- 03 6月, 2021 40 次提交
-
-
由 Yufeng Mo 提交于
stable inclusion from stable-5.10.38 commit bd4d527ea5f757dba64a05368b691fd0e6378654 bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit 568a54bd ] The message sent to VF should be initialized, otherwise random value of some contents may cause improper processing by the target. So add a initialization to message in hclge_get_link_mode(). Fixes: 9194d18b ("net: hns3: fix the problem that the supported port is empty") Signed-off-by: NYufeng Mo <moyufeng@huawei.com> Signed-off-by: NHuazhong Tan <tanhuazhong@huawei.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Yufeng Mo 提交于
stable inclusion from stable-5.10.38 commit 5d326e253501868538da2c7ac602ef797b3720b1 bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit 2867298d ] According to the UM, the type and enable status of igu_egu_hw_err should be configured separately. Currently, the type field is incorrect when disable this error. So fix it by configuring these two fields separately. Fixes: bf1faf94 ("net: hns3: Add enable and process hw errors from IGU, EGU and NCSI") Signed-off-by: NYufeng Mo <moyufeng@huawei.com> Signed-off-by: NHuazhong Tan <tanhuazhong@huawei.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Nobuhiro Iwamatsu 提交于
stable inclusion from stable-5.10.38 commit 494ade7aba117f8054f78addc5c36f1a622b17e8 bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit 204756f0 ] rx8130 wday specifies the bit position, not BCD. Fixes: ee0981be ("rtc: ds1307: Add support for Epson RX8130CE") Signed-off-by: NNobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp> Signed-off-by: NAlexandre Belloni <alexandre.belloni@bootlin.com> Link: https://lore.kernel.org/r/20210420023917.1949066-1-nobuhiro1.iwamatsu@toshiba.co.jpSigned-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Can Guo 提交于
stable inclusion from stable-5.10.38 commit 5515b85e1a010153cb1fcba2290612540f94ce70 bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit ce4f62f9 ] If spm_lvl is set to 0 or 1, when system suspend kicks start and HBA is runtime active, system suspend may just bail without doing anything (the fast path), leaving other contexts still running, e.g., clock gating and clock scaling. When system resume kicks start, concurrency can happen between ufshcd_resume() and these contexts, leading to various stability issues. Add a check against HBA's runtime state and allowing fast path only if HBA is runtime suspended, otherwise let system suspend go ahead call ufshcd_suspend(). This will guarantee that these contexts are stopped by either runtime suspend or system suspend. Link: https://lore.kernel.org/r/1619408921-30426-4-git-send-email-cang@codeaurora.org Fixes: 0b257734 ("scsi: ufs: optimize system suspend handling") Reviewed-by: NDaejun Park <daejun7.park@samsung.com> Signed-off-by: NCan Guo <cang@codeaurora.org> Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Can Guo 提交于
stable inclusion from stable-5.10.38 commit e8295def80b7b318b6c2b3b10e6aa8fc5b1140f2 bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit 637822e6 ] During ufs system suspend, leaving rpm_dev_flush_recheck_work running or pending is risky because concurrency may happen between system suspend/resume and runtime resume routine. Fix this by cancelling rpm_dev_flush_recheck_work synchronously during system suspend. Link: https://lore.kernel.org/r/1619408921-30426-3-git-send-email-cang@codeaurora.org Fixes: 51dd905b ("scsi: ufs: Fix WriteBooster flush during runtime suspend") Reviewed-by: NDaejun Park <daejun7.park@samsung.com> Signed-off-by: NCan Guo <cang@codeaurora.org> Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Can Guo 提交于
stable inclusion from stable-5.10.38 commit 591602738e00f7f62befda6866266676cbc53eca bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit 23043dd8 ] During resume, if link is broken due to AH8 failure, make sure ufshcd_resume() does not put UFS power back into LPM. Link: https://lore.kernel.org/r/1619408921-30426-2-git-send-email-cang@codeaurora.org Fixes: 4db7a236 ("scsi: ufs: Fix concurrency of error handler and other error recovery paths") Reviewed-by: NDaejun Park <daejun7.park@samsung.com> Signed-off-by: NCan Guo <cang@codeaurora.org> Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Anastasia Kovaleva 提交于
