August 2023 - Linux-stable-mirror

FAILED: patch "[PATCH] ASoC: cs42l51: fix driver to properly autoload with automatic" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x e51df4f81b02bcdd828a04de7c1eb6a92988b61e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2023072301-online-accent-4365@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: e51df4f81b02 ("ASoC: cs42l51: fix driver to properly autoload with automatic module loading") 4a4043456cb8 ("ASoC: cs*: use simple i2c probe function") f8593e885400 ("ASoC: cs42l42: Handle system suspend") 5982b5a8ec7d ("ASoC: cs42l42: Change jack_detect_mutex to a lock of all IRQ handling") 8d06f797f844 ("ASoC: cs42l42: Report full jack status when plug is detected") a319cb32e7cf ("ASoC: cs4265: Add a remove() function") fdd535283779 ("ASoC: cs42l42: Report initial jack state") c778c01d3e66 ("ASoC: cs42l42: Remove unused runtime_suspend/runtime_resume callbacks") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e51df4f81b02bcdd828a04de7c1eb6a92988b61e Mon Sep 17 00:00:00 2001 From: Thomas Petazzoni <thomas.petazzoni(a)bootlin.com> Date: Thu, 13 Jul 2023 13:21:12 +0200 Subject: [PATCH] ASoC: cs42l51: fix driver to properly autoload with automatic module loading In commit 2cb1e0259f50 ("ASoC: cs42l51: re-hook of_match_table pointer"), 9 years ago, some random guy fixed the cs42l51 after it was split into a core part and an I2C part to properly match based on a Device Tree compatible string. However, the fix in this commit is wrong: the MODULE_DEVICE_TABLE(of, ....) is in the core part of the driver, not the I2C part. Therefore, automatic module loading based on module.alias, based on matching with the DT compatible string, loads the core part of the driver, but not the I2C part. And threfore, the i2c_driver is not registered, and the codec is not known to the system, nor matched with a DT node with the corresponding compatible string. In order to fix that, we move the MODULE_DEVICE_TABLE(of, ...) into the I2C part of the driver. The cs42l51_of_match[] array is also moved as well, as it is not possible to have this definition in one file, and the MODULE_DEVICE_TABLE(of, ...) invocation in another file, due to how MODULE_DEVICE_TABLE works. Thanks to this commit, the I2C part of the driver now properly autoloads, and thanks to its dependency on the core part, the core part gets autoloaded as well, resulting in a functional sound card without having to manually load kernel modules. Fixes: 2cb1e0259f50 ("ASoC: cs42l51: re-hook of_match_table pointer") Cc: stable(a)vger.kernel.org Signed-off-by: Thomas Petazzoni <thomas.petazzoni(a)bootlin.com> Link: https://lore.kernel.org/r/20230713112112.778576-1-thomas.petazzoni@bootlin.… Signed-off-by: Mark Brown <broonie(a)kernel.org> diff --git a/sound/soc/codecs/cs42l51-i2c.c b/sound/soc/codecs/cs42l51-i2c.c index b2106ff6a7cb..e7db7bcd0296 100644 --- a/sound/soc/codecs/cs42l51-i2c.c +++ b/sound/soc/codecs/cs42l51-i2c.c @@ -19,6 +19,12 @@ static struct i2c_device_id cs42l51_i2c_id[] = { }; MODULE_DEVICE_TABLE(i2c, cs42l51_i2c_id); +const struct of_device_id cs42l51_of_match[] = { + { .compatible = "cirrus,cs42l51", }, + { } +}; +MODULE_DEVICE_TABLE(of, cs42l51_of_match); + static int cs42l51_i2c_probe(struct i2c_client *i2c) { struct regmap_config config; diff --git a/sound/soc/codecs/cs42l51.c b/sound/soc/codecs/cs42l51.c index a67cd3ee84e0..a7079ae0ca09 100644 --- a/sound/soc/codecs/cs42l51.c +++ b/sound/soc/codecs/cs42l51.c @@ -823,13 +823,6 @@ int __maybe_unused cs42l51_resume(struct device *dev) } EXPORT_SYMBOL_GPL(cs42l51_resume); -const struct of_device_id cs42l51_of_match[] = { - { .compatible = "cirrus,cs42l51", }, - { } -}; -MODULE_DEVICE_TABLE(of, cs42l51_of_match); -EXPORT_SYMBOL_GPL(cs42l51_of_match); - MODULE_AUTHOR("Arnaud Patard <arnaud.patard(a)rtp-net.org>"); MODULE_DESCRIPTION("Cirrus Logic CS42L51 ALSA SoC Codec Driver"); MODULE_LICENSE("GPL"); diff --git a/sound/soc/codecs/cs42l51.h b/sound/soc/codecs/cs42l51.h index a79343e8a54e..125703ede113 100644 --- a/sound/soc/codecs/cs42l51.h +++ b/sound/soc/codecs/cs42l51.h @@ -16,7 +16,6 @@ int cs42l51_probe(struct device *dev, struct regmap *regmap); void cs42l51_remove(struct device *dev); int __maybe_unused cs42l51_suspend(struct device *dev); int __maybe_unused cs42l51_resume(struct device *dev); -extern const struct of_device_id cs42l51_of_match[]; #define CS42L51_CHIP_ID 0x1B #define CS42L51_CHIP_REV_A 0x00

9 months, 3 weeks

3
4
0 0

stable-rc/linux-5.4.y build: 17 builds: 0 failed, 17 passed, 26 warnings (v5.4.251-81-g59122d38d25b)

by kernelci.org bot

stable-rc/linux-5.4.y build: 17 builds: 0 failed, 17 passed, 26 warnings (v5.4.251-81-g59122d38d25b) Full Build Summary: https://kernelci.org/build/stable-rc/branch/linux-5.4.y/kernel/v5.4.251-81-… Tree: stable-rc Branch: linux-5.4.y Git Describe: v5.4.251-81-g59122d38d25b Git Commit: 59122d38d25b0ce0eeda91ecf9bc946f8610b37d Git URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git Built: 7 unique architectures Warnings Detected: arc: arm64: defconfig (gcc-10): 2 warnings defconfig+arm64-chromebook (gcc-10): 2 warnings arm: i386: allnoconfig (gcc-10): 2 warnings i386_defconfig (gcc-10): 2 warnings tinyconfig (gcc-10): 2 warnings mips: riscv: x86_64: allnoconfig (gcc-10): 4 warnings tinyconfig (gcc-10): 4 warnings x86_64_defconfig (gcc-10): 4 warnings x86_64_defconfig+x86-chromebook (gcc-10): 4 warnings Warnings summary: 7 ld: warning: creating DT_TEXTREL in a PIE 4 ld: arch/x86/boot/compressed/head_64.o: warning: relocation in read-only section `.head.text' 4 arch/arm64/include/asm/memory.h:238:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] 3 ld: arch/x86/boot/compressed/head_32.o: warning: relocation in read-only section `.head.text' 2 arch/x86/entry/entry_64.o: warning: objtool: If this is a retpoline, please patch it in with alternatives and annotate it with ANNOTATE_NOSPEC_ALTERNATIVE. 2 arch/x86/entry/entry_64.o: warning: objtool: .entry.text+0x1c1: unsupported intra-function call 2 arch/x86/entry/entry_64.o: warning: objtool: .entry.text+0x151: unsupported intra-function call 2 arch/x86/entry/entry_64.S:1756: Warning: no instruction mnemonic suffix given and no register operands; using default for `sysret' Section mismatches summary: 1 WARNING: vmlinux.o(___ksymtab_gpl+vic_init_cascaded+0x0): Section mismatch in reference from the variable __ksymtab_vic_init_cascaded to the function .init.text:vic_init_cascaded() ================================================================================ Detailed per-defconfig build reports: -------------------------------------------------------------------------------- 32r2el_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- allnoconfig (i386, gcc-10) — PASS, 0 errors, 2 warnings, 0 section mismatches Warnings: ld: arch/x86/boot/compressed/head_32.o: warning: relocation in read-only section `.head.text' ld: warning: creating DT_TEXTREL in a PIE -------------------------------------------------------------------------------- allnoconfig (x86_64, gcc-10) — PASS, 0 errors, 4 warnings, 0 section mismatches Warnings: arch/x86/entry/entry_64.S:1756: Warning: no instruction mnemonic suffix given and no register operands; using default for `sysret' arch/x86/entry/entry_64.o: warning: objtool: .entry.text+0x151: unsupported intra-function call ld: arch/x86/boot/compressed/head_64.o: warning: relocation in read-only section `.head.text' ld: warning: creating DT_TEXTREL in a PIE -------------------------------------------------------------------------------- defconfig (riscv, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- defconfig (arm64, gcc-10) — PASS, 0 errors, 2 warnings, 0 section mismatches Warnings: arch/arm64/include/asm/memory.h:238:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] arch/arm64/include/asm/memory.h:238:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] -------------------------------------------------------------------------------- defconfig+arm64-chromebook (arm64, gcc-10) — PASS, 0 errors, 2 warnings, 0 section mismatches Warnings: arch/arm64/include/asm/memory.h:238:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] arch/arm64/include/asm/memory.h:238:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] -------------------------------------------------------------------------------- haps_hs_smp_defconfig (arc, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- i386_defconfig (i386, gcc-10) — PASS, 0 errors, 2 warnings, 0 section mismatches Warnings: ld: arch/x86/boot/compressed/head_32.o: warning: relocation in read-only section `.head.text' ld: warning: creating DT_TEXTREL in a PIE -------------------------------------------------------------------------------- imx_v6_v7_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- multi_v5_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches Section mismatches: WARNING: vmlinux.o(___ksymtab_gpl+vic_init_cascaded+0x0): Section mismatch in reference from the variable __ksymtab_vic_init_cascaded to the function .init.text:vic_init_cascaded() -------------------------------------------------------------------------------- multi_v7_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- omap2plus_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- tinyconfig (i386, gcc-10) — PASS, 0 errors, 2 warnings, 0 section mismatches Warnings: ld: arch/x86/boot/compressed/head_32.o: warning: relocation in read-only section `.head.text' ld: warning: creating DT_TEXTREL in a PIE -------------------------------------------------------------------------------- tinyconfig (x86_64, gcc-10) — PASS, 0 errors, 4 warnings, 0 section mismatches Warnings: arch/x86/entry/entry_64.S:1756: Warning: no instruction mnemonic suffix given and no register operands; using default for `sysret' arch/x86/entry/entry_64.o: warning: objtool: .entry.text+0x151: unsupported intra-function call ld: arch/x86/boot/compressed/head_64.o: warning: relocation in read-only section `.head.text' ld: warning: creating DT_TEXTREL in a PIE -------------------------------------------------------------------------------- vexpress_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- x86_64_defconfig (x86_64, gcc-10) — PASS, 0 errors, 4 warnings, 0 section mismatches Warnings: arch/x86/entry/entry_64.o: warning: objtool: .entry.text+0x1c1: unsupported intra-function call arch/x86/entry/entry_64.o: warning: objtool: If this is a retpoline, please patch it in with alternatives and annotate it with ANNOTATE_NOSPEC_ALTERNATIVE. ld: arch/x86/boot/compressed/head_64.o: warning: relocation in read-only section `.head.text' ld: warning: creating DT_TEXTREL in a PIE -------------------------------------------------------------------------------- x86_64_defconfig+x86-chromebook (x86_64, gcc-10) — PASS, 0 errors, 4 warnings, 0 section mismatches Warnings: arch/x86/entry/entry_64.o: warning: objtool: .entry.text+0x1c1: unsupported intra-function call arch/x86/entry/entry_64.o: warning: objtool: If this is a retpoline, please patch it in with alternatives and annotate it with ANNOTATE_NOSPEC_ALTERNATIVE. ld: arch/x86/boot/compressed/head_64.o: warning: relocation in read-only section `.head.text' ld: warning: creating DT_TEXTREL in a PIE --- For more info write to <info(a)kernelci.org>

9 months, 3 weeks

1
0
0 0

[PATCH v3] ceph: defer stopping the mdsc delayed_work

by xiubli＠redhat.com

From: Xiubo Li <xiubli(a)redhat.com> Flushing the dirty buffer may take a long time if the Rados is overloaded or if there is network issue. So we should ping the MDSs periodically to keep alive, else the MDS will blocklist the kclient. Cc: stable(a)vger.kernel.org Cc: Venky Shankar <vshankar(a)redhat.com> URL: https://tracker.ceph.com/issues/61843 Reviewed-by: Milind Changire <mchangir(a)redhat.com> Signed-off-by: Xiubo Li <xiubli(a)redhat.com> --- V3: - Rebased to the master branch fs/ceph/mds_client.c | 4 ++-- fs/ceph/mds_client.h | 5 +++++ fs/ceph/super.c | 10 ++++++++++ 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c index 66048a86c480..5fb367b1d4b0 100644 --- a/fs/ceph/mds_client.c +++ b/fs/ceph/mds_client.c @@ -4764,7 +4764,7 @@ static void delayed_work(struct work_struct *work) dout("mdsc delayed_work\n"); - if (mdsc->stopping) + if (mdsc->stopping >= CEPH_MDSC_STOPPING_FLUSHED) return; mutex_lock(&mdsc->mutex); @@ -4943,7 +4943,7 @@ void send_flush_mdlog(struct ceph_mds_session *s) void ceph_mdsc_pre_umount(struct ceph_mds_client *mdsc) { dout("pre_umount\n"); - mdsc->stopping = 1; + mdsc->stopping = CEPH_MDSC_STOPPING_BEGIN; ceph_mdsc_iterate_sessions(mdsc, send_flush_mdlog, true); ceph_mdsc_iterate_sessions(mdsc, lock_unlock_session, false); diff --git a/fs/ceph/mds_client.h b/fs/ceph/mds_client.h index 724307ff89cd..86d2965e68a1 100644 --- a/fs/ceph/mds_client.h +++ b/fs/ceph/mds_client.h @@ -380,6 +380,11 @@ struct cap_wait { int want; }; +enum { + CEPH_MDSC_STOPPING_BEGIN = 1, + CEPH_MDSC_STOPPING_FLUSHED = 2, +}; + /* * mds client state */ diff --git a/fs/ceph/super.c b/fs/ceph/super.c index 3fc48b43cab0..a5f52013314d 100644 --- a/fs/ceph/super.c +++ b/fs/ceph/super.c @@ -1374,6 +1374,16 @@ static void ceph_kill_sb(struct super_block *s) ceph_mdsc_pre_umount(fsc->mdsc); flush_fs_workqueues(fsc); + /* + * Though the kill_anon_super() will finally trigger the + * sync_filesystem() anyway, we still need to do it here + * and then bump the stage of shutdown to stop the work + * queue as earlier as possible. + */ + sync_filesystem(s); + + fsc->mdsc->stopping = CEPH_MDSC_STOPPING_FLUSHED; + kill_anon_super(s); fsc->client->extra_mon_dispatch = NULL; -- 2.39.1

9 months, 3 weeks

3
3
0 0

[PATCH 4.14] net/sched: cls_u32: Fix reference counter leak leading to overflow

by Rishabh Bhatnagar

From: Lee Jones <lee(a)kernel.org> Upstream commit 04c55383fa5689357bcdd2c8036725a55ed632bc. In the event of a failure in tcf_change_indev(), u32_set_parms() will immediately return without decrementing the recently incremented reference counter. If this happens enough times, the counter will rollover and the reference freed, leading to a double free which can be used to do 'bad things'. In order to prevent this, move the point of possible failure above the point where the reference counter is incremented. Also save any meaningful return values to be applied to the return data at the appropriate point in time. This issue was caught with KASAN. Fixes: 705c7091262d ("net: sched: cls_u32: no need to call tcf_exts_change for newly allocated struct") Suggested-by: Eric Dumazet <edumazet(a)google.com> Signed-off-by: Lee Jones <lee(a)kernel.org> Reviewed-by: Eric Dumazet <edumazet(a)google.com> Acked-by: Jamal Hadi Salim <jhs(a)mojatatu.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Rishabh Bhatnagar <risbhat(a)amazon.com> --- net/sched/cls_u32.c | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c index fdbdcba44917..a4e01220a53a 100644 --- a/net/sched/cls_u32.c +++ b/net/sched/cls_u32.c @@ -774,11 +774,22 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp, struct nlattr *est, bool ovr) { int err; +#ifdef CONFIG_NET_CLS_IND + int ifindex = -1; +#endif err = tcf_exts_validate(net, tp, tb, est, &n->exts, ovr); if (err < 0) return err; +#ifdef CONFIG_NET_CLS_IND + if (tb[TCA_U32_INDEV]) { + ifindex = tcf_change_indev(net, tb[TCA_U32_INDEV]); + if (ifindex < 0) + return -EINVAL; + } +#endif + if (tb[TCA_U32_LINK]) { u32 handle = nla_get_u32(tb[TCA_U32_LINK]); struct tc_u_hnode *ht_down = NULL, *ht_old; @@ -806,14 +817,10 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp, } #ifdef CONFIG_NET_CLS_IND - if (tb[TCA_U32_INDEV]) { - int ret; - ret = tcf_change_indev(net, tb[TCA_U32_INDEV]); - if (ret < 0) - return -EINVAL; - n->ifindex = ret; - } + if (ifindex >= 0) + n->ifindex = ifindex; #endif + return 0; } -- 2.40.1

9 months, 3 weeks

3
2
0 0

[PATCH 4.14,5.4] net/sched: sch_qfq: account for stab overhead in qfq_enqueue

by Shaoying Xu

[ Upstream commit 3e337087c3b5805fe0b8a46ba622a962880b5d64 ] Lion says: ------- In the QFQ scheduler a similar issue to CVE-2023-31436 persists. Consider the following code in net/sched/sch_qfq.c: static int qfq_enqueue(struct sk_buff *skb, struct Qdisc *sch, struct sk_buff **to_free) { unsigned int len = qdisc_pkt_len(skb), gso_segs; // ... if (unlikely(cl->agg->lmax < len)) { pr_debug("qfq: increasing maxpkt from %u to %u for class %u", cl->agg->lmax, len, cl->common.classid); err = qfq_change_agg(sch, cl, cl->agg->class_weight, len); if (err) { cl->qstats.drops++; return qdisc_drop(skb, sch, to_free); } // ... } Similarly to CVE-2023-31436, "lmax" is increased without any bounds checks according to the packet length "len". Usually this would not impose a problem because packet sizes are naturally limited. This is however not the actual packet length, rather the "qdisc_pkt_len(skb)" which might apply size transformations according to "struct qdisc_size_table" as created by "qdisc_get_stab()" in net/sched/sch_api.c if the TCA_STAB option was set when modifying the qdisc. A user may choose virtually any size using such a table. As a result the same issue as in CVE-2023-31436 can occur, allowing heap out-of-bounds read / writes in the kmalloc-8192 cache. ------- We can create the issue with the following commands: tc qdisc add dev $DEV root handle 1: stab mtu 2048 tsize 512 mpu 0 \ overhead 999999999 linklayer ethernet qfq tc class add dev $DEV parent 1: classid 1:1 htb rate 6mbit burst 15k tc filter add dev $DEV parent 1: matchall classid 1:1 ping -I $DEV 1.1.1.2 This is caused by incorrectly assuming that qdisc_pkt_len() returns a length within the QFQ_MIN_LMAX < len < QFQ_MAX_LMAX. Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost") Reported-by: Lion <nnamrec(a)gmail.com> Reviewed-by: Eric Dumazet <edumazet(a)google.com> Signed-off-by: Jamal Hadi Salim <jhs(a)mojatatu.com> Signed-off-by: Pedro Tammela <pctammela(a)mojatatu.com> Reviewed-by: Simon Horman <simon.horman(a)corigine.com> Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> [Backport patch for stable kernels 4.14 and 5.4. Since QFQ_MAX_LMAX is not defined, replace it with 1UL << QFQ_MTU_SHIFT.] Cc: <stable(a)vger.kernel.org> # 4.14, 5.4 Signed-off-by: Shaoying Xu <shaoyi(a)amazon.com> --- net/sched/sch_qfq.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c index 603bd3097bd8..34a54dcd95f2 100644 --- a/net/sched/sch_qfq.c +++ b/net/sched/sch_qfq.c @@ -375,8 +375,13 @@ static int qfq_change_agg(struct Qdisc *sch, struct qfq_class *cl, u32 weight, u32 lmax) { struct qfq_sched *q = qdisc_priv(sch); - struct qfq_aggregate *new_agg = qfq_find_agg(q, lmax, weight); + struct qfq_aggregate *new_agg; + /* 'lmax' can range from [QFQ_MIN_LMAX, pktlen + stab overhead] */ + if (lmax > (1UL << QFQ_MTU_SHIFT)) + return -EINVAL; + + new_agg = qfq_find_agg(q, lmax, weight); if (new_agg == NULL) { /* create new aggregate */ new_agg = kzalloc(sizeof(*new_agg), GFP_ATOMIC); if (new_agg == NULL) -- 2.40.1

9 months, 3 weeks

2
1
0 0

[PATCH 4.19] net/sched: cls_fw: Fix improper refcount update leads to use-after-free

by SeongJae Park

From: M A Ramdhan <ramdhan(a)starlabs.sg> [ Upstream commit 0323bce598eea038714f941ce2b22541c46d488f ] In the event of a failure in tcf_change_indev(), fw_set_parms() will immediately return an error after incrementing or decrementing reference counter in tcf_bind_filter(). If attacker can control reference counter to zero and make reference freed, leading to use after free. In order to prevent this, move the point of possible failure above the point where the TC_FW_CLASSID is handled. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: M A Ramdhan <ramdhan(a)starlabs.sg> Signed-off-by: M A Ramdhan <ramdhan(a)starlabs.sg> Acked-by: Jamal Hadi Salim <jhs(a)mojatatu.com> Reviewed-by: Pedro Tammela <pctammela(a)mojatatu.com> Message-ID: <20230705161530.52003-1-ramdhan(a)starlabs.sg> Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: SeongJae Park <sj(a)kernel.org> --- net/sched/cls_fw.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c index cb2c62605fc76..5284a473c697f 100644 --- a/net/sched/cls_fw.c +++ b/net/sched/cls_fw.c @@ -221,11 +221,6 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp, if (err < 0) return err; - if (tb[TCA_FW_CLASSID]) { - f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]); - tcf_bind_filter(tp, &f->res, base); - } - #ifdef CONFIG_NET_CLS_IND if (tb[TCA_FW_INDEV]) { int ret; @@ -244,6 +239,11 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp, } else if (head->mask != 0xFFFFFFFF) return err; + if (tb[TCA_FW_CLASSID]) { + f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]); + tcf_bind_filter(tp, &f->res, base); + } + return 0; } -- 2.40.1

9 months, 3 weeks

2
1
0 0

[PATCH v2 1/1] test_firmware: prevent race conditions by a correct implementation of locking

by Mirsad Todorovac

[ Upstream commit 4acfe3dfde685a5a9eaec5555351918e2d7266a1 ] Dan Carpenter spotted a race condition in a couple of situations like these in the test_firmware driver: static int test_dev_config_update_u8(const char *buf, size_t size, u8 *cfg) { u8 val; int ret; ret = kstrtou8(buf, 10, &val); if (ret) return ret; mutex_lock(&test_fw_mutex); *(u8 *)cfg = val; mutex_unlock(&test_fw_mutex); /* Always return full write size even if we didn't consume all */ return size; } static ssize_t config_num_requests_store(struct device *dev, struct device_attribute *attr, const char *buf, size_t count) { int rc; mutex_lock(&test_fw_mutex); if (test_fw_config->reqs) { pr_err("Must call release_all_firmware prior to changing config\n"); rc = -EINVAL; mutex_unlock(&test_fw_mutex); goto out; } mutex_unlock(&test_fw_mutex); // NOTE: HERE is the race!!! Function can be preempted! // test_fw_config->reqs can change between the release of // the lock about and acquire of the lock in the // test_dev_config_update_u8() rc = test_dev_config_update_u8(buf, count, &test_fw_config->num_requests); out: return rc; } static ssize_t config_read_fw_idx_store(struct device *dev, struct device_attribute *attr, const char *buf, size_t count) { return test_dev_config_update_u8(buf, count, &test_fw_config->read_fw_idx); } The function test_dev_config_update_u8() is called from both the locked and the unlocked context, function config_num_requests_store() and config_read_fw_idx_store() which can both be called asynchronously as they are driver's methods, while test_dev_config_update_u8() and siblings change their argument pointed to by u8 *cfg or similar pointer. To avoid deadlock on test_fw_mutex, the lock is dropped before calling test_dev_config_update_u8() and re-acquired within test_dev_config_update_u8() itself, but alas this creates a race condition. Having two locks wouldn't assure a race-proof mutual exclusion. This situation is best avoided by the introduction of a new, unlocked function __test_dev_config_update_u8() which can be called from the locked context and reducing test_dev_config_update_u8() to: static int test_dev_config_update_u8(const char *buf, size_t size, u8 *cfg) { int ret; mutex_lock(&test_fw_mutex); ret = __test_dev_config_update_u8(buf, size, cfg); mutex_unlock(&test_fw_mutex); return ret; } doing the locking and calling the unlocked primitive, which enables both locked and unlocked versions without duplication of code. Fixes: c92316bf8e948 ("test_firmware: add batched firmware tests") Cc: Luis R. Rodriguez <mcgrof(a)kernel.org> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Cc: Russ Weight <russell.h.weight(a)intel.com> Cc: Takashi Iwai <tiwai(a)suse.de> Cc: Tianfei Zhang <tianfei.zhang(a)intel.com> Cc: Shuah Khan <shuah(a)kernel.org> Cc: Colin Ian King <colin.i.king(a)gmail.com> Cc: Randy Dunlap <rdunlap(a)infradead.org> Cc: linux-kselftest(a)vger.kernel.org Cc: stable(a)vger.kernel.org # v5.4 Suggested-by: Dan Carpenter <error27(a)gmail.com> Link: https://lore.kernel.org/r/20230509084746.48259-1-mirsad.todorovac@alu.unizg… Signed-off-by: Mirsad Todorovac <mirsad.todorovac(a)alu.unizg.hr> [ NOTE: This patch is tested against 5.4 stable. Some of the fixes from the upstream ] [ patch to stable 5.10+ do not apply. ] --- v2: minor clarification and consistency improvements. no change to code. lib/test_firmware.c | 37 ++++++++++++++++++++++++++++--------- 1 file changed, 28 insertions(+), 9 deletions(-) diff --git a/lib/test_firmware.c b/lib/test_firmware.c index 38553944e967..92d7195d5b5b 100644 --- a/lib/test_firmware.c +++ b/lib/test_firmware.c @@ -301,16 +301,26 @@ static ssize_t config_test_show_str(char *dst, return len; } -static int test_dev_config_update_bool(const char *buf, size_t size, - bool *cfg) +static inline int __test_dev_config_update_bool(const char *buf, size_t size, + bool *cfg) { int ret; - mutex_lock(&test_fw_mutex); if (strtobool(buf, cfg) < 0) ret = -EINVAL; else ret = size; + + return ret; +} + +static int test_dev_config_update_bool(const char *buf, size_t size, + bool *cfg) +{ + int ret; + + mutex_lock(&test_fw_mutex); + ret = __test_dev_config_update_bool(buf, size, cfg); mutex_unlock(&test_fw_mutex); return ret; @@ -340,7 +350,7 @@ static ssize_t test_dev_config_show_int(char *buf, int cfg) return snprintf(buf, PAGE_SIZE, "%d\n", val); } -static int test_dev_config_update_u8(const char *buf, size_t size, u8 *cfg) +static inline int __test_dev_config_update_u8(const char *buf, size_t size, u8 *cfg) { int ret; long new; @@ -352,14 +362,23 @@ static int test_dev_config_update_u8(const char *buf, size_t size, u8 *cfg) if (new > U8_MAX) return -EINVAL; - mutex_lock(&test_fw_mutex); *(u8 *)cfg = new; - mutex_unlock(&test_fw_mutex); /* Always return full write size even if we didn't consume all */ return size; } +static int test_dev_config_update_u8(const char *buf, size_t size, u8 *cfg) +{ + int ret; + + mutex_lock(&test_fw_mutex); + ret = __test_dev_config_update_u8(buf, size, cfg); + mutex_unlock(&test_fw_mutex); + + return ret; +} + static ssize_t test_dev_config_show_u8(char *buf, u8 cfg) { u8 val; @@ -392,10 +411,10 @@ static ssize_t config_num_requests_store(struct device *dev, mutex_unlock(&test_fw_mutex); goto out; } - mutex_unlock(&test_fw_mutex); - rc = test_dev_config_update_u8(buf, count, - &test_fw_config->num_requests); + rc = __test_dev_config_update_u8(buf, count, + &test_fw_config->num_requests); + mutex_unlock(&test_fw_mutex); out: return rc; -- 2.34.1

9 months, 3 weeks

1
0
0 0

stable-rc/linux-4.19.y build: 19 builds: 3 failed, 16 passed, 24 warnings (v4.19.289-282-g3e92182b0828a)

by kernelci.org bot

stable-rc/linux-4.19.y build: 19 builds: 3 failed, 16 passed, 24 warnings (v4.19.289-282-g3e92182b0828a) Full Build Summary: https://kernelci.org/build/stable-rc/branch/linux-4.19.y/kernel/v4.19.289-2… Tree: stable-rc Branch: linux-4.19.y Git Describe: v4.19.289-282-g3e92182b0828a Git Commit: 3e92182b0828a62eede33da6ee5e9dfcc562cf88 Git URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git Built: 7 unique architectures Build Failures Detected: riscv: allnoconfig: (gcc-10) FAIL defconfig: (gcc-10) FAIL tinyconfig: (gcc-10) FAIL Warnings Detected: arc: arm64: defconfig (gcc-10): 3 warnings defconfig+arm64-chromebook (gcc-10): 3 warnings arm: i386: allnoconfig (gcc-10): 2 warnings i386_defconfig (gcc-10): 2 warnings tinyconfig (gcc-10): 2 warnings mips: riscv: x86_64: allnoconfig (gcc-10): 2 warnings tinyconfig (gcc-10): 2 warnings x86_64_defconfig (gcc-10): 4 warnings x86_64_defconfig+x86-chromebook (gcc-10): 4 warnings Warnings summary: 7 ld: warning: creating DT_TEXTREL in a PIE 6 aarch64-linux-gnu-ld: warning: -z norelro ignored 4 ld: arch/x86/boot/compressed/head_64.o: warning: relocation in read-only section `.head.text' 3 ld: arch/x86/boot/compressed/head_32.o: warning: relocation in read-only section `.head.text' 2 drivers/gpu/drm/drm_edid.o: warning: objtool: validate_displayid.constprop.0()+0x6a: return with modified stack frame 2 drivers/gpu/drm/drm_edid.o: warning: objtool: validate_displayid.constprop.0()+0x0: stack state mismatch: cfa1=7+112 cfa2=7+8 Section mismatches summary: 3 WARNING: modpost: Found 1 section mismatch(es). ================================================================================ Detailed per-defconfig build reports: -------------------------------------------------------------------------------- 32r2el_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- allnoconfig (x86_64, gcc-10) — PASS, 0 errors, 2 warnings, 0 section mismatches Warnings: ld: arch/x86/boot/compressed/head_64.o: warning: relocation in read-only section `.head.text' ld: warning: creating DT_TEXTREL in a PIE -------------------------------------------------------------------------------- allnoconfig (riscv, gcc-10) — FAIL, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- allnoconfig (i386, gcc-10) — PASS, 0 errors, 2 warnings, 0 section mismatches Warnings: ld: arch/x86/boot/compressed/head_32.o: warning: relocation in read-only section `.head.text' ld: warning: creating DT_TEXTREL in a PIE -------------------------------------------------------------------------------- defconfig (riscv, gcc-10) — FAIL, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- defconfig (arm64, gcc-10) — PASS, 0 errors, 3 warnings, 0 section mismatches Warnings: aarch64-linux-gnu-ld: warning: -z norelro ignored aarch64-linux-gnu-ld: warning: -z norelro ignored aarch64-linux-gnu-ld: warning: -z norelro ignored Section mismatches: WARNING: modpost: Found 1 section mismatch(es). -------------------------------------------------------------------------------- defconfig+arm64-chromebook (arm64, gcc-10) — PASS, 0 errors, 3 warnings, 0 section mismatches Warnings: aarch64-linux-gnu-ld: warning: -z norelro ignored aarch64-linux-gnu-ld: warning: -z norelro ignored aarch64-linux-gnu-ld: warning: -z norelro ignored Section mismatches: WARNING: modpost: Found 1 section mismatch(es). -------------------------------------------------------------------------------- haps_hs_smp_defconfig (arc, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- i386_defconfig (i386, gcc-10) — PASS, 0 errors, 2 warnings, 0 section mismatches Warnings: ld: arch/x86/boot/compressed/head_32.o: warning: relocation in read-only section `.head.text' ld: warning: creating DT_TEXTREL in a PIE -------------------------------------------------------------------------------- imx_v6_v7_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- multi_v5_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches Section mismatches: WARNING: modpost: Found 1 section mismatch(es). -------------------------------------------------------------------------------- multi_v7_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- omap2plus_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- tinyconfig (riscv, gcc-10) — FAIL, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- tinyconfig (x86_64, gcc-10) — PASS, 0 errors, 2 warnings, 0 section mismatches Warnings: ld: arch/x86/boot/compressed/head_64.o: warning: relocation in read-only section `.head.text' ld: warning: creating DT_TEXTREL in a PIE -------------------------------------------------------------------------------- tinyconfig (i386, gcc-10) — PASS, 0 errors, 2 warnings, 0 section mismatches Warnings: ld: arch/x86/boot/compressed/head_32.o: warning: relocation in read-only section `.head.text' ld: warning: creating DT_TEXTREL in a PIE -------------------------------------------------------------------------------- vexpress_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- x86_64_defconfig (x86_64, gcc-10) — PASS, 0 errors, 4 warnings, 0 section mismatches Warnings: drivers/gpu/drm/drm_edid.o: warning: objtool: validate_displayid.constprop.0()+0x6a: return with modified stack frame drivers/gpu/drm/drm_edid.o: warning: objtool: validate_displayid.constprop.0()+0x0: stack state mismatch: cfa1=7+112 cfa2=7+8 ld: arch/x86/boot/compressed/head_64.o: warning: relocation in read-only section `.head.text' ld: warning: creating DT_TEXTREL in a PIE -------------------------------------------------------------------------------- x86_64_defconfig+x86-chromebook (x86_64, gcc-10) — PASS, 0 errors, 4 warnings, 0 section mismatches Warnings: drivers/gpu/drm/drm_edid.o: warning: objtool: validate_displayid.constprop.0()+0x6a: return with modified stack frame drivers/gpu/drm/drm_edid.o: warning: objtool: validate_displayid.constprop.0()+0x0: stack state mismatch: cfa1=7+112 cfa2=7+8 ld: arch/x86/boot/compressed/head_64.o: warning: relocation in read-only section `.head.text' ld: warning: creating DT_TEXTREL in a PIE --- For more info write to <info(a)kernelci.org>

9 months, 3 weeks

1
0
0 0

stable-rc/linux-6.1.y build: 20 builds: 0 failed, 20 passed, 1 warning (v6.1.42-221-gf40ed79b9e80)

by kernelci.org bot

stable-rc/linux-6.1.y build: 20 builds: 0 failed, 20 passed, 1 warning (v6.1.42-221-gf40ed79b9e80) Full Build Summary: https://kernelci.org/build/stable-rc/branch/linux-6.1.y/kernel/v6.1.42-221-… Tree: stable-rc Branch: linux-6.1.y Git Describe: v6.1.42-221-gf40ed79b9e80 Git Commit: f40ed79b9e80b61b5ef079dbb21b2c7b450191a2 Git URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git Built: 7 unique architectures Warnings Detected: arc: arm64: arm: i386: mips: 32r2el_defconfig (gcc-10): 1 warning riscv: x86_64: Warnings summary: 1 arch/mips/boot/dts/img/boston.dts:128.19-178.5: Warning (pci_device_reg): /pci@14000000/pci2_root@0,0,0: PCI unit address format error, expected "0,0" ================================================================================ Detailed per-defconfig build reports: -------------------------------------------------------------------------------- 32r2el_defconfig (mips, gcc-10) — PASS, 0 errors, 1 warning, 0 section mismatches Warnings: arch/mips/boot/dts/img/boston.dts:128.19-178.5: Warning (pci_device_reg): /pci@14000000/pci2_root@0,0,0: PCI unit address format error, expected "0,0" -------------------------------------------------------------------------------- allnoconfig (i386, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- allnoconfig (x86_64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- defconfig (riscv, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- defconfig (arm64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- defconfig+arm64-chromebook (arm64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- haps_hs_smp_defconfig (arc, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- i386_defconfig (i386, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- imx_v6_v7_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- multi_v5_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- multi_v7_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- nommu_k210_defconfig (riscv, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- nommu_k210_sdcard_defconfig (riscv, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- omap2plus_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- rv32_defconfig (riscv, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- tinyconfig (i386, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- tinyconfig (x86_64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- vexpress_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- x86_64_defconfig (x86_64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- x86_64_defconfig+x86-chromebook (x86_64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches --- For more info write to <info(a)kernelci.org>

9 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] drm/client: Fix memory leak in drm_client_target_cloned" failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-4.19.y git checkout FETCH_HEAD git cherry-pick -x c2a88e8bdf5f6239948d75283d0ae7e0c7945b03 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2023072326-snuff-obnoxious-af01@gregkh' --subject-prefix 'PATCH 4.19.y' HEAD^.. Possible dependencies: c2a88e8bdf5f ("drm/client: Fix memory leak in drm_client_target_cloned") cf13909aee05 ("drm/fb-helper: Move out modeset config code") aafa9e066872 ("drm/fb-helper: Prepare to move out modeset config code") e5852bee90d6 ("drm/fb-helper: Remove drm_fb_helper_connector") aec3925f093d ("drm/fb-helper: Move out commit code") eade2a17ddc5 ("drm/fb-helper: Prepare to move out commit code") d81294afeecd ("drm/fb-helper: Remove drm_fb_helper_crtc") 4672b1d65fc9 ("Merge remote-tracking branch 'drm/drm-next' into drm-misc-next") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c2a88e8bdf5f6239948d75283d0ae7e0c7945b03 Mon Sep 17 00:00:00 2001 From: Jocelyn Falempe <jfalempe(a)redhat.com> Date: Tue, 11 Jul 2023 11:20:43 +0200 Subject: [PATCH] drm/client: Fix memory leak in drm_client_target_cloned dmt_mode is allocated and never freed in this function. It was found with the ast driver, but most drivers using generic fbdev setup are probably affected. This fixes the following kmemleak report: backtrace: [<00000000b391296d>] drm_mode_duplicate+0x45/0x220 [drm] [<00000000e45bb5b3>] drm_client_target_cloned.constprop.0+0x27b/0x480 [drm] [<00000000ed2d3a37>] drm_client_modeset_probe+0x6bd/0xf50 [drm] [<0000000010e5cc9d>] __drm_fb_helper_initial_config_and_unlock+0xb4/0x2c0 [drm_kms_helper] [<00000000909f82ca>] drm_fbdev_client_hotplug+0x2bc/0x4d0 [drm_kms_helper] [<00000000063a69aa>] drm_client_register+0x169/0x240 [drm] [<00000000a8c61525>] ast_pci_probe+0x142/0x190 [ast] [<00000000987f19bb>] local_pci_probe+0xdc/0x180 [<000000004fca231b>] work_for_cpu_fn+0x4e/0xa0 [<0000000000b85301>] process_one_work+0x8b7/0x1540 [<000000003375b17c>] worker_thread+0x70a/0xed0 [<00000000b0d43cd9>] kthread+0x29f/0x340 [<000000008d770833>] ret_from_fork+0x1f/0x30 unreferenced object 0xff11000333089a00 (size 128): cc: <stable(a)vger.kernel.org> Fixes: 1d42bbc8f7f9 ("drm/fbdev: fix cloning on fbcon") Reported-by: Zhang Yi <yizhan(a)redhat.com> Signed-off-by: Jocelyn Falempe <jfalempe(a)redhat.com> Reviewed-by: Javier Martinez Canillas <javierm(a)redhat.com> Reviewed-by: Thomas Zimmermann <tzimmermann(a)suse.de> Link: https://patchwork.freedesktop.org/patch/msgid/20230711092203.68157-2-jfalem… diff --git a/drivers/gpu/drm/drm_client_modeset.c b/drivers/gpu/drm/drm_client_modeset.c index 1b12a3c201a3..a4a62aa99984 100644 --- a/drivers/gpu/drm/drm_client_modeset.c +++ b/drivers/gpu/drm/drm_client_modeset.c @@ -311,6 +311,9 @@ static bool drm_client_target_cloned(struct drm_device *dev, can_clone = true; dmt_mode = drm_mode_find_dmt(dev, 1024, 768, 60, false); + if (!dmt_mode) + goto fail; + for (i = 0; i < connector_count; i++) { if (!enabled[i]) continue; @@ -326,11 +329,13 @@ static bool drm_client_target_cloned(struct drm_device *dev, if (!modes[i]) can_clone = false; } + kfree(dmt_mode); if (can_clone) { DRM_DEBUG_KMS("can clone using 1024x768\n"); return true; } +fail: DRM_INFO("kms: can't enable cloning when we probably wanted to.\n"); return false; }

9 months, 3 weeks

3
2
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror August 2023