1. 08 Dec, 2022 24 commits
    • Linus Torvalds's avatar
      Merge tag 'io_uring-6.1-2022-12-08' of git://git.kernel.dk/linux · af145500
      Linus Torvalds authored
      Pull io_uring fix from Jens Axboe:
       "A single small fix for an issue related to ordering between
        cancelation and current->io_uring teardown"
      
      * tag 'io_uring-6.1-2022-12-08' of git://git.kernel.dk/linux:
        io_uring: Fix a null-ptr-deref in io_tctx_exit_cb()
      af145500
    • Linus Torvalds's avatar
      Merge tag 'net-6.1-rc9' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 010b6761
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from bluetooth, can and netfilter.
      
        Current release - new code bugs:
      
         - bonding: ipv6: correct address used in Neighbour Advertisement
           parsing (src vs dst typo)
      
         - fec: properly scope IRQ coalesce setup during link up to supported
           chips only
      
        Previous releases - regressions:
      
         - Bluetooth fixes for fake CSR clones (knockoffs):
             - re-add ERR_DATA_REPORTING quirk
             - fix crash when device is replugged
      
         - Bluetooth:
             - silence a user-triggerable dmesg error message
             - L2CAP: fix u8 overflow, oob access
             - correct vendor codec definition
             - fix support for Read Local Supported Codecs V2
      
         - ti: am65-cpsw: fix RGMII configuration at SPEED_10
      
         - mana: fix race on per-CQ variable NAPI work_done
      
        Previous releases - always broken:
      
         - af_unix: diag: fetch user_ns from in_skb in unix_diag_get_exact(),
           avoid null-deref
      
         - af_can: fix NULL pointer dereference in can_rcv_filter
      
         - can: slcan: fix UAF with a freed work
      
         - can: can327: flush TX_work on ldisc .close()
      
         - macsec: add missing attribute validation for offload
      
         - ipv6: avoid use-after-free in ip6_fragment()
      
         - nft_set_pipapo: actually validate intervals in fields after the
           first one
      
         - mvneta: prevent oob access in mvneta_config_rss()
      
         - ipv4: fix incorrect route flushing when table ID 0 is used, or when
           source address is deleted
      
         - phy: mxl-gpy: add workaround for IRQ bug on GPY215B and GPY215C"
      
      * tag 'net-6.1-rc9' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (77 commits)
        net: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing()
        s390/qeth: fix use-after-free in hsci
        macsec: add missing attribute validation for offload
        net: mvneta: Fix an out of bounds check
        net: thunderbolt: fix memory leak in tbnet_open()
        ipv6: avoid use-after-free in ip6_fragment()
        net: plip: don't call kfree_skb/dev_kfree_skb() under spin_lock_irq()
        net: phy: mxl-gpy: add MDINT workaround
        net: dsa: mv88e6xxx: accept phy-mode = "internal" for internal PHY ports
        xen/netback: don't call kfree_skb() under spin_lock_irqsave()
        dpaa2-switch: Fix memory leak in dpaa2_switch_acl_entry_add() and dpaa2_switch_acl_entry_remove()
        ethernet: aeroflex: fix potential skb leak in greth_init_rings()
        tipc: call tipc_lxc_xmit without holding node_read_lock
        can: esd_usb: Allow REC and TEC to return to zero
        can: can327: flush TX_work on ldisc .close()
        can: slcan: fix freed work crash
        can: af_can: fix NULL pointer dereference in can_rcv_filter
        net: dsa: sja1105: fix memory leak in sja1105_setup_devlink_regions()
        ipv4: Fix incorrect route flushing when table ID 0 is used
        ipv4: Fix incorrect route flushing when source address is deleted
        ...
      010b6761
    • Linus Torvalds's avatar
      Merge tag 'for-linus-2022120801' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid · ce19275f
      Linus Torvalds authored
      Pull HID fixes from Jiri Kosina:
       "A regression fix for handling Logitech HID++ devices and memory
        corruption fixes:
      
         - regression fix (revert) for catch-all handling of Logitech HID++
           Bluetooth devices; there are devices that turn out not to work with
           this, and the root cause is yet to be properly understood. So we
           are dropping it for now, and it will be revisited for 6.2 or 6.3
           (Benjamin Tissoires)
      
         - memory corruption fix in HID core (ZhangPeng)
      
         - memory corruption fix in hid-lg4ff (Anastasia Belova)
      
         - Kconfig fix for I2C_HID (Benjamin Tissoires)
      
         - a few device-id specific quirks that piggy-back on top of the
           important fixes above"
      
      * tag 'for-linus-2022120801' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid:
        Revert "HID: logitech-hidpp: Enable HID++ for all the Logitech Bluetooth devices"
        Revert "HID: logitech-hidpp: Remove special-casing of Bluetooth devices"
        HID: usbhid: Add ALWAYS_POLL quirk for some mice
        HID: core: fix shift-out-of-bounds in hid_report_raw_event
        HID: uclogic: Add HID_QUIRK_HIDINPUT_FORCE quirk
        HID: fix I2C_HID not selected when I2C_HID_OF_ELAN is
        HID: hid-lg4ff: Add check for empty lbuf
        HID: ite: Enable QUIRK_TOUCHPAD_ON_OFF_REPORT on Acer Aspire Switch V 10
        HID: uclogic: Fix frame templates for big endian architectures
      ce19275f
    • Linus Torvalds's avatar
      Merge tag 'soc-fixes-6.1-5' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc · f3e84166
      Linus Torvalds authored
      Pull ARM SoC fix from Arnd Bergmann:
       "One last build fix came in, addressing a link failure when building
        without CONFIG_OUTER_CACHE"
      
      * tag 'soc-fixes-6.1-5' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc:
        ARM: at91: fix build for SAMA5D3 w/o L2 cache
      f3e84166
    • Benjamin Tissoires's avatar
      Revert "HID: logitech-hidpp: Enable HID++ for all the Logitech Bluetooth devices" · a9d9e46c
      Benjamin Tissoires authored
      This reverts commit 532223c8.
      
