- Linux-stable-mirror - lists.linaro.org

Re: [LKP] Re: [KEYS] 4ea62d6823: WARNING:at_mm/page_alloc.c:#__alloc_pages_nodemask

by Chen, Rong A

On 4/27/2020 10:58 AM, Waiman Long wrote: > On 4/26/20 6:48 AM, kernel test robot wrote: >> Greeting, >> >> FYI, we noticed the following commit (built with gcc-7): >> >> commit: 4ea62d6823c55fb914ba1195349b86a50efe8597 ("KEYS: Don't write >> out to userspace while holding key semaphore") >> https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable-rc.git >> queue/5.6 >> >> in testcase: trinity >> with following parameters: >> >> runtime: 300s >> >> test-description: Trinity is a linux system call fuzz tester. >> test-url: http://codemonkey.org.uk/projects/trinity/ >> >> >> on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp >> 2 -m 8G >> >> caused below changes (please refer to attached dmesg/kmsg for entire >> log/backtrace): >> >> >> +----------------------------------------------------+------------+------------+ >> >> | | 0f7bd4ba0b | >> 4ea62d6823 | >> +----------------------------------------------------+------------+------------+ >> >> | boot_successes | 5 | >> 2 | >> | boot_failures | 1 | >> 9 | >> | BUG:kernel_hang_in_boot_stage | 1 >> | | >> | BUG:kernel_hang_in_early-boot_stage | 0 | >> 1 | >> | WARNING:at_mm/page_alloc.c:#__alloc_pages_nodemask | 0 | >> 8 | >> | RIP:__alloc_pages_nodemask | 0 | >> 8 | >> +----------------------------------------------------+------------+------------+ >> >> >> >> If you fix the issue, kindly add following tag >> Reported-by: kernel test robot <rong.a.chen(a)intel.com> >> >> >> [ 387.389621] WARNING: CPU: 1 PID: 5301 at mm/page_alloc.c:4713 >> __alloc_pages_nodemask+0x1d1/0x340 >> [ 387.392619] Modules linked in: 8021q garp stp mrp llc dlci af_key >> ieee802154_socket ieee802154 mpls_router ip_tunnel vsock_loopback >> vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock >> vmw_vmci hidp cmtp kernelcapi bnep rfcomm bluetooth ecdh_generic ecc >> rfkill can_bcm can_raw can pptp gre l2tp_ppp l2tp_netlink l2tp_core >> ip6_udp_tunnel udp_tunnel pppoe pppox ppp_generic slhc crypto_user >> nfnetlink scsi_transport_iscsi dccp_ipv6 atm sctp libcrc32c dccp_ipv4 >> dccp sr_mod cdrom ata_generic pata_acpi bochs_drm drm_vram_helper >> drm_ttm_helper ttm intel_rapl_msr intel_rapl_common drm_kms_helper >> snd_pcm syscopyarea crct10dif_pclmul crc32_pclmul crc32c_intel >> ghash_clmulni_intel sysfillrect snd_timer ppdev snd sysimgblt >> fb_sys_fops aesni_intel ata_piix soundcore crypto_simd parport_pc >> cryptd joydev drm glue_helper serio_raw pcspkr libata i2c_piix4 >> parport floppy >> [ 387.417621] CPU: 1 PID: 5301 Comm: trinity-c1 Not tainted >> 5.6.6-00162-g4ea62d6823c55 #1 >> [ 387.420344] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), >> BIOS 1.12.0-1 04/01/2014 >> [ 387.423093] RIP: 0010:__alloc_pages_nodemask+0x1d1/0x340 >> [ 387.425419] Code: ff ff ff 65 48 8b 04 25 c0 8b 01 00 48 05 60 0c >> 00 00 41 be 01 00 00 00 48 89 44 24 08 e9 02 ff ff ff 81 e7 00 20 00 >> 00 75 02 <0f> 0b 45 31 f6 eb 95 44 8b 64 24 18 65 8b 05 fc 9f 39 5e >> 89 c0 48 >> [ 387.431026] RSP: 0018:ffff9ee900f27e60 EFLAGS: 00010246 >> [ 387.433373] RAX: 0000000000000000 RBX: fffffffffffffff4 RCX: >> 0000000000000000 >> [ 387.435902] RDX: 0000000000000000 RSI: 0000000000000034 RDI: >> 0000000000000000 >> [ 387.438438] RBP: 0000000000000034 R08: 0000000000000000 R09: >> fffffffffffffff9 >> [ 387.440946] R10: 0000000000000000 R11: 0000000000000000 R12: >> 0000000000000cc0 >> [ 387.443369] R13: fffffffffffffffb R14: 0000000000000034 R15: >> 0000000000000000 >> [ 387.445759] FS: 0000000002a06880(0000) GS:ffff8dfd37d00000(0000) >> knlGS:0000000000000000 >> [ 387.448352] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 >> [ 387.450614] CR2: 00007f6be3b0f47c CR3: 000000018f17c000 CR4: >> 00000000000406e0 >> [ 387.453073] DR0: 00007f6be1da7000 DR1: 0000000000000000 DR2: >> 0000000000000000 >> [ 387.455531] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: >> 0000000000030602 >> [ 387.457999] Call Trace: >> [ 387.459933] kmalloc_order+0x18/0x70 >> [ 387.461817] kmalloc_order_trace+0x1d/0xb0 >> [ 387.463770] keyctl_read_key+0xb6/0x140 >> [ 387.465697] do_syscall_64+0x5b/0x1f0 >> [ 387.467572] entry_SYSCALL_64_after_hwframe+0x44/0xa9 >> [ 387.469596] RIP: 0033:0x463519 >> [ 387.471409] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 >> 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 >> 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 59 00 00 c3 66 2e 0f 1f 84 00 >> 00 00 00 >> [ 387.476350] RSP: 002b:00007ffde88f9338 EFLAGS: 00000246 ORIG_RAX: >> 00000000000000fa >> [ 387.479670] RAX: ffffffffffffffda RBX: 00000000000000fa RCX: >> 0000000000463519 >> [ 387.481811] RDX: fffffffffffffffb RSI: fffffffffffffffd RDI: >> 000000000000000b >> [ 387.484045] RBP: 00007f6be26d4000 R08: ffffffffffffffe0 R09: >> ffffffffffffb1b1 >> [ 387.486279] R10: fffffffffffffff9 R11: 0000000000000246 R12: >> 0000000000000002 >> [ 387.488396] R13: 00007f6be26d4058 R14: 0000000002a06850 R15: >> 00007f6be26d4000 >> [ 387.490515] ---[ end trace 3c2d530d0a271c54 ]--- >> >> >> To reproduce: >> >> # build kernel >> cd linux >> cp config-5.6.6-00162-g4ea62d6823c55 .config >> make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 olddefconfig prepare >> modules_prepare bzImage >> >> git clone https://github.com/intel/lkp-tests.git >> cd lkp-tests >> bin/lkp qemu -k <bzImage> job-script # job-script is >> attached in this email >> >> >> >> Thanks, >> Rong Chen ( >> > To fix that, we have to backport the commit 4f0882491a14 ("KEYS: Avoid > false positive ENOMEM error on key read") to 5.6-stable as well. > > Cheers, > Longman Thanks a lot, cc stable(a)vger.kernel.org Best Regards, Rong Chen

5 years, 7 months

1
0
0 0

[PATCH] PM: hibernate: Freeze kernel threads in software_resume()

by Dexuan Cui

Currently the kernel threads are not frozen in software_resume(), so between dpm_suspend_start(PMSG_QUIESCE) and resume_target_kernel(), system_freezable_power_efficient_wq can still try to submit SCSI commands and this can cause a panic since the low level SCSI driver (e.g. hv_storvsc) has quiesced the SCSI adapter and can not accept any SCSI commands: https://lkml.org/lkml/2020/4/10/47 At first I posted a fix (https://lkml.org/lkml/2020/4/21/1318) trying to resolve the issue from hv_storvsc, but with the help of Bart Van Assche, I realized it's better to fix software_resume(), since this looks like a generic issue, not only pertaining to SCSI. Cc: Bart Van Assche <bvanassche(a)acm.org> Cc: stable(a)vger.kernel.org Signed-off-by: Dexuan Cui <decui(a)microsoft.com> --- kernel/power/hibernate.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c index 86aba8706b16..30bd28d1d418 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c @@ -898,6 +898,13 @@ static int software_resume(void) error = freeze_processes(); if (error) goto Close_Finish; + + error = freeze_kernel_threads(); + if (error) { + thaw_processes(); + goto Close_Finish; + } + error = load_image_and_restore(); thaw_processes(); Finish: -- 2.19.1

5 years, 7 months

5
5
0 0

[PATCH] ALSA: hda/realtek - Two front mics on a Lenovo ThinkCenter

by Hui Wang

This new Lenovo ThinkCenter has two front mics which can't be handled by PA so far, so apply the fixup ALC283_FIXUP_HEADSET_MIC to change the location for one of the mics. Cc: <stable(a)vger.kernel.org> Signed-off-by: Hui Wang <hui.wang(a)canonical.com> --- sound/pci/hda/patch_realtek.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c index c1a85c8f7b69..c16f63957c5a 100644 --- a/sound/pci/hda/patch_realtek.c +++ b/sound/pci/hda/patch_realtek.c @@ -7420,6 +7420,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { SND_PCI_QUIRK(0x1558, 0x8560, "System76 Gazelle (gaze14)", ALC269_FIXUP_HEADSET_MIC), SND_PCI_QUIRK(0x1558, 0x8561, "System76 Gazelle (gaze14)", ALC269_FIXUP_HEADSET_MIC), SND_PCI_QUIRK(0x17aa, 0x1036, "Lenovo P520", ALC233_FIXUP_LENOVO_MULTI_CODECS), + SND_PCI_QUIRK(0x17aa, 0x1048, "ThinkCentre Station", ALC283_FIXUP_HEADSET_MIC), SND_PCI_QUIRK(0x17aa, 0x20f2, "Thinkpad SL410/510", ALC269_FIXUP_SKU_IGNORE), SND_PCI_QUIRK(0x17aa, 0x215e, "Thinkpad L512", ALC269_FIXUP_SKU_IGNORE), SND_PCI_QUIRK(0x17aa, 0x21b8, "Thinkpad Edge 14", ALC269_FIXUP_SKU_IGNORE), -- 2.17.1

5 years, 7 months

2
1
0 0

[PATCH v2] riscv: set max_pfn to the PFN of the last page

by Vincent Chen

The current max_pfn equals to zero. In this case, I found it caused users cannot get some page information through /proc such as kpagecount in v5.6 kernel because of new sanity checks. The following message is displayed by stress-ng test suite with the command "stress-ng --verbose --physpage 1 -t 1" on HiFive unleashed board. # stress-ng --verbose --physpage 1 -t 1 stress-ng: debug: [109] 4 processors online, 4 processors configured stress-ng: info: [109] dispatching hogs: 1 physpage stress-ng: debug: [109] cache allocate: reducing cache level from L3 (too high) to L0 stress-ng: debug: [109] get_cpu_cache: invalid cache_level: 0 stress-ng: info: [109] cache allocate: using built-in defaults as no suitable cache found stress-ng: debug: [109] cache allocate: default cache size: 2048K stress-ng: debug: [109] starting stressors stress-ng: debug: [109] 1 stressor spawned stress-ng: debug: [110] stress-ng-physpage: started [110] (instance 0) stress-ng: error: [110] stress-ng-physpage: cannot read page count for address 0x3fd34de000 in /proc/kpagecount, errno=0 (Success) stress-ng: error: [110] stress-ng-physpage: cannot read page count for address 0x3fd32db078 in /proc/kpagecount, errno=0 (Success) ... stress-ng: error: [110] stress-ng-physpage: cannot read page count for address 0x3fd32db078 in /proc/kpagecount, errno=0 (Success) stress-ng: debug: [110] stress-ng-physpage: exited [110] (instance 0) stress-ng: debug: [109] process [110] terminated stress-ng: info: [109] successful run completed in 1.00s # After applying this patch, the kernel can pass the test. # stress-ng --verbose --physpage 1 -t 1 stress-ng: debug: [104] 4 processors online, 4 processors configured stress-ng: info: [104] dispatching hogs: 1 physpage stress-ng: info: [104] cache allocate: using defaults, can't determine cache details from sysfs stress-ng: debug: [104] cache allocate: default cache size: 2048K stress-ng: debug: [104] starting stressors stress-ng: debug: [104] 1 stressor spawned stress-ng: debug: [105] stress-ng-physpage: started [105] (instance 0) stress-ng: debug: [105] stress-ng-physpage: exited [105] (instance 0) stress-ng: debug: [104] process [105] terminated stress-ng: info: [104] successful run completed in 1.01s # Fixes: 0651c263c8e3 (RISC-V: Move setup_bootmem() to mm/init.c) Cc: stable(a)vger.kernel.org Signed-off-by: Vincent Chen <vincent.chen(a)sifive.com> Reviewed-by: Anup Patel <anup(a)brainfault.ort> Reviewed-by: Yash Shah <yash.shah(a)sifive.com> Tested-by: Yash Shah <yash.shah(a)sifive.com> Changes since v1: 1. Add Fixes line and Cc stable kernel --- arch/riscv/mm/init.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c index fab855963c73..157924baa191 100644 --- a/arch/riscv/mm/init.c +++ b/arch/riscv/mm/init.c @@ -149,7 +149,8 @@ void __init setup_bootmem(void) memblock_reserve(vmlinux_start, vmlinux_end - vmlinux_start); set_max_mapnr(PFN_DOWN(mem_size)); - max_low_pfn = PFN_DOWN(memblock_end_of_DRAM()); + max_pfn = PFN_DOWN(memblock_end_of_DRAM()); + max_low_pfn = max_pfn; #ifdef CONFIG_BLK_DEV_INITRD setup_initrd(); -- 2.7.4

5 years, 7 months

2
1
0 0

[PATCH V2 01/14] KVM: MIPS: Define KVM_ENTRYHI_ASID to cpu_asid_mask(&boot_cpu_data)

by Huacai Chen

From: Xing Li <lixing(a)loongson.cn> The code in decode_config4() of arch/mips/kernel/cpu-probe.c asid_mask = MIPS_ENTRYHI_ASID; if (config4 & MIPS_CONF4_AE) asid_mask |= MIPS_ENTRYHI_ASIDX; set_cpu_asid_mask(c, asid_mask); set asid_mask to cpuinfo->asid_mask. So in order to support variable ASID_MASK, KVM_ENTRYHI_ASID should also be changed to cpu_asid_mask(&boot_cpu_data). Cc: stable(a)vger.kernel.org Signed-off-by: Xing Li <lixing(a)loongson.cn> [Huacai: Change current_cpu_data to boot_cpu_data for optimization] Signed-off-by: Huacai Chen <chenhc(a)lemote.com> --- arch/mips/include/asm/kvm_host.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/mips/include/asm/kvm_host.h b/arch/mips/include/asm/kvm_host.h index 2c343c3..a01cee9 100644 --- a/arch/mips/include/asm/kvm_host.h +++ b/arch/mips/include/asm/kvm_host.h @@ -275,7 +275,7 @@ enum emulation_result { #define MIPS3_PG_FRAME 0x3fffffc0 #define VPN2_MASK 0xffffe000 -#define KVM_ENTRYHI_ASID MIPS_ENTRYHI_ASID +#define KVM_ENTRYHI_ASID cpu_asid_mask(&boot_cpu_data) #define TLB_IS_GLOBAL(x) ((x).tlb_lo[0] & (x).tlb_lo[1] & ENTRYLO_G) #define TLB_VPN2(x) ((x).tlb_hi & VPN2_MASK) #define TLB_ASID(x) ((x).tlb_hi & KVM_ENTRYHI_ASID) -- 2.7.0

5 years, 7 months

2
2
0 0

[4.19-stable] Security fixes for KVM

by Ben Hutchings

Here are some fixes that required backporting for 4.19, this time all in KVM. All of them are already present in later stable branches. Ben. -- Ben Hutchings, Software Developer Codethink Ltd https://www.codethink.co.uk/ Dale House, 35 Dale Street Manchester, M1 2HF, United Kingdom

5 years, 7 months

2
1
0 0

Re: [PATCH v2 1/1] NFSv4.1: fix handling of backchannel binding in BIND_CONN_TO_SESSION

by Sasha Levin

Hi [This is an automated email] This commit has been processed because it contains a -stable tag. The stable tag indicates that it's relevant for the following trees: all The bot has tested the following trees: v5.6.7, v5.4.35, v4.19.118, v4.14.177, v4.9.220, v4.4.220. v5.6.7: Build OK! v5.4.35: Failed to apply! Possible dependencies: Unable to calculate v4.19.118: Failed to apply! Possible dependencies: 07d02a67b7fa ("SUNRPC: Simplify lookup code") 3453d5708b33 ("NFSv4.1: Avoid false retries when RPC calls are interrupted") 5c441544f045 ("NFSv4.x: Handle bad/dead sessions correctly in nfs41_sequence_process()") 79b181810285 ("SUNRPC: Convert auth creds to use refcount_t") 8276c902bbe9 ("SUNRPC: remove uid and gid from struct auth_cred") 95cd623250ad ("SUNRPC: Clean up the AUTH cache code") 97f68c6b02e0 ("SUNRPC: add 'struct cred *' to auth_cred and rpc_cred") a52458b48af1 ("NFS/NFSD/SUNRPC: replace generic creds with 'struct cred'.") fc0664fd9bcc ("SUNRPC: remove groupinfo from struct auth_cred.") v4.14.177: Failed to apply! Possible dependencies: 07d02a67b7fa ("SUNRPC: Simplify lookup code") 12f275cdd163 ("NFSv4: Retry CLOSE and DELEGRETURN on NFS4ERR_OLD_STATEID.") 1eb5d98f16f6 ("nfs: convert to new i_version API") 3453d5708b33 ("NFSv4.1: Avoid false retries when RPC calls are interrupted") 35156bfff3c0 ("NFSv4: Fix the nfs_inode_set_delegation() arguments") 5c441544f045 ("NFSv4.x: Handle bad/dead sessions correctly in nfs41_sequence_process()") 79b181810285 ("SUNRPC: Convert auth creds to use refcount_t") 95cd623250ad ("SUNRPC: Clean up the AUTH cache code") 97f68c6b02e0 ("SUNRPC: add 'struct cred *' to auth_cred and rpc_cred") a52458b48af1 ("NFS/NFSD/SUNRPC: replace generic creds with 'struct cred'.") b3dce6a2f060 ("pnfs/blocklayout: handle transient devices") fc0664fd9bcc ("SUNRPC: remove groupinfo from struct auth_cred.") v4.9.220: Failed to apply! Possible dependencies: 172d9de15a0d ("NFS: Change nfs4_get_session() to take an nfs_client structure") 3453d5708b33 ("NFSv4.1: Avoid false retries when RPC calls are interrupted") 3be0f80b5fe9 ("NFSv4.1: Fix up replays of interrupted requests") 42e1cca7e91e ("NFS: Change nfs4_setup_sequence() to take an nfs_client structure") 5c441544f045 ("NFSv4.x: Handle bad/dead sessions correctly in nfs41_sequence_process()") 6de7e12f53a1 ("NFS: Use nfs4_setup_sequence() everywhere") 7981c8a65914 ("NFS: Create a single nfs4_setup_sequence() function") efc6f4aa742d ("NFS: Move nfs4_get_session() into nfs4_session.h") v4.4.220: Failed to apply! Possible dependencies: 172d9de15a0d ("NFS: Change nfs4_get_session() to take an nfs_client structure") 3453d5708b33 ("NFSv4.1: Avoid false retries when RPC calls are interrupted") 3be0f80b5fe9 ("NFSv4.1: Fix up replays of interrupted requests") 42e1cca7e91e ("NFS: Change nfs4_setup_sequence() to take an nfs_client structure") 5c441544f045 ("NFSv4.x: Handle bad/dead sessions correctly in nfs41_sequence_process()") 5f83d86cf531 ("NFSv4.x: Fix wraparound issues when validing the callback sequence id") 68d264cf02b0 ("NFS42: handle layoutstats stateid error") 6de7e12f53a1 ("NFS: Use nfs4_setup_sequence() everywhere") 80f9642724af ("NFSv4.x: Enforce the ca_maxresponsesize_cached on the back channel") 810d82e68301 ("NFSv4.x: Allow multiple callbacks in flight") 9a0fe86745b8 ("pNFS: Handle NFS4ERR_OLD_STATEID correctly in LAYOUTSTAT calls") efc6f4aa742d ("NFS: Move nfs4_get_session() into nfs4_session.h") f74a834a0e1b ("NFSv4.x: CB_SEQUENCE should return NFS4ERR_DELAY if still executing") NOTE: The patch will not be queued to stable trees until it is upstream. How should we proceed with this patch? -- Thanks Sasha

5 years, 7 months

2
2
0 0

Re: [PATCH v5.7] iwlwifi: pcie: handle QuZ configs with killer NICs as well

by Sasha Levin

Hi [This is an automated email] This commit has been processed because it contains a "Fixes:" tag fixing commit: 5a8c31aa6357 ("iwlwifi: pcie: fix recognition of QuZ devices"). The bot has tested the following trees: v5.6.7, v5.4.35. v5.6.7: Failed to apply! Possible dependencies: 32ed101aa140 ("iwlwifi: convert all Qu with Jf devices to the new config table") 56ba371a5288 ("iwlwifi: move the remaining 0x2526 configs to the new table") 5e003982b07a ("iwlwifi: move AX200 devices to the new table") 67eb556da609 ("iwlwifi: combine 9260 cfgs that only change names") 95939551e28c ("iwlwifi: add GNSS differentiation to the device tables") d6f2134a3831 ("iwlwifi: add mac/rf types and 160MHz to the device tables") fe25b1518f72 ("iwlwifi: move TH1 devices to the new table") v5.4.35: Failed to apply! Possible dependencies: 32ed101aa140 ("iwlwifi: convert all Qu with Jf devices to the new config table") 3681021fc6af ("iwlwifi: remove IWL_DEVICE_22560/IWL_DEVICE_FAMILY_22560") 3b589d5624ce ("iwlwifi: dbg_ini: use new trigger TLV in dump flow") 593fae3e5e90 ("iwlwifi: dbg_ini: add monitor dumping support") 69f0e5059b09 ("iwlwifi: dbg: remove multi buffers infra") bfc3e9fdbfb8 ("iwlwifi: 22000: fix some indentation") c042f0c77f3d ("iwlwifi: allocate more receive buffers for HE devices") c9fe75e9f347 ("iwlwifi: dbg_ini: use new region TLV in dump flow") NOTE: The patch will not be queued to stable trees until it is upstream. How should we proceed with this patch? -- Thanks Sasha

5 years, 7 months

1
0
0 0

[PATCH] propogate_mnt: Handle the first propogated copy being a slave

by TuQuan

commit 5ec0811d30378ae104f250bfc9b3640242d81e3f upstream When the first propgated copy was a slave the following oops would result: > BUG: unable to handle kernel NULL pointer dereference at > 0000000000000010 > IP: [<ffffffff811fba4e>] propagate_one+0xbe/0x1c0 > PGD bacd4067 PUD bac66067 PMD 0 > Oops: 0000 [#1] SMP > Modules linked in: > CPU: 1 PID: 824 Comm: mount Not tainted 4.6.0-rc5userns+ #1523 > Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007 > task: ffff8800bb0a8000 ti: ffff8800bac3c000 task.ti: ffff8800bac3c000 > RIP: 0010:[<ffffffff811fba4e>] [<ffffffff811fba4e>] > propagate_one+0xbe/0x1c0 > RSP: 0018:ffff8800bac3fd38 EFLAGS: 00010283 > RAX: 0000000000000000 RBX: ffff8800bb77ec00 RCX: 0000000000000010 > RDX: 0000000000000000 RSI: ffff8800bb58c000 RDI: ffff8800bb58c480 > RBP: ffff8800bac3fd48 R08: 0000000000000001 R09: 0000000000000000 > R10: 0000000000001ca1 R11: 0000000000001c9d R12: 0000000000000000 > R13: ffff8800ba713800 R14: ffff8800bac3fda0 R15: ffff8800bb77ec00 > FS: 00007f3c0cd9b7e0(0000) GS:ffff8800bfb00000(0000) > knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 0000000000000010 CR3: 00000000bb79d000 CR4: 00000000000006e0 > Stack: > ffff8800bb77ec00 0000000000000000 ffff8800bac3fd88 ffffffff811fbf85 > ffff8800bac3fd98 ffff8800bb77f080 ffff8800ba713800 ffff8800bb262b40 > 0000000000000000 0000000000000000 ffff8800bac3fdd8 ffffffff811f1da0 > Call Trace: > [<ffffffff811fbf85>] propagate_mnt+0x105/0x140 > [<ffffffff811f1da0>] attach_recursive_mnt+0x120/0x1e0 > [<ffffffff811f1ec3>] graft_tree+0x63/0x70 > [<ffffffff811f1f6b>] do_add_mount+0x9b/0x100 > [<ffffffff811f2c1a>] do_mount+0x2aa/0xdf0 > [<ffffffff8117efbe>] ? strndup_user+0x4e/0x70 > [<ffffffff811f3a45>] SyS_mount+0x75/0xc0 > [<ffffffff8100242b>] do_syscall_64+0x4b/0xa0 > [<ffffffff81988f3c>] entry_SYSCALL64_slow_path+0x25/0x25 > Code: 00 00 75 ec 48 89 0d 02 22 22 01 8b 89 10 01 00 00 48 89 05 fd > 21 22 01 39 8e 10 01 00 00 0f 84 e0 00 00 00 48 8b 80 d8 00 00 00 <48> > 8b 50 10 48 89 05 df 21 22 01 48 89 15 d0 21 22 01 8b 53 30 > RIP [<ffffffff811fba4e>] propagate_one+0xbe/0x1c0 > RSP <ffff8800bac3fd38> > CR2: 0000000000000010 > ---[ end trace 2725ecd95164f217 ]--- This oops happens with the namespace_sem held and can be triggered by non-root users. An all around not pleasant experience. To avoid this scenario when finding the appropriate source mount to copy stop the walk up the mnt_master chain when the first source mount is encountered. Further rewrite the walk up the last_source mnt_master chain so that it is clear what is going on. The reason why the first source mount is special is that it it's mnt_parent is not a mount in the dest_mnt propagation tree, and as such termination conditions based up on the dest_mnt mount propgation tree do not make sense. To avoid other kinds of confusion last_dest is not changed when computing last_source. last_dest is only used once in propagate_one and that is above the point of the code being modified, so changing the global variable is meaningless and confusing. Cc: stable(a)vger.kernel.org fixes: f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68 ("smarter propagate_mnt()") Reported-by: Tycho Andersen <tycho.andersen(a)canonical.com> Reviewed-by: Seth Forshee <seth.forshee(a)canonical.com> Tested-by: Seth Forshee <seth.forshee(a)canonical.com> Signed-off-by: "Eric W. Biederman" <ebiederm(a)xmission.com> --- 7u/fs/pnode.c | 32 ++++++++++++++++++++------------ 1 file changed, 20 insertions(+), 12 deletions(-) diff --git a/7u/fs/pnode.c b/7u/fs/pnode.c index 30d9a548d..52c262e71 100644 --- a/7u/fs/pnode.c +++ b/7u/fs/pnode.c @@ -198,10 +198,15 @@ static struct mount *next_group(struct mount *m, struct mount *origin) /* all accesses are serialized by namespace_sem */ static struct user_namespace *user_ns; -static struct mount *last_dest, *last_source, *dest_master; +static struct mount *last_dest, *first_source, *last_source, *dest_master; static struct mountpoint *mp; static struct list_head *list; +static inline bool peers(struct mount *m1, struct mount *m2) +{ + return m1->mnt_group_id == m2->mnt_group_id && m1->mnt_group_id; +} + static int propagate_one(struct mount *m) { struct mount *child; @@ -212,24 +217,26 @@ static int propagate_one(struct mount *m) /* skip if mountpoint isn't covered by it */ if (!is_subdir(mp->m_dentry, m->mnt.mnt_root)) return 0; - if (m->mnt_group_id == last_dest->mnt_group_id) { + if (peers(m, last_dest)) { type = CL_MAKE_SHARED; } else { struct mount *n, *p; + bool done; for (n = m; ; n = p) { p = n->mnt_master; - if (p == dest_master || IS_MNT_MARKED(p)) { - while (last_dest->mnt_master != p) { - last_source = last_source->mnt_master; - last_dest = last_source->mnt_parent; - } - if (n->mnt_group_id != last_dest->mnt_group_id) { - last_source = last_source->mnt_master; - last_dest = last_source->mnt_parent; - } + if (p == dest_master || IS_MNT_MARKED(p)) break; - } } + do { + struct mount *parent = last_source->mnt_parent; + if (last_source == first_source) + break; + done = parent->mnt_master == p; + if (done && peers(n, parent)) + break; + last_source = last_source->mnt_master; + } while (!done); + type = CL_SLAVE; /* beginning of peer group among the slaves? */ if (IS_MNT_SHARED(m)) @@ -280,6 +287,7 @@ int propagate_mnt(struct mount *dest_mnt, struct mountpoint *dest_mp, */ user_ns = current->nsproxy->mnt_ns->user_ns; last_dest = dest_mnt; + first_source = source_mnt; last_source = source_mnt; mp = dest_mp; list = tree_list; -- 2.14.4.44.g2045bb6

5 years, 7 months

1
0
0 0

[4.19-stable] Security fixes

by Ben Hutchings

Here are some fixes that required backporting for 4.19. All of them are already present in later stable branches. Ben. -- Ben Hutchings, Software Developer Codethink Ltd https://www.codethink.co.uk/ Dale House, 35 Dale Street Manchester, M1 2HF, United Kingdom

5 years, 7 months

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror