* [PATCH AUTOSEL 4.9 1/6] net-sysfs: add check for netdevice being present to speed_show
@ 2022-03-01 20:22 Sasha Levin
2022-03-01 20:22 ` [PATCH AUTOSEL 4.9 2/6] sr9700: sanity check for packet length Sasha Levin
` (4 more replies)
0 siblings, 5 replies; 6+ messages in thread
From: Sasha Levin @ 2022-03-01 20:22 UTC (permalink / raw)
To: linux-kernel, stable
Cc: suresh kumar, David S . Miller, Sasha Levin, kuba, atenart,
edumazet, netdev
From: suresh kumar <suresh2514@gmail.com>
[ Upstream commit 4224cfd7fb6523f7a9d1c8bb91bb5df1e38eb624 ]
When bringing down the netdevice or system shutdown, a panic can be
triggered while accessing the sysfs path because the device is already
removed.
[ 755.549084] mlx5_core 0000:12:00.1: Shutdown was called
[ 756.404455] mlx5_core 0000:12:00.0: Shutdown was called
...
[ 757.937260] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 758.031397] IP: [<ffffffff8ee11acb>] dma_pool_alloc+0x1ab/0x280
crash> bt
...
PID: 12649 TASK: ffff8924108f2100 CPU: 1 COMMAND: "amsd"
...
#9 [ffff89240e1a38b0] page_fault at ffffffff8f38c778
[exception RIP: dma_pool_alloc+0x1ab]
RIP: ffffffff8ee11acb RSP: ffff89240e1a3968 RFLAGS: 00010046
RAX: 0000000000000246 RBX: ffff89243d874100 RCX: 0000000000001000
RDX: 0000000000000000 RSI: 0000000000000246 RDI: ffff89243d874090
RBP: ffff89240e1a39c0 R8: 000000000001f080 R9: ffff8905ffc03c00
R10: ffffffffc04680d4 R11: ffffffff8edde9fd R12: 00000000000080d0
R13: ffff89243d874090 R14: ffff89243d874080 R15: 0000000000000000
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
#10 [ffff89240e1a39c8] mlx5_alloc_cmd_msg at ffffffffc04680f3 [mlx5_core]
#11 [ffff89240e1a3a18] cmd_exec at ffffffffc046ad62 [mlx5_core]
#12 [ffff89240e1a3ab8] mlx5_cmd_exec at ffffffffc046b4fb [mlx5_core]
#13 [ffff89240e1a3ae8] mlx5_core_access_reg at ffffffffc0475434 [mlx5_core]
#14 [ffff89240e1a3b40] mlx5e_get_fec_caps at ffffffffc04a7348 [mlx5_core]
#15 [ffff89240e1a3bb0] get_fec_supported_advertised at ffffffffc04992bf [mlx5_core]
#16 [ffff89240e1a3c08] mlx5e_get_link_ksettings at ffffffffc049ab36 [mlx5_core]
#17 [ffff89240e1a3ce8] __ethtool_get_link_ksettings at ffffffff8f25db46
#18 [ffff89240e1a3d48] speed_show at ffffffff8f277208
#19 [ffff89240e1a3dd8] dev_attr_show at ffffffff8f0b70e3
#20 [ffff89240e1a3df8] sysfs_kf_seq_show at ffffffff8eedbedf
#21 [ffff89240e1a3e18] kernfs_seq_show at ffffffff8eeda596
#22 [ffff89240e1a3e28] seq_read at ffffffff8ee76d10
#23 [ffff89240e1a3e98] kernfs_fop_read at ffffffff8eedaef5
#24 [ffff89240e1a3ed8] vfs_read at ffffffff8ee4e3ff
#25 [ffff89240e1a3f08] sys_read at ffffffff8ee4f27f
#26 [ffff89240e1a3f50] system_call_fastpath at ffffffff8f395f92
crash> net_device.state ffff89443b0c0000
state = 0x5 (__LINK_STATE_START| __LINK_STATE_NOCARRIER)
To prevent this scenario, we also make sure that the netdevice is present.
Signed-off-by: suresh kumar <suresh2514@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/net-sysfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
index 3fb5d8ecc8499..e42df58b88766 100644
--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -198,7 +198,7 @@ static ssize_t speed_show(struct device *dev,
if (!rtnl_trylock())
return restart_syscall();
- if (netif_running(netdev)) {
+ if (netif_running(netdev) && netif_device_present(netdev)) {
struct ethtool_link_ksettings cmd;
if (!__ethtool_get_link_ksettings(netdev, &cmd))
--
2.34.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH AUTOSEL 4.9 2/6] sr9700: sanity check for packet length
2022-03-01 20:22 [PATCH AUTOSEL 4.9 1/6] net-sysfs: add check for netdevice being present to speed_show Sasha Levin
@ 2022-03-01 20:22 ` Sasha Levin
2022-03-01 20:22 ` [PATCH AUTOSEL 4.9 3/6] gpio: Return EPROBE_DEFER if gc->to_irq is NULL Sasha Levin
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Sasha Levin @ 2022-03-01 20:22 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Oliver Neukum, Grant Grundler, David S . Miller, Sasha Levin,
kuba, andrew, arnd, linux-usb, netdev
From: Oliver Neukum <oneukum@suse.com>
[ Upstream commit e9da0b56fe27206b49f39805f7dcda8a89379062 ]
A malicious device can leak heap data to user space
providing bogus frame lengths. Introduce a sanity check.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Reviewed-by: Grant Grundler <grundler@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/sr9700.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c
index aadfe1d1c37ee..f4c4df01874c3 100644
--- a/drivers/net/usb/sr9700.c
+++ b/drivers/net/usb/sr9700.c
@@ -409,7 +409,7 @@ static int sr9700_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
/* ignore the CRC length */
len = (skb->data[1] | (skb->data[2] << 8)) - 4;
- if (len > ETH_FRAME_LEN)
+ if (len > ETH_FRAME_LEN || len > skb->len)
return 0;
/* the last packet of current skb */
--
2.34.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH AUTOSEL 4.9 3/6] gpio: Return EPROBE_DEFER if gc->to_irq is NULL
2022-03-01 20:22 [PATCH AUTOSEL 4.9 1/6] net-sysfs: add check for netdevice being present to speed_show Sasha Levin
2022-03-01 20:22 ` [PATCH AUTOSEL 4.9 2/6] sr9700: sanity check for packet length Sasha Levin
@ 2022-03-01 20:22 ` Sasha Levin
2022-03-01 20:22 ` [PATCH AUTOSEL 4.9 4/6] Revert "xen-netback: Check for hotplug-status existence before watching" Sasha Levin
` (2 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Sasha Levin @ 2022-03-01 20:22 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Shreeya Patel, Linus Walleij, Andy Shevchenko, kernel test robot,
Bartosz Golaszewski, Sasha Levin, linux-gpio
From: Shreeya Patel <shreeya.patel@collabora.com>
[ Upstream commit ae42f9288846353982e2eab181fb41e7fd8bf60f ]
We are racing the registering of .to_irq when probing the
i2c driver. This results in random failure of touchscreen
devices.
Following explains the race condition better.
[gpio driver] gpio driver registers gpio chip
[gpio consumer] gpio is acquired
[gpio consumer] gpiod_to_irq() fails with -ENXIO
[gpio driver] gpio driver registers irqchip
gpiod_to_irq works at this point, but -ENXIO is fatal
We could see the following errors in dmesg logs when gc->to_irq is NULL
[2.101857] i2c_hid i2c-FTS3528:00: HID over i2c has not been provided an Int IRQ
[2.101953] i2c_hid: probe of i2c-FTS3528:00 failed with error -22
To avoid this situation, defer probing until to_irq is registered.
Returning -EPROBE_DEFER would be the first step towards avoiding
the failure of devices due to the race in registration of .to_irq.
Final solution to this issue would be to avoid using gc irq members
until they are fully initialized.
This issue has been reported many times in past and people have been
using workarounds like changing the pinctrl_amd to built-in instead
of loading it as a module or by adding a softdep for pinctrl_amd into
the config file.
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=209413
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Shreeya Patel <shreeya.patel@collabora.com>
Signed-off-by: Bartosz Golaszewski <brgl@bgdev.pl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/gpiolib.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
index 73d02f6089d56..a01bf4145beda 100644
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -2726,6 +2726,16 @@ int gpiod_to_irq(const struct gpio_desc *desc)
return retirq;
}
+#ifdef CONFIG_GPIOLIB_IRQCHIP
+ if (gc->irq.chip) {
+ /*
+ * Avoid race condition with other code, which tries to lookup
+ * an IRQ before the irqchip has been properly registered,
+ * i.e. while gpiochip is still being brought up.
+ */
+ return -EPROBE_DEFER;
+ }
+#endif
return -ENXIO;
}
EXPORT_SYMBOL_GPL(gpiod_to_irq);
--
2.34.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH AUTOSEL 4.9 4/6] Revert "xen-netback: Check for hotplug-status existence before watching"
2022-03-01 20:22 [PATCH AUTOSEL 4.9 1/6] net-sysfs: add check for netdevice being present to speed_show Sasha Levin
2022-03-01 20:22 ` [PATCH AUTOSEL 4.9 2/6] sr9700: sanity check for packet length Sasha Levin
2022-03-01 20:22 ` [PATCH AUTOSEL 4.9 3/6] gpio: Return EPROBE_DEFER if gc->to_irq is NULL Sasha Levin
@ 2022-03-01 20:22 ` Sasha Levin
2022-03-01 20:22 ` [PATCH AUTOSEL 4.9 5/6] tracing: Ensure trace buffer is at least 4096 bytes large Sasha Levin
2022-03-01 20:22 ` [PATCH AUTOSEL 4.9 6/6] selftests/memfd: clean up mapping in mfd_fail_write Sasha Levin
4 siblings, 0 replies; 6+ messages in thread
From: Sasha Levin @ 2022-03-01 20:22 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Marek Marczykowski-Górecki, Paul Durrant, Michael Brown,
Jakub Kicinski, Sasha Levin, wei.liu, davem, xen-devel, netdev
From: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
[ Upstream commit e8240addd0a3919e0fd7436416afe9aa6429c484 ]
This reverts commit 2afeec08ab5c86ae21952151f726bfe184f6b23d.
The reasoning in the commit was wrong - the code expected to setup the
watch even if 'hotplug-status' didn't exist. In fact, it relied on the
watch being fired the first time - to check if maybe 'hotplug-status' is
already set to 'connected'. Not registering a watch for non-existing
path (which is the case if hotplug script hasn't been executed yet),
made the backend not waiting for the hotplug script to execute. This in
turns, made the netfront think the interface is fully operational, while
in fact it was not (the vif interface on xen-netback side might not be
configured yet).
This was a workaround for 'hotplug-status' erroneously being removed.
But since that is reverted now, the workaround is not necessary either.
More discussion at
https://lore.kernel.org/xen-devel/afedd7cb-a291-e773-8b0d-4db9b291fa98@ipxe.org/T/#u
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Reviewed-by: Paul Durrant <paul@xen.org>
Reviewed-by: Michael Brown <mbrown@fensystems.co.uk>
Link: https://lore.kernel.org/r/20220222001817.2264967-2-marmarek@invisiblethingslab.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/xen-netback/xenbus.c | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/drivers/net/xen-netback/xenbus.c b/drivers/net/xen-netback/xenbus.c
index e6646c8a7bdbb..78788402edd8b 100644
--- a/drivers/net/xen-netback/xenbus.c
+++ b/drivers/net/xen-netback/xenbus.c
@@ -1040,15 +1040,11 @@ static void connect(struct backend_info *be)
xenvif_carrier_on(be->vif);
unregister_hotplug_status_watch(be);
- if (xenbus_exists(XBT_NIL, dev->nodename, "hotplug-status")) {
- err = xenbus_watch_pathfmt(dev, &be->hotplug_status_watch,
- NULL, hotplug_status_changed,
- "%s/%s", dev->nodename,
- "hotplug-status");
- if (err)
- goto err;
+ err = xenbus_watch_pathfmt(dev, &be->hotplug_status_watch, NULL,
+ hotplug_status_changed,
+ "%s/%s", dev->nodename, "hotplug-status");
+ if (!err)
be->have_hotplug_status_watch = 1;
- }
netif_tx_wake_all_queues(be->vif->dev);
--
2.34.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH AUTOSEL 4.9 5/6] tracing: Ensure trace buffer is at least 4096 bytes large
2022-03-01 20:22 [PATCH AUTOSEL 4.9 1/6] net-sysfs: add check for netdevice being present to speed_show Sasha Levin
` (2 preceding siblings ...)
2022-03-01 20:22 ` [PATCH AUTOSEL 4.9 4/6] Revert "xen-netback: Check for hotplug-status existence before watching" Sasha Levin
@ 2022-03-01 20:22 ` Sasha Levin
2022-03-01 20:22 ` [PATCH AUTOSEL 4.9 6/6] selftests/memfd: clean up mapping in mfd_fail_write Sasha Levin
4 siblings, 0 replies; 6+ messages in thread
From: Sasha Levin @ 2022-03-01 20:22 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Sven Schnelle, Steven Rostedt, Sasha Levin, mingo
From: Sven Schnelle <svens@linux.ibm.com>
[ Upstream commit 7acf3a127bb7c65ff39099afd78960e77b2ca5de ]
Booting the kernel with 'trace_buf_size=1' give a warning at
boot during the ftrace selftests:
[ 0.892809] Running postponed tracer tests:
[ 0.892893] Testing tracer function:
[ 0.901899] Callback from call_rcu_tasks_trace() invoked.
[ 0.983829] Callback from call_rcu_tasks_rude() invoked.
[ 1.072003] .. bad ring buffer .. corrupted trace buffer ..
[ 1.091944] Callback from call_rcu_tasks() invoked.
[ 1.097695] PASSED
[ 1.097701] Testing dynamic ftrace: .. filter failed count=0 ..FAILED!
[ 1.353474] ------------[ cut here ]------------
[ 1.353478] WARNING: CPU: 0 PID: 1 at kernel/trace/trace.c:1951 run_tracer_selftest+0x13c/0x1b0
Therefore enforce a minimum of 4096 bytes to make the selftest pass.
Link: https://lkml.kernel.org/r/20220214134456.1751749-1-svens@linux.ibm.com
Signed-off-by: Sven Schnelle <svens@linux.ibm.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/trace.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index 12bee7043be6f..90e0fd5621da9 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -1077,10 +1077,12 @@ static int __init set_buf_size(char *str)
if (!str)
return 0;
buf_size = memparse(str, &str);
- /* nr_entries can not be zero */
- if (buf_size == 0)
- return 0;
- trace_buf_size = buf_size;
+ /*
+ * nr_entries can not be zero and the startup
+ * tests require some buffer space. Therefore
+ * ensure we have at least 4096 bytes of buffer.
+ */
+ trace_buf_size = max(4096UL, buf_size);
return 1;
}
__setup("trace_buf_size=", set_buf_size);
--
2.34.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH AUTOSEL 4.9 6/6] selftests/memfd: clean up mapping in mfd_fail_write
2022-03-01 20:22 [PATCH AUTOSEL 4.9 1/6] net-sysfs: add check for netdevice being present to speed_show Sasha Levin
` (3 preceding siblings ...)
2022-03-01 20:22 ` [PATCH AUTOSEL 4.9 5/6] tracing: Ensure trace buffer is at least 4096 bytes large Sasha Levin
@ 2022-03-01 20:22 ` Sasha Levin
4 siblings, 0 replies; 6+ messages in thread
From: Sasha Levin @ 2022-03-01 20:22 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Mike Kravetz, Joel Fernandes, Shuah Khan, Andrew Morton,
Linus Torvalds, Sasha Levin, gthelen, linux-kselftest
From: Mike Kravetz <mike.kravetz@oracle.com>
[ Upstream commit fda153c89af344d21df281009a9d046cf587ea0f ]
Running the memfd script ./run_hugetlbfs_test.sh will often end in error
as follows:
memfd-hugetlb: CREATE
memfd-hugetlb: BASIC
memfd-hugetlb: SEAL-WRITE
memfd-hugetlb: SEAL-FUTURE-WRITE
memfd-hugetlb: SEAL-SHRINK
fallocate(ALLOC) failed: No space left on device
./run_hugetlbfs_test.sh: line 60: 166855 Aborted (core dumped) ./memfd_test hugetlbfs
opening: ./mnt/memfd
fuse: DONE
If no hugetlb pages have been preallocated, run_hugetlbfs_test.sh will
allocate 'just enough' pages to run the test. In the SEAL-FUTURE-WRITE
test the mfd_fail_write routine maps the file, but does not unmap. As a
result, two hugetlb pages remain reserved for the mapping. When the
fallocate call in the SEAL-SHRINK test attempts allocate all hugetlb
pages, it is short by the two reserved pages.
Fix by making sure to unmap in mfd_fail_write.
Link: https://lkml.kernel.org/r/20220219004340.56478-1-mike.kravetz@oracle.com
Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Joel Fernandes <joel@joelfernandes.org>
Cc: Shuah Khan <shuah@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/memfd/memfd_test.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/testing/selftests/memfd/memfd_test.c b/tools/testing/selftests/memfd/memfd_test.c
index 26546892cd545..faab09215c88b 100644
--- a/tools/testing/selftests/memfd/memfd_test.c
+++ b/tools/testing/selftests/memfd/memfd_test.c
@@ -373,6 +373,7 @@ static void mfd_fail_write(int fd)
printf("mmap()+mprotect() didn't fail as expected\n");
abort();
}
+ munmap(p, mfd_def_size);
}
/* verify PUNCH_HOLE fails */
--
2.34.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
end of thread, other threads:[~2022-03-01 20:24 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-03-01 20:22 [PATCH AUTOSEL 4.9 1/6] net-sysfs: add check for netdevice being present to speed_show Sasha Levin
2022-03-01 20:22 ` [PATCH AUTOSEL 4.9 2/6] sr9700: sanity check for packet length Sasha Levin
2022-03-01 20:22 ` [PATCH AUTOSEL 4.9 3/6] gpio: Return EPROBE_DEFER if gc->to_irq is NULL Sasha Levin
2022-03-01 20:22 ` [PATCH AUTOSEL 4.9 4/6] Revert "xen-netback: Check for hotplug-status existence before watching" Sasha Levin
2022-03-01 20:22 ` [PATCH AUTOSEL 4.9 5/6] tracing: Ensure trace buffer is at least 4096 bytes large Sasha Levin
2022-03-01 20:22 ` [PATCH AUTOSEL 4.9 6/6] selftests/memfd: clean up mapping in mfd_fail_write Sasha Levin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).