hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I9TL9N
CVE: NA
--------------------------------
Before commit 738fe30dc41a, the PG_hugetlb is recorded in page->flags,
and will be cleared by clear_compound_page(). Now since PG_hugetlb turned
to record into page_type, we have to clear it by __folio_clear_hugetlb().
Fixes: 738fe30dc41a ("mm: turn folio_test_hugetlb into a PageType")
Signed-off-by: Liu Shixin <liushixin2(a)huawei.com>
---
mm/dynamic_pool.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/mm/dynamic_pool.c b/mm/dynamic_pool.c
index 41a627431ea6..2d41bb61ceb6 100644
--- a/mm/dynamic_pool.c
+++ b/mm/dynamic_pool.c
@@ -353,6 +353,7 @@ static int dpool_promote_gigantic_page(struct pages_pool *src_pool,
for (i = 0; i < nr_pages; i += block_size) {
subpage = pfn_to_page(spage->start_pfn + i);
+ __folio_clear_hugetlb(page_folio(subpage));
clear_compound_page(page_folio(subpage), PMD_ORDER);
__ClearPageDpool(subpage);
list_del(&subpage->lru);
--
2.25.1
From: Teng Qi <starmiku1207184332(a)gmail.com>
stable inclusion
from stable-v5.10.84
commit 22519eff7df2d88adcc2568d86046ce1e2b52803
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9S24Z
CVE: CVE-2021-47548
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
[ Upstream commit a66998e0fbf213d47d02813b9679426129d0d114 ]
The if statement:
if (port >= DSAF_GE_NUM)
return;
limits the value of port less than DSAF_GE_NUM (i.e., 8).
However, if the value of port is 6 or 7, an array overflow could occur:
port_rst_off = dsaf_dev->mac_cb[port]->port_rst_off;
because the length of dsaf_dev->mac_cb is DSAF_MAX_PORT_NUM (i.e., 6).
To fix this possible array overflow, we first check port and if it is
greater than or equal to DSAF_MAX_PORT_NUM, the function returns.
Reported-by: TOTE Robot <oslab(a)tsinghua.edu.cn>
Signed-off-by: Teng Qi <starmiku1207184332(a)gmail.com>
Signed-off-by: David S. Miller <davem(a)davemloft.net>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: Cheng Yu <serein.chengyu(a)huawei.com>
---
drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c
index 8791d4eb1985..13affb9ce0c3 100644
--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c
+++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c
@@ -422,6 +422,10 @@ static void hns_dsaf_ge_srst_by_port(struct dsaf_device *dsaf_dev, u32 port,
return;
if (!HNS_DSAF_IS_DEBUG(dsaf_dev)) {
+ /* DSAF_MAX_PORT_NUM is 6, but DSAF_GE_NUM is 8.
+ We need check to prevent array overflow */
+ if (port >= DSAF_MAX_PORT_NUM)
+ return;
reg_val_1 = 0x1 << port;
port_rst_off = dsaf_dev->mac_cb[port]->port_rst_off;
/* there is difference between V1 and V2 in register.*/
--
2.25.1
From: Lijo Lazar <lijo.lazar(a)amd.com>
mainline inclusion
from mainline-v5.15-rc3
commit ab39d3cef526ba09c4c6923b4cd7e6ec1c5d4faa
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I9TKIT
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
CVE: CVE-2021-47362
--------------------------------
Update the current state as boot state during dpm initialization.
During the subsequent initialization, set_power_state gets called to
transition to the final power state. set_power_state refers to values
from the current state and without current state populated, it could
result in NULL pointer dereference.
For ex: on platforms where PCI speed change is supported through ACPI
ATCS method, the link speed of current state needs to be queried before
deciding on changing to final power state's link speed. The logic to query
ATCS-support was broken on certain platforms. The issue became visible
when broken ATCS-support logic got fixed with commit
f9b7f3703ff9 ("drm/amdgpu/acpi: make ATPX/ATCS structures global (v2)").
Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1698
Signed-off-by: Lijo Lazar <lijo.lazar(a)amd.com>
Reviewed-by: Hawking Zhang <Hawking.Zhang(a)amd.com>
Acked-by: Alex Deucher <alexander.deucher(a)amd.com>
Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com>
Cc: stable(a)vger.kernel.org
Conflicts:
drivers/gpu/drm/amd/pm/powerplay/si_dpm.c
[The conflict occurs because commit e098bc9612c2("drm/amd/pm: optimize
the power related source code layout") is not merged.]
Signed-off-by: Liu Chuang <liuchuang40(a)huawei.com>
---
drivers/gpu/drm/amd/amdgpu/si_dpm.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/si_dpm.c b/drivers/gpu/drm/amd/amdgpu/si_dpm.c
index 7c724d3de111..0b80cd38f968 100644
--- a/drivers/gpu/drm/amd/amdgpu/si_dpm.c
+++ b/drivers/gpu/drm/amd/amdgpu/si_dpm.c
@@ -6888,6 +6888,8 @@ static int si_dpm_enable(struct amdgpu_device *adev)
si_enable_auto_throttle_source(adev, AMDGPU_DPM_AUTO_THROTTLE_SRC_THERMAL, true);
si_thermal_start_thermal_controller(adev);
+ ni_update_current_ps(adev, boot_ps);
+
return 0;
}
--
2.34.1
From: Cosmin Ratiu <cratiu(a)nvidia.com>
stable inclusion
from stable-v5.10.216
commit 3d90ca9145f6b97b38d0c2b6b30f6ca6af9c1801
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QRLI
CVE: CVE-2024-35960
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
[ Upstream commit 7c6782ad4911cbee874e85630226ed389ff2e453 ]
Previously, add_rule_fg would only add newly created rules from the
handle into the tree when they had a refcount of 1. On the other hand,
create_flow_handle tries hard to find and reference already existing
identical rules instead of creating new ones.
These two behaviors can result in a situation where create_flow_handle
1) creates a new rule and references it, then
2) in a subsequent step during the same handle creation references it
again,
resulting in a rule with a refcount of 2 that is not linked into the
tree, will have a NULL parent and root and will result in a crash when
the flow group is deleted because del_sw_hw_rule, invoked on rule
deletion, assumes node->parent is != NULL.
This happened in the wild, due to another bug related to incorrect
handling of duplicate pkt_reformat ids, which lead to the code in
create_flow_handle incorrectly referencing a just-added rule in the same
flow handle, resulting in the problem described above. Full details are
at [1].
This patch changes add_rule_fg to add new rules without parents into
the tree, properly initializing them and avoiding the crash. This makes
it more consistent with how rules are added to an FTE in
create_flow_handle.
Fixes: 74491de93712 ("net/mlx5: Add multi dest support")
Link: https://lore.kernel.org/netdev/ea5264d6-6b55-4449-a602-214c6f509c1e@163.com… [1]
Signed-off-by: Cosmin Ratiu <cratiu(a)nvidia.com>
Reviewed-by: Tariq Toukan <tariqt(a)nvidia.com>
Reviewed-by: Mark Bloch <mbloch(a)nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm(a)nvidia.com>
Signed-off-by: Tariq Toukan <tariqt(a)nvidia.com>
Link: https://lore.kernel.org/r/20240409190820.227554-5-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba(a)kernel.org>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: Li Huafei <lihuafei1(a)huawei.com>
---
drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
index 4e8e3797aed08..074c9eb44ab73 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
@@ -1675,8 +1675,9 @@ static struct mlx5_flow_handle *add_rule_fg(struct mlx5_flow_group *fg,
}
trace_mlx5_fs_set_fte(fte, false);
+ /* Link newly added rules into the tree. */
for (i = 0; i < handle->num_rules; i++) {
- if (refcount_read(&handle->rule[i]->node.refcount) == 1) {
+ if (!handle->rule[i]->node.parent) {
tree_add_node(&handle->rule[i]->node, &fte->node);
trace_mlx5_fs_add_rule(handle->rule[i]);
}
--
2.25.1
From: Cosmin Ratiu <cratiu(a)nvidia.com>
stable inclusion
from stable-v4.19.313
commit de0139719cdda82806a47580ca0df06fc85e0bd2
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QRLI
CVE: CVE-2024-35960
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
[ Upstream commit 7c6782ad4911cbee874e85630226ed389ff2e453 ]
Previously, add_rule_fg would only add newly created rules from the
handle into the tree when they had a refcount of 1. On the other hand,
create_flow_handle tries hard to find and reference already existing
identical rules instead of creating new ones.
These two behaviors can result in a situation where create_flow_handle
1) creates a new rule and references it, then
2) in a subsequent step during the same handle creation references it
again,
resulting in a rule with a refcount of 2 that is not linked into the
tree, will have a NULL parent and root and will result in a crash when
the flow group is deleted because del_sw_hw_rule, invoked on rule
deletion, assumes node->parent is != NULL.
This happened in the wild, due to another bug related to incorrect
handling of duplicate pkt_reformat ids, which lead to the code in
create_flow_handle incorrectly referencing a just-added rule in the same
flow handle, resulting in the problem described above. Full details are
at [1].
This patch changes add_rule_fg to add new rules without parents into
the tree, properly initializing them and avoiding the crash. This makes
it more consistent with how rules are added to an FTE in
create_flow_handle.
Fixes: 74491de93712 ("net/mlx5: Add multi dest support")
Link: https://lore.kernel.org/netdev/ea5264d6-6b55-4449-a602-214c6f509c1e@163.com… [1]
Signed-off-by: Cosmin Ratiu <cratiu(a)nvidia.com>
Reviewed-by: Tariq Toukan <tariqt(a)nvidia.com>
Reviewed-by: Mark Bloch <mbloch(a)nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm(a)nvidia.com>
Signed-off-by: Tariq Toukan <tariqt(a)nvidia.com>
Link: https://lore.kernel.org/r/20240409190820.227554-5-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba(a)kernel.org>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: Li Huafei <lihuafei1(a)huawei.com>
---
drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
index a38a0c86705ab..a23323f717a35 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
@@ -1450,8 +1450,9 @@ static struct mlx5_flow_handle *add_rule_fg(struct mlx5_flow_group *fg,
}
trace_mlx5_fs_set_fte(fte, false);
+ /* Link newly added rules into the tree. */
for (i = 0; i < handle->num_rules; i++) {
- if (refcount_read(&handle->rule[i]->node.refcount) == 1) {
+ if (!handle->rule[i]->node.parent) {
tree_add_node(&handle->rule[i]->node, &fte->node);
trace_mlx5_fs_add_rule(handle->rule[i]);
}
--
2.25.1