- Linux-stable-mirror - lists.linaro.org

[PATCH 5.10 000/208] 5.10.240-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.10.240 release. There are 208 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 17 Jul 2025 13:07:32 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.240-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.10.240-rc1 Borislav Petkov <bp(a)kernel.org> x86/process: Move the buffer clearing before MONITOR Borislav Petkov <bp(a)kernel.org> KVM: SVM: Advertise TSA CPUID bits to guests Borislav Petkov <bp(a)kernel.org> KVM: x86: add support for CPUID leaf 0x80000021 Borislav Petkov <bp(a)kernel.org> x86/bugs: Add a Transient Scheduler Attacks mitigation Borislav Petkov <bp(a)kernel.org> x86/bugs: Rename MDS machinery to something more generic Jann Horn <jannh(a)google.com> x86/mm: Disable hugetlb page table sharing on 32-bit Dongli Zhang <dongli.zhang(a)oracle.com> vhost-scsi: protect vq->log_used with vq->mutex Hans de Goede <hdegoede(a)redhat.com> Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID Chia-Lin Kao (AceLan) <acelan.kao(a)canonical.com> HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Zhang Heng <zhangheng(a)kylinos.cn> HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Nicolas Pitre <npitre(a)baylibre.com> vt: add missing notification when switching back to text mode Xiaowei Li <xiaowei.li(a)simcom.com> net: usb: qmi_wwan: add SIMCom 8230C composition Tiwei Bie <tiwei.btw(a)antgroup.com> um: vector: Reduce stack usage in vector_eth_configure() Thomas Fourier <fourier.thomas(a)gmail.com> atm: idt77252: Add missing `dma_map_error()` Somnath Kotur <somnath.kotur(a)broadcom.com> bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Shravya KN <shravya.k-n(a)broadcom.com> bnxt_en: Fix DCB ETS validation Alok Tiwari <alok.a.tiwari(a)oracle.com> net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Sean Nyekjaer <sean(a)geanix.com> can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Oleksij Rempel <linux(a)rempel-privat.de> net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Kito Xu <veritas501(a)foxmail.com> net: appletalk: Fix device refcount leak in atrtr_create() Wang Jinchao <wangjinchao600(a)gmail.com> md/raid1: Fix stack memory use after return in raid1_reshape Daniil Dulov <d.dulov(a)aladdin.ru> wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() Christian König <christian.koenig(a)amd.com> dma-buf: fix timeout handling in dma_resv_wait_timeout v2 Nilton Perim Neto <niltonperimneto(a)gmail.com> Input: xpad - support Acer NGR 200 Controller Vicki Pfau <vi(a)endrift.com> Input: xpad - add VID for Turtle Beach controllers Matt Reynolds <mattreynolds(a)chromium.org> Input: xpad - add support for Amazon Game Controller Jakub Kicinski <kuba(a)kernel.org> netlink: make sure we allow at least one dump skb Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix rmem check in netlink_broadcast_deliver(). Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: mediatek: Ensure to disable clocks in error path Alexandre Belloni <alexandre.belloni(a)bootlin.com> rtc: lib_test: add MODULE_LICENSE Thomas Fourier <fourier.thomas(a)gmail.com> ethernet: atl1: Add missing DMA mapping error checks and count errors Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Revert "ACPI: battery: negate current when discharging" Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: u_serial: Fix race condition in TTY wakeup Matthew Brost <matthew.brost(a)intel.com> drm/sched: Increment job count before swapping tail spsc queue Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> pinctrl: qcom: msm: mark certain pins as invalid for interrupts JP Kobryn <inwardvessel(a)gmail.com> x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce: Don't remove sysfs if thresholding sysfs init fails Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Fix threshold limit reset Peter Zijlstra <peterz(a)infradead.org> x86/its: FineIBT-paranoid vs ITS Eric Biggers <ebiggers(a)google.com> x86/its: Fix build errors when CONFIG_MODULES=n Peter Zijlstra <peterz(a)infradead.org> x86/its: Use dynamic thunks for indirect branches Thomas Gleixner <tglx(a)linutronix.de> x86/modules: Set VM_FLUSH_RESET_PERMS in module_alloc() Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add "vmexit" option to skip mitigation on some CPUs Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Enable Indirect Target Selection mitigation Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Fix undefined reference to cpu_wants_rethunk_at() Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add support for ITS-safe return thunk Josh Poimboeuf <jpoimboe(a)kernel.org> x86/alternatives: Remove faulty optimization Borislav Petkov (AMD) <bp(a)alien8.de> x86/alternative: Optimize returns patching Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add support for ITS-safe indirect thunk Peter Zijlstra <peterz(a)infradead.org> x86/alternatives: Teach text_poke_bp() to patch Jcc.d32 instructions Peter Zijlstra <peterz(a)infradead.org> x86/alternatives: Introduce int3_emulate_jcc() Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Enumerate Indirect Target Selection (ITS) bug Daniel Sneddon <daniel.sneddon(a)linux.intel.com> x86/bhi: Define SPEC_CTRL_BHI_DIS_S Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Documentation: x86/bugs/its: Add ITS documentation David Howells <dhowells(a)redhat.com> rxrpc: Fix oops due to non-existence of prealloc backlog struct Oleg Nesterov <oleg(a)redhat.com> fs/proc: do_task_stat: use __for_each_thread() Victor Nogueira <victor(a)mojatatu.com> net/sched: Abort __tc_modify_qdisc if parent class does not exist Yue Haibing <yuehaibing(a)huawei.com> atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix infinite recursive call of clip_push(). Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix memory leak of struct clip_vcc. Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix potential null-ptr-deref in to_atmarpd(). Oleksij Rempel <linux(a)rempel-privat.de> net: phy: smsc: Fix link failure in forced mode with Auto-MDIX Oleksij Rempel <linux(a)rempel-privat.de> net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap Michal Luczaj <mhal(a)rbox.co> vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_* TOCTOU Andra Paraschiv <andraprs(a)amazon.com> af_vsock: Assign the vsock transport considering the vsock address flags Andra Paraschiv <andraprs(a)amazon.com> af_vsock: Set VMADDR_FLAG_TO_HOST flag on the receive path Andra Paraschiv <andraprs(a)amazon.com> vm_sockets: Add VMADDR_FLAG_TO_HOST vsock flag Andra Paraschiv <andraprs(a)amazon.com> vm_sockets: Add flags field in the vsock address data structure Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_{g2h,h2g} TOCTOU Kuniyuki Iwashima <kuniyu(a)google.com> tipc: Fix use-after-free in tipc_conn_close(). Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix wraparounds of sk->sk_rmem_alloc. Al Viro <viro(a)zeniv.linux.org.uk> fix proc_sys_compare() handling of in-lookup dentries Peter Zijlstra <peterz(a)infradead.org> perf: Revert to requiring CAP_SYS_ADMIN for uprobes Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Kaustabh Chakraborty <kauschluss(a)disroot.org> drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling Nathan Chancellor <nathan(a)kernel.org> staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Rollback non processed entities on error Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Send control events for partial succeeds Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Return the number of processed controls Seiji Nishikawa <snishika(a)redhat.com> ACPI: PAD: fix crash in exit_round_robin() Andrei Kuchynski <akuchynski(a)chromium.org> usb: typec: displayport: Fix potential deadlock Oliver Neukum <oneukum(a)suse.com> Logitech C-270 even more broken Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: dbc: Flush queued requests before stopping dbc Łukasz Bartosik <ukaszb(a)chromium.org> xhci: dbctty: disable ECHO flag by default Fushuai Wang <wangfushuai(a)baidu.com> dpaa2-eth: fix xdp_rxq_info leak Ioana Ciornei <ioana.ciornei(a)nxp.com> net: dpaa2-eth: rearrange variable in dpaa2_eth_get_ethtool_stats Radu Bulie <radu-andrei.bulie(a)nxp.com> dpaa2-eth: Update SINGLE_STEP register access Radu Bulie <radu-andrei.bulie(a)nxp.com> dpaa2-eth: Update dpni_get_single_step_cfg command Ioana Ciornei <ioana.ciornei(a)nxp.com> dpaa2-eth: rename dpaa2_eth_xdp_release_buf into dpaa2_eth_recycle_buf Filipe Manana <fdmanana(a)suse.com> btrfs: use btrfs_record_snapshot_destroy() during rmdir Filipe Manana <fdmanana(a)suse.com> btrfs: propagate last_unlink_trans earlier when doing a rmdir Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4/flexfiles: Fix handling of NFS level errors in I/O Tigran Mkrtchyan <tigran.mkrtchyan(a)desy.de> flexfiles/pNFS: update stats on NFS4ERR_DELAY for v4.1 DSes Patrisious Haddad <phaddad(a)nvidia.com> RDMA/mlx5: Fix vport loopback for MPV device Maíra Canal <mcanal(a)igalia.com> drm/v3d: Disable interrupts before resetting the GPU Sergey Senozhatsky <senozhatsky(a)chromium.org> mtk-sd: reset host->mrq on prepare_data() error Masami Hiramatsu (Google) <mhiramat(a)kernel.org> mtk-sd: Prevent memory corruption from DMA map failure Yue Hu <huyue2(a)yulong.com> mmc: mediatek: use data instead of mrq parameter from msdc_{un}prepare_data() Manivannan Sadhasivam <mani(a)kernel.org> regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods Uladzislau Rezki (Sony) <urezki(a)gmail.com> rcu: Return early if callback is not specified Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> ACPICA: Refuse to evaluate a method if arguments are missing Johannes Berg <johannes.berg(a)intel.com> wifi: ath6kl: remove WARN on bad firmware input Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: drop invalid source address OCB frames Maurizio Lombardi <mlombard(a)redhat.com> scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port() Madhavan Srinivasan <maddy(a)linux.ibm.com> powerpc: Fix struct termio related ioctl macros Johannes Berg <johannes.berg(a)intel.com> ata: pata_cs5536: fix build on 32-bit UML Takashi Iwai <tiwai(a)suse.de> ALSA: sb: Force to disable DMAs once when DMA mode is changed Lion Ackermann <nnamrec(a)gmail.com> net/sched: Always pass notifications when child class becomes empty Thomas Fourier <fourier.thomas(a)gmail.com> nui: Fix dma_mapping_error() check Kohei Enju <enjuk(a)amazon.com> rose: fix dangling neighbour pointers in rose_rt_device_down() Gustavo A. R. Silva <gustavoars(a)kernel.org> net: rose: Fix fall-through warnings for Clang Alok Tiwari <alok.a.tiwari(a)oracle.com> enic: fix incorrect MTU comparison in enic_change_mtu() Raju Rangoju <Raju.Rangoju(a)amd.com> amd-xgbe: align CL37 AN sequence as per databook Dan Carpenter <dan.carpenter(a)linaro.org> lib: test_objagg: Set error message in check_expect_hints_stats() Janusz Krzysztofik <janusz.krzysztofik(a)linux.intel.com> drm/i915/gt: Fix timeline left held on VMA alloc error Dan Carpenter <dan.carpenter(a)linaro.org> drm/i915/selftests: Change mock_request() to return error pointers James Clark <james.clark(a)linaro.org> spi: spi-fsl-dspi: Clear completion counter before initiating transfer Marek Szyprowski <m.szyprowski(a)samsung.com> drm/exynos: fimd: Guard display clock control with runtime PM calls Filipe Manana <fdmanana(a)suse.com> btrfs: fix missing error handling when searching for inode refs during log replay Patrisious Haddad <phaddad(a)nvidia.com> RDMA/mlx5: Fix CC counters query for MPV Bart Van Assche <bvanassche(a)acm.org> scsi: ufs: core: Fix spelling of a sysfs attribute name Thomas Fourier <fourier.thomas(a)gmail.com> scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu() Thomas Fourier <fourier.thomas(a)gmail.com> scsi: qla2xxx: Fix DMA mapping test in qla24xx_get_port_database() Benjamin Coddington <bcodding(a)redhat.com> NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN Kuniyuki Iwashima <kuniyu(a)google.com> nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails. Mark Zhang <markzhang(a)nvidia.com> RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert David Thompson <davthompson(a)nvidia.com> platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment Masami Hiramatsu (Google) <mhiramat(a)kernel.org> mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data RD Babiera <rdbabiera(a)google.com> usb: typec: altmodes/displayport: do not index invalid pin_assignments Ulf Hansson <ulf.hansson(a)linaro.org> Revert "mmc: sdhci: Disable SD card clock before changing parameters" Victor Shih <victor.shih(a)genesyslogic.com.tw> mmc: sdhci: Add a helper function for dump register in dynamic debug mode HarshaVardhana S A <harshavardhana.sa(a)broadcom.com> vsock/vmci: Clear the vmci transport packet properly when initializing it Mateusz Jończyk <mat.jonczyk(a)o2.pl> rtc: cmos: use spin_lock_irqsave in cmos_interrupt Dev Jain <dev.jain(a)arm.com> arm64: Restrict pagetable teardown to avoid false warning Brett A C Sheffield (Librecast) <bacs(a)librecast.net> Revert "ipv6: save dontfrag in cork" Nathan Chancellor <nathan(a)kernel.org> s390: Add '-std=gnu11' to decompressor and purgatory CFLAGS Dexuan Cui <decui(a)microsoft.com> PCI: hv: Do not set PCI_COMMAND_MEMORY to reduce VM boot time Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Check return value when getting default PHY config Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Fix connecting to next bridge Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Fix the clock variable for mode_valid() Jay Cornwall <jay.cornwall(a)amd.com> drm/amdkfd: Fix race in GWS queue scheduling Thomas Zimmermann <tzimmermann(a)suse.de> drm/udl: Unregister device before cleaning up on disconnect Qiu-ji Chen <chenqiuji666(a)gmail.com> drm/tegra: Fix a possible null pointer dereference Thierry Reding <treding(a)nvidia.com> drm/tegra: Assign plane type before registration Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix kobject reference count leak Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix memory leak on sysfs attribute creation failure Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix memory leak on kobject creation failure Mark Harmstone <maharmstone(a)fb.com> btrfs: update superblock's device bytes_used when dropping chunk Heinz Mauelshagen <heinzm(a)redhat.com> dm-raid: fix variable in journal device check Frédéric Danis <frederic.danis(a)collabora.com> Bluetooth: L2CAP: Fix L2CAP MTU negotiation Yao Zi <ziyao(a)disroot.org> dt-bindings: serial: 8250: Make clocks and clock-frequency exclusive Kuniyuki Iwashima <kuniyu(a)google.com> atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). Simon Horman <horms(a)kernel.org> net: enetc: Correct endianness handling in _enetc_rd_reg64 Tiwei Bie <tiwei.btw(a)antgroup.com> um: ubd: Add missing error check in start_io_thread() Stefano Garzarella <sgarzare(a)redhat.com> vsock/uapi: fix linux/vm_sockets.h userspace compilation errors Lachlan Hodges <lachlan.hodges(a)morsemicro.com> wifi: mac80211: fix beacon interval calculation overflow Yuan Chen <chenyuan(a)kylinos.cn> libbpf: Fix null pointer dereference in btf_dump__free on allocation failure Al Viro <viro(a)zeniv.linux.org.uk> attach_recursive_mnt(): do not lock the covering tree when sliding something under it Youngjun Lee <yjjuny.lee(a)samsung.com> ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() Eric Dumazet <edumazet(a)google.com> atm: clip: prevent NULL deref in clip_push() Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: robotfuzz-osif: disable zero-length read messages Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: tiny-usb: disable zero-length read messages Eric Dumazet <edumazet(a)google.com> net_sched: sch_sfq: reject invalid perturb period Niklas Cassel <cassel(a)kernel.org> PCI: cadence-ep: Correct PBA offset in .set_msix() callback Long Li <longli(a)microsoft.com> uio_hv_generic: Align ring size to system page Saurabh Sengar <ssengar(a)linux.microsoft.com> uio_hv_generic: Query the ringbuffer size for device Saurabh Sengar <ssengar(a)linux.microsoft.com> Drivers: hv: vmbus: Add utility function for querying ring size Vitaly Kuznetsov <vkuznets(a)redhat.com> Drivers: hv: Rename 'alloced' to 'allocated' Haiyang Zhang <haiyangz(a)microsoft.com> Drivers: hv: vmbus: Fix duplicate CPU assignments within a device Alexandru Ardelean <alexandru.ardelean(a)analog.com> uio: uio_hv_generic: use devm_kzalloc() for private data alloc Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction Weihang Li <liweihang(a)huawei.com> RDMA/core: Use refcount_t instead of atomic_t on refcount of iwcm_id_private Chao Yu <chao(a)kernel.org> f2fs: don't over-report free space or inodes in statvfs Brett Werling <brett.werling(a)garmin.com> can: tcan4x5x: fix power regulator retrieval during probe Marek Szyprowski <m.szyprowski(a)samsung.com> media: omap3isp: use sgtable-based scatterlist wrappers Vasiliy Kovalev <kovalev(a)altlinux.org> jfs: validate AG parameters in dbMount() to prevent crashes Dave Kleikamp <dave.kleikamp(a)oracle.com> fs/jfs: consolidate sanity checking in dbMount Amit Sunil Dhamne <amitsd(a)google.com> usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx() Junlin Yang <yangjunlin(a)yulong.com> usb: typec: tcpci_maxim: add terminating newlines to logging Junlin Yang <yangjunlin(a)yulong.com> usb: typec: tcpci_maxim: remove redundant assignment Badhri Jagan Sridharan <badhri(a)google.com> usb: typec: tcpci_maxim: Fix uninitialized return variable Wupeng Ma <mawupeng1(a)huawei.com> VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify George Kennedy <george.kennedy(a)oracle.com> VMCI: check context->notify_page after call to get_user_pages_fast() to avoid GPF Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix read_stb function and get_stb ioctl Dave Penkler <dpenkler(a)gmail.com> USB: usbtmc: Add USBTMC_IOCTL_GET_STB Dave Penkler <dpenkler(a)gmail.com> USB: usbtmc: Fix reading stale status byte Kees Cook <kees(a)kernel.org> ovl: Check for NULL d_inode() in ovl_dentry_upper() Dmitry Kandybka <d.kandybka(a)gmail.com> ceph: fix possible integer overflow in ceph_zero_objects() Vijendar Mukunda <Vijendar.Mukunda(a)amd.com> ALSA: hda: Add new pci id for AMD GPU display HD audio controller Cezary Rojewski <cezary.rojewski(a)intel.com> ALSA: hda: Ignore unsol events for cards being shut down Jos Wang <joswang(a)lenovo.com> usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode Robert Hodaszi <robert.hodaszi(a)digi.com> usb: cdc-wdm: avoid setting WDM_READ for ZLP-s Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> usb: Add checks for snprintf() calls in usb_alloc_dev() Chance Yang <chance.yang(a)kneron.us> usb: common: usb-conn-gpio: use a unique name for usb connector device Chen Yufeng <chenyufeng(a)iie.ac.cn> usb: potential integer overflow in usbg_make_tpg() Sami Tolvanen <samitolvanen(a)google.com> um: Add cmpxchg8b_emu and checksum functions to asm-prototypes.h Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: pressure: zpa2326: Use aligned_s64 for the timestamp Linggang Zeng <linggang.zeng(a)easystack.cn> bcache: fix NULL pointer in cache_set_flush() Yu Kuai <yukuai3(a)huawei.com> md/md-bitmap: fix dm-raid max_write_behind setting Thomas Gessler <thomas.gessler(a)brueckmann-gmbh.de> dmaengine: xilinx_dma: Set dma_device directions Alexis Czezar Torreno <alexisczezar.torreno(a)analog.com> hwmon: (pmbus/max34440) Fix support for max34451 Sven Schwermer <sven.schwermer(a)disruptive-technologies.com> leds: multicolor: Fix intensity setting while SW blinking Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> mfd: max14577: Fix wakeup source leaks on device unbind Peng Fan <peng.fan(a)nxp.com> mailbox: Not protect module_put with spin_lock_irqsave Olga Kornievskaia <okorniev(a)redhat.com> NFSv4.2: fix listxattr to return selinux security label Pali Rohár <pali(a)kernel.org> cifs: Fix cifs_query_path_info() for Windows NT servers ------------- Diffstat: Documentation/ABI/testing/sysfs-devices-system-cpu | 2 + Documentation/ABI/testing/sysfs-driver-ufs | 2 +- Documentation/admin-guide/hw-vuln/index.rst | 1 + .../hw-vuln/indirect-target-selection.rst | 156 +++++++++++ .../hw-vuln/processor_mmio_stale_data.rst | 4 +- Documentation/admin-guide/kernel-parameters.txt | 28 ++ Documentation/devicetree/bindings/serial/8250.yaml | 2 +- Makefile | 4 +- arch/arm64/mm/mmu.c | 3 +- arch/powerpc/include/uapi/asm/ioctls.h | 8 +- arch/s390/Makefile | 2 +- arch/s390/purgatory/Makefile | 2 +- arch/um/drivers/ubd_user.c | 2 +- arch/um/drivers/vector_kern.c | 42 +-- arch/um/include/asm/asm-prototypes.h | 5 + arch/x86/Kconfig | 22 +- arch/x86/entry/entry.S | 8 +- arch/x86/include/asm/alternative.h | 26 ++ arch/x86/include/asm/cpu.h | 13 + arch/x86/include/asm/cpufeature.h | 5 +- arch/x86/include/asm/cpufeatures.h | 14 +- arch/x86/include/asm/disabled-features.h | 2 +- arch/x86/include/asm/irqflags.h | 4 +- arch/x86/include/asm/msr-index.h | 13 +- arch/x86/include/asm/mwait.h | 19 +- arch/x86/include/asm/nospec-branch.h | 50 ++-- arch/x86/include/asm/required-features.h | 2 +- arch/x86/include/asm/text-patching.h | 31 +++ arch/x86/kernel/alternative.c | 308 ++++++++++++++++++++- arch/x86/kernel/cpu/amd.c | 58 ++++ arch/x86/kernel/cpu/bugs.c | 272 +++++++++++++++++- arch/x86/kernel/cpu/common.c | 77 +++++- arch/x86/kernel/cpu/mce/amd.c | 15 +- arch/x86/kernel/cpu/mce/core.c | 8 +- arch/x86/kernel/cpu/mce/intel.c | 1 + arch/x86/kernel/cpu/scattered.c | 1 + arch/x86/kernel/ftrace.c | 4 +- arch/x86/kernel/kprobes/core.c | 39 +-- arch/x86/kernel/module.c | 14 +- arch/x86/kernel/process.c | 15 +- arch/x86/kernel/static_call.c | 2 +- arch/x86/kernel/vmlinux.lds.S | 8 + arch/x86/kvm/cpuid.c | 31 ++- arch/x86/kvm/cpuid.h | 1 + arch/x86/kvm/svm/vmenter.S | 3 + arch/x86/kvm/vmx/vmx.c | 2 +- arch/x86/kvm/x86.c | 4 +- arch/x86/lib/retpoline.S | 39 +++ arch/x86/net/bpf_jit_comp.c | 8 +- arch/x86/um/asm/checksum.h | 3 + drivers/acpi/acpi_pad.c | 7 +- drivers/acpi/acpica/dsmethod.c | 7 + drivers/acpi/battery.c | 19 +- drivers/ata/pata_cs5536.c | 2 +- drivers/atm/idt77252.c | 5 + drivers/base/cpu.c | 10 + drivers/dma-buf/dma-resv.c | 2 +- drivers/dma/xilinx/xilinx_dma.c | 2 + drivers/gpu/drm/amd/amdkfd/kfd_packet_manager_v9.c | 2 +- drivers/gpu/drm/bridge/cdns-dsi.c | 27 +- drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 + drivers/gpu/drm/exynos/exynos_drm_fimd.c | 12 + drivers/gpu/drm/i915/gt/intel_ring_submission.c | 3 +- drivers/gpu/drm/i915/selftests/i915_request.c | 20 +- drivers/gpu/drm/i915/selftests/mock_request.c | 2 +- drivers/gpu/drm/tegra/dc.c | 17 +- drivers/gpu/drm/tegra/hub.c | 4 +- drivers/gpu/drm/tegra/hub.h | 3 +- drivers/gpu/drm/udl/udl_drv.c | 2 +- drivers/gpu/drm/v3d/v3d_drv.h | 7 + drivers/gpu/drm/v3d/v3d_gem.c | 2 + drivers/gpu/drm/v3d/v3d_irq.c | 38 ++- drivers/hid/hid-ids.h | 5 + drivers/hid/hid-quirks.c | 3 + drivers/hid/wacom_sys.c | 6 +- drivers/hv/channel_mgmt.c | 121 +++++--- drivers/hv/hyperv_vmbus.h | 19 +- drivers/hv/vmbus_drv.c | 2 +- drivers/hwmon/pmbus/max34440.c | 48 +++- drivers/i2c/busses/i2c-robotfuzz-osif.c | 6 + drivers/i2c/busses/i2c-tiny-usb.c | 6 + drivers/iio/pressure/zpa2326.c | 2 +- drivers/infiniband/core/iwcm.c | 38 +-- drivers/infiniband/core/iwcm.h | 2 +- drivers/infiniband/hw/mlx5/counters.c | 2 +- drivers/infiniband/hw/mlx5/devx.c | 2 +- drivers/infiniband/hw/mlx5/main.c | 33 +++ drivers/input/joystick/xpad.c | 5 + drivers/input/keyboard/atkbd.c | 3 +- drivers/leds/led-class-multicolor.c | 3 +- drivers/mailbox/mailbox.c | 2 +- drivers/md/bcache/super.c | 7 +- drivers/md/dm-raid.c | 2 +- drivers/md/md-bitmap.c | 2 +- drivers/md/raid1.c | 1 + drivers/media/platform/omap3isp/ispccdc.c | 8 +- drivers/media/platform/omap3isp/ispstat.c | 6 +- drivers/media/usb/uvc/uvc_ctrl.c | 61 ++-- drivers/mfd/max14577.c | 1 + drivers/misc/vmw_vmci/vmci_host.c | 9 +- drivers/mmc/host/mtk-sd.c | 39 ++- drivers/mmc/host/sdhci.c | 9 +- drivers/mmc/host/sdhci.h | 16 ++ drivers/net/can/m_can/m_can.c | 2 +- drivers/net/can/m_can/tcan4x5x.c | 9 +- drivers/net/ethernet/amd/xgbe/xgbe-common.h | 2 + drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 9 + drivers/net/ethernet/amd/xgbe/xgbe.h | 4 +- drivers/net/ethernet/atheros/atlx/atl1.c | 78 ++++-- drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 + drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 +- drivers/net/ethernet/cisco/enic/enic_main.c | 4 +- drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 141 ++++++++-- drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.h | 20 +- .../net/ethernet/freescale/dpaa2/dpaa2-ethtool.c | 18 +- drivers/net/ethernet/freescale/dpaa2/dpni-cmd.h | 6 +- drivers/net/ethernet/freescale/dpaa2/dpni.c | 2 + drivers/net/ethernet/freescale/dpaa2/dpni.h | 6 + drivers/net/ethernet/freescale/enetc/enetc_hw.h | 2 +- drivers/net/ethernet/sun/niu.c | 31 ++- drivers/net/ethernet/sun/niu.h | 4 + drivers/net/ethernet/xilinx/ll_temac_main.c | 2 +- drivers/net/phy/microchip.c | 2 +- drivers/net/phy/smsc.c | 28 +- drivers/net/usb/qmi_wwan.c | 1 + drivers/net/wireless/ath/ath6kl/bmi.c | 4 +- drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 +- drivers/pci/controller/cadence/pcie-cadence-ep.c | 5 +- drivers/pci/controller/pci-hyperv.c | 17 +- drivers/pinctrl/qcom/pinctrl-msm.c | 20 ++ drivers/platform/mellanox/mlxbf-tmfifo.c | 3 +- drivers/pwm/pwm-mediatek.c | 15 +- drivers/regulator/gpio-regulator.c | 4 +- drivers/rtc/lib_test.c | 2 + drivers/rtc/rtc-cmos.c | 10 +- drivers/scsi/qla2xxx/qla_mbx.c | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 2 + drivers/scsi/ufs/ufs-sysfs.c | 4 +- drivers/spi/spi-fsl-dspi.c | 11 +- drivers/staging/rtl8723bs/core/rtw_security.c | 46 +-- drivers/target/target_core_pr.c | 4 +- drivers/tty/vt/vt.c | 1 + drivers/uio/uio_hv_generic.c | 18 +- drivers/usb/class/cdc-wdm.c | 23 +- drivers/usb/class/usbtmc.c | 53 ++-- drivers/usb/common/usb-conn-gpio.c | 25 +- drivers/usb/core/quirks.c | 3 +- drivers/usb/core/usb.c | 14 +- drivers/usb/gadget/function/f_tcm.c | 4 +- drivers/usb/gadget/function/u_serial.c | 6 +- drivers/usb/host/xhci-dbgcap.c | 4 + drivers/usb/host/xhci-dbgtty.c | 1 + drivers/usb/typec/altmodes/displayport.c | 5 +- drivers/usb/typec/tcpm/tcpci_maxim.c | 20 +- drivers/vhost/scsi.c | 7 +- fs/btrfs/inode.c | 36 +-- fs/btrfs/tree-log.c | 4 +- fs/btrfs/volumes.c | 6 + fs/ceph/file.c | 2 +- fs/cifs/misc.c | 8 + fs/f2fs/super.c | 30 +- fs/jfs/jfs_dmap.c | 41 +-- fs/namespace.c | 8 +- fs/nfs/flexfilelayout/flexfilelayout.c | 121 +++++--- fs/nfs/inode.c | 17 +- fs/nfs/nfs4proc.c | 12 +- fs/nfs/pnfs.c | 4 +- fs/overlayfs/util.c | 4 +- fs/proc/array.c | 6 +- fs/proc/inode.c | 2 +- fs/proc/proc_sysctl.c | 18 +- include/drm/spsc_queue.h | 4 +- include/linux/cpu.h | 3 + include/linux/hyperv.h | 2 + include/linux/ipv6.h | 1 - include/linux/module.h | 5 + include/linux/usb/typec_dp.h | 1 + include/uapi/linux/usb/tmc.h | 2 + include/uapi/linux/vm_sockets.h | 30 +- kernel/events/core.c | 2 +- kernel/rcu/tree.c | 4 + lib/test_objagg.c | 4 +- net/appletalk/ddp.c | 1 + net/atm/clip.c | 75 +++-- net/atm/resources.c | 3 +- net/bluetooth/l2cap_core.c | 9 +- net/ipv6/ip6_output.c | 9 +- net/mac80211/rx.c | 4 + net/mac80211/util.c | 2 +- net/netlink/af_netlink.c | 90 +++--- net/rose/rose_route.c | 15 +- net/rxrpc/call_accept.c | 3 + net/sched/sch_api.c | 42 +-- net/sched/sch_sfq.c | 10 +- net/tipc/topsrv.c | 2 + net/vmw_vsock/af_vsock.c | 78 +++++- net/vmw_vsock/vmci_transport.c | 4 +- sound/isa/sb/sb16_main.c | 4 + sound/pci/hda/hda_bind.c | 2 +- sound/pci/hda/hda_intel.c | 3 + sound/soc/fsl/fsl_asrc.c | 3 +- sound/usb/stream.c | 2 + tools/lib/bpf/btf_dump.c | 3 + 203 files changed, 2697 insertions(+), 809 deletions(-)

4 hours, 37 minutes

5
213
0 0

[PATCH v3 7/7] Revert "drm/gem-dma: Use dma_buf from GEM object instance"

by Thomas Zimmermann

This reverts commit e8afa1557f4f963c9a511bd2c6074a941c308685. The dma_buf field in struct drm_gem_object is not stable over the object instance's lifetime. The field becomes NULL when user space releases the final GEM handle on the buffer object. This resulted in a NULL-pointer deref. Workarounds in commit 5307dce878d4 ("drm/gem: Acquire references on GEM handles for framebuffers") and commit f6bfc9afc751 ("drm/framebuffer: Acquire internal references on GEM handles") only solved the problem partially. They especially don't work for buffer objects without a DRM framebuffer associated. Hence, this revert to going back to using .import_attach->dmabuf. v3: - cc stable Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Reviewed-by: Simona Vetter <simona.vetter(a)ffwll.ch> Acked-by: Christian König <christian.koenig(a)amd.com> Cc: <stable(a)vger.kernel.org> # v6.15+ --- drivers/gpu/drm/drm_gem_dma_helper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_gem_dma_helper.c b/drivers/gpu/drm/drm_gem_dma_helper.c index b7f033d4352a..4f0320df858f 100644 --- a/drivers/gpu/drm/drm_gem_dma_helper.c +++ b/drivers/gpu/drm/drm_gem_dma_helper.c @@ -230,7 +230,7 @@ void drm_gem_dma_free(struct drm_gem_dma_object *dma_obj) if (drm_gem_is_imported(gem_obj)) { if (dma_obj->vaddr) - dma_buf_vunmap_unlocked(gem_obj->dma_buf, &map); + dma_buf_vunmap_unlocked(gem_obj->import_attach->dmabuf, &map); drm_prime_gem_destroy(gem_obj, dma_obj->sgt); } else if (dma_obj->vaddr) { if (dma_obj->map_noncoherent) -- 2.50.0

4 hours, 56 minutes

1
0
0 0

[PATCH v3 6/7] Revert "drm/gem-shmem: Use dma_buf from GEM object instance"

by Thomas Zimmermann

This reverts commit 1a148af06000e545e714fe3210af3d77ff903c11. The dma_buf field in struct drm_gem_object is not stable over the object instance's lifetime. The field becomes NULL when user space releases the final GEM handle on the buffer object. This resulted in a NULL-pointer deref. Workarounds in commit 5307dce878d4 ("drm/gem: Acquire references on GEM handles for framebuffers") and commit f6bfc9afc751 ("drm/framebuffer: Acquire internal references on GEM handles") only solved the problem partially. They especially don't work for buffer objects without a DRM framebuffer associated. Hence, this revert to going back to using .import_attach->dmabuf. v3: - cc stable Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Reviewed-by: Simona Vetter <simona.vetter(a)ffwll.ch> Acked-by: Christian König <christian.koenig(a)amd.com> Cc: <stable(a)vger.kernel.org> # v6.15+ --- drivers/gpu/drm/drm_gem_shmem_helper.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/drm_gem_shmem_helper.c b/drivers/gpu/drm/drm_gem_shmem_helper.c index 8ac0b1fa5287..5d1349c34afd 100644 --- a/drivers/gpu/drm/drm_gem_shmem_helper.c +++ b/drivers/gpu/drm/drm_gem_shmem_helper.c @@ -351,7 +351,7 @@ int drm_gem_shmem_vmap_locked(struct drm_gem_shmem_object *shmem, dma_resv_assert_held(obj->resv); if (drm_gem_is_imported(obj)) { - ret = dma_buf_vmap(obj->dma_buf, map); + ret = dma_buf_vmap(obj->import_attach->dmabuf, map); } else { pgprot_t prot = PAGE_KERNEL; @@ -413,7 +413,7 @@ void drm_gem_shmem_vunmap_locked(struct drm_gem_shmem_object *shmem, dma_resv_assert_held(obj->resv); if (drm_gem_is_imported(obj)) { - dma_buf_vunmap(obj->dma_buf, map); + dma_buf_vunmap(obj->import_attach->dmabuf, map); } else { dma_resv_assert_held(shmem->base.resv); -- 2.50.0

4 hours, 56 minutes

1
0
0 0

[PATCH v3 5/7] Revert "drm/gem-framebuffer: Use dma_buf from GEM object instance"

by Thomas Zimmermann

This reverts commit cce16fcd7446dcff7480cd9d2b6417075ed81065. The dma_buf field in struct drm_gem_object is not stable over the object instance's lifetime. The field becomes NULL when user space releases the final GEM handle on the buffer object. This resulted in a NULL-pointer deref. Workarounds in commit 5307dce878d4 ("drm/gem: Acquire references on GEM handles for framebuffers") and commit f6bfc9afc751 ("drm/framebuffer: Acquire internal references on GEM handles") only solved the problem partially. They especially don't work for buffer objects without a DRM framebuffer associated. Hence, this revert to going back to using .import_attach->dmabuf. v3: - cc stable Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Reviewed-by: Simona Vetter <simona.vetter(a)ffwll.ch> Acked-by: Christian König <christian.koenig(a)amd.com> Cc: <stable(a)vger.kernel.org> # v6.15+ --- drivers/gpu/drm/drm_gem_framebuffer_helper.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/drm_gem_framebuffer_helper.c b/drivers/gpu/drm/drm_gem_framebuffer_helper.c index 618ce725cd75..fefb2a0f6b40 100644 --- a/drivers/gpu/drm/drm_gem_framebuffer_helper.c +++ b/drivers/gpu/drm/drm_gem_framebuffer_helper.c @@ -420,6 +420,7 @@ EXPORT_SYMBOL(drm_gem_fb_vunmap); static void __drm_gem_fb_end_cpu_access(struct drm_framebuffer *fb, enum dma_data_direction dir, unsigned int num_planes) { + struct dma_buf_attachment *import_attach; struct drm_gem_object *obj; int ret; @@ -428,9 +429,10 @@ static void __drm_gem_fb_end_cpu_access(struct drm_framebuffer *fb, enum dma_dat obj = drm_gem_fb_get_obj(fb, num_planes); if (!obj) continue; + import_attach = obj->import_attach; if (!drm_gem_is_imported(obj)) continue; - ret = dma_buf_end_cpu_access(obj->dma_buf, dir); + ret = dma_buf_end_cpu_access(import_attach->dmabuf, dir); if (ret) drm_err(fb->dev, "dma_buf_end_cpu_access(%u, %d) failed: %d\n", ret, num_planes, dir); @@ -453,6 +455,7 @@ static void __drm_gem_fb_end_cpu_access(struct drm_framebuffer *fb, enum dma_dat */ int drm_gem_fb_begin_cpu_access(struct drm_framebuffer *fb, enum dma_data_direction dir) { + struct dma_buf_attachment *import_attach; struct drm_gem_object *obj; unsigned int i; int ret; @@ -463,9 +466,10 @@ int drm_gem_fb_begin_cpu_access(struct drm_framebuffer *fb, enum dma_data_direct ret = -EINVAL; goto err___drm_gem_fb_end_cpu_access; } + import_attach = obj->import_attach; if (!drm_gem_is_imported(obj)) continue; - ret = dma_buf_begin_cpu_access(obj->dma_buf, dir); + ret = dma_buf_begin_cpu_access(import_attach->dmabuf, dir); if (ret) goto err___drm_gem_fb_end_cpu_access; } -- 2.50.0

4 hours, 56 minutes

1
0
0 0

[PATCH v3 4/7] Revert "drm/prime: Use dma_buf from GEM object instance"

by Thomas Zimmermann

This reverts commit f83a9b8c7fd0557b0c50784bfdc1bbe9140c9bf8. The dma_buf field in struct drm_gem_object is not stable over the object instance's lifetime. The field becomes NULL when user space releases the final GEM handle on the buffer object. This resulted in a NULL-pointer deref. Workarounds in commit 5307dce878d4 ("drm/gem: Acquire references on GEM handles for framebuffers") and commit f6bfc9afc751 ("drm/framebuffer: Acquire internal references on GEM handles") only solved the problem partially. They especially don't work for buffer objects without a DRM framebuffer associated. Hence, this revert to going back to using .import_attach->dmabuf. v3: - cc stable Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Reviewed-by: Simona Vetter <simona.vetter(a)ffwll.ch> Acked-by: Christian König <christian.koenig(a)amd.com> Cc: <stable(a)vger.kernel.org> # v6.15+ --- drivers/gpu/drm/drm_prime.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_prime.c b/drivers/gpu/drm/drm_prime.c index b703f83874e1..a23fc712a8b7 100644 --- a/drivers/gpu/drm/drm_prime.c +++ b/drivers/gpu/drm/drm_prime.c @@ -453,7 +453,13 @@ struct dma_buf *drm_gem_prime_handle_to_dmabuf(struct drm_device *dev, } mutex_lock(&dev->object_name_lock); - /* re-export the original imported/exported object */ + /* re-export the original imported object */ + if (obj->import_attach) { + dmabuf = obj->import_attach->dmabuf; + get_dma_buf(dmabuf); + goto out_have_obj; + } + if (obj->dma_buf) { get_dma_buf(obj->dma_buf); dmabuf = obj->dma_buf; -- 2.50.0

4 hours, 56 minutes

1
0
0 0

[PATCH v2 1/1] x86/fred: Remove ENDBR64 from FRED entry points

by Xin Li (Intel)

The FRED specification v9.0 states that there is no need for FRED event handlers to begin with ENDBR64, because in the presence of supervisor indirect branch tracking, FRED event delivery does not enter the WAIT_FOR_ENDBRANCH state. As a result, remove ENDBR64 from FRED entry points. Then add ANNOTATE_NOENDBR to indicate that FRED entry points will never be used for indirect calls to suppress an objtool warning. This change implies that any indirect CALL/JMP to FRED entry points causes #CP in the presence of supervisor indirect branch tracking. Credit goes to Jennifer Miller <jmill(a)asu.edu> and other contributors from Arizona State University whose work led to this change. Fixes: 14619d912b65 ("x86/fred: FRED entry/exit and dispatch code") Link: https://lore.kernel.org/linux-hardening/Z60NwR4w%2F28Z7XUa@ubun/ Reviewed-by: H. Peter Anvin (Intel) <hpa(a)zytor.com> Signed-off-by: Xin Li (Intel) <xin(a)zytor.com> Cc: Jennifer Miller <jmill(a)asu.edu> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Andrew Cooper <andrew.cooper3(a)citrix.com> Cc: H. Peter Anvin <hpa(a)zytor.com> Cc: stable(a)vger.kernel.org # v6.9+ --- Change in v2: *) CC stable and add a fixes tag (PeterZ). --- arch/x86/entry/entry_64_fred.S | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/entry/entry_64_fred.S b/arch/x86/entry/entry_64_fred.S index 29c5c32c16c3..907bd233c6c1 100644 --- a/arch/x86/entry/entry_64_fred.S +++ b/arch/x86/entry/entry_64_fred.S @@ -16,7 +16,7 @@ .macro FRED_ENTER UNWIND_HINT_END_OF_STACK - ENDBR + ANNOTATE_NOENDBR PUSH_AND_CLEAR_REGS movq %rsp, %rdi /* %rdi -> pt_regs */ .endm -- 2.50.1

5 hours, 2 minutes

1
0
0 0

[PATCH net] hv_netvsc: Switch VF namespace in netvsc_open instead

by Haiyang Zhang

From: Haiyang Zhang <haiyangz(a)microsoft.com> The existing code move the VF NIC to new namespace when NETDEV_REGISTER is received on netvsc NIC. During deletion of the namespace, default_device_exit_batch() >> default_device_exit_net() is called. When netvsc NIC is moved back and registered to the default namespace, it automatically brings VF NIC back to the default namespace. This will cause the default_device_exit_net() >> for_each_netdev_safe loop unable to detect the list end, and hit NULL ptr: [ 231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0 [ 231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010 [ 231.450246] #PF: supervisor read access in kernel mode [ 231.450579] #PF: error_code(0x0000) - not-present page [ 231.450916] PGD 17b8a8067 P4D 0 [ 231.451163] Oops: Oops: 0000 [#1] SMP NOPTI [ 231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY [ 231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024 [ 231.452692] Workqueue: netns cleanup_net [ 231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0 [ 231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 <48> 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00 [ 231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246 [ 231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb [ 231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564 [ 231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000 [ 231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340 [ 231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340 [ 231.457161] FS: 0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000 [ 231.457707] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0 [ 231.458434] Call Trace: [ 231.458600] <TASK> [ 231.458777] ops_undo_list+0x100/0x220 [ 231.459015] cleanup_net+0x1b8/0x300 [ 231.459285] process_one_work+0x184/0x340 To fix it, move the VF namespace switching code from the NETDEV_REGISTER event handler to netvsc_open(). Cc: stable(a)vger.kernel.org Fixes: 4c262801ea60 ("hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event") Reported-by: Cathy Avery <cavery(a)redhat.com> Signed-off-by: Haiyang Zhang <haiyangz(a)microsoft.com> --- drivers/net/hyperv/netvsc_drv.c | 43 ++++++++++----------------------- 1 file changed, 13 insertions(+), 30 deletions(-) diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c index 42d98e99566e..074ecc346108 100644 --- a/drivers/net/hyperv/netvsc_drv.c +++ b/drivers/net/hyperv/netvsc_drv.c @@ -135,6 +135,19 @@ static int netvsc_open(struct net_device *net) } if (vf_netdev) { + if (!net_eq(dev_net(net), dev_net(vf_netdev))) { + ret = dev_change_net_namespace(vf_netdev, dev_net(net), + "eth%d"); + if (ret) + netdev_err(vf_netdev, + "Cannot move to same ns as %s: %d\n", + net->name, ret); + else + netdev_info(vf_netdev, + "Moved VF to namespace with: %s\n", + net->name); + } + /* Setting synthetic device up transparently sets * slave as up. If open fails, then slave will be * still be offline (and not used). @@ -2772,31 +2785,6 @@ static struct hv_driver netvsc_drv = { }, }; -/* Set VF's namespace same as the synthetic NIC */ -static void netvsc_event_set_vf_ns(struct net_device *ndev) -{ - struct net_device_context *ndev_ctx = netdev_priv(ndev); - struct net_device *vf_netdev; - int ret; - - vf_netdev = rtnl_dereference(ndev_ctx->vf_netdev); - if (!vf_netdev) - return; - - if (!net_eq(dev_net(ndev), dev_net(vf_netdev))) { - ret = dev_change_net_namespace(vf_netdev, dev_net(ndev), - "eth%d"); - if (ret) - netdev_err(vf_netdev, - "Cannot move to same namespace as %s: %d\n", - ndev->name, ret); - else - netdev_info(vf_netdev, - "Moved VF to namespace with: %s\n", - ndev->name); - } -} - /* * On Hyper-V, every VF interface is matched with a corresponding * synthetic interface. The synthetic interface is presented first @@ -2809,11 +2797,6 @@ static int netvsc_netdev_event(struct notifier_block *this, struct net_device *event_dev = netdev_notifier_info_to_dev(ptr); int ret = 0; - if (event_dev->netdev_ops == &device_ops && event == NETDEV_REGISTER) { - netvsc_event_set_vf_ns(event_dev); - return NOTIFY_DONE; - } - ret = check_dev_is_matching_vf(event_dev); if (ret != 0) return NOTIFY_DONE; -- 2.34.1

5 hours, 5 minutes

3
2
0 0

[PATCH] net: 9p: fix double req put in p9_fd_cancelled

by Nalivayko Sergey

Syzkaller reports a KASAN issue as below: general protection fault, probably for non-canonical address 0xfbd59c0000000021: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: maybe wild-memory-access in range [0xdead000000000108-0xdead00000000010f] CPU: 0 PID: 5083 Comm: syz-executor.2 Not tainted 6.1.134-syzkaller-00037-g855bd1d7d838 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:__list_del include/linux/list.h:114 [inline] RIP: 0010:__list_del_entry include/linux/list.h:137 [inline] RIP: 0010:list_del include/linux/list.h:148 [inline] RIP: 0010:p9_fd_cancelled+0xe9/0x200 net/9p/trans_fd.c:734 Call Trace: <TASK> p9_client_flush+0x351/0x440 net/9p/client.c:614 p9_client_rpc+0xb6b/0xc70 net/9p/client.c:734 p9_client_version net/9p/client.c:920 [inline] p9_client_create+0xb51/0x1240 net/9p/client.c:1027 v9fs_session_init+0x1f0/0x18f0 fs/9p/v9fs.c:408 v9fs_mount+0xba/0xcb0 fs/9p/vfs_super.c:126 legacy_get_tree+0x108/0x220 fs/fs_context.c:632 vfs_get_tree+0x8e/0x300 fs/super.c:1573 do_new_mount fs/namespace.c:3056 [inline] path_mount+0x6a6/0x1e90 fs/namespace.c:3386 do_mount fs/namespace.c:3399 [inline] __do_sys_mount fs/namespace.c:3607 [inline] __se_sys_mount fs/namespace.c:3584 [inline] __x64_sys_mount+0x283/0x300 fs/namespace.c:3584 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 This happens because of a race condition between: - The 9p client sending an invalid flush request and later cleaning it up; - The 9p client in p9_read_work() canceled all pending requests. Thread 1 Thread 2 ... p9_client_create() ... p9_fd_create() ... p9_conn_create() ... // start Thread 2 INIT_WORK(&m->rq, p9_read_work); p9_read_work() ... p9_client_rpc() ... ... p9_conn_cancel() ... spin_lock(&m->req_lock); ... p9_fd_cancelled() ... ... spin_unlock(&m->req_lock); // status rewrite p9_client_cb(m->client, req, REQ_STATUS_ERROR) // first remove list_del(&req->req_list); ... spin_lock(&m->req_lock) ... // second remove list_del(&req->req_list); spin_unlock(&m->req_lock) ... Commit 74d6a5d56629 ("9p/trans_fd: Fix concurrency del of req_list in p9_fd_cancelled/p9_read_work") fixes a concurrency issue in the 9p filesystem client where the req_list could be deleted simultaneously by both p9_read_work and p9_fd_cancelled functions, but for the case where req->status equals REQ_STATUS_RCVD. Add an explicit check for REQ_STATUS_ERROR in p9_fd_cancelled before processing the request. Skip processing if the request is already in the error state, as it has been removed and its resources cleaned up. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: afd8d6541155 ("9P: Add cancelled() to the transport functions.") Cc: stable(a)vger.kernel.org Signed-off-by: Nalivayko Sergey <Sergey.Nalivayko(a)kaspersky.com> --- net/9p/trans_fd.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c index a69422366a23..a6054a392a90 100644 --- a/net/9p/trans_fd.c +++ b/net/9p/trans_fd.c @@ -721,9 +721,9 @@ static int p9_fd_cancelled(struct p9_client *client, struct p9_req_t *req) spin_lock(&m->req_lock); /* Ignore cancelled request if message has been received - * before lock. - */ - if (req->status == REQ_STATUS_RCVD) { + * or cancelled with error before lock. + */ + if (req->status == REQ_STATUS_RCVD || req->status == REQ_STATUS_ERROR) { spin_unlock(&m->req_lock); return 0; } -- 2.30.2

5 hours, 6 minutes

1
0
0 0

[PATCH 1/2] nvmem: layouts: u-boot-env: remove crc32 endianness conversion

by srini＠kernel.org

From: "Michael C. Pratt" <mcpratt(a)pm.me> On 11 Oct 2022, it was reported that the crc32 verification of the u-boot environment failed only on big-endian systems for the u-boot-env nvmem layout driver with the following error. Invalid calculated CRC32: 0x88cd6f09 (expected: 0x096fcd88) This problem has been present since the driver was introduced, and before it was made into a layout driver. The suggested fix at the time was to use further endianness conversion macros in order to have both the stored and calculated crc32 values to compare always represented in the system's endianness. This was not accepted due to sparse warnings and some disagreement on how to handle the situation. Later on in a newer revision of the patch, it was proposed to use cpu_to_le32() for both values to compare instead of le32_to_cpu() and store the values as __le32 type to remove compilation errors. The necessity of this is based on the assumption that the use of crc32() requires endianness conversion because the algorithm uses little-endian, however, this does not prove to be the case and the issue is unrelated. Upon inspecting the current kernel code, there already is an existing use of le32_to_cpu() in this driver, which suggests there already is special handling for big-endian systems, however, it is big-endian systems that have the problem. This, being the only functional difference between architectures in the driver combined with the fact that the suggested fix was to use the exact same endianness conversion for the values brings up the possibility that it was not necessary to begin with, as the same endianness conversion for two values expected to be the same is expected to be equivalent to no conversion at all. After inspecting the u-boot environment of devices of both endianness and trying to remove the existing endianness conversion, the problem is resolved in an equivalent way as the other suggested fixes. Ultimately, it seems that u-boot is agnostic to endianness at least for the purpose of environment variables. In other words, u-boot reads and writes the stored crc32 value with the same endianness that the crc32 value is calculated with in whichever endianness a certain architecture runs on. Therefore, the u-boot-env driver does not need to convert endianness. Remove the usage of endianness macros in the u-boot-env driver, and change the type of local variables to maintain the same return type. If there is a special situation in the case of endianness, it would be a corner case and should be handled by a unique "compatible". Even though it is not necessary to use endianness conversion macros here, it may be useful to use them in the future for consistent error printing. Fixes: d5542923f200 ("nvmem: add driver handling U-Boot environment variables") Reported-by: INAGAKI Hiroshi <musashino.open(a)gmail.com> Link: https://lore.kernel.org/all/20221011024928.1807-1-musashino.open@gmail.com Cc: stable(a)vger.kernel.org # 6.12.x Cc: stable(a)vger.kernel.org # 6.6.x: f4cf4e5: Revert "nvmem: add new config option" Cc: stable(a)vger.kernel.org # 6.6.x: 7f38b70: of: device: Export of_device_make_bus_id() Cc: stable(a)vger.kernel.org # 6.6.x: 4a1a402: nvmem: Move of_nvmem_layout_get_container() in another header Cc: stable(a)vger.kernel.org # 6.6.x: fc29fd8: nvmem: core: Rework layouts to become regular devices Cc: stable(a)vger.kernel.org # 6.6.x: 0331c61: nvmem: core: Expose cells through sysfs Cc: stable(a)vger.kernel.org # 6.6.x: 401df0d: nvmem: layouts: refactor .add_cells() callback arguments Cc: stable(a)vger.kernel.org # 6.6.x: 6d0ca4a: nvmem: layouts: store owner from modules with nvmem_layout_driver_register() Cc: stable(a)vger.kernel.org # 6.6.x: 5f15811: nvmem: layouts: add U-Boot env layout Cc: stable(a)vger.kernel.org # 6.6.x Signed-off-by: Michael C. Pratt <mcpratt(a)pm.me> Signed-off-by: Srinivas Kandagatla <srini(a)kernel.org> --- drivers/nvmem/layouts/u-boot-env.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/nvmem/layouts/u-boot-env.c b/drivers/nvmem/layouts/u-boot-env.c index 436426d4e8f9..8571aac56295 100644 --- a/drivers/nvmem/layouts/u-boot-env.c +++ b/drivers/nvmem/layouts/u-boot-env.c @@ -92,7 +92,7 @@ int u_boot_env_parse(struct device *dev, struct nvmem_device *nvmem, size_t crc32_data_offset; size_t crc32_data_len; size_t crc32_offset; - __le32 *crc32_addr; + uint32_t *crc32_addr; size_t data_offset; size_t data_len; size_t dev_size; @@ -143,8 +143,8 @@ int u_boot_env_parse(struct device *dev, struct nvmem_device *nvmem, goto err_kfree; } - crc32_addr = (__le32 *)(buf + crc32_offset); - crc32 = le32_to_cpu(*crc32_addr); + crc32_addr = (uint32_t *)(buf + crc32_offset); + crc32 = *crc32_addr; crc32_data_len = dev_size - crc32_data_offset; data_len = dev_size - data_offset; -- 2.43.0

5 hours, 11 minutes

3
3
0 0

[PATCH net,v2] hv_netvsc: Switch VF namespace in netvsc_open instead

by Haiyang Zhang

From: Haiyang Zhang <haiyangz(a)microsoft.com> The existing code move the VF NIC to new namespace when NETDEV_REGISTER is received on netvsc NIC. During deletion of the namespace, default_device_exit_batch() >> default_device_exit_net() is called. When netvsc NIC is moved back and registered to the default namespace, it automatically brings VF NIC back to the default namespace. This will cause the default_device_exit_net() >> for_each_netdev_safe loop unable to detect the list end, and hit NULL ptr: [ 231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0 [ 231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010 [ 231.450246] #PF: supervisor read access in kernel mode [ 231.450579] #PF: error_code(0x0000) - not-present page [ 231.450916] PGD 17b8a8067 P4D 0 [ 231.451163] Oops: Oops: 0000 [#1] SMP NOPTI [ 231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY [ 231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024 [ 231.452692] Workqueue: netns cleanup_net [ 231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0 [ 231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 <48> 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00 [ 231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246 [ 231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb [ 231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564 [ 231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000 [ 231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340 [ 231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340 [ 231.457161] FS: 0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000 [ 231.457707] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0 [ 231.458434] Call Trace: [ 231.458600] <TASK> [ 231.458777] ops_undo_list+0x100/0x220 [ 231.459015] cleanup_net+0x1b8/0x300 [ 231.459285] process_one_work+0x184/0x340 To fix it, move the VF namespace switching code from the NETDEV_REGISTER event handler to netvsc_open(). Cc: stable(a)vger.kernel.org Cc: cavery(a)redhat.com Fixes: 4c262801ea60 ("hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event") Signed-off-by: Haiyang Zhang <haiyangz(a)microsoft.com> --- v2: verified it's applicable to net, fixed cc list. --- drivers/net/hyperv/netvsc_drv.c | 43 ++++++++++----------------------- 1 file changed, 13 insertions(+), 30 deletions(-) diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c index 42d98e99566e..074ecc346108 100644 --- a/drivers/net/hyperv/netvsc_drv.c +++ b/drivers/net/hyperv/netvsc_drv.c @@ -135,6 +135,19 @@ static int netvsc_open(struct net_device *net) } if (vf_netdev) { + if (!net_eq(dev_net(net), dev_net(vf_netdev))) { + ret = dev_change_net_namespace(vf_netdev, dev_net(net), + "eth%d"); + if (ret) + netdev_err(vf_netdev, + "Cannot move to same ns as %s: %d\n", + net->name, ret); + else + netdev_info(vf_netdev, + "Moved VF to namespace with: %s\n", + net->name); + } + /* Setting synthetic device up transparently sets * slave as up. If open fails, then slave will be * still be offline (and not used). @@ -2772,31 +2785,6 @@ static struct hv_driver netvsc_drv = { }, }; -/* Set VF's namespace same as the synthetic NIC */ -static void netvsc_event_set_vf_ns(struct net_device *ndev) -{ - struct net_device_context *ndev_ctx = netdev_priv(ndev); - struct net_device *vf_netdev; - int ret; - - vf_netdev = rtnl_dereference(ndev_ctx->vf_netdev); - if (!vf_netdev) - return; - - if (!net_eq(dev_net(ndev), dev_net(vf_netdev))) { - ret = dev_change_net_namespace(vf_netdev, dev_net(ndev), - "eth%d"); - if (ret) - netdev_err(vf_netdev, - "Cannot move to same namespace as %s: %d\n", - ndev->name, ret); - else - netdev_info(vf_netdev, - "Moved VF to namespace with: %s\n", - ndev->name); - } -} - /* * On Hyper-V, every VF interface is matched with a corresponding * synthetic interface. The synthetic interface is presented first @@ -2809,11 +2797,6 @@ static int netvsc_netdev_event(struct notifier_block *this, struct net_device *event_dev = netdev_notifier_info_to_dev(ptr); int ret = 0; - if (event_dev->netdev_ops == &device_ops && event == NETDEV_REGISTER) { - netvsc_event_set_vf_ns(event_dev); - return NOTIFY_DONE; - } - ret = check_dev_is_matching_vf(event_dev); if (ret != 0) return NOTIFY_DONE; -- 2.34.1

5 hours, 24 minutes

3
2
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror