The following changes since commit 830b3c68c1fb1e9176028d02ef86f3cf76aa2476:

  Linux 6.1 (2022-12-11 14:15:18 -0800)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost.git tags/for_linus

for you to fetch changes up to 98dd6b2ef50d6f7876606a86c8d8a767c9fef6f5:

  virtio_blk: mark all zone fields LE (2022-12-22 14:32:36 -0500)

Note: merging this upstream results in a conflict between commit:

  de4eda9de2d9 ("use less confusing names for iov_iter direction initializers")

from Linus' tree and commit:

  ("virtio/vsock: replace virtio_vsock_pkt with sk_buff")

from this tree. The resolution below, due to Stephen Rothwell, fixes it up:
diff --cc drivers/vhost/vsock.c
index cd6f7776013a,830bc823addc..000000000000
--- a/drivers/vhost/vsock.c
+++ b/drivers/vhost/vsock.c
@@@ -165,8 -157,9 +157,9 @@@ vhost_transport_do_send_pkt(struct vhos
break;
}
- iov_iter_init(&iov_iter, READ, &vq->iov[out], in, iov_len);
+ iov_iter_init(&iov_iter, ITER_DEST, &vq->iov[out], in, iov_len);
- payload_len = pkt->len - pkt->off;
+ payload_len = skb->len;
+ hdr = virtio_vsock_hdr(skb);
/* If the packet is greater than the space available in the
* buffer, we split it using multiple buffers.
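Review bot: `payload_len = skb->len` drops the `- pkt->off` term the old line had, and the comment right after says a packet larger than the guest buffer is split across several buffers; confirm that the skb-based path advances the skb data pointer (so skb->len shrinks) when it resumes a partially sent packet rather than keeping a separate offset, otherwise a resumed send would recopy from the start. The ITER_DEST choice is the right side of the conflict to take: it is the renamed READ, and only the direction argument changed on that side.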
@@@ -366,18 -340,21 +340,22 @@@ vhost_vsock_alloc_skb(struct vhost_virt
return NULL;
}
- pkt = kzalloc(sizeof(*pkt), GFP_KERNEL);
- if (!pkt)
+ len = iov_length(vq->iov, out);
+
+ /* len contains both payload and hdr */
+ skb = virtio_vsock_alloc_skb(len, GFP_KERNEL);
+ if (!skb)
return NULL;
- iov_iter_init(&iov_iter, WRITE, vq->iov, out, len);
+ len = iov_length(vq->iov, out);
+ iov_iter_init(&iov_iter, ITER_SOURCE, vq->iov, out, len);
- nbytes = copy_from_iter(&pkt->hdr, sizeof(pkt->hdr), &iov_iter);
- if (nbytes != sizeof(pkt->hdr)) {
+ hdr = virtio_vsock_hdr(skb);
+ nbytes = copy_from_iter(hdr, sizeof(*hdr), &iov_iter);
+ if (nbytes != sizeof(*hdr)) {
vq_err(vq, "Expected %zu bytes for pkt->hdr, got %zu bytes\n",
- sizeof(pkt->hdr), nbytes);
- kfree(pkt);
+ sizeof(*hdr), nbytes);
+ kfree_skb(skb);
return NULL;
}
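Review bot: `len = iov_length(vq->iov, out);` appears twice in the resolved result, once before the skb allocation and again right before iov_iter_init(), with nothing touching vq->iov or out in between, so the second assignment is redundant and can be dropped in a follow-up cleanup. Also, the vq_err() string still says "pkt->hdr" although the pkt struct is gone; the `sizeof(*hdr)` arguments are correct, so only the message text is stale.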
It can also be found in linux-next, see next-20221220.
----------------------------------------------------------------
virtio,vhost,vdpa: features, fixes, cleanups
zoned block device support
lifetime stats support (for virtio devices backed by memory supporting that)
vsock rework to use skbuffs
ifcvf features provisioning
new SolidNET DPU driver
Signed-off-by: Michael S. Tsirkin <mst(a)redhat.com>
----------------------------------------------------------------
Alvaro Karsz (5):
Add SolidRun vendor id
New PCI quirk for SolidRun SNET DPU.
virtio: vdpa: new SolidNET DPU driver.
virtio_blk: add VIRTIO_BLK_F_LIFETIME feature support
virtio: vdpa: fix snprintf size argument in snet_vdpa driver
Angus Chen (2):
virtio_pci: modify ENOENT to EINVAL
virtio_blk: use UINT_MAX instead of -1U
Bobby Eshleman (1):
virtio/vsock: replace virtio_vsock_pkt with sk_buff
Cindy Lu (2):
vhost_vdpa: fix the crash in unmap a large memory
vdpa_sim_net: should not drop the multicast/broadcast packet
Colin Ian King (1):
RDMA/mlx5: remove variable i
Davidlohr Bueso (2):
tools/virtio: remove stray characters
tools/virtio: remove smp_read_barrier_depends()
Dawei Li (1):
virtio: Implementing attribute show with sysfs_emit
Dmitry Fomichev (2):
virtio-blk: use a helper to handle request queuing errors
virtio-blk: add support for zoned block devices
Eli Cohen (8):
vdpa/mlx5: Fix rule forwarding VLAN to TIR
vdpa/mlx5: Return error on vlan ctrl commands if not supported
vdpa/mlx5: Fix wrong mac address deletion
vdpa/mlx5: Avoid using reslock in event_handler
vdpa/mlx5: Avoid overwriting CVQ iotlb
vdpa/mlx5: Move some definitions to a new header file
vdpa/mlx5: Add debugfs subtree
vdpa/mlx5: Add RX counters to debugfs
Eugenio Pérez (1):
vdpa_sim_net: Offer VIRTIO_NET_F_STATUS
Harshit Mogalapalli (1):
vduse: Validate vq_num in vduse_validate_config()
Jason Wang (2):
vdpa: conditionally fill max max queue pair for stats
vdpasim: fix memory leak when freeing IOTLBs
Michael S. Tsirkin (3):
virtio_blk: temporary variable type tweak
virtio_blk: zone append in header type tweak
virtio_blk: mark all zone fields LE
Michael Sammler (1):
virtio_pmem: populate numa information
Rafael Mendonca (1):
virtio_blk: Fix signedness bug in virtblk_prep_rq()
Ricardo Cañuelo (2):
tools/virtio: initialize spinlocks in vring_test.c
docs: driver-api: virtio: virtio on Linux
Rong Wang (1):
vdpa/vp_vdpa: fix kfree a wrong pointer in vp_vdpa_remove
Shaomin Deng (1):
tools: Delete the unneeded semicolon after curly braces
Shaoqin Huang (2):
virtio_pci: use helper function is_power_of_2()
virtio_ring: use helper function is_power_of_2()
Si-Wei Liu (1):
vdpa: merge functionally duplicated dev_features attributes
Stefano Garzarella (4):
vringh: fix range used in iotlb_translate()
vhost: fix range used in translate_desc()
vhost-vdpa: fix an iotlb memory leak
vdpa_sim: fix vringh initialization in vdpasim_queue_ready()
Wei Yongjun (1):
virtio-crypto: fix memory leak in virtio_crypto_alg_skcipher_close_session()
Yuan Can (1):
vhost/vsock: Fix error handling in vhost_vsock_init()
Zhu Lingshan (12):
vDPA/ifcvf: decouple hw features manipulators from the adapter
vDPA/ifcvf: decouple config space ops from the adapter
vDPA/ifcvf: alloc the mgmt_dev before the adapter
vDPA/ifcvf: decouple vq IRQ releasers from the adapter
vDPA/ifcvf: decouple config IRQ releaser from the adapter
vDPA/ifcvf: decouple vq irq requester from the adapter
vDPA/ifcvf: decouple config/dev IRQ requester and vectors allocator from the adapter
vDPA/ifcvf: ifcvf_request_irq works on ifcvf_hw
vDPA/ifcvf: manage ifcvf_hw in the mgmt_dev
vDPA/ifcvf: allocate the adapter in dev_add()
vDPA/ifcvf: retire ifcvf_private_to_vf
vDPA/ifcvf: implement features provisioning
ruanjinjie (1):
vdpa_sim: fix possible memory leak in vdpasim_net_init() and vdpasim_blk_init()
wangjianli (1):
tools/virtio: Variable type completion
Documentation/driver-api/index.rst | 1 +
Documentation/driver-api/virtio/index.rst | 11 +
Documentation/driver-api/virtio/virtio.rst | 144 +++
.../driver-api/virtio/writing_virtio_drivers.rst | 197 ++++
MAINTAINERS | 6 +
drivers/block/virtio_blk.c | 522 ++++++++-
.../crypto/virtio/virtio_crypto_skcipher_algs.c | 3 +-
drivers/nvdimm/virtio_pmem.c | 11 +-
drivers/pci/quirks.c | 8 +
drivers/vdpa/Kconfig | 22 +
drivers/vdpa/Makefile | 1 +
drivers/vdpa/ifcvf/ifcvf_base.c | 32 +-
drivers/vdpa/ifcvf/ifcvf_base.h | 10 +-
drivers/vdpa/ifcvf/ifcvf_main.c | 162 ++-
drivers/vdpa/mlx5/Makefile | 2 +-
drivers/vdpa/mlx5/core/mlx5_vdpa.h | 5 +-
drivers/vdpa/mlx5/core/mr.c | 46 +-
drivers/vdpa/mlx5/net/debug.c | 152 +++
drivers/vdpa/mlx5/net/mlx5_vnet.c | 252 +++--
drivers/vdpa/mlx5/net/mlx5_vnet.h | 94 ++
drivers/vdpa/solidrun/Makefile | 6 +
drivers/vdpa/solidrun/snet_hwmon.c | 188 ++++
drivers/vdpa/solidrun/snet_main.c | 1111 ++++++++++++++++++++
drivers/vdpa/solidrun/snet_vdpa.h | 196 ++++
drivers/vdpa/vdpa.c | 11 +-
drivers/vdpa/vdpa_sim/vdpa_sim.c | 7 +-
drivers/vdpa/vdpa_sim/vdpa_sim_blk.c | 4 +-
drivers/vdpa/vdpa_sim/vdpa_sim_net.c | 8 +-
drivers/vdpa/vdpa_user/vduse_dev.c | 3 +
drivers/vdpa/virtio_pci/vp_vdpa.c | 2 +-
drivers/vhost/vdpa.c | 52 +-
drivers/vhost/vhost.c | 4 +-
drivers/vhost/vringh.c | 5 +-
drivers/vhost/vsock.c | 224 ++--
drivers/virtio/virtio.c | 12 +-
drivers/virtio/virtio_pci_modern.c | 4 +-
drivers/virtio/virtio_ring.c | 2 +-
include/linux/pci_ids.h | 2 +
include/linux/virtio_config.h | 8 +-
include/linux/virtio_vsock.h | 126 ++-
include/uapi/linux/vdpa.h | 4 +-
include/uapi/linux/virtio_blk.h | 133 +++
include/uapi/linux/virtio_blk_ioctl.h | 44 +
net/vmw_vsock/virtio_transport.c | 149 +--
net/vmw_vsock/virtio_transport_common.c | 420 ++++----
net/vmw_vsock/vsock_loopback.c | 51 +-
tools/virtio/ringtest/main.h | 37 +-
tools/virtio/virtio-trace/trace-agent-ctl.c | 2 +-
tools/virtio/virtio_test.c | 2 +-
tools/virtio/vringh_test.c | 2 +
50 files changed, 3661 insertions(+), 839 deletions(-)
create mode 100644 Documentation/driver-api/virtio/index.rst
create mode 100644 Documentation/driver-api/virtio/virtio.rst
create mode 100644 Documentation/driver-api/virtio/writing_virtio_drivers.rst
create mode 100644 drivers/vdpa/mlx5/net/debug.c
create mode 100644 drivers/vdpa/mlx5/net/mlx5_vnet.h
create mode 100644 drivers/vdpa/solidrun/Makefile
create mode 100644 drivers/vdpa/solidrun/snet_hwmon.c
create mode 100644 drivers/vdpa/solidrun/snet_main.c
create mode 100644 drivers/vdpa/solidrun/snet_vdpa.h
create mode 100644 include/uapi/linux/virtio_blk_ioctl.h
MADV_COLLAPSE acts on one hugepage-aligned/sized region at a time, until
it has collapsed all eligible memory contained within the bounds
supplied by the user.
At the top of each hugepage iteration we (re)lock mmap_lock and
(re)validate the VMA for eligibility and update variables that might
have changed while mmap_lock was dropped. One thing that might occur
is that the VMA could be resized, and as such, we refetch vma->vm_end
to make sure we don't collapse past the VMA's new end.
However, it's possible that when refetching vma->vm_end we expand the
region acted on by MADV_COLLAPSE if vma->vm_end is greater than size+len
supplied by the user.
The consequence here is that we may attempt to collapse more memory than
requested, possibly yielding either "too much success" or "false
failure" user-visible results. An example of the former: if we
MADV_COLLAPSE the first 4MiB of a 2TiB mmap()'d file, the incorrect
refetch would cause the operation to block for much longer than
anticipated as we attempt to collapse the entire TiB region. An example
of the latter is that applying MADV_COLLAPSE to a 4MiB file mapped to the
start of a 6MiB VMA will successfully collapse the first 4MiB, then
incorrectly attempt to collapse the last hugepage-aligned/sized region
-- fail (since readahead/page cache lookup will fail) -- and report a
failure to the user.
Don't expand the acted-on region when refetching vma->vm_end.
Fixes: 4d24de9425f7 ("mm: MADV_COLLAPSE: refetch vm_end after reacquiring mmap_lock")
Reported-by: Hugh Dickins <hughd(a)google.com>
Signed-off-by: Zach O'Keefe <zokeefe(a)google.com>
Cc: Yang Shi <shy828301(a)gmail.com>
Cc: stable(a)vger.kernel.org
---
v2->v3: Add 'Cc: stable(a)vger.kernel.org' as per stable-kernel-rules.
v1->v2: Updated changelog to make clear what user-visible issues this
patch addresses, as well as making the case for backporting (Andrew
Morton).
While there aren't any stability risks, without this patch there exist
trivial examples where MADV_COLLAPSE won't work; as such, this should be
backported to stable 6.1.X to make MADV_COLLAPSE dependable in such
cases.
v1: https://lore.kernel.org/linux-mm/CAAa6QmRx_b2UCJWE2XZ3=3c3-_N3R4cDGX6Wm4OT7…
---
mm/khugepaged.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/khugepaged.c b/mm/khugepaged.c
index 5cb401aa2b9d..b4d2ec0a94ed 100644
--- a/mm/khugepaged.c
+++ b/mm/khugepaged.c
@@ -2649,7 +2649,7 @@ int madvise_collapse(struct vm_area_struct *vma, struct vm_area_struct **prev,
goto out_nolock;
}
- hend = vma->vm_end & HPAGE_PMD_MASK;
+ hend = min(hend, vma->vm_end & HPAGE_PMD_MASK);
}
mmap_assert_locked(mm);
memset(cc->node_load, 0, sizeof(cc->node_load));
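Review bot: `hend = min(hend, vma->vm_end & HPAGE_PMD_MASK);` only does what the changelog describes if hend already holds the user-requested end rounded down with the same mask before the loop, so that the two operands compare like with like; that initialization is outside the hunk and worth confirming during review. With that in place the clamp keeps the loop bound from growing past the requested range when the refetched vm_end is larger (the 6MiB VMA / 4MiB request case from the changelog) while still shrinking it if the VMA got smaller, which is the behaviour the original refetch was added for.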
--
2.39.0.314.g84b9a713c41-goog
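A constructed user-space model of the loop-bound handling the changelog describes, added here as an example and not part of the patch or of the kernel: it walks the requested range the way madvise_collapse() does, refetching vm_end at the top of each iteration after the lock was dropped, and compares the unclamped refetch with the min() clamp on the 6MiB VMA / 4MiB file and 2TiB file cases from the changelog. The VMA struct, the per-region success rule and the errno are stand-ins, and 2MiB PMD hugepages are assumed.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

/* 2MiB PMD-sized hugepages, as on x86-64 (assumed). */
#define HPAGE_PMD_SHIFT 21
#define HPAGE_PMD_SIZE  (UINT64_C(1) << HPAGE_PMD_SHIFT)
#define HPAGE_PMD_MASK  (~(HPAGE_PMD_SIZE - 1))
#define MIB             (UINT64_C(1) << 20)
#define min(a, b)       ((a) < (b) ? (a) : (b))

/* Constructed stand-in for struct vm_area_struct: a file of file_len bytes
 * mapped at the start of a VMA that may extend beyond the file. */
struct model_vma {
	uint64_t vm_start;
	uint64_t vm_end;
	uint64_t file_len;
};

struct collapse_stats {
	uint64_t attempted;   /* hugepage regions the loop visited */
	uint64_t collapsed;   /* regions that collapsed */
	int ret;              /* 0 on full success, else a negative errno */
};

/* Stand-in for collapsing one file-backed region: it succeeds only when every
 * page of the region is inside the file; past EOF the page cache lookup fails. */
static bool collapse_region(const struct model_vma *vma, uint64_t addr)
{
	return addr + HPAGE_PMD_SIZE <= vma->vm_start + vma->file_len;
}

/* Walk [start, start + len) like madvise_collapse(): hstart rounds up, hend
 * rounds down, and whenever the previous iteration dropped mmap_lock (the
 * file path always does) vm_end is refetched at the top of the next one.
 * fixed == false reproduces the unclamped refetch, fixed == true the patch. */
struct collapse_stats model_madvise_collapse(const struct model_vma *vma,
					     uint64_t start, uint64_t len,
					     bool fixed)
{
	struct collapse_stats st = { 0, 0, 0 };
	uint64_t hstart = (start + ~HPAGE_PMD_MASK) & HPAGE_PMD_MASK;
	uint64_t hend = (start + len) & HPAGE_PMD_MASK;
	uint64_t addr;
	bool mmap_locked = true;   /* the caller enters with mmap_lock held */
	int last_fail = 0;

	for (addr = hstart; addr < hend; addr += HPAGE_PMD_SIZE) {
		if (!mmap_locked) {
			/* the kernel reacquires mmap_lock and revalidates the VMA here */
			mmap_locked = true;
			if (fixed)
				hend = min(hend, vma->vm_end & HPAGE_PMD_MASK);
			else
				hend = vma->vm_end & HPAGE_PMD_MASK;  /* may grow */
		}
		st.attempted++;
		mmap_locked = false;   /* file collapse runs with the lock dropped */
		if (collapse_region(vma, addr))
			st.collapsed++;
		else
			last_fail = -EAGAIN;  /* constructed errno for a failed region */
	}
	/* madvise() succeeds only if every region in [hstart, hend) collapsed. */
	st.ret = st.collapsed == ((hend - hstart) >> HPAGE_PMD_SHIFT) ? 0 : last_fail;
	return st;
}
```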
MADV_COLLAPSE acts on one hugepage-aligned/sized region at a time, until
it has collapsed all eligible memory contained within the bounds
supplied by the user.
At the top of each hugepage iteration we (re)lock mmap_lock and
(re)validate the VMA for eligibility and update variables that might
have changed while mmap_lock was dropped. One thing that might occur
is that the VMA could be resized, and as such, we refetch vma->vm_end
to make sure we don't collapse past the VMA's new end.
However, it's possible that when refetching vma->vm_end we expand the
region acted on by MADV_COLLAPSE if vma->vm_end is greater than size+len
supplied by the user.
The consequence here is that we may attempt to collapse more memory than
requested, possibly yielding either "too much success" or "false
failure" user-visible results. An example of the former: if we
MADV_COLLAPSE the first 4MiB of a 2TiB mmap()'d file, the incorrect
refetch would cause the operation to block for much longer than
anticipated as we attempt to collapse the entire TiB region. An example
of the latter is that applying MADV_COLLAPSE to a 4MiB file mapped to the
start of a 6MiB VMA will successfully collapse the first 4MiB, then
incorrectly attempt to collapse the last hugepage-aligned/sized region
-- fail (since readahead/page cache lookup will fail) -- and report a
failure to the user.
Don't expand the acted-on region when refetching vma->vm_end.
Fixes: 4d24de9425f7 ("mm: MADV_COLLAPSE: refetch vm_end after reacquiring mmap_lock")
Reported-by: Hugh Dickins <hughd(a)google.com>
Signed-off-by: Zach O'Keefe <zokeefe(a)google.com>
Cc: Yang Shi <shy828301(a)gmail.com>
---
v1->v2: Updated changelog to make clear what user-visible issues this
patch addresses, as well as making the case for backporting (Andrew
Morton).
While there aren't any stability risks, without this patch there exist
trivial examples where MADV_COLLAPSE won't work; as such, this should be
backported to stable 6.1.X to make MADV_COLLAPSE dependable in such
cases.
v1: https://lore.kernel.org/linux-mm/CAAa6QmRx_b2UCJWE2XZ3=3c3-_N3R4cDGX6Wm4OT7…
---
mm/khugepaged.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/khugepaged.c b/mm/khugepaged.c
index 5cb401aa2b9d..b4d2ec0a94ed 100644
--- a/mm/khugepaged.c
+++ b/mm/khugepaged.c
@@ -2649,7 +2649,7 @@ int madvise_collapse(struct vm_area_struct *vma, struct vm_area_struct **prev,
goto out_nolock;
}
- hend = vma->vm_end & HPAGE_PMD_MASK;
+ hend = min(hend, vma->vm_end & HPAGE_PMD_MASK);
}
mmap_assert_locked(mm);
memset(cc->node_load, 0, sizeof(cc->node_load));
--
2.39.0.314.g84b9a713c41-goog
From: Yang Yingliang <yangyingliang(a)huawei.com>
[ Upstream commit 1662cea4623f75d8251adf07370bbaa958f0355d ]
Injecting a fault while loading a module, kset_register() may fail.
If it fails, the kset.kobj.name allocated by kobject_set_name(), which
must be called before a call to kset_register(), may be leaked, since
the refcount of kobj was set in kset_init().
To mitigate this, we free the name in kset_register() when an
error is encountered, i.e. when kset_register() returns an error.
A kset may be embedded in a larger structure which may be dynamically
allocated in callers; it needs to be freed in ktype.release() or in the
error path in callers. In this case, we can not call kset_put() in
kset_register(), or it will cause a double free, so just call
kfree_const() to free the name and set it to NULL to avoid accessing a
bad pointer in callers.
With this fix, the callers don't need to care about freeing the name
and may call kset_put() if kset_register() fails.
Suggested-by: Luben Tuikov <luben.tuikov(a)amd.com>
Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com>
Reviewed-by: <luben.tuikov(a)amd.com>
Link: https://lore.kernel.org/r/20221025071549.1280528-1-yangyingliang@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
---
lib/kobject.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/lib/kobject.c b/lib/kobject.c
index bbbb067de8ec..be01d49abb62 100644
--- a/lib/kobject.c
+++ b/lib/kobject.c
@@ -806,6 +806,9 @@ EXPORT_SYMBOL_GPL(kobj_sysfs_ops);
/**
* kset_register - initialize and add a kset.
* @k: kset.
+ *
+ * NOTE: On error, the kset.kobj.name allocated by() kobj_set_name()
+ * is freed, it can not be used any more.
*/
int kset_register(struct kset *k)
{
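Review bot: The added doc comment has a stray "()" and names a function that does not match the changelog: `allocated by() kobj_set_name()` should read `allocated by kobject_set_name()`, which is the helper the commit message says must be called before kset_register(). Suggest: "NOTE: On error, the kset.kobj.name allocated by kobject_set_name() is freed and must not be used any more."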
@@ -816,8 +819,12 @@ int kset_register(struct kset *k)
kset_init(k);
err = kobject_add_internal(&k->kobj);
- if (err)
+ if (err) {
+ kfree_const(k->kobj.name);
+ /* Set it to NULL to avoid accessing bad pointer in callers. */
+ k->kobj.name = NULL;
return err;
+ }
kobject_uevent(&k->kobj, KOBJ_ADD);
return 0;
}
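Review bot: Setting `k->kobj.name = NULL` after `kfree_const(k->kobj.name)` is what makes a later kset_put() by the caller safe, because dropping the last reference frees the name again (the double free the changelog warns about) and kfree_const() treats NULL as a no-op; the in-code comment should state that reason rather than "avoid accessing bad pointer", since a future reader needs it to keep the two frees from colliding. The braces added around the now multi-statement error branch follow kernel style.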
--
2.35.1
From: Yang Yingliang <yangyingliang(a)huawei.com>
[ Upstream commit 1662cea4623f75d8251adf07370bbaa958f0355d ]
Injecting a fault while loading a module, kset_register() may fail.
If it fails, the kset.kobj.name allocated by kobject_set_name(), which
must be called before a call to kset_register(), may be leaked, since
the refcount of kobj was set in kset_init().
To mitigate this, we free the name in kset_register() when an
error is encountered, i.e. when kset_register() returns an error.
A kset may be embedded in a larger structure which may be dynamically
allocated in callers; it needs to be freed in ktype.release() or in the
error path in callers. In this case, we can not call kset_put() in
kset_register(), or it will cause a double free, so just call
kfree_const() to free the name and set it to NULL to avoid accessing a
bad pointer in callers.
With this fix, the callers don't need to care about freeing the name
and may call kset_put() if kset_register() fails.
Suggested-by: Luben Tuikov <luben.tuikov(a)amd.com>
Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com>
Reviewed-by: <luben.tuikov(a)amd.com>
Link: https://lore.kernel.org/r/20221025071549.1280528-1-yangyingliang@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
---
lib/kobject.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/lib/kobject.c b/lib/kobject.c
index 97d86dc17c42..1eb1230a2d28 100644
--- a/lib/kobject.c
+++ b/lib/kobject.c
@@ -821,6 +821,9 @@ EXPORT_SYMBOL_GPL(kobj_sysfs_ops);
/**
* kset_register - initialize and add a kset.
* @k: kset.
+ *
+ * NOTE: On error, the kset.kobj.name allocated by() kobj_set_name()
+ * is freed, it can not be used any more.
*/
int kset_register(struct kset *k)
{
@@ -831,8 +834,12 @@ int kset_register(struct kset *k)
kset_init(k);
err = kobject_add_internal(&k->kobj);
- if (err)
+ if (err) {
+ kfree_const(k->kobj.name);
+ /* Set it to NULL to avoid accessing bad pointer in callers. */
+ k->kobj.name = NULL;
return err;
+ }
kobject_uevent(&k->kobj, KOBJ_ADD);
return 0;
}
--
2.35.1
From: Yang Yingliang <yangyingliang(a)huawei.com>
[ Upstream commit 1662cea4623f75d8251adf07370bbaa958f0355d ]
Injecting a fault while loading a module, kset_register() may fail.
If it fails, the kset.kobj.name allocated by kobject_set_name(), which
must be called before a call to kset_register(), may be leaked, since
the refcount of kobj was set in kset_init().
To mitigate this, we free the name in kset_register() when an
error is encountered, i.e. when kset_register() returns an error.
A kset may be embedded in a larger structure which may be dynamically
allocated in callers; it needs to be freed in ktype.release() or in the
error path in callers. In this case, we can not call kset_put() in
kset_register(), or it will cause a double free, so just call
kfree_const() to free the name and set it to NULL to avoid accessing a
bad pointer in callers.
With this fix, the callers don't need to care about freeing the name
and may call kset_put() if kset_register() fails.
Suggested-by: Luben Tuikov <luben.tuikov(a)amd.com>
Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com>
Reviewed-by: <luben.tuikov(a)amd.com>
Link: https://lore.kernel.org/r/20221025071549.1280528-1-yangyingliang@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
---
lib/kobject.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/lib/kobject.c b/lib/kobject.c
index 0c6d17503a11..3ce572d7c26d 100644
--- a/lib/kobject.c
+++ b/lib/kobject.c
@@ -869,6 +869,9 @@ EXPORT_SYMBOL_GPL(kobj_sysfs_ops);
/**
* kset_register() - Initialize and add a kset.
* @k: kset.
+ *
+ * NOTE: On error, the kset.kobj.name allocated by() kobj_set_name()
+ * is freed, it can not be used any more.
*/
int kset_register(struct kset *k)
{
@@ -879,8 +882,12 @@ int kset_register(struct kset *k)
kset_init(k);
err = kobject_add_internal(&k->kobj);
- if (err)
+ if (err) {
+ kfree_const(k->kobj.name);
+ /* Set it to NULL to avoid accessing bad pointer in callers. */
+ k->kobj.name = NULL;
return err;
+ }
kobject_uevent(&k->kobj, KOBJ_ADD);
return 0;
}
--
2.35.1
From: Yang Yingliang <yangyingliang(a)huawei.com>
[ Upstream commit 1662cea4623f75d8251adf07370bbaa958f0355d ]
Injecting a fault while loading a module, kset_register() may fail.
If it fails, the kset.kobj.name allocated by kobject_set_name(), which
must be called before a call to kset_register(), may be leaked, since
the refcount of kobj was set in kset_init().
To mitigate this, we free the name in kset_register() when an
error is encountered, i.e. when kset_register() returns an error.
A kset may be embedded in a larger structure which may be dynamically
allocated in callers; it needs to be freed in ktype.release() or in the
error path in callers. In this case, we can not call kset_put() in
kset_register(), or it will cause a double free, so just call
kfree_const() to free the name and set it to NULL to avoid accessing a
bad pointer in callers.
With this fix, the callers don't need to care about freeing the name
and may call kset_put() if kset_register() fails.
Suggested-by: Luben Tuikov <luben.tuikov(a)amd.com>
Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com>
Reviewed-by: <luben.tuikov(a)amd.com>
Link: https://lore.kernel.org/r/20221025071549.1280528-1-yangyingliang@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
---
lib/kobject.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/lib/kobject.c b/lib/kobject.c
index ea53b30cf483..743e629d60d2 100644
--- a/lib/kobject.c
+++ b/lib/kobject.c
@@ -866,6 +866,9 @@ EXPORT_SYMBOL_GPL(kobj_sysfs_ops);
/**
* kset_register() - Initialize and add a kset.
* @k: kset.
+ *
+ * NOTE: On error, the kset.kobj.name allocated by() kobj_set_name()
+ * is freed, it can not be used any more.
*/
int kset_register(struct kset *k)
{
@@ -876,8 +879,12 @@ int kset_register(struct kset *k)
kset_init(k);
err = kobject_add_internal(&k->kobj);
- if (err)
+ if (err) {
+ kfree_const(k->kobj.name);
+ /* Set it to NULL to avoid accessing bad pointer in callers. */
+ k->kobj.name = NULL;
return err;
+ }
kobject_uevent(&k->kobj, KOBJ_ADD);
return 0;
}
--
2.35.1
From: Yang Yingliang <yangyingliang(a)huawei.com>
[ Upstream commit 1662cea4623f75d8251adf07370bbaa958f0355d ]
Injecting a fault while loading a module, kset_register() may fail.
If it fails, the kset.kobj.name allocated by kobject_set_name(), which
must be called before a call to kset_register(), may be leaked, since
the refcount of kobj was set in kset_init().
To mitigate this, we free the name in kset_register() when an
error is encountered, i.e. when kset_register() returns an error.
A kset may be embedded in a larger structure which may be dynamically
allocated in callers; it needs to be freed in ktype.release() or in the
error path in callers. In this case, we can not call kset_put() in
kset_register(), or it will cause a double free, so just call
kfree_const() to free the name and set it to NULL to avoid accessing a
bad pointer in callers.
With this fix, the callers don't need to care about freeing the name
and may call kset_put() if kset_register() fails.
Suggested-by: Luben Tuikov <luben.tuikov(a)amd.com>
Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com>
Reviewed-by: <luben.tuikov(a)amd.com>
Link: https://lore.kernel.org/r/20221025071549.1280528-1-yangyingliang@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
---
lib/kobject.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/lib/kobject.c b/lib/kobject.c
index 5f0e71ab292c..0f9cc0b93d99 100644
--- a/lib/kobject.c
+++ b/lib/kobject.c
@@ -834,6 +834,9 @@ EXPORT_SYMBOL_GPL(kobj_sysfs_ops);
/**
* kset_register() - Initialize and add a kset.
* @k: kset.
+ *
+ * NOTE: On error, the kset.kobj.name allocated by() kobj_set_name()
+ * is freed, it can not be used any more.
*/
int kset_register(struct kset *k)
{
@@ -844,8 +847,12 @@ int kset_register(struct kset *k)
kset_init(k);
err = kobject_add_internal(&k->kobj);
- if (err)
+ if (err) {
+ kfree_const(k->kobj.name);
+ /* Set it to NULL to avoid accessing bad pointer in callers. */
+ k->kobj.name = NULL;
return err;
+ }
kobject_uevent(&k->kobj, KOBJ_ADD);
return 0;
}
--
2.35.1