This patch fixes assigning bi_crypt_key for moving data which was previously
encrypted by f2fs.
Note that, dm-default-key should not assign bi_crypt_key, if bi_crypt_skip is
set.
The bug scenario is:
1. write data with user key by f2fs
- ENC(KU, IVU, DATA)
2. log out user key
3. read data #1 w/o user key from LBA #a
4. dm-default-key assigns default key
- DEC(KD, LBA#a, ENC(KU, IVU, DATA))
5. write data #1 w/o user key into LBA #b
6. dm-default-key assigns default key
- ENC(KD, LBA#b, DEC(KD, LBA#a, ENC(KU, IVU, DATA)))
7. Read DATA out with valid logged-in user key
- DEC(KU, IVU, ENC(KD, LBA#b, DEC(KD, LBA#a, ENC(KU, IVU, DATA))))
So, this patch introduces bi_crypt_skip to avoid 4. ~ 6. with the right flow:
1. write data with user key by f2fs
- ENC(KU, IVU, DATA)
2. log out user key
3. read data #1 w/o user key from LBA #a
4. dm-default-key skips assigning default key
- ENC(KU, IVU, DATA)
5. write data #1 w/o user key into LBA #b
6. dm-default-key skips assigning default key
- ENC(KU, IVU, DATA)
7. Try to read DATA with valid logged-in user key
- DEC(KU, IVU, ENC(KU, IVU, DATA))
Bug: 68721442
Change-Id: Icefe85f608b7c3c84beb2bfa4267efd0f3787453
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Signed-off-by: Shivaprasad Hongal <shongal@codeaurora.org>
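As an added illustration (not part of the commit, and not the kernel's code), a toy Python model of steps 1 through 7 above. A SHA-256 counter-mode keystream stands in for the inline crypto engine's cipher, the LBA is the IV for the default key exactly as in the message, and `crypt_skip` models bi_crypt_skip; both the buggy flow and the fixed flow are run so the double-layer corruption is visible.

```python
import hashlib

# Constructed sample values; the real keys live in the inline engine / keyring.
KU, IVU, KD = b"user-key", b"file-iv", b"default-key"
DATA = b"secret file contents written by f2fs"


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode over key||iv. Stand-in for the
    inline engine's cipher; NOT a real cipher, only enough to show the layering."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """For a stream cipher ENC and DEC are the same XOR, so one helper serves both."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, iv, len(data))))


def lba_iv(lba: int) -> bytes:
    """dm-default-key uses the sector/LBA as the IV (LBA#a, LBA#b in the message)."""
    return lba.to_bytes(8, "little")


class DefaultKeyDevice:
    """Models dm-default-key stacked on a raw block device (self.disk)."""

    def __init__(self, default_key: bytes):
        self.kd = default_key
        self.disk = {}

    def _assigns_default_key(self, crypt_key, crypt_skip) -> bool:
        # The default key is assigned only when the bio carries no bi_crypt_key
        # and, after the patch, bi_crypt_skip is not set.
        return crypt_key is None and not crypt_skip

    def write(self, lba, data, crypt_key=None, crypt_iv=None, crypt_skip=False):
        if crypt_key is not None:                       # user key: ENC(KU, IVU, ...)
            data = crypt(crypt_key, crypt_iv, data)
        elif self._assigns_default_key(crypt_key, crypt_skip):
            data = crypt(self.kd, lba_iv(lba), data)    # ENC(KD, LBA#, ...)
        self.disk[lba] = data

    def read(self, lba, crypt_key=None, crypt_iv=None, crypt_skip=False):
        data = self.disk[lba]
        if crypt_key is not None:                       # DEC(KU, IVU, ...)
            return crypt(crypt_key, crypt_iv, data)
        if self._assigns_default_key(crypt_key, crypt_skip):
            return crypt(self.kd, lba_iv(lba), data)    # DEC(KD, LBA#, ...)
        return data                                     # bi_crypt_skip: pass through


def move_block_and_read_back(skip_default_key: bool) -> bytes:
    """Steps 1-7 of the commit message. Returns what step 7 hands back to the user."""
    dev = DefaultKeyDevice(KD)
    dev.write(0xA, DATA, crypt_key=KU, crypt_iv=IVU)      # 1. f2fs writes with user key
    # 2. user logs out: KU is unavailable for the move that follows
    moved = dev.read(0xA, crypt_skip=skip_default_key)     # 3./4. read w/o user key
    dev.write(0xB, moved, crypt_skip=skip_default_key)     # 5./6. write w/o user key
    return dev.read(0xB, crypt_key=KU, crypt_iv=IVU)       # 7. read with user key


if __name__ == "__main__":
    print("buggy flow  recovers DATA:", move_block_and_read_back(False) == DATA)
    print("fixed flow  recovers DATA:", move_block_and_read_back(True) == DATA)
```

Without the skip flag the block read back is ENC(KD, LBA#b, DEC(KD, LBA#a, ...)) under the user layer, and since the two LBA IVs differ the default-key layers do not cancel.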
Hardware File Based Encryption (FBE) uses inline crypto
engine to encrypt the user data.
1. security/pfk: changes to support per file
encryption for f2fs using hardware crypto engine.
2. fs/ext4: adapted crypto APIs for generic crypto layer.
3. fs/f2fs: support hardware crypto engine based per file
encryption.
4. fs/crypto: export APIs to support hardware crypto
engine based per file encryption.
5. security/pfe: added wrapped key support based on
upstream changes.
Other changes made to provide support framework for per
file encryption.
Reverting commit e02a4e21f640 ("ext4: Add HW File Based
Encryption on ext4 file system") and adding changes to
have FBE in sync with upstream implementation of FBE.
Change-Id: I17f9909c43ba744eb874f6d237745fbf88a2b848
Signed-off-by: Shivaprasad Hongal <shongal@codeaurora.org>
Currently, __debugfs_create_file allocates one struct debugfs_fsdata
instance for every file created. However, there are potentially many
debugfs file around, most of which are never touched by userspace.
Thus, defer the allocations to the first usage, i.e. to the first
debugfs_file_get().
A dentry's ->d_fsdata starts out to point to the "real", user provided
fops. After a debugfs_fsdata instance has been allocated (and the real
fops pointer has been moved over into its ->real_fops member),
->d_fsdata is changed to point to it from then on. The two cases are
distinguished by setting BIT(0) for the real fops case.
struct debugfs_fsdata's foremost purpose is to track active users and to
make debugfs_remove() block until they are done. Since no debugfs_fsdata
instance means no active users, make debugfs_remove() return immediately
in this case.
Take care of possible races between debugfs_file_get() and
debugfs_remove(): either debugfs_remove() must see a debugfs_fsdata
instance and thus wait for possible active users or debugfs_file_get() must
see a dead dentry and return immediately.
Make a dentry's ->d_release(), i.e. debugfs_release_dentry(), check whether
->d_fsdata is actually a debugfs_fsdata instance before kfree()ing it.
Similarly, make debugfs_real_fops() check whether ->d_fsdata is actually
a debugfs_fsdata instance before returning it, otherwise emit a warning.
The set of possible error codes returned from debugfs_file_get() has grown
from -EIO to -EIO and -ENOMEM. Make open_proxy_open() and full_proxy_open()
pass the -ENOMEM onwards to their callers.
Change-Id: I22d1f399ced795620cb7a887407465293317d43f
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Git-commit: 7d39bc50c47b3f8ed0e1a9d671ecb9ec02f10a2d
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Signed-off-by: Raghavendra Rao Ananta <rananta@codeaurora.org>
The current implementation of debugfs_real_fops() relies on a
debugfs_fsdata instance to be installed at ->d_fsdata.
With future patches introducing lazy allocation of these, this requirement
will be guaranteed to be fulfilled only in between a
debugfs_file_get()/debugfs_file_put() pair.
The full proxies' fops implemented by debugfs happen to be the only
offenders. Fix them up by moving their debugfs_real_fops() calls past those
to debugfs_file_get().
full_proxy_release() is special as it doesn't invoke debugfs_file_get() at
all. Leave it alone for now.
Change-Id: I418a5aea3e5b086a719a780e1b77e966b6034d43
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Git-commit: 154b9d7512ae012aca7b4e90af67a72419ad1941
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Signed-off-by: Raghavendra Rao Ananta <rananta@codeaurora.org>
Convert all calls to the now obsolete debugfs_use_file_start() and
debugfs_use_file_finish() from the debugfs core itself to the new
debugfs_file_get() and debugfs_file_put() API.
Change-Id: Ib0f291b138c7b9eacbe80678c283051f799f5042
Fixes: 49d200deaa68 ("debugfs: prevent access to removed files' private data")
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Git-commit: 69d29f9e6a53559895e6f785f6cf72daa738f132
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Signed-off-by: Raghavendra Rao Ananta <rananta@codeaurora.org>
Currently, debugfs_real_fops() is annotated with a
__must_hold(&debugfs_srcu) sparse annotation.
With the conversion of the SRCU based protection of users against
concurrent file removals to a per-file refcount based scheme, this becomes
wrong.
Drop this annotation.
Change-Id: I261ad90f4af2fe28379be1256ec86a8b41f1dd08
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Git-commit: 055ab8e3e3d52e005d2047b14ce63551b3a8b8b5
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Signed-off-by: Raghavendra Rao Ananta <rananta@codeaurora.org>
Since commit 49d200deaa68 ("debugfs: prevent access to removed files'
private data"), accesses to a file's private data are protected from
concurrent removal by covering all file_operations with a SRCU read section
and synchronizing with those before returning from debugfs_remove() by means
of synchronize_srcu().
As pointed out by Johannes Berg, there are debugfs files with forever
blocking file_operations. Their corresponding SRCU read side sections would
block any debugfs_remove() forever as well, even unrelated ones. This
results in a livelock. Because a remover can't cancel any indefinite
blocking within foreign files, this is a problem.
Resolve this by introducing support for more granular protection on a
per-file basis.
This is implemented by introducing an 'active_users' refcount_t to the
per-file struct debugfs_fsdata state. At file creation time, it is set to
one and a debugfs_remove() will drop that initial reference. The new
debugfs_file_get() and debugfs_file_put(), intended to be used in place of
former debugfs_use_file_start() and debugfs_use_file_finish(), increment
and decrement it respectively. Once the count drops to zero,
debugfs_file_put() will signal a completion which is possibly being waited
for from debugfs_remove().
Thus, as long as there is a debugfs_file_get() not yet matched by a
corresponding debugfs_file_put() around, debugfs_remove() will block.
Actual users of debugfs_use_file_start() and -finish() will get converted
to the new debugfs_file_get() and debugfs_file_put() by followup patches.
Change-Id: Icfde769b8604854a2e6f91d1070ac72dc2a8f7fc
Fixes: 49d200deaa68 ("debugfs: prevent access to removed files' private data")
Reported-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Git-commit: e9117a5a4bf65d8e99f060d356a04d27a60b436d
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Signed-off-by: Raghavendra Rao Ananta <rananta@codeaurora.org>
Currently, the user provided fops, "real_fops", are stored directly into
->d_fsdata.
In order to be able to store more per-file state and thus prepare for more
granular file removal protection, wrap the real_fops into a dynamically
allocated container struct, debugfs_fsdata.
A struct debugfs_fsdata gets allocated at file creation and freed from the
newly introduced ->d_release().
Finally, move the implementation of debugfs_real_fops() out of the public
debugfs header such that struct debugfs_fsdata's declaration can be kept
private.
Change-Id: I3517697b316d5ed1bbc9e5b24b66463479c6fd4d
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Git-commit: 7c8d469877b16d2c1cecf101a0abb7b218db85bc
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Signed-off-by: Raghavendra Rao Ananta <rananta@codeaurora.org>
Commit 8844618d8aa7: "ext4: only look at the bg_flags field if it is
valid" will complain if block group zero does not have the
EXT4_BG_INODE_ZEROED flag set. Unfortunately, this is not correct,
since a freshly created file system has this flag cleared. It gets set
almost immediately after the file system is mounted read-write --- but
the following somewhat unlikely sequence will end up triggering a
false positive report of a corrupted file system:
mkfs.ext4 /dev/vdc
mount -o ro /dev/vdc /vdc
mount -o remount,rw /dev/vdc
Instead, when initializing the inode table for block group zero, test
to make sure that itable_unused count is not too large, since that is
the case that will result in some or all of the reserved inodes
getting cleared.
This fixes the failures reported by Eric Whiteney when running
generic/230 and generic/231 in the nojournal test case.
Fixes: 8844618d8aa7 ("ext4: only look at the bg_flags field if it is valid")
Reported-by: Eric Whitney <enwlinux@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Git-Repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Git-Commit: 5012284700775a4e6e3fbe7eac4c543c4874b559
Change-Id: I9ae663e67e6ee32ef0c0e98a9e0ae9193cf7c880
Signed-off-by: Ankit Jain <jankit@codeaurora.org>
* refs/heads/tmp-818299f
Linux 4.14.56
f2fs: give message and set need_fsck given broken node id
loop: remember whether sysfs_create_group() was done
RDMA/ucm: Mark UCM interface as BROKEN
PM / hibernate: Fix oops at snapshot_write()
loop: add recursion validation to LOOP_CHANGE_FD
netfilter: x_tables: initialise match/target check parameter struct
netfilter: nf_queue: augment nfqa_cfg_policy
uprobes/x86: Remove incorrect WARN_ON() in uprobe_init_insn()
crypto: x86/salsa20 - remove x86 salsa20 implementations
nvme-pci: Remap CMB SQ entries on every controller reset
xen: setup pv irq ops vector earlier
iw_cxgb4: correctly enforce the max reg_mr depth
i2c: tegra: Fix NACK error handling
IB/hfi1: Fix incorrect mixing of ERR_PTR and NULL return values
tools build: fix # escaping in .cmd files for future Make
arm64: neon: Fix function may_use_simd() return error status
kbuild: delete INSTALL_FW_PATH from kbuild documentation
tracing: Reorder display of TGID to be after PID
mm: do not bug_on on incorrect length in __mm_populate()
fs, elf: make sure to page align bss in load_elf_library
fs/proc/task_mmu.c: fix Locked field in /proc/pid/smaps*
mm: do not drop unused pages when userfaultd is running
ALSA: hda - Handle pm failure during hotplug
ALSA: hda/realtek - two more lenovo models need fixup of MIC_LOCATION
scsi: megaraid_sas: fix selection of reply queue
scsi: megaraid_sas: Create separate functions to allocate ctrl memory
scsi: megaraid_sas: replace is_ventura with adapter_type checks
scsi: megaraid_sas: replace instance->ctrl_context checks with instance->adapter_type
scsi: megaraid_sas: use adapter_type for all gen controllers
genirq/affinity: assign vectors to all possible CPUs
Fix up non-directory creation in SGID directories
devpts: resolve devpts bind-mounts
devpts: hoist out check for DEVPTS_SUPER_MAGIC
xhci: xhci-mem: off by one in xhci_stream_id_to_ring()
usb: quirks: add delay quirks for Corsair Strafe
USB: serial: mos7840: fix status-register error handling
USB: yurex: fix out-of-bounds uaccess in read handler
USB: serial: keyspan_pda: fix modem-status error handling
USB: serial: cp210x: add another USB ID for Qivicon ZigBee stick
USB: serial: ch341: fix type promotion bug in ch341_control_in()
ahci: Disable LPM on Lenovo 50 series laptops with a too old BIOS
vmw_balloon: fix inflation with batching
ata: Fix ZBC_OUT all bit handling
ata: Fix ZBC_OUT command block check
staging: r8822be: Fix RTL8822be can't find any wireless AP
staging: rtl8723bs: Prevent an underflow in rtw_check_beacon_data().
ibmasm: don't write out of bounds in read handler
mmc: dw_mmc: fix card threshold control configuration
mmc: sdhci-esdhc-imx: allow 1.8V modes without 100/200MHz pinctrl states
MIPS: Fix ioremap() RAM check
MIPS: Use async IPIs for arch_trigger_cpumask_backtrace()
MIPS: Call dump_stack() from show_regs()
ASoC: mediatek: preallocate pages use platform device
media: rc: mce_kbd decoder: fix stuck keys
ANDROID: Fix massive cpufreq_times memory leaks
ANDROID: Reduce use of #ifdef CONFIG_CPU_FREQ_TIMES
Change-Id: I8181c52138e12e6cdd25b9cf0ffba19469593ab2
Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
Merge 4.14.56 into android-4.14
Changes in 4.14.56
media: rc: mce_kbd decoder: fix stuck keys
ASoC: mediatek: preallocate pages use platform device
MIPS: Call dump_stack() from show_regs()
MIPS: Use async IPIs for arch_trigger_cpumask_backtrace()
MIPS: Fix ioremap() RAM check
mmc: sdhci-esdhc-imx: allow 1.8V modes without 100/200MHz pinctrl states
mmc: dw_mmc: fix card threshold control configuration
ibmasm: don't write out of bounds in read handler
staging: rtl8723bs: Prevent an underflow in rtw_check_beacon_data().
staging: r8822be: Fix RTL8822be can't find any wireless AP
ata: Fix ZBC_OUT command block check
ata: Fix ZBC_OUT all bit handling
vmw_balloon: fix inflation with batching
ahci: Disable LPM on Lenovo 50 series laptops with a too old BIOS
USB: serial: ch341: fix type promotion bug in ch341_control_in()
USB: serial: cp210x: add another USB ID for Qivicon ZigBee stick
USB: serial: keyspan_pda: fix modem-status error handling
USB: yurex: fix out-of-bounds uaccess in read handler
USB: serial: mos7840: fix status-register error handling
usb: quirks: add delay quirks for Corsair Strafe
xhci: xhci-mem: off by one in xhci_stream_id_to_ring()
devpts: hoist out check for DEVPTS_SUPER_MAGIC
devpts: resolve devpts bind-mounts
Fix up non-directory creation in SGID directories
genirq/affinity: assign vectors to all possible CPUs
scsi: megaraid_sas: use adapter_type for all gen controllers
scsi: megaraid_sas: replace instance->ctrl_context checks with instance->adapter_type
scsi: megaraid_sas: replace is_ventura with adapter_type checks
scsi: megaraid_sas: Create separate functions to allocate ctrl memory
scsi: megaraid_sas: fix selection of reply queue
ALSA: hda/realtek - two more lenovo models need fixup of MIC_LOCATION
ALSA: hda - Handle pm failure during hotplug
mm: do not drop unused pages when userfaultd is running
fs/proc/task_mmu.c: fix Locked field in /proc/pid/smaps*
fs, elf: make sure to page align bss in load_elf_library
mm: do not bug_on on incorrect length in __mm_populate()
tracing: Reorder display of TGID to be after PID
kbuild: delete INSTALL_FW_PATH from kbuild documentation
arm64: neon: Fix function may_use_simd() return error status
tools build: fix # escaping in .cmd files for future Make
IB/hfi1: Fix incorrect mixing of ERR_PTR and NULL return values
i2c: tegra: Fix NACK error handling
iw_cxgb4: correctly enforce the max reg_mr depth
xen: setup pv irq ops vector earlier
nvme-pci: Remap CMB SQ entries on every controller reset
crypto: x86/salsa20 - remove x86 salsa20 implementations
uprobes/x86: Remove incorrect WARN_ON() in uprobe_init_insn()
netfilter: nf_queue: augment nfqa_cfg_policy
netfilter: x_tables: initialise match/target check parameter struct
loop: add recursion validation to LOOP_CHANGE_FD
PM / hibernate: Fix oops at snapshot_write()
RDMA/ucm: Mark UCM interface as BROKEN
loop: remember whether sysfs_create_group() was done
f2fs: give message and set need_fsck given broken node id
Linux 4.14.56
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 24962af7e1041b7e50c1bc71d8d10dc678c556b5 upstream.
The current code does not make sure to page align bss before calling
vm_brk(), and this can lead to a VM_BUG_ON() in __mm_populate() due to
the requested length not being correctly aligned.
Let us make sure to align it properly.
Kees: only applicable to CONFIG_USELIB kernels: 32-bit and configured
for libc5.
Link: http://lkml.kernel.org/r/20180705145539.9627-1-osalvador@techadventures.net
Signed-off-by: Oscar Salvador <osalvador@suse.de>
Reported-by: syzbot+5dcb560fe12aa5091c06@syzkaller.appspotmail.com
Tested-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Nicolas Pitre <nicolas.pitre@linaro.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit e70cc2bd579e8a9d6d153762f0fe294d0e652ff0 upstream.
Thomas reports:
"While looking around in /proc on my v4.14.52 system I noticed that all
processes got a lot of "Locked" memory in /proc/*/smaps. A lot more
memory than a regular user can usually lock with mlock().
Commit 493b0e9d945f (in v4.14-rc1) seems to have changed the behavior
of "Locked".
Before that commit the code was like this. Notice the VM_LOCKED check.
(vma->vm_flags & VM_LOCKED) ?
(unsigned long)(mss.pss >> (10 + PSS_SHIFT)) : 0);
After that commit Locked is now the same as Pss:
(unsigned long)(mss->pss >> (10 + PSS_SHIFT)));
This looks like a mistake."
Indeed, the commit has added mss->pss_locked with the correct value that
depends on VM_LOCKED, but forgot to actually use it. Fix it.
Link: http://lkml.kernel.org/r/ebf6c7fb-fec3-6a26-544f-710ed193c154@suse.cz
Fixes: 493b0e9d945f ("mm: add /proc/pid/smaps_rollup")
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Reported-by: Thomas Lindroth <thomas.lindroth@gmail.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Daniel Colascione <dancol@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7 upstream.
sgid directories have special semantics, making newly created files in
the directory belong to the group of the directory, and newly created
subdirectories will also become sgid. This is historically used for
group-shared directories.
But group directories writable by non-group members should not imply
that such non-group members can magically join the group, so make sure
to clear the sgid bit on non-directories for non-members (but remember
that sgid without group execute means "mandatory locking", just to
confuse things even more).
Reported-by: Jann Horn <jannh@google.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit a319b01d9095da6f6c54bd20c1f1300762506255 upstream.
Most libcs will still look at /dev/ptmx when opening the master fd of a pty
device. When /dev/ptmx is a bind-mount of /dev/pts/ptmx and the TIOCGPTPEER
ioctl() is used to safely retrieve a file descriptor for the slave side of
the pty based on the master fd, the /proc/self/fd/{0,1,2} symlinks will
point to /. A very simple reproducer for this issue presupposing a libc
that uses TIOCGPTPEER in its openpty() implementation is:
unshare --mount
mount --bind /dev/pts/ptmx /dev/ptmx
chmod 666 /dev/ptmx
script
ls -al /proc/self/fd/0
Having bind-mounts of /dev/pts/ptmx to /dev/ptmx not working correctly is a
regression. In addition, it is also a fairly common scenario in containers
employing user namespaces.
The reason for the current failure is that the kernel tries to verify the
usability of the devpts filesystem without resolving the /dev/ptmx
bind-mount first. This will lead it to detect that the dentry is escaping
its bind-mount. The reason is that while the devpts filesystem mounted at
/dev/pts has the devtmpfs mounted at /dev as its parent mount:
21 -- -- / /dev
-- 21 -- / /dev/pts
devtmpfs and devpts are on different devices
-- -- 0:6 / /dev
-- -- 0:20 / /dev/pts
This has the consequence that the pathname of the parent directory of the
devpts filesystem mount at /dev/pts is /. So if /dev/ptmx is a bind-mount
of /dev/pts/ptmx then the /dev/ptmx bind-mount and the devpts mount at
/dev/pts will end up being located on the same device which is recorded in
the superblock of their vfsmount. This means the parent directory of the
/dev/ptmx bind-mount will be /ptmx:
-- -- ---- /ptmx /dev/ptmx
Without the bind-mount resolution patch the kernel will now perform the
bind-mount escape check directly on /dev/ptmx. The function responsible for
this is devpts_ptmx_path() which calls pts_path() which in turn calls
path_parent_directory(). Based on the above explanation,
path_parent_directory() will yield / as the parent directory for the
/dev/ptmx bind-mount and not the expected /dev. Thus, the kernel detects
that /dev/ptmx is escaping its bind-mount and will set /proc/<pid>/fd/<nr>
to /.
This patch changes the logic to first resolve any bind-mounts. After the
bind-mounts have been resolved (i.e. we have traced it back to the
associated devpts mount) devpts_ptmx_path() can be called. In order to
guarantee correct path generation for the slave file descriptor the kernel
now requires that a pts directory is found in the parent directory of the
ptmx bind-mount. This implies that when doing bind-mounts the ptmx
bind-mount and the devpts mount should have a common parent directory. A
valid example is:
mount -t devpts devpts /dev/pts
mount --bind /dev/pts/ptmx /dev/ptmx
an invalid example is:
mount -t devpts devpts /dev/pts
mount --bind /dev/pts/ptmx /ptmx
This allows us to support:
- calling open on ptmx devices located inside non-standard devpts mounts:
mount -t devpts devpts /mnt
master = open("/mnt/ptmx", ...);
slave = ioctl(master, TIOCGPTPEER, ...);
- calling open on ptmx devices located outside the devpts mount with a
common ancestor directory:
mount -t devpts devpts /dev/pts
mount --bind /dev/pts/ptmx /dev/ptmx
master = open("/dev/ptmx", ...);
slave = ioctl(master, TIOCGPTPEER, ...);
while failing on ptmx devices located outside the devpts mount without a
common ancestor directory:
mount -t devpts devpts /dev/pts
mount --bind /dev/pts/ptmx /ptmx
master = open("/ptmx", ...);
slave = ioctl(master, TIOCGPTPEER, ...);
in which case safe path generation cannot be guaranteed.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Suggested-by: Eric Biederman <ebiederm@xmission.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 7d71109df186d630a41280670c8d71d0cf9b0da9 upstream.
Hoist the check whether we have already found a suitable devpts filesystem
out of devpts_ptmx_path() in preparation for the devpts bind-mount
resolution patch. This is a non-functional change.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* remotes/origin/tmp-2e9aed1:
Linux 4.14.55
Revert mm/vmstat.c: fix vmstat_update() preemption BUG
sched, tracing: Fix trace_sched_pi_setprio() for deboosting
staging: comedi: quatech_daqp_cs: fix no-op loop daqp_ao_insn_write()
netfilter: nf_log: don't hold nf_log_mutex during user access
mtd: cfi_cmdset_0002: Change erase functions to check chip good only
mtd: cfi_cmdset_0002: Change erase functions to retry for error
mtd: cfi_cmdset_0002: Change definition naming to retry write operation
dm: prevent DAX mounts if not supported
dm: set QUEUE_FLAG_DAX accordingly in dm_table_set_restrictions()
dax: check for QUEUE_FLAG_DAX in bdev_dax_supported()
dax: change bdev_dax_supported() to support boolean returns
fs: allow per-device dax status checking for filesystems
mtd: rawnand: mxc: set spare area size register explicitly
media: cx25840: Use subdev host data for PLL override
Kbuild: fix # escaping in .cmd files for future Make
Revert "dpaa_eth: fix error in dpaa_remove()"
f2fs: truncate preallocated blocks in error case
media: vb2: core: Finish buffers at the end of the stream
mm: hwpoison: disable memory error handling on 1GB hugepage
irq/core: Fix boot crash when the irqaffinity= boot parameter is passed on CPUMASK_OFFSTACK=y kernels(v1)
HID: debug: check length before copy_to_user()
HID: hiddev: fix potential Spectre v1
HID: i2c-hid: Fix "incomplete report" noise
block: cope with WRITE ZEROES failing in blkdev_issue_zeroout()
block: factor out __blkdev_issue_zero_pages()
ext4: check superblock mapped prior to committing
ext4: add more mount time checks of the superblock
ext4: add more inode number paranoia checks
ext4: avoid running out of journal credits when appending to an inline file
ext4: never move the system.data xattr out of the inode body
ext4: clear i_data in ext4_inode_info when removing inline data
ext4: include the illegal physical block in the bad map ext4_error msg
ext4: verify the depth of extent tree in ext4_find_extent()
ext4: only look at the bg_flags field if it is valid
ext4: always check block group bounds in ext4_init_block_bitmap()
ext4: make sure bitmaps and the inode table don't overlap with bg descriptors
ext4: always verify the magic number in xattr blocks
ext4: add corruption check in ext4_xattr_set_entry()
jbd2: don't mark block as modified if the handle is out of credits
drm/udl: fix display corruption of the last line
drm: Use kvzalloc for allocating blob property memory
cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting
cifs: Fix infinite loop when using hard mount option
cifs: Fix memory leak in smb2_set_ea()
cifs: Fix use after free of a mid_q_entry
vfio: Use get_user_pages_longterm correctly
drbd: fix access after free
s390: Correct register corruption in critical section cleanup
scsi: target: Fix truncated PR-in ReadKeys response
scsi: sg: mitigate read/write abuse
tracing: Fix missing return symbol in function_graph output
mm: hugetlb: yield when prepping struct pages
userfaultfd: hugetlbfs: fix userfaultfd_huge_must_wait() pte access
arm64: fix show_data fallout from KERN_CONT changes
Change-Id: I020c73a87142daffcc219230e476069e3bc98d2d
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
Merge 4.14.55 into android-4.14
Changes in 4.14.55
userfaultfd: hugetlbfs: fix userfaultfd_huge_must_wait() pte access
mm: hugetlb: yield when prepping struct pages
tracing: Fix missing return symbol in function_graph output
scsi: sg: mitigate read/write abuse
scsi: target: Fix truncated PR-in ReadKeys response
s390: Correct register corruption in critical section cleanup
drbd: fix access after free
vfio: Use get_user_pages_longterm correctly
cifs: Fix use after free of a mid_q_entry
cifs: Fix memory leak in smb2_set_ea()
cifs: Fix infinite loop when using hard mount option
cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting
drm: Use kvzalloc for allocating blob property memory
drm/udl: fix display corruption of the last line
jbd2: don't mark block as modified if the handle is out of credits
ext4: add corruption check in ext4_xattr_set_entry()
ext4: always verify the magic number in xattr blocks
ext4: make sure bitmaps and the inode table don't overlap with bg descriptors
ext4: always check block group bounds in ext4_init_block_bitmap()
ext4: only look at the bg_flags field if it is valid
ext4: verify the depth of extent tree in ext4_find_extent()
ext4: include the illegal physical block in the bad map ext4_error msg
ext4: clear i_data in ext4_inode_info when removing inline data
ext4: never move the system.data xattr out of the inode body
ext4: avoid running out of journal credits when appending to an inline file
ext4: add more inode number paranoia checks
ext4: add more mount time checks of the superblock
ext4: check superblock mapped prior to committing
block: factor out __blkdev_issue_zero_pages()
block: cope with WRITE ZEROES failing in blkdev_issue_zeroout()
HID: i2c-hid: Fix "incomplete report" noise
HID: hiddev: fix potential Spectre v1
HID: debug: check length before copy_to_user()
irq/core: Fix boot crash when the irqaffinity= boot parameter is passed on CPUMASK_OFFSTACK=y kernels(v1)
mm: hwpoison: disable memory error handling on 1GB hugepage
media: vb2: core: Finish buffers at the end of the stream
f2fs: truncate preallocated blocks in error case
Revert "dpaa_eth: fix error in dpaa_remove()"
Kbuild: fix # escaping in .cmd files for future Make
media: cx25840: Use subdev host data for PLL override
mtd: rawnand: mxc: set spare area size register explicitly
fs: allow per-device dax status checking for filesystems
dax: change bdev_dax_supported() to support boolean returns
dax: check for QUEUE_FLAG_DAX in bdev_dax_supported()
dm: set QUEUE_FLAG_DAX accordingly in dm_table_set_restrictions()
dm: prevent DAX mounts if not supported
mtd: cfi_cmdset_0002: Change definition naming to retry write operation
mtd: cfi_cmdset_0002: Change erase functions to retry for error
mtd: cfi_cmdset_0002: Change erase functions to check chip good only
netfilter: nf_log: don't hold nf_log_mutex during user access
staging: comedi: quatech_daqp_cs: fix no-op loop daqp_ao_insn_write()
sched, tracing: Fix trace_sched_pi_setprio() for deboosting
Revert mm/vmstat.c: fix vmstat_update() preemption BUG
Linux 4.14.55
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 80660f20252d6f76c9f203874ad7c7a4a8508cf8 upstream.
The function return values are confusing with the way the function is
named. We expect a true or false return value but it actually returns
0/-errno. This makes the code very confusing. Changing the return values
to return a bool where if DAX is supported then return true and no DAX
support returns false.
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Ross Zwisler <ross.zwisler@linux.intel.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ba23cba9b3bdc967aabdc6ff1e3e9b11ce05bb4f upstream.
Change bdev_dax_supported so it takes a bdev parameter. This enables
multi-device filesystems like xfs to check that a dax device can work for
the particular filesystem. Once that's in place, actually fix all the
parts of XFS where we need to be able to distinguish between datadev and
rtdev.
This patch fixes the problem where we screw up the dax support checking
in xfs if the datadev and rtdev have different dax capabilities.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
[rez: Re-added __bdev_dax_supported() for !CONFIG_FS_DAX cases]
Signed-off-by: Ross Zwisler <ross.zwisler@linux.intel.com>
Reviewed-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit dc7a10ddee0c56c6d891dd18de5c4ee9869545e0 upstream.
If a write fails, we must deallocate the blocks that we couldn't write.
Cc: stable@vger.kernel.org
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit a17712c8e4be4fa5404d20e9cd3b2b21eae7bc56 upstream.
This patch attempts to close a hole leading to a BUG seen with hot
removals during writes [1].
A block device (NVME namespace in this test case) is formatted to EXT4
without partitions. It's mounted and write I/O is run to a file, then
the device is hot removed from the slot. The superblock attempts to be
written to the drive which is no longer present.
The typical chain of events leading to the BUG:
ext4_commit_super()
__sync_dirty_buffer()
submit_bh()
submit_bh_wbc()
BUG_ON(!buffer_mapped(bh));
This fix checks for the superblock's buffer head being mapped prior to
syncing.
[1] https://www.spinics.net/lists/linux-ext4/msg56527.html
Signed-off-by: Jon Derrick <jonathan.derrick@intel.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit bfe0a5f47ada40d7984de67e59a7d3390b9b9ecc upstream.
The kernel's ext4 mount-time checks were more permissive than
e2fsprogs's libext2fs checks when opening a file system. If the
superblock is considered too insane for debugfs or e2fsck to operate
on it, the kernel has no business trying to mount it.
This will make file system fuzzing tools work harder, but the failure
cases that they find will be more useful and be easier to evaluate.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c37e9e013469521d9adb932d17a1795c139b36db upstream.
If there is a directory entry pointing to a system inode (such as a
journal inode), complain and declare the file system to be corrupted.
Also, if the superblock's first inode number field is too small,
refuse to mount the file system.
This addresses CVE-2018-10882.
https://bugzilla.kernel.org/show_bug.cgi?id=200069
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 8bc1379b82b8e809eef77a9fedbb75c6c297be19 upstream.
Use a separate journal transaction if it turns out that we need to
convert an inline file to use a data block. Otherwise we could end
up failing due to not having journal credits.
This addresses CVE-2018-10883.
https://bugzilla.kernel.org/show_bug.cgi?id=200071
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 8cdb5240ec5928b20490a2bb34cb87e9a5f40226 upstream.
When expanding the extra isize space, we must never move the
system.data xattr out of the inode body. For performance reasons, it
doesn't make any sense, and the inline data implementation assumes
that system.data xattr is never in the external xattr block.
This addresses CVE-2018-10880.
https://bugzilla.kernel.org/show_bug.cgi?id=200005
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 6e8ab72a812396996035a37e5ca4b3b99b5d214b upstream.
When converting an inode from storing the data in-line to a data
block, ext4_destroy_inline_data_nolock() was only clearing the on-disk
copy of the i_blocks[] array. It was not clearing the copy of the
i_blocks[] in ext4_inode_info, in i_data[], which is the copy actually
used by ext4_map_blocks().
This didn't matter much if we are using extents, since the extents
header would be invalid and thus the extents code would re-initialize
the extents tree. But if we are using indirect blocks, the previous
contents of the i_blocks array will be treated as block numbers, with
potentially catastrophic results to the file system integrity and/or
user data.
This gets worse if the file system is using a 1k block size and
s_first_data is zero, but even without this, the file system can get
quite badly corrupted.
This addresses CVE-2018-10881.
https://bugzilla.kernel.org/show_bug.cgi?id=200015
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit bc890a60247171294acc0bd67d211fa4b88d40ba upstream.
If there is a corrupted file system where the claimed depth of the
extent tree is -1, this can cause a massive buffer overrun leading to
sadness.
This addresses CVE-2018-10877.
https://bugzilla.kernel.org/show_bug.cgi?id=199417
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 8844618d8aa7a9973e7b527d038a2a589665002c upstream.
The bg_flags field in the block group descriptors is only valid if the
uninit_bg or metadata_csum feature is enabled. We were not
consistently looking at this field; fix this.
Also block group #0 must never have uninitialized allocation bitmaps,
or need to be zeroed, since that's where the root inode, and other
special inodes are set up. Check for these conditions and mark the
file system as corrupted if they are detected.
This addresses CVE-2018-10876.
https://bugzilla.kernel.org/show_bug.cgi?id=199403
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 819b23f1c501b17b9694325471789e6b5cc2d0d2 upstream.
Regardless of whether the flex_bg feature is set, we should always
check to make sure the bits we are setting in the block bitmap are
within the block group bounds.
https://bugzilla.kernel.org/show_bug.cgi?id=199865
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 77260807d1170a8cf35dbb06e07461a655f67eee upstream.
It's really bad when the allocation bitmaps and the inode table
overlap with the block group descriptors, since it causes random
corruption of the bg descriptors. So we really want to head those off
at the pass.
https://bugzilla.kernel.org/show_bug.cgi?id=199865
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 513f86d73855ce556ea9522b6bfd79f87356dc3a upstream.
If there an inode points to a block which is also some other type of
metadata block (such as a block allocation bitmap), the
buffer_verified flag can be set when it was validated as that other
metadata block type; however, it would make a really terrible external
attribute block. The reason why we use the verified flag is to avoid
constantly reverifying the block. However, it doesn't take much
overhead to make sure the magic number of the xattr block is correct,
and this will avoid potential crashes.
This addresses CVE-2018-10879.
https://bugzilla.kernel.org/show_bug.cgi?id=200001
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5369a762c882c0b6e9599e4ebbb3a9ba9eee7e2d upstream.
In theory this should have been caught earlier when the xattr list was
verified, but in case it got missed, it's simple enough to add check
to make sure we don't overrun the xattr buffer.
This addresses CVE-2018-10879.
https://bugzilla.kernel.org/show_bug.cgi?id=200001
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit e09463f220ca9a1a1ecfda84fcda658f99a1f12a upstream.
The b_modified flag in a block's journal head should not be set until
after we're sure that jbd2_journal_dirty_metadata() will not abort
with an error due to there not being enough space reserved in the
jbd2 handle.
Otherwise, future attempts to modify the buffer may lead to a large
number of spurious errors and warnings.
This addresses CVE-2018-10883.
https://bugzilla.kernel.org/show_bug.cgi?id=200071
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 7ffbe65578b44fafdef577a360eb0583929f7c6e upstream.
For every request we send, whether it is SMB1 or SMB2+, we attempt to
reconnect tcon (cifs_reconnect_tcon or smb2_reconnect) before carrying
out the request.
So, while server->tcpStatus != CifsNeedReconnect, we wait for the
reconnection to succeed on wait_event_interruptible_timeout(). If it
returns, that means that either the condition was evaluated to true, or
timeout elapsed, or it was interrupted by a signal.
Since we're not handling the case where the process woke up due to a
received signal (-ERESTARTSYS), the next call to
wait_event_interruptible_timeout() will _always_ fail and we end up
looping forever inside either cifs_reconnect_tcon() or smb2_reconnect().
Here's an example of how to trigger that:
$ mount.cifs //foo/share /mnt/test -o username=foo,password=foo,vers=1.0,hard
(break connection to server before executing below cmd)
$ stat -f /mnt/test & sleep 140
[1] 2511
$ ps -aux -q 2511
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 2511 0.0 0.0 12892 1008 pts/0 S 12:24 0:00 stat -f /mnt/test
$ kill -9 2511
(wait for a while; process is stuck in the kernel)
$ ps -aux -q 2511
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 2511 83.2 0.0 12892 1008 pts/0 R 12:24 30:01 stat -f /mnt/test
Using a 'hard' mount point means that cifs.ko will keep retrying
indefinitely; however, we must allow the process to be killed, otherwise
it would hang the system.
Signed-off-by: Paulo Alcantara <palcantara@suse.de>
Cc: stable@vger.kernel.org
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
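The unhandled -ERESTARTSYS return described in the commit message above, as an added user-space C simulation that is not part of the original patch or of cifs.ko: struct fake_server, fake_wait_for_reconnect() and LOOP_CAP are constructed stand-ins for the kernel's server state, wait_event_interruptible_timeout() and the otherwise unbounded retry loop.

```c
#include <errno.h>
#include <stdbool.h>

/* Constructed user-space model of the cifs reconnect wait loop described in
 * the commit message above; this is not cifs.ko code. ERESTARTSYS is a
 * kernel-internal errno value, so it is defined here for the simulation. */
#ifndef ERESTARTSYS
#define ERESTARTSYS 512
#endif
#define LOOP_CAP 1000	/* simulation bound; the real loop has no cap at all */

enum tcp_status { CIFS_GOOD, CIFS_NEED_RECONNECT };
struct fake_server {
	enum tcp_status tcpStatus;
	bool signal_pending;	/* a fatal signal (e.g. SIGKILL) is pending on the waiter */
	bool hard;		/* 'hard' mount: retry indefinitely instead of failing once */
};

/* Stand-in for wait_event_interruptible_timeout(): >0 once the condition is
 * true, 0 on timeout, -ERESTARTSYS when a signal interrupted the wait. With a
 * signal pending, every further call keeps returning -ERESTARTSYS. */
static long fake_wait_for_reconnect(const struct fake_server *srv)
{
	if (srv->signal_pending)
		return -ERESTARTSYS;
	return srv->tcpStatus != CIFS_NEED_RECONNECT ? 1 : 0;
}

/* Buggy flow: the wait's return value is ignored, so a signal looks like an
 * ordinary timeout and the task keeps spinning until the server comes back. */
int reconnect_buggy(const struct fake_server *srv, int *waits)
{
	*waits = 0;
	while (srv->tcpStatus == CIFS_NEED_RECONNECT) {
		(void)fake_wait_for_reconnect(srv);
		if (srv->tcpStatus != CIFS_NEED_RECONNECT)
			break;
		if (!srv->hard)
			return -EHOSTDOWN;	/* soft mount: give up after one wait */
		if (++*waits >= LOOP_CAP)
			return -ETIMEDOUT;	/* simulation cap only */
	}
	return 0;
}

/* Fixed flow: a negative return from the wait means the task was signalled,
 * so hand -ERESTARTSYS back to the caller and let the task be killed. */
int reconnect_fixed(const struct fake_server *srv, int *waits)
{
	*waits = 0;
	while (srv->tcpStatus == CIFS_NEED_RECONNECT) {
		if (fake_wait_for_reconnect(srv) < 0)
			return -ERESTARTSYS;
		if (srv->tcpStatus != CIFS_NEED_RECONNECT)
			break;
		if (!srv->hard)
			return -EHOSTDOWN;
		if (++*waits >= LOOP_CAP)
			return -ETIMEDOUT;
	}
	return 0;
}

struct outcome { int rc; int waits; };

/* The scenario from the commit message: 'hard' mount, server gone, then
 * `kill -9` on the waiting task. waits == LOOP_CAP means "spun forever". */
struct outcome scenario_killed_on_hard_mount(bool use_fixed)
{
	struct fake_server srv = { CIFS_NEED_RECONNECT, true, true };
	struct outcome o;
	o.rc = use_fixed ? reconnect_fixed(&srv, &o.waits)
			 : reconnect_buggy(&srv, &o.waits);
	return o;
}
```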
commit 6aa0c114eceec8cc61715f74a4ce91b048d7561c upstream.
This patch fixes a memory leak when doing a setxattr(2) in SMB2+.
Signed-off-by: Paulo Alcantara <palcantara@suse.de>
Cc: stable@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 696e420bb2a6624478105651d5368d45b502b324 upstream.
With protocol version 2.0 mounts we have seen crashes with corrupt mid
entries. Either the server->pending_mid_q list becomes corrupt with a
cyclic reference in one element or a mid object fetched by the
demultiplexer thread becomes overwritten during use.
Code review identified a race between the demultiplexer thread and the
request issuing thread. The demultiplexer thread seems to be written
with the assumption that it is the sole user of the mid object until
it calls the mid callback which either wakes the issuer task or
deletes the mid.
This assumption is not true because the issuer task can be woken up
earlier by a signal. If the demultiplexer thread has proceeded as far
as setting the mid_state to MID_RESPONSE_RECEIVED then the issuer
thread will happily end up calling cifs_delete_mid while the
demultiplexer thread still is using the mid object.
Inserting a delay in the cifs demultiplexer thread widens the race
window and makes reproduction of the race very easy:
if (server->large_buf)
buf = server->bigbuf;
+ usleep_range(500, 4000);
server->lstrp = jiffies;
To resolve this I think the proper solution involves putting a
reference count on the mid object. This patch makes sure that the
demultiplexer thread holds a reference until it has finished
processing the transaction.
Cc: stable@vger.kernel.org
Signed-off-by: Lars Persson <larper@axis.com>
Acked-by: Paulo Alcantara <palcantara@suse.de>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 1e2c043628c7736dd56536d16c0ce009bc834ae7 upstream.
Use huge_ptep_get() to translate huge ptes to normal ptes so we can
check them with the huge_pte_* functions. Otherwise some architectures
will check the wrong values and will not wait for userspace to bring in
the memory.
Link: http://lkml.kernel.org/r/20180626132421.78084-1-frankja@linux.ibm.com
Fixes: 369cd2121be4 ("userfaultfd: hugetlbfs: userfaultfd_huge_must_wait for hugepmd ranges")
Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* remotes/origin/tmp-a6d6913:
Linux 4.14.54
net: dsa: b53: Add BCM5389 support
net/sonic: Use dma_mapping_error()
platform/x86: asus-wmi: Fix NULL pointer dereference
sched/core: Require cpu_active() in select_task_rq(), for user tasks
sched/core: Fix rules for running on online && !active CPUs
fs: clear writeback errors in inode_init_always
perf bpf: Fix NULL return handling in bpf__prepare_load()
perf test: "Session topology" dumps core on s390
net: qmi_wwan: Add Netgear Aircard 779S
atm: zatm: fix memcmp casting
iwlwifi: pcie: compare with number of IRQs requested for, not number of CPUs
ipvs: fix buffer overflow with sync daemon and service
netfilter: nft_limit: fix packet ratelimiting
s390/dasd: use blk_mq_rq_from_pdu for per request data
netfilter: ebtables: handle string from userspace with care
afs: Fix directory permissions check
xfrm6: avoid potential infinite loop in _decode_session6()
mtd: rawnand: fix return value check for bad block status
ARM: dts: imx6q: Use correct SDMA script for SPI5 core
netfilter: nf_tables: use WARN_ON_ONCE instead of BUG_ON in nft_do_chain()
netfilter: ip6t_rpfilter: provide input interface for route lookup
netfilter: don't set F_IFACE on ipv6 fib lookups
md: remove special meaning of ->quiesce(.., 2)
md: allow metadata update while suspending.
md: use mddev_suspend/resume instead of ->quiesce()
md: move suspend_hi/lo handling into core md code
md: don't call bitmap_create() while array is quiesced.
md: always hold reconfig_mutex when calling mddev_suspend()
netfilter: nf_tables: fix NULL-ptr in nf_tables_dump_obj()
netfilter: nf_tables: add missing netlink attrs to policies
netfilter: nf_tables: fix memory leak on error exit return
netfilter: nf_tables: increase nft_counters_enabled in nft_chain_stats_replace()
netfilter: nf_tables: disable preemption in nft_update_chain_stats()
netfilter: nft_meta: fix wrong value dereference in nft_meta_set_eval
netfilter: nf_tables: bogus EBUSY in chain deletions
netfilter: nf_tables: don't assume chain stats are set when jumplabel is set
netfilter: nft_compat: fix handling of large matchinfo size
netfilter: nft_compat: prepare for indirect info storage
netfilter: nf_tables: nft_compat: fix refcount leak on xt module
drm/i915: Enable provoking vertex fix on Gen9 systems.
drm/amdgpu: Refactor amdgpu_vram_mgr_bo_invisible_size helper
drm/amdgpu: Use kvmalloc_array for allocating VRAM manager nodes array
drm/atmel-hlcdc: check stride values in the first plane
drm/qxl: Call qxl_bo_unref outside atomic context
drm/amdgpu: fix the missed vcn fw version report
drm/amdgpu: Add APU support in vi_set_vce_clocks
drm/amdgpu: Add APU support in vi_set_uvd_clocks
vt: prevent leaking uninitialized data to userspace via /dev/vcs*
serdev: fix memleak on module unload
serial: 8250_pci: Remove stalled entries in blacklist
staging: android: ion: Return an ERR_PTR in ion_map_kernel
n_tty: Access echo_* variables carefully.
n_tty: Fix stall at n_tty_receive_char_special().
xhci: Fix kernel oops in trace_xhci_free_virt_device
usb: typec: ucsi: Fix for incorrect status data issue
usb: typec: ucsi: acpi: Workaround for cache mode issue
acpi: Add helper for deactivating memory region
usb: dwc2: fix the incorrect bitmaps for the ports of multi_tt hub
USB: serial: cp210x: add Silicon Labs IDs for Windows Update
USB: serial: cp210x: add CESINEL device ids
usb: cdc_acm: Add quirk for Uniden UBC125 scanner
Conflicts:
kernel/sched/core.c
Change-Id: I3013b90524ff80708423429a3715b1bdf1f9ad4c
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
Merge 4.14.54 into android-4.14
Changes in 4.14.54
usb: cdc_acm: Add quirk for Uniden UBC125 scanner
USB: serial: cp210x: add CESINEL device ids
USB: serial: cp210x: add Silicon Labs IDs for Windows Update
usb: dwc2: fix the incorrect bitmaps for the ports of multi_tt hub
acpi: Add helper for deactivating memory region
usb: typec: ucsi: acpi: Workaround for cache mode issue
usb: typec: ucsi: Fix for incorrect status data issue
xhci: Fix kernel oops in trace_xhci_free_virt_device
n_tty: Fix stall at n_tty_receive_char_special().
n_tty: Access echo_* variables carefully.
staging: android: ion: Return an ERR_PTR in ion_map_kernel
serial: 8250_pci: Remove stalled entries in blacklist
serdev: fix memleak on module unload
vt: prevent leaking uninitialized data to userspace via /dev/vcs*
drm/amdgpu: Add APU support in vi_set_uvd_clocks
drm/amdgpu: Add APU support in vi_set_vce_clocks
drm/amdgpu: fix the missed vcn fw version report
drm/qxl: Call qxl_bo_unref outside atomic context
drm/atmel-hlcdc: check stride values in the first plane
drm/amdgpu: Use kvmalloc_array for allocating VRAM manager nodes array
drm/amdgpu: Refactor amdgpu_vram_mgr_bo_invisible_size helper
drm/i915: Enable provoking vertex fix on Gen9 systems.
netfilter: nf_tables: nft_compat: fix refcount leak on xt module
netfilter: nft_compat: prepare for indirect info storage
netfilter: nft_compat: fix handling of large matchinfo size
netfilter: nf_tables: don't assume chain stats are set when jumplabel is set
netfilter: nf_tables: bogus EBUSY in chain deletions
netfilter: nft_meta: fix wrong value dereference in nft_meta_set_eval
netfilter: nf_tables: disable preemption in nft_update_chain_stats()
netfilter: nf_tables: increase nft_counters_enabled in nft_chain_stats_replace()
netfilter: nf_tables: fix memory leak on error exit return
netfilter: nf_tables: add missing netlink attrs to policies
netfilter: nf_tables: fix NULL-ptr in nf_tables_dump_obj()
md: always hold reconfig_mutex when calling mddev_suspend()
md: don't call bitmap_create() while array is quiesced.
md: move suspend_hi/lo handling into core md code
md: use mddev_suspend/resume instead of ->quiesce()
md: allow metadata update while suspending.
md: remove special meaning of ->quiesce(.., 2)
netfilter: don't set F_IFACE on ipv6 fib lookups
netfilter: ip6t_rpfilter: provide input interface for route lookup
netfilter: nf_tables: use WARN_ON_ONCE instead of BUG_ON in nft_do_chain()
ARM: dts: imx6q: Use correct SDMA script for SPI5 core
mtd: rawnand: fix return value check for bad block status
xfrm6: avoid potential infinite loop in _decode_session6()
afs: Fix directory permissions check
netfilter: ebtables: handle string from userspace with care
s390/dasd: use blk_mq_rq_from_pdu for per request data
netfilter: nft_limit: fix packet ratelimiting
ipvs: fix buffer overflow with sync daemon and service
iwlwifi: pcie: compare with number of IRQs requested for, not number of CPUs
atm: zatm: fix memcmp casting
net: qmi_wwan: Add Netgear Aircard 779S
perf test: "Session topology" dumps core on s390
perf bpf: Fix NULL return handling in bpf__prepare_load()
fs: clear writeback errors in inode_init_always
sched/core: Fix rules for running on online && !active CPUs
sched/core: Require cpu_active() in select_task_rq(), for user tasks
platform/x86: asus-wmi: Fix NULL pointer dereference
net/sonic: Use dma_mapping_error()
net: dsa: b53: Add BCM5389 support
Linux 4.14.54
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit 829bc787c1a0403e4d886296dd4d90c5f9c1744a ]
In inode_init_always(), we clear the inode mapping flags, which clears
any retained error (AS_EIO, AS_ENOSPC) bits. Unfortunately, we do not
also clear wb_err, which means that old mapping errors can leak through
to new inodes.
This is crucial for the XFS inode allocation path because we recycle old
in-core inodes and we do not want error state from an old file to leak
into the new file. This bug was discovered by running generic/036 and
generic/047 in a loop and noticing that the EIOs generated by the
collision of direct and buffered writes in generic/036 would survive the
remount between 036 and 047, and get reported to the fsyncs (on
different files!) in generic/047.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 378831e4daec75fbba6d3612bcf3b4dd00ddbf08 ]
Doing faccessat("/afs/some/directory", 0) triggers a BUG in the permissions
check code.
Fix this by just removing the BUG section. If no permissions are asked
for, just return okay if the file exists.
Also:
(1) Split up the directory check so that it has separate if-statements
rather than if-else-if (e.g. checking for MAY_EXEC shouldn't skip the
check for MAY_READ and MAY_WRITE).
(2) Check for MAY_CHDIR as MAY_EXEC.
Without the main fix, the following BUG may occur:
kernel BUG at fs/afs/security.c:386!
invalid opcode: 0000 [#1] SMP PTI
...
RIP: 0010:afs_permission+0x19d/0x1a0 [kafs]
...
Call Trace:
? inode_permission+0xbe/0x180
? do_faccessat+0xdc/0x270
? do_syscall_64+0x60/0x1f0
? entry_SYSCALL_64_after_hwframe+0x49/0xbe
Fixes: 00d3b7a4533e ("[AFS]: Add security support.")
Reported-by: Jonathan Billings <jsbillings@jsbillings.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
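The if-else-if defect and the empty-mask BUG() described in the commit message above, as an added C model that is not the kernel's afs_permission() code: the MAY_* values mirror the kernel's request flags, while the ACE_* rights, their values and the PERM_* result codes are assumptions made for the illustration.

```c
#include <stdbool.h>

/* Constructed model of the directory branch of afs_permission() described in
 * the commit message above; this is not the kernel's code. The MAY_* values
 * mirror the kernel's request flags; the ACE_* rights and their values are
 * assumed for the illustration. */
#define MAY_EXEC	0x0001
#define MAY_WRITE	0x0002
#define MAY_READ	0x0004
#define MAY_CHDIR	0x0040

#define ACE_LOOKUP	0x01	/* look up / list entries: needed for exec, read, chdir */
#define ACE_INSERT	0x02	/* create, mkdir, symlink, rename into */
#define ACE_DELETE	0x04	/* unlink, rmdir, rename out of */

enum perm_result { PERM_OK, PERM_DENIED, PERM_BUG };

/* Before the fix: an if-else-if chain, so only the first matching request
 * bit is checked, and a mask with none of the three bits lands in BUG(). */
enum perm_result dir_permission_before(unsigned access, int mask)
{
	if (mask & MAY_EXEC) {
		if (!(access & ACE_LOOKUP))
			return PERM_DENIED;
	} else if (mask & MAY_READ) {
		if (!(access & ACE_LOOKUP))
			return PERM_DENIED;
	} else if (mask & MAY_WRITE) {
		if (!(access & (ACE_INSERT | ACE_DELETE)))
			return PERM_DENIED;
	} else {
		return PERM_BUG;	/* stands in for the BUG() in fs/afs/security.c */
	}
	return PERM_OK;
}

/* After the fix: independent if-statements, MAY_CHDIR treated like MAY_EXEC,
 * and an empty mask (faccessat(path, 0)) succeeds for an entry that exists. */
enum perm_result dir_permission_after(unsigned access, int mask)
{
	if (mask & (MAY_EXEC | MAY_READ | MAY_CHDIR)) {
		if (!(access & ACE_LOOKUP))
			return PERM_DENIED;
	}
	if (mask & MAY_WRITE) {
		if (!(access & (ACE_INSERT | ACE_DELETE)))
			return PERM_DENIED;
	}
	return PERM_OK;
}
```

With lookup-only rights, the pre-fix chain grants MAY_EXEC|MAY_WRITE because the write check is never reached; the split checks deny it.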