1. 17 Dec, 2023 7 commits
  2. 16 Dec, 2023 3 commits
    • Merge tag 'trace-v6.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace · 3b8a9b2e
      Linus Torvalds authored
      Pull tracing fixes from Steven Rostedt:
      
       - Fix eventfs to check creating new files for events with names greater
         than NAME_MAX. The eventfs lookup needs to check the return result of
         simple_lookup().
      
       - Fix the ring buffer to check the proper max data size. Events must be
         able to fit on the ring buffer sub-buffer, if it cannot, then it
         fails to be written and the logic to add the event is avoided. The
         code to check if an event can fit failed to add the possible absolute
         timestamp which may make the event not be able to fit. This causes
         the ring buffer to go into an infinite loop trying to find a
         sub-buffer that would fit the event. Luckily, there's a check that
         will bail out if it looped over a 1000 times and it also warns.
      
         The real fix is not to add the absolute timestamp to an event that is
         starting at the beginning of a sub-buffer because it uses the
         sub-buffer timestamp.
      
         By avoiding the timestamp at the start of the sub-buffer allows
         events that pass the first check to always find a sub-buffer that it
         can fit on.
      
       - Have large events that do not fit on a trace_seq to print "LINE TOO
         BIG" like it does for the trace_pipe instead of what it does now
         which is to silently drop the output.
      
       - Fix a memory leak of forgetting to free the spare page that is saved
         by a trace instance.
      
       - Update the size of the snapshot buffer when the main buffer is
         updated if the snapshot buffer is allocated.
      
       - Fix ring buffer timestamp logic by removing all the places that tried
         to put the before_stamp back to the write stamp so that the next
         event doesn't add an absolute timestamp. But each of these updates
         added a race where by making the two timestamp equal, it was
         validating the write_stamp so that it can be incorrectly used for
         calculating the delta of an event.
      
       - There's a temp buffer used for printing the event that was using the
         event data size for allocation when it needed to use the size of the
         entire event (meta-data and payload data)
      
       - For hardening, use "%.*s" for printing the trace_marker output, to
         limit the amount that is printed by the size of the event. This was
         discovered by development that added a bug that truncated the '\0'
         and caused a crash.
      
       - Fix a use-after-free bug in the use of the histogram files when an
         instance is being removed.
      
       - Remove a useless update in the rb_try_to_discard of the write_stamp.
         The before_stamp was already changed to force the next event to add
         an absolute timestamp that the write_stamp is not used. But the
         write_stamp is modified again using an unneeded 64-bit cmpxchg.
      
       - Fix several races in the 32-bit implementation of the
         rb_time_cmpxchg() that does a 64-bit cmpxchg.
      
       - While looking at fixing the 64-bit cmpxchg, I noticed that because
         the ring buffer uses normal cmpxchg, and this can be done in NMI
         context, there's some architectures that do not have a working
         cmpxchg in NMI context. For these architectures, fail recording
         events that happen in NMI context.
      
      * tag 'trace-v6.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
        ring-buffer: Do not record in NMI if the arch does not support cmpxchg in NMI
        ring-buffer: Have rb_time_cmpxchg() set the msb counter too
        ring-buffer: Fix 32-bit rb_time_read() race with rb_time_cmpxchg()
        ring-buffer: Fix a race in rb_time_cmpxchg() for 32 bit archs
        ring-buffer: Remove useless update to write_stamp in rb_try_to_discard()
        ring-buffer: Do not try to put back write_stamp
        tracing: Fix uaf issue when open the hist or hist_debug file
        tracing: Add size check when printing trace_marker output
        ring-buffer: Have saved event hold the entire event
        ring-buffer: Do not update before stamp when switching sub-buffers
        tracing: Update snapshot buffer on resize if it is allocated
        ring-buffer: Fix memory leak of free page
        eventfs: Fix events beyond NAME_MAX blocking tasks
        tracing: Have large events show up as '[LINE TOO BIG]' instead of nothing
        ring-buffer: Fix writing to the buffer with max_data_size
    • Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · c8e97fc6
      Linus Torvalds authored
      Pull arm64 fixes from Catalin Marinas:
      
       - Arm CMN perf: fix the DTC allocation failure path which can end up
         erroneously clearing live counters
      
       - arm64/mm: fix hugetlb handling of the dirty page state leading to a
         continuous fault loop in user on hardware without dirty bit
         management (DBM). That's caused by the dirty+writeable information
         not being properly preserved across a series of mprotect(PROT_NONE),
         mprotect(PROT_READ|PROT_WRITE)
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: mm: Always make sw-dirty PTEs hw-dirty in pte_modify
        perf/arm-cmn: Fail DTC counter allocation correctly
    • Merge tag 'pci-v6.7-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci · 2e3f280b
      Linus Torvalds authored
      Pull pci fixes from Bjorn Helgaas:
      
       - Limit Max_Read_Request_Size (MRRS) on some MIPS Loongson systems
         because they don't all support MRRS > 256, and firmware doesn't
         always initialize it correctly, which meant some PCIe devices didn't
         work (Jiaxun Yang)
      
       - Add and use pci_enable_link_state_locked() to prevent potential
         deadlocks in vmd and qcom drivers (Johan Hovold)
      
       - Revert recent (v6.5) acpiphp resource assignment changes that fixed
         issues with hot-adding devices on a root bus or with large BARs, but
         introduced new issues with GPU initialization and hot-adding SCSI
         disks in QEMU VMs and (Bjorn Helgaas)
      
      * tag 'pci-v6.7-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci:
        Revert "PCI: acpiphp: Reassign resources on bridge if necessary"
        PCI/ASPM: Add pci_disable_link_state_locked() lockdep assert
        PCI/ASPM: Clean up __pci_disable_link_state() 'sem' parameter
        PCI: qcom: Clean up ASPM comment
        PCI: qcom: Fix potential deadlock when enabling ASPM
        PCI: vmd: Fix potential deadlock when enabling ASPM
        PCI/ASPM: Add pci_enable_link_state_locked()
        PCI: loongson: Limit MRRS to 256
  3. 15 Dec, 2023 22 commits
  4. 14 Dec, 2023 8 commits
    • io_uring/cmd: fix breakage in SOCKET_URING_OP_SIOC* implementation · 1ba0e9d6
      Al Viro authored
      	In 8e9fad0e "io_uring: Add io_uring command support for sockets"
      you've got an include of asm-generic/ioctls.h done in io_uring/uring_cmd.c.
      That had been done for the sake of this chunk -
      +               ret = prot->ioctl(sk, SIOCINQ, &arg);
      +               if (ret)
      +                       return ret;
      +               return arg;
      +       case SOCKET_URING_OP_SIOCOUTQ:
      +               ret = prot->ioctl(sk, SIOCOUTQ, &arg);
      
      SIOC{IN,OUT}Q are defined to symbols (FIONREAD and TIOCOUTQ) that come from
      ioctls.h, all right, but the values vary by the architecture.
      
      FIONREAD is
      	0x467F on mips
      	0x4004667F on alpha, powerpc and sparc
      	0x8004667F on sh and xtensa
      	0x541B everywhere else
      TIOCOUTQ is
      	0x7472 on mips
      	0x40047473 on alpha, powerpc and sparc
      	0x80047473 on sh and xtensa
      	0x5411 everywhere else
      
      ->ioctl() expects the same values it would've gotten from userland; all
      places where we compare with SIOC{IN,OUT}Q are using asm/ioctls.h, so
      they pick the correct values.  io_uring_cmd_sock(), OTOH, ends up
      passing the default ones.
      
      Fixes: 8e9fad0e ("io_uring: Add io_uring command support for sockets")
      Cc:  <stable@vger.kernel.org>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      Link: https://lore.kernel.org/r/20231214213408.GT1674809@ZenIV
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
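The per-architecture values listed in the io_uring/cmd commit message above follow from two different `_IOR()` bit layouts plus a few plain constants. The model below is an added example, not code from the commit or the kernel tree: it recomputes the encoded values and shows which architectures would not recognise the asm-generic default. The names `ioc_layout`, `ior_int`, `arch_siocinq` and `proto_recognises` are hypothetical, and a 4-byte `int` is assumed.

```c
#include <stdint.h>
#include <stdio.h>

/* ioctl request layout: nr in bits 0-7, type in bits 8-15, then a size
 * field and a direction field whose widths depend on the architecture. */
struct ioc_layout {
    unsigned size_bits;  /* width of the size field */
    uint32_t dir_read;   /* direction code used by _IOR() */
};

/* asm-generic/ioctl.h: 14 size bits, 2 direction bits, _IOC_READ == 2. */
static const struct ioc_layout GENERIC = { 14, 2 };
/* alpha, powerpc, sparc: 13 size bits, 3 direction bits, _IOC_READ == 2. */
static const struct ioc_layout SIZE13 = { 13, 2 };

/* Model of _IOR(type, nr, int), assuming a 4-byte int. */
static uint32_t ior_int(const struct ioc_layout *l, char type, uint32_t nr)
{
    unsigned dir_shift = 16 + l->size_bits;
    return (l->dir_read << dir_shift) | (4u << 16) |
           ((uint32_t)(unsigned char)type << 8) | nr;
}

enum arch { ARCH_DEFAULT, ARCH_MIPS, ARCH_POWERPC, ARCH_SH };

/* Value of SIOCINQ (FIONREAD) as the architecture's asm/ioctls.h gives it. */
static uint32_t arch_siocinq(enum arch a)
{
    switch (a) {
    case ARCH_MIPS:    return 0x467F;                 /* plain constant */
    case ARCH_POWERPC: return ior_int(&SIZE13, 'f', 127);
    case ARCH_SH:      return ior_int(&GENERIC, 'f', 127);
    default:           return 0x541B;                 /* "everywhere else" */
    }
}

/* Constructed stand-in for a protocol ->ioctl(): it matches cmd against
 * the architecture's own SIOCINQ, as the kernel's comparisons do. */
static int proto_recognises(enum arch a, uint32_t cmd)
{
    return cmd == arch_siocinq(a);
}

int main(void)
{
    static const char *names[] = { "default", "mips", "powerpc", "sh" };
    uint32_t passed = 0x541B; /* what asm-generic/ioctls.h resolves SIOCINQ to */

    for (int a = ARCH_DEFAULT; a <= ARCH_SH; a++)
        printf("%-8s SIOCINQ=0x%08X  caller passes 0x%04X -> %s\n",
               names[a], (unsigned)arch_siocinq((enum arch)a), (unsigned)passed,
               proto_recognises((enum arch)a, passed) ? "handled" : "not recognised");
    return 0;
}
```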
    • Merge tag 'net-6.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · c7402612
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
      "Current release - regressions:
      
         - tcp: fix tcp_disordered_ack() vs usec TS resolution
      
        Current release - new code bugs:
      
         - dpll: sanitize possible null pointer dereference in
           dpll_pin_parent_pin_set()
      
         - eth: octeon_ep: initialise control mbox tasks before using APIs
      
        Previous releases - regressions:
      
         - io_uring/af_unix: disable sending io_uring over sockets
      
         - eth: mlx5e:
             - TC, don't offload post action rule if not supported
             - fix possible deadlock on mlx5e_tx_timeout_work
      
         - eth: iavf: fix iavf_shutdown to call iavf_remove instead iavf_close
      
         - eth: bnxt_en: fix skb recycling logic in bnxt_deliver_skb()
      
         - eth: ena: fix DMA syncing in XDP path when SWIOTLB is on
      
         - eth: team: fix use-after-free when an option instance allocation
           fails
      
        Previous releases - always broken:
      
         - neighbour: don't let neigh_forced_gc() disable preemption for long
      
         - net: prevent mss overflow in skb_segment()
      
         - ipv6: support reporting otherwise unknown prefix flags in
           RTM_NEWPREFIX
      
         - tcp: remove acked SYN flag from packet in the transmit queue
           correctly
      
         - eth: octeontx2-af:
             - fix a use-after-free in rvu_nix_register_reporters
             - fix promisc mcam entry action
      
         - eth: dwmac-loongson: make sure MDIO is initialized before use
      
         - eth: atlantic: fix double free in ring reinit logic"
      
      * tag 'net-6.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (62 commits)
        net: atlantic: fix double free in ring reinit logic
        appletalk: Fix Use-After-Free in atalk_ioctl
        net: stmmac: Handle disabled MDIO busses from devicetree
        net: stmmac: dwmac-qcom-ethqos: Fix drops in 10M SGMII RX
        dpaa2-switch: do not ask for MDB, VLAN and FDB replay
        dpaa2-switch: fix size of the dma_unmap
        net: prevent mss overflow in skb_segment()
        vsock/virtio: Fix unsigned integer wrap around in virtio_transport_has_space()
        Revert "tcp: disable tcp_autocorking for socket when TCP_NODELAY flag is set"
        MIPS: dts: loongson: drop incorrect dwmac fallback compatible
        stmmac: dwmac-loongson: drop useless check for compatible fallback
        stmmac: dwmac-loongson: Make sure MDIO is initialized before use
        tcp: disable tcp_autocorking for socket when TCP_NODELAY flag is set
        dpll: sanitize possible null pointer dereference in dpll_pin_parent_pin_set()
        net: ena: Fix XDP redirection error
        net: ena: Fix DMA syncing in XDP path when SWIOTLB is on
        net: ena: Fix xdp drops handling due to multibuf packets
        net: ena: Destroy correct number of xdp queues upon failure
        net: Remove acked SYN flag from packet in the transmit queue correctly
        qed: Fix a potential use-after-free in qed_cxt_tables_alloc
        ...
    • Merge tag 'for-6.7-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · bdb2701f
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
        "Some fixes to quota accounting code, mostly around error handling and
         correctness:
      
         - free reserves on various error paths, after IO errors or
           transaction abort
      
         - don't clear reserved range at the folio release time, it'll be
           properly cleared after final write
      
         - fix integer overflow due to int used when passing around size of
           freed reservations
      
         - fix a regression in squota accounting that missed some cases with
           delayed refs"
      
      * tag 'for-6.7-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: ensure releasing squota reserve on head refs
        btrfs: don't clear qgroup reserved bit in release_folio
        btrfs: free qgroup pertrans reserve on transaction abort
        btrfs: fix qgroup_free_reserved_data int overflow
        btrfs: free qgroup reserve when ORDERED_IOERR is set
    • net: atlantic: fix double free in ring reinit logic · 7bb26ea7
      Igor Russkikh authored
      Driver has a logic leak in ring data allocation/free,
      where double free may happen in aq_ring_free if system is under
      stress and driver init/deinit is happening.
      
      The probability is higher to get this during suspend/resume cycle.
      
      Verification was done simulating same conditions with
      
          stress -m 2000 --vm-bytes 20M --vm-hang 10 --backoff 1000
          while true; do sudo ifconfig enp1s0 down; sudo ifconfig enp1s0 up; done
      
      Fixed by explicitly clearing pointers to NULL on deallocation
      
      Fixes: 018423e9 ("net: ethernet: aquantia: Add ring support code")
      Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
      Closes: https://lore.kernel.org/netdev/CAHk-=wiZZi7FcvqVSUirHBjx0bBUZ4dFrMDVLc3+3HCrtq0rBA@mail.gmail.com/
      Signed-off-by: Igor Russkikh <irusskikh@marvell.com>
      Link: https://lore.kernel.org/r/20231213094044.22988-1-irusskikh@marvell.com
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • ALSA: hda/tas2781: reset the amp before component_add · 315deab2
      Gergo Koteles authored
      Calling component_add starts loading the firmware, the callback function
      writes the program to the amplifiers. If the module resets the
      amplifiers after component_add, it happens that one of the amplifiers
      does not work because the reset and program writing are interleaving.
      
      Call tas2781_reset before component_add to ensure reliable
      initialization.
      
      Fixes: 5be27f1e ("ALSA: hda/tas2781: Add tas2781 HDA driver")
      CC: stable@vger.kernel.org
      Signed-off-by: Gergo Koteles <soyer@irl.hu>
      Link: https://lore.kernel.org/r/4d23bf58558e23ee8097de01f70f1eb8d9de2d15.1702511246.git.soyer@irl.hu
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
    • ALSA: hda/tas2781: call cleanup functions only once · 6c6fa264
      Gergo Koteles authored
      If the module can load the RCA but not the firmware binary, it will call
      the cleanup functions. Then unloading the module causes general
      protection fault due to double free.
      
      Do not call the cleanup functions in tasdev_fw_ready.
      
      general protection fault, probably for non-canonical address
      0x6f2b8a2bff4c8fec: 0000 [#1] PREEMPT SMP NOPTI
      Call Trace:
       <TASK>
       ? die_addr+0x36/0x90
       ? exc_general_protection+0x1c5/0x430
       ? asm_exc_general_protection+0x26/0x30
       ? tasdevice_config_info_remove+0x6d/0xd0 [snd_soc_tas2781_fmwlib]
       tas2781_hda_unbind+0xaa/0x100 [snd_hda_scodec_tas2781_i2c]
       component_unbind+0x2e/0x50
       component_unbind_all+0x92/0xa0
       component_del+0xa8/0x140
       tas2781_hda_remove.isra.0+0x32/0x60 [snd_hda_scodec_tas2781_i2c]
       i2c_device_remove+0x26/0xb0
      
      Fixes: 5be27f1e ("ALSA: hda/tas2781: Add tas2781 HDA driver")
      CC: stable@vger.kernel.org
      Signed-off-by: Gergo Koteles <soyer@irl.hu>
      Link: https://lore.kernel.org/r/1a0885c424bb21172702d254655882b59ef6477a.1702510018.git.soyer@irl.hu
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
    • appletalk: Fix Use-After-Free in atalk_ioctl · 189ff167
      Hyunwoo Kim authored
      Because atalk_ioctl() accesses sk->sk_receive_queue
      without holding a sk->sk_receive_queue.lock, it can
      cause a race with atalk_recvmsg().
      A use-after-free for skb occurs with the following flow.
      ```
      atalk_ioctl() -> skb_peek()
      atalk_recvmsg() -> skb_recv_datagram() -> skb_free_datagram()
      ```
      Add sk->sk_receive_queue.lock to atalk_ioctl() to fix this issue.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
      Link: https://lore.kernel.org/r/20231213041056.GA519680@v4bel-B760M-AORUS-ELITE-AX
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • net: stmmac: Handle disabled MDIO busses from devicetree · e23c0d21
      Andrew Halaney authored
      Many hardware configurations have the MDIO bus disabled, and are instead
      using some other MDIO bus to talk to the MAC's phy.
      
      of_mdiobus_register() returns -ENODEV in this case. Let's handle it
      gracefully instead of failing to probe the MAC.
      
      Fixes: 47dd7a54 ("net: add support for STMicroelectronics Ethernet controllers.")
      Signed-off-by: Andrew Halaney <ahalaney@redhat.com>
      Reviewed-by: Serge Semin <fancer.lancer@gmail.com>
      Link: https://lore.kernel.org/r/20231212-b4-stmmac-handle-mdio-enodev-v2-1-600171acf79f@redhat.com
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>