未验证 提交 5a5e1a24 编写于 作者: O openeuler-ci-bot 提交者: Gitee

!347 Backport CVEs and fs bugfixes

Merge Pull Request from: @zhangjialin11 
 
Pull new CVEs:
CVE-2022-4662
CVE-2022-47946

fs bugfixes from Long Li and Baokun Li:
xfs: fix use-after-free in xattr node block inactivation
ext4: fix bad checksum after online resize
 
 
Link:https://gitee.com/openeuler/kernel/pulls/347 
Reviewed-by: Zheng Zengkai <zhengzengkai@huawei.com> 
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com> 
......@@ -5967,6 +5967,11 @@ static int usb_reset_and_verify_device(struct usb_device *udev)
* the reset is over (using their post_reset method).
*
* Return: The same as for usb_reset_and_verify_device().
* However, if a reset is already in progress (for instance, if a
* driver doesn't have pre_reset() or post_reset() callbacks, and while
* being unbound or re-bound during the ongoing reset its disconnect()
* or probe() routine tries to perform a second, nested reset), the
* routine returns -EINPROGRESS.
*
* Note:
* The caller must own the device lock. For example, it's safe to use
......@@ -6000,6 +6005,10 @@ int usb_reset_device(struct usb_device *udev)
return -EISDIR;
}
if (udev->reset_in_progress)
return -EINPROGRESS;
udev->reset_in_progress = 1;
port_dev = hub->ports[udev->portnum - 1];
/*
......@@ -6064,6 +6073,7 @@ int usb_reset_device(struct usb_device *udev)
usb_autosuspend_device(udev);
memalloc_noio_restore(noio_flag);
udev->reset_in_progress = 0;
return ret;
}
EXPORT_SYMBOL_GPL(usb_reset_device);
......
......@@ -1440,8 +1440,6 @@ static void ext4_update_super(struct super_block *sb,
* active. */
ext4_r_blocks_count_set(es, ext4_r_blocks_count(es) +
reserved_blocks);
ext4_superblock_csum_set(sb);
unlock_buffer(sbi->s_sbh);
/* Update the free space counts */
percpu_counter_add(&sbi->s_freeclusters_counter,
......@@ -1469,6 +1467,8 @@ static void ext4_update_super(struct super_block *sb,
ext4_calculate_overhead(sb);
es->s_overhead_clusters = cpu_to_le32(sbi->s_overhead);
ext4_superblock_csum_set(sb);
unlock_buffer(sbi->s_sbh);
if (test_opt(sb, DEBUG))
printk(KERN_DEBUG "EXT4-fs: added group %u:"
"%llu blocks(%llu free %llu reserved)\n", flex_gd->count,
......
......@@ -9076,7 +9076,7 @@ static int io_sqpoll_wait_sq(struct io_ring_ctx *ctx)
if (unlikely(ctx->sqo_dead)) {
ret = -EOWNERDEAD;
goto out;
break;
}
if (!io_sqring_full(ctx))
......@@ -9086,7 +9086,6 @@ static int io_sqpoll_wait_sq(struct io_ring_ctx *ctx)
} while (!signal_pending(current));
finish_wait(&ctx->sqo_sq_wait, &wait);
out:
return ret;
}
......
......@@ -158,6 +158,7 @@ xfs_attr3_node_inactive(
}
child_fsb = be32_to_cpu(ichdr.btree[0].before);
xfs_trans_brelse(*trans, bp); /* no locks for later trans */
bp = NULL;
/*
* If this is the node level just above the leaves, simply loop
......@@ -211,12 +212,8 @@ xfs_attr3_node_inactive(
&child_bp);
if (error)
return error;
error = bp->b_error;
if (error) {
xfs_trans_brelse(*trans, child_bp);
return error;
}
xfs_trans_binval(*trans, child_bp);
child_bp = NULL;
/*
* If we're not done, re-read the parent to get the next
......@@ -233,6 +230,7 @@ xfs_attr3_node_inactive(
bp->b_addr);
child_fsb = be32_to_cpu(phdr.btree[i + 1].before);
xfs_trans_brelse(*trans, bp);
bp = NULL;
}
/*
* Atomically commit the whole invalidate stuff.
......
......@@ -580,6 +580,7 @@ struct usb3_lpm_parameters {
* @devaddr: device address, XHCI: assigned by HW, others: same as devnum
* @can_submit: URBs may be submitted
* @persist_enabled: USB_PERSIST enabled for this device
* @reset_in_progress: the device is being reset
* @have_langid: whether string_langid is valid
* @authorized: policy has said we can use it;
* (user space) policy determines if we authorize this device to be
......@@ -665,6 +666,7 @@ struct usb_device {
unsigned can_submit:1;
unsigned persist_enabled:1;
unsigned reset_in_progress:1;
unsigned have_langid:1;
unsigned authorized:1;
unsigned authenticated:1;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册