- Linux-stable-mirror - lists.linaro.org

+ kasan-refactor-pcpu-kasan-vmalloc-unpoison.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: kasan: refactor pcpu kasan vmalloc unpoison has been added to the -mm mm-hotfixes-unstable branch. Its filename is kasan-refactor-pcpu-kasan-vmalloc-unpoison.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Maciej Wieczor-Retman <maciej.wieczor-retman(a)intel.com> Subject: kasan: refactor pcpu kasan vmalloc unpoison Date: Thu, 04 Dec 2025 19:00:04 +0000 A KASAN tag mismatch, possibly causing a kernel panic, can be observed on systems with a tag-based KASAN enabled and with multiple NUMA nodes. It was reported on arm64 and reproduced on x86. It can be explained in the following points: 1. There can be more than one virtual memory chunk. 2. Chunk's base address has a tag. 3. The base address points at the first chunk and thus inherits the tag of the first chunk. 4. The subsequent chunks will be accessed with the tag from the first chunk. 5. Thus, the subsequent chunks need to have their tag set to match that of the first chunk. Refactor code by reusing __kasan_unpoison_vmalloc in a new helper in preparation for the actual fix. Link: https://lkml.kernel.org/r/eb61d93b907e262eefcaa130261a08bcb6c5ce51.17648745… Signed-off-by: Maciej Wieczor-Retman <maciej.wieczor-retman(a)intel.com> Fixes: 1d96320f8d53 ("kasan, vmalloc: add vmalloc tagging for SW_TAGS") Cc: Alexander Potapenko <glider(a)google.com> Cc: Andrey Konovalov <andreyknvl(a)gmail.com> Cc: Andrey Ryabinin <ryabinin.a.a(a)gmail.com> Cc: Danilo Krummrich <dakr(a)kernel.org> Cc: Dmitriy Vyukov <dvyukov(a)google.com> Cc: Jiayuan Chen <jiayuan.chen(a)linux.dev> Cc: Kees Cook <kees(a)kernel.org> Cc: Marco Elver <elver(a)google.com> Cc: "Uladzislau Rezki (Sony)" <urezki(a)gmail.com> Cc: Vincenzo Frascino <vincenzo.frascino(a)arm.com> Cc: <stable(a)vger.kernel.org> [6.1+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/kasan.h | 15 +++++++++++++++ mm/kasan/common.c | 17 +++++++++++++++++ mm/vmalloc.c | 4 +--- 3 files changed, 33 insertions(+), 3 deletions(-) --- a/include/linux/kasan.h~kasan-refactor-pcpu-kasan-vmalloc-unpoison +++ a/include/linux/kasan.h @@ -615,6 +615,16 @@ static __always_inline void kasan_poison __kasan_poison_vmalloc(start, size); } +void __kasan_unpoison_vmap_areas(struct vm_struct **vms, int nr_vms, + kasan_vmalloc_flags_t flags); +static __always_inline void +kasan_unpoison_vmap_areas(struct vm_struct **vms, int nr_vms, + kasan_vmalloc_flags_t flags) +{ + if (kasan_enabled()) + __kasan_unpoison_vmap_areas(vms, nr_vms, flags); +} + #else /* CONFIG_KASAN_VMALLOC */ static inline void kasan_populate_early_vm_area_shadow(void *start, @@ -639,6 +649,11 @@ static inline void *kasan_unpoison_vmall static inline void kasan_poison_vmalloc(const void *start, unsigned long size) { } +static __always_inline void +kasan_unpoison_vmap_areas(struct vm_struct **vms, int nr_vms, + kasan_vmalloc_flags_t flags) +{ } + #endif /* CONFIG_KASAN_VMALLOC */ #if (defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS)) && \ --- a/mm/kasan/common.c~kasan-refactor-pcpu-kasan-vmalloc-unpoison +++ a/mm/kasan/common.c @@ -28,6 +28,7 @@ #include <linux/string.h> #include <linux/types.h> #include <linux/bug.h> +#include <linux/vmalloc.h> #include "kasan.h" #include "../slab.h" @@ -582,3 +583,19 @@ bool __kasan_check_byte(const void *addr } return true; } + +#ifdef CONFIG_KASAN_VMALLOC +void __kasan_unpoison_vmap_areas(struct vm_struct **vms, int nr_vms, + kasan_vmalloc_flags_t flags) +{ + unsigned long size; + void *addr; + int area; + + for (area = 0 ; area < nr_vms ; area++) { + size = vms[area]->size; + addr = vms[area]->addr; + vms[area]->addr = __kasan_unpoison_vmalloc(addr, size, flags); + } +} +#endif --- a/mm/vmalloc.c~kasan-refactor-pcpu-kasan-vmalloc-unpoison +++ a/mm/vmalloc.c @@ -4872,9 +4872,7 @@ retry: * With hardware tag-based KASAN, marking is skipped for * non-VM_ALLOC mappings, see __kasan_unpoison_vmalloc(). */ - for (area = 0; area < nr_vms; area++) - vms[area]->addr = kasan_unpoison_vmalloc(vms[area]->addr, - vms[area]->size, KASAN_VMALLOC_PROT_NORMAL); + kasan_unpoison_vmap_areas(vms, nr_vms, KASAN_VMALLOC_PROT_NORMAL); kfree(vas); return vms; _ Patches currently in -mm which might be from maciej.wieczor-retman(a)intel.com are kasan-refactor-pcpu-kasan-vmalloc-unpoison.patch kasan-unpoison-vms-addresses-with-a-common-tag.patch

3 days, 15 hours

1
0
0 0

+ mm-kasan-fix-incorrect-unpoisoning-in-vrealloc-for-kasan.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/kasan: fix incorrect unpoisoning in vrealloc for KASAN has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-kasan-fix-incorrect-unpoisoning-in-vrealloc-for-kasan.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Jiayuan Chen <jiayuan.chen(a)linux.dev> Subject: mm/kasan: fix incorrect unpoisoning in vrealloc for KASAN Date: Thu, 04 Dec 2025 18:59:55 +0000 Patch series "kasan: vmalloc: Fixes for the percpu allocator and vrealloc", v3. Patches fix two issues related to KASAN and vmalloc. The first one, a KASAN tag mismatch, possibly resulting in a kernel panic, can be observed on systems with a tag-based KASAN enabled and with multiple NUMA nodes. Initially it was only noticed on x86 [1] but later a similar issue was also reported on arm64 [2]. Specifically the problem is related to how vm_structs interact with pcpu_chunks - both when they are allocated, assigned and when pcpu_chunk addresses are derived. When vm_structs are allocated they are unpoisoned, each with a different random tag, if vmalloc support is enabled along the KASAN mode. Later when first pcpu chunk is allocated it gets its 'base_addr' field set to the first allocated vm_struct. With that it inherits that vm_struct's tag. When pcpu_chunk addresses are later derived (by pcpu_chunk_addr(), for example in pcpu_alloc_noprof()) the base_addr field is used and offsets are added to it. If the initial conditions are satisfied then some of the offsets will point into memory allocated with a different vm_struct. So while the lower bits will get accurately derived the tag bits in the top of the pointer won't match the shadow memory contents. The solution (proposed at v2 of the x86 KASAN series [3]) is to unpoison the vm_structs with the same tag when allocating them for the per cpu allocator (in pcpu_get_vm_areas()). The second one reported by syzkaller [4] is related to vrealloc and happens because of random tag generation when unpoisoning memory without allocating new pages. This breaks shadow memory tracking and needs to reuse the existing tag instead of generating a new one. At the same time an inconsistency in used flags is corrected. This patch (of 3): Syzkaller reported a memory out-of-bounds bug [4]. This patch fixes two issues: 1. In vrealloc the KASAN_VMALLOC_VM_ALLOC flag is missing when unpoisoning the extended region. This flag is required to correctly associate the allocation with KASAN's vmalloc tracking. Note: In contrast, vzalloc (via __vmalloc_node_range_noprof) explicitly sets KASAN_VMALLOC_VM_ALLOC and calls kasan_unpoison_vmalloc() with it. vrealloc must behave consistently -- especially when reusing existing vmalloc regions -- to ensure KASAN can track allocations correctly. 2. When vrealloc reuses an existing vmalloc region (without allocating new pages) KASAN generates a new tag, which breaks tag-based memory access tracking. Introduce KASAN_VMALLOC_KEEP_TAG, a new KASAN flag that allows reusing the tag already attached to the pointer, ensuring consistent tag behavior during reallocation. Pass KASAN_VMALLOC_KEEP_TAG and KASAN_VMALLOC_VM_ALLOC to the kasan_unpoison_vmalloc inside vrealloc_node_align_noprof(). Link: https://lkml.kernel.org/r/38dece0a4074c43e48150d1e242f8242c73bf1a5.17648745… Link: https://lore.kernel.org/all/e7e04692866d02e6d3b32bb43b998e5d17092ba4.173868… [1] Link: https://lore.kernel.org/all/aMUrW1Znp1GEj7St@MiWiFi-R3L-srv/ [2] Link: https://lore.kernel.org/all/CAPAsAGxDRv_uFeMYu9TwhBVWHCCtkSxoWY4xmFB_vowMbi… [3] Link: https://syzkaller.appspot.com/bug?extid=3D997752115a851cb0cf36 [4] Signed-off-by: Jiayuan Chen <jiayuan.chen(a)linux.dev> Co-developed-by: Maciej Wieczor-Retman <maciej.wieczor-retman(a)intel.com> Signed-off-by: Maciej Wieczor-Retman <maciej.wieczor-retman(a)intel.com> Fixes: a0309faf1cb0 ("mm: vmalloc: support more granular vrealloc() sizing" ) Reported-by: syzbot+997752115a851cb0cf36(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/68e243a2.050a0220.1696c6.007d.GAE@google.com/T/ Cc: Alexander Potapenko <glider(a)google.com> Cc: Andrey Konovalov <andreyknvl(a)gmail.com> Cc: Andrey Ryabinin <ryabinin.a.a(a)gmail.com> Cc: Danilo Krummrich <dakr(a)kernel.org> Cc: Dmitriy Vyukov <dvyukov(a)google.com> Cc: Kees Cook <kees(a)kernel.org> Cc: Marco Elver <elver(a)google.com> Cc: "Uladzislau Rezki (Sony)" <urezki(a)gmail.com> Cc: Vincenzo Frascino <vincenzo.frascino(a)arm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/kasan.h | 1 + mm/kasan/hw_tags.c | 2 +- mm/kasan/shadow.c | 4 +++- mm/vmalloc.c | 4 +++- 4 files changed, 8 insertions(+), 3 deletions(-) --- a/include/linux/kasan.h~mm-kasan-fix-incorrect-unpoisoning-in-vrealloc-for-kasan +++ a/include/linux/kasan.h @@ -28,6 +28,7 @@ typedef unsigned int __bitwise kasan_vma #define KASAN_VMALLOC_INIT ((__force kasan_vmalloc_flags_t)0x01u) #define KASAN_VMALLOC_VM_ALLOC ((__force kasan_vmalloc_flags_t)0x02u) #define KASAN_VMALLOC_PROT_NORMAL ((__force kasan_vmalloc_flags_t)0x04u) +#define KASAN_VMALLOC_KEEP_TAG ((__force kasan_vmalloc_flags_t)0x08u) #define KASAN_VMALLOC_PAGE_RANGE 0x1 /* Apply exsiting page range */ #define KASAN_VMALLOC_TLB_FLUSH 0x2 /* TLB flush */ --- a/mm/kasan/hw_tags.c~mm-kasan-fix-incorrect-unpoisoning-in-vrealloc-for-kasan +++ a/mm/kasan/hw_tags.c @@ -361,7 +361,7 @@ void *__kasan_unpoison_vmalloc(const voi return (void *)start; } - tag = kasan_random_tag(); + tag = (flags & KASAN_VMALLOC_KEEP_TAG) ? get_tag(start) : kasan_random_tag(); start = set_tag(start, tag); /* Unpoison and initialize memory up to size. */ --- a/mm/kasan/shadow.c~mm-kasan-fix-incorrect-unpoisoning-in-vrealloc-for-kasan +++ a/mm/kasan/shadow.c @@ -648,7 +648,9 @@ void *__kasan_unpoison_vmalloc(const voi !(flags & KASAN_VMALLOC_PROT_NORMAL)) return (void *)start; - start = set_tag(start, kasan_random_tag()); + if (unlikely(!(flags & KASAN_VMALLOC_KEEP_TAG))) + start = set_tag(start, kasan_random_tag()); + kasan_unpoison(start, size, false); return (void *)start; } --- a/mm/vmalloc.c~mm-kasan-fix-incorrect-unpoisoning-in-vrealloc-for-kasan +++ a/mm/vmalloc.c @@ -4176,7 +4176,9 @@ void *vrealloc_node_align_noprof(const v */ if (size <= alloced_size) { kasan_unpoison_vmalloc(p + old_size, size - old_size, - KASAN_VMALLOC_PROT_NORMAL); + KASAN_VMALLOC_PROT_NORMAL | + KASAN_VMALLOC_VM_ALLOC | + KASAN_VMALLOC_KEEP_TAG); /* * No need to zero memory here, as unused memory will have * already been zeroed at initial allocation time or during _ Patches currently in -mm which might be from jiayuan.chen(a)linux.dev are mm-kasan-fix-incorrect-unpoisoning-in-vrealloc-for-kasan.patch

