1. 22 Dec, 2023 8 commits
  2. 21 Dec, 2023 24 commits
    • David Howells's avatar
      afs: Fix use-after-free due to get/remove race in volume tree · 9a6b294a
      David Howells authored
      When an afs_volume struct is put, its refcount is reduced to 0 before
      the cell->volume_lock is taken and the volume removed from the
      cell->volumes tree.
      
      Unfortunately, this means that the lookup code can race and see a volume
      with a zero ref in the tree, resulting in a use-after-free:
      
          refcount_t: addition on 0; use-after-free.
          WARNING: CPU: 3 PID: 130782 at lib/refcount.c:25 refcount_warn_saturate+0x7a/0xda
          ...
          RIP: 0010:refcount_warn_saturate+0x7a/0xda
          ...
          Call Trace:
           afs_get_volume+0x3d/0x55
           afs_create_volume+0x126/0x1de
           afs_validate_fc+0xfe/0x130
           afs_get_tree+0x20/0x2e5
           vfs_get_tree+0x1d/0xc9
           do_new_mount+0x13b/0x22e
           do_mount+0x5d/0x8a
           __do_sys_mount+0x100/0x12a
           do_syscall_64+0x3a/0x94
           entry_SYSCALL_64_after_hwframe+0x62/0x6a
      
      Fix this by:
      
       (1) When putting, use a flag to indicate if the volume has been removed
           from the tree and skip the rb_erase if it has.
      
       (2) When looking up, use a conditional ref increment and if it fails
           because the refcount is 0, replace the node in the tree and set the
           removal flag.
      
      Fixes: 20325960 ("afs: Reorganise volume and server trees to be rooted on the cell")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Reviewed-by: default avatarJeffrey Altman <jaltman@auristor.com>
      cc: Marc Dionne <marc.dionne@auristor.com>
      cc: linux-afs@lists.infradead.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      9a6b294a
    • Matthew Wilcox (Oracle)'s avatar
      ida: Fix crash in ida_free when the bitmap is empty · af73483f
      Matthew Wilcox (Oracle) authored
      The IDA usually detects double-frees, but that detection failed to
      consider the case when there are no nearby IDs allocated and so we have a
      NULL bitmap rather than simply having a clear bit.  Add some tests to the
      test-suite to be sure we don't inadvertently reintroduce this problem.
      Unfortunately they're quite noisy so include a message to disregard
      the warnings.
      Reported-by: default avatarZhenghan Wang <wzhmmmmm@gmail.com>
      Signed-off-by: default avatarMatthew Wilcox (Oracle) <willy@infradead.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      af73483f
    • David Howells's avatar
      afs: Fix overwriting of result of DNS query · a9e01ac8
      David Howells authored
      In afs_update_cell(), ret is the result of the DNS lookup and the errors
      are to be handled by a switch - however, the value gets clobbered in
      between by setting it to -ENOMEM in case afs_alloc_vlserver_list()
      fails.
      
      Fix this by moving the setting of -ENOMEM into the error handling for
      OOM failure.  Further, only do it if we don't have an alternative error
      to return.
      
      Found by Linux Verification Center (linuxtesting.org) with SVACE.  Based
      on a patch from Anastasia Belova [1].
      
      Fixes: d5c32c89 ("afs: Fix cell DNS lookup")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Reviewed-by: default avatarJeffrey Altman <jaltman@auristor.com>
      cc: Anastasia Belova <abelova@astralinux.ru>
      cc: Marc Dionne <marc.dionne@auristor.com>
      cc: linux-afs@lists.infradead.org
      cc: lvc-project@linuxtesting.org
      Link: https://lore.kernel.org/r/20231221085849.1463-1-abelova@astralinux.ru/ [1]
      Link: https://lore.kernel.org/r/1700862.1703168632@warthog.procyon.org.uk/ # v1
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      a9e01ac8
    • Linus Torvalds's avatar
      Merge tag 'afs-fixes-20231221' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs · 937fd403
      Linus Torvalds authored
      Pull AFS fixes from David Howells:
       "Improve the interaction of arbitrary lookups in the AFS dynamic root
        that hit DNS lookup failures [1] where kafs behaves differently from
        openafs and causes some applications to fail that aren't expecting
        that. Further, negative DNS results aren't getting removed and are
        causing failures to persist.
      
         - Always delete unused (particularly negative) dentries as soon as
           possible so that they don't prevent future lookups from retrying.
      
         - Fix the handling of new-style negative DNS lookups in ->lookup() to
           make them return ENOENT so that userspace doesn't get confused when
           stat succeeds but the following open on the looked up file then
           fails.
      
         - Fix key handling so that DNS lookup results are reclaimed almost as
           soon as they expire rather than sitting round either forever or for
           an additional 5 mins beyond a set expiry time returning
           EKEYEXPIRED. They persist for 1s as /bin/ls will do a second stat
           call if the first fails"
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=216637 [1]
      Reviewed-by: default avatarJeffrey Altman <jaltman@auristor.com>
      
      * tag 'afs-fixes-20231221' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
        keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry
        afs: Fix dynamic root lookup DNS check
        afs: Fix the dynamic root's d_delete to always delete unused dentries
      937fd403
    • Linus Torvalds's avatar
      Merge tag 'trace-v6.7-rc6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace · 13b73446
      Linus Torvalds authored
      Pull tracing fixes from Steven Rostedt:
      
       - Fix another kerneldoc warning
      
       - Fix eventfs files to inherit the ownership of its parent directory.
      
         The dynamic creation of dentries in eventfs did not take into account
         if the tracefs file system was mounted with a gid/uid, and would
         still default to the gid/uid of root. This is a regression.
      
       - Fix warning when synthetic event testing is enabled along with
         startup event tracing testing is enabled
      
      * tag 'trace-v6.7-rc6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
        tracing / synthetic: Disable events after testing in synth_event_gen_test_init()
        eventfs: Have event files and directories default to parent uid and gid
        tracing/synthetic: fix kernel-doc warnings
      13b73446
    • Linus Torvalds's avatar
      Merge tag 'net-6.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 7c5e046b
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
       "Including fixes from WiFi and bpf.
      
        Current release - regressions:
      
         - bpf: syzkaller found null ptr deref in unix_bpf proto add
      
         - eth: i40e: fix ST code value for clause 45
      
        Previous releases - regressions:
      
         - core: return error from sk_stream_wait_connect() if sk_wait_event()
           fails
      
         - ipv6: revert remove expired routes with a separated list of routes
      
         - wifi rfkill:
             - set GPIO direction
             - fix crash with WED rx support enabled
      
         - bluetooth:
             - fix deadlock in vhci_send_frame
             - fix use-after-free in bt_sock_recvmsg
      
         - eth: mlx5e: fix a race in command alloc flow
      
         - eth: ice: fix PF with enabled XDP going no-carrier after reset
      
         - eth: bnxt_en: do not map packet buffers twice
      
        Previous releases - always broken:
      
         - core:
             - check vlan filter feature in vlan_vids_add_by_dev() and
               vlan_vids_del_by_dev()
             - check dev->gso_max_size in gso_features_check()
      
         - mptcp: fix inconsistent state on fastopen race
      
         - phy: skip LED triggers on PHYs on SFP modules
      
         - eth: mlx5e:
             - fix double free of encap_header
             - fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list()"
      
      * tag 'net-6.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (69 commits)
        net: check dev->gso_max_size in gso_features_check()
        kselftest: rtnetlink.sh: use grep_fail when expecting the cmd fail
        net/ipv6: Revert remove expired routes with a separated list of routes
        net: avoid build bug in skb extension length calculation
        net: ethernet: mtk_wed: fix possible NULL pointer dereference in mtk_wed_wo_queue_tx_clean()
        net: stmmac: fix incorrect flag check in timestamp interrupt
        selftests: add vlan hw filter tests
        net: check vlan filter feature in vlan_vids_add_by_dev() and vlan_vids_del_by_dev()
        net: hns3: add new maintainer for the HNS3 ethernet driver
        net: mana: select PAGE_POOL
        net: ks8851: Fix TX stall caused by TX buffer overrun
        ice: Fix PF with enabled XDP going no-carrier after reset
        ice: alter feature support check for SRIOV and LAG
        ice: stop trashing VF VSI aggregator node ID information
        mailmap: add entries for Geliang Tang
        mptcp: fill in missing MODULE_DESCRIPTION()
        mptcp: fix inconsistent state on fastopen race
        selftests: mptcp: join: fix subflow_send_ack lookup
        net: phy: skip LED triggers on PHYs on SFP modules
        bpf: Add missing BPF_LINK_TYPE invocations
        ...
      7c5e046b
    • Steven Rostedt (Google)'s avatar
      tracing / synthetic: Disable events after testing in synth_event_gen_test_init() · 88b30c7f
      Steven Rostedt (Google) authored
      The synth_event_gen_test module can be built in, if someone wants to run
      the tests at boot up and not have to load them.
      
      The synth_event_gen_test_init() function creates and enables the synthetic
      events and runs its tests.
      
      The synth_event_gen_test_exit() disables the events it created and
      destroys the events.
      
