- Linux-stable-mirror - lists.linaro.org

[PATCH AUTOSEL 6.12 01/10] ksmbd: allow a filename to contain special characters on SMB3.1.1 posix extension

by Sasha Levin

From: Namjae Jeon <linkinjeon(a)kernel.org> [ Upstream commit dc3e0f17f74558e8a2fce00608855f050de10230 ] If client send SMB2_CREATE_POSIX_CONTEXT to ksmbd, Allow a filename to contain special characters. Reported-by: Philipp Kerling <pkerling(a)casix.org> Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- Based on my analysis of both the commit message and code changes, examining the Linux kernel repository context: **YES** This commit should be backported to stable kernel trees. Here's my extensive analysis: ## Nature of the Change This is a **legitimate bug fix** that addresses a functional issue where SMB3.1.1 POSIX extension clients cannot create files with characters that are valid in POSIX filesystems but blocked by ksmbd's Windows- centric filename validation. ## Code Analysis ### Key Changes: 1. **Early POSIX context detection** (lines 2906-2925): The code now checks for SMB2_CREATE_POSIX_CONTEXT early in the function 2. **Conditional validation bypass**: The critical change at lines 3161-3164 where `ksmbd_validate_filename(name)` is only called when `posix_ctxt == false` 3. **Structural improvement**: Moving POSIX context parsing before filename validation, which is the logical order ### What Gets Bypassed: The `ksmbd_validate_filename()` function normally blocks characters like `"`, `<`, `>`, `|`, `?`, `*`, and control characters. For POSIX extensions, these restrictions are inappropriate since POSIX filesystems can safely handle most of these characters. ## Security Assessment ### Low Security Risk: 1. **Limited Scope**: Only affects clients explicitly using SMB3.1.1 POSIX extensions (`tcon->posix_extensions` must be enabled) 2. **VFS Protection**: Linux VFS layer provides underlying security validation 3. **No Path Traversal**: Higher-level path validation still prevents `../` sequences 4. **Standards Compliance**: Aligns with Microsoft's SMB3.1.1 POSIX extension specification ### Justification for the Change: - **User Report**: Philipp Kerling reported this as a functional issue - **Interoperability**: Essential for proper POSIX-aware SMB client functionality - **Standards Adherence**: SMB3.1.1 POSIX extensions are designed to allow POSIX filename semantics ## Comparison with Similar Commits This follows the pattern of other backported ksmbd commits: - **Similar to Commit #4**: Another filename validation fix that was backported (moving leading slash check) - **Similar scope**: Limited, well-contained change to specific subsystem - **Bug fix nature**: Addresses functional issue rather than adding new features ## Stable Tree Criteria Compliance ✅ **Fixes important bug**: Enables legitimate POSIX client functionality ✅ **Small and contained**: Changes only affect POSIX extension code path ✅ **Minimal regression risk**: Protected by existing VFS validation ✅ **Clear side effects**: Well-understood behavior change ✅ **No architectural changes**: Simple conditional logic modification ## Recommendation This commit represents a **low-risk bug fix** that enables proper SMB3.1.1 POSIX extension functionality without introducing significant security vulnerabilities. The change is well-scoped, addresses a legitimate user issue, and maintains appropriate security boundaries through existing VFS-level protections. fs/smb/server/smb2pdu.c | 53 +++++++++++++++++++++-------------------- 1 file changed, 27 insertions(+), 26 deletions(-) diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index 08d9a7cfba8cd..815ee5a74901e 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c @@ -2870,7 +2870,7 @@ int smb2_open(struct ksmbd_work *work) int req_op_level = 0, open_flags = 0, may_flags = 0, file_info = 0; int rc = 0; int contxt_cnt = 0, query_disk_id = 0; - int maximal_access_ctxt = 0, posix_ctxt = 0; + bool maximal_access_ctxt = false, posix_ctxt = false; int s_type = 0; int next_off = 0; char *name = NULL; @@ -2897,6 +2897,27 @@ int smb2_open(struct ksmbd_work *work) return create_smb2_pipe(work); } + if (req->CreateContextsOffset && tcon->posix_extensions) { + context = smb2_find_context_vals(req, SMB2_CREATE_TAG_POSIX, 16); + if (IS_ERR(context)) { + rc = PTR_ERR(context); + goto err_out2; + } else if (context) { + struct create_posix *posix = (struct create_posix *)context; + + if (le16_to_cpu(context->DataOffset) + + le32_to_cpu(context->DataLength) < + sizeof(struct create_posix) - 4) { + rc = -EINVAL; + goto err_out2; + } + ksmbd_debug(SMB, "get posix context\n"); + + posix_mode = le32_to_cpu(posix->Mode); + posix_ctxt = true; + } + } + if (req->NameLength) { name = smb2_get_name((char *)req + le16_to_cpu(req->NameOffset), le16_to_cpu(req->NameLength), @@ -2919,9 +2940,11 @@ int smb2_open(struct ksmbd_work *work) goto err_out2; } - rc = ksmbd_validate_filename(name); - if (rc < 0) - goto err_out2; + if (posix_ctxt == false) { + rc = ksmbd_validate_filename(name); + if (rc < 0) + goto err_out2; + } if (ksmbd_share_veto_filename(share, name)) { rc = -ENOENT; @@ -3079,28 +3102,6 @@ int smb2_open(struct ksmbd_work *work) rc = -EBADF; goto err_out2; } - - if (tcon->posix_extensions) { - context = smb2_find_context_vals(req, - SMB2_CREATE_TAG_POSIX, 16); - if (IS_ERR(context)) { - rc = PTR_ERR(context); - goto err_out2; - } else if (context) { - struct create_posix *posix = - (struct create_posix *)context; - if (le16_to_cpu(context->DataOffset) + - le32_to_cpu(context->DataLength) < - sizeof(struct create_posix) - 4) { - rc = -EINVAL; - goto err_out2; - } - ksmbd_debug(SMB, "get posix context\n"); - - posix_mode = le32_to_cpu(posix->Mode); - posix_ctxt = 1; - } - } } if (ksmbd_override_fsids(work)) { -- 2.39.5

4 weeks, 1 day

2
11
0 0

[PATCH AUTOSEL 6.6 1/8] ksmbd: allow a filename to contain special characters on SMB3.1.1 posix extension

by Sasha Levin

From: Namjae Jeon <linkinjeon(a)kernel.org> [ Upstream commit dc3e0f17f74558e8a2fce00608855f050de10230 ] If client send SMB2_CREATE_POSIX_CONTEXT to ksmbd, Allow a filename to contain special characters. Reported-by: Philipp Kerling <pkerling(a)casix.org> Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- Based on my analysis of both the commit message and code changes, examining the Linux kernel repository context: **YES** This commit should be backported to stable kernel trees. Here's my extensive analysis: ## Nature of the Change This is a **legitimate bug fix** that addresses a functional issue where SMB3.1.1 POSIX extension clients cannot create files with characters that are valid in POSIX filesystems but blocked by ksmbd's Windows- centric filename validation. ## Code Analysis ### Key Changes: 1. **Early POSIX context detection** (lines 2906-2925): The code now checks for SMB2_CREATE_POSIX_CONTEXT early in the function 2. **Conditional validation bypass**: The critical change at lines 3161-3164 where `ksmbd_validate_filename(name)` is only called when `posix_ctxt == false` 3. **Structural improvement**: Moving POSIX context parsing before filename validation, which is the logical order ### What Gets Bypassed: The `ksmbd_validate_filename()` function normally blocks characters like `"`, `<`, `>`, `|`, `?`, `*`, and control characters. For POSIX extensions, these restrictions are inappropriate since POSIX filesystems can safely handle most of these characters. ## Security Assessment ### Low Security Risk: 1. **Limited Scope**: Only affects clients explicitly using SMB3.1.1 POSIX extensions (`tcon->posix_extensions` must be enabled) 2. **VFS Protection**: Linux VFS layer provides underlying security validation 3. **No Path Traversal**: Higher-level path validation still prevents `../` sequences 4. **Standards Compliance**: Aligns with Microsoft's SMB3.1.1 POSIX extension specification ### Justification for the Change: - **User Report**: Philipp Kerling reported this as a functional issue - **Interoperability**: Essential for proper POSIX-aware SMB client functionality - **Standards Adherence**: SMB3.1.1 POSIX extensions are designed to allow POSIX filename semantics ## Comparison with Similar Commits This follows the pattern of other backported ksmbd commits: - **Similar to Commit #4**: Another filename validation fix that was backported (moving leading slash check) - **Similar scope**: Limited, well-contained change to specific subsystem - **Bug fix nature**: Addresses functional issue rather than adding new features ## Stable Tree Criteria Compliance ✅ **Fixes important bug**: Enables legitimate POSIX client functionality ✅ **Small and contained**: Changes only affect POSIX extension code path ✅ **Minimal regression risk**: Protected by existing VFS validation ✅ **Clear side effects**: Well-understood behavior change ✅ **No architectural changes**: Simple conditional logic modification ## Recommendation This commit represents a **low-risk bug fix** that enables proper SMB3.1.1 POSIX extension functionality without introducing significant security vulnerabilities. The change is well-scoped, addresses a legitimate user issue, and maintains appropriate security boundaries through existing VFS-level protections. fs/smb/server/smb2pdu.c | 53 +++++++++++++++++++++-------------------- 1 file changed, 27 insertions(+), 26 deletions(-) diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index 9bd817427a345..af360ba237a37 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c @@ -2861,7 +2861,7 @@ int smb2_open(struct ksmbd_work *work) int req_op_level = 0, open_flags = 0, may_flags = 0, file_info = 0; int rc = 0; int contxt_cnt = 0, query_disk_id = 0; - int maximal_access_ctxt = 0, posix_ctxt = 0; + bool maximal_access_ctxt = false, posix_ctxt = false; int s_type = 0; int next_off = 0; char *name = NULL; @@ -2888,6 +2888,27 @@ int smb2_open(struct ksmbd_work *work) return create_smb2_pipe(work); } + if (req->CreateContextsOffset && tcon->posix_extensions) { + context = smb2_find_context_vals(req, SMB2_CREATE_TAG_POSIX, 16); + if (IS_ERR(context)) { + rc = PTR_ERR(context); + goto err_out2; + } else if (context) { + struct create_posix *posix = (struct create_posix *)context; + + if (le16_to_cpu(context->DataOffset) + + le32_to_cpu(context->DataLength) < + sizeof(struct create_posix) - 4) { + rc = -EINVAL; + goto err_out2; + } + ksmbd_debug(SMB, "get posix context\n"); + + posix_mode = le32_to_cpu(posix->Mode); + posix_ctxt = true; + } + } + if (req->NameLength) { name = smb2_get_name((char *)req + le16_to_cpu(req->NameOffset), le16_to_cpu(req->NameLength), @@ -2910,9 +2931,11 @@ int smb2_open(struct ksmbd_work *work) goto err_out2; } - rc = ksmbd_validate_filename(name); - if (rc < 0) - goto err_out2; + if (posix_ctxt == false) { + rc = ksmbd_validate_filename(name); + if (rc < 0) + goto err_out2; + } if (ksmbd_share_veto_filename(share, name)) { rc = -ENOENT; @@ -3070,28 +3093,6 @@ int smb2_open(struct ksmbd_work *work) rc = -EBADF; goto err_out2; } - - if (tcon->posix_extensions) { - context = smb2_find_context_vals(req, - SMB2_CREATE_TAG_POSIX, 16); - if (IS_ERR(context)) { - rc = PTR_ERR(context); - goto err_out2; - } else if (context) { - struct create_posix *posix = - (struct create_posix *)context; - if (le16_to_cpu(context->DataOffset) + - le32_to_cpu(context->DataLength) < - sizeof(struct create_posix) - 4) { - rc = -EINVAL; - goto err_out2; - } - ksmbd_debug(SMB, "get posix context\n"); - - posix_mode = le32_to_cpu(posix->Mode); - posix_ctxt = 1; - } - } } if (ksmbd_override_fsids(work)) { -- 2.39.5

4 weeks, 1 day

2
8
0 0

[PATCH AUTOSEL 6.1 1/5] ksmbd: allow a filename to contain special characters on SMB3.1.1 posix extension

by Sasha Levin

From: Namjae Jeon <linkinjeon(a)kernel.org> [ Upstream commit dc3e0f17f74558e8a2fce00608855f050de10230 ] If client send SMB2_CREATE_POSIX_CONTEXT to ksmbd, Allow a filename to contain special characters. Reported-by: Philipp Kerling <pkerling(a)casix.org> Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- Based on my analysis of both the commit message and code changes, examining the Linux kernel repository context: **YES** This commit should be backported to stable kernel trees. Here's my extensive analysis: ## Nature of the Change This is a **legitimate bug fix** that addresses a functional issue where SMB3.1.1 POSIX extension clients cannot create files with characters that are valid in POSIX filesystems but blocked by ksmbd's Windows- centric filename validation. ## Code Analysis ### Key Changes: 1. **Early POSIX context detection** (lines 2906-2925): The code now checks for SMB2_CREATE_POSIX_CONTEXT early in the function 2. **Conditional validation bypass**: The critical change at lines 3161-3164 where `ksmbd_validate_filename(name)` is only called when `posix_ctxt == false` 3. **Structural improvement**: Moving POSIX context parsing before filename validation, which is the logical order ### What Gets Bypassed: The `ksmbd_validate_filename()` function normally blocks characters like `"`, `<`, `>`, `|`, `?`, `*`, and control characters. For POSIX extensions, these restrictions are inappropriate since POSIX filesystems can safely handle most of these characters. ## Security Assessment ### Low Security Risk: 1. **Limited Scope**: Only affects clients explicitly using SMB3.1.1 POSIX extensions (`tcon->posix_extensions` must be enabled) 2. **VFS Protection**: Linux VFS layer provides underlying security validation 3. **No Path Traversal**: Higher-level path validation still prevents `../` sequences 4. **Standards Compliance**: Aligns with Microsoft's SMB3.1.1 POSIX extension specification ### Justification for the Change: - **User Report**: Philipp Kerling reported this as a functional issue - **Interoperability**: Essential for proper POSIX-aware SMB client functionality - **Standards Adherence**: SMB3.1.1 POSIX extensions are designed to allow POSIX filename semantics ## Comparison with Similar Commits This follows the pattern of other backported ksmbd commits: - **Similar to Commit #4**: Another filename validation fix that was backported (moving leading slash check) - **Similar scope**: Limited, well-contained change to specific subsystem - **Bug fix nature**: Addresses functional issue rather than adding new features ## Stable Tree Criteria Compliance ✅ **Fixes important bug**: Enables legitimate POSIX client functionality ✅ **Small and contained**: Changes only affect POSIX extension code path ✅ **Minimal regression risk**: Protected by existing VFS validation ✅ **Clear side effects**: Well-understood behavior change ✅ **No architectural changes**: Simple conditional logic modification ## Recommendation This commit represents a **low-risk bug fix** that enables proper SMB3.1.1 POSIX extension functionality without introducing significant security vulnerabilities. The change is well-scoped, addresses a legitimate user issue, and maintains appropriate security boundaries through existing VFS-level protections. fs/smb/server/smb2pdu.c | 53 +++++++++++++++++++++-------------------- 1 file changed, 27 insertions(+), 26 deletions(-) diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index 9b1ba4aedbce7..c591255335058 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c @@ -2685,7 +2685,7 @@ int smb2_open(struct ksmbd_work *work) int req_op_level = 0, open_flags = 0, may_flags = 0, file_info = 0; int rc = 0; int contxt_cnt = 0, query_disk_id = 0; - int maximal_access_ctxt = 0, posix_ctxt = 0; + bool maximal_access_ctxt = false, posix_ctxt = false; int s_type = 0; int next_off = 0; char *name = NULL; @@ -2712,6 +2712,27 @@ int smb2_open(struct ksmbd_work *work) return create_smb2_pipe(work); } + if (req->CreateContextsOffset && tcon->posix_extensions) { + context = smb2_find_context_vals(req, SMB2_CREATE_TAG_POSIX, 16); + if (IS_ERR(context)) { + rc = PTR_ERR(context); + goto err_out2; + } else if (context) { + struct create_posix *posix = (struct create_posix *)context; + + if (le16_to_cpu(context->DataOffset) + + le32_to_cpu(context->DataLength) < + sizeof(struct create_posix) - 4) { + rc = -EINVAL; + goto err_out2; + } + ksmbd_debug(SMB, "get posix context\n"); + + posix_mode = le32_to_cpu(posix->Mode); + posix_ctxt = true; + } + } + if (req->NameLength) { if ((req->CreateOptions & FILE_DIRECTORY_FILE_LE) && *(char *)req->Buffer == '\\') { @@ -2743,9 +2764,11 @@ int smb2_open(struct ksmbd_work *work) goto err_out2; } - rc = ksmbd_validate_filename(name); - if (rc < 0) - goto err_out2; + if (posix_ctxt == false) { + rc = ksmbd_validate_filename(name); + if (rc < 0) + goto err_out2; + } if (ksmbd_share_veto_filename(share, name)) { rc = -ENOENT; @@ -2860,28 +2883,6 @@ int smb2_open(struct ksmbd_work *work) rc = -EBADF; goto err_out2; } - - if (tcon->posix_extensions) { - context = smb2_find_context_vals(req, - SMB2_CREATE_TAG_POSIX, 16); - if (IS_ERR(context)) { - rc = PTR_ERR(context); - goto err_out2; - } else if (context) { - struct create_posix *posix = - (struct create_posix *)context; - if (le16_to_cpu(context->DataOffset) + - le32_to_cpu(context->DataLength) < - sizeof(struct create_posix) - 4) { - rc = -EINVAL; - goto err_out2; - } - ksmbd_debug(SMB, "get posix context\n"); - - posix_mode = le32_to_cpu(posix->Mode); - posix_ctxt = 1; - } - } } if (ksmbd_override_fsids(work)) { -- 2.39.5

4 weeks, 1 day

2
5
0 0

[PATCH] net: core: fix UNIX-STREAM alignment in /proc/net/protocols

by moyuanhao3676＠163.com

From: MoYuanhao <moyuanhao3676(a)163.com> Widen protocol name column from %-9s to %-11s to properly display UNIX-STREAM and keep table alignment. before modification： console:/ # cat /proc/net/protocols protocol size sockets memory press maxhdr slab module cl co di ac io in de sh ss gs se re sp bi br ha uh gp em PPPOL2TP 920 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n HIDP 808 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n BNEP 808 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n RFCOMM 840 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n KEY 864 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n PACKET 1536 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n PINGv6 1184 0 -1 NI 0 yes kernel y y y n n y n n y y y y n y y y y y n RAWv6 1184 0 -1 NI 0 yes kernel y y y n y y y n y y y y n y y y y n n UDPLITEv6 1344 0 0 NI 0 yes kernel y y y n y y y n y y y y n n n y y y n UDPv6 1344 0 0 NI 0 yes kernel y y y n y y y n y y y y n n n y y y n TCPv6 2352 0 0 no 320 yes kernel y y y y y y y y y y y y y n y y y y y PPTP 920 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n PPPOE 920 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n UNIX-STREAM 1024 29 -1 NI 0 yes kernel y n n n n n n n n n n n n n n n y n n UNIX 1024 193 -1 NI 0 yes kernel y n n n n n n n n n n n n n n n n n n UDP-Lite 1152 0 0 NI 0 yes kernel y y y n y y y n y y y y y n n y y y n PING 976 0 -1 NI 0 yes kernel y y y n n y n n y y y y n y y y y y n RAW 984 0 -1 NI 0 yes kernel y y y n y y y n y y y y n y y y y n n UDP 1152 0 0 NI 0 yes kernel y y y n y y y n y y y y y n n y y y n TCP 2192 0 0 no 320 yes kernel y y y y y y y y y y y y y n y y y y y SCO 848 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n L2CAP 824 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n HCI 888 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n NETLINK 1104 18 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n after modification: console:/ # cat /proc/net/protocols protocol size sockets memory press maxhdr slab module cl co di ac io in de sh ss gs se re sp bi br ha uh gp em PPPOL2TP 920 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n HIDP 808 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n BNEP 808 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n RFCOMM 840 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n KEY 864 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n PACKET 1536 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n PINGv6 1184 0 -1 NI 0 yes kernel y y y n n y n n y y y y n y y y y y n RAWv6 1184 0 -1 NI 0 yes kernel y y y n y y y n y y y y n y y y y n n UDPLITEv6 1344 0 0 NI 0 yes kernel y y y n y y y n y y y y n n n y y y n UDPv6 1344 0 0 NI 0 yes kernel y y y n y y y n y y y y n n n y y y n TCPv6 2352 0 0 no 320 yes kernel y y y y y y y y y y y y y n y y y y y PPTP 920 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n PPPOE 920 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n UNIX-STREAM 1024 29 -1 NI 0 yes kernel y n n n n n n n n n n n n n n n y n n UNIX 1024 193 -1 NI 0 yes kernel y n n n n n n n n n n n n n n n n n n UDP-Lite 1152 0 0 NI 0 yes kernel y y y n y y y n y y y y y n n y y y n PING 976 0 -1 NI 0 yes kernel y y y n n y n n y y y y n y y y y y n RAW 984 0 -1 NI 0 yes kernel y y y n y y y n y y y y n y y y y n n UDP 1152 0 0 NI 0 yes kernel y y y n y y y n y y y y y n n y y y n TCP 2192 0 0 no 320 yes kernel y y y y y y y y y y y y y n y y y y y SCO 848 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n L2CAP 824 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n HCI 888 0 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n NETLINK 1104 18 -1 NI 0 no kernel n n n n n n n n n n n n n n n n n n n Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: MoYuanhao <moyuanhao3676(a)163.com> --- net/core/sock.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/core/sock.c b/net/core/sock.c index 3b409bc8ef6d..d2de5459e94f 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -4284,7 +4284,7 @@ static const char *sock_prot_memory_pressure(struct proto *proto) static void proto_seq_printf(struct seq_file *seq, struct proto *proto) { - seq_printf(seq, "%-9s %4u %6d %6ld %-3s %6u %-3s %-10s " + seq_printf(seq, "%-11s %4u %6d %6ld %-3s %6u %-3s %-10s " "%2c %2c %2c %2c %2c %2c %2c %2c %2c %2c %2c %2c %2c %2c %2c %2c %2c %2c\n", proto->name, proto->obj_size, @@ -4317,7 +4317,7 @@ static void proto_seq_printf(struct seq_file *seq, struct proto *proto) static int proto_seq_show(struct seq_file *seq, void *v) { if (v == &proto_list) - seq_printf(seq, "%-9s %-4s %-8s %-6s %-5s %-7s %-4s %-10s %s", + seq_printf(seq, "%-11s %-4s %-8s %-6s %-5s %-7s %-4s %-10s %s", "protocol", "size", "sockets", -- 2.34.1

4 weeks, 1 day

3
2
0 0

[PATCH AUTOSEL 5.4 1/2] Revert "iommu/amd: Prevent binding other PCI drivers to IOMMU PCI devices"

by Sasha Levin

From: Lukas Wunner <lukas(a)wunner.de> [ Upstream commit 3be5fa236649da6404f1bca1491bf02d4b0d5cce ] Commit 991de2e59090 ("PCI, x86: Implement pcibios_alloc_irq() and pcibios_free_irq()") changed IRQ handling on PCI driver probing. It inadvertently broke resume from system sleep on AMD platforms: https://lore.kernel.org/r/20150926164651.GA3640@pd.tnic/ This was fixed by two independent commits: * 8affb487d4a4 ("x86/PCI: Don't alloc pcibios-irq when MSI is enabled") * cbbc00be2ce3 ("iommu/amd: Prevent binding other PCI drivers to IOMMU PCI devices") The breaking change and one of these two fixes were subsequently reverted: * fe25d078874f ("Revert "x86/PCI: Don't alloc pcibios-irq when MSI is enabled"") * 6c777e8799a9 ("Revert "PCI, x86: Implement pcibios_alloc_irq() and pcibios_free_irq()"") This rendered the second fix unnecessary, so revert it as well. It used the match_driver flag in struct pci_dev, which is internal to the PCI core and not supposed to be touched by arbitrary drivers. Signed-off-by: Lukas Wunner <lukas(a)wunner.de> Signed-off-by: Bjorn Helgaas <bhelgaas(a)google.com> Signed-off-by: Krzysztof Wilczyński <kwilczynski(a)kernel.org> Acked-by: Joerg Roedel <jroedel(a)suse.de> Link: https://patch.msgid.link/9a3ddff5cc49512044f963ba0904347bd404094d.174557234… Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES** This commit should be backported to stable kernel trees. **Extensive Analysis:** **1. Context and Purpose:** This commit is part of a coordinated series of reverts addressing regressions introduced by commit 991de2e59090 ("PCI, x86: Implement pcibios_alloc_irq() and pcibios_free_irq()") which broke system suspend/resume on AMD platforms in v4.3. The original issue was fixed by two independent commits, one of which (cbbc00be2ce3) added the line `iommu->dev->match_driver = false;` to prevent other PCI drivers from binding to IOMMU devices. **2. Code Change Analysis:** The commit removes exactly one line from `drivers/iommu/amd/init.c:2034`: ```c /* Prevent binding other PCI device drivers to IOMMU devices */ iommu->dev->match_driver = false; ``` This line was setting the `match_driver` field of `struct pci_dev`, which the commit message correctly identifies as "internal to the PCI core and not supposed to be touched by arbitrary drivers." **3. Why This Should Be Backported:** **a) Part of Coordinated Fix Series:** This revert is the logical completion of a series of reverts that fixed major regressions. Looking at the similar commits provided as examples: - Similar Commit #1 (YES): Revert of x86/PCI pcibios-irq allocation - Similar Commit #2 (YES): Revert of PCI IRQ management helpers - Similar Commit #5 (YES): Revert of the original problematic pcibios_alloc_irq implementation All these related reverts were marked for backporting, making this commit part of the same logical fix series. **b) Removes Inappropriate Code:** The commit eliminates code that violates kernel design principles by accessing internal PCI core structures from a driver. The `match_driver` field is not meant to be manipulated by individual drivers. **c) Cleanup After Main Fix:** Once the root cause (commit 991de2e59090) was reverted by commit 6c777e8799a9, the workaround became unnecessary. Keeping unnecessary workaround code, especially code that inappropriately accesses internal structures, is problematic. **d) Minimal Risk:** The change is extremely small and low-risk - it simply removes one line that was setting an internal field inappropriately. **e) Consistency and Completeness:** Since the other reverts in this series addressing the 991de2e59090 regressions were backported, this should be included for consistency and to ensure the cleanup is complete. **4. Stable Tree Criteria Met:** - ✅ Fixes inappropriate driver behavior (accessing internal PCI structures) - ✅ Small and contained change - ✅ Part of a series addressing known regressions - ✅ Minimal risk of introducing new issues - ✅ Consistent with backporting decisions for related commits The commit represents necessary cleanup after a coordinated regression fix and should be backported to maintain consistency with the related reverts and to remove code that inappropriately accesses internal kernel structures. drivers/iommu/amd_iommu_init.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c index de29512c75ccc..cd17deeedf349 100644 --- a/drivers/iommu/amd_iommu_init.c +++ b/drivers/iommu/amd_iommu_init.c @@ -1751,9 +1751,6 @@ static int __init iommu_init_pci(struct amd_iommu *iommu) if (!iommu->dev) return -ENODEV; - /* Prevent binding other PCI device drivers to IOMMU devices */ - iommu->dev->match_driver = false; - /* ACPI _PRT won't have an IRQ for IOMMU */ iommu->dev->irq_managed = 1; -- 2.39.5

4 weeks, 1 day

1
1
0 0

[PATCH AUTOSEL 5.10 1/2] Revert "iommu/amd: Prevent binding other PCI drivers to IOMMU PCI devices"

by Sasha Levin

From: Lukas Wunner <lukas(a)wunner.de> [ Upstream commit 3be5fa236649da6404f1bca1491bf02d4b0d5cce ] Commit 991de2e59090 ("PCI, x86: Implement pcibios_alloc_irq() and pcibios_free_irq()") changed IRQ handling on PCI driver probing. It inadvertently broke resume from system sleep on AMD platforms: https://lore.kernel.org/r/20150926164651.GA3640@pd.tnic/ This was fixed by two independent commits: * 8affb487d4a4 ("x86/PCI: Don't alloc pcibios-irq when MSI is enabled") * cbbc00be2ce3 ("iommu/amd: Prevent binding other PCI drivers to IOMMU PCI devices") The breaking change and one of these two fixes were subsequently reverted: * fe25d078874f ("Revert "x86/PCI: Don't alloc pcibios-irq when MSI is enabled"") * 6c777e8799a9 ("Revert "PCI, x86: Implement pcibios_alloc_irq() and pcibios_free_irq()"") This rendered the second fix unnecessary, so revert it as well. It used the match_driver flag in struct pci_dev, which is internal to the PCI core and not supposed to be touched by arbitrary drivers. Signed-off-by: Lukas Wunner <lukas(a)wunner.de> Signed-off-by: Bjorn Helgaas <bhelgaas(a)google.com> Signed-off-by: Krzysztof Wilczyński <kwilczynski(a)kernel.org> Acked-by: Joerg Roedel <jroedel(a)suse.de> Link: https://patch.msgid.link/9a3ddff5cc49512044f963ba0904347bd404094d.174557234… Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES** This commit should be backported to stable kernel trees. **Extensive Analysis:** **1. Context and Purpose:** This commit is part of a coordinated series of reverts addressing regressions introduced by commit 991de2e59090 ("PCI, x86: Implement pcibios_alloc_irq() and pcibios_free_irq()") which broke system suspend/resume on AMD platforms in v4.3. The original issue was fixed by two independent commits, one of which (cbbc00be2ce3) added the line `iommu->dev->match_driver = false;` to prevent other PCI drivers from binding to IOMMU devices. **2. Code Change Analysis:** The commit removes exactly one line from `drivers/iommu/amd/init.c:2034`: ```c /* Prevent binding other PCI device drivers to IOMMU devices */ iommu->dev->match_driver = false; ``` This line was setting the `match_driver` field of `struct pci_dev`, which the commit message correctly identifies as "internal to the PCI core and not supposed to be touched by arbitrary drivers." **3. Why This Should Be Backported:** **a) Part of Coordinated Fix Series:** This revert is the logical completion of a series of reverts that fixed major regressions. Looking at the similar commits provided as examples: - Similar Commit #1 (YES): Revert of x86/PCI pcibios-irq allocation - Similar Commit #2 (YES): Revert of PCI IRQ management helpers - Similar Commit #5 (YES): Revert of the original problematic pcibios_alloc_irq implementation All these related reverts were marked for backporting, making this commit part of the same logical fix series. **b) Removes Inappropriate Code:** The commit eliminates code that violates kernel design principles by accessing internal PCI core structures from a driver. The `match_driver` field is not meant to be manipulated by individual drivers. **c) Cleanup After Main Fix:** Once the root cause (commit 991de2e59090) was reverted by commit 6c777e8799a9, the workaround became unnecessary. Keeping unnecessary workaround code, especially code that inappropriately accesses internal structures, is problematic. **d) Minimal Risk:** The change is extremely small and low-risk - it simply removes one line that was setting an internal field inappropriately. **e) Consistency and Completeness:** Since the other reverts in this series addressing the 991de2e59090 regressions were backported, this should be included for consistency and to ensure the cleanup is complete. **4. Stable Tree Criteria Met:** - ✅ Fixes inappropriate driver behavior (accessing internal PCI structures) - ✅ Small and contained change - ✅ Part of a series addressing known regressions - ✅ Minimal risk of introducing new issues - ✅ Consistent with backporting decisions for related commits The commit represents necessary cleanup after a coordinated regression fix and should be backported to maintain consistency with the related reverts and to remove code that inappropriately accesses internal kernel structures. drivers/iommu/amd/init.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c index e09391ab3deb0..752edbf529f5f 100644 --- a/drivers/iommu/amd/init.c +++ b/drivers/iommu/amd/init.c @@ -1876,9 +1876,6 @@ static int __init iommu_init_pci(struct amd_iommu *iommu) if (!iommu->dev) return -ENODEV; - /* Prevent binding other PCI device drivers to IOMMU devices */ - iommu->dev->match_driver = false; - /* ACPI _PRT won't have an IRQ for IOMMU */ iommu->dev->irq_managed = 1; -- 2.39.5

4 weeks, 1 day

1
1
0 0

[PATCH AUTOSEL 5.15 1/3] ksmbd: allow a filename to contain special characters on SMB3.1.1 posix extension

by Sasha Levin

From: Namjae Jeon <linkinjeon(a)kernel.org> [ Upstream commit dc3e0f17f74558e8a2fce00608855f050de10230 ] If client send SMB2_CREATE_POSIX_CONTEXT to ksmbd, Allow a filename to contain special characters. Reported-by: Philipp Kerling <pkerling(a)casix.org> Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- Based on my analysis of both the commit message and code changes, examining the Linux kernel repository context: **YES** This commit should be backported to stable kernel trees. Here's my extensive analysis: ## Nature of the Change This is a **legitimate bug fix** that addresses a functional issue where SMB3.1.1 POSIX extension clients cannot create files with characters that are valid in POSIX filesystems but blocked by ksmbd's Windows- centric filename validation. ## Code Analysis ### Key Changes: 1. **Early POSIX context detection** (lines 2906-2925): The code now checks for SMB2_CREATE_POSIX_CONTEXT early in the function 2. **Conditional validation bypass**: The critical change at lines 3161-3164 where `ksmbd_validate_filename(name)` is only called when `posix_ctxt == false` 3. **Structural improvement**: Moving POSIX context parsing before filename validation, which is the logical order ### What Gets Bypassed: The `ksmbd_validate_filename()` function normally blocks characters like `"`, `<`, `>`, `|`, `?`, `*`, and control characters. For POSIX extensions, these restrictions are inappropriate since POSIX filesystems can safely handle most of these characters. ## Security Assessment ### Low Security Risk: 1. **Limited Scope**: Only affects clients explicitly using SMB3.1.1 POSIX extensions (`tcon->posix_extensions` must be enabled) 2. **VFS Protection**: Linux VFS layer provides underlying security validation 3. **No Path Traversal**: Higher-level path validation still prevents `../` sequences 4. **Standards Compliance**: Aligns with Microsoft's SMB3.1.1 POSIX extension specification ### Justification for the Change: - **User Report**: Philipp Kerling reported this as a functional issue - **Interoperability**: Essential for proper POSIX-aware SMB client functionality - **Standards Adherence**: SMB3.1.1 POSIX extensions are designed to allow POSIX filename semantics ## Comparison with Similar Commits This follows the pattern of other backported ksmbd commits: - **Similar to Commit #4**: Another filename validation fix that was backported (moving leading slash check) - **Similar scope**: Limited, well-contained change to specific subsystem - **Bug fix nature**: Addresses functional issue rather than adding new features ## Stable Tree Criteria Compliance ✅ **Fixes important bug**: Enables legitimate POSIX client functionality ✅ **Small and contained**: Changes only affect POSIX extension code path ✅ **Minimal regression risk**: Protected by existing VFS validation ✅ **Clear side effects**: Well-understood behavior change ✅ **No architectural changes**: Simple conditional logic modification ## Recommendation This commit represents a **low-risk bug fix** that enables proper SMB3.1.1 POSIX extension functionality without introducing significant security vulnerabilities. The change is well-scoped, addresses a legitimate user issue, and maintains appropriate security boundaries through existing VFS-level protections. fs/ksmbd/smb2pdu.c | 53 +++++++++++++++++++++++----------------------- 1 file changed, 27 insertions(+), 26 deletions(-) diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index b21601c0a457c..76334a983cd25 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -2679,7 +2679,7 @@ int smb2_open(struct ksmbd_work *work) int req_op_level = 0, open_flags = 0, may_flags = 0, file_info = 0; int rc = 0; int contxt_cnt = 0, query_disk_id = 0; - int maximal_access_ctxt = 0, posix_ctxt = 0; + bool maximal_access_ctxt = false, posix_ctxt = false; int s_type = 0; int next_off = 0; char *name = NULL; @@ -2706,6 +2706,27 @@ int smb2_open(struct ksmbd_work *work) return create_smb2_pipe(work); } + if (req->CreateContextsOffset && tcon->posix_extensions) { + context = smb2_find_context_vals(req, SMB2_CREATE_TAG_POSIX, 16); + if (IS_ERR(context)) { + rc = PTR_ERR(context); + goto err_out2; + } else if (context) { + struct create_posix *posix = (struct create_posix *)context; + + if (le16_to_cpu(context->DataOffset) + + le32_to_cpu(context->DataLength) < + sizeof(struct create_posix) - 4) { + rc = -EINVAL; + goto err_out2; + } + ksmbd_debug(SMB, "get posix context\n"); + + posix_mode = le32_to_cpu(posix->Mode); + posix_ctxt = true; + } + } + if (req->NameLength) { if ((req->CreateOptions & FILE_DIRECTORY_FILE_LE) && *(char *)req->Buffer == '\\') { @@ -2737,9 +2758,11 @@ int smb2_open(struct ksmbd_work *work) goto err_out2; } - rc = ksmbd_validate_filename(name); - if (rc < 0) - goto err_out2; + if (posix_ctxt == false) { + rc = ksmbd_validate_filename(name); + if (rc < 0) + goto err_out2; + } if (ksmbd_share_veto_filename(share, name)) { rc = -ENOENT; @@ -2854,28 +2877,6 @@ int smb2_open(struct ksmbd_work *work) rc = -EBADF; goto err_out2; } - - if (tcon->posix_extensions) { - context = smb2_find_context_vals(req, - SMB2_CREATE_TAG_POSIX, 16); - if (IS_ERR(context)) { - rc = PTR_ERR(context); - goto err_out2; - } else if (context) { - struct create_posix *posix = - (struct create_posix *)context; - if (le16_to_cpu(context->DataOffset) + - le32_to_cpu(context->DataLength) < - sizeof(struct create_posix) - 4) { - rc = -EINVAL; - goto err_out2; - } - ksmbd_debug(SMB, "get posix context\n"); - - posix_mode = le32_to_cpu(posix->Mode); - posix_ctxt = 1; - } - } } if (ksmbd_override_fsids(work)) { -- 2.39.5

4 weeks, 1 day

1
2
0 0

[PATCH 6.15.y 0/2] rtc: backport support for handling dates before 1970

by Uwe Kleine-König

Hello, as described in the commit log of the two commits the rtc-mt6397 driver relies on these fixes as soon as it should store dates later than 2027-12-31. On one of the patches has a Fixes line, so this submission is done to ensure that both patches are backported. The patches sent in reply to this mail are (trivial) backports to v6.15.1, they should get backported to the older stable kernels, too, to (somewhat) ensure that in 2028 no surprises happen. `git am` is able to apply the patches as is to 6.14.y, 6.12.y, 6.6.y, 6.1.y and 5.15.y. 5.10 and 5.4 need an adaption, I didn't look into that yet but can follow up with backports for these. The two fixes were accompanied by 3 test updates: 46351921cbe1 ("rtc: test: Emit the seconds-since-1970 value instead of days-since-1970") da62b49830f8 ("rtc: test: Also test time and wday outcome of rtc_time64_to_tm()") ccb2dba3c19f ("rtc: test: Test date conversion for dates starting in 1900") that cover one of the patches. Would you consider it sensible to backport these, too? Best regards Uwe Alexandre Mergnat (2): rtc: Make rtc_time64_to_tm() support dates before 1970 rtc: Fix offset calculation for .start_secs < 0 drivers/rtc/class.c | 2 +- drivers/rtc/lib.c | 24 +++++++++++++++++++----- 2 files changed, 20 insertions(+), 6 deletions(-) base-commit: 3ef49626da6dd67013fc2cf0a4e4c9e158bb59f7 -- 2.47.2

4 weeks, 1 day

3
5
0 0

+ mm-close-theoretical-race-where-stale-tlb-entries-could-linger.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: close theoretical race where stale TLB entries could linger has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-close-theoretical-race-where-stale-tlb-entries-could-linger.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Ryan Roberts <ryan.roberts(a)arm.com> Subject: mm: close theoretical race where stale TLB entries could linger Date: Fri, 6 Jun 2025 10:28:07 +0100 Commit 3ea277194daa ("mm, mprotect: flush TLB if potentially racing with a parallel reclaim leaving stale TLB entries") described a theoretical race as such: """ Nadav Amit identified a theoretical race between page reclaim and mprotect due to TLB flushes being batched outside of the PTL being held. He described the race as follows: CPU0 CPU1 ---- ---- user accesses memory using RW PTE [PTE now cached in TLB] try_to_unmap_one() ==> ptep_get_and_clear() ==> set_tlb_ubc_flush_pending() mprotect(addr, PROT_READ) ==> change_pte_range() ==> [ PTE non-present - no flush ] user writes using cached RW PTE ... try_to_unmap_flush() The same type of race exists for reads when protecting for PROT_NONE and also exists for operations that can leave an old TLB entry behind such as munmap, mremap and madvise. """ The solution was to introduce flush_tlb_batched_pending() and call it under the PTL from mprotect/madvise/munmap/mremap to complete any pending tlb flushes. However, while madvise_free_pte_range() and madvise_cold_or_pageout_pte_range() were both retro-fitted to call flush_tlb_batched_pending() immediately after initially acquiring the PTL, they both temporarily release the PTL to split a large folio if they stumble upon one. In this case, where re-acquiring the PTL flush_tlb_batched_pending() must be called again, but it previously was not. Let's fix that. There are 2 Fixes: tags here: the first is the commit that fixed madvise_free_pte_range(). The second is the commit that added madvise_cold_or_pageout_pte_range(), which looks like it copy/pasted the faulty pattern from madvise_free_pte_range(). This is a theoretical bug discovered during code review. Link: https://lkml.kernel.org/r/20250606092809.4194056-1-ryan.roberts@arm.com Fixes: 3ea277194daa ("mm, mprotect: flush TLB if potentially racing with a parallel reclaim leaving stale TLB entries") Fixes: 9c276cc65a58 ("mm: introduce MADV_COLD") Signed-off-by: Ryan Roberts <ryan.roberts(a)arm.com> Reviewed-by: Jann Horn <jannh(a)google.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Mel Gorman <mgorman <mgorman(a)suse.de> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/madvise.c | 2 ++ 1 file changed, 2 insertions(+) --- a/mm/madvise.c~mm-close-theoretical-race-where-stale-tlb-entries-could-linger +++ a/mm/madvise.c @@ -508,6 +508,7 @@ restart: pte_offset_map_lock(mm, pmd, addr, &ptl); if (!start_pte) break; + flush_tlb_batched_pending(mm); arch_enter_lazy_mmu_mode(); if (!err) nr = 0; @@ -741,6 +742,7 @@ static int madvise_free_pte_range(pmd_t start_pte = pte; if (!start_pte) break; + flush_tlb_batched_pending(mm); arch_enter_lazy_mmu_mode(); if (!err) nr = 0; _ Patches currently in -mm which might be from ryan.roberts(a)arm.com are mm-close-theoretical-race-where-stale-tlb-entries-could-linger.patch

1 month

1
0
0 0

+ mm-vma-reset-vma-iterator-on-commit_merge-oom-failure.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/vma: reset VMA iterator on commit_merge() OOM failure has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-vma-reset-vma-iterator-on-commit_merge-oom-failure.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Subject: mm/vma: reset VMA iterator on commit_merge() OOM failure Date: Fri, 6 Jun 2025 13:50:32 +0100 While an OOM failure in commit_merge() isn't really feasible due to the allocation which might fail (a maple tree pre-allocation) being 'too small to fail', we do need to handle this case correctly regardless. In vma_merge_existing_range(), we can theoretically encounter failures which result in an OOM error in two ways - firstly dup_anon_vma() might fail with an OOM error, and secondly commit_merge() failing, ultimately, to pre-allocate a maple tree node. The abort logic for dup_anon_vma() resets the VMA iterator to the initial range, ensuring that any logic looping on this iterator will correctly proceed to the next VMA. However the commit_merge() abort logic does not do the same thing. This resulted in a syzbot report occurring because mlockall() iterates through VMAs, is tolerant of errors, but ended up with an incorrect previous VMA being specified due to incorrect iterator state. While making this change, it became apparent we are duplicating logic - the logic introduced in commit 41e6ddcaa0f1 ("mm/vma: add give_up_on_oom option on modify/merge, use in uffd release") duplicates the vmg->give_up_on_oom check in both abort branches. Additionally, we observe that we can perform the anon_dup check safely on dup_anon_vma() failure, as this will not be modified should this call fail. Finally, we need to reset the iterator in both cases, so now we can simply use the exact same code to abort for both. We remove the VM_WARN_ON(err != -ENOMEM) as it would be silly for this to be otherwise and it allows us to implement the abort check more neatly. Link: https://lkml.kernel.org/r/20250606125032.164249-1-lorenzo.stoakes@oracle.com Fixes: 47b16d0462a4 ("mm: abort vma_modify() on merge out of memory failure") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reported-by: syzbot+d16409ea9ecc16ed261a(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-mm/6842cc67.a00a0220.29ac89.003b.GAE@google.c… Reviewed-by: Pedro Falcato <pfalcato(a)suse.de> Reviewed-by: Vlastimil Babka <vbabka(a)suse.cz> Cc: Jann Horn <jannh(a)google.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/vma.c | 22 ++++------------------ 1 file changed, 4 insertions(+), 18 deletions(-) --- a/mm/vma.c~mm-vma-reset-vma-iterator-on-commit_merge-oom-failure +++ a/mm/vma.c @@ -961,26 +961,9 @@ static __must_check struct vm_area_struc err = dup_anon_vma(next, middle, &anon_dup); } - if (err) + if (err || commit_merge(vmg)) goto abort; - err = commit_merge(vmg); - if (err) { - VM_WARN_ON(err != -ENOMEM); - - if (anon_dup) - unlink_anon_vmas(anon_dup); - - /* - * We've cleaned up any cloned anon_vma's, no VMAs have been - * modified, no harm no foul if the user requests that we not - * report this and just give up, leaving the VMAs unmerged. - */ - if (!vmg->give_up_on_oom) - vmg->state = VMA_MERGE_ERROR_NOMEM; - return NULL; - } - khugepaged_enter_vma(vmg->target, vmg->flags); vmg->state = VMA_MERGE_SUCCESS; return vmg->target; @@ -989,6 +972,9 @@ abort: vma_iter_set(vmg->vmi, start); vma_iter_load(vmg->vmi); + if (anon_dup) + unlink_anon_vmas(anon_dup); + /* * This means we have failed to clone anon_vma's correctly, but no * actual changes to VMAs have occurred, so no harm no foul - if the _ Patches currently in -mm which might be from lorenzo.stoakes(a)oracle.com are mm-vma-reset-vma-iterator-on-commit_merge-oom-failure.patch docs-mm-expand-vma-doc-to-highlight-pte-freeing-non-vma-traversal.patch mm-ksm-have-ksm-vma-checks-not-require-a-vma-pointer.patch mm-ksm-refer-to-special-vmas-via-vm_special-in-ksm_compatible.patch mm-prevent-ksm-from-breaking-vma-merging-for-new-vmas.patch tools-testing-selftests-add-vma-merge-tests-for-ksm-merge.patch mm-pagewalk-split-walk_page_range_novma-into-kernel-user-parts.patch

1 month

1
0
0 0

[PATCH v2] iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush

by Sean Nyekjaer

fxls8962af_fifo_flush() uses indio_dev->active_scan_mask (with iio_for_each_active_channel()) without making sure the indio_dev stays in buffer mode. There is a race if indio_dev exits buffer mode in the middle of the interrupt that flushes the fifo. Fix this by calling synchronize_irq() to ensure that no interrupt is currently running when disabling buffer mode. Unable to handle kernel NULL pointer dereference at virtual address 00000000 when read [...] _find_first_bit_le from fxls8962af_fifo_flush+0x17c/0x290 fxls8962af_fifo_flush from fxls8962af_interrupt+0x80/0x178 fxls8962af_interrupt from irq_thread_fn+0x1c/0x7c irq_thread_fn from irq_thread+0x110/0x1f4 irq_thread from kthread+0xe0/0xfc kthread from ret_from_fork+0x14/0x2c Fixes: 79e3a5bdd9ef ("iio: accel: fxls8962af: add hw buffered sampling") Cc: stable(a)vger.kernel.org Suggested-by: David Lechner <dlechner(a)baylibre.com> Signed-off-by: Sean Nyekjaer <sean(a)geanix.com> --- Changes in v2: - As per David's suggestion; switched to use synchronize_irq() instead. - Link to v1: https://lore.kernel.org/r/20250524-fxlsrace-v1-1-dec506dc87ae@geanix.com --- drivers/iio/accel/fxls8962af-core.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/iio/accel/fxls8962af-core.c b/drivers/iio/accel/fxls8962af-core.c index 6d23da3e7aa22c61f2d9348bb91d70cc5719a732..f2558fba491dffa78b26d47d2cd9f1f4d9811f54 100644 --- a/drivers/iio/accel/fxls8962af-core.c +++ b/drivers/iio/accel/fxls8962af-core.c @@ -866,6 +866,8 @@ static int fxls8962af_buffer_predisable(struct iio_dev *indio_dev) if (ret) return ret; + synchronize_irq(data->irq); + ret = __fxls8962af_fifo_set_mode(data, false); if (data->enable_event) --- base-commit: 5c3fcb36c92443a9a037683626a2e43d8825f783 change-id: 20250524-fxlsrace-f4d20e29fb29 Best regards, -- Sean Nyekjaer <sean(a)geanix.com>