3 days, 15 hours

1
0
0 0

+ revert-mm-fix-max_folio_order-on-powerpc-configs-with-hugetlb.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: Revert "mm: fix MAX_FOLIO_ORDER on powerpc configs with hugetlb" has been added to the -mm mm-hotfixes-unstable branch. Its filename is revert-mm-fix-max_folio_order-on-powerpc-configs-with-hugetlb.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Shuah Khan <skhan(a)linuxfoundation.org> Subject: Revert "mm: fix MAX_FOLIO_ORDER on powerpc configs with hugetlb" Date: Wed, 3 Dec 2025 19:33:56 -0700 This reverts commit 39231e8d6ba7f794b566fd91ebd88c0834a23b98. Enabling HAVE_GIGANTIC_FOLIOS broke kernel build and git clone on two systems. git fetch-pack fails when cloning large repos and make hangs or errors out of Makefile.build with Error: 139. These failures are random with git clone failing after fetching 1% of the objects, and make hangs while compiling random files. Below is is one of the git clone failures: git clone git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git linux_6.19 Cloning into 'linux_6.19'... remote: Enumerating objects: 11173575, done. remote: Counting objects: 100% (785/785), done. remote: Compressing objects: 100% (373/373), done. remote: Total 11173575 (delta 534), reused 505 (delta 411), pack-reused 11172790 (from 1) Receiving objects: 100% (11173575/11173575), 3.00 GiB | 7.08 MiB/s, done. Resolving deltas: 100% (9195212/9195212), done. fatal: did not receive expected object 0002003e951b5057c16de5a39140abcbf6e44e50 fatal: fetch-pack: invalid index-pack output (akpm: reverting this probably just hides a bug, but let's do that for now while the bug is being worked on). Link: https://lkml.kernel.org/r/20251204023358.54107-1-skhan@linuxfoundation.org Fixes: 39231e8d6ba7 ("mm: fix MAX_FOLIO_ORDER on powerpc configs with hugetlb") Signed-off-by: Shuah Khan <skhan(a)linuxfoundation.org> Cc: Christophe Leroy <christophe.leroy(a)csgroup.eu> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Madhavan Srinivasan <maddy(a)linux.ibm.com> Cc: Masahiro Yamada <masahiroy(a)kernel.org> Cc: Michael Ellerman <mpe(a)ellerman.id.au> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Nicholas Piggin <npiggin(a)gmail.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Linus Torvalds <torvalds(a)linuxfoundation.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- arch/powerpc/Kconfig | 1 - arch/powerpc/platforms/Kconfig.cputype | 1 + include/linux/mm.h | 13 +++---------- mm/Kconfig | 7 ------- 4 files changed, 4 insertions(+), 18 deletions(-) --- a/arch/powerpc/Kconfig~revert-mm-fix-max_folio_order-on-powerpc-configs-with-hugetlb +++ a/arch/powerpc/Kconfig @@ -137,7 +137,6 @@ config PPC select ARCH_HAS_DMA_OPS if PPC64 select ARCH_HAS_FORTIFY_SOURCE select ARCH_HAS_GCOV_PROFILE_ALL - select ARCH_HAS_GIGANTIC_PAGE if ARCH_SUPPORTS_HUGETLBFS select ARCH_HAS_KCOV select ARCH_HAS_KERNEL_FPU_SUPPORT if PPC64 && PPC_FPU select ARCH_HAS_MEMBARRIER_CALLBACKS --- a/arch/powerpc/platforms/Kconfig.cputype~revert-mm-fix-max_folio_order-on-powerpc-configs-with-hugetlb +++ a/arch/powerpc/platforms/Kconfig.cputype @@ -423,6 +423,7 @@ config PPC_64S_HASH_MMU config PPC_RADIX_MMU bool "Radix MMU Support" depends on PPC_BOOK3S_64 + select ARCH_HAS_GIGANTIC_PAGE default y help Enable support for the Power ISA 3.0 Radix style MMU. Currently this --- a/include/linux/mm.h~revert-mm-fix-max_folio_order-on-powerpc-configs-with-hugetlb +++ a/include/linux/mm.h @@ -2074,7 +2074,7 @@ static inline unsigned long folio_nr_pag return folio_large_nr_pages(folio); } -#if !defined(CONFIG_HAVE_GIGANTIC_FOLIOS) +#if !defined(CONFIG_ARCH_HAS_GIGANTIC_PAGE) /* * We don't expect any folios that exceed buddy sizes (and consequently * memory sections). @@ -2087,17 +2087,10 @@ static inline unsigned long folio_nr_pag * pages are guaranteed to be contiguous. */ #define MAX_FOLIO_ORDER PFN_SECTION_SHIFT -#elif defined(CONFIG_HUGETLB_PAGE) -/* - * There is no real limit on the folio size. We limit them to the maximum we - * currently expect (see CONFIG_HAVE_GIGANTIC_FOLIOS): with hugetlb, we expect - * no folios larger than 16 GiB on 64bit and 1 GiB on 32bit. - */ -#define MAX_FOLIO_ORDER get_order(IS_ENABLED(CONFIG_64BIT) ? SZ_16G : SZ_1G) #else /* - * Without hugetlb, gigantic folios that are bigger than a single PUD are - * currently impossible. + * There is no real limit on the folio size. We limit them to the maximum we + * currently expect (e.g., hugetlb, dax). */ #define MAX_FOLIO_ORDER PUD_ORDER #endif --- a/mm/Kconfig~revert-mm-fix-max_folio_order-on-powerpc-configs-with-hugetlb +++ a/mm/Kconfig @@ -908,13 +908,6 @@ config PAGE_MAPCOUNT config PGTABLE_HAS_HUGE_LEAVES def_bool TRANSPARENT_HUGEPAGE || HUGETLB_PAGE -# -# We can end up creating gigantic folio. -# -config HAVE_GIGANTIC_FOLIOS - def_bool (HUGETLB_PAGE && ARCH_HAS_GIGANTIC_PAGE) || \ - (ZONE_DEVICE && HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD) - # TODO: Allow to be enabled without THP config ARCH_SUPPORTS_HUGE_PFNMAP def_bool n _ Patches currently in -mm which might be from skhan(a)linuxfoundation.org are revert-mm-fix-max_folio_order-on-powerpc-configs-with-hugetlb.patch

3 days, 15 hours

1
0
0 0

[PATCH v1 3/3] io_uring/rsrc: fix lost entries after cloned range

by Joanne Koong

When cloning with node replacements (IORING_REGISTER_DST_REPLACE), destination entries after the cloned range are not copied over. Add logic to copy them over to the new destination table. Fixes: c1329532d5aa ("io_uring/rsrc: allow cloning with node replacements") Cc: stable(a)vger.kernel.org Signed-off-by: Joanne Koong <joannelkoong(a)gmail.com> --- io_uring/rsrc.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/io_uring/rsrc.c b/io_uring/rsrc.c index 04f56212398a..a63474b331bf 100644 --- a/io_uring/rsrc.c +++ b/io_uring/rsrc.c @@ -1205,7 +1205,7 @@ static int io_clone_buffers(struct io_ring_ctx *ctx, struct io_ring_ctx *src_ctx if (ret) return ret; - /* Fill entries in data from dst that won't overlap with src */ + /* Copy original dst nodes from before the cloned range */ for (i = 0; i < min(arg->dst_off, ctx->buf_table.nr); i++) { struct io_rsrc_node *node = ctx->buf_table.nodes[i]; @@ -1238,6 +1238,16 @@ static int io_clone_buffers(struct io_ring_ctx *ctx, struct io_ring_ctx *src_ctx i++; } + /* Copy original dst nodes from after the cloned range */ + for (i = nbufs; i < ctx->buf_table.nr; i++) { + struct io_rsrc_node *node = ctx->buf_table.nodes[i]; + + if (node) { + data.nodes[i] = node; + node->refs++; + } + } + /* * If asked for replace, put the old table. data->nodes[] holds both * old and new nodes at this point. -- 2.47.3

