mirror of
https://github.com/torvalds/linux.git
synced 2024-11-23 12:42:02 +00:00
3d1bec2933
1281032 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Matthew Wilcox (Oracle)
|
3d1bec2933
|
minixfs: Fix minixfs_rename with HIGHMEM
minixfs now uses kmap_local_page(), so we can't call kunmap() to
undo it. This one call was missed as part of the commit this fixes.
Fixes:
|
||
Edward Adam Davis
|
0570730c16
|
hfsplus: fix uninit-value in copy_name
[syzbot reported] BUG: KMSAN: uninit-value in sized_strscpy+0xc4/0x160 sized_strscpy+0xc4/0x160 copy_name+0x2af/0x320 fs/hfsplus/xattr.c:411 hfsplus_listxattr+0x11e9/0x1a50 fs/hfsplus/xattr.c:750 vfs_listxattr fs/xattr.c:493 [inline] listxattr+0x1f3/0x6b0 fs/xattr.c:840 path_listxattr fs/xattr.c:864 [inline] __do_sys_listxattr fs/xattr.c:876 [inline] __se_sys_listxattr fs/xattr.c:873 [inline] __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873 x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:3877 [inline] slab_alloc_node mm/slub.c:3918 [inline] kmalloc_trace+0x57b/0xbe0 mm/slub.c:4065 kmalloc include/linux/slab.h:628 [inline] hfsplus_listxattr+0x4cc/0x1a50 fs/hfsplus/xattr.c:699 vfs_listxattr fs/xattr.c:493 [inline] listxattr+0x1f3/0x6b0 fs/xattr.c:840 path_listxattr fs/xattr.c:864 [inline] __do_sys_listxattr fs/xattr.c:876 [inline] __se_sys_listxattr fs/xattr.c:873 [inline] __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873 x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f [Fix] When allocating memory to strbuf, initialize memory to 0. Reported-and-tested-by: syzbot+efde959319469ff8d4d7@syzkaller.appspotmail.com Signed-off-by: Edward Adam Davis <eadavis@qq.com> Link: https://lore.kernel.org/r/tencent_8BBB6433BC9E1C1B7B4BDF1BF52574BA8808@qq.com Reported-and-tested-by: syzbot+01ade747b16e9c8030e0@syzkaller.appspotmail.com Signed-off-by: Christian Brauner <brauner@kernel.org> |
||
Brian Foster
|
aabfe57eba
|
vfs: don't mod negative dentry count when on shrinker list
The nr_dentry_negative counter is intended to only account negative
dentries that are present on the superblock LRU. Therefore, the LRU
add, remove and isolate helpers modify the counter based on whether
the dentry is negative, but the shrinker list related helpers do not
modify the counter, and the paths that change a dentry between
positive and negative only do so if DCACHE_LRU_LIST is set.
The problem with this is that a dentry on a shrinker list still has
DCACHE_LRU_LIST set to indicate ->d_lru is in use. The additional
DCACHE_SHRINK_LIST flag denotes whether the dentry is on LRU or a
shrink related list. Therefore if a relevant operation (i.e. unlink)
occurs while a dentry is present on a shrinker list, and the
associated codepath only checks for DCACHE_LRU_LIST, then it is
technically possible to modify the negative dentry count for a
dentry that is off the LRU. Since the shrinker list related helpers
do not modify the negative dentry count (because non-LRU dentries
should not be included in the count) when the dentry is ultimately
removed from the shrinker list, this can cause the negative dentry
count to become permanently inaccurate.
This problem can be reproduced via a heavy file create/unlink vs.
drop_caches workload. On an 80xcpu system, I start 80 tasks each
running a 1k file create/delete loop, and one task spinning on
drop_caches. After 10 minutes or so of runtime, the idle/clean cache
negative dentry count increases from somewhere in the range of 5-10
entries to several hundred (and increasingly grows beyond
nr_dentry_unused).
Tweak the logic in the paths that turn a dentry negative or positive
to filter out the case where the dentry is present on a shrink
related list. This allows the above workload to maintain an accurate
negative dentry count.
Fixes:
|
||
Jeff Layton
|
1b3ec4f7c0
|
filelock: fix potential use-after-free in posix_lock_inode
Light Hsieh reported a KASAN UAF warning in trace_posix_lock_inode().
The request pointer had been changed earlier to point to a lock entry
that was added to the inode's list. However, before the tracepoint could
fire, another task raced in and freed that lock.
Fix this by moving the tracepoint inside the spinlock, which should
ensure that this doesn't happen.
Fixes:
|
||
Christian Brauner
|
eeb17984e8
|
Merge patch series "cachefiles: random bugfixes"
libaokun@huaweicloud.com <libaokun@huaweicloud.com> says: This is the third version of this patch series, in which another patch set is subsumed into this one to avoid confusing the two patch sets. (https://patchwork.kernel.org/project/linux-fsdevel/list/?series=854914) We've been testing ondemand mode for cachefiles since January, and we're almost done. We hit a lot of issues during the testing period, and this patch series fixes some of the issues. The patches have passed internal testing without regression. The following is a brief overview of the patches, see the patches for more details. Patch 1-2: Add fscache_try_get_volume() helper function to avoid fscache_volume use-after-free on cache withdrawal. Patch 3: Fix cachefiles_lookup_cookie() and cachefiles_withdraw_cache() concurrency causing cachefiles_volume use-after-free. Patch 4: Propagate error codes returned by vfs_getxattr() to avoid endless loops. Patch 5-7: A read request waiting for reopen could be closed maliciously before the reopen worker is executing or waiting to be scheduled. So ondemand_object_worker() may be called after the info and object and even the cache have been freed and trigger use-after-free. So use cancel_work_sync() in cachefiles_ondemand_clean_object() to cancel the reopen worker or wait for it to finish. Since it makes no sense to wait for the daemon to complete the reopen request, to avoid this pointless operation blocking cancel_work_sync(), Patch 1 avoids request generation by the DROPPING state when the request has not been sent, and Patch 2 flushes the requests of the current object before cancel_work_sync(). Patch 8: Cyclic allocation of msg_id to avoid msg_id reuse misleading the daemon to cause hung. Patch 9: Hold xas_lock during polling to avoid dereferencing reqs causing use-after-free. This issue was triggered frequently in our tests, and we found that anolis 5.10 had fixed it. So to avoid failing the test, this patch is pushed upstream as well. Baokun Li (7): netfs, fscache: export fscache_put_volume() and add fscache_try_get_volume() cachefiles: fix slab-use-after-free in fscache_withdraw_volume() cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie() cachefiles: propagate errors from vfs_getxattr() to avoid infinite loop cachefiles: stop sending new request when dropping object cachefiles: cancel all requests for the object that is being dropped cachefiles: cyclic allocation of msg_id to avoid reuse Hou Tao (1): cachefiles: wait for ondemand_object_worker to finish when dropping object Jingbo Xu (1): cachefiles: add missing lock protection when polling fs/cachefiles/cache.c | 45 ++++++++++++++++++++++++++++- fs/cachefiles/daemon.c | 4 +-- fs/cachefiles/internal.h | 3 ++ fs/cachefiles/ondemand.c | 52 ++++++++++++++++++++++++++++++---- fs/cachefiles/volume.c | 1 - fs/cachefiles/xattr.c | 5 +++- fs/netfs/fscache_volume.c | 14 +++++++++ fs/netfs/internal.h | 2 -- include/linux/fscache-cache.h | 6 ++++ include/trace/events/fscache.h | 4 +++ 10 files changed, 123 insertions(+), 13 deletions(-) Link: https://lore.kernel.org/r/20240628062930.2467993-1-libaokun@huaweicloud.com Signed-off-by: Christian Brauner <brauner@kernel.org> |
||
Jingbo Xu
|
cf5bb09e74 |
cachefiles: add missing lock protection when polling
Add missing lock protection in poll routine when iterating xarray,
otherwise:
Even with RCU read lock held, only the slot of the radix tree is
ensured to be pinned there, while the data structure (e.g. struct
cachefiles_req) stored in the slot has no such guarantee. The poll
routine will iterate the radix tree and dereference cachefiles_req
accordingly. Thus RCU read lock is not adequate in this case and
spinlock is needed here.
Fixes:
|
||
Baokun Li
|
19f4f39909 |
cachefiles: cyclic allocation of msg_id to avoid reuse
Reusing the msg_id after a maliciously completed reopen request may cause
a read request to remain unprocessed and result in a hung, as shown below:
t1 | t2 | t3
-------------------------------------------------
cachefiles_ondemand_select_req
cachefiles_ondemand_object_is_close(A)
cachefiles_ondemand_set_object_reopening(A)
queue_work(fscache_object_wq, &info->work)
ondemand_object_worker
cachefiles_ondemand_init_object(A)
cachefiles_ondemand_send_req(OPEN)
// get msg_id 6
wait_for_completion(&req_A->done)
cachefiles_ondemand_daemon_read
// read msg_id 6 req_A
cachefiles_ondemand_get_fd
copy_to_user
// Malicious completion msg_id 6
copen 6,-1
cachefiles_ondemand_copen
complete(&req_A->done)
// will not set the object to close
// because ondemand_id && fd is valid.
// ondemand_object_worker() is done
// but the object is still reopening.
// new open req_B
cachefiles_ondemand_init_object(B)
cachefiles_ondemand_send_req(OPEN)
// reuse msg_id 6
process_open_req
copen 6,A.size
// The expected failed copen was executed successfully
Expect copen to fail, and when it does, it closes fd, which sets the
object to close, and then close triggers reopen again. However, due to
msg_id reuse resulting in a successful copen, the anonymous fd is not
closed until the daemon exits. Therefore read requests waiting for reopen
to complete may trigger hung task.
To avoid this issue, allocate the msg_id cyclically to avoid reusing the
msg_id for a very short duration of time.
Fixes:
|
||
Hou Tao
|
12e009d608 |
cachefiles: wait for ondemand_object_worker to finish when dropping object
When queuing ondemand_object_worker() to re-open the object,
cachefiles_object is not pinned. The cachefiles_object may be freed when
the pending read request is completed intentionally and the related
erofs is umounted. If ondemand_object_worker() runs after the object is
freed, it will incur use-after-free problem as shown below.
process A processs B process C process D
cachefiles_ondemand_send_req()
// send a read req X
// wait for its completion
// close ondemand fd
cachefiles_ondemand_fd_release()
// set object as CLOSE
cachefiles_ondemand_daemon_read()
// set object as REOPENING
queue_work(fscache_wq, &info->ondemand_work)
// close /dev/cachefiles
cachefiles_daemon_release
cachefiles_flush_reqs
complete(&req->done)
// read req X is completed
// umount the erofs fs
cachefiles_put_object()
// object will be freed
cachefiles_ondemand_deinit_obj_info()
kmem_cache_free(object)
// both info and object are freed
ondemand_object_worker()
When dropping an object, it is no longer necessary to reopen the object,
so use cancel_work_sync() to cancel or wait for ondemand_object_worker()
to finish.
Fixes:
|
||
|
Baokun Li
|
751f524635 |
cachefiles: cancel all requests for the object that is being dropped
Because after an object is dropped, requests for that object are useless, cancel them to avoid causing other problems. This prepares for the later addition of cancel_work_sync(). After the reopen requests is generated, cancel it to avoid cancel_work_sync() blocking by waiting for daemon to complete the reopen requests. Signed-off-by: Baokun Li <libaokun1@huawei.com> Link: https://lore.kernel.org/r/20240628062930.2467993-7-libaokun@huaweicloud.com Acked-by: Jeff Layton <jlayton@kernel.org> Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com> Reviewed-by: Jia Zhu <zhujia.zj@bytedance.com> Signed-off-by: Christian Brauner <brauner@kernel.org> |
||
|
Baokun Li
|
b2415d1f45 |
cachefiles: stop sending new request when dropping object
Added CACHEFILES_ONDEMAND_OBJSTATE_DROPPING indicates that the cachefiles object is being dropped, and is set after the close request for the dropped object completes, and no new requests are allowed to be sent after this state. This prepares for the later addition of cancel_work_sync(). It prevents leftover reopen requests from being sent, to avoid processing unnecessary requests and to avoid cancel_work_sync() blocking by waiting for daemon to complete the reopen requests. Signed-off-by: Baokun Li <libaokun1@huawei.com> Link: https://lore.kernel.org/r/20240628062930.2467993-6-libaokun@huaweicloud.com Acked-by: Jeff Layton <jlayton@kernel.org> Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com> Reviewed-by: Jia Zhu <zhujia.zj@bytedance.com> Signed-off-by: Christian Brauner <brauner@kernel.org> |
||
|
Baokun Li
|
0ece614a52 |
cachefiles: propagate errors from vfs_getxattr() to avoid infinite loop
In cachefiles_check_volume_xattr(), the error returned by vfs_getxattr()
is not passed to ret, so it ends up returning -ESTALE, which leads to an
endless loop as follows:
cachefiles_acquire_volume
retry:
ret = cachefiles_check_volume_xattr
ret = -ESTALE
xlen = vfs_getxattr // return -EIO
// The ret is not updated when xlen < 0, so -ESTALE is returned.
return ret
// Supposed to jump out of the loop at this judgement.
if (ret != -ESTALE)
goto error_dir;
cachefiles_bury_object
// EIO causes rename failure
goto retry;
Hence propagate the error returned by vfs_getxattr() to avoid the above
issue. Do the same in cachefiles_check_auxdata().
Fixes:
|
||
|
Baokun Li
|
5d8f805789 |
cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()
We got the following issue in our fault injection stress test:
==================================================================
BUG: KASAN: slab-use-after-free in cachefiles_withdraw_cookie+0x4d9/0x600
Read of size 8 at addr ffff888118efc000 by task kworker/u78:0/109
CPU: 13 PID: 109 Comm: kworker/u78:0 Not tainted 6.8.0-dirty #566
Call Trace:
<TASK>
kasan_report+0x93/0xc0
cachefiles_withdraw_cookie+0x4d9/0x600
fscache_cookie_state_machine+0x5c8/0x1230
fscache_cookie_worker+0x91/0x1c0
process_one_work+0x7fa/0x1800
[...]
Allocated by task 117:
kmalloc_trace+0x1b3/0x3c0
cachefiles_acquire_volume+0xf3/0x9c0
fscache_create_volume_work+0x97/0x150
process_one_work+0x7fa/0x1800
[...]
Freed by task 120301:
kfree+0xf1/0x2c0
cachefiles_withdraw_cache+0x3fa/0x920
cachefiles_put_unbind_pincount+0x1f6/0x250
cachefiles_daemon_release+0x13b/0x290
__fput+0x204/0xa00
task_work_run+0x139/0x230
do_exit+0x87a/0x29b0
[...]
==================================================================
Following is the process that triggers the issue:
p1 | p2
------------------------------------------------------------
fscache_begin_lookup
fscache_begin_volume_access
fscache_cache_is_live(fscache_cache)
cachefiles_daemon_release
cachefiles_put_unbind_pincount
cachefiles_daemon_unbind
cachefiles_withdraw_cache
fscache_withdraw_cache
fscache_set_cache_state(cache, FSCACHE_CACHE_IS_WITHDRAWN);
cachefiles_withdraw_objects(cache)
fscache_wait_for_objects(fscache)
atomic_read(&fscache_cache->object_count) == 0
fscache_perform_lookup
cachefiles_lookup_cookie
cachefiles_alloc_object
refcount_set(&object->ref, 1);
object->volume = volume
fscache_count_object(vcookie->cache);
atomic_inc(&fscache_cache->object_count)
cachefiles_withdraw_volumes
cachefiles_withdraw_volume
fscache_withdraw_volume
__cachefiles_free_volume
kfree(cachefiles_volume)
fscache_cookie_state_machine
cachefiles_withdraw_cookie
cache = object->volume->cache;
// cachefiles_volume UAF !!!
After setting FSCACHE_CACHE_IS_WITHDRAWN, wait for all the cookie lookups
to complete first, and then wait for fscache_cache->object_count == 0 to
avoid the cookie exiting after the volume has been freed and triggering
the above issue. Therefore call fscache_withdraw_volume() before calling
cachefiles_withdraw_objects().
This way, after setting FSCACHE_CACHE_IS_WITHDRAWN, only the following two
cases will occur:
1) fscache_begin_lookup fails in fscache_begin_volume_access().
2) fscache_withdraw_volume() will ensure that fscache_count_object() has
been executed before calling fscache_wait_for_objects().
Fixes:
|
||
|
Baokun Li
|
522018a0de |
cachefiles: fix slab-use-after-free in fscache_withdraw_volume()
We got the following issue in our fault injection stress test:
==================================================================
BUG: KASAN: slab-use-after-free in fscache_withdraw_volume+0x2e1/0x370
Read of size 4 at addr ffff88810680be08 by task ondemand-04-dae/5798
CPU: 0 PID: 5798 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #565
Call Trace:
kasan_check_range+0xf6/0x1b0
fscache_withdraw_volume+0x2e1/0x370
cachefiles_withdraw_volume+0x31/0x50
cachefiles_withdraw_cache+0x3ad/0x900
cachefiles_put_unbind_pincount+0x1f6/0x250
cachefiles_daemon_release+0x13b/0x290
__fput+0x204/0xa00
task_work_run+0x139/0x230
Allocated by task 5820:
__kmalloc+0x1df/0x4b0
fscache_alloc_volume+0x70/0x600
__fscache_acquire_volume+0x1c/0x610
erofs_fscache_register_volume+0x96/0x1a0
erofs_fscache_register_fs+0x49a/0x690
erofs_fc_fill_super+0x6c0/0xcc0
vfs_get_super+0xa9/0x140
vfs_get_tree+0x8e/0x300
do_new_mount+0x28c/0x580
[...]
Freed by task 5820:
kfree+0xf1/0x2c0
fscache_put_volume.part.0+0x5cb/0x9e0
erofs_fscache_unregister_fs+0x157/0x1b0
erofs_kill_sb+0xd9/0x1c0
deactivate_locked_super+0xa3/0x100
vfs_get_super+0x105/0x140
vfs_get_tree+0x8e/0x300
do_new_mount+0x28c/0x580
[...]
==================================================================
Following is the process that triggers the issue:
mount failed | daemon exit
------------------------------------------------------------
deactivate_locked_super cachefiles_daemon_release
erofs_kill_sb
erofs_fscache_unregister_fs
fscache_relinquish_volume
__fscache_relinquish_volume
fscache_put_volume(fscache_volume, fscache_volume_put_relinquish)
zero = __refcount_dec_and_test(&fscache_volume->ref, &ref);
cachefiles_put_unbind_pincount
cachefiles_daemon_unbind
cachefiles_withdraw_cache
cachefiles_withdraw_volumes
list_del_init(&volume->cache_link)
fscache_free_volume(fscache_volume)
cache->ops->free_volume
cachefiles_free_volume
list_del_init(&cachefiles_volume->cache_link);
kfree(fscache_volume)
cachefiles_withdraw_volume
fscache_withdraw_volume
fscache_volume->n_accesses
// fscache_volume UAF !!!
The fscache_volume in cache->volumes must not have been freed yet, but its
reference count may be 0. So use the new fscache_try_get_volume() helper
function try to get its reference count.
If the reference count of fscache_volume is 0, fscache_put_volume() is
freeing it, so wait for it to be removed from cache->volumes.
If its reference count is not 0, call cachefiles_withdraw_volume() with
reference count protection to avoid the above issue.
Fixes:
|
||
|
Baokun Li
|
85b08b31a2 |
netfs, fscache: export fscache_put_volume() and add fscache_try_get_volume()
Export fscache_put_volume() and add fscache_try_get_volume() helper function to allow cachefiles to get/put fscache_volume via linux/fscache-cache.h. Signed-off-by: Baokun Li <libaokun1@huawei.com> Link: https://lore.kernel.org/r/20240628062930.2467993-2-libaokun@huaweicloud.com Signed-off-by: Christian Brauner <brauner@kernel.org> |
||
Linus Torvalds
|
22a40d14b5 | Linux 6.10-rc6 | ||
|
Linus Torvalds
|
aca7c377d8 |
ata fixes for 6.10-rc6
- Add NOLPM quirk for for all Crucial BX SSD1 models. Considering that we now have had bug reports for 3 different BX SSD1 variants from Crucial with the same product name, make the quirk more inclusive, to catch more device models from the same generation. - Fix a trivial null pointer dereference in the error path for ata_host_release(). - Create a ata_port_free(), so that we don't miss freeing ata_port struct members when freeing a struct ata_port. - Fix a trivial double free in the error path for ata_host_alloc(). - Ensure that we remove the libata "remapped NVMe device count" sysfs entry on .probe() error. -----BEGIN PGP SIGNATURE----- iHUEABYKAB0WIQRN+ES/c4tHlMch3DzJZDGjmcZNcgUCZoHMzwAKCRDJZDGjmcZN cj4wAP4nHi3Jr/ezwrIahwMGXV/VSlUhxOakj3OADdHe5spIogD/SrR8Uz7/m5QC sMF0Rd2L7tfrQSDdJ/MztBi7cVprtQo= =lnku -----END PGP SIGNATURE----- Merge tag 'ata-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/libata/linux Pull ata fixes from Niklas Cassel: - Add NOLPM quirk for for all Crucial BX SSD1 models. Considering that we now have had bug reports for 3 different BX SSD1 variants from Crucial with the same product name, make the quirk more inclusive, to catch more device models from the same generation. - Fix a trivial NULL pointer dereference in the error path for ata_host_release(). - Create a ata_port_free(), so that we don't miss freeing ata_port struct members when freeing a struct ata_port. - Fix a trivial double free in the error path for ata_host_alloc(). - Ensure that we remove the libata "remapped NVMe device count" sysfs entry on .probe() error. * tag 'ata-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/libata/linux: ata: ahci: Clean up sysfs file on error ata: libata-core: Fix double free on error ata,scsi: libata-core: Do not leak memory for ata_port struct members ata: libata-core: Fix null pointer dereference on error ata: libata-core: Add ATA_HORKAGE_NOLPM for all Crucial BX SSD1 models |
||
Niklas Cassel
|
eeb25a09c5 |
ata: ahci: Clean up sysfs file on error
.probe() (ahci_init_one()) calls sysfs_add_file_to_group(), however,
if probe() fails after this call, we currently never call
sysfs_remove_file_from_group().
(The sysfs_remove_file_from_group() call in .remove() (ahci_remove_one())
does not help, as .remove() is not called on .probe() error.)
Thus, if probe() fails after the sysfs_add_file_to_group() call, the next
time we insmod the module we will get:
sysfs: cannot create duplicate filename '/devices/pci0000:00/0000:00:04.0/remapped_nvme'
CPU: 11 PID: 954 Comm: modprobe Not tainted 6.10.0-rc5 #43
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x5d/0x80
sysfs_warn_dup.cold+0x17/0x23
sysfs_add_file_mode_ns+0x11a/0x130
sysfs_add_file_to_group+0x7e/0xc0
ahci_init_one+0x31f/0xd40 [ahci]
Fixes:
|
||
|
Niklas Cassel
|
ab9e0c529e |
ata: libata-core: Fix double free on error
If e.g. the ata_port_alloc() call in ata_host_alloc() fails, we will jump
to the err_out label, which will call devres_release_group().
devres_release_group() will trigger a call to ata_host_release().
ata_host_release() calls kfree(host), so executing the kfree(host) in
ata_host_alloc() will lead to a double free:
kernel BUG at mm/slub.c:553!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 11 PID: 599 Comm: (udev-worker) Not tainted 6.10.0-rc5 #47
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
RIP: 0010:kfree+0x2cf/0x2f0
Code: 5d 41 5e 41 5f 5d e9 80 d6 ff ff 4d 89 f1 41 b8 01 00 00 00 48 89 d9 48 89 da
RSP: 0018:ffffc90000f377f0 EFLAGS: 00010246
RAX: ffff888112b1f2c0 RBX: ffff888112b1f2c0 RCX: ffff888112b1f320
RDX: 000000000000400b RSI: ffffffffc02c9de5 RDI: ffff888112b1f2c0
RBP: ffffc90000f37830 R08: 0000000000000000 R09: 0000000000000000
R10: ffffc90000f37610 R11: 617461203a736b6e R12: ffffea00044ac780
R13: ffff888100046400 R14: ffffffffc02c9de5 R15: 0000000000000006
FS: 00007f2f1cabe980(0000) GS:ffff88813b380000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2f1c3acf75 CR3: 0000000111724000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
<TASK>
? __die_body.cold+0x19/0x27
? die+0x2e/0x50
? do_trap+0xca/0x110
? do_error_trap+0x6a/0x90
? kfree+0x2cf/0x2f0
? exc_invalid_op+0x50/0x70
? kfree+0x2cf/0x2f0
? asm_exc_invalid_op+0x1a/0x20
? ata_host_alloc+0xf5/0x120 [libata]
? ata_host_alloc+0xf5/0x120 [libata]
? kfree+0x2cf/0x2f0
ata_host_alloc+0xf5/0x120 [libata]
ata_host_alloc_pinfo+0x14/0xa0 [libata]
ahci_init_one+0x6c9/0xd20 [ahci]
Ensure that we will not call kfree(host) twice, by performing the kfree()
only if the devres_open_group() call failed.
Fixes:
|
||
|
Niklas Cassel
|
f6549f538f |
ata,scsi: libata-core: Do not leak memory for ata_port struct members
libsas is currently not freeing all the struct ata_port struct members,
e.g. ncq_sense_buf for a driver supporting Command Duration Limits (CDL).
Add a function, ata_port_free(), that is used to free a ata_port,
including its struct members. It makes sense to keep the code related to
freeing a ata_port in its own function, which will also free all the
struct members of struct ata_port.
Fixes:
|
||
|
Niklas Cassel
|
5d92c7c566 |
ata: libata-core: Fix null pointer dereference on error
If the ata_port_alloc() call in ata_host_alloc() fails,
ata_host_release() will get called.
However, the code in ata_host_release() tries to free ata_port struct
members unconditionally, which can lead to the following:
BUG: unable to handle page fault for address: 0000000000003990
PGD 0 P4D 0
Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 10 PID: 594 Comm: (udev-worker) Not tainted 6.10.0-rc5 #44
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
RIP: 0010:ata_host_release.cold+0x2f/0x6e [libata]
Code: e4 4d 63 f4 44 89 e2 48 c7 c6 90 ad 32 c0 48 c7 c7 d0 70 33 c0 49 83 c6 0e 41
RSP: 0018:ffffc90000ebb968 EFLAGS: 00010246
RAX: 0000000000000041 RBX: ffff88810fb52e78 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff88813b3218c0 RDI: ffff88813b3218c0
RBP: ffff88810fb52e40 R08: 0000000000000000 R09: 6c65725f74736f68
R10: ffffc90000ebb738 R11: 73692033203a746e R12: 0000000000000004
R13: 0000000000000000 R14: 0000000000000011 R15: 0000000000000006
FS: 00007f6cc55b9980(0000) GS:ffff88813b300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000003990 CR3: 00000001122a2000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
<TASK>
? __die_body.cold+0x19/0x27
? page_fault_oops+0x15a/0x2f0
? exc_page_fault+0x7e/0x180
? asm_exc_page_fault+0x26/0x30
? ata_host_release.cold+0x2f/0x6e [libata]
? ata_host_release.cold+0x2f/0x6e [libata]
release_nodes+0x35/0xb0
devres_release_group+0x113/0x140
ata_host_alloc+0xed/0x120 [libata]
ata_host_alloc_pinfo+0x14/0xa0 [libata]
ahci_init_one+0x6c9/0xd20 [ahci]
Do not access ata_port struct members unconditionally.
Fixes:
|
||
|
Linus Torvalds
|
e0b668b070 |
Kbuild fixes for v6.10 (third)
- Remove the executable bit from installed DTB files - Escape $ in subshell execution in the debian-orig target - Fix RPM builds with CONFIG_MODULES=n - Fix xconfig with the O= option - Fix scripts_gdb with the O= option -----BEGIN PGP SIGNATURE----- iQJJBAABCgAzFiEEbmPs18K1szRHjPqEPYsBB53g2wYFAmaBjccVHG1hc2FoaXJv eUBrZXJuZWwub3JnAAoJED2LAQed4NsGkugP+wdEiVWMpps+/CpTJuvSroEv0Kos Qqy0iQO9JP77tHfLnnMG2+tSvJh6nk7weitoiSkUuCfXde/8Y7HfvdldxzJI4kJD HkJF6b0MCbZDPkvAQhj8CCtsGKNy7X020047/qVUK9OrNH1HZiLOvFNirYuN3nrF T4/HK098S1ij8oAcF1F7psB231pXijQmIeMpVJAhjh9T3Kimu3tGENcVi1yu42tg /emZvhgst1eCOz/e02GHt7n8v5SncYnT5/eBPmZ+nd19uW1QMLY0xES6/dpEd/hN /jjMppqPPlJaYewIHXH8qaejcjyom/CBgxc9B6phGRd8IVR4YjK6DzPiwoAHXcvs KWoJUfLX4FV3PvoaW4XiKifW4lnaADy11bZjIXiV2PHSM/PBNNNtS6BZQv/gB+Sa a5qPRGjhc55pDIv63vTdEZ1HekWp8/XO5HkzWAFnInB+Fnuxqtwx8a6taM7Vgadq O1K4b17UedmFMHSB4UUDKra+7pS0ZP6hLXzozGf3AS/TgUHMTvU8mN0+2k4kxJol dA84pJUHBdnn/61SplNw2PBfP7QYhNJWfPU91Mn/noBwF/sMRFatCuFEgscgP2h+ 0itls2RT1Z4dPN/XN7UiJ8s4vdeYkwCJGhMDIfFe/g3JWFYTuGPeKATVPJZ0DWzz 6otCioAfqFFotky7 =JlIv -----END PGP SIGNATURE----- Merge tag 'kbuild-fixes-v6.10-3' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild Pull Kbuild fixes from Masahiro Yamada: - Remove the executable bit from installed DTB files - Escape $ in subshell execution in the debian-orig target - Fix RPM builds with CONFIG_MODULES=n - Fix xconfig with the O= option - Fix scripts_gdb with the O= option * tag 'kbuild-fixes-v6.10-3' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild: kbuild: scripts/gdb: bring the "abspath" back kbuild: Use $(obj)/%.cc to fix host C++ module builds kbuild: rpm-pkg: fix build error with CONFIG_MODULES=n kbuild: Fix build target deb-pkg: ln: failed to create hard link kbuild: doc: Update default INSTALL_MOD_DIR from extra to updates kbuild: Install dtb files as 0644 in Makefile.dtbinst |
||
|
Linus Torvalds
|
769327258a |
x86-32: fix cmpxchg8b_emu build error with clang
The kernel test robot reported that clang no longer compiles the 32-bit x86 kernel in some configurations due to commit |
||
|
Linus Torvalds
|
84dd4373d5 |
Char/Misc driver fixes for 6.10-rc6
Here are some small driver fixes for 6.10-rc6. Included in here are: - IIO driver fixes for reported issues - Counter driver fix for a reported problem. All of these have been in linux-next this week with no reported issues Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -----BEGIN PGP SIGNATURE----- iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCZoFlrA8cZ3JlZ0Brcm9h aC5jb20ACgkQMUfUDdst+ymiMQCgkUmsCT9KQDt+/IqClfL+A6nBvUkAn08jRwGA dXjTvroHgHsNCU/VXMwV =FcWr -----END PGP SIGNATURE----- Merge tag 'char-misc-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc Pull char/misc driver fixes from Greg KH: "Here are some small driver fixes for 6.10-rc6. Included in here are: - IIO driver fixes for reported issues - Counter driver fix for a reported problem. All of these have been in linux-next this week with no reported issues" * tag 'char-misc-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: counter: ti-eqep: enable clock at probe iio: chemical: bme680: Fix sensor data read operation iio: chemical: bme680: Fix overflows in compensate() functions iio: chemical: bme680: Fix calibration data variable iio: chemical: bme680: Fix pressure value output iio: humidity: hdc3020: fix hysteresis representation iio: dac: fix ad9739a random config compile error iio: accel: fxls8962af: select IIO_BUFFER & IIO_KFIFO_BUF iio: adc: ad7266: Fix variable checking bug iio: xilinx-ams: Don't include ams_ctrl_channels in scan_mask |
||
|
Linus Torvalds
|
12529aa130 |
Staging driver fixes for 6.10-rc6
Here are 2 small staging driver fixes for 6.10-rc6, both for the vc04_services drivers: - build fix if CONFIG_DEBUGFS was not set - initialization check fix that was much reported. Both of these have been in linux-next this week with no reported issues. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -----BEGIN PGP SIGNATURE----- iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCZoFmKA8cZ3JlZ0Brcm9h aC5jb20ACgkQMUfUDdst+yk5fgCfaPNg7ikwjRrmgUJbN/e9wx99T90AoL+/iJws 4xL+J3dALmGWTPBqBnNA =pIxW -----END PGP SIGNATURE----- Merge tag 'staging-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging Pull staging driver fixes from Greg KH: "Here are two small staging driver fixes for 6.10-rc6, both for the vc04_services drivers: - build fix if CONFIG_DEBUGFS was not set - initialization check fix that was much reported. Both of these have been in linux-next this week with no reported issues" * tag 'staging-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: staging: vchiq_debugfs: Fix build if CONFIG_DEBUG_FS is not set staging: vc04_services: vchiq_arm: Fix initialisation check |
||
|
Linus Torvalds
|
3e334486ec |
TTY/Serial/Console fixes for 6.10-rc6
Here are a bunch of fixes/reverts for 6.10-rc6. Include in here are:
- revert the bunch of tty/serial/console changes that landed in -rc1
that didn't quite work properly yet. Everyone agreed to just revert
them for now and will work on making them better for a future
release instead of trying to quick fix the existing changes this
late in the release cycle
- 8250 driver port count bugfix
- Other tiny serial port bugfixes for reported issues
All of these have been in linux-next this week with no reported issues.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCZoFmvg8cZ3JlZ0Brcm9h
aC5jb20ACgkQMUfUDdst+ymziACgvoDTxuDHHfPOd6h/1qrHqYpFK1YAn2IDMJGj
Ng4/I/gwnkJeeHQC5JSn
=g9o4
-----END PGP SIGNATURE-----
Merge tag 'tty-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
Pull tty / serial / console fixes from Greg KH:
"Here are a bunch of fixes/reverts for 6.10-rc6. Include in here are:
- revert the bunch of tty/serial/console changes that landed in -rc1
that didn't quite work properly yet.
Everyone agreed to just revert them for now and will work on making
them better for a future release instead of trying to quick fix the
existing changes this late in the release cycle
- 8250 driver port count bugfix
- Other tiny serial port bugfixes for reported issues
All of these have been in linux-next this week with no reported
issues"
* tag 'tty-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
Revert "printk: Save console options for add_preferred_console_match()"
Revert "printk: Don't try to parse DEVNAME:0.0 console options"
Revert "printk: Flag register_console() if console is set on command line"
Revert "serial: core: Add support for DEVNAME:0.0 style naming for kernel console"
Revert "serial: core: Handle serial console options"
Revert "serial: 8250: Add preferred console in serial8250_isa_init_ports()"
Revert "Documentation: kernel-parameters: Add DEVNAME:0.0 format for serial ports"
Revert "serial: 8250: Fix add preferred console for serial8250_isa_init_ports()"
Revert "serial: core: Fix ifdef for serial base console functions"
serial: bcm63xx-uart: fix tx after conversion to uart_port_tx_limited()
serial: core: introduce uart_port_tx_limited_flags()
Revert "serial: core: only stop transmit when HW fifo is empty"
serial: imx: set receiver level before starting uart
tty: mcf: MCF54418 has 10 UARTS
serial: 8250_omap: Implementation of Errata i2310
tty: serial: 8250: Fix port count mismatch with the device
|
||
|
Linus Torvalds
|
2c01c3d552 |
USB fixes for 6.10-rc6
Here are a handful of small USB driver fixes for 6.10-rc6 to resolve
some reported issues. Included in here are:
- typec driver bugfixes
- usb gadget driver reverts for commits that were reported to have
problems
- resource leak bugfix
- gadget driver bugfixes
- dwc3 driver bugfixes
- usb atm driver bugfix for when syzbot got loose on it
All of these have been in linux-next this week with no reported issues.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCZoFnUA8cZ3JlZ0Brcm9h
aC5jb20ACgkQMUfUDdst+ym3ggCgyM2B+cIOH4FtyWi7FfXj8XjDsjIAoKzX45+o
TO/pSGQhRwx9PeFfDISM
=pFEO
-----END PGP SIGNATURE-----
Merge tag 'usb-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
Pull USB fixes from Greg KH:
"Here are a handful of small USB driver fixes for 6.10-rc6 to resolve
some reported issues. Included in here are:
- typec driver bugfixes
- usb gadget driver reverts for commits that were reported to have
problems
- resource leak bugfix
- gadget driver bugfixes
- dwc3 driver bugfixes
- usb atm driver bugfix for when syzbot got loose on it
All of these have been in linux-next this week with no reported issues"
* tag 'usb-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
usb: dwc3: core: Workaround for CSR read timeout
Revert "usb: gadget: u_ether: Replace netif_stop_queue with netif_device_detach"
Revert "usb: gadget: u_ether: Re-attach netif device to mirror detachment"
usb: gadget: aspeed_udc: fix device address configuration
usb: dwc3: core: remove lock of otg mode during gadget suspend/resume to avoid deadlock
usb: typec: ucsi: glink: fix child node release in probe function
usb: musb: da8xx: fix a resource leak in probe()
usb: typec: ucsi_acpi: Add LG Gram quirk
usb: ucsi: stm32: fix command completion handling
usb: atm: cxacru: fix endpoint checking in cxacru_bind()
usb: gadget: printer: fix races against disable
usb: gadget: printer: SS+ support
|
||
|
Linus Torvalds
|
3ffea9a7a6 |
- Fix "nosmp" and "maxcpus=0" after the parallel CPU bringup work went in and broke them
- Make sure CPU hotplug dynamic prepare states are actually executed -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEzv7L6UO9uDPlPSfHEsHwGGHeVUoFAmaBF4QACgkQEsHwGGHe VUq3JA//UOmjzHAdcRnGNnh6h1dMKyQW4KH98eiQMXaSuvDeBOCAd6Y4tq6YF/Om AIxHgLlhOY5O1OSVJZhtxf/lALkolCAEIAkIvGvn6EpPjog5UtNoIf6XAzwLzMn3 O8WVASO2fkypaAYBY+tUEQoLY6CAfkxogV0lzNA8HGMr6Yf/YWueiK2GO63z9Bgt n0h0362xqACMdUbFnPGrX2wpMDA+WuhHwl8Z1Z1TB0rprYiA/tFCMLcVkT3Fezjh hx7sYMwBM8cunMya8p9ucd4kBUJROrfNo4SfHWfG0lsitW/cflTgRXOfLp4GFLvp z0OI9oeSHQyRATOU9yiXrWcbO8M3rFRw4/YcdRZ+5mlydJWDM00DZPqPcuxs4R3Q nH3gE82CvzWchLU5InHwYhi5oqwNUq1N8mz2bN4T9Yjtaj7zArSLqjqIafhxpJqV 9DllV9gGroAUawlRSgo5dpl2XvPcbr9Sx8bIJqwn36esuBb2qZwL6pOtVJIBr88O QWamnvUH6NnIqweUUR9lRRjO5WjR3Xf2ECpEt5rNnqHXLn92usNaphEhBDo3tvrG +O3pjNER3sTEgF43yYpDX0gMZmHuXfmN+fT6QDcDGk764As+/UawIHStyI3nustI R7gM6SUx8Fv3883LuzZtQ7KNLuhPvLxf8YD2I626HpTtLA9tn5k= =qGvT -----END PGP SIGNATURE----- Merge tag 'smp_urgent_for_v6.10_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull smp fixes from Borislav Petkov: - Fix "nosmp" and "maxcpus=0" after the parallel CPU bringup work went in and broke them - Make sure CPU hotplug dynamic prepare states are actually executed * tag 'smp_urgent_for_v6.10_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: cpu: Fix broken cmdline "nosmp" and "maxcpus=0" cpu/hotplug: Fix dynstate assignment in __cpuhp_setup_state_cpuslocked() |
||
|
Linus Torvalds
|
4e41216009 |
- Make sure multi-bridge machines get all eiointc interrupt controllers
initialized even if the number of CPUs has been limited by a cmdline param
- Make sure interrupt lines on liointc hw are configured properly even when
interrupt routing changes
- Avoid use-after-free in the error path of the MSI init code
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEzv7L6UO9uDPlPSfHEsHwGGHeVUoFAmaBFiwACgkQEsHwGGHe
VUpxMA//QjUEdRe93t4jwcdYKjEPgPHEi+JBgL+tpTrrHUS5xrhLRhFGk7oDBG+u
hUMN1NzoPc/Qy8TStjC/rMgwH+NbHyTCb6q0K9ORLtkaZLLz6zlpqQuLiCrd1sMJ
GIztWw4WgvwkZVcFk1MiKfGyIbMBHbicYXEu64ymhkQ30aM1fID/gWvFs8pvaJNg
MnQ3APt45SoywHyqsqNYMr7G1al0Z/OgTf/MTH8R9QDFCnCo99cgWIU83yr9lNQP
z4HZaFSgkIE2Rfc5fsh9wA/K4iqIId06Fx/f4sF5BUXaVPhjUTSv9tIZSVfXfpsS
CuophjzKp5g05LIZUI32DZ+OEZpfR8DVdN6L8bhob5niJ0XqPVhkKf2ctHlmqP+p
FiRN/1SnZaz+ZbLtIV2groyRvD1N/DeDOZfbuCIyj0OhkrxC16XF3Olzb3ayuQXO
n3xXnFMTRmKzTMWQTjS7gMSPEwnImvLsBUhD/Qc7Ka2eiceEm/Q5yziptyYUX+/f
/W0b95rvXcMQMRcCcgwDTHvOV31UOWC0WzDNwZTksyhtNvFXd8MtDmlOE4KAGDyD
hFNNkxJSovtoTB2ogehsUX2QO09yEFirYqntnAmu3Xih56sg3PBcMZOU4O/5dwyw
2nUUJe1p1lvRf5MVd9re9uWxPvv3CYEAiPbHL8S4HEH8etajywg=
=Hh3B
-----END PGP SIGNATURE-----
Merge tag 'irq_urgent_for_v6.10_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull irq fixes from Borislav Petkov:
- Make sure multi-bridge machines get all eiointc interrupt controllers
initialized even if the number of CPUs has been limited by a cmdline
param
- Make sure interrupt lines on liointc hw are configured properly even
when interrupt routing changes
- Avoid use-after-free in the error path of the MSI init code
* tag 'irq_urgent_for_v6.10_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
PCI/MSI: Fix UAF in msi_capability_init
irqchip/loongson-liointc: Set different ISRs for different cores
irqchip/loongson-eiointc: Use early_cpu_to_node() instead of cpu_to_node()
|
||
|
Linus Torvalds
|
03c8b0bd46 |
- Warn when an hrtimer doesn't get a callback supplied
-----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEzv7L6UO9uDPlPSfHEsHwGGHeVUoFAmaBFDwACgkQEsHwGGHe VUqPnw//aRU3MsjXkoBKmK98O7M+6qoHL2rFRGcvw1o0GxzVB4gODgE2mZWeirG7 JLRp/lVX4xhR85NSBpKlmsnnkC8UCDnpXLRpO24ZTdlc84xEyJGsN0gHqJPjpm9M GkBLRPOwDiSEBzL++6IyR/m3f88WDucQJXVyFa/LQIkSiFdzPBbLwX4otuIieD19 6niyXlqQQ+iAyvkDIH7tNELrOHxivPpH3+QQEfAdtE7TWamv5dkQpu9Kbf811vQb DUsaD4E2+kQUY9ulevvz9OnsGpyhd3m30PUOHKdsrUfaE9bM/RTBDpnQ1dR3lPFD kEb4OXsrcM0z++eIUUTBMpRATVjxl17nSgkDg5S6GLTq/Om4KQP33Co7iXE5D4sI ephbA9jlnHAOtaNh/C1/95pIBidMBHw5HE63XcHJGei1x1pRtFx1apI9UezGGc9H IwRzpKR2UorojCcJedZFiXGt54nJL9UUg7d7sybiVurlKOxIxnaB7cfg1MgeG9ke yUGj6ElXvEAoEmnaf7ScAQnQ5VmkyJYTE8PUlR8h8dumQ3tyBEHanOUxqkQAlZ2P TzVqNeCymh8XGChKKs9pHHUeySkQKYMBOZhEGwSGte0kw8JLJuEsTFud+vcONkda 4MqkH73ebPUdsH5pBNDX7eeDFLvrbpwPNh9u3wQtAnpMGLTKH4k= =et0y -----END PGP SIGNATURE----- Merge tag 'timers_urgent_for_v6.10_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull timer fix from Borislav Petkov: - Warn when an hrtimer doesn't get a callback supplied * tag 'timers_urgent_for_v6.10_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: hrtimer: Prevent queuing of hrtimer without a function callback |
||
|
Linus Torvalds
|
327fceff3b |
linux-watchdog 6.10-rc-fixes tag
-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (GNU/Linux) iEYEABECAAYFAmaBJ/QACgkQ+iyteGJfRsq/IwCeOTeG8ZlISFS9dQA/2sLXATW+ NFMAn0gKRntpeT75JLXWCA1DSIsw/sF/ =uf7m -----END PGP SIGNATURE----- Merge tag 'linux-watchdog-6.10-rc-fixes' of git://www.linux-watchdog.org/linux-watchdog Pull watchdog fixes from Wim Van Sebroeck: - lenovo_se10_wdt: add HAS_IOPORT dependency - add missing MODULE_DESCRIPTION() macros * tag 'linux-watchdog-6.10-rc-fixes' of git://www.linux-watchdog.org/linux-watchdog: watchdog: add missing MODULE_DESCRIPTION() macros watchdog: lenovo_se10_wdt: add HAS_IOPORT dependency |
||
|
Linus Torvalds
|
8282d5af7b |
NFS client bugfixes for Linux 6.10
Bugfixes: - SUNRPC one more fix for the NFSv4.x backchannel timeouts -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEESQctxSBg8JpV8KqEZwvnipYKAPIFAmaAUuUACgkQZwvnipYK APKO2A//XjinP2LBsPPtjNCrZRujWgYZDblymXeFyZKh8LEsORojvaijtE959VXQ loPxmybv5Ht7Zg1p5vxRF00T6MX4eza50JAUfxa7QaUYTDMF7MX2sR1217aG2ht/ ccmWLz4+JiuSbiPyOHYgY044KXMN9jLth1PjaBn6Efw4waQTyL7nI9dm7Mu/miij eyIYzDl2gb2XyB6+qG528XWi3nA57OGV3vHvET8S15Rvq6LwdYdnJykk/cG7uVkp 00ZsdotVBUtnGyrQrcbZulzqVdKRYCYrmWK33UhP9NSDazf9ou89ieTZqyFi2+8m 46rSmLmW2rx6u37he46ZVjly+0PFWGZaO/U/Qj7e19iA5bp5C8Sp5z8igo3dG93p 1SFNGH4SKJ6IuNz3mWfhza25/sV0ZTdVSDgGazzVpf/dHOdBJ24Btjo2ANo9oxct 3BP4k6mXrZyQse967WjOQIhGXC7DAwzU9rw0hLDd6PPQD+SA8KsIn3P4PFJSGqOP VGE5QK2mGRUHUypo/b2YPueXHxLxN2NJv+xLvd/IiAUr0km8hcITnrhOgAf297/j BK1qv2PdKhTFc0NTZ7frXrBV5hpbws98z5JOVq/lkt9spGqEdtjUzSeCd4gpJAWk abHpHI59OZH8Byt9nJllDn/BbNJTDhk//dnytt4iklm1yllKs6k= =c5Ek -----END PGP SIGNATURE----- Merge tag 'nfs-for-6.10-3' of git://git.linux-nfs.org/projects/trondmy/linux-nfs Pull NFS client fix from Trond Myklebust: - One more SUNRPC fix for the NFSv4.x backchannel timeouts * tag 'nfs-for-6.10-3' of git://git.linux-nfs.org/projects/trondmy/linux-nfs: SUNRPC: Fix backchannel reply, again |
||
|
Linus Torvalds
|
27b31deb90 |
Bug fixes for 6.10-rc6:
* Always free only post-EOF delayed allocations for files with the
XFS_DIFLAG_PREALLOC or APPEND flags set.
* Do not align cow fork delalloc to cowextsz hint when running low on space.
* Allow zero-size symlinks and directories as long as the link count is
zero.
* Change XFS_IOC_EXCHANGE_RANGE to be a _IOW only ioctl. This was ioctl was
introduced during v6.10 developement cycle.
* xfs_init_new_inode() now creates an attribute fork on a newly created
inode even if ATTR feature flag is not enabled.
Signed-off-by: Chandan Babu R <chandanbabu@kernel.org>
-----BEGIN PGP SIGNATURE-----
iHUEABYIAB0WIQQjMC4mbgVeU7MxEIYH7y4RirJu9AUCZnvYdwAKCRAH7y4RirJu
9DRmAP9VwmSgBrVGZ459K6LluP12FoIpzUljEYSiQiyjhxuQJgD/fou/8G+/TTQH
3TtdmC8Xo7SWRMq9+wPpH5OywbsvZQM=
=fV8d
-----END PGP SIGNATURE-----
Merge tag 'xfs-6.10-fixes-5' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux
Pull xfs fixes from Chandan Babu:
- Always free only post-EOF delayed allocations for files with the
XFS_DIFLAG_PREALLOC or APPEND flags set.
- Do not align cow fork delalloc to cowextsz hint when running low on
space.
- Allow zero-size symlinks and directories as long as the link count is
zero.
- Change XFS_IOC_EXCHANGE_RANGE to be a _IOW only ioctl. This was ioctl
was introduced during v6.10 developement cycle.
- xfs_init_new_inode() now creates an attribute fork on a newly created
inode even if ATTR feature flag is not enabled.
* tag 'xfs-6.10-fixes-5' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
xfs: honor init_xattrs in xfs_init_new_inode for !ATTR fs
xfs: fix direction in XFS_IOC_EXCHANGE_RANGE
xfs: allow unlinked symlinks and dirs with zero size
xfs: restrict when we try to align cow fork delalloc to cowextsz hints
xfs: fix freeing speculative preallocations for preallocated files
|
||
|
Linus Torvalds
|
ebe70b3ace |
Two fixes for the testunit and and a fixup for the code reorganization
of the previous wmt-driver -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEOZGx6rniZ1Gk92RdFA3kzBSgKbYFAmaADYQACgkQFA3kzBSg KbYLHg//Zcm15ojDvBkvGCHnlien/ZwaVQnTmM1zuo8SziwlnNVBST9ib7wz0Mfr SACAs3kGaNw5nSA/ryVxYw5s03YyWoqcwwgnB3rY+JX1lOsOxBv0Jzjh1SumwQHC RGimQv7nU8Ype8HEcy6cy2WKBSH0gEDiHwUfraxDpRBejQTJqREtJGyMXQzNFzEr QM1q6AuXSnhq75t3cpcN3d2xCnmnv6UbFEsxbYB+TWg8XVJkYwcc/hbGLz3wz3kz G/eLgerPaDXDr372LPsTKyaKb07vrk3gCyqCpYFAV3FYtCHHSlaNFnrdJBZtZA+4 1k7QmDDlfoV+Or64oDdfgAhUhvZNqpwSmIlJs7SiNH/1xIqt9RDni3XOomCgi32l IWiYN6XDVJxV81AyObYdI6qFLEgPja7MQCXFe3U06J//hxTuiBRcPnuDoakZVkgr hMrEQKxlwkcQCBoZYIUjgFxEtRStXxp4d15TbjVNa4pLQmBstb7Ax8RHXNgbLQWn 3sIpoutSr1qMBKvb8SFKCZxTfjzScLwMDn+NIS04XmlAt8YZ5m8XwRkx5j/d1wUD N0x7+wvP/O04Z4XfT3V46VD2Yp+bd6xrLx0LJx6W4f1hZCXUj3vaTL/ykFV5Sf6u m07j+zzASprZ7NysGWhPYhn7J3Wxc2ng0ogjYQcP5Pt+saI62S4= =pKpi -----END PGP SIGNATURE----- Merge tag 'i2c-for-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux Pull i2c fixes from Wolfram Sang: "Two fixes for the testunit and and a fixup for the code reorganization of the previous wmt-driver" * tag 'i2c-for-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux: i2c: testunit: discard write requests while old command is running i2c: testunit: don't erase registers after STOP i2c: viai2c: turn common code into a proper module |
||
|
Linus Torvalds
|
921863fd9f |
platform-drivers-x86 for v6.10-4
Highlights: - Fix lg-laptop driver not working with 2024 LG laptop models - Add missing MODULE_DESCRIPTION() macros to various modules - nvsw-sn2201: Add check for platform_device_add_resources The following is an automated git shortlog grouped by driver: add missing MODULE_DESCRIPTION() macros: - add missing MODULE_DESCRIPTION() macros lg-laptop: - Use ACPI device handle when evaluating WMAB/WMBB - Change ACPI device id - Remove LGEX0815 hotkey handling platform/mellanox: - nvsw-sn2201: Add check for platform_device_add_resources platform/x86/intel: - add missing MODULE_DESCRIPTION() macros platform/x86/siemens: - add missing MODULE_DESCRIPTION() macros wireless-hotkey: - Add support for LG Airplane Button -----BEGIN PGP SIGNATURE----- iQFIBAABCAAyFiEEuvA7XScYQRpenhd+kuxHeUQDJ9wFAmZ/6kUUHGhkZWdvZWRl QHJlZGhhdC5jb20ACgkQkuxHeUQDJ9z+ywf/dQ9UqyJqejtRHrXjYYZqQyT/xXv9 8aCMXA/U7RPxnIP8Fwkb3hQXW4TMUMYrsz3sHxhCWiyb8fXBgEbrVxDVbIjehnf3 HZRVw/JeFqHe/bIp3QmOH05FSMdBWY34hhsm4dPEYyUiUUPN78ec7bekZ7ERMoFi u3+jKUxIKlcqGqO6E0NtpLmz6Ltu07C5SHgvgpafs8FLuWTvr6dnbKMWB5k/1oCo qn8aXopWsBclaPTPI/ehtHvPnWX9bhuTz0oQjZGrGJQmaVoo81guFLe+Ag2nKPNU mhQQUvUKdDg6ojuSX7Hmtb7pBIP0noxHxuAXll0gePQXjpyJ0Pe07HlNMw== =iWe/ -----END PGP SIGNATURE----- Merge tag 'platform-drivers-x86-v6.10-4' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86 Pull x86 platform driver fixes from Hans de Goede: - Fix lg-laptop driver not working with 2024 LG laptop models - Add missing MODULE_DESCRIPTION() macros to various modules - nvsw-sn2201: Add check for platform_device_add_resources * tag 'platform-drivers-x86-v6.10-4' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86: platform/x86: add missing MODULE_DESCRIPTION() macros platform/x86/intel: add missing MODULE_DESCRIPTION() macros platform/x86/siemens: add missing MODULE_DESCRIPTION() macros platform/x86: lg-laptop: Use ACPI device handle when evaluating WMAB/WMBB platform/x86: lg-laptop: Change ACPI device id platform/x86: lg-laptop: Remove LGEX0815 hotkey handling platform/x86: wireless-hotkey: Add support for LG Airplane Button platform/mellanox: nvsw-sn2201: Add check for platform_device_add_resources |
||
|
Linus Torvalds
|
a89385800e |
MMC host:
- moxart-mmc: Revert "mmc: moxart-mmc: Use sg_miter for PIO" - sdhci: Do not invert write-protect twice - sdhci: Do not lock spinlock around mmc_gpio_get_ro() - sdhci-pci/sdhci-pci-o2micro: Return proper error codes - sdhci-brcmstb: Fix support for erase/trim/discard -----BEGIN PGP SIGNATURE----- iQJLBAABCgA1FiEEugLDXPmKSktSkQsV/iaEJXNYjCkFAmZ/0ZAXHHVsZi5oYW5z c29uQGxpbmFyby5vcmcACgkQ/iaEJXNYjClAhQ/+KqsMcO6i4Qjro14ltngYc9CL Gct4k/eV5F2Zf6e7Xyz7E6z6lY9Y7QgHMGD5uxvUPxlunnzIYkFxw6Fj3Yg0/II5 4FfzYAhdRDVysD1leehsodo+AJhEp+v2buGwfbiJf1t6gYQzBKGY5y5KJhGN7Pud v+CeEv9sTkIuRnYcSfn1CrcPZ2tb9nDbkNrcorO8wugXvKIDv2nk2EVhj7joRcUx bL2xU65c+0LgtDlAPu9+v3hxnj4UusSGUMK0mwuGz+KNBv8lCnSa94J2swY2A3wp z9pKdDp9PlGllm5c+FyefhQ+fSDI1YjqJPKrxSrZSRc02pUsQCcYFRlQykwtPd/o HzknBIFc2JzySSeEczf2I3yx6gc85G7xpjDQtD63xacDrQxcTTRYKTpouTYx122j x+R0zvE+s6DqlIgbA6laVYHh3o8lRI9xNAuThqlIsXcAT+KuZHMsUhCWq+faK1uv 2tzBQa0NErIUG0Vo8xgkoxdjgbTbaI/+lDR72Sp8g6k9JFRGVLEFOvB0M+zp1KqX dq3/6fI7IMFntdNEIZw9tUnMUBbPe7hawzOZi1SLsAyeXKY2oE2yO3yFlVCzHEG8 BaSwrgppNtbv1VeqK8X0pj16rVZ4Eh7N68pYyofaURMv72exfSSJmZM0rTSDbXux 6WBy1mZB4CPTabfbriA= =gj1M -----END PGP SIGNATURE----- Merge tag 'mmc-v6.10-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc Pull MMC fixes from Ulf Hansson: - moxart-mmc: Revert "mmc: moxart-mmc: Use sg_miter for PIO" - sdhci: Do not invert write-protect twice - sdhci: Do not lock spinlock around mmc_gpio_get_ro() - sdhci-pci/sdhci-pci-o2micro: Return proper error codes - sdhci-brcmstb: Fix support for erase/trim/discard * tag 'mmc-v6.10-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc: mmc: sdhci: Do not lock spinlock around mmc_gpio_get_ro() mmc: sdhci: Do not invert write-protect twice Revert "mmc: moxart-mmc: Use sg_miter for PIO" mmc: sdhci-brcmstb: check R1_STATUS for erase/trim/discard mmc: sdhci-pci-o2micro: Convert PCIBIOS_* return codes to errnos mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos |
||
|
Linus Torvalds
|
de0a9f4486 |
RISC-V Fixes for 6.10-rc6
* A fix for vector load/store instruction decoding, which could result in reserved vector element length encodings decoding as valid vector instructions. * Instruction patching now aggressively flushes the local instruction cache, to avoid situations where patching functions on the flush path results in torn instructions being fetched. * A fix to prevent the stack walker from showing up as part of traces. -----BEGIN PGP SIGNATURE----- iQJHBAABCAAxFiEEKzw3R0RoQ7JKlDp6LhMZ81+7GIkFAmZ+4zUTHHBhbG1lckBk YWJiZWx0LmNvbQAKCRAuExnzX7sYiTXxD/wPSWbHf24Mr4CrFYbKR7lHWjGku+jG 8LQa+B9uUgpA8XjNjeeECg7lsJq/1avbPrUlValRckUIMZPHSWK4U7aFkkPs1WFa 87D5pA4AVkt5U8v/3c5GQ8Tod0Afa7OyFggxdglC3XFvUa5TNdn3pdv0rdE4Mx5l QRijFyLlhRv/D5We+exNAVJmkdHfSXQEEyEjXeb83VK+PsZzAXvHLj3omxCyQ1kH Kt2RyN8QpkUisFNTpSvPHiuoPjUeJvRs0JIyrO1SwBGHyYs4kg6g0KBk4YjTTXG5 xbRVG2tMO9TS2jRRHJS7fdI+yF0X1z+t+WUG1F1WHvKxnqbWczJ0UczFgacaVSkw BM/yO+VPg22f6bM4H85K5GBdhN8PplFDuHDdVQ8/LDGOrQKaByrorXWq3WrbwJcq vVwbnBGW6v4we5COzyHvwnakzl4bEMHoUb2NVTzZM+fFleiEdx4Sg+F5Us8+UlZh PztwjPao8spIm81l/wXStxYzschDyonCt74/odic2LDtFBirZWzDdUInXFVzUZs7 CUxF38XJ6SNQJBVVwQv6qisoWhy6Ca9SGKwY2GwW7Ustx3C4Eh0nrOVmI/DcHRgN 9rGm13Qfm8eUSznTM+buWTTluZvtmZupGpAP2GhvaUgTMDIfK/vttidW9Kf4KsP8 hn+jllIc1WgE6Q== =0bpZ -----END PGP SIGNATURE----- Merge tag 'riscv-for-linus-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux Pull RISC-V fixes from Palmer Dabbelt: - A fix for vector load/store instruction decoding, which could result in reserved vector element length encodings decoding as valid vector instructions. - Instruction patching now aggressively flushes the local instruction cache, to avoid situations where patching functions on the flush path results in torn instructions being fetched. - A fix to prevent the stack walker from showing up as part of traces. * tag 'riscv-for-linus-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux: riscv: stacktrace: convert arch_stack_walk() to noinstr riscv: patch: Flush the icache right after patching to avoid illegal insns RISC-V: fix vector insn load/store width mask |
||
|
Linus Torvalds
|
b75f947270 |
hardening fixes for v6.10-rc6
- Remove invalid tty __counted_by annotation (Nathan Chancellor) - Add missing MODULE_DESCRIPTION()s for KUnit string tests (Jeff Johnson) - Remove non-functional per-arch kstack entropy filtering -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEpcP2jyKd1g9yPm4TiXL039xtwCYFAmZ+4Z4ACgkQiXL039xt wCYUPQ/9Ghbg4CfOIyjl5G7fAYuG+/zLDCkY+kh7XcO2kAn3213KiyRKm0GUAhXY p3N7rDH9NsXedfO2bnQ0YTDR3TU8AWIegKgEyGBsyqvdtjSe0ParwWOoGGpavJZ2 6Op39e6LL2fKGyL4N72lkhRpGPJgGQOqckTljaDl5yQfIHryMpQl0fXzMMjh1HUt TKc39kSRbQxguDdIqU1zHgs+Lu9Kph6A3q9PjVap9qzCcPZ4RjIRms4gDrghP7GK M0POyZbuXUWxaJ8VwRHbqAtEyEGjXdfBW9DgKQM1fg9XWGZbCkucu3PZbPHv+c6e eBGG6O5l6UylmXpmkqLMfIudUekfo8cAEXqcLCBYis8uIuasUWiLMhoTDjdfcvhn HHr6iu25IKR698PZzTHQ5yUiuBP38qjXfXr9DDzXrI2+SUbxjurTfbHxFBWK/FYX YSdrZR4DbeaU/HI1I+I5YghgeRfR6TQ5NGrmj61wW1QnwvEF6Gdlh+MZgUS59SP5 S+T50ggGKEYARZcZj1N6Nz39Co9syn/xlhyPKFPkgsRTXw1QE0z6e841V1jxhr49 cStKFcKAovDeG2UN4bAju49/MWUFlcpkIxn9Y0ZHiu6R6SC9zasXhKi7+xDFolmP B6PmON2ZSSoFNwMr7Fr1SC0gWg7V3TYLmpHITDWz5KL00ReEdJY= =dItV -----END PGP SIGNATURE----- Merge tag 'hardening-v6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux Pull hardening fixes from Kees Cook: - Remove invalid tty __counted_by annotation (Nathan Chancellor) - Add missing MODULE_DESCRIPTION()s for KUnit string tests (Jeff Johnson) - Remove non-functional per-arch kstack entropy filtering * tag 'hardening-v6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: tty: mxser: Remove __counted_by from mxser_board.ports[] randomize_kstack: Remove non-functional per-arch entropy filtering string: kunit: add missing MODULE_DESCRIPTION() macros |
||
|
Linus Torvalds
|
093d9603b6 |
x86: stop playing stack games in profile_pc()
The 'profile_pc()' function is used for timer-based profiling, which isn't really all that relevant any more to begin with, but it also ends up making assumptions based on the stack layout that aren't necessarily valid. Basically, the code tries to account the time spent in spinlocks to the caller rather than the spinlock, and while I support that as a concept, it's not worth the code complexity or the KASAN warnings when no serious profiling is done using timers anyway these days. And the code really does depend on stack layout that is only true in the simplest of cases. We've lost the comment at some point (I think when the 32-bit and 64-bit code was unified), but it used to say: Assume the lock function has either no stack frame or a copy of eflags from PUSHF. which explains why it just blindly loads a word or two straight off the stack pointer and then takes a minimal look at the values to just check if they might be eflags or the return pc: Eflags always has bits 22 and up cleared unlike kernel addresses but that basic stack layout assumption assumes that there isn't any lock debugging etc going on that would complicate the code and cause a stack frame. It causes KASAN unhappiness reported for years by syzkaller [1] and others [2]. With no real practical reason for this any more, just remove the code. Just for historical interest, here's some background commits relating to this code from 2006: |
||
Wolfram Sang
|
c116deafd1 |
i2c: testunit: discard write requests while old command is running
When clearing registers on new write requests was added, the protection
for currently running commands was missed leading to concurrent access
to the testunit registers. Check the flag beforehand.
Fixes:
|
||
|
Wolfram Sang
|
c422b6a630 |
i2c: testunit: don't erase registers after STOP
STOP fallsthrough to WRITE_REQUESTED but this became problematic when
clearing the testunit registers was added to the latter. Actually, there
is no reason to clear the testunit state after STOP. Doing it when a new
WRITE_REQUESTED arrives is enough. So, no need to fallthrough, at all.
Fixes:
|
||
|
Wolfram Sang
|
4e9a1a47c5 |
Fixed a build error following the major refactoring involving the
VIA-I2C modules. Originally, the code was split to group together parts that would be used by different drivers. This caused build issues when two modules linked to the same code. -----BEGIN PGP SIGNATURE----- iIwEABYIADQWIQScDfrjQa34uOld1VLaeAVmJtMtbgUCZn6IhhYcYW5kaS5zaHl0 aUBrZXJuZWwub3JnAAoJENp4BWYm0y1uOekA/2RfIlWh367KrZVl17iOYDZt4PC5 UN8upYT2063exlc5AP953/DQkr0xGBGYYZH7q1xBmkTkYV3G0QSTKKcTwNo6DQ== =tKNc -----END PGP SIGNATURE----- Merge tag 'i2c-host-fixes-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/andi.shyti/linux into i2c/for-current Fixed a build error following the major refactoring involving the VIA-I2C modules. Originally, the code was split to group together parts that would be used by different drivers. This caused build issues when two modules linked to the same code. |
||
|
Linus Torvalds
|
6c0483dbfe |
nfsd-6.10 fixes:
- Due to a late review, revert and re-fix a recent crasher fix -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEKLLlsBKG3yQ88j7+M2qzM29mf5cFAmZ+zksACgkQM2qzM29m f5ey0Q/+O8Z//rVg8L8V1EI44gZ1LRTiJEeDFoJU1Hktn0dOwTvGQJNzNbfpTBbT zTvvDBd9+cbHQ7Jl2r73+wkqgZbGXsRhMRUCmlA5ur0O7ujkYDo3rpOgQhP4V3LV 1G6o2uOJT9d9UykUF74Demlg97kNrc8CY1QNujXjKrj8jYpQY4KcRCDb91KdYgc9 GSque9zMD2jTJkTkSVRUyfWGEDvYtDxs7/4rdErjixaY30dgkPHae6euRzoQd2sC v3aoKHSt5Y/pvOX+3/c2QzDqOiKPOnm3dLazB+rK6lYrnt4iUeP3CiPcFmqNJZk2 kZ3hpCPN8Le3oQFlMe450EljB8wLj2DqLix+Y/iOGyA732GLxNW6Hu8PkwRVFFwx cGGp6KryrcwO/BNHgxceErfhBG4IPKSgnY6C8Io+mPYKwSRAOKA4su02RoJDWJkA PTf67JgZiKv+bn3EGojeTo9YAvb04EYstttK2yBFUR9xylyew9vaZ9X8mYkqfyHN pZEWf/SI8SExZteo3Ymx9HLcX5FYsBjgvigpow33kUCn2hMhuhfBXEtmLNsxOSYC aEICcAYqnBovFJ+3vbz11IDS04ERIFdprlLQuExtJ21pujIlIM9pOxrIGvgu5pPl ++rsDP31Kh6imuZbSaJ5TFTdtDqcpah587m+mQtlaXAjOQL1qfw= =gwat -----END PGP SIGNATURE----- Merge tag 'nfsd-6.10-3' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux Pull nfsd fixes from Chuck Lever: - Due to a late review, revert and re-fix a recent crasher fix * tag 'nfsd-6.10-3' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux: Revert "nfsd: fix oops when reading pool_stats before server is started" nfsd: initialise nfsd_info.mutex early. |
||
|
Linus Torvalds
|
cd63a278ac |
bcachefs fixes for 6.10-rc6
simple stuff: - null ptr/err ptr deref fixes - fix for getting wedged on shutdown after journal error - fix missing recalc_capacity() call, capacity now changes correctly after a device goes read only however: our capacity calculation still doesn't take into account when we have mixed ro/rw devices and the ro devices have data on them, that's going to be a more involved fix to separate accounting for "capacity used on ro devices" and "capacity used on rw devices" - boring syzbot stuff slightly more involved: - discard, invalidate workers are now per device this has the effect of simplifying how we take device refs in these paths, and the device ref cleanup fixes a longstanding race between the device removal path and the discard path - fixes for how the debugfs code takes refs on btree_trans objects we have debugfs code that prints in use btree_trans objects. It uses closure_get() on trans->ref, which is mainly for the cycle detector, but the debugfs code was using it on a closure that may have hit 0, which is not allowed; for performance reasons we cannot avoid having not-in-use transactions on the global list. introduce some new primitives to fix this and make the synchronization here a whole lot saner -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEKnAFLkS8Qha+jvQrE6szbY3KbnYFAmZ+ye4ACgkQE6szbY3K bnb4shAAqkKdgB2abIaD1t8+KjUiXwt7seRY4EmzwrEaWniW5bDUYMBvV+tew93j uvGmSKMs4ML/r24hcg0zGPJ9GoWrFb3MWhPYizzRS8QspsUjsECJuehNPCe3RPaf QBgQtKahTge1e41y1frzkiGKqaOGOTtUVLOfPIebe+oJAhRCYRnrGY2dkZTms7Ue aXNtBmnlX3Fkmlm0GiKYrTHpAZz3d0kzdX11Pc2vTXvqo/znuJTTVGnjJkdrHzyv 6cz6YnMKFdxLVbYO1KlB/3Hu9y9qt815g1rjvaqym8pDk9ltsGHNM3LcCCCyp7Of btnbLQ6TdfggK5Kf2hNYuJRY2pnjNyfcNxupQF3RNaw/D/4G5EU16zfFElORC6Mw eGwXLvDIGqOSSIvevoRZrgJKAvVptXNg9EtCI5Z5ujQ4ExW8ti1lPHp/r5SVOhyz x0Am14H2ERuz7Vt5jUas3k74+tAck6JWc5OemMQawA5waeH1inMT7QZuBt+Bmrhx Av0zbhaq4aTsHXmm+Xi6ofj3UBaOQ2rNzT7Au0kxdvJgDPe/USjw4tejV5DmjmHA SyRsTG7Zn5xJBi7jc47fcwUgUzlxlffVQGFCVjRUU1vF6u/Ldn7K0zfYbkwSCiKp iWSEyg3j5z5N69Vrgdadma4xTDjL/C5+XsMWh8G8ohf+crhUeSo= =svIi -----END PGP SIGNATURE----- Merge tag 'bcachefs-2024-06-28' of https://evilpiepirate.org/git/bcachefs Pull bcachefs fixes from Kent Overstreet: "Simple stuff: - NULL ptr/err ptr deref fixes - fix for getting wedged on shutdown after journal error - fix missing recalc_capacity() call, capacity now changes correctly after a device goes read only however: our capacity calculation still doesn't take into account when we have mixed ro/rw devices and the ro devices have data on them, that's going to be a more involved fix to separate accounting for "capacity used on ro devices" and "capacity used on rw devices" - boring syzbot stuff Slightly more involved: - discard, invalidate workers are now per device this has the effect of simplifying how we take device refs in these paths, and the device ref cleanup fixes a longstanding race between the device removal path and the discard path - fixes for how the debugfs code takes refs on btree_trans objects we have debugfs code that prints in use btree_trans objects. It uses closure_get() on trans->ref, which is mainly for the cycle detector, but the debugfs code was using it on a closure that may have hit 0, which is not allowed; for performance reasons we cannot avoid having not-in-use transactions on the global list. Introduce some new primitives to fix this and make the synchronization here a whole lot saner" * tag 'bcachefs-2024-06-28' of https://evilpiepirate.org/git/bcachefs: bcachefs: Fix kmalloc bug in __snapshot_t_mut bcachefs: Discard, invalidate workers are now per device bcachefs: Fix shift-out-of-bounds in bch2_blacklist_entries_gc bcachefs: slab-use-after-free Read in bch2_sb_errors_from_cpu bcachefs: Add missing bch2_journal_do_writes() call bcachefs: Fix null ptr deref in journal_pins_to_text() bcachefs: Add missing recalc_capacity() call bcachefs: Fix btree_trans list ordering bcachefs: Fix race between trans_put() and btree_transactions_read() closures: closure_get_not_zero(), closure_return_sync() bcachefs: Make btree_deadlock_to_text() clearer bcachefs: fix seqmutex_relock() bcachefs: Fix freeing of error pointers |
||
|
Linus Torvalds
|
cd17613f46 |
block-6.10-20240628
-----BEGIN PGP SIGNATURE----- iQJEBAABCAAuFiEEwPw5LcreJtl1+l5K99NY+ylx4KYFAmZ+0ScQHGF4Ym9lQGtl cm5lbC5kawAKCRD301j7KXHgpqIAEADTcv8PohwiigfCGSGd9ExHgpGzZfLK3KO4 9Mx+AuDEjCrSqIjzPJZcRgZDEeAN6V+aJ9Vz6DVJfljl9UIGz9BliYvb07aqhHsG 4Bo1N2QQOLxoa+VqfRViPz8UB/Ofpd2oTWnHPPGxfT9l7gA/vLq7HoQQhkY+HCoC 3A7DaNwHCR7PH0NQJBDo50ljAAhl2ALG6ubZ7BltcyZng9TK9K4oH7DXLn5SKSG4 orsiiqL5X74y9Wl+vLDFjtyE49XVziRKIvCwTlsF8w1EAGXL0r38mRI6LRwU18Qu cS8963qDhm2KQ/XJD4sabHjBm3kXlQD4ZXKO/sY/omVk4NdRlXb1AGe/mlROIF67 FrQpLejszTgx4jOskZL4SiNLuC5XbB31AnoVlcVo7s26YmZ6xfSRIfH5whEP51aW bwKZ16/9YvSiUUeUjAIjf0AAzeQNZOtb67jKsGhyPkmVFn64wDhApSyHbcS07NAo lsswZCbOia7mS0dKu/pznFmpY9qXvTx2amDxBOGWGL7U+7iDlTu9nW9QJevLbOKm q1v6ZFQi61UYyh3+500TPB7OdK+gSiLUUIqWL5R24TdcVF+HXgJzSzEValFtl2jR lgwrJCbwOQ7bGyyPF0h78zTkci3870tj/Q25srOL3wv2ubUrvA+k/Iokuul0BFKP pO6gQbNZgw== =y1pk -----END PGP SIGNATURE----- Merge tag 'block-6.10-20240628' of git://git.kernel.dk/linux Pull block fixes from Jens Axboe: "NVMe fixes via Keith: - Fabrics fixes (Hannes) - Missing module description (Jeff) - Clang warning fix (Nathan)" * tag 'block-6.10-20240628' of git://git.kernel.dk/linux: nvmet-fc: Remove __counted_by from nvmet_fc_tgt_queue.fod[] nvmet: make 'tsas' attribute idempotent for RDMA nvme: fixup comment for nvme RDMA Provider Type nvme-apple: add missing MODULE_DESCRIPTION() nvmet: do not return 'reserved' for empty TSAS values nvme: fix NVME_NS_DEAC may incorrectly identifying the disk as EXT_LBA. |
||
|
Linus Torvalds
|
a2316dda07 |
IOMMU Fixes for Linux v6.10-rc5
Including: - Two cache flushing fixes for Intel and AMD drivers - AMD guest translation enabling fix - Update IOMMU tree location in MAINTAINERS file -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEr9jSbILcajRFYWYyK/BELZcBGuMFAmZ+rksACgkQK/BELZcB GuNDBg/+P3yCBVceEUsKpe584bUQpTs2X3M58X9ZKUEosEyjyLd24WnpW1yzdJqz 6kbxDNCIVsde2eSVtw7fNkW7wBdj4nZ4KB8y9jfrGjpDiQczNp2zG3+z53uFfWR+ rt2WnTD/Q+a59AgLBz2v8/tdczttNAgwQZu+H/rdQg4/Q55mtJoeCwU5DT5a5Ab4 VfQSnOPHRm21GIewP9cbZoeTdOjRhE08/eszFpMQxApi20/MC67SYoUJBdUCjjLl kIqogI9CvB6vjiPuziWpnoFoRj0YDZKwzXKlJvZthHbFdSglEpCprNs2JlnW6kA7 P9PIJrMCOAILNX9Cgmw2GVklTdLPUpRQw4chSdkZo8PVxECLozLQyBwmkI6Ic1AL BkTPfRWbYkcja0n+y24xogeETTwnl/g6RWiori3B3aMyRzOfvfnGg9jqbtBG0s54 fRNGyr+dg8Iu27uvwkx4tk6LfO5mIp8YTrpXeRsbEOoD0NwwgBhxAMg9y/nivBh2 y7o3uDYC/N9xsYJb+WHDa1sqF8fC9IB8b87VG3KxgWHd63g4WzEvMN/mRcmltRjL XkyNDYXOZE1oY+/Dh+H/TNUR9C7ErrIg17c7wRTRN8bxNENTjkFN5wUgxdZAcLIA c6SNvwMMwMO79ymvuI1USRYeOAWd8McS82AwOHU8qVdupol0xQo= =iidU -----END PGP SIGNATURE----- Merge tag 'iommu-fixes-v6.10-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/iommu/linux Pull iommu fixes from Joerg Roedel: - Two cache flushing fixes for Intel and AMD drivers - AMD guest translation enabling fix - Update IOMMU tree location in MAINTAINERS file * tag 'iommu-fixes-v6.10-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/iommu/linux: MAINTAINERS: Update IOMMU tree location iommu/amd: Fix GT feature enablement again iommu/vt-d: Fix missed device TLB cache tag iommu/amd: Invalidate cache before removing device from domain list |
||
|
Linus Torvalds
|
1cf0668466 |
gpio fixes for v6.10-rc6
- fix a race condition in i2c transfers by adding a missing i2c lock
section in gpio-pca953x
- validate the number of obtained interrupts in gpio-davinci
- add missing raw_spinlock_init() in gpio-graniterapids
- fix bad character device behavior: disallow GPIO line reconfiguration
without set direction both in v1 and v2 uAPI
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEFp3rbAvDxGAT0sefEacuoBRx13IFAmZ+hfEACgkQEacuoBRx
13Kl9Q//TM5RjkPzeWeVCau5zvQSpEc7CvIbrfszjl/5o/RE6+j7tD/WAFCt3EUo
qQQuPggNCzFPCcIiHh57GakhQi2v2VFzhIFrzy78eYpYOBaQ2w5C/ceodpx1xFbb
w3ig005hJI2uM0CsdFNoC9FFMa8XgS3c3TbfYFtMk7smNgx1LFRD3s5x8GGC1lLX
8P2ipLeLEE4CFJsJQ/dSeK9ssM9/+owmrF4bCcFtjZZ+iZPjDZCIKl6LB3H5sK5c
x48PllI/EglXdTOFGZ2BqQ+svFUoNAuDna0+KQMns3CiHbQ8t0KZc6oItSOyDTX8
h1uw1GbxXShxQldrsjASs1Y9erVIoVXbC3XW/rkSD2/WYU/1V3AtsqNNuhWgY1bL
b+WUYyoK03uS9ocpHkm64g3nhStI24POhUsDiWhD1ZYBjqRyrbOZuEbt+Efmi7dL
yF8qz86/QubsuvRbUDbUcvYtFsSwqNAYmV8tNgtubDara7dy4UCN3Z0kp8khANeF
q5cgJMujePGkVKMOwH3mJPWV6y4MoFiayf/BrfZgP2BxU+1Wd8f4Evuq1RCLmbV3
aq3uwUhwXbHmL0/PCeQ1pJ6uYUvz2saC5bFJKslTqgh5VgvqrXMIUertASBXZFEW
cIXjdyIG4rCGRZTdENmXsitQvlKI3dSTI5+FGSqL4QEMXmlfOuY=
=+2t8
-----END PGP SIGNATURE-----
Merge tag 'gpio-fixes-for-v6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux
Pull gpio fixes from Bartosz Golaszewski:
"An assortment of driver fixes and two commits addressing a bad
behavior of the GPIO uAPI when reconfiguring requested lines.
- fix a race condition in i2c transfers by adding a missing i2c lock
section in gpio-pca953x
- validate the number of obtained interrupts in gpio-davinci
- add missing raw_spinlock_init() in gpio-graniterapids
- fix bad character device behavior: disallow GPIO line
reconfiguration without set direction both in v1 and v2 uAPI"
* tag 'gpio-fixes-for-v6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux:
gpiolib: cdev: Ignore reconfiguration without direction
gpiolib: cdev: Disallow reconfiguration without direction (uAPI v1)
gpio: graniterapids: Add missing raw_spinlock_init()
gpio: davinci: Validate the obtained number of IRQs
gpio: pca953x: fix pca953x_irq_bus_sync_unlock race
|
||
|
Linus Torvalds
|
9038455948 |
arm64 fixes for -rc6
- Fix spurious page-table warning when clearing PTE_UFFD_WP in a live
pte
- Fix clearing of the idmap pgd when using large addressing modes
-----BEGIN PGP SIGNATURE-----
iQFEBAABCgAuFiEEPxTL6PPUbjXGY88ct6xw3ITBYzQFAmZ9gJgQHHdpbGxAa2Vy
bmVsLm9yZwAKCRC3rHDchMFjNKEdB/9wDzyoyo+tMp2csPFk66ufbytbsSV2LWys
kvUZdTYLAV4YlI6jTxXJ/3I3rXggc5SsXE/WosDQ1zfb1KsE/3sWaexIURHxeT73
PUUqREUfvA7Ormv65A4zlKbVzfsPlM8VWT7mmSj3k6rV5TvNBkjm53x5t4QEPHxO
VwHRd/JRm+8+JvhXUhPiECFWCalBvJKXxOsCK9Plj1uIOY+eFw3nYp59H2hE30be
VDmdgBQ6u1mZvqgSv8P6jDV9r69qBxRbig5fo9C89E8ptS9u3piHvcBEtg6FAztA
SYyrfxBbYvejM5cN4aEWc035kWW0o1K1MimQgZYpyYlqKNHywTw0
=JzVF
-----END PGP SIGNATURE-----
Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux
Pull arm64 fixes from Will Deacon:
"A pair of small arm64 fixes for -rc6.
One is a fix for the recently merged uffd-wp support (which was
triggering a spurious warning) and the other is a fix to the clearing
of the initial idmap pgd in some configurations
Summary:
- Fix spurious page-table warning when clearing PTE_UFFD_WP in a live
pte
- Fix clearing of the idmap pgd when using large addressing modes"
* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
arm64: Clear the initial ID map correctly before remapping
arm64: mm: Permit PTE SW bits to change in live mappings
|
||
|
Linus Torvalds
|
234458d049 |
Fix three recent minor turbostat regressions.
-----BEGIN PGP SIGNATURE----- iQJIBAABCgAyFiEE67dNfPFP+XUaA73mB9BFOha3NhcFAmZ+PUEUHGxlbi5icm93 bkBpbnRlbC5jb20ACgkQB9BFOha3Nhcq4hAAiGPxoZMkTZLVbipLJFo8AZRvG0Wh BGhWJ76L4gfKtYIFnR1nBItPIvrD//5gXvRE48wI2dsylHjDyCPqktEpYivv5ESA SA7oqb47FroXXO4b5u0A5lG+Nzbt3SJK28z0t6GWy9NjQz6HHGT09UAP6X35/ZJH mc2lwLmDH60f2zdaKIJfAYfhUWdOk8VyctnZVeu8LFYnZf6lP9hD54gqhtd1eYB0 1upAWeH4h8oYcr153zuRECAuz2kZMjjgy+mskHBMRLGcGTojtKwROBeVtXiSJo+N 81ds2QsCAG5YtH3Er3eoLCyWTI+pNeraKuZbnVKfgnR943vh+J89CpCA56hSACGT 9DBA6sjngYE6HKB+NxeAxrBHDC3kE0orsfArpaPsWyWeSYj9lxqjP1raH96w5uwS +t0KOgKlfOOxrUyUpfXqor4Z/J7JvpRF2ymvzsDWnhQVTnGIsBhmpyyW+FVn/QYm K38HkMK9eippA0t0wShsg2qF79vVMNhlPMwYhuA9kamTKh0jkOmtn8g9LNP3LBup qLjq5GT+r2dAO1FPZhk88I0OjhHTjAQkzbCeKM+C0++TVi+HQ9Npcv8hkfebb8rw ZP6owRfAho6cniYxJNQSsghUcus51zUs4jVQaKwetQxp3awgMUsuOHu5eUy8V7GL eqjfchtqgWHzxK0= =if6M -----END PGP SIGNATURE----- Merge tag 'v6.10-rc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux Pull turbostat fixes from Len Brown: "Fix three recent minor turbostat regressions" * tag 'v6.10-rc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux: tools/power turbostat: Add local build_bug.h header for snapshot target tools/power turbostat: Fix unc freq columns not showing with '-q' or '-l' tools/power turbostat: option '-n' is ambiguous |
||
Nathan Chancellor
|
1c07c9be87 |
tty: mxser: Remove __counted_by from mxser_board.ports[]
Work for __counted_by on generic pointers in structures (not just
flexible array members) has started landing in Clang 19 (current tip of
tree). During the development of this feature, a restriction was added
to __counted_by to prevent the flexible array member's element type from
including a flexible array member itself such as:
struct foo {
int count;
char buf[];
};
struct bar {
int count;
struct foo data[] __counted_by(count);
};
because the size of data cannot be calculated with the standard array
size formula:
sizeof(struct foo) * count
This restriction was downgraded to a warning but due to CONFIG_WERROR,
it can still break the build. The application of __counted_by on the
ports member of 'struct mxser_board' triggers this restriction,
resulting in:
drivers/tty/mxser.c:291:2: error: 'counted_by' should not be applied to an array with element of unknown size because 'struct mxser_port' is a struct type with a flexible array member. This will be an error in a future compiler version [-Werror,-Wbounds-safety-counted-by-elt-type-unknown-size]
291 | struct mxser_port ports[] __counted_by(nports);
| ^~~~~~~~~~~~~~~~~~~~~~~~~
1 error generated.
Remove this use of __counted_by to fix the warning/error. However,
rather than remove it altogether, leave it commented, as it may be
possible to support this in future compiler releases.
Cc: <stable@vger.kernel.org>
Closes: https://github.com/ClangBuiltLinux/linux/issues/2026
Fixes:
|
||
Kees Cook
|
6db1208bf9 |
randomize_kstack: Remove non-functional per-arch entropy filtering
An unintended consequence of commit |