June 2024 - Linux-stable-mirror

[PATCH] net: usb: ax88179_178a: fix link status when link is set to down/up

by Jose Ignacio Tornos Martinez

The idea was to keep only one reset at initialization stage in order to reduce the total delay, or the reset from usbnet_probe or the reset from usbnet_open. I have seen that restarting from usbnet_probe is necessary to avoid doing too complex things. But when the link is set to down/up (for example to configure a different mac address) the link is not correctly recovered unless a reset is commanded from usbnet_open. So, detect the initialization stage (first call) to not reset from usbnet_open after the reset from usbnet_probe and after this stage, always reset from usbnet_open too (when the link needs to be rechecked). Apply to all the possible devices, the behavior now is going to be the same. cc: stable(a)vger.kernel.org # 6.6+ Fixes: 56f78615bcb1 ("net: usb: ax88179_178a: avoid writing the mac address before first reading") Reported-by: Isaac Ganoung <inventor500(a)vivaldi.net> Reported-by: Yongqin Liu <yongqin.liu(a)linaro.org> Signed-off-by: Jose Ignacio Tornos Martinez <jtornosm(a)redhat.com> --- drivers/net/usb/ax88179_178a.c | 37 ++++++++++++++++++++++++---------- 1 file changed, 26 insertions(+), 11 deletions(-) diff --git a/drivers/net/usb/ax88179_178a.c b/drivers/net/usb/ax88179_178a.c index 377be0d9ef14..a0edb410f746 100644 --- a/drivers/net/usb/ax88179_178a.c +++ b/drivers/net/usb/ax88179_178a.c @@ -174,6 +174,7 @@ struct ax88179_data { u32 wol_supported; u32 wolopts; u8 disconnecting; + u8 initialized; }; struct ax88179_int_data { @@ -1672,6 +1673,18 @@ static int ax88179_reset(struct usbnet *dev) return 0; } +static int ax88179_net_reset(struct usbnet *dev) +{ + struct ax88179_data *ax179_data = dev->driver_priv; + + if (ax179_data->initialized) + ax88179_reset(dev); + else + ax179_data->initialized = 1; + + return 0; +} + static int ax88179_stop(struct usbnet *dev) { u16 tmp16; @@ -1691,6 +1704,7 @@ static const struct driver_info ax88179_info = { .unbind = ax88179_unbind, .status = ax88179_status, .link_reset = ax88179_link_reset, + .reset = ax88179_net_reset, .stop = ax88179_stop, .flags = FLAG_ETHER | FLAG_FRAMING_AX, .rx_fixup = ax88179_rx_fixup, @@ -1703,6 +1717,7 @@ static const struct driver_info ax88178a_info = { .unbind = ax88179_unbind, .status = ax88179_status, .link_reset = ax88179_link_reset, + .reset = ax88179_net_reset, .stop = ax88179_stop, .flags = FLAG_ETHER | FLAG_FRAMING_AX, .rx_fixup = ax88179_rx_fixup, @@ -1715,7 +1730,7 @@ static const struct driver_info cypress_GX3_info = { .unbind = ax88179_unbind, .status = ax88179_status, .link_reset = ax88179_link_reset, - .reset = ax88179_reset, + .reset = ax88179_net_reset, .stop = ax88179_stop, .flags = FLAG_ETHER | FLAG_FRAMING_AX, .rx_fixup = ax88179_rx_fixup, @@ -1728,7 +1743,7 @@ static const struct driver_info dlink_dub1312_info = { .unbind = ax88179_unbind, .status = ax88179_status, .link_reset = ax88179_link_reset, - .reset = ax88179_reset, + .reset = ax88179_net_reset, .stop = ax88179_stop, .flags = FLAG_ETHER | FLAG_FRAMING_AX, .rx_fixup = ax88179_rx_fixup, @@ -1741,7 +1756,7 @@ static const struct driver_info sitecom_info = { .unbind = ax88179_unbind, .status = ax88179_status, .link_reset = ax88179_link_reset, - .reset = ax88179_reset, + .reset = ax88179_net_reset, .stop = ax88179_stop, .flags = FLAG_ETHER | FLAG_FRAMING_AX, .rx_fixup = ax88179_rx_fixup, @@ -1754,7 +1769,7 @@ static const struct driver_info samsung_info = { .unbind = ax88179_unbind, .status = ax88179_status, .link_reset = ax88179_link_reset, - .reset = ax88179_reset, + .reset = ax88179_net_reset, .stop = ax88179_stop, .flags = FLAG_ETHER | FLAG_FRAMING_AX, .rx_fixup = ax88179_rx_fixup, @@ -1767,7 +1782,7 @@ static const struct driver_info lenovo_info = { .unbind = ax88179_unbind, .status = ax88179_status, .link_reset = ax88179_link_reset, - .reset = ax88179_reset, + .reset = ax88179_net_reset, .stop = ax88179_stop, .flags = FLAG_ETHER | FLAG_FRAMING_AX, .rx_fixup = ax88179_rx_fixup, @@ -1780,7 +1795,7 @@ static const struct driver_info belkin_info = { .unbind = ax88179_unbind, .status = ax88179_status, .link_reset = ax88179_link_reset, - .reset = ax88179_reset, + .reset = ax88179_net_reset, .stop = ax88179_stop, .flags = FLAG_ETHER | FLAG_FRAMING_AX, .rx_fixup = ax88179_rx_fixup, @@ -1793,7 +1808,7 @@ static const struct driver_info toshiba_info = { .unbind = ax88179_unbind, .status = ax88179_status, .link_reset = ax88179_link_reset, - .reset = ax88179_reset, + .reset = ax88179_net_reset, .stop = ax88179_stop, .flags = FLAG_ETHER | FLAG_FRAMING_AX, .rx_fixup = ax88179_rx_fixup, @@ -1806,7 +1821,7 @@ static const struct driver_info mct_info = { .unbind = ax88179_unbind, .status = ax88179_status, .link_reset = ax88179_link_reset, - .reset = ax88179_reset, + .reset = ax88179_net_reset, .stop = ax88179_stop, .flags = FLAG_ETHER | FLAG_FRAMING_AX, .rx_fixup = ax88179_rx_fixup, @@ -1819,7 +1834,7 @@ static const struct driver_info at_umc2000_info = { .unbind = ax88179_unbind, .status = ax88179_status, .link_reset = ax88179_link_reset, - .reset = ax88179_reset, + .reset = ax88179_net_reset, .stop = ax88179_stop, .flags = FLAG_ETHER | FLAG_FRAMING_AX, .rx_fixup = ax88179_rx_fixup, @@ -1832,7 +1847,7 @@ static const struct driver_info at_umc200_info = { .unbind = ax88179_unbind, .status = ax88179_status, .link_reset = ax88179_link_reset, - .reset = ax88179_reset, + .reset = ax88179_net_reset, .stop = ax88179_stop, .flags = FLAG_ETHER | FLAG_FRAMING_AX, .rx_fixup = ax88179_rx_fixup, @@ -1845,7 +1860,7 @@ static const struct driver_info at_umc2000sp_info = { .unbind = ax88179_unbind, .status = ax88179_status, .link_reset = ax88179_link_reset, - .reset = ax88179_reset, + .reset = ax88179_net_reset, .stop = ax88179_stop, .flags = FLAG_ETHER | FLAG_FRAMING_AX, .rx_fixup = ax88179_rx_fixup, -- 2.44.0

1 year

4
12
0 0

[PATCH 6.6] backport: fix 6.6 backport of changes to fork

by Leah Rumancik

The original backport didn't move the code to link the vma into the MT and also the code to increment the map_count causing ~15 xfstests (including ext4/303 generic/051 generic/054 generic/069) to hard fail on some platforms. This patch resolves test failures. Fixes: cec11fa2eb51 ("fork: defer linking file vma until vma is fully initialized") Signed-off-by: Leah Rumancik <leah.rumancik(a)gmail.com> --- kernel/fork.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/kernel/fork.c b/kernel/fork.c index 2eab916b504b..3bf0203c2195 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -733,6 +733,12 @@ static __latent_entropy int dup_mmap(struct mm_struct *mm, if (is_vm_hugetlb_page(tmp)) hugetlb_dup_vma_private(tmp); + /* Link the vma into the MT */ + if (vma_iter_bulk_store(&vmi, tmp)) + goto fail_nomem_vmi_store; + + mm->map_count++; + if (tmp->vm_ops && tmp->vm_ops->open) tmp->vm_ops->open(tmp); @@ -752,11 +758,6 @@ static __latent_entropy int dup_mmap(struct mm_struct *mm, i_mmap_unlock_write(mapping); } - /* Link the vma into the MT */ - if (vma_iter_bulk_store(&vmi, tmp)) - goto fail_nomem_vmi_store; - - mm->map_count++; if (!(tmp->vm_flags & VM_WIPEONFORK)) retval = copy_page_range(tmp, mpnt); -- 2.45.1.288.g0e0cd299f1-goog

1 year

3
6
0 0

[PATCH v2] kcov: don't lose track of remote references during softirqs

by Aleksandr Nogikh

In kcov_remote_start()/kcov_remote_stop(), we swap the previous KCOV metadata of the current task into a per-CPU variable. However, the kcov_mode_enabled(mode) check is not sufficient in the case of remote KCOV coverage: current->kcov_mode always remains KCOV_MODE_DISABLED for remote KCOV objects. If the original task that has invoked the KCOV_REMOTE_ENABLE ioctl happens to get interrupted and kcov_remote_start() is called, it ultimately leads to kcov_remote_stop() NOT restoring the original KCOV reference. So when the task exits, all registered remote KCOV handles remain active forever. Fix it by introducing a special kcov_mode that is assigned to the task that owns a KCOV remote object. It makes kcov_mode_enabled() return true and yet does not trigger coverage collection in __sanitizer_cov_trace_pc() and write_comp_data(). Cc: stable(a)vger.kernel.org Signed-off-by: Aleksandr Nogikh <nogikh(a)google.com> Reviewed-by: Dmitry Vyukov <dvyukov(a)google.com> Reviewed-by: Andrey Konovalov <andreyknvl(a)gmail.com> Tested-by: Andrey Konovalov <andreyknvl(a)gmail.com> Fixes: 5ff3b30ab57d ("kcov: collect coverage from interrupts") --- Changes v1 -> v2: * Replaced WRITE_ONCE() with an ordinary assignment. * Added stable(a)vger.kernel.org to the Cc list. --- include/linux/kcov.h | 2 ++ kernel/kcov.c | 1 + 2 files changed, 3 insertions(+) diff --git a/include/linux/kcov.h b/include/linux/kcov.h index b851ba415e03..3b479a3d235a 100644 --- a/include/linux/kcov.h +++ b/include/linux/kcov.h @@ -21,6 +21,8 @@ enum kcov_mode { KCOV_MODE_TRACE_PC = 2, /* Collecting comparison operands mode. */ KCOV_MODE_TRACE_CMP = 3, + /* The process owns a KCOV remote reference. */ + KCOV_MODE_REMOTE = 4, }; #define KCOV_IN_CTXSW (1 << 30) diff --git a/kernel/kcov.c b/kernel/kcov.c index c3124f6d5536..f0a69d402066 100644 --- a/kernel/kcov.c +++ b/kernel/kcov.c @@ -632,6 +632,7 @@ static int kcov_ioctl_locked(struct kcov *kcov, unsigned int cmd, return -EINVAL; kcov->mode = mode; t->kcov = kcov; + t->kcov_mode = KCOV_MODE_REMOTE; kcov->t = t; kcov->remote = true; kcov->remote_size = remote_arg->area_size; -- 2.45.2.627.g7a2c4fd464-goog

1 year

1
0
0 0

[GIT PULL] memblock:fix validation of NUMA coverage

by Mike Rapoport

Hi Linus, The following changes since commit 1613e604df0cd359cf2a7fbd9be7a0bcfacfabd0: Linux 6.10-rc1 (2024-05-26 15:20:12 -0700) are available in the Git repository at: https://git.kernel.org/pub/scm/linux/kernel/git/rppt/memblock for you to fetch changes up to 3ac36aa7307363b7247ccb6f6a804e11496b2b36: x86/mm/numa: Use NUMA_NO_NODE when calling memblock_set_node() (2024-06-06 22:20:39 +0300) ---------------------------------------------------------------- Jan Beulich (2): memblock: make memblock_set_node() also warn about use of MAX_NUMNODES x86/mm/numa: Use NUMA_NO_NODE when calling memblock_set_node() arch/x86/mm/numa.c | 6 +++--- mm/memblock.c | 4 ++++ 2 files changed, 7 insertions(+), 3 deletions(-) -- Sincerely yours, Mike.

1 year

4
7
0 0

[PATCH] net: do not leave dangling sk pointer in inet_create()/inet6_create()

by Ignat Korchagin

It is possible to trigger a use-after-free by: * attaching an fentry probe to __sock_release() and the probe calling the bpf_get_socket_cookie() helper * running traceroute -I 1.1.1.1 on a freshly booted VM A KASAN enabled kernel will log something like below (decoded): [ 78.328507][ T299] ================================================================== [ 78.329018][ T299] BUG: KASAN: slab-use-after-free in __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) [ 78.329366][ T299] Read of size 8 at addr ffff888007110dd8 by task traceroute/299 [ 78.329366][ T299] [ 78.329366][ T299] CPU: 2 PID: 299 Comm: traceroute Tainted: G E 6.10.0-rc2+ #2 [ 78.329366][ T299] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 [ 78.329366][ T299] Call Trace: [ 78.329366][ T299] <TASK> [ 78.329366][ T299] dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1)) [ 78.329366][ T299] print_report (mm/kasan/report.c:378 mm/kasan/report.c:488) [ 78.329366][ T299] ? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) [ 78.329366][ T299] kasan_report (mm/kasan/report.c:603) [ 78.329366][ T299] ? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) [ 78.329366][ T299] kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189) [ 78.329366][ T299] __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) [ 78.329366][ T299] bpf_get_socket_ptr_cookie (./arch/x86/include/asm/preempt.h:94 ./include/linux/sock_diag.h:42 net/core/filter.c:5094 net/core/filter.c:5092) [ 78.329366][ T299] bpf_prog_875642cf11f1d139___sock_release+0x6e/0x8e [ 78.329366][ T299] bpf_trampoline_6442506592+0x47/0xaf [ 78.329366][ T299] __sock_release (net/socket.c:652) [ 78.329366][ T299] __sock_create (net/socket.c:1601) [ 78.329366][ T299] ? srso_return_thunk (arch/x86/lib/retpoline.S:224) [ 78.329366][ T299] __sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706) [ 78.329366][ T299] ? __pfx___sys_socket (net/socket.c:1702) [ 78.329366][ T299] ? srso_return_thunk (arch/x86/lib/retpoline.S:224) [ 78.329366][ T299] ? up_read (./arch/x86/include/asm/atomic64_64.h:79 ./include/linux/atomic/atomic-arch-fallback.h:2749 ./include/linux/atomic/atomic-long.h:184 ./include/linux/atomic/atomic-instrumented.h:3317 kernel/locking/rwsem.c:1347 kernel/locking/rwsem.c:1622) [ 78.329366][ T299] ? srso_return_thunk (arch/x86/lib/retpoline.S:224) [ 78.329366][ T299] ? do_user_addr_fault (arch/x86/mm/fault.c:1419) [ 78.329366][ T299] __x64_sys_socket (net/socket.c:1718) [ 78.329366][ T299] ? srso_return_thunk (arch/x86/lib/retpoline.S:224) [ 78.329366][ T299] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) [ 78.329366][ T299] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) [ 78.329366][ T299] RIP: 0033:0x7f4022818ca7 [ 78.329366][ T299] Code: 73 01 c3 48 8b 0d 59 71 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 29 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 29 71 0c 00 f7 d8 64 89 01 48 All code ======== 0: 73 01 jae 0x3 2: c3 ret 3: 48 8b 0d 59 71 0c 00 mov 0xc7159(%rip),%rcx # 0xc7163 a: f7 d8 neg %eax c: 64 89 01 mov %eax,%fs:(%rcx) f: 48 83 c8 ff or $0xffffffffffffffff,%rax 13: c3 ret 14: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1) 1b: 00 00 00 1e: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) 23: b8 29 00 00 00 mov $0x29,%eax 28: 0f 05 syscall 2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction 30: 73 01 jae 0x33 32: c3 ret 33: 48 8b 0d 29 71 0c 00 mov 0xc7129(%rip),%rcx # 0xc7163 3a: f7 d8 neg %eax 3c: 64 89 01 mov %eax,%fs:(%rcx) 3f: 48 rex.W Code starting with the faulting instruction =========================================== 0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax 6: 73 01 jae 0x9 8: c3 ret 9: 48 8b 0d 29 71 0c 00 mov 0xc7129(%rip),%rcx # 0xc7139 10: f7 d8 neg %eax 12: 64 89 01 mov %eax,%fs:(%rcx) 15: 48 rex.W [ 78.329366][ T299] RSP: 002b:00007ffd57e63db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000029 [ 78.329366][ T299] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f4022818ca7 [ 78.329366][ T299] RDX: 0000000000000001 RSI: 0000000000000002 RDI: 0000000000000002 [ 78.329366][ T299] RBP: 0000000000000002 R08: 0000000000000000 R09: 0000564be3dc8ec0 [ 78.329366][ T299] R10: 0c41e8ba3f6107df R11: 0000000000000246 R12: 0000564bbab801e0 [ 78.329366][ T299] R13: 0000000000000000 R14: 0000564bbab7db18 R15: 00007f4022934020 [ 78.329366][ T299] </TASK> [ 78.329366][ T299] [ 78.329366][ T299] Allocated by task 299 on cpu 2 at 78.328492s: [ 78.329366][ T299] kasan_save_stack (mm/kasan/common.c:48) [ 78.329366][ T299] kasan_save_track (mm/kasan/common.c:68) [ 78.329366][ T299] __kasan_slab_alloc (mm/kasan/common.c:312 mm/kasan/common.c:338) [ 78.329366][ T299] kmem_cache_alloc_noprof (mm/slub.c:3941 mm/slub.c:4000 mm/slub.c:4007) [ 78.329366][ T299] sk_prot_alloc (net/core/sock.c:2075) [ 78.329366][ T299] sk_alloc (net/core/sock.c:2134) [ 78.329366][ T299] inet_create (net/ipv4/af_inet.c:327 net/ipv4/af_inet.c:252) [ 78.329366][ T299] __sock_create (net/socket.c:1572) [ 78.329366][ T299] __sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706) [ 78.329366][ T299] __x64_sys_socket (net/socket.c:1718) [ 78.329366][ T299] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) [ 78.329366][ T299] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) [ 78.329366][ T299] [ 78.329366][ T299] Freed by task 299 on cpu 2 at 78.328502s: [ 78.329366][ T299] kasan_save_stack (mm/kasan/common.c:48) [ 78.329366][ T299] kasan_save_track (mm/kasan/common.c:68) [ 78.329366][ T299] kasan_save_free_info (mm/kasan/generic.c:582) [ 78.329366][ T299] poison_slab_object (mm/kasan/common.c:242) [ 78.329366][ T299] __kasan_slab_free (mm/kasan/common.c:256) [ 78.329366][ T299] kmem_cache_free (mm/slub.c:4437 mm/slub.c:4511) [ 78.329366][ T299] __sk_destruct (net/core/sock.c:2117 net/core/sock.c:2208) [ 78.329366][ T299] inet_create (net/ipv4/af_inet.c:397 net/ipv4/af_inet.c:252) [ 78.329366][ T299] __sock_create (net/socket.c:1572) [ 78.329366][ T299] __sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706) [ 78.329366][ T299] __x64_sys_socket (net/socket.c:1718) [ 78.329366][ T299] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) [ 78.329366][ T299] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) [ 78.329366][ T299] [ 78.329366][ T299] The buggy address belongs to the object at ffff888007110d80 [ 78.329366][ T299] which belongs to the cache PING of size 976 [ 78.329366][ T299] The buggy address is located 88 bytes inside of [ 78.329366][ T299] freed 976-byte region [ffff888007110d80, ffff888007111150) [ 78.329366][ T299] [ 78.329366][ T299] The buggy address belongs to the physical page: [ 78.329366][ T299] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7110 [ 78.329366][ T299] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 78.329366][ T299] flags: 0x1ffff800000040(head|node=0|zone=1|lastcpupid=0x1ffff) [ 78.329366][ T299] page_type: 0xffffefff(slab) [ 78.329366][ T299] raw: 001ffff800000040 ffff888002f328c0 dead000000000122 0000000000000000 [ 78.329366][ T299] raw: 0000000000000000 00000000801c001c 00000001ffffefff 0000000000000000 [ 78.329366][ T299] head: 001ffff800000040 ffff888002f328c0 dead000000000122 0000000000000000 [ 78.329366][ T299] head: 0000000000000000 00000000801c001c 00000001ffffefff 0000000000000000 [ 78.329366][ T299] head: 001ffff800000003 ffffea00001c4401 ffffffffffffffff 0000000000000000 [ 78.329366][ T299] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 [ 78.329366][ T299] page dumped because: kasan: bad access detected [ 78.329366][ T299] [ 78.329366][ T299] Memory state around the buggy address: [ 78.329366][ T299] ffff888007110c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 78.329366][ T299] ffff888007110d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 78.329366][ T299] >ffff888007110d80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 78.329366][ T299] ^ [ 78.329366][ T299] ffff888007110e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 78.329366][ T299] ffff888007110e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 78.329366][ T299] ================================================================== [ 78.366431][ T299] Disabling lock debugging due to kernel taint Fix this by ensuring the error path of inet_create()/inet6_create do not leave a dangling sk pointer after sk was released. Fixes: 086c653f5862 ("sock: struct proto hash function may error") Fixes: 610236587600 ("bpf: Add new cgroup attach type to enable sock modifications") Cc: stable(a)vger.kernel.org Signed-off-by: Ignat Korchagin <ignat(a)cloudflare.com> --- net/ipv4/af_inet.c | 3 +++ net/ipv6/af_inet6.c | 3 +++ 2 files changed, 6 insertions(+) diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c index b24d74616637..db53701db29e 100644 --- a/net/ipv4/af_inet.c +++ b/net/ipv4/af_inet.c @@ -378,6 +378,7 @@ static int inet_create(struct net *net, struct socket *sock, int protocol, err = sk->sk_prot->hash(sk); if (err) { sk_common_release(sk); + sock->sk = NULL; goto out; } } @@ -386,6 +387,7 @@ static int inet_create(struct net *net, struct socket *sock, int protocol, err = sk->sk_prot->init(sk); if (err) { sk_common_release(sk); + sock->sk = NULL; goto out; } } @@ -394,6 +396,7 @@ static int inet_create(struct net *net, struct socket *sock, int protocol, err = BPF_CGROUP_RUN_PROG_INET_SOCK(sk); if (err) { sk_common_release(sk); + sock->sk = NULL; goto out; } } diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c index 8041dc181bd4..6d5ebb2af928 100644 --- a/net/ipv6/af_inet6.c +++ b/net/ipv6/af_inet6.c @@ -254,6 +254,7 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol, err = sk->sk_prot->hash(sk); if (err) { sk_common_release(sk); + sock->sk = NULL; goto out; } } @@ -261,6 +262,7 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol, err = sk->sk_prot->init(sk); if (err) { sk_common_release(sk); + sock->sk = NULL; goto out; } } @@ -269,6 +271,7 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol, err = BPF_CGROUP_RUN_PROG_INET_SOCK(sk); if (err) { sk_common_release(sk); + sock->sk = NULL; goto out; } } -- 2.39.2

1 year

2
4
0 0

[PATCH v2] kasan: fix bad call to unpoison_slab_object

by andrey.konovalov＠linux.dev

From: Andrey Konovalov <andreyknvl(a)gmail.com> Commit 29d7355a9d05 ("kasan: save alloc stack traces for mempool") messed up one of the calls to unpoison_slab_object: the last two arguments are supposed to be GFP flags and whether to init the object memory. Fix the call. Without this fix, __kasan_mempool_unpoison_object provides the object's size as GFP flags to unpoison_slab_object, which can cause LOCKDEP reports (and probably other issues). Fixes: 29d7355a9d05 ("kasan: save alloc stack traces for mempool") Reported-by: Brad Spengler <spender(a)grsecurity.net> Cc: stable(a)vger.kernel.org Acked-by: Marco Elver <elver(a)google.com> Signed-off-by: Andrey Konovalov <andreyknvl(a)gmail.com> --- Changes v1->v2: - Fix typo in commit message. - CC stable. --- mm/kasan/common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mm/kasan/common.c b/mm/kasan/common.c index e7c9a4dc89f8..85e7c6b4575c 100644 --- a/mm/kasan/common.c +++ b/mm/kasan/common.c @@ -532,7 +532,7 @@ void __kasan_mempool_unpoison_object(void *ptr, size_t size, unsigned long ip) return; /* Unpoison the object and save alloc info for non-kmalloc() allocations. */ - unpoison_slab_object(slab->slab_cache, ptr, size, flags); + unpoison_slab_object(slab->slab_cache, ptr, flags, false); /* Poison the redzone and save alloc info for kmalloc() allocations. */ if (is_kmalloc_cache(slab->slab_cache)) -- 2.25.1

1 year

1
0
0 0

[PATCH v2 1/2] drm/i915/mso: using joiner is not possible with eDP MSO

by Jani Nikula

It's not possible to use the joiner at the same time with eDP MSO. When a panel needs MSO, it's not optional, so MSO trumps joiner. While just reporting false for intel_dp_has_joiner() should be sufficient, also skip creation of the joiner force enable debugfs to better handle this in testing. Cc: stable(a)vger.kernel.org Cc: Ville Syrjala <ville.syrjala(a)linux.intel.com> Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/1668 Signed-off-by: Jani Nikula <jani.nikula(a)intel.com> --- drivers/gpu/drm/i915/display/intel_display_debugfs.c | 8 ++++++-- drivers/gpu/drm/i915/display/intel_dp.c | 4 ++++ 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/i915/display/intel_display_debugfs.c b/drivers/gpu/drm/i915/display/intel_display_debugfs.c index 91757fed9c6d..5eb31404436c 100644 --- a/drivers/gpu/drm/i915/display/intel_display_debugfs.c +++ b/drivers/gpu/drm/i915/display/intel_display_debugfs.c @@ -1546,8 +1546,12 @@ void intel_connector_debugfs_add(struct intel_connector *connector) if (DISPLAY_VER(i915) >= 11 && (connector_type == DRM_MODE_CONNECTOR_DisplayPort || connector_type == DRM_MODE_CONNECTOR_eDP)) { - debugfs_create_bool("i915_bigjoiner_force_enable", 0644, root, - &connector->force_bigjoiner_enable); + struct intel_dp *intel_dp = intel_attached_dp(connector); + + /* eDP MSO is not compatible with joiner */ + if (!intel_dp->mso_link_count) + debugfs_create_bool("i915_bigjoiner_force_enable", 0644, root, + &connector->force_bigjoiner_enable); } if (connector_type == DRM_MODE_CONNECTOR_DSI || diff --git a/drivers/gpu/drm/i915/display/intel_dp.c b/drivers/gpu/drm/i915/display/intel_dp.c index 9a9bb0f5b7fe..ab33c9de393a 100644 --- a/drivers/gpu/drm/i915/display/intel_dp.c +++ b/drivers/gpu/drm/i915/display/intel_dp.c @@ -465,6 +465,10 @@ bool intel_dp_has_joiner(struct intel_dp *intel_dp) struct intel_encoder *encoder = &intel_dig_port->base; struct drm_i915_private *dev_priv = to_i915(encoder->base.dev); + /* eDP MSO is not compatible with joiner */ + if (intel_dp->mso_link_count) + return false; + return DISPLAY_VER(dev_priv) >= 12 || (DISPLAY_VER(dev_priv) == 11 && encoder->port != PORT_A); -- 2.39.2

1 year

2
2
0 0

Please backport 2d43cc701b96 to v6.9 and v6.6

by Michael Ellerman

Hi stable team, Can you please backport: 2d43cc701b96 ("powerpc/uaccess: Fix build errors seen with GCC 13/14") To v6.9 and v6.6. It was marked for backporting, but hasn't been picked up AFAICS. I'm not sure if it clashed with the asm_goto_output changes or something. But it backports cleanly to the current stable branches. It needs a custom backport for earlier kernels, I'll send those. cheers

1 year

2
2
0 0

[PATCH v6.1] powerpc/uaccess: Fix build errors seen with GCC 13/14

by Michael Ellerman

commit 2d43cc701b96f910f50915ac4c2a0cae5deb734c upstream. Building ppc64le_defconfig with GCC 14 fails with assembler errors: CC fs/readdir.o /tmp/ccdQn0mD.s: Assembler messages: /tmp/ccdQn0mD.s:212: Error: operand out of domain (18 is not a multiple of 4) /tmp/ccdQn0mD.s:226: Error: operand out of domain (18 is not a multiple of 4) ... [6 lines] /tmp/ccdQn0mD.s:1699: Error: operand out of domain (18 is not a multiple of 4) A snippet of the asm shows: # ../fs/readdir.c:210: unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end); ld 9,0(29) # MEM[(u64 *)name_38(D) + _88 * 1], MEM[(u64 *)name_38(D) + _88 * 1] # 210 "../fs/readdir.c" 1 1: std 9,18(8) # put_user # *__pus_addr_52, MEM[(u64 *)name_38(D) + _88 * 1] The 'std' instruction requires a 4-byte aligned displacement because it is a DS-form instruction, and as the assembler says, 18 is not a multiple of 4. A similar error is seen with GCC 13 and CONFIG_UBSAN_SIGNED_WRAP=y. The fix is to change the constraint on the memory operand to put_user(), from "m" which is a general memory reference to "YZ". The "Z" constraint is documented in the GCC manual PowerPC machine constraints, and specifies a "memory operand accessed with indexed or indirect addressing". "Y" is not documented in the manual but specifies a "memory operand for a DS-form instruction". Using both allows the compiler to generate a DS-form "std" or X-form "stdx" as appropriate. Unfortunately clang doesn't support the "Y" constraint so that has to be behind an ifdef. Although the build error is only seen with GCC 13/14, that appears to just be luck. The constraint has been incorrect since it was first added. Fixes: c20beffeec3c ("powerpc/uaccess: Use flexible addressing with __put_user()/__get_user()") Suggested-by: Kewen Lin <linkw(a)gcc.gnu.org> [mpe: Drop CONFIG_PPC_KERNEL_PREFIXED ifdef for backport] Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au> Link: https://msgid.link/20240529123029.146953-1-mpe@ellerman.id.au --- arch/powerpc/include/asm/uaccess.h | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h index 45d4c9cf3f3a..661046150e49 100644 --- a/arch/powerpc/include/asm/uaccess.h +++ b/arch/powerpc/include/asm/uaccess.h @@ -80,9 +80,20 @@ __pu_failed: \ : \ : label) +#ifdef CONFIG_CC_IS_CLANG +#define DS_FORM_CONSTRAINT "Z<>" +#else +#define DS_FORM_CONSTRAINT "YZ<>" +#endif + #ifdef __powerpc64__ -#define __put_user_asm2_goto(x, ptr, label) \ - __put_user_asm_goto(x, ptr, label, "std") +#define __put_user_asm2_goto(x, addr, label) \ + asm goto ("1: std%U1%X1 %0,%1 # put_user\n" \ + EX_TABLE(1b, %l2) \ + : \ + : "r" (x), DS_FORM_CONSTRAINT (*addr) \ + : \ + : label) #else /* __powerpc64__ */ #define __put_user_asm2_goto(x, addr, label) \ asm goto( \ -- 2.45.1

1 year

1
0
0 0

[PATCH v5.15] powerpc/uaccess: Fix build errors seen with GCC 13/14

by Michael Ellerman

commit 2d43cc701b96f910f50915ac4c2a0cae5deb734c upstream. Building ppc64le_defconfig with GCC 14 fails with assembler errors: CC fs/readdir.o /tmp/ccdQn0mD.s: Assembler messages: /tmp/ccdQn0mD.s:212: Error: operand out of domain (18 is not a multiple of 4) /tmp/ccdQn0mD.s:226: Error: operand out of domain (18 is not a multiple of 4) ... [6 lines] /tmp/ccdQn0mD.s:1699: Error: operand out of domain (18 is not a multiple of 4) A snippet of the asm shows: # ../fs/readdir.c:210: unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end); ld 9,0(29) # MEM[(u64 *)name_38(D) + _88 * 1], MEM[(u64 *)name_38(D) + _88 * 1] # 210 "../fs/readdir.c" 1 1: std 9,18(8) # put_user # *__pus_addr_52, MEM[(u64 *)name_38(D) + _88 * 1] The 'std' instruction requires a 4-byte aligned displacement because it is a DS-form instruction, and as the assembler says, 18 is not a multiple of 4. A similar error is seen with GCC 13 and CONFIG_UBSAN_SIGNED_WRAP=y. The fix is to change the constraint on the memory operand to put_user(), from "m" which is a general memory reference to "YZ". The "Z" constraint is documented in the GCC manual PowerPC machine constraints, and specifies a "memory operand accessed with indexed or indirect addressing". "Y" is not documented in the manual but specifies a "memory operand for a DS-form instruction". Using both allows the compiler to generate a DS-form "std" or X-form "stdx" as appropriate. Unfortunately clang doesn't support the "Y" constraint so that has to be behind an ifdef. Although the build error is only seen with GCC 13/14, that appears to just be luck. The constraint has been incorrect since it was first added. Fixes: c20beffeec3c ("powerpc/uaccess: Use flexible addressing with __put_user()/__get_user()") Suggested-by: Kewen Lin <linkw(a)gcc.gnu.org> [mpe: Drop CONFIG_PPC_KERNEL_PREFIXED ifdef for backport] Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au> Link: https://msgid.link/20240529123029.146953-1-mpe@ellerman.id.au --- arch/powerpc/include/asm/uaccess.h | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h index b2680070d65d..6013a7fc74ba 100644 --- a/arch/powerpc/include/asm/uaccess.h +++ b/arch/powerpc/include/asm/uaccess.h @@ -90,9 +90,20 @@ __pu_failed: \ : \ : label) +#ifdef CONFIG_CC_IS_CLANG +#define DS_FORM_CONSTRAINT "Z<>" +#else +#define DS_FORM_CONSTRAINT "YZ<>" +#endif + #ifdef __powerpc64__ -#define __put_user_asm2_goto(x, ptr, label) \ - __put_user_asm_goto(x, ptr, label, "std") +#define __put_user_asm2_goto(x, addr, label) \ + asm goto ("1: std%U1%X1 %0,%1 # put_user\n" \ + EX_TABLE(1b, %l2) \ + : \ + : "r" (x), DS_FORM_CONSTRAINT (*addr) \ + : \ + : label) #else /* __powerpc64__ */ #define __put_user_asm2_goto(x, addr, label) \ asm_volatile_goto( \ -- 2.45.1

1 year

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror June 2024