1. 27 Jun, 2024 22 commits
    • Linus Torvalds's avatar
      Merge tag 's390-6.10-7' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 6d6444ba
      Linus Torvalds authored
      Pull s390 updates from Alexander Gordeev:
      
       - Add missing virt_to_phys() conversion for directed interrupt bit
         vectors
      
       - Fix broken configuration change notifications for virtio-ccw
      
       - Fix sclp_init() cleanup path on failure and as result - fix a list
         double add warning
      
       - Fix unconditional adjusting of GOT entries containing undefined weak
         symbols that resolve to zero
      
      * tag 's390-6.10-7' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390/boot: Do not adjust GOT entries for undef weak sym
        s390/sclp: Fix sclp_init() cleanup on failure
        s390/virtio_ccw: Fix config change notifications
        s390/pci: Add missing virt_to_phys() for directed DIBV
      6d6444ba
    • Linus Torvalds's avatar
      Merge tag 'asm-generic-fixes-6.10' of... · adfbe364
      Linus Torvalds authored
      Merge tag 'asm-generic-fixes-6.10' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/asm-generic
      
      Pull asm-generic fixes from Arnd Bergmann:
       "These are some bugfixes for system call ABI issues I found while
        working on a cleanup series. None of these are urgent since these bugs
        have gone unnoticed for many years, but I think we probably want to
        backport them all to stable kernels, so it makes sense to have the
        fixes included as early as possible.
      
        One more fix addresses a compile-time warning in kallsyms that was
        uncovered by a patch I did to enable additional warnings in 6.10. I
        had mistakenly thought that this fix was already merged through the
        module tree, but as Geert pointed out it was still missing"
      
      * tag 'asm-generic-fixes-6.10' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/asm-generic:
        kallsyms: rework symbol lookup return codes
        linux/syscalls.h: add missing __user annotations
        syscalls: mmap(): use unsigned offset type consistently
        s390: remove native mmap2() syscall
        hexagon: fix fadvise64_64 calling conventions
        csky, hexagon: fix broken sys_sync_file_range
        sh: rework sync_file_range ABI
        powerpc: restore some missing spu syscalls
        parisc: use generic sys_fanotify_mark implementation
        parisc: use correct compat recv/recvfrom syscalls
        sparc: fix compat recv/recvfrom syscalls
        sparc: fix old compat_sys_select()
        syscalls: fix compat_sys_io_pgetevents_time64 usage
        ftruncate: pass a signed offset
      adfbe364
    • Linus Torvalds's avatar
      Merge tag 'for-6.10-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 66e55ff1
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
      
       - fix quota root leak after quota disable failure
      
       - fix condition when checking if a zone can be added as free
      
       - allocate inode in NOFS context during logging or tree-log replay
      
       - handle raid-stripe-tree lookup correctly during scrub
      
      * tag 'for-6.10-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: qgroup: fix quota root leak after quota disable failure
        btrfs: scrub: handle RST lookup error correctly
        btrfs: zoned: fix initial free space detection
        btrfs: use NOFS context when getting inodes during logging and log replay
      66e55ff1
    • Linus Torvalds's avatar
      Merge tag 'net-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · fd19d4a4
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
       "Including fixes from can, bpf and netfilter.
      
        There are a bunch of regressions addressed here, but hopefully nothing
        spectacular. We are still waiting the driver fix from Intel, mentioned
        by Jakub in the previous networking pull.
      
        Current release - regressions:
      
         - core: add softirq safety to netdev_rename_lock
      
         - tcp: fix tcp_rcv_fastopen_synack() to enter TCP_CA_Loss for failed
           TFO
      
         - batman-adv: fix RCU race at module unload time
      
        Previous releases - regressions:
      
         - openvswitch: get related ct labels from its master if it is not
           confirmed
      
         - eth: bonding: fix incorrect software timestamping report
      
         - eth: mlxsw: fix memory corruptions on spectrum-4 systems
      
         - eth: ionic: use dev_consume_skb_any outside of napi
      
        Previous releases - always broken:
      
         - netfilter: fully validate NFT_DATA_VALUE on store to data registers
      
         - unix: several fixes for OoB data
      
         - tcp: fix race for duplicate reqsk on identical SYN
      
         - bpf:
             - fix may_goto with negative offset
             - fix the corner case with may_goto and jump to the 1st insn
             - fix overrunning reservations in ringbuf
      
         - can:
             - j1939: recover socket queue on CAN bus error during BAM
               transmission
             - mcp251xfd: fix infinite loop when xmit fails
      
         - dsa: microchip: monitor potential faults in half-duplex mode
      
         - eth: vxlan: pull inner IP header in vxlan_xmit_one()
      
         - eth: ionic: fix kernel panic due to multi-buffer handling
      
        Misc:
      
         - selftest: unix tests refactor and a lot of new cases added"
      
      * tag 'net-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (61 commits)
        net: mana: Fix possible double free in error handling path
        selftest: af_unix: Check SIOCATMARK after every send()/recv() in msg_oob.c.
        af_unix: Fix wrong ioctl(SIOCATMARK) when consumed OOB skb is at the head.
        selftest: af_unix: Check EPOLLPRI after every send()/recv() in msg_oob.c
        selftest: af_unix: Check SIGURG after every send() in msg_oob.c
        selftest: af_unix: Add SO_OOBINLINE test cases in msg_oob.c
        af_unix: Don't stop recv() at consumed ex-OOB skb.
        selftest: af_unix: Add non-TCP-compliant test cases in msg_oob.c.
        af_unix: Don't stop recv(MSG_DONTWAIT) if consumed OOB skb is at the head.
        af_unix: Stop recv(MSG_PEEK) at consumed OOB skb.
        selftest: af_unix: Add msg_oob.c.
        selftest: af_unix: Remove test_unix_oob.c.
        tracing/net_sched: NULL pointer dereference in perf_trace_qdisc_reset()
        netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers
        net: usb: qmi_wwan: add Telit FN912 compositions
        tcp: fix tcp_rcv_fastopen_synack() to enter TCP_CA_Loss for failed TFO
        ionic: use dev_consume_skb_any outside of napi
        net: dsa: microchip: fix wrong register write when masking interrupt
        Fix race for duplicate reqsk on identical SYN
        ibmvnic: Add tx check to prevent skb leak
        ...
      fd19d4a4
    • Linus Torvalds's avatar
      Merge tag 'sound-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 3c1d29e5
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "This became bigger than usual, as it receives a pile of pending ASoC
        fixes. Most of changes are for device-specific issues while there are
        a few core fixes that are all rather trivial:
      
         - DMA-engine sync fixes
      
         - Continued MIDI2 conversion fixes
      
         - Various ASoC Intel SOF fixes
      
         - A series of ASoC topology fixes for memory handling
      
         - AMD ACP fix, curing a recent regression, too
      
         - Platform / codec-specific fixes for mediatek, atmel, realtek, etc"
      
      * tag 'sound-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (40 commits)
        ASoC: rt5645: fix issue of random interrupt from push-button
        ALSA: seq: Fix missing MSB in MIDI2 SPP conversion
        ASoC: amd: yc: Fix non-functional mic on ASUS M5602RA
        ALSA: hda/realtek: fix mute/micmute LEDs don't work for EliteBook 645/665 G11.
        ALSA: hda/realtek: Fix conflicting quirk for PCI SSID 17aa:3820
        ALSA: dmaengine_pcm: terminate dmaengine before synchronize
        ALSA: hda/relatek: Enable Mute LED on HP Laptop 15-gw0xxx
        ALSA: PCM: Allow resume only for suspended streams
        ALSA: seq: Fix missing channel at encoding RPN/NRPN MIDI2 messages
        ASoC: mediatek: mt8195: Add platform entry for ETDM1_OUT_BE dai link
        ASoC: fsl-asoc-card: set priv->pdev before using it
        ASoC: amd: acp: move chip->flag variable assignment
        ASoC: amd: acp: remove i2s configuration check in acp_i2s_probe()
        ASoC: amd: acp: add a null check for chip_pdev structure
        ASoC: Intel: soc-acpi: mtl: fix speaker no sound on Dell SKU 0C64
        ASoC: q6apm-lpass-dai: close graph on prepare errors
        ASoC: cs35l56: Disconnect ASP1 TX sources when ASP1 DAI is hooked up
        ASoC: topology: Fix route memory corruption
        ASoC: rt722-sdca-sdw: add debounce time for type detection
        ASoC: SOF: sof-audio: Skip unprepare for in-use widgets on error rollback
        ...
      3c1d29e5
    • Arnd Bergmann's avatar
      kallsyms: rework symbol lookup return codes · 7e1f4eb9
      Arnd Bergmann authored
      Building with W=1 in some configurations produces a false positive
      warning for kallsyms:
      
      kernel/kallsyms.c: In function '__sprint_symbol.isra':
      kernel/kallsyms.c:503:17: error: 'strcpy' source argument is the same as destination [-Werror=restrict]
        503 |                 strcpy(buffer, name);
            |                 ^~~~~~~~~~~~~~~~~~~~
      
      This originally showed up while building with -O3, but later started
      happening in other configurations as well, depending on inlining
      decisions. The underlying issue is that the local 'name' variable is
      always initialized to the be the same as 'buffer' in the called functions
      that fill the buffer, which gcc notices while inlining, though it could
      see that the address check always skips the copy.
      
      The calling conventions here are rather unusual, as all of the internal
      lookup functions (bpf_address_lookup, ftrace_mod_address_lookup,
      ftrace_func_address_lookup, module_address_lookup and
      kallsyms_lookup_buildid) already use the provided buffer and either return
      the address of that buffer to indicate success, or NULL for failure,
      but the callers are written to also expect an arbitrary other buffer
      to be returned.
      
      Rework the calling conventions to return the length of the filled buffer
      instead of its address, which is simpler and easier to follow as well
      as avoiding the warning. Leave only the kallsyms_lookup() calling conventions
      unchanged, since that is called from 16 different functions and
      adapting this would be a much bigger change.
      
      Link: https://lore.kernel.org/lkml/20200107214042.855757-1-arnd@arndb.de/
      Link: https://lore.kernel.org/lkml/20240326130647.7bfb1d92@gandalf.local.home/Tested-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Reviewed-by: default avatarLuis Chamberlain <mcgrof@kernel.org>
      Acked-by: default avatarSteven Rostedt (Google) <rostedt@goodmis.org>
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      7e1f4eb9
    • Paolo Abeni's avatar
      Merge tag 'nf-24-06-27' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · b62cb6a7
      Paolo Abeni authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains two Netfilter fixes for net:
      
      Patch #1 fixes CONFIG_SYSCTL=n for a patch coming in the previous PR
      	 to move the sysctl toggle to enable SRv6 netfilter hooks from
      	 nf_conntrack to the core, from Jianguo Wu.
      
      Patch #2 fixes a possible pointer leak to userspace due to insufficient
      	 validation of NFT_DATA_VALUE.
      
      Linus found this pointer leak to userspace via zdi-disclosures@ and
      forwarded the notice to Netfilter maintainers, he appears as reporter
      because whoever found this issue never approached Netfilter
      maintainers neither via security@ nor in private.
      
      netfilter pull request 24-06-27
      
      * tag 'nf-24-06-27' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
        netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers
        netfilter: fix undefined reference to 'netfilter_lwtunnel_*' when CONFIG_SYSCTL=n
      ====================
      
      Link: https://patch.msgid.link/20240626233845.151197-1-pablo@netfilter.orgSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      b62cb6a7
    • Ma Ke's avatar
      net: mana: Fix possible double free in error handling path · 1864b822
      Ma Ke authored
      When auxiliary_device_add() returns error and then calls
      auxiliary_device_uninit(), callback function adev_release
      calls kfree(madev). We shouldn't call kfree(madev) again
      in the error handling path. Set 'madev' to NULL.
      
      Fixes: a69839d4 ("net: mana: Add support for auxiliary device")
      Signed-off-by: default avatarMa Ke <make24@iscas.ac.cn>
      Link: https://patch.msgid.link/20240625130314.2661257-1-make24@iscas.ac.cnSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      1864b822
    • Paolo Abeni's avatar
      Merge branch 'af_unix-fix-bunch-of-msg_oob-bugs-and-add-new-tests' · 3f4d9e4f
      Paolo Abeni authored
      Kuniyuki Iwashima says:
      
      ====================
      af_unix: Fix bunch of MSG_OOB bugs and add new tests.
      
      This series rewrites the selftest for AF_UNIX MSG_OOB and fixes
      bunch of bugs that AF_UNIX behaves differently compared to TCP.
      
      Note that the test discovered few more bugs in TCP side, which
      will be fixed in another series.
      ====================
      
      Link: https://lore.kernel.org/r/20240625013645.45034-1-kuniyu@amazon.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      3f4d9e4f
    • Kuniyuki Iwashima's avatar
      selftest: af_unix: Check SIOCATMARK after every send()/recv() in msg_oob.c. · 91b7186c
      Kuniyuki Iwashima authored
      To catch regression, let's check ioctl(SIOCATMARK) after every
      send() and recv() calls.
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      91b7186c
    • Kuniyuki Iwashima's avatar
      af_unix: Fix wrong ioctl(SIOCATMARK) when consumed OOB skb is at the head. · e400cfa3
      Kuniyuki Iwashima authored
      Even if OOB data is recv()ed, ioctl(SIOCATMARK) must return 1 when the
      OOB skb is at the head of the receive queue and no new OOB data is queued.
      
      Without fix:
      
        #  RUN           msg_oob.no_peek.oob ...
        # msg_oob.c:305:oob:Expected answ[0] (0) == oob_head (1)
        # oob: Test terminated by assertion
        #          FAIL  msg_oob.no_peek.oob
        not ok 2 msg_oob.no_peek.oob
      
      With fix:
      
        #  RUN           msg_oob.no_peek.oob ...
        #            OK  msg_oob.no_peek.oob
        ok 2 msg_oob.no_peek.oob
      
      Fixes: 314001f0 ("af_unix: Add OOB support")
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      e400cfa3
    • Kuniyuki Iwashima's avatar
      selftest: af_unix: Check EPOLLPRI after every send()/recv() in msg_oob.c · 48a99837
      Kuniyuki Iwashima authored
      When OOB data is in recvq, we can detect it with epoll by checking
      EPOLLPRI.
      
      This patch add checks for EPOLLPRI after every send() and recv() in
      all test cases.
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      48a99837
    • Kuniyuki Iwashima's avatar
      selftest: af_unix: Check SIGURG after every send() in msg_oob.c · d02689e6
      Kuniyuki Iwashima authored
      When data is sent with MSG_OOB, SIGURG is sent to a process if the
      receiver socket has set its owner to the process by ioctl(FIOSETOWN)
      or fcntl(F_SETOWN).
      
      This patch adds SIGURG check after every send(MSG_OOB) call.
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      d02689e6
    • Kuniyuki Iwashima's avatar
      selftest: af_unix: Add SO_OOBINLINE test cases in msg_oob.c · 436352e8
      Kuniyuki Iwashima authored
      When SO_OOBINLINE is enabled on a socket, MSG_OOB can be recv()ed
      without MSG_OOB flag, and ioctl(SIOCATMARK) will behaves differently.
      
      This patch adds some test cases for SO_OOBINLINE.
      
      Note the new test cases found two bugs in TCP.
      
        1) After reading OOB data with non-inline mode, we can re-read
           the data by setting SO_OOBINLINE.
      
        #  RUN           msg_oob.no_peek.inline_oob_ahead_break ...
        # msg_oob.c:146:inline_oob_ahead_break:AF_UNIX :world
        # msg_oob.c:147:inline_oob_ahead_break:TCP     :oworld
        #            OK  msg_oob.no_peek.inline_oob_ahead_break
        ok 14 msg_oob.no_peek.inline_oob_ahead_break
      
        2) The head OOB data is dropped if SO_OOBINLINE is disabled
           if a new OOB data is queued.
      
        #  RUN           msg_oob.no_peek.inline_ex_oob_drop ...
        # msg_oob.c:171:inline_ex_oob_drop:AF_UNIX :x
        # msg_oob.c:172:inline_ex_oob_drop:TCP     :y
        # msg_oob.c:146:inline_ex_oob_drop:AF_UNIX :y
        # msg_oob.c:147:inline_ex_oob_drop:TCP     :Resource temporarily unavailable
        #            OK  msg_oob.no_peek.inline_ex_oob_drop
        ok 17 msg_oob.no_peek.inline_ex_oob_drop
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      436352e8
    • Kuniyuki Iwashima's avatar
      af_unix: Don't stop recv() at consumed ex-OOB skb. · 36893ef0
      Kuniyuki Iwashima authored
      Currently, recv() is stopped at a consumed OOB skb even if a new
      OOB skb is queued and we can ignore the old OOB skb.
      
        >>> from socket import *
        >>> c1, c2 = socket(AF_UNIX, SOCK_STREAM)
        >>> c1.send(b'hellowor', MSG_OOB)
        8
        >>> c2.recv(1, MSG_OOB)  # consume OOB data stays at middle of recvq.
        b'r'
        >>> c1.send(b'ld', MSG_OOB)
        2
        >>> c2.recv(10)          # recv() stops at the old consumed OOB
        b'hellowo'               # should be 'hellowol'
      
      manage_oob() should not stop recv() at the old consumed OOB skb if
      there is a new OOB data queued.
      
      Note that TCP behaviour is apparently wrong in this test case because
      we can recv() the same OOB data twice.
      
      Without fix:
      
        #  RUN           msg_oob.no_peek.ex_oob_ahead_break ...
        # msg_oob.c:138:ex_oob_ahead_break:AF_UNIX :hellowo
        # msg_oob.c:139:ex_oob_ahead_break:Expected:hellowol
        # msg_oob.c:141:ex_oob_ahead_break:Expected ret[0] (7) == expected_len (8)
        # ex_oob_ahead_break: Test terminated by assertion
        #          FAIL  msg_oob.no_peek.ex_oob_ahead_break
        not ok 11 msg_oob.no_peek.ex_oob_ahead_break
      
      With fix:
      
        #  RUN           msg_oob.no_peek.ex_oob_ahead_break ...
        # msg_oob.c:146:ex_oob_ahead_break:AF_UNIX :hellowol
        # msg_oob.c:147:ex_oob_ahead_break:TCP     :helloworl
        #            OK  msg_oob.no_peek.ex_oob_ahead_break
        ok 11 msg_oob.no_peek.ex_oob_ahead_break
      
      Fixes: 314001f0 ("af_unix: Add OOB support")
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      36893ef0
    • Kuniyuki Iwashima's avatar
      selftest: af_unix: Add non-TCP-compliant test cases in msg_oob.c. · f5ea0768
      Kuniyuki Iwashima authored
      While testing, I found some weird behaviour on the TCP side as well.
      
      For example, TCP drops the preceding OOB data when queueing a new
      OOB data if the old OOB data is at the head of recvq.
      
        #  RUN           msg_oob.no_peek.ex_oob_drop ...
        # msg_oob.c:146:ex_oob_drop:AF_UNIX :x
        # msg_oob.c:147:ex_oob_drop:TCP     :Resource temporarily unavailable
        # msg_oob.c:146:ex_oob_drop:AF_UNIX :y
        # msg_oob.c:147:ex_oob_drop:TCP     :Invalid argument
        #            OK  msg_oob.no_peek.ex_oob_drop
        ok 9 msg_oob.no_peek.ex_oob_drop
      
        #  RUN           msg_oob.no_peek.ex_oob_drop_2 ...
        # msg_oob.c:146:ex_oob_drop_2:AF_UNIX :x
        # msg_oob.c:147:ex_oob_drop_2:TCP     :Resource temporarily unavailable
        #            OK  msg_oob.no_peek.ex_oob_drop_2
        ok 10 msg_oob.no_peek.ex_oob_drop_2
      
      This patch allows AF_UNIX's MSG_OOB implementation to produce different
      results from TCP when operations are guarded with tcp_incompliant{}.
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      f5ea0768
    • Kuniyuki Iwashima's avatar
      af_unix: Don't stop recv(MSG_DONTWAIT) if consumed OOB skb is at the head. · 93c99f21
      Kuniyuki Iwashima authored
      Let's say a socket send()s "hello" with MSG_OOB and "world" without flags,
      
        >>> from socket import *
        >>> c1, c2 = socketpair(AF_UNIX)
        >>> c1.send(b'hello', MSG_OOB)
        5
        >>> c1.send(b'world')
        5
      
      and its peer recv()s "hell" and "o".
      
        >>> c2.recv(10)
        b'hell'
        >>> c2.recv(1, MSG_OOB)
        b'o'
      
      Now the consumed OOB skb stays at the head of recvq to return a correct
      value for ioctl(SIOCATMARK), which is broken now and fixed by a later
      patch.
      
      Then, if peer issues recv() with MSG_DONTWAIT, manage_oob() returns NULL,
      so recv() ends up with -EAGAIN.
      
        >>> c2.setblocking(False)  # This causes -EAGAIN even with available data
        >>> c2.recv(5)
        Traceback (most recent call last):
          File "<stdin>", line 1, in <module>
        BlockingIOError: [Errno 11] Resource temporarily unavailable
      
      However, next recv() will return the following available data, "world".
      
        >>> c2.recv(5)
        b'world'
      
      When the consumed OOB skb is at the head of the queue, we need to fetch
      the next skb to fix the weird behaviour.
      
      Note that the issue does not happen without MSG_DONTWAIT because we can
      retry after manage_oob().
      
      This patch also adds a test case that covers the issue.
      
      Without fix:
      
        #  RUN           msg_oob.no_peek.ex_oob_break ...
        # msg_oob.c:134:ex_oob_break:AF_UNIX :Resource temporarily unavailable
        # msg_oob.c:135:ex_oob_break:Expected:ld
        # msg_oob.c:137:ex_oob_break:Expected ret[0] (-1) == expected_len (2)
        # ex_oob_break: Test terminated by assertion
        #          FAIL  msg_oob.no_peek.ex_oob_break
        not ok 8 msg_oob.no_peek.ex_oob_break
      
      With fix:
      
        #  RUN           msg_oob.no_peek.ex_oob_break ...
        #            OK  msg_oob.no_peek.ex_oob_break
        ok 8 msg_oob.no_peek.ex_oob_break
      
      Fixes: 314001f0 ("af_unix: Add OOB support")
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      93c99f21
    • Kuniyuki Iwashima's avatar
      af_unix: Stop recv(MSG_PEEK) at consumed OOB skb. · b94038d8
      Kuniyuki Iwashima authored
      After consuming OOB data, recv() reading the preceding data must break at
      the OOB skb regardless of MSG_PEEK.
      
      Currently, MSG_PEEK does not stop recv() for AF_UNIX, and the behaviour is
      not compliant with TCP.
      
        >>> from socket import *
        >>> c1, c2 = socketpair(AF_UNIX)
        >>> c1.send(b'hello', MSG_OOB)
        5
        >>> c1.send(b'world')
        5
        >>> c2.recv(1, MSG_OOB)
        b'o'
        >>> c2.recv(9, MSG_PEEK)  # This should return b'hell'
        b'hellworld'              # even with enough buffer.
      
      Let's fix it by returning NULL for consumed skb and unlinking it only if
      MSG_PEEK is not specified.
      
      This patch also adds test cases that add recv(MSG_PEEK) before each recv().
      
      Without fix:
      
        #  RUN           msg_oob.peek.oob_ahead_break ...
        # msg_oob.c:134:oob_ahead_break:AF_UNIX :hellworld
        # msg_oob.c:135:oob_ahead_break:Expected:hell
        # msg_oob.c:137:oob_ahead_break:Expected ret[0] (9) == expected_len (4)
        # oob_ahead_break: Test terminated by assertion
        #          FAIL  msg_oob.peek.oob_ahead_break
        not ok 13 msg_oob.peek.oob_ahead_break
      
      With fix:
      
        #  RUN           msg_oob.peek.oob_ahead_break ...
        #            OK  msg_oob.peek.oob_ahead_break
        ok 13 msg_oob.peek.oob_ahead_break
      
      Fixes: 314001f0 ("af_unix: Add OOB support")
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      b94038d8
    • Kuniyuki Iwashima's avatar
      selftest: af_unix: Add msg_oob.c. · d098d772
      Kuniyuki Iwashima authored
      AF_UNIX's MSG_OOB functionality lacked thorough testing, and we found
      some bizarre behaviour.
      
      The new selftest validates every MSG_OOB operation against TCP as a
      reference implementation.
      
      This patch adds only a few tests with basic send() and recv() that
      do not fail.
      
      The following patches will add more test cases for SO_OOBINLINE, SIGURG,
      EPOLLPRI, and SIOCATMARK.
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      d098d772
    • Kuniyuki Iwashima's avatar
      selftest: af_unix: Remove test_unix_oob.c. · 7d139181
      Kuniyuki Iwashima authored
      test_unix_oob.c does not fully cover AF_UNIX's MSG_OOB functionality,
      thus there are discrepancies between TCP behaviour.
      
      Also, the test uses fork() to create message producer, and it's not
      easy to understand and add more test cases.
      
      Let's remove test_unix_oob.c and rewrite a new test.
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      7d139181
    • Yunseong Kim's avatar
      tracing/net_sched: NULL pointer dereference in perf_trace_qdisc_reset() · bab49231
      Yunseong Kim authored
      In the TRACE_EVENT(qdisc_reset) NULL dereference occurred from
      
       qdisc->dev_queue->dev <NULL> ->name
      
      This situation simulated from bunch of veths and Bluetooth disconnection
      and reconnection.
      
      During qdisc initialization, qdisc was being set to noop_queue.
      In veth_init_queue, the initial tx_num was reduced back to one,
      causing the qdisc reset to be called with noop, which led to the kernel
      panic.
      
      I've attached the GitHub gist link that C converted syz-execprogram
      source code and 3 log of reproduced vmcore-dmesg.
      
       https://gist.github.com/yskelg/cc64562873ce249cdd0d5a358b77d740
      
      Yeoreum and I use two fuzzing tool simultaneously.
      
      One process with syz-executor : https://github.com/google/syzkaller
      
       $ ./syz-execprog -executor=./syz-executor -repeat=1 -sandbox=setuid \
          -enable=none -collide=false log1
      
      The other process with perf fuzzer:
       https://github.com/deater/perf_event_tests/tree/master/fuzzer
      
       $ perf_event_tests/fuzzer/perf_fuzzer
      
      I think this will happen on the kernel version.
      
       Linux kernel version +v6.7.10, +v6.8, +v6.9 and it could happen in v6.10.
      
      This occurred from 51270d57. I think this patch is absolutely
      necessary. Previously, It was showing not intended string value of name.
      
      I've reproduced 3 time from my fedora 40 Debug Kernel with any other module
      or patched.
      
       version: 6.10.0-0.rc2.20240608gitdc772f82.29.fc41.aarch64+debug
      
      [ 5287.164555] veth0_vlan: left promiscuous mode
      [ 5287.164929] veth1_macvtap: left promiscuous mode
      [ 5287.164950] veth0_macvtap: left promiscuous mode
      [ 5287.164983] veth1_vlan: left promiscuous mode
      [ 5287.165008] veth0_vlan: left promiscuous mode
      [ 5287.165450] veth1_macvtap: left promiscuous mode
      [ 5287.165472] veth0_macvtap: left promiscuous mode
      [ 5287.165502] veth1_vlan: left promiscuous mode
      …
      [ 5297.598240] bridge0: port 2(bridge_slave_1) entered blocking state
      [ 5297.598262] bridge0: port 2(bridge_slave_1) entered forwarding state
      [ 5297.598296] bridge0: port 1(bridge_slave_0) entered blocking state
      [ 5297.598313] bridge0: port 1(bridge_slave_0) entered forwarding state
      [ 5297.616090] 8021q: adding VLAN 0 to HW filter on device bond0
      [ 5297.620405] bridge0: port 1(bridge_slave_0) entered disabled state
      [ 5297.620730] bridge0: port 2(bridge_slave_1) entered disabled state
      [ 5297.627247] 8021q: adding VLAN 0 to HW filter on device team0
      [ 5297.629636] bridge0: port 1(bridge_slave_0) entered blocking state
      …
      [ 5298.002798] bridge_slave_0: left promiscuous mode
      [ 5298.002869] bridge0: port 1(bridge_slave_0) entered disabled state
      [ 5298.309444] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
      [ 5298.315206] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
      [ 5298.320207] bond0 (unregistering): Released all slaves
      [ 5298.354296] hsr_slave_0: left promiscuous mode
      [ 5298.360750] hsr_slave_1: left promiscuous mode
      [ 5298.374889] veth1_macvtap: left promiscuous mode
      [ 5298.374931] veth0_macvtap: left promiscuous mode
      [ 5298.374988] veth1_vlan: left promiscuous mode
      [ 5298.375024] veth0_vlan: left promiscuous mode
      [ 5299.109741] team0 (unregistering): Port device team_slave_1 removed
      [ 5299.185870] team0 (unregistering): Port device team_slave_0 removed
      …
      [ 5300.155443] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
      [ 5300.155724] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
      [ 5300.155988] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
      ….
      [ 5301.075531] team0: Port device team_slave_1 added
      [ 5301.085515] bridge0: port 1(bridge_slave_0) entered blocking state
      [ 5301.085531] bridge0: port 1(bridge_slave_0) entered disabled state
      [ 5301.085588] bridge_slave_0: entered allmulticast mode
      [ 5301.085800] bridge_slave_0: entered promiscuous mode
      [ 5301.095617] bridge0: port 1(bridge_slave_0) entered blocking state
      [ 5301.095633] bridge0: port 1(bridge_slave_0) entered disabled state
      …
      [ 5301.149734] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
      [ 5301.173234] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
      [ 5301.180517] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
      [ 5301.193481] hsr_slave_0: entered promiscuous mode
      [ 5301.204425] hsr_slave_1: entered promiscuous mode
      [ 5301.210172] debugfs: Directory 'hsr0' with parent 'hsr' already present!
      [ 5301.210185] Cannot create hsr debugfs directory
      [ 5301.224061] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
      [ 5301.246901] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
      [ 5301.255934] team0: Port device team_slave_0 added
      [ 5301.256480] team0: Port device team_slave_1 added
      [ 5301.256948] team0: Port device team_slave_0 added
      …
      [ 5301.435928] hsr_slave_0: entered promiscuous mode
      [ 5301.446029] hsr_slave_1: entered promiscuous mode
      [ 5301.455872] debugfs: Directory 'hsr0' with parent 'hsr' already present!
      [ 5301.455884] Cannot create hsr debugfs directory
      [ 5301.502664] hsr_slave_0: entered promiscuous mode
      [ 5301.513675] hsr_slave_1: entered promiscuous mode
      [ 5301.526155] debugfs: Directory 'hsr0' with parent 'hsr' already present!
      [ 5301.526164] Cannot create hsr debugfs directory
      [ 5301.563662] hsr_slave_0: entered promiscuous mode
      [ 5301.576129] hsr_slave_1: entered promiscuous mode
      [ 5301.580259] debugfs: Directory 'hsr0' with parent 'hsr' already present!
      [ 5301.580270] Cannot create hsr debugfs directory
      [ 5301.590269] 8021q: adding VLAN 0 to HW filter on device bond0
      
      [ 5301.595872] KASAN: null-ptr-deref in range [0x0000000000000130-0x0000000000000137]
      [ 5301.595877] Mem abort info:
      [ 5301.595881]   ESR = 0x0000000096000006
      [ 5301.595885]   EC = 0x25: DABT (current EL), IL = 32 bits
      [ 5301.595889]   SET = 0, FnV = 0
      [ 5301.595893]   EA = 0, S1PTW = 0
      [ 5301.595896]   FSC = 0x06: level 2 translation fault
      [ 5301.595900] Data abort info:
      [ 5301.595903]   ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000
      [ 5301.595907]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
      [ 5301.595911]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
      [ 5301.595915] [dfff800000000026] address between user and kernel address ranges
      [ 5301.595971] Internal error: Oops: 0000000096000006 [#1] SMP
      …
      [ 5301.596076] CPU: 2 PID: 102769 Comm:
      syz-executor.3 Kdump: loaded Tainted:
       G        W         -------  ---  6.10.0-0.rc2.20240608gitdc772f82.29.fc41.aarch64+debug #1
      [ 5301.596080] Hardware name: VMware, Inc. VMware20,1/VBSA,
       BIOS VMW201.00V.21805430.BA64.2305221830 05/22/2023
      [ 5301.596082] pstate: 01400005 (nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
      [ 5301.596085] pc : strnlen+0x40/0x88
      [ 5301.596114] lr : trace_event_get_offsets_qdisc_reset+0x6c/0x2b0
      [ 5301.596124] sp : ffff8000beef6b40
      [ 5301.596126] x29: ffff8000beef6b40 x28: dfff800000000000 x27: 0000000000000001
      [ 5301.596131] x26: 6de1800082c62bd0 x25: 1ffff000110aa9e0 x24: ffff800088554f00
      [ 5301.596136] x23: ffff800088554ec0 x22: 0000000000000130 x21: 0000000000000140
      [ 5301.596140] x20: dfff800000000000 x19: ffff8000beef6c60 x18: ffff7000115106d8
      [ 5301.596143] x17: ffff800121bad000 x16: ffff800080020000 x15: 0000000000000006
      [ 5301.596147] x14: 0000000000000002 x13: ffff0001f3ed8d14 x12: ffff700017ddeda5
      [ 5301.596151] x11: 1ffff00017ddeda4 x10: ffff700017ddeda4 x9 : ffff800082cc5eec
      [ 5301.596155] x8 : 0000000000000004 x7 : 00000000f1f1f1f1 x6 : 00000000f2f2f200
      [ 5301.596158] x5 : 00000000f3f3f3f3 x4 : ffff700017dded80 x3 : 00000000f204f1f1
      [ 5301.596162] x2 : 0000000000000026 x1 : 0000000000000000 x0 : 0000000000000130
      [ 5301.596166] Call trace:
      [ 5301.596175]  strnlen+0x40/0x88
      [ 5301.596179]  trace_event_get_offsets_qdisc_reset+0x6c/0x2b0
      [ 5301.596182]  perf_trace_qdisc_reset+0xb0/0x538
      [ 5301.596184]  __traceiter_qdisc_reset+0x68/0xc0
      [ 5301.596188]  qdisc_reset+0x43c/0x5e8
      [ 5301.596190]  netif_set_real_num_tx_queues+0x288/0x770
      [ 5301.596194]  veth_init_queues+0xfc/0x130 [veth]
      [ 5301.596198]  veth_newlink+0x45c/0x850 [veth]
      [ 5301.596202]  rtnl_newlink_create+0x2c8/0x798
      [ 5301.596205]  __rtnl_newlink+0x92c/0xb60
      [ 5301.596208]  rtnl_newlink+0xd8/0x130
      [ 5301.596211]  rtnetlink_rcv_msg+0x2e0/0x890
      [ 5301.596214]  netlink_rcv_skb+0x1c4/0x380
      [ 5301.596225]  rtnetlink_rcv+0x20/0x38
      [ 5301.596227]  netlink_unicast+0x3c8/0x640
      [ 5301.596231]  netlink_sendmsg+0x658/0xa60
      [ 5301.596234]  __sock_sendmsg+0xd0/0x180
      [ 5301.596243]  __sys_sendto+0x1c0/0x280
      [ 5301.596246]  __arm64_sys_sendto+0xc8/0x150
      [ 5301.596249]  invoke_syscall+0xdc/0x268
      [ 5301.596256]  el0_svc_common.constprop.0+0x16c/0x240
      [ 5301.596259]  do_el0_svc+0x48/0x68
      [ 5301.596261]  el0_svc+0x50/0x188
      [ 5301.596265]  el0t_64_sync_handler+0x120/0x130
      [ 5301.596268]  el0t_64_sync+0x194/0x198
      [ 5301.596272] Code: eb15001f 54000120 d343fc02 12000801 (38f46842)
      [ 5301.596285] SMP: stopping secondary CPUs
      [ 5301.597053] Starting crashdump kernel...
      [ 5301.597057] Bye!
      
      After applying our patch, I didn't find any kernel panic errors.
      
      We've found a simple reproducer
      
       # echo 1 > /sys/kernel/debug/tracing/events/qdisc/qdisc_reset/enable
      
       # ip link add veth0 type veth peer name veth1
      
       Error: Unknown device type.
      
      However, without our patch applied, I tested upstream 6.10.0-rc3 kernel
      using the qdisc_reset event and the ip command on my qemu virtual machine.
      
      This 2 commands makes always kernel panic.
      
      Linux version: 6.10.0-rc3
      
      [    0.000000] Linux version 6.10.0-rc3-00164-g44ef20ba-dirty
      (paran@fedora) (gcc (GCC) 14.1.1 20240522 (Red Hat 14.1.1-4), GNU ld
      version 2.41-34.fc40) #20 SMP PREEMPT Sat Jun 15 16:51:25 KST 2024
      
      Kernel panic message:
      
      [  615.236484] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
      [  615.237250] Dumping ftrace buffer:
      [  615.237679]    (ftrace buffer empty)
      [  615.238097] Modules linked in: veth crct10dif_ce virtio_gpu
      virtio_dma_buf drm_shmem_helper drm_kms_helper zynqmp_fpga xilinx_can
      xilinx_spi xilinx_selectmap xilinx_core xilinx_pr_decoupler versal_fpga
      uvcvideo uvc videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videodev
      videobuf2_common mc usbnet deflate zstd ubifs ubi rcar_canfd rcar_can
      omap_mailbox ntb_msi_test ntb_hw_epf lattice_sysconfig_spi
      lattice_sysconfig ice40_spi gpio_xilinx dwmac_altr_socfpga mdio_regmap
      stmmac_platform stmmac pcs_xpcs dfl_fme_region dfl_fme_mgr dfl_fme_br
      dfl_afu dfl fpga_region fpga_bridge can can_dev br_netfilter bridge stp
      llc atl1c ath11k_pci mhi ath11k_ahb ath11k qmi_helpers ath10k_sdio
      ath10k_pci ath10k_core ath mac80211 libarc4 cfg80211 drm fuse backlight ipv6
      Jun 22 02:36:5[3   6k152.62-4sm98k4-0k]v  kCePUr:n e1l :P IUDn:a b4le6
      8t oC ohmma: nidpl eN oketr nteali nptaedg i6n.g1 0re.0q-urecs3t- 0at0
      1v6i4r-tgu4a4le fa2d0dbraeeds0se-dir tyd f#f2f08
        615.252376] Hardware name: linux,dummy-virt (DT)
      [  615.253220] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS
      BTYPE=--)
      [  615.254433] pc : strnlen+0x6c/0xe0
      [  615.255096] lr : trace_event_get_offsets_qdisc_reset+0x94/0x3d0
      [  615.256088] sp : ffff800080b269a0
      [  615.256615] x29: ffff800080b269a0 x28: ffffc070f3f98500 x27:
      0000000000000001
      [  615.257831] x26: 0000000000000010 x25: ffffc070f3f98540 x24:
      ffffc070f619cf60
      [  615.259020] x23: 0000000000000128 x22: 0000000000000138 x21:
      dfff800000000000
      [  615.260241] x20: ffffc070f631ad00 x19: 0000000000000128 x18:
      ffffc070f448b800
      [  615.261454] x17: 0000000000000000 x16: 0000000000000001 x15:
      ffffc070f4ba2a90
      [  615.262635] x14: ffff700010164d73 x13: 1ffff80e1e8d5eb3 x12:
      1ffff00010164d72
      [  615.263877] x11: ffff700010164d72 x10: dfff800000000000 x9 :
      ffffc070e85d6184
      [  615.265047] x8 : ffffc070e4402070 x7 : 000000000000f1f1 x6 :
      000000001504a6d3
      [  615.266336] x5 : ffff28ca21122140 x4 : ffffc070f5043ea8 x3 :
      0000000000000000
      [  615.267528] x2 : 0000000000000025 x1 : 0000000000000000 x0 :
      0000000000000000
      [  615.268747] Call trace:
      [  615.269180]  strnlen+0x6c/0xe0
      [  615.269767]  trace_event_get_offsets_qdisc_reset+0x94/0x3d0
      [  615.270716]  trace_event_raw_event_qdisc_reset+0xe8/0x4e8
      [  615.271667]  __traceiter_qdisc_reset+0xa0/0x140
      [  615.272499]  qdisc_reset+0x554/0x848
      [  615.273134]  netif_set_real_num_tx_queues+0x360/0x9a8
      [  615.274050]  veth_init_queues+0x110/0x220 [veth]
      [  615.275110]  veth_newlink+0x538/0xa50 [veth]
      [  615.276172]  __rtnl_newlink+0x11e4/0x1bc8
      [  615.276944]  rtnl_newlink+0xac/0x120
      [  615.277657]  rtnetlink_rcv_msg+0x4e4/0x1370
      [  615.278409]  netlink_rcv_skb+0x25c/0x4f0
      [  615.279122]  rtnetlink_rcv+0x48/0x70
      [  615.279769]  netlink_unicast+0x5a8/0x7b8
      [  615.280462]  netlink_sendmsg+0xa70/0x1190
      
      Yeoreum and I don't know if the patch we wrote will fix the underlying
      cause, but we think that priority is to prevent kernel panic happening.
      So, we're sending this patch.
      
      Fixes: 51270d57 ("tracing/net_sched: Fix tracepoints that save qdisc_dev() as a string")
      Link: https://lore.kernel.org/lkml/20240229143432.273b4871@gandalf.local.home/t/
      Cc: netdev@vger.kernel.org
      Tested-by: default avatarYunseong Kim <yskelg@gmail.com>
      Signed-off-by: default avatarYunseong Kim <yskelg@gmail.com>
      Signed-off-by: default avatarYeoreum Yun <yeoreum.yun@arm.com>
      Link: https://lore.kernel.org/r/20240624173320.24945-4-yskelg@gmail.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      bab49231
    • Linus Torvalds's avatar
      Merge tag 'mm-hotfixes-stable-2024-06-26-17-28' of... · afcd4813
      Linus Torvalds authored
      Merge tag 'mm-hotfixes-stable-2024-06-26-17-28' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
      
      Pull misc fixes from Andrew Morton:
       "13 hotfixes, 7 are cc:stable.
      
        All are MM related apart from a MAINTAINERS update. There is no
        identifiable theme here - just singleton patches in various places"
      
      * tag 'mm-hotfixes-stable-2024-06-26-17-28' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm:
        mm/memory: don't require head page for do_set_pmd()
        mm/page_alloc: Separate THP PCP into movable and non-movable categories
        nfs: drop the incorrect assertion in nfs_swap_rw()
        mm/migrate: make migrate_pages_batch() stats consistent
        MAINTAINERS: TPM DEVICE DRIVER: update the W-tag
        selftests/mm:fix test_prctl_fork_exec return failure
        mm: convert page type macros to enum
        ocfs2: fix DIO failure due to insufficient transaction credits
        kasan: fix bad call to unpoison_slab_object
        mm: handle profiling for fake memory allocations during compaction
        mm/slab: fix 'variable obj_exts set but not used' warning
        /proc/pid/smaps: add mseal info for vma
        mm: fix incorrect vbq reference in purge_fragmented_block
      afcd4813
  2. 26 Jun, 2024 10 commits
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers · 7931d329
      Pablo Neira Ayuso authored
      register store validation for NFT_DATA_VALUE is conditional, however,
      the datatype is always either NFT_DATA_VALUE or NFT_DATA_VERDICT. This
      only requires a new helper function to infer the register type from the
      set datatype so this conditional check can be removed. Otherwise,
      pointer to chain object can be leaked through the registers.
      
      Fixes: 96518518 ("netfilter: add nftables")
      Reported-by: default avatarLinus Torvalds <torvalds@linuxfoundation.org>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      7931d329
    • Linus Torvalds's avatar
      Merge tag 'wq-for-6.10-rc5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq · 24ca36a5
      Linus Torvalds authored
      Pull workqueue fixes from Tejun Heo:
       "Two patches to fix kworker name formatting"
      
      * tag 'wq-for-6.10-rc5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq:
        workqueue: Increase worker desc's length to 32
        workqueue: Refactor worker ID formatting and make wq_worker_comm() use full ID string
      24ca36a5
    • Takashi Iwai's avatar
      Merge tag 'asoc-fix-v6.10-rc5' of... · 4b3e3810
      Takashi Iwai authored
      Merge tag 'asoc-fix-v6.10-rc5' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
      
      ASoC: Fixes for v6.10
      
      A relatively large batch of updates, largely due to the long interval
      since I last sent fixes due to various travel and holidays.  There's a
      lot of driver specific fixes and quirks in here, none of them too major,
      and also some fixes for recently introduced memory safety issues in the
      topology code.
      4b3e3810
    • Jack Yu's avatar
      ASoC: rt5645: fix issue of random interrupt from push-button · 68f97fe3
      Jack Yu authored
      Modify register setting sequence of enabling inline command
      to fix issue of random interrupt from push-button.
      Signed-off-by: default avatarJack Yu <jack.yu@realtek.com>
      Link: https://patch.msgid.link/9a7a3a66cbcb426487ca6f558f45e922@realtek.comSigned-off-by: default avatarMark Brown <broonie@kernel.org>
      68f97fe3
    • Takashi Iwai's avatar
      ALSA: seq: Fix missing MSB in MIDI2 SPP conversion · 9d65ab60
      Takashi Iwai authored
      The conversion of SPP to MIDI2 UMP called a wrong function, and the
      secondary argument wasn't taken.  As a result, MSB of SPP was always
      zero.  Fix to call the right function.
      
      Fixes: e9e02819 ("ALSA: seq: Automatic conversion of UMP events")
      Link: https://patch.msgid.link/20240626145141.16648-1-tiwai@suse.deSigned-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      9d65ab60
    • Daniele Palmas's avatar
      net: usb: qmi_wwan: add Telit FN912 compositions · 77453e2b
      Daniele Palmas authored
      Add the following Telit FN912 compositions:
      
      0x3000: rmnet + tty (AT/NMEA) + tty (AT) + tty (diag)
      T:  Bus=03 Lev=01 Prnt=03 Port=07 Cnt=01 Dev#=  8 Spd=480  MxCh= 0
      D:  Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=1bc7 ProdID=3000 Rev=05.15
      S:  Manufacturer=Telit Cinterion
      S:  Product=FN912
      S:  SerialNumber=92c4c4d8
      C:  #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
      E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
      I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
      E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
      I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
      E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
      I:  If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
      E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      
      0x3001: rmnet + tty (AT) + tty (diag) + DPL (data packet logging) + adb
      T:  Bus=03 Lev=01 Prnt=03 Port=07 Cnt=01 Dev#=  7 Spd=480  MxCh= 0
      D:  Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=1bc7 ProdID=3001 Rev=05.15
      S:  Manufacturer=Telit Cinterion
      S:  Product=FN912
      S:  SerialNumber=92c4c4d8
      C:  #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
      E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
      I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
      E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
      I:  If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
      E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:  If#= 3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
      E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:  If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs
      E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      Signed-off-by: default avatarDaniele Palmas <dnlplm@gmail.com>
      Acked-by: default avatarBjørn Mork <bjorn@mork.no>
      Link: https://patch.msgid.link/20240625102236.69539-1-dnlplm@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      77453e2b
    • Vyacheslav Frantsishko's avatar
      ASoC: amd: yc: Fix non-functional mic on ASUS M5602RA · 63b47f02
      Vyacheslav Frantsishko authored
      The Vivobook S 16X IPS needs a quirks-table entry for the internal microphone to function properly.
      Signed-off-by: default avatarVyacheslav Frantsishko <itmymaill@gmail.com>
      Reviewed-by: default avatarMario Limonciello <mario.limonciello@amd.com>
      Link: https://patch.msgid.link/20240626070334.45633-1-itmymaill@gmail.comSigned-off-by: default avatarMark Brown <broonie@kernel.org>
      63b47f02
    • Dirk Su's avatar
      ALSA: hda/realtek: fix mute/micmute LEDs don't work for EliteBook 645/665 G11. · 3cd59d8e
      Dirk Su authored
      HP EliteBook 645/665 G11 needs ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF quirk to
      make mic-mute/audio-mute working.
      Signed-off-by: default avatarDirk Su <dirk.su@canonical.com>
      Cc: <stable@vger.kernel.org>
      Link: https://patch.msgid.link/20240626021437.77039-1-dirk.su@canonical.comSigned-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      3cd59d8e
    • Takashi Iwai's avatar
      ALSA: hda/realtek: Fix conflicting quirk for PCI SSID 17aa:3820 · d3710853
      Takashi Iwai authored
      The recent fix for Lenovo IdeaPad 330-17IKB replaced the quirk entry,
      and this eventually breaks the existing quirk for Lenovo Yoga Duet 7
      13ITL6 equipped with the same PCI SSID 17aa:3820.
      
      For applying a proper quirk for each model, check the codec SSID
      additionally.  Fortunately Yoga Duet has a different codec SSID,
      0x17aa3802.
      
      (Interestingly, 17aa:3802 has another conflict of SSID between another
      Yoga model vs 14IRP8 which we had to work around similarly.)
      
      Fixes: b1fd0d12 ("ALSA: hda/realtek: Enable headset mic on IdeaPad 330-17IKB 81DM")
      Link: https://patch.msgid.link/20240625155217.18767-1-tiwai@suse.deSigned-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      d3710853
    • Neal Cardwell's avatar
      tcp: fix tcp_rcv_fastopen_synack() to enter TCP_CA_Loss for failed TFO · 5dfe9d27
      Neal Cardwell authored
      Testing determined that the recent commit 9e046bb1 ("tcp: clear
      tp->retrans_stamp in tcp_rcv_fastopen_synack()") has a race, and does
      not always ensure retrans_stamp is 0 after a TFO payload retransmit.
      
      If transmit completion for the SYN+data skb happens after the client
      TCP stack receives the SYNACK (which sometimes happens), then
      retrans_stamp can erroneously remain non-zero for the lifetime of the
      connection, causing a premature ETIMEDOUT later.
      
      Testing and tracing showed that the buggy scenario is the following
      somewhat tricky sequence:
      
      + Client attempts a TFO handshake. tcp_send_syn_data() sends SYN + TFO
        cookie + data in a single packet in the syn_data skb. It hands the
        syn_data skb to tcp_transmit_skb(), which makes a clone. Crucially,
        it then reuses the same original (non-clone) syn_data skb,
        transforming it by advancing the seq by one byte and removing the
        FIN bit, and enques the resulting payload-only skb in the
        sk->tcp_rtx_queue.
      
      + Client sets retrans_stamp to the start time of the three-way
        handshake.
      
      + Cookie mismatches or server has TFO disabled, and server only ACKs
        SYN.
      
      + tcp_ack() sees SYN is acked, tcp_clean_rtx_queue() clears
        retrans_stamp.
      
      + Since the client SYN was acked but not the payload, the TFO failure
        code path in tcp_rcv_fastopen_synack() tries to retransmit the
        payload skb.  However, in some cases the transmit completion for the
        clone of the syn_data (which had SYN + TFO cookie + data) hasn't
        happened.  In those cases, skb_still_in_host_queue() returns true
        for the retransmitted TFO payload, because the clone of the syn_data
        skb has not had its tx completetion.
      
      + Because skb_still_in_host_queue() finds skb_fclone_busy() is true,
        it sets the TSQ_THROTTLED bit and the retransmit does not happen in
        the tcp_rcv_fastopen_synack() call chain.
      
      + The tcp_rcv_fastopen_synack() code next implicitly assumes the
        retransmit process is finished, and sets retrans_stamp to 0 to clear
        it, but this is later overwritten (see below).
      
      + Later, upon tx completion, tcp_tsq_write() calls
        tcp_xmit_retransmit_queue(), which puts the retransmit in flight and
        sets retrans_stamp to a non-zero value.
      
      + The client receives an ACK for the retransmitted TFO payload data.
      
      + Since we're in CA_Open and there are no dupacks/SACKs/DSACKs/ECN to
        make tcp_ack_is_dubious() true and make us call
        tcp_fastretrans_alert() and reach a code path that clears
        retrans_stamp, retrans_stamp stays nonzero.
      
      + Later, if there is a TLP, RTO, RTO sequence, then the connection
        will suffer an early ETIMEDOUT due to the erroneously ancient
        retrans_stamp.
      
      The fix: this commit refactors the code to have
      tcp_rcv_fastopen_synack() retransmit by reusing the relevant parts of
      tcp_simple_retransmit() that enter CA_Loss (without changing cwnd) and
      call tcp_xmit_retransmit_queue(). We have tcp_simple_retransmit() and
      tcp_rcv_fastopen_synack() share code in this way because in both cases
      we get a packet indicating non-congestion loss (MTU reduction or TFO
      failure) and thus in both cases we want to retransmit as many packets
      as cwnd allows, without reducing cwnd. And given that retransmits will
      set retrans_stamp to a non-zero value (and may do so in a later
      calling context due to TSQ), we also want to enter CA_Loss so that we
      track when all retransmitted packets are ACked and clear retrans_stamp
      when that happens (to ensure later recurring RTOs are using the
      correct retrans_stamp and don't declare ETIMEDOUT prematurely).
      
      Fixes: 9e046bb1 ("tcp: clear tp->retrans_stamp in tcp_rcv_fastopen_synack()")
      Fixes: a7abf3cd ("tcp: consider using standard rtx logic in tcp_rcv_fastopen_synack()")
      Signed-off-by: default avatarNeal Cardwell <ncardwell@google.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Yuchung Cheng <ycheng@google.com>
      Link: https://patch.msgid.link/20240624144323.2371403-1-ncardwell.sw@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      5dfe9d27
  3. 25 Jun, 2024 8 commits
    • Shannon Nelson's avatar
      ionic: use dev_consume_skb_any outside of napi · 84b767f9
      Shannon Nelson authored
      If we're not in a NAPI softirq context, we need to be careful
      about how we call napi_consume_skb(), specifically we need to
      call it with budget==0 to signal to it that we're not in a
      safe context.
      
      This was found while running some configuration stress testing
      of traffic and a change queue config loop running, and this
      curious note popped out:
      
      [ 4371.402645] BUG: using smp_processor_id() in preemptible [00000000] code: ethtool/20545
      [ 4371.402897] caller is napi_skb_cache_put+0x16/0x80
      [ 4371.403120] CPU: 25 PID: 20545 Comm: ethtool Kdump: loaded Tainted: G           OE      6.10.0-rc3-netnext+ #8
      [ 4371.403302] Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 01/23/2021
      [ 4371.403460] Call Trace:
      [ 4371.403613]  <TASK>
      [ 4371.403758]  dump_stack_lvl+0x4f/0x70
      [ 4371.403904]  check_preemption_disabled+0xc1/0xe0
      [ 4371.404051]  napi_skb_cache_put+0x16/0x80
      [ 4371.404199]  ionic_tx_clean+0x18a/0x240 [ionic]
      [ 4371.404354]  ionic_tx_cq_service+0xc4/0x200 [ionic]
      [ 4371.404505]  ionic_tx_flush+0x15/0x70 [ionic]
      [ 4371.404653]  ? ionic_lif_qcq_deinit.isra.23+0x5b/0x70 [ionic]
      [ 4371.404805]  ionic_txrx_deinit+0x71/0x190 [ionic]
      [ 4371.404956]  ionic_reconfigure_queues+0x5f5/0xff0 [ionic]
      [ 4371.405111]  ionic_set_ringparam+0x2e8/0x3e0 [ionic]
      [ 4371.405265]  ethnl_set_rings+0x1f1/0x300
      [ 4371.405418]  ethnl_default_set_doit+0xbb/0x160
      [ 4371.405571]  genl_family_rcv_msg_doit+0xff/0x130
      	[...]
      
      I found that ionic_tx_clean() calls napi_consume_skb() which calls
      napi_skb_cache_put(), but before that last call is the note
          /* Zero budget indicate non-NAPI context called us, like netpoll */
      and
          DEBUG_NET_WARN_ON_ONCE(!in_softirq());
      
      Those are pretty big hints that we're doing it wrong.  We can pass a
      context hint down through the calls to let ionic_tx_clean() know what
      we're doing so it can call napi_consume_skb() correctly.
      
      Fixes: 386e6986 ("ionic: Make use napi_consume_skb")
      Signed-off-by: default avatarShannon Nelson <shannon.nelson@amd.com>
      Link: https://patch.msgid.link/20240624175015.4520-1-shannon.nelson@amd.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      84b767f9
    • Arnd Bergmann's avatar
      linux/syscalls.h: add missing __user annotations · 0fa8ab5f
      Arnd Bergmann authored
      A couple of declarations in linux/syscalls.h are missing __user
      annotations on their pointers, which can lead to warnings from
      sparse because these don't match the implementation that have
      the correct address space annotations.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      0fa8ab5f
    • Arnd Bergmann's avatar
      syscalls: mmap(): use unsigned offset type consistently · 295f1006
      Arnd Bergmann authored
      Most architectures that implement the old-style mmap() with byte offset
      use 'unsigned long' as the type for that offset, but microblaze and
      riscv have the off_t type that is shared with userspace, matching the
      prototype in include/asm-generic/syscalls.h.
      
      Make this consistent by using an unsigned argument everywhere. This
      changes the behavior slightly, as the argument is shifted to a page
      number, and an user input with the top bit set would result in a
      negative page offset rather than a large one as we use elsewhere.
      
      For riscv, the 32-bit sys_mmap2() definition actually used a custom
      type that is different from the global declaration, but this was
      missed due to an incorrect type check.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      295f1006
    • Arnd Bergmann's avatar
      s390: remove native mmap2() syscall · 5daf62da
      Arnd Bergmann authored
      The mmap2() syscall has never been used on 64-bit s390x and should
      have been removed as part of 5a79859a ("s390: remove 31 bit
      support").
      
      Remove it now.
      Acked-by: default avatarHeiko Carstens <hca@linux.ibm.com>
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      5daf62da
    • Arnd Bergmann's avatar
      hexagon: fix fadvise64_64 calling conventions · 89684228
      Arnd Bergmann authored
      fadvise64_64() has two 64-bit arguments at the wrong alignment
      for hexagon, which turns them into a 7-argument syscall that is
      not supported by Linux.
      
      The downstream musl port for hexagon actually asks for a 6-argument
      version the same way we do it on arm, csky, powerpc, so make the
      kernel do it the same way to avoid having to change both.
      
      Link: https://github.com/quic/musl/blob/hexagon/arch/hexagon/syscall_arch.h#L78
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      89684228
    • Arnd Bergmann's avatar
      csky, hexagon: fix broken sys_sync_file_range · 3339b99e
      Arnd Bergmann authored
      Both of these architectures require u64 function arguments to be
      passed in even/odd pairs of registers or stack slots, which in case of
      sync_file_range would result in a seven-argument system call that is
      not currently possible. The system call is therefore incompatible with
      all existing binaries.
      
      While it would be possible to implement support for seven arguments
      like on mips, it seems better to use a six-argument version, either
      with the normal argument order but misaligned as on most architectures
      or with the reordered sync_file_range2() calling conventions as on
      arm and powerpc.
      
      Cc: stable@vger.kernel.org
      Acked-by: default avatarGuo Ren <guoren@kernel.org>
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      3339b99e
    • Arnd Bergmann's avatar
      sh: rework sync_file_range ABI · 30766f11
      Arnd Bergmann authored
      The unusual function calling conventions on SuperH ended up causing
      sync_file_range to have the wrong argument order, with the 'flags'
      argument getting sorted before 'nbytes' by the compiler.
      
      In userspace, I found that musl, glibc, uclibc and strace all expect the
      normal calling conventions with 'nbytes' last, so changing the kernel
      to match them should make all of those work.
      
      In order to be able to also fix libc implementations to work with existing
      kernels, they need to be able to tell which ABI is used. An easy way
      to do this is to add yet another system call using the sync_file_range2
      ABI that works the same on all architectures.
      
      Old user binaries can now work on new kernels, and new binaries can
      try the new sync_file_range2() to work with new kernels or fall back
      to the old sync_file_range() version if that doesn't exist.
      
      Cc: stable@vger.kernel.org
      Fixes: 75c92acd ("sh: Wire up new syscalls.")
      Acked-by: default avatarJohn Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      30766f11
    • Arnd Bergmann's avatar
      powerpc: restore some missing spu syscalls · b1e31c13
      Arnd Bergmann authored
      A couple of system calls were inadventently removed from the table during
      a bugfix for 32-bit powerpc entry. Restore the original behavior.
      
      Fixes: e2375062 ("powerpc/32: fix syscall wrappers with 64-bit arguments of unaligned register-pairs")
      Acked-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      b1e31c13