1. 28 Jul, 2023 11 commits
    • Merge tag 'for-linus-iommufd' of git://git.kernel.org/pub/scm/linux/kernel/git/jgg/iommufd · 0299a13a
      Linus Torvalds authored
      Pull iommufd fixes from Jason Gunthorpe:
       "Two user triggerable problems:
      
         - Syzkaller found a way to trigger a WARN_ON and leak memory by
           racing destroy with other actions
      
         - There is still a bug in the "batch carry" stuff that gets invoked
           for complex cases with accesses and unmapping of huge pages. The
           test suite found this (triggers rarely)"
      
      * tag 'for-linus-iommufd' of git://git.kernel.org/pub/scm/linux/kernel/git/jgg/iommufd:
        iommufd: Set end correctly when doing batch carry
        iommufd: IOMMUFD_DESTROY should not increase the refcount
      0299a13a
    • Merge tag 'for-6.5/dm-fixes' of... · c75981a1
      Linus Torvalds authored
      Merge tag 'for-6.5/dm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
      
      Pull device mapper fixes from Mike Snitzer:
      
       - Fix double free on memory allocation failure in DM integrity target's
         integrity_recalc()
      
       - Fix locking in DM raid target's raid_ctr() and around call to
         md_stop()
      
       - Fix DM cache target's cleaner policy to always allow work to be
         queued for writeback, even if the cache isn't idle.
      
      * tag 'for-6.5/dm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
        dm cache policy smq: ensure IO doesn't prevent cleaner policy progress
        dm raid: protect md_stop() with 'reconfig_mutex'
        dm raid: clean up four equivalent goto tags in raid_ctr()
        dm raid: fix missing reconfig_mutex unlock in raid_ctr() error paths
        dm integrity: fix double free on memory allocation failure
      c75981a1
    • Merge tag 'sound-6.5-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 6fb9f7f8
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "A collection of device-specific small fixes such as ASoC Realtek codec
        fixes for PM issues, ASoC nau8821 quirk additions, and usual HD- and
        USB-audio quirks"
      
      * tag 'sound-6.5-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda/realtek: Support ASUS G713PV laptop
        ALSA: usb-audio: Update for native DSD support quirks
        ALSA: usb-audio: Add quirk for Microsoft Modern Wireless Headset
        ALSA: hda/relatek: Enable Mute LED on HP 250 G8
        ASoC: atmel: Fix the 8K sample parameter in I2SC master
        ASoC: rt711-sdca: fix for JD event handling in ClockStop Mode0
        ASoC: rt711: fix for JD event handling in ClockStop Mode0
        ASoC: rt722-sdca: fix for JD event handling in ClockStop Mode0
        ASoC: rt712-sdca: fix for JD event handling in ClockStop Mode0
        ASoc: codecs: ES8316: Fix DMIC config
        ASoC: rt5682-sdw: fix for JD event handling in ClockStop Mode0
        ASoC: wm8904: Fill the cache for WM8904_ADC_TEST_0 register
        ASoC: nau8821: Add DMI quirk mechanism for active-high jack-detect
        ASoC: da7219: Check for failure reading AAD IRQ events
        ASoC: da7219: Flush pending AAD IRQ when suspending
        ALSA: seq: remove redundant unsigned comparison to zero
        ASoC: fsl_spdif: Silence output on stop
      6fb9f7f8
    • Merge tag 'drm-fixes-2023-07-28' of git://anongit.freedesktop.org/drm/drm · 17bf3df9
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Regular scheduled fixes, msm and amdgpu leading the way, with some
        i915 and a single misc fbdev, all seems fine.
      
        fbdev:
         - remove unused function
      
        amdgpu:
         - gfxhub partition fix
         - Fix error handling in psp_sw_init()
         - SMU13 fix
         - DCN 3.1 fix
         - DCN 3.2 fix
         - Fix for display PHY programming sequence
         - DP MST error handling fix
         - GFX 9.4.3 fix
      
        amdkfd:
         - GFX11 trap handling fix
      
        i915:
         - Use shmem for dpt objects
         - Fix an error handling path in igt_write_huge()
      
        msm:
         - display:
            - Fix to correct the UBWC programming for decoder version 4.3 seen
              on SM8550
            - Add the missing flush and fetch bits for DMA4 and DMA5 SSPPs.
            - Fix to drop the unused dpu_core_perf_data_bus_id enum from the
              code
            - Drop the unused dsi_phy_14nm_17mA_regulators from QCM 2290 DSI
              cfg.
         - gpu:
            - Fix warn splat for newer devices without revn
            - Remove name/revn for a690.. we shouldn't be populating these for
              newer devices, for consistency, but it slipped through review
            - Fix a6xx gpu snapshot BINDLESS_DATA size (was listed in bytes
              instead of dwords, causing AHB faults on a6xx gen4/a660-family)
            - Disallow submit with fence id 0"
      
      * tag 'drm-fixes-2023-07-28' of git://anongit.freedesktop.org/drm/drm: (22 commits)
        drm/msm: Disallow submit with fence id 0
        drm/amdgpu: Restore HQD persistent state register
        drm/amd/display: Unlock on error path in dm_handle_mst_sideband_msg_ready_event()
        drm/amd/display: Exit idle optimizations before attempt to access PHY
        drm/amd/display: Don't apply FIFO resync W/A if rdivider = 0
        drm/amd/display: Guard DCN31 PHYD32CLK logic against chip family
        drm/amd/smu: use AverageGfxclkFrequency* to replace previous GFX Curr Clock
        drm/amd: Fix an error handling mistake in psp_sw_init()
        drm/amdgpu: Fix infinite loop in gfxhub_v1_2_xcc_gart_enable (v2)
        drm/amdkfd: fix trap handling work around for debugging
        drm/fb-helper: Remove unused inline function drm_fb_helper_defio_init()
        drm/i915: Fix an error handling path in igt_write_huge()
        drm/i915/dpt: Use shmem for dpt objects
        drm/msm: Fix hw_fence error path cleanup
        drm/msm: Fix IS_ERR_OR_NULL() vs NULL check in a5xx_submit_in_rb()
        drm/msm/adreno: Fix snapshot BINDLESS_DATA size
        drm/msm/a690: Remove revn and name
        drm/msm/adreno: Fix warn splat for devices without revn
        drm/msm/dsi: Drop unused regulators from QCM2290 14nm DSI PHY config
        drm/msm/dpu: drop enum dpu_core_perf_data_bus_id
        ...
      17bf3df9
    • Merge tag 'cxl-fixes-6.5-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl · f24767ca
      Linus Torvalds authored
      Pull cxl fixes from Vishal Verma:
      
       - Update MAINTAINERS for cxl
      
       - A few static analysis fixes
      
       - Fix a Kconfig dependency for CONFIG_FW_LOADER
      
      * tag 'cxl-fixes-6.5-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl:
        tools/testing/cxl: Remove unused SZ_512G macro
        cxl/acpi: Return 'rc' instead of '0' in cxl_parse_cfmws()
        cxl/acpi: Fix a use-after-free in cxl_parse_cfmws()
        cxl: Update MAINTAINERS
        cxl/mem: Fix a double shift bug
        cxl: fix CONFIG_FW_LOADER dependency
      f24767ca
    • Revert "mm,memblock: reset memblock.reserved to system init state to prevent UAF" · c442a957
      Mike Rapoport (IBM) authored
      This reverts commit 9e46e4dc.
      
      kbuild reports a warning in memblock_remove_region() because of a false
      positive caused by partial reset of the memblock state.
      
      Doing the full reset will remove the false positives, but will allow
      late use of memblock_free() to go unnoticed, so it is better to revert
      the offending commit.
      
         WARNING: CPU: 0 PID: 1 at mm/memblock.c:352 memblock_remove_region (kbuild/src/x86_64/mm/memblock.c:352 (discriminator 1))
         Modules linked in:
         CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.5.0-rc3-00001-g9e46e4dc #2
         RIP: 0010:memblock_remove_region (kbuild/src/x86_64/mm/memblock.c:352 (discriminator 1))
         Call Trace:
           memblock_discard (kbuild/src/x86_64/mm/memblock.c:383)
           page_alloc_init_late (kbuild/src/x86_64/include/linux/find.h:208 kbuild/src/x86_64/include/linux/nodemask.h:266 kbuild/src/x86_64/mm/mm_init.c:2405)
           kernel_init_freeable (kbuild/src/x86_64/init/main.c:1325 kbuild/src/x86_64/init/main.c:1546)
           kernel_init (kbuild/src/x86_64/init/main.c:1439)
           ret_from_fork (kbuild/src/x86_64/arch/x86/kernel/process.c:145)
           ret_from_fork_asm (kbuild/src/x86_64/arch/x86/entry/entry_64.S:298)
      Reported-by: kernel test robot <oliver.sang@intel.com>
      Closes: https://lore.kernel.org/oe-lkp/202307271656.447aa17e-oliver.sang@intel.com
      Signed-off-by: "Mike Rapoport (IBM)" <rppt@kernel.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      c442a957
    • mm/mempolicy: Take VMA lock before replacing policy · 6c21e066
      Jann Horn authored
      mbind() calls down into vma_replace_policy() without taking the per-VMA
      locks, replaces the VMA's vma->vm_policy pointer, and frees the old
      policy.  That's bad; a concurrent page fault might still be using the
      old policy (in vma_alloc_folio()), resulting in use-after-free.
      
      Normally this will manifest as a use-after-free read first, but it can
      result in memory corruption, including because vma_alloc_folio() can
      call mpol_cond_put() on the freed policy, which conditionally changes
      the policy's refcount member.
      
      This bug is specific to CONFIG_NUMA, but it does also affect non-NUMA
      systems as long as the kernel was built with CONFIG_NUMA.
      Signed-off-by: Jann Horn <jannh@google.com>
      Reviewed-by: Suren Baghdasaryan <surenb@google.com>
      Fixes: 5e31275c ("mm: add per-VMA lock and helper functions to control it")
      Cc: stable@kernel.org
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      6c21e066
    • Merge tag 'drm-msm-fixes-2023-07-27' of https://gitlab.freedesktop.org/drm/msm into drm-fixes · 9a767faa
      Dave Airlie authored
      Fixes for v6.5-rc4
      
      Display:
      + Fix to correct the UBWC programming for decoder version 4.3 seen
        on SM8550
      + Add the missing flush and fetch bits for DMA4 and DMA5 SSPPs.
      + Fix to drop the unused dpu_core_perf_data_bus_id enum from the code
      + Drop the unused dsi_phy_14nm_17mA_regulators from QCM 2290 DSI cfg.
      
      GPU:
      + Fix warn splat for newer devices without revn
      + Remove name/revn for a690.. we shouldn't be populating these for
        newer devices, for consistency, but it slipped through review
      + Fix a6xx gpu snapshot BINDLESS_DATA size (was listed in bytes
        instead of dwords, causing AHB faults on a6xx gen4/a660-family)
      + Disallow submit with fence id 0
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      From: Rob Clark <robdclark@gmail.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/CAF6AEGs9MwCSfiyv8i7yWAsJKYEzCDyzaTx=ujX80Y23rZd9RA@mail.gmail.com
      9a767faa
    • Merge tag 'amd-drm-fixes-6.5-2023-07-26' of... · 0dd9c514
      Dave Airlie authored
      Merge tag 'amd-drm-fixes-6.5-2023-07-26' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes
      
      amd-drm-fixes-6.5-2023-07-26:
      
      amdgpu:
      - gfxhub partition fix
      - Fix error handling in psp_sw_init()
      - SMU13 fix
      - DCN 3.1 fix
      - DCN 3.2 fix
      - Fix for display PHY programming sequence
      - DP MST error handling fix
      - GFX 9.4.3 fix
      
      amdkfd:
      - GFX11 trap handling fix
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      
      From: Alex Deucher <alexander.deucher@amd.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20230726184936.7812-1-alexander.deucher@amd.com
      0dd9c514
    • Merge tag 'drm-intel-fixes-2023-07-27' of... · 75da46c1
      Dave Airlie authored
      Merge tag 'drm-intel-fixes-2023-07-27' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
      
      - Use shmem for dpt objects [dpt] (Radhakrishna Sripada)
      - Fix an error handling path in igt_write_huge() (Christophe JAILLET)
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      From: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/ZMI4Mtom7pDhLB7M@tursulin-desk
      75da46c1
  2. 27 Jul, 2023 19 commits
    • Merge tag 'net-6.5-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 57012c57
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
       "Including fixes from can, netfilter.
      
        Current release - regressions:
      
         - core: fix splice_to_socket() for O_NONBLOCK socket
      
         - af_unix: fix fortify_panic() in unix_bind_bsd().
      
         - can: raw: fix lockdep issue in raw_release()
      
        Previous releases - regressions:
      
         - tcp: reduce chance of collisions in inet6_hashfn().
      
         - netfilter: skip immediate deactivate in _PREPARE_ERROR
      
         - tipc: stop tipc crypto on failure in tipc_node_create
      
         - eth: igc: fix kernel panic during ndo_tx_timeout callback
      
         - eth: iavf: fix potential deadlock on allocation failure
      
        Previous releases - always broken:
      
         - ipv6: fix bug where deleting a mngtmpaddr can create a new
           temporary address
      
         - eth: ice: fix memory management in ice_ethtool_fdir.c
      
         - eth: hns3: fix the imp capability bit cannot exceed 32 bits issue
      
         - eth: vxlan: calculate correct header length for GPE
      
         - eth: stmmac: apply redundant write work around on 4.xx too"
      
      * tag 'net-6.5-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (49 commits)
        tipc: stop tipc crypto on failure in tipc_node_create
        af_unix: Terminate sun_path when bind()ing pathname socket.
        tipc: check return value of pskb_trim()
        benet: fix return value check in be_lancer_xmit_workarounds()
        virtio-net: fix race between set queues and probe
        net/sched: mqprio: Add length check for TCA_MQPRIO_{MAX/MIN}_RATE64
        splice, net: Fix splice_to_socket() for O_NONBLOCK socket
        net: fec: tx processing does not call XDP APIs if budget is 0
        mptcp: more accurate NL event generation
        selftests: mptcp: join: only check for ip6tables if needed
        tools: ynl-gen: fix parse multi-attr enum attribute
        tools: ynl-gen: fix enum index in _decode_enum(..)
        netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID
        netfilter: nf_tables: skip immediate deactivate in _PREPARE_ERROR
        netfilter: nft_set_rbtree: fix overlap expiration walk
        igc: Fix Kernel Panic during ndo_tx_timeout callback
        net: dsa: qca8k: fix mdb add/del case with 0 VID
        net: dsa: qca8k: fix broken search_and_del
        net: dsa: qca8k: fix search_and_insert wrong handling of new rule
        net: dsa: qca8k: enable use_single_write for qca8xxx
        ...
      57012c57
    • Merge tag 'soundwire-6.5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/soundwire · bc168790
      Linus Torvalds authored
      Pull soundwire fixes from Vinod Koul:
      
       - Core fix for enumeration completion
      
       - Qualcomm driver fix to update status
      
       - AMD driver fix for probe error check
      
      * tag 'soundwire-6.5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/soundwire:
        soundwire: amd: Fix a check for errors in probe()
        soundwire: qcom: update status correctly with mask
        soundwire: fix enumeration completion
      bc168790
    • Merge tag 'phy-fixes-6.5' of git://git.kernel.org/pub/scm/linux/kernel/git/phy/linux-phy · 53c8621b
      Linus Torvalds authored
      Pull phy fixes from Vinod Koul:
      
       - Out of bound fix for hisilicon phy
      
       - Qualcomm synopsis femto phy for keeping clock enabled during suspend
         and enabling ref clocks
      
       - Mediatek driver fixes for upper limit test and error code
      
      * tag 'phy-fixes-6.5' of git://git.kernel.org/pub/scm/linux/kernel/git/phy/linux-phy:
        phy: hisilicon: Fix an out of bounds check in hisi_inno_phy_probe()
        phy: qcom-snps-femto-v2: use qcom_snps_hsphy_suspend/resume error code
        phy: qcom-snps-femto-v2: properly enable ref clock
        phy: qcom-snps-femto-v2: keep cfg_ahb_clk enabled during runtime suspend
        phy: mediatek: hdmi: mt8195: fix prediv bad upper limit test
        phy: phy-mtk-dp: Fix an error code in probe()
      53c8621b
    • Merge tag 'for-6.5-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 64de76ce
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
      
       - fix accounting of global block reserve size when block group tree is
         enabled
      
       - the async discard has been enabled in 6.2 unconditionally, but for
         zoned mode it does not make that much sense to do it asynchronously
         as the zones are reset as needed
      
       - error handling and proper error value propagation fixes
      
      * tag 'for-6.5-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: check for commit error at btrfs_attach_transaction_barrier()
        btrfs: check if the transaction was aborted at btrfs_wait_for_commit()
        btrfs: remove BUG_ON()'s in add_new_free_space()
        btrfs: account block group tree when calculating global reserve size
        btrfs: zoned: do not enable async discard
      64de76ce
    • Merge tag 'fixes-2023-07-27' of git://git.kernel.org/pub/scm/linux/kernel/git/rppt/memblock · 379e6671
      Linus Torvalds authored
      Pull memblock fix from Mike Rapoport:
       "A call to memblock_free() or memblock_phys_free() issued after
        memblock data is discarded will result in use after free in
        memblock_isolate_range().
      
        Avoid those issues by making sure that memblock_discard points
        memblock.reserved.regions back at the static buffer"
      
      * tag 'fixes-2023-07-27' of git://git.kernel.org/pub/scm/linux/kernel/git/rppt/memblock:
        mm,memblock: reset memblock.reserved to system init state to prevent UAF
      379e6671
    • mm: lock_vma_under_rcu() must check vma->anon_vma under vma lock · 657b5146
      Jann Horn authored
      lock_vma_under_rcu() tries to guarantee that __anon_vma_prepare() can't
      be called in the VMA-locked page fault path by ensuring that
      vma->anon_vma is set.
      
      However, this check happens before the VMA is locked, which means a
      concurrent move_vma() can concurrently call unlink_anon_vmas(), which
      disassociates the VMA's anon_vma.
      
      This means we can get UAF in the following scenario:
      
        THREAD 1                   THREAD 2
        ========                   ========
        <page fault>
          lock_vma_under_rcu()
            rcu_read_lock()
            mas_walk()
            check vma->anon_vma
      
                                   mremap() syscall
                                     move_vma()
                                      vma_start_write()
                                       unlink_anon_vmas()
                                   <syscall end>
      
          handle_mm_fault()
            __handle_mm_fault()
              handle_pte_fault()
                do_pte_missing()
                  do_anonymous_page()
                    anon_vma_prepare()
                      __anon_vma_prepare()
                        find_mergeable_anon_vma()
                          mas_walk() [looks up VMA X]
      
                                   munmap() syscall (deletes VMA X)
      
                          reusable_anon_vma() [called on freed VMA X]
      
      This is a security bug if you can hit it, although an attacker would
      have to win two races at once where the first race window is only a few
      instructions wide.
      
      This patch is based on some previous discussion with Linus Torvalds on
      the security list.
      
      Cc: stable@vger.kernel.org
      Fixes: 5e31275c ("mm: add per-VMA lock and helper functions to control it")
      Signed-off-by: Jann Horn <jannh@google.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      657b5146
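The window the commit above describes (anon_vma checked before the VMA lock is taken, so a concurrent mremap() can unlink it in between) can be reproduced deterministically in a small model. The following C program is an added illustration, not code from the commit or from the kernel: `lock_vma_model()` stands in for lock_vma_under_rcu() with a switch selecting the original ordering (check, then lock) or the fixed one (lock, then check), `mremap_race()` plays the move_vma()/vma_start_write()/unlink_anon_vmas() step, and the `race` callback is invoked exactly where the concurrent syscall could interleave. The names `run_scenario`, `FAULT_*`, `mremap_race` and `no_race` are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a VMA (not the kernel struct): only the two fields
 * the race is about. write_locked models vma_start_write(). */
struct anon_vma { int id; };
struct vma {
    struct anon_vma *anon_vma;  /* NULL after unlink_anon_vmas() */
    bool write_locked;          /* held by the mremap()/munmap() path */
};

/* What the fault path would do after the lookup. */
enum outcome {
    FAULT_VMA_LOCKED = 0,  /* locked, anon_vma present: fast path is safe */
    FAULT_FALLBACK   = 1,  /* leave the fast path, retry under mmap_lock */
    FAULT_UNSAFE     = 2,  /* locked but anon_vma NULL: __anon_vma_prepare() would run */
};

typedef void (*race_fn)(struct vma *);

/* Modelled vma_start_read(): fails while a writer holds the VMA lock. */
static bool vma_start_read(struct vma *v) { return !v->write_locked; }

/* Modelled concurrent mremap(): write-lock, unlink anon_vma, release. */
void mremap_race(struct vma *v)
{
    v->write_locked = true;   /* vma_start_write() */
    v->anon_vma = NULL;       /* unlink_anon_vmas() */
    v->write_locked = false;  /* syscall end */
}

void no_race(struct vma *v) { (void)v; }

/* Model of lock_vma_under_rcu(). check_before_lock=true is the original
 * ordering; false is the fixed ordering. `race` runs at the point where
 * the other thread can interleave: after the lookup, before the lock. */
enum outcome lock_vma_model(struct vma *v, bool check_before_lock, race_fn race)
{
    if (check_before_lock && !v->anon_vma)
        return FAULT_FALLBACK;     /* original: checked without the lock */
    race(v);                       /* window: anon_vma is unprotected here */
    if (!vma_start_read(v))
        return FAULT_FALLBACK;     /* writer still active: back off */
    if (!check_before_lock && !v->anon_vma)
        return FAULT_FALLBACK;     /* fixed: check is made under the lock */
    return v->anon_vma ? FAULT_VMA_LOCKED : FAULT_UNSAFE;
}

/* Run one scenario on a fresh VMA whose anon_vma is initially set. */
enum outcome run_scenario(bool check_before_lock, race_fn race)
{
    static struct anon_vma av = { .id = 1 };
    struct vma v = { .anon_vma = &av, .write_locked = false };
    return lock_vma_model(&v, check_before_lock, race);
}

int main(void)
{
    printf("original ordering, no race : %d\n", run_scenario(true, no_race));
    printf("original ordering, raced   : %d\n", run_scenario(true, mremap_race));
    printf("fixed ordering, raced      : %d\n", run_scenario(false, mremap_race));
    return 0;
}
```

With the original ordering the raced run ends in `FAULT_UNSAFE`: the check passed, the writer came and went, the read lock then succeeds on a VMA whose anon_vma is gone, which is exactly the state the lock was meant to rule out. With the fixed ordering the same interleaving yields `FAULT_FALLBACK`, because the NULL anon_vma is observed while the lock is held and the fault path retries under mmap_lock.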
    • iommufd: Set end correctly when doing batch carry · b7c822fa
      Jason Gunthorpe authored
      Even though the test suite covers this it somehow became obscured that
      this wasn't working.
      
      The test iommufd_ioas.mock_domain.access_domain_destory would blow up
      rarely.
      
      end should be set to 1 because this just pushed an item, the carry, to the
      pfns list.
      
      Sometimes the test would blow up with:
      
        BUG: kernel NULL pointer dereference, address: 0000000000000000
        #PF: supervisor read access in kernel mode
        #PF: error_code(0x0000) - not-present page
        PGD 0 P4D 0
        Oops: 0000 [#1] SMP
        CPU: 5 PID: 584 Comm: iommufd Not tainted 6.5.0-rc1-dirty #1236
        Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
        RIP: 0010:batch_unpin+0xa2/0x100 [iommufd]
        Code: 17 48 81 fe ff ff 07 00 77 70 48 8b 15 b7 be 97 e2 48 85 d2 74 14 48 8b 14 fa 48 85 d2 74 0b 40 0f b6 f6 48 c1 e6 04 48 01 f2 <48> 8b 3a 48 c1 e0 06 89 ca 48 89 de 48 83 e7 f0 48 01 c7 e8 96 dc
        RSP: 0018:ffffc90001677a58 EFLAGS: 00010246
        RAX: 00007f7e2646f000 RBX: 0000000000000000 RCX: 0000000000000001
        RDX: 0000000000000000 RSI: 00000000fefc4c8d RDI: 0000000000fefc4c
        RBP: ffffc90001677a80 R08: 0000000000000048 R09: 0000000000000200
        R10: 0000000000030b98 R11: ffffffff81f3bb40 R12: 0000000000000001
        R13: ffff888101f75800 R14: ffffc90001677ad0 R15: 00000000000001fe
        FS:  00007f9323679740(0000) GS:ffff8881ba540000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 0000000000000000 CR3: 0000000105ede003 CR4: 00000000003706a0
        DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
        DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
        Call Trace:
         <TASK>
         ? show_regs+0x5c/0x70
         ? __die+0x1f/0x60
         ? page_fault_oops+0x15d/0x440
         ? lock_release+0xbc/0x240
         ? exc_page_fault+0x4a4/0x970
         ? asm_exc_page_fault+0x27/0x30
         ? batch_unpin+0xa2/0x100 [iommufd]
         ? batch_unpin+0xba/0x100 [iommufd]
         __iopt_area_unfill_domain+0x198/0x430 [iommufd]
         ? __mutex_lock+0x8c/0xb80
         ? __mutex_lock+0x6aa/0xb80
         ? xa_erase+0x28/0x30
         ? iopt_table_remove_domain+0x162/0x320 [iommufd]
         ? lock_release+0xbc/0x240
         iopt_area_unfill_domain+0xd/0x10 [iommufd]
         iopt_table_remove_domain+0x195/0x320 [iommufd]
         iommufd_hw_pagetable_destroy+0xb3/0x110 [iommufd]
         iommufd_object_destroy_user+0x8e/0xf0 [iommufd]
         iommufd_device_detach+0xc5/0x140 [iommufd]
         iommufd_selftest_destroy+0x1f/0x70 [iommufd]
         iommufd_object_destroy_user+0x8e/0xf0 [iommufd]
         iommufd_destroy+0x3a/0x50 [iommufd]
         iommufd_fops_ioctl+0xfb/0x170 [iommufd]
         __x64_sys_ioctl+0x40d/0x9a0
         do_syscall_64+0x3c/0x80
         entry_SYSCALL_64_after_hwframe+0x46/0xb0
      
      Link: https://lore.kernel.org/r/3-v1-85aacb2af554+bc-iommufd_syz3_jgg@nvidia.com
      Cc: <stable@vger.kernel.org>
      Fixes: f394576e ("iommufd: PFN handling for iopt_pages")
      Reviewed-by: Kevin Tian <kevin.tian@intel.com>
      Tested-by: Nicolin Chen <nicolinc@nvidia.com>
      Reported-by: Nicolin Chen <nicolinc@nvidia.com>
      Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
      b7c822fa
    • iommufd: IOMMUFD_DESTROY should not increase the refcount · 99f98a7c
      Jason Gunthorpe authored
      syzkaller found a race where IOMMUFD_DESTROY increments the refcount:
      
             obj = iommufd_get_object(ucmd->ictx, cmd->id, IOMMUFD_OBJ_ANY);
             if (IS_ERR(obj))
                     return PTR_ERR(obj);
             iommufd_ref_to_users(obj);
             /* See iommufd_ref_to_users() */
             if (!iommufd_object_destroy_user(ucmd->ictx, obj))
      
      As part of the sequence to join the two existing primitives together.
      
      Allowing the refcount to be elevated without holding the destroy_rwsem
      violates the assumption that all temporary refcount elevations are
      protected by destroy_rwsem. Racing IOMMUFD_DESTROY with
      iommufd_object_destroy_user() will cause spurious failures:
      
        WARNING: CPU: 0 PID: 3076 at drivers/iommu/iommufd/device.c:477 iommufd_access_destroy+0x18/0x20 drivers/iommu/iommufd/device.c:478
        Modules linked in:
        CPU: 0 PID: 3076 Comm: syz-executor.0 Not tainted 6.3.0-rc1-syzkaller #0
        Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023
        RIP: 0010:iommufd_access_destroy+0x18/0x20 drivers/iommu/iommufd/device.c:477
        Code: e8 3d 4e 00 00 84 c0 74 01 c3 0f 0b c3 0f 1f 44 00 00 f3 0f 1e fa 48 89 fe 48 8b bf a8 00 00 00 e8 1d 4e 00 00 84 c0 74 01 c3 <0f> 0b c3 0f 1f 44 00 00 41 57 41 56 41 55 4c 8d ae d0 00 00 00 41
        RSP: 0018:ffffc90003067e08 EFLAGS: 00010246
        RAX: 0000000000000000 RBX: ffff888109ea0300 RCX: 0000000000000000
        RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00000000ffffffff
        RBP: 0000000000000004 R08: 0000000000000000 R09: ffff88810bbb3500
        R10: ffff88810bbb3e48 R11: 0000000000000000 R12: ffffc90003067e88
        R13: ffffc90003067ea8 R14: ffff888101249800 R15: 00000000fffffffe
        FS:  00007ff7254fe6c0(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 0000555557262da8 CR3: 000000010a6fd000 CR4: 0000000000350ef0
        Call Trace:
         <TASK>
         iommufd_test_create_access drivers/iommu/iommufd/selftest.c:596 [inline]
         iommufd_test+0x71c/0xcf0 drivers/iommu/iommufd/selftest.c:813
         iommufd_fops_ioctl+0x10f/0x1b0 drivers/iommu/iommufd/main.c:337
         vfs_ioctl fs/ioctl.c:51 [inline]
         __do_sys_ioctl fs/ioctl.c:870 [inline]
         __se_sys_ioctl fs/ioctl.c:856 [inline]
         __x64_sys_ioctl+0x84/0xc0 fs/ioctl.c:856
         do_syscall_x64 arch/x86/entry/common.c:50 [inline]
         do_syscall_64+0x38/0x80 arch/x86/entry/common.c:80
         entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      The solution is to not increment the refcount on the IOMMUFD_DESTROY path
      at all. Instead use the xa_lock to serialize everything. The refcount
      check == 1 and xa_erase can be done under a single critical region. This
      avoids the need for any refcount incrementing.
      
      It has the downside that if userspace races destroy with other operations
      it will get an EBUSY instead of waiting, but this kind of racing is
      already dangerous.
      
      Fixes: 2ff4bed7 ("iommufd: File descriptor, context, kconfig and makefiles")
      Link: https://lore.kernel.org/r/2-v1-85aacb2af554+bc-iommufd_syz3_jgg@nvidia.com
      Reviewed-by: Kevin Tian <kevin.tian@intel.com>
      Reported-by: syzbot+7574ebfe589049630608@syzkaller.appspotmail.com
      Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
      99f98a7c
    • Merge tag 'asoc-fix-v6.5-rc3' of... · 3b9adfbb
      Takashi Iwai authored
      Merge tag 'asoc-fix-v6.5-rc3' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
      
      ASoC: Fixes for v6.5
      
      A collection of device specific fixes, none particularly remarkable.
      There's a set of repetitive fixes for the RealTek drivers fixing an
      issue with suspend that was replicated in multiple drivers.
      3b9adfbb
    • tipc: stop tipc crypto on failure in tipc_node_create · de52e173
      Fedor Pchelkin authored
      If tipc_link_bc_create() fails inside tipc_node_create() for a newly
      allocated tipc node then we should stop its tipc crypto and free the
      resources allocated with a call to tipc_crypto_start().
      
      As the node ref is initialized to one at that point, just put the ref on
      the tipc_link_bc_create() error path, which leads to tipc_node_free()
      eventually being executed and properly cleaning the node and its crypto resources.
      
      Found by Linux Verification Center (linuxtesting.org).
      
      Fixes: cb8092d7 ("tipc: move bc link creation back to tipc_node_create")
      Suggested-by: Xin Long <lucien.xin@gmail.com>
      Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
      Reviewed-by: Xin Long <lucien.xin@gmail.com>
      Link: https://lore.kernel.org/r/20230725214628.25246-1-pchelkin@ispras.ru
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      de52e173
    • af_unix: Terminate sun_path when bind()ing pathname socket. · ecb4534b
      Kuniyuki Iwashima authored
      kernel test robot reported slab-out-of-bounds access in strlen(). [0]
      
      Commit 06d4c8a8 ("af_unix: Fix fortify_panic() in unix_bind_bsd().")
      removed unix_mkname_bsd() call in unix_bind_bsd().
      
      If sunaddr->sun_path is not terminated by user and we don't enable
      CONFIG_INIT_STACK_ALL_ZERO=y, strlen() will do the out-of-bounds access
      during file creation.
      
      Let's go back to strlen()-with-sockaddr_storage way and pack all 108
      trickiness into unix_mkname_bsd() with bold comments.
      
      [0]:
      BUG: KASAN: slab-out-of-bounds in strlen (lib/string.c:?)
      Read of size 1 at addr ffff000015492777 by task fortify_strlen_/168
      
      CPU: 0 PID: 168 Comm: fortify_strlen_ Not tainted 6.5.0-rc1-00333-g3329b603ebba #16
      Hardware name: linux,dummy-virt (DT)
      Call trace:
       dump_backtrace (arch/arm64/kernel/stacktrace.c:235)
       show_stack (arch/arm64/kernel/stacktrace.c:242)
       dump_stack_lvl (lib/dump_stack.c:107)
       print_report (mm/kasan/report.c:365 mm/kasan/report.c:475)
       kasan_report (mm/kasan/report.c:590)
       __asan_report_load1_noabort (mm/kasan/report_generic.c:378)
       strlen (lib/string.c:?)
       getname_kernel (./include/linux/fortify-string.h:? fs/namei.c:226)
       kern_path_create (fs/namei.c:3926)
       unix_bind (net/unix/af_unix.c:1221 net/unix/af_unix.c:1324)
       __sys_bind (net/socket.c:1792)
       __arm64_sys_bind (net/socket.c:1801)
       invoke_syscall (arch/arm64/kernel/syscall.c:? arch/arm64/kernel/syscall.c:52)
       el0_svc_common (./include/linux/thread_info.h:127 arch/arm64/kernel/syscall.c:147)
       do_el0_svc (arch/arm64/kernel/syscall.c:189)
       el0_svc (./arch/arm64/include/asm/daifflags.h:28 arch/arm64/kernel/entry-common.c:133 arch/arm64/kernel/entry-common.c:144 arch/arm64/kernel/entry-common.c:648)
       el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:?)
       el0t_64_sync (arch/arm64/kernel/entry.S:591)
      
      Allocated by task 168:
       kasan_set_track (mm/kasan/common.c:45 mm/kasan/common.c:52)
       kasan_save_alloc_info (mm/kasan/generic.c:512)
       __kasan_kmalloc (mm/kasan/common.c:383)
       __kmalloc (mm/slab_common.c:? mm/slab_common.c:998)
       unix_bind (net/unix/af_unix.c:257 net/unix/af_unix.c:1213 net/unix/af_unix.c:1324)
       __sys_bind (net/socket.c:1792)
       __arm64_sys_bind (net/socket.c:1801)
       invoke_syscall (arch/arm64/kernel/syscall.c:? arch/arm64/kernel/syscall.c:52)
       el0_svc_common (./include/linux/thread_info.h:127 arch/arm64/kernel/syscall.c:147)
       do_el0_svc (arch/arm64/kernel/syscall.c:189)
       el0_svc (./arch/arm64/include/asm/daifflags.h:28 arch/arm64/kernel/entry-common.c:133 arch/arm64/kernel/entry-common.c:144 arch/arm64/kernel/entry-common.c:648)
       el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:?)
       el0t_64_sync (arch/arm64/kernel/entry.S:591)
      
      The buggy address belongs to the object at ffff000015492700
       which belongs to the cache kmalloc-128 of size 128
      The buggy address is located 0 bytes to the right of
       allocated 119-byte region [ffff000015492700, ffff000015492777)
      
      The buggy address belongs to the physical page:
      page:00000000aeab52ba refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x55492
      anon flags: 0x3fffc0000000200(slab|node=0|zone=0|lastcpupid=0xffff)
      page_type: 0xffffffff()
      raw: 03fffc0000000200 ffff0000084018c0 fffffc00003d0e00 0000000000000005
      raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff000015492600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff000015492680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      >ffff000015492700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 fc
                                                                   ^
       ffff000015492780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       ffff000015492800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      
      Fixes: 06d4c8a8 ("af_unix: Fix fortify_panic() in unix_bind_bsd().")
      Reported-by: kernel test robot <oliver.sang@intel.com>
      Closes: https://lore.kernel.org/netdev/202307262110.659e5e8-oliver.sang@intel.com/
      Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
      Reviewed-by: Kees Cook <keescook@chromium.org>
      Link: https://lore.kernel.org/r/20230726190828.47874-1-kuniyu@amazon.com
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      ecb4534b
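      The "108 trickiness" above is easy to misread, so here is a userspace model of it. This is an added example, not code from the commit or the kernel tree: the kernel copies a bind() address into a sockaddr_storage-sized buffer, so a NUL can always be written at index addr_len and strlen() can run against that larger buffer instead of the 108-byte sun_path. The function names (make_unterminated, sun_path_has_nul, bsd_path_len) and the constructed all-'A' address are assumptions made for illustration; the real helper is unix_mkname_bsd() and is not reproduced here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Width of sun_path on this platform (108 bytes on Linux). */
#define SUN_PATH_LEN (sizeof(((struct sockaddr_un *)0)->sun_path))

/* Constructed input: sun_path completely filled with no terminating NUL,
 * which a bind(2) caller is free to pass. Returns the addr_len a caller
 * would hand to bind(). */
static socklen_t make_unterminated(struct sockaddr_un *a)
{
    memset(a, 0, sizeof(*a));
    a->sun_family = AF_UNIX;
    memset(a->sun_path, 'A', SUN_PATH_LEN);
    return (socklen_t)sizeof(*a);            /* 2 + 108 = 110 on Linux */
}

/* Does the path the user actually supplied contain a NUL at all? If not,
 * strlen(sun_path) on a buffer exactly addr_len bytes long walks off its
 * end, which is the out-of-bounds read KASAN reported above. */
static int sun_path_has_nul(const struct sockaddr_un *a, socklen_t addr_len)
{
    size_t off = offsetof(struct sockaddr_un, sun_path);
    if (addr_len <= off)
        return 0;
    return memchr(a->sun_path, '\0', addr_len - off) != NULL;
}

/* Model of the "strlen()-with-sockaddr_storage" approach: the address is
 * copied into a sockaddr_storage (128 bytes), so p[addr_len] is in bounds
 * for every valid addr_len (at most 110), and strlen() runs against that
 * bigger buffer rather than the 108-byte sun_path. Returns the path length,
 * or -1 for an implausible addr_len. Illustrative only (assumption), not
 * the kernel's unix_mkname_bsd(). */
static int bsd_path_len(const struct sockaddr_un *user_addr, socklen_t addr_len)
{
    struct sockaddr_storage storage;
    char *p = (char *)&storage;
    size_t off = offsetof(struct sockaddr_un, sun_path);

    if (addr_len <= off || addr_len > sizeof(struct sockaddr_un))
        return -1;

    memset(&storage, 0, sizeof(storage));
    memcpy(&storage, user_addr, addr_len);   /* what copy_from_user() delivers */
    p[addr_len] = '\0';                      /* addr_len <= 110 < 128: in bounds */

    return (int)strlen(p + off);
}

int main(void)
{
    struct sockaddr_un a;
    socklen_t len = make_unterminated(&a);

    printf("user supplied a NUL in sun_path: %s\n",
           sun_path_has_nul(&a, len) ? "yes" : "no");
    printf("path length via sockaddr_storage: %d\n", bsd_path_len(&a, len));
    return 0;
}
```

      The point to take away: a pathname address is only NUL-terminated if the caller chose to terminate it, so any strlen() on sun_path must be bounded by something other than the user's bytes.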
    • tipc: check return value of pskb_trim() · e46e06ff
      Yuanjun Gong authored
      goto free_skb if an unexpected result is returned by pskb_trim()
      in tipc_crypto_rcv_complete().
      
      Fixes: fc1b6d6d ("tipc: introduce TIPC encryption & authentication")
      Signed-off-by: Yuanjun Gong <ruc_gongyuanjun@163.com>
      Reviewed-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
      Link: https://lore.kernel.org/r/20230725064810.5820-1-ruc_gongyuanjun@163.com
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      e46e06ff
    • benet: fix return value check in be_lancer_xmit_workarounds() · 5c85f706
      Yuanjun Gong authored
      In be_lancer_xmit_workarounds(), it should go to label 'tx_drop'
      if an unexpected value is returned by pskb_trim().
      
      Fixes: 93040ae5 ("be2net: Fix to trim skb for padded vlan packets to workaround an ASIC Bug")
      Signed-off-by: Yuanjun Gong <ruc_gongyuanjun@163.com>
      Link: https://lore.kernel.org/r/20230725032726.15002-1-ruc_gongyuanjun@163.com
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      5c85f706
    • ALSA: hda/realtek: Support ASUS G713PV laptop · 8019a4ab
      Pavel Asyutchenko authored
      This laptop has CS35L41 amp connected via I2C.
      
      With this patch speakers begin to work if the
      missing _DSD properties are added to ACPI tables.
      
      Signed-off-by: Pavel Asyutchenko <svenpavel@gmail.com>
      Cc: <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20230726223732.20775-1-svenpavel@gmail.com
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      8019a4ab
    • Merge tag 'nf-23-07-26' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · ff0df208
      Jakub Kicinski authored
      Florian Westphal says:
      
      ====================
      netfilter fixes for net
      
      1. On-demand overlap detection in 'rbtree' set can cause memory leaks.
         This is broken since 6.2.
      
      2. An earlier fix in 6.4 to address an imbalance in refcounts during
         transaction error unwinding was incomplete, from Pablo Neira.
      
      3. Disallow adding a rule to a deleted chain, also from Pablo.
         Broken since 5.9.
      
      * tag 'nf-23-07-26' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
        netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID
        netfilter: nf_tables: skip immediate deactivate in _PREPARE_ERROR
        netfilter: nft_set_rbtree: fix overlap expiration walk
      ====================
      
      Link: https://lore.kernel.org/r/20230726152524.26268-1-fw@strlen.de
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      ff0df208
    • virtio-net: fix race between set queues and probe · 25266128
      Jason Wang authored
      A race was found where set_channels could be called after registering
      but before virtnet_set_queues() in virtnet_probe(). Fix this by
      moving the virtnet_set_queues() before netdevice registering. While at
      it, use _virtnet_set_queues() to avoid holding rtnl as the device is
      not even registered at that time.
      
      Cc: stable@vger.kernel.org
      Fixes: a220871b ("virtio-net: correctly enable multiqueue")
      Signed-off-by: Jason Wang <jasowang@redhat.com>
      Acked-by: Michael S. Tsirkin <mst@redhat.com>
      Reviewed-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
      Link: https://lore.kernel.org/r/20230725072049.617289-1-jasowang@redhat.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      25266128
    • net/sched: mqprio: Add length check for TCA_MQPRIO_{MAX/MIN}_RATE64 · 6c58c881
      Lin Ma authored
      The nla_for_each_nested parsing in function mqprio_parse_nlattr() does
      not check the length of the nested attribute. This can lead to an
      out-of-attribute read and allow a malformed nlattr (e.g., length 0) to
      be viewed as 8 byte integer and passed to priv->max_rate/min_rate.
      
      This patch adds a check based on nla_len() when checking the nla_type(),
      which ensures that the length of these two attributes equals
      sizeof(u64).
      
      Fixes: 4e8b86c0 ("mqprio: Introduce new hardware offload mode and shaper in mqprio")
      Reviewed-by: Victor Nogueira <victor@mojatatu.com>
      Signed-off-by: Lin Ma <linma@zju.edu.cn>
      Link: https://lore.kernel.org/r/20230725024227.426561-1-linma@zju.edu.cn
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      6c58c881
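      The out-of-attribute read described in the mqprio commit is easiest to see on a constructed message, so here is a small userspace model of it. This is an added example, not code from the commit or from net/sched: it re-states the nlattr header layout with its own minimal helpers (nla_ok, nla_next, nla_payload_len, nla_data; same names as the kernel's helpers but not the kernel's code), uses a hypothetical attribute type ATTR_RATE64 in place of TCA_MQPRIO_MAX_RATE64, and parses the same blob twice: once matching only on nla_type(), as before the fix, and once also requiring the payload length to equal sizeof(u64), as the fix does.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal re-statement of the netlink attribute header (same layout as
 * struct nlattr in <linux/netlink.h>) so this builds without kernel headers.
 * nla_len covers header plus payload, excluding trailing padding. */
struct nlattr {
    uint16_t nla_len;
    uint16_t nla_type;
};
#define NLA_ALIGNTO 4
#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))
#define NLA_HDRLEN ((int)NLA_ALIGN(sizeof(struct nlattr)))

/* Hypothetical attribute type standing in for TCA_MQPRIO_MAX_RATE64. */
#define ATTR_RATE64 1

static int nla_payload_len(const struct nlattr *a) { return a->nla_len - NLA_HDRLEN; }
static const void *nla_data(const struct nlattr *a) { return (const char *)a + NLA_HDRLEN; }
static int nla_ok(const struct nlattr *a, int rem)
{
    return rem >= NLA_HDRLEN && a->nla_len >= NLA_HDRLEN && a->nla_len <= rem;
}
static const struct nlattr *nla_next(const struct nlattr *a, int *rem)
{
    int total = NLA_ALIGN(a->nla_len);
    *rem -= total;
    return (const struct nlattr *)((const char *)a + total);
}

/* Walk a nested attribute blob and collect u64 rates.
 * check_len == 0 models the pre-fix parse: the type is matched but the
 * payload length is never compared with sizeof(u64), so a zero-length
 * attribute yields 8 bytes read from whatever follows its header.
 * check_len == 1 models the fix: reject a RATE64 attribute whose payload
 * is not exactly sizeof(uint64_t). Returns rates stored, or -EINVAL. */
static int parse_rates(const void *nested, int len, int check_len,
                       uint64_t *out, int max_out)
{
    const struct nlattr *a = nested;
    int rem = len, n = 0;

    for (; nla_ok(a, rem); a = nla_next(a, &rem)) {
        if (a->nla_type != ATTR_RATE64)
            continue;
        if (check_len && nla_payload_len(a) != (int)sizeof(uint64_t))
            return -EINVAL;
        if (n == max_out)
            return -EINVAL;
        memcpy(&out[n++], nla_data(a), sizeof(uint64_t)); /* the unchecked 8-byte read */
    }
    return n;
}

/* Constructed malformed message: a valid rate, then a RATE64 attribute with
 * nla_len == NLA_HDRLEN (no payload at all), then another valid rate.
 * Returns the number of bytes written, or -1 if the buffer is too small. */
static int build_message(unsigned char *buf, size_t cap)
{
    size_t pos = 0;
    uint64_t rates[2] = { 1000, 2000 };
    struct nlattr hdr;

    for (int i = 0; i < 3; i++) {
        size_t payload = (i == 1) ? 0 : sizeof(uint64_t);
        hdr.nla_len = (uint16_t)(NLA_HDRLEN + payload);
        hdr.nla_type = ATTR_RATE64;
        if (pos + NLA_ALIGN(hdr.nla_len) > cap)
            return -1;
        memcpy(buf + pos, &hdr, sizeof(hdr));
        if (payload)
            memcpy(buf + pos + NLA_HDRLEN, &rates[i / 2], payload);
        pos += NLA_ALIGN(hdr.nla_len);
    }
    return (int)pos;
}

int main(void)
{
    unsigned char msg[64];
    uint64_t rates[4] = { 0, 0, 0, 0 };
    int len = build_message(msg, sizeof(msg));
    int n = parse_rates(msg, len, 0, rates, 4);

    printf("unchecked: %d rates, rates[1] = %llu (header of the next attribute)\n",
           n, (unsigned long long)rates[1]);
    printf("checked:   %d (-EINVAL is %d)\n", parse_rates(msg, len, 1, rates, 4), -EINVAL);
    return 0;
}
```

      In this model the malformed attribute sits in the middle of the buffer, so the unchecked read stays inside the message and merely returns the next attribute's header as a "rate"; in the kernel the same read on a trailing attribute runs past the end of the attribute data, which is the bug the length check closes.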
    • splice, net: Fix splice_to_socket() for O_NONBLOCK socket · 0f0fa27b
      Jan Stancek authored
      LTP sendfile07 [1], which expects sendfile() to return EAGAIN when
      transferring data from regular file to a "full" O_NONBLOCK socket,
      started failing after commit 2dc334f1 ("splice, net: Use
      sendmsg(MSG_SPLICE_PAGES) rather than ->sendpage()").
      sendfile() no longer immediately returns, but now blocks.
      
      The removed sock_sendpage() handled this case by setting the MSG_DONTWAIT
      flag; fix the new splice_to_socket() to do the same for O_NONBLOCK sockets.
      
      [1] https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/syscalls/sendfile/sendfile07.c
      
      Fixes: 2dc334f1 ("splice, net: Use sendmsg(MSG_SPLICE_PAGES) rather than ->sendpage()")
      Acked-by: David Howells <dhowells@redhat.com>
      Signed-off-by: Jan Stancek <jstancek@redhat.com>
      Tested-by: Xi Ruoyao <xry111@xry111.site>
      Link: https://lore.kernel.org/r/023c0e21e595e00b93903a813bc0bfb9a5d7e368.1690219914.git.jstancek@redhat.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      0f0fa27b
    • net: fec: tx processing does not call XDP APIs if budget is 0 · 15cec633
      Wei Fang authored
      According to the clarification [1] in the latest napi.rst, the tx
      processing cannot call any XDP (or page pool) APIs if the "budget"
      is 0, because NAPI being called with a budget of 0 (such as from
      netpoll) indicates we may be in an IRQ context, and we cannot use the
      page pool from IRQ context.
      
      [1] https://lore.kernel.org/all/20230720161323.2025379-1-kuba@kernel.org/
      
      Fixes: 20f79739 ("net: fec: recycle pages for transmitted XDP frames")
      Signed-off-by: Wei Fang <wei.fang@nxp.com>
      Suggested-by: Jakub Kicinski <kuba@kernel.org>
      Link: https://lore.kernel.org/r/20230725074148.2936402-1-wei.fang@nxp.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      15cec633
  3. 26 Jul, 2023 10 commits