3 days, 15 hours

1
0
0 0

[PATCH 5.10 000/300] 5.10.247-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.10.247 release. There are 300 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 05 Dec 2025 15:23:16 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.247-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.10.247-rc1 Florian Westphal <fw(a)strlen.de> netfilter: nf_set_pipapo_avx2: fix initial map fill Vasiliy Kovalev <kovalev(a)altlinux.org> ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up Owen Gu <guhuinan(a)xiaomi.com> usb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> usb: renesas_usbhs: Fix synchronous external abort on unbind Jameson Thies <jthies(a)google.com> usb: typec: ucsi: psy: Set max current to zero when disconnected Paulo Alcantara <pc(a)manguebit.org> smb: client: fix memory leak in cifs_construct_tcon() Jiayuan Chen <jiayuan.chen(a)linux.dev> mptcp: Fix proto fallback detection with BPF Igor Pylypiv <ipylypiv(a)google.com> scsi: pm80xx: Set phy->enable_completion only when we Florian Westphal <fw(a)strlen.de> netfilter: nf_set_pipapo: fix initial map fill Alex Lu <alex_lu(a)realsil.com.cn> Bluetooth: Add more enc key size check Jiufei Xue <jiufei.xue(a)samsung.com> fs: writeback: fix use-after-free in __mark_inode_dirty() Ilya Dryomov <idryomov(a)gmail.com> libceph: fix potential use-after-free in have_mon_and_osd_map() Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check NULL before accessing Johan Hovold <johan(a)kernel.org> drm: sti: fix device leaks at component probe Vanillan Wang <vanillanwang(a)163.com> USB: serial: option: add support for Rolling RW101R-GL Oleksandr Suvorov <cryosay(a)gmail.com> USB: serial: ftdi_sio: add support for u-blox EVK-M101 Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: dbgtty: Fix data corruption when transmitting data form DbC to host Manish Nagar <manish.nagar(a)oss.qualcomm.com> usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths Tianchu Chen <flynnnchen(a)tencent.com> usb: storage: sddr55: Reject out-of-bound new_pba Alan Stern <stern(a)rowland.harvard.edu> USB: storage: Remove subclass and protocol overrides from Novatek quirk Desnes Nunes <desnesn(a)redhat.com> usb: storage: Fix memory leak in USB bulk transport Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: f_eem: Fix memory leak in eem_unwrap Miaoqian Lin <linmq006(a)gmail.com> usb: cdns3: Fix double resource release in cdns3_pci_probe Johan Hovold <johan(a)kernel.org> most: usb: fix double free on late probe failure Miaoqian Lin <linmq006(a)gmail.com> serial: amba-pl011: prefer dma_mapping_error() over explicit address checking Khairul Anuar Romli <khairul.anuar.romli(a)altera.com> firmware: stratix10-svc: fix bug in saving controller data Miaoqian Lin <linmq006(a)gmail.com> slimbus: ngd: Fix reference count leak in qcom_slim_ngd_notify_slaves Alan Borzeszkowski <alan.borzeszkowski(a)linux.intel.com> thunderbolt: Add support for Intel Wildcat Lake Mikulas Patocka <mpatocka(a)redhat.com> dm-verity: fix unreliable memory allocation Marc Kleine-Budde <mkl(a)pengutronix.de> can: sun4i_can: sun4i_can_interrupt(): fix max irq loop handling Thomas Mühlbacher <tmuehlbacher(a)posteo.net> can: sja1000: fix max irq loop handling Gui-Dong Han <hanguidong02(a)gmail.com> atm/fore200e: Fix possible data race in fore200e_open() Thomas Bogendoerfer <tsbogend(a)alpha.franken.de> MIPS: mm: kmalloc tlb_vpn array to avoid stack overflow Maciej W. Rozycki <macro(a)orcam.me.uk> MIPS: mm: Prevent a TLB shutdown on initial uniquification Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> iio:common:ssp_sensors: Fix an error handling path ssp_probe() Francesco Lavra <flavra(a)baylibre.com> iio: imu: st_lsm6dsx: fix array size for st_lsm6dsx_settings fields Jiri Olsa <jolsa(a)kernel.org> Revert "perf/x86: Always store regs->ip in perf_callchain_kernel()" Hang Zhou <929513338(a)qq.com> spi: bcm63xx: fix premature CS deassertion on RX-only transactions Haotian Zhang <vulab(a)iscas.ac.cn> mailbox: mailbox-test: Fix debugfs_create_dir error checking Jiefeng Zhang <jiefeng.z.zhang(a)gmail.com> net: atlantic: fix fragment overflow handling in RX path Alexey Kodanev <aleksei.kodanev(a)bell-sw.com> net: sxgbe: fix potential NULL dereference in sxgbe_rx() Danielle Costantino <dcostantino(a)meta.com> net/mlx5e: Fix validation logic in rate limiting Kai-Heng Feng <kaihengf(a)nvidia.com> net: aquantia: Add missing descriptor cache invalidation on ATL2 Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: SMP: Fix not generating mackey and ltk when repairing Seungjin Bae <eeodqql09(a)gmail.com> can: kvaser_usb: leaf: Fix potential infinite loop in command parsers Seungjin Bae <eeodqql09(a)gmail.com> Input: pegasus-notetaker - fix potential out-of-bounds access Vincent Mailhol <mailhol.vincent(a)wanadoo.fr> Input: remove third argument of usb_maxpacket() Vincent Mailhol <mailhol.vincent(a)wanadoo.fr> usb: deprecate the third argument of usb_maxpacket() Paolo Abeni <pabeni(a)redhat.com> mptcp: do not fallback when OoO is present Eric Dumazet <edumazet(a)google.com> mptcp: fix a race in mptcp_pm_del_add_timer() Vlastimil Babka <vbabka(a)suse.cz> mm/mempool: fix poisoning order>0 pages with HIGHMEM Fabio M. De Francesco <fabio.maria.de.francesco(a)linux.intel.com> mm/mempool: replace kmap_atomic() with kmap_local_page() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dt-bindings: pinctrl: toshiba,visconti: Fix number of items in groups Eric Dumazet <edumazet(a)google.com> mptcp: fix race condition in mptcp_schedule_work() Paolo Abeni <pabeni(a)redhat.com> mptcp: introduce mptcp_schedule_work Niklas Cassel <cassel(a)kernel.org> ata: libata-scsi: Fix system suspend for a security locked drive Sudeep Holla <sudeep.holla(a)arm.com> pmdomain: arm: scmi: Fix genpd leak on provider registration failure Miaoqian Lin <linmq006(a)gmail.com> pmdomain: imx: Fix reference count leak in imx_gpc_remove Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Fix potential overflow of PCM transfer buffer Breno Leitao <leitao(a)debian.org> net: netpoll: fix incorrect refcount handling causing incorrect cleanup Trond Myklebust <trond.myklebust(a)hammerspace.com> Revert "NFS: Don't set NFS_INO_REVAL_PAGECACHE in the inode cache validity" Nick Desaulniers <ndesaulniers(a)google.com> Makefile.compiler: replace cc-ifversion with compiler-specific macros Nathan Chancellor <nathan(a)kernel.org> net: qede: Initialize qede_ll_ops with designated initializer Long Li <longli(a)microsoft.com> uio_hv_generic: Set event for all channels on the device Nishanth Menon <nm(a)ti.com> net: ethernet: ti: netcp: Standardize knav_dma_open_channel to return NULL on error René Rebe <rene(a)exactco.de> ALSA: usb-audio: fix uac2 clock source at terminal parser Isaac J. Manjarres <isaacmanjarres(a)google.com> mm/mm_init: fix hash table order logging in alloc_large_system_hash() Jakub Horký <jakub.git(a)horky.net> kconfig/nconf: Initialize the default locale at startup Jakub Horký <jakub.git(a)horky.net> kconfig/mconf: Initialize the default locale at startup Shahar Shitrit <shshitrit(a)nvidia.com> net: tls: Cancel RX async resync request on rcd_delta overflow Bart Van Assche <bvanassche(a)acm.org> scsi: core: Fix a regression triggered by scsi_host_busy() Michal Luczaj <mhal(a)rbox.co> vsock: Ignore signal/timeout on connect() if already established Aleksei Nikiforov <aleksei.nikiforov(a)linux.ibm.com> s390/ctcm: Fix double-kfree Ilya Maximets <i.maximets(a)ovn.org> net: openvswitch: remove never-working support for setting nsh fields Zilin Guan <zilin(a)seu.edu.cn> mlxsw: spectrum: Fix memory leak in mlxsw_sp_flower_stats() Ma Ke <make24(a)iscas.ac.cn> drm/tegra: dc: Fix reference leak in tegra_dc_couple() Maciej W. Rozycki <macro(a)orcam.me.uk> MIPS: Malta: Fix !EVA SOC-it PCI MMIO Hamza Mahfooz <hamzamahfooz(a)linux.microsoft.com> scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show() Bart Van Assche <bvanassche(a)acm.org> scsi: sg: Do not sleep in atomic context Ewan D. Milne <emilne(a)redhat.com> nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl() Dan Carpenter <dan.carpenter(a)linaro.org> Input: imx_sc_key - fix memory corruption on unload Tzung-Bi Shih <tzungbi(a)kernel.org> Input: cros_ec_keyb - fix an invalid memory access Andrey Vatoropin <a.vatoropin(a)crpt.ru> be2net: pass wrb_params in case of OS2BMC Yongpeng Yang <yangyongpeng(a)xiaomi.com> exfat: check return value of sb_min_blocksize in exfat_read_boot_sector Niravkumar L Rabara <niravkumarlaxmidas.rabara(a)altera.com> mtd: rawnand: cadence: fix DMA device NULL pointer dereference Zhang Heng <zhangheng(a)kylinos.cn> HID: quirks: work around VID/PID conflict for 0x4c4a/0x4155 Abdun Nihaal <nihaal(a)cse.iitm.ac.in> isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe() Niravkumar L Rabara <niravkumarlaxmidas.rabara(a)altera.com> EDAC/altera: Use INTTEST register for Ethernet and USB SBE injection Niravkumar L Rabara <niravkumarlaxmidas.rabara(a)altera.com> EDAC/altera: Handle OCRAM ECC enable after warm reset Hans de Goede <hansg(a)kernel.org> spi: Try to get ACPI GPIO IRQ earlier Wei Yang <albinwyang(a)tencent.com> fs/proc: fix uaf in proc_readdir_de() Chuang Wang <nashuiliang(a)gmail.com> ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe Nate Karstens <nate.karstens(a)garmin.com> strparser: Fix signed/unsigned mismatch bug Peter Oberparleiter <oberpar(a)linux.ibm.com> gcov: add support for GCC 15 Olga Kornievskaia <okorniev(a)redhat.com> NFSD: free copynotify stateid in nfs4_free_ol_stateid() Masami Ichikawa <masami256(a)gmail.com> HID: hid-ntrig: Prevent memory leak in ntrig_report_version() Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: reject duplicate device on updates Dan Carpenter <dan.carpenter(a)linaro.org> mtd: onenand: Pass correct pointer to IRQ handler Eric Biggers <ebiggers(a)kernel.org> lib/crypto: arm/curve25519: Disable on CPU_BIG_ENDIAN Jakub Acs <acsjakub(a)amazon.de> mm/ksm: fix flag-dropping behavior in ksm_madvise Christoph Hellwig <hch(a)lst.de> fsdax: mark the iomap argument to dax_iomap_sector as const Haein Lee <lhi0729(a)kaist.ac.kr> ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd Ian Forbes <ian.forbes(a)broadcom.com> drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE Haotian Zhang <vulab(a)iscas.ac.cn> ASoC: cs4271: Fix regulator leak on probe failure Haotian Zhang <vulab(a)iscas.ac.cn> regulator: fixed: fix GPIO descriptor leak on register failure Chris Morgan <macromorgan(a)hotmail.com> regulator: fixed: use dev_err_probe for register Shuai Xue <xueshuai(a)linux.alibaba.com> acpi,srat: Fix incorrect device handle check for Generic Initiator Pauli Virtanen <pav(a)iki.fi> Bluetooth: L2CAP: export l2cap_chan_hold for modules Felix Maurer <fmaurer(a)redhat.com> hsr: Fix supervision frame sending on HSRv0 Eric Dumazet <edumazet(a)google.com> net_sched: limit try_bulk_dequeue_skb() batches Gal Pressman <gal(a)nvidia.com> net/mlx5e: Fix wraparound in rate limiting for values above 255 Gbps Gal Pressman <gal(a)nvidia.com> net/mlx5e: Fix maxrate wraparound in threshold between units Ranganath V N <vnranganath.20(a)gmail.com> net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak Benjamin Berg <benjamin.berg(a)intel.com> wifi: mac80211: skip rate verification for not captured PSDUs Buday Csaba <buday.csaba(a)prolan.hu> net: mdio: fix resource leak in mdiobus_register_device() Kuniyuki Iwashima <kuniyu(a)google.com> tipc: Fix use-after-free in tipc_mon_reinit_self(). D. Wythe <alibuda(a)linux.alibaba.com> net/smc: fix mismatch between CLC header and proposal Eric Dumazet <edumazet(a)google.com> sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto Pauli Virtanen <pav(a)iki.fi> Bluetooth: 6lowpan: Don't hold spin lock over sleeping functions Pauli Virtanen <pav(a)iki.fi> Bluetooth: 6lowpan: fix BDADDR_LE vs ADDR_LE_DEV address type confusion Pauli Virtanen <pav(a)iki.fi> Bluetooth: 6lowpan: reset link-local header on ipv6 recv path Raphael Pinsonneault-Thibeault <rpthibeault(a)gmail.com> Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF Wei Fang <wei.fang(a)nxp.com> net: fec: correct rx_bytes statistic for the case SHIFT16 is set Sharique Mohammad <sharq0406(a)gmail.com> ASoC: max98090/91: fixed max98091 ALSA widget powering up/down Tristan Lobb <tristan.lobb(a)it-lobb.de> HID: quirks: avoid Cooler Master MM712 dongle wakeup bug Joshua Watt <jpewhacker(a)gmail.com> NFS4: Fix state renewals missing after boot Danil Skrebenkov <danil.skrebenkov(a)cloudbear.ru> RISC-V: clear hot-unplugged cores from all task mm_cpumasks to avoid rfence errors Peter Zijlstra <peterz(a)infradead.org> compiler_types: Move unused static inline functions warning to W=2 Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> extcon: adc-jack: Cleanup wakeup source only if it was enabled Nathan Chancellor <nathan(a)kernel.org> lib/crypto: curve25519-hacl64: Fix older clang KASAN workaround for GCC Zilin Guan <zilin(a)seu.edu.cn> tracing: Fix memory leaks in create_field_var() Qendrim Maxhuni <qendrim.maxhuni(a)garderos.com> net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup Stefan Wiehler <stefan.wiehler(a)nokia.com> sctp: Hold sock lock while iterating over address list Xin Long <lucien.xin(a)gmail.com> sctp: hold endpoint before calling cb in sctp_transport_lookup_process Yajun Deng <yajun.deng(a)linux.dev> net: Use nlmsg_unicast() instead of netlink_unicast() Lu Wei <luwei32(a)huawei.com> net: sctp: Fix some typos Stefan Wiehler <stefan.wiehler(a)nokia.com> sctp: Prevent TOCTOU out-of-bounds write Stefan Wiehler <stefan.wiehler(a)nokia.com> sctp: Hold RCU read lock while iterating over address list Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: stop reading ARL entries if search is done Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix enabling ip multicast Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix resetting speed and pause on forced link Hangbin Liu <liuhangbin(a)gmail.com> net: vlan: sync VLAN features with lower device Josephine Pfeiffer <hi(a)josie.lol> riscv: ptdump: use seq_puts() in pt_dump_seq_puts() macro Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek: Audio disappears on HP 15-fc000 after warm boot again Viacheslav Dubeyko <Slava.Dubeyko(a)ibm.com> ceph: add checking of wait_for_completion_killable() return value Valerio Setti <vsetti(a)baylibre.com> ASoC: meson: aiu-encoder-i2s: fix bit clock polarity Albin Babu Varghese <albinbabuvarghese20(a)gmail.com> fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds Ian Rogers <irogers(a)google.com> tools bitmap: Add missing asm-generic/bitsperlong.h include Sakari Ailus <sakari.ailus(a)linux.intel.com> ACPI: property: Return present device nodes only on fwnode interface Randall P. Embry <rpembry(a)gmail.com> 9p: sysfs_init: don't hardcode error to ENOMEM Randall P. Embry <rpembry(a)gmail.com> 9p: fix /sys/fs/9p/caches overwriting itself Nicolas Ferre <nicolas.ferre(a)microchip.com> ARM: at91: pm: save and restore ACR during PLL disable/enable Tiwei Bie <tiwei.btw(a)antgroup.com> um: Fix help message for ssl-non-raw Yikang Yue <yikangy2(a)illinois.edu> fs/hpfs: Fix error code for new_inode() failure in mkdir/create/mknod/symlink austinchang <austinchang(a)synology.com> btrfs: mark dirty extent range for out of bound prealloc extents Saket Dumbre <saket.dumbre(a)intel.com> ACPICA: Update dsmethod.c to get rid of unused variable warning Mike Marshall <hubcap(a)omnibond.com> orangefs: fix xattr related buffer overflow... Dragos Tatulea <dtatulea(a)nvidia.com> page_pool: Clamp pool size to max 16K pages Chi Zhiling <chizhiling(a)kylinos.cn> exfat: limit log print for IO error Roy Vegard Ovesen <roy.vegard.ovesen(a)gmail.com> ALSA: usb-audio: add mono main switch to Presonus S1824c Ivan Pravdin <ipravdin.official(a)gmail.com> Bluetooth: bcsp: receive data only if registered Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: SCO: Fix UAF on sco_conn_free Théo Lebrun <theo.lebrun(a)bootlin.com> net: macb: avoid dealing with endianness in macb_set_hwaddr() chuguangqing <chuguangqing(a)inspur.com> fs: ext4: change GFP_KERNEL to GFP_NOFS to avoid deadlock Al Viro <viro(a)zeniv.linux.org.uk> nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing Anthony Iliopoulos <ailiop(a)suse.com> NFSv4.1: fix mount hang after CREATE_SESSION failure Olga Kornievskaia <okorniev(a)redhat.com> NFSv4: handle ERR_GRACE on delegation recalls Stephan Gerhold <stephan.gerhold(a)linaro.org> remoteproc: qcom: q6v5: Avoid handling handover twice Koakuma <koachan(a)protonmail.com> sparc/module: Add R_SPARC_UA64 relocation handling Chen Wang <unicorn_wang(a)outlook.com> PCI: cadence: Check for the existence of cdns_pcie::ops before using it ChunHao Lin <hau(a)realtek.com> r8169: set EEE speed down ratio to 1 Brahmajit Das <listout(a)listout.xyz> net: intel: fm10k: Fix parameter idx set but not used Loic Poulain <loic.poulain(a)oss.qualcomm.com> wifi: ath10k: Fix connection after GTK rekeying Shaurya Rane <ssrane_b23(a)ee.vjti.ac.in> jfs: fix uninitialized waitqueue in transaction manager Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> jfs: Verify inode mode when loading from disk Eric Dumazet <edumazet(a)google.com> ipv6: np->rxpmtu race annotation Krishna Kurapati <krishna.kurapati(a)oss.qualcomm.com> usb: xhci: plat: Facilitate using autosuspend for xhci plat devices Forest Crossman <cyrozap(a)gmail.com> usb: mon: Increase BUFF_MAX to 64 MiB to support multi-MB URBs Al Viro <viro(a)zeniv.linux.org.uk> allow finish_no_open(file, ERR_PTR(-E...)) Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Define size of debugfs entry for xri rebalancing Nai-Chen Cheng <bleach1827(a)gmail.com> selftests/Makefile: include $(INSTALL_DEP_TARGETS) in clean target to clean net/lib dependency Yafang Shao <laoar.shao(a)gmail.com> net/cls_cgroup: Fix task_get_classid() during qdisc run Alok Tiwari <alok.a.tiwari(a)oracle.com> udp_tunnel: use netdev_warn() instead of netdev_WARN() David Ahern <dsahern(a)kernel.org> selftests: Replace sleep with slowwait Daniel Palmer <daniel(a)thingy.jp> eth: 8139too: Make 8139TOO_PIO depend on !NO_IOPORT_MAP David Ahern <dsahern(a)kernel.org> selftests: Disable dad for ipv6 in fcnal-test.sh Li RongQing <lirongqing(a)baidu.com> x86/kvm: Prefer native qspinlock for dedicated vCPUs irrespective of PV_UNHALT Ido Schimmel <idosch(a)nvidia.com> selftests: traceroute: Use require_command() Qianfeng Rong <rongqianfeng(a)vivo.com> media: redrat3: use int type to store negative error codes Niklas Söderlund <niklas.soderlund+renesas(a)ragnatech.se> net: sh_eth: Disable WoL if system can not suspend Harikrishna Shenoy <h-shenoy(a)ti.com> phy: cadence: cdns-dphy: Enable lower resolutions in dphy Rohan G Thomas <rohan.g.thomas(a)altera.com> net: phy: marvell: Fix 88e1510 downshift counter errata William Wu <william.wu(a)rock-chips.com> usb: gadget: f_hid: Fix zero length packet transfer Ashish Kalra <ashish.kalra(a)amd.com> iommu/amd: Skip enabling command/event buffers for kdump Eric Dumazet <edumazet(a)google.com> net: call cond_resched() less often in __release_sock() Cryolitia PukNgae <cryolitia(a)uniontech.com> ALSA: usb-audio: apply quirk for MOONDROP Quark2 Juraj Šarinay <juraj(a)sarinay.com> net: nfc: nci: Increase NCI_DATA_TIMEOUT to 3000 ms Yue Haibing <yuehaibing(a)huawei.com> ipv6: Add sanity checks on ipv6_devconf.rpl_seg_enabled Devendra K Verma <devverma(a)amd.com> dmaengine: dw-edma: Set status for callback_result Rosen Penev <rosenp(a)gmail.com> dmaengine: mv_xor: match alloc_wc and free_wc Thomas Andreatta <thomasandreatta2000(a)gmail.com> dmaengine: sh: setup_xref error handling Qianfeng Rong <rongqianfeng(a)vivo.com> scsi: pm8001: Use int instead of u32 to store error codes Aleksander Jan Bajkowski <olek2(a)wp.pl> mips: lantiq: xway: sysctrl: rename stp clock Aleksander Jan Bajkowski <olek2(a)wp.pl> mips: lantiq: danube: add missing device_type in pci node Aleksander Jan Bajkowski <olek2(a)wp.pl> mips: lantiq: danube: add missing properties to cpu node Chelsy Ratnawat <chelsyratnawat2001(a)gmail.com> media: fix uninitialized symbol warnings Amber Lin <Amber.Lin(a)amd.com> drm/amdkfd: Tie UNMAP_LATENCY to queue_preemption Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> extcon: adc-jack: Fix wakeup source leaks on device unbind Francisco Gutierrez <frankramirez(a)google.com> scsi: pm80xx: Fix race condition caused by static variables Ujwal Kundur <ujwal.kundur(a)gmail.com> rds: Fix endianness annotation for RDS_MPATH_HASH Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Add validation of UAC2/UAC3 effect units Sungho Kim <sungho.kim(a)furiosa.ai> PCI/P2PDMA: Fix incorrect pointer usage in devm_kfree() call Kuniyuki Iwashima <kuniyu(a)google.com> net: Call trace_sock_exceed_buf_limit() for memcg failure with SK_MEM_RECV. Christoph Paasch <cpaasch(a)openai.com> net: When removing nexthops, don't call synchronize_net if it is not necessary Zijun Hu <zijun.hu(a)oss.qualcomm.com> char: misc: Does not request module for miscdevice with dynamic minor raub camaioni <raubcameo(a)gmail.com> usb: gadget: f_ncm: Fix MAC assignment NCM ethernet Rodrigo Gobbi <rodrigo.gobbi.7(a)gmail.com> iio: adc: spear_adc: mask SPEAR_ADC_STATUS channel and avg sample before setting register Dmitry Baryshkov <dmitry.baryshkov(a)oss.qualcomm.com> drm/bridge: display-connector: don't set OP_DETECT for DisplayPorts Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> media: imon: make send_packet() more robust Charalampos Mitrodimas <charmitro(a)posteo.net> net: ipv6: fix field-spanning memcpy warning in AH output Ido Schimmel <idosch(a)nvidia.com> bridge: Redirect to backup port when port is administratively down Niklas Schnelle <schnelle(a)linux.ibm.com> powerpc/eeh: Use result of error_detected() in uevent Tiezhu Yang <yangtiezhu(a)loongson.cn> net: stmmac: Check stmmac_hw_setup() in stmmac_resume() Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> x86/vsyscall: Do not require X86_PF_INSTR to emulate vsyscall Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> drm/tidss: Use the crtc_* timings when programming the HW Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> media: pci: ivtv: Don't create fake v4l2_fh Geoffrey McRae <geoffrey.mcrae(a)amd.com> drm/amdkfd: return -ENOTTY for unsupported IOCTLs Wake Liu <wakel(a)google.com> selftests/net: Ensure assert() triggers in psock_tpacket.c Wake Liu <wakel(a)google.com> selftests/net: Replace non-standard __WORDSIZE with sizeof(long) * 8 Marcos Del Sol Vives <marcos(a)orca.pet> PCI: Disable MSI on RDC PCI to PCIe bridges Seyediman Seyedarab <imandevel(a)gmail.com> drm/nouveau: replace snprintf() with scnprintf() in nvkm_snprintbf() Sathishkumar S <sathishkumar.sundararaju(a)amd.com> drm/amdgpu/jpeg: Hold pg_lock before jpeg poweroff Lijo Lazar <lijo.lazar(a)amd.com> drm/amd/pm: Use cached metrics data on arcturus Jens Kehne <jens.kehne(a)agilent.com> mfd: da9063: Split chip variant reading in two bus transactions Arnd Bergmann <arnd(a)arndb.de> mfd: madera: Work around false-positive -Wininitialized warning Alexander Stein <alexander.stein(a)ew.tq-group.com> mfd: stmpe-i2c: Add missing MODULE_LICENSE Alexander Stein <alexander.stein(a)ew.tq-group.com> mfd: stmpe: Remove IRQ domain upon removal Len Brown <len.brown(a)intel.com> tools/power x86_energy_perf_policy: Prefer driver HWP limits Len Brown <len.brown(a)intel.com> tools/power x86_energy_perf_policy: Enhance HWP enable Kaushlendra Kumar <kaushlendra.kumar(a)intel.com> tools/power x86_energy_perf_policy: Fix incorrect fopen mode usage Kaushlendra Kumar <kaushlendra.kumar(a)intel.com> tools/cpupower: Fix incorrect size in cpuidle_state_disable() Armin Wolf <W_Armin(a)gmx.de> hwmon: (dell-smm) Add support for Dell OptiPlex 7040 Jiri Olsa <jolsa(a)kernel.org> uprobe: Do not emulate/sstep original instruction when ip is changed Daniel Lezcano <daniel.lezcano(a)linaro.org> clocksource/drivers/vf-pit: Replace raw_readl/writel to readl/writel Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpuidle: Fail cpuidle device registration if there is one already Svyatoslav Ryhel <clamor95(a)gmail.com> video: backlight: lp855x_bl: Set correct EPROM start for LP8556 Daniel Wagner <wagi(a)kernel.org> nvme-fc: use lock accessing port_state and rport state Amirreza Zarrabi <amirreza.zarrabi(a)oss.qualcomm.com> tee: allow a driver to allocate a tee_device without a pool Hans de Goede <hansg(a)kernel.org> ACPICA: dispatcher: Use acpi_ds_clear_operands() in acpi_ds_call_control_method() Sarthak Garg <quic_sartgarg(a)quicinc.com> mmc: sdhci-msm: Enable tuning for SDR50 mode for SD card Svyatoslav Ryhel <clamor95(a)gmail.com> soc/tegra: fuse: Add Tegra114 nvmem cells and fuse lookups Christian Bruel <christian.bruel(a)foss.st.com> irqchip/gic-v2m: Handle Multiple MSI base IRQ Alignment Kees Cook <kees(a)kernel.org> arc: Fix __fls() const-foldability via __builtin_clzl() Dennis Beier <nanovim(a)gmail.com> cpufreq/longhaul: handle NULL policy in longhaul_exit Ricardo B. Marlière <rbm(a)suse.com> selftests/bpf: Fix bpf_prog_detach2 usage in test_lirc_mode2 Mario Limonciello (AMD) <superm1(a)kernel.org> ACPI: video: force native for Lenovo 82K8 Jiayi Li <lijiayi(a)kylinos.cn> memstick: Add timeout to prevent indefinite waiting Biju Das <biju.das.jz(a)bp.renesas.com> mmc: host: renesas_sdhi: Fix the actual clock Chi Zhang <chizhang(a)asrmicro.com> pinctrl: single: fix bias pull up/down handling in pin_config_set Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> bpf: Don't use %pK through printk Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> soc: ti: pruss: don't use %pK through printk Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> spi: loopback-test: Don't use %pK through printk Jens Reidel <adrian(a)mainlining.org> soc: qcom: smem: Fix endian-unaware access of num_entries Damien Le Moal <dlemoal(a)kernel.org> block: make REQ_OP_ZONE_OPEN a write operation Owen Gu <guhuinan(a)xiaomi.com> usb: gadget: f_fs: Fix epfile null pointer access after ep enable. Matthieu Baerts (NGI0) <matttbe(a)kernel.org> tracing: fix declaration-after-statement warning Matthieu Baerts (NGI0) <matttbe(a)kernel.org> arch: back to -std=gnu89 in < v5.18 Alexey Dobriyan <adobriyan(a)gmail.com> x86/boot: Compile boot code with -std=gnu11 too Babu Moger <babu.moger(a)amd.com> x86/resctrl: Fix miscount of bandwidth event when reactivating previously unavailable RMID Artem Shimko <a.shimko.dev(a)gmail.com> serial: 8250_dw: handle reset control deassert error Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> serial: 8250_dw: Use devm_add_action_or_reset() Celeste Liu <uwu(a)coelacanthus.name> can: gs_usb: increase max interface to U8_MAX Maarten Lankhorst <dev(a)lankhorst.se> devcoredump: Fix circular locking dependency with devcd->mutex. Darrick J. Wong <djwong(a)kernel.org> xfs: always warn about deprecated mount options Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> net: ravb: Enforce descriptor type ordering Emanuele Ghidoli <emanuele.ghidoli(a)toradex.com> net: phy: dp83867: Disable EEE support as not implemented Alexey Klimov <alexey.klimov(a)linaro.org> regmap: slimbus: fix bus_context pointer in regmap init calls Damien Le Moal <dlemoal(a)kernel.org> block: fix op_is_zone_mgmt() to handle REQ_OP_ZONE_RESET_ALL John Smith <itistotalbotnet(a)gmail.com> drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Iceland John Smith <itistotalbotnet(a)gmail.com> drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Fiji Yang Wang <kevinyang.wang(a)amd.com> drm/amd/pm: fix smu table id bound check issue in smu_cmn_update_table() Tomeu Vizoso <tomeu(a)tomeuvizoso.net> drm/etnaviv: fix flush sequence logic Lizhi Xu <lizhi.xu(a)windriver.com> usbnet: Prevents free active kevent Noorain Eqbal <nooraineqbal(a)gmail.com> bpf: Sync pending IRQ work before freeing ring buffer Roy Vegard Ovesen <roy.vegard.ovesen(a)gmail.com> ALSA: usb-audio: fix control pipe direction Akhil P Oommen <akhilpo(a)oss.qualcomm.com> drm/msm/a6xx: Fix GMU firmware parser Loic Poulain <loic.poulain(a)oss.qualcomm.com> wifi: ath10k: Fix memory leak on unsupported WMI command Srinivas Kandagatla <srinivas.kandagatla(a)oss.qualcomm.com> ASoC: qdsp6: q6asm: do not sleep while atomic Miaoqian Lin <linmq006(a)gmail.com> fbdev: valkyriefb: Fix reference count leak in valkyriefb_init Florian Fuchs <fuchsfl(a)gmail.com> fbdev: pvr2fb: Fix leftover reference to ONCHIP_NR_DMA_CHANNELS Gokul Sivakumar <gokulkumar.sivakumar(a)infineon.com> wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode Junjie Cao <junjie.cao(a)intel.com> fbdev: bitblit: bound-check glyph index in bit_putcs* Yuhao Jiang <danisjiang(a)gmail.com> ACPI: video: Fix use-after-free in acpi_video_switch_brightness() Daniel Palmer <daniel(a)0x0f.com> fbdev: atyfb: Check if pll_ops->init_pll failed Miaoqian Lin <linmq006(a)gmail.com> net: usb: asix_devices: Check return value of usbnet_get_endpoints Chuck Lever <chuck.lever(a)oracle.com> NFSD: Fix crash in nfsd4_read_release() Filipe Manana <fdmanana(a)suse.com> btrfs: use smp_mb__after_atomic() when forcing COW in create_pending_snapshot() Filipe Manana <fdmanana(a)suse.com> btrfs: always drop log root tree reference in btrfs_replay_log() David Kaplan <david.kaplan(a)amd.com> x86/bugs: Fix reporting of LFENCE retpoline Xiang Mei <xmei5(a)asu.edu> net/sched: sch_qfq: Fix null-deref in agg_dequeue ------------- Diffstat: .../bindings/pinctrl/toshiba,visconti-pinctrl.yaml | 26 ++-- Documentation/kbuild/makefiles.rst | 29 +++-- Makefile | 8 +- arch/arc/include/asm/bitops.h | 2 + arch/arm/crypto/Kconfig | 2 +- arch/arm/mach-at91/pm_suspend.S | 8 +- arch/mips/boot/dts/lantiq/danube.dtsi | 6 + arch/mips/lantiq/xway/sysctrl.c | 2 +- arch/mips/loongson64/Platform | 2 +- arch/mips/mm/tlb-r4k.c | 118 ++++++++++++------ arch/mips/mti-malta/malta-init.c | 20 +-- arch/parisc/boot/compressed/Makefile | 2 +- arch/powerpc/Makefile | 4 +- arch/powerpc/kernel/eeh_driver.c | 2 +- arch/riscv/kernel/cpu-hotplug.c | 1 + arch/riscv/mm/ptdump.c | 2 +- arch/s390/Makefile | 6 +- arch/s390/purgatory/Makefile | 2 +- arch/sparc/include/asm/elf_64.h | 1 + arch/sparc/kernel/module.c | 1 + arch/um/drivers/ssl.c | 5 +- arch/x86/Makefile | 2 +- arch/x86/boot/compressed/Makefile | 2 +- arch/x86/entry/vsyscall/vsyscall_64.c | 17 ++- arch/x86/events/core.c | 10 +- arch/x86/kernel/cpu/bugs.c | 5 +- arch/x86/kernel/cpu/resctrl/monitor.c | 10 +- arch/x86/kernel/kvm.c | 20 +-- drivers/acpi/acpi_video.c | 4 +- drivers/acpi/acpica/dsmethod.c | 10 +- drivers/acpi/numa/srat.c | 2 +- drivers/acpi/property.c | 24 +++- drivers/acpi/video_detect.c | 8 ++ drivers/ata/libata-scsi.c | 8 ++ drivers/atm/fore200e.c | 2 + drivers/base/devcoredump.c | 138 +++++++++++++-------- drivers/base/regmap/regmap-slimbus.c | 6 +- drivers/bluetooth/btusb.c | 13 +- drivers/bluetooth/hci_bcsp.c | 3 + drivers/char/misc.c | 8 +- drivers/clocksource/timer-vf-pit.c | 22 ++-- drivers/cpufreq/longhaul.c | 3 + drivers/cpuidle/cpuidle.c | 8 +- drivers/dma/dw-edma/dw-edma-core.c | 22 ++++ drivers/dma/mv_xor.c | 4 +- drivers/dma/sh/shdma-base.c | 25 +++- drivers/dma/sh/shdmac.c | 17 ++- drivers/edac/altera_edac.c | 22 +++- drivers/extcon/extcon-adc-jack.c | 2 + drivers/firmware/arm_scmi/scmi_pm_domain.c | 13 +- drivers/firmware/efi/libstub/Makefile | 2 +- drivers/firmware/stratix10-svc.c | 7 +- drivers/gpu/drm/amd/amdgpu/amdgpu_jpeg.c | 6 +- drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 8 +- drivers/gpu/drm/amd/amdkfd/kfd_priv.h | 9 +- drivers/gpu/drm/amd/display/dc/calcs/Makefile | 2 +- drivers/gpu/drm/amd/display/dc/core/dc_stream.c | 11 +- drivers/gpu/drm/amd/display/dc/dcn20/Makefile | 2 +- drivers/gpu/drm/amd/display/dc/dcn21/Makefile | 2 +- drivers/gpu/drm/amd/display/dc/dcn30/Makefile | 2 +- drivers/gpu/drm/amd/display/dc/dml/Makefile | 2 +- drivers/gpu/drm/amd/display/dc/dsc/Makefile | 2 +- .../gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c | 2 +- .../drm/amd/pm/powerplay/smumgr/iceland_smumgr.c | 2 +- drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c | 2 +- drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c | 2 +- drivers/gpu/drm/bridge/display-connector.c | 3 +- drivers/gpu/drm/etnaviv/etnaviv_buffer.c | 2 +- drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 5 +- drivers/gpu/drm/nouveau/nvkm/core/enum.c | 2 +- drivers/gpu/drm/sti/sti_vtg.c | 7 +- drivers/gpu/drm/tegra/dc.c | 1 + drivers/gpu/drm/tidss/tidss_crtc.c | 2 +- drivers/gpu/drm/tidss/tidss_dispc.c | 16 +-- drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 5 + drivers/hid/hid-ids.h | 7 +- drivers/hid/hid-ntrig.c | 7 +- drivers/hid/hid-quirks.c | 14 ++- drivers/hwmon/dell-smm-hwmon.c | 7 ++ drivers/iio/adc/spear_adc.c | 9 +- drivers/iio/common/ssp_sensors/ssp_dev.c | 4 +- drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h | 22 ++-- drivers/input/keyboard/cros_ec_keyb.c | 6 + drivers/input/keyboard/imx_sc_key.c | 2 +- drivers/input/misc/ati_remote2.c | 2 +- drivers/input/misc/cm109.c | 2 +- drivers/input/misc/powermate.c | 2 +- drivers/input/misc/yealink.c | 2 +- drivers/input/tablet/acecad.c | 2 +- drivers/input/tablet/pegasus_notetaker.c | 11 +- drivers/iommu/amd/init.c | 28 +++-- drivers/irqchip/irq-gic-v2m.c | 13 +- drivers/isdn/hardware/mISDN/hfcsusb.c | 18 ++- drivers/mailbox/mailbox-test.c | 2 +- drivers/md/dm-verity-fec.c | 6 +- drivers/media/i2c/ir-kbd-i2c.c | 6 +- drivers/media/pci/ivtv/ivtv-alsa-pcm.c | 2 - drivers/media/pci/ivtv/ivtv-driver.h | 3 +- drivers/media/pci/ivtv/ivtv-fileops.c | 18 +-- drivers/media/pci/ivtv/ivtv-irq.c | 4 +- drivers/media/rc/imon.c | 61 +++++---- drivers/media/rc/redrat3.c | 2 +- drivers/media/tuners/xc4000.c | 8 +- drivers/media/tuners/xc5000.c | 12 +- drivers/memstick/core/memstick.c | 8 +- drivers/mfd/da9063-i2c.c | 27 +++- drivers/mfd/madera-core.c | 4 +- drivers/mfd/stmpe-i2c.c | 1 + drivers/mfd/stmpe.c | 3 + drivers/mmc/host/renesas_sdhi_core.c | 6 +- drivers/mmc/host/sdhci-msm.c | 15 +++ drivers/most/most_usb.c | 14 +-- drivers/mtd/nand/onenand/onenand_samsung.c | 2 +- drivers/mtd/nand/raw/cadence-nand-controller.c | 3 +- drivers/net/can/sja1000/sja1000.c | 4 +- drivers/net/can/sun4i_can.c | 4 +- drivers/net/can/usb/gs_usb.c | 23 ++-- drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 4 +- drivers/net/dsa/b53/b53_common.c | 15 ++- drivers/net/dsa/b53/b53_regs.h | 3 +- .../net/ethernet/aquantia/atlantic/aq_hw_utils.c | 22 ++++ .../net/ethernet/aquantia/atlantic/aq_hw_utils.h | 1 + drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 5 + .../ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c | 19 +-- .../ethernet/aquantia/atlantic/hw_atl2/hw_atl2.c | 2 +- drivers/net/ethernet/cadence/macb_main.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 7 +- drivers/net/ethernet/freescale/fec_main.c | 2 + drivers/net/ethernet/intel/fm10k/fm10k_common.c | 5 +- drivers/net/ethernet/intel/fm10k/fm10k_common.h | 2 +- drivers/net/ethernet/intel/fm10k/fm10k_pf.c | 2 +- drivers/net/ethernet/intel/fm10k/fm10k_vf.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c | 15 ++- .../net/ethernet/mellanox/mlxsw/spectrum_flower.c | 6 +- drivers/net/ethernet/qlogic/qede/qede_main.c | 2 +- drivers/net/ethernet/realtek/Kconfig | 2 +- drivers/net/ethernet/realtek/r8169_main.c | 6 +- drivers/net/ethernet/renesas/ravb_main.c | 16 ++- drivers/net/ethernet/renesas/sh_eth.c | 4 + drivers/net/ethernet/samsung/sxgbe/sxgbe_main.c | 4 +- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 9 +- drivers/net/ethernet/ti/netcp_core.c | 10 +- drivers/net/phy/dp83867.c | 6 + drivers/net/phy/marvell.c | 39 +++++- drivers/net/phy/mdio_bus.c | 5 +- drivers/net/usb/asix_devices.c | 12 +- drivers/net/usb/qmi_wwan.c | 6 + drivers/net/usb/usbnet.c | 2 + drivers/net/wireless/ath/ath10k/mac.c | 12 +- drivers/net/wireless/ath/ath10k/wmi.c | 1 + .../broadcom/brcm80211/brcmfmac/cfg80211.c | 3 +- .../net/wireless/broadcom/brcm80211/brcmfmac/p2p.c | 28 ++--- .../net/wireless/broadcom/brcm80211/brcmfmac/p2p.h | 3 +- drivers/nvme/host/fc.c | 12 +- drivers/pci/controller/cadence/pcie-cadence-host.c | 2 +- drivers/pci/controller/cadence/pcie-cadence.c | 4 +- drivers/pci/controller/cadence/pcie-cadence.h | 6 +- drivers/pci/p2pdma.c | 2 +- drivers/pci/quirks.c | 1 + drivers/phy/cadence/cdns-dphy.c | 4 +- drivers/pinctrl/pinctrl-single.c | 4 +- drivers/regulator/fixed.c | 6 +- drivers/remoteproc/qcom_q6v5.c | 5 + drivers/s390/net/ctcm_mpc.c | 1 - drivers/scsi/hosts.c | 5 +- drivers/scsi/lpfc/lpfc_debugfs.h | 3 + drivers/scsi/pm8001/pm8001_ctl.c | 24 ++-- drivers/scsi/pm8001/pm8001_init.c | 1 + drivers/scsi/pm8001/pm8001_sas.c | 4 +- drivers/scsi/pm8001/pm8001_sas.h | 4 + drivers/scsi/sg.c | 10 +- drivers/slimbus/qcom-ngd-ctrl.c | 1 + drivers/soc/imx/gpc.c | 2 + drivers/soc/qcom/smem.c | 2 +- drivers/soc/tegra/fuse/fuse-tegra30.c | 122 ++++++++++++++++++ drivers/soc/ti/knav_dma.c | 14 +-- drivers/soc/ti/pruss.c | 2 +- drivers/spi/spi-bcm63xx.c | 14 +++ drivers/spi/spi-loopback-test.c | 12 +- drivers/spi/spi.c | 10 ++ drivers/target/loopback/tcm_loop.c | 3 + drivers/tee/tee_core.c | 2 +- drivers/thunderbolt/nhi.c | 2 + drivers/thunderbolt/nhi.h | 1 + drivers/tty/serial/8250/8250_dw.c | 67 +++++----- drivers/tty/serial/amba-pl011.c | 2 +- drivers/uio/uio_hv_generic.c | 21 +++- drivers/usb/cdns3/cdns3-pci-wrap.c | 5 +- drivers/usb/dwc3/ep0.c | 1 + drivers/usb/dwc3/gadget.c | 7 ++ drivers/usb/gadget/function/f_eem.c | 7 +- drivers/usb/gadget/function/f_fs.c | 8 +- drivers/usb/gadget/function/f_hid.c | 4 +- drivers/usb/gadget/function/f_ncm.c | 3 +- drivers/usb/host/xhci-dbgcap.h | 1 + drivers/usb/host/xhci-dbgtty.c | 17 ++- drivers/usb/host/xhci-plat.c | 1 + drivers/usb/mon/mon_bin.c | 14 ++- drivers/usb/renesas_usbhs/common.c | 14 +-- drivers/usb/serial/ftdi_sio.c | 1 + drivers/usb/serial/ftdi_sio_ids.h | 1 + drivers/usb/serial/option.c | 10 +- drivers/usb/storage/sddr55.c | 6 + drivers/usb/storage/transport.c | 16 +++ drivers/usb/storage/uas.c | 7 +- drivers/usb/storage/unusual_devs.h | 2 +- drivers/usb/typec/ucsi/psy.c | 5 + drivers/video/backlight/lp855x_bl.c | 2 +- drivers/video/fbdev/aty/atyfb_base.c | 8 +- drivers/video/fbdev/core/bitblit.c | 33 ++++- drivers/video/fbdev/pvr2fb.c | 2 +- drivers/video/fbdev/valkyriefb.c | 2 + fs/9p/v9fs.c | 9 +- fs/btrfs/disk-io.c | 2 +- fs/btrfs/file.c | 10 ++ fs/btrfs/transaction.c | 2 +- fs/btrfs/tree-log.c | 1 - fs/ceph/locks.c | 5 +- fs/cifs/connect.c | 1 + fs/dax.c | 2 +- fs/exfat/fatent.c | 11 +- fs/exfat/super.c | 5 +- fs/ext4/xattr.c | 2 +- fs/fs-writeback.c | 7 +- fs/hpfs/namei.c | 18 ++- fs/jfs/inode.c | 8 +- fs/jfs/jfs_txnmgr.c | 9 +- fs/nfs/inode.c | 6 +- fs/nfs/nfs4client.c | 1 + fs/nfs/nfs4proc.c | 7 +- fs/nfs/nfs4state.c | 3 + fs/nfsd/nfs4proc.c | 7 +- fs/nfsd/nfs4state.c | 3 +- fs/open.c | 10 +- fs/orangefs/xattr.c | 12 +- fs/overlayfs/copy_up.c | 2 +- fs/proc/generic.c | 12 +- fs/xfs/xfs_super.c | 33 +++-- include/linux/ata.h | 1 + include/linux/blk_types.h | 11 +- include/linux/compiler_types.h | 5 +- include/linux/filter.h | 2 +- include/linux/mm.h | 2 +- include/linux/shdma-base.h | 2 +- include/linux/usb.h | 16 +-- include/net/cls_cgroup.h | 2 +- include/net/nfc/nci_core.h | 2 +- include/net/pkt_sched.h | 25 +++- include/net/sctp/sctp.h | 3 +- include/net/tls.h | 6 + kernel/bpf/ringbuf.c | 2 + kernel/events/uprobes.c | 7 ++ kernel/gcov/gcc_4_7.c | 4 +- kernel/trace/trace_events_hist.c | 6 +- kernel/trace/trace_events_synth.c | 3 +- lib/crypto/Makefile | 2 +- mm/mempool.c | 32 ++++- mm/page_alloc.c | 2 +- net/8021q/vlan.c | 2 + net/bluetooth/6lowpan.c | 103 ++++++++++----- net/bluetooth/hci_event.c | 21 +++- net/bluetooth/l2cap_core.c | 1 + net/bluetooth/sco.c | 7 ++ net/bluetooth/smp.c | 31 ++--- net/bridge/br_forward.c | 3 +- net/ceph/ceph_common.c | 53 ++++---- net/ceph/debugfs.c | 16 ++- net/core/netpoll.c | 7 +- net/core/page_pool.c | 6 +- net/core/sock.c | 15 ++- net/hsr/hsr_device.c | 3 + net/ipv4/fib_frontend.c | 2 +- net/ipv4/inet_diag.c | 5 +- net/ipv4/nexthop.c | 6 + net/ipv4/raw_diag.c | 7 +- net/ipv4/route.c | 5 + net/ipv4/udp_diag.c | 6 +- net/ipv4/udp_tunnel_nic.c | 2 +- net/ipv6/addrconf.c | 4 +- net/ipv6/ah6.c | 50 +++++--- net/ipv6/raw.c | 2 +- net/ipv6/udp.c | 2 +- net/mac80211/rx.c | 10 +- net/mptcp/mptcp_diag.c | 6 +- net/mptcp/pm.c | 3 +- net/mptcp/pm_netlink.c | 20 +-- net/mptcp/protocol.c | 59 ++++++--- net/mptcp/protocol.h | 1 + net/netfilter/nf_tables_api.c | 15 +++ net/netfilter/nft_set_pipapo.c | 4 +- net/netfilter/nft_set_pipapo.h | 21 ++++ net/netfilter/nft_set_pipapo_avx2.c | 31 ++++- net/netlink/af_netlink.c | 2 +- net/openvswitch/actions.c | 68 +--------- net/openvswitch/flow_netlink.c | 64 ++-------- net/openvswitch/flow_netlink.h | 2 - net/rds/rds.h | 2 +- net/sched/act_ife.c | 12 +- net/sched/sch_api.c | 10 -- net/sched/sch_generic.c | 17 +-- net/sched/sch_hfsc.c | 16 --- net/sched/sch_qfq.c | 2 +- net/sctp/diag.c | 73 ++++++----- net/sctp/sm_make_chunk.c | 2 +- net/sctp/socket.c | 24 ++-- net/sctp/transport.c | 13 +- net/smc/smc_clc.c | 1 + net/strparser/strparser.c | 2 +- net/tipc/net.c | 2 + net/tls/tls_device.c | 4 +- net/unix/diag.c | 6 +- net/vmw_vsock/af_vsock.c | 40 ++++-- scripts/Kbuild.include | 10 +- scripts/kconfig/mconf.c | 3 + scripts/kconfig/nconf.c | 3 + sound/pci/hda/patch_realtek.c | 17 +-- sound/soc/codecs/cs4271.c | 10 +- sound/soc/codecs/max98090.c | 6 +- sound/soc/meson/aiu-encoder-i2s.c | 9 +- sound/soc/qcom/qdsp6/q6asm.c | 2 +- sound/usb/endpoint.c | 5 + sound/usb/mixer.c | 11 +- sound/usb/mixer_s1810c.c | 28 ++++- sound/usb/validate.c | 9 +- tools/include/linux/bitmap.h | 1 + tools/power/cpupower/lib/cpuidle.c | 5 +- .../x86_energy_perf_policy.c | 30 +++-- tools/testing/selftests/Makefile | 2 +- tools/testing/selftests/bpf/test_lirc_mode2_user.c | 2 +- tools/testing/selftests/net/fcnal-test.sh | 4 +- tools/testing/selftests/net/psock_tpacket.c | 4 +- tools/testing/selftests/net/traceroute.sh | 13 +- 332 files changed, 2243 insertions(+), 1164 deletions(-)

