1. 21 Dec, 2023 20 commits
    • afs: Fix use-after-free due to get/remove race in volume tree · 9a6b294a
      David Howells authored
      When an afs_volume struct is put, its refcount is reduced to 0 before
      the cell->volume_lock is taken and the volume removed from the
      cell->volumes tree.
      
      Unfortunately, this means that the lookup code can race and see a volume
      with a zero ref in the tree, resulting in a use-after-free:
      
          refcount_t: addition on 0; use-after-free.
          WARNING: CPU: 3 PID: 130782 at lib/refcount.c:25 refcount_warn_saturate+0x7a/0xda
          ...
          RIP: 0010:refcount_warn_saturate+0x7a/0xda
          ...
          Call Trace:
           afs_get_volume+0x3d/0x55
           afs_create_volume+0x126/0x1de
           afs_validate_fc+0xfe/0x130
           afs_get_tree+0x20/0x2e5
           vfs_get_tree+0x1d/0xc9
           do_new_mount+0x13b/0x22e
           do_mount+0x5d/0x8a
           __do_sys_mount+0x100/0x12a
           do_syscall_64+0x3a/0x94
           entry_SYSCALL_64_after_hwframe+0x62/0x6a
      
      Fix this by:
      
       (1) When putting, use a flag to indicate if the volume has been removed
           from the tree and skip the rb_erase if it has.
      
       (2) When looking up, use a conditional ref increment and if it fails
           because the refcount is 0, replace the node in the tree and set the
           removal flag.
      
      Fixes: 20325960 ("afs: Reorganise volume and server trees to be rooted on the cell")
      Signed-off-by: David Howells <dhowells@redhat.com>
      Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
      cc: Marc Dionne <marc.dionne@auristor.com>
      cc: linux-afs@lists.infradead.org
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
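
A userspace C model of the two-part fix described in the afs use-after-free commit above, added here as an illustration; it is not the kernel patch, and the array standing in for cell->volumes and all function names are hypothetical. The racing interleaving is replayed single-threaded, with comments marking where cell->volume_lock would be held.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_VID 8

struct volume {
    atomic_int ref;      /* 0 means the object is on its way to being freed */
    bool removed;        /* true once the node is no longer in the tree */
    unsigned int vid;
};

/* Stand-in for the cell->volumes tree (assumption: a plain array by vid). */
struct cell {
    struct volume *volumes[MAX_VID];
};

static void volume_init(struct volume *v, unsigned int vid)
{
    atomic_init(&v->ref, 1);   /* creator holds the first reference */
    v->removed = false;
    v->vid = vid;
}

/* Pre-fix style get: unconditional increment. Returns the previous count;
 * a return of 0 is the "addition on 0" case the refcount warning reports. */
static int volume_get_unchecked(struct volume *v)
{
    return atomic_fetch_add(&v->ref, 1);
}

/* Conditional increment: take a reference only if the count is non-zero. */
static bool volume_try_get(struct volume *v)
{
    int r = atomic_load(&v->ref);
    while (r != 0) {
        if (atomic_compare_exchange_weak(&v->ref, &r, r + 1))
            return true;
    }
    return false;
}

/* Fix part (2): on lookup, a node whose count already hit 0 is replaced in
 * the tree and flagged as removed instead of being handed out. */
static struct volume *volume_lookup_or_insert(struct cell *c,
                                              struct volume *candidate)
{
    /* volume_lock would be taken here */
    struct volume *found = c->volumes[candidate->vid];
    if (found) {
        if (volume_try_get(found))
            return found;              /* live volume: share it */
        found->removed = true;         /* dying volume: displace it */
    }
    c->volumes[candidate->vid] = candidate;
    /* volume_lock would be dropped here */
    return candidate;
}

/* First half of a put: drop the reference before any lock is taken. */
static bool volume_put_dec(struct volume *v)
{
    return atomic_fetch_sub(&v->ref, 1) == 1;   /* true: we hit zero */
}

/* Fix part (1): second half of a put skips the erase if already removed. */
static void volume_put_finish(struct cell *c, struct volume *v)
{
    /* volume_lock would be taken here */
    if (!v->removed) {
        c->volumes[v->vid] = NULL;
        v->removed = true;
    }
    /* volume_lock would be dropped here; the real code then frees v */
}

/* Replays: put drops to 0, lookup runs in the window, put then finishes. */
static bool race_demo_fixed(void)
{
    struct cell c = { { NULL } };
    struct volume old_vol, new_vol;
    volume_init(&old_vol, 3);
    volume_init(&new_vol, 3);
    c.volumes[3] = &old_vol;

    bool last = volume_put_dec(&old_vol);        /* ref 0, still in tree */
    struct volume *got = volume_lookup_or_insert(&c, &new_vol);
    volume_put_finish(&c, &old_vol);             /* must not erase new_vol */

    return last && got == &new_vol && c.volumes[3] == &new_vol &&
           old_vol.removed && atomic_load(&old_vol.ref) == 0 &&
           atomic_load(&new_vol.ref) == 1;
}

/* Same window with the unconditional get: the dying object is revived. */
static int race_demo_unfixed(void)
{
    struct volume old_vol;
    volume_init(&old_vol, 3);
    volume_put_dec(&old_vol);
    return volume_get_unchecked(&old_vol);       /* previous count was 0 */
}

int main(void)
{
    printf("fixed path keeps tree consistent: %d\n", race_demo_fixed());
    printf("unchecked get saw previous count: %d\n", race_demo_unfixed());
    return 0;
}
```
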
    • ida: Fix crash in ida_free when the bitmap is empty · af73483f
      Matthew Wilcox (Oracle) authored
      The IDA usually detects double-frees, but that detection failed to
      consider the case when there are no nearby IDs allocated and so we have a
      NULL bitmap rather than simply having a clear bit.  Add some tests to the
      test-suite to be sure we don't inadvertently reintroduce this problem.
      Unfortunately they're quite noisy so include a message to disregard
      the warnings.
      Reported-by: Zhenghan Wang <wzhmmmmm@gmail.com>
      Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • afs: Fix overwriting of result of DNS query · a9e01ac8
      David Howells authored
      In afs_update_cell(), ret is the result of the DNS lookup and the errors
      are to be handled by a switch - however, the value gets clobbered in
      between by setting it to -ENOMEM in case afs_alloc_vlserver_list()
      fails.
      
      Fix this by moving the setting of -ENOMEM into the error handling for
      OOM failure.  Further, only do it if we don't have an alternative error
      to return.
      
      Found by Linux Verification Center (linuxtesting.org) with SVACE.  Based
      on a patch from Anastasia Belova [1].
      
      Fixes: d5c32c89 ("afs: Fix cell DNS lookup")
      Signed-off-by: David Howells <dhowells@redhat.com>
      Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
      cc: Anastasia Belova <abelova@astralinux.ru>
      cc: Marc Dionne <marc.dionne@auristor.com>
      cc: linux-afs@lists.infradead.org
      cc: lvc-project@linuxtesting.org
      Link: https://lore.kernel.org/r/20231221085849.1463-1-abelova@astralinux.ru/ [1]
      Link: https://lore.kernel.org/r/1700862.1703168632@warthog.procyon.org.uk/ # v1
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge tag 'afs-fixes-20231221' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs · 937fd403
      Linus Torvalds authored
      Pull AFS fixes from David Howells:
       "Improve the interaction of arbitrary lookups in the AFS dynamic root
        that hit DNS lookup failures [1] where kafs behaves differently from
        openafs and causes some applications to fail that aren't expecting
        that. Further, negative DNS results aren't getting removed and are
        causing failures to persist.
      
         - Always delete unused (particularly negative) dentries as soon as
           possible so that they don't prevent future lookups from retrying.
      
         - Fix the handling of new-style negative DNS lookups in ->lookup() to
           make them return ENOENT so that userspace doesn't get confused when
           stat succeeds but the following open on the looked up file then
           fails.
      
         - Fix key handling so that DNS lookup results are reclaimed almost as
           soon as they expire rather than sitting round either forever or for
           an additional 5 mins beyond a set expiry time returning
           EKEYEXPIRED. They persist for 1s as /bin/ls will do a second stat
           call if the first fails"
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=216637 [1]
      Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
      
      * tag 'afs-fixes-20231221' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
        keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry
        afs: Fix dynamic root lookup DNS check
        afs: Fix the dynamic root's d_delete to always delete unused dentries
    • Merge tag 'trace-v6.7-rc6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace · 13b73446
      Linus Torvalds authored
      Pull tracing fixes from Steven Rostedt:
      
       - Fix another kerneldoc warning
      
       - Fix eventfs files to inherit the ownership of its parent directory.
      
         The dynamic creation of dentries in eventfs did not take into account
         if the tracefs file system was mounted with a gid/uid, and would
         still default to the gid/uid of root. This is a regression.
      
       - Fix warning when synthetic event testing is enabled along with
         startup event tracing testing is enabled
      
      * tag 'trace-v6.7-rc6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
        tracing / synthetic: Disable events after testing in synth_event_gen_test_init()
        eventfs: Have event files and directories default to parent uid and gid
        tracing/synthetic: fix kernel-doc warnings
    • Merge tag 'net-6.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 7c5e046b
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
       "Including fixes from WiFi and bpf.
      
        Current release - regressions:
      
         - bpf: syzkaller found null ptr deref in unix_bpf proto add
      
         - eth: i40e: fix ST code value for clause 45
      
        Previous releases - regressions:
      
         - core: return error from sk_stream_wait_connect() if sk_wait_event()
           fails
      
         - ipv6: revert remove expired routes with a separated list of routes
      
         - wifi rfkill:
             - set GPIO direction
             - fix crash with WED rx support enabled
      
         - bluetooth:
             - fix deadlock in vhci_send_frame
             - fix use-after-free in bt_sock_recvmsg
      
         - eth: mlx5e: fix a race in command alloc flow
      
         - eth: ice: fix PF with enabled XDP going no-carrier after reset
      
         - eth: bnxt_en: do not map packet buffers twice
      
        Previous releases - always broken:
      
         - core:
             - check vlan filter feature in vlan_vids_add_by_dev() and
               vlan_vids_del_by_dev()
             - check dev->gso_max_size in gso_features_check()
      
         - mptcp: fix inconsistent state on fastopen race
      
         - phy: skip LED triggers on PHYs on SFP modules
      
         - eth: mlx5e:
             - fix double free of encap_header
             - fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list()"
      
      * tag 'net-6.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (69 commits)
        net: check dev->gso_max_size in gso_features_check()
        kselftest: rtnetlink.sh: use grep_fail when expecting the cmd fail
        net/ipv6: Revert remove expired routes with a separated list of routes
        net: avoid build bug in skb extension length calculation
        net: ethernet: mtk_wed: fix possible NULL pointer dereference in mtk_wed_wo_queue_tx_clean()
        net: stmmac: fix incorrect flag check in timestamp interrupt
        selftests: add vlan hw filter tests
        net: check vlan filter feature in vlan_vids_add_by_dev() and vlan_vids_del_by_dev()
        net: hns3: add new maintainer for the HNS3 ethernet driver
        net: mana: select PAGE_POOL
        net: ks8851: Fix TX stall caused by TX buffer overrun
        ice: Fix PF with enabled XDP going no-carrier after reset
        ice: alter feature support check for SRIOV and LAG
        ice: stop trashing VF VSI aggregator node ID information
        mailmap: add entries for Geliang Tang
        mptcp: fill in missing MODULE_DESCRIPTION()
        mptcp: fix inconsistent state on fastopen race
        selftests: mptcp: join: fix subflow_send_ack lookup
        net: phy: skip LED triggers on PHYs on SFP modules
        bpf: Add missing BPF_LINK_TYPE invocations
        ...
    • tracing / synthetic: Disable events after testing in synth_event_gen_test_init() · 88b30c7f
      Steven Rostedt (Google) authored
      The synth_event_gen_test module can be built in, if someone wants to run
      the tests at boot up and not have to load them.
      
      The synth_event_gen_test_init() function creates and enables the synthetic
      events and runs its tests.
      
      The synth_event_gen_test_exit() disables the events it created and
      destroys the events.
      
      If the module is builtin, the events are never disabled. The issue is, the
      events should be disabled after the tests are run. This could be an issue
      if the rest of the boot up tests are enabled, as they expect the events to
      be in a known state before testing. That known state happens to be
      disabled.
      
      When CONFIG_SYNTH_EVENT_GEN_TEST=y and CONFIG_EVENT_TRACE_STARTUP_TEST=y
      a warning will trigger:
      
       Running tests on trace events:
       Testing event create_synth_test:
       Enabled event during self test!
       ------------[ cut here ]------------
       WARNING: CPU: 2 PID: 1 at kernel/trace/trace_events.c:4150 event_trace_self_tests+0x1c2/0x480
       Modules linked in:
       CPU: 2 PID: 1 Comm: swapper/0 Not tainted 6.7.0-rc2-test-00031-gb803d7c6-dirty #276
       Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
       RIP: 0010:event_trace_self_tests+0x1c2/0x480
       Code: bb e8 a2 ab 5d fc 48 8d 7b 48 e8 f9 3d 99 fc 48 8b 73 48 40 f6 c6 01 0f 84 d6 fe ff ff 48 c7 c7 20 b6 ad bb e8 7f ab 5d fc 90 <0f> 0b 90 48 89 df e8 d3 3d 99 fc 48 8b 1b 4c 39 f3 0f 85 2c ff ff
       RSP: 0000:ffffc9000001fdc0 EFLAGS: 00010246
       RAX: 0000000000000029 RBX: ffff88810399ca80 RCX: 0000000000000000
       RDX: 0000000000000000 RSI: ffffffffb9f19478 RDI: ffff88823c734e64
       RBP: ffff88810399f300 R08: 0000000000000000 R09: fffffbfff79eb32a
       R10: ffffffffbcf59957 R11: 0000000000000001 R12: ffff888104068090
       R13: ffffffffbc89f0a0 R14: ffffffffbc8a0f08 R15: 0000000000000078
       FS:  0000000000000000(0000) GS:ffff88823c700000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 0000000000000000 CR3: 00000001f6282001 CR4: 0000000000170ef0
       Call Trace:
        <TASK>
        ? __warn+0xa5/0x200
        ? event_trace_self_tests+0x1c2/0x480
        ? report_bug+0x1f6/0x220
        ? handle_bug+0x6f/0x90
        ? exc_invalid_op+0x17/0x50
        ? asm_exc_invalid_op+0x1a/0x20
        ? tracer_preempt_on+0x78/0x1c0
        ? event_trace_self_tests+0x1c2/0x480
        ? __pfx_event_trace_self_tests_init+0x10/0x10
        event_trace_self_tests_init+0x27/0xe0
        do_one_initcall+0xd6/0x3c0
        ? __pfx_do_one_initcall+0x10/0x10
        ? kasan_set_track+0x25/0x30
        ? rcu_is_watching+0x38/0x60
        kernel_init_freeable+0x324/0x450
        ? __pfx_kernel_init+0x10/0x10
        kernel_init+0x1f/0x1e0
        ? _raw_spin_unlock_irq+0x33/0x50
        ret_from_fork+0x34/0x60
        ? __pfx_kernel_init+0x10/0x10
        ret_from_fork_asm+0x1b/0x30
        </TASK>
      
      This is because the synth_event_gen_test_init() left the synthetic events
      that it created enabled. By having it disable them after testing, the
      other selftests will run fine.
      
      Link: https://lore.kernel.org/linux-trace-kernel/20231220111525.2f0f49b0@gandalf.local.home
      
      Cc: stable@vger.kernel.org
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Tom Zanussi <zanussi@kernel.org>
      Fixes: 9fe41efa ("tracing: Add synth event generation test module")
      Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
      Reported-by: Alexander Graf <graf@amazon.com>
      Tested-by: Alexander Graf <graf@amazon.com>
      Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
    • eventfs: Have event files and directories default to parent uid and gid · 0dfc852b
      Steven Rostedt (Google) authored
      Dongliang reported:
      
        I found that in the latest version, the nodes of tracefs have been
        changed to dynamically created.
      
        This has caused me to encounter a problem where the gid I specified in
        the mounting parameters cannot apply to all files, as in the following
        situation:
      
        /data/tmp/events # mount | grep tracefs
        tracefs on /data/tmp type tracefs (rw,seclabel,relatime,gid=3012)
      
        gid 3012 = readtracefs
      
        /data/tmp # ls -lh
        total 0
        -r--r-----   1 root readtracefs 0 1970-01-01 08:00 README
        -r--r-----   1 root readtracefs 0 1970-01-01 08:00 available_events
      
        ums9621_1h10:/data/tmp/events # ls -lh
        total 0
        drwxr-xr-x 2 root root 0 2023-12-19 00:56 alarmtimer
        drwxr-xr-x 2 root root 0 2023-12-19 00:56 asoc
      
        It will prevent certain applications from accessing tracefs properly, I
        try to avoid this issue by making the following modifications.
      
      To fix this, have the files created default to taking the ownership of
      the parent dentry unless the ownership was previously set by the user.
      
      Link: https://lore.kernel.org/linux-trace-kernel/1703063706-30539-1-git-send-email-dongliang.cui@unisoc.com/
      Link: https://lore.kernel.org/linux-trace-kernel/20231220105017.1489d790@gandalf.local.home
      
      Cc: stable@vger.kernel.org
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Hongyu Jin  <hongyu.jin@unisoc.com>
      Fixes: 28e12c09 ("eventfs: Save ownership and mode")
      Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
      Reported-by: Dongliang Cui <cuidongliang390@gmail.com>
      Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
    • keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry · 39299bdd
      David Howells authored
      If a key has an expiration time, then when that time passes, the key is
      left around for a certain amount of time before being collected (5 mins by
      default) so that EKEYEXPIRED can be returned instead of ENOKEY.  This is a
      problem for DNS keys because we want to redo the DNS lookup immediately at
      that point.
      
      Fix this by allowing key types to be marked such that keys of that type
      don't have this extra period, but are reclaimed as soon as they expire and
      turn this on for dns_resolver-type keys.  To make this easier to handle,
      key->expiry is changed to be permanent if TIME64_MAX rather than 0.
      
      Furthermore, give such new-style negative DNS results a 1s default expiry
      if no other expiry time is set rather than allowing it to stick around
      indefinitely.  This shouldn't be zero as ls will follow a failing stat call
      immediately with a second with AT_SYMLINK_NOFOLLOW added.
      
      Fixes: 1a4240f4 ("DNS: Separate out CIFS DNS Resolver code")
      Signed-off-by: David Howells <dhowells@redhat.com>
      Tested-by: Markus Suvanto <markus.suvanto@gmail.com>
      cc: Wang Lei <wang840925@gmail.com>
      cc: Jeff Layton <jlayton@redhat.com>
      cc: Steve French <smfrench@gmail.com>
      cc: Marc Dionne <marc.dionne@auristor.com>
      cc: Jarkko Sakkinen <jarkko@kernel.org>
      cc: "David S. Miller" <davem@davemloft.net>
      cc: Eric Dumazet <edumazet@google.com>
      cc: Jakub Kicinski <kuba@kernel.org>
      cc: Paolo Abeni <pabeni@redhat.com>
      cc: linux-afs@lists.infradead.org
      cc: linux-cifs@vger.kernel.org
      cc: linux-nfs@vger.kernel.org
      cc: ceph-devel@vger.kernel.org
      cc: keyrings@vger.kernel.org
      cc: netdev@vger.kernel.org
    • Merge tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 74769d81
      Paolo Abeni authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2023-12-21
      
      Hi David, hi Jakub, hi Paolo, hi Eric,
      
      The following pull-request contains BPF updates for your *net* tree.
      
      We've added 3 non-merge commits during the last 5 day(s) which contain
      a total of 4 files changed, 45 insertions(+).
      
      The main changes are:
      
      1) Fix a syzkaller splat which triggered an oob issue in bpf_link_show_fdinfo(),
         from Jiri Olsa.
      
      2) Fix another syzkaller-found issue which triggered a NULL pointer dereference
         in BPF sockmap for unconnected unix sockets, from John Fastabend.
      
      bpf-for-netdev
      
      * tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
        bpf: Add missing BPF_LINK_TYPE invocations
        bpf: sockmap, test for unconnected af_unix sock
        bpf: syzkaller found null ptr deref in unix_bpf proto add
      ====================
      
      Link: https://lore.kernel.org/r/20231221104844.1374-1-daniel@iogearbox.net
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • net: check dev->gso_max_size in gso_features_check() · 24ab059d
      Eric Dumazet authored
      Some drivers might misbehave if TSO packets get too big.
      
      GVE for instance uses a 16bit field in its TX descriptor,
      and will do bad things if a packet is bigger than 2^16 bytes.
      
      Linux TCP stack honors dev->gso_max_size, but there are
      other ways for too big packets to reach an ndo_start_xmit()
      handler : virtio_net, af_packet, GRO...
      
      Add a generic check in gso_features_check() and fallback
      to GSO when needed.
      
      gso_max_size was added in the blamed commit.
      
      Fixes: 82cc1a7a ("[NET]: Add per-connection option to set max TSO frame size")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20231219125331.4127498-1-edumazet@google.com
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • kselftest: rtnetlink.sh: use grep_fail when expecting the cmd fail · b8056f2c
      Hangbin Liu authored
      run_cmd_grep_fail should be used when expecting the cmd fail, or the ret
      will be set to 1, and the total test return 1 when exiting. This would cause
      the result report to fail if run via run_kselftest.sh.
      
      Before fix:
       # ./rtnetlink.sh -t kci_test_addrlft
       PASS: preferred_lft addresses have expired
       # echo $?
       1
      
      After fix:
       # ./rtnetlink.sh -t kci_test_addrlft
       PASS: preferred_lft addresses have expired
       # echo $?
       0
      
      Fixes: 9c2a19f7 ("kselftest: rtnetlink.sh: add verbose flag")
      Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
      Reviewed-by: Simon Horman <horms@kernel.org>
      Link: https://lore.kernel.org/r/20231219065737.1725120-1-liuhangbin@gmail.com
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • net/ipv6: Revert remove expired routes with a separated list of routes · dade3f6a
      David Ahern authored
      This reverts commit 3dec89b1.
      
      The commit has some race conditions given how expires is managed on a
      fib6_info in relation to gc start, adding the entry to the gc list and
      setting the timer value leading to UAF. Revert the commit and try again
      in a later release.
      
      Fixes: 3dec89b1 ("net/ipv6: Remove expired routes with a separated list of routes")
      Cc: Kui-Feng Lee <thinker.li@gmail.com>
      Signed-off-by: David Ahern <dsahern@kernel.org>
      Reviewed-by: Eric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20231219030243.25687-1-dsahern@kernel.org
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · b414020f
      Paolo Abeni authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2023-12-18 (ice)
      
      This series contains updates to ice driver only.
      
      Jake stops clearing of needed aggregator information.
      
      Dave adds a check for LAG device support before initializing the
      associated event handler.
      
      Larysa restores accounting of XDP queues in TC configurations.
      
      * '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue:
        ice: Fix PF with enabled XDP going no-carrier after reset
        ice: alter feature support check for SRIOV and LAG
        ice: stop trashing VF VSI aggregator node ID information
      ====================
      
      Link: https://lore.kernel.org/r/20231218192708.3397702-1-anthony.l.nguyen@intel.com
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • net: avoid build bug in skb extension length calculation · d6e5794b
      Thomas Weißschuh authored
      GCC seems to incorrectly fail to evaluate skb_ext_total_length() at
      compile time under certain conditions.
      
      The issue even occurs if all values in skb_ext_type_len[] are "0",
      ruling out the possibility of an actual overflow.
      
      As the patch has been in mainline since v6.6 without triggering the
      problem it seems to be a very uncommon occurrence.
      
      As the issue only occurs when -fno-tree-loop-im is specified as part of
      CFLAGS_GCOV, disable the BUILD_BUG_ON() only when building with coverage
      reporting enabled.
      Reported-by: kernel test robot <lkp@intel.com>
      Closes: https://lore.kernel.org/oe-kbuild-all/202312171924.4FozI5FG-lkp@intel.com/
      Suggested-by: Arnd Bergmann <arnd@arndb.de>
      Link: https://lore.kernel.org/lkml/487cfd35-fe68-416f-9bfd-6bb417f98304@app.fastmail.com/
      Fixes: 5d21d0a6 ("net: generalize calculation of skb extensions length")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
      Acked-by: Arnd Bergmann <arnd@arndb.de>
      Link: https://lore.kernel.org/r/20231218-net-skbuff-build-bug-v1-1-eefc2fb0a7d3@weissschuh.net
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • net: ethernet: mtk_wed: fix possible NULL pointer dereference in mtk_wed_wo_queue_tx_clean() · 7cb8cd4d
      Lorenzo Bianconi authored
      In order to avoid a NULL pointer dereference, check entry->buf pointer before running
      skb_free_frag in mtk_wed_wo_queue_tx_clean routine.
      
      Fixes: 79968444 ("net: ethernet: mtk_wed: introduce wed wo support")
      Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
      Reviewed-by: Simon Horman <horms@kernel.org>
      Link: https://lore.kernel.org/r/3c1262464d215faa8acebfc08869798c81c96f4a.1702827359.git.lorenzo@kernel.org
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • posix-timers: Get rid of [COMPAT_]SYS_NI() uses · a4aebe93
      Linus Torvalds authored
      Only the posix timer system calls use this (when the posix timer support
      is disabled, which does not actually happen in any normal case), because
      they had debug code to print out a warning about missing system calls.
      
      Get rid of that special case, and just use the standard COND_SYSCALL
      interface that creates weak system call stubs that return -ENOSYS for
      when the system call does not exist.
      
      This fixes a kCFI issue with the SYS_NI() hackery:
      
        CFI failure at int80_emulation+0x67/0xb0 (target: sys_ni_posix_timers+0x0/0x70; expected type: 0xb02b34d9)
        WARNING: CPU: 0 PID: 48 at int80_emulation+0x67/0xb0
      Reported-by: kernel test robot <oliver.sang@intel.com>
      Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
      Tested-by: Sami Tolvanen <samitolvanen@google.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge tag '6.7-rc6-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6 · eee7f5b4
      Linus Torvalds authored
      Pull smb client fixes from Steve French:
      
       - two multichannel reconnect fixes, one fixing an important refcounting
         problem that can lead to umount problems
      
       - atime fix
      
       - five fixes for various potential OOB accesses, including a CVE fix,
         and two additional fixes for problems pointed out by Robert Morris's
         fuzzing investigation
      
      * tag '6.7-rc6-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6:
        cifs: do not let cifs_chan_update_iface deallocate channels
        cifs: fix a pending undercount of srv_count
        fs: cifs: Fix atime update check
        smb: client: fix potential OOB in smb2_dump_detail()
        smb: client: fix potential OOB in cifs_dump_detail()
        smb: client: fix OOB in smbCalcSize()
        smb: client: fix OOB in SMB2_query_info_init()
        smb: client: fix OOB in cifsd when receiving compounded resps
    • Merge tag 's390-6.7-4' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 1bf5c892
      Linus Torvalds authored
      Pull s390 fixes from Alexander Gordeev:
      
       - Fix virtual vs physical address confusion in Storage Class Memory
         (SCM) block device driver.
      
       - Fix saving and restoring of FPU kernel context, which could lead to
         corruption of vector registers 8-15
      
       - Update defconfigs
      
      * tag 's390-6.7-4' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390: update defconfigs
        s390/vx: fix save/restore of fpu kernel context
        s390/scm: fix virtual vs physical address confusion
    • Merge tag 'soc-fixes-6.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc · 87c71dd6
      Linus Torvalds authored
      Pull ARM SoC fixes from Arnd Bergmann:
       "There are only a handful of bugfixes this time, which feels almost too
        small, so I hope we are not missing something important.
      
         - One more mediatek dts warning fix after the previous larger set,
           this should finally result in a clean defconfig build.
      
         - TI OMAP dts fixes for a spurious hang on am335x and invalid data on
           DTA7
      
         - One DTS fix for ethernet on Orange Pi Zero (Allwinner H616)
      
         - A regression fix for ti-sysc interconnect target module driver to
           not access registers after reset if srst_udelay quirk is needed
      
         - Reset controller driver fixes for a crash during error handling and
           a build warning"
      
      * tag 'soc-fixes-6.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc:
        arm64: dts: mediatek: mt8395-genio-1200-evk: add interrupt-parent for mt6360
        ARM: dts: Fix occasional boot hang for am3 usb
        reset: Fix crash when freeing non-existent optional resets
        ARM: OMAP2+: Fix null pointer dereference and memory leak in omap_soc_device_init
        ARM: dts: dra7: Fix DRA7 L3 NoC node register size
        bus: ti-sysc: Flush posted write only after srst_udelay
        reset: hisilicon: hi6220: fix Wvoid-pointer-to-enum-cast warning
        arm64: dts: allwinner: h616: update emac for Orange Pi Zero 3
  2. 20 Dec, 2023 14 commits
  3. 19 Dec, 2023 6 commits
    • Merge tag 'trace-v6.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace · 55cb5f43
      Linus Torvalds authored
      Pull tracing fix from Steven Rostedt:
       "While working on the ring buffer, I found one more bug with the
        timestamp code, and the fix for this removed the need for the final
        64-bit cmpxchg!
      
        The ring buffer events hold a "delta" from the previous event. If it
        is determined that the delta can not be calculated, it falls back to
        adding an absolute timestamp value. The way to know if the delta can
        be used is via two stored timestamps in the per-cpu buffer meta data:
      
         before_stamp and write_stamp
      
        The before_stamp is written by every event before it tries to allocate
        its space on the ring buffer. The write_stamp is written after it
        allocates its space and knows that nothing came in after it read the
        previous before_stamp and write_stamp and the two matched.
      
        A previous fix dd939425 ("ring-buffer: Do not try to put back
        write_stamp") removed putting back the write_stamp to match the
        before_stamp so that the next event could use the delta, but races
        were found where the two would match, but not be for the previous
        event.
      
        It was determined to allow the event reservation to not have a valid
        write_stamp when it is finished, and this fixed a lot of races.
      
        The last use of the 64-bit timestamp cmpxchg depended on the
        write_stamp being valid after an interruption. But this is no longer
        the case, as if an event is interrupted by a softirq that writes an
        event, and that event gets interrupted by a hardirq or NMI and that
        writes an event, then the softirq could finish its reservation without
        a valid write_stamp.
      
        In the slow path of the event reservation, a delta can still be used
        if the write_stamp is valid. Instead of using a cmpxchg against the
        write stamp, the before_stamp needs to be read again to validate the
        write_stamp. The cmpxchg is not needed.
      
        This updates the slowpath to validate the write_stamp by comparing it
        to the before_stamp and removes all rb_time_cmpxchg() as there are no
        more users of that function.
      
        The removal of the 32-bit updates of rb_time_t will be done in the
        next merge window"
      
      * tag 'trace-v6.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
        ring-buffer: Fix slowpath of interrupted event
      55cb5f43
    • Linus Torvalds's avatar
      Merge tag 'arc-6.7-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc · 9c749e61
      Linus Torvalds authored
      Pull ARC fixes from Vineet Gupta:
      
       - build error for hugetlb, sparse and smatch fixes
      
       - removal of VIPT aliasing cache code
      
      * tag 'arc-6.7-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc:
        ARC: add hugetlb definitions
        ARC: fix smatch warning
        ARC: fix spare error
        ARC: mm: retire support for aliasing VIPT D$
        ARC: entry: move ARCompact specific bits out of entry.h
        ARC: entry: SAVE_ABI_CALLEE_REG: ISA/ABI specific helper
      9c749e61
    • Shyam Prasad N's avatar
      cifs: do not let cifs_chan_update_iface deallocate channels · 12d1e301
      Shyam Prasad N authored
      cifs_chan_update_iface is meant to check and update the server
      interface used for a channel when the existing server interface
      is no longer available.
      
      So far, this handler had the code to remove an interface entry
      even if a new candidate interface is not available. Allowing
      this leads to several corner cases to handle.
      
      This change makes the logic much simpler by not deallocating
      the current channel interface entry if a new interface is not
      found to replace it with.
      Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
      Signed-off-by: Steve French <stfrench@microsoft.com>
      12d1e301
    • Shyam Prasad N's avatar
      cifs: fix a pending undercount of srv_count · f30bbc38
      Shyam Prasad N authored
      The following commit reverted the changes to ref count
      the server struct while scheduling a reconnect work:
      82334252 Revert "cifs: reconnect work should have reference on server struct"
      
      However, a following change also introduced scheduling
      of reconnect work, and assumed ref counting. This change
      fixes that as well.
      
      Fixes umount problems like:
      
      [73496.157838] CPU: 5 PID: 1321389 Comm: umount Tainted: G        W  OE      6.7.0-060700rc6-generic #202312172332
      [73496.157841] Hardware name: LENOVO 20MAS08500/20MAS08500, BIOS N2CET67W (1.50 ) 12/15/2022
      [73496.157843] RIP: 0010:cifs_put_tcp_session+0x17d/0x190 [cifs]
      [73496.157929] Call Trace:
      [73496.157931]  <TASK>
      [73496.157933]  ? show_regs+0x6d/0x80
      [73496.157936]  ? __warn+0x89/0x160
      [73496.157939]  ? cifs_put_tcp_session+0x17d/0x190 [cifs]
      [73496.157976]  ? report_bug+0x17e/0x1b0
      [73496.157980]  ? handle_bug+0x51/0xa0
      [73496.157983]  ? exc_invalid_op+0x18/0x80
      [73496.157985]  ? asm_exc_invalid_op+0x1b/0x20
      [73496.157989]  ? cifs_put_tcp_session+0x17d/0x190 [cifs]
      [73496.158023]  ? cifs_put_tcp_session+0x1e/0x190 [cifs]
      [73496.158057]  __cifs_put_smb_ses+0x2b5/0x540 [cifs]
      [73496.158090]  ? tconInfoFree+0xc2/0x120 [cifs]
      [73496.158130]  cifs_put_tcon.part.0+0x108/0x2b0 [cifs]
      [73496.158173]  cifs_put_tlink+0x49/0x90 [cifs]
      [73496.158220]  cifs_umount+0x56/0xb0 [cifs]
      [73496.158258]  cifs_kill_sb+0x52/0x60 [cifs]
      [73496.158306]  deactivate_locked_super+0x32/0xc0
      [73496.158309]  deactivate_super+0x46/0x60
      [73496.158311]  cleanup_mnt+0xc3/0x170
      [73496.158314]  __cleanup_mnt+0x12/0x20
      [73496.158330]  task_work_run+0x5e/0xa0
      [73496.158333]  exit_to_user_mode_loop+0x105/0x130
      [73496.158336]  exit_to_user_mode_prepare+0xa5/0xb0
      [73496.158338]  syscall_exit_to_user_mode+0x29/0x60
      [73496.158341]  do_syscall_64+0x6c/0xf0
      [73496.158344]  ? syscall_exit_to_user_mode+0x37/0x60
      [73496.158346]  ? do_syscall_64+0x6c/0xf0
      [73496.158349]  ? exit_to_user_mode_prepare+0x30/0xb0
      [73496.158353]  ? syscall_exit_to_user_mode+0x37/0x60
      [73496.158355]  ? do_syscall_64+0x6c/0xf0
      Reported-by: Robert Morris <rtm@csail.mit.edu>
      Fixes: 705fc522 ("cifs: handle when server starts supporting multichannel")
      Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
      Signed-off-by: Steve French <stfrench@microsoft.com>
      f30bbc38