1. 03 Jul, 2024 1 commit
    • cgroup: Protect css->cgroup write under css_set_lock · 57b56d16
      Waiman Long authored
      The writing of css->cgroup associated with the cgroup root in
      rebind_subsystems() is currently protected only by cgroup_mutex.
      However, the reading of css->cgroup in both proc_cpuset_show() and
      proc_cgroup_show() is protected just by css_set_lock. That makes the
      readers susceptible to racing problems like data tearing or caching.
      It is also a problem that can be reported by KCSAN.
      
      This can be fixed by using READ_ONCE() and WRITE_ONCE() to access
      css->cgroup. Alternatively, the writing of css->cgroup can be moved
      under css_set_lock as well which is done by this patch.
      Signed-off-by: Waiman Long <longman@redhat.com>
      Signed-off-by: Tejun Heo <tj@kernel.org>
  2. 28 Jun, 2024 1 commit
    • cgroup/cpuset: Prevent UAF in proc_cpuset_show() · 1be59c97
      Chen Ridong authored
      A UAF can happen when /proc/cpuset is read as reported in [1].
      
      This can be reproduced by the following methods:
      1. Add an mdelay(1000) before acquiring the cgroup_lock in the
         cgroup_path_ns function.
      2. $ cat /proc/<pid>/cpuset repeatedly.
      3. $ mount -t cgroup -o cpuset cpuset /sys/fs/cgroup/cpuset/
         $ umount /sys/fs/cgroup/cpuset/ repeatedly.
      
      The race that causes this bug can be shown as below:
      
      (umount)		|	(cat /proc/<pid>/cpuset)
      css_release		|	proc_cpuset_show
      css_release_work_fn	|	css = task_get_css(tsk, cpuset_cgrp_id);
      css_free_rwork_fn	|	cgroup_path_ns(css->cgroup, ...);
      cgroup_destroy_root	|	mutex_lock(&cgroup_mutex);
      rebind_subsystems	|
      cgroup_free_root 	|
      			|	// cgrp was freed, UAF
      			|	cgroup_path_ns_locked(cgrp,..);
      
      When the cpuset is initialized, the root node top_cpuset.css.cgrp
      will point to &cgrp_dfl_root.cgrp. In cgroup v1, the mount operation will
      allocate cgroup_root, and top_cpuset.css.cgrp will point to the allocated
      &cgroup_root.cgrp. When the umount operation is executed,
      top_cpuset.css.cgrp will be rebound to &cgrp_dfl_root.cgrp.
      
      The problem is that when rebinding to cgrp_dfl_root, there are cases
      where the cgroup_root allocated by setting up the root for cgroup v1
      is cached. This could lead to a Use-After-Free (UAF) if it is
      subsequently freed. The descendant cgroups of cgroup v1 can only be
      freed after the css is released. However, the css of the root will never
      be released, yet the cgroup_root should be freed when it is unmounted.
      This means that obtaining a reference to the css of the root does
      not guarantee that css.cgrp->root will not be freed.
      
      Fix this problem by using rcu_read_lock in proc_cpuset_show().
      As cgroup_root is kfree_rcu after commit d23b5c57
      ("cgroup: Make operations on the cgroup root_list RCU safe"),
      css->cgroup won't be freed during the critical section.
      To call cgroup_path_ns_locked, css_set_lock is needed, so it is safe to
      replace task_get_css with task_css.
      
      [1] https://syzkaller.appspot.com/bug?extid=9b1ff7be974a403aa4cd
      
      Fixes: a79a908f ("cgroup: introduce cgroup namespaces")
      Signed-off-by: Chen Ridong <chenridong@huawei.com>
      Signed-off-by: Tejun Heo <tj@kernel.org>
  3. 24 Jun, 2024 2 commits
    • Merge tag 'input-for-v6.10-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · 55027e68
      Linus Torvalds authored
      Pull input fixes from Dmitry Torokhov:
      
       - fixes for ili210x and elantech drivers
      
       - new products IDs added to xpad controller driver
      
       - a tweak to i8042 driver to always keep keyboard in Ayaneo Kun
         handheld in raw mode
      
       - populated "id_table" in ads7846 touchscreen driver to make sure
         non-OF instantiated devices can properly determine the model data.
      
      * tag 'input-for-v6.10-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: ads7846 - use spi_device_id table
        Input: xpad - add support for ASUS ROG RAIKIRI PRO
        Input: ili210x - fix ili251x_read_touch_data() return value
        Input: i8042 - add Ayaneo Kun to i8042 quirk table
        Input: elantech - fix touchpad state on resume for Lenovo N24
    • Merge tag 'pinctrl-v6.10-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl · 626737a5
      Linus Torvalds authored
      Pull pin control fixes from Linus Walleij:
      
       - Use flag saving spinlocks in the Renesas rzg2l driver. This fixes up
         PREEMPT_RT problems.
      
       - Remove broken Qualcomm PM8008 that clearly was never working. A new
         version will arrive in the next merge window.
      
       - Add a quirk for LP8764 regmap that was missed and made the TI J7200
         board unusable.
      
       - Fix persistence on the BCM2835 GPIO outputs kernel parameter so this
         remains consistent across a booted kernel.
      
       - Fix a potential deadlock in create_pinctrl()
      
       - Fix some erroneous bitfields and pinmux reset in the Rockchip RK3328
         driver.
      
      * tag 'pinctrl-v6.10-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set
        pinctrl: rockchip: use dedicated pinctrl type for RK3328
        pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins
        pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins
        pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER
        pinctrl: bcm2835: Fix permissions of persist_gpio_outputs
        pinctrl: tps6594: add missing support for LP8764 PMIC
        dt-bindings: pinctrl: qcom,pmic-gpio: drop pm8008
        pinctrl: qcom: spmi-gpio: drop broken pm8008 support
        pinctrl: renesas: rzg2l: Use spin_{lock,unlock}_irq{save,restore}
  4. 23 Jun, 2024 8 commits
  5. 22 Jun, 2024 19 commits
  6. 21 Jun, 2024 9 commits
    • Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 35bb670d
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "Two fixes: one in the ufs driver fixing an obvious memory leak and the
        other (with a core flag based update) trying to prevent USB crashes by
        stopping the core from issuing a request for the I/O Hints mode page"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: usb: uas: Do not query the IO Advice Hints Grouping mode page for USB/UAS devices
        scsi: core: Introduce the BLIST_SKIP_IO_HINTS flag
        scsi: ufs: core: Free memory allocated for model before reinit
    • Merge tag 'drm-fixes-2024-06-22' of https://gitlab.freedesktop.org/drm/kernel · d6c94157
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Still pretty quiet, two weeks worth of amdgpu fixes, with one i915 and
        one xe. I didn't get the drm-misc-fixes tree PR this week, but there
        was only one fix queued and I think it can wait another week, so seems
        pretty normal.
      
        xe:
         - Fix for invalid register access
      
        i915:
         - Fix conditions for joiner usage, it's not possible with eDP MSO
      
        amdgpu:
         - Fix display idle optimization race
         - Fix GPUVM TLB flush locking scope
         - IPS fix
         - GFX 9.4.3 harvesting fix
         - Runtime pm fix for shared buffers
         - DCN 3.5.x fixes
         - USB4 fix
         - RISC-V clang fix
         - Silence UBSAN warnings
         - MES11 fix
         - PSP 14.0.x fix"
      
      * tag 'drm-fixes-2024-06-22' of https://gitlab.freedesktop.org/drm/kernel:
        drm/xe/vf: Don't touch GuC irq registers if using memory irqs
        drm/amdgpu: init TA fw for psp v14
        drm/amdgpu: cleanup MES11 command submission
        drm/amdgpu: fix UBSAN warning in kv_dpm.c
        drm/radeon: fix UBSAN warning in kv_dpm.c
        drm/amd/display: Disable CONFIG_DRM_AMD_DC_FP for RISC-V with clang
        drm/amd/display: Attempt to avoid empty TUs when endpoint is DPIA
        drm/amd/display: change dram_clock_latency to 34us for dcn35
        drm/amd/display: Change dram_clock_latency to 34us for dcn351
        drm/amdgpu: revert "take runtime pm reference when we attach a buffer" v2
        drm/amdgpu: Indicate CU havest info to CP
        drm/amd/display: prevent register access while in IPS
        drm/amdgpu: fix locking scope when flushing tlb
        drm/amd/display: Remove redundant idle optimization check
        drm/i915/mso: using joiner is not possible with eDP MSO
    • Merge tag 'ovl-fixes-6.10-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/overlayfs/vfs · 264efe48
      Linus Torvalds authored
      Pull overlayfs fixes from Miklos Szeredi:
       "Fix two bugs, one originating in this cycle and one from 6.6"
      
      * tag 'ovl-fixes-6.10-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/overlayfs/vfs:
        ovl: fix encoding fid for lower only root
        ovl: fix copy-up in tmpfile
    • Merge tag 'io_uring-6.10-20240621' of git://git.kernel.dk/linux · a502e727
      Linus Torvalds authored
      Pull io_uring fix from Jens Axboe:
       "Just a single cleanup for the fixed buffer iov_iter import.
      
        More cosmetic than anything else, but let's get it cleaned up as it's
        confusing"
      
      * tag 'io_uring-6.10-20240621' of git://git.kernel.dk/linux:
        io_uring/rsrc: fix incorrect assignment of iter->nr_segs in io_import_fixed
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · ffdf504c
      Linus Torvalds authored
      Pull rdma fixes from Jason Gunthorpe:
       "Small bug fixes:
      
         - Prevent a crash in bnxt if the en and rdma drivers disagree on the
           MSI vectors
      
         - Have rxe memcpy inline data from the correct address
      
         - Fix rxe's validation of UD packets
      
         - Several mlx5 mr cache issues: bad lock balancing on error, missing
           propagation of the ATS property to the HW, wrong bucketing of freed
           mrs in some cases
      
         - Incorrect goto error unwind in mlx5 driver probe
      
         - Missed userspace input validation in mlx5 SRQ create
      
         - Incorrect uABI in MANA rejecting valid optional MR creation flags"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        RDMA/mana_ib: Ignore optional access flags for MRs
        RDMA/mlx5: Add check for srq max_sge attribute
        RDMA/mlx5: Fix unwind flow as part of mlx5_ib_stage_init_init
        RDMA/mlx5: Ensure created mkeys always have a populated rb_key
        RDMA/mlx5: Follow rb_key.ats when creating new mkeys
        RDMA/mlx5: Remove extra unlock on error path
        RDMA/rxe: Fix responder length checking for UD request packets
        RDMA/rxe: Fix data copy for IB_SEND_INLINE
        RDMA/bnxt_re: Fix the max msix vectors macro
    • Merge tag 'sound-6.10-rc5-2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 4545981f
      Linus Torvalds authored
      Pull more sound fixes from Takashi Iwai:
       "A follow-up fix for a random build issue, as well as another trivial
        HD-audio quirk"
      
      * tag 'sound-6.10-rc5-2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda: Use imply for suggesting CONFIG_SERIAL_MULTI_INSTANTIATE
        ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14AHP9
    • Merge tag 'acpi-6.10-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 36c07583
      Linus Torvalds authored
      Pull ACPI fixes from Rafael Wysocki:
       "These address a possible NULL pointer dereference in the ACPICA code
        and quirk camera enumeration on multiple platforms where incorrect
        data are present in the platform firmware.
      
        Specifics:
      
         - Undo an ACPICA code change that attempted to keep operation regions
           within a page boundary, but allowed accesses to unmapped memory to
           occur (Raju Rangoju)
      
         - Ignore MIPI camera graph port nodes created with the help of the
           information from the ACPI tables on all Dell Tiger, Alder and
           Raptor Lake models as that information is reported to be invalid on
           the platforms in question (Hans de Goede)
      
         - Use new Intel CPU model matching macros in the MIPI DisCo for
           Imaging part of ACPI device enumeration (Hans de Goede)"
      
      * tag 'acpi-6.10-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPI: mipi-disco-img: Switch to new Intel CPU model defines
        ACPI: scan: Ignore camera graph port nodes on all Dell Tiger, Alder and Raptor Lake models
        ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine."
    • Merge tag 'thermal-6.10-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · fbe7ef3f
      Linus Torvalds authored
      Pull thermal control fixes from Rafael Wysocki:
       "These fix the Mediatek lvts_thermal driver, the Intel int340x driver,
        and the thermal core (two issues related to system suspend).
      
        Specifics:
      
         - Remove the filtered mode for mt8188 from lvts_thermal as it is not
           supported on this platform and fail the lvts_thermal initialization
           when the golden temperature is zero as that means the efuse data is
           not correctly set (Julien Panis)
      
         - Update the processor_thermal part of the Intel int340x driver to
           support shared interrupts as the processor thermal device interrupt
           may in fact be shared with PCI devices (Srinivas Pandruvada)
      
         - Synchronize the suspend-prepare and post-suspend actions of the
           thermal PM notifier to avoid a destructive race condition and
           change the priority of that notifier to the minimum to avoid
           interference between the work items spawned by it and the other
           PM notifiers during system resume (Rafael Wysocki)"
      
      * tag 'thermal-6.10-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        thermal: int340x: processor_thermal: Support shared interrupts
        thermal: core: Change PM notifier priority to the minimum
        thermal: core: Synchronize suspend-prepare and post-suspend actions
        thermal/drivers/mediatek/lvts_thermal: Return error in case of invalid efuse data
        thermal/drivers/mediatek/lvts_thermal: Remove filtered mode for mt8188
    • Merge tag 'dmaengine-fix-6.10' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/dmaengine · 66cc544f
      Linus Torvalds authored
      Pull dmaengine fixes from Vinod Koul:
      
       - kmemleak, error path handling and missing kmem_cache_destroy() fixes
         for ioatdma driver
      
       - use after free fix for idxd driver
      
       - data synchronisation fix for xdma isr handling
      
       - fsl driver channel constraints and linking two fsl module fixes
      
      * tag 'dmaengine-fix-6.10' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/dmaengine:
        dmaengine: ioatdma: Fix missing kmem_cache_destroy()
        dt-bindings: dma: fsl-edma: fix dma-channels constraints
        dmaengine: fsl-edma: avoid linking both modules
        dmaengine: ioatdma: Fix kmemleak in ioat_pci_probe()
        dmaengine: ioatdma: Fix error path in ioat3_dma_probe()
        dmaengine: ioatdma: Fix leaking on version mismatch
        dmaengine: ti: k3-udma-glue: Fix of_k3_udma_glue_parse_chn_by_id()
        dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list
        dmaengine: xilinx: xdma: Fix data synchronisation in xdma_channel_isr()