- Linux-stable-mirror - lists.linaro.org

✅ PASS: Test report for kernel 5.6.15-48bb9b5.cki (stable-queue)

by CKI Project

Hello, We ran automated tests on a recent commit from this kernel tree: Kernel repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git Commit: 48bb9b5eed6c - parisc: Fix kernel panic in mem_init() The results of these automated tests are provided below. Overall result: PASSED Merge: OK Compile: OK Tests: OK All kernel binaries, config files, and logs are available for download here: https://cki-artifacts.s3.us-east-2.amazonaws.com/index.html?prefix=dataware… Please reply to this email if you have any questions about the tests that we ran or if you have any suggestions on how to make future tests more effective. ,-. ,-. ( C ) ( K ) Continuous `-',-.`-' Kernel ( I ) Integration `-' ______________________________________________________________________________ Compile testing --------------- We compiled the kernel for 4 architectures: aarch64: make options: -j30 INSTALL_MOD_STRIP=1 targz-pkg ppc64le: make options: -j30 INSTALL_MOD_STRIP=1 targz-pkg s390x: make options: -j30 INSTALL_MOD_STRIP=1 targz-pkg x86_64: make options: -j30 INSTALL_MOD_STRIP=1 targz-pkg Hardware testing ---------------- We booted each kernel and ran the following tests: aarch64: Host 1: ✅ Boot test ✅ Podman system integration test - as root ✅ Podman system integration test - as user ✅ LTP ✅ Loopdev Sanity ✅ Memory function: memfd_create ✅ AMTU (Abstract Machine Test Utility) ✅ Networking bridge: sanity ✅ Ethernet drivers sanity ✅ Networking socket: fuzz ✅ Networking: igmp conformance test ✅ Networking route: pmtu ✅ Networking route_func - local ✅ Networking route_func - forward ✅ Networking TCP: keepalive test ✅ Networking UDP: socket ✅ Networking tunnel: geneve basic test ✅ Networking tunnel: gre basic ✅ L2TP basic test ✅ Networking tunnel: vxlan basic ✅ Networking ipsec: basic netns - transport ✅ Networking ipsec: basic netns - tunnel ✅ Libkcapi AF_ALG test ✅ pciutils: update pci ids test ✅ ALSA PCM loopback test ✅ ALSA Control (mixer) Userspace Element test ✅ storage: SCSI VPD 🚧 ✅ CIFS Connectathon 🚧 ✅ POSIX pjd-fstest suites 🚧 ✅ jvm - DaCapo Benchmark Suite 🚧 ✅ jvm - jcstress tests 🚧 ✅ Memory function: kaslr 🚧 ✅ Networking firewall: basic netfilter test 🚧 ✅ audit: audit testsuite test 🚧 ✅ trace: ftrace/tracer 🚧 ✅ kdump - kexec_boot Host 2: ✅ Boot test ✅ xfstests - ext4 ✅ xfstests - xfs ✅ selinux-policy: serge-testsuite ✅ storage: software RAID testing 🚧 ✅ IPMI driver test 🚧 ✅ IPMItool loop stress test 🚧 ✅ Storage blktests ppc64le: Host 1: ⚡ Internal infrastructure issues prevented one or more tests (marked with ⚡⚡⚡) from running on this architecture. This is not the fault of the kernel that was tested. ⚡⚡⚡ Boot test ⚡⚡⚡ xfstests - ext4 ⚡⚡⚡ xfstests - xfs ⚡⚡⚡ selinux-policy: serge-testsuite ⚡⚡⚡ storage: software RAID testing 🚧 ⚡⚡⚡ IPMI driver test 🚧 ⚡⚡⚡ IPMItool loop stress test 🚧 ⚡⚡⚡ Storage blktests Host 2: ⚡ Internal infrastructure issues prevented one or more tests (marked with ⚡⚡⚡) from running on this architecture. This is not the fault of the kernel that was tested. ⚡⚡⚡ Boot test ⚡⚡⚡ Podman system integration test - as root ⚡⚡⚡ Podman system integration test - as user ⚡⚡⚡ LTP ⚡⚡⚡ Loopdev Sanity ⚡⚡⚡ Memory function: memfd_create ⚡⚡⚡ AMTU (Abstract Machine Test Utility) ⚡⚡⚡ Networking bridge: sanity ⚡⚡⚡ Ethernet drivers sanity ⚡⚡⚡ Networking socket: fuzz ⚡⚡⚡ Networking route: pmtu ⚡⚡⚡ Networking route_func - local ⚡⚡⚡ Networking route_func - forward ⚡⚡⚡ Networking TCP: keepalive test ⚡⚡⚡ Networking UDP: socket ⚡⚡⚡ Networking tunnel: geneve basic test ⚡⚡⚡ Networking tunnel: gre basic ⚡⚡⚡ L2TP basic test ⚡⚡⚡ Networking tunnel: vxlan basic ⚡⚡⚡ Networking ipsec: basic netns - tunnel ⚡⚡⚡ Libkcapi AF_ALG test ⚡⚡⚡ pciutils: update pci ids test ⚡⚡⚡ ALSA PCM loopback test ⚡⚡⚡ ALSA Control (mixer) Userspace Element test 🚧 ⚡⚡⚡ CIFS Connectathon 🚧 ⚡⚡⚡ POSIX pjd-fstest suites 🚧 ⚡⚡⚡ jvm - DaCapo Benchmark Suite 🚧 ⚡⚡⚡ jvm - jcstress tests 🚧 ⚡⚡⚡ Memory function: kaslr 🚧 ⚡⚡⚡ Networking firewall: basic netfilter test 🚧 ⚡⚡⚡ audit: audit testsuite test 🚧 ⚡⚡⚡ trace: ftrace/tracer Host 3: ✅ Boot test 🚧 ✅ kdump - sysrq-c Host 4: ✅ Boot test ✅ Podman system integration test - as