3 days, 15 hours

9
310
0 0

[PATCH 5.15.y RESEND] KVM: arm64: sys_regs: disable -Wuninitialized-const-pointer warning

by Justin Stitt

A new warning in Clang 22 [1] complains that @clidr passed to get_clidr_el1() is an uninitialized const pointer. get_clidr_el1() doesn't really care since it casts away the const-ness anyways -- it is a false positive. | ../arch/arm64/kvm/sys_regs.c:2838:23: warning: variable 'clidr' is uninitialized when passed as a const pointer argument here [-Wuninitialized-const-pointer] | 2838 | get_clidr_el1(NULL, &clidr); /* Ugly... */ | | ^~~~~ This patch isn't needed for anything past 6.1 as this code section was reworked in Commit 7af0c2534f4c ("KVM: arm64: Normalize cache configuration"). Since there is no upstream equivalent, this patch just needs to be applied to 5.15. Disable this warning for sys_regs.o with an iron fist as it doesn't make sense to waste maintainer's time or potentially break builds by backporting large changelists from 6.2+. Cc: stable(a)vger.kernel.org Fixes: 7c8c5e6a9101e ("arm64: KVM: system register handling") Link: https://github.com/llvm/llvm-project/commit/00dacf8c22f065cb52efb14cd091d44… [1] Reviewed-by: Nathan Chancellor <nathan(a)kernel.org> Signed-off-by: Justin Stitt <justinstitt(a)google.com> --- Resending this with Nathan's RB tag, an updated commit log and better recipients from checkpatch.pl. I'm also sending a similar patch resend for 6.1. --- arch/arm64/kvm/Makefile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/arm64/kvm/Makefile b/arch/arm64/kvm/Makefile index 989bb5dad2c8..109cca425d3e 100644 --- a/arch/arm64/kvm/Makefile +++ b/arch/arm64/kvm/Makefile @@ -25,3 +25,6 @@ kvm-y := $(KVM)/kvm_main.o $(KVM)/coalesced_mmio.o $(KVM)/eventfd.o \ vgic/vgic-its.o vgic/vgic-debug.o kvm-$(CONFIG_HW_PERF_EVENTS) += pmu-emul.o + +# Work around a false positive Clang 22 -Wuninitialized-const-pointer warning +CFLAGS_sys_regs.o := $(call cc-disable-warning, uninitialized-const-pointer) --- base-commit: 8bb7eca972ad531c9b149c0a51ab43a417385813 change-id: 20250728-b4-stable-disable-uninit-ptr-warn-5-15-c0c9db3df206 Best regards, -- Justin Stitt <justinstitt(a)google.com>

3 days, 16 hours

1
0
0 0

Optimiza tu reclutamiento con PsicoSmart

by Valeria Pérez

Mejora tus contrataciones con PsicoSmart body { margin: 0; padding: 0; font-family: Arial, Helvetica, sans-serif; font-size: 14px; color: #333; background-color: #ffffff; } table { border-spacing: 0; width: 100%; max-width: 600px; margin: auto; } td { padding: 12px 20px; } a { color: #1a73e8; text-decoration: none; } .footer { font-size: 12px; color: #888888; text-align: center; } Evalúa talento de forma objetiva y mejora tus contrataciones con PsicoSmart. Hola, , ¿Te ha pasado que un candidato luce perfecto en entrevista, pero en el trabajo no encaja como esperabas? En selección, confiar solo en la percepción puede llevar a decisiones costosas. Por eso quiero presentarte PsicoSmart, una herramienta creada para que los equipos de Recursos Humanos tomen decisiones más objetivas y acertadas. Con PsicoSmart puedes: Aplicar 31 pruebas psicométricas que evalúan liderazgo, honestidad, comunicación e inteligencia. Validar conocimientos técnicos con más de 2,500 exámenes especializados. Supervisar la identidad de quien responde mediante captura fotográfica automática durante la evaluación. Gestionar todo desde una sola plataforma, accesible desde cualquier dispositivo. Si estás buscando mejorar tus contrataciones, podría ser una muy buena opción. Si quieres conocer más puedes responder este correo o simplemente contactarme, mis datos están abajo. Saludos, -------------- Atte.: Valeria Pérez Ciudad de México: (55) 5018 0565 WhatsApp: +52 33 1607 2089 Si no deseas recibir más correos, haz clic aquí para darte de baja. Para remover su dirección de esta lista haga <a href="https://s1.arrobamail.com/unsuscribe.php?id=yiwtsrewiswqruseup">click aquí</a>

