From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, stable@kernel.org, Lee Jones, Luiz Augusto von Dentz
Subject: [PATCH 4.9 001/101] Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put
Date: Tue, 23 Aug 2022 10:02:34 +0200
Message-Id: <20220823080034.635318372@linuxfoundation.org>
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>

From: Luiz Augusto von Dentz

commit d0be8347c623e0ac4202a1d4e0373882821f56b0 upstream.

This fixes the following trace which is caused by hci_rx_work starting up
*after* the final channel reference has been put() during sock_close() but
*before* the references to the channel have been destroyed, so instead
the code now relies on kref_get_unless_zero/l2cap_chan_hold_unless_zero to
prevent referencing a channel that is about to be destroyed.

  refcount_t: increment on 0; use-after-free.
  BUG: KASAN: use-after-free in refcount_dec_and_test+0x20/0xd0
  Read of size 4 at addr ffffffc114f5bf18 by task kworker/u17:14/705

  CPU: 4 PID: 705 Comm: kworker/u17:14 Tainted: G S W 4.14.234-00003-g1fb6d0bd49a4-dirty #28
  Hardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM sm8150 Flame DVT (DT)
  Workqueue: hci0 hci_rx_work
  Call trace:
   dump_backtrace+0x0/0x378
   show_stack+0x20/0x2c
   dump_stack+0x124/0x148
   print_address_description+0x80/0x2e8
   __kasan_report+0x168/0x188
   kasan_report+0x10/0x18
   __asan_load4+0x84/0x8c
   refcount_dec_and_test+0x20/0xd0
   l2cap_chan_put+0x48/0x12c
   l2cap_recv_frame+0x4770/0x6550
   l2cap_recv_acldata+0x44c/0x7a4
   hci_acldata_packet+0x100/0x188
   hci_rx_work+0x178/0x23c
   process_one_work+0x35c/0x95c
   worker_thread+0x4cc/0x960
   kthread+0x1a8/0x1c4
   ret_from_fork+0x10/0x18

Cc: stable@kernel.org
Reported-by: Lee Jones
Signed-off-by: Luiz Augusto von Dentz
Tested-by: Lee Jones
Signed-off-by: Luiz Augusto von Dentz
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
--- include/net/bluetooth/l2cap.h | 1=20 net/bluetooth/l2cap_core.c | 61 +++++++++++++++++++++++++++++++++----= ----- 2 files changed, 49 insertions(+), 13 deletions(-) --- a/include/net/bluetooth/l2cap.h +++ b/include/net/bluetooth/l2cap.h 
@@ -798,6 +798,7 @@ enum { }; =20 void l2cap_chan_hold(struct l2cap_chan *c); +struct l2cap_chan *l2cap_chan_hold_unless_zero(struct l2cap_chan *c); void l2cap_chan_put(struct l2cap_chan *c); =20 static inline void l2cap_chan_lock(struct l2cap_chan *chan) --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -113,7 +113,8 @@ static struct l2cap_chan *__l2cap_get_ch } =20 /* Find channel with given SCID. - * Returns locked channel. */ + * Returns a reference locked channel. + */ static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid) { @@ -121,15 +122,19 @@ static struct l2cap_chan *l2cap_get_chan =20 mutex_lock(&conn->chan_lock); c =3D __l2cap_get_chan_by_scid(conn, cid); - if (c) - l2cap_chan_lock(c); + if (c) { + /* Only lock if chan reference is not 0 */ + c =3D l2cap_chan_hold_unless_zero(c); + if (c) + l2cap_chan_lock(c); + } mutex_unlock(&conn->chan_lock); =20 return c; } =20 /* Find channel with given DCID. - * Returns locked channel. + * Returns a reference locked channel. */ static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid) @@ -138,8 +143,12 @@ static struct l2cap_chan *l2cap_get_chan =20 mutex_lock(&conn->chan_lock); c =3D __l2cap_get_chan_by_dcid(conn, cid); - if (c) - l2cap_chan_lock(c); + if (c) { + /* Only lock if chan reference is not 0 */ + c =3D l2cap_chan_hold_unless_zero(c); + if (c) + l2cap_chan_lock(c); + } mutex_unlock(&conn->chan_lock); =20 return c; @@ -164,8 +173,12 @@ static struct l2cap_chan *l2cap_get_chan =20 mutex_lock(&conn->chan_lock); c =3D __l2cap_get_chan_by_ident(conn, ident); - if (c) - l2cap_chan_lock(c); + if (c) { + /* Only lock if chan reference is not 0 */ + c =3D l2cap_chan_hold_unless_zero(c); + if (c) + l2cap_chan_lock(c); + } mutex_unlock(&conn->chan_lock); =20 return c; 
@@ -491,6 +504,16 @@ void l2cap_chan_hold(struct l2cap_chan * kref_get(&c->kref); } =20 +struct l2cap_chan *l2cap_chan_hold_unless_zero(struct l2cap_chan *c) +{ + BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref)); + + if (!kref_get_unless_zero(&c->kref)) + return NULL; + + return c; +} + void l2cap_chan_put(struct l2cap_chan *c) { BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount)); @@ -1803,7 +1826,10 @@ static struct l2cap_chan *l2cap_global_c src_match =3D !bacmp(&c->src, src); dst_match =3D !bacmp(&c->dst, dst); if (src_match && dst_match) { - l2cap_chan_hold(c); + c =3D l2cap_chan_hold_unless_zero(c); + if (!c) + continue; + read_unlock(&chan_list_lock); return c; } @@ -1818,7 +1844,7 @@ static struct l2cap_chan *l2cap_global_c } =20 if (c1) - l2cap_chan_hold(c1); + c1 =3D l2cap_chan_hold_unless_zero(c1); =20 read_unlock(&chan_list_lock); =20 @@ -4194,6 +4220,7 @@ static inline int l2cap_config_req(struc =20 unlock: l2cap_chan_unlock(chan); + l2cap_chan_put(chan); return err; } =20 @@ -4306,6 +4333,7 @@ static inline int l2cap_config_rsp(struc =20 done: l2cap_chan_unlock(chan); + l2cap_chan_put(chan); return err; } =20 @@ -5034,6 +5062,7 @@ send_move_response: l2cap_send_move_chan_rsp(chan, result); =20 l2cap_chan_unlock(chan); + l2cap_chan_put(chan); =20 return 0; } @@ -5126,6 +5155,7 @@ static void l2cap_move_continue(struct l } =20 l2cap_chan_unlock(chan); + l2cap_chan_put(chan); } =20 static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid, @@ -5155,6 +5185,7 @@ static void l2cap_move_fail(struct l2cap l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED); =20 l2cap_chan_unlock(chan); + l2cap_chan_put(chan); } =20 static int l2cap_move_channel_rsp(struct l2cap_conn *conn, @@ -5218,6 +5249,7 @@ static int l2cap_move_channel_confirm(st l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid); =20 l2cap_chan_unlock(chan); + l2cap_chan_put(chan); =20 return 0; } 
@@ -5253,6 +5285,7 @@ static inline int l2cap_move_channel_con } =20 l2cap_chan_unlock(chan); + l2cap_chan_put(chan); =20 return 0; } @@ -5625,12 +5658,11 @@ static inline int l2cap_le_credits(struc if (credits > max_credits) { BT_ERR("LE credits overflow"); l2cap_send_disconn_req(chan, ECONNRESET); - l2cap_chan_unlock(chan); =20 /* Return 0 so that we don't trigger an unnecessary * command reject packet. */ - return 0; + goto unlock; } =20 chan->tx_credits +=3D credits; @@ -5643,7 +5675,9 @@ static inline int l2cap_le_credits(struc if (chan->tx_credits) chan->ops->resume(chan); =20 +unlock: l2cap_chan_unlock(chan); + l2cap_chan_put(chan); =20 return 0; } @@ -6941,6 +6975,7 @@ drop: =20 done: l2cap_chan_unlock(chan); + l2cap_chan_put(chan); } =20 static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, 
@@ -7345,7 +7380,7 @@ static struct l2cap_chan *l2cap_global_f if (src_type !=3D c->src_type) continue; =20 - l2cap_chan_hold(c); + c =3D l2cap_chan_hold_unless_zero(c); read_unlock(&chan_list_lock); return c; }
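
Review bot: In the net/bluetooth/l2cap_core.c hunk at "@@ -1803,7 +1826,10 @@", `c = l2cap_chan_hold_unless_zero(c);` overwrites `c` with NULL on failure and the next added lines are `if (!c) continue;`. `c` is the variable the loop body reads (`c->src`, `c->dst`), so if it is also the list cursor, the iteration step after `continue` dereferences NULL. Test the return value without assigning it, for example `if (!l2cap_chan_hold_unless_zero(c)) continue;`.

Review bot: The hunk at "@@ -7345,7 +7380,7 @@" treats the same failure differently from the one at "@@ -1803": it unlocks and returns the NULL result at once instead of moving on to the next channel. If a channel whose refcount has reached zero should simply be skipped, use the skip-and-continue form in both places; if ending the lookup is intended here, a short comment should say so.

Review bot: The reworded comments on the three l2cap_get_chan_by_* lookups ("Returns a reference locked channel.") do not state what the caller owes. Every caller touched by this patch now pairs `l2cap_chan_unlock(chan)` with `l2cap_chan_put(chan)`, so spell that out, for example "Returns the channel locked and with a reference held; the caller must unlock and put it."
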
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, ChenXiaoSong, Hawkins Jiawei, Anton Altaparmakov, Yongqiang Liu, Zhang Yi, Zhang Xiaoxu, Andrew Morton
Subject: [PATCH 4.9 002/101] ntfs: fix use-after-free in ntfs_ucsncmp()
Date: Tue, 23 Aug 2022 10:02:35 +0200
Message-Id: <20220823080034.685941140@linuxfoundation.org>
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>

From: ChenXiaoSong

commit 38c9c22a85aeed28d0831f230136e9cf6fa2ed44 upstream.

Syzkaller reported use-after-free bug as follows:

==================================================================
BUG: KASAN: use-after-free in ntfs_ucsncmp+0x123/0x130
Read of size 2 at addr ffff8880751acee8 by task a.out/879

CPU: 7 PID: 879 Comm: a.out Not tainted 5.19.0-rc4-next-20220630-00001-gcc5218c8bd2c-dirty #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Call Trace:
 dump_stack_lvl+0x1c0/0x2b0
 print_address_description.constprop.0.cold+0xd4/0x484
 print_report.cold+0x55/0x232
 kasan_report+0xbf/0xf0
 ntfs_ucsncmp+0x123/0x130
 ntfs_are_names_equal.cold+0x2b/0x41
 ntfs_attr_find+0x43b/0xb90
 ntfs_attr_lookup+0x16d/0x1e0
 ntfs_read_locked_attr_inode+0x4aa/0x2360
 ntfs_attr_iget+0x1af/0x220
 ntfs_read_locked_inode+0x246c/0x5120
 ntfs_iget+0x132/0x180
 load_system_files+0x1cc6/0x3480
 ntfs_fill_super+0xa66/0x1cf0
 mount_bdev+0x38d/0x460
 legacy_get_tree+0x10d/0x220
 vfs_get_tree+0x93/0x300
 do_new_mount+0x2da/0x6d0
 path_mount+0x496/0x19d0
 __x64_sys_mount+0x284/0x300
 do_syscall_64+0x3b/0xc0
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f3f2118d9ea
Code: 48 8b 0d a9 f4 0b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 76 f4 0b 00 f7 d8 64 89 01 48
RSP: 002b:00007ffc269deac8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3f2118d9ea
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffc269dec00
RBP: 00007ffc269dec80 R08: 00007ffc269deb00 R09: 00007ffc269dec44
R10: 0000000000000000 R11: 0000000000000202 R12: 000055f81ab1d220
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

The buggy address belongs to the physical page:
page:0000000085430378 refcount:1 mapcount:1 mapping:0000000000000000 index:0x555c6a81d pfn:0x751ac
memcg:ffff888101f7e180
anon flags: 0xfffffc00a0014(uptodate|lru|mappedtodisk|swapbacked|node=0|zone=1|lastcpupid=0x1fffff)
raw: 000fffffc00a0014 ffffea0001bf2988 ffffea0001de2448 ffff88801712e201
raw: 0000000555c6a81d 0000000000000000 0000000100000000 ffff888101f7e180
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880751acd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880751ace00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880751ace80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                          ^
 ffff8880751acf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880751acf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

The reason is that struct ATTR_RECORD->name_offset is 6485, end address of
name string is out of bounds.

Fix this by adding sanity check on end address of attribute name string.

[akpm@linux-foundation.org: coding-style cleanups]
[chenxiaosong2@huawei.com: cleanup suggested by Hawkins Jiawei]
Link: https://lkml.kernel.org/r/20220709064511.3304299-1-chenxiaosong2@huawei.com
Link: https://lkml.kernel.org/r/20220707105329.4020708-1-chenxiaosong2@huawei.com
Signed-off-by: ChenXiaoSong
Signed-off-by: Hawkins Jiawei
Cc: Anton Altaparmakov
Cc: ChenXiaoSong
Cc: Yongqiang Liu
Cc: Zhang Yi
Cc: Zhang Xiaoxu
Signed-off-by: Andrew Morton
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
--- fs/ntfs/attrib.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- a/fs/ntfs/attrib.c +++ b/fs/ntfs/attrib.c 
@@ -606,8 +606,12 @@ static int ntfs_attr_find(const ATTR_TYP a =3D (ATTR_RECORD*)((u8*)ctx->attr + le32_to_cpu(ctx->attr->length)); for (;; a =3D (ATTR_RECORD*)((u8*)a + le32_to_cpu(a->length))) { - if ((u8*)a < (u8*)ctx->mrec || (u8*)a > (u8*)ctx->mrec + - le32_to_cpu(ctx->mrec->bytes_allocated)) + u8 *mrec_end =3D (u8 *)ctx->mrec + + le32_to_cpu(ctx->mrec->bytes_allocated); + u8 *name_end =3D (u8 *)a + le16_to_cpu(a->name_offset) + + a->name_length * sizeof(ntfschar); + if ((u8*)a < (u8*)ctx->mrec || (u8*)a > mrec_end || + name_end > mrec_end) break; ctx->attr =3D a; if (unlikely(le32_to_cpu(a->type) > le32_to_cpu(type) ||
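
Review bot: In the ntfs_attr_find() hunk, `name_end` is computed from `a->name_offset` and `a->name_length` in the declarations, before the `(u8*)a < (u8*)ctx->mrec || (u8*)a > mrec_end` test has established that `a` lies inside the record, so the new check itself reads through a possibly out-of-range `a`. Range-check `a` first and compute `name_end` only once that has passed. The retained comparison `(u8*)a > mrec_end` also accepts `a == mrec_end`, where the header fields are already past the end; checking that the fixed part of the attribute header fits before `mrec_end` would cover that case.
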
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Bart Van Assche, Liang He, "Martin K. Petersen"
Subject: [PATCH 4.9 003/101] scsi: ufs: host: Hold reference returned by of_parse_phandle()
Date: Tue, 23 Aug 2022 10:02:36 +0200
Message-Id: <20220823080034.726420269@linuxfoundation.org>
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>

From: Liang He

commit a3435afba87dc6cd83f5595e7607f3c40f93ef01 upstream.

In ufshcd_populate_vreg(), we should hold the reference returned by
of_parse_phandle() and then use it to call of_node_put() for refcount
balance.

Link: https://lore.kernel.org/r/20220719071529.1081166-1-windhl@126.com
Fixes: aa4976130934 ("ufs: Add regulator enable support")
Reviewed-by: Bart Van Assche
Signed-off-by: Liang He
Signed-off-by: Martin K. Petersen
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
--- drivers/scsi/ufs/ufshcd-pltfrm.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) --- a/drivers/scsi/ufs/ufshcd-pltfrm.c +++ b/drivers/scsi/ufs/ufshcd-pltfrm.c 
@@ -126,9 +126,20 @@ out: return ret; } =20 +static bool phandle_exists(const struct device_node *np, + const char *phandle_name, int index) +{ + struct device_node *parse_np =3D of_parse_phandle(np, phandle_name, index= ); + + if (parse_np) + of_node_put(parse_np); + + return parse_np !=3D NULL; +} + #define MAX_PROP_SIZE 32 static int ufshcd_populate_vreg(struct device *dev, const char *name, - struct ufs_vreg **out_vreg) + struct ufs_vreg **out_vreg) { int ret =3D 0; char prop_name[MAX_PROP_SIZE]; 
@@ -141,7 +152,7 @@ static int ufshcd_populate_vreg(struct d } =20 snprintf(prop_name, MAX_PROP_SIZE, "%s-supply", name); - if (!of_parse_phandle(np, prop_name, 0)) { + if (!phandle_exists(np, prop_name, 0)) { dev_info(dev, "%s: Unable to find %s regulator, assuming enabled\n", __func__, prop_name); goto out;
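
Review bot: In the "@@ -126,9 +126,20 @@" hunk, the `-`/`+` pair on `struct ufs_vreg **out_vreg)` in the ufshcd_populate_vreg() signature differs only in whitespace and has nothing to do with the refcount fix; drop it from the backport unless it is needed to keep the patch identical to upstream. The new phandle_exists() helper would also benefit from a one-line comment saying that it deliberately drops the reference it has just taken and that `return parse_np != NULL;` only compares the pointer value after the put.
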
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+a8430774139ec3ab7176@syzkaller.appspotmail.com, Ayushman Dutta, Kuniyuki Iwashima, David Ahern, Eric Dumazet, Jakub Kicinski
Subject: [PATCH 4.9 004/101] net: ping6: Fix memleak in ipv6_renew_options().
Date: Tue, 23 Aug 2022 10:02:37 +0200
Message-Id: <20220823080034.756595930@linuxfoundation.org>
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>

From: Kuniyuki Iwashima

commit e27326009a3d247b831eda38878c777f6f4eb3d1 upstream.

When we close ping6 sockets, some resources are left unfreed because
pingv6_prot is missing sk->sk_prot->destroy(). As reported by
syzbot [0], just three syscalls leak 96 bytes and easily cause OOM.

    struct ipv6_sr_hdr *hdr;
    char data[24] = {0};
    int fd;

    hdr = (struct ipv6_sr_hdr *)data;
    hdr->hdrlen = 2;
    hdr->type = IPV6_SRCRT_TYPE_4;

    fd = socket(AF_INET6, SOCK_DGRAM, NEXTHDR_ICMP);
    setsockopt(fd, IPPROTO_IPV6, IPV6_RTHDR, data, 24);
    close(fd);

To fix memory leaks, let's add a destroy function.

Note the socket() syscall checks if the GID is within the range of
net.ipv4.ping_group_range. The default value is [1, 0] so that no
GID meets the condition (1 <= GID <= 0). Thus, the local DoS does
not succeed until we change the default value. However, at least
Ubuntu/Fedora/RHEL loosen it.

    $ cat /usr/lib/sysctl.d/50-default.conf
    ...
    -net.ipv4.ping_group_range = 0 2147483647

Also, there could be another path reported with these options, and
some of them require CAP_NET_RAW.

  setsockopt
      IPV6_ADDRFORM (inet6_sk(sk)->pktoptions)
      IPV6_RECVPATHMTU (inet6_sk(sk)->rxpmtu)
      IPV6_HOPOPTS (inet6_sk(sk)->opt)
      IPV6_RTHDRDSTOPTS (inet6_sk(sk)->opt)
      IPV6_RTHDR (inet6_sk(sk)->opt)
      IPV6_DSTOPTS (inet6_sk(sk)->opt)
      IPV6_2292PKTOPTIONS (inet6_sk(sk)->opt)

  getsockopt
      IPV6_FLOWLABEL_MGR (inet6_sk(sk)->ipv6_fl_list)

For the record, I left a different splat with syzbot's one.

  unreferenced object 0xffff888006270c60 (size 96):
    comm "repro2", pid 231, jiffies 4294696626 (age 13.118s)
    hex dump (first 32 bytes):
      01 00 00 00 44 00 00 00 00 00 00 00 00 00 00 00  ....D...........
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    backtrace:
      [<00000000f6bc7ea9>] sock_kmalloc (net/core/sock.c:2564 net/core/sock.c:2554)
      [<000000006d699550>] do_ipv6_setsockopt.constprop.0 (net/ipv6/ipv6_sockglue.c:715)
      [<00000000c3c3b1f5>] ipv6_setsockopt (net/ipv6/ipv6_sockglue.c:1024)
      [<000000007096a025>] __sys_setsockopt (net/socket.c:2254)
      [<000000003a8ff47b>] __x64_sys_setsockopt (net/socket.c:2265 net/socket.c:2262 net/socket.c:2262)
      [<000000007c409dcb>] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
      [<00000000e939c4a9>] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)

[0]: https://syzkaller.appspot.com/bug?extid=a8430774139ec3ab7176

Fixes: 6d0bfe226116 ("net: ipv6: Add IPv6 support to the ping socket.")
Reported-by: syzbot+a8430774139ec3ab7176@syzkaller.appspotmail.com
Reported-by: Ayushman Dutta
Signed-off-by: Kuniyuki Iwashima
Reviewed-by: David Ahern
Reviewed-by: Eric Dumazet
Link: https://lore.kernel.org/r/20220728012220.46918-1-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
--- net/ipv6/ping.c | 6 ++++++ 1 file changed, 6 insertions(+) --- a/net/ipv6/ping.c +++ b/net/ipv6/ping.c @@ -26,6 +26,11 @@ #include #include =20 +static void ping_v6_destroy(struct sock *sk) +{ + inet6_destroy_sock(sk); +} + /* Compatibility glue so we can support IPv6 when it's compiled as a modul= e */ static int dummy_ipv6_recv_error(struct sock *sk, struct msghdr *msg, int = len, int *addr_len) 
@@ -179,6 +184,7 @@ struct proto pingv6_prot =3D { .owner =3D THIS_MODULE, .init =3D ping_init_sock, .close =3D ping_close, + .destroy =3D ping_v6_destroy, .connect =3D ip6_datagram_connect_v6_only, .disconnect =3D __udp_disconnect, .setsockopt =3D ipv6_setsockopt,
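
Review bot: ping_v6_destroy() in the "@@ -26,6 +26,11 @@" hunk of net/ipv6/ping.c is a one-line wrapper around `inet6_destroy_sock(sk)` with no comment explaining why a wrapper is needed. Either set `.destroy` in pingv6_prot to inet6_destroy_sock directly, or add a comment on the wrapper giving the reason, so a later cleanup does not remove it by mistake.
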
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Liang He, Jakub Kicinski, Sasha Levin
Subject: [PATCH 4.9 005/101] net: sungem_phy: Add of_node_put() for reference returned by of_get_parent()
Date: Tue, 23 Aug 2022 10:02:38 +0200
Message-Id: <20220823080034.798652429@linuxfoundation.org>
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>

From: Liang He

[ Upstream commit ebbbe23fdf6070e31509638df3321688358cc211 ]

In bcm5421_init(), we should call of_node_put() for the reference
returned by of_get_parent() which has increased the refcount.

Fixes: 3c326fe9cb7a ("[PATCH] ppc64: Add new PHY to sungem")
Signed-off-by: Liang He
Link: https://lore.kernel.org/r/20220720131003.1287426-1-windhl@126.com
Signed-off-by: Jakub Kicinski
Signed-off-by: Sasha Levin
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
--- drivers/net/sungem_phy.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/sungem_phy.c b/drivers/net/sungem_phy.c index 92578d72e4ee..c5efdde21c2e 100644 --- a/drivers/net/sungem_phy.c +++ b/drivers/net/sungem_phy.c 
@@ -453,6 +453,7 @@ static int bcm5421_init(struct mii_phy* phy) int can_low_power =3D 1; if (np =3D=3D NULL || of_get_property(np, "no-autolowpower", NULL)) can_low_power =3D 0; + of_node_put(np); if (can_low_power) { /* Enable automatic low-power */ sungem_phy_write(phy, 0x1c, 0x9002); --=20 2.35.1
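
Review bot: In the bcm5421_init() hunk, `of_node_put(np);` sits after `if (np == NULL || of_get_property(np, "no-autolowpower", NULL))`, so it is also reached when np is NULL. Confirm that of_node_put() accepts a NULL node in the 4.9 tree, or guard the call with `if (np)`; a short comment naming the of_get_parent() reference being released would make the pairing obvious.
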
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Domingo Dirutigliano, Florian Westphal, Pablo Neira Ayuso, Sasha Levin
Subject: [PATCH 4.9 006/101] netfilter: nf_queue: do not allow packet truncation below transport header offset
Date: Tue, 23 Aug 2022 10:02:39 +0200
Message-Id: <20220823080034.838634482@linuxfoundation.org>
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>

From: Florian Westphal

[ Upstream commit 99a63d36cb3ed5ca3aa6fcb64cffbeaf3b0fb164 ]

Domingo Dirutigliano and Nicola Guerrera report kernel panic when
sending nf_queue verdict with 1-byte nfta_payload attribute.

The IP/IPv6 stack pulls the IP(v6) header from the packet after the
input hook.

If user truncates the packet below the header size, this skb_pull() will
result in a malformed skb (skb->len < 0).

Fixes: 7af4cc3fa158 ("[NETFILTER]: Add "nfnetlink_queue" netfilter queue handler over nfnetlink")
Reported-by: Domingo Dirutigliano
Signed-off-by: Florian Westphal
Reviewed-by: Pablo Neira Ayuso
Signed-off-by: Sasha Levin
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
--- net/netfilter/nfnetlink_queue.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queu= e.c index 66814a9d030c..80715b495d7c 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c 
@@ -807,11 +807,16 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, un= signed int queuenum) } =20 static int -nfqnl_mangle(void *data, int data_len, struct nf_queue_entry *e, int diff) +nfqnl_mangle(void *data, unsigned int data_len, struct nf_queue_entry *e, = int diff) { struct sk_buff *nskb; =20 if (diff < 0) { + unsigned int min_len =3D skb_transport_offset(e->skb); + + if (data_len < min_len) + return -EINVAL; + if (pskb_trim(e->skb, data_len)) return -ENOMEM; } else if (diff > 0) { --=20 2.35.1 From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 99EBCC32789 for ; Tue, 23 Aug 2022 08:13:27 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242252AbiHWINY (ORCPT ); Tue, 23 Aug 2022 04:13:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59884 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242010AbiHWIK1 (ORCPT ); Tue, 23 Aug 2022 04:10:27 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 174EEF72; Tue, 23 Aug 2022 01:07:04 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id C89FFB81BF8; Tue, 23 Aug 2022 08:07:02 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 185B5C433D6; Tue, 23 Aug 2022 08:07:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242021; bh=ljrqwzOrbT0JrmQUw2UjpfLFC5dyyN3a2eOKGBHBJcM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; 
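Review bot: in nfqnl_mangle() (net/netfilter/nfnetlink_queue.c), min_len is declared unsigned int but is assigned from skb_transport_offset(), which returns a signed int. If the transport header lies before skb->data when the verdict arrives, the offset is negative and wraps to a very large unsigned value, so every truncating verdict is rejected with -EINVAL. Keep the offset in an int and handle the negative case explicitly before comparing. A one-line comment above the check saying why the floor is the transport offset would also help, since the commit message describes the failure in terms of the IP(v6) header being pulled after the input hook. The signature change of data_len to unsigned int needs a matching look at the caller, which is outside this hunk: a negative length passed in would now compare as a very large one.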
b=osnCGq9MYk4S0aLIPgtIif1i+A4inue4Z5vSImTXHoCIdtEbm3PPLSEUET84Gjn9k Q7mqEpv3l5Mnr7VG6dA/3FPXKo5oJWzr07KSH0i8TyzP8yIxK1ci5bXWJeHXP2AgKI SB/qbhD7nONej5QB03ps7Pu/C6KkMJui6u0vZLcs= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Greg Kroah-Hartman , "Jason A. Donenfeld" , "Justin M. Forbes" , Ard Biesheuvel , Arnd Bergmann , Nicolas Pitre , Nathan Chancellor , Nick Desaulniers Subject: [PATCH 4.9 007/101] ARM: crypto: comment out gcc warning that breaks clang builds Date: Tue, 23 Aug 2022 10:02:40 +0200 Message-Id: <20220823080034.874885836@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Greg Kroah-Hartman The gcc build warning prevents all clang-built kernels from working properly, so comment it out to fix the build. This is a -stable kernel only patch for now, it will be resolved differently in mainline releases in the future. Cc: "Jason A. Donenfeld" Cc: "Justin M. Forbes" Cc: Ard Biesheuvel Acked-by: Arnd Bergmann Cc: Nicolas Pitre Cc: Nathan Chancellor Cc: Nick Desaulniers Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- arch/arm/lib/xor-neon.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/arch/arm/lib/xor-neon.c +++ b/arch/arm/lib/xor-neon.c 
@@ -29,8 +29,9 @@ MODULE_LICENSE("GPL"); * While older versions of GCC do not generate incorrect code, they fail to * recognize the parallel nature of these functions, and emit plain ARM co= de, * which is known to be slower than the optimized ARM code in asm-arm/xor.= h. + * + * #warning This code requires at least version 4.6 of GCC */ -#warning This code requires at least version 4.6 of GCC #endif =20 #pragma GCC diagnostic ignored "-Wunused-variable" From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 422C9C32774 for ; Tue, 23 Aug 2022 08:13:49 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242116AbiHWINq (ORCPT ); Tue, 23 Aug 2022 04:13:46 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60090 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242012AbiHWIK1 (ORCPT ); Tue, 23 Aug 2022 04:10:27 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 94E3C658D; Tue, 23 Aug 2022 01:07:08 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 2F91B611A8; Tue, 23 Aug 2022 08:07:08 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 25B63C433D6; Tue, 23 Aug 2022 08:07:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242027; bh=bkzWdmz2JVM+wLTXYPbUAq4Q+S3Ie5HmYb7fg2zOyJ8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=SfzBlHnZTuMBetB2+4MDNQuJFWwUsHAdBjsQBO7wEA4nfGTL4/TdDnnjgg6ErRP2L 
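Review bot: the "#warning This code requires at least version 4.6 of GCC" line moved into the block comment in arch/arm/lib/xor-neon.c still reads like a live directive at a glance, and nothing in the comment says why it is disabled. Add a sentence to the comment stating that the warning is intentionally commented out because it breaks clang builds and that this is a -stable-only workaround, so the reason survives without the commit message.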
uWvHQRPE3xXIsC78KGmQlgpg170ZhrUL/1z5yaG2jb2ZBkKcsjGxBD71wtGLxHPudF ex1os4UQd07SHe7dv8o+8eV/3d2eLsVlGrSN1h7I= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Wei Mingzhi , Jakub Kicinski , Kalle Valo , Yan Xinyu Subject: [PATCH 4.9 008/101] mt7601u: add USB device ID for some versions of XiaoDu WiFi Dongle. Date: Tue, 23 Aug 2022 10:02:41 +0200 Message-Id: <20220823080034.914913887@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Wei Mingzhi commit 829eea7c94e0bac804e65975639a2f2e5f147033 upstream. USB device ID of some versions of XiaoDu WiFi Dongle is 2955:1003 instead of 2955:1001. Both are the same mt7601u hardware. Signed-off-by: Wei Mingzhi Acked-by: Jakub Kicinski Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210618160840.305024-1-whistler@member.fsf= .org Cc: Yan Xinyu Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- drivers/net/wireless/mediatek/mt7601u/usb.c | 1 + 1 file changed, 1 insertion(+) --- a/drivers/net/wireless/mediatek/mt7601u/usb.c +++ b/drivers/net/wireless/mediatek/mt7601u/usb.c 
@@ -34,6 +34,7 @@ static struct usb_device_id mt7601u_devi { USB_DEVICE(0x2717, 0x4106) }, { USB_DEVICE(0x2955, 0x0001) }, { USB_DEVICE(0x2955, 0x1001) }, + { USB_DEVICE(0x2955, 0x1003) }, { USB_DEVICE(0x2a5f, 0x1000) }, { USB_DEVICE(0x7392, 0x7710) }, { 0, } From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id B536DC32774 for ; Tue, 23 Aug 2022 08:13:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242300AbiHWINy (ORCPT ); Tue, 23 Aug 2022 04:13:54 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59250 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242032AbiHWIK3 (ORCPT ); Tue, 23 Aug 2022 04:10:29 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9BAF94D26D; Tue, 23 Aug 2022 01:07:14 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 34378611A8; Tue, 23 Aug 2022 08:07:14 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 40B4BC433D7; Tue, 23 Aug 2022 08:07:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242033; bh=QAUfSsC9KYdgVc/yLgZVFvSM3OJFgxmGWfCvmlPxxBY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=KUw3GsWsoLfmVns6TXXuDxT006pBrbph3KxF4dPQRSyyYhAZ3UyNdHEm6cIyQ7wll x8G3Ojr6pH59LZgXBHn4tHOXXJQjLim37lQAhvRhv08LSzTHdlJa4w8CoY9QCPNedH dH8rwObTT4qNzSm4TB+zOqZA6AQD/YWsEMbUOZ8I= 
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, kernel test robot , Nathan Chancellor Subject: [PATCH 4.9 009/101] ion: Make user_ion_handle_put_nolock() a void function Date: Tue, 23 Aug 2022 10:02:42 +0200 Message-Id: <20220823080034.945293377@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Nathan Chancellor Clang warns: drivers/staging/android/ion/ion-ioctl.c:71:6: warning: variable 'ret' is = used uninitialized whenever 'if' condition is false [-Wsometimes-uninitiali= zed] if (--handle->user_ref_count =3D=3D 0) ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/staging/android/ion/ion-ioctl.c:74:9: note: uninitialized use occ= urs here return ret; ^~~ drivers/staging/android/ion/ion-ioctl.c:71:2: note: remove the 'if' if it= s condition is always true if (--handle->user_ref_count =3D=3D 0) ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/staging/android/ion/ion-ioctl.c:69:9: note: initialize the variab= le 'ret' to silence this warning int ret; ^ =3D 0 1 warning generated. The return value of user_ion_handle_put_nolock() is not checked in its one call site in user_ion_free_nolock() so just make user_ion_handle_put_nolock() return void to remove the warning. Fixes: a8200613c8c9 ("ion: Protect kref from userspace manipulation") Reported-by: kernel test robot Signed-off-by: Nathan Chancellor Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- drivers/staging/android/ion/ion-ioctl.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) --- a/drivers/staging/android/ion/ion-ioctl.c +++ b/drivers/staging/android/ion/ion-ioctl.c 
@@ -64,14 +64,10 @@ static struct ion_handle *pass_to_user(s } =20 /* Must hold the client lock */ -static int user_ion_handle_put_nolock(struct ion_handle *handle) +static void user_ion_handle_put_nolock(struct ion_handle *handle) { - int ret; - if (--handle->user_ref_count =3D=3D 0) - ret =3D ion_handle_put_nolock(handle); - - return ret; + ion_handle_put_nolock(handle); } =20 static void user_ion_free_nolock(struct ion_client *client, From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 06B0FC32774 for ; Tue, 23 Aug 2022 08:14:05 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242312AbiHWIOD (ORCPT ); Tue, 23 Aug 2022 04:14:03 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:32814 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242047AbiHWIKc (ORCPT ); Tue, 23 Aug 2022 04:10:32 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DE8CEF3B; Tue, 23 Aug 2022 01:07:20 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 5D62E610AA; Tue, 23 Aug 2022 08:07:20 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4FC2FC433D6; Tue, 23 Aug 2022 08:07:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242039; bh=t4F7UxwgqjJIxKuZKRMLCgcA54hql5brZfQwsEScR3c=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=xq+APEnbMWFsk5wySC1a6MaH81N0DtDziN6aE6gSJHeFkjMxRMhPlz3/hEESJicdf 
9t4H/FLvgevq7XYGhap3yg2/DiXeBVWrJLDbcBqBt0QXrEHZpnDNSFtXukPnxlTVi3 hDERDk3u3bTekL71Y0p7BPioNjB/5Bx2lzg/WYos= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Andreas Gruenbacher , Paul Moore , Alexander Grund Subject: [PATCH 4.9 010/101] selinux: Minor cleanups Date: Tue, 23 Aug 2022 10:02:43 +0200 Message-Id: <20220823080034.977764462@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Andreas Gruenbacher commit 420591128cb206201dc444c2d42fb6f299b2ecd0 upstream. Fix the comment for function __inode_security_revalidate, which returns an integer. Use the LABEL_* constants consistently for isec->initialized. Signed-off-by: Andreas Gruenbacher Signed-off-by: Paul Moore Signed-off-by: Alexander Grund Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- security/selinux/hooks.c | 3 ++- security/selinux/selinuxfs.c | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -237,6 +237,7 @@ static int inode_alloc_security(struct i isec->sid =3D SECINITSID_UNLABELED; isec->sclass =3D SECCLASS_FILE; isec->task_sid =3D sid; + isec->initialized =3D LABEL_INVALID; inode->i_security =3D isec; =20 return 0; 
@@ -247,7 +248,7 @@ static int inode_doinit_with_dentry(stru /* * Try reloading inode security labels that have been marked as invalid. = The * @may_sleep parameter indicates when sleeping and thus reloading labels = is - * allowed; when set to false, returns ERR_PTR(-ECHILD) when the label is + * allowed; when set to false, returns -ECHILD when the label is * invalid. The @opt_dentry parameter should be set to a dentry of the in= ode; * when no dentry is available, set it to NULL instead. */ --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -1301,7 +1301,7 @@ static int sel_make_bools(void) goto out; =20 isec->sid =3D sid; - isec->initialized =3D 1; + isec->initialized =3D LABEL_INITIALIZED; inode->i_fop =3D &sel_bool_ops; inode->i_ino =3D i|SEL_BOOL_INO_OFFSET; d_add(dentry, inode); 
@@ -1835,7 +1835,7 @@ static int sel_fill_super(struct super_b isec =3D (struct inode_security_struct *)inode->i_security; isec->sid =3D SECINITSID_DEVNULL; isec->sclass =3D SECCLASS_CHR_FILE; - isec->initialized =3D 1; + isec->initialized =3D LABEL_INITIALIZED; =20 init_special_inode(inode, S_IFCHR | S_IRUGO | S_IWUGO, MKDEV(MEM_MAJOR, 3= )); d_add(dentry, inode); From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 85B07C32793 for ; Tue, 23 Aug 2022 08:14:11 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242338AbiHWIOJ (ORCPT ); Tue, 23 Aug 2022 04:14:09 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59400 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242067AbiHWIKe (ORCPT ); Tue, 23 Aug 2022 04:10:34 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 74E21DBC; Tue, 23 Aug 2022 01:07:27 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 0FE7D611A8; Tue, 23 Aug 2022 08:07:27 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id F0E8CC433D6; Tue, 23 Aug 2022 08:07:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242046; bh=Nzx5ZWZeMQOcVPQf6W0t1rCPGf/p4QNBpJqKq6sU2FI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ePyXVgq6ILa8pY7Ec227kUFN8/4hEhqk9T8usxZXsHMM8jANF/iKxzrwwPPObQMqd 1Wb2wZnfKKCTuNXY9k0WksDPt3VQKBTM59fvwDRux7nxdzK5001AhhRLlab7jVuSex Ky5TYe0H17o5hCh72MKOMyH/SFAW8pBPdh5zP9v8= 
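Review bot: the first security/selinux/hooks.c hunk, in inode_alloc_security(), adds a new assignment "isec->initialized = LABEL_INVALID;" rather than replacing a literal, while the commit message only speaks of using the LABEL_* constants consistently. The message should say whether this is a no-op (the field already held that value after allocation) or a behaviour change, so that a backport reviewer does not have to check the allocator and the enum to find out.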
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Andreas Gruenbacher , Paul Moore , Alexander Grund Subject: [PATCH 4.9 011/101] proc: Pass file mode to proc_pid_make_inode Date: Tue, 23 Aug 2022 10:02:44 +0200 Message-Id: <20220823080035.008665489@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Andreas Gruenbacher commit db978da8fa1d0819b210c137d31a339149b88875 upstream. Pass the file mode of the proc inode to be created to proc_pid_make_inode. In proc_pid_make_inode, initialize inode->i_mode before calling security_task_to_inode. This allows selinux to set isec->sclass right away without introducing "half-initialized" inode security structs. Signed-off-by: Andreas Gruenbacher Signed-off-by: Paul Moore Signed-off-by: Alexander Grund Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- fs/proc/base.c | 23 +++++++++-------------- fs/proc/fd.c | 6 ++---- fs/proc/internal.h | 2 +- fs/proc/namespaces.c | 3 +-- security/selinux/hooks.c | 1 + 5 files changed, 14 insertions(+), 21 deletions(-) --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -1676,7 +1676,8 @@ const struct inode_operations proc_pid_l =20 /* building an inode */ =20 -struct inode *proc_pid_make_inode(struct super_block * sb, struct task_str= uct *task) +struct inode *proc_pid_make_inode(struct super_block * sb, + struct task_struct *task, umode_t mode) { struct inode * inode; struct proc_inode *ei; 
@@ -1690,6 +1691,7 @@ struct inode *proc_pid_make_inode(struct =20 /* Common stuff */ ei =3D PROC_I(inode); + inode->i_mode =3D mode; inode->i_ino =3D get_next_ino(); inode->i_mtime =3D inode->i_atime =3D inode->i_ctime =3D current_time(ino= de); inode->i_op =3D &proc_def_inode_operations; @@ -2041,7 +2043,9 @@ proc_map_files_instantiate(struct inode struct proc_inode *ei; struct inode *inode; =20 - inode =3D proc_pid_make_inode(dir->i_sb, task); + inode =3D proc_pid_make_inode(dir->i_sb, task, S_IFLNK | + ((mode & FMODE_READ ) ? S_IRUSR : 0) | + ((mode & FMODE_WRITE) ? S_IWUSR : 0)); if (!inode) return -ENOENT; =20 @@ -2050,12 +2054,6 @@ proc_map_files_instantiate(struct inode =20 inode->i_op =3D &proc_map_files_link_inode_operations; inode->i_size =3D 64; - inode->i_mode =3D S_IFLNK; - - if (mode & FMODE_READ) - inode->i_mode |=3D S_IRUSR; - if (mode & FMODE_WRITE) - inode->i_mode |=3D S_IWUSR; =20 d_set_d_op(dentry, &tid_map_files_dentry_operations); d_add(dentry, inode); @@ -2409,12 +2407,11 @@ static int proc_pident_instantiate(struc struct inode *inode; struct proc_inode *ei; =20 - inode =3D proc_pid_make_inode(dir->i_sb, task); + inode =3D proc_pid_make_inode(dir->i_sb, task, p->mode); if (!inode) goto out; =20 ei =3D PROC_I(inode); - inode->i_mode =3D p->mode; if (S_ISDIR(inode->i_mode)) set_nlink(inode, 2); /* Use getattr to fix if necessary */ if (p->iop) @@ -3109,11 +3106,10 @@ static int proc_pid_instantiate(struct i { struct inode *inode; =20 - inode =3D proc_pid_make_inode(dir->i_sb, task); + inode =3D proc_pid_make_inode(dir->i_sb, task, S_IFDIR | S_IRUGO | S_IXUG= O); if (!inode) goto out; =20 - inode->i_mode =3D S_IFDIR|S_IRUGO|S_IXUGO; inode->i_op =3D &proc_tgid_base_inode_operations; inode->i_fop =3D &proc_tgid_base_operations; inode->i_flags|=3DS_IMMUTABLE; 
@@ -3404,11 +3400,10 @@ static int proc_task_instantiate(struct struct dentry *dentry, struct task_struct *task, const void *ptr) { struct inode *inode; - inode =3D proc_pid_make_inode(dir->i_sb, task); + inode =3D proc_pid_make_inode(dir->i_sb, task, S_IFDIR | S_IRUGO | S_IXUG= O); =20 if (!inode) goto out; - inode->i_mode =3D S_IFDIR|S_IRUGO|S_IXUGO; inode->i_op =3D &proc_tid_base_inode_operations; inode->i_fop =3D &proc_tid_base_operations; inode->i_flags|=3DS_IMMUTABLE; --- a/fs/proc/fd.c +++ b/fs/proc/fd.c @@ -183,14 +183,13 @@ proc_fd_instantiate(struct inode *dir, s struct proc_inode *ei; struct inode *inode; =20 - inode =3D proc_pid_make_inode(dir->i_sb, task); + inode =3D proc_pid_make_inode(dir->i_sb, task, S_IFLNK); if (!inode) goto out; =20 ei =3D PROC_I(inode); ei->fd =3D fd; =20 - inode->i_mode =3D S_IFLNK; inode->i_op =3D &proc_pid_link_inode_operations; inode->i_size =3D 64; =20 @@ -322,14 +321,13 @@ proc_fdinfo_instantiate(struct inode *di struct proc_inode *ei; struct inode *inode; =20 - inode =3D proc_pid_make_inode(dir->i_sb, task); + inode =3D proc_pid_make_inode(dir->i_sb, task, S_IFREG | S_IRUSR); if (!inode) goto out; =20 ei =3D PROC_I(inode); ei->fd =3D fd; =20 - inode->i_mode =3D S_IFREG | S_IRUSR; inode->i_fop =3D &proc_fdinfo_file_operations; =20 d_set_d_op(dentry, &tid_fd_dentry_operations); --- a/fs/proc/internal.h +++ b/fs/proc/internal.h 
@@ -163,7 +163,7 @@ extern int proc_pid_statm(struct seq_fil extern const struct dentry_operations pid_dentry_operations; extern int pid_getattr(struct vfsmount *, struct dentry *, struct kstat *); extern int proc_setattr(struct dentry *, struct iattr *); -extern struct inode *proc_pid_make_inode(struct super_block *, struct task= _struct *); +extern struct inode *proc_pid_make_inode(struct super_block *, struct task= _struct *, umode_t); extern int pid_revalidate(struct dentry *, unsigned int); extern int pid_delete_dentry(const struct dentry *); extern int proc_pid_readdir(struct file *, struct dir_context *); --- a/fs/proc/namespaces.c +++ b/fs/proc/namespaces.c @@ -92,12 +92,11 @@ static int proc_ns_instantiate(struct in struct inode *inode; struct proc_inode *ei; =20 - inode =3D proc_pid_make_inode(dir->i_sb, task); + inode =3D proc_pid_make_inode(dir->i_sb, task, S_IFLNK | S_IRWXUGO); if (!inode) goto out; =20 ei =3D PROC_I(inode); - inode->i_mode =3D S_IFLNK|S_IRWXUGO; inode->i_op =3D &proc_ns_link_inode_operations; ei->ns_ops =3D ns_ops; =20 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -3958,6 +3958,7 @@ static void selinux_task_to_inode(struct struct inode_security_struct *isec =3D inode->i_security; u32 sid =3D task_sid(p); =20 + isec->sclass =3D inode_mode_to_security_class(inode->i_mode); isec->sid =3D sid; isec->initialized =3D LABEL_INITIALIZED; } From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3941EC32789 for ; Tue, 23 Aug 2022 08:14:25 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242230AbiHWIOW (ORCPT ); Tue, 23 Aug 2022 04:14:22 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34450 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242088AbiHWIKg (ORCPT ); Tue, 23 Aug 2022 04:10:36 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7E1C869F4B; Tue, 23 Aug 2022 01:07:38 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 38CB9B81BF8; Tue, 23 Aug 2022 08:07:37 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7C10DC433C1; Tue, 23 Aug 2022 08:07:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242056; bh=Vh/TLHB55jz6Qfv0o55O44R0jumQnALWfdNVxIVP/nQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=f6qsvuXD34NQ51ff1lBCCSjBASyxu7I6jZ4e9J0QJrEXnkDyvSpgdoMUzEKNbdPkV Hx0ubhwe4pC2j5w+zJxGVnhngkCGDZ4svYbQDmth5HKQvRlsyjRzQ6K1bk9TUBbD53 k8SMdt1kk7RAbYKFAq8mbmkOfcZIdhd6sNnrgmmw= 
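Review bot: the security/selinux/hooks.c hunk makes selinux_task_to_inode() derive isec->sclass from inode->i_mode, so the hook is only correct if i_mode is final before it runs, and nothing in the code records that requirement. The fs/proc/base.c hunk sets "inode->i_mode = mode;" under "Common stuff" in proc_pid_make_inode(), but the security_task_to_inode() call is outside the visible context, so the ordering cannot be confirmed from the diff alone. Add a comment at the i_mode assignment (or in the hook) stating that the mode must be set before the hook is called; otherwise a later reordering would silently give /proc task inodes the wrong security class.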
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Andreas Gruenbacher , Paul Moore , Alexander Grund Subject: [PATCH 4.9 012/101] selinux: Clean up initialization of isec->sclass Date: Tue, 23 Aug 2022 10:02:45 +0200 Message-Id: <20220823080035.044590894@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Andreas Gruenbacher commit 13457d073c29da92001f6ee809075eaa8757fb96 upstream. Now that isec->initialized =3D=3D LABEL_INITIALIZED implies that isec->sclass is valid, skip such inodes immediately in inode_doinit_with_dentry. For the remaining inodes, initialize isec->sclass at the beginning of inode_doinit_with_dentry to simplify the code. Signed-off-by: Andreas Gruenbacher Signed-off-by: Paul Moore Signed-off-by: Alexander Grund Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- security/selinux/hooks.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1395,12 +1395,15 @@ static int inode_doinit_with_dentry(stru int rc =3D 0; =20 if (isec->initialized =3D=3D LABEL_INITIALIZED) - goto out; + return 0; =20 mutex_lock(&isec->lock); if (isec->initialized =3D=3D LABEL_INITIALIZED) goto out_unlock; =20 + if (isec->sclass =3D=3D SECCLASS_FILE) + isec->sclass =3D inode_mode_to_security_class(inode->i_mode); + sbsec =3D inode->i_sb->s_security; if (!(sbsec->flags & SE_SBINITIALIZED)) { /* Defer initialization until selinux_complete_init, 
@@ -1518,7 +1521,6 @@ static int inode_doinit_with_dentry(stru isec->sid =3D sbsec->sid; =20 /* Try to obtain a transition SID. */ - isec->sclass =3D inode_mode_to_security_class(inode->i_mode); rc =3D security_transition_sid(isec->task_sid, sbsec->sid, isec->sclass, NULL, &sid); if (rc) @@ -1554,7 +1556,6 @@ static int inode_doinit_with_dentry(stru */ if (!dentry) goto out_unlock; - isec->sclass =3D inode_mode_to_security_class(inode->i_mode); rc =3D selinux_genfs_get_sid(dentry, isec->sclass, sbsec->flags, &sid); dput(dentry); 
@@ -1569,9 +1570,6 @@ static int inode_doinit_with_dentry(stru =20 out_unlock: mutex_unlock(&isec->lock); -out: - if (isec->sclass =3D=3D SECCLASS_FILE) - isec->sclass =3D inode_mode_to_security_class(inode->i_mode); return rc; } From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 76173C32774 for ; Tue, 23 Aug 2022 08:14:41 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242380AbiHWIOh (ORCPT ); Tue, 23 Aug 2022 04:14:37 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35144 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242097AbiHWIKh (ORCPT ); Tue, 23 Aug 2022 04:10:37 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1C82869F50; Tue, 23 Aug 2022 01:07:43 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 662F86125A; Tue, 23 Aug 2022 08:07:42 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 66B54C433C1; Tue, 23 Aug 2022 08:07:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242061; bh=4N9AcPigy1UGJGRo7sTsLORTRnWlZmrSq/qM6X6kAEo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=YmA3ezIA9L9LfOCrNtpr91+0vnN/xKjI2+/+PQIBFFJ11qRCIiP9l1vXOTtDtuZH/ Ea6TM56MPoNJJjne/YlTeFxJTnz3UPJVuTE4o5RS3Ii7qi9eVR8GIQxvaDR/P9C2a2 +RG3Cs3patOVel2V7W0Nx2qPfPT9tsGY+sSXLYkQ= 
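Review bot: in inode_doinit_with_dentry(), the moved test "if (isec->sclass == SECCLASS_FILE)" uses SECCLASS_FILE as a stand-in for "class not computed yet", which is also the legitimate class of a regular file. That is harmless, because recomputing from i_mode gives the same answer for a regular file, but the reasoning is not written anywhere in the hunk; a one-line comment above the test would cover it. The early "return 0" also skips this fixup entirely now, so the change depends on every path that sets LABEL_INITIALIZED having set sclass first, as the commit message states. That is worth checking against each writer of isec->initialized in the backported tree.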
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Andreas Gruenbacher , Paul Moore , Alexander Grund Subject: [PATCH 4.9 013/101] selinux: Convert isec->lock into a spinlock Date: Tue, 23 Aug 2022 10:02:46 +0200 Message-Id: <20220823080035.086186727@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Andreas Gruenbacher commit 9287aed2ad1ff1bde5eb190bcd6dccd5f1cf47d3 upstream. Convert isec->lock from a mutex into a spinlock. Instead of holding the lock while sleeping in inode_doinit_with_dentry, set isec->initialized to LABEL_PENDING and release the lock. Then, when the sid has been determined, re-acquire the lock. If isec->initialized is still set to LABEL_PENDING, set isec->sid; otherwise, the sid has been set by another task (LABEL_INITIALIZED) or invalidated (LABEL_INVALID) in the meantime. This fixes a deadlock on gfs2 where * one task is in inode_doinit_with_dentry -> gfs2_getxattr, holds isec->lock, and tries to acquire the inode's glock, and * another task is in do_xmote -> inode_go_inval -> selinux_inode_invalidate_secctx, holds the inode's glock, and tries to acquire isec->lock. Signed-off-by: Andreas Gruenbacher [PM: minor tweaks to keep checkpatch.pl happy] Signed-off-by: Paul Moore Signed-off-by: Alexander Grund Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- security/selinux/hooks.c | 101 +++++++++++++++++++++++----------= ----- security/selinux/include/objsec.h | 5 + 2 files changed, 66 insertions(+), 40 deletions(-) --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -231,7 +231,7 @@ static int inode_alloc_security(struct i if (!isec) return -ENOMEM; =20 - mutex_init(&isec->lock); + spin_lock_init(&isec->lock); INIT_LIST_HEAD(&isec->list); isec->inode =3D inode; isec->sid =3D SECINITSID_UNLABELED; @@ -1387,7 +1387,8 @@ static int inode_doinit_with_dentry(stru { struct superblock_security_struct *sbsec =3D NULL; struct inode_security_struct *isec =3D inode->i_security; - u32 sid; + u32 task_sid, sid =3D 0; + u16 sclass; struct dentry *dentry; #define INITCONTEXTLEN 255 char *context =3D NULL; @@ -1397,7 +1398,7 @@ static int inode_doinit_with_dentry(stru if (isec->initialized =3D=3D LABEL_INITIALIZED) return 0; =20 - mutex_lock(&isec->lock); + spin_lock(&isec->lock); if (isec->initialized =3D=3D LABEL_INITIALIZED) goto out_unlock; =20 @@ -1416,12 +1417,18 @@ static int inode_doinit_with_dentry(stru goto out_unlock; } =20 + sclass =3D isec->sclass; + task_sid =3D isec->task_sid; + sid =3D isec->sid; + isec->initialized =3D LABEL_PENDING; + spin_unlock(&isec->lock); + switch (sbsec->behavior) { case SECURITY_FS_USE_NATIVE: break; case SECURITY_FS_USE_XATTR: if (!(inode->i_opflags & IOP_XATTR)) { - isec->sid =3D sbsec->def_sid; + sid =3D sbsec->def_sid; break; } /* Need a dentry, since the xattr API requires one. @@ -1443,7 +1450,7 @@ static int inode_doinit_with_dentry(stru * inode_doinit with a dentry, before these inodes could * be used again by userspace. */ - goto out_unlock; + goto out; } =20 len =3D INITCONTEXTLEN; @@ -1451,7 +1458,7 @@ static int inode_doinit_with_dentry(stru if (!context) { rc =3D -ENOMEM; dput(dentry); - goto out_unlock; + goto out; } context[len] =3D '\0'; rc =3D __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 
@@ -1462,14 +1469,14 @@ static int inode_doinit_with_dentry(stru rc =3D __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0); if (rc < 0) { dput(dentry); - goto out_unlock; + goto out; } len =3D rc; context =3D kmalloc(len+1, GFP_NOFS); if (!context) { rc =3D -ENOMEM; dput(dentry); - goto out_unlock; + goto out; } context[len] =3D '\0'; rc =3D __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); @@ -1481,7 +1488,7 @@ static int inode_doinit_with_dentry(stru "%d for dev=3D%s ino=3D%ld\n", __func__, -rc, inode->i_sb->s_id, inode->i_ino); kfree(context); - goto out_unlock; + goto out; } /* Map ENODATA to the default file SID */ sid =3D sbsec->def_sid; @@ -1511,28 +1518,25 @@ static int inode_doinit_with_dentry(stru } } kfree(context); - isec->sid =3D sid; break; case SECURITY_FS_USE_TASK: - isec->sid =3D isec->task_sid; + sid =3D task_sid; break; case SECURITY_FS_USE_TRANS: /* Default to the fs SID. */ - isec->sid =3D sbsec->sid; + sid =3D sbsec->sid; =20 /* Try to obtain a transition SID. */ - rc =3D security_transition_sid(isec->task_sid, sbsec->sid, - isec->sclass, NULL, &sid); + rc =3D security_transition_sid(task_sid, sid, sclass, NULL, &sid); if (rc) - goto out_unlock; - isec->sid =3D sid; + goto out; break; case SECURITY_FS_USE_MNTPOINT: - isec->sid =3D sbsec->mntpoint_sid; + sid =3D sbsec->mntpoint_sid; break; default: /* Default to the fs superblock SID. */ - isec->sid =3D sbsec->sid; + sid =3D sbsec->sid; =20 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) { /* We must have a dentry to determine the label on 
@@ -1555,21 +1559,30 @@ static int inode_doinit_with_dentry(stru * could be used again by userspace. */ if (!dentry) - goto out_unlock; - rc =3D selinux_genfs_get_sid(dentry, isec->sclass, + goto out; + rc =3D selinux_genfs_get_sid(dentry, sclass, sbsec->flags, &sid); dput(dentry); if (rc) - goto out_unlock; - isec->sid =3D sid; + goto out; } break; } =20 - isec->initialized =3D LABEL_INITIALIZED; +out: + spin_lock(&isec->lock); + if (isec->initialized =3D=3D LABEL_PENDING) { + if (!sid || rc) { + isec->initialized =3D LABEL_INVALID; + goto out_unlock; + } + + isec->initialized =3D LABEL_INITIALIZED; + isec->sid =3D sid; + } =20 out_unlock: - mutex_unlock(&isec->lock); + spin_unlock(&isec->lock); return rc; } =20 @@ -3199,9 +3212,11 @@ static void selinux_inode_post_setxattr( } =20 isec =3D backing_inode_security(dentry); + spin_lock(&isec->lock); isec->sclass =3D inode_mode_to_security_class(inode->i_mode); isec->sid =3D newsid; isec->initialized =3D LABEL_INITIALIZED; + spin_unlock(&isec->lock); =20 return; } @@ -3298,9 +3313,11 @@ static int selinux_inode_setsecurity(str if (rc) return rc; =20 + spin_lock(&isec->lock); isec->sclass =3D inode_mode_to_security_class(inode->i_mode); isec->sid =3D newsid; isec->initialized =3D LABEL_INITIALIZED; + spin_unlock(&isec->lock); return 0; } =20 @@ -3956,9 +3973,11 @@ static void selinux_task_to_inode(struct struct inode_security_struct *isec =3D inode->i_security; u32 sid =3D task_sid(p); =20 + spin_lock(&isec->lock); isec->sclass =3D inode_mode_to_security_class(inode->i_mode); isec->sid =3D sid; isec->initialized =3D LABEL_INITIALIZED; + spin_unlock(&isec->lock); } =20 /* Returns error only if unable to parse addresses */ 
@@ -4277,24 +4296,24 @@ static int selinux_socket_post_create(st const struct task_security_struct *tsec =3D current_security(); struct inode_security_struct *isec =3D inode_security_novalidate(SOCK_INO= DE(sock)); struct sk_security_struct *sksec; + u16 sclass =3D socket_type_to_security_class(family, type, protocol); + u32 sid =3D SECINITSID_KERNEL; int err =3D 0; =20 - isec->sclass =3D socket_type_to_security_class(family, type, protocol); - - if (kern) - isec->sid =3D SECINITSID_KERNEL; - else { - err =3D socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid)); + if (!kern) { + err =3D socket_sockcreate_sid(tsec, sclass, &sid); if (err) return err; } =20 + isec->sclass =3D sclass; + isec->sid =3D sid; isec->initialized =3D LABEL_INITIALIZED; =20 if (sock->sk) { sksec =3D sock->sk->sk_security; - sksec->sid =3D isec->sid; - sksec->sclass =3D isec->sclass; + sksec->sclass =3D sclass; + sksec->sid =3D sid; err =3D selinux_netlbl_socket_post_create(sock->sk, family); } =20 @@ -4478,16 +4497,22 @@ static int selinux_socket_accept(struct int err; struct inode_security_struct *isec; struct inode_security_struct *newisec; + u16 sclass; + u32 sid; =20 err =3D sock_has_perm(current, sock->sk, SOCKET__ACCEPT); if (err) return err; =20 - newisec =3D inode_security_novalidate(SOCK_INODE(newsock)); - isec =3D inode_security_novalidate(SOCK_INODE(sock)); - newisec->sclass =3D isec->sclass; - newisec->sid =3D isec->sid; + spin_lock(&isec->lock); + sclass =3D isec->sclass; + sid =3D isec->sid; + spin_unlock(&isec->lock); + + newisec =3D inode_security_novalidate(SOCK_INODE(newsock)); + newisec->sclass =3D sclass; + newisec->sid =3D sid; newisec->initialized =3D LABEL_INITIALIZED; =20 return 0; @@ -6010,9 +6035,9 @@ static void selinux_inode_invalidate_sec { struct inode_security_struct *isec =3D inode->i_security; =20 - mutex_lock(&isec->lock); + spin_lock(&isec->lock); isec->initialized =3D LABEL_INVALID; - mutex_unlock(&isec->lock); + spin_unlock(&isec->lock); } =20 /* 
--- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -39,7 +39,8 @@ struct task_security_struct { =20 enum label_initialized { LABEL_INVALID, /* invalid or not initialized */ - LABEL_INITIALIZED /* initialized */ + LABEL_INITIALIZED, /* initialized */ + LABEL_PENDING }; =20 struct inode_security_struct { 
@@ -52,7 +53,7 @@ struct inode_security_struct { u32 sid; /* SID of this object */ u16 sclass; /* security class of this object */ unsigned char initialized; /* initialization flag */ - struct mutex lock; + spinlock_t lock; }; =20 struct file_security_struct { From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id AB03FC32789 for ; Tue, 23 Aug 2022 08:14:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242122AbiHWIOp (ORCPT ); Tue, 23 Aug 2022 04:14:45 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59792 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242111AbiHWIKk (ORCPT ); Tue, 23 Aug 2022 04:10:40 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7F89169F68; Tue, 23 Aug 2022 01:07:49 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id A162461257; Tue, 23 Aug 2022 08:07:48 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id A9B6EC433D6; Tue, 23 Aug 2022 08:07:47 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242068; bh=LVQCqq3fPPBeojXbpVMFwyVEGNh3B23jnxi6VGPH+yo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=puUJs5RyuI7an0aDAXhSXGv9DgyVfQZgst5zEwn37DujkvxYAGcSCqx0Vy1+fM7w5 RWFlGh8wcgPqa+EDxM5LdMDPj8sIG6zPkw7rBkHd5CvoOH70xCINyRupKc4nhhj8tf M/KRfsDYCJWuWdxztwRINYR1ixL859lPd5UFfgCY= 
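Review bot: [PATCH 4.9 013/101], inode_doinit_with_dentry(): the two no-dentry paths that change from `goto out_unlock` to `goto out` now land in the new `out:` block, and nothing visible on those paths sets rc or clears sid. With `sid` still holding the value copied from `isec->sid` before `spin_unlock()`, the `if (!sid || rc)` test does not fire and the inode is marked LABEL_INITIALIZED with the old SID, although the comment above each jump expects a later inode_doinit with a dentry. Before the conversion these paths left `isec->initialized` untouched. Suggest marking the inode LABEL_INVALID under the lock on those paths instead of falling into the LABEL_INITIALIZED branch; 014/101 and 015/101 in this series rework exactly this.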
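Review bot: [PATCH 4.9 013/101], selinux_socket_post_create() and selinux_socket_accept(): the stores to `isec->sclass`, `isec->sid` and `isec->initialized` (and to the same three fields of `newisec`) are still made without `isec->lock`, while selinux_inode_post_setxattr(), selinux_inode_setsecurity() and selinux_task_to_inode() gain `spin_lock()`/`spin_unlock()` around the identical three assignments in this same patch. If the new socket inode cannot be reached by another task at that point, a one-line comment saying so would keep the locking rule readable; otherwise these writes need the lock too.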
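Review bot: [PATCH 4.9 013/101], objsec.h, enum label_initialized: `LABEL_PENDING` is the only enumerator without a comment, and it is the one whose meaning is least obvious. Suggest documenting it next to the other two, for example that the label is being determined by a task that has dropped `isec->lock` and that only this state may be overwritten when the lock is re-taken.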
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Tianyue Ren , Paul Moore , Alexander Grund Subject: [PATCH 4.9 014/101] selinux: fix error initialization in inode_doinit_with_dentry() Date: Tue, 23 Aug 2022 10:02:47 +0200 Message-Id: <20220823080035.116874434@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Tianyue Ren commit 83370b31a915493231e5b9addc72e4bef69f8d31 upstream. Mark the inode security label as invalid if we cannot find a dentry so that we will retry later rather than marking it initialized with the unlabeled SID. Fixes: 9287aed2ad1f ("selinux: Convert isec->lock into a spinlock") Signed-off-by: Tianyue Ren [PM: minor comment tweaks] Signed-off-by: Paul Moore Signed-off-by: Alexander Grund Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- security/selinux/hooks.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1450,7 +1450,13 @@ static int inode_doinit_with_dentry(stru * inode_doinit with a dentry, before these inodes could * be used again by userspace. */ - goto out; + isec->initialized =3D LABEL_INVALID; + /* + * There is nothing useful to jump to the "out" + * label, except a needless spin lock/unlock + * cycle. + */ + return 0; } =20 len =3D INITCONTEXTLEN; 
@@ -1558,8 +1564,15 @@ static int inode_doinit_with_dentry(stru * inode_doinit() with a dentry, before these inodes * could be used again by userspace. */ - if (!dentry) - goto out; + if (!dentry) { + isec->initialized =3D LABEL_INVALID; + /* + * There is nothing useful to jump to the "out" + * label, except a needless spin lock/unlock + * cycle. + */ + return 0; + } rc =3D selinux_genfs_get_sid(dentry, sclass, sbsec->flags, &sid); dput(dentry); From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 589B2C32774 for ; Tue, 23 Aug 2022 08:15:07 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242179AbiHWIPF (ORCPT ); Tue, 23 Aug 2022 04:15:05 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33284 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242132AbiHWIKn (ORCPT ); Tue, 23 Aug 2022 04:10:43 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 785FF69F6C; Tue, 23 Aug 2022 01:07:55 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 14CA26123F; Tue, 23 Aug 2022 08:07:55 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 0A7FFC433C1; Tue, 23 Aug 2022 08:07:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242074; bh=HGZuHszCVXMKiPLMwr7I2qv6J3qZJWqweO7wKCDi7TU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=eWBkwSH5vctso18R54dKOKIMCC6sGN4R5dwTiHh8t7dKj9Z4KWtL4BEzeerE57kp3 
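Review bot: [PATCH 4.9 014/101], first hunk (SECURITY_FS_USE_XATTR, no dentry): `isec->initialized = LABEL_INVALID;` is written after 013/101 released `isec->lock`, and it is written unconditionally, so it can overwrite a LABEL_INITIALIZED that selinux_inode_post_setxattr() or selinux_inode_setsecurity() stored while this task was unlocked. The `out:` block only changes the state when it is still LABEL_PENDING. The added comment calls the lock/unlock cycle needless, but that cycle is what makes the check possible. Suggest taking the lock and keeping the `== LABEL_PENDING` test on this path.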
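Review bot: [PATCH 4.9 014/101], second hunk (genfs, `if (!dentry)`): the early `return 0` discards the local `sid` that the `default:` case set to `sbsec->sid` in 013/101, so `isec->sid` keeps whatever it held before instead of the superblock default, and any later fallback to the existing label uses that older value. Suggest storing the default SID together with LABEL_INVALID, under `isec->lock`, rather than returning straight from the switch.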
T2/GcxGkvuqcn38NcdcdzEgOy3VmwO9vfGhbrUpYHQOIjqXtYIDQPJ2aBL7hx/T2B5 CZx3XMeybHjhQhQ07JvgsevgU87RZTu3kgvfRlUY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Sven Schnelle , Ondrej Mosnacek , Paul Moore , Alexander Grund Subject: [PATCH 4.9 015/101] selinux: fix inode_doinit_with_dentry() LABEL_INVALID error handling Date: Tue, 23 Aug 2022 10:02:48 +0200 Message-Id: <20220823080035.146702826@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Paul Moore commit 200ea5a2292dc444a818b096ae6a32ba3caa51b9 upstream. A previous fix, commit 83370b31a915 ("selinux: fix error initialization in inode_doinit_with_dentry()"), changed how failures were handled before a SELinux policy was loaded. Unfortunately that patch was potentially problematic for two reasons: it set the isec->initialized state without holding a lock, and it didn't set the inode's SELinux label to the "default" for the particular filesystem. The latter can be a problem if/when a later attempt to revalidate the inode fails and SELinux reverts to the existing inode label. This patch should restore the default inode labeling that existed before the original fix, without affecting the LABEL_INVALID marking such that revalidation will still be attempted in the future. Fixes: 83370b31a915 ("selinux: fix error initialization in inode_doinit_with_dentry()") Reported-by: Sven Schnelle Tested-by: Sven Schnelle Reviewed-by: Ondrej Mosnacek Signed-off-by: Paul Moore Signed-off-by: Alexander Grund 
Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- security/selinux/hooks.c | 31 +++++++++++++------------------ 1 file changed, 13 insertions(+), 18 deletions(-) --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1450,13 +1450,7 @@ static int inode_doinit_with_dentry(stru * inode_doinit with a dentry, before these inodes could * be used again by userspace. */ - isec->initialized =3D LABEL_INVALID; - /* - * There is nothing useful to jump to the "out" - * label, except a needless spin lock/unlock - * cycle. - */ - return 0; + goto out_invalid; } =20 len =3D INITCONTEXTLEN; @@ -1564,15 +1558,8 @@ static int inode_doinit_with_dentry(stru * inode_doinit() with a dentry, before these inodes * could be used again by userspace. */ - if (!dentry) { - isec->initialized =3D LABEL_INVALID; - /* - * There is nothing useful to jump to the "out" - * label, except a needless spin lock/unlock - * cycle. - */ - return 0; - } + if (!dentry) + goto out_invalid; rc =3D selinux_genfs_get_sid(dentry, sclass, sbsec->flags, &sid); dput(dentry); @@ -1585,11 +1572,10 @@ static int inode_doinit_with_dentry(stru out: spin_lock(&isec->lock); if (isec->initialized =3D=3D LABEL_PENDING) { - if (!sid || rc) { + if (rc) { isec->initialized =3D LABEL_INVALID; goto out_unlock; } - isec->initialized =3D LABEL_INITIALIZED; isec->sid =3D sid; } 
@@ -1597,6 +1583,15 @@ out: out_unlock: spin_unlock(&isec->lock); return rc; + +out_invalid: + spin_lock(&isec->lock); + if (isec->initialized =3D=3D LABEL_PENDING) { + isec->initialized =3D LABEL_INVALID; + isec->sid =3D sid; + } + spin_unlock(&isec->lock); + return 0; } =20 /* Convert a Linux signal to an access vector. */ From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 549A5C32774 for ; Tue, 23 Aug 2022 08:15:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242318AbiHWIO5 (ORCPT ); Tue, 23 Aug 2022 04:14:57 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60262 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242168AbiHWIKt (ORCPT ); Tue, 23 Aug 2022 04:10:49 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2465B6A49A; Tue, 23 Aug 2022 01:08:02 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id A0594B81C17; Tue, 23 Aug 2022 08:08:01 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id C04F8C433D7; Tue, 23 Aug 2022 08:07:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242080; bh=teKc3lF5mfoEsKS9IbpH7Y4FTQyLnvHdoT5FLMkSxxk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=c0+QzzjjVNetgG9FuSWeDhNMoxdLtDXwfa5km2KVvO39IxGi6o6hFCow0nCHbfJZq oYPXTUzCbMUfvC+nV7n+GzEVphH88XJoa3kRqnq1lN7EpImTtJbISfjX2d8wweRvPa 9a2pL2VNILayqt83ZM4CWC5/t84KOQr/VjS27Orw= 
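Review bot: [PATCH 4.9 015/101], `out:` hunk: the test changes from `if (!sid || rc)` to `if (rc)`, and the changelog does not mention it. A zero `sid` with `rc == 0` is now stored in `isec->sid` and the inode marked LABEL_INITIALIZED. Please say in the commit message why the `!sid` guard can go, or keep it.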
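Review bot: [PATCH 4.9 015/101], `out_invalid:` hunk: storing `isec->sid = sid` in the same block that sets LABEL_INVALID reads as contradictory without context, and the reason (the label SELinux falls back to if a later revalidation fails should be the filesystem default) exists only in the changelog. A short comment above the label would carry that into the code. The block also repeats the lock, `== LABEL_PENDING` test and unlock of `out:` after `return rc;`; sharing them with `out:` would keep the state transition in one place.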
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Christian Borntraeger , Yury Norov , Allison Randal , Joe Perches , Thomas Gleixner , William Breathitt Gray , Torsten Hilbrich , Andrew Morton , Linus Torvalds , Hans-Christian Noren Egtvedt Subject: [PATCH 4.9 016/101] include/uapi/linux/swab.h: fix userspace breakage, use __BITS_PER_LONG for swap Date: Tue, 23 Aug 2022 10:02:49 +0200 Message-Id: <20220823080035.188734677@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" 
From: Christian Borntraeger commit 467d12f5c7842896d2de3ced74e4147ee29e97c8 upstream. QEMU has a funny new build error message when I use the upstream kernel headers: CC block/file-posix.o In file included from /home/cborntra/REPOS/qemu/include/qemu/timer.h:4, from /home/cborntra/REPOS/qemu/include/qemu/timed-average.h:29, from /home/cborntra/REPOS/qemu/include/block/accounting.h:28, from /home/cborntra/REPOS/qemu/include/block/block_int.h:27, from /home/cborntra/REPOS/qemu/block/file-posix.c:30: /usr/include/linux/swab.h: In function `__swab': /home/cborntra/REPOS/qemu/include/qemu/bitops.h:20:34: error: "sizeof" is not defined, evaluates to 0 [-Werror=undef] 20 | #define BITS_PER_LONG (sizeof (unsigned long) * BITS_PER_BYTE) | ^~~~~~ /home/cborntra/REPOS/qemu/include/qemu/bitops.h:20:41: error: missing binary operator before token "(" 20 | #define BITS_PER_LONG (sizeof (unsigned long) * BITS_PER_BYTE) | ^ cc1: all warnings being treated as errors make: *** [/home/cborntra/REPOS/qemu/rules.mak:69: block/file-posix.o] Error 1 rm tests/qemu-iotests/socket_scm_helper.o This was triggered by commit d5767057c9a ("uapi: rename ext2_swab() to swab() and share globally in swab.h"). That patch is doing #include but it uses BITS_PER_LONG. The kernel file asm/bitsperlong.h provides only __BITS_PER_LONG. Let us use the __ variant in swap.h Link: http://lkml.kernel.org/r/20200213142147.17604-1-borntraeger@de.ibm.com Fixes: d5767057c9a ("uapi: rename ext2_swab() to swab() and share globally in swab.h") Signed-off-by: Christian Borntraeger Cc: Yury Norov Cc: Allison Randal Cc: Joe Perches Cc: Thomas Gleixner Cc: William Breathitt Gray Cc: Torsten Hilbrich Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Hans-Christian Noren Egtvedt Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- include/uapi/linux/swab.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
--- a/include/uapi/linux/swab.h +++ b/include/uapi/linux/swab.h @@ -134,9 +134,9 @@ static inline __attribute_const__ __u32 =20 static __always_inline unsigned long __swab(const unsigned long y) { -#if BITS_PER_LONG =3D=3D 64 +#if __BITS_PER_LONG =3D=3D 64 return __swab64(y); -#else /* BITS_PER_LONG =3D=3D 32 */ +#else /* __BITS_PER_LONG =3D=3D 32 */ return __swab32(y); #endif } From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 48558C32793 for ; Tue, 23 Aug 2022 08:16:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242499AbiHWIP0 (ORCPT ); Tue, 23 Aug 2022 04:15:26 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:32864 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242224AbiHWIKy (ORCPT ); Tue, 23 Aug 2022 04:10:54 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D919BC6D; Tue, 23 Aug 2022 01:08:12 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 2DB0BB81C24; Tue, 23 Aug 2022 08:08:11 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 66394C433D6; Tue, 23 Aug 2022 08:08:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242089; bh=XV+sDCF2H0TMW3uVGya0oLcmGejz6RfqmHqZJx6l0Ig=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=hV0CNtp1ft7qPG4hjm2UuQzyYdBZKAGSE3XGnZzMXZ5VlGweF/Hoohde3RHXB6fg4 ioE43gv3UvyH1pJCD2VUdCUF6RwrLUo1/qnKJXfkb3jJJYR3eHwmudyDr5GxYnoyhR 5MehmXa3Uu7aBCSVzvOe4rcTR8+NSqpMf69Y/ns8= 
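Review bot: [PATCH 4.9 016/101], __swab(): the `#else` branch still selects `__swab32()` for every value other than 64, and the hunk does not show the include that provides `__BITS_PER_LONG`. In a userspace build where the macro ends up undefined and -Wundef is off, the test evaluates to 0 and a 64-bit `unsigned long` silently gets the 32-bit swap. Suggest `#elif __BITS_PER_LONG == 32` with an `#error` fallback, or a note in the changelog confirming that this header pulls in asm/bitsperlong.h itself.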
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Viresh Kumar , Jiri Kosina , Hans-Christian Noren Egtvedt Subject: [PATCH 4.9 017/101] init/main: Fix double "the" in comment Date: Tue, 23 Aug 2022 10:02:50 +0200 Message-Id: <20220823080035.225456988@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Viresh Kumar commit 6623f1c6150c09ce946c8e27a4c814d64919495b upstream. s/the\ the/the Signed-off-by: Viresh Kumar Signed-off-by: Jiri Kosina Signed-off-by: Hans-Christian Noren Egtvedt Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- init/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/init/main.c +++ b/init/main.c 
@@ -488,7 +488,7 @@ asmlinkage __visible void __init start_k debug_objects_early_init(); =20 /* - * Set up the the initial canary ASAP: + * Set up the initial canary ASAP: */ add_latent_entropy(); boot_init_stack_canary(); From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 76AB7C3F6B0 for ; Tue, 23 Aug 2022 08:16:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242591AbiHWIPf (ORCPT ); Tue, 23 Aug 2022 04:15:35 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33260 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242282AbiHWILB (ORCPT ); Tue, 23 Aug 2022 04:11:01 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1D4D46438; Tue, 23 Aug 2022 01:08:19 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 52A2FB81BF8; Tue, 23 Aug 2022 08:08:17 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 9E06BC433D7; Tue, 23 Aug 2022 08:08:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242096; bh=gFXQRxtXqz+RRD14GNlAxmJ1RuaEsq6DD8fkF1qEdK0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=JqT/Jwlydi89EKlKfhRunNOQjqTq0nT0bjcweT01S2/GveqdhWM5QsI3jYRsudbrc 14IwfIHtgX4ftyApbecVDKlnxBvXZUFOyNyJOnjckhtY9p8FPSHmR1oEP0AgYEXH7c WHv7G0kq8lkmje/fzLc/PeG7+STNv2RKcwGl1ZT8= 
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Viresh Kumar , Jiri Kosina , Hans-Christian Noren Egtvedt Subject: [PATCH 4.9 018/101] init/main: properly align the multi-line comment Date: Tue, 23 Aug 2022 10:02:51 +0200 Message-Id: <20220823080035.269099048@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Viresh Kumar commit 1b3b3b49b9961401331a1b496db5bec5c7b41ae6 upstream. Add a tab before it to follow standard practices. Also add the missing full stop '.'. Signed-off-by: Viresh Kumar Signed-off-by: Jiri Kosina Signed-off-by: Hans-Christian Noren Egtvedt Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- init/main.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) --- a/init/main.c +++ b/init/main.c 
@@ -498,10 +498,10 @@ asmlinkage __visible void __init start_k local_irq_disable(); early_boot_irqs_disabled =3D true; =20 -/* - * Interrupts are still disabled. Do necessary setups, then - * enable them - */ + /* + * Interrupts are still disabled. Do necessary setups, then + * enable them. + */ boot_cpu_init(); page_address_init(); pr_notice("%s", linux_banner); From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 89BD1C32793 for ; Tue, 23 Aug 2022 08:17:14 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242422AbiHWIRJ (ORCPT ); Tue, 23 Aug 2022 04:17:09 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59214 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242461AbiHWILU (ORCPT ); Tue, 23 Aug 2022 04:11:20 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 148172CDFC; Tue, 23 Aug 2022 01:08:25 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id C81FCB81C25; Tue, 23 Aug 2022 08:08:23 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id DF4D4C433C1; Tue, 23 Aug 2022 08:08:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242102; bh=lMQfg4bXnS5R49GvVs8vjfw+34XXX8JWBNWJFGQl7e8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=U2pSZ7pUDgjmaNNjrv+CH4q5KKFPiE1TFZCcnBAIBo00rHKyGdDP1Rzn07oNYkKDE 2OnGnPmbURHBBPlAeNrsazCzQ/IexLHy4lqrQJKhg2dzo3wvA+v1CEjKr3FTw5als/ CLsCNnfcMUlr7/IXJkUXG5u6gwhflmogd95uxj9k= 
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Laura Abbott , Laura Abbott , Kees Cook , "Theodore Tso" , Daniel Micay , Nick Kralevich , Andrew Morton , Linus Torvalds , Hans-Christian Noren Egtvedt Subject: [PATCH 4.9 019/101] init: move stack canary initialization after setup_arch Date: Tue, 23 Aug 2022 10:02:52 +0200 Message-Id: <20220823080035.308410843@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Laura Abbott commit 121388a31362b0d3176dc1190ac8064b98a61b20 upstream. Patch series "Command line randomness", v3. A series to add the kernel command line as a source of randomness. This patch (of 2): Stack canary initialization involves getting a random number. Getting this random number may involve accessing caches or other architectural specific features which are not available until after the architecture is set up. Move the stack canary initialization later to accommodate this. Link: http://lkml.kernel.org/r/20170816231458.2299-2-labbott@redhat.com Signed-off-by: Laura Abbott Signed-off-by: Laura Abbott Acked-by: Kees Cook Cc: "Theodore Ts'o" Cc: Daniel Micay Cc: Nick Kralevich Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Hans-Christian Noren Egtvedt Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- init/main.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) --- a/init/main.c +++ b/init/main.c 
@@ -487,12 +487,6 @@ asmlinkage __visible void __init start_k smp_setup_processor_id(); debug_objects_early_init(); =20 - /* - * Set up the initial canary ASAP: - */ - add_latent_entropy(); - boot_init_stack_canary(); - cgroup_init_early(); =20 local_irq_disable(); 
@@ -506,6 +500,11 @@ asmlinkage __visible void __init start_k page_address_init(); pr_notice("%s", linux_banner); setup_arch(&command_line); + /* + * Set up the the initial canary and entropy after arch + */ + add_latent_entropy(); + boot_init_stack_canary(); mm_init_cpumask(&init_mm); setup_command_line(command_line); setup_nr_cpu_ids(); From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A3F6CC38145 for ; Tue, 23 Aug 2022 08:16:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242684AbiHWIPo (ORCPT ); Tue, 23 Aug 2022 04:15:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33220 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242404AbiHWILP (ORCPT ); Tue, 23 Aug 2022 04:11:15 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 177DC3D590; Tue, 23 Aug 2022 01:08:31 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id E5CF8B81C22; Tue, 23 Aug 2022 08:08:29 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 25838C433C1; Tue, 23 Aug 2022 08:08:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242108; bh=facbOoCrP315Ov+dCDx6pIKj0Bnsu110lcnOM1sX4Aw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=2iH7nQZZ3j8ILmuTqDBLgjydf9QCjR6sFXPx4jleREy61gvV1GtJqp62Zv0CT93Kc mXE2HARDqKThBOmNAzA1UN/ognOA/FIzrfwoovkmkqxLAs0gtyTECl4QSUAdV44Ims sf5vyJuE7TXXsNswT8SRdKN9u9xNIxCFbpLLxtnQ= 
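Review bot: [PATCH 4.9 019/101], first hunk: taking `add_latent_entropy()` and `boot_init_stack_canary()` out from before `cgroup_init_early()` means everything up to and including `setup_arch(&command_line)` now runs before the boot canary is set, where the deleted comment asked for it "ASAP". The changelog explains why the random source needs the architecture set up, but not this cost. Please state the trade-off in the changelog or in the new comment.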
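Review bot: [PATCH 4.9 019/101], second hunk: the added comment line `Set up the the initial canary and entropy after arch` brings back the doubled "the" that 017/101 in this same series removes, and "after arch" leaves out what has to have happened. Suggest "Set up the initial canary and entropy after arch setup." so the comment names `setup_arch()` as the dependency.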
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Daniel Micay , Laura Abbott , Kees Cook , "Theodore Tso" , Laura Abbott , Nick Kralevich , Andrew Morton , Linus Torvalds , Hans-Christian Noren Egtvedt Subject: [PATCH 4.9 020/101] init/main.c: extract early boot entropy from the passed cmdline Date: Tue, 23 Aug 2022 10:02:53 +0200 Message-Id: <20220823080035.337391991@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" 
From: Daniel Micay

commit 33d72f3822d7ff8a9e45bd7413c811085cb87aa5 upstream.

Feed the boot command-line to the /dev/random entropy pool

Existing Android bootloaders usually pass data which may not be known by
an external attacker on the kernel command-line. It may also be the case
on other embedded systems. Sample command-line from a Google Pixel
running CopperheadOS....

    console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0
    androidboot.hardware=sailfish user_debug=31 ehci-hcd.park=3
    lpm_levels.sleep_disabled=1 cma=32M@0-0xffffffff buildvariant=user
    veritykeyid=id:dfcb9db0089e5b3b4090a592415c28e1cb4545ab
    androidboot.bootdevice=624000.ufshc androidboot.verifiedbootstate=yellow
    androidboot.veritymode=enforcing androidboot.keymaster=1
    androidboot.serialno=FA6CE0305299 androidboot.baseband=msm
    mdss_mdp.panel=1:dsi:0:qcom,mdss_dsi_samsung_ea8064tg_1080p_cmd:1:none:cfg:single_dsi
    androidboot.slot_suffix=_b fpsimd.fpsimd_settings=0
    app_setting.use_app_setting=0 kernelflag=0x00000000 debugflag=0x00000000
    androidboot.hardware.revision=PVT radioflag=0x00000000
    radioflagex1=0x00000000 radioflagex2=0x00000000 cpumask=0x00000000
    androidboot.hardware.ddr=4096MB,Hynix,LPDDR4 androidboot.ddrinfo=00000006
    androidboot.ddrsize=4GB androidboot.hardware.color=GRA00
    androidboot.hardware.ufs=32GB,Samsung androidboot.msm.hw_ver_id=268824801
    androidboot.qf.st=2 androidboot.cid=11111111 androidboot.mid=G-2PW4100
    androidboot.bootloader=8996-012001-1704121145
    androidboot.oem_unlock_support=1 androidboot.fp_src=1
    androidboot.htc.hrdump=detected
    androidboot.ramdump.opt=mem@2g:2g,mem@4g:2g
    androidboot.bootreason=reboot androidboot.ramdump_enable=0 ro
    root=/dev/dm-0 dm="system none ro,0 1 android-verity /dev/sda34"
    rootwait skip_initramfs init=/init androidboot.wificountrycode=US
    androidboot.boottime=1BLL:85,1BLE:669,2BLL:0,2BLE:1777,SW:6,KL:8136

Among other things, it contains a value
unique to the device (androidboot.serialno=FA6CE0305299), unique to the
OS builds for the device variant
(veritykeyid=id:dfcb9db0089e5b3b4090a592415c28e1cb4545ab) and timings
from the bootloader stages in milliseconds
(androidboot.boottime=1BLL:85,1BLE:669,2BLL:0,2BLE:1777,SW:6,KL:8136).

[tytso@mit.edu: changelog tweak]
[labbott@redhat.com: line-wrapped command line]
Link: http://lkml.kernel.org/r/20170816231458.2299-3-labbott@redhat.com
Signed-off-by: Daniel Micay
Signed-off-by: Laura Abbott
Acked-by: Kees Cook
Cc: "Theodore Ts'o"
Cc: Laura Abbott
Cc: Nick Kralevich
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Hans-Christian Noren Egtvedt
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
---
 init/main.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/init/main.c +++ b/init/main.c
@@ -502,8 +502,10 @@ asmlinkage __visible void __init start_k setup_arch(&command_line); /* * Set up the the initial canary and entropy after arch + * and after adding latent and command line entropy. */ add_latent_entropy(); + add_device_randomness(command_line, strlen(command_line)); boot_init_stack_canary(); mm_init_cpumask(&init_mm); setup_command_line(command_line);
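Review bot: add_device_randomness(command_line, strlen(command_line)) dereferences command_line with no NULL check, so the added call relies on every architecture's setup_arch(&command_line) leaving a valid string behind. Either guard the call with if (command_line) or state that invariant in the comment. The comment edit also keeps the doubled "the the" on its first line, and it would help to say there that the command line is mixed in as best-effort input, since the changelog itself only says its contents "may not be known" to an external attacker.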

From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Werner Sembach, Hans de Goede, "Rafael J. Wysocki"
Subject: [PATCH 4.9 021/101] ACPI: video: Force backlight native for some TongFang devices
Date: Tue, 23 Aug 2022 10:02:54 +0200
Message-Id: <20220823080035.367723380@linuxfoundation.org>

From: Werner Sembach

commit c752089f7cf5b5800c6ace4cdd1a8351ee78a598 upstream.

The TongFang PF5PU1G, PF4NU1F, PF5NU1G, and PF5LUXG/TUXEDO BA15 Gen10,
Pulse 14/15 Gen1, and Pulse 15 Gen2 have the same problem as the Clevo
NL5xRU and NL5xNU/TUXEDO Aura 15 Gen1 and Gen2: They have a working
native and video interface. However the default detection mechanism
first registers the video interface before unregistering it again and
switching to the native interface during boot. This results in a
dangling SBIOS request for backlight change for some reason, causing the
backlight to switch to ~2% once per boot on the first power cord connect
or disconnect event. Setting the native interface explicitly circumvents
this buggy behaviour by avoiding the unregistering process.

Signed-off-by: Werner Sembach
Cc: All applicable
Reviewed-by: Hans de Goede
Signed-off-by: Rafael J. Wysocki
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
---
 drivers/acpi/video_detect.c | 51 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 50 insertions(+), 1 deletion(-)

--- a/drivers/acpi/video_detect.c +++ b/drivers/acpi/video_detect.c
@@ -210,7 +210,56 @@ static const struct dmi_system_id video_ DMI_MATCH(DMI_BOARD_NAME, "NL5xNU"), }, }, - + /* + * The TongFang PF5PU1G, PF4NU1F, PF5NU1G, and PF5LUXG/TUXEDO BA15 Gen10, + * Pulse 14/15 Gen1, and Pulse 15 Gen2 have the same problem as the Clevo + * NL5xRU and NL5xNU/TUXEDO Aura 15 Gen1 and Gen2. See the description + * above. + */ + { + .callback =3D video_detect_force_native, + .ident =3D "TongFang PF5PU1G", + .matches =3D { + DMI_MATCH(DMI_BOARD_NAME, "PF5PU1G"), + }, + }, + { + .callback =3D video_detect_force_native, + .ident =3D "TongFang PF4NU1F", + .matches =3D { + DMI_MATCH(DMI_BOARD_NAME, "PF4NU1F"), + }, + }, + { + .callback =3D video_detect_force_native, + .ident =3D "TongFang PF4NU1F", + .matches =3D { + DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"), + DMI_MATCH(DMI_BOARD_NAME, "PULSE1401"), + }, + }, + { + .callback =3D video_detect_force_native, + .ident =3D "TongFang PF5NU1G", + .matches =3D { + DMI_MATCH(DMI_BOARD_NAME, "PF5NU1G"), + }, + }, + { + .callback =3D video_detect_force_native, + .ident =3D "TongFang PF5NU1G", + .matches =3D { + DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"), + DMI_MATCH(DMI_BOARD_NAME, "PULSE1501"), + }, + }, + { + .callback =3D video_detect_force_native, + .ident =3D "TongFang PF5LUXG", + .matches =3D { + DMI_MATCH(DMI_BOARD_NAME, "PF5LUXG"), + }, + }, /* * These models have a working acpi_video backlight control, and using * native backlight causes a regression where backlight does not work
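Review bot: two of the added entries reuse an .ident that belongs to a different match: the DMI_SYS_VENDOR "TUXEDO" / DMI_BOARD_NAME "PULSE1401" entry is labelled "TongFang PF4NU1F" and the "PULSE1501" entry is labelled "TongFang PF5NU1G", so the ident alone cannot tell which table entry matched. Suggest idents that name the board actually matched. The hunk also removes the blank line after the NL5xNU entry and adds none after the last new entry, so the PF5LUXG entry runs straight into the following "These models have a working acpi_video" block comment, and the new comment's "See the description above" does not say which description it means.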

From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Werner Sembach, Hans de Goede, "Rafael J. Wysocki"
Subject: [PATCH 4.9 022/101] ACPI: video: Shortening quirk list by identifying Clevo by board_name only
Date: Tue, 23 Aug 2022 10:02:55 +0200
Message-Id: <20220823080035.413929654@linuxfoundation.org>

From: Werner Sembach

commit f0341e67b3782603737f7788e71bd3530012a4f4 upstream.

Taking a recent change in the i8042 quirklist to this one: Clevo
board_names are somewhat unique, and if not: The generic
Board_-/Sys_Vendor string "Notebook" doesn't help much anyway. So
identifying the devices just by the board_name helps keeping the list
significantly shorter and might even hit more devices requiring the fix.

Signed-off-by: Werner Sembach
Fixes: c844d22fe0c0 ("ACPI: video: Force backlight native for Clevo NL5xRU and NL5xNU")
Cc: All applicable
Reviewed-by: Hans de Goede
Signed-off-by: Rafael J. Wysocki
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
---
 drivers/acpi/video_detect.c | 34 ----------------------------------
 1 file changed, 34 deletions(-)

--- a/drivers/acpi/video_detect.c +++ b/drivers/acpi/video_detect.c @@ -150,23 +150,6 @@ static const struct dmi_system_id video_ .callback =3D video_detect_force_native, .ident =3D "Clevo NL5xRU", .matches =3D { - DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"), - DMI_MATCH(DMI_BOARD_NAME, "NL5xRU"), - }, - }, - { - .callback =3D video_detect_force_native, - .ident =3D "Clevo NL5xRU", - .matches =3D { - DMI_MATCH(DMI_SYS_VENDOR, "SchenkerTechnologiesGmbH"), - DMI_MATCH(DMI_BOARD_NAME, "NL5xRU"), - }, - }, - { - .callback =3D video_detect_force_native, - .ident =3D "Clevo NL5xRU", - .matches =3D { - DMI_MATCH(DMI_SYS_VENDOR, "Notebook"), DMI_MATCH(DMI_BOARD_NAME, "NL5xRU"), }, },
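Review bot: with the three DMI_SYS_VENDOR lines removed, the surviving "Clevo NL5xRU" entry applies video_detect_force_native to every machine whose board name matches "NL5xRU", and nothing in the table records that this widening is deliberate. The changelog gives the reasoning (board names are "somewhat unique", the "Notebook" vendor string adds nothing); a one-line comment above the entry saying the vendor match was dropped on purpose would keep vendor-specific copies from being re-added later.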
@@ -190,23 +173,6 @@ static const struct dmi_system_id video_ .callback =3D video_detect_force_native, .ident =3D "Clevo NL5xNU", .matches =3D { - DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"), - DMI_MATCH(DMI_BOARD_NAME, "NL5xNU"), - }, - }, - { - .callback =3D video_detect_force_native, - .ident =3D "Clevo NL5xNU", - .matches =3D { - DMI_MATCH(DMI_SYS_VENDOR, "SchenkerTechnologiesGmbH"), - DMI_MATCH(DMI_BOARD_NAME, "NL5xNU"), - }, - }, - { - .callback =3D video_detect_force_native, - .ident =3D "Clevo NL5xNU", - .matches =3D { - DMI_MATCH(DMI_SYS_VENDOR, "Notebook"), DMI_MATCH(DMI_BOARD_NAME, "NL5xNU"), }, },

From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Hans-Christian Noren Egtvedt
Subject: [PATCH 4.9 023/101] random: only call boot_init_stack_canary() once
Date: Tue, 23 Aug 2022 10:02:56 +0200
Message-Id: <20220823080035.453767597@linuxfoundation.org>

From: Hans-Christian Noren Egtvedt

In commit 166a592cad36 ("random: move rand_initialize() earlier") the
boot_init_stack_canary() call was added after the new random_init()
call. However, the upstream commit d55535232c3d ("random: move
rand_initialize() earlier") also included removing the earlier call to
boot_init_stack_canary(), making sure this call is done after
random_init().

Hence fix what I assume is a wrong merge conflict resolution on the
linux-4.9.y stable branch.

Signed-off-by: Hans-Christian Noren Egtvedt
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
---
 init/main.c | 7 -------
 1 file changed, 7 deletions(-)

--- a/init/main.c +++ b/init/main.c
@@ -500,13 +500,6 @@ asmlinkage __visible void __init start_k page_address_init(); pr_notice("%s", linux_banner); setup_arch(&command_line); - /* - * Set up the the initial canary and entropy after arch - * and after adding latent and command line entropy. - */ - add_latent_entropy(); - add_device_randomness(command_line, strlen(command_line)); - boot_init_stack_canary(); mm_init_cpumask(&init_mm); setup_command_line(command_line); setup_nr_cpu_ids();
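Review bot: this hunk removes add_latent_entropy() and add_device_randomness(command_line, strlen(command_line)) together with boot_init_stack_canary(), but the changelog accounts only for the duplicate canary call. Please state in the changelog whether the call site that remains after random_init() still mixes in the latent and command-line entropy before the canary is set on linux-4.9.y; if it does not, the command-line input added by patch 020 of this series is dropped by this one.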

From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, stable, Ning Qiang, Kees Cook, Benjamin Herrenschmidt, Michael Ellerman
Subject: [PATCH 4.9 024/101] macintosh/adb: fix oob read in do_adb_query() function
Date: Tue, 23 Aug 2022 10:02:57 +0200
Message-Id: <20220823080035.503695020@linuxfoundation.org>

From: Ning Qiang

commit fd97e4ad6d3b0c9fce3bca8ea8e6969d9ce7423b upstream.

In do_adb_query() function of drivers/macintosh/adb.c, req->data is
copied from userland. The parameter "req->data[2]" is missing check, the
array size of adb_handler[] is 16, so
adb_handler[req->data[2]].original_address and
adb_handler[req->data[2]].handler_id will lead to oob read.

Cc: stable
Signed-off-by: Ning Qiang
Reviewed-by: Kees Cook
Reviewed-by: Greg Kroah-Hartman
Acked-by: Benjamin Herrenschmidt
Signed-off-by: Michael Ellerman
Link: https://lore.kernel.org/r/20220713153734.2248-1-sohu0106@126.com
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
---
 drivers/macintosh/adb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/macintosh/adb.c +++ b/drivers/macintosh/adb.c
@@ -650,7 +650,7 @@ do_adb_query(struct adb_request *req) =20 switch(req->data[1]) { case ADB_QUERY_GETDEVINFO: - if (req->nbytes < 3) + if (req->nbytes < 3 || req->data[2] >=3D 16) break; mutex_lock(&adb_handler_mutex); req->reply[0] =3D adb_handler[req->data[2]].original_address;
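Review bot: the new bound on req->data[2] in the ADB_QUERY_GETDEVINFO case is the bare literal 16, which stays correct only while adb_handler[] keeps that size. Suggest ARRAY_SIZE(adb_handler) so the check follows the array declaration. Placing the check before mutex_lock(&adb_handler_mutex) is right, since the early break then needs no unlock.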

From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Fangrui Song, Nick Desaulniers, Linus Torvalds, Jens Axboe
Subject: [PATCH 4.9 025/101] Makefile: link with -z noexecstack --no-warn-rwx-segments
Date: Tue, 23 Aug 2022 10:02:58 +0200
Message-Id: <20220823080035.534613756@linuxfoundation.org>

From: Nick Desaulniers

commit 0d362be5b14200b77ecc2127936a5ff82fbffe41 upstream.

Users of GNU ld (BFD) from binutils 2.39+ will observe multiple
instances of a new warning when linking kernels in the form:

  ld: warning: vmlinux: missing .note.GNU-stack section implies executable stack
  ld: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
  ld: warning: vmlinux has a LOAD segment with RWX permissions

Generally, we would like to avoid the stack being executable. Because
there could be a need for the stack to be executable, assembler sources
have to opt-in to this security feature via explicit creation of the
.note.GNU-stack feature (which compilers create by default) or command
line flag --noexecstack. Or we can simply tell the linker the production
of such sections is irrelevant and to link the stack as --noexecstack.

LLVM's LLD linker defaults to -z noexecstack, so this flag isn't
strictly necessary when linking with LLD, only BFD, but it doesn't hurt
to be explicit here for all linkers IMO. --no-warn-rwx-segments is
currently BFD specific and only available in the current latest release,
so it's wrapped in an ld-option check.

While the kernel makes extensive usage of ELF sections, it doesn't use
permissions from ELF segments.

Link: https://lore.kernel.org/linux-block/3af4127a-f453-4cf7-f133-a181cce06f73@kernel.dk/
Link: https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107
Link: https://github.com/llvm/llvm-project/issues/57009
Reported-and-tested-by: Jens Axboe
Suggested-by: Fangrui Song
Signed-off-by: Nick Desaulniers
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
---
 Makefile | 3 +++
 1 file changed, 3 insertions(+)

--- a/Makefile +++ b/Makefile
@@ -870,6 +870,9 @@ ifdef CONFIG_LD_DEAD_CODE_DATA_ELIMINATI LDFLAGS_vmlinux +=3D $(call ld-option, --gc-sections,) endif =20 +LDFLAGS +=3D -z noexecstack +LDFLAGS +=3D $(call ld-option,--no-warn-rwx-segments) + ifeq ($(CONFIG_STRIP_ASM_SYMS),y) LDFLAGS_vmlinux +=3D $(call ld-option, -X,) endif
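Review bot: -z noexecstack is appended to the global LDFLAGS unconditionally while --no-warn-rwx-segments goes through ld-option, and the Makefile carries no comment explaining either line. The changelog says the first is accepted by both BFD and LLD and the second is BFD-specific and only in the latest release; two comment lines above the additions saying so would record that next to the flags. It is also worth noting in the comment that these lines change LDFLAGS for every link, since they sit between two blocks that only touch LDFLAGS_vmlinux.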

From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Fangrui Song, Nick Desaulniers, Linus Torvalds, Jens Axboe
Subject: [PATCH 4.9 026/101] x86: link vdso and boot with -z noexecstack --no-warn-rwx-segments
Date: Tue, 23 Aug 2022 10:02:59 +0200
Message-Id: <20220823080035.574198870@linuxfoundation.org>

From: Nick Desaulniers

commit ffcf9c5700e49c0aee42dcba9a12ba21338e8136 upstream.

Users of GNU ld (BFD) from binutils 2.39+ will observe multiple
instances of a new warning when linking kernels in the form:

  ld: warning: arch/x86/boot/pmjump.o: missing .note.GNU-stack section implies executable stack
  ld: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
  ld: warning: arch/x86/boot/compressed/vmlinux has a LOAD segment with RWX permissions

Generally, we would like to avoid the stack being executable. Because
there could be a need for the stack to be executable, assembler sources
have to opt-in to this security feature via explicit creation of the
.note.GNU-stack feature (which compilers create by default) or command
line flag --noexecstack. Or we can simply tell the linker the production
of such sections is irrelevant and to link the stack as --noexecstack.

LLVM's LLD linker defaults to -z noexecstack, so this flag isn't
strictly necessary when linking with LLD, only BFD, but it doesn't hurt
to be explicit here for all linkers IMO. --no-warn-rwx-segments is
currently BFD specific and only available in the current latest release,
so it's wrapped in an ld-option check.

While the kernel makes extensive usage of ELF sections, it doesn't use
permissions from ELF segments.

Link: https://lore.kernel.org/linux-block/3af4127a-f453-4cf7-f133-a181cce06f73@kernel.dk/
Link: https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107
Link: https://github.com/llvm/llvm-project/issues/57009
Reported-and-tested-by: Jens Axboe
Suggested-by: Fangrui Song
Signed-off-by: Nick Desaulniers
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
---
 arch/x86/boot/Makefile | 2 +-
 arch/x86/boot/compressed/Makefile | 4 ++++
 arch/x86/entry/vdso/Makefile | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)

--- a/arch/x86/boot/Makefile +++ b/arch/x86/boot/Makefile @@ -100,7 +100,7 @@ $(obj)/zoffset.h: $(obj)/compressed/vmli AFLAGS_header.o +=3D -I$(objtree)/$(obj) $(obj)/header.o: $(obj)/zoffset.h =20 -LDFLAGS_setup.elf :=3D -m elf_i386 -T +LDFLAGS_setup.elf :=3D -m elf_i386 -z noexecstack -T $(obj)/setup.elf: $(src)/setup.ld $(SETUP_OBJS) FORCE $(call if_changed,ld) =20 --- a/arch/x86/boot/compressed/Makefile +++ b/arch/x86/boot/compressed/Makefile @@ -54,6 +54,10 @@ else LDFLAGS +=3D $(shell $(LD) --help 2>&1 | grep -q "\-z noreloc-overflow" \ && echo "-z noreloc-overflow -pie --no-dynamic-linker") endif + +LDFLAGS +=3D -z noexecstack +LDFLAGS +=3D $(call ld-option,--no-warn-rwx-segments) + LDFLAGS_vmlinux :=3D -T =20 hostprogs-y :=3D mkpiggy --- a/arch/x86/entry/vdso/Makefile +++ b/arch/x86/entry/vdso/Makefile 
@@ -168,7 +168,7 @@ quiet_cmd_vdso =3D VDSO $@ =20 VDSO_LDFLAGS =3D -shared $(call ld-option, --hash-style=3Dboth) \ $(call ld-option, --build-id) $(call ld-option, --eh-frame-hdr) \ - -Bsymbolic + -Bsymbolic -z noexecstack GCOV_PROFILE :=3D n =20 #
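Review bot: the VDSO_LDFLAGS change here and the LDFLAGS_setup.elf change in arch/x86/boot/Makefile add only -z noexecstack, while arch/x86/boot/compressed/Makefile adds both -z noexecstack and the ld-option-wrapped --no-warn-rwx-segments. The changelog quotes the RWX warning only for arch/x86/boot/compressed/vmlinux, which fits, but please say in the changelog that setup.elf and the vDSO were checked and do not produce the LOAD-segment warning, so the asymmetry reads as intentional.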

From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Zheyu Ma, Takashi Iwai
Subject: [PATCH 4.9 027/101] ALSA: bcd2000: Fix a UAF bug on the error path of probing
Date: Tue, 23 Aug 2022 10:03:00 +0200
Message-Id: <20220823080035.619883178@linuxfoundation.org>

From: Zheyu Ma

commit ffb2759df7efbc00187bfd9d1072434a13a54139 upstream.

When the driver fails in snd_card_register() at probe time, it will free
the 'bcd2k->midi_out_urb' before killing it, which may cause a UAF bug.

The following log can reveal it:

[ 50.727020] BUG: KASAN: use-after-free in bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000]
[ 50.727623] Read of size 8 at addr ffff88810fab0e88 by task swapper/4/0
[ 50.729530] Call Trace:
[ 50.732899] bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000]

Fix this by adding usb_kill_urb() before usb_free_urb().

Fixes: b47a22290d58 ("ALSA: MIDI driver for Behringer BCD2000 USB device")
Signed-off-by: Zheyu Ma
Cc:
Link: https://lore.kernel.org/r/20220715010515.2087925-1-zheyuma97@gmail.com
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
---
 sound/usb/bcd2000/bcd2000.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/sound/usb/bcd2000/bcd2000.c +++ b/sound/usb/bcd2000/bcd2000.c
@@ -350,7 +350,8 @@ static int bcd2000_init_midi(struct bcd2 static void bcd2000_free_usb_related_resources(struct bcd2000 *bcd2k, struct usb_interface *interface) { - /* usb_kill_urb not necessary, urb is aborted automatically */ + usb_kill_urb(bcd2k->midi_out_urb); + usb_kill_urb(bcd2k->midi_in_urb); =20 usb_free_urb(bcd2k->midi_out_urb); usb_free_urb(bcd2k->midi_in_urb); From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5039BC32793 for ; Tue, 23 Aug 2022 08:18:38 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242728AbiHWISg (ORCPT ); Tue, 23 Aug 2022 04:18:36 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33234 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242048AbiHWINd (ORCPT ); Tue, 23 Aug 2022 04:13:33 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BB68D6C76A; Tue, 23 Aug 2022 01:09:16 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 74CB8B81C25; Tue, 23 Aug 2022 08:09:15 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id ACAEEC433C1; Tue, 23 Aug 2022 08:09:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242154; bh=BITwDc7HCAhUTG2hPw8EvofbLIg6dJhSahwCDwKFeng=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=l4/dnDGbzE1nT2ce5vxzMD94kgTs12hRsRlmIv4bL83NueaqiXvTVotRm6fB34mrr aYWHD2CyeqKierrWoow+J4UYaruK2nxT7V9fa6djpME59W9tLzpCOznOLt4zc8mJ2M j5xYV4psuT5VGYgCsouQiGGwW7dceVamVVFWFhrc= 
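Review bot: in bcd2000_free_usb_related_resources() (sound/usb/bcd2000/bcd2000.c, patch 027/101), the deleted comment "usb_kill_urb not necessary, urb is aborted automatically" is replaced by two usb_kill_urb() calls with no comment at all, so the reason the kill has to come before usb_free_urb() is recorded only in the commit message. A one-line comment saying that the completion handlers can still run until the URBs are killed would keep the next reader from removing the calls again. The commit message names only midi_out_urb as the URB freed too early, while the KASAN trace is in bcd2000_input_complete and the hunk kills midi_in_urb as well; it would help to say that both URBs are covered on purpose.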
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Mikulas Patocka, "Matthew Wilcox (Oracle)", Linus Torvalds
Subject: [PATCH 4.9 028/101] add barriers to buffer_uptodate and set_buffer_uptodate
Date: Tue, 23 Aug 2022 10:03:01 +0200
Message-Id: <20220823080035.659046535@linuxfoundation.org>
X-Mailer: git-send-email 2.37.2
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

From: Mikulas Patocka

commit d4252071b97d2027d246f6a82cbee4d52f618b47 upstream.

Let's have a look at this piece of code in __bread_slow:

	get_bh(bh);
	bh->b_end_io = end_buffer_read_sync;
	submit_bh(REQ_OP_READ, 0, bh);
	wait_on_buffer(bh);
	if (buffer_uptodate(bh))
		return bh;

Neither wait_on_buffer nor buffer_uptodate contain any memory barrier. Consequently, if someone calls sb_bread and then reads the buffer data, the read of buffer data may be executed before wait_on_buffer(bh) on architectures with weak memory ordering and it may return invalid data.

Fix this bug by adding a memory barrier to set_buffer_uptodate and an acquire barrier to buffer_uptodate (in a similar way as folio_test_uptodate and folio_mark_uptodate).

Signed-off-by: Mikulas Patocka
Reviewed-by: Matthew Wilcox (Oracle)
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
--- include/linux/buffer_head.h | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) --- a/include/linux/buffer_head.h +++ b/include/linux/buffer_head.h 
@@ -113,7 +113,6 @@ static __always_inline int test_clear_bu * of the form "mark_buffer_foo()". These are higher-level functions which * do something in addition to setting a b_state bit. */ -BUFFER_FNS(Uptodate, uptodate) BUFFER_FNS(Dirty, dirty) TAS_BUFFER_FNS(Dirty, dirty) BUFFER_FNS(Lock, locked) 
@@ -131,6 +130,30 @@ BUFFER_FNS(Meta, meta) BUFFER_FNS(Prio, prio) BUFFER_FNS(Defer_Completion, defer_completion) =20 +static __always_inline void set_buffer_uptodate(struct buffer_head *bh) +{ + /* + * make it consistent with folio_mark_uptodate + * pairs with smp_load_acquire in buffer_uptodate + */ + smp_mb__before_atomic(); + set_bit(BH_Uptodate, &bh->b_state); +} + +static __always_inline void clear_buffer_uptodate(struct buffer_head *bh) +{ + clear_bit(BH_Uptodate, &bh->b_state); +} + +static __always_inline int buffer_uptodate(const struct buffer_head *bh) +{ + /* + * make it consistent with folio_test_uptodate + * pairs with smp_mb__before_atomic in set_buffer_uptodate + */ + return (smp_load_acquire(&bh->b_state) & (1UL << BH_Uptodate)) !=3D 0; +} + #define bh_offset(bh) ((unsigned long)(bh)->b_data & ~PAGE_MASK) =20 /* If we *know* page->private refers to buffer_heads */ From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 42933C32796 for ; Tue, 23 Aug 2022 08:18:43 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242754AbiHWISm (ORCPT ); Tue, 23 Aug 2022 04:18:42 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59896 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242279AbiHWINh (ORCPT ); Tue, 23 Aug 2022 04:13:37 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 100EA2F3B9; Tue, 23 Aug 2022 01:09:22 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 64C4D6122D; Tue, 23 
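Review bot: in the second hunk of include/linux/buffer_head.h (patch 028/101), the comments in set_buffer_uptodate() and buffer_uptodate() point to folio_mark_uptodate and folio_test_uptodate, which a 4.9 tree does not have; for this backport they should name the page-level helpers that exist there, so the reader has something to look up. clear_buffer_uptodate() is open-coded next to them with no barrier and no comment; one line saying whether the missing barrier is intentional would answer the question anyone comparing it with set_buffer_uptodate() will ask.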
Aug 2022 08:09:21 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 74FD5C433D6; Tue, 23 Aug 2022 08:09:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242160; bh=7bAQYRZWWoac27b39EA9+FvRROhCHa3Fi6s9dE20Cqo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=2h1c46tZqknIh9u2jWId9uI59kLrXZ5gadtlDfzUad7Rdbl1eRE+SOyZf9OSxsGMB X98zffotfi3UgfiD7OAl17KXmVGjcXIJOwLbdaHPq62r/F/qSpgmOKF9FPQJFRhlvG YB0/BXSozPcKRRTUDaBPg0+LQMGhmt5seQrCp8XY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Sean Christopherson , "Maciej S. Szmigiero" , Paolo Bonzini Subject: [PATCH 4.9 029/101] KVM: SVM: Dont BUG if userspace injects an interrupt with GIF=0 Date: Tue, 23 Aug 2022 10:03:02 +0200 Message-Id: <20220823080035.708495251@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" 
From: Maciej S. Szmigiero

commit f17c31c48e5cde9895a491d91c424eeeada3e134 upstream.

Don't BUG/WARN on interrupt injection due to GIF being cleared, since it's trivial for userspace to force the situation via KVM_SET_VCPU_EVENTS (even if having at least a WARN there would be correct for KVM internally generated injections).

  kernel BUG at arch/x86/kvm/svm/svm.c:3386!
  invalid opcode: 0000 [#1] SMP
  CPU: 15 PID: 926 Comm: smm_test Not tainted 5.17.0-rc3+ #264
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
  RIP: 0010:svm_inject_irq+0xab/0xb0 [kvm_amd]
  Code: <0f> 0b 0f 1f 00 0f 1f 44 00 00 80 3d ac b3 01 00 00 55 48 89 f5 53
  RSP: 0018:ffffc90000b37d88 EFLAGS: 00010246
  RAX: 0000000000000000 RBX: ffff88810a234ac0 RCX: 0000000000000006
  RDX: 0000000000000000 RSI: ffffc90000b37df7 RDI: ffff88810a234ac0
  RBP: ffffc90000b37df7 R08: ffff88810a1fa410 R09: 0000000000000000
  R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
  R13: ffff888109571000 R14: ffff88810a234ac0 R15: 0000000000000000
  FS: 0000000001821380(0000) GS:ffff88846fdc0000(0000) knlGS:0000000000000000
  CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00007f74fc550008 CR3: 000000010a6fe000 CR4: 0000000000350ea0
  Call Trace:
   inject_pending_event+0x2f7/0x4c0 [kvm]
   kvm_arch_vcpu_ioctl_run+0x791/0x17a0 [kvm]
   kvm_vcpu_ioctl+0x26d/0x650 [kvm]
   __x64_sys_ioctl+0x82/0xb0
   do_syscall_64+0x3b/0xc0
   entry_SYSCALL_64_after_hwframe+0x44/0xae

Fixes: 219b65dcf6c0 ("KVM: SVM: Improve nested interrupt injection")
Cc: stable@vger.kernel.org
Co-developed-by: Sean Christopherson
Signed-off-by: Sean Christopherson
Signed-off-by: Maciej S. Szmigiero
Message-Id: <35426af6e123cbe91ec7ce5132ce72521f02b1b5.1651440202.git.maciej.szmigiero@oracle.com>
Signed-off-by: Paolo Bonzini
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
--- arch/x86/kvm/svm.c | 2 -- 1 file changed, 2 deletions(-) --- a/arch/x86/kvm/svm.c +++ b/arch/x86/kvm/svm.c 
@@ -4492,8 +4492,6 @@ static void svm_set_irq(struct kvm_vcpu { struct vcpu_svm *svm =3D to_svm(vcpu); =20 - BUG_ON(!(gif_set(svm))); - trace_kvm_inj_virq(vcpu->arch.interrupt.nr); ++vcpu->stat.irq_injections; From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 99EB6C32774 for ; Tue, 23 Aug 2022 08:18:53 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242780AbiHWISu (ORCPT ); Tue, 23 Aug 2022 04:18:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33314 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242162AbiHWIOD (ORCPT ); Tue, 23 Aug 2022 04:14:03 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 497276C74B; Tue, 23 Aug 2022 01:09:28 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id C0187611DD; Tue, 23 Aug 2022 08:09:27 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id AF6E9C433D6; Tue, 23 Aug 2022 08:09:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242167; bh=6aPiWU1DmthuuDEU+s0sTpbF8usqvd3MVqimuy22VTM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=zUPCawR5rtI4Ut8XaSjIHgnB7o9iNrQ5xA3LA35iqau8D6sFTstADG63pjfvi8LHu Mqo/AivpFpgd8aEoEhJkpHh8s187lfryv881l/K8IJr/2YaQ8f4C4j8FHWyBoRiOsZ 4UMcutgsJAvRYeIFw/shi1773p6BGmcPKVV43hT0= 
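Review bot: the BUG_ON(!(gif_set(svm))) removed from svm_set_irq() (arch/x86/kvm/svm.c, patch 029/101) is dropped without a replacement, although the commit message itself says a WARN would still be correct for injections that KVM generates internally; after this hunk neither origin is checked. If telling the two apart is not practical here, a short comment at this spot that GIF=0 is reachable from userspace through KVM_SET_VCPU_EVENTS would stop the assertion from being reintroduced. The quoted trace is from svm_inject_irq in arch/x86/kvm/svm/svm.c on 5.17.0-rc3+, while this backport edits svm_set_irq() in arch/x86/kvm/svm.c, and the message does not mention that adaptation.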
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+760a73552f47a8cd0fd9@syzkaller.appspotmail.com, Tetsuo Handa, Hou Wenlong, Sean Christopherson, Maxim Levitsky
Subject: [PATCH 4.9 030/101] KVM: x86: Mark TSS busy during LTR emulation _after_ all fault checks
Date: Tue, 23 Aug 2022 10:03:03 +0200
Message-Id: <20220823080035.739214317@linuxfoundation.org>
X-Mailer: git-send-email 2.37.2
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

From: Sean Christopherson

commit ec6e4d863258d4bfb36d48d5e3ef68140234d688 upstream.

Wait to mark the TSS as busy during LTR emulation until after all fault checks for the LTR have passed. Specifically, don't mark the TSS busy if the new TSS base is non-canonical.

Opportunistically drop the one-off !seg_desc.PRESENT check for TR as the only reason for the early check was to avoid marking a !PRESENT TSS as busy, i.e. the common !PRESENT is now done before setting the busy bit.

Fixes: e37a75a13cda ("KVM: x86: Emulator ignores LDTR/TR extended base on LLDT/LTR")
Reported-by: syzbot+760a73552f47a8cd0fd9@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Cc: Tetsuo Handa
Cc: Hou Wenlong
Signed-off-by: Sean Christopherson
Reviewed-by: Maxim Levitsky
Link: https://lore.kernel.org/r/20220711232750.1092012-2-seanjc@google.com
Signed-off-by: Sean Christopherson
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
--- arch/x86/kvm/emulate.c | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c 
@@ -1713,16 +1713,6 @@ static int __load_segment_descriptor(str case VCPU_SREG_TR: if (seg_desc.s || (seg_desc.type !=3D 1 && seg_desc.type !=3D 9)) goto exception; - if (!seg_desc.p) { - err_vec =3D NP_VECTOR; - goto exception; - } - old_desc =3D seg_desc; - seg_desc.type |=3D 2; /* busy */ - ret =3D ctxt->ops->cmpxchg_emulated(ctxt, desc_addr, &old_desc, &seg_des= c, - sizeof(seg_desc), &ctxt->exception); - if (ret !=3D X86EMUL_CONTINUE) - return ret; break; case VCPU_SREG_LDTR: if (seg_desc.s || seg_desc.type !=3D 2) 
@@ -1763,6 +1753,15 @@ static int __load_segment_descriptor(str ((u64)base3 << 32))) return emulate_gp(ctxt, 0); } + + if (seg =3D=3D VCPU_SREG_TR) { + old_desc =3D seg_desc; + seg_desc.type |=3D 2; /* busy */ + ret =3D ctxt->ops->cmpxchg_emulated(ctxt, desc_addr, &old_desc, &seg_des= c, + sizeof(seg_desc), &ctxt->exception); + if (ret !=3D X86EMUL_CONTINUE) + return ret; + } load: ctxt->ops->set_segment(ctxt, selector, &seg_desc, base3, seg); if (desc) From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6F635C32774 for ; Tue, 23 Aug 2022 08:19:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242807AbiHWIS7 (ORCPT ); Tue, 23 Aug 2022 04:18:59 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43174 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242221AbiHWIOJ (ORCPT ); Tue, 23 Aug 2022 04:14:09 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3366A6CD28; Tue, 23 Aug 2022 01:09:35 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 4D65E611DD; Tue, 23 Aug 2022 08:09:34 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 42005C433C1; Tue, 23 Aug 2022 08:09:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242173; bh=P8UEV1N27KxK4rVs22ewqoJc9ap4u38E5X9Mm+pEotI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=jCn4Mt+MbfOwkr+qNiRsZRNYRNEKylseFLQzEDuIzD3RVFUs4scfIQNKQWTQf6j8t 
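Review bot: in the second hunk of arch/x86/kvm/emulate.c (patch 030/101), the busy-marking block for VCPU_SREG_TR now sits immediately above the load: label, so any path in __load_segment_descriptor() that reaches load: by goto with seg == VCPU_SREG_TR would skip cmpxchg_emulated() and load TR without setting the busy bit; please confirm no such path exists in this tree. The placement after the emulate_gp() check on the base is the whole fix, so a comment on the new block along the lines of "mark the TSS busy only after all fault checks have passed" would protect it from being moved back. The first hunk also removes the TR-specific !seg_desc.p check, and the common present check it now relies on is outside the context shown.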
tHInW0KSbia+raG9F7Pw7SsZheV3s7T4pMctYwslCoIePrfe9YbbHZ5r7ngK8HogzV CKkDr7DVkrdkxgrhgU6GJgqMY+iL36pRQtBD3uh0= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Meng Tang , Takashi Iwai Subject: [PATCH 4.9 031/101] ALSA: hda/conexant: Add quirk for LENOVO 20149 Notebook model Date: Tue, 23 Aug 2022 10:03:04 +0200 Message-Id: <20220823080035.773347754@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Meng Tang commit f83bb2592482fe94c6eea07a8121763c80f36ce5 upstream. There is another LENOVO 20149 (Type1Sku0) Notebook model with CX20590, the device PCI SSID is 17aa:3977, which headphones are not responding, that requires the quirk CXT_PINCFG_LENOVO_NOTEBOOK. Add the corresponding entry to the quirk table. Signed-off-by: Meng Tang Cc: Link: https://lore.kernel.org/r/20220808073406.19460-1-tangmeng@uniontech.c= om Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- sound/pci/hda/patch_conexant.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) --- a/sound/pci/hda/patch_conexant.c +++ b/sound/pci/hda/patch_conexant.c @@ -238,6 +238,7 @@ enum { CXT_PINCFG_LEMOTE_A1205, CXT_PINCFG_COMPAQ_CQ60, CXT_FIXUP_STEREO_DMIC, + CXT_PINCFG_LENOVO_NOTEBOOK, CXT_FIXUP_INC_MIC_BOOST, CXT_FIXUP_HEADPHONE_MIC_PIN, CXT_FIXUP_HEADPHONE_MIC, 
@@ -698,6 +699,14 @@ static const struct hda_fixup cxt_fixups .type =3D HDA_FIXUP_FUNC, .v.func =3D cxt_fixup_stereo_dmic, }, + [CXT_PINCFG_LENOVO_NOTEBOOK] =3D { + .type =3D HDA_FIXUP_PINS, + .v.pins =3D (const struct hda_pintbl[]) { + { 0x1a, 0x05d71030 }, + { } + }, + .chain_id =3D CXT_FIXUP_STEREO_DMIC, + }, [CXT_FIXUP_INC_MIC_BOOST] =3D { .type =3D HDA_FIXUP_FUNC, .v.func =3D cxt5066_increase_mic_boost, 
@@ -860,7 +869,7 @@ static const struct snd_pci_quirk cxt506 SND_PCI_QUIRK(0x17aa, 0x3905, "Lenovo G50-30", CXT_FIXUP_STEREO_DMIC), SND_PCI_QUIRK(0x17aa, 0x390b, "Lenovo G50-80", CXT_FIXUP_STEREO_DMIC), SND_PCI_QUIRK(0x17aa, 0x3975, "Lenovo U300s", CXT_FIXUP_STEREO_DMIC), - SND_PCI_QUIRK(0x17aa, 0x3977, "Lenovo IdeaPad U310", CXT_FIXUP_STEREO_DMI= C), + SND_PCI_QUIRK(0x17aa, 0x3977, "Lenovo IdeaPad U310", CXT_PINCFG_LENOVO_NO= TEBOOK), SND_PCI_QUIRK(0x17aa, 0x3978, "Lenovo G50-70", CXT_FIXUP_STEREO_DMIC), SND_PCI_QUIRK(0x17aa, 0x397b, "Lenovo S205", CXT_FIXUP_STEREO_DMIC), SND_PCI_QUIRK_VENDOR(0x17aa, "Thinkpad", CXT_FIXUP_THINKPAD_ACPI), From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9ECADC32789 for ; Tue, 23 Aug 2022 08:22:19 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242848AbiHWIWR (ORCPT ); Tue, 23 Aug 2022 04:22:17 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40004 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242358AbiHWIOU (ORCPT ); Tue, 23 Aug 2022 04:14:20 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3FC186CD10; Tue, 23 Aug 2022 01:09:41 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 596A9611DD; Tue, 23 Aug 2022 08:09:40 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 64678C433C1; Tue, 23 Aug 2022 08:09:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242179; 
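Review bot: in the quirk-table hunk of sound/pci/hda/patch_conexant.c (patch 031/101), the entry for SSID 17aa:3977 is switched to CXT_PINCFG_LENOVO_NOTEBOOK but keeps the label "Lenovo IdeaPad U310", while the commit message describes a LENOVO 20149 model with the same SSID. The entry is keyed on the SSID, so the new pin fixup now applies to both machines; the message should say whether the U310 was checked or is expected to be unaffected, and the label could name both models. In the cxt_fixups hunk, the pin value { 0x1a, 0x05d71030 } has no comment saying what it configures; chaining to CXT_FIXUP_STEREO_DMIC does keep the fixup this entry had before.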
bh=aQR3DJEg3kHfSmbwMTdsmvUZ/TBQcuNlem3MABWTKe4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=OhFGjjn/nv3EVO186tOPk7gfpiJk8+6P5zEW68jU0jxGSU09mJpVJviiEsCYfZRSF hTg4q4PUcC9O1MjRAPe2bvytoTFsaxGE7APs/lzL+THDMZN4Y++00A34PCNGEOQOaL VP2+4NxguC6S0hpTo5ockMZGJpDKU4JoiKGCCoKQ= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Allen Ballway , Takashi Iwai Subject: [PATCH 4.9 032/101] ALSA: hda/cirrus - support for iMac 12,1 model Date: Tue, 23 Aug 2022 10:03:05 +0200 Message-Id: <20220823080035.805745771@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Allen Ballway commit 74bba640d69914cf832b87f6bbb700e5ba430672 upstream. The 12,1 model requires the same configuration as the 12,2 model to enable headphones but has a different codec SSID. Adds 12,1 SSID for matching quirk. [ re-sorted in SSID order by tiwai ] Signed-off-by: Allen Ballway Cc: Link: https://lore.kernel.org/r/20220810152701.1.I902c2e591bbf8de9acb649d13= 22fa1f291849266@changeid Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- sound/pci/hda/patch_cirrus.c | 1 + 1 file changed, 1 insertion(+) --- a/sound/pci/hda/patch_cirrus.c +++ b/sound/pci/hda/patch_cirrus.c 
@@ -409,6 +409,7 @@ static const struct snd_pci_quirk cs420x =20 /* codec SSID */ SND_PCI_QUIRK(0x106b, 0x0600, "iMac 14,1", CS420X_IMAC27_122), + SND_PCI_QUIRK(0x106b, 0x0900, "iMac 12,1", CS420X_IMAC27_122), SND_PCI_QUIRK(0x106b, 0x1c00, "MacBookPro 8,1", CS420X_MBP81), SND_PCI_QUIRK(0x106b, 0x2000, "iMac 12,2", CS420X_IMAC27_122), SND_PCI_QUIRK(0x106b, 0x2800, "MacBookPro 10,1", CS420X_MBP101), From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5E862C32774 for ; Tue, 23 Aug 2022 08:19:14 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242827AbiHWITL (ORCPT ); Tue, 23 Aug 2022 04:19:11 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44492 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242376AbiHWIOh (ORCPT ); Tue, 23 Aug 2022 04:14:37 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F1F796CF41; Tue, 23 Aug 2022 01:09:50 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id F1E716126A; Tue, 23 Aug 2022 08:09:49 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id B5CADC433C1; Tue, 23 Aug 2022 08:09:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242189; bh=6U83wbLARbMC175D+M8iSXUKvFzWTq2N2fBB1jY3bHg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=GSI32Wiu1I+I1dfF3UIqeb4vnbH+nYbn+9NZXksouwF2k2HqvxWVmQ/1FDKqmIWWy r3ROVN0hqmbrgjxXKbJibeKoj3KnUUlxpCO1lNWP159k+ficS+p6RJ7ZJ2MdKvQ/2V 
JDv7GKBniyP2emvJZ+TSHmE1loedETMLEUmUHSPY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, David Howells , Jeff Layton , Namjae Jeon , stable@kernel.org, Alexander Viro , Steve French , Hyunchul Lee , Chuck Lever , Dave Wysochanski , Linus Torvalds Subject: [PATCH 4.9 033/101] vfs: Check the truncate maximum size in inode_newsize_ok() Date: Tue, 23 Aug 2022 10:03:06 +0200 Message-Id: <20220823080035.847056784@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" 
From: David Howells

commit e2ebff9c57fe4eb104ce4768f6ebcccf76bef849 upstream.

If something manages to set the maximum file size to MAX_OFFSET+1, this can cause the xfs and ext4 filesystems at least to become corrupt.

Ordinarily, the kernel protects against userspace trying this by checking the value early in the truncate() and ftruncate() system calls - but there are at least two places that this check is bypassed:

 (1) Cachefiles will round up the EOF of the backing file to DIO block size so as to allow DIO on the final block - but this might push the offset negative. It then calls notify_change(), but this inadvertently bypasses the checking. This can be triggered if someone puts an 8EiB-1 file on a server for someone else to try and access by, say, nfs.

 (2) ksmbd doesn't check the value it is given in set_end_of_file_info() and then calls vfs_truncate() directly - which also bypasses the check.

In both cases, it is potentially possible for a network filesystem to cause a disk filesystem to be corrupted: cachefiles in the client's cache filesystem; ksmbd in the server's filesystem.

nfsd is okay as it checks the value, but we can then remove this check too.

Fix this by adding a check to inode_newsize_ok(), as called from setattr_prepare(), thereby catching the issue as filesystems set up to perform the truncate with minimal opportunity for bypassing the new check.

Fixes: 1f08c925e7a3 ("cachefiles: Implement backing file wrangling")
Fixes: f44158485826 ("cifsd: add file operations")
Signed-off-by: David Howells
Reported-by: Jeff Layton
Tested-by: Jeff Layton
Reviewed-by: Namjae Jeon
Cc: stable@kernel.org
Acked-by: Alexander Viro
cc: Steve French
cc: Hyunchul Lee
cc: Chuck Lever
cc: Dave Wysochanski
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
--- fs/attr.c | 2 ++ 1 file changed, 2 insertions(+) --- a/fs/attr.c +++ b/fs/attr.c 
@@ -111,6 +111,8 @@ EXPORT_SYMBOL(setattr_prepare); */ int inode_newsize_ok(const struct inode *inode, loff_t offset) { + if (offset < 0) + return -EINVAL; if (inode->i_size < offset) { unsigned long limit; From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id E20D1C32774 for ; Tue, 23 Aug 2022 08:19:24 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242657AbiHWITW (ORCPT ); Tue, 23 Aug 2022 04:19:22 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42834 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242167AbiHWIOz (ORCPT ); Tue, 23 Aug 2022 04:14:55 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1EFF46CF44; Tue, 23 Aug 2022 01:09:57 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 2B2816126A; Tue, 23 Aug 2022 08:09:56 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 2D292C433C1; Tue, 23 Aug 2022 08:09:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242195; bh=+SzV2j3mKb6C/dGCOU8fZHy34MjFU/Y5qxgDjnVjrw8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=s/3BKX1TxAX37gf0+TDHPB2UcuHqze4vB930oixL1Gjrs6IXx4kCJvPBiLgEFOEiU DntYL75/7AwT4MWMFyXiU5FdvC0X2uQ9mBgXrC7r2PwFIJm2hA7MLXqzqtnX9g5IPX WPqsKtQB1xxUSs6UG2iaQdjGbUoyKaFJ+viMjm4c= 
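Review bot: the new offset < 0 test at the top of inode_newsize_ok() in fs/attr.c (patch 033/101) adds an -EINVAL return, but the comment block that closes just above the function (the */ in the first context line) is not touched by the hunk; if it lists the conditions the function checks, it should gain the negative-offset case. The commit message says the nfsd check can then be removed, yet the diffstat shows only fs/attr.c with 2 insertions, so that cleanup is not part of this patch and the message could say it is left for later. The two bypasses the message describes are in cachefiles and ksmbd; for the 4.9 queue it would help to state which in-tree callers can reach this function with a negative offset.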
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jann Horn , Oleksij Rempel , Lukas Wunner , Oliver Neukum , Jakub Kicinski Subject: [PATCH 4.9 034/101] usbnet: Fix linkwatch use-after-free on disconnect Date: Tue, 23 Aug 2022 10:03:07 +0200 Message-Id: <20220823080035.888712866@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" 
From: Lukas Wunner

commit a69e617e533edddf3fa3123149900f36e0a6dc74 upstream.

usbnet uses the work usbnet_deferred_kevent() to perform tasks which may sleep. On disconnect, completion of the work was originally awaited in ->ndo_stop(). But in 2003, that was moved to ->disconnect() by historic commit "[PATCH] USB: usbnet, prevent exotic rtnl deadlock":

  https://git.kernel.org/tglx/history/c/0f138bbfd83c

The change was made because back then, the kernel's workqueue implementation did not allow waiting for a single work. One had to wait for completion of *all* work by calling flush_scheduled_work(), and that could deadlock when waiting for usbnet_deferred_kevent() with rtnl_mutex held in ->ndo_stop().

The commit solved one problem but created another: It causes a use-after-free in USB Ethernet drivers aqc111.c, asix_devices.c, ax88179_178a.c, ch9200.c and smsc75xx.c:

* If the drivers receive a link change interrupt immediately before disconnect, they raise EVENT_LINK_RESET in their (non-sleepable) ->status() callback and schedule usbnet_deferred_kevent().
* usbnet_deferred_kevent() invokes the driver's ->link_reset() callback, which calls netif_carrier_{on,off}().
* That in turn schedules the work linkwatch_event().

Because usbnet_deferred_kevent() is awaited after unregister_netdev(), netif_carrier_{on,off}() may operate on an unregistered netdev and linkwatch_event() may run after free_netdev(), causing a use-after-free.

In 2010, usbnet was changed to only wait for a single instance of usbnet_deferred_kevent() instead of *all* work by commit 23f333a2bfaf ("drivers/net: don't use flush_scheduled_work()"). Unfortunately the commit neglected to move the wait back to ->ndo_stop(). Rectify that omission at long last.

Reported-by: Jann Horn
Link: https://lore.kernel.org/netdev/CAG48ez0MHBbENX5gCdHAUXZ7h7s20LnepBF-pa5M=7Bi-jZrEA@mail.gmail.com/
Reported-by: Oleksij Rempel
Link: https://lore.kernel.org/netdev/20220315113841.GA22337@pengutronix.de/ 
Signed-off-by: Lukas Wunner Cc: stable@vger.kernel.org Acked-by: Oliver Neukum Link: https://lore.kernel.org/r/d1c87ebe9fc502bffcd1576e238d685ad08321e4.16= 55987888.git.lukas@wunner.de Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- drivers/net/usb/usbnet.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) --- a/drivers/net/usb/usbnet.c +++ b/drivers/net/usb/usbnet.c @@ -847,13 +847,11 @@ int usbnet_stop (struct net_device *net) =20 mpn =3D !test_and_clear_bit(EVENT_NO_RUNTIME_PM, &dev->flags); =20 - /* deferred work (task, timer, softirq) must also stop. - * can't flush_scheduled_work() until we drop rtnl (later), - * else workers could deadlock; so make workers a NOP. - */ + /* deferred work (timer, softirq, task) must also stop */ dev->flags =3D 0; del_timer_sync (&dev->delay); tasklet_kill (&dev->bh); + cancel_work_sync(&dev->kevent); if (!pm) usb_autopm_put_interface(dev->intf); =20 
@@ -1577,8 +1575,6 @@ void usbnet_disconnect (struct usb_inter net =3D dev->net; unregister_netdev (net); =20 - cancel_work_sync(&dev->kevent); - usb_scuttle_anchored_urbs(&dev->deferred); =20 if (dev->driver_info->unbind) From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A8CFEC32774 for ; Tue, 23 Aug 2022 08:19:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242664AbiHWIT3 (ORCPT ); Tue, 23 Aug 2022 04:19:29 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45918 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242325AbiHWIPL (ORCPT ); Tue, 23 Aug 2022 04:15:11 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3C90D1EEEB; Tue, 23 Aug 2022 01:10:03 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id AB05061284; Tue, 23 Aug 2022 08:10:02 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 98829C433C1; Tue, 23 Aug 2022 08:10:01 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242202; bh=BrFXwbNfEskmHA1m12s7QDvxCiFqcliIkI/8VwguhzE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=i48qIdq03Q0cOr5ui1Xelr0rkx76RorBsJsr67BvsUaBQrhJ9+zgrPCmdV6J5Xix0 yZCJFmSgvvrkeASvT9oEaEuPlpWouUTR4rkZLRsZX5bNJIPBBQ69l840H4v0Exk2IQ S5h1R1KeuoZvr/mBbF74nvnbIZpvr03+bcSvB7xI= 
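Review bot: in the usbnet_stop() hunk of drivers/net/usb/usbnet.c (patch 034/101), cancel_work_sync(&dev->kevent) is added after del_timer_sync(&dev->delay) and tasklet_kill(&dev->bh), so if usbnet_deferred_kevent() can re-arm the timer or reschedule the tasklet while it is being waited for, either could run again after it was stopped; please confirm that clearing dev->flags beforehand makes the work a no-op in every branch, or repeat the timer and tasklet teardown after the cancel. The rewritten comment drops the explanation of the rtnl deadlock; since the wait now happens in ->ndo_stop() again, one line noting that cancel_work_sync() waits only for this work item, and that the work must not take rtnl itself, would record why this is safe. The usbnet_disconnect() hunk then depends on unregister_netdev() having gone through usbnet_stop() for the cancel.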
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Helge Deller Subject: [PATCH 4.9 035/101] parisc: Fix device names in /proc/iomem Date: Tue, 23 Aug 2022 10:03:08 +0200 Message-Id: <20220823080035.921656131@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Helge Deller commit cab56b51ec0e69128909cef4650e1907248d821b upstream. Fix the output of /proc/iomem to show the real hardware device name including the pa_pathname, e.g. "Merlin 160 Core Centronics [8:16:0]". Up to now only the pa_pathname ("[8:16.0]") was shown. Signed-off-by: Helge Deller Cc: # v4.9+ Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- arch/parisc/kernel/drivers.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) --- a/arch/parisc/kernel/drivers.c +++ b/arch/parisc/kernel/drivers.c @@ -504,7 +504,6 @@ alloc_pa_dev(unsigned long hpa, struct h dev->id.hversion_rev =3D iodc_data[1] & 0x0f; dev->id.sversion =3D ((iodc_data[4] & 0x0f) << 16) | (iodc_data[5] << 8) | iodc_data[6]; - dev->hpa.name =3D parisc_pathname(dev); dev->hpa.start =3D hpa; /* This is awkward. The STI spec says that gfx devices may occupy * 32MB or 64MB. Unfortunately, we don't know how to tell whether 
@@ -518,10 +517,10 @@ alloc_pa_dev(unsigned long hpa, struct h dev->hpa.end =3D hpa + 0xfff; } dev->hpa.flags =3D IORESOURCE_MEM; - name =3D parisc_hardware_description(&dev->id); - if (name) { - strlcpy(dev->name, name, sizeof(dev->name)); - } + dev->hpa.name =3D dev->name; + name =3D parisc_hardware_description(&dev->id) ? : "unknown"; + snprintf(dev->name, sizeof(dev->name), "%s [%s]", + name, parisc_pathname(dev)); =20 /* Silently fail things like mouse ports which are subsumed within * the keyboard controller From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9AEE5C32789 for ; Tue, 23 Aug 2022 08:22:03 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242905AbiHWITh (ORCPT ); Tue, 23 Aug 2022 04:19:37 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39990 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242470AbiHWIPX (ORCPT ); Tue, 23 Aug 2022 04:15:23 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E48AA6CF7A; Tue, 23 Aug 2022 01:10:08 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 8075361298; Tue, 23 Aug 2022 08:10:08 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 83FBEC433D6; Tue, 23 Aug 2022 08:10:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242207; bh=38z5+1E7HVbT6HeQjqkDPqJFtUVE6OakjVGr/qrHk+k=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; 
b=h3iPVD5B+6fizRvEQACLzP6L+nRPB472DH0BCC6LhpMEreHS/6V1K76vbAXNUlb9e WowP4jxkB03c9xrv8hNWgoXI3SDQu1OaTiihYRNkM+gOWgZgieX4+6e3r5XBgzeuR6 0GC7AQVsAcwhTD74yxU9eg36XbMFJvqbC5y2i+4o= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Timur Tabi , Karol Herbst , Lyude Paul Subject: [PATCH 4.9 036/101] drm/nouveau: fix another off-by-one in nvbios_addr Date: Tue, 23 Aug 2022 10:03:09 +0200 Message-Id: <20220823080035.956589692@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Timur Tabi commit c441d28945fb113220d48d6c86ebc0b090a2b677 upstream. This check determines whether a given address is part of image 0 or image 1. Image 1 starts at offset image0_size, so that address should be included. Fixes: 4d4e9907ff572 ("drm/nouveau/bios: guard against out-of-bounds access= es to image") Cc: # v4.8+ Signed-off-by: Timur Tabi Reviewed-by: Karol Herbst Signed-off-by: Lyude Paul Link: https://patchwork.freedesktop.org/patch/msgid/20220511163716.3520591-= 1-ttabi@nvidia.com Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c 
@@ -33,7 +33,7 @@ nvbios_addr(struct nvkm_bios *bios, u32 { u32 p =3D *addr; =20 - if (*addr > bios->image0_size && bios->imaged_addr) { + if (*addr >=3D bios->image0_size && bios->imaged_addr) { *addr -=3D bios->image0_size; *addr +=3D bios->imaged_addr; } From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id C8029C32774 for ; Tue, 23 Aug 2022 08:19:47 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242923AbiHWITq (ORCPT ); Tue, 23 Aug 2022 04:19:46 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45724 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242631AbiHWIPj (ORCPT ); Tue, 23 Aug 2022 04:15:39 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BBB956D9D9; Tue, 23 Aug 2022 01:10:16 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id B94BBB81C22; Tue, 23 Aug 2022 08:10:14 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 2ACC1C433D6; Tue, 23 Aug 2022 08:10:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242213; bh=dpotEm7dc6Kgd+lBiw8ygGH4KNcLBsJs5OmMAjOPzU8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ZX3OQ0ACkC3VD4IeIifnBiU4zi028L+pLZ7EK8fbhuntL7/x6TTpqucHhr6usOdHm y/C93lowSa7gf5PyeeHbQFOoVKfARaVXa0tZRn4A2kCj/YfjFxFh2u0OlcvJggD39J I7IzGwTLAJe1JalrPN/pUoU269c+Cx5N/wM54O9c= 
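Review bot: in nvbios_addr() the boundary between the two images is only implied by the comparison operator, and the subject line calls this "another" off-by-one in the same bounds logic. A one-line comment above the test stating that image 0 covers offsets below image0_size and image 1 begins at image0_size would document the intended half-open range and make a third slip less likely. The visible lines also add imaged_addr to *addr with no check in this hunk on the resulting value; if the guard sits later in the function that is fine, otherwise it is worth confirming.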
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Daniel Borkmann , Alexei Starovoitov , "David S. Miller" , Quentin Monnet Subject: [PATCH 4.9 037/101] bpf: fix overflow in prog accounting Date: Tue, 23 Aug 2022 10:03:10 +0200 Message-Id: <20220823080035.990269412@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" 
From: Daniel Borkmann

commit 5ccb071e97fbd9ffe623a0d3977cc6d013bee93c upstream.

Commit aaac3ba95e4c ("bpf: charge user for creation of BPF maps and programs") made a wrong assumption of charging against prog->pages. Unlike map->pages, prog->pages are still subject to change when we need to expand the program through bpf_prog_realloc().

This can for example happen during verification stage when we need to expand and rewrite parts of the program. Should the required space cross a page boundary, then prog->pages is not the same anymore as its original value that we used to bpf_prog_charge_memlock() on. Thus, we'll hit a wrap-around during bpf_prog_uncharge_memlock() when prog is freed eventually. I noticed this that despite having unlimited memlock, programs suddenly refused to load with EPERM error due to insufficient memlock.

There are two ways to fix this issue. One would be to add a cached variable to struct bpf_prog that takes a snapshot of prog->pages at the time of charging. The other approach is to also account for resizes. I chose to go with the latter for a couple of reasons: i) We want accounting rather to be more accurate instead of further fooling limits, ii) adding yet another page counter on struct bpf_prog would also be a waste just for this purpose. We also do want to charge as early as possible to avoid going into the verifier just to find out later on that we crossed limits. The only place that needs to be fixed is bpf_prog_realloc(), since only here we expand the program, so we try to account for the needed delta and should we fail, call-sites check for outcome anyway. On cBPF to eBPF migrations, we don't grab a reference to the user as they are charged differently. With that in place, my test case worked fine.

Fixes: aaac3ba95e4c ("bpf: charge user for creation of BPF maps and programs")
Signed-off-by: Daniel Borkmann
Acked-by: Alexei Starovoitov
Signed-off-by: David S. Miller
[Quentin: backport to 4.9: Adjust context in bpf.h ]
Signed-off-by: Quentin Monnet Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- include/linux/bpf.h | 11 +++++++++++ kernel/bpf/core.c | 16 +++++++++++++--- kernel/bpf/syscall.c | 36 ++++++++++++++++++++++++++++-------- 3 files changed, 52 insertions(+), 11 deletions(-) --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -246,6 +246,8 @@ struct bpf_prog *bpf_prog_get_type(u32 u struct bpf_prog *bpf_prog_add(struct bpf_prog *prog, int i); struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog); void bpf_prog_put(struct bpf_prog *prog); +int __bpf_prog_charge(struct user_struct *user, u32 pages); +void __bpf_prog_uncharge(struct user_struct *user, u32 pages); =20 struct bpf_map *bpf_map_get_with_uref(u32 ufd); struct bpf_map *__bpf_map_get(struct fd f); @@ -328,6 +330,15 @@ static inline struct bpf_prog *bpf_prog_ return ERR_PTR(-EOPNOTSUPP); } =20 +static inline int __bpf_prog_charge(struct user_struct *user, u32 pages) +{ + return 0; +} + +static inline void __bpf_prog_uncharge(struct user_struct *user, u32 pages) +{ +} + static inline bool unprivileged_ebpf_enabled(void) { return false; --- a/kernel/bpf/core.c +++ b/kernel/bpf/core.c 
@@ -107,19 +107,29 @@ struct bpf_prog *bpf_prog_realloc(struct gfp_t gfp_flags =3D GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO | gfp_extra_flags; struct bpf_prog *fp; + u32 pages, delta; + int ret; =20 BUG_ON(fp_old =3D=3D NULL); =20 size =3D round_up(size, PAGE_SIZE); - if (size <=3D fp_old->pages * PAGE_SIZE) + pages =3D size / PAGE_SIZE; + if (pages <=3D fp_old->pages) return fp_old; =20 + delta =3D pages - fp_old->pages; + ret =3D __bpf_prog_charge(fp_old->aux->user, delta); + if (ret) + return NULL; + fp =3D __vmalloc(size, gfp_flags, PAGE_KERNEL); - if (fp !=3D NULL) { + if (fp =3D=3D NULL) { + __bpf_prog_uncharge(fp_old->aux->user, delta); + } else { kmemcheck_annotate_bitfield(fp, meta); =20 memcpy(fp, fp_old, fp_old->pages * PAGE_SIZE); - fp->pages =3D size / PAGE_SIZE; + fp->pages =3D pages; fp->aux->prog =3D fp; =20 /* We keep fp->aux from fp_old around in the new --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c 
@@ -581,19 +581,39 @@ static void free_used_maps(struct bpf_pr kfree(aux->used_maps); } =20 +int __bpf_prog_charge(struct user_struct *user, u32 pages) +{ + unsigned long memlock_limit =3D rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT; + unsigned long user_bufs; + + if (user) { + user_bufs =3D atomic_long_add_return(pages, &user->locked_vm); + if (user_bufs > memlock_limit) { + atomic_long_sub(pages, &user->locked_vm); + return -EPERM; + } + } + + return 0; +} + +void __bpf_prog_uncharge(struct user_struct *user, u32 pages) +{ + if (user) + atomic_long_sub(pages, &user->locked_vm); +} + static int bpf_prog_charge_memlock(struct bpf_prog *prog) { struct user_struct *user =3D get_current_user(); - unsigned long memlock_limit; - - memlock_limit =3D rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT; + int ret; =20 - atomic_long_add(prog->pages, &user->locked_vm); - if (atomic_long_read(&user->locked_vm) > memlock_limit) { - atomic_long_sub(prog->pages, &user->locked_vm); + ret =3D __bpf_prog_charge(user, prog->pages); + if (ret) { free_uid(user); - return -EPERM; + return ret; } + prog->aux->user =3D user; return 0; } 
@@ -602,7 +622,7 @@ static void bpf_prog_uncharge_memlock(st { struct user_struct *user =3D prog->aux->user; =20 - atomic_long_sub(prog->pages, &user->locked_vm); + __bpf_prog_uncharge(user, prog->pages); free_uid(user); } From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4DAB3C32774 for ; Tue, 23 Aug 2022 08:20:02 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239496AbiHWIUA (ORCPT ); Tue, 23 Aug 2022 04:20:00 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44738 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242746AbiHWIPx (ORCPT ); Tue, 23 Aug 2022 04:15:53 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5DCFF6DAD8; Tue, 23 Aug 2022 01:10:25 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 1EF65B81C26; Tue, 23 Aug 2022 08:10:24 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 640A9C433D6; Tue, 23 Aug 2022 08:10:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242222; bh=gl2ec1/9WIGA+Cbo3C9Q12gKyFZ9vUECTlF+qnQ3z+c=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=uU+ybIjSYGpI064SIikmBvCp+h+rrUIVYn/8hoRibGV5BJrEjLS8dhHvDGn770nHL APn8N/w77wTousdPb5xjcEKblpEeNHhAyCVyyba3sXnZQyAlTGcHO+DZq/FQWUtV1Z DzRFREs6Vziq3zJ6qKssCNzK2auPqgrcAuKxa2IY= 
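Review bot: in the bpf_prog_realloc() hunk of kernel/bpf/core.c, a failed __bpf_prog_charge() returns NULL, the same value as a failed __vmalloc(), so the -EPERM from the memlock check is dropped and callers can only treat both cases as an allocation failure. If changing the return convention is too invasive for this fix, a comment at the "if (ret) return NULL;" lines should state that NULL now also means the memlock limit was hit, so whoever maps NULL to an errno knows the report may be misleading. The error path that calls __bpf_prog_uncharge() when __vmalloc() fails looks right; the same delta is charged and released.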
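Review bot: __bpf_prog_charge() and __bpf_prog_uncharge() in kernel/bpf/syscall.c become non-static and are called from core.c, but they carry no comment on two behaviours a caller has to know. A NULL user skips accounting entirely and returns 0, and the limit is read from rlimit(RLIMIT_MEMLOCK) of the calling task while the counter that gets updated is user->locked_vm of whichever user is passed in. A short kernel-doc block stating both, and that callers are expected to run in the context of the charged user, would keep the new bpf_prog_realloc() call site from being copied into a context where the two differ.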
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Miklos Szeredi Subject: [PATCH 4.9 038/101] fuse: limit nsec Date: Tue, 23 Aug 2022 10:03:11 +0200 Message-Id: <20220823080036.019985254@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Miklos Szeredi commit 47912eaa061a6a81e4aa790591a1874c650733c0 upstream. Limit nanoseconds to 0..999999999. Fixes: d8a5ba45457e ("[PATCH] FUSE - core") Cc: Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- fs/fuse/inode.c | 6 ++++++ 1 file changed, 6 insertions(+) --- a/fs/fuse/inode.c +++ b/fs/fuse/inode.c 
@@ -173,6 +173,12 @@ void fuse_change_attributes_common(struc inode->i_uid =3D make_kuid(&init_user_ns, attr->uid); inode->i_gid =3D make_kgid(&init_user_ns, attr->gid); inode->i_blocks =3D attr->blocks; + + /* Sanitize nsecs */ + attr->atimensec =3D min_t(u32, attr->atimensec, NSEC_PER_SEC - 1); + attr->mtimensec =3D min_t(u32, attr->mtimensec, NSEC_PER_SEC - 1); + attr->ctimensec =3D min_t(u32, attr->ctimensec, NSEC_PER_SEC - 1); + inode->i_atime.tv_sec =3D attr->atime; inode->i_atime.tv_nsec =3D attr->atimensec; /* mtime from server may be stale due to local buffered write */ From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2E731C32774 for ; Tue, 23 Aug 2022 08:20:15 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242974AbiHWIUN (ORCPT ); Tue, 23 Aug 2022 04:20:13 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45736 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242793AbiHWIP5 (ORCPT ); Tue, 23 Aug 2022 04:15:57 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0A6FE67158; Tue, 23 Aug 2022 01:10:29 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 1CDEC61242; Tue, 23 Aug 2022 08:10:29 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 2531EC433D6; Tue, 23 Aug 2022 08:10:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242228; bh=RXCyhZRzrtJghnYc9X17cARJaYAxXVaAfZazdDgnS5E=; 
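Review bot: the three min_t() lines added to fuse_change_attributes_common() write the clamped value back into attr, so the caller's copy of the server reply is modified as a side effect of updating the inode. If that is intended so that every later reader of attr sees a valid nsec, the "Sanitize nsecs" comment should say so; otherwise clamp at the tv_nsec assignments and leave attr alone. The clamp is also silent: a server that returns nsec above NSEC_PER_SEC - 1 gets 999999999 stored with no indication that its reply was out of range, which makes a misbehaving server hard to spot.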
h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=t5ENj6F5k3ywv+BoCCCg7Moi+pvnAK+iMqufd+9lJowPJW4i+3VOD1b+QXw57A/pl P6HM1IAw7YaIY1G4vXzZHO5aX4YQLJgXuMUTtZNgqhkAtA2qY1EFPo03ppG4lT9RTc 1ZME0HL6+INfCqK3Gcstohwv5Pht9w6Oe6o+X9Zk= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Mikulas Patocka , Song Liu , Jens Axboe Subject: [PATCH 4.9 039/101] md-raid10: fix KASAN warning Date: Tue, 23 Aug 2022 10:03:12 +0200 Message-Id: <20220823080036.055423414@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" 
From: Mikulas Patocka commit d17f744e883b2f8d13cca252d71cfe8ace346f7d upstream. There's a KASAN warning in raid10_remove_disk when running the lvm test lvconvert-raid-reshape.sh. We fix this warning by verifying that the value "number" is valid. BUG: KASAN: slab-out-of-bounds in raid10_remove_disk+0x61/0x2a0 [raid10] Read of size 8 at addr ffff889108f3d300 by task mdX_raid10/124682 CPU: 3 PID: 124682 Comm: mdX_raid10 Not tainted 5.19.0-rc6 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/= 2014 Call Trace: dump_stack_lvl+0x34/0x44 print_report.cold+0x45/0x57a ? __lock_text_start+0x18/0x18 ? raid10_remove_disk+0x61/0x2a0 [raid10] kasan_report+0xa8/0xe0 ? raid10_remove_disk+0x61/0x2a0 [raid10] raid10_remove_disk+0x61/0x2a0 [raid10] Buffer I/O error on dev dm-76, logical block 15344, async page read ? __mutex_unlock_slowpath.constprop.0+0x1e0/0x1e0 remove_and_add_spares+0x367/0x8a0 [md_mod] ? super_written+0x1c0/0x1c0 [md_mod] ? mutex_trylock+0xac/0x120 ? _raw_spin_lock+0x72/0xc0 ? _raw_spin_lock_bh+0xc0/0xc0 md_check_recovery+0x848/0x960 [md_mod] raid10d+0xcf/0x3360 [raid10] ? sched_clock_cpu+0x185/0x1a0 ? rb_erase+0x4d4/0x620 ? var_wake_function+0xe0/0xe0 ? psi_group_change+0x411/0x500 ? preempt_count_sub+0xf/0xc0 ? _raw_spin_lock_irqsave+0x78/0xc0 ? __lock_text_start+0x18/0x18 ? raid10_sync_request+0x36c0/0x36c0 [raid10] ? preempt_count_sub+0xf/0xc0 ? _raw_spin_unlock_irqrestore+0x19/0x40 ? del_timer_sync+0xa9/0x100 ? try_to_del_timer_sync+0xc0/0xc0 ? _raw_spin_lock_irqsave+0x78/0xc0 ? __lock_text_start+0x18/0x18 ? _raw_spin_unlock_irq+0x11/0x24 ? __list_del_entry_valid+0x68/0xa0 ? finish_wait+0xa3/0x100 md_thread+0x161/0x260 [md_mod] ? unregister_md_personality+0xa0/0xa0 [md_mod] ? _raw_spin_lock_irqsave+0x78/0xc0 ? prepare_to_wait_event+0x2c0/0x2c0 ? unregister_md_personality+0xa0/0xa0 [md_mod] kthread+0x148/0x180 ? 
kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30 Allocated by task 124495: kasan_save_stack+0x1e/0x40 __kasan_kmalloc+0x80/0xa0 setup_conf+0x140/0x5c0 [raid10] raid10_run+0x4cd/0x740 [raid10] md_run+0x6f9/0x1300 [md_mod] raid_ctr+0x2531/0x4ac0 [dm_raid] dm_table_add_target+0x2b0/0x620 [dm_mod] table_load+0x1c8/0x400 [dm_mod] ctl_ioctl+0x29e/0x560 [dm_mod] dm_compat_ctl_ioctl+0x7/0x20 [dm_mod] __do_compat_sys_ioctl+0xfa/0x160 do_syscall_64+0x90/0xc0 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Last potentially related work creation: kasan_save_stack+0x1e/0x40 __kasan_record_aux_stack+0x9e/0xc0 kvfree_call_rcu+0x84/0x480 timerfd_release+0x82/0x140 L __fput+0xfa/0x400 task_work_run+0x80/0xc0 exit_to_user_mode_prepare+0x155/0x160 syscall_exit_to_user_mode+0x12/0x40 do_syscall_64+0x42/0xc0 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Second to last potentially related work creation: kasan_save_stack+0x1e/0x40 __kasan_record_aux_stack+0x9e/0xc0 kvfree_call_rcu+0x84/0x480 timerfd_release+0x82/0x140 __fput+0xfa/0x400 task_work_run+0x80/0xc0 exit_to_user_mode_prepare+0x155/0x160 syscall_exit_to_user_mode+0x12/0x40 do_syscall_64+0x42/0xc0 entry_SYSCALL_64_after_hwframe+0x46/0xb0 The buggy address belongs to the object at ffff889108f3d200 which belongs to the cache kmalloc-256 of size 256 The buggy address is located 0 bytes to the right of 256-byte region [ffff889108f3d200, ffff889108f3d300) The buggy address belongs to the physical page: page:000000007ef2a34c refcount:1 mapcount:0 mapping:0000000000000000 index:= 0x0 pfn:0x1108f3c head:000000007ef2a34c order:2 compound_mapcount:0 compound_pincount:0 flags: 0x4000000000010200(slab|head|zone=3D2) raw: 4000000000010200 0000000000000000 dead000000000001 ffff889100042b40 raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff889108f3d200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff889108f3d280: 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 >ffff889108f3d300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff889108f3d380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff889108f3d400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Signed-off-by: Mikulas Patocka Cc: stable@vger.kernel.org Signed-off-by: Song Liu Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- drivers/md/raid10.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) --- a/drivers/md/raid10.c +++ b/drivers/md/raid10.c 
@@ -1785,9 +1785,12 @@ static int raid10_remove_disk(struct mdd int err =3D 0; int number =3D rdev->raid_disk; struct md_rdev **rdevp; - struct raid10_info *p =3D conf->mirrors + number; + struct raid10_info *p; =20 print_conf(conf); + if (unlikely(number >=3D mddev->raid_disks)) + return 0; + p =3D conf->mirrors + number; if (rdev =3D=3D p->rdev) rdevp =3D &p->rdev; else if (rdev =3D=3D p->replacement) From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4F095C32774 for ; Tue, 23 Aug 2022 08:22:03 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242999AbiHWIUV (ORCPT ); Tue, 23 Aug 2022 04:20:21 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46554 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242851AbiHWIQD (ORCPT ); Tue, 23 Aug 2022 04:16:03 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2BF2867C91; Tue, 23 Aug 2022 01:10:37 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 190E5B81C23; Tue, 23 Aug 2022 08:10:36 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 497A7C433D6; Tue, 23 Aug 2022 08:10:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242234; bh=e3aMXbjLjJFXWg8t0FJRpF8xQC0xpUH+N3XN8tF3TQE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=i1AjJatMyAuv8lra9SlQLBTZnDW5aO5Nd44S8GX5tTKWg5kxmADSKinazFjH5sSkV jQ0ShLvK6QpVcuaF70aUEK2hc/V9vkkS/DMaB7uZ5yqMTnxz8x3fvN5bwU5Iv+FND2 
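Review bot: in raid10_remove_disk() the new check tests only the upper bound, "number >= mddev->raid_disks", while number is declared as a signed int taken from rdev->raid_disk. If raid_disk can be negative when this function is reached, conf->mirrors + number still points before the array and the out-of-bounds read stays possible on the other side; either add "number < 0 ||" to the condition or add a comment stating why callers guarantee a non-negative value. The early exit also returns 0, which reports success for a disk index that was never looked up, and the bound used is mddev->raid_disks rather than a size taken from conf; a sentence in the comment on why those are the right choices would help.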
JkX9s4wA4kBf994KWw5N/+DH0497IZK5UrUIe6Hk= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, kernel test robot , Alexander Lobakin , Andy Shevchenko , Yury Norov Subject: [PATCH 4.9 040/101] ia64, processor: fix -Wincompatible-pointer-types in ia64_get_irr() Date: Tue, 23 Aug 2022 10:03:13 +0200 Message-Id: <20220823080036.088798465@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Alexander Lobakin commit e5a16a5c4602c119262f350274021f90465f479d upstream. test_bit(), as any other bitmap op, takes `unsigned long *` as a second argument (pointer to the actual bitmap), as any bitmap itself is an array of unsigned longs. However, the ia64_get_irr() code passes a ref to `u64` as a second argument. This works with the ia64 bitops implementation due to that they have `void *` as the second argument and then cast it later on. This works with the bitmap API itself due to that `unsigned long` has the same size on ia64 as `u64` (`unsigned long long`), but from the compiler PoV those two are different. Define @irr as `unsigned long` to fix that. That implies no functional changes. Has been hidden for 16 years! Fixes: a58786917ce2 ("[IA64] avoid broken SAL_CACHE_FLUSH implementations") Cc: stable@vger.kernel.org # 2.6.16+ Reported-by: kernel test robot Signed-off-by: Alexander Lobakin Reviewed-by: Andy Shevchenko Reviewed-by: Yury Norov Signed-off-by: Yury Norov Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- arch/ia64/include/asm/processor.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/ia64/include/asm/processor.h 
+++ b/arch/ia64/include/asm/processor.h @@ -554,7 +554,7 @@ ia64_get_irr(unsigned int vector) { unsigned int reg =3D vector / 64; unsigned int bit =3D vector % 64; - u64 irr; + unsigned long irr; =20 switch (reg) { case 0: irr =3D ia64_getreg(_IA64_REG_CR_IRR0); break; From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7B01AC32793 for ; Tue, 23 Aug 2022 08:22:03 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243073AbiHWIU2 (ORCPT ); Tue, 23 Aug 2022 04:20:28 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41968 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242896AbiHWIQH (ORCPT ); Tue, 23 Aug 2022 04:16:07 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 37C736DF84; Tue, 23 Aug 2022 01:10:42 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 1CD116123D; Tue, 23 Aug 2022 08:10:41 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 2C632C433D6; Tue, 23 Aug 2022 08:10:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242240; bh=Im3HBT1P0qQtoTxutY2VSJuAcACWfwsb36WFZEL1AcA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=lcAyzliBANqfmzcYxMUAvjM7SIA5WTZU36Hp1dF3ZFW3AUbvwHwpSr8cgSaGPG+CV w50pl6Qtvb7KCoAiFrGDlJtozWIsZPQRZTiI4GLAYOwelQk0ZwX4JTjfiuwyrt6z7n v5zwi1MEfHIGm9by/iVFnkXSwefmv2b+SSsrbGGg= 
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, =?UTF-8?q?Pali=20Roh=C3=A1r?= , Bjorn Helgaas , Naresh Kamboju , Guenter Roeck Subject: [PATCH 4.9 041/101] PCI: Add defines for normal and subtractive PCI bridges Date: Tue, 23 Aug 2022 10:03:14 +0200 Message-Id: <20220823080036.120136049@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Pali Roh=C3=A1r commit 904b10fb189cc15376e9bfce1ef0282e68b0b004 upstream. Add these PCI class codes to pci_ids.h: PCI_CLASS_BRIDGE_PCI_NORMAL PCI_CLASS_BRIDGE_PCI_SUBTRACTIVE Use these defines in all kernel code for describing PCI class codes for normal and subtractive PCI bridges. [bhelgaas: similar change in pci-mvebu.c] Link: https://lore.kernel.org/r/20220214114109.26809-1-pali@kernel.org Signed-off-by: Pali Roh=C3=A1r Signed-off-by: Bjorn Helgaas Cc: Guenter Roeck a Cc: Naresh Kamboju [ gregkh - take only the pci_ids.h portion for stable backports ] Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- include/linux/pci_ids.h | 2 ++ 1 file changed, 2 insertions(+) --- a/include/linux/pci_ids.h +++ b/include/linux/pci_ids.h 
@@ -55,6 +55,8 @@ #define PCI_CLASS_BRIDGE_EISA 0x0602 #define PCI_CLASS_BRIDGE_MC 0x0603 #define PCI_CLASS_BRIDGE_PCI 0x0604 +#define PCI_CLASS_BRIDGE_PCI_NORMAL 0x060400 +#define PCI_CLASS_BRIDGE_PCI_SUBTRACTIVE 0x060401 #define PCI_CLASS_BRIDGE_PCMCIA 0x0605 #define PCI_CLASS_BRIDGE_NUBUS 0x0606 #define PCI_CLASS_BRIDGE_CARDBUS 0x0607 From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 56CB8C32774 for ; Tue, 23 Aug 2022 08:22:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242943AbiHWIWe (ORCPT ); Tue, 23 Aug 2022 04:22:34 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43872 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242990AbiHWIQZ (ORCPT ); Tue, 23 Aug 2022 04:16:25 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0A8F863C8; Tue, 23 Aug 2022 01:10:47 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 22C246126A; Tue, 23 Aug 2022 08:10:47 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 12E62C433D6; Tue, 23 Aug 2022 08:10:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242246; bh=2aHTUycXkri3A1Jm6kJsITOtTncPDRgxibmlOA+RV+U=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=hQg7GxbAgwubu3xlPD8bnE2kTKogS1exgIg3ECnwsrMH4hsIZPLvEvyFDQ38sl7H8 sQn0VrCTsxVazd3CKplTrgtyvEGg4TjOEf1bOIRnkVq60B8/lcilLnqYXyfZp/d29P /E3cgAOBam+MSKpShwX5saaQO9xyilM+gP23JoAg= 
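Review bot: the two added defines in include/linux/pci_ids.h are 24-bit values (0x060400, 0x060401) placed in a block where every neighbour is a 16-bit class/subclass code such as PCI_CLASS_BRIDGE_PCI 0x0604, and nothing marks the difference. A trailing comment on each line noting that the low byte is the programming interface, and that these are meant to be compared against the full class value rather than class >> 8, would prevent them being used interchangeably with PCI_CLASS_BRIDGE_PCI.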
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Pali Rohár , Michael Ellerman Subject: [PATCH 4.9 042/101] powerpc/fsl-pci: Fix Class Code of PCIe Root Port Date: Tue, 23 Aug 2022 10:03:15 +0200 Message-Id: <20220823080036.149960090@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 
From: Pali Rohár

commit 0c551abfa004ce154d487d91777bf221c808a64f upstream.

By default old pre-3.0 Freescale PCIe controllers report invalid PCI Class
Code 0x0b20 for PCIe Root Port. It can be seen by lspci -b output on P2020
board which has this pre-3.0 controller:

  $ lspci -bvnn
  00:00.0 Power PC [0b20]: Freescale Semiconductor Inc P2020E [1957:0070] (rev 21)
    !!! Invalid class 0b20 for header type 01
    Capabilities: [4c] Express Root Port (Slot-), MSI 00

Fix this issue by programming correct PCI Class Code 0x0604 for PCIe Root
Port to the Freescale specific PCIe register 0x474.

With this change lspci -b output is:

  $ lspci -bvnn
  00:00.0 PCI bridge [0604]: Freescale Semiconductor Inc P2020E [1957:0070] (rev 21) (prog-if 00 [Normal decode])
    Capabilities: [4c] Express Root Port (Slot-), MSI 00

Without any "Invalid class" error. So class code was properly reflected
into standard (read-only) PCI register 0x08.

Same fix is already implemented in U-Boot pcie_fsl.c driver in commit:
http://source.denx.de/u-boot/u-boot/-/commit/d18d06ac35229345a0af80977a408cfbe1d1015b

Fix activated by U-Boot stays active also after booting Linux kernel.
But boards which use older U-Boot version without that fix are affected and
still require this fix.

So implement this class code fix also in kernel fsl_pci.c driver.

Cc: stable@vger.kernel.org
Signed-off-by: Pali Rohár
Signed-off-by: Michael Ellerman
Link: https://lore.kernel.org/r/20220706101043.4867-1-pali@kernel.org
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
--- arch/powerpc/sysdev/fsl_pci.c | 8 ++++++++ arch/powerpc/sysdev/fsl_pci.h | 1 + 2 files changed, 9 insertions(+) --- a/arch/powerpc/sysdev/fsl_pci.c +++ b/arch/powerpc/sysdev/fsl_pci.c @@ -524,6 +524,7 @@ int fsl_add_bridge(struct platform_devic struct resource rsrc; const int *bus_range; u8 hdr_type, progif; + u32 class_code; struct device_node *dev; struct ccsr_pci __iomem *pci; u16 temp; 
@@ -597,6 +598,13 @@ int fsl_add_bridge(struct platform_devic PPC_INDIRECT_TYPE_SURPRESS_PRIMARY_BUS; if (fsl_pcie_check_link(hose)) hose->indirect_type |=3D PPC_INDIRECT_TYPE_NO_PCIE_LINK; + /* Fix Class Code to PCI_CLASS_BRIDGE_PCI_NORMAL for pre-3.0 controller = */ + if (in_be32(&pci->block_rev1) < PCIE_IP_REV_3_0) { + early_read_config_dword(hose, 0, 0, PCIE_FSL_CSR_CLASSCODE, &class_code= ); + class_code &=3D 0xff; + class_code |=3D PCI_CLASS_BRIDGE_PCI_NORMAL << 8; + early_write_config_dword(hose, 0, 0, PCIE_FSL_CSR_CLASSCODE, class_code= ); + } } else { /* * Set PBFR(PCI Bus Function Register)[10] =3D 1 to --- a/arch/powerpc/sysdev/fsl_pci.h +++ b/arch/powerpc/sysdev/fsl_pci.h 
@@ -23,6 +23,7 @@ struct platform_device; =20 #define PCIE_LTSSM 0x0404 /* PCIE Link Training and Status */ #define PCIE_LTSSM_L0 0x16 /* L0 state */ +#define PCIE_FSL_CSR_CLASSCODE 0x474 /* FSL GPEX CSR */ #define PCIE_IP_REV_2_2 0x02080202 /* PCIE IP block version Rev2.2 */ #define PCIE_IP_REV_3_0 0x02080300 /* PCIE IP block version Rev3.0 */ #define PIWAR_EN 0x80000000 /* Enable */
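Review bot: in the @@ -597,6 +598,13 @@ hunk of fsl_pci.c, class_code is declared without an initializer and the result of early_read_config_dword() is not checked, so if that read fails the value that gets masked, OR-ed and written back to PCIE_FSL_CSR_CLASSCODE is whatever was on the stack. Suggest initializing class_code or skipping the write when the read returns an error, and adding a word to the comment on what the low byte preserved by the & 0xff mask holds.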
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, "Jason A. Donenfeld" , Michael Ellerman Subject: [PATCH 4.9 043/101] powerpc/powernv: Avoid crashing if rng is NULL Date: Tue, 23 Aug 2022 10:03:16 +0200 Message-Id: <20220823080036.179213506@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8"

From: Michael Ellerman

commit 90b5d4fe0b3ba7f589c6723c6bfb559d9e83956a upstream.

On a bare-metal Power8 system that doesn't have an "ibm,power-rng", a
malicious QEMU and guest that ignore the absence of the
KVM_CAP_PPC_HWRNG flag, and call H_RANDOM anyway, will dereference a
NULL pointer.

In practice all Power8 machines have an "ibm,power-rng", but let's not
rely on that, add a NULL check and early return in
powernv_get_random_real_mode().

Fixes: e928e9cb3601 ("KVM: PPC: Book3S HV: Add fast real-mode H_RANDOM implementation.")
Cc: stable@vger.kernel.org # v4.1+
Signed-off-by: Jason A. Donenfeld
Signed-off-by: Michael Ellerman
Link: https://lore.kernel.org/r/20220727143219.2684192-1-mpe@ellerman.id.au
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
--- arch/powerpc/platforms/powernv/rng.c | 2 ++ 1 file changed, 2 insertions(+) --- a/arch/powerpc/platforms/powernv/rng.c +++ b/arch/powerpc/platforms/powernv/rng.c 
@@ -67,6 +67,8 @@ int powernv_get_random_real_mode(unsigne struct powernv_rng *rng; =20 rng =3D raw_cpu_read(powernv_rng); + if (!rng) + return 0; =20 *v =3D rng_whiten(rng, in_rm64(rng->regs_real));
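Review bot: the new early return in the @@ -67,6 +67,8 @@ hunk leaves *v unassigned, and nothing in the function says what a return value of 0 means to the caller. A one-line comment above the check stating that 0 signals that no random data was produced and that *v is untouched would make the contract explicit, and the H_RANDOM caller should be confirmed never to consume *v on a 0 return, since the commit message treats the guest as malicious.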
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Huacai Chen , Thomas Bogendoerfer Subject: [PATCH 4.9 044/101] MIPS: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK Date: Tue, 23 Aug 2022 10:03:17 +0200 Message-Id: <20220823080036.210365370@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" 
From: Huacai Chen

commit e1a534f5d074db45ae5cbac41d8912b98e96a006 upstream.

When CONFIG_CPUMASK_OFFSTACK and CONFIG_DEBUG_PER_CPU_MAPS are selected,
cpu_max_bits_warn() generates a runtime warning similar to the one below
while we show /proc/cpuinfo. Fix this by using nr_cpu_ids (the runtime
limit) instead of NR_CPUS to iterate CPUs.

[ 3.052463] ------------[ cut here ]------------
[ 3.059679] WARNING: CPU: 3 PID: 1 at include/linux/cpumask.h:108 show_cpuinfo+0x5e8/0x5f0
[ 3.070072] Modules linked in: efivarfs autofs4
[ 3.076257] CPU: 0 PID: 1 Comm: systemd Not tainted 5.19-rc5+ #1052
[ 3.084034] Hardware name: Loongson Loongson-3A4000-7A1000-1w-V0.1-CRB/Loongson-LS3A4000-7A1000-1w-EVB-V1.21, BIOS Loongson-UDK2018-V2.0.04082-beta7 04/27
[ 3.099465] Stack : 9000000100157b08 9000000000f18530 9000000000cf846c 9000000100154000
[ 3.109127] 9000000100157a50 0000000000000000 9000000100157a58 9000000000ef7430
[ 3.118774] 90000001001578e8 0000000000000040 0000000000000020 ffffffffffffffff
[ 3.128412] 0000000000aaaaaa 1ab25f00eec96a37 900000010021de80 900000000101c890
[ 3.138056] 0000000000000000 0000000000000000 0000000000000000 0000000000aaaaaa
[ 3.147711] ffff8000339dc220 0000000000000001 0000000006ab4000 0000000000000000
[ 3.157364] 900000000101c998 0000000000000004 9000000000ef7430 0000000000000000
[ 3.167012] 0000000000000009 000000000000006c 0000000000000000 0000000000000000
[ 3.176641] 9000000000d3de08 9000000001639390 90000000002086d8 00007ffff0080286
[ 3.186260] 00000000000000b0 0000000000000004 0000000000000000 0000000000071c1c
[ 3.195868] ...
[ 3.199917] Call Trace:
[ 3.203941] [<98000000002086d8>] show_stack+0x38/0x14c
[ 3.210666] [<9800000000cf846c>] dump_stack_lvl+0x60/0x88
[ 3.217625] [<980000000023d268>] __warn+0xd0/0x100
[ 3.223958] [<9800000000cf3c90>] warn_slowpath_fmt+0x7c/0xcc
[ 3.231150] [<9800000000210220>] show_cpuinfo+0x5e8/0x5f0
[ 3.238080] [<98000000004f578c>] seq_read_iter+0x354/0x4b4
[ 3.245098] [<98000000004c2e90>] new_sync_read+0x17c/0x1c4
[ 3.252114] [<98000000004c5174>] vfs_read+0x138/0x1d0
[ 3.258694] [<98000000004c55f8>] ksys_read+0x70/0x100
[ 3.265265] [<9800000000cfde9c>] do_syscall+0x7c/0x94
[ 3.271820] [<9800000000202fe4>] handle_syscall+0xc4/0x160
[ 3.281824] ---[ end trace 8b484262b4b8c24c ]---

Cc: stable@vger.kernel.org
Signed-off-by: Huacai Chen
Signed-off-by: Thomas Bogendoerfer
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
--- arch/mips/kernel/proc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/mips/kernel/proc.c +++ b/arch/mips/kernel/proc.c 
@@ -162,7 +162,7 @@ static void *c_start(struct seq_file *m, { unsigned long i =3D *pos; =20 - return i < NR_CPUS ? (void *) (i + 1) : NULL; + return i < nr_cpu_ids ? (void *) (i + 1) : NULL; } =20 static void *c_next(struct seq_file *m, void *v, loff_t *pos)
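Review bot: only c_start() gets the nr_cpu_ids bound in the @@ -162,7 +162,7 @@ hunk; c_next(), visible as trailing context, is not part of the diff. Please confirm in the commit message or in a comment that c_next() ends up going through this same check, otherwise an index between nr_cpu_ids and NR_CPUS can still reach show_cpuinfo() and trigger the warning quoted in the commit message.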
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, stable , Alan Stern , Weitao Wang Subject: [PATCH 4.9 045/101] USB: HCD: Fix URB giveback issue in tasklet function Date: Tue, 23 Aug 2022 10:03:18 +0200 Message-Id: <20220823080036.259251159@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" 
From: Weitao Wang

commit 26c6c2f8a907c9e3a2f24990552a4d77235791e6 upstream.

Usb core introduces the mechanism of giveback of URB in tasklet context to
reduce hardware interrupt handling time. On some test situations (such as
FIO with 4KB block size), when tasklet callback function is called to
giveback URB, interrupt handler adds URB node to the bh->head list also.
If check bh->head list again after finish all URB giveback of local_list,
then it may introduce a "dynamic balance" between giveback URB and add URB
to bh->head list. This tasklet callback function may not exit for a long
time, which will cause other tasklet function calls to be delayed. Some
real-time applications (such as KB and Mouse) will see noticeable lag.

In order to prevent the tasklet function from occupying the cpu for a long
time at a time, new URBs will not be added to the local_list even though
the bh->head list is not empty. But also need to ensure the left URB
giveback to be processed in time, so add a member high_prio for structure
giveback_urb_bh to prioritize tasklet and schedule this tasklet again if
bh->head list is not empty.

At the same time, we are able to prioritize tasklet through structure
member high_prio. So, replace the local high_prio_bh variable with this
structure member in usb_hcd_giveback_urb.

Fixes: 94dfd7edfd5c ("USB: HCD: support giveback of URB in tasklet context")
Cc: stable
Reviewed-by: Alan Stern
Signed-off-by: Weitao Wang
Link: https://lore.kernel.org/r/20220726074918.5114-1-WeitaoWang-oc@zhaoxin.com
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
--- drivers/usb/core/hcd.c | 26 +++++++++++++++----------- include/linux/usb/hcd.h | 1 + 2 files changed, 16 insertions(+), 11 deletions(-) --- a/drivers/usb/core/hcd.c +++ b/drivers/usb/core/hcd.c 
@@ -1803,7 +1803,6 @@ static void usb_giveback_urb_bh(unsigned =20 spin_lock_irq(&bh->lock); bh->running =3D true; - restart: list_replace_init(&bh->head, &local_list); spin_unlock_irq(&bh->lock); =20 @@ -1817,10 +1816,17 @@ static void usb_giveback_urb_bh(unsigned bh->completing_ep =3D NULL; } =20 - /* check if there are new URBs to giveback */ + /* + * giveback new URBs next time to prevent this function + * from not exiting for a long time. + */ spin_lock_irq(&bh->lock); - if (!list_empty(&bh->head)) - goto restart; + if (!list_empty(&bh->head)) { + if (bh->high_prio) + tasklet_hi_schedule(&bh->bh); + else + tasklet_schedule(&bh->bh); + } bh->running =3D false; spin_unlock_irq(&bh->lock); } @@ -1845,7 +1851,7 @@ static void usb_giveback_urb_bh(unsigned void usb_hcd_giveback_urb(struct usb_hcd *hcd, struct urb *urb, int status) { struct giveback_urb_bh *bh; - bool running, high_prio_bh; + bool running; =20 /* pass status to tasklet via unlinked */ if (likely(!urb->unlinked)) @@ -1856,13 +1862,10 @@ void usb_hcd_giveback_urb(struct usb_hcd return; } =20 - if (usb_pipeisoc(urb->pipe) || usb_pipeint(urb->pipe)) { + if (usb_pipeisoc(urb->pipe) || usb_pipeint(urb->pipe)) bh =3D &hcd->high_prio_bh; - high_prio_bh =3D true; - } else { + else bh =3D &hcd->low_prio_bh; - high_prio_bh =3D false; - } =20 spin_lock(&bh->lock); list_add_tail(&urb->urb_list, &bh->head); @@ -1871,7 +1874,7 @@ void usb_hcd_giveback_urb(struct usb_hcd =20 if (running) ; - else if (high_prio_bh) + else if (bh->high_prio) tasklet_hi_schedule(&bh->bh); else tasklet_schedule(&bh->bh); @@ -2880,6 +2883,7 @@ int usb_add_hcd(struct usb_hcd *hcd, =20 /* initialize tasklets */ init_giveback_urb_bh(&hcd->high_prio_bh); + hcd->high_prio_bh.high_prio =3D true; init_giveback_urb_bh(&hcd->low_prio_bh); =20 /* enable irqs just before we start the controller, --- a/include/linux/usb/hcd.h +++ b/include/linux/usb/hcd.h 
@@ -65,6 +65,7 @@ =20 struct giveback_urb_bh { bool running; + bool high_prio; spinlock_t lock; struct list_head head; struct tasklet_struct bh;
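Review bot: in the @@ -2880,6 +2883,7 @@ hunk of hcd.c, high_prio is set to true for hcd->high_prio_bh by hand after init_giveback_urb_bh(), while hcd->low_prio_bh.high_prio is never assigned and relies on the containing structure having been zeroed. Now that usb_giveback_urb_bh() branches on bh->high_prio to choose between tasklet_hi_schedule() and tasklet_schedule(), it would be more robust to set the field for both instances, or to pass the priority into init_giveback_urb_bh(), and the new member in struct giveback_urb_bh would benefit from a one-line comment.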
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, mingi cho , Florian Westphal , Pablo Neira Ayuso Subject: [PATCH 4.9 046/101] netfilter: nf_tables: fix null deref due to zeroed list head Date: Tue, 23 Aug 2022 10:03:19 +0200 Message-Id: <20220823080036.308057139@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8"

From: Florian Westphal

commit 580077855a40741cf511766129702d97ff02f4d9 upstream.

In nf_tables_updtable, if nf_tables_table_enable returns an error,
nft_trans_destroy is called to free the transaction object.

nft_trans_destroy() calls list_del(), but the transaction was never
placed on a list -- the list head is all zeroes, this results in
a null dereference:

BUG: KASAN: null-ptr-deref in nft_trans_destroy+0x26/0x59
Call Trace:
 nft_trans_destroy+0x26/0x59
 nf_tables_newtable+0x4bc/0x9bc
 [..]

It's sane to assume that nft_trans_destroy() can be called
on the transaction object returned by nft_trans_alloc(), so
make sure the list head is initialised.

Fixes: 55dd6f93076b ("netfilter: nf_tables: use new transaction infrastructure to handle table")
Reported-by: mingi cho
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
--- net/netfilter/nf_tables_api.c | 1 + 1 file changed, 1 insertion(+) --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c 
@@ -119,6 +119,7 @@ static struct nft_trans *nft_trans_alloc if (trans =3D=3D NULL) return NULL; =20 + INIT_LIST_HEAD(&trans->list); trans->msg_type =3D msg_type; trans->ctx =3D *ctx;
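Review bot: INIT_LIST_HEAD(&trans->list) in the @@ -119,6 +119,7 @@ hunk is what makes list_del() in nft_trans_destroy() safe on a transaction that was never queued, but nothing at the call site records that contract. Suggest a comment above the new line saying that the object returned by nft_trans_alloc() must always be valid input for nft_trans_destroy(), so the initialization is not later dropped as redundant.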
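The failure mode described in the commit message above, as an added userspace example that is not part of the patch or of the kernel source. struct trans, trans_alloc(), trans_destroy() and list_del_checked() are hypothetical stand-ins for struct nft_trans, nft_trans_alloc(), nft_trans_destroy() and list_del(); the checked unlink returns -1 at the point where the kernel would dereference NULL.

```c
#include <stdlib.h>

/* Minimal model of the kernel's circular doubly linked list. */
struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
    n->prev = head->prev;
    n->next = head;
    head->prev->next = n;
    head->prev = n;
}

/* Performs the same two pointer writes as list_del(), but reports a NULL
 * neighbour instead of faulting so that the demo can run to completion. */
static int list_del_checked(struct list_head *e)
{
    if (!e->next || !e->prev)
        return -1;              /* kernel: null-ptr-deref on e->next->prev */
    e->next->prev = e->prev;
    e->prev->next = e->next;
    return 0;
}

/* Hypothetical stand-in for struct nft_trans. */
struct trans { struct list_head list; int msg_type; };

/* init_list = 0 models the allocator before the patch, 1 after it. */
static struct trans *trans_alloc(int msg_type, int init_list)
{
    struct trans *t = calloc(1, sizeof(*t));    /* zeroed, like kzalloc() */
    if (!t)
        return NULL;
    if (init_list)
        INIT_LIST_HEAD(&t->list);   /* self-linked: unlink becomes a no-op */
    t->msg_type = msg_type;
    return t;
}

/* Returns 0 if the unlink was safe, -1 if it would have hit NULL. */
static int trans_destroy(struct trans *t)
{
    int rc = list_del_checked(&t->list);
    free(t);
    return rc;
}

/* Error path: the transaction is destroyed without ever being queued. */
int destroy_unqueued(int init_list)
{
    struct trans *t = trans_alloc(1, init_list);
    return t ? trans_destroy(t) : -2;
}

/* Normal path: queued on a commit list, then destroyed. The list must be
 * empty afterwards, with or without the extra initialization. */
int destroy_queued(int init_list)
{
    struct list_head commit_list;
    struct trans *t = trans_alloc(1, init_list);

    if (!t)
        return -2;
    INIT_LIST_HEAD(&commit_list);
    list_add_tail(&t->list, &commit_list);
    if (trans_destroy(t))
        return -1;
    return (commit_list.next == &commit_list &&
            commit_list.prev == &commit_list) ? 0 : -3;
}
```

Only the unqueued error path distinguishes the two allocators, which is why the bug stayed hidden on the normal commit path.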
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Benjamin Block , Steffen Maier , "Martin K. Petersen" Subject: [PATCH 4.9 047/101] scsi: zfcp: Fix missing auto port scan and thus missing target ports Date: Tue, 23 Aug 2022 10:03:20 +0200 Message-Id: <20220823080036.337944190@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" 
From: Steffen Maier

commit 4da8c5f76825269f28d6a89fa752934a4bcb6dfa upstream.

Case (1):
The only waiter on wka_port->completion_wq is zfcp_fc_wka_port_get()
trying to open a WKA port. As such it should only be woken up by WKA
port *open* responses, not by WKA port close responses.

Case (2):
A close WKA port response coming in just after having sent a new open
WKA port request and before blocking for the open response with
wait_event() in zfcp_fc_wka_port_get() erroneously renders the
wait_event a NOP because the close handler overwrites
wka_port->status. Hence the wait_event condition is erroneously true
and it does not enter blocking state.

With non-negligible probability, the following time space sequence
happens depending on timing without this fix:

user process ERP thread zfcp work queue tasklet system work queue
============ ========== =============== ======= =================
$ echo 1 > online
zfcp_ccw_set_online
zfcp_ccw_activate
zfcp_erp_adapter_reopen
msleep scan backoff zfcp_erp_strategy
| ...
| zfcp_erp_action_cleanup
| ...
| queue delayed scan_work
| queue ns_up_work
| ns_up_work:
| zfcp_fc_wka_port_get
| open wka request
| open response
| GSPN FC-GS
| RSPN FC-GS [NPIV-only]
| zfcp_fc_wka_port_put
| (--wka->refcount==0)
| sched delayed wka->work
|
~~~Case (1)~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
zfcp_erp_wait
flush scan_work
| wka->work:
| wka->status=CLOSING
| close wka request
| scan_work:
| zfcp_fc_wka_port_get
| (wka->status==CLOSING)
| wka->status=OPENING
| open wka request
| wait_event
| | close response
| | wka->status=OFFLINE
| | wake_up /*WRONG*/
~~~Case (2)~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| wka->work:
| wka->status=CLOSING
| close wka request
zfcp_erp_wait
flush scan_work
| scan_work:
| zfcp_fc_wka_port_get
| (wka->status==CLOSING)
| wka->status=OPENING
| open wka request
| close response
| wka->status=OFFLINE
| wake_up /*WRONG&NOP*/
| wait_event /*NOP*/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| (wka->status!=ONLINE)
| return -EIO
| return early
open response
wka->status=ONLINE
wake_up /*NOP*/

So we erroneously end up with no automatic port scan. This is a big
problem when it happens during boot. The timing is influenced by v3.19
commit 18f87a67e6d6 ("zfcp: auto port scan resiliency").

Fix it by fully mutually excluding zfcp_fc_wka_port_get() and
zfcp_fc_wka_port_offline(). For that to work, we make the latter block
until we got the response for a close WKA port. In order not to
penalize the system workqueue, we move wka_port->work to our own
adapter workqueue. Note that before v2.6.30 commit 828bc1212a68
("[SCSI] zfcp: Set WKA-port to offline on adapter deactivation"), zfcp
did block in zfcp_fc_wka_port_offline() as well, but with a different
condition.

While at it, make non-functional cleanups to improve code reading in
zfcp_fc_wka_port_get().
If we cannot send the WKA port open request, don't rely on the
subsequent wait_event condition to immediately let this case pass
without blocking. Also don't want to rely on the additional condition
handling the refcount to be skipped just to finally return with -EIO.

Link: https://lore.kernel.org/r/20220729162529.1620730-1-maier@linux.ibm.com
Fixes: 5ab944f97e09 ("[SCSI] zfcp: attach and release SAN nameserver port on demand")
Cc: #v2.6.28+
Reviewed-by: Benjamin Block
Signed-off-by: Steffen Maier
Signed-off-by: Martin K. Petersen
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
--- drivers/s390/scsi/zfcp_fc.c | 29 ++++++++++++++++++++--------- drivers/s390/scsi/zfcp_fc.h | 6 ++++-- drivers/s390/scsi/zfcp_fsf.c | 4 ++-- 3 files changed, 26 insertions(+), 13 deletions(-) --- a/drivers/s390/scsi/zfcp_fc.c +++ b/drivers/s390/scsi/zfcp_fc.c @@ -144,27 +144,33 @@ void zfcp_fc_enqueue_event(struct zfcp_a =20 static int zfcp_fc_wka_port_get(struct zfcp_fc_wka_port *wka_port) { + int ret =3D -EIO; + if (mutex_lock_interruptible(&wka_port->mutex)) return -ERESTARTSYS; =20 if (wka_port->status =3D=3D ZFCP_FC_WKA_PORT_OFFLINE || wka_port->status =3D=3D ZFCP_FC_WKA_PORT_CLOSING) { wka_port->status =3D ZFCP_FC_WKA_PORT_OPENING; - if (zfcp_fsf_open_wka_port(wka_port)) + if (zfcp_fsf_open_wka_port(wka_port)) { + /* could not even send request, nothing to wait for */ wka_port->status =3D ZFCP_FC_WKA_PORT_OFFLINE; + goto out; + } } =20 - mutex_unlock(&wka_port->mutex); - - wait_event(wka_port->completion_wq, + wait_event(wka_port->opened, wka_port->status =3D=3D ZFCP_FC_WKA_PORT_ONLINE || wka_port->status =3D=3D ZFCP_FC_WKA_PORT_OFFLINE); =20 if (wka_port->status =3D=3D ZFCP_FC_WKA_PORT_ONLINE) { atomic_inc(&wka_port->refcount); - return 0; + ret =3D 0; + goto out; } - return -EIO; +out: + mutex_unlock(&wka_port->mutex); + return ret; } =20 static void zfcp_fc_wka_port_offline(struct work_struct *work) 
@@ -180,9 +186,12 @@ static void zfcp_fc_wka_port_offline(str =20 wka_port->status =3D ZFCP_FC_WKA_PORT_CLOSING; if (zfcp_fsf_close_wka_port(wka_port)) { + /* could not even send request, nothing to wait for */ wka_port->status =3D ZFCP_FC_WKA_PORT_OFFLINE; - wake_up(&wka_port->completion_wq); + goto out; } + wait_event(wka_port->closed, + wka_port->status =3D=3D ZFCP_FC_WKA_PORT_OFFLINE); out: mutex_unlock(&wka_port->mutex); } @@ -192,13 +201,15 @@ static void zfcp_fc_wka_port_put(struct if (atomic_dec_return(&wka_port->refcount) !=3D 0) return; /* wait 10 milliseconds, other reqs might pop in */ - schedule_delayed_work(&wka_port->work, HZ / 100); + queue_delayed_work(wka_port->adapter->work_queue, &wka_port->work, + msecs_to_jiffies(10)); } =20 static void zfcp_fc_wka_port_init(struct zfcp_fc_wka_port *wka_port, u32 d= _id, struct zfcp_adapter *adapter) { - init_waitqueue_head(&wka_port->completion_wq); + init_waitqueue_head(&wka_port->opened); + init_waitqueue_head(&wka_port->closed); =20 wka_port->adapter =3D adapter; wka_port->d_id =3D d_id; --- a/drivers/s390/scsi/zfcp_fc.h +++ b/drivers/s390/scsi/zfcp_fc.h @@ -169,7 +169,8 @@ enum zfcp_fc_wka_status { /** * struct zfcp_fc_wka_port - representation of well-known-address (WKA) FC= port * @adapter: Pointer to adapter structure this WKA port belongs to - * @completion_wq: Wait for completion of open/close command + * @opened: Wait for completion of open command + * @closed: Wait for completion of close command * @status: Current status of WKA port * @refcount: Reference count to keep port open as long as it is in use * @d_id: FC destination id or well-known-address @@ -179,7 +180,8 @@ enum zfcp_fc_wka_status { */ struct zfcp_fc_wka_port { struct zfcp_adapter *adapter; - wait_queue_head_t completion_wq; + wait_queue_head_t opened; + wait_queue_head_t closed; enum zfcp_fc_wka_status status; atomic_t refcount; u32 d_id; --- a/drivers/s390/scsi/zfcp_fsf.c +++ b/drivers/s390/scsi/zfcp_fsf.c 
@@ -1582,7 +1582,7 @@ static void zfcp_fsf_open_wka_port_handl wka_port->status =3D ZFCP_FC_WKA_PORT_ONLINE; } out: - wake_up(&wka_port->completion_wq); + wake_up(&wka_port->opened); } =20 /** 
@@ -1640,7 +1640,7 @@ static void zfcp_fsf_close_wka_port_hand } =20 wka_port->status =3D ZFCP_FC_WKA_PORT_OFFLINE; - wake_up(&wka_port->completion_wq); + wake_up(&wka_port->closed); } =20 /**
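Review bot: in the @@ -144,27 +144,33 @@ hunk of zfcp_fc.c, wait_event(wka_port->opened, ...) now runs with wka_port->mutex held and without a timeout, and the @@ -180,9 +186,12 @@ hunk does the same with wait_event(wka_port->closed, ...) inside a work item on the adapter work queue. If an open or close response never arrives, the mutex stays held, every later zfcp_fc_wka_port_get() caller parks in mutex_lock_interruptible(), and the work item never finishes. Please document next to the two wait_event() calls what guarantees that the open and close handlers in zfcp_fsf.c always run for a request that was sent, or consider a bounded wait.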
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Guenter Roeck, kernel test robot, Alexander Lobakin, Yury Norov
Subject: [PATCH 4.9 048/101] x86/olpc: fix logical not is only applied to the left hand side
Date: Tue, 23 Aug 2022 10:03:21 +0200
Message-Id: <20220823080036.369144154@linuxfoundation.org>
X-Mailer: git-send-email 2.37.2
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

From: Alexander Lobakin

commit 3a2ba42cbd0b669ce3837ba400905f93dd06c79f upstream.

The bitops compile-time optimization series revealed one more
problem in olpc-xo1-sci.c:send_ebook_state(), resulted in GCC
warnings:

arch/x86/platform/olpc/olpc-xo1-sci.c: In function 'send_ebook_state':
arch/x86/platform/olpc/olpc-xo1-sci.c:83:63: warning: logical not is only applied to the left hand side of comparison [-Wlogical-not-parentheses]
   83 |         if (!!test_bit(SW_TABLET_MODE, ebook_switch_idev->sw) == state)
      |                                                               ^~
arch/x86/platform/olpc/olpc-xo1-sci.c:83:13: note: add parentheses around left hand side expression to silence this warning

Despite this code working as intended, this redundant double
negation of boolean value, together with comparing to `char`
with no explicit conversion to bool, makes compilers think
the author made some unintentional logical mistakes here.
Make it the other way around and negate the char instead
to silence the warnings.

Fixes: d2aa37411b8e ("x86/olpc/xo1/sci: Produce wakeup events for buttons and switches")
Cc: stable@vger.kernel.org # 3.5+
Reported-by: Guenter Roeck
Reported-by: kernel test robot
Reviewed-and-tested-by: Guenter Roeck
Signed-off-by: Alexander Lobakin
Signed-off-by: Yury Norov
Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- arch/x86/platform/olpc/olpc-xo1-sci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/x86/platform/olpc/olpc-xo1-sci.c +++ b/arch/x86/platform/olpc/olpc-xo1-sci.c 
@@ -85,7 +85,7 @@ static void send_ebook_state(void) return; } =20 - if (!!test_bit(SW_TABLET_MODE, ebook_switch_idev->sw) =3D=3D state) + if (test_bit(SW_TABLET_MODE, ebook_switch_idev->sw) =3D=3D !!state) return; /* Nothing new to report. */ =20 input_report_switch(ebook_switch_idev, SW_TABLET_MODE, state); From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 72A9AC32774 for ; Tue, 23 Aug 2022 08:24:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243252AbiHWIYB (ORCPT ); Tue, 23 Aug 2022 04:24:01 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46472 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242515AbiHWIRf (ORCPT ); Tue, 23 Aug 2022 04:17:35 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DE9571F2F9; Tue, 23 Aug 2022 01:11:39 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 9443AB81C29; Tue, 23 Aug 2022 08:11:38 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id CA6D9C433B5; Tue, 23 Aug 2022 08:11:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242297; bh=rVd4J0guZ65vkhwgCDxawhFODU/bU6NhtmHAr44jMRY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=dKJxMvch6CSK/dDCpiSqT8+Ni5a5iSMCEaHSl88yS4uipVnsbdkRsyU4ck7crFGW+ pRfZu1IVT0WK2KkmTW/XeXfjz9rjK1QiNg5sT/bharbjXcvr09s6kxBwcB7ir0e70D 8AMLZdX40o1Y9vvMQVNadegXy0ctLCqgLu7TtXgc= 
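Review bot: in send_ebook_state() the new comparison test_bit(SW_TABLET_MODE, ebook_switch_idev->sw) == !!state only holds if test_bit() yields exactly 0 or 1 in the 4.9 tree, because the !! that used to normalise the left side is gone. The commit message ties the upstream warning to the bitops compile-time optimization series, so for this backport confirm the return type of test_bit() here. If it can return any other non-zero value, keep the normalisation on both sides with the left operand parenthesised, (!!test_bit(...)) == !!state.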
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Stephen Boyd, "Steven Rostedt (Google)", David Collins
Subject: [PATCH 4.9 049/101] spmi: trace: fix stack-out-of-bound access in SPMI tracing functions
Date: Tue, 23 Aug 2022 10:03:22 +0200
Message-Id: <20220823080036.420431808@linuxfoundation.org>
X-Mailer: git-send-email 2.37.2
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

From: David Collins

commit 2af28b241eea816e6f7668d1954f15894b45d7e3 upstream.

trace_spmi_write_begin() and trace_spmi_read_end() both call
memcpy() with a length of "len + 1". This leads to one extra
byte being read beyond the end of the specified buffer. Fix
this out-of-bound memory access by using a length of "len"
instead.

Here is a KASAN log showing the issue:

BUG: KASAN: stack-out-of-bounds in trace_event_raw_event_spmi_read_end+0x1d0/0x234
Read of size 2 at addr ffffffc0265b7540 by task thermal@2.0-ser/1314
...
Call trace:
 dump_backtrace+0x0/0x3e8
 show_stack+0x2c/0x3c
 dump_stack_lvl+0xdc/0x11c
 print_address_description+0x74/0x384
 kasan_report+0x188/0x268
 kasan_check_range+0x270/0x2b0
 memcpy+0x90/0xe8
 trace_event_raw_event_spmi_read_end+0x1d0/0x234
 spmi_read_cmd+0x294/0x3ac
 spmi_ext_register_readl+0x84/0x9c
 regmap_spmi_ext_read+0x144/0x1b0 [regmap_spmi]
 _regmap_raw_read+0x40c/0x754
 regmap_raw_read+0x3a0/0x514
 regmap_bulk_read+0x418/0x494
 adc5_gen3_poll_wait_hs+0xe8/0x1e0 [qcom_spmi_adc5_gen3]
 ...
 __arm64_sys_read+0x4c/0x60
 invoke_syscall+0x80/0x218
 el0_svc_common+0xec/0x1c8
 ...
addr ffffffc0265b7540 is located in stack of task thermal@2.0-ser/1314 at o= ffset 32 in frame: adc5_gen3_poll_wait_hs+0x0/0x1e0 [qcom_spmi_adc5_gen3] this frame has 1 object: [32, 33) 'status' Memory state around the buggy address: ffffffc0265b7400: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 ffffffc0265b7480: 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 >ffffffc0265b7500: 00 00 00 00 f1 f1 f1 f1 01 f3 f3 f3 00 00 00 00 ^ ffffffc0265b7580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffffc0265b7600: f1 f1 f1 f1 01 f2 07 f2 f2 f2 01 f3 00 00 00 00 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D Fixes: a9fce374815d ("spmi: add command tracepoints for SPMI") Cc: stable@vger.kernel.org Reviewed-by: Stephen Boyd Acked-by: Steven Rostedt (Google) Signed-off-by: David Collins Link: https://lore.kernel.org/r/20220627235512.2272783-1-quic_collinsd@quic= inc.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- include/trace/events/spmi.h | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) --- a/include/trace/events/spmi.h +++ b/include/trace/events/spmi.h @@ -20,15 +20,15 @@ TRACE_EVENT(spmi_write_begin, __field ( u8, sid ) __field ( u16, addr ) __field ( u8, len ) - __dynamic_array ( u8, buf, len + 1 ) + __dynamic_array ( u8, buf, len ) ), =20 TP_fast_assign( __entry->opcode =3D opcode; __entry->sid =3D sid; __entry->addr =3D addr; - __entry->len =3D len + 1; - memcpy(__get_dynamic_array(buf), buf, len + 1); + __entry->len =3D len; + memcpy(__get_dynamic_array(buf), buf, len); ), =20 TP_printk("opc=3D%d sid=3D%02d addr=3D0x%04x len=3D%d buf=3D0x[%*phD]", 
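Review bot: in TRACE_EVENT(spmi_write_begin) the recorded length is a u8 (__field(u8, len)) while the array size and the memcpy() now take len directly, so the three only agree when len fits in 8 bits. If a caller can pass a larger len, the copy fills len bytes but the event records a truncated length; state the bound in a comment or clamp before the assignment. The commit message should also say that the len= value shown in the trace output drops by one compared with earlier kernels, since anything that parses the trace will see the difference.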
@@ -91,7 +91,7 @@ TRACE_EVENT(spmi_read_end, __field ( u16, addr ) __field ( int, ret ) __field ( u8, len ) - __dynamic_array ( u8, buf, len + 1 ) + __dynamic_array ( u8, buf, len ) ), =20 TP_fast_assign( 
@@ -99,8 +99,8 @@ TRACE_EVENT(spmi_read_end, __entry->sid =3D sid; __entry->addr =3D addr; __entry->ret =3D ret; - __entry->len =3D len + 1; - memcpy(__get_dynamic_array(buf), buf, len + 1); + __entry->len =3D len; + memcpy(__get_dynamic_array(buf), buf, len); ), =20 TP_printk("opc=3D%d sid=3D%02d addr=3D0x%04x ret=3D%d len=3D%02d buf=3D0x= [%*phD]", From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A7904C32772 for ; Tue, 23 Aug 2022 08:26:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243291AbiHWIYU (ORCPT ); Tue, 23 Aug 2022 04:24:20 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44736 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242697AbiHWISd (ORCPT ); Tue, 23 Aug 2022 04:18:33 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C3A9C422E8; Tue, 23 Aug 2022 01:11:46 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id AB01AB81C21; Tue, 23 Aug 2022 08:11:44 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 04B53C43144; Tue, 23 Aug 2022 08:11:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242303; bh=oqrS4n14+Oiy+cBgNOK85Sl/fYlDaSOeoodCMoHgjw4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=MSLnCqnqWBq4xWOfKRlFY3BiSt3sFSd7lObCZbzvr+PmEE7xr9bCv28uBFCQ4i9Kw w7BJq5DgJb79XIRT9vdlEjnQoiHB6BErkqBqCPBDN+dIoxUe7XabPcHXL7A/lckzsa yw3VRhmGPa3SXgysWN6d/tVK2c/3WTvqSchRgnEA= 
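Review bot: in TRACE_EVENT(spmi_read_end) the memcpy(__get_dynamic_array(buf), buf, len) in TP_fast_assign runs whatever the value of ret. The KASAN report in the commit message shows the caller's buffer can be a stack variable ('status' in adc5_gen3_poll_wait_hs), so after a failed read the event copies whatever that buffer held into the trace buffer. Consider recording zero bytes when ret indicates failure, or say in the commit message why copying on failure is acceptable.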
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Baokun Li , Jan Kara , "Ritesh Harjani (IBM)" , Theodore Tso Subject: [PATCH 4.9 050/101] ext4: add EXT4_INODE_HAS_XATTR_SPACE macro in xattr.h Date: Tue, 23 Aug 2022 10:03:23 +0200 Message-Id: <20220823080036.470780979@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Baokun Li commit 179b14152dcb6a24c3415200603aebca70ff13af upstream. When adding an xattr to an inode, we must ensure that the inode_size is not less than EXT4_GOOD_OLD_INODE_SIZE + extra_isize + pad. Otherwise, the end position may be greater than the start position, resulting in UAF. Signed-off-by: Baokun Li Reviewed-by: Jan Kara Reviewed-by: Ritesh Harjani (IBM) Link: https://lore.kernel.org/r/20220616021358.2504451-2-libaokun1@huawei.c= om Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- fs/ext4/xattr.h | 13 +++++++++++++ 1 file changed, 13 insertions(+) --- a/fs/ext4/xattr.h +++ b/fs/ext4/xattr.h 
@@ -76,6 +76,19 @@ struct ext4_xattr_entry { =20 #define EXT4_ZERO_XATTR_VALUE ((void *)-1) =20 +/* + * If we want to add an xattr to the inode, we should make sure that + * i_extra_isize is not 0 and that the inode size is not less than + * EXT4_GOOD_OLD_INODE_SIZE + extra_isize + pad. + * EXT4_GOOD_OLD_INODE_SIZE extra_isize header entry pad data + * |--------------------------|------------|------|---------|---|-------| + */ +#define EXT4_INODE_HAS_XATTR_SPACE(inode) \ + ((EXT4_I(inode)->i_extra_isize !=3D 0) && \ + (EXT4_GOOD_OLD_INODE_SIZE + EXT4_I(inode)->i_extra_isize + \ + sizeof(struct ext4_xattr_ibody_header) + EXT4_XATTR_PAD <=3D \ + EXT4_INODE_SIZE((inode)->i_sb))) + struct ext4_xattr_info { int name_index; const char *name; From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9A8D2C32772 for ; Tue, 23 Aug 2022 08:27:05 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238613AbiHWIYY (ORCPT ); Tue, 23 Aug 2022 04:24:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43862 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242221AbiHWITB (ORCPT ); Tue, 23 Aug 2022 04:19:01 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5572E4057F; Tue, 23 Aug 2022 01:11:52 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id B6E5DB81C25; Tue, 23 Aug 2022 08:11:50 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 0DEEEC433D6; Tue, 23 Aug 2022 08:11:48 +0000 (UTC) 
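Review bot: EXT4_INODE_HAS_XATTR_SPACE(inode) expands its argument three times (EXT4_I(inode) twice and (inode)->i_sb once), so an argument with side effects would be evaluated repeatedly; a static inline function would avoid that and add type checking. The comment above it also says the inode size must cover EXT4_GOOD_OLD_INODE_SIZE + extra_isize + pad, while the expression additionally adds sizeof(struct ext4_xattr_ibody_header); the sentence should name the header as the diagram under it does.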
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242309; bh=e6CbxlTdKoiBbHXhARdur1EgTYEw0P1/1u6sqts1RDk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=GKH1NOqKVYMosSPF4DR/kMwecoWq/L6SnhcKnU5JpRCBA7s9/c2BQPy0lRzjv0CP7 2wGVneJaM8CRMZsVbz8rWxUbLPjAfEMem0eJFf/Xv3zUkcGRHuJFXsgR3B+xNmAf7b ahK0Dx3BgFRNIanvE6pbdD5O42OKmCBhTNAT7IXY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, stable@kernel.org, Lukas Czerner , Andreas Dilger , Theodore Tso Subject: [PATCH 4.9 051/101] ext4: make sure ext4_append() always allocates new block Date: Tue, 23 Aug 2022 10:03:24 +0200 Message-Id: <20220823080036.510604201@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Lukas Czerner commit b8a04fe77ef1360fbf73c80fddbdfeaa9407ed1b upstream. ext4_append() must always allocate a new block, otherwise we run the risk of overwriting existing directory block corrupting the directory tree in the process resulting in all manner of problems later on. Add a sanity check to see if the logical block is already allocated and error out if it is. Cc: stable@kernel.org Signed-off-by: Lukas Czerner Reviewed-by: Andreas Dilger Link: https://lore.kernel.org/r/20220704142721.157985-2-lczerner@redhat.com Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- fs/ext4/namei.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) --- a/fs/ext4/namei.c +++ b/fs/ext4/namei.c 
@@ -51,6 +51,7 @@ static struct buffer_head *ext4_append(h struct inode *inode, ext4_lblk_t *block) { + struct ext4_map_blocks map; struct buffer_head *bh; int err; =20 
@@ -60,6 +61,21 @@ static struct buffer_head *ext4_append(h return ERR_PTR(-ENOSPC); =20 *block =3D inode->i_size >> inode->i_sb->s_blocksize_bits; + map.m_lblk =3D *block; + map.m_len =3D 1; + + /* + * We're appending new directory block. Make sure the block is not + * allocated yet, otherwise we will end up corrupting the + * directory. + */ + err =3D ext4_map_blocks(NULL, inode, &map, 0); + if (err < 0) + return ERR_PTR(err); + if (err) { + EXT4_ERROR_INODE(inode, "Logical block already allocated"); + return ERR_PTR(-EFSCORRUPTED); + } =20 bh =3D ext4_bread(handle, inode, *block, EXT4_GET_BLOCKS_CREATE); if (IS_ERR(bh)) From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 99E35C32774 for ; Tue, 23 Aug 2022 08:24:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242976AbiHWIYc (ORCPT ); Tue, 23 Aug 2022 04:24:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59690 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242687AbiHWITl (ORCPT ); Tue, 23 Aug 2022 04:19:41 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 53F8869F67; Tue, 23 Aug 2022 01:11:56 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id E7F13612D7; Tue, 23 Aug 2022 08:11:55 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id F1A33C433D6; Tue, 23 Aug 2022 08:11:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242315; 
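Review bot: in ext4_append() only map.m_lblk and map.m_len are set before ext4_map_blocks(NULL, inode, &map, 0); the rest of the on-stack struct ext4_map_blocks is left uninitialised, so this relies on the callee resetting the other fields before it reads them. Confirm that for the 4.9 version of ext4_map_blocks(), or initialise the struct at its declaration. The reuse of err for a positive return value is also easy to misread; a short comment that a positive result means the block is already mapped would help.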
bh=J8KRrfhzhtbRWYUbDPBvLVt7Z01/iLBlYnQG6r9ACww=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=baeytRZc/yOZMPNeFOe78hfY4V/7yoCVVJXYzDyz5wugK5Fs9cFVh0k/sjphFucI8 71l984n0KFkAluQbw37O93o2OnQr8vrwRtTcVt9Hy4QG24y1oaQZjU05CiBK/PMxbf HolHVNU/FEaPYEcmySuFIY3IwllvTNQzj+Cea7rA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, stable@kernel.org, Hulk Robot , Baokun Li , "Ritesh Harjani (IBM)" , Jan Kara , Theodore Tso Subject: [PATCH 4.9 052/101] ext4: fix use-after-free in ext4_xattr_set_entry Date: Tue, 23 Aug 2022 10:03:25 +0200 Message-Id: <20220823080036.549277980@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" 

From: Baokun Li

commit 67d7d8ad99beccd9fe92d585b87f1760dc9018e3 upstream.

Hulk Robot reported an issue:
==================================================================
BUG: KASAN: use-after-free in ext4_xattr_set_entry+0x18ab/0x3500
Write of size 4105 at addr ffff8881675ef5f4 by task syz-executor.0/7092

CPU: 1 PID: 7092 Comm: syz-executor.0 Not tainted 4.19.90-dirty #17
Call Trace:
[...]
 memcpy+0x34/0x50 mm/kasan/kasan.c:303
 ext4_xattr_set_entry+0x18ab/0x3500 fs/ext4/xattr.c:1747
 ext4_xattr_ibody_inline_set+0x86/0x2a0 fs/ext4/xattr.c:2205
 ext4_xattr_set_handle+0x940/0x1300 fs/ext4/xattr.c:2386
 ext4_xattr_set+0x1da/0x300 fs/ext4/xattr.c:2498
 __vfs_setxattr+0x112/0x170 fs/xattr.c:149
 __vfs_setxattr_noperm+0x11b/0x2a0 fs/xattr.c:180
 __vfs_setxattr_locked+0x17b/0x250 fs/xattr.c:238
 vfs_setxattr+0xed/0x270 fs/xattr.c:255
 setxattr+0x235/0x330 fs/xattr.c:520
 path_setxattr+0x176/0x190 fs/xattr.c:539
 __do_sys_lsetxattr fs/xattr.c:561 [inline]
 __se_sys_lsetxattr fs/xattr.c:557 [inline]
 __x64_sys_lsetxattr+0xc2/0x160 fs/xattr.c:557
 do_syscall_64+0xdf/0x530 arch/x86/entry/common.c:298
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x459fe9
RSP: 002b:00007fa5e54b4c08 EFLAGS: 00000246 ORIG_RAX: 00000000000000bd
RAX: ffffffffffffffda RBX: 000000000051bf60 RCX: 0000000000459fe9
RDX: 00000000200003c0 RSI: 0000000020000180 RDI: 0000000020000140
RBP: 000000000051bf60 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000001009 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc73c93fc0 R14: 000000000051bf60 R15: 00007fa5e54b4d80
[...]
==================================================================

Above issue may happen as follows:
Reported-by: Hulk Robot
Reported-by: Linux Kernel Functional Testing
Reviewed-by: Jan Kara
Reviewed-by: Ritesh Harjani (IBM)
Tested-by: Shuah Khan
-------------------------------------
ext4_xattr_set
  ext4_xattr_set_handle
    ext4_xattr_ibody_find
      >> s->end < s->base
      >> no EXT4_STATE_XATTR
      >> xattr_check_inode is not executed
    ext4_xattr_ibody_set
      ext4_xattr_set_entry
        >> size_t min_offs = s->end - s->base
        >> UAF in memcpy

we can easily reproduce this problem with the following commands:
    mkfs.ext4 -F /dev/sda
    mount -o debug_want_extra_isize=128 /dev/sda /mnt
    touch /mnt/file
    setfattr -n user.cat -v `seq -s z 4096|tr -d '[:digit:]'` /mnt/file

In ext4_xattr_ibody_find, we have the following assignment logic:
  header = IHDR(inode, raw_inode)
         = raw_inode + EXT4_GOOD_OLD_INODE_SIZE + i_extra_isize
  is->s.base = IFIRST(header)
             = header + sizeof(struct ext4_xattr_ibody_header)
  is->s.end = raw_inode + s_inode_size

In ext4_xattr_set_entry
  min_offs = s->end - s->base
           = s_inode_size - EXT4_GOOD_OLD_INODE_SIZE - i_extra_isize -
             sizeof(struct ext4_xattr_ibody_header)
  last = s->first
  free = min_offs - ((void *)last - s->base) - sizeof(__u32)
       = s_inode_size - EXT4_GOOD_OLD_INODE_SIZE - i_extra_isize -
         sizeof(struct ext4_xattr_ibody_header) - sizeof(__u32)

In the calculation formula, all values except s_inode_size and
i_extra_size are fixed values. When i_extra_size is the maximum value
s_inode_size - EXT4_GOOD_OLD_INODE_SIZE, min_offs is -4 and free is -8.
The value overflows. As a result, the preceding issue is triggered when
memcpy is executed.

Therefore, when finding xattr or setting xattr, check whether
there is space for storing xattr in the inode to resolve this issue.

Cc: stable@kernel.org
Reported-by: Hulk Robot
Signed-off-by: Baokun Li Reviewed-by: Ritesh Harjani (IBM) Reviewed-by: Jan Kara Link: https://lore.kernel.org/r/20220616021358.2504451-3-libaokun1@huawei.c= om Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman --- fs/ext4/xattr.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/fs/ext4/xattr.c +++ b/fs/ext4/xattr.c @@ -1053,8 +1053,9 @@ int ext4_xattr_ibody_find(struct inode * struct ext4_inode *raw_inode; int error; =20 - if (EXT4_I(inode)->i_extra_isize =3D=3D 0) + if (!EXT4_INODE_HAS_XATTR_SPACE(inode)) return 0; + raw_inode =3D ext4_raw_inode(&is->iloc); header =3D IHDR(inode, raw_inode); is->s.base =3D is->s.first =3D IFIRST(header); 
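Review bot: in ext4_xattr_ibody_find() the early return 0 when EXT4_INODE_HAS_XATTR_SPACE(inode) is false happens before is->s.base and is->s.first are assigned, yet reports success, just as the old i_extra_isize == 0 test did. That is safe only while every consumer of is->s repeats the same space check before using it, so the pairing with the check in ext4_xattr_ibody_set() deserves a comment here. The macro comes from patch 050/101 of this series, so the two have to be applied together.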
@@ -1107,8 +1108,9 @@ static int ext4_xattr_ibody_set(handle_t struct ext4_xattr_search *s =3D &is->s; int error; =20 - if (EXT4_I(inode)->i_extra_isize =3D=3D 0) + if (!EXT4_INODE_HAS_XATTR_SPACE(inode)) return -ENOSPC; + error =3D ext4_xattr_set_entry(i, s, inode); if (error) return error; From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id C11B1C32774 for ; Tue, 23 Aug 2022 08:24:44 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243353AbiHWIYm (ORCPT ); Tue, 23 Aug 2022 04:24:42 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56696 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S243211AbiHWIUp (ORCPT ); Tue, 23 Aug 2022 04:20:45 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5933A2C664; Tue, 23 Aug 2022 01:12:15 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id C7C1FB81C22; Tue, 23 Aug 2022 08:12:05 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 008C7C433D6; Tue, 23 Aug 2022 08:12:03 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242324; bh=3ziDYwt+y+FELl9+y1MQMtELjPf4hifJ5vanJV4Z5fA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=sRrrKKl/I5AYPxFbCr0F6hB0GQZ0PkqOfojxAIYgz2C17NNjXZKUv9K04wQ3/I2kd tflkU7ni9nHRxkGHKp/c+E9yPTJIBzfaU6nQdWkeUc+fkB8Y+8Dl1wtEjMA02UdeIS 572P7fgxMyGNW5LaGwsU9qFA6qQBrN5+wA1pdTME= 
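Review bot: the call trace in the commit message reaches ext4_xattr_set_entry() through ext4_xattr_ibody_inline_set(), but the two hunks only guard ext4_xattr_ibody_find() and ext4_xattr_ibody_set(). If the 4.9 tree still has a separate ext4_xattr_ibody_inline_set() with its own i_extra_isize == 0 test, it needs the same EXT4_INODE_HAS_XATTR_SPACE() check, otherwise the reported path is not covered by this backport.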
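The min_offs and free arithmetic from the commit message of patch 052/101, together with the EXT4_INODE_HAS_XATTR_SPACE() condition from patch 050/101, worked through as an added stand-alone C model (not code from the patches or from ext4). The struct and function names are hypothetical; the values 128, 4 and 4 for EXT4_GOOD_OLD_INODE_SIZE, sizeof(struct ext4_xattr_ibody_header) and EXT4_XATTR_PAD are assumptions consistent with the -4 and -8 results quoted in the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed constants for this model (see lead-in). */
#define GOOD_OLD_INODE_SIZE 128 /* EXT4_GOOD_OLD_INODE_SIZE */
#define IBODY_HEADER_SIZE   4   /* sizeof(struct ext4_xattr_ibody_header) */
#define XATTR_PAD           4   /* EXT4_XATTR_PAD */

/* Hypothetical stand-in for the two inode values the formula depends on. */
struct model_inode {
    unsigned inode_size;   /* s_inode_size from the superblock */
    unsigned extra_isize;  /* i_extra_isize of the inode */
};

/* min_offs = s->end - s->base, computed as a signed value. */
long model_min_offs(const struct model_inode *in)
{
    return (long)in->inode_size - GOOD_OLD_INODE_SIZE
         - (long)in->extra_isize - IBODY_HEADER_SIZE;
}

/* free = min_offs - (last - s->base) - sizeof(__u32), with last == s->base. */
long model_free(const struct model_inode *in)
{
    return model_min_offs(in) - 0 - (long)sizeof(uint32_t);
}

/* The same difference once stored in a size_t, as in the
 * "size_t min_offs = s->end - s->base" step of the call flow. */
size_t model_min_offs_as_size_t(const struct model_inode *in)
{
    return (size_t)model_min_offs(in);
}

/* Model of the EXT4_INODE_HAS_XATTR_SPACE() predicate from patch 050. */
int model_has_xattr_space(const struct model_inode *in)
{
    return in->extra_isize != 0 &&
           GOOD_OLD_INODE_SIZE + in->extra_isize +
           IBODY_HEADER_SIZE + XATTR_PAD <= in->inode_size;
}

int main(void)
{
    /* Constructed sample inodes, all with a 256-byte on-disk inode. */
    const struct model_inode samples[] = {
        { 256, 0 },    /* no extra space at all */
        { 256, 32 },   /* ordinary layout */
        { 256, 120 },  /* largest extra_isize that still leaves header + pad */
        { 256, 124 },  /* header fits, pad does not */
        { 256, 128 },  /* maximum from the commit message: min_offs == -4 */
    };
    size_t i;

    printf("%11s %8s %5s %22s %9s\n",
           "extra_isize", "min_offs", "free", "min_offs as size_t", "has_space");
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const struct model_inode *in = &samples[i];

        printf("%11u %8ld %5ld %22zu %9d\n", in->extra_isize,
               model_min_offs(in), model_free(in),
               model_min_offs_as_size_t(in), model_has_xattr_space(in));
    }
    return 0;
}
```

In this model the predicate is false exactly for extra_isize 0 and for the rows where free is negative, which is the condition the two guarded functions now test before s->base and s->end are used.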
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Theodore Tso , stable@kernel.org, Andreas Dilger Subject: [PATCH 4.9 053/101] ext4: update s_overhead_clusters in the superblock during an on-line resize Date: Tue, 23 Aug 2022 10:03:26 +0200 Message-Id: <20220823080036.585623693@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Theodore Ts'o commit de394a86658ffe4e89e5328fd4993abfe41b7435 upstream. When doing an online resize, the on-disk superblock on-disk wasn't updated. This means that when the file system is unmounted and remounted, and the on-disk overhead value is non-zero, this would result in the results of statfs(2) to be incorrect. This was partially fixed by Commits 10b01ee92df5 ("ext4: fix overhead calculation to account for the reserved gdt blocks"), 85d825dbf489 ("ext4: force overhead calculation if the s_overhead_cluster makes no sense"), and eb7054212eac ("ext4: update the cached overhead value in the superblock"). However, since it was too expensive to forcibly recalculate the overhead for bigalloc file systems at every mount, this didn't fix the problem for bigalloc file systems. This commit should address the problem when resizing file systems with the bigalloc feature enabled. Signed-off-by: Theodore Ts'o Cc: stable@kernel.org Reviewed-by: Andreas Dilger Link: https://lore.kernel.org/r/20220629040026.112371-1-tytso@mit.edu Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- fs/ext4/resize.c | 1 + 1 file changed, 1 insertion(+) --- a/fs/ext4/resize.c +++ b/fs/ext4/resize.c 
@@ -1446,6 +1446,7 @@ static void ext4_update_super(struct sup * Update the fs overhead information */ ext4_calculate_overhead(sb); + es->s_overhead_clusters =3D cpu_to_le32(sbi->s_overhead); =20 if (test_opt(sb, DEBUG)) printk(KERN_DEBUG "EXT4-fs: added group %u:" From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id BC823C32793 for ; Tue, 23 Aug 2022 08:27:05 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243380AbiHWIYx (ORCPT ); Tue, 23 Aug 2022 04:24:53 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56366 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S243370AbiHWIVE (ORCPT ); Tue, 23 Aug 2022 04:21:04 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B2D016EF14; Tue, 23 Aug 2022 01:12:27 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id C94E9B81C25; Tue, 23 Aug 2022 08:12:11 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 342EAC433D6; Tue, 23 Aug 2022 08:12:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242330; bh=Dk8WOCncWIQfD3LI7kIaw3Mjv8xoez6Dudme09wCtIo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=rHPoG+k0n271BG4JRbg6Noj+V84CcxUZUVeJfbmqfm9qRYsdvHbNVYyh5Xun40C1S 6bNu/1cFh1q0KYvg1RqnhYe+vibHsxPJGoD1jLZ53XSS2poRwtD/G6C0YNhFvJLBvQ BXC5YjMrZW2ywzG2utoc51RVAXw9uqzgbbkdJFnk= 
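Review bot: in ext4_update_super() the result of ext4_calculate_overhead(sb) is discarded on the line above the new assignment, so if that call can fail, es->s_overhead_clusters is written from a stale sbi->s_overhead. Check the result first and skip the on-disk update on error.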
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, stable@kernel.org, Ye Bin, Eric Whitney, Theodore Tso
Subject: [PATCH 4.9 054/101] ext4: fix extent status tree race in writeback error recovery path
Date: Tue, 23 Aug 2022 10:03:27 +0200
Message-Id: <20220823080036.617733993@linuxfoundation.org>
X-Mailer: git-send-email 2.37.2
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

From: Eric Whitney

commit 7f0d8e1d607c1a4fa9a27362a108921d82230874 upstream.

A race can occur in the unlikely event ext4 is unable to allocate a
physical cluster for a delayed allocation in a bigalloc file system
during writeback. Failure to allocate a cluster forces error recovery
that includes a call to mpage_release_unused_pages(). That function
removes any corresponding delayed allocated blocks from the extent
status tree. If a new delayed write is in progress on the same cluster
simultaneously, resulting in the addition of a new extent containing
one or more blocks in that cluster to the extent status tree, delayed
block accounting can be thrown off if that delayed write then encounters
a similar cluster allocation failure during future writeback.

Write lock the i_data_sem in mpage_release_unused_pages() to fix this
problem. Ext4's block/cluster accounting code for bigalloc relies on
i_data_sem for mutual exclusion, as is found in the delayed write path,
and the locking in mpage_release_unused_pages() is missing.

Cc: stable@kernel.org
Reported-by: Ye Bin
Signed-off-by: Eric Whitney
Link: https://lore.kernel.org/r/20220615160530.1928801-1-enwlinux@gmail.com
Signed-off-by: Theodore Ts'o
Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- fs/ext4/inode.c | 7 +++++++ 1 file changed, 7 insertions(+) --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c 
@@ -1659,7 +1659,14 @@ static void mpage_release_unused_pages(s ext4_lblk_t start, last; start =3D index << (PAGE_SHIFT - inode->i_blkbits); last =3D end << (PAGE_SHIFT - inode->i_blkbits); + + /* + * avoid racing with extent status tree scans made by + * ext4_insert_delayed_block() + */ + down_write(&EXT4_I(inode)->i_data_sem); ext4_es_remove_extent(inode, start, last - start + 1); + up_write(&EXT4_I(inode)->i_data_sem); } =20 pagevec_init(&pvec, 0); From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id C40FCC3F6B0 for ; Tue, 23 Aug 2022 08:32:24 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244066AbiHWIar (ORCPT ); Tue, 23 Aug 2022 04:30:47 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44886 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S243564AbiHWI1G (ORCPT ); Tue, 23 Aug 2022 04:27:06 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E213F74CC2; Tue, 23 Aug 2022 01:14:53 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id CED79612DA; Tue, 23 Aug 2022 08:14:07 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id D019EC433C1; Tue, 23 Aug 2022 08:14:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242447; bh=fMHn/Vf6sz9I5BG9XFOTBqc05WPfoxjFlUueGrdfOEI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=O+nkrvqY1kSOT/dfnT+A+gS4TVmlcLYGdD94ZSBe/6Wi5zlguFL87gcmI5YMVfDP9 
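Review bot: the new comment in mpage_release_unused_pages() names ext4_insert_delayed_block() as the racing party; confirm that function exists in the 4.9 tree, because if it does not, the comment points at nothing and the reason for taking i_data_sem has to be restated for this kernel. The return value of ext4_es_remove_extent() is still ignored inside the locked region, and the commit message should state that no caller of mpage_release_unused_pages() already holds i_data_sem, since down_write() would then deadlock.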
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, stable@kernel.org, Baokun Li, "Ritesh Harjani (IBM)", Jan Kara, Theodore Tso
Subject: [PATCH 4.9 055/101] ext4: correct max_inline_xattr_value_size computing
Date: Tue, 23 Aug 2022 10:03:28 +0200
Message-Id: <20220823080036.657404616@linuxfoundation.org>
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>

From: Baokun Li

commit c9fd167d57133c5b748d16913c4eabc55e531c73 upstream.

If the ext4 inode does not have xattr space, 0 is returned in the get_max_inline_xattr_value_size function. Otherwise, the function returns a negative value when the inode does not contain EXT4_STATE_XATTR.

Cc: stable@kernel.org
Signed-off-by: Baokun Li
Reviewed-by: Ritesh Harjani (IBM)
Reviewed-by: Jan Kara
Link: https://lore.kernel.org/r/20220616021358.2504451-4-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
--- fs/ext4/inline.c | 3 +++ 1 file changed, 3 insertions(+) --- a/fs/ext4/inline.c +++ b/fs/ext4/inline.c
@@ -40,6 +40,9 @@ static int get_max_inline_xattr_value_si struct ext4_inode *raw_inode; int free, min_offs; =20 + if (!EXT4_INODE_HAS_XATTR_SPACE(inode)) + return 0; + min_offs =3D EXT4_SB(inode->i_sb)->s_inode_size - EXT4_GOOD_OLD_INODE_SIZE - EXT4_I(inode)->i_extra_isize -
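Review bot: the added early return on !EXT4_INODE_HAS_XATTR_SPACE(inode) carries no comment, so nothing at the site says why 0 is the right answer; add one line stating that without in-inode xattr space the min_offs subtraction that follows would come out negative, which is the case the commit message describes. Since free and min_offs stay plain int, it is also worth confirming that every caller treats a 0 return as "no room for an inline xattr value" and not as an error code.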
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Mikulas Patocka, Mike Snitzer
Subject: [PATCH 4.9 056/101] dm raid: fix address sanitizer warning in raid_status
Date: Tue, 23 Aug 2022 10:03:29 +0200
Message-Id: <20220823080036.696134505@linuxfoundation.org>
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>

From: Mikulas Patocka

commit 1fbeea217d8f297fe0e0956a1516d14ba97d0396 upstream.

There is this warning when using a kernel with the address sanitizer and running this testsuite:
https://gitlab.com/cki-project/kernel-tests/-/tree/main/storage/swraid/scsi_raid

==================================================================
BUG: KASAN: slab-out-of-bounds in raid_status+0x1747/0x2820 [dm_raid]
Read of size 4 at addr ffff888079d2c7e8 by task lvcreate/13319

CPU: 0 PID: 13319 Comm: lvcreate Not tainted 5.18.0-0.rc3. #1
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
Call Trace:
 dump_stack_lvl+0x6a/0x9c
 print_address_description.constprop.0+0x1f/0x1e0
 print_report.cold+0x55/0x244
 kasan_report+0xc9/0x100
 raid_status+0x1747/0x2820 [dm_raid]
 dm_ima_measure_on_table_load+0x4b8/0xca0 [dm_mod]
 table_load+0x35c/0x630 [dm_mod]
 ctl_ioctl+0x411/0x630 [dm_mod]
 dm_ctl_ioctl+0xa/0x10 [dm_mod]
 __x64_sys_ioctl+0x12a/0x1a0
 do_syscall_64+0x5b/0x80

The warning is caused by reading conf->max_nr_stripes in raid_status. The code in raid_status reads mddev->private, casts it to struct r5conf and reads the entry max_nr_stripes.

However, if we have different raid type than 4/5/6, mddev->private doesn't point to struct r5conf; it may point to struct r0conf, struct r1conf, struct r10conf or struct mpconf. If we cast a pointer to one of these structs to struct r5conf, we will be reading invalid memory and KASAN warns about it.

Fix this bug by reading struct r5conf only if raid type is 4, 5 or 6.

Cc: stable@vger.kernel.org
Signed-off-by: Mikulas Patocka
Signed-off-by: Mike Snitzer
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
--- drivers/md/dm-raid.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/md/dm-raid.c +++ b/drivers/md/dm-raid.c
@@ -3173,7 +3173,7 @@ static void raid_status(struct dm_target { struct raid_set *rs =3D ti->private; struct mddev *mddev =3D &rs->md; - struct r5conf *conf =3D mddev->private; + struct r5conf *conf =3D rs_is_raid456(rs) ? mddev->private : NULL; int i, max_nr_stripes =3D conf ? conf->max_nr_stripes : 0; bool array_in_sync; unsigned int raid_param_cnt =3D 1; /* at least 1 for chunksize */
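Review bot: with the changed initializer, conf is NULL for every set that is not raid4/5/6, and the only guarded use visible in this hunk is the max_nr_stripes initializer on the following line; check the rest of raid_status() for any other conf-> access and guard it the same way. A one-line comment at the declaration saying that mddev->private is a struct r5conf only for raid4/5/6 would keep the unchecked cast from coming back.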
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Zhenpeng Lin, Thadeu Lima de Souza Cascardo, Kamal Mostafa, Jamal Hadi Salim, Jakub Kicinski
Subject: [PATCH 4.9 057/101] net_sched: cls_route: remove from list when handle is 0
Date: Tue, 23 Aug 2022 10:03:30 +0200
Message-Id: <20220823080036.741699554@linuxfoundation.org>
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>

From: Thadeu Lima de Souza Cascardo

commit 9ad36309e2719a884f946678e0296be10f0bb4c1 upstream.

When a route filter is replaced and the old filter has a 0 handle, the old one won't be removed from the hashtable, while it will still be freed.

The test was there since before commit 1109c00547fc ("net: sched: RCU cls_route"), when a new filter was not allocated when there was an old one. The old filter was reused and the reinserting would only be necessary if an old filter was replaced. That was still wrong for the same case where the old handle was 0.

Remove the old filter from the list independently from its handle value.

This fixes CVE-2022-2588, also reported as ZDI-CAN-17440.

Reported-by: Zhenpeng Lin
Signed-off-by: Thadeu Lima de Souza Cascardo
Reviewed-by: Kamal Mostafa
Cc:
Acked-by: Jamal Hadi Salim
Link: https://lore.kernel.org/r/20220809170518.164662-1-cascardo@canonical.com
Signed-off-by: Jakub Kicinski
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
--- net/sched/cls_route.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/sched/cls_route.c +++ b/net/sched/cls_route.c
@@ -534,7 +534,7 @@ static int route4_change(struct net *net rcu_assign_pointer(f->next, f1); rcu_assign_pointer(*fp, f); =20 - if (fold && fold->handle && f->handle !=3D fold->handle) { + if (fold) { th =3D to_hash(fold->handle); h =3D from_hash(fold->handle >> 16); b =3D rtnl_dereference(head->table[th]);
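Review bot: dropping the f->handle != fold->handle term from the condition means the unlink path now also runs when the new filter f, linked just above with rcu_assign_pointer(*fp, f), lands in the same bucket as fold; the walk that starts from rtnl_dereference(head->table[th]) is not part of this hunk, so confirm it matches entries against fold by pointer and not by handle, otherwise it can unlink f instead. A short comment at "if (fold)" recording that 0 is a valid old handle, and that the old filter is freed afterwards regardless, would document why the test was removed.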
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Qu Wenruo, David Sterba
Subject: [PATCH 4.9 058/101] btrfs: reject log replay if there is unsupported RO compat flag
Date: Tue, 23 Aug 2022 10:03:31 +0200
Message-Id: <20220823080036.782860749@linuxfoundation.org>
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>

From: Qu Wenruo

commit dc4d31684974d140250f3ee612c3f0cab13b3146 upstream.

[BUG]
If we have a btrfs image with dirty log, along with an unsupported RO compatible flag:

log_root 30474240
...
compat_flags 0x0
compat_ro_flags 0x40000003
 ( FREE_SPACE_TREE |
 FREE_SPACE_TREE_VALID |
 unknown flag: 0x40000000 )

Then even if we can only mount it RO, we will still cause metadata update for log replay:

 BTRFS info (device dm-1): flagging fs with big metadata feature
 BTRFS info (device dm-1): using free space tree
 BTRFS info (device dm-1): has skinny extents
 BTRFS info (device dm-1): start tree-log replay

This is definitely against RO compat flag requirement.

[CAUSE]
RO compat flag only forces us to do RO mount, but we will still do log replay for plain RO mount.

Thus this will result us to do log replay and update metadata.

This can be very problematic for new RO compat flag, for example older kernel can not understand v2 cache, and if we allow metadata update on RO mount and invalidate/corrupt v2 cache.

[FIX]
Just reject the mount unless rescue=nologreplay is provided:

 BTRFS error (device dm-1): cannot replay dirty log with unsupport optional features (0x40000000), try rescue=nologreplay instead

We don't want to set rescue=nologreplay directly, as this would make the end user to read the old data, and cause confusion.

Since the such case is really rare, we're mostly fine to just reject the mount with an error message, which also includes the proper workaround.

CC: stable@vger.kernel.org #4.9+
Signed-off-by: Qu Wenruo
Reviewed-by: David Sterba
Signed-off-by: David Sterba
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
--- fs/btrfs/disk-io.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) --- a/fs/btrfs/disk-io.c +++ b/fs/btrfs/disk-io.c
@@ -2774,6 +2774,20 @@ int open_ctree(struct super_block *sb, err =3D -EINVAL; goto fail_alloc; } + /* + * We have unsupported RO compat features, although RO mounted, we + * should not cause any metadata write, including log replay. + * Or we could screw up whatever the new feature requires. + */ + if (unlikely(features && btrfs_super_log_root(disk_super) && + !btrfs_test_opt(fs_info, NOLOGREPLAY))) { + btrfs_err(fs_info, +"cannot replay dirty log with unsupported compat_ro features (0x%llx), try= rescue=3Dnologreplay", + features); + err =3D -EINVAL; + goto fail_alloc; + } + =20 max_active =3D fs_info->thread_pool_size;
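Review bot: the btrfs_err() hint tells the user to mount with rescue=nologreplay, while the test two lines above it keys on NOLOGREPLAY; for this 4.9 backport, check that the mount-option parser in this tree accepts the rescue= spelling, and if it only knows plain nologreplay, change the string so the message does not send users to an option this kernel rejects. The hunk also adds an empty line directly in front of the existing blank line before max_active, which can be dropped.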
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Eric Dumazet, Soheil Hassas Yeganeh, Shakeel Butt, Wei Wang, "David S. Miller"
Subject: [PATCH 4.9 059/101] tcp: fix over estimation in sk_forced_mem_schedule()
Date: Tue, 23 Aug 2022 10:03:32 +0200
Message-Id: <20220823080036.832741502@linuxfoundation.org>
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>

From: Eric Dumazet

commit c4ee118561a0f74442439b7b5b486db1ac1ddfeb upstream.

sk_forced_mem_schedule() has a bug similar to ones fixed in commit 7c80b038d23e ("net: fix sk_wmem_schedule() and sk_rmem_schedule() errors")

While this bug has little chance to trigger in old kernels, we need to fix it before the following patch.

Fixes: d83769a580f1 ("tcp: fix possible deadlock in tcp_send_fin()")
Signed-off-by: Eric Dumazet
Acked-by: Soheil Hassas Yeganeh
Reviewed-by: Shakeel Butt
Reviewed-by: Wei Wang
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
--- net/ipv4/tcp_output.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c
@@ -2986,11 +2986,12 @@ begin_fwd: */ void sk_forced_mem_schedule(struct sock *sk, int size) { - int amt; + int delta, amt; =20 - if (size <=3D sk->sk_forward_alloc) + delta =3D size - sk->sk_forward_alloc; + if (delta <=3D 0) return; - amt =3D sk_mem_pages(size); + amt =3D sk_mem_pages(delta); sk->sk_forward_alloc +=3D amt * SK_MEM_QUANTUM; sk_memory_allocated_add(sk, amt);
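Review bot: delta is computed as size - sk->sk_forward_alloc in plain int arithmetic before the delta <= 0 test, and nothing in the hunk bounds either operand, so a negative sk_forward_alloc together with a large size would wrap instead of taking the early return; say in the function's comment why that cannot happen here, or guard it. The comment block that ends just above the function should also state that only the shortfall beyond sk_forward_alloc is charged, since sk_mem_pages(delta) replacing sk_mem_pages(size) is the whole change.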
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Douglas Gilbert, Tony Battersby, "Martin K. Petersen"
Subject: [PATCH 4.9 060/101] scsi: sg: Allow waiting for commands to complete on removed device
Date: Tue, 23 Aug 2022 10:03:33 +0200
Message-Id: <20220823080036.885931244@linuxfoundation.org>
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>

From: Tony Battersby

commit 3455607fd7be10b449f5135c00dc306b85dc0d21 upstream.

When a SCSI device is removed while in active use, currently sg will immediately return -ENODEV on any attempt to wait for active commands that were sent before the removal. This is problematic for commands that use SG_FLAG_DIRECT_IO since the data buffer may still be in use by the kernel when userspace frees or reuses it after getting ENODEV, leading to corrupted userspace memory (in the case of READ-type commands) or corrupted data being sent to the device (in the case of WRITE-type commands). This has been seen in practice when logging out of a iscsi_tcp session, where the iSCSI driver may still be processing commands after the device has been marked for removal.

Change the policy to allow userspace to wait for active sg commands even when the device is being removed. Return -ENODEV only when there are no more responses to read.

Link: https://lore.kernel.org/r/5ebea46f-fe83-2d0b-233d-d0dcb362dd0a@cybernetics.com
Cc:
Acked-by: Douglas Gilbert
Signed-off-by: Tony Battersby
Signed-off-by: Martin K. Petersen
Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- drivers/scsi/sg.c | 57 ++++++++++++++++++++++++++++++++-----------------= ----- 1 file changed, 34 insertions(+), 23 deletions(-) --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -196,7 +196,7 @@ static void sg_link_reserve(Sg_fd * sfp, static void sg_unlink_reserve(Sg_fd * sfp, Sg_request * srp); static Sg_fd *sg_add_sfp(Sg_device * sdp); static void sg_remove_sfp(struct kref *); -static Sg_request *sg_get_rq_mark(Sg_fd * sfp, int pack_id); +static Sg_request *sg_get_rq_mark(Sg_fd * sfp, int pack_id, bool *busy); static Sg_request *sg_add_request(Sg_fd * sfp); static int sg_remove_request(Sg_fd * sfp, Sg_request * srp); static Sg_device *sg_get_dev(int dev); @@ -418,6 +418,7 @@ sg_read(struct file *filp, char __user * Sg_fd *sfp; Sg_request *srp; int req_pack_id =3D -1; + bool busy; sg_io_hdr_t *hp; struct sg_header *old_hdr =3D NULL; int retval =3D 0; @@ -465,25 +466,19 @@ sg_read(struct file *filp, char __user * } else req_pack_id =3D old_hdr->pack_id; } - srp =3D sg_get_rq_mark(sfp, req_pack_id); + srp =3D sg_get_rq_mark(sfp, req_pack_id, &busy); if (!srp) { /* now wait on packet to arrive */ - if (atomic_read(&sdp->detaching)) { - retval =3D -ENODEV; - goto free_old_hdr; - } if (filp->f_flags & O_NONBLOCK) { retval =3D -EAGAIN; goto free_old_hdr; } retval =3D wait_event_interruptible(sfp->read_wait, - (atomic_read(&sdp->detaching) || - (srp =3D sg_get_rq_mark(sfp, req_pack_id)))); - if (atomic_read(&sdp->detaching)) { - retval =3D -ENODEV; - goto free_old_hdr; - } - if (retval) { - /* -ERESTARTSYS as signal hit process */ + ((srp =3D sg_get_rq_mark(sfp, req_pack_id, &busy)) || + (!busy && atomic_read(&sdp->detaching)))); + if (!srp) { + /* signal or detaching */ + if (!retval) + retval =3D -ENODEV; goto free_old_hdr; } } 
@@ -936,9 +931,7 @@ sg_ioctl(struct file *filp, unsigned int if (result < 0) return result; result =3D wait_event_interruptible(sfp->read_wait, - (srp_done(sfp, srp) || atomic_read(&sdp->detaching))); - if (atomic_read(&sdp->detaching)) - return -ENODEV; + srp_done(sfp, srp)); write_lock_irq(&sfp->rq_list_lock); if (srp->done) { srp->done =3D 2; @@ -2095,19 +2088,28 @@ sg_unlink_reserve(Sg_fd * sfp, Sg_reques } =20 static Sg_request * -sg_get_rq_mark(Sg_fd * sfp, int pack_id) +sg_get_rq_mark(Sg_fd * sfp, int pack_id, bool *busy) { Sg_request *resp; unsigned long iflags; =20 + *busy =3D false; write_lock_irqsave(&sfp->rq_list_lock, iflags); list_for_each_entry(resp, &sfp->rq_list, entry) { - /* look for requests that are ready + not SG_IO owned */ - if ((1 =3D=3D resp->done) && (!resp->sg_io_owned) && + /* look for requests that are not SG_IO owned */ + if ((!resp->sg_io_owned) && ((-1 =3D=3D pack_id) || (resp->header.pack_id =3D=3D pack_id))) { - resp->done =3D 2; /* guard against other readers */ - write_unlock_irqrestore(&sfp->rq_list_lock, iflags); - return resp; + switch (resp->done) { + case 0: /* request active */ + *busy =3D true; + break; + case 1: /* request done; response ready to return */ + resp->done =3D 2; /* guard against other readers */ + write_unlock_irqrestore(&sfp->rq_list_lock, iflags); + return resp; + case 2: /* response already being returned */ + break; + } } } write_unlock_irqrestore(&sfp->rq_list_lock, iflags); 
@@ -2161,6 +2163,15 @@ sg_remove_request(Sg_fd * sfp, Sg_reques res =3D 1; } write_unlock_irqrestore(&sfp->rq_list_lock, iflags); + + /* + * If the device is detaching, wakeup any readers in case we just + * removed the last response, which would leave nothing for them to + * return other than -ENODEV. + */ + if (unlikely(atomic_read(&sfp->parentdp->detaching))) + wake_up_interruptible_all(&sfp->read_wait); + return res; }
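Review bot: in the sg_read() hunk the detaching check that used to sit in front of the O_NONBLOCK test is removed, so a non-blocking reader on a detached device with nothing outstanding now gets -EAGAIN on every call and never sees -ENODEV, which does not match the commit message's "Return -ENODEV only when there are no more responses to read". The first sg_get_rq_mark() call already fills busy; use it before the O_NONBLOCK branch, returning -ENODEV when !busy and sdp->detaching is set, and only then fall back to -EAGAIN.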
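Review bot: in the sg_ioctl() hunk the wait condition is reduced to srp_done(sfp, srp) with no detaching term, so this wait now ends only on completion or on a signal; that is safe only if every request still in flight at removal time is guaranteed to be completed. Add a comment at the wait stating that guarantee and where it comes from, so the removed -ENODEV exit is not read as an oversight later.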
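Review bot: in the sg_get_rq_mark() hunk the new switch on resp->done handles the bare values 0, 1 and 2 and has no default, so any other state is silently treated as not busy; give the three states names that match the comments ("request active", "request done; response ready to return", "response already being returned") and add a default that at least warns. The function now writes *busy on every call, so a short comment above it should say that busy is an output parameter and is only meaningful when NULL is returned.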
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Ronald Wahl, Jose Alonso, "David S. Miller"
Subject: [PATCH 4.9 061/101] Revert "net: usb: ax88179_178a needs FLAG_SEND_ZLP"
Date: Tue, 23 Aug 2022 10:03:34 +0200
Message-Id: <20220823080036.917269178@linuxfoundation.org>
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>

From: Jose Alonso

commit 6fd2c17fb6e02a8c0ab51df1cfec82ce96b8e83d upstream.

This reverts commit 36a15e1cb134c0395261ba1940762703f778438c.

The usage of FLAG_SEND_ZLP causes problems to other firmware/hardware versions that have no issues.

The FLAG_SEND_ZLP is not safe to use in this context.
See: https://patchwork.ozlabs.org/project/netdev/patch/1270599787.8900.8.camel@Linuxdev4-laptop/#118378
The original problem needs another way to solve.

Fixes: 36a15e1cb134 ("net: usb: ax88179_178a needs FLAG_SEND_ZLP")
Cc: stable@vger.kernel.org
Reported-by: Ronald Wahl
Link: https://bugzilla.kernel.org/show_bug.cgi?id=216327
Link: https://bugs.archlinux.org/task/75491
Signed-off-by: Jose Alonso
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
--- drivers/net/usb/ax88179_178a.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) --- a/drivers/net/usb/ax88179_178a.c +++ b/drivers/net/usb/ax88179_178a.c
@@ -1703,7 +1703,7 @@ static const struct driver_info ax88179_ .link_reset =3D ax88179_link_reset, .reset =3D ax88179_reset, .stop =3D ax88179_stop, - .flags =3D FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP, + .flags =3D FLAG_ETHER | FLAG_FRAMING_AX, .rx_fixup =3D ax88179_rx_fixup, .tx_fixup =3D ax88179_tx_fixup, }; @@ -1716,7 +1716,7 @@ static const struct driver_info ax88178a .link_reset =3D ax88179_link_reset, .reset =3D ax88179_reset, .stop =3D ax88179_stop, - .flags =3D FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP, + .flags =3D FLAG_ETHER | FLAG_FRAMING_AX, .rx_fixup =3D ax88179_rx_fixup, .tx_fixup =3D ax88179_tx_fixup, }; @@ -1729,7 +1729,7 @@ static const struct driver_info cypress_ .link_reset =3D ax88179_link_reset, .reset =3D ax88179_reset, .stop =3D ax88179_stop, - .flags =3D FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP, + .flags =3D FLAG_ETHER | FLAG_FRAMING_AX, .rx_fixup =3D ax88179_rx_fixup, .tx_fixup =3D ax88179_tx_fixup, }; @@ -1742,7 +1742,7 @@ static const struct driver_info dlink_du .link_reset =3D ax88179_link_reset, .reset =3D ax88179_reset, .stop =3D ax88179_stop, - .flags =3D FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP, + .flags =3D FLAG_ETHER | FLAG_FRAMING_AX, .rx_fixup =3D ax88179_rx_fixup, .tx_fixup =3D ax88179_tx_fixup, }; @@ -1755,7 +1755,7 @@ static const struct driver_info sitecom_ .link_reset =3D ax88179_link_reset, .reset =3D ax88179_reset, .stop =3D ax88179_stop, - .flags =3D FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP, + .flags =3D FLAG_ETHER | FLAG_FRAMING_AX, .rx_fixup =3D ax88179_rx_fixup, .tx_fixup =3D ax88179_tx_fixup, }; @@ -1768,7 +1768,7 @@ static const struct driver_info samsung_ .link_reset =3D ax88179_link_reset, .reset =3D ax88179_reset, .stop =3D ax88179_stop, - .flags =3D FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP, + .flags =3D FLAG_ETHER | FLAG_FRAMING_AX, .rx_fixup =3D ax88179_rx_fixup, .tx_fixup =3D ax88179_tx_fixup, }; 
@@ -1781,7 +1781,7 @@ static const struct driver_info lenovo_i .link_reset =3D ax88179_link_reset, .reset =3D ax88179_reset, .stop =3D ax88179_stop, - .flags =3D FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP, + .flags =3D FLAG_ETHER | FLAG_FRAMING_AX, .rx_fixup =3D ax88179_rx_fixup, .tx_fixup =3D ax88179_tx_fixup, };
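Review bot: the same .flags line is edited in all seven driver_info tables and none of them gains a comment, so nothing in the source records that FLAG_SEND_ZLP was tried here and backed out; since the commit message says the original problem still needs another fix, add a short comment next to the flags (or factor the shared value into one macro and put the comment there) so the flag is not reintroduced the same way. The message should also name which firmware/hardware versions regressed, otherwise the revert cannot be re-evaluated later.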
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Dan Carpenter, Luiz Augusto von Dentz
Subject: [PATCH 4.9 062/101] Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm regression
Date: Tue, 23 Aug 2022 10:03:35 +0200
Message-Id: <20220823080036.947499547@linuxfoundation.org>
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>

From: Luiz Augusto von Dentz

commit 332f1795ca202489c665a75e62e18ff6284de077 upstream.

The patch d0be8347c623: "Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put" from Jul 21, 2022, leads to the following Smatch static checker warning:

net/bluetooth/l2cap_core.c:1977 l2cap_global_chan_by_psm() error: we previously assumed 'c' could be null (see line 1996)

Fixes: d0be8347c623 ("Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put")
Reported-by: Dan Carpenter
Signed-off-by: Luiz Augusto von Dentz
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
---
net/bluetooth/l2cap_core.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)

--- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -1804,11 +1804,11 @@ static struct l2cap_chan *l2cap_global_c bdaddr_t *dst, u8 link_type) { - struct l2cap_chan *c, *c1 =3D NULL; + struct l2cap_chan *c, *tmp, *c1 =3D NULL; =20 read_lock(&chan_list_lock); =20 - list_for_each_entry(c, &chan_list, global_l) { + list_for_each_entry_safe(c, tmp, &chan_list, global_l) { if (state && c->state !=3D state) continue; =20
@@ -1827,11 +1827,10 @@ static struct l2cap_chan *l2cap_global_c dst_match =3D !bacmp(&c->dst, dst); if (src_match && dst_match) { c =3D l2cap_chan_hold_unless_zero(c); - if (!c) - continue; - - read_unlock(&chan_list_lock); - return c; + if (c) { + read_unlock(&chan_list_lock); + return c; + } } =20 /* Closest match */
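Review bot: in the exact-match branch of l2cap_global_chan_by_psm(), `c = l2cap_chan_hold_unless_zero(c);` still overwrites the loop cursor, and with the `continue` removed a failed hold now falls through to the code under `/* Closest match */` with c set to NULL. list_for_each_entry_safe() only protects the loop advance through tmp; anything in the rest of the loop body that reads c has to be skipped in that case. Testing the return value without assigning it, `if (l2cap_chan_hold_unless_zero(c)) { read_unlock(&chan_list_lock); return c; }`, keeps c valid for the remainder of the iteration.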
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Laura Abbott, Kees Cook, Daniel Micay, Guenter Roeck
Subject: [PATCH 4.9 063/101] nios2: time: Read timer in get_cycles only if initialized
Date: Tue, 23 Aug 2022 10:03:36 +0200
Message-Id: <20220823080036.986294626@linuxfoundation.org>
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>

From: Guenter Roeck

commit 65d1e3ddeae117f6a224535e10a09145f0f96508 upstream.

Mainline crashes as follows when running nios2 images.

On node 0 totalpages: 65536
free_area_init_node: node 0, pgdat c8408fa0, node_mem_map c8726000
Normal zone: 512 pages used for memmap
Normal zone: 0 pages reserved
Normal zone: 65536 pages, LIFO batch:15
Unable to handle kernel NULL pointer dereference at virtual address 00000000
ea = c8003cb0, ra = c81cbf40, cause = 15
Kernel panic - not syncing: Oops

Problem is seen because get_cycles() is called before the timer it depends on is initialized. Returning 0 in that situation fixes the problem.

Fixes: 33d72f3822d7 ("init/main.c: extract early boot entropy from the ..")
Cc: Laura Abbott
Cc: Kees Cook
Cc: Daniel Micay
Signed-off-by: Guenter Roeck
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
---
arch/nios2/kernel/time.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

--- a/arch/nios2/kernel/time.c +++ b/arch/nios2/kernel/time.c
@@ -107,7 +107,10 @@ static struct nios2_clocksource nios2_cs =20 cycles_t get_cycles(void) { - return nios2_timer_read(&nios2_cs.cs); + /* Only read timer if it has been initialized */ + if (nios2_cs.timer.base) + return nios2_timer_read(&nios2_cs.cs); + return 0; } EXPORT_SYMBOL(get_cycles);
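Review bot: the new comment in get_cycles() says when the timer is read but not what callers get before that. State that 0 is returned until nios2_cs.timer.base is set, so code that consumes get_cycles() early in boot knows the value is a constant and not a counter. The check also depends on nios2_cs.timer.base being zero before initialization, which is worth saying in the same comment.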
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Tyler Hicks, Christian Schoenebeck, Dominique Martinet
Subject: [PATCH 4.9 064/101] net/9p: Initialize the iounit field during fid creation
Date: Tue, 23 Aug 2022 10:03:37 +0200
Message-Id: <20220823080037.026540537@linuxfoundation.org>
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>

From: Tyler Hicks

commit aa7aeee169480e98cf41d83c01290a37e569be6d upstream.

Ensure that the fid's iounit field is set to zero when a new fid is created. Certain 9P operations, such as OPEN and CREATE, allow the server to reply with an iounit size which the client code assigns to the p9_fid struct shortly after the fid is created by p9_fid_create().

On the other hand, an XATTRWALK operation doesn't allow for the server to specify an iounit value. The iounit field of the newly allocated p9_fid struct remained uninitialized in that case. Depending on allocation patterns, the iounit value could have been something reasonable that was carried over from previously freed fids or, in the worst case, could have been arbitrary values from non-fid related usages of the memory location.

The bug was detected in the Windows Subsystem for Linux 2 (WSL2) kernel after the uninitialized iounit field resulted in the typical sequence of two getxattr(2) syscalls, one to get the size of an xattr and another after allocating a sufficiently sized buffer to fit the xattr value, to hit an unexpected ERANGE error in the second call to getxattr(2). An uninitialized iounit field would sometimes force rsize to be smaller than the xattr value size in p9_client_read_once() and the 9P server in WSL refused to chunk up the READ on the attr_fid and, instead, returned ERANGE to the client. The virtfs server in QEMU seems happy to chunk up the READ and this problem goes undetected there.

Link: https://lkml.kernel.org/r/20220710141402.803295-1-tyhicks@linux.microsoft.com
Fixes: ebf46264a004 ("fs/9p: Add support user. xattr")
Cc: stable@vger.kernel.org
Signed-off-by: Tyler Hicks
Reviewed-by: Christian Schoenebeck
Signed-off-by: Dominique Martinet
[tyhicks: Adjusted context due to:
 - Lack of fid refcounting introduced in v5.11 commit 6636b6dcc3db ("9p: add refcount to p9_fid struct")
 - Difference in how buffer sizes are specified v5.16 commit 6e195b0f7c8e ("9p: fix a bunch of checkpatch warnings")
 - Reimplementation of the fidlist as an IDR in v4.19 commit f28cdf0430fc ("9p: Replace the fidlist with an IDR")]
Signed-off-by: Tyler Hicks
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
---
net/9p/client.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)

--- a/net/9p/client.c +++ b/net/9p/client.c @@ -891,7 +891,7 @@ static struct p9_fid *p9_fid_create(stru unsigned long flags; =20 p9_debug(P9_DEBUG_FID, "clnt %p\n", clnt); - fid =3D kmalloc(sizeof(struct p9_fid), GFP_KERNEL); + fid =3D kzalloc(sizeof(struct p9_fid), GFP_KERNEL); if (!fid) return ERR_PTR(-ENOMEM); =20
@@ -902,11 +902,9 @@ static struct p9_fid *p9_fid_create(stru } fid->fid =3D ret; =20 - memset(&fid->qid, 0, sizeof(struct p9_qid)); fid->mode =3D -1; fid->uid =3D current_fsuid(); fid->clnt =3D clnt; - fid->rdir =3D NULL; spin_lock_irqsave(&clnt->lock, flags); list_add(&fid->flist, &clnt->fidlist); spin_unlock_irqrestore(&clnt->lock, flags);
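Review bot: in p9_fid_create(), the switch from kmalloc() to kzalloc() is the whole fix, yet nothing at the allocation site mentions iounit. A later change back to a non-zeroing allocator would reintroduce the stale field silently. Add a one-line comment at the kzalloc() call saying that fields such as iounit rely on zero-initialization, or set `fid->iounit = 0;` explicitly next to `fid->mode = -1;`. Dropping the memset() of fid->qid and the `fid->rdir = NULL;` assignment in the second hunk is consistent with the zeroing allocation.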
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jamal Hadi Salim, Stephen Hemminger, "David S. Miller"
Subject: [PATCH 4.9 065/101] net_sched: cls_route: disallow handle of 0
Date: Tue, 23 Aug 2022 10:03:38 +0200
Message-Id: <20220823080037.066078661@linuxfoundation.org>
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>

From: Jamal Hadi Salim

commit 02799571714dc5dd6948824b9d080b44a295f695 upstream.

Follows up on:
https://lore.kernel.org/all/20220809170518.164662-1-cascardo@canonical.com/

handle of 0 implies from/to of universe realm which is not very sensible.

Lets see what this patch will do:
$sudo tc qdisc add dev $DEV root handle 1:0 prio

//lets manufacture a way to insert handle of 0
$sudo tc filter add dev $DEV parent 1:0 protocol ip prio 100 \
route to 0 from 0 classid 1:10 action ok

//gets rejected...
Error: handle of 0 is not valid.
We have an error talking to the kernel, -1

//lets create a legit entry..
sudo tc filter add dev $DEV parent 1:0 protocol ip prio 100 route from 10 \
classid 1:10 action ok

//what did the kernel insert?
$sudo tc filter ls dev $DEV parent 1:0
filter protocol ip pref 100 route chain 0
filter protocol ip pref 100 route chain 0 fh 0x000a8000 flowid 1:10 from 10
 action order 1: gact action pass
 random type none pass val 0
 index 1 ref 1 bind 1

//Lets try to replace that legit entry with a handle of 0
$ sudo tc filter replace dev $DEV parent 1:0 protocol ip prio 100 \
handle 0x000a8000 route to 0 from 0 classid 1:10 action drop

Error: Replacing with handle of 0 is invalid.
We have an error talking to the kernel, -1

And last, lets run Cascardo's POC:
$ ./poc
0
0
-22
-22
-22

Signed-off-by: Jamal Hadi Salim
Acked-by: Stephen Hemminger
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
---
net/sched/cls_route.c | 6 ++++++
1 file changed, 6 insertions(+)

--- a/net/sched/cls_route.c +++ b/net/sched/cls_route.c @@ -427,6 +427,9 @@ static int route4_set_parms(struct net * goto errout; } =20 + if (!nhandle) + return -EINVAL; + h1 =3D to_hash(nhandle); b =3D rtnl_dereference(head->table[h1]); if (!b) {
@@ -486,6 +489,9 @@ static int route4_change(struct net *net int err; bool new =3D true; =20 + if (!handle) + return -EINVAL; + if (opt =3D=3D NULL) return handle ? -EINVAL : 0;
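Review bot: in route4_set_parms(), the new `if (!nhandle) return -EINVAL;` returns directly, while the check just above it in the same hunk leaves through `goto errout`. If errout releases anything acquired earlier in the function, this path skips it; setting err to -EINVAL and jumping to errout keeps a single exit path, or a comment should say why a direct return is safe at this point.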
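Review bot: in route4_change(), placing `if (!handle) return -EINVAL;` ahead of `if (opt == NULL) return handle ? -EINVAL : 0;` makes the `: 0` arm unreachable, because handle is known to be non-zero by then. Reduce the second statement to `if (opt == NULL) return -EINVAL;` so the code states what it does, and note in the changelog that a request with no options and a handle of 0, which returned 0 before, now fails with -EINVAL.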
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Amadeusz Sławiński, Takashi Iwai
Subject: [PATCH 4.9 066/101] ALSA: info: Fix llseek return value when using callback
Date: Tue, 23 Aug 2022 10:03:39 +0200
Message-Id: <20220823080037.095268727@linuxfoundation.org>
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>

From: Amadeusz Sławiński

commit 9be080edcca330be4af06b19916c35227891e8bc upstream.

When using callback there was a flow of

	ret = -EINVAL
	if (callback) {
		offset = callback();
		goto out;
	}
	...
	offset = some other value in case of no callback;
	ret = offset;
out:
	return ret;

which causes the snd_info_entry_llseek() to return -EINVAL when there is callback handler. Fix this by setting "ret" directly to callback return value before jumping to "out".

Fixes: 73029e0ff18d ("ALSA: info - Implement common llseek for binary mode")
Signed-off-by: Amadeusz Sławiński
Cc:
Link: https://lore.kernel.org/r/20220817124924.3974577-1-amadeuszx.slawinski@linux.intel.com
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
---
sound/core/info.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

--- a/sound/core/info.c +++ b/sound/core/info.c
@@ -127,9 +127,9 @@ static loff_t snd_info_entry_llseek(stru entry =3D data->entry; mutex_lock(&entry->access); if (entry->c.ops->llseek) { - offset =3D entry->c.ops->llseek(entry, - data->file_private_data, - file, offset, orig); + ret =3D entry->c.ops->llseek(entry, + data->file_private_data, + file, offset, orig); goto out; } =20
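Review bot: in snd_info_entry_llseek(), the callback result is now stored in ret and returned through `out:`, so ret must be able to hold a full file offset. The function returns loff_t, but the declaration of ret is outside this hunk; confirm it is loff_t and not int, otherwise a large offset returned by the llseek callback is truncated on the way out.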
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Mikulas Patocka, "David S. Miller"
Subject: [PATCH 4.9 067/101] rds: add missing barrier to release_refill
Date: Tue, 23 Aug 2022 10:03:40 +0200
Message-Id: <20220823080037.128726077@linuxfoundation.org>
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>

From: Mikulas Patocka

commit 9f414eb409daf4f778f011cf8266d36896bb930b upstream.

The functions clear_bit and set_bit do not imply a memory barrier, thus it may be possible that the waitqueue_active function (which does not take any locks) is moved before clear_bit and it could miss a wakeup event.

Fix this bug by adding a memory barrier after clear_bit.

Signed-off-by: Mikulas Patocka
Cc: stable@vger.kernel.org
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
---
net/rds/ib_recv.c | 1 +
1 file changed, 1 insertion(+)

--- a/net/rds/ib_recv.c +++ b/net/rds/ib_recv.c
@@ -356,6 +356,7 @@ static int acquire_refill(struct rds_con static void release_refill(struct rds_connection *conn) { clear_bit(RDS_RECV_REFILL, &conn->c_flags); + smp_mb__after_atomic(); =20 /* We don't use wait_on_bit()/wake_up_bit() because our waking is in a * hot path and finding waiters is very rare. We don't want to walk
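Review bot: the smp_mb__after_atomic() added to release_refill() carries no comment. A barrier should say what it orders and what it pairs with; here that is the clear_bit() on RDS_RECV_REFILL against the lockless waiter check that the changelog describes. A line such as `/* order clear_bit() before the lockless waitqueue_active() check */` on the barrier would keep a later cleanup from removing it as redundant.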
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Damien Le Moal, Hannes Reinecke
Subject: [PATCH 4.9 068/101] ata: libata-eh: Add missing command name
Date: Tue, 23 Aug 2022 10:03:41 +0200
Message-Id: <20220823080037.158674349@linuxfoundation.org>
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>

From: Damien Le Moal

commit d3122bf9aa4c974f5e2c0112f799757b3a2779da upstream.

Add the missing command name for ATA_CMD_NCQ_NON_DATA to ata_get_cmd_name().

Fixes: 661ce1f0c4a6 ("libata/libsas: Define ATA_CMD_NCQ_NON_DATA")
Cc: stable@vger.kernel.org
Signed-off-by: Damien Le Moal
Reviewed-by: Hannes Reinecke
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
---
drivers/ata/libata-eh.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/ata/libata-eh.c +++ b/drivers/ata/libata-eh.c
@@ -2439,6 +2439,7 @@ const char *ata_get_cmd_descript(u8 comm { ATA_CMD_WRITE_QUEUED_FUA_EXT, "WRITE DMA QUEUED FUA EXT" }, { ATA_CMD_FPDMA_READ, "READ FPDMA QUEUED" }, { ATA_CMD_FPDMA_WRITE, "WRITE FPDMA QUEUED" }, + { ATA_CMD_NCQ_NON_DATA, "NCQ NON-DATA" }, { ATA_CMD_FPDMA_SEND, "SEND FPDMA QUEUED" }, { ATA_CMD_FPDMA_RECV, "RECEIVE FPDMA QUEUED" }, { ATA_CMD_PIO_READ, "READ SECTOR(S)" },
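Review bot: the changelog says the entry is added to ata_get_cmd_name(), but the hunk header shows the table living in ata_get_cmd_descript() in this tree. Adjust the backport's changelog to name the function actually touched, so that a search for the symbol finds this commit. The placement of ATA_CMD_NCQ_NON_DATA between ATA_CMD_FPDMA_WRITE and ATA_CMD_FPDMA_SEND keeps the queued commands grouped.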
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Filipe Manana, David Sterba
Subject: [PATCH 4.9 069/101] btrfs: fix lost error handling when looking up extended ref on log replay
Date: Tue, 23 Aug 2022 10:03:42 +0200
Message-Id: <20220823080037.197439038@linuxfoundation.org>
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>

From: Filipe Manana

commit 7a6b75b79902e47f46328b57733f2604774fa2d9 upstream.

During log replay, when processing inode references, if we get an error when looking up for an extended reference at __add_inode_ref(), we ignore it and proceed, returning success (0) if no other error happens after the lookup. This is obviously wrong because in case an extended reference exists and it encodes some name not in the log, we need to unlink it, otherwise the filesystem state will not match the state it had after the last fsync.

So just make __add_inode_ref() return an error it gets from the extended reference lookup.

Fixes: f186373fef005c ("btrfs: extended inode refs")
CC: stable@vger.kernel.org # 4.9+
Signed-off-by: Filipe Manana
Reviewed-by: David Sterba
Signed-off-by: David Sterba
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
---
fs/btrfs/tree-log.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/btrfs/tree-log.c +++ b/fs/btrfs/tree-log.c
@@ -1074,7 +1074,9 @@ again: extref =3D btrfs_lookup_inode_extref(NULL, root, path, name, namelen, inode_objectid, parent_objectid, 0, 0); - if (!IS_ERR_OR_NULL(extref)) { + if (IS_ERR(extref)) { + return PTR_ERR(extref); + } else if (extref) { u32 item_size; u32 cur_offset =3D 0; unsigned long base;
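Review bot: the new `return PTR_ERR(extref);` sits under the `again:` label in the middle of the function and leaves without touching path, which was just passed to btrfs_lookup_inode_extref(). Confirm that the caller releases path on error, or release it before returning. The `else` after the return is also redundant: `if (IS_ERR(extref)) return PTR_ERR(extref);` followed by a plain `if (extref) {` reads more simply.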
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Gerhard Uttenthaler, Sebastian Haas, Marc Kleine-Budde
Subject: [PATCH 4.9 070/101] can: ems_usb: fix clangs -Wunaligned-access warning
Date: Tue, 23 Aug 2022 10:03:43 +0200
Message-Id: <20220823080037.228850981@linuxfoundation.org>
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>

From: Marc Kleine-Budde

commit a4cb6e62ea4d36e53fb3c0f18ea4503d7b76674f upstream.

clang emits a -Wunaligned-access warning on struct __packed ems_cpc_msg.

The reason is that the anonymous union msg (not declared as packed) is being packed right after some non naturally aligned variables (3*8 bits + 2*32) inside a packed struct:

| struct __packed ems_cpc_msg {
| 	u8 type;	/* type of message */
| 	u8 length;	/* length of data within union 'msg' */
| 	u8 msgid;	/* confirmation handle */
| 	__le32 ts_sec;	/* timestamp in seconds */
| 	__le32 ts_nsec;	/* timestamp in nano seconds */
| 	/* ^ not naturally aligned */
|
| 	union {
| 	/* ^ not declared as packed */
| 		u8 generic[64];
| 		struct cpc_can_msg can_msg;
| 		struct cpc_can_params can_params;
| 		struct cpc_confirm confirmation;
| 		struct cpc_overrun overrun;
| 		struct cpc_can_error error;
| 		struct cpc_can_err_counter err_counter;
| 		u8 can_state;
| 	} msg;
| };

Starting from LLVM 14, having an unpacked struct nested in a packed struct triggers a warning. c.f. [1].

Fix the warning by marking the anonymous union as packed.

[1] https://github.com/llvm/llvm-project/issues/55520

Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface")
Link: https://lore.kernel.org/all/20220802094021.959858-1-mkl@pengutronix.de
Cc: Gerhard Uttenthaler
Cc: Sebastian Haas
Signed-off-by: Marc Kleine-Budde
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
---
drivers/net/can/usb/ems_usb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/can/usb/ems_usb.c +++ b/drivers/net/can/usb/ems_usb.c
@@ -206,7 +206,7 @@ struct __packed ems_cpc_msg { __le32 ts_sec; /* timestamp in seconds */ __le32 ts_nsec; /* timestamp in nano seconds */ =20 - union { + union __packed { u8 generic[64]; struct cpc_can_msg can_msg; struct cpc_can_params can_params; From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id B0C6AC32772 for ; Tue, 23 Aug 2022 08:29:27 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243330AbiHWI3Z (ORCPT ); Tue, 23 Aug 2022 04:29:25 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46468 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S243716AbiHWIZu (ORCPT ); Tue, 23 Aug 2022 04:25:50 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 97E7252831; Tue, 23 Aug 2022 01:13:58 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 42024B81C20; Tue, 23 Aug 2022 08:13:56 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 78C1AC43141; Tue, 23 Aug 2022 08:13:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242435; bh=aWL0Z/O80bkDY1YmKqPRMfINCZANIFsBbAcWpD1QGP0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=nd+x3dzp4FYtDM5VKHpX43id1Y0NBOGSWSXpd5wK4fq178jk0JUwc+8Zcha5z+tLP dDMRCL5UqhLRinhYSNcAhytYUZ8gA5O46USmROYJQTAR9X79Q1Y3BncU89AnGZMznR MD15C0ZBzfaGubUPRRmIzTnDUqqec1pzhc8HKyb0= 
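Review bot: the `union __packed {` line packs only the union itself; the member types visible in the context lines (`struct cpc_can_msg`, `struct cpc_can_params`) are declared outside this hunk, and if any of them is not itself packed or byte-aligned, the same unaligned-access situation remains one level down. Please confirm those declarations, and consider a build-time size check on struct ems_cpc_msg so that the change is demonstrably layout-neutral for the device message format.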
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Zhang Xianwei , Yi Wang , Trond Myklebust Subject: [PATCH 4.9 071/101] NFSv4.1: RECLAIM_COMPLETE must handle EACCES Date: Tue, 23 Aug 2022 10:03:44 +0200 Message-Id: <20220823080037.269266210@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8"

From: Zhang Xianwei

commit e35a5e782f67ed76a65ad0f23a484444a95f000f upstream.

A client should be able to handle getting an EACCES error while doing
a mount operation to reclaim state due to NFS4CLNT_RECLAIM_REBOOT
being set. If the server returns RPC_AUTH_BADCRED because authentication
failed when we execute "exportfs -au", then RECLAIM_COMPLETE will go a
wrong way. After mount succeeds, all OPEN calls will fail due to an
NFS4ERR_GRACE error being returned. This patch is to fix it by resending
an RPC request.

Signed-off-by: Zhang Xianwei
Signed-off-by: Yi Wang
Fixes: aa5190d0ed7d ("NFSv4: Kill nfs4_async_handle_error() abuses by NFSv4.1")
Signed-off-by: Trond Myklebust
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
--- fs/nfs/nfs4proc.c | 3 +++ 1 file changed, 3 insertions(+) --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c 
@@ -8229,6 +8229,9 @@ static int nfs41_reclaim_complete_handle rpc_delay(task, NFS4_POLL_RETRY_MAX); /* fall through */ case -NFS4ERR_RETRY_UNCACHED_REP: + case -EACCES: + dprintk("%s: failed to reclaim complete error %d for server %s, retrying= \n", + __func__, task->tk_status, clp->cl_hostname); return -EAGAIN; case -NFS4ERR_BADSESSION: case -NFS4ERR_DEADSESSION: From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 489F4C32772 for ; Tue, 23 Aug 2022 08:29:46 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243770AbiHWI3o (ORCPT ); Tue, 23 Aug 2022 04:29:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47562 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S243790AbiHWIZ6 (ORCPT ); Tue, 23 Aug 2022 04:25:58 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 87D4172878; Tue, 23 Aug 2022 01:14:02 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id C60B761242; Tue, 23 Aug 2022 08:14:01 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id CD5E6C433D6; Tue, 23 Aug 2022 08:14:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242441; bh=OQlvZM+K22KXk20z/y80Vu43gP5UH4g2hFg4EP4s7Wc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=tTyhsHBKDp9sX+/UYMQV2jNXjYU+NRIwRXGRevcCEFCbORHJlubPs5dblOTHwyf7c eQ8P4V8p8UdxfFp2jBD4P55VjfbK9vzbtQCqVespyfwKx5kZseH60h0IUxIBbnJbpz kpiF9mKeVIZhdPQdq3hVzk3F/NfAy2GErvf5LppI= 
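Review bot: the new `case -EACCES:` returns -EAGAIN with no delay and no retry limit visible in this hunk, whereas the case just above it calls `rpc_delay(task, NFS4_POLL_RETRY_MAX)` before falling through. If the server keeps rejecting the credential instead of failing once, the client would resend RECLAIM_COMPLETE back to back; suggest an rpc_delay() or a bounded retry count on this path. Also, because the dprintk sits below the fall-through, the "failed to reclaim complete" message is printed for the delayed case and for NFS4ERR_RETRY_UNCACHED_REP as well, which may not be intended.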
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Trond Myklebust Subject: [PATCH 4.9 072/101] SUNRPC: Reinitialise the backchannel request buffers before reuse Date: Tue, 23 Aug 2022 10:03:45 +0200 Message-Id: <20220823080037.304300421@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Trond Myklebust commit 6622e3a73112fc336c1c2c582428fb5ef18e456a upstream. When we're reusing the backchannel requests instead of freeing them, then we should reinitialise any values of the send/receive xdr_bufs so that they reflect the available space. Fixes: 0d2a970d0ae5 ("SUNRPC: Fix a backchannel race") Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- net/sunrpc/backchannel_rqst.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) --- a/net/sunrpc/backchannel_rqst.c +++ b/net/sunrpc/backchannel_rqst.c @@ -69,6 +69,17 @@ static void xprt_free_allocation(struct kfree(req); } =20 +static void xprt_bc_reinit_xdr_buf(struct xdr_buf *buf) +{ + buf->head[0].iov_len =3D PAGE_SIZE; + buf->tail[0].iov_len =3D 0; + buf->pages =3D NULL; + buf->page_len =3D 0; + buf->flags =3D 0; + buf->len =3D 0; + buf->buflen =3D PAGE_SIZE; +} + static int xprt_alloc_xdr_buf(struct xdr_buf *buf, gfp_t gfp_flags) { struct page *page; 
@@ -291,6 +302,9 @@ void xprt_free_bc_rqst(struct rpc_rqst * */ spin_lock_bh(&xprt->bc_pa_lock); if (xprt_need_to_requeue(xprt)) { + xprt_bc_reinit_xdr_buf(&req->rq_snd_buf); + xprt_bc_reinit_xdr_buf(&req->rq_rcv_buf); + req->rq_rcv_buf.len =3D PAGE_SIZE; list_add_tail(&req->rq_bc_pa_list, &xprt->bc_pa_list); xprt->bc_alloc_count++; req =3D NULL; From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 76C4AC32772 for ; Tue, 23 Aug 2022 08:29:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243793AbiHWI3z (ORCPT ); Tue, 23 Aug 2022 04:29:55 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46610 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244013AbiHWI0X (ORCPT ); Tue, 23 Aug 2022 04:26:23 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E9F7B72FD1; Tue, 23 Aug 2022 01:14:14 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id C402861242; Tue, 23 Aug 2022 08:14:10 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id C97A6C433C1; Tue, 23 Aug 2022 08:14:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242450; bh=ROwYacelnhogMjbaFhx5Z+LfPE39x335YCVt9z0dvRA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=gmrpIr7gb72Bs9NVmJzZTwsjsU9FmmXQ6alDZug+Ed9QoYr6B3srS0yJ32xa2eq+H Pz+itSMmtHzNdRa4bgeaoXGJe3bWhVBK7Z5y9CfQT+CgCPzLds9dMuuFsYVzeuTpei hMDLM+NeFxHIVNDs9xOoybheYIKSipJAcewhfVig= 
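Review bot: in the xprt_free_bc_rqst() hunk, the assignment of PAGE_SIZE to `req->rq_rcv_buf.len` immediately overrides the zero that xprt_bc_reinit_xdr_buf() has just written to `buf->len`, and nothing says why the receive buffer differs from the send buffer; suggest a comment there or a length argument to the helper. The helper also hard-codes PAGE_SIZE for `head[0].iov_len` and `buflen`, which is only right while xprt_alloc_xdr_buf() allocates exactly one page per buffer, so a comment tying the two together would keep a later allocation change from leaving these bounds wrong.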
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Miaoqian Lin , Linus Walleij Subject: [PATCH 4.9 073/101] pinctrl: nomadik: Fix refcount leak in nmk_pinctrl_dt_subnode_to_map Date: Tue, 23 Aug 2022 10:03:46 +0200 Message-Id: <20220823080037.344231233@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8"

From: Miaoqian Lin

commit 4b32e054335ea0ce50967f63a7bfd4db058b14b9 upstream.

of_parse_phandle() returns a node pointer with refcount
incremented, we should use of_node_put() on it when it is not needed
anymore. Add missing of_node_put() to avoid refcount leak.

Fixes: c2f6d059abfc ("pinctrl: nomadik: refactor DT parser to take two paths")
Signed-off-by: Miaoqian Lin
Link: https://lore.kernel.org/r/20220607111602.57355-1-linmq006@gmail.com
Signed-off-by: Linus Walleij
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
--- drivers/pinctrl/nomadik/pinctrl-nomadik.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/drivers/pinctrl/nomadik/pinctrl-nomadik.c +++ b/drivers/pinctrl/nomadik/pinctrl-nomadik.c 
@@ -1455,8 +1455,10 @@ static int nmk_pinctrl_dt_subnode_to_map =20 has_config =3D nmk_pinctrl_dt_get_config(np, &configs); np_config =3D of_parse_phandle(np, "ste,config", 0); - if (np_config) + if (np_config) { has_config |=3D nmk_pinctrl_dt_get_config(np_config, &configs); + of_node_put(np_config); + } if (has_config) { const char *gpio_name; const char *pin; From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 02D00C32793 for ; Tue, 23 Aug 2022 08:32:28 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242913AbiHWIcZ (ORCPT ); Tue, 23 Aug 2022 04:32:25 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46328 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S243530AbiHWI2X (ORCPT ); Tue, 23 Aug 2022 04:28:23 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 048EE72FDB; Tue, 23 Aug 2022 01:15:04 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id CE40A612D8; Tue, 23 Aug 2022 08:14:16 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id C17CBC433D6; Tue, 23 Aug 2022 08:14:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242456; bh=fdew62UuZcMsFie8kfqEEAZhB9kWdQ/7hAK9yJC/+Ls=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=GUJMwdOQPKhpmv+4MUGZFGF4ja269dYl7tyf1izAG8YKK3E0UtKgBgl3t7GY/ZWCO kou9kOdc3jkQmFqJQeAXE+b71ln6azqxqWlFMzxKlR9QX52pV6ZIgMnnYZJLN6EuqY z5YCNSv2LvVm0HUNlrLOFsR1vB/fw0Y2Rw27u6Rk= 
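Review bot: `of_node_put(np_config)` now drops the reference right after `nmk_pinctrl_dt_get_config(np_config, &configs)`, so the fix is correct only if that helper copies values into `configs` and keeps no pointer into the node or its properties. The helper body is not part of this hunk; please confirm that, otherwise `configs` is consumed further down in the `if (has_config)` block after the node may already have been released.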
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Nikita Travkin , Linus Walleij Subject: [PATCH 4.9 074/101] pinctrl: qcom: msm8916: Allow CAMSS GP clocks to be muxed Date: Tue, 23 Aug 2022 10:03:47 +0200 Message-Id: <20220823080037.392600095@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Nikita Travkin commit 44339391c666e46cba522d19c65a6ad1071c68b7 upstream. GPIO 31, 32 can be muxed to GCC_CAMSS_GP(1,2)_CLK respectively but the function was never assigned to the pingroup (even though the function exists already). Add this mode to the related pins. Fixes: 5373a2c5abb6 ("pinctrl: qcom: Add msm8916 pinctrl driver") Signed-off-by: Nikita Travkin Link: https://lore.kernel.org/r/20220612145955.385787-4-nikita@trvn.ru Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- drivers/pinctrl/qcom/pinctrl-msm8916.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/drivers/pinctrl/qcom/pinctrl-msm8916.c +++ b/drivers/pinctrl/qcom/pinctrl-msm8916.c 
@@ -852,8 +852,8 @@ static const struct msm_pingroup msm8916 PINGROUP(28, pwr_modem_enabled_a, NA, NA, NA, NA, NA, qdss_tracedata_b, N= A, atest_combodac), PINGROUP(29, cci_i2c, NA, NA, NA, NA, NA, qdss_tracedata_b, NA, atest_com= bodac), PINGROUP(30, cci_i2c, NA, NA, NA, NA, NA, NA, NA, qdss_tracedata_b), - PINGROUP(31, cci_timer0, NA, NA, NA, NA, NA, NA, NA, NA), - PINGROUP(32, cci_timer1, NA, NA, NA, NA, NA, NA, NA, NA), + PINGROUP(31, cci_timer0, flash_strobe, NA, NA, NA, NA, NA, NA, NA), + PINGROUP(32, cci_timer1, flash_strobe, NA, NA, NA, NA, NA, NA, NA), PINGROUP(33, cci_async, NA, NA, NA, NA, NA, NA, NA, qdss_tracedata_b), PINGROUP(34, pwr_nav_enabled_a, NA, NA, NA, NA, NA, NA, NA, qdss_tracedat= a_b), PINGROUP(35, pwr_crypto_enabled_a, NA, NA, NA, NA, NA, NA, NA, qdss_trace= data_b), From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D5195C32772 for ; Tue, 23 Aug 2022 08:30:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243814AbiHWIaC (ORCPT ); Tue, 23 Aug 2022 04:30:02 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47688 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244257AbiHWI0b (ORCPT ); Tue, 23 Aug 2022 04:26:31 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4B2C173921; Tue, 23 Aug 2022 01:14:25 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 24A016129A; Tue, 23 Aug 2022 08:14:23 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 
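Review bot: the function added to PINGROUP(31) and PINGROUP(32) is `flash_strobe`, while the commit message describes the mux target as GCC_CAMSS_GP(1,2)_CLK, and both pins receive the same function name although the message says GP1 and GP2 respectively. A short comment at these two entries, or a sentence in the changelog, stating that `flash_strobe` is the existing function that selects the GP clock would make the table reviewable without the datasheet.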
30644C433C1; Tue, 23 Aug 2022 08:14:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242462; bh=w/ws2DL+rOAPKGt41HhTtwj8mh2+FQSFUgu3NzsRKgY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=kEadTVknMWwBbQ1z6SmS9/MUcrCyn/so+gazDohkZyumaK9D0nPKatmpABE+zgwV/ aZPZCMC0LWm3ZajY8pH1HIsa3+hRB1T/g7P1y2R4tCjRLO5BQqX5GnE4D6ddkCH1GQ kCHb44TRguP2n9zYLvBBpvgFUE1fL/JERxu59YFM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Stefano Garzarella , Peilin Ye , "David S. Miller" , syzbot+b03f55bf128f9a38f064@syzkaller.appspotmail.com Subject: [PATCH 4.9 075/101] vsock: Fix memory leak in vsock_connect() Date: Tue, 23 Aug 2022 10:03:48 +0200 Message-Id: <20220823080037.435200290@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" 
From: Peilin Ye

commit 7e97cfed9929eaabc41829c395eb0d1350fccb9d upstream.

An O_NONBLOCK vsock_connect() request may try to reschedule
@connect_work. Imagine the following sequence of vsock_connect()
requests:

  1. The 1st, non-blocking request schedules @connect_work, which will
     expire after 200 jiffies. Socket state is now SS_CONNECTING;

  2. Later, the 2nd, blocking request gets interrupted by a signal after
     a few jiffies while waiting for the connection to be established.
     Socket state is back to SS_UNCONNECTED, but @connect_work is still
     pending, and will expire after 100 jiffies.

  3. Now, the 3rd, non-blocking request tries to schedule @connect_work
     again. Since @connect_work is already scheduled,
     schedule_delayed_work() silently returns. sock_hold() is called
     twice, but sock_put() will only be called once in
     vsock_connect_timeout(), causing a memory leak reported by syzbot:

  BUG: memory leak
    unreferenced object 0xffff88810ea56a40 (size 1232):
      comm "syz-executor756", pid 3604, jiffies 4294947681 (age 12.350s)
      hex dump (first 32 bytes):
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        28 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00  (..@............
      backtrace:
        [] sk_prot_alloc+0x3e/0x1b0 net/core/sock.c:1930
        [] sk_alloc+0x32/0x2e0 net/core/sock.c:1989
        [] __vsock_create.constprop.0+0x38/0x320 net/vmw_vsock/af_vsock.c:734
        [] vsock_create+0xc1/0x2d0 net/vmw_vsock/af_vsock.c:2203
        [] __sock_create+0x1ab/0x2b0 net/socket.c:1468
        [] sock_create net/socket.c:1519 [inline]
        [] __sys_socket+0x6f/0x140 net/socket.c:1561
        [] __do_sys_socket net/socket.c:1570 [inline]
        [] __se_sys_socket net/socket.c:1568 [inline]
        [] __x64_sys_socket+0x1a/0x20 net/socket.c:1568
        [] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
        [] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
        [] entry_SYSCALL_64_after_hwframe+0x44/0xae
  <...>

Use mod_delayed_work() instead: if @connect_work is already scheduled,
reschedule it, and undo sock_hold() to keep the reference count
balanced.

Reported-and-tested-by: syzbot+b03f55bf128f9a38f064@syzkaller.appspotmail.com
Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
Co-developed-by: Stefano Garzarella
Signed-off-by: Stefano Garzarella
Reviewed-by: Stefano Garzarella
Signed-off-by: Peilin Ye
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
--- net/vmw_vsock/af_vsock.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) --- a/net/vmw_vsock/af_vsock.c +++ b/net/vmw_vsock/af_vsock.c 
@@ -1205,7 +1205,14 @@ static int vsock_stream_connect(struct s * timeout fires. */ sock_hold(sk); - schedule_delayed_work(&vsk->connect_work, timeout); + + /* If the timeout function is already scheduled, + * reschedule it, then ungrab the socket refcount to + * keep it balanced. + */ + if (mod_delayed_work(system_wq, &vsk->connect_work, + timeout)) + sock_put(sk); =20 /* Skip ahead to preserve error code set above. */ goto out_wait; From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id E5441C32772 for ; Tue, 23 Aug 2022 08:30:18 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243864AbiHWIaR (ORCPT ); Tue, 23 Aug 2022 04:30:17 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46572 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S245198AbiHWI0l (ORCPT ); Tue, 23 Aug 2022 04:26:41 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B0B5F6C137; Tue, 23 Aug 2022 01:14:34 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 2AA0DB81C3A; Tue, 23 Aug 2022 08:14:30 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 754E7C433C1; Tue, 23 Aug 2022 08:14:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242468; bh=wpt7uKioQEW6C34e+ng7mA8HJn1XgbnbQsHPjPhBV4M=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=lK801emb3R7XX2spzOxIHt7krfq/6z94EmtuF+cDFkD4K1HJB/D9t5ddyPoXOENam 
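Review bot: taking `sock_hold(sk)` unconditionally and releasing it when `mod_delayed_work()` reports that the work was already pending keeps the count balanced at this call site, but the stale state itself comes from step 2 of the changelog, where the interrupted blocking connect leaves @connect_work pending on a socket that is back in SS_UNCONNECTED. Should that interrupted path cancel the work and drop its reference instead? As written, the old work item keeps its reference until a later connect() happens to reschedule it, and rescheduling silently replaces the first request's remaining timeout with the new `timeout` value.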
oPwF/65TmLPj1r4KkL+Ow4hEWuTnciaD5aG4oEMkZO6FeTUWxuRky8IORS6R6xytsE ARo1fDGG+aDk/ZDml2+FVz4DLz3cbamZS7+G6oR0= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Dan Carpenter , Oleksandr Tyshchenko , Juergen Gross Subject: [PATCH 4.9 076/101] xen/xenbus: fix return type in xenbus_file_read() Date: Tue, 23 Aug 2022 10:03:49 +0200 Message-Id: <20220823080037.476671583@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Dan Carpenter commit 32ad11127b95236dfc52375f3707853194a7f4b4 upstream. This code tries to store -EFAULT in an unsigned int. The xenbus_file_read() function returns type ssize_t so the negative value is returned as a positive value to the user. This change forces another change to the min() macro. Originally, the min() macro used "unsigned" type which checkpatch complains about. Also unsigned type would break if "len" were not capped at MAX_RW_COUNT. Use size_t for the min(). (No effect on runtime for the min_t() change). Fixes: 2fb3683e7b16 ("xen: Add xenbus device driver") Signed-off-by: Dan Carpenter Reviewed-by: Oleksandr Tyshchenko Link: https://lore.kernel.org/r/YutxJUaUYRG/VLVc@kili Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- drivers/xen/xenbus/xenbus_dev_frontend.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/drivers/xen/xenbus/xenbus_dev_frontend.c +++ b/drivers/xen/xenbus/xenbus_dev_frontend.c 
@@ -122,7 +122,7 @@ static ssize_t xenbus_file_read(struct f { struct xenbus_file_priv *u =3D filp->private_data; struct read_buffer *rb; - unsigned i; + ssize_t i; int ret; =20 mutex_lock(&u->reply_mutex); 
@@ -142,7 +142,7 @@ again: rb =3D list_entry(u->read_buffers.next, struct read_buffer, list); i =3D 0; while (i < len) { - unsigned sz =3D min((unsigned)len - i, rb->len - rb->cons); + size_t sz =3D min_t(size_t, len - i, rb->len - rb->cons); =20 ret =3D copy_to_user(ubuf + i, &rb->msg[rb->cons], sz); From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4C252C32772 for ; Tue, 23 Aug 2022 08:32:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243876AbiHWIaY (ORCPT ); Tue, 23 Aug 2022 04:30:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47100 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344319AbiHWI0w (ORCPT ); Tue, 23 Aug 2022 04:26:52 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DB64D6C770; Tue, 23 Aug 2022 01:14:43 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 1B6F0B81C20; Tue, 23 Aug 2022 08:14:36 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6CC8EC433D6; Tue, 23 Aug 2022 08:14:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242474; bh=29gV5ywJ765JIYijCbxFwS+rCez41jCO8sOYnCHIWMc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=LfNYlUZj6hskW+Kt0OeEuEzLDQQYNyCe/MtsKOumv2Xad8TTp7Fdo/X2iAAZvurb8 ELeihNlhz5Q1wypMXWcnSv36E0xysqtKGGv2Bp9xQETTszBRdvxytZWVyu3UwjdOZS piXeH4bOpr1A3ZehU2FpAJs87i9Ujd88tPxguf1g= 
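Review bot: in the second hunk, `min_t(size_t, len - i, rb->len - rb->cons)` casts both operands to size_t, so if `rb->cons` could ever exceed `rb->len` the second operand wraps to a huge value and the copy length is bounded only by `len - i`, reading past `rb->msg` in the `copy_to_user()` that follows. The hunk does not show that invariant being enforced; a check, or a comment stating why `rb->cons <= rb->len` always holds, would help. With `i` now `ssize_t`, `while (i < len)` is also safe only while `i` is non-negative whenever the condition is evaluated; a separate variable for the error return would make that obvious.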
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Duoming Zhou , Jakub Kicinski Subject: [PATCH 4.9 077/101] atm: idt77252: fix use-after-free bugs caused by tst_timer Date: Tue, 23 Aug 2022 10:03:50 +0200 Message-Id: <20220823080037.518434534@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8"

From: Duoming Zhou

commit 3f4093e2bf4673f218c0bf17d8362337c400e77b upstream.

There are use-after-free bugs caused by tst_timer. The root cause
is that there are no functions to stop tst_timer in idt77252_exit().
One of the possible race conditions is shown below:

    (thread 1)          |        (thread 2)
                        |  idt77252_init_one
                        |    init_card
                        |      fill_tst
                        |        mod_timer(&card->tst_timer, ...)
idt77252_exit           |  (wait a time)
                        |  tst_timer
                        |
                        |    ...
  kfree(card) // FREE   |
                        |    card->soft_tst[e] // USE

The idt77252_dev is deallocated in idt77252_exit() and used in
timer handler.

This patch adds del_timer_sync() in idt77252_exit() in order that
the timer handler could be stopped before the idt77252_dev is
deallocated.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Duoming Zhou
Link: https://lore.kernel.org/r/20220805070008.18007-1-duoming@zju.edu.cn
Signed-off-by: Jakub Kicinski
Signed-off-by: Greg Kroah-Hartman
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
--- drivers/atm/idt77252.c | 1 + 1 file changed, 1 insertion(+) --- a/drivers/atm/idt77252.c +++ b/drivers/atm/idt77252.c 
@@ -3777,6 +3777,7 @@ static void __exit idt77252_exit(void) card =3D idt77252_chain; dev =3D card->atmdev; idt77252_chain =3D card->next; + del_timer_sync(&card->tst_timer); =20 if (dev->phy->stop) dev->phy->stop(dev); From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id CA3F9C32772 for ; Tue, 23 Aug 2022 08:32:23 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243892AbiHWIag (ORCPT ); Tue, 23 Aug 2022 04:30:36 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46468 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344524AbiHWI1A (ORCPT ); Tue, 23 Aug 2022 04:27:00 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8FF696C746; Tue, 23 Aug 2022 01:14:47 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id DD2CF6132D; Tue, 23 Aug 2022 08:14:44 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id D0055C433D6; Tue, 23 Aug 2022 08:14:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242484; bh=FiKJFq3p3hNMNAz/G+j1Jr63XmO/Uxj1ECLA2jSv+YM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Xxiniz4ePqBgMc027Zpa5HNBif8u7o48pWXcOCC558+hiV2u4QNCVsl2jSficxu5B VMmNNsf79bfFEpGrEoaDfNvmYMn/J/0z0J9/Ec5RyYdrqqoEEEnUqq3c66IKTRmo0b keAkFB/vzLIkHFVu2ZMwSqwCApyjpM6dfRU58bYo= 
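Review bot: `del_timer_sync(&card->tst_timer)` runs before `dev->phy->stop(dev)` and the rest of the teardown, so the timer is stopped while the device can still be active. The changelog shows the timer being armed through `mod_timer(&card->tst_timer, ...)` in fill_tst(); if any path that is still reachable after this point can call that again, the timer is re-armed and the use-after-free on `card` returns. Suggest moving the call to just before the card is freed, or stating why no re-arm is possible from here on.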
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Al Viro , Dinh Nguyen Subject: [PATCH 4.9 078/101] nios2: page fault et.al. are *not* restartable syscalls... Date: Tue, 23 Aug 2022 10:03:51 +0200 Message-Id: <20220823080037.557315562@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Al Viro commit 8535c239ac674f7ead0f2652932d35c52c4123b2 upstream. make sure that ->orig_r2 is negative for everything except the syscalls. Fixes: 82ed08dd1b0e ("nios2: Exception handling") Signed-off-by: Al Viro Signed-off-by: Dinh Nguyen Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- arch/nios2/include/asm/entry.h | 3 ++- arch/nios2/kernel/entry.S | 4 +--- 2 files changed, 3 insertions(+), 4 deletions(-) --- a/arch/nios2/include/asm/entry.h +++ b/arch/nios2/include/asm/entry.h @@ -50,7 +50,8 @@ stw r13, PT_R13(sp) stw r14, PT_R14(sp) stw r15, PT_R15(sp) - stw r2, PT_ORIG_R2(sp) + movi r24, -1 + stw r24, PT_ORIG_R2(sp) stw r7, PT_ORIG_R7(sp) =20 stw ra, PT_RA(sp) --- a/arch/nios2/kernel/entry.S +++ b/arch/nios2/kernel/entry.S @@ -185,6 +185,7 @@ ENTRY(handle_system_call) ldw r5, PT_R5(sp) =20 local_restart: + stw r2, PT_ORIG_R2(sp) /* Check that the requested system call is within limits */ movui r1, __NR_syscalls bgeu r2, r1, ret_invsyscall 
@@ -336,9 +337,6 @@ external_interrupt: /* skip if no interrupt is pending */ beq r12, r0, ret_from_interrupt =20 - movi r24, -1 - stw r24, PT_ORIG_R2(sp) - /* * Process an external hardware interrupt. */ From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 59357C32774 for ; Tue, 23 Aug 2022 08:32:24 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243916AbiHWIaj (ORCPT ); Tue, 23 Aug 2022 04:30:39 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46624 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344799AbiHWI1D (ORCPT ); Tue, 23 Aug 2022 04:27:03 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A281774CE7; Tue, 23 Aug 2022 01:14:59 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 0044961345; Tue, 23 Aug 2022 08:14:51 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 087BAC4347C; Tue, 23 Aug 2022 08:14:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242490; bh=ZhkPRONPRsdklvEmDO5ZqnezVhTgjCAugxYUuo/Z7Lg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=jjR4ZjHtIE/PXnkxP/LEAxs01od5YyrBibALML27IU4/OH9b0ahm9UG6GoEKikVJM 6cv9bG1kza+P2lWZ5ph6BdzrXUp5QDEL8oXfF+X6AlT0yypwq+sMWvE7zXB68L1Tfp oXszJLZr6f2p9C1DYvr1wVNaTmHXzAS7/rk8w2v4= 
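Review bot: in the entry.h hunk, `movi r24, -1` overwrites r24 inside the register-save sequence, and the lines visible there store r13 to r15 and ra but do not show whether r24 has already been saved or is free to clobber at that point. The external_interrupt hunk removes the same two instructions, so r24 was usable on that path, but this macro now sets PT_ORIG_R2 for every non-syscall entry; a one-line comment saying that r24 is scratch here and that -1 marks the entry as not restartable would document the invariant the changelog states.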
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Al Viro , Dinh Nguyen Subject: [PATCH 4.9 079/101] nios2: dont leave NULLs in sys_call_table[] Date: Tue, 23 Aug 2022 10:03:52 +0200 Message-Id: <20220823080037.597334264@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Al Viro commit 45ec746c65097c25e77d24eae8fee0def5b6cc5d upstream. fill the gaps in there with sys_ni_syscall, as everyone does... Fixes: 82ed08dd1b0e ("nios2: Exception handling") Signed-off-by: Al Viro Signed-off-by: Dinh Nguyen Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- arch/nios2/kernel/entry.S | 1 - arch/nios2/kernel/syscall_table.c | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) --- a/arch/nios2/kernel/entry.S +++ b/arch/nios2/kernel/entry.S @@ -193,7 +193,6 @@ local_restart: movhi r11, %hiadj(sys_call_table) add r1, r1, r11 ldw r1, %lo(sys_call_table)(r1) - beq r1, r0, ret_invsyscall =20 /* Check if we are being traced */ GET_THREAD_INFO r11 --- a/arch/nios2/kernel/syscall_table.c +++ b/arch/nios2/kernel/syscall_table.c 
@@ -25,5 +25,6 @@ #define __SYSCALL(nr, call) [nr] =3D (call), =20 void *sys_call_table[__NR_syscalls] =3D { + [0 ... __NR_syscalls-1] =3D sys_ni_syscall, #include }; From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 254F6C3F6B0 for ; Tue, 23 Aug 2022 08:33:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244029AbiHWIdN (ORCPT ); Tue, 23 Aug 2022 04:33:13 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60776 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244740AbiHWIax (ORCPT ); Tue, 23 Aug 2022 04:30:53 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 634D674E3D; Tue, 23 Aug 2022 01:15:47 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 24043B81BF8; Tue, 23 Aug 2022 08:14:58 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7F232C433D6; Tue, 23 Aug 2022 08:14:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242496; bh=fxlNh0LwhOpWUkF19exROe077tMNe7vdcr/NJnAVD5A=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=zyz2vY3IFtOq9rgU+bMiLO2GffPDQE+8xl9GT3b5Ii/oi1o8RirBBrYMxnScuIn+u UttikdML+6fEDxTfj0aXQp6SdDnFUeV90gkJWb1Rx531uPhHTLAnsFY/D6EiUJwugt wjJbBQv/OaSN7ClfwweZyLyot5dLBTpfJSRKl9FA= 
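Review bot: In patch 079/101 the `[0 ... __NR_syscalls-1] = sys_ni_syscall,` default in syscall_table.c works only because it comes before the `#include`, whose `[nr] = (call),` entries then override it; a comment stating that the order matters would stop someone from moving the line. Overriding a range designator is the pattern -Woverride-init reports, so check the build stays quiet, and check that a declaration of sys_ni_syscall is in scope in this file, since the hunk adds none. The removal of `beq r1, r0, ret_invsyscall` in entry.S is safe only with the table fill in place, so the two hunks must always be backported together.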
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Al Viro , Dinh Nguyen Subject: [PATCH 4.9 080/101] nios2: traced syscall does need to check the syscall number Date: Tue, 23 Aug 2022 10:03:53 +0200 Message-Id: <20220823080037.627582154@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Al Viro commit 25ba820ef36bdbaf9884adeac69b6e1821a7df76 upstream. all checks done before letting the tracer modify the register state are worthless... Fixes: 82ed08dd1b0e ("nios2: Exception handling") Signed-off-by: Al Viro Signed-off-by: Dinh Nguyen Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- arch/nios2/kernel/entry.S | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) --- a/arch/nios2/kernel/entry.S +++ b/arch/nios2/kernel/entry.S @@ -255,9 +255,9 @@ traced_system_call: ldw r6, PT_R6(sp) ldw r7, PT_R7(sp) =20 - /* Fetch the syscall function, we don't need to check the boundaries - * since this is already done. - */ + /* Fetch the syscall function. */ + movui r1, __NR_syscalls + bgeu r2, r1, traced_invsyscall slli r1, r2, 2 movhi r11,%hiadj(sys_call_table) add r1, r1, r11 
@@ -287,6 +287,11 @@ end_translate_rc_and_ret2: RESTORE_SWITCH_STACK br ret_from_exception =20 + /* If the syscall number was invalid return ENOSYS */ +traced_invsyscall: + movi r2, -ENOSYS + br translate_rc_and_ret2 + Luser_return: GET_THREAD_INFO r11 /* get thread_info pointer */ ldw r10, TI_FLAGS(r11) /* get thread_info->flags */ From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id DE0E2C32792 for ; Tue, 23 Aug 2022 08:32:54 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243736AbiHWIcv (ORCPT ); Tue, 23 Aug 2022 04:32:51 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59138 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S243412AbiHWIaP (ORCPT ); Tue, 23 Aug 2022 04:30:15 -0400 Received: from sin.source.kernel.org (sin.source.kernel.org [IPv6:2604:1380:40e1:4800::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0338974E0B; Tue, 23 Aug 2022 01:15:17 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sin.source.kernel.org (Postfix) with ESMTPS id 71974CE1B35; Tue, 23 Aug 2022 08:15:04 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 879BCC433D7; Tue, 23 Aug 2022 08:15:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242502; bh=74BDVeIvMBWQuIu/Rh+9XV75YMCsgnfcdiv4ClaKEQU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=faJo7Th67wI3Y8hrR1CeMEKasabHROba2H7QK58JoivYuQATcinlfIlRfOulbzrlS MYCOs2I54Xey4PTPLtXQXe7aFnpb0vCZ69m5rx0M9W6mFzRs52trJIXMzasWS42VRb bvQdmP9BMVRTwmCK2GKI/jKiBb3oH4m/W8YYp9gA= 
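Review bot: In patch 080/101 the replacement comment `/* Fetch the syscall function. */` drops the reason for the new `movui r1, __NR_syscalls` / `bgeu r2, r1, traced_invsyscall` pair. The comment should say that the number is validated again here because the tracer may have rewritten r2 after the first check, which is the whole point of the commit message. The hunk context shows only r6 and r7 being reloaded with `ldw`, so please confirm that r2 is also reloaded from the saved registers before the comparison; otherwise the check tests the pre-trace value.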
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Al Viro , Dinh Nguyen Subject: [PATCH 4.9 081/101] nios2: fix syscall restart checks Date: Tue, 23 Aug 2022 10:03:54 +0200 Message-Id: <20220823080037.661864419@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Al Viro commit 2d631bd58fe0ea3e3350212e23c9aba1fb606514 upstream. sys_foo() returns -512 (aka -ERESTARTSYS) =3D> do_signal() sees 512 in r2 and 1 in r1. sys_foo() returns 512 =3D> do_signal() sees 512 in r2 and 0 in r1. The former is restart-worthy; the latter obviously isn't. Fixes: b53e906d255d ("nios2: Signal handling support") Signed-off-by: Al Viro Signed-off-by: Dinh Nguyen Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- arch/nios2/kernel/signal.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/nios2/kernel/signal.c +++ b/arch/nios2/kernel/signal.c 
@@ -240,7 +240,7 @@ static int do_signal(struct pt_regs *reg /* * If we were from a system call, check for system call restarting... */ - if (regs->orig_r2 >=3D 0) { + if (regs->orig_r2 >=3D 0 && regs->r1) { continue_addr =3D regs->ea; restart_addr =3D continue_addr - 4; retval =3D regs->r2; From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 44AA0C32792 for ; Tue, 23 Aug 2022 08:33:41 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244499AbiHWIdh (ORCPT ); Tue, 23 Aug 2022 04:33:37 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60562 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S245696AbiHWIbI (ORCPT ); Tue, 23 Aug 2022 04:31:08 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 63BA36D9E9; Tue, 23 Aug 2022 01:15:57 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 72CA06134C; Tue, 23 Aug 2022 08:15:09 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 73BDEC433D7; Tue, 23 Aug 2022 08:15:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242508; bh=fy9Hbiarz6gfSjxp30zSLiolvV9NwPqMSdgxPIu22Qs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=p5GpuMdOFj+DsGEJpRjzQKo1PW+xjtU2khuXDVcH+QpBWDVPqeRgMaRkK4Q/P3xlm RhJjgb63LsmWiIGWHRZZQ/ZA6JYTPbcYBsv+MG33wWoLNkTpBfT0nFD9qGJko8CyLI 06HdPHXZEEHcRqJSWNQ1dO6t6VCHoY2UwcgbdW4w= 
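Review bot: In patch 081/101 the comment above `if (regs->orig_r2 >= 0 && regs->r1)` still reads only "If we were from a system call", and nothing in signal.c says that r1 is the error flag the syscall return path sets when it negates r2. Extend the comment so that `&& regs->r1` is not later mistaken for a leftover; the example from the commit message (r2 = 512 with r1 = 1 is restart-worthy, r2 = 512 with r1 = 0 is not) would serve as it stands.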
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Al Viro , Dinh Nguyen Subject: [PATCH 4.9 082/101] nios2: restarts apply only to the first sigframe we build... Date: Tue, 23 Aug 2022 10:03:55 +0200 Message-Id: <20220823080037.691744892@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Al Viro commit 411a76b7219555c55867466c82d70ce928d6c9e1 upstream. Fixes: b53e906d255d ("nios2: Signal handling support") Signed-off-by: Al Viro Signed-off-by: Dinh Nguyen Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- arch/nios2/kernel/signal.c | 1 + 1 file changed, 1 insertion(+) --- a/arch/nios2/kernel/signal.c +++ b/arch/nios2/kernel/signal.c 
@@ -261,6 +261,7 @@ static int do_signal(struct pt_regs *reg regs->ea =3D restart_addr; break; } + regs->orig_r2 =3D -1; } =20 if (get_signal(&ksig)) { From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0CF5CC32772 for ; Tue, 23 Aug 2022 08:47:21 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241422AbiHWIrT (ORCPT ); Tue, 23 Aug 2022 04:47:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60872 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1347652AbiHWIp3 (ORCPT ); Tue, 23 Aug 2022 04:45:29 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F3E9E6E8AA; Tue, 23 Aug 2022 01:21:15 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 49CC1612D8; Tue, 23 Aug 2022 08:15:18 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 35791C433D7; Tue, 23 Aug 2022 08:15:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242517; bh=UlzcKidXqLG4HmGSEd5gPKAWOKksFX8ym+DBmzhofjk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=1Mc44K3bXX3xjEqzdqKQvAip8UkrSO+YyNOe/jCcFOjpfW0o0BXxXByr9Q4W3G+Bb 4/AC/CKNlXihdvq1aoKAHA+wC8iBtP2SFJeTyi9TflfU/5+SBaWye1eOvIBT83LXNF 0K82408+kzAN2EBIRIIXWiVuWXsESWTKyO+1WMdo= 
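Review bot: In patch 082/101 the added `regs->orig_r2 = -1;` has neither a comment nor a commit message body, so the reason survives only in the subject line. Add a comment at the assignment saying that restart handling must apply only to the first sigframe built, and that clearing orig_r2 is what keeps a later pass through do_signal() from adjusting `regs->ea` again.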
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Al Viro , Dinh Nguyen Subject: [PATCH 4.9 083/101] nios2: add force_successful_syscall_return() Date: Tue, 23 Aug 2022 10:03:56 +0200 Message-Id: <20220823080037.723244063@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Al Viro commit fd0c153daad135d0ec1a53c5dbe6936a724d6ae1 upstream. If we use the ancient SysV syscall ABI, we'd better have tell the kernel how to claim that a negative return value is a success. Use ->orig_r2 for that - it's inaccessible via ptrace, so it's a fair game for changes and it's normally[*] non-negative on return from syscall. Set to -1; syscall is not going to be restart-worthy by definition, so we won't interfere with that use either. [*] the only exception is rt_sigreturn(), where we skip the entire messing with r1/r2 anyway. Fixes: 82ed08dd1b0e ("nios2: Exception handling") Signed-off-by: Al Viro Signed-off-by: Dinh Nguyen Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- arch/nios2/include/asm/ptrace.h | 2 ++ arch/nios2/kernel/entry.S | 6 ++++++ 2 files changed, 8 insertions(+) --- a/arch/nios2/include/asm/ptrace.h +++ b/arch/nios2/include/asm/ptrace.h @@ -74,6 +74,8 @@ extern void show_regs(struct pt_regs *); ((struct pt_regs *)((unsigned long)current_thread_info() + THREAD_SIZE)\ - 1) =20 +#define force_successful_syscall_return() (current_pt_regs()->orig_r2 =3D = -1) + int do_syscall_trace_enter(void); void do_syscall_trace_exit(void); #endif /* __ASSEMBLY__ */ --- a/arch/nios2/kernel/entry.S +++ b/arch/nios2/kernel/entry.S 
@@ -213,6 +213,9 @@ local_restart: translate_rc_and_ret: movi r1, 0 bge r2, zero, 3f + ldw r1, PT_ORIG_R2(sp) + addi r1, r1, 1 + beq r1, zero, 3f sub r2, zero, r2 movi r1, 1 3: @@ -276,6 +279,9 @@ traced_system_call: translate_rc_and_ret2: movi r1, 0 bge r2, zero, 4f + ldw r1, PT_ORIG_R2(sp) + addi r1, r1, 1 + beq r1, zero, 4f sub r2, zero, r2 movi r1, 1 4: From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 28A6FC32774 for ; Tue, 23 Aug 2022 08:35:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1343970AbiHWIfI (ORCPT ); Tue, 23 Aug 2022 04:35:08 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33054 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345145AbiHWIbi (ORCPT ); Tue, 23 Aug 2022 04:31:38 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9E96E6DAC8; Tue, 23 Aug 2022 01:16:01 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 334C161242; Tue, 23 Aug 2022 08:15:24 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 41B26C433D6; Tue, 23 Aug 2022 08:15:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242523; bh=myMdnGVdYAOwkYIWpgpdgy4cNjrQGpV3r6l/uJbrmlQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=1C8A6gCOrnAVZD3rpz50A0LojhX/3mDMzg1UNM0o/9mKyIt8WLVbp+CVS2sElfKVz gT426LTo3AR4T8JhmlO4KDNVk9gv3b4MHQO80lxV+YzvlCwYVmtVCTE/A8NVqNeYBR zxRcIheFjI0uxqJKxdDFjiKITiJMOdlBh+k2L0Jw= 
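Review bot: In patch 083/101 the `addi r1, r1, 1` / `beq r1, zero, 3f` test in translate_rc_and_ret and translate_rc_and_ret2 treats orig_r2 == -1 as "forced success", but patch 078 stores the user-supplied r2 into orig_r2 at `local_restart` before the range check, so a request for syscall number -1 leaves the same marker there. traced_invsyscall (patch 080) loads -ENOSYS and branches to translate_rc_and_ret2, so on that path the error would be handed back un-negated with r1 = 0; please confirm whether the untraced invalid-syscall path behaves the same way and, if so, make sure orig_r2 is not -1 when -ENOSYS is translated. Both copies also depend on r1 being exactly 0 when the branch to the local label is taken, which happens only because the addition produced zero; a comment on that would keep a later edit from breaking the success flag.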
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Pablo Neira Ayuso Subject: [PATCH 4.9 084/101] netfilter: nf_tables: really skip inactive sets when allocating name Date: Tue, 23 Aug 2022 10:03:57 +0200 Message-Id: <20220823080037.763250725@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Pablo Neira Ayuso commit 271c5ca826e0c3c53e0eb4032f8eaedea1ee391c upstream. While looping to build the bitmap of used anonymous set names, check the current set in the iteration, instead of the one that is being created. Fixes: 37a9cc525525 ("netfilter: nf_tables: add generation mask to sets") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- net/netfilter/nf_tables_api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c 
@@ -2515,7 +2515,7 @@ cont: list_for_each_entry(i, &ctx->table->sets, list) { int tmp; =20 - if (!nft_is_active_next(ctx->net, set)) + if (!nft_is_active_next(ctx->net, i)) continue; if (!sscanf(i->name, name, &tmp)) continue; From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9FD86C32792 for ; Tue, 23 Aug 2022 08:39:27 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241267AbiHWIhu (ORCPT ); Tue, 23 Aug 2022 04:37:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33060 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345960AbiHWIf5 (ORCPT ); Tue, 23 Aug 2022 04:35:57 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2421275FCE; Tue, 23 Aug 2022 01:16:48 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id A8D83B81C20; Tue, 23 Aug 2022 08:16:47 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 04BEAC4347C; Tue, 23 Aug 2022 08:16:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242606; bh=wzYSU7PSI22ZxSnt8HJeG089qUc1YXYvyYmqR9gjY2Y=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Tqxosq2w+aQ4XNfHYe8RaK9NUhGEfBRD640JjFu+Jds+X8ddEcPIzCaG21s7i6Qgd 3T3YSqgsUO16cIoD/i+bn+nC97Dxg8Vo7vpGejk9FaZVTm1UtQ6p+ElA8FIUT1Hs+v 7RCbJrLPFWo6Lv7j/QU3/ckIFNLgwjj4qL63m0U4= 
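Review bot: In patch 084/101 `set` is loop-invariant inside `list_for_each_entry(i, &ctx->table->sets, list)`, so the old `nft_is_active_next(ctx->net, set)` gave the same answer for every entry in the list. The commit message should state what that meant in practice for the bitmap of used anonymous set names, so that people backporting it can judge the impact. A single-letter iterator next to a variable called `set` is what made the slip easy to miss; a more descriptive iterator name would help here.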
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, =?UTF-8?q?Cs=C3=B3k=C3=A1s=20Bence?= , Jakub Kicinski Subject: [PATCH 4.9 085/101] fec: Fix timer capture timing in `fec_ptp_enable_pps()` Date: Tue, 23 Aug 2022 10:03:58 +0200 Message-Id: <20220823080037.800216144@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Cs=C3=B3k=C3=A1s Bence commit 61d5e2a251fb20c2c5e998c3f1d52ed6d5360319 upstream. Code reimplements functionality already in `fec_ptp_read()`, but misses check for FEC_QUIRK_BUG_CAPTURE. Replace with function call. Fixes: 28b5f058cf1d ("net: fec: ptp: fix convergence issue to support Linux= PTP stack") Signed-off-by: Cs=C3=B3k=C3=A1s Bence Link: https://lore.kernel.org/r/20220811101348.13755-1-csokas.bence@prolan.= hu Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- drivers/net/ethernet/freescale/fec_ptp.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) --- a/drivers/net/ethernet/freescale/fec_ptp.c +++ b/drivers/net/ethernet/freescale/fec_ptp.c 
@@ -155,11 +155,7 @@ static int fec_ptp_enable_pps(struct fec * NSEC_PER_SEC - ts.tv_nsec. Add the remaining nanoseconds * to current timer would be next second. */ - tempval =3D readl(fep->hwp + FEC_ATIME_CTRL); - tempval |=3D FEC_T_CTRL_CAPTURE; - writel(tempval, fep->hwp + FEC_ATIME_CTRL); - - tempval =3D readl(fep->hwp + FEC_ATIME); + tempval =3D fep->cc.read(&fep->cc); /* Convert the ptp local counter to 1588 timestamp */ ns =3D timecounter_cyc2time(&fep->tc, tempval); ts =3D ns_to_timespec64(ns); From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2F57CC32796 for ; Tue, 23 Aug 2022 08:42:39 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1346749AbiHWImg (ORCPT ); Tue, 23 Aug 2022 04:42:36 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46536 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241908AbiHWIkN (ORCPT ); Tue, 23 Aug 2022 04:40:13 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CB60C4D4DF; Tue, 23 Aug 2022 01:18:44 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id E14E0B81C36; Tue, 23 Aug 2022 08:17:54 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 39D33C433C1; Tue, 23 Aug 2022 08:17:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242673; bh=REnsOf1qaq3VcnLbeF/05iGYQcU3+3goKpVVWJlYh0I=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; 
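Review bot: In patch 085/101 the commit message says the open-coded capture is replaced by a call to `fec_ptp_read()`, but the hunk calls it indirectly as `fep->cc.read(&fep->cc)`. That is equivalent only if `cc.read` already points at that function whenever fec_ptp_enable_pps() can run, which the hunk does not show; either call the function directly or state the dependency in the commit message. Please also check that the callback's return type fits `tempval`, which until now held a `readl()` result.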
b=effRwk9QBqZkC0BZSbW9yhQF6Ce6YL4kCJi2t3Zggzcfdg8BD8ZJrjlFui+vu7FXo 9cyk3KR9DkraJGj1QMEH0FOOB5TjJ0NKDzPmgRtl1M4uj4zVA+vE7wQkLUZZ5+4wp0 Otx7QwqwfW/kcyvqcd8V30zU/IxaBPua7RIkvsYw= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Masahiro Yamada , Nicolas Pitre Subject: [PATCH 4.9 086/101] kbuild: clear LDFLAGS in the top Makefile Date: Tue, 23 Aug 2022 10:03:59 +0200 Message-Id: <20220823080037.829968607@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Masahiro Yamada commit ce99d0bf312daf0178e640da9e3c93b773a67e7d upstream. Currently LDFLAGS is not cleared, so same flags are accumulated in LDFLAGS when the top Makefile is recursively invoked. I found unneeded rebuild for ARCH=3Darm64 when CONFIG_TRIM_UNUSED_KSYMS is enabled. If include/generated/autoksyms.h is updated, the top Makefile is recursively invoked, then arch/arm64/Makefile adds one more '-maarch64linux'. Due to the command line change, modules are rebuilt needlessly. Signed-off-by: Masahiro Yamada Acked-by: Nicolas Pitre Signed-off-by: Greg Kroah-Hartman Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- Makefile | 1 + 1 file changed, 1 insertion(+) --- a/Makefile +++ b/Makefile 
@@ -395,6 +395,7 @@ KBUILD_CFLAGS_KERNEL :=3D KBUILD_AFLAGS_MODULE :=3D -DMODULE KBUILD_CFLAGS_MODULE :=3D -DMODULE KBUILD_LDFLAGS_MODULE :=3D -T $(srctree)/scripts/module-common.lds +LDFLAGS :=3D GCC_PLUGINS_CFLAGS :=3D CLANG_FLAGS :=3D From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 214C5C32793 for ; Tue, 23 Aug 2022 08:42:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242559AbiHWImb (ORCPT ); Tue, 23 Aug 2022 04:42:31 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46618 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1347128AbiHWIko (ORCPT ); Tue, 23 Aug 2022 04:40:44 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0DFCC4DF04; Tue, 23 Aug 2022 01:19:00 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 567076137C; Tue, 23 Aug 2022 08:18:03 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4B399C433C1; Tue, 23 Aug 2022 08:18:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242682; bh=4w3lDk5hzKUuT+9+ilwQbT7hBop2B7aR7/BqfQaQuMM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=RrdHCQaGAB4NPAECdyMJcpdnZO9/gXFLz9Qa4a031J4onVGwYy4GU/7SnV+BQlalS BNzBHOKNnzh4O3z6EsF4xyAn8xgkGDdz1VThpeJZcmTOUeiXW2ltptsyfWkfhDQl+O 9U0OXfo6tSVPwCDgPcvUpt0AqUfNTODe1iImwPi0= 
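Review bot: In patch 086/101 the new `LDFLAGS :=` sits in a block of KBUILD_* resets with no comment, and besides stopping the accumulation it also discards any LDFLAGS inherited from the environment, which the commit message does not mention. A short comment that arch Makefiles append to LDFLAGS and that the top Makefile can be invoked recursively would explain why the reset is there, and the changelog should note the environment behaviour.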
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Marc Zyngier , Sai Prakash Ranjan , Arnd Bergmann , Sasha Levin Subject: [PATCH 4.9 087/101] irqchip/tegra: Fix overflow implicit truncation warnings Date: Tue, 23 Aug 2022 10:04:00 +0200 Message-Id: <20220823080037.865505015@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Sai Prakash Ranjan [ Upstream commit 443685992bda9bb4f8b17fc02c9f6c60e62b1461 ] Fix -Woverflow warnings for tegra irqchip driver which is a result of moving arm64 custom MMIO accessor macros to asm-generic function implementations giving a bonus type-checking now and uncovering these overflow warnings. drivers/irqchip/irq-tegra.c: In function =E2=80=98tegra_ictlr_suspend=E2=80= =99: drivers/irqchip/irq-tegra.c:151:18: warning: large integer implicitly trunc= ated to unsigned type [-Woverflow] writel_relaxed(~0ul, ictlr + ICTLR_COP_IER_CLR); ^ Suggested-by: Marc Zyngier Signed-off-by: Sai Prakash Ranjan Reviewed-by: Arnd Bergmann Cc: Marc Zyngier Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- drivers/irqchip/irq-tegra.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/irqchip/irq-tegra.c b/drivers/irqchip/irq-tegra.c index 3973a14bb15b..02ffefd5011a 100644 --- a/drivers/irqchip/irq-tegra.c +++ b/drivers/irqchip/irq-tegra.c 
@@ -157,10 +157,10 @@ static int tegra_ictlr_suspend(void) lic->cop_iep[i] =3D readl_relaxed(ictlr + ICTLR_COP_IEP_CLASS); =20 /* Disable COP interrupts */ - writel_relaxed(~0ul, ictlr + ICTLR_COP_IER_CLR); + writel_relaxed(GENMASK(31, 0), ictlr + ICTLR_COP_IER_CLR); =20 /* Disable CPU interrupts */ - writel_relaxed(~0ul, ictlr + ICTLR_CPU_IER_CLR); + writel_relaxed(GENMASK(31, 0), ictlr + ICTLR_CPU_IER_CLR); =20 /* Enable the wakeup sources of ictlr */ writel_relaxed(lic->ictlr_wake_mask[i], ictlr + ICTLR_CPU_IER_SET); @@ -181,12 +181,12 @@ static void tegra_ictlr_resume(void) =20 writel_relaxed(lic->cpu_iep[i], ictlr + ICTLR_CPU_IEP_CLASS); - writel_relaxed(~0ul, ictlr + ICTLR_CPU_IER_CLR); + writel_relaxed(GENMASK(31, 0), ictlr + ICTLR_CPU_IER_CLR); writel_relaxed(lic->cpu_ier[i], ictlr + ICTLR_CPU_IER_SET); writel_relaxed(lic->cop_iep[i], ictlr + ICTLR_COP_IEP_CLASS); - writel_relaxed(~0ul, ictlr + ICTLR_COP_IER_CLR); + writel_relaxed(GENMASK(31, 0), ictlr + ICTLR_COP_IER_CLR); writel_relaxed(lic->cop_ier[i], ictlr + ICTLR_COP_IER_SET); } 
@@ -321,7 +321,7 @@ static int __init tegra_ictlr_init(struct device_node *= node, lic->base[i] =3D base; =20 /* Disable all interrupts */ - writel_relaxed(~0UL, base + ICTLR_CPU_IER_CLR); + writel_relaxed(GENMASK(31, 0), base + ICTLR_CPU_IER_CLR); /* All interrupts target IRQ */ writel_relaxed(0, base + ICTLR_CPU_IEP_CLASS); =20 --=20 2.35.1 From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id C86E7C32772 for ; Tue, 23 Aug 2022 08:43:26 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1347090AbiHWInY (ORCPT ); Tue, 23 Aug 2022 04:43:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46848 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1347835AbiHWIlH (ORCPT ); Tue, 23 Aug 2022 04:41:07 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9B564792FE; Tue, 23 Aug 2022 01:19:21 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 5F88D61238; Tue, 23 Aug 2022 08:18:09 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 67BF1C433C1; Tue, 23 Aug 2022 08:18:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242688; bh=X32xtPBWcVE6Z6gxu3/jbMLK/pP7I1mcOKV4OxfaTWk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=hnf+XXwi8AS0mgoaAvjKjgHElB21FC8VL98DwqMZrIRQBIQuVU12huz+JId8cK3WW JWln4XdpjNWI+gtwJwD9cek05OmBb2dpIMTtbMtBOlq9/gAuQDuOqYVezuIcWA3AIY cqT9tPcTmhyhBghcBdtawnAjoyznSQk7+67j+yN4= 
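Review bot: In patch 087/101 `GENMASK(31, 0)` is now repeated in five `writel_relaxed()` calls across tegra_ictlr_suspend(), tegra_ictlr_resume() and tegra_ictlr_init(); one named constant for "all interrupts in this controller" (the name is left to the author) would keep the register width in a single place. None of the hunks adds an #include, so please confirm that the header defining GENMASK is already pulled in by irq-tegra.c on this 4.9 tree.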
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Alan Stern , Liang He , Sasha Levin Subject: [PATCH 4.9 088/101] usb: host: ohci-ppc-of: Fix refcount leak bug Date: Tue, 23 Aug 2022 10:04:01 +0200 Message-Id: <20220823080037.906064363@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080034.579196046@linuxfoundation.org> References: <20220823080034.579196046@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Liang He [ Upstream commit 40a959d7042bb7711e404ad2318b30e9f92c6b9b ] In ohci_hcd_ppc_of_probe(), of_find_compatible_node() will return a node pointer with refcount incremented. We should use of_node_put() when it is not used anymore. Acked-by: Alan Stern Signed-off-by: Liang He Link: https://lore.kernel.org/r/20220617034637.4003115-1-windhl@126.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- drivers/usb/host/ohci-ppc-of.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/usb/host/ohci-ppc-of.c b/drivers/usb/host/ohci-ppc-of.c index 4f87a5c61b08..d22a70363fbf 100644 --- a/drivers/usb/host/ohci-ppc-of.c +++ b/drivers/usb/host/ohci-ppc-of.c 
@@ -168,6 +168,7 @@ static int ohci_hcd_ppc_of_probe(struct platform_device= *op) release_mem_region(res.start, 0x4); } else pr_debug("%s: cannot get ehci offset from fdt\n", __FILE__); + of_node_put(np); } =20 irq_dispose_mapping(irq); --=20 2.35.1 From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3D0E8C32772 for ; Tue, 23 Aug 2022 08:36:53 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244188AbiHWIfX (ORCPT ); Tue, 23 Aug 2022 04:35:23 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35128 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1347221AbiHWIcR (ORCPT ); Tue, 23 Aug 2022 04:32:17 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7DEA06DF80; Tue, 23 Aug 2022 01:16:23 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 97ADF6132D; Tue, 23 Aug 2022 08:15:45 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 96DA1C433D6; Tue, 23 Aug 2022 08:15:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242545; bh=FRJzzAnCaxoDotjb7MHc+PSZZr5SJZD7UjAEYcm83gc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Q8CG2NM3bOSpRTK7/FJEgVnuwXJOvuUTj5ke1cH5YKz90stVVw3O2mesLaaIsej8W iAsGAFrgVlPwzqUb+JmOC18i0H/0smNPc3Lr4bTu77skVfwOpdp6zSY/jtNS3Nc58c 4sKTaatbyXavj4wxl31012flgEwcZstRYta4TuOk= 
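Review bot: in the ohci_hcd_ppc_of_probe() hunk of patch 088, the new of_node_put(np) directly follows an unbraced `else pr_debug(...)` whose `if` arm is braced, so at a glance the put reads as if it could belong to the else arm. Brace the else arm as well, so it is plain that the put runs on every path through the block that looked the node up.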
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jozef Martiniak, Sasha Levin
Subject: [PATCH 4.9 089/101] gadgetfs: ep_io - wait until IRQ finishes
Date: Tue, 23 Aug 2022 10:04:02 +0200
Message-Id: <20220823080037.947955274@linuxfoundation.org>
X-Mailer: git-send-email 2.37.2
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

From: Jozef Martiniak

[ Upstream commit 04cb742d4d8f30dc2e83b46ac317eec09191c68e ]

after usb_ep_queue() if wait_for_completion_interruptible() is interrupted we need to wait until IRQ gets finished.

Otherwise complete() from epio_complete() can corrupt stack.

Signed-off-by: Jozef Martiniak
Link: https://lore.kernel.org/r/20220708070645.6130-1-jomajm@gmail.com
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Sasha Levin
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
---
 drivers/usb/gadget/legacy/inode.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/= inode.c
index 2b30b5a1b577..8d53b3ac31c6 100644
--- a/drivers/usb/gadget/legacy/inode.c
+++ b/drivers/usb/gadget/legacy/inode.c
@@ -365,6 +365,7 @@ ep_io (struct ep_data *epdata, void *buf, unsigned len) spin_unlock_irq (&epdata->dev->lock); =20 DBG (epdata->dev, "endpoint gone\n"); + wait_for_completion(&done); epdata->status =3D -ENODEV; } } --=20 2.35.1 From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9E52BC32772 for ; Tue, 23 Aug 2022 08:34:43 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S245506AbiHWIel (ORCPT ); Tue, 23 Aug 2022 04:34:41 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34386 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1346347AbiHWIby (ORCPT ); Tue, 23 Aug 2022 04:31:54 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E776520BD1; Tue, 23 Aug 2022 01:16:13 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 5067761344; Tue, 23 Aug 2022 08:15:51 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5D5A5C433C1; Tue, 23 Aug 2022 08:15:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242550; bh=VF22Iro7UbCbbWGEW7D3ybbI3jXsNuduTGF1qQpb4YA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=wFMIRcBf2wjTw/DcPbLizjE6SJkiiQqZLn30QmShKED7V5Ae8WESJoLvkcCnIcCfr N++0Mw1hGK5JQk3SG65ApdknbHCacVVpsaMTkM+LqeCN76tTzFmgJA9dNunar2Qe8W NEepf8dnGubBy3Zpak5/JN/9Zh7X3S0fplL/H/pE= 
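Review bot: in the ep_io() hunk of patch 089, the wait_for_completion(&done) added to the "endpoint gone" branch is uninterruptible, and per the commit message this path is reached after wait_for_completion_interruptible() was already interrupted, so the task can no longer be signalled out if complete() never arrives. Add a comment in that branch stating what guarantees epio_complete() still runs once the endpoint is gone, and that the wait is needed because complete() would otherwise write to this function's stack after it returned.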
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Andrew Donnellan, Christophe JAILLET, Sasha Levin
Subject: [PATCH 4.9 090/101] cxl: Fix a memory leak in an error handling path
Date: Tue, 23 Aug 2022 10:04:03 +0200
Message-Id: <20220823080037.992394869@linuxfoundation.org>
X-Mailer: git-send-email 2.37.2
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

From: Christophe JAILLET

[ Upstream commit 3a15b45b5454da862376b5d69a4967f5c6fa1368 ]

A bitmap_zalloc() must be balanced by a corresponding bitmap_free() in the error handling path of afu_allocate_irqs().

Acked-by: Andrew Donnellan
Signed-off-by: Christophe JAILLET
Link: https://lore.kernel.org/r/ce5869418f5838187946eb6b11a52715a93ece3d.1657566849.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Sasha Levin
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
---
 drivers/misc/cxl/irq.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/misc/cxl/irq.c b/drivers/misc/cxl/irq.c
index dec60f58a767..99e2bd65825f 100644
--- a/drivers/misc/cxl/irq.c
+++ b/drivers/misc/cxl/irq.c
@@ -302,6 +302,7 @@ int afu_allocate_irqs(struct cxl_context *ctx, u32 coun= t) =20 out: cxl_ops->release_irq_ranges(&ctx->irqs, ctx->afu->adapter); + bitmap_free(ctx->irq_bitmap); afu_irq_name_free(ctx); return -ENOMEM; } --=20 2.35.1 From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id DA589C3F6B0 for ; Tue, 23 Aug 2022 08:37:00 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242041AbiHWIg5 (ORCPT ); Tue, 23 Aug 2022 04:36:57 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33054 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S243960AbiHWIdG (ORCPT ); Tue, 23 Aug 2022 04:33:06 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 285707549E; Tue, 23 Aug 2022 01:16:38 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id E56F1B81C35; Tue, 23 Aug 2022 08:15:57 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 24A38C433C1; Tue, 23 Aug 2022 08:15:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242556; bh=WmoV+L1N+fDk24WcvLpFK8jLFwah7J6ezwwEFkIDOR4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=xIrHQ1NhuIZzPdrbb3CPJ/U71bMMeLaE6bavDRutZEsXYnmqwvjSOSFzFRhG6YGbQ XH/0WatCncPSG0MYd8MBPp5+OiShCcOIoBE5VDWgECITYo3aOL+nROdPrDLB1gTUg9 tNch3g37FHfUDLN02bdE88Y4DEhAVk4WHEsq8+lI= 
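Review bot: at the out: label in the afu_allocate_irqs() hunk of patch 090, bitmap_free(ctx->irq_bitmap) leaves ctx->irq_bitmap pointing at freed memory while ctx itself outlives the -ENOMEM return. Set `ctx->irq_bitmap = NULL;` right after the free so that a later release path that frees the bitmap again cannot turn this leak fix into a double free.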
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Wentao_Liang, Song Liu, Jens Axboe, Sasha Levin
Subject: [PATCH 4.9 091/101] drivers:md:fix a potential use-after-free bug
Date: Tue, 23 Aug 2022 10:04:04 +0200
Message-Id: <20220823080038.031410756@linuxfoundation.org>
X-Mailer: git-send-email 2.37.2
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

From: Wentao_Liang

[ Upstream commit 104212471b1c1817b311771d817fb692af983173 ]

In line 2884, "raid5_release_stripe(sh);" drops the reference to sh and may cause sh to be released. However, sh is subsequently used in line 2886 "if (sh->batch_head && sh != sh->batch_head)". This may result in a use-after-free bug.

It can be fixed by moving "raid5_release_stripe(sh);" to the bottom of the function.

Signed-off-by: Wentao_Liang
Signed-off-by: Song Liu
Signed-off-by: Jens Axboe
Signed-off-by: Sasha Levin
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
---
 drivers/md/raid5.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
index b396e78b1b6d..bea171a5e663 100644
--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -2513,10 +2513,10 @@ static void raid5_end_write_request(struct bio *bi) if (!test_and_clear_bit(R5_DOUBLE_LOCKED, &sh->dev[i].flags)) clear_bit(R5_LOCKED, &sh->dev[i].flags); set_bit(STRIPE_HANDLE, &sh->state); - raid5_release_stripe(sh); =20 if (sh->batch_head && sh !=3D sh->batch_head) raid5_release_stripe(sh->batch_head); + raid5_release_stripe(sh); } =20 static void raid5_build_block(struct stripe_head *sh, int i, int previous) --=20 2.35.1 From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0B224C32772 for ; Tue, 23 Aug 2022 08:34:46 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S245561AbiHWIeo (ORCPT ); Tue, 23 Aug 2022 04:34:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60686 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1346657AbiHWIcB (ORCPT ); Tue, 23 Aug 2022 04:32:01 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1F4177539C; Tue, 23 Aug 2022 01:16:16 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 15B566134C; Tue, 23 Aug 2022 08:16:04 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id AABF0C433C1; Tue, 23 Aug 2022 08:16:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242563; bh=2htKD0ZVb8ymIyt/eORaBdYvZL9X0W3ftn7vz42gtyE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=MTj6T79ubT4o0xwsnuQaxuo/EW0ufIoTJGbyY7hkMbZzIxzYaOoeb5dJOFQ0VOuqY 
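Review bot: in the raid5_end_write_request() hunk of patch 091, correctness now depends on raid5_release_stripe(sh) staying the last statement of the function, but nothing in the code says so. Add a one-line comment above the moved call noting that it may drop the final reference and that sh must not be touched afterwards, so a later edit does not reintroduce the use-after-free.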
JsG9TQX9fExCAKDhEZR4z3E+WpiEfHzhN5MsHeR+Cbw5yYEAOLuWAoB5CR3Z4KZs7F BgBDabtyQF1yrotfhyPTXg5/M+892dTaFaYQslrg=
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Ye Bin, Jan Kara, Theodore Tso, Sasha Levin
Subject: [PATCH 4.9 092/101] ext4: avoid remove directory when directory is corrupted
Date: Tue, 23 Aug 2022 10:04:05 +0200
Message-Id: <20220823080038.061683696@linuxfoundation.org>
X-Mailer: git-send-email 2.37.2
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

From: Ye Bin

[ Upstream commit b24e77ef1c6d4dbf42749ad4903c97539cc9755a ]

Now if check directory entry is corrupted, ext4_empty_dir may return true then directory will be removed when file system mounted with "errors=continue". In order not to make things worse just return false when directory is corrupted.

Signed-off-by: Ye Bin
Reviewed-by: Jan Kara
Link: https://lore.kernel.org/r/20220622090223.682234-1-yebin10@huawei.com
Signed-off-by: Theodore Ts'o
Signed-off-by: Sasha Levin
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
---
 fs/ext4/namei.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
index 84754700ebe1..1281181215aa 100644
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -2793,11 +2793,8 @@ bool ext4_empty_dir(struct inode *inode) de =3D (struct ext4_dir_entry_2 *) (bh->b_data + (offset & (sb->s_blocksize - 1))); if (ext4_check_dir_entry(inode, NULL, de, bh, - bh->b_data, bh->b_size, offset)) { - offset =3D (offset | (sb->s_blocksize - 1)) + 1; - continue; - } - if (le32_to_cpu(de->inode)) { + bh->b_data, bh->b_size, offset) || + le32_to_cpu(de->inode)) { brelse(bh); return false; } --=20 2.35.1 From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3D92AC32772 for ; Tue, 23 Aug 2022 08:35:18 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243995AbiHWIfQ (ORCPT ); Tue, 23 Aug 2022 04:35:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35244 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1346666AbiHWIcB (ORCPT ); Tue, 23 Aug 2022 04:32:01 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 871F06D9DF; Tue, 23 Aug 2022 01:16:10 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 321F661242; Tue, 23 Aug 2022 08:16:10 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 24786C433C1; Tue, 23 Aug 2022 08:16:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242569; bh=YKgSrZytelvA7qH/EzilkzPS+8jp+NvQH+QwQtyN6Zk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=cVfvlp5StC1WZmwopAWQMI3XUFKcAR2zLwZWIOiEUGqezlWZFMCO1pFBqiwshSMlP IP4QhN53PoUApJqvNOh7TpmtMCLMOazk2HaChm82XHNk9y8VbsHtyNThW0+xhzcPcC 
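Review bot: in the ext4_empty_dir() hunk of patch 092, the merged condition returns false both for a corrupted entry (ext4_check_dir_entry() non-zero) and for a live entry (de->inode set), and nothing at the `if` marks the first case as deliberate. Add a short comment above it saying that a corrupted directory is treated as non-empty so that it is never removed under errors=continue; without it the `||` reads like a simplification that a later cleanup could split apart again.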
t3XcCgEaGwxmpQtK61D90NzvOEGSH3F48hymrmFA=
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Oleg Kiselev, Theodore Tso, Sasha Levin
Subject: [PATCH 4.9 093/101] ext4: avoid resizing to a partial cluster size
Date: Tue, 23 Aug 2022 10:04:06 +0200
Message-Id: <20220823080038.112097785@linuxfoundation.org>
X-Mailer: git-send-email 2.37.2
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

From: Kiselev, Oleg

[ Upstream commit 69cb8e9d8cd97cdf5e293b26d70a9dee3e35e6bd ]

This patch avoids an attempt to resize the filesystem to an unaligned cluster boundary. An online resize to a size that is not integral to cluster size results in the last iteration attempting to grow the fs by a negative amount, which trips a BUG_ON and leaves the fs with a corrupted in-memory superblock.

Signed-off-by: Oleg Kiselev
Link: https://lore.kernel.org/r/0E92A0AB-4F16-4F1A-94B7-702CC6504FDE@amazon.com
Signed-off-by: Theodore Ts'o
Signed-off-by: Sasha Levin
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
---
 fs/ext4/resize.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
index 60984bc54d55..e4f02572f69d 100644
--- a/fs/ext4/resize.c
+++ b/fs/ext4/resize.c
@@ -1941,6 +1941,16 @@ int ext4_resize_fs(struct super_block *sb, ext4_fsbl= k_t n_blocks_count) } brelse(bh); =20 + /* + * For bigalloc, trim the requested size to the nearest cluster + * boundary to avoid creating an unusable filesystem. We do this + * silently, instead of returning an error, to avoid breaking + * callers that blindly resize the filesystem to the full size of + * the underlying block device. + */ + if (ext4_has_feature_bigalloc(sb)) + n_blocks_count &=3D ~((1 << EXT4_CLUSTER_BITS(sb)) - 1); + retry: o_blocks_count =3D ext4_blocks_count(es); =20 --=20 2.35.1 From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 949C9C32772 for ; Tue, 23 Aug 2022 08:37:35 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344854AbiHWIhd (ORCPT ); Tue, 23 Aug 2022 04:37:33 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40324 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344853AbiHWIfd (ORCPT ); Tue, 23 Aug 2022 04:35:33 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2324D75FC2; Tue, 23 Aug 2022 01:16:45 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id CF1FBB81C29; Tue, 23 Aug 2022 08:16:19 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 31D67C433D6; Tue, 23 Aug 2022 08:16:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242578; bh=nKTuBtM4erHTsf5Z3wnlxZdKoymi6bvTtcHKXHd7hkU=; 
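Review bot: in the ext4_resize_fs() hunk of patch 093, the mask in `n_blocks_count &= ~((1 << EXT4_CLUSTER_BITS(sb)) - 1);` is computed as an int and then applied to the 64-bit ext4_fsblk_t parameter, so the upper 32 bits of n_blocks_count survive only because the negative int is sign-extended; changing the literal to `1U` later would silently clear them. Build the mask in the target type instead, for example `~(((ext4_fsblk_t)1 << EXT4_CLUSTER_BITS(sb)) - 1)`.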
h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=nvNl2VA8ZfxuAwTtlEUYVHRROWXpl+aEwRW9IekVi8Nh8WIpqOyVbzNn3uk2yPmuj 9id3AT3LTjN8wIYPYaAVjEMEtyl4AOiWA2IqaeWiOeadRY5IPSHxSMmqFM84QOdzDf ztfVhIHuHtBWSk1N4KqCHKVUqasc6n4+XpfamsBg=
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Timur Tabi, Liang He, Sasha Levin
Subject: [PATCH 4.9 094/101] tty: serial: Fix refcount leak bug in ucc_uart.c
Date: Tue, 23 Aug 2022 10:04:07 +0200
Message-Id: <20220823080038.148330039@linuxfoundation.org>
X-Mailer: git-send-email 2.37.2
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

From: Liang He

[ Upstream commit d24d7bb2cd947676f9b71fb944d045e09b8b282f ]

In soc_info(), of_find_node_by_type() will return a node pointer with refcount incremented. We should use of_node_put() when it is not used anymore.

Acked-by: Timur Tabi
Signed-off-by: Liang He
Link: https://lore.kernel.org/r/20220618060850.4058525-1-windhl@126.com
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Sasha Levin
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
---
 drivers/tty/serial/ucc_uart.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/tty/serial/ucc_uart.c b/drivers/tty/serial/ucc_uart.c
index 481eb2989a1e..ed1658b61e54 100644
--- a/drivers/tty/serial/ucc_uart.c
+++ b/drivers/tty/serial/ucc_uart.c
@@ -1143,6 +1143,8 @@ static unsigned int soc_info(unsigned int *rev_h, uns= igned int *rev_l) /* No compatible property, so try the name. */ soc_string =3D np->name; =20 + of_node_put(np); + /* Extract the SOC number from the "PowerPC," string */ if ((sscanf(soc_string, "PowerPC,%u", &soc) !=3D 1) || !soc) return 0; --=20 2.35.1 From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7C69BC32792 for ; Tue, 23 Aug 2022 08:36:53 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344413AbiHWIf3 (ORCPT ); Tue, 23 Aug 2022 04:35:29 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60694 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1347254AbiHWIcS (ORCPT ); Tue, 23 Aug 2022 04:32:18 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AEAE4FEF; Tue, 23 Aug 2022 01:16:26 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id CCBF4B81C36; Tue, 23 Aug 2022 08:16:25 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3E957C433C1; Tue, 23 Aug 2022 08:16:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242584; bh=j3Uq1S6p1wxJpc6tFreDzh8tlF7KqJESrAe7E/cF9bg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=XEfW3uGWgZC8JSvw8Hs5+lLI8uPWiORQw7fyFZ/YKLrdlBt8Y47cY+U8G2w8DUU9t w8YAjr96vBF4x7CS927PKegBVc48Pzj7aVnVu7P3GIX0AI2/NBnITaHLPbeJA3lzEn Ic2/k+Mn9ZPo7FqGE3cIPuEGLyJ3b+vv2PsqZJck= 
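Review bot: in the soc_info() hunk of patch 094, the new of_node_put(np) sits between `soc_string = np->name;` and the sscanf(soc_string, ...) that reads it, so the string is used after the reference that keeps the node and its name alive has been dropped. Move the of_node_put(np) to after the sscanf() check, putting the node on both the `return 0` path and the fall-through path.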
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Schspa Shi, Cornelia Huck, Alex Williamson, Sasha Levin
Subject: [PATCH 4.9 095/101] vfio: Clear the caps->buf to NULL after free
Date: Tue, 23 Aug 2022 10:04:08 +0200
Message-Id: <20220823080038.199805303@linuxfoundation.org>
X-Mailer: git-send-email 2.37.2
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

From: Schspa Shi

[ Upstream commit 6641085e8d7b3f061911517f79a2a15a0a21b97b ]

On buffer resize failure, vfio_info_cap_add() will free the buffer, report zero for the size, and return -ENOMEM. As additional hardening, also clear the buffer pointer to prevent any chance of a double free.

Signed-off-by: Schspa Shi
Reviewed-by: Cornelia Huck
Link: https://lore.kernel.org/r/20220629022948.55608-1-schspa@gmail.com
Signed-off-by: Alex Williamson
Signed-off-by: Sasha Levin
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
---
 drivers/vfio/vfio.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c
index 881fc3a55edc..5798965f42b5 100644
--- a/drivers/vfio/vfio.c
+++ b/drivers/vfio/vfio.c
@@ -1793,6 +1793,7 @@ struct vfio_info_cap_header *vfio_info_cap_add(struct= vfio_info_cap *caps, buf =3D krealloc(caps->buf, caps->size + size, GFP_KERNEL); if (!buf) { kfree(caps->buf); + caps->buf =3D NULL; caps->size =3D 0; return ERR_PTR(-ENOMEM); } --=20 2.35.1 From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A713EC3F6B0 for ; Tue, 23 Aug 2022 08:36:53 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345124AbiHWIfe (ORCPT ); Tue, 23 Aug 2022 04:35:34 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60876 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S243485AbiHWIcX (ORCPT ); Tue, 23 Aug 2022 04:32:23 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id ADD1C67459; Tue, 23 Aug 2022 01:16:32 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 94FD4612DA; Tue, 23 Aug 2022 08:16:31 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 86D34C433C1; Tue, 23 Aug 2022 08:16:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242591; bh=/tKUeDNsWC4TjtU5BAtVdURhSCpADm0fbCBQrx2Hg4k=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Qn3Zip0bbzXZZ5wOcZwAzIFmjUmLpBhOX4XwcHM0qRsQzJcMgZb7cbfSslXxGz+3Q 51EobrpSBfuNloYlLlPxlSiavfvSsUgKGPapjkiwYXNTJAVProgQq83tE94AFe5lyT ZJrXYURE+i4FahViqRXCRW7v5LIWVhfeU5K6npjk= 
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Liang He, Thomas Bogendoerfer, Sasha Levin
Subject: [PATCH 4.9 096/101] mips: cavium-octeon: Fix missing of_node_put() in octeon2_usb_clocks_start
Date: Tue, 23 Aug 2022 10:04:09 +0200
Message-Id: <20220823080038.235159132@linuxfoundation.org>
X-Mailer: git-send-email 2.37.2
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

From: Liang He

[ Upstream commit 7a9f743ceead60ed454c46fbc3085ee9a79cbebb ]

We should call of_node_put() for the reference 'uctl_node' returned by of_get_parent() which will increase the refcount. Otherwise, there will be a refcount leak bug.

Signed-off-by: Liang He
Signed-off-by: Thomas Bogendoerfer
Signed-off-by: Sasha Levin
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
---
 arch/mips/cavium-octeon/octeon-platform.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/mips/cavium-octeon/octeon-platform.c b/arch/mips/cavium-o= cteon/octeon-platform.c
index 2ecc8d1b0539..f295be876390 100644
--- a/arch/mips/cavium-octeon/octeon-platform.c
+++ b/arch/mips/cavium-octeon/octeon-platform.c
@@ -130,11 +130,12 @@ static void octeon2_usb_clocks_start(struct device *d= ev) "refclk-frequency", &clock_rate); if (i) { dev_err(dev, "No UCTL \"refclk-frequency\"\n"); + of_node_put(uctl_node); goto exit; } i =3D of_property_read_string(uctl_node, "refclk-type", &clock_type); - + of_node_put(uctl_node); if (!i && strcmp("crystal", clock_type) =3D=3D 0) is_crystal_clock =3D true; } --=20 2.35.1 From nobody Tue Apr 14 12:54:07 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8FD75C32772 for ; Tue, 23 Aug 2022 08:38:40 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344327AbiHWIii (ORCPT ); Tue, 23 Aug 2022 04:38:38 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33500 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244479AbiHWIdg (ORCPT ); Tue, 23 Aug 2022 04:33:36 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4A5DA754BC; Tue, 23 Aug 2022 01:16:38 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id CC0F961242; Tue, 23 Aug 2022 08:16:37 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id DBBD9C433C1; Tue, 23 Aug 2022 08:16:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242597; bh=iS9yqPrrykOoJinZudE3RI49uScGLU+2ThjG/LbrXTs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=rU6Bq8tOgsHx+TQiWEjZs9Ck+7zuFTaUtnitz3G/MpHlbJ3W8Hz/cpKshudUtsV4v 08zqNajXUconTh41jqi8uab8OQ/pSaSJncZP6BJ1pVpLdcHjHdLGwGKbhxaSqpX6Gu 
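Review bot: in the octeon2_usb_clocks_start() hunk of patch 096, the second of_node_put(uctl_node) comes right after of_property_read_string() stored a pointer into the node's property data in clock_type, and strcmp("crystal", clock_type) then reads that pointer after the put. Do the strcmp() first and put the node afterwards. The hunk also drops the blank line after the of_property_read_string() call, which is unrelated to the fix and is better left in place.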
cTctmKxAD4ZeYJWmWMjB5nzW+hsNQfpHRaquRtJE=
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Takashi Iwai, Sasha Levin
Subject: [PATCH 4.9 097/101] ALSA: core: Add async signal helpers
Date: Tue, 23 Aug 2022 10:04:10 +0200
Message-Id: <20220823080038.265741569@linuxfoundation.org>
X-Mailer: git-send-email 2.37.2
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
References: <20220823080034.579196046@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

From: Takashi Iwai

[ Upstream commit ef34a0ae7a2654bc9e58675e36898217fb2799d8 ]

Currently the call of kill_fasync() from an interrupt handler might lead to potential spin deadlocks, as spotted by syzkaller. Unfortunately, it's not so trivial to fix this lock chain as it's involved with the tasklist_lock that is touched in allover places.

As a temporary workaround, this patch provides the way to defer the async signal notification in a work. The new helper functions, snd_fasync_helper() and snd_kill_fasync() are replacements for fasync_helper() and kill_fasync(), respectively. In addition, snd_fasync_free() needs to be called at the destructor of the relevant file object.

Link: https://lore.kernel.org/r/20220728125945.29533-2-tiwai@suse.de
Signed-off-by: Takashi Iwai
Signed-off-by: Sasha Levin
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
---
 include/sound/core.h | 8 ++++
 sound/core/misc.c | 94 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 102 insertions(+)

diff --git a/include/sound/core.h b/include/sound/core.h
index 31079ea5e484..d5d0e5e53920 100644
--- a/include/sound/core.h
+++ b/include/sound/core.h
@@ -457,4 +457,12 @@ snd_pci_quirk_lookup_id(u16 vendor, u16 device, } #endif =20 +/* async signal helpers */ +struct snd_fasync; + +int snd_fasync_helper(int fd, struct file *file, int on, + struct snd_fasync **fasyncp); +void snd_kill_fasync(struct snd_fasync *fasync, int signal, int poll); +void snd_fasync_free(struct snd_fasync *fasync); + #endif /* __SOUND_CORE_H */ diff --git a/sound/core/misc.c b/sound/core/misc.c index f2e8226c88fb..efe26b8ca57f 100644 --- a/sound/core/misc.c +++ b/sound/core/misc.c @@ -25,6 +25,7 @@ #include #include #include +#include #include =20 #ifdef CONFIG_SND_DEBUG 
@@ -153,3 +154,96 @@ snd_pci_quirk_lookup(struct pci_dev *pci, const struct= snd_pci_quirk *list) } EXPORT_SYMBOL(snd_pci_quirk_lookup); #endif + +/* + * Deferred async signal helpers + * + * Below are a few helper functions to wrap the async signal handling + * in the deferred work. The main purpose is to avoid the messy deadlock + * around tasklist_lock and co at the kill_fasync() invocation. + * fasync_helper() and kill_fasync() are replaced with snd_fasync_helper() + * and snd_kill_fasync(), respectively. In addition, snd_fasync_free() has + * to be called at releasing the relevant file object. + */ +struct snd_fasync { + struct fasync_struct *fasync; + int signal; + int poll; + int on; + struct list_head list; +}; + +static DEFINE_SPINLOCK(snd_fasync_lock); +static LIST_HEAD(snd_fasync_list); + +static void snd_fasync_work_fn(struct work_struct *work) +{ + struct snd_fasync *fasync; + + spin_lock_irq(&snd_fasync_lock); + while (!list_empty(&snd_fasync_list)) { + fasync =3D list_first_entry(&snd_fasync_list, struct snd_fasync, list); + list_del_init(&fasync->list); + spin_unlock_irq(&snd_fasync_lock); + if (fasync->on) + kill_fasync(&fasync->fasync, fasync->signal, fasync->poll); + spin_lock_irq(&snd_fasync_lock); + } + spin_unlock_irq(&snd_fasync_lock); +} + +static DECLARE_WORK(snd_fasync_work, snd_fasync_work_fn); + +int snd_fasync_helper(int fd, struct file *file, int on, + struct snd_fasync **fasyncp) +{ + struct snd_fasync *fasync =3D NULL; + + if (on) { + fasync =3D kzalloc(sizeof(*fasync), GFP_KERNEL); + if (!fasync) + return -ENOMEM; + INIT_LIST_HEAD(&fasync->list); + } + + spin_lock_irq(&snd_fasync_lock); + if (*fasyncp) { + kfree(fasync); + fasync =3D *fasyncp; + } else { + if (!fasync) { + spin_unlock_irq(&snd_fasync_lock); + return 0; + } + *fasyncp =3D fasync; + } + fasync->on =3D on; + spin_unlock_irq(&snd_fasync_lock); + return fasync_helper(fd, file, on, &fasync->fasync); +} +EXPORT_SYMBOL_GPL(snd_fasync_helper); + +void snd_kill_fasync(struct 
snd_fasync *fasync, int signal, int poll) +{ + unsigned long flags; + + if (!fasync || !fasync->on) + return; + spin_lock_irqsave(&snd_fasync_lock, flags); + fasync->signal =3D signal; + fasync->poll =3D poll; + list_move(&fasync->list, &snd_fasync_list); + schedule_work(&snd_fasync_work); + spin_unlock_irqrestore(&snd_fasync_lock, flags); +} +EXPORT_SYMBOL_GPL(snd_kill_fasync); + +void snd_fasync_free(struct snd_fasync *fasync) +{ + if (!fasync) + return; + fasync->on =3D 0; + flush_work(&snd_fasync_work); + kfree(fasync); +} +EXPORT_SYMBOL_GPL(snd_fasync_free); --=20 2.35.1
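Review bot: In snd_kill_fasync() the fasync->on test runs before snd_fasync_lock is taken, while snd_fasync_free() clears on, calls flush_work() and then kfree()s without ever taking the lock. A snd_kill_fasync() that passed the test just before release can therefore list_move() the entry onto snd_fasync_list and schedule the work after the flush has returned, leaving snd_fasync_work_fn() to walk a freed entry. Test on under snd_fasync_lock in snd_kill_fasync() and clear it under the same lock in snd_fasync_free(), or state in the header comment that every caller must have stopped all snd_kill_fasync() sources before calling snd_fasync_free().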
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+1ee0910eca9c94f71f25@syzkaller.appspotmail.com, syzbot+49b10793b867871ee26f@syzkaller.appspotmail.com, syzbot+8285e973a41b5aa68902@syzkaller.appspotmail.com, Takashi Iwai, Sasha Levin
Subject: [PATCH 4.9 098/101] ALSA: timer: Use deferred fasync helper
Date: Tue, 23 Aug 2022 10:04:11 +0200
Message-Id: <20220823080038.296659025@linuxfoundation.org>

From: Takashi Iwai

[ Upstream commit 95cc637c1afd83fb7dd3d7c8a53710488f4caf9c ]

For avoiding the potential deadlock via kill_fasync() call, use the new
fasync helpers to defer the invocation from PCI API. Note that it's
merely a workaround.

Reported-by: syzbot+1ee0910eca9c94f71f25@syzkaller.appspotmail.com
Reported-by: syzbot+49b10793b867871ee26f@syzkaller.appspotmail.com
Reported-by: syzbot+8285e973a41b5aa68902@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/20220728125945.29533-3-tiwai@suse.de
Signed-off-by: Takashi Iwai
Signed-off-by: Sasha Levin
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
---
 sound/core/timer.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/sound/core/timer.c b/sound/core/timer.c index 596ba572d6c4..1f5f05e76e59 100644 --- a/sound/core/timer.c +++ b/sound/core/timer.c
@@ -74,7 +74,7 @@ struct snd_timer_user { unsigned int filter; struct timespec tstamp; /* trigger tstamp */ wait_queue_head_t qchange_sleep; - struct fasync_struct *fasync; + struct snd_fasync *fasync; struct mutex ioctl_lock; }; =20 @@ -1293,7 +1293,7 @@ static void snd_timer_user_interrupt(struct snd_timer= _instance *timeri, } __wake: spin_unlock(&tu->qlock); - kill_fasync(&tu->fasync, SIGIO, POLL_IN); + snd_kill_fasync(tu->fasync, SIGIO, POLL_IN); wake_up(&tu->qchange_sleep); } =20 @@ -1330,7 +1330,7 @@ static void snd_timer_user_ccallback(struct snd_timer= _instance *timeri, spin_lock_irqsave(&tu->qlock, flags); snd_timer_user_append_to_tqueue(tu, &r1); spin_unlock_irqrestore(&tu->qlock, flags); - kill_fasync(&tu->fasync, SIGIO, POLL_IN); + snd_kill_fasync(tu->fasync, SIGIO, POLL_IN); wake_up(&tu->qchange_sleep); } =20 @@ -1397,7 +1397,7 @@ static void snd_timer_user_tinterrupt(struct snd_time= r_instance *timeri, spin_unlock(&tu->qlock); if (append =3D=3D 0) return; - kill_fasync(&tu->fasync, SIGIO, POLL_IN); + snd_kill_fasync(tu->fasync, SIGIO, POLL_IN); wake_up(&tu->qchange_sleep); } =20 @@ -1439,6 +1439,7 @@ static int snd_timer_user_release(struct inode *inode= , struct file *file) if (tu->timeri) snd_timer_close(tu->timeri); mutex_unlock(&tu->ioctl_lock); + snd_fasync_free(tu->fasync); kfree(tu->queue); kfree(tu->tqueue); kfree(tu); 
@@ -2026,7 +2027,7 @@ static int snd_timer_user_fasync(int fd, struct file = * file, int on) struct snd_timer_user *tu; =20 tu =3D file->private_data; - return fasync_helper(fd, file, on, &tu->fasync); + return snd_fasync_helper(fd, file, on, &tu->fasync); } =20 static ssize_t snd_timer_user_read(struct file *file, char __user *buffer, --=20 2.35.1
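Review bot: In the snd_timer_user_release() hunk, the placement of snd_fasync_free(tu->fasync) after snd_timer_close(tu->timeri) carries an ordering requirement that the code does not state. The free relies on the timer instance being closed first, so that none of the three callbacks converted above (snd_timer_user_interrupt(), snd_timer_user_ccallback(), snd_timer_user_tinterrupt()) can still call snd_kill_fasync() on tu->fasync. Add a short comment at the call saying it must stay after the close, since moving it earlier would allow an entry to be queued while it is being freed.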
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Michael Ellerman, Zhouyi Zhou, Sasha Levin
Subject: [PATCH 4.9 099/101] powerpc/64: Init jump labels before parse_early_param()
Date: Tue, 23 Aug 2022 10:04:12 +0200
Message-Id: <20220823080038.336486008@linuxfoundation.org>

From: Zhouyi Zhou

[ Upstream commit ca829e05d3d4f728810cc5e4b468d9ebc7745eb3 ]

On 64-bit, calling jump_label_init() in setup_feature_keys() is too
late because static keys may be used in subroutines of
parse_early_param() which is again subroutine of early_init_devtree().

For example booting with "threadirqs":

  static_key_enable_cpuslocked(): static key '0xc000000002953260' used before call to jump_label_init()
  WARNING: CPU: 0 PID: 0 at kernel/jump_label.c:166 static_key_enable_cpuslocked+0xfc/0x120
  ...
  NIP static_key_enable_cpuslocked+0xfc/0x120
  LR  static_key_enable_cpuslocked+0xf8/0x120
  Call Trace:
    static_key_enable_cpuslocked+0xf8/0x120 (unreliable)
    static_key_enable+0x30/0x50
    setup_forced_irqthreads+0x28/0x40
    do_early_param+0xa0/0x108
    parse_args+0x290/0x4e0
    parse_early_options+0x48/0x5c
    parse_early_param+0x58/0x84
    early_init_devtree+0xd4/0x518
    early_setup+0xb4/0x214

So call jump_label_init() just before parse_early_param() in
early_init_devtree().

Suggested-by: Michael Ellerman
Signed-off-by: Zhouyi Zhou
[mpe: Add call trace to change log and minor wording edits.]
Signed-off-by: Michael Ellerman
Link: https://lore.kernel.org/r/20220726015747.11754-1-zhouzhouyi@gmail.com
Signed-off-by: Sasha Levin
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
---
 arch/powerpc/kernel/prom.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/arch/powerpc/kernel/prom.c b/arch/powerpc/kernel/prom.c index 11b4ecec04ee..1413d72689d2 100644 --- a/arch/powerpc/kernel/prom.c +++ b/arch/powerpc/kernel/prom.c
@@ -682,6 +682,13 @@ void __init early_init_devtree(void *params) of_scan_flat_dt(early_init_dt_scan_root, NULL); of_scan_flat_dt(early_init_dt_scan_memory_ppc, NULL); =20 + /* + * As generic code authors expect to be able to use static keys + * in early_param() handlers, we initialize the static keys just + * before parsing early params (it's fine to call jump_label_init() + * more than once). + */ + jump_label_init(); parse_early_param(); =20 /* make sure we've parsed cmdline for mem=3D before this */ --=20 2.35.1
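Review bot: The added comment in early_init_devtree() asserts that calling jump_label_init() more than once is fine, but nothing in this hunk shows that it holds for the 4.9 tree. The patch only adds lines, so the existing call in setup_feature_keys() named in the commit message still runs afterwards. Confirm that the 4.9 jump_label_init() tolerates a second call, and say in the comment what makes it safe rather than only stating that it is.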
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Zheyu Ma, Helge Deller, Sasha Levin
Subject: [PATCH 4.9 100/101] video: fbdev: i740fb: Check the argument of i740_calc_vclk()
Date: Tue, 23 Aug 2022 10:04:13 +0200
Message-Id: <20220823080038.368413437@linuxfoundation.org>

From: Zheyu Ma

[ Upstream commit 40bf722f8064f50200b8c4f8946cd625b441dda9 ]

Since the user can control the arguments of the ioctl() from the user
space, under special arguments that may result in a divide-by-zero bug.

If the user provides an improper 'pixclock' value that makes the argument
of i740_calc_vclk() less than 'I740_RFREQ_FIX', it will cause a
divide-by-zero bug in:

  drivers/video/fbdev/i740fb.c:353
    p_best = min(15, ilog2(I740_MAX_VCO_FREQ / (freq / I740_RFREQ_FIX)));

The following log can reveal it:

  divide error: 0000 [#1] PREEMPT SMP KASAN PTI
  RIP: 0010:i740_calc_vclk drivers/video/fbdev/i740fb.c:353 [inline]
  RIP: 0010:i740fb_decode_var drivers/video/fbdev/i740fb.c:646 [inline]
  RIP: 0010:i740fb_set_par+0x163f/0x3b70 drivers/video/fbdev/i740fb.c:742
  Call Trace:
   fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1034
   do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1110
   fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1189

Fix this by checking the argument of i740_calc_vclk() first.

Signed-off-by: Zheyu Ma
Signed-off-by: Helge Deller
Signed-off-by: Sasha Levin Reported-by: Linux Kernel Functional Testing Tested-by: Shuah Khan --- drivers/video/fbdev/i740fb.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/video/fbdev/i740fb.c b/drivers/video/fbdev/i740fb.c index 7bc5f6056c77..4147a9534179 100644 --- a/drivers/video/fbdev/i740fb.c +++ b/drivers/video/fbdev/i740fb.c @@ -399,7 +399,7 @@ static int i740fb_decode_var(const struct fb_var_screen= info *var, u32 xres, right, hslen, left, xtotal; u32 yres, lower, vslen, upper, ytotal; u32 vxres, xoffset, vyres, yoffset; - u32 bpp, base, dacspeed24, mem; + u32 bpp, base, dacspeed24, mem, freq; u8 r7; int i; =20 
@@ -641,7 +641,12 @@ static int i740fb_decode_var(const struct fb_var_scree= ninfo *var, par->atc[VGA_ATC_OVERSCAN] =3D 0; =20 /* Calculate VCLK that most closely matches the requested dot clock */ - i740_calc_vclk((((u32)1e9) / var->pixclock) * (u32)(1e3), par); + freq =3D (((u32)1e9) / var->pixclock) * (u32)(1e3); + if (freq < I740_RFREQ_FIX) { + fb_dbg(info, "invalid pixclock\n"); + freq =3D I740_RFREQ_FIX; + } + i740_calc_vclk(freq, par); =20 /* Since we program the clocks ourselves, always use VCLK2. */ par->misc |=3D 0x0C; --=20 2.35.1
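Review bot: In the second i740fb_decode_var() hunk, the new freq assignment still divides by var->pixclock before the freq < I740_RFREQ_FIX check, so a pixclock of 0 arriving through the same ioctl() path faults on this line instead of inside i740_calc_vclk(). Reject var->pixclock == 0 with -EINVAL before the division, unless an earlier check in this function already does so outside the visible context. Clamping to I740_RFREQ_FIX with only an fb_dbg() message also means an out-of-range pixclock is accepted and programmed silently; returning an error would let the caller see that the requested mode was refused.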
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, "Sudip Mukherjee (Codethink)", Nathan Chancellor, Thomas Bogendoerfer, Sasha Levin
Subject: [PATCH 4.9 101/101] MIPS: tlbex: Explicitly compare _PAGE_NO_EXEC against 0
Date: Tue, 23 Aug 2022 10:04:14 +0200
Message-Id: <20220823080038.398671207@linuxfoundation.org>

From: Nathan Chancellor

[ Upstream commit 74de14fe05dd6b151d73cb0c73c8ec874cbdcde6 ]

When CONFIG_XPA is enabled, Clang warns:

  arch/mips/mm/tlbex.c:629:24: error: converting the result of '<<' to a boolean; did you mean '(1 << _PAGE_NO_EXEC_SHIFT) != 0'? [-Werror,-Wint-in-bool-context]
          if (cpu_has_rixi && !!_PAGE_NO_EXEC) {
                                ^
  arch/mips/include/asm/pgtable-bits.h:174:28: note: expanded from macro '_PAGE_NO_EXEC'
  # define _PAGE_NO_EXEC          (1 << _PAGE_NO_EXEC_SHIFT)
                                     ^
  arch/mips/mm/tlbex.c:2568:24: error: converting the result of '<<' to a boolean; did you mean '(1 << _PAGE_NO_EXEC_SHIFT) != 0'? [-Werror,-Wint-in-bool-context]
          if (!cpu_has_rixi || !_PAGE_NO_EXEC) {
                                ^
  arch/mips/include/asm/pgtable-bits.h:174:28: note: expanded from macro '_PAGE_NO_EXEC'
  # define _PAGE_NO_EXEC          (1 << _PAGE_NO_EXEC_SHIFT)
                                     ^
  2 errors generated.

_PAGE_NO_EXEC can be '0' or '1 << _PAGE_NO_EXEC_SHIFT' depending on the
build and runtime configuration, which is what the negation operators
are trying to convey. To silence the warning, explicitly compare against
0 so the result of the '<<' operator is not implicitly converted to a
boolean.

According to its documentation, GCC enables -Wint-in-bool-context with
-Wall but this warning is not visible when building the same
configuration with GCC. It appears GCC only warns when compiling C++,
not C, although the documentation makes no note of this:
https://godbolt.org/z/x39q3brxf

Reported-by: Sudip Mukherjee (Codethink)
Signed-off-by: Nathan Chancellor
Signed-off-by: Thomas Bogendoerfer
Signed-off-by: Sasha Levin
Reported-by: Linux Kernel Functional Testing
Tested-by: Shuah Khan
---
 arch/mips/mm/tlbex.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/mips/mm/tlbex.c b/arch/mips/mm/tlbex.c index f625fd20b21e..65fed205383e 100644 --- a/arch/mips/mm/tlbex.c +++ b/arch/mips/mm/tlbex.c
@@ -637,7 +637,7 @@ static __maybe_unused void build_convert_pte_to_entrylo= (u32 **p, return; } =20 - if (cpu_has_rixi && !!_PAGE_NO_EXEC) { + if (cpu_has_rixi && _PAGE_NO_EXEC !=3D 0) { if (fill_includes_sw_bits) { UASM_i_ROTR(p, reg, reg, ilog2(_PAGE_GLOBAL)); } else { @@ -2518,7 +2518,7 @@ static void check_pabits(void) unsigned long entry; unsigned pabits, fillbits; =20 - if (!cpu_has_rixi || !_PAGE_NO_EXEC) { + if (!cpu_has_rixi || _PAGE_NO_EXEC =3D=3D 0) { /* * We'll only be making use of the fact that we can rotate bits * into the fill if the CPU supports RIXI, so don't bother --=20 2.35.1