September 2024 - Linux-stable-mirror

[PATCH net 0/3] net: enetc: fix some issues of XDP

by Wei Fang

We found some bugs when testing the XDP function of enetc driver, and these bugs are easy to reproduce. This is not only causes XDP to not work, but also the network cannot be restored after exiting the XDP program. So the patch set is mainly to fix these bugs. For details, please see the commit message of each patch. Wei Fang (3): net: enetc: remove xdp_drops statistic from enetc_xdp_drop() net: enetc: fix the issues of XDP_REDIRECT feature net: enetc: reset xdp_tx_in_flight when updating bpf program drivers/net/ethernet/freescale/enetc/enetc.c | 46 +++++++++++++++----- drivers/net/ethernet/freescale/enetc/enetc.h | 1 + 2 files changed, 37 insertions(+), 10 deletions(-) -- 2.34.1

11 months, 1 week

5
23
0 0

[REGRESSION] Corruption on cifs / smb write on ARM, kernels 6.3-6.9

by James Young

I was benchmarking some compressors, piping to and from a network share on a NAS, and some consistently wrote corrupted data. First, apologies in advance: * if I'm not in the right place. I tried to follow the directions from the Regressions guide - https://www.kernel.org/doc/html/latest/admin-guide/reporting-regressions.ht… * I know there's a ton of context I don't know * I’m trying a different mail app, because the first one looked concussed with plain text. This might be worse. The detailed description: I was benchmarking some compressors on Debian on a Raspberry Pi, piping to and from a network share on a NAS, and found that some consistently had issues writing to my NAS. Specifically: * lzop * pigz - parallel gzip * pbzip2 - parallel bzip2 This is dependent on kernel version. I've done a survey, below. While I tripped over the issue on a Debian port (Debian 12, bookworm, kernel v6.6), I compiled my own vanilla / mainline kernels for testing and reporting this. Even more details: The Pi and the Synology NAS are directly connected by Gigabit Ethernet. Both sides are using self-assigned IP addresses. I'll note that at boot, getting the Pi to see the NAS requires some nudging of avahi-autoipd; while I think it's stable before testing, I'm not positive, and reconnection issues might be in play. The files in question are tars of sparse file systems, about 270 gig, compressing down to 10-30 gig. Compression seems to work, without complaint; decompression crashes the process, usually within the first gig of the compressed file. The output of the stream doesn't match what ends up written to disk. Trying decompression during compression gets further along than it does after compression finishes; this might point toward something with writes and caches. A previous attempt involved rpi-update, which: * good: let me install kernels without building myself * bad: updated the bootloader and firmware, to bleeding edge, with possible regressions; it definitely muddied the results of my tests I started over with a fresh install, and no results involving rpi-update are included in this email. A survey of major branches: * 5.15.167, LTS - good * 6.1.109, LTS - good * 6.2.16 - good * 6.3.13 - bad * 6.4.16 - bad * 6.5.13 - bad * 6.6.50, LTS - bad * 6.7.12 - bad * 6.8.12 - bad * 6.9.12 - bad * 6.10.9 - good * 6.11.0 - good I tried, but couldn't fully build 4.19.322 or 6.0.19, due to issues with modules. Important commits: It looked like both the breakage and the fix came in during rc1 releases. Breakage, v6.3-rc1: I manually bisected commits in fs/smb* and fs/cifs. 3d78fe73fa12 cifs: Build the RDMA SGE list directly from an iterator > lzop and pigz worked. last working. test in progress: pbzip2 607aea3cc2a8 cifs: Remove unused code > lzop didn't work. first broken Fix, v6.10-rc1: I manually bisected commits in fs/smb. 69c3c023af25 cifs: Implement netfslib hooks > lzop didn't work. last broken one 3ee1a1fc3981 cifs: Cut over to using netfslib > lzop, pigz, pbzip2, all worked. first fixed one To test / reproduce: It looks like this, on a mounted network share, with extra pv for progress meters: cat 1tb-rust-ext4.img.tar.gz | \ gzip -d | \ lzop -1 > \ 1tb-rust-ext4.img.tar.lzop # wait 40 minutes cat 1tb-rust-ext4.img.tar.lzop | \ lzop -d | \ sha1sum # either it works, and shows the right checksum # or it crashes early, due to a corrupt file, and shows an incorrect checksum As I re-read this, I realize it might look like the compressor behaves differently. I added a "tee $output | sha1sum; sha1sum $output" and ran it on a broken version. The checksums from the pipe and for the file on disk are different. Assorted info: This is a Raspberry Pi 4, with 4 GiB RAM, running Debian 12, bookworm, or a port. mount.cifs version: 7.0 # cat /proc/sys/kernel/tainted 1024 # cat /proc/version Linux version 6.2.0-3d78fe73f-v8-pronoiac+ (pronoiac@bisect) (gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #21 SMP PREEMPT Thu Sep 19 16:51:22 PDT 2024 DebugData: /proc/fs/cifs/DebugData Display Internal CIFS Data Structures for Debugging --------------------------------------------------- CIFS Version 2.41 Features: DFS,FSCACHE,STATS2,DEBUG,ALLOW_INSECURE_LEGACY,CIFS_POSIX,UPCALL(SPNEGO),XATTR,ACL CIFSMaxBufSize: 16384 Active VFS Requests: 1 Servers: 1) ConnectionId: 0x1 Hostname: drums.local Number of credits: 8062 Dialect 0x300 TCP status: 1 Instance: 1 Local Users To Server: 1 SecMode: 0x1 Req On Wire: 2 In Send: 1 In MaxReq Wait: 0 Sessions: 1) Address: 169.254.132.219 Uses: 1 Capability: 0x300047 Session Status: 1 Security type: RawNTLMSSP SessionId: 0x4969841e User: 1000 Cred User: 0 Shares: 0) IPC: \\drums.local\IPC$ Mounts: 1 DevInfo: 0x0 Attributes: 0x0 PathComponentMax: 0 Status: 1 type: 0 Serial Number: 0x0 Share Capabilities: None Share Flags: 0x0 tid: 0xeb093f0b Maximal Access: 0x1f00a9 1) \\drums.local\billions Mounts: 1 DevInfo: 0x20 Attributes: 0x5007f PathComponentMax: 255 Status: 1 type: DISK Serial Number: 0x735a9af5 Share Capabilities: None Aligned, Partition Aligned, Share Flags: 0x0 tid: 0x5e6832e6 Optimal sector size: 0x200 Maximal Access: 0x1f01ff MIDs: State: 2 com: 9 pid: 3117 cbdata: 00000000e003293e mid 962892 State: 2 com: 9 pid: 3117 cbdata: 000000002610602a mid 962956 -- Let me know how I can help. The process of iterating can take hours, and it's not automated, so my resources are limited. #regzbot introduced: 607aea3cc2a8 #regzbot fix: 3ee1a1fc3981 -James

11 months, 1 week

3
4
0 0

[PATCH v2 00/10] iio: light: veml6030: fix issues and add support for veml6035

by Javier Carrasco

This series updates the driver for the veml6030 ALS and adds support for the veml6035, which shares most of its functionality with the former. The most relevant updates for the veml6030 are the resolution correction to meet the datasheet update that took place with Rev 1.7, 28-Nov-2023, a fix to avoid a segmentation fault when reading the in_illuminance_period_available attribute, and the removal of the processed value for the WHITE channel, as it uses the ALS resolution. Vishay does not host the Product Information Notification where the resolution correction was introduced, but it can still be found online[1], and the corrected value is the one listed on the latest version of the datasheet[2] (Rev. 1.7, 28-Nov-2023) and application note[3] (Rev. 17-Jan-2024). Link: https://www.farnell.com/datasheets/4379688.pdf [1] Link: https://www.vishay.com/docs/84366/veml6030.pdf [2] Link: https://www.vishay.com/docs/84367/designingveml6030.pdf [3] Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> --- Changes in v2: - Rebase to iio/testing, dropping applied patches [1/7], [4/7]. - Drop [3/7] (applied to iio/fixes-togreg). - Add patch to use dev_err_probe() in probe error paths. - Add patch to use read_avail() for available attributes. - Add patches to use to support a regulator. - Add patch to ensure that the device is powered off in error paths after powering it on. - Add patch to drop processed values from the WHITE channel. - Use fsleep() instead of usleep_range() in veml6030_als_pwr_on() - Link to v1: https://lore.kernel.org/r/20240913-veml6035-v1-0-0b09c0c90418@gmail.com --- Javier Carrasco (10): iio: light: veml6030: fix ALS sensor resolution iio: light: veml6030: add set up delay after any power on sequence iio: light: veml6030: use dev_err_probe() dt-bindings: iio: light: veml6030: add vdd-supply property iio: light: veml6030: add support for a regulator iio: light: veml6030: use read_avail() for available attributes iio: light: veml6030: drop processed info for white channel iio: light: veml6030: power off device in probe error paths dt-bindings: iio: light: veml6030: add veml6035 iio: light: veml6030: add support for veml6035 .../bindings/iio/light/vishay,veml6030.yaml | 43 +- drivers/iio/light/Kconfig | 4 +- drivers/iio/light/veml6030.c | 453 ++++++++++++++++----- 3 files changed, 391 insertions(+), 109 deletions(-) --- base-commit: 8bea3878a1511bceadc2fbf284b00bcc5a2ef28d change-id: 20240903-veml6035-7a91bc088c6f Best regards, -- Javier Carrasco <javier.carrasco.cruz(a)gmail.com>

11 months, 1 week

2
2
0 0

[PATCH 5.15.y 0/3] x86: Complete backports for x86_match_cpu()

by Ricardo Neri

Hi, Upstream commit 93022482b294 ("x86/cpu: Fix x86_match_cpu() to match just X86_VENDOR_INTEL") introduced a flags member to struct x86_cpu_id. Bit 0 of x86_cpu.id.flags must be set to 1 for x86_match_cpu() to work correctly. This upstream commit has been backported to 5.15.y. Callers that use the X86_MATCH_*() family of macros to compose the argument of x86_match_cpu() function correctly. Callers that use their own custom mechanisms may not work if they fail to set x86_cpu_id.flags correctly. There are three remaining callers in 5.15.y that use their own mechanisms: a) setup_pcid(), b) rapl_msr_probe(), and c) goodix_add_acpi_gpio_ mappings(). a) caused a regression that Thomas Lindroth reported in [1]. b) works by luck but it still populates its x86_cpu_id[] array incorrectly. I am not aware of any reports on c), but inspecting the code reveals that it will fail to identify INTEL_FAM6_ATOM_SILVERMONT for the reason described above. I backported three patches that fix these bugs in mainline. Hopefully the authors and/or maintainers can ack the backports? I tested patches 2/3 and 3/3 on Alder Lake, and Meteor Lake systems as the two involved callers behave differently on these two systems. I wrote the testing details in each patch separately. I could not test patch 1/3 because I do not have access to Bay Trail hardware. Thanks and BR, Ricardo [1]. https://lore.kernel.org/all/eb709d67-2a8d-412f-905d-f3777d897bfa@gmail.com/ Hans de Goede (1): Input: goodix - use the new soc_intel_is_byt() helper Sumeet Pawnikar (1): powercap: RAPL: fix invalid initialization for pl4_supported field Tony Luck (1): x86/mm: Switch to new Intel CPU model defines arch/x86/mm/init.c | 16 ++++++---------- drivers/input/touchscreen/goodix.c | 18 ++---------------- drivers/powercap/intel_rapl_msr.c | 6 +++--- 3 files changed, 11 insertions(+), 29 deletions(-) -- 2.34.1

11 months, 1 week

1
3
0 0

[PATCH v6.1] drm/vmwgfx: Prevent unmapping active read buffers

by Shivani Agarwal

From: Zack Rusin <zack.rusin(a)broadcom.com> commit aba07b9a0587f50e5d3346eaa19019cf3f86c0ea upstream. The kms paths keep a persistent map active to read and compare the cursor buffer. These maps can race with each other in simple scenario where: a) buffer "a" mapped for update b) buffer "a" mapped for compare c) do the compare d) unmap "a" for compare e) update the cursor f) unmap "a" for update At step "e" the buffer has been unmapped and the read contents is bogus. Prevent unmapping of active read buffers by simply keeping a count of how many paths have currently active maps and unmap only when the count reaches 0. Fixes: 485d98d472d5 ("drm/vmwgfx: Add support for CursorMob and CursorBypass 4") Cc: Broadcom internal kernel review list <bcm-kernel-feedback-list(a)broadcom.com> Cc: dri-devel(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v5.19+ Signed-off-by: Zack Rusin <zack.rusin(a)broadcom.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240816183332.31961-2-zack.r… Reviewed-by: Martin Krastev <martin.krastev(a)broadcom.com> Reviewed-by: Maaz Mombasawala <maaz.mombasawala(a)broadcom.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> [Shivani: Modified to apply on v6.1.y] Signed-off-by: Shivani Agarwal <shivani.agarwal(a)broadcom.com> --- drivers/gpu/drm/vmwgfx/vmwgfx_bo.c | 12 +++++++++++- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 3 +++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c index c46f380d9149..733b0013eda1 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c @@ -348,6 +348,8 @@ void *vmw_bo_map_and_cache(struct vmw_buffer_object *vbo) void *virtual; int ret; + atomic_inc(&vbo->map_count); + virtual = ttm_kmap_obj_virtual(&vbo->map, &not_used); if (virtual) return virtual; @@ -370,10 +372,17 @@ void *vmw_bo_map_and_cache(struct vmw_buffer_object *vbo) */ void vmw_bo_unmap(struct vmw_buffer_object *vbo) { + int map_count; + if (vbo->map.bo == NULL) return; - ttm_bo_kunmap(&vbo->map); + map_count = atomic_dec_return(&vbo->map_count); + + if (!map_count) { + ttm_bo_kunmap(&vbo->map); + vbo->map.bo = NULL; + } } @@ -510,6 +519,7 @@ int vmw_bo_init(struct vmw_private *dev_priv, BUILD_BUG_ON(TTM_MAX_BO_PRIORITY <= 3); vmw_bo->base.priority = 3; vmw_bo->res_tree = RB_ROOT; + atomic_set(&vmw_bo->map_count, 0); size = ALIGN(size, PAGE_SIZE); drm_gem_private_object_init(vdev, &vmw_bo->base.base, size); diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h index b0c23559511a..bca10214e0bf 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h @@ -116,6 +116,8 @@ struct vmwgfx_hash_item { * @base: The TTM buffer object * @res_tree: RB tree of resources using this buffer object as a backing MOB * @base_mapped_count: ttm BO mapping count; used by KMS atomic helpers. + * @map_count: The number of currently active maps. Will differ from the + * cpu_writers because it includes kernel maps. * @cpu_writers: Number of synccpu write grabs. Protected by reservation when * increased. May be decreased without reservation. * @dx_query_ctx: DX context if this buffer object is used as a DX query MOB @@ -129,6 +131,7 @@ struct vmw_buffer_object { /* For KMS atomic helpers: ttm bo mapping count */ atomic_t base_mapped_count; + atomic_t map_count; atomic_t cpu_writers; /* Not ref-counted. Protected by binding_mutex */ struct vmw_resource *dx_query_ctx; -- 2.39.4

11 months, 1 week

1
0
0 0

[PATCH v6.6] drm/vmwgfx: Prevent unmapping active read buffers

by Shivani Agarwal

From: Zack Rusin <zack.rusin(a)broadcom.com> commit aba07b9a0587f50e5d3346eaa19019cf3f86c0ea upstream. The kms paths keep a persistent map active to read and compare the cursor buffer. These maps can race with each other in simple scenario where: a) buffer "a" mapped for update b) buffer "a" mapped for compare c) do the compare d) unmap "a" for compare e) update the cursor f) unmap "a" for update At step "e" the buffer has been unmapped and the read contents is bogus. Prevent unmapping of active read buffers by simply keeping a count of how many paths have currently active maps and unmap only when the count reaches 0. Fixes: 485d98d472d5 ("drm/vmwgfx: Add support for CursorMob and CursorBypass 4") Cc: Broadcom internal kernel review list <bcm-kernel-feedback-list(a)broadcom.com> Cc: dri-devel(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v5.19+ Signed-off-by: Zack Rusin <zack.rusin(a)broadcom.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240816183332.31961-2-zack.r… Reviewed-by: Martin Krastev <martin.krastev(a)broadcom.com> Reviewed-by: Maaz Mombasawala <maaz.mombasawala(a)broadcom.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> [Shivani: Modified to apply on v6.6.y] Signed-off-by: Shivani Agarwal <shivani.agarwal(a)broadcom.com> --- drivers/gpu/drm/vmwgfx/vmwgfx_bo.c | 13 +++++++++++-- drivers/gpu/drm/vmwgfx/vmwgfx_bo.h | 3 +++ 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c index ae796e0c64aa..fdc34283eeb9 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c @@ -331,6 +331,8 @@ void *vmw_bo_map_and_cache(struct vmw_bo *vbo) void *virtual; int ret; + atomic_inc(&vbo->map_count); + virtual = ttm_kmap_obj_virtual(&vbo->map, &not_used); if (virtual) return virtual; @@ -353,11 +355,17 @@ void *vmw_bo_map_and_cache(struct vmw_bo *vbo) */ void vmw_bo_unmap(struct vmw_bo *vbo) { + int map_count; + if (vbo->map.bo == NULL) return; - ttm_bo_kunmap(&vbo->map); - vbo->map.bo = NULL; + map_count = atomic_dec_return(&vbo->map_count); + + if (!map_count) { + ttm_bo_kunmap(&vbo->map); + vbo->map.bo = NULL; + } } @@ -390,6 +398,7 @@ static int vmw_bo_init(struct vmw_private *dev_priv, BUILD_BUG_ON(TTM_MAX_BO_PRIORITY <= 3); vmw_bo->tbo.priority = 3; vmw_bo->res_tree = RB_ROOT; + atomic_set(&vmw_bo->map_count, 0); params->size = ALIGN(params->size, PAGE_SIZE); drm_gem_private_object_init(vdev, &vmw_bo->tbo.base, params->size); diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.h b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.h index f349642e6190..156ea612fc2a 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.h +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.h @@ -68,6 +68,8 @@ struct vmw_bo_params { * @map: Kmap object for semi-persistent mappings * @res_tree: RB tree of resources using this buffer object as a backing MOB * @res_prios: Eviction priority counts for attached resources + * @map_count: The number of currently active maps. Will differ from the + * cpu_writers because it includes kernel maps. * @cpu_writers: Number of synccpu write grabs. Protected by reservation when * increased. May be decreased without reservation. * @dx_query_ctx: DX context if this buffer object is used as a DX query MOB @@ -86,6 +88,7 @@ struct vmw_bo { struct rb_root res_tree; u32 res_prios[TTM_MAX_BO_PRIORITY]; + atomic_t map_count; atomic_t cpu_writers; /* Not ref-counted. Protected by binding_mutex */ struct vmw_resource *dx_query_ctx; -- 2.39.4

11 months, 1 week

1
0
0 0

[PATCH v5.15-v6.1] selinux,smack: don't bypass permissions check in inode_setsecctx hook

by Shivani Agarwal

From: Scott Mayhew <smayhew(a)redhat.com> commit 76a0e79bc84f466999fa501fce5bf7a07641b8a7 upstream. Marek Gresko reports that the root user on an NFS client is able to change the security labels on files on an NFS filesystem that is exported with root squashing enabled. The end of the kerneldoc comment for __vfs_setxattr_noperm() states: * This function requires the caller to lock the inode's i_mutex before it * is executed. It also assumes that the caller will make the appropriate * permission checks. nfsd_setattr() does do permissions checking via fh_verify() and nfsd_permission(), but those don't do all the same permissions checks that are done by security_inode_setxattr() and its related LSM hooks do. Since nfsd_setattr() is the only consumer of security_inode_setsecctx(), simplest solution appears to be to replace the call to __vfs_setxattr_noperm() with a call to __vfs_setxattr_locked(). This fixes the above issue and has the added benefit of causing nfsd to recall conflicting delegations on a file when a client tries to change its security label. Cc: stable(a)kernel.org Reported-by: Marek Gresko <marek.gresko(a)protonmail.com> Link: https://bugzilla.kernel.org/show_bug.cgi?id=218809 Signed-off-by: Scott Mayhew <smayhew(a)redhat.com> Tested-by: Stephen Smalley <stephen.smalley.work(a)gmail.com> Reviewed-by: Stephen Smalley <stephen.smalley.work(a)gmail.com> Reviewed-by: Chuck Lever <chuck.lever(a)oracle.com> Reviewed-by: Jeff Layton <jlayton(a)kernel.org> Acked-by: Casey Schaufler <casey(a)schaufler-ca.com> Signed-off-by: Paul Moore <paul(a)paul-moore.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> [Shivani: Modified to apply on v5.15.y-v6.1.y] Signed-off-by: Shivani Agarwal <shivani.agarwal(a)broadcom.com> --- security/selinux/hooks.c | 4 ++-- security/smack/smack_lsm.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 78f3da39b031..626d397c2f86 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6631,8 +6631,8 @@ static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen */ static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) { - return __vfs_setxattr_noperm(&init_user_ns, dentry, XATTR_NAME_SELINUX, - ctx, ctxlen, 0); + return __vfs_setxattr_locked(&init_user_ns, dentry, XATTR_NAME_SELINUX, + ctx, ctxlen, 0, NULL); } static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index c18366dbbfed..25995df15e82 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4714,8 +4714,8 @@ static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) { - return __vfs_setxattr_noperm(&init_user_ns, dentry, XATTR_NAME_SMACK, - ctx, ctxlen, 0); + return __vfs_setxattr_locked(&init_user_ns, dentry, XATTR_NAME_SMACK, + ctx, ctxlen, 0, NULL); } static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) -- 2.39.4

11 months, 1 week

1
0
0 0

[PATCH v5.10] selinux,smack: don't bypass permissions check in inode_setsecctx hook

by Shivani Agarwal

From: Scott Mayhew <smayhew(a)redhat.com> commit 76a0e79bc84f466999fa501fce5bf7a07641b8a7 upstream. Marek Gresko reports that the root user on an NFS client is able to change the security labels on files on an NFS filesystem that is exported with root squashing enabled. The end of the kerneldoc comment for __vfs_setxattr_noperm() states: * This function requires the caller to lock the inode's i_mutex before it * is executed. It also assumes that the caller will make the appropriate * permission checks. nfsd_setattr() does do permissions checking via fh_verify() and nfsd_permission(), but those don't do all the same permissions checks that are done by security_inode_setxattr() and its related LSM hooks do. Since nfsd_setattr() is the only consumer of security_inode_setsecctx(), simplest solution appears to be to replace the call to __vfs_setxattr_noperm() with a call to __vfs_setxattr_locked(). This fixes the above issue and has the added benefit of causing nfsd to recall conflicting delegations on a file when a client tries to change its security label. Cc: stable(a)kernel.org Reported-by: Marek Gresko <marek.gresko(a)protonmail.com> Link: https://bugzilla.kernel.org/show_bug.cgi?id=218809 Signed-off-by: Scott Mayhew <smayhew(a)redhat.com> Tested-by: Stephen Smalley <stephen.smalley.work(a)gmail.com> Reviewed-by: Stephen Smalley <stephen.smalley.work(a)gmail.com> Reviewed-by: Chuck Lever <chuck.lever(a)oracle.com> Reviewed-by: Jeff Layton <jlayton(a)kernel.org> Acked-by: Casey Schaufler <casey(a)schaufler-ca.com> Signed-off-by: Paul Moore <paul(a)paul-moore.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> [Shivani: Modified to apply on v5.10.y] Signed-off-by: Shivani Agarwal <shivani.agarwal(a)broadcom.com> --- security/selinux/hooks.c | 3 ++- security/smack/smack_lsm.c | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 46c00a68bb4b..90935ed3d8d8 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6570,7 +6570,8 @@ static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen */ static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) { - return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0); + return __vfs_setxattr_locked(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0, + NULL); } static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 92bc6c9d793d..cb4801fcf9a8 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4651,7 +4651,8 @@ static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) { - return __vfs_setxattr_noperm(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0); + return __vfs_setxattr_locked(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0, + NULL); } static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) -- 2.39.4

11 months, 1 week

1
0
0 0

[PATCH v3] zram: don't free statically defined names

by Andrey Skvortsov

When CONFIG_ZRAM_MULTI_COMP isn't set ZRAM_SECONDARY_COMP can hold default_compressor, because it's the same offset as ZRAM_PRIMARY_COMP, so we need to make sure that we don't attempt to kfree() the statically defined compressor name. This is detected by KASAN. ================================================================== Call trace: kfree+0x60/0x3a0 zram_destroy_comps+0x98/0x198 [zram] zram_reset_device+0x22c/0x4a8 [zram] reset_store+0x1bc/0x2d8 [zram] dev_attr_store+0x44/0x80 sysfs_kf_write+0xfc/0x188 kernfs_fop_write_iter+0x28c/0x428 vfs_write+0x4dc/0x9b8 ksys_write+0x100/0x1f8 __arm64_sys_write+0x74/0xb8 invoke_syscall+0xd8/0x260 el0_svc_common.constprop.0+0xb4/0x240 do_el0_svc+0x48/0x68 el0_svc+0x40/0xc8 el0t_64_sync_handler+0x120/0x130 el0t_64_sync+0x190/0x198 ================================================================== Signed-off-by: Andrey Skvortsov <andrej.skvortzov(a)gmail.com> Fixes: 684826f8271a ("zram: free secondary algorithms names") Cc: <stable(a)vger.kernel.org> --- Changes in v2: - removed comment from source code about freeing statically defined compression - removed part of KASAN report from commit description - added information about CONFIG_ZRAM_MULTI_COMP into commit description Changes in v3: - modified commit description based on Sergey's comment - changed start for-loop to ZRAM_PRIMARY_COMP drivers/block/zram/zram_drv.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c index c3d245617083d..ad9c9bc3ccfc5 100644 --- a/drivers/block/zram/zram_drv.c +++ b/drivers/block/zram/zram_drv.c @@ -2115,8 +2115,10 @@ static void zram_destroy_comps(struct zram *zram) zram->num_active_comps--; } - for (prio = ZRAM_SECONDARY_COMP; prio < ZRAM_MAX_COMPS; prio++) { - kfree(zram->comp_algs[prio]); + for (prio = ZRAM_PRIMARY_COMP; prio < ZRAM_MAX_COMPS; prio++) { + /* Do not free statically defined compression algorithms */ + if (zram->comp_algs[prio] != default_compressor) + kfree(zram->comp_algs[prio]); zram->comp_algs[prio] = NULL; } -- 2.45.2

11 months, 1 week

5
17
0 0

[regression] frozen usb mouse pointer at boot

by Linux regression tracking (Thorsten Leemhuis)

Hi, Thorsten here, the Linux kernel's regression tracker. I noticed a report about a linux-6.6.y regression in bugzilla.kernel.org that appears to be caused by this commit from Dan applied by Greg: 15fffc6a5624b1 ("driver core: Fix uevent_show() vs driver detach race") [v6.11-rc3, v6.10.5, v6.6.46, v6.1.105, v5.15.165, v5.10.224, v5.4.282, v4.19.320] The reporter did not check yet if mainline is affected; decided to forward the report by mail nevertheless, as the maintainer for the subsystem is also the maintainer for the stable tree. ;-) To quote from https://bugzilla.kernel.org/show_bug.cgi?id=219244 : > The symptoms of this bug are as follows: > > - After booting (to the graphical login screen) the mouse pointer > would frozen and only after unplugging and plugging-in again the usb > plug of the mouse would the mouse be working as expected. > - If one would log in without fixing the mouse issue, the mouse > pointer would still be frozen after login. > - The usb keyboard usually is not affected even though plugged into > the same usb-hub - thus logging in is possible. > - The mouse pointer is also frozen if the usb connector is plugged > into a different usb-port (different from the usb-hub) > - The pointer is moveable via the inbuilt synaptics trackpad > > > The kernel log shows almost the same messages (not sure if the > differences mean anything in regards to this bug) for the initial > recognizing the mouse (frozen mouse pointer) and the re-plugged-in mouse > (and subsequently moveable mouse pointer): > > [kernel] [ 8.763158] usb 1-2.2.1.2: new low-speed USB device number 10 using xhci_hcd > [kernel] [ 8.956028] usb 1-2.2.1.2: New USB device found, idVendor=045e, idProduct=00cb, bcdDevice= 1.04 > [kernel] [ 8.956036] usb 1-2.2.1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0 > [kernel] [ 8.956039] usb 1-2.2.1.2: Product: Microsoft Basic Optical Mouse v2.0 > [kernel] [ 8.956041] usb 1-2.2.1.2: Manufacturer: Microsoft > [kernel] [ 8.963554] input: Microsoft Microsoft Basic Optical Mouse v2.0 as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2.2/1-2.2.1/1-2.2.1.2/1-2.2.1.2:1.0/0003:045E:00CB.0002/input/input18 > [kernel] [ 8.964417] hid-generic 0003:045E:00CB.0002: input,hidraw1: USB HID v1.11 Mouse [Microsoft Microsoft Basic Optical Mouse v2.0 ] on usb-0000:00:14.0-2.2.1.2/input0 > > [kernel] [ 31.258381] usb 1-2.2.1.2: USB disconnect, device number 10 > [kernel] [ 31.595051] usb 1-2.2.1.2: new low-speed USB device number 16 using xhci_hcd > [kernel] [ 31.804002] usb 1-2.2.1.2: New USB device found, idVendor=045e, idProduct=00cb, bcdDevice= 1.04 > [kernel] [ 31.804010] usb 1-2.2.1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0 > [kernel] [ 31.804013] usb 1-2.2.1.2: Product: Microsoft Basic Optical Mouse v2.0 > [kernel] [ 31.804016] usb 1-2.2.1.2: Manufacturer: Microsoft > [kernel] [ 31.812933] input: Microsoft Microsoft Basic Optical Mouse v2.0 as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2.2/1-2.2.1/1-2.2.1.2/1-2.2.1.2:1.0/0003:045E:00CB.0004/input/input20 > [kernel] [ 31.814028] hid-generic 0003:045E:00CB.0004: input,hidraw1: USB HID v1.11 Mouse [Microsoft Microsoft Basic Optical Mouse v2.0 ] on usb-0000:00:14.0-2.2.1.2/input0 > > Differences: > > ../0003:045E:00CB.0002/input/input18 vs ../0003:045E:00CB.0004/input/input20 > > and > > hid-generic 0003:045E:00CB.0002 vs hid-generic 0003:045E:00CB.0004 > > > The connector / usb-port was not changed in this case! > > > The symptoms of this bug have been present at one point in the > recent > past, but with kernel v6.6.45 (or maybe even some version before that) > it was fine. But with 6.6.45 it seems to be definitely fine. > > But with v6.6.46 the symptoms returned. That's the reason I > suspected > the kernel to be the cause of this issue. So I did some bisecting - > which wasn't easy because that bug would often times not appear if the > system was simply rebooted into the test kernel. > As the bug would definitely appear on the affected kernels (v6.6.46 > ff) after shutting down the system for the night and booting the next > day, I resorted to simulating the over-night powering-off by shutting > the system down, unplugging the power and pressing the power button to > get rid of residual voltage. But even then a few times the bug would > only appear if I repeated this procedure before booting the system again > with the respective kernel. > > This is on a Thinkpad with Kaby Lake and integrated Intel graphics. > Even though it is a laptop, it is used as a desktop device, and the > internal battery is disconnected, the removable battery is removed as > the system is plugged-in via the power cord at all times (when in use)! > Also, the system has no power (except for the bios battery, of > course) > over night as the power outlet is switched off if the device is not in use. > > Not sure if this affects the issue - or how it does. But for > successful bisecting I had to resort to the above procedure. > > Bisecting the issue (between the release commits of v6.6.45 and > v6.6.46) resulted in this commit [1] being the probable culprit. > > I then tested kernel v6.6.49. It still produced the bug for me. So I > reverted the changes of the assumed "bad commit" and re-compiled kernel > v6.6.49. With this modified kernel the bug seems to be gone. > > Now, I assume the commit has a reason for being introduced, but > maybe > needs some adjusting in order to avoid this bug I'm experiencing on my > system. > Also, I can't say why the issue appeared in the past even without > this > commit being present, as I haven't bisected any kernel version before > v6.6.45. > > > [1]: > > 4d035c743c3e391728a6f81cbf0f7f9ca700cf62 is the first bad commit > commit 4d035c743c3e391728a6f81cbf0f7f9ca700cf62 > Author: Dan Williams <dan.j.williams(a)intel.com> > Date: Fri Jul 12 12:42:09 2024 -0700 > > driver core: Fix uevent_show() vs driver detach race > > commit 15fffc6a5624b13b428bb1c6e9088e32a55eb82c upstream. > > uevent_show() wants to de-reference dev->driver->name. There is no clean See the ticket for more details. Note, you have to use bugzilla to reach the reporter, as I sadly[1] can not CCed them in mails like this. Ciao, Thorsten (wearing his 'the Linux kernel's regression tracker' hat) -- Everything you wanna know about Linux kernel regression tracking: https://linux-regtracking.leemhuis.info/about/#tldr If I did something stupid, please tell me, as explained on that page. [1] because bugzilla.kernel.org tells users upon registration their "email address will never be displayed to logged out users" P.S.: let me use this mail to also add the report to the list of tracked regressions to ensure it's doesn't fall through the cracks: #regzbot introduced: 4d035c743c3e391728a6f81cbf0f7f9ca700cf62 #regzbot from: brmails+k #regzbot duplicate: https://bugzilla.kernel.org/show_bug.cgi?id=219244 #regzbot title: driver core: frozen usb mouse pointer at boot #regzbot ignore-activity

11 months, 1 week

3
5
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror September 2024