1. 10 Jun, 2023 2 commits
  2. 09 Jun, 2023 8 commits
  3. 08 Jun, 2023 16 commits
  4. 07 Jun, 2023 14 commits
    • Linus Torvalds's avatar
      Merge tag 'input-for-v6.4-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · 5f63595e
      Linus Torvalds authored
      Pull input fixes from Dmitry Torokhov:
      
       - a fix for unbalanced open count for inhibited input devices
      
       - fixups in Elantech PS/2 and Cyppress TTSP v5 drivers
      
       - a quirk to soc_button_array driver to make it work with Lenovo
         Yoga Book X90F / X90L
      
       - a removal of erroneous entry from xpad driver
      
      * tag 'input-for-v6.4-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: xpad - delete a Razer DeathAdder mouse VID/PID entry
        Input: psmouse - fix OOB access in Elantech protocol
        Input: soc_button_array - add invalid acpi_index DMI quirk handling
        Input: fix open count when closing inhibited device
        Input: cyttsp5 - fix array length
      5f63595e
    • Thomas Gleixner's avatar
      MAINTAINERS: Add entry for debug objects · 25bda386
      Thomas Gleixner authored
      This is overdue and an oversight.
      
      Add myself to this file deespite the fact that I'm trying to reduce the
      number of entries in this file which have my name attached, but in the
      hope that patches wont get picked up elsewhere completely unreviewed and
      unnoticed.
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      25bda386
    • David Howells's avatar
      afs: Fix setting of mtime when creating a file/dir/symlink · a27648c7
      David Howells authored
      kafs incorrectly passes a zero mtime (ie. 1st Jan 1970) to the server when
      creating a file, dir or symlink because the mtime recorded in the
      afs_operation struct gets passed to the server by the marshalling routines,
      but the afs_mkdir(), afs_create() and afs_symlink() functions don't set it.
      
      This gets masked if a file or directory is subsequently modified.
      
      Fix this by filling in op->mtime before calling the create op.
      
      Fixes: e49c7b2f ("afs: Build an abstraction around an "operation" concept")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Reviewed-by: default avatarJeffrey Altman <jaltman@auristor.com>
      Reviewed-by: default avatarMarc Dionne <marc.dionne@auristor.com>
      cc: linux-afs@lists.infradead.org
      cc: linux-fsdevel@vger.kernel.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      a27648c7
    • Jiri Olsa's avatar
      bpf: Add extra path pointer check to d_path helper · f46fab0e
      Jiri Olsa authored
      Anastasios reported crash on stable 5.15 kernel with following
      BPF attached to lsm hook:
      
        SEC("lsm.s/bprm_creds_for_exec")
        int BPF_PROG(bprm_creds_for_exec, struct linux_binprm *bprm)
        {
                struct path *path = &bprm->executable->f_path;
                char p[128] = { 0 };
      
                bpf_d_path(path, p, 128);
                return 0;
        }
      
      But bprm->executable can be NULL, so bpf_d_path call will crash:
      
        BUG: kernel NULL pointer dereference, address: 0000000000000018
        #PF: supervisor read access in kernel mode
        #PF: error_code(0x0000) - not-present page
        PGD 0 P4D 0
        Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC NOPTI
        ...
        RIP: 0010:d_path+0x22/0x280
        ...
        Call Trace:
         <TASK>
         bpf_d_path+0x21/0x60
         bpf_prog_db9cf176e84498d9_bprm_creds_for_exec+0x94/0x99
         bpf_trampoline_6442506293_0+0x55/0x1000
         bpf_lsm_bprm_creds_for_exec+0x5/0x10
         security_bprm_creds_for_exec+0x29/0x40
         bprm_execve+0x1c1/0x900
         do_execveat_common.isra.0+0x1af/0x260
         __x64_sys_execve+0x32/0x40
      
      It's problem for all stable trees with bpf_d_path helper, which was
      added in 5.9.
      
      This issue is fixed in current bpf code, where we identify and mark
      trusted pointers, so the above code would fail even to load.
      
      For the sake of the stable trees and to workaround potentially broken
      verifier in the future, adding the code that reads the path object from
      the passed pointer and verifies it's valid in kernel space.
      
      Fixes: 6e22ab9d ("bpf: Add d_path helper")
      Reported-by: default avatarAnastasios Papagiannis <tasos.papagiannnis@gmail.com>
      Suggested-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarJiri Olsa <jolsa@kernel.org>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarStanislav Fomichev <sdf@google.com>
      Acked-by: default avatarYonghong Song <yhs@fb.com>
      Link: https://lore.kernel.org/bpf/20230606181714.532998-1-jolsa@kernel.org
      f46fab0e
    • Hangyu Hua's avatar
      net: sched: fix possible refcount leak in tc_chain_tmplt_add() · 44f8baaf
      Hangyu Hua authored
      try_module_get will be called in tcf_proto_lookup_ops. So module_put needs
      to be called to drop the refcount if ops don't implement the required
      function.
      