1 month

3
3
0 0

[PATCH 6.11 1/1] PCI/ASPM: Disable L1 before disabling L1 PM Substates

by Macpaul Lin

From: Ajay Agarwal <ajayagarwal(a)google.com> [ Upstream commit 7447990137bf06b2aeecad9c6081e01a9f47f2aa ] PCIe r6.2, sec 5.5.4, requires that: If setting either or both of the enable bits for ASPM L1 PM Substates, both ports must be configured as described in this section while ASPM L1 is disabled. Previously, pcie_config_aspm_l1ss() assumed that "setting enable bits" meant "setting them to 1", and it configured L1SS as follows: - Clear L1SS enable bits - Disable L1 - Configure L1SS enable bits as required - Enable L1 if required With this sequence, when disabling L1SS on an ARM A-core with a Synopsys DesignWare PCIe core, the CPU occasionally hangs when reading PCI_L1SS_CTL1, leading to a reboot when the CPU watchdog expires. Move the L1 disable to the caller (pcie_config_aspm_link(), where L1 was already enabled) so L1 is always disabled while updating the L1SS bits: - Disable L1 - Clear L1SS enable bits - Configure L1SS enable bits as required - Enable L1 if required Change pcie_aspm_cap_init() similarly. Link: https://lore.kernel.org/r/20241007032917.872262-1-ajayagarwal@google.com Signed-off-by: Ajay Agarwal <ajayagarwal(a)google.com> [bhelgaas: comments, commit log, compute L1SS setting before config access] Signed-off-by: Bjorn Helgaas <bhelgaas(a)google.com> Tested-by: Johnny-CC Chang <Johnny-CC.Chang(a)mediatek.com> Signed-off-by: Macpaul Lin <macpaul.lin(a)mediatek.com> --- drivers/pci/pcie/aspm.c | 92 ++++++++++++++++++++++------------------- 1 file changed, 50 insertions(+), 42 deletions(-) diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c index cee2365e54b8..e943691bc931 100644 --- a/drivers/pci/pcie/aspm.c +++ b/drivers/pci/pcie/aspm.c @@ -805,6 +805,15 @@ static void pcie_aspm_cap_init(struct pcie_link_state *link, int blacklist) pcie_capability_read_word(parent, PCI_EXP_LNKCTL, &parent_lnkctl); pcie_capability_read_word(child, PCI_EXP_LNKCTL, &child_lnkctl); + /* Disable L0s/L1 before updating L1SS config */ + if (FIELD_GET(PCI_EXP_LNKCTL_ASPMC, child_lnkctl) || + FIELD_GET(PCI_EXP_LNKCTL_ASPMC, parent_lnkctl)) { + pcie_capability_write_word(child, PCI_EXP_LNKCTL, + child_lnkctl & ~PCI_EXP_LNKCTL_ASPMC); + pcie_capability_write_word(parent, PCI_EXP_LNKCTL, + parent_lnkctl & ~PCI_EXP_LNKCTL_ASPMC); + } + /* * Setup L0s state * @@ -829,6 +838,13 @@ static void pcie_aspm_cap_init(struct pcie_link_state *link, int blacklist) aspm_l1ss_init(link); + /* Restore L0s/L1 if they were enabled */ + if (FIELD_GET(PCI_EXP_LNKCTL_ASPMC, child_lnkctl) || + FIELD_GET(PCI_EXP_LNKCTL_ASPMC, parent_lnkctl)) { + pcie_capability_write_word(parent, PCI_EXP_LNKCTL, parent_lnkctl); + pcie_capability_write_word(child, PCI_EXP_LNKCTL, child_lnkctl); + } + /* Save default state */ link->aspm_default = link->aspm_enabled; @@ -845,25 +861,28 @@ static void pcie_aspm_cap_init(struct pcie_link_state *link, int blacklist) } } -/* Configure the ASPM L1 substates */ +/* Configure the ASPM L1 substates. Caller must disable L1 first. */ static void pcie_config_aspm_l1ss(struct pcie_link_state *link, u32 state) { - u32 val, enable_req; + u32 val; struct pci_dev *child = link->downstream, *parent = link->pdev; - enable_req = (link->aspm_enabled ^ state) & state; + val = 0; + if (state & PCIE_LINK_STATE_L1_1) + val |= PCI_L1SS_CTL1_ASPM_L1_1; + if (state & PCIE_LINK_STATE_L1_2) + val |= PCI_L1SS_CTL1_ASPM_L1_2; + if (state & PCIE_LINK_STATE_L1_1_PCIPM) + val |= PCI_L1SS_CTL1_PCIPM_L1_1; + if (state & PCIE_LINK_STATE_L1_2_PCIPM) + val |= PCI_L1SS_CTL1_PCIPM_L1_2; /* - * Here are the rules specified in the PCIe spec for enabling L1SS: - * - When enabling L1.x, enable bit at parent first, then at child - * - When disabling L1.x, disable bit at child first, then at parent - * - When enabling ASPM L1.x, need to disable L1 - * (at child followed by parent). - * - The ASPM/PCIPM L1.2 must be disabled while programming timing + * PCIe r6.2, sec 5.5.4, rules for enabling L1 PM Substates: + * - Clear L1.x enable bits at child first, then at parent + * - Set L1.x enable bits at parent first, then at child + * - ASPM/PCIPM L1.2 must be disabled while programming timing * parameters - * - * To keep it simple, disable all L1SS bits first, and later enable - * what is needed. */ /* Disable all L1 substates */ @@ -871,26 +890,6 @@ static void pcie_config_aspm_l1ss(struct pcie_link_state *link, u32 state) PCI_L1SS_CTL1_L1SS_MASK, 0); pci_clear_and_set_config_dword(parent, parent->l1ss + PCI_L1SS_CTL1, PCI_L1SS_CTL1_L1SS_MASK, 0); - /* - * If needed, disable L1, and it gets enabled later - * in pcie_config_aspm_link(). - */ - if (enable_req & (PCIE_LINK_STATE_L1_1 | PCIE_LINK_STATE_L1_2)) { - pcie_capability_clear_word(child, PCI_EXP_LNKCTL, - PCI_EXP_LNKCTL_ASPM_L1); - pcie_capability_clear_word(parent, PCI_EXP_LNKCTL, - PCI_EXP_LNKCTL_ASPM_L1); - } - - val = 0; - if (state & PCIE_LINK_STATE_L1_1) - val |= PCI_L1SS_CTL1_ASPM_L1_1; - if (state & PCIE_LINK_STATE_L1_2) - val |= PCI_L1SS_CTL1_ASPM_L1_2; - if (state & PCIE_LINK_STATE_L1_1_PCIPM) - val |= PCI_L1SS_CTL1_PCIPM_L1_1; - if (state & PCIE_LINK_STATE_L1_2_PCIPM) - val |= PCI_L1SS_CTL1_PCIPM_L1_2; /* Enable what we need to enable */ pci_clear_and_set_config_dword(parent, parent->l1ss + PCI_L1SS_CTL1, @@ -937,21 +936,30 @@ static void pcie_config_aspm_link(struct pcie_link_state *link, u32 state) dwstream |= PCI_EXP_LNKCTL_ASPM_L1; } + /* + * Per PCIe r6.2, sec 5.5.4, setting either or both of the enable + * bits for ASPM L1 PM Substates must be done while ASPM L1 is + * disabled. Disable L1 here and apply new configuration after L1SS + * configuration has been completed. + * + * Per sec 7.5.3.7, when disabling ASPM L1, software must disable + * it in the Downstream component prior to disabling it in the + * Upstream component, and ASPM L1 must be enabled in the Upstream + * component prior to enabling it in the Downstream component. + * + * Sec 7.5.3.7 also recommends programming the same ASPM Control + * value for all functions of a multi-function device. + */ + list_for_each_entry(child, &linkbus->devices, bus_list) + pcie_config_aspm_dev(child, 0); + pcie_config_aspm_dev(parent, 0); + if (link->aspm_capable & PCIE_LINK_STATE_L1SS) pcie_config_aspm_l1ss(link, state); - /* - * Spec 2.0 suggests all functions should be configured the - * same setting for ASPM. Enabling ASPM L1 should be done in - * upstream component first and then downstream, and vice - * versa for disabling ASPM L1. Spec doesn't mention L0S. - */ - if (state & PCIE_LINK_STATE_L1) - pcie_config_aspm_dev(parent, upstream); + pcie_config_aspm_dev(parent, upstream); list_for_each_entry(child, &linkbus->devices, bus_list) pcie_config_aspm_dev(child, dwstream); - if (!(state & PCIE_LINK_STATE_L1)) - pcie_config_aspm_dev(parent, upstream); link->aspm_enabled = state; -- 2.45.2

1 month

2
1
0 0

UITP Summit - Hamburg 2025 Attendees List

by tammie wells

Hi, I wanted to check if you’d be interested in acquiring the attendees list of UITP Summit - Hamburg 2025? Event Overview: Dates: 15 - 18 Jun 2025 Location: Hamburg, Germany Attendees: 10,126 Exhibitors: 380 Each contact contains: Contact Name, First Name, Last Name, Job Title, Company, Website Address, City, State, Zip, Country Code, Revenue, Employee Size, Email, Phone Number, and Fax Number. This dataset is an excellent asset for companies looking to expand their reach, build partnerships, and strengthen market presence. If you're interested in the list, just reply "Send Counts and Cost"? Best regards, Tammie Wells Senior Marketing Manager To unsubscribe, simply respond with “Not interested.”

1 month

1
0
0 0

[GIT PULL] bcachefs fixes for 6.15 stable

by Kent Overstreet

The following changes since commit 3ef49626da6dd67013fc2cf0a4e4c9e158bb59f7: Linux 6.15.1 (2025-06-04 14:46:27 +0200) are available in the Git repository at: git://evilpiepirate.org/bcachefs.git tags/bcachefs-for-6.15-2025-06-05 for you to fetch changes up to fc9459c9a888766c4c4adff59b072aad1bfbf6ad: bcachefs: Fix subvol to missing root repair (2025-06-05 14:04:58 -0400) ---------------------------------------------------------------- bcachefs fixes for 6.15 stable ---------------------------------------------------------------- Kent Overstreet (5): bcachefs: Kill un-reverted directory i_size code bcachefs: Repair code for directory i_size bcachefs: delete dead code from may_delete_deleted_inode() bcachefs: Run may_delete_deleted_inode() checks in bch2_inode_rm() bcachefs: Fix subvol to missing root repair fs/bcachefs/dirent.c | 12 ++----- fs/bcachefs/dirent.h | 4 +-- fs/bcachefs/errcode.h | 2 ++ fs/bcachefs/fs.c | 8 ++++- fs/bcachefs/fsck.c | 8 +++++ fs/bcachefs/inode.c | 77 ++++++++++++++++++++++++++++-------------- fs/bcachefs/namei.c | 4 +-- fs/bcachefs/sb-errors_format.h | 4 ++- fs/bcachefs/subvolume.c | 19 ++++++++--- 9 files changed, 92 insertions(+), 46 deletions(-)

1 month

2
1
0 0

Request for backporting accel/ivpu PTL patches to 6.12

by Jacek Lawrynowicz

Hi, Please cherry-pick following 9 patches to 6.12: 525a3858aad73 accel/ivpu: Set 500 ns delay between power island TRICKLE and ENABLE 08eb99ce911d3 accel/ivpu: Do not fail on cmdq if failed to allocate preemption buffers 755fb86789165 accel/ivpu: Use whole user and shave ranges for preemption buffers 98110eb5924bd accel/ivpu: Increase MS info buffer size c140244f0cfb9 accel/ivpu: Add initial Panther Lake support 88bdd1644ca28 accel/ivpu: Update power island delays ce68f86c44513 accel/ivpu: Do not fail when more than 1 tile is fused 83b6fa5844b53 accel/ivpu: Increase DMA address range e91191efe75a9 accel/ivpu: Move secondary preemption buffer allocation to DMA range These add support for new Panther Lake HW. They should apply without conflicts. Thanks, Jacek

1 month

2
3
0 0

[PATCH v5 0/2] x86/fred: Prevent immediate repeat of single step trap on return from SIGTRAP handler

by Xin Li (Intel)

IDT event delivery has a debug hole in which it does not generate #DB upon returning to userspace before the first userspace instruction is executed if the Trap Flag (TF) is set. FRED closes this hole by introducing a software event flag, i.e., bit 17 of the augmented SS: if the bit is set and ERETU would result in RFLAGS.TF = 1, a single-step trap will be pending upon completion of ERETU. However I overlooked properly setting and clearing the bit in different situations. Thus when FRED is enabled, if the Trap Flag (TF) is set without an external debugger attached, it can lead to an infinite loop in the SIGTRAP handler. To avoid this, the software event flag in the augmented SS must be cleared, ensuring that no single-step trap remains pending when ERETU completes. This patch set combines the fix [1] and its corresponding selftest [2] (requested by Dave Hansen) into one patch set. [1] https://lore.kernel.org/lkml/20250523050153.3308237-1-xin@zytor.com/ [2] https://lore.kernel.org/lkml/20250530230707.2528916-1-xin@zytor.com/ This patch set is based on tip/x86/urgent branch as of today. Link to v4 of this patch set: https://lore.kernel.org/lkml/20250605181020.590459-1-xin@zytor.com/ Changes in v5: *) Accurately rephrase the shortlog (hpa). *) Do "sub $-128, %rsp" rather than "add $128, %rsp", which is more efficient in code size (hpa). *) Add TB from Sohil. *) Add Cc: stable(a)vger.kernel.org to all patches. Xin Li (Intel) (2): x86/fred/signal: Prevent immediate repeat of single step trap on return from SIGTRAP handler selftests/x86: Add a test to detect infinite sigtrap handler loop arch/x86/include/asm/sighandling.h | 22 +++++ arch/x86/kernel/signal_32.c | 4 + arch/x86/kernel/signal_64.c | 4 + tools/testing/selftests/x86/Makefile | 2 +- tools/testing/selftests/x86/sigtrap_loop.c | 98 ++++++++++++++++++++++ 5 files changed, 129 insertions(+), 1 deletion(-) create mode 100644 tools/testing/selftests/x86/sigtrap_loop.c base-commit: dd2922dcfaa3296846265e113309e5f7f138839f -- 2.49.0

1 month

3
4
0 0

[PATCH 5.10 000/270] 5.10.238-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.10.238 release. There are 270 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 04 Jun 2025 13:42:20 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.238-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.10.238-rc1 Robin Murphy <robin.murphy(a)arm.com> perf/arm-cmn: Initialise cmn->cpu earlier Juergen Gross <jgross(a)suse.com> xen/swiotlb: relax alignment requirements Mark Pearson <mpearson-lenovo(a)squebb.ca> platform/x86: thinkpad_acpi: Ignore battery threshold change event notification Valtteri Koskivuori <vkoskiv(a)gmail.com> platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys Michal Suchanek <msuchanek(a)suse.de> tpm: tis: Double the timeout B to 4s Alessandro Grassi <alessandro.grassi(a)mailbox.org> spi: spi-sun4i: fix early activation Masahiro Yamada <masahiroy(a)kernel.org> um: let 'make clean' properly clean underlying SUBARCH as well John Chau <johnchau(a)0atlas.com> platform/x86: thinkpad_acpi: Support also NEC Lavie X1475JAS Jeff Layton <jlayton(a)kernel.org> nfs: don't share pNFS DS connections between net namespaces Milton Barrera <miltonjosue2001(a)gmail.com> HID: quirks: Add ADATA XPG alpha wireless mouse support Christian Brauner <brauner(a)kernel.org> coredump: hand a pidfd to the usermode coredump helper Christian Brauner <brauner(a)kernel.org> fork: use pidfd_prepare() Christian Brauner <brauner(a)kernel.org> pid: add pidfd_prepare() Christian Brauner <brauner(a)kernel.org> coredump: fix error handling for replace_fd() Pedro Tammela <pctammela(a)mojatatu.com> net_sched: hfsc: Address reentrant enqueue adding class to eltree twice Wang Zhaolong <wangzhaolong1(a)huawei.com> smb: client: Reset all search buffer pointers when releasing buffer Wang Zhaolong <wangzhaolong1(a)huawei.com> smb: client: Fix use-after-free in cifs_fill_dirent Jani Nikula <jani.nikula(a)intel.com> drm/i915/gvt: fix unterminated-string-initialization warning Nathan Chancellor <nathan(a)kernel.org> kbuild: Disable -Wdefault-const-init-unsafe Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-dspi: Reset SR flags before sending a new message Bogdan-Gabriel Roman <bogdan-gabriel.roman(a)nxp.com> spi: spi-fsl-dspi: Halt the module after a new message transfer Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-dspi: restrict register range for regmap access Tianyang Zhang <zhangtianyang(a)loongson.cn> mm/page_alloc.c: avoid infinite retries caused by cpuset race Breno Leitao <leitao(a)debian.org> memcg: always call cond_resched() after fn() feijuan.li <feijuan.li(a)samsung.com> drm/edid: fixed the bug that hdr metadata was not reset Ilia Gavrilov <Ilia.Gavrilov(a)infotecs.ru> llc: fix data loss when reading from a socket in llc_ui_recvmsg() Takashi Iwai <tiwai(a)suse.de> ALSA: pcm: Fix race of buffer access at PCM OSS layer Oliver Hartkopp <socketcan(a)hartkopp.net> can: bcm: add missing rcu read protection for procfs content Oliver Hartkopp <socketcan(a)hartkopp.net> can: bcm: add locking for bcm_op runtime updates Dominik Grzegorzek <dominik.grzegorzek(a)oracle.com> padata: do not leak refcount in reorder_work Ivan Pravdin <ipravdin.official(a)gmail.com> crypto: algif_hash - fix double free in hash_accept Wang Liang <wangliang74(a)huawei.com> net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done Cong Wang <xiyou.wangcong(a)gmail.com> sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() Paul Kocialkowski <paulk(a)sys-base.io> net: dwmac-sun8i: Use parsed internal PHY address instead of 1 Ido Schimmel <idosch(a)nvidia.com> bridge: netfilter: Fix forwarding of fragmented packets Paul Chaignon <paul.chaignon(a)gmail.com> xfrm: Sanitize marks before insert Al Viro <viro(a)zeniv.linux.org.uk> __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock Jason Andryuk <jason.andryuk(a)amd.com> xenbus: Allow PVH dom0 a non-local xenstore Goldwyn Rodrigues <rgoldwyn(a)suse.de> btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref Alistair Francis <alistair.francis(a)wdc.com> nvmet-tcp: don't restore null sk_state_change Takashi Iwai <tiwai(a)suse.de> ALSA: hda/realtek: Add quirk for HP Spectre x360 15-df1xxx Takashi Iwai <tiwai(a)suse.de> ASoC: Intel: bytcr_rt5640: Add DMI quirk for Acer Aspire SW3-013 Martin Blumenstingl <martin.blumenstingl(a)googlemail.com> pinctrl: meson: define the pull up/down resistor value as 60 kOhm Jessica Zhang <quic_jesszhan(a)quicinc.com> drm: Add valid clones check Simona Vetter <simona.vetter(a)ffwll.ch> drm/atomic: clarify the rules around drm_atomic_state->allow_modeset Isaac Scott <isaac.scott(a)ideasonboard.com> regulator: ad5398: Add device tree support Sean Anderson <sean.anderson(a)linux.dev> spi: zynqmp-gqspi: Always acknowledge interrupts Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtw88: Don't use static local variable in rtw8822b_set_tx_power_index_by_rate Ravi Bangoria <ravi.bangoria(a)amd.com> perf/amd/ibs: Fix perf_ibs_op.cnt_mask for CurCnt Viktor Malik <vmalik(a)redhat.com> bpftool: Fix readlink usage in get_fd_type Thomas Zimmermann <tzimmermann(a)suse.de> drm/ast: Find VBIOS mode from regular display size junan <junan76(a)163.com> HID: usbkbd: Fix the bit shift number for LED_KANA Kai Mäkisara <Kai.Makisara(a)kolumbus.fi> scsi: st: Restore some drive settings after reset Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Handle duplicate D_IDs in ndlp search-by D_ID routine Ankur Arora <ankur.a.arora(a)oracle.com> rcu: fix header guard for rcu_all_qs() Ankur Arora <ankur.a.arora(a)oracle.com> rcu: handle quiescent states for PREEMPT_RCU=n, PREEMPT_COUNT=y Ido Schimmel <idosch(a)nvidia.com> vxlan: Annotate FDB data races Andrey Vatoropin <a.vatoropin(a)crpt.ru> hwmon: (xgene-hwmon) use appropriate type for the latency value Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtw88: Fix download_firmware_validate() for RTL8814AU Kuniyuki Iwashima <kuniyu(a)amazon.com> ip: fib_rules: Fetch net from fib_rule in fib[46]_rule_configure(). William Tu <witu(a)nvidia.com> net/mlx5e: reduce rep rxq depth to 256 for ECPF William Tu <witu(a)nvidia.com> net/mlx5e: set the tx_queue_len for pfifo_fast Alexei Lazar <alazar(a)nvidia.com> net/mlx5: Extend Ethtool loopback selftest to support non-linear SKB Tom Chung <chiahsuan.chung(a)amd.com> drm/amd/display: Initial psr_version with correct setting Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> phy: core: don't require set_mode() callback for phy_get_mode() to work Kees Cook <kees(a)kernel.org> net/mlx4_core: Avoid impossible mlx4_db_alloc() order value Sakari Ailus <sakari.ailus(a)linux.intel.com> media: v4l: Memset argument to 0 before calling get_mbus_config pad op Konstantin Andreev <andreev(a)swemel.ru> smack: recognize ipv4 CIPSO w/o categories Valentin Caron <valentin.caron(a)foss.st.com> pinctrl: devicetree: do not goto err when probing hogs in pinctrl_dt_to_map Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: soc-dai: check return value at snd_soc_dai_set_tdm_slot() Hector Martin <marcan(a)marcan.st> ASoC: tas2764: Power up/down amp on mute ops Martin Povišer <povik+lin(a)cutebit.org> ASoC: ops: Enforce platform maximum on initial value Shahar Shitrit <shshitrit(a)nvidia.com> net/mlx5: Apply rate-limiting to high temperature warning Shahar Shitrit <shshitrit(a)nvidia.com> net/mlx5: Modify LSB bitmask in temperature event to include only the first bit Xiaofei Tan <tanxiaofei(a)huawei.com> ACPI: HED: Always initialize before evged Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> PCI: Fix old_size lower bound in calculate_iosize() too Jakub Kicinski <kuba(a)kernel.org> eth: mlx4: don't try to complete XDP frames in netpoll Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> can: c_can: Use of_property_present() to test existence of DT property Arnd Bergmann <arnd(a)arndb.de> EDAC/ie31200: work around false positive build warning Peter Seiderer <ps.report(a)gmx.net> net: pktgen: fix access outside of user given buffer in pktgen_thread_write() Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtw88: Fix rtw_desc_to_mcsrate() to handle MCS16-31 Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtw88: Fix rtw_init_ht_cap() for RTL8814AU Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtw88: Fix rtw_init_vht_cap() for RTL8814AU Shivasharan S <shivasharan.srikanteshwara(a)broadcom.com> scsi: mpt3sas: Send a diag reset if target reset fails Paul Burton <paulburton(a)kernel.org> clocksource: mips-gic-timer: Enable counter when CPUs start Paul Burton <paulburton(a)kernel.org> MIPS: pm-cps: Use per-CPU variables as per-CPU, not per-core Bibo Mao <maobibo(a)loongson.cn> MIPS: Use arch specific syscall name match function Nandakumar Edamana <nandakumar(a)nandakumar.co.in> libbpf: Fix out-of-bound read Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpuidle: menu: Avoid discarding useful information Waiman Long <longman(a)redhat.com> x86/nmi: Add an emergency handler in nmi_desc & use it in nmi_shootdown_cpus() Andrew Davis <afd(a)ti.com> soc: ti: k3-socinfo: Do not use syscon helper to build regmap Hangbin Liu <liuhangbin(a)gmail.com> bonding: report duplicate MAC address in all situations Arnd Bergmann <arnd(a)arndb.de> net: xgene-v2: remove incorrect ACPI_PTR annotation Philip Yang <Philip.Yang(a)amd.com> drm/amdkfd: KFD release_work possible circular locking Moshe Shemesh <moshe(a)nvidia.com> net/mlx5: Avoid report two health errors on same syndrome Stanimir Varbanov <svarbanov(a)suse.de> PCI: brcmstb: Add a softdep to MIP MSI-X driver Stanimir Varbanov <svarbanov(a)suse.de> PCI: brcmstb: Expand inbound window size up to 64GB Kuhanh Murugasen Krishnan <kuhanh.murugasen.krishnan(a)intel.com> fpga: altera-cvp: Increase credit timeout AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> drm/mediatek: mtk_dpi: Add checks for reg_h_fre_con existence Alexander Stein <alexander.stein(a)ew.tq-group.com> hwmon: (gpio-fan) Add missing mutex locks Breno Leitao <leitao(a)debian.org> x86/bugs: Make spectre user default depend on MITIGATION_SPECTRE_V2 Ahmad Fatoum <a.fatoum(a)pengutronix.de> clk: imx8mp: inform CCF of maximum frequency of clocks Kuniyuki Iwashima <kuniyu(a)amazon.com> ipv4: fib: Move fib_valid_key_len() to rtm_to_fib_config(). Peter Seiderer <ps.report(a)gmx.net> net: pktgen: fix mpls maximum labels list parsing Alexander Sverdlin <alexander.sverdlin(a)siemens.com> net: ethernet: ti: cpsw_new: populate netdev of_node Artur Weber <aweber.kernel(a)gmail.com> pinctrl: bcm281xx: Use "unsigned int" instead of bare "unsigned" Hans Verkuil <hverkuil(a)xs4all.nl> media: cx231xx: set device_caps for 417 Victor Lu <victorchengchi.lu(a)amd.com> drm/amdgpu: Do not program AGP BAR regs under SRIOV in gfxhub_v1_0.c Matthew Wilcox (Oracle) <willy(a)infradead.org> orangefs: Do not truncate file size Ming-Hung Tsai <mtsai(a)redhat.com> dm cache: prevent BUG_ON by blocking retries on failed device resumes Markus Elfring <elfring(a)users.sourceforge.net> media: c8sectpfe: Call of_node_put(i2c_bus) only once in c8sectpfe_probe() Svyatoslav Ryhel <clamor95(a)gmail.com> ARM: tegra: Switch DSI-B clock parent to PLLD on Tegra114 Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> ieee802154: ca8210: Use proper setters and getters for bitwise types Alexandre Belloni <alexandre.belloni(a)bootlin.com> rtc: ds1307: stop disabling alarms on probe Eric Dumazet <edumazet(a)google.com> tcp: bring back NUMA dispersion in inet_ehash_locks_alloc() Andreas Schwab <schwab(a)linux-m68k.org> powerpc/prom_init: Fixup missing #size-cells on PowerBook6,7 Diogo Ivo <diogo.ivo(a)tecnico.ulisboa.pt> arm64: tegra: p2597: Fix gpio for vdd-1v8-dis regulator Willem de Bruijn <willemb(a)google.com> ipv6: save dontfrag in cork Erick Shepherd <erick.shepherd(a)ni.com> mmc: sdhci: Disable SD card clock before changing parameters Ryan Roberts <ryan.roberts(a)arm.com> arm64/mm: Check PUD_TYPE_TABLE in pud_bad() Nicolas Bouchinet <nicolas.bouchinet(a)ssi.gouv.fr> netfilter: conntrack: Bound nf_conntrack sysctl writes Eric Dumazet <edumazet(a)google.com> posix-timers: Add cond_resched() to posix_timer_add() search loop Frediano Ziglio <frediano.ziglio(a)cloud.com> xen: Add support for XenServer 6.1 platform device Mikulas Patocka <mpatocka(a)redhat.com> dm: restrict dm device size to 2^63-512 bytes Seyediman Seyedarab <imandevel(a)gmail.com> kbuild: fix argument parsing in scripts/config Alexandre Belloni <alexandre.belloni(a)bootlin.com> rtc: rv3032: fix EERD location Ilpo Järvinen <ij(a)kernel.org> tcp: reorganize tcp_in_ack_event() and tcp_count_delivered() Kai Mäkisara <Kai.Makisara(a)kolumbus.fi> scsi: st: ERASE does not change tape location Kai Mäkisara <Kai.Makisara(a)kolumbus.fi> scsi: st: Tighten the page format heuristics with MODE SELECT Christian Göttsche <cgzones(a)googlemail.com> ext4: reorder capability check last Tiwei Bie <tiwei.btw(a)antgroup.com> um: Update min_low_pfn to match changes in uml_reserved Benjamin Berg <benjamin(a)sipsolutions.net> um: Store full CSGSFS and SS register from mcontext Nick Hu <nick.hu(a)sifive.com> clocksource/drivers/timer-riscv: Stop stimecmp when cpu hotplug Filipe Manana <fdmanana(a)suse.com> btrfs: send: return -ENAMETOOLONG when attempting a path that is too long Mark Harmstone <maharmstone(a)fb.com> btrfs: avoid linker error in btrfs_find_create_tree_block() Vitalii Mordan <mordan(a)ispras.ru> i2c: pxa: fix call balance of i2c->clk handling routines Stephan Gerhold <stephan.gerhold(a)kernkonzept.com> i2c: qup: Vote for interconnect bandwidth to DRAM Erick Shepherd <erick.shepherd(a)ni.com> mmc: host: Wait for Vdd to settle on card power off Robert Richter <rrichter(a)amd.com> libnvdimm/labels: Fix divide error in nd_label_data_init() Trond Myklebust <trond.myklebust(a)hammerspace.com> pNFS/flexfiles: Report ENETDOWN as a connection error Ian Rogers <irogers(a)google.com> tools/build: Don't pass test log files to linker Jing Su <jingsusu(a)didiglobal.com> dql: Fix dql->limit value when reset. Alice Guo <alice.guo(a)nxp.com> thermal/drivers/qoriq: Power down TMU on system suspend Trond Myklebust <trond.myklebust(a)hammerspace.com> SUNRPC: rpcbind should never reset the port to the value '0' Trond Myklebust <trond.myklebust(a)hammerspace.com> SUNRPC: rpc_clnt_set_transport() must not change the autobind setting Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Treat ENETUNREACH errors as fatal for state recovery Zsolt Kajtar <soci(a)c64.rulez.org> fbdev: core: tileblit: Implement missing margin clearing for tileblit Zsolt Kajtar <soci(a)c64.rulez.org> fbcon: Use correct erase colour for clearing in fbcon Shixiong Ou <oushixiong(a)kylinos.cn> fbdev: fsl-diu-fb: add missing device_remove_file() Tudor Ambarus <tudor.ambarus(a)linaro.org> mailbox: use error ret code of of_parse_phandle_with_args() Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Check for delegation validity in nfs_start_delegation_return_locked() Daniel Gomez <da.gomez(a)samsung.com> kconfig: merge_config: use an empty file as initfile gaoxu <gaoxu2(a)honor.com> cgroup: Fix compilation issue due to cgroup_mutex not being exported Marek Szyprowski <m.szyprowski(a)samsung.com> dma-mapping: avoid potential unused data compilation warning Dmitry Bogdanov <d.bogdanov(a)yadro.com> scsi: target: iscsi: Fix timeout on deleted connection Alexander Lobakin <alexandr.lobakin(a)intel.com> ice: arfs: fix use-after-free when freeing @rx_cpu_rmap Florian Westphal <fw(a)strlen.de> netfilter: nf_tables: do not defer rule destruction via call_rcu Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: wait for rcu grace period on net_device removal Florian Westphal <fw(a)strlen.de> netfilter: nf_tables: pass nft_chain to destroy function, not nft_ctx Filipe Manana <fdmanana(a)suse.com> btrfs: don't BUG_ON() when 0 reference count at btrfs_lookup_extent_info() Feng Tang <feng.tang(a)linux.alibaba.com> selftests/mm: compaction_test: support platform with huge mount of memory GONG Ruiqi <gongruiqi1(a)huawei.com> usb: typec: fix pm usage counter imbalance in ucsi_ccg_sync_control() Dan Carpenter <dan.carpenter(a)linaro.org> usb: typec: fix potential array underflow in ucsi_ccg_sync_control() RD Babiera <rdbabiera(a)google.com> usb: typec: altmodes/displayport: create sysfs nodes as driver's default device attribute group Zack Rusin <zack.rusin(a)broadcom.com> drm/vmwgfx: Fix a deadlock in dma buf fence polling Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> ASoC: q6afe-clocks: fix reprobing of the driver Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> clocksource/i8253: Use raw_spinlock_irqsave() in clockevent_i8253_disable() Yemike Abhilash Chandra <y-abhilashchandra(a)ti.com> dmaengine: ti: k3-udma: Use cap_mask directly from dma_device structure instead of a local copy Ronald Wahl <ronald.wahl(a)legrand.com> dmaengine: ti: k3-udma: Add missing locking Fedor Pchelkin <pchelkin(a)ispras.ru> wifi: mt76: disable napi on driver removal Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> phy: renesas: rcar-gen3-usb2: Set timing registers only once Ma Ke <make24(a)iscas.ac.cn> phy: Fix error handling in tegra_xusb_port_init Steven Rostedt <rostedt(a)goodmis.org> tracing: samples: Initialize trace_array_printk() with the correct function Wentao Liang <vulab(a)iscas.ac.cn> ALSA: es1968: Add error handling for snd_pcm_hw_constraint_pow2() Jeremy Linton <jeremy.linton(a)arm.com> ACPI: PPTT: Fix processor subtable walk Nathan Lynch <nathan.lynch(a)amd.com> dmaengine: Revert "dmaengine: dmatest: Fix dmatest waiting less when interrupted" Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4/pnfs: Reset the layout state after a layoutreturn Abdun Nihaal <abdun.nihaal(a)gmail.com> qlcnic: fix memory leak in qlcnic_sriov_channel_cfg_cmd() Geert Uytterhoeven <geert+renesas(a)glider.be> ALSA: sh: SND_AICA should depend on SH_DMA_API Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: sja1105: discard incoming frames in BR_STATE_LISTENING Mathieu Othacehe <othacehe(a)gnu.org> net: cadence: macb: Fix a possible deadlock in macb_halt_tx. Cong Wang <xiyou.wangcong(a)gmail.com> net_sched: Flush gso_skb list too during ->change() Geert Uytterhoeven <geert+renesas(a)glider.be> spi: loopback-test: Do not split 1024-byte hexdumps Li Lingfeng <lilingfeng3(a)huawei.com> nfs: handle failure of nfs_get_lock_context in unlock path Zhu Yanjun <yanjun.zhu(a)linux.dev> RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug David Lechner <dlechner(a)baylibre.com> iio: chemical: sps30: use aligned_s64 for timestamp Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: adc: ad7768-1: Fix insufficient alignment of timestamp. Hans de Goede <hdegoede(a)redhat.com> platform/x86: asus-wmi: Fix wlan_ctrl_by_user detection Al Viro <viro(a)zeniv.linux.org.uk> do_umount(): add missing barrier before refcount checks in sync case Daniel Wagner <wagi(a)kernel.org> nvme: unblock ctrl state transition for firmware update Kevin Baker <kevinb(a)ventureresearch.com> drm/panel: simple: Update timings for AUO G101EVN010 Thorsten Blum <thorsten.blum(a)linux.dev> MIPS: Fix MAX_REG_OFFSET Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: adc: dln2: Use aligned_s64 for timestamp Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> types: Complement the aligned types with signed 64-bit one Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous generic_read ioctl return Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous wait_srq ioctl return Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous get_stb ioctl error returns Oliver Neukum <oneukum(a)suse.com> USB: usbtmc: use interruptible sleep in usbtmc_read Andrei Kuchynski <akuchynski(a)chromium.org> usb: typec: ucsi: displayport: Fix NULL pointer access RD Babiera <rdbabiera(a)google.com> usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition Jim Lin <jilin(a)nvidia.com> usb: host: tegra: Prevent host controller crash when OTG port is used Wayne Chang <waynec(a)nvidia.com> usb: gadget: tegra-xudc: ACK ST_RC after clearing CTRL_RUN Jan Kara <jack(a)suse.cz> ocfs2: stop quota recovery before disabling quotas Jan Kara <jack(a)suse.cz> ocfs2: implement handshaking with ocfs2 recovery thread Jan Kara <jack(a)suse.cz> ocfs2: switch osb->disable_recovery to enum Dmitry Antipov <dmantipov(a)yandex.ru> module: ensure that kobject_put() is safe for module type kobjects Jason Andryuk <jason.andryuk(a)amd.com> xenbus: Use kref to track req lifetime Alexey Charkov <alchark(a)gmail.com> usb: uhci-platform: Make the clock really optional Silvano Seva <s.seva(a)4sigma.it> iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo Silvano Seva <s.seva(a)4sigma.it> iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo Gabriel Shahrouzi <gshahrouzi(a)gmail.com> iio: adis16201: Correct inclinometer channel resolution Angelo Dureghello <adureghello(a)baylibre.com> iio: adc: ad7606: fix serial register access Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: axis-fifo: Correct handling of tx_fifo_depth for size validation Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: axis-fifo: Remove hardware resets for user errors Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: iio: adc: ad7816: Correct conditional logic for store mode Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: synaptics - enable SMBus for HP Elitebook 850 G1 Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on Dell Precision M3800 Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on Dynabook Portege X30L-G Manuel Fombuena <fombuena(a)outlook.com> Input: synaptics - enable InterTouch on Dynabook Portege X30-D Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix learning on VLAN unaware bridges Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix VLAN ID for untagged vlan on bridge leave Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: allow leaky reserved multicast Jozsef Kadlecsik <kadlec(a)netfilter.org> netfilter: ipset: fix region locking in hash types Oliver Hartkopp <socketcan(a)hartkopp.net> can: gw: fix RCU/BH usage in cgw_create_job() Uladzislau Rezki (Sony) <urezki(a)gmail.com> rcu/kvfree: Add kvfree_rcu_mightsleep() and kfree_rcu_mightsleep() Eric Dumazet <edumazet(a)google.com> can: gw: use call_rcu() instead of costly synchronize_rcu() Eelco Chaudron <echaudro(a)redhat.com> openvswitch: Fix unsafe attribute parsing in output_userspace() Marc Kleine-Budde <mkl(a)pengutronix.de> can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls Mike Christie <michael.christie(a)oracle.com> scsi: target: Fix WRITE_SAME No Data Buffer crash Tudor Ambarus <tudor.ambarus(a)linaro.org> dm: fix copying after src array boundaries Fedor Pchelkin <pchelkin(a)ispras.ru> usb: chipidea: ci_hdrc_imx: implement usb_phy_init() error handling Alexander Stein <alexander.stein(a)ew.tq-group.com> usb: chipidea: ci_hdrc_imx: use dev_err_probe() Suzuki K Poulose <suzuki.poulose(a)arm.com> irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode() Thomas Gleixner <tglx(a)linutronix.de> irqchip/gic-v2m: Mark a few functions __init Xiang wangx <wangxiang(a)cdjrlc.com> irqchip/gic-v2m: Add const to of_device_id Christian Hewitt <christianshewitt(a)gmail.com> Revert "drm/meson: vclk: fix calculation of 59.94 fractional rates" Fiona Klute <fiona.klute(a)gmx.de> net: phy: microchip: force IRQ polling mode for lan88xx Ioana Ciornei <ioana.ciornei(a)nxp.com> net: phy: microchip: remove the use of .ack_interrupt() Ioana Ciornei <ioana.ciornei(a)nxp.com> net: phy: microchip: implement generic .handle_interrupt() callback Sergey Shtylyov <s.shtylyov(a)omp.ru> of: module: add buffer overflow check in of_modalias() Richard Zhu <hongxing.zhu(a)nxp.com> PCI: imx6: Skip controller_id generation logic for i.MX7D Mattias Barthel <mattias.barthel(a)atlascopco.com> net: fec: ERR007885 Workaround for conventional TX Thangaraj Samynathan <thangaraj.s(a)microchip.com> net: lan743x: Fix memleak issue when GSO enabled Michael Liang <mliang(a)purestorage.com> nvme-tcp: fix premature queue removal and I/O failover Michael Chan <michael.chan(a)broadcom.com> bnxt_en: Fix ethtool -d byte order for 32-bit values Felix Fietkau <nbd(a)nbd.name> net: ipv6: fix UDPv6 GSO segmentation with NAT Simon Horman <horms(a)kernel.org> net: dlink: Correct endianness handling of led_mode Victor Nogueira <victor(a)mojatatu.com> net_sched: qfq: Fix double list add in class with netem as child qdisc Victor Nogueira <victor(a)mojatatu.com> net_sched: ets: Fix double list add in class with netem as child qdisc Victor Nogueira <victor(a)mojatatu.com> net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc Victor Nogueira <victor(a)mojatatu.com> net_sched: drr: Fix double list add in class with netem as child qdisc Chris Mi <cmi(a)nvidia.com> net/mlx5: E-switch, Fix error handling for enabling roce Wenpeng Liang <liangwenpeng(a)huawei.com> net/mlx5: Remove return statement exist at the end of void function Maor Gottlieb <maorg(a)nvidia.com> net/mlx5: E-Switch, Initialize MAC Address for Default GID Jakub Kicinski <kuba(a)kernel.org> net/sched: act_mirred: don't override retval if we already lost the skb Jeongjun Park <aha310510(a)gmail.com> tracing: Fix oob write in trace_seq_to_buffer() Mingcong Bai <jeffbai(a)aosc.io> iommu/vt-d: Apply quirk_iommu_igfx for 8086:0044 (QM57/QS57) Pavel Paklov <Pavel.Paklov(a)cyberprotect.ru> iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid Benjamin Marzinski <bmarzins(a)redhat.com> dm: always update the array size in realloc_argv on success Mikulas Patocka <mpatocka(a)redhat.com> dm-integrity: fix a warning on invalid table line Wentao Liang <vulab(a)iscas.ac.cn> wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() Ruslan Piasetskyi <ruslan.piasetskyi(a)gmail.com> mmc: renesas_sdhi: Fix error handling in renesas_sdhi_probe Vishal Badole <Vishal.Badole(a)amd.com> amd-xgbe: Fix to ensure dependent features are toggled with RX checksum offload Helge Deller <deller(a)gmx.de> parisc: Fix double SIGFPE crash Clark Wang <xiaoning.wang(a)nxp.com> i2c: imx-lpi2c: Fix clock count when probe defers Niravkumar L Rabara <niravkumar.l.rabara(a)altera.com> EDAC/altera: Set DDR and SDMMC interrupt mask before registration Niravkumar L Rabara <niravkumar.l.rabara(a)altera.com> EDAC/altera: Test the correct error reg offset Philipp Stanner <phasta(a)kernel.org> drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill() Joachim Priesner <joachim.priesner(a)web.de> ALSA: usb-audio: Add second USB ID for Jabra Evolve 65 headset ------------- Diffstat: Documentation/admin-guide/kernel-parameters.txt | 2 + Makefile | 16 +- arch/arm/boot/dts/tegra114.dtsi | 2 +- arch/arm64/boot/dts/nvidia/tegra210-p2597.dtsi | 2 +- arch/arm64/include/asm/pgtable.h | 3 +- arch/mips/include/asm/ftrace.h | 16 ++ arch/mips/include/asm/ptrace.h | 3 +- arch/mips/kernel/pm-cps.c | 30 +-- arch/parisc/math-emu/driver.c | 16 +- arch/powerpc/kernel/prom_init.c | 4 +- arch/um/Makefile | 1 + arch/um/kernel/mem.c | 1 + arch/x86/events/amd/ibs.c | 3 +- arch/x86/include/asm/nmi.h | 2 + arch/x86/include/asm/perf_event.h | 1 + arch/x86/kernel/cpu/bugs.c | 10 +- arch/x86/kernel/nmi.c | 42 +++++ arch/x86/kernel/reboot.c | 10 +- arch/x86/um/os-Linux/mcontext.c | 3 +- crypto/algif_hash.c | 4 - drivers/acpi/Kconfig | 2 +- drivers/acpi/hed.c | 7 +- drivers/acpi/pptt.c | 11 +- drivers/char/tpm/tpm_tis_core.h | 2 +- drivers/clk/imx/clk-imx8mp.c | 151 +++++++++++++++ drivers/clocksource/i8253.c | 6 +- drivers/clocksource/mips-gic-timer.c | 6 +- drivers/clocksource/timer-riscv.c | 6 + drivers/cpuidle/governors/menu.c | 13 +- drivers/dma/dmatest.c | 6 +- drivers/dma/ti/k3-udma.c | 10 +- drivers/edac/altera_edac.c | 9 +- drivers/edac/altera_edac.h | 2 + drivers/edac/ie31200_edac.c | 28 ++- drivers/fpga/altera-cvp.c | 2 +- drivers/gpu/drm/amd/amdgpu/gfxhub_v1_0.c | 10 +- drivers/gpu/drm/amd/amdkfd/kfd_process.c | 16 +- drivers/gpu/drm/amd/display/dc/core/dc.c | 1 + drivers/gpu/drm/ast/ast_mode.c | 10 +- drivers/gpu/drm/drm_atomic_helper.c | 28 +++ drivers/gpu/drm/drm_edid.c | 1 + drivers/gpu/drm/i915/gvt/opregion.c | 8 +- drivers/gpu/drm/mediatek/mtk_dpi.c | 5 +- drivers/gpu/drm/meson/meson_vclk.c | 6 +- drivers/gpu/drm/nouveau/nouveau_fence.c | 2 +- drivers/gpu/drm/panel/panel-simple.c | 25 +-- drivers/gpu/drm/vmwgfx/vmwgfx_fence.c | 17 +- drivers/hid/hid-ids.h | 4 + drivers/hid/hid-quirks.c | 2 + drivers/hid/usbhid/usbkbd.c | 2 +- drivers/hwmon/gpio-fan.c | 16 +- drivers/hwmon/xgene-hwmon.c | 2 +- drivers/i2c/busses/i2c-imx-lpi2c.c | 4 +- drivers/i2c/busses/i2c-pxa.c | 5 +- drivers/i2c/busses/i2c-qup.c | 36 ++++ drivers/iio/accel/adis16201.c | 4 +- drivers/iio/adc/ad7606_spi.c | 2 +- drivers/iio/adc/ad7768-1.c | 2 +- drivers/iio/adc/dln2-adc.c | 2 +- drivers/iio/chemical/sps30.c | 2 +- drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c | 6 + drivers/infiniband/sw/rxe/rxe_cq.c | 5 +- drivers/input/mouse/synaptics.c | 5 + drivers/iommu/amd/init.c | 8 + drivers/iommu/intel/iommu.c | 4 +- drivers/irqchip/irq-gic-v2m.c | 8 +- drivers/mailbox/mailbox.c | 7 +- drivers/md/dm-cache-target.c | 24 +++ drivers/md/dm-integrity.c | 2 +- drivers/md/dm-table.c | 9 +- .../media/platform/sti/c8sectpfe/c8sectpfe-core.c | 3 +- drivers/media/usb/cx231xx/cx231xx-417.c | 2 + drivers/media/v4l2-core/v4l2-subdev.c | 2 + drivers/mmc/host/renesas_sdhi_core.c | 10 +- drivers/mmc/host/sdhci-pci-core.c | 6 +- drivers/mmc/host/sdhci.c | 9 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/can/c_can/c_can_platform.c | 2 +- drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 2 +- drivers/net/dsa/b53/b53_common.c | 11 +- drivers/net/dsa/sja1105/sja1105_main.c | 6 +- drivers/net/ethernet/amd/xgbe/xgbe-desc.c | 9 +- drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 24 ++- drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 11 +- drivers/net/ethernet/amd/xgbe/xgbe.h | 4 + drivers/net/ethernet/apm/xgene-v2/main.c | 4 +- drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 36 +++- drivers/net/ethernet/cadence/macb_main.c | 19 +- drivers/net/ethernet/dlink/dl2k.c | 2 +- drivers/net/ethernet/dlink/dl2k.h | 2 +- drivers/net/ethernet/freescale/fec_main.c | 7 +- drivers/net/ethernet/intel/ice/ice_arfs.c | 9 +- drivers/net/ethernet/intel/ice/ice_lib.c | 5 +- drivers/net/ethernet/intel/ice/ice_main.c | 20 +- drivers/net/ethernet/mellanox/mlx4/alloc.c | 6 +- drivers/net/ethernet/mellanox/mlx4/en_tx.c | 2 + drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 5 + .../net/ethernet/mellanox/mlx5/core/en_selftest.c | 3 + .../ethernet/mellanox/mlx5/core/eswitch_offloads.c | 5 +- drivers/net/ethernet/mellanox/mlx5/core/events.c | 11 +- drivers/net/ethernet/mellanox/mlx5/core/health.c | 1 + drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c | 1 - drivers/net/ethernet/mellanox/mlx5/core/rdma.c | 12 +- drivers/net/ethernet/mellanox/mlx5/core/rdma.h | 4 +- drivers/net/ethernet/microchip/lan743x_main.c | 8 +- drivers/net/ethernet/microchip/lan743x_main.h | 1 + .../ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 7 +- drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c | 2 +- drivers/net/ethernet/ti/cpsw_new.c | 1 + drivers/net/ieee802154/ca8210.c | 9 +- drivers/net/phy/microchip.c | 30 +-- drivers/net/phy/microchip_t1.c | 28 ++- drivers/net/vxlan/vxlan_core.c | 18 +- .../net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 6 +- drivers/net/wireless/mediatek/mt76/dma.c | 1 + drivers/net/wireless/realtek/rtw88/main.c | 40 ++-- drivers/net/wireless/realtek/rtw88/reg.h | 3 +- drivers/net/wireless/realtek/rtw88/rtw8822b.c | 14 +- drivers/net/wireless/realtek/rtw88/util.c | 3 +- drivers/nvdimm/label.c | 3 +- drivers/nvme/host/core.c | 3 +- drivers/nvme/host/tcp.c | 31 ++- drivers/nvme/target/tcp.c | 3 + drivers/of/device.c | 7 +- drivers/pci/controller/dwc/pci-imx6.c | 5 +- drivers/pci/controller/pcie-brcmstb.c | 5 +- drivers/pci/setup-bus.c | 6 +- drivers/perf/arm-cmn.c | 2 +- drivers/phy/phy-core.c | 7 +- drivers/phy/renesas/phy-rcar-gen3-usb2.c | 7 +- drivers/phy/tegra/xusb.c | 8 +- drivers/pinctrl/bcm/pinctrl-bcm281xx.c | 44 ++--- drivers/pinctrl/devicetree.c | 10 +- drivers/pinctrl/meson/pinctrl-meson.c | 2 +- drivers/platform/x86/asus-wmi.c | 3 +- drivers/platform/x86/fujitsu-laptop.c | 33 +++- drivers/platform/x86/thinkpad_acpi.c | 7 + drivers/regulator/ad5398.c | 12 +- drivers/rtc/rtc-ds1307.c | 4 +- drivers/rtc/rtc-rv3032.c | 2 +- drivers/scsi/lpfc/lpfc_hbadisc.c | 17 +- drivers/scsi/mpt3sas/mpt3sas_ctl.c | 12 +- drivers/scsi/st.c | 29 ++- drivers/scsi/st.h | 2 + drivers/soc/ti/k3-socinfo.c | 13 +- drivers/spi/spi-fsl-dspi.c | 46 ++++- drivers/spi/spi-loopback-test.c | 2 +- drivers/spi/spi-sun4i.c | 5 +- drivers/spi/spi-zynqmp-gqspi.c | 22 +-- drivers/staging/axis-fifo/axis-fifo.c | 14 +- drivers/staging/iio/adc/ad7816.c | 2 +- drivers/target/iscsi/iscsi_target.c | 2 +- drivers/target/target_core_file.c | 3 + drivers/target/target_core_iblock.c | 4 + drivers/target/target_core_sbc.c | 6 + drivers/thermal/qoriq_thermal.c | 13 ++ drivers/usb/chipidea/ci_hdrc_imx.c | 36 ++-- drivers/usb/class/usbtmc.c | 59 +++--- drivers/usb/gadget/udc/tegra-xudc.c | 4 + drivers/usb/host/uhci-platform.c | 2 +- drivers/usb/host/xhci-tegra.c | 3 + drivers/usb/typec/altmodes/displayport.c | 18 +- drivers/usb/typec/tcpm/tcpm.c | 2 +- drivers/usb/typec/ucsi/displayport.c | 2 + drivers/usb/typec/ucsi/ucsi_ccg.c | 5 + drivers/video/fbdev/core/bitblit.c | 5 +- drivers/video/fbdev/core/fbcon.c | 10 +- drivers/video/fbdev/core/fbcon.h | 38 +--- drivers/video/fbdev/core/fbcon_ccw.c | 5 +- drivers/video/fbdev/core/fbcon_cw.c | 5 +- drivers/video/fbdev/core/fbcon_ud.c | 5 +- drivers/video/fbdev/core/tileblit.c | 45 ++++- drivers/video/fbdev/fsl-diu-fb.c | 1 + drivers/xen/platform-pci.c | 4 + drivers/xen/swiotlb-xen.c | 18 +- drivers/xen/xenbus/xenbus.h | 2 + drivers/xen/xenbus/xenbus_comms.c | 9 +- drivers/xen/xenbus/xenbus_dev_frontend.c | 2 +- drivers/xen/xenbus/xenbus_probe.c | 14 +- drivers/xen/xenbus/xenbus_xs.c | 18 +- fs/btrfs/extent-tree.c | 25 ++- fs/btrfs/extent_io.c | 7 +- fs/btrfs/send.c | 6 +- fs/cifs/readdir.c | 7 +- fs/coredump.c | 81 +++++++- fs/ext4/balloc.c | 4 +- fs/namespace.c | 9 +- fs/nfs/delegation.c | 3 +- fs/nfs/filelayout/filelayoutdev.c | 6 +- fs/nfs/flexfilelayout/flexfilelayout.c | 1 + fs/nfs/flexfilelayout/flexfilelayoutdev.c | 6 +- fs/nfs/nfs4proc.c | 9 +- fs/nfs/nfs4state.c | 10 +- fs/nfs/pnfs.c | 9 + fs/nfs/pnfs.h | 4 +- fs/nfs/pnfs_nfs.c | 9 +- fs/ocfs2/journal.c | 80 +++++--- fs/ocfs2/journal.h | 1 + fs/ocfs2/ocfs2.h | 17 +- fs/ocfs2/quota_local.c | 9 +- fs/ocfs2/super.c | 3 + fs/orangefs/inode.c | 7 +- include/drm/drm_atomic.h | 23 ++- include/linux/binfmts.h | 1 + include/linux/dma-mapping.h | 12 +- include/linux/ipv6.h | 1 + include/linux/mlx4/device.h | 2 +- include/linux/pid.h | 1 + include/linux/rcupdate.h | 3 + include/linux/rcutree.h | 2 +- include/linux/tpm.h | 2 +- include/linux/types.h | 3 +- include/media/v4l2-subdev.h | 4 +- include/net/netfilter/nf_tables.h | 2 +- include/net/sch_generic.h | 15 ++ include/sound/pcm.h | 2 + include/trace/events/btrfs.h | 2 +- include/uapi/linux/types.h | 1 + kernel/cgroup/cgroup.c | 2 +- kernel/fork.c | 98 ++++++++-- kernel/padata.c | 3 +- kernel/params.c | 4 +- kernel/rcu/tree_plugin.h | 11 +- kernel/time/posix-timers.c | 1 + kernel/trace/trace.c | 5 +- lib/dynamic_queue_limits.c | 2 +- mm/memcontrol.c | 6 +- mm/page_alloc.c | 8 + net/bridge/br_nf_core.c | 7 +- net/bridge/br_private.h | 1 + net/can/bcm.c | 79 +++++--- net/can/gw.c | 167 +++++++++------- net/core/pktgen.c | 13 +- net/ipv4/fib_frontend.c | 18 +- net/ipv4/fib_rules.c | 4 +- net/ipv4/fib_trie.c | 22 --- net/ipv4/inet_hashtables.c | 37 ++-- net/ipv4/tcp_input.c | 56 +++--- net/ipv4/udp_offload.c | 61 +++++- net/ipv6/fib6_rules.c | 4 +- net/ipv6/ip6_output.c | 9 +- net/llc/af_llc.c | 8 +- net/netfilter/ipset/ip_set_hash_gen.h | 2 +- net/netfilter/nf_conntrack_standalone.c | 12 +- net/netfilter/nf_tables_api.c | 54 ++++-- net/netfilter/nft_immediate.c | 2 +- net/openvswitch/actions.c | 3 +- net/sched/act_mirred.c | 22 ++- net/sched/sch_codel.c | 2 +- net/sched/sch_drr.c | 9 +- net/sched/sch_ets.c | 9 +- net/sched/sch_fq.c | 2 +- net/sched/sch_fq_codel.c | 2 +- net/sched/sch_fq_pie.c | 2 +- net/sched/sch_hfsc.c | 15 +- net/sched/sch_hhf.c | 2 +- net/sched/sch_pie.c | 2 +- net/sched/sch_qfq.c | 11 +- net/sunrpc/clnt.c | 3 - net/sunrpc/rpcb_clnt.c | 5 +- net/tipc/crypto.c | 5 + net/xfrm/xfrm_policy.c | 3 + net/xfrm/xfrm_state.c | 3 + samples/ftrace/sample-trace-array.c | 2 +- scripts/config | 26 ++- scripts/kconfig/merge_config.sh | 4 +- security/smack/smackfs.c | 4 + sound/core/oss/pcm_oss.c | 3 +- sound/core/pcm_native.c | 11 ++ sound/pci/es1968.c | 6 +- sound/pci/hda/patch_realtek.c | 42 +++++ sound/sh/Kconfig | 2 +- sound/soc/codecs/tas2764.c | 51 +++-- sound/soc/intel/boards/bytcr_rt5640.c | 13 ++ sound/soc/qcom/qdsp6/q6afe-clocks.c | 209 +++++++++++---------- sound/soc/qcom/qdsp6/q6afe.c | 2 +- sound/soc/qcom/qdsp6/q6afe.h | 2 +- sound/soc/soc-dai.c | 8 +- sound/soc/soc-ops.c | 29 ++- sound/usb/format.c | 3 +- tools/bpf/bpftool/common.c | 3 +- tools/build/Makefile.build | 6 +- tools/lib/bpf/libbpf.c | 2 +- tools/testing/selftests/vm/compaction_test.c | 19 +- 284 files changed, 2415 insertions(+), 1075 deletions(-)

1 month

7
285
0 0

[PATCH v3 02/11] platform/x86/intel/pmt: crashlog binary file endpoint

by Michael J. Ruhl

Usage of the intel_pmt_read() for binary sysfs, requires an allocated endpoint struct. The crashlog driver does not allocate the endpoint. Without the ep, the crashlog usage causes the following NULL pointer exception: BUG: kernel NULL pointer dereference, address: 0000000000000000 Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:intel_pmt_read+0x3b/0x70 [pmt_class] Code: Call Trace: <TASK> ? sysfs_kf_bin_read+0xc0/0xe0 kernfs_fop_read_iter+0xac/0x1a0 vfs_read+0x26d/0x350 ksys_read+0x6b/0xe0 __x64_sys_read+0x1d/0x30 x64_sys_call+0x1bc8/0x1d70 do_syscall_64+0x6d/0x110 Add the endpoint information to the crashlog driver to avoid the NULL pointer exception. Fixes: 416eeb2e1fc7 ("platform/x86/intel/pmt: telemetry: Export API to read telemetry") Cc: <stable(a)vger.kernel.org> Signed-off-by: Michael J. Ruhl <michael.j.ruhl(a)intel.com> --- drivers/platform/x86/intel/pmt/crashlog.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/platform/x86/intel/pmt/crashlog.c b/drivers/platform/x86/intel/pmt/crashlog.c index 6a9eb3c4b313..74ce199e59f0 100644 --- a/drivers/platform/x86/intel/pmt/crashlog.c +++ b/drivers/platform/x86/intel/pmt/crashlog.c @@ -252,6 +252,7 @@ static struct intel_pmt_namespace pmt_crashlog_ns = { .xa = &crashlog_array, .attr_grp = &pmt_crashlog_group, .pmt_header_decode = pmt_crashlog_header_decode, + .pmt_add_endpoint = intel_pmt_add_endpoint, }; /* @@ -262,8 +263,12 @@ static void pmt_crashlog_remove(struct auxiliary_device *auxdev) struct pmt_crashlog_priv *priv = auxiliary_get_drvdata(auxdev); int i; - for (i = 0; i < priv->num_entries; i++) - intel_pmt_dev_destroy(&priv->entry[i].entry, &pmt_crashlog_ns); + for (i = 0; i < priv->num_entries; i++) { + struct intel_pmt_entry *entry = &priv->entry[i].entry; + + intel_pmt_release_endpoint(entry->ep); + intel_pmt_dev_destroy(entry, &pmt_crashlog_ns); + } } static int pmt_crashlog_probe(struct auxiliary_device *auxdev, -- 2.49.0

1 month

2
1
0 0

[PATCH RESEND 3/3] HID: wacom: fix kobject reference count leak

by Qasim Ijaz

When sysfs_create_files() fails in wacom_initialize_remotes() the error is returned and the cleanup action will not have been registered yet. As a result the kobject��s refcount is never dropped, so the kobject can never be freed leading to a reference leak. Fix this by calling kobject_put() before returning. Fixes: 83e6b40e2de6 ("HID: wacom: EKR: have the wacom resources dynamically allocated") Acked-by: Ping Cheng <ping.cheng(a)wacom.com> Cc: stable(a)vger.kernel.org Signed-off-by: Qasim Ijaz <qasdev00(a)gmail.com> --- drivers/hid/wacom_sys.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c index 58cbd43a37e9..1257131b1e34 100644 --- a/drivers/hid/wacom_sys.c +++ b/drivers/hid/wacom_sys.c @@ -2059,6 +2059,7 @@ static int wacom_initialize_remotes(struct wacom *wacom) hid_err(wacom->hdev, "cannot create sysfs group err: %d\n", error); kfifo_free(&remote->remote_fifo); + kobject_put(remote->remote_dir); return error; } -- 2.39.5

1 month

1
0
0 0

[PATCH RESEND 2/3] HID: wacom: fix memory leak on sysfs attribute creation failure

by Qasim Ijaz

When sysfs_create_files() fails during wacom_initialize_remotes() the fifo buffer is not freed leading to a memory leak. Fix this by calling kfifo_free() before returning. Fixes: 83e6b40e2de6 ("HID: wacom: EKR: have the wacom resources dynamically allocated") Reviewed-by: Ping Cheng <ping.cheng(a)wacom.com> Cc: stable(a)vger.kernel.org Signed-off-by: Qasim Ijaz <qasdev00(a)gmail.com> --- drivers/hid/wacom_sys.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c index ec5282bc69d6..58cbd43a37e9 100644 --- a/drivers/hid/wacom_sys.c +++ b/drivers/hid/wacom_sys.c @@ -2058,6 +2058,7 @@ static int wacom_initialize_remotes(struct wacom *wacom) if (error) { hid_err(wacom->hdev, "cannot create sysfs group err: %d\n", error); + kfifo_free(&remote->remote_fifo); return error; } -- 2.39.5

1 month

1
0
0 0

[PATCH RESEND 1/3] HID: wacom: fix memory leak on kobject creation failure

by Qasim Ijaz

During wacom_initialize_remotes() a fifo buffer is allocated with kfifo_alloc() and later a cleanup action is registered during devm_add_action_or_reset() to clean it up. However if the code fails to create a kobject and register it with sysfs the code simply returns -ENOMEM before the cleanup action is registered leading to a memory leak. Fix this by ensuring the fifo is freed when the kobject creation and registration process fails. Fixes: 83e6b40e2de6 ("HID: wacom: EKR: have the wacom resources dynamically allocated") Reviewed-by: Ping Cheng <ping.cheng(a)wacom.com> Cc: stable(a)vger.kernel.org Signed-off-by: Qasim Ijaz <qasdev00(a)gmail.com> --- drivers/hid/wacom_sys.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c index eaf099b2efdb..ec5282bc69d6 100644 --- a/drivers/hid/wacom_sys.c +++ b/drivers/hid/wacom_sys.c @@ -2048,8 +2048,10 @@ static int wacom_initialize_remotes(struct wacom *wacom) remote->remote_dir = kobject_create_and_add("wacom_remote", &wacom->hdev->dev.kobj); - if (!remote->remote_dir) + if (!remote->remote_dir) { + kfifo_free(&remote->remote_fifo); return -ENOMEM; + } error = sysfs_create_files(remote->remote_dir, remote_unpair_attrs); -- 2.39.5

1 month

1
0
0 0

[PATCH 6.15.y] pinctrl: mediatek: eint: Fix invalid pointer dereference for v1 platforms

by Uwe Kleine-König

From: Nícolas F. R. A. Prado <nfraprado(a)collabora.com> commit 1c9977b263475373b31bbf86af94a5c9ae2be42c upstream. Commit 3ef9f710efcb ("pinctrl: mediatek: Add EINT support for multiple addresses") introduced an access to the 'soc' field of struct mtk_pinctrl in mtk_eint_do_init() and for that an include of pinctrl-mtk-common-v2.h. However, pinctrl drivers relying on the v1 common driver include pinctrl-mtk-common.h instead, which provides another definition of struct mtk_pinctrl that does not contain an 'soc' field. Since mtk_eint_do_init() can be called both by v1 and v2 drivers, it will now try to dereference an invalid pointer when called on v1 platforms. This has been observed on Genio 350 EVK (MT8365), which crashes very early in boot (the kernel trace can only be seen with earlycon). In order to fix this, since 'struct mtk_pinctrl' was only needed to get a 'struct mtk_eint_pin', make 'struct mtk_eint_pin' a parameter of mtk_eint_do_init() so that callers need to supply it, removing mtk_eint_do_init()'s dependency on any particular 'struct mtk_pinctrl'. Fixes: 3ef9f710efcb ("pinctrl: mediatek: Add EINT support for multiple addresses") Suggested-by: AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> Signed-off-by: Nícolas F. R. A. Prado <nfraprado(a)collabora.com> Link: https://lore.kernel.org/20250520-genio-350-eint-null-ptr-deref-fix-v2-1-6a3… Signed-off-by: Linus Walleij <linus.walleij(a)linaro.org> [ukleinek: backport to 6.15.y] Signed-off-by: Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> --- Hello, would be great to have this in 6.15. Further backporting isn't needed as 3ef9f710efcb == v6.15-rc1~106^2 isn't in 6.14. This patch fixes booting on mt8365-evk (and probably a few more machines based on mediatek SoCs. There was an easy conflict with 86dee87f4b2e6ac119b03810e58723d0b27787a4 in drivers/pinctrl/mediatek/mtk-eint.c. Thanks Uwe drivers/pinctrl/mediatek/mtk-eint.c | 26 ++++++++----------- drivers/pinctrl/mediatek/mtk-eint.h | 5 ++-- .../pinctrl/mediatek/pinctrl-mtk-common-v2.c | 2 +- drivers/pinctrl/mediatek/pinctrl-mtk-common.c | 2 +- 4 files changed, 16 insertions(+), 19 deletions(-) diff --git a/drivers/pinctrl/mediatek/mtk-eint.c b/drivers/pinctrl/mediatek/mtk-eint.c index b4eb2beab691..c516c34aaaf6 100644 --- a/drivers/pinctrl/mediatek/mtk-eint.c +++ b/drivers/pinctrl/mediatek/mtk-eint.c @@ -22,7 +22,6 @@ #include <linux/platform_device.h> #include "mtk-eint.h" -#include "pinctrl-mtk-common-v2.h" #define MTK_EINT_EDGE_SENSITIVE 0 #define MTK_EINT_LEVEL_SENSITIVE 1 @@ -505,10 +504,9 @@ int mtk_eint_find_irq(struct mtk_eint *eint, unsigned long eint_n) } EXPORT_SYMBOL_GPL(mtk_eint_find_irq); -int mtk_eint_do_init(struct mtk_eint *eint) +int mtk_eint_do_init(struct mtk_eint *eint, struct mtk_eint_pin *eint_pin) { unsigned int size, i, port, inst = 0; - struct mtk_pinctrl *hw = (struct mtk_pinctrl *)eint->pctl; /* If clients don't assign a specific regs, let's use generic one */ if (!eint->regs) @@ -519,7 +517,15 @@ int mtk_eint_do_init(struct mtk_eint *eint) if (!eint->base_pin_num) return -ENOMEM; - if (eint->nbase == 1) { + if (eint_pin) { + eint->pins = eint_pin; + for (i = 0; i < eint->hw->ap_num; i++) { + inst = eint->pins[i].instance; + if (inst >= eint->nbase) + continue; + eint->base_pin_num[inst]++; + } + } else { size = eint->hw->ap_num * sizeof(struct mtk_eint_pin); eint->pins = devm_kmalloc(eint->dev, size, GFP_KERNEL); if (!eint->pins) @@ -533,16 +539,6 @@ int mtk_eint_do_init(struct mtk_eint *eint) } } - if (hw && hw->soc && hw->soc->eint_pin) { - eint->pins = hw->soc->eint_pin; - for (i = 0; i < eint->hw->ap_num; i++) { - inst = eint->pins[i].instance; - if (inst >= eint->nbase) - continue; - eint->base_pin_num[inst]++; - } - } - eint->pin_list = devm_kmalloc(eint->dev, eint->nbase * sizeof(u16 *), GFP_KERNEL); if (!eint->pin_list) goto err_pin_list; @@ -610,7 +606,7 @@ int mtk_eint_do_init(struct mtk_eint *eint) err_wake_mask: devm_kfree(eint->dev, eint->pin_list); err_pin_list: - if (eint->nbase == 1) + if (!eint_pin) devm_kfree(eint->dev, eint->pins); err_pins: devm_kfree(eint->dev, eint->base_pin_num); diff --git a/drivers/pinctrl/mediatek/mtk-eint.h b/drivers/pinctrl/mediatek/mtk-eint.h index f7f58cca0d5e..23801d4b636f 100644 --- a/drivers/pinctrl/mediatek/mtk-eint.h +++ b/drivers/pinctrl/mediatek/mtk-eint.h @@ -88,7 +88,7 @@ struct mtk_eint { }; #if IS_ENABLED(CONFIG_EINT_MTK) -int mtk_eint_do_init(struct mtk_eint *eint); +int mtk_eint_do_init(struct mtk_eint *eint, struct mtk_eint_pin *eint_pin); int mtk_eint_do_suspend(struct mtk_eint *eint); int mtk_eint_do_resume(struct mtk_eint *eint); int mtk_eint_set_debounce(struct mtk_eint *eint, unsigned long eint_n, @@ -96,7 +96,8 @@ int mtk_eint_set_debounce(struct mtk_eint *eint, unsigned long eint_n, int mtk_eint_find_irq(struct mtk_eint *eint, unsigned long eint_n); #else -static inline int mtk_eint_do_init(struct mtk_eint *eint) +static inline int mtk_eint_do_init(struct mtk_eint *eint, + struct mtk_eint_pin *eint_pin) { return -EOPNOTSUPP; } diff --git a/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c b/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c index d1556b75d9ef..ba13558bfcd7 100644 --- a/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c +++ b/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c @@ -416,7 +416,7 @@ int mtk_build_eint(struct mtk_pinctrl *hw, struct platform_device *pdev) hw->eint->pctl = hw; hw->eint->gpio_xlate = &mtk_eint_xt; - ret = mtk_eint_do_init(hw->eint); + ret = mtk_eint_do_init(hw->eint, hw->soc->eint_pin); if (ret) goto err_free_eint; diff --git a/drivers/pinctrl/mediatek/pinctrl-mtk-common.c b/drivers/pinctrl/mediatek/pinctrl-mtk-common.c index 8596f3541265..7289648eaa02 100644 --- a/drivers/pinctrl/mediatek/pinctrl-mtk-common.c +++ b/drivers/pinctrl/mediatek/pinctrl-mtk-common.c @@ -1039,7 +1039,7 @@ static int mtk_eint_init(struct mtk_pinctrl *pctl, struct platform_device *pdev) pctl->eint->pctl = pctl; pctl->eint->gpio_xlate = &mtk_eint_xt; - return mtk_eint_do_init(pctl->eint); + return mtk_eint_do_init(pctl->eint, NULL); } /* This is used as a common probe function */ -- 2.47.2

1 month

1
0
0 0

[for-linus][PATCH 2/3] ring-buffer: Fix buffer locking in ring_buffer_subbuf_order_set()

by Steven Rostedt

From: Dmitry Antipov <dmantipov(a)yandex.ru> Enlarge the critical section in ring_buffer_subbuf_order_set() to ensure that error handling takes place with per-buffer mutex held, thus preventing list corruption and other concurrency-related issues. Cc: stable(a)vger.kernel.org Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: Tzvetomir Stoyanov <tz.stoyanov(a)gmail.com> Link: https://lore.kernel.org/20250606112242.1510605-1-dmantipov@yandex.ru Reported-by: syzbot+05d673e83ec640f0ced9(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=05d673e83ec640f0ced9 Fixes: f9b94daa542a8 ("ring-buffer: Set new size of the ring buffer sub page") Signed-off-by: Dmitry Antipov <dmantipov(a)yandex.ru> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/ring_buffer.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c index e24509bd0af5..00fc38d70e86 100644 --- a/kernel/trace/ring_buffer.c +++ b/kernel/trace/ring_buffer.c @@ -6795,7 +6795,7 @@ int ring_buffer_subbuf_order_set(struct trace_buffer *buffer, int order) old_size = buffer->subbuf_size; /* prevent another thread from changing buffer sizes */ - mutex_lock(&buffer->mutex); + guard(mutex)(&buffer->mutex); atomic_inc(&buffer->record_disabled); /* Make sure all commits have finished */ @@ -6900,7 +6900,6 @@ int ring_buffer_subbuf_order_set(struct trace_buffer *buffer, int order) } atomic_dec(&buffer->record_disabled); - mutex_unlock(&buffer->mutex); return 0; @@ -6909,7 +6908,6 @@ int ring_buffer_subbuf_order_set(struct trace_buffer *buffer, int order) buffer->subbuf_size = old_size; atomic_dec(&buffer->record_disabled); - mutex_unlock(&buffer->mutex); for_each_buffer_cpu(buffer, cpu) { cpu_buffer = buffer->buffers[cpu]; -- 2.47.2

1 month

1
0
0 0

[for-linus][PATCH 1/3] tracing: Fix regression of filter waiting a long time on RCU synchronization

by Steven Rostedt

From: Steven Rostedt <rostedt(a)goodmis.org> When faultable trace events were added, a trace event may no longer use normal RCU to synchronize but instead used synchronize_rcu_tasks_trace(). This synchronization takes a much longer time to synchronize. The filter logic would free the filters by calling tracepoint_synchronize_unregister() after it unhooked the filter strings and before freeing them. With this function now calling synchronize_rcu_tasks_trace() this increased the time to free a filter tremendously. On a PREEMPT_RT system, it was even more noticeable. # time trace-cmd record -p function sleep 1 [..] real 2m29.052s user 0m0.244s sys 0m20.136s As trace-cmd would clear out all the filters before recording, it could take up to 2 minutes to do a recording of "sleep 1". To find out where the issues was: ~# trace-cmd sqlhist -e -n sched_stack select start.prev_state as state, end.next_comm as comm, TIMESTAMP_DELTA_USECS as delta, start.STACKTRACE as stack from sched_switch as start join sched_switch as end on start.prev_pid = end.next_pid Which will produce the following commands (and -e will also execute them): echo 's:sched_stack s64 state; char comm[16]; u64 delta; unsigned long stack[];' >> /sys/kernel/tracing/dynamic_events echo 'hist:keys=prev_pid:__arg_18057_2=prev_state,__arg_18057_4=common_timestamp.usecs,__arg_18057_7=common_stacktrace' >> /sys/kernel/tracing/events/sched/sched_switch/trigger echo 'hist:keys=next_pid:__state_18057_1=$__arg_18057_2,__comm_18057_3=next_comm,__delta_18057_5=common_timestamp.usecs-$__arg_18057_4,__stack_18057_6=$__arg_18057_7:onmatch(sched.sched_switch).trace(sched_stack,$__state_18057_1,$__comm_18057_3,$__delta_18057_5,$__stack_18057_6)' >> /sys/kernel/tracing/events/sched/sched_switch/trigger The above creates a synthetic event that creates a stack trace when a task schedules out and records it with the time it scheduled back in. Basically the time a task is off the CPU. It also records the state of the task when it left the CPU (running, blocked, sleeping, etc). It also saves the comm of the task as "comm" (needed for the next command). ~# echo 'hist:keys=state,stack.stacktrace:vals=delta:sort=state,delta if comm == "trace-cmd" && state & 3' > /sys/kernel/tracing/events/synthetic/sched_stack/trigger The above creates a histogram with buckets per state, per stack, and the value of the total time it was off the CPU for that stack trace. It filters on tasks with "comm == trace-cmd" and only the sleeping and blocked states (1 - sleeping, 2 - blocked). ~# trace-cmd record -p function sleep 1 ~# cat /sys/kernel/tracing/events/synthetic/sched_stack/hist | tail -18 { state: 2, stack.stacktrace __schedule+0x1545/0x3700 schedule+0xe2/0x390 schedule_timeout+0x175/0x200 wait_for_completion_state+0x294/0x440 __wait_rcu_gp+0x247/0x4f0 synchronize_rcu_tasks_generic+0x151/0x230 apply_subsystem_event_filter+0xa2b/0x1300 subsystem_filter_write+0x67/0xc0 vfs_write+0x1e2/0xeb0 ksys_write+0xff/0x1d0 do_syscall_64+0x7b/0x420 entry_SYSCALL_64_after_hwframe+0x76/0x7e } hitcount: 237 delta: 99756288 <<--------------- Delta is 99 seconds! Totals: Hits: 525 Entries: 21 Dropped: 0 This shows that this particular trace waited for 99 seconds on synchronize_rcu_tasks() in apply_subsystem_event_filter(). In fact, there's a lot of places in the filter code that spends a lot of time waiting for synchronize_rcu_tasks_trace() in order to free the filters. Add helper functions that will use call_rcu*() variants to asynchronously free the filters. This brings the timings back to normal: # time trace-cmd record -p function sleep 1 [..] real 0m14.681s user 0m0.335s sys 0m28.616s And the histogram also shows this: ~# cat /sys/kernel/tracing/events/synthetic/sched_stack/hist | tail -21 { state: 2, stack.stacktrace __schedule+0x1545/0x3700 schedule+0xe2/0x390 schedule_timeout+0x175/0x200 wait_for_completion_state+0x294/0x440 __wait_rcu_gp+0x247/0x4f0 synchronize_rcu_normal+0x3db/0x5c0 tracing_reset_online_cpus+0x8f/0x1e0 tracing_open+0x335/0x440 do_dentry_open+0x4c6/0x17a0 vfs_open+0x82/0x360 path_openat+0x1a36/0x2990 do_filp_open+0x1c5/0x420 do_sys_openat2+0xed/0x180 __x64_sys_openat+0x108/0x1d0 do_syscall_64+0x7b/0x420 } hitcount: 2 delta: 77044 Totals: Hits: 55 Entries: 28 Dropped: 0 Where the total waiting time of synchronize_rcu_tasks_trace() is 77 milliseconds. Cc: stable(a)vger.kernel.org Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: "Paul E. McKenney" <paulmck(a)kernel.org> Cc: "Kiszka, Jan" <jan.kiszka(a)siemens.com> Cc: "Ziegler, Andreas" <ziegler.andreas(a)siemens.com> Cc: "MOESSBAUER, Felix" <felix.moessbauer(a)siemens.com> Link: https://lore.kernel.org/20250605161701.35f7989a@gandalf.local.home Reported-by: "Flot, Julien" <julien.flot(a)siemens.com> Tested-by: Julien Flot <julien.flot(a)siemens.com> Fixes: a363d27cdbc2 ("tracing: Allow system call tracepoints to handle page faults") Closes: https://lore.kernel.org/all/240017f656631c7dd4017aa93d91f41f653788ea.camel@… Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/trace_events_filter.c | 164 ++++++++++++++++++++++------- 1 file changed, 127 insertions(+), 37 deletions(-) diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c index 2048560264bb..3ff782d6b522 100644 --- a/kernel/trace/trace_events_filter.c +++ b/kernel/trace/trace_events_filter.c @@ -1335,6 +1335,74 @@ static void filter_free_subsystem_preds(struct trace_subsystem_dir *dir, } } +struct filter_list { + struct list_head list; + struct event_filter *filter; +}; + +struct filter_head { + struct list_head list; + struct rcu_head rcu; +}; + + +static void free_filter_list(struct rcu_head *rhp) +{ + struct filter_head *filter_list = container_of(rhp, struct filter_head, rcu); + struct filter_list *filter_item, *tmp; + + list_for_each_entry_safe(filter_item, tmp, &filter_list->list, list) { + __free_filter(filter_item->filter); + list_del(&filter_item->list); + kfree(filter_item); + } + kfree(filter_list); +} + +static void free_filter_list_tasks(struct rcu_head *rhp) +{ + call_rcu(rhp, free_filter_list); +} + +/* + * The tracepoint_synchronize_unregister() is a double rcu call. + * It calls synchronize_rcu_tasks_trace() followed by synchronize_rcu(). + * Instead of waiting for it, simply call these via the call_rcu*() + * variants. + */ +static void delay_free_filter(struct filter_head *head) +{ + call_rcu_tasks_trace(&head->rcu, free_filter_list_tasks); +} + +static void try_delay_free_filter(struct event_filter *filter) +{ + struct filter_head *head; + struct filter_list *item; + + head = kmalloc(sizeof(*head), GFP_KERNEL); + if (!head) + goto free_now; + + INIT_LIST_HEAD(&head->list); + + item = kmalloc(sizeof(*item), GFP_KERNEL); + if (!item) { + kfree(head); + goto free_now; + } + + item->filter = filter; + list_add_tail(&item->list, &head->list); + delay_free_filter(head); + return; + + free_now: + /* Make sure the filter is not being used */ + tracepoint_synchronize_unregister(); + __free_filter(filter); +} + static inline void __free_subsystem_filter(struct trace_event_file *file) { __free_filter(file->filter); @@ -1342,15 +1410,53 @@ static inline void __free_subsystem_filter(struct trace_event_file *file) } static void filter_free_subsystem_filters(struct trace_subsystem_dir *dir, - struct trace_array *tr) + struct trace_array *tr, + struct event_filter *filter) { struct trace_event_file *file; + struct filter_head *head; + struct filter_list *item; + + head = kmalloc(sizeof(*head), GFP_KERNEL); + if (!head) + goto free_now; + + INIT_LIST_HEAD(&head->list); + + item = kmalloc(sizeof(*item), GFP_KERNEL); + if (!item) { + kfree(head); + goto free_now; + } + + item->filter = filter; + list_add_tail(&item->list, &head->list); list_for_each_entry(file, &tr->events, list) { if (file->system != dir) continue; - __free_subsystem_filter(file); + item = kmalloc(sizeof(*item), GFP_KERNEL); + if (!item) + goto free_now; + item->filter = file->filter; + list_add_tail(&item->list, &head->list); + file->filter = NULL; + } + + delay_free_filter(head); + return; + free_now: + tracepoint_synchronize_unregister(); + + if (head) + free_filter_list(&head->rcu); + + list_for_each_entry(file, &tr->events, list) { + if (file->system != dir || !file->filter) + continue; + __free_filter(file->filter); } + __free_filter(filter); } int filter_assign_type(const char *type) @@ -2131,11 +2237,6 @@ static inline void event_clear_filter(struct trace_event_file *file) RCU_INIT_POINTER(file->filter, NULL); } -struct filter_list { - struct list_head list; - struct event_filter *filter; -}; - static int process_system_preds(struct trace_subsystem_dir *dir, struct trace_array *tr, struct filter_parse_error *pe, @@ -2144,11 +2245,16 @@ static int process_system_preds(struct trace_subsystem_dir *dir, struct trace_event_file *file; struct filter_list *filter_item; struct event_filter *filter = NULL; - struct filter_list *tmp; - LIST_HEAD(filter_list); + struct filter_head *filter_list; bool fail = true; int err; + filter_list = kmalloc(sizeof(*filter_list), GFP_KERNEL); + if (!filter_list) + return -ENOMEM; + + INIT_LIST_HEAD(&filter_list->list); + list_for_each_entry(file, &tr->events, list) { if (file->system != dir) @@ -2175,7 +2281,7 @@ static int process_system_preds(struct trace_subsystem_dir *dir, if (!filter_item) goto fail_mem; - list_add_tail(&filter_item->list, &filter_list); + list_add_tail(&filter_item->list, &filter_list->list); /* * Regardless of if this returned an error, we still * replace the filter for the call. @@ -2195,31 +2301,22 @@ static int process_system_preds(struct trace_subsystem_dir *dir, * Do a synchronize_rcu() and to ensure all calls are * done with them before we free them. */ - tracepoint_synchronize_unregister(); - list_for_each_entry_safe(filter_item, tmp, &filter_list, list) { - __free_filter(filter_item->filter); - list_del(&filter_item->list); - kfree(filter_item); - } + delay_free_filter(filter_list); return 0; fail: /* No call succeeded */ - list_for_each_entry_safe(filter_item, tmp, &filter_list, list) { - list_del(&filter_item->list); - kfree(filter_item); - } + free_filter_list(&filter_list->rcu); parse_error(pe, FILT_ERR_BAD_SUBSYS_FILTER, 0); return -EINVAL; fail_mem: __free_filter(filter); + /* If any call succeeded, we still need to sync */ if (!fail) - tracepoint_synchronize_unregister(); - list_for_each_entry_safe(filter_item, tmp, &filter_list, list) { - __free_filter(filter_item->filter); - list_del(&filter_item->list); - kfree(filter_item); - } + delay_free_filter(filter_list); + else + free_filter_list(&filter_list->rcu); + return -ENOMEM; } @@ -2361,9 +2458,7 @@ int apply_event_filter(struct trace_event_file *file, char *filter_string) event_clear_filter(file); - /* Make sure the filter is not being used */ - tracepoint_synchronize_unregister(); - __free_filter(filter); + try_delay_free_filter(filter); return 0; } @@ -2387,11 +2482,8 @@ int apply_event_filter(struct trace_event_file *file, char *filter_string) event_set_filter(file, filter); - if (tmp) { - /* Make sure the call is done with the filter */ - tracepoint_synchronize_unregister(); - __free_filter(tmp); - } + if (tmp) + try_delay_free_filter(tmp); } return err; @@ -2417,9 +2509,7 @@ int apply_subsystem_event_filter(struct trace_subsystem_dir *dir, filter = system->filter; system->filter = NULL; /* Ensure all filters are no longer used */ - tracepoint_synchronize_unregister(); - filter_free_subsystem_filters(dir, tr); - __free_filter(filter); + filter_free_subsystem_filters(dir, tr, filter); return 0; } -- 2.47.2

1 month

1
0
0 0

[PATCH 0/2] mm/memory: fix memory tearing on threaded fork

by Jann Horn

The first patch is a fix with an explanation of the issue, you should read that first. The second patch adds a comment to document the rules because figuring this out from scratch causes brain pain. Accidentally hitting this issue and getting negative consequences from it would require several stars to line up just right; but if someone out there is using a malloc() implementation that uses lockless data structures across threads or such, this could actually be a problem. In case someone wants a testcase, here's a very artificial one: ``` #include <pthread.h> #include <err.h> #include <stdio.h> #include <unistd.h> #include <sys/syscall.h> #include <sys/uio.h> #include <sys/mman.h> #include <sys/wait.h> #include <linux/io_uring.h> #define SYSCHK(x) ({ \ typeof(x) __res = (x); \ if (__res == (typeof(x))-1) \ err(1, "SYSCHK(" #x ")"); \ __res; \ }) #define NUM_SQ_PAGES 4 static int uring_init(struct io_uring_sqe **sqesp, void **cqesp) { struct io_uring_sqe *sqes = SYSCHK(mmap(NULL, NUM_SQ_PAGES*0x1000, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1, 0)); void *cqes = SYSCHK(mmap(NULL, NUM_SQ_PAGES*0x1000, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1, 0)); *(volatile unsigned int *)(cqes+4) = 64 * NUM_SQ_PAGES; struct io_uring_params params = { .flags = IORING_SETUP_NO_MMAP|IORING_SETUP_NO_SQARRAY, .sq_off = { .user_addr = (unsigned long)sqes }, .cq_off = { .user_addr = (unsigned long)cqes } }; int uring_fd = SYSCHK(syscall(__NR_io_uring_setup, /*entries=*/10, &params)); if (sqesp) *sqesp = sqes; if (cqesp) *cqesp = cqes; return uring_fd; } static char *bufmem[0x3000] __attribute__((aligned(0x1000))); static void *thread_fn(void *dummy) { unsigned long i = 0; while (1) { *(volatile unsigned long *)(bufmem + 0x0000) = i; *(volatile unsigned long *)(bufmem + 0x0f00) = i; *(volatile unsigned long *)(bufmem + 0x1000) = i; *(volatile unsigned long *)(bufmem + 0x1f00) = i; *(volatile unsigned long *)(bufmem + 0x2000) = i; *(volatile unsigned long *)(bufmem + 0x2f00) = i; i++; } } int main(void) { #if 1 int uring_fd = uring_init(NULL, NULL); struct iovec reg_iov = { .iov_base = bufmem, .iov_len = 0x2000 }; SYSCHK(syscall(__NR_io_uring_register, uring_fd, IORING_REGISTER_BUFFERS, &reg_iov, 1)); #endif pthread_t thread; if (pthread_create(&thread, NULL, thread_fn, NULL)) errx(1, "pthread_create"); sleep(1); int child = SYSCHK(fork()); if (child == 0) { printf("bufmem values:\n"); printf(" 0x0000: 0x%lx\n", *(volatile unsigned long *)(bufmem + 0x0000)); printf(" 0x0f00: 0x%lx\n", *(volatile unsigned long *)(bufmem + 0x0f00)); printf(" 0x1000: 0x%lx\n", *(volatile unsigned long *)(bufmem + 0x1000)); printf(" 0x1f00: 0x%lx\n", *(volatile unsigned long *)(bufmem + 0x1f00)); printf(" 0x2000: 0x%lx\n", *(volatile unsigned long *)(bufmem + 0x2000)); printf(" 0x2f00: 0x%lx\n", *(volatile unsigned long *)(bufmem + 0x2f00)); return 0; } int wstatus; SYSCHK(wait(&wstatus)); return 0; } ``` Without this series, the child will usually print results that are apart by more than 1, which is not a state that ever occurred in the parent; in my opinion, that counts as a bug. If you change the "#if 1" to "#if 0", the bug won't manifest. Signed-off-by: Jann Horn <jannh(a)google.com> --- Jann Horn (2): mm/memory: ensure fork child sees coherent memory snapshot mm/memory: Document how we make a coherent memory snapshot kernel/fork.c | 34 ++++++++++++++++++++++++++++++++++ mm/memory.c | 18 ++++++++++++++++++ 2 files changed, 52 insertions(+) --- base-commit: 8477ab143069c6b05d6da4a8184ded8b969240f5 change-id: 20250530-fork-tearing-71da211a50cf -- Jann Horn <jannh(a)google.com>

1 month

5
17
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror