1. 08 Jul, 2021 2 commits
    • Merge tag 'pci-v5.14-changes' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci · 316a2c9b
      Linus Torvalds authored
      Pull pci updates from Bjorn Helgaas:
       "Enumeration:
         - Fix dsm_label_utf16s_to_utf8s() buffer overrun (Krzysztof
           Wilczyński)
         - Rely on lengths from scnprintf(), dsm_label_utf16s_to_utf8s()
           (Krzysztof Wilczyński)
         - Use sysfs_emit() and sysfs_emit_at() in "show" functions (Krzysztof
           Wilczyński)
         - Fix 'resource_alignment' newline issues (Krzysztof Wilczyński)
         - Add 'devspec' newline (Krzysztof Wilczyński)
         - Dynamically map ECAM regions (Russell King)
      
        Resource management:
         - Coalesce host bridge contiguous apertures (Kai-Heng Feng)
      
        PCIe native device hotplug:
         - Ignore Link Down/Up caused by DPC (Lukas Wunner)
      
        Power management:
         - Leave Apple Thunderbolt controllers on for s2idle or standby
           (Konstantin Kharlamov)
      
        Virtualization:
         - Work around Huawei Intelligent NIC VF FLR erratum (Chiqijun)
         - Clarify error message for unbound IOV devices (Moritz Fischer)
         - Add pci_reset_bus_function() Secondary Bus Reset interface (Raphael
           Norwitz)
      
        Peer-to-peer DMA:
         - Simplify distance calculation (Christoph Hellwig)
         - Finish RCU conversion of pdev->p2pdma (Eric Dumazet)
         - Rename upstream_bridge_distance() and rework doc (Logan Gunthorpe)
         - Collect acs list in stack buffer to avoid sleeping (Logan
           Gunthorpe)
         - Use correct calc_map_type_and_dist() return type (Logan Gunthorpe)
         - Warn if host bridge not in whitelist (Logan Gunthorpe)
         - Refactor pci_p2pdma_map_type() (Logan Gunthorpe)
         - Avoid pci_get_slot(), which may sleep (Logan Gunthorpe)
      
        Altera PCIe controller driver:
         - Add Joyce Ooi as Altera PCIe maintainer (Joyce Ooi)
      
        Broadcom iProc PCIe controller driver:
         - Fix multi-MSI base vector number allocation (Sandor Bodo-Merle)
         - Support multi-MSI only on uniprocessor kernel (Sandor Bodo-Merle)
      
        Freescale i.MX6 PCIe controller driver:
         - Limit DBI register length for imx6qp PCIe (Richard Zhu)
         - Add "vph-supply" for PHY supply voltage (Richard Zhu)
         - Enable PHY internal regulator when supplied >3V (Richard Zhu)
         - Remove imx6_pcie_probe() redundant error message (Zhen Lei)
      
        Intel Gateway PCIe controller driver:
         - Fix INTx enable (Martin Blumenstingl)
      
        Marvell Aardvark PCIe controller driver:
         - Fix checking for PIO Non-posted Request (Pali Rohár)
         - Implement workaround for the readback value of VEND_ID (Pali Rohár)
      
        MediaTek PCIe controller driver:
         - Remove redundant error printing in mtk_pcie_subsys_powerup() (Zhen
           Lei)
      
        MediaTek PCIe Gen3 controller driver:
         - Add missing MODULE_DEVICE_TABLE (Zou Wei)
      
        Microchip PolarFire PCIe controller driver:
         - Make struct event_descs static (Krzysztof Wilczyński)
      
        Microsoft Hyper-V host bridge driver:
         - Fix race condition when removing the device (Long Li)
         - Remove bus device removal unused refcount/functions (Long Li)
      
        Mobiveil PCIe controller driver:
         - Remove unused readl and writel functions (Krzysztof Wilczyński)
      
        NVIDIA Tegra PCIe controller driver:
         - Add missing MODULE_DEVICE_TABLE (Zou Wei)
      
        NVIDIA Tegra194 PCIe controller driver:
         - Fix tegra_pcie_ep_raise_msi_irq() ill-defined shift (Jon Hunter)
         - Fix host initialization during resume (Vidya Sagar)
      
        Rockchip PCIe controller driver:
         - Register IRQ handlers after device and data are ready (Javier
           Martinez Canillas)"
      
      * tag 'pci-v5.14-changes' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci: (48 commits)
        PCI/P2PDMA: Finish RCU conversion of pdev->p2pdma
        PCI: xgene: Annotate __iomem pointer
        PCI: Fix kernel-doc formatting
        PCI: cpcihp: Declare cpci_debug in header file
        MAINTAINERS: Add Joyce Ooi as Altera PCIe maintainer
        PCI: rockchip: Register IRQ handlers after device and data are ready
        PCI: tegra194: Fix tegra_pcie_ep_raise_msi_irq() ill-defined shift
        PCI: aardvark: Implement workaround for the readback value of VEND_ID
        PCI: aardvark: Fix checking for PIO Non-posted Request
        PCI: tegra194: Fix host initialization during resume
        PCI: tegra: Add missing MODULE_DEVICE_TABLE
        PCI: imx6: Enable PHY internal regulator when supplied >3V
        dt-bindings: imx6q-pcie: Add "vph-supply" for PHY supply voltage
        PCI: imx6: Limit DBI register length for imx6qp PCIe
        PCI: imx6: Remove imx6_pcie_probe() redundant error message
        PCI: intel-gw: Fix INTx enable
        PCI: iproc: Support multi-MSI only on uniprocessor kernel
        PCI: iproc: Fix multi-MSI base vector number allocation
        PCI: mediatek-gen3: Add missing MODULE_DEVICE_TABLE
        PCI: Dynamically map ECAM regions
        ...
    • Fix UCOUNT_RLIMIT_SIGPENDING counter leak · f3791f4d
      Alexey Gladkov authored
      We must properly handle errors when we increase the rlimit counter
      and the ucounts reference counter. We have to do this with RCU protection
      to prevent possible use-after-free that could occur due to concurrent
      put_cred_rcu().
      
      The following reproducer triggers the problem:
      
        $ cat testcase.sh
        case "${STEP:-0}" in
        0)
      	ulimit -Si 1
      	ulimit -Hi 1
      	STEP=1 unshare -rU "$0"
      	killall sleep
      	;;
        1)
      	for i in 1 2 3 4 5; do unshare -rU sleep 5 & done
      	;;
        esac
      
      with the KASAN report being along the lines of
      
        BUG: KASAN: use-after-free in put_ucounts+0x17/0xa0
        Write of size 4 at addr ffff8880045f031c by task swapper/2/0
      
        CPU: 2 PID: 0 Comm: swapper/2 Not tainted 5.13.0+ #19
        Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-alt4 04/01/2014
        Call Trace:
         <IRQ>
         put_ucounts+0x17/0xa0
         put_cred_rcu+0xd5/0x190
         rcu_core+0x3bf/0xcb0
         __do_softirq+0xe3/0x341
         irq_exit_rcu+0xbe/0xe0
         sysvec_apic_timer_interrupt+0x6a/0x90
         </IRQ>
         asm_sysvec_apic_timer_interrupt+0x12/0x20
         default_idle_call+0x53/0x130
         do_idle+0x311/0x3c0
         cpu_startup_entry+0x14/0x20
         secondary_startup_64_no_verify+0xc2/0xcb
      
        Allocated by task 127:
         kasan_save_stack+0x1b/0x40
         __kasan_kmalloc+0x7c/0x90
         alloc_ucounts+0x169/0x2b0
         set_cred_ucounts+0xbb/0x170
         ksys_unshare+0x24c/0x4e0
         __x64_sys_unshare+0x16/0x20
         do_syscall_64+0x37/0x70
         entry_SYSCALL_64_after_hwframe+0x44/0xae
      
        Freed by task 0:
         kasan_save_stack+0x1b/0x40
         kasan_set_track+0x1c/0x30
         kasan_set_free_info+0x20/0x30
         __kasan_slab_free+0xeb/0x120
         kfree+0xaa/0x460
         put_cred_rcu+0xd5/0x190
         rcu_core+0x3bf/0xcb0
         __do_softirq+0xe3/0x341
      
        The buggy address belongs to the object at ffff8880045f0300
         which belongs to the cache kmalloc-192 of size 192
        The buggy address is located 28 bytes inside of
         192-byte region [ffff8880045f0300, ffff8880045f03c0)
        The buggy address belongs to the page:
        page:000000008de0a388 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880045f0000 pfn:0x45f0
        flags: 0x100000000000200(slab|node=0|zone=1)
        raw: 0100000000000200 ffffea00000f4640 0000000a0000000a ffff888001042a00
        raw: ffff8880045f0000 000000008010000d 00000001ffffffff 0000000000000000
        page dumped because: kasan: bad access detected
      
        Memory state around the buggy address:
         ffff8880045f0200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
         ffff8880045f0280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
        >ffff8880045f0300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                    ^
         ffff8880045f0380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
         ffff8880045f0400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
        ==================================================================
        Disabling lock debugging due to kernel taint
      
      Fixes: d6469690 ("Reimplement RLIMIT_SIGPENDING on top of ucounts")
      Cc: Eric W. Biederman <ebiederm@xmission.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Signed-off-by: Alexey Gladkov <legion@kernel.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  2. 07 Jul, 2021 38 commits