3 days, 17 hours

1
0
0 0

[PATCH v4 2/4] tpm2-sessions: Fix tpm2_read_public range checks

by Jarkko Sakkinen

tpm2_read_public() has some rudimentary range checks but the function does not ensure that the response buffer has enough bytes for the full TPMT_HA payload. Re-implement the function with necessary checks and validation, and return name and name size for all handle types back to the caller. Cc: stable(a)vger.kernel.org # v6.10+ Fixes: d0a25bb961e6 ("tpm: Add HMAC session name/handle append") Reviewed-by: Jonathan McDowell <noodles(a)meta.com> Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v3: - Rename 'rc2' as 'name_size_alg'. - It makes a lot of sense to add additional robustness in name handling to tpm2_read_public. Thus also process handles whose handle name is the handle itself, and return name size back to the caller. v3: - No changes. v2: - Made the fix localized instead of spread all over the place. --- drivers/char/tpm/tpm2-cmd.c | 3 + drivers/char/tpm/tpm2-sessions.c | 94 +++++++++++++++++--------------- 2 files changed, 53 insertions(+), 44 deletions(-) diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c index be4a9c7f2e1a..34e3599f094f 100644 --- a/drivers/char/tpm/tpm2-cmd.c +++ b/drivers/char/tpm/tpm2-cmd.c @@ -11,8 +11,11 @@ * used by the kernel internally. */ +#include "linux/dev_printk.h" +#include "linux/tpm.h" #include "tpm.h" #include <crypto/hash_info.h> +#include <linux/unaligned.h> static bool disable_pcr_integrity; module_param(disable_pcr_integrity, bool, 0444); diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 385014dbca39..3f389e2f6f58 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -163,53 +163,61 @@ static int name_size(const u8 *name) } } -static int tpm2_parse_read_public(char *name, struct tpm_buf *buf) +static int tpm2_read_public(struct tpm_chip *chip, u32 handle, void *name) { - struct tpm_header *head = (struct tpm_header *)buf->data; + u32 mso = tpm2_handle_mso(handle); off_t offset = TPM_HEADER_SIZE; - u32 tot_len = be32_to_cpu(head->length); - int ret; - u32 val; - - /* we're starting after the header so adjust the length */ - tot_len -= TPM_HEADER_SIZE; - - /* skip public */ - val = tpm_buf_read_u16(buf, &offset); - if (val > tot_len) - return -EINVAL; - offset += val; - /* name */ - val = tpm_buf_read_u16(buf, &offset); - ret = name_size(&buf->data[offset]); - if (ret < 0) - return ret; - - if (val != ret) - return -EINVAL; - - memcpy(name, &buf->data[offset], val); - /* forget the rest */ - return 0; -} - -static int tpm2_read_public(struct tpm_chip *chip, u32 handle, char *name) -{ + int rc, name_size_alg; struct tpm_buf buf; - int rc; + + if (mso != TPM2_MSO_PERSISTENT && mso != TPM2_MSO_VOLATILE && + mso != TPM2_MSO_NVRAM) { + memcpy(name, &handle, sizeof(u32)); + return sizeof(u32); + } rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_READ_PUBLIC); if (rc) return rc; tpm_buf_append_u32(&buf, handle); - rc = tpm_transmit_cmd(chip, &buf, 0, "read public"); - if (rc == TPM2_RC_SUCCESS) - rc = tpm2_parse_read_public(name, &buf); - tpm_buf_destroy(&buf); + rc = tpm_transmit_cmd(chip, &buf, 0, "TPM2_ReadPublic"); + if (rc) { + tpm_buf_destroy(&buf); + return tpm_ret_to_err(rc); + } - return rc; + /* Skip TPMT_PUBLIC: */ + offset += tpm_buf_read_u16(&buf, &offset); + + /* + * Ensure space for the length field of TPM2B_NAME and hashAlg field of + * TPMT_HA (the extra four bytes). + */ + if (offset + 4 > tpm_buf_length(&buf)) { + tpm_buf_destroy(&buf); + return -EIO; + } + + rc = tpm_buf_read_u16(&buf, &offset); + name_size_alg = name_size(&buf.data[offset]); + + if (name_size_alg < 0) + return name_size_alg; + + if (rc != name_size_alg) { + tpm_buf_destroy(&buf); + return -EIO; + } + + if (offset + rc > tpm_buf_length(&buf)) { + tpm_buf_destroy(&buf); + return -EIO; + } + + memcpy(name, &buf.data[offset], rc); + return name_size_alg; } #endif /* CONFIG_TCG_TPM2_HMAC */ @@ -243,6 +251,7 @@ int tpm_buf_append_name(struct tpm_chip *chip, struct tpm_buf *buf, #ifdef CONFIG_TCG_TPM2_HMAC enum tpm2_mso_type mso = tpm2_handle_mso(handle); struct tpm2_auth *auth; + u16 name_size_alg; int slot; int ret; #endif @@ -273,8 +282,10 @@ int tpm_buf_append_name(struct tpm_chip *chip, struct tpm_buf *buf, mso == TPM2_MSO_NVRAM) { if (!name) { ret = tpm2_read_public(chip, handle, auth->name[slot]); - if (ret) + if (ret < 0) goto err; + + name_size_alg = ret; } } else { if (name) { @@ -286,13 +297,8 @@ int tpm_buf_append_name(struct tpm_chip *chip, struct tpm_buf *buf, } auth->name_h[slot] = handle; - if (name) { - ret = name_size(name); - if (ret < 0) - goto err; - - memcpy(auth->name[slot], name, ret); - } + if (name) + memcpy(auth->name[slot], name, name_size_alg); #endif return 0; -- 2.52.0

