May 2024 - Linux-stable-mirror

FAILED: patch "[PATCH] ftrace: Fix possible use-after-free issue in" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x e60b613df8b6253def41215402f72986fee3fc8d # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024052757-fantasy-resent-77c6@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e60b613df8b6253def41215402f72986fee3fc8d Mon Sep 17 00:00:00 2001 From: Zheng Yejian <zhengyejian1(a)huawei.com> Date: Fri, 10 May 2024 03:28:59 +0800 Subject: [PATCH] ftrace: Fix possible use-after-free issue in ftrace_location() KASAN reports a bug: BUG: KASAN: use-after-free in ftrace_location+0x90/0x120 Read of size 8 at addr ffff888141d40010 by task insmod/424 CPU: 8 PID: 424 Comm: insmod Tainted: G W 6.9.0-rc2+ [...] Call Trace: <TASK> dump_stack_lvl+0x68/0xa0 print_report+0xcf/0x610 kasan_report+0xb5/0xe0 ftrace_location+0x90/0x120 register_kprobe+0x14b/0xa40 kprobe_init+0x2d/0xff0 [kprobe_example] do_one_initcall+0x8f/0x2d0 do_init_module+0x13a/0x3c0 load_module+0x3082/0x33d0 init_module_from_file+0xd2/0x130 __x64_sys_finit_module+0x306/0x440 do_syscall_64+0x68/0x140 entry_SYSCALL_64_after_hwframe+0x71/0x79 The root cause is that, in lookup_rec(), ftrace record of some address is being searched in ftrace pages of some module, but those ftrace pages at the same time is being freed in ftrace_release_mod() as the corresponding module is being deleted: CPU1 | CPU2 register_kprobes() { | delete_module() { check_kprobe_address_safe() { | arch_check_ftrace_location() { | ftrace_location() { | lookup_rec() // USE! | ftrace_release_mod() // Free! To fix this issue: 1. Hold rcu lock as accessing ftrace pages in ftrace_location_range(); 2. Use ftrace_location_range() instead of lookup_rec() in ftrace_location(); 3. Call synchronize_rcu() before freeing any ftrace pages both in ftrace_process_locs()/ftrace_release_mod()/ftrace_free_mem(). Link: https://lore.kernel.org/linux-trace-kernel/20240509192859.1273558-1-zhengye… Cc: stable(a)vger.kernel.org Cc: <mhiramat(a)kernel.org> Cc: <mark.rutland(a)arm.com> Cc: <mathieu.desnoyers(a)efficios.com> Fixes: ae6aa16fdc16 ("kprobes: introduce ftrace based optimization") Suggested-by: Steven Rostedt <rostedt(a)goodmis.org> Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c index 5a01d72f66db..2308c0a2fd29 100644 --- a/kernel/trace/ftrace.c +++ b/kernel/trace/ftrace.c @@ -1595,12 +1595,15 @@ static struct dyn_ftrace *lookup_rec(unsigned long start, unsigned long end) unsigned long ftrace_location_range(unsigned long start, unsigned long end) { struct dyn_ftrace *rec; + unsigned long ip = 0; + rcu_read_lock(); rec = lookup_rec(start, end); if (rec) - return rec->ip; + ip = rec->ip; + rcu_read_unlock(); - return 0; + return ip; } /** @@ -1614,25 +1617,22 @@ unsigned long ftrace_location_range(unsigned long start, unsigned long end) */ unsigned long ftrace_location(unsigned long ip) { - struct dyn_ftrace *rec; + unsigned long loc; unsigned long offset; unsigned long size; - rec = lookup_rec(ip, ip); - if (!rec) { + loc = ftrace_location_range(ip, ip); + if (!loc) { if (!kallsyms_lookup_size_offset(ip, &size, &offset)) goto out; /* map sym+0 to __fentry__ */ if (!offset) - rec = lookup_rec(ip, ip + size - 1); + loc = ftrace_location_range(ip, ip + size - 1); } - if (rec) - return rec->ip; - out: - return 0; + return loc; } /** @@ -6591,6 +6591,8 @@ static int ftrace_process_locs(struct module *mod, /* We should have used all pages unless we skipped some */ if (pg_unuse) { WARN_ON(!skipped); + /* Need to synchronize with ftrace_location_range() */ + synchronize_rcu(); ftrace_free_pages(pg_unuse); } return ret; @@ -6804,6 +6806,9 @@ void ftrace_release_mod(struct module *mod) out_unlock: mutex_unlock(&ftrace_lock); + /* Need to synchronize with ftrace_location_range() */ + if (tmp_page) + synchronize_rcu(); for (pg = tmp_page; pg; pg = tmp_page) { /* Needs to be called outside of ftrace_lock */ @@ -7137,6 +7142,7 @@ void ftrace_free_mem(struct module *mod, void *start_ptr, void *end_ptr) unsigned long start = (unsigned long)(start_ptr); unsigned long end = (unsigned long)(end_ptr); struct ftrace_page **last_pg = &ftrace_pages_start; + struct ftrace_page *tmp_page = NULL; struct ftrace_page *pg; struct dyn_ftrace *rec; struct dyn_ftrace key; @@ -7178,12 +7184,8 @@ void ftrace_free_mem(struct module *mod, void *start_ptr, void *end_ptr) ftrace_update_tot_cnt--; if (!pg->index) { *last_pg = pg->next; - if (pg->records) { - free_pages((unsigned long)pg->records, pg->order); - ftrace_number_of_pages -= 1 << pg->order; - } - ftrace_number_of_groups--; - kfree(pg); + pg->next = tmp_page; + tmp_page = pg; pg = container_of(last_pg, struct ftrace_page, next); if (!(*last_pg)) ftrace_pages = pg; @@ -7200,6 +7202,11 @@ void ftrace_free_mem(struct module *mod, void *start_ptr, void *end_ptr) clear_func_from_hashes(func); kfree(func); } + /* Need to synchronize with ftrace_location_range() */ + if (tmp_page) { + synchronize_rcu(); + ftrace_free_pages(tmp_page); + } } void __init ftrace_free_init_mem(void)

4 months, 3 weeks

1
0
0 0

[PATCH 6.8.y] sunrpc: use the struct net as the svc proc private

by cel＠kernel.org

From: Josef Bacik <josef(a)toxicpanda.com> [ Upstream commit 418b9687dece5bd763c09b5c27a801a7e3387be9 ] nfsd is the only thing using this helper, and it doesn't use the private currently. When we switch to per-network namespace stats we will need the struct net * in order to get to the nfsd_net. Use the net as the proc private so we can utilize this when we make the switch over. Signed-off-by: Josef Bacik <josef(a)toxicpanda.com> Reviewed-by: Jeff Layton <jlayton(a)kernel.org> Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> --- net/sunrpc/stats.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) This pre-requisite is needed for upstream commit 4b14885411f7 ("nfsd: make all of the nfsd stats per-network namespace"). diff --git a/net/sunrpc/stats.c b/net/sunrpc/stats.c index 65fc1297c6df..383860cb1d5b 100644 --- a/net/sunrpc/stats.c +++ b/net/sunrpc/stats.c @@ -314,7 +314,7 @@ EXPORT_SYMBOL_GPL(rpc_proc_unregister); struct proc_dir_entry * svc_proc_register(struct net *net, struct svc_stat *statp, const struct proc_ops *proc_ops) { - return do_register(net, statp->program->pg_name, statp, proc_ops); + return do_register(net, statp->program->pg_name, net, proc_ops); } EXPORT_SYMBOL_GPL(svc_proc_register); -- 2.45.1

4 months, 3 weeks

2
1
0 0

x86/tsc: Trust initial offset in architectural TSC-adjust MSRs

by Daniel J Blueman

On present kernels, HPET fallback occurs on some 8-16 socket x86 systems due to the TSC adjust architectural MSR not being respected. This was fixed upstream in commit 455f9075f14484f358b3c1d6845b4a438de198a7. Please backport this fix to -stable for 6.9, 6.8, 6.6, 6.1, 5.15, 5.10, 5.4 and 4.19 branches to allow correct TSC operation on existing distros using these kernels. The patch cleanly applies to all of these latest -stable branches. Many thanks, Daniel -- Daniel J Blueman

4 months, 3 weeks

2
1
0 0

[PATCH v3] kcov, usb: disable interrupts in kcov_remote_start_usb_softirq

by andrey.konovalov＠linux.dev

From: Andrey Konovalov <andreyknvl(a)gmail.com> After commit 8fea0c8fda30 ("usb: core: hcd: Convert from tasklet to BH workqueue"), usb_giveback_urb_bh() runs in the BH workqueue with interrupts enabled. Thus, the remote coverage collection section in usb_giveback_urb_bh()-> __usb_hcd_giveback_urb() might be interrupted, and the interrupt handler might invoke __usb_hcd_giveback_urb() again. This breaks KCOV, as it does not support nested remote coverage collection sections within the same context (neither in task nor in softirq). Update kcov_remote_start/stop_usb_softirq() to disable interrupts for the duration of the coverage collection section to avoid nested sections in the softirq context (in addition to such in the task context, which are already handled). Reported-by: Tetsuo Handa <penguin-kernel(a)i-love.sakura.ne.jp> Closes: https://lore.kernel.org/linux-usb/0f4d1964-7397-485b-bc48-11c01e2fcbca@I-lo… Closes: https://syzkaller.appspot.com/bug?extid=0438378d6f157baae1a2 Suggested-by: Alan Stern <stern(a)rowland.harvard.edu> Fixes: 8fea0c8fda30 ("usb: core: hcd: Convert from tasklet to BH workqueue") Cc: stable(a)vger.kernel.org Acked-by: Dmitry Vyukov <dvyukov(a)google.com> Signed-off-by: Andrey Konovalov <andreyknvl(a)gmail.com> --- Changes v2->v3: - Cc: stable(a)vger.kernel.org. --- drivers/usb/core/hcd.c | 12 ++++++----- include/linux/kcov.h | 47 ++++++++++++++++++++++++++++++++++-------- 2 files changed, 45 insertions(+), 14 deletions(-) diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c index c0e005670d67..fb1aa0d4fc28 100644 --- a/drivers/usb/core/hcd.c +++ b/drivers/usb/core/hcd.c @@ -1623,6 +1623,7 @@ static void __usb_hcd_giveback_urb(struct urb *urb) struct usb_hcd *hcd = bus_to_hcd(urb->dev->bus); struct usb_anchor *anchor = urb->anchor; int status = urb->unlinked; + unsigned long flags; urb->hcpriv = NULL; if (unlikely((urb->transfer_flags & URB_SHORT_NOT_OK) && @@ -1640,13 +1641,14 @@ static void __usb_hcd_giveback_urb(struct urb *urb) /* pass ownership to the completion handler */ urb->status = status; /* - * This function can be called in task context inside another remote - * coverage collection section, but kcov doesn't support that kind of - * recursion yet. Only collect coverage in softirq context for now. + * Only collect coverage in the softirq context and disable interrupts + * to avoid scenarios with nested remote coverage collection sections + * that KCOV does not support. + * See the comment next to kcov_remote_start_usb_softirq() for details. */ - kcov_remote_start_usb_softirq((u64)urb->dev->bus->busnum); + flags = kcov_remote_start_usb_softirq((u64)urb->dev->bus->busnum); urb->complete(urb); - kcov_remote_stop_softirq(); + kcov_remote_stop_softirq(flags); usb_anchor_resume_wakeups(anchor); atomic_dec(&urb->use_count); diff --git a/include/linux/kcov.h b/include/linux/kcov.h index b851ba415e03..1068a7318d89 100644 --- a/include/linux/kcov.h +++ b/include/linux/kcov.h @@ -55,21 +55,47 @@ static inline void kcov_remote_start_usb(u64 id) /* * The softirq flavor of kcov_remote_*() functions is introduced as a temporary - * work around for kcov's lack of nested remote coverage sections support in - * task context. Adding support for nested sections is tracked in: - * https://bugzilla.kernel.org/show_bug.cgi?id=210337 + * workaround for KCOV's lack of nested remote coverage sections support. + * + * Adding support is tracked in https://bugzilla.kernel.org/show_bug.cgi?id=210337. + * + * kcov_remote_start_usb_softirq(): + * + * 1. Only collects coverage when called in the softirq context. This allows + * avoiding nested remote coverage collection sections in the task context. + * For example, USB/IP calls usb_hcd_giveback_urb() in the task context + * within an existing remote coverage collection section. Thus, KCOV should + * not attempt to start collecting coverage within the coverage collection + * section in __usb_hcd_giveback_urb() in this case. + * + * 2. Disables interrupts for the duration of the coverage collection section. + * This allows avoiding nested remote coverage collection sections in the + * softirq context (a softirq might occur during the execution of a work in + * the BH workqueue, which runs with in_serving_softirq() > 0). + * For example, usb_giveback_urb_bh() runs in the BH workqueue with + * interrupts enabled, so __usb_hcd_giveback_urb() might be interrupted in + * the middle of its remote coverage collection section, and the interrupt + * handler might invoke __usb_hcd_giveback_urb() again. */ -static inline void kcov_remote_start_usb_softirq(u64 id) +static inline unsigned long kcov_remote_start_usb_softirq(u64 id) { - if (in_serving_softirq()) + unsigned long flags = 0; + + if (in_serving_softirq()) { + local_irq_save(flags); kcov_remote_start_usb(id); + } + + return flags; } -static inline void kcov_remote_stop_softirq(void) +static inline void kcov_remote_stop_softirq(unsigned long flags) { - if (in_serving_softirq()) + if (in_serving_softirq()) { kcov_remote_stop(); + local_irq_restore(flags); + } } #ifdef CONFIG_64BIT @@ -103,8 +129,11 @@ static inline u64 kcov_common_handle(void) } static inline void kcov_remote_start_common(u64 id) {} static inline void kcov_remote_start_usb(u64 id) {} -static inline void kcov_remote_start_usb_softirq(u64 id) {} -static inline void kcov_remote_stop_softirq(void) {} +static inline unsigned long kcov_remote_start_usb_softirq(u64 id) +{ + return 0; +} +static inline void kcov_remote_stop_softirq(unsigned long flags) {} #endif /* CONFIG_KCOV */ #endif /* _LINUX_KCOV_H */ -- 2.25.1

4 months, 3 weeks

1
0
0 0

Re: [regression] nfsstat/nfsd crash system "general protection fault, probably for non-canonical address ..." after 6.8.9->6.8.10 update

by Linux regression tracking (Thorsten Leemhuis)

[CCing Greg and stable and regressions list] Hi, Thorsten here, the Linux kernel's regression tracker. Top-posting for once, to make this easily accessible to everyone. Please correct me if I'm wrong, but since 6.8.10 we afaics have below regression report about a general protection fault as well as two reports about NFSd related NULL pointer dereferences[1] that got some attention[2]. From a quick look I saw no fixes for those queued for the next 6.8.y release. And the series might be EOL soon. Hmmm. That sounds not really good. Is there some easy way to fix this? Chuck, you earlier mentioned (see quote below) that Greg pulled in three changes as dep into 6.8.10 that might be unneeded. Might reverting all three be the best way forward? Ciao, Thorsten [1] https://lore.kernel.org/all/CAK2bqVJoT3yy2m0OmTnqH9EAKkj6O1iTk42EyyMtvvxKh6… and https://lore.kernel.org/all/A8DQDS.ZXN0FMYZ3DIM1@gmail.com/ [2] https://x.com/spendergrsec/status/1793489498443252143 On 24.05.24 20:21, Chuck Lever III wrote: >> On May 24, 2024, at 4:59 AM, Jaroslav Pulchart <jaroslav.pulchart(a)gooddata.com> wrote: >> >>> >>>> >>>> On Wed, May 22, 2024 at 04:36:57AM -0400, Jaroslav Pulchart wrote: >>>>> Hello, >>>>> >>>>> I would like to report some issue causing a "general protection fault" >>>>> crash (constantly) after we updated the kernel from 6.8.9 to 6.8.10. >>>>> This is triggered when monitoring is using nfsstat on a server where >>>>> nfsd is running. >>>>> >>>>> [ 3049.260633] general protection fault, probably for non-canonical >>>>> address 0x66fb103e19e9cc89: 0000 [#1] PREEMPT SMP NOPTI >>>>> [ 3049.261628] CPU: 22 PID: 74991 Comm: nfsstat Tainted: G >>>>> E 6.8.10-1.gdc.el9.x86_64 #1 >>>>> [ 3049.262336] Hardware name: RDO OpenStack Compute/RHEL, BIOS >>>>> edk2-20240214-2.el9 02/14/2024 >>>>> [ 3049.263003] RIP: 0010:_raw_spin_lock_irqsave+0x19/0x40 >>>>> [ 3049.263487] Code: cc 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 >>>>> 90 0f 1f 44 00 00 41 54 9c 41 5c fa 65 ff 05 a6 92 f5 42 31 c0 ba 01 >>>>> 00 00 00 <f0> 0f b1 17 75 0a 4c 89 e0 41 5c c3 cc cc cc cc 89 c6 e8 d0 >>>>> 07 00 >>>>> [ 3049.264882] RSP: 0018:ffffb1bca6b9bd00 EFLAGS: 00010046 >>>>> [ 3049.265365] RAX: 0000000000000000 RBX: 66fb103e19e9c989 RCX: 0000000000000001 >>>>> [ 3049.265953] RDX: 0000000000000001 RSI: 0000000000000001 RDI: 66fb103e19e9cc89 >>>>> [ 3049.266542] RBP: ffffffffc15df280 R08: 0000000000000001 R09: ffffa049a1785cb8 >>>>> [ 3049.267112] R10: ffffb1bca6b9bd70 R11: ffffa04964e49000 R12: 0000000000000246 >>>>> [ 3049.267702] R13: 66fb103e19e9cc89 R14: ffffa048445590a0 R15: 0000000000000001 >>>>> [ 3049.268278] FS: 00007fa3ddf03740(0000) GS:ffffa05703d00000(0000) >>>>> knlGS:0000000000000000 >>>>> [ 3049.268928] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 >>>>> [ 3049.269443] CR2: 00007fa3dddfca50 CR3: 0000000342d1e004 CR4: 0000000000770ef0 >>>>> [ 3049.270025] PKRU: 55555554 >>>>> [ 3049.270371] Call Trace: >>>>> [ 3049.270723] <TASK> >>>>> [ 3049.271035] ? die_addr+0x33/0x90 >>>>> [ 3049.271423] ? exc_general_protection+0x1ea/0x450 >>>>> [ 3049.271879] ? asm_exc_general_protection+0x22/0x30 >>>>> [ 3049.272344] ? _raw_spin_lock_irqsave+0x19/0x40 >>>>> [ 3049.272803] __percpu_counter_sum+0xd/0x70 >>>>> [ 3049.273219] nfsd_show+0x4f/0x1d0 [nfsd] >>>>> [ 3049.273666] seq_read_iter+0x11d/0x4d0 >>>>> [ 3049.274073] ? avc_has_perm+0x42/0xc0 >>>>> [ 3049.274489] seq_read+0xfe/0x140 >>>>> [ 3049.274866] proc_reg_read+0x56/0xa0 >>>>> [ 3049.275257] vfs_read+0xa7/0x340 >>>>> [ 3049.275647] ? __do_sys_newfstat+0x57/0x60 >>>>> [ 3049.276059] ksys_read+0x5f/0xe0 >>>>> [ 3049.276439] do_syscall_64+0x5e/0x170 >>>>> [ 3049.276836] entry_SYSCALL_64_after_hwframe+0x78/0x80 >>>>> [ 3049.277296] RIP: 0033:0x7fa3ddcfd9b2 >>>>> [ 3049.277719] Code: c0 e9 b2 fe ff ff 50 48 8d 3d ea 1d 0c 00 e8 c5 >>>>> fd 01 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 >>>>> 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 >>>>> 54 24 >>>>> [ 3049.279139] RSP: 002b:00007ffd930672e8 EFLAGS: 00000246 ORIG_RAX: >>>>> 0000000000000000 >>>>> [ 3049.279788] RAX: ffffffffffffffda RBX: 0000555ded47c2a0 RCX: 00007fa3ddcfd9b2 >>>>> [ 3049.280402] RDX: 0000000000000400 RSI: 0000555ded47c480 RDI: 0000000000000003 >>>>> [ 3049.281046] RBP: 00007fa3dddf75e0 R08: 0000000000000003 R09: 0000000000000077 >>>>> [ 3049.281673] R10: 000000000000005d R11: 0000000000000246 R12: 0000555ded47c2a0 >>>>> [ 3049.282307] R13: 0000000000000d68 R14: 00007fa3dddf69e0 R15: 0000000000000d68 >>>>> [ 3049.282928] </TASK> >>>>> [ 3049.283310] Modules linked in: mptcp_diag(E) xsk_diag(E) >>>>> raw_diag(E) unix_diag(E) af_packet_diag(E) netlink_diag(E) udp_diag(E) >>>>> tcp_diag(E) inet_diag(E) tun(E) br_netfilter(E) bridge(E) stp(E) >>>>> llc(E) nfsd(E) auth_rpcgss(E) nfs_acl(E) lockd(E) grace(E) sunrpc(E) >>>>> nf_conntrack(E) nf_defrag_ipv6(E) nf_defrag_ipv4(E) binfmt_misc(E) >>>>> zram(E) tls(E) isofs(E) vfat(E) fat(E) intel_rapl_msr(E) >>>>> intel_rapl_common(E) kvm_amd(E) ccp(E) kvm(E) irqbypass(E) >>>>> virtio_net(E) i2c_i801(E) virtio_gpu(E) i2c_smbus(E) net_failover(E) >>>>> virtio_balloon(E) failover(E) virtio_dma_buf(E) fuse(E) ext4(E) >>>>> mbcache(E) jbd2(E) sr_mod(E) cdrom(E) sg(E) ahci(E) libahci(E) >>>>> crct10dif_pclmul(E) crc32_pclmul(Ea) polyval_clmulni(E) >>>>> polyval_generic(E) libata(E) ghash_clmulni_intel(E) sha512_ssse3(E) >>>>> virtio_blk(E) serio_raw(E) btrfs(E) xor(E) zstd_compress(E) >>>>> raid6_pq(E) libcrc32c(E) crc32c_intel(E) dm_mirror(E) >>>>> dm_region_hash(E) dm_log(E) dm_mod(E) >>>>> [ 3049.283345] Unloaded tainted modules: edac_mce_amd(E):1 padlock_aes(E) >>>>> >>>>> Any suggestion on how to fix it is appreciated. >>>> >>>> Bisect between v6.8.9 and v6.8.10 would give us the exact point >>>> where the failures were introduced. >>>> >>>> I see that GregKH pulled in: >>>> >>>> 26a0ddb04230 ("nfsd: rename NFSD_NET_* to NFSD_STATS_*") >>>> b7b05f98f3f0 ("nfsd: expose /proc/net/sunrpc/nfsd in net namespaces") >>>> abf5fb593c90 ("nfsd: make all of the nfsd stats per-network namespace") >>>> >>>> for v6.8.10 as a Stable-Dep-of: 18180a4550d0 ("NFSD: Fix nfsd4_encode_fattr4() crasher") >>>> >>>> Which is a little baffling, I don't see how those two change sets >>>> are mechanically related to each other. But I suspect the culprit is >>>> one of those three stat-related patches. >>>> >>>> >>>> -- >>>> Chuck Lever >>> >>> >>> Hello, >>> >>> I run bisecting. It was easy to reproduce, simple execution of >>> "nfsstat" from terminal stuck the server: >>> >>> abf5fb593c90d3ab55d6cf1dea7bec8ee0bf3566 is the first bad commit >>> >>> >>> $ git bisect bad >>> abf5fb593c90d3ab55d6cf1dea7bec8ee0bf3566 is the first bad commit >>> commit abf5fb593c90d3ab55d6cf1dea7bec8ee0bf3566 (HEAD) >>> Author: Josef Bacik <josef(a)toxicpanda.com> >>> Date: Fri Jan 26 10:39:47 2024 -0500 >>> >>> nfsd: make all of the nfsd stats per-network namespace >>> >>> [ Upstream commit 4b14885411f74b2b0ce0eb2b39d0fffe54e5ca0d ] >>> >>> We have a global set of counters that we modify for all of the nfsd >>> operations, but now that we're exposing these stats across all network >>> namespaces we need to make the stats also be per-network namespace. We >>> already have some caching stats that are per-network namespace, so move >>> these definitions into the same counter and then adjust all the helpers >>> and users of these stats to provide the appropriate nfsd_net struct so >>> that the stats are maintained for the per-network namespace objects. >>> >>> Signed-off-by: Josef Bacik <josef(a)toxicpanda.com> >>> Reviewed-by: Jeff Layton <jlayton(a)kernel.org> >>> Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> >>> Stable-dep-of: 18180a4550d0 ("NFSD: Fix nfsd4_encode_fattr4() crasher") >>> Signed-off-by: Sasha Levin <sashal(a)kernel.org> >>> >>> fs/nfsd/cache.h | 2 -- >>> fs/nfsd/netns.h | 17 +++++++++++++++-- >>> fs/nfsd/nfs4proc.c | 6 +++--- >>> fs/nfsd/nfs4state.c | 3 ++- >>> fs/nfsd/nfscache.c | 36 +++++++----------------------------- >>> fs/nfsd/nfsctl.c | 12 +++--------- >>> fs/nfsd/nfsfh.c | 3 ++- >>> fs/nfsd/stats.c | 26 ++++++++++++++------------ >>> fs/nfsd/stats.h | 54 +++++++++++++++++++----------------------------------- >>> fs/nfsd/vfs.c | 6 ++++-- >>> 10 files changed, 69 insertions(+), 96 deletions(-) >>> >>> $ git bisect log >>> git bisect start >>> # status: waiting for both good and bad commits >>> # good: [f3d61438b613b87afb63118bea6fb18c50ba7a6b] Linux 6.8.9 >>> git bisect good f3d61438b613b87afb63118bea6fb18c50ba7a6b >>> # status: waiting for bad commit, 1 good commit known >>> # bad: [a0c69a570e420e86c7569b8c052913213eef2b45] Linux 6.8.10 >>> git bisect bad a0c69a570e420e86c7569b8c052913213eef2b45 >>> # bad: [4aaed9dbe8acd2b6114458f0498a617283d6275b] hv_netvsc: Don't >>> free decrypted memory >>> git bisect bad 4aaed9dbe8acd2b6114458f0498a617283d6275b >>> # bad: [ee190d04c2f99c8e557b00e997621c04592baed1] net: gro: add flush >>> check in udp_gro_receive_segment >>> git bisect bad ee190d04c2f99c8e557b00e997621c04592baed1 >>> # bad: [781e34b736014188ba9e46a71535237313dcda81] efi/unaccepted: >>> touch soft lockup during memory accept >>> git bisect bad 781e34b736014188ba9e46a71535237313dcda81 >>> # bad: [6a7b07689af6e4e023404bf69b1230f43b2a15bc] NFSD: Fix >>> nfsd4_encode_fattr4() crasher >>> git bisect bad 6a7b07689af6e4e023404bf69b1230f43b2a15bc >>> # good: [e05194baae299f2148ab5f6bab659c6ce8d1f6d3] nfs: expose >>> /proc/net/sunrpc/nfs in net namespaces >>> git bisect good e05194baae299f2148ab5f6bab659c6ce8d1f6d3 >>> # good: [946ab150335d92f852288c1c6b0f0466b5d6e97f] power: supply: >>> mt6360_charger: Fix of_match for usb-otg-vbus regulator >>> git bisect good 946ab150335d92f852288c1c6b0f0466b5d6e97f >>> # good: [b7b05f98f3f06fea3986b46e5c7fe2928676b02d] nfsd: expose >>> /proc/net/sunrpc/nfsd in net namespaces >>> git bisect good b7b05f98f3f06fea3986b46e5c7fe2928676b02d >>> # bad: [0e8003af77879572dbc1df56860cbe2bfa8498f0] NFSD: add support >>> for CB_GETATTR callback >>> git bisect bad 0e8003af77879572dbc1df56860cbe2bfa8498f0 >>> # bad: [abf5fb593c90d3ab55d6cf1dea7bec8ee0bf3566] nfsd: make all of >>> the nfsd stats per-network namespace >>> git bisect bad abf5fb593c90d3ab55d6cf1dea7bec8ee0bf3566 >>> # first bad commit: [abf5fb593c90d3ab55d6cf1dea7bec8ee0bf3566] nfsd: >>> make all of the nfsd stats per-network namespace >> >> I built a full 6.8.10 with reverted single commit >> "abf5fb593c90d3ab55d6cf1dea7bec8ee0bf3566". The server does not get >> stuck when calling "nfsstat". > > Good to know, but I don't think it's entirely safe to revert > only that patch -- all three would have to come off. > > I can't seem to get nfsstat to trigger a problem on my > server. > > > -- > Chuck Lever > >

4 months, 3 weeks

2
2
0 0

[PATCH 1/1] Bluetooth: hci_bcm4377: Convert PCIBIOS_* return codes to errnos

by Ilpo Järvinen

bcm4377_init_cfg() uses pci_{read,write}_config_dword() that return PCIBIOS_* codes. The return codes are returned into the calling bcm4377_probe() which directly returns the error which is of incorrect type (a probe should return normal errnos). Convert PCIBIOS_* returns code using pcibios_err_to_errno() into normal errno before returning it from bcm4377_init_cfg. This conversion is the easiest by adding a label next to return and doing the conversion there once rather than adding pcibios_err_to_errno() into every single return statement. Fixes: 8a06127602de ("Bluetooth: hci_bcm4377: Add new driver for BCM4377 PCIe boards") Cc: stable(a)vger.kernel.org Signed-off-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> --- drivers/bluetooth/hci_bcm4377.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/drivers/bluetooth/hci_bcm4377.c b/drivers/bluetooth/hci_bcm4377.c index 0c2f15235b4c..b00240109dc3 100644 --- a/drivers/bluetooth/hci_bcm4377.c +++ b/drivers/bluetooth/hci_bcm4377.c @@ -2134,44 +2134,46 @@ static int bcm4377_init_cfg(struct bcm4377_data *bcm4377) BCM4377_PCIECFG_BAR0_WINDOW1, bcm4377->hw->bar0_window1); if (ret) - return ret; + goto fail; ret = pci_write_config_dword(bcm4377->pdev, BCM4377_PCIECFG_BAR0_WINDOW2, bcm4377->hw->bar0_window2); if (ret) - return ret; + goto fail; ret = pci_write_config_dword( bcm4377->pdev, BCM4377_PCIECFG_BAR0_CORE2_WINDOW1, BCM4377_PCIECFG_BAR0_CORE2_WINDOW1_DEFAULT); if (ret) - return ret; + goto fail; if (bcm4377->hw->has_bar0_core2_window2) { ret = pci_write_config_dword(bcm4377->pdev, BCM4377_PCIECFG_BAR0_CORE2_WINDOW2, bcm4377->hw->bar0_core2_window2); if (ret) - return ret; + goto fail; } ret = pci_write_config_dword(bcm4377->pdev, BCM4377_PCIECFG_BAR2_WINDOW, BCM4377_PCIECFG_BAR2_WINDOW_DEFAULT); if (ret) - return ret; + goto fail; ret = pci_read_config_dword(bcm4377->pdev, BCM4377_PCIECFG_SUBSYSTEM_CTRL, &ctrl); if (ret) - return ret; + goto fail; if (bcm4377->hw->clear_pciecfg_subsystem_ctrl_bit19) ctrl &= ~BIT(19); ctrl |= BIT(16); - return pci_write_config_dword(bcm4377->pdev, - BCM4377_PCIECFG_SUBSYSTEM_CTRL, ctrl); + ret = pci_write_config_dword(bcm4377->pdev, + BCM4377_PCIECFG_SUBSYSTEM_CTRL, ctrl); +fail: + return pcibios_err_to_errno(ret); } static int bcm4377_probe_dmi(struct bcm4377_data *bcm4377) -- 2.39.2

4 months, 3 weeks

2
1
0 0

[PATCH AUTOSEL 4.19 1/2] powerpc/pseries: Enforce hcall result buffer validity and size

by Sasha Levin

From: Nathan Lynch <nathanl(a)linux.ibm.com> [ Upstream commit ff2e185cf73df480ec69675936c4ee75a445c3e4 ] plpar_hcall(), plpar_hcall9(), and related functions expect callers to provide valid result buffers of certain minimum size. Currently this is communicated only through comments in the code and the compiler has no idea. For example, if I write a bug like this: long retbuf[PLPAR_HCALL_BUFSIZE]; // should be PLPAR_HCALL9_BUFSIZE plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf, ...); This compiles with no diagnostics emitted, but likely results in stack corruption at runtime when plpar_hcall9() stores results past the end of the array. (To be clear this is a contrived example and I have not found a real instance yet.) To make this class of error less likely, we can use explicitly-sized array parameters instead of pointers in the declarations for the hcall APIs. When compiled with -Warray-bounds[1], the code above now provokes a diagnostic like this: error: array argument is too small; is of size 32, callee requires at least 72 [-Werror,-Warray-bounds] 60 | plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf, | ^ ~~~~~~ [1] Enabled for LLVM builds but not GCC for now. See commit 0da6e5fd6c37 ("gcc: disable '-Warray-bounds' for gcc-13 too") and related changes. Signed-off-by: Nathan Lynch <nathanl(a)linux.ibm.com> Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au> Link: https://msgid.link/20240408-pseries-hvcall-retbuf-v1-1-ebc73d7253cf@linux.i… Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- arch/powerpc/include/asm/hvcall.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/arch/powerpc/include/asm/hvcall.h b/arch/powerpc/include/asm/hvcall.h index a0b17f9f1ea4e..8347f57e1c6a3 100644 --- a/arch/powerpc/include/asm/hvcall.h +++ b/arch/powerpc/include/asm/hvcall.h @@ -383,7 +383,7 @@ long plpar_hcall_norets(unsigned long opcode, ...); * Used for all but the craziest of phyp interfaces (see plpar_hcall9) */ #define PLPAR_HCALL_BUFSIZE 4 -long plpar_hcall(unsigned long opcode, unsigned long *retbuf, ...); +long plpar_hcall(unsigned long opcode, unsigned long retbuf[static PLPAR_HCALL_BUFSIZE], ...); /** * plpar_hcall_raw: - Make a hypervisor call without calculating hcall stats @@ -397,7 +397,7 @@ long plpar_hcall(unsigned long opcode, unsigned long *retbuf, ...); * plpar_hcall, but plpar_hcall_raw works in real mode and does not * calculate hypervisor call statistics. */ -long plpar_hcall_raw(unsigned long opcode, unsigned long *retbuf, ...); +long plpar_hcall_raw(unsigned long opcode, unsigned long retbuf[static PLPAR_HCALL_BUFSIZE], ...); /** * plpar_hcall9: - Make a pseries hypervisor call with up to 9 return arguments @@ -408,8 +408,8 @@ long plpar_hcall_raw(unsigned long opcode, unsigned long *retbuf, ...); * PLPAR_HCALL9_BUFSIZE to size the return argument buffer. */ #define PLPAR_HCALL9_BUFSIZE 9 -long plpar_hcall9(unsigned long opcode, unsigned long *retbuf, ...); -long plpar_hcall9_raw(unsigned long opcode, unsigned long *retbuf, ...); +long plpar_hcall9(unsigned long opcode, unsigned long retbuf[static PLPAR_HCALL9_BUFSIZE], ...); +long plpar_hcall9_raw(unsigned long opcode, unsigned long retbuf[static PLPAR_HCALL9_BUFSIZE], ...); struct hvcall_mpp_data { unsigned long entitled_mem; -- 2.43.0

4 months, 3 weeks

1
1
0 0

[PATCH AUTOSEL 5.4 1/3] media: lgdt3306a: Add a check against null-pointer-def

by Sasha Levin

From: Zheyu Ma <zheyuma97(a)gmail.com> [ Upstream commit c1115ddbda9c930fba0fdd062e7a8873ebaf898d ] The driver should check whether the client provides the platform_data. The following log reveals it: [ 29.610324] BUG: KASAN: null-ptr-deref in kmemdup+0x30/0x40 [ 29.610730] Read of size 40 at addr 0000000000000000 by task bash/414 [ 29.612820] Call Trace: [ 29.613030] <TASK> [ 29.613201] dump_stack_lvl+0x56/0x6f [ 29.613496] ? kmemdup+0x30/0x40 [ 29.613754] print_report.cold+0x494/0x6b7 [ 29.614082] ? kmemdup+0x30/0x40 [ 29.614340] kasan_report+0x8a/0x190 [ 29.614628] ? kmemdup+0x30/0x40 [ 29.614888] kasan_check_range+0x14d/0x1d0 [ 29.615213] memcpy+0x20/0x60 [ 29.615454] kmemdup+0x30/0x40 [ 29.615700] lgdt3306a_probe+0x52/0x310 [ 29.616339] i2c_device_probe+0x951/0xa90 Link: https://lore.kernel.org/linux-media/20220405095018.3993578-1-zheyuma97@gmai… Signed-off-by: Zheyu Ma <zheyuma97(a)gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/media/dvb-frontends/lgdt3306a.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/media/dvb-frontends/lgdt3306a.c b/drivers/media/dvb-frontends/lgdt3306a.c index 0e7d97e7b0f50..a4d881c721b82 100644 --- a/drivers/media/dvb-frontends/lgdt3306a.c +++ b/drivers/media/dvb-frontends/lgdt3306a.c @@ -2199,6 +2199,11 @@ static int lgdt3306a_probe(struct i2c_client *client, struct dvb_frontend *fe; int ret; + if (!client->dev.platform_data) { + dev_err(&client->dev, "platform data is mandatory\n"); + return -EINVAL; + } + config = kmemdup(client->dev.platform_data, sizeof(struct lgdt3306a_config), GFP_KERNEL); if (config == NULL) { -- 2.43.0

4 months, 3 weeks

1
2
0 0

[PATCH AUTOSEL 5.15 1/6] drm/amd/display: Exit idle optimizations before HDCP execution

by Sasha Levin

From: Nicholas Kazlauskas <nicholas.kazlauskas(a)amd.com> [ Upstream commit f30a3bea92bdab398531129d187629fb1d28f598 ] [WHY] PSP can access DCN registers during command submission and we need to ensure that DCN is not in PG before doing so. [HOW] Add a callback to DM to lock and notify DC for idle optimization exit. It can't be DC directly because of a potential race condition with the link protection thread and the rest of DM operation. Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Reviewed-by: Charlene Liu <charlene.liu(a)amd.com> Acked-by: Alex Hung <alex.hung(a)amd.com> Signed-off-by: Nicholas Kazlauskas <nicholas.kazlauskas(a)amd.com> Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c | 10 ++++++++++ drivers/gpu/drm/amd/display/modules/inc/mod_hdcp.h | 8 ++++++++ 2 files changed, 18 insertions(+) diff --git a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c index 3e81850a7ffe3..47bb973669d85 100644 --- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c +++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c @@ -88,6 +88,14 @@ static uint8_t is_cp_desired_hdcp2(struct mod_hdcp *hdcp) !hdcp->connection.is_hdcp2_revoked; } +static void exit_idle_optimizations(struct mod_hdcp *hdcp) +{ + struct mod_hdcp_dm *dm = &hdcp->config.dm; + + if (dm->funcs.exit_idle_optimizations) + dm->funcs.exit_idle_optimizations(dm->handle); +} + static enum mod_hdcp_status execution(struct mod_hdcp *hdcp, struct mod_hdcp_event_context *event_ctx, union mod_hdcp_transition_input *input) @@ -507,6 +515,8 @@ enum mod_hdcp_status mod_hdcp_process_event(struct mod_hdcp *hdcp, memset(&event_ctx, 0, sizeof(struct mod_hdcp_event_context)); event_ctx.event = event; + exit_idle_optimizations(hdcp); + /* execute and transition */ exec_status = execution(hdcp, &event_ctx, &hdcp->auth.trans_input); trans_status = transition( diff --git a/drivers/gpu/drm/amd/display/modules/inc/mod_hdcp.h b/drivers/gpu/drm/amd/display/modules/inc/mod_hdcp.h index f37101f5a7777..8a620c34396c7 100644 --- a/drivers/gpu/drm/amd/display/modules/inc/mod_hdcp.h +++ b/drivers/gpu/drm/amd/display/modules/inc/mod_hdcp.h @@ -154,6 +154,13 @@ struct mod_hdcp_ddc { } funcs; }; +struct mod_hdcp_dm { + void *handle; + struct { + void (*exit_idle_optimizations)(void *handle); + } funcs; +}; + struct mod_hdcp_psp { void *handle; void *funcs; @@ -269,6 +276,7 @@ struct mod_hdcp_display_query { struct mod_hdcp_config { struct mod_hdcp_psp psp; struct mod_hdcp_ddc ddc; + struct mod_hdcp_dm dm; uint8_t index; }; -- 2.43.0

4 months, 3 weeks

1
5
0 0

[PATCH AUTOSEL 6.1 01/11] drm/amd/display: Exit idle optimizations before HDCP execution

by Sasha Levin

From: Nicholas Kazlauskas <nicholas.kazlauskas(a)amd.com> [ Upstream commit f30a3bea92bdab398531129d187629fb1d28f598 ] [WHY] PSP can access DCN registers during command submission and we need to ensure that DCN is not in PG before doing so. [HOW] Add a callback to DM to lock and notify DC for idle optimization exit. It can't be DC directly because of a potential race condition with the link protection thread and the rest of DM operation. Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Reviewed-by: Charlene Liu <charlene.liu(a)amd.com> Acked-by: Alex Hung <alex.hung(a)amd.com> Signed-off-by: Nicholas Kazlauskas <nicholas.kazlauskas(a)amd.com> Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c | 10 ++++++++++ drivers/gpu/drm/amd/display/modules/inc/mod_hdcp.h | 8 ++++++++ 2 files changed, 18 insertions(+) diff --git a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c index 5e01c6e24cbc8..9a5a1726acaf8 100644 --- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c +++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c @@ -88,6 +88,14 @@ static uint8_t is_cp_desired_hdcp2(struct mod_hdcp *hdcp) !hdcp->connection.is_hdcp2_revoked; } +static void exit_idle_optimizations(struct mod_hdcp *hdcp) +{ + struct mod_hdcp_dm *dm = &hdcp->config.dm; + + if (dm->funcs.exit_idle_optimizations) + dm->funcs.exit_idle_optimizations(dm->handle); +} + static enum mod_hdcp_status execution(struct mod_hdcp *hdcp, struct mod_hdcp_event_context *event_ctx, union mod_hdcp_transition_input *input) @@ -543,6 +551,8 @@ enum mod_hdcp_status mod_hdcp_process_event(struct mod_hdcp *hdcp, memset(&event_ctx, 0, sizeof(struct mod_hdcp_event_context)); event_ctx.event = event; + exit_idle_optimizations(hdcp); + /* execute and transition */ exec_status = execution(hdcp, &event_ctx, &hdcp->auth.trans_input); trans_status = transition( diff --git a/drivers/gpu/drm/amd/display/modules/inc/mod_hdcp.h b/drivers/gpu/drm/amd/display/modules/inc/mod_hdcp.h index 3348bb97ef81a..dfa8168e51890 100644 --- a/drivers/gpu/drm/amd/display/modules/inc/mod_hdcp.h +++ b/drivers/gpu/drm/amd/display/modules/inc/mod_hdcp.h @@ -155,6 +155,13 @@ struct mod_hdcp_ddc { } funcs; }; +struct mod_hdcp_dm { + void *handle; + struct { + void (*exit_idle_optimizations)(void *handle); + } funcs; +}; + struct mod_hdcp_psp { void *handle; void *funcs; @@ -271,6 +278,7 @@ struct mod_hdcp_display_query { struct mod_hdcp_config { struct mod_hdcp_psp psp; struct mod_hdcp_ddc ddc; + struct mod_hdcp_dm dm; uint8_t index; }; -- 2.43.0

4 months, 3 weeks

1
10
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror May 2024