1. 21 Jul, 2023 11 commits
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · d192f538
      Linus Torvalds authored
      Pull arm64 fixes from Will Deacon:
       "I've picked up a handful of arm64 fixes while Catalin's been away, so
        here they are. Below is the usual summary, but we have basically have
        two cleanups, a fix for an SME crash and a fix for hibernation:
      
         - Fix saving of SME state after SVE vector length is changed
      
         - Fix sparse warnings for missing vDSO function prototypes
      
         - Fix hibernation resume path when kfence is enabled
      
         - Fix field names for the HFGxTR_EL2 register"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64/fpsimd: Ensure SME storage is allocated after SVE VL changes
        arm64: vdso: Clear common make C=2 warnings
        arm64: mm: Make hibernation aware of KFENCE
        arm64: Fix HFGxTR_EL2 field naming
      d192f538
    • Linus Torvalds's avatar
      Merge tag 'pm-6.5-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 892d7c1b
      Linus Torvalds authored
      Pull power management fixes from Rafael Wysocki:
       "Revert three recent intel_idle commits that introduced a functional
        issue, included a coding mistake and have been questioned at the
        design level"
      
      * tag 'pm-6.5-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        Revert "intel_idle: Add support for using intel_idle in a VM guest using just hlt"
        Revert "intel_idle: Add a "Long HLT" C1 state for the VM guest mode"
        Revert "intel_idle: Add __init annotation to matchup_vm_state_with_baremetal()"
      892d7c1b
    • Linus Torvalds's avatar
      Merge tag 'sound-6.5-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 3c05547a
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "A pile of fixes that have been gathered since the previous pull. Most
        of changes are device-specific, and nothing looks too scary.
      
         - A memory leak fix in ALSA sequencer code in 6.5-rc
      
         - Many fixes for ASoC Qualcomm CODEC drivers, covering SoundWire
           probe problems
      
         - A series of ASoC AMD fixes
      
         - A few fixes and cleanups of selftest stuff
      
         - HD-audio codec fixes and quirks for Clevo, HP, Lenovo, Dell"
      
      * tag 'sound-6.5-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (52 commits)
        ALSA: hda/realtek: Add support for DELL Oasis 13/14/16 laptops
        ALSA: hda/realtek: Fix generic fixup definition for cs35l41 amp
        ALSA: hda/realtek: Enable Mute LED on HP Laptop 15s-eq2xxx
        selftests: ALSA: Add test-pcmtest-driver to .gitignore
        ALSA: hda/realtek: Add quirk for Clevo NS70AU
        ASoC: fsl_sai: Disable bit clock with transmitter
        ALSA: seq: Fix memory leak at error path in snd_seq_create_port()
        ASoC: SOF: ipc3-dtrace: uninitialized data in dfsentry_trace_filter_write()
        ASoC: cs42l51: fix driver to properly autoload with automatic module loading
        MAINTAINERS: Redo addition of ssm3515 to APPLE SOUND
        ASoC: rt5640: Fix the issue of speaker noise
        ALSA: hda/realtek - remove 3k pull low procedure
        selftests: ALSA: Fix fclose on an already fclosed file pointer
        ALSA: pcmtest: Don't use static storage to track per device data
        ALSA: pcmtest: Convert to platform remove callback returning void
        ASoC: dt-bindings: audio-graph-card2: Drop incomplete example
        ASoC: dt-bindings: Update maintainer email id
        ASoC: amd: ps: Fix extraneous error messages
        ASoC: fsl_sai: Revert "ASoC: fsl_sai: Enable MCTL_MCLK_EN bit for master mode"
        ASoC: codecs: SND_SOC_WCD934X should select REGMAP_IRQ
        ...
      3c05547a
    • Linus Torvalds's avatar
      Merge tag 'fbdev-for-6.5-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev · 55c225fb
      Linus Torvalds authored
      Pull fbdev fixes and cleanups from Helge Deller:
       "Just the usual bunch of code cleanups in various drivers, this time
        mostly in vgacon and imxfb:
      
         - Code cleanup in vgacon (Jiri Slaby)
      
         - Explicitly include correct DT includes (Rob Herring)
      
         - imxfb code cleanup (Yangtao Li, Martin Kaiser)
      
         - kyrofb: make arrays const and smaller (Colin Ian King)
      
         - ep93xx-fb: return value check fix (Yuanjun Gong)
      
         - au1200fb: add missing IRQ check (Zhang Shurong)"
      
      * tag 'fbdev-for-6.5-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev:
        fbdev: Explicitly include correct DT includes
        fbdev: ep93xx-fb: fix return value check in ep93xxfb_probe
        fbdev: au1200fb: Fix missing IRQ check in au1200fb_drv_probe
        fbdev: kyro: make some const read-only arrays static and reduce type size
        fbcon: remove unused display (p) from fbcon_redraw()
        sticon: make sticon_set_def_font() void and remove op parameter
        vgacon: cache vc_cell_height in vgacon_cursor()
        vgacon: let vgacon_doresize() return void
        vgacon: remove unused xpos from vgacon_set_cursor_size()
        vgacon: remove unneeded forward declarations
        vgacon: switch vgacon_scrolldelta() and vgacon_restore_screen()
        fbdev: imxfb: remove unneeded labels
        fbdev: imxfb: Convert to devm_platform_ioremap_resource()
        fbdev: imxfb: Convert to devm_kmalloc_array()
        fbdev: imxfb: Removed unneeded release_mem_region
        fbdev: imxfb: switch to DEFINE_SIMPLE_DEV_PM_OPS
        fbdev: imxfb: warn about invalid left/right margin
      55c225fb
    • Daniel Vetter's avatar
      drm/atomic: Fix potential use-after-free in nonblocking commits · 4e076c73
      Daniel Vetter authored
      This requires a bit of background.  Properly done a modeset driver's
      unload/remove sequence should be
      
      	drm_dev_unplug();
      	drm_atomic_helper_shutdown();
      	drm_dev_put();
      
      The trouble is that the drm_dev_unplugged() checks are by design racy,
      they do not synchronize against all outstanding ioctl.  This is because
      those ioctl could block forever (both for modeset and for driver
      specific ioctls), leading to deadlocks in hotunplug.  Instead the code
      sections that touch the hardware need to be annotated with
      drm_dev_enter/exit, to avoid accessing hardware resources after the
      unload/remove has finished.
      
      To avoid use-after-free issues all the involved userspace visible
      objects are supposed to hold a reference on the underlying drm_device,
      like drm_file does.
      
      The issue now is that we missed one, the atomic modeset ioctl can be run
      in a nonblocking fashion, and in that case it cannot rely on the implied
      drm_device reference provided by the ioctl calling context.  This can
      result in a use-after-free if an nonblocking atomic commit is carefully
      raced against a driver unload.
      
      Fix this by unconditionally grabbing a drm_device reference for any
      drm_atomic_state structures.  Strictly speaking this isn't required for
      blocking commits and TEST_ONLY calls, but it's the simpler approach.
      
      Thanks to shanzhulig for the initial idea of grabbing an unconditional
      reference, I just added comments, a condensed commit message and fixed a
      minor potential issue in where exactly we drop the final reference.
      Reported-by: default avatarshanzhulig <shanzhulig@gmail.com>
      Suggested-by: default avatarshanzhulig <shanzhulig@gmail.com>
      Reviewed-by: default avatarMaxime Ripard <mripard@kernel.org>
      Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
      Cc: Thomas Zimmermann <tzimmermann@suse.de>
      Cc: David Airlie <airlied@gmail.com>
      Cc: stable@kernel.org
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@intel.com>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      4e076c73
    • Mark Brown's avatar
      arm64/fpsimd: Ensure SME storage is allocated after SVE VL changes · d4d5be94
      Mark Brown authored
      When we reconfigure the SVE vector length we discard the backing storage
      for the SVE vectors and then reallocate on next SVE use, leaving the SME
      specific state alone. This means that we do not enable SME traps if they
      were already disabled. That means that userspace code can enter streaming
      mode without trapping, putting the task in a state where if we try to save
      the state of the task we will fault.
      
      Since the ABI does not specify that changing the SVE vector length disturbs
      SME state, and since SVE code may not be aware of SME code in the process,
      we shouldn't simply discard any ZA state. Instead immediately reallocate
      the storage for SVE, and disable SME if we change the SVE vector length
      while there is no SME state active.
      
      Disabling SME traps on SVE vector length changes would make the overall
      code more complex since we would have a state where we have valid SME state
      stored but might get a SME trap.
      
      Fixes: 9e4ab6c8 ("arm64/sme: Implement vector length configuration prctl()s")
      Reported-by: default avatarDavid Spickett <David.Spickett@arm.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Cc: stable@vger.kernel.org
      Link: https://lore.kernel.org/r/20230720-arm64-fix-sve-sme-vl-change-v2-1-8eea06b82d57@kernel.orgSigned-off-by: default avatarWill Deacon <will@kernel.org>
      d4d5be94
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2023-07-21' of git://anongit.freedesktop.org/drm/drm · f7e3a1ba
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Mostly amdgpu fixes, a couple of i915 fixes, some nouveau and then a
        few misc accel and other fixes.
      
        client:
         - memory leak fix
      
        dma-buf:
         - memory leak fix
      
        qaic:
         - bound check fixes
         - map_user_pages leak
         - int overflow fixes
      
        habanalabs:
         - debugfs stub helper
      
        nouveau:
         - aux event slot fixes
         - anx9805 cards fixes
      
        i915:
         - Add sentinel to xehp_oa_b_counters
         - Revert "drm/i915: use localized __diag_ignore_all() instead of per
           file"
      
        amdgpu:
         - More PCIe DPM fixes for Intel platforms
         - DCN3.0.1 fixes
         - Virtual display timer fix
         - Async flip fix
         - SMU13 clock reporting fixes
         - Add missing PSP firmware declaration
         - DP MST fix
         - DCN3.1.x fixes
         - Slab out of bounds fix"
      
      * tag 'drm-fixes-2023-07-21' of git://anongit.freedesktop.org/drm/drm: (31 commits)
        accel/habanalabs: add more debugfs stub helpers
        drm/nouveau/kms/nv50-: init hpd_irq_lock for PIOR DP
        drm/nouveau/disp: PIOR DP uses GPIO for HPD, not PMGR AUX interrupts
        drm/nouveau/i2c: fix number of aux event slots
        drm/amdgpu: use a macro to define no xcp partition case
        drm/amdgpu/vm: use the same xcp_id from root PD
        drm/amdgpu: fix slab-out-of-bounds issue in amdgpu_vm_pt_create
        drm/amdgpu: Allocate root PD on correct partition
        drm/amd/display: Keep PHY active for DP displays on DCN31
        drm/amd/display: Prevent vtotal from being set to 0
        drm/amd/display: Disable MPC split by default on special asic
        drm/amd/display: check TG is non-null before checking if enabled
        drm/amd/display: Add polling method to handle MST reply packet
        drm/amd/display: Clean up errors & warnings in amdgpu_dm.c
        drm/amdgpu: Allow the initramfs generator to include psp_13_0_6_ta
        drm/amdgpu/pm: make mclk consistent for smu 13.0.7
        drm/amdgpu/pm: make gfxclock consistent for sienna cichlid
        drm/amd/display: only accept async flips for fast updates
        drm/amdgpu/vkms: relax timer deactivation by hrtimer_try_to_cancel
        drm/amd/display: add DCN301 specific logic for OTG programming
        ...
      f7e3a1ba
    • Dave Airlie's avatar
      Merge tag 'amd-drm-fixes-6.5-2023-07-20' of... · 28801cc8
      Dave Airlie authored
      Merge tag 'amd-drm-fixes-6.5-2023-07-20' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes
      
      amd-drm-fixes-6.5-2023-07-20:
      
      amdgpu:
      - More PCIe DPM fixes for Intel platforms
      - DCN3.0.1 fixes
      - Virtual display timer fix
      - Async flip fix
      - SMU13 clock reporting fixes
      - Add missing PSP firmware declaration
      - DP MST fix
      - DCN3.1.x fixes
      - Slab out of bounds fix
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      
      From: Alex Deucher <alexander.deucher@amd.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20230720133456.7826-1-alexander.deucher@amd.com
      28801cc8
    • Dave Airlie's avatar
      Merge tag 'drm-intel-fixes-2023-07-20' of... · 534a7915
      Dave Airlie authored
      Merge tag 'drm-intel-fixes-2023-07-20' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
      
      - Add sentinel to xehp_oa_b_counters [perf] (Andrzej Hajda)
      - Revert "drm/i915: use localized __diag_ignore_all() instead of per file" (Jani Nikula)
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      From: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/ZLjuwhLhwab5B7RY@tursulin-desk
      534a7915
    • Dave Airlie's avatar
      Merge tag 'drm-misc-fixes-2023-07-20' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes · f4f19c03
      Dave Airlie authored
      Memory leak fixes in drm/client, memory access/leak fixes for
      accel/qaic, another leak fix in dma-buf and three nouveau fixes around
      hotplugging.
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      
      From: Maxime Ripard <mripard@redhat.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/fmj5nok7zggux2lcpdtls2iknweba54wfc6o4zxq6i6s3dgi2r@7z3eawwhyhen
      f4f19c03
    • Linus Torvalds's avatar
      Merge tag 'ata-6.5-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata · 12a5088e
      Linus Torvalds authored
      Pull ata fix from Damien Le Moal:
      
       - Add missing MODULE_DESCRIPTION() in the many of the protocol modules
         for the pata_parport driver to avoid compilation warnings with "make
         W=1".
      
      * tag 'ata-6.5-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata:
        ata: pata_parport: Add missing protocol modules description
      12a5088e
  2. 20 Jul, 2023 29 commits
    • Linus Torvalds's avatar
      Merge tag 'net-6.5-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 57f1f9dd
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from BPF, netfilter, bluetooth and CAN.
      
        Current release - regressions:
      
         - eth: r8169: multiple fixes for PCIe ASPM-related problems
      
         - vrf: fix RCU lockdep splat in output path
      
        Previous releases - regressions:
      
         - gso: fall back to SW segmenting with GSO_UDP_L4 dodgy bit set
      
         - dsa: mv88e6xxx: do a final check before timing out when polling
      
         - nf_tables: fix sleep in atomic in nft_chain_validate
      
        Previous releases - always broken:
      
         - sched: fix undoing tcf_bind_filter() in multiple classifiers
      
         - bpf, arm64: fix BTI type used for freplace attached functions
      
         - can: gs_usb: fix time stamp counter initialization
      
         - nft_set_pipapo: fix improper element removal (leading to UAF)
      
        Misc:
      
         - net: support STP on bridge in non-root netns, STP prevents packet
           loops so not supporting it results in freezing systems of
           unsuspecting users, and in turn very upset noises being made
      
         - fix kdoc warnings
      
         - annotate various bits of TCP state to prevent data races"
      
      * tag 'net-6.5-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (95 commits)
        net: phy: prevent stale pointer dereference in phy_init()
        tcp: annotate data-races around fastopenq.max_qlen
        tcp: annotate data-races around icsk->icsk_user_timeout
        tcp: annotate data-races around tp->notsent_lowat
        tcp: annotate data-races around rskq_defer_accept
        tcp: annotate data-races around tp->linger2
        tcp: annotate data-races around icsk->icsk_syn_retries
        tcp: annotate data-races around tp->keepalive_probes
        tcp: annotate data-races around tp->keepalive_intvl
        tcp: annotate data-races around tp->keepalive_time
        tcp: annotate data-races around tp->tsoffset
        tcp: annotate data-races around tp->tcp_tx_delay
        Bluetooth: MGMT: Use correct address for memcpy()
        Bluetooth: btusb: Fix bluetooth on Intel Macbook 2014
        Bluetooth: SCO: fix sco_conn related locking and validity issues
        Bluetooth: hci_conn: return ERR_PTR instead of NULL when there is no link
        Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_remove_adv_monitor()
        Bluetooth: coredump: fix building with coredump disabled
        Bluetooth: ISO: fix iso_conn related locking and validity issues
        Bluetooth: hci_event: call disconnect callback before deleting conn
        ...
      57f1f9dd
    • Jakub Kicinski's avatar
      Merge tag 'for-net-2023-07-20' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth · 75d42b35
      Jakub Kicinski authored
      Luiz Augusto von Dentz says:
      
      ====================
      bluetooth pull request for net:
      
       - Fix building with coredump disabled
       - Fix use-after-free in hci_remove_adv_monitor
       - Use RCU for hci_conn_params and iterate safely in hci_sync
       - Fix locking issues on ISO and SCO
       - Fix bluetooth on Intel Macbook 2014
      
      * tag 'for-net-2023-07-20' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:
        Bluetooth: MGMT: Use correct address for memcpy()
        Bluetooth: btusb: Fix bluetooth on Intel Macbook 2014
        Bluetooth: SCO: fix sco_conn related locking and validity issues
        Bluetooth: hci_conn: return ERR_PTR instead of NULL when there is no link
        Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_remove_adv_monitor()
        Bluetooth: coredump: fix building with coredump disabled
        Bluetooth: ISO: fix iso_conn related locking and validity issues
        Bluetooth: hci_event: call disconnect callback before deleting conn
        Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync
      ====================
      
      Link: https://lore.kernel.org/r/20230720190201.446469-1-luiz.dentz@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      75d42b35
    • Jakub Kicinski's avatar
      Merge tag 'nf-23-07-20' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · 9b39f758
      Jakub Kicinski authored
      Florian Westphal says:
      
      ====================
      Netfilter fixes for net:
      
      The following patchset contains Netfilter fixes for net:
      
      1. Fix spurious -EEXIST error from userspace due to
         padding holes, this was broken since 4.9 days
         when 'ignore duplicate entries on insert' feature was
         added.
      
      2. Fix a sched-while-atomic bug, present since 5.19.
      
      3. Properly remove elements if they lack an "end range".
         nft userspace always sets an end range attribute, even
         when its the same as the start, but the abi doesn't
         have such a restriction. Always broken since it was
         added in 5.6, all three from myself.
      
      4 + 5: Bound chain needs to be skipped in netns release
         and on rule flush paths, from Pablo Neira.
      
      * tag 'nf-23-07-20' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
        netfilter: nf_tables: skip bound chain on rule flush
        netfilter: nf_tables: skip bound chain in netns release path
        netfilter: nft_set_pipapo: fix improper element removal
        netfilter: nf_tables: can't schedule in nft_chain_validate
        netfilter: nf_tables: fix spurious set element insertion failure
      ====================
      
      Link: https://lore.kernel.org/r/20230720165143.30208-1-fw@strlen.deSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      9b39f758
    • Vladimir Oltean's avatar
      net: phy: prevent stale pointer dereference in phy_init() · 1c613bea
      Vladimir Oltean authored
      mdio_bus_init() and phy_driver_register() both have error paths, and if
      those are ever hit, ethtool will have a stale pointer to the
      phy_ethtool_phy_ops stub structure, which references memory from a
      module that failed to load (phylib).
      
      It is probably hard to force an error in this code path even manually,
      but the error teardown path of phy_init() should be the same as
      phy_exit(), which is now simply not the case.
      
      Fixes: 55d8f053 ("net: phy: Register ethtool PHY operations")
      Link: https://lore.kernel.org/netdev/ZLaiJ4G6TaJYGJyU@shell.armlinux.org.uk/Suggested-by: default avatarRussell King (Oracle) <linux@armlinux.org.uk>
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Link: https://lore.kernel.org/r/20230720000231.1939689-1-vladimir.oltean@nxp.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      1c613bea
    • Jakub Kicinski's avatar
      Merge branch 'tcp-add-missing-annotations' · 7998c0ad
      Jakub Kicinski authored
      Eric Dumazet says:
      
      ====================
      tcp: add missing annotations
      
      This series was inspired by one syzbot (KCSAN) report.
      
      do_tcp_getsockopt() does not lock the socket, we need to
      annotate most of the reads there (and other places as well).
      
      This is a first round, another series will come later.
      ====================
      
      Link: https://lore.kernel.org/r/20230719212857.3943972-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      7998c0ad
    • Eric Dumazet's avatar
      tcp: annotate data-races around fastopenq.max_qlen · 70f360dd
      Eric Dumazet authored
      This field can be read locklessly.
      
      Fixes: 1536e285 ("tcp: Add a TCP_FASTOPEN socket option to get a max backlog on its listner")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20230719212857.3943972-12-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      70f360dd
    • Eric Dumazet's avatar
      tcp: annotate data-races around icsk->icsk_user_timeout · 26023e91
      Eric Dumazet authored
      This field can be read locklessly from do_tcp_getsockopt()
      
      Fixes: dca43c75 ("tcp: Add TCP_USER_TIMEOUT socket option.")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20230719212857.3943972-11-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      26023e91
    • Eric Dumazet's avatar
      tcp: annotate data-races around tp->notsent_lowat · 1aeb87bc
      Eric Dumazet authored
      tp->notsent_lowat can be read locklessly from do_tcp_getsockopt()
      and tcp_poll().
      
      Fixes: c9bee3b7 ("tcp: TCP_NOTSENT_LOWAT socket option")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20230719212857.3943972-10-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      1aeb87bc
    • Eric Dumazet's avatar
      tcp: annotate data-races around rskq_defer_accept · ae488c74
      Eric Dumazet authored
      do_tcp_getsockopt() reads rskq_defer_accept while another cpu
      might change its value.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20230719212857.3943972-9-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ae488c74
    • Eric Dumazet's avatar
      tcp: annotate data-races around tp->linger2 · 9df5335c
      Eric Dumazet authored
      do_tcp_getsockopt() reads tp->linger2 while another cpu
      might change its value.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20230719212857.3943972-8-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      9df5335c
    • Eric Dumazet's avatar
      tcp: annotate data-races around icsk->icsk_syn_retries · 3a037f0f
      Eric Dumazet authored
      do_tcp_getsockopt() and reqsk_timer_handler() read
      icsk->icsk_syn_retries while another cpu might change its value.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20230719212857.3943972-7-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      3a037f0f
    • Eric Dumazet's avatar
      tcp: annotate data-races around tp->keepalive_probes · 6e5e1de6
      Eric Dumazet authored
      do_tcp_getsockopt() reads tp->keepalive_probes while another cpu
      might change its value.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20230719212857.3943972-6-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      6e5e1de6
    • Eric Dumazet's avatar
      tcp: annotate data-races around tp->keepalive_intvl · 5ecf9d4f
      Eric Dumazet authored
      do_tcp_getsockopt() reads tp->keepalive_intvl while another cpu
      might change its value.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20230719212857.3943972-5-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      5ecf9d4f
    • Eric Dumazet's avatar
      tcp: annotate data-races around tp->keepalive_time · 4164245c
      Eric Dumazet authored
      do_tcp_getsockopt() reads tp->keepalive_time while another cpu
      might change its value.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20230719212857.3943972-4-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      4164245c
    • Eric Dumazet's avatar
      tcp: annotate data-races around tp->tsoffset · dd23c9f1
      Eric Dumazet authored
      do_tcp_getsockopt() reads tp->tsoffset while another cpu
      might change its value.
      
      Fixes: 93be6ce0 ("tcp: set and get per-socket timestamp")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20230719212857.3943972-3-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      dd23c9f1
    • Eric Dumazet's avatar
      tcp: annotate data-races around tp->tcp_tx_delay · 348b81b6
      Eric Dumazet authored
      do_tcp_getsockopt() reads tp->tcp_tx_delay while another cpu
      might change its value.
      
      Fixes: a842fe14 ("tcp: add optional per socket transmit delay")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20230719212857.3943972-2-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      348b81b6
    • Andy Shevchenko's avatar
      Bluetooth: MGMT: Use correct address for memcpy() · d1f0a981
      Andy Shevchenko authored
      In function ‘fortify_memcpy_chk’,
          inlined from ‘get_conn_info_complete’ at net/bluetooth/mgmt.c:7281:2:
      include/linux/fortify-string.h:592:25: error: call to
      ‘__read_overflow2_field’ declared with attribute warning: detected read
      beyond size of field (2nd parameter); maybe use struct_group()?
      [-Werror=attribute-warning]
        592 |                         __read_overflow2_field(q_size_field, size);
            |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      cc1: all warnings being treated as errors
      
      This is due to the wrong member is used for memcpy(). Use correct one.
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      d1f0a981
    • Tomasz Moń's avatar
      Bluetooth: btusb: Fix bluetooth on Intel Macbook 2014 · 95b70154
      Tomasz Moń authored
      Commit c13380a5 ("Bluetooth: btusb: Do not require hardcoded
      interface numbers") inadvertedly broke bluetooth on Intel Macbook 2014.
      The intention was to keep behavior intact when BTUSB_IFNUM_2 is set and
      otherwise allow any interface numbers. The problem is that the new logic
      condition omits the case where bInterfaceNumber is 0.
      
      Fix BTUSB_IFNUM_2 handling by allowing both interface number 0 and 2
      when the flag is set.
      
      Fixes: c13380a5 ("Bluetooth: btusb: Do not require hardcoded interface numbers")
      Reported-by: default avatarJohn Holland <johnbholland@icloud.com>
      Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217651Signed-off-by: default avatarTomasz Moń <tomasz.mon@nordicsemi.no>
      Tested-by: John Holland<johnbholland@icloud.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      95b70154
    • Pauli Virtanen's avatar
      Bluetooth: SCO: fix sco_conn related locking and validity issues · 3dcaa192
      Pauli Virtanen authored
      Operations that check/update sk_state and access conn should hold
      lock_sock, otherwise they can race.
      
      The order of taking locks is hci_dev_lock > lock_sock > sco_conn_lock,
      which is how it is in connect/disconnect_cfm -> sco_conn_del ->
      sco_chan_del.
      
      Fix locking in sco_connect to take lock_sock around updating sk_state
      and conn.
      
      sco_conn_del must not occur during sco_connect, as it frees the
      sco_conn. Hold hdev->lock longer to prevent that.
      
      sco_conn_add shall return sco_conn with valid hcon. Make it so also when
      reusing an old SCO connection waiting for disconnect timeout (see
      __sco_sock_close where conn->hcon is set to NULL).
      
      This should not reintroduce the issue fixed in the earlier
      commit 9a8ec9e8 ("Bluetooth: SCO: Fix possible circular locking
      dependency on sco_connect_cfm"), the relevant fix of releasing lock_sock
      in sco_sock_connect before acquiring hdev->lock is retained.
      
      These changes mirror similar fixes earlier in ISO sockets.
      
      Fixes: 9a8ec9e8 ("Bluetooth: SCO: Fix possible circular locking dependency on sco_connect_cfm")
      Signed-off-by: default avatarPauli Virtanen <pav@iki.fi>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      3dcaa192
    • Siddh Raman Pant's avatar
      Bluetooth: hci_conn: return ERR_PTR instead of NULL when there is no link · b4066eb0
      Siddh Raman Pant authored
      hci_connect_sco currently returns NULL when there is no link (i.e. when
      hci_conn_link() returns NULL).
      
      sco_connect() expects an ERR_PTR in case of any error (see line 266 in
      sco.c). Thus, hcon set as NULL passes through to sco_conn_add(), which
      tries to get hcon->hdev, resulting in dereferencing a NULL pointer as
      reported by syzkaller.
      
      The same issue exists for iso_connect_cis() calling hci_connect_cis().
      
      Thus, make hci_connect_sco() and hci_connect_cis() return ERR_PTR
      instead of NULL.
      
      Reported-and-tested-by: syzbot+37acd5d80d00d609d233@syzkaller.appspotmail.com
      Closes: https://syzkaller.appspot.com/bug?extid=37acd5d80d00d609d233
      Fixes: 06149746 ("Bluetooth: hci_conn: Add support for linking multiple hcon")
      Signed-off-by: default avatarSiddh Raman Pant <code@siddh.me>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      b4066eb0
    • Douglas Anderson's avatar
      Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_remove_adv_monitor() · de6dfcef
      Douglas Anderson authored
      KASAN reports that there's a use-after-free in
      hci_remove_adv_monitor(). Trawling through the disassembly, you can
      see that the complaint is from the access in bt_dev_dbg() under the
      HCI_ADV_MONITOR_EXT_MSFT case. The problem case happens because
      msft_remove_monitor() can end up freeing the monitor
      structure. Specifically:
        hci_remove_adv_monitor() ->
        msft_remove_monitor() ->
        msft_remove_monitor_sync() ->
        msft_le_cancel_monitor_advertisement_cb() ->
        hci_free_adv_monitor()
      
      Let's fix the problem by just stashing the relevant data when it's
      still valid.
      
      Fixes: 7cf5c297 ("Bluetooth: hci_sync: Refactor remove Adv Monitor")
      Signed-off-by: default avatarDouglas Anderson <dianders@chromium.org>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      de6dfcef
    • Arnd Bergmann's avatar
      Bluetooth: coredump: fix building with coredump disabled · 6910e2eb
      Arnd Bergmann authored
      The btmtk driver uses an IS_ENABLED() check to conditionally compile
      the coredump support, but this fails to build because the hdev->dump
      member is in an #ifdef:
      
      drivers/bluetooth/btmtk.c: In function 'btmtk_process_coredump':
      drivers/bluetooth/btmtk.c:386:30: error: 'struct hci_dev' has no member named 'dump'
        386 |   schedule_delayed_work(&hdev->dump.dump_timeout,
            |                              ^~
      
      The struct member doesn't really make a huge difference in the total size,
      so just remove the #ifdef around it to avoid adding similar checks
      around each user.
      
      Fixes: 872f8c253cb9e ("Bluetooth: btusb: mediatek: add MediaTek devcoredump support")
      Fixes: 9695ef87 ("Bluetooth: Add support for hci devcoredump")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      6910e2eb
    • Pauli Virtanen's avatar
      Bluetooth: ISO: fix iso_conn related locking and validity issues · d40ae85e
      Pauli Virtanen authored
      sk->sk_state indicates whether iso_pi(sk)->conn is valid. Operations
      that check/update sk_state and access conn should hold lock_sock,
      otherwise they can race.
      
      The order of taking locks is hci_dev_lock > lock_sock > iso_conn_lock,
      which is how it is in connect/disconnect_cfm -> iso_conn_del ->
      iso_chan_del.
      
      Fix locking in iso_connect_cis/bis and sendmsg/recvmsg to take lock_sock
      around updating sk_state and conn.
      
      iso_conn_del must not occur during iso_connect_cis/bis, as it frees the
      iso_conn. Hold hdev->lock longer to prevent that.
      
      This should not reintroduce the issue fixed in commit 241f5193
      ("Bluetooth: ISO: Avoid circular locking dependency"), since the we
      acquire locks in order. We retain the fix in iso_sock_connect to release
      lock_sock before iso_connect_* acquires hdev->lock.
      
      Similarly for commit 6a5ad251 ("Bluetooth: ISO: Fix possible
      circular locking dependency"). We retain the fix in iso_conn_ready to
      not acquire iso_conn_lock before lock_sock.
      
      iso_conn_add shall return iso_conn with valid hcon. Make it so also when
      reusing an old CIS connection waiting for disconnect timeout (see
      __iso_sock_close where conn->hcon is set to NULL).
      
      Trace with iso_conn_del after iso_chan_add in iso_connect_cis:
      ===============================================================
      iso_sock_create:771: sock 00000000be9b69b7
      iso_sock_init:693: sk 000000004dff667e
      iso_sock_bind:827: sk 000000004dff667e 70:1a:b8:98:ff:a2 type 1
      iso_sock_setsockopt:1289: sk 000000004dff667e
      iso_sock_setsockopt:1289: sk 000000004dff667e
      iso_sock_setsockopt:1289: sk 000000004dff667e
      iso_sock_connect:875: sk 000000004dff667e
      iso_connect_cis:353: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da
      hci_get_route:1199: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da
      hci_conn_add:1005: hci0 dst 28:3d:c2:4a:7e:da
      iso_conn_add:140: hcon 000000007b65d182 conn 00000000daf8625e
      __iso_chan_add:214: conn 00000000daf8625e
      iso_connect_cfm:1700: hcon 000000007b65d182 bdaddr 28:3d:c2:4a:7e:da status 12
      iso_conn_del:187: hcon 000000007b65d182 conn 00000000daf8625e, err 16
      iso_sock_clear_timer:117: sock 000000004dff667e state 3
          <Note: sk_state is BT_BOUND (3), so iso_connect_cis is still
          running at this point>
      iso_chan_del:153: sk 000000004dff667e, conn 00000000daf8625e, err 16
      hci_conn_del:1151: hci0 hcon 000000007b65d182 handle 65535
      hci_conn_unlink:1102: hci0: hcon 000000007b65d182
      hci_chan_list_flush:2780: hcon 000000007b65d182
      iso_sock_getsockopt:1376: sk 000000004dff667e
      iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e
      iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e
      iso_sock_getsockopt:1376: sk 000000004dff667e
      iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e
      iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e
      iso_sock_shutdown:1434: sock 00000000be9b69b7, sk 000000004dff667e, how 1
      __iso_sock_close:632: sk 000000004dff667e state 5 socket 00000000be9b69b7
           <Note: sk_state is BT_CONNECT (5), even though iso_chan_del sets
           BT_CLOSED (6). Only iso_connect_cis sets it to BT_CONNECT, so it
           must be that iso_chan_del occurred between iso_chan_add and end of
           iso_connect_cis.>
      BUG: kernel NULL pointer dereference, address: 0000000000000000
      PGD 8000000006467067 P4D 8000000006467067 PUD 3f5f067 PMD 0
      Oops: 0000 [#1] PREEMPT SMP PTI
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
      RIP: 0010:__iso_sock_close (net/bluetooth/iso.c:664) bluetooth
      ===============================================================
      
      Trace with iso_conn_del before iso_chan_add in iso_connect_cis:
      ===============================================================
      iso_connect_cis:356: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da
      ...
      iso_conn_add:140: hcon 0000000093bc551f conn 00000000768ae504
      hci_dev_put:1487: hci0 orig refcnt 21
      hci_event_packet:7607: hci0: event 0x0e
      hci_cmd_complete_evt:4231: hci0: opcode 0x2062
      hci_cc_le_set_cig_params:3846: hci0: status 0x07
      hci_sent_cmd_data:3107: hci0 opcode 0x2062
      iso_connect_cfm:1703: hcon 0000000093bc551f bdaddr 28:3d:c2:4a:7e:da status 7
      iso_conn_del:187: hcon 0000000093bc551f conn 00000000768ae504, err 12
      hci_conn_del:1151: hci0 hcon 0000000093bc551f handle 65535
      hci_conn_unlink:1102: hci0: hcon 0000000093bc551f
      hci_chan_list_flush:2780: hcon 0000000093bc551f
      __iso_chan_add:214: conn 00000000768ae504
          <Note: this conn was already freed in iso_conn_del above>
      iso_sock_clear_timer:117: sock 0000000098323f95 state 3
      general protection fault, probably for non-canonical address 0x30b29c630930aec8: 0000 [#1] PREEMPT SMP PTI
      CPU: 1 PID: 1920 Comm: bluetoothd Tainted: G            E      6.3.0-rc7+ #4
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
      RIP: 0010:detach_if_pending+0x28/0xd0
      Code: 90 90 0f 1f 44 00 00 48 8b 47 08 48 85 c0 0f 84 ad 00 00 00 55 89 d5 53 48 83 3f 00 48 89 fb 74 7d 66 90 48 8b 03 48 8b 53 08 <>
      RSP: 0018:ffffb90841a67d08 EFLAGS: 00010007
      RAX: 0000000000000000 RBX: ffff9141bd5061b8 RCX: 0000000000000000
      RDX: 30b29c630930aec8 RSI: ffff9141fdd21e80 RDI: ffff9141bd5061b8
      RBP: 0000000000000001 R08: 0000000000000000 R09: ffffb90841a67b88
      R10: 0000000000000003 R11: ffffffff8613f558 R12: ffff9141fdd21e80
      R13: 0000000000000000 R14: ffff9141b5976010 R15: ffff914185755338
      FS:  00007f45768bd840(0000) GS:ffff9141fdd00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000619000424074 CR3: 0000000009f5e005 CR4: 0000000000170ee0
      Call Trace:
       <TASK>
       timer_delete+0x48/0x80
       try_to_grab_pending+0xdf/0x170
       __cancel_work+0x37/0xb0
       iso_connect_cis+0x141/0x400 [bluetooth]
      ===============================================================
      
      Trace with NULL conn->hcon in state BT_CONNECT:
      ===============================================================
      __iso_sock_close:619: sk 00000000f7c71fc5 state 1 socket 00000000d90c5fe5
      ...
      __iso_sock_close:619: sk 00000000f7c71fc5 state 8 socket 00000000d90c5fe5
      iso_chan_del:153: sk 00000000f7c71fc5, conn 0000000022c03a7e, err 104
      ...
      iso_sock_connect:862: sk 00000000129b56c3
      iso_connect_cis:348: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7d:2a
      hci_get_route:1199: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7d:2a
      hci_dev_hold:1495: hci0 orig refcnt 19
      __iso_chan_add:214: conn 0000000022c03a7e
          <Note: reusing old conn>
      iso_sock_clear_timer:117: sock 00000000129b56c3 state 3
      ...
      iso_sock_ready:1485: sk 00000000129b56c3
      ...
      iso_sock_sendmsg:1077: sock 00000000e5013966, sk 00000000129b56c3
      BUG: kernel NULL pointer dereference, address: 00000000000006a8
      PGD 0 P4D 0
      Oops: 0000 [#1] PREEMPT SMP PTI
      CPU: 1 PID: 1403 Comm: wireplumber Tainted: G            E      6.3.0-rc7+ #4
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
      RIP: 0010:iso_sock_sendmsg+0x63/0x2a0 [bluetooth]
      ===============================================================
      
      Fixes: 241f5193 ("Bluetooth: ISO: Avoid circular locking dependency")
      Fixes: 6a5ad251 ("Bluetooth: ISO: Fix possible circular locking dependency")
      Signed-off-by: default avatarPauli Virtanen <pav@iki.fi>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      d40ae85e
    • Pauli Virtanen's avatar
      Bluetooth: hci_event: call disconnect callback before deleting conn · 7f7cfcb6
      Pauli Virtanen authored
      In hci_cs_disconnect, we do hci_conn_del even if disconnection failed.
      
      ISO, L2CAP and SCO connections refer to the hci_conn without
      hci_conn_get, so disconn_cfm must be called so they can clean up their
      conn, otherwise use-after-free occurs.
      
      ISO:
      ==========================================================
      iso_sock_connect:880: sk 00000000eabd6557
      iso_connect_cis:356: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da
      ...
      iso_conn_add:140: hcon 000000001696f1fd conn 00000000b6251073
      hci_dev_put:1487: hci0 orig refcnt 17
      __iso_chan_add:214: conn 00000000b6251073
      iso_sock_clear_timer:117: sock 00000000eabd6557 state 3
      ...
      hci_rx_work:4085: hci0 Event packet
      hci_event_packet:7601: hci0: event 0x0f
      hci_cmd_status_evt:4346: hci0: opcode 0x0406
      hci_cs_disconnect:2760: hci0: status 0x0c
      hci_sent_cmd_data:3107: hci0 opcode 0x0406
      hci_conn_del:1151: hci0 hcon 000000001696f1fd handle 2560
      hci_conn_unlink:1102: hci0: hcon 000000001696f1fd
      hci_conn_drop:1451: hcon 00000000d8521aaf orig refcnt 2
      hci_chan_list_flush:2780: hcon 000000001696f1fd
      hci_dev_put:1487: hci0 orig refcnt 21
      hci_dev_put:1487: hci0 orig refcnt 20
      hci_req_cmd_complete:3978: opcode 0x0406 status 0x0c
      ... <no iso_* activity on sk/conn> ...
      iso_sock_sendmsg:1098: sock 00000000dea5e2e0, sk 00000000eabd6557
      BUG: kernel NULL pointer dereference, address: 0000000000000668
      PGD 0 P4D 0
      Oops: 0000 [#1] PREEMPT SMP PTI
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
      RIP: 0010:iso_sock_sendmsg (net/bluetooth/iso.c:1112) bluetooth
      ==========================================================
      
      L2CAP:
      ==================================================================
      hci_cmd_status_evt:4359: hci0: opcode 0x0406
      hci_cs_disconnect:2760: hci0: status 0x0c
      hci_sent_cmd_data:3085: hci0 opcode 0x0406
      hci_conn_del:1151: hci0 hcon ffff88800c999000 handle 3585
      hci_conn_unlink:1102: hci0: hcon ffff88800c999000
      hci_chan_list_flush:2780: hcon ffff88800c999000
      hci_chan_del:2761: hci0 hcon ffff88800c999000 chan ffff888018ddd280
      ...
      BUG: KASAN: slab-use-after-free in hci_send_acl+0x2d/0x540 [bluetooth]
      Read of size 8 at addr ffff888018ddd298 by task bluetoothd/1175
      
      CPU: 0 PID: 1175 Comm: bluetoothd Tainted: G            E      6.4.0-rc4+ #2
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
      Call Trace:
       <TASK>
       dump_stack_lvl+0x5b/0x90
       print_report+0xcf/0x670
       ? __virt_addr_valid+0xf8/0x180
       ? hci_send_acl+0x2d/0x540 [bluetooth]
       kasan_report+0xa8/0xe0
       ? hci_send_acl+0x2d/0x540 [bluetooth]
       hci_send_acl+0x2d/0x540 [bluetooth]
       ? __pfx___lock_acquire+0x10/0x10
       l2cap_chan_send+0x1fd/0x1300 [bluetooth]
       ? l2cap_sock_sendmsg+0xf2/0x170 [bluetooth]
       ? __pfx_l2cap_chan_send+0x10/0x10 [bluetooth]
       ? lock_release+0x1d5/0x3c0
       ? mark_held_locks+0x1a/0x90
       l2cap_sock_sendmsg+0x100/0x170 [bluetooth]
       sock_write_iter+0x275/0x280
       ? __pfx_sock_write_iter+0x10/0x10
       ? __pfx___lock_acquire+0x10/0x10
       do_iter_readv_writev+0x176/0x220
       ? __pfx_do_iter_readv_writev+0x10/0x10
       ? find_held_lock+0x83/0xa0
       ? selinux_file_permission+0x13e/0x210
       do_iter_write+0xda/0x340
       vfs_writev+0x1b4/0x400
       ? __pfx_vfs_writev+0x10/0x10
       ? __seccomp_filter+0x112/0x750
       ? populate_seccomp_data+0x182/0x220
       ? __fget_light+0xdf/0x100
       ? do_writev+0x19d/0x210
       do_writev+0x19d/0x210
       ? __pfx_do_writev+0x10/0x10
       ? mark_held_locks+0x1a/0x90
       do_syscall_64+0x60/0x90
       ? lockdep_hardirqs_on_prepare+0x149/0x210
       ? do_syscall_64+0x6c/0x90
       ? lockdep_hardirqs_on_prepare+0x149/0x210
       entry_SYSCALL_64_after_hwframe+0x72/0xdc
      RIP: 0033:0x7ff45cb23e64
      Code: 15 d1 1f 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 80 3d 9d a7 0d 00 00 74 13 b8 14 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89
      RSP: 002b:00007fff21ae09b8 EFLAGS: 00000202 ORIG_RAX: 0000000000000014
      RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007ff45cb23e64
      RDX: 0000000000000001 RSI: 00007fff21ae0aa0 RDI: 0000000000000017
      RBP: 00007fff21ae0aa0 R08: 000000000095a8a0 R09: 0000607000053f40
      R10: 0000000000000001 R11: 0000000000000202 R12: 00007fff21ae0ac0
      R13: 00000fffe435c150 R14: 00007fff21ae0a80 R15: 000060f000000040
       </TASK>
      
      Allocated by task 771:
       kasan_save_stack+0x33/0x60
       kasan_set_track+0x25/0x30
       __kasan_kmalloc+0xaa/0xb0
       hci_chan_create+0x67/0x1b0 [bluetooth]
       l2cap_conn_add.part.0+0x17/0x590 [bluetooth]
       l2cap_connect_cfm+0x266/0x6b0 [bluetooth]
       hci_le_remote_feat_complete_evt+0x167/0x310 [bluetooth]
       hci_event_packet+0x38d/0x800 [bluetooth]
       hci_rx_work+0x287/0xb20 [bluetooth]
       process_one_work+0x4f7/0x970
       worker_thread+0x8f/0x620
       kthread+0x17f/0x1c0
       ret_from_fork+0x2c/0x50
      
      Freed by task 771:
       kasan_save_stack+0x33/0x60
       kasan_set_track+0x25/0x30
       kasan_save_free_info+0x2e/0x50
       ____kasan_slab_free+0x169/0x1c0
       slab_free_freelist_hook+0x9e/0x1c0
       __kmem_cache_free+0xc0/0x310
       hci_chan_list_flush+0x46/0x90 [bluetooth]
       hci_conn_cleanup+0x7d/0x330 [bluetooth]
       hci_cs_disconnect+0x35d/0x530 [bluetooth]
       hci_cmd_status_evt+0xef/0x2b0 [bluetooth]
       hci_event_packet+0x38d/0x800 [bluetooth]
       hci_rx_work+0x287/0xb20 [bluetooth]
       process_one_work+0x4f7/0x970
       worker_thread+0x8f/0x620
       kthread+0x17f/0x1c0
       ret_from_fork+0x2c/0x50
      ==================================================================
      
      Fixes: b8d29052 ("Bluetooth: clean up connection in hci_cs_disconnect")
      Signed-off-by: default avatarPauli Virtanen <pav@iki.fi>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      7f7cfcb6
    • Pauli Virtanen's avatar
      Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync · 195ef75e
      Pauli Virtanen authored
      hci_update_accept_list_sync iterates over hdev->pend_le_conns and
      hdev->pend_le_reports, and waits for controller events in the loop body,
      without holding hdev lock.
      
      Meanwhile, these lists and the items may be modified e.g. by
      le_scan_cleanup. This can invalidate the list cursor or any other item
      in the list, resulting to invalid behavior (eg use-after-free).
      
      Use RCU for the hci_conn_params action lists. Since the loop bodies in
      hci_sync block and we cannot use RCU or hdev->lock for the whole loop,
      copy list items first and then iterate on the copy. Only the flags field
      is written from elsewhere, so READ_ONCE/WRITE_ONCE should guarantee we
      read valid values.
      
      Free params everywhere with hci_conn_params_free so the cleanup is
      guaranteed to be done properly.
      
      This fixes the following, which can be triggered e.g. by BlueZ new
      mgmt-tester case "Add + Remove Device Nowait - Success", or by changing
      hci_le_set_cig_params to always return false, and running iso-tester:
      
      ==================================================================
      BUG: KASAN: slab-use-after-free in hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
      Read of size 8 at addr ffff888001265018 by task kworker/u3:0/32
      
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
      Workqueue: hci0 hci_cmd_sync_work
      Call Trace:
      <TASK>
      dump_stack_lvl (./arch/x86/include/asm/irqflags.h:134 lib/dump_stack.c:107)
      print_report (mm/kasan/report.c:320 mm/kasan/report.c:430)
      ? __virt_addr_valid (./include/linux/mmzone.h:1915 ./include/linux/mmzone.h:2011 arch/x86/mm/physaddr.c:65)
      ? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
      kasan_report (mm/kasan/report.c:538)
      ? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
      hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
      ? __pfx_hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2780)
      ? mutex_lock (kernel/locking/mutex.c:282)
      ? __pfx_mutex_lock (kernel/locking/mutex.c:282)
      ? __pfx_mutex_unlock (kernel/locking/mutex.c:538)
      ? __pfx_update_passive_scan_sync (net/bluetooth/hci_sync.c:2861)
      hci_cmd_sync_work (net/bluetooth/hci_sync.c:306)
      process_one_work (./arch/x86/include/asm/preempt.h:27 kernel/workqueue.c:2399)
      worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2538)
      ? __pfx_worker_thread (kernel/workqueue.c:2480)
      kthread (kernel/kthread.c:376)
      ? __pfx_kthread (kernel/kthread.c:331)
      ret_from_fork (arch/x86/entry/entry_64.S:314)
      </TASK>
      
      Allocated by task 31:
      kasan_save_stack (mm/kasan/common.c:46)
      kasan_set_track (mm/kasan/common.c:52)
      __kasan_kmalloc (mm/kasan/common.c:374 mm/kasan/common.c:383)
      hci_conn_params_add (./include/linux/slab.h:580 ./include/linux/slab.h:720 net/bluetooth/hci_core.c:2277)
      hci_connect_le_scan (net/bluetooth/hci_conn.c:1419 net/bluetooth/hci_conn.c:1589)
      hci_connect_cis (net/bluetooth/hci_conn.c:2266)
      iso_connect_cis (net/bluetooth/iso.c:390)
      iso_sock_connect (net/bluetooth/iso.c:899)
      __sys_connect (net/socket.c:2003 net/socket.c:2020)
      __x64_sys_connect (net/socket.c:2027)
      do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
      entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
      
      Freed by task 15:
      kasan_save_stack (mm/kasan/common.c:46)
      kasan_set_track (mm/kasan/common.c:52)
      kasan_save_free_info (mm/kasan/generic.c:523)
      __kasan_slab_free (mm/kasan/common.c:238 mm/kasan/common.c:200 mm/kasan/common.c:244)
      __kmem_cache_free (mm/slub.c:1807 mm/slub.c:3787 mm/slub.c:3800)
      hci_conn_params_del (net/bluetooth/hci_core.c:2323)
      le_scan_cleanup (net/bluetooth/hci_conn.c:202)
      process_one_work (./arch/x86/include/asm/preempt.h:27 kernel/workqueue.c:2399)
      worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2538)
      kthread (kernel/kthread.c:376)
      ret_from_fork (arch/x86/entry/entry_64.S:314)
      ==================================================================
      
      Fixes: e8907f76 ("Bluetooth: hci_sync: Make use of hci_cmd_sync_queue set 3")
      Signed-off-by: default avatarPauli Virtanen <pav@iki.fi>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      195ef75e
    • Linus Torvalds's avatar
      Merge tag 'iomap-6.5-fixes-1' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · e599e16c
      Linus Torvalds authored
      Pull iomap fix from Darrick Wong:
       "Fix partial write regression.
      
        It turns out that fstests doesn't have any test coverage for short
        writes, but LTP does. Fortunately, this was caught right after -rc1
        was tagged.
      
        Summary:
      
         - Fix a bug wherein a failed write could clobber short write status"
      
      * tag 'iomap-6.5-fixes-1' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
        iomap: micro optimize the ki_pos assignment in iomap_file_buffered_write
        iomap: fix a regression for partial write errors
      e599e16c
    • Linus Torvalds's avatar
      Merge tag 'xfs-6.5-fixes-1' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · 69435880
      Linus Torvalds authored
      Pull xfs fixes from Darrick Wong:
       "Flexarray declaration conversions.
      
        This probably should've been done with the merge window open, but I
        was not aware that the UBSAN knob would be getting turned up for 6.5,
        and the fstests failures due to the kernel warnings are getting in the
        way of testing.
      
        Summary:
      
         - Convert all the array[1] declarations into the accepted flex
           array[] declarations so that UBSAN and friends will not get
           confused"
      
      * tag 'xfs-6.5-fixes-1' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
        xfs: convert flex-array declarations in xfs attr shortform objects
        xfs: convert flex-array declarations in xfs attr leaf blocks
        xfs: convert flex-array declarations in struct xfs_attrlist*
      69435880
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: skip bound chain on rule flush · 6eaf41e8
      Pablo Neira Ayuso authored
      Skip bound chain when flushing table rules, the rule that owns this
      chain releases these objects.
      
      Otherwise, the following warning is triggered:
      
        WARNING: CPU: 2 PID: 1217 at net/netfilter/nf_tables_api.c:2013 nf_tables_chain_destroy+0x1f7/0x210 [nf_tables]
        CPU: 2 PID: 1217 Comm: chain-flush Not tainted 6.1.39 #1
        RIP: 0010:nf_tables_chain_destroy+0x1f7/0x210 [nf_tables]
      
      Fixes: d0e2c7de ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
      Reported-by: default avatarKevin Rich <kevinrich1337@gmail.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      6eaf41e8
    • Linus Torvalds's avatar
      Merge tag 'for-6.5-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 46670259
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
       "Stable fixes:
      
         - fix race between balance and cancel/pause
      
         - various iput() fixes
      
         - fix use-after-free of new block group that became unused
      
         - fix warning when putting transaction with qgroups enabled after
           abort
      
         - fix crash in subpage mode when page could be released between map
           and map read
      
         - when scrubbing raid56 verify the P/Q stripes unconditionally
      
         - fix minor memory leak in zoned mode when a block group with an
           unexpected superblock is found
      
        Regression fixes:
      
         - fix ordered extent split error handling when submitting direct IO
      
         - user irq-safe locking when adding delayed iputs"
      
      * tag 'for-6.5-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: fix warning when putting transaction with qgroups enabled after abort
        btrfs: fix ordered extent split error handling in btrfs_dio_submit_io
        btrfs: set_page_extent_mapped after read_folio in btrfs_cont_expand
        btrfs: raid56: always verify the P/Q contents for scrub
        btrfs: use irq safe locking when running and adding delayed iputs
        btrfs: fix iput() on error pointer after error during orphan cleanup
        btrfs: fix double iput() on inode after an error during orphan cleanup
        btrfs: zoned: fix memory leak after finding block group with super blocks
        btrfs: fix use-after-free of new block group that became unused
        btrfs: be a bit more careful when setting mirror_num_ret in btrfs_map_block
        btrfs: fix race between balance and cancel/pause
      46670259