Kernel
Threads by month
- ----- 2025 -----
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- 20 participants
- 18004 discussions
Backport 5.10.112 LTS patches from upstream.
git cherry-pick v5.10.111..v5.10.112~1 -s
Complicts:
Already merged(10):
80a4df14643f7 hamradio: defer 6pack kfree after unregister_netdev
cfa98ffc42f16 hamradio: remove needs_free_netdev to avoid UAF
5ea00fc60676 ax25: add refcount in ax25_dev to avoid UAF bugs
5ddae8d06441 ax25: fix reference count leaks of ax25_dev
57cc15f5fd55 ax25: fix UAF bugs of net_device caused by rebinding operation
b20a5ab0f5fb ax25: Fix refcount leaks caused by ax25_cb_del()
a4942c6fea87 ax25: fix UAF bug in ax25_send_control()
145ea8d213e8 ax25: fix NPD bug in ax25_disconnect
f934fa478dd1 ax25: Fix NULL pointer dereferences in ax25 timers
5c62d3bf1410 ax25: Fix UAF bugs in ax25 timers
Rejected(1, KABI changed and hard to fix):
845f44ce3d9f net/sched: flower: fix parsing of ethertype following VLAN header
KABI fixes(2):
scsi: iscsi: fix kabi broken in struct iscsi_cls_conn
scsi: iscsi: fix kabi broken in struct iscsi_transport
Total patches: 104 - 10 - 1 + 2 = 95
Adrian Hunter (1):
perf tools: Fix misleading add event PMU debug message
Ajish Koshy (2):
scsi: pm80xx: Mask and unmask upper interrupt vectors 32-63
scsi: pm80xx: Enable upper inbound, outbound queues
Alexey Galakhov (1):
scsi: mvsas: Add PCI ID of RocketRaid 2640
Andy Chiu (1):
net: axienet: setup mdio unconditionally
Anna-Maria Behnsen (1):
timers: Fix warning condition in __run_timers()
Athira Rajeev (1):
testing/selftests/mqueue: Fix mq_perf_tests to free the allocated cpu
set
Aurabindo Pillai (1):
drm/amd: Add USBC connector ID
Benedikt Spranger (1):
net/sched: taprio: Check if socket flags are valid
Borislav Petkov (1):
perf/imx_ddr: Fix undefined behavior due to shift overflowing the
constant
Calvin Johnson (1):
net: mdio: Alphabetically sort header inclusion
Chandrakanth patil (1):
scsi: megaraid_sas: Target with invalid LUN ID is deleted during scan
Chao Gao (1):
dma-direct: avoid redundant memory sync for swiotlb
Charlene Liu (1):
drm/amd/display: fix audio format not updated after edid updated
Chiawen Huang (1):
drm/amd/display: FEC check in timing validation
Christian Lamparter (1):
ata: libata-core: Disable READ LOG DMA EXT for Samsung 840 EVOs
Chuck Lever (1):
SUNRPC: Fix the svc_deferred_event trace class
Cristian Marussi (1):
firmware: arm_scmi: Fix sorting of retrieved clock rates
Darrick J. Wong (1):
btrfs: fix fallocate to use file_modified to update permissions
consistently
Dinh Nguyen (1):
net: ethernet: stmmac: fix altr_tse_pcs function when using a
fixed-link
Duoming Zhou (1):
drivers: net: slip: fix NPD bug in sl_tx_timeout()
Fabio M. De Francesco (1):
ALSA: pcm: Test for "silence" field in struct "pcm_format_data"
Felix Kuehling (1):
drm/amdkfd: Use drm_priv to pass VM from KFD to amdgpu
Guillaume Nault (1):
veth: Ensure eth header is in skb's linear part
Harshit Mogalapalli (1):
cifs: potential buffer overflow in handling symlinks
James Smart (1):
scsi: lpfc: Fix queue failures when recovering from PCI parity error
Jason A. Donenfeld (1):
gcc-plugins: latent_entropy: use /dev/urandom
Jeremy Linton (1):
net: bcmgenet: Revert "Use stronger register read/writes to assure
ordering"
Jia-Ju Bai (1):
btrfs: fix root ref counts in error handling in btrfs_get_root_ref
Joey Gouly (1):
arm64: alternatives: mark patch_alternative() as `noinstr`
Johan Hovold (1):
memory: renesas-rpc-if: fix platform-device leak in error path
Johannes Berg (1):
nl80211: correctly check NL80211_ATTR_REG_ALPHA2 size
Jonathan Bakker (1):
regulator: wm8994: Add an off-on delay for WM8994 variant
Josef Bacik (1):
btrfs: do not warn for free space inode in cow_file_range
Juergen Gross (1):
mm, page_alloc: fix build_zonerefs_node()
Karsten Graul (1):
net/smc: Fix NULL pointer dereference in smc_pnet_find_ib()
Khazhismel Kumykov (1):
dm mpath: only use ktime_get_ns() in historical selector
Kyle Copperfield (1):
media: rockchip/rga: do proper error checking in probe
Leo (Hanghong) Ma (1):
drm/amd/display: Update VTEM Infopacket definition
Leo Ruan (1):
gpu: ipu-v3: Fix dev_dbg frequency output
Li Nan (1):
scsi: iscsi: fix kabi broken in struct iscsi_transport
Lin Ma (1):
nfc: nci: add flush_workqueue to prevent uaf
Linus Torvalds (1):
gpiolib: acpi: use correct format characters
Marcelo Ricardo Leitner (1):
net/sched: fix initialization order when updating chain 0 head
Marcin Kozlowski (1):
net: usb: aqc111: Fix out-of-bounds accesses in RX fixup
Mario Limonciello (2):
cpuidle: PSCI: Move the `has_lpi` check to the beginning of the
function
ACPI: processor idle: Check for architectural support for LPI
Martin Leung (1):
drm/amd/display: Revert FEC check in validation
Martin Povišer (1):
i2c: pasemi: Wait for write xfers to finish
Melissa Wen (1):
drm/amd/display: don't ignore alpha property on pre-multiplied mode
Miaoqian Lin (1):
memory: atmel-ebi: Fix missing of_node_put in atmel_ebi_probe
Michael Kelley (1):
Drivers: hv: vmbus: Prevent load re-ordering when reading ring buffer
Michael Walle (1):
net: dsa: felix: suppress -EPROBE_DEFER errors
Mike Christie (10):
scsi: iscsi: Stop queueing during ep_disconnect
scsi: iscsi: Force immediate failure during shutdown
scsi: iscsi: Use system_unbound_wq for destroy_work
scsi: iscsi: Rel ref after iscsi_lookup_endpoint()
scsi: iscsi: Fix in-kernel conn failure handling
scsi: iscsi: Move iscsi_ep_disconnect()
scsi: iscsi: Fix offload conn cleanup when iscsid restarts
scsi: iscsi: Fix conn cleanup and stop race during iscsid restart
scsi: iscsi: Fix endpoint reuse regression
scsi: iscsi: Fix unbound endpoint error handling
Mikulas Patocka (1):
dm integrity: fix memory corruption when tag_size is less than digest
size
Minchan Kim (1):
mm: fix unexpected zeroed page mapping with zram swap
Nadav Amit (1):
smp: Fix offline cpu check in flush_smp_call_function_queue()
Naohiro Aota (1):
btrfs: mark resumed async balance as writing
Nathan Chancellor (2):
btrfs: remove unused variable in
btrfs_{start,write}_dirty_block_groups()
ARM: davinci: da850-evm: Avoid NULL pointer dereference
Nicolas Dichtel (1):
ipv6: fix panic when forwarding a pkt with no in6 dev
Patrick Wang (1):
mm: kmemleak: take a full lowmem check in kmemleak_*_phys()
Paul Gortmaker (1):
tick/nohz: Use WARN_ON_ONCE() to prevent console saturation
Petr Malat (1):
sctp: Initialize daddr on peeled off socket
QintaoShen (1):
drm/amdkfd: Check for potential null return of kmalloc_array()
Rameshkumar Sundaram (1):
cfg80211: hold bss_lock while updating nontrans_list
Randy Dunlap (1):
net: micrel: fix KS8851_MLL Kconfig
Rei Yamamoto (1):
genirq/affinity: Consider that CPUs on nodes can be unbalanced
Rob Clark (2):
drm/msm: Add missing put_task_struct() in debugfs path
drm/msm: Fix range size vs end confusion
Roman Li (1):
drm/amd/display: Fix allocate_mst_payload assert on resume
Sean Christopherson (1):
KVM: x86/mmu: Resolve nx_huge_pages when kvm.ko is loaded
Stephen Boyd (1):
drm/msm/dsi: Use connector directly in
msm_dsi_manager_connector_init()
Steve Capper (1):
tlb: hugetlb: Add more sizes to tlb_remove_huge_tlb_entry
Tao Jin (1):
ALSA: hda/realtek: add quirk for Lenovo Thinkpad X12 speakers
Tianci Yin (1):
drm/amdgpu/vcn: improve vcn dpg stop procedure
Tim Crawford (1):
ALSA: hda/realtek: Add quirk for Clevo PD50PNT
Toke Høiland-Jørgensen (2):
ath9k: Properly clear TX status area before reporting to mac80211
ath9k: Fix usage of driver-private space in tx_info
Tomasz Moń (1):
drm/amdgpu: Enable gfxoff quirk on MacBook Pro
Tushar Patel (1):
drm/amdkfd: Fix Incorrect VMIDs passed to HWS
Tyrel Datwyler (1):
scsi: ibmvscsis: Increase INITIAL_SRP_LIMIT to 1024
Vadim Pasternak (1):
mlxsw: i2c: Fix initialization error flow
Xiaoguang Wang (1):
scsi: target: tcmu: Fix possible page UAF
Xiaomeng Tong (1):
myri10ge: fix an incorrect free for skb in myri10ge_sw_tso
Zhang Wensheng (1):
scsi: iscsi: fix kabi broken in struct iscsi_cls_conn
arch/arm/mach-davinci/board-da850-evm.c | 4 +-
arch/arm64/kernel/alternative.c | 6 +-
arch/arm64/kernel/cpuidle.c | 6 +-
arch/x86/include/asm/kvm_host.h | 5 +-
arch/x86/kvm/mmu/mmu.c | 20 +-
arch/x86/kvm/x86.c | 20 +-
drivers/acpi/processor_idle.c | 15 +-
drivers/ata/libata-core.c | 3 +
drivers/firmware/arm_scmi/clock.c | 3 +-
drivers/gpio/gpiolib-acpi.c | 4 +-
drivers/gpu/drm/amd/amdgpu/ObjectID.h | 1 +
.../gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 10 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 2 +-
drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 2 +
drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 3 +
drivers/gpu/drm/amd/amdkfd/kfd_device.c | 11 +-
drivers/gpu/drm/amd/amdkfd/kfd_events.c | 2 +
.../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 +-
.../gpu/drm/amd/display/dc/core/dc_resource.c | 4 +-
.../amd/display/dc/dcn10/dcn10_hw_sequencer.c | 14 +-
.../drm/amd/display/dc/dcn20/dcn20_hwseq.c | 14 +-
.../display/modules/info_packet/info_packet.c | 5 +-
drivers/gpu/drm/msm/adreno/a6xx_gpu.c | 2 +-
drivers/gpu/drm/msm/dsi/dsi_manager.c | 2 +-
drivers/gpu/drm/msm/msm_gem.c | 1 +
drivers/gpu/ipu-v3/ipu-di.c | 5 +-
drivers/hv/ring_buffer.c | 11 +-
drivers/i2c/busses/i2c-pasemi.c | 6 +
drivers/infiniband/ulp/iser/iscsi_iser.c | 9 +-
drivers/md/dm-historical-service-time.c | 10 +-
drivers/md/dm-integrity.c | 7 +-
drivers/media/platform/rockchip/rga/rga.c | 2 +-
drivers/memory/atmel-ebi.c | 23 +-
drivers/memory/renesas-rpc-if.c | 10 +-
drivers/net/dsa/ocelot/felix_vsc9959.c | 2 +-
.../net/ethernet/broadcom/genet/bcmgenet.c | 4 +-
drivers/net/ethernet/mellanox/mlxsw/i2c.c | 1 +
drivers/net/ethernet/micrel/Kconfig | 1 +
.../net/ethernet/myricom/myri10ge/myri10ge.c | 6 +-
.../ethernet/stmicro/stmmac/altr_tse_pcs.c | 8 -
.../ethernet/stmicro/stmmac/altr_tse_pcs.h | 4 +
.../ethernet/stmicro/stmmac/dwmac-socfpga.c | 13 +-
.../net/ethernet/xilinx/xilinx_axienet_main.c | 13 +-
drivers/net/mdio/mdio-bcm-unimac.c | 16 +-
drivers/net/mdio/mdio-bitbang.c | 4 +-
drivers/net/mdio/mdio-cavium.c | 2 +-
drivers/net/mdio/mdio-gpio.c | 10 +-
drivers/net/mdio/mdio-ipq4019.c | 4 +-
drivers/net/mdio/mdio-ipq8064.c | 4 +-
drivers/net/mdio/mdio-mscc-miim.c | 8 +-
drivers/net/mdio/mdio-mux-bcm-iproc.c | 10 +-
drivers/net/mdio/mdio-mux-gpio.c | 8 +-
drivers/net/mdio/mdio-mux-mmioreg.c | 6 +-
drivers/net/mdio/mdio-mux-multiplexer.c | 2 +-
drivers/net/mdio/mdio-mux.c | 6 +-
drivers/net/mdio/mdio-octeon.c | 8 +-
drivers/net/mdio/mdio-thunder.c | 10 +-
drivers/net/mdio/mdio-xgene.c | 6 +-
drivers/net/mdio/of_mdio.c | 10 +-
drivers/net/slip/slip.c | 2 +-
drivers/net/usb/aqc111.c | 9 +-
drivers/net/veth.c | 2 +-
drivers/net/wireless/ath/ath9k/main.c | 2 +-
drivers/net/wireless/ath/ath9k/xmit.c | 33 +-
drivers/perf/fsl_imx8_ddr_perf.c | 2 +-
drivers/regulator/wm8994-regulator.c | 42 +-
drivers/scsi/be2iscsi/be_iscsi.c | 19 +-
drivers/scsi/be2iscsi/be_main.c | 8 +-
drivers/scsi/bnx2i/bnx2i_iscsi.c | 31 +-
drivers/scsi/cxgbi/cxgb3i/cxgb3i.c | 8 +-
drivers/scsi/cxgbi/cxgb4i/cxgb4i.c | 8 +-
drivers/scsi/cxgbi/libcxgbi.c | 12 +-
drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c | 2 +-
drivers/scsi/libiscsi.c | 70 ++-
drivers/scsi/lpfc/lpfc_init.c | 2 +
drivers/scsi/megaraid/megaraid_sas.h | 3 +
drivers/scsi/megaraid/megaraid_sas_base.c | 7 +
drivers/scsi/mvsas/mv_init.c | 1 +
drivers/scsi/pm8001/pm80xx_hwi.c | 33 +-
drivers/scsi/qedi/qedi_iscsi.c | 32 +-
drivers/scsi/qla4xxx/ql4_os.c | 8 +-
drivers/scsi/scsi_transport_iscsi.c | 587 +++++++++++-------
drivers/target/target_core_user.c | 3 +-
fs/btrfs/block-group.c | 4 -
fs/btrfs/disk-io.c | 5 +-
fs/btrfs/file.c | 13 +-
fs/btrfs/inode.c | 1 -
fs/btrfs/volumes.c | 2 +
fs/cifs/link.c | 3 +
include/asm-generic/tlb.h | 10 +-
include/scsi/iscsi_if.h | 1 +
include/scsi/libiscsi.h | 1 +
include/scsi/scsi_transport_iscsi.h | 39 +-
include/trace/events/sunrpc.h | 7 +-
kernel/dma/direct.h | 3 +-
kernel/irq/affinity.c | 5 +-
kernel/smp.c | 2 +-
kernel/time/tick-sched.c | 2 +-
kernel/time/timer.c | 11 +-
mm/kmemleak.c | 8 +-
mm/page_alloc.c | 2 +-
mm/page_io.c | 54 --
net/ipv6/ip6_output.c | 2 +-
net/nfc/nci/core.c | 4 +
net/sched/cls_api.c | 2 +-
net/sched/sch_taprio.c | 3 +-
net/sctp/socket.c | 2 +-
net/smc/smc_pnet.c | 5 +-
net/wireless/nl80211.c | 3 +-
net/wireless/scan.c | 2 +
scripts/gcc-plugins/latent_entropy_plugin.c | 44 +-
sound/core/pcm_misc.c | 2 +-
sound/pci/hda/patch_realtek.c | 2 +
tools/perf/util/parse-events.c | 5 +-
.../testing/selftests/mqueue/mq_perf_tests.c | 25 +-
115 files changed, 1046 insertions(+), 565 deletions(-)
--
2.20.1
1
95
19 Jul '22
From: Wang Wensheng <wangwensheng4(a)huawei.com>
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I5DS9S
CVE: NA
--------------------------------------------------
This is not used for THP but the user page table is just like THP. The
user alloc hugepages via a special driver and its vma is not marked with
VM_HUGETLB. This commit allow to share those vma to kernel.
