1. 22 Oct, 2021 8 commits
    • Vasily Averin's avatar
      skb_expand_head() adjust skb->truesize incorrectly · 7f678def
      Vasily Averin authored
      Christoph Paasch reports [1] about incorrect skb->truesize
      after skb_expand_head() call in ip6_xmit.
      This may happen because of two reasons:
      - skb_set_owner_w() for newly cloned skb is called too early,
      before pskb_expand_head() where truesize is adjusted for (!skb-sk) case.
      - pskb_expand_head() does not adjust truesize in (skb->sk) case.
      In this case sk->sk_wmem_alloc should be adjusted too.
      
      [1] https://lkml.org/lkml/2021/8/20/1082
      
      Fixes: f1260ff1 ("skbuff: introduce skb_expand_head()")
      Fixes: 2d85a1b3 ("ipv6: ip6_finish_output2: set sk into newly allocated nskb")
      Reported-by: default avatarChristoph Paasch <christoph.paasch@gmail.com>
      Signed-off-by: default avatarVasily Averin <vvs@virtuozzo.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/644330dd-477e-0462-83bf-9f514c41edd1@virtuozzo.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      7f678def
    • Jakub Kicinski's avatar
      Merge tag 'mac80211-for-net-2021-10-21' of... · 7fcb1c95
      Jakub Kicinski authored
      Merge tag 'mac80211-for-net-2021-10-21' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      Two small fixes:
       * RCU misuse in scan processing in cfg80211
       * missing size check for HE data in mac80211 mesh
      
      * tag 'mac80211-for-net-2021-10-21' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211:
        cfg80211: scan: fix RCU in cfg80211_add_nontrans_list()
        mac80211: mesh: fix HE operation element length check
      ====================
      
      Link: https://lore.kernel.org/r/20211021154351.134297-1-johannes@sipsolutions.netSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      7fcb1c95
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2021-10-22' of git://anongit.freedesktop.org/drm/drm · 64222515
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Nothing too crazy at the end of the cycle, the kmb modesetting fixes
        are probably a bit large but it's not a major driver, and its fixing
        monitor doesn't turn on type problems.
      
        Otherwise it's just a few minor patches, one ast regression revert, an
        msm power stability fix.
      
        ast:
         - fix regression with connector detect
      
        msm:
         - fix power stability issue
      
        msxfb:
         - fix crash on unload
      
        panel:
         - sync fix
      
        kmb:
         - modesetting fixes"
      
      * tag 'drm-fixes-2021-10-22' of git://anongit.freedesktop.org/drm/drm:
        Revert "drm/ast: Add detect function support"
        drm/kmb: Enable ADV bridge after modeset
        drm/kmb: Corrected typo in handle_lcd_irq
        drm/kmb: Disable change of plane parameters
        drm/kmb: Remove clearing DPHY regs
        drm/kmb: Limit supported mode to 1080p
        drm/kmb: Work around for higher system clock
        drm/panel: ilitek-ili9881c: Fix sync for Feixin K101-IM2BYL02 panel
        drm: mxsfb: Fix NULL pointer dereference crash on unload
        drm/msm/devfreq: Restrict idle clamping to a618 for now
      64222515
    • Mike Rapoport's avatar
      memblock: exclude MEMBLOCK_NOMAP regions from kmemleak · 658aafc8
      Mike Rapoport authored
      Vladimir Zapolskiy reports:
      
      Commit a7259df7 ("memblock: make memblock_find_in_range method
      private") invokes a kernel panic while running kmemleak on OF platforms
      with nomaped regions:
      
        Unable to handle kernel paging request at virtual address fff000021e00000
        [...]
          scan_block+0x64/0x170
          scan_gray_list+0xe8/0x17c
          kmemleak_scan+0x270/0x514
          kmemleak_write+0x34c/0x4ac
      
      The memory allocated from memblock is registered with kmemleak, but if
      it is marked MEMBLOCK_NOMAP it won't have linear map entries so an
      attempt to scan such areas will fault.
      
      Ideally, memblock_mark_nomap() would inform kmemleak to ignore
      MEMBLOCK_NOMAP memory, but it can be called before kmemleak interfaces
      operating on physical addresses can use __va() conversion.
      
      Make sure that functions that mark allocated memory as MEMBLOCK_NOMAP
      take care of informing kmemleak to ignore such memory.
      
      Link: https://lore.kernel.org/all/8ade5174-b143-d621-8c8e-dc6a1898c6fb@linaro.org
      Link: https://lore.kernel.org/all/c30ff0a2-d196-c50d-22f0-bd50696b1205@quicinc.com
      Fixes: a7259df7 ("memblock: make memblock_find_in_range method private")
      Reported-by: default avatarVladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
      Signed-off-by: default avatarMike Rapoport <rppt@linux.ibm.com>
      Reviewed-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Tested-by: default avatarVladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
      Tested-by: default avatarQian Cai <quic_qiancai@quicinc.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      658aafc8
    • Mike Rapoport's avatar
      Revert "memblock: exclude NOMAP regions from kmemleak" · 6c9a5455
      Mike Rapoport authored
      Commit 6e44bd6d ("memblock: exclude NOMAP regions from kmemleak")
      breaks boot on EFI systems with kmemleak and VM_DEBUG enabled:
      
        efi: Processing EFI memory map:
        efi:   0x000090000000-0x000091ffffff [Conventional|   |  |  |  |  |  |  |  |  |   |WB|WT|WC|UC]
        efi:   0x000092000000-0x0000928fffff [Runtime Data|RUN|  |  |  |  |  |  |  |  |   |WB|WT|WC|UC]
        ------------[ cut here ]------------
        kernel BUG at mm/kmemleak.c:1140!
        Internal error: Oops - BUG: 0 [#1] SMP
        Modules linked in:
        CPU: 0 PID: 0 Comm: swapper Not tainted 5.15.0-rc6-next-20211019+ #104
        pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
        pc : kmemleak_free_part_phys+0x64/0x8c
        lr : kmemleak_free_part_phys+0x38/0x8c
        sp : ffff800011eafbc0
        x29: ffff800011eafbc0 x28: 1fffff7fffb41c0d x27: fffffbfffda0e068
        x26: 0000000092000000 x25: 1ffff000023d5f94 x24: ffff800011ed84d0
        x23: ffff800011ed84c0 x22: ffff800011ed83d8 x21: 0000000000900000
        x20: ffff800011782000 x19: 0000000092000000 x18: ffff800011ee0730
        x17: 0000000000000000 x16: 0000000000000000 x15: 1ffff0000233252c
        x14: ffff800019a905a0 x13: 0000000000000001 x12: ffff7000023d5ed7
        x11: 1ffff000023d5ed6 x10: ffff7000023d5ed6 x9 : dfff800000000000
        x8 : ffff800011eaf6b7 x7 : 0000000000000001 x6 : ffff800011eaf6b0
        x5 : 00008ffffdc2a12a x4 : ffff7000023d5ed7 x3 : 1ffff000023dbf99
        x2 : 1ffff000022f0463 x1 : 0000000000000000 x0 : ffffffffffffffff
        Call trace:
         kmemleak_free_part_phys+0x64/0x8c
         memblock_mark_nomap+0x5c/0x78
         reserve_regions+0x294/0x33c
         efi_init+0x2d0/0x490
         setup_arch+0x80/0x138
         start_kernel+0xa0/0x3ec
         __primary_switched+0xc0/0xc8
        Code: 34000041 97d526e7 f9418e80 36000040 (d4210000)
        random: get_random_bytes called from print_oops_end_marker+0x34/0x80 with crng_init=0
        ---[ end trace 0000000000000000 ]---
      
      The crash happens because kmemleak_free_part_phys() tries to use __va()
      before memstart_addr is initialized and this triggers a VM_BUG_ON() in
      arch/arm64/include/asm/memory.h:
      
      Revert 6e44bd6d ("memblock: exclude NOMAP regions from kmemleak"),
      the issue it is fixing will be fixed differently.
      Reported-by: default avatarQian Cai <quic_qiancai@quicinc.com>
      Signed-off-by: default avatarMike Rapoport <rppt@linux.ibm.com>
      Acked-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      6c9a5455
    • Linus Torvalds's avatar
      Merge branch 'ucount-fixes-for-v5.15' of... · 9d235ac0
      Linus Torvalds authored
      Merge branch 'ucount-fixes-for-v5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
      
      Pull ucounts fixes from Eric Biederman:
       "There has been one very hard to track down bug in the ucount code that
        we have been tracking since roughly v5.14 was released. Alex managed
        to find a reliable reproducer a few days ago and then I was able to
        instrument the code and figure out what the issue was.
      
        It turns out the sigqueue_alloc single atomic operation optimization
        did not play nicely with ucounts multiple level rlimits. It turned out
        that either sigqueue_alloc or sigqueue_free could be operating on
        multiple levels and trigger the conditions for the optimization on
        more than one level at the same time.
      
        To deal with that situation I have introduced inc_rlimit_get_ucounts
        and dec_rlimit_put_ucounts that just focuses on the optimization and
        the rlimit and ucount changes.
      
        While looking into the big bug I found I couple of other little issues
        so I am including those fixes here as well.
      
        When I have time I would very much like to dig into process ownership
        of the shared signal queue and see if we could pick a single owner for
        the entire queue so that all of the rlimits can count to that owner.
        That should entirely remove the need to call get_ucounts and
        put_ucounts in sigqueue_alloc and sigqueue_free. It is difficult
        because Linux unlike POSIX supports setuid that works on a single
        thread"
      
      * 'ucount-fixes-for-v5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
        ucounts: Move get_ucounts from cred_alloc_blank to key_change_session_keyring
        ucounts: Proper error handling in set_cred_ucounts
        ucounts: Pair inc_rlimit_ucounts with dec_rlimit_ucoutns in commit_creds
        ucounts: Fix signal ucount refcounting
      9d235ac0
    • Linus Torvalds's avatar
      Merge tag 'net-5.15-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 6c2c7127
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from netfilter, and can.
      
        We'll have one more fix for a socket accounting regression, it's still
        getting polished. Otherwise things look fine.
      
        Current release - regressions:
      
         - revert "vrf: reset skb conntrack connection on VRF rcv", there are
           valid uses for previous behavior
      
         - can: m_can: fix iomap_read_fifo() and iomap_write_fifo()
      
        Current release - new code bugs:
      
         - mlx5: e-switch, return correct error code on group creation failure
      
        Previous releases - regressions:
      
         - sctp: fix transport encap_port update in sctp_vtag_verify
      
         - stmmac: fix E2E delay mechanism (in PTP timestamping)
      
        Previous releases - always broken:
      
         - netfilter: ip6t_rt: fix out-of-bounds read of ipv6_rt_hdr
      
         - netfilter: xt_IDLETIMER: fix out-of-bound read caused by lack of
           init
      
         - netfilter: ipvs: make global sysctl read-only in non-init netns
      
         - tcp: md5: fix selection between vrf and non-vrf keys
      
         - ipv6: count rx stats on the orig netdev when forwarding
      
         - bridge: mcast: use multicast_membership_interval for IGMPv3
      
         - can:
            - j1939: fix UAF for rx_kref of j1939_priv abort sessions on
              receiving bad messages
      
            - isotp: fix TX buffer concurrent access in isotp_sendmsg() fix
              return error on FC timeout on TX path
      
         - ice: fix re-init of RDMA Tx queues and crash if RDMA was not inited
      
         - hns3: schedule the polling again when allocation fails, prevent
           stalls
      
         - drivers: add missing of_node_put() when aborting
           for_each_available_child_of_node()
      
         - ptp: fix possible memory leak and UAF in ptp_clock_register()
      
         - e1000e: fix packet loss in burst mode on Tiger Lake and later
      
         - mlx5e: ipsec: fix more checksum offload issues"
      
      * tag 'net-5.15-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (75 commits)
        usbnet: sanity check for maxpacket
        net: enetc: make sure all traffic classes can send large frames
        net: enetc: fix ethtool counter name for PM0_TERR
        ptp: free 'vclock_index' in ptp_clock_release()
        sfc: Don't use netif_info before net_device setup
        sfc: Export fibre-specific supported link modes
        net/mlx5e: IPsec: Fix work queue entry ethernet segment checksum flags
        net/mlx5e: IPsec: Fix a misuse of the software parser's fields
        net/mlx5e: Fix vlan data lost during suspend flow
        net/mlx5: E-switch, Return correct error code on group creation failure
        net/mlx5: Lag, change multipath and bonding to be mutually exclusive
        ice: Add missing E810 device ids
        igc: Update I226_K device ID
        e1000e: Fix packet loss on Tiger Lake and later
        e1000e: Separate TGP board type from SPT
        ptp: Fix possible memory leak in ptp_clock_register()
        net: stmmac: Fix E2E delay mechanism
        nfc: st95hf: Make spi remove() callback return zero
        net: hns3: disable sriov before unload hclge layer
        net: hns3: fix vf reset workqueue cannot exit
        ...
      6c2c7127
    • Linus Torvalds's avatar
      Merge tag 'powerpc-5.15-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 0a3221b6
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
      
       - Fix a bug exposed by a previous fix, where running guests with
         certain SMT topologies could crash the host on Power8.
      
       - Fix atomic sleep warnings when re-onlining CPUs, when PREEMPT is
         enabled.
      
      Thanks to Nathan Lynch, Srikar Dronamraju, and Valentin Schneider.
      
      * tag 'powerpc-5.15-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/smp: do not decrement idle task preempt count in CPU offline
        powerpc/idle: Don't corrupt back chain when going idle
      0a3221b6
  2. 21 Oct, 2021 20 commits
  3. 20 Oct, 2021 12 commits