Unnamed repository; edit this file 'description' to name the repository. https://git.kobert.dev/pm24.git/atom?h=v6.6-rc4 2023-10-01T20:33:25Z 2023-10-01T20:33:25Z Linus Torvalds torvalds@linux-foundation.org 2023-10-01T20:33:25Z urn:sha1:d2c5231581d636af8d5af888ee13048dfbb438c7 Pull misc fixes from Andrew Morton: "Fourteen hotfixes, eleven of which are cc:stable. The remainder pertain to issues which were introduced after 6.5" * tag 'mm-hotfixes-stable-2023-10-01-08-34' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: Crash: add lock to serialize crash hotplug handling selftests/mm: fix awk usage in charge_reserved_hugetlb.sh and hugetlb_reparenting_test.sh that may cause error mm: mempolicy: keep VMA walk if both MPOL_MF_STRICT and MPOL_MF_MOVE are specified mm/damon/vaddr-test: fix memory leak in damon_do_test_apply_three_regions() mm, memcg: reconsider kmem.limit_in_bytes deprecation mm: zswap: fix potential memory corruption on duplicate store arm64: hugetlb: fix set_huge_pte_at() to work with all swap entries mm: hugetlb: add huge page size param to set_huge_pte_at() maple_tree: add MAS_UNDERFLOW and MAS_OVERFLOW states maple_tree: add mas_is_active() to detect in-tree walks nilfs2: fix potential use after free in nilfs_gccache_submit_read_data() mm: abstract moving to the next PFN mm: report success more often from filemap_map_folio_range() fs: binfmt_elf_efpic: fix personality for ELF-FDPIC 2023-10-01T01:19:02Z Linus Torvalds torvalds@linux-foundation.org 2023-10-01T01:19:02Z urn:sha1:3b347e403210c63d0ba01adf7530da08bc2929f9 Pull tracing fixes from Steven Rostedt: - Make sure 32-bit applications using user events have aligned access when running on a 64-bit kernel. - Add cond_resched in the loop that handles converting enums in print_fmt string is trace events. - Fix premature wake ups of polling processes in the tracing ring buffer. When a task polls waiting for a percentage of the ring buffer to be filled, the writer still will wake it up at every event. Add the polling's percentage to the "shortest_full" list to tell the writer when to wake it up. - For eventfs dir lookups on dynamic events, an event system's only event could be removed, leaving its dentry with no children. This is totally legitimate. But in eventfs_release() it must not access the children array, as it is only allocated when the dentry has children. * tag 'trace-v6.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: eventfs: Test for dentries array allocated in eventfs_release() tracing/user_events: Align set_bit() address for all archs tracing: relax trace_event_eval_update() execution with cond_resched() ring-buffer: Update "shortest_full" in polling 2023-09-30T20:26:04Z Steven Rostedt (Google) rostedt@goodmis.org 2023-09-30T13:01:06Z urn:sha1:2598bd3ca8dcf5bbca1161ee5b271b432398da37 The dcache_dir_open_wrapper() could be called when a dynamic event is being deleted leaving a dentry with no children. In this case the dlist->dentries array will never be allocated. This needs to be checked for in eventfs_release(), otherwise it will trigger a NULL pointer dereference. Link: https://lore.kernel.org/linux-trace-kernel/20230930090106.1c3164e9@rorschach.local.home Cc: Mark Rutland <mark.rutland@arm.com> Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org> Fixes: ef36b4f92868 ("eventfs: Remember what dentries were created on dir open") Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org> 2023-09-30T18:01:38Z Linus Torvalds torvalds@linux-foundation.org 2023-09-30T18:01:38Z urn:sha1:25d48d570eeda62cf71e5b9cdad76a37b833f408 Pull iomap fixes from Darrick Wong: - Handle a race between writing and shrinking block devices by returning EIO - Fix a typo in a comment * tag 'iomap-6.6-fixes-4' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux: iomap: Spelling s/preceeding/preceding/g iomap: add a workaround for racy i_size updates on block devices 2023-09-30T16:44:48Z Linus Torvalds torvalds@linux-foundation.org 2023-09-30T16:44:48Z urn:sha1:ae213639983a5406849d62d33257dfc076bc48a7 Pull nfsd fix from Chuck Lever: - Fix NFSv4 READ corner case * tag 'nfsd-6.6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux: NFSD: Fix zero NFSv4 READ results when RQ_SPLICE_OK is not set 2023-09-30T16:39:23Z Linus Torvalds torvalds@linux-foundation.org 2023-09-30T16:39:23Z urn:sha1:ba77f7a63f4e4d4ffa5ad8c6665a104822992538 Pull smb client fix from Steve French: "Fix for password freeing potential oops (also for stable)" * tag '6.6-rc3-smb3-client-fix' of git://git.samba.org/sfrench/cifs-2.6: fs/smb/client: Reset password pointer to NULL 2023-09-30T00:20:46Z Pan Bian bianpan2016@163.com 2023-09-21T14:17:31Z urn:sha1:7ee29facd8a9c5a26079148e36bcf07141b3a6bc In nilfs_gccache_submit_read_data(), brelse(bh) is called to drop the reference count of bh when the call to nilfs_dat_translate() fails. If the reference count hits 0 and its owner page gets unlocked, bh may be freed. However, bh->b_page is dereferenced to put the page after that, which may result in a use-after-free bug. This patch moves the release operation after unlocking and putting the page. NOTE: The function in question is only called in GC, and in combination with current userland tools, address translation using DAT does not occur in that function, so the code path that causes this issue will not be executed. However, it is possible to run that code path by intentionally modifying the userland GC library or by calling the GC ioctl directly. [konishi.ryusuke@gmail.com: NOTE added to the commit log] Link: https://lkml.kernel.org/r/1543201709-53191-1-git-send-email-bianpan2016@163.com Link: https://lkml.kernel.org/r/20230921141731.10073-1-konishi.ryusuke@gmail.com Fixes: a3d93f709e89 ("nilfs2: block cache for garbage collection") Signed-off-by: Pan Bian <bianpan2016@163.com> Reported-by: Ferry Meng <mengferry@linux.alibaba.com> Closes: https://lkml.kernel.org/r/20230818092022.111054-1-mengferry@linux.alibaba.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> 2023-09-30T00:20:45Z Greg Ungerer gerg@kernel.org 2023-09-07T01:18:08Z urn:sha1:7c3151585730b7095287be8162b846d31e6eee61 The elf-fdpic loader hard sets the process personality to either PER_LINUX_FDPIC for true elf-fdpic binaries or to PER_LINUX for normal ELF binaries (in this case they would be constant displacement compiled with -pie for example). The problem with that is that it will lose any other bits that may be in the ELF header personality (such as the "bug emulation" bits). On the ARM architecture the ADDR_LIMIT_32BIT flag is used to signify a normal 32bit binary - as opposed to a legacy 26bit address binary. This matters since start_thread() will set the ARM CPSR register as required based on this flag. If the elf-fdpic loader loses this bit the process will be mis-configured and crash out pretty quickly. Modify elf-fdpic loader personality setting so that it preserves the upper three bytes by using the SET_PERSONALITY macro to set it. This macro in the generic case sets PER_LINUX and preserves the upper bytes. Architectures can override this for their specific use case, and ARM does exactly this. The problem shows up quite easily running under qemu using the ARM architecture, but not necessarily on all types of real ARM hardware. If the underlying ARM processor does not support the legacy 26-bit addressing mode then everything will work as expected. Link: https://lkml.kernel.org/r/20230907011808.2985083-1-gerg@kernel.org Fixes: 1bde925d23547 ("fs/binfmt_elf_fdpic.c: provide NOMMU loader for regular ELF binaries") Signed-off-by: Greg Ungerer <gerg@kernel.org> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Christian Brauner <brauner@kernel.org> Cc: Eric W. Biederman <ebiederm@xmission.com> Cc: Greg Ungerer <gerg@kernel.org> Cc: Kees Cook <keescook@chromium.org> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> 2023-09-29T23:51:38Z Linus Torvalds torvalds@linux-foundation.org 2023-09-29T23:51:38Z urn:sha1:9f3ebbef746f89f860a90ced99a359202ea86fde Pull smb server fixes from Steve French: "Two SMB3 server fixes for null pointer dereferences: - invalid SMB3 request case (fixes issue found in testing the read compound patch) - iovec error case in response processing" * tag '6.6-rc3-ksmbd-server-fixes' of git://git.samba.org/ksmbd: ksmbd: check iov vector index in ksmbd_conn_write() ksmbd: return invalid parameter error response if smb2 request is invalid 2023-09-29T23:46:24Z Linus Torvalds torvalds@linux-foundation.org 2023-09-29T23:46:24Z urn:sha1:14c06b913d4a11b50351ef5bcb3f112247f647f3 Pull ceph fixes from Ilya Dryomov: "A series that fixes an involved 'double watch error' deadlock in RBD marked for stable and two cleanups" * tag 'ceph-for-6.6-rc4' of https://github.com/ceph/ceph-client: rbd: take header_rwsem in rbd_dev_refresh() only when updating rbd: decouple parent info read-in from updating rbd_dev rbd: decouple header read-in from updating rbd_dev->header rbd: move rbd_dev_refresh() definition Revert "ceph: make members in struct ceph_mds_request_args_ext a union" ceph: remove unnecessary check for NULL in parse_longname()