- Linux-stable-mirror - lists.linaro.org

[PATCH] RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly

by Jason Gunthorpe

The netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a LS_NLA_TYPE_DGID attribute, it is invalid if it does not. Use the nl parsing logic properly and call nla_parse_deprecated() to fill the nlattrs array and then directly index that array to get the data for the DGID. Just fail if it is NULL. Remove the for loop searching for the nla, and squash the validation and parsing into one function. Fixes an uninitialized read from the stack triggered by userspace if it does not provide the DGID to a kernel initiated RDMA_NL_LS_OP_IP_RESOLVE query. BUG: KMSAN: uninit-value in hex_byte_pack include/linux/hex.h:13 [inline] BUG: KMSAN: uninit-value in ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490 hex_byte_pack include/linux/hex.h:13 [inline] ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490 ip6_addr_string+0x18a/0x3e0 lib/vsprintf.c:1509 ip_addr_string+0x245/0xee0 lib/vsprintf.c:1633 pointer+0xc09/0x1bd0 lib/vsprintf.c:2542 vsnprintf+0xf8a/0x1bd0 lib/vsprintf.c:2930 vprintk_store+0x3ae/0x1530 kernel/printk/printk.c:2279 vprintk_emit+0x307/0xcd0 kernel/printk/printk.c:2426 vprintk_default+0x3f/0x50 kernel/printk/printk.c:2465 vprintk+0x36/0x50 kernel/printk/printk_safe.c:82 _printk+0x17e/0x1b0 kernel/printk/printk.c:2475 ib_nl_process_good_ip_rsep drivers/infiniband/core/addr.c:128 [inline] ib_nl_handle_ip_res_resp+0x963/0x9d0 drivers/infiniband/core/addr.c:141 rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:-1 [inline] rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline] rdma_nl_rcv+0xefa/0x11c0 drivers/infiniband/core/netlink.c:259 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg+0x333/0x3d0 net/socket.c:729 ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2617 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2671 __sys_sendmsg+0x1aa/0x300 net/socket.c:2703 __compat_sys_sendmsg net/compat.c:346 [inline] __do_compat_sys_sendmsg net/compat.c:353 [inline] __se_compat_sys_sendmsg net/compat.c:350 [inline] __ia32_compat_sys_sendmsg+0xa4/0x100 net/compat.c:350 ia32_sys_call+0x3f6c/0x4310 arch/x86/include/generated/asm/syscalls_32.h:371 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] __do_fast_syscall_32+0xb0/0x150 arch/x86/entry/syscall_32.c:306 do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:3 Cc: stable(a)vger.kernel.org Fixes: ae43f8286730 ("IB/core: Add IP to GID netlink offload") Reported-by: syzbot+938fcd548c303fe33c1a(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/r/68dc3dac.a00a0220.102ee.004f.GAE@google.com Signed-off-by: Jason Gunthorpe <jgg(a)nvidia.com> --- drivers/infiniband/core/addr.c | 33 ++++++++++----------------------- 1 file changed, 10 insertions(+), 23 deletions(-) diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c index 61596cda2b65f3..35ba852a172aad 100644 --- a/drivers/infiniband/core/addr.c +++ b/drivers/infiniband/core/addr.c @@ -80,37 +80,25 @@ static const struct nla_policy ib_nl_addr_policy[LS_NLA_TYPE_MAX] = { .min = sizeof(struct rdma_nla_ls_gid)}, }; -static inline bool ib_nl_is_good_ip_resp(const struct nlmsghdr *nlh) +static void ib_nl_process_ip_rsep(const struct nlmsghdr *nlh) { struct nlattr *tb[LS_NLA_TYPE_MAX] = {}; + union ib_gid gid; + struct addr_req *req; + int found = 0; int ret; if (nlh->nlmsg_flags & RDMA_NL_LS_F_ERR) - return false; + return; ret = nla_parse_deprecated(tb, LS_NLA_TYPE_MAX - 1, nlmsg_data(nlh), nlmsg_len(nlh), ib_nl_addr_policy, NULL); if (ret) - return false; + return; - return true; -} - -static void ib_nl_process_good_ip_rsep(const struct nlmsghdr *nlh) -{ - const struct nlattr *head, *curr; - union ib_gid gid; - struct addr_req *req; - int len, rem; - int found = 0; - - head = (const struct nlattr *)nlmsg_data(nlh); - len = nlmsg_len(nlh); - - nla_for_each_attr(curr, head, len, rem) { - if (curr->nla_type == LS_NLA_TYPE_DGID) - memcpy(&gid, nla_data(curr), nla_len(curr)); - } + if (!tb[LS_NLA_TYPE_DGID]) + return; + memcpy(&gid, nla_data(tb[LS_NLA_TYPE_DGID]), sizeof(gid)); spin_lock_bh(&lock); list_for_each_entry(req, &req_list, list) { @@ -137,8 +125,7 @@ int ib_nl_handle_ip_res_resp(struct sk_buff *skb, !(NETLINK_CB(skb).sk)) return -EPERM; - if (ib_nl_is_good_ip_resp(nlh)) - ib_nl_process_good_ip_rsep(nlh); + ib_nl_process_ip_rsep(nlh); return 0; } base-commit: 80a85a771deb113cfe2e295fb9e84467a43ebfe4 -- 2.43.0

