January 2022 - Linux-stable-mirror

[PATCH v3 2/2] powerpc: Add set_memory_{p/np}() and remove set_memory_attr()

by Christophe Leroy

set_memory_attr() was implemented by commit 4d1755b6a762 ("powerpc/mm: implement set_memory_attr()") because the set_memory_xx() couldn't be used at that time to modify memory "on the fly" as explained it the commit. But set_memory_attr() uses set_pte_at() which leads to warnings when CONFIG_DEBUG_VM is selected, because set_pte_at() is unexpected for updating existing page table entries. The check could be bypassed by using __set_pte_at() instead, as it was the case before commit c988cfd38e48 ("powerpc/32: use set_memory_attr()") but since commit 9f7853d7609d ("powerpc/mm: Fix set_memory_*() against concurrent accesses") it is now possible to use set_memory_xx() functions to update page table entries "on the fly" because the update is now atomic. For DEBUG_PAGEALLOC we need to clear and set back _PAGE_PRESENT. Add set_memory_np() and set_memory_p() for that. Replace all uses of set_memory_attr() by the relevant set_memory_xx() and remove set_memory_attr(). Reported-by: Maxime Bizon <mbizon(a)freebox.fr> Fixes: c988cfd38e48 ("powerpc/32: use set_memory_attr()") Cc: stable(a)vger.kernel.org Depends-on: 9f7853d7609d ("powerpc/mm: Fix set_memory_*() against concurrent accesses") Signed-off-by: Christophe Leroy <christophe.leroy(a)csgroup.eu> Reviewed-by: Russell Currey <ruscur(a)russell.cc> Tested-by: Maxime Bizon <mbizon(a)freebox.fr> --- v3: Use _PAGE_PRESENT directly as all platforms have the bit v2: Add comment to SET_MEMORY_P and SET_MEMORY_NP --- arch/powerpc/include/asm/set_memory.h | 12 ++++++++- arch/powerpc/mm/pageattr.c | 39 +++++---------------------- arch/powerpc/mm/pgtable_32.c | 24 ++++++++--------- 3 files changed, 28 insertions(+), 47 deletions(-) diff --git a/arch/powerpc/include/asm/set_memory.h b/arch/powerpc/include/asm/set_memory.h index b040094f7920..7ebc807aa8cc 100644 --- a/arch/powerpc/include/asm/set_memory.h +++ b/arch/powerpc/include/asm/set_memory.h @@ -6,6 +6,8 @@ #define SET_MEMORY_RW 1 #define SET_MEMORY_NX 2 #define SET_MEMORY_X 3 +#define SET_MEMORY_NP 4 /* Set memory non present */ +#define SET_MEMORY_P 5 /* Set memory present */ int change_memory_attr(unsigned long addr, int numpages, long action); @@ -29,6 +31,14 @@ static inline int set_memory_x(unsigned long addr, int numpages) return change_memory_attr(addr, numpages, SET_MEMORY_X); } -int set_memory_attr(unsigned long addr, int numpages, pgprot_t prot); +static inline int set_memory_np(unsigned long addr, int numpages) +{ + return change_memory_attr(addr, numpages, SET_MEMORY_NP); +} + +static inline int set_memory_p(unsigned long addr, int numpages) +{ + return change_memory_attr(addr, numpages, SET_MEMORY_P); +} #endif diff --git a/arch/powerpc/mm/pageattr.c b/arch/powerpc/mm/pageattr.c index 8812454e70ff..85753e32a4de 100644 --- a/arch/powerpc/mm/pageattr.c +++ b/arch/powerpc/mm/pageattr.c @@ -46,6 +46,12 @@ static int change_page_attr(pte_t *ptep, unsigned long addr, void *data) case SET_MEMORY_X: pte_update_delta(ptep, addr, _PAGE_KERNEL_RO, _PAGE_KERNEL_ROX); break; + case SET_MEMORY_NP: + pte_update(&init_mm, addr, ptep, _PAGE_PRESENT, 0, 0); + break; + case SET_MEMORY_P: + pte_update(&init_mm, addr, ptep, 0, _PAGE_PRESENT, 0); + break; default: WARN_ON_ONCE(1); break; @@ -90,36 +96,3 @@ int change_memory_attr(unsigned long addr, int numpages, long action) return apply_to_existing_page_range(&init_mm, start, size, change_page_attr, (void *)action); } - -/* - * Set the attributes of a page: - * - * This function is used by PPC32 at the end of init to set final kernel memory - * protection. It includes changing the maping of the page it is executing from - * and data pages it is using. - */ -static int set_page_attr(pte_t *ptep, unsigned long addr, void *data) -{ - pgprot_t prot = __pgprot((unsigned long)data); - - spin_lock(&init_mm.page_table_lock); - - set_pte_at(&init_mm, addr, ptep, pte_modify(*ptep, prot)); - flush_tlb_kernel_range(addr, addr + PAGE_SIZE); - - spin_unlock(&init_mm.page_table_lock); - - return 0; -} - -int set_memory_attr(unsigned long addr, int numpages, pgprot_t prot) -{ - unsigned long start = ALIGN_DOWN(addr, PAGE_SIZE); - unsigned long sz = numpages * PAGE_SIZE; - - if (numpages <= 0) - return 0; - - return apply_to_existing_page_range(&init_mm, start, sz, set_page_attr, - (void *)pgprot_val(prot)); -} diff --git a/arch/powerpc/mm/pgtable_32.c b/arch/powerpc/mm/pgtable_32.c index 906e4e4328b2..f71ededdc02a 100644 --- a/arch/powerpc/mm/pgtable_32.c +++ b/arch/powerpc/mm/pgtable_32.c @@ -135,10 +135,12 @@ void mark_initmem_nx(void) unsigned long numpages = PFN_UP((unsigned long)_einittext) - PFN_DOWN((unsigned long)_sinittext); - if (v_block_mapped((unsigned long)_sinittext)) + if (v_block_mapped((unsigned long)_sinittext)) { mmu_mark_initmem_nx(); - else - set_memory_attr((unsigned long)_sinittext, numpages, PAGE_KERNEL); + } else { + set_memory_nx((unsigned long)_sinittext, numpages); + set_memory_rw((unsigned long)_sinittext, numpages); + } } #ifdef CONFIG_STRICT_KERNEL_RWX @@ -152,18 +154,14 @@ void mark_rodata_ro(void) return; } - numpages = PFN_UP((unsigned long)_etext) - - PFN_DOWN((unsigned long)_stext); - - set_memory_attr((unsigned long)_stext, numpages, PAGE_KERNEL_ROX); /* - * mark .rodata as read only. Use __init_begin rather than __end_rodata - * to cover NOTES and EXCEPTION_TABLE. + * mark .text and .rodata as read only. Use __init_begin rather than + * __end_rodata to cover NOTES and EXCEPTION_TABLE. */ numpages = PFN_UP((unsigned long)__init_begin) - - PFN_DOWN((unsigned long)__start_rodata); + PFN_DOWN((unsigned long)_stext); - set_memory_attr((unsigned long)__start_rodata, numpages, PAGE_KERNEL_RO); + set_memory_ro((unsigned long)_stext, numpages); // mark_initmem_nx() should have already run by now ptdump_check_wx(); @@ -179,8 +177,8 @@ void __kernel_map_pages(struct page *page, int numpages, int enable) return; if (enable) - set_memory_attr(addr, numpages, PAGE_KERNEL); + set_memory_p(addr, numpages); else - set_memory_attr(addr, numpages, __pgprot(0)); + set_memory_np(addr, numpages); } #endif /* CONFIG_DEBUG_PAGEALLOC */ -- 2.33.1

2 years, 11 months

1
1
0 0

[PATCH 4.14 1/2] Bluetooth: schedule SCO timeouts with delayed_work

by Ovidiu Panait

From: Desmond Cheong Zhi Xi <desmondcheongzx(a)gmail.com> commit ba316be1b6a00db7126ed9a39f9bee434a508043 upstream. struct sock.sk_timer should be used as a sock cleanup timer. However, SCO uses it to implement sock timeouts. This causes issues because struct sock.sk_timer's callback is run in an IRQ context, and the timer callback function sco_sock_timeout takes a spin lock on the socket. However, other functions such as sco_conn_del and sco_conn_ready take the spin lock with interrupts enabled. This inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} lock usage could lead to deadlocks as reported by Syzbot [1]: CPU0 ---- lock(slock-AF_BLUETOOTH-BTPROTO_SCO); <Interrupt> lock(slock-AF_BLUETOOTH-BTPROTO_SCO); To fix this, we use delayed work to implement SCO sock timouts instead. This allows us to avoid taking the spin lock on the socket in an IRQ context, and corrects the misuse of struct sock.sk_timer. As a note, cancel_delayed_work is used instead of cancel_delayed_work_sync in sco_sock_set_timer and sco_sock_clear_timer to avoid a deadlock. In the future, the call to bh_lock_sock inside sco_sock_timeout should be changed to lock_sock to synchronize with other functions using lock_sock. However, since sco_sock_set_timer and sco_sock_clear_timer are sometimes called under the locked socket (in sco_connect and __sco_sock_close), cancel_delayed_work_sync might cause them to sleep until an sco_sock_timeout that has started finishes running. But sco_sock_timeout would also sleep until it can grab the lock_sock. Using cancel_delayed_work is fine because sco_sock_timeout does not change from run to run, hence there is no functional difference between: 1. waiting for a timeout to finish running before scheduling another timeout 2. scheduling another timeout while a timeout is running. Link: https://syzkaller.appspot.com/bug?id=9089d89de0502e120f234ca0fc8a703f7368b3… [1] Reported-by: syzbot+2f6d7c28bb4bf7e82060(a)syzkaller.appspotmail.com Tested-by: syzbot+2f6d7c28bb4bf7e82060(a)syzkaller.appspotmail.com Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx(a)gmail.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> [OP: adjusted context for 4.14] Signed-off-by: Ovidiu Panait <ovidiu.panait(a)windriver.com> --- Note: these 2 fixes are part of CVE-2021-3640 patchset and are already present in 4.14+ stable branches. For this backport, small contextual adjustments were done to account for the old setup_timer() API usage. net/bluetooth/sco.c | 35 +++++++++++++++++++++++++++++------ 1 file changed, 29 insertions(+), 6 deletions(-) diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c index a5cc8942fc3f..69d489f1f363 100644 --- a/net/bluetooth/sco.c +++ b/net/bluetooth/sco.c @@ -48,6 +48,8 @@ struct sco_conn { spinlock_t lock; struct sock *sk; + struct delayed_work timeout_work; + unsigned int mtu; }; @@ -73,9 +75,20 @@ struct sco_pinfo { #define SCO_CONN_TIMEOUT (HZ * 40) #define SCO_DISCONN_TIMEOUT (HZ * 2) -static void sco_sock_timeout(unsigned long arg) +static void sco_sock_timeout(struct work_struct *work) { - struct sock *sk = (struct sock *)arg; + struct sco_conn *conn = container_of(work, struct sco_conn, + timeout_work.work); + struct sock *sk; + + sco_conn_lock(conn); + sk = conn->sk; + if (sk) + sock_hold(sk); + sco_conn_unlock(conn); + + if (!sk) + return; BT_DBG("sock %p state %d", sk, sk->sk_state); @@ -89,14 +102,21 @@ static void sco_sock_timeout(unsigned long arg) static void sco_sock_set_timer(struct sock *sk, long timeout) { + if (!sco_pi(sk)->conn) + return; + BT_DBG("sock %p state %d timeout %ld", sk, sk->sk_state, timeout); - sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout); + cancel_delayed_work(&sco_pi(sk)->conn->timeout_work); + schedule_delayed_work(&sco_pi(sk)->conn->timeout_work, timeout); } static void sco_sock_clear_timer(struct sock *sk) { + if (!sco_pi(sk)->conn) + return; + BT_DBG("sock %p state %d", sk, sk->sk_state); - sk_stop_timer(sk, &sk->sk_timer); + cancel_delayed_work(&sco_pi(sk)->conn->timeout_work); } /* ---- SCO connections ---- */ @@ -176,6 +196,9 @@ static void sco_conn_del(struct hci_conn *hcon, int err) sco_chan_del(sk, err); bh_unlock_sock(sk); sock_put(sk); + + /* Ensure no more work items will run before freeing conn. */ + cancel_delayed_work_sync(&conn->timeout_work); } hcon->sco_data = NULL; @@ -190,6 +213,8 @@ static void __sco_chan_add(struct sco_conn *conn, struct sock *sk, sco_pi(sk)->conn = conn; conn->sk = sk; + INIT_DELAYED_WORK(&conn->timeout_work, sco_sock_timeout); + if (parent) bt_accept_enqueue(parent, sk, true); } @@ -466,8 +491,6 @@ static struct sock *sco_sock_alloc(struct net *net, struct socket *sock, sco_pi(sk)->setting = BT_VOICE_CVSD_16BIT; - setup_timer(&sk->sk_timer, sco_sock_timeout, (unsigned long)sk); - bt_sock_link(&sco_sk_list, sk); return sk; } -- 2.25.1

