1. 11 Jul, 2024 1 commit
    • David Sterba's avatar
      btrfs: qgroup: do quick checks if quotas are enabled before starting ioctls · 34064fc3
      David Sterba authored
      The ioctls that add relations, create qgroups or set limits start/join
      transaction. When quotas are not enabled this is not necessary, there
      will be errors reported back anyway but this could be also misleading
      and we should really report that quotas are not enabled. For that use
      -ENOTCONN.
      
      The helper is meant to do a quick check before any other standard ioctl
      checks are done. If quota is disabled meanwhile we still rely on proper
      locking inside any active operation changing the qgroup structures.
      Reviewed-by: default avatarAnand Jain <anand.jain@oracle.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      34064fc3
  2. 07 Jul, 2024 3 commits
    • Linus Torvalds's avatar
      Linux 6.10-rc7 · 256abd8e
      Linus Torvalds authored
      256abd8e
    • Linus Torvalds's avatar
      Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · 5a4bd506
      Linus Torvalds authored
      Pull clk fixes from Stephen Boyd:
       "A set of clk fixes for the Qualcomm, Mediatek, and Allwinner drivers:
      
         - Fix the Qualcomm Stromer Plus PLL set_rate() clk_op to explicitly
           set the alpha enable bit and not set bits that don't exist
      
         - Mark Qualcomm IPQ9574 crypto clks as voted to avoid stuck clk
           warnings
      
         - Fix the parent of some PLLs on Qualcomm sm6530 so their rate is
           correct
      
         - Fix the min/max rate clamping logic in the Allwinner driver that
           got broken in v6.9
      
         - Limit runtime PM enabling in the Mediatek driver to only
           mt8183-mfgcfg so that system wide resume doesn't break on other
           Mediatek SoCs"
      
      * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
        clk: mediatek: mt8183: Only enable runtime PM on mt8183-mfgcfg
        clk: sunxi-ng: common: Don't call hw_to_ccu_common on hw without common
        clk: qcom: gcc-ipq9574: Add BRANCH_HALT_VOTED flag
        clk: qcom: apss-ipq-pll: remove 'config_ctl_hi_val' from Stromer pll configs
        clk: qcom: clk-alpha-pll: set ALPHA_EN bit for Stromer Plus PLLs
        clk: qcom: gcc-sm6350: Fix gpll6* & gpll7 parents
      5a4bd506
    • Linus Torvalds's avatar
      Merge tag 'powerpc-6.10-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · c6653f49
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
      
       - Fix unnecessary copy to 0 when kernel is booted at address 0
      
       - Fix usercopy crash when dumping dtl via debugfs
      
       - Avoid possible crash when PCI hotplug races with error handling
      
       - Fix kexec crash caused by scv being disabled before other CPUs
         call-in
      
       - Fix powerpc selftests build with USERCFLAGS set
      
      Thanks to Anjali K, Ganesh Goudar, Gautam Menghani, Jinglin Wen,
      Nicholas Piggin, Sourabh Jain, Srikar Dronamraju, and Vishal Chourasia.
      
      * tag 'powerpc-6.10-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        selftests/powerpc: Fix build with USERCFLAGS set
        powerpc/pseries: Fix scv instruction crash with kexec
        powerpc/eeh: avoid possible crash when edev->pdev changes
        powerpc/pseries: Whitelist dtl slub object for copying to userspace
        powerpc/64s: Fix unnecessary copy to 0 when kernel is booted at address 0
      c6653f49
  3. 06 Jul, 2024 3 commits
    • Linus Torvalds's avatar
      Merge tag '6.10-rc6-smb3-client-fix' of git://git.samba.org/sfrench/cifs-2.6 · 256fdd4b
      Linus Torvalds authored
      Pull smb client fix from Steve French:
       "Fix for smb3 readahead performance regression"
      
      * tag '6.10-rc6-smb3-client-fix' of git://git.samba.org/sfrench/cifs-2.6:
        cifs: Fix read-performance regression by dropping readahead expansion
      256fdd4b
    • Linus Torvalds's avatar
      Merge tag 'i2c-for-6.10-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · 22f902df
      Linus Torvalds authored
      Pull i2c fix from Wolfram Sang:
       "An i2c driver fix"
      
      * tag 'i2c-for-6.10-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr
      22f902df
    • Michael Ellerman's avatar
      selftests/powerpc: Fix build with USERCFLAGS set · 8b7f59de
      Michael Ellerman authored
      Currently building the powerpc selftests with USERCFLAGS set to anything
      causes the build to break:
      
        $ make -C tools/testing/selftests/powerpc V=1 USERCFLAGS=-Wno-error
        ...
        gcc -Wno-error    cache_shape.c ...
        cache_shape.c:18:10: fatal error: utils.h: No such file or directory
           18 | #include "utils.h"
              |          ^~~~~~~~~
        compilation terminated.
      
      This happens because the USERCFLAGS are added to CFLAGS in lib.mk, which
      causes the check of CFLAGS in powerpc/flags.mk to skip setting CFLAGS at
      all, resulting in none of the usual CFLAGS being passed. That can
      be seen in the output above, the only flag passed to the compiler is
      -Wno-error.
      
      Fix it by dropping the conditional setting of CFLAGS in flags.mk.
      Instead always set CFLAGS, but also append USERCFLAGS if they are set.
      
      Note that appending to CFLAGS (with +=) wouldn't work, because flags.mk
      is included by multiple Makefiles (to support partial builds), causing
      CFLAGS to be appended to multiple times. Additionally that would place
      the USERCFLAGS prior to the standard CFLAGS, meaning the USERCFLAGS
      couldn't override the standard flags. Being able to override the
      standard flags is desirable, for example for adding -Wno-error.
      
      With the fix in place, the CFLAGS are set correctly, including the
      USERCFLAGS:
      
        $ make -C tools/testing/selftests/powerpc V=1 USERCFLAGS=-Wno-error
        ...
        gcc -std=gnu99 -O2 -Wall -Werror -DGIT_VERSION='"v6.10-rc2-7-gdea17e7e56c3"'
        -I/home/michael/linux/tools/testing/selftests/powerpc/include -Wno-error
        cache_shape.c ...
      
      Fixes: 5553a793 ("selftests/powerpc: Add flags.mk to support pmu buildable")
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Link: https://msgid.link/20240706120833.909853-1-mpe@ellerman.id.au
      8b7f59de
  4. 05 Jul, 2024 11 commits
  5. 04 Jul, 2024 22 commits
    • Jarkko Sakkinen's avatar
      tpm: Address !chip->auth in tpm_buf_append_hmac_session*() · 7ca110f2
      Jarkko Sakkinen authored
      Unless tpm_chip_bootstrap() was called by the driver, !chip->auth can
      cause a null derefence in tpm_buf_hmac_session*().  Thus, address
      !chip->auth in tpm_buf_hmac_session*() and remove the fallback
      implementation for !TCG_TPM2_HMAC.
      
      Cc: stable@vger.kernel.org # v6.9+
      Reported-by: default avatarStefan Berger <stefanb@linux.ibm.com>
      Closes: https://lore.kernel.org/linux-integrity/20240617193408.1234365-1-stefanb@linux.ibm.com/
      Fixes: 1085b827 ("tpm: Add the rest of the session HMAC API")
      Tested-by: Michael Ellerman <mpe@ellerman.id.au> # ppc
      Signed-off-by: default avatarJarkko Sakkinen <jarkko@kernel.org>
      7ca110f2
    • Jarkko Sakkinen's avatar
      tpm: Address !chip->auth in tpm_buf_append_name() · a61809a3
      Jarkko Sakkinen authored
      Unless tpm_chip_bootstrap() was called by the driver, !chip->auth can
      cause a null derefence in tpm_buf_append_name().  Thus, address
      !chip->auth in tpm_buf_append_name() and remove the fallback
      implementation for !TCG_TPM2_HMAC.
      
      Cc: stable@vger.kernel.org # v6.10+
      Reported-by: default avatarStefan Berger <stefanb@linux.ibm.com>
      Closes: https://lore.kernel.org/linux-integrity/20240617193408.1234365-1-stefanb@linux.ibm.com/
      Fixes: d0a25bb9 ("tpm: Add HMAC session name/handle append")
      Tested-by: Michael Ellerman <mpe@ellerman.id.au> # ppc
      Signed-off-by: default avatarJarkko Sakkinen <jarkko@kernel.org>
      a61809a3
    • Jarkko Sakkinen's avatar
      tpm: Address !chip->auth in tpm2_*_auth_session() · 25ee48a5
      Jarkko Sakkinen authored
      Unless tpm_chip_bootstrap() was called by the driver, !chip->auth can cause
      a null derefence in tpm2_*_auth_session(). Thus, address !chip->auth in
      tpm2_*_auth_session().
      
