpi_tpm2_phy *tpm2_phy; int format; int ret; - log = &chip->log; - /* Unfortuntely ACPI does not associate the event log with a specific * TPM, like PPI. Thus all ACPI TPMs will read the same log. */ @@ -135,36 +132,27 @@ int tpm_read_log_acpi(struct tpm_chip *chip) return -EIO; } - /* malloc EventLog space */ - log->bios_event_log = devm_kmalloc(&chip->dev, len, GFP_KERNEL); - if (!log->bios_event_log) - return -ENOMEM; - - log->bios_event_log_end = log->bios_event_log + len; - virt = acpi_os_map_iomem(start, len); if (!virt) { dev_warn(&chip->dev, "%s: Failed to map ACPI memory\n", __func__); /* try EFI log next */ - ret = -ENODEV; - goto err; + return -ENODEV; } - memcpy_fromio(log->bios_event_log, virt, len); - - acpi_os_unmap_iomem(virt, len); - - if (chip->flags & TPM_CHIP_FLAG_TPM2 && - !tpm_is_tpm2_log(log->bios_event_log, len)) { + if (chip->flags & TPM_CHIP_FLAG_TPM2 && !tpm_is_tpm2_log(virt, len)) { + acpi_os_unmap_iomem(virt, len); /* try EFI log next */ ret = -ENODEV; goto err; } + acpi_os_unmap_iomem(virt, len); + chip->flags |= TPM_CHIP_FLAG_ACPI_LOG; + chip->log.bios_event_log = (void *)start; + chip->log.bios_event_log_end = (void *)start + len; return format; err: - devm_kfree(&chip->dev, log->bios_event_log); - log->bios_event_log = NULL; + acpi_os_unmap_iomem(virt, len); return ret; } diff --git a/drivers/char/tpm/eventlog/common.c b/drivers/char/tpm/eventlog/common.c index 4c0bbba64ee5..44340ca6e2ac 100644 --- a/drivers/char/tpm/eventlog/common.c +++ b/drivers/char/tpm/eventlog/common.c @@ -27,6 +27,7 @@ static int tpm_bios_measurements_open(struct inode *inode, { int err; struct seq_file *seq; + struct tpm_measurements *priv; struct tpm_chip_seqops *chip_seqops; const struct seq_operations *seqops; struct tpm_chip *chip; @@ -42,13 +43,18 @@ static int tpm_bios_measurements_open(struct inode *inode, get_device(&chip->dev); inode_unlock(inode); - /* now register seq file */ + priv = kzalloc(sizeof(*priv), GFP_KERNEL); + if (!priv) + return -ENOMEM; + priv->chip = chip; + err = seq_open(file, seqops); - if (!err) { - seq = file->private_data; - seq->private = chip; - } else { + if (err) { + kfree(priv); put_device(&chip->dev); + } else { + seq = file->private_data; + seq->private = priv; } return err; @@ -58,11 +64,14 @@ static int tpm_bios_measurements_release(struct inode *inode, struct file *file) { struct seq_file *seq = file->private_data; - struct tpm_chip *chip = seq->private; + struct tpm_measurements *priv = seq->private; + int ret; - put_device(&chip->dev); + put_device(&priv->chip->dev); + ret = seq_release(inode, file); + kfree(priv); - return seq_release(inode, file); + return ret; } static const struct file_operations tpm_bios_measurements_ops = { diff --git a/drivers/char/tpm/eventlog/common.h b/drivers/char/tpm/eventlog/common.h index 47ff8136ceb5..b98fd6d9a6e9 100644 --- a/drivers/char/tpm/eventlog/common.h +++ b/drivers/char/tpm/eventlog/common.h @@ -1,12 +1,40 @@ #ifndef __TPM_EVENTLOG_COMMON_H__ #define __TPM_EVENTLOG_COMMON_H__ +#include <linux/acpi.h> #include "../tpm.h" extern const struct seq_operations tpm1_ascii_b_measurements_seqops; extern const struct seq_operations tpm1_binary_b_measurements_seqops; extern const struct seq_operations tpm2_binary_b_measurements_seqops; +struct tpm_measurements { + struct tpm_chip *chip; + void *start; + void *end; +}; + +static inline bool tpm_measurements_map(struct tpm_measurements *measurements) +{ + struct tpm_chip *chip = measurements->chip; + struct tpm_bios_log *log = &chip->log; + size_t size; + + size = log->bios_event_log_end - log->bios_event_log; + measurements->start = log->bios_event_log; + +#ifdef CONFIG_ACPI + if (chip->flags & TPM_CHIP_FLAG_ACPI_LOG) + measurements->start = acpi_os_map_iomem((unsigned long)log->bios_event_log, size); +#endif + + if (!measurements->start) + return false; + + measurements->end = measurements->start + size; + return true; +} + #if defined(CONFIG_ACPI) int tpm_read_log_acpi(struct tpm_chip *chip); #else diff --git a/drivers/char/tpm/eventlog/tpm1.c b/drivers/char/tpm/eventlog/tpm1.c index 12ee42a31c71..aef6ee39423a 100644 --- a/drivers/char/tpm/eventlog/tpm1.c +++ b/drivers/char/tpm/eventlog/tpm1.c @@ -70,20 +70,23 @@ static const char* tcpa_pc_event_id_strings[] = { static void *tpm1_bios_measurements_start(struct seq_file *m, loff_t *pos) { loff_t i = 0; - struct tpm_chip *chip = m->private; - struct tpm_bios_log *log = &chip->log; - void *addr = log->bios_event_log; - void *limit = log->bios_event_log_end; + struct tpm_measurements *priv = m->private; struct tcpa_event *event; u32 converted_event_size; u32 converted_event_type; + void *addr; + + if (!tpm_measurements_map(priv)) + return NULL; + + addr = priv->start; /* read over *pos measurements */ do { event = addr; /* check if current entry is valid */ - if (addr + sizeof(struct tcpa_event) > limit) + if (addr + sizeof(struct tcpa_event) > priv->end) return NULL; converted_event_size = @@ -93,7 +96,7 @@ static void *tpm1_bios_measurements_start(struct seq_file *m, loff_t *pos) if (((converted_event_type == 0) && (converted_event_size == 0)) || ((addr + sizeof(struct tcpa_event) + converted_event_size) - > limit)) + > priv->end)) return NULL; if (i++ == *pos) @@ -109,9 +112,7 @@ static void *tpm1_bios_measurements_next(struct seq_file *m, void *v, loff_t *pos) { struct tcpa_event *event = v; - struct tpm_chip *chip = m->private; - struct tpm_bios_log *log = &chip->log; - void *limit = log->bios_event_log_end; + struct tpm_measurements *priv = m->private; u32 converted_event_size; u32 converted_event_type; @@ -121,7 +122,7 @@ static void *tpm1_bios_measurements_next(struct seq_file *m, void *v, v += sizeof(struct tcpa_event) + converted_event_size; /* now check if current entry is valid */ - if ((v + sizeof(struct tcpa_event)) > limit) + if ((v + sizeof(struct tcpa_event)) > priv->end) return NULL; event = v; @@ -130,7 +131,7 @@ static void *tpm1_bios_measurements_next(struct seq_file *m, void *v, converted_event_type = do_endian_conversion(event->event_type); if (((converted_event_type == 0) && (converted_event_size == 0)) || - ((v + sizeof(struct tcpa_event) + converted_event_size) > limit)) + ((v + sizeof(struct tcpa_event) + converted_event_size) > priv->end)) return NULL; return v; @@ -138,6 +139,13 @@ static void *tpm1_bios_measurements_next(struct seq_file *m, void *v, static void tpm1_bios_measurements_stop(struct seq_file *m, void *v) { +#ifdef CONFIG_ACPI + struct tpm_measurements *priv = m->private; + struct tpm_chip *chip = priv->chip; + + if (chip->flags & TPM_CHIP_FLAG_ACPI_LOG) + acpi_os_unmap_iomem(priv->start, priv->end - priv->start); +#endif } static int get_event_name(char *dest, struct tcpa_event *event, diff --git a/drivers/char/tpm/eventlog/tpm2.c b/drivers/char/tpm/eventlog/tpm2.c index 37a05800980c..6289d8893e46 100644 --- a/drivers/char/tpm/eventlog/tpm2.c +++ b/drivers/char/tpm/eventlog/tpm2.c @@ -41,20 +41,22 @@ static size_t calc_tpm2_event_size(struct tcg_pcr_event2_head *event, static void *tpm2_bios_measurements_start(struct seq_file *m, loff_t *pos) { - struct tpm_chip *chip = m->private; - struct tpm_bios_log *log = &chip->log; - void *addr = log->bios_event_log; - void *limit = log->bios_event_log_end; + struct tpm_measurements *priv = m->private; struct tcg_pcr_event *event_header; struct tcg_pcr_event2_head *event; size_t size; + void *addr; int i; + if (!tpm_measurements_map(priv)) + return NULL; + + addr = priv->start; event_header = addr; size = struct_size(event_header, event, event_header->event_size); if (*pos == 0) { - if (addr + size < limit) { + if (addr + size < priv->end) { if ((event_header->event_type == 0) && (event_header->event_size == 0)) return NULL; @@ -66,7 +68,7 @@ static void *tpm2_bios_measurements_start(struct seq_file *m, loff_t *pos) addr += size; event = addr; size = calc_tpm2_event_size(event, event_header); - if ((addr + size >= limit) || (size == 0)) + if ((addr + size >= priv->end) || !size) return NULL; } @@ -74,7 +76,7 @@ static void *tpm2_bios_measurements_start(struct seq_file *m, loff_t *pos) event = addr; size = calc_tpm2_event_size(event, event_header); - if ((addr + size >= limit) || (size == 0)) + if ((addr + size >= priv->end) || !size) return NULL; addr += size; } @@ -87,14 +89,12 @@ static void *tpm2_bios_measurements_next(struct seq_file *m, void *v, { struct tcg_pcr_event *event_header; struct tcg_pcr_event2_head *event; - struct tpm_chip *chip = m->private; - struct tpm_bios_log *log = &chip->log; - void *limit = log->bios_event_log_end; + struct tpm_measurements *priv = m->private; size_t event_size; void *marker; (*pos)++; - event_header = log->bios_event_log; + event_header = priv->start; if (v == SEQ_START_TOKEN) { event_size = struct_size(event_header, event, @@ -109,13 +109,13 @@ static void *tpm2_bios_measurements_next(struct seq_file *m, void *v, } marker = marker + event_size; - if (marker >= limit) + if (marker >= priv->end) return NULL; v = marker; event = v; event_size = calc_tpm2_event_size(event, event_header); - if (((v + event_size) >= limit) || (event_size == 0)) + if (((v + event_size) >= priv->end) || !event_size) return NULL; return v; @@ -123,13 +123,19 @@ static void *tpm2_bios_measurements_next(struct seq_file *m, void *v, static void tpm2_bios_measurements_stop(struct seq_file *m, void *v) { +#ifdef CONFIG_ACPI + struct tpm_measurements *priv = m->private; + struct tpm_chip *chip = priv->chip; + + if (chip->flags & TPM_CHIP_FLAG_ACPI_LOG) + acpi_os_unmap_iomem(priv->start, priv->end - priv->start); +#endif } static int tpm2_binary_bios_measurements_show(struct seq_file *m, void *v) { - struct tpm_chip *chip = m->private; - struct tpm_bios_log *log = &chip->log; - struct tcg_pcr_event *event_header = log->bios_event_log; + struct tpm_measurements *priv = m->private; + struct tcg_pcr_event *event_header = priv->start; struct tcg_pcr_event2_head *event = v; void *temp_ptr; size_t size; diff --git a/include/linux/tpm.h b/include/linux/tpm.h index 20a40ade8030..f3d12738b93b 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -348,6 +348,7 @@ enum tpm_chip_flags { TPM_CHIP_FLAG_SUSPENDED = BIT(8), TPM_CHIP_FLAG_HWRNG_DISABLED = BIT(9), TPM_CHIP_FLAG_DISABLE = BIT(10), + TPM_CHIP_FLAG_ACPI_LOG = BIT(11), }; #define to_tpm_chip(d) container_of(d, struct tpm_chip, dev) -- 2.47.1

10 months, 2 weeks

1
1
0 0

[PATCH v6 1/5] libfs: Return ENOSPC when the directory offset range is exhausted

by cel＠kernel.org

From: Chuck Lever <chuck.lever(a)oracle.com> Testing shows that the EBUSY error return from mtree_alloc_cyclic() leaks into user space. The ERRORS section of "man creat(2)" says: > EBUSY O_EXCL was specified in flags and pathname refers > to a block device that is in use by the system > (e.g., it is mounted). ENOSPC is closer to what applications expect in this situation. Note that the normal range of simple directory offset values is 2..2^63, so hitting this error is going to be rare to impossible. Fixes: 6faddda69f62 ("libfs: Add directory operations for stable offsets") Cc: <stable(a)vger.kernel.org> # v6.9+ Reviewed-by: Jeff Layton <jlayton(a)kernel.org> Reviewed-by: Yang Erkun <yangerkun(a)huawei.com> Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> --- fs/libfs.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/libfs.c b/fs/libfs.c index 748ac5923154..3da58a92f48f 100644 --- a/fs/libfs.c +++ b/fs/libfs.c @@ -292,8 +292,8 @@ int simple_offset_add(struct offset_ctx *octx, struct dentry *dentry) ret = mtree_alloc_cyclic(&octx->mt, &offset, dentry, DIR_OFFSET_MIN, LONG_MAX, &octx->next_offset, GFP_KERNEL); - if (ret < 0) - return ret; + if (unlikely(ret < 0)) + return ret == -EBUSY ? -ENOSPC : ret; offset_set(dentry, offset); return 0; -- 2.47.0

10 months, 2 weeks

3
2
0 0

Request to port to 6.6.y : c809b0d0e52d ("x86/microcode/AMD: Flush patch buffer mapping after application")

by Thomas De Schampheleire

Hello, Below commit was ported to 6.12, but I would like to request porting to the 6.6 longterm branch we are currently using: commit c809b0d0e52d01c30066367b2952c4c4186b1047 Author: Borislav Petkov (AMD) <bp(a)alien8.de> Date: 2024-11-19 12:21:33 +0100 x86/microcode/AMD: Flush patch buffer mapping after application [...] The patch itself is small, but the consequence of not patching is large on affected systems (tens of seconds to minutes, of boot delay). See original discussion [1] for details. The patch in master relies on a variable 'bsp_cpuid_1_eax' introduced in commit 94838d230a6c ("x86/microcode/AMD: Use the family,model,stepping encoded in the patch ID"), but porting that entire commit seems excessive, especially because there are several 'Fixes' commits for that one (e.g. 5343558a868e, d1744a4c975b, 1d81d85d1a19). I think the simplest prerequisite change is (for Borislav Petkov to confirm): diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c index bbd1dc38ea03..555fa76bd1f3 100644 --- a/arch/x86/kernel/cpu/microcode/amd.c +++ b/arch/x86/kernel/cpu/microcode/amd.c @@ -96,6 +97,8 @@ struct cont_desc { static u32 ucode_new_rev; +static u32 bsp_cpuid_1_eax __ro_after_init; + /* * Microcode patch container file is prepended to the initrd in cpio * format. See Documentation/arch/x86/microcode.rst @@ -551,6 +566,7 @@ static void apply_ucode_from_containers(unsigned int cpuid_1_eax) void load_ucode_amd_early(unsigned int cpuid_1_eax) { + bsp_cpuid_1_eax = cpuid_1_eax; return apply_ucode_from_containers(cpuid_1_eax); } Thanks, Thomas [1] https://lore.kernel.org/lkml/ZyulbYuvrkshfsd2@antipodes/T/

10 months, 2 weeks

2
5
0 0

[PATCH 6.12] wifi: iwlwifi: be less noisy if the NIC is dead in S3

by Emmanuel Grumbach

commit 0572b7715ffd2cac20aac00333706f3094028180 upstream If the NIC is dead upon resume, try to catch the error earlier and exit earlier. We'll print less error messages and get to the same recovery path as before: reload the firmware. Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> Signed-off-by: Miri Korenblit <miriam.rachel.korenblit(a)intel.com> Link: https://patch.msgid.link/20241028135215.3a18682261e5.I18f336a4537378a4c1a85… Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219597 --- .../net/wireless/intel/iwlwifi/iwl-trans.h | 13 +++++---- drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 28 ++++++++++++++----- .../net/wireless/intel/iwlwifi/pcie/trans.c | 2 ++ 3 files changed, 30 insertions(+), 13 deletions(-) diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-trans.h b/drivers/net/wireless/intel/iwlwifi/iwl-trans.h index e95ffe303547..c70da7281551 100644 --- a/drivers/net/wireless/intel/iwlwifi/iwl-trans.h +++ b/drivers/net/wireless/intel/iwlwifi/iwl-trans.h @@ -1074,12 +1074,13 @@ int iwl_trans_read_config32(struct iwl_trans *trans, u32 ofs, void iwl_trans_debugfs_cleanup(struct iwl_trans *trans); #endif -#define iwl_trans_read_mem_bytes(trans, addr, buf, bufsize) \ - do { \ - if (__builtin_constant_p(bufsize)) \ - BUILD_BUG_ON((bufsize) % sizeof(u32)); \ - iwl_trans_read_mem(trans, addr, buf, (bufsize) / sizeof(u32));\ - } while (0) +#define iwl_trans_read_mem_bytes(trans, addr, buf, bufsize) \ + ({ \ + if (__builtin_constant_p(bufsize)) \ + BUILD_BUG_ON((bufsize) % sizeof(u32)); \ + iwl_trans_read_mem(trans, addr, buf, \ + (bufsize) / sizeof(u32)); \ + }) int iwl_trans_write_imr_mem(struct iwl_trans *trans, u32 dst_addr, u64 src_addr, u32 byte_cnt); diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c index 244ca8cab9d1..1a814eb6743e 100644 --- a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c +++ b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c @@ -3032,13 +3032,18 @@ static bool iwl_mvm_rt_status(struct iwl_trans *trans, u32 base, u32 *err_id) /* cf. struct iwl_error_event_table */ u32 valid; __le32 err_id; - } err_info; + } err_info = {}; + int ret; if (!base) return false; - iwl_trans_read_mem_bytes(trans, base, - &err_info, sizeof(err_info)); + ret = iwl_trans_read_mem_bytes(trans, base, + &err_info, sizeof(err_info)); + + if (ret) + return true; + if (err_info.valid && err_id) *err_id = le32_to_cpu(err_info.err_id); @@ -3635,22 +3640,31 @@ int iwl_mvm_fast_resume(struct iwl_mvm *mvm) iwl_fw_dbg_read_d3_debug_data(&mvm->fwrt); if (iwl_mvm_check_rt_status(mvm, NULL)) { + IWL_ERR(mvm, + "iwl_mvm_check_rt_status failed, device is gone during suspend\n"); set_bit(STATUS_FW_ERROR, &mvm->trans->status); iwl_mvm_dump_nic_error_log(mvm); iwl_dbg_tlv_time_point(&mvm->fwrt, IWL_FW_INI_TIME_POINT_FW_ASSERT, NULL); iwl_fw_dbg_collect_desc(&mvm->fwrt, &iwl_dump_desc_assert, false, 0); - return -ENODEV; + mvm->trans->state = IWL_TRANS_NO_FW; + ret = -ENODEV; + + goto out; } ret = iwl_mvm_d3_notif_wait(mvm, &d3_data); + + if (ret) { + IWL_ERR(mvm, "Couldn't get the d3 notif %d\n", ret); + mvm->trans->state = IWL_TRANS_NO_FW; + } + +out: clear_bit(IWL_MVM_STATUS_IN_D3, &mvm->status); mvm->trans->system_pm_mode = IWL_PLAT_PM_MODE_DISABLED; mvm->fast_resume = false; - if (ret) - IWL_ERR(mvm, "Couldn't get the d3 notif %d\n", ret); - return ret; } diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c index 3b9943eb6934..d19b3bd0866b 100644 --- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c +++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c @@ -1643,6 +1643,8 @@ int iwl_trans_pcie_d3_resume(struct iwl_trans *trans, out: if (*status == IWL_D3_STATUS_ALIVE) ret = iwl_pcie_d3_handshake(trans, false); + else + trans->state = IWL_TRANS_NO_FW; return ret; } -- 2.47.1