      If the module is builtin, the events are never disabled. The issue is, the
      events should be disable after the tests are run. This could be an issue
      if the rest of the boot up tests are enabled, as they expect the events to
      be in a known state before testing. That known state happens to be
      disabled.
      
      When CONFIG_SYNTH_EVENT_GEN_TEST=y and CONFIG_EVENT_TRACE_STARTUP_TEST=y
      a warning will trigger:
      
       Running tests on trace events:
       Testing event create_synth_test:
       Enabled event during self test!
       ------------[ cut here ]------------
       WARNING: CPU: 2 PID: 1 at kernel/trace/trace_events.c:4150 event_trace_self_tests+0x1c2/0x480
       Modules linked in:
       CPU: 2 PID: 1 Comm: swapper/0 Not tainted 6.7.0-rc2-test-00031-gb803d7c6-dirty #276
       Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
       RIP: 0010:event_trace_self_tests+0x1c2/0x480
       Code: bb e8 a2 ab 5d fc 48 8d 7b 48 e8 f9 3d 99 fc 48 8b 73 48 40 f6 c6 01 0f 84 d6 fe ff ff 48 c7 c7 20 b6 ad bb e8 7f ab 5d fc 90 <0f> 0b 90 48 89 df e8 d3 3d 99 fc 48 8b 1b 4c 39 f3 0f 85 2c ff ff
       RSP: 0000:ffffc9000001fdc0 EFLAGS: 00010246
       RAX: 0000000000000029 RBX: ffff88810399ca80 RCX: 0000000000000000
       RDX: 0000000000000000 RSI: ffffffffb9f19478 RDI: ffff88823c734e64
       RBP: ffff88810399f300 R08: 0000000000000000 R09: fffffbfff79eb32a
       R10: ffffffffbcf59957 R11: 0000000000000001 R12: ffff888104068090
       R13: ffffffffbc89f0a0 R14: ffffffffbc8a0f08 R15: 0000000000000078
       FS:  0000000000000000(0000) GS:ffff88823c700000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 0000000000000000 CR3: 00000001f6282001 CR4: 0000000000170ef0
       Call Trace:
        <TASK>
        ? __warn+0xa5/0x200
        ? event_trace_self_tests+0x1c2/0x480
        ? report_bug+0x1f6/0x220
        ? handle_bug+0x6f/0x90
        ? exc_invalid_op+0x17/0x50
        ? asm_exc_invalid_op+0x1a/0x20
        ? tracer_preempt_on+0x78/0x1c0
        ? event_trace_self_tests+0x1c2/0x480
        ? __pfx_event_trace_self_tests_init+0x10/0x10
        event_trace_self_tests_init+0x27/0xe0
        do_one_initcall+0xd6/0x3c0
        ? __pfx_do_one_initcall+0x10/0x10
        ? kasan_set_track+0x25/0x30
        ? rcu_is_watching+0x38/0x60
        kernel_init_freeable+0x324/0x450
        ? __pfx_kernel_init+0x10/0x10
        kernel_init+0x1f/0x1e0
        ? _raw_spin_unlock_irq+0x33/0x50
        ret_from_fork+0x34/0x60
        ? __pfx_kernel_init+0x10/0x10
        ret_from_fork_asm+0x1b/0x30
        </TASK>
      
      This is because the synth_event_gen_test_init() left the synthetic events
      that it created enabled. By having it disable them after testing, the
      other selftests will run fine.
      
      Link: https://lore.kernel.org/linux-trace-kernel/20231220111525.2f0f49b0@gandalf.local.home
      
      Cc: stable@vger.kernel.org
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Tom Zanussi <zanussi@kernel.org>
      Fixes: 9fe41efa ("tracing: Add synth event generation test module")
      Acked-by: default avatarMasami Hiramatsu (Google) <mhiramat@kernel.org>
      Reported-by: default avatarAlexander Graf <graf@amazon.com>
      Tested-by: default avatarAlexander Graf <graf@amazon.com>
      Signed-off-by: default avatarSteven Rostedt (Google) <rostedt@goodmis.org>
      88b30c7f
    • Steven Rostedt (Google)'s avatar
      eventfs: Have event files and directories default to parent uid and gid · 0dfc852b
      Steven Rostedt (Google) authored
      Dongliang reported:
      
        I found that in the latest version, the nodes of tracefs have been
        changed to dynamically created.
      
        This has caused me to encounter a problem where the gid I specified in
        the mounting parameters cannot apply to all files, as in the following
        situation:
      
        /data/tmp/events # mount | grep tracefs
        tracefs on /data/tmp type tracefs (rw,seclabel,relatime,gid=3012)
      
        gid 3012 = readtracefs
      
        /data/tmp # ls -lh
        total 0
        -r--r-----   1 root readtracefs 0 1970-01-01 08:00 README
        -r--r-----   1 root readtracefs 0 1970-01-01 08:00 available_events
      
        ums9621_1h10:/data/tmp/events # ls -lh
        total 0
        drwxr-xr-x 2 root root 0 2023-12-19 00:56 alarmtimer
        drwxr-xr-x 2 root root 0 2023-12-19 00:56 asoc
      
        It will prevent certain applications from accessing tracefs properly, I
        try to avoid this issue by making the following modifications.
      
      To fix this, have the files created default to taking the ownership of
      the parent dentry unless the ownership was previously set by the user.
      
      Link: https://lore.kernel.org/linux-trace-kernel/1703063706-30539-1-git-send-email-dongliang.cui@unisoc.com/
      Link: https://lore.kernel.org/linux-trace-kernel/20231220105017.1489d790@gandalf.local.home
      
      Cc: stable@vger.kernel.org
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Hongyu Jin  <hongyu.jin@unisoc.com>
      Fixes: 28e12c09 ("eventfs: Save ownership and mode")
      Acked-by: default avatarMasami Hiramatsu (Google) <mhiramat@kernel.org>
      Reported-by: default avatarDongliang Cui <cuidongliang390@gmail.com>
      Signed-off-by: default avatarSteven Rostedt (Google) <rostedt@goodmis.org>
      0dfc852b
    • David Howells's avatar
      keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry · 39299bdd
      David Howells authored
      If a key has an expiration time, then when that time passes, the key is
      left around for a certain amount of time before being collected (5 mins by
      default) so that EKEYEXPIRED can be returned instead of ENOKEY.  This is a
      problem for DNS keys because we want to redo the DNS lookup immediately at
      that point.
      
      Fix this by allowing key types to be marked such that keys of that type
      don't have this extra period, but are reclaimed as soon as they expire and
      turn this on for dns_resolver-type keys.  To make this easier to handle,
      key->expiry is changed to be permanent if TIME64_MAX rather than 0.
      
      Furthermore, give such new-style negative DNS results a 1s default expiry
      if no other expiry time is set rather than allowing it to stick around
      indefinitely.  This shouldn't be zero as ls will follow a failing stat call
      immediately with a second with AT_SYMLINK_NOFOLLOW added.
      
      Fixes: 1a4240f4 ("DNS: Separate out CIFS DNS Resolver code")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Tested-by: default avatarMarkus Suvanto <markus.suvanto@gmail.com>
      cc: Wang Lei <wang840925@gmail.com>
      cc: Jeff Layton <jlayton@redhat.com>
      cc: Steve French <smfrench@gmail.com>
      cc: Marc Dionne <marc.dionne@auristor.com>
      cc: Jarkko Sakkinen <jarkko@kernel.org>
      cc: "David S. Miller" <davem@davemloft.net>
      cc: Eric Dumazet <edumazet@google.com>
      cc: Jakub Kicinski <kuba@kernel.org>
      cc: Paolo Abeni <pabeni@redhat.com>
      cc: linux-afs@lists.infradead.org
      cc: linux-cifs@vger.kernel.org
      cc: linux-nfs@vger.kernel.org
      cc: ceph-devel@vger.kernel.org
      cc: keyrings@vger.kernel.org
      cc: netdev@vger.kernel.org
      39299bdd
    • Paolo Abeni's avatar
      Merge tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 74769d81
      Paolo Abeni authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2023-12-21
      
      Hi David, hi Jakub, hi Paolo, hi Eric,
      
      The following pull-request contains BPF updates for your *net* tree.
      
      We've added 3 non-merge commits during the last 5 day(s) which contain
      a total of 4 files changed, 45 insertions(+).
      
      The main changes are:
      
      1) Fix a syzkaller splat which triggered an oob issue in bpf_link_show_fdinfo(),
         from Jiri Olsa.
      
      2) Fix another syzkaller-found issue which triggered a NULL pointer dereference
         in BPF sockmap for unconnected unix sockets, from John Fastabend.
      
      bpf-for-netdev
      
      * tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
        bpf: Add missing BPF_LINK_TYPE invocations
        bpf: sockmap, test for unconnected af_unix sock
        bpf: syzkaller found null ptr deref in unix_bpf proto add
      ====================
      
      Link: https://lore.kernel.org/r/20231221104844.1374-1-daniel@iogearbox.netSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      74769d81
    • xiongxin's avatar
      gpio: dwapb: mask/unmask IRQ when disable/enale it · 1cc3542c
      xiongxin authored
      In the hardware implementation of the I2C HID driver based on DesignWare
      GPIO IRQ chip, when the user continues to use the I2C HID device in the
      suspend process, the I2C HID interrupt will be masked after the resume
      process is finished.
      
      This is because the disable_irq()/enable_irq() of the DesignWare GPIO
      driver does not synchronize the IRQ mask register state. In normal use
      of the I2C HID procedure, the GPIO IRQ irq_mask()/irq_unmask() functions
      are called in pairs. In case of an exception, i2c_hid_core_suspend()
      calls disable_irq() to disable the GPIO IRQ. With low probability, this
      causes irq_unmask() to not be called, which causes the GPIO IRQ to be
      masked and not unmasked in enable_irq(), raising an exception.
      
      Add synchronization to the masked register state in the
      dwapb_irq_enable()/dwapb_irq_disable() function. mask the GPIO IRQ
      before disabling it. After enabling the GPIO IRQ, unmask the IRQ.
      
      Fixes: 7779b345 ("gpio: add a driver for the Synopsys DesignWare APB GPIO block")
      Cc: stable@kernel.org
      Co-developed-by: default avatarRiwen Lu <luriwen@kylinos.cn>
      Signed-off-by: default avatarRiwen Lu <luriwen@kylinos.cn>
      Signed-off-by: default avatarxiongxin <xiongxin@kylinos.cn>
      Acked-by: default avatarSerge Semin <fancer.lancer@gmail.com>
      Reviewed-by: default avatarAndy Shevchenko <andy@kernel.org>
      Signed-off-by: default avatarBartosz Golaszewski <bartosz.golaszewski@linaro.org>
      1cc3542c
    • Kent Gibson's avatar
      gpiolib: cdev: add gpio_device locking wrapper around gpio_ioctl() · 1d656bd2
      Kent Gibson authored
      While the GPIO cdev gpio_ioctl() call is in progress, the kernel can
      call gpiochip_remove() which will set gdev->chip to NULL, after which
      any subsequent access will cause a crash.
      
      gpio_ioctl() was overlooked by the previous fix to protect syscalls
      (bdbbae24), so add protection for that.
      
      Fixes: bdbbae24 ("gpiolib: protect the GPIO device against being dropped while in use by user-space")
      Fixes: d7c51b47 ("gpio: userspace ABI for reading/writing GPIO lines")
      Fixes: 3c0d9c63 ("gpiolib: cdev: support GPIO_V2_GET_LINE_IOCTL and GPIO_V2_LINE_GET_VALUES_IOCTL")
      Fixes: aad95584 ("gpiolib: cdev: support GPIO_V2_GET_LINEINFO_IOCTL and GPIO_V2_GET_LINEINFO_WATCH_IOCTL")
      Signed-off-by: default avatarKent Gibson <warthog618@gmail.com>
      Signed-off-by: default avatarBartosz Golaszewski <bartosz.golaszewski@linaro.org>
      1d656bd2
    • Eric Dumazet's avatar
      net: check dev->gso_max_size in gso_features_check() · 24ab059d
      Eric Dumazet authored
      Some drivers might misbehave if TSO packets get too big.
      
      GVE for instance uses a 16bit field in its TX descriptor,
      and will do bad things if a packet is bigger than 2^16 bytes.
      
      Linux TCP stack honors dev->gso_max_size, but there are
      other ways for too big packets to reach an ndo_start_xmit()
      handler : virtio_net, af_packet, GRO...
      
      Add a generic check in gso_features_check() and fallback
      to GSO when needed.
      
      gso_max_size was added in the blamed commit.
      
      Fixes: 82cc1a7a ("[NET]: Add per-connection option to set max TSO frame size")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20231219125331.4127498-1-edumazet@google.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      24ab059d
    • Hangbin Liu's avatar
      kselftest: rtnetlink.sh: use grep_fail when expecting the cmd fail · b8056f2c
      Hangbin Liu authored
      run_cmd_grep_fail should be used when expecting the cmd fail, or the ret
      will be set to 1, and the total test return 1 when exiting. This would cause
      the result report to fail if run via run_kselftest.sh.
      
      Before fix:
       # ./rtnetlink.sh -t kci_test_addrlft
       PASS: preferred_lft addresses have expired
       # echo $?
       1
      
      After fix:
       # ./rtnetlink.sh -t kci_test_addrlft
       PASS: preferred_lft addresses have expired
       # echo $?
       0
      
      Fixes: 9c2a19f7 ("kselftest: rtnetlink.sh: add verbose flag")
      Signed-off-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Link: https://lore.kernel.org/r/20231219065737.1725120-1-liuhangbin@gmail.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      b8056f2c
    • Alexis Lothoré's avatar
      pinctrl: at91-pio4: use dedicated lock class for IRQ · 14694179
      Alexis Lothoré authored
      Trying to suspend to RAM on SAMA5D27 EVK leads to the following lockdep
      warning:
      
       ============================================
       WARNING: possible recursive locking detected
       6.7.0-rc5-wt+ #532 Not tainted
       --------------------------------------------
       sh/92 is trying to acquire lock:
       c3cf306c (&irq_desc_lock_class){-.-.}-{2:2}, at: __irq_get_desc_lock+0xe8/0x100
      
       but task is already holding lock:
       c3d7c46c (&irq_desc_lock_class){-.-.}-{2:2}, at: __irq_get_desc_lock+0xe8/0x100
      
       other info that might help us debug this:
        Possible unsafe locking scenario:
      
              CPU0
              ----
         lock(&irq_desc_lock_class);
         lock(&irq_desc_lock_class);
      
        *** DEADLOCK ***
      
        May be due to missing lock nesting notation
      
       6 locks held by sh/92:
        #0: c3aa0258 (sb_writers#6){.+.+}-{0:0}, at: ksys_write+0xd8/0x178
        #1: c4c2df44 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x138/0x284
        #2: c32684a0 (kn->active){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x148/0x284
        #3: c232b6d4 (system_transition_mutex){+.+.}-{3:3}, at: pm_suspend+0x13c/0x4e8
        #4: c387b088 (&dev->mutex){....}-{3:3}, at: __device_suspend+0x1e8/0x91c
        #5: c3d7c46c (&irq_desc_lock_class){-.-.}-{2:2}, at: __irq_get_desc_lock+0xe8/0x100
      
       stack backtrace:
       CPU: 0 PID: 92 Comm: sh Not tainted 6.7.0-rc5-wt+ #532
       Hardware name: Atmel SAMA5
        unwind_backtrace from show_stack+0x18/0x1c
        show_stack from dump_stack_lvl+0x34/0x48
        dump_stack_lvl from __lock_acquire+0x19ec/0x3a0c
        __lock_acquire from lock_acquire.part.0+0x124/0x2d0
        lock_acquire.part.0 from _raw_spin_lock_irqsave+0x5c/0x78
        _raw_spin_lock_irqsave from __irq_get_desc_lock+0xe8/0x100
        __irq_get_desc_lock from irq_set_irq_wake+0xa8/0x204
        irq_set_irq_wake from atmel_gpio_irq_set_wake+0x58/0xb4
        atmel_gpio_irq_set_wake from irq_set_irq_wake+0x100/0x204
        irq_set_irq_wake from gpio_keys_suspend+0xec/0x2b8
        gpio_keys_suspend from dpm_run_callback+0xe4/0x248
        dpm_run_callback from __device_suspend+0x234/0x91c
        __device_suspend from dpm_suspend+0x224/0x43c
        dpm_suspend from dpm_suspend_start+0x9c/0xa8
        dpm_suspend_start from suspend_devices_and_enter+0x1e0/0xa84
        suspend_devices_and_enter from pm_suspend+0x460/0x4e8
        pm_suspend from state_store+0x78/0xe4
        state_store from kernfs_fop_write_iter+0x1a0/0x284
        kernfs_fop_write_iter from vfs_write+0x38c/0x6f4
        vfs_write from ksys_write+0xd8/0x178
        ksys_write from ret_fast_syscall+0x0/0x1c
       Exception stack(0xc52b3fa8 to 0xc52b3ff0)
       3fa0:                   00000004 005a0ae8 00000001 005a0ae8 00000004 00000001
       3fc0: 00000004 005a0ae8 00000001 00000004 00000004 b6c616c0 00000020 0059d190
       3fe0: 00000004 b6c61678 aec5a041 aebf1a26
      
      This warning is raised because pinctrl-at91-pio4 uses chained IRQ. Whenever
      a wake up source configures an IRQ through irq_set_irq_wake, it will
      lock the corresponding IRQ desc, and then call irq_set_irq_wake on "parent"
      IRQ which will do the same on its own IRQ desc, but since those two locks
      share the same class, lockdep reports this as an issue.
      
      Fix lockdep false positive by setting a different class for parent and
      children IRQ
      
      Fixes: 77618084 ("pinctrl: introduce driver for Atmel PIO4 controller")
      Signed-off-by: default avatarAlexis Lothoré <alexis.lothore@bootlin.com>
      Link: https://lore.kernel.org/r/20231215-lockdep_warning-v1-1-8137b2510ed5@bootlin.comSigned-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      14694179
    • David Ahern's avatar
      net/ipv6: Revert remove expired routes with a separated list of routes · dade3f6a
      David Ahern authored
      This reverts commit 3dec89b1.
      
      The commit has some race conditions given how expires is managed on a
      fib6_info in relation to gc start, adding the entry to the gc list and
      setting the timer value leading to UAF. Revert the commit and try again
      in a later release.
      
      Fixes: 3dec89b1 ("net/ipv6: Remove expired routes with a separated list of routes")
      Cc: Kui-Feng Lee <thinker.li@gmail.com>
      Signed-off-by: default avatarDavid Ahern <dsahern@kernel.org>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20231219030243.25687-1-dsahern@kernel.orgSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      dade3f6a
    • Paolo Abeni's avatar
      Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · b414020f
      Paolo Abeni authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2023-12-18 (ice)
      
      This series contains updates to ice driver only.
      
      Jakes stops clearing of needed aggregator information.
      
      Dave adds a check for LAG device support before initializing the
      associated event handler.
      
      Larysa restores accounting of XDP queues in TC configurations.
      
      * '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue:
        ice: Fix PF with enabled XDP going no-carrier after reset
        ice: alter feature support check for SRIOV and LAG
        ice: stop trashing VF VSI aggregator node ID information
      ====================
      
      Link: https://lore.kernel.org/r/20231218192708.3397702-1-anthony.l.nguyen@intel.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      b414020f
    • Arnd Bergmann's avatar
      x86/xen: add CPU dependencies for 32-bit build · 93cd0597
      Arnd Bergmann authored
      Xen only supports modern CPUs even when running a 32-bit kernel, and it now
      requires a kernel built for a 64 byte (or larger) cache line:
      
      In file included from <command-line>:
      In function 'xen_vcpu_setup',
          inlined from 'xen_vcpu_setup_restore' at arch/x86/xen/enlighten.c:111:3,
          inlined from 'xen_vcpu_restore' at arch/x86/xen/enlighten.c:141:3:
      include/linux/compiler_types.h:435:45: error: call to '__compiletime_assert_287' declared with attribute error: BUILD_BUG_ON failed: sizeof(*vcpup) > SMP_CACHE_BYTES
      arch/x86/xen/enlighten.c:166:9: note: in expansion of macro 'BUILD_BUG_ON'
        166 |         BUILD_BUG_ON(sizeof(*vcpup) > SMP_CACHE_BYTES);
            |         ^~~~~~~~~~~~
      
      Enforce the dependency with a whitelist of CPU configurations. In normal
      distro kernels, CONFIG_X86_GENERIC is enabled, and this works fine. When this
      is not set, still allow Xen to be built on kernels that target a 64-bit
      capable CPU.
      
      Fixes: db283230 ("x86/xen: fix percpu vcpu_info allocation")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Reviewed-by: default avatarJuergen Gross <jgross@suse.com>
      Tested-by: default avatarAlyssa Ross <hi@alyssa.is>
      Link: https://lore.kernel.org/r/20231204084722.3789473-1-arnd@kernel.orgSigned-off-by: default avatarJuergen Gross <jgross@suse.com>
      93cd0597
    • Thomas Weißschuh's avatar
      net: avoid build bug in skb extension length calculation · d6e5794b
      Thomas Weißschuh authored
      GCC seems to incorrectly fail to evaluate skb_ext_total_length() at
      compile time under certain conditions.
      
      The issue even occurs if all values in skb_ext_type_len[] are "0",
      ruling out the possibility of an actual overflow.
      
      As the patch has been in mainline since v6.6 without triggering the
      problem it seems to be a very uncommon occurrence.
      
      As the issue only occurs when -fno-tree-loop-im is specified as part of
      CFLAGS_GCOV, disable the BUILD_BUG_ON() only when building with coverage
      reporting enabled.
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Closes: https://lore.kernel.org/oe-kbuild-all/202312171924.4FozI5FG-lkp@intel.com/Suggested-by: default avatarArnd Bergmann <arnd@arndb.de>
      Link: https://lore.kernel.org/lkml/487cfd35-fe68-416f-9bfd-6bb417f98304@app.fastmail.com/
      Fixes: 5d21d0a6 ("net: generalize calculation of skb extensions length")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarThomas Weißschuh <linux@weissschuh.net>
      Acked-by: default avatarArnd Bergmann <arnd@arndb.de>
      Link: https://lore.kernel.org/r/20231218-net-skbuff-build-bug-v1-1-eefc2fb0a7d3@weissschuh.netSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      d6e5794b
    • Lorenzo Bianconi's avatar
      net: ethernet: mtk_wed: fix possible NULL pointer dereference in mtk_wed_wo_queue_tx_clean() · 7cb8cd4d
      Lorenzo Bianconi authored
      In order to avoid a NULL pointer dereference, check entry->buf pointer before running
      skb_free_frag in mtk_wed_wo_queue_tx_clean routine.
      
      Fixes: 79968444 ("net: ethernet: mtk_wed: introduce wed wo support")
      Signed-off-by: default avatarLorenzo Bianconi <lorenzo@kernel.org>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Link: https://lore.kernel.org/r/3c1262464d215faa8acebfc08869798c81c96f4a.1702827359.git.lorenzo@kernel.orgSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      7cb8cd4d
    • Linus Torvalds's avatar
      posix-timers: Get rid of [COMPAT_]SYS_NI() uses · a4aebe93
      Linus Torvalds authored
      Only the posix timer system calls use this (when the posix timer support
      is disabled, which does not actually happen in any normal case), because
      they had debug code to print out a warning about missing system calls.
      
      Get rid of that special case, and just use the standard COND_SYSCALL
      interface that creates weak system call stubs that return -ENOSYS for
      when the system call does not exist.
      
      This fixes a kCFI issue with the SYS_NI() hackery:
      
        CFI failure at int80_emulation+0x67/0xb0 (target: sys_ni_posix_timers+0x0/0x70; expected type: 0xb02b34d9)
        WARNING: CPU: 0 PID: 48 at int80_emulation+0x67/0xb0
      Reported-by: default avatarkernel test robot <oliver.sang@intel.com>
      Reviewed-by: default avatarSami Tolvanen <samitolvanen@google.com>
      Tested-by: default avatarSami Tolvanen <samitolvanen@google.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      a4aebe93
    • Linus Torvalds's avatar
      Merge tag '6.7-rc6-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6 · eee7f5b4
      Linus Torvalds authored
      Pull smb client fixes from Steve French:
      
       - two multichannel reconnect fixes, one fixing an important refcounting
         problem that can lead to umount problems
      
       - atime fix
      
       - five fixes for various potential OOB accesses, including a CVE fix,
         and two additional fixes for problems pointed out by Robert Morris's
         fuzzing investigation
      
      * tag '6.7-rc6-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6:
        cifs: do not let cifs_chan_update_iface deallocate channels
        cifs: fix a pending undercount of srv_count
        fs: cifs: Fix atime update check
        smb: client: fix potential OOB in smb2_dump_detail()
        smb: client: fix potential OOB in cifs_dump_detail()
        smb: client: fix OOB in smbCalcSize()
        smb: client: fix OOB in SMB2_query_info_init()
        smb: client: fix OOB in cifsd when receiving compounded resps
      eee7f5b4
    • Linus Torvalds's avatar
      Merge tag 's390-6.7-4' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 1bf5c892
      Linus Torvalds authored
      Pull s390 fixes from Alexander Gordeev:
      
       - Fix virtual vs physical address confusion in Storage Class Memory
         (SCM) block device driver.
      
       - Fix saving and restoring of FPU kernel context, which could lead to
         corruption of vector registers 8-15
      
       - Update defconfigs
      
      * tag 's390-6.7-4' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390: update defconfigs
        s390/vx: fix save/restore of fpu kernel context
        s390/scm: fix virtual vs physical address confusion
      1bf5c892
    • Linus Torvalds's avatar
      Merge tag 'soc-fixes-6.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc · 87c71dd6
      Linus Torvalds authored
      Pull ARM SoC fixes from Arnd Bergmann:
       "There are only a handful of bugfixes this time, which feels almost too
        small, so I hope we are not missing something important.
      
         - One more mediatek dts warning fix after the previous larger set,
           this should finally result in a clean defconfig build.
      
         - TI OMAP dts fixes for a spurious hang on am335x and invalid data on
           DTA7
      
         - One DTS fix for ethernet on Oriange Pi Zero (Allwinner H616)
      
         - A regression fix for ti-sysc interconnect target module driver to
           not access registers after reset if srst_udelay quirk is needed
      
         - Reset controller driver fixes for a crash during error handling and
           a build warning"
      
      * tag 'soc-fixes-6.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc:
        arm64: dts: mediatek: mt8395-genio-1200-evk: add interrupt-parent for mt6360
        ARM: dts: Fix occasional boot hang for am3 usb
        reset: Fix crash when freeing non-existent optional resets
        ARM: OMAP2+: Fix null pointer dereference and memory leak in omap_soc_device_init
        ARM: dts: dra7: Fix DRA7 L3 NoC node register size
        bus: ti-sysc: Flush posted write only after srst_udelay
        reset: hisilicon: hi6220: fix Wvoid-pointer-to-enum-cast warning
        arm64: dts: allwinner: h616: update emac for Orange Pi Zero 3
      87c71dd6
  3. 20 Dec, 2023 8 commits