From nobody Wed Apr 15 03:02:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 75EB7C19F28 for ; Wed, 27 Jul 2022 16:21:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234403AbiG0QVd (ORCPT ); Wed, 27 Jul 2022 12:21:33 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48402 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233758AbiG0QVa (ORCPT ); Wed, 27 Jul 2022 12:21:30 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 844884B0DD; Wed, 27 Jul 2022 09:21:27 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 1EF9CB821B9; Wed, 27 Jul 2022 16:21:26 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 60452C433D6; Wed, 27 Jul 2022 16:21:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658938884; bh=8xn9SkNodxw1bPbX8y0h2pTKciuSRCgCxEkMiLnTFr0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=CKIKe+HuS7rCS/qWGVR1lEIFrzI84fOA20JAUSFJIrF2GJ6lp34X8VHNE+Wby7yHe H9aiFtat3UvdyIVOZGxbxEyVQuaRQTsUHY2ftJxWtYyMyDWV2hcbKlANyskUImMiDE XcE3Lt74j7T0h5R1AhTZRdnyX85dvBOSVWrH0hVA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, yangshukui , Stephen Smalley , Casey Schaufler , Oleg Nesterov , Paul Moore , Alexander Grund Subject: [PATCH 4.9 01/26] security,selinux,smack: kill security_task_wait hook Date: Wed, 27 Jul 2022 18:10:30 +0200 Message-Id: <20220727160959.177769342@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727160959.122591422@linuxfoundation.org> References: <20220727160959.122591422@linuxfoundation.org> User-Agent: quilt/0.66 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Stephen Smalley commit 3a2f5a59a695a73e0cde9a61e0feae5fa730e936 upstream. As reported by yangshukui, a permission denial from security_task_wait() can lead to a soft lockup in zap_pid_ns_processes() since it only expects sys_wait4() to return 0 or -ECHILD. Further, security_task_wait() can in general lead to zombies; in the absence of some way to automatically reparent a child process upon a denial, the hook is not useful. Remove the security hook and its implementations in SELinux and Smack. Smack already removed its check from its hook. Reported-by: yangshukui Signed-off-by: Stephen Smalley Acked-by: Casey Schaufler Acked-by: Oleg Nesterov Signed-off-by: Paul Moore Signed-off-by: Alexander Grund Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan --- include/linux/lsm_hooks.h | 7 ------- include/linux/security.h | 6 ------ kernel/exit.c | 19 ++----------------- security/security.c | 6 ------ security/selinux/hooks.c | 6 ------ security/smack/smack_lsm.c | 20 -------------------- 6 files changed, 2 insertions(+), 62 deletions(-) --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -666,11 +666,6 @@ * @sig contains the signal value. * @secid contains the sid of the process where the signal originated * Return 0 if permission is granted. - * @task_wait: - * Check permission before allowing a process to reap a child process @p - * and collect its status information. - * @p contains the task_struct for process. - * Return 0 if permission is granted. * @task_prctl: * Check permission before performing a process control operation on the * current process. @@ -1507,7 +1502,6 @@ union security_list_options { int (*task_movememory)(struct task_struct *p); int (*task_kill)(struct task_struct *p, struct siginfo *info, int sig, u32 secid); - int (*task_wait)(struct task_struct *p); int (*task_prctl)(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5); void (*task_to_inode)(struct task_struct *p, struct inode *inode); @@ -1768,7 +1762,6 @@ struct security_hook_heads { struct list_head task_getscheduler; struct list_head task_movememory; struct list_head task_kill; - struct list_head task_wait; struct list_head task_prctl; struct list_head task_to_inode; struct list_head ipc_permission; --- a/include/linux/security.h +++ b/include/linux/security.h @@ -332,7 +332,6 @@ int security_task_getscheduler(struct ta int security_task_movememory(struct task_struct *p); int security_task_kill(struct task_struct *p, struct siginfo *info, int sig, u32 secid); -int security_task_wait(struct task_struct *p); int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5); void security_task_to_inode(struct task_struct *p, struct inode *inode); @@ -979,11 +978,6 @@ static inline int security_task_kill(str { return 0; } - -static inline int security_task_wait(struct task_struct *p) -{ - return 0; -} =20 static inline int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, --- a/kernel/exit.c +++ b/kernel/exit.c @@ -14,7 +14,6 @@ #include #include #include -#include #include #include #include @@ -1342,7 +1341,7 @@ static int wait_task_continued(struct wa * Returns nonzero for a final return, when we have unlocked tasklist_lock. * Returns zero if the search for a child should continue; * then ->notask_error is 0 if @p is an eligible child, - * or another error from security_task_wait(), or still -ECHILD. + * or still -ECHILD. */ static int wait_consider_task(struct wait_opts *wo, int ptrace, struct task_struct *p) @@ -1362,20 +1361,6 @@ static int wait_consider_task(struct wai if (!ret) return ret; =20 - ret =3D security_task_wait(p); - if (unlikely(ret < 0)) { - /* - * If we have not yet seen any eligible child, - * then let this error code replace -ECHILD. - * A permission error will give the user a clue - * to look for security policy problems, rather - * than for mysterious wait bugs. - */ - if (wo->notask_error) - wo->notask_error =3D ret; - return 0; - } - if (unlikely(exit_state =3D=3D EXIT_TRACE)) { /* * ptrace =3D=3D 0 means we are the natural parent. In this case @@ -1468,7 +1453,7 @@ static int wait_consider_task(struct wai * Returns nonzero for a final return, when we have unlocked tasklist_lock. * Returns zero if the search for a child should continue; then * ->notask_error is 0 if there were any eligible children, - * or another error from security_task_wait(), or still -ECHILD. + * or still -ECHILD. */ static int do_wait_thread(struct wait_opts *wo, struct task_struct *tsk) { --- a/security/security.c +++ b/security/security.c @@ -1032,11 +1032,6 @@ int security_task_kill(struct task_struc return call_int_hook(task_kill, 0, p, info, sig, secid); } =20 -int security_task_wait(struct task_struct *p) -{ - return call_int_hook(task_wait, 0, p); -} - int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5) { @@ -1776,7 +1771,6 @@ struct security_hook_heads security_hook .task_movememory =3D LIST_HEAD_INIT(security_hook_heads.task_movememory), .task_kill =3D LIST_HEAD_INIT(security_hook_heads.task_kill), - .task_wait =3D LIST_HEAD_INIT(security_hook_heads.task_wait), .task_prctl =3D LIST_HEAD_INIT(security_hook_heads.task_prctl), .task_to_inode =3D LIST_HEAD_INIT(security_hook_heads.task_to_inode), --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3951,11 +3951,6 @@ static int selinux_task_kill(struct task return rc; } =20 -static int selinux_task_wait(struct task_struct *p) -{ - return task_has_perm(p, current, PROCESS__SIGCHLD); -} - static void selinux_task_to_inode(struct task_struct *p, struct inode *inode) { @@ -6220,7 +6215,6 @@ static struct security_hook_list selinux LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), LSM_HOOK_INIT(task_movememory, selinux_task_movememory), LSM_HOOK_INIT(task_kill, selinux_task_kill), - LSM_HOOK_INIT(task_wait, selinux_task_wait), LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode), =20 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -2277,25 +2277,6 @@ static int smack_task_kill(struct task_s } =20 /** - * smack_task_wait - Smack access check for waiting - * @p: task to wait for - * - * Returns 0 - */ -static int smack_task_wait(struct task_struct *p) -{ - /* - * Allow the operation to succeed. - * Zombies are bad. - * In userless environments (e.g. phones) programs - * get marked with SMACK64EXEC and even if the parent - * and child shouldn't be talking the parent still - * may expect to know when the child exits. - */ - return 0; -} - -/** * smack_task_to_inode - copy task smack into the inode blob * @p: task to copy from * @inode: inode to copy to @@ -4686,7 +4667,6 @@ static struct security_hook_list smack_h LSM_HOOK_INIT(task_getscheduler, smack_task_getscheduler), LSM_HOOK_INIT(task_movememory, smack_task_movememory), LSM_HOOK_INIT(task_kill, smack_task_kill), - LSM_HOOK_INIT(task_wait, smack_task_wait), LSM_HOOK_INIT(task_to_inode, smack_task_to_inode), =20 LSM_HOOK_INIT(ipc_permission, smack_ipc_permission), From nobody Wed Apr 15 03:02:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 311D1C04A68 for ; Wed, 27 Jul 2022 16:22:50 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235477AbiG0QWs (ORCPT ); Wed, 27 Jul 2022 12:22:48 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48996 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235167AbiG0QWS (ORCPT ); Wed, 27 Jul 2022 12:22:18 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DC49D4C62D; Wed, 27 Jul 2022 09:22:16 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 9B224B821B8; Wed, 27 Jul 2022 16:22:15 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 11643C433C1; Wed, 27 Jul 2022 16:22:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658938934; bh=96Yp01INqk4vclDXyo1+6YDE4nH4XzddMCjEGZ5p7rY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=posC507LfQiEf+us8xeeUoCtFNDtHhlRbCZeMsgexfOmwAHAPu7hmWZDv1eZ0/M4g hZF1zCkwhNLbFI1xv9G1xQ6XTCd6sYnTi2AZUZv+VaidBQ8/DcxNTmtpch8RCfAtpN r+2cPpv7NAWnSagZABHAD5pmu48gD98Bpo7kUGYk= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Juergen Gross , Demi Marie Obenour , Oleksandr Tyshchenko Subject: [PATCH 4.9 02/26] xen/gntdev: Ignore failure to unmap INVALID_GRANT_HANDLE Date: Wed, 27 Jul 2022 18:10:31 +0200 Message-Id: <20220727160959.227277100@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727160959.122591422@linuxfoundation.org> References: <20220727160959.122591422@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Demi Marie Obenour commit 166d3863231667c4f64dee72b77d1102cdfad11f upstream. The error paths of gntdev_mmap() can call unmap_grant_pages() even though not all of the pages have been successfully mapped. This will trigger the WARN_ON()s in __unmap_grant_pages_done(). The number of warnings can be very large; I have observed thousands of lines of warnings in the systemd journal. Avoid this problem by only warning on unmapping failure if the handle being unmapped is not INVALID_GRANT_HANDLE. The handle field of any page that was not successfully mapped will be INVALID_GRANT_HANDLE, so this catches all cases where unmapping can legitimately fail. Fixes: dbe97cff7dd9 ("xen/gntdev: Avoid blocking in unmap_grant_pages()") Cc: stable@vger.kernel.org Suggested-by: Juergen Gross Signed-off-by: Demi Marie Obenour Reviewed-by: Oleksandr Tyshchenko Reviewed-by: Juergen Gross Link: https://lore.kernel.org/r/20220710230522.1563-1-demi@invisiblethingsl= ab.com Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan --- drivers/xen/gntdev.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/drivers/xen/gntdev.c +++ b/drivers/xen/gntdev.c @@ -390,7 +390,8 @@ static void __unmap_grant_pages_done(int unsigned int offset =3D data->unmap_ops - map->unmap_ops; =20 for (i =3D 0; i < data->count; i++) { - WARN_ON(map->unmap_ops[offset+i].status); + WARN_ON(map->unmap_ops[offset+i].status && + map->unmap_ops[offset+i].handle !=3D -1); pr_debug("unmap handle=3D%d st=3D%d\n", map->unmap_ops[offset+i].handle, map->unmap_ops[offset+i].status); From nobody Wed Apr 15 03:02:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 554CDC04A68 for ; Wed, 27 Jul 2022 16:22:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235602AbiG0QW4 (ORCPT ); Wed, 27 Jul 2022 12:22:56 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49732 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234655AbiG0QWT (ORCPT ); Wed, 27 Jul 2022 12:22:19 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2F49A31238; Wed, 27 Jul 2022 09:22:18 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id BDD5F617F2; Wed, 27 Jul 2022 16:22:17 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id C9BB8C433D6; Wed, 27 Jul 2022 16:22:16 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658938937; bh=W0lvLWRqYa1fiPWsJ4x6rwuPCznc0fHthtTnPYl25eU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=R+IcPuRTzoL2N/qn4yPsjFaZQ5xic8erlMA9uXqPwT2xkWR8dfXooVYmFnjdVU04i fKCs2IZAs0nNpAiL0HgbSPFO8meLlLbxJ+BcBZTSUDZtQIMbWY4Nmf6E+ZgIfg5499 uRpbSbIQkqBnJ9VR/rxPux8LeYMzaiadEdJn9co8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Shuah Khan , stable , Sasha Levin Subject: [PATCH 4.9 03/26] misc: rtsx_usb: fix use of dma mapped buffer for usb bulk transfer Date: Wed, 27 Jul 2022 18:10:32 +0200 Message-Id: <20220727160959.266460602@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727160959.122591422@linuxfoundation.org> References: <20220727160959.122591422@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Shuah Khan [ Upstream commit eb7f8e28420372787933eec079735c35034bda7d ] rtsx_usb driver allocates coherent dma buffer for urb transfers. This buffer is passed to usb_bulk_msg() and usb core tries to map already mapped buffer running into a dma mapping error. xhci_hcd 0000:01:00.0: rejecting DMA map of vmalloc memory WARNING: CPU: 1 PID: 279 at include/linux/dma-mapping.h:326 usb_ hcd_map_ur= b_for_dma+0x7d6/0x820 ... xhci_map_urb_for_dma+0x291/0x4e0 usb_hcd_submit_urb+0x199/0x12b0 ... usb_submit_urb+0x3b8/0x9e0 usb_start_wait_urb+0xe3/0x2d0 usb_bulk_msg+0x115/0x240 