      Cc: stable@vger.kernel.org # v6.9+
      Reported-by: default avatarStefan Berger <stefanb@linux.ibm.com>
      Closes: https://lore.kernel.org/linux-integrity/20240617193408.1234365-1-stefanb@linux.ibm.com/
      Fixes: 699e3efd ("tpm: Add HMAC session start and end functions")
      Tested-by: Michael Ellerman <mpe@ellerman.id.au> # ppc
      Signed-off-by: default avatarJarkko Sakkinen <jarkko@kernel.org>
      25ee48a5
    • Linus Torvalds's avatar
      Merge tag 'for-6.10-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 661e504d
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
      
       - fix folio refcounting when releasing them (encoded write, dummy
         extent buffer)
      
       - fix out of bounds read when checking qgroup inherit data
      
       - fix how configurable chunk size is handled in zoned mode
      
       - in the ref-verify tool, fix uninitialized return value when checking
         extent owner ref and simple quota are not enabled
      
      * tag 'for-6.10-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: fix folio refcount in __alloc_dummy_extent_buffer()
        btrfs: fix folio refcount in btrfs_do_encoded_write()
        btrfs: fix uninitialized return value in the ref-verify tool
        btrfs: always do the basic checks for btrfs_qgroup_inherit structure
        btrfs: zoned: fix calc_available_free_space() for zoned mode
      661e504d
    • Linus Torvalds's avatar
      Merge tag 'net-6.10-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 033771c0
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from bluetooth, wireless and netfilter.
      
        There's one fix for power management with Intel's e1000e here,
        Thorsten tells us there's another problem that started in v6.9. We're
        trying to wrap that up but I don't think it's blocking.
      
        Current release - new code bugs:
      
         - wifi: mac80211: disable softirqs for queued frame handling
      
         - af_unix: fix uninit-value in __unix_walk_scc(), with the new
           garbage collection algo
      
        Previous releases - regressions:
      
         - Bluetooth:
            - qca: fix BT enable failure for QCA6390 after warm reboot
            - add quirk to ignore reserved PHY bits in LE Extended Adv Report,
              abused by some Broadcom controllers found on Apple machines
      
         - wifi: wilc1000: fix ies_len type in connect path
      
        Previous releases - always broken:
      
         - tcp: fix DSACK undo in fast recovery to call tcp_try_to_open(),
           avoid premature timeouts
      
         - net: make sure skb_datagram_iter maps fragments page by page, in
           case we somehow get compound highmem mixed in
      
         - eth: bnx2x: fix multiple UBSAN array-index-out-of-bounds when more
           queues are used
      
        Misc:
      
         - MAINTAINERS: Remembering Larry Finger"
      
      * tag 'net-6.10-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (62 commits)
        bnxt_en: Fix the resource check condition for RSS contexts
        mlxsw: core_linecards: Fix double memory deallocation in case of invalid INI file
        inet_diag: Initialize pad field in struct inet_diag_req_v2
        tcp: Don't flag tcp_sk(sk)->rx_opt.saw_unknown for TCP AO.
        selftests: make order checking verbose in msg_zerocopy selftest
        selftests: fix OOM in msg_zerocopy selftest
        ice: use proper macro for testing bit
        ice: Reject pin requests with unsupported flags
        ice: Don't process extts if PTP is disabled
        ice: Fix improper extts handling
        selftest: af_unix: Add test case for backtrack after finalising SCC.
        af_unix: Fix uninit-value in __unix_walk_scc()
        bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()
        net: rswitch: Avoid use-after-free in rswitch_poll()
        netfilter: nf_tables: unconditionally flush pending work before notifier
        wifi: iwlwifi: mvm: check vif for NULL/ERR_PTR before dereference
        wifi: iwlwifi: mvm: avoid link lookup in statistics
        wifi: iwlwifi: mvm: don't wake up rx_sync_waitq upon RFKILL
        wifi: iwlwifi: properly set WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK
        wifi: wilc1000: fix ies_len type in connect path
        ...
      033771c0
    • Linus Torvalds's avatar
      Merge tag 's390-6.10-8' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · d470e9f5
      Linus Torvalds authored
      Pull s390 fixes from Heiko Carstens:
      
       - Fix and add physical to virtual address translations in dasd and
         virtio_ccw drivers. For virtio_ccw this is just a minimal fix.
         More code cleanup will follow.
      
       - Small defconfig updates
      
      * tag 's390-6.10-8' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390/dasd: Fix invalid dereferencing of indirect CCW data pointer
        s390/vfio_ccw: Fix target addresses of TIC CCWs
        s390: Update defconfigs
      d470e9f5
    • Linus Torvalds's avatar
      Merge tag 'platform-drivers-x86-v6.10-5' of... · 2d19be09
      Linus Torvalds authored
      Merge tag 'platform-drivers-x86-v6.10-5' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86
      
      Pull x86 platform driver fix from Hans de Goede:
      
       - Fix regression in toshiba_acpi introduced in 6.10-rc1
      
      * tag 'platform-drivers-x86-v6.10-5' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86:
        platform/x86: toshiba_acpi: Fix quickstart quirk handling
      2d19be09
    • Linus Torvalds's avatar
      Merge tag 'kselftest-fix-2024-07-04' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux · 4d85acef
      Linus Torvalds authored
      Pull Kselftest fix from Mickaël Salaün:
       "Fix Kselftests timeout.
      
        We can't use CLONE_VFORK, since that blocks the parent - and thus the
        timeout handling - until the child exits or execve's.
      
        Go back to using plain fork()"
      
      * tag 'kselftest-fix-2024-07-04' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux:
        selftests/harness: Fix tests timeout and race condition
      4d85acef
    • Linus Torvalds's avatar
      Merge tag 'mm-hotfixes-stable-2024-07-03-22-23' of... · 8faccfef
      Linus Torvalds authored
      Merge tag 'mm-hotfixes-stable-2024-07-03-22-23' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
      
      Pull misc fixes from, Andrew Morton:
       "6 hotfies, all cc:stable. Some fixes for longstanding nilfs2 issues
        and three unrelated MM fixes"
      
      * tag 'mm-hotfixes-stable-2024-07-03-22-23' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm:
        nilfs2: fix incorrect inode allocation from reserved inodes
        nilfs2: add missing check for inode numbers on directory entries
        nilfs2: fix inode number range checks
        mm: avoid overflows in dirty throttling logic
        Revert "mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again"
        mm: optimize the redundant loop of mm_update_owner_next()
      8faccfef
    • Daniel Vetter's avatar
      Merge tag 'drm-misc-fixes-2024-07-04' of... · 2879b482
      Daniel Vetter authored
      Merge tag 'drm-misc-fixes-2024-07-04' of https://gitlab.freedesktop.org/drm/misc/kernel into drm-fixes
      
      drm-misc-fixes for v6.10-rc7:
      - Add panel quirks.
      - Firmware sysfb refcount fix.
      - Another null pointer mode deref fix for nouveau.
      - Panthor sync and uobj fixes.
      - Fix fbdev regression since v6.7.
      - Delay free imported bo in ttm to fix lockdep splat.
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/ffba0c63-2798-40b6-948d-361cd3b14e9f@linux.intel.com
      2879b482
    • Daniel Vetter's avatar
      Merge tag 'drm-xe-fixes-2024-07-04' of https://gitlab.freedesktop.org/drm/xe/kernel into drm-fixes · cfbce3bc
      Daniel Vetter authored
      Driver Changes:
      - One copy/paste mistake fix.
      - One error path fix causing an error pointer dereference.
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      From: Thomas Hellstrom <thomas.hellstrom@linux.intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/ZoZ-wD66lgjiNh72@fedora
      cfbce3bc
    • Pavan Chebbi's avatar
      bnxt_en: Fix the resource check condition for RSS contexts · 5d350dc3
      Pavan Chebbi authored
      While creating a new RSS context, bnxt_rfs_capable() currently
      makes a strict check to see if the required VNICs are already
      available.  If the current VNICs are not what is required,
      either too many or not enough, it will call the firmware to
      reserve the exact number required.
      
      There is a bug in the firmware when the driver tries to
      relinquish some reserved VNICs and RSS contexts.  It will
      cause the default VNIC to lose its RSS configuration and
      cause receive packets to be placed incorrectly.
      
      Workaround this problem by skipping the resource reduction.
      The driver will not reduce the VNIC and RSS context reservations
      when a context is deleted.  The resources will be available for
      use when new contexts are created later.
      
      Potentially, this workaround can cause us to run out of VNIC
      and RSS contexts if there are a lot of VF functions creating
      and deleting RSS contexts.  In the future, we will conditionally
      disable this workaround when the firmware fix is available.
      
      Fixes: 438ba39b ("bnxt_en: Improve RSS context reservation infrastructure")
      Reported-by: default avatarJakub Kicinski <kuba@kernel.org>
      Link: https://lore.kernel.org/netdev/20240625010210.2002310-1-kuba@kernel.org/Reviewed-by: default avatarAndy Gospodarek <andrew.gospodarek@broadcom.com>
      Signed-off-by: default avatarPavan Chebbi <pavan.chebbi@broadcom.com>
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Link: https://patch.msgid.link/20240703180112.78590-1-michael.chan@broadcom.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      5d350dc3
    • Aleksandr Mishin's avatar
      mlxsw: core_linecards: Fix double memory deallocation in case of invalid INI file · 8ce34dcc
      Aleksandr Mishin authored
      In case of invalid INI file mlxsw_linecard_types_init() deallocates memory
      but doesn't reset pointer to NULL and returns 0. In case of any error
      occurred after mlxsw_linecard_types_init() call, mlxsw_linecards_init()
      calls mlxsw_linecard_types_fini() which performs memory deallocation again.
      
      Add pointer reset to NULL.
      
      Found by Linux Verification Center (linuxtesting.org) with SVACE.
      
      Fixes: b217127e ("mlxsw: core_linecards: Add line card objects and implement provisioning")
      Signed-off-by: default avatarAleksandr Mishin <amishin@t-argos.ru>
      Reviewed-by: default avatarPrzemek Kitszel <przemyslaw.kitszel@intel.com>
      Reviewed-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Reviewed-by: default avatarMichal Kubiak <michal.kubiak@intel.com>
      Link: https://patch.msgid.link/20240703203251.8871-1-amishin@t-argos.ruSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      8ce34dcc
    • Jakub Kicinski's avatar
      Merge tag 'wireless-2024-07-04' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless · eec5969c
      Jakub Kicinski authored
      Kalle Valo says:
      
      ====================
      wireless fixes for v6.10
      
      Hopefully the last fixes for v6.10. Fix a regression in wilc1000
      where bitrate Information Elements longer than 255 bytes were broken.
      Few fixes also to mac80211 and iwlwifi.
      
      * tag 'wireless-2024-07-04' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless:
        wifi: iwlwifi: mvm: check vif for NULL/ERR_PTR before dereference
        wifi: iwlwifi: mvm: avoid link lookup in statistics
        wifi: iwlwifi: mvm: don't wake up rx_sync_waitq upon RFKILL
        wifi: iwlwifi: properly set WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK
        wifi: wilc1000: fix ies_len type in connect path
        wifi: mac80211: fix BSS_CHANGED_UNSOL_BCAST_PROBE_RESP
      ====================
      
      Link: https://patch.msgid.link/20240704111431.11DEDC3277B@smtp.kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      eec5969c
    • Daniel Vetter's avatar
      Merge tag 'drm-intel-fixes-2024-07-02' of... · 4931c01b
      Daniel Vetter authored
      Merge tag 'drm-intel-fixes-2024-07-02' of https://gitlab.freedesktop.org/drm/i915/kernel into drm-fixes
      
      drm/i915 fixes for v6.10-rc7:
      - Skip unnecessary MG programming, avoiding warnings (Imre)
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      From: Jani Nikula <jani.nikula@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/87frss9ozs.fsf@intel.com
      4931c01b
    • Paolo Abeni's avatar
      Merge tag 'nf-24-07-04' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · e3671971
      Paolo Abeni authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following batch contains a oneliner patch to inconditionally flush
      workqueue containing stale objects to be released, syzbot managed to
      trigger UaF. Patch from Florian Westphal.
      
      netfilter pull request 24-07-04
      
      * tag 'nf-24-07-04' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
        netfilter: nf_tables: unconditionally flush pending work before notifier
      ====================
      
      Link: https://patch.msgid.link/20240703223304.1455-1-pablo@netfilter.orgSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      e3671971
    • Shigeru Yoshida's avatar
      inet_diag: Initialize pad field in struct inet_diag_req_v2 · 61cf1c73
      Shigeru Yoshida authored
      KMSAN reported uninit-value access in raw_lookup() [1]. Diag for raw
      sockets uses the pad field in struct inet_diag_req_v2 for the
      underlying protocol. This field corresponds to the sdiag_raw_protocol
      field in struct inet_diag_req_raw.
      
      inet_diag_get_exact_compat() converts inet_diag_req to
      inet_diag_req_v2, but leaves the pad field uninitialized. So the issue
      occurs when raw_lookup() accesses the sdiag_raw_protocol field.
      
      Fix this by initializing the pad field in
      inet_diag_get_exact_compat(). Also, do the same fix in
      inet_diag_dump_compat() to avoid the similar issue in the future.
      
      [1]
      BUG: KMSAN: uninit-value in raw_lookup net/ipv4/raw_diag.c:49 [inline]
      BUG: KMSAN: uninit-value in raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71
       raw_lookup net/ipv4/raw_diag.c:49 [inline]
       raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71
       raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99
       inet_diag_cmd_exact+0x7d9/0x980
       inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline]
       inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426
       sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282
       netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564
       sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297
       netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
       netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361
       netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905
       sock_sendmsg_nosec net/socket.c:730 [inline]
       __sock_sendmsg+0x332/0x3d0 net/socket.c:745
       ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585
       ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639
       __sys_sendmsg net/socket.c:2668 [inline]
       __do_sys_sendmsg net/socket.c:2677 [inline]
       __se_sys_sendmsg net/socket.c:2675 [inline]
       __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675
       x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f
      
      Uninit was stored to memory at:
       raw_sock_get+0x650/0x800 net/ipv4/raw_diag.c:71
       raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99
       inet_diag_cmd_exact+0x7d9/0x980
       inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline]
       inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426
       sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282
       netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564
       sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297
       netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
       netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361
       netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905
       sock_sendmsg_nosec net/socket.c:730 [inline]
       __sock_sendmsg+0x332/0x3d0 net/socket.c:745
       ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585
       ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639
       __sys_sendmsg net/socket.c:2668 [inline]
       __do_sys_sendmsg net/socket.c:2677 [inline]
       __se_sys_sendmsg net/socket.c:2675 [inline]
       __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675
       x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f
      
      Local variable req.i created at:
       inet_diag_get_exact_compat net/ipv4/inet_diag.c:1396 [inline]
       inet_diag_rcv_msg_compat+0x2a6/0x530 net/ipv4/inet_diag.c:1426
       sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282
      
      CPU: 1 PID: 8888 Comm: syz-executor.6 Not tainted 6.10.0-rc4-00217-g35bb670d #32
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
      
      Fixes: 432490f9 ("net: ip, diag -- Add diag interface for raw sockets")
      Reported-by: default avatarsyzkaller <syzkaller@googlegroups.com>
      Signed-off-by: default avatarShigeru Yoshida <syoshida@redhat.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://patch.msgid.link/20240703091649.111773-1-syoshida@redhat.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      61cf1c73
    • Kuniyuki Iwashima's avatar
      tcp: Don't flag tcp_sk(sk)->rx_opt.saw_unknown for TCP AO. · 4b74726c
      Kuniyuki Iwashima authored
      When we process segments with TCP AO, we don't check it in
      tcp_parse_options().  Thus, opt_rx->saw_unknown is set to 1,
      which unconditionally triggers the BPF TCP option parser.
      
      Let's avoid the unnecessary BPF invocation.
      
      Fixes: 0a3a8090 ("net/tcp: Verify inbound TCP-AO signed segments")
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarDmitry Safonov <0x7f454c46@gmail.com>
      Link: https://patch.msgid.link/20240703033508.6321-1-kuniyu@amazon.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      4b74726c
    • Matt Roper's avatar
      drm/xe/mcr: Avoid clobbering DSS steering · 1f006470
      Matt Roper authored
      A couple copy/paste mistakes in the code that selects steering targets
      for OADDRM and INSTANCE0 unintentionally clobbered the steering target
      for DSS ranges in some cases.
      
      The OADDRM/INSTANCE0 values were also not assigned as intended, although
      that mistake wound up being harmless since the desired values for those
      specific ranges were '0' which the kzalloc of the GT structure should
      have already taken care of implicitly.
      
      Fixes: dd08ebf6 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
      Signed-off-by: default avatarMatt Roper <matthew.d.roper@intel.com>
      Reviewed-by: default avatarLucas De Marchi <lucas.demarchi@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20240626210536.1620176-2-matthew.d.roper@intel.com
      (cherry picked from commit 4f82ac61)
      Signed-off-by: default avatarThomas Hellström <thomas.hellstrom@linux.intel.com>
      1f006470
    • Matthew Auld's avatar
      drm/xe: fix error handling in xe_migrate_update_pgtables · fc932f51
      Matthew Auld authored
      Don't call drm_suballoc_free with sa_bo pointing to PTR_ERR.
      
      References: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2120
      Fixes: dd08ebf6 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
      Signed-off-by: default avatarMatthew Auld <matthew.auld@intel.com>
      Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
      Cc: Matthew Brost <matthew.brost@intel.com>
      Cc: <stable@vger.kernel.org> # v6.8+
      Reviewed-by: default avatarThomas Hellström <thomas.hellstrom@linux.intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20240620102025.127699-2-matthew.auld@intel.com
      (cherry picked from commit ce6b6333)
      Signed-off-by: default avatarThomas Hellström <thomas.hellstrom@linux.intel.com>
      fc932f51
    • Thomas Hellström's avatar
      drm/ttm: Always take the bo delayed cleanup path for imported bos · d99fbd9a
      Thomas Hellström authored
      Bos can be put with multiple unrelated dma-resv locks held. But
      imported bos attempt to grab the bo dma-resv during dma-buf detach
      that typically happens during cleanup. That leads to lockde splats
      similar to the below and a potential ABBA deadlock.
      
      Fix this by always taking the delayed workqueue cleanup path for
      imported bos.
      
      Requesting stable fixes from when the Xe driver was introduced,
      since its usage of drm_exec and wide vm dma_resvs appear to be
      the first reliable trigger of this.
      
      [22982.116427] ============================================
      [22982.116428] WARNING: possible recursive locking detected
      [22982.116429] 6.10.0-rc2+ #10 Tainted: G     U  W
      [22982.116430] --------------------------------------------
      [22982.116430] glxgears:sh0/5785 is trying to acquire lock:
      [22982.116431] ffff8c2bafa539a8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: dma_buf_detach+0x3b/0xf0
      [22982.116438]
                     but task is already holding lock:
      [22982.116438] ffff8c2d9aba6da8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: drm_exec_lock_obj+0x49/0x2b0 [drm_exec]
      [22982.116442]
                     other info that might help us debug this:
      [22982.116442]  Possible unsafe locking scenario:
      
      [22982.116443]        CPU0
      [22982.116444]        ----
      [22982.116444]   lock(reservation_ww_class_mutex);
      [22982.116445]   lock(reservation_ww_class_mutex);
      [22982.116447]
                      *** DEADLOCK ***
      
      [22982.116447]  May be due to missing lock nesting notation
      
      [22982.116448] 5 locks held by glxgears:sh0/5785:
      [22982.116449]  #0: ffff8c2d9aba58c8 (&xef->vm.lock){+.+.}-{3:3}, at: xe_file_close+0xde/0x1c0 [xe]
      [22982.116507]  #1: ffff8c2e28cc8480 (&vm->lock){++++}-{3:3}, at: xe_vm_close_and_put+0x161/0x9b0 [xe]
      [22982.116578]  #2: ffff8c2e31982970 (&val->lock){.+.+}-{3:3}, at: xe_validation_ctx_init+0x6d/0x70 [xe]
      [22982.116647]  #3: ffffacdc469478a8 (reservation_ww_class_acquire){+.+.}-{0:0}, at: xe_vma_destroy_unlocked+0x7f/0xe0 [xe]
      [22982.116716]  #4: ffff8c2d9aba6da8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: drm_exec_lock_obj+0x49/0x2b0 [drm_exec]
      [22982.116719]
                     stack backtrace:
      [22982.116720] CPU: 8 PID: 5785 Comm: glxgears:sh0 Tainted: G     U  W          6.10.0-rc2+ #10
      [22982.116721] Hardware name: ASUS System Product Name/PRIME B560M-A AC, BIOS 2001 02/01/2023
      [22982.116723] Call Trace:
      [22982.116724]  <TASK>
      [22982.116725]  dump_stack_lvl+0x77/0xb0
      [22982.116727]  __lock_acquire+0x1232/0x2160
      [22982.116730]  lock_acquire+0xcb/0x2d0
      [22982.116732]  ? dma_buf_detach+0x3b/0xf0
      [22982.116734]  ? __lock_acquire+0x417/0x2160
      [22982.116736]  __ww_mutex_lock.constprop.0+0xd0/0x13b0
      [22982.116738]  ? dma_buf_detach+0x3b/0xf0
      [22982.116741]  ? dma_buf_detach+0x3b/0xf0
      [22982.116743]  ? ww_mutex_lock+0x2b/0x90
      [22982.116745]  ww_mutex_lock+0x2b/0x90
      [22982.116747]  dma_buf_detach+0x3b/0xf0
      [22982.116749]  drm_prime_gem_destroy+0x2f/0x40 [drm]
      [22982.116775]  xe_ttm_bo_destroy+0x32/0x220 [xe]
      [22982.116818]  ? __mutex_unlock_slowpath+0x3a/0x290
      [22982.116821]  drm_exec_unlock_all+0xa1/0xd0 [drm_exec]
      [22982.116823]  drm_exec_fini+0x12/0xb0 [drm_exec]
      [22982.116824]  xe_validation_ctx_fini+0x15/0x40 [xe]
      [22982.116892]  xe_vma_destroy_unlocked+0xb1/0xe0 [xe]
      [22982.116959]  xe_vm_close_and_put+0x41a/0x9b0 [xe]
      [22982.117025]  ? xa_find+0xe3/0x1e0
      [22982.117028]  xe_file_close+0x10a/0x1c0 [xe]
      [22982.117074]  drm_file_free+0x22a/0x280 [drm]
      [22982.117099]  drm_release_noglobal+0x22/0x70 [drm]
      [22982.117119]  __fput+0xf1/0x2d0
      [22982.117122]  task_work_run+0x59/0x90
      [22982.117125]  do_exit+0x330/0xb40
      [22982.117127]  do_group_exit+0x36/0xa0
      [22982.117129]  get_signal+0xbd2/0xbe0
      [22982.117131]  arch_do_signal_or_restart+0x3e/0x240
      [22982.117134]  syscall_exit_to_user_mode+0x1e7/0x290
      [22982.117137]  do_syscall_64+0xa1/0x180
      [22982.117139]  ? lock_acquire+0xcb/0x2d0
      [22982.117140]  ? __set_task_comm+0x28/0x1e0
      [22982.117141]  ? find_held_lock+0x2b/0x80
      [22982.117144]  ? __set_task_comm+0xe1/0x1e0
      [22982.117145]  ? lock_release+0xca/0x290
      [22982.117147]  ? __do_sys_prctl+0x245/0xab0
      [22982.117149]  ? lockdep_hardirqs_on_prepare+0xde/0x190
      [22982.117150]  ? syscall_exit_to_user_mode+0xb0/0x290
      [22982.117152]  ? do_syscall_64+0xa1/0x180
      [22982.117154]  ? __lock_acquire+0x417/0x2160
      [22982.117155]  ? reacquire_held_locks+0xd1/0x1f0
      [22982.117156]  ? do_user_addr_fault+0x30c/0x790
      [22982.117158]  ? lock_acquire+0xcb/0x2d0
      [22982.117160]  ? find_held_lock+0x2b/0x80
      [22982.117162]  ? do_user_addr_fault+0x357/0x790
      [22982.117163]  ? lock_release+0xca/0x290
      [22982.117164]  ? do_user_addr_fault+0x361/0x790
      [22982.117166]  ? trace_hardirqs_off+0x4b/0xc0
      [22982.117168]  ? clear_bhb_loop+0x45/0xa0
      [22982.117170]  ? clear_bhb_loop+0x45/0xa0
      [22982.117172]  ? clear_bhb_loop+0x45/0xa0
      [22982.117174]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
      [22982.117176] RIP: 0033:0x7f943d267169
      [22982.117192] Code: Unable to access opcode bytes at 0x7f943d26713f.
      [22982.117193] RSP: 002b:00007f9430bffc80 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
      [22982.117195] RAX: fffffffffffffe00 RBX: 0000000000000000 RCX: 00007f943d267169
      [22982.117196] RDX: 0000000000000000 RSI: 0000000000000189 RDI: 00005622f89579d0
      [22982.117197] RBP: 00007f9430bffcb0 R08: 0000000000000000 R09: 00000000ffffffff
      [22982.117198] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
      [22982.117199] R13: 0000000000000000 R14: 0000000000000000 R15: 00005622f89579d0
      [22982.117202]  </TASK>
      
      Fixes: dd08ebf6 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
      Cc: Christian König <christian.koenig@amd.com>
      Cc: Daniel Vetter <daniel@ffwll.ch>
      Cc: dri-devel@lists.freedesktop.org
      Cc: intel-xe@lists.freedesktop.org
      Cc: <stable@vger.kernel.org> # v6.8+
      Signed-off-by: default avatarThomas Hellström <thomas.hellstrom@linux.intel.com>
      Reviewed-by: default avatarMatthew Brost <matthew.brost@intel.com>
      Reviewed-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Reviewed-by: default avatarChristian König <christian.koenig@amd.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20240628153848.4989-1-thomas.hellstrom@linux.intel.com
      d99fbd9a
    • Jakub Kicinski's avatar
      Merge branch 'fix-oom-and-order-check-in-msg_zerocopy-selftest' · aa09b7e0
      Jakub Kicinski authored
      Zijian Zhang says:
      
      ====================
      fix OOM and order check in msg_zerocopy selftest
      
      In selftests/net/msg_zerocopy.c, it has a while loop keeps calling sendmsg
      on a socket with MSG_ZEROCOPY flag, and it will recv the notifications
      until the socket is not writable. Typically, it will start the receiving
      process after around 30+ sendmsgs. However, as the introduction of commit
      dfa2f048 ("tcp: get rid of sysctl_tcp_adv_win_scale"), the sender is
      always writable and does not get any chance to run recv notifications.
      The selftest always exits with OUT_OF_MEMORY because the memory used by
      opt_skb exceeds the net.core.optmem_max. Meanwhile, it could be set to a
      different value to trigger OOM on older kernels too.
      
      Thus, we introduce "cfg_notification_limit" to force sender to receive
      notifications after some number of sendmsgs.
      
      And, we find that when lock debugging is on, notifications may not come in
      order. Thus, we have order checking outputs managed by cfg_verbose, to
      avoid too many outputs in this case.
      ====================
      
      Link: https://patch.msgid.link/20240701225349.3395580-1-zijianzhang@bytedance.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      aa09b7e0