1. 05 Jun, 2023 7 commits
    • 442a6290
    • SUNRPC: Trace struct svc_sock lifetime events · c42bebca
      Chuck Lever authored
      Capture a timestamp and pointer address during the creation and
      destruction of struct svc_sock to record its lifetime. This helps
      to diagnose transport reference counting issues.
      Reviewed-by: Jeff Layton <jlayton@kernel.org>
      Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    • SUNRPC: Improve observability in svc_tcp_accept() · d7900dae
      Chuck Lever authored
      The -ENOMEM arm could fire repeatedly if the system runs low on
      memory, so remove it.
      
      Don't bother to trace -EAGAIN error events, since those fire after
      a listener is created (with no work done) and once again after an
      accept has been handled successfully (again, with no work done).
      Reviewed-by: Jeff Layton <jlayton@kernel.org>
      Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    • SUNRPC: Remove dprintk() in svc_handle_xprt() · cce4ee9c
      Chuck Lever authored
      When enabled, this dprintk() fires for every incoming RPC, which is
      an enormous amount of log traffic. These days, after the first few
      hundred log messages, the system journald is just going to mute it,
      along with all other NFSD debug output.
      
      Let's rely on trace points for this high-traffic information
      instead.
      Reviewed-by: Jeff Layton <jlayton@kernel.org>
      Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    • SUNRPC: Fix an incorrect comment · e8277327
      Chuck Lever authored
      The correct function name is svc_tcp_listen_data_ready().
      Reviewed-by: Jeff Layton <jlayton@kernel.org>
      Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    • SUNRPC: Fix UAF in svc_tcp_listen_data_ready() · fc80fc2d
      Ding Hui authored
      After the listener svc_sock is freed, and before invoking svc_tcp_accept()
      for the established child sock, there is a window in which the newsock
      retains a freed listener svc_sock in sk_user_data, which is cloned from
      the parent. In the race window, if data is received on the newsock, we will
      observe a use-after-free report in svc_tcp_listen_data_ready().
      
      Reproduce by two tasks:
      
      1. while :; do rpc.nfsd 0 ; rpc.nfsd; done
      2. while :; do echo "" | ncat -4 127.0.0.1 2049 ; done
      
      KASAN report:
      
        ==================================================================
        BUG: KASAN: slab-use-after-free in svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]
        Read of size 8 at addr ffff888139d96228 by task nc/102553
        CPU: 7 PID: 102553 Comm: nc Not tainted 6.3.0+ #18
        Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
        Call Trace:
         <IRQ>
         dump_stack_lvl+0x33/0x50
         print_address_description.constprop.0+0x27/0x310
         print_report+0x3e/0x70
         kasan_report+0xae/0xe0
         svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]
         tcp_data_queue+0x9f4/0x20e0
         tcp_rcv_established+0x666/0x1f60
         tcp_v4_do_rcv+0x51c/0x850
         tcp_v4_rcv+0x23fc/0x2e80
         ip_protocol_deliver_rcu+0x62/0x300
         ip_local_deliver_finish+0x267/0x350
         ip_local_deliver+0x18b/0x2d0
         ip_rcv+0x2fb/0x370
         __netif_receive_skb_one_core+0x166/0x1b0
         process_backlog+0x24c/0x5e0
         __napi_poll+0xa2/0x500
         net_rx_action+0x854/0xc90
         __do_softirq+0x1bb/0x5de
         do_softirq+0xcb/0x100
         </IRQ>
         <TASK>
         ...
         </TASK>
      
        Allocated by task 102371:
         kasan_save_stack+0x1e/0x40
         kasan_set_track+0x21/0x30
         __kasan_kmalloc+0x7b/0x90
         svc_setup_socket+0x52/0x4f0 [sunrpc]
         svc_addsock+0x20d/0x400 [sunrpc]
         __write_ports_addfd+0x209/0x390 [nfsd]
         write_ports+0x239/0x2c0 [nfsd]
         nfsctl_transaction_write+0xac/0x110 [nfsd]
         vfs_write+0x1c3/0xae0
         ksys_write+0xed/0x1c0
         do_syscall_64+0x38/0x90
         entry_SYSCALL_64_after_hwframe+0x72/0xdc
      
        Freed by task 102551:
         kasan_save_stack+0x1e/0x40
         kasan_set_track+0x21/0x30
         kasan_save_free_info+0x2a/0x50
         __kasan_slab_free+0x106/0x190
         __kmem_cache_free+0x133/0x270
         svc_xprt_free+0x1e2/0x350 [sunrpc]
         svc_xprt_destroy_all+0x25a/0x440 [sunrpc]
         nfsd_put+0x125/0x240 [nfsd]
         nfsd_svc+0x2cb/0x3c0 [nfsd]
         write_threads+0x1ac/0x2a0 [nfsd]
         nfsctl_transaction_write+0xac/0x110 [nfsd]
         vfs_write+0x1c3/0xae0
         ksys_write+0xed/0x1c0
         do_syscall_64+0x38/0x90
         entry_SYSCALL_64_after_hwframe+0x72/0xdc
      
      Fix the UAF by simply doing nothing in svc_tcp_listen_data_ready()
      if state != TCP_LISTEN; that will avoid dereferencing svsk for all
      child sockets.
      
      Link: https://lore.kernel.org/lkml/20230507091131.23540-1-dinghui@sangfor.com.cn/
      Fixes: fa9251af ("SUNRPC: Call the default socket callbacks instead of open coding")
      Signed-off-by: Ding Hui <dinghui@sangfor.com.cn>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    • nfsd: use vfs setgid helper · 2d8ae8c4
      Christian Brauner authored
      We've aligned setgid behavior over multiple kernel releases. The details
      can be found in commit cf619f89 ("Merge tag 'fs.ovl.setgid.v6.2' of
      git://git.kernel.org/pub/scm/linux/kernel/git/vfs/idmapping") and
      commit 426b4ca2 ("Merge tag 'fs.setgid.v6.0' of
      git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux").
      Consistent setgid stripping behavior is now encapsulated in the
      setattr_should_drop_sgid() helper which is used by all filesystems that
      strip setgid bits outside of vfs proper. Usually ATTR_KILL_SGID is
      raised in e.g., chown_common() and is subject to the
      setattr_should_drop_sgid() check to determine whether the setgid bit can
      be retained. Since nfsd is raising ATTR_KILL_SGID unconditionally it
      will cause notify_change() to strip it even if the caller had the
      necessary privileges to retain it. Ensure that nfsd only raises
      ATTR_KILL_SGID if the caller lacks the necessary privileges to retain the
      setgid bit.
      
      Without this patch the setgid stripping tests in LTP will fail:
      
      > As you can see, the problem is S_ISGID (0002000) was dropped on a
      > non-group-executable file while chown was invoked by super-user, while
      
      [...]
      
      > fchown02.c:66: TFAIL: testfile2: wrong mode permissions 0100700, expected 0102700
      
      [...]
      
      > chown02.c:57: TFAIL: testfile2: wrong mode permissions 0100700, expected 0102700
      
      With this patch all tests pass.
      Reported-by: Sherry Yang <sherry.yang@oracle.com>
      Signed-off-by: Christian Brauner <brauner@kernel.org>
      Reviewed-by: Jeff Layton <jlayton@kernel.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
  2. 04 Jun, 2023 9 commits
    • Linux 6.4-rc5 · 9561de3a
      Linus Torvalds authored
    • Merge tag 'irq_urgent_for_v6.4_rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 6f64a5eb
      Linus Torvalds authored
      Pull irq fix from Borislav Petkov:
      
       - Fix open firmware quirks validation so that they don't get applied
         wrongly
      
      * tag 'irq_urgent_for_v6.4_rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        irqchip/gic: Correctly validate OF quirk descriptors
    • Merge tag 'media/v6.4-4' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media · 5e89d62e
      Linus Torvalds authored
      Pull media fixes from Mauro Carvalho Chehab:
       "Some driver fixes:
         - a regression fix for the verisilicon driver
         - uvcvideo: don't expose unsupported video formats to userspace
         - camss-video: don't zero subdev format after init
         - mediatek: some fixes for 4K decoder formats
         - fix a Sphinx build warning (missing doc for client_caps)
         - some fixes for imx and atomisp staging drivers
      
        And two CEC core fixes:
         - don't set last_initiator if TX in progress
         - disable adapter in cec_devnode_unregister"
      
      * tag 'media/v6.4-4' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
        media: uvcvideo: Don't expose unsupported formats to userspace
        media: v4l2-subdev: Fix missing kerneldoc for client_caps
        media: staging: media: imx: initialize hs_settle to avoid warning
        media: v4l2-mc: Drop subdev check in v4l2_create_fwnode_links_to_pad()
        media: staging: media: atomisp: init high & low vars
        media: cec: core: don't set last_initiator if tx in progress
        media: cec: core: disable adapter in cec_devnode_unregister
        media: mediatek: vcodec: Only apply 4K frame sizes on decoder formats
        media: camss: camss-video: Don't zero subdev format again after initialization
        media: verisilicon: Additional fix for the crash when opening the driver
    • Merge tag 'char-misc-6.4-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · 209835e8
      Linus Torvalds authored
      Pull char/misc driver fixes from Greg KH:
       "Here are a bunch of tiny char/misc/other driver fixes for 6.4-rc5 that
        resolve a number of reported issues. Included in here are:
      
         - iio driver fixes
      
         - fpga driver fixes
      
         - test_firmware bugfixes
      
         - fastrpc driver tiny bugfixes
      
         - MAINTAINERS file updates for some subsystems
      
        All of these have been in linux-next this past week with no reported
        issues"
      
      * tag 'char-misc-6.4-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (34 commits)
        test_firmware: fix the memory leak of the allocated firmware buffer
        test_firmware: fix a memory leak with reqs buffer
        test_firmware: prevent race conditions by a correct implementation of locking
        firmware_loader: Fix a NULL vs IS_ERR() check
        MAINTAINERS: Vaibhav Gupta is the new ipack maintainer
        dt-bindings: fpga: replace Ivan Bornyakov maintainership
        MAINTAINERS: update Microchip MPF FPGA reviewers
        misc: fastrpc: reject new invocations during device removal
        misc: fastrpc: return -EPIPE to invocations on device removal
        misc: fastrpc: Reassign memory ownership only for remote heap
        misc: fastrpc: Pass proper scm arguments for secure map request
        iio: imu: inv_icm42600: fix timestamp reset
        iio: adc: ad_sigma_delta: Fix IRQ issue by setting IRQ_DISABLE_UNLAZY flag
        dt-bindings: iio: adc: renesas,rcar-gyroadc: Fix adi,ad7476 compatible value
        iio: dac: mcp4725: Fix i2c_master_send() return value handling
        iio: accel: kx022a fix irq getting
        iio: bu27034: Ensure reset is written
        iio: dac: build ad5758 driver when AD5758 is selected
        iio: addac: ad74413: fix resistance input processing
        iio: light: vcnl4035: fixed chip ID check
        ...
    • Merge tag 'driver-core-6.4-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core · 41f3ab2d
      Linus Torvalds authored
      Pull driver core fixes from Greg KH:
       "Here are two small driver core cacheinfo fixes for 6.4-rc5 that
        resolve a number of reported issues with that file. These changes have
        been in linux-next this past week with no reported problems"
      
      * tag 'driver-core-6.4-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
        drivers: base: cacheinfo: Update cpu_map_populated during CPU Hotplug
        drivers: base: cacheinfo: Fix shared_cpu_map changes in event of CPU hotplug
    • Merge tag 'tty-6.4-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · 12c2f77b
      Linus Torvalds authored
      Pull tty/serial driver fixes from Greg KH:
       "Here are some small tty/serial driver fixes for 6.4-rc5 that have all
        been in linux-next this past week with no reported problems. Included
        in here are:
      
         - 8250_tegra driver bugfix
      
         - fsl uart driver bugfixes
      
         - Kconfig fix for dependency issue
      
         - dt-bindings fix for the 8250_omap driver"
      
      * tag 'tty-6.4-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        dt-bindings: serial: 8250_omap: add rs485-rts-active-high
        serial: cpm_uart: Fix a COMPILE_TEST dependency
        soc: fsl: cpm1: Fix TSA and QMC dependencies in case of COMPILE_TEST
        tty: serial: fsl_lpuart: use UARTCTRL_TXINV to send break instead of UARTCTRL_SBK
        serial: 8250_tegra: Fix an error handling path in tegra_uart_probe()
    • Merge tag 'usb-6.4-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 8b435e40
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "Here are some USB driver and core fixes for 6.4-rc5. Most of these are
        tiny driver fixes, including:
      
         - udc driver bugfix
      
         - f_fs gadget driver bugfix
      
         - cdns3 driver bugfix
      
         - typec bugfixes
      
        But the "big" thing in here is a fix yet-again for how the USB buffers
        are handled from userspace when dealing with DMA issues. The changes
        were discussed a lot, and tested a lot, on the list, and acked by the
        relevant mm maintainers and have been in linux-next all this past week
        with no reported problems"
      
      * tag 'usb-6.4-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        usb: typec: tps6598x: Fix broken polling mode after system suspend/resume
        mm: page_table_check: Ensure user pages are not slab pages
        mm: page_table_check: Make it dependent on EXCLUSIVE_SYSTEM_RAM
        usb: usbfs: Use consistent mmap functions
        usb: usbfs: Enforce page requirements for mmap
        dt-bindings: usb: snps,dwc3: Fix "snps,hsphy_interface" type
        usb: gadget: udc: fix NULL dereference in remove()
        usb: gadget: f_fs: Add unbind event before functionfs_unbind
        usb: cdns3: fix NCM gadget RX speed 20x slow than expection at iMX8QM
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · b066935b
      Linus Torvalds authored
      Pull kvm fixes from Paolo Bonzini:
       "ARM:
      
         - Address some fallout of the locking rework, this time affecting the
           way the vgic is configured
      
         - Fix an issue where the page table walker frees a subtree and then
           proceeds with walking what it has just freed...
      
         - Check that a given PA donated to the guest is actually memory (only
           affecting pKVM)
      
         - Correctly handle MTE CMOs by Set/Way
      
         - Fix the reported address of a watchpoint forwarded to userspace
      
         - Fix the freeing of the root of stage-2 page tables
      
         - Stop creating spurious PMU events to perform detection of the
           default PMU and use the existing PMU list instead
      
        x86:
      
         - Fix a memslot lookup bug in the NX recovery thread that could
           theoretically let userspace bypass the NX hugepage mitigation
      
         - Fix a s/BLOCKING/PENDING bug in SVM's vNMI support
      
         - Account exit stats for fastpath VM-Exits that never leave the super
           tight run-loop
      
         - Fix an out-of-bounds bug in the optimized APIC map code, and add a
           regression test for the race"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: selftests: Add test for race in kvm_recalculate_apic_map()
        KVM: x86: Bail from kvm_recalculate_phys_map() if x2APIC ID is out-of-bounds
        KVM: x86: Account fastpath-only VM-Exits in vCPU stats
        KVM: SVM: vNMI pending bit is V_NMI_PENDING_MASK not V_NMI_BLOCKING_MASK
        KVM: x86/mmu: Grab memslot for correct address space in NX recovery worker
        KVM: arm64: Document default vPMU behavior on heterogeneous systems
        KVM: arm64: Iterate arm_pmus list to probe for default PMU
        KVM: arm64: Drop last page ref in kvm_pgtable_stage2_free_removed()
        KVM: arm64: Populate fault info for watchpoint
        KVM: arm64: Reload PTE after invoking walker callback on preorder traversal
        KVM: arm64: Handle trap of tagged Set/Way CMOs
        arm64: Add missing Set/Way CMO encodings
        KVM: arm64: Prevent unconditional donation of unmapped regions from the host
        KVM: arm64: vgic: Fix a comment
        KVM: arm64: vgic: Fix locking comment
        KVM: arm64: vgic: Wrap vgic_its_create() with config_lock
        KVM: arm64: vgic: Fix a circular locking issue
    • Merge tag 'powerpc-6.4-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 9455b4b6
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
      
       - Fix link errors in new aes-gcm-p10 code when built-in with other
         drivers
      
       - Limit number of TCEs passed to H_STUFF_TCE hcall as per spec
      
       - Use KSYM_NAME_LEN in xmon array size to avoid possible OOB write
      
      Thanks to Gaurav Batra and Maninder Singh Vishal Chourasia.
      
      * tag 'powerpc-6.4-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/xmon: Use KSYM_NAME_LEN in array size
        powerpc/iommu: Limit number of TCEs to 512 for H_STUFF_TCE hcall
        powerpc/crypto: Fix aes-gcm-p10 link errors
  3. 03 Jun, 2023 10 commits
  4. 02 Jun, 2023 14 commits