1. 07 Dec, 2022 1 commit
    • Harshit Mogalapalli's avatar
      io_uring: Fix a null-ptr-deref in io_tctx_exit_cb() · 998b30c3
      Harshit Mogalapalli authored
      Syzkaller reports a NULL deref bug as follows:
      
       BUG: KASAN: null-ptr-deref in io_tctx_exit_cb+0x53/0xd3
       Read of size 4 at addr 0000000000000138 by task file1/1955
      
       CPU: 1 PID: 1955 Comm: file1 Not tainted 6.1.0-rc7-00103-gef4d3ea4 #75
       Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
       Call Trace:
        <TASK>
        dump_stack_lvl+0xcd/0x134
        ? io_tctx_exit_cb+0x53/0xd3
        kasan_report+0xbb/0x1f0
        ? io_tctx_exit_cb+0x53/0xd3
        kasan_check_range+0x140/0x190
        io_tctx_exit_cb+0x53/0xd3
        task_work_run+0x164/0x250
        ? task_work_cancel+0x30/0x30
        get_signal+0x1c3/0x2440
        ? lock_downgrade+0x6e0/0x6e0
        ? lock_downgrade+0x6e0/0x6e0
        ? exit_signals+0x8b0/0x8b0
        ? do_raw_read_unlock+0x3b/0x70
        ? do_raw_spin_unlock+0x50/0x230
        arch_do_signal_or_restart+0x82/0x2470
        ? kmem_cache_free+0x260/0x4b0
        ? putname+0xfe/0x140
        ? get_sigframe_size+0x10/0x10
        ? do_execveat_common.isra.0+0x226/0x710
        ? lockdep_hardirqs_on+0x79/0x100
        ? putname+0xfe/0x140
        ? do_execveat_common.isra.0+0x238/0x710
        exit_to_user_mode_prepare+0x15f/0x250
        syscall_exit_to_user_mode+0x19/0x50
        do_syscall_64+0x42/0xb0
        entry_SYSCALL_64_after_hwframe+0x63/0xcd
       RIP: 0023:0x0
       Code: Unable to access opcode bytes at 0xffffffffffffffd6.
       RSP: 002b:00000000fffb7790 EFLAGS: 00000200 ORIG_RAX: 000000000000000b
       RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
       RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
       RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
       R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
       R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
        </TASK>
       Kernel panic - not syncing: panic_on_warn set ...
      
      This happens because the adding of task_work from io_ring_exit_work()
      isn't synchronized with canceling all work items from eg exec. The
      execution of the two are ordered in that they are both run by the task
      itself, but if io_tctx_exit_cb() is queued while we're canceling all
      work items off exec AND gets executed when the task exits to userspace
      rather than in the main loop in io_uring_cancel_generic(), then we can
      find current->io_uring == NULL and hit the above crash.
      
      It's safe to add this NULL check here, because the execution of the two
      paths are done by the task itself.
      
      Cc: stable@vger.kernel.org
      Fixes: d56d938b ("io_uring: do ctx initiated file note removal")
      Reported-by: default avatarsyzkaller <syzkaller@googlegroups.com>
      Signed-off-by: default avatarHarshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
      Link: https://lore.kernel.org/r/20221206093833.3812138-1-harshit.m.mogalapalli@oracle.com
      [axboe: add code comment and also put an explanation in the commit msg]
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      998b30c3
  2. 25 Nov, 2022 5 commits
    • Jens Axboe's avatar
      io_uring: clear TIF_NOTIFY_SIGNAL if set and task_work not available · 7cfe7a09
      Jens Axboe authored
      With how task_work is added and signaled, we can have TIF_NOTIFY_SIGNAL
      set and no task_work pending as it got run in a previous loop. Treat
      TIF_NOTIFY_SIGNAL like get_signal(), always clear it if set regardless
      of whether or not task_work is pending to run.
      
      Cc: stable@vger.kernel.org
      Fixes: 46a525e1 ("io_uring: don't gate task_work run on TIF_NOTIFY_SIGNAL")
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      7cfe7a09
    • Lin Ma's avatar
      io_uring/poll: fix poll_refs race with cancelation · 12ad3d2d
      Lin Ma authored
      There is an interesting race condition of poll_refs which could result
      in a NULL pointer dereference. The crash trace is like:
      
      KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
      CPU: 0 PID: 30781 Comm: syz-executor.2 Not tainted 6.0.0-g493ffd66 #1
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
      1.13.0-1ubuntu1.1 04/01/2014
      RIP: 0010:io_poll_remove_entry io_uring/poll.c:154 [inline]
      RIP: 0010:io_poll_remove_entries+0x171/0x5b4 io_uring/poll.c:190
      Code: ...
      RSP: 0018:ffff88810dfefba0 EFLAGS: 00010202
      RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000040000
      RDX: ffffc900030c4000 RSI: 000000000003ffff RDI: 0000000000040000
      RBP: 0000000000000008 R08: ffffffff9764d3dd R09: fffffbfff3836781
      R10: fffffbfff3836781 R11: 0000000000000000 R12: 1ffff11003422d60
      R13: ffff88801a116b04 R14: ffff88801a116ac0 R15: dffffc0000000000
      FS:  00007f9c07497700(0000) GS:ffff88811a600000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007ffb5c00ea98 CR3: 0000000105680005 CR4: 0000000000770ef0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      PKRU: 55555554
      Call Trace:
       <TASK>
       io_apoll_task_func+0x3f/0xa0 io_uring/poll.c:299
       handle_tw_list io_uring/io_uring.c:1037 [inline]
       tctx_task_work+0x37e/0x4f0 io_uring/io_uring.c:1090
       task_work_run+0x13a/0x1b0 kernel/task_work.c:177
       get_signal+0x2402/0x25a0 kernel/signal.c:2635
       arch_do_signal_or_restart+0x3b/0x660 arch/x86/kernel/signal.c:869
       exit_to_user_mode_loop kernel/entry/common.c:166 [inline]
       exit_to_user_mode_prepare+0xc2/0x160 kernel/entry/common.c:201
       __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
       syscall_exit_to_user_mode+0x58/0x160 kernel/entry/common.c:294
       entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      The root cause for this is a tiny overlooking in
      io_poll_check_events() when cocurrently run with poll cancel routine
      io_poll_cancel_req().
      
      The interleaving to trigger use-after-free:
      
      CPU0                                       |  CPU1
                                                 |
      io_apoll_task_func()                       |  io_poll_cancel_req()
       io_poll_check_events()                    |
        // do while first loop                   |
        v = atomic_read(...)                     |
        // v = poll_refs = 1                     |
        ...                                      |  io_poll_mark_cancelled()
                                                 |   atomic_or()
                                                 |   // poll_refs =
      IO_POLL_CANCEL_FLAG | 1
                                                 |
        atomic_sub_return(...)                   |
        // poll_refs = IO_POLL_CANCEL_FLAG       |
        // loop continue                         |
                                                 |
                                                 |  io_poll_execute()
                                                 |   io_poll_get_ownership()
                                                 |   // poll_refs =
      IO_POLL_CANCEL_FLAG | 1
                                                 |   // gets the ownership
        v = atomic_read(...)                     |
        // poll_refs not change                  |
                                                 |
        if (v & IO_POLL_CANCEL_FLAG)             |
         return -ECANCELED;                      |
        // io_poll_check_events return           |
        // will go into                          |
        // io_req_complete_failed() free req     |
                                                 |
                                                 |  io_apoll_task_func()
                                                 |  // also go into
      io_req_complete_failed()
      
      And the interleaving to trigger the kernel WARNING:
      
      CPU0                                       |  CPU1
                                                 |
      io_apoll_task_func()                       |  io_poll_cancel_req()
       io_poll_check_events()                    |
        // do while first loop                   |
        v = atomic_read(...)                     |
        // v = poll_refs = 1                     |
        ...                                      |  io_poll_mark_cancelled()
                                                 |   atomic_or()
                                                 |   // poll_refs =
      IO_POLL_CANCEL_FLAG | 1
                                                 |
        atomic_sub_return(...)                   |
        // poll_refs = IO_POLL_CANCEL_FLAG       |
        // loop continue                         |
                                                 |
        v = atomic_read(...)                     |
        // v = IO_POLL_CANCEL_FLAG               |
                                                 |  io_poll_execute()
                                                 |   io_poll_get_ownership()
                                                 |   // poll_refs =
      IO_POLL_CANCEL_FLAG | 1
                                                 |   // gets the ownership
                                                 |
        WARN_ON_ONCE(!(v & IO_POLL_REF_MASK)))   |
        // v & IO_POLL_REF_MASK = 0 WARN         |
                                                 |
                                                 |  io_apoll_task_func()
                                                 |  // also go into
      io_req_complete_failed()
      
      By looking up the source code and communicating with Pavel, the
      implementation of this atomic poll refs should continue the loop of
      io_poll_check_events() just to avoid somewhere else to grab the
      ownership. Therefore, this patch simply adds another AND operation to
      make sure the loop will stop if it finds the poll_refs is exactly equal
      to IO_POLL_CANCEL_FLAG. Since io_poll_cancel_req() grabs ownership and
      will finally make its way to io_req_complete_failed(), the req will
      be reclaimed as expected.
      
      Fixes: aa43477b ("io_uring: poll rework")
      Signed-off-by: default avatarLin Ma <linma@zju.edu.cn>
      Reviewed-by: default avatarPavel Begunkov <asml.silence@gmail.com>
      [axboe: tweak description and code style]
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      12ad3d2d
    • Lin Ma's avatar
      io_uring/filetable: fix file reference underflow · 9d94c04c
      Lin Ma authored
      There is an interesting reference bug when -ENOMEM occurs in calling of
      io_install_fixed_file(). KASan report like below:
      
      [   14.057131] ==================================================================
      [   14.059161] BUG: KASAN: use-after-free in unix_get_socket+0x10/0x90
      [   14.060975] Read of size 8 at addr ffff88800b09cf20 by task kworker/u8:2/45
      [   14.062684]
      [   14.062768] CPU: 2 PID: 45 Comm: kworker/u8:2 Not tainted 6.1.0-rc4 #1
      [   14.063099] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
      [   14.063666] Workqueue: events_unbound io_ring_exit_work
      [   14.063936] Call Trace:
      [   14.064065]  <TASK>
      [   14.064175]  dump_stack_lvl+0x34/0x48
      [   14.064360]  print_report+0x172/0x475
      [   14.064547]  ? _raw_spin_lock_irq+0x83/0xe0
      [   14.064758]  ? __virt_addr_valid+0xef/0x170
      [   14.064975]  ? unix_get_socket+0x10/0x90
      [   14.065167]  kasan_report+0xad/0x130
      [   14.065353]  ? unix_get_socket+0x10/0x90
      [   14.065553]  unix_get_socket+0x10/0x90
      [   14.065744]  __io_sqe_files_unregister+0x87/0x1e0
      [   14.065989]  ? io_rsrc_refs_drop+0x1c/0xd0
      [   14.066199]  io_ring_exit_work+0x388/0x6a5
      [   14.066410]  ? io_uring_try_cancel_requests+0x5bf/0x5bf
      [   14.066674]  ? try_to_wake_up+0xdb/0x910
      [   14.066873]  ? virt_to_head_page+0xbe/0xbe
      [   14.067080]  ? __schedule+0x574/0xd20
      [   14.067273]  ? read_word_at_a_time+0xe/0x20
      [   14.067492]  ? strscpy+0xb5/0x190
      [   14.067665]  process_one_work+0x423/0x710
      [   14.067879]  worker_thread+0x2a2/0x6f0
      [   14.068073]  ? process_one_work+0x710/0x710
      [   14.068284]  kthread+0x163/0x1a0
      [   14.068454]  ? kthread_complete_and_exit+0x20/0x20
      [   14.068697]  ret_from_fork+0x22/0x30
      [   14.068886]  </TASK>
      [   14.069000]
      [   14.069088] Allocated by task 289:
      [   14.069269]  kasan_save_stack+0x1e/0x40
      [   14.069463]  kasan_set_track+0x21/0x30
      [   14.069652]  __kasan_slab_alloc+0x58/0x70
      [   14.069899]  kmem_cache_alloc+0xc5/0x200
      [   14.070100]  __alloc_file+0x20/0x160
      [   14.070283]  alloc_empty_file+0x3b/0xc0
      [   14.070479]  path_openat+0xc3/0x1770
      [   14.070689]  do_filp_open+0x150/0x270
      [   14.070888]  do_sys_openat2+0x113/0x270
      [   14.071081]  __x64_sys_openat+0xc8/0x140
      [   14.071283]  do_syscall_64+0x3b/0x90
      [   14.071466]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
      [   14.071791]
      [   14.071874] Freed by task 0:
      [   14.072027]  kasan_save_stack+0x1e/0x40
      [   14.072224]  kasan_set_track+0x21/0x30
      [   14.072415]  kasan_save_free_info+0x2a/0x50
      [   14.072627]  __kasan_slab_free+0x106/0x190
      [   14.072858]  kmem_cache_free+0x98/0x340
      [   14.073075]  rcu_core+0x427/0xe50
      [   14.073249]  __do_softirq+0x110/0x3cd
      [   14.073440]
      [   14.073523] Last potentially related work creation:
      [   14.073801]  kasan_save_stack+0x1e/0x40
      [   14.074017]  __kasan_record_aux_stack+0x97/0xb0
      [   14.074264]  call_rcu+0x41/0x550
      [   14.074436]  task_work_run+0xf4/0x170
      [   14.074619]  exit_to_user_mode_prepare+0x113/0x120
      [   14.074858]  syscall_exit_to_user_mode+0x1d/0x40
      [   14.075092]  do_syscall_64+0x48/0x90
      [   14.075272]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
      [   14.075529]
      [   14.075612] Second to last potentially related work creation:
      [   14.075900]  kasan_save_stack+0x1e/0x40
      [   14.076098]  __kasan_record_aux_stack+0x97/0xb0
      [   14.076325]  task_work_add+0x72/0x1b0
      [   14.076512]  fput+0x65/0xc0
      [   14.076657]  filp_close+0x8e/0xa0
      [   14.076825]  __x64_sys_close+0x15/0x50
      [   14.077019]  do_syscall_64+0x3b/0x90
      [   14.077199]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
      [   14.077448]
      [   14.077530] The buggy address belongs to the object at ffff88800b09cf00
      [   14.077530]  which belongs to the cache filp of size 232
      [   14.078105] The buggy address is located 32 bytes inside of
      [   14.078105]  232-byte region [ffff88800b09cf00, ffff88800b09cfe8)
      [   14.078685]
      [   14.078771] The buggy address belongs to the physical page:
      [   14.079046] page:000000001bd520e7 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800b09de00 pfn:0xb09c
      [   14.079575] head:000000001bd520e7 order:1 compound_mapcount:0 compound_pincount:0
      [   14.079946] flags: 0x100000000010200(slab|head|node=0|zone=1)
      [   14.080244] raw: 0100000000010200 0000000000000000 dead000000000001 ffff88800493cc80
      [   14.080629] raw: ffff88800b09de00 0000000080190018 00000001ffffffff 0000000000000000
      [   14.081016] page dumped because: kasan: bad access detected
      [   14.081293]
      [   14.081376] Memory state around the buggy address:
      [   14.081618]  ffff88800b09ce00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   14.081974]  ffff88800b09ce80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
      [   14.082336] >ffff88800b09cf00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [   14.082690]                                ^
      [   14.082909]  ffff88800b09cf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
      [   14.083266]  ffff88800b09d000: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
      [   14.083622] ==================================================================
      
      The actual tracing of this bug is shown below:
      
      commit 8c71fe75 ("io_uring: ensure fput() called correspondingly
      when direct install fails") adds an additional fput() in
      io_fixed_fd_install() when io_file_bitmap_get() returns error values. In
      that case, the routine will never make it to io_install_fixed_file() due
      to an early return.
      
      static int io_fixed_fd_install(...)
      {
        if (alloc_slot) {
          ...
          ret = io_file_bitmap_get(ctx);
          if (unlikely(ret < 0)) {
            io_ring_submit_unlock(ctx, issue_flags);
            fput(file);
            return ret;
          }
          ...
        }
        ...
        ret = io_install_fixed_file(req, file, issue_flags, file_slot);
        ...
      }
      
      In the above scenario, the reference is okay as io_fixed_fd_install()
      ensures the fput() is called when something bad happens, either via
      bitmap or via inner io_install_fixed_file().
      
      However, the commit 61c1b44a ("io_uring: fix deadlock on iowq file
      slot alloc") breaks the balance because it places fput() into the common
      path for both io_file_bitmap_get() and io_install_fixed_file(). Since
      io_install_fixed_file() handles the fput() itself, the reference
      underflow come across then.
      
      There are some extra commits make the current code into
      io_fixed_fd_install() -> __io_fixed_fd_install() ->
      io_install_fixed_file()
      
      However, the fact that there is an extra fput() is called if
      io_install_fixed_file() calls fput(). Traversing through the code, I
      find that the existing two callers to __io_fixed_fd_install():
      io_fixed_fd_install() and io_msg_send_fd() have fput() when handling
      error return, this patch simply removes the fput() in
      io_install_fixed_file() to fix the bug.
      
      Fixes: 61c1b44a ("io_uring: fix deadlock on iowq file slot alloc")
      Signed-off-by: default avatarLin Ma <linma@zju.edu.cn>
      Link: https://lore.kernel.org/r/be4ba4b.5d44.184a0a406a4.Coremail.linma@zju.edu.cnSigned-off-by: default avatarJens Axboe <axboe@kernel.dk>
      9d94c04c
    • Pavel Begunkov's avatar
      io_uring: make poll refs more robust · a26a35e9
      Pavel Begunkov authored
      poll_refs carry two functions, the first is ownership over the request.
      The second is notifying the io_poll_check_events() that there was an
      event but wake up couldn't grab the ownership, so io_poll_check_events()
      should retry.
      
      We want to make poll_refs more robust against overflows. Instead of
      always incrementing it, which covers two purposes with one atomic, check
      if poll_refs is elevated enough and if so set a retry flag without
      attempts to grab ownership. The gap between the bias check and following
      atomics may seem racy, but we don't need it to be strict. Moreover there
      might only be maximum 4 parallel updates: by the first and the second
      poll entries, __io_arm_poll_handler() and cancellation. From those four,
      only poll wake ups may be executed multiple times, but they're protected
      by a spin.
      
      Cc: stable@vger.kernel.org
      Reported-by: default avatarLin Ma <linma@zju.edu.cn>
      Fixes: aa43477b ("io_uring: poll rework")
      Signed-off-by: default avatarPavel Begunkov <asml.silence@gmail.com>
      Link: https://lore.kernel.org/r/c762bc31f8683b3270f3587691348a7119ef9c9d.1668963050.git.asml.silence@gmail.comSigned-off-by: default avatarJens Axboe <axboe@kernel.dk>
      a26a35e9
    • Pavel Begunkov's avatar
      io_uring: cmpxchg for poll arm refs release · 2f389343
      Pavel Begunkov authored
      Replace atomically substracting the ownership reference at the end of
      arming a poll with a cmpxchg. We try to release ownership by setting 0
      assuming that poll_refs didn't change while we were arming. If it did
      change, we keep the ownership and use it to queue a tw, which is fully
      capable to process all events and (even tolerates spurious wake ups).
      
      It's a bit more elegant as we reduce races b/w setting the cancellation
      flag and getting refs with this release, and with that we don't have to
      worry about any kinds of underflows. It's not the fastest path for
      polling. The performance difference b/w cmpxchg and atomic dec is
      usually negligible and it's not the fastest path.
      
      Cc: stable@vger.kernel.org
      Fixes: aa43477b ("io_uring: poll rework")
      Signed-off-by: default avatarPavel Begunkov <asml.silence@gmail.com>
      Link: https://lore.kernel.org/r/0c95251624397ea6def568ff040cad2d7926fd51.1668963050.git.asml.silence@gmail.comSigned-off-by: default avatarJens Axboe <axboe@kernel.dk>
      2f389343
  3. 18 Nov, 2022 1 commit
  4. 17 Nov, 2022 4 commits
  5. 11 Nov, 2022 2 commits
  6. 10 Nov, 2022 1 commit
  7. 08 Nov, 2022 1 commit
    • Dylan Yudaken's avatar
      io_uring: calculate CQEs from the user visible value · 0fc8c2ac
      Dylan Yudaken authored
      io_cqring_wait (and it's wake function io_has_work) used cached_cq_tail in
      order to calculate the number of CQEs. cached_cq_tail is set strictly
      before the user visible rings->cq.tail
      
      However as far as userspace is concerned,  if io_uring_enter(2) is called
      with a minimum number of events, they will verify by checking
      rings->cq.tail.
      
      It is therefore possible for io_uring_enter(2) to return early with fewer
      events visible to the user.
      
      Instead make the wait functions read from the user visible value, so there
      will be no discrepency.
      
      This is triggered eventually by the following reproducer:
      
      struct io_uring_sqe *sqe;
      struct io_uring_cqe *cqe;
      unsigned int cqe_ready;
      struct io_uring ring;
      int ret, i;
      
      ret = io_uring_queue_init(N, &ring, 0);
      assert(!ret);
      while(true) {
      	for (i = 0; i < N; i++) {
      		sqe = io_uring_get_sqe(&ring);
      		io_uring_prep_nop(sqe);
      		sqe->flags |= IOSQE_ASYNC;
      	}
      	ret = io_uring_submit(&ring);
      	assert(ret == N);
      
      	do {
      		ret = io_uring_wait_cqes(&ring, &cqe, N, NULL, NULL);
      	} while(ret == -EINTR);
      	cqe_ready = io_uring_cq_ready(&ring);
      	assert(!ret);
      	assert(cqe_ready == N);
      	io_uring_cq_advance(&ring, N);
      }
      
      Fixes: ad3eb2c8 ("io_uring: split overflow state into SQ and CQ side")
      Signed-off-by: default avatarDylan Yudaken <dylany@meta.com>
      Link: https://lore.kernel.org/r/20221108153016.1854297-1-dylany@meta.comSigned-off-by: default avatarJens Axboe <axboe@kernel.dk>
      0fc8c2ac
  8. 06 Nov, 2022 1 commit
  9. 02 Nov, 2022 1 commit
  10. 27 Oct, 2022 2 commits
  11. 22 Oct, 2022 3 commits
  12. 20 Oct, 2022 1 commit
    • Rafael Mendonca's avatar
      io-wq: Fix memory leak in worker creation · 996d3efe
      Rafael Mendonca authored
      If the CPU mask allocation for a node fails, then the memory allocated for
      the 'io_wqe' struct of the current node doesn't get freed on the error
      handling path, since it has not yet been added to the 'wqes' array.
      
      This was spotted when fuzzing v6.1-rc1 with Syzkaller:
      BUG: memory leak
      unreferenced object 0xffff8880093d5000 (size 1024):
        comm "syz-executor.2", pid 7701, jiffies 4295048595 (age 13.900s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<00000000cb463369>] __kmem_cache_alloc_node+0x18e/0x720
          [<00000000147a3f9c>] kmalloc_node_trace+0x2a/0x130
          [<000000004e107011>] io_wq_create+0x7b9/0xdc0
          [<00000000c38b2018>] io_uring_alloc_task_context+0x31e/0x59d
          [<00000000867399da>] __io_uring_add_tctx_node.cold+0x19/0x1ba
          [<000000007e0e7a79>] io_uring_setup.cold+0x1b80/0x1dce
          [<00000000b545e9f6>] __x64_sys_io_uring_setup+0x5d/0x80
          [<000000008a8a7508>] do_syscall_64+0x5d/0x90
          [<000000004ac08bec>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Fixes: 0e03496d ("io-wq: use private CPU mask")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarRafael Mendonca <rafaelmendsr@gmail.com>
      Link: https://lore.kernel.org/r/20221020014710.902201-1-rafaelmendsr@gmail.comSigned-off-by: default avatarJens Axboe <axboe@kernel.dk>
      996d3efe
  13. 19 Oct, 2022 1 commit
    • Harshit Mogalapalli's avatar
      io_uring/msg_ring: Fix NULL pointer dereference in io_msg_send_fd() · 16bbdfe5
      Harshit Mogalapalli authored
      Syzkaller produced the below call trace:
      
       BUG: KASAN: null-ptr-deref in io_msg_ring+0x3cb/0x9f0
       Write of size 8 at addr 0000000000000070 by task repro/16399
      
       CPU: 0 PID: 16399 Comm: repro Not tainted 6.1.0-rc1 #28
       Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7
       Call Trace:
        <TASK>
        dump_stack_lvl+0xcd/0x134
        ? io_msg_ring+0x3cb/0x9f0
        kasan_report+0xbc/0xf0
        ? io_msg_ring+0x3cb/0x9f0
        kasan_check_range+0x140/0x190
        io_msg_ring+0x3cb/0x9f0
        ? io_msg_ring_prep+0x300/0x300
        io_issue_sqe+0x698/0xca0
        io_submit_sqes+0x92f/0x1c30
        __do_sys_io_uring_enter+0xae4/0x24b0
      ....
       RIP: 0033:0x7f2eaf8f8289
       RSP: 002b:00007fff40939718 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
       RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2eaf8f8289
       RDX: 0000000000000000 RSI: 0000000000006f71 RDI: 0000000000000004
       RBP: 00007fff409397a0 R08: 0000000000000000 R09: 0000000000000039
       R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004006d0
       R13: 00007fff40939880 R14: 0000000000000000 R15: 0000000000000000
        </TASK>
       Kernel panic - not syncing: panic_on_warn set ...
      
      We don't have a NULL check on file_ptr in io_msg_send_fd() function,
      so when file_ptr is NUL src_file is also NULL and get_file()
      dereferences a NULL pointer and leads to above crash.
      
      Add a NULL check to fix this issue.
      
      Fixes: e6130eba ("io_uring: add support for passing fixed file descriptors")
      Reported-by: default avatarsyzkaller <syzkaller@googlegroups.com>
      Signed-off-by: default avatarHarshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
      Link: https://lore.kernel.org/r/20221019171218.1337614-1-harshit.m.mogalapalli@oracle.comSigned-off-by: default avatarJens Axboe <axboe@kernel.dk>
      16bbdfe5
  14. 16 Oct, 2022 15 commits
    • Jens Axboe's avatar
      io_uring/rw: remove leftover debug statement · 5c61795e
      Jens Axboe authored
      This debug statement was never meant to go into the upstream release,
      kill it off before it ends up in a release. It was just part of the
      testing for the initial version of the patch.
      
      Fixes: 2ec33a6c ("io_uring/rw: ensure kiocb_end_write() is always called")
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      5c61795e
    • Pavel Begunkov's avatar
      io_uring: don't iopoll from io_ring_ctx_wait_and_kill() · 02bac94b
      Pavel Begunkov authored
      We should not be completing requests from a task context that has already
      undergone io_uring cancellations, i.e. __io_uring_cancel(), as there are
      some assumptions, e.g. around cached task refs draining. Remove
      iopolling from io_ring_ctx_wait_and_kill() as it can be called later
      after PF_EXITING is set with the last task_work run.
      Signed-off-by: default avatarPavel Begunkov <asml.silence@gmail.com>
      Link: https://lore.kernel.org/r/7c03cc91455c4a1af49c6b9cbda4e57ea467aa11.1665891182.git.asml.silence@gmail.comSigned-off-by: default avatarJens Axboe <axboe@kernel.dk>
      02bac94b
    • Pavel Begunkov's avatar
      io_uring: reuse io_alloc_req() · 34f0bc42
      Pavel Begunkov authored
      Don't duplicate io_alloc_req() in io_req_caches_free() but reuse the
      helper.
      Signed-off-by: default avatarPavel Begunkov <asml.silence@gmail.com>
      Link: https://lore.kernel.org/r/6005fc88274864a49fc3096c22d8bdd605cf8576.1665891182.git.asml.silence@gmail.comSigned-off-by: default avatarJens Axboe <axboe@kernel.dk>
      34f0bc42
    • Pavel Begunkov's avatar
      io_uring: kill hot path fixed file bitmap debug checks · 4d505951
      Pavel Begunkov authored
      We test file_table.bitmap in io_file_get_fixed() to check invariants,
      don't do it, it's expensive and was showing up in profiles. No reports of
      this triggering has come in. Move the check to the file clear instead,
      which will still catch any wrong usage.
      Signed-off-by: default avatarPavel Begunkov <asml.silence@gmail.com>
      Link: https://lore.kernel.org/r/cf77f2ded68d2e5b2bc7355784d969837d48e023.1665891182.git.asml.silence@gmail.comSigned-off-by: default avatarJens Axboe <axboe@kernel.dk>
      4d505951
    • Pavel Begunkov's avatar
      io_uring: remove FFS_SCM · 38eddb2c
      Pavel Begunkov authored
      THe lifetime of SCM'ed files is bound to ring_sock, which is destroyed
      strictly after we're done with registered file tables. This means there
      is no need for the FFS_SCM hack, which was not available on 32-bit builds
      anyway.
      Signed-off-by: default avatarPavel Begunkov <asml.silence@gmail.com>
      Link: https://lore.kernel.org/r/984226a1045adf42dc35d8bd7fb5a8bbfa472ce1.1665891182.git.asml.silence@gmail.comSigned-off-by: default avatarJens Axboe <axboe@kernel.dk>
      38eddb2c
    • Linus Torvalds's avatar
      Linux 6.1-rc1 · 9abf2313
      Linus Torvalds authored
      9abf2313
    • Linus Torvalds's avatar
      Merge tag 'random-6.1-rc1-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/crng/random · f1947d7c
      Linus Torvalds authored
      Pull more random number generator updates from Jason Donenfeld:
       "This time with some large scale treewide cleanups.
      
        The intent of this pull is to clean up the way callers fetch random
        integers. The current rules for doing this right are:
      
         - If you want a secure or an insecure random u64, use get_random_u64()
      
         - If you want a secure or an insecure random u32, use get_random_u32()
      
           The old function prandom_u32() has been deprecated for a while
           now and is just a wrapper around get_random_u32(). Same for
           get_random_int().
      
         - If you want a secure or an insecure random u16, use get_random_u16()
      
         - If you want a secure or an insecure random u8, use get_random_u8()
      
         - If you want secure or insecure random bytes, use get_random_bytes().
      
           The old function prandom_bytes() has been deprecated for a while
           now and has long been a wrapper around get_random_bytes()
      
         - If you want a non-uniform random u32, u16, or u8 bounded by a
           certain open interval maximum, use prandom_u32_max()
      
           I say "non-uniform", because it doesn't do any rejection sampling
           or divisions. Hence, it stays within the prandom_*() namespace, not
           the get_random_*() namespace.
      
           I'm currently investigating a "uniform" function for 6.2. We'll see
           what comes of that.
      
        By applying these rules uniformly, we get several benefits:
      
         - By using prandom_u32_max() with an upper-bound that the compiler
           can prove at compile-time is ≤65536 or ≤256, internally
           get_random_u16() or get_random_u8() is used, which wastes fewer
           batched random bytes, and hence has higher throughput.
      
         - By using prandom_u32_max() instead of %, when the upper-bound is
           not a constant, division is still avoided, because
           prandom_u32_max() uses a faster multiplication-based trick instead.
      
         - By using get_random_u16() or get_random_u8() in cases where the
           return value is intended to indeed be a u16 or a u8, we waste fewer
           batched random bytes, and hence have higher throughput.
      
        This series was originally done by hand while I was on an airplane
        without Internet. Later, Kees and I worked on retroactively figuring
        out what could be done with Coccinelle and what had to be done
        manually, and then we split things up based on that.
      
        So while this touches a lot of files, the actual amount of code that's
        hand fiddled is comfortably small"
      
      * tag 'random-6.1-rc1-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/crng/random:
        prandom: remove unused functions
        treewide: use get_random_bytes() when possible
        treewide: use get_random_u32() when possible
        treewide: use get_random_{u8,u16}() when possible, part 2
        treewide: use get_random_{u8,u16}() when possible, part 1
        treewide: use prandom_u32_max() when possible, part 2
        treewide: use prandom_u32_max() when possible, part 1
      f1947d7c
    • Linus Torvalds's avatar
      Merge tag 'perf-tools-for-v6.1-2-2022-10-16' of... · 8636df94
      Linus Torvalds authored
      Merge tag 'perf-tools-for-v6.1-2-2022-10-16' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux
      
      Pull more perf tools updates from Arnaldo Carvalho de Melo:
      
       - Use BPF CO-RE (Compile Once, Run Everywhere) to support old kernels
         when using bperf (perf BPF based counters) with cgroups.
      
       - Support HiSilicon PCIe Performance Monitoring Unit (PMU), that
         monitors bandwidth, latency, bus utilization and buffer occupancy.
      
         Documented in Documentation/admin-guide/perf/hisi-pcie-pmu.rst.
      
       - User space tasks can migrate between CPUs, so when tracing selected
         CPUs, system-wide sideband is still needed, fix it in the setup of
         Intel PT on hybrid systems.
      
       - Fix metricgroups title message in 'perf list', it should state that
         the metrics groups are to be used with the '-M' option, not '-e'.
      
       - Sync the msr-index.h copy with the kernel sources, adding support for
         using "AMD64_TSC_RATIO" in filter expressions in 'perf trace' as well
         as decoding it when printing the MSR tracepoint arguments.
      
       - Fix program header size and alignment when generating a JIT ELF in
         'perf inject'.
      
       - Add multiple new Intel PT 'perf test' entries, including a jitdump
         one.
      
       - Fix the 'perf test' entries for 'perf stat' CSV and JSON output when
         running on PowerPC due to an invalid topology number in that arch.
      
       - Fix the 'perf test' for arm_coresight failures on the ARM Juno
         system.
      
       - Fix the 'perf test' attr entry for PERF_FORMAT_LOST, adding this
         option to the or expression expected in the intercepted
         perf_event_open() syscall.
      
       - Add missing condition flags ('hs', 'lo', 'vc', 'vs') for arm64 in the
         'perf annotate' asm parser.
      
       - Fix 'perf mem record -C' option processing, it was being chopped up
         when preparing the underlying 'perf record -e mem-events' and thus
         being ignored, requiring using '-- -C CPUs' as a workaround.
      
       - Improvements and tidy ups for 'perf test' shell infra.
      
       - Fix Intel PT information printing segfault in uClibc, where a NULL
         format was being passed to fprintf.
      
      * tag 'perf-tools-for-v6.1-2-2022-10-16' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux: (23 commits)
        tools arch x86: Sync the msr-index.h copy with the kernel sources
        perf auxtrace arm64: Add support for parsing HiSilicon PCIe Trace packet
        perf auxtrace arm64: Add support for HiSilicon PCIe Tune and Trace device driver
        perf auxtrace arm: Refactor event list iteration in auxtrace_record__init()
        perf tests stat+json_output: Include sanity check for topology
        perf tests stat+csv_output: Include sanity check for topology
        perf intel-pt: Fix system_wide dummy event for hybrid
        perf intel-pt: Fix segfault in intel_pt_print_info() with uClibc
        perf test: Fix attr tests for PERF_FORMAT_LOST
        perf test: test_intel_pt.sh: Add 9 tests
        perf inject: Fix GEN_ELF_TEXT_OFFSET for jit
        perf test: test_intel_pt.sh: Add jitdump test
        perf test: test_intel_pt.sh: Tidy some alignment
        perf test: test_intel_pt.sh: Print a message when skipping kernel tracing
        perf test: test_intel_pt.sh: Tidy some perf record options
        perf test: test_intel_pt.sh: Fix return checking again
        perf: Skip and warn on unknown format 'configN' attrs
        perf list: Fix metricgroups title message
        perf mem: Fix -C option behavior for perf mem record
        perf annotate: Add missing condition flags for arm64
        ...
      8636df94
    • Linus Torvalds's avatar
      Merge tag 'kbuild-fixes-v6.1' of... · 2df76606
      Linus Torvalds authored
      Merge tag 'kbuild-fixes-v6.1' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
      
      Pull Kbuild fixes from Masahiro Yamada:
      
       - Fix CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y compile error for the
         combination of Clang >= 14 and GAS <= 2.35.
      
       - Drop vmlinux.bz2 from the rpm package as it just annoyingly increased
         the package size.
      
       - Fix modpost error under build environments using musl.
      
       - Make *.ll files keep value names for easier debugging
      
       - Fix single directory build
      
       - Prevent RISC-V from selecting the broken DWARF5 support when Clang
         and GAS are used together.
      
      * tag 'kbuild-fixes-v6.1' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
        lib/Kconfig.debug: Add check for non-constant .{s,u}leb128 support to DWARF5
        kbuild: fix single directory build
        kbuild: add -fno-discard-value-names to cmd_cc_ll_c
        scripts/clang-tools: Convert clang-tidy args to list
        modpost: put modpost options before argument
        kbuild: Stop including vmlinux.bz2 in the rpm's
        Kconfig.debug: add toolchain checks for DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT
        Kconfig.debug: simplify the dependency of DEBUG_INFO_DWARF4/5
      2df76606
    • Linus Torvalds's avatar
      Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · 2fcd8f10
      Linus Torvalds authored
      Pull more clk updates from Stephen Boyd:
       "This is the final part of the clk patches for this merge window.
      
        The clk rate range series needed another week to fully bake. Maxime
        fixed the bug that broke clk notifiers and prevented this from being
        included in the first pull request. He also added a unit test on top
        to make sure it doesn't break so easily again. The majority of the
        series fixes up how the clk_set_rate_*() APIs work, particularly
        around when the rate constraints are dropped and how they move around
        when reparenting clks. Overall it's a much needed improvement to the
        clk rate range APIs that used to be pretty broken if you looked
        sideways.
      
        Beyond the core changes there are a few driver fixes for a compilation
        issue or improper data causing clks to fail to register or have the
        wrong parents. These are good to get in before the first -rc so that
        the system actually boots on the affected devices"
      
      * tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux: (31 commits)
        clk: tegra: Fix Tegra PWM parent clock
        clk: at91: fix the build with binutils 2.27
        clk: qcom: gcc-msm8660: Drop hardcoded fixed board clocks
        clk: mediatek: clk-mux: Add .determine_rate() callback
        clk: tests: Add tests for notifiers
        clk: Update req_rate on __clk_recalc_rates()
        clk: tests: Add missing test case for ranges
        clk: qcom: clk-rcg2: Take clock boundaries into consideration for gfx3d
        clk: Introduce the clk_hw_get_rate_range function
        clk: Zero the clk_rate_request structure
        clk: Stop forwarding clk_rate_requests to the parent
        clk: Constify clk_has_parent()
        clk: Introduce clk_core_has_parent()
        clk: Switch from __clk_determine_rate to clk_core_round_rate_nolock
        clk: Add our request boundaries in clk_core_init_rate_req
        clk: Introduce clk_hw_init_rate_request()
        clk: Move clk_core_init_rate_req() from clk_core_round_rate_nolock() to its caller
        clk: Change clk_core_init_rate_req prototype
        clk: Set req_rate on reparenting
        clk: Take into account uncached clocks in clk_set_rate_range()
        ...
      2fcd8f10
    • Linus Torvalds's avatar
      Merge tag '6.1-rc-smb3-client-fixes-part2' of git://git.samba.org/sfrench/cifs-2.6 · b08cd744
      Linus Torvalds authored
      Pull more cifs updates from Steve French:
      
       - fix a regression in guest mounts to old servers
      
       - improvements to directory leasing (caching directory entries safely
         beyond the root directory)
      
       - symlink improvement (reducing roundtrips needed to process symlinks)
      
       - an lseek fix (to problem where some dir entries could be skipped)
      
       - improved ioctl for returning more detailed information on directory
         change notifications
      
       - clarify multichannel interface query warning
      
       - cleanup fix (for better aligning buffers using ALIGN and round_up)
      
       - a compounding fix
      
       - fix some uninitialized variable bugs found by Coverity and the kernel
         test robot
      
      * tag '6.1-rc-smb3-client-fixes-part2' of git://git.samba.org/sfrench/cifs-2.6:
        smb3: improve SMB3 change notification support
        cifs: lease key is uninitialized in two additional functions when smb1
        cifs: lease key is uninitialized in smb1 paths
        smb3: must initialize two ACL struct fields to zero
        cifs: fix double-fault crash during ntlmssp
        cifs: fix static checker warning
        cifs: use ALIGN() and round_up() macros
        cifs: find and use the dentry for cached non-root directories also
        cifs: enable caching of directories for which a lease is held
        cifs: prevent copying past input buffer boundaries
        cifs: fix uninitialised var in smb2_compound_op()
        cifs: improve symlink handling for smb2+
        smb3: clarify multichannel warning
        cifs: fix regression in very old smb1 mounts
        cifs: fix skipping to incorrect offset in emit_cached_dirents
      b08cd744
    • Tetsuo Handa's avatar
      Revert "cpumask: fix checking valid cpu range". · 80493877
      Tetsuo Handa authored
      This reverts commit 78e5a339 ("cpumask: fix checking valid cpu range").
      
      syzbot is hitting WARN_ON_ONCE(cpu >= nr_cpumask_bits) warning at
      cpu_max_bits_warn() [1], for commit 78e5a339 ("cpumask: fix checking
      valid cpu range") is broken.  Obviously that patch hits WARN_ON_ONCE()
      when e.g.  reading /proc/cpuinfo because passing "cpu + 1" instead of
      "cpu" will trivially hit cpu == nr_cpumask_bits condition.
      
      Although syzbot found this problem in linux-next.git on 2022/09/27 [2],
      this problem was not fixed immediately.  As a result, that patch was
      sent to linux.git before the patch author recognizes this problem, and
      syzbot started failing to test changes in linux.git since 2022/10/10
      [3].
      
      Andrew Jones proposed a fix for x86 and riscv architectures [4].  But
      [2] and [5] indicate that affected locations are not limited to arch
      code.  More delay before we find and fix affected locations, less tested
      kernel (and more difficult to bisect and fix) before release.
      
      We should have inspected and fixed basically all cpumask users before
      applying that patch.  We should not crash kernels in order to ask
      existing cpumask users to update their code, even if limited to
      CONFIG_DEBUG_PER_CPU_MAPS=y case.
      
      Link: https://syzkaller.appspot.com/bug?extid=d0fd2bf0dd6da72496dd [1]
      Link: https://syzkaller.appspot.com/bug?extid=21da700f3c9f0bc40150 [2]
      Link: https://syzkaller.appspot.com/bug?extid=51a652e2d24d53e75734 [3]
      Link: https://lkml.kernel.org/r/20221014155845.1986223-1-ajones@ventanamicro.com [4]
      Link: https://syzkaller.appspot.com/bug?extid=4d46c43d81c3bd155060 [5]
      Reported-by: default avatarAndrew Jones <ajones@ventanamicro.com>
      Reported-by: syzbot+d0fd2bf0dd6da72496dd@syzkaller.appspotmail.com
      Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Cc: Yury Norov <yury.norov@gmail.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      80493877
    • Nathan Chancellor's avatar
      lib/Kconfig.debug: Add check for non-constant .{s,u}leb128 support to DWARF5 · 0a6de78c
      Nathan Chancellor authored
      When building with a RISC-V kernel with DWARF5 debug info using clang
      and the GNU assembler, several instances of the following error appear:
      
        /tmp/vgettimeofday-48aa35.s:2963: Error: non-constant .uleb128 is not supported
      
      Dumping the .s file reveals these .uleb128 directives come from
      .debug_loc and .debug_ranges:
      
        .Ldebug_loc0:
                .byte   4                               # DW_LLE_offset_pair
                .uleb128 .Lfunc_begin0-.Lfunc_begin0    #   starting offset
                .uleb128 .Ltmp1-.Lfunc_begin0           #   ending offset
                .byte   1                               # Loc expr size
                .byte   90                              # DW_OP_reg10
                .byte   0                               # DW_LLE_end_of_list
      
        .Ldebug_ranges0:
                .byte   4                               # DW_RLE_offset_pair
                .uleb128 .Ltmp6-.Lfunc_begin0           #   starting offset
                .uleb128 .Ltmp27-.Lfunc_begin0          #   ending offset
                .byte   4                               # DW_RLE_offset_pair
                .uleb128 .Ltmp28-.Lfunc_begin0          #   starting offset
                .uleb128 .Ltmp30-.Lfunc_begin0          #   ending offset
                .byte   0                               # DW_RLE_end_of_list
      
      There is an outstanding binutils issue to support a non-constant operand
      to .sleb128 and .uleb128 in GAS for RISC-V but there does not appear to
      be any movement on it, due to concerns over how it would work with
      linker relaxation.
      
      To avoid these build errors, prevent DWARF5 from being selected when
      using clang and an assembler that does not have support for these symbol
      deltas, which can be easily checked in Kconfig with as-instr plus the
      small test program from the dwz test suite from the binutils issue.
      
      Link: https://sourceware.org/bugzilla/show_bug.cgi?id=27215
      Link: https://github.com/ClangBuiltLinux/linux/issues/1719Signed-off-by: default avatarNathan Chancellor <nathan@kernel.org>
      Reviewed-by: default avatarNick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: default avatarMasahiro Yamada <masahiroy@kernel.org>
      0a6de78c
    • Masahiro Yamada's avatar
      kbuild: fix single directory build · 3753af77
      Masahiro Yamada authored
      Commit f110e5a2 ("kbuild: refactor single builds of *.ko") was wrong.
      
      KBUILD_MODULES _is_ needed for single builds.
      
      Otherwise, "make foo/bar/baz/" does not build module objects at all.
      
      Fixes: f110e5a2 ("kbuild: refactor single builds of *.ko")
      Reported-by: default avatarDavid Sterba <dsterba@suse.cz>
      Signed-off-by: default avatarMasahiro Yamada <masahiroy@kernel.org>
      Tested-by: default avatarDavid Sterba <dsterba@suse.com>
      3753af77
    • Linus Torvalds's avatar
      Merge tag 'slab-for-6.1-rc1-hotfix' of git://git.kernel.org/pub/scm/linux/kernel/git/vbabka/slab · 1501278b
      Linus Torvalds authored
      Pull slab hotfix from Vlastimil Babka:
       "A single fix for the common-kmalloc series, for warnings on mips and
        sparc64 reported by Guenter Roeck"
      
      * tag 'slab-for-6.1-rc1-hotfix' of git://git.kernel.org/pub/scm/linux/kernel/git/vbabka/slab:
        mm/slab: use kmalloc_node() for off slab freelist_idx_t array allocation
      1501278b
  15. 15 Oct, 2022 1 commit