October 2024 - Linux-stable-mirror

[PATCH 4.19] net: ipv6: ensure we call ipv6_mc_down() at most once

by hsimeliere.opensource＠witekio.com

From: "j.nixdorf(a)avm.de" <j.nixdorf(a)avm.de> commit 9995b408f17ff8c7f11bc725c8aa225ba3a63b1c upstream. There are two reasons for addrconf_notify() to be called with NETDEV_DOWN: either the network device is actually going down, or IPv6 was disabled on the interface. If either of them stays down while the other is toggled, we repeatedly call the code for NETDEV_DOWN, including ipv6_mc_down(), while never calling the corresponding ipv6_mc_up() in between. This will cause a new entry in idev->mc_tomb to be allocated for each multicast group the interface is subscribed to, which in turn leaks one struct ifmcaddr6 per nontrivial multicast group the interface is subscribed to. The following reproducer will leak at least $n objects: ip addr add ff2e::4242/32 dev eth0 autojoin sysctl -w net.ipv6.conf.eth0.disable_ipv6=1 for i in $(seq 1 $n); do ip link set up eth0; ip link set down eth0 done Joining groups with IPV6_ADD_MEMBERSHIP (unprivileged) or setting the sysctl net.ipv6.conf.eth0.forwarding to 1 (=> subscribing to ff02::2) can also be used to create a nontrivial idev->mc_list, which will the leak objects with the right up-down-sequence. Based on both sources for NETDEV_DOWN events the interface IPv6 state should be considered: - not ready if the network interface is not ready OR IPv6 is disabled for it - ready if the network interface is ready AND IPv6 is enabled for it The functions ipv6_mc_up() and ipv6_down() should only be run when this state changes. Implement this by remembering when the IPv6 state is ready, and only run ipv6_mc_down() if it actually changed from ready to not ready. The other direction (not ready -> ready) already works correctly, as: - the interface notification triggered codepath for NETDEV_UP / NETDEV_CHANGE returns early if ipv6 is disabled, and - the disable_ipv6=0 triggered codepath skips fully initializing the interface as long as addrconf_link_ready(dev) returns false - calling ipv6_mc_up() repeatedly does not leak anything Fixes: 3ce62a84d53c ("ipv6: exit early in addrconf_notify() if IPv6 is disabled") Signed-off-by: Johannes Nixdorf <j.nixdorf(a)avm.de> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Bruno VERNAY <bruno.vernay(a)se.com> Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource(a)witekio.com> --- net/ipv6/addrconf.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index 9058d59acd0a..7763b7f672fa 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -3679,6 +3679,7 @@ static int addrconf_ifdown(struct net_device *dev, int how) struct inet6_ifaddr *ifa; LIST_HEAD(tmp_addr_list); bool keep_addr = false; + bool was_ready; int state, i; ASSERT_RTNL(); @@ -3744,7 +3745,10 @@ static int addrconf_ifdown(struct net_device *dev, int how) addrconf_del_rs_timer(idev); - /* Step 2: clear flags for stateless addrconf */ + /* Step 2: clear flags for stateless addrconf, repeated down + * detection + */ + was_ready = idev->if_flags & IF_READY; if (!how) idev->if_flags &= ~(IF_RS_SENT|IF_RA_RCVD|IF_READY); @@ -3824,7 +3828,7 @@ static int addrconf_ifdown(struct net_device *dev, int how) if (how) { ipv6_ac_destroy_dev(idev); ipv6_mc_destroy_dev(idev); - } else { + } else if (was_ready) { ipv6_mc_down(idev); } -- 2.43.0

6 months, 2 weeks

1
0
0 0

[PATCH 0/3] drm: logicvc: add of_node_put() and switch to a more secure approach

by Javier Carrasco

This driver has faced several issues due to the wrong or missing usage of of_node_put() to release device nodes after they are no longer required. The first implementation was missing the of_node_put() for 'layers_node', and it put 'layer_node' twice. Then commit 'd3a453416270 ("drm: fix device_node_continue.cocci warnings")' removed the extra of_node_put(layer_node), which would have been ok if it had stayed only in the error path. Later, commit 'e9fcc60ddd29 ("drm/logicvc: add missing of_node_put() in logicvc_layers_init()")' added the missing of_node_put(layers_node), but not the one for the child node. It should be clear how easy someone can mess up with this pattern, especially with variables that have similar names. To fix the bug for stable kernels, and provide a more robust solution that accounts for new error paths, this series provides a first patch with the classical approach of adding the missing of_node_put(), and two more patches to use the cleanup attribute and avoid issues with device nodes again. Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> --- Javier Carrasco (3): drm: logicvc: fix missing of_node_put() in for_each_child_of_node() drm: logicvc: switch to for_each_child_of_node_scoped() drm: logicvc: use automatic cleanup facility for layers_node drivers/gpu/drm/logicvc/logicvc_layer.c | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) --- base-commit: 0cca97bf23640ff68a6e8a74e9b6659fdc27f48c change-id: 20241010-logicvc_layer_of_node_put-bc4cb207280b Best regards, -- Javier Carrasco <javier.carrasco.cruz(a)gmail.com>

6 months, 2 weeks

2
2
0 0

FAILED: patch "[PATCH] zram: free secondary algorithms names" failed to apply to 6.11-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.11-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.11.y git checkout FETCH_HEAD git cherry-pick -x 684826f8271ad97580b138b9ffd462005e470b99 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024100723-syndrome-yeast-a812@gregkh' --subject-prefix 'PATCH 6.11.y' HEAD^.. Possible dependencies: 684826f8271a ("zram: free secondary algorithms names") f2bac7ad187d ("zram: introduce zcomp_params structure") 1d3100cf148d ("zram: add 842 compression backend support") 84112e314f69 ("zram: add zlib compression backend support") dbf2763cec21 ("zram: pass estimated src size hint to zstd") 73e7d81abbc8 ("zram: add zstd compression backend support") c60a4ef54446 ("zram: add lz4hc compression backend support") 22d651c3b339 ("zram: add lz4 compression backend support") 2152247c55b6 ("zram: add lzo and lzorle compression backends support") 917a59e81c34 ("zram: introduce custom comp backends API") 04cb7502a5d7 ("zsmalloc: use all available 24 bits of page_type") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 684826f8271ad97580b138b9ffd462005e470b99 Mon Sep 17 00:00:00 2001 From: Sergey Senozhatsky <senozhatsky(a)chromium.org> Date: Wed, 11 Sep 2024 11:54:56 +0900 Subject: [PATCH] zram: free secondary algorithms names We need to kfree() secondary algorithms names when reset zram device that had multi-streams, otherwise we leak memory. [senozhatsky(a)chromium.org: kfree(NULL) is legal] Link: https://lkml.kernel.org/r/20240917013021.868769-1-senozhatsky@chromium.org Link: https://lkml.kernel.org/r/20240911025600.3681789-1-senozhatsky@chromium.org Fixes: 001d92735701 ("zram: add recompression algorithm sysfs knob") Signed-off-by: Sergey Senozhatsky <senozhatsky(a)chromium.org> Cc: Minchan Kim <minchan(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c index 1f1bf175a6c3..0207a7fc0a97 100644 --- a/drivers/block/zram/zram_drv.c +++ b/drivers/block/zram/zram_drv.c @@ -2112,6 +2112,11 @@ static void zram_destroy_comps(struct zram *zram) zram->num_active_comps--; } + for (prio = ZRAM_SECONDARY_COMP; prio < ZRAM_MAX_COMPS; prio++) { + kfree(zram->comp_algs[prio]); + zram->comp_algs[prio] = NULL; + } + zram_comp_params_reset(zram); }

6 months, 2 weeks

3
3
0 0

[PATCH 5.10.y 0/4] Backport fix commit for kprobe_non_uniq_symbol.tc test failure

by Sherry Yang

5.10.y backported the commit 09bcf9254838 ("selftests/ftrace: Add new test case which checks non unique symbol") which added a new test case to check non-unique symbol. However, 5.10.y didn't backport the kernel commit b022f0c7e404 ("tracing/kprobes: Return EADDRNOTAVAIL when func matches several symbols")to support the functionality from kernel side. Backport it in this patch series. The first two patches are presiquisites. The 4th commit is a fix commit for the 3rd one. Build and test case passed. [73] Test failure of registering kprobe on non unique symbol [PASS] Andrii Nakryiko (1): tracing/kprobes: Fix symbol counting logic by looking at modules as well Francis Laniel (1): tracing/kprobes: Return EADDRNOTAVAIL when func matches several symbols Jiri Olsa (2): kallsyms: Make kallsyms_on_each_symbol generally available kallsyms: Make module_kallsyms_on_each_symbol generally available include/linux/kallsyms.h | 7 +++- include/linux/module.h | 9 +++++ kernel/kallsyms.c | 2 - kernel/module.c | 2 - kernel/trace/trace_kprobe.c | 76 +++++++++++++++++++++++++++++++++++++ kernel/trace/trace_probe.h | 1 + 6 files changed, 92 insertions(+), 5 deletions(-) -- 2.46.0

6 months, 2 weeks

5
10
0 0

[PATCH 6.1 0/3] Fix block integrity violation of kobject rules

by Thadeu Lima de Souza Cascardo

integrity_kobj did not have a release function and with CONFIG_DEBUG_KOBJECT_RELEASE, a use-after-free would be triggered as its holding struct gendisk would be freed without relying on its refcount. Thomas Weißschuh (3): blk-integrity: use sysfs_emit blk-integrity: convert to struct device_attribute blk-integrity: register sysfs attributes on struct device block/blk-integrity.c | 175 ++++++++++++++--------------------------- block/blk.h | 10 +-- block/genhd.c | 12 +-- include/linux/blkdev.h | 3 - 4 files changed, 66 insertions(+), 134 deletions(-) -- 2.34.1

6 months, 2 weeks

2
4
0 0

[PATCH v6 5/8] clk: qcom: gcc-x1e80100: Fix halt_check for pipediv2 clocks

by Qiang Yu

The pipediv2_clk's source from the same mux as pipe clock. So they have same limitation, which is that the PHY sequence requires to enable these local CBCs before the PHY is actually outputting a clock to them. This means the clock won't actually turn on when we vote them. Hence, let's skip the halt bit check of the pipediv2_clk, otherwise pipediv2_clk may stuck at off state during bootup. Cc: stable(a)vger.kernel.org Fixes: 161b7c401f4b ("clk: qcom: Add Global Clock controller (GCC) driver for X1E80100") Suggested-by: Mike Tipton <quic_mdtipton(a)quicinc.com> Signed-off-by: Qiang Yu <quic_qianyu(a)quicinc.com> Reviewed-by: Konrad Dybcio <konradybcio(a)kernel.org> Reviewed-by: Johan Hovold <johan+linaro(a)kernel.org> --- drivers/clk/qcom/gcc-x1e80100.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/clk/qcom/gcc-x1e80100.c b/drivers/clk/qcom/gcc-x1e80100.c index 0f578771071f..81ba5ceab342 100644 --- a/drivers/clk/qcom/gcc-x1e80100.c +++ b/drivers/clk/qcom/gcc-x1e80100.c @@ -3123,7 +3123,7 @@ static struct clk_branch gcc_pcie_3_pipe_clk = { static struct clk_branch gcc_pcie_3_pipediv2_clk = { .halt_reg = 0x58060, - .halt_check = BRANCH_HALT_VOTED, + .halt_check = BRANCH_HALT_SKIP, .clkr = { .enable_reg = 0x52020, .enable_mask = BIT(5), @@ -3248,7 +3248,7 @@ static struct clk_branch gcc_pcie_4_pipe_clk = { static struct clk_branch gcc_pcie_4_pipediv2_clk = { .halt_reg = 0x6b054, - .halt_check = BRANCH_HALT_VOTED, + .halt_check = BRANCH_HALT_SKIP, .clkr = { .enable_reg = 0x52010, .enable_mask = BIT(27), @@ -3373,7 +3373,7 @@ static struct clk_branch gcc_pcie_5_pipe_clk = { static struct clk_branch gcc_pcie_5_pipediv2_clk = { .halt_reg = 0x2f054, - .halt_check = BRANCH_HALT_VOTED, + .halt_check = BRANCH_HALT_SKIP, .clkr = { .enable_reg = 0x52018, .enable_mask = BIT(19), @@ -3511,7 +3511,7 @@ static struct clk_branch gcc_pcie_6a_pipe_clk = { static struct clk_branch gcc_pcie_6a_pipediv2_clk = { .halt_reg = 0x31060, - .halt_check = BRANCH_HALT_VOTED, + .halt_check = BRANCH_HALT_SKIP, .clkr = { .enable_reg = 0x52018, .enable_mask = BIT(28), @@ -3649,7 +3649,7 @@ static struct clk_branch gcc_pcie_6b_pipe_clk = { static struct clk_branch gcc_pcie_6b_pipediv2_clk = { .halt_reg = 0x8d060, - .halt_check = BRANCH_HALT_VOTED, + .halt_check = BRANCH_HALT_SKIP, .clkr = { .enable_reg = 0x52010, .enable_mask = BIT(28), -- 2.34.1

6 months, 2 weeks

1
0
0 0

[PATCH 5.15.y] RDMA/hns: Fix UAF for cq async event

by haixiao.yan.cn＠windriver.com

From: Chengchang Tang <tangchengchang(a)huawei.com> [ Upstream commit a942ec2745ca864cd8512142100e4027dc306a42 ] The refcount of CQ is not protected by locks. When CQ asynchronous events and CQ destruction are concurrent, CQ may have been released, which will cause UAF. Use the xa_lock() to protect the CQ refcount. Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver") Signed-off-by: Chengchang Tang <tangchengchang(a)huawei.com> Signed-off-by: Junxian Huang <huangjunxian6(a)hisilicon.com> Link: https://lore.kernel.org/r/20240412091616.370789-6-huangjunxian6@hisilicon.c… Signed-off-by: Leon Romanovsky <leon(a)kernel.org> Signed-off-by: Haixiao Yan <haixiao.yan.cn(a)windriver.com> --- This commit is backporting a942ec2745ca to the branch linux-5.15.y to solve the CVE-2024-38545. Please merge this commit to linux-5.15.y. drivers/infiniband/hw/hns/hns_roce_cq.c | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/drivers/infiniband/hw/hns/hns_roce_cq.c b/drivers/infiniband/hw/hns/hns_roce_cq.c index d763f097599f..5ecd4075de93 100644 --- a/drivers/infiniband/hw/hns/hns_roce_cq.c +++ b/drivers/infiniband/hw/hns/hns_roce_cq.c @@ -125,7 +125,7 @@ static int alloc_cqc(struct hns_roce_dev *hr_dev, struct hns_roce_cq *hr_cq) goto err_out; } - ret = xa_err(xa_store(&cq_table->array, hr_cq->cqn, hr_cq, GFP_KERNEL)); + ret = xa_err(xa_store_irq(&cq_table->array, hr_cq->cqn, hr_cq, GFP_KERNEL)); if (ret) { ibdev_err(ibdev, "failed to xa_store CQ, ret = %d.\n", ret); goto err_put; @@ -160,8 +160,7 @@ static int alloc_cqc(struct hns_roce_dev *hr_dev, struct hns_roce_cq *hr_cq) return 0; err_xa: - xa_erase(&cq_table->array, hr_cq->cqn); - + xa_erase_irq(&cq_table->array, hr_cq->cqn); err_put: hns_roce_table_put(hr_dev, &cq_table->table, hr_cq->cqn); @@ -182,7 +181,7 @@ static void free_cqc(struct hns_roce_dev *hr_dev, struct hns_roce_cq *hr_cq) dev_err(dev, "DESTROY_CQ failed (%d) for CQN %06lx\n", ret, hr_cq->cqn); - xa_erase(&cq_table->array, hr_cq->cqn); + xa_erase_irq(&cq_table->array, hr_cq->cqn); /* Waiting interrupt process procedure carried out */ synchronize_irq(hr_dev->eq_table.eq[hr_cq->vector].irq); @@ -478,13 +477,6 @@ void hns_roce_cq_event(struct hns_roce_dev *hr_dev, u32 cqn, int event_type) struct ib_event event; struct ib_cq *ibcq; - hr_cq = xa_load(&hr_dev->cq_table.array, - cqn & (hr_dev->caps.num_cqs - 1)); - if (!hr_cq) { - dev_warn(dev, "Async event for bogus CQ 0x%06x\n", cqn); - return; - } - if (event_type != HNS_ROCE_EVENT_TYPE_CQ_ID_INVALID && event_type != HNS_ROCE_EVENT_TYPE_CQ_ACCESS_ERROR && event_type != HNS_ROCE_EVENT_TYPE_CQ_OVERFLOW) { @@ -493,7 +485,16 @@ void hns_roce_cq_event(struct hns_roce_dev *hr_dev, u32 cqn, int event_type) return; } - refcount_inc(&hr_cq->refcount); + xa_lock(&hr_dev->cq_table.array); + hr_cq = xa_load(&hr_dev->cq_table.array, + cqn & (hr_dev->caps.num_cqs - 1)); + if (hr_cq) + refcount_inc(&hr_cq->refcount); + xa_unlock(&hr_dev->cq_table.array); + if (!hr_cq) { + dev_warn(dev, "async event for bogus CQ 0x%06x\n", cqn); + return; + } ibcq = &hr_cq->ib_cq; if (ibcq->event_handler) { -- 2.34.1

6 months, 2 weeks

1
0
0 0

[v2] xhci: tegra: fix checked USB2 port number

by Henry Lin

USB2 root hub in VF may contain less port number than supported USB2 phy number. Checking all USB2 phy number here would cause invalid memory access. [ 116.923438] Unable to handle kernel paging request at virtual address 006c622f7665642f ... [ 117.213640] Call trace: [ 117.216783] tegra_xusb_enter_elpg+0x23c/0x658 [ 117.222021] tegra_xusb_runtime_suspend+0x40/0x68 [ 117.227260] pm_generic_runtime_suspend+0x30/0x50 [ 117.232847] __rpm_callback+0x84/0x3c0 [ 117.237038] rpm_suspend+0x2dc/0x740 [ 117.241229] pm_runtime_work+0xa0/0xb8 [ 117.245769] process_scheduled_works+0x24c/0x478 [ 117.251007] worker_thread+0x23c/0x328 [ 117.255547] kthread+0x104/0x1b0 [ 117.259389] ret_from_fork+0x10/0x20 [ 117.263582] Code: 54000222 f9461ae8 f8747908 b4ffff48 (f9400100) Cc: <stable(a)vger.kernel.org> # 6.3+ Fixes: a30951d31b25 ("xhci: tegra: USB2 pad power controls") Signed-off-by: Henry Lin <henryl(a)nvidia.com> --- v2: - Added Fixes tag and the cc stable line drivers/usb/host/xhci-tegra.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/host/xhci-tegra.c b/drivers/usb/host/xhci-tegra.c index 6246d5ad1468..76f228e7443c 100644 --- a/drivers/usb/host/xhci-tegra.c +++ b/drivers/usb/host/xhci-tegra.c @@ -2183,7 +2183,7 @@ static int tegra_xusb_enter_elpg(struct tegra_xusb *tegra, bool runtime) goto out; } - for (i = 0; i < tegra->num_usb_phys; i++) { + for (i = 0; i < xhci->usb2_rhub.num_ports; i++) { if (!xhci->usb2_rhub.ports[i]) continue; portsc = readl(xhci->usb2_rhub.ports[i]->addr); -- 2.25.1

6 months, 2 weeks

1
0
0 0

[PATCH v2] ALSA: scarlett2: Add error check after retrieving PEQ filter values

by Zhu Jun

Add error check after retrieving PEQ filter values in scarlett2_update_filter_values that ensure function returns error if PEQ filter value retrieval fails. Signed-off-by: Zhu Jun <zhujun2(a)cmss.chinamobile.com> Cc: <stable(a)vger.kernel.org> --- V1 -> V2: - commit wit a dot - add tag "Cc" - delete a blank before the return value check sound/usb/mixer_scarlett2.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sound/usb/mixer_scarlett2.c b/sound/usb/mixer_scarlett2.c index 1150cf104985..4cddf84db631 100644 --- a/sound/usb/mixer_scarlett2.c +++ b/sound/usb/mixer_scarlett2.c @@ -5613,6 +5613,8 @@ static int scarlett2_update_filter_values(struct usb_mixer_interface *mixer) info->peq_flt_total_count * SCARLETT2_BIQUAD_COEFFS, peq_flt_values); + if (err < 0) + return err; for (i = 0, dst_idx = 0; i < info->dsp_input_count; i++) { src_idx = i * -- 2.17.1

6 months, 2 weeks

2
1
0 0

[PATCH] HID: wacom: Hardcode (non-inverted) AES pens as BTN_TOOL_PEN

by Gerecke, Jason

From: Jason Gerecke <jason.gerecke(a)wacom.com> Unlike EMR tools which encode type information in their tool ID, tools for AES sensors are all "generic pens". It is inappropriate to make use of the wacom_intuos_get_tool_type function when dealing with these kinds of devices. Instead, we should only ever report BTN_TOOL_PEN or BTN_TOOL_RUBBER, as depending on the state of the Eraser and Invert bits. Fixes: 9c2913b962da ("HID: wacom: more appropriate tool type categorization") Signed-off-by: Jason Gerecke <jason.gerecke(a)wacom.com> Cc: stable(a)vger.kernel.org --- drivers/hid/wacom_wac.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c index 59a13ad9371cd..413606bdf476d 100644 --- a/drivers/hid/wacom_wac.c +++ b/drivers/hid/wacom_wac.c @@ -2567,6 +2567,8 @@ static void wacom_wac_pen_report(struct hid_device *hdev, /* Going into range select tool */ if (wacom_wac->hid_data.invert_state) wacom_wac->tool[0] = BTN_TOOL_RUBBER; + else if (wacom_wac->features.quirks & WACOM_QUIRK_AESPEN) + wacom_wac->tool[0] = BTN_TOOL_PEN; else if (wacom_wac->id[0]) wacom_wac->tool[0] = wacom_intuos_get_tool_type(wacom_wac->id[0]); else -- 2.46.2

6 months, 2 weeks

3
3
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror October 2024