stable inclusion from stable-5.10.38 commit 429ac0fb8375ba2ded1097c4c564b512d3615cce bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit fcb16d9a ] In a case when the initiator in P2P mode by some circumstances does not send PRLI, the target, in a case when the target port's WWPN is less than initiator's, changes the discovery state in DSC_GNL. When gnl completes it sends PRLI to the initiator. Usually the initiator in P2P mode always sends PRLI. We caught this issue on Linux stable v5.4.6 https://www.spinics.net/lists/stable/msg458515.html. Fix this particular corner case in the behaviour of the P2P mod target login state machine. Link: https://lore.kernel.org/r/20210422153414.4022-1-a.kovaleva@yadro.com Fixes: a9ed06d4 ("scsi: qla2xxx: Allow PLOGI in target mode") Reviewed-by: NRoman Bolshakov <r.bolshakov@yadro.com> Reviewed-by: NHimanshu Madhani <himanshu.madhani@oracle.com> Signed-off-by: NAnastasia Kovaleva <a.kovaleva@yadro.com> Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Jeff Layton 提交于
stable inclusion from stable-5.10.38 commit bf45c9fe99aa8003d2703f1bd353f956dea47e40 bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit 1775c7dd ] Fixes: 878dabb6 ("ceph: don't return -ESTALE if there's still an open file") Signed-off-by: NJeff Layton <jlayton@kernel.org> Reviewed-by: NXiubo Li <xiubli@redhat.com> Signed-off-by: NIlya Dryomov <idryomov@gmail.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Claire Chang 提交于
stable inclusion from stable-5.10.38 commit a01572e21f0941a1c8b7d39369fec3bd9b7e5e85 bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit 95b079d8 ] Fix the type of index from unsigned int to int since find_slots() might return -1. Fixes: 26a7e094 ("swiotlb: refactor swiotlb_tbl_map_single") Reviewed-by: NChristoph Hellwig <hch@lst.de> Signed-off-by: NClaire Chang <tientzu@chromium.org> Signed-off-by: NKonrad Rzeszutek Wilk <konrad@kernel.org> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Chuck Lever 提交于
stable inclusion from stable-5.10.38 commit 04dad2ca1f5e460296b983d332cff642055c4def bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit 1363e638 ] The rpcrdma_mr_pop() earlier in the function has already cleared out mr_list, so it must not be done again in the error path. Fixes: 84756894 ("xprtrdma: Remove fr_state") Signed-off-by: NChuck Lever <chuck.lever@oracle.com> Signed-off-by: NTrond Myklebust <trond.myklebust@hammerspace.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Chuck Lever 提交于
stable inclusion from stable-5.10.38 commit eddae8be7944096419c2ae29477a45f767d0fcd4 bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit 35d8b10a ] After a reconnect, the reply handler is opening the cwnd (and thus enabling more RPC Calls to be sent) /before/ rpcrdma_post_recvs() can post enough Receive WRs to receive their replies. This causes an RNR and the new connection is lost immediately. The race is most clearly exposed when KASAN and disconnect injection are enabled. This slows down rpcrdma_rep_create() enough to allow the send side to post a bunch of RPC Calls before the Receive completion handler can invoke ib_post_recv(). Fixes: 2ae50ad6 ("xprtrdma: Close window between waking RPC senders and posting Receives") Signed-off-by: NChuck Lever <chuck.lever@oracle.com> Signed-off-by: NTrond Myklebust <trond.myklebust@hammerspace.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Chuck Lever 提交于
stable inclusion from stable-5.10.38 commit 89a31bf85c7b99e8f501f5b8559577983017e27e bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit 32e6b681 ] Commit e340c2d6 ("xprtrdma: Reduce the doorbell rate (Receive)") increased the number of Receive WRs that are posted by the client, but did not increase the size of the Receive Queue allocated during transport set-up. This is usually not an issue because RPCRDMA_BACKWARD_WRS is defined as (32) when SUNRPC_BACKCHANNEL is defined. In cases where it isn't, there is a real risk of Receive Queue wrapping. Fixes: e340c2d6 ("xprtrdma: Reduce the doorbell rate (Receive)") Signed-off-by: NChuck Lever <chuck.lever@oracle.com> Reviewed-by: NTom Talpey <tom@talpey.com> Signed-off-by: NTrond Myklebust <trond.myklebust@hammerspace.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Uwe Kleine-König 提交于
stable inclusion from stable-5.10.38 commit b22e8f427c3de299c47350caae2a4f80f6d7eb61 bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit 453e8b3d ] The CDTY register contains the number of inactive cycles. .apply() does this correctly, however .get_state() got this wrong. Fixes: 651b510a ("pwm: atmel: Implement .get_state()") Signed-off-by: NUwe Kleine-König <u.kleine-koenig@pengutronix.de> Signed-off-by: NThierry Reding <thierry.reding@gmail.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Dan Carpenter 提交于
stable inclusion from stable-5.10.38 commit 0a9decf2dd4d859bdc791165abc2b646a85dd00f bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit cb579086 ] This code is supposed to pass negative "err" values for tracing but it passes positive values instead. The problem is that the trace_svcsock_tcp_send() function takes a long but "err" is an int and "sent" is a u32. The negative is first type promoted to u32 so it becomes a high positive then it is promoted to long and it stays positive. Fix this by casting "err" directly to long. Fixes: 998024de ("SUNRPC: Add more svcsock tracepoints") Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com> Signed-off-by: NChuck Lever <chuck.lever@oracle.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Dave Jiang 提交于
stable inclusion from stable-5.10.38 commit dd41a0e515322221954258e2fd27b726bef6383a bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit 04922b74 ] The char device setup and cleanup has device lifetime issues regarding when parts are initialized and cleaned up. The initialization of struct device is done incorrectly. device_initialize() needs to be called on the 'struct device' and then additional changes can be added. The ->release() function needs to be setup via device_type before dev_set_name() to allow proper cleanup. The change re-parents the cdev under the wq->conf_dev to get natural reference inheritance. No known dependency on the old device path exists. Reported-by: NJason Gunthorpe <jgg@nvidia.com> Fixes: 42d279f9 ("dmaengine: idxd: add char driver to expose submission portal to userland") Signed-off-by: NDave Jiang <dave.jiang@intel.com> Reviewed-by: NDan Williams <dan.j.williams@intel.com> Link: https://lore.kernel.org/r/161852987721.2203940.1478218825576630810.stgit@djiang5-desk3.ch.intel.comSigned-off-by: NVinod Koul <vkoul@kernel.org> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Dave Jiang 提交于
stable inclusion from stable-5.10.38 commit 975c4b2b997659c47dfae1d8073cf4370f96e598 bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit 39786285 ] The devm managed lifetime is incompatible with 'struct device' objects that resides in idxd context. This is one of the series that clean up the idxd driver 'struct device' lifetime. Remove embedding of dma_device and dma_chan in idxd since it's not the only interface that idxd will use. The freeing of the dma_device will be managed by the ->release() function. Reported-by: NJason Gunthorpe <jgg@nvidia.com> Fixes: bfe1d560 ("dmaengine: idxd: Init and probe for Intel data accelerators") Signed-off-by: NDave Jiang <dave.jiang@intel.com> Reviewed-by: NDan Williams <dan.j.williams@intel.com> Link: https://lore.kernel.org/r/161852983001.2203940.14817017492384561719.stgit@djiang5-desk3.ch.intel.comSigned-off-by: NVinod Koul <vkoul@kernel.org> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Colin Ian King 提交于