Signed-off-by: Wang Wensheng <wangwensheng4(a)huawei.com>
Reviewed-by: Weilong Chen <chenweilong(a)huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai(a)huawei.com>
---
include/linux/share_pool.h | 1 +
mm/share_pool.c | 44 +++++++++++++++++++++++++++++++++-----
2 files changed, 40 insertions(+), 5 deletions(-)
diff --git a/include/linux/share_pool.h b/include/linux/share_pool.h
index 6f294911c6af..d95084b8f624 100644
--- a/include/linux/share_pool.h
+++ b/include/linux/share_pool.h
@@ -178,6 +178,7 @@ struct sp_walk_data {
unsigned long uva_aligned;
unsigned long page_size;
bool is_hugepage;
+ bool is_page_type_set;
pmd_t *pmd;
};
diff --git a/mm/share_pool.c b/mm/share_pool.c
index 76088952d0a5..60ad48e238c4 100644
--- a/mm/share_pool.c
+++ b/mm/share_pool.c
@@ -2994,9 +2994,40 @@ EXPORT_SYMBOL_GPL(mg_sp_make_share_k2u);
static int sp_pmd_entry(pmd_t *pmd, unsigned long addr,
unsigned long next, struct mm_walk *walk)
{
+ struct page *page;
struct sp_walk_data *sp_walk_data = walk->private;
+ /*
+ * There exist a scene in DVPP where the pagetable is huge page but its
+ * vma doesn't record it, something like THP.
+ * So we cannot make out whether it is a hugepage map until we access the
+ * pmd here. If mixed size of pages appear, just return an error.
+ */
+ if (pmd_huge(*pmd)) {
+ if (!sp_walk_data->is_page_type_set) {
+ sp_walk_data->is_page_type_set = true;
+ sp_walk_data->is_hugepage = true;
+ } else if (!sp_walk_data->is_hugepage)
+ return -EFAULT;
+
+ /* To skip pte level walk */
+ walk->action = ACTION_CONTINUE;
+
+ page = pmd_page(*pmd);
+ get_page(page);
+ sp_walk_data->pages[sp_walk_data->page_count++] = page;
+
+ return 0;
+ }
+
+ if (!sp_walk_data->is_page_type_set) {
+ sp_walk_data->is_page_type_set = true;
+ sp_walk_data->is_hugepage = false;
+ } else if (sp_walk_data->is_hugepage)
+ return -EFAULT;
+
sp_walk_data->pmd = pmd;
+
return 0;
}
@@ -3140,6 +3171,8 @@ static int __sp_walk_page_range(unsigned long uva, unsigned long size,
sp_walk.pmd_entry = sp_pmd_entry;
}
+ sp_walk_data->is_page_type_set = false;
+ sp_walk_data->page_count = 0;
sp_walk_data->page_size = page_size;
uva_aligned = ALIGN_DOWN(uva, page_size);
sp_walk_data->uva_aligned = uva_aligned;
@@ -3164,8 +3197,12 @@ static int __sp_walk_page_range(unsigned long uva, unsigned long size,
ret = walk_page_range(mm, uva_aligned, uva_aligned + size_aligned,
&sp_walk, sp_walk_data);
- if (ret)
+ if (ret) {
+ while (sp_walk_data->page_count--)
+ put_page(pages[sp_walk_data->page_count]);
kvfree(pages);
+ sp_walk_data->pages = NULL;
+ }
return ret;
}
@@ -3201,9 +3238,7 @@ void *sp_make_share_u2k(unsigned long uva, unsigned long size, int pid)
int ret = 0;
struct mm_struct *mm = current->mm;
void *p = ERR_PTR(-ESRCH);
- struct sp_walk_data sp_walk_data = {
- .page_count = 0,
- };
+ struct sp_walk_data sp_walk_data;
struct vm_struct *area;
check_interrupt_context();
@@ -3544,7 +3579,6 @@ int sp_walk_page_range(unsigned long uva, unsigned long size,
return -ESRCH;
}
- sp_walk_data->page_count = 0;
down_write(&mm->mmap_lock);
if (likely(!mm->core_state))
ret = __sp_walk_page_range(uva, size, mm, sp_walk_data);
--
2.20.1
1
22
Backport 5.10.112 LTS patches from upstream.
git cherry-pick v5.10.111..v5.10.112~1 -s
Complicts:
Already merged(10):
80a4df14643f7 hamradio: defer 6pack kfree after unregister_netdev
cfa98ffc42f16 hamradio: remove needs_free_netdev to avoid UAF
5ea00fc60676 ax25: add refcount in ax25_dev to avoid UAF bugs
5ddae8d06441 ax25: fix reference count leaks of ax25_dev
57cc15f5fd55 ax25: fix UAF bugs of net_device caused by rebinding operation
b20a5ab0f5fb ax25: Fix refcount leaks caused by ax25_cb_del()
a4942c6fea87 ax25: fix UAF bug in ax25_send_control()
145ea8d213e8 ax25: fix NPD bug in ax25_disconnect
f934fa478dd1 ax25: Fix NULL pointer dereferences in ax25 timers
5c62d3bf1410 ax25: Fix UAF bugs in ax25 timers
Total patches: 104 - 10 = 94
Adrian Hunter (1):
perf tools: Fix misleading add event PMU debug message
Ajish Koshy (2):
scsi: pm80xx: Mask and unmask upper interrupt vectors 32-63
scsi: pm80xx: Enable upper inbound, outbound queues
Alexey Galakhov (1):
scsi: mvsas: Add PCI ID of RocketRaid 2640
Andy Chiu (1):
net: axienet: setup mdio unconditionally
Anna-Maria Behnsen (1):
timers: Fix warning condition in __run_timers()
Athira Rajeev (1):
testing/selftests/mqueue: Fix mq_perf_tests to free the allocated cpu
set
Aurabindo Pillai (1):
drm/amd: Add USBC connector ID
Benedikt Spranger (1):
net/sched: taprio: Check if socket flags are valid
Borislav Petkov (1):
perf/imx_ddr: Fix undefined behavior due to shift overflowing the
constant
Calvin Johnson (1):
net: mdio: Alphabetically sort header inclusion
Chandrakanth patil (1):
scsi: megaraid_sas: Target with invalid LUN ID is deleted during scan
Chao Gao (1):
dma-direct: avoid redundant memory sync for swiotlb
Charlene Liu (1):
drm/amd/display: fix audio format not updated after edid updated
Chiawen Huang (1):
drm/amd/display: FEC check in timing validation
Christian Lamparter (1):
ata: libata-core: Disable READ LOG DMA EXT for Samsung 840 EVOs
Chuck Lever (1):
SUNRPC: Fix the svc_deferred_event trace class
Cristian Marussi (1):
firmware: arm_scmi: Fix sorting of retrieved clock rates
Darrick J. Wong (1):
btrfs: fix fallocate to use file_modified to update permissions
consistently
Dinh Nguyen (1):
net: ethernet: stmmac: fix altr_tse_pcs function when using a
fixed-link
Duoming Zhou (1):
drivers: net: slip: fix NPD bug in sl_tx_timeout()
Fabio M. De Francesco (1):
ALSA: pcm: Test for "silence" field in struct "pcm_format_data"
Felix Kuehling (1):
drm/amdkfd: Use drm_priv to pass VM from KFD to amdgpu
Guillaume Nault (1):
veth: Ensure eth header is in skb's linear part
Harshit Mogalapalli (1):
cifs: potential buffer overflow in handling symlinks
James Smart (1):
scsi: lpfc: Fix queue failures when recovering from PCI parity error
Jason A. Donenfeld (1):
gcc-plugins: latent_entropy: use /dev/urandom
Jeremy Linton (1):
net: bcmgenet: Revert "Use stronger register read/writes to assure
ordering"
Jia-Ju Bai (1):
btrfs: fix root ref counts in error handling in btrfs_get_root_ref
Joey Gouly (1):
arm64: alternatives: mark patch_alternative() as `noinstr`
Johan Hovold (1):
memory: renesas-rpc-if: fix platform-device leak in error path
Johannes Berg (1):
nl80211: correctly check NL80211_ATTR_REG_ALPHA2 size
Jonathan Bakker (1):
regulator: wm8994: Add an off-on delay for WM8994 variant
Josef Bacik (1):
btrfs: do not warn for free space inode in cow_file_range
Juergen Gross (1):
mm, page_alloc: fix build_zonerefs_node()
Karsten Graul (1):
net/smc: Fix NULL pointer dereference in smc_pnet_find_ib()
Khazhismel Kumykov (1):
dm mpath: only use ktime_get_ns() in historical selector
Kyle Copperfield (1):
media: rockchip/rga: do proper error checking in probe
Leo (Hanghong) Ma (1):
drm/amd/display: Update VTEM Infopacket definition
Leo Ruan (1):
gpu: ipu-v3: Fix dev_dbg frequency output
Lin Ma (1):
nfc: nci: add flush_workqueue to prevent uaf
Linus Torvalds (1):
gpiolib: acpi: use correct format characters
Marcelo Ricardo Leitner (1):
net/sched: fix initialization order when updating chain 0 head
Marcin Kozlowski (1):
net: usb: aqc111: Fix out-of-bounds accesses in RX fixup
Mario Limonciello (2):
cpuidle: PSCI: Move the `has_lpi` check to the beginning of the
function
ACPI: processor idle: Check for architectural support for LPI
Martin Leung (1):
drm/amd/display: Revert FEC check in validation
Martin Povišer (1):
i2c: pasemi: Wait for write xfers to finish
Melissa Wen (1):
drm/amd/display: don't ignore alpha property on pre-multiplied mode
Miaoqian Lin (1):
memory: atmel-ebi: Fix missing of_node_put in atmel_ebi_probe
Michael Kelley (1):
Drivers: hv: vmbus: Prevent load re-ordering when reading ring buffer
Michael Walle (1):
net: dsa: felix: suppress -EPROBE_DEFER errors
Mike Christie (10):
scsi: iscsi: Stop queueing during ep_disconnect
scsi: iscsi: Force immediate failure during shutdown
scsi: iscsi: Use system_unbound_wq for destroy_work
scsi: iscsi: Rel ref after iscsi_lookup_endpoint()
scsi: iscsi: Fix in-kernel conn failure handling
scsi: iscsi: Move iscsi_ep_disconnect()
scsi: iscsi: Fix offload conn cleanup when iscsid restarts
scsi: iscsi: Fix conn cleanup and stop race during iscsid restart
scsi: iscsi: Fix endpoint reuse regression
scsi: iscsi: Fix unbound endpoint error handling
Mikulas Patocka (1):
dm integrity: fix memory corruption when tag_size is less than digest
size
Minchan Kim (1):
mm: fix unexpected zeroed page mapping with zram swap
Nadav Amit (1):
smp: Fix offline cpu check in flush_smp_call_function_queue()
Naohiro Aota (1):
btrfs: mark resumed async balance as writing
Nathan Chancellor (2):
btrfs: remove unused variable in
btrfs_{start,write}_dirty_block_groups()
ARM: davinci: da850-evm: Avoid NULL pointer dereference
Nicolas Dichtel (1):
ipv6: fix panic when forwarding a pkt with no in6 dev
Patrick Wang (1):
mm: kmemleak: take a full lowmem check in kmemleak_*_phys()
Paul Gortmaker (1):
tick/nohz: Use WARN_ON_ONCE() to prevent console saturation
Petr Malat (1):
sctp: Initialize daddr on peeled off socket
QintaoShen (1):
drm/amdkfd: Check for potential null return of kmalloc_array()
Rameshkumar Sundaram (1):
cfg80211: hold bss_lock while updating nontrans_list
Randy Dunlap (1):
net: micrel: fix KS8851_MLL Kconfig
Rei Yamamoto (1):
genirq/affinity: Consider that CPUs on nodes can be unbalanced
Rob Clark (2):
drm/msm: Add missing put_task_struct() in debugfs path
drm/msm: Fix range size vs end confusion
Roman Li (1):
drm/amd/display: Fix allocate_mst_payload assert on resume
Sean Christopherson (1):
KVM: x86/mmu: Resolve nx_huge_pages when kvm.ko is loaded
Stephen Boyd (1):
drm/msm/dsi: Use connector directly in
msm_dsi_manager_connector_init()
Steve Capper (1):
tlb: hugetlb: Add more sizes to tlb_remove_huge_tlb_entry
Tao Jin (1):
ALSA: hda/realtek: add quirk for Lenovo Thinkpad X12 speakers
Tianci Yin (1):
drm/amdgpu/vcn: improve vcn dpg stop procedure
Tim Crawford (1):
ALSA: hda/realtek: Add quirk for Clevo PD50PNT
Toke Høiland-Jørgensen (2):
ath9k: Properly clear TX status area before reporting to mac80211
ath9k: Fix usage of driver-private space in tx_info
Tomasz Moń (1):
drm/amdgpu: Enable gfxoff quirk on MacBook Pro
Tushar Patel (1):
drm/amdkfd: Fix Incorrect VMIDs passed to HWS
Tyrel Datwyler (1):
scsi: ibmvscsis: Increase INITIAL_SRP_LIMIT to 1024
Vadim Pasternak (1):
mlxsw: i2c: Fix initialization error flow
Vlad Buslov (1):
net/sched: flower: fix parsing of ethertype following VLAN header
Xiaoguang Wang (1):
scsi: target: tcmu: Fix possible page UAF
Xiaomeng Tong (1):
myri10ge: fix an incorrect free for skb in myri10ge_sw_tso
arch/arm/mach-davinci/board-da850-evm.c | 4 +-
arch/arm64/kernel/alternative.c | 6 +-
arch/arm64/kernel/cpuidle.c | 6 +-
arch/x86/include/asm/kvm_host.h | 5 +-
arch/x86/kvm/mmu/mmu.c | 20 +-
arch/x86/kvm/x86.c | 20 +-
drivers/acpi/processor_idle.c | 15 +-
drivers/ata/libata-core.c | 3 +
drivers/firmware/arm_scmi/clock.c | 3 +-
drivers/gpio/gpiolib-acpi.c | 4 +-
drivers/gpu/drm/amd/amdgpu/ObjectID.h | 1 +
.../gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 10 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 2 +-
drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 2 +
drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 3 +
drivers/gpu/drm/amd/amdkfd/kfd_device.c | 11 +-
drivers/gpu/drm/amd/amdkfd/kfd_events.c | 2 +
.../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 +-
.../gpu/drm/amd/display/dc/core/dc_resource.c | 4 +-
.../amd/display/dc/dcn10/dcn10_hw_sequencer.c | 14 +-
.../drm/amd/display/dc/dcn20/dcn20_hwseq.c | 14 +-
.../display/modules/info_packet/info_packet.c | 5 +-
drivers/gpu/drm/msm/adreno/a6xx_gpu.c | 2 +-
drivers/gpu/drm/msm/dsi/dsi_manager.c | 2 +-
drivers/gpu/drm/msm/msm_gem.c | 1 +
drivers/gpu/ipu-v3/ipu-di.c | 5 +-
drivers/hv/ring_buffer.c | 11 +-
drivers/i2c/busses/i2c-pasemi.c | 6 +
drivers/infiniband/ulp/iser/iscsi_iser.c | 2 +
drivers/md/dm-historical-service-time.c | 10 +-
drivers/md/dm-integrity.c | 7 +-
drivers/media/platform/rockchip/rga/rga.c | 2 +-
drivers/memory/atmel-ebi.c | 23 +-
drivers/memory/renesas-rpc-if.c | 10 +-
drivers/net/dsa/ocelot/felix_vsc9959.c | 2 +-
.../net/ethernet/broadcom/genet/bcmgenet.c | 4 +-
drivers/net/ethernet/mellanox/mlxsw/i2c.c | 1 +
drivers/net/ethernet/micrel/Kconfig | 1 +
.../net/ethernet/myricom/myri10ge/myri10ge.c | 6 +-
.../ethernet/stmicro/stmmac/altr_tse_pcs.c | 8 -
.../ethernet/stmicro/stmmac/altr_tse_pcs.h | 4 +
.../ethernet/stmicro/stmmac/dwmac-socfpga.c | 13 +-
.../net/ethernet/xilinx/xilinx_axienet_main.c | 13 +-
drivers/net/mdio/mdio-bcm-unimac.c | 16 +-
drivers/net/mdio/mdio-bitbang.c | 4 +-
drivers/net/mdio/mdio-cavium.c | 2 +-
drivers/net/mdio/mdio-gpio.c | 10 +-
drivers/net/mdio/mdio-ipq4019.c | 4 +-
drivers/net/mdio/mdio-ipq8064.c | 4 +-
drivers/net/mdio/mdio-mscc-miim.c | 8 +-
drivers/net/mdio/mdio-mux-bcm-iproc.c | 10 +-
drivers/net/mdio/mdio-mux-gpio.c | 8 +-
drivers/net/mdio/mdio-mux-mmioreg.c | 6 +-
drivers/net/mdio/mdio-mux-multiplexer.c | 2 +-
drivers/net/mdio/mdio-mux.c | 6 +-
drivers/net/mdio/mdio-octeon.c | 8 +-
drivers/net/mdio/mdio-thunder.c | 10 +-
drivers/net/mdio/mdio-xgene.c | 6 +-
drivers/net/mdio/of_mdio.c | 10 +-
drivers/net/slip/slip.c | 2 +-
drivers/net/usb/aqc111.c | 9 +-
drivers/net/veth.c | 2 +-
drivers/net/wireless/ath/ath9k/main.c | 2 +-
drivers/net/wireless/ath/ath9k/xmit.c | 33 +-
drivers/perf/fsl_imx8_ddr_perf.c | 2 +-
drivers/regulator/wm8994-regulator.c | 42 +-
drivers/scsi/be2iscsi/be_iscsi.c | 19 +-
drivers/scsi/be2iscsi/be_main.c | 1 +
drivers/scsi/bnx2i/bnx2i_iscsi.c | 24 +-
drivers/scsi/cxgbi/cxgb3i/cxgb3i.c | 1 +
drivers/scsi/cxgbi/cxgb4i/cxgb4i.c | 1 +
drivers/scsi/cxgbi/libcxgbi.c | 12 +-
drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c | 2 +-
drivers/scsi/libiscsi.c | 70 ++-
drivers/scsi/lpfc/lpfc_init.c | 2 +
drivers/scsi/megaraid/megaraid_sas.h | 3 +
drivers/scsi/megaraid/megaraid_sas_base.c | 7 +
drivers/scsi/mvsas/mv_init.c | 1 +
drivers/scsi/pm8001/pm80xx_hwi.c | 33 +-
drivers/scsi/qedi/qedi_iscsi.c | 26 +-
drivers/scsi/qla4xxx/ql4_os.c | 2 +
drivers/scsi/scsi_transport_iscsi.c | 541 +++++++++++-------
drivers/target/target_core_user.c | 3 +-
fs/btrfs/block-group.c | 4 -
fs/btrfs/disk-io.c | 5 +-
fs/btrfs/file.c | 13 +-
fs/btrfs/inode.c | 1 -
fs/btrfs/volumes.c | 2 +
fs/cifs/link.c | 3 +
include/asm-generic/tlb.h | 10 +-
include/net/flow_dissector.h | 2 +
include/scsi/libiscsi.h | 1 +
include/scsi/scsi_transport_iscsi.h | 14 +-
include/trace/events/sunrpc.h | 7 +-
kernel/dma/direct.h | 3 +-
kernel/irq/affinity.c | 5 +-
kernel/smp.c | 2 +-
kernel/time/tick-sched.c | 2 +-
kernel/time/timer.c | 11 +-
mm/kmemleak.c | 8 +-
mm/page_alloc.c | 2 +-
mm/page_io.c | 54 --
net/core/flow_dissector.c | 1 +
net/ipv6/ip6_output.c | 2 +-
net/nfc/nci/core.c | 4 +
net/sched/cls_api.c | 2 +-
net/sched/cls_flower.c | 18 +-
net/sched/sch_taprio.c | 3 +-
net/sctp/socket.c | 2 +-
net/smc/smc_pnet.c | 5 +-
net/wireless/nl80211.c | 3 +-
net/wireless/scan.c | 2 +
scripts/gcc-plugins/latent_entropy_plugin.c | 44 +-
sound/core/pcm_misc.c | 2 +-
sound/pci/hda/patch_realtek.c | 2 +
tools/perf/util/parse-events.c | 5 +-
.../testing/selftests/mqueue/mq_perf_tests.c | 25 +-
117 files changed, 959 insertions(+), 554 deletions(-)
--
2.20.1
1
94
Backport 5.10.111 LTS patches from upstream.
Complicts:
Already merged(4):
2dc49f58a29c ubifs: Rectify space amount budget for mkdir/tmpfile operations
c688705a3978 Revert "NFSv4: Handle the special Linux file open access mode"
2827328e646d io_uring: fix race between timeout flush and removal
4665722d36ad cgroup: Use open-time credentials for process migraton perm checks
Context conflict(3):
4820847e8bc2 usb: ehci: add pci device support for Aspeed platforms
8a7ada4b8f5d scsi: hisi_sas: Free irq vectors in order for v3 HW
9de98470db6e arm64: Add part number for Arm Cortex-A78AE
Rejected(1):
2f2f017ea873 dm: requeue IO if mapping table not yet available
Implement changed(-1+1):
d36febbcd537 powerpc: Fix virt_addr_valid() for 64-bit Book3E & 32-bit
Added(1):
ipv6: fix kabi for mc_forwarding in struct ipv6_devconf
Total patches: 170 - 4 - 1 + 1 - 1 + 1 = 166
Adam Wujek (1):
clk: si5341: fix reported clk_rate when output divider is 2
Adrian Hunter (1):
perf tools: Fix perf's libperf_print callback
Aharon Landau (1):
RDMA/mlx5: Don't remove cache MRs when a delay is needed
Alex Deucher (2):
drm/amdkfd: make CRAT table missing message informational only
drm/amdgpu/smu10: fix SoC/fclk units in auto mode
Alexander Lobakin (1):
MIPS: fix fortify panic when copying asm exception handlers
Amjad Ouled-Ameur (1):
phy: amlogic: meson8b-usb2: Use dev_err_probe()
Anatolii Gerasymenko (2):
ice: Set txq_teid to ICE_INVAL_TEID on ring creation
ice: Do not skip not enabled queues in ice_vc_dis_qs_msg
Andre Przywara (1):
irqchip/gic, gic-v3: Prevent GSI to SGI translations
Andrea Parri (Microsoft) (1):
Drivers: hv: vmbus: Replace smp_store_mb() with virt_store_mb()
Andreas Gruenbacher (2):
gfs2: Check for active reservation in gfs2_release
gfs2: gfs2_setattr_size error path fix
Andy Gospodarek (1):
bnxt_en: reserve space inside receive page for skb_shared_info
Anisse Astier (1):
drm: Add orientation quirk for GPD Win Max
Arnaldo Carvalho de Melo (4):
perf build: Don't use -ffat-lto-objects in the python feature test
when building with clang-13
perf python: Fix probing for some clang command line options
tools build: Filter out options and warnings not supported by clang
tools build: Use $(shell ) instead of `` to get embedded libperl's
ccopts
Avraham Stern (1):
cfg80211: don't add non transmitted BSS to 6GHz scanned channels
Bob Peterson (1):
gfs2: Fix gfs2_release for non-writers regression
Chanho Park (1):
arm64: Add part number for Arm Cortex-A78AE
Chen-Yu Tsai (1):
net: stmmac: Fix unset max_speed difference between DT and non-DT
platforms
Christian Lamparter (1):
ata: sata_dwc_460ex: Fix crash due to OOB write
Christophe JAILLET (1):
scsi: zorro7xx: Fix a resource leak in zorro7xx_remove_one()
Dale Zhao (1):
drm/amd/display: Add signal type check when verify stream backends
same
Damien Le Moal (5):
scsi: pm8001: Fix pm80xx_pci_mem_copy() interface
scsi: pm8001: Fix pm8001_mpi_task_abort_resp()
scsi: pm8001: Fix task leak in pm8001_send_abort_all()
scsi: pm8001: Fix tag leaks on error
scsi: pm8001: Fix memory leak in pm8001_chip_fw_flash_update_req()
Dan Carpenter (1):
drm/amdgpu: fix off by one in amdgpu_gfx_kiq_acquire()
David Ahern (1):
ipv6: Fix stats accounting in ip6_pkt_drop
Denis Nikitin (1):
perf session: Remap buf if there is no space for event
Dongli Zhang (1):
xen: delay xen_hvm_init_time_ops() if kdump is boot on vcpu>=32
Douglas Miller (1):
RDMA/hfi1: Fix use-after-free bug for mm struct
Dust Li (1):
net/smc: correct settings of RMB window update limit
Eric Dumazet (2):
ipv6: make mc_forwarding atomic
rxrpc: fix a race in rxrpc_exit_net()
Ethan Lien (1):
btrfs: fix qgroup reserve overflow the qgroup limit
Evgeny Boger (1):
power: supply: axp20x_battery: properly report current when
discharging
Fangrui Song (1):
arm64: module: remove (NOLOAD) from linker script
Guilherme G. Piccoli (1):
Drivers: hv: vmbus: Fix potential crash on module unload
Guo Ren (1):
arm64: patch_text: Fixup last cpu should be master
Guo Xuenan (1):
lz4: fix LZ4_decompress_safe_partial read out of bound
H. Nikolaus Schaller (1):
usb: dwc3: omap: fix "unbalanced disables for smps10_out1" on omap5evm
Haimin Zhang (1):
jfs: prevent NULL deref in diFree
Hangyu Hua (2):
mips: ralink: fix a refcount leak in ill_acc_of_setup()
powerpc/secvar: fix refcount leak in format_show()
Hans de Goede (1):
power: supply: axp288-charger: Set Vhold to 4.4V
Harold Huang (1):
tuntap: add sanity checks about msg_controllen in sendmsg
Helge Deller (1):
parisc: Fix CPU affinity for Lasi, WAX and Dino chips
Hou Wenlong (1):
KVM: x86/emulator: Emulate RDPID only if it is enabled in guest
Hou Zhiqiang (1):
PCI: endpoint: Fix alignment fault error in copy tests
Ido Schimmel (1):
ipv4: Invalidate neighbour for broadcast address upon address addition
Ilan Peer (1):
iwlwifi: mvm: Correctly set fragmented EBS
Ilya Maximets (2):
net: openvswitch: don't send internal clone attribute to the
userspace.
net: openvswitch: fix leak of nested actions
Ivan Vecera (1):
ice: Clear default forwarding VSI during VSI release
Jakub Kicinski (2):
net: account alternate interface name memory
net: limit altnames to 64k total
Jakub Sitnicki (1):
bpf: Make dst_port field in struct bpf_sock 16-bit wide
James Clark (1):
perf: arm-spe: Fix perf report --mem-mode
Jamie Bainbridge (1):
qede: confirm skb is allocated before using
Jianglei Nie (1):
scsi: libfc: Fix use after free in fc_exch_abts_resp()
Jiasheng Jiang (2):
rtc: wm8350: Handle error for wm8350_register_irq
drm/imx: imx-ldb: Check for null pointer after calling kmemdup
Jim Mattson (1):
KVM: x86/svm: Clear reserved bits written to PerfEvtSeln MSRs
Jiri Slaby (1):
serial: samsung_tty: do not unlock port->lock for uart_write_wakeup()
John David Anglin (1):
parisc: Fix patch code locking and flushing
Jordy Zomer (1):
dm ioctl: prevent potential spectre v1 gadget
José Expósito (1):
drm/imx: Fix memory leak in imx_pd_connector_get_modes
Kaiwen Hu (1):
btrfs: prevent subvol with swapfile from being deleted
Kalle Valo (1):
ath11k: mhi: use mhi_sync_power_up()
Kamal Dasu (1):
spi: bcm-qspi: fix MSPI only access with bcm_qspi_exec_mem_op()
Karol Herbst (1):
drm/nouveau/pmu: Add missing callbacks for Tegra devices
Kees Cook (1):
ubsan: remove CONFIG_UBSAN_OBJECT_SIZE
Kefeng Wang (1):
powerpc: Fix virt_addr_valid() for 64-bit Book3E & 32-bit
Krzysztof Kozlowski (1):
MIPS: ingenic: correct unit node address
Lee Jones (1):
drm/amdkfd: Create file descriptor after client is added to
smi_clients list
Li Chen (1):
PCI: endpoint: Fix misused goto label
Lorenzo Bianconi (1):
mt76: dma: initialize skip_unmap in mt76_dma_rx_fill
Lucas Denefle (1):
w1: w1_therm: fixes w1_seq for ds28ea00 sensors
Luiz Augusto von Dentz (2):
Bluetooth: Fix not checking for valid hdev on
bt_dev_{info,warn,err,dbg}
Bluetooth: Fix use after free in hci_send_acl
Lv Yunlong (1):
drbd: Fix five use after free bugs in get_initial_state
Maciej Fijalkowski (1):
ice: synchronize_rcu() when terminating rings
Manivannan Sadhasivam (1):
PCI: pciehp: Add Qualcomm quirk for Command Completed erratum
Marc Zyngier (1):
irqchip/gic-v3: Fix GICR_CTLR.RWP polling
Martin Habets (1):
sfc: Do not free an empty page_ring
Mauricio Faria de Oliveira (1):
mm: fix race between MADV_FREE reclaim and blkdev direct IO read
Max Filippov (1):
xtensa: fix DTC warning unit_address_format
Maxim Kiselev (1):
powerpc: dts: t104xrdb: fix phy type for FMAN 4/5
Maxim Mikityanskiy (1):
bpf: Support dual-stack sockets in bpf_tcp_check_syncookie
Maxime Ripard (1):
clk: Enforce that disjoints limits are invalid
Miaohe Lin (1):
mm/mempolicy: fix mpol_new leak in shared_policy_replace
Miaoqian Lin (1):
dpaa2-ptp: Fix refcount leak in dpaa2_ptp_probe
Michael Chan (1):
bnxt_en: Eliminate unintended link toggle during FW reset
Michael Walle (2):
net: sfp: add 2500base-X quirk for Lantech SFP module
net: phy: mscc-miim: reject clause 45 register accesses
Minghao Chi (CGEL ZTE) (1):
Bluetooth: use memset avoid memory leaks
Nathan Chancellor (1):
x86/Kconfig: Do not allow CONFIG_X86_X32_ABI=y with llvm-objcopy
Neal Liu (1):
usb: ehci: add pci device support for Aspeed platforms
NeilBrown (5):
SUNRPC/call_alloc: async tasks mustn't block waiting for memory
SUNRPC/xprt: async tasks mustn't block waiting for memory
SUNRPC: remove scheduling boost for "SWAPPER" tasks.
NFS: swap IO handling is slightly different for O_DIRECT IO
NFS: swap-out must always use STABLE writes.
Niels Dossche (1):
IB/rdmavt: add lock to call to rvt_error_qp to prevent a race
condition
Nikolay Aleksandrov (1):
net: ipv4: fix route with nexthop object delete warning
Oliver Hartkopp (1):
can: isotp: set default value for N_As to 50 micro seconds
Pali Rohár (2):
PCI: aardvark: Fix support for MSI interrupts
Revert "mmc: sdhci-xenon: fix annoying 1.8V regulator warning"
Paolo Bonzini (1):
mmmremap.c: avoid pointless invalidate_range_start/end on
mremap(old_size=0)
Pavel Begunkov (1):
io_uring: don't touch scm_fp_list after queueing skb
Pawan Gupta (2):
x86/pm: Save the MSR validity status at context setup
x86/speculation: Restore speculation related MSRs during S3 resume
Peter Xu (1):
mm: don't skip swap entry even if zap_details specified
Qi Liu (1):
scsi: hisi_sas: Free irq vectors in order for v3 HW
Qinghua Jin (1):
minix: fix bug when opening a file with O_DIRECT
Rajneesh Bhardwaj (1):
drm/amdgpu: Fix recursive locking warning
Randy Dunlap (3):
scsi: aha152x: Fix aha152x_setup() __setup handler return value
init/main.c: return 1 from handled __setup() functions
virtio_console: eliminate anonymous module_init & module_exit
Sachin Sant (1):
selftests/cgroup: Fix build on older distros
Sasha Levin (1):
Revert "hv: utils: add PTP_1588_CLOCK to Kconfig to fix build"
Sebastian Andrzej Siewior (1):
tcp: Don't acquire inet_listen_hashbucket::lock with disabled BH.
Shreeya Patel (1):
gpio: Restrict usage of GPIO chip irq members before initialization
Sourabh Jain (1):
powerpc: Set crashkernel offset to mid of RMA region
Stefan Wahren (1):
staging: vchiq_core: handle NULL result of find_service_by_handle
Sven Eckelmann (1):
macvtap: advertise link netns via netlink
Tejun Heo (3):
selftests: cgroup: Make cg_create() use 0755 for permission instead of
0644
selftests: cgroup: Test open-time credential usage for migration
checks
selftests: cgroup: Test open-time cgroup namespace usage for migration
checks
Tony Lindgren (2):
clk: ti: Preserve node in ti_dt_clocks_register()
iommu/omap: Fix regression in probe for NULL pointer dereference
Trond Myklebust (7):
NFSv4: Protect the state recovery thread against direct reclaim
SUNRPC: Fix socket waits for write buffer space
NFS: nfsiod should not block forever in mempool_alloc()
NFS: Avoid writeback threads getting stuck in mempool_alloc()
SUNRPC: Handle ENOMEM in call_transmit_status()
SUNRPC: Handle low memory situations in call_status()
SUNRPC: svc_tcp_sendmsg() should handle errors from xdr_alloc_bvec()
Venkateswara Naralasetty (1):
ath11k: fix kernel panic during unload/load ath11k modules
Vinod Koul (1):
dmaengine: Revert "dmaengine: shdma: Fix runtime PM imbalance on
error"
Waiman Long (1):
mm/sparsemem: fix 'mem_section' will never be NULL gcc 12 warning
Wang Yufen (1):
netlabel: fix out-of-bounds memory accesses
Wayne Chang (2):
usb: gadget: tegra-xudc: Do not program SPARAM
usb: gadget: tegra-xudc: Fix control endpoint's definitions
Wolfram Sang (1):
mmc: renesas_sdhi: don't overwrite TAP settings when HS400 tuning is
complete
Xiaoke Wang (1):
staging: wfx: fix an error handling in wfx_init_common()
Xiaomeng Tong (1):
perf: qcom_l2_pmu: fix an incorrect NULL check on list iterator
Xin Xiong (2):
drm/amd/amdgpu/amdgpu_cs: fix refcount leak of a dma_fence obj
NFSv4.2: fix reference count leaks in _nfs42_proc_copy_notify()
Xiubo Li (1):
ceph: fix memory leak in ceph_readdir when note_last_dentry returns
error
Yang Guang (3):
ptp: replace snprintf with sysfs_emit
scsi: mvsas: Replace snprintf() with sysfs_emit()
scsi: bfa: Replace snprintf() with sysfs_emit()
Yang Li (1):
mt76: mt7615: Fix assigning negative values to unsigned variable
Yann Gautier (1):
mmc: mmci: stm32: correctly check all elements of sg list
Yonghong Song (1):
libbpf: Fix build issue with llvm-readelf
Zekun Shen (1):
ath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111
Zheng Zengkai (2):
ipv6: fix kabi for mc_forwarding in struct ipv6_devconf
Revert "powerpc: Fix virt_addr_valid() check"
Zhou Guanghui (1):
iommu/arm-smmu-v3: fix event handling soft lockup
Ziyang Xuan (1):
net/tls: fix slab-out-of-bounds bug in decrypt_internal
arch/arm64/include/asm/cputype.h | 2 +
arch/arm64/include/asm/module.lds.h | 6 +-
arch/arm64/kernel/insn.c | 4 +-
arch/arm64/kernel/proton-pack.c | 1 +
arch/mips/boot/dts/ingenic/jz4780.dtsi | 2 +-
arch/mips/include/asm/setup.h | 2 +-
arch/mips/kernel/traps.c | 22 +--
arch/mips/ralink/ill_acc.c | 1 +
arch/parisc/kernel/patch.c | 25 ++-
arch/powerpc/boot/dts/fsl/t104xrdb.dtsi | 4 +-
arch/powerpc/include/asm/page.h | 7 +-
arch/powerpc/kernel/rtas.c | 6 +
arch/powerpc/kernel/secvar-sysfs.c | 9 +-
arch/powerpc/kexec/core.c | 15 +-
arch/x86/Kconfig | 5 +
arch/x86/kvm/emulate.c | 4 +-
arch/x86/kvm/kvm_emulate.h | 1 +
arch/x86/kvm/svm/pmu.c | 8 +-
arch/x86/kvm/x86.c | 6 +
arch/x86/power/cpu.c | 21 ++-
arch/x86/xen/smp_hvm.c | 6 +
arch/x86/xen/time.c | 24 ++-
arch/xtensa/boot/dts/xtfpga-flash-128m.dtsi | 8 +-
arch/xtensa/boot/dts/xtfpga-flash-16m.dtsi | 8 +-
arch/xtensa/boot/dts/xtfpga-flash-4m.dtsi | 4 +-
drivers/ata/sata_dwc_460ex.c | 6 +-
drivers/block/drbd/drbd_int.h | 8 +-
drivers/block/drbd/drbd_nl.c | 41 +++--
drivers/block/drbd/drbd_state.c | 18 +-
drivers/block/drbd/drbd_state_change.h | 8 +-
drivers/char/virtio_console.c | 8 +-
drivers/clk/clk-si5341.c | 16 +-
drivers/clk/clk.c | 24 +++
drivers/clk/ti/clk.c | 13 +-
drivers/dma/sh/shdma-base.c | 4 +-
drivers/gpio/gpiolib.c | 19 ++
drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 1 +
drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c | 2 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 3 +-
drivers/gpu/drm/amd/amdkfd/kfd_crat.c | 2 +-
drivers/gpu/drm/amd/amdkfd/kfd_smi_events.c | 24 ++-
.../gpu/drm/amd/display/dc/core/dc_resource.c | 3 +
.../drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.c | 8 +-
.../gpu/drm/drm_panel_orientation_quirks.c | 6 +
drivers/gpu/drm/imx/imx-ldb.c | 2 +
drivers/gpu/drm/imx/parallel-display.c | 4 +-
.../gpu/drm/nouveau/nvkm/subdev/pmu/gm20b.c | 1 +
.../gpu/drm/nouveau/nvkm/subdev/pmu/gp102.c | 2 +-
.../gpu/drm/nouveau/nvkm/subdev/pmu/gp10b.c | 1 +
.../gpu/drm/nouveau/nvkm/subdev/pmu/priv.h | 1 +
drivers/hv/Kconfig | 1 -
drivers/hv/channel_mgmt.c | 6 +-
drivers/hv/vmbus_drv.c | 9 +-
drivers/infiniband/hw/hfi1/mmu_rb.c | 6 +
drivers/infiniband/hw/mlx5/mr.c | 4 +-
drivers/infiniband/sw/rdmavt/qp.c | 6 +-
drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 1 +
drivers/iommu/omap-iommu.c | 2 +-
drivers/irqchip/irq-gic-v3.c | 14 +-
drivers/irqchip/irq-gic.c | 6 +
drivers/md/dm-ioctl.c | 2 +
drivers/mmc/host/mmci_stm32_sdmmc.c | 6 +-
drivers/mmc/host/renesas_sdhi_core.c | 4 +-
drivers/mmc/host/sdhci-xenon.c | 10 --
drivers/net/ethernet/broadcom/bnxt/bnxt.h | 3 +-
.../net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 4 +-
.../net/ethernet/freescale/dpaa2/dpaa2-ptp.c | 4 +-
drivers/net/ethernet/intel/ice/ice.h | 2 +-
drivers/net/ethernet/intel/ice/ice_lib.c | 3 +
drivers/net/ethernet/intel/ice/ice_main.c | 4 +-
.../net/ethernet/intel/ice/ice_virtchnl_pf.c | 4 +-
drivers/net/ethernet/intel/ice/ice_xsk.c | 4 +-
drivers/net/ethernet/qlogic/qede/qede_fp.c | 3 +
drivers/net/ethernet/sfc/rx_common.c | 3 +
.../ethernet/stmicro/stmmac/stmmac_platform.c | 3 +-
drivers/net/macvtap.c | 6 +
drivers/net/mdio/mdio-mscc-miim.c | 6 +
drivers/net/phy/sfp-bus.c | 6 +
drivers/net/tap.c | 3 +-
drivers/net/tun.c | 3 +-
drivers/net/wireless/ath/ath11k/ahb.c | 2 +
drivers/net/wireless/ath/ath11k/mhi.c | 2 +-
drivers/net/wireless/ath/ath5k/eeprom.c | 3 +
drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 5 +-
drivers/net/wireless/mediatek/mt76/dma.c | 1 +
.../net/wireless/mediatek/mt76/mt7615/mac.c | 2 +-
drivers/parisc/dino.c | 41 ++++-
drivers/parisc/gsc.c | 31 ++++
drivers/parisc/gsc.h | 1 +
drivers/parisc/lasi.c | 7 +-
drivers/parisc/wax.c | 7 +-
drivers/pci/controller/pci-aardvark.c | 16 +-
drivers/pci/endpoint/functions/pci-epf-test.c | 14 +-
drivers/pci/hotplug/pciehp_hpc.c | 2 +
drivers/perf/qcom_l2_pmu.c | 6 +-
drivers/phy/amlogic/phy-meson8b-usb2.c | 5 +-
drivers/power/supply/axp20x_battery.c | 13 +-
drivers/power/supply/axp288_charger.c | 14 +-
drivers/ptp/ptp_sysfs.c | 4 +-
drivers/rtc/rtc-wm8350.c | 11 +-
drivers/scsi/aha152x.c | 6 +-
drivers/scsi/bfa/bfad_attr.c | 26 +--
drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 16 +-
drivers/scsi/libfc/fc_exch.c | 1 +
drivers/scsi/mvsas/mv_init.c | 4 +-
drivers/scsi/pm8001/pm8001_hwi.c | 27 ++-
drivers/scsi/pm8001/pm8001_sas.c | 2 +-
drivers/scsi/pm8001/pm80xx_hwi.c | 17 +-
drivers/scsi/zorro7xx.c | 2 +
drivers/spi/spi-bcm-qspi.c | 4 +-
.../interface/vchiq_arm/vchiq_core.c | 6 +
drivers/staging/wfx/main.c | 7 +-
drivers/tty/serial/samsung_tty.c | 5 +-
drivers/usb/dwc3/dwc3-omap.c | 2 +-
drivers/usb/gadget/udc/tegra-xudc.c | 20 +--
drivers/usb/host/ehci-pci.c | 9 +
drivers/vhost/net.c | 1 +
drivers/w1/slaves/w1_therm.c | 8 +-
fs/btrfs/extent_io.h | 2 +-
fs/btrfs/inode.c | 22 +++
fs/ceph/dir.c | 11 +-
fs/gfs2/bmap.c | 2 +-
fs/gfs2/file.c | 3 +-
fs/gfs2/inode.c | 2 +-
fs/gfs2/rgrp.c | 7 +-
fs/gfs2/rgrp.h | 2 +-
fs/gfs2/super.c | 2 +-
fs/io_uring.c | 8 +-
fs/jfs/inode.c | 3 +-
fs/minix/inode.c | 3 +-
fs/nfs/direct.c | 48 +++--
fs/nfs/file.c | 4 +-
fs/nfs/internal.h | 7 +
fs/nfs/nfs42proc.c | 9 +-
fs/nfs/nfs4state.c | 12 ++
fs/nfs/pagelist.c | 10 +-
fs/nfs/pnfs_nfs.c | 8 +-
fs/nfs/write.c | 34 ++--
include/linux/gpio/driver.h | 9 +
include/linux/ipv6.h | 2 +-
include/linux/mmzone.h | 11 +-
include/linux/nfs_fs.h | 10 +-
include/net/arp.h | 1 +
include/net/bluetooth/bluetooth.h | 14 +-
include/uapi/linux/bpf.h | 3 +-
include/uapi/linux/can/isotp.h | 28 ++-
init/main.c | 6 +-
lib/lz4/lz4_decompress.c | 8 +-
lib/test_ubsan.c | 11 --
mm/memory.c | 25 ++-
mm/mempolicy.c | 1 +
mm/mremap.c | 3 +
mm/rmap.c | 25 ++-
net/batman-adv/multicast.c | 2 +-
net/bluetooth/hci_event.c | 3 +-
net/bluetooth/l2cap_core.c | 1 +
net/can/isotp.c | 12 +-
net/core/filter.c | 27 ++-
net/core/rtnetlink.c | 13 +-
net/ipv4/arp.c | 9 +-
net/ipv4/fib_frontend.c | 5 +-
net/ipv4/fib_semantics.c | 7 +-
net/ipv4/inet_hashtables.c | 53 +++---
net/ipv6/addrconf.c | 4 +-
net/ipv6/inet6_hashtables.c | 5 +-
net/ipv6/ip6_input.c | 2 +-
net/ipv6/ip6mr.c | 8 +-
net/ipv6/route.c | 2 +-
net/netlabel/netlabel_kapi.c | 2 +
net/openvswitch/actions.c | 2 +-
net/openvswitch/flow_netlink.c | 99 ++++++++++-
net/rxrpc/net_ns.c | 2 +-
net/smc/smc_core.c | 2 +-
net/sunrpc/clnt.c | 7 +
net/sunrpc/sched.c | 11 +-
net/sunrpc/svcsock.c | 4 +-
net/sunrpc/xprt.c | 16 +-
net/sunrpc/xprtrdma/transport.c | 6 +-
net/sunrpc/xprtsock.c | 54 ++++--
net/tls/tls_sw.c | 2 +-
net/wireless/scan.c | 9 +-
scripts/Makefile.ubsan | 1 -
tools/build/feature/Makefile | 9 +-
tools/lib/bpf/Makefile | 4 +-
tools/perf/Makefile.config | 6 +
tools/perf/arch/arm64/util/arm-spe.c | 6 +
tools/perf/perf.c | 2 +-
tools/perf/util/session.c | 15 +-
tools/perf/util/setup.py | 8 +-
tools/testing/selftests/cgroup/cgroup_util.c | 6 +-
tools/testing/selftests/cgroup/test_core.c | 165 ++++++++++++++++++
191 files changed, 1365 insertions(+), 496 deletions(-)
--
2.20.1
1
165
14 Jul '22
From: Zheng Yejian <zhengyejian1(a)huawei.com>
hulk inclusion
category: bugfix
bugzilla: 187209, https://gitee.com/openeuler/kernel/issues/I5GWFT
CVE: NA
--------------------------------
Syzkaller report a softlockup problem, see following logs:
[ 41.463870] watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [ksoftirqd/0:9]
[ 41.509763] Modules linked in:
[ 41.512295] CPU: 0 PID: 9 Comm: ksoftirqd/0 Not tainted 4.19.90 #13
[ 41.516134] Hardware name: linux,dummy-virt (DT)
[ 41.519182] pstate: 80c00005 (Nzcv daif +PAN +UAO)
[ 41.522415] pc : perf_trace_buf_alloc+0x138/0x238
[ 41.525583] lr : perf_trace_buf_alloc+0x138/0x238
[ 41.528656] sp : ffff8000c137e880
[ 41.531050] x29: ffff8000c137e880 x28: ffff20000850ced0
[ 41.534759] x27: 0000000000000000 x26: ffff8000c137e9c0
[ 41.538456] x25: ffff8000ce5c2ae0 x24: ffff200008358b08
[ 41.542151] x23: 0000000000000000 x22: ffff2000084a50ac
[ 41.545834] x21: ffff8000c137e880 x20: 000000000000001c
[ 41.549516] x19: ffff7dffbfdf88e8 x18: 0000000000000000
[ 41.553202] x17: 0000000000000000 x16: 0000000000000000
[ 41.556892] x15: 1ffff00036e07805 x14: 0000000000000000
[ 41.560592] x13: 0000000000000004 x12: 0000000000000000
[ 41.564315] x11: 1fffefbff7fbf120 x10: ffff0fbff7fbf120
[ 41.568003] x9 : dfff200000000000 x8 : ffff7dffbfdf8904
[ 41.571699] x7 : 0000000000000000 x6 : ffff0fbff7fbf121
[ 41.575398] x5 : ffff0fbff7fbf121 x4 : ffff0fbff7fbf121
[ 41.579086] x3 : ffff20000850cdc8 x2 : 0000000000000008
[ 41.582773] x1 : ffff8000c1376000 x0 : 0000000000000100
[ 41.586495] Call trace:
[ 41.588922] perf_trace_buf_alloc+0x138/0x238
[ 41.591912] perf_ftrace_function_call+0x1ac/0x248
[ 41.595123] ftrace_ops_no_ops+0x3a4/0x488
[ 41.597998] ftrace_graph_call+0x0/0xc
[ 41.600715] rcu_dynticks_curr_cpu_in_eqs+0x14/0x70
[ 41.603962] rcu_is_watching+0xc/0x20
[ 41.606635] ftrace_ops_no_ops+0x240/0x488
[ 41.609530] ftrace_graph_call+0x0/0xc
[ 41.612249] __read_once_size_nocheck.constprop.0+0x1c/0x38
[ 41.615905] unwind_frame+0x140/0x358
[ 41.618597] walk_stackframe+0x34/0x60
[ 41.621359] __save_stack_trace+0x204/0x3b8
[ 41.624328] save_stack_trace+0x2c/0x38
[ 41.627112] __kasan_slab_free+0x120/0x228
[ 41.630018] kasan_slab_free+0x10/0x18
[ 41.632752] kfree+0x84/0x250
[ 41.635107] skb_free_head+0x70/0xb0
[ 41.637772] skb_release_data+0x3f8/0x730
[ 41.640626] skb_release_all+0x50/0x68
[ 41.643350] kfree_skb+0x84/0x278
[ 41.645890] kfree_skb_list+0x4c/0x78
[ 41.648595] __dev_queue_xmit+0x1a4c/0x23a0
[ 41.651541] dev_queue_xmit+0x28/0x38
[ 41.654254] ip6_finish_output2+0xeb0/0x1630
[ 41.657261] ip6_finish_output+0x2d8/0x7f8
[ 41.660174] ip6_output+0x19c/0x348
[ 41.663850] mld_sendpack+0x560/0x9e0
[ 41.666564] mld_ifc_timer_expire+0x484/0x8a8
[ 41.669624] call_timer_fn+0x68/0x4b0
[ 41.672355] expire_timers+0x168/0x498
[ 41.675126] run_timer_softirq+0x230/0x7a8
[ 41.678052] __do_softirq+0x2d0/0xba0
[ 41.680763] run_ksoftirqd+0x110/0x1a0
[ 41.683512] smpboot_thread_fn+0x31c/0x620
[ 41.686429] kthread+0x2c8/0x348
[ 41.688927] ret_from_fork+0x10/0x18
Look into above call stack, we found a recursive call in
'ftrace_graph_call', see a snippet:
__read_once_size_nocheck.constprop.0
ftrace_graph_call
......
rcu_dynticks_curr_cpu_in_eqs
ftrace_graph_call
We analyze that 'rcu_dynticks_curr_cpu_in_eqs' should not be tracable,
and we verify that mark related functions as 'notrace' can avoid the
problem.
Comparing mainline kernel, we find that commit ff5c4f5cad33 ("rcu/tree:
Mark the idle relevant functions noinstr") mark related functions as
'noinstr' which implies notrace, noinline and sticks things in the
.noinstr.text section.
Link: https://lore.kernel.org/all/20200416114706.625340212@infradead.org/
Currently 'noinstr' mechanism has not been introduced, so we would not
directly backport that commit (otherwise more changes may be introduced).
Instead, we mark the functions as 'notrace' where it is 'noinstr' in
that commit.
Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com>
Reviewed-by: Zhen Lei <thunder.leizhen(a)huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com>
---
kernel/rcu/tree.c | 22 +++++++++++-----------
kernel/rcu/tree_plugin.h | 4 ++--
2 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c
index 594d6ea99024..ea05c59096a2 100644
--- a/kernel/rcu/tree.c
+++ b/kernel/rcu/tree.c
@@ -275,7 +275,7 @@ static DEFINE_PER_CPU(struct rcu_dynticks, rcu_dynticks) = {
* Record entry into an extended quiescent state. This is only to be
* called when not already in an extended quiescent state.
*/
-static void rcu_dynticks_eqs_enter(void)
+static notrace void rcu_dynticks_eqs_enter(void)
{
struct rcu_dynticks *rdtp = this_cpu_ptr(&rcu_dynticks);
int seq;
@@ -298,7 +298,7 @@ static void rcu_dynticks_eqs_enter(void)
* Record exit from an extended quiescent state. This is only to be
* called from an extended quiescent state.
*/
-static void rcu_dynticks_eqs_exit(void)
+static notrace void rcu_dynticks_eqs_exit(void)
{
struct rcu_dynticks *rdtp = this_cpu_ptr(&rcu_dynticks);
int seq;
@@ -343,7 +343,7 @@ static void rcu_dynticks_eqs_online(void)
*
* No ordering, as we are sampling CPU-local information.
*/
-bool rcu_dynticks_curr_cpu_in_eqs(void)
+static __always_inline bool rcu_dynticks_curr_cpu_in_eqs(void)
{
struct rcu_dynticks *rdtp = this_cpu_ptr(&rcu_dynticks);
@@ -706,7 +706,7 @@ static struct rcu_node *rcu_get_root(struct rcu_state *rsp)
* the possibility of usermode upcalls having messed up our count
* of interrupt nesting level during the prior busy period.
*/
-static void rcu_eqs_enter(bool user)
+static notrace void rcu_eqs_enter(bool user)
{
struct rcu_state *rsp;
struct rcu_data *rdp;
@@ -763,7 +763,7 @@ void rcu_idle_enter(void)
* If you add or remove a call to rcu_user_enter(), be sure to test with
* CONFIG_RCU_EQS_DEBUG=y.
*/
-void rcu_user_enter(void)
+notrace void rcu_user_enter(void)
{
lockdep_assert_irqs_disabled();
rcu_eqs_enter(true);
@@ -781,7 +781,7 @@ void rcu_user_enter(void)
* If you add or remove a call to rcu_nmi_exit(), be sure to test
* with CONFIG_RCU_EQS_DEBUG=y.
*/
-void rcu_nmi_exit(void)
+notrace void rcu_nmi_exit(void)
{
struct rcu_dynticks *rdtp = this_cpu_ptr(&rcu_dynticks);
@@ -829,7 +829,7 @@ void rcu_nmi_exit(void)
* If you add or remove a call to rcu_irq_exit(), be sure to test with
* CONFIG_RCU_EQS_DEBUG=y.
*/
-void rcu_irq_exit(void)
+notrace void rcu_irq_exit(void)
{
struct rcu_dynticks *rdtp = this_cpu_ptr(&rcu_dynticks);
@@ -864,7 +864,7 @@ void rcu_irq_exit_irqson(void)
* allow for the possibility of usermode upcalls messing up our count of
* interrupt nesting level during the busy period that is just now starting.
*/
-static void rcu_eqs_exit(bool user)
+static notrace void rcu_eqs_exit(bool user)
{
struct rcu_dynticks *rdtp;
long oldval;
@@ -914,7 +914,7 @@ void rcu_idle_exit(void)
* If you add or remove a call to rcu_user_exit(), be sure to test with
* CONFIG_RCU_EQS_DEBUG=y.
*/
-void rcu_user_exit(void)
+void notrace rcu_user_exit(void)
{
rcu_eqs_exit(1);
}
@@ -932,7 +932,7 @@ void rcu_user_exit(void)
* If you add or remove a call to rcu_nmi_enter(), be sure to test
* with CONFIG_RCU_EQS_DEBUG=y.
*/
-void rcu_nmi_enter(void)
+notrace void rcu_nmi_enter(void)
{
struct rcu_dynticks *rdtp = this_cpu_ptr(&rcu_dynticks);
long incby = 2;
@@ -982,7 +982,7 @@ void rcu_nmi_enter(void)
* If you add or remove a call to rcu_irq_enter(), be sure to test with
* CONFIG_RCU_EQS_DEBUG=y.
*/
-void rcu_irq_enter(void)
+notrace void rcu_irq_enter(void)
{
struct rcu_dynticks *rdtp = this_cpu_ptr(&rcu_dynticks);
diff --git a/kernel/rcu/tree_plugin.h b/kernel/rcu/tree_plugin.h
index 5f6de49dc78e..568818bef28f 100644
--- a/kernel/rcu/tree_plugin.h
+++ b/kernel/rcu/tree_plugin.h
@@ -2677,7 +2677,7 @@ static void rcu_bind_gp_kthread(void)
}
/* Record the current task on dyntick-idle entry. */
-static void rcu_dynticks_task_enter(void)
+static notrace void rcu_dynticks_task_enter(void)
{
#if defined(CONFIG_TASKS_RCU) && defined(CONFIG_NO_HZ_FULL)
WRITE_ONCE(current->rcu_tasks_idle_cpu, smp_processor_id());
@@ -2685,7 +2685,7 @@ static void rcu_dynticks_task_enter(void)
}
/* Record no current task on dyntick-idle exit. */
-static void rcu_dynticks_task_exit(void)
+static notrace void rcu_dynticks_task_exit(void)
{
#if defined(CONFIG_TASKS_RCU) && defined(CONFIG_NO_HZ_FULL)
WRITE_ONCE(current->rcu_tasks_idle_cpu, -1);
--
2.25.1
1
4
14 Jul '22
From: Zheng Yejian <zhengyejian1(a)huawei.com>
hulk inclusion
category: bugfix
bugzilla: 187209, https://gitee.com/openeuler/kernel/issues/I5GWFT
CVE: NA
--------------------------------
Syzkaller report a softlockup problem, see following logs:
[ 41.463870] watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [ksoftirqd/0:9]
[ 41.509763] Modules linked in:
[ 41.512295] CPU: 0 PID: 9 Comm: ksoftirqd/0 Not tainted 4.19.90 #13
[ 41.516134] Hardware name: linux,dummy-virt (DT)
[ 41.519182] pstate: 80c00005 (Nzcv daif +PAN +UAO)
[ 41.522415] pc : perf_trace_buf_alloc+0x138/0x238
[ 41.525583] lr : perf_trace_buf_alloc+0x138/0x238
[ 41.528656] sp : ffff8000c137e880
[ 41.531050] x29: ffff8000c137e880 x28: ffff20000850ced0
[ 41.534759] x27: 0000000000000000 x26: ffff8000c137e9c0
[ 41.538456] x25: ffff8000ce5c2ae0 x24: ffff200008358b08
[ 41.542151] x23: 0000000000000000 x22: ffff2000084a50ac
[ 41.545834] x21: ffff8000c137e880 x20: 000000000000001c
[ 41.549516] x19: ffff7dffbfdf88e8 x18: 0000000000000000
[ 41.553202] x17: 0000000000000000 x16: 0000000000000000
[ 41.556892] x15: 1ffff00036e07805 x14: 0000000000000000
[ 41.560592] x13: 0000000000000004 x12: 0000000000000000
[ 41.564315] x11: 1fffefbff7fbf120 x10: ffff0fbff7fbf120
[ 41.568003] x9 : dfff200000000000 x8 : ffff7dffbfdf8904
[ 41.571699] x7 : 0000000000000000 x6 : ffff0fbff7fbf121
[ 41.575398] x5 : ffff0fbff7fbf121 x4 : ffff0fbff7fbf121
[ 41.579086] x3 : ffff20000850cdc8 x2 : 0000000000000008
[ 41.582773] x1 : ffff8000c1376000 x0 : 0000000000000100
[ 41.586495] Call trace:
[ 41.588922] perf_trace_buf_alloc+0x138/0x238
[ 41.591912] perf_ftrace_function_call+0x1ac/0x248
[ 41.595123] ftrace_ops_no_ops+0x3a4/0x488
[ 41.597998] ftrace_graph_call+0x0/0xc
[ 41.600715] rcu_dynticks_curr_cpu_in_eqs+0x14/0x70
[ 41.603962] rcu_is_watching+0xc/0x20
[ 41.606635] ftrace_ops_no_ops+0x240/0x488
[ 41.609530] ftrace_graph_call+0x0/0xc
[ 41.612249] __read_once_size_nocheck.constprop.0+0x1c/0x38
[ 41.615905] unwind_frame+0x140/0x358
[ 41.618597] walk_stackframe+0x34/0x60
[ 41.621359] __save_stack_trace+0x204/0x3b8
[ 41.624328] save_stack_trace+0x2c/0x38
[ 41.627112] __kasan_slab_free+0x120/0x228
[ 41.630018] kasan_slab_free+0x10/0x18
[ 41.632752] kfree+0x84/0x250
[ 41.635107] skb_free_head+0x70/0xb0
[ 41.637772] skb_release_data+0x3f8/0x730
[ 41.640626] skb_release_all+0x50/0x68
[ 41.643350] kfree_skb+0x84/0x278
[ 41.645890] kfree_skb_list+0x4c/0x78
[ 41.648595] __dev_queue_xmit+0x1a4c/0x23a0
[ 41.651541] dev_queue_xmit+0x28/0x38
[ 41.654254] ip6_finish_output2+0xeb0/0x1630
[ 41.657261] ip6_finish_output+0x2d8/0x7f8
[ 41.660174] ip6_output+0x19c/0x348
[ 41.663850] mld_sendpack+0x560/0x9e0
[ 41.666564] mld_ifc_timer_expire+0x484/0x8a8
[ 41.669624] call_timer_fn+0x68/0x4b0
[ 41.672355] expire_timers+0x168/0x498
[ 41.675126] run_timer_softirq+0x230/0x7a8
[ 41.678052] __do_softirq+0x2d0/0xba0
[ 41.680763] run_ksoftirqd+0x110/0x1a0
[ 41.683512] smpboot_thread_fn+0x31c/0x620
[ 41.686429] kthread+0x2c8/0x348
[ 41.688927] ret_from_fork+0x10/0x18
Look into above call stack, we found a recursive call in
'ftrace_graph_call', see a snippet:
__read_once_size_nocheck.constprop.0
ftrace_graph_call
......
rcu_dynticks_curr_cpu_in_eqs
ftrace_graph_call
We analyze that 'rcu_dynticks_curr_cpu_in_eqs' should not be tracable,
and we verify that mark related functions as 'notrace' can avoid the
problem.
Comparing mainline kernel, we find that commit ff5c4f5cad33 ("rcu/tree:
Mark the idle relevant functions noinstr") mark related functions as
'noinstr' which implies notrace, noinline and sticks things in the
.noinstr.text section.
Link: https://lore.kernel.org/all/20200416114706.625340212@infradead.org/
Currently 'noinstr' mechanism has not been introduced, so we would not
directly backport that commit (otherwise more changes may be introduced).
Instead, we mark the functions as 'notrace' where it is 'noinstr' in
that commit.
Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com>
Reviewed-by: Zhen Lei <thunder.leizhen(a)huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com>
---
kernel/rcu/tree.c | 22 +++++++++++-----------
kernel/rcu/tree_plugin.h | 4 ++--
2 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c
index 594d6ea99024..ea05c59096a2 100644
--- a/kernel/rcu/tree.c
+++ b/kernel/rcu/tree.c
@@ -275,7 +275,7 @@ static DEFINE_PER_CPU(struct rcu_dynticks, rcu_dynticks) = {
* Record entry into an extended quiescent state. This is only to be
* called when not already in an extended quiescent state.
*/
-static void rcu_dynticks_eqs_enter(void)
+static notrace void rcu_dynticks_eqs_enter(void)
{
struct rcu_dynticks *rdtp = this_cpu_ptr(&rcu_dynticks);
int seq;
@@ -298,7 +298,7 @@ static void rcu_dynticks_eqs_enter(void)
* Record exit from an extended quiescent state. This is only to be
* called from an extended quiescent state.
*/
-static void rcu_dynticks_eqs_exit(void)
+static notrace void rcu_dynticks_eqs_exit(void)
{
struct rcu_dynticks *rdtp = this_cpu_ptr(&rcu_dynticks);
int seq;
@@ -343,7 +343,7 @@ static void rcu_dynticks_eqs_online(void)
*
* No ordering, as we are sampling CPU-local information.
*/
-bool rcu_dynticks_curr_cpu_in_eqs(void)
+static __always_inline bool rcu_dynticks_curr_cpu_in_eqs(void)
{
struct rcu_dynticks *rdtp = this_cpu_ptr(&rcu_dynticks);
@@ -706,7 +706,7 @@ static struct rcu_node *rcu_get_root(struct rcu_state *rsp)
* the possibility of usermode upcalls having messed up our count
* of interrupt nesting level during the prior busy period.
*/
-static void rcu_eqs_enter(bool user)
+static notrace void rcu_eqs_enter(bool user)
{
struct rcu_state *rsp;
struct rcu_data *rdp;
@@ -763,7 +763,7 @@ void rcu_idle_enter(void)
* If you add or remove a call to rcu_user_enter(), be sure to test with
* CONFIG_RCU_EQS_DEBUG=y.
*/
-void rcu_user_enter(void)
+notrace void rcu_user_enter(void)
{
lockdep_assert_irqs_disabled();
rcu_eqs_enter(true);
@@ -781,7 +781,7 @@ void rcu_user_enter(void)
* If you add or remove a call to rcu_nmi_exit(), be sure to test
* with CONFIG_RCU_EQS_DEBUG=y.
*/
-void rcu_nmi_exit(void)
+notrace void rcu_nmi_exit(void)
{
struct rcu_dynticks *rdtp = this_cpu_ptr(&rcu_dynticks);
@@ -829,7 +829,7 @@ void rcu_nmi_exit(void)
* If you add or remove a call to rcu_irq_exit(), be sure to test with
* CONFIG_RCU_EQS_DEBUG=y.
*/
-void rcu_irq_exit(void)
+notrace void rcu_irq_exit(void)
{
struct rcu_dynticks *rdtp = this_cpu_ptr(&rcu_dynticks);
@@ -864,7 +864,7 @@ void rcu_irq_exit_irqson(void)
* allow for the possibility of usermode upcalls messing up our count of
* interrupt nesting level during the busy period that is just now starting.
*/
-static void rcu_eqs_exit(bool user)
+static notrace void rcu_eqs_exit(bool user)
{
struct rcu_dynticks *rdtp;
long oldval;
@@ -914,7 +914,7 @@ void rcu_idle_exit(void)
* If you add or remove a call to rcu_user_exit(), be sure to test with
* CONFIG_RCU_EQS_DEBUG=y.
*/
-void rcu_user_exit(void)
+void notrace rcu_user_exit(void)
{
rcu_eqs_exit(1);
}
@@ -932,7 +932,7 @@ void rcu_user_exit(void)
* If you add or remove a call to rcu_nmi_enter(), be sure to test
* with CONFIG_RCU_EQS_DEBUG=y.
*/
-void rcu_nmi_enter(void)
+notrace void rcu_nmi_enter(void)
{
struct rcu_dynticks *rdtp = this_cpu_ptr(&rcu_dynticks);
long incby = 2;
@@ -982,7 +982,7 @@ void rcu_nmi_enter(void)
* If you add or remove a call to rcu_irq_enter(), be sure to test with
* CONFIG_RCU_EQS_DEBUG=y.
*/
-void rcu_irq_enter(void)
+notrace void rcu_irq_enter(void)
{
struct rcu_dynticks *rdtp = this_cpu_ptr(&rcu_dynticks);
diff --git a/kernel/rcu/tree_plugin.h b/kernel/rcu/tree_plugin.h
index 5f6de49dc78e..568818bef28f 100644
--- a/kernel/rcu/tree_plugin.h
+++ b/kernel/rcu/tree_plugin.h
@@ -2677,7 +2677,7 @@ static void rcu_bind_gp_kthread(void)
}
/* Record the current task on dyntick-idle entry. */
-static void rcu_dynticks_task_enter(void)
+static notrace void rcu_dynticks_task_enter(void)
{
#if defined(CONFIG_TASKS_RCU) && defined(CONFIG_NO_HZ_FULL)
WRITE_ONCE(current->rcu_tasks_idle_cpu, smp_processor_id());
@@ -2685,7 +2685,7 @@ static void rcu_dynticks_task_enter(void)
}
/* Record no current task on dyntick-idle exit. */
-static void rcu_dynticks_task_exit(void)
+static notrace void rcu_dynticks_task_exit(void)
{
#if defined(CONFIG_TASKS_RCU) && defined(CONFIG_NO_HZ_FULL)
WRITE_ONCE(current->rcu_tasks_idle_cpu, -1);
--
2.25.1
1
4
From: Jiri Slaby <jslaby(a)suse.cz>
stable inclusion
from stable-4.19.250
commit b15d5731b708a2190fec836990b8aefbbf36b07a
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5GKVX
CVE: CVE-2021-33656
--------------------------------
commit ff2047fb755d4415ec3c70ac799889371151796d upstream.
Drop support for these ioctls:
* PIO_FONT, PIO_FONTX
* GIO_FONT, GIO_FONTX
* PIO_FONTRESET
As was demonstrated by commit 90bfdeef83f1 (tty: make FONTX ioctl use
the tty pointer they were actually passed), these ioctls are not used
from userspace, as:
1) they used to be broken (set up font on current console, not the open
one) and racy (before the commit above)
2) KDFONTOP ioctl is used for years instead
Note that PIO_FONTRESET is defunct on most systems as VGA_CONSOLE is set
on them for ages. That turns on BROKEN_GRAPHICS_PROGRAMS which makes
PIO_FONTRESET just return an error.
We are removing KD_FONT_FLAG_OLD here as it was used only by these
removed ioctls. kd.h header exists both in kernel and uapi headers, so
we can remove the kernel one completely. Everyone includeing kd.h will
now automatically get the uapi one.
There are now unused definitions of the ioctl numbers and "struct
consolefontdesc" in kd.h, but as it is a uapi header, I am not touching
these.
Signed-off-by: Jiri Slaby <jslaby(a)suse.cz>
Link: https://lore.kernel.org/r/20210105120239.28031-8-jslaby@suse.cz
Cc: guodaxing <guodaxing(a)huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Zheng Zengkai <zhengzengkai(a)huawei.com>
Reviewed-by: Xie XiuQi <xiexiuqi(a)huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng(a)huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com>
---
drivers/tty/vt/vt.c | 39 +---------
drivers/tty/vt/vt_ioctl.c | 149 --------------------------------------
include/linux/kd.h | 8 --
3 files changed, 3 insertions(+), 193 deletions(-)
delete mode 100644 include/linux/kd.h
diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 72e3989dffa6..dca627ccece5 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -4472,16 +4472,8 @@ static int con_font_get(struct vc_data *vc, struct console_font_op *op)
if (op->data && font.charcount > op->charcount)
rc = -ENOSPC;
- if (!(op->flags & KD_FONT_FLAG_OLD)) {
- if (font.width > op->width || font.height > op->height)
- rc = -ENOSPC;
- } else {
- if (font.width != 8)
- rc = -EIO;
- else if ((op->height && font.height > op->height) ||
- font.height > 32)
- rc = -ENOSPC;
- }
+ if (font.width > op->width || font.height > op->height)
+ rc = -ENOSPC;
if (rc)
goto out;
@@ -4509,7 +4501,7 @@ static int con_font_set(struct vc_data *vc, struct console_font_op *op)
return -EINVAL;
if (op->charcount > 512)
return -EINVAL;
- if (op->width <= 0 || op->width > 32 || op->height > 32)
+ if (op->width <= 0 || op->width > 32 || !op->height || op->height > 32)
return -EINVAL;
size = (op->width+7)/8 * 32 * op->charcount;
if (size > max_font_size)
@@ -4519,31 +4511,6 @@ static int con_font_set(struct vc_data *vc, struct console_font_op *op)
if (IS_ERR(font.data))
return PTR_ERR(font.data);
- if (!op->height) { /* Need to guess font height [compat] */
- int h, i;
- u8 *charmap = font.data;
-
- /*
- * If from KDFONTOP ioctl, don't allow things which can be done
- * in userland,so that we can get rid of this soon
- */
- if (!(op->flags & KD_FONT_FLAG_OLD)) {
- kfree(font.data);
- return -EINVAL;
- }
-
- for (h = 32; h > 0; h--)
- for (i = 0; i < op->charcount; i++)
- if (charmap[32*i+h-1])
- goto nonzero;
-
- kfree(font.data);
- return -EINVAL;
-
- nonzero:
- op->height = h;
- }
-
font.charcount = op->charcount;
font.width = op->width;
font.height = op->height;
diff --git a/drivers/tty/vt/vt_ioctl.c b/drivers/tty/vt/vt_ioctl.c
index 13675008d1c7..915b0173b4f8 100644
--- a/drivers/tty/vt/vt_ioctl.c
+++ b/drivers/tty/vt/vt_ioctl.c
@@ -241,48 +241,6 @@ int vt_waitactive(int n)
#define GPLAST 0x3df
#define GPNUM (GPLAST - GPFIRST + 1)
-
-
-static inline int
-do_fontx_ioctl(struct vc_data *vc, int cmd, struct consolefontdesc __user *user_cfd, int perm, struct console_font_op *op)
-{
- struct consolefontdesc cfdarg;
- int i;
-
- if (copy_from_user(&cfdarg, user_cfd, sizeof(struct consolefontdesc)))
- return -EFAULT;
-
- switch (cmd) {
- case PIO_FONTX:
- if (!perm)
- return -EPERM;
- op->op = KD_FONT_OP_SET;
- op->flags = KD_FONT_FLAG_OLD;
- op->width = 8;
- op->height = cfdarg.charheight;
- op->charcount = cfdarg.charcount;
- op->data = cfdarg.chardata;
- return con_font_op(vc, op);
-
- case GIO_FONTX:
- op->op = KD_FONT_OP_GET;
- op->flags = KD_FONT_FLAG_OLD;
- op->width = 8;
- op->height = cfdarg.charheight;
- op->charcount = cfdarg.charcount;
- op->data = cfdarg.chardata;
- i = con_font_op(vc, op);
- if (i)
- return i;
- cfdarg.charheight = op->height;
- cfdarg.charcount = op->charcount;
- if (copy_to_user(user_cfd, &cfdarg, sizeof(struct consolefontdesc)))
- return -EFAULT;
- return 0;
- }
- return -EINVAL;
-}
-
static inline int
do_unimap_ioctl(int cmd, struct unimapdesc __user *user_ud, int perm, struct vc_data *vc)
{
@@ -918,30 +876,6 @@ int vt_ioctl(struct tty_struct *tty,
break;
}
- case PIO_FONT: {
- if (!perm)
- return -EPERM;
- op.op = KD_FONT_OP_SET;
- op.flags = KD_FONT_FLAG_OLD | KD_FONT_FLAG_DONT_RECALC; /* Compatibility */
- op.width = 8;
- op.height = 0;
- op.charcount = 256;
- op.data = up;
- ret = con_font_op(vc, &op);
- break;
- }
-
- case GIO_FONT: {
- op.op = KD_FONT_OP_GET;
- op.flags = KD_FONT_FLAG_OLD;
- op.width = 8;
- op.height = 32;
- op.charcount = 256;
- op.data = up;
- ret = con_font_op(vc, &op);
- break;
- }
-
case PIO_CMAP:
if (!perm)
ret = -EPERM;
@@ -953,36 +887,6 @@ int vt_ioctl(struct tty_struct *tty,
ret = con_get_cmap(up);
break;
- case PIO_FONTX:
- case GIO_FONTX:
- ret = do_fontx_ioctl(vc, cmd, up, perm, &op);
- break;
-
- case PIO_FONTRESET:
- {
- if (!perm)
- return -EPERM;
-
-#ifdef BROKEN_GRAPHICS_PROGRAMS
- /* With BROKEN_GRAPHICS_PROGRAMS defined, the default
- font is not saved. */
- ret = -ENOSYS;
- break;
-#else
- {
- op.op = KD_FONT_OP_SET_DEFAULT;
- op.data = NULL;
- ret = con_font_op(vc, &op);
- if (ret)
- break;
- console_lock();
- con_set_default_unimap(vc);
- console_unlock();
- break;
- }
-#endif
- }
-
case KDFONTOP: {
if (copy_from_user(&op, up, sizeof(op))) {
ret = -EFAULT;
@@ -1096,54 +1000,6 @@ void vc_SAK(struct work_struct *work)
#ifdef CONFIG_COMPAT
-struct compat_consolefontdesc {
- unsigned short charcount; /* characters in font (256 or 512) */
- unsigned short charheight; /* scan lines per character (1-32) */
- compat_caddr_t chardata; /* font data in expanded form */
-};
-
-static inline int
-compat_fontx_ioctl(struct vc_data *vc, int cmd,
- struct compat_consolefontdesc __user *user_cfd,
- int perm, struct console_font_op *op)
-{
- struct compat_consolefontdesc cfdarg;
- int i;
-
- if (copy_from_user(&cfdarg, user_cfd, sizeof(struct compat_consolefontdesc)))
- return -EFAULT;
-
- switch (cmd) {
- case PIO_FONTX:
- if (!perm)
- return -EPERM;
- op->op = KD_FONT_OP_SET;
- op->flags = KD_FONT_FLAG_OLD;
- op->width = 8;
- op->height = cfdarg.charheight;
- op->charcount = cfdarg.charcount;
- op->data = compat_ptr(cfdarg.chardata);
- return con_font_op(vc, op);
-
- case GIO_FONTX:
- op->op = KD_FONT_OP_GET;
- op->flags = KD_FONT_FLAG_OLD;
- op->width = 8;
- op->height = cfdarg.charheight;
- op->charcount = cfdarg.charcount;
- op->data = compat_ptr(cfdarg.chardata);
- i = con_font_op(vc, op);
- if (i)
- return i;
- cfdarg.charheight = op->height;
- cfdarg.charcount = op->charcount;
- if (copy_to_user(user_cfd, &cfdarg, sizeof(struct compat_consolefontdesc)))
- return -EFAULT;
- return 0;
- }
- return -EINVAL;
-}
-
struct compat_console_font_op {
compat_uint_t op; /* operation code KD_FONT_OP_* */
compat_uint_t flags; /* KD_FONT_FLAG_* */
@@ -1221,11 +1077,6 @@ long vt_compat_ioctl(struct tty_struct *tty,
/*
* these need special handlers for incompatible data structures
*/
- case PIO_FONTX:
- case GIO_FONTX:
- ret = compat_fontx_ioctl(vc, cmd, up, perm, &op);
- break;
-
case KDFONTOP:
ret = compat_kdfontop_ioctl(up, perm, &op, vc);
break;
diff --git a/include/linux/kd.h b/include/linux/kd.h
deleted file mode 100644
index b130a18f860f..000000000000
--- a/include/linux/kd.h
+++ /dev/null
@@ -1,8 +0,0 @@
-/* SPDX-License-Identifier: GPL-2.0 */
-#ifndef _LINUX_KD_H
-#define _LINUX_KD_H
-
-#include <uapi/linux/kd.h>
-
-#define KD_FONT_FLAG_OLD 0x80000000 /* Invoked via old interface [compat] */
-#endif /* _LINUX_KD_H */
--
2.25.1
1
3
[PATCH openEuler-1.0-LTS] dm thin: Fix crash in dm_sm_register_threshold_callback()
by Yongqiang Liu 13 Jul '22
by Yongqiang Liu 13 Jul '22
13 Jul '22
From: Luo Meng <luomeng12(a)huawei.com>
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I5GRX6
CVE: NA
--------------------------------
Fault inject on pool metadata device report:
BUG: KASAN: use-after-free in dm_pool_register_metadata_threshold+0x40/0x80
Read of size 8 at addr ffff8881b9d50068 by task dmsetup/950
CPU: 7 PID: 950 Comm: dmsetup Tainted: G W 5.19.0-rc6 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x34/0x44
print_address_description.constprop.0.cold+0xeb/0x3f4
kasan_report.cold+0xe6/0x147
dm_pool_register_metadata_threshold+0x40/0x80
pool_ctr+0xa0a/0x1150
dm_table_add_target+0x2c8/0x640
table_load+0x1fd/0x430
ctl_ioctl+0x2c4/0x5a0
dm_ctl_ioctl+0xa/0x10
__x64_sys_ioctl+0xb3/0xd0
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
This can be easy reproduce:
echo offline > /sys/block/sda/device/state
dd if=/dev/zero of=/dev/mapper/thin bs=4k count=10
dmsetup load pool --table "0 20971520 thin-pool /dev/sda /dev/sdb 128 0 0"
If metadata commit failed, the transaction will be aborted and the metadata
space manager will be destroyed. If load table on this pool, when register the
metadata threshold callback, the UAF will happen on metadata space manager.
So return error when load table if the pool is on FAIL status.
Fixes: ac8c3f3df65e4 ("dm thin: generate event when metadata threshold passed")
Reported-by: Hulk Robot <hulkci(a)huawei.com>
Signed-off-by: Luo Meng <luomeng12(a)huawei.com>
Reviewed-by: Hou Tao <houtao1(a)huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com>
---
drivers/md/dm-thin-metadata.c | 8 +++++++-
drivers/md/dm-thin.c | 4 +++-
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/drivers/md/dm-thin-metadata.c b/drivers/md/dm-thin-metadata.c
index a6a5cee6b943..c3dc171114dc 100644
--- a/drivers/md/dm-thin-metadata.c
+++ b/drivers/md/dm-thin-metadata.c
@@ -1997,9 +1997,15 @@ int dm_pool_register_metadata_threshold(struct dm_pool_metadata *pmd,
int r;
down_write(&pmd->root_lock);
+ if (pmd->fail_io) {
+ r = -EINVAL;
+ goto out;
+ }
+
r = dm_sm_register_threshold_callback(pmd->metadata_sm, threshold, fn, context);
- up_write(&pmd->root_lock);
+out:
+ up_write(&pmd->root_lock);
return r;
}
diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c
index 435a2ee4a392..2b6dd7a275eb 100644
--- a/drivers/md/dm-thin.c
+++ b/drivers/md/dm-thin.c
@@ -3383,8 +3383,10 @@ static int pool_ctr(struct dm_target *ti, unsigned argc, char **argv)
calc_metadata_threshold(pt),
metadata_low_callback,
pool);
- if (r)
+ if (r) {
+ ti->error = "Error registering metadata threshold";
goto out_flags_changed;
+ }
pt->callbacks.congested_fn = pool_is_congested;
dm_table_add_target_callbacks(ti->table, &pt->callbacks);
--
2.25.1
1
0
13 Jul '22
From: Li Lingfeng <lilingfeng3(a)huawei.com>
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I5DI4S
CVE: NA
Reference: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/commit…
---------------------------
We don't really need the field names to be globally unique, it is enough
when they are unique in the given struct. Since structs do not generally
span mutliple files, using the line number is enough to ensure an unique
identifier. It means that we can't use two KABI_RENAME macros on the same
line but that's not happening anyway.
This allows pahole to deduplicate the type info of structs using KABI
macros, lowering the size of vmlinuz from 26M to 8.5
Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com>
Reviewed-by: Zhang Yi <yi.zhang(a)huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai(a)huawei.com>
---
include/linux/kabi.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/include/linux/kabi.h b/include/linux/kabi.h
index a52d9fa72cfa..fe3213c0f576 100644
--- a/include/linux/kabi.h
+++ b/include/linux/kabi.h
@@ -393,6 +393,8 @@
# define __KABI_CHECK_SIZE(_item, _size)
#endif
+#define KABI_UNIQUE_ID __PASTE(kabi_hidden_, __LINE__)
+
# define _KABI_DEPRECATE(_type, _orig) _type kabi_reserved_##_orig
# define _KABI_DEPRECATE_FN(_type, _orig, _args...) \
_type (* kabi_reserved_##_orig)(_args)
@@ -402,7 +404,7 @@
_new; \
struct { \
_orig; \
- } __UNIQUE_ID(kabi_hide); \
+ } KABI_UNIQUE_ID; \
__KABI_CHECK_SIZE_ALIGN(_orig, _new); \
}
#else
--
2.20.1
1
20
[PATCH openEuler-1.0-LTS 1/6] xen/blkfront: fix memory allocation flags in blkfront_setup_indirect()
by Yongqiang Liu 13 Jul '22
by Yongqiang Liu 13 Jul '22
13 Jul '22
From: Juergen Gross <jgross(a)suse.com>
stable inclusion
from stable-v4.19.116
commit 5f547e7cbd8435be3aa2a27e2ae594b4fd94865b
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5GLXT
CVE: CVE-2022-26365
--------------------------------
commit 3a169c0be75b59dd85d159493634870cdec6d3c4 upstream.
Commit 1d5c76e664333 ("xen-blkfront: switch kcalloc to kvcalloc for
large array allocation") didn't fix the issue it was meant to, as the
flags for allocating the memory are GFP_NOIO, which will lead the
memory allocation falling back to kmalloc().
So instead of GFP_NOIO use GFP_KERNEL and do all the memory allocation
in blkfront_setup_indirect() in a memalloc_noio_{save,restore} section.
Fixes: 1d5c76e664333 ("xen-blkfront: switch kcalloc to kvcalloc for large array allocation")
Cc: stable(a)vger.kernel.org
Signed-off-by: Juergen Gross <jgross(a)suse.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky(a)oracle.com>
Acked-by: Roger Pau Monné <roger.pau(a)citrix.com>
Link: https://lore.kernel.org/r/20200403090034.8753-1-jgross@suse.com
Signed-off-by: Juergen Gross <jgross(a)suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: ChenXiaoSong <chenxiaosong2(a)huawei.com>
Reviewed-by: Jason Yan <yanaijie(a)huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng(a)huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com>
---
drivers/block/xen-blkfront.c | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/drivers/block/xen-blkfront.c b/drivers/block/xen-blkfront.c
index 0e451b17f33a..8059ff5ab4a6 100644
--- a/drivers/block/xen-blkfront.c
+++ b/drivers/block/xen-blkfront.c
@@ -47,6 +47,7 @@
#include <linux/bitmap.h>
#include <linux/list.h>
#include <linux/workqueue.h>
+#include <linux/sched/mm.h>
#include <xen/xen.h>
#include <xen/xenbus.h>
@@ -2251,10 +2252,12 @@ static void blkfront_setup_discard(struct blkfront_info *info)
static int blkfront_setup_indirect(struct blkfront_ring_info *rinfo)
{
- unsigned int psegs, grants;
+ unsigned int psegs, grants, memflags;
int err, i;
struct blkfront_info *info = rinfo->dev_info;
+ memflags = memalloc_noio_save();
+
if (info->max_indirect_segments == 0) {
if (!HAS_EXTRA_REQ)
grants = BLKIF_MAX_SEGMENTS_PER_REQUEST;
@@ -2286,7 +2289,7 @@ static int blkfront_setup_indirect(struct blkfront_ring_info *rinfo)
BUG_ON(!list_empty(&rinfo->indirect_pages));
for (i = 0; i < num; i++) {
- struct page *indirect_page = alloc_page(GFP_NOIO);
+ struct page *indirect_page = alloc_page(GFP_KERNEL);
if (!indirect_page)
goto out_of_memory;
list_add(&indirect_page->lru, &rinfo->indirect_pages);
@@ -2297,15 +2300,15 @@ static int blkfront_setup_indirect(struct blkfront_ring_info *rinfo)
rinfo->shadow[i].grants_used =
kvcalloc(grants,
sizeof(rinfo->shadow[i].grants_used[0]),
- GFP_NOIO);
+ GFP_KERNEL);
rinfo->shadow[i].sg = kvcalloc(psegs,
sizeof(rinfo->shadow[i].sg[0]),
- GFP_NOIO);
+ GFP_KERNEL);
if (info->max_indirect_segments)
rinfo->shadow[i].indirect_grants =
kvcalloc(INDIRECT_GREFS(grants),
sizeof(rinfo->shadow[i].indirect_grants[0]),
- GFP_NOIO);
+ GFP_KERNEL);
if ((rinfo->shadow[i].grants_used == NULL) ||
(rinfo->shadow[i].sg == NULL) ||
(info->max_indirect_segments &&
@@ -2314,6 +2317,7 @@ static int blkfront_setup_indirect(struct blkfront_ring_info *rinfo)
sg_init_table(rinfo->shadow[i].sg, psegs);
}
+ memalloc_noio_restore(memflags);
return 0;
@@ -2333,6 +2337,9 @@ static int blkfront_setup_indirect(struct blkfront_ring_info *rinfo)
__free_page(indirect_page);
}
}
+
+ memalloc_noio_restore(memflags);
+
return -ENOMEM;
}
--
2.25.1
1
5