- 08 Jul, 2021 1 commit
-
-
Alexey Gladkov authored
We must properly handle an errors when we increase the rlimit counter and the ucounts reference counter. We have to this with RCU protection to prevent possible use-after-free that could occur due to concurrent put_cred_rcu(). The following reproducer triggers the problem: $ cat testcase.sh case "${STEP:-0}" in 0) ulimit -Si 1 ulimit -Hi 1 STEP=1 unshare -rU "$0" killall sleep ;; 1) for i in 1 2 3 4 5; do unshare -rU sleep 5 & done ;; esac with the KASAN report being along the lines of BUG: KASAN: use-after-free in put_ucounts+0x17/0xa0 Write of size 4 at addr ffff8880045f031c by task swapper/2/0 CPU: 2 PID: 0 Comm: swapper/2 Not tainted 5.13.0+ #19 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-alt4 04/01/2014 Call Trace: <IRQ> put_ucounts+0x17/0xa0 put_cred_rcu+0xd5/0x190 rcu_core+0x3bf/0xcb0 __do_softirq+0xe3/0x341 irq_exit_rcu+0xbe/0xe0 sysvec_apic_timer_interrupt+0x6a/0x90 </IRQ> asm_sysvec_apic_timer_interrupt+0x12/0x20 default_idle_call+0x53/0x130 do_idle+0x311/0x3c0 cpu_startup_entry+0x14/0x20 secondary_startup_64_no_verify+0xc2/0xcb Allocated by task 127: kasan_save_stack+0x1b/0x40 __kasan_kmalloc+0x7c/0x90 alloc_ucounts+0x169/0x2b0 set_cred_ucounts+0xbb/0x170 ksys_unshare+0x24c/0x4e0 __x64_sys_unshare+0x16/0x20 do_syscall_64+0x37/0x70 entry_SYSCALL_64_after_hwframe+0x44/0xae Freed by task 0: kasan_save_stack+0x1b/0x40 kasan_set_track+0x1c/0x30 kasan_set_free_info+0x20/0x30 __kasan_slab_free+0xeb/0x120 kfree+0xaa/0x460 put_cred_rcu+0xd5/0x190 rcu_core+0x3bf/0xcb0 __do_softirq+0xe3/0x341 The buggy address belongs to the object at ffff8880045f0300 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 28 bytes inside of 192-byte region [ffff8880045f0300, ffff8880045f03c0) The buggy address belongs to the page: page:000000008de0a388 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880045f0000 pfn:0x45f0 flags: 0x100000000000200(slab|node=0|zone=1) raw: 0100000000000200 ffffea00000f4640 0000000a0000000a ffff888001042a00 raw: ffff8880045f0000 000000008010000d 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880045f0200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880045f0280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >ffff8880045f0300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880045f0380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8880045f0400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Disabling lock debugging due to kernel taint Fixes: d6469690 ("Reimplement RLIMIT_SIGPENDING on top of ucounts") Cc: Eric W. Biederman <ebiederm@xmission.com> Cc: Oleg Nesterov <oleg@redhat.com> Signed-off-by:Alexey Gladkov <legion@kernel.org> Signed-off-by:
Linus Torvalds <torvalds@linux-foundation.org>
-
- 07 Jul, 2021 39 commits
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pmLinus Torvalds authored
Pull more ACPI updates from Rafael Wysocki: "These include fixes of the recently introduced support for the Platform Runtime Mechanism (PRM) feature, a new backlight quirk, a suspend-to-idle wakeup fix for non-Intel platforms and a fix for the AMBA bus resource list in /proc/iomem. Specifics: - Fix up the recently added Platform Runtime Mechanism (PRM) support by correnting a couple of implementation mistakes in it and adding a Kconfig help text to describe it (Aubrey Li, Rafael Wysocki). - Add backlight quirk for Dell Vostro 3350 (Hans de Goede). - Avoid spurious wakeups from suspend-to-idle on non-Intel platforms by restricting special EC GPE handling to the Intel ones (Mario Limonciello). - Modify the AMBA bus support in ACPI to avoid adding using resource names in /proc/iomem (Liguang Zhang)" * tag 'acpi-5.14-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: ACPI: Do not singal PRM support if not enabled ACPI: Correct \_SB._OSC bit definition for PRM ACPI: Kconfig: Provide help text for the ACPI_PRMT option ACPI: PM: Only mark EC GPE for wakeup on Intel systems ACPI: video: Add quirk for the Dell Vostro 3350 ACPI: AMBA: Fix resource name in /proc/iomem -
git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pmLinus Torvalds authored
Pull more power management updates from Rafael Wysocki: "These include cpufreq core simplifications and fixes, cpufreq driver updates, cpuidle driver update, a generic power domains (genpd) locking fix and a debug-related simplification of the PM core. Specifics: - Drop the ->stop_cpu() (not really useful) and ->resolve_freq() (unused) cpufreq driver callbacks and modify the users of the former accordingly (Viresh Kumar, Rafael Wysocki). - Add frequency invariance support to the ACPI CPPC cpufreq driver again along with the related fixes and cleanups (Viresh Kumar). - Update the Meditak, qcom and SCMI ARM cpufreq drivers (Fabien Parent, Seiya Wang, Sibi Sankar, Christophe JAILLET). - Rename black/white-lists in the DT cpufreq driver (Viresh Kumar). - Add generic performance domains support to the dvfs DT bindings (Sudeep Holla). - Refine locking in the generic power domains (genpd) support code to avoid lock dependency issues (Stephen Boyd). - Update the MSM and qcom ARM cpuidle drivers (Bartosz Dudziak). - Simplify the PM core debug code by using ktime_us_delta() to compute time interval lengths (Mark-PK Tsai)" * tag 'pm-5.14-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: (21 commits) PM: domains: Shrink locking area of the gpd_list_lock PM: sleep: Use ktime_us_delta() in initcall_debug_report() cpufreq: CPPC: Add support for frequency invariance arch_topology: Avoid use-after-free for scale_freq_data cpufreq: CPPC: Pass structure instance by reference cpufreq: CPPC: Fix potential memleak in cppc_cpufreq_cpu_init cpufreq: Remove ->resolve_freq() cpufreq: Reuse cpufreq_driver_resolve_freq() in __cpufreq_driver_target() cpufreq: Remove the ->stop_cpu() driver callback cpufreq: powernv: Migrate to ->exit() callback instead of ->stop_cpu() cpufreq: CPPC: Migrate to ->exit() callback instead of ->stop_cpu() cpufreq: intel_pstate: Combine ->stop_cpu() and ->offline() cpuidle: qcom: Add SPM register data for MSM8226 dt-bindings: arm: msm: Add SAW2 for MSM8226 dt-bindings: cpufreq: update cpu type and clock name for MT8173 SoC clk: mediatek: remove deprecated CLK_INFRA_CA57SEL for MT8173 SoC cpufreq: dt: Rename black/white-lists cpufreq: scmi: Fix an error message cpufreq: mediatek: add support for mt8365 dt-bindings: dvfs: Add support for generic performance domains ... -
git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supplyLinus Torvalds authored
Pull power supply and reset updates from Sebastian Reichel: "Battery/charger driver changes: - convert charger-manager binding to YAML - drop bd70528-charger driver - drop pm2301-charger driver - introduce rt5033-battery driver - misc improvements and fixes" * tag 'for-v5.14' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply: (42 commits) power: supply: ab8500: Fix an old bug power: supply: axp288_fuel_gauge: remove redundant continue statement power: supply: axp288_fuel_gauge: Make "T3 MRD" no_battery_list DMI entry more generic power: supply: axp288_fuel_gauge: Rename fuel_gauge_blacklist to no_battery_list power: supply: bq24190_charger: drop of_match_ptr() from device ID table drivers: power: add missing MODULE_DEVICE_TABLE in keystone-reset.c power: supply: ab8500: add missing MODULE_DEVICE_TABLE power: supply: charger-manager: add missing MODULE_DEVICE_TABLE power: reset: regulator-poweroff: add missing MODULE_DEVICE_TABLE power: supply: cpcap-charger: get the battery inserted infomation from cpcap-battery power: supply: cpcap-battery: invalidate config when incompatible measurements are read power: supply: axp20x_battery: allow disabling battery charging power: supply: max17040: drop unused platform data support power: supply: max17040: simplify POWER_SUPPLY_PROP_ONLINE power: supply: max17040: remove non-working POWER_SUPPLY_PROP_STATUS power: reset: at91-sama5d2_shdwc: Remove redundant error printing in at91_shdwc_probe() power: reset: gpio-poweroff: add missing MODULE_DEVICE_TABLE power: supply: rt5033_battery: Fix device tree enumeration dt-bindings: power: supply: Add DT schema for richtek,rt5033-battery power: supply: Drop BD70528 support ...
-
git://www.linux-watchdog.org/linux-watchdogLinus Torvalds authored
Pull watchdog updates from Wim Van Sebroeck: - Add Mstar MSC313e WDT driver - Add support for sama7g5-wdt - Add compatible for SC7280 SoC - Add compatible for Mediatek MT8195 - sbsa: Support architecture version 1 - Removal of the MV64x60 watchdog driver - Extra PCI IDs for hpwdt - Add hrtimer-based pretimeout feature - Add {min,max}_timeout sysfs nodes - keembay timeout and pre-timeout handling - Several fixes, cleanups and improvements * tag 'linux-watchdog-5.14-rc1' of git://www.linux-watchdog.org/linux-watchdog: (56 commits) watchdog: iTCO_wdt: use dev_err() instead of pr_err() watchdog: Add Mstar MSC313e WDT driver dt-bindings: watchdog: Add Mstar MSC313e WDT devicetree bindings documentation watchdog: iTCO_wdt: Account for rebooting on second timeout dt-bindings: watchdog: Convert arm,sbsa-gwdt to DT schema dt-bindings: watchdog: sama5d4-wdt: add compatible for sama7g5-wdt watchdog: sama5d4_wdt: add support for sama7g5-wdt dt-bindings: watchdog: sama5d4-wdt: convert to yaml watchdog: ziirave_wdt: Remove VERSION_FMT defines and add sysfs newlines dt-bindings: watchdog: Add compatible for Mediatek MT8195 dt-bindings: watchdog: dw-wdt: add description for rk3568 watchdog: imx_sc_wdt: fix pretimeout watchdog: diag288_wdt: Remove redundant assignment watchdog: Add hrtimer-based pretimeout feature dt-bindings: watchdog: Add compatible for SC7280 SoC watchdog: qcom: Move suspend/resume to suspend_late/resume_early watchdog: Fix a typo in the file orion_wdt.c watchdog: jz4740: Fix return value check in jz4740_wdt_probe() watchdog: Remove MV64x60 watchdog driver doc: mtk-wdt: support pre-timeout when the bark irq is available ... -
git://linux-nfs.org/~bfields/linuxLinus Torvalds authored
Pull nfsd updates from Bruce Fields: - add tracepoints for callbacks and for client creation and destruction - cache the mounts used for server-to-server copies - expose callback information in /proc/fs/nfsd/clients/*/info - don't hold locks unnecessarily while waiting for commits - update NLM to use xdr_stream, as we have for NFSv2/v3/v4 * tag 'nfsd-5.14' of git://linux-nfs.org/~bfields/linux: (69 commits) nfsd: fix NULL dereference in nfs3svc_encode_getaclres NFSD: Prevent a possible oops in the nfs_dirent() tracepoint nfsd: remove redundant assignment to pointer 'this' nfsd: Reduce contention for the nfsd_file nf_rwsem lockd: Update the NLMv4 SHARE results encoder to use struct xdr_stream lockd: Update the NLMv4 nlm_res results encoder to use struct xdr_stream lockd: Update the NLMv4 TEST results encoder to use struct xdr_stream lockd: Update the NLMv4 void results encoder to use struct xdr_stream lockd: Update the NLMv4 FREE_ALL arguments decoder to use struct xdr_stream lockd: Update the NLMv4 SHARE arguments decoder to use struct xdr_stream lockd: Update the NLMv4 SM_NOTIFY arguments decoder to use struct xdr_stream lockd: Update the NLMv4 nlm_res arguments decoder to use struct xdr_stream lockd: Update the NLMv4 UNLOCK arguments decoder to use struct xdr_stream lockd: Update the NLMv4 CANCEL arguments decoder to use struct xdr_stream lockd: Update the NLMv4 LOCK arguments decoder to use struct xdr_stream lockd: Update the NLMv4 TEST arguments decoder to use struct xdr_stream lockd: Update the NLMv4 void arguments decoder to use struct xdr_stream lockd: Update the NLMv1 SHARE results encoder to use struct xdr_stream lockd: Update the NLMv1 nlm_res results encoder to use struct xdr_stream lockd: Update the NLMv1 TEST results encoder to use struct xdr_stream ...
-
git://git.kernel.org/pub/scm/linux/kernel/git/jeyu/linuxLinus Torvalds authored
Pull module updates from Jessica Yu: - Fix incorrect logic in module_kallsyms_on_each_symbol() - Fix for a Coccinelle warning * tag 'modules-for-v5.14' of git://git.kernel.org/pub/scm/linux/kernel/git/jeyu/linux: module: correctly exit module_kallsyms_on_each_symbol when fn() != 0 kernel/module: Use BUG_ON instead of if condition followed by BUG
-
Rafael J. Wysocki authored
* acpi-misc: ACPI: AMBA: Fix resource name in /proc/iomem * acpi-video: ACPI: video: Add quirk for the Dell Vostro 3350 * acpi-prm: ACPI: Do not singal PRM support if not enabled ACPI: Correct \_SB._OSC bit definition for PRM ACPI: Kconfig: Provide help text for the ACPI_PRMT option
-
Rafael J. Wysocki authored
* pm-cpuidle: cpuidle: qcom: Add SPM register data for MSM8226 dt-bindings: arm: msm: Add SAW2 for MSM8226 * pm-sleep: PM: sleep: Use ktime_us_delta() in initcall_debug_report() * pm-domains: PM: domains: Shrink locking area of the gpd_list_lock
-
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tipLinus Torvalds authored
Pull x86 fpu updates from Thomas Gleixner: "Fixes and improvements for FPU handling on x86: - Prevent sigaltstack out of bounds writes. The kernel unconditionally writes the FPU state to the alternate stack without checking whether the stack is large enough to accomodate it. Check the alternate stack size before doing so and in case it's too small force a SIGSEGV instead of silently corrupting user space data. - MINSIGSTKZ and SIGSTKSZ are constants in signal.h and have never been updated despite the fact that the FPU state which is stored on the signal stack has grown over time which causes trouble in the field when AVX512 is available on a CPU. The kernel does not expose the minimum requirements for the alternate stack size depending on the available and enabled CPU features. ARM already added an aux vector AT_MINSIGSTKSZ for the same reason. Add it to x86 as well. - A major cleanup of the x86 FPU code. The recent discoveries of XSTATE related issues unearthed quite some inconsistencies, duplicated code and other issues. The fine granular overhaul addresses this, makes the code more robust and maintainable, which allows to integrate upcoming XSTATE related features in sane ways" * tag 'x86-fpu-2021-07-07' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (74 commits) x86/fpu/xstate: Clear xstate header in copy_xstate_to_uabi_buf() again x86/fpu/signal: Let xrstor handle the features to init x86/fpu/signal: Handle #PF in the direct restore path x86/fpu: Return proper error codes from user access functions x86/fpu/signal: Split out the direct restore code x86/fpu/signal: Sanitize copy_user_to_fpregs_zeroing() x86/fpu/signal: Sanitize the xstate check on sigframe x86/fpu/signal: Remove the legacy alignment check x86/fpu/signal: Move initial checks into fpu__restore_sig() x86/fpu: Mark init_fpstate __ro_after_init x86/pkru: Remove xstate fiddling from write_pkru() x86/fpu: Don't store PKRU in xstate in fpu_reset_fpstate() x86/fpu: Remove PKRU handling from switch_fpu_finish() x86/fpu: Mask PKRU from kernel XRSTOR[S] operations x86/fpu: Hook up PKRU into ptrace() x86/fpu: Add PKRU storage outside of task XSAVE buffer x86/fpu: Dont restore PKRU in fpregs_restore_userspace() x86/fpu: Rename xfeatures_mask_user() to xfeatures_mask_uabi() x86/fpu: Move FXSAVE_LEAK quirk info __copy_kernel_to_fpregs() x86/fpu: Rename __fpregs_load_activate() to fpregs_restore_userregs() ... -
git://git.kernel.org/pub/scm/linux/kernel/git/xen/tipLinus Torvalds authored
Pull xen updates from Juergen Gross: "Only two minor patches this time: one cleanup patch and one patch refreshing a Xen header" * tag 'for-linus-5.14-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip: xen: sync include/xen/interface/io/ring.h with Xen's newest version xen: Use DEVICE_ATTR_*() macro
-
Linus Torvalds authored
Merge tag 'Wimplicit-fallthrough-clang-5.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gustavoars/linux Pull more fallthrough fixes from Gustavo Silva: "Fix maore fall-through warnings when building the kernel with clang and '-Wimplicit-fallthrough'" * tag 'Wimplicit-fallthrough-clang-5.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gustavoars/linux: Input: Fix fall-through warning for Clang scsi: aic94xx: Fix fall-through warning for Clang i3c: master: cdns: Fix fall-through warning for Clang net/mlx4: Fix fall-through warning for Clang
-
git://git.kernel.org/pub/scm/linux/kernel/git/andersson/remoteprocLinus Torvalds authored
Pull hwspinlock updates from Bjorn Andersson: "This adds a driver for the hardware spinlock in Allwinner sun6i" * tag 'hwlock-v5.14' of git://git.kernel.org/pub/scm/linux/kernel/git/andersson/remoteproc: dt-bindings: hwlock: sun6i: Fix various warnings in binding hwspinlock: add sun6i hardware spinlock support dt-bindings: hwlock: add sun6i_hwspinlock
-
git://git.kernel.org/pub/scm/linux/kernel/git/andersson/remoteprocLinus Torvalds authored
Pull remoteproc updates from Bjorn Andersson: "This adds support for controlling the PRU and R5F clusters on the TI AM64x, the remote processor in i.MX7ULP, i.MX8MN/P and i.MX8ULP NXP and the audio, compute and modem remoteprocs in the Qualcomm SC8180x platform. It fixes improper ordering of cdev and device creation of the remoteproc control interface and it fixes resource leaks in the error handling path of rproc_add() and the Qualcomm modem and wifi remoteproc drivers. Lastly it fixes a few build warnings and replace the dummy parameter passed in the mailbox api of the stm32 driver to something not living on the stack" * tag 'rproc-v5.14' of git://git.kernel.org/pub/scm/linux/kernel/git/andersson/remoteproc: (32 commits) remoteproc: qcom: pas: Add SC8180X adsp, cdsp and mpss dt-bindings: remoteproc: qcom: pas: Add SC8180X adsp, cdsp and mpss remoteproc: imx_rproc: support i.MX8ULP dt-bindings: remoteproc: imx_rproc: support i.MX8ULP remoteproc: stm32: fix mbox_send_message call remoteproc: core: Cleanup device in case of failure remoteproc: core: Fix cdev remove and rproc del remoteproc: core: Move validate before device add remoteproc: core: Move cdev add before device add remoteproc: pru: Add support for various PRU cores on K3 AM64x SoCs dt-bindings: remoteproc: pru: Update bindings for K3 AM64x SoCs remoteproc: qcom_wcnss: Use devm_qcom_smem_state_get() remoteproc: qcom_q6v5: Use devm_qcom_smem_state_get() to fix missing put() soc: qcom: smem_state: Add devm_qcom_smem_state_get() dt-bindings: remoteproc: qcom: pas: Fix indentation warnings remoteproc: imx-rproc: Fix IMX_REMOTEPROC configuration remoteproc: imx_rproc: support i.MX8MN/P remoteproc: imx_rproc: support i.MX7ULP remoteproc: imx_rproc: make clk optional remoteproc: imx_rproc: initial support for mutilple start/stop method ...
-
J. Bruce Fields authored
In error cases the dentry may be NULL. Before 20798dfe, the encoder also checked dentry and d_really_is_positive(dentry), but that looks like overkill to me--zero status should be enough to guarantee a positive dentry. This isn't the first time we've seen an error-case NULL dereference hidden in the initialization of a local variable in an xdr encoder. But I went back through the other recent rewrites and didn't spot any similar bugs. Reported-by:
JianHong Yin <jiyin@redhat.com> Reviewed-by:
Chuck Lever III <chuck.lever@oracle.com> Fixes: 20798dfe ("NFSD: Update the NFSv3 GETACL result encoder...") Signed-off-by:
J. Bruce Fields <bfields@redhat.com>
-
Chuck Lever authored
The double copy of the string is a mistake, plus __assign_str() uses strlen(), which is wrong to do on a string that isn't guaranteed to be NUL-terminated. Fixes: 6019ce07 ("NFSD: Add a tracepoint to record directory entry encoding") Signed-off-by:
-
Colin Ian King authored
The pointer 'this' is being initialized with a value that is never read and it is being updated later with a new value. The initialization is redundant and can be removed. Addresses-Coverity: ("Unused value") Signed-off-by:Colin Ian King <colin.king@canonical.com> Signed-off-by:
-
Trond Myklebust authored
When flushing out the unstable file writes as part of a COMMIT call, try to perform most of of the data writes and waits outside the semaphore. This means that if the client is sending the COMMIT as part of a memory reclaim operation, then it can continue performing I/O, with contention for the lock occurring only once the data sync is finished. Fixes: 5011af4c ("nfsd: Fix stable writes") Signed-off-by:
Trond Myklebust <trond.myklebust@hammerspace.com> Tested-by:
-
Chuck Lever authored
Signed-off-by:
-
Chuck Lever authored
Signed-off-by:
-
Chuck Lever authored
Signed-off-by:
-
Chuck Lever authored
Signed-off-by:
-
Chuck Lever authored
Signed-off-by:
-
Chuck Lever authored
Signed-off-by:
-
Chuck Lever authored
Signed-off-by:
-
Chuck Lever authored
Signed-off-by:
-
Chuck Lever authored
Signed-off-by:
-
Chuck Lever authored
Signed-off-by:
-
Chuck Lever authored
Signed-off-by:
-
Chuck Lever authored
Signed-off-by:
-
Chuck Lever authored
Signed-off-by:
-
Chuck Lever authored
Signed-off-by:
-
Chuck Lever authored
Signed-off-by:
-
Chuck Lever authored
Signed-off-by:
-
Chuck Lever authored
Signed-off-by:
-
Chuck Lever authored
Signed-off-by:
-
Chuck Lever authored
Signed-off-by:
-
Chuck Lever authored
Signed-off-by:
-
Chuck Lever authored
Signed-off-by:
-
Chuck Lever authored
Signed-off-by:
-
