1. 21 Dec, 2021 1 commit
    • ipmi: Fix UAF when uninstall ipmi_si and ipmi_msghandler module · ffb76a86
      Wu Bo authored
      Hi,
      
      When testing install and uninstall of ipmi_si.ko and ipmi_msghandler.ko,
      the system crashed.
      
      The log as follows:
      [  141.087026] BUG: unable to handle kernel paging request at ffffffffc09b3a5a
      [  141.087241] PGD 8fe4c0d067 P4D 8fe4c0d067 PUD 8fe4c0f067 PMD 103ad89067 PTE 0
      [  141.087464] Oops: 0010 [#1] SMP NOPTI
      [  141.087580] CPU: 67 PID: 668 Comm: kworker/67:1 Kdump: loaded Not tainted 4.18.0.x86_64 #47
      [  141.088009] Workqueue: events 0xffffffffc09b3a40
      [  141.088009] RIP: 0010:0xffffffffc09b3a5a
      [  141.088009] Code: Bad RIP value.
      [  141.088009] RSP: 0018:ffffb9094e2c3e88 EFLAGS: 00010246
      [  141.088009] RAX: 0000000000000000 RBX: ffff9abfdb1f04a0 RCX: 0000000000000000
      [  141.088009] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246
      [  141.088009] RBP: 0000000000000000 R08: ffff9abfffee3cb8 R09: 00000000000002e1
      [  141.088009] R10: ffffb9094cb73d90 R11: 00000000000f4240 R12: ffff9abfffee8700
      [  141.088009] R13: 0000000000000000 R14: ffff9abfdb1f04a0 R15: ffff9abfdb1f04a8
      [  141.088009] FS:  0000000000000000(0000) GS:ffff9abfffec0000(0000) knlGS:0000000000000000
      [  141.088009] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  141.088009] CR2: ffffffffc09b3a30 CR3: 0000008fe4c0a001 CR4: 00000000007606e0
      [  141.088009] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  141.088009] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [  141.088009] PKRU: 55555554
      [  141.088009] Call Trace:
      [  141.088009]  ? process_one_work+0x195/0x390
      [  141.088009]  ? worker_thread+0x30/0x390
      [  141.088009]  ? process_one_work+0x390/0x390
      [  141.088009]  ? kthread+0x10d/0x130
      [  141.088009]  ? kthread_flush_work_fn+0x10/0x10
      [  141.088009]  ? ret_from_fork+0x35/0x40] BUG: unable to handle kernel paging request at ffffffffc0b28a5a
      [  200.223240] PGD 97fe00d067 P4D 97fe00d067 PUD 97fe00f067 PMD a580cbf067 PTE 0
      [  200.223464] Oops: 0010 [#1] SMP NOPTI
      [  200.223579] CPU: 63 PID: 664 Comm: kworker/63:1 Kdump: loaded Not tainted 4.18.0.x86_64 #46
      [  200.224008] Workqueue: events 0xffffffffc0b28a40
      [  200.224008] RIP: 0010:0xffffffffc0b28a5a
      [  200.224008] Code: Bad RIP value.
      [  200.224008] RSP: 0018:ffffbf3c8e2a3e88 EFLAGS: 00010246
      [  200.224008] RAX: 0000000000000000 RBX: ffffa0799ad6bca0 RCX: 0000000000000000
      [  200.224008] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246
      [  200.224008] RBP: 0000000000000000 R08: ffff9fe43fde3cb8 R09: 00000000000000d5
      [  200.224008] R10: ffffbf3c8cb53d90 R11: 00000000000f4240 R12: ffff9fe43fde8700
      [  200.224008] R13: 0000000000000000 R14: ffffa0799ad6bca0 R15: ffffa0799ad6bca8
      [  200.224008] FS:  0000000000000000(0000) GS:ffff9fe43fdc0000(0000) knlGS:0000000000000000
      [  200.224008] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  200.224008] CR2: ffffffffc0b28a30 CR3: 00000097fe00a002 CR4: 00000000007606e0
      [  200.224008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  200.224008] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [  200.224008] PKRU: 55555554
      [  200.224008] Call Trace:
      [  200.224008]  ? process_one_work+0x195/0x390
      [  200.224008]  ? worker_thread+0x30/0x390
      [  200.224008]  ? process_one_work+0x390/0x390
      [  200.224008]  ? kthread+0x10d/0x130
      [  200.224008]  ? kthread_flush_work_fn+0x10/0x10
      [  200.224008]  ? ret_from_fork+0x35/0x40
      [  200.224008] kernel fault(0x1) notification starting on CPU 63
      [  200.224008] kernel fault(0x1) notification finished on CPU 63
      [  200.224008] CR2: ffffffffc0b28a5a
      [  200.224008] ---[ end trace c82a412d93f57412 ]---
      
      The reason is as follows:
      T1: rmmod ipmi_si.
          ->ipmi_unregister_smi()
              -> ipmi_bmc_unregister()
                  -> __ipmi_bmc_unregister()
                      -> kref_put(&bmc->usecount, cleanup_bmc_device);
                          -> schedule_work(&bmc->remove_work);
      
      T2: rmmod ipmi_msghandler.
          The ipmi_msghandler module is uninstalled, and its module space
          will be freed.
      
      T3: bmc->remove_work runs to clean up the bmc resources.
          -> cleanup_bmc_work()
              -> platform_device_unregister(&bmc->pdev);
                  -> platform_device_del(pdev);
                      -> device_del(&pdev->dev);
                          -> kobject_uevent(&dev->kobj, KOBJ_REMOVE);
                              -> kobject_uevent_env()
                                  -> dev_uevent()
                                      -> if (dev->type && dev->type->name)
      
         The 'dev->type' (bmc_device_type) pointer space has been freed when the
         ipmi_msghandler module was uninstalled, so 'dev->type->name' causes the
         system crash.
      
      drivers/char/ipmi/ipmi_msghandler.c:
      static const struct device_type bmc_device_type = {
              .groups         = bmc_dev_attr_groups,
      };
      
      Steps to reproduce:
      Add a time delay in cleanup_bmc_work() function,
      and uninstall ipmi_si and ipmi_msghandler module.
      
      static void cleanup_bmc_work(struct work_struct *work)
      {
              struct bmc_device *bmc = container_of(work, struct bmc_device,
                                                    remove_work);
              int id = bmc->pdev.id; /* Unregister overwrites id */

              msleep(3000);   <--- delay added to widen the window
              platform_device_unregister(&bmc->pdev);
              ida_simple_remove(&ipmi_bmc_ida, id);
      }
      
      Use 'remove_work_wq' instead of 'system_wq' to solve this issue.
      
      Fixes: b2cfd8ab ("ipmi: Rework device id and guid handling to catch changing BMCs")
      Signed-off-by: Wu Bo <wubo40@huawei.com>
      Message-Id: <1640070034-56671-1-git-send-email-wubo40@huawei.com>
      Signed-off-by: Corey Minyard <cminyard@mvista.com>
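A userland model of the ordering problem this commit describes, added here as an illustration and not code from the commit or the kernel: a tiny pthread workqueue whose destroy_workqueue() drains pending work before returning, used to contrast remove_work sitting on a shared system_wq (which outlives ipmi_msghandler) with a queue the module owns and tears down in its own exit path. Every type and function is a hypothetical stand-in named after its kernel counterpart, and the module unload is modelled by a flag rather than by freeing memory, so the program stays well defined while still showing which ordering the dev->type->name read observes.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stddef.h>
#include <stdlib.h>
#include <unistd.h>
/* Userland stand-ins for the kernel types; every name here is hypothetical. */
struct work_struct {
	void (*func)(struct work_struct *);
	struct work_struct *next;
};

/* One worker thread draining a list of work items, like a kernel workqueue. */
struct workqueue {
	pthread_mutex_t lock;
	pthread_cond_t cond;
	struct work_struct *head;
	int stopping;
	pthread_t worker;
};

static void *worker_fn(void *arg)
{
	struct workqueue *wq = arg;
	struct work_struct *w;
	for (;;) {
		pthread_mutex_lock(&wq->lock);
		while (!wq->head && !wq->stopping)
			pthread_cond_wait(&wq->cond, &wq->lock);
		if ((w = wq->head))
			wq->head = w->next;
		pthread_mutex_unlock(&wq->lock);
		if (!w)
			return NULL;	/* stopping and the queue is fully drained */
		w->func(w);
	}
}

static struct workqueue *create_workqueue(void)
{
	struct workqueue *wq = calloc(1, sizeof(*wq));
	pthread_mutex_init(&wq->lock, NULL);
	pthread_cond_init(&wq->cond, NULL);
	pthread_create(&wq->worker, NULL, worker_fn, wq);
	return wq;
}

static void queue_work(struct workqueue *wq, struct work_struct *w)
{
	pthread_mutex_lock(&wq->lock);
	w->next = wq->head;	/* LIFO order is fine for this model */
	wq->head = w;
	pthread_cond_signal(&wq->cond);
	pthread_mutex_unlock(&wq->lock);
}

/* Like destroy_workqueue(): every pending item has run before this returns. */
static void destroy_workqueue(struct workqueue *wq)
{
	pthread_mutex_lock(&wq->lock);
	wq->stopping = 1;
	pthread_cond_signal(&wq->cond);
	pthread_mutex_unlock(&wq->lock);
	pthread_join(wq->worker, NULL);
	free(wq);
}

struct device_type { const char *name; };
/* Static data in ipmi_msghandler's module image; the flag models its unload. */
static const struct device_type bmc_device_type = { .name = "bmc" };
static atomic_int msghandler_unloaded;
struct bmc_device {
	const struct device_type *type;
	struct work_struct remove_work;
	int saw_unloaded;	/* 1 if the work ran after the module was gone */
};

static void cleanup_bmc_work(struct work_struct *w)
{
	struct bmc_device *bmc = (struct bmc_device *)
		((char *)w - offsetof(struct bmc_device, remove_work));
	usleep(100 * 1000);	/* the reproducer's msleep(3000), shortened */
	bmc->saw_unloaded = atomic_load(&msghandler_unloaded);
	(void)bmc->type->name;	/* dev_uevent()'s read; in the kernel, the oops */
}

/* 1 if remove_work ran after "rmmod ipmi_msghandler" (the bug), else 0.
 * use_private_wq selects the fixed layout with a module-owned queue. */
static int simulate_rmmod(int use_private_wq)
{
	struct workqueue *system_wq = create_workqueue();
	struct workqueue *remove_work_wq = use_private_wq ? create_workqueue() : NULL;
	struct bmc_device bmc = { .type = &bmc_device_type, .saw_unloaded = -1 };
	atomic_store(&msghandler_unloaded, 0);
	bmc.remove_work.func = cleanup_bmc_work;
	/* T1: rmmod ipmi_si -> kref_put() -> schedule_work(&bmc->remove_work) */
	queue_work(use_private_wq ? remove_work_wq : system_wq, &bmc.remove_work);
	/* T2: rmmod ipmi_msghandler; with the fix, module exit destroys its own
	 * queue first, and that cannot return while remove_work is still pending. */
	if (use_private_wq)
		destroy_workqueue(remove_work_wq);
	atomic_store(&msghandler_unloaded, 1);
	/* T3 (bug): system_wq outlives the module and runs the work afterwards;
	 * draining it here only lets the model collect the result. */
	destroy_workqueue(system_wq);
	return bmc.saw_unloaded;
}
```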
  2. 17 Dec, 2021 2 commits
  3. 08 Dec, 2021 1 commit
    • ipmi: ssif: initialize ssif_info->client early · 34f35f8f
      Mian Yousaf Kaukab authored
      During probe ssif_info->client is dereferenced in the error path. However,
      it is set when some of the error checking has already been done. This
      causes the following kernel crash if an error path is taken:
      
      [   30.645593][  T674] ipmi_ssif 0-000e: ipmi_ssif: Not probing, Interface already present
      [   30.657616][  T674] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000088
      ...
      [   30.657723][  T674] pc : __dev_printk+0x28/0xa0
      [   30.657732][  T674] lr : _dev_err+0x7c/0xa0
      ...
      [   30.657772][  T674] Call trace:
      [   30.657775][  T674]  __dev_printk+0x28/0xa0
      [   30.657778][  T674]  _dev_err+0x7c/0xa0
      [   30.657781][  T674]  ssif_probe+0x548/0x900 [ipmi_ssif 62ce4b08badc1458fd896206d9ef69a3c31f3d3e]
      [   30.657791][  T674]  i2c_device_probe+0x37c/0x3c0
      ...
      
      Initialize ssif_info->client before any error path can be taken. Clear
      i2c_client data in the error path to prevent the dangling pointer from
      leaking.
      
      Fixes: c4436c91 ("ipmi_ssif: avoid registering duplicate ssif interface")
      Cc: stable@vger.kernel.org # 5.4.x
      Suggested-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Mian Yousaf Kaukab <ykaukab@suse.de>
      Message-Id: <20211208093239.4432-1-ykaukab@suse.de>
      Signed-off-by: Corey Minyard <cminyard@mvista.com>
  4. 03 Dec, 2021 9 commits
    • Merge tag 'vfio-v5.16-rc4' of git://github.com/awilliam/linux-vfio · 12119cfa
      Linus Torvalds authored
      Pull VFIO fixes from Alex Williamson:
      
       - Fix OpRegion pointer arithmetic (Zhenyu Wang)
      
       - Fix comment format triggering kernel-doc warnings (Randy Dunlap)
      
      * tag 'vfio-v5.16-rc4' of git://github.com/awilliam/linux-vfio:
        vfio/pci: Fix OpRegion read
        vfio: remove all kernel-doc notation
    • Merge tag 'pm-5.16-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 4ec6afd6
      Linus Torvalds authored
      Pull power management fixes from Rafael Wysocki:
       "These fix a CPU hot-add issue in the cpufreq core, fix a comment in
        the cpufreq core code and update its documentation, and disable the
        DTPM (Dynamic Thermal Power Management) code for the time being to
        prevent it from causing issues to appear.
      
        Specifics:
      
         - Disable DTPM for this cycle to prevent it from causing issues to
           appear on otherwise functional systems (Daniel Lezcano)
      
         - Fix cpufreq sysfs interface failure related to physical CPU hot-add
           (Xiongfeng Wang)
      
         - Fix comment in cpufreq core and update its documentation (Tang
           Yizhou)"
      
      * tag 'pm-5.16-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        powercap: DTPM: Drop unused local variable from init_dtpm()
        cpufreq: docs: Update core.rst
        cpufreq: Fix a comment in cpufreq_policy_free
        powercap/drivers/dtpm: Disable DTPM at boot time
        cpufreq: Fix get_cpu_device() failure in add_cpu_dev_symlink()
    • Merge tag 's390-5.16-4' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 757f3e6d
      Linus Torvalds authored
      Pull s390 fixes from Heiko Carstens:
      
       - Fix potential overlap of pseudo-MMIO addresses with MIO addresses
      
       - Fix stack unwinder test case inline assembly compile error that
         happens with LLVM's integrated assembler
      
       - Update defconfigs
      
      * tag 's390-5.16-4' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390: update defconfigs
        s390/pci: move pseudo-MMIO to prevent MIO overlap
        s390/test_unwind: use raw opcode instead of invalid instruction
    • Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · a2aeaeab
      Linus Torvalds authored
      Pull arm64 fixes from Will Deacon:
       "Three arm64 fixes for -rc4.
      
        One of them is just a trivial documentation fix, whereas the other two
        address a warning in the kexec code and a crash in ftrace on systems
        implementing BTI.
      
        The latter patch has a couple of ugly ifdefs which Mark plans to clean
        up separately, but as-is the patch is straightforward for backporting
        to stable kernels.
      
        Summary:
      
         - Add missing BTI landing instructions to the ftrace*_caller
           trampolines
      
         - Fix kexec() WARN when DEBUG_VIRTUAL is enabled
      
         - Fix PAC documentation by removing stale references to compiler
           flags"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: ftrace: add missing BTIs
        arm64: kexec: use __pa_symbol(empty_zero_page)
        arm64: update PAC description for kernel
    • Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · f66062c7
      Linus Torvalds authored
      Pull i2c fixes from Wolfram Sang:
       "I2C has another set of driver bugfixes, mostly for the stm32f7 driver"
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: rk3x: Handle a spurious start completion interrupt flag
        i2c: stm32f7: use proper DMAENGINE API for termination
        i2c: stm32f7: stop dma transfer in case of NACK
        i2c: stm32f7: recover the bus on access timeout
        i2c: stm32f7: flush TX FIFO upon transfer errors
        i2c: cbus-gpio: set atomic transfer callback
    • Merge tag 'libata-5.16-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata · a44f27e4
      Linus Torvalds authored
      Pull libata fixes from Damien Le Moal:
       "Two sparse warning fixes and a couple of patches to fix an issue with
        sata_fsl driver module removal:
      
         - A couple of patches to avoid sparse warnings in libata-sata and in
           the pata_falcon driver (from Yang and Finn).
      
         - A couple of sata_fsl driver patches fixing IRQ free and proc
           unregister on module removal (from Baokun)"
      
      * tag 'libata-5.16-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata:
        ata: replace snprintf in show functions with sysfs_emit
        sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl
        sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl
        pata_falcon: Avoid type warnings from sparse
    • fget: check that the fd still exists after getting a ref to it · 054aa8d4
      Linus Torvalds authored
      Jann Horn points out that there is another possible race wrt Unix domain
      socket garbage collection, somewhat reminiscent of the one fixed in
      commit cbcf0112 ("af_unix: fix garbage collect vs MSG_PEEK").
      
      See the extended comment about the garbage collection requirements added
      to unix_peek_fds() by that commit for details.
      
      The race comes from how we can locklessly look up a file descriptor just
      as it is in the process of being closed, and with the right artificial
      timing (Jann added a few strategic 'mdelay(500)' calls to do that), the
      Unix domain socket garbage collector could see the reference count
      decrement of the close() happen before fget() took its reference to the
      file and the file was attached onto a new file descriptor.
      
      This is all (intentionally) correct on the 'struct file *' side, with
      RCU lookups and lockless reference counting very much part of the
      design.  Getting that reference count out of order isn't a problem per
      se.
      
      But the garbage collector can get confused by seeing this situation of
      having seen a file not having any remaining external references and then
      seeing it being attached to an fd.
      
      In commit cbcf0112 ("af_unix: fix garbage collect vs MSG_PEEK") the
      fix was to serialize the file descriptor install with the garbage
      collector by taking and releasing the unix_gc_lock.
      
      That's not really an option here, but since this all happens when we are
      in the process of looking up a file descriptor, we can instead simply
      just re-check that the file hasn't been closed in the meantime, and just
      re-do the lookup if we raced with a concurrent close() of the same file
      descriptor.
      Reported-and-tested-by: Jann Horn <jannh@google.com>
      Acked-by: Miklos Szeredi <mszeredi@redhat.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge branch 'powercap' · 404c9121
      Rafael J. Wysocki authored
      Merge DTPM fixes for 5.16-rc4.
      
      * powercap:
        powercap: DTPM: Drop unused local variable from init_dtpm()
        powercap/drivers/dtpm: Disable DTPM at boot time
    • powercap: DTPM: Drop unused local variable from init_dtpm() · 1ac5e21d
      Rafael J. Wysocki authored
      The dtpm_descr variable in init_dtpm() is not used after commit
      f751db8a ("powercap/drivers/dtpm: Disable DTPM at boot time"),
      so drop it.
      
      Fixes: f751db8a ("powercap/drivers/dtpm: Disable DTPM at boot time")
      Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
  5. 02 Dec, 2021 27 commits
    • Merge tag 'drm-fixes-2021-12-03-1' of git://anongit.freedesktop.org/drm/drm · 5f58da2b
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Bit of an uptick in patch count this week, though it's all relatively
        small overall.
      
        I suspect msm has been queuing up a few fixes to skew it here.
        Otherwise amdgpu has a scattered bunch of small fixes, and then some
        vc4, i915.
      
        virtio-gpu changes an rc1 introduced uAPI mistake, and makes it
        operate more like other drivers. This should be fine as no userspace
        relies on the behaviour yet.
      
        Summary:
      
        dma-buf:
         - memory leak fix
      
        msm:
         - kasan found memory overwrite
         - mmap flags
         - fencing error bug
         - ioctl NULL ptr
         - uninit var
         - devfreqless devices fix
         - dsi lanes fix
         - dp: avoid unpowered aux xfers
      
        amdgpu:
         - IP discovery based enumeration fixes
         - vkms fixes
         - DSC fixes for DP MST
         - Audio fix for hotplug with tiled displays
         - Misc display fixes
         - DP tunneling fix
         - DP fix
         - Aldebaran fix
      
        amdkfd:
         - Locking fix
         - Static checker fix
         - Fix double free
      
        i915:
         - backlight regression
         - Intel HDR backlight detection fix
         - revert TGL workaround that caused hangs
      
        virtio-gpu:
         - switch back to drm_poll
      
        vc4:
         - memory leak
         - error check fix
         - HVS modesetting fixes"
      
      * tag 'drm-fixes-2021-12-03-1' of git://anongit.freedesktop.org/drm/drm: (41 commits)
        Revert "drm/i915: Implement Wa_1508744258"
        drm/amdkfd: process_info lock not needed for svm
        drm/amdgpu: adjust the kfd reset sequence in reset sriov function
        drm/amd/display: add connector type check for CRC source set
        drm/amdkfd: fix double free mem structure
        drm/amdkfd: set "r = 0" explicitly before goto
        drm/amd/display: Add work around for tunneled MST.
        drm/amd/display: Fix for the no Audio bug with Tiled Displays
        drm/amd/display: Clear DPCD lane settings after repeater training
        drm/amd/display: Allow DSC on supported MST branch devices
        drm/amdgpu: Don't halt RLC on GFX suspend
        drm/amdgpu: fix the missed handling for SDMA2 and SDMA3
        drm/amdgpu: check atomic flag to differeniate with legacy path
        drm/amdgpu: cancel the correct hrtimer on exit
        drm/amdgpu/sriov/vcn: add new vcn ip revision check case for SIENNA_CICHLID
        drm/i915/dp: Perform 30ms delay after source OUI write
        dma-buf: system_heap: Use 'for_each_sgtable_sg' in pages free flow
        drm/i915: Add support for panels with VESA backlights with PWM enable/disable
        drm/vc4: kms: Fix previous HVS commit wait
        drm/vc4: kms: Don't duplicate pending commit
        ...
    • Merge tag 'drm-intel-fixes-2021-12-02' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes · a687efed
      Dave Airlie authored
      
      - Fixing a regression where the backlight brightness control stopped working.
      
      - Fix the Intel HDR backlight support detection.
      
      - Reverting a w/a to fix a gpu hang in TGL. The w/a itself was also
      for a hang, but in a much rarer scenario. The proper solution needs
      to be done with help from user space and it will be addressed later.
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      
      From: Rodrigo Vivi <rodrigo.vivi@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/Yakf9hdnR5or+zNP@intel.com
    • Merge tag 'drm-misc-fixes-2021-12-02' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes · 1152b168
      Dave Airlie authored
      Switch back to drm_poll for virtio, multiple fixes (memory leak,
      improper error check, some functional fixes too) for vc4, memory leak
      fix in dma-buf.
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      
      From: Maxime Ripard <maxime@cerno.tech>
      Link: https://patchwork.freedesktop.org/patch/msgid/20211202084440.u3b7lbeulj7k3ltg@houat
    • Merge tag 'net-5.16-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · a51e3ac4
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from wireless, and wireguard.
      
        Mostly scattered driver changes this week, with one big clump in
        mv88e6xxx. Nothing of note, really.
      
        Current release - regressions:
      
         - smc: keep smc_close_final()'s error code during active close
      
        Current release - new code bugs:
      
         - iwlwifi: various static checker fixes (int overflow, leaks, missing
           error codes)
      
         - rtw89: fix size of firmware header before transfer, avoid crash
      
         - mt76: fix timestamp check in tx_status; fix pktid leak;
      
         - mscc: ocelot: fix missing unlock on error in ocelot_hwstamp_set()
      
        Previous releases - regressions:
      
         - smc: fix list corruption in smc_lgr_cleanup_early
      
         - ipv4: convert fib_num_tclassid_users to atomic_t
      
        Previous releases - always broken:
      
         - tls: fix authentication failure in CCM mode
      
         - vrf: reset IPCB/IP6CB when processing outbound pkts, prevent
           incorrect processing
      
         - dsa: mv88e6xxx: fixes for various device errata
      
         - rds: correct socket tunable error in rds_tcp_tune()
      
         - ipv6: fix memory leak in fib6_rule_suppress
      
         - wireguard: reset peer src endpoint when netns exits
      
         - wireguard: improve resilience to DoS around incoming handshakes
      
         - tcp: fix page frag corruption on page fault which involves TCP
      
         - mpls: fix missing attributes in delete notifications
      
         - mt7915: fix NULL pointer dereference with ad-hoc mode
      
        Misc:
      
         - rt2x00: be more lenient about EPROTO errors during start
      
         - mlx4_en: update reported link modes for 1/10G"
      
      * tag 'net-5.16-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (85 commits)
        net: dsa: b53: Add SPI ID table
        gro: Fix inconsistent indenting
        selftests: net: Correct case name
        net/rds: correct socket tunable error in rds_tcp_tune()
        mctp: Don't let RTM_DELROUTE delete local routes
        net/smc: Keep smc_close_final rc during active close
        ibmvnic: drop bad optimization in reuse_tx_pools()
        ibmvnic: drop bad optimization in reuse_rx_pools()
        net/smc: fix wrong list_del in smc_lgr_cleanup_early
        Fix Comment of ETH_P_802_3_MIN
        ethernet: aquantia: Try MAC address from device tree
        ipv4: convert fib_num_tclassid_users to atomic_t
        net: avoid uninit-value from tcp_conn_request
        net: annotate data-races on txq->xmit_lock_owner
        octeontx2-af: Fix a memleak bug in rvu_mbox_init()
        net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources()
        vrf: Reset IPCB/IP6CB when processing outbound pkts in vrf dev xmit
        net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings()
        net: dsa: mv88e6xxx: Link in pcs_get_state() if AN is bypassed
        net: dsa: mv88e6xxx: Fix inband AN for 2500base-x on 88E6393X family
        ...
    • Merge tag 'trace-v5.16-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · 2b2c0f24
      Linus Torvalds authored
      Pull tracing fixes from Steven Rostedt:
       "Three tracing fixes:
      
         - Allow compares of strings when using signed and unsigned characters
      
         - Fix kmemleak false positive for histogram entries
      
         - Handle negative numbers for user defined kretprobe data sizes"
      
      * tag 'trace-v5.16-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        kprobes: Limit max data_size of the kretprobe instances
        tracing: Fix a kmemleak false positive in tracing_map
        tracing/histograms: String compares should not care about signed values
    • Merge tag 'for-linus-5.16-2' of git://github.com/cminyard/linux-ipmi · df365887
      Linus Torvalds authored
      Pull IPMI fixes from Corey Minyard:
       "Some changes that went in 5.16 had issues. When working on the design
        a piece was redesigned and things got missed. And the message type was
        not being initialized when it was allocated, resulting in crashes.
      
        In addition, the IPMI driver has had a shutdown issue where it could
        still have an item in a system workqueue after it had been shutdown.
        Move to a private workqueue to avoid that problem"
      
      * tag 'for-linus-5.16-2' of git://github.com/cminyard/linux-ipmi:
        ipmi:ipmb: Fix unknown command response
        ipmi: fix IPMI_SMI_MSG_TYPE_IPMB_DIRECT response length checking
        ipmi: fix oob access due to uninit smi_msg type
        ipmi: msghandler: Make symbol 'remove_work_wq' static
        ipmi: Move remove_work to dedicated workqueue
    • s390: update defconfigs · 3c088b1e
      Heiko Carstens authored
      Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
    • Revert "drm/i915: Implement Wa_1508744258" · 72641d8d
      José Roberto de Souza authored
      This workaround is causing hangs, because I missed the fact that it
      needs to be enabled for all cases and disabled when doing a resolve
      pass.
      
      So KMD only needs to whitelist it and UMD will be the one setting it
      on per case.
      
      This reverts commit 28ec02c9.
      
      Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/4145
      Signed-off-by: José Roberto de Souza <jose.souza@intel.com>
      Fixes: 28ec02c9 ("drm/i915: Implement Wa_1508744258")
      Reviewed-by: Matt Atwood <matthew.s.atwood@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20211119140931.32791-1-jose.souza@intel.com
      (cherry picked from commit f3799ff1)
      Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
    • net: dsa: b53: Add SPI ID table · 88362ebf
      Florian Fainelli authored
      Currently autoloading for SPI devices does not use the DT ID table, it
      uses SPI modalises. Supporting OF modalises is going to be difficult if
      not impractical, an attempt was made but has been reverted, so ensure
      that module autoloading works for this driver by adding an id_table
      listing the SPI IDs for everything.
      
      Fixes: 96c8395e ("spi: Revert modalias changes")
      Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • gro: Fix inconsistent indenting · 1ebb87cc
      Jiapeng Chong authored
      Eliminate the following smatch warning:
      
      net/ipv6/ip6_offload.c:249 ipv6_gro_receive() warn: inconsistent
      indenting.
      Reported-by: Abaci Robot <abaci@linux.alibaba.com>
      Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • selftests: net: Correct case name · a05431b2
      Li Zhijian authored
      ipv6_addr_bind/ipv4_addr_bind are function names. Previously, the bind tests
      would not be run by default due to the wrong case names.
      
      Fixes: 34d0302a ("selftests: Add ipv6 address bind tests to fcnal-test")
      Fixes: 75b2b2b3 ("selftests: Add ipv4 address bind tests to fcnal-test")
      Signed-off-by: Li Zhijian <lizhijian@cn.fujitsu.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/rds: correct socket tunable error in rds_tcp_tune() · 19f36edf
      William Kucharski authored
      Correct an error where setting /proc/sys/net/rds/tcp/rds_tcp_rcvbuf would
      instead modify the socket's sk_sndbuf and would leave sk_rcvbuf untouched.
      
      Fixes: c6a58ffe ("RDS: TCP: Add sysctl tunables for sndbuf/rcvbuf on rds-tcp socket")
      Signed-off-by: William Kucharski <william.kucharski@oracle.com>
      Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • mctp: Don't let RTM_DELROUTE delete local routes · 76d00160
      Matt Johnston authored
      We need to test against the existing route type, not
      the rtm_type in the netlink request.
      
      Fixes: 83f0a0b7 ("mctp: Specify route types, require rtm_type in RTM_*ROUTE messages")
      Signed-off-by: Matt Johnston <matt@codeconstruct.com.au>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/smc: Keep smc_close_final rc during active close · 00e158fb
      Tony Lu authored
      When smc_close_final() returns an error, the return code is overwritten by
      kernel_sock_shutdown() in smc_close_active(). The return code of
      smc_close_final() is more important than kernel_sock_shutdown()'s, and it
      will be passed to userspace directly.
      
      Fix it by keeping both return codes: if smc_close_final() raises an
      error, return it, or else kernel_sock_shutdown()'s.
      
      Link: https://lore.kernel.org/linux-s390/1f67548e-cbf6-0dce-82b5-10288a4583bd@linux.ibm.com/
      Fixes: 606a63c9 ("net/smc: Ensure the active closing peer first closes clcsock")
      Suggested-by: Karsten Graul <kgraul@linux.ibm.com>
      Signed-off-by: Tony Lu <tonylu@linux.alibaba.com>
      Reviewed-by: Wen Gu <guwen@linux.alibaba.com>
      Acked-by: Karsten Graul <kgraul@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ibmvnic: drop bad optimization in reuse_tx_pools() · 5b085601
      Sukadev Bhattiprolu authored
      When trying to decide whether or not reuse existing rx/tx pools
      we tried to allow a range of values for the pool parameters rather
      than exact matches. This was intended to reuse the resources for
      instance when switching between two VIO servers with different
      default parameters.
      
      But this optimization is incomplete and breaks when we try to
      change the number of queues for instance. The optimization needs
      to be updated, so drop it for now and simplify the code.
      
      Fixes: bbd80930 ("ibmvnic: Reuse tx pools when possible")
      Reported-by: Dany Madden <drt@linux.ibm.com>
      Signed-off-by: Sukadev Bhattiprolu <sukadev@linux.ibm.com>
      Reviewed-by: Dany Madden <drt@linux.ibm.com>
      Reviewed-by: Rick Lindsley <ricklind@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ibmvnic: drop bad optimization in reuse_rx_pools() · 0584f494
      Sukadev Bhattiprolu authored
      When trying to decide whether or not to reuse existing rx/tx pools,
      we tried to allow a range of values for the pool parameters rather
      than exact matches. This was intended to reuse the resources for
      instance when switching between two VIO servers with different
      default parameters.
      
      But this optimization is incomplete and breaks when we try to
      change the number of queues for instance. The optimization needs
      to be updated, so drop it for now and simplify the code.
      
      Fixes: 489de956 ("ibmvnic: Reuse rx pools when possible")
      Reported-by: Dany Madden <drt@linux.ibm.com>
      Signed-off-by: Sukadev Bhattiprolu <sukadev@linux.ibm.com>
      Reviewed-by: Dany Madden <drt@linux.ibm.com>
      Reviewed-by: Rick Lindsley <ricklind@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/smc: fix wrong list_del in smc_lgr_cleanup_early · 789b6cc2
      Dust Li authored
      smc_lgr_cleanup_early() meant to delete the link
      group from the link group list, but it deleted
      the list head by mistake.
      
      This may cause memory corruption since we didn't
      remove the real link group from the list and later
      memset the link group structure.
      We got a list corruption panic when testing:
      
      [  231.277259] list_del corruption. prev->next should be ffff8881398a8000, but was 0000000000000000
      [  231.278222] ------------[ cut here ]------------
      [  231.278726] kernel BUG at lib/list_debug.c:53!
      [  231.279326] invalid opcode: 0000 [#1] SMP NOPTI
      [  231.279803] CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.10.46+ #435
      [  231.280466] Hardware name: Alibaba Cloud ECS, BIOS 8c24b4c 04/01/2014
      [  231.281248] Workqueue: events smc_link_down_work
      [  231.281732] RIP: 0010:__list_del_entry_valid+0x70/0x90
      [  231.282258] Code: 4c 60 82 e8 7d cc 6a 00 0f 0b 48 89 fe 48 c7 c7 88 4c
      60 82 e8 6c cc 6a 00 0f 0b 48 89 fe 48 c7 c7 c0 4c 60 82 e8 5b cc 6a 00 <0f>
      0b 48 89 fe 48 c7 c7 00 4d 60 82 e8 4a cc 6a 00 0f 0b cc cc cc
      [  231.284146] RSP: 0018:ffffc90000033d58 EFLAGS: 00010292
      [  231.284685] RAX: 0000000000000054 RBX: ffff8881398a8000 RCX: 0000000000000000
      [  231.285415] RDX: 0000000000000001 RSI: ffff88813bc18040 RDI: ffff88813bc18040
      [  231.286141] RBP: ffffffff8305ad40 R08: 0000000000000003 R09: 0000000000000001
      [  231.286873] R10: ffffffff82803da0 R11: ffffc90000033b90 R12: 0000000000000001
      [  231.287606] R13: 0000000000000000 R14: ffff8881398a8000 R15: 0000000000000003
      [  231.288337] FS:  0000000000000000(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
      [  231.289160] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  231.289754] CR2: 0000000000e72058 CR3: 000000010fa96006 CR4: 00000000003706f0
      [  231.290485] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  231.291211] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [  231.291940] Call Trace:
      [  231.292211]  smc_lgr_terminate_sched+0x53/0xa0
      [  231.292677]  smc_switch_conns+0x75/0x6b0
      [  231.293085]  ? update_load_avg+0x1a6/0x590
      [  231.293517]  ? ttwu_do_wakeup+0x17/0x150
      [  231.293907]  ? update_load_avg+0x1a6/0x590
      [  231.294317]  ? newidle_balance+0xca/0x3d0
      [  231.294716]  smcr_link_down+0x50/0x1a0
      [  231.295090]  ? __wake_up_common_lock+0x77/0x90
      [  231.295534]  smc_link_down_work+0x46/0x60
      [  231.295933]  process_one_work+0x18b/0x350
      
      Fixes: a0a62ee1 ("net/smc: separate locks for SMCD and SMCR link group lists")
      Signed-off-by: Dust Li <dust.li@linux.alibaba.com>
      Acked-by: Karsten Graul <kgraul@linux.ibm.com>
      Reviewed-by: Tony Lu <tonylu@linux.alibaba.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Fix Comment of ETH_P_802_3_MIN · 72f6a452
      Xiayu Zhang authored
      The description of ETH_P_802_3_MIN is misleading:
      the value of EthernetType in an Ethernet II frame is more than 0x0600,
      while the value of Length in an 802.3 frame is less than 0x0600.
      Signed-off-by: Xiayu Zhang <Xiayu.Zhang@mediatek.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
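As an added example (not code from this commit or from the kernel), the distinction the corrected comment draws, applied to a frame's 16-bit length/type field: values of ETH_P_802_3_MIN (0x0600) and above are EtherTypes (Ethernet II), values up to 1500 are 802.3 payload lengths, and the gap in between is neither. The sample frames and their addresses are constructed; the length check on 802.3 frames is an extra a receiver should make rather than trusting the declared length.

```c
#include <stdint.h>
#include <stddef.h>

/* Constants with the same values as include/uapi/linux/if_ether.h. */
#define ETH_ALEN        6
#define ETH_HLEN        14
#define ETH_P_802_3_MIN 0x0600  /* >= this value: EtherType, i.e. Ethernet II */
#define ETH_DATA_LEN    1500    /* <= this value: 802.3 payload length */

enum frame_kind {
    FRAME_TOO_SHORT,   /* fewer than ETH_HLEN bytes present */
    FRAME_ETHERNET_II, /* field >= 0x0600: an EtherType */
    FRAME_802_3,       /* field <= 1500: a payload length */
    FRAME_INVALID_LEN  /* 1501..0x05FF: neither a valid length nor a type */
};

struct frame_info {
    enum frame_kind kind;
    uint16_t type_or_len;  /* raw value of the length/type field */
    int length_mismatch;   /* 802.3 only: declared length exceeds bytes present */
};

/* Classify the raw length/type field alone. */
enum frame_kind classify_type_field(uint16_t v)
{
    if (v >= ETH_P_802_3_MIN)
        return FRAME_ETHERNET_II;
    if (v <= ETH_DATA_LEN)
        return FRAME_802_3;
    return FRAME_INVALID_LEN;
}

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Classify a whole frame buffer of 'len' bytes. */
struct frame_info classify_frame(const uint8_t *frame, size_t len)
{
    struct frame_info info = { FRAME_TOO_SHORT, 0, 0 };

    if (len < ETH_HLEN)
        return info;

    /* The length/type field follows the two 6-byte MAC addresses. */
    info.type_or_len = be16(frame + 2 * ETH_ALEN);
    info.kind = classify_type_field(info.type_or_len);

    /* For 802.3 the field is a length: never trust it beyond the buffer. */
    if (info.kind == FRAME_802_3 &&
        (size_t)info.type_or_len > len - ETH_HLEN)
        info.length_mismatch = 1;

    return info;
}

/* Constructed sample frames with hypothetical MAC addresses. */
static const uint8_t SAMPLE_ETH2[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x08,0x00,              /* 0x0800 (IPv4) >= ETH_P_802_3_MIN */
    0x45,0x00,0x00,0x14     /* start of a truncated IPv4 header */
};

static const uint8_t SAMPLE_8023[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x00,0x04,              /* length 4: an 802.3 frame */
    0xaa,0xaa,0x03,0x00     /* 4 bytes of LLC payload */
};

static const uint8_t SAMPLE_8023_SHORT[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x05,0xdc,              /* declares length 1500 ... */
    0xaa,0xaa               /* ... but only 2 payload bytes are present */
};
```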
    • ethernet: aquantia: Try MAC address from device tree · 553217c2
      Tianhao Chai authored
      Apple M1 Mac minis (2020) with 10GE NICs do not have a MAC address in the
      card, but instead need to obtain MAC addresses from the device tree. In
      this case the hardware will report an invalid MAC.
      
      Currently the atlantic driver does not query the DT for a MAC address and will
      randomly assign a MAC if the NIC doesn't have a permanent MAC burnt in.
      This patch causes the driver to prefer a valid MAC address from OF (if
      present) over the HW self-reported MAC and only fall back to a random MAC
      address when neither of them is valid.
      Signed-off-by: Tianhao Chai <cth451@gmail.com>
      Reviewed-by: Igor Russkikh <irusskikh@marvell.com>
      Reviewed-by: Hector Martin <marcan@marcan.st>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv4: convert fib_num_tclassid_users to atomic_t · 213f5f8f
      Eric Dumazet authored
      Before commit faa041a4 ("ipv4: Create cleanup helper for fib_nh")
      changes to net->ipv4.fib_num_tclassid_users were protected by RTNL.
      
      After the change, this is no longer the case, as free_fib_info_rcu()
      runs after rcu grace period, without rtnl being held.
      
      Fixes: faa041a4 ("ipv4: Create cleanup helper for fib_nh")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: David Ahern <dsahern@kernel.org>
      Reviewed-by: David Ahern <dsahern@kernel.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • arm64: ftrace: add missing BTIs · 35b6b28e
      Mark Rutland authored
      When branch target identifiers are in use, code reachable via an
      indirect branch requires a BTI landing pad at the branch target site.
      
      When building FTRACE_WITH_REGS atop patchable-function-entry, we miss
      BTIs at the start of the `ftrace_caller` and `ftrace_regs_caller`
      trampolines, and when these are called from a module via a PLT (which
      will use a `BR X16`), we will encounter a BTI failure, e.g.
      
      | # insmod lkdtm.ko
      | lkdtm: No crash points registered, enable through debugfs
      | # echo function_graph > /sys/kernel/debug/tracing/current_tracer
      | # cat /sys/kernel/debug/provoke-crash/DIRECT
      | Unhandled 64-bit el1h sync exception on CPU0, ESR 0x34000001 -- BTI
      | CPU: 0 PID: 174 Comm: cat Not tainted 5.16.0-rc2-dirty #3
      | Hardware name: linux,dummy-virt (DT)
      | pstate: 60400405 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=jc)
      | pc : ftrace_caller+0x0/0x3c
      | lr : lkdtm_debugfs_open+0xc/0x20 [lkdtm]
      | sp : ffff800012e43b00
      | x29: ffff800012e43b00 x28: 0000000000000000 x27: ffff800012e43c88
      | x26: 0000000000000000 x25: 0000000000000000 x24: ffff0000c171f200
      | x23: ffff0000c27b1e00 x22: ffff0000c2265240 x21: ffff0000c23c8c30
      | x20: ffff8000090ba380 x19: 0000000000000000 x18: 0000000000000000
      | x17: 0000000000000000 x16: ffff80001002bb4c x15: 0000000000000000
      | x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000900ff0
      | x11: ffff0000c4166310 x10: ffff800012e43b00 x9 : ffff8000104f2384
      | x8 : 0000000000000001 x7 : 0000000000000000 x6 : 000000000000003f
      | x5 : 0000000000000040 x4 : ffff800012e43af0 x3 : 0000000000000001
      | x2 : ffff8000090b0000 x1 : ffff0000c171f200 x0 : ffff0000c23c8c30
      | Kernel panic - not syncing: Unhandled exception
      | CPU: 0 PID: 174 Comm: cat Not tainted 5.16.0-rc2-dirty #3
      | Hardware name: linux,dummy-virt (DT)
      | Call trace:
      |  dump_backtrace+0x0/0x1a4
      |  show_stack+0x24/0x30
      |  dump_stack_lvl+0x68/0x84
      |  dump_stack+0x1c/0x38
      |  panic+0x168/0x360
      |  arm64_exit_nmi.isra.0+0x0/0x80
      |  el1h_64_sync_handler+0x68/0xd4
      |  el1h_64_sync+0x78/0x7c
      |  ftrace_caller+0x0/0x3c
      |  do_dentry_open+0x134/0x3b0
      |  vfs_open+0x38/0x44
      |  path_openat+0x89c/0xe40
      |  do_filp_open+0x8c/0x13c
      |  do_sys_openat2+0xbc/0x174
      |  __arm64_sys_openat+0x6c/0xbc
      |  invoke_syscall+0x50/0x120
      |  el0_svc_common.constprop.0+0xdc/0x100
      |  do_el0_svc+0x84/0xa0
      |  el0_svc+0x28/0x80
      |  el0t_64_sync_handler+0xa8/0x130
      |  el0t_64_sync+0x1a0/0x1a4
      | SMP: stopping secondary CPUs
      | Kernel Offset: disabled
      | CPU features: 0x0,00000f42,da660c5f
      | Memory Limit: none
      | ---[ end Kernel panic - not syncing: Unhandled exception ]---
      
      Fix this by adding the required `BTI C`, as we only require these to be
      reachable via BL for direct calls or BR X16/X17 for PLTs. For now, these
      are open-coded in the function prologue, matching the style of the
      `__hwasan_tag_mismatch` trampoline.
      
      In future we may wish to consider adding a new SYM_CODE_START_*()
      variant which has an implicit BTI.
      
      When ftrace is built atop mcount, the trampolines are marked with
      SYM_FUNC_START(), and so get an implicit BTI. We may need to change
      these over to SYM_CODE_START() in future for RELIABLE_STACKTRACE, in
      case we need to apply special care around the return address being
      rewritten.
      
      Fixes: 97fed779 ("arm64: bti: Provide Kconfig for kernel mode BTI")
      Signed-off-by: Mark Rutland <mark.rutland@arm.com>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Mark Brown <broonie@kernel.org>
      Cc: Will Deacon <will@kernel.org>
      Reviewed-by: Mark Brown <broonie@kernel.org>
      Link: https://lore.kernel.org/r/20211129135709.2274019-1-mark.rutland@arm.com
      Signed-off-by: Will Deacon <will@kernel.org>
    • arm64: kexec: use __pa_symbol(empty_zero_page) · 2f218324
      Mark Rutland authored
      In machine_kexec_post_load() we use __pa() on `empty_zero_page`, so that
      we can use the physical address during arm64_relocate_new_kernel() to
      switch TTBR1 to a new set of tables. While `empty_zero_page` is part of
      the old kernel, we won't clobber it until after this switch, so using it
      is benign.
      
      However, `empty_zero_page` is part of the kernel image rather than a
      linear map address, so it is not correct to use __pa(x), and we should
      instead use __pa_symbol(x) or __pa(lm_alias(x)). Otherwise, when the
      kernel is built with DEBUG_VIRTUAL, we'll encounter splats as below, as
      I've seen when fuzzing v5.16-rc3 with Syzkaller:
      
      | ------------[ cut here ]------------
      | virt_to_phys used for non-linear address: 000000008492561a (empty_zero_page+0x0/0x1000)
      | WARNING: CPU: 3 PID: 11492 at arch/arm64/mm/physaddr.c:15 __virt_to_phys+0x120/0x1c0 arch/arm64/mm/physaddr.c:12
      | CPU: 3 PID: 11492 Comm: syz-executor.0 Not tainted 5.16.0-rc3-00001-g48bd452a045c #1
      | Hardware name: linux,dummy-virt (DT)
      | pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
      | pc : __virt_to_phys+0x120/0x1c0 arch/arm64/mm/physaddr.c:12
      | lr : __virt_to_phys+0x120/0x1c0 arch/arm64/mm/physaddr.c:12
      | sp : ffff80001af17bb0
      | x29: ffff80001af17bb0 x28: ffff1cc65207b400 x27: ffffb7828730b120
      | x26: 0000000000000e11 x25: 0000000000000000 x24: 0000000000000001
      | x23: ffffb7828963e000 x22: ffffb78289644000 x21: 0000600000000000
      | x20: 000000000000002d x19: 0000b78289644000 x18: 0000000000000000
      | x17: 74706d6528206131 x16: 3635323934383030 x15: 303030303030203a
      | x14: 1ffff000035e2eb8 x13: ffff6398d53f4f0f x12: 1fffe398d53f4f0e
      | x11: 1fffe398d53f4f0e x10: ffff6398d53f4f0e x9 : ffffb7827c6f76dc
      | x8 : ffff1cc6a9fa7877 x7 : 0000000000000001 x6 : ffff6398d53f4f0f
      | x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff1cc66f2a99c0
      | x2 : 0000000000040000 x1 : d7ce7775b09b5d00 x0 : 0000000000000000
      | Call trace:
      |  __virt_to_phys+0x120/0x1c0 arch/arm64/mm/physaddr.c:12
      |  machine_kexec_post_load+0x284/0x670 arch/arm64/kernel/machine_kexec.c:150
      |  do_kexec_load+0x570/0x670 kernel/kexec.c:155
      |  __do_sys_kexec_load kernel/kexec.c:250 [inline]
      |  __se_sys_kexec_load kernel/kexec.c:231 [inline]
      |  __arm64_sys_kexec_load+0x1d8/0x268 kernel/kexec.c:231
      |  __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
      |  invoke_syscall+0x90/0x2e0 arch/arm64/kernel/syscall.c:52
      |  el0_svc_common.constprop.2+0x1e4/0x2f8 arch/arm64/kernel/syscall.c:142
      |  do_el0_svc+0xf8/0x150 arch/arm64/kernel/syscall.c:181
      |  el0_svc+0x60/0x248 arch/arm64/kernel/entry-common.c:603
      |  el0t_64_sync_handler+0x90/0xb8 arch/arm64/kernel/entry-common.c:621
      |  el0t_64_sync+0x180/0x184 arch/arm64/kernel/entry.S:572
      | irq event stamp: 2428
      | hardirqs last  enabled at (2427): [<ffffb7827c6f2308>] __up_console_sem+0xf0/0x118 kernel/printk/printk.c:255
      | hardirqs last disabled at (2428): [<ffffb7828223df98>] el1_dbg+0x28/0x80 arch/arm64/kernel/entry-common.c:375
      | softirqs last  enabled at (2424): [<ffffb7827c411c00>] softirq_handle_end kernel/softirq.c:401 [inline]
      | softirqs last  enabled at (2424): [<ffffb7827c411c00>] __do_softirq+0xa28/0x11e4 kernel/softirq.c:587
      | softirqs last disabled at (2417): [<ffffb7827c59015c>] do_softirq_own_stack include/asm-generic/softirq_stack.h:10 [inline]
      | softirqs last disabled at (2417): [<ffffb7827c59015c>] invoke_softirq kernel/softirq.c:439 [inline]
      | softirqs last disabled at (2417): [<ffffb7827c59015c>] __irq_exit_rcu kernel/softirq.c:636 [inline]
      | softirqs last disabled at (2417): [<ffffb7827c59015c>] irq_exit_rcu+0x53c/0x688 kernel/softirq.c:648
      | ---[ end trace 0ca578534e7ca938 ]---
      
      With or without DEBUG_VIRTUAL __pa() will fall back to __kimg_to_phys()
      for non-linear addresses, and will happen to do the right thing in this
      case, even with the warning. But we should not depend upon this, and to
      keep the warning useful we should fix this case.
      
      Fix this issue by using __pa_symbol(), which handles kernel image
      addresses (and checks its input is a kernel image address). This matches
      what we do elsewhere, e.g. in arch/arm64/include/asm/pgtable.h:
      
      | #define ZERO_PAGE(vaddr)       phys_to_page(__pa_symbol(empty_zero_page))
      
      Fixes: 3744b528 ("arm64: kexec: install a copy of the linear-map")
      Signed-off-by: Mark Rutland <mark.rutland@arm.com>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: James Morse <james.morse@arm.com>
      Cc: Pasha Tatashin <pasha.tatashin@soleen.com>
      Cc: Will Deacon <will@kernel.org>
      Reviewed-by: Pasha Tatashin <pasha.tatashin@soleen.com>
      Link: https://lore.kernel.org/r/20211130121849.3319010-1-mark.rutland@arm.com
      Signed-off-by: Will Deacon <will@kernel.org>
    • arm64: update PAC description for kernel · ce39d473
      Kuan-Ying Lee authored
      Remove the paragraph which has nothing to do with the kernel and
      add PAC description related to kernel.
      Suggested-by: Mark Rutland <mark.rutland@arm.com>
      Signed-off-by: Kuan-Ying Lee <Kuan-Ying.Lee@mediatek.com>
      Link: https://lore.kernel.org/r/20211201034014.20048-1-Kuan-Ying.Lee@mediatek.com
      Signed-off-by: Will Deacon <will@kernel.org>
    • ata: replace snprintf in show functions with sysfs_emit · 06d5d558
      Yang Guang authored
      coccinelle report:
      ./drivers/ata/libata-sata.c:830:8-16:
      WARNING: use scnprintf or sprintf
      
      Using sysfs_emit instead of scnprintf or sprintf makes more sense.
      Reported-by: Zeal Robot <zealci@zte.com.cn>
      Signed-off-by: Yang Guang <yang.guang5@zte.com.cn>
      Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
    • net: avoid uninit-value from tcp_conn_request · a37a0ee4
      Eric Dumazet authored
      A recent change triggers a KMSAN warning, because request
      sockets do not initialize @sk_rx_queue_mapping field.
      
      Add sk_rx_queue_update() helper to make our intent clear.
      
      BUG: KMSAN: uninit-value in sk_rx_queue_set include/net/sock.h:1922 [inline]
      BUG: KMSAN: uninit-value in tcp_conn_request+0x3bcc/0x4dc0 net/ipv4/tcp_input.c:6922
       sk_rx_queue_set include/net/sock.h:1922 [inline]
       tcp_conn_request+0x3bcc/0x4dc0 net/ipv4/tcp_input.c:6922
       tcp_v4_conn_request+0x218/0x2a0 net/ipv4/tcp_ipv4.c:1528
       tcp_rcv_state_process+0x2c5/0x3290 net/ipv4/tcp_input.c:6406
       tcp_v4_do_rcv+0xb4e/0x1330 net/ipv4/tcp_ipv4.c:1738
       tcp_v4_rcv+0x468d/0x4ed0 net/ipv4/tcp_ipv4.c:2100
       ip_protocol_deliver_rcu+0x760/0x10b0 net/ipv4/ip_input.c:204
       ip_local_deliver_finish net/ipv4/ip_input.c:231 [inline]
       NF_HOOK include/linux/netfilter.h:307 [inline]
       ip_local_deliver+0x584/0x8c0 net/ipv4/ip_input.c:252
       dst_input include/net/dst.h:460 [inline]
       ip_sublist_rcv_finish net/ipv4/ip_input.c:551 [inline]
       ip_list_rcv_finish net/ipv4/ip_input.c:601 [inline]
       ip_sublist_rcv+0x11fd/0x1520 net/ipv4/ip_input.c:609
       ip_list_rcv+0x95f/0x9a0 net/ipv4/ip_input.c:644
       __netif_receive_skb_list_ptype net/core/dev.c:5505 [inline]
       __netif_receive_skb_list_core+0xe34/0x1240 net/core/dev.c:5553
       __netif_receive_skb_list+0x7fc/0x960 net/core/dev.c:5605
       netif_receive_skb_list_internal+0x868/0xde0 net/core/dev.c:5696
       gro_normal_list net/core/dev.c:5850 [inline]
       napi_complete_done+0x579/0xdd0 net/core/dev.c:6587
       virtqueue_napi_complete drivers/net/virtio_net.c:339 [inline]
       virtnet_poll+0x17b6/0x2350 drivers/net/virtio_net.c:1557
       __napi_poll+0x14e/0xbc0 net/core/dev.c:7020
       napi_poll net/core/dev.c:7087 [inline]
       net_rx_action+0x824/0x1880 net/core/dev.c:7174
       __do_softirq+0x1fe/0x7eb kernel/softirq.c:558
       invoke_softirq+0xa4/0x130 kernel/softirq.c:432
       __irq_exit_rcu kernel/softirq.c:636 [inline]
       irq_exit_rcu+0x76/0x130 kernel/softirq.c:648
       common_interrupt+0xb6/0xd0 arch/x86/kernel/irq.c:240
       asm_common_interrupt+0x1e/0x40
       smap_restore arch/x86/include/asm/smap.h:67 [inline]
       get_shadow_origin_ptr mm/kmsan/instrumentation.c:31 [inline]
       __msan_metadata_ptr_for_load_1+0x28/0x30 mm/kmsan/instrumentation.c:63
       tomoyo_check_acl+0x1b0/0x630 security/tomoyo/domain.c:173
       tomoyo_path_permission security/tomoyo/file.c:586 [inline]
       tomoyo_check_open_permission+0x61f/0xe10 security/tomoyo/file.c:777
       tomoyo_file_open+0x24f/0x2d0 security/tomoyo/tomoyo.c:311
       security_file_open+0xb1/0x1f0 security/security.c:1635
       do_dentry_open+0x4e4/0x1bf0 fs/open.c:809
       vfs_open+0xaf/0xe0 fs/open.c:957
       do_open fs/namei.c:3426 [inline]
       path_openat+0x52f1/0x5dd0 fs/namei.c:3559
       do_filp_open+0x306/0x760 fs/namei.c:3586
       do_sys_openat2+0x263/0x8f0 fs/open.c:1212
       do_sys_open fs/open.c:1228 [inline]
       __do_sys_open fs/open.c:1236 [inline]
       __se_sys_open fs/open.c:1232 [inline]
       __x64_sys_open+0x314/0x380 fs/open.c:1232
       do_syscall_x64 arch/x86/entry/common.c:51 [inline]
       do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      Uninit was created at:
       __alloc_pages+0xbc7/0x10a0 mm/page_alloc.c:5409
       alloc_pages+0x8a5/0xb80
       alloc_slab_page mm/slub.c:1810 [inline]
       allocate_slab+0x287/0x1c20 mm/slub.c:1947
       new_slab mm/slub.c:2010 [inline]
       ___slab_alloc+0xbdf/0x1e90 mm/slub.c:3039
       __slab_alloc mm/slub.c:3126 [inline]
       slab_alloc_node mm/slub.c:3217 [inline]
       slab_alloc mm/slub.c:3259 [inline]
       kmem_cache_alloc+0xbb3/0x11c0 mm/slub.c:3264
       reqsk_alloc include/net/request_sock.h:91 [inline]
       inet_reqsk_alloc+0xaf/0x8b0 net/ipv4/tcp_input.c:6712
       tcp_conn_request+0x910/0x4dc0 net/ipv4/tcp_input.c:6852
       tcp_v4_conn_request+0x218/0x2a0 net/ipv4/tcp_ipv4.c:1528
       tcp_rcv_state_process+0x2c5/0x3290 net/ipv4/tcp_input.c:6406
       tcp_v4_do_rcv+0xb4e/0x1330 net/ipv4/tcp_ipv4.c:1738
       tcp_v4_rcv+0x468d/0x4ed0 net/ipv4/tcp_ipv4.c:2100
       ip_protocol_deliver_rcu+0x760/0x10b0 net/ipv4/ip_input.c:204
       ip_local_deliver_finish net/ipv4/ip_input.c:231 [inline]
       NF_HOOK include/linux/netfilter.h:307 [inline]
       ip_local_deliver+0x584/0x8c0 net/ipv4/ip_input.c:252
       dst_input include/net/dst.h:460 [inline]
       ip_sublist_rcv_finish net/ipv4/ip_input.c:551 [inline]
       ip_list_rcv_finish net/ipv4/ip_input.c:601 [inline]
       ip_sublist_rcv+0x11fd/0x1520 net/ipv4/ip_input.c:609
       ip_list_rcv+0x95f/0x9a0 net/ipv4/ip_input.c:644
       __netif_receive_skb_list_ptype net/core/dev.c:5505 [inline]
       __netif_receive_skb_list_core+0xe34/0x1240 net/core/dev.c:5553
       __netif_receive_skb_list+0x7fc/0x960 net/core/dev.c:5605
       netif_receive_skb_list_internal+0x868/0xde0 net/core/dev.c:5696
       gro_normal_list net/core/dev.c:5850 [inline]
       napi_complete_done+0x579/0xdd0 net/core/dev.c:6587
       virtqueue_napi_complete drivers/net/virtio_net.c:339 [inline]
       virtnet_poll+0x17b6/0x2350 drivers/net/virtio_net.c:1557
       __napi_poll+0x14e/0xbc0 net/core/dev.c:7020
       napi_poll net/core/dev.c:7087 [inline]
       net_rx_action+0x824/0x1880 net/core/dev.c:7174
       __do_softirq+0x1fe/0x7eb kernel/softirq.c:558
      
      Fixes: 342159ee ("net: avoid dirtying sk->sk_rx_queue_mapping")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Link: https://lore.kernel.org/r/20211130182939.2584764-1-eric.dumazet@gmail.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net: annotate data-races on txq->xmit_lock_owner · 7a10d8c8
      Eric Dumazet authored
      syzbot found that __dev_queue_xmit() is reading txq->xmit_lock_owner
      without annotations.
      
      No serious issue there; let's document what is happening there.
      
      BUG: KCSAN: data-race in __dev_queue_xmit / __dev_queue_xmit
      
      write to 0xffff888139d09484 of 4 bytes by interrupt on cpu 0:
       __netif_tx_unlock include/linux/netdevice.h:4437 [inline]
       __dev_queue_xmit+0x948/0xf70 net/core/dev.c:4229
       dev_queue_xmit_accel+0x19/0x20 net/core/dev.c:4265
       macvlan_queue_xmit drivers/net/macvlan.c:543 [inline]
       macvlan_start_xmit+0x2b3/0x3d0 drivers/net/macvlan.c:567
       __netdev_start_xmit include/linux/netdevice.h:4987 [inline]
       netdev_start_xmit include/linux/netdevice.h:5001 [inline]
       xmit_one+0x105/0x2f0 net/core/dev.c:3590
       dev_hard_start_xmit+0x72/0x120 net/core/dev.c:3606
       sch_direct_xmit+0x1b2/0x7c0 net/sched/sch_generic.c:342
       __dev_xmit_skb+0x83d/0x1370 net/core/dev.c:3817
       __dev_queue_xmit+0x590/0xf70 net/core/dev.c:4194
       dev_queue_xmit+0x13/0x20 net/core/dev.c:4259
       neigh_hh_output include/net/neighbour.h:511 [inline]
       neigh_output include/net/neighbour.h:525 [inline]
       ip6_finish_output2+0x995/0xbb0 net/ipv6/ip6_output.c:126
       __ip6_finish_output net/ipv6/ip6_output.c:191 [inline]
       ip6_finish_output+0x444/0x4c0 net/ipv6/ip6_output.c:201
       NF_HOOK_COND include/linux/netfilter.h:296 [inline]
       ip6_output+0x10e/0x210 net/ipv6/ip6_output.c:224
       dst_output include/net/dst.h:450 [inline]
       NF_HOOK include/linux/netfilter.h:307 [inline]
       ndisc_send_skb+0x486/0x610 net/ipv6/ndisc.c:508
       ndisc_send_rs+0x3b0/0x3e0 net/ipv6/ndisc.c:702
       addrconf_rs_timer+0x370/0x540 net/ipv6/addrconf.c:3898
       call_timer_fn+0x2e/0x240 kernel/time/timer.c:1421
       expire_timers+0x116/0x240 kernel/time/timer.c:1466
       __run_timers+0x368/0x410 kernel/time/timer.c:1734
       run_timer_softirq+0x2e/0x60 kernel/time/timer.c:1747
       __do_softirq+0x158/0x2de kernel/softirq.c:558
       __irq_exit_rcu kernel/softirq.c:636 [inline]
       irq_exit_rcu+0x37/0x70 kernel/softirq.c:648
       sysvec_apic_timer_interrupt+0x3e/0xb0 arch/x86/kernel/apic/apic.c:1097
       asm_sysvec_apic_timer_interrupt+0x12/0x20
      
      read to 0xffff888139d09484 of 4 bytes by interrupt on cpu 1:
       __dev_queue_xmit+0x5e3/0xf70 net/core/dev.c:4213
       dev_queue_xmit_accel+0x19/0x20 net/core/dev.c:4265
       macvlan_queue_xmit drivers/net/macvlan.c:543 [inline]
       macvlan_start_xmit+0x2b3/0x3d0 drivers/net/macvlan.c:567
       __netdev_start_xmit include/linux/netdevice.h:4987 [inline]
       netdev_start_xmit include/linux/netdevice.h:5001 [inline]
       xmit_one+0x105/0x2f0 net/core/dev.c:3590
       dev_hard_start_xmit+0x72/0x120 net/core/dev.c:3606
       sch_direct_xmit+0x1b2/0x7c0 net/sched/sch_generic.c:342
       __dev_xmit_skb+0x83d/0x1370 net/core/dev.c:3817
       __dev_queue_xmit+0x590/0xf70 net/core/dev.c:4194
       dev_queue_xmit+0x13/0x20 net/core/dev.c:4259
       neigh_resolve_output+0x3db/0x410 net/core/neighbour.c:1523
       neigh_output include/net/neighbour.h:527 [inline]
       ip6_finish_output2+0x9be/0xbb0 net/ipv6/ip6_output.c:126
       __ip6_finish_output net/ipv6/ip6_output.c:191 [inline]
       ip6_finish_output+0x444/0x4c0 net/ipv6/ip6_output.c:201
       NF_HOOK_COND include/linux/netfilter.h:296 [inline]
       ip6_output+0x10e/0x210 net/ipv6/ip6_output.c:224
       dst_output include/net/dst.h:450 [inline]
       NF_HOOK include/linux/netfilter.h:307 [inline]
       ndisc_send_skb+0x486/0x610 net/ipv6/ndisc.c:508
       ndisc_send_rs+0x3b0/0x3e0 net/ipv6/ndisc.c:702
       addrconf_rs_timer+0x370/0x540 net/ipv6/addrconf.c:3898
       call_timer_fn+0x2e/0x240 kernel/time/timer.c:1421
       expire_timers+0x116/0x240 kernel/time/timer.c:1466
       __run_timers+0x368/0x410 kernel/time/timer.c:1734
       run_timer_softirq+0x2e/0x60 kernel/time/timer.c:1747
       __do_softirq+0x158/0x2de kernel/softirq.c:558
       __irq_exit_rcu kernel/softirq.c:636 [inline]
       irq_exit_rcu+0x37/0x70 kernel/softirq.c:648
       sysvec_apic_timer_interrupt+0x8d/0xb0 arch/x86/kernel/apic/apic.c:1097
       asm_sysvec_apic_timer_interrupt+0x12/0x20
       kcsan_setup_watchpoint+0x94/0x420 kernel/kcsan/core.c:443
       folio_test_anon include/linux/page-flags.h:581 [inline]
       PageAnon include/linux/page-flags.h:586 [inline]
       zap_pte_range+0x5ac/0x10e0 mm/memory.c:1347
       zap_pmd_range mm/memory.c:1467 [inline]
       zap_pud_range mm/memory.c:1496 [inline]
       zap_p4d_range mm/memory.c:1517 [inline]
       unmap_page_range+0x2dc/0x3d0 mm/memory.c:1538
       unmap_single_vma+0x157/0x210 mm/memory.c:1583
       unmap_vmas+0xd0/0x180 mm/memory.c:1615
       exit_mmap+0x23d/0x470 mm/mmap.c:3170
       __mmput+0x27/0x1b0 kernel/fork.c:1113
       mmput+0x3d/0x50 kernel/fork.c:1134
       exit_mm+0xdb/0x170 kernel/exit.c:507
       do_exit+0x608/0x17a0 kernel/exit.c:819
       do_group_exit+0xce/0x180 kernel/exit.c:929
       get_signal+0xfc3/0x1550 kernel/signal.c:2852
       arch_do_signal_or_restart+0x8c/0x2e0 arch/x86/kernel/signal.c:868
       handle_signal_work kernel/entry/common.c:148 [inline]
       exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
       exit_to_user_mode_prepare+0x113/0x190 kernel/entry/common.c:207
       __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
       syscall_exit_to_user_mode+0x20/0x40 kernel/entry/common.c:300
       do_syscall_64+0x50/0xd0 arch/x86/entry/common.c:86
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      value changed: 0x00000000 -> 0xffffffff
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 1 PID: 28712 Comm: syz-executor.0 Tainted: G        W         5.16.0-rc1-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Link: https://lore.kernel.org/r/20211130170155.2331929-1-eric.dumazet@gmail.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • octeontx2-af: Fix a memleak bug in rvu_mbox_init() · e07a097b
      Zhou Qingyang authored
      In rvu_mbox_init(), mbox_regions is not freed or passed out
      under the switch-default region, which could lead to a memory leak.
      
      Fix this bug by changing 'return err' to 'goto free_regions'.
      
      This bug was found by a static analyzer. The analysis employs
      differential checking to identify inconsistent security operations
      (e.g., checks or kfrees) between two code paths and confirms that the
      inconsistent operations are not recovered in the current function or
      the callers, so they constitute bugs.
      
      Note that, as a bug found by static analysis, it can be a false
      positive or hard to trigger. Multiple researchers have cross-reviewed
      the bug.
      
      Builds with CONFIG_OCTEONTX2_AF=y show no new warnings,
      and our static analyzer no longer warns about this code.
      
      Fixes: 98c56111 ("octeontx2-af: cn10k: Add mbox support for CN10K platform")
      Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
      Link: https://lore.kernel.org/r/20211130165039.192426-1-zhou1615@umn.edu
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>