1. 03 Apr, 2023 1 commit
    • tracing/synthetic: Fix races on freeing last_cmd · 4ccf11c4
      Tze-nan Wu authored
      Currently, the "last_cmd" variable can be accessed by multiple processes
      asynchronously when multiple users manipulate synthetic_events node
      at the same time, it could lead to use-after-free or double-free.
      
      This patch adds "lastcmd_mutex" to prevent "last_cmd" from being accessed
      asynchronously.
      
      ================================================================
      
      It's easy to reproduce in the KASAN environment by running the two
      scripts below in different shells.
      
      script 1:
              while :
              do
                      echo -n -e '\x88' > /sys/kernel/tracing/synthetic_events
              done
      
      script 2:
              while :
              do
                      echo -n -e '\xb0' > /sys/kernel/tracing/synthetic_events
              done
      
      ================================================================
      double-free scenario:
      
          process A                       process B
      -------------------               ---------------
      1.kstrdup last_cmd
                                        2.free last_cmd
      3.free last_cmd(double-free)
      
      ================================================================
      use-after-free scenario:
      
          process A                       process B
      -------------------               ---------------
      1.kstrdup last_cmd
                                        2.free last_cmd
      3.tracing_log_err(use-after-free)
      
      ================================================================
      
      Appendix 1. KASAN report double-free:
      
      BUG: KASAN: double-free in kfree+0xdc/0x1d4
      Free of addr ***** by task sh/4879
      Call trace:
              ...
              kfree+0xdc/0x1d4
              create_or_delete_synth_event+0x60/0x1e8
              trace_parse_run_command+0x2bc/0x4b8
              synth_events_write+0x20/0x30
              vfs_write+0x200/0x830
              ...
      
      Allocated by task 4879:
              ...
              kstrdup+0x5c/0x98
              create_or_delete_synth_event+0x6c/0x1e8
              trace_parse_run_command+0x2bc/0x4b8
              synth_events_write+0x20/0x30
              vfs_write+0x200/0x830
              ...
      
      Freed by task 5464:
              ...
              kfree+0xdc/0x1d4
              create_or_delete_synth_event+0x60/0x1e8
              trace_parse_run_command+0x2bc/0x4b8
              synth_events_write+0x20/0x30
              vfs_write+0x200/0x830
              ...
      
      ================================================================
      Appendix 2. KASAN report use-after-free:
      
      BUG: KASAN: use-after-free in strlen+0x5c/0x7c
      Read of size 1 at addr ***** by task sh/5483
      sh: CPU: 7 PID: 5483 Comm: sh
              ...
              __asan_report_load1_noabort+0x34/0x44
              strlen+0x5c/0x7c
              tracing_log_err+0x60/0x444
              create_or_delete_synth_event+0xc4/0x204
              trace_parse_run_command+0x2bc/0x4b8
              synth_events_write+0x20/0x30
              vfs_write+0x200/0x830
              ...
      
      Allocated by task 5483:
              ...
              kstrdup+0x5c/0x98
              create_or_delete_synth_event+0x80/0x204
              trace_parse_run_command+0x2bc/0x4b8
              synth_events_write+0x20/0x30
              vfs_write+0x200/0x830
              ...
      
      Freed by task 5480:
              ...
              kfree+0xdc/0x1d4
              create_or_delete_synth_event+0x74/0x204
              trace_parse_run_command+0x2bc/0x4b8
              synth_events_write+0x20/0x30
              vfs_write+0x200/0x830
              ...
      
      Link: https://lore.kernel.org/linux-trace-kernel/20230321110444.1587-1-Tze-nan.Wu@mediatek.com
      
      Fixes: 27c888da ("tracing: Remove size restriction on synthetic event cmd error logging")
      Cc: stable@vger.kernel.org
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Matthias Brugger <matthias.bgg@gmail.com>
      Cc: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
      Cc: "Tom Zanussi" <zanussi@kernel.org>
      Signed-off-by: Tze-nan Wu <Tze-nan.Wu@mediatek.com>
      Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
  2. 02 Apr, 2023 5 commits
  3. 01 Apr, 2023 5 commits
    • Merge tag '6.3-rc4-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6 · f7772da6
      Linus Torvalds authored
      Pull cifs client fixes from Steve French:
       "Four cifs/smb3 client (reconnect and DFS related) fixes, including two
        for stable:
      
         - DFS oops fix
      
         - DFS reconnect recursion fix
      
         - An SMB1 parallel reconnect fix
      
         - Trivial dead code removal in smb2_reconnect"
      
      * tag '6.3-rc4-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6:
        cifs: get rid of dead check in smb2_reconnect()
        cifs: prevent infinite recursion in CIFSGetDFSRefer()
        cifs: avoid races in parallel reconnects in smb1
        cifs: fix DFS traversal oops without CONFIG_CIFS_DFS_UPCALL
    • Merge tag 'input-for-v6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · 00c7b5f4
      Linus Torvalds authored
      Pull input fixes from Dmitry Torokhov:
      
       - fixes to ALPS and Focaltech PS/2 drivers dealing with the breakage of
         switching to -funsigned-char
      
       - quirks to i8042 to better handle Lifebook A574/H and TUXEDO devices
      
       - a quirk to Goodix touchscreen driver to handle Yoga Book X90F
      
       - a fix for incorrectly merged patch to xpad game controller driver
      
      * tag 'input-for-v6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: i8042 - add TUXEDO devices to i8042 quirk tables for partial fix
        Input: alps - fix compatibility with -funsigned-char
        Input: focaltech - use explicitly signed char type
        Input: xpad - fix incorrectly applied patch for MAP_PROFILE_BUTTON
        Input: goodix - add Lenovo Yoga Book X90F to nine_bytes_report DMI table
        Input: i8042 - add quirk for Fujitsu Lifebook A574/H
    • Merge tag 'pinctrl-v6.3-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl · 93e2b017
      Linus Torvalds authored
      Pull pin control fixes from Linus Walleij:
       "Some pin control fixes for the v6.3 series.
      
        The most notable and urgent one is probably the AMD fix which affects
        AMD laptops, found by the Chromium people.
      
        Summary:
      
         - Fix up the Kconfig options for MediaTek MT7981
      
         - Fix the irq domain name in the AT91-PIO4 driver
      
         - Fix some alternative muxing modes in the Ocelot driver
      
         - Allocate the GPIO numbers dynamically in the STM32 driver
      
         - Disable and mask interrupts on resume in the AMD driver
      
         - Fix a typo in the Qualcomm SM8550 pin control device tree bindings"
      
      * tag 'pinctrl-v6.3-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        dt-bindings: pinctrl: qcom,sm8550-lpass-lpi: allow input-enabled and bias-bus-hold
        pinctrl: amd: Disable and mask interrupts on resume
        pinctrl: stm32: use dynamic allocation of GPIO base
        pinctrl: ocelot: Fix alt mode for ocelot
        pinctrl: at91-pio4: fix domain name assignment
        pinctrl: mediatek: fix naming inconsistency
        pinctrl: mediatek: add missing options to PINCTRL_MT7981
    • Merge tag 'kbuild-fixes-v6.3-2' of... · ce0c2375
      Linus Torvalds authored
      Merge tag 'kbuild-fixes-v6.3-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
      
      Pull Kbuild fixes from Masahiro Yamada:
      
       - Fix linux-headers debian package
      
       - Fix a merge_config.sh error due to a misspelled variable
      
       - Fix modversion for 32-bit build machines
      
      * tag 'kbuild-fixes-v6.3-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
        modpost: Fix processing of CRCs on 32-bit build machines
        scripts: merge_config: Fix typo in variable name.
        kbuild: deb-pkg: set version for linux-headers paths
    • Merge tag 'iommu-fixes-6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu · 92367fdf
      Linus Torvalds authored
      Pull iommu fixes from Joerg Roedel:
      
       - Maintainer update for S390 IOMMU driver
      
       - A fix for the set_platform_dma_ops() call-back in the Exynos
         IOMMU driver
      
       - Intel VT-d fixes from Lu Baolu:
          - Fix a lockdep splat
          - Fix a supplement of the specification
          - Fix a warning in perfmon code
      
      * tag 'iommu-fixes-6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
        iommu/vt-d: Fix an IOMMU perfmon warning when CPU hotplug
        iommu/vt-d: Allow zero SAGAW if second-stage not supported
        iommu/vt-d: Remove unnecessary locking in intel_irq_remapping_alloc()
        iommu/exynos: Fix set_platform_dma_ops() callback
        MAINTAINERS: Update s390-iommu driver maintainer information
  4. 31 Mar, 2023 19 commits
  5. 30 Mar, 2023 10 commits
    • Merge tag 'dma-mapping-6.3-2023-03-31' of git://git.infradead.org/users/hch/dma-mapping · 62bad54b
      Linus Torvalds authored
      Pull dma-mapping fixes from Christoph Hellwig:
      
       - fix for swiotlb deadlock due to wrong alignment checks (GuoRui.Yu,
         Petr Tesarik)
      
      * tag 'dma-mapping-6.3-2023-03-31' of git://git.infradead.org/users/hch/dma-mapping:
        swiotlb: fix slot alignment checks
        swiotlb: use wrap_area_index() instead of open-coding it
        swiotlb: fix the deadlock in swiotlb_do_find_slots
    • cifs: get rid of dead check in smb2_reconnect() · e0367710
      Paulo Alcantara authored
      The SMB2_IOCTL check in the switch statement will never be true as we
      return earlier from smb2_reconnect() if @smb2_command == SMB2_IOCTL.
      Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
      Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
      Signed-off-by: Steve French <stfrench@microsoft.com>
    • cifs: prevent infinite recursion in CIFSGetDFSRefer() · 09ba47b4
      Paulo Alcantara authored
      We can't call smb_init() in CIFSGetDFSRefer() as cifs_reconnect_tcon()
      may end up calling CIFSGetDFSRefer() again to get new DFS referrals
      and thus causing an infinite recursion.
      Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
      Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
      Cc: stable@vger.kernel.org # 6.2
      Signed-off-by: Steve French <stfrench@microsoft.com>
    • cifs: avoid races in parallel reconnects in smb1 · 6cc041e9
      Paulo Alcantara authored
      Prevent multiple threads from doing negotiate, session setup and tree
      connect by holding @ses->session_mutex in cifs_reconnect_tcon() while
      reconnecting session and tcon.
      Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
      Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
      Signed-off-by: Steve French <stfrench@microsoft.com>
    • Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 10f76dc3
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "Four small fixes, three in drivers. The core fix is yet another
        attempt to insulate us from UFS devices' weird behaviour for VPD
        pages"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: mpt3sas: Don't print sense pool info twice
        scsi: core: Improve scsi_vpd_inquiry() checks
        scsi: megaraid_sas: Fix crash after a double completion
        scsi: megaraid_sas: Fix fw_crash_buffer_show()
    • Merge tag 'nvme-6.3-2023-03-31' of git://git.infradead.org/nvme into block-6.3 · 1a06ed2d
      Jens Axboe authored
      Pull NVMe fixes from Christoph:
      
      "nvme fixes for Linux 6.3
      
       - mark Lexar NM760 as IGNORE_DEV_SUBNQN (Juraj Pecigos)
       - fix a possible UAF when failing to allocate a TCP io queue
         (Sagi Grimberg)"
      
      * tag 'nvme-6.3-2023-03-31' of git://git.infradead.org/nvme:
        nvme-tcp: fix a possible UAF when failing to allocate an io queue
        nvme-pci: mark Lexar NM760 as IGNORE_DEV_SUBNQN
    • cifs: fix DFS traversal oops without CONFIG_CIFS_DFS_UPCALL · 179a88a8
      David Disseldorp authored
      When compiled with CONFIG_CIFS_DFS_UPCALL disabled, cifs_dfs_d_automount
      is NULL. cifs.ko logic for mapping CIFS_FATTR_DFS_REFERRAL attributes to
      S_AUTOMOUNT and corresponding dentry flags is retained regardless of
      CONFIG_CIFS_DFS_UPCALL, leading to a NULL pointer dereference in
      VFS follow_automount() when traversing a DFS referral link:
        BUG: kernel NULL pointer dereference, address: 0000000000000000
        ...
        Call Trace:
         <TASK>
         __traverse_mounts+0xb5/0x220
         ? cifs_revalidate_mapping+0x65/0xc0 [cifs]
         step_into+0x195/0x610
         ? lookup_fast+0xe2/0xf0
         path_lookupat+0x64/0x140
         filename_lookup+0xc2/0x140
         ? __create_object+0x299/0x380
         ? kmem_cache_alloc+0x119/0x220
         ? user_path_at_empty+0x31/0x50
         user_path_at_empty+0x31/0x50
         __x64_sys_chdir+0x2a/0xd0
         ? exit_to_user_mode_prepare+0xca/0x100
         do_syscall_64+0x42/0x90
         entry_SYSCALL_64_after_hwframe+0x72/0xdc
      
      This fix adds an inline cifs_dfs_d_automount() {return -EREMOTE} handler
      when CONFIG_CIFS_DFS_UPCALL is disabled. An alternative would be to
      avoid flagging S_AUTOMOUNT, etc. without CONFIG_CIFS_DFS_UPCALL. This
      approach was chosen as it provides more control over the error path.
      Signed-off-by: David Disseldorp <ddiss@suse.de>
      Cc: stable@vger.kernel.org
      Reviewed-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
      Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
      Signed-off-by: Steve French <stfrench@microsoft.com>
    • Merge tag 'net-6.3-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · b2bc47e9
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from CAN and WPAN.
      
        Still quite a few bugs from this release. This pull is a bit smaller
        because major subtrees went into the previous one. Or maybe people
        took spring break off?
      
        Current release - regressions:
      
         - phy: micrel: correct KSZ9131RNX EEE capabilities and advertisement
      
        Current release - new code bugs:
      
         - eth: wangxun: fix vector length of interrupt cause
      
         - vsock/loopback: consistently protect the packet queue with
           sk_buff_head.lock
      
         - virtio/vsock: fix header length on skb merging
      
         - wpan: ca8210: fix unsigned mac_len comparison with zero
      
        Previous releases - regressions:
      
         - eth: stmmac: don't reject VLANs when IFF_PROMISC is set
      
         - eth: smsc911x: avoid PHY being resumed when interface is not up
      
         - eth: mtk_eth_soc: fix tx throughput regression with direct 1G links
      
         - eth: bnx2x: use the right build_skb() helper after core rework
      
         - wwan: iosm: fix 7560 modem crash on use on unsupported channel
      
        Previous releases - always broken:
      
         - eth: sfc: don't overwrite offload features at NIC reset
      
         - eth: r8169: fix RTL8168H and RTL8107E rx crc error
      
         - can: j1939: prevent deadlock by moving j1939_sk_errqueue()
      
         - virt: vmxnet3: use GRO callback when UPT is enabled
      
         - virt: xen: don't do grant copy across page boundary
      
         - phy: dp83869: fix default value for tx-/rx-internal-delay
      
         - dsa: ksz8: fix multiple issues with ksz8_fdb_dump
      
         - eth: mvpp2: fix classification/RSS of VLAN and fragmented packets
      
         - eth: mtk_eth_soc: fix flow block refcounting logic
      
        Misc:
      
         - constify fwnode pointers in SFP handling"
      
      * tag 'net-6.3-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (55 commits)
        net: ethernet: mtk_eth_soc: add missing ppe cache flush when deleting a flow
        net: ethernet: mtk_eth_soc: fix L2 offloading with DSA untag offload
        net: ethernet: mtk_eth_soc: fix flow block refcounting logic
        net: mvneta: fix potential double-frees in mvneta_txq_sw_deinit()
        net: dsa: sync unicast and multicast addresses for VLAN filters too
        net: dsa: mv88e6xxx: Enable IGMP snooping on user ports only
        xen/netback: use same error messages for same errors
        test/vsock: new skbuff appending test
        virtio/vsock: WARN_ONCE() for invalid state of socket
        virtio/vsock: fix header length on skb merging
        bnxt_en: Add missing 200G link speed reporting
        bnxt_en: Fix typo in PCI id to device description string mapping
        bnxt_en: Fix reporting of test result in ethtool selftest
        i40e: fix registers dump after run ethtool adapter self test
        bnx2x: use the right build_skb() helper
        net: ipa: compute DMA pool size properly
        net: wwan: iosm: fixes 7560 modem crash
        net: ethernet: mtk_eth_soc: fix tx throughput regression with direct 1G links
        ice: fix invalid check for empty list in ice_sched_assoc_vsi_to_agg()
        ice: add profile conflict check for AVF FDIR
        ...
    • Merge tag 'for-6.3/dm-fixes-2' of... · b527ac44
      Linus Torvalds authored
      Merge tag 'for-6.3/dm-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
      
      Pull device mapper fixes from Mike Snitzer:
      
       - Fix two DM core bugs in the code that handles splitting "abnormal" IO
         (discards, write same and secure erase) and issuing that IO to the
         correct underlying devices (and offsets within those devices).
      
      * tag 'for-6.3/dm-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
        dm: fix __send_duplicate_bios() to always allow for splitting IO
        dm: fix improper splitting for abnormal bios
    • Merge tag 'drm-fixes-2023-03-30' of git://anongit.freedesktop.org/drm/drm · 0d3ff808
      Linus Torvalds authored
      Pull drm fixes from Daniel Vetter:
       "Two regression fixes in here, otherwise just the usual stuff:
      
         - i915 fixes for color mgmt, psr, lmem flush, hibernate oops, and
           more
      
         - amdgpu: dp mst and hibernate regression fix
      
         - etnaviv: revert fdinfo support (incl drm/sched revert), leak fix
      
         - misc ivpu fixes, nouveau backlight, drm buddy allocator 32bit
           fixes"
      
      * tag 'drm-fixes-2023-03-30' of git://anongit.freedesktop.org/drm/drm: (27 commits)
        Revert "drm/scheduler: track GPU active time per entity"
        Revert "drm/etnaviv: export client GPU usage statistics via fdinfo"
        drm/etnaviv: fix reference leak when mmaping imported buffer
        drm/amdgpu: allow more APUs to do mode2 reset when go to S4
        drm/amd/display: Take FEC Overhead into Timeslot Calculation
        drm/amd/display: Add DSC Support for Synaptics Cascaded MST Hub
        drm: test: Fix 32-bit issue in drm_buddy_test
        drm: buddy_allocator: Fix buddy allocator init on 32-bit systems
        drm/nouveau/kms: Fix backlight registration
        drm/i915/perf: Drop wakeref on GuC RC error
        drm/i915/dpt: Treat the DPT BO as a framebuffer
        drm/i915/gem: Flush lmem contents after construction
        drm/i915/tc: Fix the ICL PHY ownership check in TC-cold state
        drm/i915: Disable DC states for all commits
        drm/i915: Workaround ICL CSC_MODE sticky arming
        drm/i915: Add a .color_post_update() hook
        drm/i915: Move CSC load back into .color_commit_arm() when PSR is enabled on skl/glk
        drm/i915: Split icl_color_commit_noarm() from skl_color_commit_noarm()
        drm/i915/pmu: Use functions common with sysfs to read actual freq
        accel/ivpu: Fix IPC buffer header status field value
        ...