rtsx_usb_transfer_data+0x185/0x1a8 [rtsx_usb] rtsx_usb_send_cmd+0xbb/0x123 [rtsx_usb] rtsx_usb_write_register+0x12c/0x143 [rtsx_usb] rtsx_usb_probe+0x226/0x4b2 [rtsx_usb] Fix it to use kmalloc() to get DMA-able memory region instead. Signed-off-by: Shuah Khan Cc: stable Link: https://lore.kernel.org/r/667d627d502e1ba9ff4f9b94966df3299d2d3c0d.16= 56642167.git.skhan@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan --- drivers/mfd/rtsx_usb.c | 13 +++++++------ include/linux/mfd/rtsx_usb.h | 1 - 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/drivers/mfd/rtsx_usb.c b/drivers/mfd/rtsx_usb.c index e94f855eac15..b0ebd2299599 100644 --- a/drivers/mfd/rtsx_usb.c +++ b/drivers/mfd/rtsx_usb.c @@ -642,8 +642,7 @@ static int rtsx_usb_probe(struct usb_interface *intf, =20 ucr->pusb_dev =3D usb_dev; =20 - ucr->iobuf =3D usb_alloc_coherent(ucr->pusb_dev, IOBUF_SIZE, - GFP_KERNEL, &ucr->iobuf_dma); + ucr->iobuf =3D kmalloc(IOBUF_SIZE, GFP_KERNEL); if (!ucr->iobuf) return -ENOMEM; =20 @@ -679,8 +678,9 @@ static int rtsx_usb_probe(struct usb_interface *intf, =20 out_init_fail: usb_set_intfdata(ucr->pusb_intf, NULL); - usb_free_coherent(ucr->pusb_dev, IOBUF_SIZE, ucr->iobuf, - ucr->iobuf_dma); + kfree(ucr->iobuf); + ucr->iobuf =3D NULL; + ucr->cmd_buf =3D ucr->rsp_buf =3D NULL; return ret; } =20 @@ -693,8 +693,9 @@ static void rtsx_usb_disconnect(struct usb_interface *i= ntf) mfd_remove_devices(&intf->dev); =20 usb_set_intfdata(ucr->pusb_intf, NULL); - usb_free_coherent(ucr->pusb_dev, IOBUF_SIZE, ucr->iobuf, - ucr->iobuf_dma); + kfree(ucr->iobuf); + ucr->iobuf =3D NULL; + ucr->cmd_buf =3D ucr->rsp_buf =3D NULL; } =20 #ifdef CONFIG_PM diff --git a/include/linux/mfd/rtsx_usb.h b/include/linux/mfd/rtsx_usb.h index c446e4fd6b5c..d3d231afb17c 100644 --- a/include/linux/mfd/rtsx_usb.h +++ b/include/linux/mfd/rtsx_usb.h @@ -66,7 +66,6 @@ struct rtsx_ucr { struct usb_interface *pusb_intf; struct usb_sg_request current_sg; unsigned char *iobuf; - dma_addr_t iobuf_dma; =20 struct timer_list sg_timer; struct mutex dev_mutex; --=20 2.35.1 From nobody Wed Apr 15 03:02:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9D640C04A68 for ; Wed, 27 Jul 2022 16:23:02 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235643AbiG0QW7 (ORCPT ); Wed, 27 Jul 2022 12:22:59 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49232 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235089AbiG0QWY (ORCPT ); Wed, 27 Jul 2022 12:22:24 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E8DE14BD3F; Wed, 27 Jul 2022 09:22:22 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 797E1B821B9; Wed, 27 Jul 2022 16:22:21 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id B6CE4C433D6; Wed, 27 Jul 2022 16:22:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658938940; bh=wqVnnehyqL07Uxo1ruuI3rShLmuNDpQvGUe5zZS3fY8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=AOapQWjYtgjxw/AY5WqBIYDNI/RNdSpxLCsuDNfd3dqfkLM2GBuhWYcvLcjZ8gLud r2ZZRdZsmo5KxWERoWZx3VWlMfQE/wxigtlk63f5HyxZPIGvVyb+1asV3iv7kPqfFX 4Jk++lLqObMmXG4sPei/eqdJgRvZpErLkLMrnWDY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Shuah Khan , stable , Sasha Levin Subject: [PATCH 4.9 04/26] misc: rtsx_usb: use separate command and response buffers Date: Wed, 27 Jul 2022 18:10:33 +0200 Message-Id: <20220727160959.317226011@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727160959.122591422@linuxfoundation.org> References: <20220727160959.122591422@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Shuah Khan [ Upstream commit 3776c78559853fd151be7c41e369fd076fb679d5 ] rtsx_usb uses same buffer for command and response. There could be a potential conflict using the same buffer for both especially if retries and timeouts are involved. Use separate command and response buffers to avoid conflicts. Signed-off-by: Shuah Khan Cc: stable Link: https://lore.kernel.org/r/07e3721804ff07aaab9ef5b39a5691d0718b9ade.16= 56642167.git.skhan@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan --- drivers/mfd/rtsx_usb.c | 26 +++++++++++++++++--------- include/linux/mfd/rtsx_usb.h | 1 - 2 files changed, 17 insertions(+), 10 deletions(-) diff --git a/drivers/mfd/rtsx_usb.c b/drivers/mfd/rtsx_usb.c index b0ebd2299599..134c6fbd9c50 100644 --- a/drivers/mfd/rtsx_usb.c +++ b/drivers/mfd/rtsx_usb.c @@ -642,15 +642,18 @@ static int rtsx_usb_probe(struct usb_interface *intf, =20 ucr->pusb_dev =3D usb_dev; =20 - ucr->iobuf =3D kmalloc(IOBUF_SIZE, GFP_KERNEL); - if (!ucr->iobuf) + ucr->cmd_buf =3D kmalloc(IOBUF_SIZE, GFP_KERNEL); + if (!ucr->cmd_buf) return -ENOMEM; =20 + ucr->rsp_buf =3D kmalloc(IOBUF_SIZE, GFP_KERNEL); + if (!ucr->rsp_buf) + goto out_free_cmd_buf; + usb_set_intfdata(intf, ucr); =20 ucr->vendor_id =3D id->idVendor; ucr->product_id =3D id->idProduct; - ucr->cmd_buf =3D ucr->rsp_buf =3D ucr->iobuf; =20 mutex_init(&ucr->dev_mutex); =20 @@ -678,9 +681,11 @@ static int rtsx_usb_probe(struct usb_interface *intf, =20 out_init_fail: usb_set_intfdata(ucr->pusb_intf, NULL); - kfree(ucr->iobuf); - ucr->iobuf =3D NULL; - ucr->cmd_buf =3D ucr->rsp_buf =3D NULL; + kfree(ucr->rsp_buf); + ucr->rsp_buf =3D NULL; +out_free_cmd_buf: + kfree(ucr->cmd_buf); + ucr->cmd_buf =3D NULL; return ret; } =20 @@ -693,9 +698,12 @@ static void rtsx_usb_disconnect(struct usb_interface *= intf) mfd_remove_devices(&intf->dev); =20 usb_set_intfdata(ucr->pusb_intf, NULL); - kfree(ucr->iobuf); - ucr->iobuf =3D NULL; - ucr->cmd_buf =3D ucr->rsp_buf =3D NULL; + + kfree(ucr->cmd_buf); + ucr->cmd_buf =3D NULL; + + kfree(ucr->rsp_buf); + ucr->rsp_buf =3D NULL; } =20 #ifdef CONFIG_PM diff --git a/include/linux/mfd/rtsx_usb.h b/include/linux/mfd/rtsx_usb.h index d3d231afb17c..09b08ff08830 100644 --- a/include/linux/mfd/rtsx_usb.h +++ b/include/linux/mfd/rtsx_usb.h @@ -65,7 +65,6 @@ struct rtsx_ucr { struct usb_device *pusb_dev; struct usb_interface *pusb_intf; struct usb_sg_request current_sg; - unsigned char *iobuf; =20 struct timer_list sg_timer; struct mutex dev_mutex; --=20 2.35.1 From nobody Wed Apr 15 03:02:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id DDCD3C19F28 for ; Wed, 27 Jul 2022 16:23:05 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235303AbiG0QXE (ORCPT ); Wed, 27 Jul 2022 12:23:04 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49902 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235145AbiG0QWZ (ORCPT ); Wed, 27 Jul 2022 12:22:25 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2AA004C616; Wed, 27 Jul 2022 09:22:24 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 9BFD2619BF; Wed, 27 Jul 2022 16:22:23 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id A4222C433C1; Wed, 27 Jul 2022 16:22:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658938943; bh=Okep6Jt9kN+VW7sygVkWdndpohFXPsorOiiSUiUZ+hg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ChQ7W6KZCqqJAap7GUPP/VWaoB1kEC/bdsPNCqocES1gOCthw5C9JJCMcNvcAk5Bv tST07GjBqjbAcFG8O4lDmec+YkJqWEzA43zSBiDvBvpKsKBlLkNmLOyZmNOFbhhEBX Ld8qIvCMshOMPK5kP9wT5Mj+kXn3jOLzytjMHvt4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, kernel test robot , stable , Shuah Khan , Sasha Levin Subject: [PATCH 4.9 05/26] misc: rtsx_usb: set return value in rsp_buf alloc err path Date: Wed, 27 Jul 2022 18:10:34 +0200 Message-Id: <20220727160959.355318920@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727160959.122591422@linuxfoundation.org> References: <20220727160959.122591422@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Shuah Khan [ Upstream commit 2cd37c2e72449a7add6da1183d20a6247d6db111 ] Set return value in rsp_buf alloc error path before going to error handling. drivers/misc/cardreader/rtsx_usb.c:639:6: warning: variable 'ret' is used u= ninitialized whenever 'if' condition is true [-Wsometimes-uninitialized] if (!ucr->rsp_buf) ^~~~~~~~~~~~~ drivers/misc/cardreader/rtsx_usb.c:678:9: note: uninitialized use occurs= here return ret; ^~~ drivers/misc/cardreader/rtsx_usb.c:639:2: note: remove the 'if' if its c= ondition is always false if (!ucr->rsp_buf) ^~~~~~~~~~~~~~~~~~ drivers/misc/cardreader/rtsx_usb.c:622:9: note: initialize the variable = 'ret' to silence this warning int ret; ^ =3D 0 Fixes: 3776c7855985 ("misc: rtsx_usb: use separate command and response buf= fers") Reported-by: kernel test robot Cc: stable Signed-off-by: Shuah Khan Link: https://lore.kernel.org/r/20220701165352.15687-1-skhan@linuxfoundatio= n.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan --- drivers/mfd/rtsx_usb.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/mfd/rtsx_usb.c b/drivers/mfd/rtsx_usb.c index 134c6fbd9c50..fd859a7872a6 100644 --- a/drivers/mfd/rtsx_usb.c +++ b/drivers/mfd/rtsx_usb.c @@ -647,8 +647,10 @@ static int rtsx_usb_probe(struct usb_interface *intf, return -ENOMEM; =20 ucr->rsp_buf =3D kmalloc(IOBUF_SIZE, GFP_KERNEL); - if (!ucr->rsp_buf) + if (!ucr->rsp_buf) { + ret =3D -ENOMEM; goto out_free_cmd_buf; + } =20 usb_set_intfdata(intf, ucr); =20 --=20 2.35.1 From nobody Wed Apr 15 03:02:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3B139C04A68 for ; Wed, 27 Jul 2022 16:23:11 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235146AbiG0QXI (ORCPT ); Wed, 27 Jul 2022 12:23:08 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49586 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235148AbiG0QW1 (ORCPT ); Wed, 27 Jul 2022 12:22:27 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C97654C610; Wed, 27 Jul 2022 09:22:26 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 67430619C0; Wed, 27 Jul 2022 16:22:26 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6EB61C433D6; Wed, 27 Jul 2022 16:22:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658938945; bh=LU/6JYDmJVCAIJc5hn/I2FwrmPcI5S2waUtTQhLrexc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ZKa4Nvu8Or5wp11BxNsgYkSdbIOPuPaHrKPbr5kM2wTubAKTZpgle/cHW+J9Nz9lX C5PA/nVh5XUiJMFFgNgbogM9n39F/GScBDBeUrcLXAbKi9hCr1sa1ZSBpCNL8E4MxD Z9X3V//ozgRbcHwoI/umUv1KumXQ2Z82fipjdK20= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hangyu Hua , Steffen Klassert , Sasha Levin Subject: [PATCH 4.9 06/26] xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in xfrm_bundle_lookup() Date: Wed, 27 Jul 2022 18:10:35 +0200 Message-Id: <20220727160959.403628194@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727160959.122591422@linuxfoundation.org> References: <20220727160959.122591422@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Hangyu Hua [ Upstream commit f85daf0e725358be78dfd208dea5fd665d8cb901 ] xfrm_policy_lookup() will call xfrm_pol_hold_rcu() to get a refcount of pols[0]. This refcount can be dropped in xfrm_expand_policies() when xfrm_expand_policies() return error. pols[0]'s refcount is balanced in here. But xfrm_bundle_lookup() will also call xfrm_pols_put() with num_pols =3D=3D 1 to drop this refcount when xfrm_expand_policies() return error. This patch also fix an illegal address access. pols[0] will save a error point when xfrm_policy_lookup fails. This lead to xfrm_pols_put to resolve an illegal address in xfrm_bundle_lookup's error path. Fix these by setting num_pols =3D 0 in xfrm_expand_policies()'s error path. Fixes: 80c802f3073e ("xfrm: cache bundles instead of policies for outgoing = flows") Signed-off-by: Hangyu Hua Signed-off-by: Steffen Klassert Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan --- net/xfrm/xfrm_policy.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 9179b47e8b61..0894108f561c 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -1819,8 +1819,10 @@ static int xfrm_expand_policies(const struct flowi *= fl, u16 family, *num_xfrms =3D 0; return 0; } - if (IS_ERR(pols[0])) + if (IS_ERR(pols[0])) { + *num_pols =3D 0; return PTR_ERR(pols[0]); + } =20 *num_xfrms =3D pols[0]->xfrm_nr; =20 @@ -1834,6 +1836,7 @@ static int xfrm_expand_policies(const struct flowi *f= l, u16 family, if (pols[1]) { if (IS_ERR(pols[1])) { xfrm_pols_put(pols, *num_pols); + *num_pols =3D 0; return PTR_ERR(pols[1]); } (*num_pols)++; --=20 2.35.1 From nobody Wed Apr 15 03:02:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id CFB45C04A68 for ; Wed, 27 Jul 2022 16:23:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235405AbiG0QXO (ORCPT ); Wed, 27 Jul 2022 12:23:14 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50112 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234321AbiG0QWa (ORCPT ); Wed, 27 Jul 2022 12:22:30 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 964A14C60C; Wed, 27 Jul 2022 09:22:29 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 3386F619C2; Wed, 27 Jul 2022 16:22:29 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 422FBC433C1; Wed, 27 Jul 2022 16:22:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658938948; bh=0ZqCx0f3w4xzVKM7hqpvqH6GcIZzjcZOSWtNS/jyHXo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=XSV1hdKt6V754sRIH7Vjdw/5fop1z3QY+sxBvQXkkxc2KV+N6YSJxznVRbWcql+ia Ib5Cs0mWWh9986usaB6KUXied3NlTEh3YeCqxHMZvIVCbxKamIdOniSD5mrnzGKukd Xx/fYlxR2du231XZnMhIlcwjLyg4iy5qwIxdBoCg= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Miaoqian Lin , Linus Walleij , Sebastian Reichel , Sasha Levin Subject: [PATCH 4.9 07/26] power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe Date: Wed, 27 Jul 2022 18:10:36 +0200 Message-Id: <20220727160959.441094057@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727160959.122591422@linuxfoundation.org> References: <20220727160959.122591422@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Miaoqian Lin [ Upstream commit 80192eff64eee9b3bc0594a47381937b94b9d65a ] of_find_matching_node_and_match() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() to avoid refcount leak. Fixes: 0e545f57b708 ("power: reset: driver for the Versatile syscon reboot") Signed-off-by: Miaoqian Lin Reviewed-by: Linus Walleij Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan --- drivers/power/reset/arm-versatile-reboot.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/power/reset/arm-versatile-reboot.c b/drivers/power/res= et/arm-versatile-reboot.c index 06d34ab47df5..8022c782f6ff 100644 --- a/drivers/power/reset/arm-versatile-reboot.c +++ b/drivers/power/reset/arm-versatile-reboot.c @@ -150,6 +150,7 @@ static int __init versatile_reboot_probe(void) versatile_reboot_type =3D (enum versatile_reboot)reboot_id->data; =20 syscon_regmap =3D syscon_node_to_regmap(np); + of_node_put(np); if (IS_ERR(syscon_regmap)) return PTR_ERR(syscon_regmap); =20 --=20 2.35.1 From nobody Wed Apr 15 03:02:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id E9018C04A68 for ; Wed, 27 Jul 2022 16:23:21 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235415AbiG0QXU (ORCPT ); Wed, 27 Jul 2022 12:23:20 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50272 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235290AbiG0QWe (ORCPT ); Wed, 27 Jul 2022 12:22:34 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C02124C63E; Wed, 27 Jul 2022 09:22:32 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 164AB619CF; Wed, 27 Jul 2022 16:22:32 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 2147CC433C1; Wed, 27 Jul 2022 16:22:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658938951; bh=NMyaYYWxf/ULHaECuZCZVydUJ95hFLVj6k8iREKs9Xg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=SlI3SD5N8pldrlS7O5G/iNvRXrvMLFs0SC0CJmWtbxwZMKKWgl1RVlGkh7sn+ljHL Lv1roMvpkmC4kYb/azzFNprUVMaeD9jeyCWQNoLnjQVDrFvCuah7Em/aHwIEf0oe7y fADbOrim+a1rmoSZcMCyfgBa/KPPWEK5QOX1q9Ww= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Yang Jihong , "Peter Zijlstra (Intel)" , Sasha Levin Subject: [PATCH 4.9 08/26] perf/core: Fix data race between perf_event_set_output() and perf_mmap_close() Date: Wed, 27 Jul 2022 18:10:37 +0200 Message-Id: <20220727160959.472445849@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727160959.122591422@linuxfoundation.org> References: <20220727160959.122591422@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Peter Zijlstra [ Upstream commit 68e3c69803dada336893640110cb87221bb01dcf ] Yang Jihing reported a race between perf_event_set_output() and perf_mmap_close(): CPU1 CPU2 perf_mmap_close(e2) if (atomic_dec_and_test(&e2->rb->mmap_count)) // 1 - > 0 detach_rest =3D true ioctl(e1, IOC_SET_OUTPUT, e2) perf_event_set_output(e1, e2) ... list_for_each_entry_rcu(e, &e2->rb->event_list, rb_entry) ring_buffer_attach(e, NULL); // e1 isn't yet added and // therefore not detached ring_buffer_attach(e1, e2->rb) list_add_rcu(&e1->rb_entry, &e2->rb->event_list) After this; e1 is attached to an unmapped rb and a subsequent perf_mmap() will loop forever more: again: mutex_lock(&e->mmap_mutex); if (event->rb) { ... if (!atomic_inc_not_zero(&e->rb->mmap_count)) { ... mutex_unlock(&e->mmap_mutex); goto again; } } The loop in perf_mmap_close() holds e2->mmap_mutex, while the attach in perf_event_set_output() holds e1->mmap_mutex. As such there is no serialization to avoid this race. Change perf_event_set_output() to take both e1->mmap_mutex and e2->mmap_mutex to alleviate that problem. Additionally, have the loop in perf_mmap() detach the rb directly, this avoids having to wait for the concurrent perf_mmap_close() to get around to doing it to make progress. Fixes: 9bb5d40cd93c ("perf: Fix mmap() accounting hole") Reported-by: Yang Jihong Signed-off-by: Peter Zijlstra (Intel) Tested-by: Yang Jihong Link: https://lkml.kernel.org/r/YsQ3jm2GR38SW7uD@worktop.programming.kicks-= ass.net Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan --- kernel/events/core.c | 45 ++++++++++++++++++++++++++++++-------------- 1 file changed, 31 insertions(+), 14 deletions(-) diff --git a/kernel/events/core.c b/kernel/events/core.c index 2466e2ae54dc..58ef731d52c7 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -5291,10 +5291,10 @@ static int perf_mmap(struct file *file, struct vm_a= rea_struct *vma) =20 if (!atomic_inc_not_zero(&event->rb->mmap_count)) { /* - * Raced against perf_mmap_close() through - * perf_event_set_output(). Try again, hope for better - * luck. + * Raced against perf_mmap_close(); remove the + * event and try again. */ + ring_buffer_attach(event, NULL); mutex_unlock(&event->mmap_mutex); goto again; } @@ -9542,14 +9542,25 @@ static int perf_copy_attr(struct perf_event_attr __= user *uattr, goto out; } =20 +static void mutex_lock_double(struct mutex *a, struct mutex *b) +{ + if (b < a) + swap(a, b); + + mutex_lock(a); + mutex_lock_nested(b, SINGLE_DEPTH_NESTING); +} + static int perf_event_set_output(struct perf_event *event, struct perf_event *output_= event) { struct ring_buffer *rb =3D NULL; int ret =3D -EINVAL; =20 - if (!output_event) + if (!output_event) { + mutex_lock(&event->mmap_mutex); goto set; + } =20 /* don't allow circular references */ if (event =3D=3D output_event) @@ -9587,8 +9598,15 @@ perf_event_set_output(struct perf_event *event, stru= ct perf_event *output_event) event->pmu !=3D output_event->pmu) goto out; =20 + /* + * Hold both mmap_mutex to serialize against perf_mmap_close(). Since + * output_event is already on rb->event_list, and the list iteration + * restarts after every removal, it is guaranteed this new event is + * observed *OR* if output_event is already removed, it's guaranteed we + * observe !rb->mmap_count. + */ + mutex_lock_double(&event->mmap_mutex, &output_event->mmap_mutex); set: - mutex_lock(&event->mmap_mutex); /* Can't redirect output if we've got an active mmap() */ if (atomic_read(&event->mmap_count)) goto unlock; @@ -9598,6 +9616,12 @@ perf_event_set_output(struct perf_event *event, stru= ct perf_event *output_event) rb =3D ring_buffer_get(output_event); if (!rb) goto unlock; + + /* did we race against perf_mmap_close() */ + if (!atomic_read(&rb->mmap_count)) { + ring_buffer_put(rb); + goto unlock; + } } =20 ring_buffer_attach(event, rb); @@ -9605,20 +9629,13 @@ perf_event_set_output(struct perf_event *event, str= uct perf_event *output_event) ret =3D 0; unlock: mutex_unlock(&event->mmap_mutex); + if (output_event) + mutex_unlock(&output_event->mmap_mutex); =20 out: return ret; } =20 -static void mutex_lock_double(struct mutex *a, struct mutex *b) -{ - if (b < a) - swap(a, b); - - mutex_lock(a); - mutex_lock_nested(b, SINGLE_DEPTH_NESTING); -} - static int perf_event_set_clock(struct perf_event *event, clockid_t clk_id) { bool nmi_safe =3D false; --=20 2.35.1 From nobody Wed Apr 15 03:02:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 29DD2C19F28 for ; Wed, 27 Jul 2022 16:23:25 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235838AbiG0QXW (ORCPT ); Wed, 27 Jul 2022 12:23:22 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50396 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235361AbiG0QWg (ORCPT ); Wed, 27 Jul 2022 12:22:36 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4C6C04D151; Wed, 27 Jul 2022 09:22:35 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 9F21D617F2; Wed, 27 Jul 2022 16:22:34 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id B00B6C433D7; Wed, 27 Jul 2022 16:22:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658938954; bh=FFNPAA1oV66r9wF2ZPiFXCs/NafvjNsgtCw0tpuA1Ls=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=yNPj1JALmxyghhyHztMPbvMa9UBPP+65aTDMBPP37fByr1mLmpBCEHoEip40H9174 kEPdVf7VNKKgb2NmYwCqCEwDYSY8+39PLdLTEn6ZMIrqs/d+/ZE56ZxTGNgYNbIGtX HvhPNyowiuDkMwelRIEQ475QmMly6vFf5/bozkIY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 4.9 09/26] ip: Fix a data-race around sysctl_fwmark_reflect. Date: Wed, 27 Jul 2022 18:10:38 +0200 Message-Id: <20220727160959.512108187@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727160959.122591422@linuxfoundation.org> References: <20220727160959.122591422@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 85d0b4dbd74b95cc492b1f4e34497d3f894f5d9a ] While reading sysctl_fwmark_reflect, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: e110861f8609 ("net: add a sysctl to reflect the fwmark on replies") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan --- include/net/ip.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/net/ip.h b/include/net/ip.h index c762fd047ef4..f0e13a256582 100644 --- a/include/net/ip.h +++ b/include/net/ip.h @@ -283,7 +283,7 @@ void ipfrag_init(void); void ip_static_sysctl_init(void); =20 #define IP4_REPLY_MARK(net, mark) \ - ((net)->ipv4.sysctl_fwmark_reflect ? (mark) : 0) + (READ_ONCE((net)->ipv4.sysctl_fwmark_reflect) ? (mark) : 0) =20 static inline bool ip_is_fragment(const struct iphdr *iph) { --=20 2.35.1 From nobody Wed Apr 15 03:02:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0A59FC04A68 for ; Wed, 27 Jul 2022 16:21:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234772AbiG0QVf (ORCPT ); Wed, 27 Jul 2022 12:21:35 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48426 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233600AbiG0QVb (ORCPT ); Wed, 27 Jul 2022 12:21:31 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 40DEB2BB14; Wed, 27 Jul 2022 09:21:30 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id E4009B821B8; Wed, 27 Jul 2022 16:21:28 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 564FCC433D6; Wed, 27 Jul 2022 16:21:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658938887; bh=EOHRt/4AM/Ab3RBnOHd9Utdsb/HFtX8gqBeaSdnh3l8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=jWahFHjaM/aH68kVQvBGVM2z5fIIo+V1N/NkRwlSYENwtmkgWp4TV5zaelvdPtXYH upoOWuiLHkYdt+xmMvOQVgnN7xsgCsT4+8ldOhiUJXvAbPul9J0p+hNIrg8UR4hNS6 tRH7uaqMQ43++slFtrhFeA69KoW2zE7fR+Ui6DZ4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 4.9 10/26] tcp/dccp: Fix a data-race around sysctl_tcp_fwmark_accept. Date: Wed, 27 Jul 2022 18:10:39 +0200 Message-Id: <20220727160959.547072616@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727160959.122591422@linuxfoundation.org> References: <20220727160959.122591422@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 1a0008f9df59451d0a17806c1ee1a19857032fa8 ] While reading sysctl_tcp_fwmark_accept, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 84f39b08d786 ("net: support marking accepting TCP sockets") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan --- include/net/inet_sock.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/net/inet_sock.h b/include/net/inet_sock.h index 6213a90a8cec..f5dbee53fb85 100644 --- a/include/net/inet_sock.h +++ b/include/net/inet_sock.h @@ -113,7 +113,8 @@ static inline struct inet_request_sock *inet_rsk(const = struct request_sock *sk) =20 static inline u32 inet_request_mark(const struct sock *sk, struct sk_buff = *skb) { - if (!sk->sk_mark && sock_net(sk)->ipv4.sysctl_tcp_fwmark_accept) + if (!sk->sk_mark && + READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fwmark_accept)) return skb->mark; =20 return sk->sk_mark; --=20 2.35.1 From nobody Wed Apr 15 03:02:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6087DC19F2B for ; Wed, 27 Jul 2022 16:22:06 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235046AbiG0QWE (ORCPT ); Wed, 27 Jul 2022 12:22:04 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49232 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234962AbiG0QVy (ORCPT ); Wed, 27 Jul 2022 12:21:54 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 92D0D4D147; Wed, 27 Jul 2022 09:21:50 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id CD3E36199B; Wed, 27 Jul 2022 16:21:49 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id DBAC3C433D7; Wed, 27 Jul 2022 16:21:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658938909; bh=IgPZ4I7XBkIJS9kI5HUMyPbYRE5T9IPv1QQRGDc0AsE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=wYcxgTIykf87C8yU1s1pyW81N3MMNKVHXTD6vt3vpa/4bmjHVRWKgWz6ss61NgwQm 8/ACE+HQkbDIOhInaL2QgS/Ds7143/kjTNqUXB6ZJsQCb4CVAaPE5jd3SvydxlY1l/ of5oQJkVRRvXgRB/UvwHRiHJoTolqTHkwTLGcgr0= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 4.9 11/26] tcp: Fix a data-race around sysctl_tcp_probe_threshold. Date: Wed, 27 Jul 2022 18:10:40 +0200 Message-Id: <20220727160959.587692269@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727160959.122591422@linuxfoundation.org> References: <20220727160959.122591422@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 92c0aa4175474483d6cf373314343d4e624e882a ] While reading sysctl_tcp_probe_threshold, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 6b58e0a5f32d ("ipv4: Use binary search to choose tcp PMTU probe_size= ") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan --- net/ipv4/tcp_output.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index e0009cd69da7..5b6d935a028c 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -2005,7 +2005,7 @@ static int tcp_mtu_probe(struct sock *sk) * probing process by not resetting search range to its orignal. */ if (probe_size > tcp_mtu_to_mss(sk, icsk->icsk_mtup.search_high) || - interval < net->ipv4.sysctl_tcp_probe_threshold) { + interval < READ_ONCE(net->ipv4.sysctl_tcp_probe_threshold)) { /* Check whether enough time has elaplased for * another round of probing. */ --=20 2.35.1 From nobody Wed Apr 15 03:02:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 172E8C04A68 for ; Wed, 27 Jul 2022 16:22:19 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232782AbiG0QWM (ORCPT ); Wed, 27 Jul 2022 12:22:12 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49294 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235148AbiG0QV5 (ORCPT ); Wed, 27 Jul 2022 12:21:57 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C622A4C61B; Wed, 27 Jul 2022 09:21:54 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 7CCF8B821A6; Wed, 27 Jul 2022 16:21:53 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id BDCC2C433D6; Wed, 27 Jul 2022 16:21:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658938912; bh=8ihxxbqtwdKbI1YhUaUxR76a6ck1XLoQsIDulE25NPw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Cf/WwwKffonbvVj0iNGihEmJdiYlXCA/XlGrZtdZar46gnwOc/ZuSkFTuwej3mT8u GlIJzq5MfHvIcZ/56UYJYVhzuBNBOlPdR9nRmZRBZnyk7opJNiSR9TVgnU8iGOaAe7 AjgQqiXkKKT4J5sOo3rprkrrROVktTj2HiiXoVHg= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Robert Hancock , Shubhrajyoti Datta , Michal Simek , Wolfram Sang , Sasha Levin Subject: [PATCH 4.9 12/26] i2c: cadence: Change large transfer count reset logic to be unconditional Date: Wed, 27 Jul 2022 18:10:41 +0200 Message-Id: <20220727160959.618902682@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727160959.122591422@linuxfoundation.org> References: <20220727160959.122591422@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Robert Hancock [ Upstream commit 4ca8ca873d454635c20d508261bfc0081af75cf8 ] Problems were observed on the Xilinx ZynqMP platform with large I2C reads. When a read of 277 bytes was performed, the controller NAKed the transfer after only 252 bytes were transferred and returned an ENXIO error on the transfer. There is some code in cdns_i2c_master_isr to handle this case by resetting the transfer count in the controller before it reaches 0, to allow larger transfers to work, but it was conditional on the CDNS_I2C_BROKEN_HOLD_BIT quirk being set on the controller, and ZynqMP uses the r1p14 version of the core where this quirk is not being set. The requirement to do this to support larger reads seems like an inherently required workaround due to the core only having an 8-bit transfer size register, so it does not appear that this should be conditional on the broken HOLD bit quirk which is used elsewhere in the driver. Remove the dependency on the CDNS_I2C_BROKEN_HOLD_BIT for this transfer size reset logic to fix this problem. Fixes: 63cab195bf49 ("i2c: removed work arounds in i2c driver for Zynq Ultr= ascale+ MPSoC") Signed-off-by: Robert Hancock Reviewed-by: Shubhrajyoti Datta Acked-by: Michal Simek Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan --- drivers/i2c/busses/i2c-cadence.c | 30 +++++------------------------- 1 file changed, 5 insertions(+), 25 deletions(-) diff --git a/drivers/i2c/busses/i2c-cadence.c b/drivers/i2c/busses/i2c-cade= nce.c index 9ab056bb834d..fce1906e7df1 100644 --- a/drivers/i2c/busses/i2c-cadence.c +++ b/drivers/i2c/busses/i2c-cadence.c @@ -203,9 +203,9 @@ static inline bool cdns_is_holdquirk(struct cdns_i2c *i= d, bool hold_wrkaround) */ static irqreturn_t cdns_i2c_isr(int irq, void *ptr) { - unsigned int isr_status, avail_bytes, updatetx; + unsigned int isr_status, avail_bytes; unsigned int bytes_to_send; - bool hold_quirk; + bool updatetx; struct cdns_i2c *id =3D ptr; /* Signal completion only after everything is updated */ int done_flag =3D 0; @@ -224,11 +224,7 @@ static irqreturn_t cdns_i2c_isr(int irq, void *ptr) * Check if transfer size register needs to be updated again for a * large data receive operation. */ - updatetx =3D 0; - if (id->recv_count > id->curr_recv_count) - updatetx =3D 1; - - hold_quirk =3D (id->quirks & CDNS_I2C_BROKEN_HOLD_BIT) && updatetx; + updatetx =3D id->recv_count > id->curr_recv_count; =20 /* When receiving, handle data interrupt and completion interrupt */ if (id->p_recv_buf && @@ -251,7 +247,7 @@ static irqreturn_t cdns_i2c_isr(int irq, void *ptr) id->recv_count--; id->curr_recv_count--; =20 - if (cdns_is_holdquirk(id, hold_quirk)) + if (cdns_is_holdquirk(id, updatetx)) break; } =20 @@ -262,7 +258,7 @@ static irqreturn_t cdns_i2c_isr(int irq, void *ptr) * maintain transfer size non-zero while performing a large * receive operation. */ - if (cdns_is_holdquirk(id, hold_quirk)) { + if (cdns_is_holdquirk(id, updatetx)) { /* wait while fifo is full */ while (cdns_i2c_readreg(CDNS_I2C_XFER_SIZE_OFFSET) !=3D (id->curr_recv_count - CDNS_I2C_FIFO_DEPTH)) @@ -284,22 +280,6 @@ static irqreturn_t cdns_i2c_isr(int irq, void *ptr) CDNS_I2C_XFER_SIZE_OFFSET); id->curr_recv_count =3D id->recv_count; } - } else if (id->recv_count && !hold_quirk && - !id->curr_recv_count) { - - /* Set the slave address in address register*/ - cdns_i2c_writereg(id->p_msg->addr & CDNS_I2C_ADDR_MASK, - CDNS_I2C_ADDR_OFFSET); - - if (id->recv_count > CDNS_I2C_TRANSFER_SIZE) { - cdns_i2c_writereg(CDNS_I2C_TRANSFER_SIZE, - CDNS_I2C_XFER_SIZE_OFFSET); - id->curr_recv_count =3D CDNS_I2C_TRANSFER_SIZE; - } else { - cdns_i2c_writereg(id->recv_count, - CDNS_I2C_XFER_SIZE_OFFSET); - id->curr_recv_count =3D id->recv_count; - } } =20 /* Clear hold (if not repeated start) and signal completion */ --=20 2.35.1 From nobody Wed Apr 15 03:02:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 88FA1C19F2C for ; Wed, 27 Jul 2022 16:22:24 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235206AbiG0QWV (ORCPT ); Wed, 27 Jul 2022 12:22:21 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49302 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235152AbiG0QV5 (ORCPT ); Wed, 27 Jul 2022 12:21:57 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1E66445061; Wed, 27 Jul 2022 09:21:56 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 9C33B6199B; Wed, 27 Jul 2022 16:21:55 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id A3189C433C1; Wed, 27 Jul 2022 16:21:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658938915; bh=v2vlsf2/LrtTO8rtOML1NDVHm18NgMDkZBJyarNB4rM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=FX2TrrsRVZXW7LjpyT16FpP9afKIsfe04xCmzN2Sl+YISg6UNIn85kZ7l5hsSOwBd 17rQFNDIzhcb/WIuK0PkmkYlEOIP7F/7ae97Y+MsJ3A2OhIemsgfQ3z3GmLffjVj6V zwEoGNZ0DdfCC/mT2QTkZ+rCJG5wls6DJu8Vs2bE= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 4.9 13/26] igmp: Fix data-races around sysctl_igmp_llm_reports. Date: Wed, 27 Jul 2022 18:10:42 +0200 Message-Id: <20220727160959.660499620@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727160959.122591422@linuxfoundation.org> References: <20220727160959.122591422@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit f6da2267e71106474fbc0943dc24928b9cb79119 ] While reading sysctl_igmp_llm_reports, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. This test can be packed into a helper, so such changes will be in the follow-up series after net is merged into net-next. if (ipv4_is_local_multicast(pmc->multiaddr) && !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports)) Fixes: df2cf4a78e48 ("IGMP: Inhibit reports for local multicast groups") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan --- net/ipv4/igmp.c | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c index 75f961425639..6e217424e0ff 100644 --- a/net/ipv4/igmp.c +++ b/net/ipv4/igmp.c @@ -474,7 +474,8 @@ static struct sk_buff *add_grec(struct sk_buff *skb, st= ruct ip_mc_list *pmc, =20 if (pmc->multiaddr =3D=3D IGMP_ALL_HOSTS) return skb; - if (ipv4_is_local_multicast(pmc->multiaddr) && !net->ipv4.sysctl_igmp_llm= _reports) + if (ipv4_is_local_multicast(pmc->multiaddr) && + !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports)) return skb; =20 mtu =3D READ_ONCE(dev->mtu); @@ -600,7 +601,7 @@ static int igmpv3_send_report(struct in_device *in_dev,= struct ip_mc_list *pmc) if (pmc->multiaddr =3D=3D IGMP_ALL_HOSTS) continue; if (ipv4_is_local_multicast(pmc->multiaddr) && - !net->ipv4.sysctl_igmp_llm_reports) + !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports)) continue; spin_lock_bh(&pmc->lock); if (pmc->sfcount[MCAST_EXCLUDE]) @@ -743,7 +744,8 @@ static int igmp_send_report(struct in_device *in_dev, s= truct ip_mc_list *pmc, if (type =3D=3D IGMPV3_HOST_MEMBERSHIP_REPORT) return igmpv3_send_report(in_dev, pmc); =20 - if (ipv4_is_local_multicast(group) && !net->ipv4.sysctl_igmp_llm_reports) + if (ipv4_is_local_multicast(group) && + !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports)) return 0; =20 if (type =3D=3D IGMP_HOST_LEAVE_MESSAGE) @@ -921,7 +923,8 @@ static bool igmp_heard_report(struct in_device *in_dev,= __be32 group) =20 if (group =3D=3D IGMP_ALL_HOSTS) return false; - if (ipv4_is_local_multicast(group) && !net->ipv4.sysctl_igmp_llm_reports) + if (ipv4_is_local_multicast(group) && + !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports)) return false; =20 rcu_read_lock(); @@ -1031,7 +1034,7 @@ static bool igmp_heard_query(struct in_device *in_dev= , struct sk_buff *skb, if (im->multiaddr =3D=3D IGMP_ALL_HOSTS) continue; if (ipv4_is_local_multicast(im->multiaddr) && - !net->ipv4.sysctl_igmp_llm_reports) + !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports)) continue; spin_lock_bh(&im->lock); if (im->tm_running) @@ -1272,7 +1275,8 @@ static void igmp_group_dropped(struct ip_mc_list *im) #ifdef CONFIG_IP_MULTICAST if (im->multiaddr =3D=3D IGMP_ALL_HOSTS) return; - if (ipv4_is_local_multicast(im->multiaddr) && !net->ipv4.sysctl_igmp_llm_= reports) + if (ipv4_is_local_multicast(im->multiaddr) && + !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports)) return; =20 reporter =3D im->reporter; @@ -1309,7 +1313,8 @@ static void igmp_group_added(struct ip_mc_list *im) #ifdef CONFIG_IP_MULTICAST if (im->multiaddr =3D=3D IGMP_ALL_HOSTS) return; - if (ipv4_is_local_multicast(im->multiaddr) && !net->ipv4.sysctl_igmp_llm_= reports) + if (ipv4_is_local_multicast(im->multiaddr) && + !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports)) return; =20 if (in_dev->dead) @@ -1621,7 +1626,7 @@ static void ip_mc_rejoin_groups(struct in_device *in_= dev) if (im->multiaddr =3D=3D IGMP_ALL_HOSTS) continue; if (ipv4_is_local_multicast(im->multiaddr) && - !net->ipv4.sysctl_igmp_llm_reports) + !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports)) continue; =20 /* a failover is happening and switches --=20 2.35.1 From nobody Wed Apr 15 03:02:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id EBAD7C04A68 for ; Wed, 27 Jul 2022 16:22:54 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235546AbiG0QWx (ORCPT ); Wed, 27 Jul 2022 12:22:53 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48996 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234732AbiG0QWC (ORCPT ); Wed, 27 Jul 2022 12:22:02 -0400 Received: from sin.source.kernel.org (sin.source.kernel.org [IPv6:2604:1380:40e1:4800::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CBAD231238; Wed, 27 Jul 2022 09:22:01 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sin.source.kernel.org (Postfix) with ESMTPS id A38FDCE2304; Wed, 27 Jul 2022 16:21:59 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 9F1D9C433C1; Wed, 27 Jul 2022 16:21:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658938918; bh=baCgCy56YObxzhgX2L4La7FM8mD+ITUsB5YBk92O+E4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=WnLFJbvYmfmgTmfHCuULrJWxPzfXM1FfxM7ysPyd00NLDPUF00rdo5ejKI9v+cHnh Hg6l9kXFhFCBIfYPaF/TWE8TtFikERqVponiOvopIPzE+2RYRXEb4YgHVL8z2fHR/Q MSJ5Q0TlsFwE9WfymxrOjWIJG15L3VrDdc2SdZgs= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 4.9 14/26] igmp: Fix a data-race around sysctl_igmp_max_memberships. Date: Wed, 27 Jul 2022 18:10:43 +0200 Message-Id: <20220727160959.689789254@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727160959.122591422@linuxfoundation.org> References: <20220727160959.122591422@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 6305d821e3b9b5379d348528e5b5faf316383bc2 ] While reading sysctl_igmp_max_memberships, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan --- net/ipv4/igmp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c index 6e217424e0ff..3c09bee931b7 100644 --- a/net/ipv4/igmp.c +++ b/net/ipv4/igmp.c @@ -2171,7 +2171,7 @@ int ip_mc_join_group(struct sock *sk, struct ip_mreqn= *imr) count++; } err =3D -ENOBUFS; - if (count >=3D net->ipv4.sysctl_igmp_max_memberships) + if (count >=3D READ_ONCE(net->ipv4.sysctl_igmp_max_memberships)) goto done; iml =3D sock_kmalloc(sk, sizeof(*iml), GFP_KERNEL); if (!iml) --=20 2.35.1 From nobody Wed Apr 15 03:02:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id BB235C04A68 for ; Wed, 27 Jul 2022 16:22:28 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235091AbiG0QW0 (ORCPT ); Wed, 27 Jul 2022 12:22:26 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49208 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234649AbiG0QWC (ORCPT ); Wed, 27 Jul 2022 12:22:02 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A5BC42E9EC; Wed, 27 Jul 2022 09:22:01 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 42C59619A0; Wed, 27 Jul 2022 16:22:01 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 53D1FC433C1; Wed, 27 Jul 2022 16:22:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658938920; bh=O4WxUKLOIbP4YbcycCwkwyd+Sq3DHdQ4vvJJCer2fag=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=awAaHZiNtbCDK1XCCUE+mpO77vPlO6z+DGDHzb963Osu9cmeoTNJVxbb3ZOz0cIEJ Ynva2AXuN42rasgFuiOdaDKrLsHEOYr1qkXzt0CvIbjXsf6gZP0zJplR5famZb4Svh oEiHQcLJH8YuxEQLdZ9tpwftGt4xG/LjIrFp2q4A= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 4.9 15/26] tcp: Fix a data-race around sysctl_tcp_notsent_lowat. Date: Wed, 27 Jul 2022 18:10:44 +0200 Message-Id: <20220727160959.728471399@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727160959.122591422@linuxfoundation.org> References: <20220727160959.122591422@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 55be873695ed8912eb77ff46d1d1cadf028bd0f3 ] While reading sysctl_tcp_notsent_lowat, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: c9bee3b7fdec ("tcp: TCP_NOTSENT_LOWAT socket option") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan --- include/net/tcp.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/net/tcp.h b/include/net/tcp.h index 97df2f6fcbd7..164dc4f04d0f 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -1788,7 +1788,7 @@ void __tcp_v4_send_check(struct sk_buff *skb, __be32 = saddr, __be32 daddr); static inline u32 tcp_notsent_lowat(const struct tcp_sock *tp) { struct net *net =3D sock_net((struct sock *)tp); - return tp->notsent_lowat ?: net->ipv4.sysctl_tcp_notsent_lowat; + return tp->notsent_lowat ?: READ_ONCE(net->ipv4.sysctl_tcp_notsent_lowat); } =20 static inline bool tcp_stream_memory_free(const struct sock *sk) --=20 2.35.1 From nobody Wed Apr 15 03:02:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 81904C19F28 for ; Wed, 27 Jul 2022 16:22:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235156AbiG0QW2 (ORCPT ); Wed, 27 Jul 2022 12:22:28 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49066 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234962AbiG0QWF (ORCPT ); Wed, 27 Jul 2022 12:22:05 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5C7CC4B0DD; Wed, 27 Jul 2022 09:22:04 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id EC85761995; Wed, 27 Jul 2022 16:22:03 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 090EDC433C1; Wed, 27 Jul 2022 16:22:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658938923; bh=WOj+s5vKPdoTepok1yhOUhX1S4XBseNZDgBPvkKvjHk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Om9LuwHireBxHycKymkBrJ7pQt8ov8KZX8FR8OPw4n8GnylUhZ1Y4A3O4OaMKGpm4 uivkhJ5UmwcNvC7LzAc6vccwJ48y2rhoS6bnGKSXGP4JaZDZ6EYc4A8KBrvJ9cemul wU07Kqw00zRIKMsiOsQAh4tgR575Y7zjrwpPkv/M= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hristo Venev , Paolo Abeni , Sasha Levin Subject: [PATCH 4.9 16/26] be2net: Fix buffer overflow in be_get_module_eeprom Date: Wed, 27 Jul 2022 18:10:45 +0200 Message-Id: <20220727160959.770313545@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727160959.122591422@linuxfoundation.org> References: <20220727160959.122591422@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Hristo Venev [ Upstream commit d7241f679a59cfe27f92cb5c6272cb429fb1f7ec ] be_cmd_read_port_transceiver_data assumes that it is given a buffer that is at least PAGE_DATA_LEN long, or twice that if the module supports SFF 8472. However, this is not always the case. Fix this by passing the desired offset and length to be_cmd_read_port_transceiver_data so that we only copy the bytes once. Fixes: e36edd9d26cf ("be2net: add ethtool "-m" option support") Signed-off-by: Hristo Venev Link: https://lore.kernel.org/r/20220716085134.6095-1-hristo@venev.name Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan --- drivers/net/ethernet/emulex/benet/be_cmds.c | 10 +++--- drivers/net/ethernet/emulex/benet/be_cmds.h | 2 +- .../net/ethernet/emulex/benet/be_ethtool.c | 31 ++++++++++++------- 3 files changed, 25 insertions(+), 18 deletions(-) diff --git a/drivers/net/ethernet/emulex/benet/be_cmds.c b/drivers/net/ethe= rnet/emulex/benet/be_cmds.c index 8887dd3abed7..619cc13ffb55 100644 --- a/drivers/net/ethernet/emulex/benet/be_cmds.c +++ b/drivers/net/ethernet/emulex/benet/be_cmds.c @@ -2291,7 +2291,7 @@ int be_cmd_get_beacon_state(struct be_adapter *adapte= r, u8 port_num, u32 *state) =20 /* Uses sync mcc */ int be_cmd_read_port_transceiver_data(struct be_adapter *adapter, - u8 page_num, u8 *data) + u8 page_num, u32 off, u32 len, u8 *data) { struct be_dma_mem cmd; struct be_mcc_wrb *wrb; @@ -2325,10 +2325,10 @@ int be_cmd_read_port_transceiver_data(struct be_ada= pter *adapter, req->port =3D cpu_to_le32(adapter->hba_port_num); req->page_num =3D cpu_to_le32(page_num); status =3D be_mcc_notify_wait(adapter); - if (!status) { + if (!status && len > 0) { struct be_cmd_resp_port_type *resp =3D cmd.va; =20 - memcpy(data, resp->page_data, PAGE_DATA_LEN); + memcpy(data, resp->page_data + off, len); } err: mutex_unlock(&adapter->mcc_lock); @@ -2419,7 +2419,7 @@ int be_cmd_query_cable_type(struct be_adapter *adapte= r) int status; =20 status =3D be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A0, - page_data); + 0, PAGE_DATA_LEN, page_data); if (!status) { switch (adapter->phy.interface_type) { case PHY_TYPE_QSFP: @@ -2444,7 +2444,7 @@ int be_cmd_query_sfp_info(struct be_adapter *adapter) int status; =20 status =3D be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A0, - page_data); + 0, PAGE_DATA_LEN, page_data); if (!status) { strlcpy(adapter->phy.vendor_name, page_data + SFP_VENDOR_NAME_OFFSET, SFP_VENDOR_NAME_LEN - 1); diff --git a/drivers/net/ethernet/emulex/benet/be_cmds.h b/drivers/net/ethe= rnet/emulex/benet/be_cmds.h index 09da2d82c2f0..8af11a5e49fe 100644 --- a/drivers/net/ethernet/emulex/benet/be_cmds.h +++ b/drivers/net/ethernet/emulex/benet/be_cmds.h @@ -2431,7 +2431,7 @@ int be_cmd_set_beacon_state(struct be_adapter *adapte= r, u8 port_num, u8 beacon, int be_cmd_get_beacon_state(struct be_adapter *adapter, u8 port_num, u32 *state); int be_cmd_read_port_transceiver_data(struct be_adapter *adapter, - u8 page_num, u8 *data); + u8 page_num, u32 off, u32 len, u8 *data); int be_cmd_query_cable_type(struct be_adapter *adapter); int be_cmd_query_sfp_info(struct be_adapter *adapter); int lancer_cmd_read_object(struct be_adapter *adapter, struct be_dma_mem *= cmd, diff --git a/drivers/net/ethernet/emulex/benet/be_ethtool.c b/drivers/net/e= thernet/emulex/benet/be_ethtool.c index 56db37d92937..ca7750f483f9 100644 --- a/drivers/net/ethernet/emulex/benet/be_ethtool.c +++ b/drivers/net/ethernet/emulex/benet/be_ethtool.c @@ -1345,7 +1345,7 @@ static int be_get_module_info(struct net_device *netd= ev, return -EOPNOTSUPP; =20 status =3D be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A0, - page_data); + 0, PAGE_DATA_LEN, page_data); if (!status) { if (!page_data[SFP_PLUS_SFF_8472_COMP]) { modinfo->type =3D ETH_MODULE_SFF_8079; @@ -1363,25 +1363,32 @@ static int be_get_module_eeprom(struct net_device *= netdev, { struct be_adapter *adapter =3D netdev_priv(netdev); int status; + u32 begin, end; =20 if (!check_privilege(adapter, MAX_PRIVILEGES)) return -EOPNOTSUPP; =20 - status =3D be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A0, - data); - if (status) - goto err; + begin =3D eeprom->offset; + end =3D eeprom->offset + eeprom->len; + + if (begin < PAGE_DATA_LEN) { + status =3D be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A0, begin, + min_t(u32, end, PAGE_DATA_LEN) - begin, + data); + if (status) + goto err; + + data +=3D PAGE_DATA_LEN - begin; + begin =3D PAGE_DATA_LEN; + } =20 - if (eeprom->offset + eeprom->len > PAGE_DATA_LEN) { - status =3D be_cmd_read_port_transceiver_data(adapter, - TR_PAGE_A2, - data + - PAGE_DATA_LEN); + if (end > PAGE_DATA_LEN) { + status =3D be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A2, + begin - PAGE_DATA_LEN, + end - begin, data); if (status) goto err; } - if (eeprom->offset) - memcpy(data, data + eeprom->offset, eeprom->len); err: return be_cmd_status(status); } --=20 2.35.1 From nobody Wed Apr 15 03:02:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A2FDEC04A68 for ; Wed, 27 Jul 2022 16:22:35 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235256AbiG0QWd (ORCPT ); Wed, 27 Jul 2022 12:22:33 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49514 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234884AbiG0QWK (ORCPT ); Wed, 27 Jul 2022 12:22:10 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E45294B0DB; Wed, 27 Jul 2022 09:22:08 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 7621BB821B9; Wed, 27 Jul 2022 16:22:07 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 9E6F6C433D6; Wed, 27 Jul 2022 16:22:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658938926; bh=kFhuF2RVQuecvw5Ummki3VCBeoRSPFC+QkKqQkR6Egg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=IMnbXG15sMpSh5mqExUgfjWdF5Fj3wXlJnxaHzakbPPQMDt1JbJ8ctIq8kUfgadse +bqYUSEKpd81GoSqalFguYil1YZA/m270LuwZWnxYYyW2+4agG8veJ2CuV5XLyj9yl ti0q+4XIvdcNChdGsZCdqXnra1CiFNEC17ytNe5Y= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Sergey Senozhatsky , Qian Cai , Lech Perczak , Theodore Tso , Sasha Levin , Petr Mladek , John Ogness , kernel test robot , "Jason A. Donenfeld" Subject: [PATCH 4.9 17/26] Revert "Revert "char/random: silence a lockdep splat with printk()"" Date: Wed, 27 Jul 2022 18:10:46 +0200 Message-Id: <20220727160959.806070508@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727160959.122591422@linuxfoundation.org> References: <20220727160959.122591422@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: "Jason A. Donenfeld" In 2019, Sergey fixed a lockdep splat with 15341b1dd409 ("char/random: silence a lockdep splat with printk()"), but that got reverted soon after from 4.19 because back then it apparently caused various problems. But the issue it was fixing is still there, and more generally, many patches turning printk() into printk_deferred() have landed since, making me suspect it's okay to try this out again. This should fix the following deadlock found by the kernel test robot: [ 18.287691] WARNING: possible circular locking dependency detected [ 18.287692] 4.19.248-00165-g3d1f971aa81f #1 Not tainted [ 18.287693] ------------------------------------------------------ [ 18.287712] stop/202 is trying to acquire lock: [ 18.287713] (ptrval) (console_owner){..-.}, at: console_unlock (??:?) [ 18.287717] [ 18.287718] but task is already holding lock: [ 18.287718] (ptrval) (&(&port->lock)->rlock){-...}, at: pty_write (pty.c= :?) [ 18.287722] [ 18.287722] which lock already depends on the new lock. [ 18.287723] [ 18.287724] [ 18.287725] the existing dependency chain (in reverse order) is: [ 18.287725] [ 18.287726] -> #2 (&(&port->lock)->rlock){-...}: [ 18.287729] validate_chain+0x84a/0xe00 [ 18.287729] __lock_acquire (lockdep.c:?) [ 18.287730] lock_acquire (??:?) [ 18.287731] _raw_spin_lock_irqsave (??:?) [ 18.287732] tty_port_tty_get (??:?) [ 18.287733] tty_port_default_wakeup (tty_port.c:?) [ 18.287734] tty_port_tty_wakeup (??:?) [ 18.287734] uart_write_wakeup (??:?) [ 18.287735] serial8250_tx_chars (??:?) [ 18.287736] serial8250_handle_irq (??:?) [ 18.287737] serial8250_default_handle_irq (8250_port.c:?) [ 18.287738] serial8250_interrupt (8250_core.c:?) [ 18.287738] __handle_irq_event_percpu (??:?) [ 18.287739] handle_irq_event_percpu (??:?) [ 18.287740] handle_irq_event (??:?) [ 18.287741] handle_edge_irq (??:?) [ 18.287742] handle_irq (??:?) [ 18.287742] do_IRQ (??:?) [ 18.287743] common_interrupt (entry_32.o:?) [ 18.287744] _raw_spin_unlock_irqrestore (??:?) [ 18.287745] uart_write (serial_core.c:?) [ 18.287746] process_output_block (n_tty.c:?) [ 18.287747] n_tty_write (n_tty.c:?) [ 18.287747] tty_write (tty_io.c:?) [ 18.287748] __vfs_write (??:?) [ 18.287749] vfs_write (??:?) [ 18.287750] ksys_write (??:?) [ 18.287750] sys_write (??:?) [ 18.287751] do_fast_syscall_32 (??:?) [ 18.287752] entry_SYSENTER_32 (??:?) [ 18.287752] [ 18.287753] -> #1 (&port_lock_key){-.-.}: [ 18.287756] [ 18.287756] -> #0 (console_owner){..-.}: [ 18.287759] check_prevs_add (lockdep.c:?) [ 18.287760] validate_chain+0x84a/0xe00 [ 18.287761] __lock_acquire (lockdep.c:?) [ 18.287761] lock_acquire (??:?) [ 18.287762] console_unlock (??:?) [ 18.287763] vprintk_emit (??:?) [ 18.287764] vprintk_default (??:?) [ 18.287764] vprintk_func (??:?) [ 18.287765] printk (??:?) [ 18.287766] get_random_u32 (??:?) [ 18.287767] shuffle_freelist (slub.c:?) [ 18.287767] allocate_slab (slub.c:?) [ 18.287768] new_slab (slub.c:?) [ 18.287769] ___slab_alloc+0x6d0/0xb20 [ 18.287770] __slab_alloc+0xd6/0x2e0 [ 18.287770] __kmalloc (??:?) [ 18.287771] tty_buffer_alloc (tty_buffer.c:?) [ 18.287772] __tty_buffer_request_room (tty_buffer.c:?) [ 18.287773] tty_insert_flip_string_fixed_flag (??:?) [ 18.287774] pty_write (pty.c:?) [ 18.287775] process_output_block (n_tty.c:?) [ 18.287776] n_tty_write (n_tty.c:?) [ 18.287777] tty_write (tty_io.c:?) [ 18.287778] __vfs_write (??:?) [ 18.287779] vfs_write (??:?) [ 18.287780] ksys_write (??:?) [ 18.287780] sys_write (??:?) [ 18.287781] do_fast_syscall_32 (??:?) [ 18.287782] entry_SYSENTER_32 (??:?) [ 18.287783] [ 18.287783] other info that might help us debug this: [ 18.287784] [ 18.287785] Chain exists of: [ 18.287785] console_owner --> &port_lock_key --> &(&port->lock)->rlock [ 18.287789] [ 18.287790] Possible unsafe locking scenario: [ 18.287790] [ 18.287791] CPU0 CPU1 [ 18.287792] ---- ---- [ 18.287792] lock(&(&port->lock)->rlock); [ 18.287794] lock(&port_lock_key); [ 18.287814] lock(&(&port->lock)->rlock); [ 18.287815] lock(console_owner); [ 18.287817] [ 18.287818] *** DEADLOCK *** [ 18.287818] [ 18.287819] 6 locks held by stop/202: [ 18.287820] #0: (ptrval) (&tty->ldisc_sem){++++}, at: ldsem_down_read (?= ?:?) [ 18.287823] #1: (ptrval) (&tty->atomic_write_lock){+.+.}, at: tty_write_= lock (tty_io.c:?) [ 18.287826] #2: (ptrval) (&o_tty->termios_rwsem/1){++++}, at: n_tty_writ= e (n_tty.c:?) [ 18.287830] #3: (ptrval) (&ldata->output_lock){+.+.}, at: process_output= _block (n_tty.c:?) [ 18.287834] #4: (ptrval) (&(&port->lock)->rlock){-...}, at: pty_write (p= ty.c:?) [ 18.287838] #5: (ptrval) (console_lock){+.+.}, at: console_trylock_spinn= ing (printk.c:?) [ 18.287841] [ 18.287842] stack backtrace: [ 18.287843] CPU: 0 PID: 202 Comm: stop Not tainted 4.19.248-00165-g3d1f9= 71aa81f #1 [ 18.287843] Call Trace: [ 18.287844] dump_stack (??:?) [ 18.287845] print_circular_bug.cold+0x78/0x8b [ 18.287846] check_prev_add+0x66a/0xd20 [ 18.287847] check_prevs_add (lockdep.c:?) [ 18.287848] validate_chain+0x84a/0xe00 [ 18.287848] __lock_acquire (lockdep.c:?) [ 18.287849] lock_acquire (??:?) [ 18.287850] ? console_unlock (??:?) [ 18.287851] console_unlock (??:?) [ 18.287851] ? console_unlock (??:?) [ 18.287852] ? native_save_fl (??:?) [ 18.287853] vprintk_emit (??:?) [ 18.287854] vprintk_default (??:?) [ 18.287855] vprintk_func (??:?) [ 18.287855] printk (??:?) [ 18.287856] get_random_u32 (??:?) [ 18.287857] ? shuffle_freelist (slub.c:?) [ 18.287858] shuffle_freelist (slub.c:?) [ 18.287858] ? page_address (??:?) [ 18.287859] allocate_slab (slub.c:?) [ 18.287860] new_slab (slub.c:?) [ 18.287861] ? pvclock_clocksource_read (??:?) [ 18.287862] ___slab_alloc+0x6d0/0xb20 [ 18.287862] ? kvm_sched_clock_read (kvmclock.c:?) [ 18.287863] ? __slab_alloc+0xbc/0x2e0 [ 18.287864] ? native_wbinvd (paravirt.c:?) [ 18.287865] __slab_alloc+0xd6/0x2e0 [ 18.287865] __kmalloc (??:?) [ 18.287866] ? __lock_acquire (lockdep.c:?) [ 18.287867] ? tty_buffer_alloc (tty_buffer.c:?) [ 18.287868] tty_buffer_alloc (tty_buffer.c:?) [ 18.287869] __tty_buffer_request_room (tty_buffer.c:?) [ 18.287869] tty_insert_flip_string_fixed_flag (??:?) [ 18.287870] pty_write (pty.c:?) [ 18.287871] process_output_block (n_tty.c:?) [ 18.287872] n_tty_write (n_tty.c:?) [ 18.287873] ? print_dl_stats (??:?) [ 18.287874] ? n_tty_ioctl (n_tty.c:?) [ 18.287874] tty_write (tty_io.c:?) [ 18.287875] ? n_tty_ioctl (n_tty.c:?) [ 18.287876] ? tty_write_unlock (tty_io.c:?) [ 18.287877] __vfs_write (??:?) [ 18.287877] vfs_write (??:?) [ 18.287878] ? __fget_light (file.c:?) [ 18.287879] ksys_write (??:?) Cc: Sergey Senozhatsky Cc: Qian Cai Cc: Lech Perczak Cc: Greg Kroah-Hartman Cc: Theodore Ts'o Cc: Sasha Levin Cc: Petr Mladek Cc: John Ogness Reported-by: kernel test robot Link: https://lore.kernel.org/lkml/Ytz+lo4zRQYG3JUR@xsang-OptiPlex-9020 Signed-off-by: Jason A. Donenfeld Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan --- drivers/char/random.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -184,8 +184,8 @@ static void __cold process_random_ready_ =20 #define warn_unseeded_randomness() \ if (IS_ENABLED(CONFIG_WARN_ALL_UNSEEDED_RANDOM) && !crng_ready()) \ - pr_notice("%s called from %pS with crng_init=3D%d\n", \ - __func__, (void *)_RET_IP_, crng_init) + printk_deferred(KERN_NOTICE "random: %s called from %pS with crng_init= =3D%d\n", \ + __func__, (void *)_RET_IP_, crng_init) =20 =20 /********************************************************************* From nobody Wed Apr 15 03:02:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9AB3CC04A68 for ; Wed, 27 Jul 2022 16:22:40 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235373AbiG0QWi (ORCPT ); Wed, 27 Jul 2022 12:22:38 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49526 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234075AbiG0QWK (ORCPT ); Wed, 27 Jul 2022 12:22:10 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 017504BD3F; Wed, 27 Jul 2022 09:22:10 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 8A64D619AC; Wed, 27 Jul 2022 16:22:09 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 96B05C433D6; Wed, 27 Jul 2022 16:22:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658938929; bh=XxsZqC5lRPgiVb1BfJ8Az073MMEg2CsJPLRQC8M4CNo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=s6emZUhjGR2TFX8gXxNZ9jSq4hPCrZAYo+nYGrW5uSSU+E5Qb0NrdDe7aPaY7xd1b 6yQ7g16pI0sv+x99Yx2XvDIqMpF9RsWJxAY0p+2Saxx2ZNS4OfAdxymyQO4XiuIxtA 5ayUBE5yAai3oy4UHjjwJjrahVLmlKEPiU+Q23/8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Wang Cheng , syzbot+217f792c92599518a2ab@syzkaller.appspotmail.com, David Rientjes , Vlastimil Babka , Andrew Morton Subject: [PATCH 4.9 18/26] mm/mempolicy: fix uninit-value in mpol_rebind_policy() Date: Wed, 27 Jul 2022 18:10:47 +0200 Message-Id: <20220727160959.847927953@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727160959.122591422@linuxfoundation.org> References: <20220727160959.122591422@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Wang Cheng commit 018160ad314d75b1409129b2247b614a9f35894c upstream. mpol_set_nodemask()(mm/mempolicy.c) does not set up nodemask when pol->mode is MPOL_LOCAL. Check pol->mode before access pol->w.cpuset_mems_allowed in mpol_rebind_policy()(mm/mempolicy.c). BUG: KMSAN: uninit-value in mpol_rebind_policy mm/mempolicy.c:352 [inline] BUG: KMSAN: uninit-value in mpol_rebind_task+0x2ac/0x2c0 mm/mempolicy.c:368 mpol_rebind_policy mm/mempolicy.c:352 [inline] mpol_rebind_task+0x2ac/0x2c0 mm/mempolicy.c:368 cpuset_change_task_nodemask kernel/cgroup/cpuset.c:1711 [inline] cpuset_attach+0x787/0x15e0 kernel/cgroup/cpuset.c:2278 cgroup_migrate_execute+0x1023/0x1d20 kernel/cgroup/cgroup.c:2515 cgroup_migrate kernel/cgroup/cgroup.c:2771 [inline] cgroup_attach_task+0x540/0x8b0 kernel/cgroup/cgroup.c:2804 __cgroup1_procs_write+0x5cc/0x7a0 kernel/cgroup/cgroup-v1.c:520 cgroup1_tasks_write+0x94/0xb0 kernel/cgroup/cgroup-v1.c:539 cgroup_file_write+0x4c2/0x9e0 kernel/cgroup/cgroup.c:3852 kernfs_fop_write_iter+0x66a/0x9f0 fs/kernfs/file.c:296 call_write_iter include/linux/fs.h:2162 [inline] new_sync_write fs/read_write.c:503 [inline] vfs_write+0x1318/0x2030 fs/read_write.c:590 ksys_write+0x28b/0x510 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0xdb/0x120 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x44/0xae Uninit was created at: slab_post_alloc_hook mm/slab.h:524 [inline] slab_alloc_node mm/slub.c:3251 [inline] slab_alloc mm/slub.c:3259 [inline] kmem_cache_alloc+0x902/0x11c0 mm/slub.c:3264 mpol_new mm/mempolicy.c:293 [inline] do_set_mempolicy+0x421/0xb70 mm/mempolicy.c:853 kernel_set_mempolicy mm/mempolicy.c:1504 [inline] __do_sys_set_mempolicy mm/mempolicy.c:1510 [inline] __se_sys_set_mempolicy+0x44c/0xb60 mm/mempolicy.c:1507 __x64_sys_set_mempolicy+0xd8/0x110 mm/mempolicy.c:1507 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x44/0xae KMSAN: uninit-value in mpol_rebind_task (2) https://syzkaller.appspot.com/bug?id=3Dd6eb90f952c2a5de9ea718a1b873c55cb13b= 59dc This patch seems to fix below bug too. KMSAN: uninit-value in mpol_rebind_mm (2) https://syzkaller.appspot.com/bug?id=3Df2fecd0d7013f54ec4162f60743a2b28df40= 926b The uninit-value is pol->w.cpuset_mems_allowed in mpol_rebind_policy(). When syzkaller reproducer runs to the beginning of mpol_new(), mpol_new() mm/mempolicy.c do_mbind() mm/mempolicy.c kernel_mbind() mm/mempolicy.c `mode` is 1(MPOL_PREFERRED), nodes_empty(*nodes) is `true` and `flags` is 0. Then mode =3D MPOL_LOCAL; ... policy->mode =3D mode; policy->flags =3D flags; will be executed. So in mpol_set_nodemask(), mpol_set_nodemask() mm/mempolicy.c do_mbind() kernel_mbind() pol->mode is 4 (MPOL_LOCAL), that `nodemask` in `pol` is not initialized, which will be accessed in mpol_rebind_policy(). Link: https://lkml.kernel.org/r/20220512123428.fq3wofedp6oiotd4@ppc.localdo= main Signed-off-by: Wang Cheng Reported-by: Tested-by: Cc: David Rientjes Cc: Vlastimil Babka Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan --- mm/mempolicy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/mempolicy.c +++ b/mm/mempolicy.c @@ -396,7 +396,7 @@ static void mpol_rebind_preferred(struct static void mpol_rebind_policy(struct mempolicy *pol, const nodemask_t *ne= wmask, enum mpol_rebind_step step) { - if (!pol) + if (!pol || pol->mode =3D=3D MPOL_LOCAL) return; if (!mpol_store_user_nodemask(pol) && step =3D=3D MPOL_REBIND_ONCE && nodes_equal(pol->w.cpuset_mems_allowed, *newmask)) From nobody Wed Apr 15 03:02:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A2D6FC19F2B for ; Wed, 27 Jul 2022 16:22:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234666AbiG0QWn (ORCPT ); Wed, 27 Jul 2022 12:22:43 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49664 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235144AbiG0QWQ (ORCPT ); Wed, 27 Jul 2022 12:22:16 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5ADD02BB04; Wed, 27 Jul 2022 09:22:14 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id E6D22B821B9; Wed, 27 Jul 2022 16:22:12 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 52D12C433D6; Wed, 27 Jul 2022 16:22:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658938931; bh=x7MXIbRyh87EpyP2If66oVAwRiv0rDKPLJvSBv6XxHo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=wIMoQXhmwao9Iv7H6mar+kUqwBYVIXUMxG1JBpY08N6PjlLoaeQj1pAev1b+G6UR1 +uTgAfZgJ9iDF/TwBf3SRS6G06S+MFcI6gQEX+FKyAiI3gtIdzCZV0O75Y0wUyQicE pPczKB2RF5zKfK2gT0l5v6FjUIS6SZvrKBMt1x/g= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot , Eric Dumazet , Daniel Borkmann Subject: [PATCH 4.9 19/26] bpf: Make sure mac_header was set before using it Date: Wed, 27 Jul 2022 18:10:48 +0200 Message-Id: <20220727160959.878920967@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727160959.122591422@linuxfoundation.org> References: <20220727160959.122591422@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Eric Dumazet commit 0326195f523a549e0a9d7fd44c70b26fd7265090 upstream. Classic BPF has a way to load bytes starting from the mac header. Some skbs do not have a mac header, and skb_mac_header() in this case is returning a pointer that 65535 bytes after skb->head. Existing range check in bpf_internal_load_pointer_neg_helper() was properly kicking and no illegal access was happening. New sanity check in skb_mac_header() is firing, so we need to avoid it. WARNING: CPU: 1 PID: 28990 at include/linux/skbuff.h:2785 skb_mac_header in= clude/linux/skbuff.h:2785 [inline] WARNING: CPU: 1 PID: 28990 at include/linux/skbuff.h:2785 bpf_internal_load= _pointer_neg_helper+0x1b1/0x1c0 kernel/bpf/core.c:74 Modules linked in: CPU: 1 PID: 28990 Comm: syz-executor.0 Not tainted 5.19.0-rc4-syzkaller-008= 65-g4874fb9484be #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Goo= gle 06/29/2022 RIP: 0010:skb_mac_header include/linux/skbuff.h:2785 [inline] RIP: 0010:bpf_internal_load_pointer_neg_helper+0x1b1/0x1c0 kernel/bpf/core.= c:74 Code: ff ff 45 31 f6 e9 5a ff ff ff e8 aa 27 40 00 e9 3b ff ff ff e8 90 27 = 40 00 e9 df fe ff ff e8 86 27 40 00 eb 9e e8 2f 2c f3 ff <0f> 0b eb b1 e8 9= 6 27 40 00 e9 79 fe ff ff 90 41 57 41 56 41 55 41 RSP: 0018:ffffc9000309f668 EFLAGS: 00010216 RAX: 0000000000000118 RBX: ffffffffffeff00c RCX: ffffc9000e417000 RDX: 0000000000040000 RSI: ffffffff81873f21 RDI: 0000000000000003 RBP: ffff8880842878c0 R08: 0000000000000003 R09: 000000000000ffff R10: 000000000000ffff R11: 0000000000000001 R12: 0000000000000004 R13: ffff88803ac56c00 R14: 000000000000ffff R15: dffffc0000000000 FS: 00007f5c88a16700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fdaa9f6c058 CR3: 000000003a82c000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ____bpf_skb_load_helper_32 net/core/filter.c:276 [inline] bpf_skb_load_helper_32+0x191/0x220 net/core/filter.c:264 Fixes: f9aefd6b2aa3 ("net: warn if mac header was not set") Reported-by: syzbot Signed-off-by: Eric Dumazet Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20220707123900.945305-1-edumazet@google.c= om Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan --- kernel/bpf/core.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) --- a/kernel/bpf/core.c +++ b/kernel/bpf/core.c @@ -60,11 +60,13 @@ void *bpf_internal_load_pointer_neg_help { u8 *ptr =3D NULL; =20 - if (k >=3D SKF_NET_OFF) + if (k >=3D SKF_NET_OFF) { ptr =3D skb_network_header(skb) + k - SKF_NET_OFF; - else if (k >=3D SKF_LL_OFF) + } else if (k >=3D SKF_LL_OFF) { + if (unlikely(!skb_mac_header_was_set(skb))) + return NULL; ptr =3D skb_mac_header(skb) + k - SKF_LL_OFF; - + } if (ptr >=3D skb->head && ptr + size <=3D skb_tail_pointer(skb)) return ptr; From nobody Wed Apr 15 03:02:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id DDE24C04A68 for ; Wed, 27 Jul 2022 16:25:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235948AbiG0QZC (ORCPT ); Wed, 27 Jul 2022 12:25:02 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49950 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235390AbiG0QX6 (ORCPT ); Wed, 27 Jul 2022 12:23:58 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 18C184D155; Wed, 27 Jul 2022 09:23:07 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 37607619D0; Wed, 27 Jul 2022 16:22:58 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3EF3EC43470; Wed, 27 Jul 2022 16:22:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658938977; bh=3iCMFHDjs1WQc6tiSgGz2iqgwppC7LL8WG2EUZz6tfg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=GU86tkKkFz4n4347T9qqkEyInBhJnW7Ubb4SlxuWK1H9gaXXHgb5k6wu53xw87wU+ PTL6us4EtEpkRDB2rX8h5Clg3KWhRceo4TSNX6mvg+3wlCIokn2IYBMdPN6jtN9X/c nf/EqTOp5B3NNsxoJUEd3NmH6lSJtBmIirLLJaGc= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Lars-Peter Clausen , Takashi Iwai Subject: [PATCH 4.9 20/26] ALSA: memalloc: Align buffer allocations in page size Date: Wed, 27 Jul 2022 18:10:49 +0200 Message-Id: <20220727160959.929028820@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727160959.122591422@linuxfoundation.org> References: <20220727160959.122591422@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Takashi Iwai commit 5c1733e33c888a3cb7f576564d8ad543d5ad4a9e upstream. Currently the standard memory allocator (snd_dma_malloc_pages*()) passes the byte size to allocate as is. Most of the backends allocates real pages, hence the actual allocations are aligned in page size. However, the genalloc doesn't seem assuring the size alignment, hence it may result in the access outside the buffer when the whole memory pages are exposed via mmap. For avoiding such inconsistencies, this patch makes the allocation size always to be aligned in page size. Note that, after this change, snd_dma_buffer.bytes field contains the aligned size, not the originally requested size. This value is also used for releasing the pages in return. Reviewed-by: Lars-Peter Clausen Link: https://lore.kernel.org/r/20201218145625.2045-2-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan --- sound/core/memalloc.c | 1 + 1 file changed, 1 insertion(+) --- a/sound/core/memalloc.c +++ b/sound/core/memalloc.c @@ -177,6 +177,7 @@ int snd_dma_alloc_pages(int type, struct if (WARN_ON(!dmab)) return -ENXIO; =20 + size =3D PAGE_ALIGN(size); dmab->dev.type =3D type; dmab->dev.dev =3D device; dmab->bytes =3D 0; From nobody Wed Apr 15 03:02:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 27CE9C04A68 for ; Wed, 27 Jul 2022 16:23:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235327AbiG0QXk (ORCPT ); Wed, 27 Jul 2022 12:23:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51006 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235176AbiG0QWy (ORCPT ); Wed, 27 Jul 2022 12:22:54 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 458A04D156; Wed, 27 Jul 2022 09:22:42 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id F1002B821BA; Wed, 27 Jul 2022 16:22:40 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 35AF5C433D6; Wed, 27 Jul 2022 16:22:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658938959; bh=NOaMqmolZtU2KMqTQcqCC64uDINdooRxukQ0lehgjVQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=yM5p0c22micElTXuENHZZ9eg5F2njXHJmPRmlN6TH+TbE13xSR3JfFxa7b3huEQQ+ 8o7/oEg/nmofyOHoPkMmNfGTmm1FJ5x7Cv9NcnF+RuJ764f4exHn0Rpf5cshN4SWo/ bhnpjg6UVni1U8bjytmXe/IPvSKWb+6e7HowGjhk= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Vladimir Zapolskiy , Johan Hovold , Jiri Slaby Subject: [PATCH 4.9 21/26] tty: drivers/tty/, stop using tty_schedule_flip() Date: Wed, 27 Jul 2022 18:10:50 +0200 Message-Id: <20220727160959.967594096@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727160959.122591422@linuxfoundation.org> References: <20220727160959.122591422@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Jiri Slaby commit 5f6a85158ccacc3f09744b3aafe8b11ab3b6c6f6 upstream. Since commit a9c3f68f3cd8d (tty: Fix low_latency BUG) in 2014, tty_flip_buffer_push() is only a wrapper to tty_schedule_flip(). We are going to remove the latter (as it is used less), so call the former in drivers/tty/. Cc: Vladimir Zapolskiy Reviewed-by: Johan Hovold Signed-off-by: Jiri Slaby Link: https://lore.kernel.org/r/20211122111648.30379-2-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan --- drivers/tty/cyclades.c | 6 +++--- drivers/tty/goldfish.c | 2 +- drivers/tty/moxa.c | 4 ++-- drivers/tty/serial/lpc32xx_hs.c | 2 +- drivers/tty/vt/keyboard.c | 6 +++--- drivers/tty/vt/vt.c | 2 +- 6 files changed, 11 insertions(+), 11 deletions(-) --- a/drivers/tty/cyclades.c +++ b/drivers/tty/cyclades.c @@ -556,7 +556,7 @@ static void cyy_chip_rx(struct cyclades_ } info->idle_stats.recv_idle =3D jiffies; } - tty_schedule_flip(port); + tty_flip_buffer_push(port); =20 /* end of service */ cyy_writeb(info, CyRIR, save_xir & 0x3f); @@ -998,7 +998,7 @@ static void cyz_handle_rx(struct cyclade jiffies + 1); #endif info->idle_stats.recv_idle =3D jiffies; - tty_schedule_flip(&info->port); + tty_flip_buffer_push(&info->port); =20 /* Update rx_get */ cy_writel(&buf_ctrl->rx_get, new_rx_get); @@ -1174,7 +1174,7 @@ static void cyz_handle_cmd(struct cyclad if (delta_count) wake_up_interruptible(&info->port.delta_msr_wait); if (special_count) - tty_schedule_flip(&info->port); + tty_flip_buffer_push(&info->port); } } =20 --- a/drivers/tty/goldfish.c +++ b/drivers/tty/goldfish.c @@ -85,7 +85,7 @@ static irqreturn_t goldfish_tty_interrup writel(count, base + GOLDFISH_TTY_DATA_LEN); writel(GOLDFISH_TTY_CMD_READ_BUFFER, base + GOLDFISH_TTY_CMD); spin_unlock_irqrestore(&qtty->lock, irq_flags); - tty_schedule_flip(&qtty->port); + tty_flip_buffer_push(&qtty->port); return IRQ_HANDLED; } =20 --- a/drivers/tty/moxa.c +++ b/drivers/tty/moxa.c @@ -1397,7 +1397,7 @@ static int moxa_poll_port(struct moxa_po if (inited && !tty_throttled(tty) && MoxaPortRxQueue(p) > 0) { /* RX */ MoxaPortReadData(p); - tty_schedule_flip(&p->port); + tty_flip_buffer_push(&p->port); } } else { clear_bit(EMPTYWAIT, &p->statusflags); @@ -1422,7 +1422,7 @@ static int moxa_poll_port(struct moxa_po =20 if (tty && (intr & IntrBreak) && !I_IGNBRK(tty)) { /* BREAK */ tty_insert_flip_char(&p->port, 0, TTY_BREAK); - tty_schedule_flip(&p->port); + tty_flip_buffer_push(&p->port); } =20 if (intr & IntrLine) --- a/drivers/tty/serial/lpc32xx_hs.c +++ b/drivers/tty/serial/lpc32xx_hs.c @@ -350,7 +350,7 @@ static irqreturn_t serial_lpc32xx_interr LPC32XX_HSUART_IIR(port->membase)); port->icount.overrun++; tty_insert_flip_char(tport, 0, TTY_OVERRUN); - tty_schedule_flip(tport); + tty_flip_buffer_push(tport); } =20 /* Data received? */ --- a/drivers/tty/vt/keyboard.c +++ b/drivers/tty/vt/keyboard.c @@ -308,7 +308,7 @@ int kbd_rate(struct kbd_repeat *rpt) static void put_queue(struct vc_data *vc, int ch) { tty_insert_flip_char(&vc->port, ch, 0); - tty_schedule_flip(&vc->port); + tty_flip_buffer_push(&vc->port); } =20 static void puts_queue(struct vc_data *vc, char *cp) @@ -317,7 +317,7 @@ static void puts_queue(struct vc_data *v tty_insert_flip_char(&vc->port, *cp, 0); cp++; } - tty_schedule_flip(&vc->port); + tty_flip_buffer_push(&vc->port); } =20 static void applkey(struct vc_data *vc, int key, char mode) @@ -562,7 +562,7 @@ static void fn_inc_console(struct vc_dat static void fn_send_intr(struct vc_data *vc) { tty_insert_flip_char(&vc->port, 0, TTY_BREAK); - tty_schedule_flip(&vc->port); + tty_flip_buffer_push(&vc->port); } =20 static void fn_scroll_forw(struct vc_data *vc) --- a/drivers/tty/vt/vt.c +++ b/drivers/tty/vt/vt.c @@ -1484,7 +1484,7 @@ static void respond_string(const char *p tty_insert_flip_char(port, *p, 0); p++; } - tty_schedule_flip(port); + tty_flip_buffer_push(port); } =20 static void cursor_report(struct vc_data *vc, struct tty_struct *tty) From nobody Wed Apr 15 03:02:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 57FECC19F2B for ; Wed, 27 Jul 2022 16:23:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235730AbiG0QXn (ORCPT ); Wed, 27 Jul 2022 12:23:43 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51016 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233700AbiG0QWy (ORCPT ); Wed, 27 Jul 2022 12:22:54 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 478954D178; Wed, 27 Jul 2022 09:22:43 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id D743D617F2; Wed, 27 Jul 2022 16:22:42 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id B3607C433D6; Wed, 27 Jul 2022 16:22:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658938962; bh=9l/ukxD80M6SYVcKZPl4/IMvtG9p/sFEi5Q5ZtKnaDQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Mjoq0hHJSM7WohfWF0bm3oYsiybxqjvIm00fWo8s46J88WH3C5Epvtlx17lXgo7uc zCEovBnOA/W9E/iwzKDnHznUW6vYT9HXgm/0+LVWlqZBDvWDsy5PY5DyuI6L1ch+h6 MiaZkEnsNusZrmXEGWKkT+yvf/SfPcWCBea/HvN8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Richard Henderson , Ivan Kokshaysky , Matt Turner , William Hubbs , Chris Brannon , Kirk Reiser , Samuel Thibault , Heiko Carstens , Vasily Gorbik , Christian Borntraeger , Alexander Gordeev , Johan Hovold , Jiri Slaby Subject: [PATCH 4.9 22/26] tty: the rest, stop using tty_schedule_flip() Date: Wed, 27 Jul 2022 18:10:51 +0200 Message-Id: <20220727161000.015867460@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727160959.122591422@linuxfoundation.org> References: <20220727160959.122591422@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Jiri Slaby commit b68b914494df4f79b4e9b58953110574af1cb7a2 upstream. Since commit a9c3f68f3cd8d (tty: Fix low_latency BUG) in 2014, tty_flip_buffer_push() is only a wrapper to tty_schedule_flip(). We are going to remove the latter (as it is used less), so call the former in the rest of the users. Cc: Richard Henderson Cc: Ivan Kokshaysky Cc: Matt Turner Cc: William Hubbs Cc: Chris Brannon Cc: Kirk Reiser Cc: Samuel Thibault Cc: Heiko Carstens Cc: Vasily Gorbik Cc: Christian Borntraeger Cc: Alexander Gordeev Reviewed-by: Johan Hovold Signed-off-by: Jiri Slaby Link: https://lore.kernel.org/r/20211122111648.30379-3-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan --- arch/alpha/kernel/srmcons.c | 2 +- drivers/s390/char/keyboard.h | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) --- a/arch/alpha/kernel/srmcons.c +++ b/arch/alpha/kernel/srmcons.c @@ -58,7 +58,7 @@ srmcons_do_receive_chars(struct tty_port } while((result.bits.status & 1) && (++loops < 10)); =20 if (count) - tty_schedule_flip(port); + tty_flip_buffer_push(port); =20 return count; } --- a/drivers/s390/char/keyboard.h +++ b/drivers/s390/char/keyboard.h @@ -44,7 +44,7 @@ static inline void kbd_put_queue(struct tty_port *port, int ch) { tty_insert_flip_char(port, ch, 0); - tty_schedule_flip(port); + tty_flip_buffer_push(port); } =20 static inline void @@ -52,5 +52,5 @@ kbd_puts_queue(struct tty_port *port, ch { while (*cp) tty_insert_flip_char(port, *cp++, 0); - tty_schedule_flip(port); + tty_flip_buffer_push(port); } From nobody Wed Apr 15 03:02:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7DC08C04A68 for ; Wed, 27 Jul 2022 16:23:49 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234468AbiG0QXr (ORCPT ); Wed, 27 Jul 2022 12:23:47 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50306 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235274AbiG0QXD (ORCPT ); Wed, 27 Jul 2022 12:23:03 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DF7554D4D4; Wed, 27 Jul 2022 09:22:47 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 5543DB821B9; Wed, 27 Jul 2022 16:22:46 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id A4C02C433D6; Wed, 27 Jul 2022 16:22:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658938965; bh=c/C+6rDGOcAiWqodr+MtJYP73MB91fDH/+G5xugvWGM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Bus0qQ9c3vZn99ai2GCnruMdwORC1KfUtkUhW6FiSelrIK/FWKJUWF1rdo1BbgtQ0 4jqvKu79LZhZozswPOzmH5314l60RCxOICLNLvR5j1/r7FpixT3R2BcvrMVwL3Psce OglkFMHkr3oIHlpDZaOLQbOApdNF9dpWUWqZcfLM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Johan Hovold , Jiri Slaby Subject: [PATCH 4.9 23/26] tty: drop tty_schedule_flip() Date: Wed, 27 Jul 2022 18:10:52 +0200 Message-Id: <20220727161000.053931509@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727160959.122591422@linuxfoundation.org> References: <20220727160959.122591422@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Jiri Slaby commit 5db96ef23bda6c2a61a51693c85b78b52d03f654 upstream. Since commit a9c3f68f3cd8d (tty: Fix low_latency BUG) in 2014, tty_flip_buffer_push() is only a wrapper to tty_schedule_flip(). All users were converted in the previous patches, so remove tty_schedule_flip() completely while inlining its body into tty_flip_buffer_push(). One less exported function. Reviewed-by: Johan Hovold Signed-off-by: Jiri Slaby Link: https://lore.kernel.org/r/20211122111648.30379-4-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan --- drivers/tty/tty_buffer.c | 30 ++++++++---------------------- include/linux/tty_flip.h | 1 - 2 files changed, 8 insertions(+), 23 deletions(-) --- a/drivers/tty/tty_buffer.c +++ b/drivers/tty/tty_buffer.c @@ -389,27 +389,6 @@ int __tty_insert_flip_char(struct tty_po EXPORT_SYMBOL(__tty_insert_flip_char); =20 /** - * tty_schedule_flip - push characters to ldisc - * @port: tty port to push from - * - * Takes any pending buffers and transfers their ownership to the - * ldisc side of the queue. It then schedules those characters for - * processing by the line discipline. - */ - -void tty_schedule_flip(struct tty_port *port) -{ - struct tty_bufhead *buf =3D &port->buf; - - /* paired w/ acquire in flush_to_ldisc(); ensures - * flush_to_ldisc() sees buffer data. - */ - smp_store_release(&buf->tail->commit, buf->tail->used); - queue_work(system_unbound_wq, &buf->work); -} -EXPORT_SYMBOL(tty_schedule_flip); - -/** * tty_prepare_flip_string - make room for characters * @port: tty port * @chars: return pointer for character write area @@ -560,7 +539,14 @@ static void flush_to_ldisc(struct work_s =20 void tty_flip_buffer_push(struct tty_port *port) { - tty_schedule_flip(port); + struct tty_bufhead *buf =3D &port->buf; + + /* + * Paired w/ acquire in flush_to_ldisc(); ensures flush_to_ldisc() sees + * buffer data. + */ + smp_store_release(&buf->tail->commit, buf->tail->used); + queue_work(system_unbound_wq, &buf->work); } EXPORT_SYMBOL(tty_flip_buffer_push); =20 --- a/include/linux/tty_flip.h +++ b/include/linux/tty_flip.h @@ -11,7 +11,6 @@ extern int tty_insert_flip_string_fixed_ extern int tty_prepare_flip_string(struct tty_port *port, unsigned char **chars, size_t size); extern void tty_flip_buffer_push(struct tty_port *port); -void tty_schedule_flip(struct tty_port *port); int __tty_insert_flip_char(struct tty_port *port, unsigned char ch, char f= lag); =20 static inline int tty_insert_flip_char(struct tty_port *port, From nobody Wed Apr 15 03:02:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id CC408C04A68 for ; Wed, 27 Jul 2022 16:23:51 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235762AbiG0QXu (ORCPT ); Wed, 27 Jul 2022 12:23:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50392 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235738AbiG0QXF (ORCPT ); Wed, 27 Jul 2022 12:23:05 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1DAEB4D4DB; Wed, 27 Jul 2022 09:22:49 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 55E52619CF; Wed, 27 Jul 2022 16:22:48 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 62B5CC433D6; Wed, 27 Jul 2022 16:22:47 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658938967; bh=UK1VOdXVVn5+yhhI/M4hguhOG81C+djP+Xywz0Dklko=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Ia3Fy2vIBKQ4s0c9p1+N3ANyi3443cGd6MyTlAF3o/yuQPt5/4nAx9camR8KzTz8P jsI4uOiAAE25x1qFrChn6pvcf+gYyBAZY4t9Egw79W8nM/RQWWGdJMMeIG/MzI6zD4 8CDy+kz6US+Lrg+VzZ3uXw1v+tS6PiHKcXznuNwA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hillf Danton , =?UTF-8?q?=E4=B8=80=E5=8F=AA=E7=8B=97?= , Dan Carpenter , Jiri Slaby Subject: [PATCH 4.9 24/26] tty: extract tty_flip_buffer_commit() from tty_flip_buffer_push() Date: Wed, 27 Jul 2022 18:10:53 +0200 Message-Id: <20220727161000.083152864@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727160959.122591422@linuxfoundation.org> References: <20220727160959.122591422@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jiri Slaby commit 716b10580283fda66f2b88140e3964f8a7f9da89 upstream. We will need this new helper in the next patch. Cc: Hillf Danton Cc: =E4=B8=80=E5=8F=AA=E7=8B=97 Cc: Dan Carpenter Signed-off-by: Jiri Slaby Link: https://lore.kernel.org/r/20220707082558.9250-1-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan --- drivers/tty/tty_buffer.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) --- a/drivers/tty/tty_buffer.c +++ b/drivers/tty/tty_buffer.c @@ -526,6 +526,15 @@ static void flush_to_ldisc(struct work_s tty_ldisc_deref(disc); } =20 +static inline void tty_flip_buffer_commit(struct tty_buffer *tail) +{ + /* + * Paired w/ acquire in flush_to_ldisc(); ensures flush_to_ldisc() sees + * buffer data. + */ + smp_store_release(&tail->commit, tail->used); +} + /** * tty_flip_buffer_push - terminal * @port: tty port to push @@ -541,11 +550,7 @@ void tty_flip_buffer_push(struct tty_por { struct tty_bufhead *buf =3D &port->buf; =20 - /* - * Paired w/ acquire in flush_to_ldisc(); ensures flush_to_ldisc() sees - * buffer data. - */ - smp_store_release(&buf->tail->commit, buf->tail->used); + tty_flip_buffer_commit(buf->tail); queue_work(system_unbound_wq, &buf->work); } EXPORT_SYMBOL(tty_flip_buffer_push); From nobody Wed Apr 15 03:02:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2D9B2C19F2C for ; Wed, 27 Jul 2022 16:24:47 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235613AbiG0QYo (ORCPT ); Wed, 27 Jul 2022 12:24:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50258 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235951AbiG0QXh (ORCPT ); Wed, 27 Jul 2022 12:23:37 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4C79F4C624; Wed, 27 Jul 2022 09:22:59 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id A6403617F2; Wed, 27 Jul 2022 16:22:52 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 26AAAC433D6; Wed, 27 Jul 2022 16:22:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658938972; bh=5qi6U/J8lpNHkYSJT47rBq2xJq10SOA9cxnccKqgGDI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=vR5xv194SgSj2EfqgBB4e9a5wEPPHZv1jTmw5fQKR/GJYRCU2nvy3WQkBHSKLUV0A Aq+5WEoUO966nj7PHZGAV4pAlqkcrYCW/hKGahf0evIbzvXnw0YGsr+WPOIk8dOnOu H3ali/Tqyh6Z1b9miTcAx3XnX3KmyLbITWt+SViI= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, =?UTF-8?q?=E4=B8=80=E5=8F=AA=E7=8B=97?= , Dan Carpenter , Hillf Danton , Jiri Slaby Subject: [PATCH 4.9 25/26] tty: use new tty_insert_flip_string_and_push_buffer() in pty_write() Date: Wed, 27 Jul 2022 18:10:54 +0200 Message-Id: <20220727161000.122591546@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727160959.122591422@linuxfoundation.org> References: <20220727160959.122591422@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jiri Slaby commit a501ab75e7624d133a5a3c7ec010687c8b961d23 upstream. There is a race in pty_write(). pty_write() can be called in parallel with e.g. ioctl(TIOCSTI) or ioctl(TCXONC) which also inserts chars to the buffer. Provided, tty_flip_buffer_push() in pty_write() is called outside the lock, it can commit inconsistent tail. This can lead to out of bounds writes and other issues. See the Link below. To fix this, we have to introduce a new helper called tty_insert_flip_string_and_push_buffer(). It does both tty_insert_flip_string() and tty_flip_buffer_commit() under the port lock. It also calls queue_work(), but outside the lock. See 71a174b39f10 (pty: do tty_flip_buffer_push without port->lock in pty_write) for the reasons. Keep the helper internal-only (in drivers' tty.h). It is not intended to be used widely. Link: https://seclists.org/oss-sec/2022/q2/155 Fixes: 71a174b39f10 (pty: do tty_flip_buffer_push without port->lock in pty= _write) Cc: =E4=B8=80=E5=8F=AA=E7=8B=97 Cc: Dan Carpenter Suggested-by: Hillf Danton Signed-off-by: Jiri Slaby Link: https://lore.kernel.org/r/20220707082558.9250-2-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan --- drivers/tty/pty.c | 14 ++------------ drivers/tty/tty_buffer.c | 31 +++++++++++++++++++++++++++++++ include/linux/tty_flip.h | 3 +++ 3 files changed, 36 insertions(+), 12 deletions(-) --- a/drivers/tty/pty.c +++ b/drivers/tty/pty.c @@ -106,21 +106,11 @@ static void pty_unthrottle(struct tty_st static int pty_write(struct tty_struct *tty, const unsigned char *buf, int= c) { struct tty_struct *to =3D tty->link; - unsigned long flags; =20 - if (tty->stopped) + if (tty->stopped || !c) return 0; =20 - if (c > 0) { - spin_lock_irqsave(&to->port->lock, flags); - /* Stuff the data into the input queue of the other end */ - c =3D tty_insert_flip_string(to->port, buf, c); - spin_unlock_irqrestore(&to->port->lock, flags); - /* And shovel */ - if (c) - tty_flip_buffer_push(to->port); - } - return c; + return tty_insert_flip_string_and_push_buffer(to->port, buf, c); } =20 /** --- a/drivers/tty/tty_buffer.c +++ b/drivers/tty/tty_buffer.c @@ -556,6 +556,37 @@ void tty_flip_buffer_push(struct tty_por EXPORT_SYMBOL(tty_flip_buffer_push); =20 /** + * tty_insert_flip_string_and_push_buffer - add characters to the tty buff= er and + * push + * @port: tty port + * @chars: characters + * @size: size + * + * The function combines tty_insert_flip_string() and tty_flip_buffer_push= () + * with the exception of properly holding the @port->lock. + * + * To be used only internally (by pty currently). + * + * Returns: the number added. + */ +int tty_insert_flip_string_and_push_buffer(struct tty_port *port, + const unsigned char *chars, size_t size) +{ + struct tty_bufhead *buf =3D &port->buf; + unsigned long flags; + + spin_lock_irqsave(&port->lock, flags); + size =3D tty_insert_flip_string(port, chars, size); + if (size) + tty_flip_buffer_commit(buf->tail); + spin_unlock_irqrestore(&port->lock, flags); + + queue_work(system_unbound_wq, &buf->work); + + return size; +} + +/** * tty_buffer_init - prepare a tty buffer structure * @tty: tty to initialise * --- a/include/linux/tty_flip.h +++ b/include/linux/tty_flip.h @@ -38,4 +38,7 @@ static inline int tty_insert_flip_string extern void tty_buffer_lock_exclusive(struct tty_port *port); extern void tty_buffer_unlock_exclusive(struct tty_port *port); =20 +int tty_insert_flip_string_and_push_buffer(struct tty_port *port, + const unsigned char *chars, size_t cnt); + #endif /* _LINUX_TTY_FLIP_H */ From nobody Wed Apr 15 03:02:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2A426C3F6B0 for ; Wed, 27 Jul 2022 16:24:55 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235791AbiG0QYv (ORCPT ); Wed, 27 Jul 2022 12:24:51 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50310 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235679AbiG0QXm (ORCPT ); Wed, 27 Jul 2022 12:23:42 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3DD014D81E; Wed, 27 Jul 2022 09:23:02 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 42B42B821B8; Wed, 27 Jul 2022 16:22:56 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 85FA3C43470; Wed, 27 Jul 2022 16:22:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658938974; bh=XtGu8TE7CovI0KYOLPZ54gTgLYD3hr7Az98aZLAAFW4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=dHm6dllLulQTTGRUexeQIOKnHk0t6fj5sSJW5VEJoAk85LBXF6X5atvl0vboh9GTp LaohSAd/H9jxEG9ePBYbGa+/rVenUt5sO+Mtzsq9mncVnWwZNVKKTYlusaN1VgGKTg n5FnDIC7lrqm1kqE92sgO3TW7HL3BNFGpyPMj5VQ= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jose Alonso , "David S. Miller" Subject: [PATCH 4.9 26/26] net: usb: ax88179_178a needs FLAG_SEND_ZLP Date: Wed, 27 Jul 2022 18:10:55 +0200 Message-Id: <20220727161000.160421507@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727160959.122591422@linuxfoundation.org> References: <20220727160959.122591422@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Jose Alonso commit 36a15e1cb134c0395261ba1940762703f778438c upstream. The extra byte inserted by usbnet.c when (length % dev->maxpacket =3D=3D 0) is causing problems to device. This patch sets FLAG_SEND_ZLP to avoid this. Tested with: 0b95:1790 ASIX Electronics Corp. AX88179 Gigabit Ethernet Problems observed: =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D 1) Using ssh/sshfs. The remote sshd daemon can abort with the message: "message authentication code incorrect" This happens because the tcp message sent is corrupted during the USB "Bulk out". The device calculate the tcp checksum and send a valid tcp message to the remote sshd. Then the encryption detects the error and aborts. 2) NETDEV WATCHDOG: ... (ax88179_178a): transmit queue 0 timed out 3) Stop normal work without any log message. The "Bulk in" continue receiving packets normally. The host sends "Bulk out" and the device responds with -ECONNRESET. (The netusb.c code tx_complete ignore -ECONNRESET) Under normal conditions these errors take days to happen and in intense usage take hours. A test with ping gives packet loss, showing that something is wrong: ping -4 -s 462 {destination} # 462 =3D 512 - 42 - 8 Not all packets fail. My guess is that the device tries to find another packet starting at the extra byte and will fail or not depending on the next bytes (old buffer content). =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D Signed-off-by: Jose Alonso Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan --- drivers/net/usb/ax88179_178a.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) --- a/drivers/net/usb/ax88179_178a.c +++ b/drivers/net/usb/ax88179_178a.c @@ -1703,7 +1703,7 @@ static const struct driver_info ax88179_ .link_reset =3D ax88179_link_reset, .reset =3D ax88179_reset, .stop =3D ax88179_stop, - .flags =3D FLAG_ETHER | FLAG_FRAMING_AX, + .flags =3D FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP, .rx_fixup =3D ax88179_rx_fixup, .tx_fixup =3D ax88179_tx_fixup, }; @@ -1716,7 +1716,7 @@ static const struct driver_info ax88178a .link_reset =3D ax88179_link_reset, .reset =3D ax88179_reset, .stop =3D ax88179_stop, - .flags =3D FLAG_ETHER | FLAG_FRAMING_AX, + .flags =3D FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP, .rx_fixup =3D ax88179_rx_fixup, .tx_fixup =3D ax88179_tx_fixup, }; @@ -1729,7 +1729,7 @@ static const struct driver_info cypress_ .link_reset =3D ax88179_link_reset, .reset =3D ax88179_reset, .stop =3D ax88179_stop, - .flags =3D FLAG_ETHER | FLAG_FRAMING_AX, + .flags =3D FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP, .rx_fixup =3D ax88179_rx_fixup, .tx_fixup =3D ax88179_tx_fixup, }; @@ -1742,7 +1742,7 @@ static const struct driver_info dlink_du .link_reset =3D ax88179_link_reset, .reset =3D ax88179_reset, .stop =3D ax88179_stop, - .flags =3D FLAG_ETHER | FLAG_FRAMING_AX, + .flags =3D FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP, .rx_fixup =3D ax88179_rx_fixup, .tx_fixup =3D ax88179_tx_fixup, }; @@ -1755,7 +1755,7 @@ static const struct driver_info sitecom_ .link_reset =3D ax88179_link_reset, .reset =3D ax88179_reset, .stop =3D ax88179_stop, - .flags =3D FLAG_ETHER | FLAG_FRAMING_AX, + .flags =3D FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP, .rx_fixup =3D ax88179_rx_fixup, .tx_fixup =3D ax88179_tx_fixup, }; @@ -1768,7 +1768,7 @@ static const struct driver_info samsung_ .link_reset =3D ax88179_link_reset, .reset =3D ax88179_reset, .stop =3D ax88179_stop, - .flags =3D FLAG_ETHER | FLAG_FRAMING_AX, + .flags =3D FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP, .rx_fixup =3D ax88179_rx_fixup, .tx_fixup =3D ax88179_tx_fixup, }; @@ -1781,7 +1781,7 @@ static const struct driver_info lenovo_i .link_reset =3D ax88179_link_reset, .reset =3D ax88179_reset, .stop =3D ax88179_stop, - .flags =3D FLAG_ETHER | FLAG_FRAMING_AX, + .flags =3D FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP, .rx_fixup =3D ax88179_rx_fixup, .tx_fixup =3D ax88179_tx_fixup, };