1. 10 May, 2024 6 commits
  2. 09 May, 2024 4 commits
  3. 08 May, 2024 6 commits
  4. 07 May, 2024 2 commits
  5. 06 May, 2024 2 commits
  6. 05 May, 2024 13 commits
    • Linus Torvalds's avatar
      Linux 6.9-rc7 · dd5a440a
      Linus Torvalds authored
      dd5a440a
    • Linus Torvalds's avatar
      epoll: be better about file lifetimes · 4efaa5ac
      Linus Torvalds authored
      epoll can call out to vfs_poll() with a file pointer that may race with
      the last 'fput()'. That would make f_count go down to zero, and while
      the ep->mtx locking means that the resulting file pointer tear-down will
      be blocked until the poll returns, it means that f_count is already
      dead, and any use of it won't actually get a reference to the file any
      more: it's dead regardless.
      
      Make sure we have a valid ref on the file pointer before we call down to
      vfs_poll() from the epoll routines.
      
      Link: https://lore.kernel.org/lkml/0000000000002d631f0615918f1e@google.com/
      Reported-by: syzbot+045b454ab35fd82a35fb@syzkaller.appspotmail.com
      Reviewed-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      4efaa5ac
    • Linus Torvalds's avatar
      Merge tag 'edac_urgent_for_v6.9_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/ras/ras · f462ae0e
      Linus Torvalds authored
      Pull EDAC fixes from Borislav Petkov:
      
       - Fix error logging and check user-supplied data when injecting an
         error in the versal EDAC driver
      
      * tag 'edac_urgent_for_v6.9_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/ras/ras:
        EDAC/versal: Do not log total error counts
        EDAC/versal: Check user-supplied data before injecting an error
        EDAC/versal: Do not register for NOC errors
      f462ae0e
    • Linus Torvalds's avatar
      Merge tag 'powerpc-6.9-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · ef095257
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
      
       - Fix incorrect delay handling in the plpks (keystore) code
      
       - Fix a panic when an LPAR boots with a frozen PE
      
      Thanks to Andrew Donnellan, Gaurav Batra, Nageswara R Sastry, and Nayna
      Jain.
      
      * tag 'powerpc-6.9-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/pseries/iommu: LPAR panics during boot up with a frozen PE
        powerpc/pseries: make max polling consistent for longer H_CALLs
      ef095257
    • Linus Torvalds's avatar
      Merge tag 'x86-urgent-2024-05-05' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · d099637d
      Linus Torvalds authored
      Pull misc x86 fixes from Ingo Molnar:
      
       - Remove the broken vsyscall emulation code from
         the page fault code
      
       - Fix kexec crash triggered by certain SEV RMP
         table layouts
      
       - Fix unchecked MSR access error when disabling
         the x2APIC via iommu=off
      
      * tag 'x86-urgent-2024-05-05' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/mm: Remove broken vsyscall emulation code from the page fault code
        x86/apic: Don't access the APIC when disabling x2APIC
        x86/sev: Add callback to apply RMP table fixups for kexec
        x86/e820: Add a new e820 table update helper
      d099637d
    • Linus Torvalds's avatar
      Merge tag 'irq-urgent-2024-05-05' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 80f8b450
      Linus Torvalds authored
      Pull irq fix from Ingo Molnar:
       "Fix suspicious RCU usage in __do_softirq()"
      
      * tag 'irq-urgent-2024-05-05' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        softirq: Fix suspicious RCU usage in __do_softirq()
      80f8b450
    • Linus Torvalds's avatar
      Merge tag 'char-misc-6.9-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · b9158815
      Linus Torvalds authored
      Pull char/misc driver fixes from Greg KH:
       "Here are some small char/misc/other driver fixes and new device ids
        for 6.9-rc7 that resolve some reported problems.
      
        Included in here are:
      
         - iio driver fixes
      
         - mei driver fix and new device ids
      
         - dyndbg bugfix
      
         - pvpanic-pci driver bugfix
      
         - slimbus driver bugfix
      
         - fpga new device id
      
        All have been in linux-next with no reported problems"
      
      * tag 'char-misc-6.9-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        slimbus: qcom-ngd-ctrl: Add timeout for wait operation
        dyndbg: fix old BUG_ON in >control parser
        misc/pvpanic-pci: register attributes via pci_driver
        fpga: dfl-pci: add PCI subdevice ID for Intel D5005 card
        mei: me: add lunar lake point M DID
        mei: pxp: match against PCI_CLASS_DISPLAY_OTHER
        iio:imu: adis16475: Fix sync mode setting
        iio: accel: mxc4005: Reset chip on probe() and resume()
        iio: accel: mxc4005: Interrupt handling fixes
        dt-bindings: iio: health: maxim,max30102: fix compatible check
        iio: pressure: Fixes SPI support for BMP3xx devices
        iio: pressure: Fixes BME280 SPI driver data
      b9158815
    • Linus Torvalds's avatar
      Merge tag 'usb-6.9-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 3c152370
      Linus Torvalds authored
      Pull USB driver fixes from Greg KH:
       "Here are some small USB driver fixes for reported problems for
        6.9-rc7. Included in here are:
      
         - usb core fixes for found issues
      
         - typec driver fixes for reported problems
      
         - usb gadget driver fixes for reported problems
      
         - xhci build fixes
      
         - dwc3 driver fixes for reported issues
      
        All of these have been in linux-next this past week with no reported
        problems"
      
      * tag 'usb-6.9-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        usb: typec: tcpm: Check for port partner validity before consuming it
        usb: typec: tcpm: enforce ready state when queueing alt mode vdm
        usb: typec: tcpm: unregister existing source caps before re-registration
        usb: typec: tcpm: clear pd_event queue in PORT_RESET
        usb: typec: tcpm: queue correct sop type in tcpm_queue_vdm_unlocked
        usb: Fix regression caused by invalid ep0 maxpacket in virtual SuperSpeed device
        usb: ohci: Prevent missed ohci interrupts
        usb: typec: qcom-pmic: fix pdphy start() error handling
        usb: typec: qcom-pmic: fix use-after-free on late probe errors
        usb: gadget: f_fs: Fix a race condition when processing setup packets.
        USB: core: Fix access violation during port device removal
        usb: dwc3: core: Prevent phy suspend during init
        usb: xhci-plat: Don't include xhci.h
        usb: gadget: uvc: use correct buffer size when parsing configfs lists
        usb: gadget: composite: fix OS descriptors w_value logic
        usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete
      3c152370
    • Linus Torvalds's avatar
      Merge tag 'input-for-v6.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · 3f1d0865
      Linus Torvalds authored
      Pull input fixes from Dmitry Torokhov:
      
       - a new ID for ASUS ROG RAIKIRI controllers added to xpad driver
      
       - amimouse driver structure annotated with __refdata to prevent section
         mismatch warnings.
      
      * tag 'input-for-v6.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: amimouse - mark driver struct with __refdata to prevent section mismatch
        Input: xpad - add support for ASUS ROG RAIKIRI
      3f1d0865
    • Linus Torvalds's avatar
      Merge tag 'probes-fixes-v6.9-rc6' of... · 2c17a1cd
      Linus Torvalds authored
      Merge tag 'probes-fixes-v6.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace
      
      Pull probes fix from Masami Hiramatsu:
      
       - probe-events: Fix memory leak in parsing probe argument.
      
         There is a memory leak (forget to free an allocated buffer) in a
         memory allocation failure path. Fix it to jump to the correct error
         handling code.
      
      * tag 'probes-fixes-v6.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
        tracing/probes: Fix memory leak in traceprobe_parse_probe_arg_body()
      2c17a1cd
    • Linus Torvalds's avatar
      Merge tag 'trace-v6.9-rc6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace · e92b99ae
      Linus Torvalds authored
      Pull tracing and tracefs fixes from Steven Rostedt:
      
       - Fix RCU callback of freeing an eventfs_inode.
      
         The freeing of the eventfs_inode from the kref going to zero freed
         the contents of the eventfs_inode and then used kfree_rcu() to free
         the inode itself. But the contents should also be protected by RCU.
         Switch to a call_rcu() that calls a function to free all of the
         eventfs_inode after the RCU synchronization.
      
       - The tracing subsystem maps its own descriptor to a file represented
         by eventfs. The freeing of this descriptor needs to know when the
         last reference of an eventfs_inode is released, but currently there
         is no interface for that.
      