stable inclusion from stable-5.10.38 commit 5756f757c72501ef1a16f5f63f940623044180e9 bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit 28ac8e03 ] There are calls to idxd_cmd_exec that pass a null status pointer however a recent commit has added an assignment to *status that can end up with a null pointer dereference. The function expects a null status pointer sometimes as there is a later assignment to *status where status is first null checked. Fix the issue by null checking status before making the assignment. Addresses-Coverity: ("Explicit null dereferenced") Fixes: 89e3becd ("dmaengine: idxd: check device state before issue command") Signed-off-by: NColin Ian King <colin.king@canonical.com> Acked-by: NDave Jiang <dave.jiang@intel.com> Link: https://lore.kernel.org/r/20210415110654.1941580-1-colin.king@canonical.comSigned-off-by: NVinod Koul <vkoul@kernel.org> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Michael Walle 提交于
stable inclusion from stable-5.10.38 commit 0f9d467ff1396c66f64e9bd2de3ec25bfc10b7a0 bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit 7fcb8618 ] The module doesn't load automatically. Fix it by adding the missing MODULE_TABLE(). Fixes: 7b0b551d ("rtc: fsl-ftm-alarm: add FTM alarm driver") Signed-off-by: NMichael Walle <michael@walle.cc> Signed-off-by: NAlexandre Belloni <alexandre.belloni@bootlin.com> Link: https://lore.kernel.org/r/20210414084006.17933-1-michael@walle.ccSigned-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 J. Bruce Fields 提交于
stable inclusion from stable-5.10.38 commit 90e8fa8bdfb38fa4c8425dbb92985441cb7467c0 bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit 217fd6f6 ] If nfsd already has an open file that it plans to use for IO from another, it may not need to do another vfs open, but it still may need to break any delegations in case the existing opens are for another client. Symptoms are that we may incorrectly fail to break a delegation on a write open from a different client, when the delegation-holding client already has a write open. Fixes: 28df3d15 ("nfsd: clients don't need to break their own delegations") Signed-off-by: NJ. Bruce Fields <bfields@redhat.com> Signed-off-by: NChuck Lever <chuck.lever@oracle.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Trond Myklebust 提交于
stable inclusion from stable-5.10.38 commit b4bf335acaccd6de239bb00c1edebbb8612761e6 bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit 8926cc83 ] If the NFS super block is being unmounted, then we currently may end up telling the server that we've forgotten the layout while it is actually still in use by the client. In that case, just assume that the client will soon return the layout anyway, and so return NFS4ERR_DELAY in response to the layout recall. Fixes: 58ac3e59 ("NFSv4/pnfs: Clean up nfs_layout_find_inode()") Signed-off-by: NTrond Myklebust <trond.myklebust@hammerspace.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Guangqing Zhu 提交于
stable inclusion from stable-5.10.38 commit 5d254e17ca86fb51d9e5030578636d8bb0649a60 bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit f4136863 ] Fixes coccicheck error: drivers/thermal/qcom/tsens.c:759:4-10: ERROR: missing put_device; call of_find_device_by_node on line 715, but without a corresponding object release within this function. Fixes: a7ff8297 ("drivers: thermal: tsens: Merge tsens-common.c into tsens.c") Signed-off-by: NGuangqing Zhu <zhuguangqing83@gmail.com> Reviewed-by: NBjorn Andersson <bjorn.andersson@linaro.org> Signed-off-by: NDaniel Lezcano <daniel.lezcano@linaro.org> Link: https://lore.kernel.org/r/20210404125431.12208-1-zhuguangqing83@gmail.comSigned-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Chris Dion 提交于
stable inclusion from stable-5.10.38 commit 4f86a0a5eb6158048040d8a8ffb112c92caa013f bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit 09252177 ] Currently if a major timeout value is reached, but the minor value has not been reached, an ETIMEOUT will not be sent back to the caller. This can occur if the v4 server is not responding to requests and retrans is configured larger than the default of two. For example, A TCP mount with a configured timeout value of 50 and a retransmission count of 3 to a v4 server which is not responding: 1. Initial value and increment set to 5s, maxval set to 20s, retries at 3 2. Major timeout is set to 20s, minor