lineage-22.0
72895 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Olaf Hering
|
60da25076f |
mount: handle OOM on mnt_warn_timestamp_expiry
[ Upstream commit 4bcda1eaf184e308f07f9c61d3a535f9ce477ce8 ]
If no page could be allocated, an error pointer was used as format
string in pr_warn.
Rearrange the code to return early in case of OOM. Also add a check
for the return value of d_path.
Fixes:
|
||
Andy Shevchenko
|
f0a39ba6e0 |
fs/namespace: fnic: Switch to use %ptTd
[ Upstream commit 74e60b8b2f0fe3702710e648a31725ee8224dbdf ]
Use %ptTd instead of open-coded variant to print contents
of time64_t type in human readable form.
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Stable-dep-of: 4bcda1eaf184 ("mount: handle OOM on mnt_warn_timestamp_expiry")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Anthony Iliopoulos
|
396e9c5cbf |
mount: warn only once about timestamp range expiration
[ Upstream commit a128b054ce029554a4a52fc3abb8c1df8bafcaef ]
Commit
|
||
Christoph Hellwig
|
9722aa53fa |
fs: explicitly unregister per-superblock BDIs
[ Upstream commit 0b3ea0926afb8dde70cfab00316ae0a70b93a7cc ] Add a new SB_I_ flag to mark superblocks that have an ephemeral bdi associated with them, and unregister it when the superblock is shut down. Link: https://lkml.kernel.org/r/20211021124441.668816-4-hch@lst.de Signed-off-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Jan Kara <jack@suse.cz> Cc: Miquel Raynal <miquel.raynal@bootlin.com> Cc: Richard Weinberger <richard@nod.at> Cc: Vignesh Raghavendra <vigneshr@ti.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Stable-dep-of: 4bcda1eaf184 ("mount: handle OOM on mnt_warn_timestamp_expiry") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Ferry Meng
|
57a3d89831 |
ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry()
[ Upstream commit af77c4fc1871847b528d58b7fdafb4aa1f6a9262 ] xattr in ocfs2 maybe 'non-indexed', which saved with additional space requested. It's better to check if the memory is out of bound before memcmp, although this possibility mainly comes from crafted poisonous images. Link: https://lkml.kernel.org/r/20240520024024.1976129-2-joseph.qi@linux.alibaba.com Signed-off-by: Ferry Meng <mengferry@linux.alibaba.com> Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com> Reported-by: lei lu <llfamsec@gmail.com> Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com> Cc: Changwei Ge <gechangwei@live.cn> Cc: Gang He <ghe@suse.com> Cc: Joel Becker <jlbec@evilplan.org> Cc: Jun Piao <piaojun@huawei.com> Cc: Junxiao Bi <junxiao.bi@oracle.com> Cc: Mark Fasheh <mark@fasheh.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Ferry Meng
|
34759b7e44 |
ocfs2: add bounds checking to ocfs2_xattr_find_entry()
[ Upstream commit 9e3041fecdc8f78a5900c3aa51d3d756e73264d6 ] Add a paranoia check to make sure it doesn't stray beyond valid memory region containing ocfs2 xattr entries when scanning for a match. It will prevent out-of-bound access in case of crafted images. Link: https://lkml.kernel.org/r/20240520024024.1976129-1-joseph.qi@linux.alibaba.com Signed-off-by: Ferry Meng <mengferry@linux.alibaba.com> Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com> Reported-by: lei lu <llfamsec@gmail.com> Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com> Cc: Mark Fasheh <mark@fasheh.com> Cc: Joel Becker <jlbec@evilplan.org> Cc: Junxiao Bi <junxiao.bi@oracle.com> Cc: Changwei Ge <gechangwei@live.cn> Cc: Gang He <ghe@suse.com> Cc: Jun Piao <piaojun@huawei.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Stable-dep-of: af77c4fc1871 ("ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry()") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Trond Myklebust
|
14341f28a3 |
NFS: Avoid unnecessary rescanning of the per-server delegation list
[ Upstream commit f92214e4c312f6ea9d78650cc6291d200f17abb6 ] If the call to nfs_delegation_grab_inode() fails, we will not have dropped any locks that require us to rescan the list. Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com> Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Jeff Layton
|
f08589057f |
btrfs: update target inode's ctime on unlink
[ Upstream commit 3bc2ac2f8f0b78a13140fc72022771efe0c9b778 ] Unlink changes the link count on the target inode. POSIX mandates that the ctime must also change when this occurs. According to https://pubs.opengroup.org/onlinepubs/9699919799/functions/unlink.html: "Upon successful completion, unlink() shall mark for update the last data modification and last file status change timestamps of the parent directory. Also, if the file's link count is not 0, the last file status change timestamp of the file shall be marked for update." Signed-off-by: Jeff Layton <jlayton@kernel.org> Reviewed-by: David Sterba <dsterba@suse.com> [ add link to the opengroup docs ] Signed-off-by: David Sterba <dsterba@suse.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Gabriel Krisman Bertazi
|
51b9e859a4 |
UPSTREAM: unicode: Don't special case ignorable code points
We don't need to handle them separately. Instead, just let them decompose/casefold to themselves. Change-Id: I01c3f2c98ae4d84269586cec09f18239cbee0abb Signed-off-by: Gabriel Krisman Bertazi <krisman@suse.de> (cherry picked from commit 5c26d2f1d3f5e4be3e196526bead29ecb139cf91) Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Kalesh Singh
|
66aebe42e6 |
ANDROID: 16K: Fixup padding vm_flags bits on VMA splits
In some cases VMAs are split without the mmap write lock held; later the lock is taken to fixup vm_flags of the original VMA. Since some uppper bits of vm_flags are used to encode the ELF padding ranges, they need to be modified on splits. This is usually handled correctly by __split_vma(). However in the above case, the flags get over witten later under the write lock. Preserve vm_flag bits on reset to correctly represent padding. Bug: 357901498 Change-Id: I1cb75419e614791a47cbdb0341373f619daf0bf2 Signed-off-by: Kalesh Singh <kaleshsingh@google.com> |
||
Michael Bestas
|
deec4e9c07
|
Merge tag 'ASB-2024-09-05_12-5.10' of https://android.googlesource.com/kernel/common into android13-5.10-waipio
https://source.android.com/docs/security/bulletin/2024-09-01 CVE-2024-36972 * tag 'ASB-2024-09-05_12-5.10' of https://android.googlesource.com/kernel/common: (1565 commits) ANDROID: delete tool added by mistake ANDROID: GKI: Add initialization for rwsem's oem_data and vendor_data. ANDROID: GKI: Add initialization for mutex oem_data. ANDROID: fix ENOMEM check of binder_proc_ext ANDROID: binder: fix KMI issues due to frozen notification BACKPORT: FROMGIT: binder: frozen notification binder_features flag BACKPORT: FROMGIT: binder: frozen notification UPSTREAM: selftests/binderfs: add test for feature files UPSTREAM: docs: binderfs: add section about feature files UPSTREAM: binderfs: add support for feature files ANDROID: GKI: Add symbol to symbol list for vivo. ANDROID: vendor_hooks: add hooks to modify pageflags ANDROID: GKI: Add pageflags for OEM ANDROID: GKI: Update symbol list for vivo ANDROID: vendor_hooks: add vendor hooks for fuse request UPSTREAM: net: sched: sch_multiq: fix possible OOB write in multiq_tune() ANDROID: Update the GKI symbol list and ABI XML ANDROID: irqchip/irq-gic-v3: Add vendor hook for gic suspend FROMLIST: binder: fix UAF caused by offsets overwrite ANDROID: gki - set CONFIG_USB_NET_AX88179_178A=y (usb gbit ethernet dongle) ... Conflicts: Documentation/devicetree/bindings/i2c/google,cros-ec-i2c-tunnel.yaml Documentation/devicetree/bindings/sound/rt5645.txt Documentation/devicetree/bindings~HEAD drivers/scsi/ufs/ufs-qcom.c net/qrtr/af_qrtr.c net/qrtr/ns.c net/qrtr/qrtr.h Change-Id: I50a93cfc0ff67778b19609e93cb577f63a517baa |
||
Greg Kroah-Hartman
|
bfa0f472d5 |
Revert "udf: Avoid excessive partition lengths"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
7d3ca1ed3f |
This is the 5.10.226 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmbiry8ACgkQONu9yGCS
aT6N3g//bWYo3l5q543ygloK7UBTkuyJFWb0ENBbu0J9qlnYaSeKDvqjmMUPBHKi
ZCAzL5nHmAfPMSbjRnltsl54Z7X69264BNLv62M86VnGVDrD7Y93Sn+Ts9jJoTYR
k97HrSojKsqrC2MZLaLuDnoeReoHpeAn4rwIs8mAaApxv48NfRh65KRkipkkRi0N
S7UXC82a8NyjF9wQaB2+Cdt2S0SD2706074X/0jXBAM3YR+5lF3NFgXylmUULTWi
kmCCauGhvfsR9vGIXBAYfX/thF3FSuffJjrWQ3i3/v75PyfoLZ4CruRGXIKM5UBN
TDEqx1Fx+fDXjgH07DYjFLBxQnv9wTgAtflXJj4qfaULO3NonBZHW3xIBe8foO2b
6858JdPcSA2LJ1wUxTc8BuYzgiwz5aCbGa0cLJCyJKYhJXGToweFyDM1nS2V66MD
TF43J/8zv9OAbj6TIT8WisfCgDMIIeMg/RsoaduGZViEN2Sg46XHN4ciZ7eakJOq
j3JFaAan+WPDlYpBLv1tCz+e6IDexugnbP43+E+eY8Xl6UDKUaXd3NiT728W84ll
0KULycqOteiFy7KN6NJx0oLA3YarQciatRm99zA8pnBBvqy0yJXYxWxmmaSQiGo+
VvNTrz6uc+ISP9TJfuPm8KH7NwQVhrjsndXaW2HWgoQ+fWgSZjU=
=abQi
-----END PGP SIGNATURE-----
Merge 5.10.226 into android12-5.10-lts
Changes in 5.10.226
drm: panel-orientation-quirks: Add quirk for OrangePi Neo
ALSA: hda/generic: Add a helper to mute speakers at suspend/shutdown
ALSA: hda/conexant: Mute speakers at suspend / shutdown
i2c: Fix conditional for substituting empty ACPI functions
dma-debug: avoid deadlock between dma debug vs printk and netconsole
net: usb: qmi_wwan: add MeiG Smart SRM825L
drm/amdgpu: Fix uninitialized variable warning in amdgpu_afmt_acr
drm/amdgpu: fix overflowed array index read warning
drm/amd/pm: fix uninitialized variable warning for smu8_hwmgr
drm/amd/pm: fix warning using uninitialized value of max_vid_step
drm/amd/pm: fix the Out-of-bounds read warning
drm/amdgpu: fix uninitialized scalar variable warning
drm/amd/pm: fix uninitialized variable warnings for vega10_hwmgr
drm/amdgpu: avoid reading vf2pf info size from FB
drm/amd/display: Check gpio_id before used as array index
drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6
drm/amd/display: Add array index check for hdcp ddc access
drm/amd/display: Check num_valid_sets before accessing reader_wm_sets[]
drm/amd/display: Check msg_id before processing transcation
drm/amd/display: Fix Coverity INTEGER_OVERFLOW within dal_gpio_service_create
drm/amdgpu/pm: Fix uninitialized variable agc_btc_response
drm/amdgpu: Fix out-of-bounds write warning
drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number
drm/amdgpu: fix ucode out-of-bounds read warning
drm/amdgpu: fix mc_data out-of-bounds read warning
drm/amdkfd: Reconcile the definition and use of oem_id in struct kfd_topology_device
apparmor: fix possible NULL pointer dereference
drm/amdgpu/pm: Check input value for CUSTOM profile mode setting on legacy SOCs
drm/amdgpu: the warning dereferencing obj for nbio_v7_4
drm/amd/pm: check negtive return for table entries
wifi: iwlwifi: remove fw_running op
PCI: al: Check IORESOURCE_BUS existence during probe
hwspinlock: Introduce hwspin_lock_bust()
ionic: fix potential irq name truncation
usbip: Don't submit special requests twice
usb: typec: ucsi: Fix null pointer dereference in trace
fsnotify: clear PARENT_WATCHED flags lazily
smack: tcp: ipv4, fix incorrect labeling
drm/meson: plane: Add error handling
wifi: cfg80211: make hash table duplicates more survivable
block: remove the blk_flush_integrity call in blk_integrity_unregister
drm/amd/display: Skip wbscl_set_scaler_filter if filter is null
media: uvcvideo: Enforce alignment of frame and interval
block: initialize integrity buffer to zero before writing it to media
drm/amd/pm: Fix the null pointer dereference for vega10_hwmgr
bpf, cgroups: Fix cgroup v2 fallback on v1/v2 mixed mode
net: set SOCK_RCU_FREE before inserting socket into hashtable
virtio_net: Fix napi_skb_cache_put warning
rcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow
udf: Limit file size to 4TB
ext4: handle redirtying in ext4_bio_write_page()
i2c: Use IS_REACHABLE() for substituting empty ACPI functions
bpf, cgroup: Assign cgroup in cgroup_sk_alloc when called from interrupt
sch/netem: fix use after free in netem_dequeue
ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object
ALSA: hda/conexant: Add pincfg quirk to enable top speakers on Sirius devices
ALSA: hda/realtek: add patch for internal mic in Lenovo V145
ALSA: hda/realtek: Support mute LED on HP Laptop 14-dq2xxx
ata: libata: Fix memory leak for error path in ata_host_alloc()
irqchip/gic-v2m: Fix refcount leak in gicv2m_of_init()
Revert "Bluetooth: MGMT/SMP: Fix address type when using SMP over BREDR/LE"
Bluetooth: MGMT: Ignore keys being loaded with invalid type
mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K
mmc: sdhci-of-aspeed: fix module autoloading
fuse: update stats for pages in dropped aux writeback list
fuse: use unsigned type for getxattr/listxattr size truncation
clk: qcom: clk-alpha-pll: Fix the pll post div mask
clk: qcom: clk-alpha-pll: Fix the trion pll postdiv set rate API
can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open
tracing: Avoid possible softlockup in tracing_iter_reset()
ila: call nf_unregister_net_hooks() sooner
sched: sch_cake: fix bulk flow accounting logic for host fairness
nilfs2: fix missing cleanup on rollforward recovery error
nilfs2: fix state management in error path of log writing function
btrfs: fix use-after-free after failure to create a snapshot
mptcp: pr_debug: add missing \n at the end
mptcp: pm: avoid possible UaF when selecting endp
nfsd: move reply cache initialization into nfsd startup
nfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net
NFSD: Refactor nfsd_reply_cache_free_locked()
NFSD: Rename nfsd_reply_cache_alloc()
NFSD: Replace nfsd_prune_bucket()
NFSD: Refactor the duplicate reply cache shrinker
NFSD: simplify error paths in nfsd_svc()
NFSD: Rewrite synopsis of nfsd_percpu_counters_init()
NFSD: Fix frame size warning in svc_export_parse()
sunrpc: don't change ->sv_stats if it doesn't exist
nfsd: stop setting ->pg_stats for unused stats
sunrpc: pass in the sv_stats struct through svc_create_pooled
sunrpc: remove ->pg_stats from svc_program
sunrpc: use the struct net as the svc proc private
nfsd: rename NFSD_NET_* to NFSD_STATS_*
nfsd: expose /proc/net/sunrpc/nfsd in net namespaces
nfsd: make all of the nfsd stats per-network namespace
nfsd: remove nfsd_stats, make th_cnt a global counter
nfsd: make svc_stat per-network namespace instead of global
ALSA: hda: Add input value sanity checks to HDMI channel map controls
smack: unix sockets: fix accept()ed socket label
irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1
af_unix: Remove put_pid()/put_cred() in copy_peercred().
iommu: sun50i: clear bypass register
netfilter: nf_conncount: fix wrong variable type
udf: Avoid excessive partition lengths
media: vivid: fix wrong sizeimage value for mplane
leds: spi-byte: Call of_node_put() on error path
wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3
usb: uas: set host status byte on data completion error
media: vivid: don't set HDMI TX controls if there are no HDMI outputs
PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0)
media: qcom: camss: Add check for v4l2_fwnode_endpoint_parse
pcmcia: Use resource_size function on resource object
can: bcm: Remove proc entry when dev is unregistered.
igb: Fix not clearing TimeSync interrupts for 82580
svcrdma: Catch another Reply chunk overflow case
platform/x86: dell-smbios: Fix error path in dell_smbios_init()
tcp_bpf: fix return value of tcp_bpf_sendmsg()
igc: Unlock on error in igc_io_resume()
drivers/net/usb: Remove all strcpy() uses
net: usb: don't write directly to netdev->dev_addr
usbnet: modern method to get random MAC
bareudp: Fix device stats updates.
fou: remove sparse errors
gro: remove rcu_read_lock/rcu_read_unlock from gro_receive handlers
gro: remove rcu_read_lock/rcu_read_unlock from gro_complete handlers
fou: Fix null-ptr-deref in GRO.
net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN
net: dsa: vsc73xx: fix possible subblocks range of CAPT block
ASoC: topology: Properly initialize soc_enum values
dm init: Handle minors larger than 255
iommu/vt-d: Handle volatile descriptor status read
cgroup: Protect css->cgroup write under css_set_lock
um: line: always fill *error_out in setup_one_line()
devres: Initialize an uninitialized struct member
pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv
hwmon: (adc128d818) Fix underflows seen when writing limit attributes
hwmon: (lm95234) Fix underflows seen when writing limit attributes
hwmon: (nct6775-core) Fix underflows seen when writing limit attributes
hwmon: (w83627ehf) Fix underflows seen when writing limit attributes
libbpf: Add NULL checks to bpf_object__{prev_map,next_map}
wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()
smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu()
btrfs: replace BUG_ON with ASSERT in walk_down_proc()
btrfs: clean up our handling of refs == 0 in snapshot delete
PCI: Add missing bridge lock to pci_bus_lock()
net: dpaa: avoid on-stack arrays of NR_CPUS elements
kselftests: dmabuf-heaps: Ensure the driver name is null-terminated
btrfs: initialize location to fix -Wmaybe-uninitialized in btrfs_lookup_dentry()
s390/vmlinux.lds.S: Move ro_after_init section behind rodata section
HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup
Input: uinput - reject requests with unreasonable number of slots
usbnet: ipheth: race between ipheth_close and error handling
Squashfs: sanity check symbolic link size
of/irq: Prevent device address out-of-bounds read in interrupt map walk
lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()
MIPS: cevt-r4k: Don't call get_c0_compare_int if timer irq is installed
ata: pata_macio: Use WARN instead of BUG
NFSv4: Add missing rescheduling points in nfs_client_return_marked_delegations
staging: iio: frequency: ad9834: Validate frequency parameter value
iio: buffer-dmaengine: fix releasing dma channel on error
iio: fix scale application in iio_convert_raw_to_processed_unlocked
iio: adc: ad7124: fix chip ID mismatch
binder: fix UAF caused by offsets overwrite
nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc
uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind
Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic
VMCI: Fix use-after-free when removing resource in vmci_resource_remove()
clocksource/drivers/imx-tpm: Fix return -ETIME when delta exceeds INT_MAX
clocksource/drivers/imx-tpm: Fix next event not taking effect sometime
clocksource/drivers/timer-of: Remove percpu irq related code
uprobes: Use kzalloc to allocate xol area
perf/aux: Fix AUX buffer serialization
nilfs2: replace snprintf in show functions with sysfs_emit
nilfs2: protect references to superblock parameters exposed in sysfs
ACPI: processor: Return an error if acpi_processor_get_info() fails in processor_add()
ACPI: processor: Fix memory leaks in error paths of processor_add()
arm64: acpi: Move get_cpu_for_acpi_id() to a header
arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry
nvmet-tcp: fix kernel crash if commands allocation fails
drm/i915/fence: Mark debug_fence_init_onstack() with __maybe_unused
drm/i915/fence: Mark debug_fence_free() with __maybe_unused
mmc: cqhci: Fix checking of CQHCI_HALT state
rtmutex: Drop rt_mutex::wait_lock before scheduling
x86/mm: Fix PTI for i386 some more
net, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket
memcg: protect concurrent access to mem_cgroup_idr
Linux 5.10.226
Change-Id: I3c0afd32ba78775f67cde6d73b4dbf931bbc4770
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Greg Kroah-Hartman
|
70fe52b634 |
Revert "Merge 751777a79a ("nfsd: make svc_stat per-network namespace instead of global") into android12-5.10-lts"
This reverts commit 44e9ffcf8f27f726358477ec3a99826d583922cc, reversing
changes made to
|
||
|
Greg Kroah-Hartman
|
c3e9a280ba |
Merge 751777a79a ("nfsd: make svc_stat per-network namespace instead of global") into android12-5.10-lts
Steps on the way to 5.10.226 Merge around the nfsd changes as we do not want/need them here. Change-Id: I1535c7c685034e09055ee05b34972fcefd49506f Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
b22678f8ef |
Merge ddee5b4b6a ("mptcp: pm: avoid possible UaF when selecting endp") into android12-5.10-lts
Steps on the way to 5.10.226 Change-Id: I4ee8b8e793b6ecb98c7078125d994b46b1165c2e Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Ryusuke Konishi
|
157c0d94b4 |
nilfs2: protect references to superblock parameters exposed in sysfs
[ Upstream commit 683408258917541bdb294cd717c210a04381931e ]
The superblock buffers of nilfs2 can not only be overwritten at runtime
for modifications/repairs, but they are also regularly swapped, replaced
during resizing, and even abandoned when degrading to one side due to
backing device issues. So, accessing them requires mutual exclusion using
the reader/writer semaphore "nilfs->ns_sem".
Some sysfs attribute show methods read this superblock buffer without the
necessary mutual exclusion, which can cause problems with pointer
dereferencing and memory access, so fix it.
Link: https://lkml.kernel.org/r/20240811100320.9913-1-konishi.ryusuke@gmail.com
Fixes:
|
||
Qing Wang
|
0630e3d435 |
nilfs2: replace snprintf in show functions with sysfs_emit
[ Upstream commit 3bcd6c5bd483287f4a09d3d59a012d47677b6edc ] Patch series "nilfs2 updates". This patch (of 2): coccicheck complains about the use of snprintf() in sysfs show functions. Fix the coccicheck warning: WARNING: use scnprintf or sprintf. Use sysfs_emit instead of scnprintf or sprintf makes more sense. Link: https://lkml.kernel.org/r/1635151862-11547-1-git-send-email-konishi.ryusuke@gmail.com Link: https://lkml.kernel.org/r/1634095759-4625-1-git-send-email-wangqing@vivo.com Link: https://lkml.kernel.org/r/1635151862-11547-2-git-send-email-konishi.ryusuke@gmail.com Signed-off-by: Qing Wang <wangqing@vivo.com> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Stable-dep-of: 683408258917 ("nilfs2: protect references to superblock parameters exposed in sysfs") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Trond Myklebust
|
d8a61e69f8 |
NFSv4: Add missing rescheduling points in nfs_client_return_marked_delegations
[ Upstream commit a017ad1313fc91bdf235097fd0a02f673fc7bb11 ] We're seeing reports of soft lockups when iterating through the loops, so let's add rescheduling points. Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com> Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Phillip Lougher
|
5c8906de98 |
Squashfs: sanity check symbolic link size
[ Upstream commit 810ee43d9cd245d138a2733d87a24858a23f577d ] Syzkiller reports a "KMSAN: uninit-value in pick_link" bug. This is caused by an uninitialised page, which is ultimately caused by a corrupted symbolic link size read from disk. The reason why the corrupted symlink size causes an uninitialised page is due to the following sequence of events: 1. squashfs_read_inode() is called to read the symbolic link from disk. This assigns the corrupted value 3875536935 to inode->i_size. 2. Later squashfs_symlink_read_folio() is called, which assigns this corrupted value to the length variable, which being a signed int, overflows producing a negative number. 3. The following loop that fills in the page contents checks that the copied bytes is less than length, which being negative means the loop is skipped, producing an uninitialised page. This patch adds a sanity check which checks that the symbolic link size is not larger than expected. -- Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk> Link: https://lore.kernel.org/r/20240811232821.13903-1-phillip@squashfs.org.uk Reported-by: Lizhi Xu <lizhi.xu@windriver.com> Reported-by: syzbot+24ac24ff58dc5b0d26b9@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/000000000000a90e8c061e86a76b@google.com/ V2: fix spelling mistake. Signed-off-by: Christian Brauner <brauner@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
David Sterba
|
912bcdc51b |
btrfs: initialize location to fix -Wmaybe-uninitialized in btrfs_lookup_dentry()
[ Upstream commit b8e947e9f64cac9df85a07672b658df5b2bcff07 ]
Some arch + compiler combinations report a potentially unused variable
location in btrfs_lookup_dentry(). This is a false alert as the variable
is passed by value and always valid or there's an error. The compilers
cannot probably reason about that although btrfs_inode_by_name() is in
the same file.
> + /kisskb/src/fs/btrfs/inode.c: error: 'location.objectid' may be used
+uninitialized in this function [-Werror=maybe-uninitialized]: => 5603:9
> + /kisskb/src/fs/btrfs/inode.c: error: 'location.type' may be used
+uninitialized in this function [-Werror=maybe-uninitialized]: => 5674:5
m68k-gcc8/m68k-allmodconfig
mips-gcc8/mips-allmodconfig
powerpc-gcc5/powerpc-all{mod,yes}config
powerpc-gcc5/ppc64_defconfig
Initialize it to zero, this should fix the warnings and won't change the
behaviour as btrfs_inode_by_name() accepts only a root or inode item
types, otherwise returns an error.
Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
Tested-by: Geert Uytterhoeven <geert@linux-m68k.org>
Link: https://lore.kernel.org/linux-btrfs/bd4e9928-17b3-9257-8ba7-6b7f9bbb639a@linux-m68k.org/
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Josef Bacik
|
c60676b81f |
btrfs: clean up our handling of refs == 0 in snapshot delete
[ Upstream commit b8ccef048354074a548f108e51d0557d6adfd3a3 ] In reada we BUG_ON(refs == 0), which could be unkind since we aren't holding a lock on the extent leaf and thus could get a transient incorrect answer. In walk_down_proc we also BUG_ON(refs == 0), which could happen if we have extent tree corruption. Change that to return -EUCLEAN. In do_walk_down() we catch this case and handle it correctly, however we return -EIO, which -EUCLEAN is a more appropriate error code. Finally in walk_up_proc we have the same BUG_ON(refs == 0), so convert that to proper error handling. Also adjust the error message so we can actually do something with the information. Signed-off-by: Josef Bacik <josef@toxicpanda.com> Reviewed-by: David Sterba <dsterba@suse.com> Signed-off-by: David Sterba <dsterba@suse.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Josef Bacik
|
ed1b61398c |
btrfs: replace BUG_ON with ASSERT in walk_down_proc()
[ Upstream commit 1f9d44c0a12730a24f8bb75c5e1102207413cc9b ] We have a couple of areas where we check to make sure the tree block is locked before looking up or messing with references. This is old code so it has this as BUG_ON(). Convert this to ASSERT() for developers. Signed-off-by: Josef Bacik <josef@toxicpanda.com> Reviewed-by: David Sterba <dsterba@suse.com> Signed-off-by: David Sterba <dsterba@suse.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Jan Kara
|
551966371e |
udf: Avoid excessive partition lengths
[ Upstream commit ebbe26fd54a9621994bc16b14f2ba8f84c089693 ] Avoid mounting filesystems where the partition would overflow the 32-bits used for block number. Also refuse to mount filesystems where the partition length is so large we cannot safely index bits in a block bitmap. Link: https://patch.msgid.link/20240620130403.14731-1-jack@suse.cz Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Josef Bacik
|
751777a79a |
nfsd: make svc_stat per-network namespace instead of global
[ Upstream commit 16fb9808ab2c99979f081987752abcbc5b092eac ] The final bit of stats that is global is the rpc svc_stat. Move this into the nfsd_net struct and use that everywhere instead of the global struct. Remove the unused global struct. Signed-off-by: Josef Bacik <josef@toxicpanda.com> Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Josef Bacik
|
f8219c4b80 |
nfsd: remove nfsd_stats, make th_cnt a global counter
[ Upstream commit e41ee44cc6a473b1f414031782c3b4283d7f3e5f ] This is the last global stat, take it out of the nfsd_stats struct and make it a global part of nfsd, report it the same as always. Signed-off-by: Josef Bacik <josef@toxicpanda.com> Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Josef Bacik
|
f2fe1ec906 |
nfsd: make all of the nfsd stats per-network namespace
[ Upstream commit 4b14885411f74b2b0ce0eb2b39d0fffe54e5ca0d ] We have a global set of counters that we modify for all of the nfsd operations, but now that we're exposing these stats across all network namespaces we need to make the stats also be per-network namespace. We already have some caching stats that are per-network namespace, so move these definitions into the same counter and then adjust all the helpers and users of these stats to provide the appropriate nfsd_net struct so that the stats are maintained for the per-network namespace objects. Signed-off-by: Josef Bacik <josef@toxicpanda.com> Reviewed-by: Jeff Layton <jlayton@kernel.org> [ cel: adjusted to apply to v5.10.y ] Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Josef Bacik
|
5545496966 |
nfsd: expose /proc/net/sunrpc/nfsd in net namespaces
[ Upstream commit 93483ac5fec62cc1de166051b219d953bb5e4ef4 ] We are running nfsd servers inside of containers with their own network namespace, and we want to monitor these services using the stats found in /proc. However these are not exposed in the proc inside of the container, so we have to bind mount the host /proc into our containers to get at this information. Separate out the stat counters init and the proc registration, and move the proc registration into the pernet operations entry and exit points so that these stats can be exposed inside of network namespaces. This is an intermediate step, this just exposes the global counters in the network namespace. Subsequent patches will move these counters into the per-network namespace container. Signed-off-by: Josef Bacik <josef@toxicpanda.com> Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Josef Bacik
|
fec6561e75 |
nfsd: rename NFSD_NET_* to NFSD_STATS_*
[ Upstream commit d98416cc2154053950610bb6880911e3dcbdf8c5 ] We're going to merge the stats all into per network namespace in subsequent patches, rename these nn counters to be consistent with the rest of the stats. Signed-off-by: Josef Bacik <josef@toxicpanda.com> Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Josef Bacik
|
e0fba78ab9 |
sunrpc: remove ->pg_stats from svc_program
[ Upstream commit 3f6ef182f144dcc9a4d942f97b6a8ed969f13c95 ] Now that this isn't used anywhere, remove it. Signed-off-by: Josef Bacik <josef@toxicpanda.com> Reviewed-by: Jeff Layton <jlayton@kernel.org> [ cel: adjusted to apply to v5.10.y ] Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Josef Bacik
|
7f2476914e |
sunrpc: pass in the sv_stats struct through svc_create_pooled
[ Upstream commit f094323867668d50124886ad884b665de7319537 ] Since only one service actually reports the rpc stats there's not much of a reason to have a pointer to it in the svc_program struct. Adjust the svc_create_pooled function to take the sv_stats as an argument and pass the struct through there as desired instead of getting it from the svc_program->pg_stats. Signed-off-by: Josef Bacik <josef@toxicpanda.com> Reviewed-by: Jeff Layton <jlayton@kernel.org> [ cel: adjusted to apply to v5.10.y ] Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Josef Bacik
|
d06254ae7d |
nfsd: stop setting ->pg_stats for unused stats
[ Upstream commit a2214ed588fb3c5b9824a21cff870482510372bb ] A lot of places are setting a blank svc_stats in ->pg_stats and never utilizing these stats. Remove all of these extra structs as we're not reporting these stats anywhere. Signed-off-by: Josef Bacik <josef@toxicpanda.com> Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Chuck Lever
|
d47c660e8c |
NFSD: Fix frame size warning in svc_export_parse()
[ Upstream commit 6939ace1f22681fface7841cdbf34d3204cc94b5 ]
fs/nfsd/export.c: In function 'svc_export_parse':
fs/nfsd/export.c:737:1: warning: the frame size of 1040 bytes is larger than 1024 bytes [-Wframe-larger-than=]
737 | }
On my systems, svc_export_parse() has a stack frame of over 800
bytes, not 1040, but nonetheless, it could do with some reduction.
When a struct svc_export is on the stack, it's a temporary structure
used as an argument, and not visible as an actual exported FS. No
need to reserve space for export_stats in such cases.
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202310012359.YEw5IrK6-lkp@intel.com/
Cc: Amir Goldstein <amir73il@gmail.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Stable-dep-of: 4b14885411f7 ("nfsd: make all of the nfsd stats per-network namespace")
[ cel: adjusted to apply to v5.10.y ]
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Filipe Manana
|
7e4c72dbaf |
btrfs: fix use-after-free after failure to create a snapshot
commit 28b21c558a3753171097193b6f6602a94169093a upstream. At ioctl.c:create_snapshot(), we allocate a pending snapshot structure and then attach it to the transaction's list of pending snapshots. After that we call btrfs_commit_transaction(), and if that returns an error we jump to 'fail' label, where we kfree() the pending snapshot structure. This can result in a later use-after-free of the pending snapshot: 1) We allocated the pending snapshot and added it to the transaction's list of pending snapshots; 2) We call btrfs_commit_transaction(), and it fails either at the first call to btrfs_run_delayed_refs() or btrfs_start_dirty_block_groups(). In both cases, we don't abort the transaction and we release our transaction handle. We jump to the 'fail' label and free the pending snapshot structure. We return with the pending snapshot still in the transaction's list; 3) Another task commits the transaction. This time there's no error at all, and then during the transaction commit it accesses a pointer to the pending snapshot structure that the snapshot creation task has already freed, resulting in a user-after-free. This issue could actually be detected by smatch, which produced the following warning: fs/btrfs/ioctl.c:843 create_snapshot() warn: '&pending_snapshot->list' not removed from list So fix this by not having the snapshot creation ioctl directly add the pending snapshot to the transaction's list. Instead add the pending snapshot to the transaction handle, and then at btrfs_commit_transaction() we add the snapshot to the list only when we can guarantee that any error returned after that point will result in a transaction abort, in which case the ioctl code can safely free the pending snapshot and no one can access it anymore. CC: stable@vger.kernel.org # 5.10+ Signed-off-by: Filipe Manana <fdmanana@suse.com> Signed-off-by: David Sterba <dsterba@suse.com> Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Chuck Lever
|
a8aaffc0c1 |
NFSD: Rewrite synopsis of nfsd_percpu_counters_init()
[ Upstream commit 5ec39944f874e1ecc09f624a70dfaa8ac3bf9d08 ]
In function ‘export_stats_init’,
inlined from ‘svc_export_alloc’ at fs/nfsd/export.c:866:6:
fs/nfsd/export.c:337:16: warning: ‘nfsd_percpu_counters_init’ accessing 40 bytes in a region of size 0 [-Wstringop-overflow=]
337 | return nfsd_percpu_counters_init(&stats->counter, EXP_STATS_COUNTERS_NUM);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
fs/nfsd/export.c:337:16: note: referencing argument 1 of type ‘struct percpu_counter[0]’
fs/nfsd/stats.h: In function ‘svc_export_alloc’:
fs/nfsd/stats.h:40:5: note: in a call to function ‘nfsd_percpu_counters_init’
40 | int nfsd_percpu_counters_init(struct percpu_counter counters[], int num);
| ^~~~~~~~~~~~~~~~~~~~~~~~~
Cc: Amir Goldstein <amir73il@gmail.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Stable-dep-of: 93483ac5fec6 ("nfsd: expose /proc/net/sunrpc/nfsd in net namespaces")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Ryusuke Konishi
|
efdde00d4a |
nilfs2: fix state management in error path of log writing function
commit 6576dd6695f2afca3f4954029ac4a64f82ba60ab upstream. After commit |
||
NeilBrown
|
c532274202 |
NFSD: simplify error paths in nfsd_svc()
[ Upstream commit bf32075256e9dd9c6b736859e2c5813981339908 ]
The error paths in nfsd_svc() are needlessly complex and can result in a
final call to svc_put() without nfsd_last_thread() being called. This
results in the listening sockets not being closed properly.
The per-netns setup provided by nfsd_startup_new() and removed by
nfsd_shutdown_net() is needed precisely when there are running threads.
So we don't need nfsd_up_before. We don't need to know if it *was* up.
We only need to know if any threads are left. If none are, then we must
call nfsd_shutdown_net(). But we don't need to do that explicitly as
nfsd_last_thread() does that for us.
So simply call nfsd_last_thread() before the last svc_put() if there are
no running threads. That will always do the right thing.
Also discard:
pr_info("nfsd: last server has exited, flushing export cache\n");
It may not be true if an attempt to start the first server failed, and
it isn't particularly helpful and it simply reports normal behaviour.
Signed-off-by: NeilBrown <neilb@suse.de>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Chuck Lever
|
ebfce8dd7e |
NFSD: Refactor the duplicate reply cache shrinker
[ Upstream commit c135e1269f34dfdea4bd94c11060c83a3c0b3c12 ] Avoid holding the bucket lock while freeing cache entries. This change also caps the number of entries that are freed when the shrinker calls to reduce the shrinker's impact on the cache's effectiveness. Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Chuck Lever
|
895807268a |
NFSD: Replace nfsd_prune_bucket()
[ Upstream commit a9507f6af1450ed26a4a36d979af518f5bb21e5d ]
Enable nfsd_prune_bucket() to drop the bucket lock while calling
kfree(). Use the same pattern that Jeff recently introduced in the
NFSD filecache.
A few percpu operations are moved outside the lock since they
temporarily disable local IRQs which is expensive and does not
need to be done while the lock is held.
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Stable-dep-of: c135e1269f34 ("NFSD: Refactor the duplicate reply cache shrinker")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Chuck Lever
|
a02f9d6ea3 |
NFSD: Rename nfsd_reply_cache_alloc()
[ Upstream commit ff0d169329768c1102b7b07eebe5a9839aa1c143 ]
For readability, rename to match the other helpers.
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Stable-dep-of: 4b14885411f7 ("nfsd: make all of the nfsd stats per-network namespace")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Chuck Lever
|
73b72f4b3b |
NFSD: Refactor nfsd_reply_cache_free_locked()
[ Upstream commit 35308e7f0fc3942edc87d9c6dc78c4a096428957 ]
To reduce contention on the bucket locks, we must avoid calling
kfree() while each bucket lock is held.
Start by refactoring nfsd_reply_cache_free_locked() into a helper
that removes an entry from the bucket (and must therefore run under
the lock) and a second helper that frees the entry (which does not
need to hold the lock).
For readability, rename the helpers nfsd_cacherep_<verb>.
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Stable-dep-of: a9507f6af145 ("NFSD: Replace nfsd_prune_bucket()")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Jeff Layton
|
3025d489f9 |
nfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net
[ Upstream commit ed9ab7346e908496816cffdecd46932035f66e2e ]
Commit f5f9d4a314da ("nfsd: move reply cache initialization into nfsd
startup") moved the initialization of the reply cache into nfsd startup,
but didn't account for the stats counters, which can be accessed before
nfsd is ever started. The result can be a NULL pointer dereference when
someone accesses /proc/fs/nfsd/reply_cache_stats while nfsd is still
shut down.
This is a regression and a user-triggerable oops in the right situation:
- non-x86_64 arch
- /proc/fs/nfsd is mounted in the namespace
- nfsd is not started in the namespace
- unprivileged user calls "cat /proc/fs/nfsd/reply_cache_stats"
Although this is easy to trigger on some arches (like aarch64), on
x86_64, calling this_cpu_ptr(NULL) evidently returns a pointer to the
fixed_percpu_data. That struct looks just enough like a newly
initialized percpu var to allow nfsd_reply_cache_stats_show to access
it without Oopsing.
Move the initialization of the per-net+per-cpu reply-cache counters
back into nfsd_init_net, while leaving the rest of the reply cache
allocations to be done at nfsd startup time.
Kudos to Eirik who did most of the legwork to track this down.
Cc: stable@vger.kernel.org # v6.3+
Fixes: f5f9d4a314da ("nfsd: move reply cache initialization into nfsd startup")
Reported-and-tested-by: Eirik Fuller <efuller@redhat.com>
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2215429
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Stable-dep-of: 4b14885411f7 ("nfsd: make all of the nfsd stats per-network namespace")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Jeff Layton
|
4e18b58b10 |
nfsd: move reply cache initialization into nfsd startup
[ Upstream commit f5f9d4a314da88c0a5faa6d168bf69081b7a25ae ]
There's no need to start the reply cache before nfsd is up and running,
and doing so means that we register a shrinker for every net namespace
instead of just the ones where nfsd is running.
Move it to the per-net nfsd startup instead.
Reported-by: Dai Ngo <dai.ngo@oracle.com>
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Stable-dep-of: ed9ab7346e90 ("nfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Ryusuke Konishi
|
07e4dc2fe0 |
nilfs2: fix missing cleanup on rollforward recovery error
commit 5787fcaab9eb5930f5378d6a1dd03d916d146622 upstream.
In an error injection test of a routine for mount-time recovery, KASAN
found a use-after-free bug.
It turned out that if data recovery was performed using partial logs
created by dsync writes, but an error occurred before starting the log
writer to create a recovered checkpoint, the inodes whose data had been
recovered were left in the ns_dirty_files list of the nilfs object and
were not freed.
Fix this issue by cleaning up inodes that have read the recovery data if
the recovery routine fails midway before the log writer starts.
Link: https://lkml.kernel.org/r/20240810065242.3701-1-konishi.ryusuke@gmail.com
Fixes:
|
||
Jann Horn
|
0811d57384 |
fuse: use unsigned type for getxattr/listxattr size truncation
commit b18915248a15eae7d901262f108d6ff0ffb4ffc1 upstream.
The existing code uses min_t(ssize_t, outarg.size, XATTR_LIST_MAX) when
parsing the FUSE daemon's response to a zero-length getxattr/listxattr
request.
On 32-bit kernels, where ssize_t and outarg.size are the same size, this is
wrong: The min_t() will pass through any size values that are negative when
interpreted as signed.
fuse_listxattr() will then return this userspace-supplied negative value,
which callers will treat as an error value.
This kind of bug pattern can lead to fairly bad security bugs because of
how error codes are used in the Linux kernel. If a caller were to convert
the numeric error into an error pointer, like so:
struct foo *func(...) {
int len = fuse_getxattr(..., NULL, 0);
if (len < 0)
return ERR_PTR(len);
...
}
then it would end up returning this userspace-supplied negative value cast
to a pointer - but the caller of this function wouldn't recognize it as an
error pointer (IS_ERR_VALUE() only detects values in the narrow range in
which legitimate errno values are), and so it would just be treated as a
kernel pointer.
I think there is at least one theoretical codepath where this could happen,
but that path would involve virtio-fs with submounts plus some weird
SELinux configuration, so I think it's probably not a concern in practice.
Cc: stable@vger.kernel.org # v4.9
Fixes:
|
||
Joanne Koong
|
9d38c704b4 |
fuse: update stats for pages in dropped aux writeback list
commit f7790d67785302b3116bbbfda62a5a44524601a3 upstream.
In the case where the aux writeback list is dropped (e.g. the pages
have been truncated or the connection is broken), the stats for
its pages and backing device info need to be updated as well.
Fixes:
|
||
|
Jan Kara
|
dfc8eb4d7e |
ext4: handle redirtying in ext4_bio_write_page()
commit 04e568a3b31cfbd545c04c8bfc35c20e5ccfce0f upstream. Since we want to transition transaction commits to use ext4_writepages() for writing back ordered, add handling of page redirtying into ext4_bio_write_page(). Also move buffer dirty bit clearing into the same place other buffer state handling. Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com> Signed-off-by: Jan Kara <jack@suse.cz> Link: https://lore.kernel.org/r/20221207112722.22220-1-jack@suse.cz Signed-off-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Jan Kara
|
5895541d73 |
udf: Limit file size to 4TB
commit c2efd13a2ed4f29bf9ef14ac2fbb7474084655f8 upstream. UDF disk format supports in principle file sizes up to 1<<64-1. However the file space (including holes) is described by a linked list of extents, each of which can have at most 1GB. Thus the creation and handling of extents gets unusably slow beyond certain point. Limit the file size to 4TB to avoid locking up the kernel too easily. Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Amir Goldstein
|
3f3ef1d9f6 |
fsnotify: clear PARENT_WATCHED flags lazily
[ Upstream commit 172e422ffea20a89bfdc672741c1aad6fbb5044e ] In some setups directories can have many (usually negative) dentries. Hence __fsnotify_update_child_dentry_flags() function can take a significant amount of time. Since the bulk of this function happens under inode->i_lock this causes a significant contention on the lock when we remove the watch from the directory as the __fsnotify_update_child_dentry_flags() call from fsnotify_recalc_mask() races with __fsnotify_update_child_dentry_flags() calls from __fsnotify_parent() happening on children. This can lead upto softlockup reports reported by users. Fix the problem by calling fsnotify_update_children_dentry_flags() to set PARENT_WATCHED flags only when parent starts watching children. When parent stops watching children, clear false positive PARENT_WATCHED flags lazily in __fsnotify_parent() for each accessed child. Suggested-by: Jan Kara <jack@suse.cz> Signed-off-by: Amir Goldstein <amir73il@gmail.com> Signed-off-by: Stephen Brennan <stephen.s.brennan@oracle.com> Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Greg Kroah-Hartman
|
4951c68022 |
Merge 5.10.225 into android12-5.10-lts
Changes in 5.10.225 fuse: Initialize beyond-EOF page contents before setting uptodate ALSA: usb-audio: Support Yamaha P-125 quirk entry xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration thunderbolt: Mark XDomain as unplugged when router is removed s390/dasd: fix error recovery leading to data corruption on ESE devices arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to NUMA_NO_NODE dm resume: don't return EINVAL when signalled dm persistent data: fix memory allocation failure vfs: Don't evict inode under the inode lru traversing context bitmap: introduce generic optimized bitmap_size() fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE selinux: fix potential counting error in avc_add_xperms_decision() btrfs: tree-checker: add dev extent item checks drm/amdgpu: Actually check flags for all context ops. memcg_write_event_control(): fix a user-triggerable oops drm/amdgpu/jpeg2: properly set atomics vmid field s390/cio: rename bitmap_size() -> idset_bitmap_size() btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits() s390/uv: Panic for set and remove shared access UVC errors net/mlx5e: Correctly report errors for ethtool rx flows atm: idt77252: prevent use after free in dequeue_rx() net: axienet: Fix register defines comment description net: dsa: vsc73xx: pass value in phy_write operation net: dsa: vsc73xx: use read_poll_timeout instead delay loop net: dsa: vsc73xx: check busy flag in MDIO operations mptcp: correct MPTCP_SUBFLOW_ATTR_SSN_OFFSET reserved size netfilter: flowtable: initialise extack before use net: hns3: fix wrong use of semaphore up net: hns3: fix a deadlock problem when config TC during resetting ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7 ssb: Fix division by zero issue in ssb_calc_clock_rate wifi: mac80211: fix BA session teardown race wifi: cw1200: Avoid processing an invalid TIM IE i2c: riic: avoid potential division by zero RDMA/rtrs: Fix the problem of variable not initialized fully s390/smp,mcck: fix early IPI handling media: radio-isa: use dev_name to fill in bus_info staging: iio: resolver: ad2s1210: fix use before initialization drm/amd/display: Validate hw_points_num before using it staging: ks7010: disable bh on tx_dev_lock binfmt_misc: cleanup on filesystem umount media: qcom: venus: fix incorrect return value scsi: spi: Fix sshdr use gfs2: setattr_chown: Add missing initialization wifi: iwlwifi: abort scan when rfkill on but device enabled IB/hfi1: Fix potential deadlock on &irq_src_lock and &dd->uctxt_lock powerpc/xics: Check return value of kasprintf in icp_native_map_one_cpu nvmet-trace: avoid dereferencing pointer too early ext4: do not trim the group with corrupted block bitmap quota: Remove BUG_ON from dqget() media: pci: cx23885: check cx23885_vdev_init() return fs: binfmt_elf_efpic: don't use missing interpreter's properties scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list() net/sun3_82586: Avoid reading past buffer in debug output drm/lima: set gp bus_stop bit before hard reset virtiofs: forbid newlines in tags netlink: hold nlk->cb_mutex longer in __netlink_dump_start() md: clean up invalid BUG_ON in md_ioctl x86: Increase brk randomness entropy for 64-bit systems memory: stm32-fmc2-ebi: check regmap_read return value parisc: Use irq_enter_rcu() to fix warning at kernel/context_tracking.c:367 powerpc/boot: Handle allocation failure in simple_realloc() powerpc/boot: Only free if realloc() succeeds btrfs: change BUG_ON to assertion when checking for delayed_node root btrfs: handle invalid root reference found in may_destroy_subvol() btrfs: send: handle unexpected data in header buffer in begin_cmd() btrfs: delete pointless BUG_ON check on quota root in btrfs_qgroup_account_extent() f2fs: fix to do sanity check in update_sit_entry usb: gadget: fsl: Increase size of name buffer for endpoints Bluetooth: bnep: Fix out-of-bound access net: hns3: add checking for vf id of mailbox nvmet-tcp: do not continue for invalid icreq NFS: avoid infinite loop in pnfs_update_layout. openrisc: Call setup_memory() earlier in the init sequence s390/iucv: fix receive buffer virtual vs physical address confusion usb: dwc3: core: Skip setting event buffers for host only controllers irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc ext4: set the type of max_zeroout to unsigned int to avoid overflow nvmet-rdma: fix possible bad dereference when freeing rsps hrtimer: Prevent queuing of hrtimer without a function callback gtp: pull network headers in gtp_dev_xmit() block: use "unsigned long" for blk_validate_block_size(). media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c) dm suspend: return -ERESTARTSYS instead of -EINTR Bluetooth: hci_core: Fix LE quote calculation Bluetooth: SMP: Fix assumption of Central always being Initiator tc-testing: don't access non-existent variable on exception kcm: Serialise kcm_sendmsg() for the same socket. netfilter: nft_counter: Synchronize nft_counter_reset() against reader. ip6_tunnel: Fix broken GRO bonding: fix bond_ipsec_offload_ok return type bonding: fix null pointer deref in bond_ipsec_offload_ok bonding: fix xfrm real_dev null pointer dereference bonding: fix xfrm state handling when clearing active slave ice: fix ICE_LAST_OFFSET formula net: dsa: mv88e6xxx: read FID when handling ATU violations net: dsa: mv88e6xxx: replace ATU violation prints with trace points net: dsa: mv88e6xxx: Fix out-of-bound access netem: fix return value if duplicate enqueue fails ipv6: prevent UAF in ip6_send_skb() net: xilinx: axienet: Always disable promiscuous mode net: xilinx: axienet: Fix dangling multicast addresses drm/msm/dpu: don't play tricks with debug macros drm/msm/dp: reset the link phy params before link training mmc: mmc_test: Fix NULL dereference on allocation failure Bluetooth: MGMT: Add error handling to pair_device() binfmt_misc: pass binfmt_misc flags to the interpreter MIPS: Loongson64: Set timer mode in cpu-probe HID: wacom: Defer calculation of resolution until resolution_code is known HID: microsoft: Add rumble support to latest xbox controllers cxgb4: add forgotten u64 ivlan cast before shift KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3 mmc: dw_mmc: allow biu and ciu clocks to defer Revert "drm/amd/display: Validate hw_points_num before using it" ALSA: timer: Relax start tick time check for slave timer elements nfsd: Don't call freezable_schedule_timeout() after each successful page allocation in svc_alloc_arg(). Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY flag in HCIUARTGETPROTO Input: MT - limit max slots tools: move alignment-related macros to new <linux/align.h> drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc KVM: arm64: Don't use cbz/adr with external symbols pinctrl: rockchip: correct RK3328 iomux width flag for GPIO2-B pins pinctrl: single: fix potential NULL dereference in pcs_get_function() wifi: mwifiex: duplicate static structs used in driver instances mptcp: sched: check both backup in retrans ipc: replace costly bailout check in sysvipc_find_ipc() drm/amdkfd: don't allow mapping the MMIO HDP page with large pages media: uvcvideo: Fix integer overflow calculating timestamp Revert "Input: ioc3kbd - convert to platform remove callback returning void" ata: libata-core: Fix null pointer dereference on error cgroup/cpuset: Prevent UAF in proc_cpuset_show() net:rds: Fix possible deadlock in rds_message_put ovl: do not fail because of O_NOATIME soundwire: stream: fix programming slave ports for non-continous port maps dmaengine: dw: Add peripheral bus width verification dmaengine: dw: Add memory bus width verification ethtool: check device is present when getting link settings gtp: fix a potential NULL pointer dereference net: busy-poll: use ktime_get_ns() instead of local_clock() nfc: pn533: Add poll mod list filling check soc: qcom: cmd-db: Map shared memory as WC, not WB cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller USB: serial: option: add MeiG Smart SRM825L usb: dwc3: omap: add missing depopulate in probe error path usb: dwc3: core: Prevent USB core invalid event buffer address access usb: dwc3: st: fix probed platform device ref count on probe error path usb: dwc3: st: add missing depopulate in probe error path usb: core: sysfs: Unmerge @usb3_hardware_lpm_attr_group in remove_power_attributes() scsi: aacraid: Fix double-free on probe failure apparmor: fix policy_unpack_test on big endian systems Linux 5.10.225 Change-Id: I5028ef07db680262d45fba4096094fe8b19dd052 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Miklos Szeredi
|
acddd7c6b7 |
ovl: do not fail because of O_NOATIME
commit b6650dab404c701d7fe08a108b746542a934da84 upstream. In case the file cannot be opened with O_NOATIME because of lack of capabilities, then clear O_NOATIME instead of failing. Remove WARN_ON(), since it would now trigger if O_NOATIME was cleared. Noticed by Amir Goldstein. Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Laurent Vivier
|
7fd3a59268 |
binfmt_misc: pass binfmt_misc flags to the interpreter
commit 2347961b11d4079deace3c81dceed460c08a8fc1 upstream. It can be useful to the interpreter to know which flags are in use. For instance, knowing if the preserve-argv[0] is in use would allow to skip the pathname argument. This patch uses an unused auxiliary vector, AT_FLAGS, to add a flag to inform interpreter if the preserve-argv[0] is enabled. Note by Helge Deller: The real-world user of this patch is qemu-user, which needs to know if it has to preserve the argv[0]. See Debian bug #970460. Signed-off-by: Laurent Vivier <laurent@vivier.eu> Reviewed-by: YunQiang Su <ysu@wavecomp.com> URL: http://bugs.debian.org/970460 Signed-off-by: Helge Deller <deller@gmx.de> Cc: Thorsten Glaser <tg@debian.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Baokun Li
|
2143cba143 |
ext4: set the type of max_zeroout to unsigned int to avoid overflow
[ Upstream commit 261341a932d9244cbcd372a3659428c8723e5a49 ] The max_zeroout is of type int and the s_extent_max_zeroout_kb is of type uint, and the s_extent_max_zeroout_kb can be freely modified via the sysfs interface. When the block size is 1024, max_zeroout may overflow, so declare it as unsigned int to avoid overflow. Signed-off-by: Baokun Li <libaokun1@huawei.com> Reviewed-by: Jan Kara <jack@suse.cz> Link: https://lore.kernel.org/r/20240319113325.3110393-9-libaokun1@huawei.com Signed-off-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
NeilBrown
|
e5272645a0 |
NFS: avoid infinite loop in pnfs_update_layout.
[ Upstream commit 2fdbc20036acda9e5694db74a032d3c605323005 ] If pnfsd_update_layout() is called on a file for which recovery has failed it will enter a tight infinite loop. NFS_LAYOUT_INVALID_STID will be set, nfs4_select_rw_stateid() will return -EIO, and nfs4_schedule_stateid_recovery() will do nothing, so nfs4_client_recover_expired_lease() will not wait. So the code will loop indefinitely. Break the loop by testing the validity of the open stateid at the top of the loop. Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Zhiguo Niu
|
bf0c603ab4 |
f2fs: fix to do sanity check in update_sit_entry
[ Upstream commit 36959d18c3cf09b3c12157c6950e18652067de77 ] If GET_SEGNO return NULL_SEGNO for some unecpected case, update_sit_entry will access invalid memory address, cause system crash. It is better to do sanity check about GET_SEGNO just like update_segment_mtime & locate_dirty_segment. Also remove some redundant judgment code. Signed-off-by: Zhiguo Niu <zhiguo.niu@unisoc.com> Reviewed-by: Chao Yu <chao@kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
David Sterba
|
8ec052c544 |
btrfs: delete pointless BUG_ON check on quota root in btrfs_qgroup_account_extent()
[ Upstream commit f40a3ea94881f668084f68f6b9931486b1606db0 ]
The BUG_ON is deep in the qgroup code where we can expect that it
exists. A NULL pointer would cause a crash.
It was added long ago in
|
||
|
David Sterba
|
0c1d7b960f |
btrfs: send: handle unexpected data in header buffer in begin_cmd()
[ Upstream commit e80e3f732cf53c64b0d811e1581470d67f6c3228 ] Change BUG_ON to a proper error handling in the unlikely case of seeing data when the command is started. This is supposed to be reset when the command is finished (send_cmd, send_encoded_extent). Signed-off-by: David Sterba <dsterba@suse.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
David Sterba
|
94a7dff229 |
btrfs: handle invalid root reference found in may_destroy_subvol()
[ Upstream commit 6fbc6f4ac1f4907da4fc674251527e7dc79ffbf6 ] The may_destroy_subvol() looks up a root by a key, allowing to do an inexact search when key->offset is -1. It's never expected to find such item, as it would break the allowed range of a root id. Signed-off-by: David Sterba <dsterba@suse.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
David Sterba
|
3dd13074e7 |
btrfs: change BUG_ON to assertion when checking for delayed_node root
[ Upstream commit be73f4448b607e6b7ce41cd8ef2214fdf6e7986f ] The pointer to root is initialized in btrfs_init_delayed_node(), no need to check for it again. Change the BUG_ON to assertion. Reviewed-by: Josef Bacik <josef@toxicpanda.com> Reviewed-by: Anand Jain <anand.jain@oracle.com> Signed-off-by: David Sterba <dsterba@suse.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Stefan Hajnoczi
|
316bf51edd |
virtiofs: forbid newlines in tags
[ Upstream commit 40488cc16f7ea0d193a4e248f0d809c25cc377db ] Newlines in virtiofs tags are awkward for users and potential vectors for string injection attacks. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Vivek Goyal <vgoyal@redhat.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Max Filippov
|
a441ce39ad |
fs: binfmt_elf_efpic: don't use missing interpreter's properties
[ Upstream commit 15fd1dc3dadb4268207fa6797e753541aca09a2a ] Static FDPIC executable may get an executable stack even when it has non-executable GNU_STACK segment. This happens when STACK segment has rw permissions, but does not specify stack size. In that case FDPIC loader uses permissions of the interpreter's stack, and for static executables with no interpreter it results in choosing the arch-default permissions for the stack. Fix that by using the interpreter's properties only when the interpreter is actually used. Signed-off-by: Max Filippov <jcmvbkbc@gmail.com> Link: https://lore.kernel.org/r/20240118150637.660461-1-jcmvbkbc@gmail.com Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Jan Kara
|
00d4f971fa |
quota: Remove BUG_ON from dqget()
[ Upstream commit 249f374eb9b6b969c64212dd860cc1439674c4a8 ] dqget() checks whether dquot->dq_sb is set when returning it using BUG_ON. Firstly this doesn't work as an invalidation check for quite some time (we release dquot with dq_sb set these days), secondly using BUG_ON is quite harsh. Use WARN_ON_ONCE and check whether dquot is still hashed instead. Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Baokun Li
|
239c5e988e |
ext4: do not trim the group with corrupted block bitmap
[ Upstream commit 172202152a125955367393956acf5f4ffd092e0d ] Otherwise operating on an incorrupted block bitmap can lead to all sorts of unknown problems. Signed-off-by: Baokun Li <libaokun1@huawei.com> Reviewed-by: Jan Kara <jack@suse.cz> Link: https://lore.kernel.org/r/20240104142040.2835097-3-libaokun1@huawei.com Signed-off-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Andreas Gruenbacher
|
d483de53d4 |
gfs2: setattr_chown: Add missing initialization
[ Upstream commit 2d8d7990619878a848b1d916c2f936d3012ee17d ] Add a missing initialization of variable ap in setattr_chown(). Without, chown() may be able to bypass quotas. Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Christian Brauner
|
a43edc7abc |
binfmt_misc: cleanup on filesystem umount
[ Upstream commit 1c5976ef0f7ad76319df748ccb99a4c7ba2ba464 ] Currently, registering a new binary type pins the binfmt_misc filesystem. Specifically, this means that as long as there is at least one binary type registered the binfmt_misc filesystem survives all umounts, i.e. the superblock is not destroyed. Meaning that a umount followed by another mount will end up with the same superblock and the same binary type handlers. This is a behavior we tend to discourage for any new filesystems (apart from a few special filesystems such as e.g. configfs or debugfs). A umount operation without the filesystem being pinned - by e.g. someone holding a file descriptor to an open file - should usually result in the destruction of the superblock and all associated resources. This makes introspection easier and leads to clearly defined, simple and clean semantics. An administrator can rely on the fact that a umount will guarantee a clean slate making it possible to reinitialize a filesystem. Right now all binary types would need to be explicitly deleted before that can happen. This allows us to remove the heavy-handed calls to simple_pin_fs() and simple_release_fs() when creating and deleting binary types. This in turn allows us to replace the current brittle pinning mechanism abusing dget() which has caused a range of bugs judging from prior fixes in [2] and [3]. The additional dget() in load_misc_binary() pins the dentry but only does so for the sake to prevent ->evict_inode() from freeing the node when a user removes the binary type and kill_node() is run. Which would mean ->interpreter and ->interp_file would be freed causing a UAF. This isn't really nicely documented nor is it very clean because it relies on simple_pin_fs() pinning the filesystem as long as at least one binary type exists. Otherwise it would cause load_misc_binary() to hold on to a dentry belonging to a superblock that has been shutdown. Replace that implicit pinning with a clean and simple per-node refcount and get rid of the ugly dget() pinning. A similar mechanism exists for e.g. binderfs (cf. [4]). All the cleanup work can now be done in ->evict_inode(). In a follow-up patch we will make it possible to use binfmt_misc in sandboxes. We will use the cleaner semantics where a umount for the filesystem will cause the superblock and all resources to be deallocated. In preparation for this apply the same semantics to the initial binfmt_misc mount. Note, that this is a user-visible change and as such a uapi change but one that we can reasonably risk. We've discussed this in earlier versions of this patchset (cf. [1]). The main user and provider of binfmt_misc is systemd. Systemd provides binfmt_misc via autofs since it is configurable as a kernel module and is used by a few exotic packages and users. As such a binfmt_misc mount is triggered when /proc/sys/fs/binfmt_misc is accessed and is only provided on demand. Other autofs on demand filesystems include EFI ESP which systemd umounts if the mountpoint stays idle for a certain amount of time. This doesn't apply to the binfmt_misc autofs mount which isn't touched once it is mounted meaning this change can't accidently wipe binary type handlers without someone having explicitly unmounted binfmt_misc. After speaking to systemd folks they don't expect this change to affect them. In line with our general policy, if we see a regression for systemd or other users with this change we will switch back to the old behavior for the initial binfmt_misc mount and have binary types pin the filesystem again. But while we touch this code let's take the chance and let's improve on the status quo. [1]: https://lore.kernel.org/r/20191216091220.465626-2-laurent@vivier.eu [2]: commit |
||
Alexander Lobakin
|
6bcd0f95b8 |
btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits()
commit 4ca532d64648d4776d15512caed3efea05ca7195 upstream. bitmap_set_bits() does not start with the FS' prefix and may collide with a new generic helper one day. It operates with the FS-specific types, so there's no change those two could do the same thing. Just add the prefix to exclude such possible conflict. Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com> Acked-by: David Sterba <dsterba@suse.com> Reviewed-by: Yury Norov <yury.norov@gmail.com> Signed-off-by: Alexander Lobakin <aleksander.lobakin@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Qu Wenruo
|
d88083916f |
btrfs: tree-checker: add dev extent item checks
commit 008e2512dc5696ab2dc5bf264e98a9fe9ceb830e upstream.
[REPORT]
There is a corruption report that btrfs refused to mount a fs that has
overlapping dev extents:
BTRFS error (device sdc): dev extent devid 4 physical offset 14263979671552 overlap with previous dev extent end 14263980982272
BTRFS error (device sdc): failed to verify dev extents against chunks: -117
BTRFS error (device sdc): open_ctree failed
[CAUSE]
The direct cause is very obvious, there is a bad dev extent item with
incorrect length.
With btrfs check reporting two overlapping extents, the second one shows
some clue on the cause:
ERROR: dev extent devid 4 offset 14263979671552 len 6488064 overlap with previous dev extent end 14263980982272
ERROR: dev extent devid 13 offset 2257707008000 len 6488064 overlap with previous dev extent end 2257707270144
ERROR: errors found in extent allocation tree or chunk allocation
The second one looks like a bitflip happened during new chunk
allocation:
hex(2257707008000) = 0x20da9d30000
hex(2257707270144) = 0x20da9d70000
diff = 0x00000040000
So it looks like a bitflip happened during new dev extent allocation,
resulting the second overlap.
Currently we only do the dev-extent verification at mount time, but if the
corruption is caused by memory bitflip, we really want to catch it before
writing the corruption to the storage.
Furthermore the dev extent items has the following key definition:
(<device id> DEV_EXTENT <physical offset>)
Thus we can not just rely on the generic key order check to make sure
there is no overlapping.
[ENHANCEMENT]
Introduce dedicated dev extent checks, including:
- Fixed member checks
* chunk_tree should always be BTRFS_CHUNK_TREE_OBJECTID (3)
* chunk_objectid should always be
BTRFS_FIRST_CHUNK_CHUNK_TREE_OBJECTID (256)
- Alignment checks
* chunk_offset should be aligned to sectorsize
* length should be aligned to sectorsize
* key.offset should be aligned to sectorsize
- Overlap checks
If the previous key is also a dev-extent item, with the same
device id, make sure we do not overlap with the previous dev extent.
Reported: Stefan N <stefannnau@gmail.com>
Link: https://lore.kernel.org/linux-btrfs/CA+W5K0rSO3koYTo=nzxxTm1-Pdu1HYgVxEpgJ=aGc7d=E8mGEg@mail.gmail.com/
CC: stable@vger.kernel.org # 5.10+
Reviewed-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Al Viro
|
fe5bf14881 |
fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE
commit 9a2fa1472083580b6c66bdaf291f591e1170123a upstream. copy_fd_bitmaps(new, old, count) is expected to copy the first count/BITS_PER_LONG bits from old->full_fds_bits[] and fill the rest with zeroes. What it does is copying enough words (BITS_TO_LONGS(count/BITS_PER_LONG)), then memsets the rest. That works fine, *if* all bits past the cutoff point are clear. Otherwise we are risking garbage from the last word we'd copied. For most of the callers that is true - expand_fdtable() has count equal to old->max_fds, so there's no open descriptors past count, let alone fully occupied words in ->open_fds[], which is what bits in ->full_fds_bits[] correspond to. The other caller (dup_fd()) passes sane_fdtable_size(old_fdt, max_fds), which is the smallest multiple of BITS_PER_LONG that covers all opened descriptors below max_fds. In the common case (copying on fork()) max_fds is ~0U, so all opened descriptors will be below it and we are fine, by the same reasons why the call in expand_fdtable() is safe. Unfortunately, there is a case where max_fds is less than that and where we might, indeed, end up with junk in ->full_fds_bits[] - close_range(from, to, CLOSE_RANGE_UNSHARE) with * descriptor table being currently shared * 'to' being above the current capacity of descriptor table * 'from' being just under some chunk of opened descriptors. In that case we end up with observably wrong behaviour - e.g. spawn a child with CLONE_FILES, get all descriptors in range 0..127 open, then close_range(64, ~0U, CLOSE_RANGE_UNSHARE) and watch dup(0) ending up with descriptor #128, despite #64 being observably not open. The minimally invasive fix would be to deal with that in dup_fd(). If this proves to add measurable overhead, we can go that way, but let's try to fix copy_fd_bitmaps() first. * new helper: bitmap_copy_and_expand(to, from, bits_to_copy, size). * make copy_fd_bitmaps() take the bitmap size in words, rather than bits; it's 'count' argument is always a multiple of BITS_PER_LONG, so we are not losing any information, and that way we can use the same helper for all three bitmaps - compiler will see that count is a multiple of BITS_PER_LONG for the large ones, so it'll generate plain memcpy()+memset(). Reproducer added to tools/testing/selftests/core/close_range_test.c Cc: stable@vger.kernel.org Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Zhihao Cheng
|
03880af02a |
vfs: Don't evict inode under the inode lru traversing context
commit 2a0629834cd82f05d424bbc193374f9a43d1f87d upstream.
The inode reclaiming process(See function prune_icache_sb) collects all
reclaimable inodes and mark them with I_FREEING flag at first, at that
time, other processes will be stuck if they try getting these inodes
(See function find_inode_fast), then the reclaiming process destroy the
inodes by function dispose_list(). Some filesystems(eg. ext4 with
ea_inode feature, ubifs with xattr) may do inode lookup in the inode
evicting callback function, if the inode lookup is operated under the
inode lru traversing context, deadlock problems may happen.
Case 1: In function ext4_evict_inode(), the ea inode lookup could happen
if ea_inode feature is enabled, the lookup process will be stuck
under the evicting context like this:
1. File A has inode i_reg and an ea inode i_ea
2. getfattr(A, xattr_buf) // i_ea is added into lru // lru->i_ea
3. Then, following three processes running like this:
PA PB
echo 2 > /proc/sys/vm/drop_caches
shrink_slab
prune_dcache_sb
// i_reg is added into lru, lru->i_ea->i_reg
prune_icache_sb
list_lru_walk_one
inode_lru_isolate
i_ea->i_state |= I_FREEING // set inode state
inode_lru_isolate
__iget(i_reg)
spin_unlock(&i_reg->i_lock)
spin_unlock(lru_lock)
rm file A
i_reg->nlink = 0
iput(i_reg) // i_reg->nlink is 0, do evict
ext4_evict_inode
ext4_xattr_delete_inode
ext4_xattr_inode_dec_ref_all
ext4_xattr_inode_iget
ext4_iget(i_ea->i_ino)
iget_locked
find_inode_fast
__wait_on_freeing_inode(i_ea) ----→ AA deadlock
dispose_list // cannot be executed by prune_icache_sb
wake_up_bit(&i_ea->i_state)
Case 2: In deleted inode writing function ubifs_jnl_write_inode(), file
deleting process holds BASEHD's wbuf->io_mutex while getting the
xattr inode, which could race with inode reclaiming process(The
reclaiming process could try locking BASEHD's wbuf->io_mutex in
inode evicting function), then an ABBA deadlock problem would
happen as following:
1. File A has inode ia and a xattr(with inode ixa), regular file B has
inode ib and a xattr.
2. getfattr(A, xattr_buf) // ixa is added into lru // lru->ixa
3. Then, following three processes running like this:
PA PB PC
echo 2 > /proc/sys/vm/drop_caches
shrink_slab
prune_dcache_sb
// ib and ia are added into lru, lru->ixa->ib->ia
prune_icache_sb
list_lru_walk_one
inode_lru_isolate
ixa->i_state |= I_FREEING // set inode state
inode_lru_isolate
__iget(ib)
spin_unlock(&ib->i_lock)
spin_unlock(lru_lock)
rm file B
ib->nlink = 0
rm file A
iput(ia)
ubifs_evict_inode(ia)
ubifs_jnl_delete_inode(ia)
ubifs_jnl_write_inode(ia)
make_reservation(BASEHD) // Lock wbuf->io_mutex
ubifs_iget(ixa->i_ino)
iget_locked
find_inode_fast
__wait_on_freeing_inode(ixa)
| iput(ib) // ib->nlink is 0, do evict
| ubifs_evict_inode
| ubifs_jnl_delete_inode(ib)
↓ ubifs_jnl_write_inode
ABBA deadlock ←-----make_reservation(BASEHD)
dispose_list // cannot be executed by prune_icache_sb
wake_up_bit(&ixa->i_state)
Fix the possible deadlock by using new inode state flag I_LRU_ISOLATING
to pin the inode in memory while inode_lru_isolate() reclaims its pages
instead of using ordinary inode reference. This way inode deletion
cannot be triggered from inode_lru_isolate() thus avoiding the deadlock.
evict() is made to wait for I_LRU_ISOLATING to be cleared before
proceeding with inode cleanup.
Link: https://lore.kernel.org/all/37c29c42-7685-d1f0-067d-63582ffac405@huaweicloud.com/
Link: https://bugzilla.kernel.org/show_bug.cgi?id=219022
Fixes:
|
||
|
Jann Horn
|
4690e2171f |
fuse: Initialize beyond-EOF page contents before setting uptodate
commit 3c0da3d163eb32f1f91891efaade027fa9b245b9 upstream.
fuse_notify_store(), unlike fuse_do_readpage(), does not enable page
zeroing (because it can be used to change partial page contents).
So fuse_notify_store() must be more careful to fully initialize page
contents (including parts of the page that are beyond end-of-file)
before marking the page uptodate.
The current code can leave beyond-EOF page contents uninitialized, which
makes these uninitialized page contents visible to userspace via mmap().
This is an information leak, but only affects systems which do not
enable init-on-alloc (via CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y or the
corresponding kernel command line parameter).
Link: https://bugs.chromium.org/p/project-zero/issues/detail?id=2574
Cc: stable@kernel.org
Fixes:
|
||
|
Greg Kroah-Hartman
|
b84ad15be5 |
This is the 5.10.224 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmbCv24ACgkQONu9yGCS
aT7lNRAAzP2lSCUHROaMTldoQdahqoWqwFSiMI9p32HYLTerpg1GHVsi1IUvD+pv
zhmUG9w+ACbSbZ9337G61FeEDCIBzgqaIXLCtbK2Be9nWMa9I1ZtMSFUKoSmVJBw
YbrI/UOscJmAf44G6DeMp+N+/S2o7INK463u51SYjufo/zhFF8KsYElm23p06kgn
lTkkUAoo9mSVvEr64zbjwLrWyBWTlcvYH/xrkWeJWXl+hBv0K5Ig9IBm0sc0DSQR
fErADzDLFkmD9pduZbMwbzUUzC8ST41KKjTgClaHQhSMeoLoWT8CJM5Swwds4XVE
JkoClkqnj3+stYFpLFm9UUgZ12wu/9slzgRCN6fTraSNT8gE9F9BRJXFGL+3S5OO
oHKZYEEPTZDsD3PihgufJ4Ft27+KpMUzAgQUmVH/y47wrVJ2pf4fCK8LKT0MbjBi
pjZaDRCxwo1aORL3+jYJBVRecrNqQ0DhacYOKznhb2KKeaHojIwLaE6k/W/0Q8U5
1uMYv+NJ3LWDNzGcNUTCfNtuDELOpkp24Xc8RN0MK2iMMMyfjMpgKssjSBZtz0QW
NH0UVpfiWKECKH+m03NeFnYdMuK8/VyM8vatkcemz0FfgJP2UazeiVwSujfS2r2S
0TtsCMPP3kgKa9mAnni7lQs4wkG+OTNDNZqbuDqFZ1rHUS2Usrg=
=8i2e
-----END PGP SIGNATURE-----
Merge 5.10.224 into android12-5.10-lts
Changes in 5.10.224
EDAC/skx_common: Add new ADXL components for 2-level memory
EDAC, i10nm: make skx_common.o a separate module
platform/chrome: cros_ec_debugfs: fix wrong EC message version
hfsplus: fix to avoid false alarm of circular locking
x86/of: Return consistent error type from x86_of_pci_irq_enable()
x86/pci/intel_mid_pci: Fix PCIBIOS_* return code handling
x86/pci/xen: Fix PCIBIOS_* return code handling
x86/platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos
hwmon: (adt7475) Fix default duty on fan is disabled
pwm: stm32: Always do lazy disabling
hwmon: (max6697) Fix underflow when writing limit attributes
hwmon: (max6697) Fix swapped temp{1,8} critical alarms
arm64: dts: qcom: sdm845: add power-domain to UFS PHY
soc: qcom: rpmh-rsc: Ensure irqs aren't disabled by rpmh_rsc_send_data() callers
arm64: dts: qcom: msm8996: specify UFS core_clk frequencies
soc: qcom: pdr: protect locator_addr with the main mutex
soc: qcom: pdr: fix parsing of domains lists
arm64: dts: rockchip: Increase VOP clk rate on RK3328
ARM: dts: imx6qdl-kontron-samx6i: move phy reset into phy-node
ARM: dts: imx6qdl-kontron-samx6i: fix PHY reset
ARM: dts: imx6qdl-kontron-samx6i: fix board reset
ARM: dts: imx6qdl-kontron-samx6i: fix SPI0 chip selects
ARM: dts: imx6qdl-kontron-samx6i: fix PCIe reset polarity
arm64: dts: mediatek: mt8183-kukui: Drop bogus output-enable property
arm64: dts: mediatek: mt7622: fix "emmc" pinctrl mux
arm64: dts: amlogic: gx: correct hdmi clocks
m68k: atari: Fix TT bootup freeze / unexpected (SCU) interrupt messages
x86/xen: Convert comma to semicolon
m68k: cmpxchg: Fix return value for default case in __arch_xchg()
ARM: pxa: spitz: use gpio descriptors for audio
ARM: spitz: fix GPIO assignment for backlight
firmware: turris-mox-rwtm: Fix checking return value of wait_for_completion_timeout()
firmware: turris-mox-rwtm: Initialize completion before mailbox
wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device
selftests/bpf: Fix prog numbers in test_sockmap
net: esp: cleanup esp_output_tail_tcp() in case of unsupported ESPINTCP
net/smc: Allow SMC-D 1MB DMB allocations
net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when CONFIG_ARCH_NO_SG_CHAIN is defined
selftests/bpf: Check length of recv in test_sockmap
lib: objagg: Fix general protection fault
mlxsw: spectrum_acl_erp: Fix object nesting warning
mlxsw: spectrum_acl_bloom_filter: Make mlxsw_sp_acl_bf_key_encode() more flexible
mlxsw: spectrum_acl: Fix ACL scale regression and firmware errors
ath11k: dp: stop rx pktlog before suspend
wifi: ath11k: fix wrong handling of CCMP256 and GCMP ciphers
wifi: cfg80211: fix typo in cfg80211_calculate_bitrate_he()
wifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he()
net: fec: Refactor: #define magic constants
net: fec: Fix FEC_ECR_EN1588 being cleared on link-down
ipvs: Avoid unnecessary calls to skb_is_gso_sctp
netfilter: nf_tables: rise cap on SELinux secmark context
perf/x86/intel/pt: Fix pt_topa_entry_for_page() address calculation
perf: Fix perf_aux_size() for greater-than 32-bit size
perf: Prevent passing zero nr_pages to rb_alloc_aux()
qed: Improve the stack space of filter_config()
wifi: virt_wifi: avoid reporting connection success with wrong SSID
gss_krb5: Fix the error handling path for crypto_sync_skcipher_setkey
wifi: virt_wifi: don't use strlen() in const context
selftests/bpf: Close fd in error path in drop_on_reuseport
bpf: annotate BTF show functions with __printf
bna: adjust 'name' buf size of bna_tcb and bna_ccb structures
bpf: Eliminate remaining "make W=1" warnings in kernel/bpf/btf.o
selftests: forwarding: devlink_lib: Wait for udev events after reloading
xdp: fix invalid wait context of page_pool_destroy()
drm/panel: boe-tv101wum-nl6: If prepare fails, disable GPIO before regulators
drm/panel: boe-tv101wum-nl6: Check for errors on the NOP in prepare()
media: dvb-usb: Fix unexpected infinite loop in dvb_usb_read_remote_control()
media: imon: Fix race getting ictx->lock
saa7134: Unchecked i2c_transfer function result fixed
media: uvcvideo: Allow entity-defined get_info and get_cur
media: uvcvideo: Override default flags
media: renesas: vsp1: Fix _irqsave and _irq mix
media: renesas: vsp1: Store RPF partition configuration per RPF instance
leds: trigger: Unregister sysfs attributes before calling deactivate()
perf report: Fix condition in sort__sym_cmp()
drm/etnaviv: fix DMA direction handling for cached RW buffers
drm/qxl: Add check for drm_cvt_mode
Revert "leds: led-core: Fix refcount leak in of_led_get()"
ext4: fix infinite loop when replaying fast_commit
media: venus: flush all buffers in output plane streamoff
mfd: omap-usb-tll: Use struct_size to allocate tll
xprtrdma: Rename frwr_release_mr()
xprtrdma: Fix rpcrdma_reqs_reset()
SUNRPC: avoid soft lockup when transmitting UDP to reachable server.
ext4: avoid writing unitialized memory to disk in EA inodes
sparc64: Fix incorrect function signature and add prototype for prom_cif_init
SUNRPC: Fixup gss_status tracepoint error output
PCI: Fix resource double counting on remove & rescan
coresight: Fix ref leak when of_coresight_parse_endpoint() fails
Input: qt1050 - handle CHIP_ID reading error
RDMA/mlx4: Fix truncated output warning in mad.c
RDMA/mlx4: Fix truncated output warning in alias_GUID.c
RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs
ASoC: max98088: Check for clk_prepare_enable() error
mtd: make mtd_test.c a separate module
RDMA/device: Return error earlier if port in not valid
Input: elan_i2c - do not leave interrupt disabled on suspend failure
MIPS: Octeron: remove source file executable bit
powerpc/xmon: Fix disassembly CPU feature checks
macintosh/therm_windtunnel: fix module unload.
RDMA/hns: Fix missing pagesize and alignment check in FRMR
bnxt_re: Fix imm_data endianness
netfilter: ctnetlink: use helper function to calculate expect ID
net: dsa: mv88e6xxx: Limit chip-wide frame size config to CPU ports
net: dsa: b53: Limit chip-wide jumbo frame config to CPU ports
pinctrl: rockchip: update rk3308 iomux routes
pinctrl: core: fix possible memory leak when pinctrl_enable() fails
pinctrl: single: fix possible memory leak when pinctrl_enable() fails
pinctrl: ti: ti-iodelay: Drop if block with always false condition
pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable() fails
pinctrl: freescale: mxs: Fix refcount of child
fs/proc/task_mmu: indicate PM_FILE for PMD-mapped file THP
fs/nilfs2: remove some unused macros to tame gcc
nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro
rtc: interface: Add RTC offset to alarm after fix-up
dt-bindings: thermal: correct thermal zone node name limit
tick/broadcast: Make takeover of broadcast hrtimer reliable
net: netconsole: Disable target before netpoll cleanup
af_packet: Handle outgoing VLAN packets without hardware offloading
ipv6: take care of scope when choosing the src addr
sched/fair: set_load_weight() must also call reweight_task() for SCHED_IDLE tasks
char: tpm: Fix possible memory leak in tpm_bios_measurements_open()
media: venus: fix use after free in vdec_close
hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()
ext2: Verify bitmap and itable block numbers before using them
drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes
drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes
scsi: qla2xxx: Fix optrom version displayed in FDMI
drm/amd/display: Check for NULL pointer
sched/fair: Use all little CPUs for CPU-bound workloads
apparmor: use kvfree_sensitive to free data->data
task_work: s/task_work_cancel()/task_work_cancel_func()/
task_work: Introduce task_work_cancel() again
udf: Avoid using corrupted block bitmap buffer
m68k: amiga: Turn off Warp1260 interrupts during boot
ext4: check dot and dotdot of dx_root before making dir indexed
ext4: make sure the first directory block is not a hole
wifi: mwifiex: Fix interface type change
leds: ss4200: Convert PCIBIOS_* return codes to errnos
jbd2: make jbd2_journal_get_max_txn_bufs() internal
KVM: VMX: Split out the non-virtualization part of vmx_interrupt_blocked()
tools/memory-model: Fix bug in lock.cat
hwrng: amd - Convert PCIBIOS_* return codes to errnos
PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN
PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio
binder: fix hang of unregistered readers
dev/parport: fix the array out-of-bounds risk
scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds
f2fs: fix to don't dirty inode for readonly filesystem
clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use
ubi: eba: properly rollback inside self_check_eba
decompress_bunzip2: fix rare decompression failure
kbuild: Fix '-S -c' in x86 stack protector scripts
kobject_uevent: Fix OOB access within zap_modalias_env()
devres: Fix devm_krealloc() wasting memory
rtc: cmos: Fix return value of nvmem callbacks
scsi: qla2xxx: During vport delete send async logout explicitly
scsi: qla2xxx: Fix for possible memory corruption
scsi: qla2xxx: Fix flash read failure
scsi: qla2xxx: Complete command early within lock
scsi: qla2xxx: validate nvme_local_port correctly
perf/x86/intel/pt: Fix topa_entry base length
perf/x86/intel/pt: Fix a topa_entry base address calculation
rtc: isl1208: Fix return value of nvmem callbacks
watchdog/perf: properly initialize the turbo mode timestamp and rearm counter
platform: mips: cpu_hwmon: Disable driver on unsupported hardware
RDMA/iwcm: Fix a use-after-free related to destroying CM IDs
selftests/sigaltstack: Fix ppc64 GCC build
rbd: don't assume rbd_is_lock_owner() for exclusive mappings
MIPS: ip30: ip30-console: Add missing include
MIPS: Loongson64: env: Hook up Loongsson-2K
drm/panfrost: Mark simple_ondemand governor as softdep
rbd: rename RBD_LOCK_STATE_RELEASING and releasing_wait
rbd: don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings
Bluetooth: btusb: Add RTL8852BE device 0489:e125 to device tables
Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x13d3:0x3591
nilfs2: handle inconsistent state in nilfs_btnode_create_block()
io_uring/io-wq: limit retrying worker initialisation
kernel: rerun task_work while freezing in get_signal()
kdb: address -Wformat-security warnings
kdb: Use the passed prompt in kdb_position_cursor()
jfs: Fix array-index-out-of-bounds in diFree
um: time-travel: fix time-travel-start option
f2fs: fix start segno of large section
libbpf: Fix no-args func prototype BTF dumping syntax
dma: fix call order in dmam_free_coherent
MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later
ipv4: Fix incorrect source address in Record Route option
net: bonding: correctly annotate RCU in bond_should_notify_peers()
netfilter: nft_set_pipapo_avx2: disable softinterrupts
tipc: Return non-zero value from tipc_udp_addr2str() on error
net: stmmac: Correct byte order of perfect_match
net: nexthop: Initialize all fields in dumped nexthops
bpf: Fix a segment issue when downgrading gso_size
mISDN: Fix a use after free in hfcmulti_tx()
apparmor: Fix null pointer deref when receiving skb during sock creation
powerpc: fix a file leak in kvm_vcpu_ioctl_enable_cap()
lirc: rc_dev_get_from_fd(): fix file leak
ASoC: Intel: use soc_intel_is_byt_cr() only when IOSF_MBI is reachable
ceph: fix incorrect kmalloc size of pagevec mempool
nvme: split command copy into a helper
nvme-pci: add missing condition check for existence of mapped data
fs: don't allow non-init s_user_ns for filesystems without FS_USERNS_MOUNT
powerpc/configs: Update defconfig with now user-visible CONFIG_FSL_IFC
fuse: name fs_context consistently
fuse: verify {g,u}id mount options correctly
sysctl: always initialize i_uid/i_gid
ext4: factor out a common helper to query extent map
ext4: check the extent status again before inserting delalloc block
soc: xilinx: move PM_INIT_FINALIZE to zynqmp_pm_domains driver
drivers: soc: xilinx: check return status of get_api_version()
driver core: Cast to (void *) with __force for __percpu pointer
devres: Fix memory leakage caused by driver API devm_free_percpu()
genirq: Allow the PM device to originate from irq domain
irqchip/imx-irqsteer: Constify irq_chip struct
irqchip/imx-irqsteer: Add runtime PM support
irqchip/imx-irqsteer: Handle runtime power management correctly
remoteproc: imx_rproc: ignore mapping vdev regions
remoteproc: imx_rproc: Fix ignoring mapping vdev regions
remoteproc: imx_rproc: Skip over memory region when node value is NULL
drm/nouveau: prime: fix refcount underflow
drm/vmwgfx: Fix overlay when using Screen Targets
sched: act_ct: take care of padding in struct zones_ht_key
net/iucv: fix use after free in iucv_sock_close()
net/mlx5e: Add a check for the return value from mlx5_port_set_eth_ptys
ipv6: fix ndisc_is_useropt() handling for PIO
riscv/mm: Add handling for VM_FAULT_SIGSEGV in mm_fault_error()
platform/chrome: cros_ec_proto: Lock device when updating MKBP version
HID: wacom: Modify pen IDs
protect the fetch of ->fd[fd] in do_dup2() from mispredictions
ALSA: usb-audio: Correct surround channels in UAC1 channel map
ALSA: hda/realtek: Add quirk for Acer Aspire E5-574G
net: usb: sr9700: fix uninitialized variable use in sr_mdio_read
r8169: don't increment tx_dropped in case of NETDEV_TX_BUSY
mptcp: fix duplicate data handling
netfilter: ipset: Add list flush to cancel_gc
genirq: Allow irq_chip registration functions to take a const irq_chip
irqchip/mbigen: Fix mbigen node address layout
x86/mm: Fix pti_clone_pgtable() alignment assumption
x86/mm: Fix pti_clone_entry_text() for i386
sctp: move hlist_node and hashent out of sctp_ep_common
sctp: Fix null-ptr-deref in reuseport_add_sock().
net: usb: qmi_wwan: fix memory leak for not ip packets
net: linkwatch: use system_unbound_wq
Bluetooth: l2cap: always unlock channel in l2cap_conless_channel()
net: dsa: bcm_sf2: Fix a possible memory leak in bcm_sf2_mdio_register()
l2tp: fix lockdep splat
net: fec: Stop PPS on driver remove
rcutorture: Fix rcu_torture_fwd_cb_cr() data race
md: do not delete safemode_timer in mddev_suspend
md/raid5: avoid BUG_ON() while continue reshape after reassembling
clocksource/drivers/sh_cmt: Address race condition for clock events
ACPI: battery: create alarm sysfs attribute atomically
ACPI: SBS: manage alarm sysfs attribute through psy core
selftests/bpf: Fix send_signal test with nested CONFIG_PARAVIRT
PCI: Add Edimax Vendor ID to pci_ids.h
udf: prevent integer overflow in udf_bitmap_free_blocks()
wifi: nl80211: don't give key data to userspace
btrfs: fix bitmap leak when loading free space cache on duplicate entry
drm/amdgpu: Fix the null pointer dereference to ras_manager
drm/amdgpu/pm: Fix the null pointer dereference in apply_state_adjust_rules
media: uvcvideo: Ignore empty TS packets
media: uvcvideo: Fix the bandwdith quirk on USB 3.x
jbd2: avoid memleak in jbd2_journal_write_metadata_buffer
s390/sclp: Prevent release of buffer in I/O
SUNRPC: Fix a race to wake a sync task
sched/cputime: Fix mul_u64_u64_div_u64() precision for cputime
ext4: fix wrong unit use in ext4_mb_find_by_goal
arm64: cpufeature: Force HWCAP to be based on the sysreg visible to user-space
arm64: Add Neoverse-V2 part
arm64: cputype: Add Cortex-X4 definitions
arm64: cputype: Add Neoverse-V3 definitions
arm64: errata: Add workaround for Arm errata 3194386 and 3312417
arm64: cputype: Add Cortex-X3 definitions
arm64: cputype: Add Cortex-A720 definitions
arm64: cputype: Add Cortex-X925 definitions
arm64: errata: Unify speculative SSBS errata logic
arm64: errata: Expand speculative SSBS workaround
arm64: cputype: Add Cortex-X1C definitions
arm64: cputype: Add Cortex-A725 definitions
arm64: errata: Expand speculative SSBS workaround (again)
i2c: smbus: Improve handling of stuck alerts
ASoC: codecs: wsa881x: Correct Soundwire ports mask
i2c: smbus: Send alert notifications to all devices if source not found
bpf: kprobe: remove unused declaring of bpf_kprobe_override
kprobes: Fix to check symbol prefixes correctly
spi: spi-fsl-lpspi: Fix scldiv calculation
ALSA: usb-audio: Re-add ScratchAmp quirk entries
drm/client: fix null pointer dereference in drm_client_modeset_probe
ALSA: line6: Fix racy access to midibuf
ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list
ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4
usb: vhci-hcd: Do not drop references before new references are gained
USB: serial: debug: do not echo input by default
usb: gadget: core: Check for unset descriptor
usb: gadget: u_serial: Set start_delayed during suspend
scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic
tick/broadcast: Move per CPU pointer access into the atomic section
ntp: Clamp maxerror and esterror to operating range
driver core: Fix uevent_show() vs driver detach race
ntp: Safeguard against time_constant overflow
scsi: mpt3sas: Remove scsi_dma_map() error messages
scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES
irqchip/meson-gpio: support more than 8 channels gpio irq
irqchip/meson-gpio: Convert meson_gpio_irq_controller::lock to 'raw_spinlock_t'
serial: core: check uartclk for zero to avoid divide by zero
irqchip/xilinx: Fix shift out of bounds
genirq/irqdesc: Honor caller provided affinity in alloc_desc()
power: supply: axp288_charger: Fix constant_charge_voltage writes
power: supply: axp288_charger: Round constant_charge_voltage writes down
tracing: Fix overflow in get_free_elt()
padata: Fix possible divide-by-0 panic in padata_mt_helper()
x86/mtrr: Check if fixed MTRRs exist before saving them
drm/bridge: analogix_dp: properly handle zero sized AUX transactions
drm/mgag200: Set DDC timeout in milliseconds
mptcp: sched: check both directions for backup
mptcp: distinguish rcv vs sent backup flag in requests
mptcp: fix NL PM announced address accounting
mptcp: mib: count MPJ with backup flag
mptcp: export local_address
mptcp: pm: fix backup support in signal endpoints
samples: Add fs error monitoring example
samples: Make fs-monitor depend on libc and headers
Add gitignore file for samples/fanotify/ subdirectory
Fix gcc 4.9 build issue in 5.10.y
PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal
netfilter: nf_tables: set element extended ACK reporting support
netfilter: nf_tables: use timestamp to check for set element timeout
netfilter: nf_tables: allow clone callbacks to sleep
netfilter: nf_tables: prefer nft_chain_validate
drm/i915/gem: Fix Virtual Memory mapping boundaries calculation
powerpc: Avoid nmi_enter/nmi_exit in real mode interrupt.
arm64: cpufeature: Fix the visibility of compat hwcaps
media: uvcvideo: Use entity get_cur in uvc_ctrl_set
exec: Fix ToCToU between perm check and set-uid/gid usage
nvme/pci: Add APST quirk for Lenovo N60z laptop
vdpa: Make use of PFN_PHYS/PFN_UP/PFN_DOWN helper macro
vhost-vdpa: switch to use vmf_insert_pfn() in the fault handler
wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values
ARM: dts: imx6qdl-kontron-samx6i: fix phy-mode
media: Revert "media: dvb-usb: Fix unexpected infinite loop in dvb_usb_read_remote_control()"
Linux 5.10.224
Change-Id: I7cd19d506c4c86df918a280598946060a494a161
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
liliangliang
|
89d09e01fa |
ANDROID: vendor_hooks: add vendor hooks for fuse request
Add hooks to fuse queue request and request end so we can do boost to those background tasks which block the UX related task. Bug: 333220630 Change-Id: I9be59ed88675c5102c57ba9cbd26cf4df3d2fd7f Signed-off-by: liliangliang <liliangliang@vivo.com> (cherry picked from commit e520c2932df0d1bbf83ae45c82ac01fd41655d77) (cherry picked from commit e9fd05e64568bfb9fe1fb4c319d7be17ab1c448a) |
||
|
Greg Kroah-Hartman
|
95fd17f446 |
Merge tag 'android12-5.10.223_r00' into android12-5.10
This merges up to the 5.10.222 LTS release into the android12-5.10 branch. Included in here are the following commits: * |
||
Kees Cook
|
15469d46ba |
exec: Fix ToCToU between perm check and set-uid/gid usage
commit f50733b45d865f91db90919f8311e2127ce5a0cb upstream. When opening a file for exec via do_filp_open(), permission checking is done against the file's metadata at that moment, and on success, a file pointer is passed back. Much later in the execve() code path, the file metadata (specifically mode, uid, and gid) is used to determine if/how to set the uid and gid. However, those values may have changed since the permissions check, meaning the execution may gain unintended privileges. For example, if a file could change permissions from executable and not set-id: ---------x 1 root root 16048 Aug 7 13:16 target to set-id and non-executable: ---S------ 1 root root 16048 Aug 7 13:16 target it is possible to gain root privileges when execution should have been disallowed. While this race condition is rare in real-world scenarios, it has been observed (and proven exploitable) when package managers are updating the setuid bits of installed programs. Such files start with being world-executable but then are adjusted to be group-exec with a set-uid bit. For example, "chmod o-x,u+s target" makes "target" executable only by uid "root" and gid "cdrom", while also becoming setuid-root: -rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target becomes: -rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target But racing the chmod means users without group "cdrom" membership can get the permission to execute "target" just before the chmod, and when the chmod finishes, the exec reaches brpm_fill_uid(), and performs the setuid to root, violating the expressed authorization of "only cdrom group members can setuid to root". Re-check that we still have execute permissions in case the metadata has changed. It would be better to keep a copy from the perm-check time, but until we can do that refactoring, the least-bad option is to do a full inode_permission() call (under inode lock). It is understood that this is safe against dead-locks, but hardly optimal. Reported-by: Marco Vanotti <mvanotti@google.com> Tested-by: Marco Vanotti <mvanotti@google.com> Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> Cc: stable@vger.kernel.org Cc: Eric Biederman <ebiederm@xmission.com> Cc: Alexander Viro <viro@zeniv.linux.org.uk> Cc: Christian Brauner <brauner@kernel.org> Signed-off-by: Kees Cook <kees@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Kemeng Shi
|
69299a4282 |
ext4: fix wrong unit use in ext4_mb_find_by_goal
[ Upstream commit 99c515e3a860576ba90c11acbc1d6488dfca6463 ] We need start in block unit while fe_start is in cluster unit. Use ext4_grp_offs_to_block helper to convert fe_start to get start in block unit. Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com> Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com> Link: https://lore.kernel.org/r/20230603150327.3596033-4-shikemeng@huaweicloud.com Signed-off-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Kemeng Shi
|
1a6b4240b0 |
jbd2: avoid memleak in jbd2_journal_write_metadata_buffer
[ Upstream commit cc102aa24638b90e04364d64e4f58a1fa91a1976 ] The new_bh is from alloc_buffer_head, we should call free_buffer_head to free it in error case. Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com> Reviewed-by: Zhang Yi <yi.zhang@huawei.com> Reviewed-by: Jan Kara <jack@suse.cz> Link: https://patch.msgid.link/20240514112438.1269037-2-shikemeng@huaweicloud.com Signed-off-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Filipe Manana
|
1d4e65fa62 |
btrfs: fix bitmap leak when loading free space cache on duplicate entry
[ Upstream commit 320d8dc612660da84c3b70a28658bb38069e5a9a ] If we failed to link a free space entry because there's already a conflicting entry for the same offset, we free the free space entry but we don't free the associated bitmap that we had just allocated before. Fix that by freeing the bitmap before freeing the entry. Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com> Signed-off-by: Filipe Manana <fdmanana@suse.com> Reviewed-by: David Sterba <dsterba@suse.com> Signed-off-by: David Sterba <dsterba@suse.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Roman Smirnov
|
934f815345 |
udf: prevent integer overflow in udf_bitmap_free_blocks()
[ Upstream commit 56e69e59751d20993f243fb7dd6991c4e522424c ] An overflow may occur if the function is called with the last block and an offset greater than zero. It is necessary to add a check to avoid this. Found by Linux Verification Center (linuxtesting.org) with Svace. [JK: Make test cover also unalloc table freeing] Link: https://patch.msgid.link/20240620072413.7448-1-r.smirnov@omp.ru Suggested-by: Jan Kara <jack@suse.com> Signed-off-by: Roman Smirnov <r.smirnov@omp.ru> Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Al Viro
|
08775b3d6e |
protect the fetch of ->fd[fd] in do_dup2() from mispredictions
commit 8aa37bde1a7b645816cda8b80df4753ecf172bf1 upstream.
both callers have verified that fd is not greater than ->max_fds;
however, misprediction might end up with
tofree = fdt->fd[fd];
being speculatively executed. That's wrong for the same reasons
why it's wrong in close_fd()/file_close_fd_locked(); the same
solution applies - array_index_nospec(fd, fdt->max_fds) could differ
from fd only in case of speculative execution on mispredicted path.
Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Zhang Yi
|
58b07286ae |
ext4: check the extent status again before inserting delalloc block
[ Upstream commit 0ea6560abb3bac1ffcfa4bf6b2c4d344fdc27b3c ]
ext4_da_map_blocks looks up for any extent entry in the extent status
tree (w/o i_data_sem) and then the looks up for any ondisk extent
mapping (with i_data_sem in read mode).
If it finds a hole in the extent status tree or if it couldn't find any
entry at all, it then takes the i_data_sem in write mode to add a da
entry into the extent status tree. This can actually race with page
mkwrite & fallocate path.
Note that this is ok between
1. ext4 buffered-write path v/s ext4_page_mkwrite(), because of the
folio lock
2. ext4 buffered write path v/s ext4 fallocate because of the inode
lock.
But this can race between ext4_page_mkwrite() & ext4 fallocate path
ext4_page_mkwrite() ext4_fallocate()
block_page_mkwrite()
ext4_da_map_blocks()
//find hole in extent status tree
ext4_alloc_file_blocks()
ext4_map_blocks()
//allocate block and unwritten extent
ext4_insert_delayed_block()
ext4_da_reserve_space()
//reserve one more block
ext4_es_insert_delayed_block()
//drop unwritten extent and add delayed extent by mistake
Then, the delalloc extent is wrong until writeback and the extra
reserved block can't be released any more and it triggers below warning:
EXT4-fs (pmem2): Inode 13 (00000000bbbd4d23): i_reserved_data_blocks(1) not cleared!
Fix the problem by looking up extent status tree again while the
i_data_sem is held in write mode. If it still can't find any entry, then
we insert a new da entry into the extent status tree.
Cc: stable@vger.kernel.org
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20240517124005.347221-3-yi.zhang@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Zhang Yi
|
4b6d9a0fe7 |
ext4: factor out a common helper to query extent map
[ Upstream commit 8e4e5cdf2fdeb99445a468b6b6436ad79b9ecb30 ] Factor out a new common helper ext4_map_query_blocks() from the ext4_da_map_blocks(), it query and return the extent map status on the inode's extent path, no logic changes. Signed-off-by: Zhang Yi <yi.zhang@huawei.com> Reviewed-by: Jan Kara <jack@suse.cz> Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com> Link: https://patch.msgid.link/20240517124005.347221-2-yi.zhang@huaweicloud.com Signed-off-by: Theodore Ts'o <tytso@mit.edu> Stable-dep-of: 0ea6560abb3b ("ext4: check the extent status again before inserting delalloc block") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Thomas Weißschuh
|
b2591c89a6 |
sysctl: always initialize i_uid/i_gid
[ Upstream commit 98ca62ba9e2be5863c7d069f84f7166b45a5b2f4 ] Always initialize i_uid/i_gid inside the sysfs core so set_ownership() can safely skip setting them. Commit |
||
Eric Sandeen
|
88f053a1dd |
fuse: verify {g,u}id mount options correctly
[ Upstream commit 525bd65aa759ec320af1dc06e114ed69733e9e23 ]
As was done in
0200679fc795 ("tmpfs: verify {g,u}id mount options correctly")
we need to validate that the requested uid and/or gid is representable in
the filesystem's idmapping.
Cribbing from the above commit log,
The contract for {g,u}id mount options and {g,u}id values in general set
from userspace has always been that they are translated according to the
caller's idmapping. In so far, fuse has been doing the correct thing.
But since fuse is mountable in unprivileged contexts it is also
necessary to verify that the resulting {k,g}uid is representable in the
namespace of the superblock.
Fixes:
|
||
|
Miklos Szeredi
|
997d3c9cbe |
fuse: name fs_context consistently
[ Upstream commit 84c215075b5723ab946708a6c74c26bd3c51114c ]
Naming convention under fs/fuse/:
struct fuse_conn *fc;
struct fs_context *fsc;
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Stable-dep-of: 525bd65aa759 ("fuse: verify {g,u}id mount options correctly")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Seth Forshee (DigitalOcean)
|
d28869a145 |
fs: don't allow non-init s_user_ns for filesystems without FS_USERNS_MOUNT
[ Upstream commit e1c5ae59c0f22f7fe5c07fb5513a29e4aad868c9 ]
Christian noticed that it is possible for a privileged user to mount
most filesystems with a non-initial user namespace in sb->s_user_ns.
When fsopen() is called in a non-init namespace the caller's namespace
is recorded in fs_context->user_ns. If the returned file descriptor is
then passed to a process priviliged in init_user_ns, that process can
call fsconfig(fd_fs, FSCONFIG_CMD_CREATE), creating a new superblock
with sb->s_user_ns set to the namespace of the process which called
fsopen().
This is problematic. We cannot assume that any filesystem which does not
set FS_USERNS_MOUNT has been written with a non-initial s_user_ns in
mind, increasing the risk for bugs and security issues.
Prevent this by returning EPERM from sget_fc() when FS_USERNS_MOUNT is
not set for the filesystem and a non-initial user namespace will be
used. sget() does not need to be updated as it always uses the user
namespace of the current context, or the initial user namespace if
SB_SUBMOUNT is set.
Fixes:
|
||
ethanwu
|
b59013d264 |
ceph: fix incorrect kmalloc size of pagevec mempool
[ Upstream commit 03230edb0bd831662a7c08b6fef66b2a9a817774 ]
The kmalloc size of pagevec mempool is incorrectly calculated.
It misses the size of page pointer and only accounts the number for the array.
Fixes:
|
||
Sheng Yong
|
ff2387553f |
f2fs: fix start segno of large section
[ Upstream commit 8c409989678e92e4a737e7cd2bb04f3efb81071a ]
get_ckpt_valid_blocks() checks valid ckpt blocks in current section.
It counts all vblocks from the first to the last segment in the
large section. However, START_SEGNO() is used to get the first segno
in an SIT block. This patch fixes that to get the correct start segno.
Fixes: 61461fc921b7 ("f2fs: fix to avoid touching checkpointed data in get_victim()")
Signed-off-by: Sheng Yong <shengyong@oppo.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Jeongjun Park
|
538a27c804 |
jfs: Fix array-index-out-of-bounds in diFree
[ Upstream commit f73f969b2eb39ad8056f6c7f3a295fa2f85e313a ]
Reported-by: syzbot+241c815bda521982cb49@syzkaller.appspotmail.com
Fixes:
|
||
|
Ryusuke Konishi
|
5f0a6800b8 |
nilfs2: handle inconsistent state in nilfs_btnode_create_block()
commit 4811f7af6090e8f5a398fbdd766f903ef6c0d787 upstream.
Syzbot reported that a buffer state inconsistency was detected in
nilfs_btnode_create_block(), triggering a kernel bug.
It is not appropriate to treat this inconsistency as a bug; it can occur
if the argument block address (the buffer index of the newly created
block) is a virtual block number and has been reallocated due to
corruption of the bitmap used to manage its allocation state.
So, modify nilfs_btnode_create_block() and its callers to treat it as a
possible filesystem error, rather than triggering a kernel bug.
Link: https://lkml.kernel.org/r/20240725052007.4562-1-konishi.ryusuke@gmail.com
Fixes:
|
||
Chao Yu
|
54bc4e8844 |
f2fs: fix to don't dirty inode for readonly filesystem
commit 192b8fb8d1c8ca3c87366ebbef599fa80bb626b8 upstream.
syzbot reports f2fs bug as below:
kernel BUG at fs/f2fs/inode.c:933!
RIP: 0010:f2fs_evict_inode+0x1576/0x1590 fs/f2fs/inode.c:933
Call Trace:
evict+0x2a4/0x620 fs/inode.c:664
dispose_list fs/inode.c:697 [inline]
evict_inodes+0x5f8/0x690 fs/inode.c:747
generic_shutdown_super+0x9d/0x2c0 fs/super.c:675
kill_block_super+0x44/0x90 fs/super.c:1667
kill_f2fs_super+0x303/0x3b0 fs/f2fs/super.c:4894
deactivate_locked_super+0xc1/0x130 fs/super.c:484
cleanup_mnt+0x426/0x4c0 fs/namespace.c:1256
task_work_run+0x24a/0x300 kernel/task_work.c:180
ptrace_notify+0x2cd/0x380 kernel/signal.c:2399
ptrace_report_syscall include/linux/ptrace.h:411 [inline]
ptrace_report_syscall_exit include/linux/ptrace.h:473 [inline]
syscall_exit_work kernel/entry/common.c:251 [inline]
syscall_exit_to_user_mode_prepare kernel/entry/common.c:278 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x15c/0x280 kernel/entry/common.c:296
do_syscall_64+0x50/0x110 arch/x86/entry/common.c:88
entry_SYSCALL_64_after_hwframe+0x63/0x6b
The root cause is:
- do_sys_open
- f2fs_lookup
- __f2fs_find_entry
- f2fs_i_depth_write
- f2fs_mark_inode_dirty_sync
- f2fs_dirty_inode
- set_inode_flag(inode, FI_DIRTY_INODE)
- umount
- kill_f2fs_super
- kill_block_super
- generic_shutdown_super
- sync_filesystem
: sb is readonly, skip sync_filesystem()
- evict_inodes
- iput
- f2fs_evict_inode
- f2fs_bug_on(sbi, is_inode_flag_set(inode, FI_DIRTY_INODE))
: trigger kernel panic
When we try to repair i_current_depth in readonly filesystem, let's
skip dirty inode to avoid panic in later f2fs_evict_inode().
Cc: stable@vger.kernel.org
Reported-by: syzbot+31e4659a3fe953aec2f4@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-f2fs-devel/000000000000e890bc0609a55cff@google.com
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Jan Kara
|
cdbcb4e9f6 |
jbd2: make jbd2_journal_get_max_txn_bufs() internal
commit 4aa99c71e42ad60178c1154ec24e3df9c684fb67 upstream. There's no reason to have jbd2_journal_get_max_txn_bufs() public function. Currently all users are internal and can use journal->j_max_transaction_buffers instead. This saves some unnecessary recomputations of the limit as a bonus which becomes important as this function gets more complex in the following patch. CC: stable@vger.kernel.org Signed-off-by: Jan Kara <jack@suse.cz> Reviewed-by: Zhang Yi <yi.zhang@huawei.com> Link: https://patch.msgid.link/20240624170127.3253-1-jack@suse.cz Signed-off-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Baokun Li
|
de2a011a13 |
ext4: make sure the first directory block is not a hole
commit f9ca51596bbfd0f9c386dd1c613c394c78d9e5e6 upstream.
The syzbot constructs a directory that has no dirblock but is non-inline,
i.e. the first directory block is a hole. And no errors are reported when
creating files in this directory in the following flow.
ext4_mknod
...
ext4_add_entry
// Read block 0
ext4_read_dirblock(dir, block, DIRENT)
bh = ext4_bread(NULL, inode, block, 0)
if (!bh && (type == INDEX || type == DIRENT_HTREE))
// The first directory block is a hole
// But type == DIRENT, so no error is reported.
After that, we get a directory block without '.' and '..' but with a valid
dentry. This may cause some code that relies on dot or dotdot (such as
make_indexed_dir()) to crash.
Therefore when ext4_read_dirblock() finds that the first directory block
is a hole report that the filesystem is corrupted and return an error to
avoid loading corrupted data from disk causing something bad.
Reported-by: syzbot+ae688d469e36fb5138d0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ae688d469e36fb5138d0
Fixes:
|
||
|
Baokun Li
|
42d4205170 |
ext4: check dot and dotdot of dx_root before making dir indexed
commit 50ea741def587a64e08879ce6c6a30131f7111e7 upstream.
Syzbot reports a issue as follows:
============================================
BUG: unable to handle page fault for address: ffffed11022e24fe
PGD 23ffee067 P4D 23ffee067 PUD 0
Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 PID: 5079 Comm: syz-executor306 Not tainted 6.10.0-rc5-g55027e689933 #0
Call Trace:
<TASK>
make_indexed_dir+0xdaf/0x13c0 fs/ext4/namei.c:2341
ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2451
ext4_rename fs/ext4/namei.c:3936 [inline]
ext4_rename2+0x26e5/0x4370 fs/ext4/namei.c:4214
[...]
============================================
The immediate cause of this problem is that there is only one valid dentry
for the block to be split during do_split, so split==0 results in out of
bounds accesses to the map triggering the issue.
do_split
unsigned split
dx_make_map
count = 1
split = count/2 = 0;
continued = hash2 == map[split - 1].hash;
---> map[4294967295]
The maximum length of a filename is 255 and the minimum block size is 1024,
so it is always guaranteed that the number of entries is greater than or
equal to 2 when do_split() is called.
But syzbot's crafted image has no dot and dotdot in dir, and the dentry
distribution in dirblock is as follows:
bus dentry1 hole dentry2 free
|xx--|xx-------------|...............|xx-------------|...............|
0 12 (8+248)=256 268 256 524 (8+256)=264 788 236 1024
So when renaming dentry1 increases its name_len length by 1, neither hole
nor free is sufficient to hold the new dentry, and make_indexed_dir() is
called.
In make_indexed_dir() it is assumed that the first two entries of the
dirblock must be dot and dotdot, so bus and dentry1 are left in dx_root
because they are treated as dot and dotdot, and only dentry2 is moved
to the new leaf block. That's why count is equal to 1.
Therefore add the ext4_check_dx_root() helper function to add more sanity
checks to dot and dotdot before starting the conversion to avoid the above
issue.
Reported-by: syzbot+ae688d469e36fb5138d0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ae688d469e36fb5138d0
Fixes:
|
||
|
Jan Kara
|
2199e157a4 |
udf: Avoid using corrupted block bitmap buffer
commit a90d4471146de21745980cba51ce88e7926bcc4f upstream. When the filesystem block bitmap is corrupted, we detect the corruption while loading the bitmap and fail the allocation with error. However the next allocation from the same bitmap will notice the bitmap buffer is already loaded and tries to allocate from the bitmap with mixed results (depending on the exact nature of the bitmap corruption). Fix the problem by using BH_verified bit to indicate whether the bitmap is valid or not. Reported-by: syzbot+5f682cd029581f9edfd1@syzkaller.appspotmail.com CC: stable@vger.kernel.org Link: https://patch.msgid.link/20240617154201.29512-2-jack@suse.cz Fixes: 1e0d4adf17e7 ("udf: Check consistency of Space Bitmap Descriptor") Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Jan Kara
|
86f4ca8b3b |
ext2: Verify bitmap and itable block numbers before using them
commit 322a6aff03937aa1ece33b4e46c298eafaf9ac41 upstream. Verify bitmap block numbers and inode table blocks are sane before using them for checking bits in the block bitmap. CC: stable@vger.kernel.org Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Chao Yu
|
10f7163bfb |
hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()
commit 26a2ed107929a855155429b11e1293b83e6b2a8b upstream. Syzbot reports uninitialized value access issue as below: loop0: detected capacity change from 0 to 64 ===================================================== BUG: KMSAN: uninit-value in hfs_revalidate_dentry+0x307/0x3f0 fs/hfs/sysdep.c:30 hfs_revalidate_dentry+0x307/0x3f0 fs/hfs/sysdep.c:30 d_revalidate fs/namei.c:862 [inline] lookup_fast+0x89e/0x8e0 fs/namei.c:1649 walk_component fs/namei.c:2001 [inline] link_path_walk+0x817/0x1480 fs/namei.c:2332 path_lookupat+0xd9/0x6f0 fs/namei.c:2485 filename_lookup+0x22e/0x740 fs/namei.c:2515 user_path_at_empty+0x8b/0x390 fs/namei.c:2924 user_path_at include/linux/namei.h:57 [inline] do_mount fs/namespace.c:3689 [inline] __do_sys_mount fs/namespace.c:3898 [inline] __se_sys_mount+0x66b/0x810 fs/namespace.c:3875 __x64_sys_mount+0xe4/0x140 fs/namespace.c:3875 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b BUG: KMSAN: uninit-value in hfs_ext_read_extent fs/hfs/extent.c:196 [inline] BUG: KMSAN: uninit-value in hfs_get_block+0x92d/0x1620 fs/hfs/extent.c:366 hfs_ext_read_extent fs/hfs/extent.c:196 [inline] hfs_get_block+0x92d/0x1620 fs/hfs/extent.c:366 block_read_full_folio+0x4ff/0x11b0 fs/buffer.c:2271 hfs_read_folio+0x55/0x60 fs/hfs/inode.c:39 filemap_read_folio+0x148/0x4f0 mm/filemap.c:2426 do_read_cache_folio+0x7c8/0xd90 mm/filemap.c:3553 do_read_cache_page mm/filemap.c:3595 [inline] read_cache_page+0xfb/0x2f0 mm/filemap.c:3604 read_mapping_page include/linux/pagemap.h:755 [inline] hfs_btree_open+0x928/0x1ae0 fs/hfs/btree.c:78 hfs_mdb_get+0x260c/0x3000 fs/hfs/mdb.c:204 hfs_fill_super+0x1fb1/0x2790 fs/hfs/super.c:406 mount_bdev+0x628/0x920 fs/super.c:1359 hfs_mount+0xcd/0xe0 fs/hfs/super.c:456 legacy_get_tree+0x167/0x2e0 fs/fs_context.c:610 vfs_get_tree+0xdc/0x5d0 fs/super.c:1489 do_new_mount+0x7a9/0x16f0 fs/namespace.c:3145 path_mount+0xf98/0x26a0 fs/namespace.c:3475 do_mount fs/namespace.c:3488 [inline] __do_sys_mount fs/namespace.c:3697 [inline] __se_sys_mount+0x919/0x9e0 fs/namespace.c:3674 __ia32_sys_mount+0x15b/0x1b0 fs/namespace.c:3674 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline] __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178 do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246 entry_SYSENTER_compat_after_hwframe+0x70/0x82 Uninit was created at: __alloc_pages+0x9a6/0xe00 mm/page_alloc.c:4590 __alloc_pages_node include/linux/gfp.h:238 [inline] alloc_pages_node include/linux/gfp.h:261 [inline] alloc_slab_page mm/slub.c:2190 [inline] allocate_slab mm/slub.c:2354 [inline] new_slab+0x2d7/0x1400 mm/slub.c:2407 ___slab_alloc+0x16b5/0x3970 mm/slub.c:3540 __slab_alloc mm/slub.c:3625 [inline] __slab_alloc_node mm/slub.c:3678 [inline] slab_alloc_node mm/slub.c:3850 [inline] kmem_cache_alloc_lru+0x64d/0xb30 mm/slub.c:3879 alloc_inode_sb include/linux/fs.h:3018 [inline] hfs_alloc_inode+0x5a/0xc0 fs/hfs/super.c:165 alloc_inode+0x83/0x440 fs/inode.c:260 new_inode_pseudo fs/inode.c:1005 [inline] new_inode+0x38/0x4f0 fs/inode.c:1031 hfs_new_inode+0x61/0x1010 fs/hfs/inode.c:186 hfs_mkdir+0x54/0x250 fs/hfs/dir.c:228 vfs_mkdir+0x49a/0x700 fs/namei.c:4126 do_mkdirat+0x529/0x810 fs/namei.c:4149 __do_sys_mkdirat fs/namei.c:4164 [inline] __se_sys_mkdirat fs/namei.c:4162 [inline] __x64_sys_mkdirat+0xc8/0x120 fs/namei.c:4162 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b It missed to initialize .tz_secondswest, .cached_start and .cached_blocks fields in struct hfs_inode_info after hfs_alloc_inode(), fix it. Cc: stable@vger.kernel.org Reported-by: syzbot+3ae6be33a50b5aae4dab@syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-fsdevel/0000000000005ad04005ee48897f@google.com Signed-off-by: Chao Yu <chao@kernel.org> Link: https://lore.kernel.org/r/20240616013841.2217-1-chao@kernel.org Signed-off-by: Christian Brauner <brauner@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Ryusuke Konishi
|
84ffa27eb0 |
nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro
[ Upstream commit 0f3819e8c483771a59cf9d3190cd68a7a990083c ] According to the C standard 3.4.3p3, the result of signed integer overflow is undefined. The macro nilfs_cnt32_ge(), which compares two sequence numbers, uses signed integer subtraction that can overflow, and therefore the result of the calculation may differ from what is expected due to undefined behavior in different environments. Similar to an earlier change to the jiffies-related comparison macros in commit |
||
Alex Shi
|
9d6571b1c4 |
fs/nilfs2: remove some unused macros to tame gcc
[ Upstream commit e7920b3e9d9f5470d5ff7d883e72a47addc0a137 ] There some macros are unused and cause gcc warning. Remove them. fs/nilfs2/segment.c:137:0: warning: macro "nilfs_cnt32_gt" is not used [-Wunused-macros] fs/nilfs2/segment.c:144:0: warning: macro "nilfs_cnt32_le" is not used [-Wunused-macros] fs/nilfs2/segment.c:143:0: warning: macro "nilfs_cnt32_lt" is not used [-Wunused-macros] Link: https://lkml.kernel.org/r/1607552733-24292-1-git-send-email-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Signed-off-by: Alex Shi <alex.shi@linux.alibaba.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Stable-dep-of: 0f3819e8c483 ("nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
David Hildenbrand
|
3c6fa67023 |
fs/proc/task_mmu: indicate PM_FILE for PMD-mapped file THP
[ Upstream commit 3f9f022e975d930709848a86a1c79775b0585202 ]
Patch series "fs/proc: move page_mapcount() to fs/proc/internal.h".
With all other page_mapcount() users in the tree gone, move
page_mapcount() to fs/proc/internal.h, rename it and extend the
documentation to prevent future (ab)use.
... of course, I find some issues while working on that code that I sort
first ;)
We'll now only end up calling page_mapcount() [now
folio_precise_page_mapcount()] on pages mapped via present page table
entries. Except for /proc/kpagecount, that still does questionable
things, but we'll leave that legacy interface as is for now.
Did a quick sanity check. Likely we would want some better selfestest for
/proc/$/pagemap + smaps. I'll see if I can find some time to write some
more.
This patch (of 6):
Looks like we never taught pagemap_pmd_range() about the existence of
PMD-mapped file THPs. Seems to date back to the times when we first added
support for non-anon THPs in the form of shmem THP.
Link: https://lkml.kernel.org/r/20240607122357.115423-1-david@redhat.com
Link: https://lkml.kernel.org/r/20240607122357.115423-2-david@redhat.com
Signed-off-by: David Hildenbrand <david@redhat.com>
Fixes:
|
||
|
Jan Kara
|
3d096f2a99 |
ext4: avoid writing unitialized memory to disk in EA inodes
[ Upstream commit 65121eff3e4c8c90f8126debf3c369228691c591 ]
If the extended attribute size is not a multiple of block size, the last
block in the EA inode will have uninitialized tail which will get
written to disk. We will never expose the data to userspace but still
this is not a good practice so just zero out the tail of the block as it
isn't going to cause a noticeable performance overhead.
Fixes:
|
||
Luis Henriques (SUSE)
|
5ed0496e38 |
ext4: fix infinite loop when replaying fast_commit
[ Upstream commit 907c3fe532253a6ef4eb9c4d67efb71fab58c706 ]
When doing fast_commit replay an infinite loop may occur due to an
uninitialized extent_status struct. ext4_ext_determine_insert_hole() does
not detect the replay and calls ext4_es_find_extent_range(), which will
return immediately without initializing the 'es' variable.
Because 'es' contains garbage, an integer overflow may happen causing an
infinite loop in this function, easily reproducible using fstest generic/039.
This commit fixes this issue by unconditionally initializing the structure
in function ext4_es_find_extent_range().
Thanks to Zhang Yi, for figuring out the real problem!
Fixes:
|
||
|
Chao Yu
|
97795f23a8 |
hfsplus: fix to avoid false alarm of circular locking
[ Upstream commit be4edd1642ee205ed7bbf66edc0453b1be1fb8d7 ]
Syzbot report potential ABBA deadlock as below:
loop0: detected capacity change from 0 to 1024
======================================================
WARNING: possible circular locking dependency detected
6.9.0-syzkaller-10323-g8f6a15f095a6 #0 Not tainted
------------------------------------------------------
syz-executor171/5344 is trying to acquire lock:
ffff88807cb980b0 (&tree->tree_lock){+.+.}-{3:3}, at: hfsplus_file_truncate+0x811/0xb50 fs/hfsplus/extents.c:595
but task is already holding lock:
ffff88807a930108 (&HFSPLUS_I(inode)->extents_lock){+.+.}-{3:3}, at: hfsplus_file_truncate+0x2da/0xb50 fs/hfsplus/extents.c:576
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&HFSPLUS_I(inode)->extents_lock){+.+.}-{3:3}:
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
__mutex_lock_common kernel/locking/mutex.c:608 [inline]
__mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
hfsplus_file_extend+0x21b/0x1b70 fs/hfsplus/extents.c:457
hfsplus_bmap_reserve+0x105/0x4e0 fs/hfsplus/btree.c:358
hfsplus_rename_cat+0x1d0/0x1050 fs/hfsplus/catalog.c:456
hfsplus_rename+0x12e/0x1c0 fs/hfsplus/dir.c:552
vfs_rename+0xbdb/0xf00 fs/namei.c:4887
do_renameat2+0xd94/0x13f0 fs/namei.c:5044
__do_sys_rename fs/namei.c:5091 [inline]
__se_sys_rename fs/namei.c:5089 [inline]
__x64_sys_rename+0x86/0xa0 fs/namei.c:5089
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #0 (&tree->tree_lock){+.+.}-{3:3}:
check_prev_add kernel/locking/lockdep.c:3134 [inline]
check_prevs_add kernel/locking/lockdep.c:3253 [inline]
validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869
__lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
__mutex_lock_common kernel/locking/mutex.c:608 [inline]
__mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
hfsplus_file_truncate+0x811/0xb50 fs/hfsplus/extents.c:595
hfsplus_setattr+0x1ce/0x280 fs/hfsplus/inode.c:265
notify_change+0xb9d/0xe70 fs/attr.c:497
do_truncate+0x220/0x310 fs/open.c:65
handle_truncate fs/namei.c:3308 [inline]
do_open fs/namei.c:3654 [inline]
path_openat+0x2a3d/0x3280 fs/namei.c:3807
do_filp_open+0x235/0x490 fs/namei.c:3834
do_sys_openat2+0x13e/0x1d0 fs/open.c:1406
do_sys_open fs/open.c:1421 [inline]
__do_sys_creat fs/open.c:1497 [inline]
__se_sys_creat fs/open.c:1491 [inline]
__x64_sys_creat+0x123/0x170 fs/open.c:1491
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&HFSPLUS_I(inode)->extents_lock);
lock(&tree->tree_lock);
lock(&HFSPLUS_I(inode)->extents_lock);
lock(&tree->tree_lock);
This is a false alarm as tree_lock mutex are different, one is
from sbi->cat_tree, and another is from sbi->ext_tree:
Thread A Thread B
- hfsplus_rename
- hfsplus_rename_cat
- hfs_find_init
- mutext_lock(cat_tree->tree_lock)
- hfsplus_setattr
- hfsplus_file_truncate
- mutex_lock(hip->extents_lock)
- hfs_find_init
- mutext_lock(ext_tree->tree_lock)
- hfs_bmap_reserve
- hfsplus_file_extend
- mutex_lock(hip->extents_lock)
So, let's call mutex_lock_nested for tree_lock mutex lock, and pass
correct lock class for it.
Fixes:
|
||
|
Michael Bestas
|
d613c46b79
|
Merge tag 'ASB-2024-08-05_12-5.10' of https://android.googlesource.com/kernel/common into android13-5.10-waipio
https://source.android.com/docs/security/bulletin/2024-08-01 CVE-2024-36971 * tag 'ASB-2024-08-05_12-5.10' of https://android.googlesource.com/kernel/common: ANDROID: GKI: remove export of tracing control functions ANDROID: Incremental fs: Retry page faults on non-fatal errors ANDROID: update ABI XML due to struct clk_core change UPSTREAM: usb: gadget: configfs: Prevent OOB read/write in usb_string_copy() UPSTREAM: f2fs: avoid false alarm of circular locking UPSTREAM: f2fs: fix deadlock in i_xattr_sem and inode page lock ANDROID: userfaultfd: Fix use-after-free in userfaultfd_using_sigbus() ANDROID: 16K: Don't set padding vm_flags on 32-bit archs ANDROID: update .xml file due to struct clk_core abi change ANDROID: mark DRM_VMWGFX as BROKEN Revert "ANDROID: Setting up GS before calling __restore_processor_state." Revert "block: introduce zone_write_granularity limit" Revert "block: Clear zone limits for a non-zoned stacked queue" Revert "scsi: sd: Fix wrong zone_write_granularity value during revalidate" Revert "PCI/ERR: Cache RCEC EA Capability offset in pci_init_capabilities()" Revert "PCI: Cache PCIe Device Capabilities register" Revert "PCI: Work around Intel I210 ROM BAR overlap defect" Revert "PCI/ASPM: Make Intel DG2 L1 acceptable latency unlimited" Revert "PCI/DPC: Quirk PIO log size for certain Intel Root Ports" Revert "PCI/DPC: Quirk PIO log size for Intel Ice Lake Root Ports" Revert "PCI/DPC: Quirk PIO log size for Intel Raptor Lake Root Ports" Revert "timers: Rename del_timer_sync() to timer_delete_sync()" Linux 5.10.218 docs: kernel_include.py: Cope with docutils 0.21 serial: kgdboc: Fix NMI-safety problems from keyboard reset code usb: typec: ucsi: displayport: Fix potential deadlock drm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper() btrfs: add missing mutex_unlock in btrfs_relocate_sys_chunks() mptcp: ensure snd_nxt is properly initialized on connect firmware: arm_scmi: Harden accesses to the reset domains KVM: x86: Clear "has_error_code", not "error_code", for RM exception injection netlink: annotate lockless accesses to nlk->max_recvmsg_len ima: fix deadlock when traversing "ima_default_rules". net: bcmgenet: synchronize UMAC_CMD access net: bcmgenet: synchronize EXT_RGMII_OOB_CTRL access Revert "selftests: mm: fix map_hugetlb failure on 64K page size systems" x86/xen: Drop USERGS_SYSRET64 paravirt call pinctrl: core: handle radix_tree_insert() errors in pinctrl_register_one_pin() Linux 5.10.217 md: fix kmemleak of rdev->serial keys: Fix overwrite of key expiration on instantiation regulator: core: fix debugfs creation regression hwmon: (pmbus/ucd9000) Increase delay from 250 to 500us net: fix out-of-bounds access in ops_init drm/vmwgfx: Fix invalid reads in fence signaled events mei: me: add lunar lake point M DID dyndbg: fix old BUG_ON in >control parser ASoC: tegra: Fix DSPK 16-bit playback net: bcmgenet: synchronize use of bcmgenet_set_rx_mode() tipc: fix UAF in error path iio: accel: mxc4005: Interrupt handling fixes iio:imu: adis16475: Fix sync mode setting ALSA: hda/realtek: Fix mute led of HP Laptop 15-da3001TU usb: dwc3: core: Prevent phy suspend during init usb: xhci-plat: Don't include xhci.h usb: gadget: f_fs: Fix a race condition when processing setup packets. usb: gadget: composite: fix OS descriptors w_value logic usb: ohci: Prevent missed ohci interrupts usb: Fix regression caused by invalid ep0 maxpacket in virtual SuperSpeed device usb: typec: ucsi: Fix connector check on init usb: typec: ucsi: Check for notifications after init arm64: dts: qcom: Fix 'interrupt-map' parent address cells firewire: nosy: ensure user_length is taken into account when fetching packet contents btrfs: fix kvcalloc() arguments order in btrfs_ioctl_send() net: hns3: use appropriate barrier function after setting a bit value ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action() net: bridge: fix corrupted ethernet header on multicast-to-unicast kcov: Remove kcov include from sched.h and move it to its users. phonet: fix rtm_phonet_notify() skb allocation hwmon: (corsair-cpro) Protect ccp->wait_input_report with a spinlock hwmon: (corsair-cpro) Use complete_all() instead of complete() in ccp_raw_event() hwmon: (corsair-cpro) Use a separate buffer for sending commands rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout tcp: Use refcount_inc_not_zero() in tcp_twsk_unique(). tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets xfrm: Preserve vlan tags for transport mode software GRO net:usb:qmi_wwan: support Rolling modules drm/nouveau/dp: Don't probe eDP ports twice harder fs/9p: drop inodes immediately on non-.L too clk: Don't hold prepare_lock when calling kref_put() gpio: crystalcove: Use -ENOTSUPP consistently gpio: wcove: Use -ENOTSUPP consistently 9p: explicitly deny setlease attempts fs/9p: translate O_TRUNC into OTRUNC fs/9p: only translate RWX permissions for plain 9P2000 selftests: timers: Fix valid-adjtimex signed left-shift undefined behavior MIPS: scall: Save thread_info.syscall unconditionally on entry gpu: host1x: Do not setup DMA for virtual devices blk-iocost: avoid out of bounds shift scsi: target: Fix SELinux error when systemd-modules loads the target module btrfs: always clear PERTRANS metadata during commit btrfs: make btrfs_clear_delalloc_extent() free delalloc reserve tools/power turbostat: Fix Bzy_MHz documentation typo tools/power turbostat: Fix added raw MSR output firewire: ohci: mask bus reset interrupts between ISR and bottom half ata: sata_gemini: Check clk_enable() result net: bcmgenet: Reset RBUF on first open ALSA: line6: Zero-initialize message buffers btrfs: return accurate error code on open failure in open_fs_devices() scsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload net: mark racy access on sk->sk_rcvbuf wifi: cfg80211: fix rdev_dump_mpp() arguments order wifi: mac80211: fix ieee80211_bss_*_flags kernel-doc gfs2: Fix invalid metadata access in punch_hole scsi: lpfc: Update lpfc_ramp_down_queue_handler() logic KVM: arm64: vgic-v2: Check for non-NULL vCPU in vgic_v2_parse_attr() KVM: arm64: vgic-v2: Use cpuid from userspace as vcpu_id clk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change net: gro: add flush check in udp_gro_receive_segment tipc: fix a possible memleak in tipc_buf_append net: core: reject skb_copy(_expand) for fraglist GSO skbs net: bridge: fix multicast-to-unicast with fraglist GSO net: dsa: mv88e6xxx: Fix number of databases for 88E6141 / 88E6341 cxgb4: Properly lock TX queue for the selftest. ASoC: meson: cards: select SND_DYNAMIC_MINORS ASoC: Fix 7/8 spaces indentation in Kconfig net: qede: use return from qede_parse_actions() net: qede: use return from qede_parse_flow_attr() for flow_spec net: qede: use return from qede_parse_flow_attr() for flower net: qede: sanitize 'rc' in qede_add_tc_flower_fltr() s390/vdso: Add CFI for RA register to asm macro vdso_func net l2tp: drop flow hash on forward nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment(). octeontx2-af: avoid off-by-one read from userspace bna: ensure the copied buf is NUL terminated s390/mm: Fix clearing storage keys for huge pages s390/mm: Fix storage key clearing for guest huge pages regulator: mt6360: De-capitalize devicetree regulator subnodes pinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map() power: rt9455: hide unused rt9455_boost_voltage_values nfs: Handle error of rpc_proc_register() in nfs_net_init(). nfs: make the rpc_stat per net namespace nfs: expose /proc/net/sunrpc/nfs in net namespaces sunrpc: add a struct rpc_stats arg to rpc_create_args pinctrl: mediatek: paris: Rework support for PIN_CONFIG_{INPUT,OUTPUT}_ENABLE pinctrl: mediatek: paris: Fix PIN_CONFIG_INPUT_SCHMITT_ENABLE readback pinctrl: mediatek: paris: Rework mtk_pinconf_{get,set} switch/case logic pinctrl: core: delete incorrect free in pinctrl_enable() pinctrl/meson: fix typo in PDM's pin name pinctrl: pinctrl-aspeed-g6: Fix register offset for pinconf of GPIOR-T eeprom: at24: fix memory corruption race condition eeprom: at24: Probe for DDR3 thermal sensor in the SPD case eeprom: at24: Use dev_err_probe for nvmem register failure wifi: nl80211: don't free NULL coalescing rule dmaengine: Revert "dmaengine: pl330: issue_pending waits until WFP state" dmaengine: pl330: issue_pending waits until WFP state Linux 5.10.216 riscv: Disable STACKPROTECTOR_PER_TASK if GCC_PLUGIN_RANDSTRUCT is enabled serial: core: fix kernel-doc for uart_port_unlock_irqrestore() udp: preserve the connected status if only UDP cmsg bounds: Use the right number of bits for power-of-two CONFIG_NR_CPUS HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up i2c: smbus: fix NULL function pointer dereference riscv: Fix TASK_SIZE on 64-bit NOMMU riscv: fix VMALLOC_START definition dma: xilinx_dpdma: Fix locking idma64: Don't try to serve interrupts when device is powered off dmaengine: owl: fix register access functions tcp: Fix NEW_SYN_RECV handling in inet_twsk_purge() tcp: Clean up kernel listener's reqsk in inet_twsk_purge() mtd: diskonchip: work around ubsan link failure stackdepot: respect __GFP_NOLOCKDEP allocation flag net: b44: set pause params only when interface is up ethernet: Add helper for assigning packet type when dest address does not match device address irqchip/gic-v3-its: Prevent double free on error drm/amdgpu: Fix leak when GPU memory allocation fails drm/amdgpu/sdma5.2: use legacy HDP flush for SDMA2/3 arm64: dts: rockchip: enable internal pull-up for Q7_THRM# on RK3399 Puma cpu: Re-enable CPU mitigations by default for !X86 architectures btrfs: fix information leak in btrfs_ioctl_logical_to_ino() Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0bda:0x4853 Bluetooth: Fix type of len in {l2cap,sco}_sock_getsockopt_old() PM / devfreq: Fix buffer overflow in trans_stat_show tracing: Increase PERF_MAX_TRACE_SIZE to handle Sentinel1 and docker together tracing: Show size of requested perf buffer net/mlx5e: Fix a race in command alloc flow Revert "crypto: api - Disallow identical driver names" serial: mxs-auart: add spinlock around changing cts state serial: core: Provide port lock wrappers af_unix: Suppress false-positive lockdep splat for spin_lock() in __unix_gc(). net: ethernet: ti: am65-cpts: Fix PTPv1 message type on TX packets iavf: Fix TC config comparison with existing adapter TC config i40e: Report MFS in decimal base instead of hex i40e: Do not use WQ_MEM_RECLAIM flag for workqueue netfilter: nf_tables: honor table dormant flag from netdev release event path mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work mlxsw: spectrum_acl_tcam: Fix incorrect list API usage mlxsw: spectrum_acl_tcam: Fix warning during rehash mlxsw: spectrum_acl_tcam: Fix memory leak during rehash mlxsw: spectrum_acl_tcam: Rate limit error message mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash mlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update mlxsw: spectrum_acl_tcam: Fix race during rehash delayed work net: openvswitch: Fix Use-After-Free in ovs_ct_exit ipvs: Fix checksumming on GSO of SCTP packets net: gtp: Fix Use-After-Free in gtp_dellink net: usb: ax88179_178a: stop lying about skb->truesize ipv4: check for NULL idev in ip_route_use_hint() NFC: trf7970a: disable all regulators on removal mlxsw: core: Unregister EMAD trap using FORWARD action vxlan: drop packets from invalid src-address wifi: iwlwifi: mvm: remove old PASN station when adding a new one ARC: [plat-hsdk]: Remove misplaced interrupt-cells property arm64: dts: mediatek: mt2712: fix validation errors arm64: dts: mediatek: mt7622: drop "reset-names" from thermal block arm64: dts: mediatek: mt7622: fix ethernet controller "compatible" arm64: dts: mediatek: mt7622: fix IR nodename arm64: dts: mediatek: mt7622: fix clock controllers arm64: dts: mediatek: mt7622: introduce nodes for Wireless Ethernet Dispatch arm64: dts: mediatek: mt7622: add support for coherent DMA arm64: dts: rockchip: Remove unsupported node from the Pinebook Pro dts arm64: dts: rockchip: enable internal pull-up on PCIE_WAKE# for RK3399 Puma arm64: dts: rockchip: fix alphabetical ordering RK3399 puma nilfs2: fix OOB in nilfs_set_de_type nouveau: fix instmem race condition around ptr stores drm/amdgpu: validate the parameters of bo mapping operations more clearly init/main.c: Fix potential static_command_line memory overflow fs: sysfs: Fix reference leak in sysfs_break_active_protection() speakup: Avoid crash on very long word mei: me: disable RPL-S on SPS and IGN firmwares usb: Disable USB3 LPM at shutdown usb: dwc2: host: Fix dereference issue in DDMA completion flow. Revert "usb: cdc-wdm: close race between read and workqueue" USB: serial: option: add Telit FN920C04 rmnet compositions USB: serial: option: add Rolling RW101-GL and RW135-GL support USB: serial: option: support Quectel EM060K sub-models USB: serial: option: add Lonsung U8300/U9300 product USB: serial: option: add support for Fibocom FM650/FG650 USB: serial: option: add Fibocom FM135-GL variants serial/pmac_zilog: Remove flawed mitigation for rx irq flood comedi: vmk80xx: fix incomplete endpoint checking thunderbolt: Fix wake configurations after device unplug thunderbolt: Avoid notify PM core about runtime PM resume binder: check offset alignment in binder_get_object() x86/cpufeatures: Fix dependencies for GFNI, VAES, and VPCLMULQDQ clk: Get runtime PM before walking tree during disable_unused clk: Initialize struct clk_core kref earlier clk: Print an info line before disabling unused clocks clk: remove extra empty line clk: Mark 'all_lists' as const clk: Remove prepare_lock hold assertion in __clk_release() drm/panel: visionox-rm69299: don't unregister DSI device drm: nv04: Fix out of bounds access RDMA/mlx5: Fix port number for counter query in multi-port configuration RDMA/cm: Print the old state when cm_destroy_id gets timeout RDMA/rxe: Fix the problem "mutex_destroy missing" tun: limit printing rate when illegal packet received by tun dev netfilter: nft_set_pipapo: do not free live element netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get() Revert "tracing/trigger: Fix to return error if failed to alloc snapshot" kprobes: Fix possible use-after-free issue on kprobe registration selftests/ftrace: Limit length in subsystem-enable tests riscv: process: Fix kernel gp leakage riscv: Enable per-task stack canaries btrfs: record delayed inode root in transaction irqflags: Explicitly ignore lockdep_hrtimer_exit() argument x86/apic: Force native_apic_mem_read() to use the MOV instruction selftests: timers: Fix abs() warning in posix_timers test x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n vhost: Add smp_rmb() in vhost_vq_avail_empty() drm/client: Fully protect modes[] with dev->mode_config.mutex btrfs: qgroup: correctly model root qgroup rsv in convert mailbox: imx: fix suspend failue iommu/vt-d: Allocate local memory for page request queue net: ena: Fix incorrect descriptor free behavior net: ena: Wrong missing IO completions check order net: ena: Fix potential sign extension issue af_unix: Fix garbage collector racing against connect() af_unix: Do not use atomic ops for unix_sk(sk)->inflight. net/mlx5: Properly link new fs rules into the tree netfilter: complete validation of user input Bluetooth: SCO: Fix not validating setsockopt user input ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr ipv4/route: avoid unused-but-set-variable warning ipv6: fib: hide unused 'pn' variable octeontx2-af: Fix NIX SQ mode and BP config geneve: fix header validation in geneve[6]_xmit_skb xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING u64_stats: fix u64_stats_init() for lockdep when used repeatedly in one file net: openvswitch: fix unwanted error log on timeout policy probing nouveau: fix function cast warning media: cec: core: remove length check of Timer Status Bluetooth: Fix memory leak in hci_req_sync_complete() batman-adv: Avoid infinite loop trying to resize local TT Linux 5.10.215 x86/head/64: Re-enable stack protection x86/retpoline: Add NOENDBR annotation to the SRSO dummy return thunk scsi: sd: Fix wrong zone_write_granularity value during revalidate kbuild: dummy-tools: adjust to stricter stackprotector check VMCI: Fix possible memcpy() run-time warning in vmci_datagram_invoke_guest_handler() Bluetooth: btintel: Fixe build regression drm/i915/gt: Reset queue_priority_hint on parking x86/mm/pat: fix VM_PAT handling in COW mappings virtio: reenable config if freezing device failed tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc netfilter: nf_tables: discard table flag update with pending basechain deletion netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path netfilter: nf_tables: release batch on table validation from abort path fbmon: prevent division by zero in fb_videomode_from_videomode() drivers/nvme: Add quirks for device 126f:2262 fbdev: viafb: fix typo in hw_bitblt_1 and hw_bitblt_2 usb: sl811-hcd: only defined function checkdone if QUIRK2 is defined usb: typec: tcpci: add generic tcpci fallback compatible tools: iio: replace seekdir() in iio_generic_buffer ring-buffer: use READ_ONCE() to read cpu_buffer->commit_page in concurrent environment ktest: force $buildonly = 1 for 'make_warnings_file' test type platform/x86: touchscreen_dmi: Add an extra entry for a variant of the Chuwi Vi8 tablet Input: allocate keycode for Display refresh rate toggle RDMA/cm: add timeout to cm_destroy_id wait block: prevent division by zero in blk_rq_stat_sum() libperf evlist: Avoid out-of-bounds access Revert "ACPI: PM: Block ASUS B1400CEAE from suspend to idle by default" SUNRPC: increase size of rpc_wait_queue.qlen from unsigned short to unsigned int drm/amd/display: Fix nanosec stat overflow ext4: forbid commit inconsistent quota data when errors=remount-ro ext4: add a hint for block bitmap corrupt state in mb_groups media: sta2x11: fix irq handler cast isofs: handle CDs with bad root inode but good Joliet root directory scsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc() sysv: don't call sb_bread() with pointers_lock held pinctrl: renesas: checker: Limit cfg reg enum checks to provided IDs Input: synaptics-rmi4 - fail probing if memory allocation for "phys" fails Bluetooth: btintel: Fix null ptr deref in btintel_read_version net/smc: reduce rtnl pressure in smc_pnet_create_pnetids_list() btrfs: send: handle path ref underflow in header iterate_inode_ref() btrfs: export: handle invalid inode or root reference in btrfs_get_parent() btrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks() tools/power x86_energy_perf_policy: Fix file leak in get_pkg_num() pstore/zone: Add a null pointer check to the psz_kmsg_read ionic: set adminq irq affinity arm64: dts: rockchip: fix rk3399 hdmi ports node arm64: dts: rockchip: fix rk3328 hdmi ports node panic: Flush kernel log buffer at the end VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host() wifi: ath9k: fix LNA selection in ath_ant_try_scan() objtool: Add asm version of STACK_FRAME_NON_STANDARD x86/cpufeatures: Add CPUID_LNX_5 to track recently added Linux-defined word mptcp: don't account accept() of non-MPC client as fallback to TCP x86/retpoline: Do the necessary fixup to the Zen3/4 srso return thunk for !SRSO x86/bugs: Fix the SRSO mitigation on Zen3/4 riscv: Fix spurious errors from __get/put_kernel_nofault s390/entry: align system call table on 8 bytes x86/mce: Make sure to grab mce_sysfs_mutex in set_bank() of: dynamic: Synchronize of_changeset_destroy() with the devlink removals driver core: Introduce device_link_wait_removal() ALSA: hda/realtek: Update Panasonic CF-SZ6 quirk to support headset with microphone ata: sata_mv: Fix PCI device ID table declaration compilation warning scsi: mylex: Fix sysfs buffer lengths ata: sata_sx4: fix pdc20621_get_from_dimm() on 64-bit ASoC: ops: Fix wraparound for mask in snd_soc_get_volsw arm64: dts: qcom: sc7180-trogdor: mark bluetooth address as broken arm64: dts: qcom: sc7180: Remove clock for bluetooth on Trogdor net: ravb: Always process TX descriptor ring udp: do not accept non-tunnel GSO skbs landing in a tunnel Revert "usb: phy: generic: Get the vbus supply" scsi: qla2xxx: Update manufacturer detail scsi: qla2xxx: Update manufacturer details i40e: fix vf may be used uninitialized in this function warning i40e: fix i40e_count_filters() to count only active/new filters octeontx2-pf: check negative error code in otx2_open() udp: do not transition UDP GRO fraglist partial checksums to unnecessary ipv6: Fix infinite recursion in fib6_dump_done(). selftests: reuseaddr_conflict: add missing new line at the end of the output erspan: make sure erspan_base_hdr is present in skb->head net: stmmac: fix rx queue priority assignment net/sched: act_skbmod: prevent kernel-infoleak bpf, sockmap: Prevent lock inversion deadlock in map delete elem vboxsf: Avoid an spurious warning if load_nls_xxx() fails netfilter: validate user input for expected length netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get() netfilter: nf_tables: flush pending destroy work before exit_net release netfilter: nf_tables: reject new basechain after table flag update block: add check that partition length needs to be aligned with block size x86/srso: Add SRSO mitigation for Hygon processors mm, vmscan: prevent infinite loop for costly GFP_NOIO | __GFP_RETRY_MAYFAIL allocations Revert "x86/mm/ident_map: Use gbpages only where full GB page should be mapped." io_uring: ensure '0' is returned on file registration success vfio/fsl-mc: Block calling interrupt handler without trigger vfio/platform: Create persistent IRQ handlers vfio/pci: Create persistent INTx handler vfio: Introduce interface to flush virqfd inject workqueue vfio/pci: Lock external INTx masking ops vfio/pci: Disable auto-enable of exclusive INTx IRQ net/rds: fix possible cp null dereference netfilter: nf_tables: disallow timeout for anonymous sets Bluetooth: Fix TOCTOU in HCI debugfs implementation Bluetooth: hci_event: set the conn encrypted before conn establishes x86/cpufeatures: Add new word for scattered features r8169: fix issue caused by buggy BIOS on certain boards with RTL8168d dm integrity: fix out-of-range warning Octeontx2-af: fix pause frame configuration in GMP mode bpf: Protect against int overflow for stack access size ACPICA: debugger: check status of acpi_evaluate_object() in acpi_db_walk_for_fields() tcp: properly terminate timers for kernel sockets ixgbe: avoid sleeping allocation in ixgbe_ipsec_vf_add_sa() nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet USB: core: Fix deadlock in usb_deauthorize_interface() scsi: lpfc: Correct size for wqe for memset() PCI/DPC: Quirk PIO log size for Intel Ice Lake Root Ports x86/cpu: Enable STIBP on AMD if Automatic IBRS is enabled scsi: qla2xxx: Delay I/O Abort on PCI error scsi: qla2xxx: Fix command flush on cable pull scsi: qla2xxx: Split FCE|EFT trace control usb: typec: ucsi: Clear UCSI_CCI_RESET_COMPLETE before reset usb: typec: ucsi: Ack unsupported commands usb: udc: remove warning when queue disabled ep usb: dwc2: gadget: LPM flow fix usb: dwc2: host: Fix ISOC flow in DDMA mode usb: dwc2: host: Fix hibernation flow usb: dwc2: host: Fix remote wakeup from hibernation USB: core: Add hub_get() and hub_put() routines staging: vc04_services: fix information leak in create_component() staging: vc04_services: changen strncpy() to strscpy_pad() scsi: core: Fix unremoved procfs host directory regression ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs usb: cdc-wdm: close race between read and workqueue net: ll_temac: platform_get_resource replaced by wrong function mmc: core: Avoid negative index with array access mmc: core: Initialize mmc_blk_ioc_data hexagon: vmlinux.lds.S: handle attributes section exec: Fix NOMMU linux_binprm::exec in transfer_args_to_stack() wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes init: open /initrd.image with O_LARGEFILE mm/migrate: set swap entry values of THP tail pages properly. mm/memory-failure: fix an incorrect use of tail pages serial: sc16is7xx: convert from _raw_ to _noinc_ regmap functions for FIFO powerpc: xor_vmx: Add '-mhard-float' to CFLAGS efivarfs: Request at most 512 bytes for variable names perf/core: Fix reentry problem in perf_output_read_group() KVM/x86: Export RFDS_NO and RFDS_CLEAR to guests x86/rfds: Mitigate Register File Data Sampling (RFDS) Documentation/hw-vuln: Add documentation for RFDS x86/mmio: Disable KVM mitigation when X86_FEATURE_CLEAR_CPU_BUF is set KVM/VMX: Move VERW closer to VMentry for MDS mitigation KVM/VMX: Use BT+JNC, i.e. EFLAGS.CF to select VMRESUME vs. VMLAUNCH x86/bugs: Use ALTERNATIVE() instead of mds_user_clear static key x86/entry_32: Add VERW just before userspace transition x86/entry_64: Add VERW just before userspace transition x86/bugs: Add asm helpers for executing VERW x86/asm: Add _ASM_RIP() macro for x86-64 (%rip) suffix btrfs: allocate btrfs_ioctl_defrag_range_args on stack printk: Update @console_may_schedule in console_trylock_spinning() xen/events: close evtchn after mapping cleanup tee: optee: Fix kernel panic caused by incorrect error handling fs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion vt: fix unicode buffer corruption when deleting characters mei: me: add arrow lake point H DID mei: me: add arrow lake point S DID tty: serial: fsl_lpuart: avoid idle preamble pending if CTS is enabled usb: port: Don't try to peer unused USB ports based on location usb: gadget: ncm: Fix handling of zero block length packets USB: usb-storage: Prevent divide-by-0 error in isd200_ata_command ALSA: hda/realtek - Fix headset Mic no show at resume back for Lenovo ALC897 platform KVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region() xfrm: Avoid clang fortify warning in copy_to_user_tmpl() Drivers: hv: vmbus: Calculate ring buffer size for more efficient use of memory netfilter: nf_tables: reject constant set with timeout netfilter: nf_tables: disallow anonymous set with timeout flag netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout cpufreq: brcmstb-avs-cpufreq: fix up "add check for cpufreq_cpu_get's return value" comedi: comedi_test: Prevent timers rescheduling during deletion scripts: kernel-doc: Fix syntax error due to undeclared args variable x86/pm: Work around false positive kmemleak report in msr_build_context() x86/stackprotector/32: Make the canary into a regular percpu variable vxge: remove unnecessary cast in kfree() dm snapshot: fix lockup in dm_exception_table_exit drm/amd/display: Fix noise issue on HDMI AV mute drm/amd/display: Return the correct HDCP error code ahci: asm1064: asm1166: don't limit reported ports ahci: asm1064: correct count of reported ports wireguard: netlink: access device through ctx instead of peer wireguard: netlink: check for dangling peer via is_dead instead of empty list net: hns3: tracing: fix hclgevf trace event strings x86/CPU/AMD: Update the Zenbleed microcode revisions cpufreq: dt: always allocate zeroed cpumask nilfs2: prevent kernel bug at submit_bh_wbc() nilfs2: fix failure to detect DAT corruption in btree and direct mappings memtest: use {READ,WRITE}_ONCE in memory scanning drm/vc4: hdmi: do not return negative values from .get_modes() drm/imx/ipuv3: do not return negative values from .get_modes() drm/exynos: do not return negative values from .get_modes() drm/panel: do not return negative error codes from drm_panel_get_modes() s390/zcrypt: fix reference counting on zcrypt card objects soc: fsl: qbman: Use raw spinlock for cgr_lock soc: fsl: qbman: Add CGR update function soc: fsl: qbman: Add helper for sanity checking cgr ops soc: fsl: qbman: Always disable interrupts when taking cgr_lock ring-buffer: Fix full_waiters_pending in poll ring-buffer: Fix resetting of shortest_full ring-buffer: Do not set shortest_full when full target is hit ring-buffer: Fix waking up ring buffer readers vfio/platform: Disable virqfds on cleanup PCI: dwc: endpoint: Fix advertised resizable BAR size kbuild: Move -Wenum-{compare-conditional,enum-conversion} into W=1 nfs: fix UAF in direct writes PCI/AER: Block runtime suspend when handling errors PCI/ERR: Clear AER status only when we control AER speakup: Fix 8bit characters from direct synth usb: gadget: tegra-xudc: Fix USB3 PHY retrieval logic usb: gadget: tegra-xudc: Use dev_err_probe() phy: tegra: xusb: Add API to retrieve the port number of phy slimbus: core: Remove usage of the deprecated ida_simple_xx() API nvmem: meson-efuse: fix function pointer type mismatch ext4: fix corruption during on-line resize hwmon: (amc6821) add of_match table drm/etnaviv: Restore some id values mmc: core: Fix switch on gp3 partition mm: swap: fix race between free_swap_and_cache() and swapoff() mac802154: fix llsec key resources release in mac802154_llsec_key_del dm-raid: fix lockdep waring in "pers->hot_add_disk" Revert "Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"" PCI/DPC: Quirk PIO log size for Intel Raptor Lake Root Ports PCI/DPC: Quirk PIO log size for certain Intel Root Ports PCI/ASPM: Make Intel DG2 L1 acceptable latency unlimited PCI: Work around Intel I210 ROM BAR overlap defect PCI: Cache PCIe Device Capabilities register PCI/ERR: Cache RCEC EA Capability offset in pci_init_capabilities() PCI/PM: Drain runtime-idle callbacks before driver removal PCI: Drop pci_device_remove() test of pci_dev->driver btrfs: fix off-by-one chunk length calculation at contains_pending_extent() serial: Lock console when calling into driver before registration printk/console: Split out code that enables default console usb: typec: ucsi: Clean up UCSI_CABLE_PROP macros fuse: don't unhash root fuse: fix root lookup with nonzero generation mmc: tmio: avoid concurrent runs of mmc_request_done() PM: sleep: wakeirq: fix wake irq warning in system suspend USB: serial: cp210x: add pid/vid for TDK NC0110013M and MM0110113M USB: serial: option: add MeiG Smart SLM320 product USB: serial: cp210x: add ID for MGP Instruments PDS100 USB: serial: add device ID for VeriFone adapter USB: serial: ftdi_sio: add support for GMC Z216C Adapter IR-USB powerpc/fsl: Fix mfpmr build errors with newer binutils clk: qcom: mmcc-msm8974: fix terminating of frequency table arrays clk: qcom: mmcc-apq8084: fix terminating of frequency table arrays clk: qcom: gcc-ipq8074: fix terminating of frequency table arrays clk: qcom: gcc-ipq6018: fix terminating of frequency table arrays PM: suspend: Set mem_sleep_current during kernel command line setup parisc: Strip upper 32 bit of sum in csum_ipv6_magic for 64-bit builds parisc: Fix csum_ipv6_magic on 64-bit systems parisc: Fix csum_ipv6_magic on 32-bit systems parisc: Fix ip_fast_csum parisc: Avoid clobbering the C/B bits in the PSW with tophys and tovirt macros mtd: rawnand: meson: fix scrambling mode value in command macro ubi: correct the calculation of fastmap size ubi: Check for too small LEB size in VTBL code ubifs: Set page uptodate in the correct place fat: fix uninitialized field in nostale filehandles bounds: support non-power-of-two CONFIG_NR_CPUS block: Clear zone limits for a non-zoned stacked queue block: introduce zone_write_granularity limit ext4: correct best extent lstart adjustment logic selftests/mqueue: Set timeout to 180 seconds crypto: qat - resolve race condition during AER recovery crypto: qat - fix double free during reset sparc: vDSO: fix return value of __setup handler sparc64: NMI watchdog: fix return value of __setup handler KVM: Always flush async #PF workqueue when vCPU is being destroyed media: xc4000: Fix atomicity violation in xc4000_get_frequency serial: max310x: fix NULL pointer dereference in I2C instantiation drm/vmwgfx: Fix possible null pointer derefence with invalid contexts drm/vmwgfx: Fix some static checker warnings drm/vmwgfx/vmwgfx_cmdbuf_res: Remove unused variable 'ret' drm/vmwgfx: switch over to the new pin interface v2 drm/vmwgfx: stop using ttm_bo_create v2 arm: dts: marvell: Fix maxium->maxim typo in brownstone dts smack: Handle SMACK64TRANSMUTE in smack_inode_setsecurity() smack: Set SMACK64TRANSMUTE only for dirs in smack_inode_setxattr() clk: qcom: gcc-sdm845: Add soft dependency on rpmhpd media: staging: ipu3-imgu: Set fields before media_entity_pads_init() wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach timers: Rename del_timer_sync() to timer_delete_sync() timers: Use del_timer_sync() even on UP timers: Update kernel-doc for various functions x86/bugs: Use sysfs_emit() x86/cpu: Support AMD Automatic IBRS Documentation/hw-vuln: Update spectre doc amdkfd: use calloc instead of kzalloc to avoid integer overflow Change-Id: I7279a2f07527db00e298b47f8f8f44c457fa2ef6 |
||
|
Greg Kroah-Hartman
|
dc67fccdbe |
ANDROID: properly backport filelock fix in 5.10.223
In commit |
||
|
Greg Kroah-Hartman
|
72f4574b8d |
Revert "ext4: Send notifications on error"
This reverts commit |
||
|
Greg Kroah-Hartman
|
8c417688f0 |
This is the 5.10.223 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmaksnwACgkQONu9yGCS
aT4PcQ//fATT8wjblT5zZ2dKy/LsTD8xKD8YfNKJDYvuYIMtli1hXmpQeeY237yt
d/zepYo4pN6onVa00S0gob2TUeR+Zz1/o++blIGsHzU26wme6hkSyvrFys88dR+h
BDTscrW9Q5ApFg7pJxvqkj+kpirqskXVXS1g2b7OA/8JY1hmDX6X9vxlwXJTaam2
wjUv+xblOAptmuTmZWxvgiezqJ6nwU8085+F60TOhDdOjx5MAmDbdVqDv2hXQE/U
VIjZqhUFXxomckwjaN9B2lAFYWxT30aR9+OKUzuck3eLEe4xrcohv6NdZ88obHRM
8YWqjjubYhpkfnQ+AsCTPFFNeK3NbnhDADwLIazPdyNUnd76HhVfs/yZOuE/hWPi
mLz7o+UUBwdmR13qJzYwAgN/ddLZV4VGCmRma3XneSwOAQhEkHomlSjplOc7GafG
QgKTxM7tmbcdM/NTH6Am+Bc3y9nI2NkjgV5fafant6xj++n7HDAI07UK5L/vUMcF
QxA/jn74MB9YG71BKXRT6xfVRhUGLQ/OMXBxdyUvUOFCa7nggYm7qCI+S5KdUz50
UP7KPmBBntsd6Mr06QaH+fgXszjZSSHXhHgeL5QRFZDUVvOWK66XS5S3Z+Ll3xgc
/26iJ1qYuGFj4k34ab6lM3q2ZuHAT1jS5URY6uVwxWN2BJDvGDQ=
=7Kf2
-----END PGP SIGNATURE-----
Merge 5.10.223 into android12-5.10-lts
Changes in 5.10.223
gcc-plugins: Rename last_stmt() for GCC 14+
filelock: Remove locks reliably when fcntl/close race is detected
scsi: qedf: Set qed_slowpath_params to zero before use
ACPI: EC: Abort address space access upon error
ACPI: EC: Avoid returning AE_OK on errors in address space handler
wifi: mac80211: mesh: init nonpeer_pm to active by default in mesh sdata
wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan()
selftests/openat2: Fix build warnings on ppc64
Input: silead - Always support 10 fingers
net: ipv6: rpl_iptunnel: block BH in rpl_output() and rpl_input()
ila: block BH in ila_output()
arm64: armv8_deprecated: Fix warning in isndep cpuhp starting process
null_blk: fix validation of block size
kconfig: gconf: give a proper initial state to the Save button
kconfig: remove wrong expr_trans_bool()
fs/file: fix the check in find_next_fd()
mei: demote client disconnect warning on suspend to debug
wifi: cfg80211: wext: add extra SIOCSIWSCAN data check
KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()
ALSA: hda/realtek: Add more codec ID to no shutup pins list
mips: fix compat_sys_lseek syscall
Input: elantech - fix touchpad state on resume for Lenovo N24
Input: i8042 - add Ayaneo Kun to i8042 quirk table
bytcr_rt5640 : inverse jack detect for Archos 101 cesium
ALSA: dmaengine: Synchronize dma channel after drop()
ASoC: ti: davinci-mcasp: Set min period size using FIFO config
ASoC: ti: omap-hdmi: Fix too long driver name
can: kvaser_usb: fix return value for hif_usb_send_regout
s390/sclp: Fix sclp_init() cleanup on failure
btrfs: qgroup: fix quota root leak after quota disable failure
ALSA: hda/relatek: Enable Mute LED on HP Laptop 15-gw0xxx
ALSA: dmaengine_pcm: terminate dmaengine before synchronize
net: usb: qmi_wwan: add Telit FN912 compositions
net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and DEV_STATS_ADD()
powerpc/pseries: Whitelist dtl slub object for copying to userspace
powerpc/eeh: avoid possible crash when edev->pdev changes
scsi: libsas: Fix exp-attached device scan after probe failure scanned in again after probe failed
Bluetooth: hci_core: cancel all works upon hci_unregister_dev()
fs: better handle deep ancestor chains in is_subdir()
spi: imx: Don't expect DMA for i.MX{25,35,50,51,53} cspi devices
selftests/vDSO: fix clang build errors and warnings
hfsplus: fix uninit-value in copy_name
spi: mux: set ctlr->bits_per_word_mask
ARM: 9324/1: fix get_user() broken with veneer
ACPI: processor_idle: Fix invalid comparison with insertion sort for latency
bpf: Fix overrunning reservations in ringbuf
bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue
scsi: core: Fix a use-after-free
ext4: fix error code saved on super block during file system abort
ext4: Send notifications on error
drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()
net: relax socket state check at accept time.
ocfs2: add bounds checking to ocfs2_check_dir_entry()
jfs: don't walk off the end of ealist
ALSA: hda/realtek: Enable headset mic on Positivo SU C1400
ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book Pro 360
arm64: dts: qcom: msm8996: Disable SS instance in Parkmode for USB
ALSA: pcm_dmaengine: Don't synchronize DMA channel when DMA is paused
filelock: Fix fcntl/close race recovery compat path
tun: add missing verification for short frame
tap: add missing verification for short frame
Linux 5.10.223
Change-Id: I588f4e47f0b1d442e0bf6d14ac923105e2e1909c
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Jann Horn
|
911cc83e56 |
filelock: Fix fcntl/close race recovery compat path
commit f8138f2ad2f745b9a1c696a05b749eabe44337ea upstream.
When I wrote commit 3cad1bc01041 ("filelock: Remove locks reliably when
fcntl/close race is detected"), I missed that there are two copies of the
code I was patching: The normal version, and the version for 64-bit offsets
on 32-bit kernels.
Thanks to Greg KH for stumbling over this while doing the stable
backport...
Apply exactly the same fix to the compat path for 32-bit kernels.
Fixes:
|
||
lei lu
|
6386f1b6a1 |
jfs: don't walk off the end of ealist
commit d0fa70aca54c8643248e89061da23752506ec0d4 upstream. Add a check before visiting the members of ea to make sure each ea stays within the ealist. Signed-off-by: lei lu <llfamsec@gmail.com> Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
lei lu
|
77495e5da5 |
ocfs2: add bounds checking to ocfs2_check_dir_entry()
commit 255547c6bb8940a97eea94ef9d464ea5967763fb upstream. This adds sanity checks for ocfs2_dir_entry to make sure all members of ocfs2_dir_entry don't stray beyond valid memory region. Link: https://lkml.kernel.org/r/20240626104433.163270-1-llfamsec@gmail.com Signed-off-by: lei lu <llfamsec@gmail.com> Reviewed-by: Heming Zhao <heming.zhao@suse.com> Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com> Cc: Mark Fasheh <mark@fasheh.com> Cc: Joel Becker <jlbec@evilplan.org> Cc: Junxiao Bi <junxiao.bi@oracle.com> Cc: Changwei Ge <gechangwei@live.cn> Cc: Gang He <ghe@suse.com> Cc: Jun Piao <piaojun@huawei.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Gabriel Krisman Bertazi
|
9760c6ceb2 |
ext4: Send notifications on error
commit 9a089b21f79b47eed240d4da7ea0d049de7c9b4d upstream. Send a FS_ERROR message via fsnotify to a userspace monitoring tool whenever a ext4 error condition is triggered. This follows the existing error conditions in ext4, so it is hooked to the ext4_error* functions. Link: https://lore.kernel.org/r/20211025192746.66445-30-krisman@collabora.com Signed-off-by: Gabriel Krisman Bertazi <krisman@collabora.com> Acked-by: Theodore Ts'o <tytso@mit.edu> Reviewed-by: Amir Goldstein <amir73il@gmail.com> Reviewed-by: Jan Kara <jack@suse.cz> Signed-off-by: Jan Kara <jack@suse.cz> [Ajay: - Modified to apply on v5.10.y - Added fsnotify for __ext4_abort()] Signed-off-by: Ajay Kaher <ajay.kaher@broadcom.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Gabriel Krisman Bertazi
|
88e44424a6 |
ext4: fix error code saved on super block during file system abort
commit 124e7c61deb27d758df5ec0521c36cf08d417f7a upstream. ext4_abort will eventually call ext4_errno_to_code, which translates the errno to an EXT4_ERR specific error. This means that ext4_abort expects an errno. By using EXT4_ERR_ here, it gets misinterpreted (as an errno), and ends up saving EXT4_ERR_EBUSY on the superblock during an abort, which makes no sense. ESHUTDOWN will get properly translated to EXT4_ERR_SHUTDOWN, so use that instead. Signed-off-by: Gabriel Krisman Bertazi <krisman@collabora.com> Link: https://lore.kernel.org/r/20211026173302.84000-1-krisman@collabora.com Signed-off-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: Ajay Kaher <ajay.kaher@broadcom.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Edward Adam Davis
|
34f8efd274 |
hfsplus: fix uninit-value in copy_name
[ Upstream commit 0570730c16307a72f8241df12363f76600baf57d ] [syzbot reported] BUG: KMSAN: uninit-value in sized_strscpy+0xc4/0x160 sized_strscpy+0xc4/0x160 copy_name+0x2af/0x320 fs/hfsplus/xattr.c:411 hfsplus_listxattr+0x11e9/0x1a50 fs/hfsplus/xattr.c:750 vfs_listxattr fs/xattr.c:493 [inline] listxattr+0x1f3/0x6b0 fs/xattr.c:840 path_listxattr fs/xattr.c:864 [inline] __do_sys_listxattr fs/xattr.c:876 [inline] __se_sys_listxattr fs/xattr.c:873 [inline] __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873 x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:3877 [inline] slab_alloc_node mm/slub.c:3918 [inline] kmalloc_trace+0x57b/0xbe0 mm/slub.c:4065 kmalloc include/linux/slab.h:628 [inline] hfsplus_listxattr+0x4cc/0x1a50 fs/hfsplus/xattr.c:699 vfs_listxattr fs/xattr.c:493 [inline] listxattr+0x1f3/0x6b0 fs/xattr.c:840 path_listxattr fs/xattr.c:864 [inline] __do_sys_listxattr fs/xattr.c:876 [inline] __se_sys_listxattr fs/xattr.c:873 [inline] __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873 x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f [Fix] When allocating memory to strbuf, initialize memory to 0. Reported-and-tested-by: syzbot+efde959319469ff8d4d7@syzkaller.appspotmail.com Signed-off-by: Edward Adam Davis <eadavis@qq.com> Link: https://lore.kernel.org/r/tencent_8BBB6433BC9E1C1B7B4BDF1BF52574BA8808@qq.com Reported-and-tested-by: syzbot+01ade747b16e9c8030e0@syzkaller.appspotmail.com Signed-off-by: Christian Brauner <brauner@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Christian Brauner
|
f65bffb464 |
fs: better handle deep ancestor chains in is_subdir()
[ Upstream commit 391b59b045004d5b985d033263ccba3e941a7740 ] Jan reported that 'cd ..' may take a long time in deep directory hierarchies under a bind-mount. If concurrent renames happen it is possible to livelock in is_subdir() because it will keep retrying. Change is_subdir() from simply retrying over and over to retry once and then acquire the rename lock to handle deep ancestor chains better. The list of alternatives to this approach were less then pleasant. Change the scope of rcu lock to cover the whole walk while at it. A big thanks to Jan and Linus. Both Jan and Linus had proposed effectively the same thing just that one version ended up being slightly more elegant. Reported-by: Jan Kara <jack@suse.cz> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Christian Brauner <brauner@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Filipe Manana
|
94818bdb00 |
btrfs: qgroup: fix quota root leak after quota disable failure
[ Upstream commit a7e4c6a3031c74078dba7fa36239d0f4fe476c53 ]
If during the quota disable we fail when cleaning the quota tree or when
deleting the root from the root tree, we jump to the 'out' label without
ever dropping the reference on the quota root, resulting in a leak of the
root since fs_info->quota_root is no longer pointing to the root (we have
set it to NULL just before those steps).
Fix this by always doing a btrfs_put_root() call under the 'out' label.
This is a problem that exists since qgroups were first added in 2012 by
commit
|
||
Yuntao Wang
|
229bce543b |
fs/file: fix the check in find_next_fd()
[ Upstream commit ed8c7fbdfe117abbef81f65428ba263118ef298a ] The maximum possible return value of find_next_zero_bit(fdt->full_fds_bits, maxbit, bitbit) is maxbit. This return value, multiplied by BITS_PER_LONG, gives the value of bitbit, which can never be greater than maxfd, it can only be equal to maxfd at most, so the following check 'if (bitbit > maxfd)' will never be true. Moreover, when bitbit equals maxfd, it indicates that there are no unused fds, and the function can directly return. Fix this check. Signed-off-by: Yuntao Wang <yuntao.wang@linux.dev> Link: https://lore.kernel.org/r/20240529160656.209352-1-yuntao.wang@linux.dev Reviewed-by: Jan Kara <jack@suse.cz> Signed-off-by: Christian Brauner <brauner@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Jann Horn
|
5661b9c7ec |
filelock: Remove locks reliably when fcntl/close race is detected
commit 3cad1bc010416c6dd780643476bc59ed742436b9 upstream.
When fcntl_setlk() races with close(), it removes the created lock with
do_lock_file_wait().
However, LSMs can allow the first do_lock_file_wait() that created the lock
while denying the second do_lock_file_wait() that tries to remove the lock.
In theory (but AFAIK not in practice), posix_lock_file() could also fail to
remove a lock due to GFP_KERNEL allocation failure (when splitting a range
in the middle).
After the bug has been triggered, use-after-free reads will occur in
lock_get_status() when userspace reads /proc/locks. This can likely be used
to read arbitrary kernel memory, but can't corrupt kernel memory.
This only affects systems with SELinux / Smack / AppArmor / BPF-LSM in
enforcing mode and only works from some security contexts.
Fix it by calling locks_remove_posix() instead, which is designed to
reliably get rid of POSIX locks associated with the given file and
files_struct and is also used by filp_flush().
Fixes:
|
||
Paul Lawrence
|
08892fdf71 |
ANDROID: Incremental fs: Retry page faults on non-fatal errors
In order to not freeze on corrupt data, we need to turn off FAULT_FLAG_ALLOW_RETRY. However, this means we no longer retry on EINTR, so an interrupted read will lead to page faults. The fault handler does not seem to allow dynamic decisions as to whether to turn on or off this flag. To resolve both issues, add a flag to indicate if there are corrupt pages in a file, and only if there are turn off this flag. Also fsanitize changed the behavior of mlock - mlock should fail if the page reads fail, but with fsanitize it returns 0 then page faults on access. This broke this test, and fsanitize offers little value on test code, so disable it. Test: incfs_test passes Bug: 343532239 Change-Id: Id2ced4be3310109206d65dcc92dea05c05131182 Signed-off-by: Paul Lawrence <paullawrence@google.com> |
||
Jens Reidel
|
3d6f8a6ec1
|
Merge tag 'ASB-2024-07-05_12-5.10' of https://android.googlesource.com/kernel/common into android13-5.10-waipio
https://source.android.com/docs/security/bulletin/2024-07-01 CVE-2024-26923 * tag 'ASB-2024-07-05_12-5.10' of https://android.googlesource.com/kernel/common: FROMLIST: binder_alloc: Replace kcalloc with kvcalloc to mitigate OOM issues ANDROID: fix kernelci build breaks due to hid/uhid cyclic dependency UPSTREAM: af_unix: Fix garbage collector racing against connect() ANDROID: uid_sys_stats: Use llist for deferred work ANDROID: uid_sys_stats: Use a single work for deferred updates ANDROID: GKI: Add new ABI symbol list ANDROID: 16K: Only check basename of linker context UPSTREAM: af_unix: Do not use atomic ops for unix_sk(sk)->inflight. ANDROID: cpufreq: brcmstb-avs-cpufreq: fix build error Revert "remoteproc: Add new get_loaded_rsc_table() to rproc_ops" Revert "remoteproc: stm32: Move resource table setup to rproc_ops" Revert "remoteproc: stm32: Fix incorrect type assignment returned by stm32_rproc_get_loaded_rsc_tablef" Revert "remoteproc: stm32: fix phys_addr_t format string" Revert "remoteproc: stm32: use correct format strings on 64-bit" Revert "remoteproc: stm32: Fix incorrect type in assignment for va" Revert "block: add a new set_read_only method" Revert "md: implement ->set_read_only to hook into BLKROSET processing" Revert "md: Don't clear MD_CLOSING when the raid is about to stop" Revert "bpf: Defer the free of inner map when necessary" Revert "net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()" Revert "regmap: allow to define reg_update_bits for no bus configuration" Revert "regmap: Add bulk read/write callbacks into regmap_config" Revert "serial: max310x: make accessing revision id interface-agnostic" Revert "serial: max310x: implement I2C support" Revert "serial: max310x: fix IO data corruption in batched operations" Revert "geneve: make sure to pull inner header in geneve_rx()" Revert "mptcp: fix lockless access in subflow ULP diag" Revert "net: dev: Convert sa_data to flexible array in struct sockaddr" Revert "arp: Prevent overflow in arp_req_get()." Revert "usb: roles: fix NULL pointer issue when put module's reference" Revert "usb: roles: don't get/set_role() when usb_role_switch is unregistered" Linux 5.10.214 remoteproc: stm32: fix phys_addr_t format string regmap: Add missing map->bus check spi: spi-mt65xx: Fix NULL pointer access in interrupt handler bpf: report RCU QS in cpumap kthread rcu: add a helper to report consolidated flavor QS netfilter: nf_tables: do not compare internal table flags on updates ARM: dts: sun8i-h2-plus-bananapi-m2-zero: add regulator nodes vcc-dram and vcc1v2 scsi: fc: Update formal FPIN descriptor definitions netfilter: nft_set_pipapo: release elements in clone only from destroy path octeontx2-af: Use separate handlers for interrupts net/bnx2x: Prevent access to a freed page in page_pool hsr: Handle failures in module init rds: introduce acquire/release ordering in acquire/release_in_xmit() wireguard: receive: annotate data-race around receiving_counter.counter net: dsa: mt7530: prevent possible incorrect XTAL frequency selection packet: annotate data-races around ignore_outgoing hsr: Fix uninit-value access in hsr_get_node() soc: fsl: dpio: fix kcalloc() argument order s390/vtime: fix average steal time calculation octeontx2-af: Use matching wake_up API variant in CGX command interface io_uring: don't save/restore iowait state usb: gadget: net2272: Use irqflags in the call to net2272_probe_fin staging: greybus: fix get_channel_from_mode() failure path serial: 8250_exar: Don't remove GPIO device on suspend rtc: mt6397: select IRQ_DOMAIN instead of depending on it kconfig: fix infinite loop when expanding a macro at the end of file tty: serial: samsung: fix tx_empty() to return TIOCSER_TEMT serial: max310x: fix syntax error in IRQ error message tty: vt: fix 20 vs 0x20 typo in EScsiignore remoteproc: stm32: Fix incorrect type assignment returned by stm32_rproc_get_loaded_rsc_tablef remoteproc: stm32: Fix incorrect type in assignment for va remoteproc: stm32: use correct format strings on 64-bit remoteproc: stm32: Move resource table setup to rproc_ops remoteproc: Add new get_loaded_rsc_table() to rproc_ops remoteproc: stm32: Constify st_rproc_ops afs: Revert "afs: Hide silly-rename files from userspace" NFS: Fix an off by one in root_nfs_cat() watchdog: stm32_iwdg: initialize default timeout NFSv4.2: fix listxattr maximum XDR buffer size NFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102 net: sunrpc: Fix an off by one in rpc_sockaddr2uaddr() scsi: bfa: Fix function pointer type mismatch for hcb_qe->cbfn RDMA/device: Fix a race between mad_client and cm_client init scsi: csiostor: Avoid function pointer casts f2fs: compress: fix to check unreleased compressed cluster RDMA/srpt: Do not register event handler until srpt device is fully setup ALSA: usb-audio: Stop parsing channels bits when all channels are found. ALSA: hda/realtek: fix ALC285 issues on HP Envy x360 laptops clk: Fix clk_core_get NULL dereference sparc32: Fix section mismatch in leon_pci_grpci backlight: lp8788: Fully initialize backlight_properties during probe backlight: lm3639: Fully initialize backlight_properties during probe backlight: da9052: Fully initialize backlight_properties during probe backlight: lm3630a: Don't set bl->props.brightness in get_brightness backlight: lm3630a: Initialize backlight_properties on init leds: sgm3140: Add missing timer cleanup and flash gpio control leds: aw2013: Unlock mutex before destroying it powerpc/embedded6xx: Fix no previous prototype for avr_uart_send() etc. drm/msm/dpu: add division of drm_display_mode's hskew parameter powerpc/hv-gpci: Fix the H_GET_PERF_COUNTER_INFO hcall return value checks drm/mediatek: Fix a null pointer crash in mtk_drm_crtc_finish_page_flip media: mediatek: vcodec: avoid -Wcast-function-type-strict warning media: ttpci: fix two memleaks in budget_av_attach media: go7007: fix a memleak in go7007_load_encoder media: dvb-frontends: avoid stack overflow warnings with clang media: pvrusb2: fix uaf in pvr2_context_set_notify drm/amdgpu: Fix missing break in ATOM_ARG_IMM Case of atom_get_src_int() ASoC: meson: axg-tdm-interface: add frame rate constraint ASoC: meson: axg-tdm-interface: fix mclk setup without mclk-fs mtd: rawnand: lpc32xx_mlc: fix irq handler prototype mtd: maps: physmap-core: fix flash size larger than 32-bit drm/tidss: Fix initial plane zpos values crypto: arm/sha - fix function cast warnings mfd: altera-sysmgr: Call of_node_put() only when of_parse_phandle() takes a ref mfd: syscon: Call of_node_put() only when of_parse_phandle() takes a ref drm/tegra: put drm_gem_object ref on error in tegra_fb_create clk: hisilicon: hi3519: Release the correct number of gates in hi3519_clk_unregister() PCI: Mark 3ware-9650SE Root Port Extended Tags as broken drm/mediatek: dsi: Fix DSI RGB666 formats and definitions clk: qcom: dispcc-sdm845: Adjust internal GDSC wait times media: pvrusb2: fix pvr2_stream_callback casts media: pvrusb2: remove redundant NULL check media: go7007: add check of return value of go7007_read_addr() media: imx: csc/scaler: fix v4l2_ctrl_handler memory leak media: sun8i-di: Fix chroma difference threshold media: sun8i-di: Fix power on/off sequences media: sun8i-di: Fix coefficient writes ASoC: meson: t9015: fix function pointer type mismatch ASoC: meson: aiu: fix function pointer type mismatch ASoC: meson: Use dev_err_probe() helper perf stat: Avoid metric-only segv ALSA: seq: fix function cast warnings drm/radeon/ni: Fix wrong firmware size logging in ni_init_microcode() perf thread_map: Free strlist on normal path in thread_map__new_by_tid_str() crypto: xilinx - call finalize with bh disabled PCI: switchtec: Fix an error handling path in switchtec_pci_probe() quota: Fix rcu annotations of inode dquot pointers quota: Fix potential NULL pointer dereference quota: simplify drop_dquot_ref() clk: qcom: reset: Ensure write completion on reset de/assertion clk: qcom: reset: Commonize the de/assert functions pinctrl: mediatek: Drop bogus slew rate register range for MT8192 media: edia: dvbdev: fix a use-after-free media: v4l2-mem2mem: fix a memleak in v4l2_m2m_register_entity media: v4l2-tpg: fix some memleaks in tpg_alloc media: em28xx: annotate unchecked call to media_device_register() perf evsel: Fix duplicate initialization of data->id in evsel__parse_sample() drm/amd/display: Fix potential NULL pointer dereferences in 'dcn10_set_output_transfer_func()' drm/amd/display: Fix a potential buffer overflow in 'dp_dsc_clock_en_read()' HID: lenovo: Add middleclick_workaround sysfs knob for cptkbd perf record: Fix possible incorrect free in record__switch_output() PCI/DPC: Print all TLP Prefixes, not just the first media: tc358743: register v4l2 async device only after successful setup dmaengine: tegra210-adma: Update dependency to ARCH_TEGRA drm/lima: fix a memleak in lima_heap_alloc drm/rockchip: lvds: do not print scary message when probing defer drm/rockchip: lvds: do not overwrite error code drm: Don't treat 0 as -1 in drm_fixp2int_ceil drm/rockchip: inno_hdmi: Fix video timing drm/tegra: output: Fix missing i2c_put_adapter() in the error handling paths of tegra_output_probe() drm/tegra: dsi: Fix missing pm_runtime_disable() in the error handling path of tegra_dsi_probe() drm/tegra: dsi: Fix some error handling paths in tegra_dsi_probe() drm/tegra: dsi: Make use of the helper function dev_err_probe() drm/tegra: dsi: Add missing check for of_find_device_by_node dm: call the resume method on internal suspend dm raid: fix false positive for requeue needed during reshape nfp: flower: handle acti_netdevs allocation failure net/x25: fix incorrect parameter validation in the x25_getsockopt() function net: kcm: fix incorrect parameter validation in the kcm_getsockopt) function udp: fix incorrect parameter validation in the udp_lib_getsockopt() function l2tp: fix incorrect parameter validation in the pppol2tp_getsockopt() function ipmr: fix incorrect parameter validation in the ip_mroute_getsockopt() function bpf: net: Change do_ip_getsockopt() to take the sockptr_t argument net/ipv4/ipv6: Replace one-element arraya with flexible-array members net/ipv4: Revert use of struct_size() helper net/ipv4: Replace one-element array with flexible-array member tcp: fix incorrect parameter validation in the do_tcp_getsockopt() function OPP: debugfs: Fix warning around icc_get_name() net: phy: dp83822: Fix RGMII TX delay configuration net: phy: DP83822: enable rgmii mode if phy_interface_is_rgmii net: hns3: fix port duplex configure error in IMP reset net: phy: fix phy_get_internal_delay accessing an empty array net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv() ipv6: fib6_rules: flush route cache when rule is changed bpf: Fix stackmap overflow check on 32-bit arches bpf: Fix hashtab overflow check on 32-bit arches bpf: Fix DEVMAP_HASH overflow check on 32-bit arches bpf: Eliminate rlimit-based memory accounting for devmap maps sr9800: Add check for usbnet_get_endpoints Bluetooth: hci_core: Fix possible buffer overflow Bluetooth: Remove superfluous call to hci_conn_check_pending() igb: Fix missing time sync events igb: move PEROUT and EXTTS isr logic to separate functions iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected PCI: Make pci_dev_is_disconnected() helper public for other drivers wifi: rtw88: 8821c: Fix false alarm count mmc: wmt-sdmmc: remove an incorrect release_mem_region() call in the .remove function SUNRPC: fix some memleaks in gssx_dec_option_array x86, relocs: Ignore relocations in .notes section ACPI: scan: Fix device check notification handling arm64: dts: marvell: reorder crypto interrupts on Armada SoCs ARM: dts: imx6dl-yapp4: Move the internal switch PHYs under the switch node ARM: dts: imx6dl-yapp4: Fix typo in the QCA switch register address ARM: dts: imx6dl-yapp4: Move phy reset into switch node ARM: dts: arm: realview: Fix development chip ROM compatible value net: ena: Remove ena_select_queue wifi: brcmsmac: avoid function pointer casts iommu/amd: Mark interrupt as managed bus: tegra-aconnect: Update dependency to ARCH_TEGRA ACPI: processor_idle: Fix memory leak in acpi_processor_power_exit() wifi: wilc1000: prevent use-after-free on vif when cleaning up all interfaces wireless: Remove redundant 'flush_workqueue()' calls bpf: Mark bpf_spin_{lock,unlock}() helpers with notrace correctly bpf: Factor out bpf_spin_lock into helpers. arm64: dts: mediatek: mt7622: add missing "device_type" to memory nodes wifi: libertas: fix some memleaks in lbs_allocate_cmd_buffer() net: blackhole_dev: fix build warning for ethh set but not used wifi: iwlwifi: fix EWRD table validity check wifi: iwlwifi: dbg-tlv: ensure NUL termination wifi: ath9k: delay all of ath9k_wmi_event_tasklet() until init is complete af_unix: Annotate data-race of gc_in_progress in wait_for_unix_gc(). bpftool: Silence build warning about calloc() inet_diag: annotate data-races around inet_diag_table[] sock_diag: annotate data-races around sock_diag_handlers[family] cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value wifi: mwifiex: debugfs: Drop unnecessary error check for debugfs_create_dir() wifi: wilc1000: fix multi-vif management when deleting a vif wifi: rtl8xxxu: add cancel_work_sync() for c2hcmd_work wifi: wilc1000: fix RCU usage in connect path wifi: wilc1000: fix declarations ordering wifi: b43: Disable QoS for bcm4331 wifi: b43: Stop correct queue in DMA worker when QoS is disabled wifi: b43: Stop/wake correct queue in PIO Tx path when QoS is disabled wifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled wifi: ath10k: fix NULL pointer dereference in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() timekeeping: Fix cross-timestamp interpolation for non-x86 timekeeping: Fix cross-timestamp interpolation corner case decision timekeeping: Fix cross-timestamp interpolation on counter wrap aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts md: Don't clear MD_CLOSING when the raid is about to stop md: implement ->set_read_only to hook into BLKROSET processing block: add a new set_read_only method fs/select: rework stack allocation hack for clang nbd: null check for nla_nest_start do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak x86/paravirt: Fix build due to __text_gen_insn() backport ASoC: wm8962: Fix up incorrect error message in wm8962_set_fll ASoC: wm8962: Enable both SPKOUTR_ENA and SPKOUTL_ENA in mono mode ASoC: wm8962: Enable oscillator if selecting WM8962_FLL_OSC Input: gpio_keys_polled - suppress deferred probe error for gpio ASoC: Intel: bytcr_rt5640: Add an extra entry for the Chuwi Vi8 tablet firewire: core: use long bus reset on gap count error Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security scsi: mpt3sas: Prevent sending diag_reset when the controller is ready dm-verity, dm-crypt: align "struct bvec_iter" correctly block: sed-opal: handle empty atoms when parsing response parisc/ftrace: add missing CONFIG_DYNAMIC_FTRACE check net/iucv: fix the allocation size of iucv_path_table array x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault() x86/mm: Move is_vsyscall_vaddr() into asm/vsyscall.h RDMA/mlx5: Relax DEVX access upon modify commands RDMA/mlx5: Fix fortify source warning while accessing Eth segment gen_compile_commands: fix invalid escape sequence warning HID: multitouch: Add required quirk for Synaptics 0xcddc device MIPS: Clear Cause.BD in instruction_pointer_set x86/xen: Add some null pointer checking to smp.c ASoC: rt5645: Make LattePanda board DMI match more precise selftests: tls: use exact comparison in recv_partial bpf: Defer the free of inner map when necessary rcu-tasks: Provide rcu_trace_implies_rcu_gp() io_uring: drop any code related to SCM_RIGHTS io_uring/unix: drop usage of io_uring socket Linux 5.10.213 serial: max310x: fix IO data corruption in batched operations serial: max310x: implement I2C support serial: max310x: make accessing revision id interface-agnostic regmap: Add bulk read/write callbacks into regmap_config regmap: allow to define reg_update_bits for no bus configuration Drivers: hv: vmbus: Drop error message when 'No request id available' serial: max310x: Unprepare and disable clock in error path getrusage: use sig->stats_lock rather than lock_task_sighand() getrusage: use __for_each_thread() getrusage: move thread_group_cputime_adjusted() outside of lock_task_sighand() getrusage: add the "signal_struct *sig" local variable mm: hugetlb pages should not be reserved by shmat() if SHM_NORESERVE mm/hugetlb: change hugetlb_reserve_pages() to type bool hv_netvsc: Register VF in netvsc_probe if NET_DEVICE_REGISTER missed hv_netvsc: use netif_is_bond_master() instead of open code hv_netvsc: Make netvsc/VF binding check both MAC and serial number hv_netvsc: Process NETDEV_GOING_DOWN on VF hot remove hv_netvsc: Wait for completion on request SWITCH_DATA_PATH hv_netvsc: Use vmbus_requestor to generate transaction IDs for VMBus hardening Drivers: hv: vmbus: Add vmbus_requestor data structure for VMBus hardening ext4: convert to exclusive lock while inserting delalloc extents ext4: refactor ext4_da_map_blocks() ext4: make ext4_es_insert_extent() return void lsm: fix default return value of the socket_getpeersec_*() hooks lsm: make security_socket_getpeersec_stream() sockptr_t safe bpf: net: Change sk_getsockopt() to take the sockptr_t argument net: Change sock_getsockopt() to take the sk ptr instead of the sock ptr serial: max310x: prevent infinite while() loop in port startup serial: max310x: use a separate regmap for each port serial: max310x: use regmap methods for SPI batch operations serial: max310x: Make use of device properties serial: max310x: fail probe if clock crystal is unstable serial: max310x: Try to get crystal clock rate from property serial: max310x: Use devm_clk_get_optional() to get the input clock xhci: handle isoc Babble and Buffer Overrun events properly xhci: process isoc TD properly when there was a transaction error mid TD. xhci: prevent double-fetch of transfer and transfer event TRBs xhci: remove extra loop in interrupt context um: allow not setting extra rpaths in the linux binary selftests: mm: fix map_hugetlb failure on 64K page size systems selftests/mm: switch to bash from sh netrom: Fix data-races around sysctl_net_busy_read netrom: Fix a data-race around sysctl_netrom_link_fails_count netrom: Fix a data-race around sysctl_netrom_routing_control netrom: Fix a data-race around sysctl_netrom_transport_no_activity_timeout netrom: Fix a data-race around sysctl_netrom_transport_requested_window_size netrom: Fix a data-race around sysctl_netrom_transport_busy_delay netrom: Fix a data-race around sysctl_netrom_transport_acknowledge_delay netrom: Fix a data-race around sysctl_netrom_transport_maximum_tries netrom: Fix a data-race around sysctl_netrom_transport_timeout netrom: Fix data-races around sysctl_netrom_network_ttl_initialiser netrom: Fix a data-race around sysctl_netrom_obsolescence_count_initialiser netrom: Fix a data-race around sysctl_netrom_default_path_quality netfilter: nf_conntrack_h323: Add protection for bmp length out of range netfilter: nft_ct: fix l3num expectations with inet pseudo family net/rds: fix WARNING in rds_conn_connect_if_down cpumap: Zero-initialise xdp_rxq_info struct before running XDP program net/ipv6: avoid possible UAF in ip6_route_mpath_notify() net: ice: Fix potential NULL pointer dereference in ice_bridge_setlink() geneve: make sure to pull inner header in geneve_rx() tracing/net_sched: Fix tracepoints that save qdisc_dev() as a string i40e: disable NAPI right after disabling irqs when handling xsk_pool ixgbe: {dis, en}able irqs in ixgbe_txrx_ring_{dis, en}able net: lan78xx: fix runtime PM count underflow on link stop lan78xx: Fix race conditions in suspend/resume handling lan78xx: Fix partial packet errors on suspend/resume lan78xx: Add missing return code checks lan78xx: Fix white space and style issues mmc: mmci: stm32: fix DMA API overlapping mappings warning mmc: mmci: stm32: use a buffer for unaligned DMA requests Linux 5.10.212 mptcp: fix double-free on socket dismantle mtd: spinand: gigadevice: fix Quad IO for GD5F1GQ5UExxG gpio: fix resource unwinding order in error path gpiolib: Fix the error path order in gpiochip_add_data_with_key() gpio: 74x164: Enable output pins after registers are reset fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super cachefiles: fix memory leak in cachefiles_add_cache() ext4: avoid bb_free and bb_fragments inconsistency in mb_free_blocks() mptcp: fix possible deadlock in subflow diag x86/cpu/intel: Detect TME keyid bits before setting MTRR mask registers pmdomain: qcom: rpmhpd: Fix enabled_corner aggregation mmc: sdhci-xenon: fix PHY init clock stability mmc: sdhci-xenon: add timeout for PHY init complete mmc: core: Fix eMMC initialization with 1-bit bus connection dmaengine: fsl-qdma: init irq after reg initialization dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read btrfs: dev-replace: properly validate device names wifi: nl80211: reject iftype change with mesh ID change gtp: fix use-after-free and null-ptr-deref in gtp_newlink() tomoyo: fix UAF write bug in tomoyo_write_control() riscv: Sparse-Memory/vmemmap out-of-bounds fix afs: Fix endless loop in directory parsing ALSA: Drop leftover snd-rtctimer stuff from Makefile power: supply: bq27xxx-i2c: Do not free non existing IRQ efi/capsule-loader: fix incorrect allocation size rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate() Bluetooth: Enforce validation on max value of connection interval Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST Bluetooth: hci_event: Fix wrongly recorded wakeup BD_ADDR Bluetooth: Avoid potential use-after-free in hci_error_reset net: usb: dm9601: fix wrong return value in dm9601_mdio_read lan78xx: enable auto speed configuration for LAN7850 if no EEPROM is detected ipv6: fix potential "struct net" leak in inet6_rtm_getaddr() tun: Fix xdp_rxq_info's queue_index when detaching net: ip_tunnel: prevent perpetual headroom growth netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter mtd: spinand: gigadevice: Fix the get ecc status issue mtd: spinand: gigadevice: Support GD5F1GQ5UExxG crypto: virtio/akcipher - Fix stack overflow on memcpy platform/x86: touchscreen_dmi: Allow partial (prefix) matches for ACPI names Linux 5.10.211 ext4: regenerate buddy after block freeing failed if under fc replay arp: Prevent overflow in arp_req_get(). fs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio block: ataflop: more blk-mq refactoring fixes drm/amd/display: Fix memory leak in dm_sw_fini() drm/syncobj: call drm_syncobj_fence_add_wait when WAIT_AVAILABLE flag is set drm/syncobj: make lockdep complain on WAIT_FOR_SUBMIT v3 netfilter: nf_tables: set dormant flag on hook register failure tls: stop recv() if initial process_rx_list gave us non-DATA tls: rx: drop pointless else after goto tls: rx: jump to a more appropriate label s390: use the correct count for __iowrite64_copy() net: dev: Convert sa_data to flexible array in struct sockaddr packet: move from strlcpy with unused retval to strscpy ipv6: sr: fix possible use-after-free and null-ptr-deref afs: Increase buffer size in afs_update_volume_status() ipv6: properly combine dev_base_seq and ipv6.dev_addr_genid ipv4: properly combine dev_base_seq and ipv4.dev_addr_genid nouveau: fix function cast warnings scsi: jazz_esp: Only build if SCSI core is builtin bpf, scripts: Correct GPL license name RDMA/srpt: fix function pointer cast warnings arm64: dts: rockchip: set num-cs property for spi on px30 RDMA/qedr: Fix qedr_create_user_qp error flow RDMA/srpt: Support specifying the srpt_service_guid parameter RDMA/bnxt_re: Return error for SRQ resize IB/hfi1: Fix a memleak in init_credit_return mptcp: fix lockless access in subflow ULP diag usb: roles: don't get/set_role() when usb_role_switch is unregistered usb: roles: fix NULL pointer issue when put module's reference usb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs usb: cdns3: fix memory double free when handle zero packet usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable() x86/alternative: Make custom return thunk unconditional Revert "x86/alternative: Make custom return thunk unconditional" x86/returnthunk: Allow different return thunks x86/ftrace: Use alternative RET encoding x86/ibt,paravirt: Use text_gen_insn() for paravirt_patch() x86/text-patching: Make text_gen_insn() play nice with ANNOTATE_NOENDBR Revert "x86/ftrace: Use alternative RET encoding" ARM: ep93xx: Add terminator to gpiod_lookup_table l2tp: pass correct message length to ip6_append_data PCI/MSI: Prevent MSI hardware interrupt number truncation gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp() KVM: arm64: vgic-its: Test for valid IRQ in its_sync_lpi_pending_table() KVM: arm64: vgic-its: Test for valid IRQ in MOVALL handler dm-crypt: don't modify the data when using authenticated encryption s390/cio: fix invalid -EBUSY on ccw_device_start IB/hfi1: Fix sdma.h tx->num_descs off-by-one error erofs: fix lz4 inplace decompression x86: drop bogus "cc" clobber from __try_cmpxchg_user_asm() jbd2: Fix wrongly judgement for buffer head removing while doing checkpoint jbd2: recheck chechpointing non-dirty buffer jbd2: remove redundant buffer io error checks iwlwifi: mvm: write queue_sync_state only for sync iwlwifi: mvm: do more useful queue sync accounting platform/x86: intel-vbtn: Support for tablet mode on HP Pavilion 13 x360 PC lan743x: fix for potential NULL pointer dereference with bare card btrfs: do not pin logs too early during renames btrfs: unify lookup return value when dir entry is missing btrfs: introduce btrfs_lookup_match_dir btrfs: tree-checker: check for overlapping extent items task_stack, x86/cea: Force-inline stack helpers ASoC: Intel: bytcr_rt5651: Drop reference count of ACPI device after use ASoC: Intel: boards: get codec device with ACPI instead of bus search ASoC: Intel: boards: harden codec property handling mtd: spinand: macronix: Add support for MX35LFxGE4AD cifs: add a warning when the in-flight count goes negative powerpc/watchpoints: Annotate atomic context in more places powerpc/watchpoint: Workaround P10 DD1 issue with VSX-32 byte instructions block: ataflop: fix breakage introduced at blk-mq refactoring seccomp: Invalidate seccomp mode to catch death failures x86/uaccess: Implement macros for CMPXCHG on user addresses hsr: Avoid double remove of a node. hvc/xen: prevent concurrent accesses to the shared ring media: av7110: prevent underflow in write_ts_to_decoder() ASoC: fsl_micfil: register platform component before registering cpu dai ARM: dts: imx: Set default tuning step for imx6sx usdhc irqchip/mips-gic: Don't touch vl_map if a local interrupt is not routable ARM: dts: BCM53573: Drop nonexistent "default-off" LED trigger pmdomain: renesas: r8a77980-sysc: CR7 must be always on virtio-blk: Ensure no requests in virtqueues before deleting vqs. firewire: core: send bus reset promptly on gap count error scsi: lpfc: Use unsigned type for num_sge hwmon: (coretemp) Enlarge per package core count limit efi: Don't add memblocks for soft-reserved memory efi: runtime: Fix potential overflow of soft-reserved region size Input: i8042 - add Fujitsu Lifebook U728 to i8042 quirk table ext4: correct the hole length returned by ext4_map_blocks() nvmet-fc: abort command when there is no binding nvmet-fc: release reference on target port nvmet-fcloop: swap the list_add_tail arguments nvme-fc: do not wait in vain when unloading module netfilter: conntrack: check SCTP_CID_SHUTDOWN_ACK for vtag setting in sctp_new spi: sh-msiof: avoid integer overflow in constants ASoC: sunxi: sun4i-spdif: Add support for Allwinner H616 nvmet-tcp: fix nvme tcp ida memory leak regulator: pwm-regulator: Add validity checks in continuous .get_voltage dmaengine: ti: edma: Add some null pointer checks to the edma_probe ext4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal() ext4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found() ahci: add 43-bit DMA address quirk for ASMedia ASM1061 controllers ahci: asm1166: correct count of reported ports spi: hisi-sfc-v3xx: Return IRQ_NONE if no interrupts were detected fbdev: sis: Error out if pixclock equals zero fbdev: savage: Error out if pixclock equals zero wifi: mac80211: fix race condition on enabling fast-xmit wifi: cfg80211: fix missing interfaces when dumping dmaengine: fsl-qdma: increase size of 'irq_name' dmaengine: shdma: increase size of 'dev_id' scsi: target: core: Add TMF to tmr_list handling sched/rt: Disallow writing invalid values to sched_rt_period_us sched/rt: Fix sysctl_sched_rr_timeslice intial value zonefs: Improve error handling userfaultfd: fix mmap_changing checking in mfill_atomic_hugetlb sched/rt: sysctl_sched_rr_timeslice show default timeslice after reset smb: client: fix parsing of SMB3.1.1 POSIX create context smb: client: fix potential OOBs in smb2_parse_contexts() smb: client: fix OOB in receive_encrypted_standard() net/sched: Retire dsmark qdisc net/sched: Retire ATM qdisc net/sched: Retire CBQ qdisc Change-Id: I27b365859804c2c84cb821e94fb84a971429c6d0 |
||
|
Greg Kroah-Hartman
|
b7647fb740 |
Merge branch 'android12-5.10' into branch 'android12-5.10-lts'
Do a backmerge to catch the android12-5.10-lts branch up with recent changes done in android12-5.10. Included in here are the following commits: * |
||
|
Greg Kroah-Hartman
|
c761121f9a |
Merge tag 'android12-5.10.218_r00' into android12-5.10
This merges the 5.10.218 LTS kernel into the android12-5.10 branch. Included in here are the following commits: * |
||
|
Greg Kroah-Hartman
|
875057880e |
This is the 5.10.222 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmaY9zYACgkQONu9yGCS aT6v5g//WMifSZz85CUFaqgs65rwVfhTMpYtUeL5LiDuy+SMou6ViV3A93FpTkmj FJBvrr2y0bn8Y5Dp/fwYj10XUz+THZte/yEVnPh/NkV107FZD3fKa6GTnJY7H/XY 4SoOGfPB4yfx+MpN6ZpLsu4cAt6FW8P+QfKOxBEboGkJSGpjEbGYFMtyZAMjknia QE8cKQ3LnMrQzHIizil5dZVlYaiMgJtlKTtUeVI1ixmaGDb3rCsnCVvMRvZnW95V aSgyJNrNix7a5tRgYwZHZp4t3p9iT2lyIFM3/y7TKcglVCMPw4nbsDdLNNq11qrk RdTdScR+9eKyJsEGVYOhXZFUFzOgHW22xyx0CCZmDMeu08WPNl4vhGewnndQy3yd 6jdTRYDrU6SQNQ0AjRZXcdmfopIQxetHE7ZEKvbgBW6+u9oySYU8phPCNkma2JWr O2eY5AOF8zgPAdAzvF9Bt/qTlwLNjP0zczoIRX7HSvV03Nh9cQvgzKdSCfuPDU4a FX7mlokgweYa7WoWGPkzOlgMaJZksqstDnhbuwONoMPrNFTUjgm429K87iPdwzqC Yv4uDrpFXgkhfD4Aoks4wDpE2LgBKWz5Wnpo+WW4fjcrXtcIV2tTD9FkMjBv3ECv A8TTWsXxQtm3V54R4h7fAXg9KnZBuIYYDnB2u1317ZdaDkZRuPQ= =X2/A -----END PGP SIGNATURE----- Merge 5.10.222 into android12-5.10-lts Changes in 5.10.222 Compiler Attributes: Add __uninitialized macro drm/lima: fix shared irq handling on driver remove media: dvb: as102-fe: Fix as10x_register_addr packing media: dvb-usb: dib0700_devices: Add missing release_firmware() IB/core: Implement a limit on UMAD receive List scsi: qedf: Make qedf_execute_tmf() non-preemptible crypto: aead,cipher - zeroize key buffer after use drm/amdgpu: Initialize timestamp for some legacy SOCs drm/amd/display: Check index msg_id before read or write drm/amd/display: Check pipe offset before setting vblank drm/amd/display: Skip finding free audio for unknown engine_id media: dw2102: Don't translate i2c read into write sctp: prefer struct_size over open coded arithmetic firmware: dmi: Stop decoding on broken entry Input: ff-core - prefer struct_size over open coded arithmetic net: dsa: mv88e6xxx: Correct check for empty list media: dvb-frontends: tda18271c2dd: Remove casting during div media: s2255: Use refcount_t instead of atomic_t for num_channels media: dvb-frontends: tda10048: Fix integer overflow i2c: i801: Annotate apanel_addr as __ro_after_init powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for CONFIG_PCI=n orangefs: fix out-of-bounds fsid access kunit: Fix timeout message powerpc/xmon: Check cpu id in commands "c#", "dp#" and "dx#" bpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD jffs2: Fix potential illegal address access in jffs2_free_inode s390/pkey: Wipe sensitive data on failure UPSTREAM: tcp: fix DSACK undo in fast recovery to call tcp_try_to_open() tcp_metrics: validate source addr length wifi: wilc1000: fix ies_len type in connect path bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set() selftests: fix OOM in msg_zerocopy selftest selftests: make order checking verbose in msg_zerocopy selftest inet_diag: Initialize pad field in struct inet_diag_req_v2 nilfs2: fix inode number range checks nilfs2: add missing check for inode numbers on directory entries mm: optimize the redundant loop of mm_update_owner_next() mm: avoid overflows in dirty throttling logic Bluetooth: qca: Fix BT enable failure again for QCA6390 after warm reboot can: kvaser_usb: Explicitly initialize family in leafimx driver_info struct fsnotify: Do not generate events for O_PATH file descriptors Revert "mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again" drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes drm/amdgpu/atomfirmware: silence UBSAN warning mtd: rawnand: Bypass a couple of sanity checks during NAND identification bnx2x: Fix multiple UBSAN array-index-out-of-bounds bpf, sockmap: Fix sk->sk_forward_alloc warn_on in sk_stream_kill_queues ima: Avoid blocking in RCU read-side critical section media: dw2102: fix a potential buffer overflow i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr ALSA: hda/realtek: Enable headset mic of JP-IK LEAP W502 with ALC897 nvme-multipath: find NUMA path only for online numa-node nvme: adjust multiples of NVME_CTRL_PAGE_SIZE in offset platform/x86: touchscreen_dmi: Add info for GlobalSpace SolT IVW 11.6" tablet platform/x86: touchscreen_dmi: Add info for the EZpad 6s Pro nvmet: fix a possible leak when destroy a ctrl during qp establishment kbuild: fix short log for AS in link-vmlinux.sh nilfs2: fix incorrect inode allocation from reserved inodes mm: prevent derefencing NULL ptr in pfn_section_valid() filelock: fix potential use-after-free in posix_lock_inode fs/dcache: Re-use value stored to dentry->d_flags instead of re-reading vfs: don't mod negative dentry count when on shrinker list tcp: fix incorrect undo caused by DSACK of TLP retransmit octeontx2-af: Fix incorrect value output on error path in rvu_check_rsrc_availability() net: lantiq_etop: add blank line after declaration net: ethernet: lantiq_etop: fix double free in detach ppp: reject claimed-as-LCP but actually malformed packets ethtool: netlink: do not return SQI value if link is down udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port(). net/sched: Fix UAF when resolving a clash s390: Mark psw in __load_psw_mask() as __unitialized ARM: davinci: Convert comma to semicolon octeontx2-af: fix detection of IP layer tcp: use signed arithmetic in tcp_rtx_probe0_timed_out() tcp: avoid too many retransmit packets net: ks8851: Fix potential TX stall after interface reopen USB: serial: option: add Telit generic core-dump composition USB: serial: option: add Telit FN912 rmnet compositions USB: serial: option: add Fibocom FM350-GL USB: serial: option: add support for Foxconn T99W651 USB: serial: option: add Netprisma LCUK54 series modules USB: serial: option: add Rolling RW350-GL variants USB: serial: mos7840: fix crash on resume USB: Add USB_QUIRK_NO_SET_INTF quirk for START BP-850k usb: gadget: configfs: Prevent OOB read/write in usb_string_copy() USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor hpet: Support 32-bit userspace nvmem: meson-efuse: Fix return value of nvmem callbacks ALSA: hda/realtek: Enable Mute LED on HP 250 G7 ALSA: hda/realtek: Limit mic boost on VAIO PRO PX libceph: fix race between delayed_work() and ceph_monc_stop() wireguard: allowedips: avoid unaligned 64-bit memory accesses wireguard: queueing: annotate intentional data race in cpu round robin wireguard: send: annotate intentional data race in checking empty queue x86/retpoline: Move a NOENDBR annotation to the SRSO dummy return thunk efi: ia64: move IA64-only declarations to new asm/efi.h header ipv6: annotate data-races around cnf.disable_ipv6 ipv6: prevent NULL dereference in ip6_output() bpf: Allow reads from uninit stack nilfs2: fix kernel bug on rename operation of broken directory i2c: rcar: bring hardware to known state when probing i2c: mark HostNotify target address as used i2c: rcar: Add R-Car Gen4 support i2c: rcar: reset controller is mandatory for Gen3+ i2c: rcar: introduce Gen4 devices i2c: rcar: ensure Gen3+ reset does not disturb local targets i2c: rcar: clear NO_RXDMA flag after resetting i2c: rcar: fix error code in probe() Linux 5.10.222 Change-Id: I39dedaef039a49c1b8b53dd83b83d481593ffb95 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Jaegeuk Kim
|
e0ab5345d6 |
UPSTREAM: f2fs: avoid false alarm of circular locking
====================================================== WARNING: possible circular locking dependency detected 6.5.0-rc5-syzkaller-00353-gae545c3283dc #0 Not tainted ------------------------------------------------------ syz-executor273/5027 is trying to acquire lock: ffff888077fe1fb0 (&fi->i_sem){+.+.}-{3:3}, at: f2fs_down_write fs/f2fs/f2fs.h:2133 [inline] ffff888077fe1fb0 (&fi->i_sem){+.+.}-{3:3}, at: f2fs_add_inline_entry+0x300/0x6f0 fs/f2fs/inline.c:644 but task is already holding lock: ffff888077fe07c8 (&fi->i_xattr_sem){.+.+}-{3:3}, at: f2fs_down_read fs/f2fs/f2fs.h:2108 [inline] ffff888077fe07c8 (&fi->i_xattr_sem){.+.+}-{3:3}, at: f2fs_add_dentry+0x92/0x230 fs/f2fs/dir.c:783 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&fi->i_xattr_sem){.+.+}-{3:3}: down_read+0x9c/0x470 kernel/locking/rwsem.c:1520 f2fs_down_read fs/f2fs/f2fs.h:2108 [inline] f2fs_getxattr+0xb1e/0x12c0 fs/f2fs/xattr.c:532 __f2fs_get_acl+0x5a/0x900 fs/f2fs/acl.c:179 f2fs_acl_create fs/f2fs/acl.c:377 [inline] f2fs_init_acl+0x15c/0xb30 fs/f2fs/acl.c:420 f2fs_init_inode_metadata+0x159/0x1290 fs/f2fs/dir.c:558 f2fs_add_regular_entry+0x79e/0xb90 fs/f2fs/dir.c:740 f2fs_add_dentry+0x1de/0x230 fs/f2fs/dir.c:788 f2fs_do_add_link+0x190/0x280 fs/f2fs/dir.c:827 f2fs_add_link fs/f2fs/f2fs.h:3554 [inline] f2fs_mkdir+0x377/0x620 fs/f2fs/namei.c:781 vfs_mkdir+0x532/0x7e0 fs/namei.c:4117 do_mkdirat+0x2a9/0x330 fs/namei.c:4140 __do_sys_mkdir fs/namei.c:4160 [inline] __se_sys_mkdir fs/namei.c:4158 [inline] __x64_sys_mkdir+0xf2/0x140 fs/namei.c:4158 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd -> #0 (&fi->i_sem){+.+.}-{3:3}: check_prev_add kernel/locking/lockdep.c:3142 [inline] check_prevs_add kernel/locking/lockdep.c:3261 [inline] validate_chain kernel/locking/lockdep.c:3876 [inline] __lock_acquire+0x2e3d/0x5de0 kernel/locking/lockdep.c:5144 lock_acquire kernel/locking/lockdep.c:5761 [inline] lock_acquire+0x1ae/0x510 kernel/locking/lockdep.c:5726 down_write+0x93/0x200 kernel/locking/rwsem.c:1573 f2fs_down_write fs/f2fs/f2fs.h:2133 [inline] f2fs_add_inline_entry+0x300/0x6f0 fs/f2fs/inline.c:644 f2fs_add_dentry+0xa6/0x230 fs/f2fs/dir.c:784 f2fs_do_add_link+0x190/0x280 fs/f2fs/dir.c:827 f2fs_add_link fs/f2fs/f2fs.h:3554 [inline] f2fs_mkdir+0x377/0x620 fs/f2fs/namei.c:781 vfs_mkdir+0x532/0x7e0 fs/namei.c:4117 ovl_do_mkdir fs/overlayfs/overlayfs.h:196 [inline] ovl_mkdir_real+0xb5/0x370 fs/overlayfs/dir.c:146 ovl_workdir_create+0x3de/0x820 fs/overlayfs/super.c:309 ovl_make_workdir fs/overlayfs/super.c:711 [inline] ovl_get_workdir fs/overlayfs/super.c:864 [inline] ovl_fill_super+0xdab/0x6180 fs/overlayfs/super.c:1400 vfs_get_super+0xf9/0x290 fs/super.c:1152 vfs_get_tree+0x88/0x350 fs/super.c:1519 do_new_mount fs/namespace.c:3335 [inline] path_mount+0x1492/0x1ed0 fs/namespace.c:3662 do_mount fs/namespace.c:3675 [inline] __do_sys_mount fs/namespace.c:3884 [inline] __se_sys_mount fs/namespace.c:3861 [inline] __x64_sys_mount+0x293/0x310 fs/namespace.c:3861 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- rlock(&fi->i_xattr_sem); lock(&fi->i_sem); lock(&fi->i_xattr_sem); lock(&fi->i_sem); Bug: 349265158 Change-Id: I4d9a7107b45eb81ea4d9b0cdc65333ec0aeb26b1 Cc: <stable@vger.kernel.org> Reported-and-tested-by: syzbot+e5600587fa9cbf8e3826@syzkaller.appspotmail.com Fixes: 5eda1ad1aaff "f2fs: fix deadlock in i_xattr_sem and inode page lock" Tested-by: Guenter Roeck <linux@roeck-us.net> Reviewed-by: Chao Yu <chao@kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org> Signed-off-by: Sayali Lokhande <quic_sayalil@quicinc.com> (cherry picked from commit 5c13e2388bf3426fd69a89eb46e50469e9624e56) |
||
|
Jaegeuk Kim
|
758dd4cd50 |
UPSTREAM: f2fs: fix deadlock in i_xattr_sem and inode page lock
Thread #1:
[122554.641906][ T92] f2fs_getxattr+0xd4/0x5fc
-> waiting for f2fs_down_read(&F2FS_I(inode)->i_xattr_sem);
[122554.641927][ T92] __f2fs_get_acl+0x50/0x284
[122554.641948][ T92] f2fs_init_acl+0x84/0x54c
[122554.641969][ T92] f2fs_init_inode_metadata+0x460/0x5f0
[122554.641990][ T92] f2fs_add_inline_entry+0x11c/0x350
-> Locked dir->inode_page by f2fs_get_node_page()
[122554.642009][ T92] f2fs_do_add_link+0x100/0x1e4
[122554.642025][ T92] f2fs_create+0xf4/0x22c
[122554.642047][ T92] vfs_create+0x130/0x1f4
Thread #2:
[123996.386358][ T92] __get_node_page+0x8c/0x504
-> waiting for dir->inode_page lock
[123996.386383][ T92] read_all_xattrs+0x11c/0x1f4
[123996.386405][ T92] __f2fs_setxattr+0xcc/0x528
[123996.386424][ T92] f2fs_setxattr+0x158/0x1f4
-> f2fs_down_write(&F2FS_I(inode)->i_xattr_sem);
[123996.386443][ T92] __f2fs_set_acl+0x328/0x430
[123996.386618][ T92] f2fs_set_acl+0x38/0x50
[123996.386642][ T92] posix_acl_chmod+0xc8/0x1c8
[123996.386669][ T92] f2fs_setattr+0x5e0/0x6bc
[123996.386689][ T92] notify_change+0x4d8/0x580
[123996.386717][ T92] chmod_common+0xd8/0x184
[123996.386748][ T92] do_fchmodat+0x60/0x124
[123996.386766][ T92] __arm64_sys_fchmodat+0x28/0x3c
Bug: 349265158
Change-Id: Idea03a410190499375e0dbdc848cdb20cd9a0cab
Cc: <stable@vger.kernel.org>
Fixes:
|
||
Lokesh Gidra
|
6f61666ab1 |
ANDROID: userfaultfd: Fix use-after-free in userfaultfd_using_sigbus()
In 582c6d188ec1 ("ANDROID: userfaultfd: allow SPF for
UFFD_FEATURE_SIGBUS on private+anon"), we allowed userfaultfd
registered VMAs using SIGBUS to be handled with SPF. But during
page-fault handling, before userfaultfd_ctx is dereferenced,
another thread may call userfaultfd_release(), unlink the VMA
and then deallocate the same userfaultfd_ctx, leaving a dangling
pointer behind for dereference.
It is insufficient to do the access under rcu read-lock as the context
may have been deallocated before entering the critical section. Checking
vma has not changed in the critical section ensures we are not looking at
dangling pointer to userfaultfd_ctx.
Change-Id: I9c3ba0f1352e49f0ea387b92c18b5f1b5dcad7f1
Signed-off-by: Lokesh Gidra <lokeshgidra@google.com>
Bug: 349936398
(cherry picked from commit c75b369e72da0283a20f794c0070c478b490f453)
|
||
|
Ryusuke Konishi
|
a9a466a69b |
nilfs2: fix kernel bug on rename operation of broken directory
commit a9e1ddc09ca55746079cc479aa3eb6411f0d99d4 upstream.
Syzbot reported that in rename directory operation on broken directory on
nilfs2, __block_write_begin_int() called to prepare block write may fail
BUG_ON check for access exceeding the folio/page size.
This is because nilfs_dotdot(), which gets parent directory reference
entry ("..") of the directory to be moved or renamed, does not check
consistency enough, and may return location exceeding folio/page size for
broken directories.
Fix this issue by checking required directory entries ("." and "..") in
the first chunk of the directory in nilfs_dotdot().
Link: https://lkml.kernel.org/r/20240628165107.9006-1-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+d3abed1ad3d367fa2627@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d3abed1ad3d367fa2627
Fixes:
|
||
Brian Foster
|
1b95de9433 |
vfs: don't mod negative dentry count when on shrinker list
[ Upstream commit aabfe57ebaa75841db47ea59091ec3c5a06d2f52 ]
The nr_dentry_negative counter is intended to only account negative
dentries that are present on the superblock LRU. Therefore, the LRU
add, remove and isolate helpers modify the counter based on whether
the dentry is negative, but the shrinker list related helpers do not
modify the counter, and the paths that change a dentry between
positive and negative only do so if DCACHE_LRU_LIST is set.
The problem with this is that a dentry on a shrinker list still has
DCACHE_LRU_LIST set to indicate ->d_lru is in use. The additional
DCACHE_SHRINK_LIST flag denotes whether the dentry is on LRU or a
shrink related list. Therefore if a relevant operation (i.e. unlink)
occurs while a dentry is present on a shrinker list, and the
associated codepath only checks for DCACHE_LRU_LIST, then it is
technically possible to modify the negative dentry count for a
dentry that is off the LRU. Since the shrinker list related helpers
do not modify the negative dentry count (because non-LRU dentries
should not be included in the count) when the dentry is ultimately
removed from the shrinker list, this can cause the negative dentry
count to become permanently inaccurate.
This problem can be reproduced via a heavy file create/unlink vs.
drop_caches workload. On an 80xcpu system, I start 80 tasks each
running a 1k file create/delete loop, and one task spinning on
drop_caches. After 10 minutes or so of runtime, the idle/clean cache
negative dentry count increases from somewhere in the range of 5-10
entries to several hundred (and increasingly grows beyond
nr_dentry_unused).
Tweak the logic in the paths that turn a dentry negative or positive
to filter out the case where the dentry is present on a shrink
related list. This allows the above workload to maintain an accurate
negative dentry count.
Fixes:
|
||
linke li
|
7092f1e582 |
fs/dcache: Re-use value stored to dentry->d_flags instead of re-reading
[ Upstream commit 8bfb40be31ddea0cb4664b352e1797cfe6c91976 ] Currently, the __d_clear_type_and_inode() writes the value flags to dentry->d_flags, then immediately re-reads it in order to use it in a if statement. This re-read is useless because no other update to dentry->d_flags can occur at this point. This commit therefore re-use flags in the if statement instead of re-reading dentry->d_flags. Signed-off-by: linke li <lilinke99@qq.com> Link: https://lore.kernel.org/r/tencent_5E187BD0A61BA28605E85405F15228254D0A@qq.com Reviewed-by: Jan Kara <jack@suse.cz> Signed-off-by: Christian Brauner <brauner@kernel.org> Stable-dep-of: aabfe57ebaa7 ("vfs: don't mod negative dentry count when on shrinker list") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Jeff Layton
|
7d4c14f4b5 |
filelock: fix potential use-after-free in posix_lock_inode
[ Upstream commit 1b3ec4f7c03d4b07bad70697d7e2f4088d2cfe92 ]
Light Hsieh reported a KASAN UAF warning in trace_posix_lock_inode().
The request pointer had been changed earlier to point to a lock entry
that was added to the inode's list. However, before the tracepoint could
fire, another task raced in and freed that lock.
Fix this by moving the tracepoint inside the spinlock, which should
ensure that this doesn't happen.
Fixes: 74f6f5912693 ("locks: fix KASAN: use-after-free in trace_event_raw_event_filelock_lock")
Link: https://lore.kernel.org/linux-fsdevel/724ffb0a2962e912ea62bb0515deadf39c325112.camel@kernel.org/
Reported-by: Light Hsieh (謝明燈) <Light.Hsieh@mediatek.com>
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Link: https://lore.kernel.org/r/20240702-filelock-6-10-v1-1-96e766aadc98@kernel.org
Reviewed-by: Alexander Aring <aahringo@redhat.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Ryusuke Konishi
|
1e99ce37e9 |
nilfs2: fix incorrect inode allocation from reserved inodes
commit 93aef9eda1cea9e84ab2453fcceb8addad0e46f1 upstream.
If the bitmap block that manages the inode allocation status is corrupted,
nilfs_ifile_create_inode() may allocate a new inode from the reserved
inode area where it should not be allocated.
Previous fix commit d325dc6eb763 ("nilfs2: fix use-after-free bug of
struct nilfs_root"), fixed the problem that reserved inodes with inode
numbers less than NILFS_USER_INO (=11) were incorrectly reallocated due to
bitmap corruption, but since the start number of non-reserved inodes is
read from the super block and may change, in which case inode allocation
may occur from the extended reserved inode area.
If that happens, access to that inode will cause an IO error, causing the
file system to degrade to an error state.
Fix this potential issue by adding a wraparound option to the common
metadata object allocation routine and by modifying
nilfs_ifile_create_inode() to disable the option so that it only allocates
inodes with inode numbers greater than or equal to the inode number read
in "nilfs->ns_first_ino", regardless of the bitmap status of reserved
inodes.
Link: https://lkml.kernel.org/r/20240623051135.4180-4-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: Hillf Danton <hdanton@sina.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Ryusuke Konishi
|
2f2fa9cf7c |
nilfs2: add missing check for inode numbers on directory entries
commit bb76c6c274683c8570ad788f79d4b875bde0e458 upstream. Syzbot reported that mounting and unmounting a specific pattern of corrupted nilfs2 filesystem images causes a use-after-free of metadata file inodes, which triggers a kernel bug in lru_add_fn(). As Jan Kara pointed out, this is because the link count of a metadata file gets corrupted to 0, and nilfs_evict_inode(), which is called from iput(), tries to delete that inode (ifile inode in this case). The inconsistency occurs because directories containing the inode numbers of these metadata files that should not be visible in the namespace are read without checking. Fix this issue by treating the inode numbers of these internal files as errors in the sanity check helper when reading directory folios/pages. Also thanks to Hillf Danton and Matthew Wilcox for their initial mm-layer analysis. Link: https://lkml.kernel.org/r/20240623051135.4180-3-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Reported-by: syzbot+d79afb004be235636ee8@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=d79afb004be235636ee8 Reported-by: Jan Kara <jack@suse.cz> Closes: https://lkml.kernel.org/r/20240617075758.wewhukbrjod5fp5o@quack3 Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Cc: Hillf Danton <hdanton@sina.com> Cc: Matthew Wilcox (Oracle) <willy@infradead.org> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Ryusuke Konishi
|
731011ac6c |
nilfs2: fix inode number range checks
commit e2fec219a36e0993642844be0f345513507031f4 upstream. Patch series "nilfs2: fix potential issues related to reserved inodes". This series fixes one use-after-free issue reported by syzbot, caused by nilfs2's internal inode being exposed in the namespace on a corrupted filesystem, and a couple of flaws that cause problems if the starting number of non-reserved inodes written in the on-disk super block is intentionally (or corruptly) changed from its default value. This patch (of 3): In the current implementation of nilfs2, "nilfs->ns_first_ino", which gives the first non-reserved inode number, is read from the superblock, but its lower limit is not checked. As a result, if a number that overlaps with the inode number range of reserved inodes such as the root directory or metadata files is set in the super block parameter, the inode number test macros (NILFS_MDT_INODE and NILFS_VALID_INODE) will not function properly. In addition, these test macros use left bit-shift calculations using with the inode number as the shift count via the BIT macro, but the result of a shift calculation that exceeds the bit width of an integer is undefined in the C specification, so if "ns_first_ino" is set to a large value other than the default value NILFS_USER_INO (=11), the macros may potentially malfunction depending on the environment. Fix these issues by checking the lower bound of "nilfs->ns_first_ino" and by preventing bit shifts equal to or greater than the NILFS_USER_INO constant in the inode number test macros. Also, change the type of "ns_first_ino" from signed integer to unsigned integer to avoid the need for type casting in comparisons such as the lower bound check introduced this time. Link: https://lkml.kernel.org/r/20240623051135.4180-1-konishi.ryusuke@gmail.com Link: https://lkml.kernel.org/r/20240623051135.4180-2-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Cc: Hillf Danton <hdanton@sina.com> Cc: Jan Kara <jack@suse.cz> Cc: Matthew Wilcox (Oracle) <willy@infradead.org> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Wang Yong
|
6d6d94287f |
jffs2: Fix potential illegal address access in jffs2_free_inode
[ Upstream commit af9a8730ddb6a4b2edd779ccc0aceb994d616830 ] During the stress testing of the jffs2 file system,the following abnormal printouts were found: [ 2430.649000] Unable to handle kernel paging request at virtual address 0069696969696948 [ 2430.649622] Mem abort info: [ 2430.649829] ESR = 0x96000004 [ 2430.650115] EC = 0x25: DABT (current EL), IL = 32 bits [ 2430.650564] SET = 0, FnV = 0 [ 2430.650795] EA = 0, S1PTW = 0 [ 2430.651032] FSC = 0x04: level 0 translation fault [ 2430.651446] Data abort info: [ 2430.651683] ISV = 0, ISS = 0x00000004 [ 2430.652001] CM = 0, WnR = 0 [ 2430.652558] [0069696969696948] address between user and kernel address ranges [ 2430.653265] Internal error: Oops: 96000004 [#1] PREEMPT SMP [ 2430.654512] CPU: 2 PID: 20919 Comm: cat Not tainted 5.15.25-g512f31242bf6 #33 [ 2430.655008] Hardware name: linux,dummy-virt (DT) [ 2430.655517] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 2430.656142] pc : kfree+0x78/0x348 [ 2430.656630] lr : jffs2_free_inode+0x24/0x48 [ 2430.657051] sp : ffff800009eebd10 [ 2430.657355] x29: ffff800009eebd10 x28: 0000000000000001 x27: 0000000000000000 [ 2430.658327] x26: ffff000038f09d80 x25: 0080000000000000 x24: ffff800009d38000 [ 2430.658919] x23: 5a5a5a5a5a5a5a5a x22: ffff000038f09d80 x21: ffff8000084f0d14 [ 2430.659434] x20: ffff0000bf9a6ac0 x19: 0169696969696940 x18: 0000000000000000 [ 2430.659969] x17: ffff8000b6506000 x16: ffff800009eec000 x15: 0000000000004000 [ 2430.660637] x14: 0000000000000000 x13: 00000001000820a1 x12: 00000000000d1b19 [ 2430.661345] x11: 0004000800000000 x10: 0000000000000001 x9 : ffff8000084f0d14 [ 2430.662025] x8 : ffff0000bf9a6b40 x7 : ffff0000bf9a6b48 x6 : 0000000003470302 [ 2430.662695] x5 : ffff00002e41dcc0 x4 : ffff0000bf9aa3b0 x3 : 0000000003470342 [ 2430.663486] x2 : 0000000000000000 x1 : ffff8000084f0d14 x0 : fffffc0000000000 [ 2430.664217] Call trace: [ 2430.664528] kfree+0x78/0x348 [ 2430.664855] jffs2_free_inode+0x24/0x48 [ 2430.665233] i_callback+0x24/0x50 [ 2430.665528] rcu_do_batch+0x1ac/0x448 [ 2430.665892] rcu_core+0x28c/0x3c8 [ 2430.666151] rcu_core_si+0x18/0x28 [ 2430.666473] __do_softirq+0x138/0x3cc [ 2430.666781] irq_exit+0xf0/0x110 [ 2430.667065] handle_domain_irq+0x6c/0x98 [ 2430.667447] gic_handle_irq+0xac/0xe8 [ 2430.667739] call_on_irq_stack+0x28/0x54 The parameter passed to kfree was 5a5a5a5a, which corresponds to the target field of the jffs_inode_info structure. It was found that all variables in the jffs_inode_info structure were 5a5a5a5a, except for the first member sem. It is suspected that these variables are not initialized because they were set to 5a5a5a5a during memory testing, which is meant to detect uninitialized memory.The sem variable is initialized in the function jffs2_i_init_once, while other members are initialized in the function jffs2_init_inode_info. The function jffs2_init_inode_info is called after iget_locked, but in the iget_locked function, the destroy_inode process is triggered, which releases the inode and consequently, the target member of the inode is not initialized.In concurrent high pressure scenarios, iget_locked may enter the destroy_inode branch as described in the code. Since the destroy_inode functionality of jffs2 only releases the target, the fix method is to set target to NULL in jffs2_i_init_once. Signed-off-by: Wang Yong <wang.yong12@zte.com.cn> Reviewed-by: Lu Zhongjun <lu.zhongjun@zte.com.cn> Reviewed-by: Yang Tao <yang.tao172@zte.com.cn> Cc: Xu Xin <xu.xin16@zte.com.cn> Cc: Yang Yang <yang.yang29@zte.com.cn> Signed-off-by: Richard Weinberger <richard@nod.at> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Mike Marshall
|
1617249e24 |
orangefs: fix out-of-bounds fsid access
[ Upstream commit 53e4efa470d5fc6a96662d2d3322cfc925818517 ] Arnd Bergmann sent a patch to fsdevel, he says: "orangefs_statfs() copies two consecutive fields of the superblock into the statfs structure, which triggers a warning from the string fortification helpers" Jan Kara suggested an alternate way to do the patch to make it more readable. I ran both ideas through xfstests and both seem fine. This patch is based on Jan Kara's suggestion. Signed-off-by: Mike Marshall <hubcap@omnibond.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Greg Kroah-Hartman
|
2ebd481b31 |
Merge 5.10.221 into android12-5.10-lts
Changes in 5.10.221 tracing/selftests: Fix kprobe event name test for .isra. functions null_blk: Print correct max open zones limit in null_init_zoned_dev() wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup() wifi: cfg80211: pmsr: use correct nla_get_uX functions wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64 wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs ifdef wifi: iwlwifi: mvm: check n_ssids before accessing the ssids wifi: iwlwifi: mvm: don't read past the mfuart notifcation wifi: mac80211: correctly parse Spatial Reuse Parameter Set element net/ncsi: add NCSI Intel OEM command to keep PHY up net/ncsi: Simplify Kconfig/dts control flow net/ncsi: Fix the multi thread manner of NCSI driver ipv6: sr: block BH in seg6_output_core() and seg6_input_core() net: sched: sch_multiq: fix possible OOB write in multiq_tune() vxlan: Fix regression when dropping packets due to invalid src addresses tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP ptp: Fix error message on failed pin verification af_unix: Annotate data-race of sk->sk_state in unix_inq_len(). af_unix: Annotate data-races around sk->sk_state in unix_write_space() and poll(). af_unix: Annotate data-races around sk->sk_state in sendmsg() and recvmsg(). af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG. af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen. af_unix: Use unix_recvq_full_lockless() in unix_stream_connect(). af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen(). af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill(). ipv6: fix possible race in __fib6_drop_pcpu_from() usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete drm/amd/display: Handle Y carry-over in VCP X.Y calculation serial: sc16is7xx: replace hardcoded divisor value with BIT() macro serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler mmc: davinci: Don't strip remove function when driver is builtin selftests/mm: compaction_test: fix incorrect write of zero to nr_hugepages selftests/mm: conform test to TAP format output selftests/mm: compaction_test: fix bogus test success on Aarch64 btrfs: fix leak of qgroup extent records after transaction abort nilfs2: Remove check for PageError nilfs2: return the mapped address from nilfs_get_page() nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages mei: me: release irq in mei_me_pci_resume error path jfs: xattr: fix buffer overflow for invalid xattr xhci: Set correct transferred length for cancelled bulk transfers xhci: Apply reset resume quirk to Etron EJ188 xHCI host xhci: Apply broken streams quirk to Etron EJ188 xHCI host scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory powerpc/uaccess: Fix build errors seen with GCC 13/14 Input: try trimming too long modalias strings SUNRPC: return proper error from gss_wrap_req_priv gpio: tqmx86: fix typo in Kconfig label HID: core: remove unnecessary WARN_ON() in implement() gpio: tqmx86: store IRQ trigger type and unmask status separately iommu/amd: Introduce pci segment structure iommu/amd: Fix sysfs leak in iommu init iommu: Return right value in iommu_sva_bind_device() HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode() drm/vmwgfx: 3D disabled should not effect STDU memory limits net: sfp: Always call `sfp_sm_mod_remove()` on remove net: hns3: add cond_resched() to hns3 ring buffer init process liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet drm/komeda: check for error-valued pointer drm/bridge/panel: Fix runtime warning on panel bridge release tcp: fix race in tcp_v6_syn_recv_sock() net/mlx5e: Fix features validation check for tunneled UDP (non-VXLAN) packets Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type net: stmmac: replace priv->speed with the portTransmitRate from the tc-cbs parameters net/ipv6: Fix the RT cache flush via sysctl using a previous delay ionic: fix use after netif_napi_del() iio: adc: ad9467: fix scan type sign iio: dac: ad5592r: fix temperature channel scaling value iio: imu: inv_icm42600: delete unneeded update watermark call drivers: core: synchronize really_probe() and dev_uevent() drm/exynos/vidi: fix memory leak in .get_modes() drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found vmci: prevent speculation leaks by sanitizing event in event_deliver() fs/proc: fix softlockup in __read_vmcore ocfs2: use coarse time for new created files ocfs2: fix races between hole punching and AIO+DIO PCI: rockchip-ep: Remove wrong mask on subsys_vendor_id dmaengine: axi-dmac: fix possible race in remove() remoteproc: k3-r5: Do not allow core1 to power up before core0 via sysfs intel_th: pci: Add Granite Rapids support intel_th: pci: Add Granite Rapids SOC support intel_th: pci: Add Sapphire Rapids SOC support intel_th: pci: Add Meteor Lake-S support intel_th: pci: Add Lunar Lake support nilfs2: fix potential kernel bug due to lack of writeback flag waiting tick/nohz_full: Don't abuse smp_call_function_single() in tick_setup_device() serial: 8250_pxa: Configure tx_loadsz to match FIFO IRQ level hugetlb_encode.h: fix undefined behaviour (34 << 26) mptcp: ensure snd_una is properly initialized on connect mptcp: pm: inc RmAddr MIB counter once per RM_ADDR ID mptcp: pm: update add_addr counters after connect remoteproc: k3-r5: Jump to error handling labels in start/stop errors greybus: Fix use-after-free bug in gb_interface_release due to race condition. usb-storage: alauda: Check whether the media is initialized i2c: at91: Fix the functionality flags of the slave-only interface i2c: designware: Fix the functionality flags of the slave-only interface zap_pid_ns_processes: clear TIF_NOTIFY_SIGNAL along with TIF_SIGPENDING padata: Disable BH when taking works lock on MT path rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment rcutorture: Fix invalid context warning when enable srcu barrier testing block/ioctl: prefer different overflow check selftests/bpf: Prevent client connect before server bind in test_tc_tunnel.sh selftests/bpf: Fix flaky test btf_map_in_map/lookup_update batman-adv: bypass empty buckets in batadv_purge_orig_ref() wifi: ath9k: work around memset overflow warning af_packet: avoid a false positive warning in packet_setsockopt() drop_monitor: replace spin_lock by raw_spin_lock scsi: qedi: Fix crash while reading debugfs attribute kselftest: arm64: Add a null pointer check netpoll: Fix race condition in netpoll_owner_active HID: Add quirk for Logitech Casa touchpad ACPI: video: Add backlight=native quirk for Lenovo Slim 7 16ARH7 Bluetooth: ath3k: Fix multiple issues reported by checkpatch.pl drm/amd/display: Exit idle optimizations before HDCP execution ASoC: Intel: sof_sdw: add JD2 quirk for HP Omen 14 drm/lima: add mask irq callback to gp and pp drm/lima: mask irqs in timeout path before hard reset powerpc/pseries: Enforce hcall result buffer validity and size powerpc/io: Avoid clang null pointer arithmetic warnings power: supply: cros_usbpd: provide ID table for avoiding fallback match iommu/arm-smmu-v3: Free MSIs in case of ENOMEM f2fs: remove clear SB_INLINECRYPT flag in default_options usb: misc: uss720: check for incompatible versions of the Belkin F5U002 udf: udftime: prevent overflow in udf_disk_stamp_to_time() PCI/PM: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports MIPS: Octeon: Add PCIe link status check serial: exar: adding missing CTI and Exar PCI ids MIPS: Routerboard 532: Fix vendor retry check code mips: bmips: BCM6358: make sure CBR is correctly set tracing: Build event generation tests only as modules cipso: fix total option length computation netrom: Fix a memory leak in nr_heartbeat_expiry() ipv6: prevent possible NULL deref in fib6_nh_init() ipv6: prevent possible NULL dereference in rt6_probe() xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr() netns: Make get_net_ns() handle zero refcount net qca_spi: Make interrupt remembering atomic net/sched: act_api: rely on rcu in tcf_idr_check_alloc net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc() tipc: force a dst refcount before doing decryption net/sched: act_ct: set 'net' pointer when creating new nf_flow_table sched: act_ct: add netns into the key of tcf_ct_flow_table net: stmmac: No need to calculate speed divider when offload is disabled virtio_net: checksum offloading handling fix netfilter: ipset: Fix suspicious rcu_dereference_protected() net: usb: rtl8150 fix unintiatilzed variables in rtl8150_get_link_ksettings regulator: core: Fix modpost error "regulator_get_regmap" undefined dmaengine: ioat: switch from 'pci_' to 'dma_' API dmaengine: ioat: Drop redundant pci_enable_pcie_error_reporting() dmaengine: ioatdma: Fix leaking on version mismatch dmaengine: ioat: use PCI core macros for PCIe Capability dmaengine: ioatdma: Fix error path in ioat3_dma_probe() dmaengine: ioatdma: Fix kmemleak in ioat_pci_probe() dmaengine: ioatdma: Fix missing kmem_cache_destroy() ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine." RDMA/mlx5: Add check for srq max_sge attribute ALSA: hda/realtek: Limit mic boost on N14AP7 drm/radeon: fix UBSAN warning in kv_dpm.c gcov: add support for GCC 14 kcov: don't lose track of remote references during softirqs i2c: ocores: set IACK bit after core is enabled dt-bindings: i2c: google,cros-ec-i2c-tunnel: correct path to i2c-controller schema drm/amd/display: revert Exit idle optimizations before HDCP execution ARM: dts: samsung: smdkv310: fix keypad no-autorepeat ARM: dts: samsung: exynos4412-origen: fix keypad no-autorepeat ARM: dts: samsung: smdk4412: fix keypad no-autorepeat rtlwifi: rtl8192de: Style clean-ups wifi: rtlwifi: rtl8192de: Fix 5 GHz TX power pmdomain: ti-sci: Fix duplicate PD referrals knfsd: LOOKUP can return an illegal error value spmi: hisi-spmi-controller: Do not override device identifier bcache: fix variable length array abuse in btree_iter tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test x86/cpu/vfm: Add new macros to work with (vendor/family/model) values x86/cpu: Fix x86_match_cpu() to match just X86_VENDOR_INTEL r8169: remove unneeded memory barrier in rtl_tx r8169: improve rtl_tx r8169: improve rtl8169_start_xmit r8169: remove nr_frags argument from rtl_tx_slots_avail r8169: remove not needed check in rtl8169_start_xmit r8169: Fix possible ring buffer corruption on fragmented Tx packets. Revert "kheaders: substituting --sort in archive creation" kheaders: explicitly define file modes for archived headers perf/core: Fix missing wakeup when waiting for context reference PCI: Add PCI_ERROR_RESPONSE and related definitions x86/amd_nb: Check for invalid SMN reads cifs: missed ref-counting smb session in find smb: client: fix deadlock in smb2_find_smb_tcon() ACPI: Add quirks for AMD Renoir/Lucienne CPUs to force the D3 hint ACPI: x86: Add a quirk for Dell Inspiron 14 2-in-1 for StorageD3Enable ACPI: x86: Add another system to quirk list for forcing StorageD3Enable ACPI: x86: utils: Add Cezanne to the list for forcing StorageD3Enable ACPI: x86: utils: Add Picasso to the list for forcing StorageD3Enable ACPI: x86: Force StorageD3Enable on more products Input: ili210x - fix ili251x_read_touch_data() return value pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins pinctrl/rockchip: separate struct rockchip_pin_bank to a head file pinctrl: rockchip: use dedicated pinctrl type for RK3328 pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set drm/amdgpu: fix UBSAN warning in kv_dpm.c netfilter: nf_tables: validate family when identifying table via handle SUNRPC: Fix null pointer dereference in svc_rqst_free() SUNRPC: Fix a NULL pointer deref in trace_svc_stats_latency() SUNRPC: Fix svcxdr_init_decode's end-of-buffer calculation SUNRPC: Fix svcxdr_init_encode's buflen calculation nfsd: hold a lighter-weight client reference over CB_RECALL_ANY ASoC: fsl-asoc-card: set priv->pdev before using it net: dsa: microchip: fix initial port flush problem net: phy: micrel: add Microchip KSZ 9477 to the device table xdp: Move the rxq_info.mem clearing to unreg_mem_model() xdp: Allow registering memory model without rxq reference xdp: Remove WARN() from __xdp_reg_mem_model() sparc: fix old compat_sys_select() sparc: fix compat recv/recvfrom syscalls parisc: use correct compat recv/recvfrom syscalls netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep mtd: partitions: redboot: Added conversion of operands to a larger type bpf: Add a check for struct bpf_fib_lookup size net/iucv: Avoid explicit cpumask var allocation on stack net/dpaa2: Avoid explicit cpumask var allocation on stack ALSA: emux: improve patch ioctl data validation media: dvbdev: Initialize sbuf soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message drm/radeon/radeon_display: Decrease the size of allocated memory nvme: fixup comment for nvme RDMA Provider Type drm/panel: simple: Add missing display timing flags for KOE TX26D202VM0BWA gpio: davinci: Validate the obtained number of IRQs gpiolib: cdev: Disallow reconfiguration without direction (uAPI v1) x86: stop playing stack games in profile_pc() ocfs2: fix DIO failure due to insufficient transaction credits mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos mmc: sdhci: Do not invert write-protect twice mmc: sdhci: Do not lock spinlock around mmc_gpio_get_ro() counter: ti-eqep: enable clock at probe iio: adc: ad7266: Fix variable checking bug iio: chemical: bme680: Fix pressure value output iio: chemical: bme680: Fix calibration data variable iio: chemical: bme680: Fix overflows in compensate() functions iio: chemical: bme680: Fix sensor data read operation net: usb: ax88179_178a: improve link status logs usb: gadget: printer: SS+ support usb: gadget: printer: fix races against disable usb: musb: da8xx: fix a resource leak in probe() usb: atm: cxacru: fix endpoint checking in cxacru_bind() serial: 8250_omap: Implementation of Errata i2310 tty: mcf: MCF54418 has 10 UARTS net: can: j1939: Initialize unused data in j1939_send_one() net: can: j1939: recover socket queue on CAN bus error during BAM transmission net: can: j1939: enhanced error handling for tightly received RTS messages in xtp_rx_rts_session_new kbuild: Install dtb files as 0644 in Makefile.dtbinst csky, hexagon: fix broken sys_sync_file_range hexagon: fix fadvise64_64 calling conventions drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes drm/i915/gt: Fix potential UAF by revoke of fence registers drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes batman-adv: Don't accept TT entries for out-of-spec VIDs ata: ahci: Clean up sysfs file on error ata: libata-core: Fix double free on error ftruncate: pass a signed offset syscalls: fix compat_sys_io_pgetevents_time64 usage mtd: spinand: macronix: Add support for serial NAND flash pwm: stm32: Refuse too small period requests nfs: Leave pages in the pagecache if readpage failed ipv6: annotate some data-races around sk->sk_prot ipv6: Fix data races around sk->sk_prot. tcp: Fix data races around icsk->icsk_af_ops. drivers: fix typo in firmware/efi/memmap.c efi: Correct comment on efi_memmap_alloc efi: memmap: Move manipulation routines into x86 arch tree efi: xen: Set EFI_PARAVIRT for Xen dom0 boot on all architectures efi/x86: Free EFI memory map only when installing a new one. KVM: arm64: vgic-v4: Make the doorbell request robust w.r.t preemption ARM: dts: rockchip: rk3066a: add #sound-dai-cells to hdmi node arm64: dts: rockchip: Add sound-dai-cells for RK3368 xdp: xdp_mem_allocator can be NULL in trace_mem_connect(). serial: 8250_omap: Fix Errata i2310 with RX FIFO level check tracing/net_sched: NULL pointer dereference in perf_trace_qdisc_reset() Linux 5.10.221 Change-Id: Icac1c62fcbda5102be7ea031121f28d6fee36875 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
88eb084d18 |
Revert "Merge 5.10.220 into android12-5.10-lts"
This reverts commit |
||
|
Greg Kroah-Hartman
|
87a7f35a24 |
Merge 5.10.220 into android12-5.10-lts
Changes in 5.10.220
SUNRPC: Rename svc_encode_read_payload()
NFSD: Invoke svc_encode_result_payload() in "read" NFSD encoders
NFSD: A semicolon is not needed after a switch statement.
nfsd/nfs3: remove unused macro nfsd3_fhandleres
NFSD: Clean up the show_nf_may macro
NFSD: Remove extra "0x" in tracepoint format specifier
NFSD: Add SPDX header for fs/nfsd/trace.c
nfsd: Fix error return code in nfsd_file_cache_init()
SUNRPC: Add xdr_set_scratch_page() and xdr_reset_scratch_buffer()
SUNRPC: Prepare for xdr_stream-style decoding on the server-side
NFSD: Add common helpers to decode void args and encode void results
NFSD: Add tracepoints in nfsd_dispatch()
NFSD: Add tracepoints in nfsd4_decode/encode_compound()
NFSD: Replace the internals of the READ_BUF() macro
NFSD: Replace READ* macros in nfsd4_decode_access()
NFSD: Replace READ* macros in nfsd4_decode_close()
NFSD: Replace READ* macros in nfsd4_decode_commit()
NFSD: Change the way the expected length of a fattr4 is checked
NFSD: Replace READ* macros that decode the fattr4 size attribute
NFSD: Replace READ* macros that decode the fattr4 acl attribute
NFSD: Replace READ* macros that decode the fattr4 mode attribute
NFSD: Replace READ* macros that decode the fattr4 owner attribute
NFSD: Replace READ* macros that decode the fattr4 owner_group attribute
NFSD: Replace READ* macros that decode the fattr4 time_set attributes
NFSD: Replace READ* macros that decode the fattr4 security label attribute
NFSD: Replace READ* macros that decode the fattr4 umask attribute
NFSD: Replace READ* macros in nfsd4_decode_fattr()
NFSD: Replace READ* macros in nfsd4_decode_create()
NFSD: Replace READ* macros in nfsd4_decode_delegreturn()
NFSD: Replace READ* macros in nfsd4_decode_getattr()
NFSD: Replace READ* macros in nfsd4_decode_link()
NFSD: Relocate nfsd4_decode_opaque()
NFSD: Add helpers to decode a clientid4 and an NFSv4 state owner
NFSD: Add helper for decoding locker4
NFSD: Replace READ* macros in nfsd4_decode_lock()
NFSD: Replace READ* macros in nfsd4_decode_lockt()
NFSD: Replace READ* macros in nfsd4_decode_locku()
NFSD: Replace READ* macros in nfsd4_decode_lookup()
NFSD: Add helper to decode NFSv4 verifiers
NFSD: Add helper to decode OPEN's createhow4 argument
NFSD: Add helper to decode OPEN's openflag4 argument
NFSD: Replace READ* macros in nfsd4_decode_share_access()
NFSD: Replace READ* macros in nfsd4_decode_share_deny()
NFSD: Add helper to decode OPEN's open_claim4 argument
NFSD: Replace READ* macros in nfsd4_decode_open()
NFSD: Replace READ* macros in nfsd4_decode_open_confirm()
NFSD: Replace READ* macros in nfsd4_decode_open_downgrade()
NFSD: Replace READ* macros in nfsd4_decode_putfh()
NFSD: Replace READ* macros in nfsd4_decode_read()
NFSD: Replace READ* macros in nfsd4_decode_readdir()
NFSD: Replace READ* macros in nfsd4_decode_remove()
NFSD: Replace READ* macros in nfsd4_decode_rename()
NFSD: Replace READ* macros in nfsd4_decode_renew()
NFSD: Replace READ* macros in nfsd4_decode_secinfo()
NFSD: Replace READ* macros in nfsd4_decode_setattr()
NFSD: Replace READ* macros in nfsd4_decode_setclientid()
NFSD: Replace READ* macros in nfsd4_decode_setclientid_confirm()
NFSD: Replace READ* macros in nfsd4_decode_verify()
NFSD: Replace READ* macros in nfsd4_decode_write()
NFSD: Replace READ* macros in nfsd4_decode_release_lockowner()
NFSD: Replace READ* macros in nfsd4_decode_cb_sec()
NFSD: Replace READ* macros in nfsd4_decode_backchannel_ctl()
NFSD: Replace READ* macros in nfsd4_decode_bind_conn_to_session()
NFSD: Add a separate decoder to handle state_protect_ops
NFSD: Add a separate decoder for ssv_sp_parms
NFSD: Add a helper to decode state_protect4_a
NFSD: Add a helper to decode nfs_impl_id4
NFSD: Add a helper to decode channel_attrs4
NFSD: Replace READ* macros in nfsd4_decode_create_session()
NFSD: Replace READ* macros in nfsd4_decode_destroy_session()
NFSD: Replace READ* macros in nfsd4_decode_free_stateid()
NFSD: Replace READ* macros in nfsd4_decode_getdeviceinfo()
NFSD: Replace READ* macros in nfsd4_decode_layoutcommit()
NFSD: Replace READ* macros in nfsd4_decode_layoutget()
NFSD: Replace READ* macros in nfsd4_decode_layoutreturn()
NFSD: Replace READ* macros in nfsd4_decode_secinfo_no_name()
NFSD: Replace READ* macros in nfsd4_decode_sequence()
NFSD: Replace READ* macros in nfsd4_decode_test_stateid()
NFSD: Replace READ* macros in nfsd4_decode_destroy_clientid()
NFSD: Replace READ* macros in nfsd4_decode_reclaim_complete()
NFSD: Replace READ* macros in nfsd4_decode_fallocate()
NFSD: Replace READ* macros in nfsd4_decode_nl4_server()
NFSD: Replace READ* macros in nfsd4_decode_copy()
NFSD: Replace READ* macros in nfsd4_decode_copy_notify()
NFSD: Replace READ* macros in nfsd4_decode_offload_status()
NFSD: Replace READ* macros in nfsd4_decode_seek()
NFSD: Replace READ* macros in nfsd4_decode_clone()
NFSD: Replace READ* macros in nfsd4_decode_xattr_name()
NFSD: Replace READ* macros in nfsd4_decode_setxattr()
NFSD: Replace READ* macros in nfsd4_decode_listxattrs()
NFSD: Make nfsd4_ops::opnum a u32
NFSD: Replace READ* macros in nfsd4_decode_compound()
NFSD: Remove macros that are no longer used
nfsd: only call inode_query_iversion in the I_VERSION case
nfsd: simplify nfsd4_change_info
nfsd: minor nfsd4_change_attribute cleanup
nfsd4: don't query change attribute in v2/v3 case
Revert "nfsd4: support change_attr_type attribute"
nfsd: add a new EXPORT_OP_NOWCC flag to struct export_operations
nfsd: allow filesystems to opt out of subtree checking
nfsd: close cached files prior to a REMOVE or RENAME that would replace target
exportfs: Add a function to return the raw output from fh_to_dentry()
nfsd: Fix up nfsd to ensure that timeout errors don't result in ESTALE
nfsd: Set PF_LOCAL_THROTTLE on local filesystems only
nfsd: Record NFSv4 pre/post-op attributes as non-atomic
exec: Don't open code get_close_on_exec
exec: Move unshare_files to fix posix file locking during exec
exec: Simplify unshare_files
exec: Remove reset_files_struct
kcmp: In kcmp_epoll_target use fget_task
bpf: In bpf_task_fd_query use fget_task
proc/fd: In proc_fd_link use fget_task
Revert "fget: clarify and improve __fget_files() implementation"
file: Rename __fcheck_files to files_lookup_fd_raw
file: Factor files_lookup_fd_locked out of fcheck_files
file: Replace fcheck_files with files_lookup_fd_rcu
file: Rename fcheck lookup_fd_rcu
file: Implement task_lookup_fd_rcu
proc/fd: In tid_fd_mode use task_lookup_fd_rcu
kcmp: In get_file_raw_ptr use task_lookup_fd_rcu
file: Implement task_lookup_next_fd_rcu
proc/fd: In proc_readfd_common use task_lookup_next_fd_rcu
proc/fd: In fdinfo seq_show don't use get_files_struct
file: Merge __fd_install into fd_install
file: In f_dupfd read RLIMIT_NOFILE once.
file: Merge __alloc_fd into alloc_fd
file: Rename __close_fd to close_fd and remove the files parameter
file: Replace ksys_close with close_fd
inotify: Increase default inotify.max_user_watches limit to 1048576
fs/lockd: convert comma to semicolon
NFSD: Fix sparse warning in nfssvc.c
NFSD: Restore NFSv4 decoding's SAVEMEM functionality
SUNRPC: Make trace_svc_process() display the RPC procedure symbolically
SUNRPC: Display RPC procedure names instead of proc numbers
SUNRPC: Move definition of XDR_UNIT
NFSD: Update GETATTR3args decoder to use struct xdr_stream
NFSD: Update ACCESS3arg decoder to use struct xdr_stream
NFSD: Update READ3arg decoder to use struct xdr_stream
NFSD: Update WRITE3arg decoder to use struct xdr_stream
NFSD: Update READLINK3arg decoder to use struct xdr_stream
NFSD: Fix returned READDIR offset cookie
NFSD: Add helper to set up the pages where the dirlist is encoded
NFSD: Update READDIR3args decoders to use struct xdr_stream
NFSD: Update COMMIT3arg decoder to use struct xdr_stream
NFSD: Update the NFSv3 DIROPargs decoder to use struct xdr_stream
NFSD: Update the RENAME3args decoder to use struct xdr_stream
NFSD: Update the LINK3args decoder to use struct xdr_stream
NFSD: Update the SETATTR3args decoder to use struct xdr_stream
NFSD: Update the CREATE3args decoder to use struct xdr_stream
NFSD: Update the MKDIR3args decoder to use struct xdr_stream
NFSD: Update the SYMLINK3args decoder to use struct xdr_stream
NFSD: Update the MKNOD3args decoder to use struct xdr_stream
NFSD: Update the NFSv2 GETATTR argument decoder to use struct xdr_stream
NFSD: Update the NFSv2 READ argument decoder to use struct xdr_stream
NFSD: Update the NFSv2 WRITE argument decoder to use struct xdr_stream
NFSD: Update the NFSv2 READLINK argument decoder to use struct xdr_stream
NFSD: Add helper to set up the pages where the dirlist is encoded
NFSD: Update the NFSv2 READDIR argument decoder to use struct xdr_stream
NFSD: Update NFSv2 diropargs decoding to use struct xdr_stream
NFSD: Update the NFSv2 RENAME argument decoder to use struct xdr_stream
NFSD: Update the NFSv2 LINK argument decoder to use struct xdr_stream
NFSD: Update the NFSv2 SETATTR argument decoder to use struct xdr_stream
NFSD: Update the NFSv2 CREATE argument decoder to use struct xdr_stream
NFSD: Update the NFSv2 SYMLINK argument decoder to use struct xdr_stream
NFSD: Remove argument length checking in nfsd_dispatch()
NFSD: Update the NFSv2 GETACL argument decoder to use struct xdr_stream
NFSD: Add an xdr_stream-based decoder for NFSv2/3 ACLs
NFSD: Update the NFSv2 SETACL argument decoder to use struct xdr_stream
NFSD: Update the NFSv2 ACL GETATTR argument decoder to use struct xdr_stream
NFSD: Update the NFSv2 ACL ACCESS argument decoder to use struct xdr_stream
NFSD: Clean up after updating NFSv2 ACL decoders
NFSD: Update the NFSv3 GETACL argument decoder to use struct xdr_stream
NFSD: Update the NFSv2 SETACL argument decoder to use struct xdr_stream
NFSD: Clean up after updating NFSv3 ACL decoders
nfsd: remove unused stats counters
nfsd: protect concurrent access to nfsd stats counters
nfsd: report per-export stats
nfsd4: simplify process_lookup1
nfsd: simplify process_lock
nfsd: simplify nfsd_renew
nfsd: rename lookup_clientid->set_client
nfsd: refactor set_client
nfsd: find_cpntf_state cleanup
nfsd: remove unused set_client argument
nfsd: simplify nfsd4_check_open_reclaim
nfsd: cstate->session->se_client -> cstate->clp
NFSv4_2: SSC helper should use its own config.
nfs: use change attribute for NFS re-exports
nfsd: skip some unnecessary stats in the v4 case
inotify, memcg: account inotify instances to kmemcg
module: unexport find_module and module_mutex
module: use RCU to synchronize find_module
kallsyms: refactor {,module_}kallsyms_on_each_symbol
kallsyms: only build {,module_}kallsyms_on_each_symbol when required
fs: add file and path permissions helpers
namei: introduce struct renamedata
NFSD: Extract the svcxdr_init_encode() helper
NFSD: Update the GETATTR3res encoder to use struct xdr_stream
NFSD: Update the NFSv3 ACCESS3res encoder to use struct xdr_stream
NFSD: Update the NFSv3 LOOKUP3res encoder to use struct xdr_stream
NFSD: Update the NFSv3 wccstat result encoder to use struct xdr_stream
NFSD: Update the NFSv3 READLINK3res encoder to use struct xdr_stream
NFSD: Update the NFSv3 READ3res encode to use struct xdr_stream
NFSD: Update the NFSv3 WRITE3res encoder to use struct xdr_stream
NFSD: Update the NFSv3 CREATE family of encoders to use struct xdr_stream
NFSD: Update the NFSv3 RENAMEv3res encoder to use struct xdr_stream
NFSD: Update the NFSv3 LINK3res encoder to use struct xdr_stream
NFSD: Update the NFSv3 FSSTAT3res encoder to use struct xdr_stream
NFSD: Update the NFSv3 FSINFO3res encoder to use struct xdr_stream
NFSD: Update the NFSv3 PATHCONF3res encoder to use struct xdr_stream
NFSD: Update the NFSv3 COMMIT3res encoder to use struct xdr_stream
NFSD: Add a helper that encodes NFSv3 directory offset cookies
NFSD: Count bytes instead of pages in the NFSv3 READDIR encoder
NFSD: Update the NFSv3 READDIR3res encoder to use struct xdr_stream
NFSD: Update NFSv3 READDIR entry encoders to use struct xdr_stream
NFSD: Remove unused NFSv3 directory entry encoders
NFSD: Reduce svc_rqst::rq_pages churn during READDIR operations
NFSD: Update the NFSv2 stat encoder to use struct xdr_stream
NFSD: Update the NFSv2 attrstat encoder to use struct xdr_stream
NFSD: Update the NFSv2 diropres encoder to use struct xdr_stream
NFSD: Update the NFSv2 READLINK result encoder to use struct xdr_stream
NFSD: Update the NFSv2 READ result encoder to use struct xdr_stream
NFSD: Update the NFSv2 STATFS result encoder to use struct xdr_stream
NFSD: Add a helper that encodes NFSv3 directory offset cookies
NFSD: Count bytes instead of pages in the NFSv2 READDIR encoder
NFSD: Update the NFSv2 READDIR result encoder to use struct xdr_stream
NFSD: Update the NFSv2 READDIR entry encoder to use struct xdr_stream
NFSD: Remove unused NFSv2 directory entry encoders
NFSD: Add an xdr_stream-based encoder for NFSv2/3 ACLs
NFSD: Update the NFSv2 GETACL result encoder to use struct xdr_stream
NFSD: Update the NFSv2 SETACL result encoder to use struct xdr_stream
NFSD: Update the NFSv2 ACL GETATTR result encoder to use struct xdr_stream
NFSD: Update the NFSv2 ACL ACCESS result encoder to use struct xdr_stream
NFSD: Clean up after updating NFSv2 ACL encoders
NFSD: Update the NFSv3 GETACL result encoder to use struct xdr_stream
NFSD: Update the NFSv3 SETACL result encoder to use struct xdr_stream
NFSD: Clean up after updating NFSv3 ACL encoders
NFSD: Add a tracepoint to record directory entry encoding
NFSD: Clean up NFSDDBG_FACILITY macro
nfsd: helper for laundromat expiry calculations
nfsd: Log client tracking type log message as info instead of warning
nfsd: Fix typo "accesible"
nfsd: COPY with length 0 should copy to end of file
nfsd: don't ignore high bits of copy count
nfsd: report client confirmation status in "info" file
SUNRPC: Export svc_xprt_received()
UAPI: nfsfh.h: Replace one-element array with flexible-array member
NFSD: Use DEFINE_SPINLOCK() for spinlock
fsnotify: allow fsnotify_{peek,remove}_first_event with empty queue
Revert "fanotify: limit number of event merge attempts"
fanotify: reduce event objectid to 29-bit hash
fanotify: mix event info and pid into merge key hash
fsnotify: use hash table for faster events merge
fanotify: limit number of event merge attempts
fanotify: configurable limits via sysfs
fanotify: support limited functionality for unprivileged users
fanotify_user: use upper_32_bits() to verify mask
nfsd: remove unused function
nfsd: removed unused argument in nfsd_startup_generic()
nfsd: hash nfs4_files by inode number
nfsd: track filehandle aliasing in nfs4_files
nfsd: reshuffle some code
nfsd: grant read delegations to clients holding writes
nfsd: Fix fall-through warnings for Clang
NFSv4.2: Remove ifdef CONFIG_NFSD from NFSv4.2 client SSC code.
NFS: fix nfs_fetch_iversion()
fanotify: fix permission model of unprivileged group
NFSD: Add an RPC authflavor tracepoint display helper
NFSD: Add nfsd_clid_cred_mismatch tracepoint
NFSD: Add nfsd_clid_verf_mismatch tracepoint
NFSD: Remove trace_nfsd_clid_inuse_err
NFSD: Add nfsd_clid_confirmed tracepoint
NFSD: Add nfsd_clid_reclaim_complete tracepoint
NFSD: Add nfsd_clid_destroyed tracepoint
NFSD: Add a couple more nfsd_clid_expired call sites
NFSD: Add tracepoints for SETCLIENTID edge cases
NFSD: Add tracepoints for EXCHANGEID edge cases
NFSD: Constify @fh argument of knfsd_fh_hash()
NFSD: Capture every CB state transition
NFSD: Drop TRACE_DEFINE_ENUM for NFSD4_CB_<state> macros
NFSD: Add cb_lost tracepoint
NFSD: Adjust cb_shutdown tracepoint
NFSD: Enhance the nfsd_cb_setup tracepoint
NFSD: Add an nfsd_cb_lm_notify tracepoint
NFSD: Add an nfsd_cb_offload tracepoint
NFSD: Replace the nfsd_deleg_break tracepoint
NFSD: Add an nfsd_cb_probe tracepoint
NFSD: Remove the nfsd_cb_work and nfsd_cb_done tracepoints
NFSD: Update nfsd_cb_args tracepoint
nfsd: Prevent truncation of an unlinked inode from blocking access to its directory
nfsd: move some commit_metadata()s outside the inode lock
NFSD add vfs_fsync after async copy is done
NFSD: delay unmount source's export after inter-server copy completed.
nfsd: move fsnotify on client creation outside spinlock
nfsd4: Expose the callback address and state of each NFS4 client
nfsd: fix kernel test robot warning in SSC code
NFSD: Fix error return code in nfsd4_interssc_connect()
nfsd: rpc_peeraddr2str needs rcu lock
lockd: Remove stale comments
lockd: Create a simplified .vs_dispatch method for NLM requests
lockd: Common NLM XDR helpers
lockd: Update the NLMv1 void argument decoder to use struct xdr_stream
lockd: Update the NLMv1 TEST arguments decoder to use struct xdr_stream
lockd: Update the NLMv1 LOCK arguments decoder to use struct xdr_stream
lockd: Update the NLMv1 CANCEL arguments decoder to use struct xdr_stream
lockd: Update the NLMv1 UNLOCK arguments decoder to use struct xdr_stream
lockd: Update the NLMv1 nlm_res arguments decoder to use struct xdr_stream
lockd: Update the NLMv1 SM_NOTIFY arguments decoder to use struct xdr_stream
lockd: Update the NLMv1 SHARE arguments decoder to use struct xdr_stream
lockd: Update the NLMv1 FREE_ALL arguments decoder to use struct xdr_stream
lockd: Update the NLMv1 void results encoder to use struct xdr_stream
lockd: Update the NLMv1 TEST results encoder to use struct xdr_stream
lockd: Update the NLMv1 nlm_res results encoder to use struct xdr_stream
lockd: Update the NLMv1 SHARE results encoder to use struct xdr_stream
lockd: Update the NLMv4 void arguments decoder to use struct xdr_stream
lockd: Update the NLMv4 TEST arguments decoder to use struct xdr_stream
lockd: Update the NLMv4 LOCK arguments decoder to use struct xdr_stream
lockd: Update the NLMv4 CANCEL arguments decoder to use struct xdr_stream
lockd: Update the NLMv4 UNLOCK arguments decoder to use struct xdr_stream
lockd: Update the NLMv4 nlm_res arguments decoder to use struct xdr_stream
lockd: Update the NLMv4 SM_NOTIFY arguments decoder to use struct xdr_stream
lockd: Update the NLMv4 SHARE arguments decoder to use struct xdr_stream
lockd: Update the NLMv4 FREE_ALL arguments decoder to use struct xdr_stream
lockd: Update the NLMv4 void results encoder to use struct xdr_stream
lockd: Update the NLMv4 TEST results encoder to use struct xdr_stream
lockd: Update the NLMv4 nlm_res results encoder to use struct xdr_stream
lockd: Update the NLMv4 SHARE results encoder to use struct xdr_stream
nfsd: remove redundant assignment to pointer 'this'
NFSD: Prevent a possible oops in the nfs_dirent() tracepoint
nfsd: fix NULL dereference in nfs3svc_encode_getaclres
kernel/pid.c: remove static qualifier from pidfd_create()
kernel/pid.c: implement additional checks upon pidfd_create() parameters
fanotify: minor cosmetic adjustments to fid labels
fanotify: introduce a generic info record copying helper
fanotify: add pidfd support to the fanotify API
fsnotify: replace igrab() with ihold() on attach connector
fsnotify: count s_fsnotify_inode_refs for attached connectors
fsnotify: count all objects with attached connectors
fsnotify: optimize the case of no marks of any type
NFSD: Clean up splice actor
SUNRPC: Add svc_rqst_replace_page() API
NFSD: Batch release pages during splice read
NFSD: remove vanity comments
sysctl: introduce new proc handler proc_dobool
lockd: change the proc_handler for nsm_use_hostnames
nlm: minor nlm_lookup_file argument change
nlm: minor refactoring
lockd: update nlm_lookup_file reexport comment
Keep read and write fds with each nlm_file
nfs: don't atempt blocking locks on nfs reexports
lockd: don't attempt blocking locks on nfs reexports
nfs: don't allow reexport reclaims
SUNRPC: Add svc_rqst::rq_auth_stat
SUNRPC: Set rq_auth_stat in the pg_authenticate() callout
SUNRPC: Eliminate the RQ_AUTHERR flag
NFS: Add a private local dispatcher for NFSv4 callback operations
NFS: Remove unused callback void decoder
fsnotify: fix sb_connectors leak
NLM: Fix svcxdr_encode_owner()
nfsd: Fix a warning for nfsd_file_close_inode
fsnotify: pass data_type to fsnotify_name()
fsnotify: pass dentry instead of inode data
fsnotify: clarify contract for create event hooks
fsnotify: Don't insert unmergeable events in hashtable
fanotify: Fold event size calculation to its own function
fanotify: Split fsid check from other fid mode checks
inotify: Don't force FS_IN_IGNORED
fsnotify: Add helper to detect overflow_event
fsnotify: Add wrapper around fsnotify_add_event
fsnotify: Retrieve super block from the data field
fsnotify: Protect fsnotify_handle_inode_event from no-inode events
fsnotify: Pass group argument to free_event
fanotify: Support null inode event in fanotify_dfid_inode
fanotify: Allow file handle encoding for unhashed events
fanotify: Encode empty file handle when no inode is provided
fanotify: Require fid_mode for any non-fd event
fsnotify: Support FS_ERROR event type
fanotify: Reserve UAPI bits for FAN_FS_ERROR
fanotify: Pre-allocate pool of error events
fanotify: Support enqueueing of error events
fanotify: Support merging of error events
fanotify: Wrap object_fh inline space in a creator macro
fanotify: Add helpers to decide whether to report FID/DFID
fanotify: WARN_ON against too large file handles
fanotify: Report fid info for file related file system errors
fanotify: Emit generic error info for error event
fanotify: Allow users to request FAN_FS_ERROR events
SUNRPC: Trace calls to .rpc_call_done
NFSD: Optimize DRC bucket pruning
NFSD: move filehandle format declarations out of "uapi".
NFSD: drop support for ancient filehandles
NFSD: simplify struct nfsfh
NFSD: Initialize pointer ni with NULL and not plain integer 0
NFSD: Have legacy NFSD WRITE decoders use xdr_stream_subsegment()
SUNRPC: Replace the "__be32 *p" parameter to .pc_decode
SUNRPC: Change return value type of .pc_decode
NFSD: Save location of NFSv4 COMPOUND status
SUNRPC: Replace the "__be32 *p" parameter to .pc_encode
SUNRPC: Change return value type of .pc_encode
nfsd: update create verifier comment
NFSD:fix boolreturn.cocci warning
nfsd4: remove obselete comment
NFSD: Fix exposure in nfsd4_decode_bitmap()
NFSD: Fix READDIR buffer overflow
fsnotify: clarify object type argument
fsnotify: separate mark iterator type from object type enum
fanotify: introduce group flag FAN_REPORT_TARGET_FID
fsnotify: generate FS_RENAME event with rich information
fanotify: use macros to get the offset to fanotify_info buffer
fanotify: use helpers to parcel fanotify_info buffer
fanotify: support secondary dir fh and name in fanotify_info
fanotify: record old and new parent and name in FAN_RENAME event
fanotify: record either old name new name or both for FAN_RENAME
fanotify: report old and/or new parent+name in FAN_RENAME event
fanotify: wire up FAN_RENAME event
exit: Implement kthread_exit
exit: Rename module_put_and_exit to module_put_and_kthread_exit
NFSD: Fix sparse warning
NFSD: handle errors better in write_ports_addfd()
SUNRPC: change svc_get() to return the svc.
SUNRPC/NFSD: clean up get/put functions.
SUNRPC: stop using ->sv_nrthreads as a refcount
nfsd: make nfsd_stats.th_cnt atomic_t
SUNRPC: use sv_lock to protect updates to sv_nrthreads.
NFSD: narrow nfsd_mutex protection in nfsd thread
NFSD: Make it possible to use svc_set_num_threads_sync
SUNRPC: discard svo_setup and rename svc_set_num_threads_sync()
NFSD: simplify locking for network notifier.
lockd: introduce nlmsvc_serv
lockd: simplify management of network status notifiers
lockd: move lockd_start_svc() call into lockd_create_svc()
lockd: move svc_exit_thread() into the thread
lockd: introduce lockd_put()
lockd: rename lockd_create_svc() to lockd_get()
SUNRPC: move the pool_map definitions (back) into svc.c
SUNRPC: always treat sv_nrpools==1 as "not pooled"
lockd: use svc_set_num_threads() for thread start and stop
NFS: switch the callback service back to non-pooled.
NFSD: Remove be32_to_cpu() from DRC hash function
NFSD: Fix inconsistent indenting
NFSD: simplify per-net file cache management
NFSD: Combine XDR error tracepoints
nfsd: improve stateid access bitmask documentation
NFSD: De-duplicate nfsd4_decode_bitmap4()
nfs: block notification on fs with its own ->lock
nfsd4: add refcount for nfsd4_blocked_lock
NFSD: Fix zero-length NFSv3 WRITEs
nfsd: map EBADF
nfsd: Add errno mapping for EREMOTEIO
nfsd: Retry once in nfsd_open on an -EOPENSTALE return
NFSD: Clean up nfsd_vfs_write()
NFSD: De-duplicate net_generic(SVC_NET(rqstp), nfsd_net_id)
NFSD: De-duplicate net_generic(nf->nf_net, nfsd_net_id)
nfsd: Add a tracepoint for errors in nfsd4_clone_file_range()
NFSD: Write verifier might go backwards
NFSD: Clean up the nfsd_net::nfssvc_boot field
NFSD: Rename boot verifier functions
NFSD: Trace boot verifier resets
Revert "nfsd: skip some unnecessary stats in the v4 case"
NFSD: Move fill_pre_wcc() and fill_post_wcc()
nfsd: fix crash on COPY_NOTIFY with special stateid
fanotify: remove variable set but not used
lockd: fix server crash on reboot of client holding lock
lockd: fix failure to cleanup client locks
NFSD: Fix the behavior of READ near OFFSET_MAX
NFSD: Fix ia_size underflow
NFSD: Fix NFSv3 SETATTR/CREATE's handling of large file sizes
NFSD: COMMIT operations must not return NFS?ERR_INVAL
NFSD: Deprecate NFS_OFFSET_MAX
nfsd: Add support for the birth time attribute
NFSD: De-duplicate hash bucket indexing
NFSD: Skip extra computation for RC_NOCACHE case
NFSD: Streamline the rare "found" case
SUNRPC: Remove the .svo_enqueue_xprt method
SUNRPC: Merge svc_do_enqueue_xprt() into svc_enqueue_xprt()
SUNRPC: Remove svo_shutdown method
SUNRPC: Rename svc_create_xprt()
SUNRPC: Rename svc_close_xprt()
SUNRPC: Remove svc_shutdown_net()
NFSD: Remove svc_serv_ops::svo_module
NFSD: Move svc_serv_ops::svo_function into struct svc_serv
NFSD: Remove CONFIG_NFSD_V3
NFSD: Clean up _lm_ operation names
nfsd: fix using the correct variable for sizeof()
fsnotify: fix merge with parent's ignored mask
fsnotify: optimize FS_MODIFY events with no ignored masks
fsnotify: remove redundant parameter judgment
SUNRPC: Return true/false (not 1/0) from bool functions
nfsd: Fix a write performance regression
nfsd: Clean up nfsd_file_put()
fanotify: do not allow setting dirent events in mask of non-dir
fs/lock: documentation cleanup. Replace inode->i_lock with flc_lock.
inotify: move control flags from mask to mark flags
fsnotify: pass flags argument to fsnotify_alloc_group()
fsnotify: make allow_dups a property of the group
fsnotify: create helpers for group mark_mutex lock
inotify: use fsnotify group lock helpers
nfsd: use fsnotify group lock helpers
dnotify: use fsnotify group lock helpers
fsnotify: allow adding an inode mark without pinning inode
fanotify: create helper fanotify_mark_user_flags()
fanotify: factor out helper fanotify_mark_update_flags()
fanotify: implement "evictable" inode marks
fanotify: use fsnotify group lock helpers
fanotify: enable "evictable" inode marks
fsnotify: introduce mark type iterator
fsnotify: consistent behavior for parent not watching children
fanotify: fix incorrect fmode_t casts
NFSD: Clean up nfsd_splice_actor()
NFSD: add courteous server support for thread with only delegation
NFSD: add support for share reservation conflict to courteous server
NFSD: move create/destroy of laundry_wq to init_nfsd and exit_nfsd
fs/lock: add helper locks_owner_has_blockers to check for blockers
fs/lock: add 2 callbacks to lock_manager_operations to resolve conflict
NFSD: add support for lock conflict to courteous server
NFSD: Show state of courtesy client in client info
NFSD: Clean up nfsd3_proc_create()
NFSD: Avoid calling fh_drop_write() twice in do_nfsd_create()
NFSD: Refactor nfsd_create_setattr()
NFSD: Refactor NFSv3 CREATE
NFSD: Refactor NFSv4 OPEN(CREATE)
NFSD: Remove do_nfsd_create()
NFSD: Clean up nfsd_open_verified()
NFSD: Instantiate a struct file when creating a regular NFSv4 file
NFSD: Remove dprintk call sites from tail of nfsd4_open()
NFSD: Fix whitespace
NFSD: Move documenting comment for nfsd4_process_open2()
NFSD: Trace filecache opens
NFSD: Clean up the show_nf_flags() macro
SUNRPC: Use RMW bitops in single-threaded hot paths
nfsd: Unregister the cld notifier when laundry_wq create failed
nfsd: Fix null-ptr-deref in nfsd_fill_super()
nfsd: destroy percpu stats counters after reply cache shutdown
NFSD: Modernize nfsd4_release_lockowner()
NFSD: Add documenting comment for nfsd4_release_lockowner()
NFSD: nfsd_file_put() can sleep
NFSD: Fix potential use-after-free in nfsd_file_put()
SUNRPC: Optimize xdr_reserve_space()
fanotify: refine the validation checks on non-dir inode mask
NFS: restore module put when manager exits.
NFSD: Decode NFSv4 birth time attribute
lockd: set fl_owner when unlocking files
lockd: fix nlm_close_files
fs: inotify: Fix typo in inotify comment
fanotify: prepare for setting event flags in ignore mask
fanotify: cleanups for fanotify_mark() input validations
fanotify: introduce FAN_MARK_IGNORE
fsnotify: Fix comment typo
nfsd: eliminate the NFSD_FILE_BREAK_* flags
SUNRPC: Fix xdr_encode_bool()
NLM: Defend against file_lock changes after vfs_test_lock()
NFSD: Fix space and spelling mistake
nfsd: remove redundant assignment to variable len
NFSD: Demote a WARN to a pr_warn()
NFSD: Report filecache LRU size
NFSD: Report count of calls to nfsd_file_acquire()
NFSD: Report count of freed filecache items
NFSD: Report average age of filecache items
NFSD: Add nfsd_file_lru_dispose_list() helper
NFSD: Refactor nfsd_file_gc()
NFSD: Refactor nfsd_file_lru_scan()
NFSD: Report the number of items evicted by the LRU walk
NFSD: Record number of flush calls
NFSD: Zero counters when the filecache is re-initialized
NFSD: Hook up the filecache stat file
NFSD: WARN when freeing an item still linked via nf_lru
NFSD: Trace filecache LRU activity
NFSD: Leave open files out of the filecache LRU
NFSD: Fix the filecache LRU shrinker
NFSD: Never call nfsd_file_gc() in foreground paths
NFSD: No longer record nf_hashval in the trace log
NFSD: Remove lockdep assertion from unhash_and_release_locked()
NFSD: nfsd_file_unhash can compute hashval from nf->nf_inode
NFSD: Refactor __nfsd_file_close_inode()
NFSD: nfsd_file_hash_remove can compute hashval
NFSD: Remove nfsd_file::nf_hashval
NFSD: Replace the "init once" mechanism
NFSD: Set up an rhashtable for the filecache
NFSD: Convert the filecache to use rhashtable
NFSD: Clean up unused code after rhashtable conversion
NFSD: Separate tracepoints for acquire and create
NFSD: Move nfsd_file_trace_alloc() tracepoint
NFSD: NFSv4 CLOSE should release an nfsd_file immediately
NFSD: Ensure nf_inode is never dereferenced
NFSD: refactoring v4 specific code to a helper in nfs4state.c
NFSD: keep track of the number of v4 clients in the system
NFSD: limit the number of v4 clients to 1024 per 1GB of system memory
nfsd: silence extraneous printk on nfsd.ko insertion
NFSD: Optimize nfsd4_encode_operation()
NFSD: Optimize nfsd4_encode_fattr()
NFSD: Clean up SPLICE_OK in nfsd4_encode_read()
NFSD: Add an nfsd4_read::rd_eof field
NFSD: Optimize nfsd4_encode_readv()
NFSD: Simplify starting_len
NFSD: Use xdr_pad_size()
NFSD: Clean up nfsd4_encode_readlink()
NFSD: Fix strncpy() fortify warning
NFSD: nfserrno(-ENOMEM) is nfserr_jukebox
NFSD: Shrink size of struct nfsd4_copy_notify
NFSD: Shrink size of struct nfsd4_copy
NFSD: Reorder the fields in struct nfsd4_op
NFSD: Make nfs4_put_copy() static
NFSD: Replace boolean fields in struct nfsd4_copy
NFSD: Refactor nfsd4_cleanup_inter_ssc() (1/2)
NFSD: Refactor nfsd4_cleanup_inter_ssc() (2/2)
NFSD: Refactor nfsd4_do_copy()
NFSD: Remove kmalloc from nfsd4_do_async_copy()
NFSD: Add nfsd4_send_cb_offload()
NFSD: Move copy offload callback arguments into a separate structure
NFSD: drop fh argument from alloc_init_deleg
NFSD: verify the opened dentry after setting a delegation
NFSD: introduce struct nfsd_attrs
NFSD: set attributes when creating symlinks
NFSD: add security label to struct nfsd_attrs
NFSD: add posix ACLs to struct nfsd_attrs
NFSD: change nfsd_create()/nfsd_symlink() to unlock directory before returning.
NFSD: always drop directory lock in nfsd_unlink()
NFSD: only call fh_unlock() once in nfsd_link()
NFSD: reduce locking in nfsd_lookup()
NFSD: use explicit lock/unlock for directory ops
NFSD: use (un)lock_inode instead of fh_(un)lock for file operations
NFSD: discard fh_locked flag and fh_lock/fh_unlock
lockd: detect and reject lock arguments that overflow
NFSD: fix regression with setting ACLs.
nfsd_splice_actor(): handle compound pages
NFSD: move from strlcpy with unused retval to strscpy
lockd: move from strlcpy with unused retval to strscpy
NFSD enforce filehandle check for source file in COPY
NFSD: remove redundant variable status
nfsd: Avoid some useless tests
nfsd: Propagate some error code returned by memdup_user()
NFSD: Increase NFSD_MAX_OPS_PER_COMPOUND
NFSD: Protect against send buffer overflow in NFSv2 READDIR
NFSD: Protect against send buffer overflow in NFSv3 READDIR
NFSD: Protect against send buffer overflow in NFSv2 READ
NFSD: Protect against send buffer overflow in NFSv3 READ
NFSD: drop fname and flen args from nfsd_create_locked()
NFSD: Fix handling of oversized NFSv4 COMPOUND requests
nfsd: clean up mounted_on_fileid handling
nfsd: remove nfsd4_prepare_cb_recall() declaration
NFSD: Add tracepoints to report NFSv4 callback completions
NFSD: Add a mechanism to wait for a DELEGRETURN
NFSD: Refactor nfsd_setattr()
NFSD: Make nfsd4_setattr() wait before returning NFS4ERR_DELAY
NFSD: Make nfsd4_rename() wait before returning NFS4ERR_DELAY
NFSD: Make nfsd4_remove() wait before returning NFS4ERR_DELAY
NFSD: keep track of the number of courtesy clients in the system
NFSD: add shrinker to reap courtesy clients on low memory condition
SUNRPC: Parametrize how much of argsize should be zeroed
NFSD: Reduce amount of struct nfsd4_compoundargs that needs clearing
NFSD: Refactor common code out of dirlist helpers
NFSD: Use xdr_inline_decode() to decode NFSv3 symlinks
NFSD: Clean up WRITE arg decoders
NFSD: Clean up nfs4svc_encode_compoundres()
NFSD: Remove "inline" directives on op_rsize_bop helpers
NFSD: Remove unused nfsd4_compoundargs::cachetype field
NFSD: Pack struct nfsd4_compoundres
nfsd: use DEFINE_PROC_SHOW_ATTRIBUTE to define nfsd_proc_ops
nfsd: use DEFINE_SHOW_ATTRIBUTE to define export_features_fops and supported_enctypes_fops
nfsd: use DEFINE_SHOW_ATTRIBUTE to define client_info_fops
nfsd: use DEFINE_SHOW_ATTRIBUTE to define nfsd_reply_cache_stats_fops
nfsd: use DEFINE_SHOW_ATTRIBUTE to define nfsd_file_cache_stats_fops
NFSD: Rename the fields in copy_stateid_t
NFSD: Cap rsize_bop result based on send buffer size
nfsd: only fill out return pointer on success in nfsd4_lookup_stateid
nfsd: fix comments about spinlock handling with delegations
nfsd: make nfsd4_run_cb a bool return function
nfsd: extra checks when freeing delegation stateids
fs/notify: constify path
fsnotify: remove unused declaration
fanotify: Remove obsoleted fanotify_event_has_path()
nfsd: fix nfsd_file_unhash_and_dispose
nfsd: rework hashtable handling in nfsd_do_file_acquire
NFSD: unregister shrinker when nfsd_init_net() fails
nfsd: fix net-namespace logic in __nfsd_file_cache_purge
nfsd: fix use-after-free in nfsd_file_do_acquire tracepoint
nfsd: put the export reference in nfsd4_verify_deleg_dentry
NFSD: Fix reads with a non-zero offset that don't end on a page boundary
filelock: add a new locks_inode_context accessor function
lockd: use locks_inode_context helper
nfsd: use locks_inode_context helper
NFSD: Simplify READ_PLUS
NFSD: Remove redundant assignment to variable host_err
NFSD: Finish converting the NFSv2 GETACL result encoder
NFSD: Finish converting the NFSv3 GETACL result encoder
nfsd: ignore requests to disable unsupported versions
nfsd: move nfserrno() to vfs.c
nfsd: allow disabling NFSv2 at compile time
exportfs: use pr_debug for unreachable debug statements
NFSD: Pass the target nfsd_file to nfsd_commit()
NFSD: Revert "NFSD: NFSv4 CLOSE should release an nfsd_file immediately"
NFSD: Add an NFSD_FILE_GC flag to enable nfsd_file garbage collection
NFSD: Flesh out a documenting comment for filecache.c
NFSD: Clean up nfs4_preprocess_stateid_op() call sites
NFSD: Trace stateids returned via DELEGRETURN
NFSD: Trace delegation revocations
NFSD: Use const pointers as parameters to fh_ helpers
NFSD: Update file_hashtbl() helpers
NFSD: Clean up nfsd4_init_file()
NFSD: Add a nfsd4_file_hash_remove() helper
NFSD: Clean up find_or_add_file()
NFSD: Refactor find_file()
NFSD: Use rhashtable for managing nfs4_file objects
NFSD: Fix licensing header in filecache.c
nfsd: remove the pages_flushed statistic from filecache
nfsd: reorganize filecache.c
nfsd: fix up the filecache laundrette scheduling
NFSD: Add an nfsd_file_fsync tracepoint
lockd: set other missing fields when unlocking files
nfsd: return error if nfs4_setacl fails
NFSD: Use struct_size() helper in alloc_session()
lockd: set missing fl_flags field when retrieving args
lockd: ensure we use the correct file descriptor when unlocking
lockd: fix file selection in nlmsvc_cancel_blocked
NFSD: pass range end to vfs_fsync_range() instead of count
NFSD: refactoring courtesy_client_reaper to a generic low memory shrinker
NFSD: add support for sending CB_RECALL_ANY
NFSD: add delegation reaper to react to low memory condition
NFSD: Use only RQ_DROPME to signal the need to drop a reply
NFSD: Avoid clashing function prototypes
nfsd: rework refcounting in filecache
nfsd: fix handling of cached open files in nfsd4_open codepath
Revert "SUNRPC: Use RMW bitops in single-threaded hot paths"
NFSD: Use set_bit(RQ_DROPME)
NFSD: fix use-after-free in nfsd4_ssc_setup_dul()
NFSD: register/unregister of nfsd-client shrinker at nfsd startup/shutdown time
NFSD: replace delayed_work with work_struct for nfsd_client_shrinker
nfsd: don't free files unconditionally in __nfsd_file_cache_purge
nfsd: don't destroy global nfs4_file table in per-net shutdown
NFSD: enhance inter-server copy cleanup
nfsd: allow nfsd_file_get to sanely handle a NULL pointer
nfsd: clean up potential nfsd_file refcount leaks in COPY codepath
NFSD: fix leaked reference count of nfsd4_ssc_umount_item
nfsd: don't hand out delegation on setuid files being opened for write
NFSD: fix problems with cleanup on errors in nfsd4_copy
nfsd: fix courtesy client with deny mode handling in nfs4_upgrade_open
nfsd: don't fsync nfsd_files on last close
NFSD: copy the whole verifier in nfsd_copy_write_verifier
NFSD: Protect against filesystem freezing
lockd: set file_lock start and end when decoding nlm4 testargs
nfsd: don't replace page in rq_pages if it's a continuation of last page
NFSD: Avoid calling OPDESC() with ops->opnum == OP_ILLEGAL
nfsd: call op_release, even when op_func returns an error
nfsd: don't open-code clear_and_wake_up_bit
nfsd: NFSD_FILE_KEY_INODE only needs to find GC'ed entries
nfsd: simplify test_bit return in NFSD_FILE_KEY_FULL comparator
nfsd: don't kill nfsd_files because of lease break error
nfsd: add some comments to nfsd_file_do_acquire
nfsd: don't take/put an extra reference when putting a file
nfsd: update comment over __nfsd_file_cache_purge
nfsd: allow reaping files still under writeback
NFSD: Convert filecache to rhltable
nfsd: simplify the delayed disposal list code
NFSD: Fix problem of COMMIT and NFS4ERR_DELAY in infinite loop
nfsd: make a copy of struct iattr before calling notify_change
nfsd: fix double fget() bug in __write_ports_addfd()
lockd: drop inappropriate svc_get() from locked_get()
NFSD: Add an nfsd4_encode_nfstime4() helper
nfsd: Fix creation time serialization order
nfsd: don't allow nfsd threads to be signalled.
nfsd: Simplify code around svc_exit_thread() call in nfsd()
nfsd: separate nfsd_last_thread() from nfsd_put()
Documentation: Add missing documentation for EXPORT_OP flags
NFSD: fix possible oops when nfsd/pool_stats is closed.
nfsd: call nfsd_last_thread() before final nfsd_put()
nfsd: drop the nfsd_put helper
nfsd: fix RELEASE_LOCKOWNER
nfsd: don't take fi_lock in nfsd_break_deleg_cb()
nfsd: don't call locks_release_private() twice concurrently
nfsd: Fix a regression in nfsd_setattr()
Linux 5.10.220
Change-Id: I589ec5e63d1f985ab69f9755b9a87330627d44c5
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Greg Kroah-Hartman
|
fedef46c69 |
This is the 5.10.219 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmZuzl4ACgkQONu9yGCS
aT7+ohAAyRkTis6xeME1FWIJthCJl8FzUq9nfN+OccK3TwCbXyZKXlZK8lVz0T5U
DvG1Tg+rR76+hIJghMIy2FEPRBA19WMq9a+Ms2ZyyggPrlgksFivO8N8YgnIxabb
EJPN7pAzO+GA+vd8YeGeK1ldq8QUISlN35s+hkur1jeBctWRcpHeOTjIej/Qytmj
ny1o7hCp179+SPygSEYEYtguACaQflhfBjOgAQ9DwWjP6vO2W9Vb16X4tiT0udHm
ExPjOwxbEMN/7m9gKrnl6WcIROSOy55FnfcYZP+NRY4jBlANUgXF1ca9hAhcIKSv
oOyeRN5S3FZAdxIHG9SFU9b6MPwJSeO5ETQyfiRGNFRkXOa2tKknNSsuACu8kSwx
SKJIpcuW1DkortwsYFbilXdl6TrK6oCcEczV5qtludcRoDznfUGejb5e81v3yYkO
no6ORvBJSBnEObY+gpexvxQp2Ae1+YkSLJaDzYWMC+JHBIgWTz2F2qJJkP6bRAUV
QduFTdTenDnL7zW3DseZGJKotU95cUoKNAwa7wfboZeygHc2+KaUOchKcqI0P9dZ
pS27RzcAJJ2uufujofyxOOhzFKw98WFurfNsMZTDBwHuqReoiRAS7pi0PeTMuqUv
GC8V1eIKgeWdI+pdTZLXylziiM41IylLjU/hxCrsykb+EwFa5NY=
=B1lK
-----END PGP SIGNATURE-----
Merge 5.10.219 into android12-5.10-lts
Changes in 5.10.219
x86/tsc: Trust initial offset in architectural TSC-adjust MSRs
tty: n_gsm: fix possible out-of-bounds in gsm0_receive()
speakup: Fix sizeof() vs ARRAY_SIZE() bug
ring-buffer: Fix a race between readers and resize checks
net: smc91x: Fix m68k kernel compilation for ColdFire CPU
nilfs2: fix unexpected freezing of nilfs_segctor_sync()
nilfs2: fix potential hang in nilfs_detach_log_writer()
ALSA: core: Fix NULL module pointer assignment at card init
wifi: cfg80211: fix the order of arguments for trace events of the tx_rx_evt class
net: usb: qmi_wwan: add Telit FN920C04 compositions
drm/amd/display: Set color_mgmt_changed to true on unsuspend
ASoC: rt5645: Fix the electric noise due to the CBJ contacts floating
ASoC: dt-bindings: rt5645: add cbj sleeve gpio property
regulator: vqmmc-ipq4019: fix module autoloading
ASoC: rt715: add vendor clear control register
ASoC: da7219-aad: fix usage of device_get_named_child_node()
drm/amdkfd: Flush the process wq before creating a kfd_process
nvme: find numa distance only if controller has valid numa id
openpromfs: finish conversion to the new mount API
crypto: bcm - Fix pointer arithmetic
firmware: raspberrypi: Use correct device for DMA mappings
ecryptfs: Fix buffer size for tag 66 packet
nilfs2: fix out-of-range warning
parisc: add missing export of __cmpxchg_u8()
crypto: ccp - drop platform ifdef checks
crypto: x86/nh-avx2 - add missing vzeroupper
crypto: x86/sha256-avx2 - add missing vzeroupper
s390/cio: fix tracepoint subchannel type field
jffs2: prevent xattr node from overflowing the eraseblock
soc: mediatek: cmdq: Fix typo of CMDQ_JUMP_RELATIVE
null_blk: Fix missing mutex_destroy() at module removal
md: fix resync softlockup when bitmap size is less than array size
wifi: ath10k: poll service ready message before failing
x86/boot: Ignore relocations in .notes sections in walk_relocs() too
qed: avoid truncating work queue length
scsi: ufs: qcom: Perform read back after writing reset bit
scsi: ufs-qcom: Fix ufs RST_n spec violation
scsi: ufs: qcom: Perform read back after writing REG_UFS_SYS1CLK_1US
scsi: ufs: ufs-qcom: Fix the Qcom register name for offset 0xD0
scsi: ufs: ufs-qcom: Clear qunipro_g4_sel for HW version major 5
scsi: ufs: qcom: Perform read back after writing unipro mode
scsi: ufs: qcom: Perform read back after writing CGC enable
scsi: ufs: cdns-pltfrm: Perform read back after writing HCLKDIV
scsi: ufs: core: Perform read back after disabling interrupts
scsi: ufs: core: Perform read back after disabling UIC_COMMAND_COMPL
irqchip/alpine-msi: Fix off-by-one in allocation error path
irqchip/loongson-pch-msi: Fix off-by-one on allocation error path
ACPI: disable -Wstringop-truncation
gfs2: Fix "ignore unlock failures after withdraw"
selftests/bpf: Fix umount cgroup2 error in test_sockmap
cpufreq: Reorganize checks in cpufreq_offline()
cpufreq: Split cpufreq_offline()
cpufreq: Rearrange locking in cpufreq_remove_dev()
cpufreq: exit() callback is optional
net: export inet_lookup_reuseport and inet6_lookup_reuseport
net: remove duplicate reuseport_lookup functions
udp: Avoid call to compute_score on multiple sites
scsi: libsas: Fix the failure of adding phy with zero-address to port
scsi: hpsa: Fix allocation size for Scsi_Host private data
x86/purgatory: Switch to the position-independent small code model
wifi: ath10k: Fix an error code problem in ath10k_dbg_sta_write_peer_debug_trigger()
wifi: ath10k: populate board data for WCN3990
tcp: avoid premature drops in tcp_add_backlog()
net: give more chances to rcu in netdev_wait_allrefs_any()
macintosh/via-macii: Fix "BUG: sleeping function called from invalid context"
wifi: carl9170: add a proper sanity check for endpoints
wifi: ar5523: enable proper endpoint verification
sh: kprobes: Merge arch_copy_kprobe() into arch_prepare_kprobe()
Revert "sh: Handle calling csum_partial with misaligned data"
selftests/binderfs: use the Makefile's rules, not Make's implicit rules
HID: intel-ish-hid: ipc: Add check for pci_alloc_irq_vectors
scsi: bfa: Ensure the copied buf is NUL terminated
scsi: qedf: Ensure the copied buf is NUL terminated
wifi: mwl8k: initialize cmd->addr[] properly
usb: aqc111: stop lying about skb->truesize
net: usb: sr9700: stop lying about skb->truesize
m68k: Fix spinlock race in kernel thread creation
m68k: mac: Fix reboot hang on Mac IIci
net: ipv6: fix wrong start position when receive hop-by-hop fragment
eth: sungem: remove .ndo_poll_controller to avoid deadlocks
net: ethernet: cortina: Locking fixes
af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg
net: usb: smsc95xx: stop lying about skb->truesize
net: openvswitch: fix overwriting ct original tuple for ICMPv6
ipv6: sr: add missing seg6_local_exit
ipv6: sr: fix incorrect unregister order
ipv6: sr: fix invalid unregister error path
net/mlx5: Discard command completions in internal error
drm/amd/display: Fix potential index out of bounds in color transformation function
ASoC: soc-acpi: add helper to identify parent driver.
ASoC: Intel: Disable route checks for Skylake boards
mtd: rawnand: hynix: fixed typo
fbdev: shmobile: fix snprintf truncation
drm/meson: vclk: fix calculation of 59.94 fractional rates
drm/mediatek: Add 0 size check to mtk_drm_gem_obj
powerpc/fsl-soc: hide unused const variable
fbdev: sisfb: hide unused variables
media: ngene: Add dvb_ca_en50221_init return value check
media: radio-shark2: Avoid led_names truncations
drm: bridge: cdns-mhdp8546: Fix possible null pointer dereference
fbdev: sh7760fb: allow modular build
media: atomisp: ssh_css: Fix a null-pointer dereference in load_video_binaries
drm/arm/malidp: fix a possible null pointer dereference
drm: vc4: Fix possible null pointer dereference
ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value
drm/bridge: lt9611: Don't log an error when DSI host can't be found
drm/bridge: tc358775: Don't log an error when DSI host can't be found
drm/panel: simple: Add missing Innolux G121X1-L03 format, flags, connector
drm/mipi-dsi: use correct return type for the DSC functions
RDMA/hns: Refactor the hns_roce_buf allocation flow
RDMA/hns: Create QP with selected QPN for bank load balance
RDMA/hns: Fix incorrect symbol types
RDMA/hns: Fix return value in hns_roce_map_mr_sg
RDMA/hns: Use complete parentheses in macros
RDMA/hns: Modify the print level of CQE error
clk: qcom: mmcc-msm8998: fix venus clock issue
x86/insn: Fix PUSH instruction in x86 instruction decoder opcode map
ext4: avoid excessive credit estimate in ext4_tmpfile()
sunrpc: removed redundant procp check
ext4: simplify calculation of blkoff in ext4_mb_new_blocks_simple
ext4: fix unit mismatch in ext4_mb_new_blocks_simple
ext4: try all groups in ext4_mb_new_blocks_simple
ext4: remove unused parameter from ext4_mb_new_blocks_simple()
ext4: fix potential unnitialized variable
SUNRPC: Fix gss_free_in_token_pages()
selftests/kcmp: Make the test output consistent and clear
selftests/kcmp: remove unused open mode
RDMA/IPoIB: Fix format truncation compilation errors
net: qrtr: fix null-ptr-deref in qrtr_ns_remove
net: qrtr: ns: Fix module refcnt
netrom: fix possible dead-lock in nr_rt_ioctl()
af_packet: do not call packet_read_pending() from tpacket_destruct_skb()
sched/fair: Allow disabling sched_balance_newidle with sched_relax_domain_level
greybus: lights: check return of get_channel_from_mode
f2fs: fix to wait on page writeback in __clone_blkaddrs()
soundwire: cadence: fix invalid PDI offset
dmaengine: idma64: Add check for dma_set_max_seg_size
firmware: dmi-id: add a release callback function
serial: max3100: Lock port->lock when calling uart_handle_cts_change()
serial: max3100: Update uart_driver_registered on driver removal
serial: max3100: Fix bitwise types
greybus: arche-ctrl: move device table to its right location
serial: sc16is7xx: add proper sched.h include for sched_set_fifo()
f2fs: compress: support chksum
f2fs: add compress_mode mount option
f2fs: compress: clean up parameter of __f2fs_cluster_blocks()
f2fs: compress: remove unneeded preallocation
f2fs: introduce FI_COMPRESS_RELEASED instead of using IMMUTABLE bit
f2fs: compress: fix to relocate check condition in f2fs_{release,reserve}_compress_blocks()
f2fs: add cp_error check in f2fs_write_compressed_pages
f2fs: fix to force keeping write barrier for strict fsync mode
f2fs: do not allow partial truncation on pinned file
f2fs: fix typos in comments
f2fs: fix to relocate check condition in f2fs_fallocate()
f2fs: fix to check pinfile flag in f2fs_move_file_range()
iio: pressure: dps310: support negative temperature values
fpga: region: change FPGA indirect article to an
fpga: region: Rename dev to parent for parent device
docs: driver-api: fpga: avoid using UTF-8 chars
fpga: region: Use standard dev_release for class driver
fpga: region: add owner module and take its refcount
microblaze: Remove gcc flag for non existing early_printk.c file
microblaze: Remove early printk call from cpuinfo-static.c
usb: gadget: u_audio: Clear uac pointer when freed.
stm class: Fix a double free in stm_register_device()
ppdev: Remove usage of the deprecated ida_simple_xx() API
ppdev: Add an error check in register_device
extcon: max8997: select IRQ_DOMAIN instead of depending on it
PCI/EDR: Align EDR_PORT_DPC_ENABLE_DSM with PCI Firmware r3.3
PCI/EDR: Align EDR_PORT_LOCATE_DSM with PCI Firmware r3.3
f2fs: compress: fix to cover {reserve,release}_compress_blocks() w/ cp_rwsem lock
f2fs: fix to release node block count in error path of f2fs_new_node_page()
f2fs: compress: don't allow unaligned truncation on released compress inode
serial: sh-sci: protect invalidating RXDMA on shutdown
libsubcmd: Fix parse-options memory leak
s390/ipl: Fix incorrect initialization of len fields in nvme reipl block
s390/ipl: Fix incorrect initialization of nvme dump block
Input: ims-pcu - fix printf string overflow
Input: ioc3kbd - convert to platform remove callback returning void
Input: ioc3kbd - add device table
mmc: sdhci_am654: Add tuning algorithm for delay chain
mmc: sdhci_am654: Write ITAPDLY for DDR52 timing
mmc: sdhci_am654: Drop lookup for deprecated ti,otap-del-sel
mmc: sdhci_am654: Add OTAP/ITAP delay enable
mmc: sdhci_am654: Add ITAPDLYSEL in sdhci_j721e_4bit_set_clock
mmc: sdhci_am654: Fix ITAPDLY for HS400 timing
Input: pm8xxx-vibrator - correct VIB_MAX_LEVELS calculation
drm/msm/dpu: Always flush the slave INTF on the CTL
um: Fix return value in ubd_init()
um: Add winch to winch_handlers before registering winch IRQ
um: vector: fix bpfflash parameter evaluation
drm/bridge: tc358775: fix support for jeida-18 and jeida-24
media: stk1160: fix bounds checking in stk1160_copy_video()
scsi: qla2xxx: Replace all non-returning strlcpy() with strscpy()
media: flexcop-usb: clean up endpoint sanity checks
media: flexcop-usb: fix sanity check of bNumEndpoints
powerpc/pseries: Add failure related checks for h_get_mpp and h_get_ppp
um: Fix the -Wmissing-prototypes warning for __switch_mm
media: cec: cec-adap: always cancel work in cec_transmit_msg_fh
media: cec: cec-api: add locking in cec_release()
media: core headers: fix kernel-doc warnings
media: cec: fix a deadlock situation
media: cec: call enable_adap on s_log_addrs
media: cec: abort if the current transmit was canceled
media: cec: correctly pass on reply results
media: cec: use call_op and check for !unregistered
media: cec-adap.c: drop activate_cnt, use state info instead
media: cec: core: avoid recursive cec_claim_log_addrs
media: cec: core: avoid confusing "transmit timed out" message
null_blk: Fix the WARNING: modpost: missing MODULE_DESCRIPTION()
regulator: bd71828: Don't overwrite runtime voltages
x86/kconfig: Select ARCH_WANT_FRAME_POINTERS again when UNWINDER_FRAME_POINTER=y
nfc: nci: Fix uninit-value in nci_rx_work
ASoC: tas2552: Add TX path for capturing AUDIO-OUT data
sunrpc: fix NFSACL RPC retry on soft mount
rpcrdma: fix handling for RDMA_CM_EVENT_DEVICE_REMOVAL
ipv6: sr: fix memleak in seg6_hmac_init_algo
params: lift param_set_uint_minmax to common code
tcp: Fix shift-out-of-bounds in dctcp_update_alpha().
openvswitch: Set the skbuff pkt_type for proper pmtud support.
arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY
virtio: delete vq in vp_find_vqs_msix() when request_irq() fails
net: fec: avoid lock evasion when reading pps_enable
tls: fix missing memory barrier in tls_init
nfc: nci: Fix kcov check in nci_rx_work()
nfc: nci: Fix handling of zero-length payload packets in nci_rx_work()
netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu()
netfilter: nft_payload: restore vlan q-in-q match support
spi: Don't mark message DMA mapped when no transfer in it is
nvmet: fix ns enable/disable possible hang
net/mlx5e: Use rx_missed_errors instead of rx_dropped for reporting buffer exhaustion
dma-buf/sw-sync: don't enable IRQ from sync_print_obj()
bpf: Fix potential integer overflow in resolve_btfids
enic: Validate length of nl attributes in enic_set_vf_port
net: usb: smsc95xx: fix changing LED_SEL bit value updated from EEPROM
bpf: Allow delete from sockmap/sockhash only if update is allowed
net:fec: Add fec_enet_deinit()
netfilter: tproxy: bail out if IP has been disabled on the device
kconfig: fix comparison to constant symbols, 'm', 'n'
spi: stm32: Don't warn about spurious interrupts
ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound
hwmon: (shtc1) Fix property misspelling
ALSA: timer: Set lower bound of start tick time
genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline
media: cec: core: add adap_nb_transmit_canceled() callback
SUNRPC: Fix loop termination condition in gss_free_in_token_pages()
binder: fix max_thread type inconsistency
mmc: core: Do not force a retune before RPMB switch
io_uring: fail NOP if non-zero op flags is passed in
afs: Don't cross .backup mountpoint from backup volume
nilfs2: fix use-after-free of timer for log writer thread
vxlan: Fix regression when dropping packets due to invalid src addresses
x86/mm: Remove broken vsyscall emulation code from the page fault code
netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV
netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()
f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()
media: lgdt3306a: Add a check against null-pointer-def
drm/amdgpu: add error handle to avoid out-of-bounds
ata: pata_legacy: make legacy_exit() work again
ACPI: resource: Do IRQ override on TongFang GXxHRXx and GMxHGxx
arm64: tegra: Correct Tegra132 I2C alias
arm64: dts: qcom: qcs404: fix bluetooth device address
md/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING
wifi: rtl8xxxu: Fix the TX power of RTL8192CU, RTL8723AU
wifi: rtlwifi: rtl8192de: Fix low speed with WPA3-SAE
wifi: rtlwifi: rtl8192de: Fix endianness issue in RX path
arm64: dts: hi3798cv200: fix the size of GICR
media: mc: mark the media devnode as registered from the, start
media: mxl5xx: Move xpt structures off stack
media: v4l2-core: hold videodev_lock until dev reg, finishes
mmc: core: Add mmc_gpiod_set_cd_config() function
mmc: sdhci-acpi: Sort DMI quirks alphabetically
mmc: sdhci-acpi: Fix Lenovo Yoga Tablet 2 Pro 1380 sdcard slot not working
mmc: sdhci-acpi: Disable write protect detection on Toshiba WT10-A
fbdev: savage: Handle err return when savagefb_check_var failed
KVM: arm64: Allow AArch32 PSTATE.M to be restored as System mode
crypto: ecrdsa - Fix module auto-load on add_key
crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak
net/ipv6: Fix route deleting failure when metric equals 0
net/9p: fix uninit-value in p9_client_rpc()
intel_th: pci: Add Meteor Lake-S CPU support
sparc64: Fix number of online CPUs
watchdog: rti_wdt: Set min_hw_heartbeat_ms to accommodate a safety margin
kdb: Fix buffer overflow during tab-complete
kdb: Use format-strings rather than '\0' injection in kdb_read()
kdb: Fix console handling when editing and tab-completing commands
kdb: Merge identical case statements in kdb_read()
kdb: Use format-specifiers rather than memset() for padding in kdb_read()
net: fix __dst_negative_advice() race
sparc: move struct termio to asm/termios.h
ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()
s390/ap: Fix crash in AP internal function modify_bitmap()
nfs: fix undefined behavior in nfs_block_bits()
NFS: Fix READ_PLUS when server doesn't support OP_READ_PLUS
scsi: ufs: ufs-qcom: Clear qunipro_g4_sel for HW major version > 5
f2fs: compress: fix compression chksum
RDMA/hns: Use mutex instead of spinlock for ida allocation
RDMA/hns: Fix CQ and QP cache affinity
Linux 5.10.219
Change-Id: I0e21ff44d28df2a2802a9fb35f0959bb5ab528fc
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
Matthew Wilcox (Oracle)
|
ed07b26c54 |
nfs: Leave pages in the pagecache if readpage failed
commit 0b768a9610c6de9811c6d33900bebfb665192ee1 upstream. The pagecache handles readpage failing by itself; it doesn't want filesystems to remove pages from under it. Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org> Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Arnd Bergmann
|
84bf6b64a1 |
ftruncate: pass a signed offset
commit 4b8e88e563b5f666446d002ad0dc1e6e8e7102b0 upstream.
The old ftruncate() syscall, using the 32-bit off_t misses a sign
extension when called in compat mode on 64-bit architectures. As a
result, passing a negative length accidentally succeeds in truncating
to file size between 2GiB and 4GiB.
Changing the type of the compat syscall to the signed compat_off_t
changes the behavior so it instead returns -EINVAL.
The native entry point, the truncate() syscall and the corresponding
loff_t based variants are all correct already and do not suffer
from this mistake.
Fixes:
|
||
|
Jan Kara
|
a68b896aa5 |
ocfs2: fix DIO failure due to insufficient transaction credits
commit be346c1a6eeb49d8fda827d2a9522124c2f72f36 upstream.
The code in ocfs2_dio_end_io_write() estimates number of necessary
transaction credits using ocfs2_calc_extend_credits(). This however does
not take into account that the IO could be arbitrarily large and can
contain arbitrary number of extents.
Extent tree manipulations do often extend the current transaction but not
in all of the cases. For example if we have only single block extents in
the tree, ocfs2_mark_extent_written() will end up calling
ocfs2_replace_extent_rec() all the time and we will never extend the
current transaction and eventually exhaust all the transaction credits if
the IO contains many single block extents. Once that happens a
WARN_ON(jbd2_handle_buffer_credits(handle) <= 0) is triggered in
jbd2_journal_dirty_metadata() and subsequently OCFS2 aborts in response to
this error. This was actually triggered by one of our customers on a
heavily fragmented OCFS2 filesystem.
To fix the issue make sure the transaction always has enough credits for
one extent insert before each call of ocfs2_mark_extent_written().
Heming Zhao said:
------
PANIC: "Kernel panic - not syncing: OCFS2: (device dm-1): panic forced after error"
PID: xxx TASK: xxxx CPU: 5 COMMAND: "SubmitThread-CA"
#0 machine_kexec at ffffffff8c069932
#1 __crash_kexec at ffffffff8c1338fa
#2 panic at ffffffff8c1d69b9
#3 ocfs2_handle_error at ffffffffc0c86c0c [ocfs2]
#4 __ocfs2_abort at ffffffffc0c88387 [ocfs2]
#5 ocfs2_journal_dirty at ffffffffc0c51e98 [ocfs2]
#6 ocfs2_split_extent at ffffffffc0c27ea3 [ocfs2]
#7 ocfs2_change_extent_flag at ffffffffc0c28053 [ocfs2]
#8 ocfs2_mark_extent_written at ffffffffc0c28347 [ocfs2]
#9 ocfs2_dio_end_io_write at ffffffffc0c2bef9 [ocfs2]
#10 ocfs2_dio_end_io at ffffffffc0c2c0f5 [ocfs2]
#11 dio_complete at ffffffff8c2b9fa7
#12 do_blockdev_direct_IO at ffffffff8c2bc09f
#13 ocfs2_direct_IO at ffffffffc0c2b653 [ocfs2]
#14 generic_file_direct_write at ffffffff8c1dcf14
#15 __generic_file_write_iter at ffffffff8c1dd07b
#16 ocfs2_file_write_iter at ffffffffc0c49f1f [ocfs2]
#17 aio_write at ffffffff8c2cc72e
#18 kmem_cache_alloc at ffffffff8c248dde
#19 do_io_submit at ffffffff8c2ccada
#20 do_syscall_64 at ffffffff8c004984
#21 entry_SYSCALL_64_after_hwframe at ffffffff8c8000ba
Link: https://lkml.kernel.org/r/20240617095543.6971-1-jack@suse.cz
Link: https://lkml.kernel.org/r/20240614145243.8837-1-jack@suse.cz
Fixes:
|
||
|
Jeff Layton
|
229e145a81 |
nfsd: hold a lighter-weight client reference over CB_RECALL_ANY
[ Upstream commit 10396f4df8b75ff6ab0aa2cd74296565466f2c8d ]
Currently the CB_RECALL_ANY job takes a cl_rpc_users reference to the
client. While a callback job is technically an RPC that counter is
really more for client-driven RPCs, and this has the effect of
preventing the client from being unhashed until the callback completes.
If nfsd decides to send a CB_RECALL_ANY just as the client reboots, we
can end up in a situation where the callback can't complete on the (now
dead) callback channel, but the new client can't connect because the old
client can't be unhashed. This usually manifests as a NFS4ERR_DELAY
return on the CREATE_SESSION operation.
The job is only holding a reference to the client so it can clear a flag
after the RPC completes. Fix this by having CB_RECALL_ANY instead hold a
reference to the cl_nfsdfs.cl_ref. Typically we only take that sort of
reference when dealing with the nfsdfs info files, but it should work
appropriately here to ensure that the nfs4_client doesn't disappear.
Fixes: 44df6f439a17 ("NFSD: add delegation reaper to react to low memory condition")
Reported-by: Vladimir Benes <vbenes@redhat.com>
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Enzo Matsumiya
|
b055752675 |
smb: client: fix deadlock in smb2_find_smb_tcon()
[ Upstream commit 02c418774f76a0a36a6195c9dbf8971eb4130a15 ] Unlock cifs_tcp_ses_lock before calling cifs_put_smb_ses() to avoid such deadlock. Cc: stable@vger.kernel.org Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de> Reviewed-by: Shyam Prasad N <sprasad@microsoft.com> Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.com> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Shyam Prasad N
|
78ebec450e |
cifs: missed ref-counting smb session in find
[ Upstream commit e695a9ad0305af6e8b0cbc24a54976ac2120cbb3 ]
When we lookup an smb session based on session id,
we did not up the ref-count for the session. This can
potentially cause issues if the session is freed from under us.
Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Signed-off-by: Steve French <stfrench@microsoft.com>
Stable-dep-of: 02c418774f76 ("smb: client: fix deadlock in smb2_find_smb_tcon()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Trond Myklebust
|
90551062fd |
knfsd: LOOKUP can return an illegal error value
[ Upstream commit e221c45da3770962418fb30c27d941bbc70d595a ] The 'NFS error' NFSERR_OPNOTSUPP is not described by any of the official NFS related RFCs, but appears to have snuck into some older .x files for NFSv2. Either way, it is not in RFC1094, RFC1813 or any of the NFSv4 RFCs, so should not be returned by the knfsd server, and particularly not by the "LOOKUP" operation. Instead, let's return NFSERR_STALE, which is more appropriate if the filesystem encodes the filehandle as FILEID_INVALID. Cc: stable@vger.kernel.org Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Roman Smirnov
|
bffff80d10 |
udf: udftime: prevent overflow in udf_disk_stamp_to_time()
[ Upstream commit 3b84adf460381169c085e4bc09e7b57e9e16db0a ] An overflow can occur in a situation where src.centiseconds takes the value of 255. This situation is unlikely, but there is no validation check anywere in the code. Found by Linux Verification Center (linuxtesting.org) with Svace. Suggested-by: Jan Kara <jack@suse.cz> Signed-off-by: Roman Smirnov <r.smirnov@omp.ru> Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru> Signed-off-by: Jan Kara <jack@suse.cz> Message-Id: <20240327132755.13945-1-r.smirnov@omp.ru> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Yunlei He
|
38a82c8d00 |
f2fs: remove clear SB_INLINECRYPT flag in default_options
[ Upstream commit ac5eecf481c29942eb9a862e758c0c8b68090c33 ]
In f2fs_remount, SB_INLINECRYPT flag will be clear and re-set.
If create new file or open file during this gap, these files
will not use inlinecrypt. Worse case, it may lead to data
corruption if wrappedkey_v0 is enable.
Thread A: Thread B:
-f2fs_remount -f2fs_file_open or f2fs_new_inode
-default_options
<- clear SB_INLINECRYPT flag
-fscrypt_select_encryption_impl
-parse_options
<- set SB_INLINECRYPT again
Signed-off-by: Yunlei He <heyunlei@oppo.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Ryusuke Konishi
|
0ecfe3a928 |
nilfs2: fix potential kernel bug due to lack of writeback flag waiting
commit a4ca369ca221bb7e06c725792ac107f0e48e82e7 upstream.
Destructive writes to a block device on which nilfs2 is mounted can cause
a kernel bug in the folio/page writeback start routine or writeback end
routine (__folio_start_writeback in the log below):
kernel BUG at mm/page-writeback.c:3070!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
...
RIP: 0010:__folio_start_writeback+0xbaa/0x10e0
Code: 25 ff 0f 00 00 0f 84 18 01 00 00 e8 40 ca c6 ff e9 17 f6 ff ff
e8 36 ca c6 ff 4c 89 f7 48 c7 c6 80 c0 12 84 e8 e7 b3 0f 00 90 <0f>
0b e8 1f ca c6 ff 4c 89 f7 48 c7 c6 a0 c6 12 84 e8 d0 b3 0f 00
...
Call Trace:
<TASK>
nilfs_segctor_do_construct+0x4654/0x69d0 [nilfs2]
nilfs_segctor_construct+0x181/0x6b0 [nilfs2]
nilfs_segctor_thread+0x548/0x11c0 [nilfs2]
kthread+0x2f0/0x390
ret_from_fork+0x4b/0x80
ret_from_fork_asm+0x1a/0x30
</TASK>
This is because when the log writer starts a writeback for segment summary
blocks or a super root block that use the backing device's page cache, it
does not wait for the ongoing folio/page writeback, resulting in an
inconsistent writeback state.
Fix this issue by waiting for ongoing writebacks when putting
folios/pages on the backing device into writeback state.
Link: https://lkml.kernel.org/r/20240530141556.4411-1-konishi.ryusuke@gmail.com
Fixes:
|
||
Su Yue
|
050ce8af68 |
ocfs2: fix races between hole punching and AIO+DIO
commit 952b023f06a24b2ad6ba67304c4c84d45bea2f18 upstream.
After commit "ocfs2: return real error code in ocfs2_dio_wr_get_block",
fstests/generic/300 become from always failed to sometimes failed:
========================================================================
[ 473.293420 ] run fstests generic/300
[ 475.296983 ] JBD2: Ignoring recovery information on journal
[ 475.302473 ] ocfs2: Mounting device (253,1) on (node local, slot 0) with ordered data mode.
[ 494.290998 ] OCFS2: ERROR (device dm-1): ocfs2_change_extent_flag: Owner 5668 has an extent at cpos 78723 which can no longer be found
[ 494.291609 ] On-disk corruption discovered. Please run fsck.ocfs2 once the filesystem is unmounted.
[ 494.292018 ] OCFS2: File system is now read-only.
[ 494.292224 ] (kworker/19:11,2628,19):ocfs2_mark_extent_written:5272 ERROR: status = -30
[ 494.292602 ] (kworker/19:11,2628,19):ocfs2_dio_end_io_write:2374 ERROR: status = -3
fio: io_u error on file /mnt/scratch/racer: Read-only file system: write offset=460849152, buflen=131072
=========================================================================
In __blockdev_direct_IO, ocfs2_dio_wr_get_block is called to add unwritten
extents to a list. extents are also inserted into extent tree in
ocfs2_write_begin_nolock. Then another thread call fallocate to puch a
hole at one of the unwritten extent. The extent at cpos was removed by
ocfs2_remove_extent(). At end io worker thread, ocfs2_search_extent_list
found there is no such extent at the cpos.
T1 T2 T3
inode lock
...
insert extents
...
inode unlock
ocfs2_fallocate
__ocfs2_change_file_space
inode lock
lock ip_alloc_sem
ocfs2_remove_inode_range inode
ocfs2_remove_btree_range
ocfs2_remove_extent
^---remove the extent at cpos 78723
...
unlock ip_alloc_sem
inode unlock
ocfs2_dio_end_io
ocfs2_dio_end_io_write
lock ip_alloc_sem
ocfs2_mark_extent_written
ocfs2_change_extent_flag
ocfs2_search_extent_list
^---failed to find extent
...
unlock ip_alloc_sem
In most filesystems, fallocate is not compatible with racing with AIO+DIO,
so fix it by adding to wait for all dio before fallocate/punch_hole like
ext4.
Link: https://lkml.kernel.org/r/20240408082041.20925-3-glass.su@suse.com
Fixes:
|
||
|
Su Yue
|
11a075a1c8 |
ocfs2: use coarse time for new created files
commit b8cb324277ee16f3eca3055b96fce4735a5a41c6 upstream.
The default atime related mount option is '-o realtime' which means file
atime should be updated if atime <= ctime or atime <= mtime. atime should
be updated in the following scenario, but it is not:
==========================================================
$ rm /mnt/testfile;
$ echo test > /mnt/testfile
$ stat -c "%X %Y %Z" /mnt/testfile
1711881646 1711881646 1711881646
$ sleep 5
$ cat /mnt/testfile > /dev/null
$ stat -c "%X %Y %Z" /mnt/testfile
1711881646 1711881646 1711881646
==========================================================
And the reason the atime in the test is not updated is that ocfs2 calls
ktime_get_real_ts64() in __ocfs2_mknod_locked during file creation. Then
inode_set_ctime_current() is called in inode_set_ctime_current() calls
ktime_get_coarse_real_ts64() to get current time.
ktime_get_real_ts64() is more accurate than ktime_get_coarse_real_ts64().
In my test box, I saw ctime set by ktime_get_coarse_real_ts64() is less
than ktime_get_real_ts64() even ctime is set later. The ctime of the new
inode is smaller than atime.
The call trace is like:
ocfs2_create
ocfs2_mknod
__ocfs2_mknod_locked
....
ktime_get_real_ts64 <------- set atime,ctime,mtime, more accurate
ocfs2_populate_inode
...
ocfs2_init_acl
ocfs2_acl_set_mode
inode_set_ctime_current
current_time
ktime_get_coarse_real_ts64 <-------less accurate
ocfs2_file_read_iter
ocfs2_inode_lock_atime
ocfs2_should_update_atime
atime <= ctime ? <-------- false, ctime < atime due to accuracy
So here call ktime_get_coarse_real_ts64 to set inode time coarser while
creating new files. It may lower the accuracy of file times. But it's
not a big deal since we already use coarse time in other places like
ocfs2_update_inode_atime and inode_set_ctime_current.
Link: https://lkml.kernel.org/r/20240408082041.20925-5-glass.su@suse.com
Fixes:
|
||
Rik van Riel
|
70c1835e77 |
fs/proc: fix softlockup in __read_vmcore
commit 5cbcb62dddf5346077feb82b7b0c9254222d3445 upstream. While taking a kernel core dump with makedumpfile on a larger system, softlockup messages often appear. While softlockup warnings can be harmless, they can also interfere with things like RCU freeing memory, which can be problematic when the kdump kexec image is configured with as little memory as possible. Avoid the softlockup, and give things like work items and RCU a chance to do their thing during __read_vmcore by adding a cond_resched. Link: https://lkml.kernel.org/r/20240507091858.36ff767f@imladris.surriel.com Signed-off-by: Rik van Riel <riel@surriel.com> Acked-by: Baoquan He <bhe@redhat.com> Cc: Dave Young <dyoung@redhat.com> Cc: Vivek Goyal <vgoyal@redhat.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |