summaryrefslogtreecommitdiff
path: root/fs (follow)
Commit message (Collapse)AuthorAge
...
| | * cifs: fix incorrect check for null pointer in header_assembleSteve French2021-10-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit 9ed38fd4a15417cac83967360cf20b853bfab9b6 upstream. Although very unlikely that the tlink pointer would be null in this case, get_next_mid function can in theory return null (but not an error) so need to check for null (not for IS_ERR, which can not be returned here). Address warning: fs/smbfs_client/connect.c:2392 cifs_match_super() warn: 'tlink' isn't an ERR_PTR Pointed out by Dan Carpenter via smatch code analysis tool CC: stable@vger.kernel.org Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Ronnie Sahlberg <lsahlber@redhat.com> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | Merge 4.4.285 into android-4.4-pGreg Kroah-Hartman2021-09-26
| |\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changes in 4.4.285 s390/bpf: Fix optimizing out zero-extensions PM / wakeirq: Fix unbalanced IRQ enable for wakeirq sctp: validate chunk size in __rcv_asconf_lookup sctp: add param size validation for SCTP_PARAM_SET_PRIMARY thermal/drivers/exynos: Fix an error code in exynos_tmu_probe() 9p/trans_virtio: Remove sysfs file on probe failure prctl: allow to setup brk for et_dyn executables profiling: fix shift-out-of-bounds bugs dmaengine: acpi-dma: check for 64-bit MMIO address dmaengine: acpi: Avoid comparison GSI with Linux vIRQ parisc: Move pci_dev_is_behind_card_dino to where it is used dmaengine: ioat: depends on !UML ceph: lockdep annotations for try_nonblocking_invalidate nilfs2: fix memory leak in nilfs_sysfs_create_device_group nilfs2: fix NULL pointer in nilfs_##name##_attr_release nilfs2: fix memory leak in nilfs_sysfs_create_##name##_group nilfs2: fix memory leak in nilfs_sysfs_delete_##name##_group nilfs2: fix memory leak in nilfs_sysfs_create_snapshot_group nilfs2: fix memory leak in nilfs_sysfs_delete_snapshot_group blk-throttle: fix UAF by deleteing timer in blk_throtl_exit() drm/nouveau/nvkm: Replace -ENOSYS with -ENODEV sctp: validate from_addr_param return Linux 4.4.285 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I10ef4f8fa6f8c53aaedfa2e6c5212b1faecad1b4
| | * nilfs2: fix memory leak in nilfs_sysfs_delete_snapshot_groupNanyong Sun2021-09-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 17243e1c3072b8417a5ebfc53065d0a87af7ca77 ] kobject_put() should be used to cleanup the memory associated with the kobject instead of kobject_del(). See the section "Kobject removal" of "Documentation/core-api/kobject.rst". Link: https://lkml.kernel.org/r/20210629022556.3985106-7-sunnanyong@huawei.com Link: https://lkml.kernel.org/r/1625651306-10829-7-git-send-email-konishi.ryusuke@gmail.com Signed-off-by: Nanyong Sun <sunnanyong@huawei.com> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
| | * nilfs2: fix memory leak in nilfs_sysfs_create_snapshot_groupNanyong Sun2021-09-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit b2fe39c248f3fa4bbb2a20759b4fdd83504190f7 ] If kobject_init_and_add returns with error, kobject_put() is needed here to avoid memory leak, because kobject_init_and_add may return error without freeing the memory associated with the kobject it allocated. Link: https://lkml.kernel.org/r/20210629022556.3985106-6-sunnanyong@huawei.com Link: https://lkml.kernel.org/r/1625651306-10829-6-git-send-email-konishi.ryusuke@gmail.com Signed-off-by: Nanyong Sun <sunnanyong@huawei.com> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
| | * nilfs2: fix memory leak in nilfs_sysfs_delete_##name##_groupNanyong Sun2021-09-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit a3e181259ddd61fd378390977a1e4e2316853afa ] The kobject_put() should be used to cleanup the memory associated with the kobject instead of kobject_del. See the section "Kobject removal" of "Documentation/core-api/kobject.rst". Link: https://lkml.kernel.org/r/20210629022556.3985106-5-sunnanyong@huawei.com Link: https://lkml.kernel.org/r/1625651306-10829-5-git-send-email-konishi.ryusuke@gmail.com Signed-off-by: Nanyong Sun <sunnanyong@huawei.com> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
| | * nilfs2: fix memory leak in nilfs_sysfs_create_##name##_groupNanyong Sun2021-09-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 24f8cb1ed057c840728167dab33b32e44147c86f ] If kobject_init_and_add return with error, kobject_put() is needed here to avoid memory leak, because kobject_init_and_add may return error without freeing the memory associated with the kobject it allocated. Link: https://lkml.kernel.org/r/20210629022556.3985106-4-sunnanyong@huawei.com Link: https://lkml.kernel.org/r/1625651306-10829-4-git-send-email-konishi.ryusuke@gmail.com Signed-off-by: Nanyong Sun <sunnanyong@huawei.com> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
| | * nilfs2: fix NULL pointer in nilfs_##name##_attr_releaseNanyong Sun2021-09-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit dbc6e7d44a514f231a64d9d5676e001b660b6448 ] In nilfs_##name##_attr_release, kobj->parent should not be referenced because it is a NULL pointer. The release() method of kobject is always called in kobject_put(kobj), in the implementation of kobject_put(), the kobj->parent will be assigned as NULL before call the release() method. So just use kobj to get the subgroups, which is more efficient and can fix a NULL pointer reference problem. Link: https://lkml.kernel.org/r/20210629022556.3985106-3-sunnanyong@huawei.com Link: https://lkml.kernel.org/r/1625651306-10829-3-git-send-email-konishi.ryusuke@gmail.com Signed-off-by: Nanyong Sun <sunnanyong@huawei.com> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
| | * nilfs2: fix memory leak in nilfs_sysfs_create_device_groupNanyong Sun2021-09-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 5f5dec07aca7067216ed4c1342e464e7307a9197 ] Patch series "nilfs2: fix incorrect usage of kobject". This patchset from Nanyong Sun fixes memory leak issues and a NULL pointer dereference issue caused by incorrect usage of kboject in nilfs2 sysfs implementation. This patch (of 6): Reported by syzkaller: BUG: memory leak unreferenced object 0xffff888100ca8988 (size 8): comm "syz-executor.1", pid 1930, jiffies 4294745569 (age 18.052s) hex dump (first 8 bytes): 6c 6f 6f 70 31 00 ff ff loop1... backtrace: kstrdup+0x36/0x70 mm/util.c:60 kstrdup_const+0x35/0x60 mm/util.c:83 kvasprintf_const+0xf1/0x180 lib/kasprintf.c:48 kobject_set_name_vargs+0x56/0x150 lib/kobject.c:289 kobject_add_varg lib/kobject.c:384 [inline] kobject_init_and_add+0xc9/0x150 lib/kobject.c:473 nilfs_sysfs_create_device_group+0x150/0x7d0 fs/nilfs2/sysfs.c:986 init_nilfs+0xa21/0xea0 fs/nilfs2/the_nilfs.c:637 nilfs_fill_super fs/nilfs2/super.c:1046 [inline] nilfs_mount+0x7b4/0xe80 fs/nilfs2/super.c:1316 legacy_get_tree+0x105/0x210 fs/fs_context.c:592 vfs_get_tree+0x8e/0x2d0 fs/super.c:1498 do_new_mount fs/namespace.c:2905 [inline] path_mount+0xf9b/0x1990 fs/namespace.c:3235 do_mount+0xea/0x100 fs/namespace.c:3248 __do_sys_mount fs/namespace.c:3456 [inline] __se_sys_mount fs/namespace.c:3433 [inline] __x64_sys_mount+0x14b/0x1f0 fs/namespace.c:3433 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae If kobject_init_and_add return with error, then the cleanup of kobject is needed because memory may be allocated in kobject_init_and_add without freeing. And the place of cleanup_dev_kobject should use kobject_put to free the memory associated with the kobject. As the section "Kobject removal" of "Documentation/core-api/kobject.rst" says, kobject_del() just makes the kobject "invisible", but it is not cleaned up. And no more cleanup will do after cleanup_dev_kobject, so kobject_put is needed here. Link: https://lkml.kernel.org/r/1625651306-10829-1-git-send-email-konishi.ryusuke@gmail.com Link: https://lkml.kernel.org/r/1625651306-10829-2-git-send-email-konishi.ryusuke@gmail.com Reported-by: Hulk Robot <hulkci@huawei.com> Link: https://lkml.kernel.org/r/20210629022556.3985106-2-sunnanyong@huawei.com Signed-off-by: Nanyong Sun <sunnanyong@huawei.com> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
| | * ceph: lockdep annotations for try_nonblocking_invalidateJeff Layton2021-09-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 3eaf5aa1cfa8c97c72f5824e2e9263d6cc977b03 ] Signed-off-by: Jeff Layton <jlayton@kernel.org> Reviewed-by: Ilya Dryomov <idryomov@gmail.com> Signed-off-by: Ilya Dryomov <idryomov@gmail.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
| * | Merge 4.4.284 into android-4.4-pGreg Kroah-Hartman2021-09-22
