March 2019 - Linux-stable-mirror

[PATCH 4.19 1/5] staging: erofs: add error handling for xattr submodule

by Gao Xiang

commit cadf1ccf1b0021d0b7a9347e102ac5258f9f98c8 upstream. This patch enhances the missing error handling code for xattr submodule, which improves the stability for the rare cases. Reviewed-by: Chao Yu <yuchao0(a)huawei.com> Signed-off-by: Chao Yu <yuchao0(a)huawei.com> Signed-off-by: Gao Xiang <gaoxiang25(a)huawei.com> --- This series resolves the following conflicts: FAILED: patch "[PATCH] staging: erofs: fix fast symlink w/o xattr when fs xattr is" failed to apply to 4.19-stable tree FAILED: patch "[PATCH] staging: erofs: fix memleak of inode's shared xattr array" failed to apply to 4.19-stable tree FAILED: patch "[PATCH] staging: erofs: fix race of initializing xattrs of a inode at" failed to apply to 4.19-stable tree FAILED: patch "[PATCH] staging: erofs: keep corrupted fs from crashing kernel in" failed to apply to 4.19-stable tree In addition, there is another patch called staging: erofs: add error handling for xattr submodule that needs to be backported to 4.19 as well (4.20+ already has this patch.) drivers/staging/erofs/internal.h | 5 +- drivers/staging/erofs/xattr.c | 112 +++++++++++++++++++++++++++------------ 2 files changed, 81 insertions(+), 36 deletions(-) diff --git a/drivers/staging/erofs/internal.h b/drivers/staging/erofs/internal.h index 9f44ed8f0023..1c048c412fb2 100644 --- a/drivers/staging/erofs/internal.h +++ b/drivers/staging/erofs/internal.h @@ -485,8 +485,9 @@ struct erofs_map_blocks_iter { }; -static inline struct page *erofs_get_inline_page(struct inode *inode, - erofs_blk_t blkaddr) +static inline struct page * +erofs_get_inline_page(struct inode *inode, + erofs_blk_t blkaddr) { return erofs_get_meta_page(inode->i_sb, blkaddr, S_ISDIR(inode->i_mode)); diff --git a/drivers/staging/erofs/xattr.c b/drivers/staging/erofs/xattr.c index 0e9cfeccdf99..d4bccb57e7c3 100644 --- a/drivers/staging/erofs/xattr.c +++ b/drivers/staging/erofs/xattr.c @@ -24,16 +24,25 @@ struct xattr_iter { static inline void xattr_iter_end(struct xattr_iter *it, bool atomic) { - /* only init_inode_xattrs use non-atomic once */ + /* the only user of kunmap() is 'init_inode_xattrs' */ if (unlikely(!atomic)) kunmap(it->page); else kunmap_atomic(it->kaddr); + unlock_page(it->page); put_page(it->page); } -static void init_inode_xattrs(struct inode *inode) +static inline void xattr_iter_end_final(struct xattr_iter *it) +{ + if (!it->page) + return; + + xattr_iter_end(it, true); +} + +static int init_inode_xattrs(struct inode *inode) { struct xattr_iter it; unsigned i; @@ -43,7 +52,7 @@ static void init_inode_xattrs(struct inode *inode) bool atomic_map; if (likely(inode_has_inited_xattr(inode))) - return; + return 0; vi = EROFS_V(inode); BUG_ON(!vi->xattr_isize); @@ -53,7 +62,8 @@ static void init_inode_xattrs(struct inode *inode) it.ofs = erofs_blkoff(iloc(sbi, vi->nid) + vi->inode_isize); it.page = erofs_get_inline_page(inode, it.blkaddr); - BUG_ON(IS_ERR(it.page)); + if (IS_ERR(it.page)) + return PTR_ERR(it.page); /* read in shared xattr array (non-atomic, see kmalloc below) */ it.kaddr = kmap(it.page); @@ -62,9 +72,12 @@ static void init_inode_xattrs(struct inode *inode) ih = (struct erofs_xattr_ibody_header *)(it.kaddr + it.ofs); vi->xattr_shared_count = ih->h_shared_count; - vi->xattr_shared_xattrs = (unsigned *)kmalloc_array( - vi->xattr_shared_count, sizeof(unsigned), - GFP_KERNEL | __GFP_NOFAIL); + vi->xattr_shared_xattrs = kmalloc_array(vi->xattr_shared_count, + sizeof(uint), GFP_KERNEL); + if (!vi->xattr_shared_xattrs) { + xattr_iter_end(&it, atomic_map); + return -ENOMEM; + } /* let's skip ibody header */ it.ofs += sizeof(struct erofs_xattr_ibody_header); @@ -77,7 +90,8 @@ static void init_inode_xattrs(struct inode *inode) it.page = erofs_get_meta_page(inode->i_sb, ++it.blkaddr, S_ISDIR(inode->i_mode)); - BUG_ON(IS_ERR(it.page)); + if (IS_ERR(it.page)) + return PTR_ERR(it.page); it.kaddr = kmap_atomic(it.page); atomic_map = true; @@ -90,6 +104,7 @@ static void init_inode_xattrs(struct inode *inode) xattr_iter_end(&it, atomic_map); inode_set_inited_xattr(inode); + return 0; } struct xattr_iter_handlers { @@ -99,18 +114,25 @@ struct xattr_iter_handlers { void (*value)(struct xattr_iter *, unsigned, char *, unsigned); }; -static void xattr_iter_fixup(struct xattr_iter *it) +static inline int xattr_iter_fixup(struct xattr_iter *it) { - if (unlikely(it->ofs >= EROFS_BLKSIZ)) { - xattr_iter_end(it, true); + if (it->ofs < EROFS_BLKSIZ) + return 0; - it->blkaddr += erofs_blknr(it->ofs); - it->page = erofs_get_meta_page(it->sb, it->blkaddr, false); - BUG_ON(IS_ERR(it->page)); + xattr_iter_end(it, true); - it->kaddr = kmap_atomic(it->page); - it->ofs = erofs_blkoff(it->ofs); + it->blkaddr += erofs_blknr(it->ofs); + it->page = erofs_get_meta_page(it->sb, it->blkaddr, false); + if (IS_ERR(it->page)) { + int err = PTR_ERR(it->page); + + it->page = NULL; + return err; } + + it->kaddr = kmap_atomic(it->page); + it->ofs = erofs_blkoff(it->ofs); + return 0; } static int inline_xattr_iter_begin(struct xattr_iter *it, @@ -132,21 +154,24 @@ static int inline_xattr_iter_begin(struct xattr_iter *it, it->ofs = erofs_blkoff(iloc(sbi, vi->nid) + inline_xattr_ofs); it->page = erofs_get_inline_page(inode, it->blkaddr); - BUG_ON(IS_ERR(it->page)); - it->kaddr = kmap_atomic(it->page); + if (IS_ERR(it->page)) + return PTR_ERR(it->page); + it->kaddr = kmap_atomic(it->page); return vi->xattr_isize - xattr_header_sz; } static int xattr_foreach(struct xattr_iter *it, - struct xattr_iter_handlers *op, unsigned *tlimit) + const struct xattr_iter_handlers *op, unsigned int *tlimit) { struct erofs_xattr_entry entry; unsigned value_sz, processed, slice; int err; /* 0. fixup blkaddr, ofs, ipage */ - xattr_iter_fixup(it); + err = xattr_iter_fixup(it); + if (err) + return err; /* * 1. read xattr entry to the memory, @@ -178,7 +203,9 @@ static int xattr_foreach(struct xattr_iter *it, if (it->ofs >= EROFS_BLKSIZ) { BUG_ON(it->ofs > EROFS_BLKSIZ); - xattr_iter_fixup(it); + err = xattr_iter_fixup(it); + if (err) + goto out; it->ofs = 0; } @@ -210,7 +237,10 @@ static int xattr_foreach(struct xattr_iter *it, while (processed < value_sz) { if (it->ofs >= EROFS_BLKSIZ) { BUG_ON(it->ofs > EROFS_BLKSIZ); - xattr_iter_fixup(it); + + err = xattr_iter_fixup(it); + if (err) + goto out; it->ofs = 0; } @@ -270,7 +300,7 @@ static void xattr_copyvalue(struct xattr_iter *_it, memcpy(it->buffer + processed, buf, len); } -static struct xattr_iter_handlers find_xattr_handlers = { +static const struct xattr_iter_handlers find_xattr_handlers = { .entry = xattr_entrymatch, .name = xattr_namematch, .alloc_buffer = xattr_checkbuffer, @@ -291,8 +321,11 @@ static int inline_getxattr(struct inode *inode, struct getxattr_iter *it) ret = xattr_foreach(&it->it, &find_xattr_handlers, &remaining); if (ret >= 0) break; + + if (ret != -ENOATTR) /* -ENOMEM, -EIO, etc. */ + break; } - xattr_iter_end(&it->it, true); + xattr_iter_end_final(&it->it); return ret < 0 ? ret : it->buffer_size; } @@ -315,8 +348,10 @@ static int shared_getxattr(struct inode *inode, struct getxattr_iter *it) xattr_iter_end(&it->it, true); it->it.page = erofs_get_meta_page(inode->i_sb, - blkaddr, false); - BUG_ON(IS_ERR(it->it.page)); + blkaddr, false); + if (IS_ERR(it->it.page)) + return PTR_ERR(it->it.page); + it->it.kaddr = kmap_atomic(it->it.page); it->it.blkaddr = blkaddr; } @@ -324,9 +359,12 @@ static int shared_getxattr(struct inode *inode, struct getxattr_iter *it) ret = xattr_foreach(&it->it, &find_xattr_handlers, NULL); if (ret >= 0) break; + + if (ret != -ENOATTR) /* -ENOMEM, -EIO, etc. */ + break; } if (vi->xattr_shared_count) - xattr_iter_end(&it->it, true); + xattr_iter_end_final(&it->it); return ret < 0 ? ret : it->buffer_size; } @@ -351,7 +389,9 @@ int erofs_getxattr(struct inode *inode, int index, if (unlikely(name == NULL)) return -EINVAL; - init_inode_xattrs(inode); + ret = init_inode_xattrs(inode); + if (ret) + return ret; it.index = index; @@ -494,7 +534,7 @@ static int xattr_skipvalue(struct xattr_iter *_it, return 1; } -static struct xattr_iter_handlers list_xattr_handlers = { +static const struct xattr_iter_handlers list_xattr_handlers = { .entry = xattr_entrylist, .name = xattr_namelist, .alloc_buffer = xattr_skipvalue, @@ -516,7 +556,7 @@ static int inline_listxattr(struct listxattr_iter *it) if (ret < 0) break; } - xattr_iter_end(&it->it, true); + xattr_iter_end_final(&it->it); return ret < 0 ? ret : it->buffer_ofs; } @@ -538,8 +578,10 @@ static int shared_listxattr(struct listxattr_iter *it) xattr_iter_end(&it->it, true); it->it.page = erofs_get_meta_page(inode->i_sb, - blkaddr, false); - BUG_ON(IS_ERR(it->it.page)); + blkaddr, false); + if (IS_ERR(it->it.page)) + return PTR_ERR(it->it.page); + it->it.kaddr = kmap_atomic(it->it.page); it->it.blkaddr = blkaddr; } @@ -549,7 +591,7 @@ static int shared_listxattr(struct listxattr_iter *it) break; } if (vi->xattr_shared_count) - xattr_iter_end(&it->it, true); + xattr_iter_end_final(&it->it); return ret < 0 ? ret : it->buffer_ofs; } @@ -560,7 +602,9 @@ ssize_t erofs_listxattr(struct dentry *dentry, int ret; struct listxattr_iter it; - init_inode_xattrs(d_inode(dentry)); + ret = init_inode_xattrs(d_inode(dentry)); + if (ret) + return ret; it.dentry = dentry; it.buffer = buffer; -- 2.14.5

5 years, 9 months

2
5
0 0

[PATCH RESEND for-5.0 1/2] staging: erofs: keep corrupted fs from crashing kernel in erofs_namei()

by Gao Xiang

commit 419d6efc50e94bcf5d6b35cd8c71f79edadec564 upstream. As Al pointed out, " ... and while we are at it, what happens to unsigned int nameoff = le16_to_cpu(de[mid].nameoff); unsigned int matched = min(startprfx, endprfx); struct qstr dname = QSTR_INIT(data + nameoff, unlikely(mid >= ndirents - 1) ? maxsize - nameoff : le16_to_cpu(de[mid + 1].nameoff) - nameoff); /* string comparison without already matched prefix */ int ret = dirnamecmp(name, &dname, &matched); if le16_to_cpu(de[...].nameoff) is not monotonically increasing? I.e. what's to prevent e.g. (unsigned)-1 ending up in dname.len? Corrupted fs image shouldn't oops the kernel.. " Revisit the related lookup flow to address the issue. Fixes: d72d1ce60174 ("staging: erofs: add namei functions") Cc: <stable(a)vger.kernel.org> # 4.19+ Suggested-by: Al Viro <viro(a)ZenIV.linux.org.uk> Signed-off-by: Gao Xiang <gaoxiang25(a)huawei.com> --- resend: - add LKML and linux-erofs mailing list to cc This series resolves the following conflicts: FAILED: patch "[PATCH] staging: erofs: keep corrupted fs from crashing kernel in" failed to apply to 5.0-stable tree FAILED: patch "[PATCH] staging: erofs: compressed_pages should not be accessed again" failed to apply to 5.0-stable tree drivers/staging/erofs/namei.c | 183 ++++++++++++++++++++++-------------------- 1 file changed, 97 insertions(+), 86 deletions(-) diff --git a/drivers/staging/erofs/namei.c b/drivers/staging/erofs/namei.c index 5596c52e246d..ecc51ef0753f 100644 --- a/drivers/staging/erofs/namei.c +++ b/drivers/staging/erofs/namei.c @@ -15,74 +15,77 @@ #include <trace/events/erofs.h> -/* based on the value of qn->len is accurate */ -static inline int dirnamecmp(struct qstr *qn, - struct qstr *qd, unsigned int *matched) +struct erofs_qstr { + const unsigned char *name; + const unsigned char *end; +}; + +/* based on the end of qn is accurate and it must have the trailing '\0' */ +static inline int dirnamecmp(const struct erofs_qstr *qn, + const struct erofs_qstr *qd, + unsigned int *matched) { - unsigned int i = *matched, len = min(qn->len, qd->len); -loop: - if (unlikely(i >= len)) { - *matched = i; - if (qn->len < qd->len) { - /* - * actually (qn->len == qd->len) - * when qd->name[i] == '\0' - */ - return qd->name[i] == '\0' ? 0 : -1; + unsigned int i = *matched; + + /* + * on-disk error, let's only BUG_ON in the debugging mode. + * otherwise, it will return 1 to just skip the invalid name + * and go on (in consideration of the lookup performance). + */ + DBG_BUGON(qd->name > qd->end); + + /* qd could not have trailing '\0' */ + /* However it is absolutely safe if < qd->end */ + while (qd->name + i < qd->end && qd->name[i] != '\0') { + if (qn->name[i] != qd->name[i]) { + *matched = i; + return qn->name[i] > qd->name[i] ? 1 : -1; } - return (qn->len > qd->len); + ++i; } - - if (qn->name[i] != qd->name[i]) { - *matched = i; - return qn->name[i] > qd->name[i] ? 1 : -1; - } - - ++i; - goto loop; + *matched = i; + /* See comments in __d_alloc on the terminating NUL character */ + return qn->name[i] == '\0' ? 0 : 1; } -static struct erofs_dirent *find_target_dirent( - struct qstr *name, - u8 *data, int maxsize) +#define nameoff_from_disk(off, sz) (le16_to_cpu(off) & ((sz) - 1)) + +static struct erofs_dirent *find_target_dirent(struct erofs_qstr *name, + u8 *data, + unsigned int dirblksize, + const int ndirents) { - unsigned int ndirents, head, back; + int head, back; unsigned int startprfx, endprfx; struct erofs_dirent *const de = (struct erofs_dirent *)data; - /* make sure that maxsize is valid */ - BUG_ON(maxsize < sizeof(struct erofs_dirent)); - - ndirents = le16_to_cpu(de->nameoff) / sizeof(*de); - - /* corrupted dir (may be unnecessary...) */ - BUG_ON(!ndirents); - - head = 0; + /* since the 1st dirent has been evaluated previously */ + head = 1; back = ndirents - 1; startprfx = endprfx = 0; while (head <= back) { - unsigned int mid = head + (back - head) / 2; - unsigned int nameoff = le16_to_cpu(de[mid].nameoff); + const int mid = head + (back - head) / 2; + const int nameoff = nameoff_from_disk(de[mid].nameoff, + dirblksize); unsigned int matched = min(startprfx, endprfx); - - struct qstr dname = QSTR_INIT(data + nameoff, - unlikely(mid >= ndirents - 1) ? - maxsize - nameoff : - le16_to_cpu(de[mid + 1].nameoff) - nameoff); + struct erofs_qstr dname = { + .name = data + nameoff, + .end = unlikely(mid >= ndirents - 1) ? + data + dirblksize : + data + nameoff_from_disk(de[mid + 1].nameoff, + dirblksize) + }; /* string comparison without already matched prefix */ int ret = dirnamecmp(name, &dname, &matched); - if (unlikely(!ret)) + if (unlikely(!ret)) { return de + mid; - else if (ret > 0) { + } else if (ret > 0) { head = mid + 1; startprfx = matched; - } else if (unlikely(mid < 1)) /* fix "mid" overflow */ - break; - else { + } else { back = mid - 1; endprfx = matched; } @@ -91,12 +94,12 @@ static struct erofs_dirent *find_target_dirent( return ERR_PTR(-ENOENT); } -static struct page *find_target_block_classic( - struct inode *dir, - struct qstr *name, int *_diff) +static struct page *find_target_block_classic(struct inode *dir, + struct erofs_qstr *name, + int *_ndirents) { unsigned int startprfx, endprfx; - unsigned int head, back; + int head, back; struct address_space *const mapping = dir->i_mapping; struct page *candidate = ERR_PTR(-ENOENT); @@ -105,41 +108,43 @@ static struct page *find_target_block_classic( back = inode_datablocks(dir) - 1; while (head <= back) { - unsigned int mid = head + (back - head) / 2; + const int mid = head + (back - head) / 2; struct page *page = read_mapping_page(mapping, mid, NULL); - if (IS_ERR(page)) { -exact_out: - if (!IS_ERR(candidate)) /* valid candidate */ - put_page(candidate); - return page; - } else { - int diff; - unsigned int ndirents, matched; - struct qstr dname; + if (!IS_ERR(page)) { struct erofs_dirent *de = kmap_atomic(page); - unsigned int nameoff = le16_to_cpu(de->nameoff); - - ndirents = nameoff / sizeof(*de); + const int nameoff = nameoff_from_disk(de->nameoff, + EROFS_BLKSIZ); + const int ndirents = nameoff / sizeof(*de); + int diff; + unsigned int matched; + struct erofs_qstr dname; - /* corrupted dir (should have one entry at least) */ - BUG_ON(!ndirents || nameoff > PAGE_SIZE); + if (unlikely(!ndirents)) { + DBG_BUGON(1); + kunmap_atomic(de); + put_page(page); + page = ERR_PTR(-EIO); + goto out; + } matched = min(startprfx, endprfx); dname.name = (u8 *)de + nameoff; - dname.len = ndirents == 1 ? - /* since the rest of the last page is 0 */ - EROFS_BLKSIZ - nameoff - : le16_to_cpu(de[1].nameoff) - nameoff; + if (ndirents == 1) + dname.end = (u8 *)de + EROFS_BLKSIZ; + else + dname.end = (u8 *)de + + nameoff_from_disk(de[1].nameoff, + EROFS_BLKSIZ); /* string comparison without already matched prefix */ diff = dirnamecmp(name, &dname, &matched); kunmap_atomic(de); if (unlikely(!diff)) { - *_diff = 0; - goto exact_out; + *_ndirents = 0; + goto out; } else if (diff > 0) { head = mid + 1; startprfx = matched; @@ -147,45 +152,51 @@ static struct page *find_target_block_classic( if (likely(!IS_ERR(candidate))) put_page(candidate); candidate = page; + *_ndirents = ndirents; } else { put_page(page); - if (unlikely(mid < 1)) /* fix "mid" overflow */ - break; - back = mid - 1; endprfx = matched; } + continue; } +out: /* free if the candidate is valid */ + if (!IS_ERR(candidate)) + put_page(candidate); + return page; } - *_diff = 1; return candidate; } int erofs_namei(struct inode *dir, - struct qstr *name, - erofs_nid_t *nid, unsigned int *d_type) + struct qstr *name, + erofs_nid_t *nid, unsigned int *d_type) { - int diff; + int ndirents; struct page *page; - u8 *data; + void *data; struct erofs_dirent *de; + struct erofs_qstr qn; if (unlikely(!dir->i_size)) return -ENOENT; - diff = 1; - page = find_target_block_classic(dir, name, &diff); + qn.name = name->name; + qn.end = name->name + name->len; + + ndirents = 0; + page = find_target_block_classic(dir, &qn, &ndirents); if (unlikely(IS_ERR(page))) return PTR_ERR(page); data = kmap_atomic(page); /* the target page has been mapped */ - de = likely(diff) ? - /* since the rest of the last page is 0 */ - find_target_dirent(name, data, EROFS_BLKSIZ) : - (struct erofs_dirent *)data; + if (ndirents) + de = find_target_dirent(&qn, data, EROFS_BLKSIZ, ndirents); + else + de = (struct erofs_dirent *)data; if (likely(!IS_ERR(de))) { *nid = le64_to_cpu(de->nid); -- 2.14.5

5 years, 9 months

2
3
0 0

[PATCH for-4.20] staging: erofs: keep corrupted fs from crashing kernel in erofs_namei()

by Gao Xiang

commit 419d6efc50e94bcf5d6b35cd8c71f79edadec564 upstream. As Al pointed out, " ... and while we are at it, what happens to unsigned int nameoff = le16_to_cpu(de[mid].nameoff); unsigned int matched = min(startprfx, endprfx); struct qstr dname = QSTR_INIT(data + nameoff, unlikely(mid >= ndirents - 1) ? maxsize - nameoff : le16_to_cpu(de[mid + 1].nameoff) - nameoff); /* string comparison without already matched prefix */ int ret = dirnamecmp(name, &dname, &matched); if le16_to_cpu(de[...].nameoff) is not monotonically increasing? I.e. what's to prevent e.g. (unsigned)-1 ending up in dname.len? Corrupted fs image shouldn't oops the kernel.. " Revisit the related lookup flow to address the issue. Fixes: d72d1ce60174 ("staging: erofs: add namei functions") Cc: <stable(a)vger.kernel.org> # 4.19+ Suggested-by: Al Viro <viro(a)ZenIV.linux.org.uk> Signed-off-by: Gao Xiang <gaoxiang25(a)huawei.com> --- This series resolves the following conflicts: FAILED: patch "[PATCH] staging: erofs: keep corrupted fs from crashing kernel in" failed to apply to 4.20-stable tree drivers/staging/erofs/namei.c | 183 ++++++++++++++++++++++-------------------- 1 file changed, 97 insertions(+), 86 deletions(-) diff --git a/drivers/staging/erofs/namei.c b/drivers/staging/erofs/namei.c index 5596c52e246d..ecc51ef0753f 100644 --- a/drivers/staging/erofs/namei.c +++ b/drivers/staging/erofs/namei.c @@ -15,74 +15,77 @@ #include <trace/events/erofs.h> -/* based on the value of qn->len is accurate */ -static inline int dirnamecmp(struct qstr *qn, - struct qstr *qd, unsigned int *matched) +struct erofs_qstr { + const unsigned char *name; + const unsigned char *end; +}; + +/* based on the end of qn is accurate and it must have the trailing '\0' */ +static inline int dirnamecmp(const struct erofs_qstr *qn, + const struct erofs_qstr *qd, + unsigned int *matched) { - unsigned int i = *matched, len = min(qn->len, qd->len); -loop: - if (unlikely(i >= len)) { - *matched = i; - if (qn->len < qd->len) { - /* - * actually (qn->len == qd->len) - * when qd->name[i] == '\0' - */ - return qd->name[i] == '\0' ? 0 : -1; + unsigned int i = *matched; + + /* + * on-disk error, let's only BUG_ON in the debugging mode. + * otherwise, it will return 1 to just skip the invalid name + * and go on (in consideration of the lookup performance). + */ + DBG_BUGON(qd->name > qd->end); + + /* qd could not have trailing '\0' */ + /* However it is absolutely safe if < qd->end */ + while (qd->name + i < qd->end && qd->name[i] != '\0') { + if (qn->name[i] != qd->name[i]) { + *matched = i; + return qn->name[i] > qd->name[i] ? 1 : -1; } - return (qn->len > qd->len); + ++i; } - - if (qn->name[i] != qd->name[i]) { - *matched = i; - return qn->name[i] > qd->name[i] ? 1 : -1; - } - - ++i; - goto loop; + *matched = i; + /* See comments in __d_alloc on the terminating NUL character */ + return qn->name[i] == '\0' ? 0 : 1; } -static struct erofs_dirent *find_target_dirent( - struct qstr *name, - u8 *data, int maxsize) +#define nameoff_from_disk(off, sz) (le16_to_cpu(off) & ((sz) - 1)) + +static struct erofs_dirent *find_target_dirent(struct erofs_qstr *name, + u8 *data, + unsigned int dirblksize, + const int ndirents) { - unsigned int ndirents, head, back; + int head, back; unsigned int startprfx, endprfx; struct erofs_dirent *const de = (struct erofs_dirent *)data; - /* make sure that maxsize is valid */ - BUG_ON(maxsize < sizeof(struct erofs_dirent)); - - ndirents = le16_to_cpu(de->nameoff) / sizeof(*de); - - /* corrupted dir (may be unnecessary...) */ - BUG_ON(!ndirents); - - head = 0; + /* since the 1st dirent has been evaluated previously */ + head = 1; back = ndirents - 1; startprfx = endprfx = 0; while (head <= back) { - unsigned int mid = head + (back - head) / 2; - unsigned int nameoff = le16_to_cpu(de[mid].nameoff); + const int mid = head + (back - head) / 2; + const int nameoff = nameoff_from_disk(de[mid].nameoff, + dirblksize); unsigned int matched = min(startprfx, endprfx); - - struct qstr dname = QSTR_INIT(data + nameoff, - unlikely(mid >= ndirents - 1) ? - maxsize - nameoff : - le16_to_cpu(de[mid + 1].nameoff) - nameoff); + struct erofs_qstr dname = { + .name = data + nameoff, + .end = unlikely(mid >= ndirents - 1) ? + data + dirblksize : + data + nameoff_from_disk(de[mid + 1].nameoff, + dirblksize) + }; /* string comparison without already matched prefix */ int ret = dirnamecmp(name, &dname, &matched); - if (unlikely(!ret)) + if (unlikely(!ret)) { return de + mid; - else if (ret > 0) { + } else if (ret > 0) { head = mid + 1; startprfx = matched; - } else if (unlikely(mid < 1)) /* fix "mid" overflow */ - break; - else { + } else { back = mid - 1; endprfx = matched; } @@ -91,12 +94,12 @@ static struct erofs_dirent *find_target_dirent( return ERR_PTR(-ENOENT); } -static struct page *find_target_block_classic( - struct inode *dir, - struct qstr *name, int *_diff) +static struct page *find_target_block_classic(struct inode *dir, + struct erofs_qstr *name, + int *_ndirents) { unsigned int startprfx, endprfx; - unsigned int head, back; + int head, back; struct address_space *const mapping = dir->i_mapping; struct page *candidate = ERR_PTR(-ENOENT); @@ -105,41 +108,43 @@ static struct page *find_target_block_classic( back = inode_datablocks(dir) - 1; while (head <= back) { - unsigned int mid = head + (back - head) / 2; + const int mid = head + (back - head) / 2; struct page *page = read_mapping_page(mapping, mid, NULL); - if (IS_ERR(page)) { -exact_out: - if (!IS_ERR(candidate)) /* valid candidate */ - put_page(candidate); - return page; - } else { - int diff; - unsigned int ndirents, matched; - struct qstr dname; + if (!IS_ERR(page)) { struct erofs_dirent *de = kmap_atomic(page); - unsigned int nameoff = le16_to_cpu(de->nameoff); - - ndirents = nameoff / sizeof(*de); + const int nameoff = nameoff_from_disk(de->nameoff, + EROFS_BLKSIZ); + const int ndirents = nameoff / sizeof(*de); + int diff; + unsigned int matched; + struct erofs_qstr dname; - /* corrupted dir (should have one entry at least) */ - BUG_ON(!ndirents || nameoff > PAGE_SIZE); + if (unlikely(!ndirents)) { + DBG_BUGON(1); + kunmap_atomic(de); + put_page(page); + page = ERR_PTR(-EIO); + goto out; + } matched = min(startprfx, endprfx); dname.name = (u8 *)de + nameoff; - dname.len = ndirents == 1 ? - /* since the rest of the last page is 0 */ - EROFS_BLKSIZ - nameoff - : le16_to_cpu(de[1].nameoff) - nameoff; + if (ndirents == 1) + dname.end = (u8 *)de + EROFS_BLKSIZ; + else + dname.end = (u8 *)de + + nameoff_from_disk(de[1].nameoff, + EROFS_BLKSIZ); /* string comparison without already matched prefix */ diff = dirnamecmp(name, &dname, &matched); kunmap_atomic(de); if (unlikely(!diff)) { - *_diff = 0; - goto exact_out; + *_ndirents = 0; + goto out; } else if (diff > 0) { head = mid + 1; startprfx = matched; @@ -147,45 +152,51 @@ static struct page *find_target_block_classic( if (likely(!IS_ERR(candidate))) put_page(candidate); candidate = page; + *_ndirents = ndirents; } else { put_page(page); - if (unlikely(mid < 1)) /* fix "mid" overflow */ - break; - back = mid - 1; endprfx = matched; } + continue; } +out: /* free if the candidate is valid */ + if (!IS_ERR(candidate)) + put_page(candidate); + return page; } - *_diff = 1; return candidate; } int erofs_namei(struct inode *dir, - struct qstr *name, - erofs_nid_t *nid, unsigned int *d_type) + struct qstr *name, + erofs_nid_t *nid, unsigned int *d_type) { - int diff; + int ndirents; struct page *page; - u8 *data; + void *data; struct erofs_dirent *de; + struct erofs_qstr qn; if (unlikely(!dir->i_size)) return -ENOENT; - diff = 1; - page = find_target_block_classic(dir, name, &diff); + qn.name = name->name; + qn.end = name->name + name->len; + + ndirents = 0; + page = find_target_block_classic(dir, &qn, &ndirents); if (unlikely(IS_ERR(page))) return PTR_ERR(page); data = kmap_atomic(page); /* the target page has been mapped */ - de = likely(diff) ? - /* since the rest of the last page is 0 */ - find_target_dirent(name, data, EROFS_BLKSIZ) : - (struct erofs_dirent *)data; + if (ndirents) + de = find_target_dirent(&qn, data, EROFS_BLKSIZ, ndirents); + else + de = (struct erofs_dirent *)data; if (likely(!IS_ERR(de))) { *nid = le64_to_cpu(de->nid); -- 2.14.5

5 years, 9 months

2
1
0 0

[PATCH] gfs2: Fix missed wakeups in find_insert_glock

by Andreas Gruenbacher

commit 605b0487f0bc1ae9963bf52ece0f5c8055186f81 upstream. Mark Syms has reported seeing tasks that are stuck waiting in find_insert_glock. It turns out that struct lm_lockname contains four padding bytes on 64-bit architectures that function glock_waitqueue doesn't skip when hashing the glock name. As a result, we can end up waking up the wrong waitqueue, and the waiting tasks may be stuck forever. Fix that by using ht_parms.key_len instead of sizeof(struct lm_lockname) for the key length. Reported-by: Mark Syms <mark.syms(a)citrix.com> Signed-off-by: Andreas Gruenbacher <agruenba(a)redhat.com> Signed-off-by: Bob Peterson <rpeterso(a)redhat.com> Cc: stable(a)vger.kernel.org # v4.14+ --- fs/gfs2/glock.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c index f66773c71bcde..d32964cd11176 100644 --- a/fs/gfs2/glock.c +++ b/fs/gfs2/glock.c @@ -107,7 +107,7 @@ static int glock_wake_function(wait_queue_entry_t *wait, unsigned int mode, static wait_queue_head_t *glock_waitqueue(struct lm_lockname *name) { - u32 hash = jhash2((u32 *)name, sizeof(*name) / 4, 0); + u32 hash = jhash2((u32 *)name, ht_parms.key_len / 4, 0); return glock_wait_table + hash_32(hash, GLOCK_WAIT_TABLE_BITS); } -- 2.20.1

