This is the start of the stable review cycle for the 4.19.240 release.
There are 53 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Thu, 28 Apr 2022 08:17:22 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.240-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <[email protected]>
Linux 4.19.240-rc1
Marek Vasut <[email protected]>
Revert "net: micrel: fix KS8851_MLL Kconfig"
Duoming Zhou <[email protected]>
ax25: Fix UAF bugs in ax25 timers
Duoming Zhou <[email protected]>
ax25: Fix NULL pointer dereferences in ax25 timers
Duoming Zhou <[email protected]>
ax25: fix NPD bug in ax25_disconnect
Duoming Zhou <[email protected]>
ax25: fix UAF bug in ax25_send_control()
Duoming Zhou <[email protected]>
ax25: Fix refcount leaks caused by ax25_cb_del()
Duoming Zhou <[email protected]>
ax25: fix UAF bugs of net_device caused by rebinding operation
Duoming Zhou <[email protected]>
ax25: fix reference count leaks of ax25_dev
Duoming Zhou <[email protected]>
ax25: add refcount in ax25_dev to avoid UAF bugs
Khazhismel Kumykov <[email protected]>
block/compat_ioctl: fix range check in BLKGETSIZE
Lee Jones <[email protected]>
staging: ion: Prevent incorrect reference counting behavour
Theodore Ts'o <[email protected]>
ext4: force overhead calculation if the s_overhead_cluster makes no sense
Theodore Ts'o <[email protected]>
ext4: fix overhead calculation to account for the reserved gdt blocks
Tadeusz Struk <[email protected]>
ext4: limit length to bitmap_maxbytes - blocksize in punch_hole
Ye Bin <[email protected]>
ext4: fix symlink file size not match to file content
Rob Herring <[email protected]>
arm_pmu: Validate single/group leader events
Sergey Matyukevich <[email protected]>
ARC: entry: fix syscall_trace_exit argument
Sasha Neftin <[email protected]>
e1000e: Fix possible overflow in LTR decoding
Xiaomeng Tong <[email protected]>
ASoC: soc-dapm: fix two incorrect uses of list iterator
Paolo Valerio <[email protected]>
openvswitch: fix OOB access in reserve_sfa_size()
Athira Rajeev <[email protected]>
powerpc/perf: Fix power9 event alternatives
Dave Stevenson <[email protected]>
drm/panel/raspberrypi-touchscreen: Initialise the bridge in prepare
Dave Stevenson <[email protected]>
drm/panel/raspberrypi-touchscreen: Avoid NULL deref if not initialised
Xiaomeng Tong <[email protected]>
dma: at_xdmac: fix a missing check on list iterator
Zheyu Ma <[email protected]>
ata: pata_marvell: Check the 'bmdma_addr' beforing reading
Mikulas Patocka <[email protected]>
stat: fix inconsistency between struct stat and struct compat_stat
Tomas Melin <[email protected]>
net: macb: Restart tx only if queue pointer is lagging
Xiaoke Wang <[email protected]>
drm/msm/mdp5: check the return of kzalloc()
Lv Ruyi <[email protected]>
dpaa_eth: Fix missing of_node_put in dpaa_get_ts_info()
Borislav Petkov <[email protected]>
brcmfmac: sdio: Fix undefined behavior due to shift overflowing the constant
Borislav Petkov <[email protected]>
mt76: Fix undefined behavior due to shift overflowing the constant
David Howells <[email protected]>
cifs: Check the IOCB_DIRECT flag, not O_DIRECT
Hongbin Wang <[email protected]>
vxlan: fix error return code in vxlan_fdb_append
Borislav Petkov <[email protected]>
ALSA: usb-audio: Fix undefined behavior due to shift overflowing the constant
Jiapeng Chong <[email protected]>
platform/x86: samsung-laptop: Fix an unsigned comparison which can never be negative
Sameer Pujar <[email protected]>
reset: tegra-bpmp: Restore Handle errors in BPMP response
Kees Cook <[email protected]>
ARM: vexpress/spc: Avoid negative array index when !SMP
Eric Dumazet <[email protected]>
netlink: reset network and mac headers in netlink_dump()
Eric Dumazet <[email protected]>
net/sched: cls_u32: fix possible leak in u32_init_knode()
Hangbin Liu <[email protected]>
net/packet: fix packet_sock xmit return value checking
David Howells <[email protected]>
rxrpc: Restore removed timer deletion
Miaoqian Lin <[email protected]>
dmaengine: imx-sdma: Fix error checking in sdma_event_remap
Miaoqian Lin <[email protected]>
ASoC: msm8916-wcd-digital: Check failure for devm_snd_soc_register_component
Mark Brown <[email protected]>
ASoC: atmel: Remove system clock tree configuration for at91sam9g20ek
Kuniyuki Iwashima <[email protected]>
tcp: Fix potential use-after-free due to double kfree()
Ricardo Dias <[email protected]>
tcp: fix race condition when creating child sockets from syncookies
Takashi Iwai <[email protected]>
ALSA: usb-audio: Clear MIDI port active flag after draining
Bob Peterson <[email protected]>
gfs2: assign rgrp glock before compute_bitstructs
Mikulas Patocka <[email protected]>
dm integrity: fix memory corruption when tag_size is less than digest size
Hangyu Hua <[email protected]>
can: usb_8dev: usb_8dev_start_xmit(): fix double dev_kfree_skb() in error path
Daniel Bristot de Oliveira <[email protected]>
tracing: Dump stacktrace trigger to the corresponding instance
Xiongwei Song <[email protected]>
mm: page_alloc: fix building error on -Werror=array-compare
Kees Cook <[email protected]>
etherdevice: Adjust ether_addr* prototypes to silence -Wstringop-overead
-------------
Diffstat:
Makefile | 4 +-
arch/arc/kernel/entry.S | 1 +
arch/arm/mach-vexpress/spc.c | 2 +-
arch/powerpc/perf/power9-pmu.c | 8 +--
arch/x86/include/asm/compat.h | 6 +-
block/compat_ioctl.c | 2 +-
drivers/ata/pata_marvell.c | 2 +
drivers/dma/at_xdmac.c | 12 ++--
drivers/dma/imx-sdma.c | 4 +-
drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c | 3 +
.../gpu/drm/panel/panel-raspberrypi-touchscreen.c | 13 ++++-
drivers/md/dm-integrity.c | 7 ++-
drivers/net/can/usb/usb_8dev.c | 30 +++++-----
drivers/net/ethernet/cadence/macb_main.c | 8 +++
drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c | 8 ++-
drivers/net/ethernet/intel/e1000e/ich8lan.c | 4 +-
drivers/net/ethernet/micrel/Kconfig | 1 -
drivers/net/vxlan.c | 4 +-
.../wireless/broadcom/brcm80211/brcmfmac/sdio.c | 2 +-
drivers/net/wireless/mediatek/mt76/mt76x2_pci.c | 2 +-
drivers/perf/arm_pmu.c | 10 ++--
drivers/platform/x86/samsung-laptop.c | 2 -
drivers/reset/tegra/reset-bpmp.c | 9 ++-
drivers/staging/android/ion/ion.c | 3 +
fs/cifs/cifsfs.c | 2 +-
fs/ext4/inode.c | 11 +++-
fs/ext4/page-io.c | 4 +-
fs/ext4/super.c | 19 ++++--
fs/gfs2/rgrp.c | 9 +--
fs/stat.c | 19 +++---
include/linux/etherdevice.h | 5 +-
include/net/ax25.h | 12 ++++
include/net/inet_hashtables.h | 5 +-
kernel/trace/trace_events_trigger.c | 9 ++-
mm/page_alloc.c | 2 +-
net/ax25/af_ax25.c | 38 +++++++++---
net/ax25/ax25_dev.c | 28 +++++++--
net/ax25/ax25_route.c | 13 ++++-
net/ax25/ax25_subr.c | 20 +++++--
net/dccp/ipv4.c | 2 +-
net/dccp/ipv6.c | 2 +-
net/ipv4/inet_connection_sock.c | 2 +-
net/ipv4/inet_hashtables.c | 68 +++++++++++++++++++---
net/ipv4/tcp_ipv4.c | 13 ++++-
net/ipv6/tcp_ipv6.c | 13 ++++-
net/netlink/af_netlink.c | 7 +++
net/openvswitch/flow_netlink.c | 2 +-
net/packet/af_packet.c | 13 +++--
net/rxrpc/net_ns.c | 2 +
net/sched/cls_u32.c | 8 +--
sound/soc/atmel/sam9g20_wm8731.c | 61 -------------------
sound/soc/codecs/msm8916-wcd-digital.c | 9 ++-
sound/soc/soc-dapm.c | 6 +-
sound/usb/midi.c | 1 +
sound/usb/usbaudio.h | 2 +-
55 files changed, 359 insertions(+), 195 deletions(-)
From: Sameer Pujar <[email protected]>
[ Upstream commit d1da1052ffad63aa5181b69f20a6952e31f339c2 ]
This reverts following commit 69125b4b9440 ("reset: tegra-bpmp: Revert
Handle errors in BPMP response").
The Tegra194 HDA reset failure is fixed by commit d278dc9151a0 ("ALSA:
hda/tegra: Fix Tegra194 HDA reset failure"). The temporary revert of
original commit c045ceb5a145 ("reset: tegra-bpmp: Handle errors in BPMP
response") can be removed now.
Signed-off-by: Sameer Pujar <[email protected]>
Tested-by: Jon Hunter <[email protected]>
Reviewed-by: Jon Hunter <[email protected]>
Acked-by: Thierry Reding <[email protected]>
Signed-off-by: Philipp Zabel <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/reset/tegra/reset-bpmp.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/reset/tegra/reset-bpmp.c b/drivers/reset/tegra/reset-bpmp.c
index 5daf2ee1a396..f9790b60f996 100644
--- a/drivers/reset/tegra/reset-bpmp.c
+++ b/drivers/reset/tegra/reset-bpmp.c
@@ -23,6 +23,7 @@ static int tegra_bpmp_reset_common(struct reset_controller_dev *rstc,
struct tegra_bpmp *bpmp = to_tegra_bpmp(rstc);
struct mrq_reset_request request;
struct tegra_bpmp_message msg;
+ int err;
memset(&request, 0, sizeof(request));
request.cmd = command;
@@ -33,7 +34,13 @@ static int tegra_bpmp_reset_common(struct reset_controller_dev *rstc,
msg.tx.data = &request;
msg.tx.size = sizeof(request);
- return tegra_bpmp_transfer(bpmp, &msg);
+ err = tegra_bpmp_transfer(bpmp, &msg);
+ if (err)
+ return err;
+ if (msg.rx.ret)
+ return -EINVAL;
+
+ return 0;
}
static int tegra_bpmp_reset_module(struct reset_controller_dev *rstc,
--
2.35.1
On Tue, 26 Apr 2022 at 13:57, Greg Kroah-Hartman
<[email protected]> wrote:
>
> This is the start of the stable review cycle for the 4.19.240 release.
> There are 53 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 28 Apr 2022 08:17:22 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.240-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.
Tested-by: Linux Kernel Functional Testing <[email protected]>
## Build
* kernel: 4.19.240-rc1
* git: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
* git branch: linux-4.19.y
* git commit: 5e5c9d690926bf43bc1405d163e02768a56c56dc
* git describe: v4.19.239-54-g5e5c9d690926
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-4.19.y/build/v4.19.239-54-g5e5c9d690926
## Test Regressions (compared to v4.19.239)
No test regressions found.
## Metric Regressions (compared to v4.19.239)
No metric regressions found.
## Test Fixes (compared to v4.19.239)
No test fixes found.
## Metric Fixes (compared to v4.19.239)
No metric fixes found.
## Test result summary
total: 81844, pass: 65248, fail: 1145, skip: 13273, xfail: 2178
## Build Summary
* arm: 281 total, 275 passed, 6 failed
* arm64: 39 total, 39 passed, 0 failed
* dragonboard-410c: 1 total, 1 passed, 0 failed
* hi6220-hikey: 1 total, 1 passed, 0 failed
* i386: 19 total, 19 passed, 0 failed
* juno-r2: 1 total, 1 passed, 0 failed
* mips: 27 total, 27 passed, 0 failed
* powerpc: 60 total, 54 passed, 6 failed
* s390: 12 total, 12 passed, 0 failed
* sparc: 12 total, 12 passed, 0 failed
* x15: 1 total, 1 passed, 0 failed
* x86: 1 total, 1 passed, 0 failed
* x86_64: 38 total, 38 passed, 0 failed
## Test suites summary
* fwts
* igt-gpu-tools
* kselftest-android
* kselftest-arm64
* kselftest-bpf
* kselftest-breakpoints
* kselftest-capabilities
* kselftest-cgroup
* kselftest-clone3
* kselftest-core
* kselftest-cpu-hotplug
* kselftest-cpufreq
* kselftest-drivers
* kselftest-efivarfs
* kselftest-filesystems
* kselftest-firmware
* kselftest-fpu
* kselftest-futex
* kselftest-gpio
* kselftest-intel_pstate
* kselftest-ipc
* kselftest-ir
* kselftest-kcmp
* kselftest-kexec
* kselftest-kvm
* kselftest-lib
* kselftest-livepatch
* kselftest-membarrier
* kselftest-memfd
* kselftest-memory-hotplug
* kselftest-mincore
* kselftest-mount
* kselftest-mqueue
* kselftest-net
* kselftest-netfilter
* kselftest-nsfs
* kselftest-openat2
* kselftest-pid_namespace
* kselftest-pidfd
* kselftest-proc
* kselftest-pstore
* kselftest-ptrace
* kselftest-rseq
* kselftest-rtc
* kselftest-seccomp
* kselftest-sigaltstack
* kselftest-size
* kselftest-splice
* kselftest-static_keys
* kselftest-sync
* kselftest-sysctl
* kselftest-tc-testing
* kselftest-timens
* kselftest-timers
* kselftest-tmpfs
* kselftest-tpm2
* kselftest-user
* kselftest-vm
* kselftest-x86
* kselftest-zram
* kvm-unit-tests
* libhugetlbfs
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-controllers-tests
* ltp-cpuhotplug-tests
* ltp-crypto-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-open-posix-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* ltp-tracing-tests
* network-basic-tests
* packetdrill
* perf
* rcutorture
* ssuite
* v4l2-compliance
* vdso
--
Linaro LKFT
https://lkft.linaro.org
From: Tadeusz Struk <[email protected]>
commit 2da376228a2427501feb9d15815a45dbdbdd753e upstream.
Syzbot found an issue [1] in ext4_fallocate().
The C reproducer [2] calls fallocate(), passing size 0xffeffeff000ul,
and offset 0x1000000ul, which, when added together exceed the
bitmap_maxbytes for the inode. This triggers a BUG in
ext4_ind_remove_space(). According to the comments in this function
the 'end' parameter needs to be one block after the last block to be
removed. In the case when the BUG is triggered it points to the last
block. Modify the ext4_punch_hole() function and add constraint that
caps the length to satisfy the one before laster block requirement.
LINK: [1] https://syzkaller.appspot.com/bug?id=b80bd9cf348aac724a4f4dff251800106d721331
LINK: [2] https://syzkaller.appspot.com/text?tag=ReproC&x=14ba0238700000
Fixes: a4bb6b64e39a ("ext4: enable "punch hole" functionality")
Reported-by: [email protected]
Signed-off-by: Tadeusz Struk <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Theodore Ts'o <[email protected]>
Cc: [email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
fs/ext4/inode.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4314,7 +4314,8 @@ int ext4_punch_hole(struct inode *inode,
struct super_block *sb = inode->i_sb;
ext4_lblk_t first_block, stop_block;
struct address_space *mapping = inode->i_mapping;
- loff_t first_block_offset, last_block_offset;
+ loff_t first_block_offset, last_block_offset, max_length;
+ struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb);
handle_t *handle;
unsigned int credits;
int ret = 0;
@@ -4360,6 +4361,14 @@ int ext4_punch_hole(struct inode *inode,
offset;
}
+ /*
+ * For punch hole the length + offset needs to be within one block
+ * before last range. Adjust the length if it goes beyond that limit.
+ */
+ max_length = sbi->s_bitmap_maxbytes - inode->i_sb->s_blocksize;
+ if (offset + length > max_length)
+ length = max_length - offset;
+
if (offset & (sb->s_blocksize - 1) ||
(offset + length) & (sb->s_blocksize - 1)) {
/*
From: Xiaomeng Tong <[email protected]>
commit f730a46b931d894816af34a0ff8e4ad51565b39f upstream.
These two bug are here:
list_for_each_entry_safe_continue(w, n, list,
power_list);
list_for_each_entry_safe_continue(w, n, list,
power_list);
After the list_for_each_entry_safe_continue() exits, the list iterator
will always be a bogus pointer which point to an invalid struct objdect
containing HEAD member. The funciton poniter 'w->event' will be a
invalid value which can lead to a control-flow hijack if the 'w' can be
controlled.
The original intention was to continue the outer list_for_each_entry_safe()
loop with the same entry if w->event is NULL, but misunderstanding the
meaning of list_for_each_entry_safe_continue().
So just add a 'continue;' to fix the bug.
Cc: [email protected]
Fixes: 163cac061c973 ("ASoC: Factor out DAPM sequence execution")
Signed-off-by: Xiaomeng Tong <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Mark Brown <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
sound/soc/soc-dapm.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
--- a/sound/soc/soc-dapm.c
+++ b/sound/soc/soc-dapm.c
@@ -1635,8 +1635,7 @@ static void dapm_seq_run(struct snd_soc_
switch (w->id) {
case snd_soc_dapm_pre:
if (!w->event)
- list_for_each_entry_safe_continue(w, n, list,
- power_list);
+ continue;
if (event == SND_SOC_DAPM_STREAM_START)
ret = w->event(w,
@@ -1648,8 +1647,7 @@ static void dapm_seq_run(struct snd_soc_
case snd_soc_dapm_post:
if (!w->event)
- list_for_each_entry_safe_continue(w, n, list,
- power_list);
+ continue;
if (event == SND_SOC_DAPM_STREAM_START)
ret = w->event(w,
From: Xiongwei Song <[email protected]>
commit ca831f29f8f25c97182e726429b38c0802200c8f upstream.
Arthur Marsh reported we would hit the error below when building kernel
with gcc-12:
CC mm/page_alloc.o
mm/page_alloc.c: In function `mem_init_print_info':
mm/page_alloc.c:8173:27: error: comparison between two arrays [-Werror=array-compare]
8173 | if (start <= pos && pos < end && size > adj) \
|
In C++20, the comparision between arrays should be warned.
Link: https://lkml.kernel.org/r/[email protected]
Signed-off-by: Xiongwei Song <[email protected]>
Reported-by: Arthur Marsh <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Cc: Khem Raj <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
mm/page_alloc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -7117,7 +7117,7 @@ void __init mem_init_print_info(const ch
*/
#define adj_init_size(start, end, size, pos, adj) \
do { \
- if (start <= pos && pos < end && size > adj) \
+ if (&start[0] <= &pos[0] && &pos[0] < &end[0] && size > adj) \
size -= adj; \
} while (0)
From: Zheyu Ma <[email protected]>
commit aafa9f958342db36c17ac2a7f1b841032c96feb4 upstream.
Before detecting the cable type on the dma bar, the driver should check
whether the 'bmdma_addr' is zero, which means the adapter does not
support DMA, otherwise we will get the following error:
[ 5.146634] Bad IO access at port 0x1 (return inb(port))
[ 5.147206] WARNING: CPU: 2 PID: 303 at lib/iomap.c:44 ioread8+0x4a/0x60
[ 5.150856] RIP: 0010:ioread8+0x4a/0x60
[ 5.160238] Call Trace:
[ 5.160470] <TASK>
[ 5.160674] marvell_cable_detect+0x6e/0xc0 [pata_marvell]
[ 5.161728] ata_eh_recover+0x3520/0x6cc0
[ 5.168075] ata_do_eh+0x49/0x3c0
Signed-off-by: Zheyu Ma <[email protected]>
Signed-off-by: Damien Le Moal <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/ata/pata_marvell.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/ata/pata_marvell.c
+++ b/drivers/ata/pata_marvell.c
@@ -82,6 +82,8 @@ static int marvell_cable_detect(struct a
switch(ap->port_no)
{
case 0:
+ if (!ap->ioaddr.bmdma_addr)
+ return ATA_CBL_PATA_UNK;
if (ioread8(ap->ioaddr.bmdma_addr + 1) & 1)
return ATA_CBL_PATA40;
return ATA_CBL_PATA80;
On Tue, Apr 26, 2022 at 10:20:40AM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.19.240 release.
> There are 53 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 28 Apr 2022 08:17:22 +0000.
> Anything received after that time might be too late.
>
Build results:
total: 156 pass: 156 fail: 0
Qemu test results:
total: 425 pass: 425 fail: 0
Tested-by: Guenter Roeck <[email protected]>
Guenter
From: Rob Herring <[email protected]>
commit e5c23779f93d45e39a52758ca593bd7e62e9b4be upstream.
In the case where there is only a cycle counter available (i.e.
PMCR_EL0.N is 0) and an event other than CPU cycles is opened, the open
should fail as the event can never possibly be scheduled. However, the
event validation when an event is opened is skipped when the group
leader is opened. Fix this by always validating the group leader events.
Reported-by: Al Grant <[email protected]>
Cc: Will Deacon <[email protected]>
Cc: Mark Rutland <[email protected]>
Signed-off-by: Rob Herring <[email protected]>
Acked-by: Mark Rutland <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Cc: <[email protected]>
Signed-off-by: Will Deacon <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/perf/arm_pmu.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
--- a/drivers/perf/arm_pmu.c
+++ b/drivers/perf/arm_pmu.c
@@ -321,6 +321,9 @@ validate_group(struct perf_event *event)
if (!validate_event(event->pmu, &fake_pmu, leader))
return -EINVAL;
+ if (event == leader)
+ return 0;
+
for_each_sibling_event(sibling, leader) {
if (!validate_event(event->pmu, &fake_pmu, sibling))
return -EINVAL;
@@ -418,12 +421,7 @@ __hw_perf_event_init(struct perf_event *
local64_set(&hwc->period_left, hwc->sample_period);
}
- if (event->group_leader != event) {
- if (validate_group(event) != 0)
- return -EINVAL;
- }
-
- return 0;
+ return validate_group(event);
}
static int armpmu_event_init(struct perf_event *event)
From: Paolo Valerio <[email protected]>
commit cefa91b2332d7009bc0be5d951d6cbbf349f90f8 upstream.
Given a sufficiently large number of actions, while copying and
reserving memory for a new action of a new flow, if next_offset is
greater than MAX_ACTIONS_BUFSIZE, the function reserve_sfa_size() does
not return -EMSGSIZE as expected, but it allocates MAX_ACTIONS_BUFSIZE
bytes increasing actions_len by req_size. This can then lead to an OOB
write access, especially when further actions need to be copied.
Fix it by rearranging the flow action size check.
KASAN splat below:
==================================================================
BUG: KASAN: slab-out-of-bounds in reserve_sfa_size+0x1ba/0x380 [openvswitch]
Write of size 65360 at addr ffff888147e4001c by task handler15/836
CPU: 1 PID: 836 Comm: handler15 Not tainted 5.18.0-rc1+ #27
...
Call Trace:
<TASK>
dump_stack_lvl+0x45/0x5a
print_report.cold+0x5e/0x5db
? __lock_text_start+0x8/0x8
? reserve_sfa_size+0x1ba/0x380 [openvswitch]
kasan_report+0xb5/0x130
? reserve_sfa_size+0x1ba/0x380 [openvswitch]
kasan_check_range+0xf5/0x1d0
memcpy+0x39/0x60
reserve_sfa_size+0x1ba/0x380 [openvswitch]
__add_action+0x24/0x120 [openvswitch]
ovs_nla_add_action+0xe/0x20 [openvswitch]
ovs_ct_copy_action+0x29d/0x1130 [openvswitch]
? __kernel_text_address+0xe/0x30
? unwind_get_return_address+0x56/0xa0
? create_prof_cpu_mask+0x20/0x20
? ovs_ct_verify+0xf0/0xf0 [openvswitch]
? prep_compound_page+0x198/0x2a0
? __kasan_check_byte+0x10/0x40
? kasan_unpoison+0x40/0x70
? ksize+0x44/0x60
? reserve_sfa_size+0x75/0x380 [openvswitch]
__ovs_nla_copy_actions+0xc26/0x2070 [openvswitch]
? __zone_watermark_ok+0x420/0x420
? validate_set.constprop.0+0xc90/0xc90 [openvswitch]
? __alloc_pages+0x1a9/0x3e0
? __alloc_pages_slowpath.constprop.0+0x1da0/0x1da0
? unwind_next_frame+0x991/0x1e40
? __mod_node_page_state+0x99/0x120
? __mod_lruvec_page_state+0x2e3/0x470
? __kasan_kmalloc_large+0x90/0xe0
ovs_nla_copy_actions+0x1b4/0x2c0 [openvswitch]
ovs_flow_cmd_new+0x3cd/0xb10 [openvswitch]
...
Cc: [email protected]
Fixes: f28cd2af22a0 ("openvswitch: fix flow actions reallocation")
Signed-off-by: Paolo Valerio <[email protected]>
Acked-by: Eelco Chaudron <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/openvswitch/flow_netlink.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/openvswitch/flow_netlink.c
+++ b/net/openvswitch/flow_netlink.c
@@ -2316,7 +2316,7 @@ static struct nlattr *reserve_sfa_size(s
new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2);
if (new_acts_size > MAX_ACTIONS_BUFSIZE) {
- if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) {
+ if ((next_offset + req_size) > MAX_ACTIONS_BUFSIZE) {
OVS_NLERR(log, "Flow action size exceeds max %u",
MAX_ACTIONS_BUFSIZE);
return ERR_PTR(-EMSGSIZE);
Hi!
> This is the start of the stable review cycle for the 4.19.240 release.
> There are 53 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 28 Apr 2022 08:17:22 +0000.
> Anything received after that time might be too late.
I still see problems on socfpga:
[ 1.227759] mmcblk0: p1 p2 p3
[ 1.269825] Micrel KSZ9031 Gigabit PHY stmmac-0:01: attached PHY driver [Micrel KSZ9031 Gigabit PHY] (mii_bus:phy_addr=stmmac-0:01, irq=POLL)
[ 1.284600] socfpga-dwmac ff702000.ethernet eth0: No Safety Features support found
[ 1.292374] socfpga-dwmac ff702000.ethernet eth0: registered PTP clock
[ 1.299247] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[ 5.444552] Unable to handle kernel NULL pointer dereference at virtual address 00000000
[ 5.452609] pgd = (ptrval)
[ 5.455322] [00000000] *pgd=00000000
[ 5.458890] Internal error: Oops: 805 [#1] SMP ARM
[ 5.463660] Modules linked in:
[ 5.466708] CPU: 0 PID: 766 Comm: kworker/0:2 Not tainted 4.19.240-rc1-g5e5c9d690926 #1
[ 5.474674] Hardware name: Altera SOCFPGA
[ 5.478679] Workqueue: events_power_efficient phy_state_machine
[ 5.484579] PC is at socfpga_dwmac_fix_mac_speed+0x3c/0xbc
[ 5.490044] LR is at arm_heavy_mb+0x2c/0x48
[ 5.494208] pc : [<c05d9a2c>] lr : [<c01182e8>] psr: 60000013
[ 5.500446] sp : ee84de58 ip : ee84de48 fp : ee84de7c
[ 5.505648] r10: 00000001 r9 : ee8fb800 r8 : 00000000
[ 5.510848] r7 : 00000000 r6 : 000003e8 r5 : eebe4000 r4 : eeb0a880
[ 5.517343] r3 : 00000001 r2 : 00000730 r1 : 00000000 r0 : eeb0a880
[ 5.523842] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
[ 5.530945] Control: 10c5387d Table: 0000404a DAC: 00000051
[ 5.536665] Process kworker/0:2 (pid: 766, stack limit = 0x(ptrval))
[ 5.542989] Stack: (0xee84de58 to 0xee84e000)
[ 5.547328] de40: ee8fb800 eebe4000
[ 5.555470] de60: eebe5000 eebe4538 00610c8c eebe4500 ee84deb4 ee84de80 c05cd084 c05d99fc
[ 5.563613] de80: c07058f0 c018fabc eebe4000 ee8fb800 eebe4000 ee8fba90 00000000 00000000
[ 5.571756] dea0: c0c77830 00000000 ee84decc ee84deb8 c05baf3c c05ccef0 ee8fba64 ee8fb800
[ 5.579899] dec0: ee84def4 ee84ded0 c05b921c c05baf08 ee8fba64 ef1cda80 ef7d2fc0 ef7d6500
[ 5.588041] dee0: 00000000 c0c77830 ee84df34 ee84def8 c013e18c c05b8ee0 ef7d2fc0 ef7d2fc0
[ 5.596183] df00: 00000008 ef7d2fd8 c0c02d00 ef1cda80 ef1cda94 ef7d2fc0 00000008 ef7d2fd8
[ 5.604327] df20: c0c02d00 ef7d2fc0 ee84df74 ee84df38 c013f178 c013df74 c013f118 c09e2128
[ 5.612469] df40: c0c77250 ffffe000 ee84df74 ef375140 ef3b9900 00000000 ee84c000 ef1cda80
[ 5.620612] df60: c013f118 ef127e74 ee84dfac ee84df78 c0144ac8 c013f124 ef37515c ef37515c
[ 5.628754] df80: ee84dfac ef3b9900 c014495c 00000000 00000000 00000000 00000000 00000000
[ 5.636896] dfa0: 00000000 ee84dfb0 c01010e8 c0144968 00000000 00000000 00000000 00000000
[ 5.645038] dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 5.653180] dfe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
[ 5.661317] Backtrace:
[ 5.663767] [<c05d99f0>] (socfpga_dwmac_fix_mac_speed) from [<c05cd084>] (stmmac_adjust_link+0x1a0/0x21c)
[ 5.673294] r9:eebe4500 r8:00610c8c r7:eebe4538 r6:eebe5000 r5:eebe4000 r4:ee8fb800
[ 5.681009] [<c05ccee4>] (stmmac_adjust_link) from [<c05baf3c>] (phy_link_change+0x40/0x4c)
[ 5.689323] r10:00000000 r9:c0c77830 r8:00000000 r7:00000000 r6:ee8fba90 r5:eebe4000
[ 5.697116] r4:ee8fb800
[ 5.699644] [<c05baefc>] (phy_link_change) from [<c05b921c>] (phy_state_machine+0x348/0x580)
[ 5.708042] r5:ee8fb800 r4:ee8fba64
[ 5.711610] [<c05b8ed4>] (phy_state_machine) from [<c013e18c>] (process_one_work+0x224/0x518)
[ 5.720098] r9:c0c77830 r8:00000000 r7:ef7d6500 r6:ef7d2fc0 r5:ef1cda80 r4:ee8fba64
[ 5.727811] [<c013df68>] (process_one_work) from [<c013f178>] (worker_thread+0x60/0x5ac)
[ 5.735866] r10:ef7d2fc0 r9:c0c02d00 r8:ef7d2fd8 r7:00000008 r6:ef7d2fc0 r5:ef1cda94
[ 5.743658] r4:ef1cda80
[ 5.746187] [<c013f118>] (worker_thread) from [<c0144ac8>] (kthread+0x16c/0x174)
[ 5.753551] r10:ef127e74 r9:c013f118 r8:ef1cda80 r7:ee84c000 r6:00000000 r5:ef3b9900
[ 5.761342] r4:ef375140
[ 5.763869] [<c014495c>] (kthread) from [<c01010e8>] (ret_from_fork+0x14/0x2c)
[ 5.771057] Exception stack(0xee84dfb0 to 0xee84dff8)
[ 5.776087] dfa0: 00000000 00000000 00000000 00000000
[ 5.784229] dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 5.792370] dfe0: 00000000 00000000 00000000 00000000 00000013 00000000
[ 5.798955] r10:00000000 r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:c014495c
[ 5.806747] r4:ef3b9900
[ 5.809273] Code: e59394b8 f57ff04e ebecfa24 e3a03001 (e1c830b0)
[ 5.815374] ---[ end trace 922ea6407635ba6b ]---
https://lava.ciplatform.org/scheduler/job/669257
https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/jobs/2377419824
Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
From: Ricardo Dias <[email protected]>
[ Upstream commit 01770a166165738a6e05c3d911fb4609cc4eb416 ]
When the TCP stack is in SYN flood mode, the server child socket is
created from the SYN cookie received in a TCP packet with the ACK flag
set.
The child socket is created when the server receives the first TCP
packet with a valid SYN cookie from the client. Usually, this packet
corresponds to the final step of the TCP 3-way handshake, the ACK
packet. But is also possible to receive a valid SYN cookie from the
first TCP data packet sent by the client, and thus create a child socket
from that SYN cookie.
Since a client socket is ready to send data as soon as it receives the
SYN+ACK packet from the server, the client can send the ACK packet (sent
by the TCP stack code), and the first data packet (sent by the userspace
program) almost at the same time, and thus the server will equally
receive the two TCP packets with valid SYN cookies almost at the same
instant.
When such event happens, the TCP stack code has a race condition that
occurs between the momement a lookup is done to the established
connections hashtable to check for the existence of a connection for the
same client, and the moment that the child socket is added to the
established connections hashtable. As a consequence, this race condition
can lead to a situation where we add two child sockets to the
established connections hashtable and deliver two sockets to the
userspace program to the same client.
This patch fixes the race condition by checking if an existing child
socket exists for the same client when we are adding the second child
socket to the established connections socket. If an existing child
socket exists, we drop the packet and discard the second child socket
to the same client.
Signed-off-by: Ricardo Dias <[email protected]>
Signed-off-by: Eric Dumazet <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
include/net/inet_hashtables.h | 5 +-
net/dccp/ipv4.c | 2 -
net/dccp/ipv6.c | 2 -
net/ipv4/inet_connection_sock.c | 2 -
net/ipv4/inet_hashtables.c | 68 +++++++++++++++++++++++++++++++++++-----
net/ipv4/tcp_ipv4.c | 15 +++++++-
net/ipv6/tcp_ipv6.c | 13 +++++++
7 files changed, 91 insertions(+), 16 deletions(-)
--- a/include/net/inet_hashtables.h
+++ b/include/net/inet_hashtables.h
@@ -232,8 +232,9 @@ void inet_hashinfo2_init(struct inet_has
unsigned long low_limit,
unsigned long high_limit);
-bool inet_ehash_insert(struct sock *sk, struct sock *osk);
-bool inet_ehash_nolisten(struct sock *sk, struct sock *osk);
+bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk);
+bool inet_ehash_nolisten(struct sock *sk, struct sock *osk,
+ bool *found_dup_sk);
int __inet_hash(struct sock *sk, struct sock *osk);
int inet_hash(struct sock *sk);
void inet_unhash(struct sock *sk);
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -428,7 +428,7 @@ struct sock *dccp_v4_request_recv_sock(c
if (__inet_inherit_port(sk, newsk) < 0)
goto put_and_exit;
- *own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash));
+ *own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash), NULL);
if (*own_req)
ireq->ireq_opt = NULL;
else
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -538,7 +538,7 @@ static struct sock *dccp_v6_request_recv
dccp_done(newsk);
goto out;
}
- *own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash));
+ *own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash), NULL);
/* Clone pktoptions received with SYN, if we own the req */
if (*own_req && ireq->pktopts) {
newnp->pktoptions = skb_clone(ireq->pktopts, GFP_ATOMIC);
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -793,7 +793,7 @@ static void reqsk_queue_hash_req(struct
timer_setup(&req->rsk_timer, reqsk_timer_handler, TIMER_PINNED);
mod_timer(&req->rsk_timer, jiffies + timeout);
- inet_ehash_insert(req_to_sk(req), NULL);
+ inet_ehash_insert(req_to_sk(req), NULL, NULL);
/* before letting lookups find us, make sure all req fields
* are committed to memory and refcnt initialized.
*/
--- a/net/ipv4/inet_hashtables.c
+++ b/net/ipv4/inet_hashtables.c
@@ -24,6 +24,9 @@
#include <net/addrconf.h>
#include <net/inet_connection_sock.h>
#include <net/inet_hashtables.h>
+#if IS_ENABLED(CONFIG_IPV6)
+#include <net/inet6_hashtables.h>
+#endif
#include <net/secure_seq.h>
#include <net/ip.h>
#include <net/tcp.h>
@@ -513,10 +516,52 @@ static u32 inet_sk_port_offset(const str
inet->inet_dport);
}
-/* insert a socket into ehash, and eventually remove another one
- * (The another one can be a SYN_RECV or TIMEWAIT
+/* Searches for an exsiting socket in the ehash bucket list.
+ * Returns true if found, false otherwise.
*/
-bool inet_ehash_insert(struct sock *sk, struct sock *osk)
+static bool inet_ehash_lookup_by_sk(struct sock *sk,
+ struct hlist_nulls_head *list)
+{
+ const __portpair ports = INET_COMBINED_PORTS(sk->sk_dport, sk->sk_num);
+ const int sdif = sk->sk_bound_dev_if;
+ const int dif = sk->sk_bound_dev_if;
+ const struct hlist_nulls_node *node;
+ struct net *net = sock_net(sk);
+ struct sock *esk;
+
+ INET_ADDR_COOKIE(acookie, sk->sk_daddr, sk->sk_rcv_saddr);
+
+ sk_nulls_for_each_rcu(esk, node, list) {
+ if (esk->sk_hash != sk->sk_hash)
+ continue;
+ if (sk->sk_family == AF_INET) {
+ if (unlikely(INET_MATCH(esk, net, acookie,
+ sk->sk_daddr,
+ sk->sk_rcv_saddr,
+ ports, dif, sdif))) {
+ return true;
+ }
+ }
+#if IS_ENABLED(CONFIG_IPV6)
+ else if (sk->sk_family == AF_INET6) {
+ if (unlikely(INET6_MATCH(esk, net,
+ &sk->sk_v6_daddr,
+ &sk->sk_v6_rcv_saddr,
+ ports, dif, sdif))) {
+ return true;
+ }
+ }
+#endif
+ }
+ return false;
+}
+
+/* Insert a socket into ehash, and eventually remove another one
+ * (The another one can be a SYN_RECV or TIMEWAIT)
+ * If an existing socket already exists, socket sk is not inserted,
+ * and sets found_dup_sk parameter to true.
+ */
+bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk)
{
struct inet_hashinfo *hashinfo = sk->sk_prot->h.hashinfo;
struct hlist_nulls_head *list;
@@ -535,16 +580,23 @@ bool inet_ehash_insert(struct sock *sk,
if (osk) {
WARN_ON_ONCE(sk->sk_hash != osk->sk_hash);
ret = sk_nulls_del_node_init_rcu(osk);
+ } else if (found_dup_sk) {
+ *found_dup_sk = inet_ehash_lookup_by_sk(sk, list);
+ if (*found_dup_sk)
+ ret = false;
}
+
if (ret)
__sk_nulls_add_node_rcu(sk, list);
+
spin_unlock(lock);
+
return ret;
}
-bool inet_ehash_nolisten(struct sock *sk, struct sock *osk)
+bool inet_ehash_nolisten(struct sock *sk, struct sock *osk, bool *found_dup_sk)
{
- bool ok = inet_ehash_insert(sk, osk);
+ bool ok = inet_ehash_insert(sk, osk, found_dup_sk);
if (ok) {
sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1);
@@ -588,7 +640,7 @@ int __inet_hash(struct sock *sk, struct
int err = 0;
if (sk->sk_state != TCP_LISTEN) {
- inet_ehash_nolisten(sk, osk);
+ inet_ehash_nolisten(sk, osk, NULL);
return 0;
}
WARN_ON(!sk_unhashed(sk));
@@ -683,7 +735,7 @@ int __inet_hash_connect(struct inet_time
tb = inet_csk(sk)->icsk_bind_hash;
spin_lock_bh(&head->lock);
if (sk_head(&tb->owners) == sk && !sk->sk_bind_node.next) {
- inet_ehash_nolisten(sk, NULL);
+ inet_ehash_nolisten(sk, NULL, NULL);
spin_unlock_bh(&head->lock);
return 0;
}
@@ -759,7 +811,7 @@ ok:
inet_bind_hash(sk, tb, port);
if (sk_unhashed(sk)) {
inet_sk(sk)->inet_sport = htons(port);
- inet_ehash_nolisten(sk, (struct sock *)tw);
+ inet_ehash_nolisten(sk, (struct sock *)tw, NULL);
}
if (tw)
inet_twsk_bind_unhash(tw, hinfo);
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1415,6 +1415,7 @@ struct sock *tcp_v4_syn_recv_sock(const
bool *own_req)
{
struct inet_request_sock *ireq;
+ bool found_dup_sk = false;
struct inet_sock *newinet;
struct tcp_sock *newtp;
struct sock *newsk;
@@ -1485,12 +1486,22 @@ struct sock *tcp_v4_syn_recv_sock(const
if (__inet_inherit_port(sk, newsk) < 0)
goto put_and_exit;
- *own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash));
+ *own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash),
+ &found_dup_sk);
if (likely(*own_req)) {
tcp_move_syn(newtp, req);
ireq->ireq_opt = NULL;
} else {
- newinet->inet_opt = NULL;
+ if (!req_unhash && found_dup_sk) {
+ /* This code path should only be executed in the
+ * syncookie case only
+ */
+ bh_unlock_sock(newsk);
+ sock_put(newsk);
+ newsk = NULL;
+ } else {
+ newinet->inet_opt = NULL;
+ }
}
return newsk;
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1090,6 +1090,7 @@ static struct sock *tcp_v6_syn_recv_sock
struct ipv6_txoptions *opt;
struct tcp6_sock *newtcp6sk;
struct inet_sock *newinet;
+ bool found_dup_sk = false;
struct tcp_sock *newtp;
struct sock *newsk;
#ifdef CONFIG_TCP_MD5SIG
@@ -1258,7 +1259,8 @@ static struct sock *tcp_v6_syn_recv_sock
tcp_done(newsk);
goto out;
}
- *own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash));
+ *own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash),
+ &found_dup_sk);
if (*own_req) {
tcp_move_syn(newtp, req);
@@ -1273,6 +1275,15 @@ static struct sock *tcp_v6_syn_recv_sock
skb_set_owner_r(newnp->pktoptions, newsk);
}
}
+ } else {
+ if (!req_unhash && found_dup_sk) {
+ /* This code path should only be executed in the
+ * syncookie case only
+ */
+ bh_unlock_sock(newsk);
+ sock_put(newsk);
+ newsk = NULL;
+ }
}
return newsk;
From: Ye Bin <[email protected]>
commit a2b0b205d125f27cddfb4f7280e39affdaf46686 upstream.
We got issue as follows:
[home]# fsck.ext4 -fn ram0yb
e2fsck 1.45.6 (20-Mar-2020)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Symlink /p3/d14/d1a/l3d (inode #3494) is invalid.
Clear? no
Entry 'l3d' in /p3/d14/d1a (3383) has an incorrect filetype (was 7, should be 0).
Fix? no
As the symlink file size does not match the file content. If the writeback
of the symlink data block failed, ext4_finish_bio() handles the end of IO.
However this function fails to mark the buffer with BH_write_io_error and
so when unmount does journal checkpoint it cannot detect the writeback
error and will cleanup the journal. Thus we've lost the correct data in the
journal area. To solve this issue, mark the buffer as BH_write_io_error in
ext4_finish_bio().
Cc: [email protected]
Signed-off-by: Ye Bin <[email protected]>
Reviewed-by: Jan Kara <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Theodore Ts'o <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
fs/ext4/page-io.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/ext4/page-io.c
+++ b/fs/ext4/page-io.c
@@ -105,8 +105,10 @@ static void ext4_finish_bio(struct bio *
continue;
}
clear_buffer_async_write(bh);
- if (bio->bi_status)
+ if (bio->bi_status) {
+ set_buffer_write_io_error(bh);
buffer_io_error(bh);
+ }
} while ((bh = bh->b_this_page) != head);
bit_spin_unlock(BH_Uptodate_Lock, &head->b_state);
local_irq_restore(flags);
From: Theodore Ts'o <[email protected]>
commit 10b01ee92df52c8d7200afead4d5e5f55a5c58b1 upstream.
The kernel calculation was underestimating the overhead by not taking
into account the reserved gdt blocks. With this change, the overhead
calculated by the kernel matches the overhead calculation in mke2fs.
Signed-off-by: Theodore Ts'o <[email protected]>
Cc: [email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
fs/ext4/super.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3440,9 +3440,11 @@ static int count_overhead(struct super_b
ext4_fsblk_t first_block, last_block, b;
ext4_group_t i, ngroups = ext4_get_groups_count(sb);
int s, j, count = 0;
+ int has_super = ext4_bg_has_super(sb, grp);
if (!ext4_has_feature_bigalloc(sb))
- return (ext4_bg_has_super(sb, grp) + ext4_bg_num_gdb(sb, grp) +
+ return (has_super + ext4_bg_num_gdb(sb, grp) +
+ (has_super ? le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks) : 0) +
sbi->s_itb_per_group + 2);
first_block = le32_to_cpu(sbi->s_es->s_first_data_block) +
From: Athira Rajeev <[email protected]>
[ Upstream commit 0dcad700bb2776e3886fe0a645a4bf13b1e747cd ]
When scheduling a group of events, there are constraint checks done to
make sure all events can go in a group. Example, one of the criteria is
that events in a group cannot use the same PMC. But platform specific
PMU supports alternative event for some of the event codes. During
perf_event_open(), if any event group doesn't match constraint check
criteria, further lookup is done to find alternative event.
By current design, the array of alternatives events in PMU code is
expected to be sorted by column 0. This is because in
find_alternative() the return criteria is based on event code
comparison. ie. "event < ev_alt[i][0])". This optimisation is there
since find_alternative() can be called multiple times. In power9 PMU
code, the alternative event array is not sorted properly and hence there
is breakage in finding alternative events.
To work with existing logic, fix the alternative event array to be
sorted by column 0 for power9-pmu.c
Results:
With alternative events, multiplexing can be avoided. That is, for
example, in power9 PM_LD_MISS_L1 (0x3e054) has alternative event,
PM_LD_MISS_L1_ALT (0x400f0). This is an identical event which can be
programmed in a different PMC.
Before:
# perf stat -e r3e054,r300fc
Performance counter stats for 'system wide':
1057860 r3e054 (50.21%)
379 r300fc (49.79%)
0.944329741 seconds time elapsed
Since both the events are using PMC3 in this case, they are
multiplexed here.
After:
# perf stat -e r3e054,r300fc
Performance counter stats for 'system wide':
1006948 r3e054
182 r300fc
Fixes: 91e0bd1e6251 ("powerpc/perf: Add PM_LD_MISS_L1 and PM_BR_2PATH to power9 event list")
Signed-off-by: Athira Rajeev <[email protected]>
Reviewed-by: Madhavan Srinivasan <[email protected]>
Signed-off-by: Michael Ellerman <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Sasha Levin <[email protected]>
---
arch/powerpc/perf/power9-pmu.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/arch/powerpc/perf/power9-pmu.c b/arch/powerpc/perf/power9-pmu.c
index c07b1615ee39..1aa083db77f1 100644
--- a/arch/powerpc/perf/power9-pmu.c
+++ b/arch/powerpc/perf/power9-pmu.c
@@ -143,11 +143,11 @@ int p9_dd22_bl_ev[] = {
/* Table of alternatives, sorted by column 0 */
static const unsigned int power9_event_alternatives[][MAX_ALT] = {
- { PM_INST_DISP, PM_INST_DISP_ALT },
- { PM_RUN_CYC_ALT, PM_RUN_CYC },
- { PM_RUN_INST_CMPL_ALT, PM_RUN_INST_CMPL },
- { PM_LD_MISS_L1, PM_LD_MISS_L1_ALT },
{ PM_BR_2PATH, PM_BR_2PATH_ALT },
+ { PM_INST_DISP, PM_INST_DISP_ALT },
+ { PM_RUN_CYC_ALT, PM_RUN_CYC },
+ { PM_LD_MISS_L1, PM_LD_MISS_L1_ALT },
+ { PM_RUN_INST_CMPL_ALT, PM_RUN_INST_CMPL },
};
static int power9_get_alternatives(u64 event, unsigned int flags, u64 alt[])
--
2.35.1
From: Kees Cook <[email protected]>
commit 2618a0dae09ef37728dab89ff60418cbe25ae6bd upstream.
With GCC 12, -Wstringop-overread was warning about an implicit cast from
char[6] to char[8]. However, the extra 2 bytes are always thrown away,
alignment doesn't matter, and the risk of hitting the edge of unallocated
memory has been accepted, so this prototype can just be converted to a
regular char *. Silences:
net/core/dev.c: In function ‘bpf_prog_run_generic_xdp’: net/core/dev.c:4618:21: warning: ‘ether_addr_equal_64bits’ reading 8 bytes from a region of size 6 [-Wstringop-overread]
4618 | orig_host = ether_addr_equal_64bits(eth->h_dest, > skb->dev->dev_addr);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
net/core/dev.c:4618:21: note: referencing argument 1 of type ‘const u8[8]’ {aka ‘const unsigned char[8]’}
net/core/dev.c:4618:21: note: referencing argument 2 of type ‘const u8[8]’ {aka ‘const unsigned char[8]’}
In file included from net/core/dev.c:91: include/linux/etherdevice.h:375:20: note: in a call to function ‘ether_addr_equal_64bits’
375 | static inline bool ether_addr_equal_64bits(const u8 addr1[6+2],
| ^~~~~~~~~~~~~~~~~~~~~~~
Reported-by: Marc Kleine-Budde <[email protected]>
Tested-by: Marc Kleine-Budde <[email protected]>
Link: https://lore.kernel.org/netdev/[email protected]
Cc: Jakub Kicinski <[email protected]>
Cc: "David S. Miller" <[email protected]>
Cc: [email protected]
Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Cc: Khem Raj <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
include/linux/etherdevice.h | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/include/linux/etherdevice.h
+++ b/include/linux/etherdevice.h
@@ -130,7 +130,7 @@ static inline bool is_multicast_ether_ad
#endif
}
-static inline bool is_multicast_ether_addr_64bits(const u8 addr[6+2])
+static inline bool is_multicast_ether_addr_64bits(const u8 *addr)
{
#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) && BITS_PER_LONG == 64
#ifdef __BIG_ENDIAN
@@ -344,8 +344,7 @@ static inline bool ether_addr_equal(cons
* Please note that alignment of addr1 & addr2 are only guaranteed to be 16 bits.
*/
-static inline bool ether_addr_equal_64bits(const u8 addr1[6+2],
- const u8 addr2[6+2])
+static inline bool ether_addr_equal_64bits(const u8 *addr1, const u8 *addr2)
{
#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) && BITS_PER_LONG == 64
u64 fold = (*(const u64 *)addr1) ^ (*(const u64 *)addr2);
From: Duoming Zhou <[email protected]>
commit 9fd75b66b8f68498454d685dc4ba13192ae069b0 upstream.
The previous commit d01ffb9eee4a ("ax25: add refcount in ax25_dev to
avoid UAF bugs") and commit feef318c855a ("ax25: fix UAF bugs of
net_device caused by rebinding operation") increase the refcounts of
ax25_dev and net_device in ax25_bind() and decrease the matching refcounts
in ax25_kill_by_device() in order to prevent UAF bugs, but there are
reference count leaks.
The root cause of refcount leaks is shown below:
(Thread 1) | (Thread 2)
ax25_bind() |
... |
ax25_addr_ax25dev() |
ax25_dev_hold() //(1) |
... |
dev_hold_track() //(2) |
... | ax25_destroy_socket()
| ax25_cb_del()
| ...
| hlist_del_init() //(3)
|
|
(Thread 3) |
ax25_kill_by_device() |
... |
ax25_for_each(s, &ax25_list) { |
if (s->ax25_dev == ax25_dev) //(4) |
... |
Firstly, we use ax25_bind() to increase the refcount of ax25_dev in
position (1) and increase the refcount of net_device in position (2).
Then, we use ax25_cb_del() invoked by ax25_destroy_socket() to delete
ax25_cb in hlist in position (3) before calling ax25_kill_by_device().
Finally, the decrements of refcounts in ax25_kill_by_device() will not
be executed, because no s->ax25_dev equals to ax25_dev in position (4).
This patch adds decrements of refcounts in ax25_release() and use
lock_sock() to do synchronization. If refcounts decrease in ax25_release(),
the decrements of refcounts in ax25_kill_by_device() will not be
executed and vice versa.
Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs")
Fixes: 87563a043cef ("ax25: fix reference count leaks of ax25_dev")
Fixes: feef318c855a ("ax25: fix UAF bugs of net_device caused by rebinding operation")
Reported-by: Thomas Osterried <[email protected]>
Signed-off-by: Duoming Zhou <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[OP: backport to 4.19: adjust dev_put_track()->dev_put()]
Signed-off-by: Ovidiu Panait <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/ax25/af_ax25.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -101,8 +101,10 @@ again:
spin_unlock_bh(&ax25_list_lock);
lock_sock(sk);
s->ax25_dev = NULL;
- dev_put(ax25_dev->dev);
- ax25_dev_put(ax25_dev);
+ if (sk->sk_socket) {
+ dev_put(ax25_dev->dev);
+ ax25_dev_put(ax25_dev);
+ }
release_sock(sk);
ax25_disconnect(s, ENETUNREACH);
spin_lock_bh(&ax25_list_lock);
@@ -981,14 +983,20 @@ static int ax25_release(struct socket *s
{
struct sock *sk = sock->sk;
ax25_cb *ax25;
+ ax25_dev *ax25_dev;
if (sk == NULL)
return 0;
sock_hold(sk);
- sock_orphan(sk);
lock_sock(sk);
+ sock_orphan(sk);
ax25 = sk_to_ax25(sk);
+ ax25_dev = ax25->ax25_dev;
+ if (ax25_dev) {
+ dev_put(ax25_dev->dev);
+ ax25_dev_put(ax25_dev);
+ }
if (sk->sk_type == SOCK_SEQPACKET) {
switch (ax25->state) {
Hi Greg,
On Tue, Apr 26, 2022 at 10:20:40AM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.19.240 release.
> There are 53 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 28 Apr 2022 08:17:22 +0000.
> Anything received after that time might be too late.
Build test:
mips (gcc version 11.2.1 20220408): 63 configs -> no failure
arm (gcc version 11.2.1 20220408): 116 configs -> no new failure
arm64 (gcc version 11.2.1 20220408): 2 configs -> no failure
x86_64 (gcc version 11.2.1 20220408): 4 configs -> no failure
Boot test:
x86_64: Booted on my test laptop. No regression.
x86_64: Booted on qemu. No regression. [1]
[1]. https://openqa.qa.codethink.co.uk/tests/1065
Tested-by: Sudip Mukherjee <[email protected]>
--
Regards
Sudip