         Add a "release" callback to the eventfs_inode entry array that allows
         for freeing of data that can be referenced by the eventfs_inode being
         opened. Then increment the ref counter for this descriptor when the
         eventfs_inode file is created, and decrement/free it when the last
         reference to the eventfs_inode is released and the file is removed.
         This prevents races between freeing the descriptor and the opening of
         the eventfs file.
      
       - Fix the permission processing of eventfs.
      
         The change to make the permissions of eventfs default to the mount
         point but keep track of when changes were made had a side effect that
         could cause security concerns. When the tracefs is remounted with a
         given gid or uid, all the files within it should inherit that gid or
         uid. But if the admin had changed the permission of some file within
         the tracefs file system, it would not get updated by the remount.
      
         This caused the kselftest of file permissions to fail the second time
         it is run. The first time, all changes would look fine, but the
         second time, because the changes were "saved", the remount did not
         reset them.
      
         Create a link list of all existing tracefs inodes, and clear the
         saved flags on them on a remount if the remount changes the
         corresponding gid or uid fields.
      
         This also simplifies the code by removing the distinction between the
         toplevel eventfs and an instance eventfs. They should both act the
         same. They were different because of a misconception due to the
         remount not resetting the flags. Now that remount resets all the
         files and directories to default to the root node if a uid/gid is
         specified, it makes the logic simpler to implement.
      
      * tag 'trace-v6.9-rc6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
        eventfs: Have "events" directory get permissions from its parent
        eventfs: Do not treat events directory different than other directories
        eventfs: Do not differentiate the toplevel events directory
        tracefs: Still use mount point as default permissions for instances
        tracefs: Reset permissions on remount if permissions are options
        eventfs: Free all of the eventfs_inode after RCU
        eventfs/tracing: Add callback for release of an eventfs_inode
      e92b99ae
    • Linus Torvalds's avatar
      Merge tag 'dma-mapping-6.9-2024-05-04' of git://git.infradead.org/users/hch/dma-mapping · 4fbcf585
      Linus Torvalds authored
      Pull dma-mapping fix from Christoph Hellwig:
      
       - fix the combination of restricted pools and dynamic swiotlb
         (Will Deacon)
      
      * tag 'dma-mapping-6.9-2024-05-04' of git://git.infradead.org/users/hch/dma-mapping:
        swiotlb: initialise restricted pool list_head when SWIOTLB_DYNAMIC=y
      4fbcf585
    • Linus Torvalds's avatar
      Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · 61ccc8c3
      Linus Torvalds authored
      Pull clk fixes from Stephen Boyd:
       "A handful of clk driver fixes:
      
         - Avoid a deadlock in the Qualcomm clk driver by making the regulator
           which supplies the GDSC optional
      
         - Restore RPM clks on Qualcomm msm8976 by setting num_clks
      
         - Fix Allwinner H6 CPU rate changing logic to avoid system crashes by
           temporarily reparenting the CPU clk to something that isn't being
           changed
      
         - Set a MIPI PLL min/max rate on Allwinner A64 to fix blank screens
           on some devices
      
         - Revert back to of_match_device() in the Samsung clkout driver to
           get the match data based on the parent device's compatible string"
      
      * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
        clk: samsung: Revert "clk: Use device_get_match_data()"
        clk: sunxi-ng: a64: Set minimum and maximum rate for PLL-MIPI
        clk: sunxi-ng: common: Support minimum and maximum rate
        clk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change
        clk: qcom: smd-rpm: Restore msm8976 num_clk
        clk: qcom: gdsc: treat optional supplies as optional
      61ccc8c3
  7. 04 May, 2024 7 commits
    • Steven Rostedt (Google)'s avatar
      eventfs: Have "events" directory get permissions from its parent · d57cf30c
      Steven Rostedt (Google) authored
      The events directory gets its permissions from the root inode. But this
      can cause an inconsistency if the instances directory changes its
      permissions, as the permissions of the created directories under it should
      inherit the permissions of the instances directory when directories under
      it are created.
      
      Currently the behavior is:
      
       # cd /sys/kernel/tracing
       # chgrp 1002 instances
       # mkdir instances/foo
       # ls -l instances/foo
      [..]
       -r--r-----  1 root lkp  0 May  1 18:55 buffer_total_size_kb
       -rw-r-----  1 root lkp  0 May  1 18:55 current_tracer
       -rw-r-----  1 root lkp  0 May  1 18:55 error_log
       drwxr-xr-x  1 root root 0 May  1 18:55 events
       --w-------  1 root lkp  0 May  1 18:55 free_buffer
       drwxr-x---  2 root lkp  0 May  1 18:55 options
       drwxr-x--- 10 root lkp  0 May  1 18:55 per_cpu
       -rw-r-----  1 root lkp  0 May  1 18:55 set_event
      
      All the files and directories under "foo" has the "lkp" group except the
      "events" directory. That's because its getting its default value from the
      mount point instead of its parent.
      
      Have the "events" directory make its default value based on its parent's
      permissions. That now gives:
      
       # ls -l instances/foo
      [..]
       -rw-r-----  1 root lkp 0 May  1 21:16 buffer_subbuf_size_kb
       -r--r-----  1 root lkp 0 May  1 21:16 buffer_total_size_kb
       -rw-r-----  1 root lkp 0 May  1 21:16 current_tracer
       -rw-r-----  1 root lkp 0 May  1 21:16 error_log
       drwxr-xr-x  1 root lkp 0 May  1 21:16 events
       --w-------  1 root lkp 0 May  1 21:16 free_buffer
       drwxr-x---  2 root lkp 0 May  1 21:16 options
       drwxr-x--- 10 root lkp 0 May  1 21:16 per_cpu
       -rw-r-----  1 root lkp 0 May  1 21:16 set_event
      
      Link: https://lore.kernel.org/linux-trace-kernel/20240502200906.161887248@goodmis.org
      
      Cc: stable@vger.kernel.org
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Fixes: 8186fff7 ("tracefs/eventfs: Use root and instance inodes as default ownership")
      Signed-off-by: default avatarSteven Rostedt (Google) <rostedt@goodmis.org>
      d57cf30c
    • Steven Rostedt (Google)'s avatar
      eventfs: Do not treat events directory different than other directories · 22e61e15
      Steven Rostedt (Google) authored
      Treat the events directory the same as other directories when it comes to
      permissions. The events directory was considered different because it's
      dentry is persistent, whereas the other directory dentries are created
      when accessed. But the way tracefs now does its ownership by using the
      root dentry's permissions as the default permissions, the events directory
      can get out of sync when a remount is performed setting the group and user
      permissions.
      
      Remove the special case for the events directory on setting the
      attributes. This allows the updates caused by remount to work properly as
      well as simplifies the code.
      
      Link: https://lore.kernel.org/linux-trace-kernel/20240502200906.002923579@goodmis.org
      
      Cc: stable@vger.kernel.org
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Fixes: 8186fff7 ("tracefs/eventfs: Use root and instance inodes as default ownership")
      Signed-off-by: default avatarSteven Rostedt (Google) <rostedt@goodmis.org>
      22e61e15
    • Steven Rostedt (Google)'s avatar
      eventfs: Do not differentiate the toplevel events directory · d53891d3
      Steven Rostedt (Google) authored
      The toplevel events directory is really no different than the events
      directory of instances. Having the two be different caused
      inconsistencies and made it harder to fix the permissions bugs.
      
      Make all events directories act the same.
      
      Link: https://lore.kernel.org/linux-trace-kernel/20240502200905.846448710@goodmis.org
      
      Cc: stable@vger.kernel.org
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Fixes: 8186fff7 ("tracefs/eventfs: Use root and instance inodes as default ownership")
      Signed-off-by: default avatarSteven Rostedt (Google) <rostedt@goodmis.org>
      d53891d3
    • Steven Rostedt (Google)'s avatar
      tracefs: Still use mount point as default permissions for instances · 6599bd55
      Steven Rostedt (Google) authored
      If the instances directory's permissions were never change, then have it
      and its children use the mount point permissions as the default.
      
      Currently, the permissions of instance directories are determined by the
      instance directory's permissions itself. But if the tracefs file system is
      remounted and changes the permissions, the instance directory and its
      children should use the new permission.
      
      But because both the instance directory and its children use the instance
      directory's inode for permissions, it misses the update.
      
      To demonstrate this:
      
        # cd /sys/kernel/tracing/
        # mkdir instances/foo
        # ls -ld instances/foo
       drwxr-x--- 5 root root 0 May  1 19:07 instances/foo
        # ls -ld instances
       drwxr-x--- 3 root root 0 May  1 18:57 instances
        # ls -ld current_tracer
       -rw-r----- 1 root root 0 May  1 18:57 current_tracer
      
        # mount -o remount,gid=1002 .
        # ls -ld instances
       drwxr-x--- 3 root root 0 May  1 18:57 instances
        # ls -ld instances/foo/
       drwxr-x--- 5 root root 0 May  1 19:07 instances/foo/
        # ls -ld current_tracer
       -rw-r----- 1 root lkp 0 May  1 18:57 current_tracer
      
      Notice that changing the group id to that of "lkp" did not affect the
      instances directory nor its children. It should have been:
      
        # ls -ld current_tracer
       -rw-r----- 1 root root 0 May  1 19:19 current_tracer
        # ls -ld instances/foo/
       drwxr-x--- 5 root root 0 May  1 19:25 instances/foo/
        # ls -ld instances
       drwxr-x--- 3 root root 0 May  1 19:19 instances
      
        # mount -o remount,gid=1002 .
        # ls -ld current_tracer
       -rw-r----- 1 root lkp 0 May  1 19:19 current_tracer
        # ls -ld instances
       drwxr-x--- 3 root lkp 0 May  1 19:19 instances
        # ls -ld instances/foo/
       drwxr-x--- 5 root lkp 0 May  1 19:25 instances/foo/
      
      Where all files were updated by the remount gid update.
      
      Link: https://lore.kernel.org/linux-trace-kernel/20240502200905.686838327@goodmis.org
      
      Cc: stable@vger.kernel.org
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Fixes: 8186fff7 ("tracefs/eventfs: Use root and instance inodes as default ownership")
      Signed-off-by: default avatarSteven Rostedt (Google) <rostedt@goodmis.org>
      6599bd55
    • Steven Rostedt (Google)'s avatar
      tracefs: Reset permissions on remount if permissions are options · baa23a8d
      Steven Rostedt (Google) authored
      There's an inconsistency with the way permissions are handled in tracefs.
      Because the permissions are generated when accessed, they default to the
      root inode's permission if they were never set by the user. If the user
      sets the permissions, then a flag is set and the permissions are saved via
      the inode (for tracefs files) or an internal attribute field (for
      eventfs).
      
      But if a remount happens that specify the permissions, all the files that
      were not changed by the user gets updated, but the ones that were are not.
      If the user were to remount the file system with a given permission, then
      all files and directories within that file system should be updated.
      
      This can cause security issues if a file's permission was updated but the
      admin forgot about it. They could incorrectly think that remounting with
      permissions set would update all files, but miss some.
      
      For example:
      
       # cd /sys/kernel/tracing
       # chgrp 1002 current_tracer
       # ls -l
      [..]
       -rw-r-----  1 root root 0 May  1 21:25 buffer_size_kb
       -rw-r-----  1 root root 0 May  1 21:25 buffer_subbuf_size_kb
       -r--r-----  1 root root 0 May  1 21:25 buffer_total_size_kb
       -rw-r-----  1 root lkp  0 May  1 21:25 current_tracer
       -rw-r-----  1 root root 0 May  1 21:25 dynamic_events
       -r--r-----  1 root root 0 May  1 21:25 dyn_ftrace_total_info
       -r--r-----  1 root root 0 May  1 21:25 enabled_functions
      
      Where current_tracer now has group "lkp".
      
       # mount -o remount,gid=1001 .
       # ls -l
       -rw-r-----  1 root tracing 0 May  1 21:25 buffer_size_kb
       -rw-r-----  1 root tracing 0 May  1 21:25 buffer_subbuf_size_kb
       -r--r-----  1 root tracing 0 May  1 21:25 buffer_total_size_kb
       -rw-r-----  1 root lkp     0 May  1 21:25 current_tracer
       -rw-r-----  1 root tracing 0 May  1 21:25 dynamic_events
       -r--r-----  1 root tracing 0 May  1 21:25 dyn_ftrace_total_info
       -r--r-----  1 root tracing 0 May  1 21:25 enabled_functions
      
      Everything changed but the "current_tracer".
      
      Add a new link list that keeps track of all the tracefs_inodes which has
      the permission flags that tell if the file/dir should use the root inode's
      permission or not. Then on remount, clear all the flags so that the
      default behavior of using the root inode's permission is done for all
      files and directories.
      
      Link: https://lore.kernel.org/linux-trace-kernel/20240502200905.529542160@goodmis.org
      
      Cc: stable@vger.kernel.org
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Fixes: 8186fff7 ("tracefs/eventfs: Use root and instance inodes as default ownership")
      Signed-off-by: default avatarSteven Rostedt (Google) <rostedt@goodmis.org>
      baa23a8d
    • Steven Rostedt (Google)'s avatar
      eventfs: Free all of the eventfs_inode after RCU · ee4e0379
      Steven Rostedt (Google) authored
      The freeing of eventfs_inode via a kfree_rcu() callback. But the content
      of the eventfs_inode was being freed after the last kref. This is
      dangerous, as changes are being made that can access the content of an
      eventfs_inode from an RCU loop.
      
      Instead of using kfree_rcu() use call_rcu() that calls a function to do
      all the freeing of the eventfs_inode after a RCU grace period has expired.
      
      Link: https://lore.kernel.org/linux-trace-kernel/20240502200905.370261163@goodmis.org
      
      Cc: stable@vger.kernel.org
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Fixes: 43aa6f97 ("eventfs: Get rid of dentry pointers without refcounts")
      Signed-off-by: default avatarSteven Rostedt (Google) <rostedt@goodmis.org>
      ee4e0379
    • Steven Rostedt (Google)'s avatar
      eventfs/tracing: Add callback for release of an eventfs_inode · b63db58e
      Steven Rostedt (Google) authored
      Synthetic events create and destroy tracefs files when they are created
      and removed. The tracing subsystem has its own file descriptor
      representing the state of the events attached to the tracefs files.
      There's a race between the eventfs files and this file descriptor of the
      tracing system where the following can cause an issue:
      
      With two scripts 'A' and 'B' doing:
      
        Script 'A':
          echo "hello int aaa" > /sys/kernel/tracing/synthetic_events
          while :
          do
            echo 0 > /sys/kernel/tracing/events/synthetic/hello/enable
          done
      
        Script 'B':
          echo > /sys/kernel/tracing/synthetic_events
      
      Script 'A' creates a synthetic event "hello" and then just writes zero
      into its enable file.
      
      Script 'B' removes all synthetic events (including the newly created
      "hello" event).
      
      What happens is that the opening of the "enable" file has:
      
       {
      	struct trace_event_file *file = inode->i_private;
      	int ret;
      
      	ret = tracing_check_open_get_tr(file->tr);
       [..]
      
      But deleting the events frees the "file" descriptor, and a "use after
      free" happens with the dereference at "file->tr".
      
      The file descriptor does have a reference counter, but there needs to be a
      way to decrement it from the eventfs when the eventfs_inode is removed
      that represents this file descriptor.
      
      Add an optional "release" callback to the eventfs_entry array structure,
      that gets called when the eventfs file is about to be removed. This allows
      for the creating on the eventfs file to increment the tracing file
      descriptor ref counter. When the eventfs file is deleted, it can call the
      release function that will call the put function for the tracing file
      descriptor.
      
      This will protect the tracing file from being freed while a eventfs file
      that references it is being opened.
      
      Link: https://lore.kernel.org/linux-trace-kernel/20240426073410.17154-1-Tze-nan.Wu@mediatek.com/
      Link: https://lore.kernel.org/linux-trace-kernel/20240502090315.448cba46@gandalf.local.home
      
      Cc: stable@vger.kernel.org
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Fixes: 5790b1fb ("eventfs: Remove eventfs_file and just use eventfs_inode")
      Reported-by: default avatarTze-nan wu <Tze-nan.Wu@mediatek.com>
      Tested-by: default avatarTze-nan Wu (吳澤南) <Tze-nan.Wu@mediatek.com>
      Signed-off-by: default avatarSteven Rostedt (Google) <rostedt@goodmis.org>
      b63db58e