1. 04 May, 2024 4 commits
    • Steven Rostedt (Google)'s avatar
      tracefs: Still use mount point as default permissions for instances · 6599bd55
      Steven Rostedt (Google) authored
      If the instances directory's permissions were never change, then have it
      and its children use the mount point permissions as the default.
      
      Currently, the permissions of instance directories are determined by the
      instance directory's permissions itself. But if the tracefs file system is
      remounted and changes the permissions, the instance directory and its
      children should use the new permission.
      
      But because both the instance directory and its children use the instance
      directory's inode for permissions, it misses the update.
      
      To demonstrate this:
      
        # cd /sys/kernel/tracing/
        # mkdir instances/foo
        # ls -ld instances/foo
       drwxr-x--- 5 root root 0 May  1 19:07 instances/foo
        # ls -ld instances
       drwxr-x--- 3 root root 0 May  1 18:57 instances
        # ls -ld current_tracer
       -rw-r----- 1 root root 0 May  1 18:57 current_tracer
      
        # mount -o remount,gid=1002 .
        # ls -ld instances
       drwxr-x--- 3 root root 0 May  1 18:57 instances
        # ls -ld instances/foo/
       drwxr-x--- 5 root root 0 May  1 19:07 instances/foo/
        # ls -ld current_tracer
       -rw-r----- 1 root lkp 0 May  1 18:57 current_tracer
      
      Notice that changing the group id to that of "lkp" did not affect the
      instances directory nor its children. It should have been:
      
        # ls -ld current_tracer
       -rw-r----- 1 root root 0 May  1 19:19 current_tracer
        # ls -ld instances/foo/
       drwxr-x--- 5 root root 0 May  1 19:25 instances/foo/
        # ls -ld instances
       drwxr-x--- 3 root root 0 May  1 19:19 instances
      
        # mount -o remount,gid=1002 .
        # ls -ld current_tracer
       -rw-r----- 1 root lkp 0 May  1 19:19 current_tracer
        # ls -ld instances
       drwxr-x--- 3 root lkp 0 May  1 19:19 instances
        # ls -ld instances/foo/
       drwxr-x--- 5 root lkp 0 May  1 19:25 instances/foo/
      
      Where all files were updated by the remount gid update.
      
      Link: https://lore.kernel.org/linux-trace-kernel/20240502200905.686838327@goodmis.org
      
      Cc: stable@vger.kernel.org
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Fixes: 8186fff7 ("tracefs/eventfs: Use root and instance inodes as default ownership")
      Signed-off-by: default avatarSteven Rostedt (Google) <rostedt@goodmis.org>
      6599bd55
    • Steven Rostedt (Google)'s avatar
      tracefs: Reset permissions on remount if permissions are options · baa23a8d
      Steven Rostedt (Google) authored
      There's an inconsistency with the way permissions are handled in tracefs.
      Because the permissions are generated when accessed, they default to the
      root inode's permission if they were never set by the user. If the user
      sets the permissions, then a flag is set and the permissions are saved via
      the inode (for tracefs files) or an internal attribute field (for
      eventfs).
      
      But if a remount happens that specify the permissions, all the files that
      were not changed by the user gets updated, but the ones that were are not.
      If the user were to remount the file system with a given permission, then
      all files and directories within that file system should be updated.
      
      This can cause security issues if a file's permission was updated but the
      admin forgot about it. They could incorrectly think that remounting with
      permissions set would update all files, but miss some.
      
      For example:
      
       # cd /sys/kernel/tracing
       # chgrp 1002 current_tracer
       # ls -l
      [..]
       -rw-r-----  1 root root 0 May  1 21:25 buffer_size_kb
       -rw-r-----  1 root root 0 May  1 21:25 buffer_subbuf_size_kb
       -r--r-----  1 root root 0 May  1 21:25 buffer_total_size_kb
       -rw-r-----  1 root lkp  0 May  1 21:25 current_tracer
       -rw-r-----  1 root root 0 May  1 21:25 dynamic_events
       -r--r-----  1 root root 0 May  1 21:25 dyn_ftrace_total_info
       -r--r-----  1 root root 0 May  1 21:25 enabled_functions
      
      Where current_tracer now has group "lkp".
      
       # mount -o remount,gid=1001 .
       # ls -l
       -rw-r-----  1 root tracing 0 May  1 21:25 buffer_size_kb
       -rw-r-----  1 root tracing 0 May  1 21:25 buffer_subbuf_size_kb
       -r--r-----  1 root tracing 0 May  1 21:25 buffer_total_size_kb
       -rw-r-----  1 root lkp     0 May  1 21:25 current_tracer
       -rw-r-----  1 root tracing 0 May  1 21:25 dynamic_events
       -r--r-----  1 root tracing 0 May  1 21:25 dyn_ftrace_total_info
       -r--r-----  1 root tracing 0 May  1 21:25 enabled_functions
      
      Everything changed but the "current_tracer".
      
      Add a new link list that keeps track of all the tracefs_inodes which has
      the permission flags that tell if the file/dir should use the root inode's
      permission or not. Then on remount, clear all the flags so that the
      default behavior of using the root inode's permission is done for all
      files and directories.
      
      Link: https://lore.kernel.org/linux-trace-kernel/20240502200905.529542160@goodmis.org
      
      Cc: stable@vger.kernel.org
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Fixes: 8186fff7 ("tracefs/eventfs: Use root and instance inodes as default ownership")
      Signed-off-by: default avatarSteven Rostedt (Google) <rostedt@goodmis.org>
      baa23a8d
    • Steven Rostedt (Google)'s avatar
      eventfs: Free all of the eventfs_inode after RCU · ee4e0379
      Steven Rostedt (Google) authored
      The freeing of eventfs_inode via a kfree_rcu() callback. But the content
      of the eventfs_inode was being freed after the last kref. This is
      dangerous, as changes are being made that can access the content of an
      eventfs_inode from an RCU loop.
      
      Instead of using kfree_rcu() use call_rcu() that calls a function to do
      all the freeing of the eventfs_inode after a RCU grace period has expired.
      
      Link: https://lore.kernel.org/linux-trace-kernel/20240502200905.370261163@goodmis.org
      
      Cc: stable@vger.kernel.org
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Fixes: 43aa6f97 ("eventfs: Get rid of dentry pointers without refcounts")
      Signed-off-by: default avatarSteven Rostedt (Google) <rostedt@goodmis.org>
      ee4e0379
    • Steven Rostedt (Google)'s avatar
      eventfs/tracing: Add callback for release of an eventfs_inode · b63db58e
      Steven Rostedt (Google) authored
      Synthetic events create and destroy tracefs files when they are created
      and removed. The tracing subsystem has its own file descriptor
      representing the state of the events attached to the tracefs files.
      There's a race between the eventfs files and this file descriptor of the
      tracing system where the following can cause an issue:
      
      With two scripts 'A' and 'B' doing:
      
        Script 'A':
          echo "hello int aaa" > /sys/kernel/tracing/synthetic_events
          while :
          do
            echo 0 > /sys/kernel/tracing/events/synthetic/hello/enable
          done
      
        Script 'B':
          echo > /sys/kernel/tracing/synthetic_events
      
      Script 'A' creates a synthetic event "hello" and then just writes zero
      into its enable file.
      
      Script 'B' removes all synthetic events (including the newly created
      "hello" event).
      
      What happens is that the opening of the "enable" file has:
      
       {
      	struct trace_event_file *file = inode->i_private;
      	int ret;
      
      	ret = tracing_check_open_get_tr(file->tr);
       [..]
      
      But deleting the events frees the "file" descriptor, and a "use after
      free" happens with the dereference at "file->tr".
      
      The file descriptor does have a reference counter, but there needs to be a
      way to decrement it from the eventfs when the eventfs_inode is removed
      that represents this file descriptor.
      
      Add an optional "release" callback to the eventfs_entry array structure,
      that gets called when the eventfs file is about to be removed. This allows
      for the creating on the eventfs file to increment the tracing file
      descriptor ref counter. When the eventfs file is deleted, it can call the
      release function that will call the put function for the tracing file
      descriptor.
      
      This will protect the tracing file from being freed while a eventfs file
      that references it is being opened.
      
      Link: https://lore.kernel.org/linux-trace-kernel/20240426073410.17154-1-Tze-nan.Wu@mediatek.com/
      Link: https://lore.kernel.org/linux-trace-kernel/20240502090315.448cba46@gandalf.local.home
      
      Cc: stable@vger.kernel.org
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Fixes: 5790b1fb ("eventfs: Remove eventfs_file and just use eventfs_inode")
      Reported-by: default avatarTze-nan wu <Tze-nan.Wu@mediatek.com>
      Tested-by: default avatarTze-nan Wu (吳澤南) <Tze-nan.Wu@mediatek.com>
      Signed-off-by: default avatarSteven Rostedt (Google) <rostedt@goodmis.org>
      b63db58e
  2. 28 Apr, 2024 6 commits
  3. 27 Apr, 2024 9 commits
    • Linus Torvalds's avatar
      Merge tag 'rust-fixes-6.9' of https://github.com/Rust-for-Linux/linux · 2c815938
      Linus Torvalds authored
      Pull Rust fixes from Miguel Ojeda:
      
       - Soundness: make internal functions generated by the 'module!' macro
         inaccessible, do not implement 'Zeroable' for 'Infallible' and
         require 'Send' for the 'Module' trait.
      
       - Build: avoid errors with "empty" files and workaround 'rustdoc' ICE.
      
       - Kconfig: depend on '!CFI_CLANG' and avoid selecting 'CONSTRUCTORS'.
      
       - Code docs: remove non-existing key from 'module!' macro example.
      
       - Docs: trivial rendering fix in arch table.
      
      * tag 'rust-fixes-6.9' of https://github.com/Rust-for-Linux/linux:
        rust: remove `params` from `module` macro example
        kbuild: rust: force `alloc` extern to allow "empty" Rust files
        kbuild: rust: remove unneeded `@rustc_cfg` to avoid ICE
        rust: kernel: require `Send` for `Module` implementations
        rust: phy: implement `Send` for `Registration`
        rust: make mutually exclusive with CFI_CLANG
        rust: macros: fix soundness issue in `module!` macro
        rust: init: remove impl Zeroable for Infallible
        docs: rust: fix improper rendering in Arch Support page
        rust: don't select CONSTRUCTORS
      2c815938
    • Linus Torvalds's avatar
      Merge tag 'riscv-for-linus-6.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux · 57865f39
      Linus Torvalds authored
      Pull RISC-V fixes from Palmer Dabbelt:
      
       - A fix for TASK_SIZE on rv64/NOMMU, to reflect the lack of user/kernel
         separation
      
       - A fix to avoid loading rv64/NOMMU kernel past the start of RAM
      
       - A fix for RISCV_HWPROBE_EXT_ZVFHMIN on ilp32 to avoid signed integer
         overflow in the bitmask
      
       - The sud_test kselftest has been fixed to properly swizzle the syscall
         number into the return register, which are not the same on RISC-V
      
       - A fix for a build warning in the perf tools on rv32
      
       - A fix for the CBO selftests, to avoid non-constants leaking into the
         inline asm
      
       - A pair of fixes for T-Head PBMT errata probing, which has been
         renamed MAE by the vendor
      
      * tag 'riscv-for-linus-6.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
        RISC-V: selftests: cbo: Ensure asm operands match constraints, take 2
        perf riscv: Fix the warning due to the incompatible type
        riscv: T-Head: Test availability bit before enabling MAE errata
        riscv: thead: Rename T-Head PBMT to MAE
        selftests: sud_test: return correct emulated syscall value on RISC-V
        riscv: hwprobe: fix invalid sign extension for RISCV_HWPROBE_EXT_ZVFHMIN
        riscv: Fix loading 64-bit NOMMU kernels past the start of RAM
        riscv: Fix TASK_SIZE on 64-bit NOMMU
      57865f39
    • Linus Torvalds's avatar
      Merge tag '6.9-rc5-cifs-fixes-part2' of git://git.samba.org/sfrench/cifs-2.6 · d43df69f
      Linus Torvalds authored
      Pull smb client fixes from Steve French:
       "Three smb3 client fixes, all also for stable:
      
         - two small locking fixes spotted by Coverity
      
         - FILE_ALL_INFO and network_open_info packing fix"
      
      * tag '6.9-rc5-cifs-fixes-part2' of git://git.samba.org/sfrench/cifs-2.6:
        smb3: fix lock ordering potential deadlock in cifs_sync_mid_result
        smb3: missing lock when picking channel
        smb: client: Fix struct_group() usage in __packed structs
      d43df69f
    • Linus Torvalds's avatar
      Merge tag 'i2c-for-6.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · 5d12ed4b
      Linus Torvalds authored
      Pull i2c fixes from Wolfram Sang:
       "Fix a race condition in the at24 eeprom handler, a NULL pointer
        exception in the I2C core for controllers only using target modes,
        drop a MAINTAINERS entry, and fix an incorrect DT binding for at24"
      
      * tag 'i2c-for-6.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: smbus: fix NULL function pointer dereference
        MAINTAINERS: Drop entry for PCA9541 bus master selector
        eeprom: at24: fix memory corruption race condition
        dt-bindings: eeprom: at24: Fix ST M24C64-D compatible schema
      5d12ed4b
    • Tetsuo Handa's avatar
      profiling: Remove create_prof_cpu_mask(). · 2e5449f4
      Tetsuo Handa authored
      create_prof_cpu_mask() is no longer used after commit 1f44a225 ("s390:
      convert interrupt handling to use generic hardirq").
      Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      2e5449f4
    • Linus Torvalds's avatar
      Merge tag 'soundwire-6.9-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/soundwire · 8a5c3ef7
      Linus Torvalds authored
      Pull soundwire fix from Vinod Koul:
      
       - Single AMD driver fix for wake interrupt handling in clockstop mode
      
      * tag 'soundwire-6.9-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/soundwire:
        soundwire: amd: fix for wake interrupt handling for clockstop mode
      8a5c3ef7
    • Linus Torvalds's avatar
      Merge tag 'dmaengine-fix-6.9' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/dmaengine · 6fba14a7
      Linus Torvalds authored
      Pull dmaengine fixes from Vinod Koul:
      
       - Revert pl330 issue_pending waits until WFP state due to regression
         reported in Bluetooth loading
      
       - Xilinx driver fixes for synchronization, buffer offsets, locking and
         kdoc
      
       - idxd fixes for spinlock and preventing the migration of the perf
         context to an invalid target
      
       - idma driver fix for interrupt handling when powered off
      
       - Tegra driver residual calculation fix
      
       - Owl driver register access fix
      
      * tag 'dmaengine-fix-6.9' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/dmaengine:
        dmaengine: idxd: Fix oops during rmmod on single-CPU platforms
        dmaengine: xilinx: xdma: Clarify kdoc in XDMA driver
        dmaengine: xilinx: xdma: Fix synchronization issue
        dmaengine: xilinx: xdma: Fix wrong offsets in the buffers addresses in dma descriptor
        dma: xilinx_dpdma: Fix locking
        dmaengine: idxd: Convert spinlock to mutex to lock evl workqueue
        idma64: Don't try to serve interrupts when device is powered off
        dmaengine: tegra186: Fix residual calculation
        dmaengine: owl: fix register access functions
        dmaengine: Revert "dmaengine: pl330: issue_pending waits until WFP state"
      6fba14a7
    • Linus Torvalds's avatar
      Merge tag 'phy-fixes-6.9' of git://git.kernel.org/pub/scm/linux/kernel/git/phy/linux-phy · 63407d30
      Linus Torvalds authored
      Pull phy fixes from Vinod Koul:
      
       - static checker (array size, bounds) fix for marvel driver
      
       - Rockchip rk3588 pcie fixes for bifurcation and mux
      
       - Qualcomm qmp-compbo fix for VCO, register base and regulator name for
         m31 driver
      
       - charger det crash fix for ti driver
      
      * tag 'phy-fixes-6.9' of git://git.kernel.org/pub/scm/linux/kernel/git/phy/linux-phy:
        phy: ti: tusb1210: Resolve charger-det crash if charger psy is unregistered
        phy: qcom: qmp-combo: fix VCO div offset on v5_5nm and v6
        phy: phy-rockchip-samsung-hdptx: Select CONFIG_RATIONAL
        phy: qcom: m31: match requested regulator name with dt schema
        phy: qcom: qmp-combo: Fix register base for QSERDES_DP_PHY_MODE
        phy: qcom: qmp-combo: Fix VCO div offset on v3
        phy: rockchip: naneng-combphy: Fix mux on rk3588
        phy: rockchip-snps-pcie3: fix clearing PHP_GRF_PCIESEL_CON bits
        phy: rockchip-snps-pcie3: fix bifurcation on rk3588
        phy: freescale: imx8m-pcie: fix pcie link-up instability
        phy: marvell: a3700-comphy: Fix hardcoded array size
        phy: marvell: a3700-comphy: Fix out of bounds read
      63407d30
    • Wolfram Sang's avatar
      i2c: smbus: fix NULL function pointer dereference · 91811a31
      Wolfram Sang authored
      Baruch reported an OOPS when using the designware controller as target
      only. Target-only modes break the assumption of one transfer function
      always being available. Fix this by always checking the pointer in
      __i2c_transfer.
      Reported-by: default avatarBaruch Siach <baruch@tkos.co.il>
      Closes: https://lore.kernel.org/r/4269631780e5ba789cf1ae391eec1b959def7d99.1712761976.git.baruch@tkos.co.il
      Fixes: 4b1acc43 ("i2c: core changes for slave support")
      [wsa: dropped the simplification in core-smbus to avoid theoretical regressions]
      Signed-off-by: default avatarWolfram Sang <wsa+renesas@sang-engineering.com>
      Tested-by: default avatarBaruch Siach <baruch@tkos.co.il>
      91811a31
  4. 26 Apr, 2024 21 commits