      As reported in [0], hid-logitech-hidpp now binds on all bluetooth mice,
      but there are corner cases where hid-logitech-hidpp just gives up on
      the mouse. This leads the end user with a dead mouse.
      
      Given that we are at -rc8, we are definitively too late to find a proper
      fix. We already identified 2 issues less than 24 hours after the bug
      report. One in that ->match() was never designed to be used anywhere else
      than in hid-generic, and the other that hid-logitech-hidpp has corner
      cases where it gives up on devices it is not supposed to.
      
      So we have no choice but postpone this patch to the next kernel release.
      
      [0] https://lore.kernel.org/linux-input/CAJZ5v0g-_o4AqMgNwihCb0jrwrcJZfRrX=jv8aH54WNKO7QB8A@mail.gmail.com/Reported-by: default avatarRafael J . Wysocki <rjw@rjwysocki.net>
      Signed-off-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      a9d9e46c
    • Benjamin Tissoires's avatar
      Revert "HID: logitech-hidpp: Remove special-casing of Bluetooth devices" · 40f2432b
      Benjamin Tissoires authored
      This reverts commit 8544c812.
      
      We need to revert commit 532223c8 ("HID: logitech-hidpp: Enable HID++
      for all the Logitech Bluetooth devices") because that commit might make
      hid-logitech-hidpp bind on mice that are not well enough supported by
      hid-logitech-hidpp, and the end result is that the probe of those mice
      is now returning -ENODEV, leaving the end user with a dead mouse.
      
      Given that commit 8544c812 ("HID: logitech-hidpp: Remove special-casing
      of Bluetooth devices") is a direct dependency of 532223c8, revert it
      too.
      
      Note that this also adapt according to commit 908d325e ("HID:
      logitech-hidpp: Detect hi-res scrolling support") to re-add support of
      the devices that were removed from that commit too.
      
      I have locally an MX Master and I tested this device with that revert,
      ensuring we still have high-res scrolling.
      Reported-by: default avatarRafael J . Wysocki <rjw@rjwysocki.net>
      Signed-off-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      40f2432b
    • Linus Torvalds's avatar
      Merge tag 'loongarch-fixes-6.1-3' of... · 7f043b76
      Linus Torvalds authored
      Merge tag 'loongarch-fixes-6.1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson
      
      Pull LoongArch fixes from Huacai Chen:
       "Export smp_send_reschedule() for modules use, fix a huge page entry
        update issue, and add documents for booting description"
      
      * tag 'loongarch-fixes-6.1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson:
        docs/zh_CN: Add LoongArch booting description's translation
        docs/LoongArch: Add booting description
        LoongArch: mm: Fix huge page entry update for virtual machine
        LoongArch: Export symbol for function smp_send_reschedule()
      7f043b76
    • Linus Torvalds's avatar
      Merge tag 'for-linus-xsa-6.1-rc9b-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · a4c3a07e
      Linus Torvalds authored
      Pull xen fix from Juergen Gross:
       "A single fix for the recent security issue XSA-423"
      
      * tag 'for-linus-xsa-6.1-rc9b-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        xen/netback: fix build warning
      a4c3a07e
    • Linus Torvalds's avatar
      Merge tag 'gpio-fixes-for-v6.1' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux · 306ba240
      Linus Torvalds authored
      Pull gpio fixes from Bartosz Golaszewski:
      
       - fix a memory leak in gpiolib core
      
       - fix reference leaks in gpio-amd8111 and gpio-rockchip
      
      * tag 'gpio-fixes-for-v6.1' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux:
        gpio/rockchip: fix refcount leak in rockchip_gpiolib_register()
        gpio: amd8111: Fix PCI device reference count leak
        gpiolib: fix memory leak in gpiochip_setup_dev()
      306ba240
    • Linus Torvalds's avatar
      Merge tag 'ata-6.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata · 57fb3f66
      Linus Torvalds authored
      Pull ATA fix from Damien Le Moal:
      
       - Avoid a NULL pointer dereference in the libahci platform code that
         can happen on initialization when a device tree does not specify
         names for the adapter clocks (from Anders)
      
      * tag 'ata-6.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata:
        ata: libahci_platform: ahci_platform_find_clk: oops, NULL pointer
      57fb3f66
    • Tejun Heo's avatar
      memcg: Fix possible use-after-free in memcg_write_event_control() · fbf83212
      Tejun Heo authored
      memcg_write_event_control() accesses the dentry->d_name of the specified
      control fd to route the write call.  As a cgroup interface file can't be
      renamed, it's safe to access d_name as long as the specified file is a
      regular cgroup file.  Also, as these cgroup interface files can't be
      removed before the directory, it's safe to access the parent too.
      
      Prior to 347c4a87 ("memcg: remove cgroup_event->cft"), there was a
      call to __file_cft() which verified that the specified file is a regular
      cgroupfs file before further accesses.  The cftype pointer returned from
      __file_cft() was no longer necessary and the commit inadvertently
      dropped the file type check with it allowing any file to slip through.
      With the invarients broken, the d_name and parent accesses can now race
      against renames and removals of arbitrary files and cause
      use-after-free's.
      
      Fix the bug by resurrecting the file type check in __file_cft().  Now
      that cgroupfs is implemented through kernfs, checking the file
      operations needs to go through a layer of indirection.  Instead, let's
      check the superblock and dentry type.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Fixes: 347c4a87 ("memcg: remove cgroup_event->cft")
      Cc: stable@kernel.org # v3.14+
      Reported-by: default avatarJann Horn <jannh@google.com>
      Acked-by: default avatarJohannes Weiner <hannes@cmpxchg.org>
      Acked-by: default avatarRoman Gushchin <roman.gushchin@linux.dev>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      fbf83212
    • Radu Nicolae Pirea (OSS)'s avatar
      net: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing() · f8bac7f9
      Radu Nicolae Pirea (OSS) authored
      The SJA1105 family has 45 L2 policing table entries
      (SJA1105_MAX_L2_POLICING_COUNT) and SJA1110 has 110
      (SJA1110_MAX_L2_POLICING_COUNT). Keeping the table structure but
      accounting for the difference in port count (5 in SJA1105 vs 10 in
      SJA1110) does not fully explain the difference. Rather, the SJA1110 also
      has L2 ingress policers for multicast traffic. If a packet is classified
      as multicast, it will be processed by the policer index 99 + SRCPORT.
      
      The sja1105_init_l2_policing() function initializes all L2 policers such
      that they don't interfere with normal packet reception by default. To have
      a common code between SJA1105 and SJA1110, the index of the multicast
      policer for the port is calculated because it's an index that is out of
      bounds for SJA1105 but in bounds for SJA1110, and a bounds check is
      performed.
      
      The code fails to do the proper thing when determining what to do with the
      multicast policer of port 0 on SJA1105 (ds->num_ports = 5). The "mcast"
      index will be equal to 45, which is also equal to
      table->ops->max_entry_count (SJA1105_MAX_L2_POLICING_COUNT). So it passes
      through the check. But at the same time, SJA1105 doesn't have multicast
      policers. So the code programs the SHARINDX field of an out-of-bounds
      element in the L2 Policing table of the static config.
      
      The comparison between index 45 and 45 entries should have determined the
      code to not access this policer index on SJA1105, since its memory wasn't
      even allocated.
      
      With enough bad luck, the out-of-bounds write could even overwrite other
      valid kernel data, but in this case, the issue was detected using KASAN.
      
      Kernel log:
      
      sja1105 spi5.0: Probed switch chip: SJA1105Q
      ==================================================================
      BUG: KASAN: slab-out-of-bounds in sja1105_setup+0x1cbc/0x2340
      Write of size 8 at addr ffffff880bd57708 by task kworker/u8:0/8
      ...
      Workqueue: events_unbound deferred_probe_work_func
      Call trace:
      ...
      sja1105_setup+0x1cbc/0x2340
      dsa_register_switch+0x1284/0x18d0
      sja1105_probe+0x748/0x840
      ...
      Allocated by task 8:
      ...
      sja1105_setup+0x1bcc/0x2340
      dsa_register_switch+0x1284/0x18d0
      sja1105_probe+0x748/0x840
      ...
      
      Fixes: 38fbe91f ("net: dsa: sja1105: configure the multicast policers, if present")
      CC: stable@vger.kernel.org # 5.15+
      Signed-off-by: default avatarRadu Nicolae Pirea (OSS) <radu-nicolae.pirea@oss.nxp.com>
      Reviewed-by: default avatarVladimir Oltean <olteanv@gmail.com>
      Link: https://lore.kernel.org/r/20221207132347.38698-1-radu-nicolae.pirea@oss.nxp.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      f8bac7f9
    • Alexandra Winter's avatar
      s390/qeth: fix use-after-free in hsci · ebaaadc3
      Alexandra Winter authored
      KASAN found that addr was dereferenced after br2dev_event_work was freed.
      
      ==================================================================
      BUG: KASAN: use-after-free in qeth_l2_br2dev_worker+0x5ba/0x6b0
      Read of size 1 at addr 00000000fdcea440 by task kworker/u760:4/540
      CPU: 17 PID: 540 Comm: kworker/u760:4 Tainted: G            E      6.1.0-20221128.rc7.git1.5aa3bed4ce83.300.fc36.s390x+kasan #1
      Hardware name: IBM 8561 T01 703 (LPAR)
      Workqueue: 0.0.8000_event qeth_l2_br2dev_worker
      Call Trace:
       [<000000016944d4ce>] dump_stack_lvl+0xc6/0xf8
       [<000000016942cd9c>] print_address_description.constprop.0+0x34/0x2a0
       [<000000016942d118>] print_report+0x110/0x1f8
       [<0000000167a7bd04>] kasan_report+0xfc/0x128
       [<000000016938d79a>] qeth_l2_br2dev_worker+0x5ba/0x6b0
       [<00000001673edd1e>] process_one_work+0x76e/0x1128
       [<00000001673ee85c>] worker_thread+0x184/0x1098
       [<000000016740718a>] kthread+0x26a/0x310
       [<00000001672c606a>] __ret_from_fork+0x8a/0xe8
       [<00000001694711da>] ret_from_fork+0xa/0x40
      Allocated by task 108338:
       kasan_save_stack+0x40/0x68
       kasan_set_track+0x36/0x48
       __kasan_kmalloc+0xa0/0xc0
       qeth_l2_switchdev_event+0x25a/0x738
       atomic_notifier_call_chain+0x9c/0xf8
       br_switchdev_fdb_notify+0xf4/0x110
       fdb_notify+0x122/0x180
       fdb_add_entry.constprop.0.isra.0+0x312/0x558
       br_fdb_add+0x59e/0x858
       rtnl_fdb_add+0x58a/0x928
       rtnetlink_rcv_msg+0x5f8/0x8d8
       netlink_rcv_skb+0x1f2/0x408
       netlink_unicast+0x570/0x790
       netlink_sendmsg+0x752/0xbe0
       sock_sendmsg+0xca/0x110
       ____sys_sendmsg+0x510/0x6a8
       ___sys_sendmsg+0x12a/0x180
       __sys_sendmsg+0xe6/0x168
       __do_sys_socketcall+0x3c8/0x468
       do_syscall+0x22c/0x328
       __do_syscall+0x94/0xf0
       system_call+0x82/0xb0
      Freed by task 540:
       kasan_save_stack+0x40/0x68
       kasan_set_track+0x36/0x48
       kasan_save_free_info+0x4c/0x68
       ____kasan_slab_free+0x14e/0x1a8
       __kasan_slab_free+0x24/0x30
       __kmem_cache_free+0x168/0x338
       qeth_l2_br2dev_worker+0x154/0x6b0
       process_one_work+0x76e/0x1128
       worker_thread+0x184/0x1098
       kthread+0x26a/0x310
       __ret_from_fork+0x8a/0xe8
       ret_from_fork+0xa/0x40
      Last potentially related work creation:
       kasan_save_stack+0x40/0x68
       __kasan_record_aux_stack+0xbe/0xd0
       insert_work+0x56/0x2e8
       __queue_work+0x4ce/0xd10
       queue_work_on+0xf4/0x100
       qeth_l2_switchdev_event+0x520/0x738
       atomic_notifier_call_chain+0x9c/0xf8
       br_switchdev_fdb_notify+0xf4/0x110
       fdb_notify+0x122/0x180
       fdb_add_entry.constprop.0.isra.0+0x312/0x558
       br_fdb_add+0x59e/0x858
       rtnl_fdb_add+0x58a/0x928
       rtnetlink_rcv_msg+0x5f8/0x8d8
       netlink_rcv_skb+0x1f2/0x408
       netlink_unicast+0x570/0x790
       netlink_sendmsg+0x752/0xbe0
       sock_sendmsg+0xca/0x110
       ____sys_sendmsg+0x510/0x6a8
       ___sys_sendmsg+0x12a/0x180
       __sys_sendmsg+0xe6/0x168
       __do_sys_socketcall+0x3c8/0x468
       do_syscall+0x22c/0x328
       __do_syscall+0x94/0xf0
       system_call+0x82/0xb0
      Second to last potentially related work creation:
       kasan_save_stack+0x40/0x68
       __kasan_record_aux_stack+0xbe/0xd0
       kvfree_call_rcu+0xb2/0x760
       kernfs_unlink_open_file+0x348/0x430
       kernfs_fop_release+0xc2/0x320
       __fput+0x1ae/0x768
       task_work_run+0x1bc/0x298
       exit_to_user_mode_prepare+0x1a0/0x1a8
       __do_syscall+0x94/0xf0
       system_call+0x82/0xb0
      The buggy address belongs to the object at 00000000fdcea400
       which belongs to the cache kmalloc-96 of size 96
      The buggy address is located 64 bytes inside of
       96-byte region [00000000fdcea400, 00000000fdcea460)
      The buggy address belongs to the physical page:
      page:000000005a9c26e8 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xfdcea
      flags: 0x3ffff00000000200(slab|node=0|zone=1|lastcpupid=0x1ffff)
      raw: 3ffff00000000200 0000000000000000 0000000100000122 000000008008cc00
      raw: 0000000000000000 0020004100000000 ffffffff00000001 0000000000000000
      page dumped because: kasan: bad access detected
      Memory state around the buggy address:
       00000000fdcea300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
       00000000fdcea380: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
      >00000000fdcea400: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                                                 ^
       00000000fdcea480: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
       00000000fdcea500: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
      ==================================================================
      
      Fixes: f7936b7b ("s390/qeth: Update MACs of LEARNING_SYNC device")
      Reported-by: default avatarThorsten Winkler <twinkler@linux.ibm.com>
      Signed-off-by: default avatarAlexandra Winter <wintera@linux.ibm.com>
      Reviewed-by: default avatarWenjia Zhang <wenjia@linux.ibm.com>
      Reviewed-by: default avatarThorsten Winkler <twinkler@linux.ibm.com>
      Link: https://lore.kernel.org/r/20221207105304.20494-1-wintera@linux.ibm.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ebaaadc3
    • Emeel Hakim's avatar
      macsec: add missing attribute validation for offload · 38099024
      Emeel Hakim authored
      Add missing attribute validation for IFLA_MACSEC_OFFLOAD
      to the netlink policy.
      
      Fixes: 791bb3fc ("net: macsec: add support for specifying offload upon link creation")
      Signed-off-by: default avatarEmeel Hakim <ehakim@nvidia.com>
      Reviewed-by: default avatarJiri Pirko <jiri@nvidia.com>
      Reviewed-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Link: https://lore.kernel.org/r/20221207101618.989-1-ehakim@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      38099024
    • Dan Carpenter's avatar
      net: mvneta: Fix an out of bounds check · cdd97383
      Dan Carpenter authored
      In an earlier commit, I added a bounds check to prevent an out of bounds
      read and a WARN().  On further discussion and consideration that check
      was probably too aggressive.  Instead of returning -EINVAL, a better fix
      would be to just prevent the out of bounds read but continue the process.
      
      Background: The value of "pp->rxq_def" is a number between 0-7 by default,
      or even higher depending on the value of "rxq_number", which is a module
      parameter. If the value is more than the number of available CPUs then
      it will trigger the WARN() in cpu_max_bits_warn().
      
      Fixes: e8b4fc13 ("net: mvneta: Prevent out of bounds read in mvneta_config_rss()")
      Signed-off-by: default avatarDan Carpenter <error27@gmail.com>
      Reviewed-by: default avatarLeon Romanovsky <leonro@nvidia.com>
      Link: https://lore.kernel.org/r/Y5A7d1E5ccwHTYPf@kadamSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      cdd97383
    • Zhengchao Shao's avatar
      net: thunderbolt: fix memory leak in tbnet_open() · ed14e590
      Zhengchao Shao authored
      When tb_ring_alloc_rx() failed in tbnet_open(), ida that allocated in
      tb_xdomain_alloc_out_hopid() is not released. Add
      tb_xdomain_release_out_hopid() to the error path to release ida.
      
      Fixes: 180b0689 ("thunderbolt: Allow multiple DMA tunnels over a single XDomain connection")
      Signed-off-by: default avatarZhengchao Shao <shaozhengchao@huawei.com>
      Acked-by: default avatarMika Westerberg <mika.westerberg@linux.intel.com>
      Reviewed-by: default avatarJiri Pirko <jiri@nvidia.com>
      Link: https://lore.kernel.org/r/20221207015001.1755826-1-shaozhengchao@huawei.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ed14e590
    • Yanteng Si's avatar
      docs/zh_CN: Add LoongArch booting description's translation · 1385313d
      Yanteng Si authored
      Translate ../loongarch/booting.rst into Chinese.
      Suggested-by: default avatarXiaotian Wu <wuxiaotian@loongson.cn>
      Signed-off-by: default avatarYanteng Si <siyanteng@loongson.cn>
      Signed-off-by: default avatarHuacai Chen <chenhuacai@loongson.cn>
      1385313d
    • Yanteng Si's avatar
      docs/LoongArch: Add booting description · 38eb496d
      Yanteng Si authored
      1, Describe the information passed from BootLoader to kernel.
      2, Describe the meaning and values of the kernel image header field.
      Suggested-by: default avatarXiaotian Wu <wuxiaotian@loongson.cn>
      Signed-off-by: default avatarYanteng Si <siyanteng@loongson.cn>
      Signed-off-by: default avatarHuacai Chen <chenhuacai@loongson.cn>
      38eb496d
    • Huacai Chen's avatar
      LoongArch: mm: Fix huge page entry update for virtual machine · b681604e
      Huacai Chen authored
      In virtual machine (guest mode), the tlbwr instruction can not write the
      last entry of MTLB, so we need to make it non-present by invtlb and then
      write it by tlbfill. This also simplify the whole logic.
      Signed-off-by: default avatarRui Wang <wangrui@loongson.cn>
      Signed-off-by: default avatarHuacai Chen <chenhuacai@loongson.cn>
      b681604e
    • Bibo Mao's avatar
      LoongArch: Export symbol for function smp_send_reschedule() · 143d64bd
      Bibo Mao authored
      Function smp_send_reschedule() is standard kernel API, which is defined
      in header file include/linux/smp.h. However, on LoongArch it is defined
      as an inline function, this is confusing and kernel modules can not use
      this function.
      
      Now we define smp_send_reschedule() as a general function, and add a
      EXPORT_SYMBOL_GPL on this function, so that kernel modules can use it.
      Signed-off-by: default avatarBibo Mao <maobibo@loongson.cn>
      Signed-off-by: default avatarHuacai Chen <chenhuacai@loongson.cn>
      143d64bd
    • Eric Dumazet's avatar
      ipv6: avoid use-after-free in ip6_fragment() · 803e8486
      Eric Dumazet authored
      Blamed commit claimed rcu_read_lock() was held by ip6_fragment() callers.
      
      It seems to not be always true, at least for UDP stack.
      
      syzbot reported:
      
      BUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:245 [inline]
      BUG: KASAN: use-after-free in ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951
      Read of size 8 at addr ffff88801d403e80 by task syz-executor.3/7618
      
      CPU: 1 PID: 7618 Comm: syz-executor.3 Not tainted 6.1.0-rc6-syzkaller-00012-g4312098b #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
      Call Trace:
       <TASK>
       __dump_stack lib/dump_stack.c:88 [inline]
       dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
       print_address_description mm/kasan/report.c:284 [inline]
       print_report+0x15e/0x45d mm/kasan/report.c:395
       kasan_report+0xbf/0x1f0 mm/kasan/report.c:495
       ip6_dst_idev include/net/ip6_fib.h:245 [inline]
       ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951
       __ip6_finish_output net/ipv6/ip6_output.c:193 [inline]
       ip6_finish_output+0x9a3/0x1170 net/ipv6/ip6_output.c:206
       NF_HOOK_COND include/linux/netfilter.h:291 [inline]
       ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227
       dst_output include/net/dst.h:445 [inline]
       ip6_local_out+0xb3/0x1a0 net/ipv6/output_core.c:161
       ip6_send_skb+0xbb/0x340 net/ipv6/ip6_output.c:1966
       udp_v6_send_skb+0x82a/0x18a0 net/ipv6/udp.c:1286
       udp_v6_push_pending_frames+0x140/0x200 net/ipv6/udp.c:1313
       udpv6_sendmsg+0x18da/0x2c80 net/ipv6/udp.c:1606
       inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665
       sock_sendmsg_nosec net/socket.c:714 [inline]
       sock_sendmsg+0xd3/0x120 net/socket.c:734
       sock_write_iter+0x295/0x3d0 net/socket.c:1108
       call_write_iter include/linux/fs.h:2191 [inline]
       new_sync_write fs/read_write.c:491 [inline]
       vfs_write+0x9ed/0xdd0 fs/read_write.c:584
       ksys_write+0x1ec/0x250 fs/read_write.c:637
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd
      RIP: 0033:0x7fde3588c0d9
      Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007fde365b6168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
      RAX: ffffffffffffffda RBX: 00007fde359ac050 RCX: 00007fde3588c0d9
      RDX: 000000000000ffdc RSI: 00000000200000c0 RDI: 000000000000000a
      RBP: 00007fde358e7ae9 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
      R13: 00007fde35acfb1f R14: 00007fde365b6300 R15: 0000000000022000
       </TASK>
      
      Allocated by task 7618:
       kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
       kasan_set_track+0x25/0x30 mm/kasan/common.c:52
       __kasan_slab_alloc+0x82/0x90 mm/kasan/common.c:325
       kasan_slab_alloc include/linux/kasan.h:201 [inline]
       slab_post_alloc_hook mm/slab.h:737 [inline]
       slab_alloc_node mm/slub.c:3398 [inline]
       slab_alloc mm/slub.c:3406 [inline]
       __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
       kmem_cache_alloc+0x2b4/0x3d0 mm/slub.c:3422
       dst_alloc+0x14a/0x1f0 net/core/dst.c:92
       ip6_dst_alloc+0x32/0xa0 net/ipv6/route.c:344
       ip6_rt_pcpu_alloc net/ipv6/route.c:1369 [inline]
       rt6_make_pcpu_route net/ipv6/route.c:1417 [inline]
       ip6_pol_route+0x901/0x1190 net/ipv6/route.c:2254
       pol_lookup_func include/net/ip6_fib.h:582 [inline]
       fib6_rule_lookup+0x52e/0x6f0 net/ipv6/fib6_rules.c:121
       ip6_route_output_flags_noref+0x2e6/0x380 net/ipv6/route.c:2625
       ip6_route_output_flags+0x76/0x320 net/ipv6/route.c:2638
       ip6_route_output include/net/ip6_route.h:98 [inline]
       ip6_dst_lookup_tail+0x5ab/0x1620 net/ipv6/ip6_output.c:1092
       ip6_dst_lookup_flow+0x90/0x1d0 net/ipv6/ip6_output.c:1222
       ip6_sk_dst_lookup_flow+0x553/0x980 net/ipv6/ip6_output.c:1260
       udpv6_sendmsg+0x151d/0x2c80 net/ipv6/udp.c:1554
       inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665
       sock_sendmsg_nosec net/socket.c:714 [inline]
       sock_sendmsg+0xd3/0x120 net/socket.c:734
       __sys_sendto+0x23a/0x340 net/socket.c:2117
       __do_sys_sendto net/socket.c:2129 [inline]
       __se_sys_sendto net/socket.c:2125 [inline]
       __x64_sys_sendto+0xe1/0x1b0 net/socket.c:2125
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Freed by task 7599:
       kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
       kasan_set_track+0x25/0x30 mm/kasan/common.c:52
       kasan_save_free_info+0x2e/0x40 mm/kasan/generic.c:511
       ____kasan_slab_free mm/kasan/common.c:236 [inline]
       ____kasan_slab_free+0x160/0x1c0 mm/kasan/common.c:200
       kasan_slab_free include/linux/kasan.h:177 [inline]
       slab_free_hook mm/slub.c:1724 [inline]
       slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1750
       slab_free mm/slub.c:3661 [inline]
       kmem_cache_free+0xee/0x5c0 mm/slub.c:3683
       dst_destroy+0x2ea/0x400 net/core/dst.c:127
       rcu_do_batch kernel/rcu/tree.c:2250 [inline]
       rcu_core+0x81f/0x1980 kernel/rcu/tree.c:2510
       __do_softirq+0x1fb/0xadc kernel/softirq.c:571
      
      Last potentially related work creation:
       kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
       __kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481
       call_rcu+0x9d/0x820 kernel/rcu/tree.c:2798
       dst_release net/core/dst.c:177 [inline]
       dst_release+0x7d/0xe0 net/core/dst.c:167
       refdst_drop include/net/dst.h:256 [inline]
       skb_dst_drop include/net/dst.h:268 [inline]
       skb_release_head_state+0x250/0x2a0 net/core/skbuff.c:838
       skb_release_all net/core/skbuff.c:852 [inline]
       __kfree_skb net/core/skbuff.c:868 [inline]
       kfree_skb_reason+0x151/0x4b0 net/core/skbuff.c:891
       kfree_skb_list_reason+0x4b/0x70 net/core/skbuff.c:901
       kfree_skb_list include/linux/skbuff.h:1227 [inline]
       ip6_fragment+0x2026/0x2770 net/ipv6/ip6_output.c:949
       __ip6_finish_output net/ipv6/ip6_output.c:193 [inline]
       ip6_finish_output+0x9a3/0x1170 net/ipv6/ip6_output.c:206
       NF_HOOK_COND include/linux/netfilter.h:291 [inline]
       ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227
       dst_output include/net/dst.h:445 [inline]
       ip6_local_out+0xb3/0x1a0 net/ipv6/output_core.c:161
       ip6_send_skb+0xbb/0x340 net/ipv6/ip6_output.c:1966
       udp_v6_send_skb+0x82a/0x18a0 net/ipv6/udp.c:1286
       udp_v6_push_pending_frames+0x140/0x200 net/ipv6/udp.c:1313
       udpv6_sendmsg+0x18da/0x2c80 net/ipv6/udp.c:1606
       inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665
       sock_sendmsg_nosec net/socket.c:714 [inline]
       sock_sendmsg+0xd3/0x120 net/socket.c:734
       sock_write_iter+0x295/0x3d0 net/socket.c:1108
       call_write_iter include/linux/fs.h:2191 [inline]
       new_sync_write fs/read_write.c:491 [inline]
       vfs_write+0x9ed/0xdd0 fs/read_write.c:584
       ksys_write+0x1ec/0x250 fs/read_write.c:637
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Second to last potentially related work creation:
       kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
       __kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481
       call_rcu+0x9d/0x820 kernel/rcu/tree.c:2798
       dst_release net/core/dst.c:177 [inline]
       dst_release+0x7d/0xe0 net/core/dst.c:167
       refdst_drop include/net/dst.h:256 [inline]
       skb_dst_drop include/net/dst.h:268 [inline]
       __dev_queue_xmit+0x1b9d/0x3ba0 net/core/dev.c:4211
       dev_queue_xmit include/linux/netdevice.h:3008 [inline]
       neigh_resolve_output net/core/neighbour.c:1552 [inline]
       neigh_resolve_output+0x51b/0x840 net/core/neighbour.c:1532
       neigh_output include/net/neighbour.h:546 [inline]
       ip6_finish_output2+0x56c/0x1530 net/ipv6/ip6_output.c:134
       __ip6_finish_output net/ipv6/ip6_output.c:195 [inline]
       ip6_finish_output+0x694/0x1170 net/ipv6/ip6_output.c:206
       NF_HOOK_COND include/linux/netfilter.h:291 [inline]
       ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227
       dst_output include/net/dst.h:445 [inline]
       NF_HOOK include/linux/netfilter.h:302 [inline]
       NF_HOOK include/linux/netfilter.h:296 [inline]
       mld_sendpack+0xa09/0xe70 net/ipv6/mcast.c:1820
       mld_send_cr net/ipv6/mcast.c:2121 [inline]
       mld_ifc_work+0x720/0xdc0 net/ipv6/mcast.c:2653
       process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
       worker_thread+0x669/0x1090 kernel/workqueue.c:2436
       kthread+0x2e8/0x3a0 kernel/kthread.c:376
       ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
      
      The buggy address belongs to the object at ffff88801d403dc0
       which belongs to the cache ip6_dst_cache of size 240
      The buggy address is located 192 bytes inside of
       240-byte region [ffff88801d403dc0, ffff88801d403eb0)
      
      The buggy address belongs to the physical page:
      page:ffffea00007500c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d403
      memcg:ffff888022f49c81
      flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
      raw: 00fff00000000200 ffffea0001ef6580 dead000000000002 ffff88814addf640
      raw: 0000000000000000 00000000800c000c 00000001ffffffff ffff888022f49c81
      page dumped because: kasan: bad access detected
      page_owner tracks the page as allocated
      page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL), pid 3719, tgid 3719 (kworker/0:6), ts 136223432244, free_ts 136222971441
       prep_new_page mm/page_alloc.c:2539 [inline]
       get_page_from_freelist+0x10b5/0x2d50 mm/page_alloc.c:4288
       __alloc_pages+0x1cb/0x5b0 mm/page_alloc.c:5555
       alloc_pages+0x1aa/0x270 mm/mempolicy.c:2285
       alloc_slab_page mm/slub.c:1794 [inline]
       allocate_slab+0x213/0x300 mm/slub.c:1939
       new_slab mm/slub.c:1992 [inline]
       ___slab_alloc+0xa91/0x1400 mm/slub.c:3180
       __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3279
       slab_alloc_node mm/slub.c:3364 [inline]
       slab_alloc mm/slub.c:3406 [inline]
       __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
       kmem_cache_alloc+0x31a/0x3d0 mm/slub.c:3422
       dst_alloc+0x14a/0x1f0 net/core/dst.c:92
       ip6_dst_alloc+0x32/0xa0 net/ipv6/route.c:344
       icmp6_dst_alloc+0x71/0x680 net/ipv6/route.c:3261
       mld_sendpack+0x5de/0xe70 net/ipv6/mcast.c:1809
       mld_send_cr net/ipv6/mcast.c:2121 [inline]
       mld_ifc_work+0x720/0xdc0 net/ipv6/mcast.c:2653
       process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
       worker_thread+0x669/0x1090 kernel/workqueue.c:2436
       kthread+0x2e8/0x3a0 kernel/kthread.c:376
       ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
      page last free stack trace:
       reset_page_owner include/linux/page_owner.h:24 [inline]
       free_pages_prepare mm/page_alloc.c:1459 [inline]
       free_pcp_prepare+0x65c/0xd90 mm/page_alloc.c:1509
       free_unref_page_prepare mm/page_alloc.c:3387 [inline]
       free_unref_page+0x1d/0x4d0 mm/page_alloc.c:3483
       __unfreeze_partials+0x17c/0x1a0 mm/slub.c:2586
       qlink_free mm/kasan/quarantine.c:168 [inline]
       qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
       kasan_quarantine_reduce+0x184/0x210 mm/kasan/quarantine.c:294
       __kasan_slab_alloc+0x66/0x90 mm/kasan/common.c:302
       kasan_slab_alloc include/linux/kasan.h:201 [inline]
       slab_post_alloc_hook mm/slab.h:737 [inline]
       slab_alloc_node mm/slub.c:3398 [inline]
       kmem_cache_alloc_node+0x304/0x410 mm/slub.c:3443
       __alloc_skb+0x214/0x300 net/core/skbuff.c:497
       alloc_skb include/linux/skbuff.h:1267 [inline]
       netlink_alloc_large_skb net/netlink/af_netlink.c:1191 [inline]
       netlink_sendmsg+0x9a6/0xe10 net/netlink/af_netlink.c:1896
       sock_sendmsg_nosec net/socket.c:714 [inline]
       sock_sendmsg+0xd3/0x120 net/socket.c:734
       __sys_sendto+0x23a/0x340 net/socket.c:2117
       __do_sys_sendto net/socket.c:2129 [inline]
       __se_sys_sendto net/socket.c:2125 [inline]
       __x64_sys_sendto+0xe1/0x1b0 net/socket.c:2125
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Fixes: 1758fd46 ("ipv6: remove unnecessary dst_hold() in ip6_fragment()")
      Reported-by: syzbot+8c0ac31aa9681abb9e2d@syzkaller.appspotmail.com
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Wei Wang <weiwan@google.com>
      Cc: Martin KaFai Lau <kafai@fb.com>
      Link: https://lore.kernel.org/r/20221206101351.2037285-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      803e8486
    • Yang Yingliang's avatar
      net: plip: don't call kfree_skb/dev_kfree_skb() under spin_lock_irq() · 7d8c19bf
      Yang Yingliang authored
      It is not allowed to call kfree_skb() or consume_skb() from
      hardware interrupt context or with interrupts being disabled.
      So replace kfree_skb/dev_kfree_skb() with dev_kfree_skb_irq()
      and dev_consume_skb_irq() under spin_lock_irq().
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
      Reviewed-by: default avatarJiri Pirko <jiri@nvidia.com>
      Link: https://lore.kernel.org/r/20221207015310.2984909-1-yangyingliang@huawei.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      7d8c19bf
    • Michael Walle's avatar
      net: phy: mxl-gpy: add MDINT workaround · 5f4d487d
      Michael Walle authored
      At least the GPY215B and GPY215C has a bug where it is still driving the
      interrupt line (MDINT) even after the interrupt status register is read
      and its bits are cleared. This will cause an interrupt storm.
      
      Although the MDINT is multiplexed with a GPIO pin and theoretically we
      could switch the pinmux to GPIO input mode, this isn't possible because
      the access to this register will stall exactly as long as the interrupt
      line is asserted. We exploit this very fact and just read a random
      internal register in our interrupt handler. This way, it will be delayed
      until the external interrupt line is released and an interrupt storm is
      avoided.
      
      The internal register access via the mailbox was deduced by looking at
      the downstream PHY API because the datasheet doesn't mention any of
      this.
      
      Fixes: 7d901a1e ("net: phy: add Maxlinear GPY115/21x/24x driver")
      Signed-off-by: default avatarMichael Walle <michael@walle.cc>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Link: https://lore.kernel.org/r/20221205200453.3447866-1-michael@walle.ccSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      5f4d487d
    • Jakub Kicinski's avatar
      Merge tag 'linux-can-fixes-for-6.1-20221207' of... · 65e349f7
      Jakub Kicinski authored
      Merge tag 'linux-can-fixes-for-6.1-20221207' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2022-12-07
      
      The 1st patch is by Oliver Hartkopp and fixes a potential NULL pointer
      deref found by syzbot in the AF_CAN protocol.
      
      The next 2 patches are by Jiri Slaby and Max Staudt and add the
      missing flush_work() before freeing the underlying memory in the slcan
      and can327 driver.
      
      The last patch is by Frank Jungclaus and target the esd_usb driver and
      fixes the CAN error counters, allowing them to return to zero.
      
      * tag 'linux-can-fixes-for-6.1-20221207' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can:
        can: esd_usb: Allow REC and TEC to return to zero
        can: can327: flush TX_work on ldisc .close()
        can: slcan: fix freed work crash
        can: af_can: fix NULL pointer dereference in can_rcv_filter
      ====================
      
      Link: https://lore.kernel.org/r/20221207105243.2483884-1-mkl@pengutronix.deSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      65e349f7
  2. 07 Dec, 2022 16 commits