Michael Bestas
6725684c74
Merge tag 'ASB-2024-12-05_12-5.10' of https://android.googlesource.com/kernel/common into android13-5.10-waipio
...
https://source.android.com/docs/security/bulletin/2024-12-01
* tag 'ASB-2024-12-05_12-5.10' of https://android.googlesource.com/kernel/common : (649 commits)
ANDROID: ABI: update symbol list for honor
ANDROID: fs: add vendor hook to collect IO statistics
ANDROID: tools/objtool: Pass CFLAGS to libsubcmd build via EXTRA_CFLAGS
UPSTREAM: HID: core: zero-initialize the report buffer
ANDROID: libsubcmd: Hoist iterator variable declarations in parse_options_subcommand()
ANDROID: mm: Fix SPF-aware fast-mremap
UPSTREAM: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT
UPSTREAM: f2fs: support SEEK_DATA and SEEK_HOLE for compression files
Revert "genetlink: hold RCU in genlmsg_mcast()"
ANDROID: add file for recording allowed ABI breaks
ANDROID: GKI: update symbol list for honor
ANDROID: Allow vendor modules perform more operations on memleak detect
UPSTREAM: drm/omap: fix misleading indentation in pixinc()
UPSTREAM: bitfield: build kunit tests without structleak plugin
BACKPORT: FROMGIT: binder: add delivered_freeze to debugfs output
BACKPORT: FROMGIT: binder: fix memleak of proc->delivered_freeze
FROMGIT: binder: allow freeze notification for dead nodes
FROMGIT: binder: fix BINDER_WORK_CLEAR_FREEZE_NOTIFICATION debug logs
FROMGIT: binder: fix BINDER_WORK_FROZEN_BINDER debug logs
BACKPORT: FROMGIT: binder: fix freeze UAF in binder_release_work()
...
Conflicts:
android/abi_gki_aarch64.xml
net/qrtr/af_qrtr.c
Change-Id: I4f416cf6c90e71fbdc0bea2c76a620842a2a2288
2024-12-16 00:43:42 +02:00
Rui Chen
5f45a7ef79
ANDROID: fs: add vendor hook to collect IO statistics
...
Add vendor hook to get metainfo of direct/buffered read and write.
Determine hot files in each performance-sensitive user scenario.
Bug: 380502059
Change-Id: Ie7604852df637d6664afd72e87bd6d4b14bbc2a2
Signed-off-by: Rui Chen <chenrui9@honor.com>
2024-12-02 19:22:28 +00:00
Greg Kroah-Hartman
b0e9b554c3
Merge tag 'android12-5.10.228_r00' into android12-5.10
...
This merges up to the 5.10.228 LTS release into the android12-5.10
branch. Changes included in here are:
* 38dc270ca0c515597aec02874ca52d02874ca52ddf848523d68605ca4bd00329056e0775f828e944649d646506c9b774380720e27c7739bf83ba3c556e1659b674472088ffb1511ca93509cf9ddf9ed97f1ef591856c151aeb6d5c345c47e86af43ec3bfed31aba8ce8c1e6717f64af714e823b632114677f48eaf4e88aacf6e28ae56dbb74b6a2c7dd3ca6bdf6fed0a2a78aaf54ad5718609f51859df170bde9076d449e7dbe51dd516c17e5cbbb1012423e6bd5a8fa04b2a2abe57d62a25e86fb0aec1d0476885c38add9ac0fde99e972b609937aa96b7d7b7fc876f44a5fc159ab38a1cdb8462805788e475220d641826b6d69b9f8ddf14fa0fc55ec9fc608b626f71fc2cb5e3af63d6a3b078516655749af80375f275dc99dfa2babf3ab8e1c22d06787b70ffc41743099504153a48c27133637ac4c2211b123abc1ebea30782809c01df75c78bfe6ddcaee2443bc6d0f8b7eca3edf876e7c0f8ca3b0ab77a47e3c5e57863d777fa260620dfa4b5d4bad047095095b12ef2d4df66b98c4f1854a987b41d71fbc3af3de8e599a635417d5838ca043f055261bf1a022222cafa5942bdce43c48cdc3728b4eb27673a1c5a29dbe055567a5f47cdeeefaf2f7573ea705b0910420ba4653710eac1c5bfc193500164159f76a9d1847ad1ad5a554911610c7a4911610c7ab585ecc2c905cc42d60105cc42d60195f62e5a783adb1be04fab6c9463b10825c5ff244bf1bd3fff73f75d2b5a548d0102dc68ad5da6cafcda074c98e7a1d51b391d7fc802a7f8dea2fede9b1caf0550a7564b1606a7564b16068669bca53f799a06ca7fab6bc15e991d5f85f1b736b054324d30d91a478d4098b691025cb5d157556fc602a28c725352903981d8cb7a3e3502b1a2973502b1a297037145e2a2d98558fe26740de19877ff0e27a0f9265bf63e24265bf63e2423e139f90badbc3eef43d79af3af2fc70e05b92936fd66cb51ca21e0d3a80e91c4b4840e91c4b484a7c9402bbc9f3407aa6c0109267c1ea625acf221e13ffbf5fdef44274daecce8419b818a517d1845fe238ddf856c71f56f4f21b5af7f0c21b5af7f0cf892165c5664f1b4922b1fc13f6a41993ce09fe6e22e091f95de5a059e36de5a059e36252f147b18f4149eec9656452dbc0ad8ac7378bc4ce662fe4b30ea38665d4c83143fc6b677b94a9137c181e389b65018968763047187a5a28703d4d4e4f218455cf3e0a8b7d4b10c1ca941713adaf0ec24318116c4345d3c0bf2c2097d5efbdced2c9d661cd197813e029aa36ba34f4a6d70d7546fb43a2e90a6a070a82a22a03cae2622c805ab2622c805ab2aa861ec729b82d737d2f2fd1a959725b00216200b4dc46f87421795b064a009e88cc96063d72b6139fffca5726592347f062f6da71e9dda964de4c120557232c9991e8b0bab238d5c541e281edfa1cd96a5139526570e257621570e257621411e2e1d011aeaa7e8d8f561b48d63042d3e267624afda042124afda04219df353ca13c45edd5942ce691439c0f46870ab3d5d9c84863ff8a7c34232f8a7c342328fb88ba5dedde4c1e166dde4c1e166e62d85f9ba6ff56ef7f76ff56ef7f7b5e0cda160d223126bb0d223126bb0ed3c3589439bd3443e349bd3443e3493d28c0f5a8b55076b7b8b55076b7b6e988ae353bfab5fbc12bfab5fbc1225d36c65fbc54aa7d750c54aa7d7509fbdcfe7bb70b60c8d9b70b60c8d9bd476e18cbfd73d48acf3d73d48acf3657f07546b67db431b8567db431b8517c42250e81a819c7f851a819c7f85c53240428e509ddbb2b8f976d964a6f976d964a6bf8363e46fe33fe25b1e68e579316c68c77a70e31d108095d560b69683414445bc6e9f3f73da56af5443e70fb7ed0d5103f9f63461af2c7ae7ada29a0ea4333c6796cad5da79f692160d3ee01e9ae43e61b84013e5bf605ae98d3f1ca6ba5414114d8148aac31d654a8e3bf36636ff1500fe26a5437858567fabacb337481e8f18a22bda8973513e8862875fa63fdf20ccea7dead20425ec5c873c6766937d03b6c29c8f3d5e811066c58c26d9e53e4286a041837bcdef04d0e52f933598133ff0d78f6a00671aec2c08dfc99f2c08dfc99fc36ff6948c64d315aeecb078a7eee1afa9990523d6b22a2d558ab638bb49f53c2b55d02c1effc22546c72b01399b8bc33ad610dde0c1fbe45803c71f7624223155eda94fc74be3b57186f453b1999cfdb0cb4561fca34416ec26e82df17e5f29f38894570a377fcaceaec72bfbc1cf387300b8f9213351237ab69af56ac130a3c09ead89f833430167d570f6e2743d0a03831e8a816ee407715e7a8b1dcf25c22451e5917cfd026b6b67f9db7bb1128d54001f8d49ded70954b48eba851f1ebfa666381ebfa66638de9e7f68765652c448da9e493f002dd9245b9296ceff6f5e71e6897e299f79681036a398111af338219587bca2e2b200c50235733d1a606ee6835f82aa4e9056df1756918f5147be40b69802c1725eb295a91802e4b7cbdd6b1ba479b653d5669d337aa1bf60b4f587e2b2558971cbb67e245da40e7a2b807cd004102b0f26f269441f61d5092562b8a46ba8baa474b07874c63fd01674c63fd01630cd2158f24440bac6f01245542856ac6e862b8da7f0073fcded418cad83b02eb7c86f2171e1d750000bab8753b820cb910ff7785c4498f10d29b1087c93044298f13b04cf654ec4641df5a73d996436c9668503e42d320d9de7148fdc3c7d30def367fa6da4bbeb16dd70c8a89e16b66c46b6566a931a14ba26060a29185df15984c8bb4e2d5f6f91c0260d531754952f531754952f7675fe977b181fbbdd466136b834d6cdd86fb75fcdd86fb75fca36d6c1a4fd7fcd802ef55e003d2632ee78823d3948c73c926b9a551b83767b71f2929f1c4edee8742a1b69c052f7cab2901472dd897f118a0c3e55cc1de441350f8e74a0610e5083481447a632e5c6bf509ca62f6ea76e19d66b3b25311d263d04df066dacc0b66746c40794607d0079d644a239ff33c547a68c75050eecd2ee23b2cb101b9bd41d6653461b2137f6c9cef1056ee685c2f7bd575e3a031dfadbffe7be5544f1816749f76b69ab9c45a765f4ba4b081991c42e20b69b8662720f2daaa295fa38dcc7148bf45dc30558e6c5e89f92509361c12c72b1fa83e1df431c5cd41b4b84f4d4470360aadf84be13175be789bf3f1affbacb9897b946c55ebcb216aaaf3cd0a7f291dc4cbc2dbc4b7bac4b81a9f92b0e6378dd9bbfe249c1518926201447089aece01aba624f656a50460579fef6317d304fe0dbda9f26e0dbda9f260e233e78a8db9c5f08eedb9c5f08eee45c637aa56c36857fe56c36857fe58acb711851ec31cf42fcec31cf42fc69acbd579598d14164c098d14164c013cdfa4cd3338a0582b2338a0582b2973b583bb8dcf48ab3cadcf48ab3ca0407f5e40e1429a9260f1429a9260f0c170b1e9110348fb6fe64add9aaf7d4951dd16ecf0674248d1ea56cd9a6b7413dbc630ed35dd547d612d419a56f2eeba7c33dc483f0e687aceb1ce6db930da9477b5476f0610f1d007bbe9f03f0016f40d5787354ef7e34237edd598ac57d502dac909e322911a2e607f0f643d71e6195dc7a6258c4fb8dd06fbe0b872a2894e90c5353f8ec59d8c75b8a9160073591436fcb4bbbecda5751e56b47d930c2c7a99e4337ab9c428fa328246d613c2077867ef6d48cf71990ea3ce45320999e57ad45460ce9d893430ce9d8934388ba7cd9f42efe8da2ddf29951897ac289903b7abadbd736e66ae3b9aee445f826f6c8ca34aa378211396ba4f8a10a7d6d17727660723eea837ae511d20674f316e2290906bb24bf40740a7fc22c3b3fe65f6987362e073a579f22d591d91608c63b7962c4227a38ab4766ba108b3a1a31a38f28fbbd0ce7dd417529c04e1c8c12ca9374068b36c2db6acd8c3467a941265ad69f5a04306efef84bcc52d5282a04eb60af432c9b228938a0a8b7bebecb9134aa0986da3c79b802657ced6072fa5f700ee9e482e1e5d041301f309dffbbd7b85ce4075ddecfca8b26a9fe93cd663514531e3b820338e66cba36820265a06b38aedfdc5f37e8c415e37fead06aaf2fb608e95f943045eccd8810561665f9be0348278ec259527661e90a609fb482fdf35c1997f7adc59f57f3f18202306e9f9efa58381ad7a7dd2966932559f25a514a1508c3167e4371efaeed49dd2bcdb20b703e42a9899e5697586fbd69ad0b53e4b506ceed8efffb3cd974fb5f19060ab063c7417ad44bc4272e254d2760df0f3630a18846a819a496d2e1277ae780cab9ff7fe8207503742c3df68f37c55755eabda2e296245ca8b48fae67883b84799ea276851c70a5cb1f7ef1f42accdb38c13703e18a91b6dce5b5a85cc00913c11a11a1a532557418e170f232916fab793e01f996f8e0ca3049635ccdcd987b0724f7a90723ddb2d139c1012f5f1c0c097ded4bb459040db0947eca2a60da25076ff0a39ba6e0396e9c5cbf9722aa53fa005dcd6bc4a0c1e2da6516e0ab9ed350cff34dee31292316c54abf18416865fd90e3541880a324afe6be2e1ebc9705f447bf0e7814b0286a53e5def7a684b45a779d682e89c45badd0ae8bff89db14c645a81667e057a3d8983134759b7e44d5624db232bbd11db41b040511d9f23d39061b7b9c6d4649f2de46b1d24fdb81677f4bdd34ef88d51a8e85289e2e5052143c9f08d024edfff183aa3c0f4da063a1007180fcb65a2cc2bb811f05cd743bae96b02b9dae96b02b9d609260542c1f31f51bfcf2b13ec208392f6a97fcb9063702a0097cc80396e7a9cca35ea38c552abfb9d15b50b2e829dbaf7678078862f014341f28a34f0e49164400d54431b044eb6658899deecde6373f7183e28ff08589057f43662ba6caacb4baa4843b9ca02300b06bb81ef984413279548a30bee7f518eef3d55a8a30bee7f58a30bee7f51ac06676586b3af2ad53e477d44e5f
2024-11-28 17:25:42 +00:00
Daeho Jeong
a8339e7fd0
UPSTREAM: f2fs: support SEEK_DATA and SEEK_HOLE for compression files
...
Fix to support SEEK_DATA and SEEK_HOLE for compression files
Bug: 325092012
Signed-off-by: Daeho Jeong <daehojeong@google.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit a94c7fded76bfd1a061deae7be80fedbfa26774e)
(cherry picked from https://android-review.googlesource.com/q/commit:268f1fed504a7bc9cfba291fe994ad767eda7a70 )
Merged-In: Iba62c53e634682205f84c8dc3566ab8df9079158
Change-Id: Iba62c53e634682205f84c8dc3566ab8df9079158
2024-11-23 00:50:57 +00:00
Greg Kroah-Hartman
c515597aec
Merge 02874ca52d ("tracing: Consider the NULL character when validating the event length") into android12-5.10-lts
...
Steps on the way to 5.10.229
Resolves conflicts in:
drivers/net/macsec.c
Change-Id: Ibc2583ddd810808fa9ce619e71935aeb5f97805a
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-21 22:24:39 +00:00
Greg Kroah-Hartman
012423e6bd
Merge 5.10.228 into android12-5.10-lts
...
Changes in 5.10.228
ALSA: hda/conexant - Fix audio routing for HP EliteOne 1000 G2
net: enetc: add missing static descriptor and inline keyword
posix-clock: Fix missing timespec64 check in pc_clock_settime()
arm64: probes: Remove broken LDR (literal) uprobe support
arm64: probes: Fix simulate_ldr*_literal()
net: macb: Avoid 20s boot delay by skipping MDIO bus registration for fixed-link PHY
irqchip/gic-v3-its: Fix VSYNC referencing an unmapped VPE on GIC v4.1
fat: fix uninitialized variable
mm/swapfile: skip HugeTLB pages for unuse_vma
wifi: mac80211: fix potential key use-after-free
KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()
io_uring/sqpoll: do not allow pinning outside of cpuset
io_uring/sqpoll: retain test for whether the CPU is valid
io_uring/sqpoll: do not put cpumask on stack
s390/sclp_vt220: Convert newlines to CRLF instead of LFCR
KVM: s390: Change virtual to physical address access in diag 0x258 handler
x86/cpufeatures: Define X86_FEATURE_AMD_IBPB_RET
x86/cpufeatures: Add a IBPB_NO_RET BUG flag
x86/entry: Have entry_ibpb() invalidate return predictions
x86/bugs: Skip RSB fill at VMEXIT
x86/bugs: Do not use UNTRAIN_RET with IBPB on entry
blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race
io_uring/sqpoll: close race on waiting for sqring entries
drm/radeon: Fix encoder->possible_clones
drm/vmwgfx: Handle surface check failure correctly
iio: dac: ad5770r: add missing select REGMAP_SPI in Kconfig
iio: dac: ltc1660: add missing select REGMAP_SPI in Kconfig
iio: dac: stm32-dac-core: add missing select REGMAP_MMIO in Kconfig
iio: adc: ti-ads8688: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig
iio: hid-sensors: Fix an error handling path in _hid_sensor_set_report_latency()
iio: light: veml6030: fix ALS sensor resolution
iio: light: veml6030: fix IIO device retrieval from embedded device
iio: light: opt3001: add missing full-scale range value
iio: proximity: mb1232: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig
iio: adc: ti-ads124s08: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig
Bluetooth: Remove debugfs directory on module init failure
Bluetooth: btusb: Fix regression with fake CSR controllers 0a12:0001
xhci: Fix incorrect stream context type macro
USB: serial: option: add support for Quectel EG916Q-GL
USB: serial: option: add Telit FN920C04 MBIM compositions
parport: Proper fix for array out-of-bounds access
x86/resctrl: Annotate get_mem_config() functions as __init
x86/apic: Always explicitly disarm TSC-deadline timer
x86/entry_32: Do not clobber user EFLAGS.ZF
x86/entry_32: Clear CPU buffers after register restore in NMI return
irqchip/gic-v4: Don't allow a VMOVP on a dying VPE
mptcp: track and update contiguous data status
mptcp: handle consistently DSS corruption
tcp: fix mptcp DSS corruption due to large pmtu xmit
nilfs2: propagate directory read errors from nilfs_find_entry()
powerpc/mm: Always update max/min_low_pfn in mem_topology_setup()
ALSA: hda/conexant - Use cached pin control for Node 0x1d on HP EliteOne 1000 G2
Linux 5.10.228
Change-Id: I46a08618e1091915449af89690af27a230a28855
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-17 20:12:50 +00:00
Greg Kroah-Hartman
6c71f56f4f
Merge 21b5af7f0c ("net: phy: dp83869: fix memory corruption when enabling fiber") into android12-5.10-lts
...
Steps on the way to 5.10.227
Resolves merge conflicts in:
fs/nfsd/filecache.c
Change-Id: Ied16cae04e74a6303fdf827703d9f9caf57f971a
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-17 11:50:07 +00:00
Greg Kroah-Hartman
e22e091f95
Merge de5a059e36 ("RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt") into android12-5.10-lts
...
Steps on the way to 5.10.227
Change-Id: Ie75a10f12b4c90baa487a120d138956dd5a09da8
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-17 08:15:32 +00:00
Greg Kroah-Hartman
2a22a03cae
Merge 2622c805ab ("kallsyms: Make module_kallsyms_on_each_symbol generally available") into android12-5.10-lts
...
Steps on the way to 5.10.227
Resolves merge conflicts in:
include/linux/kallsyms.h
include/linux/module.h
kernel/kallsyms.c
Change-Id: I207acf2f76d2f2bc3be7b811edec98d988365f60
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-17 08:15:15 +00:00
Greg Kroah-Hartman
ce691439c0
Revert "ext4: properly sync file size update after O_SYNC direct IO"
...
This reverts commit dde4c1e166
2024-11-16 18:27:09 +00:00
Greg Kroah-Hartman
f46870ab3d
Revert "ext4: dax: fix overflowing extents beyond inode size when partially writing"
...
This reverts commit f8a7c34232
2024-11-16 18:26:45 +00:00
Greg Kroah-Hartman
5d9c84863f
Merge f8a7c34232 ("ext4: dax: fix overflowing extents beyond inode size when partially writing") into android12-5.10-lts
...
Steps on the way to 5.10.227
Change-Id: Ifa9c84d819e26b5ec9a4503dbf77f3e48ff0782c
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-16 16:40:19 +00:00
Greg Kroah-Hartman
8fb88ba5de
Merge dde4c1e166 ("ext4: properly sync file size update after O_SYNC direct IO") into android12-5.10-lts
...
Steps on the way to 5.10.227
Change-Id: If19e4b34d65d6f90dabc6fce79809aea1675bd0a
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-16 16:40:14 +00:00
Greg Kroah-Hartman
9fbdcfe7bb
Merge 70b60c8d9b ("btrfs: wait for fixup workers before stopping cleaner kthread during umount") into android12-5.10-lts
...
Steps on the way to 5.10.227
Change-Id: Ie897a82549a26d8832c1cd233ac507bdaa083cdb
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-16 16:39:36 +00:00
Greg Kroah-Hartman
d476e18cbf
Merge d73d48acf3 ("btrfs: fix a NULL pointer dereference when failed to start a new trasacntion") into android12-5.10-lts
...
Steps on the way to 5.10.227
Change-Id: Id9261beea462bed16ae80004e8eb46eb8cb4cbeb
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-16 16:39:30 +00:00
Greg Kroah-Hartman
509ddbb2b8
Merge f976d964a6 ("Input: adp5589-keys - fix adp5589_gpio_get_value()") into android12-5.10-lts
...
Steps on the way to 5.10.227
Resolves merge conflicts in:
fs/nfsd/nfs4xdr.c
fs/nfsd/vfs.c
Change-Id: I8ed4156759977aa5c53d577990f4b72e61530ebf
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-14 11:34:30 +00:00
Greg Kroah-Hartman
6a00671aec
Merge 2c08dfc99f ("ALSA: hda/realtek: Add quirk for Huawei MateBook 13 KLV-WX9") into android12-5.10-lts
...
Steps on the way to 5.10.227
Resolves merge conflicts in:
fs/ext4/namei.c
Change-Id: I7dfbf5a9d8837593f8e4a7ddb5ba34e256d94953
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-14 11:33:02 +00:00
Greg Kroah-Hartman
b48eba851f
Merge 1ebfa66638 ("drm/amd/display: Add null check for top_pipe_to_program in commit_planes_for_stream") into android12-5.10-lts
...
Steps on the way to 5.10.227
Change-Id: I5e69192f2ecbbda523c18c2749bb1f181837e99c
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-14 11:32:05 +00:00
Greg Kroah-Hartman
baa474b078
Merge 74c63fd016 ("ACPICA: Fix memory leak if acpi_ps_get_next_field() fails") into android12-5.10-lts
...
Steps on the way to 5.10.227
Change-Id: Ie190b64ce17dea26ec0ac8910bbcb5fb144aede0
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-14 11:30:34 +00:00
Greg Kroah-Hartman
6136b834d6
Merge cdd86fb75f ("net/mlx5: Added cond_resched() to crdump collection") into android12-5.10-lts
...
Steps on the way to 5.10.227
Change-Id: I780b041f7c72ac3204110981ba8c0ce36764d971
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-14 09:58:25 +00:00
Greg Kroah-Hartman
0407f5e40e
Merge 1429a9260f ("Revert "dm: requeue IO if mapping table not yet available"") into android12-5.10-lts
...
Steps on the way to 5.10.226
Resolves merge conflicts in:
fs/f2fs/xattr.c
fs/nfsd/filecache.c
Change-Id: I09ff012f62cfc2cd08550684766f05eac93951fb
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-14 07:16:40 +00:00
Chao Yu
ee2e0e624b
BACKPORT: f2fs: compress: fix to update i_compr_blocks correctly
...
Previously, we account reserved blocks and compressed blocks into
@compr_blocks, then, f2fs_i_compr_blocks_update(,compr_blocks) will
update i_compr_blocks incorrectly, fix it.
Meanwhile, for the case all blocks in cluster were reserved, fix to
update dn->ofs_in_node correctly.
Bug: 378001005
Fixes: eb8fbaa53374 ("f2fs: compress: fix to check unreleased compressed cluster")
Change-Id: Ie195fc57a1d55ff9f42fe4855edd21da1c88bb90
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit 186e7d71534df4589405925caca5597af7626c12)
2024-11-12 20:33:44 +00:00
Greg Kroah-Hartman
9e57ad4546
Merge 0ce9d89343 ("clk: ti: dra7-atl: Fix leak of of_nodes") into android12-5.10-lts
...
Steps on the way to 5.10.226
Resolves merge conflicts in:
drivers/dma-buf/heaps/heap-helpers.c
drivers/usb/dwc3/core.h
fs/ext4/inline.c
Change-Id: Id7ab496884e549fc85b6fff8254fb56d6785d78c
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-12 17:29:46 +00:00
Greg Kroah-Hartman
1f05cd743b
Merge ae96b02b9d ("soundwire: stream: Revert "soundwire: stream: fix programming slave ports for non-continous port maps"") into android12-5.10-lts
...
Steps on the way to 5.10.226
Change-Id: I92c594018a2ec1c562a580e493117d780fade779
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-12 12:44:11 +00:00
Dave Kleikamp
df848523d6
jfs: Fix sanity check in dbMount
...
[ Upstream commit 67373ca8404fe57eb1bb4b57f314cff77ce54932 ]
MAXAG is a legitimate value for bmp->db_numag
Fixes: e63866a47556 ("jfs: fix out-of-bounds in dbNextAG() and diAlloc()")
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-11-08 16:21:59 +01:00
Christoph Hellwig
649d646506
iomap: update ki_pos a little later in iomap_dio_complete
...
upstream 936e114a245b6e38e0dbf706a67e7611fc993da1 commit.
Move the ki_pos update down a bit to prepare for a better common helper
that invalidates pages based of an iocb.
Link: https://lkml.kernel.org/r/20230601145904.1385409-3-hch@lst.de
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Andreas Gruenbacher <agruenba@redhat.com>
Cc: Anna Schumaker <anna@kernel.org>
Cc: Chao Yu <chao@kernel.org>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Ilya Dryomov <idryomov@gmail.com>
Cc: Jaegeuk Kim <jaegeuk@kernel.org>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Miklos Szeredi <miklos@szeredi.hu>
Cc: Miklos Szeredi <mszeredi@redhat.com>
Cc: Theodore Ts'o <tytso@mit.edu>
Cc: Trond Myklebust <trond.myklebust@hammerspace.com>
Cc: Xiubo Li <xiubli@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Mahmoud Adam <mngyadam@amazon.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-11-08 16:21:58 +01:00
Mateusz Guzik
c9b7743807
exec: don't WARN for racy path_noexec check
...
[ Upstream commit 0d196e7589cefe207d5d41f37a0a28a1fdeeb7c6 ]
Both i_mode and noexec checks wrapped in WARN_ON stem from an artifact
of the previous implementation. They used to legitimately check for the
condition, but that got moved up in two commits:
633fb6ac390fd338b2d2https://lore.kernel.org/r/20240805131721.765484-1-mjguzik@gmail.com
[brauner: keep redundant path_noexec() check]
Signed-off-by: Christian Brauner <brauner@kernel.org>
[cascardo: keep exit label and use it]
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-11-08 16:21:58 +01:00
Paulo Alcantara
ed31aba8ce
smb: client: fix OOBs when building SMB2_IOCTL request
...
[ Upstream commit 1ab60323c5201bef25f2a3dc0ccc404d9aca77f1 ]
When using encryption, either enforced by the server or when using
'seal' mount option, the client will squash all compound request buffers
down for encryption into a single iov in smb2_set_next_command().
SMB2_ioctl_init() allocates a small buffer (448 bytes) to hold the
SMB2_IOCTL request in the first iov, and if the user passes an input
buffer that is greater than 328 bytes, smb2_set_next_command() will
end up writing off the end of @rqst->iov[0].iov_base as shown below:
mount.cifs //srv/share /mnt -o ...,seal
ln -s $(perl -e "print('a')for 1..1024") /mnt/link
BUG: KASAN: slab-out-of-bounds in
smb2_set_next_command.cold+0x1d6/0x24c [cifs]
Write of size 4116 at addr ffff8881148fcab8 by task ln/859
CPU: 1 UID: 0 PID: 859 Comm: ln Not tainted 6.12.0-rc3 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
1.16.3-2.fc40 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x5d/0x80
? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
print_report+0x156/0x4d9
? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
? __virt_addr_valid+0x145/0x310
? __phys_addr+0x46/0x90
? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
kasan_report+0xda/0x110
? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
kasan_check_range+0x10f/0x1f0
__asan_memcpy+0x3c/0x60
smb2_set_next_command.cold+0x1d6/0x24c [cifs]
smb2_compound_op+0x238c/0x3840 [cifs]
? kasan_save_track+0x14/0x30
? kasan_save_free_info+0x3b/0x70
? vfs_symlink+0x1a1/0x2c0
? do_symlinkat+0x108/0x1c0
? __pfx_smb2_compound_op+0x10/0x10 [cifs]
? kmem_cache_free+0x118/0x3e0
? cifs_get_writable_path+0xeb/0x1a0 [cifs]
smb2_get_reparse_inode+0x423/0x540 [cifs]
? __pfx_smb2_get_reparse_inode+0x10/0x10 [cifs]
? rcu_is_watching+0x20/0x50
? __kmalloc_noprof+0x37c/0x480
? smb2_create_reparse_symlink+0x257/0x490 [cifs]
? smb2_create_reparse_symlink+0x38f/0x490 [cifs]
smb2_create_reparse_symlink+0x38f/0x490 [cifs]
? __pfx_smb2_create_reparse_symlink+0x10/0x10 [cifs]
? find_held_lock+0x8a/0xa0
? hlock_class+0x32/0xb0
? __build_path_from_dentry_optional_prefix+0x19d/0x2e0 [cifs]
cifs_symlink+0x24f/0x960 [cifs]
? __pfx_make_vfsuid+0x10/0x10
? __pfx_cifs_symlink+0x10/0x10 [cifs]
? make_vfsgid+0x6b/0xc0
? generic_permission+0x96/0x2d0
vfs_symlink+0x1a1/0x2c0
do_symlinkat+0x108/0x1c0
? __pfx_do_symlinkat+0x10/0x10
? strncpy_from_user+0xaa/0x160
__x64_sys_symlinkat+0xb9/0xf0
do_syscall_64+0xbb/0x1d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f08d75c13bb
Reported-by: David Howells <dhowells@redhat.com>
Fixes: e77fe73c7e
2024-11-08 16:21:58 +01:00
Michael Bestas
529ffa5672
Merge tag 'ASB-2024-11-05_12-5.10' of https://android.googlesource.com/kernel/common into android13-5.10-waipio
...
https://source.android.com/docs/security/bulletin/2024-11-01
CVE-2024-36978
CVE-2024-46740
* tag 'ASB-2024-11-05_12-5.10' of https://android.googlesource.com/kernel/common : (702 commits)
UPSTREAM: dma-buf: heaps: Fix off-by-one in CMA heap fault handler
BACKPORT: firmware: arm_scmi: Queue in scmi layer for mailbox implementation
BACKPORT: gso: fix udp gso fraglist segmentation after pull from frag_list
ANDROID: usb: Optimization the transfer rate of accessory mode in USB3.2 mode
UPSTREAM: unicode: Don't special case ignorable code points
ANDROID: 16K: Fixup padding vm_flags bits on VMA splits
ANDROID: 16K: Introduce pgsize_migration_inline.h
Revert "udf: Avoid excessive partition lengths"
Revert "bareudp: Fix device stats updates."
ANDROID: fix up change to pti_clone_pgtable()
Revert "perf/aux: Fix AUX buffer serialization"
Revert "clocksource/drivers/timer-of: Remove percpu irq related code"
Revert "Merge 751777a79a
2024-11-07 10:53:18 +02:00
Greg Kroah-Hartman
b9d4c135c7
Merge tag 'android12-5.10.226_r00' into android12-5.10
...
This merges up to the 5.10.226 LTS release into android12-5.10.
Included in here are the following commits:
* bfa0f472d590336334a0bcfc839140ebdacb61763c59c9aebf7d3ca1ed3fceb091e2c4912736a04302ee1976eddad75cf2c31401da1486c6bd80f585b35d3c8181b8dfa35f0050632b877c4c3b21204accb95b37e93658388cd35dac987d1b157c0d94b40630e3d4357882923f1c0f511f28400af6b80dac3ded318cf0cf6ffb16886c563a2985359ea5edc91d8e020e5138cd8bde8a3a8154bb4ad0d3edb56e1719ebc8e3f3a54c27ba41cc91e313d8a61e69f86fb7b7f5bad3ff0f98a599418ec7769d1e9f08765c8906de982f14160d9f51fa08edd834185de73d3206e4a4b0912bcdc51b3eaad59258e6f3008de8e2355d513bc60676b81fed1b61398c8780129cbc9813770f25fb2257089a56cfdeb2c78a1e958e2659c1fb98742a3add62f1bc1faed19d9b884bdc29c8944d449f1434b72a2d70854bf0038a7ef20bf7583b5d2d4343b442c97219af8a23a1231c235d2f0ea3f2798d77ad44ee33bc18f3c8063c0cedc22c32cbafeebf594cc1dba098a4cabf87acd29851373efe53eb22ee1c2ecf7b45c0c747df449d70b16baec92dbebdee50abebdc9380fe33abebbdbbc5801fa40e0d2744a595f8973ab3ee41259e28a1df18e73b63f138551966371e66234da64df56089a1801c5bad90e0ec08e30082500e4bf673414736fcb770fe52b634751777a79ac3e9a280ba751777a79a751777a79af8219c4b80f2fe1ec9065545496966fec6561e759eb5d44b8fe0fba78ab97f2476914ed06254ae7d2197b23edad47c660e8ca8aaffc0c1c532274202ebfce8dd7e895807268aa02f9d6ea373b72f4b3b3025d489f94e18b58b1000588cd66dc2345ad899fe709a1a77b22678f8efddee5b4b6addee5b4b6a91fb0512a07e4c72dbafefdde00d4a07e4dc2fe07725152b5493ee345ba3e3ad85c4773a49b6b1ca6949a97f6df540bc71d50811d573849d38c704b44be36d9d182793f42389b2ead09489029e462bb4cb27399b3de0b122a8f60f27b8c07e2ef683b058adc688a5058ca21e7a2798c75d761806e7be6934b140074560dfc8eb4d7e5895541d7317c43211d4842a97b5e4c8e5439b5bcf002be3b82ac9deb7e03fd11fe4f20623c9f371c083c8be6b5eb04f98940305a885ccd24bc270b7a948ec99353f3ef1d9f67e64cabe81bd13c1119ac7975f09aee85cf9a5a47eb78880219aa7dd5e31ed7e9ed973614564a5b2008933832a52338a3aa70842db679d310b9d83635f09fa5e0a725b728cc0c253b87c7c60097df93874c5d8b05791608305467c47dd2e922a63c90c7a754321ed6340c2e8bc11e24fa827291d0c85d0fc59ac79129738e32a0d83d592768c17a601129c78774bae3b8d28b539bbcc40d0fedacfff5af3f9b5712921d2ab0e69cf9b65221ebded43e78bc7099c52c4910c654951c68022b57d01c66f7e8bad2cf39e96dea7ef4538335cc259579a627a6aee4c5635b72da4d89b16cc6114c9f84d5dccc8612843f842f5a5a5a0e98ddaea033d7e5d5c4ae78bbb9e4e0e842a40c7272e8e93dea09cfe7c53fef8e1c92868acddd7c6b7338a3ba30c688325078ae83405e75df2b6cd1335777d9c223ef7276cdc190365c9029a2933b4f8a61388df72dc4e9436375fd57e6298cca45ee4c98ddf02642c21239b1cacce05dd9aabd056b82e6ff393000b2949b009444700b891438bc392915fa73415818af2f765e79c9437d1623e7b438c0a21d37dfc73103a947fd3a592689df9783bd89b9ba386d74370448fcae54b082752ff6607a4772884e73978cb5880a0dec414000da1050e7274ab5885217d665d8aed3ca6544571911b5c1448354421816b696c81216b9352e8c85f2ff36e630e1d774d42a2257beb06c8d302f4b762cf7e095a1f19d47a4e7a0c6bce70b091500ba3401777d1bd8e0a11cbb9a969fc5970a540dab09a5ec8de2143cba143f14cd618269e1c4d0d6a1b8e318f99d0414f5436e5272645a09e0414220b5ee7495ac2c7c43a784fbf2f79970bbf0c603ab48ec052c5440c1d7b960f94a7dff2293dd13074e7e21448a49b486fb5ebd505c21f285d4e5464005b25d31baf9276ec27b70995e49b9258316bf51eddbe49c4f2a1aa469c3d285fb0cbf84ba441ce39ade7385510e200d4f971fa239c5e988e0f6425d90d5380f1b2b9372928e8be7138c59856d483de53d480456d39f03663e78faba43edc7abcc13541c5efdb3b679f66cc49ee343301fa4415c30f83d77926aeda7043c4bbb662d0c25335c7f8db11b0c7323c5fe7bdbe4fdfa894f7eafc250eca15dbdbadec8ae5ceff219650c914b0e68e8d306f3b351ad72c50665a4caa9caa9ce4193c1cece837e34b730a14758e0e6b15ab6bcd0f95b8c10ac31a72e24625310cad149f55850452e15e7fd88083916fbbcdda4b0dfe5bf14881de7be1940c03880af02aee030e4ffa63fd38af881b21a791afe245a18281747bc154570f0654318e4905e56f7b4690e2171f39a8a0618d0c105dabe6e62a1579e0b5df17128a6943c015b03141b23999b84ad15be5b2add7c50b2de18b5cc3e1ee1c419880ac0cc9c0a563f1243006e9e6ac59b21ea49e6e15469d46bad39e0f582bec54634f91fb6675db0450111a809831c35f9f89d5f87c11117b17de2a71191fc44395c52f9e1a9e7e62564d5e329eae03d09bdf0624bd5b9f49cc863f84b37abb44165604dd9b9a64ef9a96f3c8a8501008f2bcbc381cad7a0832b133fb78fd65cf86ca450b6b22acab8b397d59eb223bf01eca2ea2dec151e8360d94a26bcfeea3db959cdfe652b138f102227d455e6c7dddf560e25f1aa8ce648f209716eaf3405f4997f098e8fc72dc335b92e5668c6c4a7e005c318981ef1b208ca87cc9ebcfe5f1205a5aad4dacdb9720d993cb25efc7c1ca6e25e7e7d2b1805291d4f73444e11ae8f9c9c11ece5ac6ba5147329ddd5e7835455769ebb656f106d2c45605992ad4706f18a8faf261c5d8d0bdae104b094a500d4bdcbf0d247dfb17ff37fe4577741cdc25b8d683f5b59f7ba00782d8029a49c8c46b7570c955920e407a5b9ae6bb3369299a42821d21d417503b2b169fada3e52a4c221a6b4240b0e48a901ce6de305abd36c1749313f3d81c1eeb331d4e65fa6229ce18d767934f81534565b982b9af55985e3aa18e665ccc5285d8fe79a364ac0c0235c384dd4f1f5ccf99545c464d242868adc491f3e7865948628ab7b8d9f5e601150020c0085fb116c4e87f52225e52319d9d2f17a93a8201ba4e59f34cd00c9b4bbc75880302cfc476c5c7bb12fa993433e93fa44f073deac6f686646e9e90718b0a5709ac7b745257ff08775b3d6ee4b2b0306bb12a67976b59be4a16777d72f519518e97cc828dc65f72eec67c03ab555eb17eeed7cd906372e7536b50462b475991ef8e7aa4ed3286a53a2884a44e0548b54d0a06a93b7203652e7b4d73ef56dcdca881484ab2856bb9cc6e2579ec4cde1d58b07286ae4b6d9a0fe7b2591c89a688f053a1dd997d3c9cbe2fa82af6fdd28869a145be23ae6308ce90f30157b59013d264eb1b7575fe3ff4316953ea72a88810347dcb84a49460ac3dd1dda518dea65cc4d71ddadc2a655437aa38bf7489cf791b98fec8ae5939f43bf09eab40f62a9cc0c2257193083e641b7a8920ff2387553f721190921a538a27c8041c089efe76f0ad62559f65dba3c9ceb839175c065f0a6800b89fa8eca2594d3eb40ccd1fccae3fd752d8d27fd676b62f303577411a2d22636163de034e8f70d3cc24933a55bf94ee7ff99b9667d46f8a19f108b3d19cba1ec637a49321257f3b8e1b7d26a3ab508a4857ba756371b0c39dcbd887db8d7b75e5ed6a26ff2fcd485289d4d814159f648d54904641dd9636410730ea8502bed9580165ae99754cd854bc4e8844b848b40794a44f88f757388ee7a4d3ac2459460ce5bae95306af1d27f88e43aab4483d9d289ce917cdbcb4e9f66d5223be1335f8c9ac0cde2a011a1342d420517038463947852199e157a45c59cb8dd91fd27cc6f0973155ca67eb463671879ce89824ff748e9ad7c06735d02eadb6ac46a00186f4ca8b3b10f7163bfb4c9d235630e65cccfae7cf0c713c695c5b02d48983e2dfadcb7e36a3c7019ef7190228f2c2c4cc5a14083dc69b84ffa27eb09d6571b1c43c6fa6702321a15d52bcd2de7746e573303a4a8f15014206f98c3bef7ca853f2d5bce101c0341e98ef6af29942eb4ca1a97e9118c408eeedc2dee07a29723ad948445ffbccd038a7e4b8bf3009d371a237a484f771695d70c60bab2114f6ff771f129bed506e71b0e16bf3cf61f326b6512d5d2be7e240563d1c4bf57d81053182108f1dc3f33f3d096f2a9991c22df70184edcf61bd974294806bcf9141d2f772ac78ec1a5ed0496e38c9106ad5ea4e87f592a4cd105977b16ef4f1e98109c1583f0e3c9071a87139444840059459f33175115d814d6ae470e95616f3968b3d3cbcc963f5917aaa368c68fb20da8338be9d08ff1096178b12c8859bc763746ce46045f928c8fce2071ccb1399bdbe53b70fc0f851ff5c6e05c4488a0eb33dd450867f132aca18a2450206c0a497a6b72bd4f4188ecf0d08015bee2912a0d13629254059a12e201b3d1672e470089f4055275ca32aa1739334dae1ab7040aa98eb074036a9996e0222ae17a267ada0c31925249adb30cb15c2ec7c288d0d50a8b72f5738bdd61302433dc61eb5751e23085dc942896f3cb1fd6b7b7d06a3103ae2ec97d8ba1d2ecfcf4a49ce2d63e04654f4254745535fcebe5ca40647b1e9396ac4a992c88fbbc79a7cad41efd89b5db5bbfa9a71ae31a9a0958b5cc525351beab05737eea584e5d3f7eedd9fd98639f4cb508ed3e6b30c9c15770a1476ae8bd075a9d8571b9a83685976438b010441f083c995bea85ee2fdf7b79f97795f23a8c0748b76843070e816099bff9479e1767b3cdf4f
2024-10-28 18:51:06 +00:00
Ryusuke Konishi
c1d0476885
nilfs2: propagate directory read errors from nilfs_find_entry()
...
commit 08cfa12adf888db98879dbd735bc741360a34168 upstream.
Syzbot reported that a task hang occurs in vcs_open() during a fuzzing
test for nilfs2.
The root cause of this problem is that in nilfs_find_entry(), which
searches for directory entries, ignores errors when loading a directory
page/folio via nilfs_get_folio() fails.
If the filesystem images is corrupted, and the i_size of the directory
inode is large, and the directory page/folio is successfully read but
fails the sanity check, for example when it is zero-filled,
nilfs_check_folio() may continue to spit out error messages in bursts.
Fix this issue by propagating the error to the callers when loading a
page/folio fails in nilfs_find_entry().
The current interface of nilfs_find_entry() and its callers is outdated
and cannot propagate error codes such as -EIO and -ENOMEM returned via
nilfs_find_entry(), so fix it together.
Link: https://lkml.kernel.org/r/20241004033640.6841-1-konishi.ryusuke@gmail.com
Fixes: 2ba466d74ehttps://lkml.kernel.org/r/20240927013806.3577931-1-lizhi.xu@windriver.com
Reported-by: syzbot+8a192e8d090fa9a31135@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8a192e8d090fa9a31135
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-10-22 15:39:30 +02:00
OGAWA Hirofumi
043f055261
fat: fix uninitialized variable
...
commit 963a7f4d3b90ee195b895ca06b95757fcba02d1a upstream.
syszbot produced this with a corrupted fs image. In theory, however an IO
error would trigger this also.
This affects just an error report, so should not be a serious error.
Link: https://lkml.kernel.org/r/87r08wjsnh.fsf@mail.parknet.co.jp
Link: https://lkml.kernel.org/r/66ff2c95.050a0220.49194.03e9.GAE@google.com
Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Reported-by: syzbot+ef0d7bc412553291aa86@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-10-22 15:39:24 +02:00
Jan Kara
4911610c7a
ext4: fix warning in ext4_dio_write_end_io()
...
commit 619f75dae2cf117b1d07f27b046b9ffb071c4685 upstream.
The syzbot has reported that it can hit the warning in
ext4_dio_write_end_io() because i_size < i_disksize. Indeed the
reproducer creates a race between DIO IO completion and truncate
expanding the file and thus ext4_dio_write_end_io() sees an inconsistent
inode state where i_disksize is already updated but i_size is not
updated yet. Since we are careful when setting up DIO write and consider
it extending (and thus performing the IO synchronously with i_rwsem held
exclusively) whenever it goes past either of i_size or i_disksize, we
can use the same test during IO completion without risking entering
ext4_handle_inode_extension() without i_rwsem held. This way we make it
obvious both i_size and i_disksize are large enough when we report DIO
completion without relying on unreliable WARN_ON.
Reported-by: <syzbot+47479b71cdfc78f56d30@syzkaller.appspotmail.com>
Fixes: 91562895f803 ("ext4: properly sync file size update after O_SYNC direct IO")
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Link: https://lore.kernel.org/r/20231130095653.22679-1-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-10-17 15:08:39 +02:00
Yanjun Zhang
f892165c56
NFSv4: Prevent NULL-pointer dereference in nfs42_complete_copies()
...
[ Upstream commit a848c29e3486189aaabd5663bc11aea50c5bd144 ]
On the node of an NFS client, some files saved in the mountpoint of the
NFS server were copied to another location of the same NFS server.
Accidentally, the nfs42_complete_copies() got a NULL-pointer dereference
crash with the following syslog:
[232064.838881] NFSv4: state recovery failed for open file nfs/pvc-12b5200d-cd0f-46a3-b9f0-af8f4fe0ef64.qcow2, error = -116
[232064.839360] NFSv4: state recovery failed for open file nfs/pvc-12b5200d-cd0f-46a3-b9f0-af8f4fe0ef64.qcow2, error = -116
[232066.588183] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000058
[232066.588586] Mem abort info:
[232066.588701] ESR = 0x0000000096000007
[232066.588862] EC = 0x25: DABT (current EL), IL = 32 bits
[232066.589084] SET = 0, FnV = 0
[232066.589216] EA = 0, S1PTW = 0
[232066.589340] FSC = 0x07: level 3 translation fault
[232066.589559] Data abort info:
[232066.589683] ISV = 0, ISS = 0x00000007
[232066.589842] CM = 0, WnR = 0
[232066.589967] user pgtable: 64k pages, 48-bit VAs, pgdp=00002000956ff400
[232066.590231] [0000000000000058] pgd=08001100ae100003, p4d=08001100ae100003, pud=08001100ae100003, pmd=08001100b3c00003, pte=0000000000000000
[232066.590757] Internal error: Oops: 96000007 [#1 ] SMP
[232066.590958] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs ocfs2_dlmfs ocfs2_stack_o2cb ocfs2_dlm vhost_net vhost vhost_iotlb tap tun ipt_rpfilter xt_multiport ip_set_hash_ip ip_set_hash_net xfrm_interface xfrm6_tunnel tunnel4 tunnel6 esp4 ah4 wireguard libcurve25519_generic veth xt_addrtype xt_set nf_conntrack_netlink ip_set_hash_ipportnet ip_set_hash_ipportip ip_set_bitmap_port ip_set_hash_ipport dummy ip_set ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs iptable_filter sch_ingress nfnetlink_cttimeout vport_gre ip_gre ip_tunnel gre vport_geneve geneve vport_vxlan vxlan ip6_udp_tunnel udp_tunnel openvswitch nf_conncount dm_round_robin dm_service_time dm_multipath xt_nat xt_MASQUERADE nft_chain_nat nf_nat xt_mark xt_conntrack xt_comment nft_compat nft_counter nf_tables nfnetlink ocfs2 ocfs2_nodemanager ocfs2_stackglue iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ipmi_ssif nbd overlay 8021q garp mrp bonding tls rfkill sunrpc ext4 mbcache jbd2
[232066.591052] vfat fat cas_cache cas_disk ses enclosure scsi_transport_sas sg acpi_ipmi ipmi_si ipmi_devintf ipmi_msghandler ip_tables vfio_pci vfio_pci_core vfio_virqfd vfio_iommu_type1 vfio dm_mirror dm_region_hash dm_log dm_mod nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter bridge stp llc fuse xfs libcrc32c ast drm_vram_helper qla2xxx drm_kms_helper syscopyarea crct10dif_ce sysfillrect ghash_ce sysimgblt sha2_ce fb_sys_fops cec sha256_arm64 sha1_ce drm_ttm_helper ttm nvme_fc igb sbsa_gwdt nvme_fabrics drm nvme_core i2c_algo_bit i40e scsi_transport_fc megaraid_sas aes_neon_bs
[232066.596953] CPU: 6 PID: 4124696 Comm: 10.253.166.125- Kdump: loaded Not tainted 5.15.131-9.cl9_ocfs2.aarch64 #1
[232066.597356] Hardware name: Great Wall .\x93\x8e...RF6260 V5/GWMSSE2GL1T, BIOS T656FBE_V3.0.18 2024-01-06
[232066.597721] pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[232066.598034] pc : nfs4_reclaim_open_state+0x220/0x800 [nfsv4]
[232066.598327] lr : nfs4_reclaim_open_state+0x12c/0x800 [nfsv4]
[232066.598595] sp : ffff8000f568fc70
[232066.598731] x29: ffff8000f568fc70 x28: 0000000000001000 x27: ffff21003db33000
[232066.599030] x26: ffff800005521ae0 x25: ffff0100f98fa3f0 x24: 0000000000000001
[232066.599319] x23: ffff800009920008 x22: ffff21003db33040 x21: ffff21003db33050
[232066.599628] x20: ffff410172fe9e40 x19: ffff410172fe9e00 x18: 0000000000000000
[232066.599914] x17: 0000000000000000 x16: 0000000000000004 x15: 0000000000000000
[232066.600195] x14: 0000000000000000 x13: ffff800008e685a8 x12: 00000000eac0c6e6
[232066.600498] x11: 0000000000000000 x10: 0000000000000008 x9 : ffff8000054e5828
[232066.600784] x8 : 00000000ffffffbf x7 : 0000000000000001 x6 : 000000000a9eb14a
[232066.601062] x5 : 0000000000000000 x4 : ffff70ff8a14a800 x3 : 0000000000000058
[232066.601348] x2 : 0000000000000001 x1 : 54dce46366daa6c6 x0 : 0000000000000000
[232066.601636] Call trace:
[232066.601749] nfs4_reclaim_open_state+0x220/0x800 [nfsv4]
[232066.601998] nfs4_do_reclaim+0x1b8/0x28c [nfsv4]
[232066.602218] nfs4_state_manager+0x928/0x10f0 [nfsv4]
[232066.602455] nfs4_run_state_manager+0x78/0x1b0 [nfsv4]
[232066.602690] kthread+0x110/0x114
[232066.602830] ret_from_fork+0x10/0x20
[232066.602985] Code: 1400000d f9403f20 f9402e61 91016003 (f9402c00)
[232066.603284] SMP: stopping secondary CPUs
[232066.606936] Starting crashdump kernel...
[232066.607146] Bye!
Analysing the vmcore, we know that nfs4_copy_state listed by destination
nfs_server->ss_copies was added by the field copies in handle_async_copy(),
and we found a waiting copy process with the stack as:
PID: 3511963 TASK: ffff710028b47e00 CPU: 0 COMMAND: "cp"
#0 [ffff8001116ef740] __switch_to at ffff8000081b92f4
#1 [ffff8001116ef760] __schedule at ffff800008dd0650
#2 [ffff8001116ef7c0] schedule at ffff800008dd0a00
#3 [ffff8001116ef7e0] schedule_timeout at ffff800008dd6aa0
#4 [ffff8001116ef860] __wait_for_common at ffff800008dd166c
#5 [ffff8001116ef8e0] wait_for_completion_interruptible at ffff800008dd1898
#6 [ffff8001116ef8f0] handle_async_copy at ffff8000055142f4 [nfsv4]
#7 [ffff8001116ef970] _nfs42_proc_copy at ffff8000055147c8 [nfsv4]
#8 [ffff8001116efa80] nfs42_proc_copy at ffff800005514cf0 [nfsv4]
#9 [ffff8001116efc50] __nfs4_copy_file_range.constprop.0 at ffff8000054ed694 [nfsv4]
The NULL-pointer dereference was due to nfs42_complete_copies() listed
the nfs_server->ss_copies by the field ss_copies of nfs4_copy_state.
So the nfs4_copy_state address ffff0100f98fa3f0 was offset by 0x10 and
the data accessed through this pointer was also incorrect. Generally,
the ordered list nfs4_state_owner->so_states indicate open(O_RDWR) or
open(O_WRITE) states are reclaimed firstly by nfs4_reclaim_open_state().
When destination state reclaim is failed with NFS_STATE_RECOVERY_FAILED
and copies are not deleted in nfs_server->ss_copies, the source state
may be passed to the nfs42_complete_copies() process earlier, resulting
in this crash scene finally. To solve this issue, we add a list_head
nfs_server->ss_src_copies for a server-to-server copy specially.
Fixes: 0e65a32c8a
2024-10-17 15:08:33 +02:00
Dan Carpenter
64f1b4922b
SUNRPC: Fix integer overflow in decode_rc_list()
...
[ Upstream commit 6dbf1f341b6b35bcc20ff95b6b315e509f6c5369 ]
The math in "rc_list->rcl_nrefcalls * 2 * sizeof(uint32_t)" could have an
integer overflow. Add bounds checking on rc_list->rcl_nrefcalls to fix
that.
Fixes: 4aece6a19c
2024-10-17 15:08:33 +02:00
Chuck Lever
993ce09fe6
NFSD: Mark filecache "down" if init fails
...
[ Upstream commit dc0d0f885aa422f621bc1c2124133eff566b0bc8 ]
NeilBrown says:
> The handling of NFSD_FILE_CACHE_UP is strange. nfsd_file_cache_init()
> sets it, but doesn't clear it on failure. So if nfsd_file_cache_init()
> fails for some reason, nfsd_file_cache_shutdown() would still try to
> clean up if it was called.
Reported-by: NeilBrown <neilb@suse.de>
Fixes: c7b824c3d06c ("NFSD: Replace the "init once" mechanism")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-10-17 15:08:33 +02:00
Wojciech Gładysz
c2097d5efb
ext4: nested locking for xattr inode
...
[ Upstream commit d1bc560e9a9c78d0b2314692847fc8661e0aeb99 ]
Add nested locking with I_MUTEX_XATTR subclass to avoid lockdep warning
while handling xattr inode on file open syscall at ext4_xattr_inode_iget.
Backtrace
EXT4-fs (loop0): Ignoring removed oldalloc option
======================================================
WARNING: possible circular locking dependency detected
5.10.0-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor543/2794 is trying to acquire lock:
ffff8880215e1a48 (&ea_inode->i_rwsem#7/1){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:782 [inline]
ffff8880215e1a48 (&ea_inode->i_rwsem#7/1){+.+.}-{3:3}, at: ext4_xattr_inode_iget+0x42a/0x5c0 fs/ext4/xattr.c:425
but task is already holding lock:
ffff8880215e3278 (&ei->i_data_sem/3){++++}-{3:3}, at: ext4_setattr+0x136d/0x19c0 fs/ext4/inode.c:5559
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&ei->i_data_sem/3){++++}-{3:3}:
lock_acquire+0x197/0x480 kernel/locking/lockdep.c:5566
down_write+0x93/0x180 kernel/locking/rwsem.c:1564
ext4_update_i_disksize fs/ext4/ext4.h:3267 [inline]
ext4_xattr_inode_write fs/ext4/xattr.c:1390 [inline]
ext4_xattr_inode_lookup_create fs/ext4/xattr.c:1538 [inline]
ext4_xattr_set_entry+0x331a/0x3d80 fs/ext4/xattr.c:1662
ext4_xattr_ibody_set+0x124/0x390 fs/ext4/xattr.c:2228
ext4_xattr_set_handle+0xc27/0x14e0 fs/ext4/xattr.c:2385
ext4_xattr_set+0x219/0x390 fs/ext4/xattr.c:2498
ext4_xattr_user_set+0xc9/0xf0 fs/ext4/xattr_user.c:40
__vfs_setxattr+0x404/0x450 fs/xattr.c:177
__vfs_setxattr_noperm+0x11d/0x4f0 fs/xattr.c:208
__vfs_setxattr_locked+0x1f9/0x210 fs/xattr.c:266
vfs_setxattr+0x112/0x2c0 fs/xattr.c:283
setxattr+0x1db/0x3e0 fs/xattr.c:548
path_setxattr+0x15a/0x240 fs/xattr.c:567
__do_sys_setxattr fs/xattr.c:582 [inline]
__se_sys_setxattr fs/xattr.c:578 [inline]
__x64_sys_setxattr+0xc5/0xe0 fs/xattr.c:578
do_syscall_64+0x6d/0xa0 arch/x86/entry/common.c:62
entry_SYSCALL_64_after_hwframe+0x61/0xcb
-> #0 (&ea_inode->i_rwsem#7/1){+.+.}-{3:3}:
check_prev_add kernel/locking/lockdep.c:2988 [inline]
check_prevs_add kernel/locking/lockdep.c:3113 [inline]
validate_chain+0x1695/0x58f0 kernel/locking/lockdep.c:3729
__lock_acquire+0x12fd/0x20d0 kernel/locking/lockdep.c:4955
lock_acquire+0x197/0x480 kernel/locking/lockdep.c:5566
down_write+0x93/0x180 kernel/locking/rwsem.c:1564
inode_lock include/linux/fs.h:782 [inline]
ext4_xattr_inode_iget+0x42a/0x5c0 fs/ext4/xattr.c:425
ext4_xattr_inode_get+0x138/0x410 fs/ext4/xattr.c:485
ext4_xattr_move_to_block fs/ext4/xattr.c:2580 [inline]
ext4_xattr_make_inode_space fs/ext4/xattr.c:2682 [inline]
ext4_expand_extra_isize_ea+0xe70/0x1bb0 fs/ext4/xattr.c:2774
__ext4_expand_extra_isize+0x304/0x3f0 fs/ext4/inode.c:5898
ext4_try_to_expand_extra_isize fs/ext4/inode.c:5941 [inline]
__ext4_mark_inode_dirty+0x591/0x810 fs/ext4/inode.c:6018
ext4_setattr+0x1400/0x19c0 fs/ext4/inode.c:5562
notify_change+0xbb6/0xe60 fs/attr.c:435
do_truncate+0x1de/0x2c0 fs/open.c:64
handle_truncate fs/namei.c:2970 [inline]
do_open fs/namei.c:3311 [inline]
path_openat+0x29f3/0x3290 fs/namei.c:3425
do_filp_open+0x20b/0x450 fs/namei.c:3452
do_sys_openat2+0x124/0x460 fs/open.c:1207
do_sys_open fs/open.c:1223 [inline]
__do_sys_open fs/open.c:1231 [inline]
__se_sys_open fs/open.c:1227 [inline]
__x64_sys_open+0x221/0x270 fs/open.c:1227
do_syscall_64+0x6d/0xa0 arch/x86/entry/common.c:62
entry_SYSCALL_64_after_hwframe+0x61/0xcb
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&ei->i_data_sem/3);
lock(&ea_inode->i_rwsem#7/1);
lock(&ei->i_data_sem/3);
lock(&ea_inode->i_rwsem#7/1);
*** DEADLOCK ***
5 locks held by syz-executor543/2794:
#0 : ffff888026fbc448 (sb_writers#4){.+.+}-{0:0}, at: mnt_want_write+0x4a/0x2a0 fs/namespace.c:365
#1 : ffff8880215e3488 (&sb->s_type->i_mutex_key#7){++++}-{3:3}, at: inode_lock include/linux/fs.h:782 [inline]
#1 : ffff8880215e3488 (&sb->s_type->i_mutex_key#7){++++}-{3:3}, at: do_truncate+0x1cf/0x2c0 fs/open.c:62
#2 : ffff8880215e3310 (&ei->i_mmap_sem){++++}-{3:3}, at: ext4_setattr+0xec4/0x19c0 fs/ext4/inode.c:5519
#3 : ffff8880215e3278 (&ei->i_data_sem/3){++++}-{3:3}, at: ext4_setattr+0x136d/0x19c0 fs/ext4/inode.c:5559
#4 : ffff8880215e30c8 (&ei->xattr_sem){++++}-{3:3}, at: ext4_write_trylock_xattr fs/ext4/xattr.h:162 [inline]
#4 : ffff8880215e30c8 (&ei->xattr_sem){++++}-{3:3}, at: ext4_try_to_expand_extra_isize fs/ext4/inode.c:5938 [inline]
#4 : ffff8880215e30c8 (&ei->xattr_sem){++++}-{3:3}, at: __ext4_mark_inode_dirty+0x4fb/0x810 fs/ext4/inode.c:6018
stack backtrace:
CPU: 1 PID: 2794 Comm: syz-executor543 Not tainted 5.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x177/0x211 lib/dump_stack.c:118
print_circular_bug+0x146/0x1b0 kernel/locking/lockdep.c:2002
check_noncircular+0x2cc/0x390 kernel/locking/lockdep.c:2123
check_prev_add kernel/locking/lockdep.c:2988 [inline]
check_prevs_add kernel/locking/lockdep.c:3113 [inline]
validate_chain+0x1695/0x58f0 kernel/locking/lockdep.c:3729
__lock_acquire+0x12fd/0x20d0 kernel/locking/lockdep.c:4955
lock_acquire+0x197/0x480 kernel/locking/lockdep.c:5566
down_write+0x93/0x180 kernel/locking/rwsem.c:1564
inode_lock include/linux/fs.h:782 [inline]
ext4_xattr_inode_iget+0x42a/0x5c0 fs/ext4/xattr.c:425
ext4_xattr_inode_get+0x138/0x410 fs/ext4/xattr.c:485
ext4_xattr_move_to_block fs/ext4/xattr.c:2580 [inline]
ext4_xattr_make_inode_space fs/ext4/xattr.c:2682 [inline]
ext4_expand_extra_isize_ea+0xe70/0x1bb0 fs/ext4/xattr.c:2774
__ext4_expand_extra_isize+0x304/0x3f0 fs/ext4/inode.c:5898
ext4_try_to_expand_extra_isize fs/ext4/inode.c:5941 [inline]
__ext4_mark_inode_dirty+0x591/0x810 fs/ext4/inode.c:6018
ext4_setattr+0x1400/0x19c0 fs/ext4/inode.c:5562
notify_change+0xbb6/0xe60 fs/attr.c:435
do_truncate+0x1de/0x2c0 fs/open.c:64
handle_truncate fs/namei.c:2970 [inline]
do_open fs/namei.c:3311 [inline]
path_openat+0x29f3/0x3290 fs/namei.c:3425
do_filp_open+0x20b/0x450 fs/namei.c:3452
do_sys_openat2+0x124/0x460 fs/open.c:1207
do_sys_open fs/open.c:1223 [inline]
__do_sys_open fs/open.c:1231 [inline]
__se_sys_open fs/open.c:1227 [inline]
__x64_sys_open+0x221/0x270 fs/open.c:1227
do_syscall_64+0x6d/0xa0 arch/x86/entry/common.c:62
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f0cde4ea229
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd81d1c978 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 0030656c69662f30 RCX: 00007f0cde4ea229
RDX: 0000000000000089 RSI: 00000000000a0a00 RDI: 00000000200001c0
RBP: 2f30656c69662f2e R08: 0000000000208000 R09: 0000000000208000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd81d1c9c0
R13: 00007ffd81d1ca00 R14: 0000000000080000 R15: 0000000000000003
EXT4-fs error (device loop0): ext4_expand_extra_isize_ea:2730: inode #13 : comm syz-executor543: corrupted in-inode xattr
Signed-off-by: Wojciech Gładysz <wojciech.gladysz@infogain.com>
Link: https://patch.msgid.link/20240801143827.19135-1-wojciech.gladysz@infogain.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-10-17 15:08:30 +02:00
Gabriel Krisman Bertazi
39fffca572
unicode: Don't special case ignorable code points
...
commit 5c26d2f1d3f5e4be3e196526bead29ecb139cf91 upstream.
We don't need to handle them separately. Instead, just let them
decompose/casefold to themselves.
Signed-off-by: Gabriel Krisman Bertazi <krisman@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-10-17 15:08:28 +02:00
zhanchengbin
2f6da71e9d
ext4: fix inode tree inconsistency caused by ENOMEM
...
commit 3f5424790d4377839093b68c12b130077a4e4510 upstream.
If ENOMEM fails when the extent is splitting, we need to restore the length
of the split extent.
In the ext4_split_extent_at function, only in ext4_ext_create_new_leaf will
it alloc memory and change the shape of the extent tree,even if an ENOMEM
is returned at this time, the extent tree is still self-consistent, Just
restore the split extent lens in the function ext4_split_extent_at.
ext4_split_extent_at
ext4_ext_insert_extent
ext4_ext_create_new_leaf
1)ext4_ext_split
ext4_find_extent
2)ext4_ext_grow_indepth
ext4_find_extent
Signed-off-by: zhanchengbin <zhanchengbin1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20230103022812.130603-1-zhanchengbin1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: Baokun Li <libaokun1@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-10-17 15:08:28 +02:00
Zhihao Cheng
f8a7c34232
ext4: dax: fix overflowing extents beyond inode size when partially writing
...
[ Upstream commit dda898d7ffe85931f9cca6d702a51f33717c501e ]
The dax_iomap_rw() does two things in each iteration: map written blocks
and copy user data to blocks. If the process is killed by user(See signal
handling in dax_iomap_iter()), the copied data will be returned and added
on inode size, which means that the length of written extents may exceed
the inode size, then fsck will fail. An example is given as:
dd if=/dev/urandom of=file bs=4M count=1
dax_iomap_rw
iomap_iter // round 1
ext4_iomap_begin
ext4_iomap_alloc // allocate 0~2M extents(written flag)
dax_iomap_iter // copy 2M data
iomap_iter // round 2
iomap_iter_advance
iter->pos += iter->processed // iter->pos = 2M
ext4_iomap_begin
ext4_iomap_alloc // allocate 2~4M extents(written flag)
dax_iomap_iter
fatal_signal_pending
done = iter->pos - iocb->ki_pos // done = 2M
ext4_handle_inode_extension
ext4_update_inode_size // inode size = 2M
fsck reports: Inode 13, i_size is 2097152, should be 4194304. Fix?
Fix the problem by truncating extents if the written length is smaller
than expected.
Fixes: 776722e85dstable@vger.kernel.org
Link: https://bugzilla.kernel.org/show_bug.cgi?id=219136
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
Link: https://patch.msgid.link/20240809121532.2105494-1-chengzhihao@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-10-17 15:08:26 +02:00
Jan Kara
dde4c1e166
ext4: properly sync file size update after O_SYNC direct IO
...
[ Upstream commit 91562895f8030cb9a0470b1db49de79346a69f91 ]
Gao Xiang has reported that on ext4 O_SYNC direct IO does not properly
sync file size update and thus if we crash at unfortunate moment, the
file can have smaller size although O_SYNC IO has reported successful
completion. The problem happens because update of on-disk inode size is
handled in ext4_dio_write_iter() *after* iomap_dio_rw() (and thus
dio_complete() in particular) has returned and generic_file_sync() gets
called by dio_complete(). Fix the problem by handling on-disk inode size
update directly in our ->end_io completion handler.
References: https://lore.kernel.org/all/02d18236-26ef-09b0-90ad-030c4fe3ee20@linux.alibaba.com
Reported-by: Gao Xiang <hsiangkao@linux.alibaba.com>
CC: stable@vger.kernel.org
Fixes: 378f32bab3https://lore.kernel.org/r/20231013121350.26872-1-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: dda898d7ffe8 ("ext4: dax: fix overflowing extents beyond inode size when partially writing")
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-10-17 15:08:26 +02:00
Filipe Manana
70b60c8d9b
btrfs: wait for fixup workers before stopping cleaner kthread during umount
...
commit 41fd1e94066a815a7ab0a7025359e9b40e4b3576 upstream.
During unmount, at close_ctree(), we have the following steps in this order:
1) Park the cleaner kthread - this doesn't destroy the kthread, it basically
halts its execution (wake ups against it work but do nothing);
2) We stop the cleaner kthread - this results in freeing the respective
struct task_struct;
3) We call btrfs_stop_all_workers() which waits for any jobs running in all
the work queues and then free the work queues.
Syzbot reported a case where a fixup worker resulted in a crash when doing
a delayed iput on its inode while attempting to wake up the cleaner at
btrfs_add_delayed_iput(), because the task_struct of the cleaner kthread
was already freed. This can happen during unmount because we don't wait
for any fixup workers still running before we call kthread_stop() against
the cleaner kthread, which stops and free all its resources.
Fix this by waiting for any fixup workers at close_ctree() before we call
kthread_stop() against the cleaner and run pending delayed iputs.
The stack traces reported by syzbot were the following:
BUG: KASAN: slab-use-after-free in __lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065
Read of size 8 at addr ffff8880272a8a18 by task kworker/u8:3/52
CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.12.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: btrfs-fixup btrfs_work_helper
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
__lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline]
try_to_wake_up+0xb0/0x1480 kernel/sched/core.c:4154
btrfs_writepage_fixup_worker+0xc16/0xdf0 fs/btrfs/inode.c:2842
btrfs_work_helper+0x390/0xc50 fs/btrfs/async-thread.c:314
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Allocated by task 2:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:319 [inline]
__kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4086 [inline]
slab_alloc_node mm/slub.c:4135 [inline]
kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4187
alloc_task_struct_node kernel/fork.c:180 [inline]
dup_task_struct+0x57/0x8c0 kernel/fork.c:1107
copy_process+0x5d1/0x3d50 kernel/fork.c:2206
kernel_clone+0x223/0x880 kernel/fork.c:2787
kernel_thread+0x1bc/0x240 kernel/fork.c:2849
create_kthread kernel/kthread.c:412 [inline]
kthreadd+0x60d/0x810 kernel/kthread.c:765
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Freed by task 61:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2343 [inline]
slab_free mm/slub.c:4580 [inline]
kmem_cache_free+0x1a2/0x420 mm/slub.c:4682
put_task_struct include/linux/sched/task.h:144 [inline]
delayed_put_task_struct+0x125/0x300 kernel/exit.c:228
rcu_do_batch kernel/rcu/tree.c:2567 [inline]
rcu_core+0xaaa/0x17a0 kernel/rcu/tree.c:2823
handle_softirqs+0x2c5/0x980 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1037 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1037
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
Last potentially related work creation:
kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47
__kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:541
__call_rcu_common kernel/rcu/tree.c:3086 [inline]
call_rcu+0x167/0xa70 kernel/rcu/tree.c:3190
context_switch kernel/sched/core.c:5318 [inline]
__schedule+0x184b/0x4ae0 kernel/sched/core.c:6675
schedule_idle+0x56/0x90 kernel/sched/core.c:6793
do_idle+0x56a/0x5d0 kernel/sched/idle.c:354
cpu_startup_entry+0x42/0x60 kernel/sched/idle.c:424
start_secondary+0x102/0x110 arch/x86/kernel/smpboot.c:314
common_startup_64+0x13e/0x147
The buggy address belongs to the object at ffff8880272a8000
which belongs to the cache task_struct of size 7424
The buggy address is located 2584 bytes inside of
freed 7424-byte region [ffff8880272a8000, ffff8880272a9d00)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x272a8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801bafa500 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080040004 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff88801bafa500 dead000000000122 0000000000000000
head: 0000000000000000 0000000080040004 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea00009caa01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2, tgid 2 (kthreadd), ts 71247381401, free_ts 71214998153
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3039/0x3180 mm/page_alloc.c:3457
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x120 mm/slub.c:2413
allocate_slab+0x5a/0x2f0 mm/slub.c:2579
new_slab mm/slub.c:2632 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3819
__slab_alloc+0x58/0xa0 mm/slub.c:3909
__slab_alloc_node mm/slub.c:3962 [inline]
slab_alloc_node mm/slub.c:4123 [inline]
kmem_cache_alloc_node_noprof+0x1fe/0x320 mm/slub.c:4187
alloc_task_struct_node kernel/fork.c:180 [inline]
dup_task_struct+0x57/0x8c0 kernel/fork.c:1107
copy_process+0x5d1/0x3d50 kernel/fork.c:2206
kernel_clone+0x223/0x880 kernel/fork.c:2787
kernel_thread+0x1bc/0x240 kernel/fork.c:2849
create_kthread kernel/kthread.c:412 [inline]
kthreadd+0x60d/0x810 kernel/kthread.c:765
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
page last free pid 5230 tgid 5230 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0xcd0/0xf00 mm/page_alloc.c:2638
discard_slab mm/slub.c:2678 [inline]
__put_partials+0xeb/0x130 mm/slub.c:3146
put_cpu_partial+0x17c/0x250 mm/slub.c:3221
__slab_free+0x2ea/0x3d0 mm/slub.c:4450
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4086 [inline]
slab_alloc_node mm/slub.c:4135 [inline]
kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4142
getname_flags+0xb7/0x540 fs/namei.c:139
do_sys_openat2+0xd2/0x1d0 fs/open.c:1409
do_sys_open fs/open.c:1430 [inline]
__do_sys_openat fs/open.c:1446 [inline]
__se_sys_openat fs/open.c:1441 [inline]
__x64_sys_openat+0x247/0x2a0 fs/open.c:1441
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff8880272a8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880272a8980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880272a8a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880272a8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880272a8b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Reported-by: syzbot+8aaf2df2ef0164ffe1fb@syzkaller.appspotmail.com
Link: https://lore.kernel.org/linux-btrfs/66fb36b1.050a0220.aab67.003b.GAE@google.com/
CC: stable@vger.kernel.org # 4.19+
Reviewed-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-10-17 15:08:25 +02:00
Qu Wenruo
d73d48acf3
btrfs: fix a NULL pointer dereference when failed to start a new trasacntion
...
commit c3b47f49e83197e8dffd023ec568403bcdbb774b upstream.
[BUG]
Syzbot reported a NULL pointer dereference with the following crash:
FAULT_INJECTION: forcing a failure.
start_transaction+0x830/0x1670 fs/btrfs/transaction.c:676
prepare_to_relocate+0x31f/0x4c0 fs/btrfs/relocation.c:3642
relocate_block_group+0x169/0xd20 fs/btrfs/relocation.c:3678
...
BTRFS info (device loop0): balance: ended with status: -12
Oops: general protection fault, probably for non-canonical address 0xdffffc00000000cc: 0000 [#1 ] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000660-0x0000000000000667]
RIP: 0010:btrfs_update_reloc_root+0x362/0xa80 fs/btrfs/relocation.c:926
Call Trace:
<TASK>
commit_fs_roots+0x2ee/0x720 fs/btrfs/transaction.c:1496
btrfs_commit_transaction+0xfaf/0x3740 fs/btrfs/transaction.c:2430
del_balance_item fs/btrfs/volumes.c:3678 [inline]
reset_balance_state+0x25e/0x3c0 fs/btrfs/volumes.c:3742
btrfs_balance+0xead/0x10c0 fs/btrfs/volumes.c:4574
btrfs_ioctl_balance+0x493/0x7c0 fs/btrfs/ioctl.c:3673
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
[CAUSE]
The allocation failure happens at the start_transaction() inside
prepare_to_relocate(), and during the error handling we call
unset_reloc_control(), which makes fs_info->balance_ctl to be NULL.
Then we continue the error path cleanup in btrfs_balance() by calling
reset_balance_state() which will call del_balance_item() to fully delete
the balance item in the root tree.
However during the small window between set_reloc_contrl() and
unset_reloc_control(), we can have a subvolume tree update and created a
reloc_root for that subvolume.
Then we go into the final btrfs_commit_transaction() of
del_balance_item(), and into btrfs_update_reloc_root() inside
commit_fs_roots().
That function checks if fs_info->reloc_ctl is in the merge_reloc_tree
stage, but since fs_info->reloc_ctl is NULL, it results a NULL pointer
dereference.
[FIX]
Just add extra check on fs_info->reloc_ctl inside
btrfs_update_reloc_root(), before checking
fs_info->reloc_ctl->merge_reloc_tree.
That DEAD_RELOC_TREE handling is to prevent further modification to the
reloc tree during merge stage, but since there is no reloc_ctl at all,
we do not need to bother that.
Reported-by: syzbot+283673dbc38527ef9f3d@syzkaller.appspotmail.com
Link: https://lore.kernel.org/linux-btrfs/66f6bfa7.050a0220.38ace9.0019.GAE@google.com/
CC: stable@vger.kernel.org # 4.19+
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-10-17 15:08:25 +02:00
Chuck Lever
7ae7ada29a
NFSD: Fix NFSv4's PUTPUBFH operation
...
commit 202f39039a11402dcbcd5fece8d9fa6be83f49ae upstream.
According to RFC 8881, all minor versions of NFSv4 support PUTPUBFH.
Replace the XDR decoder for PUTPUBFH with a "noop" since we no
longer want the minorversion check, and PUTPUBFH has no arguments to
decode. (Ideally nfsd4_decode_noop should really be called
nfsd4_decode_void).
PUTPUBFH should now behave just like PUTROOTFH.
Reported-by: Cedric Blancher <cedric.blancher@gmail.com>
Fixes: e1a90ebd8bstable@vger.kernel.org
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-10-17 15:08:23 +02:00
Li Lingfeng
0ea4333c67
nfsd: map the EBADMSG to nfserr_io to avoid warning
...
commit 340e61e44c1d2a15c42ec72ade9195ad525fd048 upstream.
Ext4 will throw -EBADMSG through ext4_readdir when a checksum error
occurs, resulting in the following WARNING.
Fix it by mapping EBADMSG to nfserr_io.
nfsd_buffered_readdir
iterate_dir // -EBADMSG -74
ext4_readdir // .iterate_shared
ext4_dx_readdir
ext4_htree_fill_tree
htree_dirblock_to_tree
ext4_read_dirblock
__ext4_read_dirblock
ext4_dirblock_csum_verify
warn_no_space_for_csum
__warn_no_space_for_csum
return ERR_PTR(-EFSBADCRC) // -EBADMSG -74
nfserrno // WARNING
[ 161.115610] ------------[ cut here ]------------
[ 161.116465] nfsd: non-standard errno: -74
[ 161.117315] WARNING: CPU: 1 PID: 780 at fs/nfsd/nfsproc.c:878 nfserrno+0x9d/0xd0
[ 161.118596] Modules linked in:
[ 161.119243] CPU: 1 PID: 780 Comm: nfsd Not tainted 5.10.0-00014-g79679361fd5d #138
[ 161.120684] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qe
mu.org 04/01/2014
[ 161.123601] RIP: 0010:nfserrno+0x9d/0xd0
[ 161.124676] Code: 0f 87 da 30 dd 00 83 e3 01 b8 00 00 00 05 75 d7 44 89 ee 48 c7 c7 c0 57 24 98 89 44 24 04 c6
05 ce 2b 61 03 01 e8 99 20 d8 00 <0f> 0b 8b 44 24 04 eb b5 4c 89 e6 48 c7 c7 a0 6d a4 99 e8 cc 15 33
[ 161.127797] RSP: 0018:ffffc90000e2f9c0 EFLAGS: 00010286
[ 161.128794] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 161.130089] RDX: 1ffff1103ee16f6d RSI: 0000000000000008 RDI: fffff520001c5f2a
[ 161.131379] RBP: 0000000000000022 R08: 0000000000000001 R09: ffff8881f70c1827
[ 161.132664] R10: ffffed103ee18304 R11: 0000000000000001 R12: 0000000000000021
[ 161.133949] R13: 00000000ffffffb6 R14: ffff8881317c0000 R15: ffffc90000e2fbd8
[ 161.135244] FS: 0000000000000000(0000) GS:ffff8881f7080000(0000) knlGS:0000000000000000
[ 161.136695] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 161.137761] CR2: 00007fcaad70b348 CR3: 0000000144256006 CR4: 0000000000770ee0
[ 161.139041] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 161.140291] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 161.141519] PKRU: 55555554
[ 161.142076] Call Trace:
[ 161.142575] ? __warn+0x9b/0x140
[ 161.143229] ? nfserrno+0x9d/0xd0
[ 161.143872] ? report_bug+0x125/0x150
[ 161.144595] ? handle_bug+0x41/0x90
[ 161.145284] ? exc_invalid_op+0x14/0x70
[ 161.146009] ? asm_exc_invalid_op+0x12/0x20
[ 161.146816] ? nfserrno+0x9d/0xd0
[ 161.147487] nfsd_buffered_readdir+0x28b/0x2b0
[ 161.148333] ? nfsd4_encode_dirent_fattr+0x380/0x380
[ 161.149258] ? nfsd_buffered_filldir+0xf0/0xf0
[ 161.150093] ? wait_for_concurrent_writes+0x170/0x170
[ 161.151004] ? generic_file_llseek_size+0x48/0x160
[ 161.151895] nfsd_readdir+0x132/0x190
[ 161.152606] ? nfsd4_encode_dirent_fattr+0x380/0x380
[ 161.153516] ? nfsd_unlink+0x380/0x380
[ 161.154256] ? override_creds+0x45/0x60
[ 161.155006] nfsd4_encode_readdir+0x21a/0x3d0
[ 161.155850] ? nfsd4_encode_readlink+0x210/0x210
[ 161.156731] ? write_bytes_to_xdr_buf+0x97/0xe0
[ 161.157598] ? __write_bytes_to_xdr_buf+0xd0/0xd0
[ 161.158494] ? lock_downgrade+0x90/0x90
[ 161.159232] ? nfs4svc_decode_voidarg+0x10/0x10
[ 161.160092] nfsd4_encode_operation+0x15a/0x440
[ 161.160959] nfsd4_proc_compound+0x718/0xe90
[ 161.161818] nfsd_dispatch+0x18e/0x2c0
[ 161.162586] svc_process_common+0x786/0xc50
[ 161.163403] ? nfsd_svc+0x380/0x380
[ 161.164137] ? svc_printk+0x160/0x160
[ 161.164846] ? svc_xprt_do_enqueue.part.0+0x365/0x380
[ 161.165808] ? nfsd_svc+0x380/0x380
[ 161.166523] ? rcu_is_watching+0x23/0x40
[ 161.167309] svc_process+0x1a5/0x200
[ 161.168019] nfsd+0x1f5/0x380
[ 161.168663] ? nfsd_shutdown_threads+0x260/0x260
[ 161.169554] kthread+0x1c4/0x210
[ 161.170224] ? kthread_insert_work_sanity_check+0x80/0x80
[ 161.171246] ret_from_fork+0x1f/0x30
Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-10-17 15:08:23 +02:00
NeilBrown
96cad5da79
nfsd: fix delegation_blocked() to block correctly for at least 30 seconds
...
commit 45bb63ed20e02ae146336412889fe5450316a84f upstream.
The pair of bloom filtered used by delegation_blocked() was intended to
block delegations on given filehandles for between 30 and 60 seconds. A
new filehandle would be recorded in the "new" bit set. That would then
be switch to the "old" bit set between 0 and 30 seconds later, and it
would remain as the "old" bit set for 30 seconds.
Unfortunately the code intended to clear the old bit set once it reached
30 seconds old, preparing it to be the next new bit set, instead cleared
the *new* bit set before switching it to be the old bit set. This means
that the "old" bit set is always empty and delegations are blocked
between 0 and 30 seconds.
This patch updates bd->new before clearing the set with that index,
instead of afterwards.
Reported-by: Olga Kornievskaia <okorniev@redhat.com>
Cc: stable@vger.kernel.org
Fixes: 6282cd5655
2024-10-17 15:08:22 +02:00
Yuezhang Mo
f692160d3e
exfat: fix memory leak in exfat_load_bitmap()
...
commit d2b537b3e533f28e0d97293fe9293161fe8cd137 upstream.
If the first directory entry in the root directory is not a bitmap
directory entry, 'bh' will not be released and reassigned, which
will cause a memory leak.
Fixes: 1e49a94cf7stable@vger.kernel.org
Signed-off-by: Yuezhang Mo <Yuezhang.Mo@sony.com>
Reviewed-by: Aoyama Wataru <wataru.aoyama@sony.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-10-17 15:08:22 +02:00
Lizhi Xu
61b84013e5
ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate
...
commit 33b525cef4cff49e216e4133cc48452e11c0391e upstream.
When doing cleanup, if flags without OCFS2_BH_READAHEAD, it may trigger
NULL pointer dereference in the following ocfs2_set_buffer_uptodate() if
bh is NULL.
Link: https://lkml.kernel.org/r/20240902023636.1843422-3-joseph.qi@linux.alibaba.com
Fixes: cf76c78595
2024-10-17 15:08:22 +02:00
Julian Sun
bf605ae98d
ocfs2: fix null-ptr-deref when journal load failed.
...
commit 5784d9fcfd43bd853654bb80c87ef293b9e8e80a upstream.
During the mounting process, if journal_reset() fails because of too short
journal, then lead to jbd2_journal_load() fails with NULL j_sb_buffer.
Subsequently, ocfs2_journal_shutdown() calls
jbd2_journal_flush()->jbd2_cleanup_journal_tail()->
__jbd2_update_log_tail()->jbd2_journal_update_sb_log_tail()
->lock_buffer(journal->j_sb_buffer), resulting in a null-pointer
dereference error.
To resolve this issue, we should check the JBD2_LOADED flag to ensure the
journal was properly loaded. Additionally, use journal instead of
osb->journal directly to simplify the code.
Link: https://syzkaller.appspot.com/bug?extid=05b9b39d8bdfe1a0861f
Link: https://lkml.kernel.org/r/20240902030844.422725-1-sunjunchao2870@gmail.com
Fixes: f6f50e28f0syzbot+05b9b39d8bdfe1a0861f@syzkaller.appspotmail.com
Suggested-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Gang He <ghe@suse.com>
Cc: Jun Piao <piaojun@huawei.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-10-17 15:08:22 +02:00
Lizhi Xu
3f1ca6ba54
ocfs2: remove unreasonable unlock in ocfs2_read_blocks
...
commit c03a82b4a0c935774afa01fd6d128b444fd930a1 upstream.
Patch series "Misc fixes for ocfs2_read_blocks", v5.
This series contains 2 fixes for ocfs2_read_blocks(). The first patch fix
the issue reported by syzbot, which detects bad unlock balance in
ocfs2_read_blocks(). The second patch fixes an issue reported by Heming
Zhao when reviewing above fix.
This patch (of 2):
There was a lock release before exiting, so remove the unreasonable unlock.
Link: https://lkml.kernel.org/r/20240902023636.1843422-1-joseph.qi@linux.alibaba.com
Link: https://lkml.kernel.org/r/20240902023636.1843422-2-joseph.qi@linux.alibaba.com
Fixes: cf76c78595syzbot+ab134185af9ef88dfed5@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ab134185af9ef88dfed5
Tested-by: syzbot+ab134185af9ef88dfed5@syzkaller.appspotmail.com
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Gang He <ghe@suse.com>
Cc: Jun Piao <piaojun@huawei.com>
Cc: <stable@vger.kernel.org> [4.20+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-10-17 15:08:22 +02:00
Michael Bestas
Rui Chen
Greg Kroah-Hartman
Daeho Jeong
Chao Yu
Dave Kleikamp
Christoph Hellwig
Mateusz Guzik
Paulo Alcantara
Ryusuke Konishi
OGAWA Hirofumi
Jan Kara
Yanjun Zhang
Dan Carpenter
Chuck Lever
Wojciech Gładysz
Gabriel Krisman Bertazi
zhanchengbin
Zhihao Cheng
Filipe Manana
Qu Wenruo
Li Lingfeng
NeilBrown
Yuezhang Mo
Lizhi Xu
Julian Sun