- 26 Jul, 2023 40 commits
-
Committed by Pawan Gupta

stable inclusion from stable-v5.10.158
commit 5e3d4a68e2e11dbe561fa7de919ff9c82547a215
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=5e3d4a68e2e11dbe561fa7de919ff9c82547a215

--------------------------------

commit aaa65d17 upstream.

Support for the TSX control MSR is enumerated in MSR_IA32_ARCH_CAPABILITIES. This is different from how other CPU features are enumerated i.e. via CPUID. Currently, a call to tsx_ctrl_is_supported() is required for enumerating the feature. In the absence of a feature bit for TSX control, any code that relies on checking feature bits directly will not work.

In preparation for adding a feature bit check in MSR save/restore during suspend/resume, set a new feature bit X86_FEATURE_TSX_CTRL when MSR_IA32_TSX_CTRL is present.

[ bp: Remove tsx_ctrl_is_supported()]

[Pawan: Resolved conflicts in backport; Removed parts of commit message referring to removed function tsx_ctrl_is_supported()]

Suggested-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: <stable@kernel.org>
Link: https://lore.kernel.org/r/de619764e1d98afbb7a5fa58424f1278ede37b45.1668539735.git.pawan.kumar.gupta@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: sanglipeng <sanglipeng1@jd.com>

Conflicts:
    arch/x86/include/asm/cpufeatures.h
-
Committed by Fedor Pchelkin

stable inclusion from stable-v5.10.158
commit b7f7a0402eb7332e1f81241368766044f40475ac
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b7f7a0402eb7332e1f81241368766044f40475ac

--------------------------------

commit acdab4cb upstream.

This reverts commit 902e02ea.

The above commit is reverted as the usage of tx_mutex seems not to solve the problem described in 902e02ea ("tty: n_gsm: avoid call of sleeping functions from atomic context") and just moves the bug to another place.

Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Reviewed-by: Daniel Starke <daniel.starke@siemens.com>
Link: https://lore.kernel.org/r/20221008110221.13645-2-pchelkin@ispras.ru
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by Ido Schimmel

stable inclusion from stable-v5.10.158
commit 481f9ed8ebdcca43064813c220c1c2835102b1a9
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=481f9ed8ebdcca43064813c220c1c2835102b1a9

--------------------------------

[ Upstream commit d5082d38 ]

When the kernel receives a route deletion request from user space it tries to delete a route that matches the route attributes specified in the request.

If only prefix information is specified in the request, the kernel should delete the first matching FIB alias regardless of its associated FIB info. However, an error is currently returned when the FIB info is backed by a nexthop object:

    # ip nexthop add id 1 via 192.0.2.2 dev dummy10
    # ip route add 198.51.100.0/24 nhid 1
    # ip route del 198.51.100.0/24
    RTNETLINK answers: No such process

Fix by matching on such a FIB info when legacy nexthop attributes are not specified in the request. An earlier check already covers the case where a nexthop ID is specified in the request.

Add tests that cover these flows. Before the fix:

    # ./fib_nexthops.sh -t ipv4_fcnal
    ...
    TEST: Delete route when not specifying nexthop attributes [FAIL]

    Tests passed: 11
    Tests failed: 1

After the fix:

    # ./fib_nexthops.sh -t ipv4_fcnal
    ...
    TEST: Delete route when not specifying nexthop attributes [ OK ]

    Tests passed: 12
    Tests failed: 0

No regressions in other tests:

    # ./fib_nexthops.sh
    ...
    Tests passed: 228
    Tests failed: 0

    # ./fib_tests.sh
    ...
    Tests passed: 186
    Tests failed: 0

Cc: stable@vger.kernel.org
Reported-by: Jonas Gorski <jonas.gorski@gmail.com>
Tested-by: Jonas Gorski <jonas.gorski@gmail.com>
Fixes: 493ced1a ("ipv4: Allow routes to use nexthop objects")
Fixes: 6bf92d70 ("net: ipv4: fix route with nexthop object delete warning")
Fixes: 61b91eb3 ("ipv4: Handle attempt to delete multipath route when fib_info contains an nh reference")
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20221124210932.2470010-1-idosch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by David Ahern

stable inclusion from stable-v5.10.158
commit 0b5394229ebae09afc07aabccb5ffd705ffd250e
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=0b5394229ebae09afc07aabccb5ffd705ffd250e

--------------------------------

[ Upstream commit 61b91eb3 ]

Gwangun Jung reported a slab-out-of-bounds access in fib_nh_match:

    fib_nh_match+0xf98/0x1130 linux-6.0-rc7/net/ipv4/fib_semantics.c:961
    fib_table_delete+0x5f3/0xa40 linux-6.0-rc7/net/ipv4/fib_trie.c:1753
    inet_rtm_delroute+0x2b3/0x380 linux-6.0-rc7/net/ipv4/fib_frontend.c:874

Separate nexthop objects are mutually exclusive with the legacy multipath spec. Fix fib_nh_match to return if the config for the to be deleted route contains a multipath spec while the fib_info is using a nexthop object.

Fixes: 493ced1a ("ipv4: Allow routes to use nexthop objects")
Fixes: 6bf92d70 ("net: ipv4: fix route with nexthop object delete warning")
Reported-by: Gwangun Jung <exsociety@gmail.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Tested-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: d5082d38 ("ipv4: Fix route deletion when nexthop info is not specified")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by Nikolay Aleksandrov

stable inclusion from stable-v5.10.158
commit 4919503426c93c5a254148db08796a695245bf94
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=4919503426c93c5a254148db08796a695245bf94

--------------------------------

[ Upstream commit 692930cc ]

I made a stupid typo when adding the nexthop route warning selftest and added both $IP and ip after it (double ip) on the cleanup path. The error doesn't show up when running the test, but obviously it doesn't clean up properly after it.

Fixes: 392baa33 ("selftests: net: add delete nexthop route warning test")
Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: d5082d38 ("ipv4: Fix route deletion when nexthop info is not specified")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by Nikolay Aleksandrov

stable inclusion from stable-v5.10.158
commit 7ca14c5f24dbc74253a7e14988d7ab63f0bb71a7
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7ca14c5f24dbc74253a7e14988d7ab63f0bb71a7

--------------------------------

[ Upstream commit 392baa33 ]

Add a test which causes a WARNING on kernels which treat a nexthop route like a normal route when comparing for deletion and a device is specified. That is, a route is found but we hit a warning while matching it. The warning is from fib_info_nh() in include/net/nexthop.h because we run it on a fib_info with nexthop object. The call chain is:

    inet_rtm_delroute -> fib_table_delete -> fib_nh_match

(called with a nexthop fib_info and also with fc_oif set thus calling fib_info_nh on the fib_info and triggering the warning).

Repro steps:

    $ ip nexthop add id 12 via 172.16.1.3 dev veth1
    $ ip route add 172.16.101.1/32 nhid 12
    $ ip route delete 172.16.101.1/32 dev veth1

Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: d5082d38 ("ipv4: Fix route deletion when nexthop info is not specified")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by Lee Jones

stable inclusion from stable-v5.10.158
commit f09ac62f0e3f1b4a490d9922a3ac95f554297828
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=f09ac62f0e3f1b4a490d9922a3ac95f554297828

--------------------------------

[ Upstream commit 152fe65f ]

When enabled, KASAN enlarges function's stack-frames. Pushing quite a few over the current threshold. This can mainly be seen on 32-bit architectures where the present limit (when !GCC) is a lowly 1024-Bytes.

Link: https://lkml.kernel.org/r/20221125120750.3537134-3-lee@kernel.org
Signed-off-by: Lee Jones <lee@kernel.org>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: "Christian König" <christian.koenig@amd.com>
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: David Airlie <airlied@gmail.com>
Cc: Harry Wentland <harry.wentland@amd.com>
Cc: Leo Li <sunpeng.li@amd.com>
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Maxime Ripard <mripard@kernel.org>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: "Pan, Xinhui" <Xinhui.Pan@amd.com>
Cc: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: Tom Rix <trix@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by Helge Deller

stable inclusion from stable-v5.10.158
commit 19d91d3798e7f8725ee9e3a48b290c03964c09ae
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=19d91d3798e7f8725ee9e3a48b290c03964c09ae

--------------------------------

[ Upstream commit 8d192bec ]

PA-RISC uses a much bigger frame size for functions than other architectures. So increase it to 2048 for 32- and 64-bit kernels. This fixes e.g. a warning in lib/xxhash.c.

Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Stable-dep-of: 152fe65f ("Kconfig.debug: provide a little extra FRAME_WARN leeway when KASAN is enabled")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by Guenter Roeck

stable inclusion from stable-v5.10.158
commit fcf20da0997458bb3cb6a23d78577b3fa6d9a5db
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=fcf20da0997458bb3cb6a23d78577b3fa6d9a5db

--------------------------------

[ Upstream commit 86705024 ]

xtensa frame size is larger than the frame size for almost all other architectures. This results in more than 50 "the frame size of <n> is larger than 1024 bytes" errors when trying to build xtensa:allmodconfig.

Increase frame size for xtensa to 1536 bytes to avoid compile errors due to frame size limits.

Link: https://lkml.kernel.org/r/20210912025235.3514761-1-linux@roeck-us.net
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Max Filippov <jcmvbkbc@gmail.com>
Cc: Chris Zankel <chris@zankel.net>
Cc: David Laight <David.Laight@ACULAB.COM>
Cc: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Stable-dep-of: 152fe65f ("Kconfig.debug: provide a little extra FRAME_WARN leeway when KASAN is enabled")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by Helge Deller

stable inclusion from stable-v5.10.158
commit a1877001ed6d7be80aa6dbd2cb6698e74473205e
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a1877001ed6d7be80aa6dbd2cb6698e74473205e

--------------------------------

[ Upstream commit 55b70eed ]

parisc uses much bigger frames than other architectures, so increase the stack frame check value to avoid compiler warnings.

Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Abd-Alrhman Masalkhi <abd.masalkhi@gmail.com>
Cc: Christoph Hellwig <hch@infradead.org>
Signed-off-by: Helge Deller <deller@gmx.de>
Stable-dep-of: 152fe65f ("Kconfig.debug: provide a little extra FRAME_WARN leeway when KASAN is enabled")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by Xiongfeng Wang

stable inclusion from stable-v5.10.158
commit a5c65cd56aed027f8a97fda8b691caaeb66d115e
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a5c65cd56aed027f8a97fda8b691caaeb66d115e

--------------------------------

[ Upstream commit 4bedbbd7 ]

for_each_pci_dev() is implemented by pci_get_device(). The comment of pci_get_device() says that it will increase the reference count for the returned pci_dev and also decrease the reference count for the input pci_dev @from if it is not NULL.

If we break for_each_pci_dev() loop with pdev not NULL, we need to call pci_dev_put() to decrease the reference count. Add the missing pci_dev_put() for the error path to avoid reference count leak.

Fixes: 2e455289 ("iommu/vt-d: Unify the way to process DMAR device scope array")
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Link: https://lore.kernel.org/r/20221121113649.190393-3-wangxiongfeng2@huawei.com
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by Xiongfeng Wang

stable inclusion from stable-v5.10.158
commit 10ed7655a17f6a3eaecd1293830488259ccd5723
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=10ed7655a17f6a3eaecd1293830488259ccd5723

--------------------------------

[ Upstream commit afca9e19 ]

for_each_pci_dev() is implemented by pci_get_device(). The comment of pci_get_device() says that it will increase the reference count for the returned pci_dev and also decrease the reference count for the input pci_dev @from if it is not NULL.

If we break for_each_pci_dev() loop with pdev not NULL, we need to call pci_dev_put() to decrease the reference count. Add the missing pci_dev_put() before 'return true' to avoid reference count leak.

Fixes: 89a6079d ("iommu/vt-d: Force IOMMU on for platform opt in hint")
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Link: https://lore.kernel.org/r/20221121113649.190393-2-wangxiongfeng2@huawei.com
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: sanglipeng <sanglipeng1@jd.com>
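Added example, not part of either commit above and not kernel code: a userspace model of the iterator contract the two iommu/vt-d commits describe (the getter takes a reference on the device it returns and drops the one on the device passed in), showing the leak on early exit next to the corrected form. All `toy_*` names and the three-device bus are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for struct pci_dev: only a refcount and an id. */
struct toy_dev { int refcount; int vendor; };

/* Constructed sample bus; every device starts with one reference. */
static struct toy_dev toy_bus[] = { {1, 0x10}, {1, 0x20}, {1, 0x30} };
#define TOY_NDEV (sizeof(toy_bus) / sizeof(toy_bus[0]))

static void toy_dev_put(struct toy_dev *d) { if (d) d->refcount--; }

/* Models the documented behaviour of pci_get_device(): drop the reference
 * on 'from' (if not NULL), take one on the device that is returned. */
static struct toy_dev *toy_get_device(struct toy_dev *from)
{
    size_t next = from ? (size_t)(from - toy_bus) + 1 : 0;

    toy_dev_put(from);
    if (next >= TOY_NDEV)
        return NULL;
    toy_bus[next].refcount++;
    return &toy_bus[next];
}

/* Same shape as for_each_pci_dev(): loop until the getter returns NULL. */
#define toy_for_each_dev(d) while (((d) = toy_get_device(d)) != NULL)

/* Before the fix: returning from inside the loop keeps the reference that
 * the getter took on the matching device. */
static bool has_vendor_leaky(int vendor)
{
    struct toy_dev *d = NULL;

    toy_for_each_dev(d) {
        if (d->vendor == vendor)
            return true;
    }
    return false; /* loop ran to completion: last reference already dropped */
}

/* After the fix: drop the held reference before leaving the loop early. */
static bool has_vendor_fixed(int vendor)
{
    struct toy_dev *d = NULL;

    toy_for_each_dev(d) {
        if (d->vendor == vendor) {
            toy_dev_put(d);
            return true;
        }
    }
    return false;
}

static int toy_total_refs(void)
{
    int sum = 0;

    for (size_t i = 0; i < TOY_NDEV; i++)
        sum += toy_bus[i].refcount;
    return sum;
}

static void toy_reset(void)
{
    for (size_t i = 0; i < TOY_NDEV; i++)
        toy_bus[i].refcount = 1;
}

int main(void)
{
    toy_reset();
    has_vendor_leaky(0x20);
    printf("leaky: total refs = %d\n", toy_total_refs());
    toy_reset();
    has_vendor_fixed(0x20);
    printf("fixed: total refs = %d\n", toy_total_refs());
    return 0;
}
```

A loop that runs to completion balances itself because the final call drops the last reference and returns NULL; only the early-exit paths need the explicit put.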
-
Committed by Maxim Korotkov

stable inclusion from stable-v5.10.158
commit 302edce1dd426f7e2abfed35563dec8d5aed0667
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=302edce1dd426f7e2abfed35563dec8d5aed0667

--------------------------------

[ Upstream commit 64c15033 ]

There is a possibility of dividing by zero due to the pcs->bits_per_pin if pcs->fmask() also has a value of zero and called fls from asm-generic/bitops/builtin-fls.h or arch/x86/include/asm/bitops.h. The function pcs_probe() has the branch that assigned to fmask 0 before pcs_allocate_pin_table() was called.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 4e7e8017 ("pinctrl: pinctrl-single: enhance to configure multiple pins of different modules")
Signed-off-by: Maxim Korotkov <korotkov.maxim.s@gmail.com>
Reviewed-by: Tony Lindgren <tony@atomide.com>
Link: https://lore.kernel.org/r/20221117123034.27383-1-korotkov.maxim.s@gmail.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by Mark Brown

stable inclusion from stable-v5.10.158
commit b50c9641897274c3faef5f95ac852f54b94be2e8
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b50c9641897274c3faef5f95ac852f54b94be2e8

--------------------------------

[ Upstream commit 698813ba ]

For _sx controls the semantics of the max field is not the usual one, max is the number of steps rather than the maximum value. This means that our check in snd_soc_put_volsw_sx() needs to just check against the maximum value.

Fixes: 4f1e50d6 ("ASoC: ops: Reject out of bounds values in snd_soc_put_volsw_sx()")
Signed-off-by: Mark Brown <broonie@kernel.org>
Link: https://lore.kernel.org/r/20220511134137.169575-1-broonie@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by Steven Rostedt (Google)

stable inclusion from stable-v5.10.158
commit be111ebd8868d4b7c041cb3c6102e1ae27d6dc1d
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=be111ebd8868d4b7c041cb3c6102e1ae27d6dc1d

--------------------------------

commit 4313e5a6 upstream.

After 65536 dynamic events have been added and removed, the "type" field of the event then uses the first type number that is available (not currently used by other events). A type number is the identifier of the binary blobs in the tracing ring buffer (known as events) to map them to logic that can parse the binary blob.

The issue is that if a dynamic event (like a kprobe event) is traced and is in the ring buffer, and then that event is removed (because it is dynamic, which means it can be created and destroyed), if another dynamic event is created that has the same number that new event's logic on parsing the binary blob will be used.

To show how this can be an issue, the following can crash the kernel:

    # cd /sys/kernel/tracing
    # for i in `seq 65536`; do
        echo 'p:kprobes/foo do_sys_openat2 $arg1:u32' > kprobe_events
    # done

For every iteration of the above, the writing to the kprobe_events will remove the old event and create a new one (with the same format) and increase the type number to the next available one until the type number reaches over 65535 which is the max number for the 16 bit type. After it reaches that number, the logic to allocate a new number simply looks for the next available number. When a dynamic event is removed, that number is then available to be reused by the next dynamic event created. That is, once the above reaches the max number, the number assigned to the event in that loop will remain the same.

Now that means deleting one dynamic event and creating another will reuse the previous event's type number. This is where bad things can happen. After the above loop finishes, the kprobes/foo event which reads the do_sys_openat2 function call's first parameter as an integer.

    # echo 1 > kprobes/foo/enable
    # cat /etc/passwd > /dev/null
    # cat trace
    cat-2211 [005] .... 2007.849603: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196
    cat-2211 [005] .... 2007.849620: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196
    cat-2211 [005] .... 2007.849838: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196
    cat-2211 [005] .... 2007.849880: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196
    # echo 0 > kprobes/foo/enable

Now if we delete the kprobe and create a new one that reads a string:

    # echo 'p:kprobes/foo do_sys_openat2 +0($arg2):string' > kprobe_events

And now we can the trace:

    # cat trace
    sendmail-1942 [002] ..... 530.136320: foo: (do_sys_openat2+0x0/0x240) arg1=
    cat-2046 [004] ..... 530.930817: foo: (do_sys_openat2+0x0/0x240) arg1="������������������������������������������������������������������������������������������������"
    cat-2046 [004] ..... 530.930961: foo: (do_sys_openat2+0x0/0x240) arg1="������������������������������������������������������������������������������������������������"
    cat-2046 [004] ..... 530.934278: foo: (do_sys_openat2+0x0/0x240) arg1="������������������������������������������������������������������������������������������������"
    cat-2046 [004] ..... 530.934563: foo: (do_sys_openat2+0x0/0x240) arg1="������������������������������������������������������������������������������������������������"
    bash-1515 [007] ..... 534.299093: foo: (do_sys_openat2+0x0/0x240) arg1="kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk���������@��4Z����;Y�����U

And dmesg has:

    ==================================================================
    BUG: KASAN: use-after-free in string+0xd4/0x1c0
    Read of size 1 at addr ffff88805fdbbfa0 by task cat/2049

    CPU: 0 PID: 2049 Comm: cat Not tainted 6.1.0-rc6-test+ #641
    Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v03.03 07/14/2016
    Call Trace:
     <TASK>
     dump_stack_lvl+0x5b/0x77
     print_report+0x17f/0x47b
     kasan_report+0xad/0x130
     string+0xd4/0x1c0
     vsnprintf+0x500/0x840
     seq_buf_vprintf+0x62/0xc0
     trace_seq_printf+0x10e/0x1e0
     print_type_string+0x90/0xa0
     print_kprobe_event+0x16b/0x290
     print_trace_line+0x451/0x8e0
     s_show+0x72/0x1f0
     seq_read_iter+0x58e/0x750
     seq_read+0x115/0x160
     vfs_read+0x11d/0x460
     ksys_read+0xa9/0x130
     do_syscall_64+0x3a/0x90
     entry_SYSCALL_64_after_hwframe+0x63/0xcd
    RIP: 0033:0x7fc2e972ade2
    Code: c0 e9 b2 fe ff ff 50 48 8d 3d b2 3f 0a 00 e8 05 f0 01 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24
    RSP: 002b:00007ffc64e687c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
    RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fc2e972ade2
    RDX: 0000000000020000 RSI: 00007fc2e980d000 RDI: 0000000000000003
    RBP: 00007fc2e980d000 R08: 00007fc2e980c010 R09: 0000000000000000
    R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000020f00
    R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
     </TASK>

    The buggy address belongs to the physical page:
    page:ffffea00017f6ec0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5fdbb
    flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff)
    raw: 000fffffc0000000 0000000000000000 ffffea00017f6ec8 0000000000000000
    raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
    page dumped because: kasan: bad access detected

    Memory state around the buggy address:
     ffff88805fdbbe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
     ffff88805fdbbf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    >ffff88805fdbbf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                   ^
     ffff88805fdbc000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
     ffff88805fdbc080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    ==================================================================

This was found when Zheng Yejian sent a patch to convert the event type number assignment to use IDA, which gives the next available number, and this bug showed up in the fuzz testing by Yujie Liu and the kernel test robot. But after further analysis, I found that this behavior is the same as when the event type numbers go past the 16bit max (and the above shows that).

As modules have a similar issue, but is dealt with by setting a "WAS_ENABLED" flag when a module event is enabled, and when the module is freed, if any of its events were enabled, the ring buffer that holds that event is also cleared, to prevent reading stale events. The same can be done for dynamic events.

If any dynamic event that is being removed was enabled, then make sure the buffers they were enabled in are now cleared.

Link: https://lkml.kernel.org/r/20221123171434.545706e3@gandalf.local.home
Link: https://lore.kernel.org/all/20221110020319.1259291-1-zhengyejian1@huawei.com/
Cc: stable@vger.kernel.org
Cc: Andrew Morton <akpm@linux-foundation.org>
Depends-on: e18eb878 ("tracing: Add tracing_reset_all_online_cpus_unlocked() function")
Depends-on: 5448d44c ("tracing: Add unified dynamic event framework")
Depends-on: 6212dd29 ("tracing/kprobes: Use dyn_event framework for kprobe events")
Depends-on: 065e63f9 ("tracing: Only have rmmod clear buffers that its events were active in")
Depends-on: 575380da ("tracing: Only clear trace buffer on module unload if event was traced")
Fixes: 77b44d1b ("tracing/kprobes: Rename Kprobe-tracer to kprobe-event")
Reported-by: Zheng Yejian <zhengyejian1@huawei.com>
Reported-by: Yujie Liu <yujie.liu@intel.com>
Reported-by: kernel test robot <yujie.liu@intel.com>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: sanglipeng <sanglipeng1@jd.com>
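Added example, not part of the commit above and not kernel code: a userspace model of the type-number reuse that commit message describes, with and without the mitigation of clearing the buffer when a previously enabled dynamic event is removed. The `toy_*` names, the 8-entry type space standing in for the 16-bit limit, and the single flat buffer are assumptions; records carry a tag of the format they were written with so the model can count mismatches without reading stale memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOY_TYPE_MAX 8   /* assumption: stands in for the 16-bit maximum */
#define TOY_RING_CAP 16

enum toy_fmt { TOY_FMT_NONE, TOY_FMT_U32, TOY_FMT_STRING };

struct toy_event  { bool in_use; bool was_enabled; enum toy_fmt fmt; };
struct toy_record { int type; enum toy_fmt written_as; uint32_t raw; };

static struct toy_event  toy_events[TOY_TYPE_MAX + 1];
static struct toy_record toy_ring[TOY_RING_CAP];
static size_t toy_ring_len;
static int toy_next_type;

static void toy_reset(void)
{
    memset(toy_events, 0, sizeof(toy_events));
    toy_ring_len = 0;
    toy_next_type = 1;
}

/* Hand out increasing numbers until the space is exhausted, then fall back
 * to the first number not currently in use (the behaviour described). */
static int toy_event_add(enum toy_fmt fmt)
{
    int type = -1;

    if (toy_next_type <= TOY_TYPE_MAX) {
        type = toy_next_type++;
    } else {
        for (int i = 1; i <= TOY_TYPE_MAX; i++)
            if (!toy_events[i].in_use) { type = i; break; }
    }
    if (type < 0)
        return -1;
    toy_events[type] = (struct toy_event){ .in_use = true, .fmt = fmt };
    return type;
}

/* Write one record for an event and remember that the event was enabled. */
static void toy_event_trace(int type, uint32_t raw)
{
    if (type < 1 || type > TOY_TYPE_MAX || !toy_events[type].in_use)
        return;
    toy_events[type].was_enabled = true;
    if (toy_ring_len < TOY_RING_CAP)
        toy_ring[toy_ring_len++] =
            (struct toy_record){ type, toy_events[type].fmt, raw };
}

/* Mitigation modelled here: when an event that was ever enabled is removed,
 * clear the buffer so none of its records outlive its parser. */
static void toy_event_remove(int type, bool clear_buffers)
{
    if (type < 1 || type > TOY_TYPE_MAX || !toy_events[type].in_use)
        return;
    if (clear_buffers && toy_events[type].was_enabled)
        toy_ring_len = 0;
    toy_events[type] = (struct toy_event){ 0 };
}

/* Records whose type now maps to an event with a different format. */
static int toy_count_misparsed(void)
{
    int n = 0;

    for (size_t i = 0; i < toy_ring_len; i++) {
        const struct toy_event *ev = &toy_events[toy_ring[i].type];
        if (ev->in_use && ev->fmt != toy_ring[i].written_as)
            n++;
    }
    return n;
}

static int toy_scenario(bool with_fix, bool *type_reused)
{
    toy_reset();
    for (int i = 0; i < TOY_TYPE_MAX; i++)      /* exhaust the type space */
        toy_event_remove(toy_event_add(TOY_FMT_U32), with_fix);

    int old_type = toy_event_add(TOY_FMT_U32);  /* integer-format event */
    for (int i = 0; i < 4; i++)
        toy_event_trace(old_type, 4294967196u); /* value from the trace above */
    toy_event_remove(old_type, with_fix);

    int new_type = toy_event_add(TOY_FMT_STRING); /* string-format event */
    *type_reused = (new_type == old_type);
    return toy_count_misparsed();
}

int main(void)
{
    bool reused;
    int bad = toy_scenario(false, &reused);

    printf("no clear: reused=%d misparsed=%d\n", reused, bad);
    bad = toy_scenario(true, &reused);
    printf("clear:    reused=%d misparsed=%d\n", reused, bad);
    return 0;
}
```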
-
Committed by Janusz Krzysztofik

stable inclusion from stable-v5.10.158
commit 648b92e5760721fbf230e242950182d7e9222143
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=648b92e5760721fbf230e242950182d7e9222143

--------------------------------

commit 12b8b046 upstream.

Users of intel_gt_retire_requests_timeout() expect 0 return value on success. However, we have no protection from passing back 0 potentially returned by a call to dma_fence_wait_timeout() when it succeeds right after its timeout has expired.

Replace 0 with -ETIME before potentially using the timeout value as return code, so -ETIME is returned if there are still some requests not retired after timeout, 0 otherwise.

v3: Use conditional expression, more compact but also better reflecting intention standing behind the change.

v2: Move the added lines down so flush_submission() is not affected.

Fixes: f33a8a51 ("drm/i915: Merge wait_for_timelines with retire_request")
Signed-off-by: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
Reviewed-by: Andrzej Hajda <andrzej.hajda@intel.com>
Cc: stable@vger.kernel.org # v5.5+
Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20221121145655.75141-3-janusz.krzysztofik@linux.intel.com
(cherry picked from commit f301a29f)
Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by Lee Jones

stable inclusion from stable-v5.10.158
commit 8649c023c427c1c934043e3083e575a7e69d53bb
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=8649c023c427c1c934043e3083e575a7e69d53bb

--------------------------------

commit 6f6cb171 upstream.

Patch series "Fix a bunch of allmodconfig errors", v2.

Since b339ec9c ("kbuild: Only default to -Werror if COMPILE_TEST") WERROR now defaults to COMPILE_TEST meaning that it's enabled for allmodconfig builds. This leads to some interesting build failures when using Clang, each resolved in this set.

With this set applied, I am able to obtain a successful allmodconfig Arm build.

This patch (of 2):

calculate_bandwidth() is presently broken on all !(X86_64 || SPARC64 || ARM64) architectures built with Clang (all released versions), whereby the stack frame gets blown up to well over 5k. This would cause an immediate kernel panic on most architectures. We'll revert this when the following bug report has been resolved: https://github.com/llvm/llvm-project/issues/41896.

Link: https://lkml.kernel.org/r/20221125120750.3537134-1-lee@kernel.org
Link: https://lkml.kernel.org/r/20221125120750.3537134-2-lee@kernel.org
Signed-off-by: Lee Jones <lee@kernel.org>
Suggested-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: "Christian König" <christian.koenig@amd.com>
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: David Airlie <airlied@gmail.com>
Cc: Harry Wentland <harry.wentland@amd.com>
Cc: Lee Jones <lee@kernel.org>
Cc: Leo Li <sunpeng.li@amd.com>
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Maxime Ripard <mripard@kernel.org>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: "Pan, Xinhui" <Xinhui.Pan@amd.com>
Cc: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: Tom Rix <trix@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by Adrian Hunter

stable inclusion from stable-v5.10.158
commit 940b774069f164b0c6f25b13946f1ef166e8d439
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=940b774069f164b0c6f25b13946f1ef166e8d439

--------------------------------

commit c981cdfb upstream.

Commit 20b92a30 ("mmc: sdhci: update signal voltage switch code") removed voltage switch delays from sdhci because mmc core had been enhanced to support them. However that assumed that sdhci_set_ios() did a single clock change, which it did not, and so the delays in mmc core, which should have come after the first clock change, were not effective.

Fix by avoiding re-configuring UHS and preset settings when the clock is turning on and the settings have not changed. That then also avoids the associated clock changes, so that then sdhci_set_ios() does a single clock change when voltage switching, and the mmc core delays become effective.

To do that has meant keeping track of driver strength (host->drv_type), and cases of reinitialization (host->reinit_uhs).

Note also, the 'turning_on_clk' restriction should not be necessary but is done to minimize the impact of the change on stable kernels.

Fixes: 20b92a30 ("mmc: sdhci: update signal voltage switch code")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Link: https://lore.kernel.org/r/20221128133259.38305-2-adrian.hunter@intel.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by Wenchao Chen

stable inclusion from stable-v5.10.158
commit ed1966245307bad007b74068759d5af5aadf6b3f
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=ed1966245307bad007b74068759d5af5aadf6b3f

--------------------------------

commit dd30dcfa upstream.

After switching the voltage, no reset data and command will cause CMD2 timeout.

Fixes: 29ca763f ("mmc: sdhci-sprd: Add pin control support for voltage switch")
Signed-off-by: Wenchao Chen <wenchao.chen@unisoc.com>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20221130121328.25553-1-wenchao.chen@unisoc.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by Sebastian Falbesoner
stable inclusion from stable-v5.10.158 commit ef767907e77d00f46d0b59e5530b4f2e2d34f5ba category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=ef767907e77d00f46d0b59e5530b4f2e2d34f5ba -------------------------------- commit a3cab1d2 upstream. With the current logic the "failed to exit halt state" error would be shown even if any other bit than CQHCI_HALT was set in the CQHCI_CTL register, since the right hand side is always true. Fix this by using the correct operator (bit-wise instead of logical AND) to only check for the halt bit flag, which was obviously intended here. Fixes: 85236d2b ("mmc: sdhci-esdhc-imx: clear the HALT bit when enable CQE") Signed-off-by: Sebastian Falbesoner <sebastian.falbesoner@gmail.com> Acked-by: Haibo Chen <haibo.chen@nxp.com> Acked-by: Adrian Hunter <adrian.hunter@intel.com> Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20221121105721.1903878-1-sebastian.falbesoner@gmail.com Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by Christian Löhle
stable inclusion from stable-v5.10.158 commit 46ee041cd655edfb43bb9c867fdb9e2151c2f52c category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=46ee041cd655edfb43bb9c867fdb9e2151c2f52c -------------------------------- commit 489d1445 upstream. Clean up the MMC_TRIM_ARGS define that became ambiguous with DISCARD introduction. While at it, let's fix one usage where MMC_TRIM_ARGS falsely included DISCARD too. Fixes: b3bf9153 ("mmc: core: new discard feature support at eMMC v4.5") Signed-off-by: Christian Loehle <cloehle@hyperstone.com> Acked-by: Adrian Hunter <adrian.hunter@intel.com> Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/11376b5714964345908f3990f17e0701@hyperstone.com Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by Ye Bin
stable inclusion from stable-v5.10.158 commit b79be962b567e857470b454d564baea5014ee94b category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b79be962b567e857470b454d564baea5014ee94b -------------------------------- commit f4307b4d upstream. In __mmc_test_register_dbgfs_file(), we need to assign 'file', as it's being used when removing the debugfs files when the mmc_test module is removed. Fixes: a04c50aa ("mmc: core: no need to check return value of debugfs_create functions") Signed-off-by: Ye Bin <yebin10@huawei.com> Acked-by: Adrian Hunter <adrian.hunter@intel.com> Cc: stable@vger.kernel.org [Ulf: Re-wrote the commit msg] Link: https://lore.kernel.org/r/20221123095506.1965691-1-yebin@huaweicloud.com Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by Goh, Wei Sheng
stable inclusion from stable-v5.10.158 commit d4fc344c0d9c06ea1c1fafa69efac4fed9cd0dd2 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=d4fc344c0d9c06ea1c1fafa69efac4fed9cd0dd2 -------------------------------- commit cc3d2b5f upstream. Currently, pause frame register GMAC_RX_FLOW_CTRL_RFE is not updated correctly when 'ethtool -A <IFACE> autoneg off rx off tx off' command is issued. This fix ensures the flow control change is reflected directly in the GMAC_RX_FLOW_CTRL_RFE register. Fixes: 46f69ded ("net: stmmac: Use resolved link config in mac_link_up()") Cc: <stable@vger.kernel.org> # 5.10.x Signed-off-by: Goh, Wei Sheng <wei.sheng.goh@intel.com> Signed-off-by: Noor Azura Ahmad Tarmizi <noor.azura.ahmad.tarmizi@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by Andy Shevchenko
stable inclusion from stable-v5.10.158 commit 549e24409ac579b4ad871d43d8781a1dc9b4aaeb category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=549e24409ac579b4ad871d43d8781a1dc9b4aaeb -------------------------------- commit 6989ea48 upstream. The firmware on some systems may configure GPIO pins to be an interrupt source in so called "direct IRQ" mode. In such cases the GPIO controller driver has no idea if those pins are being used or not. At the same time, there is a known bug in the firmwares that don't restore the pin settings correctly after suspend, i.e. by an unknown reason the Rx value becomes inverted. Hence, let's save and restore the pins that are configured as GPIOs in the input mode with GPIROUTIOXAPIC bit set. Cc: stable@vger.kernel.org Reported-and-tested-by: Dale Smith <dalepsmith@gmail.com> Reported-and-tested-by: John Harris <jmharris@gmail.com> BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=214749 Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com> Link: https://lore.kernel.org/r/20221124222926.72326-1-andriy.shevchenko@linux.intel.com Signed-off-by: Linus Walleij <linus.walleij@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by Pawan Gupta
stable inclusion from stable-v5.10.158 commit 471fb7b735bf9dd1caf2c8751158b81a3d9a5584 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=471fb7b735bf9dd1caf2c8751158b81a3d9a5584 -------------------------------- commit 66065157 upstream. The "force" argument to write_spec_ctrl_current() is currently ambiguous as it does not guarantee the MSR write. This is due to the optimization that writes to the MSR happen only when the new value differs from the cached value. This is fine in most cases, but breaks for S3 resume when the cached MSR value gets out of sync with the hardware MSR value due to S3 resetting it. When x86_spec_ctrl_current is same as x86_spec_ctrl_base, the MSR write is skipped. Which results in SPEC_CTRL mitigations not getting restored. Move the MSR write from write_spec_ctrl_current() to a new function that unconditionally writes to the MSR. Update the callers accordingly and rename functions. [ bp: Rework a bit. ] Fixes: caa0ff24 ("x86/bugs: Keep a per-CPU IA32_SPEC_CTRL value") Suggested-by: Borislav Petkov <bp@alien8.de> Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com> Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> Reviewed-by: Thomas Gleixner <tglx@linutronix.de> Cc: <stable@kernel.org> Link: https://lore.kernel.org/r/806d39b0bfec2fe8f50dc5446dff20f5bb24a959.1669821572.git.pawan.kumar.gupta@linux.intel.com Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by ZhangPeng
stable inclusion from stable-v5.10.158 commit e858917ab785afe83c14f5ac141301216ccda847 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e858917ab785afe83c14f5ac141301216ccda847 -------------------------------- commit f0a0ccda upstream. Syzbot reported a null-ptr-deref bug: NILFS (loop0): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] CPU: 1 PID: 3603 Comm: segctord Not tainted 6.1.0-rc2-syzkaller-00105-gb229b6ca #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022 RIP: 0010:nilfs_palloc_commit_free_entry+0xe5/0x6b0 fs/nilfs2/alloc.c:608 Code: 00 00 00 00 fc ff df 80 3c 02 00 0f 85 cd 05 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 73 08 49 8d 7e 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 26 05 00 00 49 8b 46 10 be a6 00 00 00 48 c7 c7 RSP: 0018:ffffc90003dff830 EFLAGS: 00010212 RAX: dffffc0000000000 RBX: ffff88802594e218 RCX: 000000000000000d RDX: 0000000000000002 RSI: 0000000000002000 RDI: 0000000000000010 RBP: ffff888071880222 R08: 0000000000000005 R09: 000000000000003f R10: 000000000000000d R11: 0000000000000000 R12: ffff888071880158 R13: ffff88802594e220 R14: 0000000000000000 R15: 0000000000000004 FS: 0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb1c08316a8 CR3: 0000000018560000 CR4: 0000000000350ee0 Call Trace: <TASK> nilfs_dat_commit_free fs/nilfs2/dat.c:114 [inline] nilfs_dat_commit_end+0x464/0x5f0 fs/nilfs2/dat.c:193 nilfs_dat_commit_update+0x26/0x40 fs/nilfs2/dat.c:236 nilfs_btree_commit_update_v+0x87/0x4a0 fs/nilfs2/btree.c:1940 nilfs_btree_commit_propagate_v fs/nilfs2/btree.c:2016 [inline] nilfs_btree_propagate_v 
fs/nilfs2/btree.c:2046 [inline] nilfs_btree_propagate+0xa00/0xd60 fs/nilfs2/btree.c:2088 nilfs_bmap_propagate+0x73/0x170 fs/nilfs2/bmap.c:337 nilfs_collect_file_data+0x45/0xd0 fs/nilfs2/segment.c:568 nilfs_segctor_apply_buffers+0x14a/0x470 fs/nilfs2/segment.c:1018 nilfs_segctor_scan_file+0x3f4/0x6f0 fs/nilfs2/segment.c:1067 nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1197 [inline] nilfs_segctor_collect fs/nilfs2/segment.c:1503 [inline] nilfs_segctor_do_construct+0x12fc/0x6af0 fs/nilfs2/segment.c:2045 nilfs_segctor_construct+0x8e3/0xb30 fs/nilfs2/segment.c:2379 nilfs_segctor_thread_construct fs/nilfs2/segment.c:2487 [inline] nilfs_segctor_thread+0x3c3/0xf30 fs/nilfs2/segment.c:2570 kthread+0x2e4/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 </TASK> ... If DAT metadata file is corrupted on disk, there is a case where req->pr_desc_bh is NULL and blocknr is 0 at nilfs_dat_commit_end() during a b-tree operation that cascadingly updates ancestor nodes of the b-tree, because nilfs_dat_commit_alloc() for a lower level block can initialize the blocknr on the same DAT entry between nilfs_dat_prepare_end() and nilfs_dat_commit_end(). If this happens, nilfs_dat_commit_end() calls nilfs_dat_commit_free() without valid buffer heads in req->pr_desc_bh and req->pr_bitmap_bh, and causes the NULL pointer dereference above in nilfs_palloc_commit_free_entry() function, which leads to a crash. Fix this by adding a NULL check on req->pr_desc_bh and req->pr_bitmap_bh before nilfs_palloc_commit_free_entry() in nilfs_dat_commit_free(). This also calls nilfs_error() in that case to notify that there is a fatal flaw in the filesystem metadata and prevent further operations. 
Link: https://lkml.kernel.org/r/00000000000097c20205ebaea3d6@google.com Link: https://lkml.kernel.org/r/20221114040441.1649940-1-zhangpeng362@huawei.com Link: https://lkml.kernel.org/r/20221119120542.17204-1-konishi.ryusuke@gmail.com Signed-off-by: ZhangPeng <zhangpeng362@huawei.com> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Reported-by: syzbot+ebe05ee8e98f755f61d0@syzkaller.appspotmail.com Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by Tiezhu Yang
stable inclusion from stable-v5.10.158 commit 6ddf788400dd3f5b75f807164bf91a59ee6b3b32 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6ddf788400dd3f5b75f807164bf91a59ee6b3b32 -------------------------------- commit a435874b upstream. The latest version of grep claims the egrep is now obsolete so the build now contains warnings that look like: egrep: warning: egrep is obsolescent; using grep -E fix this up by moving the related file to use "grep -E" instead. sed -i "s/egrep/grep -E/g" `grep egrep -rwl tools/vm` Here are the steps to install the latest grep: wget http://ftp.gnu.org/gnu/grep/grep-3.8.tar.gz tar xf grep-3.8.tar.gz cd grep-3.8 && ./configure && make sudo make install export PATH=/usr/local/bin:$PATH Link: https://lkml.kernel.org/r/1668825419-30584-1-git-send-email-yangtiezhu@loongson.cn Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn> Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org> Cc: Vlastimil Babka <vbabka@suse.cz> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by Steven Rostedt (Google)
stable inclusion from stable-v5.10.158 commit c099d12c5502b3eff5dd7b22815e480ff9aefe16 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=c099d12c5502b3eff5dd7b22815e480ff9aefe16 -------------------------------- commit a4412fdd upstream. The config to be able to inject error codes into any function annotated with ALLOW_ERROR_INJECTION() is enabled when FUNCTION_ERROR_INJECTION is enabled. But unfortunately, this is always enabled on x86 when KPROBES is enabled, and there's no way to turn it off. As kprobes is useful for observability of the kernel, it is useful to have it enabled in production environments. But error injection should be avoided. Add a prompt to the config to allow it to be disabled even when kprobes is enabled, and get rid of the "def_bool y". This is a kernel debug feature (it's in Kconfig.debug), and should have never been something enabled by default. Cc: stable@vger.kernel.org Fixes: 540adea3 ("error-injection: Separate error-injection from kprobe") Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by Jisheng Zhang
stable inclusion from stable-v5.10.158 commit 26b6f927bb86bf32b081866851688ad2cdfc9472 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=26b6f927bb86bf32b081866851688ad2cdfc9472 -------------------------------- commit 74f6bb55 upstream. lkp reported a build error, I tried the config and can reproduce build error as below: VDSOLD arch/riscv/kernel/vdso/vdso.so.dbg ld.lld: error: section .note file range overlaps with .text >>> .note range is [0x7C8, 0x803] >>> .text range is [0x800, 0x1993] ld.lld: error: section .text file range overlaps with .dynamic >>> .text range is [0x800, 0x1993] >>> .dynamic range is [0x808, 0x937] ld.lld: error: section .note virtual address range overlaps with .text >>> .note range is [0x7C8, 0x803] >>> .text range is [0x800, 0x1993] Fix it by setting DISABLE_BRANCH_PROFILING which will disable branch tracing for vdso, thus avoid useless _ftrace_annotated_branch section and _ftrace_branch section. Although we can also fix it by removing the hardcoded .text begin address, but I think that's another story and should be put into another patch. Link: https://lore.kernel.org/lkml/202210122123.Cc4FPShJ-lkp@intel.com/#r Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: Jisheng Zhang <jszhang@kernel.org> Link: https://lore.kernel.org/r/20221102170254.1925-1-jszhang@kernel.org Fixes: ad5d1122 ("riscv: use vDSO common flow to reduce the latency of the time-related functions") Cc: stable@vger.kernel.org Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by YueHaibing
stable inclusion from stable-v5.10.158 commit 2b1d8f27e2051d9d35043edbf2e3f4e1354edf59 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=2b1d8f27e2051d9d35043edbf2e3f4e1354edf59 -------------------------------- [ Upstream commit 52f7cf70 ] Smatch warns this: drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c:81 mlx5dr_table_set_miss_action() error: uninitialized symbol 'ret'. Initializing ret with -EOPNOTSUPP and fix missing action case. Fixes: 7838e172 ("net/mlx5: DR, Expose steering table functionality") Signed-off-by: YueHaibing <yuehaibing@huawei.com> Reviewed-by: Roi Dayan <roid@nvidia.com> Signed-off-by: Saeed Mahameed <saeedm@nvidia.com> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by Yang Yingliang
stable inclusion from stable-v5.10.158 commit c40db1e5f316792b557d2be37e447c20d9ac4635 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=c40db1e5f316792b557d2be37e447c20d9ac4635 -------------------------------- [ Upstream commit 7dec1453 ] As comment of pci_get_domain_bus_and_slot() says, it returns a pci device with refcount increment, when finish using it, the caller must decrement the reference count by calling pci_dev_put(). So call it after using to avoid refcount leak. Fixes: 14513ee6 ("hwmon: (coretemp) Use PCI host bridge ID to identify CPU if necessary") Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> Link: https://lore.kernel.org/r/20221118093303.214163-1-yangyingliang@huawei.com Signed-off-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by Phil Auld
stable inclusion from stable-v5.10.158 commit f06e0cd01eab954bd5f2190c9faa79bb5357e05b category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=f06e0cd01eab954bd5f2190c9faa79bb5357e05b -------------------------------- [ Upstream commit a89ff5f5 ] If coretemp_add_core() gets an error then pdata->core_data[indx] is already NULL and has been kfreed. Don't pass that to sysfs_remove_group() as that will crash in sysfs_remove_group(). [Shortened for readability] [91854.020159] sysfs: cannot create duplicate filename '/devices/platform/coretemp.0/hwmon/hwmon2/temp20_label' <cpu offline> [91855.126115] BUG: kernel NULL pointer dereference, address: 0000000000000188 [91855.165103] #PF: supervisor read access in kernel mode [91855.194506] #PF: error_code(0x0000) - not-present page [91855.224445] PGD 0 P4D 0 [91855.238508] Oops: 0000 [#1] PREEMPT SMP PTI ... [91855.342716] RIP: 0010:sysfs_remove_group+0xc/0x80 ... [91855.796571] Call Trace: [91855.810524] coretemp_cpu_offline+0x12b/0x1dd [coretemp] [91855.841738] ? coretemp_cpu_online+0x180/0x180 [coretemp] [91855.871107] cpuhp_invoke_callback+0x105/0x4b0 [91855.893432] cpuhp_thread_fun+0x8e/0x150 ... Fix this by checking for NULL first. Signed-off-by: Phil Auld <pauld@redhat.com> Cc: linux-hwmon@vger.kernel.org Cc: Fenghua Yu <fenghua.yu@intel.com> Cc: Jean Delvare <jdelvare@suse.com> Cc: Guenter Roeck <linux@roeck-us.net> Link: https://lore.kernel.org/r/20221117162313.3164803-1-pauld@redhat.com Fixes: 199e0de7 ("hwmon: (coretemp) Merge pkgtemp with coretemp") Signed-off-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by Yoshihiro Shimoda
stable inclusion from stable-v5.10.158 commit d93522d04f84c81ab9af899957fddfd3c7eb0bb6 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=d93522d04f84c81ab9af899957fddfd3c7eb0bb6 -------------------------------- [ Upstream commit d66233a3 ] After system resumed on some environment board, the promiscuous mode is disabled because the SoC turned off. So, call ravb_set_rx_mode() in the ravb_resume() to fix the issue. Reported-by: Tho Vu <tho.vu.wh@renesas.com> Fixes: 0184165b ("ravb: add sleep PM suspend/resume support") Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com> Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com> Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru> Link: https://lore.kernel.org/r/20221128065604.1864391-1-yoshihiro.shimoda.uh@renesas.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by Zhengchao Shao
stable inclusion from stable-v5.10.158 commit 176ee6c673ccd118e9392fd2dbb165423bdb99ca category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=176ee6c673ccd118e9392fd2dbb165423bdb99ca -------------------------------- [ Upstream commit 9ed7bfc7 ] When sctp_stream_outq_migrate() is called to release stream out resources, the memory pointed to by prio_head in stream out is not released. The memory leak information is as follows: unreferenced object 0xffff88801fe79f80 (size 64): comm "sctp_repo", pid 7957, jiffies 4294951704 (age 36.480s) hex dump (first 32 bytes): 80 9f e7 1f 80 88 ff ff 80 9f e7 1f 80 88 ff ff ................ 90 9f e7 1f 80 88 ff ff 90 9f e7 1f 80 88 ff ff ................ backtrace: [<ffffffff81b215c6>] kmalloc_trace+0x26/0x60 [<ffffffff88ae517c>] sctp_sched_prio_set+0x4cc/0x770 [<ffffffff88ad64f2>] sctp_stream_init_ext+0xd2/0x1b0 [<ffffffff88aa2604>] sctp_sendmsg_to_asoc+0x1614/0x1a30 [<ffffffff88ab7ff1>] sctp_sendmsg+0xda1/0x1ef0 [<ffffffff87f765ed>] inet_sendmsg+0x9d/0xe0 [<ffffffff8754b5b3>] sock_sendmsg+0xd3/0x120 [<ffffffff8755446a>] __sys_sendto+0x23a/0x340 [<ffffffff87554651>] __x64_sys_sendto+0xe1/0x1b0 [<ffffffff89978b49>] do_syscall_64+0x39/0xb0 [<ffffffff89a0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd Link: https://syzkaller.appspot.com/bug?exrid=29c402e56c4760763cc0 Fixes: 637784ad ("sctp: introduce priority based stream scheduler") Reported-by: syzbot+29c402e56c4760763cc0@syzkaller.appspotmail.com Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com> Reviewed-by: Xin Long <lucien.xin@gmail.com> Link: https://lore.kernel.org/r/20221126031720.378562-1-shaozhengchao@huawei.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by Willem de Bruijn
stable inclusion from stable-v5.10.158 commit 1c38c88acc9688e9e379c26fb64bdfbb853618d1 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=1c38c88acc9688e9e379c26fb64bdfbb853618d1 -------------------------------- [ Upstream commit b85f628a ] CHECKSUM_COMPLETE signals that skb->csum stores the sum over the entire packet. It does not imply that an embedded l4 checksum field has been validated. Fixes: 682f048b ("af_packet: pass checksum validation status to the user") Signed-off-by: Willem de Bruijn <willemb@google.com> Link: https://lore.kernel.org/r/20221128161812.640098-1-willemdebruijn.kernel@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by Shigeru Yoshida
stable inclusion from stable-v5.10.158 commit 5f442e1d403e0496bacb74a58e2be7f500695e6f category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=5f442e1d403e0496bacb74a58e2be7f500695e6f -------------------------------- [ Upstream commit 5daadc86 ] syzbot reported use-after-free in tun_detach() [1]. This causes call trace like below: ================================================================== BUG: KASAN: use-after-free in notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75 Read of size 8 at addr ffff88807324e2a8 by task syz-executor.0/3673 CPU: 0 PID: 3673 Comm: syz-executor.0 Not tainted 6.1.0-rc5-syzkaller-00044-gcc675d22 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x15e/0x461 mm/kasan/report.c:395 kasan_report+0xbf/0x1f0 mm/kasan/report.c:495 notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75 call_netdevice_notifiers_info+0x86/0x130 net/core/dev.c:1942 call_netdevice_notifiers_extack net/core/dev.c:1983 [inline] call_netdevice_notifiers net/core/dev.c:1997 [inline] netdev_wait_allrefs_any net/core/dev.c:10237 [inline] netdev_run_todo+0xbc6/0x1100 net/core/dev.c:10351 tun_detach drivers/net/tun.c:704 [inline] tun_chr_close+0xe4/0x190 drivers/net/tun.c:3467 __fput+0x27c/0xa90 fs/file_table.c:320 task_work_run+0x16f/0x270 kernel/task_work.c:179 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0xb3d/0x2a30 kernel/exit.c:820 do_group_exit+0xd4/0x2a0 kernel/exit.c:950 get_signal+0x21b1/0x2440 kernel/signal.c:2858 arch_do_signal_or_restart+0x86/0x2300 arch/x86/kernel/signal.c:869 exit_to_user_mode_loop kernel/entry/common.c:168 [inline] exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203 
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296 do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd The cause of the issue is that sock_put() from __tun_detach() drops last reference count for struct net, and then notifier_call_chain() from netdev_state_change() accesses that struct net. This patch fixes the issue by calling sock_put() from tun_detach() after all necessary accesses for the struct net has done. Fixes: 83c1f36f ("tun: send netlink notification when the device is modified") Reported-by: syzbot+106f9b687cd64ee70cd1@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?id=96eb7f1ce75ef933697f24eeab928c4a716edefe [1] Signed-off-by: Shigeru Yoshida <syoshida@redhat.com> Link: https://lore.kernel.org/r/20221124175134.1589053-1-syoshida@redhat.com Signed-off-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by David Howells
stable inclusion from stable-v5.10.158 commit 5fa0fc5876b5979febf6d7c9906afde4489e5c81 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=5fa0fc5876b5979febf6d7c9906afde4489e5c81 -------------------------------- [ Upstream commit ca57f022 ] The fileserver probing code attempts to work out the best fileserver to use for a volume by retrieving the RTT calculated by AF_RXRPC for the probe call sent to each server and comparing them. Sometimes, however, no RTT estimate is available and rxrpc_kernel_get_srtt() returns false, leading good fileservers to be given an RTT of UINT_MAX and thus causing the rotation algorithm to ignore them. Fix afs_select_fileserver() to ignore rxrpc_kernel_get_srtt()'s return value and just take the estimated RTT it provides - which will be capped at 1 second. Fixes: 1d4adfaf ("rxrpc: Make rxrpc_kernel_get_srtt() indicate validity") Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: Marc Dionne <marc.dionne@auristor.com> Tested-by: Marc Dionne <marc.dionne@auristor.com> cc: linux-afs@lists.infradead.org Link: https://lore.kernel.org/r/166965503999.3392585.13954054113218099395.stgit@warthog.procyon.org.uk/ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by YueHaibing
stable inclusion from stable-v5.10.158 commit 7ca81a161e406834a1fdc405fc83a572bd14b8d9 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7ca81a161e406834a1fdc405fc83a572bd14b8d9 -------------------------------- [ Upstream commit 7e177d32 ] The skb is delivered to netif_rx() which may free it, after calling this, dereferencing skb may trigger use-after-free. Fixes: f421436a ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)") Signed-off-by: YueHaibing <yuehaibing@huawei.com> Link: https://lore.kernel.org/r/20221125075724.27912-1-yuehaibing@huawei.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by Xin Long
stable inclusion from stable-v5.10.158 commit a1ba595e35aa3afbe417ff0af353afb9f65559c0 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a1ba595e35aa3afbe417ff0af353afb9f65559c0 -------------------------------- [ Upstream commit 3067bc61 ] As the call trace shows, the original skb was freed in tipc_msg_validate(), and dereferencing the old skb cb would cause an use-after-free crash. BUG: KASAN: use-after-free in tipc_crypto_rcv_complete+0x1835/0x2240 [tipc] Call Trace: <IRQ> tipc_crypto_rcv_complete+0x1835/0x2240 [tipc] tipc_crypto_rcv+0xd32/0x1ec0 [tipc] tipc_rcv+0x744/0x1150 [tipc] ... Allocated by task 47078: kmem_cache_alloc_node+0x158/0x4d0 __alloc_skb+0x1c1/0x270 tipc_buf_acquire+0x1e/0xe0 [tipc] tipc_msg_create+0x33/0x1c0 [tipc] tipc_link_build_proto_msg+0x38a/0x2100 [tipc] tipc_link_timeout+0x8b8/0xef0 [tipc] tipc_node_timeout+0x2a1/0x960 [tipc] call_timer_fn+0x2d/0x1c0 ... Freed by task 47078: tipc_msg_validate+0x7b/0x440 [tipc] tipc_crypto_rcv_complete+0x4b5/0x2240 [tipc] tipc_crypto_rcv+0xd32/0x1ec0 [tipc] tipc_rcv+0x744/0x1150 [tipc] This patch fixes it by re-fetching the skb cb from the new allocated skb after calling tipc_msg_validate(). Fixes: fc1b6d6d ("tipc: introduce TIPC encryption & authentication") Reported-by: Shuang Li <shuali@redhat.com> Signed-off-by: Xin Long <lucien.xin@gmail.com> Link: https://lore.kernel.org/r/1b1cdba762915325bd8ef9a98d0276eb673df2a5.1669398403.git.lucien.xin@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-
Committed by Jerry Ray
stable inclusion from stable-v5.10.158 commit 4621bdfff5f84e511a7f412cfcfea1e920ae03ed category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=4621bdfff5f84e511a7f412cfcfea1e920ae03ed -------------------------------- [ Upstream commit 39f59bca ] This patch changes the reported ethtool statistics for the lan9303 family of parts covered by this driver. The TxUnderRun statistic label is renamed to RxShort to accurately reflect what stat the device is reporting. I did not reorder the statistics as that might cause problems with existing user code that are expecting the stats at a certain offset. Fixes: a1292595 ("net: dsa: add new DSA switch driver for the SMSC-LAN9303") Signed-off-by: Jerry Ray <jerry.ray@microchip.com> Reviewed-by: Florian Fainelli <f.fainelli@gmail.com> Link: https://lore.kernel.org/r/20221128193559.6572-1-jerry.ray@microchip.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: sanglipeng <sanglipeng1@jd.com>
-