timeout set to 5s initially 3. xport_adjust_timeout() is called after 5s, retry with 10s timeout, minor timeout is bumped to 10s 4. And again after another 10s, 15s total time with minor timeout set to 15s 5. After 20s total time xport_adjust_timeout is called as major timeout is reached, but skipped because the minor timeout is not reached - After this time the cpu spins continually calling xport_adjust_timeout() and returning 0 for 10 seconds. As seen on perf sched: 39243.913182 [0005] mount.nfs[3794] 4607.938 0.017 9746.863 6. This continues until the 15s minor timeout condition is reached (in this case for 10 seconds). After which the ETIMEOUT is processed back to the caller, the cpu spinning stops, and normal operations continue Fixes: 7de62bc0 ("SUNRPC dont update timeout value on connection reset") Signed-off-by: NChris Dion <Christopher.Dion@dell.com> Signed-off-by: NTrond Myklebust <trond.myklebust@hammerspace.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Chuck Lever 提交于
stable inclusion from stable-5.10.38 commit 8efd19bf754b14c9456e60db57af72c52c28f636 bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit 6cf23783 ] This tracepoint can crash when dereferencing snd_task because when some transports connect, they put a cookie in that field instead of a pointer to an rpc_task. BUG: KASAN: use-after-free in trace_event_raw_event_xprt_writelock_event+0x141/0x18e [sunrpc] Read of size 2 at addr ffff8881a83bd3a0 by task git/331872 CPU: 11 PID: 331872 Comm: git Tainted: G S 5.12.0-rc2-00007-g3ab6e585a7f9 #1453 Hardware name: Supermicro SYS-6028R-T/X10DRi, BIOS 1.1a 10/16/2015 Call Trace: dump_stack+0x9c/0xcf print_address_description.constprop.0+0x18/0x239 kasan_report+0x174/0x1b0 trace_event_raw_event_xprt_writelock_event+0x141/0x18e [sunrpc] xprt_prepare_transmit+0x8e/0xc1 [sunrpc] call_transmit+0x4d/0xc6 [sunrpc] Fixes: 9ce07ae5 ("SUNRPC: Replace dprintk() call site in xprt_prepare_transmit") Signed-off-by: NChuck Lever <chuck.lever@oracle.com> Signed-off-by: NTrond Myklebust <trond.myklebust@hammerspace.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Chuck Lever 提交于
stable inclusion from stable-5.10.38 commit 7b906077fd990b1888a5bd49ffb1782077ca6509 bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit 7638e0bf ] I've hit some crashes that occur in the xprt_rdma_inject_disconnect path. It appears that, for some provides, rdma_disconnect() can take so long that the transport can disconnect and release its hardware resources while rdma_disconnect() is still running, resulting in a UAF in the provider. The transport's fault injection method may depend on the stability of transport data structures. That means it needs to be invoked only from contexts that hold the transport write lock. Fixes: 4a068258 ("SUNRPC: Transport fault injection") Signed-off-by: NChuck Lever <chuck.lever@oracle.com> Signed-off-by: NTrond Myklebust <trond.myklebust@hammerspace.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Olga Kornievskaia 提交于
stable inclusion from stable-5.10.38 commit bfeb4e607d00a01586116a134f4090ceb23a4eb3 bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit 73f5c88f ] Currently the client ignores the value of the sr_eof of the SEEK operation. According to the spec, if the server didn't find the requested extent and reached the end of the file, the server would return sr_eof=true. In case the request for DATA and no data was found (ie in the middle of the hole), then the lseek expects that ENXIO would be returned. Fixes: 1c6dcbe5 ("NFS: Implement SEEK") Signed-off-by: NOlga Kornievskaia <kolga@netapp.com> Signed-off-by: NTrond Myklebust <trond.myklebust@hammerspace.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Nikola Livic 提交于
stable inclusion from stable-5.10.38 commit 1fbea60ea658ab887fb899532d783732b04e53e6 bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit ed34695e ] We (adam zabrocki, alexander matrosov, alexander tereshkin, maksym bazalii) observed the check: if (fh->size > sizeof(struct nfs_fh)) should not use the size of the nfs_fh struct which includes an extra two bytes from the size field. struct nfs_fh { unsigned short size; unsigned char data[NFS_MAXFHSIZE]; } but should determine the size from data[NFS_MAXFHSIZE] so the memcpy will not write 2 bytes beyond destination. The proposed fix is to compare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs code base. Fixes: d67ae825 ("pnfs/flexfiles: Add the FlexFile Layout Driver") Signed-off-by: NNikola Livic <nlivic@gmail.com> Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com> Signed-off-by: NTrond Myklebust <trond.myklebust@hammerspace.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Yang Yingliang 提交于
stable inclusion from stable-5.10.38 commit fd65cac30d45305848f0ea1591b3cf011e3dd25a bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit acaef798 ] Add the missing destroy_workqueue() before return from pci_epf_test_init() in the error handling case and add destroy_workqueue() in pci_epf_test_exit(). Link: https://lore.kernel.org/r/20210331084012.2091010-1-yangyingliang@huawei.com Fixes: 349e7a85 ("PCI: endpoint: functions: Add an EP function to test PCI") Reported-by: NHulk Robot <hulkci@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com> Signed-off-by: NLorenzo Pieralisi <lorenzo.pieralisi@arm.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Trond Myklebust 提交于
stable inclusion from stable-5.10.38 commit d21a5950cca69d5ac199f011752c90e171f6c5d1 bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit 9fdbfad1 ] We need to use unsigned long subtraction and then convert to signed in order to deal correcly with C overflow rules. Fixes: f5062003 ("NFS: Set an attribute barrier on all updates") Signed-off-by: NTrond Myklebust <trond.myklebust@hammerspace.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Trond Myklebust 提交于
stable inclusion from stable-5.10.38 commit cbc868ea28a8db2daab63cfb4d8c08ccafda5c10 bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit 99f23783 ] Whether we're allocating or delallocating space, we should flush out the pending writes in order to avoid races with attribute updates. Fixes: 1e564d3d ("NFSv4.2: Fix a race in nfs42_proc_deallocate()") Signed-off-by: NTrond Myklebust <trond.myklebust@hammerspace.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Trond Myklebust 提交于
stable inclusion from stable-5.10.38 commit a09afbb63620e9e36fd2a0c1536fb5a93be99c8f bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit e99812e1 ] We can't use nfs4_fattr_bitmap as a bitmask, because it hasn't been filtered to represent the attributes supported by the server. Instead, let's revert to using server->cache_consistency_bitmask after adding in the missing SPACE_USED attribute. Fixes: 913eca1a ("NFS: Fallocate should use the nfs4_fattr_bitmap") Signed-off-by: NTrond Myklebust <trond.myklebust@hammerspace.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Trond Myklebust 提交于
stable inclusion from stable-5.10.38 commit ce2b470addedf54ca508f024006a8f8e00c60864 bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit 332d1a03 ] As currently set, the calls to nfs4_bitmask_adjust() will end up overwriting the contents of the nfs_server cache_consistency_bitmask field. The intention here should be to modify a private copy of that mask in the close/delegreturn/write arguments. Fixes: 76bd5c01 ("NFSv4: make cache consistency bitmask dynamic") Signed-off-by: NTrond Myklebust <trond.myklebust@hammerspace.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Jia-Ju Bai 提交于
stable inclusion from stable-5.10.38 commit 0627cbc9b8752382213fb87cfc6984b537146096 bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit 26594c6b ] When idr_find() returns NULL to intent, no error return code of qcom_glink_rx_data() is assigned. To fix this bug, ret is assigned with -ENOENT in this case. Fixes: 64f95f87 ("rpmsg: glink: Use the local intents when receiving data") Reported-by: NTOTE Robot <oslab@tsinghua.edu.cn> Signed-off-by: NJia-Ju Bai <baijiaju1990@gmail.com> Link: https://lore.kernel.org/r/20210306133624.17237-1-baijiaju1990@gmail.comSigned-off-by: NBjorn Andersson <bjorn.andersson@linaro.org> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Chao Yu 提交于
stable inclusion from stable-5.10.38 commit b59194c7ca29cbfa29426aadc07ca043437178bc bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit 25ae837e ] Callers may pass fio parameter with NULL value to f2fs_allocate_data_block(), so we should make sure accessing fio's field after fio's validation check. Fixes: f608c38c ("f2fs: clean up parameter of f2fs_allocate_data_block()") Signed-off-by: NChao Yu <yuchao0@huawei.com> Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Yi Zhuang 提交于
stable inclusion from stable-5.10.38 commit 1fd6a0641040330eff8042b2ca9c4a2142dd237f bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit be1ee45d ] In the cache writing process, if it is an atomic file, increase the page count of F2FS_WB_CP_DATA, otherwise increase the page count of F2FS_WB_DATA. When you step into the hook branch due to insufficient memory in f2fs_write_begin, f2fs_drop_inmem_pages_all will be called to traverse all atomic inodes and clear the FI_ATOMIC_FILE mark of all atomic files. In f2fs_drop_inmem_pages,first acquire the inmem_lock , revoke all the inmem_pages, and then clear the FI_ATOMIC_FILE mark. Before this mark is cleared, other threads may hold inmem_lock to add inmem_pages to the inode that has just been emptied inmem_pages, and increase the page count of F2FS_WB_CP_DATA. When the IO returns, it is found that the FI_ATOMIC_FILE flag is cleared by f2fs_drop_inmem_pages_all, and f2fs_is_atomic_file returns false,which causes the page count of F2FS_WB_DATA to be decremented. The page count of F2FS_WB_CP_DATA cannot be cleared. Finally, hungtask is triggered in f2fs_wait_on_all_pages because get_pages will never return zero. process A: process B: f2fs_drop_inmem_pages_all ->f2fs_drop_inmem_pages of inode#1 ->mutex_lock(&fi->inmem_lock) ->__revoke_inmem_pages of inode#1 f2fs_ioc_commit_atomic_write ->mutex_unlock(&fi->inmem_lock) ->f2fs_commit_inmem_pages of inode#1 ->mutex_lock(&fi->inmem_lock) ->__f2fs_commit_inmem_pages ->f2fs_do_write_data_page ->f2fs_outplace_write_data ->do_write_page ->f2fs_submit_page_write ->inc_page_count(sbi, F2FS_WB_CP_DATA ) ->mutex_unlock(&fi->inmem_lock) ->spin_lock(&sbi->inode_lock[ATOMIC_FILE]); ->clear_inode_flag(inode, FI_ATOMIC_FILE) ->spin_unlock(&sbi->inode_lock[ATOMIC_FILE]) f2fs_write_end_io ->dec_page_count(sbi, F2FS_WB_DATA ); We can fix the problem by putting the action of clearing the FI_ATOMIC_FILE mark into the inmem_lock lock. This operation can ensure that no one will submit the inmem pages before the FI_ATOMIC_FILE mark is cleared, so that there will be no atomic writes waiting for writeback. Fixes: 57864ae5 ("f2fs: limit # of inmemory pages") Signed-off-by: NYi Zhuang <zhuangyi1@huawei.com> Reviewed-by: NChao Yu <yuchao0@huawei.com> Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Chao Yu 提交于
stable inclusion from stable-5.10.38 commit 98ccee81fe9640eb646aa7f983b75a5419a43577 bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit 823d13e1 ] In order to avoid race with f2fs_do_replace_block(). Fixes: f5a53edc ("f2fs: support aligned pinned file") Signed-off-by: NChao Yu <yuchao0@huawei.com> Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Chao Yu 提交于
stable inclusion from stable-5.10.38 commit 105155a8146ddb54c119d8318964eef3859d109d bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit 61461fc9 ] In CP disabling mode, there are two issues when using LFS or SSR | AT_SSR mode to select victim: 1. LFS is set to find source section during GC, the victim should have no checkpointed data, since after GC, section could not be set free for reuse. Previously, we only check valid chpt blocks in current segment rather than section, fix it. 2. SSR | AT_SSR are set to find target segment for writes which can be fully filled by checkpointed and newly written blocks, we should never select such segment, otherwise it can cause panic or data corruption during allocation, potential case is described as below: a) target segment has 'n' (n < 512) ckpt valid blocks b) GC migrates 'n' valid blocks to other segment (segment is still in dirty list) c) GC migrates '512 - n' blocks to target segment (segment has 'n' cp_vblocks and '512 - n' vblocks) d) If GC selects target segment via {AT,}SSR allocator, however there is no free space in targe segment. Fixes: 4354994f ("f2fs: checkpoint disabling") Fixes: 093749e2 ("f2fs: support age threshold based garbage collection") Signed-off-by: NChao Yu <yuchao0@huawei.com> Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Shradha Todi 提交于
stable inclusion from stable-5.10.38 commit bbed83d7060e07a5d309104d25a00f0a24441428 bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit 6613bc23 ] get_features ops of pci_epc_ops may return NULL, causing NULL pointer dereference in pci_epf_test_alloc_space function. Let us add a check for pci_epc_feature pointer in pci_epf_test_bind before we access it to avoid any such NULL pointer dereference and return -ENOTSUPP in case pci_epc_feature is not found. When the patch is not applied and EPC features is not implemented in the platform driver, we see the following dump due to kernel NULL pointer dereference. Call trace: pci_epf_test_bind+0xf4/0x388 pci_epf_bind+0x3c/0x80 pci_epc_epf_link+0xa8/0xcc configfs_symlink+0x1a4/0x48c vfs_symlink+0x104/0x184 do_symlinkat+0x80/0xd4 __arm64_sys_symlinkat+0x1c/0x24 el0_svc_common.constprop.3+0xb8/0x170 el0_svc_handler+0x70/0x88 el0_svc+0x8/0x640 Code: d2800581 b9403ab9 f9404ebb 8b394f60 (f9400400) ---[ end trace a438e3c5a24f9df0 ]--- Link: https://lore.kernel.org/r/20210324101609.79278-1-shradha.t@samsung.com Fixes: 2c04c5b8 ("PCI: pci-epf-test: Use pci_epc_get_features() to get EPC features") Signed-off-by: NSriram Dash <dash.sriram@gmail.com> Signed-off-by: NShradha Todi <shradha.t@samsung.com> Signed-off-by: NLorenzo Pieralisi <lorenzo.pieralisi@arm.com> Reviewed-by: NPankaj Dubey <pankaj.dubey@samsung.com> Reviewed-by: NKishon Vijay Abraham I <kishon@ti.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Kishon Vijay Abraham I 提交于
stable inclusion from stable-5.10.38 commit d5e85b92b4574aac500153bc55a287f0b6947b50 bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit 0e27aecc ] Modify pci_epc_get_next_free_bar() and pci_epc_get_first_free_bar() to return error values if there are no free BARs available. Link: https://lore.kernel.org/r/20210201195809.7342-5-kishon@ti.comSigned-off-by: NKishon Vijay Abraham I <kishon@ti.com> Signed-off-by: NLorenzo Pieralisi <lorenzo.pieralisi@arm.com> Signed-off-by: NBjorn Helgaas <bhelgaas@google.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Kishon Vijay Abraham I 提交于
stable inclusion from stable-5.10.38 commit d98bfd4cc25886bb5691321df6735c6772e834de bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit fa8fef0e ] Add an API to get the next unreserved BAR starting from a given BAR number that can be used by the endpoint function. Link: https://lore.kernel.org/r/20210201195809.7342-4-kishon@ti.comSigned-off-by: NKishon Vijay Abraham I <kishon@ti.com> Signed-off-by: NLorenzo Pieralisi <lorenzo.pieralisi@arm.com> Signed-off-by: NBjorn Helgaas <bhelgaas@google.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Kishon Vijay Abraham I 提交于
stable inclusion from stable-5.10.38 commit 5974766170d8debdc970f9cf9e3dca6be40f8440 bugzilla: 51875 CVE: NA -------------------------------- [ Upstream commit 959a48d0 ] pci_epc_get_first_free_bar() uses only "reserved_bar" member in epc_features to get the first unreserved BAR. However if the reserved BAR is also a 64-bit BAR, then the next BAR shouldn't be returned (since 64-bit BAR uses two BARs). Make pci_epc_get_first_free_bar() take into account 64 bit BAR while returning the first free unreserved BAR. Link: https://lore.kernel.org/r/20210201195809.7342-3-kishon@ti.comSigned-off-by: NKishon Vijay Abraham I <kishon@ti.com> Signed-off-by: NLorenzo Pieralisi <lorenzo.pieralisi@arm.com> Signed-off-by: NBjorn Helgaas <bhelgaas@google.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NChen Jun <chenjun102@huawei.com> Acked-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-