5 years, 9 months

2
1
0 0

[PATCH stable v4.9+] ARM: dts: exynos: Do not ignore real-world fuse values for thermal zone 0 on Exynos5420

by Krzysztof Kozlowski

commit 28928a3ce142b2e4e5a7a0f067cefb41a3d2c3f9 upstream. In Odroid XU3 Lite board, the temperature levels reported for thermal zone 0 were weird. In warm room: /sys/class/thermal/thermal_zone0/temp:32000 /sys/class/thermal/thermal_zone1/temp:51000 /sys/class/thermal/thermal_zone2/temp:55000 /sys/class/thermal/thermal_zone3/temp:54000 /sys/class/thermal/thermal_zone4/temp:51000 Sometimes after booting the value was even equal to ambient temperature which is highly unlikely to be a real temperature of sensor in SoC. The thermal sensor's calibration (trimming) is based on fused values. In case of the board above, the fused values are: 35, 52, 43, 58 and 43 (corresponding to each TMU device). However driver defined a minimum value for fused data as 40 and for smaller values it was using a hard-coded 55 instead. This lead to mapping data from sensor to wrong temperatures for thermal zone 0. Various vendor 3.10 trees (Hardkernel's based on Samsung LSI, Artik 10) do not impose any limits on fused values. Since we do not have any knowledge about these limits, use 0 as a minimum accepted fused value. This should essentially allow accepting any reasonable fused value thus behaving like vendor driver. The exynos5420-tmu-sensor-conf.dtsi is copied directly from existing exynos4412 with one change - the samsung,tmu_min_efuse_value. Signed-off-by: Krzysztof Kozlowski <krzk(a)kernel.org> Acked-by: Bartlomiej Zolnierkiewicz <b.zolnierkie(a)samsung.com> Acked-by: Eduardo Valentin <edubezval(a)gmail.com> Reviewed-by: Javier Martinez Canillas <javier(a)osg.samsung.com> Tested-by: Javier Martinez Canillas <javier(a)osg.samsung.com> Reviewed-by: Anand Moon <linux.amoon(a)gmail.com> Tested-by: Anand Moon <linux.amoon(a)gmail.com> --- arch/arm/boot/dts/exynos5420-tmu-sensor-conf.dtsi | 25 +++++++++++++++++++++++ arch/arm/boot/dts/exynos5420.dtsi | 10 ++++----- 2 files changed, 30 insertions(+), 5 deletions(-) create mode 100644 arch/arm/boot/dts/exynos5420-tmu-sensor-conf.dtsi diff --git a/arch/arm/boot/dts/exynos5420-tmu-sensor-conf.dtsi b/arch/arm/boot/dts/exynos5420-tmu-sensor-conf.dtsi new file mode 100644 index 000000000000..c8771c660550 --- /dev/null +++ b/arch/arm/boot/dts/exynos5420-tmu-sensor-conf.dtsi @@ -0,0 +1,25 @@ +/* + * Device tree sources for Exynos5420 TMU sensor configuration + * + * Copyright (c) 2014 Lukasz Majewski <l.majewski(a)samsung.com> + * Copyright (c) 2017 Krzysztof Kozlowski <krzk(a)kernel.org> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + * + */ + +#include <dt-bindings/thermal/thermal_exynos.h> + +#thermal-sensor-cells = <0>; +samsung,tmu_gain = <8>; +samsung,tmu_reference_voltage = <16>; +samsung,tmu_noise_cancel_mode = <4>; +samsung,tmu_efuse_value = <55>; +samsung,tmu_min_efuse_value = <0>; +samsung,tmu_max_efuse_value = <100>; +samsung,tmu_first_point_trim = <25>; +samsung,tmu_second_point_trim = <85>; +samsung,tmu_default_temp_offset = <50>; +samsung,tmu_cal_type = <TYPE_ONE_POINT_TRIMMING>; diff --git a/arch/arm/boot/dts/exynos5420.dtsi b/arch/arm/boot/dts/exynos5420.dtsi index 00c4cfa54839..52f3d911f67f 100644 --- a/arch/arm/boot/dts/exynos5420.dtsi +++ b/arch/arm/boot/dts/exynos5420.dtsi @@ -694,7 +694,7 @@ interrupts = <0 65 0>; clocks = <&clock CLK_TMU>; clock-names = "tmu_apbif"; - #include "exynos4412-tmu-sensor-conf.dtsi" + #include "exynos5420-tmu-sensor-conf.dtsi" }; tmu_cpu1: tmu@10064000 { @@ -703,7 +703,7 @@ interrupts = <0 183 0>; clocks = <&clock CLK_TMU>; clock-names = "tmu_apbif"; - #include "exynos4412-tmu-sensor-conf.dtsi" + #include "exynos5420-tmu-sensor-conf.dtsi" }; tmu_cpu2: tmu@10068000 { @@ -712,7 +712,7 @@ interrupts = <0 184 0>; clocks = <&clock CLK_TMU>, <&clock CLK_TMU>; clock-names = "tmu_apbif", "tmu_triminfo_apbif"; - #include "exynos4412-tmu-sensor-conf.dtsi" + #include "exynos5420-tmu-sensor-conf.dtsi" }; tmu_cpu3: tmu@1006c000 { @@ -721,7 +721,7 @@ interrupts = <0 185 0>; clocks = <&clock CLK_TMU>, <&clock CLK_TMU_GPU>; clock-names = "tmu_apbif", "tmu_triminfo_apbif"; - #include "exynos4412-tmu-sensor-conf.dtsi" + #include "exynos5420-tmu-sensor-conf.dtsi" }; tmu_gpu: tmu@100a0000 { @@ -730,7 +730,7 @@ interrupts = <0 215 0>; clocks = <&clock CLK_TMU_GPU>, <&clock CLK_TMU>; clock-names = "tmu_apbif", "tmu_triminfo_apbif"; - #include "exynos4412-tmu-sensor-conf.dtsi" + #include "exynos5420-tmu-sensor-conf.dtsi" }; sysmmu_g2dr: sysmmu@0x10A60000 { -- 2.7.4

5 years, 9 months

2
1
0 0

[PATCH stable v4.4+] ARM: dts: exynos: Do not ignore real-world fuse values for thermal zone 0 on Exynos5420

by Krzysztof Kozlowski

commit 28928a3ce142b2e4e5a7a0f067cefb41a3d2c3f9 upstream. In Odroid XU3 Lite board, the temperature levels reported for thermal zone 0 were weird. In warm room: /sys/class/thermal/thermal_zone0/temp:32000 /sys/class/thermal/thermal_zone1/temp:51000 /sys/class/thermal/thermal_zone2/temp:55000 /sys/class/thermal/thermal_zone3/temp:54000 /sys/class/thermal/thermal_zone4/temp:51000 Sometimes after booting the value was even equal to ambient temperature which is highly unlikely to be a real temperature of sensor in SoC. The thermal sensor's calibration (trimming) is based on fused values. In case of the board above, the fused values are: 35, 52, 43, 58 and 43 (corresponding to each TMU device). However driver defined a minimum value for fused data as 40 and for smaller values it was using a hard-coded 55 instead. This lead to mapping data from sensor to wrong temperatures for thermal zone 0. Various vendor 3.10 trees (Hardkernel's based on Samsung LSI, Artik 10) do not impose any limits on fused values. Since we do not have any knowledge about these limits, use 0 as a minimum accepted fused value. This should essentially allow accepting any reasonable fused value thus behaving like vendor driver. The exynos5420-tmu-sensor-conf.dtsi is copied directly from existing exynos4412 with one change - the samsung,tmu_min_efuse_value. Signed-off-by: Krzysztof Kozlowski <krzk(a)kernel.org> Acked-by: Bartlomiej Zolnierkiewicz <b.zolnierkie(a)samsung.com> Acked-by: Eduardo Valentin <edubezval(a)gmail.com> Reviewed-by: Javier Martinez Canillas <javier(a)osg.samsung.com> Tested-by: Javier Martinez Canillas <javier(a)osg.samsung.com> Reviewed-by: Anand Moon <linux.amoon(a)gmail.com> Tested-by: Anand Moon <linux.amoon(a)gmail.com> --- arch/arm/boot/dts/exynos5420-tmu-sensor-conf.dtsi | 25 +++++++++++++++++++++++ arch/arm/boot/dts/exynos5420.dtsi | 10 ++++----- 2 files changed, 30 insertions(+), 5 deletions(-) create mode 100644 arch/arm/boot/dts/exynos5420-tmu-sensor-conf.dtsi diff --git a/arch/arm/boot/dts/exynos5420-tmu-sensor-conf.dtsi b/arch/arm/boot/dts/exynos5420-tmu-sensor-conf.dtsi new file mode 100644 index 000000000000..c8771c660550 --- /dev/null +++ b/arch/arm/boot/dts/exynos5420-tmu-sensor-conf.dtsi @@ -0,0 +1,25 @@ +/* + * Device tree sources for Exynos5420 TMU sensor configuration + * + * Copyright (c) 2014 Lukasz Majewski <l.majewski(a)samsung.com> + * Copyright (c) 2017 Krzysztof Kozlowski <krzk(a)kernel.org> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + * + */ + +#include <dt-bindings/thermal/thermal_exynos.h> + +#thermal-sensor-cells = <0>; +samsung,tmu_gain = <8>; +samsung,tmu_reference_voltage = <16>; +samsung,tmu_noise_cancel_mode = <4>; +samsung,tmu_efuse_value = <55>; +samsung,tmu_min_efuse_value = <0>; +samsung,tmu_max_efuse_value = <100>; +samsung,tmu_first_point_trim = <25>; +samsung,tmu_second_point_trim = <85>; +samsung,tmu_default_temp_offset = <50>; +samsung,tmu_cal_type = <TYPE_ONE_POINT_TRIMMING>; diff --git a/arch/arm/boot/dts/exynos5420.dtsi b/arch/arm/boot/dts/exynos5420.dtsi index 1b3d6c769a3c..d5edb7766942 100644 --- a/arch/arm/boot/dts/exynos5420.dtsi +++ b/arch/arm/boot/dts/exynos5420.dtsi @@ -777,7 +777,7 @@ interrupts = <0 65 0>; clocks = <&clock CLK_TMU>; clock-names = "tmu_apbif"; - #include "exynos4412-tmu-sensor-conf.dtsi" + #include "exynos5420-tmu-sensor-conf.dtsi" }; tmu_cpu1: tmu@10064000 { @@ -786,7 +786,7 @@ interrupts = <0 183 0>; clocks = <&clock CLK_TMU>; clock-names = "tmu_apbif"; - #include "exynos4412-tmu-sensor-conf.dtsi" + #include "exynos5420-tmu-sensor-conf.dtsi" }; tmu_cpu2: tmu@10068000 { @@ -795,7 +795,7 @@ interrupts = <0 184 0>; clocks = <&clock CLK_TMU>, <&clock CLK_TMU>; clock-names = "tmu_apbif", "tmu_triminfo_apbif"; - #include "exynos4412-tmu-sensor-conf.dtsi" + #include "exynos5420-tmu-sensor-conf.dtsi" }; tmu_cpu3: tmu@1006c000 { @@ -804,7 +804,7 @@ interrupts = <0 185 0>; clocks = <&clock CLK_TMU>, <&clock CLK_TMU_GPU>; clock-names = "tmu_apbif", "tmu_triminfo_apbif"; - #include "exynos4412-tmu-sensor-conf.dtsi" + #include "exynos5420-tmu-sensor-conf.dtsi" }; tmu_gpu: tmu@100a0000 { @@ -813,7 +813,7 @@ interrupts = <0 215 0>; clocks = <&clock CLK_TMU_GPU>, <&clock CLK_TMU>; clock-names = "tmu_apbif", "tmu_triminfo_apbif"; - #include "exynos4412-tmu-sensor-conf.dtsi" + #include "exynos5420-tmu-sensor-conf.dtsi" }; thermal-zones { -- 2.7.4

5 years, 9 months

2
4
0 0

Re: Patch "sk_msg: Always cancel strp work before freeing the psock" has been added to the 4.20-stable tree

by Jakub Sitnicki

Hi, On Mon, Mar 11, 2019 at 08:17 PM CET, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > sk_msg: Always cancel strp work before freeing the psock > > to the 4.20-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > sk_msg-always-cancel-strp-work-before-freeing-the-ps.patch > and it can be found in the queue-4.20 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. There is a follow-up fix for this change - e8e3437762ad ("bpf: Stop the psock parser before canceling its work") in bpf tree: https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=e8e3… I think this patch should not go to into stable without the follow-up fix. Otherwise kselftests for bpf will be noisy due to kernel warnings. Thanks, Jakub > > > > commit d3747ebdfd2fd5e12d8d04ad3f6261503ce52913 > Author: Jakub Sitnicki <jakub(a)cloudflare.com> > Date: Mon Jan 28 10:13:35 2019 +0100 > > sk_msg: Always cancel strp work before freeing the psock > > [ Upstream commit 1d79895aef18fa05789995d86d523c9b2ee58a02 ] > > Despite having stopped the parser, we still need to deinitialize it > by calling strp_done so that it cancels its work. Otherwise the worker > thread can run after we have freed the parser, and attempt to access > its workqueue resulting in a use-after-free: > > ================================================================== > BUG: KASAN: use-after-free in pwq_activate_delayed_work+0x1b/0x1d0 > Read of size 8 at addr ffff888069975240 by task kworker/u2:2/93 > > CPU: 0 PID: 93 Comm: kworker/u2:2 Not tainted 5.0.0-rc2-00335-g28f9d1a3d4fe-dirty #14 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-2.fc27 04/01/2014 > Workqueue: (null) (kstrp) > Call Trace: > print_address_description+0x6e/0x2b0 > ? pwq_activate_delayed_work+0x1b/0x1d0 > kasan_report+0xfd/0x177 > ? pwq_activate_delayed_work+0x1b/0x1d0 > ? pwq_activate_delayed_work+0x1b/0x1d0 > pwq_activate_delayed_work+0x1b/0x1d0 > ? process_one_work+0x4aa/0x660 > pwq_dec_nr_in_flight+0x9b/0x100 > worker_thread+0x82/0x680 > ? process_one_work+0x660/0x660 > kthread+0x1b9/0x1e0 > ? __kthread_create_on_node+0x250/0x250 > ret_from_fork+0x1f/0x30 > > Allocated by task 111: > sk_psock_init+0x3c/0x1b0 > sock_map_link.isra.2+0x103/0x4b0 > sock_map_update_common+0x94/0x270 > sock_map_update_elem+0x145/0x160 > __se_sys_bpf+0x152e/0x1e10 > do_syscall_64+0xb2/0x3e0 > entry_SYSCALL_64_after_hwframe+0x44/0xa9 > > Freed by task 112: > kfree+0x7f/0x140 > process_one_work+0x40b/0x660 > worker_thread+0x82/0x680 > kthread+0x1b9/0x1e0 > ret_from_fork+0x1f/0x30 > > The buggy address belongs to the object at ffff888069975180 > which belongs to the cache kmalloc-512 of size 512 > The buggy address is located 192 bytes inside of > 512-byte region [ffff888069975180, ffff888069975380) > The buggy address belongs to the page: > page:ffffea0001a65d00 count:1 mapcount:0 mapping:ffff88806d401280 index:0x0 compound_mapcount: 0 > flags: 0x4000000000010200(slab|head) > raw: 4000000000010200 dead000000000100 dead000000000200 ffff88806d401280 > raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000 > page dumped because: kasan: bad access detected > > Memory state around the buggy address: > ffff888069975100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > ffff888069975180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > >ffff888069975200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ^ > ffff888069975280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ffff888069975300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ================================================================== > > Reported-by: Marek Majkowski <marek(a)cloudflare.com> > Signed-off-by: Jakub Sitnicki <jakub(a)cloudflare.com> > Link: https://lore.kernel.org/netdev/CAJPywTLwgXNEZ2dZVoa=udiZmtrWJ0q5SuBW64aYs0Y… > Acked-by: Song Liu <songliubraving(a)fb.com> > Signed-off-by: Daniel Borkmann <daniel(a)iogearbox.net> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/net/core/skmsg.c b/net/core/skmsg.c > index 54d854807630..4932861d7b88 100644 > --- a/net/core/skmsg.c > +++ b/net/core/skmsg.c > @@ -545,8 +545,7 @@ static void sk_psock_destroy_deferred(struct work_struct *gc) > struct sk_psock *psock = container_of(gc, struct sk_psock, gc); > > /* No sk_callback_lock since already detached. */ > - if (psock->parser.enabled) > - strp_done(&psock->parser.strp); > + strp_done(&psock->parser.strp); > > cancel_work_sync(&psock->work); >

5 years, 9 months

3
4
0 0

[PATCH 5.0 00/46] 5.0.1-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.0.1 release. There are 46 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sun Mar 10 12:48:36 UTC 2019. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.0.1-rc1.… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.0.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.0.1-rc1 YueHaibing <yuehaibing(a)huawei.com> exec: Fix mem leak in kernel_read_file Matthias Kaehlcke <mka(a)chromium.org> Bluetooth: Fix locking in bt_accept_enqueue() for BH context Kai-Heng Feng <kai.heng.feng(a)canonical.com> Bluetooth: btrtl: Restore old logic to assume firmware is already loaded Luis Chamberlain <mcgrof(a)kernel.org> selftests: firmware: fix verify_reqs() return value Luis Chamberlain <mcgrof(a)kernel.org> Revert "selftests: firmware: remove use of non-standard diff -Z option" Luis Chamberlain <mcgrof(a)kernel.org> Revert "selftests: firmware: add CONFIG_FW_LOADER_USER_HELPER_FALLBACK to config" Karoly Pados <pados(a)pados.hu> USB: serial: cp210x: fix GPIO in autosuspend Johan Hovold <johan(a)kernel.org> gnss: sirf: fix premature wakeup interrupt enable Max Filippov <jcmvbkbc(a)gmail.com> xtensa: fix get_wchan Bart Van Assche <bvanassche(a)acm.org> aio: Fix locking in aio_poll() Liu Xiang <liu.xiang6(a)zte.com.cn> MIPS: irq: Allocate accurate order pages for irq stack Arnd Bergmann <arnd(a)arndb.de> alpha: wire up io_pgetevents system call Gustavo A. R. Silva <gustavo(a)embeddedor.com> applicom: Fix potential Spectre v1 vulnerabilities Balaji Manoharan <m.balaji(a)intel.com> usb: xhci: Fix for Enabling USB ROLE SWITCH QUIRK on INTEL_SUNRISEPOINT_LP_XHCI Thierry Reding <treding(a)nvidia.com> xhci: tegra: Prevent error pointer dereference Pavel Tikhomirov <ptikhomirov(a)virtuozzo.com> tracing: Fix event filters and triggers to handle negative numbers Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> x86/boot/compressed/64: Do not read legacy ROM on EFI system Jiaxun Yang <jiaxun.yang(a)flygoat.com> x86/CPU/AMD: Set the CPB bit unconditionally on F17h Erik Hugne <erik.hugne(a)gmail.com> tipc: fix RDM/DGRAM connect() regression Ido Schimmel <idosch(a)mellanox.com> team: Free BPF filter when unregistering netdev Kai-Heng Feng <kai.heng.feng(a)canonical.com> sky2: Disable MSI on Dell Inspiron 1545 and Gateway P-79 Xin Long <lucien.xin(a)gmail.com> sctp: call iov_iter_revert() after sending ABORT Kristian Evensen <kristian.evensen(a)gmail.com> qmi_wwan: Add support for Quectel EG12/EM12 YueHaibing <yuehaibing(a)huawei.com> net-sysfs: Fix mem leak in netdev_register_kobject Eric Dumazet <edumazet(a)google.com> net: sched: put back q.qlen into a single location Kavya Sree Kotagiri <kavyasree.kotagiri(a)microchip.com> net: mscc: Enable all ports in QSGMII Heiner Kallweit <hkallweit1(a)gmail.com> net: dsa: mv8e6xxx: fix number of internal PHYs for 88E6x90 family Heiner Kallweit <hkallweit1(a)gmail.com> net: dsa: mv88e6xxx: handle unknown duplex modes gracefully in mv88e6xxx_port_set_duplex Heiner Kallweit <hkallweit1(a)gmail.com> net: dsa: mv88e6xxx: add call to mv88e6xxx_ports_cmode_init to probe for new DSA framework Ido Schimmel <idosch(a)mellanox.com> ip6mr: Do not call __IP6_INC_STATS() from preemptible context Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> staging: android: ashmem: Avoid range_alloc() allocation with ashmem_mutex held. Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> staging: android: ashmem: Don't call fallocate() with ashmem_mutex held. Qing Xia <saberlily.xia(a)hisilicon.com> staging: android: ion: fix sys heap pool's gfp_flags Ajay Singh <ajay.kathat(a)microchip.com> staging: wilc1000: fix to set correct value for 'vif_num' Gustavo A. R. Silva <gustavo(a)embeddedor.com> staging: comedi: ni_660x: fix missing break in switch statement Gao Xiang <gaoxiang25(a)huawei.com> staging: erofs: fix illegal address access under memory pressure Gao Xiang <gaoxiang25(a)huawei.com> staging: erofs: fix race of initializing xattrs of a inode at the same time Sheng Yong <shengyong1(a)huawei.com> staging: erofs: fix memleak of inode's shared xattr array Gao Xiang <gaoxiang25(a)huawei.com> staging: erofs: fix fast symlink w/o xattr when fs xattr is on Geert Uytterhoeven <geert+renesas(a)glider.be> driver core: Postpone DMA tear-down until after devres release Mans Rullgard <mans(a)mansr.com> USB: serial: ftdi_sio: add ID for Hjelmslund Electronics USB485 Ivan Mironov <mironov.ivan(a)gmail.com> USB: serial: cp210x: add ID for Ingenico 3070 Daniele Palmas <dnlplm(a)gmail.com> USB: serial: option: add Telit ME910 ECM composition Todd Kjos <tkjos(a)android.com> binder: create node flag to request sender's security context Gao Xiang <gaoxiang25(a)huawei.com> staging: erofs: fix mis-acted TAIL merging behavior Viresh Kumar <viresh.kumar(a)linaro.org> cpufreq: Use struct kobj_attribute instead of struct global_attr ------------- Diffstat: Makefile | 4 +- arch/alpha/kernel/syscalls/syscall.tbl | 1 + arch/mips/kernel/irq.c | 4 +- arch/x86/boot/compressed/pgtable_64.c | 19 +++- arch/x86/kernel/cpu/amd.c | 8 +- arch/xtensa/kernel/process.c | 4 +- drivers/android/binder.c | 106 +++++++++++++++++----- drivers/base/dd.c | 2 +- drivers/bluetooth/btrtl.c | 10 +- drivers/char/applicom.c | 35 ++++--- drivers/cpufreq/cpufreq.c | 6 +- drivers/cpufreq/intel_pstate.c | 23 ++--- drivers/gnss/sirf.c | 32 ++++--- drivers/net/dsa/mv88e6xxx/chip.c | 13 +-- drivers/net/dsa/mv88e6xxx/port.c | 2 +- drivers/net/ethernet/marvell/sky2.c | 24 ++++- drivers/net/ethernet/mscc/ocelot_board.c | 14 ++- drivers/net/team/team_mode_loadbalance.c | 15 +++ drivers/net/usb/qmi_wwan.c | 26 ++++-- drivers/staging/android/ashmem.c | 67 +++++++++----- drivers/staging/android/ion/ion_system_heap.c | 2 +- drivers/staging/comedi/drivers/ni_660x.c | 1 + drivers/staging/erofs/inode.c | 8 +- drivers/staging/erofs/internal.h | 11 ++- drivers/staging/erofs/unzip_vle.c | 77 ++++++++++------ drivers/staging/erofs/xattr.c | 65 ++++++++++--- drivers/staging/wilc1000/linux_wlan.c | 4 +- drivers/usb/host/xhci-pci.c | 1 + drivers/usb/host/xhci-tegra.c | 4 +- drivers/usb/serial/cp210x.c | 12 +++ drivers/usb/serial/ftdi_sio.c | 2 + drivers/usb/serial/ftdi_sio_ids.h | 6 ++ drivers/usb/serial/option.c | 2 + fs/aio.c | 12 ++- fs/exec.c | 2 +- include/linux/cpufreq.h | 12 +-- include/net/bluetooth/bluetooth.h | 2 +- include/net/sch_generic.h | 31 +++---- include/uapi/linux/android/binder.h | 19 ++++ kernel/trace/trace_events_filter.c | 5 +- net/bluetooth/af_bluetooth.c | 16 +++- net/bluetooth/l2cap_sock.c | 2 +- net/bluetooth/rfcomm/sock.c | 2 +- net/bluetooth/sco.c | 2 +- net/core/gen_stats.c | 2 - net/core/net-sysfs.c | 3 + net/ipv6/ip6mr.c | 8 +- net/sched/sch_generic.c | 13 ++- net/sctp/socket.c | 1 + net/tipc/socket.c | 2 +- tools/testing/selftests/firmware/config | 1 - tools/testing/selftests/firmware/fw_filesystem.sh | 9 +- tools/testing/selftests/firmware/fw_lib.sh | 2 +- 53 files changed, 521 insertions(+), 235 deletions(-)

5 years, 9 months

7
58
0 0

✅ PASS: Test report for kernel 5.0.1.cki (stable)

by CKI Project

Hello, We ran automated tests on a recent commit from this kernel tree: Kernel repo: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git Commit: 283506fcd65d - Linux 5.0.1 The results of these automated tests are provided below. Overall result: PASSED Compile: OK Tests: OK We hope that these logs can help you find the problem quickly. For the full detail on our testing procedures, please scroll to the bottom of this message. Please reply to this email if you have any questions about the tests that we ran or if you have any suggestions on how to make future tests more effective. ,-. ,-. ( C ) ( K ) Continuous `-',-.`-' Kernel ( I ) Integration `-' ______________________________________________________________________________ Compile testing --------------- We compiled the kernel for 3 architectures: arm64: make options: make INSTALL_MOD_STRIP=1 -j64 targz-pkg -j64 configuration: https://artifacts.cki-project.org/builds/aarch64/283506fcd65de1bc10fcc6e2ca… powerpc: make options: make INSTALL_MOD_STRIP=1 -j64 targz-pkg -j64 configuration: https://artifacts.cki-project.org/builds/ppc64le/283506fcd65de1bc10fcc6e2ca… x86_64: make options: make INSTALL_MOD_STRIP=1 -j64 targz-pkg -j64 configuration: https://artifacts.cki-project.org/builds/x86_64/283506fcd65de1bc10fcc6e2ca6… Hardware testing ---------------- We booted each kernel and ran the following tests: arm64: Boot test [0] LTP lite - release 20190115 [1] Loopdev Sanity [2] xfstests: ext4 [3] xfstests: xfs [3] Memory function: memfd_create [4] AMTU (Abstract Machine Test Utility) [5] Ethernet drivers sanity [6] Networking route: pmtu [7] httpd: mod_ssl smoke sanity [8] ⚠ httpd: php sanity [9] ⚠ i2c: i2cdetect sanity [10] ⚠ redhat-rpm-config: detect-kabi-provides sanity [11] ⚠ redhat-rpm-config: kabi-whitelist-not-found sanity [12] ⚠ tuned: tune-processes-through-perf [13] ⚠ Usex - version 1.9-29 [14] lvm thinp sanity [15] powerpc: Boot test [0] LTP lite - release 20190115 [1] Loopdev Sanity [2] xfstests: ext4 [3] xfstests: xfs [3] Memory function: memfd_create [4] AMTU (Abstract Machine Test Utility) [5] Ethernet drivers sanity [6] Networking route: pmtu [7] httpd: mod_ssl smoke sanity [8] ⚠ httpd: php sanity [9] ⚠ i2c: i2cdetect sanity [10] ⚠ redhat-rpm-config: detect-kabi-provides sanity [11] ⚠ redhat-rpm-config: kabi-whitelist-not-found sanity [12] ⚠ tuned: tune-processes-through-perf [13] ⚠ Usex - version 1.9-29 [14] lvm thinp sanity [15] x86_64: Boot test [0] LTP lite - release 20190115 [1] Loopdev Sanity [2] xfstests: ext4 [3] xfstests: xfs [3] Memory function: memfd_create [4] AMTU (Abstract Machine Test Utility) [5] Ethernet drivers sanity [6] Networking route: pmtu [7] httpd: mod_ssl smoke sanity [8] ⚠ httpd: php sanity [9] ⚠ i2c: i2cdetect sanity [10] ⚠ redhat-rpm-config: detect-kabi-provides sanity [11] ⚠ redhat-rpm-config: kabi-whitelist-not-found sanity [12] ⚠ tuned: tune-processes-through-perf [13] ⚠ Usex - version 1.9-29 [14] lvm thinp sanity [15] Test source: [0]: https://github.com/CKI-project/tests-beaker/archive/master.zip#distribution… [1]: https://github.com/CKI-project/tests-beaker/archive/master.zip#distribution… [2]: https://github.com/CKI-project/tests-beaker/archive/master.zip#filesystems/… [3]: https://github.com/CKI-project/tests-beaker/archive/master.zip#/filesystems… [4]: https://github.com/CKI-project/tests-beaker/archive/master.zip#/memory/func… [5]: https://github.com/CKI-project/tests-beaker/archive/master.zip#misc/amtu [6]: https://github.com/CKI-project/tests-beaker/archive/master.zip#/networking/… [7]: https://github.com/CKI-project/tests-beaker/archive/master.zip#/networking/… [8]: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/htt… [9]: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/htt… [10]: https://github.com/CKI-project/tests-beaker/archive/master.zip#/packages/i2… [11]: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/red… [12]: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/red… [13]: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/tun… [14]: https://github.com/CKI-project/tests-beaker/archive/master.zip#standards/us… [15]: https://github.com/CKI-project/tests-beaker/archive/master.zip#storage/lvm/… Experimental tests (marked with ⚠ ) ----------------------------------- This test run included experimental tests. These tests are still under development and they may not pass or fail correctly under certain conditions.

5 years, 9 months

1
0
0 0

[patch 02/38] kernel/sysctl.c: add missing range check in do_proc_dointvec_minmax_conv

by akpm＠linux-foundation.org

From: Zev Weiss <zev(a)bewilderbeest.net> Subject: kernel/sysctl.c: add missing range check in do_proc_dointvec_minmax_conv This bug has apparently existed since the introduction of this function in the pre-git era (4500e91754d3 in Thomas Gleixner's history.git, "[NET]: Add proc_dointvec_userhz_jiffies, use it for proper handling of neighbour sysctls."). As a minimal fix we can simply duplicate the corresponding check in do_proc_dointvec_conv(). Link: http://lkml.kernel.org/r/20190207123426.9202-3-zev@bewilderbeest.net Signed-off-by: Zev Weiss <zev(a)bewilderbeest.net> Cc: Brendan Higgins <brendanhiggins(a)google.com> Cc: Iurii Zaikin <yzaikin(a)google.com> Cc: Kees Cook <keescook(a)chromium.org> Cc: Luis Chamberlain <mcgrof(a)kernel.org> Cc: <stable(a)vger.kernel.org> [2.6.2+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- --- a/kernel/sysctl.c~kernel-sysctlc-add-missing-range-check-in-do_proc_dointvec_minmax_conv +++ a/kernel/sysctl.c @@ -2645,7 +2645,16 @@ static int do_proc_dointvec_minmax_conv( { struct do_proc_dointvec_minmax_conv_param *param = data; if (write) { - int val = *negp ? -*lvalp : *lvalp; + int val; + if (*negp) { + if (*lvalp > (unsigned long) INT_MAX + 1) + return -EINVAL; + val = -*lvalp; + } else { + if (*lvalp > (unsigned long) INT_MAX) + return -EINVAL; + val = *lvalp; + } if ((param->min && *param->min > val) || (param->max && *param->max < val)) return -EINVAL; _

5 years, 9 months

1
0
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror March 2019