lineage-22.1
81527 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Chao Yu
|
84a8d913fb |
f2fs: clean up i_compress_flag and i_compress_level usage
[ Upstream commit b90e5086df6bf5ba819216d5ecf0667370bd565f ]
.i_compress_level was introduced by commit
|
||
David Howells
|
4713b7c756 |
splice, net: Add a splice_eof op to file-ops and socket-ops
[ Upstream commit 2bfc66850952b6921b2033b09729ec59eabbc81d ] Add an optional method, ->splice_eof(), to allow splice to indicate the premature termination of a splice to struct file_operations and struct proto_ops. This is called if sendfile() or splice() encounters all of the following conditions inside splice_direct_to_actor(): (1) the user did not set SPLICE_F_MORE (splice only), and (2) an EOF condition occurred (->splice_read() returned 0), and (3) we haven't read enough to fulfill the request (ie. len > 0 still), and (4) we have already spliced at least one byte. A further patch will modify the behaviour of SPLICE_F_MORE to always be passed to the actor if either the user set it or we haven't yet read sufficient data to fulfill the request. Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> Link: https://lore.kernel.org/r/CAHk-=wh=V579PDYvkpnTobCLGczbgxpMgGmmhqiTyE34Cpi5Gg@mail.gmail.com/ Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: Jakub Kicinski <kuba@kernel.org> cc: Jens Axboe <axboe@kernel.dk> cc: Christoph Hellwig <hch@lst.de> cc: Al Viro <viro@zeniv.linux.org.uk> cc: Matthew Wilcox <willy@infradead.org> cc: Jan Kara <jack@suse.cz> cc: Jeff Layton <jlayton@kernel.org> cc: David Hildenbrand <david@redhat.com> cc: Christian Brauner <brauner@kernel.org> cc: Chuck Lever <chuck.lever@oracle.com> cc: Boris Pismenny <borisp@nvidia.com> cc: John Fastabend <john.fastabend@gmail.com> cc: linux-mm@kvack.org Signed-off-by: Jakub Kicinski <kuba@kernel.org> Stable-dep-of: a0002127cd74 ("udp: move udp->no_check6_tx to udp->udp_flags") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Shyam Prasad N
|
3152a7d361 |
cifs: do not depend on release_iface for maintaining iface_list
commit 09eeb0723f219fbd96d8865bf9b935e03ee2ec22 upstream.
parse_server_interfaces should be in complete charge of maintaining
the iface_list linked list. Today, iface entries are removed
from the list only when the last refcount is dropped.
i.e. in release_iface. However, this can result in undercounting
of refcount if the server stops advertising interfaces (which
Azure SMB server does).
This change puts parse_server_interfaces in full charge of
maintaining the iface_list. So if an empty list is returned
by the server, the entries in the list will immediately be
removed. This way, a following call to the same function will
not find entries in the list.
Fixes:
|
||
|
Shyam Prasad N
|
5982a625fc |
cifs: cifs_chan_is_iface_active should be called with chan_lock held
commit 7257bcf3bdc785eabc4eef1f329a59815b032508 upstream.
cifs_chan_is_iface_active checks the channels of a session to see
if the associated iface is active. This should always happen
with chan_lock held. However, these two callers of this function
were missing this locking.
This change makes sure the function calls are protected with
proper locking.
Fixes:
|
||
Greg Kroah-Hartman
|
0177cfb2a2 |
Merge tag 'android14-6.1.68_r00' into branch 'android14-6.1'
This merges the changes up to 6.1.68 LTS into the android14-6.1 branch. Included in here are the following commits: * |
||
NeilBrown
|
f9a01938e0 |
NFSD: fix possible oops when nfsd/pool_stats is closed.
commit 88956eabfdea7d01d550535af120d4ef265b1d02 upstream.
If /proc/fs/nfsd/pool_stats is open when the last nfsd thread exits, then
when the file is closed a NULL pointer is dereferenced.
This is because nfsd_pool_stats_release() assumes that the
pointer to the svc_serv cannot become NULL while a reference is held.
This used to be the case but a recent patch split nfsd_last_thread() out
from nfsd_put(), and clearing the pointer is done in nfsd_last_thread().
This is easily reproduced by running
rpc.nfsd 8 ; ( rpc.nfsd 0;true) < /proc/fs/nfsd/pool_stats
Fortunately nfsd_pool_stats_release() has easy access to the svc_serv
pointer, and so can call svc_put() on it directly.
Fixes: 9f28a971ee9f ("nfsd: separate nfsd_last_thread() from nfsd_put()")
Signed-off-by: NeilBrown <neilb@suse.de>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Namjae Jeon
|
7a3bbbadac |
ksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16()
commit d10c77873ba1e9e6b91905018e29e196fd5f863d upstream. If ->NameOffset/Length is bigger than ->CreateContextsOffset/Length, ksmbd_check_message doesn't validate request buffer it correctly. So slab-out-of-bounds warning from calling smb_strndup_from_utf16() in smb2_open() could happen. If ->NameLength is non-zero, Set the larger of the two sums (Name and CreateContext size) as the offset and length of the data area. Reported-by: Yang Chaoming <lometsj@live.com> Cc: stable@vger.kernel.org Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
NeilBrown
|
bb4f791cb2 |
nfsd: call nfsd_last_thread() before final nfsd_put()
[ Upstream commit 2a501f55cd641eb4d3c16a2eab0d678693fac663 ]
If write_ports_addfd or write_ports_addxprt fail, they call nfsd_put()
without calling nfsd_last_thread(). This leaves nn->nfsd_serv pointing
to a structure that has been freed.
So remove 'static' from nfsd_last_thread() and call it when the
nfsd_serv is about to be destroyed.
Fixes:
|
||
|
NeilBrown
|
03d68ffc48 |
nfsd: separate nfsd_last_thread() from nfsd_put()
[ Upstream commit 9f28a971ee9fdf1bf8ce8c88b103f483be610277 ]
Now that the last nfsd thread is stopped by an explicit act of calling
svc_set_num_threads() with a count of zero, we only have a limited
number of places that can happen, and don't need to call
nfsd_last_thread() in nfsd_put()
So separate that out and call it at the two places where the number of
threads is set to zero.
Move the clearing of ->nfsd_serv and the call to svc_xprt_destroy_all()
into nfsd_last_thread(), as they are really part of the same action.
nfsd_put() is now a thin wrapper around svc_put(), so make it a static
inline.
nfsd_put() cannot be called after nfsd_last_thread(), so in a couple of
places we have to use svc_put() instead.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Stable-dep-of: 2a501f55cd64 ("nfsd: call nfsd_last_thread() before final nfsd_put()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Namjae Jeon
|
98235bc13a |
ksmbd: fix wrong allocation size update in smb2_open()
[ Upstream commit a9f106c765c12d2f58aa33431bd8ce8e9d8a404a ] When client send SMB2_CREATE_ALLOCATION_SIZE create context, ksmbd update old size to ->AllocationSize in smb2 create response. ksmbd_vfs_getattr() should be called after it to get updated stat result. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Namjae Jeon
|
04b8e04f8f |
ksmbd: avoid duplicate opinfo_put() call on error of smb21_lease_break_ack()
[ Upstream commit 658609d9a618d8881bf549b5893c0ba8fcff4526 ] opinfo_put() could be called twice on error of smb21_lease_break_ack(). It will cause UAF issue if opinfo is referenced on other places. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Namjae Jeon
|
34f7d5b5c9 |
ksmbd: lazy v2 lease break on smb2_write()
[ Upstream commit c2a721eead71202a0d8ddd9b56ec8dce652c71d1 ] Don't immediately send directory lease break notification on smb2_write(). Instead, It postpones it until smb2_close(). Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Namjae Jeon
|
500c7a5e9a |
ksmbd: send v2 lease break notification for directory
[ Upstream commit d47d9886aeef79feba7adac701a510d65f3682b5 ] If client send different parent key, different client guid, or there is no parent lease key flags in create context v2 lease, ksmbd send lease break to client. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Namjae Jeon
|
1993959460 |
ksmbd: downgrade RWH lease caching state to RH for directory
[ Upstream commit eb547407f3572d2110cb1194ecd8865b3371a7a4 ] RWH(Read + Write + Handle) caching state is not supported for directory. ksmbd downgrade it to RH for directory if client send RWH caching lease state. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Namjae Jeon
|
2fcb46df34 |
ksmbd: set v2 lease capability
[ Upstream commit 18dd1c367c31d0a060f737d48345747662369b64 ] Set SMB2_GLOBAL_CAP_DIRECTORY_LEASING to ->capabilities to inform server support directory lease to client. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Namjae Jeon
|
3eddc811a7 |
ksmbd: set epoch in create context v2 lease
[ Upstream commit d045850b628aaf931fc776c90feaf824dca5a1cf ] To support v2 lease(directory lease), ksmbd set epoch in create context v2 lease response. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Namjae Jeon
|
52a32eafd0 |
ksmbd: don't update ->op_state as OPLOCK_STATE_NONE on error
[ Upstream commit cd80ce7e68f1624ac29cd0a6b057789d1236641e ] ksmbd set ->op_state as OPLOCK_STATE_NONE on lease break ack error. op_state of lease should not be updated because client can send lease break ack again. This patch fix smb2.lease.breaking2 test failure. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Namjae Jeon
|
0bc46c2370 |
ksmbd: move setting SMB2_FLAGS_ASYNC_COMMAND and AsyncId
[ Upstream commit 9ac45ac7cf65b0623ceeab9b28b307a08efa22dc ] Directly set SMB2_FLAGS_ASYNC_COMMAND flags and AsyncId in smb2 header of interim response instead of current response header. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Namjae Jeon
|
d9aa5c1908 |
ksmbd: release interim response after sending status pending response
[ Upstream commit 2a3f7857ec742e212d6cee7fbbf7b0e2ae7f5161 ] Add missing release async id and delete interim response entry after sending status pending response. This only cause when smb2 lease is enable. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Namjae Jeon
|
013bf453af |
ksmbd: move oplock handling after unlock parent dir
[ Upstream commit 2e450920d58b4991a436c8cecf3484bcacd8e535 ] ksmbd should process secound parallel smb2 create request during waiting oplock break ack. parent lock range that is too large in smb2_open() causes smb2_open() to be serialized. Move the oplock handling to the bottom of smb2_open() and make it called after parent unlock. This fixes the failure of smb2.lease.breaking1 testcase. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Namjae Jeon
|
20dd92c237 |
ksmbd: separately allocate ci per dentry
[ Upstream commit 4274a9dc6aeb9fea66bffba15697a35ae8983b6a ] xfstests generic/002 test fail when enabling smb2 leases feature. This test create hard link file, but removeal failed. ci has a file open count to count file open through the smb client, but in the case of hard link files, The allocation of ci per inode cause incorrectly open count for file deletion. This patch allocate ci per dentry to counts open counts for hard link. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Namjae Jeon
|
d5651972e5 |
ksmbd: fix possible deadlock in smb2_open
[ Upstream commit 864fb5d3716303a045c3ffb397f651bfd37bfb36 ] [ 8743.393379] ====================================================== [ 8743.393385] WARNING: possible circular locking dependency detected [ 8743.393391] 6.4.0-rc1+ #11 Tainted: G OE [ 8743.393397] ------------------------------------------------------ [ 8743.393402] kworker/0:2/12921 is trying to acquire lock: [ 8743.393408] ffff888127a14460 (sb_writers#8){.+.+}-{0:0}, at: ksmbd_vfs_setxattr+0x3d/0xd0 [ksmbd] [ 8743.393510] but task is already holding lock: [ 8743.393515] ffff8880360d97f0 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: ksmbd_vfs_kern_path_locked+0x181/0x670 [ksmbd] [ 8743.393618] which lock already depends on the new lock. [ 8743.393623] the existing dependency chain (in reverse order) is: [ 8743.393628] -> #1 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}: [ 8743.393648] down_write_nested+0x9a/0x1b0 [ 8743.393660] filename_create+0x128/0x270 [ 8743.393670] do_mkdirat+0xab/0x1f0 [ 8743.393680] __x64_sys_mkdir+0x47/0x60 [ 8743.393690] do_syscall_64+0x5d/0x90 [ 8743.393701] entry_SYSCALL_64_after_hwframe+0x72/0xdc [ 8743.393711] -> #0 (sb_writers#8){.+.+}-{0:0}: [ 8743.393728] __lock_acquire+0x2201/0x3b80 [ 8743.393737] lock_acquire+0x18f/0x440 [ 8743.393746] mnt_want_write+0x5f/0x240 [ 8743.393755] ksmbd_vfs_setxattr+0x3d/0xd0 [ksmbd] [ 8743.393839] ksmbd_vfs_set_dos_attrib_xattr+0xcc/0x110 [ksmbd] [ 8743.393924] compat_ksmbd_vfs_set_dos_attrib_xattr+0x39/0x50 [ksmbd] [ 8743.394010] smb2_open+0x3432/0x3cc0 [ksmbd] [ 8743.394099] handle_ksmbd_work+0x2c9/0x7b0 [ksmbd] [ 8743.394187] process_one_work+0x65a/0xb30 [ 8743.394198] worker_thread+0x2cf/0x700 [ 8743.394209] kthread+0x1ad/0x1f0 [ 8743.394218] ret_from_fork+0x29/0x50 This patch add mnt_want_write() above parent inode lock and remove nested mnt_want_write calls in smb2_open(). Fixes: 40b268d384a2 ("ksmbd: add mnt_want_write to ksmbd vfs functions") Cc: stable@vger.kernel.org Reported-by: Marios Makassikis <mmakassikis@freebox.fr> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Zongmin Zhou
|
aabc944ebf |
ksmbd: prevent memory leak on error return
[ Upstream commit 90044481e7cca6cb3125b3906544954a25f1309f ]
When allocated memory for 'new' failed,just return
will cause memory leak of 'ar'.
Fixes: 1819a9042999 ("ksmbd: reorganize ksmbd_iov_pin_rsp()")
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Closes: https://lore.kernel.org/r/202311031837.H3yo7JVl-lkp@intel.com/
Signed-off-by: Zongmin Zhou<zhouzongmin@kylinos.cn>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Namjae Jeon
|
b4a269bb89 |
ksmbd: fix kernel-doc comment of ksmbd_vfs_kern_path_locked()
[ Upstream commit f6049712e520287ad695e9d4f1572ab76807fa0c ] Fix argument list that the kdoc format and script verified in ksmbd_vfs_kern_path_locked(). fs/smb/server/vfs.c:1207: warning: Function parameter or member 'parent_path' not described in 'ksmbd_vfs_kern_path_locked' Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Namjae Jeon
|
699ad8d03c |
ksmbd: no need to wait for binded connection termination at logoff
[ Upstream commit 67797da8a4b82446d42c52b6ee1419a3100d78ff ] The connection could be binded to the existing session for Multichannel. session will be destroyed when binded connections are released. So no need to wait for that's connection at logoff. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Namjae Jeon
|
3cf4455081 |
ksmbd: add support for surrogate pair conversion
[ Upstream commit 0c180317c654a494fe429adbf7bc9b0793caf9e2 ] ksmbd is missing supporting to convert filename included surrogate pair characters. It triggers a "file or folder does not exist" error in Windows client. [Steps to Reproduce for bug] 1. Create surrogate pair file touch $(echo -e '\xf0\x9d\x9f\xa3') touch $(echo -e '\xf0\x9d\x9f\xa4') 2. Try to open these files in ksmbd share through Windows client. This patch update unicode functions not to consider about surrogate pair (and IVS). Reviewed-by: Marios Makassikis <mmakassikis@freebox.fr> Tested-by: Marios Makassikis <mmakassikis@freebox.fr> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Kangjing Huang
|
d26e024a5e |
ksmbd: fix missing RDMA-capable flag for IPoIB device in ksmbd_rdma_capable_netdev()
[ Upstream commit ecce70cf17d91c3dd87a0c4ea00b2d1387729701 ] Physical ib_device does not have an underlying net_device, thus its association with IPoIB net_device cannot be retrieved via ops.get_netdev() or ib_device_get_by_netdev(). ksmbd reads physical ib_device port GUID from the lower 16 bytes of the hardware addresses on IPoIB net_device and match its underlying ib_device using ib_find_gid() Signed-off-by: Kangjing Huang <huangkangjing@gmail.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Reviewed-by: Tom Talpey <tom@talpey.com> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Marios Makassikis
|
5113f72225 |
ksmbd: fix recursive locking in vfs helpers
[ Upstream commit 807252f028c59b9a3bac4d62ad84761548c10f11 ]
Running smb2.rename test from Samba smbtorture suite against a kernel built
with lockdep triggers a "possible recursive locking detected" warning.
This is because mnt_want_write() is called twice with no mnt_drop_write()
in between:
-> ksmbd_vfs_mkdir()
-> ksmbd_vfs_kern_path_create()
-> kern_path_create()
-> filename_create()
-> mnt_want_write()
-> mnt_want_write()
Fix this by removing the mnt_want_write/mnt_drop_write calls from vfs
helpers that call kern_path_create().
Full lockdep trace below:
============================================
WARNING: possible recursive locking detected
6.6.0-rc5 #775 Not tainted
--------------------------------------------
kworker/1:1/32 is trying to acquire lock:
ffff888005ac83f8 (sb_writers#5){.+.+}-{0:0}, at: ksmbd_vfs_mkdir+0xe1/0x410
but task is already holding lock:
ffff888005ac83f8 (sb_writers#5){.+.+}-{0:0}, at: filename_create+0xb6/0x260
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(sb_writers#5);
lock(sb_writers#5);
*** DEADLOCK ***
May be due to missing lock nesting notation
4 locks held by kworker/1:1/32:
#0: ffff8880064e4138 ((wq_completion)ksmbd-io){+.+.}-{0:0}, at: process_one_work+0x40e/0x980
#1: ffff888005b0fdd0 ((work_completion)(&work->work)){+.+.}-{0:0}, at: process_one_work+0x40e/0x980
#2: ffff888005ac83f8 (sb_writers#5){.+.+}-{0:0}, at: filename_create+0xb6/0x260
#3: ffff8880057ce760 (&type->i_mutex_dir_key#3/1){+.+.}-{3:3}, at: filename_create+0x123/0x260
Cc: stable@vger.kernel.org
Fixes: 40b268d384a2 ("ksmbd: add mnt_want_write to ksmbd vfs functions")
Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Namjae Jeon
|
42e56982be |
ksmbd: fix kernel-doc comment of ksmbd_vfs_setxattr()
[ Upstream commit 3354db668808d5b6d7c5e0cb19ff4c9da4bb5e58 ] Fix argument list that the kdoc format and script verified in ksmbd_vfs_setxattr(). fs/smb/server/vfs.c:929: warning: Function parameter or member 'path' not described in 'ksmbd_vfs_setxattr' Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Namjae Jeon
|
533e6dc446 |
ksmbd: reorganize ksmbd_iov_pin_rsp()
[ Upstream commit 1819a904299942b309f687cc0f08b123500aa178 ]
If ksmbd_iov_pin_rsp fail, io vertor should be rollback.
This patch moves memory allocations to before setting the io vector
to avoid rollbacks.
Fixes: e2b76ab8b5c9 ("ksmbd: add support for read compound")
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Cheng-Han Wu
|
1d95c5a541 |
ksmbd: Remove unused field in ksmbd_user struct
[ Upstream commit eacc655e18d1dec9b50660d16a1ddeeb4d6c48f2 ] fs/smb/server/mgmt/user_config.h:21: Remove the unused field 'failed_login_count' from the ksmbd_user struct. Signed-off-by: Cheng-Han Wu <hank20010209@gmail.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Namjae Jeon
|
5929e98f3b |
ksmbd: fix potential double free on smb2_read_pipe() error path
[ Upstream commit 1903e6d0578118e9aab1ee23f4a9de55737d1d05 ]
Fix new smatch warnings:
fs/smb/server/smb2pdu.c:6131 smb2_read_pipe() error: double free of 'rpc_resp'
Fixes: e2b76ab8b5c9 ("ksmbd: add support for read compound")
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Namjae Jeon
|
a7aae713ea |
ksmbd: fix Null pointer dereferences in ksmbd_update_fstate()
[ Upstream commit 414849040fcf11d45025b8ae26c9fd91da1465da ]
Coverity Scan report the following one. This report is a false alarm.
Because fp is never NULL when rc is zero. This patch add null check for fp
in ksmbd_update_fstate to make alarm silence.
*** CID 1568583: Null pointer dereferences (FORWARD_NULL)
/fs/smb/server/smb2pdu.c: 3408 in smb2_open()
3402 path_put(&path);
3403 path_put(&parent_path);
3404 }
3405 ksmbd_revert_fsids(work);
3406 err_out1:
3407 if (!rc) {
>>> CID 1568583: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "fp" to "ksmbd_update_fstate", which dereferences it.
3408 ksmbd_update_fstate(&work->sess->file_table, fp, FP_INITED);
3409 rc = ksmbd_iov_pin_rsp(work, (void *)rsp, iov_len);
3410 }
3411 if (rc) {
3412 if (rc == -EINVAL)
3413 rsp->hdr.Status = STATUS_INVALID_PARAMETER;
Fixes: e2b76ab8b5c9 ("ksmbd: add support for read compound")
Reported-by: Coverity Scan <scan-admin@coverity.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Namjae Jeon
|
943cebf9ea |
ksmbd: fix wrong error response status by using set_smb2_rsp_status()
[ Upstream commit be0f89d4419dc5413a1cf06db3671c9949be0d52 ]
set_smb2_rsp_status() after __process_request() sets the wrong error
status. This patch resets all iov vectors and sets the error status
on clean one.
Fixes: e2b76ab8b5c9 ("ksmbd: add support for read compound")
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Namjae Jeon
|
7b58ee8d0b |
ksmbd: fix race condition between tree conn lookup and disconnect
[ Upstream commit 33b235a6e6ebe0f05f3586a71e8d281d00f71e2e ]
if thread A in smb2_write is using work-tcon, other thread B use
smb2_tree_disconnect free the tcon, then thread A will use free'd tcon.
Time
+
Thread A | Thread A
smb2_write | smb2_tree_disconnect
|
|
| kfree(tree_conn)
|
// UAF! |
work->tcon->share_conf |
+
This patch add state, reference count and lock for tree conn to fix race
condition issue.
Reported-by: luosili <rootlab@huawei.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Namjae Jeon
|
0090f0bfc2 |
ksmbd: fix race condition from parallel smb2 lock requests
[ Upstream commit 75ac9a3dd65f7eab4d12b0a0f744234b5300a491 ]
There is a race condition issue between parallel smb2 lock request.
Time
+
Thread A | Thread A
smb2_lock | smb2_lock
|
insert smb_lock to lock_list |
spin_unlock(&work->conn->llist_lock) |
|
| spin_lock(&conn->llist_lock);
| kfree(cmp_lock);
|
// UAF! |
list_add(&smb_lock->llist, &rollback_list) +
This patch swaps the line for adding the smb lock to the rollback list and
adding the lock list of connection to fix the race issue.
Reported-by: luosili <rootlab@huawei.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Namjae Jeon
|
6584ca894f |
ksmbd: fix race condition from parallel smb2 logoff requests
[ Upstream commit 7ca9da7d873ee8024e9548d3366101c2b6843eab ] If parallel smb2 logoff requests come in before closing door, running request count becomes more than 1 even though connection status is set to KSMBD_SESS_NEED_RECONNECT. It can't get condition true, and sleep forever. This patch fix race condition problem by returning error if connection status was already set to KSMBD_SESS_NEED_RECONNECT. Reported-by: luosili <rootlab@huawei.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Namjae Jeon
|
b3a843caed |
ksmbd: fix race condition with fp
[ Upstream commit 5a7ee91d1154f35418367a6eaae74046fd06ed89 ]
fp can used in each command. If smb2_close command is coming at the
same time, UAF issue can happen by race condition.
Time
+
Thread A | Thread B1 B2 .... B5
smb2_open | smb2_close
|
__open_id |
insert fp to file_table |
|
| atomic_dec_and_test(&fp->refcount)
| if fp->refcount == 0, free fp by kfree.
// UAF! |
use fp |
+
This patch add f_state not to use freed fp is used and not to free fp in
use.
Reported-by: luosili <rootlab@huawei.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Namjae Jeon
|
7345f5dbf6 |
ksmbd: check iov vector index in ksmbd_conn_write()
[ Upstream commit 73f949ea87c7d697210653501ca21efe57295327 ] If ->iov_idx is zero, This means that the iov vector for the response was not added during the request process. In other words, it means that there is a problem in generating a response, So this patch return as an error to avoid NULL pointer dereferencing problem. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Namjae Jeon
|
8beae8a0a0 |
ksmbd: return invalid parameter error response if smb2 request is invalid
[ Upstream commit f2f11fca5d7112e2f91c4854cddd68a059fdaa4a ] If smb2 request from client is invalid, The following kernel oops could happen. The patch e2b76ab8b5c9: "ksmbd: add support for read compound" leads this issue. When request is invalid, It doesn't set anything in the response buffer. This patch add missing set invalid parameter error response. [ 673.085542] ksmbd: cli req too short, len 184 not 142. cmd:5 mid:109 [ 673.085580] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 673.085591] #PF: supervisor read access in kernel mode [ 673.085600] #PF: error_code(0x0000) - not-present page [ 673.085608] PGD 0 P4D 0 [ 673.085620] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 673.085631] CPU: 3 PID: 1039 Comm: kworker/3:0 Not tainted 6.6.0-rc2-tmt #16 [ 673.085643] Hardware name: AZW U59/U59, BIOS JTKT001 05/05/2022 [ 673.085651] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd] [ 673.085719] RIP: 0010:ksmbd_conn_write+0x68/0xc0 [ksmbd] [ 673.085808] RAX: 0000000000000000 RBX: ffff88811ade4f00 RCX: 0000000000000000 [ 673.085817] RDX: 0000000000000000 RSI: ffff88810c2a9780 RDI: ffff88810c2a9ac0 [ 673.085826] RBP: ffffc900005e3e00 R08: 0000000000000000 R09: 0000000000000000 [ 673.085834] R10: ffffffffa3168160 R11: 63203a64626d736b R12: ffff8881057c8800 [ 673.085842] R13: ffff8881057c8820 R14: ffff8882781b2380 R15: ffff8881057c8800 [ 673.085852] FS: 0000000000000000(0000) GS:ffff888278180000(0000) knlGS:0000000000000000 [ 673.085864] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 673.085872] CR2: 0000000000000000 CR3: 000000015b63c000 CR4: 0000000000350ee0 [ 673.085883] Call Trace: [ 673.085890] <TASK> [ 673.085900] ? show_regs+0x6a/0x80 [ 673.085916] ? __die+0x25/0x70 [ 673.085926] ? page_fault_oops+0x154/0x4b0 [ 673.085938] ? tick_nohz_tick_stopped+0x18/0x50 [ 673.085954] ? __irq_work_queue_local+0xba/0x140 [ 673.085967] ? do_user_addr_fault+0x30f/0x6c0 [ 673.085979] ? exc_page_fault+0x79/0x180 [ 673.085992] ? asm_exc_page_fault+0x27/0x30 [ 673.086009] ? ksmbd_conn_write+0x68/0xc0 [ksmbd] [ 673.086067] ? ksmbd_conn_write+0x46/0xc0 [ksmbd] [ 673.086123] handle_ksmbd_work+0x28d/0x4b0 [ksmbd] [ 673.086177] process_one_work+0x178/0x350 [ 673.086193] ? __pfx_worker_thread+0x10/0x10 [ 673.086202] worker_thread+0x2f3/0x420 [ 673.086210] ? _raw_spin_unlock_irqrestore+0x27/0x50 [ 673.086222] ? __pfx_worker_thread+0x10/0x10 [ 673.086230] kthread+0x103/0x140 [ 673.086242] ? __pfx_kthread+0x10/0x10 [ 673.086253] ret_from_fork+0x39/0x60 [ 673.086263] ? __pfx_kthread+0x10/0x10 [ 673.086274] ret_from_fork_asm+0x1b/0x30 Fixes: e2b76ab8b5c9 ("ksmbd: add support for read compound") Reported-by: Tom Talpey <tom@talpey.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Namjae Jeon
|
e523a26c05 |
ksmbd: fix passing freed memory 'aux_payload_buf'
[ Upstream commit 59d8d24f4610333560cf2e8fe3f44cafe30322eb ]
The patch e2b76ab8b5c9: "ksmbd: add support for read compound" leads
to the following Smatch static checker warning:
fs/smb/server/smb2pdu.c:6329 smb2_read()
warn: passing freed memory 'aux_payload_buf'
It doesn't matter that we're passing a freed variable because nbytes is
zero. This patch set "aux_payload_buf = NULL" to make smatch silence.
Fixes: e2b76ab8b5c9 ("ksmbd: add support for read compound")
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Namjae Jeon
|
b4b3fd1a95 |
ksmbd: remove unneeded mark_inode_dirty in set_info_sec()
[ Upstream commit e4e14095cc68a2efefba6f77d95efe1137e751d4 ] mark_inode_dirty will be called in notify_change(). This patch remove unneeded mark_inode_dirty in set_info_sec(). Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Steve French
|
1ee419e08f |
ksmbd: remove experimental warning
[ Upstream commit f5069159f32c8c943e047f22731317463c8e9b84 ] ksmbd has made significant improvements over the past two years and is regularly tested and used. Remove the experimental warning. Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Namjae Jeon
|
83b01f7330 |
ksmbd: add missing calling smb2_set_err_rsp() on error
[ Upstream commit 0e2378eaa2b3a663726cf740d4aaa8a801e2cb31 ] If some error happen on smb2_sess_setup(), Need to call smb2_set_err_rsp() to set error response. This patch add missing calling smb2_set_err_rsp() on error. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Yang Li
|
422c0cd016 |
ksmbd: Fix one kernel-doc comment
[ Upstream commit bf26f1b4e0918f017775edfeacf6d867204b680b ] Fix one kernel-doc comment to silence the warning: fs/smb/server/smb2pdu.c:4160: warning: Excess function parameter 'infoclass_size' description in 'buffer_check_err' Signed-off-by: Yang Li <yang.lee@linux.alibaba.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Atte Heikkilä
|
c20105a897 |
ksmbd: fix force create mode' and force directory mode'
[ Upstream commit 65656f5242e500dcfeffa6a0a1519eae14724f86 ] `force create mode' and `force directory mode' should be bitwise ORed with the perms after `create mask' and `directory mask' have been applied, respectively. Signed-off-by: Atte Heikkilä <atteh.mailbox@gmail.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Namjae Jeon
|
f8cf1ebb7d |
ksmbd: fix wrong interim response on compound
[ Upstream commit 041bba4414cda37d00063952c9bff9c3d5812a19 ] If smb2_lock or smb2_open request is compound, ksmbd could send wrong interim response to client. ksmbd allocate new interim buffer instead of using resonse buffer to support compound request. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Namjae Jeon
|
9f297df20d |
ksmbd: add support for read compound
[ Upstream commit e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d ] MacOS sends a compound request including read to the server (e.g. open-read-close). So far, ksmbd has not handled read as a compound request. For compatibility between ksmbd and an OS that supports SMB, This patch provides compound support for read requests. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Yang Yingliang
|
673e60c691 |
ksmbd: switch to use kmemdup_nul() helper
[ Upstream commit 084ba46fc41c21ba827fd92e61f78def7a6e52ea ] Use kmemdup_nul() helper instead of open-coding to simplify the code. Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Namjae Jeon
|
0a9b91f45e |
ksmbd: check if a mount point is crossed during path lookup
[ Upstream commit 2b57a4322b1b14348940744fdc02f9a86cbbdbeb ]
Since commit 74d7970febf7 ("ksmbd: fix racy issue from using ->d_parent and
->d_name"), ksmbd can not lookup cross mount points. If last component is
a cross mount point during path lookup, check if it is crossed to follow it
down. And allow path lookup to cross a mount point when a crossmnt
parameter is set to 'yes' in smb.conf.
Cc: stable@vger.kernel.org
Fixes: 74d7970febf7 ("ksmbd: fix racy issue from using ->d_parent and ->d_name")
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Wang Ming
|
d782f42eed |
ksmbd: Fix unsigned expression compared with zero
[ Upstream commit 0266a2f791294e0b4ba36f4a1d89b8615ea3cac0 ] The return value of the ksmbd_vfs_getcasexattr() is signed. However, the return value is being assigned to an unsigned variable and subsequently recasted, causing warnings. Use a signed type. Signed-off-by: Wang Ming <machel@vivo.com> Acked-by: Tom Talpey <tom@talpey.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Gustavo A. R. Silva
|
48cc493840 |
ksmbd: Replace one-element array with flexible-array member
[ Upstream commit 11d5e2061e973a8d4ff2b95a114b4b8ef8652633 ] One-element arrays are deprecated, and we are replacing them with flexible array members instead. So, replace one-element array with flexible-array member in struct smb_negotiate_req. This results in no differences in binary output. Link: https://github.com/KSPP/linux/issues/79 Link: https://github.com/KSPP/linux/issues/317 Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> Reviewed-by: Kees Cook <keescook@chromium.org> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Gustavo A. R. Silva
|
63fbfd212c |
ksmbd: Use struct_size() helper in ksmbd_negotiate_smb_dialect()
[ Upstream commit 5211cc8727ed9701b04976ab47602955e5641bda ] Prefer struct_size() over open-coded versions. Link: https://github.com/KSPP/linux/issues/160 Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> Reviewed-by: Kees Cook <keescook@chromium.org> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Lu Hongfei
|
e7ab53bd81 |
ksmbd: Replace the ternary conditional operator with min()
[ Upstream commit f65fadb0422537d73f9a6472861852dc2f7a6a5b ] It would be better to replace the traditional ternary conditional operator with min() in compare_sids. Signed-off-by: Lu Hongfei <luhongfei@vivo.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Namjae Jeon
|
143da652ce |
ksmbd: use kvzalloc instead of kvmalloc
[ Upstream commit 81a94b27847f7d2e499415db14dd9dc7c22b19b0 ] Use kvzalloc instead of kvmalloc. Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Lu Hongfei
|
de43cdaa88 |
ksmbd: Change the return value of ksmbd_vfs_query_maximal_access to void
[ Upstream commit ccb5889af97c03c67a83fcd649602034578c0d61 ] The return value of ksmbd_vfs_query_maximal_access is meaningless, it is better to modify it to void. Signed-off-by: Lu Hongfei <luhongfei@vivo.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Namjae Jeon
|
deb79f20be |
ksmbd: return a literal instead of 'err' in ksmbd_vfs_kern_path_locked()
[ Upstream commit cf5e7f734f445588a30350591360bca2f6bf016f ] Return a literal instead of 'err' in ksmbd_vfs_kern_path_locked(). Reported-by: Dan Carpenter <dan.carpenter@linaro.org> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Namjae Jeon
|
fe7977b872 |
ksmbd: use kzalloc() instead of __GFP_ZERO
[ Upstream commit f87d4f85f43f0d4b12ef64b015478d8053e1a33e ] Use kzalloc() instead of __GFP_ZERO. Reported-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Namjae Jeon
|
294a275f37 |
ksmbd: remove unused ksmbd_tree_conn_share function
[ Upstream commit 7bd9f0876fdef00f4e155be35e6b304981a53f80 ] Remove unused ksmbd_tree_conn_share function. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Namjae Jeon
|
b069977b2b |
ksmbd: add mnt_want_write to ksmbd vfs functions
[ Upstream commit 40b268d384a22276dca1450549f53eed60e21deb ] ksmbd is doing write access using vfs helpers. There are the cases that mnt_want_write() is not called in vfs helper. This patch add missing mnt_want_write() to ksmbd vfs functions. Cc: stable@vger.kernel.org Cc: Amir Goldstein <amir73il@gmail.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Namjae Jeon
|
13a5045011 |
ksmbd: fix posix_acls and acls dereferencing possible ERR_PTR()
[ Upstream commit 25933573ef48f3586f559c2cac6c436c62dcf63f ]
Dan reported the following error message:
fs/smb/server/smbacl.c:1296 smb_check_perm_dacl()
error: 'posix_acls' dereferencing possible ERR_PTR()
fs/smb/server/vfs.c:1323 ksmbd_vfs_make_xattr_posix_acl()
error: 'posix_acls' dereferencing possible ERR_PTR()
fs/smb/server/vfs.c:1830 ksmbd_vfs_inherit_posix_acl()
error: 'acls' dereferencing possible ERR_PTR()
__get_acl() returns a mix of error pointers and NULL. This change it
with IS_ERR_OR_NULL().
Fixes:
|
||
|
Namjae Jeon
|
1524884c3e |
ksmbd: call putname after using the last component
[ Upstream commit 6fe55c2799bc29624770c26f98ba7b06214f43e0 ]
last component point filename struct. Currently putname is called after
vfs_path_parent_lookup(). And then last component is used for
lookup_one_qstr_excl(). name in last component is freed by previous
calling putname(). And It cause file lookup failure when testing
generic/464 test of xfstest.
Fixes: 74d7970febf7 ("ksmbd: fix racy issue from using ->d_parent and ->d_name")
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Namjae Jeon
|
30a1344198 |
ksmbd: fix uninitialized pointer read in smb2_create_link()
[ Upstream commit df14afeed2e6c1bbadef7d2f9c46887bbd6d8d94 ]
There is a case that file_present is true and path is uninitialized.
This patch change file_present is set to false by default and set to
true when patch is initialized.
Fixes: 74d7970febf7 ("ksmbd: fix racy issue from using ->d_parent and ->d_name")
Reported-by: Coverity Scan <scan-admin@coverity.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Namjae Jeon
|
6d4e21e369 |
ksmbd: fix uninitialized pointer read in ksmbd_vfs_rename()
[ Upstream commit 48b47f0caaa8a9f05ed803cb4f335fa3a7bfc622 ]
Uninitialized rd.delegated_inode can be used in vfs_rename().
Fix this by setting rd.delegated_inode to NULL to avoid the uninitialized
read.
Fixes: 74d7970febf7 ("ksmbd: fix racy issue from using ->d_parent and ->d_name")
Reported-by: Coverity Scan <scan-admin@coverity.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Namjae Jeon
|
6927ffe747 |
ksmbd: fix racy issue from using ->d_parent and ->d_name
[ Upstream commit 74d7970febf7e9005375aeda0df821d2edffc9f7 ] Al pointed out that ksmbd has racy issue from using ->d_parent and ->d_name in ksmbd_vfs_unlink and smb2_vfs_rename(). and use new lock_rename_child() to lock stable parent while underlying rename racy. Introduce vfs_path_parent_lookup helper to avoid out of share access and export vfs functions like the following ones to use vfs_path_parent_lookup(). - rename __lookup_hash() to lookup_one_qstr_excl(). - export lookup_one_qstr_excl(). - export getname_kernel() and putname(). vfs_path_parent_lookup() is used for parent lookup of destination file using absolute pathname given from FILE_RENAME_INFORMATION request. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Al Viro
|
6e99fbb429 |
fs: introduce lock_rename_child() helper
[ Upstream commit 9bc37e04823b5280dd0f22b6680fc23fe81ca325 ] Pass the dentry of a source file and the dentry of a destination directory to lock parent inodes for rename. As soon as this function returns, ->d_parent of the source file dentry is stable and inodes are properly locked for calling vfs-rename. This helper is needed for ksmbd server. rename request of SMB protocol has to rename an opened file, no matter which directory it's in. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
David Disseldorp
|
965eb86507 |
ksmbd: remove unused compression negotiate ctx packing
[ Upstream commit af36c51e0e111de4e908328d49cba49de758f66e ] build_compression_ctxt() is currently unreachable due to conn.compress_algorithm remaining zero (SMB3_COMPRESS_NONE). It appears to have been broken in a couple of subtle ways over the years: - prior to |
||
|
David Disseldorp
|
49d9f6ad1e |
ksmbd: avoid duplicate negotiate ctx offset increments
[ Upstream commit a12a07a85aff72e19520328f78b1c64d2281a1ec ] Both pneg_ctxt and ctxt_size change in unison, with each adding the length of the previously added context, rounded up to an eight byte boundary. Drop pneg_ctxt increments and instead use the ctxt_size offset when passing output pointers to per-context helper functions. This slightly simplifies offset tracking and shaves off a few text bytes. Before (x86-64 gcc 7.5): text data bss dec hex filename 213234 8677 672 222583 36577 ksmbd.ko After: text data bss dec hex filename 213218 8677 672 222567 36567 ksmbd.ko Signed-off-by: David Disseldorp <ddiss@suse.de> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
David Disseldorp
|
2182d96ec0 |
ksmbd: set NegotiateContextCount once instead of every inc
[ Upstream commit 34e8ccf9ce24b6b2e275bbe35cd392e18fbbd369 ] There are no early returns, so marshalling the incremented NegotiateContextCount with every context is unnecessary. Signed-off-by: David Disseldorp <ddiss@suse.de> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Namjae Jeon
|
8d271ef5e5 |
ksmbd: delete asynchronous work from list
[ Upstream commit 3a9b557f44ea8f216aab515a7db20e23f0eb51b9 ] When smb2_lock request is canceled by smb2_cancel or smb2_close(), ksmbd is missing deleting async_request_entry async_requests list. Because calling init_smb2_rsp_hdr() in smb2_lock() mark ->synchronous as true and then it will not be deleted in ksmbd_conn_try_dequeue_request(). This patch add release_async_work() to release the ones allocated for async work. Cc: stable@vger.kernel.org Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Tom Rix
|
4ef3fd2f85 |
ksmbd: remove unused is_char_allowed function
[ Upstream commit 2824861773eb512b37547516d81ef78108032cb2 ]
clang with W=1 reports
fs/ksmbd/unicode.c:122:19: error: unused function
'is_char_allowed' [-Werror,-Wunused-function]
static inline int is_char_allowed(char *ch)
^
This function is not used so remove it.
Signed-off-by: Tom Rix <trix@redhat.com>
Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Jiapeng Chong
|
226aaaa593 |
ksmbd: Fix parameter name and comment mismatch
[ Upstream commit 63f09a9986eb58578ed6ad0e27a6e2c54e49f797 ] fs/ksmbd/vfs.c:965: warning: Function parameter or member 'attr_value' not described in 'ksmbd_vfs_setxattr'. Reported-by: Abaci Robot <abaci@linux.alibaba.com> Link: https://bugzilla.openanolis.cn/show_bug.cgi?id=3946 Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Colin Ian King
|
e8c49f9364 |
ksmbd: Fix spelling mistake "excceed" -> "exceeded"
[ Upstream commit 7a17c61ee3b2683c40090179c273f4701fca9677 ] There is a spelling mistake in an error message. Fix it. Signed-off-by: Colin Ian King <colin.i.king@gmail.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Steve French
|
ada8bcc48a |
ksmbd: update Kconfig to note Kerberos support and fix indentation
[ Upstream commit d280a958f8b2b62610c280ecdf35d780e7922620 ] Fix indentation of server config options, and also since support for very old, less secure, NTLM authentication was removed (and quite a while ago), remove the mention of that in Kconfig, but do note Kerberos (not just NTLMv2) which are supported and much more secure. Acked-by: Namjae Jeon <linkinjeon@kernel.org> Acked-by: David Howells <dhowells@redhat.com> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Dawei Li
|
5c0306b0ab |
ksmbd: Remove duplicated codes
[ Upstream commit 7010357004096e54c884813e702d71147dc081f8 ] ksmbd_neg_token_init_mech_token() and ksmbd_neg_token_targ_resp_token() share same implementation, unify them. Signed-off-by: Dawei Li <set_pte_at@outlook.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Dawei Li
|
b6502c34cf |
ksmbd: fix typo, syncronous->synchronous
[ Upstream commit f8d6e7442aa716a233c7eba99dec628f8885e00b ] syncronous->synchronous Signed-off-by: Dawei Li <set_pte_at@outlook.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Dawei Li
|
052b41ef2a |
ksmbd: Implements sess->rpc_handle_list as xarray
[ Upstream commit b685757c7b08d5073046fb379be965fd6c06aafc ] For some ops on rpc handle: 1. ksmbd_session_rpc_method(), possibly on high frequency. 2. ksmbd_session_rpc_close(). id is used as indexing key to lookup channel, in that case, linear search based on list may suffer a bit for performance. Implements sess->rpc_handle_list as xarray. Signed-off-by: Dawei Li <set_pte_at@outlook.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
ye xingchen
|
264547e13f |
ksmbd: Convert to use sysfs_emit()/sysfs_emit_at() APIs
[ Upstream commit 72ee45fd46d0d3578c4e6046f66fae3218543ce3 ] Follow the advice of the Documentation/filesystems/sysfs.rst and show() should only use sysfs_emit() or sysfs_emit_at() when formatting the value to be returned to user space. Signed-off-by: ye xingchen <ye.xingchen@zte.com.cn> Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Marios Makassikis
|
87ffbb9e24 |
ksmbd: Fix resource leak in smb2_lock()
[ Upstream commit 01f6c61bae3d658058ee6322af77acea26a5ee3a ] "flock" is leaked if an error happens before smb2_lock_init(), as the lock is not added to the lock_list to be cleaned up. Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Jeff Layton
|
d847b75883 |
ksmbd: use F_SETLK when unlocking a file
[ Upstream commit 7ecbe92696bb7fe32c80b6cf64736a0d157717a9 ] ksmbd seems to be trying to use a cmd value of 0 when unlocking a file. That activity requires a type of F_UNLCK with a cmd of F_SETLK. For local POSIX locking, it doesn't matter much since vfs_lock_file ignores @cmd, but filesystems that define their own ->lock operation expect to see it set sanely. Cc: David Howells <dhowells@redhat.com> Signed-off-by: Jeff Layton <jlayton@kernel.org> Reviewed-by: David Howells <dhowells@redhat.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Namjae Jeon
|
343d667dee |
ksmbd: set SMB2_SESSION_FLAG_ENCRYPT_DATA when enforcing data encryption for this share
[ Upstream commit 37ba7b005a7a4454046bd8659c7a9c5330552396 ] Currently, SMB2_SESSION_FLAG_ENCRYPT_DATA is always set session setup response. Since this forces data encryption from the client, there is a problem that data is always encrypted regardless of the use of the cifs seal mount option. SMB2_SESSION_FLAG_ENCRYPT_DATA should be set according to KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION flags, and in case of KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION_OFF, encryption mode is turned off for all connections. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Gustavo A. R. Silva
|
ab69d3e8f7 |
ksmbd: replace one-element arrays with flexible-array members
[ Upstream commit d272e01fa0a2f15c5c331a37cd99c6875c7b7186 ] One-element arrays are deprecated, and we are replacing them with flexible array members instead. So, replace one-element arrays with flexible-array members in multiple structs in fs/ksmbd/smb_common.h and one in fs/ksmbd/smb2pdu.h. Important to mention is that doing a build before/after this patch results in no binary output differences. This helps with the ongoing efforts to tighten the FORTIFY_SOURCE routines on memcpy() and help us make progress towards globally enabling -fstrict-flex-arrays=3 [1]. Link: https://github.com/KSPP/linux/issues/242 Link: https://github.com/KSPP/linux/issues/79 Link: https://gcc.gnu.org/pipermail/gcc-patches/2022-October/602902.html [1] Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/Y3OxronfaPYv9qGP@work Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Greg Kroah-Hartman
|
c9b484c69d |
This is the 6.1.68 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmV57F0ACgkQONu9yGCS
aT5Ihg//f5xvyjEEbZyE7tFaBBgx8ceQCtteRyi+Jw3Hy65/9neETij0t97IhG37
I89TIAddzNIl51ifl8UYZMWI780HbnW1YdbVLMElbngbmT5rHzIsGpAVCC+SDmMK
NPWXrqWIw6yTVSbTwqKIqOLlEiLxGjdWnPxjoMXBVyje+EcmANBe+fe9qkLq98XC
ZgzrRZyriS8QLMMscy/GmdxIyC32nxebdHDwwE6qgYM8GWNfqLLektX798VGFhra
ByR9bvsJ0PD5m9siCGcx37lVusJDLMjJp4FtMIFTrH63i0sMQm7HKiggJmbCm4lH
Sgbo4iwvSVa2xf1glPJagE9tiah5b0feLqgrQf/ONO2PdCjcERN47472IcQgRvQ+
SDYKScZBSp1/Jd063dHiK/u79uxEBFEdisAkPG2MstjCySEDuhvDrV5R0iKDpQBP
y2FXb4RArqZFrGwS4Zfxx/EQnj3MYJ11a4AE5I0yUGIj7vrFdddayBDBVdwhog84
QhHPH0F/eC/zSMATYSQSCZTTSZ2UoR8NODXyOryoH5tmXlgxXWKq1oFi5nUnysoP
SkGDT0dg+kbReQNA+eyj5qTS4lzincIyP2B4Ple9d75zpx1UENlqVm1xvWLccyFt
3eV/XNRg8dAapsbqvEtW+iev6izutWgcG6p1hToObnbg5uHy6fI=
=+iTJ
-----END PGP SIGNATURE-----
Merge 6.1.68 into android14-6.1-lts
Changes in 6.1.68
vdpa/mlx5: preserve CVQ vringh index
hrtimers: Push pending hrtimers away from outgoing CPU earlier
i2c: designware: Fix corrupted memory seen in the ISR
netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test
zstd: Fix array-index-out-of-bounds UBSAN warning
tg3: Move the [rt]x_dropped counters to tg3_napi
tg3: Increment tx_dropped in tg3_tso_bug()
kconfig: fix memory leak from range properties
drm/amdgpu: correct chunk_ptr to a pointer to chunk.
x86: Introduce ia32_enabled()
x86/coco: Disable 32-bit emulation by default on TDX and SEV
x86/entry: Convert INT 0x80 emulation to IDTENTRY
x86/entry: Do not allow external 0x80 interrupts
x86/tdx: Allow 32-bit emulation by default
dt: dt-extract-compatibles: Handle cfile arguments in generator function
dt: dt-extract-compatibles: Don't follow symlinks when walking tree
platform/x86: asus-wmi: Move i8042 filter install to shared asus-wmi code
of: dynamic: Fix of_reconfig_get_state_change() return value documentation
platform/x86: wmi: Skip blocks with zero instances
ipv6: fix potential NULL deref in fib6_add()
octeontx2-pf: Add missing mutex lock in otx2_get_pauseparam
octeontx2-af: Check return value of nix_get_nixlf before using nixlf
hv_netvsc: rndis_filter needs to select NLS
r8152: Rename RTL8152_UNPLUG to RTL8152_INACCESSIBLE
r8152: Add RTL8152_INACCESSIBLE checks to more loops
r8152: Add RTL8152_INACCESSIBLE to r8156b_wait_loading_flash()
r8152: Add RTL8152_INACCESSIBLE to r8153_pre_firmware_1()
r8152: Add RTL8152_INACCESSIBLE to r8153_aldps_en()
mlxbf-bootctl: correctly identify secure boot with development keys
platform/mellanox: Add null pointer checks for devm_kasprintf()
platform/mellanox: Check devm_hwmon_device_register_with_groups() return value
arcnet: restoring support for multiple Sohard Arcnet cards
octeontx2-pf: consider both Rx and Tx packet stats for adaptive interrupt coalescing
net: stmmac: fix FPE events losing
xsk: Skip polling event check for unbound socket
octeontx2-af: fix a use-after-free in rvu_npa_register_reporters
i40e: Fix unexpected MFS warning message
iavf: validate tx_coalesce_usecs even if rx_coalesce_usecs is zero
net: bnxt: fix a potential use-after-free in bnxt_init_tc
tcp: fix mid stream window clamp.
ionic: fix snprintf format length warning
ionic: Fix dim work handling in split interrupt mode
ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit()
net: atlantic: Fix NULL dereference of skb pointer in
net: hns: fix wrong head when modify the tx feature when sending packets
net: hns: fix fake link up on xge port
octeontx2-af: Adjust Tx credits when MCS external bypass is disabled
octeontx2-af: Fix mcs sa cam entries size
octeontx2-af: Fix mcs stats register address
octeontx2-af: Add missing mcs flr handler call
octeontx2-af: Update Tx link register range
dt-bindings: interrupt-controller: Allow #power-domain-cells
netfilter: nft_exthdr: add boolean DCCP option matching
netfilter: nf_tables: fix 'exist' matching on bigendian arches
netfilter: nf_tables: bail out on mismatching dynset and set expressions
netfilter: nf_tables: validate family when identifying table via handle
netfilter: xt_owner: Fix for unsafe access of sk->sk_socket
tcp: do not accept ACK of bytes we never sent
bpf: sockmap, updating the sg structure should also update curr
psample: Require 'CAP_NET_ADMIN' when joining "packets" group
drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group
mm/damon/sysfs: eliminate potential uninitialized variable warning
tee: optee: Fix supplicant based device enumeration
RDMA/hns: Fix unnecessary err return when using invalid congest control algorithm
RDMA/irdma: Do not modify to SQD on error
RDMA/irdma: Add wait for suspend on SQD
arm64: dts: rockchip: Expand reg size of vdec node for RK3328
arm64: dts: rockchip: Expand reg size of vdec node for RK3399
ASoC: fsl_sai: Fix no frame sync clock issue on i.MX8MP
RDMA/rtrs-srv: Do not unconditionally enable irq
RDMA/rtrs-clt: Start hb after path_up
RDMA/rtrs-srv: Check return values while processing info request
RDMA/rtrs-srv: Free srv_mr iu only when always_invalidate is true
RDMA/rtrs-srv: Destroy path files after making sure no IOs in-flight
RDMA/rtrs-clt: Fix the max_send_wr setting
RDMA/rtrs-clt: Remove the warnings for req in_use check
RDMA/bnxt_re: Correct module description string
RDMA/irdma: Refactor error handling in create CQP
RDMA/irdma: Fix UAF in irdma_sc_ccq_get_cqe_info()
hwmon: (acpi_power_meter) Fix 4.29 MW bug
ASoC: codecs: lpass-tx-macro: set active_decimator correct default value
hwmon: (nzxt-kraken2) Fix error handling path in kraken2_probe()
ASoC: wm_adsp: fix memleak in wm_adsp_buffer_populate
RDMA/core: Fix umem iterator when PAGE_SIZE is greater then HCA pgsz
RDMA/irdma: Avoid free the non-cqp_request scratch
drm/bridge: tc358768: select CONFIG_VIDEOMODE_HELPERS
arm64: dts: imx8mq: drop usb3-resume-missing-cas from usb
arm64: dts: imx8mp: imx8mq: Add parkmode-disable-ss-quirk on DWC3
ARM: dts: imx6ul-pico: Describe the Ethernet PHY clock
tracing: Fix a warning when allocating buffered events fails
scsi: be2iscsi: Fix a memleak in beiscsi_init_wrb_handle()
ARM: imx: Check return value of devm_kasprintf in imx_mmdc_perf_init
ARM: dts: imx7: Declare timers compatible with fsl,imx6dl-gpt
ARM: dts: imx28-xea: Pass the 'model' property
riscv: fix misaligned access handling of C.SWSP and C.SDSP
md: introduce md_ro_state
md: don't leave 'MD_RECOVERY_FROZEN' in error path of md_set_readonly()
iommu: Avoid more races around device probe
rethook: Use __rcu pointer for rethook::handler
kprobes: consistent rcu api usage for kretprobe holder
ASoC: amd: yc: Fix non-functional mic on ASUS E1504FA
io_uring/af_unix: disable sending io_uring over sockets
nvme-pci: Add sleep quirk for Kingston drives
io_uring: fix mutex_unlock with unreferenced ctx
ALSA: usb-audio: Add Pioneer DJM-450 mixer controls
ALSA: pcm: fix out-of-bounds in snd_pcm_state_names
ALSA: hda/realtek: Enable headset on Lenovo M90 Gen5
ALSA: hda/realtek: add new Framework laptop to quirks
ALSA: hda/realtek: Add Framework laptop 16 to quirks
ring-buffer: Test last update in 32bit version of __rb_time_read()
nilfs2: fix missing error check for sb_set_blocksize call
nilfs2: prevent WARNING in nilfs_sufile_set_segment_usage()
cgroup_freezer: cgroup_freezing: Check if not frozen
checkstack: fix printed address
tracing: Always update snapshot buffer size
tracing: Disable snapshot buffer when stopping instance tracers
tracing: Fix incomplete locking when disabling buffered events
tracing: Fix a possible race when disabling buffered events
packet: Move reference count in packet_sock to atomic_long_t
r8169: fix rtl8125b PAUSE frames blasting when suspended
regmap: fix bogus error on regcache_sync success
platform/surface: aggregator: fix recv_buf() return value
hugetlb: fix null-ptr-deref in hugetlb_vma_lock_write
mm: fix oops when filemap_map_pmd() without prealloc_pte
powercap: DTPM: Fix missing cpufreq_cpu_put() calls
md/raid6: use valid sector values to determine if an I/O should wait on the reshape
arm64: dts: mediatek: mt7622: fix memory node warning check
arm64: dts: mediatek: mt8183-kukui-jacuzzi: fix dsi unnecessary cells properties
arm64: dts: mediatek: cherry: Fix interrupt cells for MT6360 on I2C7
arm64: dts: mediatek: mt8173-evb: Fix regulator-fixed node names
arm64: dts: mediatek: mt8195: Fix PM suspend/resume with venc clocks
arm64: dts: mediatek: mt8183: Fix unit address for scp reserved memory
arm64: dts: mediatek: mt8183: Move thermal-zones to the root node
arm64: dts: mediatek: mt8183-evb: Fix unit_address_vs_reg warning on ntc
binder: fix memory leaks of spam and pending work
coresight: etm4x: Make etm4_remove_dev() return void
coresight: etm4x: Remove bogous __exit annotation for some functions
hwtracing: hisi_ptt: Add dummy callback pmu::read()
misc: mei: client.c: return negative error code in mei_cl_write
misc: mei: client.c: fix problem of return '-EOVERFLOW' in mei_cl_write
LoongArch: BPF: Don't sign extend memory load operand
LoongArch: BPF: Don't sign extend function return value
ring-buffer: Force absolute timestamp on discard of event
tracing: Set actual size after ring buffer resize
tracing: Stop current tracer when resizing buffer
parisc: Reduce size of the bug_table on 64-bit kernel by half
parisc: Fix asm operand number out of range build error in bug table
arm64: dts: mediatek: add missing space before {
arm64: dts: mt8183: kukui: Fix underscores in node names
perf: Fix perf_event_validate_size()
x86/sev: Fix kernel crash due to late update to read-only ghcb_version
gpiolib: sysfs: Fix error handling on failed export
drm/amdgpu: fix memory overflow in the IB test
drm/amd/amdgpu: Fix warnings in amdgpu/amdgpu_display.c
drm/amdgpu: correct the amdgpu runtime dereference usage count
drm/amdgpu: Update ras eeprom support for smu v13_0_0 and v13_0_10
drm/amdgpu: Add EEPROM I2C address support for ip discovery
drm/amdgpu: Remove redundant I2C EEPROM address
drm/amdgpu: Decouple RAS EEPROM addresses from chips
drm/amdgpu: Add support for RAS table at 0x40000
drm/amdgpu: Remove second moot switch to set EEPROM I2C address
drm/amdgpu: Return from switch early for EEPROM I2C address
drm/amdgpu: simplify amdgpu_ras_eeprom.c
drm/amdgpu: Add I2C EEPROM support on smu v13_0_6
drm/amdgpu: Update EEPROM I2C address for smu v13_0_0
usb: gadget: f_hid: fix report descriptor allocation
serial: 8250_dw: Add ACPI ID for Granite Rapids-D UART
parport: Add support for Brainboxes IX/UC/PX parallel cards
cifs: Fix non-availability of dedup breaking generic/304
Revert "xhci: Loosen RPM as default policy to cover for AMD xHC 1.1"
smb: client: fix potential NULL deref in parse_dfs_referrals()
usb: typec: class: fix typec_altmode_put_partner to put plugs
ARM: PL011: Fix DMA support
serial: sc16is7xx: address RX timeout interrupt errata
serial: 8250: 8250_omap: Clear UART_HAS_RHR_IT_DIS bit
serial: 8250: 8250_omap: Do not start RX DMA on THRI interrupt
serial: 8250_omap: Add earlycon support for the AM654 UART controller
devcoredump: Send uevent once devcd is ready
x86/CPU/AMD: Check vendor in the AMD microcode callback
USB: gadget: core: adjust uevent timing on gadget unbind
cifs: Fix flushing, invalidation and file size with copy_file_range()
cifs: Fix flushing, invalidation and file size with FICLONE
MIPS: kernel: Clear FPU states when setting up kernel threads
KVM: s390/mm: Properly reset no-dat
KVM: SVM: Update EFER software model on CR0 trap for SEV-ES
MIPS: Loongson64: Reserve vgabios memory on boot
MIPS: Loongson64: Handle more memory types passed from firmware
MIPS: Loongson64: Enable DMA noncoherent support
netfilter: nft_set_pipapo: skip inactive elements during set walk
riscv: Kconfig: Add select ARM_AMBA to SOC_STARFIVE
drm/i915/display: Drop check for doublescan mode in modevalid
drm/i915/lvds: Use REG_BIT() & co.
drm/i915/sdvo: stop caching has_hdmi_monitor in struct intel_sdvo
drm/i915: Skip some timing checks on BXT/GLK DSI transcoders
Linux 6.1.68
Change-Id: I0a824071a80b24dc4a2e0077f305b7cac42235b8
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
Treehugger Robot
|
59f96234bf | Merge "Merge 6.1.66 into android14-6.1-lts" into android14-6.1-lts | ||
Jaegeuk Kim
|
8fc25d7862 |
FROMGIT: f2fs: do not return EFSCORRUPTED, but try to run online repair
If we return the error, there's no way to recover the status as of now, since fsck does not fix the xattr boundary issue. Bug: 305658663 Cc: stable@vger.kernel.org Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org> (cherry picked from commit 50a472bbc79ff9d5a88be8019a60e936cadf9f13 https://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git dev) Change-Id: I55060a4eede3f5f85066aba22a6ab7155517e5c4 (cherry picked from commit 70113b9d489050d3e7a6f28e0cd6e43f104fc132) (cherry picked from commit 2c1f3789d609bd549f14c019b6c7b311bfd2fa64) |
||
Gao Xiang
|
37e0a5b868 |
BACKPORT: FROMGIT: erofs: enable sub-page compressed block support
Let's just disable cached decompression and inplace I/Os for partial pages as the first step in order to enable sub-page block initial support. In other words, currently it works primarily based on temporary short-lived pages. Don't expect too much in terms of performance. Reviewed-by: Yue Hu <huyue2@coolpad.com> Reviewed-by: Chao Yu <chao@kernel.org> Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> Link: https://lore.kernel.org/r/20231206091057.87027-6-hsiangkao@linux.alibaba.com Bug: 318378021 Change-Id: I00238aa437f20c46d015bbe5ab7b706b80b8cfd7 (cherry picked from commit 0ee3a0d59e007320167a2e9f4b8bf1304ada7771 https://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs.git dev) [dhavale: resolved conflicts in inode.c in erofs_fill_inode()] Signed-off-by: Sandeep Dhavale <dhavale@google.com> |
||
|
Gao Xiang
|
f466d52164 |
FROMGIT: erofs: refine z_erofs_transform_plain() for sub-page block support
Sub-page block support is still unusable even with previous commits if
interlaced PLAIN pclusters exist. Such pclusters can be found if the
fragment feature is enabled.
This commit tries to handle "the head part" of interlaced PLAIN
pclusters first: it was once explained in commit
|
||
|
Gao Xiang
|
a18efa4e4a |
FROMGIT: erofs: fix ztailpacking for subpage compressed blocks
`pageofs_in` should be the compressed data offset of the page rather than of the block. Acked-by: Chao Yu <chao@kernel.org> Reviewed-by: Yue Hu <huyue2@coolpad.com> Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> Link: https://lore.kernel.org/r/20231214161337.753049-1-hsiangkao@linux.alibaba.com Bug: 318378021 Change-Id: I0997a69b22b0f42c327c810359f55f5fa6a76275 (cherry picked from commit e5aba911dee5e20fa82efbe13e0af8f38ea459e7 https://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs.git dev) Signed-off-by: Sandeep Dhavale <dhavale@google.com> |
||
|
Gao Xiang
|
0c6a18c75b |
BACKPORT: FROMGIT: erofs: fix up compacted indexes for block size < 4096
Previously, the block size always equaled to PAGE_SIZE, therefore `lclusterbits` couldn't be less than 12. Since sub-page compressed blocks are now considered, `lobits` for a lcluster in each pack cannot always be `lclusterbits` as before. Otherwise, there is no enough room for the special value `Z_EROFS_VLE_DI_D0_CBLKCNT`. To support smaller block sizes, `lobits` for each compacted lcluster is now calculated as: lobits = max(lclusterbits, ilog2(Z_EROFS_VLE_DI_D0_CBLKCNT) + 1) Reviewed-by: Yue Hu <huyue2@coolpad.com> Reviewed-by: Chao Yu <chao@kernel.org> Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> Link: https://lore.kernel.org/r/20231206091057.87027-4-hsiangkao@linux.alibaba.com Bug: 318378021 Change-Id: Iacd89e2b33ddf39ea40b90e88a2bf99bb5a83b31 (cherry picked from commit 8d2517aaeea3ab8651bb517bca8f3c8664d318ea https: //git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs.git dev) [dhavale: resolved conflicts in zmap.c due to older naming of constants and updated commit message also to use the older names] Signed-off-by: Sandeep Dhavale <dhavale@google.com> |
||
|
Gao Xiang
|
d7bb85f1cb |
FROMGIT: erofs: record pclustersize in bytes instead of pages
Currently, compressed sizes are recorded in pages using `pclusterpages`, However, for tailpacking pclusters, `tailpacking_size` is used instead. This approach doesn't work when dealing with sub-page blocks. To address this, let's switch them to the unified `pclustersize` in bytes. Reviewed-by: Yue Hu <huyue2@coolpad.com> Reviewed-by: Chao Yu <chao@kernel.org> Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> Link: https://lore.kernel.org/r/20231206091057.87027-3-hsiangkao@linux.alibaba.com Bug: 318378021 Change-Id: Ia8c50a7b4adcf6cd161b1d6f8bfc5a7fd3371079 (cherry picked from commit 54ed3fdd66055d073cb1cd2c6c65bbc0683c40cf https: //git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs.git dev) Signed-off-by: Sandeep Dhavale <dhavale@google.com> |
||
|
Gao Xiang
|
9d259220ac |
FROMGIT: erofs: support I/O submission for sub-page compressed blocks
Add a basic I/O submission path first to support sub-page blocks: - Temporary short-lived pages will be used entirely; - In-place I/O pages can be used partially, but compressed pages need to be able to be mapped in contiguous virtual memory. As a start, currently cache decompression is explicitly disabled for sub-page blocks, which will be supported in the future. Reviewed-by: Yue Hu <huyue2@coolpad.com> Reviewed-by: Chao Yu <chao@kernel.org> Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> Link: https://lore.kernel.org/r/20231206091057.87027-2-hsiangkao@linux.alibaba.com Bug: 318378021 Change-Id: Ib2cb6120805ab479a450580fc8774af131271791 (cherry picked from commit 192351616a9dde686492bcb9d1e4895a1411a527 https: //git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs.git dev) Signed-off-by: Sandeep Dhavale <dhavale@google.com> |
||
|
Gao Xiang
|
8a49ea9441 |
FROMGIT: erofs: fix lz4 inplace decompression
Currently EROFS can map another compressed buffer for inplace decompression, that was used to handle the cases that some pages of compressed data are actually not in-place I/O. However, like most simple LZ77 algorithms, LZ4 expects the compressed data is arranged at the end of the decompressed buffer and it explicitly uses memmove() to handle overlapping: __________________________________________________________ |_ direction of decompression --> ____ |_ compressed data _| Although EROFS arranges compressed data like this, it typically maps two individual virtual buffers so the relative order is uncertain. Previously, it was hardly observed since LZ4 only uses memmove() for short overlapped literals and x86/arm64 memmove implementations seem to completely cover it up and they don't have this issue. Juhyung reported that EROFS data corruption can be found on a new Intel x86 processor. After some analysis, it seems that recent x86 processors with the new FSRM feature expose this issue with "rep movsb". Let's strictly use the decompressed buffer for lz4 inplace decompression for now. Later, as an useful improvement, we could try to tie up these two buffers together in the correct order. Reported-and-tested-by: Juhyung Park <qkrwngud825@gmail.com> Closes: https://lore.kernel.org/r/CAD14+f2AVKf8Fa2OO1aAUdDNTDsVzzR6ctU_oJSmTyd6zSYR2Q@mail.gmail.com Fixes: |
||
|
Gao Xiang
|
bdc5d268ba |
FROMGIT: erofs: fix memory leak on short-lived bounced pages
Both MicroLZMA and DEFLATE algorithms can use short-lived pages on
demand for the overlapped inplace I/O decompression.
However, those short-lived pages are actually added to
`be->compressed_pages`. Thus, it should be checked instead of
`pcl->compressed_bvecs`.
The LZ4 algorithm doesn't work like this, so it won't be impacted.
Fixes:
|
||
|
Gao Xiang
|
0d329bbe5c |
BACKPORT: erofs: tidy up z_erofs_do_read_page()
- Fix a typo: spiltted => split; - Move !EROFS_MAP_MAPPED and EROFS_MAP_FRAGMENT upwards; - Increase `split` in advance to avoid unnecessary repeats. Reviewed-by: Yue Hu <huyue2@coolpad.com> Reviewed-by: Chao Yu <chao@kernel.org> Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> Link: https://lore.kernel.org/r/20230817082813.81180-4-hsiangkao@linux.alibaba.com Bug: 318378021 Change-Id: I465fd33c7cbbe91d5da4b4ee2343a7b319534148 (cherry picked from commit e4c1cf523d820730a86cae2c6d55924833b6f7ac) [dhavale: resolved small conflict in zdata.c in z_erofs_do_read_page()] Signed-off-by: Sandeep Dhavale <dhavale@google.com> |
||
|
Gao Xiang
|
dc94c3cc6b |
UPSTREAM: erofs: move preparation logic into z_erofs_pcluster_begin()
Some preparation logic should be part of z_erofs_pcluster_begin() instead of z_erofs_do_read_page(). Let's move now. Reviewed-by: Yue Hu <huyue2@coolpad.com> Reviewed-by: Chao Yu <chao@kernel.org> Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> Link: https://lore.kernel.org/r/20230817082813.81180-3-hsiangkao@linux.alibaba.com Bug: 318378021 (cherry picked from commit aeebae9d77217709f8ae3edb0cd7858ec8c7a9d6) Change-Id: I4bf438d719742a18a6f3065a78bf027de5dae293 Signed-off-by: Sandeep Dhavale <dhavale@google.com> |
||
|
Gao Xiang
|
7751567a71 |
BACKPORT: erofs: avoid obsolete {collector,collection} terms
{collector,collection} were once reserved in order to indicate different
runtime logical extent instance of multi-reference pclusters.
However, de-duplicated decompression has been landed in a more flexable
way, thus `struct z_erofs_collection` was formally removed in commit
|
||
|
Gao Xiang
|
d0dbf74792 |
BACKPORT: erofs: simplify z_erofs_read_fragment()
A trivial cleanup to make the fragment handling logic more clear. Reviewed-by: Yue Hu <huyue2@coolpad.com> Reviewed-by: Chao Yu <chao@kernel.org> Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> Link: https://lore.kernel.org/r/20230817082813.81180-1-hsiangkao@linux.alibaba.com Bug: 318378021 Change-Id: I50c09c65b7d3da5022cfc2ede27aa31a1b331d29 (cherry picked from commit 8b00be163f7b57cbf957b3d27b5a7ca1e2495cfa) [dhavale: resolved conflict around erofs_bread() in zdata.c] Signed-off-by: Sandeep Dhavale <dhavale@google.com> |
||
|
Gao Xiang
|
4067dd9969 |
UPSTREAM: erofs: get rid of the remaining kmap_atomic()
It's unnecessary to use kmap_atomic() compared with kmap_local_page(). In addition, kmap_atomic() is deprecated now. Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> Reviewed-by: Yue Hu <huyue2@coolpad.com> Reviewed-by: Chao Yu <chao@kernel.org> Link: https://lore.kernel.org/r/20230627161240.331-1-hsiangkao@linux.alibaba.com Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> Bug: 318378021 (cherry picked from commit 123ec246ebe323d468c5ca996700ea4739d20ddf) Change-Id: I7efee861bb4f079fe6b79123d554be2e1867d13b Signed-off-by: Sandeep Dhavale <dhavale@google.com> |
||
|
Gao Xiang
|
365ca16da2 |
UPSTREAM: erofs: simplify z_erofs_transform_plain()
Use memcpy_to_page() instead of open-coding them. In addition, add a missing flush_dcache_page() even though almost all modern architectures clear `PG_dcache_clean` flag for new file cache pages so that it doesn't change anything in practice. Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> Reviewed-by: Yue Hu <huyue2@coolpad.com> Reviewed-by: Chao Yu <chao@kernel.org> Link: https://lore.kernel.org/r/20230627161240.331-2-hsiangkao@linux.alibaba.com Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> Bug: 318378021 (cherry picked from commit c5539762f32e97c5e16215fa1336e32095b8b0fd) Change-Id: I4cb665b592936502ca95e2aee20e1c3a56103ff5 Signed-off-by: Sandeep Dhavale <dhavale@google.com> |
||
|
Gao Xiang
|
187d034575 |
BACKPORT: erofs: adapt managed inode operations into folios
This patch gets rid of erofs_try_to_free_cached_page() and fold it into .release_folio(). It also moves managed inode operations into zdata.c, which simplifies the code a bit. No logic changes. Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> Reviewed-by: Yue Hu <huyue2@coolpad.com> Link: https://lore.kernel.org/r/20230526201459.128169-5-hsiangkao@linux.alibaba.com Bug: 318378021 Change-Id: I5cb1e44769f68edce788cb4f8084bb3d45b594b3 (cherry picked from commit 7b4e372c36fcd33c74ba3cbd65fa534b9c558184) [dhavale: changes to internal.h applied manually] Signed-off-by: Sandeep Dhavale <dhavale@google.com> |
||
|
Gao Xiang
|
3d93182661 |
UPSTREAM: erofs: avoid on-stack pagepool directly passed by arguments
On-stack pagepool is used so that short-lived temporary pages could be shared within a single I/O request (e.g. among multiple pclusters). Moving the remaining frontend-related uses into z_erofs_decompress_frontend to avoid too many arguments. Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> Reviewed-by: Yue Hu <huyue2@coolpad.com> Link: https://lore.kernel.org/r/20230526201459.128169-3-hsiangkao@linux.alibaba.com Bug: 318378021 (cherry picked from commit 6ab5eed6002edc5a29b683285e90459a7df6ce2b) Change-Id: I57d3ba6087904bb40c55b780aca50c16bfba2c0f Signed-off-by: Sandeep Dhavale <dhavale@google.com> |
||
|
Gao Xiang
|
5c1827383a |
UPSTREAM: erofs: allocate extra bvec pages directly instead of retrying
If non-bootstrap bvecs cannot be kept in place (very rarely), an extra short-lived page is allocated. Let's just allocate it immediately rather than do unnecessary -EAGAIN return first and retry as a cleanup. Also it's unnecessary to use __GFP_NOFAIL here since we could gracefully fail out this case instead. Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> Reviewed-by: Yue Hu <huyue2@coolpad.com> Link: https://lore.kernel.org/r/20230526201459.128169-2-hsiangkao@linux.alibaba.com Bug: 318378021 (cherry picked from commit 05b63d2beb8b0f752d1f5cdd051c8bdbf532cedd) Change-Id: I2ac45a943060406bcbb741c5f7aa1094f783f906 Signed-off-by: Sandeep Dhavale <dhavale@google.com> |
||
Yue Hu
|
bed20ed1d3 |
UPSTREAM: erofs: clean up z_erofs_pcluster_readmore()
`end` parameter is no needed since it's pointless for !backmost, we can
handle it with backmost internally. And we only expand the trailing
edge, so the newstart can be replaced with ->headoffset.
Also, remove linux/prefetch.h inclusion since that is not used anymore
after commit
|
||
|
Yue Hu
|
5e861fa97e |
UPSTREAM: erofs: remove the member readahead from struct z_erofs_decompress_frontend
The struct member is only used to add REQ_RAHEAD during I/O submission. So it is cleaner to pass it as a parameter than keep it in the struct. Also, rename function z_erofs_get_sync_decompress_policy() to z_erofs_is_sync_decompress() for better clarity and conciseness. Signed-off-by: Yue Hu <huyue2@coolpad.com> Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com> Link: https://lore.kernel.org/r/20230524063944.1655-1-zbestahu@gmail.com Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> Bug: 318378021 (cherry picked from commit ef4b4b46c6aaf8edeea9a79320627fe10993f153) Change-Id: I59cc13e7499968a1e93e13df1cb43a5123d510d9 Signed-off-by: Sandeep Dhavale <dhavale@google.com> |
||
|
Yue Hu
|
66595bb17c |
UPSTREAM: erofs: fold in z_erofs_decompress()
No need this helper since it's just a simple wrapper for decompress method and only one caller. So, let's fold in directly instead. Signed-off-by: Yue Hu <huyue2@coolpad.com> Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com> Link: https://lore.kernel.org/r/20230426084449.12781-1-zbestahu@gmail.com Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> Bug: 318378021 (cherry picked from commit 597e2953ae9b4a391e883c1f1a4cda5878e2dbed) Change-Id: I849360f088016cf97542858e8a5a9cee671a2f61 Signed-off-by: Sandeep Dhavale <dhavale@google.com> |
||
Jingbo Xu
|
88a1939504 |
UPSTREAM: erofs: enable large folios for iomap mode
Enable large folios for iomap mode. Then the readahead routine will pass down large folios containing multiple pages. Let's enable this for non-compressed format for now, until the compression part supports large folios later. When large folios supported, the iomap routine will allocate iomap_page for each large folio and thus we need iomap_release_folio() and iomap_invalidate_folio() to free iomap_page when these folios get reclaimed or invalidated. Signed-off-by: Jingbo Xu <jefflexu@linux.alibaba.com> Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com> Reviewed-by: Chao Yu <chao@kernel.org> Link: https://lore.kernel.org/r/20221130060455.44532-1-jefflexu@linux.alibaba.com Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> Bug: 318378021 Change-Id: Iedbb9a2daf132399b7a1b5ea6905977ba123ba3c (cherry picked from commit ce529cc25b184e93397b94a8a322128fc0095cbb) Signed-off-by: Sandeep Dhavale <dhavale@google.com> |
||
Krister Johansen
|
706448f716 |
fuse: share lookup state between submount and its parent
commit c4d361f66ac91db8fc65061a9671682f61f4ca9d upstream.
Fuse submounts do not perform a lookup for the nodeid that they inherit
from their parent. Instead, the code decrements the nlookup on the
submount's fuse_inode when it is instantiated, and no forget is
performed when a submount root is evicted.
Trouble arises when the submount's parent is evicted despite the
submount itself being in use. In this author's case, the submount was
in a container and deatched from the initial mount namespace via a
MNT_DEATCH operation. When memory pressure triggered the shrinker, the
inode from the parent was evicted, which triggered enough forgets to
render the submount's nodeid invalid.
Since submounts should still function, even if their parent goes away,
solve this problem by sharing refcounted state between the parent and
its submount. When all of the references on this shared state reach
zero, it's safe to forget the final lookup of the fuse nodeid.
Signed-off-by: Krister Johansen <kjlx@templeofstupid.com>
Cc: stable@vger.kernel.org
Fixes:
|
||
Konstantin Meskhidze
|
1c250f2c5f |
ubifs: fix possible dereference after free
[ Upstream commit d81efd66106c03771ffc8637855a6ec24caa6350 ]
'old_idx' could be dereferenced after free via 'rb_link_node' function
call.
Fixes: b5fda08ef213 ("ubifs: Fix memleak when insert_old_idx() failed")
Co-developed-by: Ivanov Mikhail <ivanov.mikhail1@huawei-partners.com>
Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Naohiro Aota
|
3c42cc437d |
btrfs: zoned: no longer count fresh BG region as zone unusable
[ Upstream commit 6a8ebc773ef64c8f12d6d60fd6e53d5ccc81314b ]
Now that we switched to write time activation, we no longer need to (and
must not) count the fresh region as zone unusable. This commit is similar
to revert of commit fa2068d7e922b434eb ("btrfs: zoned: count fresh BG
region as zone unusable").
Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Paulo Alcantara
|
c60e10d154 |
smb: client: fix OOB in smbCalcSize()
commit b35858b3786ddbb56e1c35138ba25d6adf8d0bef upstream. Validate @smb->WordCount to avoid reading off the end of @smb and thus causing the following KASAN splat: BUG: KASAN: slab-out-of-bounds in smbCalcSize+0x32/0x40 [cifs] Read of size 2 at addr ffff88801c024ec5 by task cifsd/1328 CPU: 1 PID: 1328 Comm: cifsd Not tainted 6.7.0-rc5 #9 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x4a/0x80 print_report+0xcf/0x650 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? __phys_addr+0x46/0x90 kasan_report+0xd8/0x110 ? smbCalcSize+0x32/0x40 [cifs] ? smbCalcSize+0x32/0x40 [cifs] kasan_check_range+0x105/0x1b0 smbCalcSize+0x32/0x40 [cifs] checkSMB+0x162/0x370 [cifs] ? __pfx_checkSMB+0x10/0x10 [cifs] cifs_handle_standard+0xbc/0x2f0 [cifs] ? srso_alias_return_thunk+0x5/0xfbef5 cifs_demultiplex_thread+0xed1/0x1360 [cifs] ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs] ? srso_alias_return_thunk+0x5/0xfbef5 ? lockdep_hardirqs_on_prepare+0x136/0x210 ? __pfx_lock_release+0x10/0x10 ? srso_alias_return_thunk+0x5/0xfbef5 ? mark_held_locks+0x1a/0x90 ? lockdep_hardirqs_on_prepare+0x136/0x210 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? __kthread_parkme+0xce/0xf0 ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs] kthread+0x18d/0x1d0 ? kthread+0xdb/0x1d0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x60 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> This fixes CVE-2023-6606. Reported-by: j51569436@gmail.com Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218218 Cc: stable@vger.kernel.org Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Paulo Alcantara
|
bef4315f19 |
smb: client: fix OOB in SMB2_query_info_init()
commit 33eae65c6f49770fec7a662935d4eb4a6406d24b upstream.
A small CIFS buffer (448 bytes) isn't big enough to hold
SMB2_QUERY_INFO request along with user's input data from
CIFS_QUERY_INFO ioctl. That is, if the user passed an input buffer >
344 bytes, the client will memcpy() off the end of @req->Buffer in
SMB2_query_info_init() thus causing the following KASAN splat:
BUG: KASAN: slab-out-of-bounds in SMB2_query_info_init+0x242/0x250 [cifs]
Write of size 1023 at addr ffff88801308c5a8 by task a.out/1240
CPU: 1 PID: 1240 Comm: a.out Not tainted 6.7.0-rc4 #5
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x4a/0x80
print_report+0xcf/0x650
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? __phys_addr+0x46/0x90
kasan_report+0xd8/0x110
? SMB2_query_info_init+0x242/0x250 [cifs]
? SMB2_query_info_init+0x242/0x250 [cifs]
kasan_check_range+0x105/0x1b0
__asan_memcpy+0x3c/0x60
SMB2_query_info_init+0x242/0x250 [cifs]
? __pfx_SMB2_query_info_init+0x10/0x10 [cifs]
? srso_alias_return_thunk+0x5/0xfbef5
? smb_rqst_len+0xa6/0xc0 [cifs]
smb2_ioctl_query_info+0x4f4/0x9a0 [cifs]
? __pfx_smb2_ioctl_query_info+0x10/0x10 [cifs]
? __pfx_cifsConvertToUTF16+0x10/0x10 [cifs]
? kasan_set_track+0x25/0x30
? srso_alias_return_thunk+0x5/0xfbef5
? __kasan_kmalloc+0x8f/0xa0
? srso_alias_return_thunk+0x5/0xfbef5
? cifs_strndup_to_utf16+0x12d/0x1a0 [cifs]
? __build_path_from_dentry_optional_prefix+0x19d/0x2d0 [cifs]
? __pfx_smb2_ioctl_query_info+0x10/0x10 [cifs]
cifs_ioctl+0x11c7/0x1de0 [cifs]
? __pfx_cifs_ioctl+0x10/0x10 [cifs]
? srso_alias_return_thunk+0x5/0xfbef5
? rcu_is_watching+0x23/0x50
? srso_alias_return_thunk+0x5/0xfbef5
? __rseq_handle_notify_resume+0x6cd/0x850
? __pfx___schedule+0x10/0x10
? blkcg_iostat_update+0x250/0x290
? srso_alias_return_thunk+0x5/0xfbef5
? ksys_write+0xe9/0x170
__x64_sys_ioctl+0xc9/0x100
do_syscall_64+0x47/0xf0
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7f893dde49cf
Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48
89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89>
c2 3d 00 f0 ff ff 77 18 48 8b 44 24 18 64 48 2b 04 25 28 00 00
RSP: 002b:00007ffc03ff4160 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffc03ff4378 RCX: 00007f893dde49cf
RDX: 00007ffc03ff41d0 RSI: 00000000c018cf07 RDI: 0000000000000003
RBP: 00007ffc03ff4260 R08: 0000000000000410 R09: 0000000000000001
R10: 00007f893dce7300 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc03ff4388 R14: 00007f893df15000 R15: 0000000000406de0
</TASK>
Fix this by increasing size of SMB2_QUERY_INFO request buffers and
validating input length to prevent other callers from overflowing @req
in SMB2_query_info_init() as well.
Fixes:
|
||
|
Paulo Alcantara
|
71fe685b6a |
smb: client: fix potential OOB in cifs_dump_detail()
commit b50492b05fd02887b46aef079592207fb5c97a4c upstream. Validate SMB message with ->check_message() before calling ->calc_smb_size(). Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com> Cc: stable@vger.kernel.org Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Paulo Alcantara
|
277832a306 |
smb: client: fix OOB in cifsd when receiving compounded resps
commit a8f68b11158f09754418de62e6b3e7b9b7a50cc9 upstream.
Validate next header's offset in ->next_header() so that it isn't
smaller than MID_HEADER_SIZE(server) and then standard_receive3() or
->receive() ends up writing off the end of the buffer because
'pdu_length - MID_HEADER_SIZE(server)' wraps up to a huge length:
BUG: KASAN: slab-out-of-bounds in _copy_to_iter+0x4fc/0x840
Write of size 701 at addr ffff88800caf407f by task cifsd/1090
CPU: 0 PID: 1090 Comm: cifsd Not tainted 6.7.0-rc4 #5
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x4a/0x80
print_report+0xcf/0x650
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? __phys_addr+0x46/0x90
kasan_report+0xd8/0x110
? _copy_to_iter+0x4fc/0x840
? _copy_to_iter+0x4fc/0x840
kasan_check_range+0x105/0x1b0
__asan_memcpy+0x3c/0x60
_copy_to_iter+0x4fc/0x840
? srso_alias_return_thunk+0x5/0xfbef5
? hlock_class+0x32/0xc0
? srso_alias_return_thunk+0x5/0xfbef5
? __pfx__copy_to_iter+0x10/0x10
? srso_alias_return_thunk+0x5/0xfbef5
? lock_is_held_type+0x90/0x100
? srso_alias_return_thunk+0x5/0xfbef5
? __might_resched+0x278/0x360
? __pfx___might_resched+0x10/0x10
? srso_alias_return_thunk+0x5/0xfbef5
__skb_datagram_iter+0x2c2/0x460
? __pfx_simple_copy_to_iter+0x10/0x10
skb_copy_datagram_iter+0x6c/0x110
tcp_recvmsg_locked+0x9be/0xf40
? __pfx_tcp_recvmsg_locked+0x10/0x10
? mark_held_locks+0x5d/0x90
? srso_alias_return_thunk+0x5/0xfbef5
tcp_recvmsg+0xe2/0x310
? __pfx_tcp_recvmsg+0x10/0x10
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? lock_acquire+0x14a/0x3a0
? srso_alias_return_thunk+0x5/0xfbef5
inet_recvmsg+0xd0/0x370
? __pfx_inet_recvmsg+0x10/0x10
? __pfx_lock_release+0x10/0x10
? do_raw_spin_trylock+0xd1/0x120
sock_recvmsg+0x10d/0x150
cifs_readv_from_socket+0x25a/0x490 [cifs]
? __pfx_cifs_readv_from_socket+0x10/0x10 [cifs]
? srso_alias_return_thunk+0x5/0xfbef5
cifs_read_from_socket+0xb5/0x100 [cifs]
? __pfx_cifs_read_from_socket+0x10/0x10 [cifs]
? __pfx_lock_release+0x10/0x10
? do_raw_spin_trylock+0xd1/0x120
? _raw_spin_unlock+0x23/0x40
? srso_alias_return_thunk+0x5/0xfbef5
? __smb2_find_mid+0x126/0x230 [cifs]
cifs_demultiplex_thread+0xd39/0x1270 [cifs]
? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]
? __pfx_lock_release+0x10/0x10
? srso_alias_return_thunk+0x5/0xfbef5
? mark_held_locks+0x1a/0x90
? lockdep_hardirqs_on_prepare+0x136/0x210
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? __kthread_parkme+0xce/0xf0
? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]
kthread+0x18d/0x1d0
? kthread+0xdb/0x1d0
? __pfx_kthread+0x10/0x10
ret_from_fork+0x34/0x60
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1b/0x30
</TASK>
Fixes:
|
||
|
David Howells
|
9b4c95a63e |
afs: Fix use-after-free due to get/remove race in volume tree
[ Upstream commit 9a6b294ab496650e9f270123730df37030911b55 ]
When an afs_volume struct is put, its refcount is reduced to 0 before
the cell->volume_lock is taken and the volume removed from the
cell->volumes tree.
Unfortunately, this means that the lookup code can race and see a volume
with a zero ref in the tree, resulting in a use-after-free:
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 3 PID: 130782 at lib/refcount.c:25 refcount_warn_saturate+0x7a/0xda
...
RIP: 0010:refcount_warn_saturate+0x7a/0xda
...
Call Trace:
afs_get_volume+0x3d/0x55
afs_create_volume+0x126/0x1de
afs_validate_fc+0xfe/0x130
afs_get_tree+0x20/0x2e5
vfs_get_tree+0x1d/0xc9
do_new_mount+0x13b/0x22e
do_mount+0x5d/0x8a
__do_sys_mount+0x100/0x12a
do_syscall_64+0x3a/0x94
entry_SYSCALL_64_after_hwframe+0x62/0x6a
Fix this by:
(1) When putting, use a flag to indicate if the volume has been removed
from the tree and skip the rb_erase if it has.
(2) When looking up, use a conditional ref increment and if it fails
because the refcount is 0, replace the node in the tree and set the
removal flag.
Fixes:
|
||
|
David Howells
|
17605162e2 |
afs: Fix overwriting of result of DNS query
[ Upstream commit a9e01ac8c5ff32669119c40dfdc9e80eb0b7d7aa ]
In afs_update_cell(), ret is the result of the DNS lookup and the errors
are to be handled by a switch - however, the value gets clobbered in
between by setting it to -ENOMEM in case afs_alloc_vlserver_list()
fails.
Fix this by moving the setting of -ENOMEM into the error handling for
OOM failure. Further, only do it if we don't have an alternative error
to return.
Found by Linux Verification Center (linuxtesting.org) with SVACE. Based
on a patch from Anastasia Belova [1].
Fixes:
|
||
|
David Howells
|
087b96adc6 |
afs: Fix dynamic root lookup DNS check
[ Upstream commit 74cef6872ceaefb5b6c5c60641371ea28702d358 ]
In the afs dynamic root directory, the ->lookup() function does a DNS check
on the cell being asked for and if the DNS upcall reports an error it will
report an error back to userspace (typically ENOENT).
However, if a failed DNS upcall returns a new-style result, it will return
a valid result, with the status field set appropriately to indicate the
type of failure - and in that case, dns_query() doesn't return an error and
we let stat() complete with no error - which can cause confusion in
userspace as subsequent calls that trigger d_automount then fail with
ENOENT.
Fix this by checking the status result from a valid dns_query() and
returning an error if it indicates a failure.
Fixes:
|
||
|
David Howells
|
9c6ea7abe3 |
afs: Fix the dynamic root's d_delete to always delete unused dentries
[ Upstream commit 71f8b55bc30e82d6355e07811213d847981a32e2 ]
Fix the afs dynamic root's d_delete function to always delete unused
dentries rather than only deleting them if they're positive. With things
as they stand upstream, negative dentries stemming from failed DNS lookups
stick around preventing retries.
Fixes:
|
||
Paul Lawrence
|
613d8368e3 |
ANDROID: fuse-bpf: Follow mounts in lookups
Bug: 292925770 Test: fuse_test run. The following steps on Android also now pass: Create /data/123 and /data/media/0/Android/data/45 directories Mount /data/123 directory to /data/media/0/Android/data/45 directory Create 1.txt under the /data/123 directory File 1.txt should appear in /storage/emulated/0/Android/data/45 Change-Id: I1fe27d743ca2981e624a9aa87d9ab6deb313aadc Signed-off-by: Paul Lawrence <paullawrence@google.com> |
||
|
Paulo Alcantara
|
8c3b77ad4e |
smb: client: fix OOB in smb2_query_reparse_point()
commit 3a42709fa909e22b0be4bb1e2795aa04ada732a3 upstream.
Validate @ioctl_rsp->OutputOffset and @ioctl_rsp->OutputCount so that
their sum does not wrap to a number that is smaller than @reparse_buf
and we end up with a wild pointer as follows:
BUG: unable to handle page fault for address: ffff88809c5cd45f
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 4a01067 P4D 4a01067 PUD 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 2 PID: 1260 Comm: mount.cifs Not tainted 6.7.0-rc4 #2
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
RIP: 0010:smb2_query_reparse_point+0x3e0/0x4c0 [cifs]
Code: ff ff e8 f3 51 fe ff 41 89 c6 58 5a 45 85 f6 0f 85 14 fe ff ff
49 8b 57 48 8b 42 60 44 8b 42 64 42 8d 0c 00 49 39 4f 50 72 40 <8b>
04 02 48 8b 9d f0 fe ff ff 49 8b 57 50 89 03 48 8b 9d e8 fe ff
RSP: 0018:ffffc90000347a90 EFLAGS: 00010212
RAX: 000000008000001f RBX: ffff88800ae11000 RCX: 00000000000000ec
RDX: ffff88801c5cd440 RSI: 0000000000000000 RDI: ffffffff82004aa4
RBP: ffffc90000347bb0 R08: 00000000800000cd R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000024 R12: ffff8880114d4100
R13: ffff8880114d4198 R14: 0000000000000000 R15: ffff8880114d4000
FS: 00007f02c07babc0(0000) GS:ffff88806ba00000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88809c5cd45f CR3: 0000000011750000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
<TASK>
? __die+0x23/0x70
? page_fault_oops+0x181/0x480
? search_module_extables+0x19/0x60
? srso_alias_return_thunk+0x5/0xfbef5
? exc_page_fault+0x1b6/0x1c0
? asm_exc_page_fault+0x26/0x30
? _raw_spin_unlock_irqrestore+0x44/0x60
? smb2_query_reparse_point+0x3e0/0x4c0 [cifs]
cifs_get_fattr+0x16e/0xa50 [cifs]
? srso_alias_return_thunk+0x5/0xfbef5
? lock_acquire+0xbf/0x2b0
cifs_root_iget+0x163/0x5f0 [cifs]
cifs_smb3_do_mount+0x5bd/0x780 [cifs]
smb3_get_tree+0xd9/0x290 [cifs]
vfs_get_tree+0x2c/0x100
? capable+0x37/0x70
path_mount+0x2d7/0xb80
? srso_alias_return_thunk+0x5/0xfbef5
? _raw_spin_unlock_irqrestore+0x44/0x60
__x64_sys_mount+0x11a/0x150
do_syscall_64+0x47/0xf0
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7f02c08d5b1e
Fixes:
|
||
|
Paulo Alcantara
|
d8541c50c6 |
smb: client: fix NULL deref in asn1_ber_decoder()
commit 90d025c2e953c11974e76637977c473200593a46 upstream. If server replied SMB2_NEGOTIATE with a zero SecurityBufferOffset, smb2_get_data_area() sets @len to non-zero but return NULL, so decode_negTokeninit() ends up being called with a NULL @security_blob: BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 2 PID: 871 Comm: mount.cifs Not tainted 6.7.0-rc4 #2 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 RIP: 0010:asn1_ber_decoder+0x173/0xc80 Code: 01 4c 39 2c 24 75 09 45 84 c9 0f 85 2f 03 00 00 48 8b 14 24 4c 29 ea 48 83 fa 01 0f 86 1e 07 00 00 48 8b 74 24 28 4d 8d 5d 01 <42> 0f b6 3c 2e 89 fa 40 88 7c 24 5c f7 d2 83 e2 1f 0f 84 3d 07 00 RSP: 0018:ffffc9000063f950 EFLAGS: 00010202 RAX: 0000000000000002 RBX: 0000000000000000 RCX: 000000000000004a RDX: 000000000000004a RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000002 R11: 0000000000000001 R12: 0000000000000000 R13: 0000000000000000 R14: 000000000000004d R15: 0000000000000000 FS: 00007fce52b0fbc0(0000) GS:ffff88806ba00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000001ae64000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> ? __die+0x23/0x70 ? page_fault_oops+0x181/0x480 ? __stack_depot_save+0x1e6/0x480 ? exc_page_fault+0x6f/0x1c0 ? asm_exc_page_fault+0x26/0x30 ? asn1_ber_decoder+0x173/0xc80 ? check_object+0x40/0x340 decode_negTokenInit+0x1e/0x30 [cifs] SMB2_negotiate+0xc99/0x17c0 [cifs] ? smb2_negotiate+0x46/0x60 [cifs] ? srso_alias_return_thunk+0x5/0xfbef5 smb2_negotiate+0x46/0x60 [cifs] cifs_negotiate_protocol+0xae/0x130 [cifs] cifs_get_smb_ses+0x517/0x1040 [cifs] ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? queue_delayed_work_on+0x5d/0x90 cifs_mount_get_session+0x78/0x200 [cifs] dfs_mount_share+0x13a/0x9f0 [cifs] ? srso_alias_return_thunk+0x5/0xfbef5 ? lock_acquire+0xbf/0x2b0 ? find_nls+0x16/0x80 ? srso_alias_return_thunk+0x5/0xfbef5 cifs_mount+0x7e/0x350 [cifs] cifs_smb3_do_mount+0x128/0x780 [cifs] smb3_get_tree+0xd9/0x290 [cifs] vfs_get_tree+0x2c/0x100 ? capable+0x37/0x70 path_mount+0x2d7/0xb80 ? srso_alias_return_thunk+0x5/0xfbef5 ? _raw_spin_unlock_irqrestore+0x44/0x60 __x64_sys_mount+0x11a/0x150 do_syscall_64+0x47/0xf0 entry_SYSCALL_64_after_hwframe+0x6f/0x77 RIP: 0033:0x7fce52c2ab1e Fix this by setting @len to zero when @off == 0 so callers won't attempt to dereference non-existing data areas. Reported-by: Robert Morris <rtm@csail.mit.edu> Cc: stable@vger.kernel.org Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Paulo Alcantara
|
9f528a8e68 |
smb: client: fix OOB in receive_encrypted_standard()
commit eec04ea119691e65227a97ce53c0da6b9b74b0b7 upstream.
Fix potential OOB in receive_encrypted_standard() if server returned a
large shdr->NextCommand that would end up writing off the end of
@next_buffer.
Fixes:
|
||
Boris Burkov
|
730b3322b8 |
btrfs: don't clear qgroup reserved bit in release_folio
commit a86805504b88f636a6458520d85afdf0634e3c6b upstream. The EXTENT_QGROUP_RESERVED bit is used to "lock" regions of the file for duplicate reservations. That is two writes to that range in one transaction shouldn't create two reservations, as the reservation will only be freed once when the write finally goes down. Therefore, it is never OK to clear that bit without freeing the associated qgroup reserve. At this point, we don't want to be freeing the reserve, so mask off the bit. CC: stable@vger.kernel.org # 5.15+ Reviewed-by: Qu Wenruo <wqu@suse.com> Signed-off-by: Boris Burkov <boris@bur.io> Signed-off-by: David Sterba <dsterba@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Boris Burkov
|
9b670e1b64 |
btrfs: free qgroup reserve when ORDERED_IOERR is set
commit f63e1164b90b385cd832ff0fdfcfa76c3cc15436 upstream. An ordered extent completing is a critical moment in qgroup reserve handling, as the ownership of the reservation is handed off from the ordered extent to the delayed ref. In the happy path we release (unlock) but do not free (decrement counter) the reservation, and the delayed ref drives the free. However, on an error, we don't create a delayed ref, since there is no ref to add. Therefore, free on the error path. CC: stable@vger.kernel.org # 6.1+ Reviewed-by: Qu Wenruo <wqu@suse.com> Signed-off-by: Boris Burkov <boris@bur.io> Signed-off-by: David Sterba <dsterba@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Baokun Li
|
0b071a3266 |
ext4: prevent the normalized size from exceeding EXT_MAX_BLOCKS
commit 2dcf5fde6dffb312a4bfb8ef940cea2d1f402e32 upstream. For files with logical blocks close to EXT_MAX_BLOCKS, the file size predicted in ext4_mb_normalize_request() may exceed EXT_MAX_BLOCKS. This can cause some blocks to be preallocated that will not be used. And after [Fixes], the following issue may be triggered: ========================================================= kernel BUG at fs/ext4/mballoc.c:4653! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP CPU: 1 PID: 2357 Comm: xfs_io 6.7.0-rc2-00195-g0f5cc96c367f Hardware name: linux,dummy-virt (DT) pc : ext4_mb_use_inode_pa+0x148/0x208 lr : ext4_mb_use_inode_pa+0x98/0x208 Call trace: ext4_mb_use_inode_pa+0x148/0x208 ext4_mb_new_inode_pa+0x240/0x4a8 ext4_mb_use_best_found+0x1d4/0x208 ext4_mb_try_best_found+0xc8/0x110 ext4_mb_regular_allocator+0x11c/0xf48 ext4_mb_new_blocks+0x790/0xaa8 ext4_ext_map_blocks+0x7cc/0xd20 ext4_map_blocks+0x170/0x600 ext4_iomap_begin+0x1c0/0x348 ========================================================= Here is a calculation when adjusting ac_b_ex in ext4_mb_new_inode_pa(): ex.fe_logical = orig_goal_end - EXT4_C2B(sbi, ex.fe_len); if (ac->ac_o_ex.fe_logical >= ex.fe_logical) goto adjust_bex; The problem is that when orig_goal_end is subtracted from ac_b_ex.fe_len it is still greater than EXT_MAX_BLOCKS, which causes ex.fe_logical to overflow to a very small value, which ultimately triggers a BUG_ON in ext4_mb_new_inode_pa() because pa->pa_free < len. The last logical block of an actual write request does not exceed EXT_MAX_BLOCKS, so in ext4_mb_normalize_request() also avoids normalizing the last logical block to exceed EXT_MAX_BLOCKS to avoid the above issue. The test case in [Link] can reproduce the above issue with 64k block size. Link: https://patchwork.kernel.org/project/fstests/list/?series=804003 Cc: <stable@kernel.org> # 6.4 Fixes: 93cdf49f6eca ("ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa()") Signed-off-by: Baokun Li <libaokun1@huawei.com> Reviewed-by: Jan Kara <jack@suse.cz> Link: https://lore.kernel.org/r/20231127063313.3734294-1-libaokun1@huawei.com Signed-off-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Josef Bacik
|
56f762659a |
btrfs: do not allow non subvolume root targets for snapshot
commit a8892fd71933126ebae3d60aec5918d4dceaae76 upstream. Our btrfs subvolume snapshot <source> <destination> utility enforces that <source> is the root of the subvolume, however this isn't enforced in the kernel. Update the kernel to also enforce this limitation to avoid problems with other users of this ioctl that don't have the appropriate checks in place. Reported-by: Martin Michaelis <code@mgjm.de> CC: stable@vger.kernel.org # 4.14+ Reviewed-by: Neal Gompa <neal@gompa.dev> Signed-off-by: Josef Bacik <josef@toxicpanda.com> Reviewed-by: David Sterba <dsterba@suse.com> Signed-off-by: David Sterba <dsterba@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Namjae Jeon
|
73c240e1ec |
ksmbd: fix wrong name of SMB2_CREATE_ALLOCATION_SIZE
commit 13736654481198e519059d4a2e2e3b20fa9fdb3e upstream.
MS confirm that "AISi" name of SMB2_CREATE_ALLOCATION_SIZE in MS-SMB2
specification is a typo. cifs/ksmbd have been using this wrong name from
MS-SMB2. It should be "AlSi". Also It will cause problem when running
smb2.create.open test in smbtorture against ksmbd.
Cc: stable@vger.kernel.org
Fixes:
|
||
Hangyu Hua
|
0dc6a06c48 |
fuse: dax: set fc->dax to NULL in fuse_dax_conn_free()
commit 7f8ed28d1401320bcb02dda81b3c23ab2dc5a6d8 upstream.
fuse_dax_conn_free() will be called when fuse_fill_super_common() fails
after fuse_dax_conn_alloc(). Then deactivate_locked_super() in
virtio_fs_get_tree() will call virtio_kill_sb() to release the discarded
superblock. This will call fuse_dax_conn_free() again in fuse_conn_put(),
resulting in a possible double free.
Fixes:
|
||
|
David Howells
|
e0cda159c8 |
afs: Fix refcount underflow from error handling race
[ Upstream commit 52bf9f6c09fca8c74388cd41cc24e5d1bff812a9 ]
If an AFS cell that has an unreachable (eg. ENETUNREACH) server listed (VL
server or fileserver), an asynchronous probe to one of its addresses may
fail immediately because sendmsg() returns an error. When this happens, a
refcount underflow can happen if certain events hit a very small window.
The way this occurs is:
(1) There are two levels of "call" object, the afs_call and the
rxrpc_call. Each of them can be transitioned to a "completed" state
in the event of success or failure.
(2) Asynchronous afs_calls are self-referential whilst they are active to
prevent them from evaporating when they're not being processed. This
reference is disposed of when the afs_call is completed.
Note that an afs_call may only be completed once; once completed
completing it again will do nothing.
(3) When a call transmission is made, the app-side rxrpc code queues a Tx
buffer for the rxrpc I/O thread to transmit. The I/O thread invokes
sendmsg() to transmit it - and in the case of failure, it transitions
the rxrpc_call to the completed state.
(4) When an rxrpc_call is completed, the app layer is notified. In this
case, the app is kafs and it schedules a work item to process events
pertaining to an afs_call.
(5) When the afs_call event processor is run, it goes down through the
RPC-specific handler to afs_extract_data() to retrieve data from rxrpc
- and, in this case, it picks up the error from the rxrpc_call and
returns it.
The error is then propagated to the afs_call and that is completed
too. At this point the self-reference is released.
(6) If the rxrpc I/O thread manages to complete the rxrpc_call within the
window between rxrpc_send_data() queuing the request packet and
checking for call completion on the way out, then
rxrpc_kernel_send_data() will return the error from sendmsg() to the
app.
(7) Then afs_make_call() will see an error and will jump to the error
handling path which will attempt to clean up the afs_call.
(8) The problem comes when the error handling path in afs_make_call()
tries to unconditionally drop an async afs_call's self-reference.
This self-reference, however, may already have been dropped by
afs_extract_data() completing the afs_call
(9) The refcount underflows when we return to afs_do_probe_vlserver() and
that tries to drop its reference on the afs_call.
Fix this by making afs_make_call() attempt to complete the afs_call rather
than unconditionally putting it. That way, if afs_extract_data() manages
to complete the call first, afs_make_call() won't do anything.
The bug can be forced by making do_udp_sendmsg() return -ENETUNREACH and
sticking an msleep() in rxrpc_send_data() after the 'success:' label to
widen the race window.
The error message looks something like:
refcount_t: underflow; use-after-free.
WARNING: CPU: 3 PID: 720 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x110
...
RIP: 0010:refcount_warn_saturate+0xba/0x110
...
afs_put_call+0x1dc/0x1f0 [kafs]
afs_fs_get_capabilities+0x8b/0xe0 [kafs]
afs_fs_probe_fileserver+0x188/0x1e0 [kafs]
afs_lookup_server+0x3bf/0x3f0 [kafs]
afs_alloc_server_list+0x130/0x2e0 [kafs]
afs_create_volume+0x162/0x400 [kafs]
afs_get_tree+0x266/0x410 [kafs]
vfs_get_tree+0x25/0xc0
fc_mount+0xe/0x40
afs_d_automount+0x1b3/0x390 [kafs]
__traverse_mounts+0x8f/0x210
step_into+0x340/0x760
path_openat+0x13a/0x1260
do_filp_open+0xaf/0x160
do_sys_openat2+0xaf/0x170
or something like:
refcount_t: underflow; use-after-free.
...
RIP: 0010:refcount_warn_saturate+0x99/0xda
...
afs_put_call+0x4a/0x175
afs_send_vl_probes+0x108/0x172
afs_select_vlserver+0xd6/0x311
afs_do_cell_detect_alias+0x5e/0x1e9
afs_cell_detect_alias+0x44/0x92
afs_validate_fc+0x9d/0x134
afs_get_tree+0x20/0x2e6
vfs_get_tree+0x1d/0xc9
fc_mount+0xe/0x33
afs_d_automount+0x48/0x9d
__traverse_mounts+0xe0/0x166
step_into+0x140/0x274
open_last_lookups+0x1c1/0x1df
path_openat+0x138/0x1c3
do_filp_open+0x55/0xb4
do_sys_openat2+0x6c/0xb6
Fixes:
|
||
Zizhi Wo
|
a7e6477cc3 |
ksmbd: fix memory leak in smb2_lock()
[ Upstream commit 8f1752723019db900fb60a5b9d0dfd3a2bdea36c ]
In smb2_lock(), if setup_async_work() executes successfully,
work->cancel_argv will bind the argv that generated by kmalloc(). And
release_async_work() is called in ksmbd_conn_try_dequeue_request() or
smb2_lock() to release argv.
However, when setup_async_work function fails, work->cancel_argv has not
been bound to the argv, resulting in the previously allocated argv not
being released. Call kfree() to fix it.
Fixes:
|
||
Jan Kara
|
8925ab33b3 |
ext4: fix warning in ext4_dio_write_end_io()
[ Upstream commit 619f75dae2cf117b1d07f27b046b9ffb071c4685 ]
The syzbot has reported that it can hit the warning in
ext4_dio_write_end_io() because i_size < i_disksize. Indeed the
reproducer creates a race between DIO IO completion and truncate
expanding the file and thus ext4_dio_write_end_io() sees an inconsistent
inode state where i_disksize is already updated but i_size is not
updated yet. Since we are careful when setting up DIO write and consider
it extending (and thus performing the IO synchronously with i_rwsem held
exclusively) whenever it goes past either of i_size or i_disksize, we
can use the same test during IO completion without risking entering
ext4_handle_inode_extension() without i_rwsem held. This way we make it
obvious both i_size and i_disksize are large enough when we report DIO
completion without relying on unreliable WARN_ON.
Reported-by: <syzbot+47479b71cdfc78f56d30@syzkaller.appspotmail.com>
Fixes: 91562895f803 ("ext4: properly sync file size update after O_SYNC direct IO")
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Link: https://lore.kernel.org/r/20231130095653.22679-1-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Greg Kroah-Hartman
|
ee16988743 |
Merge 6.1.65 into android14-6.1-lts
Changes in 6.1.65 afs: Fix afs_server_list to be cleaned up with RCU afs: Make error on cell lookup failure consistent with OpenAFS drm/panel: boe-tv101wum-nl6: Fine tune the panel power sequence drm/panel: auo,b101uan08.3: Fine tune the panel power sequence drm/panel: simple: Fix Innolux G101ICE-L01 bus flags drm/panel: simple: Fix Innolux G101ICE-L01 timings wireguard: use DEV_STATS_INC() octeontx2-pf: Fix memory leak during interface down ata: pata_isapnp: Add missing error check for devm_ioport_map() drm/i915: do not clean GT table on error path drm/rockchip: vop: Fix color for RGB888/BGR888 format on VOP full HID: fix HID device resource race between HID core and debugging support ipv4: Correct/silence an endian warning in __ip_do_redirect net: usb: ax88179_178a: fix failed operations during ax88179_reset net/smc: avoid data corruption caused by decline arm/xen: fix xen_vcpu_info allocation alignment octeontx2-pf: Fix ntuple rule creation to direct packet to VF with higher Rx queue than its PF amd-xgbe: handle corner-case during sfp hotplug amd-xgbe: handle the corner-case during tx completion amd-xgbe: propagate the correct speed and duplex status net: axienet: Fix check for partial TX checksum afs: Return ENOENT if no cell DNS record can be found afs: Fix file locking on R/O volumes to operate in local mode mm,kfence: decouple kfence from page granularity mapping judgement arm64: mm: Fix "rodata=on" when CONFIG_RODATA_FULL_DEFAULT_ENABLED=y i40e: use ERR_PTR error print in i40e messages i40e: Fix adding unsupported cloud filters nvmet: nul-terminate the NQNs passed in the connect command USB: dwc3: qcom: fix resource leaks on probe deferral USB: dwc3: qcom: fix ACPI platform device leak lockdep: Fix block chain corruption cifs: minor cleanup of some headers smb3: allow dumping session and tcon id to improve stats analysis and debugging cifs: print last update time for interface list cifs: distribute channels across interfaces based on speed cifs: account for primary channel in the interface list cifs: fix leak of iface for primary channel MIPS: KVM: Fix a build warning about variable set but not used media: camss: Split power domain management media: camss: Convert to platform remove callback returning void media: qcom: Initialise V4L2 async notifier later media: qcom: camss: Fix V4L2 async notifier error path media: qcom: camss: Fix genpd cleanup ext4: add a new helper to check if es must be kept ext4: factor out __es_alloc_extent() and __es_free_extent() ext4: use pre-allocated es in __es_insert_extent() ext4: use pre-allocated es in __es_remove_extent() ext4: using nofail preallocation in ext4_es_remove_extent() ext4: using nofail preallocation in ext4_es_insert_delayed_block() ext4: using nofail preallocation in ext4_es_insert_extent() ext4: fix slab-use-after-free in ext4_es_insert_extent() ext4: make sure allocate pending entry not fail NFSD: Fix "start of NFS reply" pointer passed to nfsd_cache_update() NFSD: Fix checksum mismatches in the duplicate reply cache arm64: dts: imx8mn-var-som: add 20ms delay to ethernet regulator enable ACPI: resource: Skip IRQ override on ASUS ExpertBook B1402CVA swiotlb-xen: provide the "max_mapping_size" method bcache: replace a mistaken IS_ERR() by IS_ERR_OR_NULL() in btree_gc_coalesce() md: fix bi_status reporting in md_end_clone_io bcache: fixup multi-threaded bch_sectors_dirty_init() wake-up race io_uring/fs: consider link->flags when getting path for LINKAT s390/dasd: protect device queue against concurrent access USB: serial: option: add Luat Air72*U series products hv_netvsc: fix race of netvsc and VF register_netdevice hv_netvsc: Fix race of register_netdevice_notifier and VF register hv_netvsc: Mark VF as slave before exposing it to user-mode dm-delay: fix a race between delay_presuspend and delay_bio bcache: check return value from btree_node_alloc_replacement() bcache: prevent potential division by zero error bcache: fixup init dirty data errors bcache: fixup lock c->root error usb: cdnsp: Fix deadlock issue during using NCM gadget USB: serial: option: add Fibocom L7xx modules USB: serial: option: fix FM101R-GL defines USB: serial: option: don't claim interface 4 for ZTE MF290 usb: typec: tcpm: Skip hard reset when in error recovery USB: dwc2: write HCINT with INTMASK applied usb: dwc3: Fix default mode initialization usb: dwc3: set the dma max_seg_size USB: dwc3: qcom: fix software node leak on probe errors USB: dwc3: qcom: fix wakeup after probe deferral io_uring: fix off-by one bvec index Linux 6.1.65 Change-Id: Iea9267bee56905028a77d03c7fad8def8969246e Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
a01e106f08 |
Merge branch 'android14-6.1' into branch 'android14-6.1-lts'
This catches the android14-6.1-lts branch up with the latest changes and abi updates. Included in here are the following commits: |
||
|
Greg Kroah-Hartman
|
6b1e1d37f1 |
This is the 6.1.66 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmVyywAACgkQONu9yGCS aT420Q//RK1ZeDdGWqAEH84PtuOzFA7gl5aXjmt1r9I1sDFr06ktk9rc67BNo87b Ugubto1UUpM/ZJfpezH1M4DMQ5f67thkRhCv5qvolh80v21duD7G7i1kX3rJsWk1 daJ76RcYXH63/Qv59uT+ADjSIIAH7yF/FGnUSShyznDRwDh/TqujEoh0e25X4YlV MhcCGBS0NE9Rcuwv2XPp84D4psXhPhmOuUVEPVnPLVnXg09XqOVjMV5uW+X4Sqft sc/bzveBmHoPOVtkz71qo1oxsVkKNMcdmD88+Xn9rSBgAkti5MpV/ZCAxRSVZbwF wyBh23gzRQzHXTn45Bf/1wS5zzQ+PIkadCo7hlPbQHguOMGXkdqTgNJf9EwB09I2 DEAWnCNH5orNk0Sltbfo/7Ja2oJtSHkiaUWk4nP1fZN9Vt9yt1xnRkpkaoBh0L7q NmXBFuvrylC44cfQNXIZSqAXduwCvMPyQDm1txSxYDZVrOy82/zVRWcOrytb0PnO zfqSuQKZPoF29ESq2Ti65Zk5e47EjSjYca91gzOlSVBNXx+xTuSoXCL0RXYclT7H umxK5/wmDSQX6wJzd+JNy7H86U753DuSIzA1112IC1GdWNlWWsjca5omEMgt+lqu Xc9q13vg3Ox+tv0MRv+P398b7NwzuMVcLbMoHE+1EzMH0JS636E= =p/en -----END PGP SIGNATURE----- Merge 6.1.66 into android14-6.1-lts Changes in 6.1.66 cifs: Fix FALLOC_FL_ZERO_RANGE by setting i_size if EOF moved cifs: Fix FALLOC_FL_INSERT_RANGE by setting i_size after EOF moved smb: client: report correct st_size for SMB and NFS symlinks pinctrl: avoid reload of p state in list iteration firewire: core: fix possible memory leak in create_units() mmc: sdhci-pci-gli: Disable LPM during initialization mmc: cqhci: Increase recovery halt timeout mmc: cqhci: Warn of halt or task clear failure mmc: cqhci: Fix task clearing in CQE error recovery mmc: block: Retry commands in CQE error recovery mmc: block: Do not lose cache flush during CQE error recovery mmc: block: Be sure to wait while busy in CQE error recovery ALSA: hda: Disable power-save on KONTRON SinglePC ALSA: hda/realtek: Headset Mic VREF to 100% ALSA: hda/realtek: Add supported ALC257 for ChromeOS dm-verity: align struct dm_verity_fec_io properly scsi: Change SCSI device boolean fields to single bit flags scsi: sd: Fix system start for ATA devices drm/amd: Enable PCIe PME from D3 drm/amdgpu: Force order between a read and write to the same address drm/amd/display: Include udelay when waiting for INBOX0 ACK drm/amd/display: Remove min_dst_y_next_start check for Z8 drm/amd/display: Use DRAM speed from validation for dummy p-state drm/amd/display: Update min Z8 residency time to 2100 for DCN314 drm/amd/display: fix ABM disablement dm verity: initialize fec io before freeing it dm verity: don't perform FEC for failed readahead IO nvme: check for valid nvme_identify_ns() before using it powercap: DTPM: Fix unneeded conversions to micro-Watts cpufreq/amd-pstate: Fix the return value of amd_pstate_fast_switch() dma-buf: fix check in dma_resv_add_fence bcache: revert replacing IS_ERR_OR_NULL with IS_ERR iommu/vt-d: Add MTL to quirk list to skip TE disabling KVM: PPC: Book3S HV: Fix KVM_RUN clobbering FP/VEC user registers powerpc: Don't clobber f0/vs0 during fp|altivec register save parisc: Mark ex_table entries 32-bit aligned in assembly.h parisc: Mark ex_table entries 32-bit aligned in uaccess.h parisc: Use natural CPU alignment for bug_table parisc: Mark lock_aligned variables 16-byte aligned on SMP parisc: Drop the HP-UX ENOSYM and EREMOTERELEASE error codes parisc: Mark jump_table naturally aligned parisc: Ensure 32-bit alignment on parisc unwind section parisc: Mark altinstructions read-only and 32-bit aligned btrfs: add dmesg output for first mount and last unmount of a filesystem btrfs: ref-verify: fix memory leaks in btrfs_ref_tree_mod() btrfs: fix off-by-one when checking chunk map includes logical address btrfs: send: ensure send_fd is writable btrfs: make error messages more clear when getting a chunk map btrfs: fix 64bit compat send ioctl arguments not initializing version member Input: xpad - add HyperX Clutch Gladiate Support auxdisplay: hd44780: move cursor home after clear display command serial: sc16is7xx: Put IOControl register into regmap_volatile serial: sc16is7xx: add missing support for rs485 devicetree properties wifi: cfg80211: fix CQM for non-range use USB: xhci-plat: fix legacy PHY double init USB: core: Change configuration warnings to notices usb: config: fix iteration issue in 'usb_get_bos_descriptor()' ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet dpaa2-eth: increase the needed headroom to account for alignment uapi: propagate __struct_group() attributes to the container union selftests/net: ipsec: fix constant out of range selftests/net: fix a char signedness issue selftests/net: unix: fix unused variable compiler warning selftests/net: mptcp: fix uninitialized variable warnings octeontx2-af: Fix possible buffer overflow net: stmmac: xgmac: Disable FPE MMC interrupts octeontx2-pf: Fix adding mbox work queue entry when num_vfs > 64 octeontx2-af: Install TC filter rules in hardware based on priority octeontx2-pf: Restore TC ingress police rules when interface is up r8169: prevent potential deadlock in rtl8169_close ravb: Fix races between ravb_tx_timeout_work() and net related ops net: ravb: Check return value of reset_control_deassert() net: ravb: Use pm_runtime_resume_and_get() net: ravb: Make write access to CXR35 first before accessing other EMAC registers net: ravb: Start TX queues after HW initialization succeeded net: ravb: Stop DMA in case of failures on ravb_open() net: ravb: Keep reverse order of operations in ravb_remove() KVM: x86: Fix lapic timer interrupt lost after loading a snapshot. PCI: Lengthen reset delay for VideoPropulsion Torrent QN16e card octeontx2-af: Initialize 'cntr_val' to fix uninitialized symbol error PCI: qcom-ep: Add dedicated callback for writing to DBI2 registers fbdev: stifb: Make the STI next font pointer a 32-bit signed offset spi: Fix null dereference on suspend drm/amd/display: Restore rptr/wptr for DMCUB as workaround drm/amd/display: Guard against invalid RPTR/WPTR being set cpufreq: imx6q: don't warn for disabling a non-existing frequency cpufreq: imx6q: Don't disable 792 Mhz OPP unnecessarily iommu/vt-d: Omit devTLB invalidation requests when TES=0 iommu/vt-d: Allocate pasid table in device probe path iommu/vt-d: Add device_block_translation() helper iommu/vt-d: Disable PCI ATS in legacy passthrough mode iommu/vt-d: Make context clearing consistent with context mapping drm/amd/pm: fix a memleak in aldebaran_tables_init mmc: core: add helpers mmc_regulator_enable/disable_vqmmc mmc: sdhci-sprd: Fix vqmmc not shutting down after the card was pulled drm/amd/display: Expand kernel doc for DC drm/amd/display: clean code-style issues in dcn30_set_mpc_shaper_3dlut drm/amd/display: Fix the delta clamping for shaper LUT drm/amd/display: Fix MPCC 1DLUT programming r8169: disable ASPM in case of tx timeout r8169: fix deadlock on RTL8125 in jumbo mtu mode xen: Allow platform PCI interrupt to be shared xen: simplify evtchn_do_upcall() call maze x86/xen: fix percpu vcpu_info allocation x86/apic/msi: Fix misconfigured non-maskable MSI quirk iomap: update ki_pos a little later in iomap_dio_complete Linux 6.1.66 Note, this merge point merges out the following two scsi changes due to them needing to be reverted due to abi breakage and reliance on previous commits that we have already reverted: |
||
|
Greg Kroah-Hartman
|
157836a2ab |
This is the 6.1.65 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmVsIPcACgkQONu9yGCS aT7+WBAAzFMBvadFg+miHsQM+j94gOCSSq4F01gjjchdyeB3ybE/CBfIEa9abfmZ X1qaor8H7Khxh0aPr4KiRsmjKXBGJ6lR1RjdOKeLwffs/1iUk1zHqC3V4jGELhAM WumR5Lyc1UOMA5oCk/oxGoDZ0YNzXwBwB3hTrhpvuogCw8A3qMiyzo7J928PmNr9 sPo2TDi8HvQLlOZ8G9omVP9FTK20owJvfAj1u+gJyN/NGVXGqAQSvDpdhZ6BMYNG 0Z6DlMdCkOF/iSCdsZBCwPXH697Qt4pkPoeYpqNEi9H54B/LQaRDg6K5z7ON+w+7 jH9gwwSUXZLsohdpVkPWTnUThAQJDK4Wr5Pnf3GN1avePyxW4X7meathyeqP4jxD Oc8Igh464VraTunddwHJ03paoZ8/jXkheB0kxIsJ/jeKqUzxb/7gC6aYKZ3+DF3a 0WicxlLCNTeai2zJCYPiQsxejJmwQ37PU6dcZzLyZefXqIVPBmLJ72HJ8j2zocm0 zY6ezASdUjzzTQIM3CuzJfTOJ0VSeaUnyqUK64Ye7cKbiAKRbZMiSjaTfoNRo9MP 8KasX7pEzyEjpO0rtpHKc0hM7imltXsYjcdDfJYkKBXSUMWRTI/wPH9RFE4sJHqh NmEG/8bAE0v6HaQJK83lEMHZJFGFTvXWySsXowU4gXpcw82/F54= =OY6r -----END PGP SIGNATURE----- Merge 6.1.65 into android14-6.1-lts Changes in 6.1.65 afs: Fix afs_server_list to be cleaned up with RCU afs: Make error on cell lookup failure consistent with OpenAFS drm/panel: boe-tv101wum-nl6: Fine tune the panel power sequence drm/panel: auo,b101uan08.3: Fine tune the panel power sequence drm/panel: simple: Fix Innolux G101ICE-L01 bus flags drm/panel: simple: Fix Innolux G101ICE-L01 timings wireguard: use DEV_STATS_INC() octeontx2-pf: Fix memory leak during interface down ata: pata_isapnp: Add missing error check for devm_ioport_map() drm/i915: do not clean GT table on error path drm/rockchip: vop: Fix color for RGB888/BGR888 format on VOP full HID: fix HID device resource race between HID core and debugging support ipv4: Correct/silence an endian warning in __ip_do_redirect net: usb: ax88179_178a: fix failed operations during ax88179_reset net/smc: avoid data corruption caused by decline arm/xen: fix xen_vcpu_info allocation alignment octeontx2-pf: Fix ntuple rule creation to direct packet to VF with higher Rx queue than its PF amd-xgbe: handle corner-case during sfp hotplug amd-xgbe: handle the corner-case during tx completion amd-xgbe: propagate the correct speed and duplex status net: axienet: Fix check for partial TX checksum afs: Return ENOENT if no cell DNS record can be found afs: Fix file locking on R/O volumes to operate in local mode mm,kfence: decouple kfence from page granularity mapping judgement arm64: mm: Fix "rodata=on" when CONFIG_RODATA_FULL_DEFAULT_ENABLED=y i40e: use ERR_PTR error print in i40e messages i40e: Fix adding unsupported cloud filters nvmet: nul-terminate the NQNs passed in the connect command USB: dwc3: qcom: fix resource leaks on probe deferral USB: dwc3: qcom: fix ACPI platform device leak lockdep: Fix block chain corruption cifs: minor cleanup of some headers smb3: allow dumping session and tcon id to improve stats analysis and debugging cifs: print last update time for interface list cifs: distribute channels across interfaces based on speed cifs: account for primary channel in the interface list cifs: fix leak of iface for primary channel MIPS: KVM: Fix a build warning about variable set but not used media: camss: Split power domain management media: camss: Convert to platform remove callback returning void media: qcom: Initialise V4L2 async notifier later media: qcom: camss: Fix V4L2 async notifier error path media: qcom: camss: Fix genpd cleanup ext4: add a new helper to check if es must be kept ext4: factor out __es_alloc_extent() and __es_free_extent() ext4: use pre-allocated es in __es_insert_extent() ext4: use pre-allocated es in __es_remove_extent() ext4: using nofail preallocation in ext4_es_remove_extent() ext4: using nofail preallocation in ext4_es_insert_delayed_block() ext4: using nofail preallocation in ext4_es_insert_extent() ext4: fix slab-use-after-free in ext4_es_insert_extent() ext4: make sure allocate pending entry not fail NFSD: Fix "start of NFS reply" pointer passed to nfsd_cache_update() NFSD: Fix checksum mismatches in the duplicate reply cache arm64: dts: imx8mn-var-som: add 20ms delay to ethernet regulator enable ACPI: resource: Skip IRQ override on ASUS ExpertBook B1402CVA swiotlb-xen: provide the "max_mapping_size" method bcache: replace a mistaken IS_ERR() by IS_ERR_OR_NULL() in btree_gc_coalesce() md: fix bi_status reporting in md_end_clone_io bcache: fixup multi-threaded bch_sectors_dirty_init() wake-up race io_uring/fs: consider link->flags when getting path for LINKAT s390/dasd: protect device queue against concurrent access USB: serial: option: add Luat Air72*U series products hv_netvsc: fix race of netvsc and VF register_netdevice hv_netvsc: Fix race of register_netdevice_notifier and VF register hv_netvsc: Mark VF as slave before exposing it to user-mode dm-delay: fix a race between delay_presuspend and delay_bio bcache: check return value from btree_node_alloc_replacement() bcache: prevent potential division by zero error bcache: fixup init dirty data errors bcache: fixup lock c->root error usb: cdnsp: Fix deadlock issue during using NCM gadget USB: serial: option: add Fibocom L7xx modules USB: serial: option: fix FM101R-GL defines USB: serial: option: don't claim interface 4 for ZTE MF290 usb: typec: tcpm: Skip hard reset when in error recovery USB: dwc2: write HCINT with INTMASK applied usb: dwc3: Fix default mode initialization usb: dwc3: set the dma max_seg_size USB: dwc3: qcom: fix software node leak on probe errors USB: dwc3: qcom: fix wakeup after probe deferral io_uring: fix off-by one bvec index Linux 6.1.65 Change-Id: Iea9267bee56905028a77d03c7fad8def8969246e Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Manish Varma
|
956a0d3998 |
ANDROID: fs: Add vendor hooks for ep_create_wakeup_source & timerfd_create
timerfd doesn't create any wakelocks, but eventpoll can. When it does, it names them after the underlying file descriptor, and since all timerfd file descriptors are named "[timerfd]" (which saves memory on systems like desktops with potentially many timerfd instances), all wakesources created as a result of using the eventpoll-on-timerfd idiom are called... "[timerfd]". However, it becomes impossible to tell which "[timerfd]" wakesource is affliated with which process and hence troubleshooting is difficult. Adding vendor hooks to allow vendor to assign appropriate names to timerfd descriptors and eventoll wakesource. Bug: 155142106 Signed-off-by: Manish Varma <varmam@google.com> Change-Id: I330a42ab48bed4b26d5eb2f636925c66061165ec (cherry picked from commit 0ff110fbb309be385126a42ac9f7004ba9b0644e) |
||
|
David Howells
|
358bd5f436 |
cifs: Fix flushing, invalidation and file size with FICLONE
commit c54fc3a4f375663f2361a9cbb2955fb4ef912879 upstream.
Fix a number of issues in the cifs filesystem implementation of the FICLONE
ioctl in cifs_remap_file_range(). This is analogous to the previously
fixed bug in cifs_file_copychunk_range() and can share the helper
functions.
Firstly, the invalidation of the destination range is handled incorrectly:
We shouldn't just invalidate the whole file as dirty data in the file may
get lost and we can't just call truncate_inode_pages_range() to invalidate
the destination range as that will erase parts of a partial folio at each
end whilst invalidating and discarding all the folios in the middle. We
need to force all the folios covering the range to be reloaded, but we
mustn't lose dirty data in them that's not in the destination range.
Further, we shouldn't simply round out the range to PAGE_SIZE at each end
as cifs should move to support multipage folios.
Secondly, there's an issue whereby a write may have extended the file
locally, but not have been written back yet. This can leaves the local
idea of the EOF at a later point than the server's EOF. If a clone request
is issued, this will fail on the server with STATUS_INVALID_VIEW_SIZE
(which gets translated to -EIO locally) if the clone source extends past
the server's EOF.
Fix this by:
(0) Flush the source region (already done). The flush does nothing and
the EOF isn't moved if the source region has no dirty data.
(1) Move the EOF to the end of the source region if it isn't already at
least at this point. If we can't do this, for instance if the server
doesn't support it, just flush the entire source file.
(2) Find the folio (if present) at each end of the range, flushing it and
increasing the region-to-be-invalidated to cover those in their
entirety.
(3) Fully discard all the folios covering the range as we want them to be
reloaded.
(4) Then perform the extent duplication.
Thirdly, set i_size after doing the duplicate_extents operation as this
value may be used by various things internally. stat() hides the issue
because setting ->time to 0 causes cifs_getatr() to revalidate the
attributes.
These were causing the cifs/001 xfstest to fail.
Fixes:
|
||
|
David Howells
|
18b02e4343 |
cifs: Fix flushing, invalidation and file size with copy_file_range()
commit 7b2404a886f8b91250c31855d287e632123e1746 upstream.
Fix a number of issues in the cifs filesystem implementation of the
copy_file_range() syscall in cifs_file_copychunk_range().
Firstly, the invalidation of the destination range is handled incorrectly:
We shouldn't just invalidate the whole file as dirty data in the file may
get lost and we can't just call truncate_inode_pages_range() to invalidate
the destination range as that will erase parts of a partial folio at each
end whilst invalidating and discarding all the folios in the middle. We
need to force all the folios covering the range to be reloaded, but we
mustn't lose dirty data in them that's not in the destination range.
Further, we shouldn't simply round out the range to PAGE_SIZE at each end
as cifs should move to support multipage folios.
Secondly, there's an issue whereby a write may have extended the file
locally, but not have been written back yet. This can leaves the local
idea of the EOF at a later point than the server's EOF. If a copy request
is issued, this will fail on the server with STATUS_INVALID_VIEW_SIZE
(which gets translated to -EIO locally) if the copy source extends past the
server's EOF.
Fix this by:
(0) Flush the source region (already done). The flush does nothing and
the EOF isn't moved if the source region has no dirty data.
(1) Move the EOF to the end of the source region if it isn't already at
least at this point. If we can't do this, for instance if the server
doesn't support it, just flush the entire source file.
(2) Find the folio (if present) at each end of the range, flushing it and
increasing the region-to-be-invalidated to cover those in their
entirety.
(3) Fully discard all the folios covering the range as we want them to be
reloaded.
(4) Then perform the copy.
Thirdly, set i_size after doing the copychunk_range operation as this value
may be used by various things internally. stat() hides the issue because
setting ->time to 0 causes cifs_getatr() to revalidate the attributes.
These were causing the generic/075 xfstest to fail.
Fixes:
|
||
|
Paulo Alcantara
|
b12ccef705 |
smb: client: fix potential NULL deref in parse_dfs_referrals()
commit 92414333eb375ed64f4ae92d34d579e826936480 upstream.
If server returned no data for FSCTL_DFS_GET_REFERRALS, @dfs_rsp will
remain NULL and then parse_dfs_referrals() will dereference it.
Fix this by returning -EIO when no output data is returned.
Besides, we can't fix it in SMB2_ioctl() as some FSCTLs are allowed to
return no data as per MS-SMB2 2.2.32.
Fixes:
|
||
|
David Howells
|
9ce109b748 |
cifs: Fix non-availability of dedup breaking generic/304
commit 691a41d8da4b34fe72f09393505f55f28a8f34ec upstream. Deduplication isn't supported on cifs, but cifs doesn't reject it, instead treating it as extent duplication/cloning. This can cause generic/304 to go silly and run for hours on end. Fix cifs to indicate EOPNOTSUPP if REMAP_FILE_DEDUP is set in ->remap_file_range(). Note that it's unclear whether or not commit |
||
Ryusuke Konishi
|
3907e9cc85 |
nilfs2: prevent WARNING in nilfs_sufile_set_segment_usage()
commit 675abf8df1353e0e3bde314993e0796c524cfbf0 upstream. If nilfs2 reads a disk image with corrupted segment usage metadata, and its segment usage information is marked as an error for the segment at the write location, nilfs_sufile_set_segment_usage() can trigger WARN_ONs during log writing. Segments newly allocated for writing with nilfs_sufile_alloc() will not have this error flag set, but this unexpected situation will occur if the segment indexed by either nilfs->ns_segnum or nilfs->ns_nextnum (active segment) was marked in error. Fix this issue by inserting a sanity check to treat it as a file system corruption. Since error returns are not allowed during the execution phase where nilfs_sufile_set_segment_usage() is used, this inserts the sanity check into nilfs_sufile_mark_dirty() which pre-reads the buffer containing the segment usage record to be updated and sets it up in a dirty state for writing. In addition, nilfs_sufile_set_segment_usage() is also called when canceling log writing and undoing segment usage update, so in order to avoid issuing the same kernel warning in that case, in case of cancellation, avoid checking the error flag in nilfs_sufile_set_segment_usage(). Link: https://lkml.kernel.org/r/20231205085947.4431-1-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Reported-by: syzbot+14e9f834f6ddecece094@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=14e9f834f6ddecece094 Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Ryusuke Konishi
|
c344e99dd8 |
nilfs2: fix missing error check for sb_set_blocksize call
commit d61d0ab573649789bf9eb909c89a1a193b2e3d10 upstream. When mounting a filesystem image with a block size larger than the page size, nilfs2 repeatedly outputs long error messages with stack traces to the kernel log, such as the following: getblk(): invalid block size 8192 requested logical block size: 512 ... Call Trace: dump_stack_lvl+0x92/0xd4 dump_stack+0xd/0x10 bdev_getblk+0x33a/0x354 __breadahead+0x11/0x80 nilfs_search_super_root+0xe2/0x704 [nilfs2] load_nilfs+0x72/0x504 [nilfs2] nilfs_mount+0x30f/0x518 [nilfs2] legacy_get_tree+0x1b/0x40 vfs_get_tree+0x18/0xc4 path_mount+0x786/0xa88 __ia32_sys_mount+0x147/0x1a8 __do_fast_syscall_32+0x56/0xc8 do_fast_syscall_32+0x29/0x58 do_SYSENTER_32+0x15/0x18 entry_SYSENTER_32+0x98/0xf1 ... This overloads the system logger. And to make matters worse, it sometimes crashes the kernel with a memory access violation. This is because the return value of the sb_set_blocksize() call, which should be checked for errors, is not checked. The latter issue is due to out-of-buffer memory being accessed based on a large block size that caused sb_set_blocksize() to fail for buffers read with the initial minimum block size that remained unupdated in the super_block structure. Since nilfs2 mkfs tool does not accept block sizes larger than the system page size, this has been overlooked. However, it is possible to create this situation by intentionally modifying the tool or by passing a filesystem image created on a system with a large page size to a system with a smaller page size and mounting it. Fix this issue by inserting the expected error handling for the call to sb_set_blocksize(). Link: https://lkml.kernel.org/r/20231129141547.4726-1-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Greg Kroah-Hartman
|
f1bc13cb9d |
This is the 6.1.64 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmVmHpsACgkQONu9yGCS aT5uvw//SzcE0GImnHnfeN7iXtpFE9O0fhTxsjZCi8/HTXmGWPtQgWscd9y81bAd EHBVr456GXqd6KuIF+03g/r/FYinwWqK375meLfaybw1vSBP+fZttrEGqz6nTnYD yqOxw2bqgz8Xjp63UeNHD6mifpBvVtuAvzrfO1E2Ie/U1OU2uKdjRRv0iijKNeWN liOYTXaddIkVfZR0z6dVTl0hb5dPWsxNmF77kfVpKz4ALIHJcO13DlUuKtQz6Sb6 0ElmJpuonHuUxHzb8e9LLsFy3IvbBqomSscwcd0tngtdUTzhMYFIZLjg2+WQ9Ovq raMGqvS/bKsoyoTBNKL83QB2NyXQb3vkfL0NgLsq9IwDl+r96mP9ctANYGwSjhND o/4sa/fbMFzeInA8Rzh7i56RCNstOBKApJPhBzWuY0f/6b1BZpvZaONyX3fFksWO dMeYT16GgO4lhQXnG3O6mtDT8eoZ1fLf7ZdGEZ2NktcOzXYelNc4aXJke7qdlIop CVxM+Ur+juj+DJymo59a6baXjEgIROdHq83N3CZwetGviPHneGqgYc0K7ETtA33H sH/0KGYAT8SzzjMlnXB0lpjp68WViJfzzo9Wxdf2aDZbL3SdI14GPKMUeDqqeSyU 8bB2Hb4ItccRFW9RriiE3BPGnLGu7PDTkn5TgXDG/bDX54Cb5DQ= =YPzI -----END PGP SIGNATURE----- Merge 6.1.64 into android14-6.1-lts Changes in 6.1.64 locking/ww_mutex/test: Fix potential workqueue corruption lib/generic-radix-tree.c: Don't overflow in peek() perf/core: Bail out early if the request AUX area is out of bound srcu: Fix srcu_struct node grpmask overflow on 64-bit systems selftests/lkdtm: Disable CONFIG_UBSAN_TRAP in test config clocksource/drivers/timer-imx-gpt: Fix potential memory leak clocksource/drivers/timer-atmel-tcb: Fix initialization on SAM9 hardware smp,csd: Throw an error if a CSD lock is stuck for too long cpu/hotplug: Don't offline the last non-isolated CPU workqueue: Provide one lock class key per work_on_cpu() callsite x86/mm: Drop the 4 MB restriction on minimal NUMA node memory size wifi: plfxlc: fix clang-specific fortify warning wifi: mac80211_hwsim: fix clang-specific fortify warning wifi: mac80211: don't return unset power in ieee80211_get_tx_power() atl1c: Work around the DMA RX overflow issue bpf: Detect IP == ksym.end as part of BPF program wifi: ath9k: fix clang-specific fortify warnings wifi: ath10k: fix clang-specific fortify warning net: annotate data-races around sk->sk_tx_queue_mapping net: annotate data-races around sk->sk_dst_pending_confirm wifi: ath10k: Don't touch the CE interrupt registers after power up vsock: read from socket's error queue bpf: Ensure proper register state printing for cond jumps Bluetooth: btusb: Add date->evt_skb is NULL check Bluetooth: Fix double free in hci_conn_cleanup ACPI: EC: Add quirk for HP 250 G7 Notebook PC tsnep: Fix tsnep_request_irq() format-overflow warning platform/chrome: kunit: initialize lock for fake ec_dev platform/x86: thinkpad_acpi: Add battery quirk for Thinkpad X120e drm/gma500: Fix call trace when psb_gem_mm_init() fails drm/komeda: drop all currently held locks if deadlock happens drm/amdgpu: not to save bo in the case of RAS err_event_athub drm/amdkfd: Fix a race condition of vram buffer unref in svm code drm/amd: Update `update_pcie_parameters` functions to use uint8_t arguments drm/amd/display: use full update for clip size increase of large plane source string.h: add array-wrappers for (v)memdup_user() kernel: kexec: copy user-array safely kernel: watch_queue: copy user-array safely drm_lease.c: copy user-array safely drm: vmwgfx_surface.c: copy user-array safely drm/msm/dp: skip validity check for DP CTS EDID checksum drm/amd: Fix UBSAN array-index-out-of-bounds for SMU7 drm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga drm/amdgpu: Fix potential null pointer derefernce drm/panel: fix a possible null pointer dereference drm/panel/panel-tpo-tpg110: fix a possible null pointer dereference drm/radeon: fix a possible null pointer dereference drm/amdgpu/vkms: fix a possible null pointer dereference drm/panel: st7703: Pick different reset sequence drm/amdkfd: Fix shift out-of-bounds issue drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL arm64: dts: ls208xa: use a pseudo-bus to constrain usb dma size selftests/efivarfs: create-read: fix a resource leak ASoC: soc-card: Add storage for PCI SSID ASoC: SOF: Pass PCI SSID to machine driver crypto: pcrypt - Fix hungtask for PADATA_RESET ASoC: SOF: ipc4: handle EXCEPTION_CAUGHT notification from firmware RDMA/hfi1: Use FIELD_GET() to extract Link Width scsi: hisi_sas: Set debugfs_dir pointer to NULL after removing debugfs scsi: ibmvfc: Remove BUG_ON in the case of an empty event pool fs/jfs: Add check for negative db_l2nbperpage fs/jfs: Add validity check for db_maxag and db_agpref jfs: fix array-index-out-of-bounds in dbFindLeaf jfs: fix array-index-out-of-bounds in diAlloc HID: lenovo: Detect quirk-free fw on cptkbd and stop applying workaround ARM: 9320/1: fix stack depot IRQ stack filter ALSA: hda: Fix possible null-ptr-deref when assigning a stream PCI: tegra194: Use FIELD_GET()/FIELD_PREP() with Link Width fields PCI: mvebu: Use FIELD_PREP() with Link Width atm: iphase: Do PCI error checks on own line PCI: Do error check on own line to split long "if" conditions scsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup() PCI: Use FIELD_GET() to extract Link Width PCI: Extract ATS disabling to a helper function PCI: Disable ATS for specific Intel IPU E2000 devices misc: pci_endpoint_test: Add Device ID for R-Car S4-8 PCIe controller PCI: Use FIELD_GET() in Sapphire RX 5600 XT Pulse quirk ASoC: Intel: soc-acpi-cht: Add Lenovo Yoga Tab 3 Pro YT3-X90 quirk crypto: hisilicon/qm - prevent soft lockup in receive loop HID: Add quirk for Dell Pro Wireless Keyboard and Mouse KM5221W exfat: support handle zero-size directory mfd: intel-lpss: Add Intel Lunar Lake-M PCI IDs iio: adc: stm32-adc: harden against NULL pointer deref in stm32_adc_probe() thunderbolt: Apply USB 3.x bandwidth quirk only in software connection manager tty: vcc: Add check for kstrdup() in vcc_probe() usb: dwc3: core: configure TX/RX threshold for DWC3_IP soundwire: dmi-quirks: update HP Omen match f2fs: fix error handling of __get_node_page usb: gadget: f_ncm: Always set current gadget in ncm_bind() 9p/trans_fd: Annotate data-racy writes to file::f_flags 9p: v9fs_listxattr: fix %s null argument warning i3c: mipi-i3c-hci: Fix out of bounds access in hci_dma_irq_handler i2c: fix memleak in i2c_new_client_device() i2c: sun6i-p2wi: Prevent potential division by zero virtio-blk: fix implicit overflow on virtio_max_dma_size i3c: master: mipi-i3c-hci: Fix a kernel panic for accessing DAT_data. media: gspca: cpia1: shift-out-of-bounds in set_flicker media: vivid: avoid integer overflow gfs2: ignore negated quota changes gfs2: fix an oops in gfs2_permission media: cobalt: Use FIELD_GET() to extract Link Width media: ccs: Fix driver quirk struct documentation media: imon: fix access to invalid resource for the second interface drm/amd/display: Avoid NULL dereference of timing generator kgdb: Flush console before entering kgdb on panic i2c: dev: copy userspace array safely ASoC: ti: omap-mcbsp: Fix runtime PM underflow warnings drm/qxl: prevent memory leak ALSA: hda/realtek: Add quirk for ASUS UX7602ZM drm/amdgpu: fix software pci_unplug on some chips pwm: Fix double shift bug mtd: rawnand: tegra: add missing check for platform_get_irq() wifi: iwlwifi: Use FW rate for non-data frames sched/core: Optimize in_task() and in_interrupt() a bit SUNRPC: ECONNRESET might require a rebind mtd: rawnand: intel: check return value of devm_kasprintf() mtd: rawnand: meson: check return value of devm_kasprintf() NFSv4.1: fix handling NFS4ERR_DELAY when testing for session trunking SUNRPC: Add an IS_ERR() check back to where it was NFSv4.1: fix SP4_MACH_CRED protection for pnfs IO SUNRPC: Fix RPC client cleaned up the freed pipefs dentries gfs2: Silence "suspicious RCU usage in gfs2_permission" warning vhost-vdpa: fix use after free in vhost_vdpa_probe() net: set SOCK_RCU_FREE before inserting socket into hashtable ipvlan: add ipvlan_route_v6_outbound() helper tty: Fix uninit-value access in ppp_sync_receive() net: hns3: fix add VLAN fail issue net: hns3: add barrier in vf mailbox reply process net: hns3: fix incorrect capability bit display for copper port net: hns3: fix out-of-bounds access may occur when coalesce info is read via debugfs net: hns3: fix variable may not initialized problem in hns3_init_mac_addr() net: hns3: fix VF reset fail issue net: hns3: fix VF wrong speed and duplex issue tipc: Fix kernel-infoleak due to uninitialized TLV value net: mvneta: fix calls to page_pool_get_stats ppp: limit MRU to 64K xen/events: fix delayed eoi list handling ptp: annotate data-race around q->head and q->tail bonding: stop the device in bond_setup_by_slave() net: ethernet: cortina: Fix max RX frame define net: ethernet: cortina: Handle large frames net: ethernet: cortina: Fix MTU max setting af_unix: fix use-after-free in unix_stream_read_actor() netfilter: nf_conntrack_bridge: initialize err to 0 netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval() net: stmmac: fix rx budget limit check net: stmmac: avoid rx queue overrun net/mlx5e: fix double free of encap_header net/mlx5e: fix double free of encap_header in update funcs net/mlx5e: Fix pedit endianness net/mlx5e: Reduce the size of icosq_str net/mlx5e: Check return value of snprintf writing to fw_version buffer net/mlx5e: Check return value of snprintf writing to fw_version buffer for representors macvlan: Don't propagate promisc change to lower dev in passthru tools/power/turbostat: Fix a knl bug tools/power/turbostat: Enable the C-state Pre-wake printing cifs: spnego: add ';' in HOST_KEY_LEN cifs: fix check of rc in function generate_smb3signingkey i915/perf: Fix NULL deref bugs with drm_dbg() calls media: venus: hfi: add checks to perform sanity on queue pointers perf intel-pt: Fix async branch flags powerpc/perf: Fix disabling BHRB and instruction sampling randstruct: Fix gcc-plugin performance mode to stay in group bpf: Fix check_stack_write_fixed_off() to correctly spill imm bpf: Fix precision tracking for BPF_ALU | BPF_TO_BE | BPF_END scsi: mpt3sas: Fix loop logic scsi: megaraid_sas: Increase register read retry rount from 3 to 30 for selected registers scsi: qla2xxx: Fix system crash due to bad pointer access crypto: x86/sha - load modules based on CPU features x86/cpu/hygon: Fix the CPU topology evaluation for real KVM: x86: hyper-v: Don't auto-enable stimer on write from user-space KVM: x86: Ignore MSR_AMD64_TW_CFG access KVM: x86: Clear bit12 of ICR after APIC-write VM-exit audit: don't take task_lock() in audit_exe_compare() code path audit: don't WARN_ON_ONCE(!current->mm) in audit_exe_compare() proc: sysctl: prevent aliased sysctls from getting passed to init tty/sysrq: replace smp_processor_id() with get_cpu() tty: serial: meson: fix hard LOCKUP on crtscts mode hvc/xen: fix console unplug hvc/xen: fix error path in xen_hvc_init() to always register frontend driver hvc/xen: fix event channel handling for secondary consoles PCI/sysfs: Protect driver's D3cold preference from user space mm/damon/sysfs: remove requested targets when online-commit inputs mm/damon/sysfs: update monitoring target regions for online input commit watchdog: move softlockup_panic back to early_param mm/damon/lru_sort: avoid divide-by-zero in hot threshold calculation mm/damon/ops-common: avoid divide-by-zero during region hotness calculation mm/damon: implement a function for max nr_accesses safe calculation mm/damon/sysfs: check error from damon_sysfs_update_target() ACPI: resource: Do IRQ override on TongFang GMxXGxx regmap: Ensure range selector registers are updated after cache sync wifi: ath11k: fix temperature event locking wifi: ath11k: fix dfs radar event locking wifi: ath11k: fix htt pktlog locking wifi: ath11k: fix gtk offload status event locking mmc: meson-gx: Remove setting of CMD_CFG_ERROR genirq/generic_chip: Make irq_remove_generic_chip() irqdomain aware KEYS: trusted: tee: Refactor register SHM usage KEYS: trusted: Rollback init_trusted() consistently PCI: keystone: Don't discard .remove() callback PCI: keystone: Don't discard .probe() callback arm64: Restrict CPU_BIG_ENDIAN to GNU as or LLVM IAS 15.x or newer parisc/pdc: Add width field to struct pdc_model parisc/power: Add power soft-off when running on qemu clk: socfpga: Fix undefined behavior bug in struct stratix10_clock_data clk: qcom: ipq8074: drop the CLK_SET_RATE_PARENT flag from PLL clocks clk: qcom: ipq6018: drop the CLK_SET_RATE_PARENT flag from PLL clocks ksmbd: handle malformed smb1 message ksmbd: fix slab out of bounds write in smb_inherit_dacl() mmc: vub300: fix an error code mmc: sdhci_am654: fix start loop index for TAP value parsing mmc: Add quirk MMC_QUIRK_BROKEN_CACHE_FLUSH for Micron eMMC Q2J54A PCI/ASPM: Fix L1 substate handling in aspm_attr_store_common() PCI: kirin: Don't discard .remove() callback PCI: exynos: Don't discard .remove() callback wifi: wilc1000: use vmm_table as array in wilc struct svcrdma: Drop connection after an RDMA Read error rcu/tree: Defer setting of jiffies during stall reset arm64: dts: qcom: ipq6018: Fix hwlock index for SMEM PM: hibernate: Use __get_safe_page() rather than touching the list PM: hibernate: Clean up sync_read handling in snapshot_write_next() rcu: kmemleak: Ignore kmemleak false positives when RCU-freeing objects btrfs: don't arbitrarily slow down delalloc if we're committing arm64: dts: qcom: ipq8074: Fix hwlock index for SMEM firmware: qcom_scm: use 64-bit calling convention only when client is 64-bit ACPI: FPDT: properly handle invalid FPDT subtables arm64: dts: qcom: ipq6018: Fix tcsr_mutex register size mfd: qcom-spmi-pmic: Fix reference leaks in revid helper mfd: qcom-spmi-pmic: Fix revid implementation ima: annotate iint mutex to avoid lockdep false positive warnings ima: detect changes to the backing overlay file netfilter: nf_tables: remove catchall element in GC sync path netfilter: nf_tables: split async and sync catchall in two functions selftests/resctrl: Remove duplicate feature check from CMT test selftests/resctrl: Move _GNU_SOURCE define into Makefile selftests/resctrl: Reduce failures due to outliers in MBA/MBM tests hid: lenovo: Resend all settings on reset_resume for compact keyboards ASoC: codecs: wsa-macro: fix uninitialized stack variables with name prefix jbd2: fix potential data lost in recovering journal raced with synchronizing fs bdev quota: explicitly forbid quota files from being encrypted kernel/reboot: emergency_restart: Set correct system_state i2c: core: Run atomic i2c xfer when !preemptible tracing: Have the user copy of synthetic event address use correct context driver core: Release all resources during unbind before updating device links mcb: fix error handling for different scenarios when parsing dmaengine: stm32-mdma: correct desc prep when channel running s390/cmma: fix detection of DAT pages mm/cma: use nth_page() in place of direct struct page manipulation mm/memory_hotplug: use pfn math in place of direct struct page manipulation mtd: cfi_cmdset_0001: Byte swap OTP info i3c: master: cdns: Fix reading status register i3c: master: svc: fix race condition in ibi work thread i3c: master: svc: fix wrong data return when IBI happen during start frame i3c: master: svc: fix ibi may not return mandatory data byte i3c: master: svc: fix check wrong status register in irq handler i3c: master: svc: fix SDA keep low when polling IBIWON timeout happen parisc: Prevent booting 64-bit kernels on PA1.x machines parisc/pgtable: Do not drop upper 5 address bits of physical address parisc/power: Fix power soft-off when running on qemu xhci: Enable RPM on controllers that support low-power states fs: add ctime accessors infrastructure smb3: fix creating FIFOs when mounting with "sfu" mount option smb3: fix touch -h of symlink smb3: fix caching of ctime on setxattr smb: client: fix use-after-free bug in cifs_debug_data_proc_show() smb: client: fix potential deadlock when releasing mids cifs: reconnect helper should set reconnect for the right channel cifs: force interface update before a fresh session setup cifs: do not reset chan_max if multichannel is not supported at mount xfs: recovery should not clear di_flushiter unconditionally btrfs: zoned: wait for data BG to be finished on direct IO allocation ALSA: info: Fix potential deadlock at disconnection ALSA: hda/realtek: Enable Mute LED on HP 255 G8 ALSA: hda/realtek - Add Dell ALC295 to pin fall back table ALSA: hda/realtek - Enable internal speaker of ASUS K6500ZC ALSA: hda/realtek: Enable Mute LED on HP 255 G10 ALSA: hda/realtek: Add quirks for HP Laptops pmdomain: bcm: bcm2835-power: check if the ASB register is equal to enable pmdomain: imx: Make imx pgc power domain also set the fwnode cpufreq: stats: Fix buffer overflow detection in trans_stats() clk: visconti: remove unused visconti_pll_provider::regmap clk: visconti: Fix undefined behavior bug in struct visconti_pll_provider Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0cb8:0xc559 bluetooth: Add device 0bda:887b to device tables bluetooth: Add device 13d3:3571 to device tables Bluetooth: btusb: Add RTW8852BE device 13d3:3570 to device tables Bluetooth: btusb: Add 0bda:b85b for Fn-Link RTL8852BE drm/amd/display: enable dsc_clk even if dsc_pg disabled cxl/region: Validate region mode vs decoder mode cxl/region: Cleanup target list on attach error cxl/region: Move region-position validation to a helper cxl/region: Do not try to cleanup after cxl_region_setup_targets() fails i3c: master: svc: add NACK check after start byte sent i3c: master: svc: fix random hot join failure since timeout error cxl: Unify debug messages when calling devm_cxl_add_port() cxl/mem: Move devm_cxl_add_endpoint() from cxl_core to cxl_mem tools/testing/cxl: Define a fixed volatile configuration to parse cxl/region: Fix x1 root-decoder granularity calculations Revert ncsi: Propagate carrier gain/loss events to the NCSI controller Revert "i2c: pxa: move to generic GPIO recovery" lsm: fix default return value for vm_enough_memory lsm: fix default return value for inode_getsecctx sbsa_gwdt: Calculate timeout with 64-bit math i2c: designware: Disable TX_EMPTY irq while waiting for block length byte s390/ap: fix AP bus crash on early config change callback invocation net: ethtool: Fix documentation of ethtool_sprintf() net: dsa: lan9303: consequently nested-lock physical MDIO net: phylink: initialize carrier state at creation i2c: i801: fix potential race in i801_block_transaction_byte_by_byte f2fs: do not return EFSCORRUPTED, but try to run online repair f2fs: avoid format-overflow warning media: lirc: drop trailing space from scancode transmit media: sharp: fix sharp encoding media: venus: hfi_parser: Add check to keep the number of codecs within range media: venus: hfi: fix the check to handle session buffer requirement media: venus: hfi: add checks to handle capabilities from firmware media: ccs: Correctly initialise try compose rectangle drm/mediatek/dp: fix memory leak on ->get_edid callback audio detection drm/mediatek/dp: fix memory leak on ->get_edid callback error path dm-verity: don't use blocking calls from tasklets nfsd: fix file memleak on client_opens_release LoongArch: Mark __percpu functions as always inline riscv: mm: Update the comment of CONFIG_PAGE_OFFSET riscv: correct pt_level name via pgtable_l5/4_enabled riscv: kprobes: allow writing to x0 mmc: sdhci-pci-gli: A workaround to allow GL9750 to enter ASPM L1.2 mm: fix for negative counter: nr_file_hugepages mm: kmem: drop __GFP_NOFAIL when allocating objcg vectors mptcp: deal with large GSO size mptcp: add validity check for sending RM_ADDR mptcp: fix setsockopt(IP_TOS) subflow locking r8169: fix network lost after resume on DASH systems r8169: add handling DASH when DASH is disabled mmc: sdhci-pci-gli: GL9750: Mask the replay timer timeout of AER media: qcom: camss: Fix pm_domain_on sequence in probe media: qcom: camss: Fix vfe_get() error jump media: qcom: camss: Fix VFE-17x vfe_disable_output() media: qcom: camss: Fix VFE-480 vfe_disable_output() media: qcom: camss: Fix missing vfe_lite clocks check media: qcom: camss: Fix invalid clock enable bit disjunction media: qcom: camss: Fix csid-gen2 for test pattern generator Revert "net: r8169: Disable multicast filter for RTL8168H and RTL8107E" ext4: apply umask if ACL support is disabled ext4: correct offset of gdb backup in non meta_bg group to update_backups ext4: mark buffer new if it is unwritten to avoid stale data exposure ext4: correct return value of ext4_convert_meta_bg ext4: correct the start block of counting reserved clusters ext4: remove gdb backup copy for meta bg in setup_new_flex_group_blocks ext4: add missed brelse in update_backups ext4: properly sync file size update after O_SYNC direct IO drm/amd/pm: Handle non-terminated overdrive commands. drm/i915: Bump GLK CDCLK frequency when driving multiple pipes drm/i915: Fix potential spectre vulnerability drm/amd/pm: Fix error of MACO flag setting code drm/amdgpu/smu13: drop compute workload workaround drm/amdgpu: don't use pci_is_thunderbolt_attached() drm/amdgpu: don't use ATRM for external devices drm/amdgpu: fix error handling in amdgpu_bo_list_get() drm/amdgpu: lower CS errors to debug severity drm/amd/display: fix a NULL pointer dereference in amdgpu_dm_i2c_xfer() drm/amd/display: Enable fast plane updates on DCN3.2 and above drm/amd/display: Change the DMCUB mailbox memory location from FB to inbox powerpc/powernv: Fix fortify source warnings in opal-prd.c tracing: Have trace_event_file have ref counters Input: xpad - add VID for Turtle Beach controllers mmc: sdhci-pci-gli: GL9755: Mask the replay timer timeout of AER cxl/port: Fix NULL pointer access in devm_cxl_add_port() RISC-V: drop error print from riscv_hartid_to_cpuid() Linux 6.1.64 Change-Id: I9284282aeae5d0f9da957a58147efe0114f8e60a Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
0c2e40b9a3 |
Merge branch 'android14-6.1' into branch 'android14-6.1-lts'
This catches the android14-6.1-lts branch up with the latest changes in the android14-6.1 branch, including a number of important symbols being added for tracking. This includes the following commits: * |
||
Christoph Hellwig
|
ea574927fc |
iomap: update ki_pos a little later in iomap_dio_complete
commit 936e114a245b6e38e0dbf706a67e7611fc993da1 upstream. Move the ki_pos update down a bit to prepare for a better common helper that invalidates pages based of an iocb. Link: https://lkml.kernel.org/r/20230601145904.1385409-3-hch@lst.de Signed-off-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Damien Le Moal <dlemoal@kernel.org> Reviewed-by: Hannes Reinecke <hare@suse.de> Reviewed-by: Darrick J. Wong <djwong@kernel.org> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Andreas Gruenbacher <agruenba@redhat.com> Cc: Anna Schumaker <anna@kernel.org> Cc: Chao Yu <chao@kernel.org> Cc: Christian Brauner <brauner@kernel.org> Cc: Ilya Dryomov <idryomov@gmail.com> Cc: Jaegeuk Kim <jaegeuk@kernel.org> Cc: Jens Axboe <axboe@kernel.dk> Cc: Johannes Thumshirn <johannes.thumshirn@wdc.com> Cc: Matthew Wilcox <willy@infradead.org> Cc: Miklos Szeredi <miklos@szeredi.hu> Cc: Miklos Szeredi <mszeredi@redhat.com> Cc: Theodore Ts'o <tytso@mit.edu> Cc: Trond Myklebust <trond.myklebust@hammerspace.com> Cc: Xiubo Li <xiubli@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Cc: Jan Kara <jack@suse.cz> Link: https://lore.kernel.org/r/20231205122122.dfhhoaswsfscuhc3@quack3 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
David Sterba
|
7a105de275 |
btrfs: fix 64bit compat send ioctl arguments not initializing version member
commit 5de0434bc064606d6b7467ec3e5ad22963a18c04 upstream. When the send protocol versioning was added in 5.16 |
||
Filipe Manana
|
32912ee869 |
btrfs: make error messages more clear when getting a chunk map
commit 7d410d5efe04e42a6cd959bfe6d59d559fdf8b25 upstream. When getting a chunk map, at btrfs_get_chunk_map(), we do some sanity checks to verify we found a chunk map and that map found covers the logical address the caller passed in. However the messages aren't very clear in the sense that don't mention the issue is with a chunk map and one of them prints the 'length' argument as if it were the end offset of the requested range (while the in the string format we use %llu-%llu which suggests a range, and the second %llu-%llu is actually a range for the chunk map). So improve these two details in the error messages. CC: stable@vger.kernel.org # 5.4+ Reviewed-by: Josef Bacik <josef@toxicpanda.com> Signed-off-by: Filipe Manana <fdmanana@suse.com> Reviewed-by: David Sterba <dsterba@suse.com> Signed-off-by: David Sterba <dsterba@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Jann Horn
|
4fc9c61c02 |
btrfs: send: ensure send_fd is writable
commit 0ac1d13a55eb37d398b63e6ff6db4a09a2c9128c upstream. kernel_write() requires the caller to ensure that the file is writable. Let's do that directly after looking up the ->send_fd. We don't need a separate bailout path because the "out" path already does fput() if ->send_filp is non-NULL. This has no security impact for two reasons: - the ioctl requires CAP_SYS_ADMIN - __kernel_write() bails out on read-only files - but only since 5.8, see commit |
||
|
Filipe Manana
|
86742a963f |
btrfs: fix off-by-one when checking chunk map includes logical address
commit 5fba5a571858ce2d787fdaf55814e42725bfa895 upstream. At btrfs_get_chunk_map() we get the extent map for the chunk that contains the given logical address stored in the 'logical' argument. Then we do sanity checks to verify the extent map contains the logical address. One of these checks verifies if the extent map covers a range with an end offset behind the target logical address - however this check has an off-by-one error since it will consider an extent map whose start offset plus its length matches the target logical address as inclusive, while the fact is that the last byte it covers is behind the target logical address (by 1). So fix this condition by using '<=' rather than '<' when comparing the extent map's "start + length" against the target logical address. CC: stable@vger.kernel.org # 4.14+ Reviewed-by: Josef Bacik <josef@toxicpanda.com> Signed-off-by: Filipe Manana <fdmanana@suse.com> Reviewed-by: David Sterba <dsterba@suse.com> Signed-off-by: David Sterba <dsterba@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Bragatheswaran Manickavel
|
9fe447c485 |
btrfs: ref-verify: fix memory leaks in btrfs_ref_tree_mod()
commit f91192cd68591c6b037da345bc9fcd5e50540358 upstream. In btrfs_ref_tree_mod(), when !parent 're' was allocated through kmalloc(). In the following code, if an error occurs, the execution will be redirected to 'out' or 'out_unlock' and the function will be exited. However, on some of the paths, 're' are not deallocated and may lead to memory leaks. For example: lookup_block_entry() for 'be' returns NULL, the out label will be invoked. During that flow ref and 'ra' are freed but not 're', which can potentially lead to a memory leak. CC: stable@vger.kernel.org # 5.10+ Reported-and-tested-by: syzbot+d66de4cbf532749df35f@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=d66de4cbf532749df35f Signed-off-by: Bragatheswaran Manickavel <bragathemanick0908@gmail.com> Reviewed-by: David Sterba <dsterba@suse.com> Signed-off-by: David Sterba <dsterba@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Qu Wenruo
|
3f26d9b257 |
btrfs: add dmesg output for first mount and last unmount of a filesystem
commit 2db313205f8b96eea467691917138d646bb50aef upstream. There is a feature request to add dmesg output when unmounting a btrfs. There are several alternative methods to do the same thing, but with their own problems: - Use eBPF to watch btrfs_put_super()/open_ctree() Not end user friendly, they have to dip their head into the source code. - Watch for directory /sys/fs/<uuid>/ This is way more simple, but still requires some simple device -> uuid lookups. And a script needs to use inotify to watch /sys/fs/. Compared to all these, directly outputting the information into dmesg would be the most simple one, with both device and UUID included. And since we're here, also add the output when mounting a filesystem for the first time for parity. A more fine grained monitoring of subvolume mounts should be done by another layer, like audit. Now mounting a btrfs with all default mkfs options would look like this: [81.906566] BTRFS info (device dm-8): first mount of filesystem 633b5c16-afe3-4b79-b195-138fe145e4f2 [81.907494] BTRFS info (device dm-8): using crc32c (crc32c-intel) checksum algorithm [81.908258] BTRFS info (device dm-8): using free space tree [81.912644] BTRFS info (device dm-8): auto enabling async discard [81.913277] BTRFS info (device dm-8): checking UUID tree [91.668256] BTRFS info (device dm-8): last unmount of filesystem 633b5c16-afe3-4b79-b195-138fe145e4f2 CC: stable@vger.kernel.org # 5.4+ Link: https://github.com/kdave/btrfs-progs/issues/689 Reviewed-by: Anand Jain <anand.jain@oracle.com> Signed-off-by: Qu Wenruo <wqu@suse.com> Reviewed-by: David Sterba <dsterba@suse.com> [ update changelog ] Signed-off-by: David Sterba <dsterba@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Paulo Alcantara
|
74820f7406 |
smb: client: report correct st_size for SMB and NFS symlinks
commit 9d63509547a940225d06d7eba1dc412befae255d upstream. We can't rely on FILE_STANDARD_INFORMATION::EndOfFile for reparse points as they will be always zero. Set it to symlink target's length as specified by POSIX. This will make stat() family of syscalls return the correct st_size for such files. Cc: stable@vger.kernel.org Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
David Howells
|
60fed17ca5 |
cifs: Fix FALLOC_FL_INSERT_RANGE by setting i_size after EOF moved
commit 88010155f02b2c3b03c71609ba6ceeb457ece095 upstream.
Fix the cifs filesystem implementations of FALLOC_FL_INSERT_RANGE, in
smb3_insert_range(), to set i_size after extending the file on the server
and before we do the copy to open the gap (as we don't clean up the EOF
marker if the copy fails).
Fixes:
|
||
|
David Howells
|
6406cce4b2 |
cifs: Fix FALLOC_FL_ZERO_RANGE by setting i_size if EOF moved
commit 83d5518b124dfd605f10a68128482c839a239f9d upstream.
Fix the cifs filesystem implementations of FALLOC_FL_ZERO_RANGE, in
smb3_zero_range(), to set i_size after extending the file on the server.
Fixes:
|
||
Eric Biggers
|
6b972d6047 |
BACKPORT: fscrypt: support crypto data unit size less than filesystem block size
Until now, fscrypt has always used the filesystem block size as the granularity of file contents encryption. Two scenarios have come up where a sub-block granularity of contents encryption would be useful: 1. Inline crypto hardware that only supports a crypto data unit size that is less than the filesystem block size. 2. Support for direct I/O at a granularity less than the filesystem block size, for example at the block device's logical block size in order to match the traditional direct I/O alignment requirement. (1) first came up with older eMMC inline crypto hardware that only supports a crypto data unit size of 512 bytes. That specific case ultimately went away because all systems with that hardware continued using out of tree code and never actually upgraded to the upstream inline crypto framework. But, now it's coming back in a new way: some current UFS controllers only support a data unit size of 4096 bytes, and there is a proposal to increase the filesystem block size to 16K. (2) was discussed as a "nice to have" feature, though not essential, when support for direct I/O on encrypted files was being upstreamed. Still, the fact that this feature has come up several times does suggest it would be wise to have available. Therefore, this patch implements it by using one of the reserved bytes in fscrypt_policy_v2 to allow users to select a sub-block data unit size. Supported data unit sizes are powers of 2 between 512 and the filesystem block size, inclusively. Support is implemented for both the FS-layer and inline crypto cases. This patch focuses on the basic support for sub-block data units. Some things are out of scope for this patch but may be addressed later: - Supporting sub-block data units in combination with FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64, in most cases. Unfortunately this combination usually causes data unit indices to exceed 32 bits, and thus fscrypt_supported_policy() correctly disallows it. The users who potentially need this combination are using f2fs. To support it, f2fs would need to provide an option to slightly reduce its max file size. - Supporting sub-block data units in combination with FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32. This has the same problem described above, but also it will need special code to make DUN wraparound still happen on a FS block boundary. - Supporting use case (2) mentioned above. The encrypted direct I/O code will need to stop requiring and assuming FS block alignment. This won't be hard, but it belongs in a separate patch. - Supporting this feature on filesystems other than ext4 and f2fs. (Filesystems declare support for it via their fscrypt_operations.) On UBIFS, sub-block data units don't make sense because UBIFS encrypts variable-length blocks as a result of compression. CephFS could support it, but a bit more work would be needed to make the fscrypt_*_block_inplace functions play nicely with sub-block data units. I don't think there's a use case for this on CephFS anyway. Link: https://lore.kernel.org/r/20230925055451.59499-6-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@google.com> Bug: 299136786 Bug: 302588300 (cherry picked from commit 5b11888471806edf699316d4dcb9b426caebbef2) (Reworked this commit to not change struct fscrypt_operations and not depend on other commits that changed struct fscrypt_operations. Also resolved conflicts with the HW-wrapped key support.) Change-Id: Ic3dc56ef3f42d123f812e9037e2cc6f0b24bacc1 Signed-off-by: Eric Biggers <ebiggers@google.com> |
||
Chuck Lever
|
5d9ddbf4b5 |
NFSD: Fix checksum mismatches in the duplicate reply cache
[ Upstream commit bf51c52a1f3c238d72c64e14d5e7702d3a245b82 ] nfsd_cache_csum() currently assumes that the server's RPC layer has been advancing rq_arg.head[0].iov_base as it decodes an incoming request, because that's the way it used to work. On entry, it expects that buf->head[0].iov_base points to the start of the NFS header, and excludes the already-decoded RPC header. These days however, head[0].iov_base now points to the start of the RPC header during all processing. It no longer points at the NFS Call header when execution arrives at nfsd_cache_csum(). In a retransmitted RPC the XID and the NFS header are supposed to be the same as the original message, but the contents of the retransmitted RPC header can be different. For example, for krb5, the GSS sequence number will be different between the two. Thus if the RPC header is always included in the DRC checksum computation, the checksum of the retransmitted message might not match the checksum of the original message, even though the NFS part of these messages is identical. The result is that, even if a matching XID is found in the DRC, the checksum mismatch causes the server to execute the retransmitted RPC transaction again. Reviewed-by: Jeff Layton <jlayton@kernel.org> Tested-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Chuck Lever
|
b597f3c85d |
NFSD: Fix "start of NFS reply" pointer passed to nfsd_cache_update()
[ Upstream commit 1caf5f61dd8430ae5a0b4538afe4953ce7517cbb ] The "statp + 1" pointer that is passed to nfsd_cache_update() is supposed to point to the start of the egress NFS Reply header. In fact, it does point there for AUTH_SYS and RPCSEC_GSS_KRB5 requests. But both krb5i and krb5p add fields between the RPC header's accept_stat field and the start of the NFS Reply header. In those cases, "statp + 1" points at the extra fields instead of the Reply. The result is that nfsd_cache_update() caches what looks to the client like garbage. A connection break can occur for a number of reasons, but the most common reason when using krb5i/p is a GSS sequence number window underrun. When an underrun is detected, the server is obliged to drop the RPC and the connection to force a retransmit with a fresh GSS sequence number. The client presents the same XID, it hits in the server's DRC, and the server returns the garbage cache entry. The "statp + 1" argument has been used since the oldest changeset in the kernel history repo, so it has been in nfsd_dispatch() literally since before history began. The problem arose only when the server-side GSS implementation was added twenty years ago. Reviewed-by: Jeff Layton <jlayton@kernel.org> Tested-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Zhang Yi
|
d7eb37615b |
ext4: make sure allocate pending entry not fail
[ Upstream commit 8e387c89e96b9543a339f84043cf9df15fed2632 ] __insert_pending() allocate memory in atomic context, so the allocation could fail, but we are not handling that failure now. It could lead ext4_es_remove_extent() to get wrong reserved clusters, and the global data blocks reservation count will be incorrect. The same to extents_status entry preallocation, preallocate pending entry out of the i_es_lock with __GFP_NOFAIL, make sure __insert_pending() and __revise_pending() always succeeds. Signed-off-by: Zhang Yi <yi.zhang@huawei.com> Cc: stable@kernel.org Link: https://lore.kernel.org/r/20230824092619.1327976-3-yi.zhang@huaweicloud.com Reviewed-by: Jan Kara <jack@suse.cz> Signed-off-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Baokun Li
|
8384d8c5cc |
ext4: fix slab-use-after-free in ext4_es_insert_extent()
[ Upstream commit 768d612f79822d30a1e7d132a4d4b05337ce42ec ] Yikebaer reported an issue: ================================================================== BUG: KASAN: slab-use-after-free in ext4_es_insert_extent+0xc68/0xcb0 fs/ext4/extents_status.c:894 Read of size 4 at addr ffff888112ecc1a4 by task syz-executor/8438 CPU: 1 PID: 8438 Comm: syz-executor Not tainted 6.5.0-rc5 #1 Call Trace: [...] kasan_report+0xba/0xf0 mm/kasan/report.c:588 ext4_es_insert_extent+0xc68/0xcb0 fs/ext4/extents_status.c:894 ext4_map_blocks+0x92a/0x16f0 fs/ext4/inode.c:680 ext4_alloc_file_blocks.isra.0+0x2df/0xb70 fs/ext4/extents.c:4462 ext4_zero_range fs/ext4/extents.c:4622 [inline] ext4_fallocate+0x251c/0x3ce0 fs/ext4/extents.c:4721 [...] Allocated by task 8438: [...] kmem_cache_zalloc include/linux/slab.h:693 [inline] __es_alloc_extent fs/ext4/extents_status.c:469 [inline] ext4_es_insert_extent+0x672/0xcb0 fs/ext4/extents_status.c:873 ext4_map_blocks+0x92a/0x16f0 fs/ext4/inode.c:680 ext4_alloc_file_blocks.isra.0+0x2df/0xb70 fs/ext4/extents.c:4462 ext4_zero_range fs/ext4/extents.c:4622 [inline] ext4_fallocate+0x251c/0x3ce0 fs/ext4/extents.c:4721 [...] Freed by task 8438: [...] kmem_cache_free+0xec/0x490 mm/slub.c:3823 ext4_es_try_to_merge_right fs/ext4/extents_status.c:593 [inline] __es_insert_extent+0x9f4/0x1440 fs/ext4/extents_status.c:802 ext4_es_insert_extent+0x2ca/0xcb0 fs/ext4/extents_status.c:882 ext4_map_blocks+0x92a/0x16f0 fs/ext4/inode.c:680 ext4_alloc_file_blocks.isra.0+0x2df/0xb70 fs/ext4/extents.c:4462 ext4_zero_range fs/ext4/extents.c:4622 [inline] ext4_fallocate+0x251c/0x3ce0 fs/ext4/extents.c:4721 [...] ================================================================== The flow of issue triggering is as follows: 1. remove es raw es es removed es1 |-------------------| -> |----|.......|------| 2. insert es es insert es1 merge with es es1 merge with es and free es1 |----|.......|------| -> |------------|------| -> |-------------------| es merges with newes, then merges with es1, frees es1, then determines if es1->es_len is 0 and triggers a UAF. The code flow is as follows: ext4_es_insert_extent es1 = __es_alloc_extent(true); es2 = __es_alloc_extent(true); __es_remove_extent(inode, lblk, end, NULL, es1) __es_insert_extent(inode, &newes, es1) ---> insert es1 to es tree __es_insert_extent(inode, &newes, es2) ext4_es_try_to_merge_right ext4_es_free_extent(inode, es1) ---> es1 is freed if (es1 && !es1->es_len) // Trigger UAF by determining if es1 is used. We determine whether es1 or es2 is used immediately after calling __es_remove_extent() or __es_insert_extent() to avoid triggering a UAF if es1 or es2 is freed. Reported-by: Yikebaer Aizezi <yikebaer61@gmail.com> Closes: https://lore.kernel.org/lkml/CALcu4raD4h9coiyEBL4Bm0zjDwxC2CyPiTwsP3zFuhot6y9Beg@mail.gmail.com Fixes: 2a69c450083d ("ext4: using nofail preallocation in ext4_es_insert_extent()") Cc: stable@kernel.org Signed-off-by: Baokun Li <libaokun1@huawei.com> Reviewed-by: Jan Kara <jack@suse.cz> Link: https://lore.kernel.org/r/20230815070808.3377171-1-libaokun1@huawei.com Signed-off-by: Theodore Ts'o <tytso@mit.edu> Stable-dep-of: 8e387c89e96b ("ext4: make sure allocate pending entry not fail") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Baokun Li
|
9164978bce |
ext4: using nofail preallocation in ext4_es_insert_extent()
[ Upstream commit 2a69c450083db164596c75c0f5b4d9c4c0e18eba ] Similar to in ext4_es_insert_delayed_block(), we use preallocations that do not fail to avoid inconsistencies, but we do not care about es that are not must be kept, and we return 0 even if such es memory allocation fails. Suggested-by: Jan Kara <jack@suse.cz> Signed-off-by: Baokun Li <libaokun1@huawei.com> Reviewed-by: Jan Kara <jack@suse.cz> Link: https://lore.kernel.org/r/20230424033846.4732-9-libaokun1@huawei.com Signed-off-by: Theodore Ts'o <tytso@mit.edu> Stable-dep-of: 8e387c89e96b ("ext4: make sure allocate pending entry not fail") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Baokun Li
|
614b383d01 |
ext4: using nofail preallocation in ext4_es_insert_delayed_block()
[ Upstream commit 4a2d98447b37bcb68a7f06a1078edcb4f7e6ce7e ] Similar to in ext4_es_remove_extent(), we use a no-fail preallocation to avoid inconsistencies, except that here we may have to preallocate two extent_status. Suggested-by: Jan Kara <jack@suse.cz> Signed-off-by: Baokun Li <libaokun1@huawei.com> Reviewed-by: Jan Kara <jack@suse.cz> Link: https://lore.kernel.org/r/20230424033846.4732-8-libaokun1@huawei.com Signed-off-by: Theodore Ts'o <tytso@mit.edu> Stable-dep-of: 8e387c89e96b ("ext4: make sure allocate pending entry not fail") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Baokun Li
|
51cef2a5c6 |
ext4: using nofail preallocation in ext4_es_remove_extent()
[ Upstream commit e9fe2b882bd5b26b987c9ba110c2222796f72af5 ] If __es_remove_extent() returns an error it means that when splitting extent, allocating an extent that must be kept failed, where returning an error directly would cause the extent tree to be inconsistent. So we use GFP_NOFAIL to pre-allocate an extent_status and pass it to __es_remove_extent() to avoid this problem. In addition, since the allocated memory is outside the i_es_lock, the extent_status tree may change and the pre-allocated extent_status is no longer needed, so we release the pre-allocated extent_status when es->es_len is not initialized. Suggested-by: Jan Kara <jack@suse.cz> Signed-off-by: Baokun Li <libaokun1@huawei.com> Reviewed-by: Jan Kara <jack@suse.cz> Link: https://lore.kernel.org/r/20230424033846.4732-7-libaokun1@huawei.com Signed-off-by: Theodore Ts'o <tytso@mit.edu> Stable-dep-of: 8e387c89e96b ("ext4: make sure allocate pending entry not fail") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Baokun Li
|
f1c2369366 |
ext4: use pre-allocated es in __es_remove_extent()
[ Upstream commit bda3efaf774fb687c2b7a555aaec3006b14a8857 ] When splitting extent, if the second extent can not be dropped, we return -ENOMEM and use GFP_NOFAIL to preallocate an extent_status outside of i_es_lock and pass it to __es_remove_extent() to be used as the second extent. This ensures that __es_remove_extent() is executed successfully, thus ensuring consistency in the extent status tree. If the second extent is not undroppable, we simply drop it and return 0. Then retry is no longer necessary, remove it. Now, __es_remove_extent() will always remove what it should, maybe more. Suggested-by: Jan Kara <jack@suse.cz> Signed-off-by: Baokun Li <libaokun1@huawei.com> Reviewed-by: Jan Kara <jack@suse.cz> Link: https://lore.kernel.org/r/20230424033846.4732-6-libaokun1@huawei.com Signed-off-by: Theodore Ts'o <tytso@mit.edu> Stable-dep-of: 8e387c89e96b ("ext4: make sure allocate pending entry not fail") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Baokun Li
|
ce581f8631 |
ext4: use pre-allocated es in __es_insert_extent()
[ Upstream commit 95f0b320339a977cf69872eac107122bf536775d ] Pass a extent_status pointer prealloc to __es_insert_extent(). If the pointer is non-null, it is used directly when a new extent_status is needed to avoid memory allocation failures. Suggested-by: Jan Kara <jack@suse.cz> Signed-off-by: Baokun Li <libaokun1@huawei.com> Reviewed-by: Jan Kara <jack@suse.cz> Link: https://lore.kernel.org/r/20230424033846.4732-5-libaokun1@huawei.com Signed-off-by: Theodore Ts'o <tytso@mit.edu> Stable-dep-of: 8e387c89e96b ("ext4: make sure allocate pending entry not fail") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Baokun Li
|
594a5f00e5 |
ext4: factor out __es_alloc_extent() and __es_free_extent()
[ Upstream commit 73a2f033656be11298912201ad50615307b4477a ] Factor out __es_alloc_extent() and __es_free_extent(), which only allocate and free extent_status in these two helpers. The ext4_es_alloc_extent() function is split into __es_alloc_extent() and ext4_es_init_extent(). In __es_alloc_extent() we allocate memory using GFP_KERNEL | __GFP_NOFAIL | __GFP_ZERO if the memory allocation cannot fail, otherwise we use GFP_ATOMIC. and the ext4_es_init_extent() is used to initialize extent_status and update related variables after a successful allocation. This is to prepare for the use of pre-allocated extent_status later. Signed-off-by: Baokun Li <libaokun1@huawei.com> Reviewed-by: Jan Kara <jack@suse.cz> Link: https://lore.kernel.org/r/20230424033846.4732-4-libaokun1@huawei.com Signed-off-by: Theodore Ts'o <tytso@mit.edu> Stable-dep-of: 8e387c89e96b ("ext4: make sure allocate pending entry not fail") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Baokun Li
|
9381ff6512 |
ext4: add a new helper to check if es must be kept
[ Upstream commit 9649eb18c6288f514cacffdd699d5cd999c2f8f6 ] In the extent status tree, we have extents which we can just drop without issues and extents we must not drop - this depends on the extent's status - currently ext4_es_is_delayed() extents must stay, others may be dropped. A helper function is added to help determine if the current extent can be dropped, although only ext4_es_is_delayed() extents cannot be dropped currently. Suggested-by: Jan Kara <jack@suse.cz> Signed-off-by: Baokun Li <libaokun1@huawei.com> Reviewed-by: Jan Kara <jack@suse.cz> Link: https://lore.kernel.org/r/20230424033846.4732-3-libaokun1@huawei.com Signed-off-by: Theodore Ts'o <tytso@mit.edu> Stable-dep-of: 8e387c89e96b ("ext4: make sure allocate pending entry not fail") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Shyam Prasad N
|
e9c3d6b09c |
cifs: fix leak of iface for primary channel
[ Upstream commit 29954d5b1e0d67a4cd61c30c2201030c97e94b1e ]
My last change in this area introduced a change which
accounted for primary channel in the interface ref count.
However, it did not reduce this ref count on deallocation
of the primary channel. i.e. during umount.
Fixing this leak here, by dropping this ref count for
primary channel while freeing up the session.
Fixes: fa1d0508bdd4 ("cifs: account for primary channel in the interface list")
Cc: stable@vger.kernel.org
Reported-by: Paulo Alcantara <pc@manguebit.com>
Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Shyam Prasad N
|
b24d42b52b |
cifs: account for primary channel in the interface list
[ Upstream commit fa1d0508bdd4a68c5e40f85f635712af8c12f180 ] The refcounting of server interfaces should account for the primary channel too. Although this is not strictly necessary, doing so will account for the primary channel in DebugData. Cc: stable@vger.kernel.org Reviewed-by: Paulo Alcantara (SUSE) <pc@manguebit.com> Signed-off-by: Shyam Prasad N <sprasad@microsoft.com> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Shyam Prasad N
|
548893404c |
cifs: distribute channels across interfaces based on speed
[ Upstream commit a6d8fb54a515f0546ffdb7870102b1238917e567 ]
Today, if the server interfaces RSS capable, we simply
choose the fastest interface to setup a channel. This is not
a scalable approach, and does not make a lot of attempt to
distribute the connections.
This change does a weighted distribution of channels across
all the available server interfaces, where the weight is
a function of the advertised interface speed.
Also make sure that we don't mix rdma and non-rdma for channels.
Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Stable-dep-of: fa1d0508bdd4 ("cifs: account for primary channel in the interface list")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Shyam Prasad N
|
5607a415d4 |
cifs: print last update time for interface list
[ Upstream commit 05844bd661d9fd478df1175b6639bf2d9398becb ]
We store the last updated time for interface list while
parsing the interfaces. This change is to just print that
info in DebugData.
Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Stable-dep-of: fa1d0508bdd4 ("cifs: account for primary channel in the interface list")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Steve French
|
f4dff37111 |
smb3: allow dumping session and tcon id to improve stats analysis and debugging
[ Upstream commit de4eceab578ead12a71e5b5588a57e142bbe8ceb ] When multiple mounts are to the same share from the same client it was not possible to determine which section of /proc/fs/cifs/Stats (and DebugData) correspond to that mount. In some recent examples this turned out to be a significant problem when trying to analyze performance data - since there are many cases where unless we know the tree id and session id we can't figure out which stats (e.g. number of SMB3.1.1 requests by type, the total time they take, which is slowest, how many fail etc.) apply to which mount. The only existing loosely related ioctl CIFS_IOC_GET_MNT_INFO does not return the information needed to uniquely identify which tcon is which mount although it does return various flags and device info. Add a cifs.ko ioctl CIFS_IOC_GET_TCON_INFO (0x800ccf0c) to return tid, session id, tree connect count. Cc: stable@vger.kernel.org Reviewed-by: Shyam Prasad N <sprasad@microsoft.com> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Steve French
|
fbc666a9ac |
cifs: minor cleanup of some headers
[ Upstream commit c19204cbd65c12fdcd34fb8f5d645007238ed5cd ]
checkpatch showed formatting problems with extra spaces,
and extra semicolon and some missing blank lines in some
cifs headers.
Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Reviewed-by: Germano Percossi <germano.percossi@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Stable-dep-of: de4eceab578e ("smb3: allow dumping session and tcon id to improve stats analysis and debugging")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
David Howells
|
48b3ee0134 |
afs: Fix file locking on R/O volumes to operate in local mode
[ Upstream commit b590eb41be766c5a63acc7e8896a042f7a4e8293 ]
AFS doesn't really do locking on R/O volumes as fileservers don't maintain
state with each other and thus a lock on a R/O volume file on one
fileserver will not be be visible to someone looking at the same file on
another fileserver.
Further, the server may return an error if you try it.
Fix this by doing what other AFS clients do and handle filelocking on R/O
volume files entirely within the client and don't touch the server.
Fixes:
|
||
|
David Howells
|
f9cf17836e |
afs: Return ENOENT if no cell DNS record can be found
[ Upstream commit 0167236e7d66c5e1e85d902a6abc2529b7544539 ]
Make AFS return error ENOENT if no cell SRV or AFSDB DNS record (or
cellservdb config file record) can be found rather than returning
EDESTADDRREQ.
Also add cell name lookup info to the cursor dump.
Fixes:
|
||
|
David Howells
|
d2b3bc8c7f |
afs: Make error on cell lookup failure consistent with OpenAFS
[ Upstream commit 2a4ca1b4b77850544408595e2433f5d7811a9daa ]
When kafs tries to look up a cell in the DNS or the local config, it will
translate a lookup failure into EDESTADDRREQ whereas OpenAFS translates it
into ENOENT. Applications such as West expect the latter behaviour and
fail if they see the former.
This can be seen by trying to mount an unknown cell:
# mount -t afs %example.com:cell.root /mnt
mount: /mnt: mount(2) system call failed: Destination address required.
Fixes:
|
||
|
David Howells
|
790ea5bc40 |
afs: Fix afs_server_list to be cleaned up with RCU
[ Upstream commit e6bace7313d61e31f2b16fa3d774fd8cb3cb869e ]
afs_server_list is accessed with the rcu_read_lock() held from
volume->servers, so it needs to be cleaned up correctly.
Fix this by using kfree_rcu() instead of kfree().
Fixes:
|
||
|
Paul Lawrence
|
cfdfc17a46 |
ANDROID: fuse-bpf: Ignore readaheads unless they go to the daemon
readpages will be triggered on the fuse fs in passthrough mode though system calls like fadvise. If the daemon isn't aware of the file, this will likely cause a hang. For the moment, simply ignore fadvise in this situation Bug: 301201239 Test: fuse_test, atest ScopedStorageDeviceTest both pass Signed-off-by: Paul Lawrence <paullawrence@google.com> Change-Id: I524a84aeeb1b1593e51264fcc37f7cfa66757168 |
||
|
Jaegeuk Kim
|
354b1b716c |
FROMGIT: f2fs: skip adding a discard command if exists
When recovering zoned UFS, sometimes we add the same zone to discard multiple times. Simple workaround is to bypass adding it. Reviewed-by: Chao Yu <chao@kernel.org> Change-Id: Ic1501caa02aea8bdc9d7f00a8bd0d35be2ef4ba1 Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org> (cherry picked from commit bbd3efed3383e332191c665786c61653826d2ac3 https://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git dev) |
||
Daeho Jeong
|
ccbea4f458 |
UPSTREAM: f2fs: clean up zones when not successfully unmounted
We can't trust write pointers when the previous mount was not successfully unmounted. Change-Id: If67696db9ab820a805711b43cabb50c796c9f75f Signed-off-by: Daeho Jeong <daehojeong@google.com> Reviewed-by: Chao Yu <chao@kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org> (cherry picked from commit 9f792ab8e33de727993bbd84ece892e72de18c85) |
||
|
Daeho Jeong
|
88cccede6d |
UPSTREAM: f2fs: use finish zone command when closing a zone
Use the finish zone command first when a zone should be closed. Change-Id: Ie38800c2787392980f7914ad10b5f92f6d59e99b Signed-off-by: Daeho Jeong <daehojeong@google.com> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org> (cherry picked from commit 3b7166121402a5062d18dcf4e3bce083fb9e4201) |
||
|
Daeho Jeong
|
b2d3a555d3 |
UPSTREAM: f2fs: check zone write pointer points to the end of zone
We don't need to report an issue, when the zone write pointer already points to the end of the zone, since the zone mismatch is already taken care. Change-Id: Ifc967abe44521cd239ebac509353c25e36cc7a18 Signed-off-by: Daeho Jeong <daehojeong@google.com> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org> (cherry picked from commit c9667b19e2cf13735fe2620f9d97b788897cd4af) |
||
|
Daeho Jeong
|
c9e29a0073 |
UPSTREAM: f2fs: close unused open zones while mounting
Zoned UFS allows only 6 open zones at the same time, so we need to take care of the count of open zones while mounting. Change-Id: Ie197b9e9e47b3397446ce2cf97168c9f68fea431 Signed-off-by: Daeho Jeong <daehojeong@google.com> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org> (cherry picked from commit 04abeb699ddce800837c4039ea1cc7d4d139bb36) |
||
|
Daeho Jeong
|
e92b866e22 |
UPSTREAM: f2fs: maintain six open zones for zoned devices
To keep six open zone constraints, make them not to be open over six open zones. Change-Id: If5d02581073f90db4cadd8f928cef9abc5bac8a7 Signed-off-by: Daeho Jeong <daehojeong@google.com> Reviewed-by: Chao Yu <chao@kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org> (cherry picked from commit e067dc3c6b9c419bac43c6a0be2d85f44681f863) |
||
|
Jan Kara
|
dc4542861e |
ext4: properly sync file size update after O_SYNC direct IO
commit 91562895f8030cb9a0470b1db49de79346a69f91 upstream.
Gao Xiang has reported that on ext4 O_SYNC direct IO does not properly
sync file size update and thus if we crash at unfortunate moment, the
file can have smaller size although O_SYNC IO has reported successful
completion. The problem happens because update of on-disk inode size is
handled in ext4_dio_write_iter() *after* iomap_dio_rw() (and thus
dio_complete() in particular) has returned and generic_file_sync() gets
called by dio_complete(). Fix the problem by handling on-disk inode size
update directly in our ->end_io completion handler.
References: https://lore.kernel.org/all/02d18236-26ef-09b0-90ad-030c4fe3ee20@linux.alibaba.com
Reported-by: Gao Xiang <hsiangkao@linux.alibaba.com>
CC: stable@vger.kernel.org
Fixes:
|
||
Kemeng Shi
|
e1d0f68bc0 |
ext4: add missed brelse in update_backups
commit 9adac8b01f4be28acd5838aade42b8daa4f0b642 upstream. add missed brelse in update_backups Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com> Reviewed-by: Theodore Ts'o <tytso@mit.edu> Link: https://lore.kernel.org/r/20230826174712.4059355-3-shikemeng@huaweicloud.com Signed-off-by: Theodore Ts'o <tytso@mit.edu> Cc: stable@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Kemeng Shi
|
1793dc461e |
ext4: remove gdb backup copy for meta bg in setup_new_flex_group_blocks
commit 40dd7953f4d606c280074f10d23046b6812708ce upstream.
Wrong check of gdb backup in meta bg as following:
first_group is the first group of meta_bg which contains target group, so
target group is always >= first_group. We check if target group has gdb
backup by comparing first_group with [group + 1] and [group +
EXT4_DESC_PER_BLOCK(sb) - 1]. As group >= first_group, then [group + N] is
> first_group. So no copy of gdb backup in meta bg is done in
setup_new_flex_group_blocks.
No need to do gdb backup copy in meta bg from setup_new_flex_group_blocks
as we always copy updated gdb block to backups at end of
ext4_flex_group_add as following:
ext4_flex_group_add
/* no gdb backup copy for meta bg any more */
setup_new_flex_group_blocks
/* update current group number */
ext4_update_super
sbi->s_groups_count += flex_gd->count;
/*
* if group in meta bg contains backup is added, the primary gdb block
* of the meta bg will be copy to backup in new added group here.
*/
for (; gdb_num <= gdb_num_end; gdb_num++)
update_backups(...)
In summary, we can remove wrong gdb backup copy code in
setup_new_flex_group_blocks.
Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
Reviewed-by: Theodore Ts'o <tytso@mit.edu>
Link: https://lore.kernel.org/r/20230826174712.4059355-5-shikemeng@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Zhang Yi
|
80ddcf21e7 |
ext4: correct the start block of counting reserved clusters
commit 40ea98396a3659062267d1fe5f99af4f7e4f05e3 upstream.
When big allocate feature is enabled, we need to count and update
reserved clusters before removing a delayed only extent_status entry.
{init|count|get}_rsvd() have already done this, but the start block
number of this counting isn't correct in the following case.
lblk end
| |
v v
-------------------------
| | orig_es
-------------------------
^ ^
len1 is 0 | len2 |
If the start block of the orig_es entry founded is bigger than lblk, we
passed lblk as start block to count_rsvd(), but the length is correct,
finally, the range to be counted is offset. This patch fix this by
passing the start blocks to 'orig_es->lblk + len1'.
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Cc: stable@kernel.org
Link: https://lore.kernel.org/r/20230824092619.1327976-2-yi.zhang@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Kemeng Shi
|
ec4ba3d62f |
ext4: correct return value of ext4_convert_meta_bg
commit 48f1551592c54f7d8e2befc72a99ff4e47f7dca0 upstream. Avoid to ignore error in "err". Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com> Link: https://lore.kernel.org/r/20230826174712.4059355-4-shikemeng@huaweicloud.com Signed-off-by: Theodore Ts'o <tytso@mit.edu> Cc: stable@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Ojaswin Mujoo
|
32b9fb9a67 |
ext4: mark buffer new if it is unwritten to avoid stale data exposure
commit 2cd8bdb5efc1e0d5b11a4b7ba6b922fd2736a87f upstream.
** Short Version **
In ext4 with dioread_nolock, we could have a scenario where the bh returned by
get_blocks (ext4_get_block_unwritten()) in __block_write_begin_int() has
UNWRITTEN and MAPPED flag set. Since such a bh does not have NEW flag set we
never zero out the range of bh that is not under write, causing whatever stale
data is present in the folio at that time to be written out to disk. To fix this
mark the buffer as new, in case it is unwritten, in ext4_get_block_unwritten().
** Long Version **
The issue mentioned above was resulting in two different bugs:
1. On block size < page size case in ext4, generic/269 was reliably
failing with dioread_nolock. The state of the write was as follows:
* The write was extending i_size.
* The last block of the file was fallocated and had an unwritten extent
* We were near ENOSPC and hence we were switching to non-delayed alloc
allocation.
In this case, the back trace that triggers the bug is as follows:
ext4_da_write_begin()
/* switch to nodelalloc due to low space */
ext4_write_begin()
ext4_should_dioread_nolock() // true since mount flags still have delalloc
__block_write_begin(..., ext4_get_block_unwritten)
__block_write_begin_int()
for(each buffer head in page) {
/* first iteration, this is bh1 which contains i_size */
if (!buffer_mapped)
get_block() /* returns bh with only UNWRITTEN and MAPPED */
/* second iteration, bh2 */
if (!buffer_mapped)
get_block() /* we fail here, could be ENOSPC */
}
if (err)
/*
* this would zero out all new buffers and mark them uptodate.
* Since bh1 was never marked new, we skip it here which causes
* the bug later.
*/
folio_zero_new_buffers();
/* ext4_wrte_begin() error handling */
ext4_truncate_failed_write()
ext4_truncate()
ext4_block_truncate_page()
__ext4_block_zero_page_range()
if(!buffer_uptodate())
ext4_read_bh_lock()
ext4_read_bh() -> ... ext4_submit_bh_wbc()
BUG_ON(buffer_unwritten(bh)); /* !!! */
2. The second issue is stale data exposure with page size >= blocksize
with dioread_nolock. The conditions needed for it to happen are same as
the previous issue ie dioread_nolock around ENOSPC condition. The issue
is also similar where in __block_write_begin_int() when we call
ext4_get_block_unwritten() on the buffer_head and the underlying extent
is unwritten, we get an unwritten and mapped buffer head. Since it is
not new, we never zero out the partial range which is not under write,
thus writing stale data to disk. This can be easily observed with the
following reproducer:
fallocate -l 4k testfile
xfs_io -c "pwrite 2k 2k" testfile
# hexdump output will have stale data in from byte 0 to 2k in testfile
hexdump -C testfile
NOTE: To trigger this, we need dioread_nolock enabled and write happening via
ext4_write_begin(), which is usually used when we have -o nodealloc. Since
dioread_nolock is disabled with nodelalloc, the only alternate way to call
ext4_write_begin() is to ensure that delayed alloc switches to nodelalloc ie
ext4_da_write_begin() calls ext4_write_begin(). This will usually happen when
ext4 is almost full like the way generic/269 was triggering it in Issue 1 above.
This might make the issue harder to hit. Hence, for reliable replication, I used
the below patch to temporarily allow dioread_nolock with nodelalloc and then
mount the disk with -o nodealloc,dioread_nolock. With this you can hit the stale
data issue 100% of times:
@@ -508,8 +508,8 @@ static inline int ext4_should_dioread_nolock(struct inode *inode)
if (ext4_should_journal_data(inode))
return 0;
/* temporary fix to prevent generic/422 test failures */
- if (!test_opt(inode->i_sb, DELALLOC))
- return 0;
+ // if (!test_opt(inode->i_sb, DELALLOC))
+ // return 0;
return 1;
}
After applying this patch to mark buffer as NEW, both the above issues are
fixed.
Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Cc: stable@kernel.org
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: "Ritesh Harjani (IBM)" <ritesh.list@gmail.com>
Link: https://lore.kernel.org/r/d0ed09d70a9733fbb5349c5c7b125caac186ecdf.1695033645.git.ojaswin@linux.ibm.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Kemeng Shi
|
f0cc1368fa |
ext4: correct offset of gdb backup in non meta_bg group to update_backups
commit 31f13421c004a420c0e9d288859c9ea9259ea0cc upstream.
Commit 0aeaa2559d6d5 ("ext4: fix corruption when online resizing a 1K
bigalloc fs") found that primary superblock's offset in its group is
not equal to offset of backup superblock in its group when block size
is 1K and bigalloc is enabled. As group descriptor blocks are right
after superblock, we can't pass block number of gdb to update_backups
for the same reason.
The root casue of the issue above is that leading 1K padding block is
count as data block offset for primary block while backup block has no
padding block offset in its group.
Remove padding data block count to fix the issue for gdb backups.
For meta_bg case, update_backups treat blk_off as block number, do no
conversion in this case.
Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
Reviewed-by: Theodore Ts'o <tytso@mit.edu>
Link: https://lore.kernel.org/r/20230826174712.4059355-2-shikemeng@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Max Kellermann
|
af075d06b3 |
ext4: apply umask if ACL support is disabled
commit 484fd6c1de13b336806a967908a927cc0356e312 upstream. The function ext4_init_acl() calls posix_acl_create() which is responsible for applying the umask. But without CONFIG_EXT4_FS_POSIX_ACL, ext4_init_acl() is an empty inline function, and nobody applies the umask. This fixes a bug which causes the umask to be ignored with O_TMPFILE on ext4: https://github.com/MusicPlayerDaemon/MPD/issues/558 https://bugs.gentoo.org/show_bug.cgi?id=686142#c3 https://bugzilla.kernel.org/show_bug.cgi?id=203625 Reviewed-by: "J. Bruce Fields" <bfields@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Max Kellermann <max.kellermann@ionos.com> Link: https://lore.kernel.org/r/20230919081824.1096619-1-max.kellermann@ionos.com Signed-off-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Mahmoud Adam
|
1bb61fb790 |
nfsd: fix file memleak on client_opens_release
commit bc1b5acb40201a0746d68a7d7cfc141899937f4f upstream.
seq_release should be called to free the allocated seq_file
Cc: stable@vger.kernel.org # v5.3+
Signed-off-by: Mahmoud Adam <mngyadam@amazon.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Fixes:
|
||
Su Hui
|
526dd7540a |
f2fs: avoid format-overflow warning
commit e0d4e8acb3789c5a8651061fbab62ca24a45c063 upstream.
With gcc and W=1 option, there's a warning like this:
fs/f2fs/compress.c: In function ‘f2fs_init_page_array_cache’:
fs/f2fs/compress.c:1984:47: error: ‘%u’ directive writing between
1 and 7 bytes into a region of size between 5 and 8
[-Werror=format-overflow=]
1984 | sprintf(slab_name, "f2fs_page_array_entry-%u:%u", MAJOR(dev),
MINOR(dev));
| ^~
String "f2fs_page_array_entry-%u:%u" can up to 35. The first "%u" can up
to 4 and the second "%u" can up to 7, so total size is "24 + 4 + 7 = 35".
slab_name's size should be 35 rather than 32.
Cc: stable@vger.kernel.org
Signed-off-by: Su Hui <suhui@nfschina.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Jaegeuk Kim
|
6122b72ce5 |
f2fs: do not return EFSCORRUPTED, but try to run online repair
commit 50a472bbc79ff9d5a88be8019a60e936cadf9f13 upstream. If we return the error, there's no way to recover the status as of now, since fsck does not fix the xattr boundary issue. Cc: stable@vger.kernel.org Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Naohiro Aota
|
a0d43e0f7c |
btrfs: zoned: wait for data BG to be finished on direct IO allocation
commit 776a838f1fa95670c1c1cf7109a898090b473fa3 upstream.
Running the fio command below on a ZNS device results in "Resource
temporarily unavailable" error.
$ sudo fio --name=w --directory=/mnt --filesize=1GB --bs=16MB --numjobs=16 \
--rw=write --ioengine=libaio --iodepth=128 --direct=1
fio: io_u error on file /mnt/w.2.0: Resource temporarily unavailable: write offset=117440512, buflen=16777216
fio: io_u error on file /mnt/w.2.0: Resource temporarily unavailable: write offset=134217728, buflen=16777216
...
This happens because -EAGAIN error returned from btrfs_reserve_extent()
called from btrfs_new_extent_direct() is spilling over to the userland.
btrfs_reserve_extent() returns -EAGAIN when there is no active zone
available. Then, the caller should wait for some other on-going IO to
finish a zone and retry the allocation.
This logic is already implemented for buffered write in cow_file_range(),
but it is missing for the direct IO counterpart. Implement the same logic
for it.
Reported-by: Shinichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Fixes:
|
||
Dave Chinner
|
9ad4c7f065 |
xfs: recovery should not clear di_flushiter unconditionally
commit 7930d9e103700cde15833638855b750715c12091 upstream.
Because on v3 inodes, di_flushiter doesn't exist. It overlaps with
zero padding in the inode, except when NREXT64=1 configurations are
in use and the zero padding is no longer padding but holds the 64
bit extent counter.
This manifests obviously on big endian platforms (e.g. s390) because
the log dinode is in host order and the overlap is the LSBs of the
extent count field. It is not noticed on little endian machines
because the overlap is at the MSB end of the extent count field and
we need to get more than 2^^48 extents in the inode before it
manifests. i.e. the heat death of the universe will occur before we
see the problem in little endian machines.
This is a zero-day issue for NREXT64=1 configuraitons on big endian
machines. Fix it by only clearing di_flushiter on v2 inodes during
recovery.
Fixes:
|
||
|
Shyam Prasad N
|
209379924a |
cifs: do not reset chan_max if multichannel is not supported at mount
commit 6e5e64c9477d58e73cb1a0e83eacad1f8df247cf upstream. If the mount command has specified multichannel as a mount option, but multichannel is found to be unsupported by the server at the time of mount, we set chan_max to 1. Which means that the user needs to remount the share if the server starts supporting multichannel. This change removes this reset. What it means is that if the user specified multichannel or max_channels during mount, and at this time, multichannel is not supported, but the server starts supporting it at a later point, the client will be capable of scaling out the number of channels. Cc: stable@vger.kernel.org Signed-off-by: Shyam Prasad N <sprasad@microsoft.com> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Shyam Prasad N
|
c9569bfd28 |
cifs: force interface update before a fresh session setup
commit d9a6d78096056a3cb5c5f07a730ab92f2f9ac4e6 upstream. During a session reconnect, it is possible that the server moved to another physical server (happens in case of Azure files). So at this time, force a query of server interfaces again (in case of multichannel session), such that the secondary channels connect to the right IP addresses (possibly updated now). Cc: stable@vger.kernel.org Signed-off-by: Shyam Prasad N <sprasad@microsoft.com> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Shyam Prasad N
|
5bdf34ca32 |
cifs: reconnect helper should set reconnect for the right channel
commit c3326a61cdbf3ce1273d9198b6cbf90965d7e029 upstream.
We introduced a helper function to be used by non-cifsd threads to
mark the connection for reconnect. For multichannel, when only
a particular channel needs to be reconnected, this had a bug.
This change fixes that by marking that particular channel
for reconnect.
Fixes:
|
||
|
Paulo Alcantara
|
9eb44db68c |
smb: client: fix potential deadlock when releasing mids
commit e6322fd177c6885a21dd4609dc5e5c973d1a2eb7 upstream.
All release_mid() callers seem to hold a reference of @mid so there is
no need to call kref_put(&mid->refcount, __release_mid) under
@server->mid_lock spinlock. If they don't, then an use-after-free bug
would have occurred anyways.
By getting rid of such spinlock also fixes a potential deadlock as
shown below
CPU 0 CPU 1
------------------------------------------------------------------
cifs_demultiplex_thread() cifs_debug_data_proc_show()
release_mid()
spin_lock(&server->mid_lock);
spin_lock(&cifs_tcp_ses_lock)
spin_lock(&server->mid_lock)
__release_mid()
smb2_find_smb_tcon()
spin_lock(&cifs_tcp_ses_lock) *deadlock*
Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Paulo Alcantara
|
558817597d |
smb: client: fix use-after-free bug in cifs_debug_data_proc_show()
commit d328c09ee9f15ee5a26431f5aad7c9239fa85e62 upstream. Skip SMB sessions that are being teared down (e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show() to avoid use-after-free in @ses. This fixes the following GPF when reading from /proc/fs/cifs/DebugData while mounting and umounting [ 816.251274] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI ... [ 816.260138] Call Trace: [ 816.260329] <TASK> [ 816.260499] ? die_addr+0x36/0x90 [ 816.260762] ? exc_general_protection+0x1b3/0x410 [ 816.261126] ? asm_exc_general_protection+0x26/0x30 [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs] [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs] [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs] [ 816.262689] ? seq_read_iter+0x379/0x470 [ 816.262995] seq_read_iter+0x118/0x470 [ 816.263291] proc_reg_read_iter+0x53/0x90 [ 816.263596] ? srso_alias_return_thunk+0x5/0x7f [ 816.263945] vfs_read+0x201/0x350 [ 816.264211] ksys_read+0x75/0x100 [ 816.264472] do_syscall_64+0x3f/0x90 [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 816.265135] RIP: 0033:0x7fd5e669d381 Cc: stable@vger.kernel.org Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |