- 14 3月, 2022 40 次提交
-
-
由 Max Kellermann 提交于
mainline inclusion from mainline-v5.17-rc6 commit 9d2231c5 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4X1GI?from=project-issue CVE: NA -------------------------------- The functions copy_page_to_iter_pipe() and push_pipe() can both allocate a new pipe_buffer, but the "flags" member initializer is missing. Fixes: 241699cd ("new iov_iter flavour: pipe-backed") To: Alexander Viro <viro@zeniv.linux.org.uk> To: linux-fsdevel@vger.kernel.org To: linux-kernel@vger.kernel.org Cc: stable@vger.kernel.org Signed-off-by: NMax Kellermann <max.kellermann@ionos.com> Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk> Signed-off-by: NZhihao Cheng <chengzhihao1@huawei.com> Reviewed-by: NZhang Yi <yi.zhang@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Ma Wupeng 提交于
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4SK3S CVE: NA ------------------------------------------ With this patch, reliable memory counter will be updated when NR_SHMEM is updated. Pervious shmem reliable memory counter is not accurate if swap is enabled. NR_SHMEM update in memcg secenario is ignored because this has nothing to do with the global counter. If shmem pages is migrated or collapsed from one region to another region, reliable memory counter need to be updated because these pages's reliable status may not be the same. Signed-off-by: NMa Wupeng <mawupeng1@huawei.com> Reviewed-by: NKefeng Wang <wangkefeng.wang@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Ma Wupeng 提交于
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4SK3S CVE: NA -------------------------------- The mapping between zoneref and zone will be updated if __GFP_THISNODE is defined and memory reliable fallback is enabled. This will put ZONE_MOVABLE in a wrong zonerefs slot and lead to the origin zone unselectable. With this patch, high_zoneidx is updated via gfp_zone() which ___GFP_RELIABILITY is removed from the origin gfp_mask. Perferred zoneref is recalculated after. Fixes: 3023a4b3 ("mm: Introduce fallback mechanism for memory reliable") Signed-off-by: NMa Wupeng <mawupeng1@huawei.com> Reviewed-by: NKefeng Wang <wangkefeng.wang@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Ma Wupeng 提交于
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4SK3S CVE: NA -------------------------------- Kdump only have limited memory and will lead to bugly memory reliable features if memory reliable if enabled. So disable memory reliable if kdump is in progress. Signed-off-by: NMa Wupeng <mawupeng1@huawei.com> Reviewed-by: NKefeng Wang <wangkefeng.wang@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Yu Liao 提交于
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I4XB9H CVE: NA -------------------------------- CONFIG_CLEAR_FREELIST_PAGE specifies the default value for clear freelist. Add a kernel parameter to make it possible to override the default. Keep clear_freelist disabled unless "clear_freelist" is explicitly specified. Signed-off-by: NYu Liao <liaoyu15@huawei.com> Reviewed-by: NKefeng Wang <wangkefeng.wang@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Chen Wandun 提交于
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4SK3S CVE: NA ---------------------------------------------- It is inaccurate when accumulate percpu variable without lock, it will result in pagecache_reliable_pages to be negative in sometime, and will prevent pagecache using reliable memory. For more accurate statistic, replace percpu variable by percpu_counter. The additional percpu_counter will be access in alloc_pages, the init of these two percpu_conter is too late in late_initcall, allocations that use alloc_pages should have to check if the two counter has been inited, that will introduce latency, in order to sovle this, init the two percpu_counter in advance. Signed-off-by: NChen Wandun <chenwandun@huawei.com> Reviewed-by: NKefeng Wang <wangkefeng.wang@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Jordy Zomer 提交于
mainline inclusion from mainline-v5.17-rc1 commit 4fbcc1a4 category: bugfix bugzilla: 186393 CVE: CVE-2022-26490 ------------------------------------------------- It appears that there are some buffer overflows in EVT_TRANSACTION. This happens because the length parameters that are passed to memcpy come directly from skb->data and are not guarded in any way. Signed-off-by: NJordy Zomer <jordy@pwning.systems> Reviewed-by: NKrzysztof Kozlowski <krzysztof.kozlowski@canonical.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net> Signed-off-by: NHuang Guobin <huangguobin4@huawei.com> Reviewed-by: NWei Yongjun <weiyongjun1@huawei.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Jan Kara 提交于
stable inclusion from linux-4.19.227 commit 6717900f775a6129a7b4d03ba4922218d8bf1caa -------------------------------- commit 68514dac upstream. A task can end up indefinitely sleeping in do_select() -> poll_schedule_timeout() when the following race happens: TASK1 (thread1) TASK2 TASK1 (thread2) do_select() setup poll_wqueues table with 'fd' write data to 'fd' pollwake() table->triggered = 1 closes 'fd' thread1 is waiting for poll_schedule_timeout() - sees table->triggered table->triggered = 0 return -EINTR loop back in do_select() But at this point when TASK1 loops back, the fdget() in the setup of poll_wqueues fails. So now so we never find 'fd' is ready for reading and sleep in poll_schedule_timeout() indefinitely. Treat an fd that got closed as a fd on which some event happened. This makes sure cannot block indefinitely in do_select(). Another option would be to return -EBADF in this case but that has a potential of subtly breaking applications that excercise this behavior and it happens to work for them. So returning fd as active seems like a safer choice. Suggested-by: NLinus Torvalds <torvalds@linux-foundation.org> CC: stable@vger.kernel.org Signed-off-by: NJan Kara <jack@suse.cz> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Doyle, Patrick 提交于
stable inclusion from linux-4.19.226 commit 1550a97e4a5d8bf29071bd6c17355ca173e90f73 -------------------------------- commit fd0d8d85 upstream. In the unlikely event that both blocks 10 and 11 are marked as bad (on a 32 bit machine), then the process of marking block 10 as bad stomps on cached entry for block 11. There are (of course) other examples. Signed-off-by: NPatrick Doyle <pdoyle@irobot.com> Reviewed-by: NRichard Weinberger <richard@nod.at> Signed-off-by: NYoshio Furuyama <ytc-mb-yfuruyama7@kioxia.com> [<miquel.raynal@bootlin.com>: Fixed the title] Signed-off-by: NMiquel Raynal <miquel.raynal@bootlin.com> Cc: Frieder Schrempf <frieder.schrempf@kontron.de> Link: https://lore.kernel.org/linux-mtd/774a92693f311e7de01e5935e720a179fb1b2468.1616635406.git.ytc-mb-yfuruyama7@kioxia.comSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Eric Dumazet 提交于
stable inclusion from linux-4.19.226 commit 4048cedfd16a995b2ef4294b9539da17e2fea750 -------------------------------- commit 2836615a upstream. When under stress, cleanup_net() can have to dismantle netns in big numbers. ops_exit_list() currently calls many helpers [1] that have no schedule point, and we can end up with soft lockups, particularly on hosts with many cpus. Even for moderate amount of netns processed by cleanup_net() this patch avoids latency spikes. [1] Some of these helpers like fib_sync_up() and fib_sync_down_dev() are very slow because net/ipv4/fib_semantics.c uses host-wide hash tables, and ifindex is used as the only input of two hash functions. ifindexes tend to be the same for all netns (lo.ifindex==1 per instance) This will be fixed in a separate patch. Fixes: 72ad937a ("net: Add support for batching network namespace cleanups") Signed-off-by: NEric Dumazet <edumazet@google.com> Cc: Eric W. Biederman <ebiederm@xmission.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Eric Dumazet 提交于
stable inclusion from linux-4.19.226 commit cf3c4b5912cb208194507a21f6209e8ae4e6c260 -------------------------------- commit 9d6d7f1c upstream. wait_for_unix_gc() reads unix_tot_inflight & gc_in_progress without synchronization. Adds READ_ONCE()/WRITE_ONCE() and their associated comments to better document the intent. BUG: KCSAN: data-race in unix_inflight / wait_for_unix_gc write to 0xffffffff86e2b7c0 of 4 bytes by task 9380 on cpu 0: unix_inflight+0x1e8/0x260 net/unix/scm.c:63 unix_attach_fds+0x10c/0x1e0 net/unix/scm.c:121 unix_scm_to_skb net/unix/af_unix.c:1674 [inline] unix_dgram_sendmsg+0x679/0x16b0 net/unix/af_unix.c:1817 unix_seqpacket_sendmsg+0xcc/0x110 net/unix/af_unix.c:2258 sock_sendmsg_nosec net/socket.c:704 [inline] sock_sendmsg net/socket.c:724 [inline] ____sys_sendmsg+0x39a/0x510 net/socket.c:2409 ___sys_sendmsg net/socket.c:2463 [inline] __sys_sendmmsg+0x267/0x4c0 net/socket.c:2549 __do_sys_sendmmsg net/socket.c:2578 [inline] __se_sys_sendmmsg net/socket.c:2575 [inline] __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2575 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae read to 0xffffffff86e2b7c0 of 4 bytes by task 9375 on cpu 1: wait_for_unix_gc+0x24/0x160 net/unix/garbage.c:196 unix_dgram_sendmsg+0x8e/0x16b0 net/unix/af_unix.c:1772 unix_seqpacket_sendmsg+0xcc/0x110 net/unix/af_unix.c:2258 sock_sendmsg_nosec net/socket.c:704 [inline] sock_sendmsg net/socket.c:724 [inline] ____sys_sendmsg+0x39a/0x510 net/socket.c:2409 ___sys_sendmsg net/socket.c:2463 [inline] __sys_sendmmsg+0x267/0x4c0 net/socket.c:2549 __do_sys_sendmmsg net/socket.c:2578 [inline] __se_sys_sendmmsg net/socket.c:2575 [inline] __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2575 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae value changed: 0x00000002 -> 0x00000004 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 9375 Comm: syz-executor.1 Not tainted 5.16.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Fixes: 9915672d ("af_unix: limit unix_tot_inflight") Signed-off-by: NEric Dumazet <edumazet@google.com> Reported-by: Nsyzbot <syzkaller@googlegroups.com> Link: https://lore.kernel.org/r/20220114164328.2038499-1-eric.dumazet@gmail.comSigned-off-by: NJakub Kicinski <kuba@kernel.org> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Marek Vasut 提交于
stable inclusion from linux-4.19.226 commit e670c4b7c1ca134463211b27af69695a3adcb846 -------------------------------- commit 29009604 upstream. The include/linux/crypto.h struct crypto_alg field cra_driver_name description states "Unique name of the transformation provider. " ... " this contains the name of the chip or provider and the name of the transformation algorithm." In case of the stm32-crc driver, field cra_driver_name is identical for all registered transformation providers and set to the name of the driver itself, which is incorrect. This patch fixes it by assigning a unique cra_driver_name to each registered transformation provider. The kernel crash is triggered when the driver calls crypto_register_shashes() which calls crypto_register_shash(), which calls crypto_register_alg(), which calls __crypto_register_alg(), which returns -EEXIST, which is propagated back through this call chain. Upon -EEXIST from crypto_register_shash(), the crypto_register_shashes() starts unregistering the providers back, and calls crypto_unregister_shash(), which calls crypto_unregister_alg(), and this is where the BUG() triggers due to incorrect cra_refcnt. Fixes: b51dbe90 ("crypto: stm32 - Support for STM32 CRC32 crypto module") Signed-off-by: NMarek Vasut <marex@denx.de> Cc: <stable@vger.kernel.org> # 4.12+ Cc: Alexandre Torgue <alexandre.torgue@foss.st.com> Cc: Fabien Dessenne <fabien.dessenne@st.com> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Lionel Debieve <lionel.debieve@st.com> Cc: Nicolas Toromanoff <nicolas.toromanoff@st.com> Cc: linux-arm-kernel@lists.infradead.org Cc: linux-stm32@st-md-mailman.stormreply.com To: linux-crypto@vger.kernel.org Acked-by: NNicolas Toromanoff <nicolas.toromanoff@foss.st.com> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Theodore Ts'o 提交于
stable inclusion from linux-4.19.226 commit 33446496d21753b5ceb55be4d6e593b487a61239 -------------------------------- commit 6eeaf88f upstream. We probably want to remove the indirect block to extents migration feature after a deprecation window, but until then, let's fix a potential data loss problem caused by the fact that we put the tmp_inode on the orphan list. In the unlikely case where we crash and do a journal recovery, the data blocks belonging to the inode being migrated are also represented in the tmp_inode on the orphan list --- and so its data blocks will get marked unallocated, and available for reuse. Instead, stop putting the tmp_inode on the oprhan list. So in the case where we crash while migrating the inode, we'll leak an inode, which is not a disaster. It will be easily fixed the next time we run fsck, and it's better than potentially having blocks getting claimed by two different files, and losing data as a result. Signed-off-by: NTheodore Ts'o <tytso@mit.edu> Reviewed-by: NLukas Czerner <lczerner@redhat.com> Cc: stable@kernel.org Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Luís Henriques 提交于
stable inclusion from linux-4.19.226 commit 9103cafdc4531285b6ededd0a3437effd71ff255 -------------------------------- commit e81c9302 upstream. When migrating to extents, the temporary inode will have it's own checksum seed. This means that, when swapping the inodes data, the inode checksums will be incorrect. This can be fixed by recalculating the extents checksums again. Or simply by copying the seed into the temporary inode. Link: https://bugzilla.kernel.org/show_bug.cgi?id=213357Reported-by: NJeroen van Wolffelaar <jeroen@wolffelaar.nl> Signed-off-by: NLuís Henriques <lhenriques@suse.de> Link: https://lore.kernel.org/r/20211214175058.19511-1-lhenriques@suse.deSigned-off-by: NTheodore Ts'o <tytso@mit.edu> Cc: stable@kernel.org Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Jan Kara 提交于
stable inclusion from linux-4.19.226 commit 841bba6544e10cab41535b76bbdd37555a6ab9df -------------------------------- commit 15fc69bb upstream. When we hit an error when enabling quotas and setting inode flags, we do not properly shutdown quota subsystem despite returning error from Q_QUOTAON quotactl. This can lead to some odd situations like kernel using quota file while it is still writeable for userspace. Make sure we properly cleanup the quota subsystem in case of error. Signed-off-by: NJan Kara <jack@suse.cz> Cc: stable@kernel.org Link: https://lore.kernel.org/r/20211007155336.12493-2-jack@suse.czSigned-off-by: NTheodore Ts'o <tytso@mit.edu> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Jan Kara 提交于
stable inclusion from linux-4.19.226 commit ef41f72716c469a670b9d556b65e5ed83a3a5fd7 -------------------------------- commit 4013d47a upstream. When we succeed in enabling some quota type but fail to enable another one with quota feature, we correctly disable all enabled quota types. However we forget to reset i_data_sem lockdep class. When the inode gets freed and reused, it will inherit this lockdep class (i_data_sem is initialized only when a slab is created) and thus eventually lockdep barfs about possible deadlocks. Reported-and-tested-by: syzbot+3b6f9218b1301ddda3e2@syzkaller.appspotmail.com Signed-off-by: NJan Kara <jack@suse.cz> Cc: stable@kernel.org Link: https://lore.kernel.org/r/20211007155336.12493-3-jack@suse.czSigned-off-by: NTheodore Ts'o <tytso@mit.edu> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Andrey Ryabinin 提交于
stable inclusion from linux-4.19.226 commit 952514c8565cf72a966993b473fae1708c3684f3 -------------------------------- commit 9731698e upstream. cpuacct.stat in no-root cgroups shows user time without guest time included int it. This doesn't match with user time shown in root cpuacct.stat and /proc/<pid>/stat. This also affects cgroup2's cpu.stat in the same way. Make account_guest_time() to add user time to cgroup's cpustat to fix this. Fixes: ef12fefa ("cpuacct: add per-cgroup utime/stime statistics") Signed-off-by: NAndrey Ryabinin <arbn@yandex-team.com> Signed-off-by: NPeter Zijlstra (Intel) <peterz@infradead.org> Reviewed-by: NDaniel Jordan <daniel.m.jordan@oracle.com> Acked-by: NTejun Heo <tj@kernel.org> Cc: <stable@vger.kernel.org> Link: https://lore.kernel.org/r/20211115164607.23784-1-arbn@yandex-team.comSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Lukas Wunner 提交于
stable inclusion from linux-4.19.226 commit 510aa43c9928ca38f1210b6c255373727d7ea312 -------------------------------- commit d3b3404d upstream. Commit a6845e1e ("serial: core: Consider rs485 settings to drive RTS") sought to deassert RTS when opening an rs485-enabled uart port. That way, the transceiver does not occupy the bus until it transmits data. Unfortunately, the commit mixed up the logic and *asserted* RTS instead of *deasserting* it: The commit amended uart_port_dtr_rts(), which raises DTR and RTS when opening an rs232 port. "Raising" actually means lowering the signal that's coming out of the uart, because an rs232 transceiver not only changes a signal's voltage level, it also *inverts* the signal. See the simplified schematic in the MAX232 datasheet for an example: https://www.ti.com/lit/ds/symlink/max232.pdf So, to raise RTS on an rs232 port, TIOCM_RTS is *set* in port->mctrl and that results in the signal being driven low. In contrast to rs232, the signal level for rs485 Transmit Enable is the identity, not the inversion: If the transceiver expects a "high" RTS signal for Transmit Enable, the signal coming out of the uart must also be high, so TIOCM_RTS must be *cleared* in port->mctrl. The commit did the exact opposite, but it's easy to see why given the confusing semantics of rs232 and rs485. Fix it. Fixes: a6845e1e ("serial: core: Consider rs485 settings to drive RTS") Cc: stable@vger.kernel.org # v4.14+ Cc: Rafael Gago Castano <rgc@hms.se> Cc: Jan Kiszka <jan.kiszka@siemens.com> Cc: Su Bao Cheng <baocheng.su@siemens.com> Signed-off-by: NLukas Wunner <lukas@wunner.de> Link: https://lore.kernel.org/r/9395767847833f2f3193c49cde38501eeb3b5669.1639821059.git.lukas@wunner.deSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Christoph Hellwig 提交于
stable inclusion from linux-4.19.226 commit b24ef0a4974a95c9ee1aade3f39b90fc30ac552d -------------------------------- [ Upstream commit d94d9496 ] The allocated buffers are used as a command payload, for which the block layer and/or DMA API do the proper bounce buffering if needed. Link: https://lore.kernel.org/r/20211222090842.920724-1-hch@lst.deReported-by: NBaoquan He <bhe@redhat.com> Reviewed-by: NBaoquan He <bhe@redhat.com> Signed-off-by: NChristoph Hellwig <hch@lst.de> Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Joe Thornber 提交于
stable inclusion from linux-4.19.226 commit 7d585b602a5c054e810b8f47183069872ac2fdf6 -------------------------------- [ Upstream commit cba23ac1 ] Corrupted metadata could warrant returning error from sm_ll_lookup_bitmap(). Signed-off-by: NJoe Thornber <ejt@redhat.com> Signed-off-by: NMike Snitzer <snitzer@redhat.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Joe Thornber 提交于
stable inclusion from linux-4.19.226 commit 716e490c87e4421d5908f7818fc6b61536a17744 -------------------------------- [ Upstream commit 85bca3c0 ] Corrupt metadata could trigger an out of bounds write. Signed-off-by: NJoe Thornber <ejt@redhat.com> Signed-off-by: NMike Snitzer <snitzer@redhat.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Rafael J. Wysocki 提交于
stable inclusion from linux-4.19.226 commit addda1b65b5dfbbdff0f1e100aed0a72b8af5bb8 -------------------------------- [ Upstream commit 24ea5f90 ] ACPICA commit d984f12041392fa4156b52e2f7e5c5e7bc38ad9e If Operand[0] is a reference of the ACPI_REFCLASS_REFOF class, acpi_ex_opcode_1A_0T_1R () calls acpi_ns_get_attached_object () to obtain return_desc which may require additional resolution with the help of acpi_ex_read_data_from_field (). If the latter fails, the reference counter of the original return_desc is decremented which is incorrect, because acpi_ns_get_attached_object () does not increment the reference counter of the object returned by it. This issue may lead to premature deletion of the attached object while it is still attached and a use-after-free and crash in the host OS. For example, this may happen when on evaluation of ref_of() a local region field where there is no registered handler for the given Operation Region. Fix it by making acpi_ex_opcode_1A_0T_1R () return Status right away after a acpi_ex_read_data_from_field () failure. Link: https://github.com/acpica/acpica/commit/d984f120 Link: https://github.com/acpica/acpica/pull/685Reported-by: NLenny Szubowicz <lszubowi@redhat.com> Signed-off-by: NRafael J. Wysocki <rafael.j.wysocki@intel.com> Signed-off-by: NBob Moore <robert.moore@intel.com> Signed-off-by: NRafael J. Wysocki <rafael.j.wysocki@intel.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Rafael J. Wysocki 提交于
stable inclusion from linux-4.19.226 commit e198165efa9032550f05441c78adee56e16850b4 -------------------------------- [ Upstream commit 1cdfe9e3 ] ACPICA commit c11af67d8f7e3d381068ce7771322f2b5324d687 If original_count is 0 in acpi_ut_update_ref_count (), acpi_ut_delete_internal_obj () is invoked for the target object, which is incorrect, because that object has been deleted once already and the memory allocated to store it may have been reclaimed and allocated for a different purpose by the host OS. Moreover, a confusing debug message following the "Reference Count is already zero, cannot decrement" warning is printed in that case. To fix this issue, make acpi_ut_update_ref_count () return after finding that original_count is 0 and printing the above warning. Link: https://github.com/acpica/acpica/commit/c11af67d Link: https://github.com/acpica/acpica/pull/652Reported-by: NMark Asselstine <mark.asselstine@windriver.com> Signed-off-by: NRafael J. Wysocki <rafael.j.wysocki@intel.com> Signed-off-by: NBob Moore <robert.moore@intel.com> Signed-off-by: NRafael J. Wysocki <rafael.j.wysocki@intel.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Kyeong Yoo 提交于
stable inclusion from linux-4.19.226 commit c0b59abaf8effbac022f6d8b526c4b0b620920b3 -------------------------------- [ Upstream commit aa39cc67 ] GC task can deadlock in read_cache_page() because it may attempt to release a page that is actually allocated by another task in jffs2_write_begin(). The reason is that in jffs2_write_begin() there is a small window a cache page is allocated for use but not set Uptodate yet. This ends up with a deadlock between two tasks: 1) A task (e.g. file copy) - jffs2_write_begin() locks a cache page - jffs2_write_end() tries to lock "alloc_sem" from jffs2_reserve_space() <-- STUCK 2) GC task (jffs2_gcd_mtd3) - jffs2_garbage_collect_pass() locks "alloc_sem" - try to lock the same cache page in read_cache_page() <-- STUCK So to avoid this deadlock, hold "alloc_sem" in jffs2_write_begin() while reading data in a cache page. Signed-off-by: NKyeong Yoo <kyeong.yoo@alliedtelesis.co.nz> Signed-off-by: NRichard Weinberger <richard@nod.at> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Paolo Abeni 提交于
stable inclusion from linux-4.19.226 commit f6d5eb174ee9b9ca4911b98f243f149fbfd19a43 -------------------------------- [ Upstream commit 2cbad989 ] The WARN_ONCE() in bpf_warn_invalid_xdp_action() can be triggered by any bugged program, and even attaching a correct program to a NIC not supporting the given action. The resulting splat, beyond polluting the logs, fouls automated tools: e.g. a syzkaller reproducers using an XDP program returning an unsupported action will never pass validation. Replace the WARN_ONCE with a less intrusive pr_warn_once(). Signed-off-by: NPaolo Abeni <pabeni@redhat.com> Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net> Acked-by: NToke Høiland-Jørgensen <toke@redhat.com> Link: https://lore.kernel.org/bpf/016ceec56e4817ebb2a9e35ce794d5c917df572c.1638189075.git.pabeni@redhat.comSigned-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Suresh Kumar 提交于
stable inclusion from linux-4.19.226 commit 4cca06db20796f60ad83943b80664ef0d652dcac -------------------------------- [ Upstream commit fee32de2 ] Currently "bond_should_notify_peers: slave ..." messages are printed whenever "bond_should_notify_peers" function is called. +++ Dec 12 12:33:26 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 Dec 12 12:33:26 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 Dec 12 12:33:26 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 Dec 12 12:33:26 node1 kernel: bond0: (slave enp0s25): Received LACPDU on port 1 Dec 12 12:33:26 node1 kernel: bond0: (slave enp0s25): Rx Machine: Port=1, Last State=6, Curr State=6 Dec 12 12:33:26 node1 kernel: bond0: (slave enp0s25): partner sync=1 Dec 12 12:33:26 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 Dec 12 12:33:26 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 Dec 12 12:33:26 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 ... Dec 12 12:33:30 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 Dec 12 12:33:30 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 Dec 12 12:33:30 node1 kernel: bond0: (slave enp4s3): Received LACPDU on port 2 Dec 12 12:33:30 node1 kernel: bond0: (slave enp4s3): Rx Machine: Port=2, Last State=6, Curr State=6 Dec 12 12:33:30 node1 kernel: bond0: (slave enp4s3): partner sync=1 Dec 12 12:33:30 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 Dec 12 12:33:30 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 Dec 12 12:33:30 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 +++ This is confusing and can also clutter up debug logs. Print logs only when the peer notification happens. Signed-off-by: NSuresh Kumar <suresh2514@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Antoine Tenart 提交于
stable inclusion from linux-4.19.226 commit 35cad2003b6447932cfe91f795090586306738e8 -------------------------------- [ Upstream commit d7dac083 ] When updating Rx and Tx queue kobjects, the queue count should always be updated to match the queue kobjects count. This was not done in the net device unregistration path, fix it. Tracking all queue count updates will allow in a following up patch to detect illegal updates. Signed-off-by: NAntoine Tenart <atenart@kernel.org> Signed-off-by: NJakub Kicinski <kuba@kernel.org> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Arnd Bergmann 提交于
stable inclusion from linux-4.19.226 commit c976850fa06cca6675f24fdd5b44cb13ea9d7189 -------------------------------- [ Upstream commit 134c37fa ] The last driver referencing the slave_id on Marvell PXA and MMP platforms was the SPI driver, but this stopped doing so a long time ago, so the TODO from the earlier patch can no be removed. Fixes: b729bf34 ("spi/pxa2xx: Don't use slave_id of dma_slave_config") Fixes: 13b3006b ("dma: mmp_pdma: add filter function") Signed-off-by: NArnd Bergmann <arnd@arndb.de> Acked-by: NMark Brown <broonie@kernel.org> Link: https://lore.kernel.org/r/20211122222203.4103644-7-arnd@kernel.orgSigned-off-by: NVinod Koul <vkoul@kernel.org> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Bart Van Assche 提交于
stable inclusion from linux-4.19.226 commit 5e7fb994ccc7200e20d7f394aa3f082f4efb49ab -------------------------------- [ Upstream commit 21ad0e49 ] The driver data pointer must be set before any callbacks are registered that use that pointer. Hence move the initialization of that pointer from after the ufshcd_init() call to inside ufshcd_init(). Link: https://lore.kernel.org/r/20211203231950.193369-7-bvanassche@acm.org Fixes: 3b1d0580 ("[SCSI] ufs: Segregate PCI Specific Code") Reported-by: NAlexey Dobriyan <adobriyan@gmail.com> Tested-by: NBean Huo <beanhuo@micron.com> Reviewed-by: NBean Huo <beanhuo@micron.com> Signed-off-by: NBart Van Assche <bvanassche@acm.org> Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Hector Martin 提交于
stable inclusion from linux-4.19.226 commit 4208239d748b5a8f32d5c2323d6f385dcb7f9b9e -------------------------------- [ Upstream commit 9abe2ac8 ] Table descriptors were being installed without properly formatting the address using paddr_to_iopte, which does not match up with the iopte_deref in __arm_lpae_map. This is incorrect for the LPAE pte format, as it does not handle the high bits properly. This was found on Apple T6000 DARTs, which require a new pte format (different shift); adding support for that to paddr_to_iopte/iopte_to_paddr caused it to break badly, as even <48-bit addresses would end up incorrect in that case. Fixes: 6c89928f ("iommu/io-pgtable-arm: Support 52-bit physical address") Acked-by: NRobin Murphy <robin.murphy@arm.com> Signed-off-by: NHector Martin <marcan@marcan.st> Link: https://lore.kernel.org/r/20211120031343.88034-1-marcan@marcan.stSigned-off-by: NJoerg Roedel <jroedel@suse.de> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Jan Kara 提交于
stable inclusion from linux-4.19.226 commit 1105c2dac8cb45c297401e32884cbefc0f123301 -------------------------------- [ Upstream commit 173b6e38 ] A user reported FITRIM ioctl failing for him on ext4 on some devices without apparent reason. After some debugging we've found out that these devices (being LVM volumes) report rather large discard granularity of 42MB and the filesystem had 1k blocksize and thus group size of 8MB. Because ext4 FITRIM implementation puts discard granularity into minlen, ext4_trim_fs() declared the trim request as invalid. However just silently doing nothing seems to be a more appropriate reaction to such combination of parameters since user did not specify anything wrong. CC: Lukas Czerner <lczerner@redhat.com> Fixes: 5c2ed62f ("ext4: Adjust minlen with discard_granularity in the FITRIM ioctl") Signed-off-by: NJan Kara <jack@suse.cz> Link: https://lore.kernel.org/r/20211112152202.26614-1-jack@suse.czSigned-off-by: NTheodore Ts'o <tytso@mit.edu> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Pavel Skripkin 提交于
stable inclusion from linux-4.19.226 commit e0b2cd310d0859907a9a7b4e4ef9a5bcce9d3d6d -------------------------------- [ Upstream commit d668769e ] Syzbot reported uninit value in mcs7830_bind(). The problem was in missing validation check for bytes read via usbnet_read_cmd(). usbnet_read_cmd() internally calls usb_control_msg(), that returns number of bytes read. Code should validate that requested number of bytes was actually read. So, this patch adds missing size validation check inside mcs7830_get_reg() to prevent uninit value bugs Reported-and-tested-by: syzbot+003c0a286b9af5412510@syzkaller.appspotmail.com Fixes: 2a36d708 ("USB: driver for mcs7830 (aka DeLOCK) USB ethernet adapter") Signed-off-by: NPavel Skripkin <paskripkin@gmail.com> Reviewed-by: NArnd Bergmann <arnd@arndb.de> Link: https://lore.kernel.org/r/20220106225716.7425-1-paskripkin@gmail.comSigned-off-by: NJakub Kicinski <kuba@kernel.org> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Chen Jun 提交于
stable inclusion from linux-4.19.226 commit f155b0fbde518857ee2d42f1fbfda6bdf0123363 -------------------------------- [ Upstream commit 0ef333f5 ] Locality is not appropriately requested before writing the int mask. Add the missing boilerplate. Fixes: e6aef069 ("tpm_tis: convert to using locality callbacks") Signed-off-by: NChen Jun <chenjun102@huawei.com> Reviewed-by: NJarkko Sakkinen <jarkko@kernel.org> Signed-off-by: NJarkko Sakkinen <jarkko@kernel.org> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Xin Xiong 提交于
stable inclusion from linux-4.19.226 commit f0351a2178fa64f87e609c341f07bf4260b10daf -------------------------------- [ Upstream commit d94a69cb ] The issue takes place in one error path of clusterip_tg_check(). When memcmp() returns nonzero, the function simply returns the error code, forgetting to decrease the reference count of a clusterip_config object, which is bumped earlier by clusterip_config_find_get(). This may incur reference count leak. Fix this issue by decrementing the refcount of the object in specific error path. Fixes: 06aa151a ("netfilter: ipt_CLUSTERIP: check MAC address when duplicate config is set") Signed-off-by: NXin Xiong <xiongx18@fudan.edu.cn> Signed-off-by: NXiyu Yang <xiyuyang19@fudan.edu.cn> Signed-off-by: NXin Tan <tanxin.ctf@gmail.com> Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Antony Antony 提交于
stable inclusion from linux-4.19.226 commit a6ea2625df628d4d18b86f6ee21835c8962c8f23 -------------------------------- [ Upstream commit 68ac0f38 ] xfrm ineterface does not allow xfrm if_id = 0 fail to create or update xfrm state and policy. With this commit: ip xfrm policy add src 192.0.2.1 dst 192.0.2.2 dir out if_id 0 RTNETLINK answers: Invalid argument ip xfrm state add src 192.0.2.1 dst 192.0.2.2 proto esp spi 1 \ reqid 1 mode tunnel aead 'rfc4106(gcm(aes))' \ 0x1111111111111111111111111111111111111111 96 if_id 0 RTNETLINK answers: Invalid argument v1->v2 change: - add Fixes: tag Fixes: 9f8550e4 ("xfrm: fix disable_xfrm sysctl when used on xfrm interfaces") Signed-off-by: NAntony Antony <antony.antony@secunet.com> Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Antony Antony 提交于
stable inclusion from linux-4.19.226 commit f7594c07fb0270c5414460432d3344b8831789c2 -------------------------------- [ Upstream commit 8dce4391 ] xfrm interface if_id = 0 would cause xfrm policy lookup errors since Commit 9f8550e4. Now explicitly fail to create an xfrm interface when if_id = 0 With this commit: ip link add ipsec0 type xfrm dev lo if_id 0 Error: if_id must be non zero. v1->v2 change: - add Fixes: tag Fixes: 9f8550e4 ("xfrm: fix disable_xfrm sysctl when used on xfrm interfaces") Signed-off-by: NAntony Antony <antony.antony@secunet.com> Reviewed-by: NEyal Birger <eyal.birger@gmail.com> Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Nicolas Toromanoff 提交于
stable inclusion from linux-4.19.226 commit a803ac39fb163677b4eaf5317894a3dd62912b56 -------------------------------- [ Upstream commit 6c12e742 ] Delete extraneous lines in probe error handling code: pm was disabled twice. Fixes: 65f9aa36 ("crypto: stm32/cryp - Add power management support") Reported-by: NMarek Vasut <marex@denx.de> Signed-off-by: NNicolas Toromanoff <nicolas.toromanoff@foss.st.com> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Eric Dumazet 提交于
stable inclusion from linux-4.19.226 commit fcb8f503d607d18b9fc69613e38358aae9f9fa99 -------------------------------- [ Upstream commit 7770a39d ] copy_user_offload() will actually push a struct struct xfrm_user_offload, which is different than (struct xfrm_state *)->xso (struct xfrm_state_offload) Fixes: d77e38e6 ("xfrm: Add an IPsec hardware offloading API") Signed-off-by: NEric Dumazet <edumazet@google.com> Cc: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Li Hua 提交于
stable inclusion from linux-4.19.226 commit e6bc7279b16517fab9ed3cdbd58ad7b08060c246 -------------------------------- [ Upstream commit 9b58e976 ] When rt_runtime is modified from -1 to a valid control value, it may cause the task to be throttled all the time. Operations like the following will trigger the bug. E.g: 1. echo -1 > /proc/sys/kernel/sched_rt_runtime_us 2. Run a FIFO task named A that executes while(1) 3. echo 950000 > /proc/sys/kernel/sched_rt_runtime_us When rt_runtime is -1, The rt period timer will not be activated when task A enqueued. And then the task will be throttled after setting rt_runtime to 950,000. The task will always be throttled because the rt period timer is not activated. Fixes: d0b27fa7 ("sched: rt-group: synchonised bandwidth period") Reported-by: NHulk Robot <hulkci@huawei.com> Signed-off-by: NLi Hua <hucool.lihua@huawei.com> Signed-off-by: NPeter Zijlstra (Intel) <peterz@infradead.org> Link: https://lkml.kernel.org/r/20211203033618.11895-1-hucool.lihua@huawei.comSigned-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-
由 Lino Sanfilippo 提交于
stable inclusion from linux-4.19.226 commit 0d9a1f0245ed6cadb37fabdf204b67f230160ca0 -------------------------------- [ Upstream commit d1180405 ] With commit 3873e2d7 ("drivers: PL011: refactor pl011_probe()") the function devm_ioremap() called from pl011_setup_port() was replaced with devm_ioremap_resource(). Since this function not only remaps but also requests the ports io memory region it now collides with the .config_port() callback which requests the same region at uart port registration. Since devm_ioremap_resource() already claims the memory successfully, the request in .config_port() fails. Later at uart port deregistration the attempt to release the unclaimed memory also fails. The failure results in a “Trying to free nonexistent resource" warning. Fix these issues by removing the callbacks that implement the redundant memory allocation/release. Also make sure that changing the drivers io memory base address via TIOCSSERIAL is not allowed any more. Fixes: 3873e2d7 ("drivers: PL011: refactor pl011_probe()") Signed-off-by: NLino Sanfilippo <LinoSanfilippo@gmx.de> Link: https://lore.kernel.org/r/20211129174238.8333-1-LinoSanfilippo@gmx.deSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com> Signed-off-by: NLaibin Qiu <qiulaibin@huawei.com>
-