1. 06 Apr, 2023 1 commit
  2. 03 Apr, 2023 1 commit
    • bpf, arm64: Fixed a BTI error on returning to patched function · 738a96c4
      Xu Kuohai authored
      When BPF_TRAMP_F_CALL_ORIG is set, BPF trampoline uses BLR to jump
      back to the instruction next to call site to call the patched function.
      For BTI-enabled kernel, the instruction next to call site is usually
      PACIASP, in this case, it's safe to jump back with BLR. But when
      the call site is not followed by a PACIASP or bti, a BTI exception
      is triggered.
      
      Here is a fault log:
      
       Unhandled 64-bit el1h sync exception on CPU0, ESR 0x0000000034000002 -- BTI
       CPU: 0 PID: 263 Comm: test_progs Tainted: GF
       Hardware name: linux,dummy-virt (DT)
       pstate: 40400805 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=-c)
       pc : bpf_fentry_test1+0xc/0x30
       lr : bpf_trampoline_6442573892_0+0x48/0x1000
       sp : ffff80000c0c3a50
       x29: ffff80000c0c3a90 x28: ffff0000c2e6c080 x27: 0000000000000000
       x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000050
       x23: 0000000000000000 x22: 0000ffffcfd2a7f0 x21: 000000000000000a
       x20: 0000ffffcfd2a7f0 x19: 0000000000000000 x18: 0000000000000000
       x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffcfd2a7f0
       x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
       x11: 0000000000000000 x10: ffff80000914f5e4 x9 : ffff8000082a1528
       x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0101010101010101
       x5 : 0000000000000000 x4 : 00000000fffffff2 x3 : 0000000000000001
       x2 : ffff8001f4b82000 x1 : 0000000000000000 x0 : 0000000000000001
       Kernel panic - not syncing: Unhandled exception
       CPU: 0 PID: 263 Comm: test_progs Tainted: GF
       Hardware name: linux,dummy-virt (DT)
       Call trace:
        dump_backtrace+0xec/0x144
        show_stack+0x24/0x7c
        dump_stack_lvl+0x8c/0xb8
        dump_stack+0x18/0x34
        panic+0x1cc/0x3ec
        __el0_error_handler_common+0x0/0x130
        el1h_64_sync_handler+0x60/0xd0
        el1h_64_sync+0x78/0x7c
        bpf_fentry_test1+0xc/0x30
        bpf_fentry_test1+0xc/0x30
        bpf_prog_test_run_tracing+0xdc/0x2a0
        __sys_bpf+0x438/0x22a0
        __arm64_sys_bpf+0x30/0x54
        invoke_syscall+0x78/0x110
        el0_svc_common.constprop.0+0x6c/0x1d0
        do_el0_svc+0x38/0xe0
        el0_svc+0x30/0xd0
        el0t_64_sync_handler+0x1ac/0x1b0
        el0t_64_sync+0x1a0/0x1a4
       Kernel Offset: disabled
       CPU features: 0x0000,00034c24,f994fdab
       Memory Limit: none
      
      And the instruction next to call site of bpf_fentry_test1 is ADD,
      not PACIASP:
      
      <bpf_fentry_test1>:
      	bti     c
      	nop
      	nop
      	add     w0, w0, #0x1
      	paciasp
      
      For BPF prog, JIT always puts a PACIASP after call site for BTI-enabled
      kernel, so there is no problem. To fix it, replace BLR with RET to bypass
      the branch target check.
      
      Fixes: efc9909f ("bpf, arm64: Add bpf trampoline for arm64")
      Reported-by: Florent Revest <revest@chromium.org>
      Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
      Tested-by: Florent Revest <revest@chromium.org>
      Acked-by: Florent Revest <revest@chromium.org>
      Link: https://lore.kernel.org/bpf/20230401234144.3719742-1-xukuohai@huaweicloud.com
  3. 28 Mar, 2023 2 commits
  4. 27 Mar, 2023 8 commits
  5. 25 Mar, 2023 11 commits
  6. 24 Mar, 2023 6 commits
    • net: phy: dp83869: fix default value for tx-/rx-internal-delay · 82e2c39f
      Josua Mayer authored
      dp83869 internally uses a look-up table for mapping supported delays in
      nanoseconds to register values.
      When specific delays are defined in device-tree, phy_get_internal_delay
      does the lookup automatically returning an index.
      
      The default case wrongly assigns the nanoseconds value from the lookup
      table, resulting in numeric value 2000 applied to delay configuration
      register, rather than the expected index values 0-7 (7 for 2000).
      Ultimately this issue broke RX for 1Gbps links.
      
      Fix default delay configuration by assigning the intended index value
      directly.
      
      Cc: stable@vger.kernel.org
      Fixes: 736b25af ("net: dp83869: Add RGMII internal delay configuration")
      Co-developed-by: Yazan Shhady <yazan.shhady@solid-run.com>
      Signed-off-by: Yazan Shhady <yazan.shhady@solid-run.com>
      Signed-off-by: Josua Mayer <josua@solid-run.com>
      Reviewed-by: Simon Horman <simon.horman@corigine.com>
      Link: https://lore.kernel.org/r/20230323102536.31988-1-josua@solid-run.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • sfc: ef10: don't overwrite offload features at NIC reset · ca4a80e4
      Íñigo Huguet authored
      At NIC reset, some offload features related to encapsulated traffic
      might have changed (this mainly happens if the firmware-variant is
      changed with the sfboot userspace tool). Because of this, features are
      checked and set again at reset time.
      
      However, this was not done right, and some features were improperly
      overwritten at NIC reset:
      - Tunneled IPv6 segmentation was always disabled
      - Features disabled with ethtool were reenabled
      - Features that become unsupported after the reset were not disabled
      
      Also, checking if the device supports IPV6_CSUM to enable TSO6 is no
      longer necessary because all currently supported devices support it.
      Additionally, move the assignment of some other features to the
      EF10_OFFLOAD_FEATURES macro, like it is done in ef100, leaving the
      selection of features in efx_pci_probe_post_io a bit cleaner.
      
      Fixes: ffffd245 ("sfc: correctly advertise tunneled IPv6 segmentation")
      Fixes: 24b2c375 ("sfc: advertise encapsulated offloads on EF10")
      Reported-by: Tianhao Zhao <tizhao@redhat.com>
      Suggested-by: Jonathan Cooper <jonathan.s.cooper@amd.com>
      Tested-by: Jonathan Cooper <jonathan.s.cooper@amd.com>
      Signed-off-by: Íñigo Huguet <ihuguet@redhat.com>
      Acked-by: Edward Cree <ecree.xilinx@gmail.com>
      Link: https://lore.kernel.org/r/20230323083417.7345-1-ihuguet@redhat.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net: wangxun: Fix vector length of interrupt cause · 59513714
      Jiawen Wu authored
      There is 64-bit interrupt cause register for txgbe. Fix to clear upper
      32 bits.
      
      Fixes: 3f703186 ("net: libwx: Add irq flow functions")
      Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
      Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
      Link: https://lore.kernel.org/r/20230322103632.132011-1-jiawenwu@trustnetic.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Merge tag 'net-6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 608f1b13
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from bpf, wifi and bluetooth.
      
        Current release - regressions:
      
         - wifi: mt76: mt7915: add back 160MHz channel width support for
           MT7915
      
         - libbpf: revert poisoning of strlcpy, it broke uClibc-ng
      
        Current release - new code bugs:
      
         - bpf: improve the coverage of the "allow reads from uninit stack"
           feature to fix verification complexity problems
      
         - eth: am65-cpts: reset PPS genf adj settings on enable
      
        Previous releases - regressions:
      
         - wifi: mac80211: serialize ieee80211_handle_wake_tx_queue()
      
         - wifi: mt76: do not run mt76_unregister_device() on unregistered hw,
           fix null-deref
      
         - Bluetooth: btqcomsmd: fix command timeout after setting BD address
      
         - eth: igb: revert rtnl_lock() that causes a deadlock
      
         - dsa: mscc: ocelot: fix device specific statistics
      
        Previous releases - always broken:
      
         - xsk: add missing overflow check in xdp_umem_reg()
      
         - wifi: mac80211:
            - fix QoS on mesh interfaces
            - fix mesh path discovery based on unicast packets
      
         - Bluetooth:
            - ISO: fix timestamped HCI ISO data packet parsing
            - remove "Power-on" check from Mesh feature
      
         - usbnet: more fixes to drivers trusting packet length
      
         - wifi: iwlwifi: mvm: fix mvmtxq->stopped handling
      
         - Bluetooth: btintel: iterate only bluetooth device ACPI entries
      
         - eth: iavf: fix inverted Rx hash condition leading to disabled hash
      
         - eth: igc: fix the validation logic for taprio's gate list
      
         - dsa: tag_brcm: legacy: fix daisy-chained switches
      
        Misc:
      
         - bpf: adjust insufficient default bpf_jit_limit to account for
           growth of BPF use over the last 5 years
      
         - xdp: bpf_xdp_metadata() use EOPNOTSUPP as unique errno indicating
           no driver support"
      
      * tag 'net-6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (84 commits)
        Bluetooth: HCI: Fix global-out-of-bounds
        Bluetooth: mgmt: Fix MGMT add advmon with RSSI command
        Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work
        Bluetooth: L2CAP: Fix responding with wrong PDU type
        Bluetooth: btqcomsmd: Fix command timeout after setting BD address
        Bluetooth: btinel: Check ACPI handle for NULL before accessing
        net: mdio: thunder: Add missing fwnode_handle_put()
        net: dsa: mt7530: move setting ssc_delta to PHY_INTERFACE_MODE_TRGMII case
        net: dsa: mt7530: move lowering TRGMII driving to mt7530_setup()
        net: dsa: mt7530: move enabling disabling core clock to mt7530_pll_setup()
        net: asix: fix modprobe "sysfs: cannot create duplicate filename"
        gve: Cache link_speed value from device
        tools: ynl: Fix genlmsg header encoding formats
        net: enetc: fix aggregate RMON counters not showing the ranges
        Bluetooth: Remove "Power-on" check from Mesh feature
        Bluetooth: Fix race condition in hci_cmd_sync_clear
        Bluetooth: btintel: Iterate only bluetooth device ACPI entries
        Bluetooth: ISO: fix timestamped HCI ISO data packet parsing
        Bluetooth: btusb: Remove detection of ISO packets over bulk
        Bluetooth: hci_core: Detect if an ACL packet is in fact an ISO packet
        ...
    • Merge tag 'for-6.3-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 28506304
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
       "A few more fixes, the zoned accounting fix is spread across a few
        patches, preparatory and the actual fixes:
      
         - zoned mode:
            - fix accounting of unusable zone space
            - fix zone activation condition for DUP profile
            - preparatory patches
      
         - improved error handling of missing chunks
      
         - fix compiler warning"
      
      * tag 'for-6.3-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: zoned: drop space_info->active_total_bytes
        btrfs: zoned: count fresh BG region as zone unusable
        btrfs: use temporary variable for space_info in btrfs_update_block_group
        btrfs: rename BTRFS_FS_NO_OVERCOMMIT to BTRFS_FS_ACTIVE_ZONE_TRACKING
        btrfs: zoned: fix btrfs_can_activate_zone() to support DUP profile
        btrfs: fix compiler warning on SPARC/PA-RISC handling fscrypt_setup_filename
        btrfs: handle missing chunk mapping more gracefully
    • Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 6dd74c51
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "Four small fixes, three in drivers.
      
        The core fix adds a UFS device to an existing quirk to avoid a huge
        delay on boot"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: scsi_dh_alua: Fix memleak for 'qdata' in alua_activate()
        scsi: qla2xxx: Synchronize the IOCB count to be in order
        scsi: qla2xxx: Perform lockless command completion in abort path
        scsi: core: Add BLIST_SKIP_VPD_PAGES for SKhynix H28U74301AMR
  7. 23 Mar, 2023 11 commits
    • Merge tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 1b4ae19e
      Jakub Kicinski authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2023-03-23
      
      We've added 8 non-merge commits during the last 13 day(s) which contain
      a total of 21 files changed, 238 insertions(+), 161 deletions(-).
      
      The main changes are:
      
      1) Fix verification issues in some BPF programs due to their stack usage
         patterns, from Eduard Zingerman.
      
      2) Fix to add missing overflow checks in xdp_umem_reg and return an error
         in such case, from Kal Conley.
      
      3) Fix and undo poisoning of strlcpy in libbpf given it broke builds for
         libcs which provided the former like uClibc-ng, from Jesus Sanchez-Palencia.
      
      4) Fix insufficient bpf_jit_limit default to avoid users running into hard
         to debug seccomp BPF errors, from Daniel Borkmann.
      
      5) Fix driver return code when they don't support a bpf_xdp_metadata kfunc
         to make it unambiguous from other errors, from Jesper Dangaard Brouer.
      
      6) Two BPF selftest fixes to address compilation errors from recent changes
         in kernel structures, from Alexei Starovoitov.
      
      * tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
        xdp: bpf_xdp_metadata use EOPNOTSUPP for no driver support
        bpf: Adjust insufficient default bpf_jit_limit
        xsk: Add missing overflow check in xdp_umem_reg
        selftests/bpf: Fix progs/test_deny_namespace.c issues.
        selftests/bpf: Fix progs/find_vma_fail1.c build error.
        libbpf: Revert poisoning of strlcpy
        selftests/bpf: Tests for uninitialized stack reads
        bpf: Allow reads from uninit stack
      ====================
      
      Link: https://lore.kernel.org/r/20230323225221.6082-1-daniel@iogearbox.net
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Merge tag 'for-net-2023-03-23' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth · 2e63a2df
      Jakub Kicinski authored
      Luiz Augusto von Dentz says:
      
      ====================
      bluetooth pull request for net:
      
       - Fix MGMT add advmon with RSSI command
       - L2CAP: Fix responding with wrong PDU type
       - Fix race condition in hci_cmd_sync_clear
       - ISO: Fix timestamped HCI ISO data packet parsing
       - HCI: Fix global-out-of-bounds
       - hci_sync: Resume adv with no RPA when active scan
      
      * tag 'for-net-2023-03-23' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:
        Bluetooth: HCI: Fix global-out-of-bounds
        Bluetooth: mgmt: Fix MGMT add advmon with RSSI command
        Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work
        Bluetooth: L2CAP: Fix responding with wrong PDU type
        Bluetooth: btqcomsmd: Fix command timeout after setting BD address
        Bluetooth: btinel: Check ACPI handle for NULL before accessing
        Bluetooth: Remove "Power-on" check from Mesh feature
        Bluetooth: Fix race condition in hci_cmd_sync_clear
        Bluetooth: btintel: Iterate only bluetooth device ACPI entries
        Bluetooth: ISO: fix timestamped HCI ISO data packet parsing
        Bluetooth: btusb: Remove detection of ISO packets over bulk
        Bluetooth: hci_core: Detect if an ACL packet is in fact an ISO packet
        Bluetooth: hci_sync: Resume adv with no RPA when active scan
      ====================
      
      Link: https://lore.kernel.org/r/20230323202335.3380841-1-luiz.dentz@gmail.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Merge tag 'wireless-2023-03-23' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless · 4f44d326
      Jakub Kicinski authored
      Kalle Valo says:
      
      ====================
      wireless fixes for v6.3
      
      Third set of fixes for v6.3. mt76 has two kernel crash fixes and
      adding back 160 MHz channel support for mt7915. mac80211 has fixes for
      a race in transmit path and two mesh related fixes. iwlwifi also has
      fixes for races.
      
      * tag 'wireless-2023-03-23' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless:
        wifi: mac80211: fix mesh path discovery based on unicast packets
        wifi: mac80211: fix qos on mesh interfaces
        wifi: iwlwifi: mvm: protect TXQ list manipulation
        wifi: iwlwifi: mvm: fix mvmtxq->stopped handling
        wifi: mac80211: Serialize ieee80211_handle_wake_tx_queue()
        wifi: mwifiex: mark OF related data as maybe unused
        wifi: mt76: connac: do not check WED status for non-mmio devices
        wifi: mt76: mt7915: add back 160MHz channel width support for MT7915
        wifi: mt76: do not run mt76_unregister_device() on unregistered hw
      ====================
      
      Link: https://lore.kernel.org/r/20230323110332.C4FE4C433D2@smtp.kernel.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Merge tag 'gfs2-v6.3-rc3-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2 · 1e760fa3
      Linus Torvalds authored
      Pull gfs2 fix from Andreas Gruenbacher:
      
       - Reinstate commit 970343cd ("GFS2: free disk inode which is
         deleted by remote node -V2") as reverting that commit could cause
         gfs2_put_super() to hang.
      
      * tag 'gfs2-v6.3-rc3-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2:
        Reinstate "GFS2: free disk inode which is deleted by remote node -V2"
    • Bluetooth: HCI: Fix global-out-of-bounds · bce56405
      Sungwoo Kim authored
      To loop a variable-length array, hci_init_stage_sync(stage) considers
      that stage[i] is valid as long as stage[i-1].func is valid.
      Thus, the last element of stage[].func should be intentionally invalid
      as hci_init0[], le_init2[], and others did.
      However, amp_init1[] and amp_init2[] have no invalid element, letting
      hci_init_stage_sync() keep accessing amp_init1[] over its valid range.
      This patch fixes this by adding {} in the last of amp_init1[] and
      amp_init2[].
      
      ==================================================================
      BUG: KASAN: global-out-of-bounds in hci_dev_open_sync (
      /v6.2-bzimage/net/bluetooth/hci_sync.c:3154
      /v6.2-bzimage/net/bluetooth/hci_sync.c:3343
      /v6.2-bzimage/net/bluetooth/hci_sync.c:4418
      /v6.2-bzimage/net/bluetooth/hci_sync.c:4609
      /v6.2-bzimage/net/bluetooth/hci_sync.c:4689)
      Read of size 8 at addr ffffffffaed1ab70 by task kworker/u5:0/1032
      CPU: 0 PID: 1032 Comm: kworker/u5:0 Not tainted 6.2.0 #3
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04
      Workqueue: hci1 hci_power_on
      Call Trace:
       <TASK>
      dump_stack_lvl (/v6.2-bzimage/lib/dump_stack.c:107 (discriminator 1))
      print_report (/v6.2-bzimage/mm/kasan/report.c:307
        /v6.2-bzimage/mm/kasan/report.c:417)
      ? hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:3154
        /v6.2-bzimage/net/bluetooth/hci_sync.c:3343
        /v6.2-bzimage/net/bluetooth/hci_sync.c:4418
        /v6.2-bzimage/net/bluetooth/hci_sync.c:4609
        /v6.2-bzimage/net/bluetooth/hci_sync.c:4689)
      kasan_report (/v6.2-bzimage/mm/kasan/report.c:184
        /v6.2-bzimage/mm/kasan/report.c:519)
      ? hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:3154
        /v6.2-bzimage/net/bluetooth/hci_sync.c:3343
        /v6.2-bzimage/net/bluetooth/hci_sync.c:4418
        /v6.2-bzimage/net/bluetooth/hci_sync.c:4609
        /v6.2-bzimage/net/bluetooth/hci_sync.c:4689)
      hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:3154
        /v6.2-bzimage/net/bluetooth/hci_sync.c:3343
        /v6.2-bzimage/net/bluetooth/hci_sync.c:4418
        /v6.2-bzimage/net/bluetooth/hci_sync.c:4609
        /v6.2-bzimage/net/bluetooth/hci_sync.c:4689)
      ? __pfx_hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:4635)
      ? mutex_lock (/v6.2-bzimage/./arch/x86/include/asm/atomic64_64.h:190
        /v6.2-bzimage/./include/linux/atomic/atomic-long.h:443
        /v6.2-bzimage/./include/linux/atomic/atomic-instrumented.h:1781
        /v6.2-bzimage/kernel/locking/mutex.c:171
        /v6.2-bzimage/kernel/locking/mutex.c:285)
      ? __pfx_mutex_lock (/v6.2-bzimage/kernel/locking/mutex.c:282)
      hci_power_on (/v6.2-bzimage/net/bluetooth/hci_core.c:485
        /v6.2-bzimage/net/bluetooth/hci_core.c:984)
      ? __pfx_hci_power_on (/v6.2-bzimage/net/bluetooth/hci_core.c:969)
      ? read_word_at_a_time (/v6.2-bzimage/./include/asm-generic/rwonce.h:85)
      ? strscpy (/v6.2-bzimage/./arch/x86/include/asm/word-at-a-time.h:62
        /v6.2-bzimage/lib/string.c:161)
      process_one_work (/v6.2-bzimage/kernel/workqueue.c:2294)
      worker_thread (/v6.2-bzimage/./include/linux/list.h:292
        /v6.2-bzimage/kernel/workqueue.c:2437)
      ? __pfx_worker_thread (/v6.2-bzimage/kernel/workqueue.c:2379)
      kthread (/v6.2-bzimage/kernel/kthread.c:376)
      ? __pfx_kthread (/v6.2-bzimage/kernel/kthread.c:331)
      ret_from_fork (/v6.2-bzimage/arch/x86/entry/entry_64.S:314)
       </TASK>
      The buggy address belongs to the variable:
      amp_init1+0x30/0x60
      The buggy address belongs to the physical page:
      page:000000003a157ec6 refcount:1 mapcount:0 mapping:0000000000000000 ia
      flags: 0x200000000001000(reserved|node=0|zone=2)
      raw: 0200000000001000 ffffea0005054688 ffffea0005054688 000000000000000
      raw: 0000000000000000 0000000000000000 00000001ffffffff 000000000000000
      page dumped because: kasan: bad access detected
      Memory state around the buggy address:
       ffffffffaed1aa00: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 00
       ffffffffaed1aa80: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
      >ffffffffaed1ab00: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 f9 f9
                                                                   ^
       ffffffffaed1ab80: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 f9
       ffffffffaed1ac00: f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9 00 00 02 f9
      
      This bug is found by FuzzBT, a modified version of Syzkaller.
      Other contributors for this bug are Ruoyu Wu and Peng Hui.
      
      Fixes: d0b13706 ("Bluetooth: hci_sync: Rework init stages")
      Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
      Reviewed-by: Simon Horman <simon.horman@corigine.com>
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
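Added example, not code from the patch or the kernel tree: a small C model of the sentinel-terminated table walk the commit message describes. The names (`init_stage`, `run_stage`, `good_stage`, `bad_stage`) are hypothetical stand-ins for `hci_init_stage` and `hci_init_stage_sync()`; the point shown is that a walker which stops only on a NULL `func` has no bound other than the sentinel, so a table without one (like `amp_init1[]` before the fix) is read past its end. The bounded variant is a defensive alternative, not what the kernel does.

```c
#include <stddef.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical stand-in for the kernel's hci_init_stage: one init step. */
typedef int (*init_func_t)(void);

struct init_stage {
    init_func_t func;
    const char *name;
};

static int step_a(void) { return 1; }
static int step_b(void) { return 2; }

/* Correctly terminated: the trailing entry leaves func == NULL.
 * (The kernel spells the sentinel as an empty initializer, `{}`.) */
static const struct init_stage good_stage[] = {
    { step_a, "a" },
    { step_b, "b" },
    { NULL, NULL },
};

/* Missing sentinel, like amp_init1[] before the fix. Walking this with
 * run_stage() would read whatever follows the array in .rodata. */
static const struct init_stage bad_stage[] = {
    { step_a, "a" },
    { step_b, "b" },
};

/* The walk as the commit describes it: stage[i] is treated as valid as
 * long as stage[i].func is non-NULL. Returns the number of steps run. */
static int run_stage(const struct init_stage *stage)
{
    int ran = 0;
    for (size_t i = 0; stage[i].func; i++) {
        stage[i].func();
        ran++;
    }
    return ran;
}

/* Defensive variant: also takes the element count, so a table without a
 * sentinel cannot be walked past its end. */
static int run_stage_bounded(const struct init_stage *stage, size_t n)
{
    int ran = 0;
    for (size_t i = 0; i < n && stage[i].func; i++) {
        stage[i].func();
        ran++;
    }
    return ran;
}

/* Static check a reviewer could apply to every table: 1 if the last
 * element is the NULL sentinel, 0 otherwise. */
static int check_terminated(const struct init_stage *stage, size_t n)
{
    return n > 0 && stage[n - 1].func == NULL;
}

int main(void)
{
    printf("good_stage terminated: %d, steps run: %d\n",
           check_terminated(good_stage, ARRAY_SIZE(good_stage)),
           run_stage(good_stage));
    /* bad_stage is deliberately only walked with the bounded variant. */
    printf("bad_stage terminated: %d, bounded steps run: %d\n",
           check_terminated(bad_stage, ARRAY_SIZE(bad_stage)),
           run_stage_bounded(bad_stage, ARRAY_SIZE(bad_stage)));
    return 0;
}
```

Under KASAN the unbounded walk over `bad_stage` is exactly the global-out-of-bounds read in the report above; the `check_terminated()` test is the kind of assertion that catches a missing `{}` at build or unit-test time rather than at fuzzing time.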
    • Bluetooth: mgmt: Fix MGMT add advmon with RSSI command · 1a0291f8
      Howard Chung authored
      The MGMT command: MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI uses a variable
      length argument. This causes the host to be unable to register advmon with rssi.
      
      This patch has been locally tested by adding monitor with rssi via
      btmgmt on a kernel 6.1 machine.
      Reviewed-by: Archie Pusaka <apusaka@chromium.org>
      Fixes: b338d917 ("Bluetooth: Implement support for Mesh")
      Signed-off-by: Howard Chung <howardchung@google.com>
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    • Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work · 1e9ac114
      Zheng Wang authored
      In btsdio_probe, &data->work was bound with btsdio_work. In
      btsdio_send_frame, it was started by schedule_work.
      
      If we call btsdio_remove with an unfinished job, there may
      be a race condition and cause UAF bug on hdev.
      
      Fixes: ddbaf13e ("[Bluetooth] Add generic driver for Bluetooth SDIO devices")
      Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    • Bluetooth: L2CAP: Fix responding with wrong PDU type · 9aa9d947
      Luiz Augusto von Dentz authored
      L2CAP_ECRED_CONN_REQ shall be responded with L2CAP_ECRED_CONN_RSP not
      L2CAP_LE_CONN_RSP:
      
      L2CAP LE EATT Server - Reject - run
        Listening for connections
        New client connection with handle 0x002a
        Sending L2CAP Request from client
        Client received response code 0x15
        Unexpected L2CAP response code (expected 0x18)
      L2CAP LE EATT Server - Reject - test failed
      
      > ACL Data RX: Handle 42 flags 0x02 dlen 26
            LE L2CAP: Enhanced Credit Connection Request (0x17) ident 1 len 18
              PSM: 39 (0x0027)
              MTU: 64
              MPS: 64
              Credits: 5
              Source CID: 65
              Source CID: 66
              Source CID: 67
              Source CID: 68
              Source CID: 69
      < ACL Data TX: Handle 42 flags 0x00 dlen 16
            LE L2CAP: LE Connection Response (0x15) ident 1 len 8
              invalid size
              00 00 00 00 00 00 06 00
      
      L2CAP LE EATT Server - Reject - run
        Listening for connections
        New client connection with handle 0x002a
        Sending L2CAP Request from client
        Client received response code 0x18
      L2CAP LE EATT Server - Reject - test passed
      
      Fixes: 15f02b91 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode")
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    • Bluetooth: btqcomsmd: Fix command timeout after setting BD address · 5d44ab9e
      Stephan Gerhold authored
      On most devices using the btqcomsmd driver (e.g. the DragonBoard 410c
      and other devices based on the Qualcomm MSM8916/MSM8909/... SoCs)
      the Bluetooth firmware seems to become unresponsive for a while after
      setting the BD address. On recent kernel versions (at least 5.17+)
      this often causes timeouts for subsequent commands, e.g. the HCI reset
      sent by the Bluetooth core during initialization:
      
          Bluetooth: hci0: Opcode 0x c03 failed: -110
      
      Unfortunately this behavior does not seem to be documented anywhere.
      Experimentation suggests that the minimum necessary delay to avoid
      the problem is ~150us. However, to be sure add a sleep for > 1ms
      in case it is a bit longer on other firmware versions.
      
      Older kernel versions are likely also affected, although perhaps with
      slightly different errors or less probability. Side effects can easily
      hide the issue in most cases, e.g. unrelated incoming interrupts that
      cause the necessary delay.
      
      Fixes: 1511cc75 ("Bluetooth: Introduce Qualcomm WCNSS SMD based HCI driver")
      Signed-off-by: Stephan Gerhold <stephan.gerhold@kernkonzept.com>
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    • Bluetooth: btinel: Check ACPI handle for NULL before accessing · 902160cd
      Kiran K authored
      Older platforms and virtual platforms which don't have support for a
      bluetooth device in ACPI firmware will not have a valid ACPI handle.
      Check for validity of the handle before accessing.
      
      dmesg log from simics environment (virtual platform):
      
      BUG: unable to handle kernel NULL pointer dereference at
      0000000000000018
      IP: acpi_ns_walk_namespace+0x5c/0x278
      PGD 0 P4D 0
      Oops: 0000 [#1] SMP PTI
      Modules linked in: bnep intel_powerclamp coretemp kvm_intel
      kvm irqbypass intel_cstate input_leds joydev serio_raw mac_hid
      btusb(OE) btintel(OE) bluetooth(OE) lpc_ich compat(OE) ecdh_generic
      i7core_edac i5500_temp shpchp binfmt_misc sch_fq_codel parport_pc ppdev
      lp parport ip_tables x_tables autofs4 hid_generic usbhid hid e1000e
      psmouse ahci pata_acpi libahci ptp pps_core floppy
      CPU: 0 PID: 35 Comm: kworker/u3:0 Tainted: G           OE
      4.15.0-140-generic #144-Ubuntu
      Hardware name: Simics Simics, BIOS Simics 01/01/2011
      Workqueue: hci0 hci_power_on [bluetooth]
      RIP: 0010:acpi_ns_walk_namespace+0x5c/0x278
      RSP: 0000:ffffaa9c0049bba8 EFLAGS: 00010246
      RAX: 0000000000000001 RBX: 0000000000001001 RCX: 0000000000000010
      RDX: ffffffff92ea7e27 RSI: ffffffff92ea7e10 RDI: 00000000000000c8
      RBP: ffffaa9c0049bbf8 R08: 0000000000000000 R09: ffffffffc05b39d0
      R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
      R13: 0000000000000000 R14: ffffffffc05b39d0 R15: ffffaa9c0049bc70
      FS:  0000000000000000(0000) GS:ffff8be73fc00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000000018 CR3: 0000000075f0e000 CR4: 00000000000006f0
      
      Fixes: 294d749b ("Bluetooth: btintel: Iterate only bluetooth device ACPI entries")
      Signed-off-by: Kiran K <kiran.k@intel.com>
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    • Reinstate "GFS2: free disk inode which is deleted by remote node -V2" · 260595b4
      Bob Peterson authored
      It turns out that reverting commit 970343cd ("GFS2: free disk inode
      which is deleted by remote node -V2") causes a regression related to
      evicting inodes that were unlinked on a different cluster node.
      
      We could also have simply added a call to d_mark_dontcache() to function
      gfs2_try_evict(), but the original pre-revert code is better tested and
      proven.
      
      This reverts commit 445cb127.
      Signed-off-by: Bob Peterson <rpeterso@redhat.com>
      Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>