2 years, 11 months

2
2
0 0

お問い合わせありがとうございます【株式会社占部製作所】 "[your-subject]"

by 株式会社占部製作所

?? Lillian liked you! Click Here: https://afly.co/xwy6?rlct ??様この度はお問い合わせありがとうございます。 ※お問い合わせの内容によっては、ご返答にお時間をいただく場合がございます。 ※お寄せいただいた個人情報はプライバシーに十分配慮し、厳重に管理致します。 ※メールアドレスの誤記、メールのフィルタリング、その他通信上の問題によりメールが届かない場合があります。万一お問い合わせから一週間経っても返信が届かない場合は誠にお手数ですが、お電話にてご連絡ください。 ━━━━━━━━━━━━━━━━━━━━━━━━ 以下の内容でメールを受け付けました。 ━━━━━━━━━━━━━━━━━━━━━━━━ メッセージ本文: 3wpu5i -- このメールは株式会社占部製作所 (http://urabess.com) のお問い合わせフォームから送信されました

2 years, 11 months

1
0
0 0

お問い合わせありがとうございます【株式会社占部製作所】 "[your-subject]"

by 株式会社占部製作所

?? Lillian liked you! Click Here: https://afly.co/xwy6?rlct ??様この度はお問い合わせありがとうございます。 ※お問い合わせの内容によっては、ご返答にお時間をいただく場合がございます。 ※お寄せいただいた個人情報はプライバシーに十分配慮し、厳重に管理致します。 ※メールアドレスの誤記、メールのフィルタリング、その他通信上の問題によりメールが届かない場合があります。万一お問い合わせから一週間経っても返信が届かない場合は誠にお手数ですが、お電話にてご連絡ください。 ━━━━━━━━━━━━━━━━━━━━━━━━ 以下の内容でメールを受け付けました。 ━━━━━━━━━━━━━━━━━━━━━━━━ メッセージ本文: 3wpu5i -- このメールは株式会社占部製作所 (http://urabess.com) のお問い合わせフォームから送信されました

2 years, 11 months

1
0
0 0

[PATCH v3] powerpc/32s: Fix kasan_init_region() for KASAN

by Christophe Leroy

It has been reported some configuration where the kernel doesn't boot with KASAN enabled. This is due to wrong BAT allocation for the KASAN area: ---[ Data Block Address Translation ]--- 0: 0xc0000000-0xcfffffff 0x00000000 256M Kernel rw m 1: 0xd0000000-0xdfffffff 0x10000000 256M Kernel rw m 2: 0xe0000000-0xefffffff 0x20000000 256M Kernel rw m 3: 0xf8000000-0xf9ffffff 0x2a000000 32M Kernel rw m 4: 0xfa000000-0xfdffffff 0x2c000000 64M Kernel rw m A BAT must have both virtual and physical addresses alignment matching the size of the BAT. This is not the case for BAT 4 above. Fix kasan_init_region() by using block_size() function that is in book3s32/mmu.c. To be able to reuse it here, make it non static and change its name to bat_block_size() in order to avoid name conflict with block_size() defined in <linux/blkdev.h> Also reuse find_free_bat() to avoid an error message from setbat() when no BAT is available. And allocate memory outside of linear memory mapping to avoid wasting that precious space. With this change we get correct alignment for BATs and KASAN shadow memory is allocated outside the linear memory space. ---[ Data Block Address Translation ]--- 0: 0xc0000000-0xcfffffff 0x00000000 256M Kernel rw 1: 0xd0000000-0xdfffffff 0x10000000 256M Kernel rw 2: 0xe0000000-0xefffffff 0x20000000 256M Kernel rw 3: 0xf8000000-0xfbffffff 0x7c000000 64M Kernel rw 4: 0xfc000000-0xfdffffff 0x7a000000 32M Kernel rw Reported-by: Maxime Bizon <mbizon(a)freebox.fr> Fixes: 7974c4732642 ("powerpc/32s: Implement dedicated kasan_init_region()") Cc: stable(a)vger.kernel.org Signed-off-by: Christophe Leroy <christophe.leroy(a)csgroup.eu> Tested-by: Maxime Bizon <mbizon(a)freebox.fr> --- v3: Rebased v2: - Allocate kasan shadow memory outside precious kernel linear memory - Properly zeroise kasan shadow memory --- arch/powerpc/include/asm/book3s/32/mmu-hash.h | 2 + arch/powerpc/mm/book3s32/mmu.c | 10 ++-- arch/powerpc/mm/kasan/book3s_32.c | 59 ++++++++++--------- 3 files changed, 38 insertions(+), 33 deletions(-) diff --git a/arch/powerpc/include/asm/book3s/32/mmu-hash.h b/arch/powerpc/include/asm/book3s/32/mmu-hash.h index 7be27862329f..78c6a5fde1d6 100644 --- a/arch/powerpc/include/asm/book3s/32/mmu-hash.h +++ b/arch/powerpc/include/asm/book3s/32/mmu-hash.h @@ -223,6 +223,8 @@ static __always_inline void update_user_segments(u32 val) update_user_segment(15, val); } +int __init find_free_bat(void); +unsigned int bat_block_size(unsigned long base, unsigned long top); #endif /* !__ASSEMBLY__ */ /* We happily ignore the smaller BATs on 601, we don't actually use diff --git a/arch/powerpc/mm/book3s32/mmu.c b/arch/powerpc/mm/book3s32/mmu.c index 94045b265b6b..203735caf691 100644 --- a/arch/powerpc/mm/book3s32/mmu.c +++ b/arch/powerpc/mm/book3s32/mmu.c @@ -76,7 +76,7 @@ unsigned long p_block_mapped(phys_addr_t pa) return 0; } -static int __init find_free_bat(void) +int __init find_free_bat(void) { int b; int n = mmu_has_feature(MMU_FTR_USE_HIGH_BATS) ? 8 : 4; @@ -100,7 +100,7 @@ static int __init find_free_bat(void) * - block size has to be a power of two. This is calculated by finding the * highest bit set to 1. */ -static unsigned int block_size(unsigned long base, unsigned long top) +unsigned int bat_block_size(unsigned long base, unsigned long top) { unsigned int max_size = SZ_256M; unsigned int base_shift = (ffs(base) - 1) & 31; @@ -145,7 +145,7 @@ static unsigned long __init __mmu_mapin_ram(unsigned long base, unsigned long to int idx; while ((idx = find_free_bat()) != -1 && base != top) { - unsigned int size = block_size(base, top); + unsigned int size = bat_block_size(base, top); if (size < 128 << 10) break; @@ -201,12 +201,12 @@ void mmu_mark_initmem_nx(void) unsigned long size; for (i = 0; i < nb - 1 && base < top;) { - size = block_size(base, top); + size = bat_block_size(base, top); setibat(i++, PAGE_OFFSET + base, base, size, PAGE_KERNEL_TEXT); base += size; } if (base < top) { - size = block_size(base, top); + size = bat_block_size(base, top); if ((top - base) > size) { size <<= 1; if (strict_kernel_rwx_enabled() && base + size > border) diff --git a/arch/powerpc/mm/kasan/book3s_32.c b/arch/powerpc/mm/kasan/book3s_32.c index 35b287b0a8da..450a67ef0bbe 100644 --- a/arch/powerpc/mm/kasan/book3s_32.c +++ b/arch/powerpc/mm/kasan/book3s_32.c @@ -10,48 +10,51 @@ int __init kasan_init_region(void *start, size_t size) { unsigned long k_start = (unsigned long)kasan_mem_to_shadow(start); unsigned long k_end = (unsigned long)kasan_mem_to_shadow(start + size); - unsigned long k_cur = k_start; - int k_size = k_end - k_start; - int k_size_base = 1 << (ffs(k_size) - 1); + unsigned long k_nobat = k_start; + unsigned long k_cur; + phys_addr_t phys; int ret; - void *block; - block = memblock_alloc(k_size, k_size_base); - - if (block && k_size_base >= SZ_128K && k_start == ALIGN(k_start, k_size_base)) { - int shift = ffs(k_size - k_size_base); - int k_size_more = shift ? 1 << (shift - 1) : 0; - - setbat(-1, k_start, __pa(block), k_size_base, PAGE_KERNEL); - if (k_size_more >= SZ_128K) - setbat(-1, k_start + k_size_base, __pa(block) + k_size_base, - k_size_more, PAGE_KERNEL); - if (v_block_mapped(k_start)) - k_cur = k_start + k_size_base; - if (v_block_mapped(k_start + k_size_base)) - k_cur = k_start + k_size_base + k_size_more; - - update_bats(); + while (k_nobat < k_end) { + unsigned int k_size = bat_block_size(k_nobat, k_end); + int idx = find_free_bat(); + + if (idx == -1) + break; + if (k_size < SZ_128K) + break; + phys = memblock_phys_alloc_range(k_size, k_size, 0, + MEMBLOCK_ALLOC_ANYWHERE); + if (!phys) + break; + + setbat(idx, k_nobat, phys, k_size, PAGE_KERNEL); + k_nobat += k_size; } + if (k_nobat != k_start) + update_bats(); - if (!block) - block = memblock_alloc(k_size, PAGE_SIZE); - if (!block) - return -ENOMEM; + if (k_nobat < k_end) { + phys = memblock_phys_alloc_range(k_end - k_nobat, PAGE_SIZE, 0, + MEMBLOCK_ALLOC_ANYWHERE); + if (!phys) + return -ENOMEM; + } ret = kasan_init_shadow_page_tables(k_start, k_end); if (ret) return ret; - kasan_update_early_region(k_start, k_cur, __pte(0)); + kasan_update_early_region(k_start, k_nobat, __pte(0)); - for (; k_cur < k_end; k_cur += PAGE_SIZE) { + for (k_cur = k_nobat; k_cur < k_end; k_cur += PAGE_SIZE) { pmd_t *pmd = pmd_off_k(k_cur); - void *va = block + k_cur - k_start; - pte_t pte = pfn_pte(PHYS_PFN(__pa(va)), PAGE_KERNEL); + pte_t pte = pfn_pte(PHYS_PFN(phys + k_cur - k_nobat), PAGE_KERNEL); __set_pte_at(&init_mm, k_cur, pte_offset_kernel(pmd, k_cur), pte, 0); } flush_tlb_kernel_range(k_start, k_end); + memset(kasan_mem_to_shadow(start), 0, k_end - k_start); + return 0; } -- 2.33.1

2 years, 11 months

2
1
0 0

[PATCH v2 1/1] nfc: llcp: fix NULL error pointer dereference on sendmsg() after failed bind()

by Krzysztof Kozlowski

Syzbot detected a NULL pointer dereference of nfc_llcp_sock->dev pointer (which is a 'struct nfc_dev *') with calls to llcp_sock_sendmsg() after a failed llcp_sock_bind(). The message being sent is a SOCK_DGRAM. KASAN report: BUG: KASAN: null-ptr-deref in nfc_alloc_send_skb+0x2d/0xc0 Read of size 4 at addr 00000000000005c8 by task llcp_sock_nfc_a/899 CPU: 5 PID: 899 Comm: llcp_sock_nfc_a Not tainted 5.16.0-rc6-next-20211224-00001-gc6437fbf18b0 #125 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x45/0x59 ? nfc_alloc_send_skb+0x2d/0xc0 __kasan_report.cold+0x117/0x11c ? mark_lock+0x480/0x4f0 ? nfc_alloc_send_skb+0x2d/0xc0 kasan_report+0x38/0x50 nfc_alloc_send_skb+0x2d/0xc0 nfc_llcp_send_ui_frame+0x18c/0x2a0 ? nfc_llcp_send_i_frame+0x230/0x230 ? __local_bh_enable_ip+0x86/0xe0 ? llcp_sock_connect+0x470/0x470 ? llcp_sock_connect+0x470/0x470 sock_sendmsg+0x8e/0xa0 ____sys_sendmsg+0x253/0x3f0 ... The issue was visible only with multiple simultaneous calls to bind() and sendmsg(), which resulted in most of the bind() calls to fail. The bind() was failing on checking if there is available WKS/SDP/SAP (respective bit in 'struct nfc_llcp_local' fields). When there was no available WKS/SDP/SAP, the bind returned error but the sendmsg() to such socket was able to trigger mentioned NULL pointer dereference of nfc_llcp_sock->dev. The code looks simply racy and currently it protects several paths against race with checks for (!nfc_llcp_sock->local) which is NULL-ified in error paths of bind(). The llcp_sock_sendmsg() did not have such check but called function nfc_llcp_send_ui_frame() had, although not protected with lock_sock(). Therefore the race could look like (same socket is used all the time): CPU0 CPU1 ==== ==== llcp_sock_bind() - lock_sock() - success - release_sock() - return 0 llcp_sock_sendmsg() - lock_sock() - release_sock() llcp_sock_bind(), same socket - lock_sock() - error - nfc_llcp_send_ui_frame() - if (!llcp_sock->local) - llcp_sock->local = NULL - nfc_put_device(dev) - dereference llcp_sock->dev - release_sock() - return -ERRNO The nfc_llcp_send_ui_frame() checked llcp_sock->local outside of the lock, which is racy and ineffective check. Instead, its caller llcp_sock_sendmsg(), should perform the check inside lock_sock(). Reported-and-tested-by: syzbot+7f23bcddf626e0593a39(a)syzkaller.appspotmail.com Fixes: b874dec21d1c ("NFC: Implement LLCP connection less Tx path") Cc: <stable(a)vger.kernel.org> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)canonical.com> --- Changes since v1: 1. Only split to independent set and updating Syzbot tested tag. --- net/nfc/llcp_sock.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c index 6cfd30fc0798..0b93a17b9f11 100644 --- a/net/nfc/llcp_sock.c +++ b/net/nfc/llcp_sock.c @@ -789,6 +789,11 @@ static int llcp_sock_sendmsg(struct socket *sock, struct msghdr *msg, lock_sock(sk); + if (!llcp_sock->local) { + release_sock(sk); + return -ENODEV; + } + if (sk->sk_type == SOCK_DGRAM) { DECLARE_SOCKADDR(struct sockaddr_nfc_llcp *, addr, msg->msg_name); -- 2.32.0

2 years, 11 months

1
0
0 0

stable-rc/queue/4.14 baseline: 124 runs, 1 regressions (v4.14.262-13-g570864c71522)

by kernelci.org bot

stable-rc/queue/4.14 baseline: 124 runs, 1 regressions (v4.14.262-13-g570864c71522) Regressions Summary ------------------- platform | arch | lab | compiler | defconfig | regressions ---------+------+---------------+----------+---------------------+------------ panda | arm | lab-collabora | gcc-10 | omap2plus_defconfig | 1 Details: https://kernelci.org/test/job/stable-rc/branch/queue%2F4.14/kernel/v4.14.26… Test: baseline Tree: stable-rc Branch: queue/4.14 Describe: v4.14.262-13-g570864c71522 URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git SHA: 570864c71522719ffd68b0f3a49fa9ef2f6ee215 Test Regressions ---------------- platform | arch | lab | compiler | defconfig | regressions ---------+------+---------------+----------+---------------------+------------ panda | arm | lab-collabora | gcc-10 | omap2plus_defconfig | 1 Details: https://kernelci.org/test/plan/id/61e7668b49db329435abbd11 Results: 4 PASS, 1 FAIL, 1 SKIP Full config: omap2plus_defconfig Compiler: gcc-10 (arm-linux-gnueabihf-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/queue-4.14/v4.14.262-13-g570864c715… HTML log: https://storage.kernelci.org//stable-rc/queue-4.14/v4.14.262-13-g570864c715… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2022… * baseline.dmesg.emerg: https://kernelci.org/test/case/id/61e7668b49db329435abbd17 failing since 0 day (last pass: v4.14.262-10-g93d10bded874, first fail: v4.14.262-13-g01f6e3343a5a) 2 lines 2022-01-19T01:16:41.019950 [ 20.074676] <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=alert RESULT=pass UNITS=lines MEASUREMENT=0> 2022-01-19T01:16:41.063972 kern :emerg : BUG: spinlock bad magic on CPU#0, udevd/101 2022-01-19T01:16:41.072921 kern :emerg : lock: emif_lock+0x0/0xffffed3c [emif], .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0

2 years, 11 months

1
0
0 0

stable-rc/queue/4.4 baseline: 98 runs, 3 regressions (v4.4.299-9-gdb49fa813c04)

by kernelci.org bot

stable-rc/queue/4.4 baseline: 98 runs, 3 regressions (v4.4.299-9-gdb49fa813c04) Regressions Summary ------------------- platform | arch | lab | compiler | defconfig | regressions ----------+------+---------------+----------+---------------------+------------ beagle-xm | arm | lab-baylibre | gcc-10 | omap2plus_defconfig | 2 panda | arm | lab-collabora | gcc-10 | omap2plus_defconfig | 1 Details: https://kernelci.org/test/job/stable-rc/branch/queue%2F4.4/kernel/v4.4.299-… Test: baseline Tree: stable-rc Branch: queue/4.4 Describe: v4.4.299-9-gdb49fa813c04 URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git SHA: db49fa813c04eed3249f2cf736c389c25a661261 Test Regressions ---------------- platform | arch | lab | compiler | defconfig | regressions ----------+------+---------------+----------+---------------------+------------ beagle-xm | arm | lab-baylibre | gcc-10 | omap2plus_defconfig | 2 Details: https://kernelci.org/test/plan/id/61e7564459e92da3f6abbd1b Results: 3 PASS, 2 FAIL, 1 SKIP Full config: omap2plus_defconfig Compiler: gcc-10 (arm-linux-gnueabihf-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/queue-4.4/v4.4.299-9-gdb49fa813c04/… HTML log: https://storage.kernelci.org//stable-rc/queue-4.4/v4.4.299-9-gdb49fa813c04/… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2022… * baseline.dmesg.crit: https://kernelci.org/test/case/id/61e7564559e92da3f6abbd21 new failure (last pass: v4.4.299-9-gd634fb6b6f52) 1 lines 2022-01-19T00:07:16.024016 / # 2022-01-19T00:07:16.026330 # 2022-01-19T00:07:16.134194 / # # 2022-01-19T00:07:16.136207 2022-01-19T00:07:16.239747 / # #export SHELL=/bin/sh 2022-01-19T00:07:16.241190 2022-01-19T00:07:16.343818 / # export SHELL=/bin/sh. /lava-1416229/environment 2022-01-19T00:07:16.345260 2022-01-19T00:07:16.447880 / # . /lava-1416229/environment/lava-1416229/bin/lava-test-runner /lava-1416229/0 2022-01-19T00:07:16.451507 ... (9 line(s) more) * baseline.dmesg.emerg: https://kernelci.org/test/case/id/61e7564559e92da3f6abbd23 new failure (last pass: v4.4.299-9-gd634fb6b6f52) 29 lines 2022-01-19T00:07:16.923268 [ 49.500030] <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=alert RESULT=pass UNITS=lines MEASUREMENT=0> 2022-01-19T00:07:16.977132 kern :emerg : Internal error: Oops - BUG: 0 [#1] SMP ARM 2022-01-19T00:07:16.982204 kern :emerg : Process udevd (pid: 109, stack limit = 0xcb950218) 2022-01-19T00:07:16.986815 kern :emerg : Stack: (0xcb951cf8 to 0xcb952000) 2022-01-19T00:07:16.995062 kern :emerg : 1ce0: bf02bdc4 60000013 2022-01-19T00:07:17.007928 kern :emerg : 1d00: bf02bdc8 c06a3cdc 00000001 00[ 49.582916] <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=emerg RESULT=fail UNITS=lines MEASUREMENT=29> platform | arch | lab | compiler | defconfig | regressions ----------+------+---------------+----------+---------------------+------------ panda | arm | lab-collabora | gcc-10 | omap2plus_defconfig | 1 Details: https://kernelci.org/test/plan/id/61e7564789adf68b19abbd1d Results: 4 PASS, 1 FAIL, 1 SKIP Full config: omap2plus_defconfig Compiler: gcc-10 (arm-linux-gnueabihf-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/queue-4.4/v4.4.299-9-gdb49fa813c04/… HTML log: https://storage.kernelci.org//stable-rc/queue-4.4/v4.4.299-9-gdb49fa813c04/… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2022… * baseline.dmesg.emerg: https://kernelci.org/test/case/id/61e7564789adf68b19abbd23 failing since 29 days (last pass: v4.4.295-12-gd8298cd08f0d, first fail: v4.4.295-23-gcec9bc2aa5d3) 2 lines 2022-01-19T00:07:16.238603 [ 19.254089] <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=alert RESULT=pass UNITS=lines MEASUREMENT=0> 2022-01-19T00:07:16.288299 kern :emerg : BUG: spinlock bad magic on CPU#0, udevd/121 2022-01-19T00:07:16.297060 kern :emerg : lock: emif_lock+0x0/0xfffff25c [emif], .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0

2 years, 11 months

1
0
0 0

stable-rc/queue/5.4 baseline: 151 runs, 4 regressions (v5.4.171-34-g717ea32e61e8)

by kernelci.org bot

stable-rc/queue/5.4 baseline: 151 runs, 4 regressions (v5.4.171-34-g717ea32e61e8) Regressions Summary ------------------- platform | arch | lab | compiler | defconfig | regressions -------------------------+------+--------------+----------+--------------------+------------ qemu_arm-virt-gicv2-uefi | arm | lab-baylibre | gcc-10 | multi_v7_defconfig | 1 qemu_arm-virt-gicv2-uefi | arm | lab-broonie | gcc-10 | multi_v7_defconfig | 1 qemu_arm-virt-gicv3-uefi | arm | lab-baylibre | gcc-10 | multi_v7_defconfig | 1 qemu_arm-virt-gicv3-uefi | arm | lab-broonie | gcc-10 | multi_v7_defconfig | 1 Details: https://kernelci.org/test/job/stable-rc/branch/queue%2F5.4/kernel/v5.4.171-… Test: baseline Tree: stable-rc Branch: queue/5.4 Describe: v5.4.171-34-g717ea32e61e8 URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git SHA: 717ea32e61e84fdd6832226bb1be5a7db2b44e19 Test Regressions ---------------- platform | arch | lab | compiler | defconfig | regressions -------------------------+------+--------------+----------+--------------------+------------ qemu_arm-virt-gicv2-uefi | arm | lab-baylibre | gcc-10 | multi_v7_defconfig | 1 Details: https://kernelci.org/test/plan/id/61e751236b99ff37a5abbd40 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: multi_v7_defconfig Compiler: gcc-10 (arm-linux-gnueabihf-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/queue-5.4/v5.4.171-34-g717ea32e61e8… HTML log: https://storage.kernelci.org//stable-rc/queue-5.4/v5.4.171-34-g717ea32e61e8… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2022… * baseline.login: https://kernelci.org/test/case/id/61e751236b99ff37a5abbd41 failing since 34 days (last pass: v5.4.165-9-g27d736c7bdee, first fail: v5.4.165-18-ge938927511cb) platform | arch | lab | compiler | defconfig | regressions -------------------------+------+--------------+----------+--------------------+------------ qemu_arm-virt-gicv2-uefi | arm | lab-broonie | gcc-10 | multi_v7_defconfig | 1 Details: https://kernelci.org/test/plan/id/61e75141f08bbc0bdaabbd1d Results: 0 PASS, 1 FAIL, 0 SKIP Full config: multi_v7_defconfig Compiler: gcc-10 (arm-linux-gnueabihf-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/queue-5.4/v5.4.171-34-g717ea32e61e8… HTML log: https://storage.kernelci.org//stable-rc/queue-5.4/v5.4.171-34-g717ea32e61e8… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2022… * baseline.login: https://kernelci.org/test/case/id/61e75141f08bbc0bdaabbd1e failing since 34 days (last pass: v5.4.165-9-g27d736c7bdee, first fail: v5.4.165-18-ge938927511cb) platform | arch | lab | compiler | defconfig | regressions -------------------------+------+--------------+----------+--------------------+------------ qemu_arm-virt-gicv3-uefi | arm | lab-baylibre | gcc-10 | multi_v7_defconfig | 1 Details: https://kernelci.org/test/plan/id/61e751216b99ff37a5abbd3d Results: 0 PASS, 1 FAIL, 0 SKIP Full config: multi_v7_defconfig Compiler: gcc-10 (arm-linux-gnueabihf-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/queue-5.4/v5.4.171-34-g717ea32e61e8… HTML log: https://storage.kernelci.org//stable-rc/queue-5.4/v5.4.171-34-g717ea32e61e8… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2022… * baseline.login: https://kernelci.org/test/case/id/61e751216b99ff37a5abbd3e failing since 34 days (last pass: v5.4.165-9-g27d736c7bdee, first fail: v5.4.165-18-ge938927511cb) platform | arch | lab | compiler | defconfig | regressions -------------------------+------+--------------+----------+--------------------+------------ qemu_arm-virt-gicv3-uefi | arm | lab-broonie | gcc-10 | multi_v7_defconfig | 1 Details: https://kernelci.org/test/plan/id/61e7513d6b99ff37a5abbd72 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: multi_v7_defconfig Compiler: gcc-10 (arm-linux-gnueabihf-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/queue-5.4/v5.4.171-34-g717ea32e61e8… HTML log: https://storage.kernelci.org//stable-rc/queue-5.4/v5.4.171-34-g717ea32e61e8… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2022… * baseline.login: https://kernelci.org/test/case/id/61e7513d6b99ff37a5abbd73 failing since 34 days (last pass: v5.4.165-9-g27d736c7bdee, first fail: v5.4.165-18-ge938927511cb)

2 years, 11 months

1
0
0 0

stable-rc/queue/5.10 baseline: 157 runs, 2 regressions (v5.10.91-49-g9703e54f4016)

by kernelci.org bot

stable-rc/queue/5.10 baseline: 157 runs, 2 regressions (v5.10.91-49-g9703e54f4016) Regressions Summary ------------------- platform | arch | lab | compiler | defconfig | regressions -------------------------+------+--------------+----------+--------------------+------------ imx6q-var-dt6customboard | arm | lab-baylibre | gcc-10 | multi_v7_defconfig | 2 Details: https://kernelci.org/test/job/stable-rc/branch/queue%2F5.10/kernel/v5.10.91… Test: baseline Tree: stable-rc Branch: queue/5.10 Describe: v5.10.91-49-g9703e54f4016 URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git SHA: 9703e54f40169134cce44987fb3c7556b816b0cb Test Regressions ---------------- platform | arch | lab | compiler | defconfig | regressions -------------------------+------+--------------+----------+--------------------+------------ imx6q-var-dt6customboard | arm | lab-baylibre | gcc-10 | multi_v7_defconfig | 2 Details: https://kernelci.org/test/plan/id/61e74bd11a4714cfefabbd27 Results: 4 PASS, 2 FAIL, 0 SKIP Full config: multi_v7_defconfig Compiler: gcc-10 (arm-linux-gnueabihf-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//stable-rc/queue-5.10/v5.10.91-49-g9703e54f401… HTML log: https://storage.kernelci.org//stable-rc/queue-5.10/v5.10.91-49-g9703e54f401… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/buildroot-baseline/2022… * baseline.dmesg.alert: https://kernelci.org/test/case/id/61e74bd11a4714cfefabbd2e new failure (last pass: v5.10.91-47-g6c855c89aa97) 4 lines 2022-01-18T23:22:46.905892 kern :alert : 8<--- cut here --- 2022-01-18T23:22:46.906526 kern :alert : Unable to handle kernel NULL pointer dereference at virtual address 00000313 2022-01-18T23:22:46.907386 kern :alert : pgd = (ptrval)<8>[ 39.412823] <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=alert RESULT=fail UNITS=lines MEASUREMENT=4> 2022-01-18T23:22:46.907775 2022-01-18T23:22:46.908034 kern :alert : [00000313] *pgd=00000000 * baseline.dmesg.emerg: https://kernelci.org/test/case/id/61e74bd11a4714cfefabbd2f new failure (last pass: v5.10.91-47-g6c855c89aa97) 46 lines 2022-01-18T23:22:46.959349 kern :emerg : Internal error: Oops: 17 [#1] SMP ARM 2022-01-18T23:22:46.959642 kern :emerg : Process kworker/1:5 (pid: 96, stack limit = 0x(ptrval)) 2022-01-18T23:22:46.960158 kern :emerg : Stack: (0xc36ddd68 to 0xc36de000) 2022-01-18T23:22:46.960422 kern :emerg : dd60: c3a3a1b0 c3a3a1b4 c3a3a000 c3a3a000 c1445ce4 c09e3c94 2022-01-18T23:22:46.960670 kern :emerg : dd80: c36dc000 c1445ce4 0000000c c3a3a000 000002f3 c32ded00 c2001d80 ef85dbc0 2022-01-18T23:22:46.961165 kern :emerg : dda0: c09f13fc c1445ce4 0000000c c234b340 c19c7a10 09d03d33 00000001 c3a80d40 2022-01-18T23:22:47.002341 kern :emerg : ddc0: c3a87300 c3a3a000 c3a3a014 c1445ce4 0000000c c234b340 c19c7a10 c09f13d0 2022-01-18T23:22:47.002952 kern :emerg : dde0: c1443a08 00000000 c3a3a000 fffffdfb bf026000 c22d8c10 00000120 c09c73b0 2022-01-18T23:22:47.003244 kern :emerg : de00: c3a3a000 bf022120 c3a80340 c3b6cf08 c3b16dc0 c19c7a2c 00000120 c0a23da0 2022-01-18T23:22:47.003499 kern :emerg : de20: c3a80340 c3a80340 c2232c00 c3b16dc0 00000000 c3a80340 c19c7a24 bf08e0a8 ... (36 line(s) more)

2 years, 11 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror January 2022