root ✅ Podman system integration test - as user ✅ LTP ✅ Loopdev Sanity ✅ Memory function: memfd_create ✅ AMTU (Abstract Machine Test Utility) ✅ Networking bridge: sanity ✅ Ethernet drivers sanity ✅ Networking socket: fuzz ✅ Networking route: pmtu ✅ Networking route_func - local ✅ Networking route_func - forward ✅ Networking TCP: keepalive test ✅ Networking UDP: socket ✅ Networking tunnel: geneve basic test ✅ Networking tunnel: gre basic ✅ L2TP basic test ✅ Networking tunnel: vxlan basic ✅ Networking ipsec: basic netns - tunnel ✅ Libkcapi AF_ALG test ✅ pciutils: update pci ids test ✅ ALSA PCM loopback test ✅ ALSA Control (mixer) Userspace Element test 🚧 ✅ CIFS Connectathon 🚧 ✅ POSIX pjd-fstest suites 🚧 ✅ jvm - DaCapo Benchmark Suite 🚧 ✅ jvm - jcstress tests 🚧 ✅ Memory function: kaslr 🚧 ✅ Networking firewall: basic netfilter test 🚧 ✅ audit: audit testsuite test 🚧 ✅ trace: ftrace/tracer Host 5: ✅ Boot test ✅ xfstests - ext4 ✅ xfstests - xfs ✅ selinux-policy: serge-testsuite ✅ storage: software RAID testing 🚧 ✅ IPMI driver test 🚧 ✅ IPMItool loop stress test 🚧 ✅ Storage blktests s390x: Host 1: ✅ Boot test 🚧 ✅ kdump - sysrq-c Host 2: ✅ Boot test ✅ stress: stress-ng 🚧 ✅ Storage blktests Host 3: ✅ Boot test ✅ Podman system integration test - as root ✅ Podman system integration test - as user ✅ LTP ✅ Loopdev Sanity ✅ Memory function: memfd_create ✅ Networking bridge: sanity ✅ Ethernet drivers sanity ✅ Networking route: pmtu ✅ Networking route_func - local ✅ Networking route_func - forward ✅ Networking TCP: keepalive test ✅ Networking UDP: socket ✅ Networking tunnel: geneve basic test ✅ Networking tunnel: gre basic ✅ L2TP basic test ✅ Networking tunnel: vxlan basic ✅ Networking ipsec: basic netns - transport ✅ Networking ipsec: basic netns - tunnel ✅ Libkcapi AF_ALG test 🚧 ✅ CIFS Connectathon 🚧 ✅ POSIX pjd-fstest suites 🚧 ✅ jvm - DaCapo Benchmark Suite 🚧 ✅ jvm - jcstress tests 🚧 ✅ Memory function: kaslr 🚧 ✅ Networking firewall: basic netfilter test 🚧 ❌ audit: audit testsuite test 🚧 ✅ trace: ftrace/tracer 🚧 ✅ kdump - kexec_boot x86_64: Host 1: ✅ Boot test ✅ Podman system integration test - as root ✅ Podman system integration test - as user ✅ LTP ✅ Loopdev Sanity ✅ Memory function: memfd_create ✅ AMTU (Abstract Machine Test Utility) ✅ Networking bridge: sanity ✅ Ethernet drivers sanity ✅ Networking socket: fuzz ✅ Networking: igmp conformance test ✅ Networking route: pmtu ✅ Networking route_func - local ✅ Networking route_func - forward ✅ Networking TCP: keepalive test ✅ Networking UDP: socket ✅ Networking tunnel: geneve basic test ✅ Networking tunnel: gre basic ✅ L2TP basic test ✅ Networking tunnel: vxlan basic ✅ Networking ipsec: basic netns - transport ✅ Networking ipsec: basic netns - tunnel ✅ Libkcapi AF_ALG test ✅ pciutils: sanity smoke test ✅ pciutils: update pci ids test ✅ ALSA PCM loopback test ✅ ALSA Control (mixer) Userspace Element test ✅ storage: SCSI VPD 🚧 ✅ CIFS Connectathon 🚧 ✅ POSIX pjd-fstest suites 🚧 ✅ jvm - DaCapo Benchmark Suite 🚧 ✅ jvm - jcstress tests 🚧 ❌ Memory function: kaslr 🚧 ✅ Networking firewall: basic netfilter test 🚧 ✅ audit: audit testsuite test 🚧 ✅ trace: ftrace/tracer 🚧 ✅ kdump - kexec_boot Host 2: ✅ Boot test ✅ xfstests - ext4 ✅ xfstests - xfs ✅ selinux-policy: serge-testsuite ✅ storage: software RAID testing ✅ stress: stress-ng 🚧 ❌ CPU: Frequency Driver Test 🚧 ✅ CPU: Idle Test 🚧 ✅ IOMMU boot test 🚧 ✅ IPMI driver test 🚧 ✅ IPMItool loop stress test 🚧 ✅ Storage blktests Host 3: ✅ Boot test 🚧 ✅ kdump - sysrq-c Test sources: https://github.com/CKI-project/tests-beaker 💚 Pull requests are welcome for new tests or improvements to existing tests! Aborted tests ------------- Tests that didn't complete running successfully are marked with ⚡⚡⚡. If this was caused by an infrastructure issue, we try to mark that explicitly in the report. Waived tests ------------ If the test run included waived tests, they are marked with 🚧. Such tests are executed but their results are not taken into account. Tests are waived when their results are not reliable enough, e.g. when they're just introduced or are being fixed. Testing timeout --------------- We aim to provide a report within reasonable timeframe. Tests that haven't finished running yet are marked with ⏱.

5 years, 7 months

1
0
0 0

[PATCH] ext4: avoid utf8_strncasecmp() with unstable name

by Eric Biggers

From: Eric Biggers <ebiggers(a)google.com> If the dentry name passed to ->d_compare() fits in dentry::d_iname, then it may be concurrently modified by a rename. This can cause undefined behavior (possibly out-of-bounds memory accesses or crashes) in utf8_strncasecmp(), since fs/unicode/ isn't written to handle strings that may be concurrently modified. Fix this by first copying the filename to a stack buffer if needed. This way we get a stable snapshot of the filename. Fixes: b886ee3e778e ("ext4: Support case-insensitive file name lookups") Cc: <stable(a)vger.kernel.org> # v5.2+ Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: Daniel Rosenberg <drosen(a)google.com> Cc: Gabriel Krisman Bertazi <krisman(a)collabora.co.uk> Signed-off-by: Eric Biggers <ebiggers(a)google.com> --- fs/ext4/dir.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/fs/ext4/dir.c b/fs/ext4/dir.c index c654205f648dd..19aef8328bb18 100644 --- a/fs/ext4/dir.c +++ b/fs/ext4/dir.c @@ -675,6 +675,7 @@ static int ext4_d_compare(const struct dentry *dentry, unsigned int len, struct qstr qstr = {.name = str, .len = len }; const struct dentry *parent = READ_ONCE(dentry->d_parent); const struct inode *inode = READ_ONCE(parent->d_inode); + char strbuf[DNAME_INLINE_LEN]; if (!inode || !IS_CASEFOLDED(inode) || !EXT4_SB(inode->i_sb)->s_encoding) { @@ -683,6 +684,22 @@ static int ext4_d_compare(const struct dentry *dentry, unsigned int len, return memcmp(str, name->name, len); } + /* + * If the dentry name is stored in-line, then it may be concurrently + * modified by a rename. If this happens, the VFS will eventually retry + * the lookup, so it doesn't matter what ->d_compare() returns. + * However, it's unsafe to call utf8_strncasecmp() with an unstable + * string. Therefore, we have to copy the name into a temporary buffer. + */ + if (len <= DNAME_INLINE_LEN - 1) { + unsigned int i; + + for (i = 0; i < len; i++) + strbuf[i] = READ_ONCE(str[i]); + strbuf[len] = 0; + qstr.name = strbuf; + } + return ext4_ci_compare(inode, name, &qstr, false); } -- 2.26.2

5 years, 7 months

4
8
0 0

patch "gnss: sirf: fix error return code in sirf_probe()" added to char-misc-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled gnss: sirf: fix error return code in sirf_probe() to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. >From 43d7ce70ae43dd8523754b17f567417e0e75dbce Mon Sep 17 00:00:00 2001 From: Wei Yongjun <weiyongjun1(a)huawei.com> Date: Thu, 7 May 2020 09:42:52 +0000 Subject: gnss: sirf: fix error return code in sirf_probe() Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. This avoids a use-after-free in case the driver is later unbound. Fixes: d2efbbd18b1e ("gnss: add driver for sirfstar-based receivers") Reported-by: Hulk Robot <hulkci(a)huawei.com> Signed-off-by: Wei Yongjun <weiyongjun1(a)huawei.com> [ johan: amend commit message; mention potential use-after-free ] Cc: stable <stable(a)vger.kernel.org> # 4.19 Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/gnss/sirf.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/gnss/sirf.c b/drivers/gnss/sirf.c index effed3a8d398..2ecb1d3e8eeb 100644 --- a/drivers/gnss/sirf.c +++ b/drivers/gnss/sirf.c @@ -439,14 +439,18 @@ static int sirf_probe(struct serdev_device *serdev) data->on_off = devm_gpiod_get_optional(dev, "sirf,onoff", GPIOD_OUT_LOW); - if (IS_ERR(data->on_off)) + if (IS_ERR(data->on_off)) { + ret = PTR_ERR(data->on_off); goto err_put_device; + } if (data->on_off) { data->wakeup = devm_gpiod_get_optional(dev, "sirf,wakeup", GPIOD_IN); - if (IS_ERR(data->wakeup)) + if (IS_ERR(data->wakeup)) { + ret = PTR_ERR(data->wakeup); goto err_put_device; + } ret = regulator_enable(data->vcc); if (ret) -- 2.26.2

5 years, 7 months

1
0
0 0

[PATCH] RISC-V: Don't mark init section as non-executable

by Anup Patel

The head text section (i.e. _start, secondary_start_sbi, etc) and the init section fall under same page table level-1 mapping. Currently, the runtime CPU hotplug is broken because we are marking init section as non-executable which in-turn marks head text section as non-executable. Further investigating other architectures, it seems marking the init section as non-executable is redundant because the init section pages are anyway poisoned and freed. To fix broken runtime CPU hotplug, we simply remove the code marking the init section as non-executable. Fixes: d27c3c90817e ("riscv: add STRICT_KERNEL_RWX support") Cc: stable(a)vger.kernel.org Signed-off-by: Anup Patel <anup.patel(a)wdc.com> --- arch/riscv/mm/init.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c index 736de6c8739f..e0f8ccab8a41 100644 --- a/arch/riscv/mm/init.c +++ b/arch/riscv/mm/init.c @@ -482,11 +482,6 @@ static void __init setup_vm_final(void) void free_initmem(void) { - unsigned long init_begin = (unsigned long)__init_begin; - unsigned long init_end = (unsigned long)__init_end; - - /* Make the region as non-execuatble. */ - set_memory_nx(init_begin, (init_end - init_begin) >> PAGE_SHIFT); free_initmem_default(POISON_FREE_INITMEM); } -- 2.25.1

5 years, 7 months

2
1
0 0

[PATCH AUTOSEL 4.19 01/19] ARM: dts: rockchip: fix phy nodename for rk3228-evb

by Sasha Levin

From: Johan Jonker <jbx6244(a)gmail.com> [ Upstream commit 287e0d538fcec2f6e8eb1e565bf0749f3b90186d ] A test with the command below gives for example this error: arch/arm/boot/dts/rk3228-evb.dt.yaml: phy@0: '#phy-cells' is a required property The phy nodename is normally used by a phy-handle. This node is however compatible with "ethernet-phy-id1234.d400", "ethernet-phy-ieee802.3-c22" which is just been added to 'ethernet-phy.yaml'. So change nodename to 'ethernet-phy' for which '#phy-cells' is not a required property make ARCH=arm dtbs_check DT_SCHEMA_FILES=~/.local/lib/python3.5/site-packages/dtschema/schemas/ phy/phy-provider.yaml Signed-off-by: Johan Jonker <jbx6244(a)gmail.com> Signed-off-by: Heiko Stuebner <heiko(a)sntech.de> Link: https://lore.kernel.org/r/20200416170321.4216-1-jbx6244@gmail.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- arch/arm/boot/dts/rk3228-evb.dts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm/boot/dts/rk3228-evb.dts b/arch/arm/boot/dts/rk3228-evb.dts index 5670b33fd1bd..aed879db6c15 100644 --- a/arch/arm/boot/dts/rk3228-evb.dts +++ b/arch/arm/boot/dts/rk3228-evb.dts @@ -46,7 +46,7 @@ #address-cells = <1>; #size-cells = <0>; - phy: phy@0 { + phy: ethernet-phy@0 { compatible = "ethernet-phy-id1234.d400", "ethernet-phy-ieee802.3-c22"; reg = <0>; clocks = <&cru SCLK_MAC_PHY>; -- 2.25.1

5 years, 7 months

2
19
0 0

[PATCH AUTOSEL 5.4 01/26] ARC: Fix ICCM & DCCM runtime size checks

by Sasha Levin

From: Eugeniy Paltsev <Eugeniy.Paltsev(a)synopsys.com> [ Upstream commit 43900edf67d7ef3ac8909854d75b8a1fba2d570c ] As of today the ICCM and DCCM size checks are incorrectly using mismatched units (KiB checked against bytes). The CONFIG_ARC_DCCM_SZ and CONFIG_ARC_ICCM_SZ are in KiB, but the size calculated in runtime and stored in cpu->dccm.sz and cpu->iccm.sz is in bytes. Fix that. Reported-by: Paul Greco <pmgreco(a)us.ibm.com> Signed-off-by: Eugeniy Paltsev <Eugeniy.Paltsev(a)synopsys.com> Signed-off-by: Vineet Gupta <vgupta(a)synopsys.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- arch/arc/kernel/setup.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/arch/arc/kernel/setup.c b/arch/arc/kernel/setup.c index 7ee89dc61f6e..23dc002aa574 100644 --- a/arch/arc/kernel/setup.c +++ b/arch/arc/kernel/setup.c @@ -12,6 +12,7 @@ #include <linux/clocksource.h> #include <linux/console.h> #include <linux/module.h> +#include <linux/sizes.h> #include <linux/cpu.h> #include <linux/of_fdt.h> #include <linux/of.h> @@ -409,12 +410,12 @@ static void arc_chk_core_config(void) if ((unsigned int)__arc_dccm_base != cpu->dccm.base_addr) panic("Linux built with incorrect DCCM Base address\n"); - if (CONFIG_ARC_DCCM_SZ != cpu->dccm.sz) + if (CONFIG_ARC_DCCM_SZ * SZ_1K != cpu->dccm.sz) panic("Linux built with incorrect DCCM Size\n"); #endif #ifdef CONFIG_ARC_HAS_ICCM - if (CONFIG_ARC_ICCM_SZ != cpu->iccm.sz) + if (CONFIG_ARC_ICCM_SZ * SZ_1K != cpu->iccm.sz) panic("Linux built with incorrect ICCM Size\n"); #endif -- 2.25.1