      Fixes: 9f407f17 ("net: sched: introduce chain templates")
      Signed-off-by: default avatarHangyu Hua <hbh25y@gmail.com>
      Reviewed-by: default avatarLarysa Zaremba <larysa.zaremba@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      44f8baaf
    • Eric Dumazet's avatar
      net: sched: act_police: fix sparse errors in tcf_police_dump() · 682881ee
      Eric Dumazet authored
      Fixes following sparse errors:
      
      net/sched/act_police.c:360:28: warning: dereference of noderef expression
      net/sched/act_police.c:362:45: warning: dereference of noderef expression
      net/sched/act_police.c:362:45: warning: dereference of noderef expression
      net/sched/act_police.c:368:28: warning: dereference of noderef expression
      net/sched/act_police.c:370:45: warning: dereference of noderef expression
      net/sched/act_police.c:370:45: warning: dereference of noderef expression
      net/sched/act_police.c:376:45: warning: dereference of noderef expression
      net/sched/act_police.c:376:45: warning: dereference of noderef expression
      
      Fixes: d1967e49 ("net_sched: act_police: add 2 new attributes to support police 64bit rate and peakrate")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Acked-by: default avatarJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      682881ee
    • Eelco Chaudron's avatar
      net: openvswitch: fix upcall counter access before allocation · de9df6c6
      Eelco Chaudron authored
      Currently, the per cpu upcall counters are allocated after the vport is
      created and inserted into the system. This could lead to the datapath
      accessing the counters before they are allocated resulting in a kernel
      Oops.
      
      Here is an example:
      
        PID: 59693    TASK: ffff0005f4f51500  CPU: 0    COMMAND: "ovs-vswitchd"
         #0 [ffff80000a39b5b0] __switch_to at ffffb70f0629f2f4
         #1 [ffff80000a39b5d0] __schedule at ffffb70f0629f5cc
         #2 [ffff80000a39b650] preempt_schedule_common at ffffb70f0629fa60
         #3 [ffff80000a39b670] dynamic_might_resched at ffffb70f0629fb58
         #4 [ffff80000a39b680] mutex_lock_killable at ffffb70f062a1388
         #5 [ffff80000a39b6a0] pcpu_alloc at ffffb70f0594460c
         #6 [ffff80000a39b750] __alloc_percpu_gfp at ffffb70f05944e68
         #7 [ffff80000a39b760] ovs_vport_cmd_new at ffffb70ee6961b90 [openvswitch]
         ...
      
        PID: 58682    TASK: ffff0005b2f0bf00  CPU: 0    COMMAND: "kworker/0:3"
         #0 [ffff80000a5d2f40] machine_kexec at ffffb70f056a0758
         #1 [ffff80000a5d2f70] __crash_kexec at ffffb70f057e2994
         #2 [ffff80000a5d3100] crash_kexec at ffffb70f057e2ad8
         #3 [ffff80000a5d3120] die at ffffb70f0628234c
         #4 [ffff80000a5d31e0] die_kernel_fault at ffffb70f062828a8
         #5 [ffff80000a5d3210] __do_kernel_fault at ffffb70f056a31f4
         #6 [ffff80000a5d3240] do_bad_area at ffffb70f056a32a4
         #7 [ffff80000a5d3260] do_translation_fault at ffffb70f062a9710
         #8 [ffff80000a5d3270] do_mem_abort at ffffb70f056a2f74
         #9 [ffff80000a5d32a0] el1_abort at ffffb70f06297dac
        #10 [ffff80000a5d32d0] el1h_64_sync_handler at ffffb70f06299b24
        #11 [ffff80000a5d3410] el1h_64_sync at ffffb70f056812dc
        #12 [ffff80000a5d3430] ovs_dp_upcall at ffffb70ee6963c84 [openvswitch]
        #13 [ffff80000a5d3470] ovs_dp_process_packet at ffffb70ee6963fdc [openvswitch]
        #14 [ffff80000a5d34f0] ovs_vport_receive at ffffb70ee6972c78 [openvswitch]
        #15 [ffff80000a5d36f0] netdev_port_receive at ffffb70ee6973948 [openvswitch]
        #16 [ffff80000a5d3720] netdev_frame_hook at ffffb70ee6973a28 [openvswitch]
        #17 [ffff80000a5d3730] __netif_receive_skb_core.constprop.0 at ffffb70f06079f90
      
      We moved the per cpu upcall counter allocation to the existing vport
      alloc and free functions to solve this.
      
      Fixes: 95637d91 ("net: openvswitch: release vport resources on failure")
      Fixes: 1933ea36 ("net: openvswitch: Add support to count upcall packets")
      Signed-off-by: default avatarEelco Chaudron <echaudro@redhat.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Acked-by: default avatarAaron Conole <aconole@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      de9df6c6
    • Eric Dumazet's avatar
      net: sched: move rtm_tca_policy declaration to include file · 886bc7d6
      Eric Dumazet authored
      rtm_tca_policy is used from net/sched/sch_api.c and net/sched/cls_api.c,
      thus should be declared in an include file.
      
      This fixes the following sparse warning:
      net/sched/sch_api.c:1434:25: warning: symbol 'rtm_tca_policy' was not declared. Should it be static?
      
      Fixes: e331473f ("net/sched: cls_api: add missing validation of netlink attributes")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      886bc7d6
    • Michal Schmidt's avatar
      ice: make writes to /dev/gnssX synchronous · bf15bb38
      Michal Schmidt authored
      The current ice driver's GNSS write implementation buffers writes and
      works through them asynchronously in a kthread. That's bad because:
       - The GNSS write_raw operation is supposed to be synchronous[1][2].
       - There is no upper bound on the number of pending writes.
         Userspace can submit writes much faster than the driver can process,
         consuming unlimited amounts of kernel memory.
      
      A patch that's currently on review[3] ("[v3,net] ice: Write all GNSS
      buffers instead of first one") would add one more problem:
       - The possibility of waiting for a very long time to flush the write
         work when doing rmmod, softlockups.
      
      To fix these issues, simplify the implementation: Drop the buffering,
      the write_work, and make the writes synchronous.
      
      I tested this with gpsd and ubxtool.
      
      [1] https://events19.linuxfoundation.org/wp-content/uploads/2017/12/The-GNSS-Subsystem-Johan-Hovold-Hovold-Consulting-AB.pdf
          "User interface" slide.
      [2] A comment in drivers/gnss/core.c:gnss_write():
              /* Ignoring O_NONBLOCK, write_raw() is synchronous. */
      [3] https://patchwork.ozlabs.org/project/intel-wired-lan/patch/20230217120541.16745-1-karol.kolacinski@intel.com/
      
      Fixes: d6b98c8d ("ice: add write functionality for GNSS TTY")
      Signed-off-by: default avatarMichal Schmidt <mschmidt@redhat.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Tested-by: Sunitha Mekala <sunithax.d.mekala@intel.com> (A Contingent worker at Intel)
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bf15bb38
    • Eric Dumazet's avatar
      net: sched: add rcu annotations around qdisc->qdisc_sleeping · d636fc5d
      Eric Dumazet authored
      syzbot reported a race around qdisc->qdisc_sleeping [1]
      
      It is time we add proper annotations to reads and writes to/from
      qdisc->qdisc_sleeping.
      
      [1]
      BUG: KCSAN: data-race in dev_graft_qdisc / qdisc_lookup_rcu
      
      read to 0xffff8881286fc618 of 8 bytes by task 6928 on cpu 1:
      qdisc_lookup_rcu+0x192/0x2c0 net/sched/sch_api.c:331
      __tcf_qdisc_find+0x74/0x3c0 net/sched/cls_api.c:1174
      tc_get_tfilter+0x18f/0x990 net/sched/cls_api.c:2547
      rtnetlink_rcv_msg+0x7af/0x8c0 net/core/rtnetlink.c:6386
      netlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2546
      rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6413
      netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
      netlink_unicast+0x56f/0x640 net/netlink/af_netlink.c:1365
      netlink_sendmsg+0x665/0x770 net/netlink/af_netlink.c:1913
      sock_sendmsg_nosec net/socket.c:724 [inline]
      sock_sendmsg net/socket.c:747 [inline]
      ____sys_sendmsg+0x375/0x4c0 net/socket.c:2503
      ___sys_sendmsg net/socket.c:2557 [inline]
      __sys_sendmsg+0x1e3/0x270 net/socket.c:2586
      __do_sys_sendmsg net/socket.c:2595 [inline]
      __se_sys_sendmsg net/socket.c:2593 [inline]
      __x64_sys_sendmsg+0x46/0x50 net/socket.c:2593
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      write to 0xffff8881286fc618 of 8 bytes by task 6912 on cpu 0:
      dev_graft_qdisc+0x4f/0x80 net/sched/sch_generic.c:1115
      qdisc_graft+0x7d0/0xb60 net/sched/sch_api.c:1103
      tc_modify_qdisc+0x712/0xf10 net/sched/sch_api.c:1693
      rtnetlink_rcv_msg+0x807/0x8c0 net/core/rtnetlink.c:6395
      netlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2546
      rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6413
      netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
      netlink_unicast+0x56f/0x640 net/netlink/af_netlink.c:1365
      netlink_sendmsg+0x665/0x770 net/netlink/af_netlink.c:1913
      sock_sendmsg_nosec net/socket.c:724 [inline]
      sock_sendmsg net/socket.c:747 [inline]
      ____sys_sendmsg+0x375/0x4c0 net/socket.c:2503
      ___sys_sendmsg net/socket.c:2557 [inline]
      __sys_sendmsg+0x1e3/0x270 net/socket.c:2586
      __do_sys_sendmsg net/socket.c:2595 [inline]
      __se_sys_sendmsg net/socket.c:2593 [inline]
      __x64_sys_sendmsg+0x46/0x50 net/socket.c:2593
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 0 PID: 6912 Comm: syz-executor.5 Not tainted 6.4.0-rc3-syzkaller-00190-g0d85b27b #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/16/2023
      
      Fixes: 3a7d0d07 ("net: sched: extend Qdisc with rcu")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Vlad Buslov <vladbu@nvidia.com>
      Acked-by: Jamal Hadi Salim<jhs@mojatatu.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d636fc5d
    • David S. Miller's avatar
      Merge branch 'rfs-lockless-annotate' · e3144ff5
      David S. Miller authored
      Eric Dumazet says:
      
      ====================
      rfs: annotate lockless accesses
      
      rfs runs without locks held, so we should annotate
      read and writes to shared variables.
      
      It should prevent compilers forcing writes
      in the following situation:
      
        if (var != val)
           var = val;
      
      A compiler could indeed simply avoid the conditional:
      
          var = val;
      
      This matters if var is shared between many cpus.
      
      v2: aligns one closing bracket (Simon)
          adds Fixes: tags (Jakub)
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e3144ff5
    • Eric Dumazet's avatar
      rfs: annotate lockless accesses to RFS sock flow table · 5c3b74a9
      Eric Dumazet authored
      Add READ_ONCE()/WRITE_ONCE() on accesses to the sock flow table.
      
      This also prevents a (smart ?) compiler to remove the condition in:
      
      if (table->ents[index] != newval)
              table->ents[index] = newval;
      
      We need the condition to avoid dirtying a shared cache line.
      
      Fixes: fec5e652 ("rfs: Receive Flow Steering")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Reviewed-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5c3b74a9
    • Eric Dumazet's avatar
      rfs: annotate lockless accesses to sk->sk_rxhash · 1e5c647c
      Eric Dumazet authored
      Add READ_ONCE()/WRITE_ONCE() on accesses to sk->sk_rxhash.
      
      This also prevents a (smart ?) compiler to remove the condition in:
      
      if (sk->sk_rxhash != newval)
      	sk->sk_rxhash = newval;
      
      We need the condition to avoid dirtying a shared cache line.
      
      Fixes: fec5e652 ("rfs: Receive Flow Steering")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Reviewed-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1e5c647c
    • Jakub Kicinski's avatar
      Merge tag 'for-net-2023-06-05' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth · ab39b113
      Jakub Kicinski authored
      Luiz Augusto von Dentz says:
      
      ====================
      bluetooth pull request for net:
      
       - Fixes to debugfs registration
       - Fix use-after-free in hci_remove_ltk/hci_remove_irk
       - Fixes to ISO channel support
       - Fix missing checks for invalid L2CAP DCID
       - Fix l2cap_disconnect_req deadlock
       - Add lock to protect HCI_UNREGISTER
      
      * tag 'for-net-2023-06-05' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:
        Bluetooth: L2CAP: Add missing checks for invalid DCID
        Bluetooth: ISO: use correct CIS order in Set CIG Parameters event
        Bluetooth: ISO: don't try to remove CIG if there are bound CIS left
        Bluetooth: Fix l2cap_disconnect_req deadlock
        Bluetooth: hci_qca: fix debugfs registration
        Bluetooth: fix debugfs registration
        Bluetooth: hci_sync: add lock to protect HCI_UNREGISTER
        Bluetooth: Fix use-after-free in hci_remove_ltk/hci_remove_irk
        Bluetooth: ISO: Fix CIG auto-allocation to select configurable CIG
        Bluetooth: ISO: consider right CIS when removing CIG at cleanup
      ====================
      
      Link: https://lore.kernel.org/r/20230606003454.2392552-1-luiz.dentz@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ab39b113