1. 08 May, 2024 7 commits
  2. 05 May, 2024 13 commits
    • Linus Torvalds's avatar
      Linux 6.9-rc7 · dd5a440a
      Linus Torvalds authored
      dd5a440a
    • Linus Torvalds's avatar
      epoll: be better about file lifetimes · 4efaa5ac
      Linus Torvalds authored
      epoll can call out to vfs_poll() with a file pointer that may race with
      the last 'fput()'. That would make f_count go down to zero, and while
      the ep->mtx locking means that the resulting file pointer tear-down will
      be blocked until the poll returns, it means that f_count is already
      dead, and any use of it won't actually get a reference to the file any
      more: it's dead regardless.
      
      Make sure we have a valid ref on the file pointer before we call down to
      vfs_poll() from the epoll routines.
      
      Link: https://lore.kernel.org/lkml/0000000000002d631f0615918f1e@google.com/
      Reported-by: syzbot+045b454ab35fd82a35fb@syzkaller.appspotmail.com
      Reviewed-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      4efaa5ac
    • Linus Torvalds's avatar
      Merge tag 'edac_urgent_for_v6.9_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/ras/ras · f462ae0e
      Linus Torvalds authored
      Pull EDAC fixes from Borislav Petkov:
      
       - Fix error logging and check user-supplied data when injecting an
         error in the versal EDAC driver
      
      * tag 'edac_urgent_for_v6.9_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/ras/ras:
        EDAC/versal: Do not log total error counts
        EDAC/versal: Check user-supplied data before injecting an error
        EDAC/versal: Do not register for NOC errors
      f462ae0e
    • Linus Torvalds's avatar
      Merge tag 'powerpc-6.9-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · ef095257
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
      
       - Fix incorrect delay handling in the plpks (keystore) code
      
       - Fix a panic when an LPAR boots with a frozen PE
      
      Thanks to Andrew Donnellan, Gaurav Batra, Nageswara R Sastry, and Nayna
      Jain.
      
      * tag 'powerpc-6.9-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/pseries/iommu: LPAR panics during boot up with a frozen PE
        powerpc/pseries: make max polling consistent for longer H_CALLs
      ef095257
    • Linus Torvalds's avatar
      Merge tag 'x86-urgent-2024-05-05' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · d099637d
      Linus Torvalds authored
      Pull misc x86 fixes from Ingo Molnar:
      
       - Remove the broken vsyscall emulation code from
         the page fault code
      
       - Fix kexec crash triggered by certain SEV RMP
         table layouts
      
       - Fix unchecked MSR access error when disabling
         the x2APIC via iommu=off
      
      * tag 'x86-urgent-2024-05-05' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/mm: Remove broken vsyscall emulation code from the page fault code
        x86/apic: Don't access the APIC when disabling x2APIC
        x86/sev: Add callback to apply RMP table fixups for kexec
        x86/e820: Add a new e820 table update helper
      d099637d
    • Linus Torvalds's avatar
      Merge tag 'irq-urgent-2024-05-05' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 80f8b450
      Linus Torvalds authored
      Pull irq fix from Ingo Molnar:
       "Fix suspicious RCU usage in __do_softirq()"
      
      * tag 'irq-urgent-2024-05-05' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        softirq: Fix suspicious RCU usage in __do_softirq()
      80f8b450
    • Linus Torvalds's avatar
      Merge tag 'char-misc-6.9-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · b9158815
      Linus Torvalds authored
      Pull char/misc driver fixes from Greg KH:
       "Here are some small char/misc/other driver fixes and new device ids
        for 6.9-rc7 that resolve some reported problems.
      
        Included in here are:
      
         - iio driver fixes
      
         - mei driver fix and new device ids
      
         - dyndbg bugfix
      
         - pvpanic-pci driver bugfix
      
         - slimbus driver bugfix
      
         - fpga new device id
      
        All have been in linux-next with no reported problems"
      
      * tag 'char-misc-6.9-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        slimbus: qcom-ngd-ctrl: Add timeout for wait operation
        dyndbg: fix old BUG_ON in >control parser
        misc/pvpanic-pci: register attributes via pci_driver
        fpga: dfl-pci: add PCI subdevice ID for Intel D5005 card
        mei: me: add lunar lake point M DID
        mei: pxp: match against PCI_CLASS_DISPLAY_OTHER
        iio:imu: adis16475: Fix sync mode setting
        iio: accel: mxc4005: Reset chip on probe() and resume()
        iio: accel: mxc4005: Interrupt handling fixes
        dt-bindings: iio: health: maxim,max30102: fix compatible check
        iio: pressure: Fixes SPI support for BMP3xx devices
        iio: pressure: Fixes BME280 SPI driver data
      b9158815
    • Linus Torvalds's avatar
      Merge tag 'usb-6.9-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 3c152370
      Linus Torvalds authored
      Pull USB driver fixes from Greg KH:
       "Here are some small USB driver fixes for reported problems for
        6.9-rc7. Included in here are:
      
         - usb core fixes for found issues
      
         - typec driver fixes for reported problems
      
         - usb gadget driver fixes for reported problems
      
         - xhci build fixes
      
         - dwc3 driver fixes for reported issues
      
        All of these have been in linux-next this past week with no reported
        problems"
      
      * tag 'usb-6.9-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        usb: typec: tcpm: Check for port partner validity before consuming it
        usb: typec: tcpm: enforce ready state when queueing alt mode vdm
        usb: typec: tcpm: unregister existing source caps before re-registration
        usb: typec: tcpm: clear pd_event queue in PORT_RESET
        usb: typec: tcpm: queue correct sop type in tcpm_queue_vdm_unlocked
        usb: Fix regression caused by invalid ep0 maxpacket in virtual SuperSpeed device
        usb: ohci: Prevent missed ohci interrupts
        usb: typec: qcom-pmic: fix pdphy start() error handling
        usb: typec: qcom-pmic: fix use-after-free on late probe errors
        usb: gadget: f_fs: Fix a race condition when processing setup packets.
        USB: core: Fix access violation during port device removal
        usb: dwc3: core: Prevent phy suspend during init
        usb: xhci-plat: Don't include xhci.h
        usb: gadget: uvc: use correct buffer size when parsing configfs lists
        usb: gadget: composite: fix OS descriptors w_value logic
        usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete
      3c152370
    • Linus Torvalds's avatar
      Merge tag 'input-for-v6.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · 3f1d0865
      Linus Torvalds authored
      Pull input fixes from Dmitry Torokhov:
      
       - a new ID for ASUS ROG RAIKIRI controllers added to xpad driver
      
       - amimouse driver structure annotated with __refdata to prevent section
         mismatch warnings.
      
      * tag 'input-for-v6.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: amimouse - mark driver struct with __refdata to prevent section mismatch
        Input: xpad - add support for ASUS ROG RAIKIRI
      3f1d0865
    • Linus Torvalds's avatar
      Merge tag 'probes-fixes-v6.9-rc6' of... · 2c17a1cd
      Linus Torvalds authored
      Merge tag 'probes-fixes-v6.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace
      
      Pull probes fix from Masami Hiramatsu:
      
       - probe-events: Fix memory leak in parsing probe argument.
      
         There is a memory leak (forget to free an allocated buffer) in a
         memory allocation failure path. Fix it to jump to the correct error
         handling code.
      
      * tag 'probes-fixes-v6.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
        tracing/probes: Fix memory leak in traceprobe_parse_probe_arg_body()
      2c17a1cd
    • Linus Torvalds's avatar
      Merge tag 'trace-v6.9-rc6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace · e92b99ae
      Linus Torvalds authored
      Pull tracing and tracefs fixes from Steven Rostedt:
      
       - Fix RCU callback of freeing an eventfs_inode.
      
         The freeing of the eventfs_inode from the kref going to zero freed
         the contents of the eventfs_inode and then used kfree_rcu() to free
         the inode itself. But the contents should also be protected by RCU.
         Switch to a call_rcu() that calls a function to free all of the
         eventfs_inode after the RCU synchronization.
      
       - The tracing subsystem maps its own descriptor to a file represented
         by eventfs. The freeing of this descriptor needs to know when the
         last reference of an eventfs_inode is released, but currently there
         is no interface for that.
      
         Add a "release" callback to the eventfs_inode entry array that allows
         for freeing of data that can be referenced by the eventfs_inode being
         opened. Then increment the ref counter for this descriptor when the
         eventfs_inode file is created, and decrement/free it when the last
         reference to the eventfs_inode is released and the file is removed.
         This prevents races between freeing the descriptor and the opening of
         the eventfs file.
      
       - Fix the permission processing of eventfs.
      
         The change to make the permissions of eventfs default to the mount
         point but keep track of when changes were made had a side effect that
         could cause security concerns. When the tracefs is remounted with a
         given gid or uid, all the files within it should inherit that gid or
         uid. But if the admin had changed the permission of some file within
         the tracefs file system, it would not get updated by the remount.
      
         This caused the kselftest of file permissions to fail the second time
         it is run. The first time, all changes would look fine, but the
         second time, because the changes were "saved", the remount did not
         reset them.
      
         Create a link list of all existing tracefs inodes, and clear the
         saved flags on them on a remount if the remount changes the
         corresponding gid or uid fields.
      
         This also simplifies the code by removing the distinction between the
         toplevel eventfs and an instance eventfs. They should both act the
         same. They were different because of a misconception due to the
         remount not resetting the flags. Now that remount resets all the
         files and directories to default to the root node if a uid/gid is
         specified, it makes the logic simpler to implement.
      
      * tag 'trace-v6.9-rc6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
        eventfs: Have "events" directory get permissions from its parent
        eventfs: Do not treat events directory different than other directories
        eventfs: Do not differentiate the toplevel events directory
        tracefs: Still use mount point as default permissions for instances
        tracefs: Reset permissions on remount if permissions are options
        eventfs: Free all of the eventfs_inode after RCU
        eventfs/tracing: Add callback for release of an eventfs_inode
      e92b99ae
    • Linus Torvalds's avatar
      Merge tag 'dma-mapping-6.9-2024-05-04' of git://git.infradead.org/users/hch/dma-mapping · 4fbcf585
      Linus Torvalds authored
      Pull dma-mapping fix from Christoph Hellwig:
      
       - fix the combination of restricted pools and dynamic swiotlb
         (Will Deacon)
      
      * tag 'dma-mapping-6.9-2024-05-04' of git://git.infradead.org/users/hch/dma-mapping:
        swiotlb: initialise restricted pool list_head when SWIOTLB_DYNAMIC=y
      4fbcf585
    • Linus Torvalds's avatar
      Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · 61ccc8c3
      Linus Torvalds authored
      Pull clk fixes from Stephen Boyd:
       "A handful of clk driver fixes:
      
         - Avoid a deadlock in the Qualcomm clk driver by making the regulator
           which supplies the GDSC optional
      
         - Restore RPM clks on Qualcomm msm8976 by setting num_clks
      
         - Fix Allwinner H6 CPU rate changing logic to avoid system crashes by
           temporarily reparenting the CPU clk to something that isn't being
           changed
      
         - Set a MIPI PLL min/max rate on Allwinner A64 to fix blank screens
           on some devices
      
         - Revert back to of_match_device() in the Samsung clkout driver to
           get the match data based on the parent device's compatible string"
      
      * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
        clk: samsung: Revert "clk: Use device_get_match_data()"
        clk: sunxi-ng: a64: Set minimum and maximum rate for PLL-MIPI
        clk: sunxi-ng: common: Support minimum and maximum rate
        clk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change
        clk: qcom: smd-rpm: Restore msm8976 num_clk
        clk: qcom: gdsc: treat optional supplies as optional
      61ccc8c3
  3. 04 May, 2024 7 commits
    • Steven Rostedt (Google)'s avatar
      eventfs: Have "events" directory get permissions from its parent · d57cf30c
      Steven Rostedt (Google) authored
      The events directory gets its permissions from the root inode. But this
      can cause an inconsistency if the instances directory changes its
      permissions, as the permissions of the created directories under it should
      inherit the permissions of the instances directory when directories under
      it are created.
      
      Currently the behavior is:
      
       # cd /sys/kernel/tracing
       # chgrp 1002 instances
       # mkdir instances/foo
       # ls -l instances/foo
      [..]
       -r--r-----  1 root lkp  0 May  1 18:55 buffer_total_size_kb
       -rw-r-----  1 root lkp  0 May  1 18:55 current_tracer
       -rw-r-----  1 root lkp  0 May  1 18:55 error_log
       drwxr-xr-x  1 root root 0 May  1 18:55 events
       --w-------  1 root lkp  0 May  1 18:55 free_buffer
       drwxr-x---  2 root lkp  0 May  1 18:55 options
       drwxr-x--- 10 root lkp  0 May  1 18:55 per_cpu
       -rw-r-----  1 root lkp  0 May  1 18:55 set_event
      
      All the files and directories under "foo" has the "lkp" group except the
      "events" directory. That's because its getting its default value from the
      mount point instead of its parent.
      
      Have the "events" directory make its default value based on its parent's
      permissions. That now gives:
      
       # ls -l instances/foo
      [..]
       -rw-r-----  1 root lkp 0 May  1 21:16 buffer_subbuf_size_kb
       -r--r-----  1 root lkp 0 May  1 21:16 buffer_total_size_kb
       -rw-r-----  1 root lkp 0 May  1 21:16 current_tracer
       -rw-r-----  1 root lkp 0 May  1 21:16 error_log
       drwxr-xr-x  1 root lkp 0 May  1 21:16 events
       --w-------  1 root lkp 0 May  1 21:16 free_buffer
       drwxr-x---  2 root lkp 0 May  1 21:16 options
       drwxr-x--- 10 root lkp 0 May  1 21:16 per_cpu
       -rw-r-----  1 root lkp 0 May  1 21:16 set_event
      
      Link: https://lore.kernel.org/linux-trace-kernel/20240502200906.161887248@goodmis.org
      
      Cc: stable@vger.kernel.org
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Fixes: 8186fff7 ("tracefs/eventfs: Use root and instance inodes as default ownership")
      Signed-off-by: default avatarSteven Rostedt (Google) <rostedt@goodmis.org>
      d57cf30c
    • Steven Rostedt (Google)'s avatar
      eventfs: Do not treat events directory different than other directories · 22e61e15
      Steven Rostedt (Google) authored
      Treat the events directory the same as other directories when it comes to
      permissions. The events directory was considered different because it's
      dentry is persistent, whereas the other directory dentries are created
      when accessed. But the way tracefs now does its ownership by using the
      root dentry's permissions as the default permissions, the events directory
      can get out of sync when a remount is performed setting the group and user
      permissions.
      
      Remove the special case for the events directory on setting the
      attributes. This allows the updates caused by remount to work properly as
      well as simplifies the code.
      
      Link: https://lore.kernel.org/linux-trace-kernel/20240502200906.002923579@goodmis.org
      
      Cc: stable@vger.kernel.org
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Fixes: 8186fff7 ("tracefs/eventfs: Use root and instance inodes as default ownership")
      Signed-off-by: default avatarSteven Rostedt (Google) <rostedt@goodmis.org>
      22e61e15
    • Steven Rostedt (Google)'s avatar
      eventfs: Do not differentiate the toplevel events directory · d53891d3
      Steven Rostedt (Google) authored
      The toplevel events directory is really no different than the events
      directory of instances. Having the two be different caused
      inconsistencies and made it harder to fix the permissions bugs.
      
      Make all events directories act the same.
      
      Link: https://lore.kernel.org/linux-trace-kernel/20240502200905.846448710@goodmis.org
      
      Cc: stable@vger.kernel.org
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Fixes: 8186fff7 ("tracefs/eventfs: Use root and instance inodes as default ownership")
      Signed-off-by: default avatarSteven Rostedt (Google) <rostedt@goodmis.org>
      d53891d3
    • Steven Rostedt (Google)'s avatar
      tracefs: Still use mount point as default permissions for instances · 6599bd55
      Steven Rostedt (Google) authored
      If the instances directory's permissions were never change, then have it
      and its children use the mount point permissions as the default.
      
      Currently, the permissions of instance directories are determined by the
      instance directory's permissions itself. But if the tracefs file system is
      remounted and changes the permissions, the instance directory and its
      children should use the new permission.
      
      But because both the instance directory and its children use the instance
      directory's inode for permissions, it misses the update.
      
      To demonstrate this:
      
        # cd /sys/kernel/tracing/
        # mkdir instances/foo
        # ls -ld instances/foo
       drwxr-x--- 5 root root 0 May  1 19:07 instances/foo
        # ls -ld instances
       drwxr-x--- 3 root root 0 May  1 18:57 instances
        # ls -ld current_tracer
       -rw-r----- 1 root root 0 May  1 18:57 current_tracer
      
        # mount -o remount,gid=1002 .
        # ls -ld instances
       drwxr-x--- 3 root root 0 May  1 18:57 instances
        # ls -ld instances/foo/
       drwxr-x--- 5 root root 0 May  1 19:07 instances/foo/
        # ls -ld current_tracer
       -rw-r----- 1 root lkp 0 May  1 18:57 current_tracer
      
      Notice that changing the group id to that of "lkp" did not affect the
      instances directory nor its children. It should have been:
      
        # ls -ld current_tracer
       -rw-r----- 1 root root 0 May  1 19:19 current_tracer
        # ls -ld instances/foo/
       drwxr-x--- 5 root root 0 May  1 19:25 instances/foo/
        # ls -ld instances
       drwxr-x--- 3 root root 0 May  1 19:19 instances
      
        # mount -o remount,gid=1002 .
        # ls -ld current_tracer
       -rw-r----- 1 root lkp 0 May  1 19:19 current_tracer
        # ls -ld instances
       drwxr-x--- 3 root lkp 0 May  1 19:19 instances
        # ls -ld instances/foo/
       drwxr-x--- 5 root lkp 0 May  1 19:25 instances/foo/
      
      Where all files were updated by the remount gid update.
      
      Link: https://lore.kernel.org/linux-trace-kernel/20240502200905.686838327@goodmis.org
      
      Cc: stable@vger.kernel.org
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Fixes: 8186fff7 ("tracefs/eventfs: Use root and instance inodes as default ownership")
      Signed-off-by: default avatarSteven Rostedt (Google) <rostedt@goodmis.org>
      6599bd55
    • Steven Rostedt (Google)'s avatar
      tracefs: Reset permissions on remount if permissions are options · baa23a8d
      Steven Rostedt (Google) authored
      There's an inconsistency with the way permissions are handled in tracefs.
      Because the permissions are generated when accessed, they default to the
      root inode's permission if they were never set by the user. If the user
      sets the permissions, then a flag is set and the permissions are saved via
      the inode (for tracefs files) or an internal attribute field (for
      eventfs).
      
      But if a remount happens that specify the permissions, all the files that
      were not changed by the user gets updated, but the ones that were are not.
      If the user were to remount the file system with a given permission, then
      all files and directories within that file system should be updated.
      
      This can cause security issues if a file's permission was updated but the
      admin forgot about it. They could incorrectly think that remounting with
      permissions set would update all files, but miss some.
      
      For example:
      
       # cd /sys/kernel/tracing
       # chgrp 1002 current_tracer
       # ls -l
      [..]
       -rw-r-----  1 root root 0 May  1 21:25 buffer_size_kb
       -rw-r-----  1 root root 0 May  1 21:25 buffer_subbuf_size_kb
       -r--r-----  1 root root 0 May  1 21:25 buffer_total_size_kb
       -rw-r-----  1 root lkp  0 May  1 21:25 current_tracer
       -rw-r-----  1 root root 0 May  1 21:25 dynamic_events
       -r--r-----  1 root root 0 May  1 21:25 dyn_ftrace_total_info
       -r--r-----  1 root root 0 May  1 21:25 enabled_functions
      
      Where current_tracer now has group "lkp".
      
       # mount -o remount,gid=1001 .
       # ls -l
       -rw-r-----  1 root tracing 0 May  1 21:25 buffer_size_kb
       -rw-r-----  1 root tracing 0 May  1 21:25 buffer_subbuf_size_kb
       -r--r-----  1 root tracing 0 May  1 21:25 buffer_total_size_kb
       -rw-r-----  1 root lkp     0 May  1 21:25 current_tracer
       -rw-r-----  1 root tracing 0 May  1 21:25 dynamic_events
       -r--r-----  1 root tracing 0 May  1 21:25 dyn_ftrace_total_info
       -r--r-----  1 root tracing 0 May  1 21:25 enabled_functions
      
      Everything changed but the "current_tracer".
      
      Add a new link list that keeps track of all the tracefs_inodes which has
      the permission flags that tell if the file/dir should use the root inode's
      permission or not. Then on remount, clear all the flags so that the
      default behavior of using the root inode's permission is done for all
      files and directories.
      
      Link: https://lore.kernel.org/linux-trace-kernel/20240502200905.529542160@goodmis.org
      
      Cc: stable@vger.kernel.org
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Fixes: 8186fff7 ("tracefs/eventfs: Use root and instance inodes as default ownership")
      Signed-off-by: default avatarSteven Rostedt (Google) <rostedt@goodmis.org>
      baa23a8d
    • Steven Rostedt (Google)'s avatar
      eventfs: Free all of the eventfs_inode after RCU · ee4e0379
      Steven Rostedt (Google) authored
      The freeing of eventfs_inode via a kfree_rcu() callback. But the content
      of the eventfs_inode was being freed after the last kref. This is
      dangerous, as changes are being made that can access the content of an
      eventfs_inode from an RCU loop.
      
      Instead of using kfree_rcu() use call_rcu() that calls a function to do
      all the freeing of the eventfs_inode after a RCU grace period has expired.
      
      Link: https://lore.kernel.org/linux-trace-kernel/20240502200905.370261163@goodmis.org
      
      Cc: stable@vger.kernel.org
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Fixes: 43aa6f97 ("eventfs: Get rid of dentry pointers without refcounts")
      Signed-off-by: default avatarSteven Rostedt (Google) <rostedt@goodmis.org>
      ee4e0379
    • Steven Rostedt (Google)'s avatar
      eventfs/tracing: Add callback for release of an eventfs_inode · b63db58e
      Steven Rostedt (Google) authored
      Synthetic events create and destroy tracefs files when they are created
      and removed. The tracing subsystem has its own file descriptor
      representing the state of the events attached to the tracefs files.
      There's a race between the eventfs files and this file descriptor of the
      tracing system where the following can cause an issue:
      
      With two scripts 'A' and 'B' doing:
      
        Script 'A':
          echo "hello int aaa" > /sys/kernel/tracing/synthetic_events
          while :
          do
            echo 0 > /sys/kernel/tracing/events/synthetic/hello/enable
          done
      
        Script 'B':
          echo > /sys/kernel/tracing/synthetic_events
      
      Script 'A' creates a synthetic event "hello" and then just writes zero
      into its enable file.
      
      Script 'B' removes all synthetic events (including the newly created
      "hello" event).
      
      What happens is that the opening of the "enable" file has:
      
       {
      	struct trace_event_file *file = inode->i_private;
      	int ret;
      
      	ret = tracing_check_open_get_tr(file->tr);
       [..]
      
      But deleting the events frees the "file" descriptor, and a "use after
      free" happens with the dereference at "file->tr".
      
      The file descriptor does have a reference counter, but there needs to be a
      way to decrement it from the eventfs when the eventfs_inode is removed
      that represents this file descriptor.
      
      Add an optional "release" callback to the eventfs_entry array structure,
      that gets called when the eventfs file is about to be removed. This allows
      for the creating on the eventfs file to increment the tracing file
      descriptor ref counter. When the eventfs file is deleted, it can call the
      release function that will call the put function for the tracing file
      descriptor.
      
      This will protect the tracing file from being freed while a eventfs file
      that references it is being opened.
      
      Link: https://lore.kernel.org/linux-trace-kernel/20240426073410.17154-1-Tze-nan.Wu@mediatek.com/
      Link: https://lore.kernel.org/linux-trace-kernel/20240502090315.448cba46@gandalf.local.home
      
      Cc: stable@vger.kernel.org
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Fixes: 5790b1fb ("eventfs: Remove eventfs_file and just use eventfs_inode")
      Reported-by: default avatarTze-nan wu <Tze-nan.Wu@mediatek.com>
      Tested-by: default avatarTze-nan Wu (吳澤南) <Tze-nan.Wu@mediatek.com>
      Signed-off-by: default avatarSteven Rostedt (Google) <rostedt@goodmis.org>
      b63db58e
  4. 03 May, 2024 11 commits
    • Linus Torvalds's avatar
      Merge tag 'cxl-fixes-6.9-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl · 7367539a
      Linus Torvalds authored
      Pull cxl fix from Dave Jiang:
       "Add missing RCH support for endpoint access_coordinate calculation.
      
        A late bug was reported by Robert Richter that the Restricted CXL Host
        (RCH) support was missing in the CXL endpoint access_coordinate
        calculation.
      
        The missing support causes the topology iterator to stumble over a
        NULL pointer and triggers a kernel OOPS on a platform with CXL 1.1
        support.
      
        The fix bypasses RCH topology as the access_coordinate calculation is
        not necessary since RCH does not support hotplug and the memory region
        exported should be covered by the HMAT table already.
      
        A unit test is also added to cxl_test to check against future
        regressions on the topology iterator"
      
      * tag 'cxl-fixes-6.9-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl:
        cxl: Fix cxl_endpoint_get_perf_coordinate() support for RCH
      7367539a
    • Linus Torvalds's avatar
      Merge tag 'for-linus-6.9a-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · ddb4c3f2
      Linus Torvalds authored
      Pull xen fixes from Juergen Gross:
       "Two fixes when running as Xen PV guests for issues introduced in the
        6.9 merge window, both related to apic id handling"
      
      * tag 'for-linus-6.9a-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        x86/xen: return a sane initial apic id when running as PV guest
        x86/xen/smp_pv: Register the boot CPU APIC properly
      ddb4c3f2
    • Linus Torvalds's avatar
      Merge tag 'efi-urgent-for-v6.9-1' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi · f094ee78
      Linus Torvalds authored
      Pull EFI fix from Ard Biesheuvel:
       "This works around a shortcoming in the memory acceptation API, which
        may apparently hog the CPU for long enough to trigger the softlockup
        watchdog.
      
        Note that this only affects confidential VMs running under the Intel
        TDX hypervisor, which is why I accepted this for now, but this should
        obviously be fixed properly in the future"
      
      * tag 'efi-urgent-for-v6.9-1' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi:
        efi/unaccepted: touch soft lockup during memory accept
      f094ee78
    • Linus Torvalds's avatar
      Merge tag 'block-6.9-20240503' of git://git.kernel.dk/linux · 3d25a941
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "Nothing major in here - an nvme pull request with mostly auth/tcp
        fixes, and a single fix for ublk not setting segment count and size
        limits"
      
      * tag 'block-6.9-20240503' of git://git.kernel.dk/linux:
        nvme-tcp: strict pdu pacing to avoid send stalls on TLS
        nvmet: fix nvme status code when namespace is disabled
        nvmet-tcp: fix possible memory leak when tearing down a controller
        nvme: cancel pending I/O if nvme controller is in terminal state
        nvmet-auth: replace pr_debug() with pr_err() to report an error.
        nvmet-auth: return the error code to the nvmet_auth_host_hash() callers
        nvme: find numa distance only if controller has valid numa id
        ublk: remove segment count and size limits
        nvme: fix warn output about shared namespaces without CONFIG_NVME_MULTIPATH
      3d25a941
    • Linus Torvalds's avatar
      Merge tag 'sound-6.9-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 7dc78c7b
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "As usual in a late stage, we received a fair amount of fixes for ASoC,
        and it became bigger than wished. But all fixes are rather device-
        specific, and they look pretty safe to apply.
      
        A major par of changes are series of fixes for ASoC meson and SOF
        drivers as well as for Realtek and Cirrus codecs. In addition, recent
        emu10k1 regression fixes and usual HD-audio quirks are included"
      
      * tag 'sound-6.9-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (46 commits)
        ALSA: hda/realtek: Fix build error without CONFIG_PM
        ALSA: hda/realtek: Fix conflicting PCI SSID 17aa:386f for Lenovo Legion models
        ALSA: hda/realtek - Set GPIO3 to default at S4 state for Thinkpad with ALC1318
        ALSA: hda: intel-sdw-acpi: fix usage of device_get_named_child_node()
        ALSA: hda: intel-dsp-config: harden I2C/I2S codec detection
        ASoC: cs35l56: fix usages of device_get_named_child_node()
        ASoC: da7219-aad: fix usage of device_get_named_child_node()
        ASoC: meson: cards: select SND_DYNAMIC_MINORS
        ASoC: meson: axg-tdm: add continuous clock support
        ASoC: meson: axg-tdm-interface: manage formatters in trigger
        ASoC: meson: axg-card: make links nonatomic
        ASoC: meson: axg-fifo: use threaded irq to check periods
        ALSA: hda/realtek: Fix mute led of HP Laptop 15-da3001TU
        ALSA: emu10k1: make E-MU FPGA writes potentially more reliable
        ALSA: emu10k1: fix E-MU dock initialization
        ALSA: emu10k1: use mutex for E-MU FPGA access locking
        ALSA: emu10k1: move the whole GPIO event handling to the workqueue
        ALSA: emu10k1: factor out snd_emu1010_load_dock_firmware()
        ALSA: emu10k1: fix E-MU card dock presence monitoring
        ASoC: rt715-sdca: volume step modification
        ...
      7dc78c7b
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2024-05-03' of https://gitlab.freedesktop.org/drm/kernel · b5a66609
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Weekly fixes, mostly made up from amdgpu and some panel changes.
      
        Otherwise xe, nouveau, vmwgfx and a couple of others, all seems pretty
        on track.
      
        amdgpu:
         - Fix VRAM memory accounting
         - DCN 3.1 fixes
         - DCN 2.0 fix
         - DCN 3.1.5 fix
         - DCN 3.5 fix
         - DCN 3.2.1 fix
         - DP fixes
         - Seamless boot fix
         - Fix call order in amdgpu_ttm_move()
         - Fix doorbell regression
         - Disable panel replay temporarily
      
        amdkfd:
         - Flush wq before creating kfd process
      
        xe:
         - Fix UAF on rebind worker
         - Fix ADL-N display integration
      
        imagination:
         - fix page-count macro
      
        nouveau:
         - avoid page-table allocation failures
         - fix firmware memory allocation
      
        panel:
         - ili9341: avoid OF for device properties; respect deferred probe;
           fix usage of errno codes
      
        ttm:
         - fix status output
      
        vmwgfx:
         - fix legacy display unit
         - fix read length in fence signalling"
      
      * tag 'drm-fixes-2024-05-03' of https://gitlab.freedesktop.org/drm/kernel: (25 commits)
        drm/xe/display: Fix ADL-N detection
        drm/panel: ili9341: Use predefined error codes
        drm/panel: ili9341: Respect deferred probe
        drm/panel: ili9341: Correct use of device property APIs
        drm/xe/vm: prevent UAF in rebind_work_func()
        drm/amd/display: Disable panel replay by default for now
        drm/amdgpu: fix doorbell regression
        drm/amdkfd: Flush the process wq before creating a kfd_process
        drm/amd/display: Disable seamless boot on 128b/132b encoding
        drm/amd/display: Fix DC mode screen flickering on DCN321
        drm/amd/display: Add VCO speed parameter for DCN31 FPU
        drm/amdgpu: once more fix the call oder in amdgpu_ttm_move() v2
        drm/amd/display: Allocate zero bw after bw alloc enable
        drm/amd/display: Fix incorrect DSC instance for MST
        drm/amd/display: Atom Integrated System Info v2_2 for DCN35
        drm/amd/display: Add dtbclk access to dcn315
        drm/amd/display: Ensure that dmcub support flag is set for DCN20
        drm/amd/display: Handle Y carry-over in VCP X.Y calculation
        drm/amdgpu: Fix VRAM memory accounting
        drm/vmwgfx: Fix invalid reads in fence signaled events
        ...
      b5a66609
    • Linus Torvalds's avatar
      Merge tag 'spi-fix-v6.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi · 9fbc8bdf
      Linus Torvalds authored
      Pull spi fixes from Mark Brown:
       "A few small fixes for v6.9,
      
        The core fix is for issues with reuse of a spi_message in the case
        where we've got queued messages (a relatively rare occurrence with
        modern code so it wasn't noticed in testing).
      
        We also avoid an issue with the Kunpeng driver by simply removing the
        debug interface that could trigger it, and address issues with
        confusing and corrupted output when printing the IP version of the AXI
        SPI engine"
      
      * tag 'spi-fix-v6.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
        spi: fix null pointer dereference within spi_sync
        spi: hisi-kunpeng: Delete the dump interface of data registers in debugfs
        spi: axi-spi-engine: fix version format string
      9fbc8bdf
    • Viken Dadhaniya's avatar
      slimbus: qcom-ngd-ctrl: Add timeout for wait operation · 98241a77
      Viken Dadhaniya authored
      In current driver qcom_slim_ngd_up_worker() indefinitely
      waiting for ctrl->qmi_up completion object. This is
      resulting in workqueue lockup on Kthread.
      
      Added wait_for_completion_interruptible_timeout to
      allow the thread to wait for specific timeout period and
      bail out instead waiting infinitely.
      
      Fixes: a899d324 ("slimbus: qcom-ngd-ctrl: add Sub System Restart support")
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarKonrad Dybcio <konrad.dybcio@linaro.org>
      Signed-off-by: default avatarViken Dadhaniya <quic_vdadhani@quicinc.com>
      Signed-off-by: default avatarSrinivas Kandagatla <srinivas.kandagatla@linaro.org>
      Link: https://lore.kernel.org/r/20240430091238.35209-2-srinivas.kandagatla@linaro.orgSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      98241a77
    • Dave Airlie's avatar
      Merge tag 'drm-misc-fixes-2024-05-02' of... · 09e10499
      Dave Airlie authored
      Merge tag 'drm-misc-fixes-2024-05-02' of https://gitlab.freedesktop.org/drm/misc/kernel into drm-fixes
      
      Short summary of fixes pull:
      
      imagination:
      - fix page-count macro
      
      nouveau:
      - avoid page-table allocation failures
      - fix firmware memory allocation
      
      panel:
      - ili9341: avoid OF for device properties; respect deferred probe; fix
      usage of errno codes
      
      ttm:
      - fix status output
      
      vmwgfx:
      - fix legacy display unit
      - fix read length in fence signalling
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      
      From: Thomas Zimmermann <tzimmermann@suse.de>
      Link: https://patchwork.freedesktop.org/patch/msgid/20240502192117.GA12158@linux.fritz.box
      09e10499
    • Dave Airlie's avatar
      Merge tag 'drm-xe-fixes-2024-05-02' of https://gitlab.freedesktop.org/drm/xe/kernel into drm-fixes · 5c75d681
      Dave Airlie authored
      - Fix UAF on rebind worker
      - Fix ADL-N display integration
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      
      From: Lucas De Marchi <lucas.demarchi@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/6bontwst3mbxozs6u3ad5n3g5zmaucrngbfwv4hkfhpscnwlym@wlwjgjx6pwue
      5c75d681
    • Dave Airlie's avatar
      Merge tag 'amd-drm-fixes-6.9-2024-05-01' of... · 306eca05
      Dave Airlie authored
      Merge tag 'amd-drm-fixes-6.9-2024-05-01' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes
      
      amd-drm-fixes-6.9-2024-05-01:
      
      amdgpu:
      - Fix VRAM memory accounting
      - DCN 3.1 fixes
      - DCN 2.0 fix
      - DCN 3.1.5 fix
      - DCN 3.5 fix
      - DCN 3.2.1 fix
      - DP fixes
      - Seamless boot fix
      - Fix call order in amdgpu_ttm_move()
      - Fix doorbell regression
      - Disable panel replay temporarily
      
      amdkfd:
      - Flush wq before creating kfd process
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      
      From: Alex Deucher <alexander.deucher@amd.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20240501135054.1919108-1-alexander.deucher@amd.com
      306eca05
  5. 02 May, 2024 2 commits
    • Linus Torvalds's avatar
      Merge tag 'for-6.9-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · f03359bc
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
      
       - set correct ram_bytes when splitting ordered extent. This can be
         inconsistent on-disk but harmless as it's not used for calculations
         and it's only advisory for compression
      
       - fix lockdep splat when taking cleaner mutex in qgroups disable ioctl
      
       - fix missing mutex unlock on error path when looking up sys chunk for
         relocation
      
      * tag 'for-6.9-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: set correct ram_bytes when splitting ordered extent
        btrfs: take the cleaner_mutex earlier in qgroup disable
        btrfs: add missing mutex_unlock in btrfs_relocate_sys_chunks()
      f03359bc
    • Linus Torvalds's avatar
      Merge tag 's390-6.9-6' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · da87c77e
      Linus Torvalds authored
      Pull s390 fixes from Alexander Gordeev:
      
       - The function __storage_key_init_range() expects the end address to be
         the first byte outside the range to be initialized. Fix the callers
         that provide the last byte within the range instead.
      
       - 3270 Channel Command Word (CCW) may contain zero data address in case
         there is no data in the request. Add data availability check to avoid
         erroneous non-zero value as result of virt_to_dma32(NULL) application
         in cases there is no data
      
       - Add missing CFI directives for an unwinder to restore the return
         address in the vDSO assembler code
      
       - NUL-terminate kernel buffer when duplicating user space memory region
         on Channel IO (CIO) debugfs write inject
      
       - Fix wrong format string in zcrypt debug output
      
       - Return -EBUSY code when a CCA card is temporarily unavailabile
      
       - Restore a loop that retries derivation of a protected key from a
         secure key in cases the low level reports temporarily unavailability
         with -EBUSY code
      
      * tag 's390-6.9-6' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390/paes: Reestablish retry loop in paes
        s390/zcrypt: Use EBUSY to indicate temp unavailability
        s390/zcrypt: Handle ep11 cprb return code
        s390/zcrypt: Fix wrong format string in debug feature printout
        s390/cio: Ensure the copied buf is NUL terminated
        s390/vdso: Add CFI for RA register to asm macro vdso_func
        s390/3270: Fix buffer assignment
        s390/mm: Fix clearing storage keys for huge pages
        s390/mm: Fix storage key clearing for guest huge pages
      da87c77e