10 months, 2 weeks

3
2
0 0

[PATCH] Revert "drm/mediatek: Switch to for_each_child_of_node_scoped()"

by Chun-Kuang Hu

This reverts commit fd620fc25d88a1e490eaa9f72bc31962be1b4741. Boot failures reported by KernelCI: [ 4.395400] mediatek-drm mediatek-drm.5.auto: bound 1c014000.merge (ops 0xffffd35fd12975f8) [ 4.396155] mediatek-drm mediatek-drm.5.auto: bound 1c000000.ovl (ops 0xffffd35fd12977b8) [ 4.411951] mediatek-drm mediatek-drm.5.auto: bound 1c002000.rdma (ops 0xffffd35fd12989c0) [ 4.536837] mediatek-drm mediatek-drm.5.auto: bound 1c004000.ccorr (ops 0xffffd35fd1296cf0) [ 4.545181] mediatek-drm mediatek-drm.5.auto: bound 1c005000.aal (ops 0xffffd35fd1296a80) [ 4.553344] mediatek-drm mediatek-drm.5.auto: bound 1c006000.gamma (ops 0xffffd35fd12972b0) [ 4.561680] mediatek-drm mediatek-drm.5.auto: bound 1c014000.merge (ops 0xffffd35fd12975f8) [ 4.570025] ------------[ cut here ]------------ [ 4.574630] refcount_t: underflow; use-after-free. [ 4.579416] WARNING: CPU: 6 PID: 81 at lib/refcount.c:28 refcount_warn_saturate+0xf4/0x148 [ 4.587670] Modules linked in: [ 4.590714] CPU: 6 UID: 0 PID: 81 Comm: kworker/u32:3 Tainted: G W 6.12.0 #1 cab58e2e59020ebd4be8ada89a65f465a316c742 [ 4.602695] Tainted: [W]=WARN [ 4.605649] Hardware name: Acer Tomato (rev2) board (DT) [ 4.610947] Workqueue: events_unbound deferred_probe_work_func [ 4.616768] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 4.623715] pc : refcount_warn_saturate+0xf4/0x148 [ 4.628493] lr : refcount_warn_saturate+0xf4/0x148 [ 4.633270] sp : ffff8000807639c0 [ 4.636571] x29: ffff8000807639c0 x28: ffff34ff4116c640 x27: ffff34ff4368e080 [ 4.643693] x26: ffffd35fd1299ac8 x25: ffff34ff46c8c410 x24: 0000000000000000 [ 4.650814] x23: ffff34ff4368e080 x22: 00000000fffffdfb x21: 0000000000000002 [ 4.657934] x20: ffff34ff470c6000 x19: ffff34ff410c7c10 x18: 0000000000000006 [ 4.665055] x17: 666678302073706f x16: 2820656772656d2e x15: ffff800080763440 [ 4.672176] x14: 0000000000000000 x13: 2e656572662d7265 x12: ffffd35fd2ed14f0 [ 4.679297] x11: 0000000000000001 x10: 0000000000000001 x9 : ffffd35fd0342150 [ 4.686418] x8 : c0000000ffffdfff x7 : ffffd35fd2e21450 x6 : 00000000000affa8 [ 4.693539] x5 : ffffd35fd2ed1498 x4 : 0000000000000000 x3 : 0000000000000000 [ 4.700660] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff34ff40932580 [ 4.707781] Call trace: [ 4.710216] refcount_warn_saturate+0xf4/0x148 (P) [ 4.714993] refcount_warn_saturate+0xf4/0x148 (L) [ 4.719772] kobject_put+0x110/0x118 [ 4.723335] put_device+0x1c/0x38 [ 4.726638] mtk_drm_bind+0x294/0x5c0 [ 4.730289] try_to_bring_up_aggregate_device+0x16c/0x1e0 [ 4.735673] __component_add+0xbc/0x1c0 [ 4.739495] component_add+0x1c/0x30 [ 4.743058] mtk_disp_rdma_probe+0x140/0x210 [ 4.747314] platform_probe+0x70/0xd0 [ 4.750964] really_probe+0xc4/0x2a8 [ 4.754527] __driver_probe_device+0x80/0x140 [ 4.758870] driver_probe_device+0x44/0x120 [ 4.763040] __device_attach_driver+0xc0/0x108 [ 4.767470] bus_for_each_drv+0x8c/0xf0 [ 4.771294] __device_attach+0xa4/0x198 [ 4.775117] device_initial_probe+0x1c/0x30 [ 4.779286] bus_probe_device+0xb4/0xc0 [ 4.783109] deferred_probe_work_func+0xb0/0x100 [ 4.787714] process_one_work+0x18c/0x420 [ 4.791712] worker_thread+0x30c/0x418 [ 4.795449] kthread+0x128/0x138 [ 4.798665] ret_from_fork+0x10/0x20 [ 4.802229] ---[ end trace 0000000000000000 ]--- Fixes: fd620fc25d88 ("drm/mediatek: Switch to for_each_child_of_node_scoped()") Cc: stable(a)vger.kernel.org Cc: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Reported-by: Sasha Levin <sashal(a)kernel.org> Closes: https://lore.kernel.org/lkml/Z0lNHdwQ3rODHQ2c@sashalap/T/#mfaa6343cfd4d59aa… Signed-off-by: Chun-Kuang Hu <chunkuang.hu(a)kernel.org> --- drivers/gpu/drm/mediatek/mtk_drm_drv.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c index 9a8ef8558da9..12cf3d9872ea 100644 --- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c +++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c @@ -373,11 +373,12 @@ static bool mtk_drm_get_all_drm_priv(struct device *dev) struct mtk_drm_private *temp_drm_priv; struct device_node *phandle = dev->parent->of_node; const struct of_device_id *of_id; + struct device_node *node; struct device *drm_dev; unsigned int cnt = 0; int i, j; - for_each_child_of_node_scoped(phandle->parent, node) { + for_each_child_of_node(phandle->parent, node) { struct platform_device *pdev; of_id = of_match_node(mtk_drm_of_ids, node); @@ -406,8 +407,10 @@ static bool mtk_drm_get_all_drm_priv(struct device *dev) if (temp_drm_priv->mtk_drm_bound) cnt++; - if (cnt == MAX_CRTC) + if (cnt == MAX_CRTC) { + of_node_put(node); break; + } } if (drm_priv->data->mmsys_dev_num == cnt) { -- 2.34.1

10 months, 2 weeks

1
0
0 0

[PATCH 6.6 0/3] Fix PPS channel routing

by Csókás, Bence

On certain i.MX8 series parts [1], the PPS channel 0 is routed internally to eDMA, and the external PPS pin is available on channel 1. In addition, on certain boards, the PPS may be wired on the PCB to an EVENTOUTn pin other than 0. On these systems it is necessary that the PPS channel be able to be configured from the Device Tree. [1] https://lore.kernel.org/all/ZrPYOWA3FESx197L@lizhi-Precision-Tower-5810/ Now that these patches are applied to 6.12.y, it is time to include it in the upcoming 6.6.67. This series is picked onto 6.6.66. Francesco Dolcini (3): dt-bindings: net: fec: add pps channel property net: fec: refactor PPS channel configuration net: fec: make PPS channel configurable Documentation/devicetree/bindings/net/fsl,fec.yaml | 7 +++++++ drivers/net/ethernet/freescale/fec_ptp.c | 11 ++++++----- 2 files changed, 13 insertions(+), 5 deletions(-) -- 2.34.1

10 months, 2 weeks

2
4
0 0

6.6-stable backports

by Jens Axboe

Hi, Can you guys queue up these patches for 6.6-stable? Thanks! -- Jens Axboe

10 months, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] of: address: Preserve the flags portion on 1:1 dma-ranges" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 7f05e20b989ac33c9c0f8c2028ec0a566493548f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122321-region-charger-ed44@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7f05e20b989ac33c9c0f8c2028ec0a566493548f Mon Sep 17 00:00:00 2001 From: Andrea della Porta <andrea.porta(a)suse.com> Date: Sun, 24 Nov 2024 11:05:37 +0100 Subject: [PATCH] of: address: Preserve the flags portion on 1:1 dma-ranges mapping A missing or empty dma-ranges in a DT node implies a 1:1 mapping for dma translations. In this specific case, the current behaviour is to zero out the entire specifier so that the translation could be carried on as an offset from zero. This includes address specifier that has flags (e.g. PCI ranges). Once the flags portion has been zeroed, the translation chain is broken since the mapping functions will check the upcoming address specifier against mismatching flags, always failing the 1:1 mapping and its entire purpose of always succeeding. Set to zero only the address portion while passing the flags through. Fixes: dbbdee94734b ("of/address: Merge all of the bus translation code") Cc: stable(a)vger.kernel.org Signed-off-by: Andrea della Porta <andrea.porta(a)suse.com> Tested-by: Herve Codina <herve.codina(a)bootlin.com> Link: https://lore.kernel.org/r/e51ae57874e58a9b349c35e2e877425ebc075d7a.17324418… Signed-off-by: Rob Herring (Arm) <robh(a)kernel.org> diff --git a/drivers/of/address.c b/drivers/of/address.c index c5b925ac469f..5b7ee3ed5296 100644 --- a/drivers/of/address.c +++ b/drivers/of/address.c @@ -459,7 +459,8 @@ static int of_translate_one(const struct device_node *parent, const struct of_bu } if (ranges == NULL || rlen == 0) { offset = of_read_number(addr, na); - memset(addr, 0, pna * 4); + /* set address to zero, pass flags through */ + memset(addr + pbus->flag_cells, 0, (pna - pbus->flag_cells) * 4); pr_debug("empty ranges; 1:1 translation\n"); goto finish; }

10 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] of: address: Preserve the flags portion on 1:1 dma-ranges" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 7f05e20b989ac33c9c0f8c2028ec0a566493548f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122321-uptake-awhile-44ab@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7f05e20b989ac33c9c0f8c2028ec0a566493548f Mon Sep 17 00:00:00 2001 From: Andrea della Porta <andrea.porta(a)suse.com> Date: Sun, 24 Nov 2024 11:05:37 +0100 Subject: [PATCH] of: address: Preserve the flags portion on 1:1 dma-ranges mapping A missing or empty dma-ranges in a DT node implies a 1:1 mapping for dma translations. In this specific case, the current behaviour is to zero out the entire specifier so that the translation could be carried on as an offset from zero. This includes address specifier that has flags (e.g. PCI ranges). Once the flags portion has been zeroed, the translation chain is broken since the mapping functions will check the upcoming address specifier against mismatching flags, always failing the 1:1 mapping and its entire purpose of always succeeding. Set to zero only the address portion while passing the flags through. Fixes: dbbdee94734b ("of/address: Merge all of the bus translation code") Cc: stable(a)vger.kernel.org Signed-off-by: Andrea della Porta <andrea.porta(a)suse.com> Tested-by: Herve Codina <herve.codina(a)bootlin.com> Link: https://lore.kernel.org/r/e51ae57874e58a9b349c35e2e877425ebc075d7a.17324418… Signed-off-by: Rob Herring (Arm) <robh(a)kernel.org> diff --git a/drivers/of/address.c b/drivers/of/address.c index c5b925ac469f..5b7ee3ed5296 100644 --- a/drivers/of/address.c +++ b/drivers/of/address.c @@ -459,7 +459,8 @@ static int of_translate_one(const struct device_node *parent, const struct of_bu } if (ranges == NULL || rlen == 0) { offset = of_read_number(addr, na); - memset(addr, 0, pna * 4); + /* set address to zero, pass flags through */ + memset(addr + pbus->flag_cells, 0, (pna - pbus->flag_cells) * 4); pr_debug("empty ranges; 1:1 translation\n"); goto finish; }

10 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] of: address: Preserve the flags portion on 1:1 dma-ranges" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 7f05e20b989ac33c9c0f8c2028ec0a566493548f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122356-overdress-spoiler-5b36@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7f05e20b989ac33c9c0f8c2028ec0a566493548f Mon Sep 17 00:00:00 2001 From: Andrea della Porta <andrea.porta(a)suse.com> Date: Sun, 24 Nov 2024 11:05:37 +0100 Subject: [PATCH] of: address: Preserve the flags portion on 1:1 dma-ranges mapping A missing or empty dma-ranges in a DT node implies a 1:1 mapping for dma translations. In this specific case, the current behaviour is to zero out the entire specifier so that the translation could be carried on as an offset from zero. This includes address specifier that has flags (e.g. PCI ranges). Once the flags portion has been zeroed, the translation chain is broken since the mapping functions will check the upcoming address specifier against mismatching flags, always failing the 1:1 mapping and its entire purpose of always succeeding. Set to zero only the address portion while passing the flags through. Fixes: dbbdee94734b ("of/address: Merge all of the bus translation code") Cc: stable(a)vger.kernel.org Signed-off-by: Andrea della Porta <andrea.porta(a)suse.com> Tested-by: Herve Codina <herve.codina(a)bootlin.com> Link: https://lore.kernel.org/r/e51ae57874e58a9b349c35e2e877425ebc075d7a.17324418… Signed-off-by: Rob Herring (Arm) <robh(a)kernel.org> diff --git a/drivers/of/address.c b/drivers/of/address.c index c5b925ac469f..5b7ee3ed5296 100644 --- a/drivers/of/address.c +++ b/drivers/of/address.c @@ -459,7 +459,8 @@ static int of_translate_one(const struct device_node *parent, const struct of_bu } if (ranges == NULL || rlen == 0) { offset = of_read_number(addr, na); - memset(addr, 0, pna * 4); + /* set address to zero, pass flags through */ + memset(addr + pbus->flag_cells, 0, (pna - pbus->flag_cells) * 4); pr_debug("empty ranges; 1:1 translation\n"); goto finish; }

10 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] of: address: Preserve the flags portion on 1:1 dma-ranges" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 7f05e20b989ac33c9c0f8c2028ec0a566493548f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122356-zen-badland-29c9@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7f05e20b989ac33c9c0f8c2028ec0a566493548f Mon Sep 17 00:00:00 2001 From: Andrea della Porta <andrea.porta(a)suse.com> Date: Sun, 24 Nov 2024 11:05:37 +0100 Subject: [PATCH] of: address: Preserve the flags portion on 1:1 dma-ranges mapping A missing or empty dma-ranges in a DT node implies a 1:1 mapping for dma translations. In this specific case, the current behaviour is to zero out the entire specifier so that the translation could be carried on as an offset from zero. This includes address specifier that has flags (e.g. PCI ranges). Once the flags portion has been zeroed, the translation chain is broken since the mapping functions will check the upcoming address specifier against mismatching flags, always failing the 1:1 mapping and its entire purpose of always succeeding. Set to zero only the address portion while passing the flags through. Fixes: dbbdee94734b ("of/address: Merge all of the bus translation code") Cc: stable(a)vger.kernel.org Signed-off-by: Andrea della Porta <andrea.porta(a)suse.com> Tested-by: Herve Codina <herve.codina(a)bootlin.com> Link: https://lore.kernel.org/r/e51ae57874e58a9b349c35e2e877425ebc075d7a.17324418… Signed-off-by: Rob Herring (Arm) <robh(a)kernel.org> diff --git a/drivers/of/address.c b/drivers/of/address.c index c5b925ac469f..5b7ee3ed5296 100644 --- a/drivers/of/address.c +++ b/drivers/of/address.c @@ -459,7 +459,8 @@ static int of_translate_one(const struct device_node *parent, const struct of_bu } if (ranges == NULL || rlen == 0) { offset = of_read_number(addr, na); - memset(addr, 0, pna * 4); + /* set address to zero, pass flags through */ + memset(addr + pbus->flag_cells, 0, (pna - pbus->flag_cells) * 4); pr_debug("empty ranges; 1:1 translation\n"); goto finish; }

10 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] of: address: Preserve the flags portion on 1:1 dma-ranges" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 7f05e20b989ac33c9c0f8c2028ec0a566493548f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122347-fiscally-slacks-e686@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7f05e20b989ac33c9c0f8c2028ec0a566493548f Mon Sep 17 00:00:00 2001 From: Andrea della Porta <andrea.porta(a)suse.com> Date: Sun, 24 Nov 2024 11:05:37 +0100 Subject: [PATCH] of: address: Preserve the flags portion on 1:1 dma-ranges mapping A missing or empty dma-ranges in a DT node implies a 1:1 mapping for dma translations. In this specific case, the current behaviour is to zero out the entire specifier so that the translation could be carried on as an offset from zero. This includes address specifier that has flags (e.g. PCI ranges). Once the flags portion has been zeroed, the translation chain is broken since the mapping functions will check the upcoming address specifier against mismatching flags, always failing the 1:1 mapping and its entire purpose of always succeeding. Set to zero only the address portion while passing the flags through. Fixes: dbbdee94734b ("of/address: Merge all of the bus translation code") Cc: stable(a)vger.kernel.org Signed-off-by: Andrea della Porta <andrea.porta(a)suse.com> Tested-by: Herve Codina <herve.codina(a)bootlin.com> Link: https://lore.kernel.org/r/e51ae57874e58a9b349c35e2e877425ebc075d7a.17324418… Signed-off-by: Rob Herring (Arm) <robh(a)kernel.org> diff --git a/drivers/of/address.c b/drivers/of/address.c index c5b925ac469f..5b7ee3ed5296 100644 --- a/drivers/of/address.c +++ b/drivers/of/address.c @@ -459,7 +459,8 @@ static int of_translate_one(const struct device_node *parent, const struct of_bu } if (ranges == NULL || rlen == 0) { offset = of_read_number(addr, na); - memset(addr, 0, pna * 4); + /* set address to zero, pass flags through */ + memset(addr + pbus->flag_cells, 0, (pna - pbus->flag_cells) * 4); pr_debug("empty ranges; 1:1 translation\n"); goto finish; }

10 months, 2 weeks

1
0
0 0

[PATCH stable] udf: Fix directory iteration for longer tail extents

by Shreenidhi Shedi

Hello, Please consider applying the following patch to the 6.1.y stable tree. Commit: 1ea1cd11c72d1405a6b98440a9d5ea82dfa07166 Subject: udf: Fix directory iteration for longer tail extents Kernel Versions: 6.1.y Reason for inclusion: This patch resolves a performance issue that slows down directory traversal in UDF ISO images. The problem affects systems running kernel version 6.1.y. The fix has been merged into the mainline as commit 1ea1cd11c. No prep patches are needed. Link to upstream commit: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -- Shedi

10 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] ceph: fix memory leak in ceph_direct_read_write()" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 66e0c4f91461d17d48071695271c824620bed4ef # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122357-underuse-trousers-8f4d@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 66e0c4f91461d17d48071695271c824620bed4ef Mon Sep 17 00:00:00 2001 From: Ilya Dryomov <idryomov(a)gmail.com> Date: Fri, 6 Dec 2024 17:32:59 +0100 Subject: [PATCH] ceph: fix memory leak in ceph_direct_read_write() The bvecs array which is allocated in iter_get_bvecs_alloc() is leaked and pages remain pinned if ceph_alloc_sparse_ext_map() fails. There is no need to delay the allocation of sparse_ext map until after the bvecs array is set up, so fix this by moving sparse_ext allocation a bit earlier. Also, make a similar adjustment in __ceph_sync_read() for consistency (a leak of the same kind in __ceph_sync_read() has been addressed differently). Cc: stable(a)vger.kernel.org Fixes: 03bc06c7b0bd ("ceph: add new mount option to enable sparse reads") Signed-off-by: Ilya Dryomov <idryomov(a)gmail.com> Reviewed-by: Alex Markuze <amarkuze(a)redhat.com> diff --git a/fs/ceph/file.c b/fs/ceph/file.c index 8e0400d461a2..67468d88f139 100644 --- a/fs/ceph/file.c +++ b/fs/ceph/file.c @@ -1116,6 +1116,16 @@ ssize_t __ceph_sync_read(struct inode *inode, loff_t *ki_pos, len = read_off + read_len - off; more = len < iov_iter_count(to); + op = &req->r_ops[0]; + if (sparse) { + extent_cnt = __ceph_sparse_read_ext_count(inode, read_len); + ret = ceph_alloc_sparse_ext_map(op, extent_cnt); + if (ret) { + ceph_osdc_put_request(req); + break; + } + } + num_pages = calc_pages_for(read_off, read_len); page_off = offset_in_page(off); pages = ceph_alloc_page_vector(num_pages, GFP_KERNEL); @@ -1129,16 +1139,6 @@ ssize_t __ceph_sync_read(struct inode *inode, loff_t *ki_pos, offset_in_page(read_off), false, true); - op = &req->r_ops[0]; - if (sparse) { - extent_cnt = __ceph_sparse_read_ext_count(inode, read_len); - ret = ceph_alloc_sparse_ext_map(op, extent_cnt); - if (ret) { - ceph_osdc_put_request(req); - break; - } - } - ceph_osdc_start_request(osdc, req); ret = ceph_osdc_wait_request(osdc, req); @@ -1551,6 +1551,16 @@ ceph_direct_read_write(struct kiocb *iocb, struct iov_iter *iter, break; } + op = &req->r_ops[0]; + if (sparse) { + extent_cnt = __ceph_sparse_read_ext_count(inode, size); + ret = ceph_alloc_sparse_ext_map(op, extent_cnt); + if (ret) { + ceph_osdc_put_request(req); + break; + } + } + len = iter_get_bvecs_alloc(iter, size, &bvecs, &num_pages); if (len < 0) { ceph_osdc_put_request(req); @@ -1560,6 +1570,8 @@ ceph_direct_read_write(struct kiocb *iocb, struct iov_iter *iter, if (len != size) osd_req_op_extent_update(req, 0, len); + osd_req_op_extent_osd_data_bvecs(req, 0, bvecs, num_pages, len); + /* * To simplify error handling, allow AIO when IO within i_size * or IO can be satisfied by single OSD request. @@ -1591,17 +1603,6 @@ ceph_direct_read_write(struct kiocb *iocb, struct iov_iter *iter, req->r_mtime = mtime; } - osd_req_op_extent_osd_data_bvecs(req, 0, bvecs, num_pages, len); - op = &req->r_ops[0]; - if (sparse) { - extent_cnt = __ceph_sparse_read_ext_count(inode, size); - ret = ceph_alloc_sparse_ext_map(op, extent_cnt); - if (ret) { - ceph_osdc_put_request(req); - break; - } - } - if (aio_req) { aio_req->total_len += len; aio_req->num_reqs++;

10 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] of: property: fw_devlink: Do not use interrupt-parent" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x bc7acc0bd0f94c26bc0defc902311794a3d0fae9 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122323-online-freemason-996f@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From bc7acc0bd0f94c26bc0defc902311794a3d0fae9 Mon Sep 17 00:00:00 2001 From: Samuel Holland <samuel.holland(a)sifive.com> Date: Wed, 20 Nov 2024 15:31:16 -0800 Subject: [PATCH] of: property: fw_devlink: Do not use interrupt-parent directly commit 7f00be96f125 ("of: property: Add device link support for interrupt-parent, dmas and -gpio(s)") started adding device links for the interrupt-parent property. commit 4104ca776ba3 ("of: property: Add fw_devlink support for interrupts") and commit f265f06af194 ("of: property: Fix fw_devlink handling of interrupts/interrupts-extended") later added full support for parsing the interrupts and interrupts-extended properties, which includes looking up the node of the parent domain. This made the handler for the interrupt-parent property redundant. In fact, creating device links based solely on interrupt-parent is problematic, because it can create spurious cycles. A node may have this property without itself being an interrupt controller or consumer. For example, this property is often present in the root node or a /soc bus node to set the default interrupt parent for child nodes. However, it is incorrect for the bus to depend on the interrupt controller, as some of the bus's children may not be interrupt consumers at all or may have a different interrupt parent. Resolving these spurious dependency cycles can cause an incorrect probe order for interrupt controller drivers. This was observed on a RISC-V system with both an APLIC and IMSIC under /soc, where interrupt-parent in /soc points to the APLIC, and the APLIC msi-parent points to the IMSIC. fw_devlink found three dependency cycles and attempted to probe the APLIC before the IMSIC. After applying this patch, there were no dependency cycles and the probe order was correct. Acked-by: Marc Zyngier <maz(a)kernel.org> Cc: stable(a)vger.kernel.org Fixes: 4104ca776ba3 ("of: property: Add fw_devlink support for interrupts") Signed-off-by: Samuel Holland <samuel.holland(a)sifive.com> Link: https://lore.kernel.org/r/20241120233124.3649382-1-samuel.holland@sifive.com Signed-off-by: Rob Herring (Arm) <robh(a)kernel.org> diff --git a/drivers/of/property.c b/drivers/of/property.c index 519bf9229e61..cfc8aea002e4 100644 --- a/drivers/of/property.c +++ b/drivers/of/property.c @@ -1286,7 +1286,6 @@ DEFINE_SIMPLE_PROP(iommus, "iommus", "#iommu-cells") DEFINE_SIMPLE_PROP(mboxes, "mboxes", "#mbox-cells") DEFINE_SIMPLE_PROP(io_channels, "io-channels", "#io-channel-cells") DEFINE_SIMPLE_PROP(io_backends, "io-backends", "#io-backend-cells") -DEFINE_SIMPLE_PROP(interrupt_parent, "interrupt-parent", NULL) DEFINE_SIMPLE_PROP(dmas, "dmas", "#dma-cells") DEFINE_SIMPLE_PROP(power_domains, "power-domains", "#power-domain-cells") DEFINE_SIMPLE_PROP(hwlocks, "hwlocks", "#hwlock-cells") @@ -1432,7 +1431,6 @@ static const struct supplier_bindings of_supplier_bindings[] = { { .parse_prop = parse_mboxes, }, { .parse_prop = parse_io_channels, }, { .parse_prop = parse_io_backends, }, - { .parse_prop = parse_interrupt_parent, }, { .parse_prop = parse_dmas, .optional = true, }, { .parse_prop = parse_power_domains, }, { .parse_prop = parse_hwlocks, },

10 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] of: property: fw_devlink: Do not use interrupt-parent" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x bc7acc0bd0f94c26bc0defc902311794a3d0fae9 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122322-tartly-crowbar-8f79@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From bc7acc0bd0f94c26bc0defc902311794a3d0fae9 Mon Sep 17 00:00:00 2001 From: Samuel Holland <samuel.holland(a)sifive.com> Date: Wed, 20 Nov 2024 15:31:16 -0800 Subject: [PATCH] of: property: fw_devlink: Do not use interrupt-parent directly commit 7f00be96f125 ("of: property: Add device link support for interrupt-parent, dmas and -gpio(s)") started adding device links for the interrupt-parent property. commit 4104ca776ba3 ("of: property: Add fw_devlink support for interrupts") and commit f265f06af194 ("of: property: Fix fw_devlink handling of interrupts/interrupts-extended") later added full support for parsing the interrupts and interrupts-extended properties, which includes looking up the node of the parent domain. This made the handler for the interrupt-parent property redundant. In fact, creating device links based solely on interrupt-parent is problematic, because it can create spurious cycles. A node may have this property without itself being an interrupt controller or consumer. For example, this property is often present in the root node or a /soc bus node to set the default interrupt parent for child nodes. However, it is incorrect for the bus to depend on the interrupt controller, as some of the bus's children may not be interrupt consumers at all or may have a different interrupt parent. Resolving these spurious dependency cycles can cause an incorrect probe order for interrupt controller drivers. This was observed on a RISC-V system with both an APLIC and IMSIC under /soc, where interrupt-parent in /soc points to the APLIC, and the APLIC msi-parent points to the IMSIC. fw_devlink found three dependency cycles and attempted to probe the APLIC before the IMSIC. After applying this patch, there were no dependency cycles and the probe order was correct. Acked-by: Marc Zyngier <maz(a)kernel.org> Cc: stable(a)vger.kernel.org Fixes: 4104ca776ba3 ("of: property: Add fw_devlink support for interrupts") Signed-off-by: Samuel Holland <samuel.holland(a)sifive.com> Link: https://lore.kernel.org/r/20241120233124.3649382-1-samuel.holland@sifive.com Signed-off-by: Rob Herring (Arm) <robh(a)kernel.org> diff --git a/drivers/of/property.c b/drivers/of/property.c index 519bf9229e61..cfc8aea002e4 100644 --- a/drivers/of/property.c +++ b/drivers/of/property.c @@ -1286,7 +1286,6 @@ DEFINE_SIMPLE_PROP(iommus, "iommus", "#iommu-cells") DEFINE_SIMPLE_PROP(mboxes, "mboxes", "#mbox-cells") DEFINE_SIMPLE_PROP(io_channels, "io-channels", "#io-channel-cells") DEFINE_SIMPLE_PROP(io_backends, "io-backends", "#io-backend-cells") -DEFINE_SIMPLE_PROP(interrupt_parent, "interrupt-parent", NULL) DEFINE_SIMPLE_PROP(dmas, "dmas", "#dma-cells") DEFINE_SIMPLE_PROP(power_domains, "power-domains", "#power-domain-cells") DEFINE_SIMPLE_PROP(hwlocks, "hwlocks", "#hwlock-cells") @@ -1432,7 +1431,6 @@ static const struct supplier_bindings of_supplier_bindings[] = { { .parse_prop = parse_mboxes, }, { .parse_prop = parse_io_channels, }, { .parse_prop = parse_io_backends, }, - { .parse_prop = parse_interrupt_parent, }, { .parse_prop = parse_dmas, .optional = true, }, { .parse_prop = parse_power_domains, }, { .parse_prop = parse_hwlocks, },

10 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] of: property: fw_devlink: Do not use interrupt-parent" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x bc7acc0bd0f94c26bc0defc902311794a3d0fae9 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122321-plug-barrel-3b60@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From bc7acc0bd0f94c26bc0defc902311794a3d0fae9 Mon Sep 17 00:00:00 2001 From: Samuel Holland <samuel.holland(a)sifive.com> Date: Wed, 20 Nov 2024 15:31:16 -0800 Subject: [PATCH] of: property: fw_devlink: Do not use interrupt-parent directly commit 7f00be96f125 ("of: property: Add device link support for interrupt-parent, dmas and -gpio(s)") started adding device links for the interrupt-parent property. commit 4104ca776ba3 ("of: property: Add fw_devlink support for interrupts") and commit f265f06af194 ("of: property: Fix fw_devlink handling of interrupts/interrupts-extended") later added full support for parsing the interrupts and interrupts-extended properties, which includes looking up the node of the parent domain. This made the handler for the interrupt-parent property redundant. In fact, creating device links based solely on interrupt-parent is problematic, because it can create spurious cycles. A node may have this property without itself being an interrupt controller or consumer. For example, this property is often present in the root node or a /soc bus node to set the default interrupt parent for child nodes. However, it is incorrect for the bus to depend on the interrupt controller, as some of the bus's children may not be interrupt consumers at all or may have a different interrupt parent. Resolving these spurious dependency cycles can cause an incorrect probe order for interrupt controller drivers. This was observed on a RISC-V system with both an APLIC and IMSIC under /soc, where interrupt-parent in /soc points to the APLIC, and the APLIC msi-parent points to the IMSIC. fw_devlink found three dependency cycles and attempted to probe the APLIC before the IMSIC. After applying this patch, there were no dependency cycles and the probe order was correct. Acked-by: Marc Zyngier <maz(a)kernel.org> Cc: stable(a)vger.kernel.org Fixes: 4104ca776ba3 ("of: property: Add fw_devlink support for interrupts") Signed-off-by: Samuel Holland <samuel.holland(a)sifive.com> Link: https://lore.kernel.org/r/20241120233124.3649382-1-samuel.holland@sifive.com Signed-off-by: Rob Herring (Arm) <robh(a)kernel.org> diff --git a/drivers/of/property.c b/drivers/of/property.c index 519bf9229e61..cfc8aea002e4 100644 --- a/drivers/of/property.c +++ b/drivers/of/property.c @@ -1286,7 +1286,6 @@ DEFINE_SIMPLE_PROP(iommus, "iommus", "#iommu-cells") DEFINE_SIMPLE_PROP(mboxes, "mboxes", "#mbox-cells") DEFINE_SIMPLE_PROP(io_channels, "io-channels", "#io-channel-cells") DEFINE_SIMPLE_PROP(io_backends, "io-backends", "#io-backend-cells") -DEFINE_SIMPLE_PROP(interrupt_parent, "interrupt-parent", NULL) DEFINE_SIMPLE_PROP(dmas, "dmas", "#dma-cells") DEFINE_SIMPLE_PROP(power_domains, "power-domains", "#power-domain-cells") DEFINE_SIMPLE_PROP(hwlocks, "hwlocks", "#hwlock-cells") @@ -1432,7 +1431,6 @@ static const struct supplier_bindings of_supplier_bindings[] = { { .parse_prop = parse_mboxes, }, { .parse_prop = parse_io_channels, }, { .parse_prop = parse_io_backends, }, - { .parse_prop = parse_interrupt_parent, }, { .parse_prop = parse_dmas, .optional = true, }, { .parse_prop = parse_power_domains, }, { .parse_prop = parse_hwlocks, },

10 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] udmabuf: fix racy memfd sealing check" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 9cb189a882738c1d28b349d4e7c6a1ef9b3d8f87 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122349-unhinge-seduce-70ff@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9cb189a882738c1d28b349d4e7c6a1ef9b3d8f87 Mon Sep 17 00:00:00 2001 From: Jann Horn <jannh(a)google.com> Date: Wed, 4 Dec 2024 17:26:19 +0100 Subject: [PATCH] udmabuf: fix racy memfd sealing check The current check_memfd_seals() is racy: Since we first do check_memfd_seals() and then udmabuf_pin_folios() without holding any relevant lock across both, F_SEAL_WRITE can be set in between. This is problematic because we can end up holding pins to pages in a write-sealed memfd. Fix it using the inode lock, that's probably the easiest way. In the future, we might want to consider moving this logic into memfd, especially if anyone else wants to use memfd_pin_folios(). Reported-by: Julian Orth <ju.orth(a)gmail.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219106 Closes: https://lore.kernel.org/r/CAG48ez0w8HrFEZtJkfmkVKFDhE5aP7nz=obrimeTgpD+StkV… Fixes: fbb0de795078 ("Add udmabuf misc device") Cc: stable(a)vger.kernel.org Signed-off-by: Jann Horn <jannh(a)google.com> Acked-by: Joel Fernandes (Google) <joel(a)joelfernandes.org> Acked-by: Vivek Kasireddy <vivek.kasireddy(a)intel.com> Signed-off-by: Vivek Kasireddy <vivek.kasireddy(a)intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20241204-udmabuf-fixes-v2-1-2… diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c index 8ce1f074c2d3..c1d8c2766d6d 100644 --- a/drivers/dma-buf/udmabuf.c +++ b/drivers/dma-buf/udmabuf.c @@ -436,14 +436,19 @@ static long udmabuf_create(struct miscdevice *device, goto err; } + /* + * Take the inode lock to protect against concurrent + * memfd_add_seals(), which takes this lock in write mode. + */ + inode_lock_shared(file_inode(memfd)); ret = check_memfd_seals(memfd); - if (ret < 0) { - fput(memfd); - goto err; - } + if (ret) + goto out_unlock; ret = udmabuf_pin_folios(ubuf, memfd, list[i].offset, list[i].size, folios); +out_unlock: + inode_unlock_shared(file_inode(memfd)); fput(memfd); if (ret) goto err;

10 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] udmabuf: fix racy memfd sealing check" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 9cb189a882738c1d28b349d4e7c6a1ef9b3d8f87 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122349-avalanche-wriggle-a30e@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9cb189a882738c1d28b349d4e7c6a1ef9b3d8f87 Mon Sep 17 00:00:00 2001 From: Jann Horn <jannh(a)google.com> Date: Wed, 4 Dec 2024 17:26:19 +0100 Subject: [PATCH] udmabuf: fix racy memfd sealing check The current check_memfd_seals() is racy: Since we first do check_memfd_seals() and then udmabuf_pin_folios() without holding any relevant lock across both, F_SEAL_WRITE can be set in between. This is problematic because we can end up holding pins to pages in a write-sealed memfd. Fix it using the inode lock, that's probably the easiest way. In the future, we might want to consider moving this logic into memfd, especially if anyone else wants to use memfd_pin_folios(). Reported-by: Julian Orth <ju.orth(a)gmail.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219106 Closes: https://lore.kernel.org/r/CAG48ez0w8HrFEZtJkfmkVKFDhE5aP7nz=obrimeTgpD+StkV… Fixes: fbb0de795078 ("Add udmabuf misc device") Cc: stable(a)vger.kernel.org Signed-off-by: Jann Horn <jannh(a)google.com> Acked-by: Joel Fernandes (Google) <joel(a)joelfernandes.org> Acked-by: Vivek Kasireddy <vivek.kasireddy(a)intel.com> Signed-off-by: Vivek Kasireddy <vivek.kasireddy(a)intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20241204-udmabuf-fixes-v2-1-2… diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c index 8ce1f074c2d3..c1d8c2766d6d 100644 --- a/drivers/dma-buf/udmabuf.c +++ b/drivers/dma-buf/udmabuf.c @@ -436,14 +436,19 @@ static long udmabuf_create(struct miscdevice *device, goto err; } + /* + * Take the inode lock to protect against concurrent + * memfd_add_seals(), which takes this lock in write mode. + */ + inode_lock_shared(file_inode(memfd)); ret = check_memfd_seals(memfd); - if (ret < 0) { - fput(memfd); - goto err; - } + if (ret) + goto out_unlock; ret = udmabuf_pin_folios(ubuf, memfd, list[i].offset, list[i].size, folios); +out_unlock: + inode_unlock_shared(file_inode(memfd)); fput(memfd); if (ret) goto err;

10 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] udmabuf: fix racy memfd sealing check" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 9cb189a882738c1d28b349d4e7c6a1ef9b3d8f87 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122348-endeared-emptier-9ba3@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9cb189a882738c1d28b349d4e7c6a1ef9b3d8f87 Mon Sep 17 00:00:00 2001 From: Jann Horn <jannh(a)google.com> Date: Wed, 4 Dec 2024 17:26:19 +0100 Subject: [PATCH] udmabuf: fix racy memfd sealing check The current check_memfd_seals() is racy: Since we first do check_memfd_seals() and then udmabuf_pin_folios() without holding any relevant lock across both, F_SEAL_WRITE can be set in between. This is problematic because we can end up holding pins to pages in a write-sealed memfd. Fix it using the inode lock, that's probably the easiest way. In the future, we might want to consider moving this logic into memfd, especially if anyone else wants to use memfd_pin_folios(). Reported-by: Julian Orth <ju.orth(a)gmail.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219106 Closes: https://lore.kernel.org/r/CAG48ez0w8HrFEZtJkfmkVKFDhE5aP7nz=obrimeTgpD+StkV… Fixes: fbb0de795078 ("Add udmabuf misc device") Cc: stable(a)vger.kernel.org Signed-off-by: Jann Horn <jannh(a)google.com> Acked-by: Joel Fernandes (Google) <joel(a)joelfernandes.org> Acked-by: Vivek Kasireddy <vivek.kasireddy(a)intel.com> Signed-off-by: Vivek Kasireddy <vivek.kasireddy(a)intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20241204-udmabuf-fixes-v2-1-2… diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c index 8ce1f074c2d3..c1d8c2766d6d 100644 --- a/drivers/dma-buf/udmabuf.c +++ b/drivers/dma-buf/udmabuf.c @@ -436,14 +436,19 @@ static long udmabuf_create(struct miscdevice *device, goto err; } + /* + * Take the inode lock to protect against concurrent + * memfd_add_seals(), which takes this lock in write mode. + */ + inode_lock_shared(file_inode(memfd)); ret = check_memfd_seals(memfd); - if (ret < 0) { - fput(memfd); - goto err; - } + if (ret) + goto out_unlock; ret = udmabuf_pin_folios(ubuf, memfd, list[i].offset, list[i].size, folios); +out_unlock: + inode_unlock_shared(file_inode(memfd)); fput(memfd); if (ret) goto err;

10 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] udmabuf: fix racy memfd sealing check" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 9cb189a882738c1d28b349d4e7c6a1ef9b3d8f87 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122347-uncivil-decimal-1a11@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9cb189a882738c1d28b349d4e7c6a1ef9b3d8f87 Mon Sep 17 00:00:00 2001 From: Jann Horn <jannh(a)google.com> Date: Wed, 4 Dec 2024 17:26:19 +0100 Subject: [PATCH] udmabuf: fix racy memfd sealing check The current check_memfd_seals() is racy: Since we first do check_memfd_seals() and then udmabuf_pin_folios() without holding any relevant lock across both, F_SEAL_WRITE can be set in between. This is problematic because we can end up holding pins to pages in a write-sealed memfd. Fix it using the inode lock, that's probably the easiest way. In the future, we might want to consider moving this logic into memfd, especially if anyone else wants to use memfd_pin_folios(). Reported-by: Julian Orth <ju.orth(a)gmail.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219106 Closes: https://lore.kernel.org/r/CAG48ez0w8HrFEZtJkfmkVKFDhE5aP7nz=obrimeTgpD+StkV… Fixes: fbb0de795078 ("Add udmabuf misc device") Cc: stable(a)vger.kernel.org Signed-off-by: Jann Horn <jannh(a)google.com> Acked-by: Joel Fernandes (Google) <joel(a)joelfernandes.org> Acked-by: Vivek Kasireddy <vivek.kasireddy(a)intel.com> Signed-off-by: Vivek Kasireddy <vivek.kasireddy(a)intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20241204-udmabuf-fixes-v2-1-2… diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c index 8ce1f074c2d3..c1d8c2766d6d 100644 --- a/drivers/dma-buf/udmabuf.c +++ b/drivers/dma-buf/udmabuf.c @@ -436,14 +436,19 @@ static long udmabuf_create(struct miscdevice *device, goto err; } + /* + * Take the inode lock to protect against concurrent + * memfd_add_seals(), which takes this lock in write mode. + */ + inode_lock_shared(file_inode(memfd)); ret = check_memfd_seals(memfd); - if (ret < 0) { - fput(memfd); - goto err; - } + if (ret) + goto out_unlock; ret = udmabuf_pin_folios(ubuf, memfd, list[i].offset, list[i].size, folios); +out_unlock: + inode_unlock_shared(file_inode(memfd)); fput(memfd); if (ret) goto err;

10 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] udmabuf: fix racy memfd sealing check" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 9cb189a882738c1d28b349d4e7c6a1ef9b3d8f87 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122346-scion-scored-b379@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9cb189a882738c1d28b349d4e7c6a1ef9b3d8f87 Mon Sep 17 00:00:00 2001 From: Jann Horn <jannh(a)google.com> Date: Wed, 4 Dec 2024 17:26:19 +0100 Subject: [PATCH] udmabuf: fix racy memfd sealing check The current check_memfd_seals() is racy: Since we first do check_memfd_seals() and then udmabuf_pin_folios() without holding any relevant lock across both, F_SEAL_WRITE can be set in between. This is problematic because we can end up holding pins to pages in a write-sealed memfd. Fix it using the inode lock, that's probably the easiest way. In the future, we might want to consider moving this logic into memfd, especially if anyone else wants to use memfd_pin_folios(). Reported-by: Julian Orth <ju.orth(a)gmail.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219106 Closes: https://lore.kernel.org/r/CAG48ez0w8HrFEZtJkfmkVKFDhE5aP7nz=obrimeTgpD+StkV… Fixes: fbb0de795078 ("Add udmabuf misc device") Cc: stable(a)vger.kernel.org Signed-off-by: Jann Horn <jannh(a)google.com> Acked-by: Joel Fernandes (Google) <joel(a)joelfernandes.org> Acked-by: Vivek Kasireddy <vivek.kasireddy(a)intel.com> Signed-off-by: Vivek Kasireddy <vivek.kasireddy(a)intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20241204-udmabuf-fixes-v2-1-2… diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c index 8ce1f074c2d3..c1d8c2766d6d 100644 --- a/drivers/dma-buf/udmabuf.c +++ b/drivers/dma-buf/udmabuf.c @@ -436,14 +436,19 @@ static long udmabuf_create(struct miscdevice *device, goto err; } + /* + * Take the inode lock to protect against concurrent + * memfd_add_seals(), which takes this lock in write mode. + */ + inode_lock_shared(file_inode(memfd)); ret = check_memfd_seals(memfd); - if (ret < 0) { - fput(memfd); - goto err; - } + if (ret) + goto out_unlock; ret = udmabuf_pin_folios(ubuf, memfd, list[i].offset, list[i].size, folios); +out_unlock: + inode_unlock_shared(file_inode(memfd)); fput(memfd); if (ret) goto err;

10 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] btrfs: use bio_is_zone_append() in the completion handler" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 6c3864e055486fadb5b97793b57688082e14b43b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122301-ouch-willfully-ae9c@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 6c3864e055486fadb5b97793b57688082e14b43b Mon Sep 17 00:00:00 2001 From: Christoph Hellwig <hch(a)lst.de> Date: Mon, 4 Nov 2024 07:26:32 +0100 Subject: [PATCH] btrfs: use bio_is_zone_append() in the completion handler Otherwise it won't catch bios turned into regular writes by the block level zone write plugging. The additional test it adds is for emulated zone append. Fixes: 9b1ce7f0c6f8 ("block: Implement zone append emulation") CC: stable(a)vger.kernel.org # 6.12 Reviewed-by: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Reviewed-by: Damien Le Moal <dlemoal(a)kernel.org> Signed-off-by: Christoph Hellwig <hch(a)lst.de> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/bio.c b/fs/btrfs/bio.c index 1f216d07eff6..011cc97be3b5 100644 --- a/fs/btrfs/bio.c +++ b/fs/btrfs/bio.c @@ -355,7 +355,7 @@ static void btrfs_simple_end_io(struct bio *bio) INIT_WORK(&bbio->end_io_work, btrfs_end_bio_work); queue_work(btrfs_end_io_wq(fs_info, bio), &bbio->end_io_work); } else { - if (bio_op(bio) == REQ_OP_ZONE_APPEND && !bio->bi_status) + if (bio_is_zone_append(bio) && !bio->bi_status) btrfs_record_physical_zoned(bbio); btrfs_bio_end_io(bbio, bbio->bio.bi_status); } @@ -398,7 +398,7 @@ static void btrfs_orig_write_end_io(struct bio *bio) else bio->bi_status = BLK_STS_OK; - if (bio_op(bio) == REQ_OP_ZONE_APPEND && !bio->bi_status) + if (bio_is_zone_append(bio) && !bio->bi_status) stripe->physical = bio->bi_iter.bi_sector << SECTOR_SHIFT; btrfs_bio_end_io(bbio, bbio->bio.bi_status); @@ -412,7 +412,7 @@ static void btrfs_clone_write_end_io(struct bio *bio) if (bio->bi_status) { atomic_inc(&stripe->bioc->error); btrfs_log_dev_io_error(bio, stripe->dev); - } else if (bio_op(bio) == REQ_OP_ZONE_APPEND) { + } else if (bio_is_zone_append(bio)) { stripe->physical = bio->bi_iter.bi_sector << SECTOR_SHIFT; }

10 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] io_uring: check if iowq is killed before queuing" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x dbd2ca9367eb19bc5e269b8c58b0b1514ada9156 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122314-twice-deuce-e49d@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From dbd2ca9367eb19bc5e269b8c58b0b1514ada9156 Mon Sep 17 00:00:00 2001 From: Pavel Begunkov <asml.silence(a)gmail.com> Date: Thu, 19 Dec 2024 19:52:58 +0000 Subject: [PATCH] io_uring: check if iowq is killed before queuing task work can be executed after the task has gone through io_uring termination, whether it's the final task_work run or the fallback path. In this case, task work will find ->io_wq being already killed and null'ed, which is a problem if it then tries to forward the request to io_queue_iowq(). Make io_queue_iowq() fail requests in this case. Note that it also checks PF_KTHREAD, because the user can first close a DEFER_TASKRUN ring and shortly after kill the task, in which case ->iowq check would race. Cc: stable(a)vger.kernel.org Fixes: 50c52250e2d74 ("block: implement async io_uring discard cmd") Fixes: 773af69121ecc ("io_uring: always reissue from task_work context") Reported-by: Will <willsroot(a)protonmail.com> Signed-off-by: Pavel Begunkov <asml.silence(a)gmail.com> Link: https://lore.kernel.org/r/63312b4a2c2bb67ad67b857d17a300e1d3b078e8.17346379… Signed-off-by: Jens Axboe <axboe(a)kernel.dk> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 432b95ca9c85..d3403c8216db 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -514,7 +514,11 @@ static void io_queue_iowq(struct io_kiocb *req) struct io_uring_task *tctx = req->tctx; BUG_ON(!tctx); - BUG_ON(!tctx->io_wq); + + if ((current->flags & PF_KTHREAD) || !tctx->io_wq) { + io_req_task_queue_fail(req, -ECANCELED); + return; + } /* init ->work of the whole link before punting */ io_prep_async_link(req);

10 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] tracing: Check "%s" dereference via the field and not the" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x afd2627f727b89496d79a6b934a025fc916d4ded # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122317-espionage-overbite-d59e@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From afd2627f727b89496d79a6b934a025fc916d4ded Mon Sep 17 00:00:00 2001 From: Steven Rostedt <rostedt(a)goodmis.org> Date: Mon, 16 Dec 2024 21:41:22 -0500 Subject: [PATCH] tracing: Check "%s" dereference via the field and not the TP_printk format The TP_printk() portion of a trace event is executed at the time a event is read from the trace. This can happen seconds, minutes, hours, days, months, years possibly later since the event was recorded. If the print format contains a dereference to a string via "%s", and that string was allocated, there's a chance that string could be freed before it is read by the trace file. To protect against such bugs, there are two functions that verify the event. The first one is test_event_printk(), which is called when the event is created. It reads the TP_printk() format as well as its arguments to make sure nothing may be dereferencing a pointer that was not copied into the ring buffer along with the event. If it is, it will trigger a WARN_ON(). For strings that use "%s", it is not so easy. The string may not reside in the ring buffer but may still be valid. Strings that are static and part of the kernel proper which will not be freed for the life of the running system, are safe to dereference. But to know if it is a pointer to a static string or to something on the heap can not be determined until the event is triggered. This brings us to the second function that tests for the bad dereferencing of strings, trace_check_vprintf(). It would walk through the printf format looking for "%s", and when it finds it, it would validate that the pointer is safe to read. If not, it would produces a WARN_ON() as well and write into the ring buffer "[UNSAFE-MEMORY]". The problem with this is how it used va_list to have vsnprintf() handle all the cases that it didn't need to check. Instead of re-implementing vsnprintf(), it would make a copy of the format up to the %s part, and call vsnprintf() with the current va_list ap variable, where the ap would then be ready to point at the string in question. For architectures that passed va_list by reference this was possible. For architectures that passed it by copy it was not. A test_can_verify() function was used to differentiate between the two, and if it wasn't possible, it would disable it. Even for architectures where this was feasible, it was a stretch to rely on such a method that is undocumented, and could cause issues later on with new optimizations of the compiler. Instead, the first function test_event_printk() was updated to look at "%s" as well. If the "%s" argument is a pointer outside the event in the ring buffer, it would find the field type of the event that is the problem and mark the structure with a new flag called "needs_test". The event itself will be marked by TRACE_EVENT_FL_TEST_STR to let it be known that this event has a field that needs to be verified before the event can be printed using the printf format. When the event fields are created from the field type structure, the fields would copy the field type's "needs_test" value. Finally, before being printed, a new function ignore_event() is called which will check if the event has the TEST_STR flag set (if not, it returns false). If the flag is set, it then iterates through the events fields looking for the ones that have the "needs_test" flag set. Then it uses the offset field from the field structure to find the pointer in the ring buffer event. It runs the tests to make sure that pointer is safe to print and if not, it triggers the WARN_ON() and also adds to the trace output that the event in question has an unsafe memory access. The ignore_event() makes the trace_check_vprintf() obsolete so it is removed. Link: https://lore.kernel.org/all/CAHk-=wh3uOnqnZPpR0PeLZZtyWbZLboZ7cHLCKRWsocvs9… Cc: stable(a)vger.kernel.org Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Mark Rutland <mark.rutland(a)arm.com> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: Al Viro <viro(a)ZenIV.linux.org.uk> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Link: https://lore.kernel.org/20241217024720.848621576@goodmis.org Fixes: 5013f454a352c ("tracing: Add check of trace event print fmts for dereferencing pointers") Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> diff --git a/include/linux/trace_events.h b/include/linux/trace_events.h index 2a5df5b62cfc..91b8ffbdfa8c 100644 --- a/include/linux/trace_events.h +++ b/include/linux/trace_events.h @@ -273,7 +273,8 @@ struct trace_event_fields { const char *name; const int size; const int align; - const int is_signed; + const unsigned int is_signed:1; + unsigned int needs_test:1; const int filter_type; const int len; }; @@ -324,6 +325,7 @@ enum { TRACE_EVENT_FL_EPROBE_BIT, TRACE_EVENT_FL_FPROBE_BIT, TRACE_EVENT_FL_CUSTOM_BIT, + TRACE_EVENT_FL_TEST_STR_BIT, }; /* @@ -340,6 +342,7 @@ enum { * CUSTOM - Event is a custom event (to be attached to an exsiting tracepoint) * This is set when the custom event has not been attached * to a tracepoint yet, then it is cleared when it is. + * TEST_STR - The event has a "%s" that points to a string outside the event */ enum { TRACE_EVENT_FL_CAP_ANY = (1 << TRACE_EVENT_FL_CAP_ANY_BIT), @@ -352,6 +355,7 @@ enum { TRACE_EVENT_FL_EPROBE = (1 << TRACE_EVENT_FL_EPROBE_BIT), TRACE_EVENT_FL_FPROBE = (1 << TRACE_EVENT_FL_FPROBE_BIT), TRACE_EVENT_FL_CUSTOM = (1 << TRACE_EVENT_FL_CUSTOM_BIT), + TRACE_EVENT_FL_TEST_STR = (1 << TRACE_EVENT_FL_TEST_STR_BIT), }; #define TRACE_EVENT_FL_UKPROBE (TRACE_EVENT_FL_KPROBE | TRACE_EVENT_FL_UPROBE) diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index be62f0ea1814..7cc18b9bce27 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -3611,17 +3611,12 @@ char *trace_iter_expand_format(struct trace_iterator *iter) } /* Returns true if the string is safe to dereference from an event */ -static bool trace_safe_str(struct trace_iterator *iter, const char *str, - bool star, int len) +static bool trace_safe_str(struct trace_iterator *iter, const char *str) { unsigned long addr = (unsigned long)str; struct trace_event *trace_event; struct trace_event_call *event; - /* Ignore strings with no length */ - if (star && !len) - return true; - /* OK if part of the event data */ if ((addr >= (unsigned long)iter->ent) && (addr < (unsigned long)iter->ent + iter->ent_size)) @@ -3661,181 +3656,69 @@ static bool trace_safe_str(struct trace_iterator *iter, const char *str, return false; } -static DEFINE_STATIC_KEY_FALSE(trace_no_verify); - -static int test_can_verify_check(const char *fmt, ...) -{ - char buf[16]; - va_list ap; - int ret; - - /* - * The verifier is dependent on vsnprintf() modifies the va_list - * passed to it, where it is sent as a reference. Some architectures - * (like x86_32) passes it by value, which means that vsnprintf() - * does not modify the va_list passed to it, and the verifier - * would then need to be able to understand all the values that - * vsnprintf can use. If it is passed by value, then the verifier - * is disabled. - */ - va_start(ap, fmt); - vsnprintf(buf, 16, "%d", ap); - ret = va_arg(ap, int); - va_end(ap); - - return ret; -} - -static void test_can_verify(void) -{ - if (!test_can_verify_check("%d %d", 0, 1)) { - pr_info("trace event string verifier disabled\n"); - static_branch_inc(&trace_no_verify); - } -} - /** - * trace_check_vprintf - Check dereferenced strings while writing to the seq buffer + * ignore_event - Check dereferenced fields while writing to the seq buffer * @iter: The iterator that holds the seq buffer and the event being printed - * @fmt: The format used to print the event - * @ap: The va_list holding the data to print from @fmt. * - * This writes the data into the @iter->seq buffer using the data from - * @fmt and @ap. If the format has a %s, then the source of the string - * is examined to make sure it is safe to print, otherwise it will - * warn and print "[UNSAFE MEMORY]" in place of the dereferenced string - * pointer. + * At boot up, test_event_printk() will flag any event that dereferences + * a string with "%s" that does exist in the ring buffer. It may still + * be valid, as the string may point to a static string in the kernel + * rodata that never gets freed. But if the string pointer is pointing + * to something that was allocated, there's a chance that it can be freed + * by the time the user reads the trace. This would cause a bad memory + * access by the kernel and possibly crash the system. + * + * This function will check if the event has any fields flagged as needing + * to be checked at runtime and perform those checks. + * + * If it is found that a field is unsafe, it will write into the @iter->seq + * a message stating what was found to be unsafe. + * + * @return: true if the event is unsafe and should be ignored, + * false otherwise. */ -void trace_check_vprintf(struct trace_iterator *iter, const char *fmt, - va_list ap) +bool ignore_event(struct trace_iterator *iter) { - long text_delta = 0; - long data_delta = 0; - const char *p = fmt; - const char *str; - bool good; - int i, j; + struct ftrace_event_field *field; + struct trace_event *trace_event; + struct trace_event_call *event; + struct list_head *head; + struct trace_seq *seq; + const void *ptr; - if (WARN_ON_ONCE(!fmt)) - return; + trace_event = ftrace_find_event(iter->ent->type); - if (static_branch_unlikely(&trace_no_verify)) - goto print; + seq = &iter->seq; - /* - * When the kernel is booted with the tp_printk command line - * parameter, trace events go directly through to printk(). - * It also is checked by this function, but it does not - * have an associated trace_array (tr) for it. - */ - if (iter->tr) { - text_delta = iter->tr->text_delta; - data_delta = iter->tr->data_delta; + if (!trace_event) { + trace_seq_printf(seq, "EVENT ID %d NOT FOUND?\n", iter->ent->type); + return true; } - /* Don't bother checking when doing a ftrace_dump() */ - if (iter->fmt == static_fmt_buf) - goto print; + event = container_of(trace_event, struct trace_event_call, event); + if (!(event->flags & TRACE_EVENT_FL_TEST_STR)) + return false; - while (*p) { - bool star = false; - int len = 0; + head = trace_get_fields(event); + if (!head) { + trace_seq_printf(seq, "FIELDS FOR EVENT '%s' NOT FOUND?\n", + trace_event_name(event)); + return true; + } - j = 0; + /* Offsets are from the iter->ent that points to the raw event */ + ptr = iter->ent; - /* - * We only care about %s and variants - * as well as %p[sS] if delta is non-zero - */ - for (i = 0; p[i]; i++) { - if (i + 1 >= iter->fmt_size) { - /* - * If we can't expand the copy buffer, - * just print it. - */ - if (!trace_iter_expand_format(iter)) - goto print; - } + list_for_each_entry(field, head, link) { + const char *str; + bool good; - if (p[i] == '\\' && p[i+1]) { - i++; - continue; - } - if (p[i] == '%') { - /* Need to test cases like %08.*s */ - for (j = 1; p[i+j]; j++) { - if (isdigit(p[i+j]) || - p[i+j] == '.') - continue; - if (p[i+j] == '*') { - star = true; - continue; - } - break; - } - if (p[i+j] == 's') - break; - - if (text_delta && p[i+1] == 'p' && - ((p[i+2] == 's' || p[i+2] == 'S'))) - break; - - star = false; - } - j = 0; - } - /* If no %s found then just print normally */ - if (!p[i]) - break; - - /* Copy up to the %s, and print that */ - strncpy(iter->fmt, p, i); - iter->fmt[i] = '\0'; - trace_seq_vprintf(&iter->seq, iter->fmt, ap); - - /* Add delta to %pS pointers */ - if (p[i+1] == 'p') { - unsigned long addr; - char fmt[4]; - - fmt[0] = '%'; - fmt[1] = 'p'; - fmt[2] = p[i+2]; /* Either %ps or %pS */ - fmt[3] = '\0'; - - addr = va_arg(ap, unsigned long); - addr += text_delta; - trace_seq_printf(&iter->seq, fmt, (void *)addr); - - p += i + 3; + if (!field->needs_test) continue; - } - /* - * If iter->seq is full, the above call no longer guarantees - * that ap is in sync with fmt processing, and further calls - * to va_arg() can return wrong positional arguments. - * - * Ensure that ap is no longer used in this case. - */ - if (iter->seq.full) { - p = ""; - break; - } + str = *(const char **)(ptr + field->offset); - if (star) - len = va_arg(ap, int); - - /* The ap now points to the string data of the %s */ - str = va_arg(ap, const char *); - - good = trace_safe_str(iter, str, star, len); - - /* Could be from the last boot */ - if (data_delta && !good) { - str += data_delta; - good = trace_safe_str(iter, str, star, len); - } + good = trace_safe_str(iter, str); /* * If you hit this warning, it is likely that the @@ -3846,44 +3729,14 @@ void trace_check_vprintf(struct trace_iterator *iter, const char *fmt, * instead. See samples/trace_events/trace-events-sample.h * for reference. */ - if (WARN_ONCE(!good, "fmt: '%s' current_buffer: '%s'", - fmt, seq_buf_str(&iter->seq.seq))) { - int ret; - - /* Try to safely read the string */ - if (star) { - if (len + 1 > iter->fmt_size) - len = iter->fmt_size - 1; - if (len < 0) - len = 0; - ret = copy_from_kernel_nofault(iter->fmt, str, len); - iter->fmt[len] = 0; - star = false; - } else { - ret = strncpy_from_kernel_nofault(iter->fmt, str, - iter->fmt_size); - } - if (ret < 0) - trace_seq_printf(&iter->seq, "(0x%px)", str); - else - trace_seq_printf(&iter->seq, "(0x%px:%s)", - str, iter->fmt); - str = "[UNSAFE-MEMORY]"; - strcpy(iter->fmt, "%s"); - } else { - strncpy(iter->fmt, p + i, j + 1); - iter->fmt[j+1] = '\0'; + if (WARN_ONCE(!good, "event '%s' has unsafe pointer field '%s'", + trace_event_name(event), field->name)) { + trace_seq_printf(seq, "EVENT %s: HAS UNSAFE POINTER FIELD '%s'\n", + trace_event_name(event), field->name); + return true; } - if (star) - trace_seq_printf(&iter->seq, iter->fmt, len, str); - else - trace_seq_printf(&iter->seq, iter->fmt, str); - - p += i + j + 1; } - print: - if (*p) - trace_seq_vprintf(&iter->seq, p, ap); + return false; } const char *trace_event_format(struct trace_iterator *iter, const char *fmt) @@ -10777,8 +10630,6 @@ __init static int tracer_alloc_buffers(void) register_snapshot_cmd(); - test_can_verify(); - return 0; out_free_pipe_cpumask: diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h index 266740b4e121..9691b47b5f3d 100644 --- a/kernel/trace/trace.h +++ b/kernel/trace/trace.h @@ -667,9 +667,8 @@ void trace_buffer_unlock_commit_nostack(struct trace_buffer *buffer, bool trace_is_tracepoint_string(const char *str); const char *trace_event_format(struct trace_iterator *iter, const char *fmt); -void trace_check_vprintf(struct trace_iterator *iter, const char *fmt, - va_list ap) __printf(2, 0); char *trace_iter_expand_format(struct trace_iterator *iter); +bool ignore_event(struct trace_iterator *iter); int trace_empty(struct trace_iterator *iter); @@ -1413,7 +1412,8 @@ struct ftrace_event_field { int filter_type; int offset; int size; - int is_signed; + unsigned int is_signed:1; + unsigned int needs_test:1; int len; }; diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c index 521ad2fd1fe7..1545cc8b49d0 100644 --- a/kernel/trace/trace_events.c +++ b/kernel/trace/trace_events.c @@ -82,7 +82,7 @@ static int system_refcount_dec(struct event_subsystem *system) } static struct ftrace_event_field * -__find_event_field(struct list_head *head, char *name) +__find_event_field(struct list_head *head, const char *name) { struct ftrace_event_field *field; @@ -114,7 +114,8 @@ trace_find_event_field(struct trace_event_call *call, char *name) static int __trace_define_field(struct list_head *head, const char *type, const char *name, int offset, int size, - int is_signed, int filter_type, int len) + int is_signed, int filter_type, int len, + int need_test) { struct ftrace_event_field *field; @@ -133,6 +134,7 @@ static int __trace_define_field(struct list_head *head, const char *type, field->offset = offset; field->size = size; field->is_signed = is_signed; + field->needs_test = need_test; field->len = len; list_add(&field->link, head); @@ -151,13 +153,13 @@ int trace_define_field(struct trace_event_call *call, const char *type, head = trace_get_fields(call); return __trace_define_field(head, type, name, offset, size, - is_signed, filter_type, 0); + is_signed, filter_type, 0, 0); } EXPORT_SYMBOL_GPL(trace_define_field); static int trace_define_field_ext(struct trace_event_call *call, const char *type, const char *name, int offset, int size, int is_signed, - int filter_type, int len) + int filter_type, int len, int need_test) { struct list_head *head; @@ -166,13 +168,13 @@ static int trace_define_field_ext(struct trace_event_call *call, const char *typ head = trace_get_fields(call); return __trace_define_field(head, type, name, offset, size, - is_signed, filter_type, len); + is_signed, filter_type, len, need_test); } #define __generic_field(type, item, filter_type) \ ret = __trace_define_field(&ftrace_generic_fields, #type, \ #item, 0, 0, is_signed_type(type), \ - filter_type, 0); \ + filter_type, 0, 0); \ if (ret) \ return ret; @@ -181,7 +183,8 @@ static int trace_define_field_ext(struct trace_event_call *call, const char *typ "common_" #item, \ offsetof(typeof(ent), item), \ sizeof(ent.item), \ - is_signed_type(type), FILTER_OTHER, 0); \ + is_signed_type(type), FILTER_OTHER, \ + 0, 0); \ if (ret) \ return ret; @@ -332,6 +335,7 @@ static bool process_pointer(const char *fmt, int len, struct trace_event_call *c /* Return true if the string is safe */ static bool process_string(const char *fmt, int len, struct trace_event_call *call) { + struct trace_event_fields *field; const char *r, *e, *s; e = fmt + len; @@ -372,8 +376,16 @@ static bool process_string(const char *fmt, int len, struct trace_event_call *ca if (process_pointer(fmt, len, call)) return true; - /* Make sure the field is found, and consider it OK for now if it is */ - return find_event_field(fmt, call) != NULL; + /* Make sure the field is found */ + field = find_event_field(fmt, call); + if (!field) + return false; + + /* Test this field's string before printing the event */ + call->flags |= TRACE_EVENT_FL_TEST_STR; + field->needs_test = 1; + + return true; } /* @@ -2586,7 +2598,7 @@ event_define_fields(struct trace_event_call *call) ret = trace_define_field_ext(call, field->type, field->name, offset, field->size, field->is_signed, field->filter_type, - field->len); + field->len, field->needs_test); if (WARN_ON_ONCE(ret)) { pr_err("error code is %d\n", ret); break; diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c index da748b7cbc4d..03d56f711ad1 100644 --- a/kernel/trace/trace_output.c +++ b/kernel/trace/trace_output.c @@ -317,10 +317,14 @@ EXPORT_SYMBOL(trace_raw_output_prep); void trace_event_printf(struct trace_iterator *iter, const char *fmt, ...) { + struct trace_seq *s = &iter->seq; va_list ap; + if (ignore_event(iter)) + return; + va_start(ap, fmt); - trace_check_vprintf(iter, trace_event_format(iter, fmt), ap); + trace_seq_vprintf(s, trace_event_format(iter, fmt), ap); va_end(ap); } EXPORT_SYMBOL(trace_event_printf);

10 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] tracing: Check "%s" dereference via the field and not the" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x afd2627f727b89496d79a6b934a025fc916d4ded # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122315-repeal-enforced-8d7c@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From afd2627f727b89496d79a6b934a025fc916d4ded Mon Sep 17 00:00:00 2001 From: Steven Rostedt <rostedt(a)goodmis.org> Date: Mon, 16 Dec 2024 21:41:22 -0500 Subject: [PATCH] tracing: Check "%s" dereference via the field and not the TP_printk format The TP_printk() portion of a trace event is executed at the time a event is read from the trace. This can happen seconds, minutes, hours, days, months, years possibly later since the event was recorded. If the print format contains a dereference to a string via "%s", and that string was allocated, there's a chance that string could be freed before it is read by the trace file. To protect against such bugs, there are two functions that verify the event. The first one is test_event_printk(), which is called when the event is created. It reads the TP_printk() format as well as its arguments to make sure nothing may be dereferencing a pointer that was not copied into the ring buffer along with the event. If it is, it will trigger a WARN_ON(). For strings that use "%s", it is not so easy. The string may not reside in the ring buffer but may still be valid. Strings that are static and part of the kernel proper which will not be freed for the life of the running system, are safe to dereference. But to know if it is a pointer to a static string or to something on the heap can not be determined until the event is triggered. This brings us to the second function that tests for the bad dereferencing of strings, trace_check_vprintf(). It would walk through the printf format looking for "%s", and when it finds it, it would validate that the pointer is safe to read. If not, it would produces a WARN_ON() as well and write into the ring buffer "[UNSAFE-MEMORY]". The problem with this is how it used va_list to have vsnprintf() handle all the cases that it didn't need to check. Instead of re-implementing vsnprintf(), it would make a copy of the format up to the %s part, and call vsnprintf() with the current va_list ap variable, where the ap would then be ready to point at the string in question. For architectures that passed va_list by reference this was possible. For architectures that passed it by copy it was not. A test_can_verify() function was used to differentiate between the two, and if it wasn't possible, it would disable it. Even for architectures where this was feasible, it was a stretch to rely on such a method that is undocumented, and could cause issues later on with new optimizations of the compiler. Instead, the first function test_event_printk() was updated to look at "%s" as well. If the "%s" argument is a pointer outside the event in the ring buffer, it would find the field type of the event that is the problem and mark the structure with a new flag called "needs_test". The event itself will be marked by TRACE_EVENT_FL_TEST_STR to let it be known that this event has a field that needs to be verified before the event can be printed using the printf format. When the event fields are created from the field type structure, the fields would copy the field type's "needs_test" value. Finally, before being printed, a new function ignore_event() is called which will check if the event has the TEST_STR flag set (if not, it returns false). If the flag is set, it then iterates through the events fields looking for the ones that have the "needs_test" flag set. Then it uses the offset field from the field structure to find the pointer in the ring buffer event. It runs the tests to make sure that pointer is safe to print and if not, it triggers the WARN_ON() and also adds to the trace output that the event in question has an unsafe memory access. The ignore_event() makes the trace_check_vprintf() obsolete so it is removed. Link: https://lore.kernel.org/all/CAHk-=wh3uOnqnZPpR0PeLZZtyWbZLboZ7cHLCKRWsocvs9… Cc: stable(a)vger.kernel.org Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Mark Rutland <mark.rutland(a)arm.com> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: Al Viro <viro(a)ZenIV.linux.org.uk> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Link: https://lore.kernel.org/20241217024720.848621576@goodmis.org Fixes: 5013f454a352c ("tracing: Add check of trace event print fmts for dereferencing pointers") Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> diff --git a/include/linux/trace_events.h b/include/linux/trace_events.h index 2a5df5b62cfc..91b8ffbdfa8c 100644 --- a/include/linux/trace_events.h +++ b/include/linux/trace_events.h @@ -273,7 +273,8 @@ struct trace_event_fields { const char *name; const int size; const int align; - const int is_signed; + const unsigned int is_signed:1; + unsigned int needs_test:1; const int filter_type; const int len; }; @@ -324,6 +325,7 @@ enum { TRACE_EVENT_FL_EPROBE_BIT, TRACE_EVENT_FL_FPROBE_BIT, TRACE_EVENT_FL_CUSTOM_BIT, + TRACE_EVENT_FL_TEST_STR_BIT, }; /* @@ -340,6 +342,7 @@ enum { * CUSTOM - Event is a custom event (to be attached to an exsiting tracepoint) * This is set when the custom event has not been attached * to a tracepoint yet, then it is cleared when it is. + * TEST_STR - The event has a "%s" that points to a string outside the event */ enum { TRACE_EVENT_FL_CAP_ANY = (1 << TRACE_EVENT_FL_CAP_ANY_BIT), @@ -352,6 +355,7 @@ enum { TRACE_EVENT_FL_EPROBE = (1 << TRACE_EVENT_FL_EPROBE_BIT), TRACE_EVENT_FL_FPROBE = (1 << TRACE_EVENT_FL_FPROBE_BIT), TRACE_EVENT_FL_CUSTOM = (1 << TRACE_EVENT_FL_CUSTOM_BIT), + TRACE_EVENT_FL_TEST_STR = (1 << TRACE_EVENT_FL_TEST_STR_BIT), }; #define TRACE_EVENT_FL_UKPROBE (TRACE_EVENT_FL_KPROBE | TRACE_EVENT_FL_UPROBE) diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index be62f0ea1814..7cc18b9bce27 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -3611,17 +3611,12 @@ char *trace_iter_expand_format(struct trace_iterator *iter) } /* Returns true if the string is safe to dereference from an event */ -static bool trace_safe_str(struct trace_iterator *iter, const char *str, - bool star, int len) +static bool trace_safe_str(struct trace_iterator *iter, const char *str) { unsigned long addr = (unsigned long)str; struct trace_event *trace_event; struct trace_event_call *event; - /* Ignore strings with no length */ - if (star && !len) - return true; - /* OK if part of the event data */ if ((addr >= (unsigned long)iter->ent) && (addr < (unsigned long)iter->ent + iter->ent_size)) @@ -3661,181 +3656,69 @@ static bool trace_safe_str(struct trace_iterator *iter, const char *str, return false; } -static DEFINE_STATIC_KEY_FALSE(trace_no_verify); - -static int test_can_verify_check(const char *fmt, ...) -{ - char buf[16]; - va_list ap; - int ret; - - /* - * The verifier is dependent on vsnprintf() modifies the va_list - * passed to it, where it is sent as a reference. Some architectures - * (like x86_32) passes it by value, which means that vsnprintf() - * does not modify the va_list passed to it, and the verifier - * would then need to be able to understand all the values that - * vsnprintf can use. If it is passed by value, then the verifier - * is disabled. - */ - va_start(ap, fmt); - vsnprintf(buf, 16, "%d", ap); - ret = va_arg(ap, int); - va_end(ap); - - return ret; -} - -static void test_can_verify(void) -{ - if (!test_can_verify_check("%d %d", 0, 1)) { - pr_info("trace event string verifier disabled\n"); - static_branch_inc(&trace_no_verify); - } -} - /** - * trace_check_vprintf - Check dereferenced strings while writing to the seq buffer + * ignore_event - Check dereferenced fields while writing to the seq buffer * @iter: The iterator that holds the seq buffer and the event being printed - * @fmt: The format used to print the event - * @ap: The va_list holding the data to print from @fmt. * - * This writes the data into the @iter->seq buffer using the data from - * @fmt and @ap. If the format has a %s, then the source of the string - * is examined to make sure it is safe to print, otherwise it will - * warn and print "[UNSAFE MEMORY]" in place of the dereferenced string - * pointer. + * At boot up, test_event_printk() will flag any event that dereferences + * a string with "%s" that does exist in the ring buffer. It may still + * be valid, as the string may point to a static string in the kernel + * rodata that never gets freed. But if the string pointer is pointing + * to something that was allocated, there's a chance that it can be freed + * by the time the user reads the trace. This would cause a bad memory + * access by the kernel and possibly crash the system. + * + * This function will check if the event has any fields flagged as needing + * to be checked at runtime and perform those checks. + * + * If it is found that a field is unsafe, it will write into the @iter->seq + * a message stating what was found to be unsafe. + * + * @return: true if the event is unsafe and should be ignored, + * false otherwise. */ -void trace_check_vprintf(struct trace_iterator *iter, const char *fmt, - va_list ap) +bool ignore_event(struct trace_iterator *iter) { - long text_delta = 0; - long data_delta = 0; - const char *p = fmt; - const char *str; - bool good; - int i, j; + struct ftrace_event_field *field; + struct trace_event *trace_event; + struct trace_event_call *event; + struct list_head *head; + struct trace_seq *seq; + const void *ptr; - if (WARN_ON_ONCE(!fmt)) - return; + trace_event = ftrace_find_event(iter->ent->type); - if (static_branch_unlikely(&trace_no_verify)) - goto print; + seq = &iter->seq; - /* - * When the kernel is booted with the tp_printk command line - * parameter, trace events go directly through to printk(). - * It also is checked by this function, but it does not - * have an associated trace_array (tr) for it. - */ - if (iter->tr) { - text_delta = iter->tr->text_delta; - data_delta = iter->tr->data_delta; + if (!trace_event) { + trace_seq_printf(seq, "EVENT ID %d NOT FOUND?\n", iter->ent->type); + return true; } - /* Don't bother checking when doing a ftrace_dump() */ - if (iter->fmt == static_fmt_buf) - goto print; + event = container_of(trace_event, struct trace_event_call, event); + if (!(event->flags & TRACE_EVENT_FL_TEST_STR)) + return false; - while (*p) { - bool star = false; - int len = 0; + head = trace_get_fields(event); + if (!head) { + trace_seq_printf(seq, "FIELDS FOR EVENT '%s' NOT FOUND?\n", + trace_event_name(event)); + return true; + } - j = 0; + /* Offsets are from the iter->ent that points to the raw event */ + ptr = iter->ent; - /* - * We only care about %s and variants - * as well as %p[sS] if delta is non-zero - */ - for (i = 0; p[i]; i++) { - if (i + 1 >= iter->fmt_size) { - /* - * If we can't expand the copy buffer, - * just print it. - */ - if (!trace_iter_expand_format(iter)) - goto print; - } + list_for_each_entry(field, head, link) { + const char *str; + bool good; - if (p[i] == '\\' && p[i+1]) { - i++; - continue; - } - if (p[i] == '%') { - /* Need to test cases like %08.*s */ - for (j = 1; p[i+j]; j++) { - if (isdigit(p[i+j]) || - p[i+j] == '.') - continue; - if (p[i+j] == '*') { - star = true; - continue; - } - break; - } - if (p[i+j] == 's') - break; - - if (text_delta && p[i+1] == 'p' && - ((p[i+2] == 's' || p[i+2] == 'S'))) - break; - - star = false; - } - j = 0; - } - /* If no %s found then just print normally */ - if (!p[i]) - break; - - /* Copy up to the %s, and print that */ - strncpy(iter->fmt, p, i); - iter->fmt[i] = '\0'; - trace_seq_vprintf(&iter->seq, iter->fmt, ap); - - /* Add delta to %pS pointers */ - if (p[i+1] == 'p') { - unsigned long addr; - char fmt[4]; - - fmt[0] = '%'; - fmt[1] = 'p'; - fmt[2] = p[i+2]; /* Either %ps or %pS */ - fmt[3] = '\0'; - - addr = va_arg(ap, unsigned long); - addr += text_delta; - trace_seq_printf(&iter->seq, fmt, (void *)addr); - - p += i + 3; + if (!field->needs_test) continue; - } - /* - * If iter->seq is full, the above call no longer guarantees - * that ap is in sync with fmt processing, and further calls - * to va_arg() can return wrong positional arguments. - * - * Ensure that ap is no longer used in this case. - */ - if (iter->seq.full) { - p = ""; - break; - } + str = *(const char **)(ptr + field->offset); - if (star) - len = va_arg(ap, int); - - /* The ap now points to the string data of the %s */ - str = va_arg(ap, const char *); - - good = trace_safe_str(iter, str, star, len); - - /* Could be from the last boot */ - if (data_delta && !good) { - str += data_delta; - good = trace_safe_str(iter, str, star, len); - } + good = trace_safe_str(iter, str); /* * If you hit this warning, it is likely that the @@ -3846,44 +3729,14 @@ void trace_check_vprintf(struct trace_iterator *iter, const char *fmt, * instead. See samples/trace_events/trace-events-sample.h * for reference. */ - if (WARN_ONCE(!good, "fmt: '%s' current_buffer: '%s'", - fmt, seq_buf_str(&iter->seq.seq))) { - int ret; - - /* Try to safely read the string */ - if (star) { - if (len + 1 > iter->fmt_size) - len = iter->fmt_size - 1; - if (len < 0) - len = 0; - ret = copy_from_kernel_nofault(iter->fmt, str, len); - iter->fmt[len] = 0; - star = false; - } else { - ret = strncpy_from_kernel_nofault(iter->fmt, str, - iter->fmt_size); - } - if (ret < 0) - trace_seq_printf(&iter->seq, "(0x%px)", str); - else - trace_seq_printf(&iter->seq, "(0x%px:%s)", - str, iter->fmt); - str = "[UNSAFE-MEMORY]"; - strcpy(iter->fmt, "%s"); - } else { - strncpy(iter->fmt, p + i, j + 1); - iter->fmt[j+1] = '\0'; + if (WARN_ONCE(!good, "event '%s' has unsafe pointer field '%s'", + trace_event_name(event), field->name)) { + trace_seq_printf(seq, "EVENT %s: HAS UNSAFE POINTER FIELD '%s'\n", + trace_event_name(event), field->name); + return true; } - if (star) - trace_seq_printf(&iter->seq, iter->fmt, len, str); - else - trace_seq_printf(&iter->seq, iter->fmt, str); - - p += i + j + 1; } - print: - if (*p) - trace_seq_vprintf(&iter->seq, p, ap); + return false; } const char *trace_event_format(struct trace_iterator *iter, const char *fmt) @@ -10777,8 +10630,6 @@ __init static int tracer_alloc_buffers(void) register_snapshot_cmd(); - test_can_verify(); - return 0; out_free_pipe_cpumask: diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h index 266740b4e121..9691b47b5f3d 100644 --- a/kernel/trace/trace.h +++ b/kernel/trace/trace.h @@ -667,9 +667,8 @@ void trace_buffer_unlock_commit_nostack(struct trace_buffer *buffer, bool trace_is_tracepoint_string(const char *str); const char *trace_event_format(struct trace_iterator *iter, const char *fmt); -void trace_check_vprintf(struct trace_iterator *iter, const char *fmt, - va_list ap) __printf(2, 0); char *trace_iter_expand_format(struct trace_iterator *iter); +bool ignore_event(struct trace_iterator *iter); int trace_empty(struct trace_iterator *iter); @@ -1413,7 +1412,8 @@ struct ftrace_event_field { int filter_type; int offset; int size; - int is_signed; + unsigned int is_signed:1; + unsigned int needs_test:1; int len; }; diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c index 521ad2fd1fe7..1545cc8b49d0 100644 --- a/kernel/trace/trace_events.c +++ b/kernel/trace/trace_events.c @@ -82,7 +82,7 @@ static int system_refcount_dec(struct event_subsystem *system) } static struct ftrace_event_field * -__find_event_field(struct list_head *head, char *name) +__find_event_field(struct list_head *head, const char *name) { struct ftrace_event_field *field; @@ -114,7 +114,8 @@ trace_find_event_field(struct trace_event_call *call, char *name) static int __trace_define_field(struct list_head *head, const char *type, const char *name, int offset, int size, - int is_signed, int filter_type, int len) + int is_signed, int filter_type, int len, + int need_test) { struct ftrace_event_field *field; @@ -133,6 +134,7 @@ static int __trace_define_field(struct list_head *head, const char *type, field->offset = offset; field->size = size; field->is_signed = is_signed; + field->needs_test = need_test; field->len = len; list_add(&field->link, head); @@ -151,13 +153,13 @@ int trace_define_field(struct trace_event_call *call, const char *type, head = trace_get_fields(call); return __trace_define_field(head, type, name, offset, size, - is_signed, filter_type, 0); + is_signed, filter_type, 0, 0); } EXPORT_SYMBOL_GPL(trace_define_field); static int trace_define_field_ext(struct trace_event_call *call, const char *type, const char *name, int offset, int size, int is_signed, - int filter_type, int len) + int filter_type, int len, int need_test) { struct list_head *head; @@ -166,13 +168,13 @@ static int trace_define_field_ext(struct trace_event_call *call, const char *typ head = trace_get_fields(call); return __trace_define_field(head, type, name, offset, size, - is_signed, filter_type, len); + is_signed, filter_type, len, need_test); } #define __generic_field(type, item, filter_type) \ ret = __trace_define_field(&ftrace_generic_fields, #type, \ #item, 0, 0, is_signed_type(type), \ - filter_type, 0); \ + filter_type, 0, 0); \ if (ret) \ return ret; @@ -181,7 +183,8 @@ static int trace_define_field_ext(struct trace_event_call *call, const char *typ "common_" #item, \ offsetof(typeof(ent), item), \ sizeof(ent.item), \ - is_signed_type(type), FILTER_OTHER, 0); \ + is_signed_type(type), FILTER_OTHER, \ + 0, 0); \ if (ret) \ return ret; @@ -332,6 +335,7 @@ static bool process_pointer(const char *fmt, int len, struct trace_event_call *c /* Return true if the string is safe */ static bool process_string(const char *fmt, int len, struct trace_event_call *call) { + struct trace_event_fields *field; const char *r, *e, *s; e = fmt + len; @@ -372,8 +376,16 @@ static bool process_string(const char *fmt, int len, struct trace_event_call *ca if (process_pointer(fmt, len, call)) return true; - /* Make sure the field is found, and consider it OK for now if it is */ - return find_event_field(fmt, call) != NULL; + /* Make sure the field is found */ + field = find_event_field(fmt, call); + if (!field) + return false; + + /* Test this field's string before printing the event */ + call->flags |= TRACE_EVENT_FL_TEST_STR; + field->needs_test = 1; + + return true; } /* @@ -2586,7 +2598,7 @@ event_define_fields(struct trace_event_call *call) ret = trace_define_field_ext(call, field->type, field->name, offset, field->size, field->is_signed, field->filter_type, - field->len); + field->len, field->needs_test); if (WARN_ON_ONCE(ret)) { pr_err("error code is %d\n", ret); break; diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c index da748b7cbc4d..03d56f711ad1 100644 --- a/kernel/trace/trace_output.c +++ b/kernel/trace/trace_output.c @@ -317,10 +317,14 @@ EXPORT_SYMBOL(trace_raw_output_prep); void trace_event_printf(struct trace_iterator *iter, const char *fmt, ...) { + struct trace_seq *s = &iter->seq; va_list ap; + if (ignore_event(iter)) + return; + va_start(ap, fmt); - trace_check_vprintf(iter, trace_event_format(iter, fmt), ap); + trace_seq_vprintf(s, trace_event_format(iter, fmt), ap); va_end(ap); } EXPORT_SYMBOL(trace_event_printf);

10 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] tracing: Check "%s" dereference via the field and not the" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x afd2627f727b89496d79a6b934a025fc916d4ded # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122308-scrunch-gag-a448@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From afd2627f727b89496d79a6b934a025fc916d4ded Mon Sep 17 00:00:00 2001 From: Steven Rostedt <rostedt(a)goodmis.org> Date: Mon, 16 Dec 2024 21:41:22 -0500 Subject: [PATCH] tracing: Check "%s" dereference via the field and not the TP_printk format The TP_printk() portion of a trace event is executed at the time a event is read from the trace. This can happen seconds, minutes, hours, days, months, years possibly later since the event was recorded. If the print format contains a dereference to a string via "%s", and that string was allocated, there's a chance that string could be freed before it is read by the trace file. To protect against such bugs, there are two functions that verify the event. The first one is test_event_printk(), which is called when the event is created. It reads the TP_printk() format as well as its arguments to make sure nothing may be dereferencing a pointer that was not copied into the ring buffer along with the event. If it is, it will trigger a WARN_ON(). For strings that use "%s", it is not so easy. The string may not reside in the ring buffer but may still be valid. Strings that are static and part of the kernel proper which will not be freed for the life of the running system, are safe to dereference. But to know if it is a pointer to a static string or to something on the heap can not be determined until the event is triggered. This brings us to the second function that tests for the bad dereferencing of strings, trace_check_vprintf(). It would walk through the printf format looking for "%s", and when it finds it, it would validate that the pointer is safe to read. If not, it would produces a WARN_ON() as well and write into the ring buffer "[UNSAFE-MEMORY]". The problem with this is how it used va_list to have vsnprintf() handle all the cases that it didn't need to check. Instead of re-implementing vsnprintf(), it would make a copy of the format up to the %s part, and call vsnprintf() with the current va_list ap variable, where the ap would then be ready to point at the string in question. For architectures that passed va_list by reference this was possible. For architectures that passed it by copy it was not. A test_can_verify() function was used to differentiate between the two, and if it wasn't possible, it would disable it. Even for architectures where this was feasible, it was a stretch to rely on such a method that is undocumented, and could cause issues later on with new optimizations of the compiler. Instead, the first function test_event_printk() was updated to look at "%s" as well. If the "%s" argument is a pointer outside the event in the ring buffer, it would find the field type of the event that is the problem and mark the structure with a new flag called "needs_test". The event itself will be marked by TRACE_EVENT_FL_TEST_STR to let it be known that this event has a field that needs to be verified before the event can be printed using the printf format. When the event fields are created from the field type structure, the fields would copy the field type's "needs_test" value. Finally, before being printed, a new function ignore_event() is called which will check if the event has the TEST_STR flag set (if not, it returns false). If the flag is set, it then iterates through the events fields looking for the ones that have the "needs_test" flag set. Then it uses the offset field from the field structure to find the pointer in the ring buffer event. It runs the tests to make sure that pointer is safe to print and if not, it triggers the WARN_ON() and also adds to the trace output that the event in question has an unsafe memory access. The ignore_event() makes the trace_check_vprintf() obsolete so it is removed. Link: https://lore.kernel.org/all/CAHk-=wh3uOnqnZPpR0PeLZZtyWbZLboZ7cHLCKRWsocvs9… Cc: stable(a)vger.kernel.org Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Mark Rutland <mark.rutland(a)arm.com> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: Al Viro <viro(a)ZenIV.linux.org.uk> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Link: https://lore.kernel.org/20241217024720.848621576@goodmis.org Fixes: 5013f454a352c ("tracing: Add check of trace event print fmts for dereferencing pointers") Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> diff --git a/include/linux/trace_events.h b/include/linux/trace_events.h index 2a5df5b62cfc..91b8ffbdfa8c 100644 --- a/include/linux/trace_events.h +++ b/include/linux/trace_events.h @@ -273,7 +273,8 @@ struct trace_event_fields { const char *name; const int size; const int align; - const int is_signed; + const unsigned int is_signed:1; + unsigned int needs_test:1; const int filter_type; const int len; }; @@ -324,6 +325,7 @@ enum { TRACE_EVENT_FL_EPROBE_BIT, TRACE_EVENT_FL_FPROBE_BIT, TRACE_EVENT_FL_CUSTOM_BIT, + TRACE_EVENT_FL_TEST_STR_BIT, }; /* @@ -340,6 +342,7 @@ enum { * CUSTOM - Event is a custom event (to be attached to an exsiting tracepoint) * This is set when the custom event has not been attached * to a tracepoint yet, then it is cleared when it is. + * TEST_STR - The event has a "%s" that points to a string outside the event */ enum { TRACE_EVENT_FL_CAP_ANY = (1 << TRACE_EVENT_FL_CAP_ANY_BIT), @@ -352,6 +355,7 @@ enum { TRACE_EVENT_FL_EPROBE = (1 << TRACE_EVENT_FL_EPROBE_BIT), TRACE_EVENT_FL_FPROBE = (1 << TRACE_EVENT_FL_FPROBE_BIT), TRACE_EVENT_FL_CUSTOM = (1 << TRACE_EVENT_FL_CUSTOM_BIT), + TRACE_EVENT_FL_TEST_STR = (1 << TRACE_EVENT_FL_TEST_STR_BIT), }; #define TRACE_EVENT_FL_UKPROBE (TRACE_EVENT_FL_KPROBE | TRACE_EVENT_FL_UPROBE) diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index be62f0ea1814..7cc18b9bce27 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -3611,17 +3611,12 @@ char *trace_iter_expand_format(struct trace_iterator *iter) } /* Returns true if the string is safe to dereference from an event */ -static bool trace_safe_str(struct trace_iterator *iter, const char *str, - bool star, int len) +static bool trace_safe_str(struct trace_iterator *iter, const char *str) { unsigned long addr = (unsigned long)str; struct trace_event *trace_event; struct trace_event_call *event; - /* Ignore strings with no length */ - if (star && !len) - return true; - /* OK if part of the event data */ if ((addr >= (unsigned long)iter->ent) && (addr < (unsigned long)iter->ent + iter->ent_size)) @@ -3661,181 +3656,69 @@ static bool trace_safe_str(struct trace_iterator *iter, const char *str, return false; } -static DEFINE_STATIC_KEY_FALSE(trace_no_verify); - -static int test_can_verify_check(const char *fmt, ...) -{ - char buf[16]; - va_list ap; - int ret; - - /* - * The verifier is dependent on vsnprintf() modifies the va_list - * passed to it, where it is sent as a reference. Some architectures - * (like x86_32) passes it by value, which means that vsnprintf() - * does not modify the va_list passed to it, and the verifier - * would then need to be able to understand all the values that - * vsnprintf can use. If it is passed by value, then the verifier - * is disabled. - */ - va_start(ap, fmt); - vsnprintf(buf, 16, "%d", ap); - ret = va_arg(ap, int); - va_end(ap); - - return ret; -} - -static void test_can_verify(void) -{ - if (!test_can_verify_check("%d %d", 0, 1)) { - pr_info("trace event string verifier disabled\n"); - static_branch_inc(&trace_no_verify); - } -} - /** - * trace_check_vprintf - Check dereferenced strings while writing to the seq buffer + * ignore_event - Check dereferenced fields while writing to the seq buffer * @iter: The iterator that holds the seq buffer and the event being printed - * @fmt: The format used to print the event - * @ap: The va_list holding the data to print from @fmt. * - * This writes the data into the @iter->seq buffer using the data from - * @fmt and @ap. If the format has a %s, then the source of the string - * is examined to make sure it is safe to print, otherwise it will - * warn and print "[UNSAFE MEMORY]" in place of the dereferenced string - * pointer. + * At boot up, test_event_printk() will flag any event that dereferences + * a string with "%s" that does exist in the ring buffer. It may still + * be valid, as the string may point to a static string in the kernel + * rodata that never gets freed. But if the string pointer is pointing + * to something that was allocated, there's a chance that it can be freed + * by the time the user reads the trace. This would cause a bad memory + * access by the kernel and possibly crash the system. + * + * This function will check if the event has any fields flagged as needing + * to be checked at runtime and perform those checks. + * + * If it is found that a field is unsafe, it will write into the @iter->seq + * a message stating what was found to be unsafe. + * + * @return: true if the event is unsafe and should be ignored, + * false otherwise. */ -void trace_check_vprintf(struct trace_iterator *iter, const char *fmt, - va_list ap) +bool ignore_event(struct trace_iterator *iter) { - long text_delta = 0; - long data_delta = 0; - const char *p = fmt; - const char *str; - bool good; - int i, j; + struct ftrace_event_field *field; + struct trace_event *trace_event; + struct trace_event_call *event; + struct list_head *head; + struct trace_seq *seq; + const void *ptr; - if (WARN_ON_ONCE(!fmt)) - return; + trace_event = ftrace_find_event(iter->ent->type); - if (static_branch_unlikely(&trace_no_verify)) - goto print; + seq = &iter->seq; - /* - * When the kernel is booted with the tp_printk command line - * parameter, trace events go directly through to printk(). - * It also is checked by this function, but it does not - * have an associated trace_array (tr) for it. - */ - if (iter->tr) { - text_delta = iter->tr->text_delta; - data_delta = iter->tr->data_delta; + if (!trace_event) { + trace_seq_printf(seq, "EVENT ID %d NOT FOUND?\n", iter->ent->type); + return true; } - /* Don't bother checking when doing a ftrace_dump() */ - if (iter->fmt == static_fmt_buf) - goto print; + event = container_of(trace_event, struct trace_event_call, event); + if (!(event->flags & TRACE_EVENT_FL_TEST_STR)) + return false; - while (*p) { - bool star = false; - int len = 0; + head = trace_get_fields(event); + if (!head) { + trace_seq_printf(seq, "FIELDS FOR EVENT '%s' NOT FOUND?\n", + trace_event_name(event)); + return true; + } - j = 0; + /* Offsets are from the iter->ent that points to the raw event */ + ptr = iter->ent; - /* - * We only care about %s and variants - * as well as %p[sS] if delta is non-zero - */ - for (i = 0; p[i]; i++) { - if (i + 1 >= iter->fmt_size) { - /* - * If we can't expand the copy buffer, - * just print it. - */ - if (!trace_iter_expand_format(iter)) - goto print; - } + list_for_each_entry(field, head, link) { + const char *str; + bool good; - if (p[i] == '\\' && p[i+1]) { - i++; - continue; - } - if (p[i] == '%') { - /* Need to test cases like %08.*s */ - for (j = 1; p[i+j]; j++) { - if (isdigit(p[i+j]) || - p[i+j] == '.') - continue; - if (p[i+j] == '*') { - star = true; - continue; - } - break; - } - if (p[i+j] == 's') - break; - - if (text_delta && p[i+1] == 'p' && - ((p[i+2] == 's' || p[i+2] == 'S'))) - break; - - star = false; - } - j = 0; - } - /* If no %s found then just print normally */ - if (!p[i]) - break; - - /* Copy up to the %s, and print that */ - strncpy(iter->fmt, p, i); - iter->fmt[i] = '\0'; - trace_seq_vprintf(&iter->seq, iter->fmt, ap); - - /* Add delta to %pS pointers */ - if (p[i+1] == 'p') { - unsigned long addr; - char fmt[4]; - - fmt[0] = '%'; - fmt[1] = 'p'; - fmt[2] = p[i+2]; /* Either %ps or %pS */ - fmt[3] = '\0'; - - addr = va_arg(ap, unsigned long); - addr += text_delta; - trace_seq_printf(&iter->seq, fmt, (void *)addr); - - p += i + 3; + if (!field->needs_test) continue; - } - /* - * If iter->seq is full, the above call no longer guarantees - * that ap is in sync with fmt processing, and further calls - * to va_arg() can return wrong positional arguments. - * - * Ensure that ap is no longer used in this case. - */ - if (iter->seq.full) { - p = ""; - break; - } + str = *(const char **)(ptr + field->offset); - if (star) - len = va_arg(ap, int); - - /* The ap now points to the string data of the %s */ - str = va_arg(ap, const char *); - - good = trace_safe_str(iter, str, star, len); - - /* Could be from the last boot */ - if (data_delta && !good) { - str += data_delta; - good = trace_safe_str(iter, str, star, len); - } + good = trace_safe_str(iter, str); /* * If you hit this warning, it is likely that the @@ -3846,44 +3729,14 @@ void trace_check_vprintf(struct trace_iterator *iter, const char *fmt, * instead. See samples/trace_events/trace-events-sample.h * for reference. */ - if (WARN_ONCE(!good, "fmt: '%s' current_buffer: '%s'", - fmt, seq_buf_str(&iter->seq.seq))) { - int ret; - - /* Try to safely read the string */ - if (star) { - if (len + 1 > iter->fmt_size) - len = iter->fmt_size - 1; - if (len < 0) - len = 0; - ret = copy_from_kernel_nofault(iter->fmt, str, len); - iter->fmt[len] = 0; - star = false; - } else { - ret = strncpy_from_kernel_nofault(iter->fmt, str, - iter->fmt_size); - } - if (ret < 0) - trace_seq_printf(&iter->seq, "(0x%px)", str); - else - trace_seq_printf(&iter->seq, "(0x%px:%s)", - str, iter->fmt); - str = "[UNSAFE-MEMORY]"; - strcpy(iter->fmt, "%s"); - } else { - strncpy(iter->fmt, p + i, j + 1); - iter->fmt[j+1] = '\0'; + if (WARN_ONCE(!good, "event '%s' has unsafe pointer field '%s'", + trace_event_name(event), field->name)) { + trace_seq_printf(seq, "EVENT %s: HAS UNSAFE POINTER FIELD '%s'\n", + trace_event_name(event), field->name); + return true; } - if (star) - trace_seq_printf(&iter->seq, iter->fmt, len, str); - else - trace_seq_printf(&iter->seq, iter->fmt, str); - - p += i + j + 1; } - print: - if (*p) - trace_seq_vprintf(&iter->seq, p, ap); + return false; } const char *trace_event_format(struct trace_iterator *iter, const char *fmt) @@ -10777,8 +10630,6 @@ __init static int tracer_alloc_buffers(void) register_snapshot_cmd(); - test_can_verify(); - return 0; out_free_pipe_cpumask: diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h index 266740b4e121..9691b47b5f3d 100644 --- a/kernel/trace/trace.h +++ b/kernel/trace/trace.h @@ -667,9 +667,8 @@ void trace_buffer_unlock_commit_nostack(struct trace_buffer *buffer, bool trace_is_tracepoint_string(const char *str); const char *trace_event_format(struct trace_iterator *iter, const char *fmt); -void trace_check_vprintf(struct trace_iterator *iter, const char *fmt, - va_list ap) __printf(2, 0); char *trace_iter_expand_format(struct trace_iterator *iter); +bool ignore_event(struct trace_iterator *iter); int trace_empty(struct trace_iterator *iter); @@ -1413,7 +1412,8 @@ struct ftrace_event_field { int filter_type; int offset; int size; - int is_signed; + unsigned int is_signed:1; + unsigned int needs_test:1; int len; }; diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c index 521ad2fd1fe7..1545cc8b49d0 100644 --- a/kernel/trace/trace_events.c +++ b/kernel/trace/trace_events.c @@ -82,7 +82,7 @@ static int system_refcount_dec(struct event_subsystem *system) } static struct ftrace_event_field * -__find_event_field(struct list_head *head, char *name) +__find_event_field(struct list_head *head, const char *name) { struct ftrace_event_field *field; @@ -114,7 +114,8 @@ trace_find_event_field(struct trace_event_call *call, char *name) static int __trace_define_field(struct list_head *head, const char *type, const char *name, int offset, int size, - int is_signed, int filter_type, int len) + int is_signed, int filter_type, int len, + int need_test) { struct ftrace_event_field *field; @@ -133,6 +134,7 @@ static int __trace_define_field(struct list_head *head, const char *type, field->offset = offset; field->size = size; field->is_signed = is_signed; + field->needs_test = need_test; field->len = len; list_add(&field->link, head); @@ -151,13 +153,13 @@ int trace_define_field(struct trace_event_call *call, const char *type, head = trace_get_fields(call); return __trace_define_field(head, type, name, offset, size, - is_signed, filter_type, 0); + is_signed, filter_type, 0, 0); } EXPORT_SYMBOL_GPL(trace_define_field); static int trace_define_field_ext(struct trace_event_call *call, const char *type, const char *name, int offset, int size, int is_signed, - int filter_type, int len) + int filter_type, int len, int need_test) { struct list_head *head; @@ -166,13 +168,13 @@ static int trace_define_field_ext(struct trace_event_call *call, const char *typ head = trace_get_fields(call); return __trace_define_field(head, type, name, offset, size, - is_signed, filter_type, len); + is_signed, filter_type, len, need_test); } #define __generic_field(type, item, filter_type) \ ret = __trace_define_field(&ftrace_generic_fields, #type, \ #item, 0, 0, is_signed_type(type), \ - filter_type, 0); \ + filter_type, 0, 0); \ if (ret) \ return ret; @@ -181,7 +183,8 @@ static int trace_define_field_ext(struct trace_event_call *call, const char *typ "common_" #item, \ offsetof(typeof(ent), item), \ sizeof(ent.item), \ - is_signed_type(type), FILTER_OTHER, 0); \ + is_signed_type(type), FILTER_OTHER, \ + 0, 0); \ if (ret) \ return ret; @@ -332,6 +335,7 @@ static bool process_pointer(const char *fmt, int len, struct trace_event_call *c /* Return true if the string is safe */ static bool process_string(const char *fmt, int len, struct trace_event_call *call) { + struct trace_event_fields *field; const char *r, *e, *s; e = fmt + len; @@ -372,8 +376,16 @@ static bool process_string(const char *fmt, int len, struct trace_event_call *ca if (process_pointer(fmt, len, call)) return true; - /* Make sure the field is found, and consider it OK for now if it is */ - return find_event_field(fmt, call) != NULL; + /* Make sure the field is found */ + field = find_event_field(fmt, call); + if (!field) + return false; + + /* Test this field's string before printing the event */ + call->flags |= TRACE_EVENT_FL_TEST_STR; + field->needs_test = 1; + + return true; } /* @@ -2586,7 +2598,7 @@ event_define_fields(struct trace_event_call *call) ret = trace_define_field_ext(call, field->type, field->name, offset, field->size, field->is_signed, field->filter_type, - field->len); + field->len, field->needs_test); if (WARN_ON_ONCE(ret)) { pr_err("error code is %d\n", ret); break; diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c index da748b7cbc4d..03d56f711ad1 100644 --- a/kernel/trace/trace_output.c +++ b/kernel/trace/trace_output.c @@ -317,10 +317,14 @@ EXPORT_SYMBOL(trace_raw_output_prep); void trace_event_printf(struct trace_iterator *iter, const char *fmt, ...) { + struct trace_seq *s = &iter->seq; va_list ap; + if (ignore_event(iter)) + return; + va_start(ap, fmt); - trace_check_vprintf(iter, trace_event_format(iter, fmt), ap); + trace_seq_vprintf(s, trace_event_format(iter, fmt), ap); va_end(ap); } EXPORT_SYMBOL(trace_event_printf);

10 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] Drivers: hv: util: Avoid accessing a ringbuffer not" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 07a756a49f4b4290b49ea46e089cbe6f79ff8d26 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122355-diligence-trapper-0972@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 07a756a49f4b4290b49ea46e089cbe6f79ff8d26 Mon Sep 17 00:00:00 2001 From: Michael Kelley <mhklinux(a)outlook.com> Date: Wed, 6 Nov 2024 07:42:47 -0800 Subject: [PATCH] Drivers: hv: util: Avoid accessing a ringbuffer not initialized yet If the KVP (or VSS) daemon starts before the VMBus channel's ringbuffer is fully initialized, we can hit the panic below: hv_utils: Registering HyperV Utility Driver hv_vmbus: registering driver hv_utils ... BUG: kernel NULL pointer dereference, address: 0000000000000000 CPU: 44 UID: 0 PID: 2552 Comm: hv_kvp_daemon Tainted: G E 6.11.0-rc3+ #1 RIP: 0010:hv_pkt_iter_first+0x12/0xd0 Call Trace: ... vmbus_recvpacket hv_kvp_onchannelcallback vmbus_on_event tasklet_action_common tasklet_action handle_softirqs irq_exit_rcu sysvec_hyperv_stimer0 </IRQ> <TASK> asm_sysvec_hyperv_stimer0 ... kvp_register_done hvt_op_read vfs_read ksys_read __x64_sys_read This can happen because the KVP/VSS channel callback can be invoked even before the channel is fully opened: 1) as soon as hv_kvp_init() -> hvutil_transport_init() creates /dev/vmbus/hv_kvp, the kvp daemon can open the device file immediately and register itself to the driver by writing a message KVP_OP_REGISTER1 to the file (which is handled by kvp_on_msg() ->kvp_handle_handshake()) and reading the file for the driver's response, which is handled by hvt_op_read(), which calls hvt->on_read(), i.e. kvp_register_done(). 2) the problem with kvp_register_done() is that it can cause the channel callback to be called even before the channel is fully opened, and when the channel callback is starting to run, util_probe()-> vmbus_open() may have not initialized the ringbuffer yet, so the callback can hit the panic of NULL pointer dereference. To reproduce the panic consistently, we can add a "ssleep(10)" for KVP in __vmbus_open(), just before the first hv_ringbuffer_init(), and then we unload and reload the driver hv_utils, and run the daemon manually within the 10 seconds. Fix the panic by reordering the steps in util_probe() so the char dev entry used by the KVP or VSS daemon is not created until after vmbus_open() has completed. This reordering prevents the race condition from happening. Reported-by: Dexuan Cui <decui(a)microsoft.com> Fixes: e0fa3e5e7df6 ("Drivers: hv: utils: fix a race on userspace daemons registration") Cc: stable(a)vger.kernel.org Signed-off-by: Michael Kelley <mhklinux(a)outlook.com> Acked-by: Wei Liu <wei.liu(a)kernel.org> Link: https://lore.kernel.org/r/20241106154247.2271-3-mhklinux@outlook.com Signed-off-by: Wei Liu <wei.liu(a)kernel.org> Message-ID: <20241106154247.2271-3-mhklinux(a)outlook.com> diff --git a/drivers/hv/hv_kvp.c b/drivers/hv/hv_kvp.c index 29e01247a087..7400a5a4d2bd 100644 --- a/drivers/hv/hv_kvp.c +++ b/drivers/hv/hv_kvp.c @@ -767,6 +767,12 @@ hv_kvp_init(struct hv_util_service *srv) */ kvp_transaction.state = HVUTIL_DEVICE_INIT; + return 0; +} + +int +hv_kvp_init_transport(void) +{ hvt = hvutil_transport_init(kvp_devname, CN_KVP_IDX, CN_KVP_VAL, kvp_on_msg, kvp_on_reset); if (!hvt) diff --git a/drivers/hv/hv_snapshot.c b/drivers/hv/hv_snapshot.c index 86d87486ed40..bde637a96c37 100644 --- a/drivers/hv/hv_snapshot.c +++ b/drivers/hv/hv_snapshot.c @@ -389,6 +389,12 @@ hv_vss_init(struct hv_util_service *srv) */ vss_transaction.state = HVUTIL_DEVICE_INIT; + return 0; +} + +int +hv_vss_init_transport(void) +{ hvt = hvutil_transport_init(vss_devname, CN_VSS_IDX, CN_VSS_VAL, vss_on_msg, vss_on_reset); if (!hvt) { diff --git a/drivers/hv/hv_util.c b/drivers/hv/hv_util.c index 370722220134..36ee89c0358b 100644 --- a/drivers/hv/hv_util.c +++ b/drivers/hv/hv_util.c @@ -141,6 +141,7 @@ static struct hv_util_service util_heartbeat = { static struct hv_util_service util_kvp = { .util_cb = hv_kvp_onchannelcallback, .util_init = hv_kvp_init, + .util_init_transport = hv_kvp_init_transport, .util_pre_suspend = hv_kvp_pre_suspend, .util_pre_resume = hv_kvp_pre_resume, .util_deinit = hv_kvp_deinit, @@ -149,6 +150,7 @@ static struct hv_util_service util_kvp = { static struct hv_util_service util_vss = { .util_cb = hv_vss_onchannelcallback, .util_init = hv_vss_init, + .util_init_transport = hv_vss_init_transport, .util_pre_suspend = hv_vss_pre_suspend, .util_pre_resume = hv_vss_pre_resume, .util_deinit = hv_vss_deinit, @@ -611,6 +613,13 @@ static int util_probe(struct hv_device *dev, if (ret) goto error; + if (srv->util_init_transport) { + ret = srv->util_init_transport(); + if (ret) { + vmbus_close(dev->channel); + goto error; + } + } return 0; error: diff --git a/drivers/hv/hyperv_vmbus.h b/drivers/hv/hyperv_vmbus.h index d2856023d53c..52cb744b4d7f 100644 --- a/drivers/hv/hyperv_vmbus.h +++ b/drivers/hv/hyperv_vmbus.h @@ -370,12 +370,14 @@ void vmbus_on_event(unsigned long data); void vmbus_on_msg_dpc(unsigned long data); int hv_kvp_init(struct hv_util_service *srv); +int hv_kvp_init_transport(void); void hv_kvp_deinit(void); int hv_kvp_pre_suspend(void); int hv_kvp_pre_resume(void); void hv_kvp_onchannelcallback(void *context); int hv_vss_init(struct hv_util_service *srv); +int hv_vss_init_transport(void); void hv_vss_deinit(void); int hv_vss_pre_suspend(void); int hv_vss_pre_resume(void); diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h index 22c22fb91042..02a226bcf0ed 100644 --- a/include/linux/hyperv.h +++ b/include/linux/hyperv.h @@ -1559,6 +1559,7 @@ struct hv_util_service { void *channel; void (*util_cb)(void *); int (*util_init)(struct hv_util_service *); + int (*util_init_transport)(void); void (*util_deinit)(void); int (*util_pre_suspend)(void); int (*util_pre_resume)(void);

10 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] selinux: ignore unknown extended permissions" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 900f83cf376bdaf798b6f5dcb2eae0c822e908b6 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122322-bamboo-diffuser-35cc@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 900f83cf376bdaf798b6f5dcb2eae0c822e908b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= <tweek(a)google.com> Date: Thu, 5 Dec 2024 12:09:19 +1100 Subject: [PATCH] selinux: ignore unknown extended permissions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When evaluating extended permissions, ignore unknown permissions instead of calling BUG(). This commit ensures that future permissions can be added without interfering with older kernels. Cc: stable(a)vger.kernel.org Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls") Signed-off-by: Thiébaud Weksteen <tweek(a)google.com> Signed-off-by: Paul Moore <paul(a)paul-moore.com> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 971c45d576ba..3d5c563cfc4c 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -979,7 +979,10 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd, return; break; default: - BUG(); + pr_warn_once( + "SELinux: unknown extended permission (%u) will be ignored\n", + node->datum.u.xperms->specified); + return; } if (node->key.specified == AVTAB_XPERMS_ALLOWED) { @@ -998,7 +1001,8 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd, &node->datum.u.xperms->perms, xpermd->dontaudit); } else { - BUG(); + pr_warn_once("SELinux: unknown specified key (%u)\n", + node->key.specified); } }

10 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] selinux: ignore unknown extended permissions" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 900f83cf376bdaf798b6f5dcb2eae0c822e908b6 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122322-wasp-anthem-adcd@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 900f83cf376bdaf798b6f5dcb2eae0c822e908b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= <tweek(a)google.com> Date: Thu, 5 Dec 2024 12:09:19 +1100 Subject: [PATCH] selinux: ignore unknown extended permissions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When evaluating extended permissions, ignore unknown permissions instead of calling BUG(). This commit ensures that future permissions can be added without interfering with older kernels. Cc: stable(a)vger.kernel.org Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls") Signed-off-by: Thiébaud Weksteen <tweek(a)google.com> Signed-off-by: Paul Moore <paul(a)paul-moore.com> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 971c45d576ba..3d5c563cfc4c 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -979,7 +979,10 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd, return; break; default: - BUG(); + pr_warn_once( + "SELinux: unknown extended permission (%u) will be ignored\n", + node->datum.u.xperms->specified); + return; } if (node->key.specified == AVTAB_XPERMS_ALLOWED) { @@ -998,7 +1001,8 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd, &node->datum.u.xperms->perms, xpermd->dontaudit); } else { - BUG(); + pr_warn_once("SELinux: unknown specified key (%u)\n", + node->key.specified); } }

10 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] selinux: ignore unknown extended permissions" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 900f83cf376bdaf798b6f5dcb2eae0c822e908b6 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122321-atlas-upcoming-427e@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 900f83cf376bdaf798b6f5dcb2eae0c822e908b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= <tweek(a)google.com> Date: Thu, 5 Dec 2024 12:09:19 +1100 Subject: [PATCH] selinux: ignore unknown extended permissions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When evaluating extended permissions, ignore unknown permissions instead of calling BUG(). This commit ensures that future permissions can be added without interfering with older kernels. Cc: stable(a)vger.kernel.org Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls") Signed-off-by: Thiébaud Weksteen <tweek(a)google.com> Signed-off-by: Paul Moore <paul(a)paul-moore.com> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 971c45d576ba..3d5c563cfc4c 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -979,7 +979,10 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd, return; break; default: - BUG(); + pr_warn_once( + "SELinux: unknown extended permission (%u) will be ignored\n", + node->datum.u.xperms->specified); + return; } if (node->key.specified == AVTAB_XPERMS_ALLOWED) { @@ -998,7 +1001,8 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd, &node->datum.u.xperms->perms, xpermd->dontaudit); } else { - BUG(); + pr_warn_once("SELinux: unknown specified key (%u)\n", + node->key.specified); } }

10 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] selinux: ignore unknown extended permissions" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 900f83cf376bdaf798b6f5dcb2eae0c822e908b6 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122321-blubber-backer-885c@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 900f83cf376bdaf798b6f5dcb2eae0c822e908b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= <tweek(a)google.com> Date: Thu, 5 Dec 2024 12:09:19 +1100 Subject: [PATCH] selinux: ignore unknown extended permissions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When evaluating extended permissions, ignore unknown permissions instead of calling BUG(). This commit ensures that future permissions can be added without interfering with older kernels. Cc: stable(a)vger.kernel.org Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls") Signed-off-by: Thiébaud Weksteen <tweek(a)google.com> Signed-off-by: Paul Moore <paul(a)paul-moore.com> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 971c45d576ba..3d5c563cfc4c 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -979,7 +979,10 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd, return; break; default: - BUG(); + pr_warn_once( + "SELinux: unknown extended permission (%u) will be ignored\n", + node->datum.u.xperms->specified); + return; } if (node->key.specified == AVTAB_XPERMS_ALLOWED) { @@ -998,7 +1001,8 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd, &node->datum.u.xperms->perms, xpermd->dontaudit); } else { - BUG(); + pr_warn_once("SELinux: unknown specified key (%u)\n", + node->key.specified); } }

10 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] selinux: ignore unknown extended permissions" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 900f83cf376bdaf798b6f5dcb2eae0c822e908b6 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122320-ripening-browsing-fdaa@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 900f83cf376bdaf798b6f5dcb2eae0c822e908b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= <tweek(a)google.com> Date: Thu, 5 Dec 2024 12:09:19 +1100 Subject: [PATCH] selinux: ignore unknown extended permissions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When evaluating extended permissions, ignore unknown permissions instead of calling BUG(). This commit ensures that future permissions can be added without interfering with older kernels. Cc: stable(a)vger.kernel.org Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls") Signed-off-by: Thiébaud Weksteen <tweek(a)google.com> Signed-off-by: Paul Moore <paul(a)paul-moore.com> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 971c45d576ba..3d5c563cfc4c 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -979,7 +979,10 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd, return; break; default: - BUG(); + pr_warn_once( + "SELinux: unknown extended permission (%u) will be ignored\n", + node->datum.u.xperms->specified); + return; } if (node->key.specified == AVTAB_XPERMS_ALLOWED) { @@ -998,7 +1001,8 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd, &node->datum.u.xperms->perms, xpermd->dontaudit); } else { - BUG(); + pr_warn_once("SELinux: unknown specified key (%u)\n", + node->key.specified); } }

10 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] btrfs: split bios to the fs sector size boundary" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x be691b5e593f2cc8cef67bbc59c1fb91b74a86a9 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122335-devouring-gone-1855@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From be691b5e593f2cc8cef67bbc59c1fb91b74a86a9 Mon Sep 17 00:00:00 2001 From: Christoph Hellwig <hch(a)lst.de> Date: Mon, 4 Nov 2024 07:26:33 +0100 Subject: [PATCH] btrfs: split bios to the fs sector size boundary Btrfs like other file systems can't really deal with I/O not aligned to it's internal block size (which strangely is called sector size in btrfs, for historical reasons), but the block layer split helper doesn't even know about that. Round down the split boundary so that all I/Os are aligned. Fixes: d5e4377d5051 ("btrfs: split zone append bios in btrfs_submit_bio") CC: stable(a)vger.kernel.org # 6.12 Reviewed-by: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Signed-off-by: Christoph Hellwig <hch(a)lst.de> Reviewed-by: Damien Le Moal <dlemoal(a)kernel.org> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/bio.c b/fs/btrfs/bio.c index 011cc97be3b5..78f5606baacb 100644 --- a/fs/btrfs/bio.c +++ b/fs/btrfs/bio.c @@ -649,8 +649,14 @@ static u64 btrfs_append_map_length(struct btrfs_bio *bbio, u64 map_length) map_length = min(map_length, bbio->fs_info->max_zone_append_size); sector_offset = bio_split_rw_at(&bbio->bio, &bbio->fs_info->limits, &nr_segs, map_length); - if (sector_offset) - return sector_offset << SECTOR_SHIFT; + if (sector_offset) { + /* + * bio_split_rw_at() could split at a size smaller than our + * sectorsize and thus cause unaligned I/Os. Fix that by + * always rounding down to the nearest boundary. + */ + return ALIGN_DOWN(sector_offset << SECTOR_SHIFT, bbio->fs_info->sectorsize); + } return map_length; }

10 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] zram: fix uninitialized ZRAM not releasing backing device" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 74363ec674cb172d8856de25776c8f3103f05e2f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122336-lustfully-gurgle-a07f@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 74363ec674cb172d8856de25776c8f3103f05e2f Mon Sep 17 00:00:00 2001 From: Kairui Song <kasong(a)tencent.com> Date: Tue, 10 Dec 2024 00:57:16 +0800 Subject: [PATCH] zram: fix uninitialized ZRAM not releasing backing device Setting backing device is done before ZRAM initialization. If we set the backing device, then remove the ZRAM module without initializing the device, the backing device reference will be leaked and the device will be hold forever. Fix this by always reset the ZRAM fully on rmmod or reset store. Link: https://lkml.kernel.org/r/20241209165717.94215-3-ryncsn@gmail.com Fixes: 013bf95a83ec ("zram: add interface to specif backing device") Signed-off-by: Kairui Song <kasong(a)tencent.com> Reported-by: Desheng Wu <deshengwu(a)tencent.com> Suggested-by: Sergey Senozhatsky <senozhatsky(a)chromium.org> Reviewed-by: Sergey Senozhatsky <senozhatsky(a)chromium.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c index e86cc3d2f4d2..45df5eeabc5e 100644 --- a/drivers/block/zram/zram_drv.c +++ b/drivers/block/zram/zram_drv.c @@ -1444,12 +1444,16 @@ static void zram_meta_free(struct zram *zram, u64 disksize) size_t num_pages = disksize >> PAGE_SHIFT; size_t index; + if (!zram->table) + return; + /* Free all pages that are still in this zram device */ for (index = 0; index < num_pages; index++) zram_free_page(zram, index); zs_destroy_pool(zram->mem_pool); vfree(zram->table); + zram->table = NULL; } static bool zram_meta_alloc(struct zram *zram, u64 disksize) @@ -2326,11 +2330,6 @@ static void zram_reset_device(struct zram *zram) zram->limit_pages = 0; - if (!init_done(zram)) { - up_write(&zram->init_lock); - return; - } - set_capacity_and_notify(zram->disk, 0); part_stat_set_all(zram->disk->part0, 0);

10 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] zram: fix uninitialized ZRAM not releasing backing device" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 74363ec674cb172d8856de25776c8f3103f05e2f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122336-italicize-cusp-3f6c@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 74363ec674cb172d8856de25776c8f3103f05e2f Mon Sep 17 00:00:00 2001 From: Kairui Song <kasong(a)tencent.com> Date: Tue, 10 Dec 2024 00:57:16 +0800 Subject: [PATCH] zram: fix uninitialized ZRAM not releasing backing device Setting backing device is done before ZRAM initialization. If we set the backing device, then remove the ZRAM module without initializing the device, the backing device reference will be leaked and the device will be hold forever. Fix this by always reset the ZRAM fully on rmmod or reset store. Link: https://lkml.kernel.org/r/20241209165717.94215-3-ryncsn@gmail.com Fixes: 013bf95a83ec ("zram: add interface to specif backing device") Signed-off-by: Kairui Song <kasong(a)tencent.com> Reported-by: Desheng Wu <deshengwu(a)tencent.com> Suggested-by: Sergey Senozhatsky <senozhatsky(a)chromium.org> Reviewed-by: Sergey Senozhatsky <senozhatsky(a)chromium.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c index e86cc3d2f4d2..45df5eeabc5e 100644 --- a/drivers/block/zram/zram_drv.c +++ b/drivers/block/zram/zram_drv.c @@ -1444,12 +1444,16 @@ static void zram_meta_free(struct zram *zram, u64 disksize) size_t num_pages = disksize >> PAGE_SHIFT; size_t index; + if (!zram->table) + return; + /* Free all pages that are still in this zram device */ for (index = 0; index < num_pages; index++) zram_free_page(zram, index); zs_destroy_pool(zram->mem_pool); vfree(zram->table); + zram->table = NULL; } static bool zram_meta_alloc(struct zram *zram, u64 disksize) @@ -2326,11 +2330,6 @@ static void zram_reset_device(struct zram *zram) zram->limit_pages = 0; - if (!init_done(zram)) { - up_write(&zram->init_lock); - return; - } - set_capacity_and_notify(zram->disk, 0); part_stat_set_all(zram->disk->part0, 0);

10 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] zram: fix uninitialized ZRAM not releasing backing device" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 74363ec674cb172d8856de25776c8f3103f05e2f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122335-italicize-barge-aaae@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 74363ec674cb172d8856de25776c8f3103f05e2f Mon Sep 17 00:00:00 2001 From: Kairui Song <kasong(a)tencent.com> Date: Tue, 10 Dec 2024 00:57:16 +0800 Subject: [PATCH] zram: fix uninitialized ZRAM not releasing backing device Setting backing device is done before ZRAM initialization. If we set the backing device, then remove the ZRAM module without initializing the device, the backing device reference will be leaked and the device will be hold forever. Fix this by always reset the ZRAM fully on rmmod or reset store. Link: https://lkml.kernel.org/r/20241209165717.94215-3-ryncsn@gmail.com Fixes: 013bf95a83ec ("zram: add interface to specif backing device") Signed-off-by: Kairui Song <kasong(a)tencent.com> Reported-by: Desheng Wu <deshengwu(a)tencent.com> Suggested-by: Sergey Senozhatsky <senozhatsky(a)chromium.org> Reviewed-by: Sergey Senozhatsky <senozhatsky(a)chromium.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c index e86cc3d2f4d2..45df5eeabc5e 100644 --- a/drivers/block/zram/zram_drv.c +++ b/drivers/block/zram/zram_drv.c @@ -1444,12 +1444,16 @@ static void zram_meta_free(struct zram *zram, u64 disksize) size_t num_pages = disksize >> PAGE_SHIFT; size_t index; + if (!zram->table) + return; + /* Free all pages that are still in this zram device */ for (index = 0; index < num_pages; index++) zram_free_page(zram, index); zs_destroy_pool(zram->mem_pool); vfree(zram->table); + zram->table = NULL; } static bool zram_meta_alloc(struct zram *zram, u64 disksize) @@ -2326,11 +2330,6 @@ static void zram_reset_device(struct zram *zram) zram->limit_pages = 0; - if (!init_done(zram)) { - up_write(&zram->init_lock); - return; - } - set_capacity_and_notify(zram->disk, 0); part_stat_set_all(zram->disk->part0, 0);

10 months, 2 weeks

1
0
0 0

Re: [PATCH net] mptcp: fix TCP options overflow.

by Matthieu Baerts

Hi Paolo, On 21/12/2024 09:51, Paolo Abeni wrote: > Syzbot reported the following splat: (...) > Eric noted a probable shinfo->nr_frags corruption, which indeed > occurs. > > The root cause is a buggy MPTCP option len computation in some > circumstances: the ADD_ADDR option should be mutually exclusive > with DSS since the blamed commit. > > Still, mptcp_established_options_add_addr() tries to set the > relevant info in mptcp_out_options, if the remaining space is > large enough even when DSS is present. > > Since the ADD_ADDR infos and the DSS share the same union > fields, adding first corrupts the latter. In the worst-case > scenario, such corruption increases the DSS binary layout, > exceeding the computed length and possibly overwriting the > skb shared info. > > Address the issue by enforcing mutual exclusion in > mptcp_established_options_add_addr(), too. Thank you for the investigation and the fix, it looks good to me: Reviewed-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> > Reported-by: syzbot+38a095a81f30d82884c1(a)syzkaller.appspotmail.com If you don't mind, can you please add these two tags when applying the patches to help to track the backports? Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/538 Cc: stable(a)vger.kernel.org > Fixes: 1bff1e43a30e ("mptcp: optimize out option generation") > Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Cheers, Matt -- Sponsored by the NGI0 Core fund.

10 months, 2 weeks

2
1
0 0

[PATCH] mm: zswap: fix race between [de]compression and CPU hotunplug

by Yosry Ahmed

In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the current CPU at the beginning of the operation is retrieved and used throughout. However, since neither preemption nor migration are disabled, it is possible that the operation continues on a different CPU. If the original CPU is hotunplugged while the acomp_ctx is still in use, we run into a UAF bug as the resources attached to the acomp_ctx are freed during hotunplug in zswap_cpu_comp_dead(). The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration") when the switch to the crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was retrieved using get_cpu_ptr() which disables preemption and makes sure the CPU cannot go away from under us. Preemption cannot be disabled with the crypto_acomp API as a sleepable context is needed. Commit 8ba2f844f050 ("mm/zswap: change per-cpu mutex and buffer to per-acomp_ctx") increased the UAF surface area by making the per-CPU buffers dynamic, adding yet another resource that can be freed from under zswap compression/decompression by CPU hotunplug. There are a few ways to fix this: (a) Add a refcount for acomp_ctx. (b) Disable migration while using the per-CPU acomp_ctx. (c) Disable CPU hotunplug while using the per-CPU acomp_ctx by holding the CPUs read lock. Implement (c) since it's simpler than (a), and (b) involves using migrate_disable() which is apparently undesired (see huge comment in include/linux/preempt.h). Fixes: 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration") Reported-by: Johannes Weiner <hannes(a)cmpxchg.org> Closes: https://lore.kernel.org/lkml/20241113213007.GB1564047@cmpxchg.org/ Reported-by: Sam Sun <samsun1006219(a)gmail.com> Closes: https://lore.kernel.org/lkml/CAEkJfYMtSdM5HceNsXUDf5haghD5+o2e7Qv4OcuruL4tP… Cc: <stable(a)vger.kernel.org> Signed-off-by: Yosry Ahmed <yosryahmed(a)google.com> --- mm/zswap.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/mm/zswap.c b/mm/zswap.c index f6316b66fb236..5a27af8d86ea9 100644 --- a/mm/zswap.c +++ b/mm/zswap.c @@ -880,6 +880,18 @@ static int zswap_cpu_comp_dead(unsigned int cpu, struct hlist_node *node) return 0; } +/* Prevent CPU hotplug from freeing up the per-CPU acomp_ctx resources */ +static struct crypto_acomp_ctx *acomp_ctx_get_cpu(struct crypto_acomp_ctx __percpu *acomp_ctx) +{ + cpus_read_lock(); + return raw_cpu_ptr(acomp_ctx); +} + +static void acomp_ctx_put_cpu(void) +{ + cpus_read_unlock(); +} + static bool zswap_compress(struct page *page, struct zswap_entry *entry, struct zswap_pool *pool) { @@ -893,8 +905,7 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry, gfp_t gfp; u8 *dst; - acomp_ctx = raw_cpu_ptr(pool->acomp_ctx); - + acomp_ctx = acomp_ctx_get_cpu(pool->acomp_ctx); mutex_lock(&acomp_ctx->mutex); dst = acomp_ctx->buffer; @@ -950,6 +961,7 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry, zswap_reject_alloc_fail++; mutex_unlock(&acomp_ctx->mutex); + acomp_ctx_put_cpu(); return comp_ret == 0 && alloc_ret == 0; } @@ -960,7 +972,7 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio) struct crypto_acomp_ctx *acomp_ctx; u8 *src; - acomp_ctx = raw_cpu_ptr(entry->pool->acomp_ctx); + acomp_ctx = acomp_ctx_get_cpu(entry->pool->acomp_ctx); mutex_lock(&acomp_ctx->mutex); src = zpool_map_handle(zpool, entry->handle, ZPOOL_MM_RO); @@ -990,6 +1002,7 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio) if (src != acomp_ctx->buffer) zpool_unmap_handle(zpool, entry->handle); + acomp_ctx_put_cpu(); } /********************************* -- 2.47.1.613.gc27f4b7a9f-goog

10 months, 2 weeks

4
3
0 0

[PATCH 2/2] mm/damon/core: fix ignored quota goals and filters of newly committed schemes

by SeongJae Park

damon_commit_schemes() ignores quota goals and filters of the newly committed schemes. This makes users confused about the behaviors. Correctly handle those inputs. Fixes: 9cb3d0b9dfce ("mm/damon/core: implement DAMON context commit function") Cc: <stable(a)vger.kernel.org> Signed-off-by: SeongJae Park <sj(a)kernel.org> --- mm/damon/core.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/mm/damon/core.c b/mm/damon/core.c index 931e8e4b1333..5192ee29f6cf 100644 --- a/mm/damon/core.c +++ b/mm/damon/core.c @@ -868,6 +868,11 @@ static int damon_commit_schemes(struct damon_ctx *dst, struct damon_ctx *src) NUMA_NO_NODE); if (!new_scheme) return -ENOMEM; + err = damos_commit(new_scheme, src_scheme); + if (err) { + damon_destroy_scheme(new_scheme); + return err; + } damon_add_scheme(dst, new_scheme); } return 0; -- 2.39.5

10 months, 2 weeks

1
0
0 0

[PATCH 1/2] mm/damon/core: fix new damon_target objects leaks on damon_commit_targets()

by SeongJae Park

When new DAMON targets are added via damon_commit_targets(), the newly created targets are not deallocated when updating the internal data (damon_commit_target()) is failed. Worse yet, even if the setup is successfully done, the new target is not linked to the context. Hence, the new targets are always leaked regardless of the internal data setup failure. Fix the leaks. Fixes: 9cb3d0b9dfce ("mm/damon/core: implement DAMON context commit function") Cc: <stable(a)vger.kernel.org> Signed-off-by: SeongJae Park <sj(a)kernel.org> --- mm/damon/core.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mm/damon/core.c b/mm/damon/core.c index a71703e05300..931e8e4b1333 100644 --- a/mm/damon/core.c +++ b/mm/damon/core.c @@ -961,8 +961,11 @@ static int damon_commit_targets( return -ENOMEM; err = damon_commit_target(new_target, false, src_target, damon_target_has_pid(src)); - if (err) + if (err) { + damon_destroy_target(new_target); return err; + } + damon_add_target(dst, new_target); } return 0; } -- 2.39.5

10 months, 2 weeks

1
0
0 0

netfilter regression on aarch64 16k page size

by Amby ＠ Hyperbeam

Greetings, We are seeing a regression in 6.6.66 which I have narrowed down to this commit: stable: 86c27603514cb8ead29857365cdd145404ee9706 upstream: 7ffc7481153bbabf3332c6a19b289730c7e1edf5 Kernel version: 6.6.66 on aarch64 with 16k page size Last known good version: 6.6.65 Steps to repro: - run a 16k page size kernel (check with getconf PAGESIZE) - try to load an nftables config file on the problem Expected: - no errors Actual: - system enters a broken state, with the following trace in dmesg: [ 40.939230] Unable to handle kernel paging request at virtual address ffff00015ad7e4cc [ 40.939841] Mem abort info: [ 40.940079] ESR = 0x0000000096000021 [ 40.940389] EC = 0x25: DABT (current EL), IL = 32 bits [ 40.940820] SET = 0, FnV = 0 [ 40.941042] EA = 0, S1PTW = 0 [ 40.941289] FSC = 0x21: alignment fault [ 40.941570] Data abort info: [ 40.941805] ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000 [ 40.942229] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 40.942857] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 40.943313] swapper pgtable: 16k pages, 48-bit VAs, pgdp=00000000474f0000 [ 40.943865] [ffff00015ad7e4cc] pgd=180000043f7e8003, p4d=180000043f7e8003, pud=180000043f7e4003, pmd=180000043f52c003, pte=006800019ad7cf07 [ 40.945664] Internal error: Oops: 0000000096000021 [#1] SMP [ 40.946055] Modules linked in: zstd zram zsmalloc nf_log_syslog nft_log nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables crct10dif_ce polyval_ce polyval_generic ghash_ce tcp_bbr sch_fq fuse nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock bpf_preload qemu_fw_cfg ip_tables squashfs virtio_net net_failover virtio_blk gpio_keys failover virtio_mmio virtio_scsi virtio_console virtio_balloon virtio_gpu virtio_dma_buf megaraid_sas [ 40.950262] CPU: 7 PID: 116 Comm: kworker/7:1 Not tainted 6.6.67-1-lts #1 [ 40.951542] Hardware name: netcup KVM Server, BIOS VPS 2000 ARM G11 08/07/2024 [ 40.952287] Workqueue: events_power_efficient nft_rhash_gc [nf_tables] [ 40.952798] pstate: 20401005 (nzCv daif +PAN -UAO -TCO -DIT +SSBS BTYPE=--) [ 40.953401] pc : nft_rhash_gc+0x208/0x2c0 [nf_tables] [ 40.954054] lr : nft_rhash_gc+0x134/0x2c0 [nf_tables] [ 40.954806] sp : ffff800081fb3cf0 [ 40.955138] x29: ffff800081fb3d50 x28: 0000000000000000 x27: 0000000000000000 [ 40.955974] x26: ffff0000cc760ef0 x25: ffff0000ccba9c80 x24: ffff0000cc758f78 [ 40.956750] x23: 0000000000000010 x22: ffff0000ca789000 x21: ffff0000cc760f78 [ 40.957455] x20: ffffd62d3ac3be40 x19: ffff00015ad7e4c0 x18: 0000000000000000 [ 40.959005] x17: 0000000000000000 x16: ffffd62d37926880 x15: 000000400002fef8 [ 40.959614] x14: ffffffffffffffff x13: 0000000000000030 x12: ffff0000cc760ef0 [ 40.960197] x11: 0000000000000000 x10: ffff800081fb3d08 x9 : ffff0000cba89fe0 [ 40.960739] x8 : 0000000000000003 x7 : 0000000000000000 x6 : 0000000000000000 [ 40.961287] x5 : 0000000000000040 x4 : ffff0000cba89ff0 x3 : ffff00015ad7e4c0 [ 40.961814] x2 : ffff00015ad7e4cc x1 : ffff00015ad7e4cc x0 : 0000000000000004 [ 40.962339] Call trace: [ 40.962531] nft_rhash_gc+0x208/0x2c0 [nf_tables] [ 40.962911] process_one_work+0x178/0x3e0 [ 40.963710] worker_thread+0x2ac/0x3e0 [ 40.964530] kthread+0xf0/0x108 [ 40.966259] ret_from_fork+0x10/0x20 [ 40.967287] Code: 54fff9a4 d503201f d2800080 91003261 (f820303f) [ 40.968245] ---[ end trace 0000000000000000 ]--- faddr2line gave me the following: nft_rhash_gc+0x208/0x2c0: __lse_atomic64_or at /root/gg/setup/linux-lts/src/linux-6.6.67/./arch/arm64/include/asm/atomic_lse.h:132 (inlined by) arch_atomic64_or at /root/gg/setup/linux-lts/src/linux-6.6.67/./arch/arm64/include/asm/atomic.h:65 (inlined by) raw_atomic64_or at /root/gg/setup/linux-lts/src/linux-6.6.67/./include/linux/atomic/atomic-arch-fallback.h:3771 (inlined by) raw_atomic_long_or at /root/gg/setup/linux-lts/src/linux-6.6.67/./include/linux/atomic/atomic-long.h:1069 (inlined by) arch_set_bit at /root/gg/setup/linux-lts/src/linux-6.6.67/./include/asm-generic/bitops/atomic.h:18 (inlined by) set_bit at /root/gg/setup/linux-lts/src/linux-6.6.67/./include/asm-generic/bitops/instrumented-atomic.h:29 (inlined by) nft_set_elem_dead at /root/gg/setup/linux-lts/src/linux-6.6.67/./include/net/netfilter/nf_tables.h:1576 (inlined by) nft_rhash_gc at /root/gg/setup/linux-lts/src/linux-6.6.67/net/netfilter/nft_set_hash.c:375 By looking at the diff between 6.6.65 and 6.6.66 I was able to narrow it down to the above commit and I can confirm that reverting it fixes the issue. Best -- Amby Balaji Co-founder & CTO Hyperbeam, Inc.

10 months, 2 weeks

2
5
0 0

[PATCH 1/2] fs/proc: do_task_stat: Fix ESP not readable during coredump

by Nam Cao

Commit 0a1eb2d474ed ("fs/proc: Stop reporting eip and esp in /proc/PID/stat") disabled stack pointer reading, because it is generally dangerous to do so. Commit fd7d56270b52 ("fs/proc: Report eip/esp in /prod/PID/stat for coredumping") made an exception for coredumping thread, because for this case it is safe. The exception was later extended to all threads in a coredumping process by commit cb8f381f1613 ("fs/proc/array.c: allow reporting eip/esp for all coredumping threads"). The above two commits determine if a task is core dumping by checking the PF_EXITING and PF_DUMPCORE flags. However, commit 92307383082d ("coredump: Don't perform any cleanups before dumping core") moved coredump to happen earlier and before PF_EXITING is set. Thus, the check of the PF_EXITING flag no longer works. Instead, use task->signal->core_state to determine if coredump is happening. This pointer is set at the beginning of coredump and is cleared once coredump is done. Thus, while this pointer is not NULL, it is safe to read ESP. Fixes: 92307383082d ("coredump: Don't perform any cleanups before dumping core") Signed-off-by: Nam Cao <namcao(a)linutronix.de> Cc: <stable(a)vger.kernel.org> Cc: Eric W. Biederman <ebiederm(a)xmission.com> --- fs/proc/array.c | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/fs/proc/array.c b/fs/proc/array.c index 34a47fb0c57f..2f1dbfcf143d 100644 --- a/fs/proc/array.c +++ b/fs/proc/array.c @@ -489,25 +489,8 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, vsize = eip = esp = 0; permitted = ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS | PTRACE_MODE_NOAUDIT); mm = get_task_mm(task); - if (mm) { + if (mm) vsize = task_vsize(mm); - /* - * esp and eip are intentionally zeroed out. There is no - * non-racy way to read them without freezing the task. - * Programs that need reliable values can use ptrace(2). - * - * The only exception is if the task is core dumping because - * a program is not able to use ptrace(2) in that case. It is - * safe because the task has stopped executing permanently. - */ - if (permitted && (task->flags & (PF_EXITING|PF_DUMPCORE))) { - if (try_get_task_stack(task)) { - eip = KSTK_EIP(task); - esp = KSTK_ESP(task); - put_task_stack(task); - } - } - } sigemptyset(&sigign); sigemptyset(&sigcatch); @@ -534,6 +517,23 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, ppid = task_tgid_nr_ns(task->real_parent, ns); pgid = task_pgrp_nr_ns(task, ns); + /* + * esp and eip are intentionally zeroed out. There is no + * non-racy way to read them without freezing the task. + * Programs that need reliable values can use ptrace(2). + * + * The only exception is if the task is core dumping because + * a program is not able to use ptrace(2) in that case. It is + * safe because the task has stopped executing permanently. + */ + if (permitted && task->signal->core_state) { + if (try_get_task_stack(task)) { + eip = KSTK_EIP(task); + esp = KSTK_ESP(task); + put_task_stack(task); + } + } + unlock_task_sighand(task, &flags); } -- 2.39.5

10 months, 2 weeks

4
6
0 0

[PATCH v2, 2/2] usb: typec: tcpm: fix the sender response time issue

by joswang

From: Jos Wang <joswang(a)lenovo.com> According to the USB PD3 CTS specification (https://usb.org/document-library/ usb-power-delivery-compliance-test-specification-0/ USB_PD3_CTS_Q4_2024_OR.zip), the requirements for tSenderResponse are different in PD2 and PD3 modes, see Table 19 Timing Table & Calculations. For PD2 mode, the tSenderResponse min 24ms and max 30ms; for PD3 mode, the tSenderResponse min 27ms and max 33ms. For the "TEST.PD.PROT.SRC.2 Get_Source_Cap No Request" test item, after receiving the Source_Capabilities Message sent by the UUT, the tester deliberately does not send a Request Message in order to force the SenderResponse timer on the Source UUT to timeout. The Tester checks that a Hard Reset is detected between tSenderResponse min and max，the delay is between the last bit of the GoodCRC Message EOP has been sent and the first bit of Hard Reset SOP has been received. The current code does not distinguish between PD2 and PD3 modes, and tSenderResponse defaults to 60ms. This will cause this test item and the following tests to fail: TEST.PD.PROT.SRC3.2 SenderResponseTimer Timeout TEST.PD.PROT.SNK.6 SenderResponseTimer Timeout Considering factors such as SOC performance, i2c rate, and the speed of PD chip sending data, "pd2-sender-response-time-ms" and "pd3-sender-response-time-ms" DT time properties are added to allow users to define platform timing. For values that have not been explicitly defined in DT using this property, a default value of 27ms for PD2 tSenderResponse and 30ms for PD3 tSenderResponse is set. Fixes: 2eadc33f40d4 ("typec: tcpm: Add core support for sink side PPS") Cc: stable(a)vger.kernel.org Signed-off-by: Jos Wang <joswang(a)lenovo.com> --- v1 -> v2: - modify the commit message - patch 1/2 and patch 2/2 are placed in the same thread drivers/usb/typec/tcpm/tcpm.c | 50 +++++++++++++++++++++++------------ include/linux/usb/pd.h | 3 ++- 2 files changed, 35 insertions(+), 18 deletions(-) diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c index 6021eeb903fe..3a159bfcf382 100644 --- a/drivers/usb/typec/tcpm/tcpm.c +++ b/drivers/usb/typec/tcpm/tcpm.c @@ -314,12 +314,16 @@ struct pd_data { * @sink_wait_cap_time: Deadline (in ms) for tTypeCSinkWaitCap timer * @ps_src_wait_off_time: Deadline (in ms) for tPSSourceOff timer * @cc_debounce_time: Deadline (in ms) for tCCDebounce timer + * @pd2_sender_response_time: Deadline (in ms) for pd20 tSenderResponse timer + * @pd3_sender_response_time: Deadline (in ms) for pd30 tSenderResponse timer */ struct pd_timings { u32 sink_wait_cap_time; u32 ps_src_off_time; u32 cc_debounce_time; u32 snk_bc12_cmpletion_time; + u32 pd2_sender_response_time; + u32 pd3_sender_response_time; }; struct tcpm_port { @@ -3776,7 +3780,9 @@ static bool tcpm_send_queued_message(struct tcpm_port *port) } else if (port->pwr_role == TYPEC_SOURCE) { tcpm_ams_finish(port); tcpm_set_state(port, HARD_RESET_SEND, - PD_T_SENDER_RESPONSE); + port->negotiated_rev >= PD_REV30 ? + port->timings.pd3_sender_response_time : + port->timings.pd2_sender_response_time); } else { tcpm_ams_finish(port); } @@ -4619,6 +4625,9 @@ static void run_state_machine(struct tcpm_port *port) enum typec_pwr_opmode opmode; unsigned int msecs; enum tcpm_state upcoming_state; + u32 sender_response_time = port->negotiated_rev >= PD_REV30 ? + port->timings.pd3_sender_response_time : + port->timings.pd2_sender_response_time; if (port->tcpc->check_contaminant && port->state != CHECK_CONTAMINANT) port->potential_contaminant = ((port->enter_state == SRC_ATTACH_WAIT && @@ -5113,7 +5122,7 @@ static void run_state_machine(struct tcpm_port *port) tcpm_set_state(port, SNK_WAIT_CAPABILITIES, 0); } else { tcpm_set_state_cond(port, hard_reset_state(port), - PD_T_SENDER_RESPONSE); + sender_response_time); } break; case SNK_NEGOTIATE_PPS_CAPABILITIES: @@ -5135,7 +5144,7 @@ static void run_state_machine(struct tcpm_port *port) tcpm_set_state(port, SNK_READY, 0); } else { tcpm_set_state_cond(port, hard_reset_state(port), - PD_T_SENDER_RESPONSE); + sender_response_time); } break; case SNK_TRANSITION_SINK: @@ -5387,7 +5396,7 @@ static void run_state_machine(struct tcpm_port *port) port->message_id_prime = 0; port->rx_msgid_prime = -1; tcpm_pd_send_control(port, PD_CTRL_SOFT_RESET, TCPC_TX_SOP_PRIME); - tcpm_set_state_cond(port, ready_state(port), PD_T_SENDER_RESPONSE); + tcpm_set_state_cond(port, ready_state(port), sender_response_time); } else { port->message_id = 0; port->rx_msgid = -1; @@ -5398,7 +5407,7 @@ static void run_state_machine(struct tcpm_port *port) tcpm_set_state_cond(port, hard_reset_state(port), 0); else tcpm_set_state_cond(port, hard_reset_state(port), - PD_T_SENDER_RESPONSE); + sender_response_time); } break; @@ -5409,8 +5418,7 @@ static void run_state_machine(struct tcpm_port *port) port->send_discover = true; port->send_discover_prime = false; } - tcpm_set_state_cond(port, DR_SWAP_SEND_TIMEOUT, - PD_T_SENDER_RESPONSE); + tcpm_set_state_cond(port, DR_SWAP_SEND_TIMEOUT, sender_response_time); break; case DR_SWAP_ACCEPT: tcpm_pd_send_control(port, PD_CTRL_ACCEPT, TCPC_TX_SOP); @@ -5444,7 +5452,7 @@ static void run_state_machine(struct tcpm_port *port) tcpm_set_state(port, ERROR_RECOVERY, 0); break; } - tcpm_set_state_cond(port, FR_SWAP_SEND_TIMEOUT, PD_T_SENDER_RESPONSE); + tcpm_set_state_cond(port, FR_SWAP_SEND_TIMEOUT, sender_response_time); break; case FR_SWAP_SEND_TIMEOUT: tcpm_set_state(port, ERROR_RECOVERY, 0); @@ -5475,8 +5483,7 @@ static void run_state_machine(struct tcpm_port *port) break; case PR_SWAP_SEND: tcpm_pd_send_control(port, PD_CTRL_PR_SWAP, TCPC_TX_SOP); - tcpm_set_state_cond(port, PR_SWAP_SEND_TIMEOUT, - PD_T_SENDER_RESPONSE); + tcpm_set_state_cond(port, PR_SWAP_SEND_TIMEOUT, sender_response_time); break; case PR_SWAP_SEND_TIMEOUT: tcpm_swap_complete(port, -ETIMEDOUT); @@ -5574,8 +5581,7 @@ static void run_state_machine(struct tcpm_port *port) break; case VCONN_SWAP_SEND: tcpm_pd_send_control(port, PD_CTRL_VCONN_SWAP, TCPC_TX_SOP); - tcpm_set_state(port, VCONN_SWAP_SEND_TIMEOUT, - PD_T_SENDER_RESPONSE); + tcpm_set_state(port, VCONN_SWAP_SEND_TIMEOUT, sender_response_time); break; case VCONN_SWAP_SEND_TIMEOUT: tcpm_swap_complete(port, -ETIMEDOUT); @@ -5656,23 +5662,21 @@ static void run_state_machine(struct tcpm_port *port) break; case GET_STATUS_SEND: tcpm_pd_send_control(port, PD_CTRL_GET_STATUS, TCPC_TX_SOP); - tcpm_set_state(port, GET_STATUS_SEND_TIMEOUT, - PD_T_SENDER_RESPONSE); + tcpm_set_state(port, GET_STATUS_SEND_TIMEOUT, sender_response_time); break; case GET_STATUS_SEND_TIMEOUT: tcpm_set_state(port, ready_state(port), 0); break; case GET_PPS_STATUS_SEND: tcpm_pd_send_control(port, PD_CTRL_GET_PPS_STATUS, TCPC_TX_SOP); - tcpm_set_state(port, GET_PPS_STATUS_SEND_TIMEOUT, - PD_T_SENDER_RESPONSE); + tcpm_set_state(port, GET_PPS_STATUS_SEND_TIMEOUT, sender_response_time); break; case GET_PPS_STATUS_SEND_TIMEOUT: tcpm_set_state(port, ready_state(port), 0); break; case GET_SINK_CAP: tcpm_pd_send_control(port, PD_CTRL_GET_SINK_CAP, TCPC_TX_SOP); - tcpm_set_state(port, GET_SINK_CAP_TIMEOUT, PD_T_SENDER_RESPONSE); + tcpm_set_state(port, GET_SINK_CAP_TIMEOUT, sender_response_time); break; case GET_SINK_CAP_TIMEOUT: port->sink_cap_done = true; @@ -7109,6 +7113,18 @@ static void tcpm_fw_get_timings(struct tcpm_port *port, struct fwnode_handle *fw ret = fwnode_property_read_u32(fwnode, "sink-bc12-completion-time-ms", &val); if (!ret) port->timings.snk_bc12_cmpletion_time = val; + + ret = fwnode_property_read_u32(fwnode, "pd2-sender-response-time-ms", &val); + if (!ret) + port->timings.pd2_sender_response_time = val; + else + port->timings.pd2_sender_response_time = PD_T_PD2_SENDER_RESPONSE; + + ret = fwnode_property_read_u32(fwnode, "pd3-sender-response-time-ms", &val); + if (!ret) + port->timings.pd3_sender_response_time = val; + else + port->timings.pd3_sender_response_time = PD_T_PD3_SENDER_RESPONSE; } static int tcpm_fw_get_caps(struct tcpm_port *port, struct fwnode_handle *fwnode) diff --git a/include/linux/usb/pd.h b/include/linux/usb/pd.h index d50098fb16b5..9c599e851b9a 100644 --- a/include/linux/usb/pd.h +++ b/include/linux/usb/pd.h @@ -457,7 +457,6 @@ static inline unsigned int rdo_max_power(u32 rdo) #define PD_T_NO_RESPONSE 5000 /* 4.5 - 5.5 seconds */ #define PD_T_DB_DETECT 10000 /* 10 - 15 seconds */ #define PD_T_SEND_SOURCE_CAP 150 /* 100 - 200 ms */ -#define PD_T_SENDER_RESPONSE 60 /* 24 - 30 ms, relaxed */ #define PD_T_RECEIVER_RESPONSE 15 /* 15ms max */ #define PD_T_SOURCE_ACTIVITY 45 #define PD_T_SINK_ACTIVITY 135 @@ -491,6 +490,8 @@ static inline unsigned int rdo_max_power(u32 rdo) #define PD_T_CC_DEBOUNCE 200 /* 100 - 200 ms */ #define PD_T_PD_DEBOUNCE 20 /* 10 - 20 ms */ #define PD_T_TRY_CC_DEBOUNCE 15 /* 10 - 20 ms */ +#define PD_T_PD2_SENDER_RESPONSE 27 /* PD20 spec 24 - 30 ms */ +#define PD_T_PD3_SENDER_RESPONSE 30 /* PD30 spec 27 - 33 ms */ #define PD_N_CAPS_COUNT (PD_T_NO_RESPONSE / PD_T_SEND_SOURCE_CAP) #define PD_N_HARD_RESET_COUNT 2 -- 2.17.1

10 months, 2 weeks

1
0
0 0

[PATCH v2] tty: Permit some TIOCL_SETSEL modes without CAP_SYS_ADMIN

by Günther Noack

With this, processes without CAP_SYS_ADMIN are able to use TIOCLINUX with subcode TIOCL_SETSEL, in the selection modes TIOCL_SETPOINTER, TIOCL_SELCLEAR and TIOCL_SELMOUSEREPORT. TIOCL_SETSEL was previously changed to require CAP_SYS_ADMIN, as this IOCTL let callers change the selection buffer and could be used to simulate keypresses. These three TIOCL_SETSEL selection modes, however, are safe to use, as they do not modify the selection buffer. This fixes a mouse support regression that affected Emacs (invisible mouse cursor). Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/ee3ec63269b43b34e1c90dd8c9743bf8@finder.org Fixes: 8d1b43f6a6df ("tty: Restrict access to TIOCLINUX' copy-and-paste subcommands") Signed-off-by: Günther Noack <gnoack(a)google.com> --- drivers/tty/vt/selection.c | 14 ++++++++++++++ drivers/tty/vt/vt.c | 2 -- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/drivers/tty/vt/selection.c b/drivers/tty/vt/selection.c index 564341f1a74f..0bd6544e30a6 100644 --- a/drivers/tty/vt/selection.c +++ b/drivers/tty/vt/selection.c @@ -192,6 +192,20 @@ int set_selection_user(const struct tiocl_selection __user *sel, if (copy_from_user(&v, sel, sizeof(*sel))) return -EFAULT; + /* + * TIOCL_SELCLEAR, TIOCL_SELPOINTER and TIOCL_SELMOUSEREPORT are OK to + * use without CAP_SYS_ADMIN as they do not modify the selection. + */ + switch (v.sel_mode) { + case TIOCL_SELCLEAR: + case TIOCL_SELPOINTER: + case TIOCL_SELMOUSEREPORT: + break; + default: + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; + } + return set_selection_kernel(&v, tty); } diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c index 96842ce817af..be5564ed8c01 100644 --- a/drivers/tty/vt/vt.c +++ b/drivers/tty/vt/vt.c @@ -3345,8 +3345,6 @@ int tioclinux(struct tty_struct *tty, unsigned long arg) switch (type) { case TIOCL_SETSEL: - if (!capable(CAP_SYS_ADMIN)) - return -EPERM; return set_selection_user(param, tty); case TIOCL_PASTESEL: if (!capable(CAP_SYS_ADMIN)) -- 2.47.1.613.gc27f4b7a9f-goog

10 months, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] drm/amdgpu: Handle NULL bo->tbo.resource (again) in" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 85230ee36d88e7a09fb062d43203035659dd10a5 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122231-punk-caption-dc11@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 85230ee36d88e7a09fb062d43203035659dd10a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <mdaenzer(a)redhat.com> Date: Tue, 17 Dec 2024 18:22:56 +0100 Subject: [PATCH] drm/amdgpu: Handle NULL bo->tbo.resource (again) in amdgpu_vm_bo_update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Third time's the charm, I hope? Fixes: d3116756a710 ("drm/ttm: rename bo->mem and make it a pointer") Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3837 Reviewed-by: Christian König <christian.koenig(a)amd.com> Signed-off-by: Michel Dänzer <mdaenzer(a)redhat.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit 695c2c745e5dff201b75da8a1d237ce403600d04) Cc: stable(a)vger.kernel.org diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c index ddd7f05e4db9..c9c48b782ec1 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c @@ -1266,10 +1266,9 @@ int amdgpu_vm_bo_update(struct amdgpu_device *adev, struct amdgpu_bo_va *bo_va, * next command submission. */ if (amdgpu_vm_is_bo_always_valid(vm, bo)) { - uint32_t mem_type = bo->tbo.resource->mem_type; - - if (!(bo->preferred_domains & - amdgpu_mem_type_to_domain(mem_type))) + if (bo->tbo.resource && + !(bo->preferred_domains & + amdgpu_mem_type_to_domain(bo->tbo.resource->mem_type))) amdgpu_vm_bo_evicted(&bo_va->base); else amdgpu_vm_bo_idle(&bo_va->base);

10 months, 2 weeks

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror