Ext4 needs to serialize unaligned direct AIO because the zeroing of
partial blocks of two competing unaligned AIOs can result in data
corruption.
However it decides not to serialize if the potentially unaligned aio is
past i_size with the rationale that no pending writes are possible past
i_size. Unfortunately if the i_size is not block aligned and the second
unaligned write lands past i_size, but still into the same block, it has
the potential of corrupting the previous unaligned write to the same
block.
This is a (very simplified) reproducer from Frank:
    // 41472 = (10 * 4096) + 512
    // 37376 = 41472 - 4096
    ftruncate(fd, 41472);
    io_prep_pwrite(iocbs[0], fd, buf[0], 4096, 37376);
    io_prep_pwrite(iocbs[1], fd, buf[1], 4096, 41472);
    io_submit(io_ctx, 1, &iocbs[0]);
    io_submit(io_ctx, 1, &iocbs[1]);
    io_getevents(io_ctx, 2, 2, events, NULL);
Without this patch the 512B range from 40960 up to the start of the
second unaligned write (41472) is going to be zeroed overwriting the data
written by the first write. This is a data corruption.
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*
00009200 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30
*
0000a000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*
0000a200 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31
With this patch the data corruption is avoided because we will recognize
the unaligned_aio and wait for the unwritten extent conversion.
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*
00009200 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30
*
0000a200 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31
*
0000b200
Reported-by: Frank Sorenson <fsorenso(a)redhat.com>
Signed-off-by: Lukas Czerner <lczerner(a)redhat.com>
Fixes: e9e3bcecf44c ("ext4: serialize unaligned asynchronous DIO")
Cc: <stable(a)vger.kernel.org>
---
fs/ext4/file.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ext4/file.c b/fs/ext4/file.c
index 69d65d49837b..98ec11f69cd4 100644
--- a/fs/ext4/file.c
+++ b/fs/ext4/file.c
@@ -125,7 +125,7 @@ ext4_unaligned_aio(struct inode *inode, struct iov_iter *from, loff_t pos)
struct super_block *sb = inode->i_sb;
int blockmask = sb->s_blocksize - 1;
- if (pos >= i_size_read(inode))
+ if (pos >= ALIGN(i_size_read(inode), sb->s_blocksize))
return 0;
if ((pos | iov_iter_alignment(from)) & blockmask)
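Review bot: The changed test in ext4_unaligned_aio() carries no comment explaining why i_size is rounded up with ALIGN(), so a later reader could take the rounding for an off-by-one and simplify it back to "pos >= i_size_read(inode)". A short comment above the test, saying that a write starting past i_size but still inside the block that contains i_size must go on to the alignment check and be serialized, would record the intent next to the code.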
--
2.20.1
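The decision described in the commit message above, worked through with the reproducer's offsets. This is an added userspace model, not code from the patch or from ext4; the function names are made up for the illustration, and it assumes the user buffer is block aligned so that only the offset and length decide alignment.

```c
#include <stdio.h>

/* Userspace model of the test in ext4_unaligned_aio(); not kernel code.
 * ALIGN_UP stands in for the kernel's ALIGN() (power-of-two sizes only). */
#define ALIGN_UP(x, a) (((x) + ((a) - 1)) & ~((a) - 1))

/* Shared tail of both versions: start offset or length not block aligned.
 * Assumption: the user buffer itself is aligned, so only pos and len matter. */
static int misaligned(long long pos, long long len, long long bs)
{
    return ((pos | len) & (bs - 1)) != 0;
}

/* Before the patch: any write starting at or past i_size skips the check. */
static int unaligned_aio_old(long long i_size, long long pos, long long len, long long bs)
{
    if (pos >= i_size)
        return 0;
    return misaligned(pos, len, bs);
}

/* After the patch: only writes starting past the block holding i_size skip it. */
static int unaligned_aio_new(long long i_size, long long pos, long long len, long long bs)
{
    if (pos >= ALIGN_UP(i_size, bs))
        return 0;
    return misaligned(pos, len, bs);
}

/* Does the last block of write 1 coincide with the first block of write 2? */
static int tail_meets_head(long long pos1, long long len1, long long pos2, long long bs)
{
    return (pos1 + len1 - 1) / bs == pos2 / bs;
}

int main(void)
{
    /* Values from the reproducer: 4096-byte blocks, i_size = 41472. */
    long long bs = 4096, i_size = 41472, len = 4096;
    long long pos[2] = { 37376, 41472 };

    printf("writes share a block: %d\n", tail_meets_head(pos[0], len, pos[1], bs));
    for (int i = 0; i < 2; i++)
        printf("pos=%lld old=%d new=%d\n", pos[i],
               unaligned_aio_old(i_size, pos[i], len, bs),
               unaligned_aio_new(i_size, pos[i], len, bs));
    return 0;
}
```
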
On Thu, Mar 14, 2019 at 07:59:00PM +0000, Alan J. Wylie wrote:
> Greg KH <gregkh(a)linuxfoundation.org> writes:
>
> > I'm announcing the release of the 5.0.2 kernel.
>
> There is a regression for AMD-only builds.
Adding the stable list, which people should do...
>
> See also Alec Ari's report:
> https://lkml.org/lkml/2019/3/13/1113
>
> > If CONFIG_CPU_SUP_INTEL is disabled with either the 5.0.2 or 4.20.16
> > kernel, it errors out right away:
>
> $ grep "CONFIG_CPU_SUP_" .config
> # CONFIG_CPU_SUP_INTEL is not set
> CONFIG_CPU_SUP_AMD=y
> # CONFIG_CPU_SUP_HYGON is not set
> # CONFIG_CPU_SUP_CENTAUR is not set
>
> CC arch/x86/events/core.o
> In file included from arch/x86/events/core.c:44:
> arch/x86/events/perf_event.h:1035:45: warning: ‘struct cpu_hw_event’ declared inside parameter list will not be visible outside of this definition or declaration
> static inline int intel_cpuc_prepare(struct cpu_hw_event *cpuc, int cpu)
> ^~~~~~~~~~~~
> arch/x86/events/perf_event.h:1040:45: warning: ‘struct cpu_hw_event’ declared inside parameter list will not be visible outside of this definition or declaration
> static inline void intel_cpuc_finish(struct cpu_hw_event *cpuc)
> ^~~~~~~~~~~~
> arch/x86/events/core.c: In function ‘free_fake_cpuc’:
> arch/x86/events/core.c:1998:20: error: passing argument 1 of ‘intel_cpuc_finish’ from incompatible pointer type [-Werror=incompatible-pointer-types]
> intel_cpuc_finish(cpuc);
> ^~~~
> In file included from arch/x86/events/core.c:44:
> arch/x86/events/perf_event.h:1040:59: note: expected ‘struct cpu_hw_event *’ but argument is of type ‘struct cpu_hw_events *’
> static inline void intel_cpuc_finish(struct cpu_hw_event *cpuc)
> ~~~~~~~~~~~~~~~~~~~~~^~~~
> arch/x86/events/core.c: In function ‘allocate_fake_cpuc’:
> arch/x86/events/core.c:2012:25: error: passing argument 1 of ‘intel_cpuc_prepare’ from incompatible pointer type [-Werror=incompatible-pointer-types]
> if (intel_cpuc_prepare(cpuc, cpu))
> ^~~~
> In file included from arch/x86/events/core.c:44:
> arch/x86/events/perf_event.h:1035:59: note: expected ‘struct cpu_hw_event *’ but argument is of type ‘struct cpu_hw_events *’
> static inline int intel_cpuc_prepare(struct cpu_hw_event *cpuc, int cpu)
> ~~~~~~~~~~~~~~~~~~~~~^~~~
> cc1: some warnings being treated as errors
Is this a regression? If so, what commit caused this? Is this also an
issue in Linus's tree right now?
thanks,
greg k-h
Hello!
While trying to add Perf tests to LKFT [1], we encountered some
problems building it for two specific combinations:
* 4.4 and x86-64
* 4.14 and x86-32
On 4.4, this is what the build failure looks like:
| bench/mem-memcpy-x86-64-asm.S:4:10: fatal error: ../../../arch/x86/lib/memcpy_64.S: No such file or directory
| #include "../../../arch/x86/lib/memcpy_64.S"
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This was fixed in mainline by commit 7d7d1bf1d1da ("perf bench: Copy
kernel files needed to build mem{cpy,set} x86_64 benchmarks"). Instead
of just cherry-picking, it requires a proper backport as it needs to
copy the existing files in 4.4, not the ones contained in that commit
(which are from v4.7-rc5+).
On 4.14, this is what the build failure looks like:
| In file included from util/libunwind/x86_32.c:33:0:
| util/libunwind/../../arch/x86/util/unwind-libunwind.c: In function 'libunwind__x86_reg_id':
| util/libunwind/../../arch/x86/util/unwind-libunwind.c:110:11: error: 'EINVAL' undeclared (first use in this function); did you mean 'UNW_EINVAL'?
| return -EINVAL;
| ^~~~~~
| UNW_EINVAL
This was fixed by 44df1afdb174 ("perf tools: Fix compile error with
libunwind x86"); it applies cleanly on top of v4.14.106.
Thanks and greetings!
Daniel Díaz
daniel.diaz(a)linaro.org
[1] https://lkft.linaro.org/about/
Hello,
Syzkaller has triggered a kernel BUG when fuzzing a 4.4 kernel with the following stacktrace.
Call Trace:
[<ffffffff818568d5>] construct_alloc_key security/keys/request_key.c:388 [inline]
[<ffffffff818568d5>] construct_key_and_link security/keys/request_key.c:479 [inline]
[<ffffffff818568d5>] request_key_and_link+0x49b/0x8c5 security/keys/request_key.c:594
[<ffffffff8184fb08>] SYSC_request_key security/keys/keyctl.c:213 [inline]
[<ffffffff8184fb08>] SyS_request_key+0x1ac/0x2a2 security/keys/keyctl.c:158
[<ffffffff832bec3a>] entry_SYSCALL_64_fastpath+0x31/0xb3
Could the following patches be applied to v4.4.y?
* 4aa68e07d845 ("KEYS: restrict /proc/keys by credentials at open time")
* ede0fa98a900 ("KEYS: always initialize keyring_index_key::desc_len")
Note: queue-4.4 currently has a backport for "keys-always-initialize-keyring_index_key-desc_len.patch".
This request is to apply the 2 patches above instead of just one, to 4.4.y,
as the first patch is a bugfix as well. They apply cleanly if applied one after another.
Tests:
* Chrome OS tryjob
* Syzkaller reproducer
* Test to check if 4aa68e07d845 works as intended
Thanks,
- Zubin
From: Eric Biggers <ebiggers(a)google.com>
commit 4aa68e07d845562561f5e73c04aa521376e95252 upstream
When checking for permission to view keys whilst reading from
/proc/keys, we should use the credentials with which the /proc/keys file
was opened. This is because, in a classic type of exploit, it can be
possible to bypass checks for the *current* credentials by passing the
file descriptor to a suid program.
Following commit 34dbbcdbf633 ("Make file credentials available to the
seqfile interfaces") we can finally fix it. So let's do it.
Signed-off-by: Eric Biggers <ebiggers(a)google.com>
Signed-off-by: David Howells <dhowells(a)redhat.com>
Signed-off-by: Zubin Mithra <zsm(a)chromium.org>
---
* A test confirmed that when reading from a file descriptor
corresponding to /proc/keys the permissions for the reader were being
used instead of the permissions of the user who opened the file.
This patch is required for 4.4.y as well; however, the original patch
will apply cleanly there. I'll send a separate request for the same.
security/keys/proc.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/security/keys/proc.c b/security/keys/proc.c
index ec493ddadd111..f2c7e090a66d7 100644
--- a/security/keys/proc.c
+++ b/security/keys/proc.c
@@ -187,7 +187,7 @@ static int proc_keys_show(struct seq_file *m, void *v)
struct keyring_search_context ctx = {
.index_key = key->index_key,
- .cred = current_cred(),
+ .cred = m->file->f_cred,
.match_data.cmp = lookup_user_key_possessed,
.match_data.raw_data = key,
.match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
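Review bot: The .cred initializer now dereferences m->file->f_cred, which relies on the seq_file carrying a file pointer; the commit message ties that to 34dbbcdbf633, so a backport of this hunk should first confirm that commit is present in the target tree. A one-line comment at the initializer stating that the opener's credentials are used on purpose would also help keep a later cleanup from switching it back to current_cred().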
@@ -207,11 +207,7 @@ static int proc_keys_show(struct seq_file *m, void *v)
}
}
- /* check whether the current task is allowed to view the key (assuming
- * non-possession)
- * - the caller holds a spinlock, and thus the RCU read lock, making our
- * access to __current_cred() safe
- */
+ /* check whether the current task is allowed to view the key */
rc = key_task_permission(key_ref, ctx.cred, KEY_NEED_VIEW);
if (rc < 0)
return 0;
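Review bot: The replacement comment above key_task_permission() still says "the current task", but ctx.cred is now m->file->f_cred from the earlier hunk, so the check is made against whoever opened /proc/keys rather than the task doing the read. Suggest wording it as: /* check whether the opener of /proc/keys is allowed to view the key */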
--
2.21.0.360.g471c308f928-goog
commit upstream 8b23570ab001c1982c8a068cde468ff067255314
This commit ("ACPICA: Reference Counts: increase max to 0x4000 for large servers") fixes an issue that has been seen on large memory systems. The first release with the fix was 4.19.
It's a low risk fix, and the value has been bumped in the past already. It should be fine on anything below 4.19, but I've only included 4.9 and 4.14 here, since the issue was actually observed on those versions.
Thanks,
Frank
I'm announcing the release of the 5.0.2 kernel.
All users of the 5.0 kernel series must upgrade.
The updated 5.0.y git tree can be found at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.0.y
and can be browsed at the normal kernel.org git web browser:
http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary
thanks,
greg k-h
------------
Makefile | 2
arch/arm/boot/dts/exynos3250.dtsi | 3
arch/arm/boot/dts/exynos4412-odroid-common.dtsi | 13 -
arch/arm/boot/dts/exynos5422-odroid-core.dtsi | 2
arch/arm64/boot/dts/hisilicon/hi6220-hikey.dts | 2
arch/arm64/boot/dts/xilinx/zynqmp-zcu100-revC.dts | 1
arch/x86/events/core.c | 13 -
arch/x86/events/intel/core.c | 154 ++++++++++++++----
arch/x86/events/perf_event.h | 17 +-
arch/x86/include/asm/cpufeatures.h | 1
arch/x86/include/asm/msr-index.h | 6
arch/x86/pci/fixup.c | 16 +
drivers/firmware/iscsi_ibft.c | 1
drivers/input/mouse/elan_i2c_core.c | 1
drivers/input/tablet/wacom_serial4.c | 2
drivers/media/rc/rc-main.c | 13 +
drivers/media/usb/uvc/uvc_driver.c | 14 +
drivers/net/wireless/ath/ath9k/init.c | 6
drivers/pci/pcie/pme.c | 27 ---
drivers/scsi/aacraid/commsup.c | 5
drivers/staging/erofs/namei.c | 183 +++++++++++-----------
drivers/staging/erofs/unzip_vle.c | 38 ++--
drivers/staging/erofs/unzip_vle.h | 3
drivers/staging/erofs/unzip_vle_lz4.c | 19 --
fs/gfs2/glock.c | 2
include/drm/drm_cache.h | 18 ++
net/core/skmsg.c | 1
scripts/gdb/linux/constants.py.in | 12 -
scripts/gdb/linux/proc.py | 12 -
29 files changed, 365 insertions(+), 222 deletions(-)
Alexander Shishkin (1):
x86/PCI: Fixup RTIT_BAR of Intel Denverton Trace Hub
Alistair Strachan (2):
media: uvcvideo: Fix 'type' check leading to overflow
arm64: dts: hikey: Revert "Enable HS200 mode on eMMC"
Andreas Gruenbacher (1):
gfs2: Fix missed wakeups in find_insert_glock
Ard Biesheuvel (1):
drm: disable uncached DMA optimization for ARM and arm64
Daniel F. Dickinson (1):
ath9k: Avoid OF no-EEPROM quirks without qca,no-eeprom
Gao Xiang (2):
staging: erofs: keep corrupted fs from crashing kernel in erofs_namei()
staging: erofs: compressed_pages should not be accessed again after freed
Greg Kroah-Hartman (1):
Linux 5.0.2
Gustavo A. R. Silva (2):
iscsi_ibft: Fix missing break in switch statement
scsi: aacraid: Fix missing break in switch statement
Jackie Liu (1):
scripts/gdb: replace flags (MS_xyz -> SB_xyz)
Jakub Sitnicki (1):
bpf: Stop the psock parser before canceling its work
Jan Kiszka (2):
arm64: dts: zcu100-revC: Give wifi some time after power-on
arm64: dts: hikey: Give wifi some time after power-on
Jason Gerecke (1):
Input: wacom_serial4 - add support for Wacom ArtPad II tablet
Marek Szyprowski (3):
ARM: dts: exynos: Fix pinctrl definition for eMMC RTSN line on Odroid X2/U3
ARM: dts: exynos: Add minimal clkout parameters to Exynos3250 PMU
ARM: dts: exynos: Fix max voltage for buck8 regulator on Odroid XU3/XU4
Mika Westerberg (1):
Revert "PCI/PME: Implement runtime PM callbacks"
Peter Zijlstra (Intel) (4):
perf/x86/intel: Make cpuc allocations consistent
perf/x86/intel: Generalize dynamic constraint creation
x86: Add TSX Force Abort CPUID/MSR
perf/x86/intel: Implement support for TSX Force Abort
Sean Young (1):
media: Revert "media: rc: some events are dropped by userspace"
Vincent Batts (1):
Input: elan_i2c - add id for touchpad found in Lenovo s21e-20