1. 04 Jul, 2024 4 commits
    • net: missing check virtio · e269d79c
      Denis Arefev authored
      Two missing checks in virtio_net_hdr_to_skb() allowed syzbot
      to crash kernels again
      
      1. After the skb_segment function the buffer may become non-linear
      (nr_frags != 0), but since the SKBTX_SHARED_FRAG flag is not set anywhere
      the __skb_linearize function will not be executed, then the buffer will
      remain non-linear. Then the condition (offset >= skb_headlen(skb))
      becomes true, which causes WARN_ON_ONCE in skb_checksum_help.
      
      2. The struct sk_buff and struct virtio_net_hdr members must be
      mathematically related.
      (gso_size) must be greater than (needed) otherwise WARN_ON_ONCE.
      (remainder) must be greater than (needed) otherwise WARN_ON_ONCE.
      (remainder) may be 0 if division is without remainder.
      
      offset+2 (4191) > skb_headlen() (1116)
      WARNING: CPU: 1 PID: 5084 at net/core/dev.c:3303 skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303
      Modules linked in:
      CPU: 1 PID: 5084 Comm: syz-executor336 Not tainted 6.7.0-rc3-syzkaller-00014-gdf60cee2 #0
      Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
      RIP: 0010:skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303
      Call Trace:
       <TASK>
       ip_do_fragment+0xa1b/0x18b0 net/ipv4/ip_output.c:777
       ip_fragment.constprop.0+0x161/0x230 net/ipv4/ip_output.c:584
       ip_finish_output_gso net/ipv4/ip_output.c:286 [inline]
       __ip_finish_output net/ipv4/ip_output.c:308 [inline]
       __ip_finish_output+0x49c/0x650 net/ipv4/ip_output.c:295
       ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323
       NF_HOOK_COND include/linux/netfilter.h:303 [inline]
       ip_output+0x13b/0x2a0 net/ipv4/ip_output.c:433
       dst_output include/net/dst.h:451 [inline]
       ip_local_out+0xaf/0x1a0 net/ipv4/ip_output.c:129
       iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82
       ipip6_tunnel_xmit net/ipv6/sit.c:1034 [inline]
       sit_tunnel_xmit+0xed2/0x28f0 net/ipv6/sit.c:1076
       __netdev_start_xmit include/linux/netdevice.h:4940 [inline]
       netdev_start_xmit include/linux/netdevice.h:4954 [inline]
       xmit_one net/core/dev.c:3545 [inline]
       dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3561
       __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4346
       dev_queue_xmit include/linux/netdevice.h:3134 [inline]
       packet_xmit+0x257/0x380 net/packet/af_packet.c:276
       packet_snd net/packet/af_packet.c:3087 [inline]
       packet_sendmsg+0x24ca/0x5240 net/packet/af_packet.c:3119
       sock_sendmsg_nosec net/socket.c:730 [inline]
       __sock_sendmsg+0xd5/0x180 net/socket.c:745
       __sys_sendto+0x255/0x340 net/socket.c:2190
       __do_sys_sendto net/socket.c:2202 [inline]
       __se_sys_sendto net/socket.c:2198 [inline]
       __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
       do_syscall_x64 arch/x86/entry/common.c:51 [inline]
       do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
       entry_SYSCALL_64_after_hwframe+0x63/0x6b
      
      Found by Linux Verification Center (linuxtesting.org) with Syzkaller
      
      Fixes: 0f6925b3 ("virtio_net: Do not pull payload in skb->head")
      Signed-off-by: Denis Arefev <arefev@swemel.ru>
      Message-Id: <20240613095448.27118-1-arefev@swemel.ru>
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    • tools/virtio: creating pipe assertion in vringh_test · ede9c33e
      Yunseong Kim authored
      parallel_test() function in vringh_test needs to verify
      the creation of the guest/host pipe.
      Signed-off-by: Yunseong Kim <yskelg@gmail.com>
      Message-Id: <20240624174905.27980-2-yskelg@gmail.com>
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    • virtio_ring: fix KMSAN error for premapped mode · 840b2d39
      Xuan Zhuo authored
      Add kmsan for virtqueue_dma_map_single_attrs to fix:
      
      BUG: KMSAN: uninit-value in receive_buf+0x45ca/0x6990
       receive_buf+0x45ca/0x6990
       virtnet_poll+0x17e0/0x3130
       net_rx_action+0x832/0x26e0
       handle_softirqs+0x330/0x10f0
       [...]
      
      Uninit was created at:
       __alloc_pages_noprof+0x62a/0xe60
       alloc_pages_noprof+0x392/0x830
       skb_page_frag_refill+0x21a/0x5c0
       virtnet_rq_alloc+0x50/0x1500
       try_fill_recv+0x372/0x54c0
       virtnet_open+0x210/0xbe0
       __dev_open+0x56e/0x920
       __dev_change_flags+0x39c/0x2000
       dev_change_flags+0xaa/0x200
       do_setlink+0x197a/0x7420
       rtnl_setlink+0x77c/0x860
       [...]
      Signed-off-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
      Tested-by: Alexander Potapenko <glider@google.com>
      Message-Id: <20240606111345.93600-1-xuanzhuo@linux.alibaba.com>
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
      Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>  # s390x
      Acked-by: Jason Wang <jasowang@redhat.com>
    • vhost/vsock: always initialize seqpacket_allow · 1e1fdcbd
      Michael S. Tsirkin authored
      There are two issues around seqpacket_allow:
      1. seqpacket_allow is not initialized when socket is
         created. Thus if features are never set, it will be
         read uninitialized.
      2. if VIRTIO_VSOCK_F_SEQPACKET is set and then cleared,
         then seqpacket_allow will not be cleared appropriately
         (existing apps I know about don't usually do this but
          it's legal and there's no way to be sure no one relies
          on this).
      
      To fix:
      	- initialize seqpacket_allow after allocation
      	- set it unconditionally in set_features
      
      Reported-by: syzbot+6c21aeb59d0e82eb2782@syzkaller.appspotmail.com
      Reported-by: Jeongjun Park <aha310510@gmail.com>
      Fixes: ced7b713 ("vhost/vsock: support SEQPACKET for transport").
      Tested-by: Arseny Krasnov <arseny.krasnov@kaspersky.com>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Stefan Hajnoczi <stefanha@redhat.com>
      Message-ID: <20240422100010-mutt-send-email-mst@kernel.org>
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
      Acked-by: Jason Wang <jasowang@redhat.com>
      Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
      Reviewed-by: Eugenio Pérez <eperezma@redhat.com>
      Acked-by: Jakub Kicinski <kuba@kernel.org>
  2. 02 Jul, 2024 7 commits
  3. 01 Jul, 2024 9 commits
    • Merge tag 'cxl-fixes-6.10-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl · 73e93150
      Linus Torvalds authored
      Pull cxl fixes from Dave Jiang:
      
       - Fix no cxl_nvd during pmem region auto-assemble
      
       - Avoid NULL pointer dereference in region lookup
      
       - Add missing checks to interleave capability
      
       - Add cxl kdoc fix to address document compilation error
      
      * tag 'cxl-fixes-6.10-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl:
        cxl: documentation: add missing files to cxl driver-api
        cxl/region: check interleave capability
        cxl/region: Avoid null pointer dereference in region lookup
        cxl/mem: Fix no cxl_nvd during pmem region auto-assembling
    • Merge tag 'for-6.10-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · cfbc0ffe
      Linus Torvalds authored
      Pull btrfs fix from David Sterba:
       "A fixup for a recent fix that prevents an infinite loop during block
        group reclaim.
      
        Unfortunately it introduced an unsafe way of updating block group list
        and could race with relocation. This could be hit on fast devices when
        relocation/balance does not have enough space"
      
      * tag 'for-6.10-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: fix adding block group to a reclaim list and the unused list during reclaim
    • Merge tag 'asm-generic-fixes-6.10-2' of... · 9903efbd
      Linus Torvalds authored
      Merge tag 'asm-generic-fixes-6.10-2' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/asm-generic
      
      Pull asm-generic fix from Arnd Bergmann:
       "This fixes up a last minute build regression from the previous set of
        bug fixes"
      
      * tag 'asm-generic-fixes-6.10-2' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/asm-generic:
        syscalls: fix sys_fanotify_mark prototype
    • Merge tag 'arm-fixes-6.10-2' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc · 651ab781
      Linus Torvalds authored
      Pull SoC fixes from Arnd Bergmann:
       "A number of devicetree fixes came in for the rockchip platforms,
        correcting some of the address information, and reverting a change to
        the MMC controller configuration that caused regressions.
      
        Four drivers have one code change each, addressing minor build issues
        for the optee firmware driver, the litex SoC platform driver and two
        reset drivers.
      
        The riscv fixes are also simple, mainly turning off device nodes in the
        canaan dts files unless they are actually usable on a particular
        board.
      
        Finally, Drew takes over maintaining the THEAD RISC-V SoC platform"
      
      * tag 'arm-fixes-6.10-2' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc:
        drivers/soc/litex: drop obsolete dependency on COMPILE_TEST
        tee: optee: ffa: Fix missing-field-initializers warning
        arm64: dts: rockchip: Add sound-dai-cells for RK3368
        arm64: dts: rockchip: Fix the i2c address of es8316 on Cool Pi 4B
        reset: hisilicon: hi6220: add missing MODULE_DESCRIPTION() macro
        reset: gpio: Fix missing gpiolib dependency for GPIO reset controller
        MAINTAINERS: thead: update Maintainer
        arm64: dts: rockchip: fix PMIC interrupt pin on ROCK Pi E
        riscv: dts: starfive: Set EMMC vqmmc maximum voltage to 3.3V on JH7110 boards
        arm64: dts: rockchip: make poweroff(8) work on Radxa ROCK 5A
        Revert "arm64: dts: rockchip: remove redundant cd-gpios from rk3588 sdmmc nodes"
        ARM: dts: rockchip: rk3066a: add #sound-dai-cells to hdmi node
        arm64: dts: rockchip: Fix the value of `dlg,jack-det-rate` mismatch on rk3399-gru
        arm64: dts: rockchip: set correct pwm0 pinctrl on rk3588-tiger
        riscv: dts: canaan: Disable I/O devices unless used
        riscv: dts: canaan: Clean up serial aliases
        arm64: dts: rockchip: Rename LED related pinctrl nodes on rk3308-rock-pi-s
        arm64: dts: rockchip: Fix SD NAND and eMMC init on rk3308-rock-pi-s
        arm64: dts: rockchip: Fix rk3308 codec@ff560000 reset-names
        arm64: dts: rockchip: Fix the DCDC_REG2 minimum voltage on Quartz64 Model B
    • Merge tag 'mtd/fixes-for-6.10-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux · 90f4ad03
      Linus Torvalds authored
      Pull mtd fixes from Miquel Raynal:
      
       - Rockchip NAND controller driver was not checking the timings properly
         and the introduction of NV-DDR support broke it.
      
       - The core was also misbehaving in some very specific cases: in case of
         (unlikely) bitflips in the parameter page, the fallback might have
         failed as well but for software reasons.
      
       - Finally, the chosen ECC configuration was no longer properly
         propagated to upper layers, mostly failing an info message at probe
         time.
      
      * tag 'mtd/fixes-for-6.10-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux:
        mtd: rawnand: rockchip: ensure NVDDR timings are rejected
        mtd: rawnand: Bypass a couple of sanity checks during NAND identification
        mtd: rawnand: Fix the nand_read_data_op() early check
        mtd: rawnand: Ensure ECC configuration is propagated to upper layers
    • Merge tag 'vfs-6.10-rc7.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs · 9b458a26
      Linus Torvalds authored
      Pull vfs fixes from Christian Brauner:
       "Misc:
      
         - Don't misleadingly warn during filesystem thaw operations.
      
           It's possible that a block device which was frozen before it was
           mounted can cause a failing thaw operation if someone concurrently
           tried to mount it while that thaw operation was issued and the
           device had already been temporarily claimed for the mount (The
           mount will of course be aborted because the device is frozen).
      
        netfs:
      
         - Fix io_uring based write-through. Make sure that the total request
           length is correctly set.
      
         - Fix partial writes to folio tail.
      
         - Remove some xarray helpers that were intended for bounce buffers
           which got deferred to a later patch series.
      
         - Make netfs_page_mkwrite() check whether folio->mapping is valid after
           acquiring the folio lock.
      
         - Make netfs_page_mkwrite() flush conflicting data instead of waiting.
      
        fsnotify:
      
         - Ensure that fsnotify creation events are generated before fsnotify
           open events when a file is created via ->atomic_open(). The
           ordering was broken before.
      
         - Ensure that no fsnotify events are generated for O_PATH file
           descriptors. While no fsnotify open events were generated, fsnotify
           close events were. Make it consistent and don't produce any"
      
      * tag 'vfs-6.10-rc7.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs:
        netfs: Fix netfs_page_mkwrite() to flush conflicting data, not wait
        netfs: Fix netfs_page_mkwrite() to check folio->mapping is valid
        netfs: Delete some xarray-wangling functions that aren't used
        netfs: Fix early issue of write op on partial write to folio tail
        netfs: Fix io_uring based write-through
        vfs: generate FS_CREATE before FS_OPEN when ->atomic_open used.
        fsnotify: Do not generate events for O_PATH file descriptors
        fs: don't misleadingly warn during thaw operations
    • btrfs: fix adding block group to a reclaim list and the unused list during reclaim · 48f091fd
      Naohiro Aota authored
      There is a potential parallel list adding for retrying in
      btrfs_reclaim_bgs_work and adding to the unused list. Since the block
      group is removed from the reclaim list and it is on a relocation work,
      it can be added into the unused list in parallel. When that happens,
      adding it to the reclaim list will corrupt the list head and trigger
      list corruption like below.
      
      Fix it by taking fs_info->unused_bgs_lock.
      
        [177.504][T2585409] BTRFS error (device nullb1): error relocating chunk 2415919104
        [177.514][T2585409] list_del corruption. next->prev should be ff11000344b119c0, but was ff11000377e87c70. (next=ff110002390cd9c0)
        [177.529][T2585409] ------------[ cut here ]------------
        [177.537][T2585409] kernel BUG at lib/list_debug.c:65!
        [177.545][T2585409] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
        [177.555][T2585409] CPU: 9 PID: 2585409 Comm: kworker/u128:2 Tainted: G        W          6.10.0-rc5-kts #1
        [177.568][T2585409] Hardware name: Supermicro SYS-520P-WTR/X12SPW-TF, BIOS 1.2 02/14/2022
        [177.579][T2585409] Workqueue: events_unbound btrfs_reclaim_bgs_work[btrfs]
        [177.589][T2585409] RIP: 0010:__list_del_entry_valid_or_report.cold+0x70/0x72
        [177.748][T2585409] Call Trace:
        [177.753][T2585409]  <TASK>
        [177.759][T2585409]  ? __die_body.cold+0x19/0x27
        [177.766][T2585409]  ? die+0x2e/0x50
        [177.772][T2585409]  ? do_trap+0x1ea/0x2d0
        [177.779][T2585409]  ? __list_del_entry_valid_or_report.cold+0x70/0x72
        [177.788][T2585409]  ? do_error_trap+0xa3/0x160
        [177.795][T2585409]  ? __list_del_entry_valid_or_report.cold+0x70/0x72
        [177.805][T2585409]  ? handle_invalid_op+0x2c/0x40
        [177.812][T2585409]  ? __list_del_entry_valid_or_report.cold+0x70/0x72
        [177.820][T2585409]  ? exc_invalid_op+0x2d/0x40
        [177.827][T2585409]  ? asm_exc_invalid_op+0x1a/0x20
        [177.834][T2585409]  ? __list_del_entry_valid_or_report.cold+0x70/0x72
        [177.843][T2585409]  btrfs_delete_unused_bgs+0x3d9/0x14c0 [btrfs]
      
      There is a similar retry_list code in btrfs_delete_unused_bgs(), but it is
      safe, AFAICS. Since the block group was in the unused list, the used bytes
      should be 0 when it was added to the unused list. Then, it checks
      block_group->{used,reserved,pinned} are still 0 under the
      block_group->lock. So, they should be still eligible for the unused list,
      not the reclaim list.
      
      The reason it is safe there is because we're holding
      space_info->groups_sem in write mode.
      
      That means no other task can allocate from the block group, so while we
      are at deleted_unused_bgs() it's not possible for other tasks to
      allocate and deallocate extents from the block group, so it can't be
      added to the unused list or the reclaim list by anyone else.
      
      The bug can be reproduced by btrfs/166 after a few rounds. In practice
      this can be hit when relocation cannot find more chunk space and ends
      with ENOSPC.
      Reported-by: Shinichiro Kawasaki <shinichiro.kawasaki@wdc.com>
      Suggested-by: Johannes Thumshirn <Johannes.Thumshirn@wdc.com>
      Fixes: 4eb4e85c ("btrfs: retry block group reclaim without infinite loop")
      CC: stable@vger.kernel.org # 5.15+
      Reviewed-by: Filipe Manana <fdmanana@suse.com>
      Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
      Reviewed-by: Qu Wenruo <wqu@suse.com>
      Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
      Reviewed-by: David Sterba <dsterba@suse.com>
      Signed-off-by: David Sterba <dsterba@suse.com>
    • syscalls: fix sys_fanotify_mark prototype · 63e2f40c
      Arnd Bergmann authored
      My earlier fix missed an incorrect function prototype that shows up on
      native 32-bit builds:
      
      In file included from fs/notify/fanotify/fanotify_user.c:14:
      include/linux/syscalls.h:248:25: error: conflicting types for 'sys_fanotify_mark'; have 'long int(int,  unsigned int,  u32,  u32,  int,  const char *)' {aka 'long int(int,  unsigned int,  unsigned int,  unsigned int,  int,  const char *)'}
       1924 | SYSCALL32_DEFINE6(fanotify_mark,
            | ^~~~~~~~~~~~~~~~~
      include/linux/syscalls.h:862:17: note: previous declaration of 'sys_fanotify_mark' with type 'long int(int,  unsigned int,  u64,  int, const char *)' {aka 'long int(int,  unsigned int,  long long unsigned int,  int,  const char *)'}
      
      On x86 and powerpc, the prototype is also wrong but hidden in an #ifdef,
      so it never caused problems.
      
      Add another alternative declaration that matches the conditional function
      definition.
      
      Fixes: 403f17a3 ("parisc: use generic sys_fanotify_mark implementation")
      Cc: stable@vger.kernel.org
      Reported-by: Guenter Roeck <linux@roeck-us.net>
      Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
      Reported-by: kernel test robot <lkp@intel.com>
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    • Merge tag 'v6.10-rockchip-dtsfixes1' of... · 07917ee0
      Arnd Bergmann authored
      Merge tag 'v6.10-rockchip-dtsfixes1' of git://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip into arm/fixes
      
      Apart from the regular dts fixes for wrong addresses, missing
      or wrong properties, this reverts the previous move away from
      cd-gpios to the mmc-controller's internal card-detect.
      With this change applied, it was reported that boards could not
      detect card anymore, so this got reverted of course.
      
      * tag 'v6.10-rockchip-dtsfixes1' of git://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip:
        arm64: dts: rockchip: Add sound-dai-cells for RK3368
        arm64: dts: rockchip: Fix the i2c address of es8316 on Cool Pi 4B
        arm64: dts: rockchip: fix PMIC interrupt pin on ROCK Pi E
        arm64: dts: rockchip: make poweroff(8) work on Radxa ROCK 5A
        Revert "arm64: dts: rockchip: remove redundant cd-gpios from rk3588 sdmmc nodes"
        ARM: dts: rockchip: rk3066a: add #sound-dai-cells to hdmi node
        arm64: dts: rockchip: Fix the value of `dlg,jack-det-rate` mismatch on rk3399-gru
        arm64: dts: rockchip: set correct pwm0 pinctrl on rk3588-tiger
        arm64: dts: rockchip: Rename LED related pinctrl nodes on rk3308-rock-pi-s
        arm64: dts: rockchip: Fix SD NAND and eMMC init on rk3308-rock-pi-s
        arm64: dts: rockchip: Fix rk3308 codec@ff560000 reset-names
        arm64: dts: rockchip: Fix the DCDC_REG2 minimum voltage on Quartz64 Model B
      
      Link: https://lore.kernel.org/r/10237789.nnTZe4vzsl@diego
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
  4. 30 Jun, 2024 17 commits
    • Linux 6.10-rc6 · 22a40d14
      Linus Torvalds authored
    • Merge tag 'ata-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/libata/linux · aca7c377
      Linus Torvalds authored
      Pull ata fixes from Niklas Cassel:
      
       - Add NOLPM quirk for all Crucial BX SSD1 models.
      
         Considering that we now have had bug reports for 3 different BX SSD1
         variants from Crucial with the same product name, make the quirk more
         inclusive, to catch more device models from the same generation.
      
       - Fix a trivial NULL pointer dereference in the error path for
         ata_host_release().
      
       - Create an ata_port_free(), so that we don't miss freeing ata_port
         struct members when freeing a struct ata_port.
      
       - Fix a trivial double free in the error path for ata_host_alloc().
      
       - Ensure that we remove the libata "remapped NVMe device count" sysfs
         entry on .probe() error.
      
      * tag 'ata-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/libata/linux:
        ata: ahci: Clean up sysfs file on error
        ata: libata-core: Fix double free on error
        ata,scsi: libata-core: Do not leak memory for ata_port struct members
        ata: libata-core: Fix null pointer dereference on error
        ata: libata-core: Add ATA_HORKAGE_NOLPM for all Crucial BX SSD1 models
    • ata: ahci: Clean up sysfs file on error · eeb25a09
      Niklas Cassel authored
      .probe() (ahci_init_one()) calls sysfs_add_file_to_group(), however,
      if probe() fails after this call, we currently never call
      sysfs_remove_file_from_group().
      
      (The sysfs_remove_file_from_group() call in .remove() (ahci_remove_one())
      does not help, as .remove() is not called on .probe() error.)
      
      Thus, if probe() fails after the sysfs_add_file_to_group() call, the next
      time we insmod the module we will get:
      
      sysfs: cannot create duplicate filename '/devices/pci0000:00/0000:00:04.0/remapped_nvme'
      CPU: 11 PID: 954 Comm: modprobe Not tainted 6.10.0-rc5 #43
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
      Call Trace:
       <TASK>
       dump_stack_lvl+0x5d/0x80
       sysfs_warn_dup.cold+0x17/0x23
       sysfs_add_file_mode_ns+0x11a/0x130
       sysfs_add_file_to_group+0x7e/0xc0
       ahci_init_one+0x31f/0xd40 [ahci]
      
      Fixes: 894fba7f ("ata: ahci: Add sysfs attribute to show remapped NVMe device count")
      Cc: stable@vger.kernel.org
      Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
      Reviewed-by: Hannes Reinecke <hare@suse.de>
      Link: https://lore.kernel.org/r/20240629124210.181537-10-cassel@kernel.org
      Signed-off-by: Niklas Cassel <cassel@kernel.org>
    • ata: libata-core: Fix double free on error · ab9e0c52
      Niklas Cassel authored
      If e.g. the ata_port_alloc() call in ata_host_alloc() fails, we will jump
      to the err_out label, which will call devres_release_group().
      devres_release_group() will trigger a call to ata_host_release().
      ata_host_release() calls kfree(host), so executing the kfree(host) in
      ata_host_alloc() will lead to a double free:
      
      kernel BUG at mm/slub.c:553!
      Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
      CPU: 11 PID: 599 Comm: (udev-worker) Not tainted 6.10.0-rc5 #47
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
      RIP: 0010:kfree+0x2cf/0x2f0
      Call Trace:
       <TASK>
       ? __die_body.cold+0x19/0x27
       ? die+0x2e/0x50
       ? do_trap+0xca/0x110
       ? do_error_trap+0x6a/0x90
       ? kfree+0x2cf/0x2f0
       ? exc_invalid_op+0x50/0x70
       ? kfree+0x2cf/0x2f0
       ? asm_exc_invalid_op+0x1a/0x20
       ? ata_host_alloc+0xf5/0x120 [libata]
       ? ata_host_alloc+0xf5/0x120 [libata]
       ? kfree+0x2cf/0x2f0
       ata_host_alloc+0xf5/0x120 [libata]
       ata_host_alloc_pinfo+0x14/0xa0 [libata]
       ahci_init_one+0x6c9/0xd20 [ahci]
      
      Ensure that we will not call kfree(host) twice, by performing the kfree()
      only if the devres_open_group() call failed.
      
      Fixes: dafd6c49 ("libata: ensure host is free'd on error exit paths")
      Cc: stable@vger.kernel.org
      Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
      Reviewed-by: Hannes Reinecke <hare@suse.de>
      Link: https://lore.kernel.org/r/20240629124210.181537-9-cassel@kernel.org
      Signed-off-by: Niklas Cassel <cassel@kernel.org>
    • ata,scsi: libata-core: Do not leak memory for ata_port struct members · f6549f53
      Niklas Cassel authored
      libsas is currently not freeing all the struct ata_port struct members,
      e.g. ncq_sense_buf for a driver supporting Command Duration Limits (CDL).
      
      Add a function, ata_port_free(), that is used to free an ata_port,
      including its struct members. It makes sense to keep the code related to
      freeing an ata_port in its own function, which will also free all the
      struct members of struct ata_port.
      
      Fixes: 18bd7718 ("scsi: ata: libata: Handle completion of CDL commands using policy 0xD")
      Reviewed-by: John Garry <john.g.garry@oracle.com>
      Link: https://lore.kernel.org/r/20240629124210.181537-8-cassel@kernel.org
      Signed-off-by: Niklas Cassel <cassel@kernel.org>
    • ata: libata-core: Fix null pointer dereference on error · 5d92c7c5
      Niklas Cassel authored
      If the ata_port_alloc() call in ata_host_alloc() fails,
      ata_host_release() will get called.
      
      However, the code in ata_host_release() tries to free ata_port struct
      members unconditionally, which can lead to the following:
      
      BUG: unable to handle page fault for address: 0000000000003990
      PGD 0 P4D 0
      Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
      CPU: 10 PID: 594 Comm: (udev-worker) Not tainted 6.10.0-rc5 #44
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
      RIP: 0010:ata_host_release.cold+0x2f/0x6e [libata]
      Call Trace:
       <TASK>
       ? __die_body.cold+0x19/0x27
       ? page_fault_oops+0x15a/0x2f0
       ? exc_page_fault+0x7e/0x180
       ? asm_exc_page_fault+0x26/0x30
       ? ata_host_release.cold+0x2f/0x6e [libata]
       ? ata_host_release.cold+0x2f/0x6e [libata]
       release_nodes+0x35/0xb0
       devres_release_group+0x113/0x140
       ata_host_alloc+0xed/0x120 [libata]
       ata_host_alloc_pinfo+0x14/0xa0 [libata]
       ahci_init_one+0x6c9/0xd20 [ahci]
      
      Do not access ata_port struct members unconditionally.
      
      Fixes: 633273a3 ("libata-pmp: hook PMP support and enable it")
      Cc: stable@vger.kernel.org
      Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
      Reviewed-by: Hannes Reinecke <hare@suse.de>
      Reviewed-by: John Garry <john.g.garry@oracle.com>
      Link: https://lore.kernel.org/r/20240629124210.181537-7-cassel@kernel.org
      Signed-off-by: Niklas Cassel <cassel@kernel.org>
    • Linus Torvalds's avatar
      Merge tag 'kbuild-fixes-v6.10-3' of... · e0b668b0
      Linus Torvalds authored
      Merge tag 'kbuild-fixes-v6.10-3' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
      
      Pull Kbuild fixes from Masahiro Yamada:
      
       - Remove the executable bit from installed DTB files
      
       - Escape $ in subshell execution in the debian-orig target
      
       - Fix RPM builds with CONFIG_MODULES=n
      
       - Fix xconfig with the O= option
      
       - Fix scripts_gdb with the O= option
      
      * tag 'kbuild-fixes-v6.10-3' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
        kbuild: scripts/gdb: bring the "abspath" back
        kbuild: Use $(obj)/%.cc to fix host C++ module builds
        kbuild: rpm-pkg: fix build error with CONFIG_MODULES=n
        kbuild: Fix build target deb-pkg: ln: failed to create hard link
        kbuild: doc: Update default INSTALL_MOD_DIR from extra to updates
        kbuild: Install dtb files as 0644 in Makefile.dtbinst
    • Linus Torvalds's avatar
      x86-32: fix cmpxchg8b_emu build error with clang · 76932725
      Linus Torvalds authored
      The kernel test robot reported that clang no longer compiles the 32-bit
      x86 kernel in some configurations due to commit 95ece481
      ("locking/atomic/x86: Rewrite x86_32 arch_atomic64_{,fetch}_{and,or,xor}()
      functions").
      
      The build fails with
      
        arch/x86/include/asm/cmpxchg_32.h:149:9: error: inline assembly requires more registers than available
      
      and the reason seems to be that not only does the cmpxchg8b instruction
      need four fixed registers (EDX:EAX and ECX:EBX), with the emulation
      fallback the inline asm also wants a fifth fixed register for the
      address (it uses %esi for that, but that's just a software convention
      with cmpxchg8b_emu).
      
      Avoiding using another pointer input to the asm (and just forcing it to
      use the "0(%esi)" addressing that we end up requiring for the sw
      fallback) seems to fix the issue.
      
      Reported-by: kernel test robot <lkp@intel.com>
      Closes: https://lore.kernel.org/oe-kbuild-all/202406230912.F6XFIyA6-lkp@intel.com/
      Fixes: 95ece481 ("locking/atomic/x86: Rewrite x86_32 arch_atomic64_{,fetch}_{and,or,xor}() functions")
      Link: https://lore.kernel.org/all/202406230912.F6XFIyA6-lkp@intel.com/
      Suggested-by: Uros Bizjak <ubizjak@gmail.com>
      Reviewed-and-Tested-by: Uros Bizjak <ubizjak@gmail.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Linus Torvalds's avatar
      Merge tag 'char-misc-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · 84dd4373
      Linus Torvalds authored
      Pull char/misc driver fixes from Greg KH:
       "Here are some small driver fixes for 6.10-rc6. Included in here are:
      
         - IIO driver fixes for reported issues
      
         - Counter driver fix for a reported problem.
      
        All of these have been in linux-next this week with no reported
        issues"
      
      * tag 'char-misc-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        counter: ti-eqep: enable clock at probe
        iio: chemical: bme680: Fix sensor data read operation
        iio: chemical: bme680: Fix overflows in compensate() functions
        iio: chemical: bme680: Fix calibration data variable
        iio: chemical: bme680: Fix pressure value output
        iio: humidity: hdc3020: fix hysteresis representation
        iio: dac: fix ad9739a random config compile error
        iio: accel: fxls8962af: select IIO_BUFFER & IIO_KFIFO_BUF
        iio: adc: ad7266: Fix variable checking bug
        iio: xilinx-ams: Don't include ams_ctrl_channels in scan_mask
    • Linus Torvalds's avatar
      Merge tag 'staging-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · 12529aa1
      Linus Torvalds authored
      Pull staging driver fixes from Greg KH:
       "Here are two small staging driver fixes for 6.10-rc6, both for the
        vc04_services drivers:
      
         - build fix if CONFIG_DEBUGFS was not set
      
         - initialization check fix that was much reported.
      
        Both of these have been in linux-next this week with no reported
        issues"
      
      * tag 'staging-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        staging: vchiq_debugfs: Fix build if CONFIG_DEBUG_FS is not set
        staging: vc04_services: vchiq_arm: Fix initialisation check
    • Linus Torvalds's avatar
      Merge tag 'tty-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · 3e334486
      Linus Torvalds authored
      Pull tty / serial / console fixes from Greg KH:
       "Here are a bunch of fixes/reverts for 6.10-rc6.  Included in here are:
      
         - revert the bunch of tty/serial/console changes that landed in -rc1
           that didn't quite work properly yet.
      
           Everyone agreed to just revert them for now and will work on making
           them better for a future release instead of trying to quick fix the
           existing changes this late in the release cycle
      
         - 8250 driver port count bugfix
      
         - Other tiny serial port bugfixes for reported issues
      
        All of these have been in linux-next this week with no reported
        issues"
      
      * tag 'tty-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        Revert "printk: Save console options for add_preferred_console_match()"
        Revert "printk: Don't try to parse DEVNAME:0.0 console options"
        Revert "printk: Flag register_console() if console is set on command line"
        Revert "serial: core: Add support for DEVNAME:0.0 style naming for kernel console"
        Revert "serial: core: Handle serial console options"
        Revert "serial: 8250: Add preferred console in serial8250_isa_init_ports()"
        Revert "Documentation: kernel-parameters: Add DEVNAME:0.0 format for serial ports"
        Revert "serial: 8250: Fix add preferred console for serial8250_isa_init_ports()"
        Revert "serial: core: Fix ifdef for serial base console functions"
        serial: bcm63xx-uart: fix tx after conversion to uart_port_tx_limited()
        serial: core: introduce uart_port_tx_limited_flags()
        Revert "serial: core: only stop transmit when HW fifo is empty"
        serial: imx: set receiver level before starting uart
        tty: mcf: MCF54418 has 10 UARTS
        serial: 8250_omap: Implementation of Errata i2310
        tty: serial: 8250: Fix port count mismatch with the device
    • Linus Torvalds's avatar
      Merge tag 'usb-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 2c01c3d5
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "Here are a handful of small USB driver fixes for 6.10-rc6 to resolve
        some reported issues. Included in here are:
      
         - typec driver bugfixes
      
         - usb gadget driver reverts for commits that were reported to have
           problems
      
         - resource leak bugfix
      
         - gadget driver bugfixes
      
         - dwc3 driver bugfixes
      
         - usb atm driver bugfix for when syzbot got loose on it
      
        All of these have been in linux-next this week with no reported issues"
      
      * tag 'usb-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        usb: dwc3: core: Workaround for CSR read timeout
        Revert "usb: gadget: u_ether: Replace netif_stop_queue with netif_device_detach"
        Revert "usb: gadget: u_ether: Re-attach netif device to mirror detachment"
        usb: gadget: aspeed_udc: fix device address configuration
        usb: dwc3: core: remove lock of otg mode during gadget suspend/resume to avoid deadlock
        usb: typec: ucsi: glink: fix child node release in probe function
        usb: musb: da8xx: fix a resource leak in probe()
        usb: typec: ucsi_acpi: Add LG Gram quirk
        usb: ucsi: stm32: fix command completion handling
        usb: atm: cxacru: fix endpoint checking in cxacru_bind()
        usb: gadget: printer: fix races against disable
        usb: gadget: printer: SS+ support
    • Linus Torvalds's avatar
      Merge tag 'smp_urgent_for_v6.10_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 3ffea9a7
      Linus Torvalds authored
      Pull smp fixes from Borislav Petkov:
      
       - Fix "nosmp" and "maxcpus=0" after the parallel CPU bringup work went
         in and broke them
      
       - Make sure CPU hotplug dynamic prepare states are actually executed
      
      * tag 'smp_urgent_for_v6.10_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        cpu: Fix broken cmdline "nosmp" and "maxcpus=0"
        cpu/hotplug: Fix dynstate assignment in __cpuhp_setup_state_cpuslocked()
    • Linus Torvalds's avatar
      Merge tag 'irq_urgent_for_v6.10_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 4e412160
      Linus Torvalds authored
      Pull irq fixes from Borislav Petkov:
      
       - Make sure multi-bridge machines get all eiointc interrupt controllers
         initialized even if the number of CPUs has been limited by a cmdline
         param
      
       - Make sure interrupt lines on liointc hw are configured properly even
         when interrupt routing changes
      
       - Avoid use-after-free in the error path of the MSI init code
      
      * tag 'irq_urgent_for_v6.10_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        PCI/MSI: Fix UAF in msi_capability_init
        irqchip/loongson-liointc: Set different ISRs for different cores
        irqchip/loongson-eiointc: Use early_cpu_to_node() instead of cpu_to_node()
    • Linus Torvalds's avatar
      Merge tag 'timers_urgent_for_v6.10_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 03c8b0bd
      Linus Torvalds authored
      Pull timer fix from Borislav Petkov:
      
       - Warn when an hrtimer doesn't get a callback supplied
      
      * tag 'timers_urgent_for_v6.10_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        hrtimer: Prevent queuing of hrtimer without a function callback
    • Linus Torvalds's avatar
      Merge tag 'linux-watchdog-6.10-rc-fixes' of git://www.linux-watchdog.org/linux-watchdog · 327fceff
      Linus Torvalds authored
      Pull watchdog fixes from Wim Van Sebroeck:
      
       - lenovo_se10_wdt: add HAS_IOPORT dependency
      
       - add missing MODULE_DESCRIPTION() macros
      
      * tag 'linux-watchdog-6.10-rc-fixes' of git://www.linux-watchdog.org/linux-watchdog:
        watchdog: add missing MODULE_DESCRIPTION() macros
        watchdog: lenovo_se10_wdt: add HAS_IOPORT dependency
    • Gao Xiang's avatar
      erofs: ensure m_llen is reset to 0 if metadata is invalid · 9b32b063
      Gao Xiang authored
      Sometimes, the on-disk metadata might be invalid due to user
      interrupts, storage failures, or other unknown causes.
      
      In that case, z_erofs_map_blocks_iter() may still return a valid
      m_llen while other fields remain invalid (e.g., m_plen can be 0).
      
      Since the return value of z_erofs_scan_folio() in some paths will
      be ignored on purpose, the following z_erofs_scan_folio() could
      then use the invalid value by accident.
      
      Let's reset m_llen to 0 to prevent this.
      
      Link: https://lore.kernel.org/r/20240629185743.2819229-1-hsiangkao@linux.alibaba.com
      Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
  5. 29 Jun, 2024 3 commits