3 days, 17 hours

1
0
0 0

[PATCH v4 1/4] tpm2-sessions: Fix out of range indexing in name_size

by Jarkko Sakkinen

'name_size' does not have any range checks, and it just directly indexes with TPM_ALG_ID, which could lead into memory corruption at worst. Address the issue by only processing known values and returning -EINVAL for unrecognized values. Make also 'tpm_buf_append_name' and 'tpm_buf_fill_hmac_session' fallible so that errors are detected before causing any spurious TPM traffic. End also the authorization session on failure in both of the functions, as the session state would be then by definition corrupted. Cc: stable(a)vger.kernel.org # v6.10+ Fixes: 1085b8276bb4 ("tpm: Add the rest of the session HMAC API") Reviewed-by: Jonathan McDowell <noodles(a)meta.com> Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v4: - Removed spurious empty line. v3: - Fix pr_warn() format string in name_size(). - Fix !CONFIG_TPM2_HMAC compilation. v2: - Wrote a better short summary. - Addressed remarks in https://lore.kernel.org/linux-integrity/aS8TIeviaippVAha@earth.li/ - Use -EIO consistently in tpm2_fill_hmac_session. These are not input value errors. They could only spun from malformed (kernel) state. - name_size did not have a proper default-case. Reorganize the fallback into that. --- drivers/char/tpm/tpm2-cmd.c | 23 +++- drivers/char/tpm/tpm2-sessions.c | 132 +++++++++++++++------- include/linux/tpm.h | 13 ++- security/keys/trusted-keys/trusted_tpm2.c | 29 ++++- 4 files changed, 142 insertions(+), 55 deletions(-) diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c index dd502322f499..be4a9c7f2e1a 100644 --- a/drivers/char/tpm/tpm2-cmd.c +++ b/drivers/char/tpm/tpm2-cmd.c @@ -199,7 +199,11 @@ int tpm2_pcr_extend(struct tpm_chip *chip, u32 pcr_idx, } if (!disable_pcr_integrity) { - tpm_buf_append_name(chip, &buf, pcr_idx, NULL); + rc = tpm_buf_append_name(chip, &buf, pcr_idx, NULL); + if (rc) { + tpm_buf_destroy(&buf); + return rc; + } tpm_buf_append_hmac_session(chip, &buf, 0, NULL, 0); } else { tpm_buf_append_handle(chip, &buf, pcr_idx); @@ -214,8 +218,14 @@ int tpm2_pcr_extend(struct tpm_chip *chip, u32 pcr_idx, chip->allocated_banks[i].digest_size); } - if (!disable_pcr_integrity) - tpm_buf_fill_hmac_session(chip, &buf); + if (!disable_pcr_integrity) { + rc = tpm_buf_fill_hmac_session(chip, &buf); + if (rc) { + tpm_buf_destroy(&buf); + return rc; + } + } + rc = tpm_transmit_cmd(chip, &buf, 0, "attempting extend a PCR value"); if (!disable_pcr_integrity) rc = tpm_buf_check_hmac_response(chip, &buf, rc); @@ -273,7 +283,12 @@ int tpm2_get_random(struct tpm_chip *chip, u8 *dest, size_t max) | TPM2_SA_CONTINUE_SESSION, NULL, 0); tpm_buf_append_u16(&buf, num_bytes); - tpm_buf_fill_hmac_session(chip, &buf); + err = tpm_buf_fill_hmac_session(chip, &buf); + if (err) { + tpm_buf_destroy(&buf); + return err; + } + err = tpm_transmit_cmd(chip, &buf, offsetof(struct tpm2_get_random_out, buffer), diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 6d03c224e6b2..385014dbca39 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -144,16 +144,23 @@ struct tpm2_auth { /* * Name Size based on TPM algorithm (assumes no hash bigger than 255) */ -static u8 name_size(const u8 *name) +static int name_size(const u8 *name) { - static u8 size_map[] = { - [TPM_ALG_SHA1] = SHA1_DIGEST_SIZE, - [TPM_ALG_SHA256] = SHA256_DIGEST_SIZE, - [TPM_ALG_SHA384] = SHA384_DIGEST_SIZE, - [TPM_ALG_SHA512] = SHA512_DIGEST_SIZE, - }; - u16 alg = get_unaligned_be16(name); - return size_map[alg] + 2; + u16 hash_alg = get_unaligned_be16(name); + + switch (hash_alg) { + case TPM_ALG_SHA1: + return SHA1_DIGEST_SIZE + 2; + case TPM_ALG_SHA256: + return SHA256_DIGEST_SIZE + 2; + case TPM_ALG_SHA384: + return SHA384_DIGEST_SIZE + 2; + case TPM_ALG_SHA512: + return SHA512_DIGEST_SIZE + 2; + default: + pr_warn("tpm: unsupported name algorithm: 0x%04x\n", hash_alg); + return -EINVAL; + } } static int tpm2_parse_read_public(char *name, struct tpm_buf *buf) @@ -161,6 +168,7 @@ static int tpm2_parse_read_public(char *name, struct tpm_buf *buf) struct tpm_header *head = (struct tpm_header *)buf->data; off_t offset = TPM_HEADER_SIZE; u32 tot_len = be32_to_cpu(head->length); + int ret; u32 val; /* we're starting after the header so adjust the length */ @@ -173,8 +181,13 @@ static int tpm2_parse_read_public(char *name, struct tpm_buf *buf) offset += val; /* name */ val = tpm_buf_read_u16(buf, &offset); - if (val != name_size(&buf->data[offset])) + ret = name_size(&buf->data[offset]); + if (ret < 0) + return ret; + + if (val != ret) return -EINVAL; + memcpy(name, &buf->data[offset], val); /* forget the rest */ return 0; @@ -221,46 +234,72 @@ static int tpm2_read_public(struct tpm_chip *chip, u32 handle, char *name) * As with most tpm_buf operations, success is assumed because failure * will be caused by an incorrect programming model and indicated by a * kernel message. + * + * Ends the authorization session on failure. */ -void tpm_buf_append_name(struct tpm_chip *chip, struct tpm_buf *buf, - u32 handle, u8 *name) +int tpm_buf_append_name(struct tpm_chip *chip, struct tpm_buf *buf, + u32 handle, u8 *name) { #ifdef CONFIG_TCG_TPM2_HMAC enum tpm2_mso_type mso = tpm2_handle_mso(handle); struct tpm2_auth *auth; int slot; + int ret; #endif if (!tpm2_chip_auth(chip)) { tpm_buf_append_handle(chip, buf, handle); - return; + return 0; } #ifdef CONFIG_TCG_TPM2_HMAC slot = (tpm_buf_length(buf) - TPM_HEADER_SIZE) / 4; if (slot >= AUTH_MAX_NAMES) { - dev_err(&chip->dev, "TPM: too many handles\n"); - return; + dev_err(&chip->dev, "too many handles\n"); + ret = -EIO; + goto err; } auth = chip->auth; - WARN(auth->session != tpm_buf_length(buf), - "name added in wrong place\n"); + if (auth->session != tpm_buf_length(buf)) { + dev_err(&chip->dev, "session state malformed"); + ret = -EIO; + goto err; + } tpm_buf_append_u32(buf, handle); auth->session += 4; if (mso == TPM2_MSO_PERSISTENT || mso == TPM2_MSO_VOLATILE || mso == TPM2_MSO_NVRAM) { - if (!name) - tpm2_read_public(chip, handle, auth->name[slot]); + if (!name) { + ret = tpm2_read_public(chip, handle, auth->name[slot]); + if (ret) + goto err; + } } else { - if (name) - dev_err(&chip->dev, "TPM: Handle does not require name but one is specified\n"); + if (name) { + dev_err(&chip->dev, "handle 0x%08x does not use a name\n", + handle); + ret = -EIO; + goto err; + } } auth->name_h[slot] = handle; - if (name) - memcpy(auth->name[slot], name, name_size(name)); + if (name) { + ret = name_size(name); + if (ret < 0) + goto err; + + memcpy(auth->name[slot], name, ret); + } +#endif + return 0; + +#ifdef CONFIG_TCG_TPM2_HMAC +err: + tpm2_end_auth_session(chip); + return tpm_ret_to_err(ret); #endif } EXPORT_SYMBOL_GPL(tpm_buf_append_name); @@ -533,11 +572,9 @@ static void tpm_buf_append_salt(struct tpm_buf *buf, struct tpm_chip *chip, * encryption key and encrypts the first parameter of the command * buffer with it. * - * As with most tpm_buf operations, success is assumed because failure - * will be caused by an incorrect programming model and indicated by a - * kernel message. + * Ends the authorization session on failure. */ -void tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf) +int tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf) { u32 cc, handles, val; struct tpm2_auth *auth = chip->auth; @@ -549,9 +586,12 @@ void tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf) u8 cphash[SHA256_DIGEST_SIZE]; struct sha256_ctx sctx; struct hmac_sha256_ctx hctx; + int ret; - if (!auth) - return; + if (!auth) { + ret = -EIO; + goto err; + } /* save the command code in BE format */ auth->ordinal = head->ordinal; @@ -560,9 +600,11 @@ void tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf) i = tpm2_find_cc(chip, cc); if (i < 0) { - dev_err(&chip->dev, "Command 0x%x not found in TPM\n", cc); - return; + dev_err(&chip->dev, "command 0x%08x not found\n", cc); + ret = -EIO; + goto err; } + attrs = chip->cc_attrs_tbl[i]; handles = (attrs >> TPM2_CC_ATTR_CHANDLES) & GENMASK(2, 0); @@ -576,9 +618,9 @@ void tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf) u32 handle = tpm_buf_read_u32(buf, &offset_s); if (auth->name_h[i] != handle) { - dev_err(&chip->dev, "TPM: handle %d wrong for name\n", - i); - return; + dev_err(&chip->dev, "invalid handle 0x%08x\n", handle); + ret = -EIO; + goto err; } } /* point offset_s to the start of the sessions */ @@ -609,12 +651,14 @@ void tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf) offset_s += len; } if (offset_s != offset_p) { - dev_err(&chip->dev, "TPM session length is incorrect\n"); - return; + dev_err(&chip->dev, "session length is incorrect\n"); + ret = -EIO; + goto err; } if (!hmac) { - dev_err(&chip->dev, "TPM could not find HMAC session\n"); - return; + dev_err(&chip->dev, "could not find HMAC session\n"); + ret = -EIO; + goto err; } /* encrypt before HMAC */ @@ -646,8 +690,11 @@ void tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf) if (mso == TPM2_MSO_PERSISTENT || mso == TPM2_MSO_VOLATILE || mso == TPM2_MSO_NVRAM) { - sha256_update(&sctx, auth->name[i], - name_size(auth->name[i])); + ret = name_size(auth->name[i]); + if (ret < 0) + goto err; + + sha256_update(&sctx, auth->name[i], ret); } else { __be32 h = cpu_to_be32(auth->name_h[i]); @@ -668,6 +715,11 @@ void tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf) hmac_sha256_update(&hctx, auth->tpm_nonce, sizeof(auth->tpm_nonce)); hmac_sha256_update(&hctx, &auth->attrs, 1); hmac_sha256_final(&hctx, hmac); + return 0; + +err: + tpm2_end_auth_session(chip); + return ret; } EXPORT_SYMBOL(tpm_buf_fill_hmac_session); diff --git a/include/linux/tpm.h b/include/linux/tpm.h index 3d8f7d1ce2b8..aa816b144ab3 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -529,8 +529,8 @@ static inline struct tpm2_auth *tpm2_chip_auth(struct tpm_chip *chip) #endif } -void tpm_buf_append_name(struct tpm_chip *chip, struct tpm_buf *buf, - u32 handle, u8 *name); +int tpm_buf_append_name(struct tpm_chip *chip, struct tpm_buf *buf, + u32 handle, u8 *name); void tpm_buf_append_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf, u8 attributes, u8 *passphrase, int passphraselen); @@ -563,7 +563,7 @@ static inline void tpm_buf_append_hmac_session_opt(struct tpm_chip *chip, #ifdef CONFIG_TCG_TPM2_HMAC int tpm2_start_auth_session(struct tpm_chip *chip); -void tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf); +int tpm_buf_fill_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf); int tpm_buf_check_hmac_response(struct tpm_chip *chip, struct tpm_buf *buf, int rc); void tpm2_end_auth_session(struct tpm_chip *chip); @@ -577,10 +577,13 @@ static inline int tpm2_start_auth_session(struct tpm_chip *chip) static inline void tpm2_end_auth_session(struct tpm_chip *chip) { } -static inline void tpm_buf_fill_hmac_session(struct tpm_chip *chip, - struct tpm_buf *buf) + +static inline int tpm_buf_fill_hmac_session(struct tpm_chip *chip, + struct tpm_buf *buf) { + return 0; } + static inline int tpm_buf_check_hmac_response(struct tpm_chip *chip, struct tpm_buf *buf, int rc) diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c index 8bc6efa8accb..5b205279584b 100644 --- a/security/keys/trusted-keys/trusted_tpm2.c +++ b/security/keys/trusted-keys/trusted_tpm2.c @@ -268,7 +268,10 @@ int tpm2_seal_trusted(struct tpm_chip *chip, goto out_put; } - tpm_buf_append_name(chip, &buf, options->keyhandle, NULL); + rc = tpm_buf_append_name(chip, &buf, options->keyhandle, NULL); + if (rc) + goto out; + tpm_buf_append_hmac_session(chip, &buf, TPM2_SA_DECRYPT, options->keyauth, TPM_DIGEST_SIZE); @@ -316,7 +319,10 @@ int tpm2_seal_trusted(struct tpm_chip *chip, goto out; } - tpm_buf_fill_hmac_session(chip, &buf); + rc = tpm_buf_fill_hmac_session(chip, &buf); + if (rc) + goto out; + rc = tpm_transmit_cmd(chip, &buf, 4, "sealing data"); rc = tpm_buf_check_hmac_response(chip, &buf, rc); if (rc) @@ -427,7 +433,10 @@ static int tpm2_load_cmd(struct tpm_chip *chip, return rc; } - tpm_buf_append_name(chip, &buf, options->keyhandle, NULL); + rc = tpm_buf_append_name(chip, &buf, options->keyhandle, NULL); + if (rc) + goto out; + tpm_buf_append_hmac_session(chip, &buf, 0, options->keyauth, TPM_DIGEST_SIZE); @@ -439,7 +448,10 @@ static int tpm2_load_cmd(struct tpm_chip *chip, goto out; } - tpm_buf_fill_hmac_session(chip, &buf); + rc = tpm_buf_fill_hmac_session(chip, &buf); + if (rc) + goto out; + rc = tpm_transmit_cmd(chip, &buf, 4, "loading blob"); rc = tpm_buf_check_hmac_response(chip, &buf, rc); if (!rc) @@ -484,7 +496,9 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip, return rc; } - tpm_buf_append_name(chip, &buf, blob_handle, NULL); + rc = tpm_buf_append_name(chip, &buf, options->keyhandle, NULL); + if (rc) + goto out; if (!options->policyhandle) { tpm_buf_append_hmac_session(chip, &buf, TPM2_SA_ENCRYPT, @@ -509,7 +523,10 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip, NULL, 0); } - tpm_buf_fill_hmac_session(chip, &buf); + rc = tpm_buf_fill_hmac_session(chip, &buf); + if (rc) + goto out; + rc = tpm_transmit_cmd(chip, &buf, 6, "unsealing"); rc = tpm_buf_check_hmac_response(chip, &buf, rc); -- 2.52.0

3 days, 17 hours

1
0
0 0

[PATCH v3 2/4] tpm2-sessions: Fix tpm2_read_public range checks

by Jarkko Sakkinen

'tpm2_read_public' has some rudimentary range checks but the function does not ensure that the response buffer has enough bytes for the full TPMT_HA payload. Re-implement the function with necessary checks and validation. Cc: stable(a)vger.kernel.org # v6.10+ Fixes: d0a25bb961e6 ("tpm: Add HMAC session name/handle append") Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> v2: - Made the fix localized instead of spread all over the place. --- drivers/char/tpm/tpm2-cmd.c | 3 ++ drivers/char/tpm/tpm2-sessions.c | 77 +++++++++++++++++--------------- 2 files changed, 44 insertions(+), 36 deletions(-) diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c index be4a9c7f2e1a..34e3599f094f 100644 --- a/drivers/char/tpm/tpm2-cmd.c +++ b/drivers/char/tpm/tpm2-cmd.c @@ -11,8 +11,11 @@ * used by the kernel internally. */ +#include "linux/dev_printk.h" +#include "linux/tpm.h" #include "tpm.h" #include <crypto/hash_info.h> +#include <linux/unaligned.h> static bool disable_pcr_integrity; module_param(disable_pcr_integrity, bool, 0444); diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index a265e9752a5e..e9f439be3916 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -163,54 +163,59 @@ static int name_size(const u8 *name) } } -static int tpm2_parse_read_public(char *name, struct tpm_buf *buf) +static int tpm2_read_public(struct tpm_chip *chip, u32 handle, void *name) { - struct tpm_header *head = (struct tpm_header *)buf->data; + u32 mso = tpm2_handle_mso(handle); off_t offset = TPM_HEADER_SIZE; - u32 tot_len = be32_to_cpu(head->length); - int ret; - u32 val; - - /* we're starting after the header so adjust the length */ - tot_len -= TPM_HEADER_SIZE; - - /* skip public */ - val = tpm_buf_read_u16(buf, &offset); - if (val > tot_len) - return -EINVAL; - offset += val; - /* name */ - - val = tpm_buf_read_u16(buf, &offset); - ret = name_size(&buf->data[offset]); - if (ret < 0) - return ret; + struct tpm_buf buf; + int rc, rc2; - if (val != ret) + if (mso != TPM2_MSO_PERSISTENT && mso != TPM2_MSO_VOLATILE && + mso != TPM2_MSO_NVRAM) return -EINVAL; - memcpy(name, &buf->data[offset], val); - /* forget the rest */ - return 0; -} - -static int tpm2_read_public(struct tpm_chip *chip, u32 handle, char *name) -{ - struct tpm_buf buf; - int rc; - rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_READ_PUBLIC); if (rc) return rc; tpm_buf_append_u32(&buf, handle); - rc = tpm_transmit_cmd(chip, &buf, 0, "read public"); - if (rc == TPM2_RC_SUCCESS) - rc = tpm2_parse_read_public(name, &buf); - tpm_buf_destroy(&buf); + rc = tpm_transmit_cmd(chip, &buf, 0, "TPM2_ReadPublic"); + if (rc) { + tpm_buf_destroy(&buf); + return tpm_ret_to_err(rc); + } - return rc; + /* Skip TPMT_PUBLIC: */ + offset += tpm_buf_read_u16(&buf, &offset); + + /* + * Ensure space for the length field of TPM2B_NAME and hashAlg field of + * TPMT_HA (the extra four bytes). + */ + if (offset + 4 > tpm_buf_length(&buf)) { + tpm_buf_destroy(&buf); + return -EIO; + } + + rc = tpm_buf_read_u16(&buf, &offset); + rc2 = name_size(&buf.data[offset]); + + if (rc2 < 0) + return rc2; + + if (rc != rc2) { + tpm_buf_destroy(&buf); + return -EIO; + } + + if (offset + rc > tpm_buf_length(&buf)) { + tpm_buf_destroy(&buf); + return -EIO; + } + + memcpy(name, &buf.data[offset], rc); + return 0; } #endif /* CONFIG_TCG_TPM2_HMAC */ -- 2.52.0

3 days, 18 hours

2
2
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror