1. 12 Apr, 2024 10 commits
    • Merge tag 'block-6.9-20240412' of git://git.kernel.dk/linux · d7ad0581
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
      
       - MD pull request via Song:
             - UAF fix (Yu)
      
       - Avoid out-of-bounds shift in blk-iocost (Rik)
      
       - Fix for q->blkg_list corruption (Ming)
      
       - Relax virt boundary mask/size segment checking (Ming)
      
      * tag 'block-6.9-20240412' of git://git.kernel.dk/linux:
        block: fix that blk_time_get_ns() doesn't update time after schedule
        block: allow device to have both virt_boundary_mask and max segment size
        block: fix q->blkg_list corruption during disk rebind
        blk-iocost: avoid out of bounds shift
        raid1: fix use-after-free for original bio in raid1_write_request()
    • Merge tag 'io_uring-6.9-20240412' of git://git.kernel.dk/linux · c7adbe2e
      Linus Torvalds authored
      Pull io_uring fixes from Jens Axboe:
      
       - Fix for sigmask restoring while waiting for events (Alexey)
      
       - Typo fix in comment (Haiyue)
      
       - Fix for a msg_control restore on SEND_ZC retries (Pavel)
      
      * tag 'io_uring-6.9-20240412' of git://git.kernel.dk/linux:
        io-uring: correct typo in comment for IOU_F_TWQ_LAZY_WAKE
        io_uring/net: restore msg_control on sendzc retry
        io_uring: Fix io_cqring_wait() not restoring sigmask on get_timespec64() failure
    • Merge tag 'ceph-for-6.9-rc4' of https://github.com/ceph/ceph-client · 90d3eaaf
      Linus Torvalds authored
      Pull ceph fixes from Ilya Dryomov:
       "Two CephFS fixes marked for stable and a MAINTAINERS update"
      
      * tag 'ceph-for-6.9-rc4' of https://github.com/ceph/ceph-client:
        MAINTAINERS: remove myself as a Reviewer for Ceph
        ceph: switch to use cap_delay_lock for the unlink delay list
        ceph: redirty page before returning AOP_WRITEPAGE_ACTIVATE
    • Kconfig: add some hidden tabs on purpose · d5cf50da
      Linus Torvalds authored
      Commit d96c3600 ("tracing: Fix FTRACE_RECORD_RECURSION_SIZE Kconfig
      entry") removed a hidden tab because it apparently showed breakage in
      some third-party kernel config parsing tool.
      
      It wasn't clear what tool it was, but let's make sure it gets fixed.
      Because if you can't parse tabs as whitespace, you should not be parsing
      the kernel Kconfig files.
      
      In fact, let's make such breakage more obvious than some esoteric ftrace
      record size option.  If you can't parse tabs, you can't have page sizes.
      
      Yes, tab-vs-space confusion is sadly a traditional Unix thing, and
      'make' is famous for being broken in this regard.  But no, that does not
      mean that it's ok.
      
      I'd add more random tabs to our Kconfig files, but I don't want to make
      things uglier than necessary.  But it *might* be necessary if it turns
      out we see more of this kind of silly tooling.
      
      Fixes: d96c3600 ("tracing: Fix FTRACE_RECORD_RECURSION_SIZE Kconfig entry")
      Link: https://lore.kernel.org/lkml/CAHk-=wj-hLLN_t_m5OL4dXLaxvXKy_axuoJYXif7iczbfgAevQ@mail.gmail.com/
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge tag 'trace-v6.9-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace · 5939d451
      Linus Torvalds authored
      Pull tracing fixes from Steven Rostedt:
      
       - Fix the buffer_percent accounting as it is dependent on three
         variables:
      
           1) pages_read - number of subbuffers read
           2) pages_lost - number of subbuffers lost due to overwrite
           3) pages_touched - number of pages that a writer entered
      
         These three counters only increment, and to know how many active
         pages there are on the buffer at any given time, the pages_read and
         pages_lost are subtracted from pages_touched.
      
         But the pages touched was incremented whenever any writer went to the
         next subbuffer even if it wasn't the only one, so it was incremented
         more than it should be causing the counter for how many subbuffers
         currently have content incorrect, which caused the buffer_percent
         that holds waiters until the ring buffer is filled to a given
         percentage to wake up early.
      
       - Fix warning of unused functions when PERF_EVENTS is not configured in
      
       - Replace bad tab with space in Kconfig for FTRACE_RECORD_RECURSION_SIZE
      
       - Fix to some kerneldoc function comments in eventfs code.
      
      * tag 'trace-v6.9-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
        ring-buffer: Only update pages_touched when a new page is touched
        tracing: hide unused ftrace_event_id_fops
        tracing: Fix FTRACE_RECORD_RECURSION_SIZE Kconfig entry
        eventfs: Fix kernel-doc comments to functions
    • Merge tag 'mips-fixes_6.9_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux · e00011a1
      Linus Torvalds authored
      Pull MIPS fix from Thomas Bogendoerfer:
       "Fix for syscall_get_nr() to make it work even if tracing is disabled"
      
      * tag 'mips-fixes_6.9_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux:
        MIPS: scall: Save thread_info.syscall unconditionally on entry
    • Merge tag 'drm-fixes-2024-04-12' of https://gitlab.freedesktop.org/drm/kernel · d1c13e80
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Looks like everyone woke up after holidays, this week's pull has a
        bunch of stuff all over, 2 weeks' worth of amdgpu is a lot of it, then
        i915/xe have a few, a bunch of msm fixes, then some scattered driver
        fixes.
      
        I expect things will settle down for rc5.
      
        client:
         - Protect connector modes with mode_config mutex
      
        ast:
         - Fix soft lockup
      
        host1x:
         - Do not setup DMA for virtual addresses
      
        ivpu:
         - Fix deadlock in context_xa
         - PCI fixes
         - Fixes to error handling
      
        nouveau:
         - gsp: Fix OOB access
         - Fix casting
      
        panfrost:
         - Fix error path in MMU code
      
        qxl:
         - Revert "drm/qxl: simplify qxl_fence_wait"
      
        vmwgfx:
         - Enable DMA for SEV mappings
      
        i915:
         - Couple CDCLK programming fixes
         - HDCP related fix
         - 4 Bigjoiner related fixes
         - Fix for a circular locking around GuC on reset+wedged case
      
        xe:
         - Fix double display mutex initializations
         - Fix u32 -> u64 implicit conversions
         - Fix RING_CONTEXT_CONTROL not marked as masked
      
        msm:
         - DP refcount leak fix on disconnect
         - Add missing newlines to prints in msm_fb and msm_kms
         - fix dpu debugfs entry permissions
         - Fix the interface table for the catalog of X1E80100
         - fix irq message printing
         - Bindings fix to add DP node as child of mdss for mdss node
         - Minor typo fix in DP driver API which handles port status change
         - fix CHRASHDUMP_READ()
         - fix HHB (highest bank bit) for a619 to fix UBWC corruption
      
        amdgpu:
         - GPU reset fixes
         - Fix some confusing logging
         - UMSCH fix
         - Aborted suspend fix
         - DCN 3.5 fixes
         - S4 fix
         - MES logging fixes
         - SMU 14 fixes
         - SDMA 4.4.2 fix
         - KASAN fix
         - SMU 13.0.10 fix
         - VCN partition fix
         - GFX11 fixes
         - DWB fixes
         - Plane handling fix
         - FAMS fix
         - DCN 3.1.6 fix
         - VSC SDP fixes
         - OLED panel fix
         - GFX 11.5 fix
      
        amdkfd:
         - GPU reset fixes
         - fix ioctl integer overflow"
      
      * tag 'drm-fixes-2024-04-12' of https://gitlab.freedesktop.org/drm/kernel: (65 commits)
        amdkfd: use calloc instead of kzalloc to avoid integer overflow
        drm/xe: Label RING_CONTEXT_CONTROL as masked
        drm/xe/xe_migrate: Cast to output precision before multiplying operands
        drm/xe/hwmon: Cast result to output precision on left shift of operand
        drm/xe/display: Fix double mutex initialization
        drm/amdgpu: differentiate external rev id for gfx 11.5.0
        drm/amd/display: Adjust dprefclk by down spread percentage.
        drm/amd/display: Set VSC SDP Colorimetry same way for MST and SST
        drm/amd/display: Program VSC SDP colorimetry for all DP sinks >= 1.4
        drm/amd/display: fix disable otg wa logic in DCN316
        drm/amd/display: Do not recursively call manual trigger programming
        drm/amd/display: always reset ODM mode in context when adding first plane
        drm/amdgpu: fix incorrect number of active RBs for gfx11
        drm/amd/display: Return max resolution supported by DWB
        amd/amdkfd: sync all devices to wait all processes being evicted
        drm/amdgpu: clear set_q_mode_offs when VM changed
        drm/amdgpu: Fix VCN allocation in CPX partition
        drm/amd/pm: fix the high voltage issue after unload
        drm/amd/display: Skip on writeback when it's not applicable
        drm/amdgpu: implement IRQ_STATE_ENABLE for SDMA v4.4.2
        ...
    • block: fix that blk_time_get_ns() doesn't update time after schedule · 3ec48489
      Yu Kuai authored
      While monitoring the throttle time of IO from iocost, it's found that
      such time is always zero after the io_schedule() from ioc_rqos_throttle,
      for example, with the following debug patch:
      
      +       printk("%s-%d: %s enter %llu\n", current->comm, current->pid, __func__, blk_time_get_ns());
              while (true) {
                      set_current_state(TASK_UNINTERRUPTIBLE);
                      if (wait.committed)
                              break;
                      io_schedule();
              }
      +       printk("%s-%d: %s exit  %llu\n", current->comm, current->pid, __func__, blk_time_get_ns());
      
      It can be observed that blk_time_get_ns() always returns the same time:
      
      [ 1068.096579] fio-1268: ioc_rqos_throttle enter 1067901962288
      [ 1068.272587] fio-1268: ioc_rqos_throttle exit  1067901962288
      [ 1068.274389] fio-1268: ioc_rqos_throttle enter 1067901962288
      [ 1068.472690] fio-1268: ioc_rqos_throttle exit  1067901962288
      [ 1068.474485] fio-1268: ioc_rqos_throttle enter 1067901962288
      [ 1068.672656] fio-1268: ioc_rqos_throttle exit  1067901962288
      [ 1068.674451] fio-1268: ioc_rqos_throttle enter 1067901962288
      [ 1068.872655] fio-1268: ioc_rqos_throttle exit  1067901962288
      
      And I think the root cause is that 'PF_BLOCK_TS' is always cleared
      by blk_flush_plug() before schedule(), hence blk_plug_invalidate_ts()
      will never be called:
      
      blk_time_get_ns
       plug->cur_ktime = ktime_get_ns();
       current->flags |= PF_BLOCK_TS;
      
      io_schedule:
       io_schedule_prepare
        blk_flush_plug
         __blk_flush_plug
          /* the flag is cleared, while time is not */
          current->flags &= ~PF_BLOCK_TS;
       schedule
       sched_update_worker
        /* the flag is not set, hence plug->cur_ktime is not cleared */
        if (tsk->flags & PF_BLOCK_TS)
         blk_plug_invalidate_ts()
      
      blk_time_get_ns
       /* got the time stashed before schedule */
       return plug->cur_ktime;
      
      Fix the problem by clearing cached time in __blk_flush_plug().
      
      Fixes: 06b23f92 ("block: update cached timestamp post schedule/preemption")
      Signed-off-by: Yu Kuai <yukuai3@huawei.com>
      Link: https://lore.kernel.org/r/20240411032349.3051233-2-yukuai1@huaweicloud.com
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
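Added example (not part of the commit or of the kernel source): a user-space model of the call flow sketched in the message above, showing why the measured throttle time is zero before the fix and correct once the flush also drops the cached time. The struct, the `*_model` helpers, the flag value and the sleep length are assumptions made for illustration; only the names PF_BLOCK_TS, cur_ktime and the call order come from the message.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PF_BLOCK_TS 0x1u        /* constructed flag value for this model */

struct task_model {
    unsigned int flags;         /* models current->flags */
    uint64_t cur_ktime;         /* models plug->cur_ktime, 0 means "no cache" */
    uint64_t clock_ns;          /* stand-in for ktime_get_ns() */
};

/* Return the cached time if there is one, otherwise read the clock,
 * cache it and mark the task as holding a cached block timestamp. */
static uint64_t blk_time_get_ns(struct task_model *t)
{
    if (!t->cur_ktime) {
        t->cur_ktime = t->clock_ns;
        t->flags |= PF_BLOCK_TS;
    }
    return t->cur_ktime;
}

/* Flushing the plug clears the flag. With fixed == true it also clears
 * the cached time, which is the change the commit message describes. */
static void blk_flush_plug_model(struct task_model *t, bool fixed)
{
    if (fixed)
        t->cur_ktime = 0;
    t->flags &= ~PF_BLOCK_TS;
}

/* After schedule(): invalidate the cache only if the flag is still set. */
static void sched_update_worker_model(struct task_model *t)
{
    if (t->flags & PF_BLOCK_TS)
        t->cur_ktime = 0;       /* blk_plug_invalidate_ts() */
}

static void io_schedule_model(struct task_model *t, uint64_t slept_ns, bool fixed)
{
    blk_flush_plug_model(t, fixed);   /* io_schedule_prepare() */
    t->clock_ns += slept_ns;          /* schedule(): wall time advances */
    sched_update_worker_model(t);     /* flag already gone, so a no-op */
}

/* Nanoseconds a caller observes across one sleep of slept_ns. */
uint64_t measured_throttle_ns(bool fixed, uint64_t slept_ns)
{
    struct task_model t = { 0, 0, 1067901962288ULL }; /* start value from the log above */
    uint64_t enter = blk_time_get_ns(&t);

    io_schedule_model(&t, slept_ns, fixed);
    return blk_time_get_ns(&t) - enter;
}

int main(void)
{
    uint64_t slept = 176000000ULL;    /* constructed sleep length */

    printf("before fix: %llu ns\n",
           (unsigned long long)measured_throttle_ns(false, slept));
    printf("after fix:  %llu ns\n",
           (unsigned long long)measured_throttle_ns(true, slept));
    return 0;
}
```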
    • amdkfd: use calloc instead of kzalloc to avoid integer overflow · 3b0daecf
      Dave Airlie authored
      This uses calloc instead of doing the multiplication which might
      overflow.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Dave Airlie <airlied@redhat.com>
    • Merge tag 'drm-msm-next-2024-04-11' of https://gitlab.freedesktop.org/drm/msm into drm-fixes · 6d837271
      Dave Airlie authored
      Fixes for v6.9
      
      Display:
      - Fixes for PM refcount leak when DP goes to disconnected state and
        also when link training fails. This is also one of the issues found
        with the pm runtime series
      - Add missing newlines to prints in msm_fb and msm_kms
      - Change permissions of some dpu debugfs entries which write to const
        data from catalog to read-only to avoid protection faults
      - Fix the interface table for the catalog of X1E80100. This is an
        important fix to bringup DP for X1E80100.
      - Logging fix to print the callback symbol in the invalid IRQ message
        case rather than printing when it's known to be NULL.
      - Bindings fix to add DP node as child of mdss for mdss node
      - Minor typo fix in DP driver API which handles port status change
      
      GPU:
      - fix CHRASHDUMP_READ()
      - fix HHB (highest bank bit) for a619 to fix UBWC corruption
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      From: Rob Clark <robdclark@gmail.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/CAF6AEGvFwRUcHGWva7oDeydq1PTiZMduuykCD2MWaFrT4iMGZA@mail.gmail.com
  2. 11 Apr, 2024 30 commits
    • Merge tag 'cxl-fixes-6.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl · 586b5dfb
      Linus Torvalds authored
      Pull cxl fixes from Dave Jiang:
      
       - Fix index of Clear Event Record handles in cxl_clear_event_record()
      
       - Fix use before init of map->reg_type in cxl_decode_regblock()
      
       - Fix initialization of mbox_cmd.size_out in cxl_mem_get_records_log()
      
       - Fix CXL path access_coordinate computation:
           - Remove unneeded check of iter in loop
           - Fix of retrieving of access_coordinate in PCI topology walk
           - Fix of incorrect region access_coordinate data calculation
           - Consolidate of access_coordinates attached to downstream port
             context
           - Add check to validate access_coordinate validity to prevent
             incorrect data being exposed via sysfs
      
      * tag 'cxl-fixes-6.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl:
        cxl: Add checks to access_coordinate calculation to fail missing data
        cxl: Consolidate dport access_coordinate ->hb_coord and ->sw_coord into ->coord
        cxl: Fix incorrect region perf data calculation
        cxl: Fix retrieving of access_coordinates in PCIe path
        cxl: Remove checking of iter in cxl_endpoint_get_perf_coordinates()
        cxl/core: Fix initialization of mbox_cmd.size_out in get event
        cxl/core/regs: Fix usage of map->reg_type in cxl_decode_regblock() before assigned
        cxl/mem: Fix for the index of Clear Event Record Handle
    • Merge tag 'hyperv-fixes-signed-20240411' of... · 52e5070f
      Linus Torvalds authored
      Merge tag 'hyperv-fixes-signed-20240411' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux
      
      Pull hyperv fixes from Wei Liu:
      
       - Some cosmetic changes (Erni Sri Satya Vennela, Li Zhijian)
      
       - Introduce hv_numa_node_to_pxm_info() (Nuno Das Neves)
      
       - Fix KVP daemon to handle IPv4 and IPv6 combination for keyfile format
         (Shradha Gupta)
      
       - Avoid freeing decrypted memory in a confidential VM (Rick Edgecombe
         and Michael Kelley)
      
      * tag 'hyperv-fixes-signed-20240411' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux:
        Drivers: hv: vmbus: Don't free ring buffers that couldn't be re-encrypted
        uio_hv_generic: Don't free decrypted memory
        hv_netvsc: Don't free decrypted memory
        Drivers: hv: vmbus: Track decrypted status in vmbus_gpadl
        Drivers: hv: vmbus: Leak pages if set_memory_encrypted() fails
        hv/hv_kvp_daemon: Handle IPv4 and Ipv6 combination for keyfile format
        hv: vmbus: Convert sprintf() family to sysfs_emit() family
        mshyperv: Introduce hv_numa_node_to_pxm_info()
        x86/hyperv: Cosmetic changes for hv_apic.c
    • ring-buffer: Only update pages_touched when a new page is touched · ffe3986f
      Steven Rostedt (Google) authored
      The "buffer_percent" logic that is used by the ring buffer splice code to
      only wake up the tasks when there's no data after the buffer is filled to
      the percentage of the "buffer_percent" file is dependent on three
      variables that determine the amount of data that is in the ring buffer:
      
       1) pages_read - incremented whenever a new sub-buffer is consumed
       2) pages_lost - incremented every time a writer overwrites a sub-buffer
       3) pages_touched - incremented when a write goes to a new sub-buffer
      
      The percentage is the calculation of:
      
        (pages_touched - (pages_lost + pages_read)) / nr_pages
      
      Basically, the amount of data is the total number of sub-bufs that have been
      touched, minus the number of sub-bufs lost and sub-bufs consumed. This is
      divided by the total count to give the buffer percentage. When the
      percentage is greater than the value in the "buffer_percent" file, it
      wakes up splice readers waiting for that amount.
      
      It was observed that over time, the amount read from the splice was
      constantly decreasing the longer the trace was running. That is, if one
      asked for 60%, it would read over 60% when it first starts tracing, but
      then it would be woken up at under 60% and would slowly decrease the
      amount of data read after being woken up, where the amount becomes much
      less than the buffer percent.
      
      This was due to an accounting of the pages_touched incrementation. This
      value is incremented whenever a writer transfers to a new sub-buffer. But
      the place where it was incremented was incorrect. If a writer overflowed
      the current sub-buffer it would go to the next one. If it gets preempted
      by an interrupt at that time, and the interrupt performs a trace, it too
      will end up going to the next sub-buffer. But only one should increment
      the counter. Unfortunately, that was not the case.
      
      Change the cmpxchg() that does the real switch of the tail-page into a
      try_cmpxchg(), and on success, perform the increment of pages_touched. This
      will only increment the counter once for when the writer moves to a new
      sub-buffer, and not when there's a race and is incremented for when a
      writer and its preempting writer both move to the same new sub-buffer.
      
      Link: https://lore.kernel.org/linux-trace-kernel/20240409151309.0d0e5056@gandalf.local.home
      
      Cc: stable@vger.kernel.org
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Fixes: 2c2b0a78 ("ring-buffer: Add percentage of ring buffer full to wake up reader")
      Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
      Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
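Added example (not part of the commit or of the kernel source): a single-threaded model of the race described above, in which a writer and the interrupt that preempts it both try to move the tail to the same next sub-buffer, and the reported fill percentage is computed with the formula from the message. The struct, the function names, the 10-page buffer and the interleaving are assumptions; the counter names and the "increment only when the compare-exchange succeeds" rule come from the message.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

struct rb_model {
    _Atomic int tail_page;      /* index of the current tail sub-buffer */
    long pages_touched;
    long pages_lost;
    long pages_read;
    long nr_pages;
};

/* One writer's attempt to move the tail from the sub-buffer it saw
 * (seen) to the next one. Before the fix the counter is bumped by every
 * writer that gets here; after the fix only by the writer whose
 * compare-exchange actually performed the switch. */
static void move_tail(struct rb_model *rb, int seen, bool fixed)
{
    int expected = seen;
    int next = (int)((seen + 1) % rb->nr_pages);
    bool won = atomic_compare_exchange_strong(&rb->tail_page, &expected, next);

    if (!fixed || won)
        rb->pages_touched++;
}

/* Fill `moves` sub-buffers with no reader and no overwrite. On every
 * race_every-th move an interrupt preempts the writer after it has read
 * the tail and moves the tail first; the writer then resumes with a
 * stale view. Returns the percentage the buffer_percent logic would see. */
int reported_percent(bool fixed, int moves, int race_every)
{
    struct rb_model rb = { .nr_pages = 10 };

    atomic_init(&rb.tail_page, 0);
    for (int i = 1; i <= moves; i++) {
        int seen = atomic_load(&rb.tail_page);   /* writer reads the tail */

        if (race_every && i % race_every == 0)
            move_tail(&rb, seen, fixed);         /* interrupt moves it first */
        move_tail(&rb, seen, fixed);             /* writer resumes */
    }
    /* (pages_touched - (pages_lost + pages_read)) / nr_pages, as a percent */
    return (int)(100 * (rb.pages_touched - (rb.pages_lost + rb.pages_read))
                 / rb.nr_pages);
}

int main(void)
{
    /* Five sub-buffers really hold data in both runs (true fill: 50%). */
    printf("fixed accounting: %d%%\n", reported_percent(true, 5, 5));
    printf("old accounting:   %d%%\n", reported_percent(false, 5, 5));
    return 0;
}
```

With a "buffer_percent" of 60, the old accounting in this model reaches the threshold while only half of the buffer holds data, and because the counters only increment, every further race widens the gap.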
    • tracing: hide unused ftrace_event_id_fops · 5281ec83
      Arnd Bergmann authored
      When CONFIG_PERF_EVENTS, a 'make W=1' build produces a warning about the
      unused ftrace_event_id_fops variable:
      
      kernel/trace/trace_events.c:2155:37: error: 'ftrace_event_id_fops' defined but not used [-Werror=unused-const-variable=]
       2155 | static const struct file_operations ftrace_event_id_fops = {
      
      Hide this in the same #ifdef as the reference to it.
      
      Link: https://lore.kernel.org/linux-trace-kernel/20240403080702.3509288-7-arnd@kernel.org
      
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Zheng Yejian <zhengyejian1@huawei.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Ajay Kaher <akaher@vmware.com>
      Cc: Jinjie Ruan <ruanjinjie@huawei.com>
      Cc: Clément Léger <cleger@rivosinc.com>
      Cc: Dan Carpenter <dan.carpenter@linaro.org>
      Cc: "Tzvetomir Stoyanov (VMware)" <tz.stoyanov@gmail.com>
      Fixes: 620a30e9 ("tracing: Don't pass file_operations array to event_create_dir()")
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
    • tracing: Fix FTRACE_RECORD_RECURSION_SIZE Kconfig entry · d96c3600
      Prasad Pandit authored
      Fix FTRACE_RECORD_RECURSION_SIZE entry, replace tab with
      a space character. It helps Kconfig parsers to read file
      without error.
      
      Link: https://lore.kernel.org/linux-trace-kernel/20240322121801.1803948-1-ppandit@redhat.com
      
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Fixes: 773c1670 ("ftrace: Add recording of functions that caused recursion")
      Signed-off-by: Prasad Pandit <pjp@fedoraproject.org>
      Reviewed-by: Randy Dunlap <rdunlap@infradead.org>
      Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
    • eventfs: Fix kernel-doc comments to functions · a8fa658e
      Yang Li authored
      This commit fixes kernel-doc style comments with complete parameter
      descriptions for the lookup_file(), lookup_dir_entry() and
      lookup_file_dentry().
      
      Link: https://lore.kernel.org/linux-trace-kernel/20240322062604.28862-1-yang.lee@linux.alibaba.com
      Signed-off-by: Yang Li <yang.lee@linux.alibaba.com>
      Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
    • MAINTAINERS: remove myself as a Reviewer for Ceph · d3e04693
      Jeff Layton authored
      It has been a couple of years since I stepped down as CephFS maintainer.
      I'm not involved in any meaningful way with the project these days, so
      while I'm happy to help review the occasional patch, I don't need to be
      cc'ed on all of them.
      Signed-off-by: Jeff Layton <jlayton@kernel.org>
      Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
    • ceph: switch to use cap_delay_lock for the unlink delay list · 17f8dc2d
      Xiubo Li authored
      The same list item will be used in both cap_delay_list and
      cap_unlink_delay_list, so it's buggy to use two different locks
      to protect them.
      
      Cc: stable@vger.kernel.org
      Fixes: dbc347ef ("ceph: add ceph_cap_unlink_work to fire check_caps() immediately")
      Link: https://lists.ceph.io/hyperkitty/list/ceph-users@ceph.io/thread/AODC76VXRAMXKLFDCTK4TKFDDPWUSCN5
      Reported-by: Marc Ruhmann <ruhmann@luis.uni-hannover.de>
      Signed-off-by: Xiubo Li <xiubli@redhat.com>
      Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
      Tested-by: Marc Ruhmann <ruhmann@luis.uni-hannover.de>
      Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
    • Merge tag 'drm-xe-fixes-2024-04-11' of https://gitlab.freedesktop.org/drm/xe/kernel into drm-fixes · 1bafeaf2
      Dave Airlie authored
      - Fix double display mutex initializations
      - Fix u32 -> u64 implicit conversions
      - Fix RING_CONTEXT_CONTROL not marked as masked
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      
      From: Lucas De Marchi <lucas.demarchi@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/ewvvtgcb2gonxvccws6nt6fqswoyfp4g43t5ex24vpqwtrxdzm@hgjoz5uirmxx
    • Merge tag 'drm-misc-fixes-2024-04-11' of... · 1b24b3cd
      Dave Airlie authored
      Merge tag 'drm-misc-fixes-2024-04-11' of https://gitlab.freedesktop.org/drm/misc/kernel into drm-fixes
      
      Short summary of fixes pull:
      
      ast:
      - Fix soft lockup
      
      client:
      - Protect connector modes with mode_config mutex
      
      host1x:
      - Do not setup DMA for virtual addresses
      
      ivpu:
      - Fix deadlock in context_xa
      - PCI fixes
      - Fixes to error handling
      
      nouveau:
      - gsp: Fix OOB access
      - Fix casting
      
      panfrost:
      - Fix error path in MMU code
      
      qxl:
      - Revert "drm/qxl: simplify qxl_fence_wait"
      
      vmwgfx:
      - Enable DMA for SEV mappings
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      
      From: Thomas Zimmermann <tzimmermann@suse.de>
      Link: https://patchwork.freedesktop.org/patch/msgid/20240411073403.GA9895@localhost.localdomain
    • Merge tag 'acpi-6.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 00dcf5d8
      Linus Torvalds authored
      Pull ACPI fixes from Rafael Wysocki:
       "These fix the handling of dependencies between devices in the ACPI
        device enumeration code and address a _UID matching regression from
        the 6.8 development cycle.
      
        Specifics:
      
         - Modify the ACPI device enumeration code to avoid counting
           dependencies that have been met already as unmet (Hans de Goede)
      
         - Make _UID matching take the integer value of 0 into account as
           appropriate (Raag Jadav)"
      
      * tag 'acpi-6.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPI: bus: allow _UID matching for integer zero
        ACPI: scan: Do not increase dep_unmet for already met dependencies
    • Merge tag 'pm-6.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 136eb5fd
      Linus Torvalds authored
      Pull power management fix from Rafael Wysocki:
       "Fix the suspend-to-idle core code to guarantee that timers queued on
        CPUs other than the one that has first left the idle state, which
        should expire directly after resume, will be handled (Anna-Maria
        Behnsen)"
      
      * tag 'pm-6.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        PM: s2idle: Make sure CPUs will wakeup directly on resume
    • Merge tag 'net-6.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 2ae9a897
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
       "Including fixes from bluetooth.
      
        Current release - new code bugs:
      
         - netfilter: complete validation of user input
      
         - mlx5: disallow SRIOV switchdev mode when in multi-PF netdev
      
        Previous releases - regressions:
      
         - core: fix u64_stats_init() for lockdep when used repeatedly in one
           file
      
         - ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr
      
         - bluetooth: fix memory leak in hci_req_sync_complete()
      
         - batman-adv: avoid infinite loop trying to resize local TT
      
         - drv: geneve: fix header validation in geneve[6]_xmit_skb
      
         - drv: bnxt_en: fix possible memory leak in
           bnxt_rdma_aux_device_init()
      
         - drv: mlx5: offset comp irq index in name by one
      
         - drv: ena: avoid double-free clearing stale tx_info->xdpf value
      
         - drv: pds_core: fix pdsc_check_pci_health deadlock
      
        Previous releases - always broken:
      
         - xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING
      
         - bluetooth: fix setsockopt not validating user input
      
         - af_unix: clear stale u->oob_skb.
      
         - nfc: llcp: fix nfc_llcp_setsockopt() unsafe copies
      
         - drv: virtio_net: fix guest hangup on invalid RSS update
      
         - drv: mlx5e: Fix mlx5e_priv_init() cleanup flow
      
         - dsa: mt7530: trap link-local frames regardless of ST Port State"
      
      * tag 'net-6.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (59 commits)
        net: ena: Set tx_info->xdpf value to NULL
        net: ena: Fix incorrect descriptor free behavior
        net: ena: Wrong missing IO completions check order
        net: ena: Fix potential sign extension issue
        af_unix: Fix garbage collector racing against connect()
        net: dsa: mt7530: trap link-local frames regardless of ST Port State
        Revert "s390/ism: fix receive message buffer allocation"
        net: sparx5: fix wrong config being used when reconfiguring PCS
        net/mlx5: fix possible stack overflows
        net/mlx5: Disallow SRIOV switchdev mode when in multi-PF netdev
        net/mlx5e: RSS, Block XOR hash with over 128 channels
        net/mlx5e: Do not produce metadata freelist entries in Tx port ts WQE xmit
        net/mlx5e: HTB, Fix inconsistencies with QoS SQs number
        net/mlx5e: Fix mlx5e_priv_init() cleanup flow
        net/mlx5e: RSS, Block changing channels number when RXFH is configured
        net/mlx5: Correctly compare pkt reformat ids
        net/mlx5: Properly link new fs rules into the tree
        net/mlx5: offset comp irq index in name by one
        net/mlx5: Register devlink first under devlink lock
        net/mlx5: E-switch, store eswitch pointer before registering devlink_param
        ...
    • Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · ab4319fd
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "The most important fix is the sg one because the regression it fixes
        (spurious warning and use after final put) is already backported to
        stable.
      
        The next biggest impact is the target fix for wrong credentials used
        to load a module because it's affecting new kernels installed on
        selinux based distributions.
      
        The other three fixes are an obvious off by one and SATA protocol
        issues"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: qla2xxx: Fix off by one in qla_edif_app_getstats()
        scsi: hisi_sas: Modify the deadline for ata_wait_after_reset()
        scsi: hisi_sas: Handle the NCQ error returned by D2H frame
        scsi: target: Fix SELinux error when systemd-modules loads the target module
        scsi: sg: Avoid race in error handling & drop bogus warn
    • Merge tag 'loongarch-fixes-6.9-1' of... · 5de6b467
      Linus Torvalds authored
      Merge tag 'loongarch-fixes-6.9-1' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson
      
      Pull LoongArch fixes from Huacai Chen:
      
       - make {virt, phys, page, pfn} translation work with KFENCE for
         LoongArch (otherwise NVMe and virtio-blk cannot work with KFENCE
         enabled)
      
       - update dts files for Loongson-2K series to make devices work
         correctly
      
       - fix a build error
      
      * tag 'loongarch-fixes-6.9-1' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson:
        LoongArch: Include linux/sizes.h in addrspace.h to prevent build errors
        LoongArch: Update dts for Loongson-2K2000 to support GMAC/GNET
        LoongArch: Update dts for Loongson-2K2000 to support PCI-MSI
        LoongArch: Update dts for Loongson-2K2000 to support ISA/LPC
        LoongArch: Update dts for Loongson-2K1000 to support ISA/LPC
        LoongArch: Make virt_addr_valid()/__virt_addr_valid() work with KFENCE
        LoongArch: Make {virt, phys, page, pfn} translation work with KFENCE
        mm: Move lowmem_page_address() a little later
      5de6b467
    • Merge tag 'bcachefs-2024-04-10' of https://evilpiepirate.org/git/bcachefs · e1dc191d
      Linus Torvalds authored
      Pull more bcachefs fixes from Kent Overstreet:
       "Notable user impacting bugs
      
         - On multi device filesystems, recovery was looping in
           btree_trans_too_many_iters(). This checks if a transaction has
           touched too many btree paths (because of iteration over many keys),
           and issues a restart to drop unneeded paths.
      
           But it's now possible for some paths to exceed the previous limit
           without iteration in the interior btree update path, since the
           transaction commit will do alloc updates for every old and new
           btree node, and during journal replay we don't use the btree write
           buffer for locking reasons and thus those updates use btree paths
           when they wouldn't normally.
      
         - Fix a corner case in rebalance when moving extents on a
           durability=0 device. This wouldn't be hit when a device was
           formatted with durability=0 since in that case we'll only use it as
           a write through cache (only cached extents will live on it), but
           durability can now be changed on an existing device.
      
         - bch2_get_acl() could rarely forget to handle a transaction restart;
           this manifested as the occasional missing acl that came back after
           dropping caches.
      
         - Fix a major performance regression on high iops multithreaded write
           workloads (only since 6.9-rc1); a previous fix for a deadlock in
           the interior btree update path to check the journal watermark
           introduced a dependency on the state of btree write buffer flushing
           that we didn't want.
      
         - Assorted other repair paths and recovery fixes"
      
      * tag 'bcachefs-2024-04-10' of https://evilpiepirate.org/git/bcachefs: (25 commits)
        bcachefs: Fix __bch2_btree_and_journal_iter_init_node_iter()
        bcachefs: Kill read lock dropping in bch2_btree_node_lock_write_nofail()
        bcachefs: Fix a race in btree_update_nodes_written()
        bcachefs: btree_node_scan: Respect member.data_allowed
        bcachefs: Don't scan for btree nodes when we can reconstruct
        bcachefs: Fix check_topology() when using node scan
        bcachefs: fix eytzinger0_find_gt()
        bcachefs: fix bch2_get_acl() transaction restart handling
        bcachefs: fix the count of nr_freed_pcpu after changing bc->freed_nonpcpu list
        bcachefs: Fix gap buffer bug in bch2_journal_key_insert_take()
        bcachefs: Rename struct field swap to prevent macro naming collision
        MAINTAINERS: Add entry for bcachefs documentation
        Documentation: filesystems: Add bcachefs toctree
        bcachefs: JOURNAL_SPACE_LOW
        bcachefs: Disable errors=panic for BCH_IOCTL_FSCK_OFFLINE
        bcachefs: Fix BCH_IOCTL_FSCK_OFFLINE for encrypted filesystems
        bcachefs: fix rand_delete unit test
        bcachefs: fix ! vs ~ typo in __clear_bit_le64()
        bcachefs: Fix rebalance from durability=0 device
        bcachefs: Print shutdown journal sequence number
        ...
      e1dc191d
    • Merge tag 'tag-chrome-platform-fixes-for-v6.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux · 346668f0
      Linus Torvalds authored
      Pull chrome platform fix from Tzung-Bi Shih:
       "Fix a NULL pointer dereference"
      
      * tag 'tag-chrome-platform-fixes-for-v6.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux:
        platform/chrome: cros_ec_uart: properly fix race condition
      346668f0
    • Merge branch 'acpi-bus' · d7da7e7c
      Rafael J. Wysocki authored
      * acpi-bus:
        ACPI: bus: allow _UID matching for integer zero
      d7da7e7c
    • ceph: redirty page before returning AOP_WRITEPAGE_ACTIVATE · b372e96b
      NeilBrown authored
      The page has been marked clean before writepage is called.  If we don't
      redirty it before postponing the write, it might never get written.
      
      Cc: stable@vger.kernel.org
      Fixes: 503d4fa6 ("ceph: remove reliance on bdi congestion")
      Signed-off-by: NeilBrown <neilb@suse.de>
      Reviewed-by: Jeff Layton <jlayton@kernel.org>
      Reviewed-by: Xiubo Li <xiubli@redhat.org>
      Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
      b372e96b
    • drm/xe: Label RING_CONTEXT_CONTROL as masked · f76646c8
      Ashutosh Dixit authored
      RING_CONTEXT_CONTROL is a masked register.
      
      v2: Also clean up setting register value (Lucas)
      Reviewed-by: Matt Roper <matthew.d.roper@intel.com>
      Reviewed-by: Lucas De Marchi <lucas.demarchi@intel.com>
      Signed-off-by: Ashutosh Dixit <ashutosh.dixit@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20240404161256.3852502-1-ashutosh.dixit@intel.com
      (cherry picked from commit dc30c6e7)
      Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
      f76646c8
    • drm/xe/xe_migrate: Cast to output precision before multiplying operands · 9cb46b31
      Himal Prasad Ghimiray authored
      Addressing potential overflow in result of multiplication of two lower
      precision (u32) operands before widening it to higher precision
      (u64).
      
      -v2
      Fix commit message and description. (Rodrigo)
      
      Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
      Signed-off-by: Himal Prasad Ghimiray <himal.prasad.ghimiray@intel.com>
      Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20240401175300.3823653-1-himal.prasad.ghimiray@intel.com
      Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
      (cherry picked from commit 34820967)
      Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
      9cb46b31
    • drm/xe/hwmon: Cast result to output precision on left shift of operand · a8ad8715
      Karthik Poosa authored
      Address potential overflow in result of left shift of a
      lower precision (u32) operand before assignment to higher
      precision (u64) variable.
      
      v2:
       - Update commit message. (Himal)
      
      Fixes: 4446fcf2 ("drm/xe/hwmon: Expose power1_max_interval")
      Signed-off-by: Karthik Poosa <karthik.poosa@intel.com>
      Reviewed-by: Anshuman Gupta <anshuman.gupta@intel.com>
      Cc: Badal Nilawar <badal.nilawar@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20240405130127.1392426-5-karthik.poosa@intel.com
      Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
      (cherry picked from commit 883232b4)
      Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
      a8ad8715
    • drm/xe/display: Fix double mutex initialization · 50a9b7fc
      Lucas De Marchi authored
      All of these mutexes are already initialized by the display side since
      commit 3fef3e6f ("drm/i915: move display mutex inits to display
      code"), so the xe shouldn't initialize them.
      
      Fixes: 44e69495 ("drm/xe/display: Implement display support")
      Cc: Jani Nikula <jani.nikula@linux.intel.com>
      Cc: Arun R Murthy <arun.r.murthy@intel.com>
      Reviewed-by: Jani Nikula <jani.nikula@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20240405200711.2041428-1-lucas.demarchi@intel.com
      Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
      (cherry picked from commit 117de185)
      Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
      50a9b7fc
    • Merge branch 'ena-driver-bug-fixes' · 4e1ad31c
      Paolo Abeni authored
      David Arinzon says:
      
      ====================
      ENA driver bug fixes
      
      From: David Arinzon <darinzon@amazon.com>
      
      This patchset contains multiple bug fixes for the
      ENA driver.
      ====================
      
      Link: https://lore.kernel.org/r/20240410091358.16289-1-darinzon@amazon.com
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      4e1ad31c
    • net: ena: Set tx_info->xdpf value to NULL · 36a1ca01
      David Arinzon authored
      The patch mentioned in the `Fixes` tag removed the explicit assignment
      of tx_info->xdpf to NULL with the justification that there's no need
      to set tx_info->xdpf to NULL and tx_info->num_of_bufs to 0 in case
      of a mapping error. Both values won't be used once the mapping function
      returns an error, and their values would be overridden by the next
      transmitted packet.
      
      While both values do indeed get overridden in the next transmission
      call, the value of tx_info->xdpf is also used to check whether a TX
      descriptor's transmission has been completed (i.e. a completion for it
      was polled).
      
      An example scenario:
      1. Mapping failed, tx_info->xdpf wasn't set to NULL
      2. A VF reset occurred leading to IO resource destruction and
         a call to ena_free_tx_bufs() function
      3. Although the descriptor whose mapping failed was freed by the
         transmission function, it still passes the check
           if (!tx_info->skb)
      
         (skb and xdp_frame are in a union)
      4. The xdp_frame associated with the descriptor is freed twice
      
      This patch returns the assignment of NULL to tx_info->xdpf to make the
      cleaning function know that the descriptor is already freed.
      
      Fixes: 504fd6a5 ("net: ena: fix DMA mapping function issues in XDP")
      Signed-off-by: Shay Agroskin <shayagr@amazon.com>
      Signed-off-by: David Arinzon <darinzon@amazon.com>
      Reviewed-by: Shannon Nelson <shannon.nelson@amd.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      36a1ca01
    • net: ena: Fix incorrect descriptor free behavior · bf02d9fe
      David Arinzon authored
      ENA has two types of TX queues:
      - queues which only process TX packets arriving from the network stack
      - queues which only process TX packets forwarded to it by XDP_REDIRECT
        or XDP_TX instructions
      
      The ena_free_tx_bufs() cycles through all descriptors in a TX queue
      and unmaps + frees every descriptor that hasn't been acknowledged yet
      by the device (uncompleted TX transactions).
      The function assumes that the processed TX queue is necessarily from
      the first category listed above and ends up using napi_consume_skb()
      for descriptors belonging to an XDP specific queue.
      
      This patch solves a bug in which, in case of a VF reset, the
      descriptors aren't freed correctly, leading to crashes.
      
      Fixes: 548c4940 ("net: ena: Implement XDP_TX action")
      Signed-off-by: Shay Agroskin <shayagr@amazon.com>
      Signed-off-by: David Arinzon <darinzon@amazon.com>
      Reviewed-by: Shannon Nelson <shannon.nelson@amd.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      bf02d9fe
    • net: ena: Wrong missing IO completions check order · f7e41718
      David Arinzon authored
      Missing IO completions check is called every second (HZ jiffies).
      This commit fixes several issues with this check:
      
      1. Duplicate queues check:
         Max of 4 queues are scanned on each check due to monitor budget.
         Once reaching the budget, this check exits under the assumption that
         the next check will continue to scan the remainder of the queues,
         but in practice, next check will first scan the last already scanned
         queue which is not necessary and may cause the full queue scan to
         last a couple of seconds longer.
         The fix is to start every check with the next queue to scan.
         For example, on 8 IO queues:
         Bug: [0,1,2,3], [3,4,5,6], [6,7]
         Fix: [0,1,2,3], [4,5,6,7]
      
      2. Unbalanced queues check:
         In case the number of active IO queues is not a multiple of budget,
         there will be checks which don't utilize the full budget
         because the full scan exits when reaching the last queue id.
         The fix is to run every TX completion check with exact queue budget
         regardless of the queue id.
         For example, on 7 IO queues:
         Bug: [0,1,2,3], [4,5,6], [0,1,2,3]
         Fix: [0,1,2,3], [4,5,6,0], [1,2,3,4]
         The budget may be lowered in case the number of IO queues is less
         than the budget (4) to make sure there are no duplicate queues on
         the same check.
         For example, on 3 IO queues:
         Bug: [0,1,2,0], [1,2,0,1]
         Fix: [0,1,2], [0,1,2]
      
      Fixes: 1738cd3e ("net: ena: Add a driver for Amazon Elastic Network Adapters (ENA)")
      Signed-off-by: Amit Bernstein <amitbern@amazon.com>
      Signed-off-by: David Arinzon <darinzon@amazon.com>
      Reviewed-by: Shannon Nelson <shannon.nelson@amd.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      f7e41718
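The scan order described in the commit above, as an added model that is not the ENA driver's code. The function names and the `cursor` variable are assumptions made for this sketch; `check_old` models only issue 1 (resuming at the last queue already scanned), and `check_fixed` models the order listed on the "Fix:" lines.

```c
#include <stdio.h>

#define MONITOR_BUDGET 4   /* "Max of 4 queues are scanned on each check" */

typedef int (*check_fn)(int nq, int *cursor, int out[]);

/* Pre-fix model of issue 1: a check resumes at the last queue it already
 * scanned and stops at the highest queue id. */
static int check_old(int nq, int *cursor, int out[])
{
    int n = 0;
    for (int q = *cursor; q < nq && n < MONITOR_BUDGET; q++)
        out[n++] = q;
    /* Wrap to queue 0 only after the last queue id has been scanned. */
    *cursor = (out[n - 1] == nq - 1) ? 0 : out[n - 1];
    return n;
}

/* Fixed model: every check scans exactly min(budget, nq) queues, starting
 * at the queue after the last one scanned and wrapping around. */
static int check_fixed(int nq, int *cursor, int out[])
{
    int budget = nq < MONITOR_BUDGET ? nq : MONITOR_BUDGET;
    for (int i = 0; i < budget; i++) {
        out[i] = *cursor;
        *cursor = (*cursor + 1) % nq;
    }
    return budget;
}

/* Number of periodic checks needed until every queue was scanned once. */
static int checks_to_cover(check_fn check, int nq)
{
    int seen[64] = {0}, covered = 0, cursor = 0, checks = 0;
    int out[MONITOR_BUDGET];
    while (covered < nq) {
        int n = check(nq, &cursor, out);
        for (int i = 0; i < n; i++)
            if (!seen[out[i]]++)
                covered++;
        checks++;
    }
    return checks;
}

int main(void)
{
    int sizes[] = {8, 7, 3};   /* queue counts used in the commit message */
    for (int s = 0; s < 3; s++) {
        int cursor = 0, out[MONITOR_BUDGET];
        printf("%d queues, fixed order:", sizes[s]);
        for (int c = 0; c < 3; c++) {
            int n = check_fixed(sizes[s], &cursor, out);
            printf(" [");
            for (int i = 0; i < n; i++)
                printf(i ? ",%d" : "%d", out[i]);
            printf("]");
        }
        printf("\n");
    }
    printf("checks to cover 8 queues: old=%d fixed=%d\n",
           checks_to_cover(check_old, 8), checks_to_cover(check_fixed, 8));
    return 0;
}
```

With the check running once per second, each extra check needed to cover all queues is one more second before a stalled queue is noticed.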
    • net: ena: Fix potential sign extension issue · 713a8519
      David Arinzon authored
      Small unsigned types are promoted to larger signed types in
      the case of multiplication, the result of which may overflow.
      In case the result of such a multiplication has its MSB
      turned on, it will be sign extended with '1's.
      This changes the multiplication result.
      
      Code example of the phenomenon:
      -------------------------------
      u16 x, y;
      size_t z1, z2;
      
      x = y = 0xffff;
      printk("x=%x y=%x\n",x,y);
      
      z1 = x*y;
      z2 = (size_t)x*y;
      
      printk("z1=%lx z2=%lx\n", z1, z2);
      
      Output:
      -------
      x=ffff y=ffff
      z1=fffffffffffe0001 z2=fffe0001
      
      The expected result of ffff*ffff is fffe0001, and without the
      explicit casting to avoid the unwanted sign extension we got
      fffffffffffe0001.
      
      This commit adds an explicit casting to avoid the sign extension
      issue.
      
      Fixes: 689b2bda ("net: ena: add functions for handling Low Latency Queues in ena_com")
      Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
      Signed-off-by: David Arinzon <darinzon@amazon.com>
      Reviewed-by: Shannon Nelson <shannon.nelson@amd.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      713a8519
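The width bugs named in the commit above and in the two drm/xe commits earlier in this list (multiplying u32 operands before widening, and left-shifting a u32 before assignment to a u64), side by side in user-space C. This is an added example, not code from any of those patches; the function names are hypothetical, and `uint64_t` stands in for a 64-bit `size_t`.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Models `size_t z = x * y;` with u16 operands. Both operands are promoted
 * to int, so the product is a 32-bit signed value. The kernel is built with
 * -fno-strict-overflow, so the product wraps; the wrap is written out here
 * through uint32_t to keep this user-space model free of signed overflow. */
static uint64_t mul_u16_promoted(uint16_t x, uint16_t y)
{
    int32_t as_int = (int32_t)((uint32_t)x * (uint32_t)y);
    return (uint64_t)as_int;            /* negative int is sign-extended */
}

/* Casting one operand first makes the whole multiplication 64-bit. */
static uint64_t mul_u16_cast(uint16_t x, uint16_t y)
{
    return (uint64_t)x * y;
}

/* u32 * u32 is computed modulo 2^32, and only then widened. */
static uint64_t mul_u32_narrow(uint32_t a, uint32_t b)
{
    return a * b;
}

static uint64_t mul_u32_wide(uint32_t a, uint32_t b)
{
    return (uint64_t)a * b;
}

/* A u32 shifted left loses its high bits before the widening assignment.
 * The shift count must stay below 32 for the narrow form. */
static uint64_t shl_u32_narrow(uint32_t v, unsigned int s)
{
    return v << s;
}

static uint64_t shl_u32_wide(uint32_t v, unsigned int s)
{
    return (uint64_t)v << s;
}

int main(void)
{
    /* Constructed operands chosen to cross the 32-bit boundary. */
    printf("u16*u16 promoted: %" PRIx64 "  cast first: %" PRIx64 "\n",
           mul_u16_promoted(0xffff, 0xffff), mul_u16_cast(0xffff, 0xffff));
    printf("u32*u32 narrow:   %" PRIx64 "  cast first: %" PRIx64 "\n",
           mul_u32_narrow(0x10000u, 0x10000u), mul_u32_wide(0x10000u, 0x10000u));
    printf("u32<<4 narrow:    %" PRIx64 "  cast first: %" PRIx64 "\n",
           shl_u32_narrow(0x80000001u, 4), shl_u32_wide(0x80000001u, 4));
    return 0;
}
```

The u16 case yields a value that is too large, while the u32 cases yield one that is too small, so a bounds check placed after the arithmetic can be defeated in either direction.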
    • Merge tag 'for-net-2024-04-10' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth · fe3eb406
      Paolo Abeni authored
      Luiz Augusto von Dentz says:
      
      ====================
      bluetooth pull request for net:
      
        - L2CAP: Don't double set the HCI_CONN_MGMT_CONNECTED bit
        - Fix memory leak in hci_req_sync_complete
        - hci_sync: Fix using the same interval and window for Coded PHY
        - Fix not validating setsockopt user input
      
      * tag 'for-net-2024-04-10' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:
        Bluetooth: l2cap: Don't double set the HCI_CONN_MGMT_CONNECTED bit
        Bluetooth: hci_sock: Fix not validating setsockopt user input
        Bluetooth: ISO: Fix not validating setsockopt user input
        Bluetooth: L2CAP: Fix not validating setsockopt user input
        Bluetooth: RFCOMM: Fix not validating setsockopt user input
        Bluetooth: SCO: Fix not validating setsockopt user input
        Bluetooth: Fix memory leak in hci_req_sync_complete()
        Bluetooth: hci_sync: Fix using the same interval and window for Coded PHY
        Bluetooth: ISO: Don't reject BT_ISO_QOS if parameters are unset
      ====================
      
      Link: https://lore.kernel.org/r/20240410191610.4156653-1-luiz.dentz@gmail.com
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      fe3eb406
    • af_unix: Fix garbage collector racing against connect() · 47d8ac01
      Michal Luczaj authored
      Garbage collector does not take into account the risk of embryo getting
      enqueued during the garbage collection. If such embryo has a peer that
      carries SCM_RIGHTS, two consecutive passes of scan_children() may see a
      different set of children, leading to an incorrectly elevated inflight
      count, and then a dangling pointer within the gc_inflight_list.
      
      sockets are AF_UNIX/SOCK_STREAM
      S is an unconnected socket
      L is a listening in-flight socket bound to addr, not in fdtable
      V's fd will be passed via sendmsg(), gets inflight count bumped
      
      connect(S, addr)	sendmsg(S, [V]); close(V)	__unix_gc()
      ----------------	-------------------------	-----------
      
      NS = unix_create1()
      skb1 = sock_wmalloc(NS)
      L = unix_find_other(addr)
      unix_state_lock(L)
      unix_peer(S) = NS
      			// V count=1 inflight=0
      
       			NS = unix_peer(S)
       			skb2 = sock_alloc()
      			skb_queue_tail(NS, skb2[V])
      
      			// V became in-flight
      			// V count=2 inflight=1
      
      			close(V)
      
      			// V count=1 inflight=1
      			// GC candidate condition met
      
      						for u in gc_inflight_list:
      						  if (total_refs == inflight_refs)
      						    add u to gc_candidates
      
      						// gc_candidates={L, V}
      
      						for u in gc_candidates:
      						  scan_children(u, dec_inflight)
      
      						// embryo (skb1) was not
      						// reachable from L yet, so V's
      						// inflight remains unchanged
      __skb_queue_tail(L, skb1)
      unix_state_unlock(L)
      						for u in gc_candidates:
      						  if (u.inflight)
      						    scan_children(u, inc_inflight_move_tail)
      
      						// V count=1 inflight=2 (!)
      
      If there is a GC-candidate listening socket, lock/unlock its state. This
      makes GC wait until the end of any ongoing connect() to that socket. After
      flipping the lock, a possibly SCM-laden embryo is already enqueued. And if
      there is another embryo coming, it can not possibly carry SCM_RIGHTS. At
      this point, unix_inflight() can not happen because unix_gc_lock is already
      taken. Inflight graph remains unaffected.
      
      Fixes: 1fd05ba5 ("[AF_UNIX]: Rewrite garbage collector, fixes race.")
      Signed-off-by: Michal Luczaj <mhal@rbox.co>
      Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
      Link: https://lore.kernel.org/r/20240409201047.1032217-1-mhal@rbox.co
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      47d8ac01