April 2022 - Linux-stable-mirror

[PATCH] cgroup: don't queue css_release_work if one already pending

by Tadeusz Struk

Syzbot found a corrupted list bug scenario that can be triggered from cgroup css_create(). The reproduces writes to cgroup.subtree_control file, which invokes cgroup_apply_control_enable(), css_create(), and css_populate_dir(), which then randomly fails with a fault injected -ENOMEM. In such scenario the css_create() error path rcu enqueues css_free_rwork_fn work for an css->refcnt initialized with css_release() destructor, and there is a chance that the css_release() function will be invoked for a cgroup_subsys_state, for which a destroy_work has already been queued via css_create() error path. This causes a list_add corruption as can be seen in the syzkaller report [1]. This can be avoided by adding a check to css_release() that checks if it has already been enqueued. [1] https://syzkaller.appspot.com/bug?id=e26e54d6eac9d9fb50b221ec3e4627b327465d… Cc: Tejun Heo <tj(a)kernel.org> Cc: Zefan Li <lizefan.x(a)bytedance.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Christian Brauner <brauner(a)kernel.org> Cc: Alexei Starovoitov <ast(a)kernel.org> Cc: Daniel Borkmann <daniel(a)iogearbox.net> Cc: Andrii Nakryiko <andrii(a)kernel.org> Cc: Martin KaFai Lau <kafai(a)fb.com> Cc: Song Liu <songliubraving(a)fb.com> Cc: Yonghong Song <yhs(a)fb.com> Cc: John Fastabend <john.fastabend(a)gmail.com> Cc: KP Singh <kpsingh(a)kernel.org> Cc: <cgroups(a)vger.kernel.org> Cc: <netdev(a)vger.kernel.org> Cc: <bpf(a)vger.kernel.org> Cc: <stable(a)vger.kernel.org> Cc: <linux-kernel(a)vger.kernel.org> Reported-by: syzbot+e42ae441c3b10acf9e9d(a)syzkaller.appspotmail.com Fixes: 8f36aaec9c92 ("cgroup: Use rcu_work instead of explicit rcu and work item") Signed-off-by: Tadeusz Struk <tadeusz.struk(a)linaro.org> --- kernel/cgroup/cgroup.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c index adb820e98f24..9ae2de29f8c9 100644 --- a/kernel/cgroup/cgroup.c +++ b/kernel/cgroup/cgroup.c @@ -5210,8 +5210,11 @@ static void css_release(struct percpu_ref *ref) struct cgroup_subsys_state *css = container_of(ref, struct cgroup_subsys_state, refcnt); - INIT_WORK(&css->destroy_work, css_release_work_fn); - queue_work(cgroup_destroy_wq, &css->destroy_work); + if (!test_and_set_bit(WORK_STRUCT_PENDING_BIT, + work_data_bits(&css->destroy_work))) { + INIT_WORK(&css->destroy_work, css_release_work_fn); + queue_work(cgroup_destroy_wq, &css->destroy_work); + } } static void init_and_link_css(struct cgroup_subsys_state *css, -- 2.35.1

3 years, 7 months

3
7
0 0

[PATCH] drm/bridge: fix anx6345 power up sequence

by Torsten Duwe

Align the power-up sequence with the known-good procedure documented in [1]: un-swap dvdd12 and dvdd25, and allow a little extra time for them to settle before de-asserting reset. Fixes: 6aa192698089b ("drm/bridge: Add Analogix anx6345 support") [1] https://github.com/OLIMEX/DIY-LAPTOP/blob/master/ HARDWARE/A64-TERES/TERES-PCB1-A64-MAIN/Rev.C/TERES_PCB1-A64-MAIN_Rev.C.pdf (page 5, blue comment down left) Reported-by: Harald Geyer <harald(a)ccbib.org> Signed-off-by: Torsten Duwe <duwe(a)lst.de> Cc: stable(a)vger.kernel.org --- This fixes the problem that e.g. X screensaver turns the screen black, and it stays black until the next reboot; definitely on the Teres-I, probably on the pinebook64, too. --- a/drivers/gpu/drm/bridge/analogix/analogix-anx6345.c +++ b/drivers/gpu/drm/bridge/analogix/analogix-anx6345.c @@ -309,27 +309,27 @@ static void anx6345_poweron(struct anx63 gpiod_set_value_cansleep(anx6345->gpiod_reset, 1); usleep_range(1000, 2000); - err = regulator_enable(anx6345->dvdd12); + err = regulator_enable(anx6345->dvdd25); if (err) { - DRM_ERROR("Failed to enable dvdd12 regulator: %d\n", + DRM_ERROR("Failed to enable dvdd25 regulator: %d\n", err); return; } - /* T1 - delay between VDD12 and VDD25 should be 0-2ms */ + /* T1 - delay between VDD25 and VDD12 should be 0-2ms */ usleep_range(1000, 2000); - err = regulator_enable(anx6345->dvdd25); + err = regulator_enable(anx6345->dvdd12); if (err) { - DRM_ERROR("Failed to enable dvdd25 regulator: %d\n", + DRM_ERROR("Failed to enable dvdd12 regulator: %d\n", err); return; } /* T2 - delay between RESETN and all power rail stable, - * should be 2-5ms + * should be at least 2-5ms, 10ms to be safe. */ - usleep_range(2000, 5000); + usleep_range(9000, 11000); gpiod_set_value_cansleep(anx6345->gpiod_reset, 0);

3 years, 7 months

2
6
0 0

[PATCH 1/2] x86/mpparse: avoid overwriting boot_cpu_physical_apicid

by Kevin Mitchell

When booting with ACPI unavailable or disabled, get_smp_config() ends up calling MP_processor_info() for each CPU found in the MPS table. Previously, this resulted in boot_cpu_physical_apicid getting unconditionally overwritten by the apicid of whatever processor had the CPU_BOOTPROCESSOR flag. This occurred even if boot_cpu_physical_apicid had already been more reliably determined in register_lapic_address() by calling read_apic_id() from the actual boot processor. Ordinariliy, this is not a problem because the boot processor really is the one with the CPU_BOOTPROCESSOR flag. However, kexec is an exception in which the kernel may be booted from any processor regardless of the MPS table contents. In this case, boot_cpu_physical_apicid may not indicate the actual boot processor. This was particularly problematic when the second kernel was booted with NR_CPUS fewer than the number of physical processors. It's the job of generic_processor_info() to decide which CPUs to bring up in this case. That obviously must include the real boot processor which it takes care to save a slot for. It relies upon the contents of boot_cpu_physical_apicid to do this, which if incorrect, may result in the boot processor getting left out. This condition can be discovered by smp_sanity_check() and rectified by adding the boot processor to the phys_cpu_present_map with the warning "weird, boot CPU (#%d) not listed by the BIOS". However, commit 3e730dad3b6da ("x86/apic: Unify interrupt mode setup for SMP-capable system") caused setup_local_APIC() to be called before this could happen resulting in a BUG_ON(!apic->apic_id_registered()): [ 0.655452] ------------[ cut here ]------------ [ 0.660610] Kernel BUG at setup_local_APIC+0x74/0x280 [verbose debug info unavailable] [ 0.669466] invalid opcode: 0000 [#1] SMP [ 0.673948] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.19.109.Ar-16509018.eostrunkkernel419 #1 [ 0.683670] Hardware name: Quanta Quanta LY6 (1LY6UZZ0FBC), BIOS 1.0.6.0-e7d6a55 11/26/2015 [ 0.693007] RIP: 0010:setup_local_APIC+0x74/0x280 [ 0.698264] Code: 80 e4 fe bf f0 00 00 00 89 c6 48 8b 05 0f 1a 8e 00 ff 50 10 e8 12 53 fd ff 48 8b 05 00 1a 8e 00 ff 90 a0 00 00 00 85 c0 75 02 <0f> 0b 48 8b 05 ed 19 8e 00 41 be 00 02 00 00 ff 90 b0 00 00 00 48 [ 0.719251] RSP: 0000:ffffffff81a03e20 EFLAGS: 00010246 [ 0.725091] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000 [ 0.733066] RDX: 0000000000000000 RSI: 000000000000000f RDI: 0000000000000020 [ 0.741041] RBP: ffffffff81a03e98 R08: 0000000000000002 R09: 0000000000000000 [ 0.749014] R10: ffffffff81a204e0 R11: ffffffff81b50ea7 R12: 0000000000000000 [ 0.756989] R13: ffffffff81aef920 R14: ffffffff81af60a0 R15: 0000000000000000 [ 0.764965] FS: 0000000000000000(0000) GS:ffff888036800000(0000) knlGS:0000000000000000 [ 0.774007] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 0.780427] CR2: ffff888035c01000 CR3: 0000000035a08000 CR4: 00000000000006b0 [ 0.788401] Call Trace: [ 0.791137] ? amd_iommu_prepare+0x15/0x2a [ 0.795717] apic_bsp_setup+0x55/0x75 [ 0.799808] apic_intr_mode_init+0x169/0x16e [ 0.804579] x86_late_time_init+0x10/0x17 [ 0.809062] start_kernel+0x37e/0x3fe [ 0.813154] x86_64_start_reservations+0x2a/0x2c [ 0.818316] x86_64_start_kernel+0x72/0x75 [ 0.822886] secondary_startup_64+0xa4/0xb0 [ 0.827564] ---[ end trace 237b64da0fd9b22e ]--- This change avoids these issues by only setting boot_cpu_physical_apicid from the MPS table if it is not already set, which can occur in the construct_default_ISA_mptable() path. Otherwise, boot_cpu_physical_apicid will already have been set in register_lapic_address() and should therefore remain untouched. Looking through all the places where boot_cpu_physical_apicid is accessed, nearly all of them assume that boot_cpu_physical_apicid should match read_apic_id() on the booting processor. The only place that might intend to use the BSP apicid listed in the MPS table is amd_numa_init(), which explicitly requires boot_cpu_physical_apicid to be the lowest apicid of all processors. Ironically, due to the early exit short circuit in early_get_smp_config(), it instead gets boot_cpu_physical_apicid = read_apic_id() rather than the MPS table BSP. The behaviour of amd_numa_init() is therefore unaffected by this change. Fixes: 3e730dad3b6da ("x86/apic: Unify interrupt mode setup for SMP-capable system") Signed-off-by: Kevin Mitchell <kevmitch(a)arista.com> Cc: <stable(a)vger.kernel.org> --- arch/x86/kernel/mpparse.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/kernel/mpparse.c b/arch/x86/kernel/mpparse.c index afac7ccce72f..6f22f09bfe11 100644 --- a/arch/x86/kernel/mpparse.c +++ b/arch/x86/kernel/mpparse.c @@ -64,7 +64,8 @@ static void __init MP_processor_info(struct mpc_cpu *m) if (m->cpuflag & CPU_BOOTPROCESSOR) { bootup_cpu = " (Bootup-CPU)"; - boot_cpu_physical_apicid = m->apicid; + if (boot_cpu_physical_apicid == -1U) + boot_cpu_physical_apicid = m->apicid; } pr_info("Processor #%d%s\n", m->apicid, bootup_cpu); -- 2.26.2

3 years, 7 months

1
1
0 0

[PATCH] gpio: Revert regression in sysfs-gpio (gpiolib.c)

by Marcelo Roberto Jimenez

Some GPIO lines have stopped working after the patch commit 2ab73c6d8323f ("gpio: Support GPIO controllers without pin-ranges") And this has supposedly been fixed in the following patches commit 89ad556b7f96a ("gpio: Avoid using pin ranges with !PINCTRL") commit 6dbbf84603961 ("gpiolib: Don't free if pin ranges are not defined") But an erratic behavior where some GPIO lines work while others do not work has been introduced. This patch reverts those changes so that the sysfs-gpio interface works properly again. Signed-off-by: Marcelo Roberto Jimenez <marcelo.jimenez(a)gmail.com> --- Hi, My system is ARM926EJ-S rev 5 (v5l) (AT91SAM9G25), the board is an ACME Systems Arietta. The system used sysfs-gpio to manage a few gpio lines, and I have noticed that some have stopped working. The test script is very simple: #! /bin/bash cd /sys/class/gpio/ echo 24 > export cd pioA24 echo out > direction echo 0 > value cat value echo 1 > value cat value echo 0 > value cat value echo 1 > value cat value cd .. echo 24 > unexport In a "good" kernel, this script outputs 0, 1, 0, 1. In a bad kernel, the output result is 1, 1, 1, 1. Also it must be possible to run this script twice without errors, that was the issue with the gpiochip_generic_free() call that had been addressed in another patch. In my system PINCTRL is automatically selected by SOC_AT91SAM9 [=y] && ARCH_AT91 [=y] && ARCH_MULTI_V5 [=y] So it is not an option to disable it to make it work. Best regards, Marcelo. drivers/gpio/gpiolib.c | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c index af5bb8fedfea..ac69ec8fb37a 100644 --- a/drivers/gpio/gpiolib.c +++ b/drivers/gpio/gpiolib.c @@ -1804,11 +1804,6 @@ static inline void gpiochip_irqchip_free_valid_mask(struct gpio_chip *gc) */ int gpiochip_generic_request(struct gpio_chip *gc, unsigned offset) { -#ifdef CONFIG_PINCTRL - if (list_empty(&gc->gpiodev->pin_ranges)) - return 0; -#endif - return pinctrl_gpio_request(gc->gpiodev->base + offset); } EXPORT_SYMBOL_GPL(gpiochip_generic_request); @@ -1820,11 +1815,6 @@ EXPORT_SYMBOL_GPL(gpiochip_generic_request); */ void gpiochip_generic_free(struct gpio_chip *gc, unsigned offset) { -#ifdef CONFIG_PINCTRL - if (list_empty(&gc->gpiodev->pin_ranges)) - return; -#endif - pinctrl_gpio_free(gc->gpiodev->base + offset); } EXPORT_SYMBOL_GPL(gpiochip_generic_free); -- 2.30.2

3 years, 7 months

9
27
0 0

Linux 5.17.5

by Greg Kroah-Hartman

I'm announcing the release of the 5.17.5 kernel. All users of the 5.17 kernel series must upgrade. The updated 5.17.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.17.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/filesystems/ext4/attributes.rst | 2 Makefile | 2 arch/arc/kernel/entry.S | 1 arch/arm/mach-vexpress/spc.c | 2 arch/arm/xen/enlighten.c | 9 - arch/arm64/boot/dts/freescale/imx8mm-var-som.dtsi | 8 - arch/arm64/boot/dts/freescale/imx8mn-var-som.dtsi | 8 - arch/arm64/boot/dts/qcom/sc7180.dtsi | 2 arch/arm64/boot/dts/qcom/sc7280.dtsi | 2 arch/arm64/boot/dts/qcom/sm8350.dtsi | 2 arch/arm64/include/asm/pgtable.h | 4 arch/powerpc/kernel/time.c | 29 +--- arch/powerpc/kvm/book3s_64_vio.c | 45 +++--- arch/powerpc/kvm/book3s_64_vio_hv.c | 44 +++--- arch/powerpc/perf/power10-pmu.c | 2 arch/powerpc/perf/power9-pmu.c | 8 - arch/riscv/kvm/vcpu.c | 21 +- arch/x86/include/asm/compat.h | 6 arch/x86/include/asm/kvm_host.h | 4 arch/x86/kvm/hyperv.c | 40 +---- arch/x86/kvm/hyperv.h | 2 arch/x86/kvm/pmu.h | 9 + arch/x86/kvm/svm/pmu.c | 1 arch/x86/kvm/svm/sev.c | 61 +++----- arch/x86/kvm/vmx/nested.c | 5 arch/x86/kvm/vmx/pmu_intel.c | 8 - arch/x86/kvm/vmx/vmx.c | 5 arch/x86/kvm/vmx/vmx.h | 1 arch/x86/kvm/x86.c | 29 ++-- arch/xtensa/kernel/coprocessor.S | 4 arch/xtensa/kernel/jump_label.c | 2 block/ioctl.c | 2 drivers/ata/pata_marvell.c | 2 drivers/dma/at_xdmac.c | 12 - drivers/dma/dw-edma/dw-edma-v0-core.c | 7 drivers/dma/idxd/device.c | 6 drivers/dma/idxd/submit.c | 5 drivers/dma/idxd/sysfs.c | 6 drivers/dma/imx-sdma.c | 32 ++-- drivers/dma/mediatek/mtk-uart-apdma.c | 9 - drivers/edac/synopsys_edac.c | 16 +- drivers/firmware/cirrus/cs_dsp.c | 3 drivers/gpio/gpiolib.c | 4 drivers/gpu/drm/amd/display/dc/dce/dmub_psr.c | 4 drivers/gpu/drm/i915/display/intel_psr.c | 38 ++--- drivers/gpu/drm/msm/adreno/adreno_device.c | 17 -- drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c | 3 drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c | 2 drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c | 13 + drivers/gpu/drm/radeon/radeon_sync.c | 2 drivers/gpu/drm/vc4/vc4_dsi.c | 2 drivers/gpu/drm/vmwgfx/vmwgfx_bo.c | 43 ++---- drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 8 - drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 7 drivers/input/keyboard/omap4-keypad.c | 2 drivers/net/ethernet/Kconfig | 26 +-- drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 8 - drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c | 8 - drivers/net/ethernet/aquantia/atlantic/aq_vec.c | 24 +-- drivers/net/ethernet/cadence/macb_main.c | 8 + drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c | 8 - drivers/net/ethernet/intel/e1000e/ich8lan.c | 4 drivers/net/ethernet/intel/ice/ice_eswitch.c | 3 drivers/net/ethernet/intel/ice/ice_eswitch.h | 2 drivers/net/ethernet/intel/ice/ice_nvm.c | 1 drivers/net/ethernet/intel/igc/igc_i225.c | 11 + drivers/net/ethernet/intel/igc/igc_phy.c | 4 drivers/net/ethernet/intel/igc/igc_ptp.c | 15 +- drivers/net/ethernet/mscc/ocelot.c | 2 drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c | 4 drivers/net/vxlan.c | 4 drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 2 drivers/net/wireless/mediatek/mt76/mt76x2/pci.c | 2 drivers/nvme/host/core.c | 24 ++- drivers/nvme/host/nvme.h | 5 drivers/nvme/host/pci.c | 9 + drivers/perf/arm_pmu.c | 10 - drivers/platform/x86/samsung-laptop.c | 2 drivers/reset/reset-rzg2l-usbphy-ctrl.c | 4 drivers/reset/tegra/reset-bpmp.c | 9 + drivers/scsi/bnx2i/bnx2i_hwi.c | 2 drivers/scsi/bnx2i/bnx2i_iscsi.c | 2 drivers/scsi/cxgbi/libcxgbi.c | 6 drivers/scsi/libiscsi.c | 27 ++- drivers/scsi/libiscsi_tcp.c | 2 drivers/scsi/qedi/qedi_iscsi.c | 69 ++++----- drivers/scsi/scsi_transport_iscsi.c | 71 ++++------ drivers/scsi/sr_ioctl.c | 15 +- drivers/scsi/ufs/ufshcd.c | 5 drivers/spi/atmel-quadspi.c | 3 drivers/spi/spi-cadence-quadspi.c | 19 ++ drivers/spi/spi-mtk-nor.c | 12 + fs/cifs/cifsfs.c | 2 fs/cifs/connect.c | 11 + fs/cifs/dfs_cache.c | 19 +- fs/ext4/ext4.h | 7 fs/ext4/extents.c | 32 +++- fs/ext4/inode.c | 18 ++ fs/ext4/ioctl.c | 16 ++ fs/ext4/namei.c | 4 fs/ext4/page-io.c | 4 fs/ext4/super.c | 21 ++ fs/gfs2/rgrp.c | 9 - fs/hugetlbfs/inode.c | 9 - fs/io_uring.c | 11 - fs/jbd2/commit.c | 4 fs/namei.c | 22 +-- fs/posix_acl.c | 10 + fs/stat.c | 19 +- fs/xattr.c | 6 include/linux/etherdevice.h | 5 include/linux/memcontrol.h | 5 include/linux/posix_acl_xattr.h | 4 include/linux/sched.h | 1 include/linux/sched/mm.h | 8 + include/net/esp.h | 2 include/net/netns/ipv6.h | 4 include/scsi/libiscsi.h | 9 - include/scsi/scsi_transport_iscsi.h | 2 kernel/events/core.c | 2 kernel/events/internal.h | 5 kernel/events/ring_buffer.c | 5 kernel/irq_work.c | 2 kernel/sched/fair.c | 10 - lib/xarray.c | 2 mm/memcontrol.c | 12 + mm/memory-failure.c | 13 + mm/mmap.c | 8 - mm/mmu_notifier.c | 14 + mm/oom_kill.c | 54 +++++-- mm/userfaultfd.c | 15 +- mm/workingset.c | 2 net/can/isotp.c | 10 + net/dsa/tag_hellcreek.c | 8 + net/ipv4/esp4.c | 5 net/ipv6/esp6.c | 5 net/ipv6/ip6_gre.c | 14 + net/ipv6/route.c | 11 - net/l3mdev/l3mdev.c | 2 net/netlink/af_netlink.c | 7 net/openvswitch/flow_netlink.c | 2 net/packet/af_packet.c | 13 + net/rxrpc/net_ns.c | 2 net/sched/cls_u32.c | 24 +-- net/smc/af_smc.c | 4 sound/hda/intel-dsp-config.c | 18 ++ sound/pci/hda/patch_hdmi.c | 6 sound/pci/hda/patch_realtek.c | 1 sound/soc/atmel/sam9g20_wm8731.c | 61 -------- sound/soc/codecs/msm8916-wcd-digital.c | 9 + sound/soc/codecs/rk817_codec.c | 2 sound/soc/codecs/rt5682.c | 11 - sound/soc/codecs/rt5682s.c | 11 - sound/soc/codecs/wcd934x.c | 26 --- sound/soc/soc-dapm.c | 6 sound/soc/soc-topology.c | 4 sound/soc/sof/topology.c | 43 ++++++ sound/usb/midi.c | 1 sound/usb/mixer_maps.c | 4 sound/usb/usbaudio.h | 2 tools/lib/perf/evlist.c | 3 tools/perf/builtin-report.c | 14 + tools/perf/builtin-script.c | 2 tools/testing/selftests/drivers/net/mlxsw/spectrum-2/vxlan_flooding_ipv6.sh | 17 ++ tools/testing/selftests/drivers/net/mlxsw/vxlan_flooding.sh | 17 ++ tools/testing/selftests/kvm/aarch64/arch_timer.c | 15 +- 166 files changed, 1109 insertions(+), 724 deletions(-) Adrian Hunter (1): perf tools: Fix segfault accessing sample_id xyarray Alex Elder (1): arm64: dts: qcom: add IPA qcom,qmp property Alexey Kardashevskiy (1): KVM: PPC: Fix TCE handling for VFIO Alistair Popple (1): mm/mmu_notifier.c: fix race in mmu_interval_notifier_remove() Allen-KH Cheng (1): spi: spi-mtk-nor: initialize spi controller after resume Athira Rajeev (2): powerpc/perf: Fix power9 event alternatives powerpc/perf: Fix power10 event alternatives Atish Patra (2): RISC-V: KVM: Remove 's' & 'u' as valid ISA extension RISC-V: KVM: Restrict the extensions that can be disabled Bob Peterson (1): gfs2: assign rgrp glock before compute_bitstructs Borislav Petkov (3): ALSA: usb-audio: Fix undefined behavior due to shift overflowing the constant mt76: Fix undefined behavior due to shift overflowing the constant brcmfmac: sdio: Fix undefined behavior due to shift overflowing the constant Christian Brauner (1): fs: fix acl translation Christian König (1): drm/radeon: fix logic inversion in radeon_sync_resv Christoph Hellwig (3): nvme: add a quirk to disable namespace identifiers nvme-pci: disable namespace identifiers for the MAXIO MAP1002/1202 nvme-pci: disable namespace identifiers for Qemu controllers Christophe Leroy (1): mm, hugetlb: allow for "high" userspace addresses Darrick J. Wong (1): ext4: fix fallocate to use file_modified to update permissions consistently Dave Jiang (6): dmaengine: idxd: fix device cleanup on disable dmaengine: idxd: match type for retries var in idxd_enqcmds() dmaengine: idxd: fix retry value to be constant for duration of function call dmaengine: idxd: add RO check for wq max_batch_size write dmaengine: idxd: add RO check for wq max_transfer_size write dmaengine: idxd: skip clearing device context when device is read-only Dave Stevenson (2): drm/panel/raspberrypi-touchscreen: Avoid NULL deref if not initialised drm/panel/raspberrypi-touchscreen: Initialise the bridge in prepare David Ahern (1): l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu David Howells (2): rxrpc: Restore removed timer deletion cifs: Check the IOCB_DIRECT flag, not O_DIRECT Eric Dumazet (4): net/sched: cls_u32: fix netns refcount changes in u32_change() net/sched: cls_u32: fix possible leak in u32_init_knode() ipv6: make ip6_rt_gc_expire an atomic_t netlink: reset network and mac headers in netlink_dump() Greg Kroah-Hartman (1): Linux 5.17.5 Guo Ren (1): xtensa: patch_text: Fixup last cpu should be master Hangbin Liu (1): net/packet: fix packet_sock xmit return value checking Heiner Kallweit (1): reset: renesas: Check return value of reset_control_deassert() Herve Codina (1): dmaengine: dw-edma: Fix unaligned 64bit access Hongbin Wang (1): vxlan: fix error return code in vxlan_fdb_append Ido Schimmel (2): selftests: mlxsw: vxlan_flooding: Prevent flooding of unwanted packets selftests: mlxsw: vxlan_flooding_ipv6: Prevent flooding of unwanted packets Jens Axboe (1): io_uring: free iovec if file assignment fails Jianglei Nie (1): ice: Fix memory leak in ice_get_orom_civd_data() Jiapeng Chong (1): platform/x86: samsung-laptop: Fix an unsigned comparison which can never be negative José Roberto de Souza (1): drm/i915/display/psr: Unset enable_psr2_sel_fetch if other checks in intel_psr2_config_valid() fails Kai Vehmanen (1): ALSA: hda/hdmi: fix warning about PCM count when used with SOF Kai-Heng Feng (1): net: atlantic: Avoid out-of-bounds indexing Kees Cook (2): etherdevice: Adjust ether_addr* prototypes to silence -Wstringop-overead ARM: vexpress/spc: Avoid negative array index when !SMP Kevin Groeneveld (1): dmaengine: imx-sdma: fix init of uart scripts Kevin Hao (1): net: stmmac: Use readl_poll_timeout_atomic() in atomic state Khazhismel Kumykov (1): block/compat_ioctl: fix range check in BLKGETSIZE Kurt Kanzenbach (1): net: dsa: hellcreek: Calculate checksums in tagger Leo Yan (2): perf script: Always allow field 'data_src' for auxtrace perf report: Set PERF_SAMPLE_DATA_SRC bit for Arm SPE event Like Xu (1): KVM: x86/pmu: Update AMD PMC sample period to fix guest NMI-watchdog Lv Ruyi (1): dpaa_eth: Fix missing of_node_put in dpaa_get_ts_info() Maciej Fijalkowski (1): ice: allow creating VFs for !CONFIG_NET_SWITCHDEV Manuel Ullmann (1): net: atlantic: invert deep par in pm functions, preventing null derefs Mario Limonciello (1): gpio: Request interrupts after IRQ is initialized Mark Brown (1): ASoC: atmel: Remove system clock tree configuration for at91sam9g20ek Matthew Wilcox (Oracle) (1): XArray: Disallow sibling entries of nodes Matthias Schiffer (1): spi: cadence-quadspi: fix incorrect supports_op() return value Maurizio Avogadro (1): ALSA: usb-audio: add mapping for MSI MAG X570S Torpedo MAX. Max Filippov (1): xtensa: fix a7 clobbering in coprocessor context load/store Miaoqian Lin (6): ASoC: rk817: Use devm_clk_get() in rk817_platform_probe ASoC: msm8916-wcd-digital: Check failure for devm_snd_soc_register_component dmaengine: imx-sdma: Fix error checking in sdma_event_remap Input: omap4-keypad - fix pm_runtime_get_sync() error checking drm/vc4: Use pm_runtime_resume_and_get to fix pm_runtime_get_sync() usage arm/xen: Fix some refcount leaks Michael Ellerman (1): powerpc/time: Always set decrementer in timer_interrupt() Mike Christie (4): scsi: iscsi: Release endpoint ID when its freed scsi: iscsi: Merge suspend fields scsi: iscsi: Fix NOP handling during conn recovery scsi: qedi: Fix failed disconnect handling Mikulas Patocka (1): stat: fix inconsistency between struct stat and struct compat_stat Mingwei Zhang (1): KVM: SVM: Flush when freeing encrypted pages even on SME_COHERENT CPUs Muchun Song (1): arm64: mm: fix p?d_leaf() Nadav Amit (1): userfaultfd: mark uffd_wp regardless of VM_WRITE flag NeilBrown (1): VFS: filename_create(): fix incorrect intent. Nicholas Kazlauskas (1): drm/amd/display: Only set PSR version when valid Nico Pache (1): oom_kill.c: futex: delay the OOM reaper to allow time for proper futex cleanup Oliver Hartkopp (1): can: isotp: stop timeout monitoring when no first frame was sent Oliver Upton (1): selftests: KVM: Free the GIC FD when cleaning up in arch_timer Paolo Valerio (1): openvswitch: fix OOB access in reserve_sfa_size() Paulo Alcantara (2): cifs: fix NULL ptr dereference in refresh_mounts() cifs: use correct lock type in cifs_reconnect() Pavel Begunkov (1): io_uring: fix leaks on IOPOLL and CQE_SKIP Peilin Ye (2): ip6_gre: Avoid updating tunnel->tun_hlen in __gre6_xmit() ip6_gre: Fix skb_under_panic in __gre6_xmit() Peter Ujfalusi (1): ASoC: topology: Correct error handling in soc_tplg_dapm_widget_create() Peter Wang (1): scsi: ufs: core: scsi_get_lba() error fix Pierre-Louis Bossart (2): ALSA: hda: intel-dsp-config: update AlderLake PCI IDs ASoC: SOF: topology: cleanup dailinks on widget unload Richard Fitzgerald (1): firmware: cs_dsp: Fix overrun of unterminated control name string Rob Clark (2): drm/msm/gpu: Rename runtime suspend/resume functions drm/msm/gpu: Remove mutex from wait_event condition Rob Herring (2): arm64: dts: imx: Fix imx8*-var-som touchscreen property sizes arm_pmu: Validate single/group leader events Sabrina Dubroca (1): esp: limit skb_page_frag_refill use to a single page Sameer Pujar (1): reset: tegra-bpmp: Restore Handle errors in BPMP response Sasha Neftin (3): igc: Fix infinite loop in release_swfw_sync igc: Fix BUG: scheduling while atomic e1000e: Fix possible overflow in LTR decoding Sean Christopherson (4): KVM: x86: Don't re-acquire SRCU lock in complete_emulated_io() KVM: x86: Pend KVM_REQ_APICV_UPDATE during vCPU creation to fix a race KVM: nVMX: Defer APICv updates while L2 is active until L1 is active KVM: SVM: Simplify and harden helper to flush SEV guest page(s) Sergey Matyukevich (1): ARC: entry: fix syscall_trace_exit argument Shakeel Butt (1): memcg: sync flush only if periodic flush is delayed Shubhrajyoti Datta (1): EDAC/synopsys: Read the error count from the correct register Srinivas Kandagatla (1): ASoC: codecs: wcd934x: do not switch off SIDO Buck when codec is in use Stephen Hemminger (1): net: restore alpha order to Ethernet devices in config Tadeusz Struk (1): ext4: limit length to bitmap_maxbytes - blocksize in punch_hole Takashi Iwai (1): ALSA: usb-audio: Clear MIDI port active flag after draining Theodore Ts'o (3): ext4: fix overhead calculation to account for the reserved gdt blocks ext4: force overhead calculation if the s_overhead_cluster makes no sense ext4: update the cached overhead value in the superblock Tim Crawford (1): ALSA: hda/realtek: Add quirk for Clevo NP70PNP Tom Rix (1): scsi: sr: Do not leak information in ioctl Tomas Melin (1): net: macb: Restart tx only if queue pointer is lagging Tony Lu (1): net/smc: Fix sock leak when release after smc_shutdown() Tudor Ambarus (1): spi: atmel-quadspi: Fix the buswidth adjustment between spi-mem and controller Vinicius Costa Gomes (1): igc: Fix suspending when PTM is active Vitaly Kuznetsov (1): KVM: x86: hyper-v: Avoid writing to TSC page without an active vCPU Vladimir Oltean (1): net: mscc: ocelot: fix broken IP multicast flooding Wojciech Drewek (1): ice: fix crash in switchdev mode Xiaoke Wang (2): drm/msm/disp: check the return value of kzalloc() drm/msm/mdp5: check the return of kzalloc() Xiaomeng Tong (4): dma: at_xdmac: fix a missing check on list iterator ASoC: rt5682: fix an incorrect NULL check on list iterator ASoC: soc-dapm: fix two incorrect uses of list iterator codecs: rt5682s: fix an incorrect NULL check on list iterator Xu Yu (1): mm/memory-failure.c: skip huge_zero_page in memory_failure() Ye Bin (3): ext4: fix symlink file size not match to file content ext4: fix use-after-free in ext4_search_dir jbd2: fix a potential race while discarding reserved buffers after an abort Zack Rusin (1): drm/vmwgfx: Fix gem refcounting and memory evictions Zheyu Ma (1): ata: pata_marvell: Check the 'bmdma_addr' beforing reading Zhipeng Xie (1): perf/core: Fix perf_mmap fail when CONFIG_PERF_USE_VMALLOC enabled Zqiang (1): irq_work: use kasan_record_aux_stack_noalloc() record callstack kuyo chang (1): sched/pelt: Fix attach_entity_load_avg() corner case wangjianjian (C) (1): ext4, doc: fix incorrect h_reserved size zhangqilong (1): dmaengine: mediatek:Fix PM usage reference leak of mtk_uart_apdma_alloc_chan_resources

3 years, 7 months

5
15
0 0

[PATCH] ASoC: ops: Shift tested values in snd_soc_put_volsw() by +min

by Marek Vasut

While the $val/$val2 values passed in from userspace are always >= 0 integers, the limits of the control can be signed integers and the $min can be non-zero and less than zero. To correctly validate $val/$val2 against platform_max, add the $min offset to val first. Fixes: 817f7c9335ec0 ("ASoC: ops: Reject out of bounds values in snd_soc_put_volsw()") Signed-off-by: Marek Vasut <marex(a)denx.de> Cc: Mark Brown <broonie(a)kernel.org> Cc: stable(a)vger.kernel.org --- sound/soc/soc-ops.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c index f24f7354f46fe..6389a512c4dc6 100644 --- a/sound/soc/soc-ops.c +++ b/sound/soc/soc-ops.c @@ -317,7 +317,7 @@ int snd_soc_put_volsw(struct snd_kcontrol *kcontrol, mask = BIT(sign_bit + 1) - 1; val = ucontrol->value.integer.value[0]; - if (mc->platform_max && val > mc->platform_max) + if (mc->platform_max && ((int)val + min) > mc->platform_max) return -EINVAL; if (val > max - min) return -EINVAL; @@ -330,7 +330,7 @@ int snd_soc_put_volsw(struct snd_kcontrol *kcontrol, val = val << shift; if (snd_soc_volsw_is_stereo(mc)) { val2 = ucontrol->value.integer.value[1]; - if (mc->platform_max && val2 > mc->platform_max) + if (mc->platform_max && ((int)val2 + min) > mc->platform_max) return -EINVAL; if (val2 > max - min) return -EINVAL; -- 2.34.1

3 years, 7 months

6
14
0 0

[PATCH v3] ext4: fix race condition between ext4_write and ext4_convert_inline_data

by Baokun Li

Hulk Robot reported a BUG_ON: ================================================================== EXT4-fs error (device loop3): ext4_mb_generate_buddy:805: group 0, block bitmap and bg descriptor inconsistent: 25 vs 31513 free clusters kernel BUG at fs/ext4/ext4_jbd2.c:53! invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 0 PID: 25371 Comm: syz-executor.3 Not tainted 5.10.0+ #1 RIP: 0010:ext4_put_nojournal fs/ext4/ext4_jbd2.c:53 [inline] RIP: 0010:__ext4_journal_stop+0x10e/0x110 fs/ext4/ext4_jbd2.c:116 [...] Call Trace: ext4_write_inline_data_end+0x59a/0x730 fs/ext4/inline.c:795 generic_perform_write+0x279/0x3c0 mm/filemap.c:3344 ext4_buffered_write_iter+0x2e3/0x3d0 fs/ext4/file.c:270 ext4_file_write_iter+0x30a/0x11c0 fs/ext4/file.c:520 do_iter_readv_writev+0x339/0x3c0 fs/read_write.c:732 do_iter_write+0x107/0x430 fs/read_write.c:861 vfs_writev fs/read_write.c:934 [inline] do_pwritev+0x1e5/0x380 fs/read_write.c:1031 [...] ================================================================== Above issue may happen as follows: cpu1 cpu2 __________________________|__________________________ do_pwritev vfs_writev do_iter_write ext4_file_write_iter ext4_buffered_write_iter generic_perform_write ext4_da_write_begin vfs_fallocate ext4_fallocate ext4_convert_inline_data ext4_convert_inline_data_nolock ext4_destroy_inline_data_nolock clear EXT4_STATE_MAY_INLINE_DATA ext4_map_blocks ext4_ext_map_blocks ext4_mb_new_blocks ext4_mb_regular_allocator ext4_mb_good_group_nolock ext4_mb_init_group ext4_mb_init_cache ext4_mb_generate_buddy --> error ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA) ext4_restore_inline_data set EXT4_STATE_MAY_INLINE_DATA ext4_block_write_begin ext4_da_write_end ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA) ext4_write_inline_data_end handle=NULL ext4_journal_stop(handle) __ext4_journal_stop ext4_put_nojournal(handle) ref_cnt = (unsigned long)handle BUG_ON(ref_cnt == 0) ---> BUG_ON The lock held by ext4_convert_inline_data is xattr_sem, but the lock held by generic_perform_write is i_rwsem. Therefore, the two locks can be concurrent. To solve above issue, we add inode_lock() for ext4_convert_inline_data(). At the same time, move ext4_convert_inline_data() in front of ext4_punch_hole(), remove similar handling from ext4_punch_hole(). Fixes: 0c8d414f163f ("ext4: let fallocate handle inline data correctly") Cc: stable(a)vger.kernel.org Reported-by: Hulk Robot <hulkci(a)huawei.com> Signed-off-by: Baokun Li <libaokun1(a)huawei.com> --- V1->V2: Increase the range of the inode_lock. V2->V3: Move the lock outside the ext4_convert_inline_data(). And reorganize ext4_fallocate(). fs/ext4/extents.c | 10 ++++++---- fs/ext4/inode.c | 9 --------- 2 files changed, 6 insertions(+), 13 deletions(-) diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index e473fde6b64b..474479ce76e0 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -4693,15 +4693,17 @@ long ext4_fallocate(struct file *file, int mode, loff_t offset, loff_t len) FALLOC_FL_INSERT_RANGE)) return -EOPNOTSUPP; + inode_lock(inode); + ret = ext4_convert_inline_data(inode); + inode_unlock(inode); + if (ret) + goto exit; + if (mode & FALLOC_FL_PUNCH_HOLE) { ret = ext4_punch_hole(file, offset, len); goto exit; } - ret = ext4_convert_inline_data(inode); - if (ret) - goto exit; - if (mode & FALLOC_FL_COLLAPSE_RANGE) { ret = ext4_collapse_range(file, offset, len); goto exit; diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 646ece9b3455..4779673d733e 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -3967,15 +3967,6 @@ int ext4_punch_hole(struct file *file, loff_t offset, loff_t length) trace_ext4_punch_hole(inode, offset, length, 0); - ext4_clear_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA); - if (ext4_has_inline_data(inode)) { - filemap_invalidate_lock(mapping); - ret = ext4_convert_inline_data(inode); - filemap_invalidate_unlock(mapping); - if (ret) - return ret; - } - /* * Write out all dirty pages to avoid race conditions * Then release them. -- 2.31.1

3 years, 7 months

4
4
0 0

[PATCH AUTOSEL 5.15 01/27] gfs2: assign rgrp glock before compute_bitstructs

by Sasha Levin

From: Bob Peterson <rpeterso(a)redhat.com> [ Upstream commit 428f651cb80b227af47fc302e4931791f2fb4741 ] Before this patch, function read_rindex_entry called compute_bitstructs before it allocated a glock for the rgrp. But if compute_bitstructs found a problem with the rgrp, it called gfs2_consist_rgrpd, and that called gfs2_dump_glock for rgd->rd_gl which had not yet been assigned. read_rindex_entry compute_bitstructs gfs2_consist_rgrpd gfs2_dump_glock <---------rgd->rd_gl was not set. This patch changes read_rindex_entry so it assigns an rgrp glock before calling compute_bitstructs so gfs2_dump_glock does not reference an unassigned pointer. If an error is discovered, the glock must also be put, so a new goto and label were added. Reported-by: syzbot+c6fd14145e2f62ca0784(a)syzkaller.appspotmail.com Signed-off-by: Bob Peterson <rpeterso(a)redhat.com> Signed-off-by: Andreas Gruenbacher <agruenba(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/gfs2/rgrp.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c index c3b00ba92ed2..e21f8e10d70b 100644 --- a/fs/gfs2/rgrp.c +++ b/fs/gfs2/rgrp.c @@ -922,15 +922,15 @@ static int read_rindex_entry(struct gfs2_inode *ip) spin_lock_init(&rgd->rd_rsspin); mutex_init(&rgd->rd_mutex); - error = compute_bitstructs(rgd); - if (error) - goto fail; - error = gfs2_glock_get(sdp, rgd->rd_addr, &gfs2_rgrp_glops, CREATE, &rgd->rd_gl); if (error) goto fail; + error = compute_bitstructs(rgd); + if (error) + goto fail_glock; + rgd->rd_rgl = (struct gfs2_rgrp_lvb *)rgd->rd_gl->gl_lksb.sb_lvbptr; rgd->rd_flags &= ~(GFS2_RDF_UPTODATE | GFS2_RDF_PREFERRED); if (rgd->rd_data > sdp->sd_max_rg_data) @@ -944,6 +944,7 @@ static int read_rindex_entry(struct gfs2_inode *ip) } error = 0; /* someone else read in the rgrp; free it and ignore it */ +fail_glock: gfs2_glock_put(rgd->rd_gl); fail: -- 2.35.1

3 years, 7 months

2
30
0 0

[PATCH 2/2] ext4: Avoid cycles in directory h-tree

by Jan Kara

A maliciously corrupted filesystem can contain cycles in the h-tree stored inside a directory. That can easily lead to the kernel corrupting tree nodes that were already verified under its hands while doing a node split and consequently accessing unallocated memory. Fix the problem by verifying traversed block numbers are unique. CC: stable(a)vger.kernel.org Signed-off-by: Jan Kara <jack(a)suse.cz> --- fs/ext4/namei.c | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c index ca6ee9940599..06441ad6104d 100644 --- a/fs/ext4/namei.c +++ b/fs/ext4/namei.c @@ -777,12 +777,14 @@ static struct dx_frame * dx_probe(struct ext4_filename *fname, struct inode *dir, struct dx_hash_info *hinfo, struct dx_frame *frame_in) { - unsigned count, indirect; + unsigned count, indirect, level, i; struct dx_entry *at, *entries, *p, *q, *m; struct dx_root *root; struct dx_frame *frame = frame_in; struct dx_frame *ret_err = ERR_PTR(ERR_BAD_DX_DIR); u32 hash; + ext4_lblk_t block; + ext4_lblk_t blocks[EXT4_HTREE_LEVEL]; memset(frame_in, 0, EXT4_HTREE_LEVEL * sizeof(frame_in[0])); frame->bh = ext4_read_dirblock(dir, 0, INDEX); @@ -854,6 +856,8 @@ dx_probe(struct ext4_filename *fname, struct inode *dir, } dxtrace(printk("Look up %x", hash)); + level = 0; + blocks[0] = 0; while (1) { count = dx_get_count(entries); if (!count || count > dx_get_limit(entries)) { @@ -882,15 +886,27 @@ dx_probe(struct ext4_filename *fname, struct inode *dir, dx_get_block(at))); frame->entries = entries; frame->at = at; - if (!indirect--) + + block = dx_get_block(at); + for (i = 0; i <= level; i++) { + if (blocks[i] == block) { + ext4_warning_inode(dir, + "dx entry: tree cycle block %u points back to block %u", + blocks[level], block); + goto fail; + } + } + blocks[++level] = block; + if (level > indirect) return frame; frame++; - frame->bh = ext4_read_dirblock(dir, dx_get_block(at), INDEX); + frame->bh = ext4_read_dirblock(dir, block, INDEX); if (IS_ERR(frame->bh)) { ret_err = (struct dx_frame *) frame->bh; frame->bh = NULL; goto fail; } + entries = ((struct dx_node *) frame->bh->b_data)->entries; if (dx_get_limit(entries) != dx_node_limit(dir)) { @@ -1278,7 +1294,7 @@ static int dx_make_map(struct inode *dir, struct buffer_head *bh, count++; cond_resched(); } - de = ext4_next_entry(de, blocksize); + de = ext4_next_entry(de, dir->i_sb->s_blocksize); } return count; } -- 2.34.1

3 years, 7 months

2
2
0 0

[PATCH 1/2] ext4: Verify dir block before splitting it

by Jan Kara

Before splitting a directory block verify its directory entries are sane so that the splitting code does not access memory it should not. CC: stable(a)vger.kernel.org Signed-off-by: Jan Kara <jack(a)suse.cz> --- fs/ext4/namei.c | 30 ++++++++++++++++++++---------- 1 file changed, 20 insertions(+), 10 deletions(-) diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c index 767b4bfe39c3..ca6ee9940599 100644 --- a/fs/ext4/namei.c +++ b/fs/ext4/namei.c @@ -277,9 +277,9 @@ static struct dx_frame *dx_probe(struct ext4_filename *fname, struct dx_hash_info *hinfo, struct dx_frame *frame); static void dx_release(struct dx_frame *frames); -static int dx_make_map(struct inode *dir, struct ext4_dir_entry_2 *de, - unsigned blocksize, struct dx_hash_info *hinfo, - struct dx_map_entry map[]); +static int dx_make_map(struct inode *dir, struct buffer_head *bh, + struct dx_hash_info *hinfo, + struct dx_map_entry *map_tail); static void dx_sort_map(struct dx_map_entry *map, unsigned count); static struct ext4_dir_entry_2 *dx_move_dirents(struct inode *dir, char *from, char *to, struct dx_map_entry *offsets, @@ -1249,15 +1249,23 @@ static inline int search_dirblock(struct buffer_head *bh, * Create map of hash values, offsets, and sizes, stored at end of block. * Returns number of entries mapped. */ -static int dx_make_map(struct inode *dir, struct ext4_dir_entry_2 *de, - unsigned blocksize, struct dx_hash_info *hinfo, +static int dx_make_map(struct inode *dir, struct buffer_head *bh, + struct dx_hash_info *hinfo, struct dx_map_entry *map_tail) { int count = 0; - char *base = (char *) de; + struct ext4_dir_entry_2 *de = (struct ext4_dir_entry_2 *)bh->b_data; + unsigned int buflen = bh->b_size; + char *base = bh->b_data; struct dx_hash_info h = *hinfo; - while ((char *) de < base + blocksize) { + if (ext4_has_metadata_csum(dir->i_sb)) + buflen -= sizeof(struct ext4_dir_entry_tail); + + while ((char *) de < base + buflen) { + if (ext4_check_dir_entry(dir, NULL, de, bh, base, buflen, + ((char *)de) - base)) + return -EFSCORRUPTED; if (de->name_len && de->inode) { if (ext4_hash_in_dirent(dir)) h.hash = EXT4_DIRENT_HASH(de); @@ -1270,7 +1278,6 @@ static int dx_make_map(struct inode *dir, struct ext4_dir_entry_2 *de, count++; cond_resched(); } - /* XXX: do we need to check rec_len == 0 case? -Chris */ de = ext4_next_entry(de, blocksize); } return count; @@ -1943,8 +1950,11 @@ static struct ext4_dir_entry_2 *do_split(handle_t *handle, struct inode *dir, /* create map in the end of data2 block */ map = (struct dx_map_entry *) (data2 + blocksize); - count = dx_make_map(dir, (struct ext4_dir_entry_2 *) data1, - blocksize, hinfo, map); + count = dx_make_map(dir, *bh, hinfo, map); + if (count < 0) { + err = count; + goto journal_error; + } map -= count; dx_sort_map(map, count); /* Ensure that neither split block is over half full */ -- 2.34.1

3 years, 7 months

2
2
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror April 2022