mirror of
https://github.com/rd-stuffs/msm-4.14.git
synced 2025-02-20 11:45:48 +08:00
792 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Richard Raya
|
00fa45c0a6 |
This is the 4.14.355 OpenELA-Extended LTS stable release
-----BEGIN PGP SIGNATURE----- iQJNBAABCAA3FiEERFwmR4yFob14UDOYC8702P6YulgFAmciUfMZHHZlZ2FyZC5u b3NzdW1Ab3JhY2xlLmNvbQAKCRALzvTY/pi6WLuWD/9Ygfcw1geLS8AUG78WElHy l9L6JBbhAMCd7UTIn6ulSxNalJSMUg9P5xbtBVwz64qLCeJYEpJZ23UOj1fNK9Sm +zBI3R3LURhRr/qwRVN8xJvKfGNODx8LsI61H8bcowKOjC1zdtd11vtZfu+KmumM G26MeAabNszHOaFzoAoD/0VR6xxbHbvWv9oiyaCvyyB1iPU2wpGfO26dQ6YOO87K 914tsdY+I70tpAgCks3DyZaN+h0kXGww9k9YCG8awxHHgAvxsVQ5+cZtC0QO04bN uEwOHapieFtoFGG/c6cUq9ARiVkWdgXV0+xeGzefDbygcfZjfC4b6a+iSf9j42oq X1hM7mGxJMvzoiweXOF9XhfrmBKpnXcLgZqpFTk3Iy/EALstd9AnvY7SJCJLa+u8 Dp2NOZ/9tKfvrfiI/AA+uwjlFLeA1dbfvf5HcUtfKuJ7Y1Qq4q9QxRr9svk+7+ZG nbrYxNfpxmrgffrm5W9gt/02M8v+ymC9fIFK82V6EEPbnikPE8SGJ2JAuirjiG1i u1bvIzTCBtu6074tuqCjHKAyTUFNZMKS8xxT+prEolXguBiuEmlJodK7kkJKFurc uAiLlYpMZNvFJox5E0vCLD8HInTHNR3yd8D/kNg733ukg6o2mKvLkR83lHpvhe67 0bxx5K76GV7p4I/wvIJ6zw== =JpII -----END PGP SIGNATURE----- Merge tag 'v4.14.355-openela' of https://github.com/openela/kernel-lts This is the 4.14.355 OpenELA-Extended LTS stable release * tag 'v4.14.355-openela' of https://github.com/openela/kernel-lts: (79 commits) LTS: Update to 4.14.355 Revert "parisc: Use irq_enter_rcu() to fix warning at kernel/context_tracking.c:367" netns: restore ops before calling ops_exit_list cx82310_eth: fix error return code in cx82310_bind() rtmutex: Drop rt_mutex::wait_lock before scheduling locking/rtmutex: Handle non enqueued waiters gracefully in remove_waiter() drm/i915/fence: Mark debug_fence_free() with __maybe_unused ACPI: processor: Fix memory leaks in error paths of processor_add() ACPI: processor: Return an error if acpi_processor_get_info() fails in processor_add() netns: add pre_exit method to struct pernet_operations net: Add comment about pernet_operations methods and synchronization nilfs2: protect references to superblock parameters exposed in sysfs nilfs2: replace snprintf in show functions with sysfs_emit nilfs2: use time64_t internally tracing: Avoid possible softlockup in tracing_iter_reset() ring-buffer: Rename ring_buffer_read() to read_buffer_iter_advance() uprobes: Use kzalloc to allocate xol area clocksource/drivers/imx-tpm: Fix next event not taking effect sometime clocksource/drivers/imx-tpm: Fix return -ETIME when delta exceeds INT_MAX VMCI: Fix use-after-free when removing resource in vmci_resource_remove() ... Change-Id: I237799395c31c147d9e602b34bff999c65fe9ef0 Signed-off-by: Richard Raya <rdxzv.dev@gmail.com> |
||
Ryusuke Konishi
|
2d65330b26 |
nilfs2: protect references to superblock parameters exposed in sysfs
[ Upstream commit 683408258917541bdb294cd717c210a04381931e ] The superblock buffers of nilfs2 can not only be overwritten at runtime for modifications/repairs, but they are also regularly swapped, replaced during resizing, and even abandoned when degrading to one side due to backing device issues. So, accessing them requires mutual exclusion using the reader/writer semaphore "nilfs->ns_sem". Some sysfs attribute show methods read this superblock buffer without the necessary mutual exclusion, which can cause problems with pointer dereferencing and memory access, so fix it. Link: https://lkml.kernel.org/r/20240811100320.9913-1-konishi.ryusuke@gmail.com Fixes: da7141fb78db ("nilfs2: add /sys/fs/nilfs2/<device> group") Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit b90beafac05931cbfcb6b1bd4f67c1923f47040e) Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com> Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com> |
||
Qing Wang
|
c77787e1b9 |
nilfs2: replace snprintf in show functions with sysfs_emit
[ Upstream commit 3bcd6c5bd483287f4a09d3d59a012d47677b6edc ] Patch series "nilfs2 updates". This patch (of 2): coccicheck complains about the use of snprintf() in sysfs show functions. Fix the coccicheck warning: WARNING: use scnprintf or sprintf. Use sysfs_emit instead of scnprintf or sprintf makes more sense. Link: https://lkml.kernel.org/r/1635151862-11547-1-git-send-email-konishi.ryusuke@gmail.com Link: https://lkml.kernel.org/r/1634095759-4625-1-git-send-email-wangqing@vivo.com Link: https://lkml.kernel.org/r/1635151862-11547-2-git-send-email-konishi.ryusuke@gmail.com Signed-off-by: Qing Wang <wangqing@vivo.com> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Stable-dep-of: 683408258917 ("nilfs2: protect references to superblock parameters exposed in sysfs") Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 51af9b589ab68a94485ee55811d1243c6bf665b4) Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com> Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com> |
||
Arnd Bergmann
|
3b10ade515 |
nilfs2: use time64_t internally
The superblock and segment timestamps are used only internally in nilfs2 and can be read out using sysfs. Since we are using the old 'get_seconds()' interface and store the data as timestamps, the behavior differs slightly between 64-bit and 32-bit kernels, the latter will show incorrect timestamps after 2038 in sysfs, and presumably fail completely in 2106 as comparisons go wrong. This changes nilfs2 to use time64_t with ktime_get_real_seconds() to handle timestamps, making the behavior consistent and correct on both 32-bit and 64-bit machines. The on-disk format already uses 64-bit timestamps, so nothing changes there. Link: http://lkml.kernel.org/r/20180122211050.1286441-1-arnd@arndb.de Signed-off-by: Arnd Bergmann <arnd@arndb.de> Acked-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp> Cc: Jens Axboe <axboe@kernel.dk> Cc: Ingo Molnar <mingo@kernel.org> Cc: Jan Kara <jack@suse.cz> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> (cherry picked from commit fb04b91bc2c3a83e9e2ba9c5ce0f0124dd3ffef0) Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com> Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com> |
||
|
Ryusuke Konishi
|
faf0987376 |
nilfs2: fix state management in error path of log writing function
commit 6576dd6695f2afca3f4954029ac4a64f82ba60ab upstream.
After commit a694291a6211 ("nilfs2: separate wait function from
nilfs_segctor_write") was applied, the log writing function
nilfs_segctor_do_construct() was able to issue I/O requests continuously
even if user data blocks were split into multiple logs across segments,
but two potential flaws were introduced in its error handling.
First, if nilfs_segctor_begin_construction() fails while creating the
second or subsequent logs, the log writing function returns without
calling nilfs_segctor_abort_construction(), so the writeback flag set on
pages/folios will remain uncleared. This causes page cache operations to
hang waiting for the writeback flag. For example,
truncate_inode_pages_final(), which is called via nilfs_evict_inode() when
an inode is evicted from memory, will hang.
Second, the NILFS_I_COLLECTED flag set on normal inodes remain uncleared.
As a result, if the next log write involves checkpoint creation, that's
fine, but if a partial log write is performed that does not, inodes with
NILFS_I_COLLECTED set are erroneously removed from the "sc_dirty_files"
list, and their data and b-tree blocks may not be written to the device,
corrupting the block mapping.
Fix these issues by uniformly calling nilfs_segctor_abort_construction()
on failure of each step in the loop in nilfs_segctor_do_construct(),
having it clean up logs and segment usages according to progress, and
correcting the conditions for calling nilfs_redirty_inodes() to ensure
that the NILFS_I_COLLECTED flag is cleared.
Link: https://lkml.kernel.org/r/20240814101119.4070-1-konishi.ryusuke@gmail.com
Fixes: a694291a6211 ("nilfs2: separate wait function from nilfs_segctor_write")
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 40a2757de2c376ef8a08d9ee9c81e77f3c750adf)
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||
|
Ryusuke Konishi
|
812eaaab95 |
nilfs2: fix missing cleanup on rollforward recovery error
commit 5787fcaab9eb5930f5378d6a1dd03d916d146622 upstream. In an error injection test of a routine for mount-time recovery, KASAN found a use-after-free bug. It turned out that if data recovery was performed using partial logs created by dsync writes, but an error occurred before starting the log writer to create a recovered checkpoint, the inodes whose data had been recovered were left in the ns_dirty_files list of the nilfs object and were not freed. Fix this issue by cleaning up inodes that have read the recovery data if the recovery routine fails midway before the log writer starts. Link: https://lkml.kernel.org/r/20240810065242.3701-1-konishi.ryusuke@gmail.com Fixes: 0f3e1c7f23f8 ("nilfs2: recovery functions") Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 35a9a7a7d94662146396199b0cfd95f9517cdd14) Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com> Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com> |
||
|
Richard Raya
|
1b9f971175 |
This is the 4.14.353 OpenELA-Extended LTS stable release
-----BEGIN PGP SIGNATURE----- iQJNBAABCAA3FiEERFwmR4yFob14UDOYC8702P6YulgFAmcHrG8ZHHZlZ2FyZC5u b3NzdW1Ab3JhY2xlLmNvbQAKCRALzvTY/pi6WIQuEACCYf9xCGBALlKFb0pXX3eF oiRkceNyy5NWSndD7t9p/3d2g4YrVptGxtTZN12IltfG4wfCQ+qC/0g2Mu4ho0Yp 2ExKVaIli1t2csIjXCUUyjh3jU0JOkDwJap9n5QemACsX8zrDfKVwdlj9hw+e7vi fBWwdfl1duK5cfVbbyvL74It4WeMnjuAYrBnMTxhYBTq56xFLrbBILl8BLxAV5NN 5wGoNCeUtj8LxUrL2qs5QoT3Bf7uoDlLnu1Ly7jDMMX34/oNh5huOjZdDFbQYxS3 DsEe6ljOYOyB/awdUhScERfxVPimumN3nHWnRJbsQhX36uXT6U7HNJah4zauchRk UlKUSfG3YyOqKIwFH+8oGmkuCm6wZbVjVsNNkYhT804BCCHrasJ1SHXsSB9R0MpU x3IQOoiuc33bUYrSqWAO7utvt+PwG++3GHz0XQwPfZn4DHY18/e+VNsGtQTPqzRG tsywZVTN0DC0nO7L772nkQDb7z2mhmJGgN8q3FPbMTfp/I1phIh9C17pckfpHKAl ippTmTMaIYDU3Rlc1g/cu363GOaXWRN4t03VSEu/BLV0IElRktUnmuBU3B/rMb+F ItaBmhnZGXHUrulMTxDtzItrYMwx00USw6IrG3iYjob0MhhxhLVxEh0vKc7Te2w5 2FZEjj2BxinK66mJgAolZw== =BQd/ -----END PGP SIGNATURE----- Merge tag 'v4.14.353-openela' of https://github.com/openela/kernel-lts This is the 4.14.353 OpenELA-Extended LTS stable release * tag 'v4.14.353-openela' of https://github.com/openela/kernel-lts: (173 commits) LTS: Update to 4.14.353 net: fix __dst_negative_advice() race selftests: make order checking verbose in msg_zerocopy selftest selftests: fix OOM in msg_zerocopy selftest Revert "selftests/net: reap zerocopy completions passed up as ancillary data." Revert "selftests: fix OOM in msg_zerocopy selftest" Revert "selftests: make order checking verbose in msg_zerocopy selftest" nvme/pci: Add APST quirk for Lenovo N60z laptop exec: Fix ToCToU between perm check and set-uid/gid usage drm/i915/gem: Fix Virtual Memory mapping boundaries calculation drm/i915: Try GGTT mmapping whole object as partial netfilter: nf_tables: set element extended ACK reporting support kbuild: Fix '-S -c' in x86 stack protector scripts drm/mgag200: Set DDC timeout in milliseconds drm/bridge: analogix_dp: properly handle zero sized AUX transactions drm/bridge: analogix_dp: Properly log AUX CH errors drm/bridge: analogix_dp: Reset aux channel if an error occurred drm/bridge: analogix_dp: Check AUX_EN status when doing AUX transfer x86/mtrr: Check if fixed MTRRs exist before saving them tracing: Fix overflow in get_free_elt() ... Change-Id: I0e92a979e31d4fa6c526c6b70a1b61711d9747bb Signed-off-by: Richard Raya <rdxzv.dev@gmail.com> |
||
|
Ryusuke Konishi
|
0e318baa08 |
nilfs2: handle inconsistent state in nilfs_btnode_create_block()
commit 4811f7af6090e8f5a398fbdd766f903ef6c0d787 upstream. Syzbot reported that a buffer state inconsistency was detected in nilfs_btnode_create_block(), triggering a kernel bug. It is not appropriate to treat this inconsistency as a bug; it can occur if the argument block address (the buffer index of the newly created block) is a virtual block number and has been reallocated due to corruption of the bitmap used to manage its allocation state. So, modify nilfs_btnode_create_block() and its callers to treat it as a possible filesystem error, rather than triggering a kernel bug. Link: https://lkml.kernel.org/r/20240725052007.4562-1-konishi.ryusuke@gmail.com Fixes: a60be987d45d ("nilfs2: B-tree node cache") Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Reported-by: syzbot+89cc4f2324ed37988b60@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=89cc4f2324ed37988b60 Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 19cce46238ffe3546e44b9c74057103ff8b24c62) Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com> |
||
|
Ryusuke Konishi
|
440e5d6b0d |
nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro
[ Upstream commit 0f3819e8c483771a59cf9d3190cd68a7a990083c ]
According to the C standard 3.4.3p3, the result of signed integer overflow
is undefined. The macro nilfs_cnt32_ge(), which compares two sequence
numbers, uses signed integer subtraction that can overflow, and therefore
the result of the calculation may differ from what is expected due to
undefined behavior in different environments.
Similar to an earlier change to the jiffies-related comparison macros in
commit 5a581b367b5d ("jiffies: Avoid undefined behavior from signed
overflow"), avoid this potential issue by changing the definition of the
macro to perform the subtraction as unsigned integers, then cast the
result to a signed integer for comparison.
Link: https://lkml.kernel.org/r/20130727225828.GA11864@linux.vnet.ibm.com
Link: https://lkml.kernel.org/r/20240702183512.6390-1-konishi.ryusuke@gmail.com
Fixes: 9ff05123e3bf ("nilfs2: segment constructor")
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit d2b9bc7dfd6b0fa1a37eb91e68bca3175cb5ef50)
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||
Alex Shi
|
2891e08c6f |
fs/nilfs2: remove some unused macros to tame gcc
[ Upstream commit e7920b3e9d9f5470d5ff7d883e72a47addc0a137 ] There some macros are unused and cause gcc warning. Remove them. fs/nilfs2/segment.c:137:0: warning: macro "nilfs_cnt32_gt" is not used [-Wunused-macros] fs/nilfs2/segment.c:144:0: warning: macro "nilfs_cnt32_le" is not used [-Wunused-macros] fs/nilfs2/segment.c:143:0: warning: macro "nilfs_cnt32_lt" is not used [-Wunused-macros] Link: https://lkml.kernel.org/r/1607552733-24292-1-git-send-email-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Signed-off-by: Alex Shi <alex.shi@linux.alibaba.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Stable-dep-of: 0f3819e8c483 ("nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro") Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 175ac70d8af52bc0f5b100901702fdb2bc662885) Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com> |
||
|
Richard Raya
|
59448bba68 |
This is the 4.14.351 OpenELA-Extended LTS stable release
-----BEGIN PGP SIGNATURE----- iQJNBAABCAA3FiEERFwmR4yFob14UDOYC8702P6YulgFAmbJhFAZHHZlZ2FyZC5u b3NzdW1Ab3JhY2xlLmNvbQAKCRALzvTY/pi6WM9AD/9T4mE7CXds1QYHF3wzFinF t4oHyXvOiY4Mrsdy20A4FIvYfrYi5PyZ39E7G38e2FH2jG7qwHTyHXOjh94cL9gV 5zlU7+jxWQenDKTl6LV3veYP/QNp9Yh9iQn0sgwC3HTUeq+zNd8rxvBjcAfDNiIM taC98s63QjtjZtQPzAaS461LH/U14dKFChuPEC36dei/M4T2UDTHZqvRdFBWB8h2 fC/dJgtuohXTFexpGgk8p6GKNpFjyE62hBI3Xc+/k24j88r0cFqLLp6NhgF6JIpc 6L6zGUKeyLXaIR/xoshK3MdgJ/XbocqKlRexJOFxCYmAEreAnQelS8v7QG3j6j33 8AiUasZfpDPFNEH1CNJC0BiNs76NByFCJny+QUYlq0O9ZjfYQt+PvZZXSCx8jIn6 A75ryAXLERNlXvh5XuEXlNJsOrN3enWnhgeJXMJOfKxtOfn7CRLmfSvpiS2/SfT3 sxU4aNQNenbYoWwPQRPLXfNO4UvkmLfk6I6+AqRiHdykYQswhZRnpWxsPRSUwrhI 6mErDGIXmryid/p+P/eMuviH3AO+KEpjoDzLFMFJWMpLQouTDl5qCwGu3QwVjybS /MOlfhi5z1so1e5qBIUmY498jZfVbZ5VMC76bOdhtC2USmvotcBSu611x5JtPaZo Cv3jKYl+/S0DVIZdEMPA8g== =wFNA -----END PGP SIGNATURE----- Merge tag 'v4.14.351-openela' of https://github.com/openela/kernel-lts This is the 4.14.351 OpenELA-Extended LTS stable release * tag 'v4.14.351-openela' of https://github.com/openela/kernel-lts: (58 commits) LTS: Update to 4.14.351 i2c: rcar: bring hardware to known state when probing nilfs2: fix kernel bug on rename operation of broken directory tcp: use signed arithmetic in tcp_rtx_probe0_timed_out() libceph: fix race between delayed_work() and ceph_monc_stop() hpet: Support 32-bit userspace USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor usb: gadget: configfs: Prevent OOB read/write in usb_string_copy() USB: Add USB_QUIRK_NO_SET_INTF quirk for START BP-850k USB: serial: option: add Rolling RW350-GL variants USB: serial: option: add Netprisma LCUK54 series modules USB: serial: option: add support for Foxconn T99W651 USB: serial: option: add Fibocom FM350-GL USB: serial: option: add Telit FN912 rmnet compositions USB: serial: option: add Telit generic core-dump composition ARM: davinci: Convert comma to semicolon ppp: reject claimed-as-LCP but actually malformed packets net: ethernet: lantiq_etop: fix double free in detach net: lantiq_etop: add blank line after declaration tcp: fix incorrect undo caused by DSACK of TLP retransmit ... Change-Id: I8bb6496007a068b83dd95a991e2f3afb0e18da82 Signed-off-by: Richard Raya <rdxzv.dev@gmail.com> |
||
|
Ryusuke Konishi
|
2a8372159b |
nilfs2: fix kernel bug on rename operation of broken directory
commit a9e1ddc09ca55746079cc479aa3eb6411f0d99d4 upstream.
Syzbot reported that in rename directory operation on broken directory on
nilfs2, __block_write_begin_int() called to prepare block write may fail
BUG_ON check for access exceeding the folio/page size.
This is because nilfs_dotdot(), which gets parent directory reference
entry ("..") of the directory to be moved or renamed, does not check
consistency enough, and may return location exceeding folio/page size for
broken directories.
Fix this issue by checking required directory entries ("." and "..") in
the first chunk of the directory in nilfs_dotdot().
Link: https://lkml.kernel.org/r/20240628165107.9006-1-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+d3abed1ad3d367fa2627@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d3abed1ad3d367fa2627
Fixes: 2ba466d74ed7 ("nilfs2: directory entry operations")
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit ff9767ba2cb949701e45e6e4287f8af82986b703)
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||
|
Ryusuke Konishi
|
75fb795f98 |
nilfs2: fix incorrect inode allocation from reserved inodes
commit 93aef9eda1cea9e84ab2453fcceb8addad0e46f1 upstream.
If the bitmap block that manages the inode allocation status is corrupted,
nilfs_ifile_create_inode() may allocate a new inode from the reserved
inode area where it should not be allocated.
Previous fix commit d325dc6eb763 ("nilfs2: fix use-after-free bug of
struct nilfs_root"), fixed the problem that reserved inodes with inode
numbers less than NILFS_USER_INO (=11) were incorrectly reallocated due to
bitmap corruption, but since the start number of non-reserved inodes is
read from the super block and may change, in which case inode allocation
may occur from the extended reserved inode area.
If that happens, access to that inode will cause an IO error, causing the
file system to degrade to an error state.
Fix this potential issue by adding a wraparound option to the common
metadata object allocation routine and by modifying
nilfs_ifile_create_inode() to disable the option so that it only allocates
inodes with inode numbers greater than or equal to the inode number read
in "nilfs->ns_first_ino", regardless of the bitmap status of reserved
inodes.
Link: https://lkml.kernel.org/r/20240623051135.4180-4-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: Hillf Danton <hdanton@sina.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit de9d81daaca2b7b3c853bf2ff729353e84f06b18)
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||
|
Ryusuke Konishi
|
ba6206b639 |
nilfs2: add missing check for inode numbers on directory entries
commit bb76c6c274683c8570ad788f79d4b875bde0e458 upstream. Syzbot reported that mounting and unmounting a specific pattern of corrupted nilfs2 filesystem images causes a use-after-free of metadata file inodes, which triggers a kernel bug in lru_add_fn(). As Jan Kara pointed out, this is because the link count of a metadata file gets corrupted to 0, and nilfs_evict_inode(), which is called from iput(), tries to delete that inode (ifile inode in this case). The inconsistency occurs because directories containing the inode numbers of these metadata files that should not be visible in the namespace are read without checking. Fix this issue by treating the inode numbers of these internal files as errors in the sanity check helper when reading directory folios/pages. Also thanks to Hillf Danton and Matthew Wilcox for their initial mm-layer analysis. Link: https://lkml.kernel.org/r/20240623051135.4180-3-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Reported-by: syzbot+d79afb004be235636ee8@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=d79afb004be235636ee8 Reported-by: Jan Kara <jack@suse.cz> Closes: https://lkml.kernel.org/r/20240617075758.wewhukbrjod5fp5o@quack3 Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Cc: Hillf Danton <hdanton@sina.com> Cc: Matthew Wilcox (Oracle) <willy@infradead.org> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit c33c2b0d92aa1c2262d999b2598ad6fbd53bd479) Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com> |
||
|
Ryusuke Konishi
|
72ae23ea4e |
nilfs2: fix inode number range checks
commit e2fec219a36e0993642844be0f345513507031f4 upstream. Patch series "nilfs2: fix potential issues related to reserved inodes". This series fixes one use-after-free issue reported by syzbot, caused by nilfs2's internal inode being exposed in the namespace on a corrupted filesystem, and a couple of flaws that cause problems if the starting number of non-reserved inodes written in the on-disk super block is intentionally (or corruptly) changed from its default value. This patch (of 3): In the current implementation of nilfs2, "nilfs->ns_first_ino", which gives the first non-reserved inode number, is read from the superblock, but its lower limit is not checked. As a result, if a number that overlaps with the inode number range of reserved inodes such as the root directory or metadata files is set in the super block parameter, the inode number test macros (NILFS_MDT_INODE and NILFS_VALID_INODE) will not function properly. In addition, these test macros use left bit-shift calculations using with the inode number as the shift count via the BIT macro, but the result of a shift calculation that exceeds the bit width of an integer is undefined in the C specification, so if "ns_first_ino" is set to a large value other than the default value NILFS_USER_INO (=11), the macros may potentially malfunction depending on the environment. Fix these issues by checking the lower bound of "nilfs->ns_first_ino" and by preventing bit shifts equal to or greater than the NILFS_USER_INO constant in the inode number test macros. Also, change the type of "ns_first_ino" from signed integer to unsigned integer to avoid the need for type casting in comparisons such as the lower bound check introduced this time. Link: https://lkml.kernel.org/r/20240623051135.4180-1-konishi.ryusuke@gmail.com Link: https://lkml.kernel.org/r/20240623051135.4180-2-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Cc: Hillf Danton <hdanton@sina.com> Cc: Jan Kara <jack@suse.cz> Cc: Matthew Wilcox (Oracle) <willy@infradead.org> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 57235c3c88bb430043728d0d02f44a4efe386476) Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com> |
||
|
Richard Raya
|
15a5216c8c |
Merge branch 'linux-4.14.y' of https://github.com/openela/kernel-lts
* 'linux-4.14.y' of https://github.com/openela/kernel-lts: (133 commits) LTS: Update to 4.14.350 SUNRPC: Fix RPC client cleaned up the freed pipefs dentries arm64: dts: rockchip: Add sound-dai-cells for RK3368 tcp: Fix data races around icsk->icsk_af_ops. ipv6: Fix data races around sk->sk_prot. ipv6: annotate some data-races around sk->sk_prot pwm: stm32: Refuse too small period requests ftruncate: pass a signed offset batman-adv: Don't accept TT entries for out-of-spec VIDs batman-adv: include gfp.h for GFP_* defines drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes hexagon: fix fadvise64_64 calling conventions tty: mcf: MCF54418 has 10 UARTS usb: atm: cxacru: fix endpoint checking in cxacru_bind() usb: musb: da8xx: fix a resource leak in probe() usb: gadget: printer: SS+ support net: usb: ax88179_178a: improve link status logs iio: adc: ad7266: Fix variable checking bug mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos ... Change-Id: I0ab862e0932a48f13c64657e5456f3034b766445 Signed-off-by: Richard Raya <rdxzv.dev@gmail.com> |
||
|
Ryusuke Konishi
|
948b6135a2 |
nilfs2: fix potential kernel bug due to lack of writeback flag waiting
commit a4ca369ca221bb7e06c725792ac107f0e48e82e7 upstream. Destructive writes to a block device on which nilfs2 is mounted can cause a kernel bug in the folio/page writeback start routine or writeback end routine (__folio_start_writeback in the log below): kernel BUG at mm/page-writeback.c:3070! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI ... RIP: 0010:__folio_start_writeback+0xbaa/0x10e0 Code: 25 ff 0f 00 00 0f 84 18 01 00 00 e8 40 ca c6 ff e9 17 f6 ff ff e8 36 ca c6 ff 4c 89 f7 48 c7 c6 80 c0 12 84 e8 e7 b3 0f 00 90 <0f> 0b e8 1f ca c6 ff 4c 89 f7 48 c7 c6 a0 c6 12 84 e8 d0 b3 0f 00 ... Call Trace: <TASK> nilfs_segctor_do_construct+0x4654/0x69d0 [nilfs2] nilfs_segctor_construct+0x181/0x6b0 [nilfs2] nilfs_segctor_thread+0x548/0x11c0 [nilfs2] kthread+0x2f0/0x390 ret_from_fork+0x4b/0x80 ret_from_fork_asm+0x1a/0x30 </TASK> This is because when the log writer starts a writeback for segment summary blocks or a super root block that use the backing device's page cache, it does not wait for the ongoing folio/page writeback, resulting in an inconsistent writeback state. Fix this issue by waiting for ongoing writebacks when putting folios/pages on the backing device into writeback state. Link: https://lkml.kernel.org/r/20240530141556.4411-1-konishi.ryusuke@gmail.com Fixes: 9ff05123e3bf ("nilfs2: segment constructor") Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 95f6f81e50d858a7c9aa7c795ec14a0ac3819118) Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com> |
||
|
Ryusuke Konishi
|
c5682abd08 |
nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors
[ Upstream commit 7373a51e7998b508af7136530f3a997b286ce81c ] The error handling in nilfs_empty_dir() when a directory folio/page read fails is incorrect, as in the old ext2 implementation, and if the folio/page cannot be read or nilfs_check_folio() fails, it will falsely determine the directory as empty and corrupt the file system. In addition, since nilfs_empty_dir() does not immediately return on a failed folio/page read, but continues to loop, this can cause a long loop with I/O if i_size of the directory's inode is also corrupted, causing the log writer thread to wait and hang, as reported by syzbot. Fix these issues by making nilfs_empty_dir() immediately return a false value (0) if it fails to get a directory folio/page. Link: https://lkml.kernel.org/r/20240604134255.7165-1-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Reported-by: syzbot+c8166c541d3971bf6c87@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=c8166c541d3971bf6c87 Fixes: 2ba466d74ed7 ("nilfs2: directory entry operations") Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 2ac8a2fe22bdde9eecce2a42cf5cab79333fb428) Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com> |
||
Matthew Wilcox (Oracle)
|
52c1c33e0d |
nilfs2: return the mapped address from nilfs_get_page()
[ Upstream commit 09a46acb3697e50548bb265afa1d79163659dd85 ] In prepartion for switching from kmap() to kmap_local(), return the kmap address from nilfs_get_page() instead of having the caller look up page_address(). [konishi.ryusuke: fixed a missing blank line after declaration] Link: https://lkml.kernel.org/r/20231127143036.2425-7-konishi.ryusuke@gmail.com Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Stable-dep-of: 7373a51e7998 ("nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors") Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 7ed62ec616a3441aa3859150d50fadf5fd117aa8) Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com> |
||
|
Matthew Wilcox (Oracle)
|
71bf6edd5d |
nilfs2: Remove check for PageError
[ Upstream commit 79ea65563ad8aaab309d61eeb4d5019dd6cf5fa0 ]
If read_mapping_page() encounters an error, it returns an errno, not a
page with PageError set, so this test is not needed.
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Stable-dep-of: 7373a51e7998 ("nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors")
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit c158e493640ce76e76241f0529cebe19770ba5b2)
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||
|
Richard Raya
|
fad3b5236d |
This is the 4.14.349 OpenELA-Extended LTS stable release
-----BEGIN PGP SIGNATURE----- iQJNBAABCAA3FiEERFwmR4yFob14UDOYC8702P6YulgFAmaYMNYZHHZlZ2FyZC5u b3NzdW1Ab3JhY2xlLmNvbQAKCRALzvTY/pi6WI+2EACbJP/GYZL4iZezt3yp9J6y ObeobshL3ODENH9J4Rpjo7EJNdRbiJmqK07C6g3gxfEBqYhMDxYCBbhwTTvvHmu7 ezr1rmQmUlyzf2qW905a+rTawUrKztZpvZ0ycRXgfQHjX8w64salq/G5X9kJ1CZQ 0TYwhDXXYRc1yuhJkVH0+ZUP+FvSBYXY42QZQ8tRzviBKgHUqyQ2JiLN7yGXStSp PEOCeXuEsQxkzbFU1rG7J9KXfUYndih+fiGSvuUUZF6WTHNobfkh+nrGzsdadtUp UW9nEdHjjEhTpTr125uOGc3H2Y1rWVPrcZ9kvJBhzf4WKNBFu2v7Bc5i2/Yz/jKU 5cz7bjqpSnFOAmNe1f+pOO2oIsBk/xhAbMrPHS1eTJfUJmVL21HgDS3nXfV3yYcR 0cHH10HGf7DEx2PRh3DM53XzaiumOXY3e/eFt+syYFWtsPY0XKHjsfwLeoujCVgh Sb6yiV1HTNg2hkGck+CQKTvHKZhSs1uE+vGSHiSTpryrsXYCTRJySSXEdiU0QpeL c9xzRE0PrUaUKNucdimGr6EqvXL11M1I59Z3ygk8vyLGI13vSmkRZ9Sl7m0tbirA 0K1Ws2PkwuYQEOut8Esp6DJ2n38Uz3j0lnb2lreC0KbfXMvPWQfP81M1Lc+Pkpn6 Zgbbs68F6jYs0KV/iRty2A== =RvUO -----END PGP SIGNATURE----- Merge tag 'v4.14.349-openela' of https://github.com/openela/kernel-lts This is the 4.14.349 OpenELA-Extended LTS stable release * tag 'v4.14.349-openela' of https://github.com/openela/kernel-lts: (160 commits) LTS: Update to 4.14.349 x86/kvm: Disable all PV features on crash x86/kvm: Disable kvmclock on all CPUs on shutdown x86/kvm: Teardown PV features on boot CPU as well crypto: algif_aead - fix uninitialized ctx->init nfs: fix undefined behavior in nfs_block_bits() ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find() sparc: move struct termio to asm/termios.h kdb: Use format-specifiers rather than memset() for padding in kdb_read() kdb: Merge identical case statements in kdb_read() kdb: Fix console handling when editing and tab-completing commands kdb: Use format-strings rather than '\0' injection in kdb_read() kdb: Fix buffer overflow during tab-complete sparc64: Fix number of online CPUs intel_th: pci: Add Meteor Lake-S CPU support net/9p: fix uninit-value in p9_client_rpc() crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak KVM: arm64: Allow AArch32 PSTATE.M to be restored as System mode netfilter: nft_dynset: relax superfluous check on set updates netfilter: nft_dynset: report EOPNOTSUPP on missing set feature ... Change-Id: Idb0053e6b2186ef17f31e15fdb601ae451c81283 Signed-off-by: Richard Raya <rdxzv.dev@gmail.com> |
||
|
Ryusuke Konishi
|
705fabd903 |
nilfs2: fix use-after-free of timer for log writer thread
commit f5d4e04634c9cf68bdf23de08ada0bb92e8befe7 upstream. Patch series "nilfs2: fix log writer related issues". This bug fix series covers three nilfs2 log writer-related issues, including a timer use-after-free issue and potential deadlock issue on unmount, and a potential freeze issue in event synchronization found during their analysis. Details are described in each commit log. This patch (of 3): A use-after-free issue has been reported regarding the timer sc_timer on the nilfs_sc_info structure. The problem is that even though it is used to wake up a sleeping log writer thread, sc_timer is not shut down until the nilfs_sc_info structure is about to be freed, and is used regardless of the thread's lifetime. Fix this issue by limiting the use of sc_timer only while the log writer thread is alive. Link: https://lkml.kernel.org/r/20240520132621.4054-1-konishi.ryusuke@gmail.com Link: https://lkml.kernel.org/r/20240520132621.4054-2-konishi.ryusuke@gmail.com Fixes: fdce895ea5dd ("nilfs2: change sc_timer from a pointer to an embedded one in struct nilfs_sc_info") Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Reported-by: "Bai, Shuangpeng" <sjb7183@psu.edu> Closes: https://groups.google.com/g/syzkaller/c/MK_LYqtt8ko/m/8rgdWeseAwAJ Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 822ae5a8eac30478578a75f7e064f0584931bf2d) Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com> |
||
Kees Cook
|
042d63a097 |
fs/nilfs2: convert timers to use timer_setup()
In preparation for unconditionally passing the struct timer_list pointer to all timer callbacks, switch to using the new timer_setup() and from_timer() to pass the timer pointer explicitly. This requires adding a pointer to hold the timer's target task, as the lifetime of sc_task doesn't appear to match the timer's task. Link: http://lkml.kernel.org/r/20171016235900.GA102729@beast Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> (cherry picked from commit 7554e9c4cfa208acf3164a86c05aaa967b043425) Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com> |
||
|
Arnd Bergmann
|
7ee6938a59 |
nilfs2: fix out-of-range warning
[ Upstream commit c473bcdd80d4ab2ae79a7a509a6712818366e32a ]
clang-14 points out that v_size is always smaller than a 64KB
page size if that is configured by the CPU architecture:
fs/nilfs2/ioctl.c:63:19: error: result of comparison of constant 65536 with expression of type '__u16' (aka 'unsigned short') is always false [-Werror,-Wtautological-constant-out-of-range-compare]
if (argv->v_size > PAGE_SIZE)
~~~~~~~~~~~~ ^ ~~~~~~~~~
This is ok, so just shut up that warning with a cast.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/20240328143051.1069575-7-arnd@kernel.org
Fixes: 3358b4aaa84f ("nilfs2: fix problems of memory allocation in ioctl")
Acked-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reviewed-by: Justin Stitt <justinstitt@google.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 7610fd35b74211ab8def4e124095e600a1ae945b)
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||
|
Ryusuke Konishi
|
6696ef522e |
nilfs2: fix potential hang in nilfs_detach_log_writer()
commit eb85dace897c5986bc2f36b3c783c6abb8a4292e upstream.
Syzbot has reported a potential hang in nilfs_detach_log_writer() called
during nilfs2 unmount.
Analysis revealed that this is because nilfs_segctor_sync(), which
synchronizes with the log writer thread, can be called after
nilfs_segctor_destroy() terminates that thread, as shown in the call trace
below:
nilfs_detach_log_writer
nilfs_segctor_destroy
nilfs_segctor_kill_thread --> Shut down log writer thread
flush_work
nilfs_iput_work_func
nilfs_dispose_list
iput
nilfs_evict_inode
nilfs_transaction_commit
nilfs_construct_segment (if inode needs sync)
nilfs_segctor_sync --> Attempt to synchronize with
log writer thread
*** DEADLOCK ***
Fix this issue by changing nilfs_segctor_sync() so that the log writer
thread returns normally without synchronizing after it terminates, and by
forcing tasks that are already waiting to complete once after the thread
terminates.
The skipped inode metadata flushout will then be processed together in the
subsequent cleanup work in nilfs_segctor_destroy().
Link: https://lkml.kernel.org/r/20240520132621.4054-4-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+e3973c409251e136fdd0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=e3973c409251e136fdd0
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: <stable@vger.kernel.org>
Cc: "Bai, Shuangpeng" <sjb7183@psu.edu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 911d38be151921a5d152bb55e81fd752384c6830)
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||
|
Ryusuke Konishi
|
39d470c1d6 |
nilfs2: fix unexpected freezing of nilfs_segctor_sync()
commit 936184eadd82906992ff1f5ab3aada70cce44cee upstream. A potential and reproducible race issue has been identified where nilfs_segctor_sync() would block even after the log writer thread writes a checkpoint, unless there is an interrupt or other trigger to resume log writing. This turned out to be because, depending on the execution timing of the log writer thread running in parallel, the log writer thread may skip responding to nilfs_segctor_sync(), which causes a call to schedule() waiting for completion within nilfs_segctor_sync() to lose the opportunity to wake up. The reason why waking up the task waiting in nilfs_segctor_sync() may be skipped is that updating the request generation issued using a shared sequence counter and adding an wait queue entry to the request wait queue to the log writer, are not done atomically. There is a possibility that log writing and request completion notification by nilfs_segctor_wakeup() may occur between the two operations, and in that case, the wait queue entry is not yet visible to nilfs_segctor_wakeup() and the wake-up of nilfs_segctor_sync() will be carried over until the next request occurs. Fix this issue by performing these two operations simultaneously within the lock section of sc_state_lock. Also, following the memory barrier guidelines for event waiting loops, move the call to set_current_state() in the same location into the event waiting loop to ensure that a memory barrier is inserted just before the event condition determination. Link: https://lkml.kernel.org/r/20240520132621.4054-3-konishi.ryusuke@gmail.com Fixes: 9ff05123e3bf ("nilfs2: segment constructor") Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Cc: <stable@vger.kernel.org> Cc: "Bai, Shuangpeng" <sjb7183@psu.edu> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 072980bc50626c4557694ce54e3f6f2bde02b6e0) Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com> |
||
|
Richard Raya
|
3143685e95 |
Merge branch 'linux-4.14.y' of https://github.com/openela/kernel-lts
* 'linux-4.14.y' of https://github.com/openela/kernel-lts: (278 commits) LTS: Update to 4.14.348 docs: kernel_include.py: Cope with docutils 0.21 serial: kgdboc: Fix NMI-safety problems from keyboard reset code btrfs: add missing mutex_unlock in btrfs_relocate_sys_chunks() dm: limit the number of targets and parameter size area Revert "selftests: mm: fix map_hugetlb failure on 64K page size systems" LTS: Update to 4.14.347 rds: Fix build regression. RDS: IB: Use DEFINE_PER_CPU_SHARED_ALIGNED for rds_ib_stats af_unix: Suppress false-positive lockdep splat for spin_lock() in __unix_gc(). net: fix out-of-bounds access in ops_init drm/vmwgfx: Fix invalid reads in fence signaled events dyndbg: fix old BUG_ON in >control parser tipc: fix UAF in error path usb: gadget: f_fs: Fix a race condition when processing setup packets. usb: gadget: composite: fix OS descriptors w_value logic firewire: nosy: ensure user_length is taken into account when fetching packet contents af_unix: Fix garbage collector racing against connect() af_unix: Do not use atomic ops for unix_sk(sk)->inflight. ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action() ... Change-Id: If329d39dd4e95e14045bb7c58494c197d1352d60 Signed-off-by: Richard Raya <rdxzv.dev@gmail.com> |
||
Jeongjun Park
|
6688170373 |
nilfs2: fix OOB in nilfs_set_de_type
commit c4a7dc9523b59b3e73fd522c73e95e072f876b16 upstream.
The size of the nilfs_type_by_mode array in the fs/nilfs2/dir.c file is
defined as "S_IFMT >> S_SHIFT", but the nilfs_set_de_type() function,
which uses this array, specifies the index to read from the array in the
same way as "(mode & S_IFMT) >> S_SHIFT".
static void nilfs_set_de_type(struct nilfs_dir_entry *de, struct inode
*inode)
{
umode_t mode = inode->i_mode;
de->file_type = nilfs_type_by_mode[(mode & S_IFMT)>>S_SHIFT]; // oob
}
However, when the index is determined this way, an out-of-bounds (OOB)
error occurs by referring to an index that is 1 larger than the array size
when the condition "mode & S_IFMT == S_IFMT" is satisfied. Therefore, a
patch to resize the nilfs_type_by_mode array should be applied to prevent
OOB errors.
Link: https://lkml.kernel.org/r/20240415182048.7144-1-konishi.ryusuke@gmail.com
Reported-by: syzbot+2e22057de05b9f3b30d8@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2e22057de05b9f3b30d8
Fixes: 2ba466d74ed7 ("nilfs2: directory entry operations")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 054f29e9ca05be3906544c5f2a2c7321c30a4243)
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||
|
Ryusuke Konishi
|
a3a1048f65 |
nilfs2: prevent kernel bug at submit_bh_wbc()
[ Upstream commit 269cdf353b5bdd15f1a079671b0f889113865f20 ] Fix a bug where nilfs_get_block() returns a successful status when searching and inserting the specified block both fail inconsistently. If this inconsistent behavior is not due to a previously fixed bug, then an unexpected race is occurring, so return a temporary error -EAGAIN instead. This prevents callers such as __block_write_begin_int() from requesting a read into a buffer that is not mapped, which would cause the BUG_ON check for the BH_Mapped flag in submit_bh_wbc() to fail. Link: https://lkml.kernel.org/r/20240313105827.5296-3-konishi.ryusuke@gmail.com Fixes: 1f5abe7e7dbc ("nilfs2: replace BUG_ON and BUG calls triggerable from ioctl") Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 91e4c4595fae5e87069e44687ae879091783c183) Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com> |
||
Joe Perches
|
f54f17b7da |
nilfs2: use a more common logging style
[ Upstream commit a1d0747a393a079631130d61faa2a61027d1c789 ] Add macros for nilfs_<level>(sb, fmt, ...) and convert the uses of 'nilfs_msg(sb, KERN_<LEVEL>, ...)' to 'nilfs_<level>(sb, ...)' so nilfs2 uses a logging style more like the typical kernel logging style. Miscellanea: o Realign arguments for these uses Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Link: http://lkml.kernel.org/r/1595860111-3920-4-git-send-email-konishi.ryusuke@gmail.com Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Stable-dep-of: 269cdf353b5b ("nilfs2: prevent kernel bug at submit_bh_wbc()") Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 5c8f85e9ff21ee1fc6d20fcd73a15877556c3bbe) [Vegard: fix conflicts due to missing commit 1751e8a6cb935e555fcdbcb9ab4f0446e322ca3e ("Rename superblock flags (MS_xyz -> SB_xyz)").] Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com> |
||
|
Ryusuke Konishi
|
592973ee7e |
nilfs2: fix failure to detect DAT corruption in btree and direct mappings
[ Upstream commit f2f26b4a84a0ef41791bd2d70861c8eac748f4ba ] Patch series "nilfs2: fix kernel bug at submit_bh_wbc()". This resolves a kernel BUG reported by syzbot. Since there are two flaws involved, I've made each one a separate patch. The first patch alone resolves the syzbot-reported bug, but I think both fixes should be sent to stable, so I've tagged them as such. This patch (of 2): Syzbot has reported a kernel bug in submit_bh_wbc() when writing file data to a nilfs2 file system whose metadata is corrupted. There are two flaws involved in this issue. The first flaw is that when nilfs_get_block() locates a data block using btree or direct mapping, if the disk address translation routine nilfs_dat_translate() fails with internal code -ENOENT due to DAT metadata corruption, it can be passed back to nilfs_get_block(). This causes nilfs_get_block() to misidentify an existing block as non-existent, causing both data block lookup and insertion to fail inconsistently. The second flaw is that nilfs_get_block() returns a successful status in this inconsistent state. This causes the caller __block_write_begin_int() or others to request a read even though the buffer is not mapped, resulting in a BUG_ON check for the BH_Mapped flag in submit_bh_wbc() failing. This fixes the first issue by changing the return value to code -EINVAL when a conversion using DAT fails with code -ENOENT, avoiding the conflicting condition that leads to the kernel bug described above. Here, code -EINVAL indicates that metadata corruption was detected during the block lookup, which will be properly handled as a file system error and converted to -EIO when passing through the nilfs2 bmap layer. Link: https://lkml.kernel.org/r/20240313105827.5296-1-konishi.ryusuke@gmail.com Link: https://lkml.kernel.org/r/20240313105827.5296-2-konishi.ryusuke@gmail.com Fixes: c3a7abf06ce7 ("nilfs2: support contiguous lookup of blocks") Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Reported-by: syzbot+cfed5b56649bddf80d6e@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=cfed5b56649bddf80d6e Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit b67189690eb4b7ecc84ae16fa1e880e0123eaa35) Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com> |
||
|
Richard Raya
|
a9e2d194be |
Merge branch 'linux-4.14.y' of https://github.com/openela/kernel-lts
* 'linux-4.14.y' of https://github.com/openela/kernel-lts: (350 commits) LTS: Update to 4.14.340 fs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio KVM: arm64: vgic-its: Test for valid IRQ in its_sync_lpi_pending_table() PCI/MSI: Prevent MSI hardware interrupt number truncation s390: use the correct count for __iowrite64_copy() packet: move from strlcpy with unused retval to strscpy ipv6: sr: fix possible use-after-free and null-ptr-deref nouveau: fix function cast warnings scsi: jazz_esp: Only build if SCSI core is builtin RDMA/srpt: fix function pointer cast warnings RDMA/srpt: Support specifying the srpt_service_guid parameter IB/hfi1: Fix a memleak in init_credit_return usb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs l2tp: pass correct message length to ip6_append_data gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp() dm-crypt: don't modify the data when using authenticated encryption mm: memcontrol: switch to rcu protection in drain_all_stock() s390/qeth: Fix potential loss of L3-IP@ in case of network issues virtio-blk: Ensure no requests in virtqueues before deleting vqs. firewire: core: send bus reset promptly on gap count error ... Change-Id: Ieafdd459ee41343bf15ed781b3e45adc2be29cc1 Signed-off-by: Richard Raya <rdxzv.dev@gmail.com> |
||
|
Richard Raya
|
669eb74484 |
Merge branch 'deprecated/android-4.14-stable' of https://android.googlesource.com/kernel/common into HEAD
* 'deprecated/android-4.14-stable' of https://android.googlesource.com/kernel/common: (101 commits) Linux 4.14.336 mmc: core: Cancel delayed work before releasing host mmc: rpmb: fixes pause retune on all RPMB partitions. firewire: ohci: suppress unexpected system reboot in AMD Ryzen machines and ASM108x/VT630x PCIe cards i40e: fix use-after-free in i40e_aqc_add_filters() net: bcmgenet: Fix FCS generation for fragmented skbuffs net: sched: em_text: fix possible memory leak in em_text_destroy() nfc: llcp_core: Hold a ref to llcp_local->dev when holding a ref to llcp_local UPSTREAM: drm: Fix doc warning in drm_connector_attach_edid_property() BACKPORT: lib/vsprintf: Hash legacy clock addresses UPSTREAM: xfrm: fix gro_cells leak when remove virtual xfrm interfaces UPSTREAM: xfrm: Make function xfrmi_get_link_net() static UPSTREAM: cpuidle: menu: Retain tick when shallow state is selected UPSTREAM: bpf: fix rcu annotations in compute_effective_progs() UPSTREAM: bpf: bpf_prog_array_alloc() should return a generic non-rcu pointer UPSTREAM: sched/util_est: Fix util_est_dequeue() for throttled cfs_rq UPSTREAM: softirq: Reorder trace_softirqs_on to prevent lockdep splat UPSTREAM: l2tp: fix refcount leakage on PPPoL2TP sockets UPSTREAM: HID: steam: select CONFIG_POWER_SUPPLY BACKPORT: mac80211_hwsim: fix a possible memory leak in hwsim_new_radio_nl() ... Change-Id: I1c98fbb0918986a06bee16b0c11fe8bee003fd3f Signed-off-by: Richard Raya <rdxzv.dev@gmail.com> |
||
|
Ryusuke Konishi
|
c352221909 |
nilfs2: replace WARN_ONs for invalid DAT metadata block requests
commit 5124a0a549857c4b87173280e192eea24dea72ad upstream. If DAT metadata file block access fails due to corruption of the DAT file or abnormal virtual block numbers held by b-trees or inodes, a kernel warning is generated. This replaces the WARN_ONs by error output, so that a kernel, booted with panic_on_warn, does not panic. This patch also replaces the detected return code -ENOENT with another internal code -EINVAL to notify the bmap layer of metadata corruption. When the bmap layer sees -EINVAL, it handles the abnormal situation with nilfs_bmap_convert_error() and finally returns code -EIO as it should. Link: https://lkml.kernel.org/r/0000000000005cc3d205ea23ddcf@google.com Link: https://lkml.kernel.org/r/20230126164114.6911-1-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Reported-by: <syzbot+5d5d25f90f195a3cfcb4@syzkaller.appspotmail.com> Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit b06dec684e11ea944d896ac78cec1602e5157eb8) Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com> |
||
|
Ryusuke Konishi
|
9dc394f2da |
nilfs2: fix potential bug in end_buffer_async_write
commit 5bc09b397cbf1221f8a8aacb1152650c9195b02b upstream.
According to a syzbot report, end_buffer_async_write(), which handles the
completion of block device writes, may detect abnormal condition of the
buffer async_write flag and cause a BUG_ON failure when using nilfs2.
Nilfs2 itself does not use end_buffer_async_write(). But, the async_write
flag is now used as a marker by commit 7f42ec394156 ("nilfs2: fix issue
with race condition of competition between segments for dirty blocks") as
a means of resolving double list insertion of dirty blocks in
nilfs_lookup_dirty_data_buffers() and nilfs_lookup_node_buffers() and the
resulting crash.
This modification is safe as long as it is used for file data and b-tree
node blocks where the page caches are independent. However, it was
irrelevant and redundant to also introduce async_write for segment summary
and super root blocks that share buffers with the backing device. This
led to the possibility that the BUG_ON check in end_buffer_async_write
would fail as described above, if independent writebacks of the backing
device occurred in parallel.
The use of async_write for segment summary buffers has already been
removed in a previous change.
Fix this issue by removing the manipulation of the async_write flag for
the remaining super root block buffer.
Link: https://lkml.kernel.org/r/20240203161645.4992-1-konishi.ryusuke@gmail.com
Fixes: 7f42ec394156 ("nilfs2: fix issue with race condition of competition between segments for dirty blocks")
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+5c04210f7c7f897c1e7f@syzkaller.appspotmail.com
Closes: https://lkml.kernel.org/r/00000000000019a97c05fd42f8c8@google.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit c4a09fdac625e64abe478dcf88bfa20406616928)
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||
|
Ryusuke Konishi
|
188292ff81 |
nilfs2: fix hang in nilfs_lookup_dirty_data_buffers()
commit 38296afe3c6ee07319e01bb249aa4bb47c07b534 upstream. Syzbot reported a hang issue in migrate_pages_batch() called by mbind() and nilfs_lookup_dirty_data_buffers() called in the log writer of nilfs2. While migrate_pages_batch() locks a folio and waits for the writeback to complete, the log writer thread that should bring the writeback to completion picks up the folio being written back in nilfs_lookup_dirty_data_buffers() that it calls for subsequent log creation and was trying to lock the folio. Thus causing a deadlock. In the first place, it is unexpected that folios/pages in the middle of writeback will be updated and become dirty. Nilfs2 adds a checksum to verify the validity of the log being written and uses it for recovery at mount, so data changes during writeback are suppressed. Since this is broken, an unclean shutdown could potentially cause recovery to fail. Investigation revealed that the root cause is that the wait for writeback completion in nilfs_page_mkwrite() is conditional, and if the backing device does not require stable writes, data may be modified without waiting. Fix these issues by making nilfs_page_mkwrite() wait for writeback to finish regardless of the stable write requirement of the backing device. Link: https://lkml.kernel.org/r/20240131145657.4209-1-konishi.ryusuke@gmail.com Fixes: 1d1d1a767206 ("mm: only enforce stable page writes if the backing device requires it") Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Reported-by: syzbot+ee2ae68da3b22d04cd8d@syzkaller.appspotmail.com Closes: https://lkml.kernel.org/r/00000000000047d819061004ad6c@google.com Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 228742b2ddfb99dfd71e5a307e6088ab6836272e) Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com> |
||
|
Ryusuke Konishi
|
a53d021d96 |
nilfs2: fix data corruption in dsync block recovery for small block sizes
commit 67b8bcbaed4777871bb0dcc888fb02a614a98ab1 upstream. The helper function nilfs_recovery_copy_block() of nilfs_recovery_dsync_blocks(), which recovers data from logs created by data sync writes during a mount after an unclean shutdown, incorrectly calculates the on-page offset when copying repair data to the file's page cache. In environments where the block size is smaller than the page size, this flaw can cause data corruption and leak uninitialized memory bytes during the recovery process. Fix these issues by correcting this byte offset calculation on the page. Link: https://lkml.kernel.org/r/20240124121936.10575-1-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 5278c3eb6bf5896417572b52adb6be9d26e92f65) Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com> |
||
Greg Kroah-Hartman
|
8382692884 |
This is the 4.14.333 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmV50c4ACgkQONu9yGCS aT7NBxAAtKBLAoVN5J4r4/i/H6ac1RonF4Lq6Y2S0CgV81IYPH602dV6OsC6bGh6 UrSBiA0p2jBDLSFcDJOyrneMxJHveA0KSczAPNscE+ml7bVmiT47ySw6KxdM8wEU 3fnSdmUZ96Sa0CQoJSU50ot7lhzAiiMG8JWCLRPDRofIN0+qpTw5oCSnwKGsqyO8 LJkRujzKfWAykYQIrUYXqeIzzxww0JbE/8MRbeNT+2OfjG/jZamZwBQPFUWih67Q qAGFxV4n1MUdo4+kd5rpaYw5/5boPoVo8KIaxnrCWbauXn2MUT0ZWLDKnGu5hptL 6PHy66FFTYQjFJpuTc4+X7vzqptSJta8SSDqpcJ9FX9bVUdTuH07QDkA5yGmttb6 2W1fJKR9rTyt1+J526xBWgNdyilv08IUP4R6g4RUe2aRuqDMFrPAegcCyeQ7g99f cpg5z/knynn1qvJ4CznM83z1ZxwgG861G94ZJPPd2hKTPRltQpt9fF35ekeaHzcF f8vZfnYzD228R0FgtDcA8d9VIU/K3gICbhr1SCASy8uUyt+8RRtxxjGX4QUOwbZW PQwdX500xLzV5Lg7fOzyuaM/6+oYk+vU5iYJnkeglg5ReYtfEerHNtVRh4PAtgEu 04G81HY9cHjSqne6I5MTE/sx9L3JZj5dED8ZqDMqag5pB+G/1EQ= =ey14 -----END PGP SIGNATURE----- Merge 4.14.333 into android-4.14-stable Changes in 4.14.333 tg3: Move the [rt]x_dropped counters to tg3_napi tg3: Increment tx_dropped in tg3_tso_bug() drm/amdgpu: correct chunk_ptr to a pointer to chunk. net: hns: fix fake link up on xge port tcp: do not accept ACK of bytes we never sent RDMA/bnxt_re: Correct module description string hwmon: (acpi_power_meter) Fix 4.29 MW bug tracing: Fix a warning when allocating buffered events fails scsi: be2iscsi: Fix a memleak in beiscsi_init_wrb_handle() ALSA: pcm: fix out-of-bounds in snd_pcm_state_names nilfs2: prevent WARNING in nilfs_sufile_set_segment_usage() tracing: Always update snapshot buffer size tracing: Fix incomplete locking when disabling buffered events tracing: Fix a possible race when disabling buffered events packet: Move reference count in packet_sock to atomic_long_t parport: Add support for Brainboxes IX/UC/PX parallel cards serial: sc16is7xx: address RX timeout interrupt errata serial: 8250_omap: Add earlycon support for the AM654 UART controller KVM: s390/mm: Properly reset no-dat nilfs2: fix missing error check for sb_set_blocksize call netlink: don't call ->netlink_bind with table lock held genetlink: add CAP_NET_ADMIN test for multicast bind psample: Require 'CAP_NET_ADMIN' when joining "packets" group drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group Linux 4.14.333 Change-Id: Iebcaaf9d6c5e2ef71dd23c3c6246f6cef45d296a Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Ryusuke Konishi
|
5c18041b65 |
nilfs2: fix missing error check for sb_set_blocksize call
commit d61d0ab573649789bf9eb909c89a1a193b2e3d10 upstream. When mounting a filesystem image with a block size larger than the page size, nilfs2 repeatedly outputs long error messages with stack traces to the kernel log, such as the following: getblk(): invalid block size 8192 requested logical block size: 512 ... Call Trace: dump_stack_lvl+0x92/0xd4 dump_stack+0xd/0x10 bdev_getblk+0x33a/0x354 __breadahead+0x11/0x80 nilfs_search_super_root+0xe2/0x704 [nilfs2] load_nilfs+0x72/0x504 [nilfs2] nilfs_mount+0x30f/0x518 [nilfs2] legacy_get_tree+0x1b/0x40 vfs_get_tree+0x18/0xc4 path_mount+0x786/0xa88 __ia32_sys_mount+0x147/0x1a8 __do_fast_syscall_32+0x56/0xc8 do_fast_syscall_32+0x29/0x58 do_SYSENTER_32+0x15/0x18 entry_SYSENTER_32+0x98/0xf1 ... This overloads the system logger. And to make matters worse, it sometimes crashes the kernel with a memory access violation. This is because the return value of the sb_set_blocksize() call, which should be checked for errors, is not checked. The latter issue is due to out-of-buffer memory being accessed based on a large block size that caused sb_set_blocksize() to fail for buffers read with the initial minimum block size that remained unupdated in the super_block structure. Since nilfs2 mkfs tool does not accept block sizes larger than the system page size, this has been overlooked. However, it is possible to create this situation by intentionally modifying the tool or by passing a filesystem image created on a system with a large page size to a system with a smaller page size and mounting it. Fix this issue by inserting the expected error handling for the call to sb_set_blocksize(). Link: https://lkml.kernel.org/r/20231129141547.4726-1-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Ryusuke Konishi
|
37ba50fefc |
nilfs2: prevent WARNING in nilfs_sufile_set_segment_usage()
commit 675abf8df1353e0e3bde314993e0796c524cfbf0 upstream. If nilfs2 reads a disk image with corrupted segment usage metadata, and its segment usage information is marked as an error for the segment at the write location, nilfs_sufile_set_segment_usage() can trigger WARN_ONs during log writing. Segments newly allocated for writing with nilfs_sufile_alloc() will not have this error flag set, but this unexpected situation will occur if the segment indexed by either nilfs->ns_segnum or nilfs->ns_nextnum (active segment) was marked in error. Fix this issue by inserting a sanity check to treat it as a file system corruption. Since error returns are not allowed during the execution phase where nilfs_sufile_set_segment_usage() is used, this inserts the sanity check into nilfs_sufile_mark_dirty() which pre-reads the buffer containing the segment usage record to be updated and sets it up in a dirty state for writing. In addition, nilfs_sufile_set_segment_usage() is also called when canceling log writing and undoing segment usage update, so in order to avoid issuing the same kernel warning in that case, in case of cancellation, avoid checking the error flag in nilfs_sufile_set_segment_usage(). Link: https://lkml.kernel.org/r/20231205085947.4431-1-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Reported-by: syzbot+14e9f834f6ddecece094@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=14e9f834f6ddecece094 Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Richard Raya
|
9cdc78c354 |
Merge branch 'android-4.14-stable' of https://android.googlesource.com/kernel/common
* 'android-4.14-stable' of https://android.googlesource.com/kernel/common: (2966 commits) Linux 4.14.331 net: sched: fix race condition in qdisc_graft() scsi: virtio_scsi: limit number of hw queues by nr_cpu_ids ext4: remove gdb backup copy for meta bg in setup_new_flex_group_blocks ext4: correct return value of ext4_convert_meta_bg ext4: correct offset of gdb backup in non meta_bg group to update_backups ext4: apply umask if ACL support is disabled media: venus: hfi: fix the check to handle session buffer requirement media: sharp: fix sharp encoding i2c: i801: fix potential race in i801_block_transaction_byte_by_byte net: dsa: lan9303: consequently nested-lock physical MDIO ALSA: info: Fix potential deadlock at disconnection parisc/pgtable: Do not drop upper 5 address bits of physical address parisc: Prevent booting 64-bit kernels on PA1.x machines mcb: fix error handling for different scenarios when parsing jbd2: fix potential data lost in recovering journal raced with synchronizing fs bdev genirq/generic_chip: Make irq_remove_generic_chip() irqdomain aware mmc: meson-gx: Remove setting of CMD_CFG_ERROR PM: hibernate: Clean up sync_read handling in snapshot_write_next() PM: hibernate: Use __get_safe_page() rather than touching the list ... Change-Id: I755d2aa7c525ace28adc4aee433572b3110ea39b |
||
|
Greg Kroah-Hartman
|
27c2ecdf37 |
This is the 4.14.327 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmUlqXsACgkQONu9yGCS
aT7KDQ//QlDFupXGqqqAkyOVgKr1eIP0/V6LarJFCRsHt+zTzdijtex7UrAX26R0
d8cN6oGZmuPJSRifvJkNI2zijVq/K/nYoN5+RA9+TjiYX7+kOsZcmWcjkwEfbDGZ
SMU13d7owzsqmM48pMQtPkqjxvo+3486icaiNLl+gEPex4BERVSX5k2Nu48J+JKX
kH4ebxCpiAqlCBXvz0cuR3Eto97cWJV7KiLGdgllhiCInDguIySA5GduPytvm4qx
+W+Ya1JN3lUxziODoFZ7eG1WrRaw4EigG1YQTvqafu3FVJcm/0Uxl1RHmeMDTcwP
vWmPHvrCR1x/vYEiAOmV5sOjDJSDKR/LZ8eVi2psgD3BTRo+ESOGtAj7rDyMyznU
02SzorFdRUm4VXJOjSnZer3Mv+0vLhXwIM2KYkdcDpXCnvfN3bIvlip17dI6p4yz
2/DxB82wr1C/OGPW/jQzKLpZh2JAT3N0Fmoy1R96UTa6tTdiGE7jS7xarwbPJnwZ
IuF45Vq4Y9FKI3xIn0+7FjbVi7O3X1z95b9v9SH8YoKhzAoKUaRh9RtoPjZmAJt3
s0JHeMMX7fPJl4C8mjMW1UGcAfysootll1/naGopgNXAl7qj8YrOWpQK8Pavn21q
AdoAwUOOsM9INMfDFpgJ89dgkixw1jeDSsHMEZtBAj3nWcjIj+8=
=ac+3
-----END PGP SIGNATURE-----
Merge 4.14.327 into android-4.14-stable
Changes in 4.14.327
NFS/pNFS: Report EINVAL errors from connect() to the server
ipv4: fix null-deref in ipv4_link_failure
powerpc/perf/hv-24x7: Update domain value check
dccp: fix dccp_v4_err()/dccp_v6_err() again
team: fix null-ptr-deref when team device type is changed
gpio: tb10x: Fix an error handling path in tb10x_gpio_probe()
i2c: mux: demux-pinctrl: check the return value of devm_kstrdup()
clk: tegra: fix error return case for recalc_rate
xtensa: boot: don't add include-dirs
xtensa: boot/lib: fix function prototypes
parisc: sba: Fix compile warning wrt list of SBA devices
parisc: iosapic.c: Fix sparse warnings
parisc: irq: Make irq_stack_union static to avoid sparse warning
selftests/ftrace: Correctly enable event in instance-event.tc
ring-buffer: Avoid softlockup in ring_buffer_resize()
ata: libata-eh: do not clear ATA_PFLAG_EH_PENDING in ata_eh_reset()
fbdev/sh7760fb: Depend on FB=y
ata: ahci: Drop pointless VPRINTK() calls and convert the remaining ones
ata: libahci: clear pending interrupt status
watchdog: iTCO_wdt: No need to stop the timer in probe
watchdog: iTCO_wdt: Set NO_REBOOT if the watchdog is not already running
serial: 8250_port: Check IRQ data before use
nilfs2: fix potential use after free in nilfs_gccache_submit_read_data()
ata: libata-scsi: ignore reserved bits for REPORT SUPPORTED OPERATION CODES
i2c: i801: unregister tco_pdev in i801_probe() error path
btrfs: properly report 0 avail for very full file systems
ata: libata-core: Fix ata_port_request_pm() locking
ata: libata-core: Fix port and device removal
ata: libata-sata: increase PMP SRST timeout to 10s
fs: binfmt_elf_efpic: fix personality for ELF-FDPIC
vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF
ext4: fix rec_len verify error
net/sched: sch_hfsc: Ensure inner classes have fsc curve
ata: libata: disallow dev-initiated LPM transitions to unsupported states
media: dvb: symbol fixup for dvb_attach() - again
scsi: zfcp: Fix a double put in zfcp_port_enqueue()
wifi: mwifiex: Fix tlv_buf_left calculation
ubi: Refuse attaching if mtd's erasesize is 0
wifi: mwifiex: Fix oob check condition in mwifiex_process_rx_packet
drivers/net: process the result of hdlc_open() and add call of hdlc_close() in uhdlc_close()
regmap: rbtree: Fix wrong register marked as in-cache when creating new node
scsi: target: core: Fix deadlock due to recursive locking
modpost: add missing else to the "of" check
ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data()
net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg
tcp: fix delayed ACKs for MSS boundary condition
sctp: update transport state when processing a dupcook packet
sctp: update hb timer immediately after users change hb_interval
cpupower: add Makefile dependencies for install targets
IB/mlx4: Fix the size of a buffer in add_port_entries()
gpio: aspeed: fix the GPIO number passed to pinctrl_gpio_set_config()
RDMA/cma: Fix truncation compilation warning in make_cma_ports
RDMA/mlx5: Fix NULL string error
parisc: Restore __ldcw_align for PA-RISC 2.0 processors
Revert "rtnetlink: Reject negative ifindexes in RTM_NEWLINK"
rtnetlink: Reject negative ifindexes in RTM_NEWLINK
xen/events: replace evtchn_rwlock with RCU
Linux 4.14.327
Change-Id: Id05d43bbb2482e858390f6cb31f43ba16c669675
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
Pan Bian
|
fb1084e63e |
nilfs2: fix potential use after free in nilfs_gccache_submit_read_data()
commit 7ee29facd8a9c5a26079148e36bcf07141b3a6bc upstream. In nilfs_gccache_submit_read_data(), brelse(bh) is called to drop the reference count of bh when the call to nilfs_dat_translate() fails. If the reference count hits 0 and its owner page gets unlocked, bh may be freed. However, bh->b_page is dereferenced to put the page after that, which may result in a use-after-free bug. This patch moves the release operation after unlocking and putting the page. NOTE: The function in question is only called in GC, and in combination with current userland tools, address translation using DAT does not occur in that function, so the code path that causes this issue will not be executed. However, it is possible to run that code path by intentionally modifying the userland GC library or by calling the GC ioctl directly. [konishi.ryusuke@gmail.com: NOTE added to the commit log] Link: https://lkml.kernel.org/r/1543201709-53191-1-git-send-email-bianpan2016@163.com Link: https://lkml.kernel.org/r/20230921141731.10073-1-konishi.ryusuke@gmail.com Fixes: a3d93f709e89 ("nilfs2: block cache for garbage collection") Signed-off-by: Pan Bian <bianpan2016@163.com> Reported-by: Ferry Meng <mengferry@linux.alibaba.com> Closes: https://lkml.kernel.org/r/20230818092022.111054-1-mengferry@linux.alibaba.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Greg Kroah-Hartman
|
3b3807ea9f |
This is the 4.14.326 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmUOphQACgkQONu9yGCS
aT48SA//UAwiChca8ejeMfb5naUV7yr0r7Vpe32I7+Z+vY+YmuKO2UWOdBi4rvrY
+PYIFCA7nfLpp6hXZg14ljX3w1Qh8WftXwlIeml5PJX+/IpyGT2FAx+CcYXAKdQk
KqANTdDAogw4wfPF+jY0hqRUP0NuIW2jzPU9cMQHm6/reRs8sSqs9wHo5tqlLLBN
YF66O+MyI/FZRwD3HxSeVlaNk1Rrk6I7CtdnXaUqMo7CosagayoiODn5vPMUJXZW
I7WOz4hFYJJhvnJKYKCoMUwmpsEQrQwxyeBipfXsoCjdSOn7TBJaTNEqo0cTq1aQ
kD34afHBY5cZaS2d0EKFcCYVxRwtzh0N73RuimPNTT3Rfkot9ARFwQjk+eOHrJDh
UQlx4aWq2vX400V68LeE6nSxwAoml888mISVrVqeLu4Xzt9dl4JlLD99GC0tu2GG
xKZp3BZ2spxEUciGT4Hby3f6PEGO3oJ/m8MSTNsn5wqdeZMbTUQ4O8yWLQZPaacc
M+FEHK/beW5inq5mi2hy0rs2uvhbSQoLV79jbS0EeN2x5Z6MTyWfifRqLx1VzvgF
oZHw7AeSv97oJGQfqF5j9BIUOC8jMzMircmxY5z/MmWvvjpkoMtTi0Fm66KbR6c/
Ydm83ptyuPg0XotdjlGAc1tGkVQatx7c1XzYqeOhKDBxvY4l13A=
=RCAu
-----END PGP SIGNATURE-----
Merge 4.14.326 into android-4.14-stable
Changes in 4.14.326
ARM: pxa: remove use of symbol_get()
mmc: au1xmmc: force non-modular build and remove symbol_get usage
rtc: ds1685: use EXPORT_SYMBOL_GPL for ds1685_rtc_poweroff
modules: only allow symbol_get of EXPORT_SYMBOL_GPL modules
USB: serial: option: add Quectel EM05G variant (0x030e)
USB: serial: option: add FOXCONN T99W368/T99W373 product
HID: wacom: remove the battery when the EKR is off
Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition
serial: sc16is7xx: fix bug when first setting GPIO direction
nilfs2: fix general protection fault in nilfs_lookup_dirty_data_buffers()
nilfs2: fix WARNING in mark_buffer_dirty due to discarded buffer reuse
pinctrl: amd: Don't show `Invalid config param` errors
lib/ubsan: remove returns-nonnull-attribute checks
9p: virtio: make sure 'offs' is initialized in zc_request
ASoC: da7219: Flush pending AAD IRQ when suspending
ethernet: atheros: fix return value check in atl1c_tso_csum()
m68k: Fix invalid .section syntax
s390/dasd: use correct number of retries for ERP requests
fs/nls: make load_nls() take a const parameter
ASoc: codecs: ES8316: Fix DMIC config
security: keys: perform capable check only on privileged operations
net: usb: qmi_wwan: add Quectel EM05GV2
idmaengine: make FSL_EDMA and INTEL_IDMA64 depends on HAS_IOMEM
scsi: qedi: Fix potential deadlock on &qedi_percpu->p_work_lock
netlabel: fix shift wrapping bug in netlbl_catmap_setlong()
bnx2x: fix page fault following EEH recovery
sctp: handle invalid error codes without calling BUG()
cifs: add a warning when the in-flight count goes negative
ALSA: seq: oss: Fix racy open/close of MIDI devices
powerpc/32: Include .branch_lt in data section
powerpc/32s: Fix assembler warning about r0
udf: Check consistency of Space Bitmap Descriptor
udf: Handle error when adding extent to a file
Revert "net: macsec: preserve ingress frame ordering"
reiserfs: Check the return value from __getblk()
fs: Fix error checking for d_hash_and_lookup()
cpufreq: powernow-k8: Use related_cpus instead of cpus in driver.exit()
regmap: rbtree: Use alloc_flags for memory allocations
spi: tegra20-sflash: fix to check return value of platform_get_irq() in tegra_sflash_probe()
can: gs_usb: gs_usb_receive_bulk_callback(): count RX overflow errors also in case of OOM
wifi: mwifiex: Fix OOB and integer underflow when rx packets
Bluetooth: nokia: fix value check in nokia_bluetooth_serdev_probe()
net: tcp: fix unexcepted socket die when snd_wnd is 0
crypto: caam - fix unchecked return value error
lwt: Check LWTUNNEL_XMIT_CONTINUE strictly
fs: ocfs2: namei: check return value of ocfs2_add_entry()
wifi: mwifiex: fix memory leak in mwifiex_histogram_read()
wifi: mwifiex: Fix missed return in oob checks failed path
wifi: ath9k: protect WMI command response buffer replacement with a lock
wifi: mwifiex: avoid possible NULL skb pointer dereference
wifi: ath9k: use IS_ERR() with debugfs_create_dir()
net: arcnet: Do not call kfree_skb() under local_irq_disable()
netrom: Deny concurrent connect().
ARM: dts: BCM53573: Add cells sizes to PCIe node
ARM: dts: samsung: s3c6410-mini6410: correct ethernet reg addresses (split)
ARM: dts: samsung: s5pv210-smdkv210: correct ethernet reg addresses (split)
drm: adv7511: Fix low refresh rate register for ADV7533/5
of: unittest: fix null pointer dereferencing in of_unittest_find_node_by_name()
smackfs: Prevent underflow in smk_set_cipso()
audit: fix possible soft lockup in __audit_inode_child()
ALSA: ac97: Fix possible error value of *rac97
drivers: clk: keystone: Fix parameter judgment in _of_pll_clk_init()
clk: sunxi-ng: Modify mismatched function name
PCI: Mark NVIDIA T4 GPUs to avoid bus reset
PCI: pciehp: Use RMW accessors for changing LNKCTL
wifi: ath10k: Use RMW accessors for changing LNKCTL
nfs/blocklayout: Use the passed in gfp flags
powerpc/iommu: Fix notifiers being shared by PCI and VIO buses
jfs: validate max amount of blocks before allocation.
fs: lockd: avoid possible wrong NULL parameter
NFSD: da_addr_body field missing in some GETDEVICEINFO replies
drivers: usb: smsusb: fix error handling code in smsusb_init_device
media: dib7000p: Fix potential division by zero
media: dvb-usb: m920x: Fix a potential memory leak in m920x_i2c_xfer()
media: cx24120: Add retval check for cx24120_message_send()
media: mediatek: vcodec: Return NULL if no vdec_fb is found
usb: phy: mxs: fix getting wrong state with mxs_phy_is_otg_host()
scsi: iscsi: Add strlen() check in iscsi_if_set{_host}_param()
scsi: be2iscsi: Add length check when parsing nlattrs
scsi: qla4xxx: Add length check when parsing nlattrs
x86/APM: drop the duplicate APM_MINOR_DEV macro
scsi: qedf: Do not touch __user pointer in qedf_dbg_stop_io_on_error_cmd_read() directly
scsi: qedf: Do not touch __user pointer in qedf_dbg_fp_int_cmd_read() directly
dma-buf/sync_file: Fix docs syntax
media: go7007: Remove redundant if statement
USB: gadget: f_mass_storage: Fix unused variable warning
cgroup:namespace: Remove unused cgroup_namespaces_init()
scsi: core: Use 32-bit hostnum in scsi_host_lookup()
scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock
serial: tegra: handle clk prepare error in tegra_uart_hw_init()
amba: bus: fix refcount leak
Revert "IB/isert: Fix incorrect release of isert connection"
HID: multitouch: Correct devm device reference for hidinput input_dev name
rpmsg: glink: Add check for kstrdup
dmaengine: ste_dma40: Add missing IRQ check in d40_probe
igmp: limit igmpv3_newpack() packet size to IP_MAX_MTU
netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c
netfilter: xt_u32: validate user space input
netfilter: xt_sctp: validate the flag_info count
igb: set max size RX buffer when store bad packet is enabled
PM / devfreq: Fix leak in devfreq_dev_release()
ALSA: pcm: Fix missing fixup call in compat hw_refine ioctl
ARM: OMAP2+: Fix -Warray-bounds warning in _pwrdm_state_switch()
backlight/gpio_backlight: Compare against struct fb_info.device
backlight/bd6107: Compare against struct fb_info.device
backlight/lv5207lp: Compare against struct fb_info.device
media: dvb: symbol fixup for dvb_attach()
ntb: Drop packets when qp link is down
ntb: Clean up tx tail index on link down
ntb: Fix calculation ntb_transport_tx_free_entry()
Revert "PCI: Mark NVIDIA T4 GPUs to avoid bus reset"
procfs: block chmod on /proc/thread-self/comm
parisc: Fix /proc/cpuinfo output for lscpu
dccp: Fix out of bounds access in DCCP error handler
X.509: if signature is unsupported skip validation
net: handle ARPHRD_PPP in dev_is_mac_header_xmit()
pstore/ram: Check start of empty przs during init
crypto: stm32 - fix loop iterating through scatterlist for DMA
scsi: qla2xxx: fix inconsistent TMF timeout
scsi: qla2xxx: Turn off noisy message log
fbdev/ep93xx-fb: Do not assign to struct fb_info.dev
drm/ast: Fix DRAM init on AST2200
parisc: led: Fix LAN receive and transmit LEDs
parisc: led: Reduce CPU overhead for disk & lan LED computation
clk: qcom: gcc-mdm9615: use proper parent for pll0_vote clock
NFSv4/pnfs: minor fix for cleanup path in nfs4_get_device_info
x86/virt: Drop unnecessary check on extended CPUID level in cpu_has_svm()
watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load
pwm: lpc32xx: Remove handling of PWM channels
net: read sk->sk_family once in sk_mc_loop()
igb: disable virtualization features on 82580
net: ipv6/addrconf: avoid integer underflow in ipv6_create_tempaddr
af_unix: Fix data-races around user->unix_inflight.
af_unix: Fix data-race around unix_tot_inflight.
af_unix: Fix data-races around sk->sk_shutdown.
af_unix: Fix data race around sk->sk_err.
net: sched: sch_qfq: Fix UAF in qfq_dequeue()
kcm: Destroy mutex in kcm_exit_net()
igbvf: Change IGBVF_MIN to allow set rx/tx value between 64 and 80
igb: Change IGB_MIN to allow set rx/tx value between 64 and 80
ata: sata_gemini: Add missing MODULE_DESCRIPTION
ata: pata_ftide010: Add missing MODULE_DESCRIPTION
net: ethernet: mtk_eth_soc: fix possible NULL pointer dereference in mtk_hwlro_get_fdir_all()
kcm: Fix memory leak in error path of kcm_sendmsg()
ixgbe: fix timestamp configuration code
kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg().
parisc: Drop loops_per_jiffy from per_cpu struct
autofs: fix memory leak of waitqueues in autofs_catatonic_mode
btrfs: output extra debug info if we failed to find an inline backref
ACPICA: Add AML_NO_OPERAND_RESOLVE flag to Timer
ACPI: video: Add backlight=native DMI quirk for Lenovo Ideapad Z470
hw_breakpoint: fix single-stepping when using bpf_overflow_handler
wifi: ath9k: fix printk specifier
wifi: mwifiex: fix fortify warning
crypto: lib/mpi - avoid null pointer deref in mpi_cmp_ui()
tpm_tis: Resend command to recover from data transfer errors
alx: fix OOB-read compiler warning
drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable()
md: raid1: fix potential OOB in raid1_remove_disk()
ext2: fix datatype of block number in ext2_xattr_set2()
fs/jfs: prevent double-free in dbUnmount() after failed jfs_remount()
jfs: fix invalid free of JFS_IP(ipimap)->i_imap in diUnmount
powerpc/pseries: fix possible memory leak in ibmebus_bus_init()
media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer
media: dw2102: Fix null-ptr-deref in dw2102_i2c_transfer()
media: af9005: Fix null-ptr-deref in af9005_i2c_xfer
media: anysee: fix null-ptr-deref in anysee_master_xfer
media: az6007: Fix null-ptr-deref in az6007_i2c_xfer()
iio: core: Use min() instead of min_t() to make code more robust
media: tuners: qt1010: replace BUG_ON with a regular error
media: pci: cx23885: replace BUG with error return
usb: gadget: fsl_qe_udc: validate endpoint index for ch9 udc
scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show()
serial: cpm_uart: Avoid suspicious locking
kobject: Add sanity check for kset->kobj.ktype in kset_register()
md/raid1: fix error: ISO C90 forbids mixed declarations
attr: block mode changes of symlinks
btrfs: fix lockdep splat and potential deadlock after failure running delayed items
nfsd: fix change_info in NFSv4 RENAME replies
mtd: rawnand: brcmnand: Fix crash during the panic_write
mtd: rawnand: brcmnand: Fix potential false time out warning
mtd: rawnand: brcmnand: Fix ECC level field setting for v7.2 controller
mtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob write
net/sched: cls_fw: No longer copy tcf_result on update to avoid use-after-free
net/sched: Retire rsvp classifier
Linux 4.14.326
Change-Id: I22815ecf1b4b346f889ccaa561b7cb9a20f204ce
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Ryusuke Konishi
|
4737956105 |
nilfs2: fix WARNING in mark_buffer_dirty due to discarded buffer reuse
commit cdaac8e7e5a059f9b5e816cda257f08d0abffacd upstream.
A syzbot stress test using a corrupted disk image reported that
mark_buffer_dirty() called from __nilfs_mark_inode_dirty() or
nilfs_palloc_commit_alloc_entry() may output a kernel warning, and can
panic if the kernel is booted with panic_on_warn.
This is because nilfs2 keeps buffer pointers in local structures for some
metadata and reuses them, but such buffers may be forcibly discarded by
nilfs_clear_dirty_page() in some critical situations.
This issue is reported to appear after commit 28a65b49eb53 ("nilfs2: do
not write dirty data after degenerating to read-only"), but the issue has
potentially existed before.
Fix this issue by checking the uptodate flag when attempting to reuse an
internally held buffer, and reloading the metadata instead of reusing the
buffer if the flag was lost.
Link: https://lkml.kernel.org/r/20230818131804.7758-1-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+cdfcae656bac88ba0e2d@syzkaller.appspotmail.com
Closes: https://lkml.kernel.org/r/0000000000003da75f05fdeffd12@google.com
Fixes: 8c26c4e2694a ("nilfs2: fix issue with flush kernel thread after remount in RO mode because of driver's internal error or metadata corruption")
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: <stable@vger.kernel.org> # 3.10+
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Ryusuke Konishi
|
f4e9e1a996 |
nilfs2: fix general protection fault in nilfs_lookup_dirty_data_buffers()
commit f83913f8c5b882a312e72b7669762f8a5c9385e4 upstream. A syzbot stress test reported that create_empty_buffers() called from nilfs_lookup_dirty_data_buffers() can cause a general protection fault. Analysis using its reproducer revealed that the back reference "mapping" from a page/folio has been changed to NULL after dirty page/folio gang lookup in nilfs_lookup_dirty_data_buffers(). Fix this issue by excluding pages/folios from being collected if, after acquiring a lock on each page/folio, its back reference "mapping" differs from the pointer to the address space struct that held the page/folio. Link: https://lkml.kernel.org/r/20230805132038.6435-1-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Reported-by: syzbot+0ad741797f4565e7e2d2@syzkaller.appspotmail.com Closes: https://lkml.kernel.org/r/0000000000002930a705fc32b231@google.com Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Greg Kroah-Hartman
|
b778a6929d |
This is the 4.14.323 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmTc9RMACgkQONu9yGCS aT5dJRAAyJ6TlWC+bZv27UKgjXo+h3T5iVbfcJve/NKTgEcuFBcJFe5xb/znTog6 kovmrMQ8yG/lq19aUXI1QlVNCnCRpwzsNRl+27OtDL3emKtdgreyT9K+vtNLSqOT men0os0wJERKDfBMloZrvh/WeiYc+/uwWFz34kZjRMrWWoY7LBUCi+YOrh4VpkP4 B3CoC55IkC+OQz5mkrLJM9q1fpefNYcsv8tNtu2lLGfZuq6t35xQHW5cqF4TH7SN DvO6SWB4N0c39kSaBez3bJgIOSzAexL86nt5C3HI4soHDPJstKV6+mktPDGNx0pF H4DbewzYwpUE6pj0LBv9Fasj3gZjUMba+RECHaNqeCSRynYY1PW6AA0I428p87vq AWhCYLdSIs0tAcwPPfYo9q3Po3lOEBnHZNFpCpbLJiuWBf3H8HnIW/5Xvpb+tcGh HwhryJ3D55egUGuzeYtqurZAo2X6ubS8ig+MH9K2nMHl1p7YNMdXnxsWukv6bJUE QXSv87HG7ASv+WKQfSbFt5U+L7ihIGnAKdDEe4FaOxtNMj0aJQMMrJVsuNyXiBoO iP6BPEMGxCgdUVrDF04COVFf+jZE33RdHAi2rRwwaKlHfu5DoL90b/m8UcVt9/jH lQjsj5ydINt5tXU58Q3kLqJ/in/RM64TMKi/3L2wbwbaKZfbCPE= =Pod4 -----END PGP SIGNATURE----- Merge 4.14.323 into android-4.14-stable Changes in 4.14.323 sparc: fix up arch_cpu_finalize_init() build breakage. mmc: moxart: read scr register without changing byte order ipv6: adjust ndisc_is_useropt() to also return true for PIO dmaengine: pl330: Return DMA_PAUSED when transaction is paused radix tree test suite: fix incorrect allocation size for pthreads nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput test_firmware: return ENOMEM instead of ENOSPC on failed memory allocation iio: cros_ec: Fix the allocation size for cros_ec_command usb-storage: alauda: Fix uninit-value in alauda_check_media() usb: dwc3: Properly handle processing of pending events x86/mm: Fix VDSO and VVAR placement on 5-level paging machines x86: Move gds_ucode_mitigated() declaration to header drm/nouveau/disp: Revert a NULL check inside nouveau_connector_get_modes net/packet: annotate data-races around tp->status bonding: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves dccp: fix data-race around dp->dccps_mss_cache drivers: net: prevent tun_build_skb() to exceed the packet size limit IB/hfi1: Fix possible panic during hotplug remove btrfs: don't stop integrity writeback too early netfilter: nf_tables: report use refcount overflow scsi: core: Fix legacy /proc parsing buffer overflow scsi: storvsc: Fix handling of virtual Fibre Channel timeouts scsi: 53c700: Check that command slot is not NULL scsi: snic: Fix possible memory leak if device_add() fails scsi: core: Fix possible memory leak if device_add() fails alpha: remove __init annotation from exported page_is_ram() Linux 4.14.323 Change-Id: Ie5983e040b787ee04a08ea1e7326a3571080f084 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Ryusuke Konishi
|
11afd67f1b |
nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput
commit f8654743a0e6909dc634cbfad6db6816f10f3399 upstream.
During unmount process of nilfs2, nothing holds nilfs_root structure after
nilfs2 detaches its writer in nilfs_detach_log_writer(). Previously,
nilfs_evict_inode() could cause use-after-free read for nilfs_root if
inodes are left in "garbage_list" and released by nilfs_dispose_list at
the end of nilfs_detach_log_writer(), and this bug was fixed by commit
9b5a04ac3ad9 ("nilfs2: fix use-after-free bug of nilfs_root in
nilfs_evict_inode()").
However, it turned out that there is another possibility of UAF in the
call path where mark_inode_dirty_sync() is called from iput():
nilfs_detach_log_writer()
nilfs_dispose_list()
iput()
mark_inode_dirty_sync()
__mark_inode_dirty()
nilfs_dirty_inode()
__nilfs_mark_inode_dirty()
nilfs_load_inode_block() --> causes UAF of nilfs_root struct
This can happen after commit 0ae45f63d4ef ("vfs: add support for a
lazytime mount option"), which changed iput() to call
mark_inode_dirty_sync() on its final reference if i_state has I_DIRTY_TIME
flag and i_nlink is non-zero.
This issue appears after commit 28a65b49eb53 ("nilfs2: do not write dirty
data after degenerating to read-only") when using the syzbot reproducer,
but the issue has potentially existed before.
Fix this issue by adding a "purging flag" to the nilfs structure, setting
that flag while disposing the "garbage_list" and checking it in
__nilfs_mark_inode_dirty().
Unlike commit 9b5a04ac3ad9 ("nilfs2: fix use-after-free bug of nilfs_root
in nilfs_evict_inode()"), this patch does not rely on ns_writer to
determine whether to skip operations, so as not to break recovery on
mount. The nilfs_salvage_orphan_logs routine dirties the buffer of
salvaged data before attaching the log writer, so changing
__nilfs_mark_inode_dirty() to skip the operation when ns_writer is NULL
will cause recovery write to fail. The purpose of using the cleanup-only
flag is to allow for narrowing of such conditions.
Link: https://lkml.kernel.org/r/20230728191318.33047-1-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+74db8b3087f293d3a13a@syzkaller.appspotmail.com
Closes: https://lkml.kernel.org/r/000000000000b4e906060113fd63@google.com
Fixes: 0ae45f63d4ef ("vfs: add support for a lazytime mount option")
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: <stable@vger.kernel.org> # 4.0+
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Greg Kroah-Hartman
|
ecca894374 |
This is the 4.14.320 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmSb6+YACgkQONu9yGCS aT6k8xAAwMV8dM19J1KpSGIZc67DMWH4nXoehnuVROhJKZjLfJvQr9Vwab7+2gIy rXeCQgQjxKpPOgmkH67qFoD11prwXYCOj/69qeAyQTyXYjwrF3jEzCds6yBePY2U dU0og8UipoisMqO5HPtLYoFT1kYyOGTB+EmFpy0xTrudYj9ctmlqIe71oAXup766 G2AvOHBggGWdvtkecuz/bbMFrdjIOhzl1Qq68X8GmxhHsFPGt+i3e+MpzcyM+DVi WmBfzYNO3phCYvAKk21hWI7rhp/3yGFNTvZVeC39pwEtLH2Xk+5gjQHYjW/HqHyR xD9Li8A03wYbjy5501Hyt1W3Se0kLAgdDUOZX//1TOrLXLuNn91mfu2N7grhfsML +EwH7asrnQsJUn9Pr+ZKcV3Rruw5JUHuIa4vCmrsrqjqi+LTjFwTpK4Y02zefjhM qLhsIdSOU1DrmAnd5AbQPIeQnqWEe29lsG/K5OWha1qr94x37CqaFB3DeKzNnxjO qJ0ByN3GIi1KbBv2ymIkpAhOLbPEni+Kakmi5+YdPGsnsPAXHzGUf0JxBi6U6Pj5 P/VXAq5b5ZN4VbGWZa+PORahRBPy2BMlNfi6VeWsYDh4YZfoCjidy4mmrE86c+iY WMJpszU7QF6ZSqf0QXVCJEjJwVVHgvObCM2Hguyzy6oGb5usJ/w= =TkTj -----END PGP SIGNATURE----- Merge 4.14.320 into android-4.14-stable Changes in 4.14.320 serial: lantiq: add missing interrupt ack nilfs2: reject devices with insufficient block count nilfs2: fix buffer corruption due to concurrent device reads Drivers: hv: vmbus: Fix vmbus_wait_for_unload() to scan present CPUs cgroup: Do not corrupt task iteration when rebinding subsystem nilfs2: prevent general protection fault in nilfs_clear_dirty_page() xfrm: Linearize the skb after offloading if needed. net: qca_spi: Avoid high load if QCA7000 is not available mmc: mtk-sd: fix deferred probing mmc: omap: fix deferred probing mmc: omap_hsmmc: fix deferred probing mmc: usdhi60rol0: fix deferred probing be2net: Extend xmit workaround to BE3 chip netfilter: nf_tables: disallow element updates of bound anonymous sets scsi: target: iscsi: Prevent login threads from racing between each other HID: wacom: Add error check to wacom_parse_and_register() arm64: Add missing Set/Way CMO encodings nfcsim.c: Fix error checking for debugfs_create_dir fbdev: imsttfb: Release framebuffer and dealloc cmap on error path usb: gadget: udc: fix NULL dereference in remove() s390/cio: unregister device when the only path is gone drm/exynos: vidi: fix a wrong error return drm/exynos: fix race condition UAF in exynos_g2d_exec_ioctl drm/radeon: fix race condition UAF in radeon_gem_set_domain_ioctl x86/apic: Fix kernel panic when booting with intremap=off and x2apic_phys i2c: imx-lpi2c: fix type char overflow issue when calculating the clock cycle Linux 4.14.320 Change-Id: Ie099bcd37431671a217ea32b54bef6d5f29c122d Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Ryusuke Konishi
|
1ae24bbbb3 |
nilfs2: prevent general protection fault in nilfs_clear_dirty_page()
commit 782e53d0c14420858dbf0f8f797973c150d3b6d7 upstream. In a syzbot stress test that deliberately causes file system errors on nilfs2 with a corrupted disk image, it has been reported that nilfs_clear_dirty_page() called from nilfs_clear_dirty_pages() can cause a general protection fault. In nilfs_clear_dirty_pages(), when looking up dirty pages from the page cache and calling nilfs_clear_dirty_page() for each dirty page/folio retrieved, the back reference from the argument page to "mapping" may have been changed to NULL (and possibly others). It is necessary to check this after locking the page/folio. So, fix this issue by not calling nilfs_clear_dirty_page() on a page/folio after locking it in nilfs_clear_dirty_pages() if the back reference "mapping" from the page/folio is different from the "mapping" that held the page/folio just before. Link: https://lkml.kernel.org/r/20230612021456.3682-1-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Reported-by: syzbot+53369d11851d8f26735c@syzkaller.appspotmail.com Closes: https://lkml.kernel.org/r/000000000000da4f6b05eb9bf593@google.com Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |