1. 19 Dec, 2022 6 commits
  2. 16 Dec, 2022 2 commits
  3. 11 Dec, 2022 3 commits
  4. 10 Dec, 2022 10 commits
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm · 296a7b7e
      Linus Torvalds authored
      Pull ARM fix from Russell King:
       "One further ARM fix for 6.1 from Wang Kefeng, fixing up the handling
        for kfence faults"
      
      * tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm:
        ARM: 9278/1: kfence: only handle translation faults
      296a7b7e
    • Tejun Heo's avatar
      memcg: fix possible use-after-free in memcg_write_event_control() · 4a7ba45b
      Tejun Heo authored
      memcg_write_event_control() accesses the dentry->d_name of the specified
      control fd to route the write call.  As a cgroup interface file can't be
      renamed, it's safe to access d_name as long as the specified file is a
      regular cgroup file.  Also, as these cgroup interface files can't be
      removed before the directory, it's safe to access the parent too.
      
      Prior to 347c4a87 ("memcg: remove cgroup_event->cft"), there was a
      call to __file_cft() which verified that the specified file is a regular
      cgroupfs file before further accesses.  The cftype pointer returned from
      __file_cft() was no longer necessary and the commit inadvertently dropped
      the file type check with it allowing any file to slip through.  With the
      invarients broken, the d_name and parent accesses can now race against
      renames and removals of arbitrary files and cause use-after-free's.
      
      Fix the bug by resurrecting the file type check in __file_cft().  Now that
      cgroupfs is implemented through kernfs, checking the file operations needs
      to go through a layer of indirection.  Instead, let's check the superblock
      and dentry type.
      
      Link: https://lkml.kernel.org/r/Y5FRm/cfcKPGzWwl@slm.duckdns.org
      Fixes: 347c4a87 ("memcg: remove cgroup_event->cft")
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Reported-by: default avatarJann Horn <jannh@google.com>
      Acked-by: default avatarRoman Gushchin <roman.gushchin@linux.dev>
      Acked-by: default avatarJohannes Weiner <hannes@cmpxchg.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Michal Hocko <mhocko@kernel.org>
      Cc: Muchun Song <songmuchun@bytedance.com>
      Cc: Shakeel Butt <shakeelb@google.com>
      Cc: <stable@vger.kernel.org>	[3.14+]
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      4a7ba45b
    • Muchun Song's avatar
      MAINTAINERS: update Muchun Song's email · a501788a
      Muchun Song authored
      I'm moving to the @linux.dev account.  Map my old addresses and update it
      to my new address.
      
      Link: https://lkml.kernel.org/r/20221208115548.85244-1-songmuchun@bytedance.comSigned-off-by: default avatarMuchun Song <songmuchun@bytedance.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      a501788a
    • John Starks's avatar
      mm/gup: fix gup_pud_range() for dax · fcd0ccd8
      John Starks authored
      For dax pud, pud_huge() returns true on x86. So the function works as long
      as hugetlb is configured. However, dax doesn't depend on hugetlb.
      Commit 414fd080 ("mm/gup: fix gup_pmd_range() for dax") fixed
      devmap-backed huge PMDs, but missed devmap-backed huge PUDs. Fix this as
      well.
      
      This fixes the below kernel panic:
      
      general protection fault, probably for non-canonical address 0x69e7c000cc478: 0000 [#1] SMP
      	< snip >
      Call Trace:
      <TASK>
      get_user_pages_fast+0x1f/0x40
      iov_iter_get_pages+0xc6/0x3b0
      ? mempool_alloc+0x5d/0x170
      bio_iov_iter_get_pages+0x82/0x4e0
      ? bvec_alloc+0x91/0xc0
      ? bio_alloc_bioset+0x19a/0x2a0
      blkdev_direct_IO+0x282/0x480
      ? __io_complete_rw_common+0xc0/0xc0
      ? filemap_range_has_page+0x82/0xc0
      generic_file_direct_write+0x9d/0x1a0
      ? inode_update_time+0x24/0x30
      __generic_file_write_iter+0xbd/0x1e0
      blkdev_write_iter+0xb4/0x150
      ? io_import_iovec+0x8d/0x340
      io_write+0xf9/0x300
      io_issue_sqe+0x3c3/0x1d30
      ? sysvec_reschedule_ipi+0x6c/0x80
      __io_queue_sqe+0x33/0x240
      ? fget+0x76/0xa0
      io_submit_sqes+0xe6a/0x18d0
      ? __fget_light+0xd1/0x100
      __x64_sys_io_uring_enter+0x199/0x880
      ? __context_tracking_enter+0x1f/0x70
      ? irqentry_exit_to_user_mode+0x24/0x30
      ? irqentry_exit+0x1d/0x30
      ? __context_tracking_exit+0xe/0x70
      do_syscall_64+0x3b/0x90
      entry_SYSCALL_64_after_hwframe+0x61/0xcb
      RIP: 0033:0x7fc97c11a7be
      	< snip >
      </TASK>
      ---[ end trace 48b2e0e67debcaeb ]---
      RIP: 0010:internal_get_user_pages_fast+0x340/0x990
      	< snip >
      Kernel panic - not syncing: Fatal exception
      Kernel Offset: disabled
      
      Link: https://lkml.kernel.org/r/1670392853-28252-1-git-send-email-ssengar@linux.microsoft.com
      Fixes: 414fd080 ("mm/gup: fix gup_pmd_range() for dax")
      Signed-off-by: default avatarJohn Starks <jostarks@microsoft.com>
      Signed-off-by: default avatarSaurabh Sengar <ssengar@linux.microsoft.com>
      Cc: Jan Kara <jack@suse.cz>
      Cc: Yu Zhao <yuzhao@google.com>
      Cc: Jason Gunthorpe <jgg@nvidia.com>
      Cc: John Hubbard <jhubbard@nvidia.com>
      Cc: David Hildenbrand <david@redhat.com>
      Cc: Dan Williams <dan.j.williams@intel.com>
      Cc: Alistair Popple <apopple@nvidia.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      fcd0ccd8
    • Liam Howlett's avatar
      mmap: fix do_brk_flags() modifying obviously incorrect VMAs · 6c28ca64
      Liam Howlett authored
      Add more sanity checks to the VMA that do_brk_flags() will expand.  Ensure
      the VMA matches basic merge requirements within the function before
      calling can_vma_merge_after().
      
      Drop the duplicate checks from vm_brk_flags() since they will be enforced
      later.
      
      The old code would expand file VMAs on brk(), which is functionally
      wrong and also dangerous in terms of locking because the brk() path
      isn't designed for file VMAs and therefore doesn't lock the file
      mapping.  Checking can_vma_merge_after() ensures that new anonymous
      VMAs can't be merged into file VMAs.
      
      See https://lore.kernel.org/linux-mm/CAG48ez1tJZTOjS_FjRZhvtDA-STFmdw8PEizPDwMGFd_ui0Nrw@mail.gmail.com/
      
      Link: https://lkml.kernel.org/r/20221205192304.1957418-1-Liam.Howlett@oracle.com
      Fixes: 2e7ce7d3 ("mm/mmap: change do_brk_flags() to expand existing VMA and add do_brk_munmap()")
      Signed-off-by: default avatarLiam R. Howlett <Liam.Howlett@oracle.com>
      Suggested-by: default avatarJann Horn <jannh@google.com>
      Cc: Jason A. Donenfeld <Jason@zx2c4.com>
      Cc: Matthew Wilcox <willy@infradead.org>
      Cc: SeongJae Park <sj@kernel.org>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: Yu Zhao <yuzhao@google.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      6c28ca64
    • David Hildenbrand's avatar
      mm/swap: fix SWP_PFN_BITS with CONFIG_PHYS_ADDR_T_64BIT on 32bit · 630dc25e
      David Hildenbrand authored
      We use "unsigned long" to store a PFN in the kernel and phys_addr_t to
      store a physical address.
      
      On a 64bit system, both are 64bit wide.  However, on a 32bit system, the
      latter might be 64bit wide.  This is, for example, the case on x86 with
      PAE: phys_addr_t and PTEs are 64bit wide, while "unsigned long" only spans
      32bit.
      
      The current definition of SWP_PFN_BITS without MAX_PHYSMEM_BITS misses
      that case, and assumes that the maximum PFN is limited by an 32bit
      phys_addr_t.  This implies, that SWP_PFN_BITS will currently only be able
      to cover 4 GiB - 1 on any 32bit system with 4k page size, which is wrong.
      
      Let's rely on the number of bits in phys_addr_t instead, but make sure to
      not exceed the maximum swap offset, to not make the BUILD_BUG_ON() in
      is_pfn_swap_entry() unhappy.  Note that swp_entry_t is effectively an
      unsigned long and the maximum swap offset shares that value with the swap
      type.
      
      For example, on an 8 GiB x86 PAE system with a kernel config based on
      Debian 11.5 (-> CONFIG_FLATMEM=y, CONFIG_X86_PAE=y), we will currently
      fail removing migration entries (remove_migration_ptes()), because
      mm/page_vma_mapped.c:check_pte() will fail to identify a PFN match as
      swp_offset_pfn() wrongly masks off PFN bits.  For example,
      split_huge_page_to_list()->...->remap_page() will leave migration entries
      in place and continue to unlock the page.
      
      Later, when we stumble over these migration entries (e.g., via
      /proc/self/pagemap), pfn_swap_entry_to_page() will BUG_ON() because these
      migration entries shouldn't exist anymore and the page was unlocked.
      
      [   33.067591] kernel BUG at include/linux/swapops.h:497!
      [   33.067597] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
      [   33.067602] CPU: 3 PID: 742 Comm: cow Tainted: G            E      6.1.0-rc8+ #16
      [   33.067605] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014
      [   33.067606] EIP: pagemap_pmd_range+0x644/0x650
      [   33.067612] Code: 00 00 00 00 66 90 89 ce b9 00 f0 ff ff e9 ff fb ff ff 89 d8 31 db e8 48 c6 52 00 e9 23 fb ff ff e8 61 83 56 00 e9 b6 fe ff ff <0f> 0b bf 00 f0 ff ff e9 38 fa ff ff 3e 8d 74 26 00 55 89 e5 57 31
      [   33.067615] EAX: ee394000 EBX: 00000002 ECX: ee394000 EDX: 00000000
      [   33.067617] ESI: c1b0ded4 EDI: 00024a00 EBP: c1b0ddb4 ESP: c1b0dd68
      [   33.067619] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 EFLAGS: 00010246
      [   33.067624] CR0: 80050033 CR2: b7a00000 CR3: 01bbbd20 CR4: 00350ef0
      [   33.067625] Call Trace:
      [   33.067628]  ? madvise_free_pte_range+0x720/0x720
      [   33.067632]  ? smaps_pte_range+0x4b0/0x4b0
      [   33.067634]  walk_pgd_range+0x325/0x720
      [   33.067637]  ? mt_find+0x1d6/0x3a0
      [   33.067641]  ? mt_find+0x1d6/0x3a0
      [   33.067643]  __walk_page_range+0x164/0x170
      [   33.067646]  walk_page_range+0xf9/0x170
      [   33.067648]  ? __kmem_cache_alloc_node+0x2a8/0x340
      [   33.067653]  pagemap_read+0x124/0x280
      [   33.067658]  ? default_llseek+0x101/0x160
      [   33.067662]  ? smaps_account+0x1d0/0x1d0
      [   33.067664]  vfs_read+0x90/0x290
      [   33.067667]  ? do_madvise.part.0+0x24b/0x390
      [   33.067669]  ? debug_smp_processor_id+0x12/0x20
      [   33.067673]  ksys_pread64+0x58/0x90
      [   33.067675]  __ia32_sys_ia32_pread64+0x1b/0x20
      [   33.067680]  __do_fast_syscall_32+0x4c/0xc0
      [   33.067683]  do_fast_syscall_32+0x29/0x60
      [   33.067686]  do_SYSENTER_32+0x15/0x20
      [   33.067689]  entry_SYSENTER_32+0x98/0xf1
      
      Decrease the indentation level of SWP_PFN_BITS and SWP_PFN_MASK to keep it
      readable and consistent.
      
      [david@redhat.com: rely on sizeof(phys_addr_t) and min_t() instead]
        Link: https://lkml.kernel.org/r/20221206105737.69478-1-david@redhat.com
      [david@redhat.com: use "int" for comparison, as we're only comparing numbers < 64]
        Link: https://lkml.kernel.org/r/1f157500-2676-7cef-a84e-9224ed64e540@redhat.com
      Link: https://lkml.kernel.org/r/20221205150857.167583-1-david@redhat.com
      Fixes: 0d206b5d ("mm/swap: add swp_offset_pfn() to fetch PFN from swap entry")
      Signed-off-by: default avatarDavid Hildenbrand <david@redhat.com>
      Acked-by: default avatarPeter Xu <peterx@redhat.com>
      Reviewed-by: default avatarYang Shi <shy828301@gmail.com>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      630dc25e
    • Hugh Dickins's avatar
      tmpfs: fix data loss from failed fallocate · 44bcabd7
      Hugh Dickins authored
      Fix tmpfs data loss when the fallocate system call is interrupted by a
      signal, or fails for some other reason.  The partial folio handling in
      shmem_undo_range() forgot to consider this unfalloc case, and was liable
      to erase or truncate out data which had already been committed earlier.
      
      It turns out that none of the partial folio handling there is appropriate
      for the unfalloc case, which just wants to proceed to removal of whole
      folios: which find_get_entries() provides, even when partially covered.
      
      Original patch by Rui Wang.
      
      Link: https://lore.kernel.org/linux-mm/33b85d82.7764.1842e9ab207.Coremail.chenguoqic@163.com/
      Link: https://lkml.kernel.org/r/a5dac112-cf4b-7af-a33-f386e347fd38@google.com
      Fixes: b9a8a419 ("truncate,shmem: Handle truncates that split large folios")
      Signed-off-by: default avatarHugh Dickins <hughd@google.com>
      Reported-by: default avatarGuoqi Chen <chenguoqic@163.com>
        Link: https://lore.kernel.org/all/20221101032248.819360-1-kernel@hev.cc/
      Cc: Rui Wang <kernel@hev.cc>
      Cc: Huacai Chen <chenhuacai@loongson.cn>
      Cc: Matthew Wilcox <willy@infradead.org>
      Cc: Vishal Moola (Oracle) <vishal.moola@gmail.com>
      Cc: <stable@vger.kernel.org>	[5.17+]
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      44bcabd7
    • Michal Hocko's avatar
      kselftests: cgroup: update kmem test precision tolerance · de16d6e4
      Michal Hocko authored
      1813e51e ("memcg: increase MEMCG_CHARGE_BATCH to 64") has changed
      the batch size while this test case has been left behind. This has led
      to a test failure reported by test bot:
      not ok 2 selftests: cgroup: test_kmem # exit=1
      
      Update the tolerance for the pcp charges to reflect the
      MEMCG_CHARGE_BATCH change to fix this.
      
      [akpm@linux-foundation.org: update comments, per Roman]
      Link: https://lkml.kernel.org/r/Y4m8Unt6FhWKC6IH@dhcp22.suse.cz
      Fixes: 1813e51e ("memcg: increase MEMCG_CHARGE_BATCH to 64")
      Signed-off-by: default avatarMichal Hocko <mhocko@suse.com>
      Reported-by: default avatarkernel test robot <yujie.liu@intel.com>
        Link: https://lore.kernel.org/oe-lkp/202212010958.c1053bd3-yujie.liu@intel.comAcked-by: default avatarShakeel Butt <shakeelb@google.com>
      Acked-by: default avatarRoman Gushchin <roman.gushchin@linux.dev>
      Tested-by: default avatarYujie Liu <yujie.liu@intel.com>
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Feng Tang <feng.tang@intel.com>
      Cc: Johannes Weiner <hannes@cmpxchg.org>
      Cc: "Michal Koutný" <mkoutny@suse.com>
      Cc: Muchun Song <songmuchun@bytedance.com>
      Cc: Soheil Hassas Yeganeh <soheil@google.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      de16d6e4
    • Jason A. Donenfeld's avatar
      mm: do not BUG_ON missing brk mapping, because userspace can unmap it · f5ad5083
      Jason A. Donenfeld authored
      The following program will trigger the BUG_ON that this patch removes,
      because the user can munmap() mm->brk:
      
        #include <sys/syscall.h>
        #include <sys/mman.h>
        #include <assert.h>
        #include <unistd.h>
      
        static void *brk_now(void)
        {
          return (void *)syscall(SYS_brk, 0);
        }
      
        static void brk_set(void *b)
        {
          assert(syscall(SYS_brk, b) != -1);
        }
      
        int main(int argc, char *argv[])
        {
          void *b = brk_now();
          brk_set(b + 4096);
          assert(munmap(b - 4096, 4096 * 2) == 0);
          brk_set(b);
          return 0;
        }
      
      Compile that with musl, since glibc actually uses brk(), and then
      execute it, and it'll hit this splat:
      
        kernel BUG at mm/mmap.c:229!
        invalid opcode: 0000 [#1] PREEMPT SMP
        CPU: 12 PID: 1379 Comm: a.out Tainted: G S   U             6.1.0-rc7+ #419
        RIP: 0010:__do_sys_brk+0x2fc/0x340
        Code: 00 00 4c 89 ef e8 04 d3 fe ff eb 9a be 01 00 00 00 4c 89 ff e8 35 e0 fe ff e9 6e ff ff ff 4d 89 a7 20>
        RSP: 0018:ffff888140bc7eb0 EFLAGS: 00010246
        RAX: 0000000000000000 RBX: 00000000007e7000 RCX: ffff8881020fe000
        RDX: ffff8881020fe001 RSI: ffff8881955c9b00 RDI: ffff8881955c9b08
        RBP: 0000000000000000 R08: ffff8881955c9b00 R09: 00007ffc77844000
        R10: 0000000000000000 R11: 0000000000000001 R12: 00000000007e8000
        R13: 00000000007e8000 R14: 00000000007e7000 R15: ffff8881020fe000
        FS:  0000000000604298(0000) GS:ffff88901f700000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 0000000000603fe0 CR3: 000000015ba9a005 CR4: 0000000000770ee0
        PKRU: 55555554
        Call Trace:
         <TASK>
         do_syscall_64+0x2b/0x50
         entry_SYSCALL_64_after_hwframe+0x46/0xb0
        RIP: 0033:0x400678
        Code: 10 4c 8d 41 08 4c 89 44 24 10 4c 8b 01 8b 4c 24 08 83 f9 2f 77 0a 4c 8d 4c 24 20 4c 01 c9 eb 05 48 8b>
        RSP: 002b:00007ffc77863890 EFLAGS: 00000212 ORIG_RAX: 000000000000000c
        RAX: ffffffffffffffda RBX: 000000000040031b RCX: 0000000000400678
        RDX: 00000000004006a1 RSI: 00000000007e6000 RDI: 00000000007e7000
        RBP: 00007ffc77863900 R08: 0000000000000000 R09: 00000000007e6000
        R10: 00007ffc77863930 R11: 0000000000000212 R12: 00007ffc77863978
        R13: 00007ffc77863988 R14: 0000000000000000 R15: 0000000000000000
         </TASK>
      
      Instead, just return the old brk value if the original mapping has been
      removed.
      
      [akpm@linux-foundation.org: fix changelog, per Liam]
      Link: https://lkml.kernel.org/r/20221202162724.2009-1-Jason@zx2c4.com
      Fixes: 2e7ce7d3 ("mm/mmap: change do_brk_flags() to expand existing VMA and add do_brk_munmap()")
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Acked-by: default avatarVlastimil Babka <vbabka@suse.cz>
      Reviewed-by: default avatarLiam R. Howlett <Liam.Howlett@oracle.com>
      Reviewed-by: default avatarSeongJae Park <sj@kernel.org>
      Cc: Yu Zhao <yuzhao@google.com>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: David Hildenbrand <david@redhat.com>
      Cc: David Howells <dhowells@redhat.com>
      Cc: Davidlohr Bueso <dave@stgolabs.net>
      Cc: Matthew Wilcox <willy@infradead.org>
      Cc: Sven Schnelle <svens@linux.ibm.com>
      Cc: Will Deacon <will@kernel.org>
      Cc: Jann Horn <jannh@google.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      f5ad5083
    • Matti Vaittinen's avatar
      mailmap: update Matti Vaittinen's email address · 38f1d4ae
      Matti Vaittinen authored
      The email backend used by ROHM keeps labeling patches as spam.  This can
      result in missing the patches.
      
      Switch my mail address from a company mail to a personal one.
      
      Link: https://lkml.kernel.org/r/8f4498b66fedcbded37b3b87e0c516e659f8f583.1669912977.git.mazziesaccount@gmail.comSigned-off-by: default avatarMatti Vaittinen <mazziesaccount@gmail.com>
      Suggested-by: default avatarKrzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
      Cc: Anup Patel <anup@brainfault.org>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Atish Patra <atishp@atishpatra.org>
      Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
      Cc: Ben Widawsky <bwidawsk@kernel.org>
      Cc: Bjorn Andersson <andersson@kernel.org>
      Cc: Christian Brauner <brauner@kernel.org>
      Cc: Colin Ian King <colin.i.king@gmail.com>
      Cc: Kirill Tkhai <tkhai@ya.ru>
      Cc: Qais Yousef <qyousef@layalina.io>
      Cc: Vasily Averin <vasily.averin@linux.dev>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      38f1d4ae
  5. 09 Dec, 2022 5 commits
  6. 08 Dec, 2022 14 commits
    • Linus Torvalds's avatar
      Merge tag 'block-6.1-2022-12-08' of git://git.kernel.dk/linux · 859c73d4
      Linus Torvalds authored
      Pull block fix from Jens Axboe:
       "A small fix for initializing the NVMe quirks before initializing the
        subsystem"
      
      * tag 'block-6.1-2022-12-08' of git://git.kernel.dk/linux:
        nvme initialize core quirks before calling nvme_init_subsystem
      859c73d4
    • Linus Torvalds's avatar
      Merge tag 'io_uring-6.1-2022-12-08' of git://git.kernel.dk/linux · af145500
      Linus Torvalds authored
      Pull io_uring fix from Jens Axboe:
       "A single small fix for an issue related to ordering between
        cancelation and current->io_uring teardown"
      
      * tag 'io_uring-6.1-2022-12-08' of git://git.kernel.dk/linux:
        io_uring: Fix a null-ptr-deref in io_tctx_exit_cb()
      af145500
    • Linus Torvalds's avatar
      Merge tag 'net-6.1-rc9' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 010b6761
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from bluetooth, can and netfilter.
      
        Current release - new code bugs:
      
         - bonding: ipv6: correct address used in Neighbour Advertisement
           parsing (src vs dst typo)
      
         - fec: properly scope IRQ coalesce setup during link up to supported
           chips only
      
        Previous releases - regressions:
      
         - Bluetooth fixes for fake CSR clones (knockoffs):
             - re-add ERR_DATA_REPORTING quirk
             - fix crash when device is replugged
      
         - Bluetooth:
             - silence a user-triggerable dmesg error message
             - L2CAP: fix u8 overflow, oob access
             - correct vendor codec definition
             - fix support for Read Local Supported Codecs V2
      
         - ti: am65-cpsw: fix RGMII configuration at SPEED_10
      
         - mana: fix race on per-CQ variable NAPI work_done
      
        Previous releases - always broken:
      
         - af_unix: diag: fetch user_ns from in_skb in unix_diag_get_exact(),
           avoid null-deref
      
         - af_can: fix NULL pointer dereference in can_rcv_filter
      
         - can: slcan: fix UAF with a freed work
      
         - can: can327: flush TX_work on ldisc .close()
      
         - macsec: add missing attribute validation for offload
      
         - ipv6: avoid use-after-free in ip6_fragment()
      
         - nft_set_pipapo: actually validate intervals in fields after the
           first one
      
         - mvneta: prevent oob access in mvneta_config_rss()
      
         - ipv4: fix incorrect route flushing when table ID 0 is used, or when
           source address is deleted
      
         - phy: mxl-gpy: add workaround for IRQ bug on GPY215B and GPY215C"
      
      * tag 'net-6.1-rc9' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (77 commits)
        net: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing()
        s390/qeth: fix use-after-free in hsci
        macsec: add missing attribute validation for offload
        net: mvneta: Fix an out of bounds check
        net: thunderbolt: fix memory leak in tbnet_open()
        ipv6: avoid use-after-free in ip6_fragment()
        net: plip: don't call kfree_skb/dev_kfree_skb() under spin_lock_irq()
        net: phy: mxl-gpy: add MDINT workaround
        net: dsa: mv88e6xxx: accept phy-mode = "internal" for internal PHY ports
        xen/netback: don't call kfree_skb() under spin_lock_irqsave()
        dpaa2-switch: Fix memory leak in dpaa2_switch_acl_entry_add() and dpaa2_switch_acl_entry_remove()
        ethernet: aeroflex: fix potential skb leak in greth_init_rings()
        tipc: call tipc_lxc_xmit without holding node_read_lock
        can: esd_usb: Allow REC and TEC to return to zero
        can: can327: flush TX_work on ldisc .close()
        can: slcan: fix freed work crash
        can: af_can: fix NULL pointer dereference in can_rcv_filter
        net: dsa: sja1105: fix memory leak in sja1105_setup_devlink_regions()
        ipv4: Fix incorrect route flushing when table ID 0 is used
        ipv4: Fix incorrect route flushing when source address is deleted
        ...
      010b6761
    • Linus Torvalds's avatar
      Merge tag 'for-linus-2022120801' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid · ce19275f
      Linus Torvalds authored
      Pull HID fixes from Jiri Kosina:
       "A regression fix for handling Logitech HID++ devices and memory
        corruption fixes:
      
         - regression fix (revert) for catch-all handling of Logitech HID++
           Bluetooth devices; there are devices that turn out not to work with
           this, and the root cause is yet to be properly understood. So we
           are dropping it for now, and it will be revisited for 6.2 or 6.3
           (Benjamin Tissoires)
      
         - memory corruption fix in HID core (ZhangPeng)
      
         - memory corruption fix in hid-lg4ff (Anastasia Belova)
      
         - Kconfig fix for I2C_HID (Benjamin Tissoires)
      
         - a few device-id specific quirks that piggy-back on top of the
           important fixes above"
      
      * tag 'for-linus-2022120801' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid:
        Revert "HID: logitech-hidpp: Enable HID++ for all the Logitech Bluetooth devices"
        Revert "HID: logitech-hidpp: Remove special-casing of Bluetooth devices"
        HID: usbhid: Add ALWAYS_POLL quirk for some mice
        HID: core: fix shift-out-of-bounds in hid_report_raw_event
        HID: uclogic: Add HID_QUIRK_HIDINPUT_FORCE quirk
        HID: fix I2C_HID not selected when I2C_HID_OF_ELAN is
        HID: hid-lg4ff: Add check for empty lbuf
        HID: ite: Enable QUIRK_TOUCHPAD_ON_OFF_REPORT on Acer Aspire Switch V 10
        HID: uclogic: Fix frame templates for big endian architectures
      ce19275f
    • Linus Torvalds's avatar
      Merge tag 'soc-fixes-6.1-5' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc · f3e84166
      Linus Torvalds authored
      Pull ARM SoC fix from Arnd Bergmann:
       "One last build fix came in, addressing a link failure when building
        without CONFIG_OUTER_CACHE"
      
      * tag 'soc-fixes-6.1-5' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc:
        ARM: at91: fix build for SAMA5D3 w/o L2 cache
      f3e84166
    • Benjamin Tissoires's avatar
      Revert "HID: logitech-hidpp: Enable HID++ for all the Logitech Bluetooth devices" · a9d9e46c
      Benjamin Tissoires authored
      This reverts commit 532223c8.
      
      As reported in [0], hid-logitech-hidpp now binds on all bluetooth mice,
      but there are corner cases where hid-logitech-hidpp just gives up on
      the mouse. This leads the end user with a dead mouse.
      
      Given that we are at -rc8, we are definitively too late to find a proper
      fix. We already identified 2 issues less than 24 hours after the bug
      report. One in that ->match() was never designed to be used anywhere else
      than in hid-generic, and the other that hid-logitech-hidpp has corner
      cases where it gives up on devices it is not supposed to.
      
      So we have no choice but postpone this patch to the next kernel release.
      
      [0] https://lore.kernel.org/linux-input/CAJZ5v0g-_o4AqMgNwihCb0jrwrcJZfRrX=jv8aH54WNKO7QB8A@mail.gmail.com/Reported-by: default avatarRafael J . Wysocki <rjw@rjwysocki.net>
      Signed-off-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      a9d9e46c
    • Benjamin Tissoires's avatar
      Revert "HID: logitech-hidpp: Remove special-casing of Bluetooth devices" · 40f2432b
      Benjamin Tissoires authored
      This reverts commit 8544c812.
      
      We need to revert commit 532223c8 ("HID: logitech-hidpp: Enable HID++
      for all the Logitech Bluetooth devices") because that commit might make
      hid-logitech-hidpp bind on mice that are not well enough supported by
      hid-logitech-hidpp, and the end result is that the probe of those mice
      is now returning -ENODEV, leaving the end user with a dead mouse.
      
      Given that commit 8544c812 ("HID: logitech-hidpp: Remove special-casing
      of Bluetooth devices") is a direct dependency of 532223c8, revert it
      too.
      
      Note that this also adapt according to commit 908d325e ("HID:
      logitech-hidpp: Detect hi-res scrolling support") to re-add support of
      the devices that were removed from that commit too.
      
      I have locally an MX Master and I tested this device with that revert,
      ensuring we still have high-res scrolling.
      Reported-by: default avatarRafael J . Wysocki <rjw@rjwysocki.net>
      Signed-off-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      40f2432b
    • Linus Torvalds's avatar
      Merge tag 'loongarch-fixes-6.1-3' of... · 7f043b76
      Linus Torvalds authored
      Merge tag 'loongarch-fixes-6.1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson
      
      Pull LoongArch fixes from Huacai Chen:
       "Export smp_send_reschedule() for modules use, fix a huge page entry
        update issue, and add documents for booting description"
      
      * tag 'loongarch-fixes-6.1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson:
        docs/zh_CN: Add LoongArch booting description's translation
        docs/LoongArch: Add booting description
        LoongArch: mm: Fix huge page entry update for virtual machine
        LoongArch: Export symbol for function smp_send_reschedule()
      7f043b76
    • Linus Torvalds's avatar
      Merge tag 'for-linus-xsa-6.1-rc9b-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · a4c3a07e
      Linus Torvalds authored
      Pull xen fix from Juergen Gross:
       "A single fix for the recent security issue XSA-423"
      
      * tag 'for-linus-xsa-6.1-rc9b-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        xen/netback: fix build warning
      a4c3a07e
    • Linus Torvalds's avatar
      Merge tag 'gpio-fixes-for-v6.1' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux · 306ba240
      Linus Torvalds authored
      Pull gpio fixes from Bartosz Golaszewski:
      
       - fix a memory leak in gpiolib core
      
       - fix reference leaks in gpio-amd8111 and gpio-rockchip
      
      * tag 'gpio-fixes-for-v6.1' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux:
        gpio/rockchip: fix refcount leak in rockchip_gpiolib_register()
        gpio: amd8111: Fix PCI device reference count leak
        gpiolib: fix memory leak in gpiochip_setup_dev()
      306ba240
    • Linus Torvalds's avatar
      Merge tag 'ata-6.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata · 57fb3f66
      Linus Torvalds authored
      Pull ATA fix from Damien Le Moal:
      
       - Avoid a NULL pointer dereference in the libahci platform code that
         can happen on initialization when a device tree does not specify
         names for the adapter clocks (from Anders)
      
      * tag 'ata-6.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata:
        ata: libahci_platform: ahci_platform_find_clk: oops, NULL pointer
      57fb3f66
    • Tejun Heo's avatar
      memcg: Fix possible use-after-free in memcg_write_event_control() · fbf83212
      Tejun Heo authored
      memcg_write_event_control() accesses the dentry->d_name of the specified
      control fd to route the write call.  As a cgroup interface file can't be
      renamed, it's safe to access d_name as long as the specified file is a
      regular cgroup file.  Also, as these cgroup interface files can't be
      removed before the directory, it's safe to access the parent too.
      
      Prior to 347c4a87 ("memcg: remove cgroup_event->cft"), there was a
      call to __file_cft() which verified that the specified file is a regular
      cgroupfs file before further accesses.  The cftype pointer returned from
      __file_cft() was no longer necessary and the commit inadvertently
      dropped the file type check with it allowing any file to slip through.
      With the invarients broken, the d_name and parent accesses can now race
      against renames and removals of arbitrary files and cause
      use-after-free's.
      
      Fix the bug by resurrecting the file type check in __file_cft().  Now
      that cgroupfs is implemented through kernfs, checking the file
      operations needs to go through a layer of indirection.  Instead, let's
      check the superblock and dentry type.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Fixes: 347c4a87 ("memcg: remove cgroup_event->cft")
      Cc: stable@kernel.org # v3.14+
      Reported-by: default avatarJann Horn <jannh@google.com>
      Acked-by: default avatarJohannes Weiner <hannes@cmpxchg.org>
      Acked-by: default avatarRoman Gushchin <roman.gushchin@linux.dev>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      fbf83212
    • Radu Nicolae Pirea (OSS)'s avatar
      net: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing() · f8bac7f9
      Radu Nicolae Pirea (OSS) authored
      The SJA1105 family has 45 L2 policing table entries
      (SJA1105_MAX_L2_POLICING_COUNT) and SJA1110 has 110
      (SJA1110_MAX_L2_POLICING_COUNT). Keeping the table structure but
      accounting for the difference in port count (5 in SJA1105 vs 10 in
      SJA1110) does not fully explain the difference. Rather, the SJA1110 also
      has L2 ingress policers for multicast traffic. If a packet is classified
      as multicast, it will be processed by the policer index 99 + SRCPORT.
      
      The sja1105_init_l2_policing() function initializes all L2 policers such
      that they don't interfere with normal packet reception by default. To have
      a common code between SJA1105 and SJA1110, the index of the multicast
      policer for the port is calculated because it's an index that is out of
      bounds for SJA1105 but in bounds for SJA1110, and a bounds check is
      performed.
      
      The code fails to do the proper thing when determining what to do with the
      multicast policer of port 0 on SJA1105 (ds->num_ports = 5). The "mcast"
      index will be equal to 45, which is also equal to
      table->ops->max_entry_count (SJA1105_MAX_L2_POLICING_COUNT). So it passes
      through the check. But at the same time, SJA1105 doesn't have multicast
      policers. So the code programs the SHARINDX field of an out-of-bounds
      element in the L2 Policing table of the static config.
      
      The comparison between index 45 and 45 entries should have determined the
      code to not access this policer index on SJA1105, since its memory wasn't
      even allocated.
      
      With enough bad luck, the out-of-bounds write could even overwrite other
      valid kernel data, but in this case, the issue was detected using KASAN.
      
      Kernel log:
      
      sja1105 spi5.0: Probed switch chip: SJA1105Q
      ==================================================================
      BUG: KASAN: slab-out-of-bounds in sja1105_setup+0x1cbc/0x2340
      Write of size 8 at addr ffffff880bd57708 by task kworker/u8:0/8
      ...
      Workqueue: events_unbound deferred_probe_work_func
      Call trace:
      ...
      sja1105_setup+0x1cbc/0x2340
      dsa_register_switch+0x1284/0x18d0
      sja1105_probe+0x748/0x840
      ...
      Allocated by task 8:
      ...
      sja1105_setup+0x1bcc/0x2340
      dsa_register_switch+0x1284/0x18d0
      sja1105_probe+0x748/0x840
      ...
      
      Fixes: 38fbe91f ("net: dsa: sja1105: configure the multicast policers, if present")
      CC: stable@vger.kernel.org # 5.15+
      Signed-off-by: default avatarRadu Nicolae Pirea (OSS) <radu-nicolae.pirea@oss.nxp.com>
      Reviewed-by: default avatarVladimir Oltean <olteanv@gmail.com>
      Link: https://lore.kernel.org/r/20221207132347.38698-1-radu-nicolae.pirea@oss.nxp.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      f8bac7f9
    • Alexandra Winter's avatar
      s390/qeth: fix use-after-free in hsci · ebaaadc3
      Alexandra Winter authored
      KASAN found that addr was dereferenced after br2dev_event_work was freed.
      
      ==================================================================
      BUG: KASAN: use-after-free in qeth_l2_br2dev_worker+0x5ba/0x6b0
      Read of size 1 at addr 00000000fdcea440 by task kworker/u760:4/540
      CPU: 17 PID: 540 Comm: kworker/u760:4 Tainted: G            E      6.1.0-20221128.rc7.git1.5aa3bed4ce83.300.fc36.s390x+kasan #1
      Hardware name: IBM 8561 T01 703 (LPAR)
      Workqueue: 0.0.8000_event qeth_l2_br2dev_worker
      Call Trace:
       [<000000016944d4ce>] dump_stack_lvl+0xc6/0xf8
       [<000000016942cd9c>] print_address_description.constprop.0+0x34/0x2a0
       [<000000016942d118>] print_report+0x110/0x1f8
       [<0000000167a7bd04>] kasan_report+0xfc/0x128
       [<000000016938d79a>] qeth_l2_br2dev_worker+0x5ba/0x6b0
       [<00000001673edd1e>] process_one_work+0x76e/0x1128
       [<00000001673ee85c>] worker_thread+0x184/0x1098
       [<000000016740718a>] kthread+0x26a/0x310
       [<00000001672c606a>] __ret_from_fork+0x8a/0xe8
       [<00000001694711da>] ret_from_fork+0xa/0x40
      Allocated by task 108338:
       kasan_save_stack+0x40/0x68
       kasan_set_track+0x36/0x48
       __kasan_kmalloc+0xa0/0xc0
       qeth_l2_switchdev_event+0x25a/0x738
       atomic_notifier_call_chain+0x9c/0xf8
       br_switchdev_fdb_notify+0xf4/0x110
       fdb_notify+0x122/0x180
       fdb_add_entry.constprop.0.isra.0+0x312/0x558
       br_fdb_add+0x59e/0x858
       rtnl_fdb_add+0x58a/0x928
       rtnetlink_rcv_msg+0x5f8/0x8d8
       netlink_rcv_skb+0x1f2/0x408
       netlink_unicast+0x570/0x790
       netlink_sendmsg+0x752/0xbe0
       sock_sendmsg+0xca/0x110
       ____sys_sendmsg+0x510/0x6a8
       ___sys_sendmsg+0x12a/0x180
       __sys_sendmsg+0xe6/0x168
       __do_sys_socketcall+0x3c8/0x468
       do_syscall+0x22c/0x328
       __do_syscall+0x94/0xf0
       system_call+0x82/0xb0
      Freed by task 540:
       kasan_save_stack+0x40/0x68
       kasan_set_track+0x36/0x48
       kasan_save_free_info+0x4c/0x68
       ____kasan_slab_free+0x14e/0x1a8
       __kasan_slab_free+0x24/0x30
       __kmem_cache_free+0x168/0x338
       qeth_l2_br2dev_worker+0x154/0x6b0
       process_one_work+0x76e/0x1128
       worker_thread+0x184/0x1098
       kthread+0x26a/0x310
       __ret_from_fork+0x8a/0xe8
       ret_from_fork+0xa/0x40
      Last potentially related work creation:
       kasan_save_stack+0x40/0x68
       __kasan_record_aux_stack+0xbe/0xd0
       insert_work+0x56/0x2e8
       __queue_work+0x4ce/0xd10
       queue_work_on+0xf4/0x100
       qeth_l2_switchdev_event+0x520/0x738
       atomic_notifier_call_chain+0x9c/0xf8
       br_switchdev_fdb_notify+0xf4/0x110
       fdb_notify+0x122/0x180
       fdb_add_entry.constprop.0.isra.0+0x312/0x558
       br_fdb_add+0x59e/0x858
       rtnl_fdb_add+0x58a/0x928
       rtnetlink_rcv_msg+0x5f8/0x8d8
       netlink_rcv_skb+0x1f2/0x408
       netlink_unicast+0x570/0x790
       netlink_sendmsg+0x752/0xbe0
       sock_sendmsg+0xca/0x110
       ____sys_sendmsg+0x510/0x6a8
       ___sys_sendmsg+0x12a/0x180
       __sys_sendmsg+0xe6/0x168
       __do_sys_socketcall+0x3c8/0x468
       do_syscall+0x22c/0x328
       __do_syscall+0x94/0xf0
       system_call+0x82/0xb0
      Second to last potentially related work creation:
       kasan_save_stack+0x40/0x68
       __kasan_record_aux_stack+0xbe/0xd0
       kvfree_call_rcu+0xb2/0x760
       kernfs_unlink_open_file+0x348/0x430
       kernfs_fop_release+0xc2/0x320
       __fput+0x1ae/0x768
       task_work_run+0x1bc/0x298
       exit_to_user_mode_prepare+0x1a0/0x1a8
       __do_syscall+0x94/0xf0
       system_call+0x82/0xb0
      The buggy address belongs to the object at 00000000fdcea400
       which belongs to the cache kmalloc-96 of size 96
      The buggy address is located 64 bytes inside of
       96-byte region [00000000fdcea400, 00000000fdcea460)
      The buggy address belongs to the physical page:
      page:000000005a9c26e8 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xfdcea
      flags: 0x3ffff00000000200(slab|node=0|zone=1|lastcpupid=0x1ffff)
      raw: 3ffff00000000200 0000000000000000 0000000100000122 000000008008cc00
      raw: 0000000000000000 0020004100000000 ffffffff00000001 0000000000000000
      page dumped because: kasan: bad access detected
      Memory state around the buggy address:
       00000000fdcea300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
       00000000fdcea380: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
      >00000000fdcea400: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                                                 ^
       00000000fdcea480: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
       00000000fdcea500: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
      ==================================================================
      
      Fixes: f7936b7b ("s390/qeth: Update MACs of LEARNING_SYNC device")
      Reported-by: default avatarThorsten Winkler <twinkler@linux.ibm.com>
      Signed-off-by: default avatarAlexandra Winter <wintera@linux.ibm.com>
      Reviewed-by: default avatarWenjia Zhang <wenjia@linux.ibm.com>
      Reviewed-by: default avatarThorsten Winkler <twinkler@linux.ibm.com>
      Link: https://lore.kernel.org/r/20221207105304.20494-1-wintera@linux.ibm.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ebaaadc3