mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-12-04 01:24:12 +08:00
6560cfcfb4
1267002 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Roded Zats
|
1aec77b2bb |
rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation
Each attribute inside a nested IFLA_VF_VLAN_LIST is assumed to be a
struct ifla_vf_vlan_info so the size of such attribute needs to be at least
of sizeof(struct ifla_vf_vlan_info) which is 14 bytes.
The current size validation in do_setvfinfo is against NLA_HDRLEN (4 bytes)
which is less than sizeof(struct ifla_vf_vlan_info) so this validation
is not enough and a too small attribute might be cast to a
struct ifla_vf_vlan_info, this might result in an out of bands
read access when accessing the saved (casted) entry in ivvl.
Fixes:
|
||
Jakub Kicinski
|
d0de616739 |
ipsec-2024-05-02
-----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEH7ZpcWbFyOOp6OJbrB3Eaf9PW7cFAmYzUX4ACgkQrB3Eaf9P W7e7qQ/+LgkDkL/LyXv3kAPN8b2SapIiIajarlRfgdPYdM6PP+kzGJxC/t5NZ2HE Q1N6K0hIL042rna1/grkUKHeQn4PXUlfT6y8YgjiuCvpFDVNb2ofyl3AmxjJnH1A iwMWf6EhwGoxbVs3DbDJ554U8T0nBJeZ+MXLF/4BI13bNdj7stbcKRqj6KHC5sQO JgtFVX+ip6LLGL7rR4YMv2h2p1sSu3Vp6bMcfM85I4ENec0UIjgsAF9P0buPl4gr 2oKtMxga86CQWcymKo6DI+MsBBk91wvM+5/T9zQtpdxDuNEQNrotCoCc0Kd03xmP EGzJagwVGFj08kYJ7qICDwpXWCpLDVumoxWFNBWmAW9uNEkUW8Tiqmm8eW2Azs3d VAUFcyzHr7mkAaqSDDdE4J+L276Z+dS+BHPnoF6Sp+ctuvSmmeS6lyY9mGnFGH7H OiqFKonjBEC5iNAMIXF3WRKueMDdbbDFwHK4NEiTIUSeAMqETUP2sBC1GNTaN8YJ soKYtwUtiag2P44ZYy5UYeKJlaBnT1FOZHLs24iCOY1XjqJerwjefQuBO6HDBz/I vkaSY6ak6uRsAdfst45uQNPfxlJkFDbwRDowFCdhu5qG7bifqnXstQmNta2U1109 4e3vt5jPowN/9bCtMx7Z+ftmmTsapxYCu5ZYRVAq82WahsXFPtE= =aeD1 -----END PGP SIGNATURE----- Merge tag 'ipsec-2024-05-02' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec Steffen Klassert says: ==================== pull request (net): ipsec 2024-05-02 1) Fix an error pointer dereference in xfrm_in_fwd_icmp. From Antony Antony. 2) Preserve vlan tags for ESP transport mode software GRO. From Paul Davey. 3) Fix a spelling mistake in an uapi xfrm.h comment. From Anotny Antony. * tag 'ipsec-2024-05-02' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec: xfrm: Correct spelling mistake in xfrm.h comment xfrm: Preserve vlan tags for transport mode software GRO xfrm: fix possible derferencing in error path ==================== Link: https://lore.kernel.org/r/20240502084838.2269355-1-steffen.klassert@secunet.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> |
||
|
Jakub Kicinski
|
f2d859045e |
bluetooth pull request for net:
- mediatek: mt8183-pico6: Fix bluetooth node - sco: Fix use-after-free bugs caused by sco_sock_timeout - l2cap: fix null-ptr-deref in l2cap_chan_timeout - qca: Various fixes - l2cap: Fix slab-use-after-free in l2cap_connect() - msft: fix slab-use-after-free in msft_do_close() - HCI: Fix potential null-ptr-deref -----BEGIN PGP SIGNATURE----- iQJNBAABCAA3FiEE7E6oRXp8w05ovYr/9JCA4xAyCykFAmY1G94ZHGx1aXoudm9u LmRlbnR6QGludGVsLmNvbQAKCRD0kIDjEDILKQB2D/9bBlIaHu5KflLqLaNjmkmv LLfXaQk6YvVP4yxR8fx1b+4gOCOgmadIhZUpWDNw0yuvDmCnt/NDXFdruS5OWBb/ w0IWtjD3pyrmT7kx+pwPVT8oT7cdtEuBPwiRGnb5iBemkp3gs5eIlqXClioGs5l2 9NCyYaSc7Xh546rLh95jPZ7T1EKH16acC9HeIGi8NzmNOfwhyJNLmJOpeJZnsF28 QoANpB4Ls9mEChTWTi6TdiZsYvMb2IuYunSRJJgZYmcHjtGxVDQ9YN9j+uR+PpYm g2DvG9mMR+6VvHmfMVt5ETjVha8Mp0Ec5QyXtZSJwqFTHnV2tBnQ2Nm03wxYllgi b3X9flOXsM4Z862rZTK3A83lihMKDQBmkhesm+mMbOo415EtOi9KOzLaAIL4SoR6 wai2I8kbjW4NRNY6fFi5rcTta8ONDsqmlDl+0dVU5CwQ9h25HeOHz+PHkOjsb+vc cVeh8UGWQ8Ewe9mS/tYQ0lxGqUoEBoZqVjbpdVzRTYb4sfvBiTq8gO7gg0TlZoGF OiNCRmqbLNqRPu2GfAcapp5HpzNd8zkd3pagUvxOaB+tbghoqzqgEaShsvl3bxjp /FK0IRSlfr9u9USkhB2vjJPk6GTptiPtxhTTjcXdvCWP1vI6FqYpP3kzo8+1AB8b M5Rzy/QWtrZXMzHKds4muw== =0uMr -----END PGP SIGNATURE----- Merge tag 'for-net-2024-05-03' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth Luiz Augusto von Dentz says: ==================== bluetooth pull request for net: - mediatek: mt8183-pico6: Fix bluetooth node - sco: Fix use-after-free bugs caused by sco_sock_timeout - l2cap: fix null-ptr-deref in l2cap_chan_timeout - qca: Various fixes - l2cap: Fix slab-use-after-free in l2cap_connect() - msft: fix slab-use-after-free in msft_do_close() - HCI: Fix potential null-ptr-deref * tag 'for-net-2024-05-03' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth: Bluetooth: qca: fix firmware check error path Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout Bluetooth: HCI: Fix potential null-ptr-deref arm64: dts: mediatek: mt8183-pico6: Fix bluetooth node Bluetooth: qca: fix info leak when fetching board id Bluetooth: qca: fix info leak when fetching fw build id Bluetooth: qca: generalise device address check Bluetooth: qca: fix NVM configuration parsing Bluetooth: qca: add missing firmware sanity checks Bluetooth: msft: fix slab-use-after-free in msft_do_close() Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect() Bluetooth: qca: fix wcn3991 device address check Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout ==================== Link: https://lore.kernel.org/r/20240503171933.3851244-1-luiz.dentz@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> |
||
Marek Vasut
|
e0863634bf |
net: ks8851: Queue RX packets in IRQ handler instead of disabling BHs
Currently the driver uses local_bh_disable()/local_bh_enable() in its
IRQ handler to avoid triggering net_rx_action() softirq on exit from
netif_rx(). The net_rx_action() could trigger this driver .start_xmit
callback, which is protected by the same lock as the IRQ handler, so
calling the .start_xmit from netif_rx() from the IRQ handler critical
section protected by the lock could lead to an attempt to claim the
already claimed lock, and a hang.
The local_bh_disable()/local_bh_enable() approach works only in case
the IRQ handler is protected by a spinlock, but does not work if the
IRQ handler is protected by mutex, i.e. this works for KS8851 with
Parallel bus interface, but not for KS8851 with SPI bus interface.
Remove the BH manipulation and instead of calling netif_rx() inside
the IRQ handler code protected by the lock, queue all the received
SKBs in the IRQ handler into a queue first, and once the IRQ handler
exits the critical section protected by the lock, dequeue all the
queued SKBs and push them all into netif_rx(). At this point, it is
safe to trigger the net_rx_action() softirq, since the netif_rx()
call is outside of the lock that protects the IRQ handler.
Fixes:
|
||
Linus Torvalds
|
ddb4c3f25b |
xen: branch for v6.9-rc7
-----BEGIN PGP SIGNATURE----- iHUEABYIAB0WIQRTLbB6QfY48x44uB6AXGG7T9hjvgUCZjTV0gAKCRCAXGG7T9hj vlCoAP4wxpMiuAi7AR2PGUiSeGjH/RwDBJR8xBXJawwpzou8TwD/eWK0uYGYyfAr R1P2KQcOynBibNQ8iNvVkYjO270v5QY= =/4ly -----END PGP SIGNATURE----- Merge tag 'for-linus-6.9a-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip Pull xen fixes from Juergen Gross: "Two fixes when running as Xen PV guests for issues introduced in the 6.9 merge window, both related to apic id handling" * tag 'for-linus-6.9a-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip: x86/xen: return a sane initial apic id when running as PV guest x86/xen/smp_pv: Register the boot CPU APIC properly |
||
|
Linus Torvalds
|
f094ee78e0 |
EFI fix for v6.9 (#1)
- Avoid triggering the softlockup watchdog when accepting large chunks of memory from the hypervisor -----BEGIN PGP SIGNATURE----- iHUEABYIAB0WIQQQm/3uucuRGn1Dmh0wbglWLn0tXAUCZjS4yAAKCRAwbglWLn0t XIOQAPkBZlRdhlbegKjguyvVk9S6EKAgA1j94L/gK8ZL9olbUwD/fEuBIm+U2wtv Ntulu0l5kiHSJzC8lwsUdtUSd+ovUQg= =o5dU -----END PGP SIGNATURE----- Merge tag 'efi-urgent-for-v6.9-1' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi Pull EFI fix from Ard Biesheuvel: "This works around a shortcoming in the memory acceptation API, which may apparently hog the CPU for long enough to trigger the softlockup watchdog. Note that this only affects confidential VMs running under the Intel TDX hypervisor, which is why I accepted this for now, but this should obviously be fixed properly in the future" * tag 'efi-urgent-for-v6.9-1' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi: efi/unaccepted: touch soft lockup during memory accept |
||
Johan Hovold
|
40d442f969 |
Bluetooth: qca: fix firmware check error path
A recent commit fixed the code that parses the firmware files before
downloading them to the controller but introduced a memory leak in case
the sanity checks ever fail.
Make sure to free the firmware buffer before returning on errors.
Fixes:
|
||
Duoming Zhou
|
adf0398cee |
Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout
There is a race condition between l2cap_chan_timeout() and
l2cap_chan_del(). When we use l2cap_chan_del() to delete the
channel, the chan->conn will be set to null. But the conn could
be dereferenced again in the mutex_lock() of l2cap_chan_timeout().
As a result the null pointer dereference bug will happen. The
KASAN report triggered by POC is shown below:
[ 472.074580] ==================================================================
[ 472.075284] BUG: KASAN: null-ptr-deref in mutex_lock+0x68/0xc0
[ 472.075308] Write of size 8 at addr 0000000000000158 by task kworker/0:0/7
[ 472.075308]
[ 472.075308] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.9.0-rc5-00356-g78c0094a146b #36
[ 472.075308] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4
[ 472.075308] Workqueue: events l2cap_chan_timeout
[ 472.075308] Call Trace:
[ 472.075308] <TASK>
[ 472.075308] dump_stack_lvl+0x137/0x1a0
[ 472.075308] print_report+0x101/0x250
[ 472.075308] ? __virt_addr_valid+0x77/0x160
[ 472.075308] ? mutex_lock+0x68/0xc0
[ 472.075308] kasan_report+0x139/0x170
[ 472.075308] ? mutex_lock+0x68/0xc0
[ 472.075308] kasan_check_range+0x2c3/0x2e0
[ 472.075308] mutex_lock+0x68/0xc0
[ 472.075308] l2cap_chan_timeout+0x181/0x300
[ 472.075308] process_one_work+0x5d2/0xe00
[ 472.075308] worker_thread+0xe1d/0x1660
[ 472.075308] ? pr_cont_work+0x5e0/0x5e0
[ 472.075308] kthread+0x2b7/0x350
[ 472.075308] ? pr_cont_work+0x5e0/0x5e0
[ 472.075308] ? kthread_blkcg+0xd0/0xd0
[ 472.075308] ret_from_fork+0x4d/0x80
[ 472.075308] ? kthread_blkcg+0xd0/0xd0
[ 472.075308] ret_from_fork_asm+0x11/0x20
[ 472.075308] </TASK>
[ 472.075308] ==================================================================
[ 472.094860] Disabling lock debugging due to kernel taint
[ 472.096136] BUG: kernel NULL pointer dereference, address: 0000000000000158
[ 472.096136] #PF: supervisor write access in kernel mode
[ 472.096136] #PF: error_code(0x0002) - not-present page
[ 472.096136] PGD 0 P4D 0
[ 472.096136] Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI
[ 472.096136] CPU: 0 PID: 7 Comm: kworker/0:0 Tainted: G B 6.9.0-rc5-00356-g78c0094a146b #36
[ 472.096136] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4
[ 472.096136] Workqueue: events l2cap_chan_timeout
[ 472.096136] RIP: 0010:mutex_lock+0x88/0xc0
[ 472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88
[ 472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246
[ 472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865
[ 472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78
[ 472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f
[ 472.096136] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000
[ 472.096136] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00
[ 472.096136] FS: 0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
[ 472.096136] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 472.096136] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0
[ 472.096136] Call Trace:
[ 472.096136] <TASK>
[ 472.096136] ? __die_body+0x8d/0xe0
[ 472.096136] ? page_fault_oops+0x6b8/0x9a0
[ 472.096136] ? kernelmode_fixup_or_oops+0x20c/0x2a0
[ 472.096136] ? do_user_addr_fault+0x1027/0x1340
[ 472.096136] ? _printk+0x7a/0xa0
[ 472.096136] ? mutex_lock+0x68/0xc0
[ 472.096136] ? add_taint+0x42/0xd0
[ 472.096136] ? exc_page_fault+0x6a/0x1b0
[ 472.096136] ? asm_exc_page_fault+0x26/0x30
[ 472.096136] ? mutex_lock+0x75/0xc0
[ 472.096136] ? mutex_lock+0x88/0xc0
[ 472.096136] ? mutex_lock+0x75/0xc0
[ 472.096136] l2cap_chan_timeout+0x181/0x300
[ 472.096136] process_one_work+0x5d2/0xe00
[ 472.096136] worker_thread+0xe1d/0x1660
[ 472.096136] ? pr_cont_work+0x5e0/0x5e0
[ 472.096136] kthread+0x2b7/0x350
[ 472.096136] ? pr_cont_work+0x5e0/0x5e0
[ 472.096136] ? kthread_blkcg+0xd0/0xd0
[ 472.096136] ret_from_fork+0x4d/0x80
[ 472.096136] ? kthread_blkcg+0xd0/0xd0
[ 472.096136] ret_from_fork_asm+0x11/0x20
[ 472.096136] </TASK>
[ 472.096136] Modules linked in:
[ 472.096136] CR2: 0000000000000158
[ 472.096136] ---[ end trace 0000000000000000 ]---
[ 472.096136] RIP: 0010:mutex_lock+0x88/0xc0
[ 472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88
[ 472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246
[ 472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865
[ 472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78
[ 472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f
[ 472.132932] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000
[ 472.132932] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00
[ 472.132932] FS: 0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
[ 472.132932] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 472.132932] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0
[ 472.132932] Kernel panic - not syncing: Fatal exception
[ 472.132932] Kernel Offset: disabled
[ 472.132932] ---[ end Kernel panic - not syncing: Fatal exception ]---
Add a check to judge whether the conn is null in l2cap_chan_timeout()
in order to mitigate the bug.
Fixes:
|
||
Sungwoo Kim
|
d2706004a1 |
Bluetooth: HCI: Fix potential null-ptr-deref
Fix potential null-ptr-deref in hci_le_big_sync_established_evt().
Fixes:
|
||
Chen-Yu Tsai
|
cd17bcbd2b |
arm64: dts: mediatek: mt8183-pico6: Fix bluetooth node
Bluetooth is not a random device connected to the MMC/SD controller. It
is function 2 of the SDIO device.
Fix the address of the bluetooth node. Also fix the node name and drop
the label.
Fixes:
|
||
|
Johan Hovold
|
0adcf6be14 |
Bluetooth: qca: fix info leak when fetching board id
Add the missing sanity check when fetching the board id to avoid leaking
slab data when later requesting the firmware.
Fixes:
|
||
|
Johan Hovold
|
cda0d6a198 |
Bluetooth: qca: fix info leak when fetching fw build id
Add the missing sanity checks and move the 255-byte build-id buffer off
the stack to avoid leaking stack data through debugfs in case the
build-info reply is malformed.
Fixes:
|
||
|
Johan Hovold
|
dd336649ba |
Bluetooth: qca: generalise device address check
The default device address apparently comes from the NVM configuration
file and can differ quite a bit between controllers.
Store the default address when parsing the configuration file and use it
to determine whether the controller has been provisioned with an
address.
This makes sure that devices without a unique address start as
unconfigured unless a valid address has been provided in the devicetree.
Fixes:
|
||
|
Johan Hovold
|
a112d3c72a |
Bluetooth: qca: fix NVM configuration parsing
The NVM configuration files used by WCN3988 and WCN3990/1/8 have two sets of configuration tags that are enclosed by a type-length header of type four which the current parser fails to account for. Instead the driver happily parses random data as if it were valid tags, something which can lead to the configuration data being corrupted if it ever encounters the words 0x0011 or 0x001b. As is clear from commit |
||
|
Johan Hovold
|
2e4edfa1e2 |
Bluetooth: qca: add missing firmware sanity checks
Add the missing sanity checks when parsing the firmware files before
downloading them to avoid accessing and corrupting memory beyond the
vmalloced buffer.
Fixes:
|
||
|
Sungwoo Kim
|
10f9f426ac |
Bluetooth: msft: fix slab-use-after-free in msft_do_close()
Tying the msft->data lifetime to hdev by freeing it in
hci_release_dev() to fix the following case:
[use]
msft_do_close()
msft = hdev->msft_data;
if (!msft) ...(1) <- passed.
return;
mutex_lock(&msft->filter_lock); ...(4) <- used after freed.
[free]
msft_unregister()
msft = hdev->msft_data;
hdev->msft_data = NULL; ...(2)
kfree(msft); ...(3) <- msft is freed.
==================================================================
BUG: KASAN: slab-use-after-free in __mutex_lock_common
kernel/locking/mutex.c:587 [inline]
BUG: KASAN: slab-use-after-free in __mutex_lock+0x8f/0xc30
kernel/locking/mutex.c:752
Read of size 8 at addr ffff888106cbbca8 by task kworker/u5:2/309
Fixes:
|
||
|
Sungwoo Kim
|
4d7b41c0e4 |
Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()
Extend a critical section to prevent chan from early freeing.
Also make the l2cap_connect() return type void. Nothing is using the
returned value but it is ugly to return a potentially freed pointer.
Making it void will help with backports because earlier kernels did use
the return value. Now the compile will break for kernels where this
patch is not a complete fix.
Call stack summary:
[use]
l2cap_bredr_sig_cmd
l2cap_connect
┌ mutex_lock(&conn->chan_lock);
│ chan = pchan->ops->new_connection(pchan); <- alloc chan
│ __l2cap_chan_add(conn, chan);
│ l2cap_chan_hold(chan);
│ list_add(&chan->list, &conn->chan_l); ... (1)
└ mutex_unlock(&conn->chan_lock);
chan->conf_state ... (4) <- use after free
[free]
l2cap_conn_del
┌ mutex_lock(&conn->chan_lock);
│ foreach chan in conn->chan_l: ... (2)
│ l2cap_chan_put(chan);
│ l2cap_chan_destroy
│ kfree(chan) ... (3) <- chan freed
└ mutex_unlock(&conn->chan_lock);
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read
include/linux/instrumented.h:68 [inline]
BUG: KASAN: slab-use-after-free in _test_bit
include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: slab-use-after-free in l2cap_connect+0xa67/0x11a0
net/bluetooth/l2cap_core.c:4260
Read of size 8 at addr ffff88810bf040a0 by task kworker/u3:1/311
Fixes:
|
||
|
Johan Hovold
|
66c39332d0 |
Bluetooth: qca: fix wcn3991 device address check
Qualcomm Bluetooth controllers may not have been provisioned with a
valid device address and instead end up using the default address
00:00:00:00:5a:ad.
This address is now used to determine if a controller has a valid
address or if one needs to be provided through devicetree or by user
space before the controller can be used.
It turns out that the WCN3991 controllers used in Chromium Trogdor
machines use a different default address, 39:98:00:00:5a:ad, which also
needs to be marked as invalid so that the correct address is fetched
from the devicetree.
Qualcomm has unfortunately not yet provided any answers as to whether
the 39:98 encodes a hardware id and if there are other variants of the
default address that needs to be handled by the driver.
For now, add the Trogdor WCN3991 default address to the device address
check to avoid having these controllers start with the default address
instead of their assigned addresses.
Fixes:
|
||
|
Duoming Zhou
|
483bc08181 |
Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout
When the sco connection is established and then, the sco socket
is releasing, timeout_work will be scheduled to judge whether
the sco disconnection is timeout. The sock will be deallocated
later, but it is dereferenced again in sco_sock_timeout. As a
result, the use-after-free bugs will happen. The root cause is
shown below:
Cleanup Thread | Worker Thread
sco_sock_release |
sco_sock_close |
__sco_sock_close |
sco_sock_set_timer |
schedule_delayed_work |
sco_sock_kill | (wait a time)
sock_put(sk) //FREE | sco_sock_timeout
| sock_hold(sk) //USE
The KASAN report triggered by POC is shown below:
[ 95.890016] ==================================================================
[ 95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0
[ 95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7
...
[ 95.890755] Workqueue: events sco_sock_timeout
[ 95.890755] Call Trace:
[ 95.890755] <TASK>
[ 95.890755] dump_stack_lvl+0x45/0x110
[ 95.890755] print_address_description+0x78/0x390
[ 95.890755] print_report+0x11b/0x250
[ 95.890755] ? __virt_addr_valid+0xbe/0xf0
[ 95.890755] ? sco_sock_timeout+0x5e/0x1c0
[ 95.890755] kasan_report+0x139/0x170
[ 95.890755] ? update_load_avg+0xe5/0x9f0
[ 95.890755] ? sco_sock_timeout+0x5e/0x1c0
[ 95.890755] kasan_check_range+0x2c3/0x2e0
[ 95.890755] sco_sock_timeout+0x5e/0x1c0
[ 95.890755] process_one_work+0x561/0xc50
[ 95.890755] worker_thread+0xab2/0x13c0
[ 95.890755] ? pr_cont_work+0x490/0x490
[ 95.890755] kthread+0x279/0x300
[ 95.890755] ? pr_cont_work+0x490/0x490
[ 95.890755] ? kthread_blkcg+0xa0/0xa0
[ 95.890755] ret_from_fork+0x34/0x60
[ 95.890755] ? kthread_blkcg+0xa0/0xa0
[ 95.890755] ret_from_fork_asm+0x11/0x20
[ 95.890755] </TASK>
[ 95.890755]
[ 95.890755] Allocated by task 506:
[ 95.890755] kasan_save_track+0x3f/0x70
[ 95.890755] __kasan_kmalloc+0x86/0x90
[ 95.890755] __kmalloc+0x17f/0x360
[ 95.890755] sk_prot_alloc+0xe1/0x1a0
[ 95.890755] sk_alloc+0x31/0x4e0
[ 95.890755] bt_sock_alloc+0x2b/0x2a0
[ 95.890755] sco_sock_create+0xad/0x320
[ 95.890755] bt_sock_create+0x145/0x320
[ 95.890755] __sock_create+0x2e1/0x650
[ 95.890755] __sys_socket+0xd0/0x280
[ 95.890755] __x64_sys_socket+0x75/0x80
[ 95.890755] do_syscall_64+0xc4/0x1b0
[ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f
[ 95.890755]
[ 95.890755] Freed by task 506:
[ 95.890755] kasan_save_track+0x3f/0x70
[ 95.890755] kasan_save_free_info+0x40/0x50
[ 95.890755] poison_slab_object+0x118/0x180
[ 95.890755] __kasan_slab_free+0x12/0x30
[ 95.890755] kfree+0xb2/0x240
[ 95.890755] __sk_destruct+0x317/0x410
[ 95.890755] sco_sock_release+0x232/0x280
[ 95.890755] sock_close+0xb2/0x210
[ 95.890755] __fput+0x37f/0x770
[ 95.890755] task_work_run+0x1ae/0x210
[ 95.890755] get_signal+0xe17/0xf70
[ 95.890755] arch_do_signal_or_restart+0x3f/0x520
[ 95.890755] syscall_exit_to_user_mode+0x55/0x120
[ 95.890755] do_syscall_64+0xd1/0x1b0
[ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f
[ 95.890755]
[ 95.890755] The buggy address belongs to the object at ffff88800c388000
[ 95.890755] which belongs to the cache kmalloc-1k of size 1024
[ 95.890755] The buggy address is located 128 bytes inside of
[ 95.890755] freed 1024-byte region [ffff88800c388000, ffff88800c388400)
[ 95.890755]
[ 95.890755] The buggy address belongs to the physical page:
[ 95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388
[ 95.890755] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 95.890755] anon flags: 0x100000000000840(slab|head|node=0|zone=1)
[ 95.890755] page_type: 0xffffffff()
[ 95.890755] raw: 0100000000000840 ffff888006842dc0 0000000000000000 0000000000000001
[ 95.890755] raw: ffff88800c38a800 000000000010000a 00000001ffffffff 0000000000000000
[ 95.890755] head: 0100000000000840 ffff888006842dc0 0000000000000000 0000000000000001
[ 95.890755] head: ffff88800c38a800 000000000010000a 00000001ffffffff 0000000000000000
[ 95.890755] head: 0100000000000003 ffffea000030e201 ffffea000030e248 00000000ffffffff
[ 95.890755] head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
[ 95.890755] page dumped because: kasan: bad access detected
[ 95.890755]
[ 95.890755] Memory state around the buggy address:
[ 95.890755] ffff88800c387f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 95.890755] ffff88800c388000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 95.890755] >ffff88800c388080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 95.890755] ^
[ 95.890755] ffff88800c388100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 95.890755] ffff88800c388180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 95.890755] ==================================================================
Fix this problem by adding a check protected by sco_conn_lock to judget
whether the conn->hcon is null. Because the conn->hcon will be set to null,
when the sock is releasing.
Fixes:
|
||
Bjorn Helgaas
|
2e0239d47d |
PCI/ASPM: Clarify that pcie_aspm=off means leave ASPM untouched
Previously we claimed "pcie_aspm=off" meant that ASPM would be disabled, which is wrong. Correct this to say that with "pcie_aspm=off", Linux doesn't touch any ASPM configuration at all. ASPM may have been enabled by firmware, and that will be left unchanged. See "aspm_support_enabled". Link: https://lore.kernel.org/r/20240429191821.691726-1-helgaas@kernel.org Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> Reviewed-by: David E. Box <david.e.box@linux.intel.com> |
||
|
Linus Torvalds
|
3d25a941ea |
block-6.9-20240503
-----BEGIN PGP SIGNATURE----- iQJEBAABCAAuFiEEwPw5LcreJtl1+l5K99NY+ylx4KYFAmY09JYQHGF4Ym9lQGtl cm5lbC5kawAKCRD301j7KXHgpvYID/wNyZxtEc4VP7u6fqwzawdf6Cawi+rJ0MN+ 7fJATnV9Az7Jh7vy7XTDJ01yUe7u/uMvep4XrXuR38Pq5Kfu8jMx1BJ2M2tBJzr3 s2UWgiWSlCQuhKJsAstEVoimMBYggreS7fVYoTzs4b4ZixJF9mVyjUMxSIKj7N19 S3iyzb4CwJw5EhB7vZqIoi0wzaHfRvyXP0ssYlBC2yY7r04N+RjY1q7IrwsLey8f n6j6bHENbfKd/fY3clb0MilXAsfYMAdMhl4vyK/8Z0Lfe+sjeRz7z++1nRASd/cE Sc6GW/Dp4xtgJU63VT/bYEPxwo4ZLDoutgrq3SI0kxOVks+JDPnLBVoDdPyJhEct dZWm4ZThuD5DJ1kEIAsiDaHsy/konhvcPnR1tDZYgs4K4uOvP5XJKnl/qlAd+Hud 4MXahuoIrV8XONuUjKXWEQ5mdekPV00JpYGgc4BTKR6DiNkFx4OPR/gnYYR1aDLS uASXNBwaqYTu+iMiqYYW2m1ryagtCChVh510gjUZBxFTLGR95RwTZDTgVUqeVbTK ZkQh9uhmYGOzVWEKIlGc903TcmA2EByq+rPIewc7WJfFp/Ob1YamgUVUfWUVnAG6 KBKfWRGzeQHkf2QHOeThWVlGXr7gDHtS5fib27aPXaW/gTc3qveBl3GxfT1Nxo+z y1TbxWfnEA== =of/D -----END PGP SIGNATURE----- Merge tag 'block-6.9-20240503' of git://git.kernel.dk/linux Pull block fixes from Jens Axboe: "Nothing major in here - an nvme pull request with mostly auth/tcp fixes, and a single fix for ublk not setting segment count and size limits" * tag 'block-6.9-20240503' of git://git.kernel.dk/linux: nvme-tcp: strict pdu pacing to avoid send stalls on TLS nvmet: fix nvme status code when namespace is disabled nvmet-tcp: fix possible memory leak when tearing down a controller nvme: cancel pending I/O if nvme controller is in terminal state nvmet-auth: replace pr_debug() with pr_err() to report an error. nvmet-auth: return the error code to the nvmet_auth_host_hash() callers nvme: find numa distance only if controller has valid numa id ublk: remove segment count and size limits nvme: fix warn output about shared namespaces without CONFIG_NVME_MULTIPATH |
||
|
Linus Torvalds
|
7dc78c7b44 |
sound fixes for 6.9-rc7
As usual in a late stage, we received a fair amount of fixes for ASoC, and it became bigger than wished. But all fixes are rather device- specific, and they look pretty safe to apply. A major par of changes are series of fixes for ASoC meson and SOF drivers as well as for Realtek and Cirrus codecs. In addition, recent emu10k1 regression fixes and usual HD-audio quirks are included. -----BEGIN PGP SIGNATURE----- iQJCBAABCAAsFiEEIXTw5fNLNI7mMiVaLtJE4w1nLE8FAmY0n6wOHHRpd2FpQHN1 c2UuZGUACgkQLtJE4w1nLE8PqA/7BB6G1i3ARX7MusxZA/bqoEQ5nVhocs/WJGos WCUTc6GH9uWvpBE+dY3/9IQemnndb5LaKuIK8Bh1ooTdHiu431X4cXPqX5U2gvbW iHom2Mk7KFPVqQEzx0QV4i5gc68G3FMgwi2G6FMx4APaNn2XpyTweKoV9V8keBQq lpLQ5dxxeK4CJQFen5HOY0NqxtydSq4ee1wEK8UaxYWdI0U6EQ3aHqs+MvUytTvv zgfm0QUE1tWjpEg2NnVdsJsoJ7W8NQWJqhuELR+cZY2nE6c0yEZDSmVOcCe8SaDu GjsAQZ3RWIBtBnjeU9XYdtxOqviDAzxic0x0CQWS/WIk/AI4vLRBu8ke+0N92lrO XthqrbF+5Gf+SwGeh8UldInR/wFMnvatOhg91JGJfFFOq8lPSk6XG59CXc6o8Hqc G7fWxRkbPI93mSxmWdoOLfzoQLpCUw2hKt5CtKVpPs3Pw01lKUK5ypRMDxpr8yiv gJ8RpK9d1Rxvi6422B3f+/0uX/R2Lis1D28GzqJDAvR12GceJtX2Ngnto0xya3Hb n4nAUA2CP1OdaHX9652iC+7d7NI7RHFen1Pme/EvidH2aA93C5W6FzpcmI5J70AZ BCCaeHnAP4mLY2Xozi12RHb9+fBZ+OJ3nSg79EiTKyTzf11DqTZe1/QLg+gTl4Aa n4ZaTKY= =K8HF -----END PGP SIGNATURE----- Merge tag 'sound-6.9-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "As usual in a late stage, we received a fair amount of fixes for ASoC, and it became bigger than wished. But all fixes are rather device- specific, and they look pretty safe to apply. A major par of changes are series of fixes for ASoC meson and SOF drivers as well as for Realtek and Cirrus codecs. In addition, recent emu10k1 regression fixes and usual HD-audio quirks are included" * tag 'sound-6.9-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (46 commits) ALSA: hda/realtek: Fix build error without CONFIG_PM ALSA: hda/realtek: Fix conflicting PCI SSID 17aa:386f for Lenovo Legion models ALSA: hda/realtek - Set GPIO3 to default at S4 state for Thinkpad with ALC1318 ALSA: hda: intel-sdw-acpi: fix usage of device_get_named_child_node() ALSA: hda: intel-dsp-config: harden I2C/I2S codec detection ASoC: cs35l56: fix usages of device_get_named_child_node() ASoC: da7219-aad: fix usage of device_get_named_child_node() ASoC: meson: cards: select SND_DYNAMIC_MINORS ASoC: meson: axg-tdm: add continuous clock support ASoC: meson: axg-tdm-interface: manage formatters in trigger ASoC: meson: axg-card: make links nonatomic ASoC: meson: axg-fifo: use threaded irq to check periods ALSA: hda/realtek: Fix mute led of HP Laptop 15-da3001TU ALSA: emu10k1: make E-MU FPGA writes potentially more reliable ALSA: emu10k1: fix E-MU dock initialization ALSA: emu10k1: use mutex for E-MU FPGA access locking ALSA: emu10k1: move the whole GPIO event handling to the workqueue ALSA: emu10k1: factor out snd_emu1010_load_dock_firmware() ALSA: emu10k1: fix E-MU card dock presence monitoring ASoC: rt715-sdca: volume step modification ... |
||
|
Linus Torvalds
|
b5a66609a6 |
drm fixes for 6.9-rc7
amdgpu: - Fix VRAM memory accounting - DCN 3.1 fixes - DCN 2.0 fix - DCN 3.1.5 fix - DCN 3.5 fix - DCN 3.2.1 fix - DP fixes - Seamless boot fix - Fix call order in amdgpu_ttm_move() - Fix doorbell regression - Disable panel replay temporarily amdkfd: - Flush wq before creating kfd process xe: - Fix UAF on rebind worker - Fix ADL-N display integration imagination: - fix page-count macro nouveau: - avoid page-table allocation failures - fix firmware memory allocation panel: - ili9341: avoid OF for device properties; respect deferred probe; fix usage of errno codes ttm: - fix status output vmwgfx: - fix legacy display unit - fix read length in fence signalling -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEEKbZHaGwW9KfbeusDHTzWXnEhr4FAmY0XiIACgkQDHTzWXnE hr5d6w/9G8KU+0lrKnCmZtC/ViEwSz19SZwTkbajCtYsO+MaZA1caA7WNFa9aD+F sMGbNaeI+5nlc84bBEKCRtln2KK5U6oyY2oEmjb23T2W2qzrOHEBU0f98DOTaHeL HDSDYP50linfOVnASKoQ7jx0x8dnO7ITS62V5ooedK9JTG8V8hhheFT1xzKyuohE SNbaHlvKOCruJCvi5G/ygZmTI17pj72u5KEE0Vr8TmxGqloxMiYwdut+gluqPfMv E6D9D+zstnUi8vWtKYW94CeIinKvA8k3IQdP5T09uKwsrNL+uJZfexNMe5/swaSo 9ugF/gpAAKxG2Hvm2u62DafCs8SP77lTg/Qy0fo2Ie5nkShOGecM0dp2GW4x7Jmn 6T0Qa3XNOcRVKpIL8wda6FGr6l1UVQUNp8IrOUZiy1W7LQkBLW7QPwjfnh7Cn+Xg VpUOc+PAV666wPtG3fv0rCjBbslgvB8z1sLSnlUTxMaq0+VHsxczs9BAigkqMH+F Zi3wUgvFf23vjYefIEkNbQrUvcjFwzRVCM0EZeM/O2o8X0PYWIgS+0OIGXPbkAPu /RCWbEBHVQqgLME/vWbktfYVjm76vhizPvoHGi451zxMhAzaQo7bhqrEVp2+IRfk HiQljceUvU4eU1Ey8ApNC8SrVs8swjmKiJNess0ujebKiLco0Hw= =B5on -----END PGP SIGNATURE----- Merge tag 'drm-fixes-2024-05-03' of https://gitlab.freedesktop.org/drm/kernel Pull drm fixes from Dave Airlie: "Weekly fixes, mostly made up from amdgpu and some panel changes. Otherwise xe, nouveau, vmwgfx and a couple of others, all seems pretty on track. amdgpu: - Fix VRAM memory accounting - DCN 3.1 fixes - DCN 2.0 fix - DCN 3.1.5 fix - DCN 3.5 fix - DCN 3.2.1 fix - DP fixes - Seamless boot fix - Fix call order in amdgpu_ttm_move() - Fix doorbell regression - Disable panel replay temporarily amdkfd: - Flush wq before creating kfd process xe: - Fix UAF on rebind worker - Fix ADL-N display integration imagination: - fix page-count macro nouveau: - avoid page-table allocation failures - fix firmware memory allocation panel: - ili9341: avoid OF for device properties; respect deferred probe; fix usage of errno codes ttm: - fix status output vmwgfx: - fix legacy display unit - fix read length in fence signalling" * tag 'drm-fixes-2024-05-03' of https://gitlab.freedesktop.org/drm/kernel: (25 commits) drm/xe/display: Fix ADL-N detection drm/panel: ili9341: Use predefined error codes drm/panel: ili9341: Respect deferred probe drm/panel: ili9341: Correct use of device property APIs drm/xe/vm: prevent UAF in rebind_work_func() drm/amd/display: Disable panel replay by default for now drm/amdgpu: fix doorbell regression drm/amdkfd: Flush the process wq before creating a kfd_process drm/amd/display: Disable seamless boot on 128b/132b encoding drm/amd/display: Fix DC mode screen flickering on DCN321 drm/amd/display: Add VCO speed parameter for DCN31 FPU drm/amdgpu: once more fix the call oder in amdgpu_ttm_move() v2 drm/amd/display: Allocate zero bw after bw alloc enable drm/amd/display: Fix incorrect DSC instance for MST drm/amd/display: Atom Integrated System Info v2_2 for DCN35 drm/amd/display: Add dtbclk access to dcn315 drm/amd/display: Ensure that dmcub support flag is set for DCN20 drm/amd/display: Handle Y carry-over in VCP X.Y calculation drm/amdgpu: Fix VRAM memory accounting drm/vmwgfx: Fix invalid reads in fence signaled events ... |
||
|
Linus Torvalds
|
9fbc8bdf17 |
spi: Fixes for v6.9
A few small fixes for v6.9, the core fix is for issues with reuse of a spi_message in the case where we've got queued messages (a relatively rare occurrence with modern code so it wasn't noticed in testing). We also avoid an issue with the Kunpeng driver by simply removing the debug interface that could trigger it, and address issues with confusing and corrupted output when printing the IP version of the AXI SPI engine. -----BEGIN PGP SIGNATURE----- iQEzBAABCgAdFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAmY0RbIACgkQJNaLcl1U h9Ao1wf/dSEewEiXc7VX1vVyF0LnHU71/36b/cJCLFErUNckHvDOa6Be3P0W8ThP WQrbpVizvSCr29hvyNwUtmWLdXFxjyj/69QsXT7NtNCofJTV9kQ5ILgtsj/Pe8Yr aVInONIqyuZlv3xEiRQIt+vnxmz3JM2zVdjFjcj1CrKpEbOob4VGUgwMLi0itvCJ F5WKiVDUMW/LnbEW5mPPyIPbAN1mKGKyGtW4Z9968/BYvUQzz5vzPOst0zvmkHJo SZ47n8G7rbcZXJB4TX62fOTp5gIm+/JQZKQ75MhmxlqYE4/ztZLsvqb9pG86c0+K NqJA/Yjs5rTE5oeIDwBUlSY8Orh0fA== =OIWj -----END PGP SIGNATURE----- Merge tag 'spi-fix-v6.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi Pull spi fixes from Mark Brown: "A few small fixes for v6.9, The core fix is for issues with reuse of a spi_message in the case where we've got queued messages (a relatively rare occurrence with modern code so it wasn't noticed in testing). We also avoid an issue with the Kunpeng driver by simply removing the debug interface that could trigger it, and address issues with confusing and corrupted output when printing the IP version of the AXI SPI engine" * tag 'spi-fix-v6.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi: spi: fix null pointer dereference within spi_sync spi: hisi-kunpeng: Delete the dump interface of data registers in debugfs spi: axi-spi-engine: fix version format string |
||
Jerome Brunet
|
0800103312 |
drm/meson: dw-hdmi: add bandgap setting for g12
When no mode is set, the utility pin appears to be grounded. No signal
is getting through.
This is problematic because ARC and eARC use this line and may do so even
if no display mode is set.
This change enable the bandgap setting on g12 chip, which fix the problem
with the utility pin. This is done by restoring init values on PHY init and
disable.
Fixes:
|
||
|
Jerome Brunet
|
04703bfd7f |
drm/meson: dw-hdmi: power up phy on device init
The phy is not in a useful state right after init. It will become useful,
including for auxiliary function such as CEC or ARC, after the first mode
is set. This is a problem on systems where the display is using another
interface like DSI or CVBS.
This change refactor the init and mode change callback to power up the PHY
on init and leave only what is necessary for mode changes in the related
function. This is enough to fix CEC operation when HDMI display is not
enabled.
Fixes:
|
||
Viken Dadhaniya
|
98241a774d |
slimbus: qcom-ngd-ctrl: Add timeout for wait operation
In current driver qcom_slim_ngd_up_worker() indefinitely
waiting for ctrl->qmi_up completion object. This is
resulting in workqueue lockup on Kthread.
Added wait_for_completion_interruptible_timeout to
allow the thread to wait for specific timeout period and
bail out instead waiting infinitely.
Fixes:
|
||
Ben Wolsieffer
|
52b62e7a5d
|
spi: stm32: enable controller before asserting CS
On the STM32F4/7, the MOSI and CLK pins float while the controller is disabled. CS is a regular GPIO, and therefore always driven. Currently, the controller is enabled in the transfer_one() callback, which runs after CS is asserted. Therefore, there is a period where the SPI pins are floating while CS is asserted, making it possible for stray signals to disrupt communications. An analogous problem occurs at the end of the transfer when the controller is disabled before CS is released. This problem can be reliably observed by enabling the pull-up (if CPOL=0) or pull-down (if CPOL=1) on the clock pin. This will cause two extra unintended clock edges per transfer, when the controller is enabled and disabled. Note that this bug is likely not present on the STM32H7, because this driver sets the AFCNTR bit (not supported on F4/F7), which keeps the SPI pins driven even while the controller is disabled. Enabling/disabling the controller as part of runtime PM was suggested as an alternative approach, but this breaks the driver on the STM32MP1 (see [1]). The following quote from the manual may explain this: > To restart the internal state machine properly, SPI is strongly > suggested to be disabled and re-enabled before next transaction starts > despite its setting is not changed. This patch has been tested on an STM32F746 with a MAX14830 UART expander. [1] https://lore.kernel.org/lkml/ZXzRi_h2AMqEhMVw@dell-precision-5540/T/ Signed-off-by: Ben Wolsieffer <ben.wolsieffer@hefring.com> Link: https://lore.kernel.org/r/20240424135237.1329001-2-ben.wolsieffer@hefring.com Signed-off-by: Mark Brown <broonie@kernel.org> |
||
Kuniyuki Iwashima
|
f2db7230f7 |
tcp: Use refcount_inc_not_zero() in tcp_twsk_unique().
Anderson Nascimento reported a use-after-free splat in tcp_twsk_unique() with nice analysis. Since commit |
||
Eric Dumazet
|
94062790ae |
tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets
TCP_SYN_RECV state is really special, it is only used by
cross-syn connections, mostly used by fuzzers.
In the following crash [1], syzbot managed to trigger a divide
by zero in tcp_rcv_space_adjust()
A socket makes the following state transitions,
without ever calling tcp_init_transfer(),
meaning tcp_init_buffer_space() is also not called.
TCP_CLOSE
connect()
TCP_SYN_SENT
TCP_SYN_RECV
shutdown() -> tcp_shutdown(sk, SEND_SHUTDOWN)
TCP_FIN_WAIT1
To fix this issue, change tcp_shutdown() to not
perform a TCP_SYN_RECV -> TCP_FIN_WAIT1 transition,
which makes no sense anyway.
When tcp_rcv_state_process() later changes socket state
from TCP_SYN_RECV to TCP_ESTABLISH, then look at
sk->sk_shutdown to finally enter TCP_FIN_WAIT1 state,
and send a FIN packet from a sane socket state.
This means tcp_send_fin() can now be called from BH
context, and must use GFP_ATOMIC allocations.
[1]
divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 1 PID: 5084 Comm: syz-executor358 Not tainted 6.9.0-rc6-syzkaller-00022-g98369dccd2f8 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:tcp_rcv_space_adjust+0x2df/0x890 net/ipv4/tcp_input.c:767
Code: e3 04 4c 01 eb 48 8b 44 24 38 0f b6 04 10 84 c0 49 89 d5 0f 85 a5 03 00 00 41 8b 8e c8 09 00 00 89 e8 29 c8 48 0f af c3 31 d2 <48> f7 f1 48 8d 1c 43 49 8d 96 76 08 00 00 48 89 d0 48 c1 e8 03 48
RSP: 0018:ffffc900031ef3f0 EFLAGS: 00010246
RAX: 0c677a10441f8f42 RBX: 000000004fb95e7e RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000027d4b11f R08: ffffffff89e535a4 R09: 1ffffffff25e6ab7
R10: dffffc0000000000 R11: ffffffff8135e920 R12: ffff88802a9f8d30
R13: dffffc0000000000 R14: ffff88802a9f8d00 R15: 1ffff1100553f2da
FS: 00005555775c0380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1155bf2304 CR3: 000000002b9f2000 CR4: 0000000000350ef0
Call Trace:
<TASK>
tcp_recvmsg_locked+0x106d/0x25a0 net/ipv4/tcp.c:2513
tcp_recvmsg+0x25d/0x920 net/ipv4/tcp.c:2578
inet6_recvmsg+0x16a/0x730 net/ipv6/af_inet6.c:680
sock_recvmsg_nosec net/socket.c:1046 [inline]
sock_recvmsg+0x109/0x280 net/socket.c:1068
____sys_recvmsg+0x1db/0x470 net/socket.c:2803
___sys_recvmsg net/socket.c:2845 [inline]
do_recvmmsg+0x474/0xae0 net/socket.c:2939
__sys_recvmmsg net/socket.c:3018 [inline]
__do_sys_recvmmsg net/socket.c:3041 [inline]
__se_sys_recvmmsg net/socket.c:3034 [inline]
__x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7faeb6363db9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcc1997168 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007faeb6363db9
RDX: 0000000000000001 RSI: 0000000020000bc0 RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000001c
R10: 0000000000000122 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
Fixes:
|
||
Dave Airlie
|
09e10499ee |
Short summary of fixes pull:
imagination: - fix page-count macro nouveau: - avoid page-table allocation failures - fix firmware memory allocation panel: - ili9341: avoid OF for device properties; respect deferred probe; fix usage of errno codes ttm: - fix status output vmwgfx: - fix legacy display unit - fix read length in fence signalling -----BEGIN PGP SIGNATURE----- iQEzBAABCgAdFiEEchf7rIzpz2NEoWjlaA3BHVMLeiMFAmYz53QACgkQaA3BHVML eiP7Ggf/USKiwX3xhWFk3SLGCWYM+eflhPgyyTs4Ue8NYOd/0C7lDKtEWwSbPUlB 6Tg8FZW0OF0eLYQjl7/A0sufj/225mR8jKCmwbBg8KherqPfThxChRqh7kjcsaHR pG8yleio7oPGg4qB4hi/PENB5kVFw6s1tVPOz/X8W7V2aEVglO+9IGup6CB3TQKu 9kGHbgPVZ1SoDlXrmUmApfAy+Qqu4F8s3m8b6hYXvit3SqJl275aJIqL4fjw5Ufk DhbTfdL4ao28gOAIdRLuOlwpadMOl+rMTls8Q/FwW0Pk/S8Osu1QykhlhHBuBxzb bs3YmYwsMKeKofvLHwxrWqQVfH+TSA== =h9Cb -----END PGP SIGNATURE----- Merge tag 'drm-misc-fixes-2024-05-02' of https://gitlab.freedesktop.org/drm/misc/kernel into drm-fixes Short summary of fixes pull: imagination: - fix page-count macro nouveau: - avoid page-table allocation failures - fix firmware memory allocation panel: - ili9341: avoid OF for device properties; respect deferred probe; fix usage of errno codes ttm: - fix status output vmwgfx: - fix legacy display unit - fix read length in fence signalling Signed-off-by: Dave Airlie <airlied@redhat.com> From: Thomas Zimmermann <tzimmermann@suse.de> Link: https://patchwork.freedesktop.org/patch/msgid/20240502192117.GA12158@linux.fritz.box |
||
|
Dave Airlie
|
5c75d68132 |
- Fix UAF on rebind worker
- Fix ADL-N display integration -----BEGIN PGP SIGNATURE----- iQJNBAABCAA3FiEE6rM8lpABPHM5FqyDm6KlpjDL6lMFAmYzwBsZHGx1Y2FzLmRl bWFyY2hpQGludGVsLmNvbQAKCRCboqWmMMvqU1CtD/wN0VN/El51lYS/SZb0/PXA k1Ll+gVueVbiP2VdPq1e36B7PDZQXRCMPBCckTO5274fcaWdKF2/zHAEaMRoxn1n W3s00Tw36By6grD4fVQP5xBXiGOi1z7t80CHYblzK2lum3pEzWhwlvPtg1u8Y2p/ /3O+kKh4BXNTBgqrc8aMnbB1Ph6Ze/FmqjjRGlr/laaJQ3y76YwDD1gWj6xs5ADE HjA0tNB4AtSSQ0HosKcyeIYI+43FYf2AJBIPx0iflD/NLsujkhzFjRHHa5L97Lqb QUTRaP63GE1Ub0rtMUAMqpBQS/6u8hFmDAOXYLUj8hqjXZqnCr0kX+MEbA++A5QT XDnM2F4EMhHIEZuoVdG4OyWT6U0WjGTkl+RADqoejKsHoGIcTg/UHsr48iE1dClv K8D0bfjYiNMA7Gvw91z6SAanBc5fsE4vZ79i/2/P85WzhBEx9AWD5e8uz1i4yUI3 dteX/mHHW9+9fxkqSDeZm2ewzkiy1adzAy2zb/N8ARo7tldjB4BufRlR4a+HYCPP s2d+XWD7ia84ucQJlbkKhdRms252O5hsaXLJKe8aEr2pCfPYeZYPVsMghw7txXVQ FTGHfMo0AIZREdZ4r0z6gucI8B+Kr3mCT315f5PX09ubBmoBQMG9njcb7yPqD/nK skZ8MMPmd2ywoumBqbA32Q== =1BBP -----END PGP SIGNATURE----- Merge tag 'drm-xe-fixes-2024-05-02' of https://gitlab.freedesktop.org/drm/xe/kernel into drm-fixes - Fix UAF on rebind worker - Fix ADL-N display integration Signed-off-by: Dave Airlie <airlied@redhat.com> From: Lucas De Marchi <lucas.demarchi@intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/6bontwst3mbxozs6u3ad5n3g5zmaucrngbfwv4hkfhpscnwlym@wlwjgjx6pwue |
||
|
Dave Airlie
|
306eca05a5 |
amd-drm-fixes-6.9-2024-05-01:
amdgpu: - Fix VRAM memory accounting - DCN 3.1 fixes - DCN 2.0 fix - DCN 3.1.5 fix - DCN 3.5 fix - DCN 3.2.1 fix - DP fixes - Seamless boot fix - Fix call order in amdgpu_ttm_move() - Fix doorbell regression - Disable panel replay temporarily amdkfd: - Flush wq before creating kfd process -----BEGIN PGP SIGNATURE----- iHUEABYKAB0WIQQgO5Idg2tXNTSZAr293/aFa7yZ2AUCZjJG7gAKCRC93/aFa7yZ 2E2xAP9uleIcOO0Jfv79xbegZqOmt1pJfyC1+p3hKbbjJIuhTAEA3k+aMVVawjSH 15XWGthP2MsPwTqHBWUyS1n819xEgwM= =rcpg -----END PGP SIGNATURE----- Merge tag 'amd-drm-fixes-6.9-2024-05-01' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes amd-drm-fixes-6.9-2024-05-01: amdgpu: - Fix VRAM memory accounting - DCN 3.1 fixes - DCN 2.0 fix - DCN 3.1.5 fix - DCN 3.5 fix - DCN 3.2.1 fix - DP fixes - Seamless boot fix - Fix call order in amdgpu_ttm_move() - Fix doorbell regression - Disable panel replay temporarily amdkfd: - Flush wq before creating kfd process Signed-off-by: Dave Airlie <airlied@redhat.com> From: Alex Deucher <alexander.deucher@amd.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240501135054.1919108-1-alexander.deucher@amd.com |
||
Josef Bacik
|
e03418abde |
btrfs: make sure that WRITTEN is set on all metadata blocks
We previously would call btrfs_check_leaf() if we had the check
integrity code enabled, which meant that we could only run the extended
leaf checks if we had WRITTEN set on the header flags.
This leaves a gap in our checking, because we could end up with
corruption on disk where WRITTEN isn't set on the leaf, and then the
extended leaf checks don't get run which we rely on to validate all of
the item pointers to make sure we don't access memory outside of the
extent buffer.
However, since
|
||
Qu Wenruo
|
b5357cb268 |
btrfs: qgroup: do not check qgroup inherit if qgroup is disabled
[BUG] After kernel commit |
||
|
Linus Torvalds
|
f03359bca0 |
for-6.9-rc6-tag
-----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEE8rQSAMVO+zA4DBdWxWXV+ddtWDsFAmYzivoACgkQxWXV+ddt WDu4TxAAgK+W1RSvrc2xe6MfHFMi2x2pL2qM0IEcYbmjNZJDQlmGYNj3jILho62/ /mHyA5skMr9hN58FFUJveiBj3qOds/lZD0640sGGpysFJKzA4/Wdg5xJvpsQtyDM jr6BcgZOQ+j7Pqe7zsm/sc0n5yG4P+cydnlCFMNvpRfZjg1kYIV9F92qEPAHtLCx BoDJyHhCEqFWWyH2nALu3syTHyvGECUCBEHLFgyGcG/IXT6Oq/BpsDZPm1j72NCt 9f58OY7/2R9QJYfCjYidFGnr3EYdI5CnCOtR2sQLcRUOISOOQSni52r5tonPdpm2 7QRPyuXTiVxpM909phGJt5wwyssK/JQgxUjUo3s0U04+qXb3cRoJny3vAcGcnuyk W7lYh08QRQa3dzZ/Q+GFxqPPovdZalTHXYMAYP7QGwLuv+fZkqh39oz6LQfw7F7c JxEjuSCSd8lJpFyIDkirZF9lELurjgt0Zn3RNe25BLiBpeqFvTQdAYGo5wML3Ug0 kHSmZVFC2En8Ad2AahpkGToVKGgUumo4RAZDiRGIUaHEoS7XfBbnPOAtC7Z1RKTS 9N++XVtJ1/uYQiLM5afiZRtUTkA/jqjSNH/v3YYTS18SczKEOWlHnpJeQSWK0rD1 rzbKZ+2MhBL5CGQnwkhUi0u07QorvMkQhWCHpf9au9rtUggg+nU= =zEs6 -----END PGP SIGNATURE----- Merge tag 'for-6.9-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux Pull btrfs fixes from David Sterba: - set correct ram_bytes when splitting ordered extent. This can be inconsistent on-disk but harmless as it's not used for calculations and it's only advisory for compression - fix lockdep splat when taking cleaner mutex in qgroups disable ioctl - fix missing mutex unlock on error path when looking up sys chunk for relocation * tag 'for-6.9-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux: btrfs: set correct ram_bytes when splitting ordered extent btrfs: take the cleaner_mutex earlier in qgroup disable btrfs: add missing mutex_unlock in btrfs_relocate_sys_chunks() |
||
|
Linus Torvalds
|
da87c77ebb |
s390 updates for 6.9-rc7
- The function __storage_key_init_range() expects the end address to be the first byte outside the range to be initialized. Fix the callers that provide the last byte within the range instead. - 3270 Channel Command Word (CCW) may contain zero data address in case there is no data in the request. Add data availability check to avoid erroneous non-zero value as result of virt_to_dma32(NULL) application in cases there is no data - Add missing CFI directives for an unwinder to restore the return address in the vDSO assembler code - NUL-terminate kernel buffer when duplicating user space memory region on Channel IO (CIO) debugfs write inject - Fix wrong format string in zcrypt debug output - Return -EBUSY code when a CCA card is temporarily unavailabile - Restore a loop that retries derivation of a protected key from a secure key in cases the low level reports temporarily unavailability with -EBUSY code -----BEGIN PGP SIGNATURE----- iI0EABYIADUWIQQrtrZiYVkVzKQcYivNdxKlNrRb8AUCZjO8UhccYWdvcmRlZXZA bGludXguaWJtLmNvbQAKCRDNdxKlNrRb8C4cAQCgIOVXwXWum7VMG+2jfnR14mIb oVfiySCUevlKOZXTwgEAuZsEvYgb73YEODnCZrg2lUETfrPeG0Mm6C1L15ev9AE= =oRdp -----END PGP SIGNATURE----- Merge tag 's390-6.9-6' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux Pull s390 fixes from Alexander Gordeev: - The function __storage_key_init_range() expects the end address to be the first byte outside the range to be initialized. Fix the callers that provide the last byte within the range instead. - 3270 Channel Command Word (CCW) may contain zero data address in case there is no data in the request. Add data availability check to avoid erroneous non-zero value as result of virt_to_dma32(NULL) application in cases there is no data - Add missing CFI directives for an unwinder to restore the return address in the vDSO assembler code - NUL-terminate kernel buffer when duplicating user space memory region on Channel IO (CIO) debugfs write inject - Fix wrong format string in zcrypt debug output - Return -EBUSY code when a CCA card is temporarily unavailabile - Restore a loop that retries derivation of a protected key from a secure key in cases the low level reports temporarily unavailability with -EBUSY code * tag 's390-6.9-6' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux: s390/paes: Reestablish retry loop in paes s390/zcrypt: Use EBUSY to indicate temp unavailability s390/zcrypt: Handle ep11 cprb return code s390/zcrypt: Fix wrong format string in debug feature printout s390/cio: Ensure the copied buf is NUL terminated s390/vdso: Add CFI for RA register to asm macro vdso_func s390/3270: Fix buffer assignment s390/mm: Fix clearing storage keys for huge pages s390/mm: Fix storage key clearing for guest huge pages |
||
|
Linus Torvalds
|
09bf0f196f |
Xtensa fixes for v6.9:
- fix unused variable warning caused by empty flush_dcache_page() definition - fix stack unwinding on windowed noMMU XIP configurations - fix Coccinelle warning 'opportunity for min()' in xtensa ISS platform code -----BEGIN PGP SIGNATURE----- iQJHBAABCgAxFiEEK2eFS5jlMn3N6xfYUfnMkfg/oEQFAmYzg8gTHGpjbXZia2Jj QGdtYWlsLmNvbQAKCRBR+cyR+D+gRKD2D/9IAjvtl7FCj8GerGCuzZY5QY3ut/jx jnH9hyO2Clw1ZwREOP6CcTD7ppR59ZH8Yi8h4c/0j5hhDHlLUdPxgJNzBFiDKhTD l7LWaWF3D4ZnqMPKkNbN8BTu3U23+/PenT7na0NruLBLLVgIPcSGXWHCCpr4PLDX oZ4daDjgju7R/vGXhrsb4g+1/t65RKwmP5eBCvWw9dY5iT5ItTuxh2ONsAaRmkEG aBZwlMez7jhnCHix5IgzEkaqg+BxQ/Db6ZFjrq17nCMereq8mQRZmQQTwH89Q37B Vs3HkMqwRpp2Xn1FxNClW4/x5qHaczPH3o3ga1ZJlvnD6gUzHeyMdAGn+1Lixrwk 4SEf6Lefsjkv6jIHyrc+rSr7bBW0pkvdJrZJEsg4PvhL1AW34oN9YNEuaYVLaoPH MjRYF59mT4k6prpuTe2umGbitqgcXqzYSIo/CUdEUIxZQg/7rnW+xSwgOXa681M0 ZnSKvPftB1On/6N9bwM48rOl1DufOMp65iqMD99ms1FsKk2n79Pw6Py1mjyWQw+X Bc73C+O4MLw/NgKel5f3Ez+tVefM6RBCw81ot2WFGpS3xcT1FyWno82+QvmyB1jJ 9H+fHlbTDt6jm1h5jdm5M5vLxt0ScL1VHcYnPeLwpplM1+aMTLt7zljnZc7Mu4yz 7vo+KrAUsHJKUg== =GG+I -----END PGP SIGNATURE----- Merge tag 'xtensa-20240502' of https://github.com/jcmvbkbc/linux-xtensa Pull xtensa fixes from Max Filippov: - fix unused variable warning caused by empty flush_dcache_page() definition - fix stack unwinding on windowed noMMU XIP configurations - fix Coccinelle warning 'opportunity for min()' in xtensa ISS platform code * tag 'xtensa-20240502' of https://github.com/jcmvbkbc/linux-xtensa: xtensa: remove redundant flush_dcache_page and ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE macros tty: xtensa/iss: Use min() to fix Coccinelle warning xtensa: fix MAKE_PC_FROM_RA second argument |
||
Juergen Gross
|
802600ebdf |
x86/xen: return a sane initial apic id when running as PV guest
With recent sanity checks for topology information added, there are now
warnings issued for APs when running as a Xen PV guest:
[Firmware Bug]: CPU 1: APIC ID mismatch. CPUID: 0x0000 APIC: 0x0001
This is due to the initial APIC ID obtained via CPUID for PV guests is
always 0.
Avoid the warnings by synthesizing the CPUID data to contain the same
initial APIC ID as xen_pv_smp_config() is using for registering the
APIC IDs of all CPUs.
Fixes:
|
||
Lucas De Marchi
|
df04b152fc |
drm/xe/display: Fix ADL-N detection
Contrary to i915, in xe ADL-N is kept as a different platform, not a subplatform of ADL-P. Since the display side doesn't need to differentiate between P and N, i.e. IS_ALDERLAKE_P_N() is never called, just fixup the compat header to check for both P and N. Moving ADL-N to be a subplatform would be more complex as the firmware loading in xe only handles platforms, not subplatforms, as going forward the direction is to check on IP version rather than platforms/subplatforms. Fix warning when initializing display: xe 0000:00:02.0: [drm:intel_pch_type [xe]] Found Alder Lake PCH ------------[ cut here ]------------ xe 0000:00:02.0: drm_WARN_ON(!((dev_priv)->info.platform == XE_ALDERLAKE_S) && !((dev_priv)->info.platform == XE_ALDERLAKE_P)) And wrong paths being taken on the display side. Reviewed-by: Matt Roper <matthew.d.roper@intel.com> Acked-by: Jani Nikula <jani.nikula@intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240425181610.2704633-1-lucas.demarchi@intel.com Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com> (cherry picked from commit |
||
|
Linus Torvalds
|
49a73b1652 |
firewire: fixes for v6.9-rc6
The following two driver fixes:
* The firewire-ohci driver for 1394 OHCI hardware does not fill time stamp
for response packet when handling asynchronous transaction to local
destination. This brings an inconvenience that the response packet is not
equivalent between the transaction to local and remote. It is fixed by
fulfilling the time stamp with hardware time. The fix should be
applied to Linux kernel v6.5 or later as well.
* The nosy driver for Texas Instruments TSB12LV21A (PCILynx) has
long-standing issue about the behaviour when user space application
passes less size of buffer than expected. It is fixed by returning zero
according to the convention of UNIX-like systems.
-----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQQE66IEYNDXNBPeGKSsLtaWM8LwEwUCZjN/5AAKCRCsLtaWM8Lw
E7lnAP9wMPBAsCTIGeoRO4CVReooSzxrVztLt8udrc+bhe/jjgD+LlbfjNQoeGYV
iWpZI1xTzx+LYKpgVRGjnE68QN8rQQ4=
=jGSI
-----END PGP SIGNATURE-----
Merge tag 'firewire-fixes-6.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394
Pull firewire fixes from Takashi Sakamoto:
"Two driver fixes:
- The firewire-ohci driver for 1394 OHCI hardware does not fill time
stamp for response packet when handling asynchronous transaction to
local destination. This brings an inconvenience that the response
packet is not equivalent between the transaction to local and
remote. It is fixed by fulfilling the time stamp with hardware
time. The fix should be applied to Linux kernel v6.5 or later as
well.
- The nosy driver for Texas Instruments TSB12LV21A (PCILynx) has
long-standing issue about the behaviour when user space application
passes less size of buffer than expected. It is fixed by returning
zero according to the convention of UNIX-like systems"
* tag 'firewire-fixes-6.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394:
firewire: ohci: fulfill timestamp for some local asynchronous transaction
firewire: nosy: ensure user_length is taken into account when fetching packet contents
|
||
Thomas Gleixner
|
8a95db3bf8 |
x86/xen/smp_pv: Register the boot CPU APIC properly
The topology core expects the boot APIC to be registered from earhy APIC
detection first and then again when the firmware tables are evaluated. This
is used for detecting the real BSP CPU on a kexec kernel.
The recent conversion of XEN/PV to register fake APIC IDs failed to
register the boot CPU APIC correctly as it only registers it once. This
causes the BSP detection mechanism to trigger wrongly:
CPU topo: Boot CPU APIC ID not the first enumerated APIC ID: 0 > 1
Additionally this results in one CPU being ignored.
Register the boot CPU APIC twice so that the XEN/PV fake enumeration
behaves like real firmware.
Reported-by: Juergen Gross <jgross@suse.com>
Fixes:
|
||
|
Linus Torvalds
|
6aed7b97fc |
Thermal control fixes for 6.9-rc7
Fix a memory leak and a few locking issues (that may cause the kernel to crash in principle if all goes wrong) in the thermal debug code introduced during the 6.8 development cycle. -----BEGIN PGP SIGNATURE----- iQJGBAABCAAwFiEE4fcc61cGeeHD/fCwgsRv/nhiVHEFAmYzct8SHHJqd0Byand5 c29ja2kubmV0AAoJEILEb/54YlRxVDsP/0HaZuSX87xjpKPE3+oxg7JyCNUhsnFu OeoJv4bj1TcDd6KV/g2yr9gXzAXFA6Eef0f5QfcORMzzCAyux8Rb6tLP9lWIxdNK BAGcwC9Moe7QgKEuBaktRtTZd/BPPcNoln32eKRUCIY8OGm6sxucMWmiwdSwZ+mm POUOerRKM3YouUDdPCn+HeRcLm5HFMOrFOaan/WT1X1ENVNJyIAR9MWtObPghqqr vz5COoGHbCwGW8u/Lvm+Ipm2Cyr/w3n7Ro+C/KMPwoP+YVPlYpXPqRF77+OXGw/0 7cg+/VA8gWxASRn2xmktxYgUJfmJexkHFjAEpkASeJCir3Lka5Qo7lxU2LNiESBA 2eC9HFfIk02EHTj76grqQRvQLvuI2pDR369IcWDA64u57e67b+vp/njjnBFg5rGi RbCqLJBRxuC65iLzOZb+KBL8zLtYtHScHYWf9BlU1aat9W1ZZeJUq7NkvC2oWXqc uuezM564gD3Ahh5vsRq+1nlP8rGFBaFs7NbFzVTI/18OHNf7Z6hHWEq6+cit9v3q rqwDdNPmWwukjIoPJc6cfsy70yRUskkkvYQKpafK9rBMDrz1T9Sqlm9wRWhLljcF HWoNwjtSYStYNyioe4tl2i0BX3lx/8K6UuDP7LBE1WE+9Xsxk41whT0u7KdZVZjj KWXqpdF2Iz3Q =bEdF -----END PGP SIGNATURE----- Merge tag 'thermal-6.9-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull thermal control fixes from Rafael Wysocki: "Fix a memory leak and a few locking issues (that may cause the kernel to crash in principle if all goes wrong) in the thermal debug code introduced during the 6.8 development cycle" * tag 'thermal-6.9-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: thermal/debugfs: Prevent use-after-free from occurring after cdev removal thermal/debugfs: Fix two locking issues with thermal zone debug thermal/debugfs: Free all thermal zone debug memory on zone removal |
||
|
Linus Torvalds
|
545c494465 |
Including fixes from bpf.
Relatively calm week, likely due to public holiday in most places.
No known outstanding regressions.
Current release - regressions:
- rxrpc: fix wrong alignmask in __page_frag_alloc_align()
- eth: e1000e: change usleep_range to udelay in PHY mdic access
Previous releases - regressions:
- gro: fix udp bad offset in socket lookup
- bpf: fix incorrect runtime stat for arm64
- tipc: fix UAF in error path
- netfs: fix a potential infinite loop in extract_user_to_sg()
- eth: ice: ensure the copied buf is NUL terminated
- eth: qeth: fix kernel panic after setting hsuid
Previous releases - always broken:
- bpf:
- verifier: prevent userspace memory access
- xdp: use flags field to disambiguate broadcast redirect
- bridge: fix multicast-to-unicast with fraglist GSO
- mptcp: ensure snd_nxt is properly initialized on connect
- nsh: fix outer header access in nsh_gso_segment().
- eth: bcmgenet: fix racing registers access
- eth: vxlan: fix stats counters.
Misc:
- a bunch of MAINTAINERS file updates
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
-----BEGIN PGP SIGNATURE-----
iQJGBAABCAAwFiEEg1AjqC77wbdLX2LbKSR5jcyPE6QFAmYzaRsSHHBhYmVuaUBy
ZWRoYXQuY29tAAoJECkkeY3MjxOkh70P/jzsTsvzHspu3RUwcsyvWpSoJPcxP2tF
5SKR66o8sbSjB5I26zUi/LtRZgbPO32GmLN2Y8GvP74h9lwKdDo4AY4volZKCT6f
lRG6GohvMa0lSPSn1fti7CKVzDOsaTHvLz3uBBr+Xb9ITCKh+I+zGEEDGj/47SQN
tmDWHPF8OMs2ezmYS5NqRIQ3CeRz6uyLmEoZhVm4SolypZ18oEg7GCtL3u6U48n+
e3XB3WwKl0ZxK8ipvPgUDwGIDuM5hEyAaeNon3zpYGoqitRsRITUjULpb9dT4DtJ
Jma3OkarFJNXgm4N/p/nAtQ9AdiAloF9ivZXs2t0XCdrrUZJUh05yuikoX+mLfpw
GedG2AbaVl6mdqNkrHeyf5SXKuiPgeCLVfF2xMjS0l1kFbY+Bt8BqnRSdOrcoUG0
zlSzBeBtajttMdnalWv2ZshjP8uo/NjXydUjoVNwuq8xGO5wP+zhNnwhOvecNyUg
t7q2PLokahlz4oyDqyY/7SQ0hSEndqxOlt43I6CthoWH0XkS83nTPdQXcTKQParD
ntJUk5QYwefUT1gimbn/N8GoP7a1+ysWiqcf/7+SNm932gJGiDt36+HOEmyhIfIG
IDWTWJJW64SnPBIUw59MrG7hMtbfaiZiFQqeUJQpFVrRr+tg5z5NUZ5thA+EJVd8
qiVDvmngZFiv
=f6KY
-----END PGP SIGNATURE-----
Merge tag 'net-6.9-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
Pull networking fixes from Paolo Abeni:
"Including fixes from bpf.
Relatively calm week, likely due to public holiday in most places. No
known outstanding regressions.
Current release - regressions:
- rxrpc: fix wrong alignmask in __page_frag_alloc_align()
- eth: e1000e: change usleep_range to udelay in PHY mdic access
Previous releases - regressions:
- gro: fix udp bad offset in socket lookup
- bpf: fix incorrect runtime stat for arm64
- tipc: fix UAF in error path
- netfs: fix a potential infinite loop in extract_user_to_sg()
- eth: ice: ensure the copied buf is NUL terminated
- eth: qeth: fix kernel panic after setting hsuid
Previous releases - always broken:
- bpf:
- verifier: prevent userspace memory access
- xdp: use flags field to disambiguate broadcast redirect
- bridge: fix multicast-to-unicast with fraglist GSO
- mptcp: ensure snd_nxt is properly initialized on connect
- nsh: fix outer header access in nsh_gso_segment().
- eth: bcmgenet: fix racing registers access
- eth: vxlan: fix stats counters.
Misc:
- a bunch of MAINTAINERS file updates"
* tag 'net-6.9-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (45 commits)
MAINTAINERS: mark MYRICOM MYRI-10G as Orphan
MAINTAINERS: remove Ariel Elior
net: gro: add flush check in udp_gro_receive_segment
net: gro: fix udp bad offset in socket lookup by adding {inner_}network_offset to napi_gro_cb
ipv4: Fix uninit-value access in __ip_make_skb()
s390/qeth: Fix kernel panic after setting hsuid
vxlan: Pull inner IP header in vxlan_rcv().
tipc: fix a possible memleak in tipc_buf_append
tipc: fix UAF in error path
rxrpc: Clients must accept conn from any address
net: core: reject skb_copy(_expand) for fraglist GSO skbs
net: bridge: fix multicast-to-unicast with fraglist GSO
mptcp: ensure snd_nxt is properly initialized on connect
e1000e: change usleep_range to udelay in PHY mdic access
net: dsa: mv88e6xxx: Fix number of databases for 88E6141 / 88E6341
cxgb4: Properly lock TX queue for the selftest.
rxrpc: Fix using alignmask being zero for __page_frag_alloc_align()
vxlan: Add missing VNI filter counter update in arp_reduce().
vxlan: Fix racy device stats updates.
net: qede: use return from qede_parse_actions()
...
|
||
Jens Axboe
|
fb15ffd061 |
Merge commit '50abcc179e0c9ca667feb223b26ea406d5c4c556' of git://git.infradead.org/nvme into block-6.9
Pull NVMe fixes from Keith. * git://git.infradead.org/nvme: nvme-tcp: strict pdu pacing to avoid send stalls on TLS nvmet: fix nvme status code when namespace is disabled nvmet-tcp: fix possible memory leak when tearing down a controller nvme: cancel pending I/O if nvme controller is in terminal state nvmet-auth: replace pr_debug() with pr_err() to report an error. nvmet-auth: return the error code to the nvmet_auth_host_hash() callers nvme: find numa distance only if controller has valid numa id nvme: fix warn output about shared namespaces without CONFIG_NVME_MULTIPATH |
||
Will Deacon
|
75961ffb5c |
swiotlb: initialise restricted pool list_head when SWIOTLB_DYNAMIC=y
Using restricted DMA pools (CONFIG_DMA_RESTRICTED_POOL=y) in conjunction
with dynamic SWIOTLB (CONFIG_SWIOTLB_DYNAMIC=y) leads to the following
crash when initialising the restricted pools at boot-time:
| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
| Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
| pc : rmem_swiotlb_device_init+0xfc/0x1ec
| lr : rmem_swiotlb_device_init+0xf0/0x1ec
| Call trace:
| rmem_swiotlb_device_init+0xfc/0x1ec
| of_reserved_mem_device_init_by_idx+0x18c/0x238
| of_dma_configure_id+0x31c/0x33c
| platform_dma_configure+0x34/0x80
faddr2line reveals that the crash is in the list validation code:
include/linux/list.h:83
include/linux/rculist.h:79
include/linux/rculist.h:106
kernel/dma/swiotlb.c:306
kernel/dma/swiotlb.c:1695
because add_mem_pool() is trying to list_add_rcu() to a NULL
'mem->pools'.
Fix the crash by initialising the 'mem->pools' list_head in
rmem_swiotlb_device_init() before calling add_mem_pool().
Reported-by: Nikita Ioffe <ioffe@google.com>
Tested-by: Nikita Ioffe <ioffe@google.com>
Fixes:
|
||
|
Jakub Kicinski
|
78cfe54760 |
MAINTAINERS: mark MYRICOM MYRI-10G as Orphan
Chris's email address bounces and lore hasn't seen an email from anyone with his name for almost a decade. Signed-off-by: Jakub Kicinski <kuba@kernel.org> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://lore.kernel.org/r/20240430233532.1356982-1-kuba@kernel.org Signed-off-by: Paolo Abeni <pabeni@redhat.com> |
||
|
Jakub Kicinski
|
c9ccbcd9f1 |
MAINTAINERS: remove Ariel Elior
aelior@marvell.com bounces, we haven't seen Ariel on lore since March 2022. Signed-off-by: Jakub Kicinski <kuba@kernel.org> Link: https://lore.kernel.org/r/20240430233305.1356105-1-kuba@kernel.org Signed-off-by: Paolo Abeni <pabeni@redhat.com> |
||
Paolo Abeni
|
a257f093bf |
Merge branch 'net-gro-add-flush-flush_id-checks-and-fix-wrong-offset-in-udp'
Richard Gobert says: ==================== net: gro: add flush/flush_id checks and fix wrong offset in udp This series fixes a bug in the complete phase of UDP in GRO, in which socket lookup fails due to using network_header when parsing encapsulated packets. The fix is to add network_offset and inner_network_offset to napi_gro_cb and use these offsets for socket lookup. In addition p->flush/flush_id should be checked in all UDP flows. The same logic from tcp_gro_receive is applied for all flows in udp_gro_receive_segment. This prevents packets with mismatching network headers (flush/flush_id turned on) from merging in UDP GRO. The original series includes a change to vxlan test which adds the local parameter to prevent similar future bugs. I plan to submit it separately to net-next. This series is part of a previously submitted series to net-next: https://lore.kernel.org/all/20240408141720.98832-1-richardbgobert@gmail.com/ v3 -> v4: - Store network offsets, and use them only in udp_gro_complete flows - Correct commit hash used in Fixes tag - v3: https://lore.kernel.org/netdev/20240424163045.123528-1-richardbgobert@gmail.com/ v2 -> v3: - Add network_offsets and fix udp bug in a single commit to make backporting easier - Write to inner_network_offset in {inet,ipv6}_gro_receive - Use network_offsets union in tcp[46]_gro_complete as well - v2: https://lore.kernel.org/netdev/20240419153542.121087-1-richardbgobert@gmail.com/ v1 -> v2: - Use network_offsets instead of p_poff param as suggested by Willem - Check flush before postpull, and for all UDP GRO flows - v1: https://lore.kernel.org/netdev/20240412152120.115067-1-richardbgobert@gmail.com/ ==================== Link: https://lore.kernel.org/r/20240430143555.126083-1-richardbgobert@gmail.com Signed-off-by: Paolo Abeni <pabeni@redhat.com> |
||
Richard Gobert
|
5babae777c |
net: gro: add flush check in udp_gro_receive_segment
GRO-GSO path is supposed to be transparent and as such L3 flush checks are
relevant to all UDP flows merging in GRO. This patch uses the same logic
and code from tcp_gro_receive, terminating merge if flush is non zero.
Fixes:
|