1. 22 5月, 2019 40 次提交
    • A
      ext4: don't update s_rev_level if not required · e8816d3b
      Andreas Dilger 提交于
      commit c9e716eb9b3455a83ed7c5f5a81256a3da779a95 upstream.
      
      Don't update the superblock s_rev_level during mount if it isn't
      actually necessary, only if superblock features are being set by
      the kernel.  This was originally added for ext3 since it always
      set the INCOMPAT_RECOVER and HAS_JOURNAL features during mount,
      but this is not needed since no journal mode was added to ext4.
      
      That will allow Geert to mount his 20-year-old ext2 rev 0.0 m68k
      filesystem, as a testament of the backward compatibility of ext4.
      
      Fixes: 0390131b ("ext4: Allow ext4 to run without a journal")
      Signed-off-by: NAndreas Dilger <adilger@dilger.ca>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e8816d3b
    • Z
      ext4: fix compile error when using BUFFER_TRACE · 6172ae55
      zhangyi (F) 提交于
      commit ddccb6dbe780d68133191477571cb7c69e17bb8c upstream.
      
      Fix compile error below when using BUFFER_TRACE.
      
      fs/ext4/inode.c: In function ‘ext4_expand_extra_isize’:
      fs/ext4/inode.c:5979:19: error: request for member ‘bh’ in something not a structure or union
        BUFFER_TRACE(iloc.bh, "get_write_access");
      
      Fixes: c03b45b8 ("ext4, project: expand inode extra size if possible")
      Signed-off-by: Nzhangyi (F) <yi.zhang@huawei.com>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Reviewed-by: NJan Kara <jack@suse.cz>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6172ae55
    • K
      pstore: Refactor compression initialization · 953e826e
      Kees Cook 提交于
      commit 95047b0519c17a28e09df5f38750f5354e3db4c4 upstream.
      
      This refactors compression initialization slightly to better handle
      getting potentially called twice (via early pstore_register() calls
      and later pstore_init()) and improves the comments and reporting to be
      more verbose.
      Signed-off-by: NKees Cook <keescook@chromium.org>
      Tested-by: NGuenter Roeck <groeck@chromium.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      953e826e
    • J
      pstore: Allocate compression during late_initcall() · fea8b847
      Joel Fernandes (Google) 提交于
      commit 416031653eb55f844e3547fb8f8576399a800da0 upstream.
      
      ramoops's call of pstore_register() was recently moved to run during
      late_initcall() because the crypto backend may not have been ready during
      postcore_initcall(). This meant early-boot crash dumps were not getting
      caught by pstore any more.
      
      Instead, lets allow calls to pstore_register() earlier, and once crypto
      is ready we can initialize the compression.
      Reported-by: NSai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
      Signed-off-by: NJoel Fernandes (Google) <joel@joelfernandes.org>
      Tested-by: NSai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
      Fixes: cb3bee03 ("pstore: Use crypto compress API")
      [kees: trivial rebase]
      Signed-off-by: NKees Cook <keescook@chromium.org>
      Tested-by: NGuenter Roeck <groeck@chromium.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fea8b847
    • K
      pstore: Centralize init/exit routines · f4bf101b
      Kees Cook 提交于
      commit cb095afd44768bf495894b9ad063bd078e4bb201 upstream.
      
      In preparation for having additional actions during init/exit, this moves
      the init/exit into platform.c, centralizing the logic to make call outs
      to the fs init/exit.
      Signed-off-by: NKees Cook <keescook@chromium.org>
      Tested-by: NGuenter Roeck <groeck@chromium.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f4bf101b
    • E
      iov_iter: optimize page_copy_sane() · 627bb2d9
      Eric Dumazet 提交于
      commit 6daef95b8c914866a46247232a048447fff97279 upstream.
      
      Avoid cache line miss dereferencing struct page if we can.
      
      page_copy_sane() mostly deals with order-0 pages.
      
      Extra cache line miss is visible on TCP recvmsg() calls dealing
      with GRO packets (typically 45 page frags are attached to one skb).
      
      Bringing the 45 struct pages into cpu cache while copying the data
      is not free, since the freeing of the skb (and associated
      page frags put_page()) can happen after cache lines have been evicted.
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      Cc: Matthew Wilcox <willy@infradead.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      627bb2d9
    • D
      libnvdimm/namespace: Fix label tracking error · 866f0111
      Dan Williams 提交于
      commit c4703ce11c23423d4b46e3d59aef7979814fd608 upstream.
      
      Users have reported intermittent occurrences of DIMM initialization
      failures due to duplicate allocations of address capacity detected in
      the labels, or errors of the form below, both have the same root cause.
      
          nd namespace1.4: failed to track label: 0
          WARNING: CPU: 17 PID: 1381 at drivers/nvdimm/label.c:863
      
          RIP: 0010:__pmem_label_update+0x56c/0x590 [libnvdimm]
          Call Trace:
           ? nd_pmem_namespace_label_update+0xd6/0x160 [libnvdimm]
           nd_pmem_namespace_label_update+0xd6/0x160 [libnvdimm]
           uuid_store+0x17e/0x190 [libnvdimm]
           kernfs_fop_write+0xf0/0x1a0
           vfs_write+0xb7/0x1b0
           ksys_write+0x57/0xd0
           do_syscall_64+0x60/0x210
      
      Unfortunately those reports were typically with a busy parallel
      namespace creation / destruction loop making it difficult to see the
      components of the bug. However, Jane provided a simple reproducer using
      the work-in-progress sub-section implementation.
      
      When ndctl is reconfiguring a namespace it may take an existing defunct
      / disabled namespace and reconfigure it with a new uuid and other
      parameters. Critically namespace_update_uuid() takes existing address
      resources and renames them for the new namespace to use / reconfigure as
      it sees fit. The bug is that this rename only happens in the resource
      tracking tree. Existing labels with the old uuid are not reaped leading
      to a scenario where multiple active labels reference the same span of
      address range.
      
      Teach namespace_update_uuid() to flag any references to the old uuid for
      reaping at the next label update attempt.
      
      Cc: <stable@vger.kernel.org>
      Fixes: bf9bccc1 ("libnvdimm: pmem label sets and namespace instantiation")
      Link: https://github.com/pmem/ndctl/issues/91Reported-by: NJane Chu <jane.chu@oracle.com>
      Reported-by: NJeff Moyer <jmoyer@redhat.com>
      Reported-by: NErwin Tsaur <erwin.tsaur@oracle.com>
      Cc: Johannes Thumshirn <jthumshirn@suse.de>
      Signed-off-by: NDan Williams <dan.j.williams@intel.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      866f0111
    • R
      xen/pvh: set xen_domain_type to HVM in xen_pvh_init · 756eda9b
      Roger Pau Monne 提交于
      commit c9f804d64bb93c8dbf957df1d7e9de11380e522d upstream.
      
      Or else xen_domain() returns false despite xen_pvh being set.
      Signed-off-by: NRoger Pau Monné <roger.pau@citrix.com>
      Reviewed-by: NBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Signed-off-by: NBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Cc: stable@vger.kernel.org # 4.19+
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      756eda9b
    • M
      kbuild: turn auto.conf.cmd into a mandatory include file · 98bdd338
      Masahiro Yamada 提交于
      commit d2f8ae0e4c5c754f1b2a7b8388d19a1a977e698a upstream.
      
      syncconfig is responsible for keeping auto.conf up-to-date, so if it
      fails for any reason, the build must be terminated immediately.
      
      However, since commit 9390dff66a52 ("kbuild: invoke syncconfig if
      include/config/auto.conf.cmd is missing"), Kbuild continues running
      even after syncconfig fails.
      
      You can confirm this by intentionally making syncconfig error out:
      
      #  diff --git a/scripts/kconfig/confdata.c b/scripts/kconfig/confdata.c
      #  index 08ba146..307b9de 100644
      #  --- a/scripts/kconfig/confdata.c
      #  +++ b/scripts/kconfig/confdata.c
      #  @@ -1023,6 +1023,9 @@ int conf_write_autoconf(int overwrite)
      #          FILE *out, *tristate, *out_h;
      #          int i;
      #
      #  +       if (overwrite)
      #  +               return 1;
      #  +
      #          if (!overwrite && is_present(autoconf_name))
      #                  return 0;
      
      Then, syncconfig fails, but Make would not stop:
      
        $ make -s mrproper allyesconfig defconfig
        $ make
        scripts/kconfig/conf  --syncconfig Kconfig
      
        *** Error during sync of the configuration.
      
        make[2]: *** [scripts/kconfig/Makefile;69: syncconfig] Error 1
        make[1]: *** [Makefile;557: syncconfig] Error 2
        make: *** [include/config/auto.conf.cmd] Deleting file 'include/config/tristate.conf'
        make: Failed to remake makefile 'include/config/auto.conf'.
          SYSTBL  arch/x86/include/generated/asm/syscalls_32.h
          SYSHDR  arch/x86/include/generated/asm/unistd_32_ia32.h
          SYSHDR  arch/x86/include/generated/asm/unistd_64_x32.h
          SYSTBL  arch/x86/include/generated/asm/syscalls_64.h
        [ continue running ... ]
      
      The reason is in the behavior of a pattern rule with multi-targets.
      
        %/auto.conf %/auto.conf.cmd %/tristate.conf: $(KCONFIG_CONFIG)
                $(Q)$(MAKE) -f $(srctree)/Makefile syncconfig
      
      GNU Make knows this rule is responsible for making all the three files
      simultaneously. As far as examined, auto.conf.cmd is the target in
      question when this rule is invoked. It is probably because auto.conf.cmd
      is included below the inclusion of auto.conf.
      
      The inclusion of auto.conf is mandatory, while that of auto.conf.cmd
      is optional. GNU Make does not care about the failure in the process
      of updating optional include files.
      
      I filed this issue (https://savannah.gnu.org/bugs/?56301) in case this
      behavior could be improved somehow in future releases of GNU Make.
      Anyway, it is quite easy to fix our Makefile.
      
      Given that auto.conf is already a mandatory include file, there is no
      reason to stick auto.conf.cmd optional. Make it mandatory as well.
      
      Cc: linux-stable <stable@vger.kernel.org> # 5.0+
      Fixes: 9390dff66a52 ("kbuild: invoke syncconfig if include/config/auto.conf.cmd is missing")
      Signed-off-by: NMasahiro Yamada <yamada.masahiro@socionext.com>
      [commented out diff above to keep patch happy - gregkh]
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      98bdd338
    • S
      KVM: lapic: Busy wait for timer to expire when using hv_timer · 38f11488
      Sean Christopherson 提交于
      commit ee66e453db13d4837a0dcf9d43efa7a88603161b upstream.
      
      ...now that VMX's preemption timer, i.e. the hv_timer, also adjusts its
      programmed time based on lapic_timer_advance_ns.  Without the delay, a
      guest can see a timer interrupt arrive before the requested time when
      KVM is using the hv_timer to emulate the guest's interrupt.
      
      Fixes: c5ce8235 ("KVM: VMX: Optimize tscdeadline timer latency")
      Cc: <stable@vger.kernel.org>
      Cc: Wanpeng Li <wanpengli@tencent.com>
      Reviewed-by: NLiran Alon <liran.alon@oracle.com>
      Signed-off-by: NSean Christopherson <sean.j.christopherson@intel.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      38f11488
    • S
      KVM: x86: Skip EFER vs. guest CPUID checks for host-initiated writes · 3b5ea2df
      Sean Christopherson 提交于
      commit 11988499e62b310f3bf6f6d0a807a06d3f9ccc96 upstream.
      
      KVM allows userspace to violate consistency checks related to the
      guest's CPUID model to some degree.  Generally speaking, userspace has
      carte blanche when it comes to guest state so long as jamming invalid
      state won't negatively affect the host.
      
      Currently this is seems to be a non-issue as most of the interesting
      EFER checks are missing, e.g. NX and LME, but those will be added
      shortly.  Proactively exempt userspace from the CPUID checks so as not
      to break userspace.
      
      Note, the efer_reserved_bits check still applies to userspace writes as
      that mask reflects the host's capabilities, e.g. KVM shouldn't allow a
      guest to run with NX=1 if it has been disabled in the host.
      
      Fixes: d8017474 ("KVM: SVM: Only allow setting of EFER_SVME when CPUID SVM is set")
      Cc: stable@vger.kernel.org
      Signed-off-by: NSean Christopherson <sean.j.christopherson@intel.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3b5ea2df
    • C
      jbd2: fix potential double free · 5b856768
      Chengguang Xu 提交于
      commit 0d52154bb0a700abb459a2cbce0a30fc2549b67e upstream.
      
      When failing from creating cache jbd2_inode_cache, we will destroy the
      previously created cache jbd2_handle_cache twice.  This patch fixes
      this by moving each cache initialization/destruction to its own
      separate, individual function.
      Signed-off-by: NChengguang Xu <cgxu519@gmail.com>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Cc: stable@kernel.org
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5b856768
    • M
      ALSA: hda/realtek - Fix for Lenovo B50-70 inverted internal microphone bug · 95482af2
      Michał Wadowski 提交于
      commit 56df90b631fc027fe28b70d41352d820797239bb upstream.
      
      Add patch for realtek codec in Lenovo B50-70 that fixes inverted
      internal microphone channel.
      Device IdeaPad Y410P has the same PCI SSID as Lenovo B50-70,
      but first one is about fix the noise and it didn't seem help in a
      later kernel version.
      So I replaced IdeaPad Y410P device description with B50-70 and apply
      inverted microphone fix.
      
      Bugzilla: https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/1524215Signed-off-by: NMichał Wadowski <wadosm@gmail.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      95482af2
    • K
      ALSA: hda/realtek - Fixup headphone noise via runtime suspend · e0e1dc65
      Kailang Yang 提交于
      commit dad3197da7a3817f27bb24f7fd3c135ffa707202 upstream.
      
      Dell platform with ALC298.
      system enter to runtime suspend. Headphone had noise.
      Let Headset Mic not shutup will solve this issue.
      
      [ Fixed minor coding style issues by tiwai ]
      Signed-off-by: NKailang Yang <kailang@realtek.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e0e1dc65
    • J
      ALSA: hda/realtek - Corrected fixup for System76 Gazelle (gaze14) · ae315512
      Jeremy Soller 提交于
      commit 891afcf2462d2cc4ef7caf94215358ca61fa32cb upstream.
      
      A mistake was made in the identification of the four variants of the
      System76 Gazelle (gaze14). This patch corrects the PCI ID of the
      17-inch, GTX 1660 Ti variant from 0x8560 to 0x8551. This patch also
      adds the correct fixups for the 15-inch and 17-inch GTX 1650 variants
      with PCI IDs 0x8560 and 0x8561.
      
      Tests were done on all four variants ensuring full audio capability.
      
      Fixes: 80a5052db751 ("ALSA: hdea/realtek - Headset fixup for System76 Gazelle (gaze14)")
      Signed-off-by: NJeremy Soller <jeremy@system76.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ae315512
    • J
      ext4: avoid panic during forced reboot due to aborted journal · 316063bf
      Jan Kara 提交于
      commit 2c1d0e3631e5732dba98ef49ac0bec1388776793 upstream.
      
      Handling of aborted journal is a special code path different from
      standard ext4_error() one and it can call panic() as well. Commit
      1dc1097ff60e ("ext4: avoid panic during forced reboot") forgot to update
      this path so fix that omission.
      
      Fixes: 1dc1097ff60e ("ext4: avoid panic during forced reboot")
      Signed-off-by: NJan Kara <jack@suse.cz>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Cc: stable@kernel.org # 5.1
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      316063bf
    • S
      ext4: fix use-after-free in dx_release() · c19db366
      Sahitya Tummala 提交于
      commit 08fc98a4d6424af66eb3ac4e2cedd2fc927ed436 upstream.
      
      The buffer_head (frames[0].bh) and it's corresping page can be
      potentially free'd once brelse() is done inside the for loop
      but before the for loop exits in dx_release(). It can be free'd
      in another context, when the page cache is flushed via
      drop_caches_sysctl_handler(). This results into below data abort
      when accessing info->indirect_levels in dx_release().
      
      Unable to handle kernel paging request at virtual address ffffffc17ac3e01e
      Call trace:
       dx_release+0x70/0x90
       ext4_htree_fill_tree+0x2d4/0x300
       ext4_readdir+0x244/0x6f8
       iterate_dir+0xbc/0x160
       SyS_getdents64+0x94/0x174
      Signed-off-by: NSahitya Tummala <stummala@codeaurora.org>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Reviewed-by: NAndreas Dilger <adilger@dilger.ca>
      Cc: stable@kernel.org
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c19db366
    • L
      ext4: fix data corruption caused by overlapping unaligned and aligned IO · 0db24122
      Lukas Czerner 提交于
      commit 57a0da28ced8707cb9f79f071a016b9d005caf5a upstream.
      
      Unaligned AIO must be serialized because the zeroing of partial blocks
      of unaligned AIO can result in data corruption in case it's overlapping
      another in flight IO.
      
      Currently we wait for all unwritten extents before we submit unaligned
      AIO which protects data in case of unaligned AIO is following overlapping
      IO. However if a unaligned AIO is followed by overlapping aligned AIO we
      can still end up corrupting data.
      
      To fix this, we must make sure that the unaligned AIO is the only IO in
      flight by waiting for unwritten extents conversion not just before the
      IO submission, but right after it as well.
      
      This problem can be reproduced by xfstest generic/538
      Signed-off-by: NLukas Czerner <lczerner@redhat.com>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Cc: stable@kernel.org
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0db24122
    • S
      ext4: zero out the unused memory region in the extent tree block · 25d010f4
      Sriram Rajagopalan 提交于
      commit 592acbf16821288ecdc4192c47e3774a4c48bb64 upstream.
      
      This commit zeroes out the unused memory region in the buffer_head
      corresponding to the extent metablock after writing the extent header
      and the corresponding extent node entries.
      
      This is done to prevent random uninitialized data from getting into
      the filesystem when the extent block is synced.
      
      This fixes CVE-2019-11833.
      Signed-off-by: NSriram Rajagopalan <sriramr@arista.com>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Cc: stable@kernel.org
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      25d010f4
    • A
      tty: Don't force RISCV SBI console as preferred console · c907ce3f
      Anup Patel 提交于
      commit f91253a3d005796404ae0e578b3394459b5f9b71 upstream.
      
      The Linux kernel will auto-disables all boot consoles whenever it
      gets a preferred real console.
      
      Currently on RISC-V systems, if we have a real console which is not
      RISCV SBI console then boot consoles (such as earlycon=sbi) are not
      auto-disabled when a real console (ttyS0 or ttySIF0) is available.
      This results in duplicate prints at boot-time after kernel starts
      using real console (i.e. ttyS0 or ttySIF0) if "earlycon=" kernel
      parameter was passed by bootloader.
      
      The reason for above issue is that RISCV SBI console always adds
      itself as preferred console which is causing other real consoles
      to be not used as preferred console.
      
      Ideally "console=" kernel parameter passed by bootloaders should
      be the one selecting a preferred real console.
      
      This patch fixes above issue by not forcing RISCV SBI console as
      preferred console.
      
      Fixes: afa6b1cc ("tty: New RISC-V SBI console driver")
      Cc: stable@vger.kernel.org
      Signed-off-by: NAnup Patel <anup.patel@wdc.com>
      Reviewed-by: NAtish Patra <atish.patra@wdc.com>
      Signed-off-by: NPalmer Dabbelt <palmer@sifive.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c907ce3f
    • J
      fs/writeback.c: use rcu_barrier() to wait for inflight wb switches going into workqueue when umount · 986d3453
      Jiufei Xue 提交于
      commit ec084de929e419e51bcdafaafe567d9e7d0273b7 upstream.
      
      synchronize_rcu() didn't wait for call_rcu() callbacks, so inode wb
      switch may not go to the workqueue after synchronize_rcu().  Thus
      previous scheduled switches was not finished even flushing the
      workqueue, which will cause a NULL pointer dereferenced followed below.
      
        VFS: Busy inodes after unmount of vdd. Self-destruct in 5 seconds.  Have a nice day...
        BUG: unable to handle kernel NULL pointer dereference at 0000000000000278
          evict+0xb3/0x180
          iput+0x1b0/0x230
          inode_switch_wbs_work_fn+0x3c0/0x6a0
          worker_thread+0x4e/0x490
          ? process_one_work+0x410/0x410
          kthread+0xe6/0x100
          ret_from_fork+0x39/0x50
      
      Replace the synchronize_rcu() call with a rcu_barrier() to wait for all
      pending callbacks to finish.  And inc isw_nr_in_flight after call_rcu()
      in inode_switch_wbs() to make more sense.
      
      Link: http://lkml.kernel.org/r/20190429024108.54150-1-jiufei.xue@linux.alibaba.comSigned-off-by: NJiufei Xue <jiufei.xue@linux.alibaba.com>
      Acked-by: NTejun Heo <tj@kernel.org>
      Suggested-by: NTejun Heo <tj@kernel.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      986d3453
    • E
      crypto: ccm - fix incompatibility between "ccm" and "ccm_base" · a80da82d
      Eric Biggers 提交于
      commit 6a1faa4a43f5fabf9cbeaa742d916e7b5e73120f upstream.
      
      CCM instances can be created by either the "ccm" template, which only
      allows choosing the block cipher, e.g. "ccm(aes)"; or by "ccm_base",
      which allows choosing the ctr and cbcmac implementations, e.g.
      "ccm_base(ctr(aes-generic),cbcmac(aes-generic))".
      
      However, a "ccm_base" instance prevents a "ccm" instance from being
      registered using the same implementations.  Nor will the instance be
      found by lookups of "ccm".  This can be used as a denial of service.
      Moreover, "ccm_base" instances are never tested by the crypto
      self-tests, even if there are compatible "ccm" tests.
      
      The root cause of these problems is that instances of the two templates
      use different cra_names.  Therefore, fix these problems by making
      "ccm_base" instances set the same cra_name as "ccm" instances, e.g.
      "ccm(aes)" instead of "ccm_base(ctr(aes-generic),cbcmac(aes-generic))".
      
      This requires extracting the block cipher name from the name of the ctr
      and cbcmac algorithms.  It also requires starting to verify that the
      algorithms are really ctr and cbcmac using the same block cipher, not
      something else entirely.  But it would be bizarre if anyone were
      actually using non-ccm-compatible algorithms with ccm_base, so this
      shouldn't break anyone in practice.
      
      Fixes: 4a49b499 ("[CRYPTO] ccm: Added CCM mode")
      Cc: stable@vger.kernel.org
      Signed-off-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      a80da82d
    • K
      ipmi:ssif: compare block number correctly for multi-part return messages · f6de0a3b
      Kamlakant Patel 提交于
      commit 55be8658c7e2feb11a5b5b33ee031791dbd23a69 upstream.
      
      According to ipmi spec, block number is a number that is incremented,
      starting with 0, for each new block of message data returned using the
      middle transaction.
      
      Here, the 'blocknum' is data[0] which always starts from zero(0) and
      'ssif_info->multi_pos' starts from 1.
      So, we need to add +1 to blocknum while comparing with multi_pos.
      
      Fixes: 7d6380cd40f79 ("ipmi:ssif: Fix handling of multi-part return messages").
      Reported-by: NKiran Kolukuluru <kirank@ami.com>
      Signed-off-by: NKamlakant Patel <kamlakantp@marvell.com>
      Message-Id: <1556106615-18722-1-git-send-email-kamlakantp@marvell.com>
      [Also added a debug log if the block numbers don't match.]
      Signed-off-by: NCorey Minyard <cminyard@mvista.com>
      Cc: stable@vger.kernel.org # 4.4
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f6de0a3b
    • C
      bcache: never set KEY_PTRS of journal key to 0 in journal_reclaim() · 88681649
      Coly Li 提交于
      commit 1bee2addc0c8470c8aaa65ef0599eeae96dd88bc upstream.
      
      In journal_reclaim() ja->cur_idx of each cache will be update to
      reclaim available journal buckets. Variable 'int n' is used to count how
      many cache is successfully reclaimed, then n is set to c->journal.key
      by SET_KEY_PTRS(). Later in journal_write_unlocked(), a for_each_cache()
      loop will write the jset data onto each cache.
      
      The problem is, if all jouranl buckets on each cache is full, the
      following code in journal_reclaim(),
      
      529 for_each_cache(ca, c, iter) {
      530       struct journal_device *ja = &ca->journal;
      531       unsigned int next = (ja->cur_idx + 1) % ca->sb.njournal_buckets;
      532
      533       /* No space available on this device */
      534       if (next == ja->discard_idx)
      535               continue;
      536
      537       ja->cur_idx = next;
      538       k->ptr[n++] = MAKE_PTR(0,
      539                         bucket_to_sector(c, ca->sb.d[ja->cur_idx]),
      540                         ca->sb.nr_this_dev);
      541 }
      542
      543 bkey_init(k);
      544 SET_KEY_PTRS(k, n);
      
      If there is no available bucket to reclaim, the if() condition at line
      534 will always true, and n remains 0. Then at line 544, SET_KEY_PTRS()
      will set KEY_PTRS field of c->journal.key to 0.
      
      Setting KEY_PTRS field of c->journal.key to 0 is wrong. Because in
      journal_write_unlocked() the journal data is written in following loop,
      
      649	for (i = 0; i < KEY_PTRS(k); i++) {
      650-671		submit journal data to cache device
      672	}
      
      If KEY_PTRS field is set to 0 in jouranl_reclaim(), the journal data
      won't be written to cache device here. If system crahed or rebooted
      before bkeys of the lost journal entries written into btree nodes, data
      corruption will be reported during bcache reload after rebooting the
      system.
      
      Indeed there is only one cache in a cache set, there is no need to set
      KEY_PTRS field in journal_reclaim() at all. But in order to keep the
      for_each_cache() logic consistent for now, this patch fixes the above
      problem by not setting 0 KEY_PTRS of journal key, if there is no bucket
      available to reclaim.
      Signed-off-by: NColy Li <colyli@suse.de>
      Reviewed-by: NHannes Reinecke <hare@suse.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      88681649
    • L
      bcache: fix a race between cache register and cacheset unregister · ecfc882f
      Liang Chen 提交于
      commit a4b732a248d12cbdb46999daf0bf288c011335eb upstream.
      
      There is a race between cache device register and cache set unregister.
      For an already registered cache device, register_bcache will call
      bch_is_open to iterate through all cachesets and check every cache
      there. The race occurs if cache_set_free executes at the same time and
      clears the caches right before ca is dereferenced in bch_is_open_cache.
      To close the race, let's make sure the clean up work is protected by
      the bch_register_lock as well.
      
      This issue can be reproduced as follows,
      while true; do echo /dev/XXX> /sys/fs/bcache/register ; done&
      while true; do echo 1> /sys/block/XXX/bcache/set/unregister ; done &
      
      and results in the following oops,
      
      [  +0.000053] BUG: unable to handle kernel NULL pointer dereference at 0000000000000998
      [  +0.000457] #PF error: [normal kernel read fault]
      [  +0.000464] PGD 800000003ca9d067 P4D 800000003ca9d067 PUD 3ca9c067 PMD 0
      [  +0.000388] Oops: 0000 [#1] SMP PTI
      [  +0.000269] CPU: 1 PID: 3266 Comm: bash Not tainted 5.0.0+ #6
      [  +0.000346] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.fc28 04/01/2014
      [  +0.000472] RIP: 0010:register_bcache+0x1829/0x1990 [bcache]
      [  +0.000344] Code: b0 48 83 e8 50 48 81 fa e0 e1 10 c0 0f 84 a9 00 00 00 48 89 c6 48 89 ca 0f b7 ba 54 04 00 00 4c 8b 82 60 0c 00 00 85 ff 74 2f <49> 3b a8 98 09 00 00 74 4e 44 8d 47 ff 31 ff 49 c1 e0 03 eb 0d
      [  +0.000839] RSP: 0018:ffff92ee804cbd88 EFLAGS: 00010202
      [  +0.000328] RAX: ffffffffc010e190 RBX: ffff918b5c6b5000 RCX: ffff918b7d8e0000
      [  +0.000399] RDX: ffff918b7d8e0000 RSI: ffffffffc010e190 RDI: 0000000000000001
      [  +0.000398] RBP: ffff918b7d318340 R08: 0000000000000000 R09: ffffffffb9bd2d7a
      [  +0.000385] R10: ffff918b7eb253c0 R11: ffffb95980f51200 R12: ffffffffc010e1a0
      [  +0.000411] R13: fffffffffffffff2 R14: 000000000000000b R15: ffff918b7e232620
      [  +0.000384] FS:  00007f955bec2740(0000) GS:ffff918b7eb00000(0000) knlGS:0000000000000000
      [  +0.000420] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  +0.000801] CR2: 0000000000000998 CR3: 000000003cad6000 CR4: 00000000001406e0
      [  +0.000837] Call Trace:
      [  +0.000682]  ? _cond_resched+0x10/0x20
      [  +0.000691]  ? __kmalloc+0x131/0x1b0
      [  +0.000710]  kernfs_fop_write+0xfa/0x170
      [  +0.000733]  __vfs_write+0x2e/0x190
      [  +0.000688]  ? inode_security+0x10/0x30
      [  +0.000698]  ? selinux_file_permission+0xd2/0x120
      [  +0.000752]  ? security_file_permission+0x2b/0x100
      [  +0.000753]  vfs_write+0xa8/0x1a0
      [  +0.000676]  ksys_write+0x4d/0xb0
      [  +0.000699]  do_syscall_64+0x3a/0xf0
      [  +0.000692]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      Signed-off-by: NLiang Chen <liangchen.linux@gmail.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NColy Li <colyli@suse.de>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ecfc882f
    • F
      Btrfs: do not start a transaction at iterate_extent_inodes() · 8a8f671b
      Filipe Manana 提交于
      commit bfc61c36260ca990937539cd648ede3cd749bc10 upstream.
      
      When finding out which inodes have references on a particular extent, done
      by backref.c:iterate_extent_inodes(), from the BTRFS_IOC_LOGICAL_INO (both
      v1 and v2) ioctl and from scrub we use the transaction join API to grab a
      reference on the currently running transaction, since in order to give
      accurate results we need to inspect the delayed references of the currently
      running transaction.
      
      However, if there is currently no running transaction, the join operation
      will create a new transaction. This is inefficient as the transaction will
      eventually be committed, doing unnecessary IO and introducing a potential
      point of failure that will lead to a transaction abort due to -ENOSPC, as
      recently reported [1].
      
      That's because the join, creates the transaction but does not reserve any
      space, so when attempting to update the root item of the root passed to
      btrfs_join_transaction(), during the transaction commit, we can end up
      failling with -ENOSPC. Users of a join operation are supposed to actually
      do some filesystem changes and reserve space by some means, which is not
      the case of iterate_extent_inodes(), it is a read-only operation for all
      contextes from which it is called.
      
      The reported [1] -ENOSPC failure stack trace is the following:
      
       heisenberg kernel: ------------[ cut here ]------------
       heisenberg kernel: BTRFS: Transaction aborted (error -28)
       heisenberg kernel: WARNING: CPU: 0 PID: 7137 at fs/btrfs/root-tree.c:136 btrfs_update_root+0x22b/0x320 [btrfs]
      (...)
       heisenberg kernel: CPU: 0 PID: 7137 Comm: btrfs-transacti Not tainted 4.19.0-4-amd64 #1 Debian 4.19.28-2
       heisenberg kernel: Hardware name: FUJITSU LIFEBOOK U757/FJNB2A5, BIOS Version 1.21 03/19/2018
       heisenberg kernel: RIP: 0010:btrfs_update_root+0x22b/0x320 [btrfs]
      (...)
       heisenberg kernel: RSP: 0018:ffffb5448828bd40 EFLAGS: 00010286
       heisenberg kernel: RAX: 0000000000000000 RBX: ffff8ed56bccef50 RCX: 0000000000000006
       heisenberg kernel: RDX: 0000000000000007 RSI: 0000000000000092 RDI: ffff8ed6bda166a0
       heisenberg kernel: RBP: 00000000ffffffe4 R08: 00000000000003df R09: 0000000000000007
       heisenberg kernel: R10: 0000000000000000 R11: 0000000000000001 R12: ffff8ed63396a078
       heisenberg kernel: R13: ffff8ed092d7c800 R14: ffff8ed64f5db028 R15: ffff8ed6bd03d068
       heisenberg kernel: FS:  0000000000000000(0000) GS:ffff8ed6bda00000(0000) knlGS:0000000000000000
       heisenberg kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       heisenberg kernel: CR2: 00007f46f75f8000 CR3: 0000000310a0a002 CR4: 00000000003606f0
       heisenberg kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
       heisenberg kernel: DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
       heisenberg kernel: Call Trace:
       heisenberg kernel:  commit_fs_roots+0x166/0x1d0 [btrfs]
       heisenberg kernel:  ? _cond_resched+0x15/0x30
       heisenberg kernel:  ? btrfs_run_delayed_refs+0xac/0x180 [btrfs]
       heisenberg kernel:  btrfs_commit_transaction+0x2bd/0x870 [btrfs]
       heisenberg kernel:  ? start_transaction+0x9d/0x3f0 [btrfs]
       heisenberg kernel:  transaction_kthread+0x147/0x180 [btrfs]
       heisenberg kernel:  ? btrfs_cleanup_transaction+0x530/0x530 [btrfs]
       heisenberg kernel:  kthread+0x112/0x130
       heisenberg kernel:  ? kthread_bind+0x30/0x30
       heisenberg kernel:  ret_from_fork+0x35/0x40
       heisenberg kernel: ---[ end trace 05de912e30e012d9 ]---
      
      So fix that by using the attach API, which does not create a transaction
      when there is currently no running transaction.
      
      [1] https://lore.kernel.org/linux-btrfs/b2a668d7124f1d3e410367f587926f622b3f03a4.camel@scientia.net/Reported-by: NZygo Blaxell <ce3g8jdj@umail.furryterror.org>
      CC: stable@vger.kernel.org # 4.4+
      Signed-off-by: NFilipe Manana <fdmanana@suse.com>
      Reviewed-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8a8f671b
    • F
      Btrfs: do not start a transaction during fiemap · 0388d45a
      Filipe Manana 提交于
      commit 03628cdbc64db6262e50d0357960a4e9562676a1 upstream.
      
      During fiemap, for regular extents (non inline) we need to check if they
      are shared and if they are, set the shared bit. Checking if an extent is
      shared requires checking the delayed references of the currently running
      transaction, since some reference might have not yet hit the extent tree
      and be only in the in-memory delayed references.
      
      However we were using a transaction join for this, which creates a new
      transaction when there is no transaction currently running. That means
      that two more potential failures can happen: creating the transaction and
      committing it. Further, if no write activity is currently happening in the
      system, and fiemap calls keep being done, we end up creating and
      committing transactions that do nothing.
      
      In some extreme cases this can result in the commit of the transaction
      created by fiemap to fail with ENOSPC when updating the root item of a
      subvolume tree because a join does not reserve any space, leading to a
      trace like the following:
      
       heisenberg kernel: ------------[ cut here ]------------
       heisenberg kernel: BTRFS: Transaction aborted (error -28)
       heisenberg kernel: WARNING: CPU: 0 PID: 7137 at fs/btrfs/root-tree.c:136 btrfs_update_root+0x22b/0x320 [btrfs]
      (...)
       heisenberg kernel: CPU: 0 PID: 7137 Comm: btrfs-transacti Not tainted 4.19.0-4-amd64 #1 Debian 4.19.28-2
       heisenberg kernel: Hardware name: FUJITSU LIFEBOOK U757/FJNB2A5, BIOS Version 1.21 03/19/2018
       heisenberg kernel: RIP: 0010:btrfs_update_root+0x22b/0x320 [btrfs]
      (...)
       heisenberg kernel: RSP: 0018:ffffb5448828bd40 EFLAGS: 00010286
       heisenberg kernel: RAX: 0000000000000000 RBX: ffff8ed56bccef50 RCX: 0000000000000006
       heisenberg kernel: RDX: 0000000000000007 RSI: 0000000000000092 RDI: ffff8ed6bda166a0
       heisenberg kernel: RBP: 00000000ffffffe4 R08: 00000000000003df R09: 0000000000000007
       heisenberg kernel: R10: 0000000000000000 R11: 0000000000000001 R12: ffff8ed63396a078
       heisenberg kernel: R13: ffff8ed092d7c800 R14: ffff8ed64f5db028 R15: ffff8ed6bd03d068
       heisenberg kernel: FS:  0000000000000000(0000) GS:ffff8ed6bda00000(0000) knlGS:0000000000000000
       heisenberg kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       heisenberg kernel: CR2: 00007f46f75f8000 CR3: 0000000310a0a002 CR4: 00000000003606f0
       heisenberg kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
       heisenberg kernel: DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
       heisenberg kernel: Call Trace:
       heisenberg kernel:  commit_fs_roots+0x166/0x1d0 [btrfs]
       heisenberg kernel:  ? _cond_resched+0x15/0x30
       heisenberg kernel:  ? btrfs_run_delayed_refs+0xac/0x180 [btrfs]
       heisenberg kernel:  btrfs_commit_transaction+0x2bd/0x870 [btrfs]
       heisenberg kernel:  ? start_transaction+0x9d/0x3f0 [btrfs]
       heisenberg kernel:  transaction_kthread+0x147/0x180 [btrfs]
       heisenberg kernel:  ? btrfs_cleanup_transaction+0x530/0x530 [btrfs]
       heisenberg kernel:  kthread+0x112/0x130
       heisenberg kernel:  ? kthread_bind+0x30/0x30
       heisenberg kernel:  ret_from_fork+0x35/0x40
       heisenberg kernel: ---[ end trace 05de912e30e012d9 ]---
      
      Since fiemap (and btrfs_check_shared()) is a read-only operation, do not do
      a transaction join to avoid the overhead of creating a new transaction (if
      there is currently no running transaction) and introducing a potential
      point of failure when the new transaction gets committed, instead use a
      transaction attach to grab a handle for the currently running transaction
      if any.
      Reported-by: NChristoph Anton Mitterer <calestyo@scientia.net>
      Link: https://lore.kernel.org/linux-btrfs/b2a668d7124f1d3e410367f587926f622b3f03a4.camel@scientia.net/
      Fixes: afce772e ("btrfs: fix check_shared for fiemap ioctl")
      CC: stable@vger.kernel.org # 4.14+
      Reviewed-by: NQu Wenruo <wqu@suse.com>
      Signed-off-by: NFilipe Manana <fdmanana@suse.com>
      Signed-off-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0388d45a
    • F
      Btrfs: send, flush dellaloc in order to avoid data loss · 74ca0a76
      Filipe Manana 提交于
      commit 9f89d5de8631c7930898a601b6612e271aa2261c upstream.
      
      When we set a subvolume to read-only mode we do not flush dellaloc for any
      of its inodes (except if the filesystem is mounted with -o flushoncommit),
      since it does not affect correctness for any subsequent operations - except
      for a future send operation. The send operation will not be able to see the
      delalloc data since the respective file extent items, inode item updates,
      backreferences, etc, have not hit yet the subvolume and extent trees.
      
      Effectively this means data loss, since the send stream will not contain
      any data from existing delalloc. Another problem from this is that if the
      writeback starts and finishes while the send operation is in progress, we
      have the subvolume tree being being modified concurrently which can result
      in send failing unexpectedly with EIO or hitting runtime errors, assertion
      failures or hitting BUG_ONs, etc.
      
      Simple reproducer:
      
        $ mkfs.btrfs -f /dev/sdb
        $ mount /dev/sdb /mnt
      
        $ btrfs subvolume create /mnt/sv
        $ xfs_io -f -c "pwrite -S 0xea 0 108K" /mnt/sv/foo
      
        $ btrfs property set /mnt/sv ro true
        $ btrfs send -f /tmp/send.stream /mnt/sv
      
        $ od -t x1 -A d /mnt/sv/foo
        0000000 ea ea ea ea ea ea ea ea ea ea ea ea ea ea ea ea
        *
        0110592
      
        $ umount /mnt
        $ mkfs.btrfs -f /dev/sdc
        $ mount /dev/sdc /mnt
      
        $ btrfs receive -f /tmp/send.stream /mnt
        $ echo $?
        0
        $ od -t x1 -A d /mnt/sv/foo
        0000000
        # ---> empty file
      
      Since this a problem that affects send only, fix it in send by flushing
      dellaloc for all the roots used by the send operation before send starts
      to process the commit roots.
      
      This is a problem that affects send since it was introduced (commit
      31db9f7c ("Btrfs: introduce BTRFS_IOC_SEND for btrfs send/receive"))
      but backporting it to older kernels has some dependencies:
      
      - For kernels between 3.19 and 4.20, it depends on commit 3cd24c698004d2
        ("btrfs: use tagged writepage to mitigate livelock of snapshot") because
        the function btrfs_start_delalloc_snapshot() does not exist before that
        commit. So one has to either pick that commit or replace the calls to
        btrfs_start_delalloc_snapshot() in this patch with calls to
        btrfs_start_delalloc_inodes().
      
      - For kernels older than 3.19 it also requires commit e5fa8f86
        ("Btrfs: ensure send always works on roots without orphans") because
        it depends on the function ensure_commit_roots_uptodate() which that
        commits introduced.
      
      - No dependencies for 5.0+ kernels.
      
      A test case for fstests follows soon.
      
      CC: stable@vger.kernel.org # 3.19+
      Signed-off-by: NFilipe Manana <fdmanana@suse.com>
      Signed-off-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      74ca0a76
    • N
      btrfs: Honour FITRIM range constraints during free space trim · 8b13bb91
      Nikolay Borisov 提交于
      commit c2d1b3aae33605a61cbab445d8ae1c708ccd2698 upstream.
      
      Up until now trimming the freespace was done irrespective of what the
      arguments of the FITRIM ioctl were. For example fstrim's -o/-l arguments
      will be entirely ignored. Fix it by correctly handling those paramter.
      This requires breaking if the found freespace extent is after the end of
      the passed range as well as completing trim after trimming
      fstrim_range::len bytes.
      
      Fixes: 499f377f ("btrfs: iterate over unused chunk space in FITRIM")
      CC: stable@vger.kernel.org # 4.4+
      Signed-off-by: NNikolay Borisov <nborisov@suse.com>
      Reviewed-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8b13bb91
    • N
      btrfs: Correctly free extent buffer in case btree_read_extent_buffer_pages fails · 87dcf0c6
      Nikolay Borisov 提交于
      commit 537f38f019fa0b762dbb4c0fc95d7fcce9db8e2d upstream.
      
      If a an eb fails to be read for whatever reason - it's corrupted on disk
      and parent transid/key validations fail or IO for eb pages fail then
      this buffer must be removed from the buffer cache. Currently the code
      calls free_extent_buffer if an error occurs. Unfortunately this doesn't
      achieve the desired behavior since btrfs_find_create_tree_block returns
      with eb->refs == 2.
      
      On the other hand free_extent_buffer will only decrement the refs once
      leaving it added to the buffer cache radix tree.  This enables later
      code to look up the buffer from the cache and utilize it potentially
      leading to a crash.
      
      The correct way to free the buffer is call free_extent_buffer_stale.
      This function will correctly call atomic_dec explicitly for the buffer
      and subsequently call release_extent_buffer which will decrement the
      final reference thus correctly remove the invalid buffer from buffer
      cache. This change affects only newly allocated buffers since they have
      eb->refs == 2.
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=202755Reported-by: NJungyeon <jungyeon@gatech.edu>
      CC: stable@vger.kernel.org # 4.4+
      Signed-off-by: NNikolay Borisov <nborisov@suse.com>
      Reviewed-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      87dcf0c6
    • Q
      btrfs: Check the first key and level for cached extent buffer · d8925a1f
      Qu Wenruo 提交于
      commit 448de471cd4cab0cedd15770082567a69a784a11 upstream.
      
      [BUG]
      When reading a file from a fuzzed image, kernel can panic like:
      
        BTRFS warning (device loop0): csum failed root 5 ino 270 off 0 csum 0x98f94189 expected csum 0x00000000 mirror 1
        assertion failed: !memcmp_extent_buffer(b, &disk_key, offsetof(struct btrfs_leaf, items[0].key), sizeof(disk_key)), file: fs/btrfs/ctree.c, line: 2544
        ------------[ cut here ]------------
        kernel BUG at fs/btrfs/ctree.h:3500!
        invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
        RIP: 0010:btrfs_search_slot.cold.24+0x61/0x63 [btrfs]
        Call Trace:
         btrfs_lookup_csum+0x52/0x150 [btrfs]
         __btrfs_lookup_bio_sums+0x209/0x640 [btrfs]
         btrfs_submit_bio_hook+0x103/0x170 [btrfs]
         submit_one_bio+0x59/0x80 [btrfs]
         extent_read_full_page+0x58/0x80 [btrfs]
         generic_file_read_iter+0x2f6/0x9d0
         __vfs_read+0x14d/0x1a0
         vfs_read+0x8d/0x140
         ksys_read+0x52/0xc0
         do_syscall_64+0x60/0x210
         entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      [CAUSE]
      The fuzzed image has a corrupted leaf whose first key doesn't match its
      parent:
      
        checksum tree key (CSUM_TREE ROOT_ITEM 0)
        node 29741056 level 1 items 14 free 107 generation 19 owner CSUM_TREE
        fs uuid 3381d111-94a3-4ac7-8f39-611bbbdab7e6
        chunk uuid 9af1c3c7-2af5-488b-8553-530bd515f14c
        	...
                key (EXTENT_CSUM EXTENT_CSUM 79691776) block 29761536 gen 19
      
        leaf 29761536 items 1 free space 1726 generation 19 owner CSUM_TREE
        leaf 29761536 flags 0x1(WRITTEN) backref revision 1
        fs uuid 3381d111-94a3-4ac7-8f39-611bbbdab7e6
        chunk uuid 9af1c3c7-2af5-488b-8553-530bd515f14c
                item 0 key (EXTENT_CSUM EXTENT_CSUM 8798638964736) itemoff 1751 itemsize 2244
                        range start 8798638964736 end 8798641262592 length 2297856
      
      When reading the above tree block, we have extent_buffer->refs = 2 in
      the context:
      
      - initial one from __alloc_extent_buffer()
        alloc_extent_buffer()
        |- __alloc_extent_buffer()
           |- atomic_set(&eb->refs, 1)
      
      - one being added to fs_info->buffer_radix
        alloc_extent_buffer()
        |- check_buffer_tree_ref()
           |- atomic_inc(&eb->refs)
      
      So if even we call free_extent_buffer() in read_tree_block or other
      similar situation, we only decrease the refs by 1, it doesn't reach 0
      and won't be freed right now.
      
      The staled eb and its corrupted content will still be kept cached.
      
      Furthermore, we have several extra cases where we either don't do first
      key check or the check is not proper for all callers:
      
      - scrub
        We just don't have first key in this context.
      
      - shared tree block
        One tree block can be shared by several snapshot/subvolume trees.
        In that case, the first key check for one subvolume doesn't apply to
        another.
      
      So for the above reasons, a corrupted extent buffer can sneak into the
      buffer cache.
      
      [FIX]
      Call verify_level_key in read_block_for_search to do another
      verification. For that purpose the function is exported.
      
      Due to above reasons, although we can free corrupted extent buffer from
      cache, we still need the check in read_block_for_search(), for scrub and
      shared tree blocks.
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=202755
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=202757
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=202759
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=202761
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=202767
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=202769Reported-by: NYoon Jungyeon <jungyeon@gatech.edu>
      CC: stable@vger.kernel.org # 4.19+
      Signed-off-by: NQu Wenruo <wqu@suse.com>
      Reviewed-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d8925a1f
    • D
      ext4: fix ext4_show_options for file systems w/o journal · 45123ae5
      Debabrata Banerjee 提交于
      commit 50b29d8f033a7c88c5bc011abc2068b1691ab755 upstream.
      
      Instead of removing EXT4_MOUNT_JOURNAL_CHECKSUM from s_def_mount_opt as
      I assume was intended, all other options were blown away leading to
      _ext4_show_options() output being incorrect.
      
      Fixes: 1e381f60 ("ext4: do not allow journal_opts for fs w/o journal")
      Signed-off-by: NDebabrata Banerjee <dbanerje@akamai.com>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Reviewed-by: NJan Kara <jack@suse.cz>
      Cc: stable@kernel.org
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      45123ae5
    • K
      ext4: actually request zeroing of inode table after grow · f7952475
      Kirill Tkhai 提交于
      commit 310a997fd74de778b9a4848a64be9cda9f18764a upstream.
      
      It is never possible, that number of block groups decreases,
      since only online grow is supported.
      
      But after a growing occured, we have to zero inode tables
      for just created new block groups.
      
      Fixes: 19c5246d ("ext4: add new online resize interface")
      Signed-off-by: NKirill Tkhai <ktkhai@virtuozzo.com>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Reviewed-by: NJan Kara <jack@suse.cz>
      Cc: stable@kernel.org
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f7952475
    • B
      ext4: fix use-after-free race with debug_want_extra_isize · 2a18c9c7
      Barret Rhoden 提交于
      commit 7bc04c5c2cc467c5b40f2b03ba08da174a0d5fa7 upstream.
      
      When remounting with debug_want_extra_isize, we were not performing the
      same checks that we do during a normal mount.  That allowed us to set a
      value for s_want_extra_isize that reached outside the s_inode_size.
      
      Fixes: e2b911c5 ("ext4: clean up feature test macros with predicate functions")
      Reported-by: syzbot+f584efa0ac7213c226b7@syzkaller.appspotmail.com
      Reviewed-by: NJan Kara <jack@suse.cz>
      Signed-off-by: NBarret Rhoden <brho@google.com>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Cc: stable@vger.kernel.org
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2a18c9c7
    • P
      ext4: avoid drop reference to iloc.bh twice · b12a8d80
      Pan Bian 提交于
      commit 8c380ab4b7b59c0c602743810be1b712514eaebc upstream.
      
      The reference to iloc.bh has been dropped in ext4_mark_iloc_dirty.
      However, the reference is dropped again if error occurs during
      ext4_handle_dirty_metadata, which may result in use-after-free bugs.
      
      Fixes: fb265c9cb49e("ext4: add ext4_sb_bread() to disambiguate ENOMEM cases")
      Signed-off-by: NPan Bian <bianpan2016@163.com>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Reviewed-by: NJan Kara <jack@suse.cz>
      Cc: stable@kernel.org
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b12a8d80
    • T
      ext4: ignore e_value_offs for xattrs with value-in-ea-inode · f0f805f8
      Theodore Ts'o 提交于
      commit e5d01196c0428a206f307e9ee5f6842964098ff0 upstream.
      
      In other places in fs/ext4/xattr.c, if e_value_inum is non-zero, the
      code ignores the value in e_value_offs.  The e_value_offs *should* be
      zero, but we shouldn't depend upon it, since it might not be true in a
      corrupted/fuzzed file system.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=202897
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=202877Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Cc: stable@kernel.org
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f0f805f8
    • J
      ext4: make sanity check in mballoc more strict · 71478ef6
      Jan Kara 提交于
      commit 31562b954b60f02acb91b7349dc6432d3f8c3c5f upstream.
      
      The sanity check in mb_find_extent() only checked that returned extent
      does not extend past blocksize * 8, however it should not extend past
      EXT4_CLUSTERS_PER_GROUP(sb). This can happen when clusters_per_group <
      blocksize * 8 and the tail of the bitmap is not properly filled by 1s
      which happened e.g. when ancient kernels have grown the filesystem.
      Signed-off-by: NJan Kara <jack@suse.cz>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Cc: stable@kernel.org
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      71478ef6
    • J
      jbd2: check superblock mapped prior to committing · 001fe0da
      Jiufei Xue 提交于
      commit 742b06b5628f2cd23cb51a034cb54dc33c6162c5 upstream.
      
      We hit a BUG at fs/buffer.c:3057 if we detached the nbd device
      before unmounting ext4 filesystem.
      
      The typical chain of events leading to the BUG:
      jbd2_write_superblock
        submit_bh
          submit_bh_wbc
            BUG_ON(!buffer_mapped(bh));
      
      The block device is removed and all the pages are invalidated. JBD2
      was trying to write journal superblock to the block device which is
      no longer present.
      
      Fix this by checking the journal superblock's buffer head prior to
      submitting.
      Reported-by: NEric Ren <renzhen@linux.alibaba.com>
      Signed-off-by: NJiufei Xue <jiufei.xue@linux.alibaba.com>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Reviewed-by: NJan Kara <jack@suse.cz>
      Cc: stable@kernel.org
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      001fe0da
    • S
      tty/vt: fix write/write race in ioctl(KDSKBSENT) handler · 0fd2df64
      Sergei Trofimovich 提交于
      commit 46ca3f735f345c9d87383dd3a09fa5d43870770e upstream.
      
      The bug manifests as an attempt to access deallocated memory:
      
          BUG: unable to handle kernel paging request at ffff9c8735448000
          #PF error: [PROT] [WRITE]
          PGD 288a05067 P4D 288a05067 PUD 288a07067 PMD 7f60c2063 PTE 80000007f5448161
          Oops: 0003 [#1] PREEMPT SMP
          CPU: 6 PID: 388 Comm: loadkeys Tainted: G         C        5.0.0-rc6-00153-g5ded5871030e #91
          Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./H77M-D3H, BIOS F12 11/14/2013
          RIP: 0010:__memmove+0x81/0x1a0
          Code: 4c 89 4f 10 4c 89 47 18 48 8d 7f 20 73 d4 48 83 c2 20 e9 a2 00 00 00 66 90 48 89 d1 4c 8b 5c 16 f8 4c 8d 54 17 f8 48 c1 e9 03 <f3> 48 a5 4d 89 1a e9 0c 01 00 00 0f 1f 40 00 48 89 d1 4c 8b 1e 49
          RSP: 0018:ffffa1b9002d7d08 EFLAGS: 00010203
          RAX: ffff9c873541af43 RBX: ffff9c873541af43 RCX: 00000c6f105cd6bf
          RDX: 0000637882e986b6 RSI: ffff9c8735447ffb RDI: ffff9c8735447ffb
          RBP: ffff9c8739cd3800 R08: ffff9c873b802f00 R09: 00000000fffff73b
          R10: ffffffffb82b35f1 R11: 00505b1b004d5b1b R12: 0000000000000000
          R13: ffff9c873541af3d R14: 000000000000000b R15: 000000000000000c
          FS:  00007f450c390580(0000) GS:ffff9c873f180000(0000) knlGS:0000000000000000
          CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
          CR2: ffff9c8735448000 CR3: 00000007e213c002 CR4: 00000000000606e0
          Call Trace:
           vt_do_kdgkb_ioctl+0x34d/0x440
           vt_ioctl+0xba3/0x1190
           ? __bpf_prog_run32+0x39/0x60
           ? mem_cgroup_commit_charge+0x7b/0x4e0
           tty_ioctl+0x23f/0x920
           ? preempt_count_sub+0x98/0xe0
           ? __seccomp_filter+0x67/0x600
           do_vfs_ioctl+0xa2/0x6a0
           ? syscall_trace_enter+0x192/0x2d0
           ksys_ioctl+0x3a/0x70
           __x64_sys_ioctl+0x16/0x20
           do_syscall_64+0x54/0xe0
           entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      The bug manifests on systemd systems with multiple vtcon devices:
        # cat /sys/devices/virtual/vtconsole/vtcon0/name
        (S) dummy device
        # cat /sys/devices/virtual/vtconsole/vtcon1/name
        (M) frame buffer device
      
      There systemd runs 'loadkeys' tool in tapallel for each vtcon
      instance. This causes two parallel ioctl(KDSKBSENT) calls to
      race into adding the same entry into 'func_table' array at:
      
          drivers/tty/vt/keyboard.c:vt_do_kdgkb_ioctl()
      
      The function has no locking around writes to 'func_table'.
      
      The simplest reproducer is to have initrams with the following
      init on a 8-CPU machine x86_64:
      
          #!/bin/sh
      
          loadkeys -q windowkeys ru4 &
          loadkeys -q windowkeys ru4 &
          loadkeys -q windowkeys ru4 &
          loadkeys -q windowkeys ru4 &
      
          loadkeys -q windowkeys ru4 &
          loadkeys -q windowkeys ru4 &
          loadkeys -q windowkeys ru4 &
          loadkeys -q windowkeys ru4 &
          wait
      
      The change adds lock on write path only. Reads are still racy.
      
      CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      CC: Jiri Slaby <jslaby@suse.com>
      Link: https://lkml.org/lkml/2019/2/17/256Signed-off-by: NSergei Trofimovich <slyfox@gentoo.org>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0fd2df64
    • Y
      tty: vt.c: Fix TIOCL_BLANKSCREEN console blanking if blankinterval == 0 · d90824ec
      Yifeng Li 提交于
      commit 75ddbc1fb11efac87b611d48e9802f6fe2bb2163 upstream.
      
      Previously, in the userspace, it was possible to use the "setterm" command
      from util-linux to blank the VT console by default, using the following
      command.
      
      According to the man page,
      
      > The force option keeps the screen blank even if a key is pressed.
      
      It was implemented by calling TIOCL_BLANKSCREEN.
      
      	case BLANKSCREEN:
      		ioctlarg = TIOCL_BLANKSCREEN;
      		if (ioctl(STDIN_FILENO, TIOCLINUX, &ioctlarg))
      			warn(_("cannot force blank"));
      		break;
      
      However, after Linux 4.12, this command ceased to work anymore, which is
      unexpected. By inspecting the kernel source, it shows that the issue was
      triggered by the side-effect from commit a4199f5e ("tty: Disable
      default console blanking interval").
      
      The console blanking is implemented by function do_blank_screen() in vt.c:
      "blank_state" will be initialized to "blank_normal_wait" in con_init() if
      AND ONLY IF ("blankinterval" > 0). If "blankinterval" is 0, "blank_state"
      will be "blank_off" (== 0), and a call to do_blank_screen() will always
      abort, even if a forced blanking is required from the user by calling
      TIOCL_BLANKSCREEN, the console won't be blanked.
      
      This behavior is unexpected from a user's point-of-view, since it's not
      mentioned in any documentation. The setterm man page suggests it will
      always work, and the kernel comments in uapi/linux/tiocl.h says
      
      > /* keep screen blank even if a key is pressed */
      > #define TIOCL_BLANKSCREEN 14
      
      To fix it, we simply remove the "blank_state != blank_off" check, as
      pointed out by Nicolas Pitre, this check doesn't logically make sense
      and it's safe to remove.
      Suggested-by: NNicolas Pitre <nicolas.pitre@linaro.org>
      Fixes: a4199f5e ("tty: Disable default console blanking interval")
      Signed-off-by: NYifeng Li <tomli@tomli.me>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d90824ec