From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Helge Deller
Subject: [PATCH 4.9 01/31] parisc: Fix exception handler for fldw and fstw instructions
Date: Fri, 2 Sep 2022 14:18:27 +0200
Message-Id: <20220902121356.799456924@linuxfoundation.org>
In-Reply-To: <20220902121356.732130937@linuxfoundation.org>
References: <20220902121356.732130937@linuxfoundation.org>

From: Helge Deller

commit 7ae1f5508d9a33fd58ed3059bd2d569961e3b8bd upstream.

The exception handler is broken for unaligned memory accesses with fldw and fstw instructions, because it trashes or uses randomly some other floating point register than the one specified in the instruction word on loads and stores.

The instruction "fldw 0(addr),%fr22L" (and the other fldw/fstw instructions) encode the target register (%fr22) in the rightmost 5 bits of the instruction word. The 7th rightmost bit of the instruction word defines if the left or right half of %fr22 should be used.

While processing unaligned address accesses, the FR3() define is used to extract the offset into the local floating-point register set. But the calculation in FR3() was buggy, so that for example instead of %fr22, register %fr12 [((22 * 2) & 0x1f) = 12] was used.

This bug has been since forever in the parisc kernel and I wonder why it wasn't detected earlier. Interestingly I noticed this bug just because the libime debian package failed to build on *native* hardware, while it successfully built in qemu.

This patch corrects the bitshift and masking calculation in FR3().

Signed-off-by: Helge Deller
Cc:
Signed-off-by: Greg Kroah-Hartman
Tested-by: Florian Fainelli
Tested-by: Guenter Roeck
Tested-by: Linux Kernel Functional Testing
Tested-by: Pavel Machek (CIP)
Tested-by: Shuah Khan
---
 arch/parisc/kernel/unaligned.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/parisc/kernel/unaligned.c +++ b/arch/parisc/kernel/unaligned.c
@@ -120,7 +120,7 @@ #define R1(i) (((i)>>21)&0x1f) #define R2(i) (((i)>>16)&0x1f) #define R3(i) ((i)&0x1f) -#define FR3(i) ((((i)<<1)&0x1f)|(((i)>>6)&1)) +#define FR3(i) ((((i)&0x1f)<<1)|(((i)>>6)&1)) #define IM(i,n) (((i)>>1&((1<<(n-1))-1))|((i)&1?((0-1L)<<(n-1)):0)) #define IM5_2(i) IM((i)>>16,5) #define IM5_3(i) IM((i),5)
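
Review bot: the corrected FR3() in arch/parisc/kernel/unaligned.c carries no comment on its bit layout, and it is the only macro in this group whose result is wider than five bits: `((i)&0x1f)<<1` gives the register number times two and `((i)>>6)&1` adds the half-select bit, so the value ranges over 0..63 where R1/R2/R3 stay within 0..31. A one-line comment above the define stating that (and that the mask must come before the shift) would keep the old shift-then-mask ordering from being reintroduced, and whatever is indexed with FR3() should be checked to hold 64 entries.
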
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Xin Xiong, Xin Tan, Steffen Klassert, Sasha Levin
Subject: [PATCH 4.9 02/31] xfrm: fix refcount leak in __xfrm_policy_check()
Date: Fri, 2 Sep 2022 14:18:28 +0200
Message-Id: <20220902121356.838472344@linuxfoundation.org>
In-Reply-To: <20220902121356.732130937@linuxfoundation.org>
References: <20220902121356.732130937@linuxfoundation.org>

From: Xin Xiong

[ Upstream commit 9c9cb23e00ddf45679b21b4dacc11d1ae7961ebe ]

The issue happens on an error path in __xfrm_policy_check(). When the fetching process of the object `pols[1]` fails, the function simply returns 0, forgetting to decrement the reference count of `pols[0]`, which is incremented earlier by either xfrm_sk_policy_lookup() or xfrm_policy_lookup(). This may result in memory leaks.

Fix it by decreasing the reference count of `pols[0]` in that path.

Fixes: 134b0fc544ba ("IPsec: propagate security module errors up from flow_cache_lookup")
Signed-off-by: Xin Xiong
Signed-off-by: Xin Tan
Signed-off-by: Steffen Klassert
Signed-off-by: Sasha Levin
Tested-by: Florian Fainelli
Tested-by: Guenter Roeck
Tested-by: Linux Kernel Functional Testing
Tested-by: Pavel Machek (CIP)
Tested-by: Shuah Khan
---
 net/xfrm/xfrm_policy.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 0894108f561cb..ae90a273475c0 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c
@@ -2538,6 +2538,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, str= uct sk_buff *skb, if (pols[1]) { if (IS_ERR(pols[1])) { XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR); + xfrm_pol_put(pols[0]); return 0; } pols[1]->curlft.use_time =3D get_seconds(); --=20 2.35.1
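
Review bot: in the `IS_ERR(pols[1])` branch of __xfrm_policy_check() the new `xfrm_pol_put(pols[0])` is open-coded directly before `return 0`, which is the same per-branch pattern that let this exit miss the put in the first place. The hunk shows only this one return; the other early returns that follow the pols[0] lookup are worth checking for the same omission in this backport, and a single exit label that drops the reference would make the get/put pairing structural rather than per-branch.
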
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Abhishek Shah, Herbert Xu, Steffen Klassert, Sasha Levin
Subject: [PATCH 4.9 03/31] af_key: Do not call xfrm_probe_algs in parallel
Date: Fri, 2 Sep 2022 14:18:29 +0200
Message-Id: <20220902121356.874120507@linuxfoundation.org>
In-Reply-To: <20220902121356.732130937@linuxfoundation.org>
References: <20220902121356.732130937@linuxfoundation.org>

From: Herbert Xu

[ Upstream commit ba953a9d89a00c078b85f4b190bc1dde66fe16b5 ]

When namespace support was added to xfrm/afkey, it caused the previously single-threaded call to xfrm_probe_algs to become multi-threaded. This is buggy and needs to be fixed with a mutex.

Reported-by: Abhishek Shah
Fixes: 283bc9f35bbb ("xfrm: Namespacify xfrm state/policy locks")
Signed-off-by: Herbert Xu
Signed-off-by: Steffen Klassert
Signed-off-by: Sasha Levin
Tested-by: Florian Fainelli
Tested-by: Guenter Roeck
Tested-by: Linux Kernel Functional Testing
Tested-by: Pavel Machek (CIP)
Tested-by: Shuah Khan
---
 net/key/af_key.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/key/af_key.c b/net/key/af_key.c index 0737fc7b7ebdb..88d4a3a02ab72 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c
@@ -1724,9 +1724,12 @@ static int pfkey_register(struct sock *sk, struct sk= _buff *skb, const struct sad pfk->registered |=3D (1<sadb_msg_satype); } =20 + mutex_lock(&pfkey_mutex); xfrm_probe_algs(); =20 supp_skb =3D compose_sadb_supported(hdr, GFP_KERNEL | __GFP_ZERO); + mutex_unlock(&pfkey_mutex); + if (!supp_skb) { if (hdr->sadb_msg_satype !=3D SADB_SATYPE_UNSPEC) pfk->registered &=3D ~(1<sadb_msg_satype); --=20 2.35.1
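
Review bot: the critical section added to pfkey_register() covers compose_sadb_supported() as well as xfrm_probe_algs(), but the commit message only names xfrm_probe_algs() as needing serialization and the hunk has no comment explaining the wider scope. A short comment at `mutex_lock(&pfkey_mutex)` saying what state the mutex protects, and why the GFP_KERNEL allocation in compose_sadb_supported() has to sit inside it, would help; if only the probe needs the lock, the unlock can move up to directly after xfrm_probe_algs().
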
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Bernard Pidoux, Francois Romieu, Thomas DL9SAU Osterried, "David S. Miller", Sasha Levin
Subject: [PATCH 4.9 04/31] rose: check NULL rose_loopback_neigh->loopback
Date: Fri, 2 Sep 2022 14:18:30 +0200
Message-Id: <20220902121356.908084146@linuxfoundation.org>
In-Reply-To: <20220902121356.732130937@linuxfoundation.org>
References: <20220902121356.732130937@linuxfoundation.org>

From: Bernard Pidoux

[ Upstream commit 3c53cd65dece47dd1f9d3a809f32e59d1d87b2b8 ]

Commit 3b3fd068c56e3fbea30090859216a368398e39bf added NULL check for `rose_loopback_neigh->dev` in rose_loopback_timer() but omitted to check rose_loopback_neigh->loopback.

It thus prevents *all* rose connect.

The reason is that a special rose_neigh loopback has a NULL device.

/proc/net/rose_neigh illustrates it via rose_neigh_show() function :
[...]
seq_printf(seq, "%05d %-9s %-4s %3d %3d %3s %3s %3lu %3lu",
           rose_neigh->number,
           (rose_neigh->loopback) ? "RSLOOP-0" : ax2asc(buf, &rose_neigh->callsign),
           rose_neigh->dev ? rose_neigh->dev->name : "???",
           rose_neigh->count,

/proc/net/rose_neigh displays special rose_loopback_neigh->loopback as callsign RSLOOP-0:

addr  callsign dev count use mode restart t0 tf digipeaters
00001 RSLOOP-0 ???     1   2 DCE  yes      0  0

By checking rose_loopback_neigh->loopback, rose_rx_call_request() is called even in case rose_loopback_neigh->dev is NULL. This repairs rose connections.

Verification with rose client application FPAC:

FPAC-Node v 4.1.3 (built Aug 5 2022) for LINUX (help = h)
F6BVP-4 (Commands = ?) : u
Users - AX.25 Level 2 sessions :
Port  Callsign    Callsign AX.25 state ROSE state NetRom status
axudp F6BVP-5  -> F6BVP-9  Connected   Connected  ---------

Fixes: 3b3fd068c56e ("rose: Fix Null pointer dereference in rose_send_frame()")
Signed-off-by: Bernard Pidoux
Suggested-by: Francois Romieu
Cc: Thomas DL9SAU Osterried
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
Tested-by: Florian Fainelli
Tested-by: Guenter Roeck
Tested-by: Linux Kernel Functional Testing
Tested-by: Pavel Machek (CIP)
Tested-by: Shuah Khan
---
 net/rose/rose_loopback.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/rose/rose_loopback.c b/net/rose/rose_loopback.c index 0f371e50d9c4e..e6526c8ecacc0 100644 --- a/net/rose/rose_loopback.c +++ b/net/rose/rose_loopback.c
@@ -99,7 +99,8 @@ static void rose_loopback_timer(unsigned long param) } =20 if (frametype =3D=3D ROSE_CALL_REQUEST) { - if (!rose_loopback_neigh->dev) { + if (!rose_loopback_neigh->dev && + !rose_loopback_neigh->loopback) { kfree_skb(skb); continue; } --=20 2.35.1
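
Review bot: with the condition in rose_loopback_timer() relaxed to `!rose_loopback_neigh->dev && !rose_loopback_neigh->loopback`, the ROSE_CALL_REQUEST path now continues with `dev` equal to NULL whenever `loopback` is set, and the check being loosened was introduced (per the Fixes: tag) to stop a NULL pointer dereference in rose_send_frame(). The code that runs after this test is outside the hunk, so the commit message or a comment here should state that rose_rx_call_request() and what it calls never touch `rose_loopback_neigh->dev` for the loopback neighbour; otherwise that use needs its own guard.
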
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jonathan Toppins, Jay Vosburgh, Jakub Kicinski, Sasha Levin
Subject: [PATCH 4.9 05/31] bonding: 802.3ad: fix no transmission of LACPDUs
Date: Fri, 2 Sep 2022 14:18:31 +0200
Message-Id: <20220902121356.952773780@linuxfoundation.org>
In-Reply-To: <20220902121356.732130937@linuxfoundation.org>
References: <20220902121356.732130937@linuxfoundation.org>

From: Jonathan Toppins

[ Upstream commit d745b5062ad2b5da90a5e728d7ca884fc07315fd ]

This is caused by the global variable ad_ticks_per_sec being zero as demonstrated by the reproducer script discussed below. This causes all timer values in __ad_timer_to_ticks to be zero, resulting in the periodic timer to never fire.

To reproduce:
Run the script in `tools/testing/selftests/drivers/net/bonding/bond-break-lacpdu-tx.sh` which puts bonding into a state where it never transmits LACPDUs.

line 44: ip link add fbond type bond mode 4 miimon 200 \
            xmit_hash_policy 1 ad_actor_sys_prio 65535 lacp_rate fast
setting bond param: ad_actor_sys_prio
given:
    params.ad_actor_system = 0
call stack:
    bond_option_ad_actor_sys_prio()
    -> bond_3ad_update_ad_actor_settings()
       -> set ad.system.sys_priority = bond->params.ad_actor_sys_prio
       -> ad.system.sys_mac_addr = bond->dev->dev_addr; because
            params.ad_actor_system == 0
results:
    ad.system.sys_mac_addr = bond->dev->dev_addr

line 48: ip link set fbond address 52:54:00:3B:7C:A6
setting bond MAC addr
call stack:
    bond->dev->dev_addr = new_mac

line 52: ip link set fbond type bond ad_actor_sys_prio 65535
setting bond param: ad_actor_sys_prio
given:
    params.ad_actor_system = 0
call stack:
    bond_option_ad_actor_sys_prio()
    -> bond_3ad_update_ad_actor_settings()
       -> set ad.system.sys_priority = bond->params.ad_actor_sys_prio
       -> ad.system.sys_mac_addr = bond->dev->dev_addr; because
            params.ad_actor_system == 0
results:
    ad.system.sys_mac_addr = bond->dev->dev_addr

line 60: ip link set veth1-bond down master fbond
given:
    params.ad_actor_system = 0
    params.mode = BOND_MODE_8023AD
    ad.system.sys_mac_addr == bond->dev->dev_addr
call stack:
    bond_enslave
    -> bond_3ad_initialize(); because first slave
       -> if ad.system.sys_mac_addr != bond->dev->dev_addr
          return
results:
    Nothing is run in bond_3ad_initialize() because dev_addr equals
    sys_mac_addr leaving the global ad_ticks_per_sec zero as it is
    never initialized anywhere else.

The if check around the contents of bond_3ad_initialize() is no longer needed due to commit 5ee14e6d336f ("bonding: 3ad: apply ad_actor settings changes immediately") which sets ad.system.sys_mac_addr if any one of the bonding parameters whose set function calls bond_3ad_update_ad_actor_settings(). This is because if ad.system.sys_mac_addr is zero it will be set to the current bond mac address, this causes the if check to never be true.

Fixes: 5ee14e6d336f ("bonding: 3ad: apply ad_actor settings changes immediately")
Signed-off-by: Jonathan Toppins
Acked-by: Jay Vosburgh
Signed-off-by: Jakub Kicinski
Signed-off-by: Sasha Levin
Tested-by: Florian Fainelli
Tested-by: Guenter Roeck
Tested-by: Linux Kernel Functional Testing
Tested-by: Pavel Machek (CIP)
Tested-by: Shuah Khan
---
 drivers/net/bonding/bond_3ad.c | 38 ++++++++++++++--------------------
 1 file changed, 16 insertions(+), 22 deletions(-)

diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c index 8ec0671f97113..7ba724ecef302 100644 --- a/drivers/net/bonding/bond_3ad.c +++ b/drivers/net/bonding/bond_3ad.c
@@ -1941,30 +1941,24 @@ void bond_3ad_initiate_agg_selection(struct bonding= *bond, int timeout) */ void bond_3ad_initialize(struct bonding *bond, u16 tick_resolution) { - /* check that the bond is not initialized yet */ - if (!MAC_ADDRESS_EQUAL(&(BOND_AD_INFO(bond).system.sys_mac_addr), - bond->dev->dev_addr)) { - - BOND_AD_INFO(bond).aggregator_identifier =3D 0; - - BOND_AD_INFO(bond).system.sys_priority =3D - bond->params.ad_actor_sys_prio; - if (is_zero_ether_addr(bond->params.ad_actor_system)) - BOND_AD_INFO(bond).system.sys_mac_addr =3D - *((struct mac_addr *)bond->dev->dev_addr); - else - BOND_AD_INFO(bond).system.sys_mac_addr =3D - *((struct mac_addr *)bond->params.ad_actor_system); + BOND_AD_INFO(bond).aggregator_identifier =3D 0; + BOND_AD_INFO(bond).system.sys_priority =3D + bond->params.ad_actor_sys_prio; + if (is_zero_ether_addr(bond->params.ad_actor_system)) + BOND_AD_INFO(bond).system.sys_mac_addr =3D + *((struct mac_addr *)bond->dev->dev_addr); + else + BOND_AD_INFO(bond).system.sys_mac_addr =3D + *((struct mac_addr *)bond->params.ad_actor_system); =20 - /* initialize how many times this module is called in one - * second (should be about every 100ms) - */ - ad_ticks_per_sec =3D tick_resolution; + /* initialize how many times this module is called in one + * second (should be about every 100ms) + */ + ad_ticks_per_sec =3D tick_resolution; =20 - bond_3ad_initiate_agg_selection(bond, - AD_AGGREGATOR_SELECTION_TIMER * - ad_ticks_per_sec); - } + bond_3ad_initiate_agg_selection(bond, + AD_AGGREGATOR_SELECTION_TIMER * + ad_ticks_per_sec); } =20 /** --=20 2.35.1
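
Review bot: removing the `MAC_ADDRESS_EQUAL()` guard makes every call to bond_3ad_initialize() reset `aggregator_identifier` to 0, overwrite `ad_ticks_per_sec` and restart aggregator selection, and the deleted comment `/* check that the bond is not initialized yet */` was the only statement of the run-once intent. The function's kernel-doc should now say that it is expected to be called once per bond (the commit message has it called from bond_enslave for the first slave). Since the commit message describes `ad_ticks_per_sec` as a global, it is also worth noting in that comment that the last caller's `tick_resolution` applies to every bond.
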
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Pablo Neira Ayuso, Sasha Levin
Subject: [PATCH 4.9 06/31] netfilter: nft_payload: report ERANGE for too long offset and length
Date: Fri, 2 Sep 2022 14:18:32 +0200
Message-Id: <20220902121356.981865358@linuxfoundation.org>
In-Reply-To: <20220902121356.732130937@linuxfoundation.org>
References: <20220902121356.732130937@linuxfoundation.org>

From: Pablo Neira Ayuso

[ Upstream commit 94254f990c07e9ddf1634e0b727fab821c3b5bf9 ]

Instead of truncating offset and length to u8, report ERANGE.

Fixes: 96518518cc41 ("netfilter: add nftables")
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Sasha Levin
Tested-by: Florian Fainelli
Tested-by: Guenter Roeck
Tested-by: Linux Kernel Functional Testing
Tested-by: Pavel Machek (CIP)
Tested-by: Shuah Khan
---
 net/netfilter/nft_payload.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c index f73d47b3ffb72..82bcd14fbcb3d 100644 --- a/net/netfilter/nft_payload.c +++ b/net/netfilter/nft_payload.c @@ -287,6 +287,7 @@ nft_payload_select_ops(const struct nft_ctx *ctx, { enum nft_payload_bases base; unsigned int offset, len; + int err; =20 if (tb[NFTA_PAYLOAD_BASE] =3D=3D NULL || tb[NFTA_PAYLOAD_OFFSET] =3D=3D NULL ||
@@ -312,8 +313,13 @@ nft_payload_select_ops(const struct nft_ctx *ctx, if (tb[NFTA_PAYLOAD_DREG] =3D=3D NULL) return ERR_PTR(-EINVAL); =20 - offset =3D ntohl(nla_get_be32(tb[NFTA_PAYLOAD_OFFSET])); - len =3D ntohl(nla_get_be32(tb[NFTA_PAYLOAD_LEN])); + err =3D nft_parse_u32_check(tb[NFTA_PAYLOAD_OFFSET], U8_MAX, &offset); + if (err < 0) + return ERR_PTR(err); + + err =3D nft_parse_u32_check(tb[NFTA_PAYLOAD_LEN], U8_MAX, &len); + if (err < 0) + return ERR_PTR(err); =20 if (len <=3D 4 && is_power_of_2(len) && IS_ALIGNED(offset, len) && base !=3D NFT_PAYLOAD_LL_HEADER) --=20 2.35.1
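
Review bot: in the second nft_payload_select_ops() hunk the bound passed to nft_parse_u32_check() is the literal `U8_MAX` for both NFTA_PAYLOAD_OFFSET and NFTA_PAYLOAD_LEN, while the locals receiving the values are still `unsigned int offset, len`, so nothing visible ties the limit to the width of the fields the values end up in. A comment naming the u8 destination the commit message refers to, or deriving the limit from that destination's type, would keep the check and the storage from drifting apart. The error handling itself reads correctly: `err` is propagated through ERR_PTR(err) before `offset` or `len` is used.
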
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Kuniyuki Iwashima, "David S. Miller", Sasha Levin
Subject: [PATCH 4.9 07/31] ratelimit: Fix data-races in ___ratelimit().
Date: Fri, 2 Sep 2022 14:18:33 +0200
Message-Id: <20220902121357.020913818@linuxfoundation.org>
In-Reply-To: <20220902121356.732130937@linuxfoundation.org>
References: <20220902121356.732130937@linuxfoundation.org>

From: Kuniyuki Iwashima

[ Upstream commit 6bae8ceb90ba76cdba39496db936164fa672b9be ]

While reading rs->interval and rs->burst, they can be changed concurrently via sysctl (e.g. net_ratelimit_state). Thus, we need to add READ_ONCE() to their readers.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Kuniyuki Iwashima
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
Tested-by: Florian Fainelli
Tested-by: Guenter Roeck
Tested-by: Linux Kernel Functional Testing
Tested-by: Pavel Machek (CIP)
Tested-by: Shuah Khan
---
 lib/ratelimit.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/lib/ratelimit.c b/lib/ratelimit.c index d01f471352390..b805702de84dd 100644 --- a/lib/ratelimit.c +++ b/lib/ratelimit.c
@@ -27,10 +27,16 @@ */ int ___ratelimit(struct ratelimit_state *rs, const char *func) { + /* Paired with WRITE_ONCE() in .proc_handler(). + * Changing two values seperately could be inconsistent + * and some message could be lost. (See: net_ratelimit_state). + */ + int interval =3D READ_ONCE(rs->interval); + int burst =3D READ_ONCE(rs->burst); unsigned long flags; int ret; =20 - if (!rs->interval) + if (!interval) return 1; =20 /* @@ -45,7 +51,7 @@ int ___ratelimit(struct ratelimit_state *rs, const char *= func) if (!rs->begin) rs->begin =3D jiffies; =20 - if (time_is_before_jiffies(rs->begin + rs->interval)) { + if (time_is_before_jiffies(rs->begin + interval)) { if (rs->missed) { if (!(rs->flags & RATELIMIT_MSG_ON_RELEASE)) { printk_deferred(KERN_WARNING 
@@ -57,7 +63,7 @@ int ___ratelimit(struct ratelimit_state *rs, const char *= func) rs->begin =3D jiffies; rs->printed =3D 0; } - if (rs->burst && rs->burst > rs->printed) { + if (burst && burst > rs->printed) { rs->printed++; ret =3D 1; } else { --=20 2.35.1
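
Review bot: the comment added at the top of ___ratelimit() in the first hunk says the reads are "Paired with WRITE_ONCE() in .proc_handler()", but the diffstat for this patch touches only lib/ratelimit.c, so the writer side is not part of this change; confirm that the handler in the 4.9 tree actually uses WRITE_ONCE(), or reword the comment. The same comment concedes that `interval` and `burst` are fetched by two independent READ_ONCE() calls and can come from different updates, which is better stated as an accepted limitation than left implying the pair is consistent. Minor: "seperately" in that comment should be "separately".
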
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Kuniyuki Iwashima, "David S. Miller", Sasha Levin
Subject: [PATCH 4.9 08/31] net: Fix a data-race around sysctl_tstamp_allow_data.
Date: Fri, 2 Sep 2022 14:18:34 +0200
Message-Id: <20220902121357.057918976@linuxfoundation.org>
X-Mailer: git-send-email 2.37.3
In-Reply-To: <20220902121356.732130937@linuxfoundation.org>
References: <20220902121356.732130937@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

From: Kuniyuki Iwashima

[ Upstream commit d2154b0afa73c0159b2856f875c6b4fe7cf6a95e ]

While reading sysctl_tstamp_allow_data, it can be changed concurrently.
Thus, we need to add READ_ONCE() to its reader.

Fixes: b245be1f4db1 ("net-timestamp: no-payload only sysctl")
Signed-off-by: Kuniyuki Iwashima
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
Tested-by: Florian Fainelli
Tested-by: Guenter Roeck
Tested-by: Linux Kernel Functional Testing
Tested-by: Pavel Machek (CIP)
Tested-by: Shuah Khan
---
 net/core/skbuff.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 22b216629f9bc..022e26c180241 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c
@@ -3905,7 +3905,7 @@ static bool skb_may_tx_timestamp(struct sock *sk, boo= l tsonly) { bool ret; =20 - if (likely(sysctl_tstamp_allow_data || tsonly)) + if (likely(READ_ONCE(sysctl_tstamp_allow_data) || tsonly)) return true; =20 read_lock_bh(&sk->sk_callback_lock); --=20 2.35.1
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Kuniyuki Iwashima, "David S. Miller", Sasha Levin
Subject: [PATCH 4.9 09/31] net: Fix a data-race around sysctl_net_busy_poll.
Date: Fri, 2 Sep 2022 14:18:35 +0200
Message-Id: <20220902121357.096918197@linuxfoundation.org>
X-Mailer: git-send-email 2.37.3
In-Reply-To: <20220902121356.732130937@linuxfoundation.org>
References: <20220902121356.732130937@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

From: Kuniyuki Iwashima

[ Upstream commit c42b7cddea47503411bfb5f2f93a4154aaffa2d9 ]

While reading sysctl_net_busy_poll, it can be changed concurrently.
Thus, we need to add READ_ONCE() to its reader.

Fixes: 060212928670 ("net: add low latency socket poll")
Signed-off-by: Kuniyuki Iwashima
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
Tested-by: Florian Fainelli
Tested-by: Guenter Roeck
Tested-by: Linux Kernel Functional Testing
Tested-by: Pavel Machek (CIP)
Tested-by: Shuah Khan
---
 include/net/busy_poll.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/net/busy_poll.h b/include/net/busy_poll.h index 2fbeb1313c0f4..e522187cb6935 100644 --- a/include/net/busy_poll.h +++ b/include/net/busy_poll.h
@@ -39,7 +39,7 @@ extern unsigned int sysctl_net_busy_poll __read_mostly; =20 static inline bool net_busy_loop_on(void) { - return sysctl_net_busy_poll; + return READ_ONCE(sysctl_net_busy_poll); } =20 static inline u64 busy_loop_us_clock(void) --=20 2.35.1
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Kuniyuki Iwashima, "David S. Miller", Sasha Levin
Subject: [PATCH 4.9 10/31] net: Fix a data-race around sysctl_net_busy_read.
Date: Fri, 2 Sep 2022 14:18:36 +0200
Message-Id: <20220902121357.135932728@linuxfoundation.org>
X-Mailer: git-send-email 2.37.3
In-Reply-To: <20220902121356.732130937@linuxfoundation.org>
References: <20220902121356.732130937@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

From: Kuniyuki Iwashima

[ Upstream commit e59ef36f0795696ab229569c153936bfd068d21c ]

While reading sysctl_net_busy_read, it can be changed concurrently.
Thus, we need to add READ_ONCE() to its reader.

Fixes: 2d48d67fa8cd ("net: poll/select low latency socket support")
Signed-off-by: Kuniyuki Iwashima
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
Tested-by: Florian Fainelli
Tested-by: Guenter Roeck
Tested-by: Linux Kernel Functional Testing
Tested-by: Pavel Machek (CIP)
Tested-by: Shuah Khan
---
 net/core/sock.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/core/sock.c b/net/core/sock.c index 1845a37d9f7e1..e4b28c10901ec 100644 --- a/net/core/sock.c +++ b/net/core/sock.c
@@ -2508,7 +2508,7 @@ void sock_init_data(struct socket *sock, struct sock = *sk) =20 #ifdef CONFIG_NET_RX_BUSY_POLL sk->sk_napi_id =3D 0; - sk->sk_ll_usec =3D sysctl_net_busy_read; + sk->sk_ll_usec =3D READ_ONCE(sysctl_net_busy_read); #endif =20 sk->sk_max_pacing_rate =3D ~0U; --=20 2.35.1
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Kuniyuki Iwashima, "David S. Miller", Sasha Levin
Subject: [PATCH 4.9 11/31] net: Fix a data-race around sysctl_somaxconn.
Date: Fri, 2 Sep 2022 14:18:37 +0200
Message-Id: <20220902121357.167948574@linuxfoundation.org>
X-Mailer: git-send-email 2.37.3
In-Reply-To: <20220902121356.732130937@linuxfoundation.org>
References: <20220902121356.732130937@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

From: Kuniyuki Iwashima

[ Upstream commit 3c9ba81d72047f2e81bb535d42856517b613aba7 ]

While reading sysctl_somaxconn, it can be changed concurrently.
Thus, we need to add READ_ONCE() to its reader.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Kuniyuki Iwashima
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
Tested-by: Florian Fainelli
Tested-by: Guenter Roeck
Tested-by: Linux Kernel Functional Testing
Tested-by: Pavel Machek (CIP)
Tested-by: Shuah Khan
---
 net/socket.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/socket.c b/net/socket.c index ab64ae80ca2cd..6f1abcba0e360 100644 --- a/net/socket.c +++ b/net/socket.c
@@ -1403,7 +1403,7 @@ SYSCALL_DEFINE2(listen, int, fd, int, backlog) =20 sock =3D sockfd_lookup_light(fd, &err, &fput_needed); if (sock) { - somaxconn =3D sock_net(sock->sk)->core.sysctl_somaxconn; + somaxconn =3D READ_ONCE(sock_net(sock->sk)->core.sysctl_somaxconn); if ((unsigned int)backlog > somaxconn) backlog =3D somaxconn; =20 --=20 2.35.1
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Steve Payne, Ilya Evenbach, Jacob Keller, Tony Nguyen, Sasha Levin, Gurucharan
Subject: [PATCH 4.9 12/31] ixgbe: stop resetting SYSTIME in ixgbe_ptp_start_cyclecounter
Date: Fri, 2 Sep 2022 14:18:38 +0200
Message-Id: <20220902121357.205916742@linuxfoundation.org>
X-Mailer: git-send-email 2.37.3
In-Reply-To: <20220902121356.732130937@linuxfoundation.org>
References: <20220902121356.732130937@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

From: Jacob Keller

[ Upstream commit 25d7a5f5a6bb15a2dae0a3f39ea5dda215024726 ]

The ixgbe_ptp_start_cyclecounter is intended to be called whenever the
cyclecounter parameters need to be changed.

Since commit a9763f3cb54c ("ixgbe: Update PTP to support X550EM_x
devices"), this function has cleared the SYSTIME registers and reset the
TSAUXC DISABLE_SYSTIME bit.

While these need to be cleared during ixgbe_ptp_reset, it is wrong to
clear them during ixgbe_ptp_start_cyclecounter. This function may be
called during both reset and link status change. When link changes, the
SYSTIME counter is still operating normally, but the cyclecounter should
be updated to account for the possibly changed parameters.

Clearing SYSTIME when link changes causes the timecounter to jump
because the cycle counter now reads zero.

Extract the SYSTIME initialization out to a new function and call this
during ixgbe_ptp_reset. This prevents the timecounter adjustment and
avoids an unnecessary reset of the current time.

This also restores the original SYSTIME clearing that occurred during
ixgbe_ptp_reset before the commit above.

Reported-by: Steve Payne
Reported-by: Ilya Evenbach
Fixes: a9763f3cb54c ("ixgbe: Update PTP to support X550EM_x devices")
Signed-off-by: Jacob Keller
Tested-by: Gurucharan (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen
Signed-off-by: Sasha Levin
Tested-by: Florian Fainelli
Tested-by: Guenter Roeck
Tested-by: Linux Kernel Functional Testing
Tested-by: Pavel Machek (CIP)
Tested-by: Shuah Khan
---
 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 59 +++++++++++++++-----
 1 file changed, 46 insertions(+), 13 deletions(-)

diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c b/drivers/net/eth= ernet/intel/ixgbe/ixgbe_ptp.c index a93a1b3bb8e4d..2ae59af3e16f0 100644 --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c @@ -1080,7 +1080,6 @@ void ixgbe_ptp_start_cyclecounter(struct ixgbe_adapte= r *adapter) struct cyclecounter cc; unsigned long flags; u32 incval =3D 0; - u32 tsauxc =3D 0; u32 fuse0 =3D 0; =20 /* For some of the boards below this mask is technically incorrect. @@ -1115,18 +1114,6 @@ void ixgbe_ptp_start_cyclecounter(struct ixgbe_adapt= er *adapter) case ixgbe_mac_x550em_a: case ixgbe_mac_X550: cc.read =3D ixgbe_ptp_read_X550; - - /* enable SYSTIME counter */ - IXGBE_WRITE_REG(hw, IXGBE_SYSTIMR, 0); - IXGBE_WRITE_REG(hw, IXGBE_SYSTIML, 0); - IXGBE_WRITE_REG(hw, IXGBE_SYSTIMH, 0); - tsauxc =3D IXGBE_READ_REG(hw, IXGBE_TSAUXC); - IXGBE_WRITE_REG(hw, IXGBE_TSAUXC, - tsauxc & ~IXGBE_TSAUXC_DISABLE_SYSTIME); - IXGBE_WRITE_REG(hw, IXGBE_TSIM, IXGBE_TSIM_TXTS); - IXGBE_WRITE_REG(hw, IXGBE_EIMS, IXGBE_EIMS_TIMESYNC); - - IXGBE_WRITE_FLUSH(hw); break; case ixgbe_mac_X540: cc.read =3D ixgbe_ptp_read_82599;
@@ -1158,6 +1145,50 @@ void ixgbe_ptp_start_cyclecounter(struct ixgbe_adapt= er *adapter) spin_unlock_irqrestore(&adapter->tmreg_lock, flags); } =20 +/** + * ixgbe_ptp_init_systime - Initialize SYSTIME registers + * @adapter: the ixgbe private board structure + * + * Initialize and start the SYSTIME registers. + */ +static void ixgbe_ptp_init_systime(struct ixgbe_adapter *adapter) +{ + struct ixgbe_hw *hw =3D &adapter->hw; + u32 tsauxc; + + switch (hw->mac.type) { + case ixgbe_mac_X550EM_x: + case ixgbe_mac_x550em_a: + case ixgbe_mac_X550: + tsauxc =3D IXGBE_READ_REG(hw, IXGBE_TSAUXC); + + /* Reset SYSTIME registers to 0 */ + IXGBE_WRITE_REG(hw, IXGBE_SYSTIMR, 0); + IXGBE_WRITE_REG(hw, IXGBE_SYSTIML, 0); + IXGBE_WRITE_REG(hw, IXGBE_SYSTIMH, 0); + + /* Reset interrupt settings */ + IXGBE_WRITE_REG(hw, IXGBE_TSIM, IXGBE_TSIM_TXTS); + IXGBE_WRITE_REG(hw, IXGBE_EIMS, IXGBE_EIMS_TIMESYNC); + + /* Activate the SYSTIME counter */ + IXGBE_WRITE_REG(hw, IXGBE_TSAUXC, + tsauxc & ~IXGBE_TSAUXC_DISABLE_SYSTIME); + break; + case ixgbe_mac_X540: + case ixgbe_mac_82599EB: + /* Reset SYSTIME registers to 0 */ + IXGBE_WRITE_REG(hw, IXGBE_SYSTIML, 0); + IXGBE_WRITE_REG(hw, IXGBE_SYSTIMH, 0); + break; + default: + /* Other devices aren't supported */ + return; + }; + + IXGBE_WRITE_FLUSH(hw); +} + /** * ixgbe_ptp_reset * @adapter: the ixgbe private board structure 
@@ -1184,6 +1215,8 @@ void ixgbe_ptp_reset(struct ixgbe_adapter *adapter) =20 ixgbe_ptp_start_cyclecounter(adapter); =20 + ixgbe_ptp_init_systime(adapter); + spin_lock_irqsave(&adapter->tmreg_lock, flags); timecounter_init(&adapter->hw_tc, &adapter->hw_cc, ktime_to_ns(ktime_get_real())); --=20 2.35.1
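Review bot: the new ixgbe_ptp_init_systime() closes its switch with "};", leaving a stray semicolon after the brace that should be dropped. Its kernel-doc also says "Initialize and start the SYSTIME registers", but the ixgbe_mac_X540 and ixgbe_mac_82599EB cases only zero SYSTIML and SYSTIMH and never touch TSAUXC, so the description should be worded to cover both branches.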
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Qu Wenruo, Filipe Manana, Goldwyn Rodrigues, David Sterba
Subject: [PATCH 4.9 13/31] btrfs: check if root is readonly while setting security xattr
Date: Fri, 2 Sep 2022 14:18:39 +0200
Message-Id: <20220902121357.243832041@linuxfoundation.org>
X-Mailer: git-send-email 2.37.3
In-Reply-To: <20220902121356.732130937@linuxfoundation.org>
References: <20220902121356.732130937@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

From: Goldwyn Rodrigues

commit b51111271b0352aa596c5ae8faf06939e91b3b68 upstream.

For a filesystem which has btrfs read-only property set to true, all
write operations including xattr should be denied. However, security
xattr can still be changed even if btrfs ro property is true.

This happens because xattr_permission() does not have any restrictions
on security.*, system.* and in some cases trusted.* from VFS and the
decision is left to the underlying filesystem. See comments in
xattr_permission() for more details.

This patch checks if the root is read-only before performing the set
xattr operation.

Testcase:

  DEV=/dev/vdb
  MNT=/mnt

  mkfs.btrfs -f $DEV
  mount $DEV $MNT
  echo "file one" > $MNT/f1

  setfattr -n "security.one" -v 2 $MNT/f1
  btrfs property set /mnt ro true

  setfattr -n "security.one" -v 1 $MNT/f1

  umount $MNT

CC: stable@vger.kernel.org # 4.9+
Reviewed-by: Qu Wenruo
Reviewed-by: Filipe Manana
Signed-off-by: Goldwyn Rodrigues
Reviewed-by: David Sterba
Signed-off-by: David Sterba
Signed-off-by: Greg Kroah-Hartman
Tested-by: Florian Fainelli
Tested-by: Guenter Roeck
Tested-by: Linux Kernel Functional Testing
Tested-by: Pavel Machek (CIP)
Tested-by: Shuah Khan
---
 fs/btrfs/xattr.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/fs/btrfs/xattr.c +++ b/fs/btrfs/xattr.c
@@ -375,6 +375,9 @@ static int btrfs_xattr_handler_get(const struct dentry *unused, struct inode *inode, const char *name, void *buffer, size_t size) { + if (btrfs_root_readonly(BTRFS_I(inode)->root)) + return -EROFS; + name =3D xattr_full_name(handler, name); return __btrfs_getxattr(inode, name, buffer, size); }
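Review bot: the btrfs_root_readonly() check lands in btrfs_xattr_handler_get(), as the hunk header and the __btrfs_getxattr() call in the trailing context show, while the commit message describes denying the set xattr operation on a read-only root. As applied, reading an xattr on a read-only root returns -EROFS and the path that writes security.* is left without the test, so the testcase in the commit message would still succeed at changing the value. Move the three added lines to the top of the handler that performs the set.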
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, "Matthew Wilcox (Oracle)", Siddh Raman Pant, Christoph Hellwig, Jens Axboe, syzbot+a8e049cd3abd342936b6@syzkaller.appspotmail.com
Subject: [PATCH 4.9 14/31] loop: Check for overflow while configuring loop
Date: Fri, 2 Sep 2022 14:18:40 +0200
Message-Id: <20220902121357.276618508@linuxfoundation.org>
X-Mailer: git-send-email 2.37.3
In-Reply-To: <20220902121356.732130937@linuxfoundation.org>
References: <20220902121356.732130937@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

From: Siddh Raman Pant

commit c490a0b5a4f36da3918181a8acdc6991d967c5f3 upstream.

The userspace can configure a loop using an ioctl call, wherein
a configuration of type loop_config is passed (see lo_ioctl()'s
case on line 1550 of drivers/block/loop.c). This proceeds to call
loop_configure() which in turn calls loop_set_status_from_info()
(see line 1050 of loop.c), passing &config->info which is of type
loop_info64*. This function then sets the appropriate values, like
the offset.

loop_device has lo_offset of type loff_t (see line 52 of loop.c),
which is typedef-chained to long long, whereas loop_info64 has
lo_offset of type __u64 (see line 56 of include/uapi/linux/loop.h).

The function directly copies offset from info to the device as
follows (See line 980 of loop.c):

	lo->lo_offset = info->lo_offset;

This results in an overflow, which triggers a warning in iomap_iter()
due to a call to iomap_iter_done() which has:

	WARN_ON_ONCE(iter->iomap.offset > iter->pos);

Thus, check for negative value during loop_set_status_from_info().

Bug report: https://syzkaller.appspot.com/bug?id=c620fe14aac810396d3c3edc9ad73848bf69a29e

Reported-and-tested-by: syzbot+a8e049cd3abd342936b6@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Reviewed-by: Matthew Wilcox (Oracle)
Signed-off-by: Siddh Raman Pant
Reviewed-by: Christoph Hellwig
Link: https://lore.kernel.org/r/20220823160810.181275-1-code@siddh.me
Signed-off-by: Jens Axboe
Signed-off-by: Greg Kroah-Hartman
Tested-by: Florian Fainelli
Tested-by: Guenter Roeck
Tested-by: Linux Kernel Functional Testing
Tested-by: Pavel Machek (CIP)
Tested-by: Shuah Khan
---
 drivers/block/loop.c | 5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/block/loop.c +++ b/drivers/block/loop.c
@@ -1202,6 +1202,11 @@ loop_get_status(struct loop_device *lo, info->lo_rdevice =3D huge_encode_dev(lo->lo_device ? stat.rdev : stat.dev= ); info->lo_offset =3D lo->lo_offset; info->lo_sizelimit =3D lo->lo_sizelimit; + + /* loff_t vars have been assigned __u64 */ + if (lo->lo_offset < 0 || lo->lo_sizelimit < 0) + return -EOVERFLOW; + info->lo_flags =3D lo->lo_flags; memcpy(info->lo_file_name, lo->lo_file_name, LO_NAME_SIZE); memcpy(info->lo_crypt_name, lo->lo_crypt_name, LO_NAME_SIZE);
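Review bot: the -EOVERFLOW check sits in loop_get_status(), after lo->lo_offset and lo->lo_sizelimit have already been copied out to info, whereas the commit message places the negative-value check on the configuration path, where the __u64 from info is assigned to the loff_t in the device. As applied, an oversized offset is still stored into the loop device when it is configured, and only a later status read fails. The check should follow the assignment from info in the function that sets the status, and the comment "loff_t vars have been assigned __u64" only makes sense there.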
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Quanyang Wang, Ard Biesheuvel, Arnd Bergmann, Thierry Reding, Andrew Morton
Subject: [PATCH 4.9 15/31] asm-generic: sections: refactor memory_intersects
Date: Fri, 2 Sep 2022 14:18:41 +0200
Message-Id: <20220902121357.315057848@linuxfoundation.org>
X-Mailer: git-send-email 2.37.3
In-Reply-To: <20220902121356.732130937@linuxfoundation.org>
References: <20220902121356.732130937@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

From: Quanyang Wang

commit 0c7d7cc2b4fe2e74ef8728f030f0f1674f9f6aee upstream.

There are two problems with the current code of memory_intersects:

First, it doesn't check whether the region (begin, end) falls inside the
region (virt, vend), that is (virt < begin && vend > end).

The second problem is if vend is equal to begin, it will return true but
this is wrong since vend (virt + size) is not the last address of the
memory region but (virt + size -1) is. The wrong determination will
trigger the misreporting when the function check_for_illegal_area calls
memory_intersects to check if the dma region intersects with stext
region.

The misreporting is as below (stext is at 0x80100000):

 WARNING: CPU: 0 PID: 77 at kernel/dma/debug.c:1073 check_for_illegal_area+0x130/0x168
 DMA-API: chipidea-usb2 e0002000.usb: device driver maps memory from kernel text or rodata [addr=800f0000] [len=65536]
 Modules linked in:
 CPU: 1 PID: 77 Comm: usb-storage Not tainted 5.19.0-yocto-standard #5
 Hardware name: Xilinx Zynq Platform
  unwind_backtrace from show_stack+0x18/0x1c
  show_stack from dump_stack_lvl+0x58/0x70
  dump_stack_lvl from __warn+0xb0/0x198
  __warn from warn_slowpath_fmt+0x80/0xb4
  warn_slowpath_fmt from check_for_illegal_area+0x130/0x168
  check_for_illegal_area from debug_dma_map_sg+0x94/0x368
  debug_dma_map_sg from __dma_map_sg_attrs+0x114/0x128
  __dma_map_sg_attrs from dma_map_sg_attrs+0x18/0x24
  dma_map_sg_attrs from usb_hcd_map_urb_for_dma+0x250/0x3b4
  usb_hcd_map_urb_for_dma from usb_hcd_submit_urb+0x194/0x214
  usb_hcd_submit_urb from usb_sg_wait+0xa4/0x118
  usb_sg_wait from usb_stor_bulk_transfer_sglist+0xa0/0xec
  usb_stor_bulk_transfer_sglist from usb_stor_bulk_srb+0x38/0x70
  usb_stor_bulk_srb from usb_stor_Bulk_transport+0x150/0x360
  usb_stor_Bulk_transport from usb_stor_invoke_transport+0x38/0x440
  usb_stor_invoke_transport from usb_stor_control_thread+0x1e0/0x238
  usb_stor_control_thread from kthread+0xf8/0x104
  kthread from ret_from_fork+0x14/0x2c

Refactor memory_intersects to
fix the two problems above.

Before the 1d7db834a027e ("dma-debug: use memory_intersects()
directly"), memory_intersects is called only by printk_late_init:

 printk_late_init -> init_section_intersects -> memory_intersects.

There were few places where memory_intersects was called.

When commit 1d7db834a027e ("dma-debug: use memory_intersects()
directly") was merged and CONFIG_DMA_API_DEBUG is enabled, the DMA
subsystem uses it to check for an illegal area and the calltrace above
is triggered.

[akpm@linux-foundation.org: fix nearby comment typo]
Link: https://lkml.kernel.org/r/20220819081145.948016-1-quanyang.wang@windriver.com
Fixes: 979559362516 ("asm/sections: add helpers to check for section data")
Signed-off-by: Quanyang Wang
Cc: Ard Biesheuvel
Cc: Arnd Bergmann
Cc: Thierry Reding
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Greg Kroah-Hartman
Tested-by: Florian Fainelli
Tested-by: Guenter Roeck
Tested-by: Linux Kernel Functional Testing
Tested-by: Pavel Machek (CIP)
Tested-by: Shuah Khan
---
 include/asm-generic/sections.h | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/include/asm-generic/sections.h +++ b/include/asm-generic/sections.h @@ -87,7 +87,7 @@ static inline bool memory_contains(void /** * memory_intersects - checks if the region occupied by an object intersec= ts * with another memory region - * @begin: virtual address of the beginning of the memory regien + * @begin: virtual address of the beginning of the memory region * @end: virtual address of the end of the memory region * @virt: virtual address of the memory object * @size: size of the memory object
@@ -100,7 +100,10 @@ static inline bool memory_intersects(voi { void *vend =3D virt + size; =20 - return (virt >=3D begin && virt < end) || (vend >=3D begin && vend < end); + if (virt < end && vend > begin) + return true; + + return false; } =20 /**
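Review bot: in the second hunk, `vend = virt + size` is computed with no wrap check, so for a large `size` near the top of the address space `vend` lands below `virt` and the new test `virt < end && vend > begin` returns false for an object that does overlap the region. The commit message says dma-debug now uses this helper to flag mappings of kernel text, so a false negative is the costly direction; consider clamping or rejecting a wrapped `vend` before the comparison, and say in the kernel-doc that `end` is exclusive, which `virt < end` assumes. The `if (...) return true; return false;` pair can also collapse to `return virt < end && vend > begin;`.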
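The two failure cases from the commit message, replayed in user space with the removed and the added check side by side; this is an added example, not part of the patch or the kernel tree. Assumptions: addresses are modelled as integers, the section end 0x80200000 and every sample buffer except the reported addr/len are constructed, and intersects_checked() is a hypothetical variant that goes beyond the patch by handling an empty object and a wrapped virt + size.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The check removed by the patch. */
static bool intersects_old(uintptr_t begin, uintptr_t end,
                           uintptr_t virt, size_t size)
{
    uintptr_t vend = virt + size;

    return (virt >= begin && virt < end) || (vend >= begin && vend < end);
}

/* The check added by the patch: [virt, vend) against [begin, end). */
static bool intersects_new(uintptr_t begin, uintptr_t end,
                           uintptr_t virt, size_t size)
{
    uintptr_t vend = virt + size;

    return virt < end && vend > begin;
}

/*
 * Hypothetical variant (not in the patch): same interval test, but an
 * empty object never intersects, and a wrapped virt + size is clamped to
 * the top of the address space instead of landing below virt.
 */
static bool intersects_checked(uintptr_t begin, uintptr_t end,
                               uintptr_t virt, size_t size)
{
    uintptr_t vend;

    if (size == 0)
        return false;
    vend = (size > UINTPTR_MAX - virt) ? UINTPTR_MAX : virt + size;

    return virt < end && vend > begin;
}

/* STEXT comes from the commit message; SECTION_END is constructed. */
#define STEXT       ((uintptr_t)0x80100000u)
#define SECTION_END ((uintptr_t)0x80200000u)

struct sample {
    const char *what;
    uintptr_t begin, end, virt;
    size_t size;
};

/* Constructed inputs, except the first, which is the reported addr/len. */
static const struct sample samples[] = {
    { "ends exactly at stext (reported case)", STEXT, SECTION_END, 0x800f0000u, 65536 },
    { "swallows the whole section",            STEXT, SECTION_END, 0x80000000u, 0x400000 },
    { "starts inside the section",             STEXT, SECTION_END, 0x80180000u, 4096 },
    { "overlaps the section start",            STEXT, SECTION_END, 0x800ff000u, 0x2000 },
    { "starts at the section end",             STEXT, SECTION_END, 0x80200000u, 4096 },
    { "virt + size wraps past the top",        UINTPTR_MAX - 0x7ff, UINTPTR_MAX,
                                               UINTPTR_MAX - 0xfff, 0x2000 },
};

#define NSAMPLES (sizeof(samples) / sizeof(samples[0]))

/* Number of samples on which the removed and the added check disagree. */
static unsigned int count_disagreements(void)
{
    unsigned int n = 0;
    size_t i;

    for (i = 0; i < NSAMPLES; i++) {
        const struct sample *s = &samples[i];

        if (intersects_old(s->begin, s->end, s->virt, s->size) !=
            intersects_new(s->begin, s->end, s->virt, s->size))
            n++;
    }
    return n;
}

int main(void)
{
    size_t i;

    for (i = 0; i < NSAMPLES; i++) {
        const struct sample *s = &samples[i];

        printf("%-40s old=%d new=%d checked=%d\n", s->what,
               intersects_old(s->begin, s->end, s->virt, s->size),
               intersects_new(s->begin, s->end, s->virt, s->size),
               intersects_checked(s->begin, s->end, s->virt, s->size));
    }
    printf("old and new disagree on %u samples\n", count_disagreements());
    return 0;
}
```

The first two rows are the false positive and the false negative the commit message names; the last row is the one input where the patched check and the hypothetical clamped variant differ.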
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, David Hildenbrand , Mike Kravetz , Peter Feiner , "Kirill A. Shutemov" , Cyrill Gorcunov , Pavel Emelyanov , Jamie Liu , Hugh Dickins , Naoya Horiguchi , Bjorn Helgaas , Muchun Song , Peter Xu , Andrew Morton Subject: [PATCH 4.9 16/31] mm/hugetlb: fix hugetlb not supporting softdirty tracking Date: Fri, 2 Sep 2022 14:18:42 +0200 Message-Id: <20220902121357.345037868@linuxfoundation.org> X-Mailer: git-send-email 2.37.3 In-Reply-To: <20220902121356.732130937@linuxfoundation.org> References: <20220902121356.732130937@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" 
From: David Hildenbrand

commit f96f7a40874d7c746680c0b9f57cef2262ae551f upstream.

Patch series "mm/hugetlb: fix write-fault handling for shared mappings", v2.

I observed that hugetlb does not support/expect write-faults in shared mappings that would have to map the R/O-mapped page writable -- and I found two cases where we could currently get such faults and would erroneously map an anon page into a shared mapping.

Reproducers part of the patches.

I propose to backport both fixes to stable trees. The first fix needs a small adjustment.

This patch (of 2):

Staring at hugetlb_wp(), one might wonder where all the logic for shared mappings is when stumbling over a write-protected page in a shared mapping. In fact, there is none, and so far we thought we could get away with that because e.g., mprotect() should always do the right thing and map all pages directly writable.

Looks like we were wrong:

Reviewed-by: Mike Kravetz
Tested-by: Florian Fainelli
Tested-by: Guenter Roeck
Tested-by: Linux Kernel Functional Testing
Tested-by: Pavel Machek (CIP)
Tested-by: Shuah Khan
--------------------------------------------------------------------------
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <fcntl.h>
 #include <unistd.h>
 #include <errno.h>
 #include <sys/mman.h>

 #define HUGETLB_SIZE (2 * 1024 * 1024u)

 /* Writing "4" to clear_refs clears the soft-dirty bits of this process. */
 static void clear_softdirty(void)
 {
         int fd = open("/proc/self/clear_refs", O_WRONLY);
         const char *ctrl = "4";
         int ret;

         if (fd < 0) {
                 fprintf(stderr, "open(clear_refs) failed\n");
                 exit(1);
         }
         ret = write(fd, ctrl, strlen(ctrl));
         if (ret != strlen(ctrl)) {
                 fprintf(stderr, "write(clear_refs) failed\n");
                 exit(1);
         }
         close(fd);
 }

 int main(int argc, char **argv)
 {
         char *map;
         int fd;

         /* open() reports failure with -1; O_CREAT needs a mode argument. */
         fd = open("/dev/hugepages/tmp", O_RDWR | O_CREAT, 0600);
         if (fd < 0) {
                 fprintf(stderr, "open() failed\n");
                 return -errno;
         }
         if (ftruncate(fd, HUGETLB_SIZE)) {
                 fprintf(stderr, "ftruncate() failed\n");
                 return -errno;
         }

         map = mmap(NULL, HUGETLB_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
         if (map == MAP_FAILED) {
                 fprintf(stderr, "mmap() failed\n");
                 return -errno;
         }

         *map = 0;

         if (mprotect(map, HUGETLB_SIZE, PROT_READ)) {
                 fprintf(stderr, "mmprotect() failed\n");
                 return -errno;
         }

         clear_softdirty();

         if (mprotect(map, HUGETLB_SIZE, PROT_READ|PROT_WRITE)) {
                 fprintf(stderr, "mmprotect() failed\n");
                 return -errno;
         }

         *map = 0;

         return 0;
 }
--------------------------------------------------------------------------

Above test fails with SIGBUS when there is only a single free hugetlb page.
 # echo 1 > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
 # ./test
 Bus error (core dumped)

And worse, with sufficient free hugetlb pages it will map an anonymous page into a shared mapping, for example, messing up accounting during unmap and breaking MAP_SHARED semantics:
 # echo 2 > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
 # ./test
 # cat /proc/meminfo | grep HugePages_
 HugePages_Total: 2
 HugePages_Free: 1
 HugePages_Rsvd: 18446744073709551615
 HugePages_Surp: 0

Reason in this particular case is that vma_wants_writenotify() will return "true", removing VM_SHARED in vma_set_page_prot() to map pages write-protected. Let's teach vma_wants_writenotify() that hugetlb does not support softdirty tracking.

Link: https://lkml.kernel.org/r/20220811103435.188481-1-david@redhat.com
Link: https://lkml.kernel.org/r/20220811103435.188481-2-david@redhat.com
Fixes: 64e455079e1b ("mm: softdirty: enable write notifications on VMAs after VM_SOFTDIRTY cleared")
Signed-off-by: David Hildenbrand
Reviewed-by: Mike Kravetz
Cc: Peter Feiner
Cc: Kirill A. Shutemov
Cc: Cyrill Gorcunov
Cc: Pavel Emelyanov
Cc: Jamie Liu
Cc: Hugh Dickins
Cc: Naoya Horiguchi
Cc: Bjorn Helgaas
Cc: Muchun Song
Cc: Peter Xu
Cc: [3.18+]
Signed-off-by: Andrew Morton
Signed-off-by: David Hildenbrand
Signed-off-by: Greg Kroah-Hartman
--- mm/mmap.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- a/mm/mmap.c +++ b/mm/mmap.c 
@@ -1593,8 +1593,12 @@ int vma_wants_writenotify(struct vm_area pgprot_val(vm_pgprot_modify(vm_page_prot, vm_flags))) return 0; =20 - /* Do we need to track softdirty? */ - if (IS_ENABLED(CONFIG_MEM_SOFT_DIRTY) && !(vm_flags & VM_SOFTDIRTY)) + /* + * Do we need to track softdirty? hugetlb does not support softdirty + * tracking yet. + */ + if (IS_ENABLED(CONFIG_MEM_SOFT_DIRTY) && !(vm_flags & VM_SOFTDIRTY) && + !is_vm_hugetlb_page(vma)) return 1; =20 /* Specialty mapping? */
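Review bot: the added `!is_vm_hugetlb_page(vma)` term means a hugetlb VMA whose VM_SOFTDIRTY was cleared never asks for write-notify, and the new comment records only that tracking is not supported "yet", not what a caller should expect in the meantime. Spell out in the comment that hugetlb mappings are deliberately exempt from soft-dirty write protection, and carry the reproducer from the commit message into the tree as a selftest so the SIGBUS and the wrapped HugePages_Rsvd count stay covered.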
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Greg Kroah-Hartman , Jann Horn Subject: [PATCH 4.9 17/31] mm: Force TLB flush for PFNMAP mappings before unlink_file_vma() Date: Fri, 2 Sep 2022 14:18:43 +0200 Message-Id: <20220902121357.380353210@linuxfoundation.org> X-Mailer: git-send-email 2.37.3 In-Reply-To: <20220902121356.732130937@linuxfoundation.org> References: <20220902121356.732130937@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8"

From: Jann Horn

commit b67fbebd4cf980aecbcc750e1462128bffe8ae15 upstream.

Some drivers rely on having all VMAs through which a PFN might be accessible listed in the rmap for correctness. However, on X86, it was possible for a VMA with stale TLB entries to not be listed in the rmap.

This was fixed in mainline with commit b67fbebd4cf9 ("mmu_gather: Force tlb-flush VM_PFNMAP vmas"), but that commit relies on preceding refactoring in commit 18ba064e42df3 ("mmu_gather: Let there be one tlb_{start,end}_vma() implementation") and commit 1e9fdf21a4339 ("mmu_gather: Remove per arch tlb_{start,end}_vma()").

This patch provides equivalent protection without needing that refactoring, by forcing a TLB flush between removing PTEs in unmap_vmas() and the call to unlink_file_vma() in free_pgtables().

[This is a stable-specific rewrite of the upstream commit!]
Signed-off-by: Jann Horn
Signed-off-by: Greg Kroah-Hartman
Tested-by: Florian Fainelli
Tested-by: Guenter Roeck
Tested-by: Linux Kernel Functional Testing
Tested-by: Pavel Machek (CIP)
Tested-by: Shuah Khan
--- mm/mmap.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) --- a/mm/mmap.c +++ b/mm/mmap.c 
@@ -2529,6 +2529,18 @@ static void unmap_region(struct mm_struc tlb_gather_mmu(&tlb, mm, start, end); update_hiwater_rss(mm); unmap_vmas(&tlb, vma, start, end); + + /* + * Ensure we have no stale TLB entries by the time this mapping is + * removed from the rmap. + * Note that we don't have to worry about nested flushes here because + * we're holding the mm semaphore for removing the mapping - so any + * concurrent flush in this region has to be coming through the rmap, + * and we synchronize against that using the rmap lock. + */ + if ((vma->vm_flags & (VM_PFNMAP|VM_MIXEDMAP)) !=3D 0) + tlb_flush_mmu(&tlb); + free_pgtables(&tlb, vma, prev ? prev->vm_end : FIRST_USER_ADDRESS, next ? next->vm_start : USER_PGTABLES_CEILING); tlb_finish_mmu(&tlb, start, end);
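Review bot: the new test reads only `vma->vm_flags`, that is the first VMA handed to unmap_region(), while the surrounding `unmap_vmas(&tlb, vma, start, end)` and `free_pgtables(&tlb, vma, ...)` calls take `vma` as the starting point for everything between `start` and `end`. If a later VMA in that range is VM_PFNMAP or VM_MIXEDMAP and the first one is not, the forced flush is skipped and the stale-TLB window described in the commit message stays open for it. Either walk the VMAs covered by the range and flush when any of them carries one of the two flags, or flush unconditionally at this point.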
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, David Hildenbrand , Heiko Carstens , Gerald Schaefer , Vasily Gorbik Subject: [PATCH 4.9 18/31] s390/mm: do not trigger write fault when vma does not allow VM_WRITE Date: Fri, 2 Sep 2022 14:18:44 +0200 Message-Id: <20220902121357.431340840@linuxfoundation.org> X-Mailer: git-send-email 2.37.3 In-Reply-To: <20220902121356.732130937@linuxfoundation.org> References: <20220902121356.732130937@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" 
From: Gerald Schaefer

commit 41ac42f137080bc230b5882e3c88c392ab7f2d32 upstream.

For non-protection pXd_none() page faults in do_dat_exception(), we call do_exception() with access == (VM_READ | VM_WRITE | VM_EXEC). In do_exception(), vma->vm_flags is checked against that before calling handle_mm_fault().

Since commit 92f842eac7ee3 ("[S390] store indication fault optimization"), we call handle_mm_fault() with FAULT_FLAG_WRITE, when recognizing that it was a write access. However, the vma flags check is still only checking against (VM_READ | VM_WRITE | VM_EXEC), and therefore also calling handle_mm_fault() with FAULT_FLAG_WRITE in cases where the vma does not allow VM_WRITE.

Fix this by changing access check in do_exception() to VM_WRITE only, when recognizing write access.

Link: https://lkml.kernel.org/r/20220811103435.188481-3-david@redhat.com
Fixes: 92f842eac7ee3 ("[S390] store indication fault optimization")
Cc:
Reported-by: David Hildenbrand
Reviewed-by: Heiko Carstens
Signed-off-by: Gerald Schaefer
Signed-off-by: Vasily Gorbik
Signed-off-by: Gerald Schaefer
Signed-off-by: Greg Kroah-Hartman
Tested-by: Florian Fainelli
Tested-by: Guenter Roeck
Tested-by: Linux Kernel Functional Testing
Tested-by: Pavel Machek (CIP)
Tested-by: Shuah Khan
--- arch/s390/mm/fault.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/arch/s390/mm/fault.c +++ b/arch/s390/mm/fault.c 
@@ -409,7 +409,9 @@ static inline int do_exception(struct pt flags =3D FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_KILLABLE; if (user_mode(regs)) flags |=3D FAULT_FLAG_USER; - if (access =3D=3D VM_WRITE || (trans_exc_code & store_indication) =3D=3D = 0x400) + if ((trans_exc_code & store_indication) =3D=3D 0x400) + access =3D VM_WRITE; + if (access =3D=3D VM_WRITE) flags |=3D FAULT_FLAG_WRITE; down_read(&mm->mmap_sem);
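Review bot: `access = VM_WRITE;` overwrites the caller-supplied mask in the middle of the fault-flag setup, and the vma->vm_flags comparison it is meant to tighten lies outside this hunk, so nothing at the assignment explains why the mask is narrowed. Add a short comment there saying that a recognised store has to be checked against VM_WRITE alone before handle_mm_fault() is called with FAULT_FLAG_WRITE, and consider a named constant for the bare `0x400` store-indication value.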
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Tony Luck , Gayatri Kammela , Linus Torvalds , Peter Zijlstra , Rahul Tanwar , Thomas Gleixner , Ingo Molnar , Pawan Gupta Subject: [PATCH 4.9 19/31] x86/cpu: Add Tiger Lake to Intel family Date: Fri, 2 Sep 2022 14:18:45 +0200 Message-Id: <20220902121357.468592657@linuxfoundation.org> X-Mailer: git-send-email 2.37.3 In-Reply-To: <20220902121356.732130937@linuxfoundation.org> References: <20220902121356.732130937@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8"

From: Gayatri Kammela

commit 6e1c32c5dbb4b90eea8f964c2869d0bde050dbe0 upstream.

Add the model numbers/CPUIDs of Tiger Lake mobile and desktop to the Intel family.

Suggested-by: Tony Luck
Signed-off-by: Gayatri Kammela
Signed-off-by: Tony Luck
Reviewed-by: Tony Luck
Cc: Linus Torvalds
Cc: Peter Zijlstra
Cc: Rahul Tanwar
Cc: Thomas Gleixner
Link: https://lkml.kernel.org/r/20190905193020.14707-2-tony.luck@intel.com
Signed-off-by: Ingo Molnar
Signed-off-by: Pawan Gupta
Signed-off-by: Greg Kroah-Hartman
Tested-by: Florian Fainelli
Tested-by: Guenter Roeck
Tested-by: Linux Kernel Functional Testing
Tested-by: Pavel Machek (CIP)
Tested-by: Shuah Khan
--- arch/x86/include/asm/intel-family.h | 3 +++ 1 file changed, 3 insertions(+) --- a/arch/x86/include/asm/intel-family.h +++ b/arch/x86/include/asm/intel-family.h 
@@ -70,6 +70,9 @@ #define INTEL_FAM6_ALDERLAKE 0x97 #define INTEL_FAM6_ALDERLAKE_L 0x9A =20 +#define INTEL_FAM6_TIGERLAKE_L 0x8C +#define INTEL_FAM6_TIGERLAKE 0x8D + /* "Small Core" Processors (Atom) */ =20 #define INTEL_FAM6_ATOM_BONNELL 0x1C /* Diamondville, Pineview */
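Review bot: the two new defines are placed after INTEL_FAM6_ALDERLAKE (0x97) and INTEL_FAM6_ALDERLAKE_L (0x9A), so in the lines visible here the model numbers stop ascending (0x8C and 0x8D follow 0x9A). Move TIGERLAKE_L and TIGERLAKE ahead of the Alder Lake pair so a reader scanning for a model ID finds it where the ordering suggests.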
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Andrew Cooper , Tony Luck , Pawan Gupta , Borislav Petkov Subject: [PATCH 4.9 20/31] x86/bugs: Add "unknown" reporting for MMIO Stale Data Date: Fri, 2 Sep 2022 14:18:46 +0200 Message-Id: <20220902121357.499428870@linuxfoundation.org> X-Mailer: git-send-email 2.37.3 In-Reply-To: <20220902121356.732130937@linuxfoundation.org> References: <20220902121356.732130937@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8"

From: Pawan Gupta

commit 7df548840c496b0141fb2404b889c346380c2b22 upstream.

Older Intel CPUs that are not in the affected processor list for MMIO Stale Data vulnerabilities currently report "Not affected" in sysfs, which may not be correct. Vulnerability status for these older CPUs is unknown.

Add known-not-affected CPUs to the whitelist. Report "unknown" mitigation status for CPUs that are not in blacklist, whitelist and also don't enumerate MSR ARCH_CAPABILITIES bits that reflect hardware immunity to MMIO Stale Data vulnerabilities.

Mitigation is not deployed when the status is unknown.

[ bp: Massage, fixup. ]

Fixes: 8d50cdf8b834 ("x86/speculation/mmio: Add sysfs reporting for Processor MMIO Stale Data")
Suggested-by: Andrew Cooper
Suggested-by: Tony Luck
Signed-off-by: Pawan Gupta
Signed-off-by: Borislav Petkov
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/a932c154772f2121794a5f2eded1a11013114711.1657846269.git.pawan.kumar.gupta@linux.intel.com
Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) = =20 Tested-by: Shuah Khan --- Documentation/hw-vuln/processor_mmio_stale_data.rst | 14 ++++++++ arch/x86/include/asm/cpufeatures.h | 1=20 arch/x86/kernel/cpu/bugs.c | 14 +++++++- arch/x86/kernel/cpu/common.c | 34 +++++++++++++--= ----- 4 files changed, 50 insertions(+), 13 deletions(-) --- a/Documentation/hw-vuln/processor_mmio_stale_data.rst +++ b/Documentation/hw-vuln/processor_mmio_stale_data.rst @@ -230,6 +230,20 @@ The possible values in this file are: * - 'Mitigation: Clear CPU buffers' - The processor is vulnerable and the CPU buffer clearing mitigatio= n is enabled. + * - 'Unknown: No mitigations' + - The processor vulnerability status is unknown because it is + out of Servicing period. Mitigation is not attempted. + +Definitions: +------------ + +Servicing period: The process of providing functional and security updates= to +Intel processors or platforms, utilizing the Intel Platform Update (IPU) +process or other similar mechanisms. + +End of Servicing Updates (ESU): ESU is the date at which Intel will no +longer provide Servicing, such as through IPU or other similar update +processes. ESU dates will typically be aligned to end of quarter. =20 If the processor is vulnerable then the following information is appended = to the above information: --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h @@ -363,5 +363,6 @@ #define X86_BUG_ITLB_MULTIHIT X86_BUG(23) /* CPU may incur MCE during cer= tain page attribute changes */ #define X86_BUG_SRBDS X86_BUG(24) /* CPU may leak RNG bits if not mitiga= ted */ #define X86_BUG_MMIO_STALE_DATA X86_BUG(25) /* CPU is affected by Process= or MMIO Stale Data vulnerabilities */ +#define X86_BUG_MMIO_UNKNOWN X86_BUG(26) /* CPU is too old and its MMIO S= tale Data status is unknown */ =20 #endif /* _ASM_X86_CPUFEATURES_H */ 
--- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -395,7 +395,8 @@ static void __init mmio_select_mitigatio u64 ia32_cap; =20 if (!boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA) || - cpu_mitigations_off()) { + boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN) || + cpu_mitigations_off()) { mmio_mitigation =3D MMIO_MITIGATION_OFF; return; } @@ -500,6 +501,8 @@ out: pr_info("TAA: %s\n", taa_strings[taa_mitigation]); if (boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA)) pr_info("MMIO Stale Data: %s\n", mmio_strings[mmio_mitigation]); + else if (boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN)) + pr_info("MMIO Stale Data: Unknown: No mitigations\n"); } =20 static void __init md_clear_select_mitigation(void) @@ -1824,6 +1827,9 @@ static ssize_t tsx_async_abort_show_stat =20 static ssize_t mmio_stale_data_show_state(char *buf) { + if (boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN)) + return sysfs_emit(buf, "Unknown: No mitigations\n"); + if (mmio_mitigation =3D=3D MMIO_MITIGATION_OFF) return sysfs_emit(buf, "%s\n", mmio_strings[mmio_mitigation]); =20 @@ -1934,6 +1940,7 @@ static ssize_t cpu_show_common(struct de return srbds_show_state(buf); =20 case X86_BUG_MMIO_STALE_DATA: + case X86_BUG_MMIO_UNKNOWN: return mmio_stale_data_show_state(buf); =20 default: @@ -1990,6 +1997,9 @@ ssize_t cpu_show_srbds(struct device *de =20 ssize_t cpu_show_mmio_stale_data(struct device *dev, struct device_attribu= te *attr, char *buf) { - return cpu_show_common(dev, attr, buf, X86_BUG_MMIO_STALE_DATA); + if (boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN)) + return cpu_show_common(dev, attr, buf, X86_BUG_MMIO_UNKNOWN); + else + return cpu_show_common(dev, attr, buf, X86_BUG_MMIO_STALE_DATA); } #endif --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c 
@@ -899,6 +899,7 @@ static void identify_cpu_without_cpuid(s #define MSBDS_ONLY BIT(5) #define NO_SWAPGS BIT(6) #define NO_ITLB_MULTIHIT BIT(7) +#define NO_MMIO BIT(8) =20 #define VULNWL(_vendor, _family, _model, _whitelist) \ { X86_VENDOR_##_vendor, _family, _model, X86_FEATURE_ANY, _whitelist } @@ -916,6 +917,11 @@ static const __initconst struct x86_cpu_ VULNWL(NSC, 5, X86_MODEL_ANY, NO_SPECULATION), =20 /* Intel Family 6 */ + VULNWL_INTEL(TIGERLAKE, NO_MMIO), + VULNWL_INTEL(TIGERLAKE_L, NO_MMIO), + VULNWL_INTEL(ALDERLAKE, NO_MMIO), + VULNWL_INTEL(ALDERLAKE_L, NO_MMIO), + VULNWL_INTEL(ATOM_SALTWELL, NO_SPECULATION | NO_ITLB_MULTIHIT), VULNWL_INTEL(ATOM_SALTWELL_TABLET, NO_SPECULATION | NO_ITLB_MULTIHIT), VULNWL_INTEL(ATOM_SALTWELL_MID, NO_SPECULATION | NO_ITLB_MULTIHIT), @@ -933,9 +939,9 @@ static const __initconst struct x86_cpu_ =20 VULNWL_INTEL(ATOM_AIRMONT_MID, NO_L1TF | MSBDS_ONLY | NO_SWAPGS | NO_ITL= B_MULTIHIT), =20 - VULNWL_INTEL(ATOM_GOLDMONT, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTI= HIT), - VULNWL_INTEL(ATOM_GOLDMONT_X, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MUL= TIHIT), - VULNWL_INTEL(ATOM_GOLDMONT_PLUS, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_M= ULTIHIT), + VULNWL_INTEL(ATOM_GOLDMONT, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTI= HIT | NO_MMIO), + VULNWL_INTEL(ATOM_GOLDMONT_X, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MUL= TIHIT | NO_MMIO), + VULNWL_INTEL(ATOM_GOLDMONT_PLUS, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_M= ULTIHIT | NO_MMIO), =20 /* * Technically, swapgs isn't serializing on AMD (despite it previously 
@@ -946,13 +952,13 @@ static const __initconst struct x86_cpu_ */ =20 /* AMD Family 0xf - 0x12 */ - VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO= _ITLB_MULTIHIT), - VULNWL_AMD(0x10, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO= _ITLB_MULTIHIT), - VULNWL_AMD(0x11, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO= _ITLB_MULTIHIT), - VULNWL_AMD(0x12, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO= _ITLB_MULTIHIT), + VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO= _ITLB_MULTIHIT | NO_MMIO), + VULNWL_AMD(0x10, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO= _ITLB_MULTIHIT | NO_MMIO), + VULNWL_AMD(0x11, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO= _ITLB_MULTIHIT | NO_MMIO), + VULNWL_AMD(0x12, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO= _ITLB_MULTIHIT | NO_MMIO), =20 /* FAMILY_ANY must be last, otherwise 0x0f - 0x12 matches won't work */ - VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS | N= O_ITLB_MULTIHIT), + VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS | N= O_ITLB_MULTIHIT | NO_MMIO), {} }; =20 
@@ -1092,10 +1098,16 @@ static void __init cpu_set_bug_bits(stru * Affected CPU list is generally enough to enumerate the vulnerability, * but for virtualization case check for ARCH_CAP MSR bits also, VMM may * not want the guest to enumerate the bug. + * + * Set X86_BUG_MMIO_UNKNOWN for CPUs that are neither in the blacklist, + * nor in the whitelist and also don't enumerate MSR ARCH_CAP MMIO bits. */ - if (cpu_matches(cpu_vuln_blacklist, MMIO) && - !arch_cap_mmio_immune(ia32_cap)) - setup_force_cpu_bug(X86_BUG_MMIO_STALE_DATA); + if (!arch_cap_mmio_immune(ia32_cap)) { + if (cpu_matches(cpu_vuln_blacklist, MMIO)) + setup_force_cpu_bug(X86_BUG_MMIO_STALE_DATA); + else if (!cpu_matches(cpu_vuln_whitelist, NO_MMIO)) + setup_force_cpu_bug(X86_BUG_MMIO_UNKNOWN); + } =20 if (cpu_matches(cpu_vuln_whitelist, NO_MELTDOWN)) return;
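Review bot: in mmio_select_mitigation() (arch/x86/kernel/cpu/bugs.c) the added `boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN)` term cannot change the result, because cpu_set_bug_bits() sets X86_BUG_MMIO_STALE_DATA and X86_BUG_MMIO_UNKNOWN on the two arms of one if/else-if, so whenever UNKNOWN is set the preceding `!boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA)` is already true. Drop the term, or keep it with a comment saying it is defensive; the "Unknown: No mitigations" literal is also repeated in pr_info() and sysfs_emit() and would be safer as one shared string.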
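Review bot: in cpu_set_bug_bits() (arch/x86/kernel/cpu/common.c) X86_BUG_MMIO_UNKNOWN is decided purely by list membership and the ARCH_CAP bits, with no vendor or date check, while the new text in processor_mmio_stale_data.rst explains 'Unknown: No mitigations' as the processor being out of its Servicing period. Reword the documentation to state the condition the code actually tests, and confirm that whitelist entries left without NO_MMIO in this diff, such as the ATOM_AIRMONT_MID context line, are meant to fall through to Unknown rather than being known unaffected.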
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jing Leng , Masahiro Yamada , Nicolas Schier Subject: [PATCH 4.9 21/31] kbuild: Fix include path in scripts/Makefile.modpost Date: Fri, 2 Sep 2022 14:18:47 +0200 Message-Id: <20220902121357.540870777@linuxfoundation.org> X-Mailer: git-send-email 2.37.3 In-Reply-To: <20220902121356.732130937@linuxfoundation.org> References: <20220902121356.732130937@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8"

From: Jing Leng

commit 23a0cb8e3225122496bfa79172005c587c2d64bf upstream.

When building an external module, if users don't need to separate the compilation output and source code, they run the following command: "make -C $(LINUX_SRC_DIR) M=$(PWD)". At this point, "$(KBUILD_EXTMOD)" and "$(src)" are the same.

If they need to separate them, they run "make -C $(KERNEL_SRC_DIR) O=$(KERNEL_OUT_DIR) M=$(OUT_DIR) src=$(PWD)". Before running the command, they need to copy "Kbuild" or "Makefile" to "$(OUT_DIR)" to prevent compilation failure.

So the kernel should change the included path to avoid the copy operation.

Signed-off-by: Jing Leng
[masahiro: I do not think "M=$(OUT_DIR) src=$(PWD)" is the official way, but this patch is a nice clean up anyway.]
Signed-off-by: Masahiro Yamada
[nsc: updated context for v4.19]
Signed-off-by: Nicolas Schier
Signed-off-by: Greg Kroah-Hartman
Tested-by: Florian Fainelli
Tested-by: Guenter Roeck
Tested-by: Linux Kernel Functional Testing
Tested-by: Pavel Machek (CIP)
Tested-by: Shuah Khan
--- scripts/Makefile.modpost | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- a/scripts/Makefile.modpost +++ b/scripts/Makefile.modpost 
@@ -50,8 +50,7 @@ obj :=3D $(KBUILD_EXTMOD) src :=3D $(obj) =20 # Include the module's Makefile to find KBUILD_EXTRA_SYMBOLS -include $(if $(wildcard $(KBUILD_EXTMOD)/Kbuild), \ - $(KBUILD_EXTMOD)/Kbuild, $(KBUILD_EXTMOD)/Makefile) +include $(if $(wildcard $(src)/Kbuild), $(src)/Kbuild, $(src)/Makefile) endif =20 include scripts/Makefile.lib From nobody Wed Apr 8 10:32:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D0388ECAAD5 for ; Fri, 2 Sep 2022 12:23:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236250AbiIBMXR (ORCPT ); Fri, 2 Sep 2022 08:23:17 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49224 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235974AbiIBMWZ (ORCPT ); Fri, 2 Sep 2022 08:22:25 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4BB22D5E82; Fri, 2 Sep 2022 05:21:34 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 88374B82A90; Fri, 2 Sep 2022 12:21:32 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id ED74AC433D6; Fri, 2 Sep 2022 12:21:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1662121291; bh=JQFNrQh+IOFH4m7hcCdP9BS4HmO5CZMsPhFqdg8qEUM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=2sXizUrkSeMOgkDMcVrLGxUifRUG/FoDJlczpWyrPzR4fSak7MNoWGYkhktBnKWFW 47CtmleKVL8ue/pWeivTZRaH3mcJwmM0c7kU8ZidN3bJMVW4ktZjN9OWtnqu0+sfn/ k/9v0/sk3jmTfVR/XTlhTzCia1yxQm5YcRhLktfk= 
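Review bot: in scripts/Makefile.modpost, the new include line reads `$(src)`, but the context lines directly above it are `obj := $(KBUILD_EXTMOD)` and `src := $(obj)`, so as written both spellings expand to the same directory unless `src` is overridden on the make command line. The change therefore depends on the command-line value taking precedence over that assignment, and the bracketed maintainer remark in the log already questions whether "M=... src=..." is a supported invocation. A one-line comment next to the include stating why `$(src)` is used would keep a later cleanup from changing it back to `$(KBUILD_EXTMOD)`.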
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Luiz Augusto von Dentz , Sudip Mukherjee Subject: [PATCH 4.9 22/31] Bluetooth: L2CAP: Fix build errors in some archs Date: Fri, 2 Sep 2022 14:18:48 +0200 Message-Id: <20220902121357.578821105@linuxfoundation.org> X-Mailer: git-send-email 2.37.3 In-Reply-To: <20220902121356.732130937@linuxfoundation.org> References: <20220902121356.732130937@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Luiz Augusto von Dentz commit b840304fb46cdf7012722f456bce06f151b3e81b upstream. This attempts to fix the follow errors: In function 'memcmp', inlined from 'bacmp' at ./include/net/bluetooth/bluetooth.h:347:9, inlined from 'l2cap_global_chan_by_psm' at net/bluetooth/l2cap_core.c:2003:15: ./include/linux/fortify-string.h:44:33: error: '__builtin_memcmp' specified bound 6 exceeds source size 0 [-Werror=3Dstringop-overread] 44 | #define __underlying_memcmp __builtin_memcmp | ^ ./include/linux/fortify-string.h:420:16: note: in expansion of macro '__underlying_memcmp' 420 | return __underlying_memcmp(p, q, size); | ^~~~~~~~~~~~~~~~~~~ In function 'memcmp', inlined from 'bacmp' at ./include/net/bluetooth/bluetooth.h:347:9, inlined from 'l2cap_global_chan_by_psm' at net/bluetooth/l2cap_core.c:2004:15: ./include/linux/fortify-string.h:44:33: error: '__builtin_memcmp' specified bound 6 exceeds source size 0 [-Werror=3Dstringop-overread] 44 | #define __underlying_memcmp __builtin_memcmp | ^ ./include/linux/fortify-string.h:420:16: note: in expansion of macro '__underlying_memcmp' 420 | return __underlying_memcmp(p, q, size); | ^~~~~~~~~~~~~~~~~~~ Fixes: 332f1795ca20 ("Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm regres= sion") Signed-off-by: Luiz Augusto von Dentz Cc: Sudip Mukherjee 
Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) = =20 Tested-by: Shuah Khan --- net/bluetooth/l2cap_core.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c 
@@ -1826,11 +1826,11 @@ static struct l2cap_chan *l2cap_global_c src_match =3D !bacmp(&c->src, src); dst_match =3D !bacmp(&c->dst, dst); if (src_match && dst_match) { - c =3D l2cap_chan_hold_unless_zero(c); - if (c) { - read_unlock(&chan_list_lock); - return c; - } + if (!l2cap_chan_hold_unless_zero(c)) + continue; + + read_unlock(&chan_list_lock); + return c; } =20 /* Closest match */ From nobody Wed Apr 8 10:32:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id B3EB3C38145 for ; Fri, 2 Sep 2022 12:23:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236280AbiIBMXn (ORCPT ); Fri, 2 Sep 2022 08:23:43 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49916 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236195AbiIBMWi (ORCPT ); Fri, 2 Sep 2022 08:22:38 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 77AE2D572E; Fri, 2 Sep 2022 05:21:47 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id A5350B82A98; Fri, 2 Sep 2022 12:21:35 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id E3CE5C4314E; Fri, 2 Sep 2022 12:21:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1662121294; bh=LXFuGh52Ih6ViWxD28QZenZPx37roNq6XBQnL5p6ONg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=bNSsLdOAkcOrJF2jS0/J8H8nmLSzvYtJs016Egh1bn/cmNQtT9lz2IZSKmOuqQe8Q o55az21jHwv41ZZEgmrXbCd0Olna3tEY+NvopWpHZD878CO6gyCMrPRL6TOh5RPcpc 1rZbJMEVtXq14TnQh2trjn72M0k1Ed2xZK7H6siw= 
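Review bot: in l2cap_global_chan_by_psm(), the commit message quotes only the -Wstringop-overread output and never states the behaviour change this hunk makes. The removed code assigned the result of l2cap_chan_hold_unless_zero() back to `c` and, when that was NULL, fell through to the "Closest match" section; the new code leaves `c` untouched and uses `continue`, so a channel whose hold fails is now skipped for the closest-match comparison as well. Please say that in the log, since it is a functional change on the lookup path and not only a warning fix.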
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+77b432d57c4791183ed4@syzkaller.appspotmail.com, Dongliang Mu , Hans Verkuil , Mauro Carvalho Chehab Subject: [PATCH 4.9 23/31] media: pvrusb2: fix memory leak in pvr_probe Date: Fri, 2 Sep 2022 14:18:49 +0200 Message-Id: <20220902121357.611984352@linuxfoundation.org> X-Mailer: git-send-email 2.37.3 In-Reply-To: <20220902121356.732130937@linuxfoundation.org> References: <20220902121356.732130937@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Dongliang Mu commit 945a9a8e448b65bec055d37eba58f711b39f66f0 upstream. The error handling code in pvr2_hdw_create forgets to unregister the v4l2 device. When pvr2_hdw_create returns back to pvr2_context_create, it calls pvr2_context_destroy to destroy context, but mp->hdw is NULL, which leads to that pvr2_hdw_destroy directly returns. Fix this by adding v4l2_device_unregister to decrease the refcount of usb interface. Reported-by: syzbot+77b432d57c4791183ed4@syzkaller.appspotmail.com Signed-off-by: Dongliang Mu Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) = =20 Tested-by: Shuah Khan --- drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 1 + 1 file changed, 1 insertion(+) --- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c +++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c 
@@ -2656,6 +2656,7 @@ struct pvr2_hdw *pvr2_hdw_create(struct del_timer_sync(&hdw->encoder_run_timer); del_timer_sync(&hdw->encoder_wait_timer); flush_work(&hdw->workpoll); + v4l2_device_unregister(&hdw->v4l2_dev); usb_free_urb(hdw->ctl_read_urb); usb_free_urb(hdw->ctl_write_urb); kfree(hdw->ctl_read_buffer); From nobody Wed Apr 8 10:32:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1EAB4ECAAD5 for ; Fri, 2 Sep 2022 12:23:50 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236253AbiIBMXr (ORCPT ); Fri, 2 Sep 2022 08:23:47 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48466 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236201AbiIBMWn (ORCPT ); Fri, 2 Sep 2022 08:22:43 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9B33FD5E88; Fri, 2 Sep 2022 05:21:47 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id EB04F620C5; Fri, 2 Sep 2022 12:21:37 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 07DDEC433C1; Fri, 2 Sep 2022 12:21:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1662121297; bh=ggkzR7fXpZd66zV4XncdCKBI8YV+okgrGR8z07c89yk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Ss8vjLUQSGodLcIZgP1SaS4jeLIY6QMKK4e41oOO5DQ7TiLzY8fPTBbFOF8M1vuqn ItLBYhpHD2P4/hWl3Hoxej/DeITI/eRYVJpLBzgJPx2HVWDQKK/+FYUX7Y8+INtQLU 6qnmQlfT4pdqC0Y58ouHSsXAfSN9CBOtk+DC/1Ek= 
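Review bot: in the failure path of pvr2_hdw_create(), the added `v4l2_device_unregister(&hdw->v4l2_dev);` runs unconditionally, and the hunk does not show whether every jump into this cleanup sequence happens after the v4l2 device was registered. If the cleanup is reachable before registration, or after registration itself failed, confirm that unregistering a device that was never registered is harmless here, or guard the call.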
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+f59100a0428e6ded9443@syzkaller.appspotmail.com, Karthik Alapati , Jiri Kosina Subject: [PATCH 4.9 24/31] HID: hidraw: fix memory leak in hidraw_release() Date: Fri, 2 Sep 2022 14:18:50 +0200 Message-Id: <20220902121357.642923635@linuxfoundation.org> X-Mailer: git-send-email 2.37.3 In-Reply-To: <20220902121356.732130937@linuxfoundation.org> References: <20220902121356.732130937@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" 
From: Karthik Alapati commit a5623a203cffe2d2b84d2f6c989d9017db1856af upstream. Free the buffered reports before deleting the list entry. BUG: memory leak unreferenced object 0xffff88810e72f180 (size 32): comm "softirq", pid 0, jiffies 4294945143 (age 16.080s) hex dump (first 32 bytes): 64 f3 c6 6a d1 88 07 04 00 00 00 00 00 00 00 00 d..j............ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [] kmemdup+0x23/0x50 mm/util.c:128 [] kmemdup include/linux/fortify-string.h:440 [inline] [] hidraw_report_event+0xa2/0x150 drivers/hid/hidraw.= c:521 [] hid_report_raw_event+0x27d/0x740 drivers/hid/hid-c= ore.c:1992 [] hid_input_report+0x1ae/0x270 drivers/hid/hid-core.= c:2065 [] hid_irq_in+0x1ff/0x250 drivers/hid/usbhid/hid-core= .c:284 [] __usb_hcd_giveback_urb+0xf9/0x230 drivers/usb/core= /hcd.c:1670 [] usb_hcd_giveback_urb+0x1b6/0x1d0 drivers/usb/core/= hcd.c:1747 [] dummy_timer+0x8e4/0x14c0 drivers/usb/gadget/udc/du= mmy_hcd.c:1988 [] call_timer_fn+0x38/0x200 kernel/time/timer.c:1474 [] expire_timers kernel/time/timer.c:1519 [inline] [] __run_timers.part.0+0x316/0x430 kernel/time/timer.= c:1790 [] __run_timers kernel/time/timer.c:1768 [inline] [] run_timer_softirq+0x44/0x90 kernel/time/timer.c:18= 03 [] __do_softirq+0xe6/0x2ea kernel/softirq.c:571 [] invoke_softirq kernel/softirq.c:445 [inline] [] __irq_exit_rcu kernel/softirq.c:650 [inline] [] irq_exit_rcu+0xc0/0x110 kernel/softirq.c:662 [] sysvec_apic_timer_interrupt+0xa2/0xd0 arch/x86/ker= nel/apic/apic.c:1106 [] asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86= /include/asm/idtentry.h:649 [] native_safe_halt arch/x86/include/asm/irqflags.h:5= 1 [inline] [] arch_safe_halt arch/x86/include/asm/irqflags.h:89 = [inline] [] acpi_safe_halt drivers/acpi/processor_idle.c:111 [= inline] [] acpi_idle_do_entry+0xc0/0xd0 drivers/acpi/processo= r_idle.c:554 Link: https://syzkaller.appspot.com/bug?id=3D19a04b43c75ed1092021010419b5e5= 60a8172c4f Reported-by: 
syzbot+f59100a0428e6ded9443@syzkaller.appspotmail.com Signed-off-by: Karthik Alapati Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) = =20 Tested-by: Shuah Khan --- drivers/hid/hidraw.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/hid/hidraw.c +++ b/drivers/hid/hidraw.c 
@@ -354,10 +354,13 @@ static int hidraw_release(struct inode * unsigned int minor =3D iminor(inode); struct hidraw_list *list =3D file->private_data; unsigned long flags; + int i; =20 mutex_lock(&minors_lock); =20 spin_lock_irqsave(&hidraw_table[minor]->list_lock, flags); + for (i =3D list->tail; i < list->head; i++) + kfree(list->buffer[i].value); list_del(&list->node); spin_unlock_irqrestore(&hidraw_table[minor]->list_lock, flags); kfree(list); From nobody Wed Apr 8 10:32:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 83AE0C38145 for ; Fri, 2 Sep 2022 12:24:00 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236172AbiIBMX6 (ORCPT ); Fri, 2 Sep 2022 08:23:58 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49228 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236237AbiIBMXG (ORCPT ); Fri, 2 Sep 2022 08:23:06 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CCB69D87E0; Fri, 2 Sep 2022 05:21:54 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id D0E00620ED; Fri, 2 Sep 2022 12:21:40 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id DEBF2C433C1; Fri, 2 Sep 2022 12:21:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1662121300; bh=X2kyHRGmPFA4IG7DMX7lJ498RS9kJ6XcbHqpncdeLrk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=1Aw3XBgfwTPJpXaX3MBwXEOlqqqik8ZfAybFJx2CO6JcTzqE8mBpsdU41OWEgmUo6 
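Review bot: in hidraw_release(), the loop `for (i = list->tail; i < list->head; i++)` only frees entries while tail is numerically below head. If list->buffer is used as a ring, where head wraps back to a low index while tail is still near the end, the condition is false on the first iteration and the queued reports are leaked exactly as before. Walking from tail until it equals head, with the same wrap-around step the producer uses, covers both cases; setting each .value to NULL after kfree() would also guard against a later double free.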
z0251/s3SxmvohcMgM/rmuRNPOB/HbS/6RWClecfx3g8QcywPyS1MYK706luHrFyFJ q0rliq4MXp6fCQbMMvddrfSbZZ6ExkyyZVgQBK/c= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Zheyu Ma , Letu Ren , Helge Deller Subject: [PATCH 4.9 25/31] fbdev: fb_pm2fb: Avoid potential divide by zero error Date: Fri, 2 Sep 2022 14:18:51 +0200 Message-Id: <20220902121357.673526487@linuxfoundation.org> X-Mailer: git-send-email 2.37.3 In-Reply-To: <20220902121356.732130937@linuxfoundation.org> References: <20220902121356.732130937@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Letu Ren commit 19f953e7435644b81332dd632ba1b2d80b1e37af upstream. In `do_fb_ioctl()` of fbmem.c, if cmd is FBIOPUT_VSCREENINFO, var will be copied from user, then go through `fb_set_var()` and `info->fbops->fb_check_var()` which could may be `pm2fb_check_var()`. Along the path, `var->pixclock` won't be modified. This function checks whether reciprocal of `var->pixclock` is too high. If `var->pixclock` is zero, there will be a divide by zero error. So, it is necessary to check whether denominator is zero to avoid crash. As this bug is found by Syzkaller, logs are listed below. divide error in pm2fb_check_var Call Trace: fb_set_var+0x367/0xeb0 drivers/video/fbdev/core/fbmem.c:1015 do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1110 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1189 Reported-by: Zheyu Ma Signed-off-by: Letu Ren Signed-off-by: Helge Deller Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) = =20 Tested-by: Shuah Khan --- drivers/video/fbdev/pm2fb.c | 5 +++++ 1 file changed, 5 insertions(+) --- a/drivers/video/fbdev/pm2fb.c +++ b/drivers/video/fbdev/pm2fb.c 
@@ -614,6 +614,11 @@ static int pm2fb_check_var(struct fb_var return -EINVAL; } =20 + if (!var->pixclock) { + DPRINTK("pixclock is zero\n"); + return -EINVAL; + } + if (PICOS2KHZ(var->pixclock) > PM2_MAX_PIXCLOCK) { DPRINTK("pixclock too high (%ldKHz)\n", PICOS2KHZ(var->pixclock)); From nobody Wed Apr 8 10:32:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 46308C38145 for ; Fri, 2 Sep 2022 12:23:54 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236164AbiIBMXv (ORCPT ); Fri, 2 Sep 2022 08:23:51 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49162 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236117AbiIBMWt (ORCPT ); Fri, 2 Sep 2022 08:22:49 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E2D03D7D2E; Fri, 2 Sep 2022 05:21:51 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 6216DB82A91; Fri, 2 Sep 2022 12:21:44 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id B06F0C433C1; Fri, 2 Sep 2022 12:21:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1662121303; bh=e7jvzLJ4xkatYaKX3SS3SbMecQCTJzC7+f0vHrbkEco=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=EtimhdcFXbK9Kj41FBYyUrXv+9JyY2El51kxVJ5j8QiIRDTKRygARQljaHpFJPi8f QZsxVnlxOsvQ5W6emQjNlcu6tpBI4pWmef+OrxeUU2eDe1NehReJ+eQkXe+pI0zxXs xeQ9CPeYLZzpyzCkY2AudHZs6tmobchIOYy7X3tU= 
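Review bot: the zero check added to pm2fb_check_var() guards only this driver, while the commit message describes the value arriving from user space through FBIOPUT_VSCREENINFO and fb_set_var() and reaching whichever fb_check_var() the device registers. The log should state whether other drivers that pass var->pixclock to PICOS2KHZ() were audited, or whether the rejection belongs in the common path before the driver callback is invoked.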
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Steven Rostedt , Yang Jihong Subject: [PATCH 4.9 26/31] ftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is dead Date: Fri, 2 Sep 2022 14:18:52 +0200 Message-Id: <20220902121357.702815495@linuxfoundation.org> X-Mailer: git-send-email 2.37.3 In-Reply-To: <20220902121356.732130937@linuxfoundation.org> References: <20220902121356.732130937@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" 
From: Yang Jihong commit c3b0f72e805f0801f05fa2aa52011c4bfc694c44 upstream. ftrace_startup does not remove ops from ftrace_ops_list when ftrace_startup_enable fails: register_ftrace_function ftrace_startup __register_ftrace_function ... add_ftrace_ops(&ftrace_ops_list, ops) ... ... ftrace_startup_enable // if ftrace failed to modify, ftrace_disabled is= set to 1 ... return 0 // ops is in the ftrace_ops_list. When ftrace_disabled =3D 1, unregister_ftrace_function simply returns witho= ut doing anything: unregister_ftrace_function ftrace_shutdown if (unlikely(ftrace_disabled)) return -ENODEV; // return here, __unregister_ftrace_function i= s not executed, // as a result, ops is still in the ftrace_ops= _list __unregister_ftrace_function ... If ops is dynamically allocated, it will be free later, in this case, is_ftrace_trampoline accesses NULL pointer: is_ftrace_trampoline ftrace_ops_trampoline do_for_each_ftrace_op(op, ftrace_ops_list) // OOPS! op may be NULL! Syzkaller reports as follows: [ 1203.506103] BUG: kernel NULL pointer dereference, address: 0000000000000= 10b [ 1203.508039] #PF: supervisor read access in kernel mode [ 1203.508798] #PF: error_code(0x0000) - not-present page [ 1203.509558] PGD 800000011660b067 P4D 800000011660b067 PUD 130fb8067 PMD 0 [ 1203.510560] Oops: 0000 [#1] SMP KASAN PTI [ 1203.511189] CPU: 6 PID: 29532 Comm: syz-executor.2 Tainted: G B W = 5.10.0 #8 [ 1203.512324] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS = rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 1203.513895] RIP: 0010:is_ftrace_trampoline+0x26/0xb0 [ 1203.514644] Code: ff eb d3 90 41 55 41 54 49 89 fc 55 53 e8 f2 00 fd ff = 48 8b 1d 3b 35 5d 03 e8 e6 00 fd ff 48 8d bb 90 00 00 00 e8 2a 81 26 00 <48= > 8b ab 90 00 00 00 48 85 ed 74 1d e8 c9 00 fd ff 48 8d bb 98 00 [ 1203.518838] RSP: 0018:ffffc900012cf960 EFLAGS: 00010246 [ 1203.520092] RAX: 0000000000000000 RBX: 000000000000007b RCX: ffffffff8a3= 31866 [ 1203.521469] RDX: 0000000000000000 RSI: 
0000000000000008 RDI: 00000000000= 0010b [ 1203.522583] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff8df= 18b07 [ 1203.523550] R10: fffffbfff1be3160 R11: 0000000000000001 R12: 00000000004= 78399 [ 1203.524596] R13: 0000000000000000 R14: ffff888145088000 R15: 00000000000= 00008 [ 1203.525634] FS: 00007f429f5f4700(0000) GS:ffff8881daf00000(0000) knlGS:= 0000000000000000 [ 1203.526801] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1203.527626] CR2: 000000000000010b CR3: 0000000170e1e001 CR4: 00000000003= 706e0 [ 1203.528611] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 00000000000= 00000 [ 1203.529605] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 00000000000= 00400 Therefore, when ftrace_startup_enable fails, we need to rollback registrati= on process and remove ops from ftrace_ops_list. Link: https://lkml.kernel.org/r/20220818032659.56209-1-yangjihong1@huawei.c= om Suggested-by: Steven Rostedt Signed-off-by: Yang Jihong Signed-off-by: Steven Rostedt (Google) Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) = =20 Tested-by: Shuah Khan --- kernel/trace/ftrace.c | 10 ++++++++++ 1 file changed, 10 insertions(+) --- a/kernel/trace/ftrace.c +++ b/kernel/trace/ftrace.c 
@@ -2737,6 +2737,16 @@ static int ftrace_startup(struct ftrace_ =20 ftrace_startup_enable(command); =20 + /* + * If ftrace is in an undefined state, we just remove ops from list + * to prevent the NULL pointer, instead of totally rolling it back and + * free trampoline, because those actions could cause further damage. + */ + if (unlikely(ftrace_disabled)) { + __unregister_ftrace_function(ops); + return -ENODEV; + } + ops->flags &=3D ~FTRACE_OPS_FL_ADDING; =20 return 0; From nobody Wed Apr 8 10:32:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 18125C38145 for ; Fri, 2 Sep 2022 12:23:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236299AbiIBMXz (ORCPT ); Fri, 2 Sep 2022 08:23:55 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49124 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236214AbiIBMWs (ORCPT ); Fri, 2 Sep 2022 08:22:48 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D1F59D7D2A; Fri, 2 Sep 2022 05:21:51 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id C21036210A; Fri, 2 Sep 2022 12:21:46 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id B3CDAC433C1; Fri, 2 Sep 2022 12:21:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1662121306; bh=OMHiNt1YikKt3MUFMW0UMBSOVzf0m8ARmas6rDbfFeU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=D9bS/9FG+81bOlMjS+ioTazyPt5pjaYgx/TyvoBQVFVtqw0MevKNjXgM62AcLrKXU 
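Review bot: in ftrace_startup(), the new early return on ftrace_disabled skips `ops->flags &= ~FTRACE_OPS_FL_ADDING;`, so the ops handed back to the caller with -ENODEV still carries the ADDING flag, and the return value of __unregister_ftrace_function(ops) is dropped. The added comment explains why the trampoline is not freed but covers neither of these. Either clear the flag before returning or extend the comment to say that leaving it set is intended, given that the caller may free or reuse ops after the error.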
7FQpL8ESnJTmGitdaSY0jAlPwti0AK2XAqfEuhv+uxeyZrVz1YVKgz35s9qID6YvOy v63Leg1H8DK5MCvOFJ/Pgw2/wQiChA8nnox+RfkA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hsin-Yi Wang , Stephen Boyd , Mike Rapoport , Will Deacon , Michael Bestas Subject: [PATCH 4.9 27/31] arm64: map FDT as RW for early_init_dt_scan() Date: Fri, 2 Sep 2022 14:18:53 +0200 Message-Id: <20220902121357.730656291@linuxfoundation.org> X-Mailer: git-send-email 2.37.3 In-Reply-To: <20220902121356.732130937@linuxfoundation.org> References: <20220902121356.732130937@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Hsin-Yi Wang commit e112b032a72c78f15d0c803c5dc6be444c2e6c66 upstream. Currently in arm64, FDT is mapped to RO before it's passed to early_init_dt_scan(). However, there might be some codes (eg. commit "fdt: add support for rng-seed") that need to modify FDT during init. Map FDT to RO after early fixups are done. Signed-off-by: Hsin-Yi Wang Reviewed-by: Stephen Boyd Reviewed-by: Mike Rapoport Signed-off-by: Will Deacon [mkbestas: fixed trivial conflicts for 4.9 backport] Signed-off-by: Michael Bestas Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) = =20 Tested-by: Shuah Khan --- arch/arm64/include/asm/mmu.h | 2 +- arch/arm64/kernel/kaslr.c | 5 +---- arch/arm64/kernel/setup.c | 9 ++++++++- arch/arm64/mm/mmu.c | 15 +-------------- 4 files changed, 11 insertions(+), 20 deletions(-) --- a/arch/arm64/include/asm/mmu.h +++ b/arch/arm64/include/asm/mmu.h 
@@ -90,7 +90,7 @@ extern void init_mem_pgprot(void); extern void create_pgd_mapping(struct mm_struct *mm, phys_addr_t phys, unsigned long virt, phys_addr_t size, pgprot_t prot, bool allow_block_mappings); -extern void *fixmap_remap_fdt(phys_addr_t dt_phys); +extern void *fixmap_remap_fdt(phys_addr_t dt_phys, int *size, pgprot_t pro= t); =20 #endif /* !__ASSEMBLY__ */ #endif --- a/arch/arm64/kernel/kaslr.c +++ b/arch/arm64/kernel/kaslr.c @@ -65,9 +65,6 @@ out: return default_cmdline; } =20 -extern void *__init __fixmap_remap_fdt(phys_addr_t dt_phys, int *size, - pgprot_t prot); - /* * This routine will be executed with the kernel mapped at its default vir= tual * address, and if it returns successfully, the kernel will be remapped, a= nd @@ -96,7 +93,7 @@ u64 __init kaslr_early_init(u64 dt_phys, * attempt at mapping the FDT in setup_machine() */ early_fixmap_init(); - fdt =3D __fixmap_remap_fdt(dt_phys, &size, PAGE_KERNEL); + fdt =3D fixmap_remap_fdt(dt_phys, &size, PAGE_KERNEL); if (!fdt) return 0; =20 --- a/arch/arm64/kernel/setup.c +++ b/arch/arm64/kernel/setup.c @@ -178,7 +178,11 @@ static void __init smp_build_mpidr_hash( =20 static void __init setup_machine_fdt(phys_addr_t dt_phys) { - void *dt_virt =3D fixmap_remap_fdt(dt_phys); + int size; + void *dt_virt =3D fixmap_remap_fdt(dt_phys, &size, PAGE_KERNEL); + + if (dt_virt) + memblock_reserve(dt_phys, size); =20 if (!dt_virt || !early_init_dt_scan(dt_virt)) { pr_crit("\n" @@ -191,6 +195,9 @@ static void __init setup_machine_fdt(phy cpu_relax(); } =20 + /* Early fixups are done, map the FDT as read-only now */ + fixmap_remap_fdt(dt_phys, &size, PAGE_KERNEL_RO); + dump_stack_set_arch_desc("%s (DT)", of_flat_dt_get_machine_name()); } =20 --- a/arch/arm64/mm/mmu.c +++ b/arch/arm64/mm/mmu.c 
@@ -718,7 +718,7 @@ void __set_fixmap(enum fixed_addresses i } } =20 -void *__init __fixmap_remap_fdt(phys_addr_t dt_phys, int *size, pgprot_t p= rot) +void *__init fixmap_remap_fdt(phys_addr_t dt_phys, int *size, pgprot_t pro= t) { const u64 dt_virt_base =3D __fix_to_virt(FIX_FDT); int offset; 
@@ -771,19 +771,6 @@ void *__init __fixmap_remap_fdt(phys_add return dt_virt; } =20 -void *__init fixmap_remap_fdt(phys_addr_t dt_phys) -{ - void *dt_virt; - int size; - - dt_virt =3D __fixmap_remap_fdt(dt_phys, &size, PAGE_KERNEL_RO); - if (!dt_virt) - return NULL; - - memblock_reserve(dt_phys, size); - return dt_virt; -} - int __init arch_ioremap_pud_supported(void) { /* From nobody Wed Apr 8 10:32:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id E7222C38145 for ; Fri, 2 Sep 2022 12:22:44 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236200AbiIBMWn (ORCPT ); Fri, 2 Sep 2022 08:22:43 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46584 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235826AbiIBMVP (ORCPT ); Fri, 2 Sep 2022 08:21:15 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2FF10A9265; Fri, 2 Sep 2022 05:21:14 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id C2185620E6; Fri, 2 Sep 2022 12:21:13 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id B7F5DC433C1; Fri, 2 Sep 2022 12:21:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1662121273; bh=EjhUaWhI2U+NFj+HyzZDRmEuXJdOa2MKK3y3jt7QK4M=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=wCCVqAdBKwmPnvAsvIiImcg/Vs5f9yWFr2/i1TcqNa9rFY8Q2Fxf188yFjZ6YvZgZ cpU7Dt38cfj0mI8J8IAhenEnr888pKw1+R0qs/nrl9vaqGGaEzWenTYJM0Lg2fUiKr mnCGGAu0pi81skmRqXPYS6npJUNkKTketOftNtsY= 
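Review bot: in setup_machine_fdt() (arch/arm64/kernel/setup.c), the second call, `fixmap_remap_fdt(dt_phys, &size, PAGE_KERNEL_RO);`, discards its return value. The first call's NULL result is checked, so the function is known to be able to fail; if the read-only remap fails, nothing is logged and the patch does not make clear what protection the FDT mapping is left with. Check the result and at least warn. The comment above the call could also note that the FDT is writable for the whole of early_init_dt_scan(), since that window is the point of the change.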
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Juergen Gross , Heiko Carstens , Christian Borntraeger , Alexander Gordeev , Sasha Levin Subject: [PATCH 4.9 28/31] s390/hypfs: avoid error message under KVM Date: Fri, 2 Sep 2022 14:18:54 +0200 Message-Id: <20220902121357.770385533@linuxfoundation.org> X-Mailer: git-send-email 2.37.3 In-Reply-To: <20220902121356.732130937@linuxfoundation.org> References: <20220902121356.732130937@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Juergen Gross [ Upstream commit 7b6670b03641ac308aaa6fa2e6f964ac993b5ea3 ] When booting under KVM the following error messages are issued: hypfs.7f5705: The hardware system does not support hypfs hypfs.7a79f0: Initialization of hypfs failed with rc=3D-61 Demote the severity of first message from "error" to "info" and issue the second message only in other error cases. Signed-off-by: Juergen Gross Acked-by: Heiko Carstens Acked-by: Christian Borntraeger Link: https://lore.kernel.org/r/20220620094534.18967-1-jgross@suse.com [arch/s390/hypfs/hypfs_diag.c changed description] Signed-off-by: Alexander Gordeev Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) = =20 Tested-by: Shuah Khan --- arch/s390/hypfs/hypfs_diag.c | 2 +- arch/s390/hypfs/inode.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/s390/hypfs/hypfs_diag.c b/arch/s390/hypfs/hypfs_diag.c index 794bebb43d23d..64448c0998eb5 100644 --- a/arch/s390/hypfs/hypfs_diag.c +++ b/arch/s390/hypfs/hypfs_diag.c 
@@ -436,7 +436,7 @@ __init int hypfs_diag_init(void) int rc; =20 if (diag204_probe()) { - pr_err("The hardware system does not support hypfs\n"); + pr_info("The hardware system does not support hypfs\n"); return -ENODATA; } if (diag204_info_type =3D=3D DIAG204_INFO_EXT) { diff --git a/arch/s390/hypfs/inode.c b/arch/s390/hypfs/inode.c index 224aeda1e8ccf..d73d2d001a620 100644 --- a/arch/s390/hypfs/inode.c +++ b/arch/s390/hypfs/inode.c 
@@ -493,9 +493,9 @@ static int __init hypfs_init(void) hypfs_vm_exit(); fail_hypfs_diag_exit: hypfs_diag_exit(); + pr_err("Initialization of hypfs failed with rc=3D%i\n", rc); fail_dbfs_exit: hypfs_dbfs_exit(); - pr_err("Initialization of hypfs failed with rc=3D%i\n", rc); return rc; } =20 --=20 2.35.1 From nobody Wed Apr 8 10:32:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5DADEC38145 for ; Fri, 2 Sep 2022 12:23:02 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235745AbiIBMW7 (ORCPT ); Fri, 2 Sep 2022 08:22:59 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47004 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235509AbiIBMVS (ORCPT ); Fri, 2 Sep 2022 08:21:18 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8C2FA5F126; Fri, 2 Sep 2022 05:21:17 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id F036F620C5; Fri, 2 Sep 2022 12:21:16 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id E7231C433C1; Fri, 2 Sep 2022 12:21:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1662121276; bh=1joMZukgXquhe1JldLqq3I638jPaO+RsxpsC/BmR6iE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=IIPsjh3BYMekfTaYmaItSjQlUncF7yCz9YMnxs64T4lCVvjY93BQksgGi1i5fK6eq u2i21RwGNC1mOl6e/nywG0GbfFOPmZLuM5JdAOhR+dtnmIV9DJ5zvYVXjbc+Byo00i Dj7i2IUa9OamtINOaqH86hR3f9fKh/O4iT2aVYmg= 
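Review bot: in the arch/s390/hypfs/inode.c hunk (hypfs_init), placing pr_err() above the fail_dbfs_exit: label makes every goto fail_dbfs_exit return rc with no message at all, not only the -ENODATA result of hypfs_diag_init() that the changelog is about. Which failures get reported is now encoded purely by where the message sits between two labels. An explicit test on rc (for example printing unless rc is -ENODATA) would state the intent and keep any other error reaching that label visible at error level. If label placement is kept, a one-line comment above fail_dbfs_exit: should say that the silence is deliberate.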
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Geert Uytterhoeven , Florian Westphal , Sasha Levin Subject: [PATCH 4.9 29/31] netfilter: conntrack: NF_CONNTRACK_PROCFS should no longer default to y Date: Fri, 2 Sep 2022 14:18:55 +0200 Message-Id: <20220902121357.800280384@linuxfoundation.org> X-Mailer: git-send-email 2.37.3 In-Reply-To: <20220902121356.732130937@linuxfoundation.org> References: <20220902121356.732130937@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Geert Uytterhoeven [ Upstream commit aa5762c34213aba7a72dc58e70601370805fa794 ] NF_CONNTRACK_PROCFS was marked obsolete in commit 54b07dca68557b09 ("netfilter: provide config option to disable ancient procfs parts") in v3.3. Signed-off-by: Geert Uytterhoeven Signed-off-by: Florian Westphal Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) = =20 Tested-by: Shuah Khan --- net/netfilter/Kconfig | 1 - 1 file changed, 1 deletion(-) diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index dacd2d34a790b..f7cc20641b09f 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig 
@@ -96,7 +96,6 @@ config NF_CONNTRACK_ZONES =20 config NF_CONNTRACK_PROCFS bool "Supply CT list in procfs (OBSOLETE)" - default y depends on PROC_FS ---help--- This option enables for the list of known conntrack entries --=20 2.35.1 From nobody Wed Apr 8 10:32:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2E904C38145 for ; Fri, 2 Sep 2022 12:23:06 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236232AbiIBMXE (ORCPT ); Fri, 2 Sep 2022 08:23:04 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48132 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235984AbiIBMVV (ORCPT ); Fri, 2 Sep 2022 08:21:21 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7EF17C6E8C; Fri, 2 Sep 2022 05:21:20 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id CBA3B620E6; Fri, 2 Sep 2022 12:21:19 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id CB4B9C43140; Fri, 2 Sep 2022 12:21:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1662121279; bh=0QXl4JqaFq4iPz9u4o3OB7ub7UpUJipo4GZ/K8OT0eM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=tqlo0brOng6HJAro3Y2OrAYDOWOlObDJ7P6+gbs0EUbVxoIUIAfdlQ4EILWekNuR0 ZmiPckaJDLsbcUaqX3MjnioEpJRUxFvKSapfrYFIXg0RyXUdFCuLDPWWeZYFPUhJql F1lGMTE9ulMe+0VFy4h4vySe5PQOvWLPidnIKOPQ= 
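Review bot: removing "default y" from NF_CONNTRACK_PROCFS in net/netfilter/Kconfig changes what a newly generated 4.9 configuration contains, and the changelog gives only the v3.3 obsolescence as justification. For a stable backport the message should say what the user-visible effect is. An existing .config that already sets the symbol keeps its value, while a configuration built from scratch no longer gets the conntrack list in procfs unless the option is selected explicitly. Anything on a 4.9 system that still reads that list needs the option turned on by hand after this change.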
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, stable@kernel.org, Michal Hocko, Vlastimil Babka, Jann Horn, Linus Torvalds
Subject: [PATCH 4.9 30/31] mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse
Date: Fri, 2 Sep 2022 14:18:56 +0200
Message-Id: <20220902121357.839647776@linuxfoundation.org>
X-Mailer: git-send-email 2.37.3
In-Reply-To: <20220902121356.732130937@linuxfoundation.org>
References: <20220902121356.732130937@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"
From: Jann Horn commit 2555283eb40df89945557273121e9393ef9b542b upstream. anon_vma->degree tracks the combined number of child anon_vmas and VMAs that use the anon_vma as their ->anon_vma. anon_vma_clone() then assumes that for any anon_vma attached to src->anon_vma_chain other than src->anon_vma, it is impossible for it to be a leaf node of the VMA tree, meaning that for such VMAs ->degree is elevated by 1 because of a child anon_vma, meaning that if ->degree equals 1 there are no VMAs that use the anon_vma as their ->anon_vma. This assumption is wrong because the ->degree optimization leads to leaf nodes being abandoned on anon_vma_clone() - an existing anon_vma is reused and no new parent-child relationship is created. So it is possible to reuse an anon_vma for one VMA while it is still tied to another VMA. This is an issue because is_mergeable_anon_vma() and its callers assume that if two VMAs have the same ->anon_vma, the list of anon_vmas attached to the VMAs is guaranteed to be the same. When this assumption is violated, vma_merge() can merge pages into a VMA that is not attached to the corresponding anon_vma, leading to dangling page->mapping pointers that will be dereferenced during rmap walks. Fix it by separately tracking the number of child anon_vmas and the number of VMAs using the anon_vma as their ->anon_vma. Fixes: 7a3ef208e662 ("mm: prevent endless growth of anon_vma hierarchy") Cc: stable@kernel.org Acked-by: Michal Hocko Acked-by: Vlastimil Babka Signed-off-by: Jann Horn Signed-off-by: Linus Torvalds [manually fixed up different indentation in stable] Signed-off-by: Jann Horn Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) = =20 Tested-by: Shuah Khan --- include/linux/rmap.h | 7 +++++-- mm/rmap.c | 31 +++++++++++++++++-------------- 2 files changed, 22 insertions(+), 16 deletions(-) --- a/include/linux/rmap.h +++ b/include/linux/rmap.h 
@@ -37,12 +37,15 @@ struct anon_vma { atomic_t refcount; =20 /* - * Count of child anon_vmas and VMAs which points to this anon_vma. + * Count of child anon_vmas. Equals to the count of all anon_vmas that + * have ->parent pointing to this one, including itself. * * This counter is used for making decision about reusing anon_vma * instead of forking new one. See comments in function anon_vma_clone. */ - unsigned degree; + unsigned long num_children; + /* Count of VMAs whose ->anon_vma pointer points to this object. */ + unsigned long num_active_vmas; =20 struct anon_vma *parent; /* Parent of this anon_vma */ =20 --- a/mm/rmap.c +++ b/mm/rmap.c @@ -78,7 +78,8 @@ static inline struct anon_vma *anon_vma_ anon_vma =3D kmem_cache_alloc(anon_vma_cachep, GFP_KERNEL); if (anon_vma) { atomic_set(&anon_vma->refcount, 1); - anon_vma->degree =3D 1; /* Reference for first vma */ + anon_vma->num_children =3D 0; + anon_vma->num_active_vmas =3D 0; anon_vma->parent =3D anon_vma; /* * Initialise the anon_vma root to point to itself. If called @@ -187,6 +188,7 @@ int anon_vma_prepare(struct vm_area_stru anon_vma =3D anon_vma_alloc(); if (unlikely(!anon_vma)) goto out_enomem_free_avc; + anon_vma->num_children++; /* self-parent link for new root */ allocated =3D anon_vma; } =20 @@ -196,8 +198,7 @@ int anon_vma_prepare(struct vm_area_stru if (likely(!vma->anon_vma)) { vma->anon_vma =3D anon_vma; anon_vma_chain_link(vma, avc, anon_vma); - /* vma reference or self-parent link for new root */ - anon_vma->degree++; + anon_vma->num_active_vmas++; allocated =3D NULL; avc =3D NULL; } 
@@ -276,19 +277,19 @@ int anon_vma_clone(struct vm_area_struct anon_vma_chain_link(dst, avc, anon_vma); =20 /* - * Reuse existing anon_vma if its degree lower than two, - * that means it has no vma and only one anon_vma child. + * Reuse existing anon_vma if it has no vma and only one + * anon_vma child. * - * Do not chose parent anon_vma, otherwise first child - * will always reuse it. Root anon_vma is never reused: + * Root anon_vma is never reused: * it has self-parent reference and at least one child. */ - if (!dst->anon_vma && anon_vma !=3D src->anon_vma && - anon_vma->degree < 2) + if (!dst->anon_vma && + anon_vma->num_children < 2 && + anon_vma->num_active_vmas =3D=3D 0) dst->anon_vma =3D anon_vma; } if (dst->anon_vma) - dst->anon_vma->degree++; + dst->anon_vma->num_active_vmas++; unlock_anon_vma_root(root); return 0; =20 @@ -338,6 +339,7 @@ int anon_vma_fork(struct vm_area_struct anon_vma =3D anon_vma_alloc(); if (!anon_vma) goto out_error; + anon_vma->num_active_vmas++; avc =3D anon_vma_chain_alloc(GFP_KERNEL); if (!avc) goto out_error_free_anon_vma; @@ -358,7 +360,7 @@ int anon_vma_fork(struct vm_area_struct vma->anon_vma =3D anon_vma; anon_vma_lock_write(anon_vma); anon_vma_chain_link(vma, avc, anon_vma); - anon_vma->parent->degree++; + anon_vma->parent->num_children++; anon_vma_unlock_write(anon_vma); =20 return 0; @@ -390,7 +392,7 @@ void unlink_anon_vmas(struct vm_area_str * to free them outside the lock. */ if (RB_EMPTY_ROOT(&anon_vma->rb_root)) { - anon_vma->parent->degree--; + anon_vma->parent->num_children--; continue; } =20 @@ -398,7 +400,7 @@ void unlink_anon_vmas(struct vm_area_str anon_vma_chain_free(avc); } if (vma->anon_vma) - vma->anon_vma->degree--; + vma->anon_vma->num_active_vmas--; unlock_anon_vma_root(root); =20 /* 
@@ -409,7 +411,8 @@ void unlink_anon_vmas(struct vm_area_str list_for_each_entry_safe(avc, next, &vma->anon_vma_chain, same_vma) { struct anon_vma *anon_vma =3D avc->anon_vma; =20 - VM_WARN_ON(anon_vma->degree); + VM_WARN_ON(anon_vma->num_children); + VM_WARN_ON(anon_vma->num_active_vmas); put_anon_vma(anon_vma); =20 list_del(&avc->same_vma); From nobody Wed Apr 8 10:32:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2C90EECAAD5 for ; Fri, 2 Sep 2022 12:23:10 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236143AbiIBMXH (ORCPT ); Fri, 2 Sep 2022 08:23:07 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48130 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235983AbiIBMVY (ORCPT ); Fri, 2 Sep 2022 08:21:24 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 24865C7BA9; Fri, 2 Sep 2022 05:21:23 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id A710E620E6; Fri, 2 Sep 2022 12:21:22 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 8F0F6C433D6; Fri, 2 Sep 2022 12:21:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1662121282; bh=Y/pUW4qRVI0lIi6e/ZrRwlGWlPvSO+C3ncU7lK2YWkQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=jzGJXDwVMaYbM1/Fo0ovq1JWaLQSpUfUzHQjFEszOmVgpnqFp+ywGlAf7QnMK+uhy PY3WHrEcth2a1L6aIn3Ok9uGu+YavSfLaXeS0G3TbPK4u4n1TX0HvwpQ9IIR/zoe5N 2j8ginSbliLeY29EOmKEBcnpCIA/zlK2LNF+Wsnc= 
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Kuniyuki Iwashima, Ayushman Dutta, "Naveen N. Rao", Anil S Keshavamurthy, "David S. Miller", Masami Hiramatsu, Wang Nan, Kuniyuki Iwashima, Andrew Morton
Subject: [PATCH 4.9 31/31] kprobes: dont call disarm_kprobe() for disabled kprobes
Date: Fri, 2 Sep 2022 14:18:57 +0200
Message-Id: <20220902121357.880910913@linuxfoundation.org>
X-Mailer: git-send-email 2.37.3
In-Reply-To: <20220902121356.732130937@linuxfoundation.org>
References: <20220902121356.732130937@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"
From: Kuniyuki Iwashima

commit 9c80e79906b4ca440d09e7f116609262bb747909 upstream.

The assumption in __disable_kprobe() is wrong, and it could try to disarm
an already disarmed kprobe and fire the WARN_ONCE() below. [0]  We can
easily reproduce this issue.

1. Write 0 to /sys/kernel/debug/kprobes/enabled.

  # echo 0 > /sys/kernel/debug/kprobes/enabled

2. Run execsnoop.  At this time, one kprobe is disabled.

  # /usr/share/bcc/tools/execsnoop &
  [1] 2460
  PCOMM            PID    PPID   RET ARGS

  # cat /sys/kernel/debug/kprobes/list
  ffffffff91345650  r  __x64_sys_execve+0x0    [FTRACE]
  ffffffff91345650  k  __x64_sys_execve+0x0    [DISABLED][FTRACE]

3. Write 1 to /sys/kernel/debug/kprobes/enabled, which changes
   kprobes_all_disarmed to false but does not arm the disabled kprobe.

  # echo 1 > /sys/kernel/debug/kprobes/enabled

  # cat /sys/kernel/debug/kprobes/list
  ffffffff91345650  r  __x64_sys_execve+0x0    [FTRACE]
  ffffffff91345650  k  __x64_sys_execve+0x0    [DISABLED][FTRACE]

4. Kill execsnoop, when __disable_kprobe() calls disarm_kprobe() for the
   disabled kprobe and hits the WARN_ONCE() in __disarm_kprobe_ftrace().

  # fg
  /usr/share/bcc/tools/execsnoop
  ^C

Actually, WARN_ONCE() is fired twice, and __unregister_kprobe_top() misses
some cleanups and leaves the aggregated kprobe in the hash table.  Then,
__unregister_trace_kprobe() initialises tk->rp.kp.list and creates an
infinite loop like this.

  aggregated kprobe.list -> kprobe.list -.
                                     ^    |
                                     '.__.'

In this situation, these commands fall into the infinite loop and result
in RCU stall or soft lockup.

  cat /sys/kernel/debug/kprobes/list : show_kprobe_addr() enters into the
                                       infinite loop with RCU.

  /usr/share/bcc/tools/execsnoop : warn_kprobe_rereg() holds kprobe_mutex,
                                   and __get_valid_kprobe() is stuck in
                                   the loop.

To avoid the issue, make sure we don't call disarm_kprobe() for disabled
kprobes.
[0]
Failed to disarm kprobe-ftrace at __x64_sys_execve+0x0/0x40 (error -2)
WARNING: CPU: 6 PID: 2460 at kernel/kprobes.c:1130 __disarm_kprobe_ftrace.isra.19 (kernel/kprobes.c:1129)
Modules linked in: ena
CPU: 6 PID: 2460 Comm: execsnoop Not tainted 5.19.0+ #28
Hardware name: Amazon EC2 c5.2xlarge/, BIOS 1.0 10/16/2017
RIP: 0010:__disarm_kprobe_ftrace.isra.19 (kernel/kprobes.c:1129)
Code: 24 8b 02 eb c1 80 3d c4 83 f2 01 00 75 d4 48 8b 75 00 89 c2 48 c7 c7 90 fa 0f 92 89 04 24 c6 05 ab 83 01 e8 e4 94 f0 ff <0f> 0b 8b 04 24 eb b1 89 c6 48 c7 c7 60 fa 0f 92 89 04 24 e8 cc 94
RSP: 0018:ffff9e6ec154bd98 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffffffff930f7b00 RCX: 0000000000000001
RDX: 0000000080000001 RSI: ffffffff921461c5 RDI: 00000000ffffffff
RBP: ffff89c504286da8 R08: 0000000000000000 R09: c0000000fffeffff
R10: 0000000000000000 R11: ffff9e6ec154bc28 R12: ffff89c502394e40
R13: ffff89c502394c00 R14: ffff9e6ec154bc00 R15: 0000000000000000
FS:  00007fe800398740(0000) GS:ffff89c812d80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c00057f010 CR3: 0000000103b54006 CR4: 00000000007706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 __disable_kprobe (kernel/kprobes.c:1716)
 disable_kprobe (kernel/kprobes.c:2392)
 __disable_trace_kprobe (kernel/trace/trace_kprobe.c:340)
 disable_trace_kprobe (kernel/trace/trace_kprobe.c:429)
 perf_trace_event_unreg.isra.2 (./include/linux/tracepoint.h:93 kernel/trace/trace_event_perf.c:168)
 perf_kprobe_destroy (kernel/trace/trace_event_perf.c:295)
 _free_event (kernel/events/core.c:4971)
 perf_event_release_kernel (kernel/events/core.c:5176)
 perf_release (kernel/events/core.c:5186)
 __fput (fs/file_table.c:321)
 task_work_run (./include/linux/sched.h:2056 (discriminator 1) kernel/task_work.c:179 (discriminator 1))
 exit_to_user_mode_prepare (./include/linux/resume_user_mode.h:49
kernel/en= try/common.c:169 kernel/entry/common.c:201) syscall_exit_to_user_mode (./arch/x86/include/asm/jump_label.h:55 ./arch/x= 86/include/asm/nospec-branch.h:384 ./arch/x86/include/asm/entry-common.h:94= kernel/entry/common.c:133 kernel/entry/common.c:296) do_syscall_64 (arch/x86/entry/common.c:87) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) RIP: 0033:0x7fe7ff210654 Code: 15 79 89 20 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb be 0f 1f 00 8b = 05 9a cd 20 00 48 63 ff 85 c0 75 11 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff f= f 77 3a f3 c3 48 83 ec 18 48 89 7c 24 08 e8 34 fc RSP: 002b:00007ffdbd1d3538 EFLAGS: 00000246 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000008 RCX: 00007fe7ff210654 RDX: 0000000000000000 RSI: 0000000000002401 RDI: 0000000000000008 RBP: 0000000000000000 R08: 94ae31d6fda838a4 R0900007fe8001c9d30 R10: 00007ffdbd1d34b0 R11: 0000000000000246 R12: 00007ffdbd1d3600 R13: 0000000000000000 R14: fffffffffffffffc R15: 00007ffdbd1d3560 Link: https://lkml.kernel.org/r/20220813020509.90805-1-kuniyu@amazon.com Fixes: 69d54b916d83 ("kprobes: makes kprobes/enabled works correctly for op= timized kprobes.") Signed-off-by: Kuniyuki Iwashima Reported-by: Ayushman Dutta Cc: "Naveen N. Rao" Cc: Anil S Keshavamurthy Cc: "David S. Miller" Cc: Masami Hiramatsu Cc: Wang Nan Cc: Kuniyuki Iwashima Cc: Kuniyuki Iwashima Cc: Ayushman Dutta Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) = =20 Tested-by: Shuah Khan --- kernel/kprobes.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) --- a/kernel/kprobes.c +++ b/kernel/kprobes.c 
@@ -1616,12 +1616,14 @@ static struct kprobe *__disable_kprobe(s /* Try to disarm and disable this/parent probe */ if (p =3D=3D orig_p || aggr_kprobe_disabled(orig_p)) { /* - * If kprobes_all_disarmed is set, orig_p - * should have already been disarmed, so - * skip unneed disarming process. + * Don't be lazy here. Even if 'kprobes_all_disarmed' + * is false, 'orig_p' might not have been armed yet. + * Note arm_all_kprobes() __tries__ to arm all kprobes + * on the best effort basis. */ - if (!kprobes_all_disarmed) + if (!kprobes_all_disarmed && !kprobe_disabled(orig_p)) disarm_kprobe(orig_p, true); + orig_p->flags |=3D KPROBE_FLAG_DISABLED; } }
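Review bot: the added condition in __disable_kprobe() tests kprobe_disabled(orig_p), but the new comment above it argues in terms of orig_p possibly not having been armed yet, and never mentions the disabled flag. The link between the two is only in the changelog (step 3 of the reproducer: writing 1 to kprobes/enabled clears kprobes_all_disarmed without arming a disabled kprobe). Adding that sentence to the comment, for instance that a probe marked disabled was skipped when arming and must therefore not be disarmed, would make the check readable without the commit message. The "Don't be lazy here" opener can go, since it says nothing about the condition.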