| |\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changes in 4.4.284 ext4: fix race writing to an inline_data file while its xattrs are changing xtensa: fix kconfig unmet dependency warning for HAVE_FUTEX_CMPXCHG ARC: fix allnoconfig build warning qede: Fix memset corruption cryptoloop: add a deprecation warning ARM: 8918/2: only build return_address() if needed ALSA: pcm: fix divide error in snd_pcm_lib_ioctl ath: Use safer key clearing with key cache entries ath9k: Clear key cache explicitly on disabling hardware ath: Export ath_hw_keysetmac() ath: Modify ath_key_delete() to not need full key entry ath9k: Postpone key cache entry deletion for TXQ frames reference it media: stkwebcam: fix memory leak in stk_camera_probe igmp: Add ip_mc_list lock in ip_check_mc_rcu usb: phy: isp1301: Fix build warning when CONFIG_OF is disabled USB: serial: mos7720: improve OOM-handling in read_mos_reg() PM / wakeirq: Enable dedicated wakeirq for suspend tc358743: fix register i2c_rd/wr function fix ipv4/icmp: l3mdev: Perform icmp error route lookup on source device routing table (v2) s390/disassembler: correct disassembly lines alignment mm/kmemleak.c: make cond_resched() rate-limiting more efficient powerpc/module64: Fix comment in R_PPC64_ENTRY handling powerpc/boot: Delete unneeded .globl _zimage_start net: ll_temac: Remove left-over debug message mm/page_alloc: speed up the iteration of max_order Revert "btrfs: compression: don't try to compress if we don't have enough pages" x86/reboot: Limit Dell Optiplex 990 quirk to early BIOS versions PCI: Call Max Payload Size-related fixup quirks early crypto: mxs-dcp - Check for DMA mapping errors crypto: omap-sham - clear dma flags only after omap_sham_update_dma_stop() power: supply: max17042_battery: fix typo in MAx17042_TOFF libata: fix ata_host_start() crypto: qat - do not ignore errors from enable_vf2pf_comms() crypto: qat - fix reuse of completion variable udf_get_extendedattr() had no boundary checks. m68k: emu: Fix invalid free in nfeth_cleanup() certs: Trigger creation of RSA module signing key if it's not an RSA key media: dvb-usb: fix uninit-value in dvb_usb_adapter_dvb_init media: dvb-usb: fix uninit-value in vp702x_read_mac_addr media: go7007: remove redundant initialization Bluetooth: sco: prevent information leak in sco_conn_defer_accept() tcp: seq_file: Avoid skipping sk during tcp_seek_last_pos net: cipso: fix warnings in netlbl_cipsov4_add_std i2c: highlander: add IRQ check PCI: PM: Enable PME if it can be signaled from D3cold Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow arm64: dts: exynos: correct GIC CPU interfaces address range on Exynos7 Bluetooth: fix repeated calls to sco_sock_kill drm/msm/dsi: Fix some reference counted resource leaks usb: gadget: udc: at91: add IRQ check usb: phy: fsl-usb: add IRQ check usb: phy: twl6030: add IRQ checks Bluetooth: Move shutdown callback before flushing tx and rx queue usb: host: ohci-tmio: add IRQ check usb: phy: tahvo: add IRQ check usb: gadget: mv_u3d: request_irq() after initializing UDC Bluetooth: add timeout sanity check to hci_inquiry i2c: iop3xx: fix deferred probing i2c: s3c2410: fix IRQ check mmc: dw_mmc: Fix issue with uninitialized dma_slave_config mmc: moxart: Fix issue with uninitialized dma_slave_config CIFS: Fix a potencially linear read overflow i2c: mt65xx: fix IRQ check usb: ehci-orion: Handle errors of clk_prepare_enable() in probe ath6kl: wmi: fix an error code in ath6kl_wmi_sync_point() bcma: Fix memory leak for internally-handled cores ipv4: make exception cache less predictible tty: Fix data race between tiocsti() and flush_to_ldisc() KVM: x86: Update vCPU's hv_clock before back to guest when tsc_offset is adjusted clk: kirkwood: Fix a clocking boot regression fbmem: don't allow too huge resolutions rtc: tps65910: Correct driver module alias PCI/MSI: Skip masking MSI-X on Xen PV xen: fix setting of max_pfn in shared_info power: supply: max17042: handle fails of reading status register VMCI: fix NULL pointer dereference when unmapping queue pair media: uvc: don't do DMA on stack media: rc-loopback: return number of emitters rather than error libata: add ATA_HORKAGE_NO_NCQ_TRIM for Samsung 860 and 870 SSDs ARM: 9105/1: atags_to_fdt: don't warn about stack size PCI: Restrict ASMedia ASM1062 SATA Max Payload Size Supported PCI: Return ~0 data on pciconfig_read() CAP_SYS_ADMIN failure openrisc: don't printk() unconditionally pinctrl: single: Fix error return code in pcs_parse_bits_in_pinctrl_entry() crypto: mxs-dcp - Use sg_mapping_iter to copy data PCI: Use pci_update_current_state() in pci_enable_device_flags() iio: dac: ad5624r: Fix incorrect handling of an optional regulator. video: fbdev: kyro: fix a DoS bug by restricting user input netlink: Deal with ESRCH error in nlmsg_notify() Smack: Fix wrong semantics in smk_access_entry() usb: host: fotg210: fix the actual_length of an iso packet usb: gadget: u_ether: fix a potential null pointer dereference tty: serial: jsm: hold port lock when reporting modem line changes bpf/tests: Fix copy-and-paste error in double word test bpf/tests: Do not PASS tests without actually testing the result video: fbdev: asiliantfb: Error out if 'pixclock' equals zero video: fbdev: kyro: Error out if 'pixclock' equals zero video: fbdev: riva: Error out if 'pixclock' equals zero ipv4: ip_output.c: Fix out-of-bounds warning in ip_copy_addrs() s390/jump_label: print real address in a case of a jump label bug serial: 8250: Define RX trigger levels for OxSemi 950 devices xtensa: ISS: don't panic in rs_init hvsi: don't panic on tty_register_driver failure serial: 8250_pci: make setup_port() parameters explicitly unsigned Bluetooth: skip invalid hci_sync_conn_complete_evt gpu: drm: amd: amdgpu: amdgpu_i2c: fix possible uninitialized-variable access in amdgpu_i2c_router_select_ddc_port() ARM: tegra: tamonten: Fix UART pad setting rpc: fix gss_svc_init cleanup on failure gfs2: Don't call dlm after protocol is unmounted mmc: rtsx_pci: Fix long reads when clock is prescaled cifs: fix wrong release in sess_alloc_buffer() failed path Revert "USB: xhci: fix U1/U2 handling for hardware with XHCI_INTEL_HOST quirk set" parport: remove non-zero check on count ath9k: fix OOB read ar9300_eeprom_restore_internal net: fix NULL pointer reference in cipso_v4_doi_free parisc: fix crash with signals and alloca platform/chrome: cros_ec_proto: Send command again when timeout occurs bnx2x: Fix enabling network interfaces without VFs net-caif: avoid user-triggerable WARN_ON(1) ptp: dp83640: don't define PAGE0 dccp: don't duplicate ccid when cloning dccp sock net/l2tp: Fix reference count leak in l2tp_udp_recv_core r6040: Restore MDIO clock frequency after MAC reset tipc: increase timeout in tipc_sk_enqueue() net/af_unix: fix a data-race in unix_dgram_poll x86/mm: Fix kern_addr_valid() to cope with existing but not present entries dt-bindings: mtd: gpmc: Fix the ECC bytes vs. OOB bytes equation ethtool: Fix an error code in cxgb2.c PCI: Sync __pci_register_driver() stub for CONFIG_PCI=n mtd: rawnand: cafe: Fix a resource leak in the error handling path of 'cafe_nand_probe()' ARC: export clear_user_page() for modules qlcnic: Remove redundant unlock in qlcnic_pinit_from_rom net: renesas: sh_eth: Fix freeing wrong tx descriptor s390/bpf: Fix 64-bit subtraction of the -0x80000000 constant Linux 4.4.284 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Idf3220461e42648ba134a245e9670231dbd18b5c
| | * cifs: fix wrong release in sess_alloc_buffer() failed pathDing Hui2021-09-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit d72c74197b70bc3c95152f351a568007bffa3e11 ] smb_buf is allocated by small_smb_init_no_tc(), and buf type is CIFS_SMALL_BUFFER, so we should use cifs_small_buf_release() to release it in failed path. Signed-off-by: Ding Hui <dinghui@sangfor.com.cn> Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
| | * gfs2: Don't call dlm after protocol is unmountedBob Peterson2021-09-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit d1340f80f0b8066321b499a376780da00560e857 ] In the gfs2 withdraw sequence, the dlm protocol is unmounted with a call to lm_unmount. After a withdraw, users are allowed to unmount the withdrawn file system. But at that point we may still have glocks left over that we need to free via unmount's call to gfs2_gl_hash_clear. These glocks may have never been completed because of whatever problem caused the withdraw (IO errors or whatever). Before this patch, function gdlm_put_lock would still try to call into dlm to unlock these leftover glocks, which resulted in dlm returning -EINVAL because the lock space was abandoned. These glocks were never freed because there was no mechanism after that to free them. This patch adds a check to gdlm_put_lock to see if the locking protocol was inactive (DFL_UNMOUNT flag) and if so, free the glock and not make the invalid call into dlm. I could have combined this "if" with the one that follows, related to leftover glock LVBs, but I felt the code was more readable with its own if clause. Signed-off-by: Bob Peterson <rpeterso@redhat.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
| | * CIFS: Fix a potencially linear read overflowLen Baker2021-09-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit f980d055a0f858d73d9467bb0b570721bbfcdfb8 ] strlcpy() reads the entire source buffer first. This read may exceed the destination size limit. This is both inefficient and can lead to linear read overflows if a source string is not NUL-terminated. Also, the strnlen() call does not avoid the read overflow in the strlcpy function when a not NUL-terminated string is passed. So, replace this block by a call to kstrndup() that avoids this type of overflow and does the same. Fixes: 066ce6899484d ("cifs: rename cifs_strlcpy_to_host and make it use new functions") Signed-off-by: Len Baker <len.baker@gmx.com> Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz> Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
| | * udf_get_extendedattr() had no boundary checks.Stian Skjelstad2021-09-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 58bc6d1be2f3b0ceecb6027dfa17513ec6aa2abb ] When parsing the ExtendedAttr data, malicous or corrupt attribute length could cause kernel hangs and buffer overruns in some special cases. Link: https://lore.kernel.org/r/20210822093332.25234-1-stian.skjelstad@gmail.com Signed-off-by: Stian Skjelstad <stian.skjelstad@gmail.com> Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Sasha Levin <sashal@kernel.org>
| | * Revert "btrfs: compression: don't try to compress if we don't have enough pages"Qu Wenruo2021-09-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit 4e9655763b82a91e4c341835bb504a2b1590f984 upstream. This reverts commit f2165627319ffd33a6217275e5690b1ab5c45763. [BUG] It's no longer possible to create compressed inline extent after commit f2165627319f ("btrfs: compression: don't try to compress if we don't have enough pages"). [CAUSE] For compression code, there are several possible reasons we have a range that needs to be compressed while it's no more than one page. - Compressed inline write The data is always smaller than one sector and the test lacks the condition to properly recognize a non-inline extent. - Compressed subpage write For the incoming subpage compressed write support, we require page alignment of the delalloc range. And for 64K page size, we can compress just one page into smaller sectors. For those reasons, the requirement for the data to be more than one page is not correct, and is already causing regression for compressed inline data writeback. The idea of skipping one page to avoid wasting CPU time could be revisited in the future. [FIX] Fix it by reverting the offending commit. Reported-by: Zygo Blaxell <ce3g8jdj@umail.furryterror.org> Link: https://lore.kernel.org/linux-btrfs/afa2742.c084f5d6.17b6b08dffc@tnonline.net Fixes: f2165627319f ("btrfs: compression: don't try to compress if we don't have enough pages") CC: stable@vger.kernel.org # 4.4+ Signed-off-by: Qu Wenruo <wqu@suse.com> Reviewed-by: David Sterba <dsterba@suse.com> Signed-off-by: David Sterba <dsterba@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * ext4: fix race writing to an inline_data file while its xattrs are changingTheodore Ts'o2021-09-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit a54c4613dac1500b40e4ab55199f7c51f028e848 upstream. The location of the system.data extended attribute can change whenever xattr_sem is not taken. So we need to recalculate the i_inline_off field since it mgiht have changed between ext4_write_begin() and ext4_write_end(). This means that caching i_inline_off is probably not helpful, so in the long run we should probably get rid of it and shrink the in-memory ext4 inode slightly, but let's fix the race the simple way for now. Cc: stable@kernel.org Fixes: f19d5870cbf72 ("ext4: add normal write support for inline data") Reported-by: syzbot+13146364637c7363a7de@syzkaller.appspotmail.com Signed-off-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | | Merge remote-tracking branch 'common/android-4.4-p' into ↵Michael Bestas2021-09-16
|\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | lineage-18.1-caf-msm8998 # By Thomas Gleixner (11) and others # Via Greg Kroah-Hartman * google/common/android-4.4-p: Linux 4.4.283 Revert "floppy: reintroduce O_NDELAY fix" fbmem: add margin check to fb_check_caps() vt_kdsetmode: extend console locking vringh: Use wiov->used to check for read/write desc order virtio: Improve vq->broken access to avoid any compiler optimization net: marvell: fix MVNETA_TX_IN_PRGRS bit number e1000e: Fix the max snoop/no-snoop latency for 10M USB: serial: option: add new VID/PID to support Fibocom FG150 Revert "USB: serial: ch341: fix character loss at high transfer rates" can: usb: esd_usb2: esd_usb2_rx_event(): fix the interchange of the CAN RX and TX error counters Linux 4.4.282 mmc: dw_mmc: Fix occasional hang after tuning on eMMC ASoC: intel: atom: Fix breakage for PCM buffer address setup ipack: tpci200: fix many double free issues in tpci200_pci_probe ALSA: hda - fix the 'Capture Switch' value change notifications mmc: dw_mmc: Fix hang on data CRC error mmc: dw_mmc: call the dw_mci_prep_stop_abort() by default mmc: dw_mmc: Wait for data transfer after response errors. net: qlcnic: add missed unlock in qlcnic_83xx_flash_read32 net: 6pack: fix slab-out-of-bounds in decode_data dccp: add do-while-0 stubs for dccp_pr_debug macros Bluetooth: hidp: use correct wait queue when removing ctrl_wait scsi: core: Avoid printing an error if target_alloc() returns -ENXIO scsi: megaraid_mm: Fix end of loop tests for list_for_each_entry() dmaengine: of-dma: router_xlate to return -EPROBE_DEFER if controller is not yet available ARM: dts: am43x-epos-evm: Reduce i2c0 bus speed for tps65218 dmaengine: usb-dmac: Fix PM reference leak in usb_dmac_probe() KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl (CVE-2021-3653) vmlinux.lds.h: Handle clang's module.{c,d}tor sections PCI/MSI: Enforce MSI[X] entry updates to be visible PCI/MSI: Enforce that MSI-X table entry is masked for update PCI/MSI: Mask all unused MSI-X entries PCI/MSI: Protect msi_desc::masked for multi-MSI PCI/MSI: Use msi_mask_irq() in pci_msi_shutdown() PCI/MSI: Correct misleading comments PCI/MSI: Do not set invalid bits in MSI mask PCI/MSI: Enable and mask MSI-X early x86/tools: Fix objdump version check again xen/events: Fix race in set_evtchn_to_irq net: Fix memory leak in ieee802154_raw_deliver i2c: dev: zero out array used for i2c reads from userspace ASoC: intel: atom: Fix reference to PCM buffer address ANDROID: xt_quota2: set usersize in xt_match registration object ANDROID: xt_quota2: clear quota2_log message before sending ANDROID: xt_quota2: remove trailing junk which might have a digit in it UPSTREAM: netfilter: x_tables: fix pointer leaks to userspace Linux 4.4.281 ovl: prevent private clone if bind mount is not allowed net: xilinx_emaclite: Do not print real IOMEM pointer USB:ehci:fix Kunpeng920 ehci hardware problem pipe: increase minimum default pipe size to 2 pages net/qla3xxx: fix schedule while atomic in ql_wait_for_drvr_lock and ql_adapter_reset alpha: Send stop IPI to send to online CPUs reiserfs: check directory items on read from disk reiserfs: add check for root_inode in reiserfs_fill_super pcmcia: i82092: fix a null pointer dereference bug MIPS: Malta: Do not byte-swap accesses to the CBUS UART serial: 8250: Mask out floating 16/32-bit bus bits media: rtl28xxu: fix zero-length control request scripts/tracing: fix the bug that can't parse raw_trace_func USB: serial: ftdi_sio: add device ID for Auto-M3 OP-COM v2 USB: serial: ch341: fix character loss at high transfer rates USB: serial: option: add Telit FD980 composition 0x1056 Bluetooth: defer cleanup of resources in hci_unregister_dev() net: vxge: fix use-after-free in vxge_device_unregister net: pegasus: fix uninit-value in get_interrupt_interval bnx2x: fix an error code in bnx2x_nic_load() mips: Fix non-POSIX regexp net: natsemi: Fix missing pci_disable_device() in probe and remove media: videobuf2-core: dequeue if start_streaming fails scsi: sr: Return correct event when media event code is 3 ALSA: seq: Fix racy deletion of subscriber Linux 4.4.280 rcu: Update documentation of rcu_read_unlock() futex,rt_mutex: Fix rt_mutex_cleanup_proxy_lock() futex: Avoid freeing an active timer futex: Handle transient "ownerless" rtmutex state correctly rtmutex: Make wait_lock irq safe futex: Futex_unlock_pi() determinism futex: Rework futex_lock_pi() to use rt_mutex_*_proxy_lock() futex: Pull rt_mutex_futex_unlock() out from under hb->lock futex,rt_mutex: Introduce rt_mutex_init_waiter() futex: Cleanup refcounting futex: Rename free_pi_state() to put_pi_state() Linux 4.4.279 can: raw: raw_setsockopt(): fix raw_rcv panic for sock UAF Revert "Bluetooth: Shutdown controller after workqueues are flushed or cancelled" net: Fix zero-copy head len calculation. r8152: Fix potential PM refcount imbalance regulator: rt5033: Fix n_voltages settings for BUCK and LDO btrfs: mark compressed range uptodate only if all bio succeed Conflicts: net/bluetooth/hci_core.c net/netfilter/xt_quota2.c Change-Id: I66e2384c8cc40448a7bff34bb935c74e6103e924
| * | Merge 4.4.281 into android-4.4-pGreg Kroah-Hartman2021-08-15
| |\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changes in 4.4.281 ALSA: seq: Fix racy deletion of subscriber scsi: sr: Return correct event when media event code is 3 media: videobuf2-core: dequeue if start_streaming fails net: natsemi: Fix missing pci_disable_device() in probe and remove mips: Fix non-POSIX regexp bnx2x: fix an error code in bnx2x_nic_load() net: pegasus: fix uninit-value in get_interrupt_interval net: vxge: fix use-after-free in vxge_device_unregister Bluetooth: defer cleanup of resources in hci_unregister_dev() USB: serial: option: add Telit FD980 composition 0x1056 USB: serial: ch341: fix character loss at high transfer rates USB: serial: ftdi_sio: add device ID for Auto-M3 OP-COM v2 scripts/tracing: fix the bug that can't parse raw_trace_func media: rtl28xxu: fix zero-length control request serial: 8250: Mask out floating 16/32-bit bus bits MIPS: Malta: Do not byte-swap accesses to the CBUS UART pcmcia: i82092: fix a null pointer dereference bug reiserfs: add check for root_inode in reiserfs_fill_super reiserfs: check directory items on read from disk alpha: Send stop IPI to send to online CPUs net/qla3xxx: fix schedule while atomic in ql_wait_for_drvr_lock and ql_adapter_reset pipe: increase minimum default pipe size to 2 pages USB:ehci:fix Kunpeng920 ehci hardware problem net: xilinx_emaclite: Do not print real IOMEM pointer ovl: prevent private clone if bind mount is not allowed Linux 4.4.281 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I23014eec5c0648b030387cc4469a1cdfaa2c14a1
| | * ovl: prevent private clone if bind mount is not allowedMiklos Szeredi2021-08-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit 427215d85e8d1476da1a86b8d67aceb485eb3631 upstream. Add the following checks from __do_loopback() to clone_private_mount() as well: - verify that the mount is in the current namespace - verify that there are no locked children Reported-by: Alois Wohlschlager <alois1@gmx-topmail.de> Fixes: c771d683a62e ("vfs: introduce clone_private_mount()") Cc: <stable@vger.kernel.org> # v3.18 Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * pipe: increase minimum default pipe size to 2 pagesAlex Xu (Hello71)2021-08-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit 46c4c9d1beb7f5b4cec4dd90e7728720583ee348 upstream. This program always prints 4096 and hangs before the patch, and always prints 8192 and exits successfully after: int main() { int pipefd[2]; for (int i = 0; i < 1025; i++) if (pipe(pipefd) == -1) return 1; size_t bufsz = fcntl(pipefd[1], F_GETPIPE_SZ); printf("%zd\n", bufsz); char *buf = calloc(bufsz, 1); write(pipefd[1], buf, bufsz); read(pipefd[0], buf, bufsz-1); write(pipefd[1], buf, 1); } Note that you may need to increase your RLIMIT_NOFILE before running the program. Fixes: 759c01142a ("pipe: limit the per-user amount of pages allocated in pipes") Cc: <stable@vger.kernel.org> Link: https://lore.kernel.org/lkml/1628086770.5rn8p04n6j.none@localhost/ Link: https://lore.kernel.org/lkml/1628127094.lxxn016tj7.none@localhost/ Signed-off-by: Alex Xu (Hello71) <alex_y_xu@yahoo.ca> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * reiserfs: check directory items on read from diskShreyansh Chouhan2021-08-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 13d257503c0930010ef9eed78b689cec417ab741 ] While verifying the leaf item that we read from the disk, reiserfs doesn't check the directory items, this could cause a crash when we read a directory item from the disk that has an invalid deh_location. This patch adds a check to the directory items read from the disk that does a bounds check on deh_location for the directory entries. Any directory entry header with a directory entry offset greater than the item length is considered invalid. Link: https://lore.kernel.org/r/20210709152929.766363-1-chouhan.shreyansh630@gmail.com Reported-by: syzbot+c31a48e6702ccb3d64c9@syzkaller.appspotmail.com Signed-off-by: Shreyansh Chouhan <chouhan.shreyansh630@gmail.com> Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Sasha Levin <sashal@kernel.org>
| | * reiserfs: add check for root_inode in reiserfs_fill_superYu Kuai2021-08-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 2acf15b94d5b8ea8392c4b6753a6ffac3135cd78 ] Our syzcaller report a NULL pointer dereference: BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 116e95067 P4D 116e95067 PUD 1080b5067 PMD 0 Oops: 0010 [#1] SMP KASAN CPU: 7 PID: 592 Comm: a.out Not tainted 5.13.0-next-20210629-dirty #67 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-p4 RIP: 0010:0x0 Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6. RSP: 0018:ffff888114e779b8 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 1ffff110229cef39 RCX: ffffffffaa67e1aa RDX: 0000000000000000 RSI: ffff88810a58ee00 RDI: ffff8881233180b0 RBP: ffffffffac38e9c0 R08: ffffffffaa67e17e R09: 0000000000000001 R10: ffffffffb91c5557 R11: fffffbfff7238aaa R12: ffff88810a58ee00 R13: ffff888114e77aa0 R14: 0000000000000000 R15: ffff8881233180b0 FS: 00007f946163c480(0000) GS:ffff88839f1c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 00000001099c1000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __lookup_slow+0x116/0x2d0 ? page_put_link+0x120/0x120 ? __d_lookup+0xfc/0x320 ? d_lookup+0x49/0x90 lookup_one_len+0x13c/0x170 ? __lookup_slow+0x2d0/0x2d0 ? reiserfs_schedule_old_flush+0x31/0x130 reiserfs_lookup_privroot+0x64/0x150 reiserfs_fill_super+0x158c/0x1b90 ? finish_unfinished+0xb10/0xb10 ? bprintf+0xe0/0xe0 ? __mutex_lock_slowpath+0x30/0x30 ? __kasan_check_write+0x20/0x30 ? up_write+0x51/0xb0 ? set_blocksize+0x9f/0x1f0 mount_bdev+0x27c/0x2d0 ? finish_unfinished+0xb10/0xb10 ? reiserfs_kill_sb+0x120/0x120 get_super_block+0x19/0x30 legacy_get_tree+0x76/0xf0 vfs_get_tree+0x49/0x160 ? capable+0x1d/0x30 path_mount+0xacc/0x1380 ? putname+0x97/0xd0 ? finish_automount+0x450/0x450 ? kmem_cache_free+0xf8/0x5a0 ? putname+0x97/0xd0 do_mount+0xe2/0x110 ? path_mount+0x1380/0x1380 ? copy_mount_options+0x69/0x140 __x64_sys_mount+0xf0/0x190 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae This is because 'root_inode' is initialized with wrong mode, and it's i_op is set to 'reiserfs_special_inode_operations'. Thus add check for 'root_inode' to fix the problem. Link: https://lore.kernel.org/r/20210702040743.1918552-1-yukuai3@huawei.com Signed-off-by: Yu Kuai <yukuai3@huawei.com> Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Sasha Levin <sashal@kernel.org>
| * | Merge 4.4.279 into android-4.4-pGreg Kroah-Hartman2021-08-08
| |\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changes in 4.4.279 btrfs: mark compressed range uptodate only if all bio succeed regulator: rt5033: Fix n_voltages settings for BUCK and LDO r8152: Fix potential PM refcount imbalance net: Fix zero-copy head len calculation. Revert "Bluetooth: Shutdown controller after workqueues are flushed or cancelled" can: raw: raw_setsockopt(): fix raw_rcv panic for sock UAF Linux 4.4.279 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ie3e6cadbc9c8291c2be61e0a3427225458891c18
| | * btrfs: mark compressed range uptodate only if all bio succeedGoldwyn Rodrigues2021-08-08
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 240246f6b913b0c23733cfd2def1d283f8cc9bbe ] In compression write endio sequence, the range which the compressed_bio writes is marked as uptodate if the last bio of the compressed (sub)bios is completed successfully. There could be previous bio which may have failed which is recorded in cb->errors. Set the writeback range as uptodate only if cb->errors is zero, as opposed to checking only the last bio's status. Backporting notes: in all versions up to 4.4 the last argument is always replaced by "!cb->errors". CC: stable@vger.kernel.org # 4.4+ Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com> Reviewed-by: David Sterba <dsterba@suse.com> Signed-off-by: David Sterba <dsterba@suse.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
* | | seq/proc: modify seq_put_decimal_[u]ll to take a const char *, not charJoe Perches2021-08-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Allow some seq_puts removals by taking a string instead of a single char. [akpm@linux-foundation.org: update vmstat_show(), per Joe] Link: http://lkml.kernel.org/r/667e1cf3d436de91a5698170a1e98d882905e956.1470704995.git.joe@perches.com Signed-off-by: Joe Perches <joe@perches.com> Cc: Joe Perches <joe@perches.com> Cc: Andi Kleen <andi@firstfloor.org> Cc: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Change-Id: Iff69c72cb3ed6a73fe0348f65f22bfe3d1ee00c7
* | | proc: faster /proc/*/statusAlexey Dobriyan2021-08-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | top(1) opens the following files for every PID: /proc/*/stat /proc/*/statm /proc/*/status This patch switches /proc/*/status away from seq_printf(). The result is 13.5% speedup. Benchmark is open("/proc/self/status")+read+close 1.000.000 million times. BEFORE $ perf stat -r 10 taskset -c 3 ./proc-self-status Performance counter stats for 'taskset -c 3 ./proc-self-status' (10 runs): 10748.474301 task-clock (msec) # 0.954 CPUs utilized ( +- 0.91% ) 12 context-switches # 0.001 K/sec ( +- 1.09% ) 1 cpu-migrations # 0.000 K/sec 104 page-faults # 0.010 K/sec ( +- 0.45% ) 37,424,127,876 cycles # 3.482 GHz ( +- 0.04% ) 8,453,010,029 stalled-cycles-frontend # 22.59% frontend cycles idle ( +- 0.12% ) 3,747,609,427 stalled-cycles-backend # 10.01% backend cycles idle ( +- 0.68% ) 65,632,764,147 instructions # 1.75 insn per cycle # 0.13 stalled cycles per insn ( +- 0.00% ) 13,981,324,775 branches # 1300.773 M/sec ( +- 0.00% ) 138,967,110 branch-misses # 0.99% of all branches ( +- 0.18% ) 11.263885428 seconds time elapsed ( +- 0.04% ) ^^^^^^^^^^^^ AFTER $ perf stat -r 10 taskset -c 3 ./proc-self-status Performance counter stats for 'taskset -c 3 ./proc-self-status' (10 runs): 9010.521776 task-clock (msec) # 0.925 CPUs utilized ( +- 1.54% ) 11 context-switches # 0.001 K/sec ( +- 1.54% ) 1 cpu-migrations # 0.000 K/sec ( +- 11.11% ) 103 page-faults # 0.011 K/sec ( +- 0.60% ) 32,352,310,603 cycles # 3.591 GHz ( +- 0.07% ) 7,849,199,578 stalled-cycles-frontend # 24.26% frontend cycles idle ( +- 0.27% ) 3,269,738,842 stalled-cycles-backend # 10.11% backend cycles idle ( +- 0.73% ) 56,012,163,567 instructions # 1.73 insn per cycle # 0.14 stalled cycles per insn ( +- 0.00% ) 11,735,778,795 branches # 1302.453 M/sec ( +- 0.00% ) 98,084,459 branch-misses # 0.84% of all branches ( +- 0.28% ) 9.741247736 seconds time elapsed ( +- 0.07% ) ^^^^^^^^^^^ Link: http://lkml.kernel.org/r/20160806125608.GB1187@p183.telecom.by Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Cc: Joe Perches <joe@perches.com> Cc: Andi Kleen <andi@firstfloor.org> Cc: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Change-Id: I97f5017503ec1ed13bc635fbd96506b13b98e36f
* | | Merge branch 'android-4.4-p' of ↵Michael Bestas2021-08-12
|\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | https://android.googlesource.com/kernel/common into lineage-18.1-caf-msm8998 # By Pavel Skripkin (6) and others # Via Greg Kroah-Hartman * android-4.4-p: Linux 4.4.278 sis900: Fix missing pci_disable_device() in probe and remove tulip: windbond-840: Fix missing pci_disable_device() in probe and remove net: llc: fix skb_over_panic mlx4: Fix missing error code in mlx4_load_one() tipc: fix sleeping in tipc accept routine netfilter: nft_nat: allow to specify layer 4 protocol NAT only cfg80211: Fix possible memory leak in function cfg80211_bss_update x86/asm: Ensure asm/proto.h can be included stand-alone NIU: fix incorrect error return, missed in previous revert can: esd_usb2: fix memory leak can: ems_usb: fix memory leak can: usb_8dev: fix memory leak ocfs2: issue zeroout to EOF blocks ocfs2: fix zero out valid data ARM: ensure the signal page contains defined contents lib/string.c: add multibyte memset functions ARM: dts: versatile: Fix up interrupt controller node names hfs: add lock nesting notation to hfs_find_init hfs: fix high memory mapping in hfs_bnode_read hfs: add missing clean-up in hfs_fill_super sctp: move 198 addresses from unusable to private scope net/802/garp: fix memleak in garp_request_join() net/802/mrp: fix memleak in mrp_request_join() workqueue: fix UAF in pwq_unbound_release_workfn() af_unix: fix garbage collect vs MSG_PEEK net: split out functions related to registering inflight socket files Linux 4.4.277 btrfs: compression: don't try to compress if we don't have enough pages iio: accel: bma180: Fix BMA25x bandwidth register values iio: accel: bma180: Use explicit member assignment net: bcmgenet: ensure EXT_ENERGY_DET_MASK is clear media: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf() tracing: Fix bug in rb_per_cpu_empty() that might cause deadloop. USB: serial: cp210x: add ID for CEL EM3588 USB ZigBee stick USB: serial: cp210x: fix comments for GE CS1000 USB: serial: option: add support for u-blox LARA-R6 family usb: renesas_usbhs: Fix superfluous irqs happen after usb_pkt_pop() usb: max-3421: Prevent corruption of freed memory USB: usb-storage: Add LaCie Rugged USB3-FW to IGNORE_UAS usb: hub: Disable USB 3 device initiated lpm if exit latency is too high KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow xhci: Fix lost USB 2 remote wake ALSA: sb: Fix potential ABBA deadlock in CSP driver s390/ftrace: fix ftrace_update_ftrace_func implementation proc: Avoid mixing integer types in mem_rw() Revert "USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem" scsi: target: Fix protect handling in WRITE SAME(32) scsi: iscsi: Fix iface sysfs attr detection netrom: Decrease sock refcount when sock timers expire net: decnet: Fix sleeping inside in af_decnet net: fix uninit-value in caif_seqpkt_sendmsg s390/bpf: Perform r1 range checking before accessing jit->seen_reg[r1] perf probe-file: Delete namelist in del_events() on the error path perf test bpf: Free obj_buf igb: Check if num of q_vectors is smaller than max before array access iavf: Fix an error handling path in 'iavf_probe()' ipv6: tcp: drop silly ICMPv6 packet too big messages tcp: annotate data races around tp->mtu_info net: validate lwtstate->data before returning from skb_tunnel_info() net: ti: fix UAF in tlan_remove_one net: moxa: fix UAF in moxart_mac_probe net: bcmgenet: Ensure all TX/RX queues DMAs are disabled net: ipv6: fix return value of ip6_skb_dst_mtu x86/fpu: Make init_fpstate correct with optimized XSAVE Revert "memory: fsl_ifc: fix leak of IO mapping on probe failure" sched/fair: Fix CFS bandwidth hrtimer expiry type scsi: aic7xxx: Fix unintentional sign extension issue on left shift of u8 kbuild: mkcompile_h: consider timestamp if KBUILD_BUILD_TIMESTAMP is set thermal/core: Correct function name thermal_zone_device_unregister() ARM: imx: pm-imx5: Fix references to imx5_cpu_suspend_info ARM: dts: imx6: phyFLEX: Fix UART hardware flow control ARM: dts: BCM63xx: Fix NAND nodes names ARM: brcmstb: dts: fix NAND nodes names Change-Id: Id59b93b8704270f45923f262facbadde4c486a15
| * | Merge 4.4.278 into android-4.4-pGreg Kroah-Hartman2021-08-04
| |\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changes in 4.4.278 net: split out functions related to registering inflight socket files af_unix: fix garbage collect vs MSG_PEEK workqueue: fix UAF in pwq_unbound_release_workfn() net/802/mrp: fix memleak in mrp_request_join() net/802/garp: fix memleak in garp_request_join() sctp: move 198 addresses from unusable to private scope hfs: add missing clean-up in hfs_fill_super hfs: fix high memory mapping in hfs_bnode_read hfs: add lock nesting notation to hfs_find_init ARM: dts: versatile: Fix up interrupt controller node names lib/string.c: add multibyte memset functions ARM: ensure the signal page contains defined contents ocfs2: fix zero out valid data ocfs2: issue zeroout to EOF blocks can: usb_8dev: fix memory leak can: ems_usb: fix memory leak can: esd_usb2: fix memory leak NIU: fix incorrect error return, missed in previous revert x86/asm: Ensure asm/proto.h can be included stand-alone cfg80211: Fix possible memory leak in function cfg80211_bss_update netfilter: nft_nat: allow to specify layer 4 protocol NAT only tipc: fix sleeping in tipc accept routine mlx4: Fix missing error code in mlx4_load_one() net: llc: fix skb_over_panic tulip: windbond-840: Fix missing pci_disable_device() in probe and remove sis900: Fix missing pci_disable_device() in probe and remove Linux 4.4.278 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I51e4e7e9cc9db03de57626e25e3785c400ced81f
| | * ocfs2: issue zeroout to EOF blocksJunxiao Bi2021-08-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit 9449ad33be8480f538b11a593e2dda2fb33ca06d upstream. For punch holes in EOF blocks, fallocate used buffer write to zero the EOF blocks in last cluster. But since ->writepage will ignore EOF pages, those zeros will not be flushed. This "looks" ok as commit 6bba4471f0cc ("ocfs2: fix data corruption by fallocate") will zero the EOF blocks when extend the file size, but it isn't. The problem happened on those EOF pages, before writeback, those pages had DIRTY flag set and all buffer_head in them also had DIRTY flag set, when writeback run by write_cache_pages(), DIRTY flag on the page was cleared, but DIRTY flag on the buffer_head not. When next write happened to those EOF pages, since buffer_head already had DIRTY flag set, it would not mark page DIRTY again. That made writeback ignore them forever. That will cause data corruption. Even directio write can't work because it will fail when trying to drop pages caches before direct io, as it found the buffer_head for those pages still had DIRTY flag set, then it will fall back to buffer io mode. To make a summary of the issue, as writeback ingores EOF pages, once any EOF page is generated, any write to it will only go to the page cache, it will never be flushed to disk even file size extends and that page is not EOF page any more. The fix is to avoid zero EOF blocks with buffer write. The following code snippet from qemu-img could trigger the corruption. 656 open("6b3711ae-3306-4bdd-823c-cf1c0060a095.conv.2", O_RDWR|O_DIRECT|O_CLOEXEC) = 11 ... 660 fallocate(11, FALLOC_FL_KEEP_SIZE|FALLOC_FL_PUNCH_HOLE, 2275868672, 327680 <unfinished ...> 660 fallocate(11, 0, 2275868672, 327680) = 0 658 pwrite64(11, " Link: https://lkml.kernel.org/r/20210722054923.24389-2-junxiao.bi@oracle.com Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com> Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com> Cc: Mark Fasheh <mark@fasheh.com> Cc: Joel Becker <jlbec@evilplan.org> Cc: Changwei Ge <gechangwei@live.cn> Cc: Gang He <ghe@suse.com> Cc: Jun Piao <piaojun@huawei.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * ocfs2: fix zero out valid dataJunxiao Bi2021-08-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit f267aeb6dea5e468793e5b8eb6a9c72c0020d418 upstream. If append-dio feature is enabled, direct-io write and fallocate could run in parallel to extend file size, fallocate used "orig_isize" to record i_size before taking "ip_alloc_sem", when ocfs2_zeroout_partial_cluster() zeroout EOF blocks, i_size maybe already extended by ocfs2_dio_end_io_write(), that will cause valid data zeroed out. Link: https://lkml.kernel.org/r/20210722054923.24389-1-junxiao.bi@oracle.com Fixes: 6bba4471f0cc ("ocfs2: fix data corruption by fallocate") Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com> Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com> Cc: Changwei Ge <gechangwei@live.cn> Cc: Gang He <ghe@suse.com> Cc: Joel Becker <jlbec@evilplan.org> Cc: Jun Piao <piaojun@huawei.com> Cc: Mark Fasheh <mark@fasheh.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * hfs: add lock nesting notation to hfs_find_initDesmond Cheong Zhi Xi2021-08-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit b3b2177a2d795e35dc11597b2609eb1e7e57e570 ] Syzbot reports a possible recursive lock in [1]. This happens due to missing lock nesting information. From the logs, we see that a call to hfs_fill_super is made to mount the hfs filesystem. While searching for the root inode, the lock on the catalog btree is grabbed. Then, when the parent of the root isn't found, a call to __hfs_bnode_create is made to create the parent of the root. This eventually leads to a call to hfs_ext_read_extent which grabs a lock on the extents btree. Since the order of locking is catalog btree -> extents btree, this lock hierarchy does not lead to a deadlock. To tell lockdep that this locking is safe, we add nesting notation to distinguish between catalog btrees, extents btrees, and attributes btrees (for HFS+). This has already been done in hfsplus. Link: https://syzkaller.appspot.com/bug?id=f007ef1d7a31a469e3be7aeb0fde0769b18585db [1] Link: https://lkml.kernel.org/r/20210701030756.58760-4-desmondcheongzx@gmail.com Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com> Reported-by: syzbot+b718ec84a87b7e73ade4@syzkaller.appspotmail.com Tested-by: syzbot+b718ec84a87b7e73ade4@syzkaller.appspotmail.com Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Gustavo A. R. Silva <gustavoars@kernel.org> Cc: Shuah Khan <skhan@linuxfoundation.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
| | * hfs: fix high memory mapping in hfs_bnode_readDesmond Cheong Zhi Xi2021-08-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 54a5ead6f5e2b47131a7385d0c0af18e7b89cb02 ] Pages that we read in hfs_bnode_read need to be kmapped into kernel address space. However, currently only the 0th page is kmapped. If the given offset + length exceeds this 0th page, then we have an invalid memory access. To fix this, we kmap relevant pages one by one and copy their relevant portions of data. An example of invalid memory access occurring without this fix can be seen in the following crash report: ================================================================== BUG: KASAN: use-after-free in memcpy include/linux/fortify-string.h:191 [inline] BUG: KASAN: use-after-free in hfs_bnode_read+0xc4/0xe0 fs/hfs/bnode.c:26 Read of size 2 at addr ffff888125fdcffe by task syz-executor5/4634 CPU: 0 PID: 4634 Comm: syz-executor5 Not tainted 5.13.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x195/0x1f8 lib/dump_stack.c:120 print_address_description.constprop.0+0x1d/0x110 mm/kasan/report.c:233 __kasan_report mm/kasan/report.c:419 [inline] kasan_report.cold+0x7b/0xd4 mm/kasan/report.c:436 check_region_inline mm/kasan/generic.c:180 [inline] kasan_check_range+0x154/0x1b0 mm/kasan/generic.c:186 memcpy+0x24/0x60 mm/kasan/shadow.c:65 memcpy include/linux/fortify-string.h:191 [inline] hfs_bnode_read+0xc4/0xe0 fs/hfs/bnode.c:26 hfs_bnode_read_u16 fs/hfs/bnode.c:34 [inline] hfs_bnode_find+0x880/0xcc0 fs/hfs/bnode.c:365 hfs_brec_find+0x2d8/0x540 fs/hfs/bfind.c:126 hfs_brec_read+0x27/0x120 fs/hfs/bfind.c:165 hfs_cat_find_brec+0x19a/0x3b0 fs/hfs/catalog.c:194 hfs_fill_super+0xc13/0x1460 fs/hfs/super.c:419 mount_bdev+0x331/0x3f0 fs/super.c:1368 hfs_mount+0x35/0x40 fs/hfs/super.c:457 legacy_get_tree+0x10c/0x220 fs/fs_context.c:592 vfs_get_tree+0x93/0x300 fs/super.c:1498 do_new_mount fs/namespace.c:2905 [inline] path_mount+0x13f5/0x20e0 fs/namespace.c:3235 do_mount fs/namespace.c:3248 [inline] __do_sys_mount fs/namespace.c:3456 [inline] __se_sys_mount fs/namespace.c:3433 [inline] __x64_sys_mount+0x2b8/0x340 fs/namespace.c:3433 do_syscall_64+0x37/0xc0 arch/x86/entry/common.c:47 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x45e63a Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 88 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f9404d410d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 0000000020000248 RCX: 000000000045e63a RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f9404d41120 RBP: 00007f9404d41120 R08: 00000000200002c0 R09: 0000000020000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003 R13: 0000000000000003 R14: 00000000004ad5d8 R15: 0000000000000000 The buggy address belongs to the page: page:00000000dadbcf3e refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x125fdc flags: 0x2fffc0000000000(node=0|zone=2|lastcpupid=0x3fff) raw: 02fffc0000000000 ffffea000497f748 ffffea000497f6c8 0000000000000000 raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888125fdce80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888125fdcf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff888125fdcf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff888125fdd000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888125fdd080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== Link: https://lkml.kernel.org/r/20210701030756.58760-3-desmondcheongzx@gmail.com Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com> Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Gustavo A. R. Silva <gustavoars@kernel.org> Cc: Shuah Khan <skhan@linuxfoundation.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
| | * hfs: add missing clean-up in hfs_fill_superDesmond Cheong Zhi Xi2021-08-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 16ee572eaf0d09daa4c8a755fdb71e40dbf8562d ] Patch series "hfs: fix various errors", v2. This series ultimately aims to address a lockdep warning in hfs_find_init reported by Syzbot [1]. The work done for this led to the discovery of another bug, and the Syzkaller repro test also reveals an invalid memory access error after clearing the lockdep warning. Hence, this series is broken up into three patches: 1. Add a missing call to hfs_find_exit for an error path in hfs_fill_super 2. Fix memory mapping in hfs_bnode_read by fixing calls to kmap 3. Add lock nesting notation to tell lockdep that the observed locking hierarchy is safe This patch (of 3): Before exiting hfs_fill_super, the struct hfs_find_data used in hfs_find_init should be passed to hfs_find_exit to be cleaned up, and to release the lock held on the btree. The call to hfs_find_exit is missing from an error path. We add it back in by consolidating calls to hfs_find_exit for error paths. Link: https://syzkaller.appspot.com/bug?id=f007ef1d7a31a469e3be7aeb0fde0769b18585db [1] Link: https://lkml.kernel.org/r/20210701030756.58760-1-desmondcheongzx@gmail.com Link: https://lkml.kernel.org/r/20210701030756.58760-2-desmondcheongzx@gmail.com Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com> Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com> Cc: Gustavo A. R. Silva <gustavoars@kernel.org> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Shuah Khan <skhan@linuxfoundation.org> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
| * | Merge 4.4.277 into android-4.4-pGreg Kroah-Hartman2021-07-28
| |\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changes in 4.4.277 ARM: brcmstb: dts: fix NAND nodes names ARM: dts: BCM63xx: Fix NAND nodes names ARM: dts: imx6: phyFLEX: Fix UART hardware flow control ARM: imx: pm-imx5: Fix references to imx5_cpu_suspend_info thermal/core: Correct function name thermal_zone_device_unregister() kbuild: mkcompile_h: consider timestamp if KBUILD_BUILD_TIMESTAMP is set scsi: aic7xxx: Fix unintentional sign extension issue on left shift of u8 sched/fair: Fix CFS bandwidth hrtimer expiry type Revert "memory: fsl_ifc: fix leak of IO mapping on probe failure" x86/fpu: Make init_fpstate correct with optimized XSAVE net: ipv6: fix return value of ip6_skb_dst_mtu net: bcmgenet: Ensure all TX/RX queues DMAs are disabled net: moxa: fix UAF in moxart_mac_probe net: ti: fix UAF in tlan_remove_one net: validate lwtstate->data before returning from skb_tunnel_info() tcp: annotate data races around tp->mtu_info ipv6: tcp: drop silly ICMPv6 packet too big messages iavf: Fix an error handling path in 'iavf_probe()' igb: Check if num of q_vectors is smaller than max before array access perf test bpf: Free obj_buf perf probe-file: Delete namelist in del_events() on the error path s390/bpf: Perform r1 range checking before accessing jit->seen_reg[r1] net: fix uninit-value in caif_seqpkt_sendmsg net: decnet: Fix sleeping inside in af_decnet netrom: Decrease sock refcount when sock timers expire scsi: iscsi: Fix iface sysfs attr detection scsi: target: Fix protect handling in WRITE SAME(32) Revert "USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem" proc: Avoid mixing integer types in mem_rw() s390/ftrace: fix ftrace_update_ftrace_func implementation ALSA: sb: Fix potential ABBA deadlock in CSP driver xhci: Fix lost USB 2 remote wake KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow usb: hub: Disable USB 3 device initiated lpm if exit latency is too high USB: usb-storage: Add LaCie Rugged USB3-FW to IGNORE_UAS usb: max-3421: Prevent corruption of freed memory usb: renesas_usbhs: Fix superfluous irqs happen after usb_pkt_pop() USB: serial: option: add support for u-blox LARA-R6 family USB: serial: cp210x: fix comments for GE CS1000 USB: serial: cp210x: add ID for CEL EM3588 USB ZigBee stick tracing: Fix bug in rb_per_cpu_empty() that might cause deadloop. media: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf() net: bcmgenet: ensure EXT_ENERGY_DET_MASK is clear iio: accel: bma180: Use explicit member assignment iio: accel: bma180: Fix BMA25x bandwidth register values btrfs: compression: don't try to compress if we don't have enough pages Linux 4.4.277 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I7159a9fb5545e504222fcee566c6661c1070c8f7
| | * btrfs: compression: don't try to compress if we don't have enough pagesDavid Sterba2021-07-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit f2165627319ffd33a6217275e5690b1ab5c45763 upstream The early check if we should attempt compression does not take into account the number of input pages. It can happen that there's only one page, eg. a tail page after some ranges of the BTRFS_MAX_UNCOMPRESSED have been processed, or an isolated page that won't be converted to an inline extent. The single page would be compressed but a later check would drop it again because the result size must be at least one block shorter than the input. That can never work with just one page. CC: stable@vger.kernel.org # 4.4+ Signed-off-by: David Sterba <dsterba@suse.com> [sudip: adjust context] Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * proc: Avoid mixing integer types in mem_rw()Marcelo Henrique Cerri2021-07-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit d238692b4b9f2c36e35af4c6e6f6da36184aeb3e ] Use size_t when capping the count argument received by mem_rw(). Since count is size_t, using min_t(int, ...) can lead to a negative value that will later be passed to access_remote_vm(), which can cause unexpected behavior. Since we are capping the value to at maximum PAGE_SIZE, the conversion from size_t to int when passing it to access_remote_vm() as "len" shouldn't be a problem. Link: https://lkml.kernel.org/r/20210512125215.3348316-1-marcelo.cerri@canonical.com Reviewed-by: David Disseldorp <ddiss@suse.de> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com> Cc: Alexey Dobriyan <adobriyan@gmail.com> Cc: Souza Cascardo <cascardo@canonical.com> Cc: Christian Brauner <christian.brauner@ubuntu.com> Cc: Michel Lespinasse <walken@google.com> Cc: Helge Deller <deller@gmx.de> Cc: Oleg Nesterov <oleg@redhat.com> Cc: Lorenzo Stoakes <lstoakes@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
* | | Merge branch 'android-4.4-p' of ↵Michael Bestas2021-07-22
|\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | https://android.googlesource.com/kernel/common into lineage-18.1-caf-msm8998 This brings LA.UM.9.2.r1-03400-SDMxx0.0 up to date with https://android.googlesource.com/kernel/common/ android-4.4-p at commit: e5239ed489f64 Merge 4.4.276 into android-4.4-p Change-Id: I5f3fdc31e61b229b299cf72014710d36e42863d8
| * | Merge 4.4.276 into android-4.4-pGreg Kroah-Hartman2021-07-20
| |\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changes in 4.4.276 ALSA: usb-audio: fix rate on Ozone Z90 USB headset media: dvb-usb: fix wrong definition Input: usbtouchscreen - fix control-request directions net: can: ems_usb: fix use-after-free in ems_usb_disconnect() usb: gadget: eem: fix echo command packet response issue USB: cdc-acm: blacklist Heimann USB Appset device ntfs: fix validity check for file name attribute iov_iter_fault_in_readable() should do nothing in xarray case Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl ARM: dts: at91: sama5d4: fix pinctrl muxing btrfs: clear defrag status of a root if starting transaction fails ext4: fix kernel infoleak via ext4_extent_header ext4: correct the cache_nr in tracepoint ext4_es_shrink_exit ext4: remove check for zero nr_to_scan in ext4_es_scan() ext4: fix avefreec in find_group_orlov SUNRPC: Fix the batch tasks count wraparound. SUNRPC: Should wake up the privileged task firstly. s390/cio: dont call css_wait_for_slow_path() inside a lock iio: ltr501: mark register holding upper 8 bits of ALS_DATA{0,1} and PS_DATA as volatile, too iio: ltr501: ltr559: fix initialization of LTR501_ALS_CONTR iio: ltr501: ltr501_read_ps(): add missing endianness conversion serial_cs: Add Option International GSM-Ready 56K/ISDN modem ath9k: Fix kernel NULL pointer dereference during ath_reset_internal() ssb: sdio: Don't overwrite const buffer if block_write fails seq_buf: Make trace_seq_putmem_hex() support data longer than 8 fuse: check connected before queueing on fpq->io spi: spi-topcliff-pch: Fix potential double free in pch_spi_process_messages() spi: omap-100k: Fix the length judgment problem crypto: nx - add missing MODULE_DEVICE_TABLE media: cpia2: fix memory leak in cpia2_usb_probe media: pvrusb2: fix warning in pvr2_i2c_core_done crypto: qat - check return code of qat_hal_rd_rel_reg() crypto: qat - remove unused macro in FW loader media: v4l2-core: Avoid the dangling pointer in v4l2_fh_release media: bt8xx: Fix a missing check bug in bt878_probe mmc: via-sdmmc: add a check against NULL pointer dereference crypto: shash - avoid comparing pointers to exported functions under CFI media: dvb_net: avoid speculation from net slot btrfs: disable build on platforms having page size 256K regulator: da9052: Ensure enough delay time for .set_voltage_time_sel ACPI: processor idle: Fix up C-state latency if not ordered block_dump: remove block_dump feature in mark_inode_dirty() fs: dlm: cancel work sync othercon random32: Fix implicit truncation warning in prandom_seed_state() ACPI: bus: Call kobject_put() in acpi_init() error path platform/x86: toshiba_acpi: Fix missing error code in toshiba_acpi_setup_keyboard() ia64: mca_drv: fix incorrect array size calculation crypto: ixp4xx - dma_unmap the correct address crypto: ux500 - Fix error return code in hash_hw_final() sata_highbank: fix deferred probing pata_rb532_cf: fix deferred probing media: I2C: change 'RST' to "RSET" to fix multiple build errors pata_octeon_cf: avoid WARN_ON() in ata_host_activate() pata_ep93xx: fix deferred probing media: tc358743: Fix error return code in tc358743_probe_of() media: siano: Fix out-of-bounds warnings in smscore_load_firmware_family2() mmc: usdhi6rol0: fix error return code in usdhi6_probe() media: s5p-g2d: Fix a memory leak on ctx->fh.m2m_ctx spi: spi-sun6i: Fix chipselect/clock bug crypto: nx - Fix RCU warning in nx842_OF_upd_status ACPI: sysfs: Fix a buffer overrun problem with description_show() net: pch_gbe: Propagate error from devm_gpio_request_one() ehea: fix error return code in ehea_restart_qps() drm: qxl: ensure surf.data is ininitialized wireless: carl9170: fix LEDS build errors & warnings brcmsmac: mac80211_if: Fix a resource leak in an error handling path ath10k: Fix an error code in ath10k_add_interface() netlabel: Fix memory leak in netlbl_mgmt_add_common netfilter: nft_exthdr: check for IPv6 packet before further processing net: ethernet: aeroflex: fix UAF in greth_of_remove net: ethernet: ezchip: fix UAF in nps_enet_remove net: ethernet: ezchip: fix error handling vxlan: add missing rcu_read_lock() in neigh_reduce() i40e: Fix error handling in i40e_vsi_open writeback: fix obtain a reference to a freeing memcg css tty: nozomi: Fix a resource leak in an error handling function iio: adis_buffer: do not return ints in irq handlers iio: accel: bma180: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: accel: stk8312: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: accel: stk8ba50: Fix buffer alignment in iio_push_to_buffers_with_timestamp() Input: hil_kbd - fix error return code in hil_dev_connect() char: pcmcia: error out if 'num_bytes_read' is greater than 4 in set_protocol() tty: nozomi: Fix the error handling path of 'nozomi_card_init()' scsi: FlashPoint: Rename si_flags field s390: appldata depends on PROC_SYSCTL staging: gdm724x: check for buffer overflow in gdm_lte_multi_sdu_pkt() staging: gdm724x: check for overflow in gdm_lte_netif_rx() scsi: mpt3sas: Fix error return value in _scsih_expander_add() phy: ti: dm816x: Fix the error handling path in 'dm816x_usb_phy_probe() extcon: sm5502: Drop invalid register write in sm5502_reg_data extcon: max8997: Add missing modalias string mmc: vub3000: fix control-request direction scsi: core: Retry I/O for Notify (Enable Spinup) Required error net: pch_gbe: Use proper accessors to BE data in pch_ptp_match() hugetlb: clear huge pte during flush function on mips platform atm: iphase: fix possible use-after-free in ia_module_exit() mISDN: fix possible use-after-free in HFC_cleanup() atm: nicstar: Fix possible use-after-free in nicstar_cleanup() net: Treat __napi_schedule_irqoff() as __napi_schedule() on PREEMPT_RT reiserfs: add check for invalid 1st journal block drm/virtio: Fix double free on probe failure udf: Fix NULL pointer dereference in udf_symlink function e100: handle eeprom as little endian ipv6: use prandom_u32() for ID generation RDMA/cxgb4: Fix missing error code in create_qp() dm space maps: don't reset space map allocation cursor when committing net: micrel: check return value after calling platform_get_resource() selinux: use __GFP_NOWARN with GFP_NOWAIT in the AVC xfrm: Fix error reporting in xfrm_state_construct. wlcore/wl12xx: Fix wl12xx get_mac error if device is in ELP wl1251: Fix possible buffer overflow in wl1251_cmd_scan cw1200: add missing MODULE_DEVICE_TABLE atm: nicstar: use 'dma_free_coherent' instead of 'kfree' atm: nicstar: register the interrupt handler in the right place sfc: avoid double pci_remove of VFs sfc: error code if SRIOV cannot be disabled wireless: wext-spy: Fix out-of-bounds warning RDMA/cma: Fix rdma_resolve_route() memory leak Bluetooth: Fix the HCI to MGMT status conversion table Bluetooth: Shutdown controller after workqueues are flushed or cancelled Bluetooth: btusb: fix bt fiwmare downloading failure issue for qca btsoc. sctp: add size validation when walking chunks fuse: reject internal errno can: gw: synchronize rcu operations before removing gw job entry can: bcm: delay release of struct bcm_op after synchronize_rcu() mac80211: fix memory corruption in EAPOL handling powerpc/barrier: Avoid collision with clang's __lwsync macro mmc: sdhci: Fix warning message when accessing RPMB in HS400 mode ata: ahci_sunxi: Disable DIPM ASoC: tegra: Set driver_name=tegra for all machine drivers ipmi/watchdog: Stop watchdog timer when the current action is 'none' power: supply: ab8500: Fix an old bug seq_buf: Fix overflow in seq_buf_putmem_hex() ipack/carriers/tpci200: Fix a double free in tpci200_pci_probe dm btree remove: assign new_root only when removal succeeds media: zr364xx: fix memory leak in zr364xx_start_readpipe media: gspca/sq905: fix control-request direction media: gspca/sunplus: fix zero-length control requests media: uvcvideo: Fix pixel format change for Elgato Cam Link 4K jfs: fix GPF in diFree KVM: x86: Use guest MAXPHYADDR from CPUID.0x8000_0008 iff TDP is enabled KVM: X86: Disable hardware breakpoints unconditionally before kvm_x86->run() tty: serial: fsl_lpuart: fix the potential risk of division or modulo by zero misc/libmasm/module: Fix two use after free in ibmasm_init_one Revert "ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro" scsi: lpfc: Fix "Unexpected timeout" error in direct attach topology tty: serial: 8250: serial_cs: Fix a memory leak in error handling path fs/jfs: Fix missing error code in lmLogInit() scsi: iscsi: Add iscsi_cls_conn refcount helpers mfd: da9052/stmpe: Add and modify MODULE_DEVICE_TABLE ALSA: sb: Fix potential double-free of CSP mixer elements powerpc/ps3: Add dma_mask to ps3_dma_region gpio: zynq: Check return value of pm_runtime_get_sync ALSA: ppc: fix error return code in snd_pmac_probe() selftests/powerpc: Fix "no_handler" EBB selftest ASoC: soc-core: Fix the error return code in snd_soc_of_parse_audio_routing() ALSA: bebob: add support for ToneWeal FW66 usb: gadget: f_hid: fix endianness issue with descriptors usb: gadget: hid: fix error return code in hid_bind() powerpc/boot: Fixup device-tree on little endian backlight: lm3630a: Fix return code of .update_status() callback ALSA: hda: Add IRQ check for platform_get_irq() lib/decompress_unlz4.c: correctly handle zero-padding around initrds. pwm: spear: Don't modify HW state in .remove callback power: supply: ab8500: Avoid NULL pointers power: reset: gpio-poweroff: add missing MODULE_DEVICE_TABLE ARM: 9087/1: kprobes: test-thumb: fix for LLVM_IAS=1 watchdog: Fix possible use-after-free in wdt_startup() watchdog: sc520_wdt: Fix possible use-after-free in wdt_turnoff() watchdog: Fix possible use-after-free by calling del_timer_sync() ceph: remove bogus checks and WARN_ONs from ceph_set_page_dirty power: supply: charger-manager: add missing MODULE_DEVICE_TABLE power: supply: ab8500: add missing MODULE_DEVICE_TABLE virtio-blk: Fix memory leak among suspend/resume procedure virtio_console: Assure used length from device is limited PCI/sysfs: Fix dsm_label_utf16s_to_utf8s() buffer overrun um: fix error return code in slip_open() um: fix error return code in winch_tramp() nfs: fix acl memory leak of posix_acl_create() ALSA: isa: Fix error return code in snd_cmi8330_probe() hexagon: use common DISCARDS macro ARM: dts: exynos: fix PWM LED max brightness on Odroid XU4 rtc: fix snprintf() checking in is_rtc_hctosys() memory: fsl_ifc: fix leak of IO mapping on probe failure memory: fsl_ifc: fix leak of private memory on probe failure scsi: be2iscsi: Fix an error handling path in beiscsi_dev_probe() mips: disable branch profiling in boot/decompress.o MIPS: vdso: Invalid GIC access through VDSO seq_file: disallow extremely large seq buffer allocations Linux 4.4.276 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: If7756927f46fbb8a74337ee1eae8031c0d3579e2
| | * seq_file: disallow extremely large seq buffer allocationsEric Sandeen2021-07-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit 8cae8cd89f05f6de223d63e6d15e31c8ba9cf53b upstream. There is no reasonable need for a buffer larger than this, and it avoids int overflow pitfalls. Fixes: 058504edd026 ("fs/seq_file: fallback to vmalloc allocation") Suggested-by: Al Viro <viro@zeniv.linux.org.uk> Reported-by: Qualys Security Advisory <qsa@qualys.com> Signed-off-by: Eric Sandeen <sandeen@redhat.com> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * nfs: fix acl memory leak of posix_acl_create()Gao Xiang2021-07-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 1fcb6fcd74a222d9ead54d405842fc763bb86262 ] When looking into another nfs xfstests report, I found acl and default_acl in nfs3_proc_create() and nfs3_proc_mknod() error paths are possibly leaked. Fix them in advance. Fixes: 013cdf1088d7 ("nfs: use generic posix ACL infrastructure for v3 Posix ACLs") Cc: Trond Myklebust <trond.myklebust@hammerspace.com> Cc: Anna Schumaker <anna.schumaker@netapp.com> Cc: Christoph Hellwig <hch@infradead.org> Cc: Joseph Qi <joseph.qi@linux.alibaba.com> Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
| | * ceph: remove bogus checks and WARN_ONs from ceph_set_page_dirtyJeff Layton2021-07-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 22d41cdcd3cfd467a4af074165357fcbea1c37f5 ] The checks for page->mapping are odd, as set_page_dirty is an address_space operation, and I don't see where it would be called on a non-pagecache page. The warning about the page lock also seems bogus. The comment over set_page_dirty() says that it can be called without the page lock in some rare cases. I don't think we want to warn if that's the case. Reported-by: Matthew Wilcox <willy@infradead.org> Signed-off-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Ilya Dryomov <idryomov@gmail.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
| | * fs/jfs: Fix missing error code in lmLogInit()Jiapeng Chong2021-07-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 492109333c29e1bb16d8732e1d597b02e8e0bf2e ] The error code is missing in this code scenario, add the error code '-EINVAL' to the return value 'rc. Eliminate the follow smatch warning: fs/jfs/jfs_logmgr.c:1327 lmLogInit() warn: missing error code 'rc'. Reported-by: Abaci Robot <abaci@linux.alibaba.com> Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com> Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
| | * jfs: fix GPF in diFreePavel Skripkin2021-07-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit 9d574f985fe33efd6911f4d752de6f485a1ea732 upstream. Avoid passing inode with JFS_SBI(inode->i_sb)->ipimap == NULL to diFree()[1]. GFP will appear: struct inode *ipimap = JFS_SBI(ip->i_sb)->ipimap; struct inomap *imap = JFS_IP(ipimap)->i_imap; JFS_IP() will return invalid pointer when ipimap == NULL Call Trace: diFree+0x13d/0x2dc0 fs/jfs/jfs_imap.c:853 [1] jfs_evict_inode+0x2c9/0x370 fs/jfs/inode.c:154 evict+0x2ed/0x750 fs/inode.c:578 iput_final fs/inode.c:1654 [inline] iput.part.0+0x3fe/0x820 fs/inode.c:1680 iput+0x58/0x70 fs/inode.c:1670 Reported-and-tested-by: syzbot+0a89a7b56db04c21a656@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin <paskripkin@gmail.com> Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * fuse: reject internal errnoMiklos Szeredi2021-07-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit 49221cf86d18bb66fe95d3338cb33bd4b9880ca5 upstream. Don't allow userspace to report errors that could be kernel-internal. Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com> Fixes: 334f485df85a ("[PATCH] FUSE - device functions") Cc: <stable@vger.kernel.org> # v2.6.14 Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * udf: Fix NULL pointer dereference in udf_symlink functionArturo Giusti2021-07-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit fa236c2b2d4436d9f19ee4e5d5924e90ffd7bb43 ] In function udf_symlink, epos.bh is assigned with the value returned by udf_tgetblk. The function udf_tgetblk is defined in udf/misc.c and returns the value of sb_getblk function that could be NULL. Then, epos.bh is used without any check, causing a possible NULL pointer dereference when sb_getblk fails. This fix adds a check to validate the value of epos.bh. Link: https://bugzilla.kernel.org/show_bug.cgi?id=213083 Signed-off-by: Arturo Giusti <koredump@protonmail.com> Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Sasha Levin <sashal@kernel.org>
| | * reiserfs: add check for invalid 1st journal blockPavel Skripkin2021-07-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit a149127be52fa7eaf5b3681a0317a2bbb772d5a9 ] syzbot reported divide error in reiserfs. The problem was in incorrect journal 1st block. Syzbot's reproducer manualy generated wrong superblock with incorrect 1st block. In journal_init() wasn't any checks about this particular case. For example, if 1st journal block is before superblock 1st block, it can cause zeroing important superblock members in do_journal_end(). Link: https://lore.kernel.org/r/20210517121545.29645-1-paskripkin@gmail.com Reported-by: syzbot+0ba9909df31c6a36974d@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin <paskripkin@gmail.com> Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Sasha Levin <sashal@kernel.org>
| | * writeback: fix obtain a reference to a freeing memcg cssMuchun Song2021-07-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 8b0ed8443ae6458786580d36b7d5f8125535c5d4 ] The caller of wb_get_create() should pin the memcg, because wb_get_create() relies on this guarantee. The rcu read lock only can guarantee that the memcg css returned by css_from_id() cannot be released, but the reference of the memcg can be zero. rcu_read_lock() memcg_css = css_from_id() wb_get_create(memcg_css) cgwb_create(memcg_css) // css_get can change the ref counter from 0 back to 1 css_get(memcg_css) rcu_read_unlock() Fix it by holding a reference to the css before calling wb_get_create(). This is not a problem I encountered in the real world. Just the result of a code review. Fixes: 682aa8e1a6a1 ("writeback: implement unlocked_inode_to_wb transaction and use it for stat updates") Link: https://lore.kernel.org/r/20210402091145.80635-1-songmuchun@bytedance.com Signed-off-by: Muchun Song <songmuchun@bytedance.com> Acked-by: Michal Hocko <mhocko@suse.com> Acked-by: Tejun Heo <tj@kernel.org> Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Sasha Levin <sashal@kernel.org>
| | * fs: dlm: cancel work sync otherconAlexander Aring2021-07-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit c6aa00e3d20c2767ba3f57b64eb862572b9744b3 ] These rx tx flags arguments are for signaling close_connection() from which worker they are called. Obviously the receive worker cannot cancel itself and vice versa for swork. For the othercon the receive worker should only be used, however to avoid deadlocks we should pass the same flags as the original close_connection() was called. Signed-off-by: Alexander Aring <aahringo@redhat.com> Signed-off-by: David Teigland <teigland@redhat.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
| | * block_dump: remove block_dump feature in mark_inode_dirty()zhangyi (F)2021-07-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 12e0613715e1cf305fffafaf0e89d810d9a85cc0 ] block_dump is an old debugging interface, one of it's functions is used to print the information about who write which file on disk. If we enable block_dump through /proc/sys/vm/block_dump and turn on debug log level, we can gather information about write process name, target file name and disk from kernel message. This feature is realized in block_dump___mark_inode_dirty(), it print above information into kernel message directly when marking inode dirty, so it is noisy and can easily trigger log storm. At the same time, get the dentry refcount is also not safe, we found it will lead to deadlock on ext4 file system with data=journal mode. After tracepoints has been introduced into the kernel, we got a tracepoint in __mark_inode_dirty(), which is a better replacement of block_dump___mark_inode_dirty(). The only downside is that it only trace the inode number and not a file name, but it probably doesn't matter because the original printed file name in block_dump is not accurate in some cases, and we can still find it through the inode number and device id. So this patch delete the dirting inode part of block_dump feature. Signed-off-by: zhangyi (F) <yi.zhang@huawei.com> Reviewed-by: Jan Kara <jack@suse.cz> Reviewed-by: Christoph Hellwig <hch@lst.de> Link: https://lore.kernel.org/r/20210313030146.2882027-2-yi.zhang@huawei.com Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Sasha Levin <sashal@kernel.org>
| | * btrfs: disable build on platforms having page size 256KChristophe Leroy2021-07-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit b05fbcc36be1f8597a1febef4892053a0b2f3f60 ] With a config having PAGE_SIZE set to 256K, BTRFS build fails with the following message include/linux/compiler_types.h:326:38: error: call to '__compiletime_assert_791' declared with attribute error: BUILD_BUG_ON failed: (BTRFS_MAX_COMPRESSED % PAGE_SIZE) != 0 BTRFS_MAX_COMPRESSED being 128K, BTRFS cannot support platforms with 256K pages at the time being. There are two platforms that can select 256K pages: - hexagon - powerpc Disable BTRFS when 256K page size is selected. Supporting this would require changes to the subpage mode that's currently being developed. Given that 256K is many times larger than page sizes commonly used and for what the algorithms and structures have been tuned, it's out of scope and disabling build is a reasonable option. Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu> [ update changelog ] Signed-off-by: David Sterba <dsterba@suse.com> Signed-off-by: Sasha Levin <sashal@kernel.org>