- 12 Mar, 2021 26 commits
-
-
git://git.kernel.dk/linux-blockLinus Torvalds authored
Pull io_uring fixes from Jens Axboe: "Not quite as small this week as I had hoped, but at least this should be the end of it. All the little known issues have been ironed out - most of it little stuff, but cancelations being the bigger part. Only minor tweaks and/or regular fixes expected beyond this point. - Fix the creds tracking for async (io-wq and SQPOLL) - Various SQPOLL fixes related to parking, sharing, forking, IOPOLL, completions, and life times. Much simpler now. - Make IO threads unfreezable by default, on account of a bug report that had them spinning on resume. Honestly not quite sure why thawing leaves us with a perpetual signal pending (causing the spin), but for now make them unfreezable like there were in 5.11 and prior. - Move personality_idr to xarray, solving a use-after-free related to removing an entry from the iterator callback. Buffer idr needs the same treatment. - Re-org around and task vs context tracking, enabling the fixing of cancelations, and then cancelation fixes on top. - Various little bits of cleanups and hardening, and removal of now dead parts" * tag 'io_uring-5.12-2021-03-12' of git://git.kernel.dk/linux-block: (34 commits) io_uring: fix OP_ASYNC_CANCEL across tasks io_uring: cancel sqpoll via task_work io_uring: prevent racy sqd->thread checks io_uring: remove useless ->startup completion io_uring: cancel deferred requests in try_cancel io_uring: perform IOPOLL reaping if canceler is thread itself io_uring: force creation of separate context for ATTACH_WQ and non-threads io_uring: remove indirect ctx into sqo injection io_uring: fix invalid ctx->sq_thread_idle kernel: make IO threads unfreezable by default io_uring: always wait for sqd exited when stopping SQPOLL thread io_uring: remove unneeded variable 'ret' io_uring: move all io_kiocb init early in io_init_req() io-wq: fix ref leak for req in case of exit cancelations io_uring: fix complete_post races for linked req io_uring: add io_disarm_next() helper io_uring: fix io_sq_offload_create error handling io-wq: remove unused 'user' member of io_wq io_uring: Convert personality_idr to XArray io_uring: clean R_DISABLED startup mess ... -
git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pmLinus Torvalds authored
Pull device properties framework fixes from Rafael Wysocki: "Prevent software nodes from being registered before their parents and fix a recent mistake causing already registered software nodes to be registered again in some cases (Heikki Krogerus)" * tag 'devprop-5.12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: software node: Fix device_add_software_node() software node: Fix node registration
-
git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pmLinus Torvalds authored
Pull power management fixes from Rafael Wysocki: "These fix an operating performance point (OPP) reference counting issue and three issues in ARM cpufreq drivers. Specifics: - Add a flag to mark OPPs that are not referenced by he OPP core any more to prevent OPPs from being freed prematurely by mistake (Beata Michalska). - Add ARM Vexpress platforms to the cpufreq-dt-platdev blacklist since the actual scaling of them is handled elsewhere (Sudeep Holla). - Fix a function return value check and a possible use-after-free in the qcom-hw cpufreq driver (Shawn Guo, Wei Yongjun)" * tag 'pm-5.12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: opp: Don't drop extra references to OPPs accidentally cpufreq: blacklist Arm Vexpress platforms in cpufreq-dt-platdev cpufreq: qcom-hw: Fix return value check in qcom_cpufreq_hw_cpu_init() cpufreq: qcom-hw: fix dereferencing freed memory 'data' -
git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/soundLinus Torvalds authored
Pull sound fixes from Takashi Iwai: "No surprise here, only a collection of device-specific fixes for USB-audio and HD-audio at this time" * tag 'sound-5.12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: ALSA: hda/hdmi: Cancel pending works before suspend ALSA: hda: Avoid spurious unsol event handling during S3/S4 ALSA: hda: Flush pending unsolicited events before suspend ALSA: usb-audio: fix use after free in usb_audio_disconnect ALSA: usb-audio: fix NULL ptr dereference in usb_audio_probe ALSA: hda/ca0132: Add Sound BlasterX AE-5 Plus support ALSA: hda: Drop the BATCH workaround for AMD controllers ALSA: hda/conexant: Add quirk for mute LED control on HP ZBook G5 ALSA: usb-audio: Apply the control quirk to Plantronics headsets ALSA: usb-audio: Fix "cannot get freq eq" errors on Dell AE515 sound bar ALSA: hda: ignore invalid NHLT table ALSA: usb-audio: Disable USB autosuspend properly in setup_disable_autosuspend() ALSA: usb: Add Plantronics C320-M USB ctrl msg delay quirk
-
git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmcLinus Torvalds authored
Pull MMC fixes from Ulf Hansson: "MMC core: - Fix partition switch time for eMMC MMC host: - mmci: Enforce R1B response to fix busy detection for the stm32 variants - cqhci: Fix crash when removing mmc module/card" * tag 'mmc-v5.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc: mmc: cqhci: Fix random crash when remove mmc module/card mmc: core: Fix partition switch time for eMMC mmc: mmci: Add MMC_CAP_NEED_RSP_BUSY for the stm32 variants -
Linus Torvalds authored
Merge tag 'regulator-fix-v5.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator Pull regulator fixes from Mark Brown: "A small collection fo driver specific fixes that have arrived since the merge window" * tag 'regulator-fix-v5.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator: regulator: mt6315: Fix off-by-one for .n_voltages regulator: rt4831: Fix return value check in rt4831_regulator_probe() regulator: pca9450: Clear PRESET_EN bit to fix BUCK1/2/3 voltage setting regulator: qcom-rpmh: Use correct buck for S1C regulator regulator: qcom-rpmh: Correct the pmic5_hfsmps515 buck regulator: pca9450: Fix return value when failing to get sd-vsel GPIO regulator: mt6315: Return REGULATOR_MODE_INVALID for invalid mode
-
git://git.infradead.org/users/hch/configfsLinus Torvalds authored
Pull configfs fix from Christoph Hellwig: - fix a use-after-free in __configfs_open_file (Daiyue Zhang) * tag 'configfs-for-5.12' of git://git.infradead.org/users/hch/configfs: configfs: fix a use-after-free in __configfs_open_file
-
git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2Linus Torvalds authored
Pull gfs2 fixes from Andreas Gruenbacher: "Various gfs2 fixes" * tag 'gfs2-v5.12-rc2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2: gfs2: bypass log flush if the journal is not live gfs2: bypass signal_our_withdraw if no journal gfs2: fix use-after-free in trans_drain gfs2: make function gfs2_make_fs_ro() to void type
-
git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linuxLinus Torvalds authored
Pull arm64 fixes from Will Deacon: "We've got a smattering of changes all over the place which we've acrued since -rc1. To my knowledge, there aren't any pending issues at the moment, but there's still plenty of time for something else to crop up... Summary: - Fix booting a 52-bit-VA-aware kernel on Qualcomm Amberwing - Fix pfn_valid() not to reject all ZONE_DEVICE memory - Fix memory tagging setup for hotplugged memory regions - Fix KASAN tagging in page_alloc() when DEBUG_VIRTUAL is enabled - Fix accidental truncation of CPU PMU event counters - Fix error code initialisation when failing probe of DMC620 PMU - Fix return value initialisation for sve-ptrace selftest - Drop broken support for CMDLINE_EXTEND" * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: perf/arm_dmc620_pmu: Fix error return code in dmc620_pmu_device_probe() arm64: mm: remove unused __cpu_uses_extended_idmap[_level()] arm64: mm: use a 48-bit ID map when possible on 52-bit VA builds arm64: perf: Fix 64-bit event counter read truncation arm64/mm: Fix __enable_mmu() for new TGRAN range values kselftest: arm64: Fix exit code of sve-ptrace arm64: mte: Map hotplugged memory as Normal Tagged arm64: kasan: fix page_alloc tagging with DEBUG_VIRTUAL arm64/mm: Reorganize pfn_valid() arm64/mm: Fix pfn_valid() for ZONE_DEVICE based memory arm64/mm: Drop THP conditionality from FORCE_MAX_ZONEORDER arm64/mm: Drop redundant ARCH_WANT_HUGE_PMD_SHARE arm64: Drop support for CMDLINE_EXTEND arm64: cpufeatures: Fix handling of CONFIG_CMDLINE for idreg overrides
-
git://git.kernel.org/pub/scm/linux/kernel/git/xen/tipLinus Torvalds authored
Pull xen fixes from Juergen Gross: "Two fix series and a single cleanup: - a small cleanup patch to remove unneeded symbol exports - a series to cleanup Xen grant handling (avoiding allocations in some cases, and using common defines for "invalid" values) - a series to address a race issue in Xen event channel handling" * tag 'for-linus-5.12b-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip: Xen/gntdev: don't needlessly use kvcalloc() Xen/gnttab: introduce common INVALID_GRANT_{HANDLE,REF} Xen/gntdev: don't needlessly allocate k{,un}map_ops[] Xen: drop exports of {set,clear}_foreign_p2m_mapping() xen/events: avoid handling the same event on two cpus at the same time xen/events: don't unmask an event channel when an eoi is pending xen/events: reset affinity of 2-level event when tearing it down -
Rafael J. Wysocki authored
* pm-opp: opp: Don't drop extra references to OPPs accidentally
-
git://git.kernel.org/pub/scm/linux/kernel/git/vireshk/pmRafael J. Wysocki authored
Pull an operating performance points (OPP) framework fix for 5.12 from Viresh Kumar: "Fix OPP refcount issue noticed by Beata." * 'opp/linux-next' of git://git.kernel.org/pub/scm/linux/kernel/git/vireshk/pm: opp: Don't drop extra references to OPPs accidentally
-
Pavel Begunkov authored
IORING_OP_ASYNC_CANCEL tries io-wq cancellation only for current task. If it fails go over tctx_list and try it out for every single tctx. Signed-off-by:
Pavel Begunkov <asml.silence@gmail.com> Signed-off-by:
Jens Axboe <axboe@kernel.dk>
-
Pavel Begunkov authored
1) The first problem is io_uring_cancel_sqpoll() -> io_uring_cancel_task_requests() basically doing park(); park(); and so hanging. 2) Another one is more subtle, when the master task is doing cancellations, but SQPOLL task submits in-between the end of the cancellation but before finish() requests taking a ref to the ctx, and so eternally locking it up. 3) Yet another is a dying SQPOLL task doing io_uring_cancel_sqpoll() and same io_uring_cancel_sqpoll() from the owner task, they race for tctx->wait events. And there probably more of them. Instead do SQPOLL cancellations from within SQPOLL task context via task_work, see io_sqpoll_cancel_sync(). With that we don't need temporal park()/unpark() during cancellation, which is ugly, subtle and anyway doesn't allow to do io_run_task_work() properly. io_uring_cancel_sqpoll() is called only from SQPOLL task context and under sqd locking, so all parking is removed from there. And so, io_sq_thread_[un]park() and io_sq_thread_stop() are not used now by SQPOLL task, and that spare us from some headache. Also remove ctx->sqd_list early to avoid 2). And kill tctx->sqpoll, which is not used anymore. Signed-off-by:
-
Pavel Begunkov authored
SQPOLL thread to which we're trying to attach may be going away, it's not nice but a more serious problem is if io_sq_offload_create() sees sqd->thread==NULL, and tries to init it with a new thread. There are tons of ways it can be exploited or fail. Signed-off-by:
-
Bob Peterson authored
Patch fe3e3976 ("gfs2: Rework the log space allocation logic") changed gfs2_log_flush to reserve a set of journal blocks in case no transaction is active. However, gfs2_log_flush also gets called in cases where we don't have an active journal, for example, for spectator mounts. In that case, trying to reserve blocks would sleep forever, but we want gfs2_log_flush to be a no-op instead. Fixes: fe3e3976 ("gfs2: Rework the log space allocation logic") Signed-off-by:
Bob Peterson <rpeterso@redhat.com> Signed-off-by:
Andreas Gruenbacher <agruenba@redhat.com>
-
Pavel Begunkov authored
We always do complete(&sqd->startup) almost right after sqd->thread creation, either in the success path or in io_sq_thread_finish(). It's specifically created not started for us to be able to set some stuff like sqd->thread and io_uring_alloc_task_context() before following right after wake_up_new_task(). Signed-off-by:
-
Pavel Begunkov authored
As io_uring_cancel_files() and others let SQO to run between io_uring_try_cancel_requests(), SQO may generate new deferred requests, so it's safer to try to cancel them in it. Signed-off-by:
-
Bob Peterson authored
Before this patch, function signal_our_withdraw referenced the journal inode immediately. But corrupt file systems may have some invalid journals, in which case our attempt to read it in will withdraw and the resulting signal_our_withdraw would dereference the NULL value. This patch adds a check to signal_our_withdraw so that if the journal has not yet been initialized, it simply returns and does the old-style withdraw. Thanks, Andy Price, for his analysis. Reported-by: syzbot+50a8a9cf8127f2c6f5df@syzkaller.appspotmail.com Fixes: 601ef0d5 ("gfs2: Force withdraw to replay journals and wait for it to finish") Signed-off-by:
-
Wei Yongjun authored
Fix to return negative error code -ENOMEM from the error handling case instead of 0, as done elsewhere in this function. Fixes: 53c218da ("driver/perf: Add PMU driver for the ARM DMC-620 memory controller") Reported-by:
Hulk Robot <hulkci@huawei.com> Signed-off-by:
Wei Yongjun <weiyongjun1@huawei.com> Link: https://lore.kernel.org/r/20210312080421.277562-1-weiyongjun1@huawei.comSigned-off-by:
Will Deacon <will@kernel.org>
-
Beata Michalska authored
We are required to call dev_pm_opp_put() from outside of the opp_table->lock as debugfs removal needs to happen lock-less to avoid circular dependency issues. commit cf1fac94 ("opp: Reduce the size of critical section in _opp_kref_release()") tried to fix that introducing a new routine _opp_get_next() which keeps returning OPPs that can be freed by the callers and this routine shall be called without holding the opp_table->lock. Though the commit overlooked the fact that the OPPs can be referenced by other users as well and this routine will end up dropping references which were taken by other users and hence freeing the OPPs prematurely. In effect, other users of the OPPs will end up having invalid pointers at hand. We didn't see any crash reports earlier as the exact situation never happened, though it is certainly possible. We need a way to mark which OPPs are no longer referenced by the OPP core, so we don't drop extra references to them accidentally. This commit adds another OPP flag, "removed", which is used to track this. And now we should never end up dropping extra references to the OPPs. Cc: v5.11+ <stable@vger.kernel.org> # v5.11+ Fixes: cf1fac94 ("opp: Reduce the size of critical section in _opp_kref_release()") Signed-off-by:
Beata Michalska <beata.michalska@arm.com> [ Viresh: Almost rewrote entire patch, added new "removed" field, rewrote commit log and added the correct Fixes tag. ] Co-developed-by:
Viresh Kumar <viresh.kumar@linaro.org> Signed-off-by:
-
git://anongit.freedesktop.org/drm/drmLinus Torvalds authored
Pull drm fixes from Dave Airlie: "Regular fixes for rc3. The i915 pull was based on the rc1 tag so I just cherry-picked the single fix from there to avoid it. The misc and amd trees seem to be on okay bases. It's a bunch of fixes across the tree, amdgpu has most of them a few ttm fixes around qxl, and nouveau. core: - Clear holes when converting compat ioctl's between 32-bits and 64-bits. docs: - Use gitlab for drm bugzilla now. ttm: - Fix ttm page pool accounting. fbdev: - Fix oops in drm_fbdev_cleanup() shmem: - Assorted fixes for shmem helpers. qxl: - unpin qxl bos created as pinned when freeing them, and make ttm only warn once on this behavior. - Zero head.surface_id correctly in qxl. atyfb: - Use LCD management for atyfb on PPC_MAC. meson: - Shutdown kms poll helper in meson correctly. nouveau: - fix regression in bo syncing i915: - Wedge the GPU if command parser setup fails amdgpu: - Fix aux backlight control - Add a backlight override parameter - Various display fixes - PCIe DPM fix for vega - Polaris watermark fixes - Additional S0ix fix radeon: - Fix GEM regression - Fix AGP dependency handling" * tag 'drm-fixes-2021-03-12-1' of git://anongit.freedesktop.org/drm/drm: (33 commits) drm/nouveau: fix dma syncing for loops (v2) drm/i915: Wedge the GPU if command parser setup fails drm/compat: Clear bounce structures drm/shmem-helpers: vunmap: Don't put pages for dma-buf drm: meson_drv add shutdown function drm/shmem-helper: Don't remove the offset in vm_area_struct pgoff drm/shmem-helper: Check for purged buffers in fault handler qxl: Fix uninitialised struct field head.surface_id drm/ttm: Fix TTM page pool accounting drm/ttm: soften TTM warnings drm: Use USB controller's DMA mask when importing dmabufs MAINTAINERS: update drm bug reporting URL fbdev: atyfb: use LCD management functions for PPC_PMAC also fbdev: atyfb: always declare aty_{ld,st}_lcd() drm/qxl: fix lockdep issue in qxl_alloc_release_reserved drm/qxl: unpin release objects drm/fb-helper: only unmap if buffer not null drm/amdgpu: fix S0ix handling when the CONFIG_AMD_PMC=m drm/radeon: fix AGP dependency drm/radeon: also init GEM funcs in radeon_gem_prime_import_sg_table ... -
Dave Airlie authored
The index variable should only be increased in one place. Noticed this while trying to track down another oops. v2: use while loop. Fixes: f295c8cf ("drm/nouveau: fix dma syncing warning with debugging on.") Signed-off-by:
Dave Airlie <airlied@redhat.com> Reviewed-by:
Michael J. Ruhl <michael.j.ruhl@intel.com> Signed-off-by:
-
Tvrtko Ursulin authored
Commit 311a50e7 ("drm/i915: Add support for mandatory cmdparsing") introduced mandatory command parsing but setup failures were not translated into wedging the GPU which was probably the intent. Possible errors come in two categories. Either the sanity check on internal tables has failed, which should be caught in CI unless an affected platform would be missed in testing; or memory allocation failure happened during driver load, which should be extremely unlikely but for correctness should still be handled. v2: * Tidy coding style. (Chris) [airlied: cherry-picked to avoid rc1 base] Signed-off-by:
Tvrtko Ursulin <tvrtko.ursulin@intel.com> Fixes: 311a50e7 ("drm/i915: Add support for mandatory cmdparsing") Cc: Jon Bloomfield <jon.bloomfield@intel.com> Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com> Cc: Chris Wilson <chris.p.wilson@intel.com> Reviewed-by:
Chris Wilson <chris.p.wilson@intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20210302114213.1102223-1-tvrtko.ursulin@linux.intel.com (cherry picked from commit 5a1a659762d35a6dc51047c9127c011303c77b7f) Signed-off-by:
Rodrigo Vivi <rodrigo.vivi@intel.com> Signed-off-by:
-
Dave Airlie authored
Merge tag 'amd-drm-fixes-5.12-2021-03-10' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes amd-drm-fixes-5.12-2021-03-10: amdgpu: - Fix aux backlight control - Add a backlight override parameter - Various display fixes - PCIe DPM fix for vega - Polaris watermark fixes - Additional S0ix fix radeon: - Fix GEM regression - Fix AGP dependency handling Signed-off-by:
-
git://anongit.freedesktop.org/drm/drm-miscDave Airlie authored
drm-misc-fixes for rc3, rebased on rc2: - Fix oops in drm_fbdev_cleanup() - unpin qxl bos created as pinned when freeing them, and make ttm only warn once on this behavior. - Use LCD management for atyfb on PPC_MAC. - Use gitlab for drm bugzilla now. - Fix ttm page pool accounting. - Zero head.surface_id correctly in qxl. - Assorted fixes for shmem helpers. - Shutdown kms poll helper in meson correctly. - Clear holes when converting compat ioctl's between 32-bits and 64-bits. Signed-off-by:
-
- 11 Mar, 2021 14 commits
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-mediaLinus Torvalds authored
Pull media fixes from Mauro Carvalho Chehab: "A couple of fixes: - fix a build issue with CEC - fix a deadlock at usbtv driver - fix some null pointer address issues at vsp1 driver - fix a wrong bitmap setting at rkisp1 driver" * tag 'media/v5.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: media: rkisp1: params: fix wrong bits settings media: v4l: vsp1: Fix uif null pointer access media: v4l: vsp1: Fix bru null pointer access media: usbtv: Fix deadlock on suspend media: rc: compile rc-cec.c into rc-core
-
Jens Axboe authored
We bypass IOPOLL completion polling (and reaping) for the SQPOLL thread, but if it's the thread itself invoking cancelations, then we still need to perform it or no one will. Fixes: 9936c7c2 ("io_uring: deduplicate core cancellations sequence") Signed-off-by:
-
Jens Axboe authored
Earlier kernels had SQPOLL threads that could share across anything, as we grabbed the context we needed on a per-ring basis. This is no longer the case, so only allow attaching directly if we're in the same thread group. That is the common use case. For non-group tasks, just setup a new context and thread as we would've done if sharing wasn't set. This isn't 100% ideal in terms of CPU utilization for the forked and share case, but hopefully that isn't much of a concern. If it is, there are plans in motion for how to improve that. Most importantly, we want to avoid app side regressions where sharing worked before and now doesn't. With this patch, functionality is equivalent to previous kernels that supported IORING_SETUP_ATTACH_WQ with SQPOLL. Reported-by:
Stefan Metzmacher <metze@samba.org> Signed-off-by:
-
Axel Lin authored
The valid selector is 0 ~ 0xbf, so the .n_voltages should be 0xc0. Signed-off-by:
Axel Lin <axel.lin@ingics.com> Link: https://lore.kernel.org/r/20210311020558.579597-1-axel.lin@ingics.comSigned-off-by:
Mark Brown <broonie@kernel.org>
-
Ard Biesheuvel authored
These routines lost all existing users during the latest merge window so we can remove them. This avoids the need to fix them in the context of fixing a regression related to the ID map on 52-bit VA kernels. Signed-off-by:
Ard Biesheuvel <ardb@kernel.org> Link: https://lore.kernel.org/r/20210310171515.416643-3-ardb@kernel.orgSigned-off-by:
-
Ard Biesheuvel authored
52-bit VA kernels can run on hardware that is only 48-bit capable, but configure the ID map as 52-bit by default. This was not a problem until recently, because the special T0SZ value for a 52-bit VA space was never programmed into the TCR register anwyay, and because a 52-bit ID map happens to use the same number of translation levels as a 48-bit one. This behavior was changed by commit 1401bef7 ("arm64: mm: Always update TCR_EL1 from __cpu_set_tcr_t0sz()"), which causes the unsupported T0SZ value for a 52-bit VA to be programmed into TCR_EL1. While some hardware simply ignores this, Mark reports that Amberwing systems choke on this, resulting in a broken boot. But even before that commit, the unsupported idmap_t0sz value was exposed to KVM and used to program TCR_EL2 incorrectly as well. Given that we already have to deal with address spaces being either 48-bit or 52-bit in size, the cleanest approach seems to be to simply default to a 48-bit VA ID map, and only switch to a 52-bit one if the placement of the kernel in DRAM requires it. This is guaranteed not to happen unless the system is actually 52-bit VA capable. Fixes: 90ec95cd ("arm64: mm: Introduce VA_BITS_MIN") Reported-by:
Mark Salter <msalter@redhat.com> Link: http://lore.kernel.org/r/20210310003216.410037-1-msalter@redhat.comSigned-off-by:
-
Daiyue Zhang authored
Commit b0841eef ("configfs: provide exclusion between IO and removals") uses ->frag_dead to mark the fragment state, thus no bothering with extra refcount on config_item when opening a file. The configfs_get_config_item was removed in __configfs_open_file, but not with config_item_put. So the refcount on config_item will lost its balance, causing use-after-free issues in some occasions like this: Test: 1. Mount configfs on /config with read-only items: drwxrwx--- 289 root root 0 2021-04-01 11:55 /config drwxr-xr-x 2 root root 0 2021-04-01 11:54 /config/a --w--w--w- 1 root root 4096 2021-04-01 11:53 /config/a/1.txt ...... 2. Then run: for file in /config do echo $file grep -R 'key' $file done 3. __configfs_open_file will be called in parallel, the first one got called will do: if (file->f_mode & FMODE_READ) { if (!(inode->i_mode & S_IRUGO)) goto out_put_module; config_item_put(buffer->item); kref_put() package_details_release() kfree() the other one will run into use-after-free issues like this: BUG: KASAN: use-after-free in __configfs_open_file+0x1bc/0x3b0 Read of size 8 at addr fffffff155f02480 by task grep/13096 CPU: 0 PID: 13096 Comm: grep VIP: 00 Tainted: G W 4.14.116-kasan #1 TGID: 13096 Comm: grep Call trace: dump_stack+0x118/0x160 kasan_report+0x22c/0x294 __asan_load8+0x80/0x88 __configfs_open_file+0x1bc/0x3b0 configfs_open_file+0x28/0x34 do_dentry_open+0x2cc/0x5c0 vfs_open+0x80/0xe0 path_openat+0xd8c/0x2988 do_filp_open+0x1c4/0x2fc do_sys_open+0x23c/0x404 SyS_openat+0x38/0x48 Allocated by task 2138: kasan_kmalloc+0xe0/0x1ac kmem_cache_alloc_trace+0x334/0x394 packages_make_item+0x4c/0x180 configfs_mkdir+0x358/0x740 vfs_mkdir2+0x1bc/0x2e8 SyS_mkdirat+0x154/0x23c el0_svc_naked+0x34/0x38 Freed by task 13096: kasan_slab_free+0xb8/0x194 kfree+0x13c/0x910 package_details_release+0x524/0x56c kref_put+0xc4/0x104 config_item_put+0x24/0x34 __configfs_open_file+0x35c/0x3b0 configfs_open_file+0x28/0x34 do_dentry_open+0x2cc/0x5c0 vfs_open+0x80/0xe0 path_openat+0xd8c/0x2988 do_filp_open+0x1c4/0x2fc do_sys_open+0x23c/0x404 SyS_openat+0x38/0x48 el0_svc_naked+0x34/0x38 To fix this issue, remove the config_item_put in __configfs_open_file to balance the refcount of config_item. Fixes: b0841eef ("configfs: provide exclusion between IO and removals") Signed-off-by:
Daiyue Zhang <zhangdaiyue1@huawei.com> Signed-off-by:
Yi Chen <chenyi77@huawei.com> Signed-off-by:
Ge Qiu <qiuge@huawei.com> Reviewed-by:
Chao Yu <yuchao0@huawei.com> Acked-by:
Al Viro <viro@zeniv.linux.org.uk> Signed-off-by:
Christoph Hellwig <hch@lst.de>
-
Dafna Hirschfeld authored
The histogram mode is set using 'rkisp1_params_set_bits'. Only the bits of the mode should be the value argument for that function. Otherwise bits outside the mode mask are turned on which is not what was intended. Fixes: bae1155c ("media: staging: rkisp1: add output device for parameters") Signed-off-by:
Dafna Hirschfeld <dafna.hirschfeld@collabora.com> Signed-off-by:
Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by:
Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
-
Biju Das authored
RZ/G2L SoC has no UIF. This patch fixes null pointer access, when UIF module is not used. Fixes: 5e824f98("media: v4l: vsp1: Integrate DISCOM in display pipeline") Signed-off-by:
Biju Das <biju.das.jz@bp.renesas.com> Signed-off-by:
-
Biju Das authored
RZ/G2L SoC has only BRS. This patch fixes null pointer access,when only BRS is enabled. Fixes: cbb7fa49("media: v4l: vsp1: Rename BRU to BRx") Signed-off-by:
-
Maxim Mikityanskiy authored
usbtv doesn't support power management, so on system suspend the .disconnect callback of the driver is called. The teardown sequence includes a call to snd_card_free. Its implementation waits until the refcount of the sound card device drops to zero, however, if its file is open, snd_card_file_add takes a reference, which can't be dropped during the suspend, because the userspace processes are already frozen at this point. snd_card_free waits for completion forever, leading to a hang on suspend. This commit fixes this deadlock condition by replacing snd_card_free with snd_card_free_when_closed, that doesn't wait until all references are released, allowing suspend to progress. Fixes: 63ddf68d ("[media] usbtv: add audio support") Signed-off-by:
Maxim Mikityanskiy <maxtram95@gmail.com> Signed-off-by:
-
Hans Verkuil authored
The rc-cec keymap is unusual in that it can't be built as a module, instead it is registered directly in rc-main.c if CONFIG_MEDIA_CEC_RC is set. This is because it can be called from drm_dp_cec_set_edid() via cec_register_adapter() in an asynchronous context, and it is not allowed to use request_module() to load rc-cec.ko in that case. Trying to do so results in a 'WARN_ON_ONCE(wait && current_is_async())'. Since this keymap is only used if CONFIG_MEDIA_CEC_RC is set, we just compile this keymap into the rc-core module and never as a separate module. Signed-off-by:
Hans de Goede <hdegoede@redhat.com> Signed-off-by:
Sean Young <sean@mess.org> Signed-off-by:
-
Daniel Vetter authored
Some of them have gaps, or fields we don't clear. Native ioctl code does full copies plus zero-extends on size mismatch, so nothing can leak. But compat is more hand-rolled so need to be careful. None of these matter for performance, so just memset. Also I didn't fix up the CONFIG_DRM_LEGACY or CONFIG_DRM_AGP ioctl, those are security holes anyway. Acked-by:
Maxime Ripard <mripard@kernel.org> Reported-by: syzbot+620cf21140fc7e772a5d@syzkaller.appspotmail.com # vblank ioctl Cc: syzbot+620cf21140fc7e772a5d@syzkaller.appspotmail.com Cc: stable@vger.kernel.org Signed-off-by:
Daniel Vetter <daniel.vetter@intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20210222100643.400935-1-daniel.vetter@ffwll.ch (cherry picked from commit e926c474) Signed-off-by:
Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
-
Noralf Trønnes authored
dma-buf importing was reworked in commit 7d2cd72a ("drm/shmem-helpers: Simplify dma-buf importing"). Before that commit drm_gem_shmem_prime_import_sg_table() did set ->pages_use_count=1 and drm_gem_shmem_vunmap_locked() could call drm_gem_shmem_put_pages() unconditionally. Now without the use count set, put pages is called also on dma-bufs. Fix this by only putting pages if it's not imported. Signed-off-by:
Noralf Trønnes <noralf@tronnes.org> Fixes: 7d2cd72a ("drm/shmem-helpers: Simplify dma-buf importing") Cc: Daniel Vetter <daniel.vetter@ffwll.ch> Cc: Thomas Zimmermann <tzimmermann@suse.de> Acked-by:
Thomas Zimmermann <tzimmermann@suse.de> Tested-by:
-
