Age | Commit message (Collapse) | Author |
|
This is the 5.10.216 stable release
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmYzofkACgkQONu9yGCS
# aT7Y7xAAlqSfBkRxGTdr5zNV8YNB15e9BJqDWvkQMzk14SELcYG31A5txuseRqzV
# B/2JvbLSMdejbJqsTfi2XVus/Vjv4bbxpztFuKEIGe/PcdQmzSyfwKAZGAOPYyvK
# yw+T1uM+5Qr2UszKKt58FNARNjp6EizNtTPoOxfUxUeNBJlla1oZWP1p1Qj11MZx
# e4Gz8sXWmfrxW6WB9DkSaDTAvUtwYYzoX72kD6bti1HB4DB1RtR7HH5p0noCZZq7
# oZqhq/bxTPF/Y1P990QkX+6GXo04cpSvjW6AzV9a2ZdR7nW6cxcLxxsm/ZGBm/vy
# yDmdL3NUyn8ivcCEI/rngtdz/JpM4kP/2ULuWWSuoXMvC68jXBjhznfPawF+wKdH
# A2raG7gWWAusmbhVUGj+ETMuFaTfeerc/xbrFS/BuNTbp4DC8yeCj+1wtcLV6p2L
# CITj80vRZyZVWSDvTzGNJUWp7SdbF+q/APn+DTlfLz0AoEhDEk1mhveGMFbN49x4
# jTwq61ISWYjbBiHlDzDdeXcectG8k1zNrt77WdN7bq67OR+owUx4Pet01fDLBtrr
# 3mzCrz0XkhqtdjUTDu/RFffNo4PrQ+rTQRUGQXLEw4qHQhmyqldP6luaOCwovDBb
# SRI8XjOkxkOodo6q7cLEKIa049gqqe7jrHMhmClbhXkIZtIJjZQ=
# =E79M
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu 02 May 2024 10:23:53 AM EDT
# gpg: using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
# gpg: Can't check signature: No public key
|
|
Linux 5.10.214
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCgAdFiEE4n5dijQDou9mhzu83qZv95d3LNwFAmYDTvYACgkQ3qZv95d3
# LNzsThAAux0/qplp4OIshaClYXCArws4ef+RdjPFzlgbftA82sb+le3uEdXRBGYx
# W/igqdvTXBfKc4QjgArW+PgIfaGgnmgHzXTUDy2/UOkoJFPt73l3v5hKMQkG1NeE
# sbZ5mwhPp7zE/ARsj3W223j86xLzW1um3NfHYmYm9nh28mHMMSzqSeeIN5YmBjtY
# 7UpbYUjPDoJQEA4Jh8UVlW02lNpGg6DDcfv3oLknILEgoGIuXpohWEH2uWEhDVvq
# hwJ3qgNkaGmBxz5USyL0nEB1lexm+BF6yNeX27Xwh9nBJgOegaZb8KyjNFlFUb0l
# m7MJ6LquIh/bnmw8i8XcdbtRjv+eFhayLBUaBV5BLRT0AZq3jooGx4R1dA/VN6VO
# r8QbNE10UGLAOMJRSj+w0WWGSdsHHHlljhnQrToRyYjbXkXbcBz/muhdbNYEJep4
# EX0boAW4Dl+gbSV6U1437eHrDVaffvt1yxKzZxkHAiH4zGHfcwTTALdAKc562Tw3
# HgBU3ng2itTtrXmLAzDin+kvKBMdqARBRtsyRFVW78KqLZddalnTHgMQyIhz9rUr
# WmZ1CiMj2vii9SdwiB/0aHXcvVBVXPi0thLXDDoH71cJhYtmj7VaYGAPQs9KrRqw
# 3oI61MqxtMh7pMNeZdgIS1SmkqF2kF2b/rTbKAVJz95/gxngKkw=
# =ltnq
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue 26 Mar 2024 06:40:54 PM EDT
# gpg: using RSA key E27E5D8A3403A2EF66873BBCDEA66FF797772CDC
# gpg: Can't check signature: No public key
|
|
commit 6fe60465e1d53ea321ee909be26d97529e8f746c upstream.
If stack_depot_save_flags() allocates memory it always drops
__GFP_NOLOCKDEP flag. So when KASAN tries to track __GFP_NOLOCKDEP
allocation we may end up with lockdep splat like bellow:
======================================================
WARNING: possible circular locking dependency detected
6.9.0-rc3+ #49 Not tainted
------------------------------------------------------
kswapd0/149 is trying to acquire lock:
ffff88811346a920
(&xfs_nondir_ilock_class){++++}-{4:4}, at: xfs_reclaim_inode+0x3ac/0x590
[xfs]
but task is already holding lock:
ffffffff8bb33100 (fs_reclaim){+.+.}-{0:0}, at:
balance_pgdat+0x5d9/0xad0
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (fs_reclaim){+.+.}-{0:0}:
__lock_acquire+0x7da/0x1030
lock_acquire+0x15d/0x400
fs_reclaim_acquire+0xb5/0x100
prepare_alloc_pages.constprop.0+0xc5/0x230
__alloc_pages+0x12a/0x3f0
alloc_pages_mpol+0x175/0x340
stack_depot_save_flags+0x4c5/0x510
kasan_save_stack+0x30/0x40
kasan_save_track+0x10/0x30
__kasan_slab_alloc+0x83/0x90
kmem_cache_alloc+0x15e/0x4a0
__alloc_object+0x35/0x370
__create_object+0x22/0x90
__kmalloc_node_track_caller+0x477/0x5b0
krealloc+0x5f/0x110
xfs_iext_insert_raw+0x4b2/0x6e0 [xfs]
xfs_iext_insert+0x2e/0x130 [xfs]
xfs_iread_bmbt_block+0x1a9/0x4d0 [xfs]
xfs_btree_visit_block+0xfb/0x290 [xfs]
xfs_btree_visit_blocks+0x215/0x2c0 [xfs]
xfs_iread_extents+0x1a2/0x2e0 [xfs]
xfs_buffered_write_iomap_begin+0x376/0x10a0 [xfs]
iomap_iter+0x1d1/0x2d0
iomap_file_buffered_write+0x120/0x1a0
xfs_file_buffered_write+0x128/0x4b0 [xfs]
vfs_write+0x675/0x890
ksys_write+0xc3/0x160
do_syscall_64+0x94/0x170
entry_SYSCALL_64_after_hwframe+0x71/0x79
Always preserve __GFP_NOLOCKDEP to fix this.
Link: https://lkml.kernel.org/r/20240418141133.22950-1-ryabinin.a.a@gmail.com
Fixes: cd11016e5f52 ("mm, kasan: stackdepot implementation. Enable stackdepot for SLAB")
Signed-off-by: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Reported-by: Xiubo Li <xiubli@redhat.com>
Closes: https://lore.kernel.org/all/a0caa289-ca02-48eb-9bf2-d86fd47b71f4@redhat.com/
Reported-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Closes: https://lore.kernel.org/all/f9ff999a-e170-b66b-7caf-293f2b147ac2@opensource.wdc.com/
Suggested-by: Dave Chinner <david@fromorbit.com>
Tested-by: Xiubo Li <xiubli@redhat.com>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Alexander Potapenko <glider@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
[ Upstream commit 843a8851e89e2e85db04caaf88d8554818319047 ]
lib/test_blackhole_dev.c sets a variable that is never read, causing
this following building warning:
lib/test_blackhole_dev.c:32:17: warning: variable 'ethh' set but not used [-Wunused-but-set-variable]
Remove the variable struct ethhdr *ethh, which is unused.
Fixes: 509e56b37cc3 ("blackhole_dev: add a selftest")
Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
This is the 5.10.210 stable release
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmXYTLkACgkQONu9yGCS
# aT4+fhAAqqR/Cvx53ZKMQ8GZTCudAZnr/Dz6kWYwxhhhIbQjDpCaf9mgsrEDaQS2
# ancSZjzYaOUIXq/IsthXxQIUhiZbuM3iuSEi7+odWgSYdkFyzuUt8MWLBGSaB5Er
# ojn+APtq7vPXTSnp7uMwqMC3/BHCKkeYIjRVevhhHBKG5d3lzkV1xU8NcvMkLaly
# CIRxpWXD3w2b7K0GEbb/zN1GQEHDCQcxjuaJoe/5FKGJkqd3T31eyiJTRumCCMcz
# j8vkGkYmcMJpWf04iLgVA1p13I5/HGrXdEBI/GutN8IABIC3Cp42jW8phHYKW5ZM
# a4R25LZG5buND1Ubpq+EDrYn3EaPek5XRki0w8ZAXfNa3rYc+N6mQjkzNSOzhJ/5
# VNsn3EAE1Dwtar5Z3ASe9ugDbh+0bgx85PbfaADK88V+qWb3DVr1TBWmDNu2vfVP
# rv4I0EKu9r3vOE8aNMEBuhAVkIK3mEQUxwab6RKNrMby/5Uwa+ugrrUtQd8V+T1S
# j6r6v7u7aZ8mhYO7d6WSvAKL85lCWGbs3WRIKCJZmDRyqWrWW9tVWRN9wrZ2QnRr
# iaCQKk8P474P7/j1zwnmih8l4wS1oszveNziWwd0fi1Nn/WQYM+JKYQvpuQijmQ+
# J9jLyWo7a59zffIE6mzJdNwFy9hlw9X+VnJmExk/Q88Z7Bt5wPQ=
# =laYd
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri 23 Feb 2024 02:43:53 AM EST
# gpg: using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
# gpg: Can't check signature: No public key
|
|
[ Upstream commit ba3c5574203034781ac4231acf117da917efcd2a ]
When the mpi_ec_ctx structure is initialized, some fields are not
cleared, causing a crash when referencing the field when the
structure was released. Initially, this issue was ignored because
memory for mpi_ec_ctx is allocated with the __GFP_ZERO flag.
For example, this error will be triggered when calculating the
Za value for SM2 separately.
Fixes: d58bb7e55a8a ("lib/mpi: Introduce ec implementation to MPI library")
Cc: stable@vger.kernel.org # v6.5
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
[ Upstream commit 9bb6362652f3f4d74a87d572a91ee1b38e673ef6 ]
After release of the hashbucket lock the tracking object can be modified or
freed by a concurrent thread. Using it in such a case is error prone, even
for printing the object state:
1. T1 tries to deactivate destroyed object, debugobjects detects it,
hash bucket lock is released.
2. T2 preempts T1 and frees the tracking object.
3. The freed tracking object is allocated and initialized for a
different to be tracked kernel object.
4. T1 resumes and reports error for wrong kernel object.
Create a local copy of the tracking object before releasing the hash bucket
lock and use the local copy for reporting and fixups to prevent this.
Signed-off-by: Andrzej Hajda <andrzej.hajda@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/r/20231025-debugobjects_fix-v3-1-2bc3bf7084c2@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
This is the 5.10.209 stable release
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmWy4soACgkQONu9yGCS
# aT5VxA/8DwcU5ST4AJ4EOaaWHUU/HHMV2/bSOLDhVTEl4gEnaj3LeOz2bIrfzNgb
# 9bHBYCtl3PFl+hZxY3wvC55o80SeIjskpU9rHvzQ36y8dd+uIfXjhLHPBHV7AO4m
# Yu6+dEoaJqFpVgyBKn+YFg6x0w8m1sWX5tcrQRkcMt/REak91bqdf8l0JDz1Jd2d
# uiCh3ssy9yNl7UTdPovzgK9IZ4zv0Kk13F9lXcsMEmjmB3awyaQlglBlCG0NEUKj
# wRWzT4uKHHcW4sHg/UyEfVUnKQGZvf7/eOAXK2kEsBFSzcl+QLwZxWSmRDL81dzl
# 1jjivPCQKtEPZqIZnDQuNvtijw5NNT/yJ5yRlJ7qmuCuBA/2VYqecEAVERhd6dYj
# le6oMu3340G5Dyq43XhOtPf+Fm1HkuMtQ49oyK8k/nEZSFGDWlrJ//cuOWYjUbpo
# d/fgCaLCxAm60KPiCnGdC7GQcIDJBbgjC3XDvxYGLA0ee+31XqhHDTlOkeHv+7oP
# 3PwSssT/M4Ppwzb0Imna/qaCO7lKUbS4oQSLahbfGg+fyAKfM7N3No7raF+L4VIE
# RACbvKrSfv2WuTncQBdd/kQ2kvhuGMD4L1WjXNFi2VQzI2JbEcYZcJWYXF5tvCNj
# aotDJumjF0WtGWcEdKg8Cr2AArMm6dHmRS5VVIG+taWpiWIl5lc=
# =iU8L
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu 25 Jan 2024 05:38:02 PM EST
# gpg: using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
# gpg: Can't check signature: No public key
|
|
[ Upstream commit af73483f4e8b6f5c68c9aa63257bdd929a9c194a ]
The IDA usually detects double-frees, but that detection failed to
consider the case when there are no nearby IDs allocated and so we have a
NULL bitmap rather than simply having a clear bit. Add some tests to the
test-suite to be sure we don't inadvertently reintroduce this problem.
Unfortunately they're quite noisy so include a message to disregard
the warnings.
Reported-by: Zhenghan Wang <wzhmmmmm@gmail.com>
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
This is the 5.10.206 stable release
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmWYDlYACgkQONu9yGCS
# aT5i8A//V/cQxM4ABg2SGkOLg9TFEmUC/TsrvbmSjwTTpOgi1XuncuxBxoLz6eb4
# G8nCmFjuh2E8YL2WMXn5Gs891J6enlc+Pg8Iz54NVXKff4RJZy2zP2KEVmHwYS5R
# Bm2uUsfqQFXZ4V6tRUBiUTtk/aLyNKbiJEV/eg/1NL27xoNTfWFICnq8Jr7liCxt
# kedPiN6MAVzHCJ00IPRSFFuVHgofI1lPhCg6qbU0KEmfU/3sXZ3hP4ewBI/QbAIF
# MO3XLXTpWU8QnKqr50cnW30pxhm+Lc/n/TokgRC0Ng1YtDms6zFyLxCX5CDH1FHf
# Y3QhS5HVZmR2x7Ga5wd8gLwoXun/HU7y+GCVD1ToiWch/zF/vUgYK80Hkxsc/0Wf
# UUs8erxkGKpidpOrqNOgHxeTtpLbTVYGi/F8XMoohUW7qmlLvyiezU/wHapJ6EZA
# T93QS/WhY993b2Hz7apu3o7Jm9ZpiVIpoRiniWRkcoLltZM7RdZTqnIHr/0PAZbD
# qtOzQrCDCT5EMZz9rjI45K9K5pOA8cVhjehnQaG93DSiVp0wu+uP/Ib15oZiVA/q
# k+uW5YgT03HZQ8QTcW4d87mLqkl5PqzpWRRBQZw9aN22YQ9wyUEPpjliZgDpjjXE
# lKtr4S2Sudfpt5kiH72MYZbMqsgn8TT56lumL6ZplEvlPH/J76Y=
# =Xj2r
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri 05 Jan 2024 09:12:38 AM EST
# gpg: using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
# gpg: Can't check signature: No public key
|
|
commit 5c47251e8c4903111608ddcba2a77c0c425c247c upstream.
A refcount issue can appeared in __fwnode_link_del() due to the
pr_debug() call:
WARNING: CPU: 0 PID: 901 at lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110
Call Trace:
<TASK>
...
of_node_get+0x1e/0x30
of_fwnode_get+0x28/0x40
fwnode_full_name_string+0x34/0x90
fwnode_string+0xdb/0x140
...
vsnprintf+0x17b/0x630
...
__fwnode_link_del+0x25/0xa0
fwnode_links_purge+0x39/0xb0
of_node_release+0xd9/0x180
...
Indeed, an fwnode (of_node) is being destroyed and so, of_node_release()
is called because the of_node refcount reached 0.
From of_node_release() several function calls are done and lead to
a pr_debug() calls with %pfwf to print the fwnode full name.
The issue is not present if we change %pfwf to %pfwP.
To print the full name, %pfwf iterates over the current node and its
parents and obtain/drop a reference to all nodes involved.
In order to allow to print the full name (%pfwf) of a node while it is
being destroyed, do not obtain/drop a reference to this current node.
Fixes: a92eb7621b9f ("lib/vsprintf: Make use of fwnode API to obtain node names and separators")
Cc: stable@vger.kernel.org
Signed-off-by: Herve Codina <herve.codina@bootlin.com>
Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Petr Mladek <pmladek@suse.com>
Link: https://lore.kernel.org/r/20231114152655.409331-1-herve.codina@bootlin.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
This is the 5.10.203 stable release
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmVyyc8ACgkQONu9yGCS
# aT7u+w//cmCSBElkTYXuLYhEtZhPJGHd9CJZz/+FVLF3SjgZ1UfZhbRk+Crrnajt
# q4RVVZcuMzXqlcuC380fD7d2QMFffJ4ZLmJALZUSsjC4qLiAGqqUuJJYp8coD37p
# +XQhEt40uu3pxLzN3lpa+HUYMmhubFuixJ6gvLdIhd90/eVXowtu2y1rYBhh75yg
# NOpnUfyi7ZVaimvmkHizb2gUxPXMIk8u/Bzy8yzy8czYI0L+uWVme95J5anIYBMQ
# cMrxsiKU/f686uV8neOI7Xl5+f7dcxFvkeXfM9aYJzR/QOMi+VJh4QZrmUHg6Gh6
# jb6saqpnWNh984cSoLublvvz6xUqD5uT40VC0Fty87xaxHWWSowj/wqAPgy7mX2P
# 42t/8MDt2zBGnLuu+hhkGweLAqChNZQuvcTGj7AwxnaCHJJtJXLZpC1ylhmpIuFI
# vhA2t+chCMwQc55p7VA7473/KyVEo7iFBX77R1uStbtuYUDqbjaaPa0d4y3vXa3k
# +/krl0apo5PZmubnXM04C+Q2jAC5PxiJcZvQeINfjLSgqOICK8/xFb1J572Ah5tf
# oYCMQTerS7uUUqZ+XZmQtPXQGFjvvBn6Jnx9ORPi+2t0QA2fGZQcfPiLi2fdaCSw
# YQkKl9XnVMpXrOI8ub9XgdHetw5hf16oNVS4ibVqADI7wF8HjWg=
# =N92F
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri 08 Dec 2023 02:46:23 AM EST
# gpg: using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
# gpg: Can't check signature: No public key
|
|
commit e5f3e299a2b1e9c3ece24a38adfc089aef307e8a upstream.
Those return codes are only defined for the parisc architecture and
are leftovers from when we wanted to be HP-UX compatible.
They are not returned by any Linux kernel syscall but do trigger
problems with the glibc strerrorname_np() and strerror() functions as
reported in glibc issue #31080.
There is no need to keep them, so simply remove them.
Signed-off-by: Helge Deller <deller@gmx.de>
Reported-by: Bruno Haible <bruno@clisp.org>
Closes: https://sourceware.org/bugzilla/show_bug.cgi?id=31080
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
This is the 5.10.201 stable release
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmVbL8cACgkQONu9yGCS
# aT4jug//XkUEdRFY18syEy8+idsSSjsnPpLXRTCN70DKsjbPynZjzmp7MQIROhG9
# mfowIsnJSjFB0+umb9rFkXRCQW9xJ3Cci9F5viFGps2uVcLRsAMiXVXjJ92Olw22
# WZpMD/6iujoiOV2efdswOE+dKK5I1EAM7VnmM/Q4pTYvYPwiW63zWuj6gcxHZ0Z8
# McHkgx+rd+kNugI8D+TEpmdciXj7+VyD3H3Vjclm5UV9QtJ6kXak1MToOCZiyOJr
# +OuJvI20XLDPNu2HyKiQu97WeXxuOOK2nWFuFnajn5OWYtpD79N1Ibqx16uJUa4U
# B+LB6zysfKPNsIdKJs3Y2eWgyYMTHLu+P0kxNKfkO9GjmTg8PQcJ3g+5gx70qmBM
# ZtHWeKBJcBmqolHYIgL01JzUex65knMlJguxd8rbD0QCYrp1zYDAITvV0YMomPqg
# W9iI/Nf5wrhP7VvU/8FZ17aoqoMjnJpCJSjS6BIo1kLgcwk+pNZyDtoPryNqYLps
# 3FpZkFNEZZOxrS2BgVkgEy2OLEwLfv8N975a9qg/UgBbq/g5iLJR9nUFJUeUDbB2
# 7NH5H8euAR0sWR8+0jgxwIZyQC03lX49SpcuhFwhBoQ7JWUr29hD8KMlIVlmHsTB
# oL7CuKH7VaAbwIuouSb9o7KMHPiTisI2yu6awlddR9uVA+2IR/U=
# =zKbE
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon 20 Nov 2023 05:07:03 AM EST
# gpg: using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
# gpg: Can't check signature: No public key
|
|
[ Upstream commit e1be43d9b5d0d1310dbd90185a8e5c7145dde40f ]
In order to perform more open-coded replacements of common allocation
size arithmetic, the kernel needs saturating (SIZE_MAX) helpers for
multiplication, addition, and subtraction. For example, it is common in
allocators, especially on realloc, to add to an existing size:
p = krealloc(map->patch,
sizeof(struct reg_sequence) * (map->patch_regs + num_regs),
GFP_KERNEL);
There is no existing saturating replacement for this calculation, and
just leaving the addition open coded inside array_size() could
potentially overflow as well. For example, an overflow in an expression
for a size_t argument might wrap to zero:
array_size(anything, something_at_size_max + 1) == 0
Introduce size_mul(), size_add(), and size_sub() helpers that
implicitly promote arguments to size_t and saturated calculations for
use in allocations. With these helpers it is also possible to redefine
array_size(), array3_size(), flex_array_size(), and struct_size() in
terms of the new helpers.
As with the check_*_overflow() helpers, the new helpers use __must_check,
though what is really desired is a way to make sure that assignment is
only to a size_t lvalue. Without this, it's still possible to introduce
overflow/underflow via type conversion (i.e. from size_t to int).
Enforcing this will currently need to be left to static analysis or
future use of -Wconversion.
Additionally update the overflow unit tests to force runtime evaluation
for the pathological cases.
Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Cc: Gustavo A. R. Silva <gustavoars@kernel.org>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: Leon Romanovsky <leon@kernel.org>
Cc: Keith Busch <kbusch@kernel.org>
Cc: Len Baker <len.baker@gmx.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Stable-dep-of: d692873cbe86 ("gve: Use size_add() in call to struct_size()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
This is the 5.10.200 stable release
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmVLt8IACgkQONu9yGCS
# aT5SXw//ZJPwvVxnv21ldEE7vxdLSuSz/Ond0kV6A74ypBbZDsvqwvRbP0aCMoTx
# zJOARfQIyBMeMrbD2zKvJrhStMxJaFbzMMr2isMDdY0USRPTWkNu5Y18ZOnT3sgu
# 099NOT2pEGNF5IlUxJPS64YTBelf8aD/Vv04AgbpPZ0Zb8n1Xmgg4jP0h5O7ERRU
# tevkdHg7xVrfV3dlI14sQbP4b/CHmS8sRFesUAf3qJ+p/7MwVeCk4u6GzlYnLEF6
# O/2K3hmUcvg0d1J9a7ESNohBrdHJXUpgjW+/hfDuMZ2XAW+2DQGT//aCdrilUbGU
# sWF8G/NKuDwd6bPmm8+u0ZJfwKHk3PAepQxCdQWlAkKeygx3RDjFYDwBjPiqSeJg
# fr1obUGLcwWf7CBrcI2d++oZX+R5Jw7W+c32xfRfHPlX5YFqwtayoKs/z7vhhqox
# VRLwCvgbj/WDSF9/H/4yR+pA7PmYLJiCTLWEDq3eEY9sMEYxWytfdU2D4UcHZ7gM
# iRxlDOkFLjjlYFPo6Nd004YAQW+K2tMJnaGHuv2Lk2Edt3iJLJcUE2+bRY+n2nsc
# DIZ+uZ97/kTRNomyG/XXMuWiJ+2HHgYBnYWDbEBggawhzQPJ/U6KIvMg44Rjn6e7
# 89fv/HxuwcRvNSuxgAs5IL/w9KdwTbmcgCnAn/8wURE3/wH0ybA=
# =SpN0
# -----END PGP SIGNATURE-----
# gpg: Signature made Wed 08 Nov 2023 11:30:58 AM EST
# gpg: using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
# gpg: Can't check signature: No public key
|
|
This is the 5.10.199 stable release
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmU45eIACgkQONu9yGCS
# aT6OGw//TD8VOR/VIUsdCH4keamvfoOjW7IdUMI6WWrXGw4TBQhOb1S5OFmUXLIW
# 1TQKvnJSpkukW9oQXChEPiVm9LMXq0dsWOaI11I23HmAzenZQ+cdHLFa8Rod3DeJ
# t17qefmsZxvI3U5nXJiCYRlUcqWF8rgpYR8NaJass8xOOGKEDk9JMXy1hvCG1N8C
# 1Zvth4wJmaDvJxSLHCL0gZkYBQBddePtrHwxWqLJ9vwUJEHGWf6AlwaASFUtRMut
# am2sWYx7aDKQT4w6B4MEJfA3bcTbLAglZG5s85ENhYYAMYW+cX/YtQH182KcpRTx
# mRmDc2vk1tJsSAuuE94OAAESjCdWF7V5SUkk/GLawnRiR7NeOax7vvS634uPtN+g
# LdTOlWMlcum46LmrJd6pu7oLXyZHGrr0/cBPewwYTlcRsmSS+WADUfH1yZL14lDC
# Nf8JASLIj68jrxnTn1lWGtShn8unNV9ZVauA8krsXJzvgjYNpaQSRhxOnltc+Zuy
# GFC0oipwgbzM8Y3lSPfF8rwBA85tmvF397oBM5c4uzZ+ULn7XWPJG+wIYtk7R9N7
# 57rKAKyu+s3hHEUCyF7Z/HF7pHiL6vg4hQzhgIKqDMYkZmyHYV3iIAy5j5jvCkvD
# 8zjBiV3iBC9PYzNYghVRVm5LjRwlXvqSpy88YwgkB1iD+5rZ3RQ=
# =PvGf
# -----END PGP SIGNATURE-----
# gpg: Signature made Wed 25 Oct 2023 05:54:42 AM EDT
# gpg: using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
# gpg: Can't check signature: No public key
|
|
commit 3bb2a01caa813d3a1845d378bbe4169ef280d394 upstream.
In kobject_get_path(), if kobj->name is changed between calls
get_kobj_path_length() and fill_kobj_path() and the length becomes
longer, then fill_kobj_path() will have an out-of-bounds bug.
The actual current problem occurs when the ixgbe probe.
In ixgbe_mii_bus_init(), if the length of netdev->dev.kobj.name
length becomes longer, out-of-bounds will occur.
cpu0 cpu1
ixgbe_probe
register_netdev(netdev)
netdev_register_kobject
device_add
kobject_uevent // Sending ADD events
systemd-udevd // rename netdev
dev_change_name
device_rename
kobject_rename
ixgbe_mii_bus_init |
mdiobus_register |
__mdiobus_register |
device_register |
device_add |
kobject_uevent |
kobject_get_path |
len = get_kobj_path_length // old name |
path = kzalloc(len, gfp_mask); |
kobj->name = name;
/* name length becomes
* longer
*/
fill_kobj_path /* kobj path length is
* longer than path,
* resulting in out of
* bounds when filling path
*/
This is the kasan report:
==================================================================
BUG: KASAN: slab-out-of-bounds in fill_kobj_path+0x50/0xc0
Write of size 7 at addr ff1100090573d1fd by task kworker/28:1/673
Workqueue: events work_for_cpu_fn
Call Trace:
<TASK>
dump_stack_lvl+0x34/0x48
print_address_description.constprop.0+0x86/0x1e7
print_report+0x36/0x4f
kasan_report+0xad/0x130
kasan_check_range+0x35/0x1c0
memcpy+0x39/0x60
fill_kobj_path+0x50/0xc0
kobject_get_path+0x5a/0xc0
kobject_uevent_env+0x140/0x460
device_add+0x5c7/0x910
__mdiobus_register+0x14e/0x490
ixgbe_probe.cold+0x441/0x574 [ixgbe]
local_pci_probe+0x78/0xc0
work_for_cpu_fn+0x26/0x40
process_one_work+0x3b6/0x6a0
worker_thread+0x368/0x520
kthread+0x165/0x1a0
ret_from_fork+0x1f/0x30
This reproducer triggers that bug:
while:
do
rmmod ixgbe
sleep 0.5
modprobe ixgbe
sleep 0.5
When calling fill_kobj_path() to fill path, if the name length of
kobj becomes longer, return failure and retry. This fixes the problem.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Wang Hai <wanghai38@huawei.com>
Link: https://lore.kernel.org/r/20221220012143.52141-1-wanghai38@huawei.com
Signed-off-by: Oleksandr Tymoshenko <ovt@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
commit cc6003916ed46d7a67d91ee32de0f9138047d55f upstream.
In workloads where this_cpu operations are frequently performed,
enabling DEBUG_PREEMPT may result in significant increase in
runtime overhead due to frequent invocation of
__this_cpu_preempt_check() function.
This can be demonstrated through benchmarks such as hackbench where this
configuration results in a 10% reduction in performance, primarily due to
the added overhead within memcg charging path.
Therefore, do not to enable DEBUG_PREEMPT by default and make users aware
of its potential impact on performance in some workloads.
hackbench-process-sockets
debug_preempt no_debug_preempt
Amean 1 0.4743 ( 0.00%) 0.4295 * 9.45%*
Amean 4 1.4191 ( 0.00%) 1.2650 * 10.86%*
Amean 7 2.2677 ( 0.00%) 2.0094 * 11.39%*
Amean 12 3.6821 ( 0.00%) 3.2115 * 12.78%*
Amean 21 6.6752 ( 0.00%) 5.7956 * 13.18%*
Amean 30 9.6646 ( 0.00%) 8.5197 * 11.85%*
Amean 48 15.3363 ( 0.00%) 13.5559 * 11.61%*
Amean 79 24.8603 ( 0.00%) 22.0597 * 11.27%*
Amean 96 30.1240 ( 0.00%) 26.8073 * 11.01%*
Link: https://lkml.kernel.org/r/20230121033942.350387-1-42.hyeyoo@gmail.com
Signed-off-by: Hyeonggon Yoo <42.hyeyoo@gmail.com>
Acked-by: Roman Gushchin <roman.gushchin@linux.dev>
Acked-by: Mel Gorman <mgorman@techsingularity.net>
Acked-by: Davidlohr Bueso <dave@stgolabs.net>
Cc: Ben Segall <bsegall@google.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Daniel Bristot de Oliveira <bristot@redhat.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Dennis Zhou <dennis@kernel.org>
Cc: Dietmar Eggemann <dietmar.eggemann@arm.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Juri Lelli <juri.lelli@redhat.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Shakeel Butt <shakeelb@google.com>
Cc: Steven Rostedt (Google) <rostedt@goodmis.org>
Cc: Tejun Heo <tj@kernel.org>
Cc: Valentin Schneider <vschneid@redhat.com>
Cc: Vincent Guittot <vincent.guittot@linaro.org>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Luiz Capitulino <luizcap@amazon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
commit efb78fa86e95 ("lib/test_meminit: allocate pages up to order
MAX_ORDER") works great in kernels 6.4 and newer thanks to commit
23baf831a32c ("mm, treewide: redefine MAX_ORDER sanely"), but for older
kernels, the loop is off by one, which causes crashes when the test
runs.
Fix this up by changing "<= MAX_ORDER" "< MAX_ORDER" to allow the test
to work properly for older kernel branches.
Fixes: 2a1cf9fe09d9 ("lib/test_meminit: allocate pages up to order MAX_ORDER")
Cc: Andrew Donnellan <ajd@linux.ibm.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Xiaoke Wang <xkernel.wang@foxmail.com>
Cc: <stable@vger.kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
This is the 5.10.197 stable release
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmUOqXUACgkQONu9yGCS
# aT61cQ//eD8Xrytp1SrUZNpXeCF3d6Ih6wk7it7jJa9rSuFJa/yq3RG1Eni19FNs
# eZodcbmdNz6H27vonI7XDVemlkWWw0g/6JTZAwZho93Nnolz4qS88UqWWLmKYcs5
# rpAkVFgMFcS4HnL/YG6DY3GP6lsbhyummySFnfzXncfJbX3GN/mRk/YzCvziLjr5
# +cwwMUW+kkd5VUSssxrLS0VHSRW25SL+JLGRweQwePlMm8H+WTFpQSPeU5mu2gPM
# b4kFtAKAk2gzH1JzNJSz6mTM3dtAVFcu+3wAY+NSb4VfSB409rB0YI7ne1Ia6mC9
# TQ3qnfo05JYj5HiglE3QMuamfVuPt2mUwpo7I278fVBwbZo9cDXruVZ9099dVzAc
# B0O+xVvGwC6h6rwIKMfh9mzPtULO1CrHlxEVzSLO2szNMAiQk2+hMZDIKbvpBd59
# D08TFP4C4ffCT1K0mWDDhJpp7t37kMumZcB6JiNjYR0YUeDRMhFd4L8oHV5ENfdP
# FvIEwCOl/D69DsgmKq1jV33kspqoUfxyxs6MjJ44/0aQyKk1EoemMxkgrAwBDasn
# P3KNmShfR7XIgqUz1OX27PAnMDMLZj2DiSSbTyWEUOmfaR/TbaZ04fkHQxWfPfFX
# RIa2SFBop87mBfl8H0rhbic0ggQ4c8Io0xiks62pRvXdbcYfNZs=
# =Pws3
# -----END PGP SIGNATURE-----
# gpg: Signature made Sat 23 Sep 2023 05:01:41 AM EDT
# gpg: using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
# gpg: Can't check signature: No public key
|
|
This is the 5.10.195 stable release
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmUJdfMACgkQONu9yGCS
# aT7i/w//Wbvt3F9hF/9Rmg9A4J23OWl2o07Z8Fi0a4F4B0FJjuQGSPRvpSvKtIWv
# +7taCzOw9+Qi52hTR7BK+QpLpEPgMbv1IdgyPu1gtjL4WHuKk1aOeafISYuQDgeZ
# XSFoV1EGjxkg3wbMZkucnmQVitGxC/iV0ojvxKleiIE9UNzceQclGmmBL0FwmEYp
# c91XKEACZ5K/spSyyxocP4Fw6mbk98ISiju+74op5EDFry9qnIYa2pU/au3gZvh/
# TScOYOQsBojOFTy/wuEfpOiVBK9gLFq8du0J/gHS2aUqswkp/qFcpH7wbS5Po3+l
# Ja9a76o2B4btMCz6UhyhwzB+0QTQ1Gdea35FHRbF3d4ssNJDqDtwBCHqd3zeMUYo
# uTDhyTsSGV40Gm9A5Sojyzjgj4X12rQ0ffL+zcXfXe60flE8SNIxR8DiIXPlAsC+
# pgNQ5l/HcdJE1abRoTkvpsptaT2sNXgwZZij+VOBI3Vp4wr61U69CfP/QWWPZZF5
# ECEh8ZDK1roiEyBjn6njqXmt5vbmNasgI5umgnNPBgKEB2OLXqox6rn9XK0qMJ+X
# /oiCaL9RveU/QL5qNvV6Z2beXPwT51Vdy8+bQBfb5bUFRGQcTVIWaBRG0ZIHeSGm
# pG10/VAnCGtNrC6M/HVGd0Wyih+ur65Jz/rNKbkMX69cvJuxPWk=
# =RAs8
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue 19 Sep 2023 06:20:35 AM EDT
# gpg: using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
# gpg: Can't check signature: No public key
|
|
[ Upstream commit 4d0fe8c52bb3029d83e323c961221156ab98680b ]
When I register a kset in the following way:
static struct kset my_kset;
kobject_set_name(&my_kset.kobj, "my_kset");
ret = kset_register(&my_kset);
A null pointer dereference exception is occurred:
[ 4453.568337] Unable to handle kernel NULL pointer dereference at \
virtual address 0000000000000028
... ...
[ 4453.810361] Call trace:
[ 4453.813062] kobject_get_ownership+0xc/0x34
[ 4453.817493] kobject_add_internal+0x98/0x274
[ 4453.822005] kset_register+0x5c/0xb4
[ 4453.825820] my_kobj_init+0x44/0x1000 [my_kset]
... ...
Because I didn't initialize my_kset.kobj.ktype.
According to the description in Documentation/core-api/kobject.rst:
- A ktype is the type of object that embeds a kobject. Every structure
that embeds a kobject needs a corresponding ktype.
So add sanity check to make sure kset->kobj.ktype is not NULL.
Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
Link: https://lore.kernel.org/r/20230805084114.1298-2-thunder.leizhen@huaweicloud.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
[ Upstream commit 9e47a758b70167c9301d2b44d2569f86c7796f2d ]
During NVMeTCP Authentication a controller can trigger a kernel
oops by specifying the 8192 bit Diffie Hellman group and passing
a correctly sized, but zeroed Diffie Hellamn value.
mpi_cmp_ui() was detecting this if the second parameter was 0,
but 1 is passed from dh_is_pubkey_valid(). This causes the null
pointer u->d to be dereferenced towards the end of mpi_cmp_ui()
Signed-off-by: Mark O'Donovan <shiftee@posteo.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
[ Upstream commit 2a15de80dd0f7e04a823291aa9eb49c5294f56af ]
The relevant parameter is 'start' and not 'nextid'
Fixes: 460488c58ca8 ("idr: Remove idr_alloc_ext")
Signed-off-by: Ariel Marcovitch <arielmarcovitch@gmail.com>
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
commit efb78fa86e95832b78ca0ba60f3706788a818938 upstream.
test_pages() tests the page allocator by calling alloc_pages() with
different orders up to order 10.
However, different architectures and platforms support different maximum
contiguous allocation sizes. The default maximum allocation order
(MAX_ORDER) is 10, but architectures can use CONFIG_ARCH_FORCE_MAX_ORDER
to override this. On platforms where this is less than 10, test_meminit()
will blow up with a WARN(). This is expected, so let's not do that.
Replace the hardcoded "10" with the MAX_ORDER macro so that we test
allocations up to the expected platform limit.
Link: https://lkml.kernel.org/r/20230714015238.47931-1-ajd@linux.ibm.com
Fixes: 5015a300a522 ("lib: introduce test_meminit module")
Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
Reviewed-by: Alexander Potapenko <glider@google.com>
Cc: Xiaoke Wang <xkernel.wang@foxmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
This is the 5.10.193 stable release
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmTvUN4ACgkQONu9yGCS
# aT7lPhAAyUQ/VO7lONIwD9LBkFxDIWEJBn4928UNFrweLuxd/ZJWZXoLJ9zMykqS
# HmKjjKcZXO5fHQxHGHz+zfWKaAqNqCTuvOTKe6HKWRFIEOWjNKmNCJ3+tNgFjQLz
# +9G3LXLykpiIc878se7qEZKseiEh56PfE62CCP3+k1cQX6PlIOXCJIq3cntYJJ0j
# feV3nHPyR0S/sHnTGZFJDijhLUXd2NUaR6O4AxNk4QiBcw2j7i6B2I8FLvH2LkHi
# CeBKt0wl1RJtTIraQP4cKsxrnKYvn8yxfEuIoUNlGlLR0tt8R1LfXlV9pZt0yMoX
# 15sS8xkXH8K3+Wau78VuPX8Ar/dckiGU+G1lbrL2Xe4S04dnW3yx/Lq8DoZbFT4s
# 4BADWBy8zSobCdVkOaz7G0DVp8m6a9O/dNiCt62C8xg8hJdPAfurnfySMfTPUGKG
# 5oLVIcGnjDG/kN+R1kDmejpHtTCpMR53NEbkfN0UxVnx9aClpLZj4Vl9teOdP/ir
# mFow0/mNCRZyFlZHV0xU4fwo5xMuwNu3sYee61O12sz3PNA3dgfZawsKfF3vQLy7
# eDPeses8AULl4+IaOwbBXuamtlDiARTM8jcnZ9nZr6LM3040d/2g36XbAkdmhQ/S
# jhwWpj6k9uKbrVLWYPnrR2Cc74toMdn80qJy+0Fu861ILpKCPbs=
# =8h+N
# -----END PGP SIGNATURE-----
# gpg: Signature made Wed 30 Aug 2023 10:23:26 AM EDT
# gpg: using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
# gpg: Can't check signature: No public key
|
|
commit d59070d1076ec5114edb67c87658aeb1d691d381 upstream.
Recent versions of clang warn about an unused variable, though older
versions saw the 'slot++' as a use and did not warn:
radix-tree.c:1136:50: error: parameter 'slot' set but not used [-Werror,-Wunused-but-set-parameter]
It's clearly not needed any more, so just remove it.
Link: https://lkml.kernel.org/r/20230811131023.2226509-1-arnd@kernel.org
Fixes: 3a08cd52c37c7 ("radix tree: Remove multiorder support")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: Peng Zhang <zhangpeng.00@bytedance.com>
Cc: Rong Tao <rongtao@cestc.cn>
Cc: Tom Rix <trix@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
commit 382d4cd1847517ffcb1800fd462b625db7b2ebea upstream.
The gcc compiler translates on some architectures the 64-bit
__builtin_clzll() function to a call to the libgcc function __clzdi2(),
which should take a 64-bit parameter on 32- and 64-bit platforms.
But in the current kernel code, the built-in __clzdi2() function is
defined to operate (wrongly) on 32-bit parameters if BITS_PER_LONG ==
32, thus the return values on 32-bit kernels are in the range from
[0..31] instead of the expected [0..63] range.
This patch fixes the in-kernel functions __clzdi2() and __ctzdi2() to
take a 64-bit parameter on 32-bit kernels as well, thus it makes the
functions identical for 32- and 64-bit kernels.
This bug went unnoticed since kernel 3.11 for over 10 years, and here
are some possible reasons for that:
a) Some architectures have assembly instructions to count the bits and
which are used instead of calling __clzdi2(), e.g. on x86 the bsr
instruction and on ppc cntlz is used. On such architectures the
wrong __clzdi2() implementation isn't used and as such the bug has
no effect and won't be noticed.
b) Some architectures link to libgcc.a, and the in-kernel weak
functions get replaced by the correct 64-bit variants from libgcc.a.
c) __builtin_clzll() and __clzdi2() doesn't seem to be used in many
places in the kernel, and most likely only in uncritical functions,
e.g. when printing hex values via seq_put_hex_ll(). The wrong return
value will still print the correct number, but just in a wrong
formatting (e.g. with too many leading zeroes).
d) 32-bit kernels aren't used that much any longer, so they are less
tested.
A trivial testcase to verify if the currently running 32-bit kernel is
affected by the bug is to look at the output of /proc/self/maps:
Here the kernel uses a correct implementation of __clzdi2():
root@debian:~# cat /proc/self/maps
00010000-00019000 r-xp 00000000 08:05 787324 /usr/bin/cat
00019000-0001a000 rwxp 00009000 08:05 787324 /usr/bin/cat
0001a000-0003b000 rwxp 00000000 00:00 0 [heap]
f7551000-f770d000 r-xp 00000000 08:05 794765 /usr/lib/hppa-linux-gnu/libc.so.6
...
and this kernel uses the broken implementation of __clzdi2():
root@debian:~# cat /proc/self/maps
0000000010000-0000000019000 r-xp 00000000 000000008:000000005 787324 /usr/bin/cat
0000000019000-000000001a000 rwxp 000000009000 000000008:000000005 787324 /usr/bin/cat
000000001a000-000000003b000 rwxp 00000000 00:00 0 [heap]
00000000f73d1000-00000000f758d000 r-xp 00000000 000000008:000000005 794765 /usr/lib/hppa-linux-gnu/libc.so.6
...
Signed-off-by: Helge Deller <deller@gmx.de>
Fixes: 4df87bb7b6a22 ("lib: add weak clz/ctz functions")
Cc: Chanho Min <chanho.min@lge.com>
Cc: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: stable@vger.kernel.org # v3.11+
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
This is the 5.10.188 stable release
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmTCEmYACgkQONu9yGCS
# aT5ETA/+MGhe+GasO74Gvx1MaSVJrPZgPzInUg5UoYIkf+N3BfNqH9KVrY/zFKfU
# mKNQSQDsli+WG8agHVzoa4lh3ZFHbiUrNx14n+3A8lZ0X5s31fqTLXRvKy9BCu4t
# 8OQW6nuMv22SVDd40F5ciroNmAbDquDfUQK4KbETNRPU2Yzvd5VEZiCY9aQAGFbc
# YnqBbx1Qc5EQKmzoBmEiup2j04SWXwMPQERKdFVZ1jrjC3hC8MFmL62YwfbCH4gY
# faDSZPj++/V5c++bP6oG8QhfrQS+WYGwFmEJpf4GUJ8dxxJC9Ao9CwcXbd2jOjfz
# Tk0gNQ9YPs+a2gexAnaHsJqKXn+dcRvkIMzmArApZv73PET0LgMv8N7s3OB5E9ei
# K2ft+nfXs5NCLRjPFCqL9nAeclj8ZX92B4d4mrpbqHZ+fFBiHMb0H/aGxfCAR0MJ
# BuW1dWQJykR2crhzQ1PJr3OthnL9O4Nl+bBAAuOu6NwqiALFW57uKXQ/2xfhPPbI
# qi0cTyXNYYY28kRdprERyV1w4K8W8V6L2YUt3N8LWuPNsI9pHSSQQDKru2JIR1T5
# rHeC41JSR6iw8rBXtkCj1YhGbH5P8CP3fxlikuKo3Q4PHCjVJo8ZpzYU/Ci8FFCL
# g/g6DLb9/AHtIhJ8WgcRcxbRNkdyGUc2w9uh6c3rBVS4gwFm/44=
# =2pvu
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu 27 Jul 2023 02:44:54 AM EDT
# gpg: using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
# gpg: Can't check signature: No public key
|
|
[ Upstream commit 8b64d420fe2450f82848178506d3e3a0bd195539 ]
syzbot is reporting false a positive ODEBUG message immediately after
ODEBUG was disabled due to OOM.
[ 1062.309646][T22911] ODEBUG: Out of memory. ODEBUG disabled
[ 1062.886755][ T5171] ------------[ cut here ]------------
[ 1062.892770][ T5171] ODEBUG: assert_init not available (active state 0) object: ffffc900056afb20 object type: timer_list hint: process_timeout+0x0/0x40
CPU 0 [ T5171] CPU 1 [T22911]
-------------- --------------
debug_object_assert_init() {
if (!debug_objects_enabled)
return;
db = get_bucket(addr);
lookup_object_or_alloc() {
debug_objects_enabled = 0;
return NULL;
}
debug_objects_oom() {
pr_warn("Out of memory. ODEBUG disabled\n");
// all buckets get emptied here, and
}
lookup_object_or_alloc(addr, db, descr, false, true) {
// this bucket is already empty.
return ERR_PTR(-ENOENT);
}
// Emits false positive warning.
debug_print_object(&o, "assert_init");
}
Recheck debug_object_enabled in debug_print_object() to avoid that.
Reported-by: syzbot <syzbot+7937ba6a50bdd00fffdf@syzkaller.appspotmail.com>
Suggested-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/r/492fe2ae-5141-d548-ebd5-62f5fe2e57f7@I-love.SAKURA.ne.jp
Closes: https://syzkaller.appspot.com/bug?extid=7937ba6a50bdd00fffdf
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
[ Upstream commit 7dae593cd226a0bca61201cf85ceb9335cf63682 ]
In a couple of situations like
name = kstrndup(buf, count, GFP_KERNEL);
if (!name)
return -ENOSPC;
the error is not actually "No space left on device", but "Out of memory".
It is semantically correct to return -ENOMEM in all failed kstrndup()
and kzalloc() cases in this driver, as it is not a problem with disk
space, but with kernel memory allocator failing allocation.
The semantically correct should be:
name = kstrndup(buf, count, GFP_KERNEL);
if (!name)
return -ENOMEM;
Cc: Dan Carpenter <error27@gmail.com>
Cc: Takashi Iwai <tiwai@suse.de>
Cc: Kees Cook <keescook@chromium.org>
Cc: "Luis R. Rodriguez" <mcgrof@ruslug.rutgers.edu>
Cc: Scott Branden <sbranden@broadcom.com>
Cc: Hans de Goede <hdegoede@redhat.com>
Cc: Brian Norris <briannorris@chromium.org>
Fixes: c92316bf8e948 ("test_firmware: add batched firmware tests")
Fixes: 0a8adf584759c ("test: add firmware_class loader test")
Fixes: 548193cba2a7d ("test_firmware: add support for firmware_request_platform")
Fixes: eb910947c82f9 ("test: firmware_class: add asynchronous request trigger")
Fixes: 061132d2b9c95 ("test_firmware: add test custom fallback trigger")
Fixes: 7feebfa487b92 ("test_firmware: add support for request_firmware_into_buf")
Signed-off-by: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Message-ID: <20230606070808.9300-1-mirsad.todorovac@alu.unizg.hr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
[ Upstream commit 6f67fbf8192da80c4db01a1800c7fceaca9cf1f9 ]
The `shift` variable which indicates the offset in the string at which
to start matching the pattern is initialized to `bm->patlen - 1`, but it
is not reset when a new block is retrieved. This means the implemen-
tation may start looking at later and later positions in each successive
block and miss occurrences of the pattern at the beginning. E.g.,
consider a HTTP packet held in a non-linear skb, where the HTTP request
line occurs in the second block:
[... 52 bytes of packet headers ...]
GET /bmtest HTTP/1.1\r\nHost: www.example.com\r\n\r\n
and the pattern is "GET /bmtest".
Once the first block comprising the packet headers has been examined,
`shift` will be pointing to somewhere near the end of the block, and so
when the second block is examined the request line at the beginning will
be missed.
Reinitialize the variable for each new block.
Fixes: 8082e4ed0a61 ("[LIB]: Boyer-Moore extension for textsearch infrastructure strike #2")
Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1390
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
This is the 5.10.185 stable release
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmSS/y4ACgkQONu9yGCS
# aT7AiBAAukB1bg+mF6pAjs8KHjn68ULXFeuwcJIMWWGNVBhvCWrjoZVmOIeGV7pZ
# m2LA9juhyFHgn/s0IvwLvGtYz8emkeZ+LxpPzrWj/DaijelP+tK5nmCm/tdfkS0F
# f+1GRPiAZAjnQG1h38iGQrydUiT9//qOdNou5rRkvxo8p0nHz4o66mgVMVJLDdVw
# 2K5t44qOry1KYBx6/XQmd7RjyXFlkTJg+SUXYGV4aZ7kwzVtYkydJ9x4YPY0X16K
# CXVPKEauJg7kuZB87xRopfldXbDMtBuWqnyvO9WJccgVuxeA65CNkcnRCM7Y95Z9
# TH3ryve6kdEniN1vBGvuQOWHLK7qV62wEFvn1o+jJIko7sHKqmOyfOsHneriFvzE
# 7S4cJSs61TCyfJ448axEbEyi7VZFhdf6TUfdM5X19S6aIoCNT85hBYoV/3Hubk/G
# lsjVCtnJKa8kMFz8lEBWwqV/Svqqzgi1I2HBJhqvILjsi2Kl7JCBuZfajZQC+myH
# zZsGczwUHRFkfs9u2zTCqQ/l4uwL6vMU8rOIBdG5Y2QKwt0roApZXT2QQomWMXtJ
# Az57rySRFyBJlIQszDh+22DpgodwEPNErTPZCu3IHqH4J45uvgFcZURIx0l7wTrW
# 7BbnhENLoAnFO15n7r7DaDgweb/ILk2g9viXJVWnDbXbI0djWXs=
# =6Kc9
# -----END PGP SIGNATURE-----
# gpg: Signature made Wed 21 Jun 2023 09:46:22 AM EDT
# gpg: using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
# gpg: Can't check signature: No public key
|
|
[ Upstream commit be37bed754ed90b2655382f93f9724b3c1aae847 ]
Dan Carpenter spotted that test_fw_config->reqs will be leaked if
trigger_batched_requests_store() is called two or more times.
The same appears with trigger_batched_requests_async_store().
This bug wasn't trigger by the tests, but observed by Dan's visual
inspection of the code.
The recommended workaround was to return -EBUSY if test_fw_config->reqs
is already allocated.
Fixes: 7feebfa487b92 ("test_firmware: add support for request_firmware_into_buf")
Cc: Luis Chamberlain <mcgrof@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Russ Weight <russell.h.weight@intel.com>
Cc: Tianfei Zhang <tianfei.zhang@intel.com>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Colin Ian King <colin.i.king@gmail.com>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: linux-kselftest@vger.kernel.org
Cc: stable@vger.kernel.org # v5.4
Suggested-by: Dan Carpenter <error27@gmail.com>
Suggested-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Acked-by: Luis Chamberlain <mcgrof@kernel.org>
Link: https://lore.kernel.org/r/20230509084746.48259-2-mirsad.todorovac@alu.unizg.hr
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
[ Upstream commit 4acfe3dfde685a5a9eaec5555351918e2d7266a1 ]
Dan Carpenter spotted a race condition in a couple of situations like
these in the test_firmware driver:
static int test_dev_config_update_u8(const char *buf, size_t size, u8 *cfg)
{
u8 val;
int ret;
ret = kstrtou8(buf, 10, &val);
if (ret)
return ret;
mutex_lock(&test_fw_mutex);
*(u8 *)cfg = val;
mutex_unlock(&test_fw_mutex);
/* Always return full write size even if we didn't consume all */
return size;
}
static ssize_t config_num_requests_store(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
{
int rc;
mutex_lock(&test_fw_mutex);
if (test_fw_config->reqs) {
pr_err("Must call release_all_firmware prior to changing config\n");
rc = -EINVAL;
mutex_unlock(&test_fw_mutex);
goto out;
}
mutex_unlock(&test_fw_mutex);
rc = test_dev_config_update_u8(buf, count,
&test_fw_config->num_requests);
out:
return rc;
}
static ssize_t config_read_fw_idx_store(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
{
return test_dev_config_update_u8(buf, count,
&test_fw_config->read_fw_idx);
}
The function test_dev_config_update_u8() is called from both the locked
and the unlocked context, function config_num_requests_store() and
config_read_fw_idx_store() which can both be called asynchronously as
they are driver's methods, while test_dev_config_update_u8() and siblings
change their argument pointed to by u8 *cfg or similar pointer.
To avoid deadlock on test_fw_mutex, the lock is dropped before calling
test_dev_config_update_u8() and re-acquired within test_dev_config_update_u8()
itself, but alas this creates a race condition.
Having two locks wouldn't assure a race-proof mutual exclusion.
This situation is best avoided by the introduction of a new, unlocked
function __test_dev_config_update_u8() which can be called from the locked
context and reducing test_dev_config_update_u8() to:
static int test_dev_config_update_u8(const char *buf, size_t size, u8 *cfg)
{
int ret;
mutex_lock(&test_fw_mutex);
ret = __test_dev_config_update_u8(buf, size, cfg);
mutex_unlock(&test_fw_mutex);
return ret;
}
doing the locking and calling the unlocked primitive, which enables both
locked and unlocked versions without duplication of code.
The similar approach was applied to all functions called from the locked
and the unlocked context, which safely mitigates both deadlocks and race
conditions in the driver.
__test_dev_config_update_bool(), __test_dev_config_update_u8() and
__test_dev_config_update_size_t() unlocked versions of the functions
were introduced to be called from the locked contexts as a workaround
without releasing the main driver's lock and thereof causing a race
condition.
The test_dev_config_update_bool(), test_dev_config_update_u8() and
test_dev_config_update_size_t() locked versions of the functions
are being called from driver methods without the unnecessary multiplying
of the locking and unlocking code for each method, and complicating
the code with saving of the return value across lock.
Fixes: 7feebfa487b92 ("test_firmware: add support for request_firmware_into_buf")
Cc: Luis Chamberlain <mcgrof@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Russ Weight <russell.h.weight@intel.com>
Cc: Takashi Iwai <tiwai@suse.de>
Cc: Tianfei Zhang <tianfei.zhang@intel.com>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Colin Ian King <colin.i.king@gmail.com>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: linux-kselftest@vger.kernel.org
Cc: stable@vger.kernel.org # v5.4
Suggested-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
Link: https://lore.kernel.org/r/20230509084746.48259-1-mirsad.todorovac@alu.unizg.hr
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
[ Upstream commit f7d85515bd21902b218370a1a6301f76e4e636ff ]
strtobool() is the same as kstrtobool().
However, the latter is more used within the kernel.
In order to remove strtobool() and slightly simplify kstrtox.h, switch to
the other function name.
While at it, include the corresponding header file (<linux/kstrtox.h>)
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Acked-by: Luis Chamberlain <mcgrof@kernel.org>
Link: https://lore.kernel.org/r/34f04735d20e0138695dd4070651bd860a36b81c.1673688120.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 4acfe3dfde68 ("test_firmware: prevent race conditions by a correct implementation of locking")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
[ Upstream commit 4c52729377eab025b238caeed48994a39c3b73f2 ]
kernel.h is being used as a dump for all kinds of stuff for a long time.
Here is the attempt to start cleaning it up by splitting out kstrtox() and
simple_strtox() helpers.
At the same time convert users in header and lib folders to use new
header. Though for time being include new header back to kernel.h to
avoid twisted indirected includes for existing users.
[andy.shevchenko@gmail.com: fix documentation references]
Link: https://lkml.kernel.org/r/20210615220003.377901-1-andy.shevchenko@gmail.com
Link: https://lkml.kernel.org/r/20210611185815.44103-1-andriy.shevchenko@linux.intel.com
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Acked-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Cc: Francis Laniel <laniel_francis@privacyrequired.com>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: Kars Mulder <kerneldev@karsmulder.nl>
Cc: Trond Myklebust <trond.myklebust@hammerspace.com>
Cc: Anna Schumaker <anna.schumaker@netapp.com>
Cc: "J. Bruce Fields" <bfields@fieldses.org>
Cc: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Stable-dep-of: 4acfe3dfde68 ("test_firmware: prevent race conditions by a correct implementation of locking")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
[ Upstream commit 506dfc9906e5cbf453bbcd5eb627689435583558 ]
Use proper conversion functions. kstrto*() variants exist for all
standard types.
Link: https://lkml.kernel.org/r/20201122123410.GB92364@localhost.localdomain
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Stable-dep-of: 4acfe3dfde68 ("test_firmware: prevent race conditions by a correct implementation of locking")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
This is the 5.10.184 stable release
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmSJhFAACgkQONu9yGCS
# aT7GHw//QBnGbyQpmxFSEYJurIj8d+h4lM+O9hPXLiqgOza5eH8vAsqpArRXyKuH
# u8IrAuiziHIokSt+VZ8S3/5G6XLSy4Mq4nfS6dd3QSaszZKPZjPQCaUaob80Q1tj
# KFnJ0xjoWDPclmeG3/HUzD3fQWa4l48yQuFCqEmGDtCZ0LVeT18DgK2Y93TOO6Gh
# iWXV5I0GFpAsyxzNfZu3YYfFUc53R55dP48G0AS4oadCrLkUXAGhbQd8sa3JZFrD
# IL3f2ceb2sCKdtldH1hipJXQhZIfl1BuET7lzO8DmKSJKwTb2Jw2+/vdJMEUUYcq
# qr/FwRBDxbTef6V3zQ29rbdwhZZze2QklNGl+PmsL5b/+sldxN9ENaDLhKw4H+tq
# YXs/TFyhnJ5/5/6+roXoAyeZqqs+hTrus0oCQuh89nTmt81mr528WUqEVxiloAci
# QLDjytABrmOzHh8PGlMtA4QeHv0+wx0iLxEb1cXwMf/CXipBfPm1y/sXDTsMJq84
# MADvuDo+RMlF9FP2O+9iLDNG2uTLJqr/MmSkLr4fIQyIEORQCc9GNz/TZjYAOrnY
# NUVb1kwhcOswZeADPSuZeLTUmZwVf9K6cUK0z07Sval3SHNt2RPqbtEkhTMFtAbM
# W/0fTdyJsUsOg0tTxjwMEqxfrwqqrngoYuh9sZDwDAzs7MYCww0=
# =Mkte
# -----END PGP SIGNATURE-----
# gpg: Signature made Wed 14 Jun 2023 05:11:44 AM EDT
# gpg: using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
# gpg: Can't check signature: No public key
|
|
[ Upstream commit 7c5d4801ecf0564c860033d89726b99723c55146 ]
irq_cpu_rmap_release() calls cpu_rmap_put(), which may free the rmap.
So we need to clear the pointer to our glue structure in rmap before
doing that, not after.
Fixes: 4e0473f1060a ("lib: cpu_rmap: Avoid use after free on rmap->obj array entries")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Link: https://lore.kernel.org/r/ZHo0vwquhOy3FaXc@decadent.org.uk
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
This is the 5.10.183 stable release
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmSC4yYACgkQONu9yGCS
# aT68EQ/+OhjtdVu3Dc2Buj8RLz9M21/hrD5ie8O9EkH7eqJYifO19dXp66yM5VGy
# JKiDLBZKWbahM0DMR/NynClL9BO0W9uQMAzP91pTAi/qFuOvAETQ6BwqbaNkp6b+
# W6eGAxyqZCLEUbWzhyPrLj93u2cmI0R1Ih2h7lSOp5C+lWJgIhxcdi1MPPqr7q/o
# Bjxg1auRY/yZuyqvyj7BpfQE/6rWgrlWtmvFCzs8zFPi98Wb+UBwM/uDTCzyUSlF
# 1QfBIVe1sYovFgMgkc3PJohiSXEntLwp9gngNjT8m6JAYqnwOz8Ld9SqCqgvPr3I
# ffA941DsOiVoVDofxce9MiPDVVvk44RPfjo+XYTUk3puJE2BM05/zttJB+lejJ3G
# 4Lvo58pB89br1tJnsGUlxtZCzeWwgpzlNFs8xx9y0zX2NfKPsJo6uCMfWVMyiJCA
# aomGaemH7RNE+4usfc0UT5GheseZnc5Mb61mRjJSzX1HzUTSNT6gHVvhfyJ5o4Me
# AfcCYltARR9hXImR6NkVdmkjmzRz430/f50oCl3a7hYmJoWrVsEx0XKX/BdtkM8E
# 8nD5axx+7+rOszDA8bJerYGkfmgoojkYBnd6T1bfI+d2ax29tLD9TxJfGPkMoXVY
# NGw1JyA9D/I+KRY8tgwanbZnXCY44sILuxWOb7tHRbz9f3+09Q4=
# =43Ik
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri 09 Jun 2023 04:30:30 AM EDT
# gpg: using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
# gpg: Can't check signature: No public key
|
|
commit 48e156023059e57a8fc68b498439832f7600ffff upstream.
The following kernel memory leak was noticed after running
tools/testing/selftests/firmware/fw_run_tests.sh:
[root@pc-mtodorov firmware]# cat /sys/kernel/debug/kmemleak
.
.
.
unreferenced object 0xffff955389bc3400 (size 1024):
comm "test_firmware-0", pid 5451, jiffies 4294944822 (age 65.652s)
hex dump (first 32 bytes):
47 48 34 35 36 37 0a 00 00 00 00 00 00 00 00 00 GH4567..........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff962f5dec>] slab_post_alloc_hook+0x8c/0x3c0
[<ffffffff962fcca4>] __kmem_cache_alloc_node+0x184/0x240
[<ffffffff962704de>] kmalloc_trace+0x2e/0xc0
[<ffffffff9665b42d>] test_fw_run_batch_request+0x9d/0x180
[<ffffffff95fd813b>] kthread+0x10b/0x140
[<ffffffff95e033e9>] ret_from_fork+0x29/0x50
unreferenced object 0xffff9553c334b400 (size 1024):
comm "test_firmware-1", pid 5452, jiffies 4294944822 (age 65.652s)
hex dump (first 32 bytes):
47 48 34 35 36 37 0a 00 00 00 00 00 00 00 00 00 GH4567..........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff962f5dec>] slab_post_alloc_hook+0x8c/0x3c0
[<ffffffff962fcca4>] __kmem_cache_alloc_node+0x184/0x240
[<ffffffff962704de>] kmalloc_trace+0x2e/0xc0
[<ffffffff9665b42d>] test_fw_run_batch_request+0x9d/0x180
[<ffffffff95fd813b>] kthread+0x10b/0x140
[<ffffffff95e033e9>] ret_from_fork+0x29/0x50
unreferenced object 0xffff9553c334f000 (size 1024):
comm "test_firmware-2", pid 5453, jiffies 4294944822 (age 65.652s)
hex dump (first 32 bytes):
47 48 34 35 36 37 0a 00 00 00 00 00 00 00 00 00 GH4567..........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff962f5dec>] slab_post_alloc_hook+0x8c/0x3c0
[<ffffffff962fcca4>] __kmem_cache_alloc_node+0x184/0x240
[<ffffffff962704de>] kmalloc_trace+0x2e/0xc0
[<ffffffff9665b42d>] test_fw_run_batch_request+0x9d/0x180
[<ffffffff95fd813b>] kthread+0x10b/0x140
[<ffffffff95e033e9>] ret_from_fork+0x29/0x50
unreferenced object 0xffff9553c3348400 (size 1024):
comm "test_firmware-3", pid 5454, jiffies 4294944822 (age 65.652s)
hex dump (first 32 bytes):
47 48 34 35 36 37 0a 00 00 00 00 00 00 00 00 00 GH4567..........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff962f5dec>] slab_post_alloc_hook+0x8c/0x3c0
[<ffffffff962fcca4>] __kmem_cache_alloc_node+0x184/0x240
[<ffffffff962704de>] kmalloc_trace+0x2e/0xc0
[<ffffffff9665b42d>] test_fw_run_batch_request+0x9d/0x180
[<ffffffff95fd813b>] kthread+0x10b/0x140
[<ffffffff95e033e9>] ret_from_fork+0x29/0x50
[root@pc-mtodorov firmware]#
Note that the size 1024 corresponds to the size of the test firmware
buffer. The actual number of the buffers leaked is around 70-110,
depending on the test run.
The cause of the leak is the following:
request_partial_firmware_into_buf() and request_firmware_into_buf()
provided firmware buffer isn't released on release_firmware(), we
have allocated it and we are responsible for deallocating it manually.
This is introduced in a number of context where previously only
release_firmware() was called, which was insufficient.
Reported-by: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
Fixes: 7feebfa487b92 ("test_firmware: add support for request_firmware_into_buf")
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Dan Carpenter <error27@gmail.com>
Cc: Takashi Iwai <tiwai@suse.de>
Cc: Luis Chamberlain <mcgrof@kernel.org>
Cc: Russ Weight <russell.h.weight@intel.com>
Cc: Tianfei zhang <tianfei.zhang@intel.com>
Cc: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Cc: Zhengchao Shao <shaozhengchao@huawei.com>
Cc: Colin Ian King <colin.i.king@gmail.com>
Cc: linux-kernel@vger.kernel.org
Cc: Kees Cook <keescook@chromium.org>
Cc: Scott Branden <sbranden@broadcom.com>
Cc: Luis R. Rodriguez <mcgrof@kernel.org>
Cc: linux-kselftest@vger.kernel.org
Cc: stable@vger.kernel.org # v5.4
Signed-off-by: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
Link: https://lore.kernel.org/r/20230509084746.48259-3-mirsad.todorovac@alu.unizg.hr
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
This is the 5.10.181 stable release
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmR15NEACgkQONu9yGCS
# aT53/RAAzq4D4nxVEzuAoluJCIN1eR56Ii20NhPnV3A6nfrlYrLvvCdBlgbI2C6U
# UrhPvARRwgxyIQ5qwhF3F66sXU+ZAjdMDpgTCxDkU7XIKvPIuGAs87Zv/CKTSi/X
# mJbmZQZQnpreunJ2zZGjbde5RP8tKmG2iVQkkDsQjRBYWyXhgMuaode2/OO64RHO
# by5gfFd3jbZMDQNmLZa8xAZ5Dbg0grsGS1r+tfKAaWpDVDDzYAVhRT1foPr0m7Uq
# 8Mp3A7mP0S/24S1BnE0wty8bgx2FcVXYp928BCeA0eZ/a+AY+E7EZAcGlgim+C6X
# ZNr1NtYpJ2kV34A4Lywb4bHU79ng9b4xvvlKB7x1XC9XVFDQ0o0PPnDj+Z/whe5Q
# 5/1wnBEKMPopk7y2nAK/KL815d2gllWqO/HSIM/8ECzUS8cb3VFMAM81+V9o0Txo
# ggABS9GQ6kVuGrbZpD4ZeXc1SgRQStHeuG9jfQ2F5ErFyyGmiU6Qxjk0Rma1idSs
# T6M7GCEezJ+SxjW4J5gBNWHfVqLM1kJEwdjrrguFbtTYHz21qLs87O4l0AinV0gm
# KFZXQAso90wJl+V9m7kQKIM1loiuLGAG+jP/Wv8lH882vvwVLUCrzJoIVBvVvbw1
# L/NW2Fvm5lo1DQBFGvqYHdfmiCSrZx+34Re6VD7R70RNU3dAYpY=
# =66a2
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue 30 May 2023 07:58:09 AM EDT
# gpg: using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
# gpg: Can't check signature: No public key
|
|
commit eb799279fb1f9c63c520fe8c1c41cb9154252db6 upstream.
syzbot is reporting a lockdep warning in fill_pool() because the allocation
from debugobjects is using GFP_ATOMIC, which is (__GFP_HIGH | __GFP_KSWAPD_RECLAIM)
and therefore tries to wake up kswapd, which acquires kswapd_wait::lock.
Since fill_pool() might be called with arbitrary locks held, fill_pool()
should not assume that acquiring kswapd_wait::lock is safe.
Use __GFP_HIGH instead and remove __GFP_NORETRY as it is pointless for
!__GFP_DIRECT_RECLAIM allocation.
Fixes: 3ac7fe5a4aab ("infrastructure to debug (dynamic) objects")
Reported-by: syzbot <syzbot+fe0c72f0ccbb93786380@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/r/6577e1fa-b6ee-f2be-2414-a2b51b1c5e30@I-love.SAKURA.ne.jp
Closes: https://syzkaller.appspot.com/bug?extid=fe0c72f0ccbb93786380
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
[ Upstream commit 4e0473f1060aa49621d40a113afde24818101d37 ]
When calling irq_set_affinity_notifier() with NULL at the notify
argument, it will cause freeing of the glue pointer in the
corresponding array entry but will leave the pointer in the array. A
subsequent call to free_irq_cpu_rmap() will try to free this entry again
leading to possible use after free.
Fix that by setting NULL to the array entry and checking that we have
non-zero at the array entry when iterating over the array in
free_irq_cpu_rmap().
The current code does not suffer from this since there are no cases
where irq_set_affinity_notifier(irq, NULL) (note the NULL passed for the
notify arg) is called, followed by a call to free_irq_cpu_rmap() so we
don't hit and issue. Subsequent patches in this series excersize this
flow, hence the required fix.
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Eli Cohen <elic@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
[ Upstream commit 162bd18eb55adf464a0fa2b4144b8d61c75ff7c2 ]
Add return value for dim_calc_stats. This is an indication for the
caller if curr_stats was assigned by the function. Avoid using
curr_stats uninitialized over {rdma/net}_dim, when no time delta between
samples. Coverity reported this potential use of an uninitialized
variable.
Fixes: 4c4dbb4a7363 ("net/mlx5e: Move dynamic interrupt coalescing code to include/linux")
Fixes: cb3c7fd4f839 ("net/mlx5e: Support adaptive RX coalescing")
Signed-off-by: Roy Novich <royno@nvidia.com>
Reviewed-by: Aya Levin <ayal@nvidia.com>
Reviewed-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
Link: https://lore.kernel.org/r/20230507135743.138993-1-tariqt@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
This is the 5.10.180 stable release
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmRkovEACgkQONu9yGCS
# aT5eiBAAzQvki9byDkrvU+XmupKlyNL4pMHvqhGMF7wIHNKLH+wOxK4lGavwNXEd
# 1Qzg0lurC21dLqOBBuJYR2tPASb5xAeKuuFCcr5TLLojm9X8tz7xAnvWoEJBKlKW
# gpJpG/JRYO+lC28bvx6vZoVqMPe5l8V+8cqXb5tlb9ptZNkdSu8cdecJkSi8dSIl
# S6GZ2TGRIJ22jtFOBdUeqpOT3ZhyEIoGkr3sUmUMl06Ssh4FIHehgS95TgXj0/2h
# TAZeqteuGLrDMPxM6RS+N5O4RD5Vea1XccVrgr+MgmOrgNf8Q/Uo+9eVfV1e8ceO
# ImHyNNH+nizrHcCd0b1SFpTnPJZ4w33KevcXW6KZqT/D4or7cN8egboouLwvOtJ2
# Lh44kdSMMIUNxyEa2v18SHt+S0DnJ/OJbTRm2pSIYzTHOQyneDMsjvuVqBfqwSzt
# eeFUCPTRtFBwuF6JvuJayhP5cc4jejN+KTsJ9+t09qsFB453pzGQEnIr4ht4ta5h
# msczTP3asKEpq50i2bCUqSOY+OTLlw6Bwaq6GFpYbKOEqBWYQvotgSHpGIyqKkin
# hd5PNueAJMq+Mq1+kY83BEfnZLAS8zqE92k32vCd3cRLwLmv7oOP5Ef6iZFC6Ys1
# TD29jtpKEKU63/PwvHAwicEuipWxnoZc+L3vbQ9zEcnRGyQ+pzA=
# =5ZUS
# -----END PGP SIGNATURE-----
# gpg: Signature made Wed 17 May 2023 05:48:33 AM EDT
# gpg: using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
# gpg: Can't check signature: No public key
|
|
commit 0af462f19e635ad522f28981238334620881badc upstream.
The recent fix to ensure atomicity of lookup and allocation inadvertently
broke the pool refill mechanism.
Prior to that change debug_objects_activate() and debug_objecs_assert_init()
invoked debug_objecs_init() to set up the tracking object for statically
initialized objects. That's not longer the case and debug_objecs_init() is
now the only place which does pool refills.
Depending on the number of statically initialized objects this can be
enough to actually deplete the pool, which was observed by Ido via a
debugobjects OOM warning.
Restore the old behaviour by adding explicit refill opportunities to
debug_objects_activate() and debug_objecs_assert_init().
Fixes: 63a759694eed ("debugobject: Prevent init race with static objects")
Reported-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Ido Schimmel <idosch@nvidia.com>
Link: https://lore.kernel.org/r/871qk05a9d.ffs@tglx
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
[ Upstream commit 63a759694eed61025713b3e14dd827c8548daadc ]
Statically initialized objects are usually not initialized via the init()
function of the subsystem. They are special cased and the subsystem
provides a function to validate whether an object which is not yet tracked
by debugobjects is statically initialized. This means the object is started
to be tracked on first use, e.g. activation.
This works perfectly fine, unless there are two concurrent operations on
that object. Schspa decoded the problem:
T0 T1
debug_object_assert_init(addr)
lock_hash_bucket()
obj = lookup_object(addr);
if (!obj) {
unlock_hash_bucket();
- > preemption
lock_subsytem_object(addr);
activate_object(addr)
lock_hash_bucket();
obj = lookup_object(addr);
if (!obj) {
unlock_hash_bucket();
if (is_static_object(addr))
init_and_track(addr);
lock_hash_bucket();
obj = lookup_object(addr);
obj->state = ACTIVATED;
unlock_hash_bucket();
subsys function modifies content of addr,
so static object detection does
not longer work.
unlock_subsytem_object(addr);
if (is_static_object(addr)) <- Fails
debugobject emits a warning and invokes the fixup function which
reinitializes the already active object in the worst case.
This race exists forever, but was never observed until mod_timer() got a
debug_object_assert_init() added which is outside of the timer base lock
held section right at the beginning of the function to cover the lockless
early exit points too.
Rework the code so that the lookup, the static object check and the
tracking object association happens atomically under the hash bucket
lock. This prevents the issue completely as all callers are serialized on
the hash bucket lock and therefore cannot observe inconsistent state.
Fixes: 3ac7fe5a4aab ("infrastructure to debug (dynamic) objects")
Reported-by: syzbot+5093ba19745994288b53@syzkaller.appspotmail.com
Debugged-by: Schspa Shi <schspa@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Stephen Boyd <swboyd@chromium.org>
Link: https://syzkaller.appspot.com/bug?id=22c8a5938eab640d1c6bcc0e3dc7be519d878462
Link: https://lore.kernel.org/lkml/20230303161906.831686-1-schspa@gmail.com
Link: https://lore.kernel.org/r/87zg7dzgao.ffs@tglx
Signed-off-by: Sasha Levin <sashal@kernel.org>
|