5 years, 7 months

2
26
0 0

[PATCH 5.6 000/126] 5.6.15-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.6.15 release. There are 126 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 28 May 2020 18:36:22 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.6.15-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.6.15-rc1 Phil Auld <pauld(a)redhat.com> sched/fair: Fix enqueue_task_fair() warning some more Vincent Guittot <vincent.guittot(a)linaro.org> sched/fair: Fix reordering of enqueue/dequeue_task_fair() Vincent Guittot <vincent.guittot(a)linaro.org> sched/fair: Reorder enqueue/dequeue_task_fair path Andrii Nakryiko <andriin(a)fb.com> bpf: Prevent mmap()'ing read-only maps as writable David Howells <dhowells(a)redhat.com> rxrpc: Fix ack discard David Howells <dhowells(a)redhat.com> rxrpc: Trace discarded ACKs Josh Poimboeuf <jpoimboe(a)redhat.com> x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks Jakub Sitnicki <jakub(a)cloudflare.com> flow_dissector: Drop BPF flow dissector prog ref on netns cleanup Philipp Rudo <prudo(a)linux.ibm.com> s390/kexec_file: fix initrd location for kdump kernel Loïc Yhuel <loic.yhuel(a)gmail.com> tpm: check event log version before reading final events Qiushi Wu <wu000273(a)umn.edu> rxrpc: Fix a memory leak in rxkad_verify_response() David Howells <dhowells(a)redhat.com> rxrpc: Fix the excessive initial retransmission timeout Dan Carpenter <dan.carpenter(a)oracle.com> iio: imu: st_lsm6dsx: unlock on error in st_lsm6dsx_shub_write_raw() Uladzislau Rezki <uladzislau.rezki(a)sony.com> z3fold: fix use-after-free when freeing handles Mike Rapoport <rppt(a)linux.ibm.com> sparc32: fix page table traversal in srmmu_nocache_init() Mike Rapoport <rppt(a)linux.ibm.com> sparc32: use PUD rather than PGD to get PMD in srmmu_nocache_init() Arnd Bergmann <arnd(a)arndb.de> sh: include linux/time_types.h for sockios Marco Elver <elver(a)google.com> kasan: disable branch tracing for core runtime John Hubbard <jhubbard(a)nvidia.com> rapidio: fix an error in get_user_pages_fast() error handling David Hildenbrand <david(a)redhat.com> device-dax: don't leak kernel memory to user space after unloading kmem Gerald Schaefer <gerald.schaefer(a)de.ibm.com> s390/kaslr: add support for R_390_JMP_SLOT relocation type Niklas Schnelle <schnelle(a)linux.ibm.com> s390/pci: Fix s390_mmio_read/write with MIO Wei Yongjun <weiyongjun1(a)huawei.com> ipack: tpci200: fix error return code in tpci200_register() Alexander Usyskin <alexander.usyskin(a)intel.com> mei: release me_cl object reference Sagar Shrikant Kadam <sagar.kadam(a)sifive.com> tty: serial: add missing spin_lock_init for SiFive serial console Klaus Doth <kdlnx(a)doth.eu> misc: rtsx: Add short delay after exit from ASPM Saravana Kannan <saravanak(a)google.com> driver core: Fix handling of SYNC_STATE_ONLY + STATELESS device links Saravana Kannan <saravanak(a)google.com> driver core: Fix SYNC_STATE_ONLY device link implementation Gregory CLEMENT <gregory.clement(a)bootlin.com> iio: adc: ti-ads8344: Fix channel selection Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> iio: dac: vf610: Fix an error handling path in 'vf610_dac_probe()' Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> iio: sca3000: Remove an erroneous 'get_device()' Fabrice Gasnier <fabrice.gasnier(a)st.com> iio: adc: stm32-dfsdm: fix device used to request dma Fabrice Gasnier <fabrice.gasnier(a)st.com> iio: adc: stm32-adc: fix device used to request dma Oscar Carter <oscar.carter(a)gmx.com> staging: greybus: Fix uninitialized scalar variable Wei Yongjun <weiyongjun1(a)huawei.com> staging: kpc2000: fix error return code in kp2000_pcie_probe() Dan Carpenter <dan.carpenter(a)oracle.com> staging: wfx: unlock on error path Dragos Bogdan <dragos.bogdan(a)analog.com> staging: iio: ad2s1210: Fix SPI reading Kees Cook <keescook(a)chromium.org> kbuild: Remove debug info from kallsyms linking Steven Rostedt (VMware) <rostedt(a)goodmis.org> tools/bootconfig: Fix apply_xbc() to return zero on success Sasha Levin <sashal(a)kernel.org> Revert "driver core: platform: Initialize dma_parms for platform devices" Michael S. Tsirkin <mst(a)redhat.com> virtio-balloon: Revert "virtio-balloon: Switch back to OOM handler for VIRTIO_BALLOON_F_DEFLATE_ON_OOM" Bob Peterson <rpeterso(a)redhat.com> Revert "gfs2: Don't demote a glock until its revokes are written" Chris Wilson <chris(a)chris-wilson.co.uk> drm/i915: Propagate error from completed fences Colin Xu <colin.xu(a)intel.com> drm/i915/gvt: Init DPLL/DDI vreg for virtual display instead of inheritance. Ilya Dryomov <idryomov(a)gmail.com> vsprintf: don't obfuscate NULL and error pointers Cristian Ciocaltea <cristian.ciocaltea(a)gmail.com> dmaengine: owl: Use correct lock in owl_dma_get_pchan() Dave Jiang <dave.jiang(a)intel.com> dmaengine: idxd: fix interrupt completion after unmasking Vladimir Murzin <vladimir.murzin(a)arm.com> dmaengine: dmatest: Restore default for channel Dan Carpenter <dan.carpenter(a)oracle.com> drm/etnaviv: Fix a leak in submit_pin_objects() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> dmaengine: tegra210-adma: Fix an error handling path in 'tegra_adma_probe()' Xiyu Yang <xiyuyang19(a)fudan.edu.cn> apparmor: Fix aa_label refcnt leak in policy_update Xiyu Yang <xiyuyang19(a)fudan.edu.cn> apparmor: fix potential label refcnt leak in aa_change_profile Navid Emamdoost <navid.emamdoost(a)gmail.com> apparmor: Fix use-after-free in aa_audit_rule_init Venkata Narendra Kumar Gutta <vnkgutta(a)codeaurora.org> pinctrl: qcom: Add affinity callbacks to msmgpio IRQ chip Christian Gmeiner <christian.gmeiner(a)gmail.com> drm/etnaviv: fix perfmon domain interation Michael Ellerman <mpe(a)ellerman.id.au> powerpc/64s: Disable STRICT_KERNEL_RWX Keno Fischer <keno(a)juliacomputing.com> arm64: Fix PTRACE_SYSEMU semantics Bodo Stroesser <bstroesser(a)ts.fujitsu.com> scsi: target: Put lun_ref at end of tmr processing Ewan D. Milne <emilne(a)redhat.com> scsi: qla2xxx: Do not log message when reading port speed via sysfs PeiSen Hou <pshou(a)realtek.com> ALSA: hda/realtek - Add more fixup entries for Clevo machines Christian Lachner <gladiac(a)gmail.com> ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Xtreme Brent Lu <brent.lu(a)intel.com> ALSA: pcm: fix incorrect hw_base increase Scott Bahling <sbahling(a)suse.com> ALSA: iec1712: Initialize STDSP24 properly when using the model=staudio option Daniel Borkmann <daniel(a)iogearbox.net> bpf: Add bpf_probe_read_{user, kernel}_str() to do_refine_retval_range Daniel Borkmann <daniel(a)iogearbox.net> bpf: Restrict bpf_probe_read{, str}() only to archs where they work Jian-Hong Pan <jian-hong(a)endlessm.com> ALSA: hda/realtek: Enable headset mic of ASUS UX581LV with ALC295 Jian-Hong Pan <jian-hong(a)endlessm.com> ALSA: hda/realtek - Enable headset mic of ASUS UX550GE with ALC295 Chris Chiu <chiu(a)endlessm.com> ALSA: hda/realtek - Enable headset mic of ASUS GL503VM with ALC295 Mike Pozulp <pozulp.kernel(a)gmail.com> ALSA: hda/realtek: Add quirk for Samsung Notebook Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek - Add HP new mute led supported for ALC236 Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek - Add supported new mute Led for HP Aymeric Agon-Rambosson <aymeric.agon(a)yandex.com> scripts/gdb: repair rb_first() and rb_last() Yunfeng Ye <yeyunfeng(a)huawei.com> tools/bootconfig: Fix resource leak in apply_xbc() Thomas Gleixner <tglx(a)linutronix.de> ARM: futex: Address build warning Peter Xu <peterx(a)redhat.com> KVM: selftests: Fix build for evmcs.h Aurabindo Pillai <aurabindo.pillai(a)amd.com> drm/amd/display: Prevent dpcd reads with passive dongles Roman Li <roman.li(a)amd.com> drm/amd/display: fix counter in wait_for_no_pipes_pending Joerg Roedel <jroedel(a)suse.de> iommu/amd: Call domain_flush_complete() in update_domain() Joerg Roedel <jroedel(a)suse.de> iommu/amd: Do not loop forever when trying to increase address space Hans de Goede <hdegoede(a)redhat.com> platform/x86: asus-nb-wmi: Do not load on Asus T100TA and T200TA Alan Stern <stern(a)rowland.harvard.edu> USB: core: Fix misleading driver bug report Maxim Petrov <mmrmaximuzz(a)gmail.com> stmmac: fix pointer check after utilization in stmmac_interrupt Wu Bo <wubo40(a)huawei.com> ceph: fix double unlock in handle_cap_export() Hans de Goede <hdegoede(a)redhat.com> HID: quirks: Add HID_QUIRK_NO_INIT_REPORTS quirk for Dell K12A keyboard-dock Yoshiyuki Kurauchi <ahochauwaaaaa(a)gmail.com> gtp: set NLM_F_MULTI flag in gtp_genl_dump_pdp() Thomas Gleixner <tglx(a)linutronix.de> x86/apic: Move TSC deadline timer debug printk Shuah Khan <skhan(a)linuxfoundation.org> selftests: fix kvm relocatable native/cross builds and installs Alan Maguire <alan.maguire(a)oracle.com> ftrace/selftest: make unresolved cases cause failure if --fail-unresolved set Juliet Kim <julietk(a)linux.vnet.ibm.com> ibmvnic: Skip fatal error reset after passive init Daniel Playfair Cal <daniel.playfair.cal(a)gmail.com> HID: i2c-hid: reset Synaptics SYNA2393 on resume Tyrel Datwyler <tyreld(a)linux.ibm.com> scsi: ibmvscsi: Fix WARN_ON during event pool release Gavin Shan <gshan(a)redhat.com> net/ena: Fix build warning in ena_xdp_set() James Hilliard <james.hilliard1(a)gmail.com> component: Silence bind error on -EPROBE_DEFER Richard Clark <richard.xnu.clark(a)gmail.com> aquantia: Fix the media type of AQC100 ethernet controller in the driver Stefano Garzarella <sgarzare(a)redhat.com> vhost/vsock: fix packet delivery order to monitoring devices Xiyu Yang <xiyuyang19(a)fudan.edu.cn> configfs: fix config_item refcnt leak in configfs_rmdir() Quinn Tran <qutran(a)marvell.com> scsi: qla2xxx: Delete all sessions before unregister local nvme port Arun Easi <aeasi(a)marvell.com> scsi: qla2xxx: Fix hang when issuing nvme disconnect-all in NPIV Jiri Kosina <jkosina(a)suse.cz> HID: alps: ALPS_1657 is too specific; use U1_UNICORN_LEGACY instead Artem Borisov <dedsa2002(a)gmail.com> HID: alps: Add AUI1657 device ID Fabian Schindlatz <fabian.schindlatz(a)fau.de> HID: logitech: Add support for Logitech G11 extra keys Sebastian Reichel <sebastian.reichel(a)collabora.com> HID: multitouch: add eGalaxTouch P80H84 support Frédéric Pierret (fepitre) <frederic.pierret(a)qubes-os.org> gcc-common.h: Update for GCC 10 Masahiro Yamada <masahiroy(a)kernel.org> net: drop_monitor: use IS_REACHABLE() to guard net_dm_hw_report() Masahiro Yamada <masahiroy(a)kernel.org> kbuild: avoid concurrency issue in parallel building dtbs and dtbs_check Joerg Roedel <jroedel(a)suse.de> iommu: Fix deferred domain attachment Ricardo Ribalda Delgado <ribalda(a)kernel.org> mtd: Fix mtd not registered due to nvmem name collision David Howells <dhowells(a)redhat.com> afs: Don't unlock fetched data pages until the op completes successfully Richard Weinberger <richard(a)nod.at> ubi: Fix seq_file usage in detailed_erase_block_info debugfs file Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> i2c: mux: demux-pinctrl: Fix an error handling path in 'i2c_demux_pinctrl_probe()' Dan Carpenter <dan.carpenter(a)oracle.com> evm: Fix a small race in init_desc() Raul E Rangel <rrangel(a)chromium.org> iommu/amd: Fix get_acpihid_device_id() Alexander Monakov <amonakov(a)ispras.ru> iommu/amd: Fix over-read of ACPI UID from IVRS table Alain Volmat <alain.volmat(a)st.com> i2c: fix missing pm_runtime_put_sync in i2c_device_probe Christoph Hellwig <hch(a)lst.de> ubifs: remove broken lazytime support Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> pipe: Fix pipe_full() test in opipe_prep(). Al Viro <viro(a)zeniv.linux.org.uk> fix multiplication overflow in copy_fdtable() Miquel Raynal <miquel.raynal(a)bootlin.com> mtd: spinand: Propagate ECC information to the MTD structure Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> ACPI: EC: PM: Avoid flushing EC work when EC GPE is inactive Eric Biggers <ebiggers(a)google.com> ubifs: fix wrong use of crypto_shash_descsize() Dan Carpenter <dan.carpenter(a)oracle.com> ovl: potential crash in ovl_fid_to_fh() Roberto Sassu <roberto.sassu(a)huawei.com> ima: Fix return value of ima_write_policy() Roberto Sassu <roberto.sassu(a)huawei.com> evm: Check also if *tfm is an error pointer in init_desc() Roberto Sassu <roberto.sassu(a)huawei.com> ima: Set file->f_mode instead of file->f_flags in ima_calc_file_hash() Eugeniy Paltsev <Eugeniy.Paltsev(a)synopsys.com> ARC: [plat-hsdk]: fix USB regression Kevin Hao <haokexin(a)gmail.com> i2c: dev: Fix the race between the release of i2c_dev and cdev ------------- Diffstat: Makefile | 12 +- arch/arc/configs/hsdk_defconfig | 1 + arch/arm/Kconfig | 1 + arch/arm/include/asm/futex.h | 9 +- arch/arm64/Kconfig | 1 + arch/arm64/kernel/ptrace.c | 7 +- arch/powerpc/Kconfig | 2 +- arch/s390/include/asm/pci_io.h | 10 +- arch/s390/kernel/machine_kexec_file.c | 2 +- arch/s390/kernel/machine_kexec_reloc.c | 1 + arch/s390/pci/pci_mmio.c | 213 ++++++++++++++++++++- arch/sh/include/uapi/asm/sockios.h | 2 + arch/sparc/mm/srmmu.c | 6 +- arch/x86/Kconfig | 1 + arch/x86/kernel/apic/apic.c | 27 +-- arch/x86/kernel/unwind_orc.c | 7 + drivers/acpi/ec.c | 6 +- drivers/acpi/sleep.c | 15 +- drivers/base/component.c | 8 +- drivers/base/core.c | 55 ++++-- drivers/base/platform.c | 2 - drivers/dax/kmem.c | 14 +- drivers/dma/dmatest.c | 9 +- drivers/dma/idxd/device.c | 7 + drivers/dma/idxd/irq.c | 26 ++- drivers/dma/owl-dma.c | 8 +- drivers/dma/tegra210-adma.c | 2 +- drivers/firmware/efi/libstub/tpm.c | 5 +- drivers/firmware/efi/tpm.c | 5 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 17 +- drivers/gpu/drm/amd/display/dc/core/dc.c | 5 +- drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c | 4 +- drivers/gpu/drm/etnaviv/etnaviv_perfmon.c | 2 +- drivers/gpu/drm/i915/gvt/display.c | 49 ++++- drivers/gpu/drm/i915/i915_request.c | 4 +- drivers/hid/hid-alps.c | 1 + drivers/hid/hid-ids.h | 8 +- drivers/hid/hid-lg-g15.c | 4 + drivers/hid/hid-multitouch.c | 3 + drivers/hid/hid-quirks.c | 1 + drivers/hid/i2c-hid/i2c-hid-core.c | 2 + drivers/i2c/i2c-core-base.c | 22 ++- drivers/i2c/i2c-dev.c | 48 ++--- drivers/i2c/muxes/i2c-demux-pinctrl.c | 1 + drivers/iio/accel/sca3000.c | 2 +- drivers/iio/adc/stm32-adc.c | 8 +- drivers/iio/adc/stm32-dfsdm-adc.c | 21 +- drivers/iio/adc/ti-ads8344.c | 8 +- drivers/iio/dac/vf610_dac.c | 1 + drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_shub.c | 7 +- drivers/iommu/amd_iommu.c | 17 +- drivers/iommu/amd_iommu_init.c | 9 +- drivers/iommu/iommu.c | 17 +- drivers/ipack/carriers/tpci200.c | 1 + drivers/misc/cardreader/rtsx_pcr.c | 3 + drivers/misc/mei/client.c | 2 + drivers/mtd/mtdcore.c | 2 +- drivers/mtd/nand/spi/core.c | 4 + drivers/mtd/ubi/debug.c | 12 +- drivers/net/ethernet/amazon/ena/ena_netdev.h | 2 +- .../net/ethernet/aquantia/atlantic/aq_pci_func.c | 2 +- drivers/net/ethernet/ibm/ibmvnic.c | 3 +- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 7 +- drivers/net/gtp.c | 9 +- drivers/pinctrl/qcom/pinctrl-msm.c | 25 +++ drivers/platform/x86/asus-nb-wmi.c | 24 +++ drivers/rapidio/devices/rio_mport_cdev.c | 5 + drivers/scsi/ibmvscsi/ibmvscsi.c | 4 - drivers/scsi/qla2xxx/qla_attr.c | 5 +- drivers/scsi/qla2xxx/qla_mbx.c | 2 +- drivers/staging/greybus/uart.c | 4 +- drivers/staging/iio/resolver/ad2s1210.c | 17 +- drivers/staging/kpc2000/kpc2000/core.c | 9 +- drivers/staging/wfx/scan.c | 4 +- drivers/target/target_core_transport.c | 1 + drivers/tty/serial/sifive.c | 1 + drivers/usb/core/message.c | 4 +- drivers/vhost/vsock.c | 10 +- drivers/virtio/virtio_balloon.c | 107 ++++++----- fs/afs/fs_probe.c | 18 +- fs/afs/fsclient.c | 8 +- fs/afs/vl_probe.c | 18 +- fs/afs/yfsclient.c | 8 +- fs/ceph/caps.c | 1 + fs/configfs/dir.c | 1 + fs/file.c | 2 +- fs/gfs2/glock.c | 3 - fs/overlayfs/export.c | 3 + fs/splice.c | 2 +- fs/ubifs/auth.c | 17 +- fs/ubifs/file.c | 6 +- fs/ubifs/replay.c | 13 +- include/linux/platform_device.h | 1 - include/net/af_rxrpc.h | 2 +- include/net/drop_monitor.h | 2 +- include/trace/events/rxrpc.h | 52 ++++- init/Kconfig | 3 + kernel/bpf/syscall.c | 17 +- kernel/bpf/verifier.c | 4 +- kernel/sched/fair.c | 50 ++--- kernel/trace/bpf_trace.c | 6 +- lib/test_printf.c | 19 +- lib/vsprintf.c | 7 + mm/kasan/Makefile | 8 +- mm/kasan/generic.c | 1 - mm/kasan/tags.c | 1 - mm/z3fold.c | 11 +- net/core/flow_dissector.c | 26 ++- net/rxrpc/Makefile | 1 + net/rxrpc/ar-internal.h | 25 ++- net/rxrpc/call_accept.c | 2 +- net/rxrpc/call_event.c | 22 +-- net/rxrpc/input.c | 44 ++++- net/rxrpc/misc.c | 5 - net/rxrpc/output.c | 9 +- net/rxrpc/peer_event.c | 46 ----- net/rxrpc/peer_object.c | 12 +- net/rxrpc/proc.c | 8 +- net/rxrpc/rtt.c | 195 +++++++++++++++++++ net/rxrpc/rxkad.c | 3 +- net/rxrpc/sendmsg.c | 26 +-- net/rxrpc/sysctl.c | 9 - scripts/gcc-plugins/Makefile | 1 + scripts/gcc-plugins/gcc-common.h | 4 + scripts/gdb/linux/rbtree.py | 4 +- scripts/link-vmlinux.sh | 28 ++- security/apparmor/apparmorfs.c | 3 +- security/apparmor/audit.c | 3 +- security/apparmor/domain.c | 3 +- security/integrity/evm/evm_crypto.c | 44 ++--- security/integrity/ima/ima_crypto.c | 12 +- security/integrity/ima/ima_fs.c | 3 +- sound/core/pcm_lib.c | 1 + sound/pci/hda/patch_realtek.c | 162 ++++++++++++++++ sound/pci/ice1712/ice1712.c | 3 +- tools/bootconfig/main.c | 10 +- tools/testing/selftests/bpf/prog_tests/mmap.c | 13 +- tools/testing/selftests/bpf/progs/test_mmap.c | 8 + tools/testing/selftests/ftrace/ftracetest | 8 +- tools/testing/selftests/kvm/Makefile | 29 ++- tools/testing/selftests/kvm/include/evmcs.h | 4 +- tools/testing/selftests/kvm/lib/x86_64/vmx.c | 3 + 142 files changed, 1489 insertions(+), 568 deletions(-)

5 years, 7 months

9
140
0 0

[PATCH v3] virtio_vsock: Fix race condition in virtio_transport_recv_pkt

by Jia He

When client on the host tries to connect(SOCK_STREAM, O_NONBLOCK) to the server on the guest, there will be a panic on a ThunderX2 (armv8a server): [ 463.718844] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [ 463.718848] Mem abort info: [ 463.718849] ESR = 0x96000044 [ 463.718852] EC = 0x25: DABT (current EL), IL = 32 bits [ 463.718853] SET = 0, FnV = 0 [ 463.718854] EA = 0, S1PTW = 0 [ 463.718855] Data abort info: [ 463.718856] ISV = 0, ISS = 0x00000044 [ 463.718857] CM = 0, WnR = 1 [ 463.718859] user pgtable: 4k pages, 48-bit VAs, pgdp=0000008f6f6e9000 [ 463.718861] [0000000000000000] pgd=0000000000000000 [ 463.718866] Internal error: Oops: 96000044 [#1] SMP [...] [ 463.718977] CPU: 213 PID: 5040 Comm: vhost-5032 Tainted: G O 5.7.0-rc7+ #139 [ 463.718980] Hardware name: GIGABYTE R281-T91-00/MT91-FS1-00, BIOS F06 09/25/2018 [ 463.718982] pstate: 60400009 (nZCv daif +PAN -UAO) [ 463.718995] pc : virtio_transport_recv_pkt+0x4c8/0xd40 [vmw_vsock_virtio_transport_common] [ 463.718999] lr : virtio_transport_recv_pkt+0x1fc/0xd40 [vmw_vsock_virtio_transport_common] [ 463.719000] sp : ffff80002dbe3c40 [...] [ 463.719025] Call trace: [ 463.719030] virtio_transport_recv_pkt+0x4c8/0xd40 [vmw_vsock_virtio_transport_common] [ 463.719034] vhost_vsock_handle_tx_kick+0x360/0x408 [vhost_vsock] [ 463.719041] vhost_worker+0x100/0x1a0 [vhost] [ 463.719048] kthread+0x128/0x130 [ 463.719052] ret_from_fork+0x10/0x18 The race condition is as follows: Task1 Task2 ===== ===== __sock_release virtio_transport_recv_pkt __vsock_release vsock_find_bound_socket (found sk) lock_sock_nested vsock_remove_sock sock_orphan sk_set_socket(sk, NULL) sk->sk_shutdown = SHUTDOWN_MASK ... release_sock lock_sock virtio_transport_recv_connecting sk->sk_socket->state (panic!) The root cause is that vsock_find_bound_socket can't hold the lock_sock, so there is a small race window between vsock_find_bound_socket() and lock_sock(). If __vsock_release() is running in another task, sk->sk_socket will be set to NULL inadvertently. This fixes it by checking sk->sk_shutdown(suggested by Stefano) after lock_sock since sk->sk_shutdown is set to SHUTDOWN_MASK under the protection of lock_sock_nested. Signed-off-by: Jia He <justin.he(a)arm.com> Cc: stable(a)vger.kernel.org Reviewed-by: Stefano Garzarella <sgarzare(a)redhat.com> --- v3: - describe the fix of race condition more clearly - refine the commit log net/vmw_vsock/virtio_transport_common.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c index 69efc891885f..0edda1edf988 100644 --- a/net/vmw_vsock/virtio_transport_common.c +++ b/net/vmw_vsock/virtio_transport_common.c @@ -1132,6 +1132,14 @@ void virtio_transport_recv_pkt(struct virtio_transport *t, lock_sock(sk); + /* Check if sk has been released before lock_sock */ + if (sk->sk_shutdown == SHUTDOWN_MASK) { + (void)virtio_transport_reset_no_sock(t, pkt); + release_sock(sk); + sock_put(sk); + goto free_pkt; + } + /* Update CID in case it has changed after a transport reset event */ vsk->local_addr.svm_cid = dst.svm_cid; -- 2.17.1

5 years, 7 months

2
1
0 0

[PATCH] f2fs: avoid utf8_strncasecmp() with unstable name

by Eric Biggers

From: Eric Biggers <ebiggers(a)google.com> If the dentry name passed to ->d_compare() fits in dentry::d_iname, then it may be concurrently modified by a rename. This can cause undefined behavior (possibly out-of-bounds memory accesses or crashes) in utf8_strncasecmp(), since fs/unicode/ isn't written to handle strings that may be concurrently modified. Fix this by first copying the filename to a stack buffer if needed. This way we get a stable snapshot of the filename. Fixes: 2c2eb7a300cd ("f2fs: Support case-insensitive file name lookups") Cc: <stable(a)vger.kernel.org> # v5.4+ Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: Daniel Rosenberg <drosen(a)google.com> Cc: Gabriel Krisman Bertazi <krisman(a)collabora.co.uk> Signed-off-by: Eric Biggers <ebiggers(a)google.com> --- fs/f2fs/dir.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c index 44bfc464df787..5c179b72eb8a8 100644 --- a/fs/f2fs/dir.c +++ b/fs/f2fs/dir.c @@ -1083,6 +1083,7 @@ static int f2fs_d_compare(const struct dentry *dentry, unsigned int len, struct qstr qstr = {.name = str, .len = len }; const struct dentry *parent = READ_ONCE(dentry->d_parent); const struct inode *inode = READ_ONCE(parent->d_inode); + char strbuf[DNAME_INLINE_LEN]; if (!inode || !IS_CASEFOLDED(inode)) { if (len != name->len) @@ -1090,6 +1091,22 @@ static int f2fs_d_compare(const struct dentry *dentry, unsigned int len, return memcmp(str, name->name, len); } + /* + * If the dentry name is stored in-line, then it may be concurrently + * modified by a rename. If this happens, the VFS will eventually retry + * the lookup, so it doesn't matter what ->d_compare() returns. + * However, it's unsafe to call utf8_strncasecmp() with an unstable + * string. Therefore, we have to copy the name into a temporary buffer. + */ + if (len <= DNAME_INLINE_LEN - 1) { + unsigned int i; + + for (i = 0; i < len; i++) + strbuf[i] = READ_ONCE(str[i]); + strbuf[len] = 0; + qstr.name = strbuf; + } + return f2fs_ci_compare(inode, name, &qstr, false); } -- 2.26.2

5 years, 7 months

2
1
0 0

Re: [PATCH v3] virtio_vsock: Fix race condition in virtio_transport_recv_pkt()

by Markus Elfring

> This fixes it by checking sk->sk_shutdown(suggested by Stefano) after > lock_sock since sk->sk_shutdown is set to SHUTDOWN_MASK under the > protection of lock_sock_nested. How do you think about a wording variant like the following? Thus check the data structure member “sk_shutdown” (suggested by Stefano) after a call of the function “lock_sock” since this field is set to “SHUTDOWN_MASK” under the protection of “lock_sock_nested”. Would you like to add the tag “Fixes” to the commit message? Regards, Markus

5 years, 7 months

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror