1. 07 Dec, 2023 13 commits
    • mm/memory_hotplug: add missing mem_hotplug_lock · 001002e7
      Sumanth Korikkar authored
      From Documentation/core-api/memory-hotplug.rst:
      When adding/removing/onlining/offlining memory or adding/removing
      heterogeneous/device memory, we should always hold the mem_hotplug_lock
      in write mode to serialise memory hotplug (e.g. access to global/zone
      variables).
      
      mhp_(de)init_memmap_on_memory() functions can change zone stats and
      struct page content, but they are currently called w/o the
      mem_hotplug_lock.
      
      When a memory block is being offlined and kmemleak goes through each
      populated zone, the following theoretical race condition could occur:
      CPU 0:					     | CPU 1:
      memory_offline()			     |
      -> offline_pages()			     |
      	-> mem_hotplug_begin()		     |
      	   ...				     |
      	-> mem_hotplug_done()		     |
      					     | kmemleak_scan()
      					     | -> get_online_mems()
      					     |    ...
      -> mhp_deinit_memmap_on_memory()	     |
        [not protected by mem_hotplug_begin/done()]|
        Marks memory section as offline,	     |   Retrieves zone_start_pfn
        poisons vmemmap struct pages and updates   |   and struct page members.
        the zone related data			     |
         					     |    ...
         					     | -> put_online_mems()
      
      Fix this by ensuring mem_hotplug_lock is taken before performing
      mhp_init_memmap_on_memory().  Also ensure that
      mhp_deinit_memmap_on_memory() holds the lock.
      
      online/offline_pages() are currently only called from
      memory_block_online/offline(), so it is safe to move the locking there.
      
      Link: https://lkml.kernel.org/r/20231120145354.308999-2-sumanthk@linux.ibm.com
      Fixes: a08a2ae3 ("mm,memory_hotplug: allocate memmap from the added memory range")
      Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
      Reviewed-by: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
      Acked-by: David Hildenbrand <david@redhat.com>
      Cc: Alexander Gordeev <agordeev@linux.ibm.com>
      Cc: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
      Cc: Anshuman Khandual <anshuman.khandual@arm.com>
      Cc: Heiko Carstens <hca@linux.ibm.com>
      Cc: Michal Hocko <mhocko@suse.com>
      Cc: Oscar Salvador <osalvador@suse.de>
      Cc: Vasily Gorbik <gor@linux.ibm.com>
      Cc: kernel test robot <lkp@intel.com>
      Cc: <stable@vger.kernel.org>	[5.15+]
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    • .mailmap: add a new address mapping for Chester Lin · c540b038
      Chester Lin authored
      My company email address is going to be disabled so let's create a mapping
      that links to my private/community email just in case people might still
      try to reach me via the old one.
      
      Link: https://lkml.kernel.org/r/20231117022807.29461-1-clin@suse.com
      Signed-off-by: Chester Lin <clin@suse.com>
      Cc: Chester Lin <chester62515@gmail.com>
      Cc: Bjorn Andersson <quic_bjorande@quicinc.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Heiko Stuebner <heiko@sntech.de>
      Cc: Jakub Kicinski <kuba@kernel.org>
      Cc: Konrad Dybcio <konrad.dybcio@linaro.org>
      Cc: Oleksij Rempel <o.rempel@pengutronix.de>
      Cc: Stephen Hemminger <stephen@networkplumber.org>
      Cc: Conor Dooley <conor.dooley@microchip.com>
      Cc: Matthias Brugger <mbrugger@suse.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    • mm: fix oops when filemap_map_pmd() without prealloc_pte · 9aa1345d
      Hugh Dickins authored
      syzbot reports oops in lockdep's __lock_acquire(), called from
      __pte_offset_map_lock() called from filemap_map_pages(); or when I run the
      repro, the oops comes in pmd_install(), called from filemap_map_pmd()
      called from filemap_map_pages(), just before the __pte_offset_map_lock().
      
      The problem is that filemap_map_pmd() has been assuming that when it finds
      pmd_none(), a page table has already been prepared in prealloc_pte; and
      indeed do_fault_around() has been careful to preallocate one there, when
      it finds pmd_none(): but what if *pmd became none in between?
      
      My 6.6 mods in mm/khugepaged.c, avoiding mmap_lock for write, have made it
      easy for *pmd to be cleared while servicing a page fault; but even before
      those, a huge *pmd might be zapped while a fault is serviced.
      
      The difference in symptomatic stack traces comes from the "memory model"
      in use: pmd_install() uses pmd_populate() uses page_to_pfn(): in some
      models that is strict, and will oops on the NULL prealloc_pte; in other
      models, it will construct a bogus value to be populated into *pmd, then
      __pte_offset_map_lock() oops when trying to access split ptlock pointer
      (or some other symptom in normal case of ptlock embedded not pointer).
      
      Link: https://lore.kernel.org/linux-mm/20231115065506.19780-1-jose.pekkarinen@foxhound.fi/
      Link: https://lkml.kernel.org/r/6ed0c50c-78ef-0719-b3c5-60c0c010431c@google.com
      Fixes: f9ce0be7 ("mm: Cleanup faultaround and finish_fault() codepaths")
      Signed-off-by: Hugh Dickins <hughd@google.com>
      Reported-and-tested-by: syzbot+89edd67979b52675ddec@syzkaller.appspotmail.com
      Closes: https://lore.kernel.org/linux-mm/0000000000005e44550608a0806c@google.com/
      Reviewed-by: David Hildenbrand <david@redhat.com>
      Cc: Jann Horn <jannh@google.com>
      Cc: José Pekkarinen <jose.pekkarinen@foxhound.fi>
      Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
      Cc: <stable@vger.kernel.org>    [5.12+]
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    • squashfs: squashfs_read_data need to check if the length is 0 · eb66b8ab
      Lizhi Xu authored
      When the length passed in is 0, the pagemap_scan_test_walk() caller should
      bail.  This error causes at least a WARN_ON().
      
      Link: https://lkml.kernel.org/r/20231116031352.40853-1-lizhi.xu@windriver.com
      Reported-by: syzbot+32d3767580a1ea339a81@syzkaller.appspotmail.com
      Closes: https://lkml.kernel.org/r/0000000000000526f2060a30a085@google.com
      Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
      Reviewed-by: Phillip Lougher <phillip@squashfs.org.uk>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    • mm/selftests: fix pagemap_ioctl memory map test · 3f3cac5c
      Peter Xu authored
      __FILE__ is not guaranteed to exist in current dir.  Replace that with
      argv[0] for memory map test.
      
      Link: https://lkml.kernel.org/r/20231116201547.536857-4-peterx@redhat.com
      Fixes: 46fd75d4 ("selftests: mm: add pagemap ioctl tests")
      Signed-off-by: Peter Xu <peterx@redhat.com>
      Reviewed-by: David Hildenbrand <david@redhat.com>
      Cc: Andrei Vagin <avagin@gmail.com>
      Cc: David Hildenbrand <david@redhat.com>
      Cc: Muhammad Usama Anjum <usama.anjum@collabora.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    • mm/pagemap: fix wr-protect even if PM_SCAN_WP_MATCHING not set · 4980e837
      Peter Xu authored
      The new pagemap ioctl contains a fast path for wr-protections without
      looking into category masks.  It forgets to check PM_SCAN_WP_MATCHING
      before applying the wr-protections.  It can cause, e.g., pte markers
      installed on archs that do not even support uffd wr-protect.
      
      WARNING: CPU: 0 PID: 5059 at mm/memory.c:1520 zap_pte_range mm/memory.c:1520 [inline]
      
      Link: https://lkml.kernel.org/r/20231116201547.536857-3-peterx@redhat.com
      Fixes: 12f6b01a ("fs/proc/task_mmu: add fast paths to get/clear PAGE_IS_WRITTEN flag")
      Signed-off-by: Peter Xu <peterx@redhat.com>
      Reported-by: syzbot+7ca4b2719dc742b8d0a4@syzkaller.appspotmail.com
      Reviewed-by: David Hildenbrand <david@redhat.com>
      Reviewed-by: Andrei Vagin <avagin@gmail.com>
      Cc: Muhammad Usama Anjum <usama.anjum@collabora.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    • mm/pagemap: fix ioctl(PAGEMAP_SCAN) on vma check · 0dff1b40
      Peter Xu authored
      Patch series "mm/pagemap: A few fixes to the recent PAGEMAP_SCAN".
      
      This series should fix two known reports from syzbot on the new
      PAGEMAP_SCAN ioctl():
      
      https://lore.kernel.org/all/000000000000b0e576060a30ee3b@google.com/
      https://lore.kernel.org/all/000000000000773fa7060a31e2cc@google.com/
      
      The 3rd patch is something I found when testing these patches.
      
      
      This patch (of 3):
      
      The new ioctl(PAGEMAP_SCAN) relies on vma wr-protect capability provided
      by userfault, however in the vma test it didn't explicitly require the vma
      to have wr-protect function enabled, even if PM_SCAN_WP_MATCHING flag is
      set.
      
      It means the pagemap code can now apply uffd-wp bit to a page in the vma
      even if not registered to userfaultfd at all.
      
      Then in whatever way as long as the pte got written and page fault
      resolved, we'll apply the write bit even if uffd-wp bit is set.  We'll see
      a pte that has both UFFD_WP and WRITE bit set.  Anything later that looks
      up the pte for uffd-wp bit will trigger the warning:
      
      WARNING: CPU: 1 PID: 5071 at arch/x86/include/asm/pgtable.h:403 pte_uffd_wp arch/x86/include/asm/pgtable.h:403 [inline]
      
      Fix it by doing proper check over the vma attributes when
      PM_SCAN_WP_MATCHING is specified.
      
      Link: https://lkml.kernel.org/r/20231116201547.536857-1-peterx@redhat.com
      Link: https://lkml.kernel.org/r/20231116201547.536857-2-peterx@redhat.com
      Fixes: 52526ca7 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs")
      Signed-off-by: Peter Xu <peterx@redhat.com>
      Reported-by: syzbot+e94c5aaf7890901ebf9b@syzkaller.appspotmail.com
      Reviewed-by: David Hildenbrand <david@redhat.com>
      Reviewed-by: Andrei Vagin <avagin@gmail.com>
      Reviewed-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    • mm: kmem: properly initialize local objcg variable in current_obj_cgroup() · 5f79489a
      Roman Gushchin authored
      Erhard reported that the 6.7-rc1 kernel panics on boot if being
      built with clang-16. The problem was not reproducible with gcc.
      
      [    5.975049] general protection fault, probably for non-canonical address 0xf555515555555557: 0000 [#1] SMP KASAN PTI
      [    5.976422] KASAN: maybe wild-memory-access in range [0xaaaaaaaaaaaaaab8-0xaaaaaaaaaaaaaabf]
      [    5.977475] CPU: 3 PID: 1 Comm: systemd Not tainted 6.7.0-rc1-Zen3 #77
      [    5.977860] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
      [    5.977860] RIP: 0010:obj_cgroup_charge_pages+0x27/0x2d5
      [    5.977860] Code: 90 90 90 55 41 57 41 56 41 55 41 54 53 89 d5 41 89 f6 49 89 ff 48 b8 00 00 00 00 00 fc ff df 49 83 c7 10 4d3
      [    5.977860] RSP: 0018:ffffc9000001fb18 EFLAGS: 00010a02
      [    5.977860] RAX: dffffc0000000000 RBX: aaaaaaaaaaaaaaaa RCX: ffff8883eb9a8b08
      [    5.977860] RDX: 0000000000000005 RSI: 0000000000400cc0 RDI: aaaaaaaaaaaaaaaa
      [    5.977860] RBP: 0000000000000005 R08: 3333333333333333 R09: 0000000000000000
      [    5.977860] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8883eb9a8b18
      [    5.977860] R13: 1555555555555557 R14: 0000000000400cc0 R15: aaaaaaaaaaaaaaba
      [    5.977860] FS:  00007f2976438b40(0000) GS:ffff8883eb980000(0000) knlGS:0000000000000000
      [    5.977860] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [    5.977860] CR2: 00007f29769e0060 CR3: 0000000107222003 CR4: 0000000000370eb0
      [    5.977860] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [    5.977860] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [    5.977860] Call Trace:
      [    5.977860]  <TASK>
      [    5.977860]  ? __die_body+0x16/0x75
      [    5.977860]  ? die_addr+0x4a/0x70
      [    5.977860]  ? exc_general_protection+0x1c9/0x2d0
      [    5.977860]  ? cgroup_mkdir+0x455/0x9fb
      [    5.977860]  ? __x64_sys_mkdir+0x69/0x80
      [    5.977860]  ? asm_exc_general_protection+0x26/0x30
      [    5.977860]  ? obj_cgroup_charge_pages+0x27/0x2d5
      [    5.977860]  obj_cgroup_charge+0x114/0x1ab
      [    5.977860]  pcpu_alloc+0x1a6/0xa65
      [    5.977860]  ? mem_cgroup_css_alloc+0x1eb/0x1140
      [    5.977860]  ? cgroup_apply_control_enable+0x26b/0x7c0
      [    5.977860]  mem_cgroup_css_alloc+0x23f/0x1140
      [    5.977860]  cgroup_apply_control_enable+0x26b/0x7c0
      [    5.977860]  ? cgroup_kn_set_ugid+0x2d/0x1a0
      [    5.977860]  cgroup_mkdir+0x455/0x9fb
      [    5.977860]  ? __cfi_cgroup_mkdir+0x10/0x10
      [    5.977860]  kernfs_iop_mkdir+0x130/0x170
      [    5.977860]  vfs_mkdir+0x405/0x530
      [    5.977860]  do_mkdirat+0x188/0x1f0
      [    5.977860]  __x64_sys_mkdir+0x69/0x80
      [    5.977860]  do_syscall_64+0x7d/0x100
      [    5.977860]  ? do_syscall_64+0x89/0x100
      [    5.977860]  ? do_syscall_64+0x89/0x100
      [    5.977860]  ? do_syscall_64+0x89/0x100
      [    5.977860]  ? do_syscall_64+0x89/0x100
      [    5.977860]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
      [    5.977860] RIP: 0033:0x7f297671defb
      [    5.977860] Code: 8b 05 39 7f 0d 00 bb ff ff ff ff 64 c7 00 16 00 00 00 e9 61 ff ff ff e8 23 0c 02 00 0f 1f 00 f3 0f 1e fa b88
      [    5.977860] RSP: 002b:00007ffee6242bb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000053
      [    5.977860] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f297671defb
      [    5.977860] RDX: 0000000000000000 RSI: 00000000000001ed RDI: 000055c6b449f0e0
      [    5.977860] RBP: 00007ffee6242bf0 R08: 000000000000000e R09: 0000000000000000
      [    5.977860] R10: 0000000000000000 R11: 0000000000000246 R12: 000055c6b445db80
      [    5.977860] R13: 00000000000003a0 R14: 00007f2976a68651 R15: 00000000000003a0
      [    5.977860]  </TASK>
      [    5.977860] Modules linked in:
      [    6.014095] ---[ end trace 0000000000000000 ]---
      [    6.014701] RIP: 0010:obj_cgroup_charge_pages+0x27/0x2d5
      [    6.015348] Code: 90 90 90 55 41 57 41 56 41 55 41 54 53 89 d5 41 89 f6 49 89 ff 48 b8 00 00 00 00 00 fc ff df 49 83 c7 10 4d3
      [    6.017575] RSP: 0018:ffffc9000001fb18 EFLAGS: 00010a02
      [    6.018255] RAX: dffffc0000000000 RBX: aaaaaaaaaaaaaaaa RCX: ffff8883eb9a8b08
      [    6.019120] RDX: 0000000000000005 RSI: 0000000000400cc0 RDI: aaaaaaaaaaaaaaaa
      [    6.019983] RBP: 0000000000000005 R08: 3333333333333333 R09: 0000000000000000
      [    6.020849] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8883eb9a8b18
      [    6.021747] R13: 1555555555555557 R14: 0000000000400cc0 R15: aaaaaaaaaaaaaaba
      [    6.022609] FS:  00007f2976438b40(0000) GS:ffff8883eb980000(0000) knlGS:0000000000000000
      [    6.023593] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [    6.024296] CR2: 00007f29769e0060 CR3: 0000000107222003 CR4: 0000000000370eb0
      [    6.025279] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [    6.026139] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [    6.027000] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
      
      Actually the problem is caused by uninitialized local variable in
      current_obj_cgroup().  If the root memory cgroup is set as an active
      memory cgroup for a charging scope (as in the trace, where systemd tries
      to create the first non-root cgroup, so the parent cgroup is the root
      cgroup), the "for" loop is skipped and uninitialized objcg is returned,
      causing a panic down the accounting stack.
      
      The fix is trivial: initialize the objcg variable to NULL unconditionally
      before the "for" loop.
      
      [vbabka@suse.cz: remove redundant assignment]
        Link: https://lkml.kernel.org/r/4bd106d5-c3e3-6731-9a74-cff81e2392de@suse.cz
      Link: https://lkml.kernel.org/r/20231116025109.3775055-1-roman.gushchin@linux.dev
      Fixes: e86828e5 ("mm: kmem: scoped objcg protection")
      Signed-off-by: Roman Gushchin (Cruise) <roman.gushchin@linux.dev>
      Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
      Reported-by: Erhard Furtner <erhard_f@mailbox.org>
      Closes: https://github.com/ClangBuiltLinux/linux/issues/1959
      Tested-by: Erhard Furtner <erhard_f@mailbox.org>
      Acked-by: Vlastimil Babka <vbabka@suse.cz>
      Acked-by: Shakeel Butt <shakeelb@google.com>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Dennis Zhou <dennis@kernel.org>
      Cc: Johannes Weiner <hannes@cmpxchg.org>
      Cc: Michal Hocko <mhocko@kernel.org>
      Cc: Muchun Song <muchun.song@linux.dev>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    • mm/kmemleak: move set_track_prepare() outside raw_spinlocks · d63385a7
      Liu Shixin authored
      set_track_prepare() will call __alloc_pages() which attempts to acquire
      zone->lock(spinlocks), so move it outside object->lock(raw_spinlocks)
      because it's not right to acquire spinlocks while holding raw_spinlocks in
      RT mode.
      
      Link: https://lkml.kernel.org/r/20231115082138.2649870-3-liushixin2@huawei.com
      Signed-off-by: Liu Shixin <liushixin2@huawei.com>
      Acked-by: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Geert Uytterhoeven <geert+renesas@glider.be>
      Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
      Cc: Patrick Wang <patrick.wang.shcn@gmail.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    • Revert "mm/kmemleak: move the initialisation of object to __link_object" · 4eff7d62
      Liu Shixin authored
      Patch series "Fix invalid wait context of set_track_prepare()".
      
      Geert reported an invalid wait context[1] which results from moving
      set_track_prepare() inside kmemleak_lock.  This is not allowed because in
      RT mode, the spinlocks can be preempted but raw_spinlocks can not, so it
      is not allowed to acquire spinlocks while holding raw_spinlocks.  The
      second patch fixes the same problem in kmemleak_update_trace().
      
      
      This patch (of 2):
      
      Move the initialisation of object back to __alloc_object() because
      set_track_prepare() attempts to acquire zone->lock(spinlocks) while
      __link_object is holding kmemleak_lock(raw_spinlocks).  This is not right
      for RT mode.
      
      This reverts commit 245245c2 ("mm/kmemleak: move the initialisation
      of object to __link_object").
      
      Link: https://lkml.kernel.org/r/20231115082138.2649870-1-liushixin2@huawei.com
      Link: https://lkml.kernel.org/r/20231115082138.2649870-2-liushixin2@huawei.com
      Fixes: 245245c2 ("mm/kmemleak: move the initialisation of object to __link_object")
      Signed-off-by: Liu Shixin <liushixin2@huawei.com>
      Reported-by: Geert Uytterhoeven <geert+renesas@glider.be>
      Closes: https://lore.kernel.org/linux-mm/CAMuHMdWj0UzwNaxUvcocTfh481qRJpOWwXxsJCTJfu1oCqvgdA@mail.gmail.com/ [1]
      Acked-by: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
      Cc: Patrick Wang <patrick.wang.shcn@gmail.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    • mm/memory.c:zap_pte_range() print bad swap entry · 727d16f1
      Andrew Morton authored
      We have a report of this WARN() triggering.  Let's print the offending
      swp_entry_t to help diagnosis.
      
      Link: https://lkml.kernel.org/r/000000000000b0e576060a30ee3b@google.com
      Cc: Muhammad Usama Anjum <usama.anjum@collabora.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    • hugetlb: fix null-ptr-deref in hugetlb_vma_lock_write · 187da0f8
      Mike Kravetz authored
      The routine __vma_private_lock tests for the existence of a reserve map
      associated with a private hugetlb mapping.  A pointer to the reserve map
      is in vma->vm_private_data.  __vma_private_lock was checking the pointer
      for NULL.  However, it is possible that the low bits of the pointer could
      be used as flags.  In such instances, vm_private_data is not NULL and not
      a valid pointer.  This results in the null-ptr-deref reported by syzbot:
      
      general protection fault, probably for non-canonical address 0xdffffc000000001d:
       0000 [#1] PREEMPT SMP KASAN
      KASAN: null-ptr-deref in range [0x00000000000000e8-0x00000000000000ef]
      CPU: 0 PID: 5048 Comm: syz-executor139 Not tainted 6.6.0-rc7-syzkaller-00142-g88
      8cf78c29e2 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 1
      0/09/2023
      RIP: 0010:__lock_acquire+0x109/0x5de0 kernel/locking/lockdep.c:5004
      ...
      Call Trace:
       <TASK>
       lock_acquire kernel/locking/lockdep.c:5753 [inline]
       lock_acquire+0x1ae/0x510 kernel/locking/lockdep.c:5718
       down_write+0x93/0x200 kernel/locking/rwsem.c:1573
       hugetlb_vma_lock_write mm/hugetlb.c:300 [inline]
       hugetlb_vma_lock_write+0xae/0x100 mm/hugetlb.c:291
       __hugetlb_zap_begin+0x1e9/0x2b0 mm/hugetlb.c:5447
       hugetlb_zap_begin include/linux/hugetlb.h:258 [inline]
       unmap_vmas+0x2f4/0x470 mm/memory.c:1733
       exit_mmap+0x1ad/0xa60 mm/mmap.c:3230
       __mmput+0x12a/0x4d0 kernel/fork.c:1349
       mmput+0x62/0x70 kernel/fork.c:1371
       exit_mm kernel/exit.c:567 [inline]
       do_exit+0x9ad/0x2a20 kernel/exit.c:861
       __do_sys_exit kernel/exit.c:991 [inline]
       __se_sys_exit kernel/exit.c:989 [inline]
       __x64_sys_exit+0x42/0x50 kernel/exit.c:989
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Mask off low bit flags before checking for NULL pointer.  In addition, the
      reserve map only 'belongs' to the OWNER (parent in parent/child
      relationships) so also check for the OWNER flag.
      
      Link: https://lkml.kernel.org/r/20231114012033.259600-1-mike.kravetz@oracle.com
      Reported-by: syzbot+6ada951e7c0f7bc8a71e@syzkaller.appspotmail.com
      Closes: https://lore.kernel.org/linux-mm/00000000000078d1e00608d7878b@google.com/
      Fixes: bf491692 ("hugetlbfs: extend hugetlb_vma_lock to private VMAs")
      Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
      Reviewed-by: Rik van Riel <riel@surriel.com>
      Cc: Edward Adam Davis <eadavis@qq.com>
      Cc: Muchun Song <muchun.song@linux.dev>
      Cc: Nathan Chancellor <nathan@kernel.org>
      Cc: Nick Desaulniers <ndesaulniers@google.com>
      Cc: Tom Rix <trix@redhat.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
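      An added example (not the kernel's code) that models the pointer check the commit above describes: a reserve-map pointer stored in vm_private_data whose low bits double as flags, with the plain NULL test beside the masked, owner-aware test. The names RESV_OWNER, RESV_UNMAPPED, RESV_MASK and the vma/resv_map structures are constructed stand-ins, not the kernel's definitions.

```c
/* Added example, not kernel code: why a NULL test on a tagged pointer is
 * not enough. vm_private_data carries a reserve-map pointer OR'ed with
 * low-bit flags, so "flags only, no map" is non-NULL yet not a pointer. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed flag bits in the style of the kernel's HPAGE_RESV_* flags;
 * the real values live in mm/hugetlb.c and are not copied here. */
#define RESV_OWNER     (1UL << 0)
#define RESV_UNMAPPED  (1UL << 1)
#define RESV_MASK      (RESV_OWNER | RESV_UNMAPPED)

struct resv_map { int refs; };          /* stand-in for the reserve map */

struct vma {
    bool mayshare;                      /* models VM_MAYSHARE */
    void *vm_private_data;              /* map pointer | low-bit flags */
};

static uintptr_t private_bits(const struct vma *vma)
{
    return (uintptr_t)vma->vm_private_data;
}

/* Strip the flag bits to recover the real pointer (may be NULL). */
static struct resv_map *resv_map_of(const struct vma *vma)
{
    return (struct resv_map *)(private_bits(vma) & ~RESV_MASK);
}

/* Buggy check: a private VMA that carries only flags passes, because the
 * tagged value is non-zero; the caller then dereferences NULL | flags. */
static bool private_lock_buggy(const struct vma *vma)
{
    return !vma->mayshare && vma->vm_private_data != NULL;
}

/* Fixed check: mask the flags before the NULL test and require the OWNER
 * flag, since only the owner (the parent) holds the reserve map. */
static bool private_lock_fixed(const struct vma *vma)
{
    return !vma->mayshare &&
           resv_map_of(vma) != NULL &&
           (private_bits(vma) & RESV_OWNER) != 0;
}

static struct vma make_vma(struct resv_map *map, uintptr_t flags)
{
    struct vma v = { .mayshare = false,
                     .vm_private_data = (void *)((uintptr_t)map | flags) };
    return v;
}

/* Runs one check over four constructed private VMAs and returns how many
 * it would let through to the lock (and so to a dereference). */
static int count_accepted(bool (*check)(const struct vma *))
{
    static struct resv_map map = { .refs = 1 };   /* 4-byte aligned: low bits free */
    struct vma cases[4] = {
        make_vma(NULL, 0),               /* no map, no flags */
        make_vma(NULL, RESV_UNMAPPED),   /* flags only: the syzbot case */
        make_vma(&map, 0),               /* map present but not the owner */
        make_vma(&map, RESV_OWNER),      /* real map, owner */
    };
    int accepted = 0;
    for (int i = 0; i < 4; i++)
        if (check(&cases[i]))
            accepted++;
    return accepted;
}

int main(void)
{
    printf("buggy check accepts %d of 4 VMAs\n", count_accepted(private_lock_buggy));
    printf("fixed check accepts %d of 4 VMAs\n", count_accepted(private_lock_fixed));
    return 0;
}
```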
    • MAINTAINERS: add Andrew Morton for lib/* · b197d166
      Andrew Morton authored
      Add myself as the fallthrough maintainer for material under lib/.
      
      Cc: Joe Perches <joe@perches.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
  2. 24 Nov, 2023 13 commits
    • Merge tag 'afs-fixes-20231124' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs · 5b7ad877
      Linus Torvalds authored
      Pull AFS fixes from David Howells:
      
       - Fix the afs_server_list struct to be cleaned up with RCU
      
       - Fix afs to translate a no-data result from a DNS lookup into ENOENT,
         not EDESTADDRREQ for consistency with OpenAFS
      
       - Fix afs to translate a negative DNS lookup result into ENOENT rather
         than EDESTADDRREQ
      
       - Fix file locking on R/O volumes to operate in local mode as the
         server doesn't handle exclusive locks on such files
      
       - Set SB_RDONLY on superblocks for RO and Backup volumes so that the
         VFS can see that they're read only
      
      * tag 'afs-fixes-20231124' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
        afs: Mark a superblock for an R/O or Backup volume as SB_RDONLY
        afs: Fix file locking on R/O volumes to operate in local mode
        afs: Return ENOENT if no cell DNS record can be found
        afs: Make error on cell lookup failure consistent with OpenAFS
        afs: Fix afs_server_list to be cleaned up with RCU
    • Merge tag 'vfs-6.7-rc3.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs · fa2b906f
      Linus Torvalds authored
      Pull vfs fixes from Christian Brauner:
      
       - Avoid calling back into LSMs from vfs_getattr_nosec() calls.
      
         IMA used to query inode properties accessing raw inode fields without
         dedicated helpers. That was finally fixed a few releases ago by
         forcing IMA to use vfs_getattr_nosec() helpers.
      
         The goal of the vfs_getattr_nosec() helper is to query for attributes
         without calling into the LSM layer which would be quite problematic
         because incredibly IMA is called from __fput()...
      
           __fput()
             -> ima_file_free()
      
         What it does is to call back into the filesystem to update the file's
         IMA xattr. Querying the inode without using vfs_getattr_nosec() meant
         that IMA didn't handle stacking filesystems such as overlayfs
         correctly. So the switch to vfs_getattr_nosec() is quite correct. But
         the switch to vfs_getattr_nosec() revealed another bug when used on
         stacking filesystems:
      
           __fput()
             -> ima_file_free()
                -> vfs_getattr_nosec()
                   -> i_op->getattr::ovl_getattr()
                      -> vfs_getattr()
                         -> i_op->getattr::$WHATEVER_UNDERLYING_FS_getattr()
                            -> security_inode_getattr() # calls back into LSMs
      
         Now, if that __fput() happens from task_work_run() of an exiting task
         current->fs and various other pointers could already be NULL. So
         anything in the LSM layer relying on that not being NULL would be
         quite surprised.
      
         Fix that by passing the information that this is a security request
         through to the stacking filesystem by adding a new internal
         AT_GETATTR_NOSEC flag. Now the callchain becomes:
      
           __fput()
             -> ima_file_free()
                -> vfs_getattr_nosec()
                   -> i_op->getattr::ovl_getattr()
                      -> if (AT_GETATTR_NOSEC)
                                vfs_getattr_nosec()
                         else
                                vfs_getattr()
                         -> i_op->getattr::$WHATEVER_UNDERLYING_FS_getattr()
      
       - Fix a bug introduced with the iov_iter rework from last cycle.
      
         This broke /proc/kcore by copying too much and without the correct
         offset.
      
       - Add a missing NULL check when allocating the root inode in
         autofs_fill_super().
      
       - Fix stable writes for multi-device filesystems (xfs, btrfs etc) and
         the block device pseudo filesystem.
      
         Stable writes used to be a superblock flag only, making it a per
         filesystem property. Add an additional AS_STABLE_WRITES mapping flag
         to allow for fine-grained control.
      
       - Ensure that offset_iterate_dir() returns 0 after reaching the end of
         a directory so it adheres to getdents() convention.
      
      * tag 'vfs-6.7-rc3.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs:
        libfs: getdents() should return 0 after reaching EOD
        xfs: respect the stable writes flag on the RT device
        xfs: clean up FS_XFLAG_REALTIME handling in xfs_ioctl_setattr_xflags
        block: update the stable_writes flag in bdev_add
        filemap: add a per-mapping stable writes flag
        autofs: add: new_inode check in autofs_fill_super()
        iov_iter: fix copy_page_to_iter_nofault()
        fs: Pass AT_GETATTR_NOSEC flag to getattr interface function
    • Merge tag 'drm-fixes-2023-11-24' of git://anongit.freedesktop.org/drm/drm · afa0f6ee
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Back to regular scheduled fixes pull request, mainly a bunch of msm,
        some i915 and otherwise a few scattered, one memory crasher in the
        nouveau GSP paths is helping stabilise that work.
      
        msm:
         - Fix the VREG_CTRL_1 for 4nm CPHY to match downstream
         - Remove duplicate call to drm_kms_helper_poll_init() in
           msm_drm_init()
         - Fix the safe_lut_tbl[] for sc8280xp to match downstream
         - Don't attach the drm_dp_set_subconnector_property() for eDP
         - Fix to attach drm_dp_set_subconnector_property() for DP. Otherwise
           there is a bootup crash on multiple targets
         - Remove unnecessary NULL check left behind during cleanup
      
        i915:
         - Fix race between DP MST connector registration and setup
         - Fix GT memory leak on probe error path
      
        panel:
         - Fixes for innolux and auo,b101uan08.3 panel.
         - Fix Himax83102-j02 timings.
      
        ivpu:
         - Fix ivpu MMIO reset.
      
        ast:
         - AST fix on connector disconnection.
      
        nouveau:
         - gsp memory corruption fix
      
        rockchip:
         - color fix"
      
      * tag 'drm-fixes-2023-11-24' of git://anongit.freedesktop.org/drm/drm:
        nouveau/gsp: allocate enough space for all channel ids.
        drm/panel: boe-tv101wum-nl6: Fine tune Himax83102-j02 panel HFP and HBP
        drm/ast: Disconnect BMC if physical connector is connected
        accel/ivpu/37xx: Fix hangs related to MMIO reset
        drm/rockchip: vop: Fix color for RGB888/BGR888 format on VOP full
        drm/i915: do not clean GT table on error path
        drm/i915/dp_mst: Fix race between connector registration and setup
        drm/panel: simple: Fix Innolux G101ICE-L01 timings
        drm/panel: simple: Fix Innolux G101ICE-L01 bus flags
        drm/msm: remove unnecessary NULL check
        drm/panel: auo,b101uan08.3: Fine tune the panel power sequence
        drm/msm/dp: attach the DP subconnector property
        drm/msm/dp: don't touch DP subconnector property in eDP case
        drm/msm/dpu: Add missing safe_lut_tbl in sc8280xp catalog
        drm/msm: remove exra drm_kms_helper_poll_init() call
        drm/msm/dsi: use the correct VREG_CTRL_1 value for 4nm cphy
      afa0f6ee
    • afs: Mark a superblock for an R/O or Backup volume as SB_RDONLY · 68516f60
      David Howells authored
      Mark a superblock that is for an R/O or Backup volume as SB_RDONLY when
      mounting it.
      Signed-off-by: David Howells <dhowells@redhat.com>
      cc: Marc Dionne <marc.dionne@auristor.com>
      cc: linux-afs@lists.infradead.org
      68516f60
    • afs: Fix file locking on R/O volumes to operate in local mode · b590eb41
      David Howells authored
      AFS doesn't really do locking on R/O volumes as fileservers don't maintain
      state with each other and thus a lock on a R/O volume file on one
      fileserver will not be visible to someone looking at the same file on
      another fileserver.
      
      Further, the server may return an error if you try it.
      
      Fix this by doing what other AFS clients do and handle filelocking on R/O
      volume files entirely within the client and don't touch the server.
      
      Fixes: 6c6c1d63 ("afs: Provide mount-time configurable byte-range file locking emulation")
      Signed-off-by: David Howells <dhowells@redhat.com>
      Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
      cc: linux-afs@lists.infradead.org
      b590eb41
    • afs: Return ENOENT if no cell DNS record can be found · 0167236e
      David Howells authored
      Make AFS return error ENOENT if no cell SRV or AFSDB DNS record (or
      cellservdb config file record) can be found rather than returning
      EDESTADDRREQ.
      
      Also add cell name lookup info to the cursor dump.
      
      Fixes: d5c32c89 ("afs: Fix cell DNS lookup")
      Reported-by: Markus Suvanto <markus.suvanto@gmail.com>
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=216637
      Signed-off-by: David Howells <dhowells@redhat.com>
      Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
      cc: linux-afs@lists.infradead.org
      0167236e
    • Merge tag 'ata-6.7-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata · f1a09972
      Linus Torvalds authored
      Pull ata fix from Damien Le Moal:
      
       - Add a missing error check in the adapter initialization of the
         pata_isapnp driver (Chen)
      
      * tag 'ata-6.7-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata:
        ata: pata_isapnp: Add missing error check for devm_ioport_map()
      f1a09972
    • Merge tag 'block-6.7-2023-11-23' of git://git.kernel.dk/linux · bc893f74
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "A bit bigger than usual at this time, but nothing really earth
        shattering:
      
         - NVMe pull request via Keith:
             - TCP TLS fixes (Hannes)
             - Authentication fixes (Mark, Hannes)
             - Properly terminate target names (Christoph)
      
         - MD pull request via Song, fixing a raid5 corruption issue
      
         - Disentanglement of the dependency mess in nvme introduced with the
           tls additions. Now it should actually build on all configs (Arnd)
      
         - Series of bcache fixes (Coly)
      
         - Removal of a dead helper (Damien)
      
         - s390 dasd fix (Muhammad, Jan)
      
         - lockdep blk-cgroup fixes (Ming)"
      
      * tag 'block-6.7-2023-11-23' of git://git.kernel.dk/linux: (33 commits)
        nvme: tcp: fix compile-time checks for TLS mode
        nvme: target: fix Kconfig select statements
        nvme: target: fix nvme_keyring_id() references
        nvme: move nvme_stop_keep_alive() back to original position
        nbd: pass nbd_sock to nbd_read_reply() instead of index
        s390/dasd: protect device queue against concurrent access
        s390/dasd: resolve spelling mistake
        block/null_blk: Fix double blk_mq_start_request() warning
        nvmet-tcp: always initialize tls_handshake_tmo_work
        nvmet: nul-terminate the NQNs passed in the connect command
        nvme: blank out authentication fabrics options if not configured
        nvme: catch errors from nvme_configure_metadata()
        nvme-tcp: only evaluate 'tls' option if TLS is selected
        nvme-auth: set explanation code for failure2 msgs
        nvme-auth: unlock mutex in one place only
        block: Remove blk_set_runtime_active()
        nbd: fix null-ptr-dereference while accessing 'nbd->config'
        nbd: factor out a helper to get nbd_config without holding 'config_lock'
        nbd: fold nbd config initialization into nbd_alloc_config()
        bcache: avoid NULL checking to c->root in run_cache_set()
        ...
      bc893f74
    • Merge tag 'io_uring-6.7-2023-11-23' of git://git.kernel.dk/linux · 00444238
      Linus Torvalds authored
      Pull io_uring fixes from Jens Axboe:
       "A fix for ensuring that LINKAT always propagates flags correctly, and
        a fix for an off-by-one in segment skipping for registered buffers.
      
        Both heading to stable as well"
      
      * tag 'io_uring-6.7-2023-11-23' of git://git.kernel.dk/linux:
        io_uring: fix off-by one bvec index
        io_uring/fs: consider link->flags when getting path for LINKAT
      00444238
    • Merge tag 'for-linus-2023112301' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid · 1f342790
      Linus Torvalds authored
      Pull HID fixes from Jiri Kosina:
      
       - revert of commit that caused regression to many Logitech unifying
         receiver users (Jiri Kosina)
      
       - power management fix for hid-mcp2221 (Hamish Martin)
      
       - fix for race condition between HID core and HID debug (Charles Yi)
      
       - a couple of assorted device-ID-specific quirks
      
      * tag 'for-linus-2023112301' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid:
        HID: multitouch: Add quirk for HONOR GLO-GXXX touchpad
        HID: hid-asus: reset the backlight brightness level on resume
        HID: hid-asus: add const to read-only outgoing usb buffer
        Revert "HID: logitech-dj: Add support for a new lightspeed receiver iteration"
        HID: add ALWAYS_POLL quirk for Apple kb
        HID: glorious: fix Glorious Model I HID report
        HID: fix HID device resource race between HID core and debugging support
        HID: apple: add Jamesdonkey and A3R to non-apple keyboards list
        HID: mcp2221: Allow IO to start during probe
        HID: mcp2221: Set driver data before I2C adapter add
      1f342790
    • Merge tag 'drm-intel-fixes-2023-11-23' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes · b3ca8a08
      Dave Airlie authored
      
      drm/i915 fixes for v6.7-rc3:
      - Fix race between DP MST connector registration and setup
      - Fix GT memory leak on probe error path
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      From: Jani Nikula <jani.nikula@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/87y1eol98h.fsf@intel.com
      b3ca8a08
    • Merge tag 'drm-misc-fixes-2023-11-23' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes · 86921609
      Dave Airlie authored
      Fixes for v6.7-rc3:
      - Panel fixes for innolux and auo,b101uan08.3 panel.
      - Fix ivpu MMIO reset.
      - AST fix on connector disconnection.
      - nouveau gsp fix.
      - rockchip color fix.
      - Fix Himax83102-j02 timings.
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/12322257-2e0c-43d3-8241-876aafc10e4a@linux.intel.com
      86921609
    • Merge tag 'drm-msm-fixes-2023-11-21' of https://gitlab.freedesktop.org/drm/msm into drm-fixes · fca9a805
      Dave Airlie authored
      Fixes for v6.7-rc3:
      
      - Fix the VREG_CTRL_1 for 4nm CPHY to match downstream
      - Remove duplicate call to drm_kms_helper_poll_init() in msm_drm_init()
      - Fix the safe_lut_tbl[] for sc8280xp to match downstream
      - Don't attach the drm_dp_set_subconnector_property() for eDP
      - Fix to attach drm_dp_set_subconnector_property() for DP. Otherwise
        there is a bootup crash on multiple targets
      - Remove unnecessary NULL check left behind during cleanup
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      From: Rob Clark <robdclark@gmail.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/CAF6AEGtkna3P3mvaF53n2ARJACaXQU+OFfShayTrsUVmqCOmNQ@mail.gmail.com
      fca9a805
  3. 23 Nov, 2023 14 commits
    • Merge tag 'net-6.7-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · d3fa86b1
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from bpf.
      
        Current release - regressions:
      
         - Revert "net: r8169: Disable multicast filter for RTL8168H and
           RTL8107E"
      
         - kselftest: rtnetlink: fix ip route command typo
      
        Current release - new code bugs:
      
         - s390/ism: make sure ism driver implies smc protocol in kconfig
      
         - two build fixes for tools/net
      
        Previous releases - regressions:
      
         - rxrpc: couple of ACK/PING/RTT handling fixes
      
        Previous releases - always broken:
      
         - bpf: verify bpf_loop() callbacks as if they are called unknown
           number of times
      
         - improve stability of auto-bonding with Hyper-V
      
         - account BPF-neigh-redirected traffic in interface statistics
      
        Misc:
      
         - net: fill in some more MODULE_DESCRIPTION()s"
      
      * tag 'net-6.7-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (58 commits)
        tools: ynl: fix duplicate op name in devlink
        tools: ynl: fix header path for nfsd
        net: ipa: fix one GSI register field width
        tls: fix NULL deref on tls_sw_splice_eof() with empty record
        net: axienet: Fix check for partial TX checksum
        vsock/test: fix SEQPACKET message bounds test
        i40e: Fix adding unsupported cloud filters
        ice: restore timestamp configuration after device reset
        ice: unify logic for programming PFINT_TSYN_MSK
        ice: remove ptp_tx ring parameter flag
        amd-xgbe: propagate the correct speed and duplex status
        amd-xgbe: handle the corner-case during tx completion
        amd-xgbe: handle corner-case during sfp hotplug
        net: veth: fix ethtool stats reporting
        octeontx2-pf: Fix ntuple rule creation to direct packet to VF with higher Rx queue than its PF
        net: usb: qmi_wwan: claim interface 4 for ZTE MF290
        Revert "net: r8169: Disable multicast filter for RTL8168H and RTL8107E"
        net/smc: avoid data corruption caused by decline
        nfc: virtual_ncidev: Add variable to check if ndev is running
        dpll: Fix potential msg memleak when genlmsg_put_reply failed
        ...
      d3fa86b1
    • tools: ynl: fix duplicate op name in devlink · 39f04b14
      Jakub Kicinski authored
      We don't support CRUD-inspired message types in YNL too well.
      One aspect that currently trips us up is the fact that single
      message ID can be used in multiple commands (as the response).
      This leads to duplicate entries in the id-to-string tables:
      
      devlink-user.c:19:34: warning: initialized field overwritten [-Woverride-init]
         19 |         [DEVLINK_CMD_PORT_NEW] = "port-new",
            |                                  ^~~~~~~~~~
      devlink-user.c:19:34: note: (near initialization for ‘devlink_op_strmap[7]’)
      
      Fixes tag points at where the code was generated, the "real" problem
      is that the code generator does not support CRUD.
      
      Fixes: f2f9dd16 ("netlink: specs: devlink: add the remaining command to generate complete split_ops")
      Link: https://lore.kernel.org/r/20231123030558.1611831-1-kuba@kernel.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      39f04b14
    • tools: ynl: fix header path for nfsd · 2be35a61
      Jakub Kicinski authored
      The makefile dependency is trying to include the wrong header:
      
      <command-line>: fatal error: ../../../../include/uapi//linux/nfsd.h: No such file or directory
      
      The guard also looks wrong.
      
      Fixes: f14122b2 ("tools: ynl: Add source files for nfsd netlink protocol")
      Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
      Link: https://lore.kernel.org/r/20231123030624.1611925-1-kuba@kernel.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      2be35a61
    • net: ipa: fix one GSI register field width · 37f02055
      Alex Elder authored
      The width of the R_LENGTH field of the EV_CH_E_CNTXT_1 GSI register
      is 24 bits (not 20 bits) starting with IPA v5.0.  Fix this.
      
      Fixes: faf0678e ("net: ipa: add IPA v5.0 GSI register definitions")
      Signed-off-by: Alex Elder <elder@linaro.org>
      Link: https://lore.kernel.org/r/20231122231708.896632-1-elder@linaro.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      37f02055
    • tls: fix NULL deref on tls_sw_splice_eof() with empty record · 53f2cb49
      Jann Horn authored
      syzkaller discovered that if tls_sw_splice_eof() is executed as part of
      sendfile() when the plaintext/ciphertext sk_msg are empty, the send path
      gets confused because the empty ciphertext buffer does not have enough
      space for the encryption overhead. This causes tls_push_record() to go on
      the `split = true` path (which is only supposed to be used when interacting
      with an attached BPF program), and then get further confused and hit the
      tls_merge_open_record() path, which then assumes that there must be at
      least one populated buffer element, leading to a NULL deref.
      
      It is possible to have empty plaintext/ciphertext buffers if we previously
      bailed from tls_sw_sendmsg_locked() via the tls_trim_both_msgs() path.
      tls_sw_push_pending_record() already handles this case correctly; let's do
      the same check in tls_sw_splice_eof().
      
      Fixes: df720d28 ("tls/sw: Use splice_eof() to flush")
      Cc: stable@vger.kernel.org
      Reported-by: syzbot+40d43509a099ea756317@syzkaller.appspotmail.com
      Signed-off-by: Jann Horn <jannh@google.com>
      Link: https://lore.kernel.org/r/20231122214447.675768-1-jannh@google.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      53f2cb49
    • net: axienet: Fix check for partial TX checksum · fd0413bb
      Samuel Holland authored
      Due to a typo, the code checked the RX checksum feature in the TX path.
      
      Fixes: 8a3b7a25 ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver")
      Signed-off-by: Samuel Holland <samuel.holland@sifive.com>
      Reviewed-by: Andrew Lunn <andrew@lunn.ch>
      Reviewed-by: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
      Link: https://lore.kernel.org/r/20231122004219.3504219-1-samuel.holland@sifive.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      fd0413bb
    • vsock/test: fix SEQPACKET message bounds test · f0863888
      Arseniy Krasnov authored
      Tune message length calculation to make this test work on machines
      where 'getpagesize()' returns >32KB. Now maximum message length is not
      hardcoded (on machines above it was smaller than 'getpagesize()' return
      value, thus we get negative value and test fails), but calculated at
      runtime and always bigger than 'getpagesize()' result. Reproduced on
      aarch64 with 64KB page size.
      
      Fixes: 5c338112 ("test/vsock: rework message bounds test")
      Signed-off-by: Arseniy Krasnov <avkrasnov@salutedevices.com>
      Reported-by: Bogdan Marcynkov <bmarcynk@redhat.com>
      Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
      Link: https://lore.kernel.org/r/20231121211642.163474-1-avkrasnov@salutedevices.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      f0863888
    • i40e: Fix adding unsupported cloud filters · 4e20655e
      Ivan Vecera authored
      If a VF tries to add unsupported cloud filter through virtchnl
      then i40e_add_del_cloud_filter(_big_buf) returns -ENOTSUPP but
      this error code is stored in 'ret' instead of 'aq_ret' that
      is used as error code sent back to VF. In this scenario where
      one of the mentioned functions fails the value of 'aq_ret'
      is zero so the VF will incorrectly receive a 'success'.
      
      Use 'aq_ret' to store return value and remove 'ret' local
      variable. Additionally fix the issue when filter allocation
      fails, in this case no notification is sent back to the VF.
      
      Fixes: e284fc28 ("i40e: Add and delete cloud filter")
      Reviewed-by: Simon Horman <horms@kernel.org>
      Signed-off-by: Ivan Vecera <ivecera@redhat.com>
      Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
      Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
      Link: https://lore.kernel.org/r/20231121211338.3348677-1-anthony.l.nguyen@intel.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      4e20655e
    • Merge branch 'ice-restore-timestamp-config-after-reset' · e50a8061
      Paolo Abeni authored
      Tony Nguyen says:
      
      ====================
      ice: restore timestamp config after reset
      
      Jake Keller says:
      
      We recently discovered during internal validation that the ice driver has
      not been properly restoring Tx timestamp configuration after a device reset,
      which resulted in application failures after a device reset.
      
      After some digging, it turned out this problem is two-fold. Since the
      introduction of the PTP support the driver has been clobbering the storage
      of the current timestamp configuration during reset. Thus after a reset, the
      driver will no longer perform Tx or Rx timestamps, and will report
      timestamp configuration as disabled if SIOCGHWTSTAMP ioctl is issued.
      
      In addition, the recently merged auxiliary bus support code missed that
      PFINT_TSYN_MSK must be reprogrammed on the clock owner for E822 devices.
      Failure to restore this register configuration results in the driver no
      longer responding to interrupts from other ports. Depending on the traffic
      pattern, this can either result in increased latency responding to
      timestamps on the non-owner ports, or it can result in the driver never
      reporting any timestamps. The configuration of PFINT_TSYN_MSK was only done
      during initialization. Due to this, the Tx timestamp issue persists even if
      userspace reconfigures timestamping.
      
      This series fixes both issues, as well as removes a redundant Tx ring field
      since we can rely on the skb flag as the primary detector for a Tx timestamp
      request.
      
      Note that I don't think this series will directly apply to older stable
      releases (even v6.6) as we recently refactored a lot of the PTP code to
      support auxiliary bus. Patch 2/3 only matters for the post-auxiliary bus
      implementation. The principle of patch 1/3 and 3/3 could apply as far back
      as the initial PTP support, but I don't think it will apply cleanly as-is.
      ====================
      
      Link: https://lore.kernel.org/r/20231121211259.3348630-1-anthony.l.nguyen@intel.com
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      e50a8061
    • ice: restore timestamp configuration after device reset · 77580179
      Jacob Keller authored
      The driver calls ice_ptp_cfg_timestamp() during ice_ptp_prepare_for_reset()
      to disable timestamping while the device is resetting. This operation
      destroys the user requested configuration. While the driver does call
      ice_ptp_cfg_timestamp in ice_rebuild() to restore some hardware settings
      after a reset, it unconditionally passes true or false, resulting in
      failure to restore previous user space configuration.
      
      This results in a device reset forcibly disabling timestamp configuration
      regardless of current user settings.
      
      This was not detected previously due to a quirk of the LinuxPTP ptp4l
      application. If ptp4l detects a missing timestamp, it enters a fault state
      and performs recovery logic which includes executing SIOCSHWTSTAMP again,
      restoring the now accidentally cleared configuration.
      
      Not every application does this, and for these applications, timestamps
      will mysteriously stop after a PF reset, without being restored until an
      application restart.
      
      Fix this by replacing ice_ptp_cfg_timestamp() with two new functions:
      
      1) ice_ptp_disable_timestamp_mode() which unconditionally disables the
         timestamping logic in ice_ptp_prepare_for_reset() and ice_ptp_release()
      
      2) ice_ptp_restore_timestamp_mode() which calls
         ice_ptp_restore_tx_interrupt() to restore Tx timestamping configuration,
         calls ice_set_rx_tstamp() to restore Rx timestamping configuration, and
         issues an immediate TSYN_TX interrupt to ensure that timestamps which
         may have occurred during the device reset get processed.
      
      Modify the ice_ptp_set_timestamp_mode to directly save the user
      configuration and then call ice_ptp_restore_timestamp_mode. This way, reset
      no longer destroys the saved user configuration.
      
      This obsoletes the ice_set_tx_tstamp() function which can now be safely
      removed.
      
      With this change, all devices should now restore Tx and Rx timestamping
      functionality correctly after a PF reset without application intervention.
      
      Fixes: 77a78115 ("ice: enable receive hardware timestamping")
      Fixes: ea9b847c ("ice: enable transmit timestamps for E810 devices")
      Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
      Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
      Reviewed-by: Simon Horman <horms@kernel.org>
      Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
      Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      77580179
    • ice: unify logic for programming PFINT_TSYN_MSK · 7d606a1e
      Jacob Keller authored
      Commit d938a8cc ("ice: Auxbus devices & driver for E822 TS") modified
      how Tx timestamps are handled for E822 devices. On these devices, only the
      clock owner handles reading the Tx timestamp data from firmware. To do
      this, the PFINT_TSYN_MSK register is modified from the default value to one
      which enables reacting to a Tx timestamp on all PHY ports.
      
      The driver currently programs PFINT_TSYN_MSK in different places depending
      on whether the port is the clock owner or not. For the clock owner, the
      PFINT_TSYN_MSK value is programmed during ice_ptp_init_owner just before
      calling ice_ptp_tx_ena_intr to program the PHY ports.
      
      For the non-clock owner ports, the PFINT_TSYN_MSK is programmed during
      ice_ptp_init_port.
      
      If a large enough device reset occurs, the PFINT_TSYN_MSK register will be
      reset to the default value in which only the PHY associated directly with
      the PF will cause the Tx timestamp interrupt to trigger.
      
      The driver lacks logic to reprogram the PFINT_TSYN_MSK register after a
      device reset. For the E822 device, this results in the PF no longer
      responding to interrupts for other ports. This results in failure to
      deliver Tx timestamps to user space applications.
      
      Rename ice_ptp_configure_tx_tstamp to ice_ptp_cfg_tx_interrupt, and unify
      the logic for programming PFINT_TSYN_MSK and PFINT_OICR_ENA into one place.
      This function will program both registers according to the combination of
      user configuration and device requirements.
      
      This ensures that PFINT_TSYN_MSK is always restored when we configure the
      Tx timestamp interrupt.
      
      Fixes: d938a8cc ("ice: Auxbus devices & driver for E822 TS")
      Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
      Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
      Reviewed-by: Simon Horman <horms@kernel.org>
      Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
      Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      7d606a1e
    • ice: remove ptp_tx ring parameter flag · 0ffb08b1
      Jacob Keller authored
      Before performing a Tx timestamp in ice_stamp(), the driver checks a ptp_tx
      ring variable to see if timestamping is enabled on that ring. This value is
      set for all rings whenever userspace configures Tx timestamping.
      
      Ostensibly this was done to avoid wasting cycles checking other fields when
      timestamping has not been enabled. However, for Tx timestamps we already
      get an individual per-SKB flag indicating whether userspace wants to
      request a timestamp on that packet. We do not gain much by also having
      a separate flag to check for whether timestamping was enabled.
      
      In fact, the driver currently fails to restore the field after a PF reset.
      Because of this, if a PF reset occurs, timestamps will be disabled.
      
      Since this flag doesn't add value in the hotpath, remove it and always
      provide a timestamp if the SKB flag has been set.
      
      A following change will fix the reset path to properly restore user
      timestamping configuration completely.
      
      This went unnoticed for some time because one of the most common
      applications using Tx timestamps, ptp4l, will reconfigure the socket as
      part of its fault recovery logic.
      
      Fixes: ea9b847c ("ice: enable transmit timestamps for E810 devices")
      Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
      Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
      Reviewed-by: Simon Horman <horms@kernel.org>
      Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
      Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      0ffb08b1
    • Merge branch 'amd-xgbe-fixes-to-handle-corner-cases' · d9775fb6
      Paolo Abeni authored
      Raju Rangoju says:
      
      ====================
      amd-xgbe: fixes to handle corner-cases
      
      This series include bug fixes to amd-xgbe driver.
      ====================
      
      Link: https://lore.kernel.org/r/20231121191435.4049995-1-Raju.Rangoju@amd.com
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      d9775fb6
    • amd-xgbe: propagate the correct speed and duplex status · 7a2323ac
      Raju Rangoju authored
      xgbe_get_link_ksettings() does not propagate correct speed and duplex
      information to ethtool during cable unplug. Due to which ethtool reports
      incorrect values for speed and duplex.
      
      Address this by propagating correct information.
      
      Fixes: 7c12aa08 ("amd-xgbe: Move the PHY support into amd-xgbe")
      Acked-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
      Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
      Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      7a2323ac