This project is mirrored from https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10.git.
Pull mirroring updated .
- Mar 24, 2025
-
-
Julio Faracco authored
Signed-off-by:Julio Faracco <jfaracco@redhat.com>
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/607 Description: Update drivers/platform/x86/pmc JIRA: https://issues.redhat.com/browse/RHEL-79463 Build Info: 67045302 Tested: Successful platform test results on Intel (intel-arrowlake-s-02) system. Signed-off-by:
Steve Best <sbest@redhat.com> Approved-by:
Tony Camuso <tcamuso@redhat.com> Approved-by:
David Arcari <darcari@redhat.com> Approved-by:
CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/573 JIRA: https://issues.redhat.com/browse/RHEL-81545 Upstream Status: linux.git CVE: CVE-2025-21791 Signed-off-by:
Guillaume Nault <gnault@redhat.com> Approved-by:
Antoine Tenart <atenart@redhat.com> Approved-by:
Florian Westphal <fwestpha@redhat.com> Approved-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/603 Description: Updates for Pseries vas_vm_ops struct JIRA: https://issues.redhat.com/browse/RHEL-83836 Build Info: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=67038649 Tested: Verified Brew build test kernel RPMs Signed-off-by:
Mamatha Inamdar <minamdar@redhat.com> commit 05aa156e156ef3168e7ab8a68721945196495c17 Author: Haren Myneni <haren@linux.ibm.com> Date: Fri Dec 13 21:17:58 2024 -0800 powerpc/pseries/vas: Add close() callback in vas_vm_ops struct The mapping VMA address is saved in VAS window struct when the paste address is mapped. This VMA address is used during migration to unmap the paste address if the window is active. The paste address mapping will be removed when the window is closed or with the munmap(). But the VMA address in the VAS window is not updated with munmap() which is causing invalid access during migration. The KASAN report shows: [16386.254991] BUG: KASAN: slab-use-after-free in reconfig_close_windows+0x1a0/0x4e8 [16386.255043] Read of size 8 at addr c00000014a819670 by task drmgr/696928 [16386.255096] CPU: 29 UID: 0 PID: 696928 Comm: drmgr Kdump: loaded Tainted: G B 6.11.0-rc5-nxgzip #2 [16386.255128] Tainted: [B]=BAD_PAGE [16386.255148] Hardware name: IBM,9080-HEX Power11 (architected) 0x820200 0xf000007 of:IBM,FW1110.00 (NH1110_016) hv:phyp pSeries [16386.255181] Call Trace: [16386.255202] [c00000016b297660] [c0000000018ad0ac] dump_stack_lvl+0x84/0xe8 (unreliable) [16386.255246] [c00000016b297690] [c0000000006e8a90] print_report+0x19c/0x764 [16386.255285] [c00000016b297760] [c0000000006e9490] kasan_report+0x128/0x1f8 [16386.255309] [c00000016b297880] [c0000000006eb5c8] __asan_load8+0xac/0xe0 [16386.255326] [c00000016b2978a0] [c00000000013f898] reconfig_close_windows+0x1a0/0x4e8 [16386.255343] [c00000016b297990] [c000000000140e58] vas_migration_handler+0x3a4/0x3fc [16386.255368] [c00000016b297a90] [c000000000128848] pseries_migrate_partition+0x4c/0x4c4 ... [16386.256136] Allocated by task 696554 on cpu 31 at 16377.277618s: [16386.256149] kasan_save_stack+0x34/0x68 [16386.256163] kasan_save_track+0x34/0x80 [16386.256175] kasan_save_alloc_info+0x58/0x74 [16386.256196] __kasan_slab_alloc+0xb8/0xdc [16386.256209] kmem_cache_alloc_noprof+0x200/0x3d0 [16386.256225] vm_area_alloc+0x44/0x150 [16386.256245] mmap_region+0x214/0x10c4 [16386.256265] do_mmap+0x5fc/0x750 [16386.256277] vm_mmap_pgoff+0x14c/0x24c [16386.256292] ksys_mmap_pgoff+0x20c/0x348 [16386.256303] sys_mmap+0xd0/0x160 ... [16386.256350] Freed by task 0 on cpu 31 at 16386.204848s: [16386.256363] kasan_save_stack+0x34/0x68 [16386.256374] kasan_save_track+0x34/0x80 [16386.256384] kasan_save_free_info+0x64/0x10c [16386.256396] __kasan_slab_free+0x120/0x204 [16386.256415] kmem_cache_free+0x128/0x450 [16386.256428] vm_area_free_rcu_cb+0xa8/0xd8 [16386.256441] rcu_do_batch+0x2c8/0xcf0 [16386.256458] rcu_core+0x378/0x3c4 [16386.256473] handle_softirqs+0x20c/0x60c [16386.256495] do_softirq_own_stack+0x6c/0x88 [16386.256509] do_softirq_own_stack+0x58/0x88 [16386.256521] __irq_exit_rcu+0x1a4/0x20c [16386.256533] irq_exit+0x20/0x38 [16386.256544] interrupt_async_exit_prepare.constprop.0+0x18/0x2c ... [16386.256717] Last potentially related work creation: [16386.256729] kasan_save_stack+0x34/0x68 [16386.256741] __kasan_record_aux_stack+0xcc/0x12c [16386.256753] __call_rcu_common.constprop.0+0x94/0xd04 [16386.256766] vm_area_free+0x28/0x3c [16386.256778] remove_vma+0xf4/0x114 [16386.256797] do_vmi_align_munmap.constprop.0+0x684/0x870 [16386.256811] __vm_munmap+0xe0/0x1f8 [16386.256821] sys_munmap+0x54/0x6c [16386.256830] system_call_exception+0x1a0/0x4a0 [16386.256841] system_call_vectored_common+0x15c/0x2ec [16386.256868] The buggy address belongs to the object at c00000014a819670 which belongs to the cache vm_area_struct of size 168 [16386.256887] The buggy address is located 0 bytes inside of freed 168-byte region [c00000014a819670, c00000014a819718) [16386.256915] The buggy address belongs to the physical page: [16386.256928] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14a81 [16386.256950] memcg:c0000000ba430001 [16386.256961] anon flags: 0x43ffff800000000(node=4|zone=0|lastcpupid=0x7ffff) [16386.256975] page_type: 0xfdffffff(slab) [16386.256990] raw: 043ffff800000000 c00000000501c080 0000000000000000 5deadbee00000001 [16386.257003] raw: 0000000000000000 00000000011a011a 00000001fdffffff c0000000ba430001 [16386.257018] page dumped because: kasan: bad access detected This patch adds close() callback in vas_vm_ops vm_operations_struct which will be executed during munmap() before freeing VMA. The VMA address in the VAS window is set to NULL after holding the window mmap_mutex. Fixes: 37e67648 ("powerpc/pseries/vas: Add VAS migration handler") Signed-off-by:
Haren Myneni <haren@linux.ibm.com> Signed-off-by:
Madhavan Srinivasan <maddy@linux.ibm.com> Link: https://patch.msgid.link/20241214051758.997759-1-haren@linux.ibm.com Signed-off-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/600 JIRA: https://issues.redhat.com/browse/RHEL-83951 Upstream Status: All commits are found in Linus's Git tree Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=67027203 Signed-off-by:
Nigel Croxon <ncroxon@redhat.com> Approved-by:
Vladis Dronov <vdronov@redhat.com> Approved-by:
Xiao Ni <xni@redhat.com> Approved-by:
Heinz Mauelshagen <heinzm@redhat.com> Approved-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/471 JIRA: https://issues.redhat.com/browse/RHEL-81492 CVE: CVE-2024-58005 ``` commit a3a860bc0fd6c07332e4911cf9a238d20de90173 Author: Jarkko Sakkinen <jarkko@kernel.org> Date: Fri Dec 27 17:39:09 2024 +0200 tpm: Change to kvalloc() in eventlog/acpi.c The following failure was reported on HPE ProLiant D320: [ 10.693310][ T1] tpm_tis STM0925:00: 2.0 TPM (device-id 0x3, rev-id 0) [ 10.848132][ T1] ------------[ cut here ]------------ [ 10.853559][ T1] WARNING: CPU: 59 PID: 1 at mm/page_alloc.c:4727 __alloc_pages_noprof+0x2ca/0x330 [ 10.862827][ T1] Modules linked in: [ 10.866671][ T1] CPU: 59 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-lp155.2.g52785e2-default #1 openSUSE Tumbleweed (unreleased) 588cd98293a7c9eba9013378d807364c088c9375 [ 10.882741][ T1] Hardware name: HPE ProLiant DL320 Gen12/ProLiant DL320 Gen12, BIOS 1.20 10/28/2024 [ 10.892170][ T1] RIP: 0010:__alloc_pages_noprof+0x2ca/0x330 [ 10.898103][ T1] Code: 24 08 e9 4a fe ff ff e8 34 36 fa ff e9 88 fe ff ff 83 fe 0a 0f 86 b3 fd ff ff 80 3d 01 e7 ce 01 00 75 09 c6 05 f8 e6 ce 01 01 <0f> 0b 45 31 ff e9 e5 fe ff ff f7 c2 00 00 08 00 75 42 89 d9 80 e1 [ 10.917750][ T1] RSP: 0000:ffffb7cf40077980 EFLAGS: 00010246 [ 10.923777][ T1] RAX: 0000000000000000 RBX: 0000000000040cc0 RCX: 0000000000000000 [ 10.931727][ T1] RDX: 0000000000000000 RSI: 000000000000000c RDI: 0000000000040cc0 The above transcript shows that ACPI pointed a 16 MiB buffer for the log events because RSI maps to the 'order' parameter of __alloc_pages_noprof(). Address the bug by moving from devm_kmalloc() to devm_add_action() and kvmalloc() and devm_add_action(). Suggested-by:
Ard Biesheuvel <ardb@kernel.org> Cc: stable@vger.kernel.org # v2.6.16+ Fixes: 55a82ab3 ("[PATCH] tpm: add bios measurement log") Reported-by:
Andy Liang <andy.liang@hpe.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219495 Reviewed-by:
Stefan Berger <stefanb@linux.ibm.com> Reviewed-by:
Takashi Iwai <tiwai@suse.de> Tested-by:
Jarkko Sakkinen <jarkko@kernel.org>```> Signed-off-by:
CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com> --- <small>Created 2025-02-27 22:44 UTC by backporter - [KWF FAQ](https://red.ht/kernel_workflow_doc) - [Slack #team-kernel-workflow](https://redhat-internal.slack.com/archives/C04LRUPMJQ5) - [Source](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/webhook/utils/backporter.py) - [Documentation](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/docs/README.backporter.md) - [Report an issue](https://gitlab.com/cki-project/kernel-workflow/-/issues/new?issue%5Btitle%5D=backporter%20webhook%20issue)</small > Approved-by:
Štěpán Horáček <shoracek@redhat.com> Approved-by:
Jerry Snitselaar <jsnitsel@redhat.com> Approved-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/551 JIRA: https://issues.redhat.com/browse/RHEL-77874 Patches: `a1afb959add1f ("dpll: add clock quality level attribute and op") ` Signed-off-by:
Petr Oros <poros@redhat.com> Approved-by:
Ivan Vecera <ivecera@redhat.com> Approved-by:
Michal Schmidt <mschmidt@redhat.com> Approved-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/614 JIRA: https://issues.redhat.com/browse/RHEL-47425 Build Info: 67070758 Tested: Successful platform test results on Intel (intel-pantherlake-h-02) system. commit bd492b58371295d3ae26162b9666be584abad68a Author: Jarkko Nikula <jarkko.nikula@linux.intel.com> Date: Mon Sep 23 16:27:19 2024 +0300 i2c: i801: Add support for Intel Panther Lake Add SMBus PCI IDs on Intel Panther Lake-P and -U. Signed-off-by:
Jarkko Nikula <jarkko.nikula@linux.intel.com> Signed-off-by:
Andi Shyti <andi.shyti@kernel.org> Signed-off-by:
-
- Mar 21, 2025
-
-
Julio Faracco authored
Signed-off-by: -
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/446 JIRA: https://issues.redhat.com/browse/RHEL-81378 CVE: CVE-2024-57988 ``` commit b88655bc6593c6a7fdc1248b212d17e581c4334e Author: Charles Han <hanchunchao@inspur.com> Date: Fri Dec 27 17:20:46 2024 +0800 Bluetooth: btbcm: Fix NULL deref in btbcm_get_board_name() devm_kstrdup() can return a NULL pointer on failure,but this returned value in btbcm_get_board_name() is not checked. Add NULL check in btbcm_get_board_name(), to handle kernel NULL pointer dereference error. Fixes: f9183eaa ("Bluetooth: btbcm: Use devm_kstrdup()") Signed-off-by:
Charles Han <hanchunchao@inspur.com> Signed-off-by:
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>```> Signed-off-by:
Bastien Nocera <bnocera@redhat.com> Approved-by:
José Ignacio Tornos Martínez <jtornosm@redhat.com> Approved-by:
-
Julio Faracco authored
Merge: CVE-2024-58013: Bluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/476 JIRA: https://issues.redhat.com/browse/RHEL-81510 CVE: CVE-2024-58013 ``` commit 26fbd3494a7dd26269cb0817c289267dbcfdec06 Author: Mazin Al Haddad <mazin@getstate.dev> Date: Tue Dec 24 05:06:16 2024 +0300 Bluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync This fixes the following crash: ================================================================== BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543 Read of size 8 at addr ffff88814128f898 by task kworker/u9:4/5961 CPU: 1 UID: 0 PID: 5961 Comm: kworker/u9:4 Not tainted 6.12.0-syzkaller-10684-gf1cd565ce577 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: hci0 hci_cmd_sync_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543 hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Allocated by task 16026: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314 kmalloc_noprof include/linux/slab.h:901 [inline] kzalloc_noprof include/linux/slab.h:1037 [inline] mgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269 mgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296 remove_adv_monitor+0x102/0x1b0 net/bluetooth/mgmt.c:5568 hci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712 hci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:726 sock_write_iter+0x2d7/0x3f0 net/socket.c:1147 new_sync_write fs/read_write.c:586 [inline] vfs_write+0xaeb/0xd30 fs/read_write.c:679 ksys_write+0x18f/0x2b0 fs/read_write.c:731 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 16022: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2338 [inline] slab_free mm/slub.c:4598 [inline] kfree+0x196/0x420 mm/slub.c:4746 mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259 __mgmt_power_off+0x183/0x430 net/bluetooth/mgmt.c:9550 hci_dev_close_sync+0x6c4/0x11c0 net/bluetooth/hci_sync.c:5208 hci_dev_do_close net/bluetooth/hci_core.c:483 [inline] hci_dev_close+0x112/0x210 net/bluetooth/hci_core.c:508 sock_do_ioctl+0x158/0x460 net/socket.c:1209 sock_ioctl+0x626/0x8e0 net/socket.c:1328 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Reported-by:
<syzbot+479aff51bb361ef5aa18@syzkaller.appspotmail.com> Closes: https://syzkaller.appspot.com/bug?extid=479aff51bb361ef5aa18 Tested-by:
Mazin Al Haddad <mazin@getstate.dev> Signed-off-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/408 JIRA: https://issues.redhat.com/browse/RHEL-77888 CVE: CVE-2025-21652 ``` commit cb358ff94154774d031159b018adf45e17673941 Author: Kuniyuki Iwashima <kuniyu@amazon.com> Date: Mon Jan 6 16:19:11 2025 +0900 ipvlan: Fix use-after-free in ipvlan_get_iflink(). syzbot presented an use-after-free report [0] regarding ipvlan and linkwatch. ipvlan does not hold a refcnt of the lower device unlike vlan and macvlan. If the linkwatch work is triggered for the ipvlan dev, the lower dev might have already been freed, resulting in UAF of ipvlan->phy_dev in ipvlan_get_iflink(). We can delay the lower dev unregistration like vlan and macvlan by holding the lower dev's refcnt in dev->netdev_ops->ndo_init() and releasing it in dev->priv_destructor(). Jakub pointed out calling .ndo_XXX after unregister_netdevice() has returned is error prone and suggested [1] addressing this UAF in the core by taking commit 750e51603395 ("net: avoid potential UAF in default_operstate()") further. Let's assume unregistering devices DOWN and use RCU protection in default_operstate() not to race with the device unregistration. [0]: BUG: KASAN: slab-use-after-free in ipvlan_get_iflink+0x84/0x88 drivers/net/ipvlan/ipvlan_main.c:353 Read of size 4 at addr ffff0000d768c0e0 by task kworker/u8:35/6944 CPU: 0 UID: 0 PID: 6944 Comm: kworker/u8:35 Not tainted 6.13.0-rc2-g9bc5c9515b48 #12 4c3cb9e8b4565456f6a355f312ff91f4f29b3c47 Hardware name: linux,dummy-virt (DT) Workqueue: events_unbound linkwatch_event Call trace: show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:484 (C) __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x16c/0x6f0 mm/kasan/report.c:489 kasan_report+0xc0/0x120 mm/kasan/report.c:602 __asan_report_load4_noabort+0x20/0x30 mm/kasan/report_generic.c:380 ipvlan_get_iflink+0x84/0x88 drivers/net/ipvlan/ipvlan_main.c:353 dev_get_iflink+0x7c/0xd8 net/core/dev.c:674 default_operstate net/core/link_watch.c:45 [inline] rfc2863_policy+0x144/0x360 net/core/link_watch.c:72 linkwatch_do_dev+0x60/0x228 net/core/link_watch.c:175 __linkwatch_run_queue+0x2f4/0x5b8 net/core/link_watch.c:239 linkwatch_event+0x64/0xa8 net/core/link_watch.c:282 process_one_work+0x700/0x1398 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x8c4/0xe10 kernel/workqueue.c:3391 kthread+0x2b0/0x360 kernel/kthread.c:389 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862 Allocated by task 9303: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x30/0x68 mm/kasan/common.c:68 kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4283 [inline] __kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4289 __kvmalloc_node_noprof+0x9c/0x230 mm/util.c:650 alloc_netdev_mqs+0xb4/0x1118 net/core/dev.c:11209 rtnl_create_link+0x2b8/0xb60 net/core/rtnetlink.c:3595 rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3771 __rtnl_newlink net/core/rtnetlink.c:3896 [inline] rtnl_newlink+0x122c/0x15c0 net/core/rtnetlink.c:4011 rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6901 netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2542 rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6928 netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline] netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1347 netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1891 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg net/socket.c:726 [inline] __sys_sendto+0x2ec/0x438 net/socket.c:2197 __do_sys_sendto net/socket.c:2204 [inline] __se_sys_sendto net/socket.c:2200 [inline] __arm64_sys_sendto+0xe4/0x110 net/socket.c:2200 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132 do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151 el0_svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762 el0t_64_sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600 Freed by task 10200: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x30/0x68 mm/kasan/common.c:68 kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:582 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x48/0x68 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2338 [inline] slab_free mm/slub.c:4598 [inline] kfree+0x140/0x420 mm/slub.c:4746 kvfree+0x4c/0x68 mm/util.c:693 netdev_release+0x94/0xc8 net/core/net-sysfs.c:2034 device_release+0x98/0x1c0 kobject_cleanup lib/kobject.c:689 [inline] kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x2b0/0x438 lib/kobject.c:737 netdev_run_todo+0xdd8/0xf48 net/core/dev.c:10924 rtnl_unlock net/core/rtnetlink.c:152 [inline] rtnl_net_unlock net/core/rtnetlink.c:209 [inline] rtnl_dellink+0x484/0x680 net/core/rtnetlink.c:3526 rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6901 netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2542 rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6928 netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline] netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1347 netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1891 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg net/socket.c:726 [inline] ____sys_sendmsg+0x410/0x708 net/socket.c:2583 ___sys_sendmsg+0x178/0x1d8 net/socket.c:2637 __sys_sendmsg net/socket.c:2669 [inline] __do_sys_sendmsg net/socket.c:2674 [inline] __se_sys_sendmsg net/socket.c:2672 [inline] __arm64_sys_sendmsg+0x12c/0x1c8 net/socket.c:2672 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132 do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151 el0_svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762 el0t_64_sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600 The buggy address belongs to the object at ffff0000d768c000 which belongs to the cache kmalloc-cg-4k of size 4096 The buggy address is located 224 bytes inside of freed 4096-byte region [ffff0000d768c000, ffff0000d768d000) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x117688 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 memcg:ffff0000c77ef981 flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) page_type: f5(slab) raw: 0bfffe0000000040 ffff0000c000f500 dead000000000100 dead000000000122 raw: 0000000000000000 0000000000040004 00000001f5000000 ffff0000c77ef981 head: 0bfffe0000000040 ffff0000c000f500 dead000000000100 dead000000000122 head: 0000000000000000 0000000000040004 00000001f5000000 ffff0000c77ef981 head: 0bfffe0000000003 fffffdffc35da201 ffffffffffffffff 0000000000000000 head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff0000d768bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff0000d768c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff0000d768c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff0000d768c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff0000d768c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb Fixes: 8c55face ("net: linkwatch: only report IF_OPER_LOWERLAYERDOWN if iflink is actually down") Reported-by:
syzkaller <syzkaller@googlegroups.com> Suggested-by:
Jakub Kicinski <kuba@kernel.org> Link: https://lore.kernel.org/netdev/20250102174400.085fd8ac@kernel.org/ [1] Signed-off-by:
Kuniyuki Iwashima <kuniyu@amazon.com> Link: https://patch.msgid.link/20250106071911.64355-1-kuniyu@amazon.com Signed-off-by:
Jakub Kicinski <kuba@kernel.org>```> Signed-off-by:
Davide Caratti <dcaratti@redhat.com> Approved-by:
Xin Long <lxin@redhat.com> Approved-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/503 JIRA: https://issues.redhat.com/browse/RHEL-81435 CVE: CVE-2025-21742 JIRA: https://issues.redhat.com/browse/RHEL-81349 CVE: CVE-2025-21743 JIRA: https://issues.redhat.com/browse/RHEL-81565 CVE: CVE-2025-21741 Some CVEs for ipheth driver. All the commits here are part of the same series and are interrelated. Signed-off-by:
Desnes Nunes <desnesn@redhat.com> Approved-by:
Corinna Vinschen <vinschen@redhat.com> Approved-by:
mheib <mheib@redhat.com> Approved-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/468 JIRA: https://issues.redhat.com/browse/RHEL-81475 CVE: CVE-2025-21786 ``` commit e76946110137703c16423baf6ee177b751a34b7e Author: Lai Jiangshan <jiangshan.ljs@antgroup.com> Date: Thu Jan 23 16:25:35 2025 +0800 workqueue: Put the pwq after detaching the rescuer from the pool The commit 68f83057("workqueue: Reap workers via kthread_stop() and remove detach_completion") adds code to reap the normal workers but mistakenly does not handle the rescuer and also removes the code waiting for the rescuer in put_unbound_pool(), which caused a use-after-free bug reported by Cheung Wall. To avoid the use-after-free bug, the pool’s reference must be held until the detachment is complete. Therefore, move the code that puts the pwq after detaching the rescuer from the pool. Reported-by:
cheung wall <zzqq0103.hey@gmail.com> Cc: cheung wall <zzqq0103.hey@gmail.com> Link: https://lore.kernel.org/lkml/CAKHoSAvP3iQW+GwmKzWjEAOoPvzeWeoMO0Gz7Pp3_4kxt-RMoA@mail.gmail.com/ Fixes: 68f83057("workqueue: Reap workers via kthread_stop() and remove detach_completion") Signed-off-by:
Lai Jiangshan <jiangshan.ljs@antgroup.com> Signed-off-by:
Tejun Heo <tj@kernel.org>```> Signed-off-by:
Waiman Long <longman@redhat.com> Approved-by:
Phil Auld <pauld@redhat.com> Approved-by:
-
Julio Faracco authored
Merge: CVE-2025-21826: netfilter: nf_tables: reject mismatching sum of field_len with set key length MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/532 JIRA: https://issues.redhat.com/browse/RHEL-82492 CVE: CVE-2025-21826 ``` commit 1b9335a8000fb70742f7db10af314104b6ace220 Author: Pablo Neira Ayuso <pablo@netfilter.org> Date: Tue Jan 28 12:26:33 2025 +0100 netfilter: nf_tables: reject mismatching sum of field_len with set key length The field length description provides the length of each separated key field in the concatenation, each field gets rounded up to 32-bits to calculate the pipapo rule width from pipapo_init(). The set key length provides the total size of the key aligned to 32-bits. Register-based arithmetics still allows for combining mismatching set key length and field length description, eg. set key length 10 and field description [ 5, 4 ] leading to pipapo width of 12. Cc: stable@vger.kernel.org Fixes: 3ce67e37 ("netfilter: nf_tables: do not allow mismatch field size and set key length") Reported-by:
Noam Rathaus <noamr@ssd-disclosure.com> Reviewed-by:
Florian Westphal <fw@strlen.de> Signed-off-by:
Pablo Neira Ayuso <pablo@netfilter.org>```> Signed-off-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/305 JIRA: https://issues.redhat.com/browse/RHEL-77232 CVE: CVE-2025-21680 ``` pktgen: Avoid out-of-bounds access in get_imix_entries Passing a sufficient amount of imix entries leads to invalid access to the pkt_dev->imix_entries array because of the incorrect boundary check. UBSAN: array-index-out-of-bounds in net/core/pktgen.c:874:24 index 20 is out of range for type 'imix_pkt [20]' CPU: 2 PID: 1210 Comm: bash Not tainted 6.10.0-rc1 #121 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Call Trace: <TASK> dump_stack_lvl lib/dump_stack.c:117 __ubsan_handle_out_of_bounds lib/ubsan.c:429 get_imix_entries net/core/pktgen.c:874 pktgen_if_write net/core/pktgen.c:1063 pde_write fs/proc/inode.c:334 proc_reg_write fs/proc/inode.c:346 vfs_write fs/read_write.c:593 ksys_write fs/read_write.c:644 do_syscall_64 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe arch/x86/entry/entry_64.S:130 Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 52a62f86 ("pktgen: Parse internet mix (imix) input") Signed-off-by:
Artem Chernyshev <artem.chernyshev@red-soft.ru> [ fp: allow to fill the array completely; minor changelog cleanup ] Signed-off-by:
Fedor Pchelkin <pchelkin@ispras.ru> Signed-off-by:
David S. Miller <davem@davemloft.net> (cherry picked from commit 76201b5979768500bca362871db66d77cb4c225e) ``` Signed-off-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/440 JIRA: https://issues.redhat.com/browse/RHEL-81271 CVE: CVE-2024-57987 ``` commit 3c15082f3567032d196e8760753373332508c2ca Author: Max Chou <max.chou@realtek.com> Date: Tue Dec 31 14:57:19 2024 +0800 Bluetooth: btrtl: check for NULL in btrtl_setup_realtek() If insert an USB dongle which chip is not maintained in ic_id_table, it will hit the NULL point accessed. Add a null point check to avoid the Kernel Oops. Fixes: b39910bb ("Bluetooth: Populate hci_set_hw_info for Intel and Realtek") Reviewed-by:
Alex Lu <alex_lu@realsil.com.cn> Signed-off-by:
Max Chou <max.chou@realtek.com> Signed-off-by:
-
Steve Best authored
JIRA: https://issues.redhat.com/browse/RHEL-47425 Build Info: 67070758 Tested: Successful platform test results on Intel (intel-pantherlake-h-02) system. commit bd492b58371295d3ae26162b9666be584abad68a Author: Jarkko Nikula <jarkko.nikula@linux.intel.com> Date: Mon Sep 23 16:27:19 2024 +0300 i2c: i801: Add support for Intel Panther Lake Add SMBus PCI IDs on Intel Panther Lake-P and -U. Signed-off-by:
-
- Mar 19, 2025
-
-
Steve Best authored
JIRA: https://issues.redhat.com/browse/RHEL-79463 commit 583ef25bb2a094813351a727ddec38b35a15b9f8 Author: Dmitry Kandybka <d.kandybka@gmail.com> Date: Fri Jan 24 01:07:39 2025 +0300 platform/x86/intel: pmc: fix ltr decode in pmc_core_ltr_show() In pmc_core_ltr_show(), promote 'val' to 'u64' to avoid possible integer overflow. Values (10 bit) are multiplied by the scale, the result of expression is in a range from 1 to 34,326,183,936 which is bigger then UINT32_MAX. Compile tested only. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by:
Dmitry Kandybka <d.kandybka@gmail.com> Reviewed-by:
Rajneesh Bhardwaj <irenic.rajneesh@gmail.com> Reviewed-by:
Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Link: https://lore.kernel.org/r/20250123220739.68087-1-d.kandybka@gmail.com Signed-off-by:
-
Steve Best authored
JIRA: https://issues.redhat.com/browse/RHEL-79463 commit 1d7461d0c8330689117286169106af6531a747ed Author: David E. Box <david.e.box@linux.intel.com> Date: Mon Jan 6 09:46:52 2025 -0800 platform/x86: intel/pmc: Fix ioremap() of bad address In pmc_core_ssram_get_pmc(), the physical addresses for hidden SSRAM devices are retrieved from the MMIO region of the primary SSRAM device. If additional devices are not present, the address returned is zero. Currently, the code does not check for this condition, resulting in ioremap() incorrectly attempting to map address 0. Add a check for a zero address and return 0 if no additional devices are found, as it is not an error for the device to be absent. Fixes: a01486dc ("platform/x86/intel/pmc: Cleanup SSRAM discovery") Signed-off-by:
David E. Box <david.e.box@linux.intel.com> Link: https://lore.kernel.org/r/20250106174653.1497128-1-david.e.box@linux.intel.com Reviewed-by:
-
Steve Best authored
JIRA: https://issues.redhat.com/browse/RHEL-79463 commit 030c15b5610cedf7eb428dab5382f73d492a7967 Author: Dave Hansen <dave.hansen@linux.intel.com> Date: Fri Dec 13 12:50:34 2024 -0800 x86/tsc: Move away from TSC leaf magic numbers The TSC code has a bunch of hard-coded references to leaf 0x15. Change them over to the symbolic name. Also zap the 'ART_CPUID_LEAF' definition. It was a duplicate of 'CPUID_TSC_LEAF'. Signed-off-by:
Dave Hansen <dave.hansen@linux.intel.com> Link: https://lore.kernel.org/all/20241213205034.B79D6224%40davehans-spike.ostc.intel.com Signed-off-by:
-
Steve Best authored
JIRA: https://issues.redhat.com/browse/RHEL-79463 commit a86740a77bf0942e618cc5f022336cdd99530d10 Author: Dave Hansen <dave.hansen@linux.intel.com> Date: Fri Dec 13 12:50:33 2024 -0800 x86/cpu: Move TSC CPUID leaf definition Prepare to use the TSC CPUID leaf definition more widely by moving it to the common header. Signed-off-by:
Zhao Liu <zhao1.liu@intel.com> Link: https://lore.kernel.org/all/20241213205033.68799E53%40davehans-spike.ostc.intel.com Signed-off-by:
-
Julio Faracco authored
Signed-off-by: -
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/539 JIRA: https://issues.redhat.com/browse/RHEL-82479 CVE: CVE-2024-58075 commit 15589bda46830695a3261518bb7627afac61f519 Author: Chen Ridong <chenridong@huawei.com> Date: Mon Nov 11 01:28:27 2024 +0000 crypto: tegra - do not transfer req when tegra init fails The tegra_cmac_init or tegra_sha_init function may return an error when memory is exhausted. It should not transfer the request when they return an error. Fixes: 0880bb3b ("crypto: tegra - Add Tegra Security Engine driver") Signed-off-by:
Chen Ridong <chenridong@huawei.com> Acked-by:
Akhil R <akhilrajeev@nvidia.com> Acked-by:
Thierry Reding <treding@nvidia.com> Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by:
Herbert Xu <herbert.xu@redhat.com> Approved-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/505 JIRA: https://issues.redhat.com/browse/RHEL-81295 CVE: CVE-2025-21795 Signed-off-by:
Olga Kornievskaia <okorniev@redhat.com> Approved-by:
Benjamin Coddington <bcodding@redhat.com> Approved-by:
Scott Mayhew <smayhew@redhat.com> Approved-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/247 JIRA: https://issues.redhat.com/browse/RHEL-76329 CVE: CVE-2024-53241 Signed-off-by:
Vitaly Kuznetsov <vkuznets@redhat.com> Approved-by:
Lenny Szubowicz <lszubowi@redhat.com> Approved-by:
Joe Lawrence <joe.lawrence@redhat.com> Approved-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/562 Fix data corruption issue in hyperV storvsc driver JIRA: https://issues.redhat.com/browse/RHEL-82461 Signed-off-by:
Cathy Avery <cavery@redhat.com> Approved-by:
Maxim Levitsky <mlevitsk@redhat.com> Approved-by:
Ewan D. Milne <emilne@redhat.com> Approved-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/367 JIRA: https://issues.redhat.com/browse/RHEL-78669 MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/367 This MR can greatly improve the performance of the RT debug kernels. It can also slightly improve the performance of the non-RT debug kernels. It does so by enabling the CONFIG_KASAN_INLINE kernel config option for the RT debug kernel which replace many of the external KASAN function calls to inline codes which increase the size of the debug kernel but reduce the execution time. The second change is to disable KASAN instrumentation in the lockdep code which is another heavy performance hit in the debug kernel. As listed in the commit log of patch 2, these two changes can more than double the performance of the RT debug kernel. Signed-off-by:
Herton R. Krzesinski <herton@redhat.com> Approved-by:
Clark Williams <williams@redhat.com> Approved-by:
Rafael Aquini <raquini@redhat.com> Approved-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/521 JIRA: https://issues.redhat.com/browse/RHEL-62933 JIRA: https://issues.redhat.com/browse/RHEL-79456 Signed-off-by:
Ming Lei <ming.lei@redhat.com> Approved-by:
Maurizio Lombardi <mlombard@redhat.com> Approved-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/535 ``` JIRA: https://issues.redhat.com/browse/RHEL-81557 CVE: CVE-2024-58006 Signed-off-by:
Myron Stowe <mstowe@redhat.com> ``` Approved-by:
John W. Linville <linville@redhat.com> Approved-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/567 JIRA: https://issues.redhat.com/browse/RHEL-83186 Upstream Status: all mainline in kernel-ark.git Conflicts: patch applied manually as rhel-10 has no def_variants.yaml for fedora Tested: boot-tested only Signed-off-by:
Jan Stancek <jstancek@redhat.com> Approved-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/386 JIRA: https://issues.redhat.com/browse/RHEL-78928 CVE: CVE-2024-53147 ``` commit 184fa506e392eb78364d9283c961217ff2c0617b Author: Yuezhang Mo <Yuezhang.Mo@sony.com> Date: Mon Oct 28 11:23:36 2024 +0800 exfat: fix out-of-bounds access of directory entries In the case of the directory size is greater than or equal to the cluster size, if start_clu becomes an EOF cluster(an invalid cluster) due to file system corruption, then the directory entry where ei->hint_femp.eidx hint is outside the directory, resulting in an out-of-bounds access, which may cause further file system corruption. This commit adds a check for start_clu, if it is an invalid cluster, the file or directory will be treated as empty. Cc: stable@vger.kernel.org Signed-off-by:
Yuezhang Mo <Yuezhang.Mo@sony.com> Co-developed-by:
Namjae Jeon <linkinjeon@kernel.org> Signed-off-by:
Namjae Jeon <linkinjeon@kernel.org>```> Signed-off-by:
Pavel Reichl <preichl@redhat.com> Approved-by:
Carlos Maiolino <cmaiolino@redhat.com> Approved-by:
Andrey Albershteyn <aalbersh@redhat.com> Approved-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/355 Description: ============ This patch set updates the RDMA core and RDMA ULPs to upstream kernel v6.13. Upstream: ========= Linus's master tree. Issues: ======= JIRA: https://issues.redhat.com/browse/RHEL-77879 Brew: ===== https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=66571797 Signed-off-by:
Kamal Heib <kheib@redhat.com> Approved-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/546 ``` This series updates RHEL9's PCI subsystem with content from upstream v6.13 - Related post v6.13 (v6.14) Fixes 7ca288760007 PCI: rockchip-ep: Fix error code in rockchip_pcie_ep fd46bc0e0bb3 PCI: rockchip: Add missing fields descriptions for s Merge tag 'pci-v6.13-fixes-3' of git://git.kernel.org/pub/scm https://lkml.org/lkml/2025/1/14/1378 commit 7f5b6a8ec18e3add4c74682f60b90c31bdf849f2 Merge: c3812b15000c 15b8968dcb90 1 file changed, 16 insertions(+), 9 deletions(-) Merge tag 'pci-v6.13-fixes-2' of git://git.kernel.org/pub/scm/l https://lkml.org/lkml/2024/12/21/??? commit a99b4a369a5495dbb625e1dfb5cd7a5ff6ba4bd5 Merge: 78b1346123bb 774c71c52aa4 Merge tag 'pci-v6.13-fixes-1' of git://git.kernel.org/pub/scm/l https://lkml.org/lkml/2024/11/30/474 commit 0cb71708c5816569f8addd5c6f33cb9679e73b5b Merge: 8a6a03ad5b04 5c8418cf4025 1 file changed, 7 insertions(+), 2 deletions(-) Merge tag 'pci-v6.13-changes' of git://git.kernel.org/pub/scm/../git/pci/pci https://lkml.org/lkml/2024/11/25/1200 commit 1746db26f85e4f4b3dd11d7b55f4eff4b0423884 Merge: 1dc707e647bc 10099266dec8 134 files changed, 4173 insertions(+), 1164 deletions(-) There were a number back-ports with conflicts, most were due to out-of-order backporting (with respect to upstream), or patches that were based on old content (i.e., not accounting for recent updates) and so incurred the same conflict as encountered upstream. All such occurrences are noted in the back-port's commit message with the same changes that occurred upstream being made in the back-port to keep things in sync. Of special note: This MR renames a module from pci-pwrctl-pwrseq.ko to pci-pwrctrl-pwrseq.ko. This is done in upstream commit 3f925cd62874 "PCI/pwrctrl: Rename pwrctrl functions and structures", specifically, the last hunk of drivers/pci/pwrctrl/pci-pwrctrl-pwrseq.c. The name change should not impact the customer's ability to use this module. JIRA: https://issues.redhat.com/browse/RHEL-74285 CVE: CVE-2024-56745 CVE: CVE-2024-53152 CVE: CVE-2024-53153 CVE: CVE-2024-57809 CVE: CVE-2024-56561 CVE: CVE-2024-56689 CVE: CVE-2024-53194 Omitted-fix: 1390a33b3d04 Omitted-fix: 1b1bb7b29b10 Omitted-fix: 86a5f32ed881 Signed-off-by:
Eder Zulian <ezulian@redhat.com> Approved-by:
Jarod Wilson <jarod@redhat.com> Approved-by:
Enric Balletbo i Serra <eballetbo@redhat.com> Approved-by:
Brian Masney <bmasney@redhat.com> Approved-by:
-
Mamatha Inamdar authored
JIRA: https://issues.redhat.com/browse/RHEL-83836 commit 05aa156e156ef3168e7ab8a68721945196495c17 Author: Haren Myneni <haren@linux.ibm.com> Date: Fri Dec 13 21:17:58 2024 -0800 powerpc/pseries/vas: Add close() callback in vas_vm_ops struct The mapping VMA address is saved in VAS window struct when the paste address is mapped. This VMA address is used during migration to unmap the paste address if the window is active. The paste address mapping will be removed when the window is closed or with the munmap(). But the VMA address in the VAS window is not updated with munmap() which is causing invalid access during migration. The KASAN report shows: [16386.254991] BUG: KASAN: slab-use-after-free in reconfig_close_windows+0x1a0/0x4e8 [16386.255043] Read of size 8 at addr c00000014a819670 by task drmgr/696928 [16386.255096] CPU: 29 UID: 0 PID: 696928 Comm: drmgr Kdump: loaded Tainted: G B 6.11.0-rc5-nxgzip #2 [16386.255128] Tainted: [B]=BAD_PAGE [16386.255148] Hardware name: IBM,9080-HEX Power11 (architected) 0x820200 0xf000007 of:IBM,FW1110.00 (NH1110_016) hv:phyp pSeries [16386.255181] Call Trace: [16386.255202] [c00000016b297660] [c0000000018ad0ac] dump_stack_lvl+0x84/0xe8 (unreliable) [16386.255246] [c00000016b297690] [c0000000006e8a90] print_report+0x19c/0x764 [16386.255285] [c00000016b297760] [c0000000006e9490] kasan_report+0x128/0x1f8 [16386.255309] [c00000016b297880] [c0000000006eb5c8] __asan_load8+0xac/0xe0 [16386.255326] [c00000016b2978a0] [c00000000013f898] reconfig_close_windows+0x1a0/0x4e8 [16386.255343] [c00000016b297990] [c000000000140e58] vas_migration_handler+0x3a4/0x3fc [16386.255368] [c00000016b297a90] [c000000000128848] pseries_migrate_partition+0x4c/0x4c4 ... [16386.256136] Allocated by task 696554 on cpu 31 at 16377.277618s: [16386.256149] kasan_save_stack+0x34/0x68 [16386.256163] kasan_save_track+0x34/0x80 [16386.256175] kasan_save_alloc_info+0x58/0x74 [16386.256196] __kasan_slab_alloc+0xb8/0xdc [16386.256209] kmem_cache_alloc_noprof+0x200/0x3d0 [16386.256225] vm_area_alloc+0x44/0x150 [16386.256245] mmap_region+0x214/0x10c4 [16386.256265] do_mmap+0x5fc/0x750 [16386.256277] vm_mmap_pgoff+0x14c/0x24c [16386.256292] ksys_mmap_pgoff+0x20c/0x348 [16386.256303] sys_mmap+0xd0/0x160 ... [16386.256350] Freed by task 0 on cpu 31 at 16386.204848s: [16386.256363] kasan_save_stack+0x34/0x68 [16386.256374] kasan_save_track+0x34/0x80 [16386.256384] kasan_save_free_info+0x64/0x10c [16386.256396] __kasan_slab_free+0x120/0x204 [16386.256415] kmem_cache_free+0x128/0x450 [16386.256428] vm_area_free_rcu_cb+0xa8/0xd8 [16386.256441] rcu_do_batch+0x2c8/0xcf0 [16386.256458] rcu_core+0x378/0x3c4 [16386.256473] handle_softirqs+0x20c/0x60c [16386.256495] do_softirq_own_stack+0x6c/0x88 [16386.256509] do_softirq_own_stack+0x58/0x88 [16386.256521] __irq_exit_rcu+0x1a4/0x20c [16386.256533] irq_exit+0x20/0x38 [16386.256544] interrupt_async_exit_prepare.constprop.0+0x18/0x2c ... [16386.256717] Last potentially related work creation: [16386.256729] kasan_save_stack+0x34/0x68 [16386.256741] __kasan_record_aux_stack+0xcc/0x12c [16386.256753] __call_rcu_common.constprop.0+0x94/0xd04 [16386.256766] vm_area_free+0x28/0x3c [16386.256778] remove_vma+0xf4/0x114 [16386.256797] do_vmi_align_munmap.constprop.0+0x684/0x870 [16386.256811] __vm_munmap+0xe0/0x1f8 [16386.256821] sys_munmap+0x54/0x6c [16386.256830] system_call_exception+0x1a0/0x4a0 [16386.256841] system_call_vectored_common+0x15c/0x2ec [16386.256868] The buggy address belongs to the object at c00000014a819670 which belongs to the cache vm_area_struct of size 168 [16386.256887] The buggy address is located 0 bytes inside of freed 168-byte region [c00000014a819670, c00000014a819718) [16386.256915] The buggy address belongs to the physical page: [16386.256928] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14a81 [16386.256950] memcg:c0000000ba430001 [16386.256961] anon flags: 0x43ffff800000000(node=4|zone=0|lastcpupid=0x7ffff) [16386.256975] page_type: 0xfdffffff(slab) [16386.256990] raw: 043ffff800000000 c00000000501c080 0000000000000000 5deadbee00000001 [16386.257003] raw: 0000000000000000 00000000011a011a 00000001fdffffff c0000000ba430001 [16386.257018] page dumped because: kasan: bad access detected This patch adds close() callback in vas_vm_ops vm_operations_struct which will be executed during munmap() before freeing VMA. The VMA address in the VAS window is set to NULL after holding the window mmap_mutex. Fixes: 37e67648 ("powerpc/pseries/vas: Add VAS migration handler") Signed-off-by:
-
- Mar 18, 2025
-
-
Nigel Croxon authored
JIRA: https://issues.redhat.com/browse/RHEL-83951 commit 20238d49448cdb406da2b9bd3e50f892b26da318 Author: Dr. David Alan Gilbert <linux@treblig.org> Date: Sun Sep 29 14:21:48 2024 +0100 async_xor: Remove unused 'async_xor_val' async_xor_val has been unused since commit a7c224a8 ("md/raid5: convert to new xor compution interface") Remove it. Signed-off-by:
Dr. David Alan Gilbert <linux@treblig.org> Signed-off-by:
-
Nigel Croxon authored
JIRA: https://issues.redhat.com/browse/RHEL-83951 commit 3db4404435397a345431b45f57876a3df133f3b4 Author: Xiao Ni <xni@redhat.com> Date: Thu Mar 6 17:49:38 2025 +0800 md/raid10: wait barrier before returning discard request with REQ_NOWAIT raid10_handle_discard should wait barrier before returning a discard bio which has REQ_NOWAIT. And there is no need to print warning calltrace if a discard bio has REQ_NOWAIT flag. Quality engineer usually checks dmesg and reports error if dmesg has warning/error calltrace. Fixes: c9aa889b ("md: raid10 add nowait support") Signed-off-by:
Coly Li <colyli@kernel.org> Link: https://lore.kernel.org/linux-raid/20250306094938.48952-1-xni@redhat.com Signed-off-by:
Yu Kuai <yukuai3@huawei.com> Signed-off-by:
-
Nigel Croxon authored
JIRA: https://issues.redhat.com/browse/RHEL-83951 commit 6130825f34d41718c98a9b1504a79a23e379701e Author: Su Yue <glass.su@suse.com> Date: Mon Mar 3 11:39:18 2025 +0800 md/md-bitmap: fix wrong bitmap_limit for clustermd when write sb In clustermd, separate write-intent-bitmaps are used for each cluster node: 0 4k 8k 12k ------------------------------------------------------------------- | idle | md super | bm super [0] + bits | | bm bits[0, contd] | bm super[1] + bits | bm bits[1, contd] | | bm super[2] + bits | bm bits [2, contd] | bm super[3] + bits | | bm bits [3, contd] | | | So in node 1, pg_index in __write_sb_page() could equal to bitmap->storage.file_pages. Then bitmap_limit will be calculated to 0. md_super_write() will be called with 0 size. That means the first 4k sb area of node 1 will never be updated through filemap_write_page(). This bug causes hang of mdadm/clustermd_tests/01r1_Grow_resize. Here use (pg_index % bitmap->storage.file_pages) to make calculation of bitmap_limit correct. Fixes: ab99a875 ("md/md-bitmap: fix writing non bitmap pages") Signed-off-by:
Su Yue <glass.su@suse.com> Reviewed-by:
Heming Zhao <heming.zhao@suse.com> Link: https://lore.kernel.org/linux-raid/20250303033918.32136-1-glass.su@suse.com Signed-off-by:
-
Nigel Croxon authored
JIRA: https://issues.redhat.com/browse/RHEL-83951 commit e879a0d9cb086c8e52ce6c04e5bfa63825a6213c Author: Yu Kuai <yukuai3@huawei.com> Date: Thu Feb 27 20:16:57 2025 +0800 md/raid1,raid10: don't ignore IO flags If blk-wbt is enabled by default, it's found that raid write performance is quite bad because all IO are throttled by wbt of underlying disks, due to flag REQ_IDLE is ignored. And turns out this behaviour exist since blk-wbt is introduced. Other than REQ_IDLE, other flags should not be ignored as well, for example REQ_META can be set for filesystems, clearing it can cause priority reverse problems; And REQ_NOWAIT should not be cleared as well, because io will wait instead of failing directly in underlying disks. Fix those problems by keep IO flags from master bio. Fises: f51d46d0 ("md: add support for REQ_NOWAIT") Fixes: e34cbd30 ("blk-wbt: add general throttling mechanism") Fixes: 5404bc7a ("[PATCH] Allow file systems to differentiate between data and meta reads") Link: https://lore.kernel.org/linux-raid/20250227121657.832356-1-yukuai1@huaweicloud.com Signed-off-by:
-
Nigel Croxon authored
JIRA: https://issues.redhat.com/browse/RHEL-83951 commit 1320fe874175fac395fa693195db68b2001c4d8f Author: Yu Kuai <yukuai3@huawei.com> Date: Thu Feb 27 20:04:52 2025 +0800 md/raid5: merge reshape_progress checking inside get_reshape_loc() During code review, it's found that other than raid5_bitmap_sector(), reshape_progress is always checked before get_reshape_loc(), while raid5_bitmap_sector() should check as well to prevent holding the lock 'conf->device_lock'. Hence merge that checking inside get_reshape_loc(). Link: https://lore.kernel.org/linux-raid/20250227120452.808503-1-yukuai1@huaweicloud.com Signed-off-by:
-
