June 2021 - Linux-stable-mirror

by Greg Kroah-Hartman

I'm announcing the release of the 4.19.195 kernel. All users of the 4.19 kernel series must upgrade. The updated 4.19.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.19.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm/boot/dts/imx6q-dhcom-som.dtsi | 12 ++ arch/arm/boot/dts/imx6qdl-sabresd.dtsi | 12 ++ arch/arm/boot/dts/imx6qdl.dtsi | 6 - arch/mips/lib/mips-atomic.c | 12 +- arch/powerpc/boot/dts/fsl/p1010si-post.dtsi | 8 + arch/powerpc/boot/dts/fsl/p2041si-post.dtsi | 16 +++ drivers/gpu/drm/drm_auth.c | 3 drivers/gpu/drm/drm_ioctl.c | 9 +- drivers/i2c/busses/i2c-mpc.c | 95 +++++++++++++++++++++- drivers/infiniband/hw/mlx4/main.c | 5 - drivers/infiniband/hw/mlx5/cq.c | 9 -- drivers/isdn/hardware/mISDN/netjet.c | 1 drivers/net/appletalk/cops.c | 4 drivers/net/bonding/bond_main.c | 2 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c | 4 drivers/net/ethernet/cadence/macb_main.c | 3 drivers/net/ethernet/mellanox/mlx4/fw.c | 3 drivers/net/ethernet/mellanox/mlx4/fw.h | 1 drivers/net/ethernet/mellanox/mlx4/main.c | 6 + drivers/net/ethernet/qlogic/qla3xxx.c | 2 drivers/net/phy/mdio_bus.c | 3 drivers/nvme/host/fabrics.c | 5 + drivers/regulator/core.c | 6 + drivers/regulator/max77620-regulator.c | 7 + drivers/scsi/bnx2fc/bnx2fc_io.c | 1 drivers/scsi/hosts.c | 33 ++++--- drivers/scsi/qla2xxx/qla_target.c | 2 drivers/scsi/vmw_pvscsi.c | 8 + drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c | 2 drivers/usb/dwc3/ep0.c | 3 drivers/usb/gadget/config.c | 8 + drivers/usb/gadget/function/f_ecm.c | 2 drivers/usb/gadget/function/f_eem.c | 6 - drivers/usb/gadget/function/f_fs.c | 3 drivers/usb/gadget/function/f_hid.c | 3 drivers/usb/gadget/function/f_loopback.c | 2 drivers/usb/gadget/function/f_ncm.c | 10 +- drivers/usb/gadget/function/f_printer.c | 3 drivers/usb/gadget/function/f_rndis.c | 2 drivers/usb/gadget/function/f_serial.c | 2 drivers/usb/gadget/function/f_sourcesink.c | 3 drivers/usb/gadget/function/f_subset.c | 2 drivers/usb/gadget/function/f_tcm.c | 3 drivers/usb/serial/cp210x.c | 20 ++++ drivers/usb/serial/ftdi_sio.c | 1 drivers/usb/serial/ftdi_sio_ids.h | 1 drivers/usb/serial/omninet.c | 2 drivers/usb/serial/quatech2.c | 6 - drivers/usb/typec/ucsi/ucsi.c | 1 fs/btrfs/file.c | 4 fs/nfs/client.c | 2 fs/nfs/nfs4_fs.h | 1 fs/nfs/nfs4client.c | 2 fs/nfs/nfs4proc.c | 29 ++++++ fs/proc/base.c | 11 ++ include/asm-generic/vmlinux.lds.h | 1 include/linux/kvm_host.h | 10 ++ include/linux/mlx4/device.h | 1 include/linux/usb/pd.h | 2 kernel/cgroup/cgroup-v1.c | 4 kernel/cgroup/cgroup.c | 13 +-- kernel/events/core.c | 22 +++-- kernel/sched/fair.c | 2 kernel/trace/ftrace.c | 8 + kernel/trace/trace.c | 2 kernel/workqueue.c | 12 ++ net/netlink/af_netlink.c | 6 - net/nfc/rawsock.c | 2 net/rds/connection.c | 23 +++-- net/rds/tcp.c | 4 net/rds/tcp.h | 3 net/rds/tcp_listen.c | 6 + sound/soc/codecs/sti-sas.c | 1 sound/soc/intel/boards/bytcr_rt5640.c | 25 +++++ tools/perf/util/session.c | 1 76 files changed, 452 insertions(+), 110 deletions(-) Alaa Hleihel (1): IB/mlx5: Fix initializing CQ fragments buffer Alexander Kuznetsov (1): cgroup1: don't allow '\n' in renaming Alexandre GRIVEAUX (1): USB: serial: omninet: add device id for Zyxel Omni 56K Plus Anna Schumaker (1): NFS: Fix use-after-free in nfs4_init_client() Anson Huang (1): ARM: dts: imx6qdl-sabresd: Assign corresponding power supply for LDOs Chris Packham (4): powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P2041 i2c controllers powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P1010 i2c controllers i2c: mpc: Make use of i2c_recover_bus() i2c: mpc: implement erratum A-004447 workaround Dai Ngo (1): NFSv4: nfs4_proc_set_acl needs to restore NFS_CAP_UIDGID_NOMAP on error. Dan Carpenter (2): net: mdiobus: get rid of a BUG_ON() NFS: Fix a potential NULL dereference in nfs_get_client() Desmond Cheong Zhi Xi (2): drm: Fix use-after-free read in drm_getunique() drm: Lock pointer access in drm_master_release() Dmitry Baryshkov (1): regulator: core: resolve supply for boot-on/always-on regulators Dmitry Bogdanov (1): scsi: target: qla2xxx: Wait for stop_phase1 at WWN removal Dmitry Osipenko (1): regulator: max77620: Use device_set_of_node_from_dev() George McCollister (1): USB: serial: ftdi_sio: add NovaTech OrionMX product ID Greg Kroah-Hartman (1): Linux 4.19.195 Hannes Reinecke (1): nvme-fabrics: decode host pathing error for connect Hans de Goede (2): ASoC: Intel: bytcr_rt5640: Add quirk for the Glavey TM800A550L tablet ASoC: Intel: bytcr_rt5640: Add quirk for the Lenovo Miix 3-830 tablet Javed Hasan (1): scsi: bnx2fc: Return failure if io_req is already in ABTS processing Jeimon (1): net/nfc/rawsock.c: fix a permission check bug Jiapeng Chong (1): bnx2x: Fix missing error code in bnx2x_iov_init_one() Johan Hovold (1): USB: serial: quatech2: fix control-request directions Johannes Berg (2): bonding: init notify_work earlier to avoid uninitialized use netlink: disable IRQs for netlink_lock_table() Kees Cook (1): proc: Track /proc/$pid/attr/ opener mm_struct Kyle Tso (1): usb: pd: Set PD_T_SINK_WAIT_CAP to 310ms Leo Yan (1): perf session: Correct buffer copying when peeking events Liangyan (1): tracing: Correct the length check which causes memory corruption Linus Torvalds (1): proc: only require mm_struct for writing Linyu Yuan (1): usb: gadget: eem: fix wrong eem header operation Maciej Żenczykowski (4): USB: f_ncm: ncm_bitrate (speed) is unsigned usb: f_ncm: only first packet of aggregate needs to start timer usb: fix various gadgets null ptr deref on 10gbps cabling. usb: fix various gadget panics on 10gbps cabling Marco Elver (1): perf: Fix data race between pin_count increment/decrement Marek Vasut (1): ARM: dts: imx6q-dhcom: Add PU,VDD1P1,VDD2P5 regulators Marian-Cristian Rotariu (1): usb: dwc3: ep0: fix NULL pointer exception Matt Wang (1): scsi: vmw_pvscsi: Set correct residual data length Mayank Rana (1): usb: typec: ucsi: Clear PPM capability data in ucsi_init() error path Ming Lei (3): scsi: core: Fix error handling of scsi_host_alloc() scsi: core: Put .shost_dev in failure path if host state changes to RUNNING scsi: core: Only put parent device if host state differs from SHOST_CREATED Nathan Chancellor (1): vmlinux.lds.h: Avoid orphan section with !SMP Paolo Bonzini (2): kvm: avoid speculation-based attacks from out-of-range memslot accesses kvm: fix previous commit for 32-bit builds Peter Zijlstra (1): perf/core: Fix endless multiplex timer Rao Shoaib (1): RDS tcp loopback connection can hang Ritesh Harjani (1): btrfs: return value from btrfs_mark_extent_written() in case of error Saubhik Mukherjee (1): net: appletalk: cops: Fix data race in cops_probe1 Sergey Senozhatsky (1): wq: handle VM suspension in stall detection Shakeel Butt (1): cgroup: disable controllers at parse time Shay Drory (1): RDMA/mlx4: Do not map the core_clock page to user space unless enabled Stefan Agner (1): USB: serial: cp210x: fix alternate function for CP2102N QFN20 Steven Rostedt (VMware) (1): ftrace: Do not blindly read the ip address in ftrace_bug() Tiezhu Yang (1): MIPS: Fix kernel hang under FUNCTION_GRAPH_TRACER and PREEMPT_TRACER Trond Myklebust (2): NFSv4: Fix deadlock between nfs4_evict_inode() and nfs4_opendata_get_inode() NFSv4: Fix second deadlock in nfs4_evict_inode() Vincent Guittot (1): sched/fair: Make sure to update tg contrib for blocked load Wenli Looi (1): staging: rtl8723bs: Fix uninitialized variables Wesley Cheng (1): usb: gadget: f_fs: Ensure io_completion_wq is idle during unbind Zheyu Ma (2): isdn: mISDN: netjet: Fix crash in nj_probe: net/qla3xxx: fix schedule while atomic in ql_sem_spinlock Zong Li (1): net: macb: ensure the device is available before accessing GEMGXL control registers Zou Wei (1): ASoC: sti-sas: add missing MODULE_DEVICE_TABLE

4 years

2
2
0 0

Linux 5.10.45

by Greg Kroah-Hartman

I'm announcing the release of the 5.10.45 kernel. All users of the 5.10 kernel series must upgrade. The updated 5.10.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.10.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm/mach-omap1/pm.c | 10 +++- arch/arm/mach-omap2/board-n8x0.c | 2 arch/riscv/Makefile | 9 +++ drivers/bluetooth/btusb.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_fru_eeprom.c | 42 +++++++++--------- drivers/gpu/drm/amd/amdgpu/amdgpu_psp.h | 1 drivers/gpu/drm/amd/amdgpu/psp_v11_0.c | 3 - drivers/gpu/drm/amd/amdgpu/psp_v3_1.c | 3 - drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 4 - drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c | 2 drivers/gpu/drm/tegra/sor.c | 41 +++++++++-------- drivers/gpu/host1x/bus.c | 30 ++++++++++-- drivers/hid/Kconfig | 4 - drivers/hid/hid-a4tech.c | 2 drivers/hid/hid-core.c | 3 + drivers/hid/hid-debug.c | 1 drivers/hid/hid-gt683r.c | 1 drivers/hid/hid-ids.h | 3 + drivers/hid/hid-input.c | 3 + drivers/hid/hid-multitouch.c | 8 +-- drivers/hid/hid-quirks.c | 3 + drivers/hid/hid-sensor-hub.c | 13 +++-- drivers/hid/usbhid/hid-core.c | 2 drivers/net/ethernet/myricom/myri10ge/myri10ge.c | 1 drivers/nvme/target/loop.c | 11 +++- drivers/scsi/qedf/qedf_main.c | 20 +++----- drivers/scsi/scsi_devinfo.c | 1 drivers/target/target_core_transport.c | 4 - fs/gfs2/file.c | 5 +- fs/gfs2/glock.c | 26 +++++++++-- include/linux/hid.h | 3 - include/linux/host1x.h | 30 ++++++++++-- include/uapi/linux/input-event-codes.h | 1 net/compat.c | 2 net/core/fib_rules.c | 2 net/core/rtnetlink.c | 4 + net/ieee802154/nl802154.c | 9 ++- net/ipv4/ipconfig.c | 13 +++-- net/x25/af_x25.c | 2 40 files changed, 221 insertions(+), 107 deletions(-) Ahelenia Ziemiańska (1): HID: multitouch: set Stylus suffix for Stylus-application devices, too Andreas Gruenbacher (1): gfs2: Prevent direct-I/O write fallback errors from getting lost Anirudh Rayabharam (1): HID: usbhid: fix info leak in hid_submit_ctrl Bindu Ramamurthy (1): drm/amd/display: Allow bandwidth validation for 0 streams. Bixuan Cui (1): HID: gt683r: add missing MODULE_DEVICE_TABLE Bob Peterson (1): gfs2: fix a deadlock on withdraw-during-mount Dan Robertson (1): net: ieee802154: fix null deref in parse dev addr Daniel Wagner (1): scsi: qedf: Do not put host in qedf_vport_create() unconditionally Dmitry Torokhov (1): HID: hid-input: add mapping for emoji picker key Ewan D. Milne (1): scsi: scsi_devinfo: Add blacklist entry for HPE OPEN-V Greg Kroah-Hartman (1): Linux 5.10.45 Hannes Reinecke (4): nvme-loop: reset queue count to 1 in nvme_loop_destroy_io_queues() nvme-loop: clear NVME_LOOP_Q_LIVE when nvme_loop_configure_admin_queue() fails nvme-loop: check for NVME_LOOP_Q_LIVE in nvme_loop_destroy_admin_queue() nvme-loop: do not warn for deleted controllers during reset Hillf Danton (1): gfs2: Fix use-after-free in gfs2_glock_shrink_scan Jiansong Chen (1): drm/amdgpu: refine amdgpu_fru_get_product_info Jiapeng Chong (2): ethernet: myri10ge: Fix missing error code in myri10ge_probe() rtnetlink: Fix missing error code in rtnl_bridge_notify() Josh Triplett (1): net: ipconfig: Don't override command-line hostnames or domains Khem Raj (1): riscv: Use -mno-relax when using lld linker Larry Finger (1): Bluetooth: Add a new USB ID for RTL8822CE Maciej Falkowski (1): ARM: OMAP1: Fix use of possibly uninitialized irq variable Mark Bolhuis (1): HID: Add BUS_VIRTUAL to hid_connect logging Mateusz Jończyk (1): HID: a4tech: use A4_2WHEEL_MOUSE_HACK_B8 for A4TECH NB-95 Maurizio Lombardi (1): scsi: target: core: Fix warning on realtime kernels Nirenjan Krishnan (1): HID: quirks: Set INCREMENT_USAGE_ON_DUPLICATE for Saitek X65 Pavel Machek (CIP) (1): drm/tegra: sor: Do not leak runtime PM reference Roman Li (1): drm/amd/display: Fix potential memory leak in DMUB hw_init Saeed Mirzamohammadi (1): HID: quirks: Add quirk for Lenovo optical mouse Srinivas Pandruvada (1): HID: hid-sensor-hub: Return error for hid_set_field() failure Thierry Reding (2): gpu: host1x: Split up client initalization and registration drm/tegra: sor: Fully initialize SOR before registration Victor Zhao (1): drm/amd/amdgpu:save psp ring wptr to avoid attack Yongqiang Liu (1): ARM: OMAP2+: Fix build warning when mmc_omap is not built Zheng Yongjun (3): net/x25: Return the correct errno code net: Return the correct errno code fib: Return the correct errno code

4 years

2
2
0 0

Linux 5.4.127

by Greg Kroah-Hartman

I'm announcing the release of the 5.4.127 kernel. All users of the 5.4 kernel series must upgrade. The updated 5.4.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.4.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 - arch/arm/mach-omap2/board-n8x0.c | 2 - arch/riscv/Makefile | 9 ++++++++ drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c | 2 - drivers/gpu/drm/tegra/sor.c | 14 +++++++++--- drivers/hid/hid-core.c | 3 ++ drivers/hid/hid-debug.c | 1 drivers/hid/hid-gt683r.c | 1 drivers/hid/hid-ids.h | 2 + drivers/hid/hid-input.c | 3 ++ drivers/hid/hid-multitouch.c | 8 +++---- drivers/hid/hid-quirks.c | 2 + drivers/hid/hid-sensor-hub.c | 13 ++++++++--- drivers/hid/usbhid/hid-core.c | 2 - drivers/net/ethernet/myricom/myri10ge/myri10ge.c | 1 drivers/nvme/target/loop.c | 5 +++- drivers/scsi/qedf/qedf_main.c | 20 ++++++++---------- drivers/scsi/scsi_devinfo.c | 1 drivers/target/target_core_transport.c | 4 --- fs/gfs2/file.c | 5 +++- fs/gfs2/glock.c | 2 - include/linux/hid.h | 3 -- include/uapi/linux/input-event-codes.h | 1 net/compat.c | 2 - net/core/fib_rules.c | 2 - net/core/rtnetlink.c | 4 ++- net/ieee802154/nl802154.c | 9 ++++---- net/ipv4/ipconfig.c | 13 +++++++---- net/x25/af_x25.c | 2 - 29 files changed, 90 insertions(+), 48 deletions(-) Ahelenia Ziemiańska (1): HID: multitouch: set Stylus suffix for Stylus-application devices, too Andreas Gruenbacher (1): gfs2: Prevent direct-I/O write fallback errors from getting lost Anirudh Rayabharam (1): HID: usbhid: fix info leak in hid_submit_ctrl Bindu Ramamurthy (1): drm/amd/display: Allow bandwidth validation for 0 streams. Bixuan Cui (1): HID: gt683r: add missing MODULE_DEVICE_TABLE Dan Robertson (1): net: ieee802154: fix null deref in parse dev addr Daniel Wagner (1): scsi: qedf: Do not put host in qedf_vport_create() unconditionally Dmitry Torokhov (1): HID: hid-input: add mapping for emoji picker key Ewan D. Milne (1): scsi: scsi_devinfo: Add blacklist entry for HPE OPEN-V Greg Kroah-Hartman (1): Linux 5.4.127 Hannes Reinecke (3): nvme-loop: reset queue count to 1 in nvme_loop_destroy_io_queues() nvme-loop: clear NVME_LOOP_Q_LIVE when nvme_loop_configure_admin_queue() fails nvme-loop: check for NVME_LOOP_Q_LIVE in nvme_loop_destroy_admin_queue() Hillf Danton (1): gfs2: Fix use-after-free in gfs2_glock_shrink_scan Jiapeng Chong (2): ethernet: myri10ge: Fix missing error code in myri10ge_probe() rtnetlink: Fix missing error code in rtnl_bridge_notify() Josh Triplett (1): net: ipconfig: Don't override command-line hostnames or domains Khem Raj (1): riscv: Use -mno-relax when using lld linker Mark Bolhuis (1): HID: Add BUS_VIRTUAL to hid_connect logging Maurizio Lombardi (1): scsi: target: core: Fix warning on realtime kernels Nirenjan Krishnan (1): HID: quirks: Set INCREMENT_USAGE_ON_DUPLICATE for Saitek X65 Pavel Machek (CIP) (1): drm/tegra: sor: Do not leak runtime PM reference Saeed Mirzamohammadi (1): HID: quirks: Add quirk for Lenovo optical mouse Srinivas Pandruvada (1): HID: hid-sensor-hub: Return error for hid_set_field() failure Yongqiang Liu (1): ARM: OMAP2+: Fix build warning when mmc_omap is not built Zheng Yongjun (3): net/x25: Return the correct errno code net: Return the correct errno code fib: Return the correct errno code

4 years

2
2
0 0

[net 5/5] net: can: ems_usb: fix use-after-free in ems_usb_disconnect()

by Marc Kleine-Budde

From: Pavel Skripkin <paskripkin(a)gmail.com> In ems_usb_disconnect() dev pointer, which is netdev private data, is used after free_candev() call: | if (dev) { | unregister_netdev(dev->netdev); | free_candev(dev->netdev); | | unlink_all_urbs(dev); | | usb_free_urb(dev->intr_urb); | | kfree(dev->intr_in_buffer); | kfree(dev->tx_msg_buffer); | } Fix it by simply moving free_candev() at the end of the block. Fail log: | BUG: KASAN: use-after-free in ems_usb_disconnect | Read of size 8 at addr ffff88804e041008 by task kworker/1:2/2895 | | CPU: 1 PID: 2895 Comm: kworker/1:2 Not tainted 5.13.0-rc5+ #164 | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.4 | Workqueue: usb_hub_wq hub_event | Call Trace: | dump_stack (lib/dump_stack.c:122) | print_address_description.constprop.0.cold (mm/kasan/report.c:234) | kasan_report.cold (mm/kasan/report.c:420 mm/kasan/report.c:436) | ems_usb_disconnect (drivers/net/can/usb/ems_usb.c:683 drivers/net/can/usb/ems_usb.c:1058) Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface") Link: https://lore.kernel.org/r/20210617185130.5834-1-paskripkin@gmail.com Cc: linux-stable <stable(a)vger.kernel.org> Signed-off-by: Pavel Skripkin <paskripkin(a)gmail.com> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> --- drivers/net/can/usb/ems_usb.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/can/usb/ems_usb.c b/drivers/net/can/usb/ems_usb.c index 5af69787d9d5..0a37af4a3fa4 100644 --- a/drivers/net/can/usb/ems_usb.c +++ b/drivers/net/can/usb/ems_usb.c @@ -1053,7 +1053,6 @@ static void ems_usb_disconnect(struct usb_interface *intf) if (dev) { unregister_netdev(dev->netdev); - free_candev(dev->netdev); unlink_all_urbs(dev); @@ -1061,6 +1060,8 @@ static void ems_usb_disconnect(struct usb_interface *intf) kfree(dev->intr_in_buffer); kfree(dev->tx_msg_buffer); + + free_candev(dev->netdev); } } -- 2.30.2

4 years

1
0
0 0

[net 4/5] can: j1939: j1939_sk_init(): set SOCK_RCU_FREE to call sk_destruct() after RCU is done

by Marc Kleine-Budde

From: Oleksij Rempel <o.rempel(a)pengutronix.de> Set SOCK_RCU_FREE to let RCU to call sk_destruct() on completion. Without this patch, we will run in to j1939_can_recv() after priv was freed by j1939_sk_release()->j1939_sk_sock_destruct() Fixes: 25fe97cb7620 ("can: j1939: move j1939_priv_put() into sk_destruct callback") Link: https://lore.kernel.org/r/20210617130623.12705-1-o.rempel@pengutronix.de Cc: linux-stable <stable(a)vger.kernel.org> Reported-by: Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com> Reported-by: syzbot+bdf710cfc41c186fdff3(a)syzkaller.appspotmail.com Signed-off-by: Oleksij Rempel <o.rempel(a)pengutronix.de> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> --- net/can/j1939/main.c | 4 ++++ net/can/j1939/socket.c | 3 +++ 2 files changed, 7 insertions(+) diff --git a/net/can/j1939/main.c b/net/can/j1939/main.c index da3a7a7bcff2..08c8606cfd9c 100644 --- a/net/can/j1939/main.c +++ b/net/can/j1939/main.c @@ -193,6 +193,10 @@ static void j1939_can_rx_unregister(struct j1939_priv *priv) can_rx_unregister(dev_net(ndev), ndev, J1939_CAN_ID, J1939_CAN_MASK, j1939_can_recv, priv); + /* The last reference of priv is dropped by the RCU deferred + * j1939_sk_sock_destruct() of the last socket, so we can + * safely drop this reference here. + */ j1939_priv_put(priv); } diff --git a/net/can/j1939/socket.c b/net/can/j1939/socket.c index 56aa66147d5a..fce8bc8afeb7 100644 --- a/net/can/j1939/socket.c +++ b/net/can/j1939/socket.c @@ -398,6 +398,9 @@ static int j1939_sk_init(struct sock *sk) atomic_set(&jsk->skb_pending, 0); spin_lock_init(&jsk->sk_session_queue_lock); INIT_LIST_HEAD(&jsk->sk_session_queue); + + /* j1939_sk_sock_destruct() depends on SOCK_RCU_FREE flag */ + sock_set_flag(sk, SOCK_RCU_FREE); sk->sk_destruct = j1939_sk_sock_destruct; sk->sk_protocol = CAN_J1939; -- 2.30.2

4 years

1
0
0 0

[net 3/5] can: isotp: isotp_release(): omit unintended hrtimer restart on socket release

by Marc Kleine-Budde

From: Oliver Hartkopp <socketcan(a)hartkopp.net> When closing the isotp socket, the potentially running hrtimers are canceled before removing the subscription for CAN identifiers via can_rx_unregister(). This may lead to an unintended (re)start of a hrtimer in isotp_rcv_cf() and isotp_rcv_fc() in the case that a CAN frame is received by isotp_rcv() while the subscription removal is processed. However, isotp_rcv() is called under RCU protection, so after calling can_rx_unregister, we may call synchronize_rcu in order to wait for any RCU read-side critical sections to finish. This prevents the reception of CAN frames after hrtimer_cancel() and therefore the unintended (re)start of the hrtimers. Link: https://lore.kernel.org/r/20210618173713.2296-1-socketcan@hartkopp.net Fixes: e057dd3fc20f ("can: add ISO 15765-2:2016 transport protocol") Cc: linux-stable <stable(a)vger.kernel.org> Signed-off-by: Oliver Hartkopp <socketcan(a)hartkopp.net> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> --- net/can/isotp.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/net/can/isotp.c b/net/can/isotp.c index be6183f8ca11..234cc4ad179a 100644 --- a/net/can/isotp.c +++ b/net/can/isotp.c @@ -1028,9 +1028,6 @@ static int isotp_release(struct socket *sock) lock_sock(sk); - hrtimer_cancel(&so->txtimer); - hrtimer_cancel(&so->rxtimer); - /* remove current filters & unregister */ if (so->bound && (!(so->opt.flags & CAN_ISOTP_SF_BROADCAST))) { if (so->ifindex) { @@ -1042,10 +1039,14 @@ static int isotp_release(struct socket *sock) SINGLE_MASK(so->rxid), isotp_rcv, sk); dev_put(dev); + synchronize_rcu(); } } } + hrtimer_cancel(&so->txtimer); + hrtimer_cancel(&so->rxtimer); + so->ifindex = 0; so->bound = 0; -- 2.30.2

4 years

1
0
0 0

[net 2/5] can: gw: synchronize rcu operations before removing gw job entry

by Marc Kleine-Budde

From: Oliver Hartkopp <socketcan(a)hartkopp.net> can_can_gw_rcv() is called under RCU protection, so after calling can_rx_unregister(), we have to call synchronize_rcu in order to wait for any RCU read-side critical sections to finish before removing the kmem_cache entry with the referenced gw job entry. Link: https://lore.kernel.org/r/20210618173645.2238-1-socketcan@hartkopp.net Fixes: c1aabdf379bc ("can-gw: add netlink based CAN routing") Cc: linux-stable <stable(a)vger.kernel.org> Signed-off-by: Oliver Hartkopp <socketcan(a)hartkopp.net> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> --- net/can/gw.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/can/gw.c b/net/can/gw.c index ba4124805602..d8861e862f15 100644 --- a/net/can/gw.c +++ b/net/can/gw.c @@ -596,6 +596,7 @@ static int cgw_notifier(struct notifier_block *nb, if (gwj->src.dev == dev || gwj->dst.dev == dev) { hlist_del(&gwj->list); cgw_unregister_filter(net, gwj); + synchronize_rcu(); kmem_cache_free(cgw_cache, gwj); } } @@ -1154,6 +1155,7 @@ static void cgw_remove_all_jobs(struct net *net) hlist_for_each_entry_safe(gwj, nx, &net->can.cgw_list, list) { hlist_del(&gwj->list); cgw_unregister_filter(net, gwj); + synchronize_rcu(); kmem_cache_free(cgw_cache, gwj); } } @@ -1222,6 +1224,7 @@ static int cgw_remove_job(struct sk_buff *skb, struct nlmsghdr *nlh, hlist_del(&gwj->list); cgw_unregister_filter(net, gwj); + synchronize_rcu(); kmem_cache_free(cgw_cache, gwj); err = 0; break; -- 2.30.2

4 years

1
0
0 0

[net 1/5] can: bcm: delay release of struct bcm_op after synchronize_rcu()

by Marc Kleine-Budde

From: Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com> can_rx_register() callbacks may be called concurrently to the call to can_rx_unregister(). The callbacks and callback data, though, are protected by RCU and the struct sock reference count. So the callback data is really attached to the life of sk, meaning that it should be released on sk_destruct. However, bcm_remove_op() calls tasklet_kill(), and RCU callbacks may be called under RCU softirq, so that cannot be used on kernels before the introduction of HRTIMER_MODE_SOFT. However, bcm_rx_handler() is called under RCU protection, so after calling can_rx_unregister(), we may call synchronize_rcu() in order to wait for any RCU read-side critical sections to finish. That is, bcm_rx_handler() won't be called anymore for those ops. So, we only free them, after we do that synchronize_rcu(). Fixes: ffd980f976e7 ("[CAN]: Add broadcast manager (bcm) protocol") Link: https://lore.kernel.org/r/20210619161813.2098382-1-cascardo@canonical.com Cc: linux-stable <stable(a)vger.kernel.org> Reported-by: syzbot+0f7e7e5e2f4f40fa89c0(a)syzkaller.appspotmail.com Reported-by: Norbert Slusarek <nslusarek(a)gmx.net> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com> Acked-by: Oliver Hartkopp <socketcan(a)hartkopp.net> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> --- net/can/bcm.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/can/bcm.c b/net/can/bcm.c index f3e4d9528fa3..0928a39c4423 100644 --- a/net/can/bcm.c +++ b/net/can/bcm.c @@ -785,6 +785,7 @@ static int bcm_delete_rx_op(struct list_head *ops, struct bcm_msg_head *mh, bcm_rx_handler, op); list_del(&op->list); + synchronize_rcu(); bcm_remove_op(op); return 1; /* done */ } @@ -1533,9 +1534,13 @@ static int bcm_release(struct socket *sock) REGMASK(op->can_id), bcm_rx_handler, op); - bcm_remove_op(op); } + synchronize_rcu(); + + list_for_each_entry_safe(op, next, &bo->rx_ops, list) + bcm_remove_op(op); + #if IS_ENABLED(CONFIG_PROC_FS) /* remove procfs entry */ if (net->can.bcmproc_dir && bo->bcm_proc_read) base-commit: dda2626b86c2c1813b7bfdd10d2fdd849611fc97 -- 2.30.2

4 years

1
0
0 0

[tip: smp/urgent] cpu/hotplug: Cure the cpusets trainwreck

by tip-bot2 for Thomas Gleixner

The following commit has been merged into the smp/urgent branch of tip: Commit-ID: 64c71be97c02c3d3f24dea7c290912ad300538b9 Gitweb: https://git.kernel.org/tip/64c71be97c02c3d3f24dea7c290912ad300538b9 Author: Thomas Gleixner <tglx(a)linutronix.de> AuthorDate: Sat, 27 Mar 2021 22:01:36 +01:00 Committer: Thomas Gleixner <tglx(a)linutronix.de> CommitterDate: Sat, 19 Jun 2021 22:26:07 +02:00 cpu/hotplug: Cure the cpusets trainwreck Alexey and Joshua tried to solve a cpusets related hotplug problem which is user space visible and results in unexpected behaviour for some time after a CPU has been plugged in and the corresponding uevent was delivered. cpusets delegate the hotplug work (rebuilding cpumasks etc.) to a workqueue. This is done because the cpusets code has already a lock nesting of cgroups_mutex -> cpu_hotplug_lock. A synchronous callback or waiting for the work to finish with cpu_hotplug_lock held can and will deadlock because that results in the reverse lock order. As a consequence the uevent can be delivered before cpusets have consistent state which means that a user space invocation of sched_setaffinity() to move a task to the plugged CPU fails up to the point where the scheduled work has been processed. The same is true for CPU unplug, but that does not create user observable failure (yet). It's still inconsistent to claim that an operation is finished before it actually is and that's the real issue at hand. uevents just make it reliably observable. Obviously the problem should be fixed in cpusets/cgroups, but untangling that is pretty much impossible because according to the changelog of the commit which introduced this 8 years ago: 3a5a6d0c2b03("cpuset: don't nest cgroup_mutex inside get_online_cpus()") the lock order cgroups_mutex -> cpu_hotplug_lock is a design decision and the whole code is built around that. So bite the bullet and invoke the relevant cpuset function, which waits for the work to finish, in _cpu_up/down() after dropping cpu_hotplug_lock and only when tasks are not frozen by suspend/hibernate because that would obviously wait forever. Waiting there with cpu_add_remove_lock, which is protecting the present and possible CPU maps, held is not a problem at all because neither work queues nor cpusets/cgroups have any lockchains related to that lock. Waiting in the hotplug machinery is not problematic either because there are already state callbacks which wait for hardware queues to drain. It makes the operations slightly slower, but hotplug is slow anyway. This ensures that state is consistent before returning from a hotplug up/down operation. It's still inconsistent during the operation, but that's a different story. Add a large comment which explains why this is done and why this is not a dump ground for the hack of the day to work around half thought out locking schemes. Document also the implications vs. hotplug operations and serialization or the lack of it. Thanks to Alexy and Joshua for analyzing why this temporary sched_setaffinity() failure happened. Fixes: 3a5a6d0c2b03("cpuset: don't nest cgroup_mutex inside get_online_cpus()") Reported-by: Alexey Klimov <aklimov(a)redhat.com> Reported-by: Joshua Baker <jobaker(a)redhat.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Tested-by: Alexey Klimov <aklimov(a)redhat.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/87tuowcnv3.ffs@nanos.tec.linutronix.de --- kernel/cpu.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/kernel/cpu.c b/kernel/cpu.c index e538518..eccc8cf 100644 --- a/kernel/cpu.c +++ b/kernel/cpu.c @@ -32,6 +32,7 @@ #include <linux/relay.h> #include <linux/slab.h> #include <linux/percpu-rwsem.h> +#include <linux/cpuset.h> #include <trace/events/power.h> #define CREATE_TRACE_POINTS @@ -919,6 +920,52 @@ void clear_tasks_mm_cpumask(int cpu) rcu_read_unlock(); } +/* + * + * Serialize hotplug trainwrecks outside of the cpu_hotplug_lock + * protected region. + * + * The operation is still serialized against concurrent CPU hotplug via + * cpu_add_remove_lock, i.e. CPU map protection. But it is _not_ + * serialized against other hotplug related activity like adding or + * removing of state callbacks and state instances, which invoke either the + * startup or the teardown callback of the affected state. + * + * This is required for subsystems which are unfixable vs. CPU hotplug and + * evade lock inversion problems by scheduling work which has to be + * completed _before_ cpu_up()/_cpu_down() returns. + * + * Don't even think about adding anything to this for any new code or even + * drivers. It's only purpose is to keep existing lock order trainwrecks + * working. + * + * For cpu_down() there might be valid reasons to finish cleanups which are + * not required to be done under cpu_hotplug_lock, but that's a different + * story and would be not invoked via this. + */ +static void cpu_up_down_serialize_trainwrecks(bool tasks_frozen) +{ + /* + * cpusets delegate hotplug operations to a worker to "solve" the + * lock order problems. Wait for the worker, but only if tasks are + * _not_ frozen (suspend, hibernate) as that would wait forever. + * + * The wait is required because otherwise the hotplug operation + * returns with inconsistent state, which could even be observed in + * user space when a new CPU is brought up. The CPU plug uevent + * would be delivered and user space reacting on it would fail to + * move tasks to the newly plugged CPU up to the point where the + * work has finished because up to that point the newly plugged CPU + * is not assignable in cpusets/cgroups. On unplug that's not + * necessarily a visible issue, but it is still inconsistent state, + * which is the real problem which needs to be "fixed". This can't + * prevent the transient state between scheduling the work and + * returning from waiting for it. + */ + if (!tasks_frozen) + cpuset_wait_for_hotplug(); +} + /* Take this CPU down. */ static int take_cpu_down(void *_param) { @@ -1108,6 +1155,7 @@ out: */ lockup_detector_cleanup(); arch_smt_update(); + cpu_up_down_serialize_trainwrecks(tasks_frozen); return ret; } @@ -1302,6 +1350,7 @@ static int _cpu_up(unsigned int cpu, int tasks_frozen, enum cpuhp_state target) out: cpus_write_unlock(); arch_smt_update(); + cpu_up_down_serialize_trainwrecks(tasks_frozen); return ret; }

4 years

1
0
0 0

[PATCH 5.10 00/38] 5.10.45-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.10.45 release. There are 38 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 18 Jun 2021 15:28:19 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.45-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.10.45-rc1 Zheng Yongjun <zhengyongjun3(a)huawei.com> fib: Return the correct errno code Zheng Yongjun <zhengyongjun3(a)huawei.com> net: Return the correct errno code Zheng Yongjun <zhengyongjun3(a)huawei.com> net/x25: Return the correct errno code Jiapeng Chong <jiapeng.chong(a)linux.alibaba.com> rtnetlink: Fix missing error code in rtnl_bridge_notify() Victor Zhao <Victor.Zhao(a)amd.com> drm/amd/amdgpu:save psp ring wptr to avoid attack Roman Li <roman.li(a)amd.com> drm/amd/display: Fix potential memory leak in DMUB hw_init Rodrigo Siqueira <Rodrigo.Siqueira(a)amd.com> drm/amd/display: Fix overlay validation by considering cursors Jiansong Chen <Jiansong.Chen(a)amd.com> drm/amdgpu: refine amdgpu_fru_get_product_info Bindu Ramamurthy <bindu.r(a)amd.com> drm/amd/display: Allow bandwidth validation for 0 streams. Josh Triplett <josh(a)joshtriplett.org> net: ipconfig: Don't override command-line hostnames or domains Hannes Reinecke <hare(a)suse.de> nvme-loop: do not warn for deleted controllers during reset Hannes Reinecke <hare(a)suse.de> nvme-loop: check for NVME_LOOP_Q_LIVE in nvme_loop_destroy_admin_queue() Hannes Reinecke <hare(a)suse.de> nvme-loop: clear NVME_LOOP_Q_LIVE when nvme_loop_configure_admin_queue() fails Hannes Reinecke <hare(a)suse.de> nvme-loop: reset queue count to 1 in nvme_loop_destroy_io_queues() Ewan D. Milne <emilne(a)redhat.com> scsi: scsi_devinfo: Add blacklist entry for HPE OPEN-V Larry Finger <Larry.Finger(a)lwfinger.net> Bluetooth: Add a new USB ID for RTL8822CE Daniel Wagner <dwagner(a)suse.de> scsi: qedf: Do not put host in qedf_vport_create() unconditionally Jiapeng Chong <jiapeng.chong(a)linux.alibaba.com> ethernet: myri10ge: Fix missing error code in myri10ge_probe() Maurizio Lombardi <mlombard(a)redhat.com> scsi: target: core: Fix warning on realtime kernels Hillf Danton <hdanton(a)sina.com> gfs2: Fix use-after-free in gfs2_glock_shrink_scan Khem Raj <raj.khem(a)gmail.com> riscv: Use -mno-relax when using lld linker Bixuan Cui <cuibixuan(a)huawei.com> HID: gt683r: add missing MODULE_DEVICE_TABLE Bob Peterson <rpeterso(a)redhat.com> gfs2: fix a deadlock on withdraw-during-mount Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: Prevent direct-I/O write fallback errors from getting lost Yongqiang Liu <liuyongqiang13(a)huawei.com> ARM: OMAP2+: Fix build warning when mmc_omap is not built Maciej Falkowski <maciej.falkowski9(a)gmail.com> ARM: OMAP1: Fix use of possibly uninitialized irq variable Thierry Reding <treding(a)nvidia.com> drm/tegra: sor: Fully initialize SOR before registration Thierry Reding <treding(a)nvidia.com> gpu: host1x: Split up client initalization and registration Pavel Machek (CIP) <pavel(a)denx.de> drm/tegra: sor: Do not leak runtime PM reference Anirudh Rayabharam <mail(a)anirudhrb.com> HID: usbhid: fix info leak in hid_submit_ctrl Mark Bolhuis <mark(a)bolhuis.dev> HID: Add BUS_VIRTUAL to hid_connect logging Ahelenia Ziemiańska <nabijaczleweli(a)nabijaczleweli.xyz> HID: multitouch: set Stylus suffix for Stylus-application devices, too Saeed Mirzamohammadi <saeed.mirzamohammadi(a)oracle.com> HID: quirks: Add quirk for Lenovo optical mouse Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> HID: hid-sensor-hub: Return error for hid_set_field() failure Dmitry Torokhov <dmitry.torokhov(a)gmail.com> HID: hid-input: add mapping for emoji picker key Mateusz Jończyk <mat.jonczyk(a)o2.pl> HID: a4tech: use A4_2WHEEL_MOUSE_HACK_B8 for A4TECH NB-95 Nirenjan Krishnan <nirenjan(a)gmail.com> HID: quirks: Set INCREMENT_USAGE_ON_DUPLICATE for Saitek X65 Dan Robertson <dan(a)dlrobertson.com> net: ieee802154: fix null deref in parse dev addr ------------- Diffstat: Makefile | 4 +-- arch/arm/mach-omap1/pm.c | 10 ++++-- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/riscv/Makefile | 9 +++++ drivers/bluetooth/btusb.c | 2 ++ drivers/gpu/drm/amd/amdgpu/amdgpu_fru_eeprom.c | 42 ++++++++++++---------- drivers/gpu/drm/amd/amdgpu/amdgpu_psp.h | 1 + drivers/gpu/drm/amd/amdgpu/psp_v11_0.c | 3 +- drivers/gpu/drm/amd/amdgpu/psp_v3_1.c | 3 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 14 ++++++-- .../gpu/drm/amd/display/dc/dcn20/dcn20_resource.c | 2 +- drivers/gpu/drm/tegra/sor.c | 41 +++++++++++---------- drivers/gpu/host1x/bus.c | 30 ++++++++++++---- drivers/hid/Kconfig | 4 +-- drivers/hid/hid-a4tech.c | 2 ++ drivers/hid/hid-core.c | 3 ++ drivers/hid/hid-debug.c | 1 + drivers/hid/hid-gt683r.c | 1 + drivers/hid/hid-ids.h | 3 ++ drivers/hid/hid-input.c | 3 ++ drivers/hid/hid-multitouch.c | 8 ++--- drivers/hid/hid-quirks.c | 3 ++ drivers/hid/hid-sensor-hub.c | 13 ++++--- drivers/hid/usbhid/hid-core.c | 2 +- drivers/net/ethernet/myricom/myri10ge/myri10ge.c | 1 + drivers/nvme/target/loop.c | 11 ++++-- drivers/scsi/qedf/qedf_main.c | 20 +++++------ drivers/scsi/scsi_devinfo.c | 1 + drivers/target/target_core_transport.c | 4 +-- fs/gfs2/file.c | 5 ++- fs/gfs2/glock.c | 26 +++++++++++--- include/linux/hid.h | 3 +- include/linux/host1x.h | 30 ++++++++++++---- include/uapi/linux/input-event-codes.h | 1 + net/compat.c | 2 +- net/core/fib_rules.c | 2 +- net/core/rtnetlink.c | 4 ++- net/ieee802154/nl802154.c | 9 ++--- net/ipv4/ipconfig.c | 13 ++++--- net/x25/af_x25.c | 2 +- 40 files changed, 231 insertions(+), 109 deletions(-)

4 years

11
50
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror June 2021