2 weeks

1
1
0 0

[PATCH] usb: dwc3: of-simple: fix clock resource leak in dwc3_of_simple_probe

by Miaoqian Lin

When clk_bulk_prepare_enable() fails, the error path jumps to err_resetc_assert, skipping clk_bulk_put_all() and leaking the clock references acquired by clk_bulk_get_all(). Add err_clk_put_all label to properly release clock resources in all error paths. Found via static analysis and code review. Fixes: c0c61471ef86 ("usb: dwc3: of-simple: Convert to bulk clk API") Cc: stable(a)vger.kernel.org Signed-off-by: Miaoqian Lin <linmq006(a)gmail.com> --- drivers/usb/dwc3/dwc3-of-simple.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/usb/dwc3/dwc3-of-simple.c b/drivers/usb/dwc3/dwc3-of-simple.c index a4954a21be93..c116143335d9 100644 --- a/drivers/usb/dwc3/dwc3-of-simple.c +++ b/drivers/usb/dwc3/dwc3-of-simple.c @@ -70,11 +70,11 @@ static int dwc3_of_simple_probe(struct platform_device *pdev) simple->num_clocks = ret; ret = clk_bulk_prepare_enable(simple->num_clocks, simple->clks); if (ret) - goto err_resetc_assert; + goto err_clk_put_all; ret = of_platform_populate(np, NULL, NULL, dev); if (ret) - goto err_clk_put; + goto err_clk_disable; pm_runtime_set_active(dev); pm_runtime_enable(dev); @@ -82,8 +82,9 @@ static int dwc3_of_simple_probe(struct platform_device *pdev) return 0; -err_clk_put: +err_clk_disable: clk_bulk_disable_unprepare(simple->num_clocks, simple->clks); +err_clk_put_all: clk_bulk_put_all(simple->num_clocks, simple->clks); err_resetc_assert: -- 2.25.1

2 weeks

2
1
0 0

+ mm-memory-failure-fix-missing-mf_stats-count-in-hugetlb-poison.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/memory-failure: fix missing ->mf_stats count in hugetlb poison has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-memory-failure-fix-missing-mf_stats-count-in-hugetlb-poison.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via various branches at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there most days ------------------------------------------------------ From: Jane Chu <jane.chu(a)oracle.com> Subject: mm/memory-failure: fix missing ->mf_stats count in hugetlb poison Date: Tue, 16 Dec 2025 14:56:21 -0700 When a newly poisoned subpage ends up in an already poisoned hugetlb folio, 'num_poisoned_pages' is incremented, but the per node ->mf_stats is not. Fix the inconsistency by designating action_result() to update them both. Link: https://lkml.kernel.org/r/20251216215621.920093-1-jane.chu@oracle.com Fixes: 18f41fa616ee4 ("mm: memory-failure: bump memory failure stats to pglist_data") Signed-off-by: Jane Chu <jane.chu(a)oracle.com> Cc: David Rientjes <rientjes(a)google.com> Cc: Jiaqi Yan <jiaqiyan(a)google.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Miaohe Lin <linmiaohe(a)huawei.com> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: William Roche <william.roche(a)oracle.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/hugetlb.h | 4 ++-- include/linux/mm.h | 4 ++-- mm/hugetlb.c | 4 ++-- mm/memory-failure.c | 22 +++++++++++++--------- 4 files changed, 19 insertions(+), 15 deletions(-) --- a/include/linux/hugetlb.h~mm-memory-failure-fix-missing-mf_stats-count-in-hugetlb-poison +++ a/include/linux/hugetlb.h @@ -156,7 +156,7 @@ long hugetlb_unreserve_pages(struct inod bool folio_isolate_hugetlb(struct folio *folio, struct list_head *list); int get_hwpoison_hugetlb_folio(struct folio *folio, bool *hugetlb, bool unpoison); int get_huge_page_for_hwpoison(unsigned long pfn, int flags, - bool *migratable_cleared); + bool *migratable_cleared, bool *samepg); void folio_putback_hugetlb(struct folio *folio); void move_hugetlb_state(struct folio *old_folio, struct folio *new_folio, int reason); void hugetlb_fix_reserve_counts(struct inode *inode); @@ -418,7 +418,7 @@ static inline int get_hwpoison_hugetlb_f } static inline int get_huge_page_for_hwpoison(unsigned long pfn, int flags, - bool *migratable_cleared) + bool *migratable_cleared, bool *samepg) { return 0; } --- a/include/linux/mm.h~mm-memory-failure-fix-missing-mf_stats-count-in-hugetlb-poison +++ a/include/linux/mm.h @@ -4351,7 +4351,7 @@ extern int soft_offline_page(unsigned lo extern const struct attribute_group memory_failure_attr_group; extern void memory_failure_queue(unsigned long pfn, int flags); extern int __get_huge_page_for_hwpoison(unsigned long pfn, int flags, - bool *migratable_cleared); + bool *migratable_cleared, bool *samepg); void num_poisoned_pages_inc(unsigned long pfn); void num_poisoned_pages_sub(unsigned long pfn, long i); #else @@ -4360,7 +4360,7 @@ static inline void memory_failure_queue( } static inline int __get_huge_page_for_hwpoison(unsigned long pfn, int flags, - bool *migratable_cleared) + bool *migratable_cleared, bool *samepg) { return 0; } --- a/mm/hugetlb.c~mm-memory-failure-fix-missing-mf_stats-count-in-hugetlb-poison +++ a/mm/hugetlb.c @@ -7132,12 +7132,12 @@ int get_hwpoison_hugetlb_folio(struct fo } int get_huge_page_for_hwpoison(unsigned long pfn, int flags, - bool *migratable_cleared) + bool *migratable_cleared, bool *samepg) { int ret; spin_lock_irq(&hugetlb_lock); - ret = __get_huge_page_for_hwpoison(pfn, flags, migratable_cleared); + ret = __get_huge_page_for_hwpoison(pfn, flags, migratable_cleared, samepg); spin_unlock_irq(&hugetlb_lock); return ret; } --- a/mm/memory-failure.c~mm-memory-failure-fix-missing-mf_stats-count-in-hugetlb-poison +++ a/mm/memory-failure.c @@ -1883,7 +1883,8 @@ static unsigned long __folio_free_raw_hw return count; } -static int folio_set_hugetlb_hwpoison(struct folio *folio, struct page *page) +static int folio_set_hugetlb_hwpoison(struct folio *folio, struct page *page, + bool *samepg) { struct llist_head *head; struct raw_hwp_page *raw_hwp; @@ -1899,17 +1900,16 @@ static int folio_set_hugetlb_hwpoison(st return -EHWPOISON; head = raw_hwp_list_head(folio); llist_for_each_entry(p, head->first, node) { - if (p->page == page) + if (p->page == page) { + *samepg = true; return -EHWPOISON; + } } raw_hwp = kmalloc(sizeof(struct raw_hwp_page), GFP_ATOMIC); if (raw_hwp) { raw_hwp->page = page; llist_add(&raw_hwp->node, head); - /* the first error event will be counted in action_result(). */ - if (ret) - num_poisoned_pages_inc(page_to_pfn(page)); } else { /* * Failed to save raw error info. We no longer trace all @@ -1966,7 +1966,7 @@ void folio_clear_hugetlb_hwpoison(struct * -EHWPOISON - the hugepage is already hwpoisoned */ int __get_huge_page_for_hwpoison(unsigned long pfn, int flags, - bool *migratable_cleared) + bool *migratable_cleared, bool *samepg) { struct page *page = pfn_to_page(pfn); struct folio *folio = page_folio(page); @@ -1991,7 +1991,7 @@ int __get_huge_page_for_hwpoison(unsigne goto out; } - if (folio_set_hugetlb_hwpoison(folio, page)) { + if (folio_set_hugetlb_hwpoison(folio, page, samepg)) { ret = -EHWPOISON; goto out; } @@ -2024,11 +2024,12 @@ static int try_memory_failure_hugetlb(un struct page *p = pfn_to_page(pfn); struct folio *folio; unsigned long page_flags; + bool samepg = false; bool migratable_cleared = false; *hugetlb = 1; retry: - res = get_huge_page_for_hwpoison(pfn, flags, &migratable_cleared); + res = get_huge_page_for_hwpoison(pfn, flags, &migratable_cleared, &samepg); if (res == 2) { /* fallback to normal page handling */ *hugetlb = 0; return 0; @@ -2037,7 +2038,10 @@ retry: folio = page_folio(p); res = kill_accessing_process(current, folio_pfn(folio), flags); } - action_result(pfn, MF_MSG_ALREADY_POISONED, MF_FAILED); + if (samepg) + action_result(pfn, MF_MSG_ALREADY_POISONED, MF_FAILED); + else + action_result(pfn, MF_MSG_HUGE, MF_FAILED); return res; } else if (res == -EBUSY) { if (!(flags & MF_NO_RETRY)) { _ Patches currently in -mm which might be from jane.chu(a)oracle.com are mm-memory-failure-fix-missing-mf_stats-count-in-hugetlb-poison.patch

2 weeks

1
0
0 0

LDI Show 2025 Contacts

by Caroline Turner

Hi Exhibitor, Hope you had a successful experience at LDI Show 2025 (Dec 3–9, Las Vegas). We have access to a verified list of 16,594 attendees and 312 exhibitors across the live events, lighting, audio, staging, and production-technology sectors. This includes lighting designers, audio engineers, production managers, AV integrators, stage/rigging technicians, venue operations heads, broadcast specialists, and other key live-event decision-makers. Don’t miss the opportunity to connect with high-quality prospects after the event. If interested, kindly reply “Send Pricing” to receive the details. Best regards, Caroline Turner Senior Market Analyst To opt-out, reply “Not Interested”.

2 weeks

1
0
0 0

[PATCH v2 0/1] fs/writeback: skip AS_NO_DATA_INTEGRITY mappings in wait_sb_inodes()

by Joanne Koong

This patch reverts fuse back to its original behavior of sync being a no-op. This fixes the userspace regression reported by Athul and J. upstream in [1][2] where if there is a bug in a fuse server that causes the server to never complete writeback, it will make wait_sb_inodes() wait forever. Thanks, Joanne [1] https://lore.kernel.org/regressions/CAJnrk1ZjQ8W8NzojsvJPRXiv9TuYPNdj8Ye7=C… [2] https://lore.kernel.org/linux-fsdevel/aT7JRqhUvZvfUQlV@eldamar.lan/ Changelog: v1: https://lore.kernel.org/linux-mm/20251120184211.2379439-1-joannelkoong@gmai… * Change AS_WRITEBACK_MAY_HANG to AS_NO_DATA_INTEGRITY and keep AS_WRITEBACK_MAY_DEADLOCK_ON_RECLAIM as is. Joanne Koong (1): fs/writeback: skip AS_NO_DATA_INTEGRITY mappings in wait_sb_inodes() fs/fs-writeback.c | 3 ++- fs/fuse/file.c | 4 +++- include/linux/pagemap.h | 11 +++++++++++ 3 files changed, 16 insertions(+), 2 deletions(-) -- 2.47.3

2 weeks

3
4
0 0

[PATCH 2/2] xfs: fix the zoned RT growfs check for zone alignment

by Christoph Hellwig

The grofs code for zoned RT subvolums already tries to check for zone alignment, but gets it wrong by using the old instead of the new mount structure. Fixes: 01b71e64bb87 ("xfs: support growfs on zoned file systems") Signed-off-by: Christoph Hellwig <hch(a)lst.de> Reviewed-by: "Darrick J. Wong" <djwong(a)kernel.org> Cc: <stable(a)vger.kernel.org> # v6.15 --- fs/xfs/xfs_rtalloc.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/fs/xfs/xfs_rtalloc.c b/fs/xfs/xfs_rtalloc.c index 6907e871fa15..e063f4f2f2e6 100644 --- a/fs/xfs/xfs_rtalloc.c +++ b/fs/xfs/xfs_rtalloc.c @@ -1255,12 +1255,10 @@ xfs_growfs_check_rtgeom( min_logfsbs = min_t(xfs_extlen_t, xfs_log_calc_minimum_size(nmp), nmp->m_rsumblocks * 2); - kfree(nmp); - trace_xfs_growfs_check_rtgeom(mp, min_logfsbs); if (min_logfsbs > mp->m_sb.sb_logblocks) - return -EINVAL; + goto out_inval; if (xfs_has_zoned(mp)) { uint32_t gblocks = mp->m_groups[XG_TYPE_RTG].blocks; @@ -1268,16 +1266,20 @@ xfs_growfs_check_rtgeom( if (rextsize != 1) return -EINVAL; - div_u64_rem(mp->m_sb.sb_rblocks, gblocks, &rem); + div_u64_rem(nmp->m_sb.sb_rblocks, gblocks, &rem); if (rem) { xfs_warn(mp, "new RT volume size (%lld) not aligned to RT group size (%d)", - mp->m_sb.sb_rblocks, gblocks); - return -EINVAL; + nmp->m_sb.sb_rblocks, gblocks); + goto out_inval; } } + kfree(nmp); return 0; +out_inval: + kfree(nmp); + return -EINVAL; } /* -- 2.47.3

2 weeks

1
0
0 0

[PATCH 1/2] xfs: validate that zoned RT devices are zone aligned

by Christoph Hellwig

Garbage collection assumes all zones contain the full amount of blocks. Mkfs already ensures this happens, but make the kernel check it as well to avoid getting into trouble due to fuzzers or mkfs bugs. Fixes: 2167eaabe2fa ("xfs: define the zoned on-disk format") Signed-off-by: Christoph Hellwig <hch(a)lst.de> Reviewed-by: "Darrick J. Wong" <djwong(a)kernel.org> Cc: <stable(a)vger.kernel.org> # v6.15 --- fs/xfs/libxfs/xfs_sb.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/fs/xfs/libxfs/xfs_sb.c b/fs/xfs/libxfs/xfs_sb.c index cdd16dd805d7..94c272a2ae26 100644 --- a/fs/xfs/libxfs/xfs_sb.c +++ b/fs/xfs/libxfs/xfs_sb.c @@ -301,6 +301,21 @@ xfs_validate_rt_geometry( sbp->sb_rbmblocks != xfs_expected_rbmblocks(sbp)) return false; + if (xfs_sb_is_v5(sbp) && + (sbp->sb_features_incompat & XFS_SB_FEAT_INCOMPAT_ZONED)) { + uint32_t mod; + + /* + * Zoned RT devices must be aligned to the RT group size, + * because garbage collection assumes that all zones have the + * same size to avoid insane complexity if that weren't the + * case. + */ + div_u64_rem(sbp->sb_rextents, sbp->sb_rgextents, &mod); + if (mod) + return false; + } + return true; } -- 2.47.3

2 weeks

1
0
0 0

El 68% de líderes sobrestima su desempeño

by Luis Rodríguez

¿Tus líderes realmente lideran bien? body { margin: 0; padding: 0; font-family: Arial, Helvetica, sans-serif; font-size: 14px; color: #333; background-color: #ffffff; } table { border-spacing: 0; width: 100%; max-width: 600px; margin: auto; } td { padding: 12px 20px; } a { color: #1a73e8; text-decoration: none; } .footer { font-size: 12px; color: #888888; text-align: center; } El 68% de líderes sobrestima su desempeño. Evaluación 360° te da la verdad. Hola, , ¿Sabías que el 68% de los líderes sobrestima su propio desempeño? El problema es simple: solo reciben feedback de su jefe inmediato. Pero, ¿qué opinan sus pares y colaboradores? Ahí está la verdad. Con Feedback 360° de Vorecol obtienes una visión completa del liderazgo en tu empresa: Feedback anónimo y honesto de jefes, pares y colaboradores Reportes visuales claros con fortalezas y áreas de mejora identificadas Competencias personalizables según tu cultura organizacional 100% en la nube, fácil de aplicar y confidencial Resultado: Líderes más conscientes, equipos más comprometidos, mejor clima laboral. ¿Quieres ver cómo funciona? Responde este correo y agendamos una demo personalizada gratuita. Saludos, -------------- Atte.: Luis Rodríguez Ciudad de México: (55) 5018 0565 WhatsApp: +52 33 1607 2089 Si no deseas recibir más correos, haz clic aquí para darte de baja. Para remover su dirección de esta lista haga <a href="https://s1.arrobamail.com/unsuscribe.php?id=yiwtsrewiswqyqseup">click aquí</a>

2 weeks

1
0
0 0

[PATCH v2 0/2] PCI: AtomicOps: Fix pci_enable_atomic_ops_to_root()

by Gerd Bayer

Hi Bjorn et al. this series addresses a few issues that have come up with the helper function that enables Atomic Op Requests to be initiated by PCI enpoints: A. Most in-tree users of this helper use it incorrectly [0]. B. On s390, Atomic Op Requests are enabled, although the helper cannot know whether the root port is really supporting them. C. Loop control in the helper function does not guarantee that a root port's capabilities are ever checked against those requested by the caller. Address these issue with the following patches: Patch 1: Make it harder to mis-use the enablement function, Patch 2: Addresses issues B. and C. I did test that issue B is fixed with these patches. Also, I verified that Atomic Ops enablement on a Mellanox/Nvidia ConnectX-6 adapter plugged straight into the root port of a x86 system still gets AtomicOp Requests enabled. However, I did not test this with any PCIe switches between root port and endpoint. Ideally, both patches would be incorporated immediately, so we could start correcting the mis-uses in the device drivers. I don't know of any complaints when using Atomic Ops on devices where the driver is mis-using the helper. Patch 2 however, is fixing an obseved issue. [0]: https://lore.kernel.org/all/fbe34de16f5c0bf25a16f9819a57fdd81e5bb08c.camel@… [1]: https://lore.kernel.org/all/20251105-mlxatomics-v1-0-10c71649e08d@linux.ibm… Signed-off-by: Gerd Bayer <gbayer(a)linux.ibm.com> --- Changes in v2: - rebase to 6.19-rc1 - otherwise unchanged to v1 - Link to v1: https://lore.kernel.org/r/20251110-fix_pciatops-v1-0-edc58a57b62e@linux.ibm… --- Gerd Bayer (2): PCI: AtomicOps: Define valid root port capabilities PCI: AtomicOps: Fix logic in enable function drivers/pci/pci.c | 43 +++++++++++++++++++++---------------------- include/uapi/linux/pci_regs.h | 8 ++++++++ 2 files changed, 29 insertions(+), 22 deletions(-) --- base-commit: 40fbbd64bba6c6e7a72885d2f59b6a3be9991eeb change-id: 20251106-fix_pciatops-7e8608eccb03 Best regards, -- Gerd Bayer <gbayer(a)linux.ibm.com>

2 weeks

1
1
0 0

[PATCH net v3 1/1] atm: mpoa: Fix UAF on qos_head list in procfs

by Minseong Kim

The global QoS list 'qos_head' in net/atm/mpc.c is accessed from the /proc/net/atm/mpc procfs interface without proper synchronization. The read-side seq_file show path (mpc_show() -> atm_mpoa_disp_qos()) walks qos_head without any lock, while the write-side path (proc_mpc_write() -> parse_qos() -> atm_mpoa_delete_qos()) can unlink and kfree() entries immediately. Concurrent read/write therefore leads to a use-after-free. Fix this by serializing all qos_head list operations with a mutex. A mutex is used because seq_printf() may sleep. To avoid returning an unprotected pointer (and the resulting lifetime race), replace atm_mpoa_search_qos() with atm_mpoa_get_qos(), which copies the QoS under lock. Also add atm_mpoa_delete_qos_by_ip() so search+unlink+free is atomic under the same lock, preventing concurrent double-free/UAF scenarios. KASAN report: [ 15.911538] BUG: KASAN: slab-use-after-free in atm_mpoa_disp_qos+0x202/0x380 [ 15.911988] Read of size 8 at addr ffff888007517380 by task mpoa_uaf_poc/89 [ 15.912123] [ 15.912717] CPU: 0 UID: 0 PID: 89 Comm: mpoa_uaf_poc Not tainted 6.17.8 #1 PREEMPT(voluntary) [ 15.912950] Hardware name: QEMU Ubuntu 25.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 15.913110] Call Trace: [ 15.913167] <TASK> [ 15.913247] dump_stack_lvl+0x4e/0x70 [ 15.913343] ? atm_mpoa_disp_qos+0x202/0x380 [ 15.913364] print_report+0x174/0x4f6 [ 15.913386] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 15.913412] ? atm_mpoa_disp_qos+0x202/0x380 [ 15.913430] kasan_report+0xce/0x100 [ 15.913453] ? atm_mpoa_disp_qos+0x202/0x380 [ 15.913475] atm_mpoa_disp_qos+0x202/0x380 [ 15.913496] mpc_show+0x575/0x700 [ 15.913515] ? kasan_save_track+0x14/0x30 [ 15.913532] ? __pfx_mpc_show+0x10/0x10 [ 15.913550] ? __pfx_mutex_lock+0x10/0x10 [ 15.913565] ? seq_read_iter+0x697/0x1110 [ 15.913584] seq_read_iter+0x2bc/0x1110 [ 15.913607] seq_read+0x267/0x3d0 [ 15.913623] ? __pfx_seq_read+0x10/0x10 [ 15.913650] proc_reg_read+0x1ab/0x270 [ 15.913669] vfs_read+0x175/0xa10 [ 15.913687] ? do_sys_openat2+0x103/0x170 [ 15.913701] ? kmem_cache_free+0xc4/0x360 [ 15.913718] ? getname_flags.part.0+0xf3/0x470 [ 15.913734] ? __pfx_vfs_read+0x10/0x10 [ 15.913751] ? mutex_lock+0x81/0xe0 [ 15.913766] ? __pfx_mutex_lock+0x10/0x10 [ 15.913782] ? __rseq_handle_notify_resume+0x4c4/0xac0 [ 15.913802] ? fdget_pos+0x24d/0x4b0 [ 15.913829] ksys_read+0xf7/0x1c0 [ 15.913850] ? __pfx_ksys_read+0x10/0x10 [ 15.913877] do_syscall_64+0xa4/0x290 [ 15.913917] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 15.913981] RIP: 0033:0x45c982 [ 15.914171] Code: 08 0f 85 71 ea ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 55 48 89 e5 [ 15.914239] RSP: 002b:00007f4b2b2cb0d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 15.914315] RAX: ffffffffffffffda RBX: 00007f4b2b2cc6c0 RCX: 000000000045c982 [ 15.914352] RDX: 0000000000000fff RSI: 00007f4b2b2cb220 RDI: 0000000000000014 [ 15.914382] RBP: 00007f4b2b2cb100 R08: 0000000000000000 R09: 0000000000000000 [ 15.914413] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000a [ 15.914445] R13: ffffffffffffffd0 R14: 0000000000000000 R15: 00007ffd386450c0 [ 15.914483] </TASK> [ 15.914533] [ 15.916812] Allocated by task 78: [ 15.916975] kasan_save_stack+0x30/0x50 [ 15.917047] kasan_save_track+0x14/0x30 [ 15.917105] __kasan_kmalloc+0x8f/0xa0 [ 15.917162] atm_mpoa_add_qos+0x1bb/0x3c0 [ 15.917220] parse_qos.cold+0x73/0x7d [ 15.917276] proc_mpc_write+0xf4/0x150 [ 15.917331] proc_reg_write+0x1ab/0x270 [ 15.917379] vfs_write+0x1ce/0xd30 [ 15.917431] ksys_write+0xf7/0x1c0 [ 15.917476] do_syscall_64+0xa4/0x290 [ 15.917523] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 15.917586] [ 15.917628] Freed by task 78: [ 15.917665] kasan_save_stack+0x30/0x50 [ 15.917714] kasan_save_track+0x14/0x30 [ 15.917762] kasan_save_free_info+0x3b/0x70 [ 15.917811] __kasan_slab_free+0x3e/0x50 [ 15.918058] kfree+0x121/0x340 [ 15.918135] atm_mpoa_delete_qos+0xad/0xd0 [ 15.918196] parse_qos+0x1e5/0x1f0 [ 15.918339] proc_mpc_write+0xf4/0x150 [ 15.918438] proc_reg_write+0x1ab/0x270 [ 15.918494] vfs_write+0x1ce/0xd30 [ 15.918538] ksys_write+0xf7/0x1c0 [ 15.918589] do_syscall_64+0xa4/0x290 [ 15.918634] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 15.918694] [ 15.918751] The buggy address belongs to the object at ffff888007517380 [ 15.918751] which belongs to the cache kmalloc-96 of size 96 [ 15.918911] The buggy address is located 0 bytes inside of [ 15.918911] freed 96-byte region [ffff888007517380, ffff8880075173e0) [ 15.919027] [ 15.919101] The buggy address belongs to the physical page: [ 15.919416] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888007517300 pfn:0x7517 [ 15.919679] anon flags: 0x100000000000000(node=0|zone=1) [ 15.920064] page_type: f5(slab) [ 15.920361] raw: 0100000000000000 ffff888006c41280 0000000000000000 dead000000000001 [ 15.920460] raw: ffff888007517300 0000000080200007 00000000f5000000 0000000000000000 [ 15.920577] page dumped because: kasan: bad access detected [ 15.920634] [ 15.920663] Memory state around the buggy address: [ 15.920860] ffff888007517280: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 15.920944] ffff888007517300: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 15.921017] >ffff888007517380: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 15.921088] ^ [ 15.921163] ffff888007517400: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 15.921222] ffff888007517480: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc Reported-by: Minseong Kim <ii4gsp(a)gmail.com> Closes: https://lore.kernel.org/netdev/CAKrymDR1X3XTX_1ZW3XXXnuYH+kzsnv7Av5uivzR1st… Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable(a)vger.kernel.org Signed-off-by: Minseong Kim <ii4gsp(a)gmail.com> --- net/atm/mpc.c | 184 ++++++++++++++++++++++++++++++++---------- net/atm/mpc.h | 3 +- net/atm/mpoa_caches.c | 17 ++-- net/atm/mpoa_proc.c | 2 +- 4 files changed, 149 insertions(+), 57 deletions(-) diff --git a/net/atm/mpc.c b/net/atm/mpc.c index f6b447bba329..650081dd82d1 100644 --- a/net/atm/mpc.c +++ b/net/atm/mpc.c @@ -9,6 +9,7 @@ #include <linux/bitops.h> #include <linux/capability.h> #include <linux/seq_file.h> +#include <linux/mutex.h> /* We are an ethernet device */ #include <linux/if_ether.h> @@ -122,6 +123,7 @@ static struct notifier_block mpoa_notifier = { struct mpoa_client *mpcs = NULL; /* FIXME */ static struct atm_mpoa_qos *qos_head = NULL; +static DEFINE_MUTEX(qos_mutex); /* Protect qos_head list */ static DEFINE_TIMER(mpc_timer, mpc_cache_check); @@ -172,67 +174,63 @@ static struct mpoa_client *find_mpc_by_lec(struct net_device *dev) */ /* - * Overwrites the old entry or makes a new one. + * Search for a QoS entry. Caller must hold qos_mutex. + * Returns pointer to entry if found, NULL otherwise. */ -struct atm_mpoa_qos *atm_mpoa_add_qos(__be32 dst_ip, struct atm_qos *qos) +static struct atm_mpoa_qos *__atm_mpoa_search_qos(__be32 dst_ip) { - struct atm_mpoa_qos *entry; - - entry = atm_mpoa_search_qos(dst_ip); - if (entry != NULL) { - entry->qos = *qos; - return entry; - } + struct atm_mpoa_qos *qos = qos_head; - entry = kmalloc(sizeof(struct atm_mpoa_qos), GFP_KERNEL); - if (entry == NULL) { - pr_info("mpoa: out of memory\n"); - return entry; + while (qos) { + if (qos->ipaddr == dst_ip) + return qos; + qos = qos->next; } - - entry->ipaddr = dst_ip; - entry->qos = *qos; - - entry->next = qos_head; - qos_head = entry; - - return entry; + return NULL; } -struct atm_mpoa_qos *atm_mpoa_search_qos(__be32 dst_ip) +/* + * Get a QoS entry by copying its value. + * Caller gets a COPY of qos under lock. + * Returns true if found and copied, false if not found. + * This avoids lifetime issues with the returned pointer. + */ +bool atm_mpoa_get_qos(__be32 dst_ip, struct atm_qos *out) { - struct atm_mpoa_qos *qos; + struct atm_mpoa_qos *q; - qos = qos_head; - while (qos) { - if (qos->ipaddr == dst_ip) - break; - qos = qos->next; - } + if (!out) + return false; - return qos; + mutex_lock(&qos_mutex); + q = __atm_mpoa_search_qos(dst_ip); + if (q) + *out = q->qos; + mutex_unlock(&qos_mutex); + + return q; } /* - * Returns 0 for failure + * Delete a QoS entry from the list. Caller must hold qos_mutex. + * Returns 1 if found and deleted, 0 if not found. */ -int atm_mpoa_delete_qos(struct atm_mpoa_qos *entry) +static int __atm_mpoa_delete_qos_locked(struct atm_mpoa_qos *entry) { struct atm_mpoa_qos *curr; - if (entry == NULL) + if (!entry) return 0; + if (entry == qos_head) { - qos_head = qos_head->next; - kfree(entry); + qos_head = entry->next; return 1; } curr = qos_head; - while (curr != NULL) { + while (curr) { if (curr->next == entry) { curr->next = entry->next; - kfree(entry); return 1; } curr = curr->next; @@ -241,15 +239,107 @@ int atm_mpoa_delete_qos(struct atm_mpoa_qos *entry) return 0; } +/* + * Delete a QoS entry by IP address. + * This is atomic: search+unlink+free happens entirely under lock, + * avoiding the double-free issue with atm_mpoa_delete_qos(atm_mpoa_search_qos(ipaddr)). + */ +int atm_mpoa_delete_qos_by_ip(__be32 dst_ip) +{ + struct atm_mpoa_qos *entry; + int ret = 0; + + mutex_lock(&qos_mutex); + entry = __atm_mpoa_search_qos(dst_ip); + if (entry) { + ret = __atm_mpoa_delete_qos_locked(entry); + if (ret) + kfree(entry); + } + mutex_unlock(&qos_mutex); + + return ret; +} + +/* + * Overwrites the old entry or makes a new one. + */ +struct atm_mpoa_qos *atm_mpoa_add_qos(__be32 dst_ip, struct atm_qos *qos) +{ + struct atm_mpoa_qos *entry; + struct atm_mpoa_qos *new; + + /* Fast path: update existing entry */ + mutex_lock(&qos_mutex); + entry = __atm_mpoa_search_qos(dst_ip); + if (entry) { + entry->qos = *qos; + mutex_unlock(&qos_mutex); + return entry; + } + mutex_unlock(&qos_mutex); + + /* Allocate outside lock */ + new = kmalloc(sizeof(*new), GFP_KERNEL); + if (!new) + return NULL; + + new->ipaddr = dst_ip; + new->qos = *qos; + + /* Re-check under lock to avoid duplicates */ + mutex_lock(&qos_mutex); + entry = __atm_mpoa_search_qos(dst_ip); + if (entry) { + entry->qos = *qos; + mutex_unlock(&qos_mutex); + kfree(new); + return entry; + } + + new->next = qos_head; + qos_head = new; + mutex_unlock(&qos_mutex); + + return new; +} + +/* + * Delete a QoS entry by pointer. + * WARNING: This function is unsafe if called with an entry pointer + * obtained outside of qos_mutex protection. The entry may have been + * freed by another thread between the time the pointer was obtained + * and when this function is called. + * Use atm_mpoa_delete_qos_by_ip() instead for safe deletion by IP address. + * Returns 0 for failure, 1 for success + */ +int atm_mpoa_delete_qos(struct atm_mpoa_qos *entry) +{ + int ret; + + if (!entry) + return 0; + + mutex_lock(&qos_mutex); + ret = __atm_mpoa_delete_qos_locked(entry); + if (ret) + kfree(entry); + mutex_unlock(&qos_mutex); + + return ret; +} + /* this is buggered - we need locking for qos_head */ void atm_mpoa_disp_qos(struct seq_file *m) { struct atm_mpoa_qos *qos; - qos = qos_head; seq_printf(m, "QoS entries for shortcuts:\n"); - seq_printf(m, "IP address\n TX:max_pcr pcr min_pcr max_cdv max_sdu\n RX:max_pcr pcr min_pcr max_cdv max_sdu\n"); + seq_printf(m, "IP address\n TX:max_pcr pcr min_pcr max_cdv max_sdu\n" + " RX:max_pcr pcr min_pcr max_cdv max_sdu\n"); + mutex_lock(&qos_mutex); + qos = qos_head; while (qos != NULL) { seq_printf(m, "%pI4\n %-7d %-7d %-7d %-7d %-7d\n %-7d %-7d %-7d %-7d %-7d\n", &qos->ipaddr, @@ -265,6 +355,7 @@ void atm_mpoa_disp_qos(struct seq_file *m) qos->qos.rxtp.max_sdu); qos = qos->next; } + mutex_unlock(&qos_mutex); } static struct net_device *find_lec_by_itfnum(int itf) @@ -1118,13 +1209,16 @@ static void check_qos_and_open_shortcut(struct k_message *msg, in_cache_entry *entry) { __be32 dst_ip = msg->content.in_info.in_dst_ip; - struct atm_mpoa_qos *qos = atm_mpoa_search_qos(dst_ip); + struct atm_qos tmp_qos; + bool has_qos; eg_cache_entry *eg_entry = client->eg_ops->get_by_src_ip(dst_ip, client); + has_qos = atm_mpoa_get_qos(dst_ip, &tmp_qos); + if (eg_entry && eg_entry->shortcut) { if (eg_entry->shortcut->qos.txtp.traffic_class & msg->qos.txtp.traffic_class & - (qos ? qos->qos.txtp.traffic_class : ATM_UBR | ATM_CBR)) { + (has_qos ? tmp_qos.txtp.traffic_class : ATM_UBR | ATM_CBR)) { if (eg_entry->shortcut->qos.txtp.traffic_class == ATM_UBR) entry->shortcut = eg_entry->shortcut; else if (eg_entry->shortcut->qos.txtp.max_pcr > 0) @@ -1142,9 +1236,9 @@ static void check_qos_and_open_shortcut(struct k_message *msg, /* No luck in the egress cache we must open an ingress SVC */ msg->type = OPEN_INGRESS_SVC; - if (qos && - (qos->qos.txtp.traffic_class == msg->qos.txtp.traffic_class)) { - msg->qos = qos->qos; + if (has_qos && + tmp_qos.txtp.traffic_class == msg->qos.txtp.traffic_class) { + msg->qos = tmp_qos; pr_info("(%s) trying to get a CBR shortcut\n", client->dev->name); } else @@ -1521,8 +1615,10 @@ static void __exit atm_mpoa_cleanup(void) mpc = tmp; } + mutex_lock(&qos_mutex); qos = qos_head; qos_head = NULL; + mutex_unlock(&qos_mutex); while (qos != NULL) { nextqos = qos->next; dprintk("freeing qos entry %p\n", qos); diff --git a/net/atm/mpc.h b/net/atm/mpc.h index 454abd07651a..0536946989ad 100644 --- a/net/atm/mpc.h +++ b/net/atm/mpc.h @@ -47,8 +47,9 @@ struct atm_mpoa_qos { /* MPOA QoS operations */ struct atm_mpoa_qos *atm_mpoa_add_qos(__be32 dst_ip, struct atm_qos *qos); -struct atm_mpoa_qos *atm_mpoa_search_qos(__be32 dst_ip); +bool atm_mpoa_get_qos(__be32 dst_ip, struct atm_qos *out); int atm_mpoa_delete_qos(struct atm_mpoa_qos *qos); +int atm_mpoa_delete_qos_by_ip(__be32 dst_ip); /* Display QoS entries. This is for the procfs */ struct seq_file; diff --git a/net/atm/mpoa_caches.c b/net/atm/mpoa_caches.c index f7a2f0e41105..30c5b10ee562 100644 --- a/net/atm/mpoa_caches.c +++ b/net/atm/mpoa_caches.c @@ -132,7 +132,6 @@ static in_cache_entry *in_cache_add_entry(__be32 dst_ip, static int cache_hit(in_cache_entry *entry, struct mpoa_client *mpc) { - struct atm_mpoa_qos *qos; struct k_message msg; entry->count++; @@ -144,9 +143,8 @@ static int cache_hit(in_cache_entry *entry, struct mpoa_client *mpc) msg.type = SND_MPOA_RES_RQST; msg.content.in_info = entry->ctrl_info; memcpy(msg.MPS_ctrl, mpc->mps_ctrl_addr, ATM_ESA_LEN); - qos = atm_mpoa_search_qos(entry->ctrl_info.in_dst_ip); - if (qos != NULL) - msg.qos = qos->qos; + if (!atm_mpoa_get_qos(entry->ctrl_info.in_dst_ip, &msg.qos)) + memset(&msg.qos, 0, sizeof(msg.qos)); msg_to_mpoad(&msg, mpc); entry->reply_wait = ktime_get_seconds(); entry->entry_state = INGRESS_RESOLVING; @@ -167,9 +165,8 @@ static int cache_hit(in_cache_entry *entry, struct mpoa_client *mpc) msg.type = SND_MPOA_RES_RQST; memcpy(msg.MPS_ctrl, mpc->mps_ctrl_addr, ATM_ESA_LEN); msg.content.in_info = entry->ctrl_info; - qos = atm_mpoa_search_qos(entry->ctrl_info.in_dst_ip); - if (qos != NULL) - msg.qos = qos->qos; + if (!atm_mpoa_get_qos(entry->ctrl_info.in_dst_ip, &msg.qos)) + memset(&msg.qos, 0, sizeof(msg.qos)); msg_to_mpoad(&msg, mpc); entry->reply_wait = ktime_get_seconds(); } @@ -249,7 +246,6 @@ static void clear_count_and_expired(struct mpoa_client *client) static void check_resolving_entries(struct mpoa_client *client) { - struct atm_mpoa_qos *qos; in_cache_entry *entry; time64_t now; struct k_message msg; @@ -283,9 +279,8 @@ static void check_resolving_entries(struct mpoa_client *client) msg.type = SND_MPOA_RES_RTRY; memcpy(msg.MPS_ctrl, client->mps_ctrl_addr, ATM_ESA_LEN); msg.content.in_info = entry->ctrl_info; - qos = atm_mpoa_search_qos(entry->ctrl_info.in_dst_ip); - if (qos != NULL) - msg.qos = qos->qos; + if (!atm_mpoa_get_qos(entry->ctrl_info.in_dst_ip, &msg.qos)) + memset(&msg.qos, 0, sizeof(msg.qos)); msg_to_mpoad(&msg, client); entry->reply_wait = ktime_get_seconds(); } diff --git a/net/atm/mpoa_proc.c b/net/atm/mpoa_proc.c index aaf64b953915..600075c6022e 100644 --- a/net/atm/mpoa_proc.c +++ b/net/atm/mpoa_proc.c @@ -254,7 +254,7 @@ static int parse_qos(const char *buff) if (sscanf(buff, "del %hhu.%hhu.%hhu.%hhu", ip, ip+1, ip+2, ip+3) == 4) { ipaddr = *(__be32 *)ip; - return atm_mpoa_delete_qos(atm_mpoa_search_qos(ipaddr)); + return atm_mpoa_delete_qos_by_ip(ipaddr); } if (sscanf(buff, "add %hhu.%hhu.%hhu.%hhu tx=%d,%d rx=tx", -- 2.39.5 (Apple Git-154)

2 weeks

3
3
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror