- Linux-stable-mirror - lists.linaro.org

[PATCH] iommu/s390: Fix memory corruption when using identity domain

by Matthew Rosato

zpci_get_iommu_ctrs() returns counter information to be reported as part of device statistics; these counters are stored as part of the s390_domain. The problem, however, is that the identity domain is not backed by an s390_domain and so the conversion via to_s390_domain() yields a bad address that is zero'd initially and read on-demand later via a sysfs read. These counters aren't necessary for the identity domain; just return NULL in this case. This issue was discovered via KASAN with reports that look like: BUG: KASAN: global-out-of-bounds in zpci_fmb_enable_device when using the identity domain for a device on s390. Cc: stable(a)vger.kernel.org Fixes: 64af12c6ec3a ("iommu/s390: implement iommu passthrough via identity domain") Reported-by: Cam Miller <cam(a)linux.ibm.com> Signed-off-by: Matthew Rosato <mjrosato(a)linux.ibm.com> --- drivers/iommu/s390-iommu.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/iommu/s390-iommu.c b/drivers/iommu/s390-iommu.c index 9c80d61deb2c..d7370347c910 100644 --- a/drivers/iommu/s390-iommu.c +++ b/drivers/iommu/s390-iommu.c @@ -1032,7 +1032,8 @@ struct zpci_iommu_ctrs *zpci_get_iommu_ctrs(struct zpci_dev *zdev) lockdep_assert_held(&zdev->dom_lock); - if (zdev->s390_domain->type == IOMMU_DOMAIN_BLOCKED) + if (zdev->s390_domain->type == IOMMU_DOMAIN_BLOCKED || + zdev->s390_domain->type == IOMMU_DOMAIN_IDENTITY) return NULL; s390_domain = to_s390_domain(zdev->s390_domain); -- 2.50.1

1 day, 5 hours

5
4
0 0

Re: [PATCH] iommu/amd: Fix ivrs_base memleak in early_amd_iommu_init()

by Joerg Roedel

On Fri, Aug 22, 2025 at 10:49:15AM +0800, Zhen Ni wrote: > Fix a permanent ACPI table memory leak in early_amd_iommu_init() when > CMPXCHG16B feature is not supported > > Fixes: 82582f85ed22 ("iommu/amd: Disable AMD IOMMU if CMPXCHG16B feature is not supported") > Cc: stable(a)vger.kernel.org > Signed-off-by: Zhen Ni <zhen.ni(a)easystack.cn> > --- > drivers/iommu/amd/init.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) Applied for -rc, thanks.

1 day, 5 hours

1
0
0 0

[PATCH] crypto: aspeed - Fix dma_unmap_sg() direction

by Thomas Fourier

It seems like everywhere in this file, when the request is not bidirectional, req->src is mapped with DMA_TO_DEVICE and req->src is mapped with DMA_FROM_DEVICE. Fixes: 62f58b1637b7 ("crypto: aspeed - add HACE crypto driver") Cc: <stable(a)vger.kernel.org> Signed-off-by: Thomas Fourier <fourier.thomas(a)gmail.com> --- drivers/crypto/aspeed/aspeed-hace-crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/crypto/aspeed/aspeed-hace-crypto.c b/drivers/crypto/aspeed/aspeed-hace-crypto.c index a72dfebc53ff..fa201dae1f81 100644 --- a/drivers/crypto/aspeed/aspeed-hace-crypto.c +++ b/drivers/crypto/aspeed/aspeed-hace-crypto.c @@ -346,7 +346,7 @@ static int aspeed_sk_start_sg(struct aspeed_hace_dev *hace_dev) } else { dma_unmap_sg(hace_dev->dev, req->dst, rctx->dst_nents, - DMA_TO_DEVICE); + DMA_FROM_DEVICE); dma_unmap_sg(hace_dev->dev, req->src, rctx->src_nents, DMA_TO_DEVICE); } -- 2.43.0

1 day, 6 hours

1
0
0 0

[PATCH net-next v4] rds: ib: Remove unused extern definition

by Håkon Bugge

In the old days, RDS used FMR (Fast Memory Registration) to register IB MRs to be used by RDMA. A newer and better verbs based registration/de-registration method called FRWR (Fast Registration Work Request) was added to RDS by commit 1659185fb4d0 ("RDS: IB: Support Fastreg MR (FRMR) memory registration mode") in 2016. Detection and enablement of FRWR was done in commit 2cb2912d6563 ("RDS: IB: add Fastreg MR (FRMR) detection support"). But said commit added an extern bool prefer_frmr, which was not used by said commit - nor used by later commits. Hence, remove it. Signed-off-by: Håkon Bugge <haakon.bugge(a)oracle.com> Reviewed-by: Allison Henderson <allison.henderson(a)oracle.com> --- v3 -> v4: * Added Allison's r-b * Removed indentation for this section v2 -> v3: * As per Jakub's request, removed Cc: and Fixes: tags * Subject to net-next (instead of net) v1 -> v2: * Added commit message * Added Cc: stable(a)vger.kernel.org --- net/rds/ib_mr.h | 1 - 1 file changed, 1 deletion(-) diff --git a/net/rds/ib_mr.h b/net/rds/ib_mr.h index ea5e9aee4959e..5884de8c6f45b 100644 --- a/net/rds/ib_mr.h +++ b/net/rds/ib_mr.h @@ -108,7 +108,6 @@ struct rds_ib_mr_pool { }; extern struct workqueue_struct *rds_ib_mr_wq; -extern bool prefer_frmr; struct rds_ib_mr_pool *rds_ib_create_mr_pool(struct rds_ib_device *rds_dev, int npages); -- 2.43.5

1 day, 7 hours

1
0
0 0

[PATCH v2] i3c: Fix default I2C adapter timeout value

by Jarkko Nikula

Commit 3a379bbcea0a ("i3c: Add core I3C infrastructure") set the default adapter timeout for I2C transfers as 1000 (ms). However that parameter is defined in jiffies not in milliseconds. With mipi-i3c-hci driver this wasn't visible until commit c0a90eb55a69 ("i3c: mipi-i3c-hci: use adapter timeout value for I2C transfers"). Fix this by setting the default timeout as HZ (CONFIG_HZ) not 1000. Fixes: 1b84691e7870 ("i3c: dw: use adapter timeout value for I2C transfers") Fixes: be27ed672878 ("i3c: master: cdns: use adapter timeout value for I2C transfers") Fixes: c0a90eb55a69 ("i3c: mipi-i3c-hci: use adapter timeout value for I2C transfers") Fixes: a747e01adad2 ("i3c: master: svc: use adapter timeout value for I2C transfers") Fixes: d028219a9f14 ("i3c: master: Add basic driver for the Renesas I3C controller") Fixes: 3a379bbcea0a ("i3c: Add core I3C infrastructure") Cc: <stable(a)vger.kernel.org> # 6.17 Signed-off-by: Jarkko Nikula <jarkko.nikula(a)linux.intel.com> Reviewed-by: Frank Li <Frank.Li(a)nxp.com> Reviewed-by: Wolfram Sang <wsa+renesas(a)sang-engineering.com> --- v2: - Stable Cc'ed just in case. While the incorrect default timeout value was introduced back in v5.0 it became visible only due to commits in v6.17-rc1 and if CONFIG_HZ != 1000. - Added Fixes tag for the Renesas I3C controller. Thanks to Wolfram Sang <wsa+renesas(a)sang-engineering.com> for noticing. - Added Reviewed-by tags from Frank and Wolfram. --- drivers/i3c/master.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c index 2ef898a8fd80..67a18e437f83 100644 --- a/drivers/i3c/master.c +++ b/drivers/i3c/master.c @@ -2492,7 +2492,7 @@ static int i3c_master_i2c_adapter_init(struct i3c_master_controller *master) strscpy(adap->name, dev_name(master->dev.parent), sizeof(adap->name)); /* FIXME: Should we allow i3c masters to override these values? */ - adap->timeout = 1000; + adap->timeout = HZ; adap->retries = 3; id = of_alias_get_id(master->dev.of_node, "i2c"); -- 2.47.2

1 day, 8 hours

1
0
0 0

[PATCH] mm/memcg: v1: account event registrations and drop world-writable cgroup.event_control

by Stanislav Fort

In cgroup v1, the legacy cgroup.event_control file is world-writable and allows unprivileged users to register unbounded events and thresholds. Each registration allocates kernel memory without capping or memcg charging, which can be abused to exhaust kernel memory in affected configurations. Make the following minimal changes: - Account allocations with __GFP_ACCOUNT in event and threshold registration. - Remove CFTYPE_WORLD_WRITABLE from cgroup.event_control to make it owner-writable. This does not affect cgroup v2. Allocations are still subject to kmem accounting being enabled, but this reduces unbounded global growth. Reported-by: Stanislav Fort <disclosure(a)aisle.com> Acked-by: Johannes Weiner <hannes(a)cmpxchg.org> Cc: stable(a)vger.kernel.org Signed-off-by: Stanislav Fort <disclosure(a)aisle.com> --- mm/memcontrol-v1.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/mm/memcontrol-v1.c b/mm/memcontrol-v1.c index 4b94731305b9..9374785319ab 100644 --- a/mm/memcontrol-v1.c +++ b/mm/memcontrol-v1.c @@ -761,7 +761,7 @@ static int __mem_cgroup_usage_register_event(struct mem_cgroup *memcg, size = thresholds->primary ? thresholds->primary->size + 1 : 1; /* Allocate memory for new array of thresholds */ - new = kmalloc(struct_size(new, entries, size), GFP_KERNEL); + new = kmalloc(struct_size(new, entries, size), GFP_KERNEL | __GFP_ACCOUNT); if (!new) { ret = -ENOMEM; goto unlock; @@ -924,7 +924,7 @@ static int mem_cgroup_oom_register_event(struct mem_cgroup *memcg, { struct mem_cgroup_eventfd_list *event; - event = kmalloc(sizeof(*event), GFP_KERNEL); + event = kmalloc(sizeof(*event), GFP_KERNEL | __GFP_ACCOUNT); if (!event) return -ENOMEM; @@ -1087,7 +1087,7 @@ static ssize_t memcg_write_event_control(struct kernfs_open_file *of, CLASS(fd, cfile)(cfd); - event = kzalloc(sizeof(*event), GFP_KERNEL); + event = kzalloc(sizeof(*event), GFP_KERNEL | __GFP_ACCOUNT); if (!event) return -ENOMEM; @@ -2053,7 +2053,7 @@ struct cftype mem_cgroup_legacy_files[] = { { .name = "cgroup.event_control", /* XXX: for compat */ .write = memcg_write_event_control, - .flags = CFTYPE_NO_PREFIX | CFTYPE_WORLD_WRITABLE, + .flags = CFTYPE_NO_PREFIX, }, { .name = "swappiness", -- 2.39.3 (Apple Git-146)

1 day, 8 hours

4
4
0 0

[PATCH 6.1&6.6 0/3] kbuild: Avoid weak external linkage where possible

by Huacai Chen

Backport this series to 6.1&6.6 because LoongArch gets build errors with latest binutils which has commit 599df6e2db17d1c4 ("ld, LoongArch: print error about linking without -fPIC or -fPIE flag in more detail"). CC .vmlinux.export.o UPD include/generated/utsversion.h CC init/version-timestamp.o LD .tmp_vmlinux.kallsyms1 loongarch64-unknown-linux-gnu-ld: kernel/kallsyms.o:(.text+0): relocation R_LARCH_PCALA_HI20 against `kallsyms_markers` can not be used when making a PIE object; recompile with -fPIE loongarch64-unknown-linux-gnu-ld: kernel/crash_core.o:(.init.text+0x984): relocation R_LARCH_PCALA_HI20 against `kallsyms_names` can not be used when making a PIE object; recompile with -fPIE loongarch64-unknown-linux-gnu-ld: kernel/bpf/btf.o:(.text+0xcc7c): relocation R_LARCH_PCALA_HI20 against `__start_BTF` can not be used when making a PIE object; recompile with -fPIE loongarch64-unknown-linux-gnu-ld: BFD (GNU Binutils) 2.43.50.20241126 assertion fail ../../bfd/elfnn-loongarch.c:2673 In theory 5.10&5.15 also need this, but since LoongArch get upstream at 5.19, so I just ignore them because there is no error report about other archs now. Weak external linkage is intended for cases where a symbol reference can remain unsatisfied in the final link. Taking the address of such a symbol should yield NULL if the reference was not satisfied. Given that ordinary RIP or PC relative references cannot produce NULL, some kind of indirection is always needed in such cases, and in position independent code, this results in a GOT entry. In ordinary code, it is arch specific but amounts to the same thing. While unavoidable in some cases, weak references are currently also used to declare symbols that are always defined in the final link, but not in the first linker pass. This means we end up with worse codegen for no good reason. So let's clean this up, by providing preliminary definitions that are only used as a fallback. Ard Biesheuvel (3): kallsyms: Avoid weak references for kallsyms symbols vmlinux: Avoid weak reference to notes section btf: Avoid weak external references Signed-off-by: Ard Biesheuvel <ardb(a)kernel.org> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- include/asm-generic/vmlinux.lds.h | 28 ++++++++++++++++++ kernel/bpf/btf.c | 7 +++-- kernel/bpf/sysfs_btf.c | 6 ++-- kernel/kallsyms.c | 6 ---- kernel/kallsyms_internal.h | 30 ++++++++------------ kernel/ksysfs.c | 4 +-- lib/buildid.c | 4 +-- 7 files changed, 52 insertions(+), 33 deletions(-) --- 2.27.0

1 day, 9 hours

9
19
0 0

[PATCH] PCI: imx: fix device node reference leak in imx_pcie_probe

by Miaoqian Lin

As the doc of of_parse_phandle() states: "The device_node pointer with refcount incremented. Use * of_node_put() on it when done." Add missing of_node_put() after of_parse_phandle() call to properly release the device node reference. Found via static analysis. Fixes: 1df82ec46600 ("PCI: imx: Add workaround for e10728, IMX7d PCIe PLL failure") Cc: stable(a)vger.kernel.org Signed-off-by: Miaoqian Lin <linmq006(a)gmail.com> --- drivers/pci/controller/dwc/pci-imx6.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/pci/controller/dwc/pci-imx6.c b/drivers/pci/controller/dwc/pci-imx6.c index 80e48746bbaf..618bc4b08a8b 100644 --- a/drivers/pci/controller/dwc/pci-imx6.c +++ b/drivers/pci/controller/dwc/pci-imx6.c @@ -1636,6 +1636,7 @@ static int imx_pcie_probe(struct platform_device *pdev) struct resource res; ret = of_address_to_resource(np, 0, &res); + of_node_put(np); if (ret) { dev_err(dev, "Unable to map PCIe PHY\n"); return ret; -- 2.35.1

1 day, 9 hours

4
3
0 0

[PATCH v2 1/3] mmc: sdhci: Move the code related to setting the clock from sdhci_set_ios_common() into sdhci_set_ios()

by Ben Chuang

From: Ben Chuang <ben.chuang(a)genesyslogic.com.tw> The sdhci_set_clock() is called in sdhci_set_ios_common() and __sdhci_uhs2_set_ios(). According to Section 3.13.2 "Card Interface Detection Sequence" of the SD Host Controller Standard Specification Version 7.00, the SD clock is supplied after power is supplied, so we only need one in __sdhci_uhs2_set_ios(). Let's move the code related to setting the clock from sdhci_set_ios_common() into sdhci_set_ios(). Fixes: 10c8298a052b ("mmc: sdhci-uhs2: add set_ios()") Cc: stable(a)vger.kernel.org # v6.13+ Signed-off-by: Ben Chuang <ben.chuang(a)genesyslogic.com.tw> --- v2: add this patch v1: None --- drivers/mmc/host/sdhci.c | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/drivers/mmc/host/sdhci.c b/drivers/mmc/host/sdhci.c index 3a17821efa5c..ac7e11f37af7 100644 --- a/drivers/mmc/host/sdhci.c +++ b/drivers/mmc/host/sdhci.c @@ -2367,23 +2367,6 @@ void sdhci_set_ios_common(struct mmc_host *mmc, struct mmc_ios *ios) (ios->power_mode == MMC_POWER_UP) && !(host->quirks2 & SDHCI_QUIRK2_PRESET_VALUE_BROKEN)) sdhci_enable_preset_value(host, false); - - if (!ios->clock || ios->clock != host->clock) { - host->ops->set_clock(host, ios->clock); - host->clock = ios->clock; - - if (host->quirks & SDHCI_QUIRK_DATA_TIMEOUT_USES_SDCLK && - host->clock) { - host->timeout_clk = mmc->actual_clock ? - mmc->actual_clock / 1000 : - host->clock / 1000; - mmc->max_busy_timeout = - host->ops->get_max_timeout_count ? - host->ops->get_max_timeout_count(host) : - 1 << 27; - mmc->max_busy_timeout /= host->timeout_clk; - } - } } EXPORT_SYMBOL_GPL(sdhci_set_ios_common); @@ -2410,6 +2393,23 @@ void sdhci_set_ios(struct mmc_host *mmc, struct mmc_ios *ios) sdhci_set_ios_common(mmc, ios); + if (!ios->clock || ios->clock != host->clock) { + host->ops->set_clock(host, ios->clock); + host->clock = ios->clock; + + if (host->quirks & SDHCI_QUIRK_DATA_TIMEOUT_USES_SDCLK && + host->clock) { + host->timeout_clk = mmc->actual_clock ? + mmc->actual_clock / 1000 : + host->clock / 1000; + mmc->max_busy_timeout = + host->ops->get_max_timeout_count ? + host->ops->get_max_timeout_count(host) : + 1 << 27; + mmc->max_busy_timeout /= host->timeout_clk; + } + } + if (host->ops->set_power) host->ops->set_power(host, ios->power_mode, ios->vdd); else -- 2.51.0

1 day, 10 hours

1
2
0 0

[PATCH 6.1.y] drm/amd/display: Check link_res->hpo_dp_link_enc before using it

by alvalan9＠foxmail.com

From: Alex Hung <alex.hung(a)amd.com> [ Upstream commit 0beca868cde8742240cd0038141c30482d2b7eb8 ] [WHAT & HOW] Functions dp_enable_link_phy and dp_disable_link_phy can pass link_res without initializing hpo_dp_link_enc and it is necessary to check for null before dereferencing. This fixes 2 FORWARD_NULL issues reported by Coverity. Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira(a)amd.com> Signed-off-by: Jerry Zuo <jerry.zuo(a)amd.com> Signed-off-by: Alex Hung <alex.hung(a)amd.com> Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> [ Minor context change fixed. ] Signed-off-by: Alva Lan <alvalan9(a)foxmail.com> --- drivers/gpu/drm/amd/display/dc/link/link_hwss_hpo_dp.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/gpu/drm/amd/display/dc/link/link_hwss_hpo_dp.c b/drivers/gpu/drm/amd/display/dc/link/link_hwss_hpo_dp.c index 153a88381f2c..fd9809b17882 100644 --- a/drivers/gpu/drm/amd/display/dc/link/link_hwss_hpo_dp.c +++ b/drivers/gpu/drm/amd/display/dc/link/link_hwss_hpo_dp.c @@ -29,6 +29,8 @@ #include "dc_link_dp.h" #include "clk_mgr.h" +#define DC_LOGGER link->ctx->logger + static enum phyd32clk_clock_source get_phyd32clk_src(struct dc_link *link) { switch (link->link_enc->transmitter) { @@ -224,6 +226,11 @@ static void disable_hpo_dp_link_output(struct dc_link *link, const struct link_resource *link_res, enum signal_type signal) { + if (!link_res->hpo_dp_link_enc) { + DC_LOG_ERROR("%s: invalid hpo_dp_link_enc\n", __func__); + return; + } + if (IS_FPGA_MAXIMUS_DC(link->dc->ctx->dce_environment)) { disable_hpo_dp_fpga_link_output(link, link_res, signal); } else { -- 2.34.1

1 day, 11 hours

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror