bka
3844 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
c6aa1292ca |
Merge branch 'linux-4.19.y-cip' of https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip into android-4.19.y-mediatek
* 'linux-4.19.y-cip' of https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip: CIP: Bump version suffix to -cip124 after merge from cip/linux-4.19.y-st tree Update localversion-st, tree is up-to-date with 5.4.298. f2fs: fix to do sanity check on ino and xnid squashfs: fix memory leak in squashfs_fill_super pNFS: Handle RPC size limit for layoutcommits wifi: iwlwifi: fw: Fix possible memory leak in iwl_fw_dbg_collect usb: core: usb_submit_urb: downgrade type check udf: Verify partition map count f2fs: fix to avoid panic in f2fs_evict_inode usb: hub: Fix flushing and scheduling of delayed work that tunes runtime pm Revert "drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS" net: usb: qmi_wwan: add Telit Cinterion LE910C4-WWX new compositions HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version() HID: asus: fix UAF via HID_CLAIMED_INPUT validation efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare sctp: initialize more fields in sctp_v6_from_sk() net: stmmac: xgmac: Do not enable RX FIFO Overflow interrupts net/mlx5e: Set local Xoff after FW update net: dlink: fix multicast stats being counted incorrectly atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control(). net/atm: remove the atmdev_ops {get, set}sockopt methods Bluetooth: hci_event: Detect if HCI_EV_NUM_COMP_PKTS is unbalanced powerpc/kvm: Fix ifdef to remove build warning net: ipv4: fix regression in local-broadcast routes vhost/net: Protect ubufs with rcu read lock in vhost_net_ubuf_put() scsi: core: sysfs: Correct sysfs attributes access rights ftrace: Fix potential warning in trace_printk_seq during ftrace_dump alloc_fdtable(): change calling conventions. 
ALSA: usb-audio: Use correct sub-type for UAC3 feature unit validation net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit ipv6: sr: validate HMAC algorithm ID in seg6_hmac_info_add ALSA: usb-audio: Fix size validation in convert_chmap_v3() scsi: qla4xxx: Prevent a potential error pointer dereference usb: xhci: Fix slot_id resource race conflict nfs: fix UAF in direct writes NFS: Fix up commit deadlocks Bluetooth: fix use-after-free in device_for_each_child() selftests: forwarding: tc_actions.sh: add matchall mirror test codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() sch_qfq: make qfq_qlen_notify() idempotent sch_hfsc: make hfsc_qlen_notify() idempotent sch_drr: make drr_qlen_notify() idempotent btrfs: populate otime when logging an inode item media: venus: hfi: explicitly release IRQ during teardown f2fs: fix to avoid out-of-boundary access in dnode page media: venus: protect against spurious interrupts during probe media: venus: vdec: Clamp param smaller than 1fps and bigger than 240. drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() media: v4l2-ctrls: Don't reset handler's error in v4l2_ctrl_handler_free() ata: Fix SATA_MOBILE_LPM_POLICY description in Kconfig usb: musb: omap2430: fix device leak at unbind NFS: Fix the setting of capabilities when automounting a new filesystem NFS: Fix up handling of outstanding layoutcommit in nfs_update_inode() NFSv4: Fix nfs4_bitmap_copy_adjust() usb: typec: fusb302: cache PD RX state cdc-acm: fix race between initial clearing halt and open USB: cdc-acm: do not log successful probe on later errors nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() tracing: Add down_write(trace_event_sem) when adding trace event usb: hub: Don't try to recover devices lost during warm reset. 
usb: hub: avoid warm port reset during USB3 disconnect x86/mce/amd: Add default names for MCA banks and blocks iio: hid-sensor-prox: Fix incorrect OFFSET calculation mm/zsmalloc: do not pass __GFP_MOVABLE if CONFIG_COMPACTION=n mm/zsmalloc.c: convert to use kmem_cache_zalloc in cache_alloc_zspage() net: usbnet: Fix the wrong netif_carrier_on() call net: usbnet: Avoid potential RCU stall on LINK_CHANGE event PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value kbuild: Add KBUILD_CPPFLAGS to as-option invocation kbuild: add $(CLANG_FLAGS) to KBUILD_CPPFLAGS kbuild: Add CLANG_FLAGS to as-instr mips: Include KBUILD_CPPFLAGS in CHECKFLAGS invocation kbuild: Update assembler calls to use proper flags and language target ARM: 9448/1: Use an absolute path to unified.h in KBUILD_AFLAGS usb: dwc3: Ignore late xferNotReady event to prevent halt timeout USB: storage: Ignore driver CD mode for Realtek multi-mode Wi-Fi dongles usb: storage: realtek_cr: Use correct byte order for bcs->Residue USB: storage: Add unusual-devs entry for Novatek NTK96550-based camera usb: quirks: Add DELAY_INIT quick for another SanDisk 3.2Gen1 Flash Drive iio: proximity: isl29501: fix buffered read on big-endian systems ftrace: Also allocate and copy hash for reading of filter files fpga: zynq_fpga: Fix the wrong usage of dma_map_sgtable() fs/buffer: fix use-after-free when call bh_read() helper drm/amd/display: Fix fractional fb divider in set_pixel_clock_v3 media: venus: Add a check for packet size after reading from shared memory media: ov2659: Fix memory leaks in ov2659_probe() media: usbtv: Lock resolution while streaming media: gspca: Add bounds checking to firmware parser jbd2: prevent softlockup in jbd2_log_do_checkpoint() PCI: endpoint: Fix configfs group removal on driver teardown PCI: endpoint: Fix configfs group list head handling mtd: rawnand: fsmc: Add missing check after DMA map wifi: brcmsmac: Remove const 
from tbl_ptr parameter in wlc_lcnphy_common_read_table() zynq_fpga: use sgtable-based scatterlist wrappers ata: libata-scsi: Fix ata_to_sense_error() status handling ext4: fix reserved gdt blocks handling in fsmap ext4: fix fsmap end of range reporting with bigalloc ext4: check fast symlink for ea_inode correctly Revert "vgacon: Add check for vc_origin address range in vgacon_scroll()" vt: defkeymap: Map keycodes above 127 to K_HOLE usb: gadget: udc: renesas_usb3: fix device leak at unbind usb: atm: cxacru: Merge cxacru_upload_firmware() into cxacru_heavy_init() m68k: Fix lost column on framebuffer debug console serial: 8250: fix panic due to PSLVERR media: uvcvideo: Do not mark valid metadata as invalid media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format() btrfs: fix log tree replay failure due to file with 0 links and extents thunderbolt: Fix copy+paste error in match_service_id() misc: rtsx: usb: Ensure mmc child device is active when card is present scsi: lpfc: Remove redundant assignment to avoid memory leak rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe pNFS: Fix uninited ptr deref in block/scsi layout pNFS: Fix disk addr range check in block/scsi layout pNFS: Fix stripe mapping in block/scsi layout ipmi: Fix strcpy source and destination the same kconfig: lxdialog: fix 'space' to (de)select options kconfig: gconf: fix potential memory leak in renderer_edited() kconfig: gconf: avoid hardcoding model2 in on_treeview2_cursor_changed() scsi: aacraid: Stop using PCI_IRQ_AFFINITY scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans kconfig: nconf: Ensure null termination where strncpy is used kconfig: lxdialog: replace strcpy() with strncpy() in inputbox.c PCI: pnv_php: Work around switches with broken presence detection media: uvcvideo: Fix bandwidth issue for Alcor camera media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar media: dvb-frontends: dib7090p: fix 
null-ptr-deref in dib7090p_rw_on_apb() media: usb: hdpvr: disable zero-length read messages media: tc358743: Increase FIFO trigger level to 374 media: tc358743: Return an appropriate colorspace from tc358743_set_fmt media: tc358743: Check I2C succeeded during probe pinctrl: stm32: Manage irq affinity settings scsi: mpt3sas: Correctly handle ATA device errors RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask() MIPS: Don't crash in stack_top() for tasks without ABI or vDSO jfs: upper bound check of tree index in dbAllocAG jfs: Regular file corruption check jfs: truncate good inode pages when hard link is 0 scsi: bfa: Double-free fix MIPS: vpe-mt: add missing prototypes for vpe_{alloc,start,stop,free} watchdog: dw_wdt: Fix default timeout fs/orangefs: use snprintf() instead of sprintf() scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr vhost: fail early when __vhost_add_used() fails uapi: in6: restore visibility of most IPv6 socket options net: ncsi: Fix buffer overflow in fetching version id net: dsa: b53: fix b53_imp_vlan_setup for BCM5325 net: vlan: Replace BUG() with WARN_ON_ONCE() in vlan_dev_* stubs wifi: iwlegacy: Check rate_idx range after addition netmem: fix skb_frag_address_safe with unreadable skbs wifi: rtlwifi: fix possible skb memory leak in `_rtl_pci_rx_interrupt()`. 
wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd() net: fec: allow disable coalescing (powerpc/512) Fix possible `dma_unmap_single()` on uninitialized pointer s390/stp: Remove udelay from stp_sync_clock() wifi: iwlwifi: mvm: fix scan request validation net: thunderx: Fix format-truncation warning in bgx_acpi_match_id() net: ipv4: fix incorrect MTU in broadcast routes wifi: cfg80211: Fix interface type validation et131x: Add missing check after DMA map be2net: Use correct byte order and format string for TCP seq and ack_seq s390/time: Use monotonic clock in get_cycles() wifi: cfg80211: reject HTC bit for management frames ktest.pl: Prevent recursion of default variable options ASoC: codecs: rt5640: Retry DEVICE_ID verification ALSA: usb-audio: Avoid precedence issues in mixer_quirks macros ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control platform/x86: thinkpad_acpi: Handle KCOV __init vs inline mismatches pm: cpupower: Fix the snapshot-order of tsc,mperf, clock in mperf_stop() ALSA: intel8x0: Fix incorrect codec index usage in mixer for ICH4 ASoC: hdac_hdmi: Rate limit logging on connection and disconnection mmc: rtsx_usb_sdmmc: Fix error-path in sd_set_power_mode() ACPI: processor: fix acpi_object initialization PM: sleep: console: Fix the black screen issue thermal: sysfs: Return ENODATA instead of EAGAIN for reads selftests: tracing: Use mutex_unlock for testing glob filter ARM: tegra: Use I/O memcpy to write to IRAM gpio: tps65912: check the return value of regmap_update_bits() ASoC: soc-dapm: set bias_level if snd_soc_dapm_set_bias_level() was successed cpufreq: Exit governor when failed to start old governor usb: xhci: Avoid showing errors during surprise removal usb: xhci: Set avg_trb_len = 8 for EP0 during Address Device Command usb: xhci: Avoid showing warnings for dying controller selftests/futex: Define SYS_futex on 32-bit architectures with 64-bit time_t usb: xhci: print xhci->xhc_state when queue_command failed securityfs: don't 
pin dentries twice, once is enough... hfs: fix not erasing deleted b-tree node issue drbd: add missing kref_get in handle_write_conflicts arm64: Handle KCOV __init vs inline mismatches hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file() hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read() hfs: fix slab-out-of-bounds in hfs_bnode_read() sctp: linearize cloned gso packets in sctp_rcv netfilter: ctnetlink: fix refcount leak on table dump udp: also consider secpath when evaluating ipsec use for checksumming fs: Prevent file descriptor table allocations exceeding INT_MAX sunvdc: Balance device refcount in vdc_port_mpgroup_check NFSD: detect mismatch of file handle and delegation stateid in OPEN op net: dpaa: fix device leak when querying time stamp info net: gianfar: fix device leak when querying time stamp info netlink: avoid infinite retry looping in netlink_unicast() ALSA: usb-audio: Validate UAC3 cluster segment descriptors ALSA: usb-audio: Validate UAC3 power domain descriptors, too usb: gadget : fix use-after-free in composite_dev_cleanup() MIPS: mm: tlb-r4k: Uniquify TLB entries on init USB: serial: option: add Foxconn T99W709 vsock: Do not allow binding to VMADDR_PORT_ANY net/packet: fix a race in packet_set_ring() and packet_notifier() perf/core: Prevent VMA split of buffer mappings perf/core: Exit early on perf_mmap() fail perf/core: Don't leak AUX buffer refcount on allocation failure pptp: fix pptp_xmit() error path smb: client: let recv_done() cleanup before notifying the callers. 
benet: fix BUG when creating VFs ipv6: reject malicious packets in ipv6_gso_segment() pptp: ensure minimal skb length in pptp_xmit() netpoll: prevent hanging NAPI when netcons gets enabled NFS: Fix filehandle bounds checking in nfs_fh_to_dentry() pci/hotplug/pnv-php: Wrap warnings in macro pci/hotplug/pnv-php: Improve error msg on power state change failure usb: chipidea: udc: fix sleeping function called from invalid context f2fs: fix to avoid out-of-boundary access in devs.path f2fs: fix to avoid UAF in f2fs_sync_inode_meta() rtc: pcf8563: fix incorrect maximum clock rate handling rtc: hym8563: fix incorrect maximum clock rate handling rtc: ds1307: fix incorrect maximum clock rate handling mtd: rawnand: atmel: set pmecc data setup time mtd: rawnand: atmel: Fix dma_mapping_error() address jfs: fix metapage reference count leak in dbAllocCtl fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref crypto: qat - fix seq_file position update in adf_ring_next() dmaengine: nbpfaxi: Add missing check after DMA map dmaengine: mv_xor: Fix missing check after DMA map and missing unmap fs/orangefs: Allow 2 more characters in do_c_string() crypto: img-hash - Fix dma_unmap_sg() nents value scsi: isci: Fix dma_unmap_sg() nents value scsi: mvsas: Fix dma_unmap_sg() nents value scsi: ibmvscsi_tgt: Fix dma_unmap_sg() nents value perf tests bp_account: Fix leaked file descriptor crypto: ccp - Fix crash when rebind ccp device for ccp.ko pinctrl: sunxi: Fix memory leak on krealloc failure power: supply: max14577: Handle NULL pdata when CONFIG_OF is not set clk: davinci: Add NULL check in davinci_lpsc_clk_register() mtd: fix possible integer overflow in erase_xfer() crypto: marvell/cesa - Fix engine load inaccuracy PCI: rockchip-host: Fix "Unexpected Completion" log message vrf: Drop existing dst reference in vrf_ip6_input_dst netfilter: xt_nfacct: don't assume acct name is null-terminated can: kvaser_usb: Assign netdev.dev_port based on device channel index wifi: brcmfmac: fix 
P2P discovery failure in P2P peer due to missing P2P IE Reapply "wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()" mwl8k: Add missing check after DMA map wifi: rtl8xxxu: Fix RX skb size for aggregation disabled net/sched: Restrict conditions for adding duplicating netems to qdisc tree arch: powerpc: defconfig: Drop obsolete CONFIG_NET_CLS_TCINDEX netfilter: nf_tables: adjust lockdep assertions handling drm/amd/pm/powerplay/hwmgr/smu_helper: fix order of mask and value m68k: Don't unregister boot console needlessly tcp: fix tcp_ofo_queue() to avoid including too much DUP SACK range iwlwifi: Add missing check for alloc_ordered_workqueue wifi: iwlwifi: Fix memory leak in iwl_mvm_init() wifi: rtl818x: Kill URBs before clearing tx status queue caif: reduce stack size, again staging: nvec: Fix incorrect null termination of battery manufacturer samples: mei: Fix building on musl libc usb: early: xhci-dbc: Fix early_ioremap leak Revert "vmci: Prevent the dispatching of uninitialized payloads" pps: fix poll support vmci: Prevent the dispatching of uninitialized payloads staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc() ARM: dts: vfxxx: Correctly use two tuples for timer address ASoC: ops: dynamically allocate struct snd_ctl_elem_value hfsplus: remove mutex_lock check in hfsplus_free_extents ASoC: Intel: fix SND_SOC_SOF dependencies ethernet: intel: fix building with large NR_CPUS usb: phy: mxs: disconnect line when USB charger is attached usb: chipidea: udc: protect usb interrupt enable usb: chipidea: udc: add new API ci_hdrc_gadget_connect comedi: comedi_test: Fix possible deletion of uninitialized timers nilfs2: reject invalid file types when reading inodes i2c: qup: jump out of the loop in case of timeout net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in qfq_delete_class net: appletalk: Fix use-after-free in AARP proxy probe net: appletalk: fix kerneldoc warnings RDMA/core: Rate limit GID cache warning 
messages usb: hub: fix detection of high tier USB3 devices behind suspended hubs net_sched: sch_sfq: reject invalid perturb period net_sched: sch_sfq: move the limit validation net_sched: sch_sfq: use a temporary work area for validating configuration net_sched: sch_sfq: don't allow 1 packet limit net_sched: sch_sfq: handle bigger packets net_sched: sch_sfq: annotate data-races around q->perturb_period power: supply: bq24190_charger: Fix runtime PM imbalance on error xhci: Disable stream for xHC controller with XHCI_BROKEN_STREAMS virtio-net: ensure the received length does not exceed allocated size usb: dwc3: qcom: Don't leave BCR asserted usb: musb: fix gadget state on disconnect net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime Bluetooth: L2CAP: Fix attempting to adjust outgoing MTU Bluetooth: SMP: Fix using HCI_ERROR_REMOTE_USER_TERM on timeout Bluetooth: SMP: If an unallowed command is received consider it a failure Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() usb: net: sierra: check for no status endpoint net/sched: sch_qfq: Fix race condition on qfq_aggregate net: emaclite: Fix missing pointer increment in aligned_read() comedi: Fix use of uninitialized data in insn_rw_emulate_bits() comedi: Fix some signed shift left operations comedi: das6402: Fix bit shift out of bounds comedi: das16m1: Fix bit shift out of bounds comedi: aio_iiro_16: Fix bit shift out of bounds comedi: pcl812: Fix bit shift out of bounds iio: adc: max1363: Reorder mode_list[] entries iio: adc: max1363: Fix MAX1363_4X_CHANS/MAX1363_8X_CHANS[] soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled soc: aspeed: lpc-snoop: Cleanup resources in stack-order mmc: sdhci-pci: Quirk for broken command queuing on Intel GLK-based Positivo models memstick: core: Zero initialize id_reg in h_memstick_read_dev_id() isofs: Verify inode mode when loading from disk dmaengine: nbpfaxi: 
Fix memory corruption in probe() af_packet: fix soft lockup issue caused by tpacket_snd() af_packet: fix the SO_SNDTIMEO constraint not effective on tpacked_snd() phonet/pep: Move call to pn_skb_get_dst_sockaddr() earlier in pep_sock_accept() HID: core: do not bypass hid_hw_raw_request HID: core: ensure __hid_request reserves the report ID as the first byte HID: core: ensure the allocated report buffer can contain the reserved report ID pch_uart: Fix dma_sync_sg_for_device() nents value Input: xpad - set correct controller type for Acer NGR200 i2c: stm32: fix the device used for the DMA map usb: gadget: configfs: Fix OOB read on empty string write USB: serial: ftdi_sio: add support for NDI EMGUIDE GEMINI USB: serial: option: add Foxconn T99W640 USB: serial: option: add Telit Cinterion FE910C04 (ECM) composition dma-mapping: add generic helpers for mapping sgtable objects usb: renesas_usbhs: Flush the notify_hotplug_work gpio: rcar: Use raw_spinlock to protect register access Change-Id: Ia6b8b00918487999c648f298d3550afc7eaaae03 Signed-off-by: bengris32 <bengris32@protonmail.ch> |
||
|
|
e992b26aa5 |
BACKPORT: ext4: convert fault handler to use vm_fault_t type
Return type of ext4_page_mkwrite and ext4_filemap_fault are changed to use vm_fault_t type. With this patch all the callers of block_page_mkwrite_return() are changed to handle vm_fault_t. So converting the return type of block_page_mkwrite_return() to vm_fault_t. Add these changes for msm drivers as well. Change-Id: I4a274cc17da41dfbe34f4eaefff22db4a1754329 Signed-off-by: Souptick Joarder <jrdr.linux@gmail.com> Signed-off-by: Theodore Ts'o <tytso@mit.edu> Reviewed-by: Matthew Wilcox <willy@infradead.org> |
||
|
|
0fcb75291f |
BACKPORT: mm: remove the pgprot argument to __vmalloc
The pgprot argument to __vmalloc is always PAGE_KERNEL now, so remove it. Change-Id: Iae5854c7005dec82942db58215d615a10bde1f31 Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Reviewed-by: Michael Kelley <mikelley@microsoft.com> [hyperv] Acked-by: Gao Xiang <xiang@kernel.org> [erofs] Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org> Acked-by: Wei Liu <wei.liu@kernel.org> Cc: Christian Borntraeger <borntraeger@de.ibm.com> Cc: Christophe Leroy <christophe.leroy@c-s.fr> Cc: Daniel Vetter <daniel.vetter@ffwll.ch> Cc: David Airlie <airlied@linux.ie> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Haiyang Zhang <haiyangz@microsoft.com> Cc: Johannes Weiner <hannes@cmpxchg.org> Cc: "K. Y. Srinivasan" <kys@microsoft.com> Cc: Laura Abbott <labbott@redhat.com> Cc: Mark Rutland <mark.rutland@arm.com> Cc: Minchan Kim <minchan@kernel.org> Cc: Nitin Gupta <ngupta@vflare.org> Cc: Robin Murphy <robin.murphy@arm.com> Cc: Sakari Ailus <sakari.ailus@linux.intel.com> Cc: Stephen Hemminger <sthemmin@microsoft.com> Cc: Sumit Semwal <sumit.semwal@linaro.org> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Catalin Marinas <catalin.marinas@arm.com> Cc: Heiko Carstens <heiko.carstens@de.ibm.com> Cc: Paul Mackerras <paulus@ozlabs.org> Cc: Vasily Gorbik <gor@linux.ibm.com> Cc: Will Deacon <will@kernel.org> Link: http://lkml.kernel.org/r/20200414131348.444715-22-hch@lst.de Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
||
|
|
371880d690 |
Revert "[ALPS04983389] fs: make some fault handlers support spf"
This reverts commit
|
||
|
|
0f2bb59b37 |
ext4: fix reserved gdt blocks handling in fsmap
commit 3ffbdd1f1165f1b2d6a94d1b1aabef57120deaf7 upstream.
In some cases like small FSes with no meta_bg and where the resize
doesn't need extra gdt blocks as it can fit in the current one,
s_reserved_gdt_blocks is set as 0, which causes fsmap to emit a 0
length entry, which is incorrect.
$ mkfs.ext4 -b 65536 -O bigalloc /dev/sda 5G
$ mount /dev/sda /mnt/scratch
$ xfs_io -c "fsmap -d" /mnt/scartch
0: 253:48 [0..127]: static fs metadata 128
1: 253:48 [128..255]: special 102:1 128
2: 253:48 [256..255]: special 102:2 0 <---- 0 len entry
3: 253:48 [256..383]: special 102:3 128
Fix this by adding a check for this case.
Cc: stable@kernel.org
Fixes:
|
||
|
|
2a596acb42 |
ext4: fix fsmap end of range reporting with bigalloc
commit bae76c035bf0852844151e68098c9b7cd63ef238 upstream.
With bigalloc enabled, the logic to report last extent has a bug since
we try to use cluster units instead of block units. This can cause an
issue where extra incorrect entries might be returned back to the
user. This was flagged by generic/365 with 64k bs and -O bigalloc.
** Details of issue **
The issue was noticed on 5G 64k blocksize FS with -O bigalloc which has
only 1 bg.
$ xfs_io -c "fsmap -d" /mnt/scratch
0: 253:48 [0..127]: static fs metadata 128 /* sb */
1: 253:48 [128..255]: special 102:1 128 /* gdt */
3: 253:48 [256..383]: special 102:3 128 /* block bitmap */
4: 253:48 [384..2303]: unknown 1920 /* flex bg empty space */
5: 253:48 [2304..2431]: special 102:4 128 /* inode bitmap */
6: 253:48 [2432..4351]: unknown 1920 /* flex bg empty space */
7: 253:48 [4352..6911]: inodes 2560
8: 253:48 [6912..538623]: unknown 531712
9: 253:48 [538624..10485759]: free space
|
||
|
|
7db0b8e039 |
ext4: check fast symlink for ea_inode correctly
commit b4cc4a4077268522e3d0d34de4b2dc144e2330fa upstream.
The check for a fast symlink in the presence of only an
external xattr inode is incorrect. If a fast symlink does
not have an xattr block (i_file_acl == 0), but does have
an external xattr inode that increases inode i_blocks, then
the check for a fast symlink will incorrectly fail and
__ext4_iget()->ext4_ind_check_inode() will report the inode
is corrupt when it "validates" i_data[] on the next read:
# ln -s foo /mnt/tmp/bar
# setfattr -h -n trusted.test \
-v "$(yes | head -n 4000)" /mnt/tmp/bar
# umount /mnt/tmp
# mount /mnt/tmp
# ls -l /mnt/tmp
ls: cannot access '/mnt/tmp/bar': Structure needs cleaning
total 4
? l?????????? ? ? ? ? ? bar
# dmesg | tail -1
EXT4-fs error (device dm-8): __ext4_iget:5098:
inode #24578: block 7303014: comm ls: invalid block
(note that "block 7303014" = 0x6f6f66 = "foo" in LE order).
ext4_inode_is_fast_symlink() should check the superblock
EXT4_FEATURE_INCOMPAT_EA_INODE feature flag, not the inode
EXT4_EA_INODE_FL, since the latter is only set on the xattr
inode itself, and not on the inode that uses this xattr.
Cc: stable@vger.kernel.org
Fixes:
|
||
|
|
bef40c597c |
ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr
[ Upstream commit 099b847ccc6c1ad2f805d13cfbcc83f5b6d4bc42 ] A syzbot fuzzed image triggered a BUG_ON in ext4_update_inline_data() when an inode had the INLINE_DATA_FL flag set but was missing the system.data extended attribute. Since this can happen due to a maliciously fuzzed file system, we shouldn't BUG, but rather, report it as a corrupted file system. Add similar replacements of BUG_ON with EXT4_ERROR_INODE() in ext4_create_inline_data() and ext4_inline_data_truncate(). Reported-by: syzbot+544248a761451c0df72f@syzkaller.appspotmail.com Signed-off-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Ulrich Hecht <uli@kernel.org> |
||
|
|
3b5670d492 |
Merge branch 'linux-4.19.y-cip' of https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip into lineage-22.2
* 'linux-4.19.y-cip' of https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip: CIP: Bump version suffix to -cip122 after merge from cip/linux-4.19.y-st tree Update localversion-st, tree is up-to-date with 5.4.295. ARM: dts: am335x-bone-common: Increase MDIO reset deassert delay to 50ms ARM: dts: am335x-bone-common: Increase MDIO reset deassert time ARM: dts: am335x-bone-common: Add GPIO PHY reset on revision C3 board ARM: dts: am335x-bone-common: get rid of phy_id property mtd: nand: sunxi: Add randomizer configuration before randomizer enable mtd: rawnand: sunxi: Add randomizer configuration in sunxi_nfc_hw_ecc_write_chunk sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() bridge: netfilter: Fix forwarding of fragmented packets vxlan: Annotate FDB data races hwmon: (gpio-fan) Add missing mutex locks nfs: handle failure of nfs_get_lock_context in unlock path sch_htb: make htb_deactivate() idempotent scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops arm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth() perf: Fix sample vs do_exit() jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata() mm/huge_memory: fix dereferencing invalid pmd migration entry posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() net: atm: fix /proc/net/atm/lec handling net: atm: add lec_mutex calipso: Fix null-ptr-deref in calipso_req_{set,del}attr(). tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer atm: atmtcp: Free invalid length skb in atmtcp_c_send(). mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu(). 
wifi: carl9170: do not ping device which has failed to load firmware drm/nouveau/bl: increase buffer size to avoid truncate warning ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged ALSA: hda/intel: Add Thinkpad E15 to PM deny list Input: sparcspkr - avoid unannotated fall-through HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() atm: Revert atm_account_tx() if copy_from_iter_full() fails. selinux: fix selinux_xfrm_alloc_user() to set correct ctx_len scsi: s390: zfcp: Ensure synchronous unit_add jffs2: check jffs2_prealloc_raw_node_refs() result in few other places jffs2: check that raw node were preallocated before writing summary drivers/rapidio/rio_cm.c: prevent possible heap overwrite Revert "x86/bugs: Make spectre user default depend on MITIGATION_SPECTRE_V2" on v6.6 and older powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH recovery platform/x86: dell_rbu: Stop overwriting data buffer tee: Prevent size calculation wraparound on 32-bit kernels ARM: OMAP2+: Fix l4ls clk domain handling in STANDBY bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value watchdog: da9052_wdt: respect TWDMIN i40e: fix MMIO write access to an invalid page in i40e_clear_hw sock: Correct error checking condition for (assign|release)_proto_idx() vxlan: Do not treat dst cache initialization errors as fatal clk: rockchip: rk3036: mark ddrphy as critical wifi: mac80211: do not offer a mesh path if forwarding is disabled net: mlx4: add SOF_TIMESTAMPING_TX_SOFTWARE flag when getting ts info pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get() pinctrl: armada-37xx: propagate error from armada_37xx_pmx_gpio_set_direction() pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get_direction() pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name() ipv4/route: Use this_cpu_inc() for stats on PREEMPT_RT tcp: always seek for minimal rtt in tcp_rcv_rtt_update() net: dlink: add synchronization for stats update 
sctp: Do not wake readers in __sctp_write_space() emulex/benet: correct command version selection in be_cmd_get_stats() i2c: designware: Invoke runtime suspend on quick slave re-registration net: macb: Check return value of dma_set_mask_and_coherent() cpufreq: Force sync policy boost with global boost on sysfs update nios2: force update_mmu_cache on spurious tlb-permission--related pagefaults media: platform: exynos4-is: Add hardware sync wait to fimc_is_hw_change_mode() media: tc358743: ignore video while HPD is low drm/amdkfd: Set SDMA_RLCx_IB_CNTL/SWITCH_INSIDE_IB jfs: Fix null-ptr-deref in jfs_ioc_trim drm/amdgpu/gfx9: fix CSIB handling drm/amdgpu/gfx8: fix CSIB handling jfs: fix array-index-out-of-bounds read in add_missing_indices drm/amdgpu/gfx7: fix CSIB handling drm/amd/display: Add NULL pointer checks in dm_force_atomic_commit() media: uapi: v4l: Fix V4L2_TYPE_IS_OUTPUT condition sunrpc: update nextcheck time when adding new cache entries drm/amdgpu/gfx6: fix CSIB handling ACPI: battery: negate current when discharging power: supply: bq27xxx: Retrieve again when busy ACPICA: fix acpi parse and parseext cache leaks ACPICA: Avoid sequence overread in call to strncmp() ACPICA: fix acpi operand cache leak in dswstate.c PCI: Fix lock symmetry in pci_slot_unlock() regulator: max14577: Add error check for max14577_read_reg() staging: iio: ad5933: Correct settling cycles encoding per datasheet net: ch9200: fix uninitialised access during mii_nway_restart ftrace: Fix UAF when lookup kallsym after ftrace disabled dm-mirror: fix a tiny race condition mm: fix ratelimit_pages update error in dirty_ratio_handler() ipc: fix to protect IPCS lookups using RCU parisc: fix building with gcc-15 vgacon: Add check for vc_origin address range in vgacon_scroll() NFC: nci: uart: Set tty->disc_data only in success path f2fs: prevent kernel warning due to negative i_nlink from corrupted image Input: ims-pcu - check record size in ims_pcu_flash_firmware() ext4: fix calculation of 
credits for extent tree modification ext4: inline: fix len overflow in ext4_prepare_inline_data ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330 media: v4l2-dev: fix error handling in __video_register_device() media: gspca: Add error handling for stv06xx_read_sensor() wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723 nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() gfs2: move msleep to sleepable context configfs: Do not override creating attribute file failure in populate_attrs() calipso: unlock rcu before returning -EAFNOSUPPORT usb: Flush altsetting 0 endpoints before reinitializating them after reset. fs/filesystems: Fix potential unsigned integer underflow in fs_name() net/mdiobus: Fix potential out-of-bounds read/write access MIPS: Move '-Wa,-msoft-float' check from as-option to cc-option x86/boot/compressed: prefer cc-option for CFLAGS additions net: mdio: C22 is now optional, EOPNOTSUPP if not provided i40e: retry VFLR handling if there is ongoing VF reset i40e: return false from i40e_reset_vf if reset is in progress net_sched: sch_sfq: fix a potential crash on gso_skb handling scsi: iscsi: Fix incorrect error path labels for flashnode operations NFSD: Fix NFSv3 SETATTR/CREATE's handling of large file sizes NFSD: Fix ia_size underflow Input: synaptics-rmi - fix crash with unsupported versions of F34 Input: synaptics-rmi4 - convert to use sysfs_emit() APIs do_change_type(): refuse to operate on unmounted/not ours mounts net/mlx4_en: Prevent potential integer overflow calculating Hz rtc: Fix offset calculation for .start_secs < 0 rtc: sh: assign correct interrupts with DT perf tests switch-tracking: Fix timestamp comparison mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in exynos_lpass_remove() rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send() perf ui 
browser hists: Set actions->thread before calling do_zoom_thread() fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() soc: aspeed: lpc: Fix impossible judgment condition arm64: dts: rockchip: disable unrouted USB controllers and PHY on RK3399 Puma with Haikou ARM: dts: qcom: apq8064 merge hw splinlock into corresponding syscon device bus: fsl-mc: fix double-free on mc_dev nilfs2: do not propagate ENOENT error from nilfs_btree_propagate() nilfs2: add pointer check for nilfs_direct_propagate() Squashfs: check return result of sb_min_blocksize ARM: dts: at91: at91sam9263: fix NAND chip selects ARM: dts: at91: usb_a9263: fix GPIO for Dataflash chip select f2fs: fix to correct check conditions in f2fs_cross_rename f2fs: use d_inode(dentry) cleanup dentry->d_inode calipso: Don't call calipso functions for AF_INET sk. net: lan743x: rename lan743x_reset_phy to lan743x_hw_reset_phy wifi: ath9k_htc: Abort software beacon handling if disabled bpf: Fix WARN() in get_bpf_raw_tp_regs pinctrl: at91: Fix possible out-of-boundary access net: ncsi: Fix GCPS 64-bit member variables f2fs: fix to do sanity check on sbi->total_valid_block_count drm/tegra: rgb: Fix the unbound reference count drm: rcar-du: Fix memory leak in rcar_du_vsps_init() selftests/seccomp: fix syscall_restart test for arm compat firmware: psci: Fix refcount leak in psci_dt_init m68k: mac: Fix macintosh_config for Mac II drm/vmwgfx: Add seqno waiter for sync_files ACPI: OSI: Stop advertising support for "3.0 _SCP Extensions" x86/mtrr: Check if fixed-range MTRRs exist in mtrr_save_fixed_ranges() crypto: marvell/cesa - Avoid empty transfer descriptor crypto: marvell/cesa - Handle zero-length skcipher requests x86/cpu: Sanitize CPUID(0x80000000) output perf/core: Fix broken throttling when max_samples_per_tick=1 gfs2: gfs2_create_inode error handling fix netfilter: nft_socket: fix sk refcount leaks thunderbolt: Do not double dequeue a configuration 
request usb: usbtmc: Fix timeout value in get_stb usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE pinctrl: armada-37xx: set GPIO output value before setting direction pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31 tracing: Fix compilation warning on arm32 platform/x86: thinkpad_acpi: Ignore battery threshold change event notification platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys spi: spi-sun4i: fix early activation um: let 'make clean' properly clean underlying SUBARCH as well platform/x86: thinkpad_acpi: Support also NEC Lavie X1475JAS nfs: don't share pNFS DS connections between net namespaces HID: quirks: Add ADATA XPG alpha wireless mouse support coredump: fix error handling for replace_fd() smb: client: Reset all search buffer pointers when releasing buffer smb: client: Fix use-after-free in cifs_fill_dirent drm/i915/gvt: fix unterminated-string-initialization warning netfilter: nf_tables: do not defer rule destruction via call_rcu netfilter: nf_tables: wait for rcu grace period on net_device removal netfilter: nf_tables: pass nft_chain to destroy function, not nft_ctx mm/page_alloc.c: avoid infinite retries caused by cpuset race llc: fix data loss when reading from a socket in llc_ui_recvmsg() ALSA: pcm: Fix race of buffer access at PCM OSS layer can: bcm: add missing rcu read protection for procfs content can: bcm: add locking for bcm_op runtime updates crypto: algif_hash - fix double free in hash_accept net: dwmac-sun8i: Use parsed internal PHY address instead of 1 __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock xenbus: Allow PVH dom0 a non-local xenstore btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref ASoC: Intel: bytcr_rt5640: Add DMI quirk for Acer Aspire SW3-013 pinctrl: meson: define the pull up/down resistor value as 60 kOhm drm: Add valid clones check regulator: ad5398: Add device tree support 
bpftool: Fix readlink usage in get_fd_type HID: usbkbd: Fix the bit shift number for LED_KANA scsi: st: Restore some drive settings after reset scsi: lpfc: Handle duplicate D_IDs in ndlp search-by D_ID routine hwmon: (xgene-hwmon) use appropriate type for the latency value ip: fib_rules: Fetch net from fib_rule in fib[46]_rule_configure(). net/mlx5: Extend Ethtool loopback selftest to support non-linear SKB net/mlx4_core: Avoid impossible mlx4_db_alloc() order value smack: recognize ipv4 CIPSO w/o categories pinctrl: devicetree: do not goto err when probing hogs in pinctrl_dt_to_map ASoC: ops: Enforce platform maximum on initial value ACPI: HED: Always initialize before evged PCI: Fix old_size lower bound in calculate_iosize() too EDAC/ie31200: work around false positive build warning net: pktgen: fix access outside of user given buffer in pktgen_thread_write() MIPS: pm-cps: Use per-CPU variables as per-CPU, not per-core MIPS: Use arch specific syscall name match function cpuidle: menu: Avoid discarding useful information x86/nmi: Add an emergency handler in nmi_desc & use it in nmi_shootdown_cpus() bonding: report duplicate MAC address in all situations net: xgene-v2: remove incorrect ACPI_PTR annotation x86/bugs: Make spectre user default depend on MITIGATION_SPECTRE_V2 net: pktgen: fix mpls maximum labels list parsing pinctrl: bcm281xx: Use "unsigned int" instead of bare "unsigned" media: cx231xx: set device_caps for 417 dm cache: prevent BUG_ON by blocking retries on failed device resumes media: c8sectpfe: Call of_node_put(i2c_bus) only once in c8sectpfe_probe() ARM: tegra: Switch DSI-B clock parent to PLLD on Tegra114 ieee802154: ca8210: Use proper setters and getters for bitwise types rtc: ds1307: stop disabling alarms on probe powerpc/prom_init: Fixup missing #size-cells on PowerBook6,7 mmc: sdhci: Disable SD card clock before changing parameters posix-timers: Add cond_resched() to posix_timer_add() search loop xen: Add support for XenServer 6.1 platform 
device dm: restrict dm device size to 2^63-512 bytes kbuild: fix argument parsing in scripts/config scsi: st: ERASE does not change tape location scsi: st: Tighten the page format heuristics with MODE SELECT ext4: reorder capability check last um: Update min_low_pfn to match changes in uml_reserved um: Store full CSGSFS and SS register from mcontext btrfs: send: return -ENAMETOOLONG when attempting a path that is too long btrfs: avoid linker error in btrfs_find_create_tree_block() i2c: pxa: fix call balance of i2c->clk handling routines mmc: host: Wait for Vdd to settle on card power off pNFS/flexfiles: Report ENETDOWN as a connection error tools/build: Don't pass test log files to linker dql: Fix dql->limit value when reset. SUNRPC: rpc_clnt_set_transport() must not change the autobind setting NFSv4: Treat ENETUNREACH errors as fatal for state recovery fbdev: core: tileblit: Implement missing margin clearing for tileblit fbdev: fsl-diu-fb: add missing device_remove_file() mailbox: use error ret code of of_parse_phandle_with_args() kconfig: merge_config: use an empty file as initfile cgroup: Fix compilation issue due to cgroup_mutex not being exported dma-mapping: avoid potential unused data compilation warning scsi: target: iscsi: Fix timeout on deleted connection openvswitch: Fix unsafe attribute parsing in output_userspace() Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 Input: synaptics - enable SMBus for HP Elitebook 850 G1 phy: Fix error handling in tegra_xusb_port_init ALSA: es1968: Add error handling for snd_pcm_hw_constraint_pow2() ACPI: PPTT: Fix processor subtable walk qlcnic: fix memory leak in qlcnic_sriov_channel_cfg_cmd() ALSA: sh: SND_AICA should depend on SH_DMA_API spi: loopback-test: Do not split 1024-byte hexdumps RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug staging: axis-fifo: Correct handling of tx_fifo_depth for size validation staging: axis-fifo: avoid parsing ignored device tree properties 
platform/x86: asus-wmi: Fix wlan_ctrl_by_user detection do_umount(): add missing barrier before refcount checks in sync case MIPS: Fix MAX_REG_OFFSET iio: adc: dln2: Use aligned_s64 for timestamp types: Complement the aligned types with signed 64-bit one USB: usbtmc: use interruptible sleep in usbtmc_read usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition ocfs2: stop quota recovery before disabling quotas ocfs2: implement handshaking with ocfs2 recovery thread ocfs2: switch osb->disable_recovery to enum module: ensure that kobject_put() is safe for module type kobjects xenbus: Use kref to track req lifetime usb: uhci-platform: Make the clock really optional iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo iio: adis16201: Correct inclinometer channel resolution Input: synaptics - enable InterTouch on Dell Precision M3800 Input: synaptics - enable InterTouch on Dynabook Portege X30L-G Input: synaptics - enable InterTouch on Dynabook Portege X30-D net: dsa: b53: fix learning on VLAN unaware bridges scsi: target: Fix WRITE_SAME No Data Buffer crash dm: fix copying after src array boundaries iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid irqchip/gic-v2m: Add const to of_device_id sch_htb: make htb_qlen_notify() idempotent of: module: add buffer overflow check in of_modalias() net: fec: ERR007885 Workaround for conventional TX lan743x: remove redundant initialization of variable current_head_index net: dlink: Correct endianness handling of led_mode tracing: Fix oob write in trace_seq_to_buffer() dm: always update the array size in realloc_argv on success wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() amd-xgbe: Fix to ensure dependent features are toggled with RX checksum offload i2c: imx-lpi2c: Fix clock count when probe defers EDAC/altera: Set DDR and SDMMC interrupt mask before registration EDAC/altera: Test the correct error reg offset signal/m68k: Use force_sigsegv(SIGSEGV) in fpsp040_die 
mmc: sdhci: Do not lock spinlock around mmc_gpio_get_ro() x86/bugs: fix backport error in "x86/bugs: Don't fill RSB on VMEXIT with eIBRS+retpoline" Change-Id: Ia48bfc7454e776a311efd14a33b7c414038c8a6d |
||
|
|
b6aa6e3450 |
ext4: fix calculation of credits for extent tree modification
commit 32a93f5bc9b9812fc710f43a4d8a6830f91e4988 upstream.
Luis and David are reporting that after running generic/750 test for 90+
hours on 2k ext4 filesystem, they are able to trigger a warning in
jbd2_journal_dirty_metadata() complaining that there are not enough
credits in the running transaction started in ext4_do_writepages().
Indeed the code in ext4_do_writepages() is racy and the extent tree can
change between the time we compute credits necessary for extent tree
computation and the time we actually modify the extent tree. Thus it may
happen that the number of credits actually needed is higher. Modify
ext4_ext_index_trans_blocks() to count with the worst case of maximum
tree depth. This can reduce the possible number of writers that can
operate in the system in parallel (because the credit estimates now won't
fit in one transaction) but for reasonably sized journals this shouldn't
really be an issue. So just go with a safe and simple fix.
Link: https://lore.kernel.org/all/20250415013641.f2ppw6wov4kn4wq2@offworld
Reported-by: Davidlohr Bueso <dave@stgolabs.net>
Reported-by: Luis Chamberlain <mcgrof@kernel.org>
Tested-by: kdevops@lists.linux.dev
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Link: https://patch.msgid.link/20250429175535.23125-2-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ulrich Hecht <uli@kernel.org>
|
||
|
|
f649e3ef46 |
ext4: inline: fix len overflow in ext4_prepare_inline_data
commit 227cb4ca5a6502164f850d22aec3104d7888b270 upstream.
When running the following code on an ext4 filesystem with inline_data
feature enabled, it will lead to the bug below.
fd = open("file1", O_RDWR | O_CREAT | O_TRUNC, 0666);
ftruncate(fd, 30);
pwrite(fd, "a", 1, (1UL << 40) + 5UL);
That happens because write_begin will succeed as when
ext4_generic_write_inline_data calls ext4_prepare_inline_data, pos + len
will be truncated, leading to ext4_prepare_inline_data parameter to be 6
instead of 0x10000000006.
Then, later when write_end is called, we hit:
BUG_ON(pos + len > EXT4_I(inode)->i_inline_size);
at ext4_write_inline_data.
Fix it by using a loff_t type for the len parameter in
ext4_prepare_inline_data instead of an unsigned int.
[ 44.545164] ------------[ cut here ]------------
[ 44.545530] kernel BUG at fs/ext4/inline.c:240!
[ 44.545834] Oops: invalid opcode: 0000 [#1] SMP NOPTI
[ 44.546172] CPU: 3 UID: 0 PID: 343 Comm: test Not tainted 6.15.0-rc2-00003-g9080916f4863 #45 PREEMPT(full) 112853fcebfdb93254270a7959841d2c6aa2c8bb
[ 44.546523] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 44.546523] RIP: 0010:ext4_write_inline_data+0xfe/0x100
[ 44.546523] Code: 3c 0e 48 83 c7 48 48 89 de 5b 41 5c 41 5d 41 5e 41 5f 5d e9 e4 fa 43 01 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc 0f 0b <0f> 0b 0f 1f 44 00 00 55 41 57 41 56 41 55 41 54 53 48 83 ec 20 49
[ 44.546523] RSP: 0018:ffffb342008b79a8 EFLAGS: 00010216
[ 44.546523] RAX: 0000000000000001 RBX: ffff9329c579c000 RCX: 0000010000000006
[ 44.546523] RDX: 000000000000003c RSI: ffffb342008b79f0 RDI: ffff9329c158e738
[ 44.546523] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
[ 44.546523] R10: 00007ffffffff000 R11: ffffffff9bd0d910 R12: 0000006210000000
[ 44.546523] R13: fffffc7e4015e700 R14: 0000010000000005 R15: ffff9329c158e738
[ 44.546523] FS: 00007f4299934740(0000) GS:ffff932a60179000(0000) knlGS:0000000000000000
[ 44.546523] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 44.546523] CR2: 00007f4299a1ec90 CR3: 0000000002886002 CR4: 0000000000770eb0
[ 44.546523] PKRU: 55555554
[ 44.546523] Call Trace:
[ 44.546523] <TASK>
[ 44.546523] ext4_write_inline_data_end+0x126/0x2d0
[ 44.546523] generic_perform_write+0x17e/0x270
[ 44.546523] ext4_buffered_write_iter+0xc8/0x170
[ 44.546523] vfs_write+0x2be/0x3e0
[ 44.546523] __x64_sys_pwrite64+0x6d/0xc0
[ 44.546523] do_syscall_64+0x6a/0xf0
[ 44.546523] ? __wake_up+0x89/0xb0
[ 44.546523] ? xas_find+0x72/0x1c0
[ 44.546523] ? next_uptodate_folio+0x317/0x330
[ 44.546523] ? set_pte_range+0x1a6/0x270
[ 44.546523] ? filemap_map_pages+0x6ee/0x840
[ 44.546523] ? ext4_setattr+0x2fa/0x750
[ 44.546523] ? do_pte_missing+0x128/0xf70
[ 44.546523] ? security_inode_post_setattr+0x3e/0xd0
[ 44.546523] ? ___pte_offset_map+0x19/0x100
[ 44.546523] ? handle_mm_fault+0x721/0xa10
[ 44.546523] ? do_user_addr_fault+0x197/0x730
[ 44.546523] ? do_syscall_64+0x76/0xf0
[ 44.546523] ? arch_exit_to_user_mode_prepare+0x1e/0x60
[ 44.546523] ? irqentry_exit_to_user_mode+0x79/0x90
[ 44.546523] entry_SYSCALL_64_after_hwframe+0x55/0x5d
[ 44.546523] RIP: 0033:0x7f42999c6687
[ 44.546523] Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
[ 44.546523] RSP: 002b:00007ffeae4a7930 EFLAGS: 00000202 ORIG_RAX: 0000000000000012
[ 44.546523] RAX: ffffffffffffffda RBX: 00007f4299934740 RCX: 00007f42999c6687
[ 44.546523] RDX: 0000000000000001 RSI: 000055ea6149200f RDI: 0000000000000003
[ 44.546523] RBP: 00007ffeae4a79a0 R08: 0000000000000000 R09: 0000000000000000
[ 44.546523] R10: 0000010000000005 R11: 0000000000000202 R12: 0000000000000000
[ 44.546523] R13: 00007ffeae4a7ac8 R14: 00007f4299b86000 R15: 000055ea61493dd8
[ 44.546523] </TASK>
[ 44.546523] Modules linked in:
[ 44.568501] ---[ end trace 0000000000000000 ]---
[ 44.568889] RIP: 0010:ext4_write_inline_data+0xfe/0x100
[ 44.569328] Code: 3c 0e 48 83 c7 48 48 89 de 5b 41 5c 41 5d 41 5e 41 5f 5d e9 e4 fa 43 01 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc 0f 0b <0f> 0b 0f 1f 44 00 00 55 41 57 41 56 41 55 41 54 53 48 83 ec 20 49
[ 44.570931] RSP: 0018:ffffb342008b79a8 EFLAGS: 00010216
[ 44.571356] RAX: 0000000000000001 RBX: ffff9329c579c000 RCX: 0000010000000006
[ 44.571959] RDX: 000000000000003c RSI: ffffb342008b79f0 RDI: ffff9329c158e738
[ 44.572571] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
[ 44.573148] R10: 00007ffffffff000 R11: ffffffff9bd0d910 R12: 0000006210000000
[ 44.573748] R13: fffffc7e4015e700 R14: 0000010000000005 R15: ffff9329c158e738
[ 44.574335] FS: 00007f4299934740(0000) GS:ffff932a60179000(0000) knlGS:0000000000000000
[ 44.575027] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 44.575520] CR2: 00007f4299a1ec90 CR3: 0000000002886002 CR4: 0000000000770eb0
[ 44.576112] PKRU: 55555554
[ 44.576338] Kernel panic - not syncing: Fatal exception
[ 44.576517] Kernel Offset: 0x1a600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
Reported-by: syzbot+fe2a25dae02a207717a0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fe2a25dae02a207717a0
Fixes:
|
||
|
|
24719b94f4 |
ext4: reorder capability check last
[ Upstream commit 1b419c889c0767a5b66d0a6c566cae491f1cb0f7 ]
capable() calls refer to enabled LSMs whether to permit or deny the
request. This is relevant in connection with SELinux, where a
capability check results in a policy decision and by default a denial
message on insufficient permission is issued.
It can lead to three undesired cases:
1. A denial message is generated, even in case the operation was an
unprivileged one and thus the syscall succeeded, creating noise.
2. To avoid the noise from 1. the policy writer adds a rule to ignore
those denial messages, hiding future syscalls, where the task
performs an actual privileged operation, leading to hidden limited
functionality of that task.
3. To avoid the noise from 1. the policy writer adds a rule to permit
the task the requested capability, while it does not need it,
violating the principle of least privilege.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Reviewed-by: Serge Hallyn <serge@hallyn.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20250302160657.127253-2-cgoettsche@seltendoof.de
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Ulrich Hecht <uli@kernel.org>
|
||
|
|
b7c670dfff |
Merge branch 'linux-4.19.y-cip' of https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip into lineage-22.2
* 'linux-4.19.y-cip' of https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip: x86/bugs: fix backport error in "x86/bugs: Don't fill RSB on VMEXIT with eIBRS+retpoline" CIP: Bump version suffix to -cip121 after merge from cip/linux-4.19.y-st tree Update localversion-st, tree is up-to-date with 5.4.293. x86/bugs: Don't fill RSB on VMEXIT with eIBRS+retpoline clk: check for disabled clock-provider in of_clk_get_hw_from_clkspec() PCI: Rename PCI_IRQ_LEGACY to PCI_IRQ_INTX MIPS: cm: Fix warning if MIPS_CM is disabled comedi: jr3_pci: Fix synchronous deletion of timer scsi: pm80xx: Set phy_attached to zero when device is gone ACPI PPTT: Fix coding mistakes in a couple of sizeof() calls selftests: ublk: fix test_stripe_04 KVM: s390: Don't use %pK through tracepoints sched/isolation: Make CONFIG_CPU_ISOLATION depend on CONFIG_SMP ntb: reduce stack usage in idt_scan_mws qibfs: fix _another_ leak usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev() usb: host: max3421-hcd: Add missing spi_device_id table parisc: PDT: Fix missing prototype warning MIPS: cm: Detect CM quirks from device tree USB: VLI disk crashes if LPM is used usb: quirks: Add delay init quirk for SanDisk 3.2Gen1 Flash Drive usb: quirks: add DELAY_INIT quirk for Silicon Motion Flash Drive usb: dwc3: gadget: check that event count does not exceed event buffer length USB: OHCI: Add quirk for LS7A OHCI controller (rev 0x02) USB: serial: simple: add OWON HDS200 series oscilloscope support USB: serial: option: add Sierra Wireless EM9291 USB: serial: ftdi_sio: add support for Abacus Electrics Optical Probe USB: storage: quirk for ADATA Portable HDD CH94 mcb: fix a double free bug in chameleon_parse_gdd() virtio_console: fix missing byte order handling for cols and rows net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too net_sched: hfsc: Fix a UAF vulnerability in class handling tipc: fix NULL pointer dereference in tipc_mon_reinit_self() net: phy: leds: fix memory leak cpufreq: scpi: 
Fix null-ptr-deref in scpi_cpufreq_get_rate() misc: pci_endpoint_test: Fix displaying 'irq_type' after 'request_irq' error misc: pci_endpoint_test: Use INTX instead of LEGACY net: dsa: mv88e6xxx: fix VTU methods for 6320 family ext4: fix OOB read when checking dotdot dir ext4: optimize __ext4_check_dir_entry() MIPS: ds1287: Match ds1287_set_base_clock() function types MIPS: cevt-ds1287: Add missing ds1287.h include MIPS: dec: Declare which_prom() as static virtio-net: Add validation for used length openvswitch: fix lockup on tx to unregistering netdev with carrier net: openvswitch: fix race on port output mmc: cqhci: Fix checking of CQHCI_HALT state nvmet-fc: Remove unused functions usb: dwc3: support continuous runtime PM with dual role misc: pci_endpoint_test: Fix 'irq_type' to convey the correct type misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink(). kbuild: Add '-fno-builtin-wcslen' drm/sti: remove duplicate object names drm/repaper: fix integer overflows in repeat functions module: sign with sha512 instead of sha1 by default isofs: Prevent the use of too small fid i2c: cros-ec-tunnel: defer probe if parent EC is not present hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key btrfs: correctly escape subvol in btrfs_show_options() nfs: move nfs_fhandle_hash to common include file NFSD: Constify @fh argument of knfsd_fh_hash() asus-laptop: Fix an uninitialized variable writeback: fix false warning in inode_to_wb() net: b53: enable BPDU reception for management port net: openvswitch: fix nested key length validation in the set() action Revert "wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()" Bluetooth: btrtl: Prevent potential NULL dereference Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for invalid address RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe() scsi: iscsi: Fix missing scsi_host_put() in error path wifi: 
wl1251: fix memory leak in wl1251_tx_work wifi: mac80211: Purge vif txq in ieee80211_do_stop() wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue() wifi: at76c50x: fix use after free access in at76_disconnect HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition Bluetooth: hci_uart: Fix another race during initialization x86/e820: Fix handling of subpage regions when calculating nosave ranges in e820__register_nosave_regions() PCI: Fix reference leak in pci_alloc_child_bus() of/irq: Fix device node refcount leakages in of_irq_init() of/irq: Fix device node refcount leakage in API irq_of_parse_and_map() gpio: zynq: Fix wakeup source leaks on device unbind ftrace: Add cond_resched() to ftrace_graph_set_hash() crypto: ccp - Fix check for the primary ASP device thermal/drivers/rockchip: Add missing rk3328 mapping entry sctp: detect and prevent references to a freed transport in sendmsg mm: add missing release barrier on PGDAT_RECLAIM_LOCKED unlock sparc/mm: disable preemption in lazy mmu mode arm64: dts: mediatek: mt8173: Fix disp-pwm compatible string mtd: inftlcore: Add error check for inftl_read_oob() lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets jbd2: remove wrong sb->s_sequence check ext4: fix off-by-one error in do_split media: venus: hfi_parser: add check to avoid out of bound access media: i2c: ov7251: Introduce 1 ms delay between regulators and en GPIO media: i2c: ov7251: Set enable GPIO low in probe media: v4l2-dv-timings: prevent possible overflow in v4l2_detect_gtf() media: streamzap: prevent processing IR data on URB failure mtd: rawnand: brcmnand: fix PM resume warning arm64: cputype: Add MIDR_CORTEX_A76AE xenfs/xensyms: respect hypervisor's "next" indication media: siano: Fix error handling in smsdvb_module_init() media: venus: hfi: add check to handle incorrect queue size media: venus: hfi: add a check to handle OOB in sfr region media: i2c: adv748x: Fix test 
pattern selection mask bpf: support SKF_NET_OFF and SKF_LL_OFF on skb frags bpf: Add endian modifiers to fix endian warnings fbdev: omapfb: Add 'plane' value check drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power on/off drm/amdkfd: Fix pqm_destroy_queue race with GPU reset drm: allow encoder mode_set even when connectors change for crtc Bluetooth: hci_uart: fix race during initialization tracing: fix return value in __ftrace_event_enable_disable for TRACE_REG_UNREGISTER net: vlan: don't propagate flags on open scsi: st: Fix array overflow in st_setup() ext4: ignore xattrs past end ext4: protect ext4_release_dquot against freezing ahci: add PCI ID for Marvell 88SE9215 SATA Controller ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode jfs: add sanity check for agwidth in dbMount jfs: Prevent copying of nlink with value 0 from disk inode fs/jfs: Prevent integer overflow in AG size calculation fs/jfs: cast inactags to s64 to prevent potential overflow ALSA: usb-audio: Fix CME quirk for UF series keyboards ALSA: hda: intel: Fix Optimus when GPU has no sound HID: pidff: Fix null pointer dereference in pidff_find_fields HID: pidff: Do not send effect envelope if it's empty HID: pidff: Convert infinite length from Linux API to PID standard perf: arm_pmu: Don't disable counter in armpmu_add() x86/cpu: Don't clear X86_FEATURE_LAHF_LM flag in init_amd_k8() on AMD when running in a virtual machine pm: cpupower: bench: Prevent NULL dereference on malloc failure net: ppp: Add bound checking for skb data on ppp_sync_txmung ata: sata_sx4: Add error handling in pdc20621_i2c_read() ata: sata_sx4: Drop pointless VPRINTK() calls and convert the remaining ones tipc: fix memory leak in tipc_link_xmit ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe() Conflicts: fs/ext4/dir.c Signed-off-by: bengris32 <bengris32@protonmail.ch> Change-Id: Ifff69aae6aeecbbab378fba35b117f05e6076c6e |
||
|
|
5fbc126304 |
ext4: fix OOB read when checking dotdot dir
[ Upstream commit d5e206778e96e8667d3bde695ad372c296dc9353 ]
Mounting a corrupted filesystem with directory which contains '.' dir
entry with rec_len == block size results in out-of-bounds read (later
on, when the corrupted directory is removed).
ext4_empty_dir() assumes every ext4 directory contains at least '.'
and '..' as directory entries in the first data block. It first loads
the '.' dir entry, performs sanity checks by calling ext4_check_dir_entry()
and then uses its rec_len member to compute the location of '..' dir
entry (in ext4_next_entry). It assumes the '..' dir entry fits into the
same data block.
If the rec_len of '.' is precisely one block (4KB), it slips through the
sanity checks (it is considered the last directory entry in the data
block) and leaves "struct ext4_dir_entry_2 *de" point exactly past the
memory slot allocated to the data block. The following call to
ext4_check_dir_entry() on new value of de then dereferences this pointer
which results in out-of-bounds mem access.
Fix this by extending __ext4_check_dir_entry() to check for '.' dir
entries that reach the end of data block. Make sure to ignore the phony
dir entries for checksum (by checking name_len for non-zero).
Note: This is reported by KASAN as use-after-free in case another
structure was recently freed from the slot past the bound, but it is
really an OOB read.
This issue was found by syzkaller tool.
Call Trace:
[ 38.594108] BUG: KASAN: slab-use-after-free in __ext4_check_dir_entry+0x67e/0x710
[ 38.594649] Read of size 2 at addr ffff88802b41a004 by task syz-executor/5375
[ 38.595158]
[ 38.595288] CPU: 0 UID: 0 PID: 5375 Comm: syz-executor Not tainted 6.14.0-rc7 #1
[ 38.595298] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 38.595304] Call Trace:
[ 38.595308] <TASK>
[ 38.595311] dump_stack_lvl+0xa7/0xd0
[ 38.595325] print_address_description.constprop.0+0x2c/0x3f0
[ 38.595339] ? __ext4_check_dir_entry+0x67e/0x710
[ 38.595349] print_report+0xaa/0x250
[ 38.595359] ? __ext4_check_dir_entry+0x67e/0x710
[ 38.595368] ? kasan_addr_to_slab+0x9/0x90
[ 38.595378] kasan_report+0xab/0xe0
[ 38.595389] ? __ext4_check_dir_entry+0x67e/0x710
[ 38.595400] __ext4_check_dir_entry+0x67e/0x710
[ 38.595410] ext4_empty_dir+0x465/0x990
[ 38.595421] ? __pfx_ext4_empty_dir+0x10/0x10
[ 38.595432] ext4_rmdir.part.0+0x29a/0xd10
[ 38.595441] ? __dquot_initialize+0x2a7/0xbf0
[ 38.595455] ? __pfx_ext4_rmdir.part.0+0x10/0x10
[ 38.595464] ? __pfx___dquot_initialize+0x10/0x10
[ 38.595478] ? down_write+0xdb/0x140
[ 38.595487] ? __pfx_down_write+0x10/0x10
[ 38.595497] ext4_rmdir+0xee/0x140
[ 38.595506] vfs_rmdir+0x209/0x670
[ 38.595517] ? lookup_one_qstr_excl+0x3b/0x190
[ 38.595529] do_rmdir+0x363/0x3c0
[ 38.595537] ? __pfx_do_rmdir+0x10/0x10
[ 38.595544] ? strncpy_from_user+0x1ff/0x2e0
[ 38.595561] __x64_sys_unlinkat+0xf0/0x130
[ 38.595570] do_syscall_64+0x5b/0x180
[ 38.595583] entry_SYSCALL_64_after_hwframe+0x76/0x7e
Fixes:
|
||
|
|
ed68da4c4f |
ext4: optimize __ext4_check_dir_entry()
[ Upstream commit 707d1a2f601bea6110a5633054253c0cb71b44c1 ]
Make __ext4_check_dir_entry() a bit easier to understand, and reduce
the object size of the function by over 11%.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Link: https://lore.kernel.org/r/20191209004346.38526-1-tytso@mit.edu
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: d5e206778e96 ("ext4: fix OOB read when checking dotdot dir")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Ulrich Hecht <uli@kernel.org>
|
||
|
|
6f3510ec13 |
ext4: fix off-by-one error in do_split
commit 94824ac9a8aaf2fb3c54b4bdde842db80ffa555d upstream.
Syzkaller detected a use-after-free issue in ext4_insert_dentry that was
caused by out-of-bounds access due to incorrect splitting in do_split.
BUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
Write of size 251 at addr ffff888074572f14 by task syz-executor335/5847
CPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
__asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
add_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154
make_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351
ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455
ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796
ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3431
vfs_symlink+0x137/0x2e0 fs/namei.c:4615
do_symlinkat+0x222/0x3a0 fs/namei.c:4641
__do_sys_symlink fs/namei.c:4662 [inline]
__se_sys_symlink fs/namei.c:4660 [inline]
__x64_sys_symlink+0x7a/0x90 fs/namei.c:4660
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
The following loop is located right above 'if' statement.
for (i = count-1; i >= 0; i--) {
	/* is more than half of this entry in 2nd half of the block? */
	if (size + map[i].size/2 > blocksize/2)
		break;
	size += map[i].size;
	move++;
}
'i' in this case could go down to -1, in which case sum of active entries
wouldn't exceed half the block size, but previous behaviour would also do
split in half if sum would exceed at the very last block, which in case of
having too many long name files in a single block could lead to
out-of-bounds access and following use-after-free.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Cc: stable@vger.kernel.org
Fixes: 5872331b3d91 ("ext4: fix potential negative array index in do_split()")
Signed-off-by: Artem Sadovnikov <a.sadovnikov@ispras.ru>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20250404082804.2567-3-a.sadovnikov@ispras.ru
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ulrich Hecht <uli@kernel.org>
|
||
|
|
c4acbe5517 |
ext4: ignore xattrs past end
[ Upstream commit c8e008b60492cf6fd31ef127aea6d02fd3d314cd ]

Once inside 'ext4_xattr_inode_dec_ref_all' we should ignore xattrs entries past the 'end' entry.

This fixes the following KASAN reported issue:

    ==================================================================
    BUG: KASAN: slab-use-after-free in ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
    Read of size 4 at addr ffff888012c120c4 by task repro/2065

    CPU: 1 UID: 0 PID: 2065 Comm: repro Not tainted 6.13.0-rc2+ #11
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
    Call Trace:
     <TASK>
     dump_stack_lvl+0x1fd/0x300
     ? tcp_gro_dev_warn+0x260/0x260
     ? _printk+0xc0/0x100
     ? read_lock_is_recursive+0x10/0x10
     ? irq_work_queue+0x72/0xf0
     ? __virt_addr_valid+0x17b/0x4b0
     print_address_description+0x78/0x390
     print_report+0x107/0x1f0
     ? __virt_addr_valid+0x17b/0x4b0
     ? __virt_addr_valid+0x3ff/0x4b0
     ? __phys_addr+0xb5/0x160
     ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
     kasan_report+0xcc/0x100
     ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
     ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
     ? ext4_xattr_delete_inode+0xd30/0xd30
     ? __ext4_journal_ensure_credits+0x5f0/0x5f0
     ? __ext4_journal_ensure_credits+0x2b/0x5f0
     ? inode_update_timestamps+0x410/0x410
     ext4_xattr_delete_inode+0xb64/0xd30
     ? ext4_truncate+0xb70/0xdc0
     ? ext4_expand_extra_isize_ea+0x1d20/0x1d20
     ? __ext4_mark_inode_dirty+0x670/0x670
     ? ext4_journal_check_start+0x16f/0x240
     ? ext4_inode_is_fast_symlink+0x2f2/0x3a0
     ext4_evict_inode+0xc8c/0xff0
     ? ext4_inode_is_fast_symlink+0x3a0/0x3a0
     ? do_raw_spin_unlock+0x53/0x8a0
     ? ext4_inode_is_fast_symlink+0x3a0/0x3a0
     evict+0x4ac/0x950
     ? proc_nr_inodes+0x310/0x310
     ? trace_ext4_drop_inode+0xa2/0x220
     ? _raw_spin_unlock+0x1a/0x30
     ? iput+0x4cb/0x7e0
     do_unlinkat+0x495/0x7c0
     ? try_break_deleg+0x120/0x120
     ? 0xffffffff81000000
     ? __check_object_size+0x15a/0x210
     ? strncpy_from_user+0x13e/0x250
     ? getname_flags+0x1dc/0x530
     __x64_sys_unlinkat+0xc8/0xf0
     do_syscall_64+0x65/0x110
     entry_SYSCALL_64_after_hwframe+0x67/0x6f
     </TASK>

    The buggy address belongs to the object at ffff888012c12000 which belongs to the cache filp of size 360
    The buggy address is located 196 bytes inside of freed 360-byte region [ffff888012c12000, ffff888012c12168)

    The buggy address belongs to the physical page:
    page dumped because: kasan: bad access detected

    Memory state around the buggy address:
    ==================================================================

Reported-by: syzbot+b244bda78289b00204ed@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b244bda78289b00204ed
Suggested-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Signed-off-by: Bhupesh <bhupesh@igalia.com>
Link: https://patch.msgid.link/20250128082751.124948-2-bhupesh@igalia.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Ulrich Hecht <uli@kernel.org> |
||
|
|
a7e81a7f32 |
ext4: protect ext4_release_dquot against freezing
[ Upstream commit 530fea29ef82e169cd7fe048c2b7baaeb85a0028 ]

Protect ext4_release_dquot against freezing so that we don't try to start a transaction when FS is frozen, leading to warnings.

Further, avoid taking the freeze protection if a transaction is already running so that we don't end up in a deadlock as described in

    46e294efc355 ext4: fix deadlock with fs freezing and EA inodes

Suggested-by: Jan Kara <jack@suse.cz>
Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20241121123855.645335-3-ojaswin@linux.ibm.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Ulrich Hecht <uli@kernel.org> |
||
|
|
dc38585c87 |
Merge branch 'android-4.19-stable' of https://android.googlesource.com/kernel/common into lineage-21
* 'android-4.19-stable' of https://android.googlesource.com/kernel/common: Revert "UPSTREAM: unicode: Don't special case ignorable code points" Reapply "UPSTREAM: unicode: Don't special case ignorable code points" Revert "UPSTREAM: unicode: Don't special case ignorable code points" Linux 4.19.325 sh: intc: Fix use-after-free bug in register_intc_controller() modpost: remove incorrect code in do_eisa_entry() 9p/xen: fix release of IRQ 9p/xen: fix init sequence block: return unsigned int from bdev_io_min jffs2: fix use of uninitialized variable ubi: fastmap: Fix duplicate slab cache names while attaching ubifs: Correct the total block count by deducting journal reservation rtc: check if __rtc_read_time was successful in rtc_timer_do_work() NFSv4.0: Fix a use-after-free problem in the asynchronous open() um: Fix the return value of elf_core_copy_task_fpregs rpmsg: glink: Propagate TX failures in intentless mode as well NFSD: Prevent a potential integer overflow lib: string_helpers: silence snprintf() output truncation warning usb: dwc3: gadget: Fix checking for number of TRBs left media: wl128x: Fix atomicity violation in fmc_send_cmd() HID: wacom: Interpret tilt data from Intuos Pro BT as signed values block: fix ordering between checking BLK_MQ_S_STOPPED request adding arm64: tls: Fix context-switching of tpidrro_el0 when kpti is enabled sh: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK um: vector: Do not use drvdata in release serial: 8250: omap: Move pm_runtime_get_sync um: net: Do not use drvdata in release um: ubd: Do not use drvdata in release ubi: wl: Put source PEB into correct list if trying locking LEB failed spi: Fix acpi deferred irq probe netfilter: ipset: add missing range check in bitmap_ip_uadt Revert "serial: sh-sci: Clean sci_ports[0] after at earlycon exit" serial: sh-sci: Clean sci_ports[0] after at earlycon exit Revert "usb: gadget: composite: fix OS descriptors w_value logic" ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy 
and Mbox devices Bluetooth: Fix type of len in rfcomm_sock_getsockopt{,_old}() tty: ldsic: fix tty_ldisc_autoload sysctl's proc_handler PCI: Fix use-after-free of slot->bus on hot remove ASoC: codecs: Fix atomicity violation in snd_soc_component_get_drvdata() jfs: xattr: check invalid xattr size more strictly ext4: fix FS_IOC_GETFSMAP handling ext4: supress data-race warnings in ext4_free_inodes_{count,set}() usb: ehci-spear: fix call balance of sehci clk handling routines apparmor: fix 'Do simple duplicate message elimination' misc: apds990x: Fix missing pm_runtime_disable() USB: chaoskey: Fix possible deadlock chaoskey_list_lock USB: chaoskey: fail open after removal usb: using mutex lock and supporting O_NONBLOCK flag in iowarrior_read() net: stmmac: dwmac-socfpga: Set RX watchdog interrupt as broken marvell: pxa168_eth: fix call balance of pep->clk handling routines net: usb: lan78xx: Fix refcounting and autosuspend on invalid WoL configuration tg3: Set coherent DMA mask bits to 31 for BCM57766 chipsets net: usb: lan78xx: Fix memory leak on device unplug by freeing PHY device power: supply: core: Remove might_sleep() from power_supply_put() vfio/pci: Properly hide first-in-list PCIe extended capability NFSD: Cap the number of bytes copied by nfs4_reset_recoverydir() NFSD: Prevent NULL dereference in nfsd4_process_cb_update() rpmsg: glink: use only lower 16-bits of param2 for CMD_OPEN name length rpmsg: glink: Fix GLINK command prefix rpmsg: glink: Send READ_NOTIFY command in FIFO full case rpmsg: glink: Add TX_DATA_CONT command while sending m68k: coldfire/device.c: only build FEC when HW macros are defined m68k: mcfgpio: Fix incorrect register offset for CONFIG_M5441x PCI: cpqphp: Fix PCIBIOS_* return value confusion PCI: cpqphp: Use PCI_POSSIBLE_ERROR() to check config reads perf probe: Correct demangled symbols in C++ program clk: clk-axi-clkgen: make sure to enable the AXI bus clock clk: axi-clkgen: use devm_platform_ioremap_resource() short-hand 
dt-bindings: clock: axi-clkgen: include AXI clk dt-bindings: clock: adi,axi-clkgen: convert old binding to yaml format fbdev: sh7760fb: Fix a possible memory leak in sh7760fb_alloc_mem() fbdev/sh7760fb: Alloc DMA memory from hardware device powerpc/sstep: make emulate_vsx_load and emulate_vsx_store static ocfs2: fix uninitialized value in ocfs2_file_read_iter() scsi: qedi: Fix a possible memory leak in qedi_alloc_and_init_sb() scsi: fusion: Remove unused variable 'rc' scsi: bfa: Fix use-after-free in bfad_im_module_exit() mfd: rt5033: Fix missing regmap_del_irq_chip() RDMA/bnxt_re: Check cqe flags to know imm_data vs inv_irkey mtd: rawnand: atmel: Fix possible memory leak cpufreq: loongson2: Unregister platform_driver on failure mfd: da9052-spi: Change read-mask to write-mask powerpc/vdso: Flag VDSO64 entry points as functions trace/trace_event_perf: remove duplicate samples on the first tracepoint event netpoll: Use rcu_access_pointer() in netpoll_poll_lock ALSA: 6fire: Release resources at card release ALSA: caiaq: Use snd_card_free_when_closed() at disconnection ALSA: us122l: Use snd_card_free_when_closed() at disconnection net: rfkill: gpio: Add check for clk_enable() drm/etnaviv: hold GPU lock across perfmon sampling drm/etnaviv: fix power register offset on GC300 drm/etnaviv: dump: fix sparse warnings drm/etnaviv: consolidate hardware fence handling in etnaviv_gpu wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_config_scan() bpf: Fix the xdp_adjust_tail sample prog issue drm/omap: Fix locking in omap_gem_new_dmabuf() wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service() drm/mm: Mark drm_mm_interval_tree*() functions with __maybe_unused firmware: arm_scpi: Check the DVFS OPP count returned by the firmware regmap: irq: Set lockdep class for hierarchical IRQ domains ARM: dts: cubieboard4: Fix DCDC5 regulator constraints mmc: mmc_spi: drop buggy snprintf() soc: qcom: geni-se: fix array underflow in geni_se_clk_tbl_get() time: 
Fix references to _msecs_to_jiffies() handling of values crypto: cavium - Fix an error handling path in cpt_ucode_load_fw() crypto: bcm - add error check in the ahash_hmac_init function crypto: cavium - Fix the if condition to exit loop after timeout crypto: pcrypt - Call crypto layer directly when padata_do_parallel() return -EBUSY EDAC/fsl_ddr: Fix bad bit shift operations hfsplus: don't query the device logical block size multiple times s390/syscalls: Avoid creation of arch/arch/ directory acpi/arm64: Adjust error handling procedure in gtdt_parse_timer_block() m68k: mvme147: Reinstate early console m68k: mvme16x: Add and use "mvme16x.h" m68k: mvme147: Fix SCSI controller IRQ numbers initramfs: avoid filename buffer overrun nvme: fix metadata handling in nvme-passthrough proc/softirqs: replace seq_printf with seq_put_decimal_ull_width net: usb: qmi_wwan: add Quectel RG650V x86/amd_nb: Fix compile-testing without CONFIG_AMD_NB selftests/watchdog-test: Fix system accidentally reset after watchdog-test mac80211: fix user-power when emulating chanctx ASoC: Intel: bytcr_rt5640: Add DMI quirk for Vexia Edu Atla 10 tablet mm: revert "mm: shmem: fix data-race in shmem_getattr()" kbuild: Use uname for LINUX_COMPILE_HOST detection media: dvbdev: fix the logic when DVB_DYNAMIC_MINORS is not set Revert "mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K" nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint ocfs2: fix UBSAN warning in ocfs2_verify_volume() nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint ocfs2: uncache inode which has failed entering the group netlink: terminate outstanding dump on socket close Linux 4.19.324 9p: fix slab cache name creation for real net: usb: qmi_wwan: add Fibocom FG132 0x0112 composition fs: Fix uninitialized value issue in from_kuid and from_kgid powerpc/powernv: Free name on error in opal_event_init() sound: Make CONFIG_SND depend on INDIRECT_IOMEM instead of UML bpf: use kvzmalloc to allocate BPF verifier 
environment HID: multitouch: Add quirk for HONOR MagicBook Art 14 touchpad 9p: Avoid creating multiple slab caches with the same name ALSA: usb-audio: Add endianness annotations vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer ALSA: usb-audio: Add quirks for Dell WD19 dock ALSA: usb-audio: Support jack detection on Dell dock ALSA: usb-audio: Add custom mixer status quirks for RME CC devices ALSA: pcm: Return 0 when size < start_threshold in capture ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove() irqchip/gic-v3: Force propagation of the active state with a read-back USB: serial: option: add Quectel RG650V USB: serial: option: add Fibocom FG132 0x0112 composition USB: serial: qcserial: add support for Sierra Wireless EM86xx USB: serial: io_edgeport: fix use after free in debug printk usb: musb: sunxi: Fix accessing an released usb phy fs/proc: fix compile warning about variable 'vmcore_mmap_ops' media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format net: bridge: xmit: make sure we have at least eth header len bytes bonding (gcc13): synchronize bond_{a,t}lb_xmit() types btrfs: reinitialize delayed ref list after deleting it from the list nfs: Fix KMSAN warning in decode_getfattr_attrs() dm-unstriped: cast an operand to sector_t to prevent potential uint32_t overflow dm cache: fix potential out-of-bounds access on the first resume dm cache: optimize dirty bit checking with find_next_bit when resizing dm cache: fix out-of-bounds access to the dirty bitset when resizing dm cache: correct the number of origin blocks to match the target length drm/amdgpu: prevent NULL pointer dereference if ATIF is not supported drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read() media: v4l2-tpg: prevent the risk of a division by zero media: cx24116: prevent overflows on SNR calculus media: s5p-jpeg: prevent buffer 
overflows ALSA: firewire-lib: fix return value on fail in amdtp_tscm_init() media: adv7604: prevent underflow condition when reporting colorspace media: dvb_frontend: don't play tricks with underflow values media: dvbdev: prevent the risk of out of memory access media: stb0899_algo: initialize cfr before using it net: hns3: fix kernel crash when uninstalling driver can: c_can: fix {rx,tx}_errors statistics sctp: properly validate chunk size in sctp_sf_ootb() security/keys: fix slab-out-of-bounds in key_task_permission HID: core: zero-initialize the report buffer ARM: dts: rockchip: Fix the realtek audio codec on rk3036-kylin ARM: dts: rockchip: drop grf reference from rk3036 hdmi ARM: dts: rockchip: fix rk3036 acodec node arm64: dts: rockchip: Fix rt5651 compatible value on rk3399-sapphire-excavator Linux 4.19.323 vt: prevent kernel-infoleak in con_font_get() mm: shmem: fix data-race in shmem_getattr() nilfs2: fix kernel bug due to missing clearing of checked flag ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow nilfs2: fix potential deadlock with newly created symlinks wifi: iwlegacy: Clear stale interrupts before resuming device wifi: ath10k: Fix memory leak in management tx wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower Revert "driver core: Fix uevent_show() vs driver detach race" xhci: Fix Link TRB DMA in command ring stopped completion event usb: phy: Fix API devm_usb_put_phy() can not release the phy usbip: tools: Fix detach_port() invalid port error path misc: sgi-gru: Don't disable preemption in GRU driver net: amd: mvme147: Fix probe banner message firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state() netfilter: nft_payload: sanitize offset and length before calling skb_checksum() net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension net: support ip generic csum processing in skb_csum_hwoffload_help bpf: Fix out-of-bounds write in trie_get_next_key() net/sched: stop qdisc_tree_reduce_backlog 
on TC_H_ROOT gtp: allow -1 to be specified as file description from userspace gtp: simplify error handling code in 'gtp_encap_enable()' wifi: mac80211: skip non-uploaded keys in ieee80211_iter_keys cgroup: Fix potential overflow issue when checking max_depth usb: dwc3: core: Stop processing of pending events if controller is halted usb: dwc3: Add splitdisable quirk for Hisilicon Kirin Soc usb: dwc3: remove generic PHY calibrate() calls xfrm: validate new SA's prefixlen using SA family when sel.family is unset arm64/uprobes: change the uprobe_opcode_t typedef to fix the sparse warning selinux: improve error checking in sel_write_load() hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event nilfs2: fix kernel bug due to missing clearing of buffer delay flag ACPI: button: Add DMI quirk for Samsung Galaxy Book2 to fix initial lid detection issue drm/amd: Guard against bad data for ATIF ACPI method ALSA: hda/realtek: Update default depop procedure posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime() net: usb: usbnet: fix name regression be2net: fix potential memory leak in be_xmit() net/sun3_82586: fix potential memory leak in sun3_82586_send_packet() jfs: Fix sanity check in dbMount udf: fix uninit-value use in udf_get_fileshortad KVM: s390: gaccess: Check if guest address is in memslot KVM: s390: gaccess: Cleanup access to guest pages KVM: s390: gaccess: Refactor access address range check KVM: s390: gaccess: Refactor gpa and length calculation arm64: probes: Fix uprobes for big-endian kernels arm64:uprobe fix the uprobe SWBP_INSN in big-endian Bluetooth: bnep: fix wild-memory-access in proto_unregister usb: typec: altmode should keep reference to parent net: systemport: fix potential memory leak in bcm_sysport_xmit() net: ethernet: aeroflex: fix potential memory leak in greth_start_xmit_gbit() macsec: don't increment counters for an unrelated SA drm/msm/dsi: fix 32-bit signed integer extension in pclk_rate calculation RDMA/bnxt_re: 
Return more meaningful error RDMA/cxgb4: Fix RDMA_CM_EVENT_UNREACHABLE error for iWARP RDMA/bnxt_re: Fix incorrect AVID type in WQE structure clk: Fix slab-out-of-bounds error in devm_clk_release() clk: Fix pointer casting to prevent oops in devm_clk_release() nilfs2: propagate directory read errors from nilfs_find_entry() x86/apic: Always explicitly disarm TSC-deadline timer parport: Proper fix for array out-of-bounds access USB: serial: option: add Telit FN920C04 MBIM compositions USB: serial: option: add support for Quectel EG916Q-GL xhci: Fix incorrect stream context type macro Bluetooth: btusb: Fix regression with fake CSR controllers 0a12:0001 Bluetooth: Remove debugfs directory on module init failure iio: light: opt3001: add missing full-scale range value iio: hid-sensors: Fix an error handling path in _hid_sensor_set_report_latency() iio: adc: ti-ads8688: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig iio: dac: stm32-dac-core: add missing select REGMAP_MMIO in Kconfig drm/vmwgfx: Handle surface check failure correctly x86/cpufeatures: Define X86_FEATURE_AMD_IBPB_RET KVM: s390: Change virtual to physical address access in diag 0x258 handler s390/sclp_vt220: Convert newlines to CRLF instead of LFCR net: dsa: mv88e6xxx: Fix out-of-bound access KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin() fat: fix uninitialized variable PCI: Add function 0 DMA alias quirk for Glenfly Arise chip arm64: probes: Fix simulate_ldr*_literal() arm64: probes: Remove broken LDR (literal) uprobe support posix-clock: Fix missing timespec64 check in pc_clock_settime() net: Fix an unsafe loop on the list usb: storage: ignore bogus device raised by JieLi BR21 USB sound chip usb: xhci: Fix problem with xhci resume from suspend Revert "usb: yurex: Replace snprintf() with the safer scnprintf() variant" HID: plantronics: Workaround for an unexcepted opposite volume key CDC-NCM: avoid overflow in sanity checking net: ipv6: ensure we call ipv6_mc_down() at most once ppp: 
fix ppp_async_encode() illegal access net: ibm: emac: mal: fix wrong goto igb: Do not bring the device up after non-fatal error gpio: aspeed: Use devm_clk api to manage clock source clk: Provide new devm_clk helpers for prepared and enabled clocks clk: generalize devm_clk_get() a bit clk: Add (devm_)clk_get_optional() functions gpio: aspeed: Add the flush write to ensure the write complete. Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change netfilter: br_netfilter: fix panic with metadata_dst skb tcp: fix tcp_enter_recovery() to zero retrans_stamp when it's safe SUNRPC: Fix integer overflow in decode_rc_list() NFS: Remove print_overflow_msg() fbdev: sisfb: Fix strbuf array overflow driver core: bus: Return -EIO instead of 0 when show/store invalid bus attribute tools/iio: Add memory allocation failure check for trigger_name usb: chipidea: udc: enable suspend interrupt after usb reset media: videobuf2-core: clear memory related fields in __vb2_plane_dmabuf_put() PCI: Mark Creative Labs EMU20k2 INTx masking as broken i2c: i801: Use a different adapter-name for IDF adapters clk: bcm: bcm53573: fix OF node leak in init ktest.pl: Avoid false positives with grub2 skip regex s390/cpum_sf: Remove WARN_ON_ONCE statements ext4: nested locking for xattr inode s390/mm: Add cond_resched() to cmm_alloc/free_pages() s390/facility: Disable compile time optimization for decompressor code bpf: Check percpu map value size first Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal virtio_console: fix misc probe bugs drm/crtc: fix uninitialized variable use even harder drm: Move drm_mode_setcrtc() local re-init to failure path tracing: Remove precision vsnprintf() check from print event net: ethernet: cortina: Drop TSO support ext4: fix inode tree inconsistency caused by ENOMEM ACPI: battery: Fix possible crash when unregistering a battery hook ACPI: battery: Simplify battery hook locking rtc: at91sam9: fix OF node leak in probe() error path rtc: at91sam9: 
drop platform_data support nfsd: fix delegation_blocked() to block correctly for at least 30 seconds nfsd: use ktime_get_seconds() for timestamps uprobes: fix kernel info leak via "[uprobes]" vma arm64: errata: Expand speculative SSBS workaround once more arm64: cputype: Add Neoverse-N3 definitions arm64: Add Cortex-715 CPU part definition ext4: update orig_path in ext4_find_extent() ext4: fix slab-use-after-free in ext4_split_extent_at() ext4: avoid ext4_error()'s caused by ENOMEM in the truncate path gpio: davinci: fix lazy disable btrfs: wait for fixup workers before stopping cleaner kthread during umount Input: adp5589-keys - fix adp5589_gpio_get_value() tomoyo: fallback to realpath if symlink's pathname does not exist iio: magnetometer: ak8975: Fix reading for ak099xx sensors media: venus: fix use after free bug in venus_remove due to race condition media: uapi/linux/cec.h: cec_msg_set_reply_to: zero flags clk: rockchip: fix error for unknown clocks aoe: fix the potential use-after-free problem in more places riscv: define ILLEGAL_POINTER_VALUE for 64bit ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate ocfs2: fix null-ptr-deref when journal load failed. 
ocfs2: remove unreasonable unlock in ocfs2_read_blocks ocfs2: cancel dqi_sync_work before freeing oinfo ocfs2: reserve space for inline xattr before attaching reflink tree ocfs2: fix uninit-value in ocfs2_get_block() ocfs2: fix the la space leak when unmounting an ocfs2 volume jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error of/irq: Support #msi-cells=<0> in of_msi_get_domain parisc: Fix 64-bit userspace syscall path ext4: fix incorrect tid assumption in ext4_wait_for_tail_page_commit() ext4: fix double brelse() the buffer of the extents path ext4: aovid use-after-free in ext4_ext_insert_extent() ext4: fix incorrect tid assumption in __jbd2_log_wait_for_space() ext4: propagate errors from ext4_find_extent() in ext4_insert_range() ext4: no need to continue when the number of entries is 1 ALSA: core: add isascii() check to card ID generator parisc: Fix itlb miss handler for 64-bit programs perf/core: Fix small negative period being ignored spi: bcm63xx: Fix module autoloading i2c: xiic: Wait for TX empty to avoid missed TX NAKs selftests: vDSO: fix vDSO symbols lookup for powerpc64 selftests: breakpoints: use remaining time to check if suspend succeed spi: s3c64xx: fix timeout counters in flush_fifo ext4: fix i_data_sem unlock order in ext4_ind_migrate() ext4: ext4_search_dir should return a proper error of/irq: Refer to actual buffer size in of_irq_parse_one() drm/radeon/r100: Handle unknown family in r100_cp_init_microcode() scsi: aacraid: Rearrange order of struct aac_srb_unit drm/printer: Allow NULL data in devcoredump printer drm/amd/display: Fix index out of bounds in degamma hardware format translation drm/amd/display: Check stream before comparing them jfs: Fix uninit-value access of new_ea in ea_buffer jfs: check if leafidx greater than num leaves per dmap tree jfs: Fix uaf in dbFreeBits jfs: UBSAN: shift-out-of-bounds in dbFindBits ata: sata_sil: Rename sil_blacklist to sil_quirks power: reset: brcmstb: Do not go into infinite 
loop if reset fails fbdev: pxafb: Fix possible use after free in pxafb_task() ALSA: hdsp: Break infinite MIDI input flush loop ALSA: asihpi: Fix potential OOB array access signal: Replace BUG_ON()s wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext() ACPICA: iasl: handle empty connection_node tcp: avoid reusing FIN_WAIT2 when trying to find port in connect() process ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR). net: mvpp2: Increase size of queue_name buffer tipc: guard against string buffer overrun ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package() ACPI: EC: Do not release locks during operation region accesses ACPICA: Fix memory leak if acpi_ps_get_next_field() fails ACPICA: Fix memory leak if acpi_ps_get_next_namepath() fails net: hisilicon: hns_mdio: fix OF node leak in probe() net: hisilicon: hns_dsaf_mac: fix OF node leak in hns_mac_get_info() net: hisilicon: hip04: fix OF node leak in probe() wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats() f2fs: Require FMODE_WRITE for atomic write ioctls ALSA: hda/conexant: Fix conflicting quirk for System76 Pangolin ALSA: hda/generic: Unconditionally prefer preferred_dacs pairs sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start ipv4: ip_gre: Fix drops of small packets in ipgre_xmit net: add more sanity checks to qdisc_pkt_len_init() net: avoid potential underflow in qdisc_pkt_len_init() with UFO net: ethernet: lantiq_etop: fix memory disclosure r8152: Factor out OOB link list waits netfilter: nf_tables: prevent nf_skb_duplicated corruption netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED ceph: remove the incorrect Fw reference check when dirtying pages mailbox: bcm2835: Fix timeout during suspend mode mailbox: rockchip: fix a typo in module autoloading usb: yurex: 
Fix inconsistent locking bug in yurex_read() i2c: isch: Add missed 'else' i2c: aspeed: Update the stop sw state when the bus recovery occurs pps: add an error check in parport_attach pps: remove usage of the deprecated ida_simple_xx() API USB: misc: yurex: fix race between read and write usb: yurex: Replace snprintf() with the safer scnprintf() variant soc: versatile: realview: fix soc_dev leak during device remove soc: versatile: realview: fix memory leak during device remove PCI: xilinx-nwl: Fix off-by-one in INTx IRQ handler PCI: xilinx-nwl: Use irq_data_get_irq_chip_data() nfs: fix memory leak in error path of nfs4_do_reclaim fs: Fix file_set_fowner LSM hook inconsistencies vfs: fix race between evice_inodes() and find_inode()&iput() f2fs: avoid potential int overflow in sanity_check_area_boundary() f2fs: prevent possible int overflow in dir_block_index() ACPI: sysfs: validate return type of _STR method drbd: Add NULL check for net_conf to prevent dereference in state validation drbd: Fix atomicity violation in drbd_uuid_set_bm() tty: rp2: Fix reset with non forgiving PCIe host bridges firmware_loader: Block path traversal USB: misc: cypress_cy7c63: check for short transfer USB: appledisplay: close race between probe and completion handler soc: versatile: integrator: fix OF node leak in probe() error path Remove *.orig pattern from .gitignore crypto: aead,cipher - zeroize key buffer after use netfilter: ctnetlink: compile ctnetlink_label_size with CONFIG_NF_CONNTRACK_EVENTS net: qrtr: Update packets cloning when broadcasting tcp: check skb is non-NULL in tcp_rto_delta_us() tcp: introduce tcp_skb_timestamp_us() helper net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put() coresight: tmc: sg: Do not leak sg_table f2fs: reduce expensive checkpoint trigger frequency f2fs: remove unneeded check condition in __f2fs_setxattr() f2fs: fix to update i_ctime in __f2fs_setxattr() f2fs: 
fix typo f2fs: enhance to update i_mode and acl atomically in f2fs_setattr() nfsd: call cache_put if xdr_reserve_space returns NULL ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir() RDMA/cxgb4: Added NULL check for lookup_atid pinctrl: mvebu: Fix devinit_dove_pinctrl_probe function clk: ti: dra7-atl: Fix leak of of_nodes pinctrl: single: fix missing error code in pcs_probe() RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency PCI: xilinx-nwl: Fix register misspelling drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error clk: rockchip: Set parent rate for DCLK_VOP clock on RK3228 perf time-utils: Fix 32-bit nsec parsing perf sched timehist: Fixed timestamp error when unable to confirm event sched_in time perf sched timehist: Fix missing free of session in perf_sched__timehist() nilfs2: fix potential oob read in nilfs_btree_check_delete() nilfs2: determine empty node blocks as corrupted nilfs2: fix potential null-ptr-deref in nilfs_btree_insert() ext4: avoid OOB when system.data xattr changes underneath the filesystem ext4: return error on ext4_find_inline_entry ext4: avoid negative min_clusters in find_group_orlov() smackfs: Use rcu_assign_pointer() to ensure safe assignment in smk_set_cipso ext4: clear EXT4_GROUP_INFO_WAS_TRIMMED_BIT even mount with discard jbd2: introduce/export functions jbd2_journal_submit|finish_inode_data_buffers() kthread: fix task state in kthread worker if being frozen kthread: add kthread_work tracepoints xz: cleanup CRC32 edits from 2018 selftests/bpf: Fix error compiling test_lru_map.c xen/swiotlb: add alignment check for dma buffers xen/swiotlb: simplify range_straddles_page_boundary() xen: use correct end address of kernel for conflict checking drm/msm: fix %s null argument error ipmi: docs: don't advertise deprecated sysfs entries drm/msm/a5xx: fix races in preemption evaluation stage drm/msm/a5xx: properly clear 
preemption records on resume jfs: fix out-of-bounds in dbNextAG() and diAlloc() drm/radeon/evergreen_cs: fix int overflow errors in cs track offsets drm/rockchip: vop: Allow 4096px width scaling drm/radeon: properly handle vbios fake edid sizing drm/radeon: Replace one-element array with flexible-array member drm/amdgpu: properly handle vbios fake edid sizing drm/amdgpu: Replace one-element array with flexible-array member drm/amd: fix typo drm/stm: Fix an error handling path in stm_drm_platform_probe() fbdev: hpfb: Fix an error handling path in hpfb_dio_probe() power: supply: max17042_battery: Fix SOC threshold calc w/ no current sense hwmon: (ntc_thermistor) fix module autoloading mtd: slram: insert break after errors in parsing the map hwmon: (max16065) Fix overflows seen when writing limits clocksource/drivers/qcom: Add missing iounmap() on errors in msm_dt_timer_init() reset: berlin: fix OF node leak in probe() error path ARM: versatile: fix OF node leak in CPUs prepare spi: ppc4xx: Avoid returning 0 when failed to parse and map IRQ spi: ppc4xx: handle irq_of_parse_and_map() errors block, bfq: don't break merge chain in bfq_split_bfqq() block, bfq: choose the last bfqq from merge chain in bfq_setup_cooperator() block, bfq: fix possible UAF for bfqq->bic with merge chain Bluetooth: btusb: Fix not handling ZPL/short-transfer can: bcm: Clear bo->bcm_proc_read after remove_proc_entry(). 
wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop() wifi: cfg80211: fix two more possible UBSAN-detected off-by-one errors wifi: cfg80211: fix UBSAN noise in cfg80211_wext_siwscan() netfilter: nf_tables: elements with timeout below CONFIG_HZ never expire wifi: ath9k: Remove error checks when creating debugfs entries wifi: ath9k: fix parameter check in ath9k_init_debug() ACPI: PMIC: Remove unneeded check in tps68470_pmic_opregion_probe() USB: serial: pl2303: add device id for Macrosilicon MS3020 gpio: prevent potential speculation leaks in gpio_device_get_desc() ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry() ocfs2: add bounds checking to ocfs2_xattr_find_entry() x86/hyperv: Set X86_FEATURE_TSC_KNOWN_FREQ when Hyper-V provides frequency spi: bcm63xx: Enable module autoloading ASoC: tda7419: fix module autoloading wifi: iwlwifi: mvm: don't wait for tx queues if firmware is dead wifi: iwlwifi: mvm: fix iwl_mvm_max_scan_ie_fw_cmd_room() net: ftgmac100: Ensure tx descriptor updates are visible microblaze: don't treat zero reserved memory regions as error pinctrl: at91: make it work with current gpiolib ASoC: allow module autoloading for table db1200_pids selftests/kcmp: remove call to ksft_set_plan() selftests/vm: remove call to ksft_set_plan() soundwire: stream: Revert "soundwire: stream: fix programming slave ports for non-continous port maps" net: dpaa: Pad packets to ETH_ZLEN net: ftgmac100: Enable TX interrupt to avoid TX timeout net/mlx5: Update the list of the PCI supported devices arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399 Puma scripts: kconfig: merge_config: config files: add a trailing newline net: phy: vitesse: repair vsc73xx autonegotiation net: ethernet: use ip_hdrlen() instead of bit shift usbnet: ipheth: fix carrier detection in modes 1 and 4 staging: iio: frequency: ad9834: Validate frequency parameter value staging: iio: frequency: ad9833: Load clock using clock framework staging: iio: 
frequency: ad9833: Get frequency value statically Change-Id: Id96e4bf331d59a5f3f52791887390bc747dc31cb Signed-off-by: bengris32 <bengris32@protonmail.ch> |
||
|
|
874391c94e |
Merge 4.19.325 into android-4.19-stable
Changes in 4.19.325
netlink: terminate outstanding dump on socket close
ocfs2: uncache inode which has failed entering the group
nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint
ocfs2: fix UBSAN warning in ocfs2_verify_volume()
nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint
Revert "mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K"
media: dvbdev: fix the logic when DVB_DYNAMIC_MINORS is not set
kbuild: Use uname for LINUX_COMPILE_HOST detection
mm: revert "mm: shmem: fix data-race in shmem_getattr()"
ASoC: Intel: bytcr_rt5640: Add DMI quirk for Vexia Edu Atla 10 tablet
mac80211: fix user-power when emulating chanctx
selftests/watchdog-test: Fix system accidentally reset after watchdog-test
x86/amd_nb: Fix compile-testing without CONFIG_AMD_NB
net: usb: qmi_wwan: add Quectel RG650V
proc/softirqs: replace seq_printf with seq_put_decimal_ull_width
nvme: fix metadata handling in nvme-passthrough
initramfs: avoid filename buffer overrun
m68k: mvme147: Fix SCSI controller IRQ numbers
m68k: mvme16x: Add and use "mvme16x.h"
m68k: mvme147: Reinstate early console
acpi/arm64: Adjust error handling procedure in gtdt_parse_timer_block()
s390/syscalls: Avoid creation of arch/arch/ directory
hfsplus: don't query the device logical block size multiple times
EDAC/fsl_ddr: Fix bad bit shift operations
crypto: pcrypt - Call crypto layer directly when padata_do_parallel() return -EBUSY
crypto: cavium - Fix the if condition to exit loop after timeout
crypto: bcm - add error check in the ahash_hmac_init function
crypto: cavium - Fix an error handling path in cpt_ucode_load_fw()
time: Fix references to _msecs_to_jiffies() handling of values
soc: qcom: geni-se: fix array underflow in geni_se_clk_tbl_get()
mmc: mmc_spi: drop buggy snprintf()
ARM: dts: cubieboard4: Fix DCDC5 regulator constraints
regmap: irq: Set lockdep class for hierarchical IRQ domains
firmware: arm_scpi: Check the DVFS OPP count returned by the firmware
drm/mm: Mark drm_mm_interval_tree*() functions with __maybe_unused
wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service()
drm/omap: Fix locking in omap_gem_new_dmabuf()
bpf: Fix the xdp_adjust_tail sample prog issue
wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_config_scan()
drm/etnaviv: consolidate hardware fence handling in etnaviv_gpu
drm/etnaviv: dump: fix sparse warnings
drm/etnaviv: fix power register offset on GC300
drm/etnaviv: hold GPU lock across perfmon sampling
net: rfkill: gpio: Add check for clk_enable()
ALSA: us122l: Use snd_card_free_when_closed() at disconnection
ALSA: caiaq: Use snd_card_free_when_closed() at disconnection
ALSA: 6fire: Release resources at card release
netpoll: Use rcu_access_pointer() in netpoll_poll_lock
trace/trace_event_perf: remove duplicate samples on the first tracepoint event
powerpc/vdso: Flag VDSO64 entry points as functions
mfd: da9052-spi: Change read-mask to write-mask
cpufreq: loongson2: Unregister platform_driver on failure
mtd: rawnand: atmel: Fix possible memory leak
RDMA/bnxt_re: Check cqe flags to know imm_data vs inv_irkey
mfd: rt5033: Fix missing regmap_del_irq_chip()
scsi: bfa: Fix use-after-free in bfad_im_module_exit()
scsi: fusion: Remove unused variable 'rc'
scsi: qedi: Fix a possible memory leak in qedi_alloc_and_init_sb()
ocfs2: fix uninitialized value in ocfs2_file_read_iter()
powerpc/sstep: make emulate_vsx_load and emulate_vsx_store static
fbdev/sh7760fb: Alloc DMA memory from hardware device
fbdev: sh7760fb: Fix a possible memory leak in sh7760fb_alloc_mem()
dt-bindings: clock: adi,axi-clkgen: convert old binding to yaml format
dt-bindings: clock: axi-clkgen: include AXI clk
clk: axi-clkgen: use devm_platform_ioremap_resource() short-hand
clk: clk-axi-clkgen: make sure to enable the AXI bus clock
perf probe: Correct demangled symbols in C++ program
PCI: cpqphp: Use PCI_POSSIBLE_ERROR() to check config reads
PCI: cpqphp: Fix PCIBIOS_* return value confusion
m68k: mcfgpio: Fix incorrect register offset for CONFIG_M5441x
m68k: coldfire/device.c: only build FEC when HW macros are defined
rpmsg: glink: Add TX_DATA_CONT command while sending
rpmsg: glink: Send READ_NOTIFY command in FIFO full case
rpmsg: glink: Fix GLINK command prefix
rpmsg: glink: use only lower 16-bits of param2 for CMD_OPEN name length
NFSD: Prevent NULL dereference in nfsd4_process_cb_update()
NFSD: Cap the number of bytes copied by nfs4_reset_recoverydir()
vfio/pci: Properly hide first-in-list PCIe extended capability
power: supply: core: Remove might_sleep() from power_supply_put()
net: usb: lan78xx: Fix memory leak on device unplug by freeing PHY device
tg3: Set coherent DMA mask bits to 31 for BCM57766 chipsets
net: usb: lan78xx: Fix refcounting and autosuspend on invalid WoL configuration
marvell: pxa168_eth: fix call balance of pep->clk handling routines
net: stmmac: dwmac-socfpga: Set RX watchdog interrupt as broken
usb: using mutex lock and supporting O_NONBLOCK flag in iowarrior_read()
USB: chaoskey: fail open after removal
USB: chaoskey: Fix possible deadlock chaoskey_list_lock
misc: apds990x: Fix missing pm_runtime_disable()
apparmor: fix 'Do simple duplicate message elimination'
usb: ehci-spear: fix call balance of sehci clk handling routines
ext4: supress data-race warnings in ext4_free_inodes_{count,set}()
ext4: fix FS_IOC_GETFSMAP handling
jfs: xattr: check invalid xattr size more strictly
ASoC: codecs: Fix atomicity violation in snd_soc_component_get_drvdata()
PCI: Fix use-after-free of slot->bus on hot remove
tty: ldsic: fix tty_ldisc_autoload sysctl's proc_handler
Bluetooth: Fix type of len in rfcomm_sock_getsockopt{,_old}()
ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices
Revert "usb: gadget: composite: fix OS descriptors w_value logic"
serial: sh-sci: Clean sci_ports[0] after at earlycon exit
Revert "serial: sh-sci: Clean sci_ports[0] after at earlycon exit"
netfilter: ipset: add missing range check in bitmap_ip_uadt
spi: Fix acpi deferred irq probe
ubi: wl: Put source PEB into correct list if trying locking LEB failed
um: ubd: Do not use drvdata in release
um: net: Do not use drvdata in release
serial: 8250: omap: Move pm_runtime_get_sync
um: vector: Do not use drvdata in release
sh: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK
arm64: tls: Fix context-switching of tpidrro_el0 when kpti is enabled
block: fix ordering between checking BLK_MQ_S_STOPPED request adding
HID: wacom: Interpret tilt data from Intuos Pro BT as signed values
media: wl128x: Fix atomicity violation in fmc_send_cmd()
usb: dwc3: gadget: Fix checking for number of TRBs left
lib: string_helpers: silence snprintf() output truncation warning
NFSD: Prevent a potential integer overflow
rpmsg: glink: Propagate TX failures in intentless mode as well
um: Fix the return value of elf_core_copy_task_fpregs
NFSv4.0: Fix a use-after-free problem in the asynchronous open()
rtc: check if __rtc_read_time was successful in rtc_timer_do_work()
ubifs: Correct the total block count by deducting journal reservation
ubi: fastmap: Fix duplicate slab cache names while attaching
jffs2: fix use of uninitialized variable
block: return unsigned int from bdev_io_min
9p/xen: fix init sequence
9p/xen: fix release of IRQ
modpost: remove incorrect code in do_eisa_entry()
sh: intc: Fix use-after-free bug in register_intc_controller()
Linux 4.19.325
Change-Id: I50250c8bd11f9ff4b40da75225c1cfb060e0c258
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
|
d714aa0399 |
ext4: fix FS_IOC_GETFSMAP handling
commit 4a622e4d477bb12ad5ed4abbc7ad1365de1fa347 upstream.

The original implementation ext4's FS_IOC_GETFSMAP handling only worked when the range of queried blocks included at least one free (unallocated) block range. This is because how the metadata blocks were emitted was as a side effect of ext4_mballoc_query_range() calling ext4_getfsmap_datadev_helper(), and that function was only called when a free block range was identified. As a result, this caused generic/365 to fail.

Fix this by creating a new function ext4_getfsmap_meta_helper() which gets called so that blocks before the first free block range in a block group can get properly reported.

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
|
319bf0c0b8 |
ext4: supress data-race warnings in ext4_free_inodes_{count,set}()
commit 902cc179c931a033cd7f4242353aa2733bf8524c upstream.

find_group_other() and find_group_orlov() read *_lo, *_hi with ext4_free_inodes_count without additional locking. This can cause data-race warning, but since the lock is held for most writes and free inodes value is generally not a problem even if it is incorrect, it is more appropriate to use READ_ONCE()/WRITE_ONCE() than to add locking.

==================================================================
BUG: KCSAN: data-race in ext4_free_inodes_count / ext4_free_inodes_set

write to 0xffff88810404300e of 2 bytes by task 6254 on cpu 1:
  ext4_free_inodes_set+0x1f/0x80 fs/ext4/super.c:405
  __ext4_new_inode+0x15ca/0x2200 fs/ext4/ialloc.c:1216
  ext4_symlink+0x242/0x5a0 fs/ext4/namei.c:3391
  vfs_symlink+0xca/0x1d0 fs/namei.c:4615
  do_symlinkat+0xe3/0x340 fs/namei.c:4641
  __do_sys_symlinkat fs/namei.c:4657 [inline]
  __se_sys_symlinkat fs/namei.c:4654 [inline]
  __x64_sys_symlinkat+0x5e/0x70 fs/namei.c:4654
  x64_sys_call+0x1dda/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:267
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x76/0x7e

read to 0xffff88810404300e of 2 bytes by task 6257 on cpu 0:
  ext4_free_inodes_count+0x1c/0x80 fs/ext4/super.c:349
  find_group_other fs/ext4/ialloc.c:594 [inline]
  __ext4_new_inode+0x6ec/0x2200 fs/ext4/ialloc.c:1017
  ext4_symlink+0x242/0x5a0 fs/ext4/namei.c:3391
  vfs_symlink+0xca/0x1d0 fs/namei.c:4615
  do_symlinkat+0xe3/0x340 fs/namei.c:4641
  __do_sys_symlinkat fs/namei.c:4657 [inline]
  __se_sys_symlinkat fs/namei.c:4654 [inline]
  __x64_sys_symlinkat+0x5e/0x70 fs/namei.c:4654
  x64_sys_call+0x1dda/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:267
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x76/0x7e

Cc: stable@vger.kernel.org
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Link: https://patch.msgid.link/20241003125337.47283-1-aha310510@gmail.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
|
2d76dea417 |
Merge 4.19.323 into android-4.19-stable
Changes in 4.19.323 staging: iio: frequency: ad9833: Get frequency value statically staging: iio: frequency: ad9833: Load clock using clock framework staging: iio: frequency: ad9834: Validate frequency parameter value usbnet: ipheth: fix carrier detection in modes 1 and 4 net: ethernet: use ip_hdrlen() instead of bit shift net: phy: vitesse: repair vsc73xx autonegotiation scripts: kconfig: merge_config: config files: add a trailing newline arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399 Puma net/mlx5: Update the list of the PCI supported devices net: ftgmac100: Enable TX interrupt to avoid TX timeout net: dpaa: Pad packets to ETH_ZLEN soundwire: stream: Revert "soundwire: stream: fix programming slave ports for non-continous port maps" selftests/vm: remove call to ksft_set_plan() selftests/kcmp: remove call to ksft_set_plan() ASoC: allow module autoloading for table db1200_pids pinctrl: at91: make it work with current gpiolib microblaze: don't treat zero reserved memory regions as error net: ftgmac100: Ensure tx descriptor updates are visible wifi: iwlwifi: mvm: fix iwl_mvm_max_scan_ie_fw_cmd_room() wifi: iwlwifi: mvm: don't wait for tx queues if firmware is dead ASoC: tda7419: fix module autoloading spi: bcm63xx: Enable module autoloading x86/hyperv: Set X86_FEATURE_TSC_KNOWN_FREQ when Hyper-V provides frequency ocfs2: add bounds checking to ocfs2_xattr_find_entry() ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry() gpio: prevent potential speculation leaks in gpio_device_get_desc() USB: serial: pl2303: add device id for Macrosilicon MS3020 ACPI: PMIC: Remove unneeded check in tps68470_pmic_opregion_probe() wifi: ath9k: fix parameter check in ath9k_init_debug() wifi: ath9k: Remove error checks when creating debugfs entries netfilter: nf_tables: elements with timeout below CONFIG_HZ never expire wifi: cfg80211: fix UBSAN noise in cfg80211_wext_siwscan() wifi: cfg80211: fix two more possible UBSAN-detected off-by-one errors 
wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop() can: bcm: Clear bo->bcm_proc_read after remove_proc_entry(). Bluetooth: btusb: Fix not handling ZPL/short-transfer block, bfq: fix possible UAF for bfqq->bic with merge chain block, bfq: choose the last bfqq from merge chain in bfq_setup_cooperator() block, bfq: don't break merge chain in bfq_split_bfqq() spi: ppc4xx: handle irq_of_parse_and_map() errors spi: ppc4xx: Avoid returning 0 when failed to parse and map IRQ ARM: versatile: fix OF node leak in CPUs prepare reset: berlin: fix OF node leak in probe() error path clocksource/drivers/qcom: Add missing iounmap() on errors in msm_dt_timer_init() hwmon: (max16065) Fix overflows seen when writing limits mtd: slram: insert break after errors in parsing the map hwmon: (ntc_thermistor) fix module autoloading power: supply: max17042_battery: Fix SOC threshold calc w/ no current sense fbdev: hpfb: Fix an error handling path in hpfb_dio_probe() drm/stm: Fix an error handling path in stm_drm_platform_probe() drm/amd: fix typo drm/amdgpu: Replace one-element array with flexible-array member drm/amdgpu: properly handle vbios fake edid sizing drm/radeon: Replace one-element array with flexible-array member drm/radeon: properly handle vbios fake edid sizing drm/rockchip: vop: Allow 4096px width scaling drm/radeon/evergreen_cs: fix int overflow errors in cs track offsets jfs: fix out-of-bounds in dbNextAG() and diAlloc() drm/msm/a5xx: properly clear preemption records on resume drm/msm/a5xx: fix races in preemption evaluation stage ipmi: docs: don't advertise deprecated sysfs entries drm/msm: fix %s null argument error xen: use correct end address of kernel for conflict checking xen/swiotlb: simplify range_straddles_page_boundary() xen/swiotlb: add alignment check for dma buffers selftests/bpf: Fix error compiling test_lru_map.c xz: cleanup CRC32 edits from 2018 kthread: add kthread_work tracepoints kthread: fix task state in kthread worker if being frozen 
jbd2: introduce/export functions jbd2_journal_submit|finish_inode_data_buffers() ext4: clear EXT4_GROUP_INFO_WAS_TRIMMED_BIT even mount with discard smackfs: Use rcu_assign_pointer() to ensure safe assignment in smk_set_cipso ext4: avoid negative min_clusters in find_group_orlov() ext4: return error on ext4_find_inline_entry ext4: avoid OOB when system.data xattr changes underneath the filesystem nilfs2: fix potential null-ptr-deref in nilfs_btree_insert() nilfs2: determine empty node blocks as corrupted nilfs2: fix potential oob read in nilfs_btree_check_delete() perf sched timehist: Fix missing free of session in perf_sched__timehist() perf sched timehist: Fixed timestamp error when unable to confirm event sched_in time perf time-utils: Fix 32-bit nsec parsing clk: rockchip: Set parent rate for DCLK_VOP clock on RK3228 drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error PCI: xilinx-nwl: Fix register misspelling RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency pinctrl: single: fix missing error code in pcs_probe() clk: ti: dra7-atl: Fix leak of of_nodes pinctrl: mvebu: Fix devinit_dove_pinctrl_probe function RDMA/cxgb4: Added NULL check for lookup_atid ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir() nfsd: call cache_put if xdr_reserve_space returns NULL f2fs: enhance to update i_mode and acl atomically in f2fs_setattr() f2fs: fix typo f2fs: fix to update i_ctime in __f2fs_setxattr() f2fs: remove unneeded check condition in __f2fs_setxattr() f2fs: reduce expensive checkpoint trigger frequency coresight: tmc: sg: Do not leak sg_table netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put() net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition tcp: introduce tcp_skb_timestamp_us() helper tcp: check skb is non-NULL in tcp_rto_delta_us() net: qrtr: Update packets cloning when broadcasting netfilter: ctnetlink: 
compile ctnetlink_label_size with CONFIG_NF_CONNTRACK_EVENTS crypto: aead,cipher - zeroize key buffer after use Remove *.orig pattern from .gitignore soc: versatile: integrator: fix OF node leak in probe() error path USB: appledisplay: close race between probe and completion handler USB: misc: cypress_cy7c63: check for short transfer firmware_loader: Block path traversal tty: rp2: Fix reset with non forgiving PCIe host bridges drbd: Fix atomicity violation in drbd_uuid_set_bm() drbd: Add NULL check for net_conf to prevent dereference in state validation ACPI: sysfs: validate return type of _STR method f2fs: prevent possible int overflow in dir_block_index() f2fs: avoid potential int overflow in sanity_check_area_boundary() vfs: fix race between evice_inodes() and find_inode()&iput() fs: Fix file_set_fowner LSM hook inconsistencies nfs: fix memory leak in error path of nfs4_do_reclaim PCI: xilinx-nwl: Use irq_data_get_irq_chip_data() PCI: xilinx-nwl: Fix off-by-one in INTx IRQ handler soc: versatile: realview: fix memory leak during device remove soc: versatile: realview: fix soc_dev leak during device remove usb: yurex: Replace snprintf() with the safer scnprintf() variant USB: misc: yurex: fix race between read and write pps: remove usage of the deprecated ida_simple_xx() API pps: add an error check in parport_attach i2c: aspeed: Update the stop sw state when the bus recovery occurs i2c: isch: Add missed 'else' usb: yurex: Fix inconsistent locking bug in yurex_read() mailbox: rockchip: fix a typo in module autoloading mailbox: bcm2835: Fix timeout during suspend mode ceph: remove the incorrect Fw reference check when dirtying pages netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED netfilter: nf_tables: prevent nf_skb_duplicated corruption r8152: Factor out OOB link list waits net: ethernet: lantiq_etop: fix memory disclosure net: avoid potential underflow in qdisc_pkt_len_init() with UFO net: add more sanity checks to qdisc_pkt_len_init() ipv4: ip_gre: Fix drops 
of small packets in ipgre_xmit sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start ALSA: hda/generic: Unconditionally prefer preferred_dacs pairs ALSA: hda/conexant: Fix conflicting quirk for System76 Pangolin f2fs: Require FMODE_WRITE for atomic write ioctls wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats() wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit net: hisilicon: hip04: fix OF node leak in probe() net: hisilicon: hns_dsaf_mac: fix OF node leak in hns_mac_get_info() net: hisilicon: hns_mdio: fix OF node leak in probe() ACPICA: Fix memory leak if acpi_ps_get_next_namepath() fails ACPICA: Fix memory leak if acpi_ps_get_next_field() fails ACPI: EC: Do not release locks during operation region accesses ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package() tipc: guard against string buffer overrun net: mvpp2: Increase size of queue_name buffer ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR). 
ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family tcp: avoid reusing FIN_WAIT2 when trying to find port in connect() process ACPICA: iasl: handle empty connection_node wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext() signal: Replace BUG_ON()s ALSA: asihpi: Fix potential OOB array access ALSA: hdsp: Break infinite MIDI input flush loop fbdev: pxafb: Fix possible use after free in pxafb_task() power: reset: brcmstb: Do not go into infinite loop if reset fails ata: sata_sil: Rename sil_blacklist to sil_quirks jfs: UBSAN: shift-out-of-bounds in dbFindBits jfs: Fix uaf in dbFreeBits jfs: check if leafidx greater than num leaves per dmap tree jfs: Fix uninit-value access of new_ea in ea_buffer drm/amd/display: Check stream before comparing them drm/amd/display: Fix index out of bounds in degamma hardware format translation drm/printer: Allow NULL data in devcoredump printer scsi: aacraid: Rearrange order of struct aac_srb_unit drm/radeon/r100: Handle unknown family in r100_cp_init_microcode() of/irq: Refer to actual buffer size in of_irq_parse_one() ext4: ext4_search_dir should return a proper error ext4: fix i_data_sem unlock order in ext4_ind_migrate() spi: s3c64xx: fix timeout counters in flush_fifo selftests: breakpoints: use remaining time to check if suspend succeed selftests: vDSO: fix vDSO symbols lookup for powerpc64 i2c: xiic: Wait for TX empty to avoid missed TX NAKs spi: bcm63xx: Fix module autoloading perf/core: Fix small negative period being ignored parisc: Fix itlb miss handler for 64-bit programs ALSA: core: add isascii() check to card ID generator ext4: no need to continue when the number of entries is 1 ext4: propagate errors from ext4_find_extent() in ext4_insert_range() ext4: fix incorrect tid assumption in __jbd2_log_wait_for_space() ext4: aovid use-after-free in ext4_ext_insert_extent() ext4: fix double brelse() the buffer of the extents path ext4: fix incorrect tid assumption in 
ext4_wait_for_tail_page_commit() parisc: Fix 64-bit userspace syscall path of/irq: Support #msi-cells=<0> in of_msi_get_domain jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error ocfs2: fix the la space leak when unmounting an ocfs2 volume ocfs2: fix uninit-value in ocfs2_get_block() ocfs2: reserve space for inline xattr before attaching reflink tree ocfs2: cancel dqi_sync_work before freeing oinfo ocfs2: remove unreasonable unlock in ocfs2_read_blocks ocfs2: fix null-ptr-deref when journal load failed. ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate riscv: define ILLEGAL_POINTER_VALUE for 64bit aoe: fix the potential use-after-free problem in more places clk: rockchip: fix error for unknown clocks media: uapi/linux/cec.h: cec_msg_set_reply_to: zero flags media: venus: fix use after free bug in venus_remove due to race condition iio: magnetometer: ak8975: Fix reading for ak099xx sensors tomoyo: fallback to realpath if symlink's pathname does not exist Input: adp5589-keys - fix adp5589_gpio_get_value() btrfs: wait for fixup workers before stopping cleaner kthread during umount gpio: davinci: fix lazy disable ext4: avoid ext4_error()'s caused by ENOMEM in the truncate path ext4: fix slab-use-after-free in ext4_split_extent_at() ext4: update orig_path in ext4_find_extent() arm64: Add Cortex-715 CPU part definition arm64: cputype: Add Neoverse-N3 definitions arm64: errata: Expand speculative SSBS workaround once more uprobes: fix kernel info leak via "[uprobes]" vma nfsd: use ktime_get_seconds() for timestamps nfsd: fix delegation_blocked() to block correctly for at least 30 seconds rtc: at91sam9: drop platform_data support rtc: at91sam9: fix OF node leak in probe() error path ACPI: battery: Simplify battery hook locking ACPI: battery: Fix possible crash when unregistering a battery hook ext4: fix inode tree inconsistency caused by ENOMEM net: ethernet: cortina: Drop TSO support tracing: Remove precision vsnprintf() check from 
print event drm: Move drm_mode_setcrtc() local re-init to failure path drm/crtc: fix uninitialized variable use even harder virtio_console: fix misc probe bugs Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal bpf: Check percpu map value size first s390/facility: Disable compile time optimization for decompressor code s390/mm: Add cond_resched() to cmm_alloc/free_pages() ext4: nested locking for xattr inode s390/cpum_sf: Remove WARN_ON_ONCE statements ktest.pl: Avoid false positives with grub2 skip regex clk: bcm: bcm53573: fix OF node leak in init i2c: i801: Use a different adapter-name for IDF adapters PCI: Mark Creative Labs EMU20k2 INTx masking as broken media: videobuf2-core: clear memory related fields in __vb2_plane_dmabuf_put() usb: chipidea: udc: enable suspend interrupt after usb reset tools/iio: Add memory allocation failure check for trigger_name driver core: bus: Return -EIO instead of 0 when show/store invalid bus attribute fbdev: sisfb: Fix strbuf array overflow NFS: Remove print_overflow_msg() SUNRPC: Fix integer overflow in decode_rc_list() tcp: fix tcp_enter_recovery() to zero retrans_stamp when it's safe netfilter: br_netfilter: fix panic with metadata_dst skb Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change gpio: aspeed: Add the flush write to ensure the write complete. 
clk: Add (devm_)clk_get_optional() functions clk: generalize devm_clk_get() a bit clk: Provide new devm_clk helpers for prepared and enabled clocks gpio: aspeed: Use devm_clk api to manage clock source igb: Do not bring the device up after non-fatal error net: ibm: emac: mal: fix wrong goto ppp: fix ppp_async_encode() illegal access net: ipv6: ensure we call ipv6_mc_down() at most once CDC-NCM: avoid overflow in sanity checking HID: plantronics: Workaround for an unexcepted opposite volume key Revert "usb: yurex: Replace snprintf() with the safer scnprintf() variant" usb: xhci: Fix problem with xhci resume from suspend usb: storage: ignore bogus device raised by JieLi BR21 USB sound chip net: Fix an unsafe loop on the list posix-clock: Fix missing timespec64 check in pc_clock_settime() arm64: probes: Remove broken LDR (literal) uprobe support arm64: probes: Fix simulate_ldr*_literal() PCI: Add function 0 DMA alias quirk for Glenfly Arise chip fat: fix uninitialized variable KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin() net: dsa: mv88e6xxx: Fix out-of-bound access s390/sclp_vt220: Convert newlines to CRLF instead of LFCR KVM: s390: Change virtual to physical address access in diag 0x258 handler x86/cpufeatures: Define X86_FEATURE_AMD_IBPB_RET drm/vmwgfx: Handle surface check failure correctly iio: dac: stm32-dac-core: add missing select REGMAP_MMIO in Kconfig iio: adc: ti-ads8688: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig iio: hid-sensors: Fix an error handling path in _hid_sensor_set_report_latency() iio: light: opt3001: add missing full-scale range value Bluetooth: Remove debugfs directory on module init failure Bluetooth: btusb: Fix regression with fake CSR controllers 0a12:0001 xhci: Fix incorrect stream context type macro USB: serial: option: add support for Quectel EG916Q-GL USB: serial: option: add Telit FN920C04 MBIM compositions parport: Proper fix for array out-of-bounds access x86/apic: Always explicitly disarm TSC-deadline 
timer nilfs2: propagate directory read errors from nilfs_find_entry() clk: Fix pointer casting to prevent oops in devm_clk_release() clk: Fix slab-out-of-bounds error in devm_clk_release() RDMA/bnxt_re: Fix incorrect AVID type in WQE structure RDMA/cxgb4: Fix RDMA_CM_EVENT_UNREACHABLE error for iWARP RDMA/bnxt_re: Return more meaningful error drm/msm/dsi: fix 32-bit signed integer extension in pclk_rate calculation macsec: don't increment counters for an unrelated SA net: ethernet: aeroflex: fix potential memory leak in greth_start_xmit_gbit() net: systemport: fix potential memory leak in bcm_sysport_xmit() usb: typec: altmode should keep reference to parent Bluetooth: bnep: fix wild-memory-access in proto_unregister arm64:uprobe fix the uprobe SWBP_INSN in big-endian arm64: probes: Fix uprobes for big-endian kernels KVM: s390: gaccess: Refactor gpa and length calculation KVM: s390: gaccess: Refactor access address range check KVM: s390: gaccess: Cleanup access to guest pages KVM: s390: gaccess: Check if guest address is in memslot udf: fix uninit-value use in udf_get_fileshortad jfs: Fix sanity check in dbMount net/sun3_82586: fix potential memory leak in sun3_82586_send_packet() be2net: fix potential memory leak in be_xmit() net: usb: usbnet: fix name regression posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime() ALSA: hda/realtek: Update default depop procedure drm/amd: Guard against bad data for ATIF ACPI method ACPI: button: Add DMI quirk for Samsung Galaxy Book2 to fix initial lid detection issue nilfs2: fix kernel bug due to missing clearing of buffer delay flag hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event selinux: improve error checking in sel_write_load() arm64/uprobes: change the uprobe_opcode_t typedef to fix the sparse warning xfrm: validate new SA's prefixlen using SA family when sel.family is unset usb: dwc3: remove generic PHY calibrate() calls usb: dwc3: Add splitdisable quirk for Hisilicon Kirin Soc 
usb: dwc3: core: Stop processing of pending events if controller is halted cgroup: Fix potential overflow issue when checking max_depth wifi: mac80211: skip non-uploaded keys in ieee80211_iter_keys gtp: simplify error handling code in 'gtp_encap_enable()' gtp: allow -1 to be specified as file description from userspace net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT bpf: Fix out-of-bounds write in trie_get_next_key() net: support ip generic csum processing in skb_csum_hwoffload_help net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension netfilter: nft_payload: sanitize offset and length before calling skb_checksum() firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state() net: amd: mvme147: Fix probe banner message misc: sgi-gru: Don't disable preemption in GRU driver usbip: tools: Fix detach_port() invalid port error path usb: phy: Fix API devm_usb_put_phy() can not release the phy xhci: Fix Link TRB DMA in command ring stopped completion event Revert "driver core: Fix uevent_show() vs driver detach race" wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower wifi: ath10k: Fix memory leak in management tx wifi: iwlegacy: Clear stale interrupts before resuming device nilfs2: fix potential deadlock with newly created symlinks ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow nilfs2: fix kernel bug due to missing clearing of checked flag mm: shmem: fix data-race in shmem_getattr() vt: prevent kernel-infoleak in con_font_get() Linux 4.19.323 Change-Id: I2348f834187153067ab46b3b48b8fe7da9cee1f1 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
|
c0f57dd0f1 |
ext4: nested locking for xattr inode
[ Upstream commit d1bc560e9a9c78d0b2314692847fc8661e0aeb99 ]
Add nested locking with I_MUTEX_XATTR subclass to avoid lockdep warning while handling xattr inode on file open syscall at ext4_xattr_inode_iget.
Backtrace
EXT4-fs (loop0): Ignoring removed oldalloc option
======================================================
WARNING: possible circular locking dependency detected
5.10.0-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor543/2794 is trying to acquire lock:
ffff8880215e1a48 (&ea_inode->i_rwsem#7/1){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:782 [inline]
ffff8880215e1a48 (&ea_inode->i_rwsem#7/1){+.+.}-{3:3}, at: ext4_xattr_inode_iget+0x42a/0x5c0 fs/ext4/xattr.c:425
but task is already holding lock:
ffff8880215e3278 (&ei->i_data_sem/3){++++}-{3:3}, at: ext4_setattr+0x136d/0x19c0 fs/ext4/inode.c:5559
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&ei->i_data_sem/3){++++}-{3:3}:
lock_acquire+0x197/0x480 kernel/locking/lockdep.c:5566
down_write+0x93/0x180 kernel/locking/rwsem.c:1564
ext4_update_i_disksize fs/ext4/ext4.h:3267 [inline]
ext4_xattr_inode_write fs/ext4/xattr.c:1390 [inline]
ext4_xattr_inode_lookup_create fs/ext4/xattr.c:1538 [inline]
ext4_xattr_set_entry+0x331a/0x3d80 fs/ext4/xattr.c:1662
ext4_xattr_ibody_set+0x124/0x390 fs/ext4/xattr.c:2228
ext4_xattr_set_handle+0xc27/0x14e0 fs/ext4/xattr.c:2385
ext4_xattr_set+0x219/0x390 fs/ext4/xattr.c:2498
ext4_xattr_user_set+0xc9/0xf0 fs/ext4/xattr_user.c:40
__vfs_setxattr+0x404/0x450 fs/xattr.c:177
__vfs_setxattr_noperm+0x11d/0x4f0 fs/xattr.c:208
__vfs_setxattr_locked+0x1f9/0x210 fs/xattr.c:266
vfs_setxattr+0x112/0x2c0 fs/xattr.c:283
setxattr+0x1db/0x3e0 fs/xattr.c:548
path_setxattr+0x15a/0x240 fs/xattr.c:567
__do_sys_setxattr fs/xattr.c:582 [inline]
__se_sys_setxattr fs/xattr.c:578 [inline]
__x64_sys_setxattr+0xc5/0xe0 fs/xattr.c:578
do_syscall_64+0x6d/0xa0 arch/x86/entry/common.c:62
entry_SYSCALL_64_after_hwframe+0x61/0xcb
-> #0 (&ea_inode->i_rwsem#7/1){+.+.}-{3:3}:
check_prev_add kernel/locking/lockdep.c:2988 [inline]
check_prevs_add kernel/locking/lockdep.c:3113 [inline]
validate_chain+0x1695/0x58f0 kernel/locking/lockdep.c:3729
__lock_acquire+0x12fd/0x20d0 kernel/locking/lockdep.c:4955
lock_acquire+0x197/0x480 kernel/locking/lockdep.c:5566
down_write+0x93/0x180 kernel/locking/rwsem.c:1564
inode_lock include/linux/fs.h:782 [inline]
ext4_xattr_inode_iget+0x42a/0x5c0 fs/ext4/xattr.c:425
ext4_xattr_inode_get+0x138/0x410 fs/ext4/xattr.c:485
ext4_xattr_move_to_block fs/ext4/xattr.c:2580 [inline]
ext4_xattr_make_inode_space fs/ext4/xattr.c:2682 [inline]
ext4_expand_extra_isize_ea+0xe70/0x1bb0 fs/ext4/xattr.c:2774
__ext4_expand_extra_isize+0x304/0x3f0 fs/ext4/inode.c:5898
ext4_try_to_expand_extra_isize fs/ext4/inode.c:5941 [inline]
__ext4_mark_inode_dirty+0x591/0x810 fs/ext4/inode.c:6018
ext4_setattr+0x1400/0x19c0 fs/ext4/inode.c:5562
notify_change+0xbb6/0xe60 fs/attr.c:435
do_truncate+0x1de/0x2c0 fs/open.c:64
handle_truncate fs/namei.c:2970 [inline]
do_open fs/namei.c:3311 [inline]
path_openat+0x29f3/0x3290 fs/namei.c:3425
do_filp_open+0x20b/0x450 fs/namei.c:3452
do_sys_openat2+0x124/0x460 fs/open.c:1207
do_sys_open fs/open.c:1223 [inline]
__do_sys_open fs/open.c:1231 [inline]
__se_sys_open fs/open.c:1227 [inline]
__x64_sys_open+0x221/0x270 fs/open.c:1227
do_syscall_64+0x6d/0xa0 arch/x86/entry/common.c:62
entry_SYSCALL_64_after_hwframe+0x61/0xcb
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0                    CPU1
----                    ----
lock(&ei->i_data_sem/3);
                        lock(&ea_inode->i_rwsem#7/1);
                        lock(&ei->i_data_sem/3);
lock(&ea_inode->i_rwsem#7/1);
*** DEADLOCK ***
5 locks held by syz-executor543/2794:
#0: ffff888026fbc448 (sb_writers#4){.+.+}-{0:0}, at: mnt_want_write+0x4a/0x2a0 fs/namespace.c:365
#1: ffff8880215e3488 (&sb->s_type->i_mutex_key#7){++++}-{3:3}, at: inode_lock include/linux/fs.h:782 [inline]
#1: ffff8880215e3488 (&sb->s_type->i_mutex_key#7){++++}-{3:3}, at: do_truncate+0x1cf/0x2c0 fs/open.c:62
#2: ffff8880215e3310 (&ei->i_mmap_sem){++++}-{3:3}, at: ext4_setattr+0xec4/0x19c0 fs/ext4/inode.c:5519
#3: ffff8880215e3278 (&ei->i_data_sem/3){++++}-{3:3}, at: ext4_setattr+0x136d/0x19c0 fs/ext4/inode.c:5559
#4: ffff8880215e30c8 (&ei->xattr_sem){++++}-{3:3}, at: ext4_write_trylock_xattr fs/ext4/xattr.h:162 [inline]
#4: ffff8880215e30c8 (&ei->xattr_sem){++++}-{3:3}, at: ext4_try_to_expand_extra_isize fs/ext4/inode.c:5938 [inline]
#4: ffff8880215e30c8 (&ei->xattr_sem){++++}-{3:3}, at: __ext4_mark_inode_dirty+0x4fb/0x810 fs/ext4/inode.c:6018
stack backtrace:
CPU: 1 PID: 2794 Comm: syz-executor543 Not tainted 5.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x177/0x211 lib/dump_stack.c:118
print_circular_bug+0x146/0x1b0 kernel/locking/lockdep.c:2002
check_noncircular+0x2cc/0x390 kernel/locking/lockdep.c:2123
check_prev_add kernel/locking/lockdep.c:2988 [inline]
check_prevs_add kernel/locking/lockdep.c:3113 [inline]
validate_chain+0x1695/0x58f0 kernel/locking/lockdep.c:3729
__lock_acquire+0x12fd/0x20d0 kernel/locking/lockdep.c:4955
lock_acquire+0x197/0x480 kernel/locking/lockdep.c:5566
down_write+0x93/0x180 kernel/locking/rwsem.c:1564
inode_lock include/linux/fs.h:782 [inline]
ext4_xattr_inode_iget+0x42a/0x5c0 fs/ext4/xattr.c:425
ext4_xattr_inode_get+0x138/0x410 fs/ext4/xattr.c:485
ext4_xattr_move_to_block fs/ext4/xattr.c:2580 [inline]
ext4_xattr_make_inode_space fs/ext4/xattr.c:2682 [inline]
ext4_expand_extra_isize_ea+0xe70/0x1bb0 fs/ext4/xattr.c:2774
__ext4_expand_extra_isize+0x304/0x3f0 fs/ext4/inode.c:5898
ext4_try_to_expand_extra_isize fs/ext4/inode.c:5941 [inline]
__ext4_mark_inode_dirty+0x591/0x810 fs/ext4/inode.c:6018
ext4_setattr+0x1400/0x19c0 fs/ext4/inode.c:5562
notify_change+0xbb6/0xe60 fs/attr.c:435
do_truncate+0x1de/0x2c0 fs/open.c:64
handle_truncate fs/namei.c:2970 [inline]
do_open fs/namei.c:3311 [inline]
path_openat+0x29f3/0x3290 fs/namei.c:3425
do_filp_open+0x20b/0x450 fs/namei.c:3452
do_sys_openat2+0x124/0x460 fs/open.c:1207
do_sys_open fs/open.c:1223 [inline]
__do_sys_open fs/open.c:1231 [inline]
__se_sys_open fs/open.c:1227 [inline]
__x64_sys_open+0x221/0x270 fs/open.c:1227
do_syscall_64+0x6d/0xa0 arch/x86/entry/common.c:62
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f0cde4ea229
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd81d1c978 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 0030656c69662f30 RCX: 00007f0cde4ea229
RDX: 0000000000000089 RSI: 00000000000a0a00 RDI: 00000000200001c0
RBP: 2f30656c69662f2e R08: 0000000000208000 R09: 0000000000208000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd81d1c9c0
R13: 00007ffd81d1ca00 R14: 0000000000080000 R15: 0000000000000003
EXT4-fs error (device loop0): ext4_expand_extra_isize_ea:2730: inode #13: comm syz-executor543: corrupted in-inode xattr
Signed-off-by: Wojciech Gładysz <wojciech.gladysz@infogain.com>
Link: https://patch.msgid.link/20240801143827.19135-1-wojciech.gladysz@infogain.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
|
eea5a4e7fe |
ext4: fix inode tree inconsistency caused by ENOMEM
commit 3f5424790d4377839093b68c12b130077a4e4510 upstream.
If ENOMEM fails when the extent is splitting, we need to restore the length
of the split extent.
In the ext4_split_extent_at function, only in ext4_ext_create_new_leaf will
it alloc memory and change the shape of the extent tree, even if an ENOMEM
is returned at this time, the extent tree is still self-consistent, just
restore the split extent lens in the function ext4_split_extent_at.
ext4_split_extent_at
ext4_ext_insert_extent
ext4_ext_create_new_leaf
1)ext4_ext_split
ext4_find_extent
2)ext4_ext_grow_indepth
ext4_find_extent
Signed-off-by: zhanchengbin <zhanchengbin1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20230103022812.130603-1-zhanchengbin1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: Baokun Li <libaokun1@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
|
ec0c0beb9b |
ext4: update orig_path in ext4_find_extent()
[ Upstream commit 5b4b2dcace35f618fe361a87bae6f0d13af31bc1 ]
In ext4_find_extent(), if the path is not big enough, we free it and set
*orig_path to NULL. But after reallocating and successfully initializing
the path, we don't update *orig_path, in which case the caller gets a
valid path but a NULL ppath, and this may cause a NULL pointer dereference
or a path memory leak. For example:
ext4_split_extent
path = *ppath = 2000
ext4_find_extent
if (depth > path[0].p_maxdepth)
kfree(path = 2000);
*orig_path = path = NULL;
path = kcalloc() = 3000
ext4_split_extent_at(*ppath = NULL)
path = *ppath;
ex = path[depth].p_ext;
// NULL pointer dereference!
==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000010
CPU: 6 UID: 0 PID: 576 Comm: fsstress Not tainted 6.11.0-rc2-dirty #847
RIP: 0010:ext4_split_extent_at+0x6d/0x560
Call Trace:
<TASK>
ext4_split_extent.isra.0+0xcb/0x1b0
ext4_ext_convert_to_initialized+0x168/0x6c0
ext4_ext_handle_unwritten_extents+0x325/0x4d0
ext4_ext_map_blocks+0x520/0xdb0
ext4_map_blocks+0x2b0/0x690
ext4_iomap_begin+0x20e/0x2c0
[...]
==================================================================
Therefore, *orig_path is updated when the extent lookup succeeds, so that
the caller can safely use path or *ppath.
Fixes:
|
||
|
|
393a46f60e |
ext4: fix slab-use-after-free in ext4_split_extent_at()
[ Upstream commit c26ab35702f8cd0cdc78f96aa5856bfb77be798f ]
We hit the following use-after-free:
==================================================================
BUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0
Read of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40
CPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724
Call Trace:
<TASK>
kasan_report+0x93/0xc0
ext4_split_extent_at+0xba8/0xcc0
ext4_split_extent.isra.0+0x18f/0x500
ext4_split_convert_extents+0x275/0x750
ext4_ext_handle_unwritten_extents+0x73e/0x1580
ext4_ext_map_blocks+0xe20/0x2dc0
ext4_map_blocks+0x724/0x1700
ext4_do_writepages+0x12d6/0x2a70
[...]
Allocated by task 40:
__kmalloc_noprof+0x1ac/0x480
ext4_find_extent+0xf3b/0x1e70
ext4_ext_map_blocks+0x188/0x2dc0
ext4_map_blocks+0x724/0x1700
ext4_do_writepages+0x12d6/0x2a70
[...]
Freed by task 40:
kfree+0xf1/0x2b0
ext4_find_extent+0xa71/0x1e70
ext4_ext_insert_extent+0xa22/0x3260
ext4_split_extent_at+0x3ef/0xcc0
ext4_split_extent.isra.0+0x18f/0x500
ext4_split_convert_extents+0x275/0x750
ext4_ext_handle_unwritten_extents+0x73e/0x1580
ext4_ext_map_blocks+0xe20/0x2dc0
ext4_map_blocks+0x724/0x1700
ext4_do_writepages+0x12d6/0x2a70
[...]
==================================================================
The flow of issue triggering is as follows:
ext4_split_extent_at
path = *ppath
ext4_ext_insert_extent(ppath)
ext4_ext_create_new_leaf(ppath)
ext4_find_extent(orig_path)
path = *orig_path
read_extent_tree_block
// return -ENOMEM or -EIO
ext4_free_ext_path(path)
kfree(path)
*orig_path = NULL
a. If err is -ENOMEM:
ext4_ext_dirty(path + path->p_depth)
// path use-after-free !!!
b. If err is -EIO and we have EXT_DEBUG defined:
ext4_ext_show_leaf(path)
eh = path[depth].p_hdr
// path also use-after-free !!!
So when trying to zeroout or fix the extent length, call ext4_find_extent()
to update the path.
In addition we use *ppath directly as an ext4_ext_show_leaf() input to
avoid possible use-after-free when EXT_DEBUG is defined, and to avoid
unnecessary path updates.
Fixes:
|
||
|
|
a0c3b0d448 |
ext4: avoid ext4_error()'s caused by ENOMEM in the truncate path
[ Upstream commit 73c384c0cdaa8ea9ca9ef2d0cff6a25930f1648e ]
We can't fail in the truncate path without requiring an fsck. Add work around for this by using a combination of retry loops and the __GFP_NOFAIL flag.
From: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Anna Pendleton <pendleton@google.com>
Reviewed-by: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
Link: https://lore.kernel.org/r/20200507175028.15061-1-pendleton@google.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: c26ab35702f8 ("ext4: fix slab-use-after-free in ext4_split_extent_at()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
|
93fd249f19 |
ext4: fix incorrect tid assumption in ext4_wait_for_tail_page_commit()
commit dd589b0f1445e1ea1085b98edca6e4d5dedb98d0 upstream.
Function ext4_wait_for_tail_page_commit() assumes that '0' is not a valid value for transaction IDs, which is incorrect. Don't assume that and invoke jbd2_log_wait_commit() if the journal had a committing transaction instead.
Signed-off-by: Luis Henriques (SUSE) <luis.henriques@linux.dev>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20240724161119.13448-2-luis.henriques@linux.dev
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
|
d4574bda63 |
ext4: fix double brelse() the buffer of the extents path
commit dcaa6c31134c0f515600111c38ed7750003e1b9c upstream.
In ext4_ext_try_to_merge_up(), set path[1].p_bh to NULL after it has been
released, otherwise it may be released twice. An example of what triggers
this is as follows:
split2 map split1
|--------|-------|--------|
ext4_ext_map_blocks
ext4_ext_handle_unwritten_extents
ext4_split_convert_extents
// path->p_depth == 0
ext4_split_extent
// 1. do split1
ext4_split_extent_at
|ext4_ext_insert_extent
| ext4_ext_create_new_leaf
| ext4_ext_grow_indepth
| le16_add_cpu(&neh->eh_depth, 1)
| ext4_find_extent
| // return -ENOMEM
|// get error and try zeroout
|path = ext4_find_extent
| path->p_depth = 1
|ext4_ext_try_to_merge
| ext4_ext_try_to_merge_up
| path->p_depth = 0
| brelse(path[1].p_bh) ---> not set to NULL here
|// zeroout success
// 2. update path
ext4_find_extent
// 3. do split2
ext4_split_extent_at
ext4_ext_insert_extent
ext4_ext_create_new_leaf
ext4_ext_grow_indepth
le16_add_cpu(&neh->eh_depth, 1)
ext4_find_extent
path[0].p_bh = NULL;
path->p_depth = 1
read_extent_tree_block ---> return err
// path[1].p_bh is still the old value
ext4_free_ext_path
ext4_ext_drop_refs
// path->p_depth == 1
brelse(path[1].p_bh) ---> brelse a buffer twice
Finally got the following WARNING when removing the buffer from lru:
============================================
VFS: brelse: Trying to free free buffer
WARNING: CPU: 2 PID: 72 at fs/buffer.c:1241 __brelse+0x58/0x90
CPU: 2 PID: 72 Comm: kworker/u19:1 Not tainted 6.9.0-dirty #716
RIP: 0010:__brelse+0x58/0x90
Call Trace:
<TASK>
__find_get_block+0x6e7/0x810
bdev_getblk+0x2b/0x480
__ext4_get_inode_loc+0x48a/0x1240
ext4_get_inode_loc+0xb2/0x150
ext4_reserve_inode_write+0xb7/0x230
__ext4_mark_inode_dirty+0x144/0x6a0
ext4_ext_insert_extent+0x9c8/0x3230
ext4_ext_map_blocks+0xf45/0x2dc0
ext4_map_blocks+0x724/0x1700
ext4_do_writepages+0x12d6/0x2a70
[...]
============================================
Fixes:
|
||
|
|
e17ebe4fdd |
ext4: avoid use-after-free in ext4_ext_insert_extent()
commit a164f3a432aae62ca23d03e6d926b122ee5b860d upstream.
As Ojaswin mentioned in Link, in ext4_ext_insert_extent(), if the path is
reallocated in ext4_ext_create_new_leaf(), we'll use the stale path and
cause UAF. Below is a sample trace with dummy values:
ext4_ext_insert_extent
path = *ppath = 2000
ext4_ext_create_new_leaf(ppath)
ext4_find_extent(ppath)
path = *ppath = 2000
if (depth > path[0].p_maxdepth)
kfree(path = 2000);
*ppath = path = NULL;
path = kcalloc() = 3000
*ppath = 3000;
return path;
/* here path is still 2000, UAF! */
eh = path[depth].p_hdr
==================================================================
BUG: KASAN: slab-use-after-free in ext4_ext_insert_extent+0x26d4/0x3330
Read of size 8 at addr ffff8881027bf7d0 by task kworker/u36:1/179
CPU: 3 UID: 0 PID: 179 Comm: kworker/u6:1 Not tainted 6.11.0-rc2-dirty #866
Call Trace:
<TASK>
ext4_ext_insert_extent+0x26d4/0x3330
ext4_ext_map_blocks+0xe22/0x2d40
ext4_map_blocks+0x71e/0x1700
ext4_do_writepages+0x1290/0x2800
[...]
Allocated by task 179:
ext4_find_extent+0x81c/0x1f70
ext4_ext_map_blocks+0x146/0x2d40
ext4_map_blocks+0x71e/0x1700
ext4_do_writepages+0x1290/0x2800
ext4_writepages+0x26d/0x4e0
do_writepages+0x175/0x700
[...]
Freed by task 179:
kfree+0xcb/0x240
ext4_find_extent+0x7c0/0x1f70
ext4_ext_insert_extent+0xa26/0x3330
ext4_ext_map_blocks+0xe22/0x2d40
ext4_map_blocks+0x71e/0x1700
ext4_do_writepages+0x1290/0x2800
ext4_writepages+0x26d/0x4e0
do_writepages+0x175/0x700
[...]
==================================================================
So use *ppath to update the path to avoid the above problem.
Reported-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Closes: https://lore.kernel.org/r/ZqyL6rmtwl6N4MWR@li-bb2b2a4c-3307-11b2-a85c-8fa5c3a69313.ibm.com
Fixes:
|
||
|
|
d38a882fad |
ext4: propagate errors from ext4_find_extent() in ext4_insert_range()
commit 369c944ed1d7c3fb7b35f24e4735761153afe7b3 upstream.
Even though ext4_find_extent() returns an error, ext4_insert_range() still
returns 0. This may confuse the user as to why fallocate returns success,
but the contents of the file are not as expected. So propagate the error
returned by ext4_find_extent() to avoid inconsistencies.
Fixes:
|
||
|
|
64c8c48424 |
ext4: no need to continue when the number of entries is 1
commit 1a00a393d6a7fb1e745a41edd09019bd6a0ad64c upstream.
Fixes:
|
||
|
|
4192adefc9 |
ext4: fix i_data_sem unlock order in ext4_ind_migrate()
[ Upstream commit cc749e61c011c255d81b192a822db650c68b313f ]
Fuzzing reports a possible deadlock in jbd2_log_wait_commit.
This issue is triggered when an EXT4_IOC_MIGRATE ioctl is set to require synchronous updates because the file descriptor is opened with O_SYNC. This can lead to the jbd2_journal_stop() function calling jbd2_might_wait_for_commit(), potentially causing a deadlock if the EXT4_IOC_MIGRATE call races with a write(2) system call.
This problem only arises when CONFIG_PROVE_LOCKING is enabled. In this case, the jbd2_might_wait_for_commit macro locks jbd2_handle in the jbd2_journal_stop function while i_data_sem is locked. This triggers lockdep because the jbd2_journal_start function might also lock the same jbd2_handle simultaneously.
Found by Linux Verification Center (linuxtesting.org) with syzkaller.
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Co-developed-by: Mikhail Ukhin <mish.uxin2012@yandex.ru>
Signed-off-by: Mikhail Ukhin <mish.uxin2012@yandex.ru>
Signed-off-by: Artem Sadovnikov <ancowi69@gmail.com>
Rule: add
Link: https://lore.kernel.org/stable/20240404095000.5872-1-mish.uxin2012%40yandex.ru
Link: https://patch.msgid.link/20240829152210.2754-1-ancowi69@gmail.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
|
a15514ec9f |
ext4: ext4_search_dir should return a proper error
[ Upstream commit cd69f8f9de280e331c9e6ff689ced0a688a9ce8f ]
ext4_search_dir currently returns -1 in case of a failure, while it returns 0 when the name is not found. In such failure cases, it should return an error code instead.
This becomes even more important when ext4_find_inline_entry returns an error code as well in the next commit.
-EFSCORRUPTED seems appropriate as such error code as these failures would be caused by unexpected record lengths and is in line with other instances of ext4_check_dir_entry failures.
In the case of ext4_dx_find_entry, the current use of ERR_BAD_DX_DIR was left as is to reduce the risk of regressions.
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Link: https://patch.msgid.link/20240821152324.3621860-2-cascardo@igalia.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
|
5b076d37e8 |
ext4: avoid OOB when system.data xattr changes underneath the filesystem
[ Upstream commit c6b72f5d82b1017bad80f9ebf502832fc321d796 ]
When looking up for an entry in an inlined directory, if e_value_offs is
changed underneath the filesystem by some change in the block device, it
will lead to an out-of-bounds access that KASAN detects as an UAF.
EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
loop0: detected capacity change from 2048 to 2047
==================================================================
BUG: KASAN: use-after-free in ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500
Read of size 1 at addr ffff88803e91130f by task syz-executor269/5103
CPU: 0 UID: 0 PID: 5103 Comm: syz-executor269 Not tainted 6.11.0-rc4-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500
ext4_find_inline_entry+0x4be/0x5e0 fs/ext4/inline.c:1697
__ext4_find_entry+0x2b4/0x1b30 fs/ext4/namei.c:1573
ext4_lookup_entry fs/ext4/namei.c:1727 [inline]
ext4_lookup+0x15f/0x750 fs/ext4/namei.c:1795
lookup_one_qstr_excl+0x11f/0x260 fs/namei.c:1633
filename_create+0x297/0x540 fs/namei.c:3980
do_symlinkat+0xf9/0x3a0 fs/namei.c:4587
__do_sys_symlinkat fs/namei.c:4610 [inline]
__se_sys_symlinkat fs/namei.c:4607 [inline]
__x64_sys_symlinkat+0x95/0xb0 fs/namei.c:4607
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3e73ced469
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff4d40c258 EFLAGS: 00000246 ORIG_RAX: 000000000000010a
RAX: ffffffffffffffda RBX: 0032656c69662f2e RCX: 00007f3e73ced469
RDX: 0000000020000200 RSI: 00000000ffffff9c RDI: 00000000200001c0
RBP: 0000000000000000 R08: 00007fff4d40c290 R09: 00007fff4d40c290
R10: 0023706f6f6c2f76 R11: 0000000000000246 R12: 00007fff4d40c27c
R13: 0000000000000003 R14: 431bde82d7b634db R15: 00007fff4d40c2b0
</TASK>
Calling ext4_xattr_ibody_find right after reading the inode with
ext4_get_inode_loc will lead to a check of the validity of the xattrs,
avoiding this problem.
Reported-by: syzbot+0c2508114d912a54ee79@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=0c2508114d912a54ee79
Fixes:
|
||
|
|
ce8f41fca0 |
ext4: return error on ext4_find_inline_entry
[ Upstream commit 4d231b91a944f3cab355fce65af5871fb5d7735b ]
In case of errors when reading an inode from disk or traversing inline directory entries, return an error-encoded ERR_PTR instead of returning NULL. ext4_find_inline_entry only caller, __ext4_find_entry already returns such encoded errors.
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Link: https://patch.msgid.link/20240821152324.3621860-3-cascardo@igalia.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: c6b72f5d82b1 ("ext4: avoid OOB when system.data xattr changes underneath the filesystem")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
|
7b98a77cda |
ext4: avoid negative min_clusters in find_group_orlov()
[ Upstream commit bb0a12c3439b10d88412fd3102df5b9a6e3cd6dc ]
min_clusters is signed integer and will be converted to unsigned
integer when compared with unsigned number stats.free_clusters.
If min_clusters is negative, it will be converted to a huge unsigned
value in which case all groups may not meet the actual desired free
clusters.
Set negative min_clusters to 0 to avoid unexpected behavior.
Fixes:
|
||
|
|
6f44db60f9 |
ext4: clear EXT4_GROUP_INFO_WAS_TRIMMED_BIT even mount with discard
[ Upstream commit 20cee68f5b44fdc2942d20f3172a262ec247b117 ] Commit |
||
|
|
6880313f90 |
Merge tag 'ASB-2024-09-05_4.19-stable' of https://android.googlesource.com/kernel/common into lineage-21
https://source.android.com/docs/security/bulletin/2024-09-01 CVE-2024-36972 * tag 'ASB-2024-09-05_4.19-stable' of https://android.googlesource.com/kernel/common: Linux 4.19.321 drm/fb-helper: set x/yres_virtual in drm_fb_helper_check_var ipc: remove memcg accounting for sops objects in do_semtimedop() scsi: aacraid: Fix double-free on probe failure usb: core: sysfs: Unmerge @usb3_hardware_lpm_attr_group in remove_power_attributes() usb: dwc3: st: fix probed platform device ref count on probe error path usb: dwc3: core: Prevent USB core invalid event buffer address access usb: dwc3: omap: add missing depopulate in probe error path USB: serial: option: add MeiG Smart SRM825L cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller net: busy-poll: use ktime_get_ns() instead of local_clock() gtp: fix a potential NULL pointer dereference soundwire: stream: fix programming slave ports for non-continous port maps net: prevent mss overflow in skb_segment() ida: Fix crash in ida_free when the bitmap is empty net:rds: Fix possible deadlock in rds_message_put fbmem: Check virtual screen sizes in fb_set_var() fbcon: Prevent that screen size is smaller than font size memcg: enable accounting of ipc resources cgroup/cpuset: Prevent UAF in proc_cpuset_show() ata: libata-core: Fix null pointer dereference on error media: uvcvideo: Fix integer overflow calculating timestamp filelock: Correct the filelock owner in fcntl_setlk/fcntl_setlk64 scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES dm suspend: return -ERESTARTSYS instead of -EINTR wifi: mwifiex: duplicate static structs used in driver instances pinctrl: single: fix potential NULL dereference in pcs_get_function() drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc tools: move alignment-related macros to new <linux/align.h> Input: MT - limit max slots Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY flag in HCIUARTGETPROTO ALSA: timer: Relax start tick time check for slave timer elements 
mmc: dw_mmc: allow biu and ciu clocks to defer cxgb4: add forgotten u64 ivlan cast before shift HID: wacom: Defer calculation of resolution until resolution_code is known Bluetooth: MGMT: Add error handling to pair_device() mmc: mmc_test: Fix NULL dereference on allocation failure drm/msm/dpu: don't play tricks with debug macros drm/msm: use drm_debug_enabled() to check for debug categories net: xilinx: axienet: Always disable promiscuous mode ipv6: prevent UAF in ip6_send_skb() netfilter: nft_counter: Synchronize nft_counter_reset() against reader. kcm: Serialise kcm_sendmsg() for the same socket. Bluetooth: hci_core: Fix LE quote calculation Bluetooth: hci_core: Fix not handling link timeouts propertly Bluetooth: Make use of __check_timeout on hci_sched_le block: use "unsigned long" for blk_validate_block_size(). gtp: pull network headers in gtp_dev_xmit() hrtimer: Prevent queuing of hrtimer without a function callback nvmet-rdma: fix possible bad dereference when freeing rsps ext4: set the type of max_zeroout to unsigned int to avoid overflow irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc usb: dwc3: core: Skip setting event buffers for host only controllers s390/iucv: fix receive buffer virtual vs physical address confusion openrisc: Call setup_memory() earlier in the init sequence NFS: avoid infinite loop in pnfs_update_layout. 
Bluetooth: bnep: Fix out-of-bound access usb: gadget: fsl: Increase size of name buffer for endpoints f2fs: fix to do sanity check in update_sit_entry btrfs: delete pointless BUG_ON check on quota root in btrfs_qgroup_account_extent() btrfs: send: handle unexpected data in header buffer in begin_cmd() btrfs: handle invalid root reference found in may_destroy_subvol() btrfs: change BUG_ON to assertion when checking for delayed_node root powerpc/boot: Only free if realloc() succeeds powerpc/boot: Handle allocation failure in simple_realloc() parisc: Use irq_enter_rcu() to fix warning at kernel/context_tracking.c:367 md: clean up invalid BUG_ON in md_ioctl net/sun3_82586: Avoid reading past buffer in debug output scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list() fs: binfmt_elf_efpic: don't use missing interpreter's properties media: pci: cx23885: check cx23885_vdev_init() return quota: Remove BUG_ON from dqget() ext4: do not trim the group with corrupted block bitmap powerpc/xics: Check return value of kasprintf in icp_native_map_one_cpu wifi: iwlwifi: abort scan when rfkill on but device enabled gfs2: setattr_chown: Add missing initialization scsi: spi: Fix sshdr use binfmt_misc: cleanup on filesystem umount staging: ks7010: disable bh on tx_dev_lock i2c: riic: avoid potential division by zero wifi: cw1200: Avoid processing an invalid TIM IE ssb: Fix division by zero issue in ssb_calc_clock_rate net: dsa: vsc73xx: pass value in phy_write operation atm: idt77252: prevent use after free in dequeue_rx() net/mlx5e: Correctly report errors for ethtool rx flows btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits() overflow: Implement size_t saturating arithmetic helpers overflow.h: Add flex_array_size() helper s390/cio: rename bitmap_size() -> idset_bitmap_size() memcg_write_event_control(): fix a user-triggerable oops drm/amdgpu: Actually check flags for all context ops. 
selinux: fix potential counting error in avc_add_xperms_decision() fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE bitmap: introduce generic optimized bitmap_size() dm persistent data: fix memory allocation failure dm resume: don't return EINVAL when signalled arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to NUMA_NO_NODE xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration ALSA: usb-audio: Support Yamaha P-125 quirk entry fuse: Initialize beyond-EOF page contents before setting uptodate Linux 4.19.320 nvme/pci: Add APST quirk for Lenovo N60z laptop exec: Fix ToCToU between perm check and set-uid/gid usage drm/i915/gem: Fix Virtual Memory mapping boundaries calculation media: uvcvideo: Use entity get_cur in uvc_ctrl_set arm64: cpufeature: Fix the visibility of compat hwcaps netfilter: nf_tables: prefer nft_chain_validate netfilter: nf_tables: use timestamp to check for set element timeout netfilter: nf_tables: set element extended ACK reporting support kbuild: Fix '-S -c' in x86 stack protector scripts drm/mgag200: Set DDC timeout in milliseconds drm/bridge: analogix_dp: properly handle zero sized AUX transactions x86/mtrr: Check if fixed MTRRs exist before saving them tracing: Fix overflow in get_free_elt() power: supply: axp288_charger: Round constant_charge_voltage writes down power: supply: axp288_charger: Fix constant_charge_voltage writes serial: core: check uartclk for zero to avoid divide by zero ntp: Safeguard against time_constant overflow driver core: Fix uevent_show() vs driver detach race ntp: Clamp maxerror and esterror to operating range tick/broadcast: Move per CPU pointer access into the atomic section scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic usb: gadget: core: Check for unset descriptor USB: serial: debug: do not echo input by default usb: vhci-hcd: Do not drop references before new references are gained ALSA: line6: Fix racy access to midibuf spi: spi-fsl-lpspi: Fix 
scldiv calculation spi: fsl-lpspi: remove unneeded array spi: lpspi: add the error info of transfer speed setting spi: lpspi: Add i.MX8 boards support for lpspi spi: lpspi: Let watermark change with send data length spi: lpspi: Add slave mode support spi: lpspi: Replace all "master" with "controller" bpf: kprobe: remove unused declaring of bpf_kprobe_override i2c: smbus: Send alert notifications to all devices if source not found i2c: smbus: Improve handling of stuck alerts i2c: smbus: Don't filter out duplicate alerts arm64: errata: Expand speculative SSBS workaround (again) arm64: cputype: Add Cortex-A725 definitions arm64: cputype: Add Cortex-X1C definitions arm64: errata: Expand speculative SSBS workaround arm64: errata: Unify speculative SSBS errata logic arm64: cputype: Add Cortex-X925 definitions arm64: cputype: Add Cortex-A720 definitions arm64: cputype: Add Cortex-X3 definitions arm64: errata: Add workaround for Arm errata 3194386 and 3312417 arm64: cputype: Add Neoverse-V3 definitions arm64: cputype: Add Cortex-X4 definitions arm64: Add Neoverse-V2 part arm64: cpufeature: Force HWCAP to be based on the sysreg visible to user-space arm64: Add support for SB barrier and patch in over DSB; ISB sequences ext4: fix wrong unit use in ext4_mb_find_by_goal SUNRPC: Fix a race to wake a sync task s390/sclp: Prevent release of buffer in I/O jbd2: avoid memleak in jbd2_journal_write_metadata_buffer media: uvcvideo: Fix the bandwdith quirk on USB 3.x media: uvcvideo: Ignore empty TS packets btrfs: fix bitmap leak when loading free space cache on duplicate entry wifi: nl80211: don't give key data to userspace udf: prevent integer overflow in udf_bitmap_free_blocks() PCI: Add Edimax Vendor ID to pci_ids.h clocksource/drivers/sh_cmt: Address race condition for clock events md/raid5: avoid BUG_ON() while continue reshape after reassembling net: fec: Stop PPS on driver remove Bluetooth: l2cap: always unlock channel in l2cap_conless_channel() net: linkwatch: use 
system_unbound_wq net: usb: qmi_wwan: fix memory leak for not ip packets x86/mm: Fix pti_clone_pgtable() alignment assumption irqchip/mbigen: Fix mbigen node address layout net: usb: sr9700: fix uninitialized variable use in sr_mdio_read ALSA: usb-audio: Correct surround channels in UAC1 channel map protect the fetch of ->fd[fd] in do_dup2() from mispredictions ipv6: fix ndisc_is_useropt() handling for PIO net/iucv: fix use after free in iucv_sock_close() drm/vmwgfx: Fix overlay when using Screen Targets remoteproc: imx_rproc: Skip over memory region when node value is NULL remoteproc: imx_rproc: Fix ignoring mapping vdev regions remoteproc: imx_rproc: ignore mapping vdev regions perf/x86/intel/pt: Fix a topa_entry base address calculation perf/x86/intel/pt: Split ToPA metadata and page layout perf/x86/intel/pt: Use pointer arithmetics instead in ToPA entry calculation perf/x86/intel/pt: Use helpers to obtain ToPA entry size perf/x86/intel/pt: Export pt_cap_get() devres: Fix memory leakage caused by driver API devm_free_percpu() driver core: Cast to (void *) with __force for __percpu pointer dev/parport: fix the array out-of-bounds risk parport: Standardize use of printmode parport: Convert printk(KERN_<LEVEL> to pr_<level>( parport: parport_pc: Mark expected switch fall-through PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio PCI: rockchip: Make 'ep-gpios' DT property optional mm: avoid overflows in dirty throttling logic mISDN: Fix a use after free in hfcmulti_tx() tipc: Return non-zero value from tipc_udp_addr2str() on error net: bonding: correctly annotate RCU in bond_should_notify_peers() ipv4: Fix incorrect source address in Record Route option net: ip_rt_get_source() - use new style struct initializer instead of memset MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later dma: fix call order in dmam_free_coherent jfs: Fix array-index-out-of-bounds in diFree kdb: Use the passed prompt in kdb_position_cursor() kdb: address 
-Wformat-security warnings kdb: Fix bound check compiler warning nilfs2: handle inconsistent state in nilfs_btnode_create_block() selftests/sigaltstack: Fix ppc64 GCC build RDMA/iwcm: Fix a use-after-free related to destroying CM IDs platform: mips: cpu_hwmon: Disable driver on unsupported hardware watchdog/perf: properly initialize the turbo mode timestamp and rearm counter perf/x86/intel/pt: Fix topa_entry base length scsi: qla2xxx: validate nvme_local_port correctly scsi: qla2xxx: During vport delete send async logout explicitly rtc: cmos: Fix return value of nvmem callbacks kobject_uevent: Fix OOB access within zap_modalias_env() decompress_bunzip2: fix rare decompression failure ubi: eba: properly rollback inside self_check_eba clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use f2fs: fix to don't dirty inode for readonly filesystem scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds binder: fix hang of unregistered readers PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN hwrng: amd - Convert PCIBIOS_* return codes to errnos tools/memory-model: Fix bug in lock.cat leds: ss4200: Convert PCIBIOS_* return codes to errnos wifi: mwifiex: Fix interface type change ext4: make sure the first directory block is not a hole ext4: check dot and dotdot of dx_root before making dir indexed m68k: amiga: Turn off Warp1260 interrupts during boot drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode() media: venus: fix use after free in vdec_close char: tpm: Fix possible memory leak in tpm_bios_measurements_open() ipv6: take care of scope when choosing the src addr af_packet: Handle outgoing VLAN packets without hardware offloading net: netconsole: Disable target before netpoll cleanup tick/broadcast: Make takeover of broadcast hrtimer reliable nilfs2: avoid undefined behavior in 
nilfs_cnt32_ge macro fs/nilfs2: remove some unused macros to tame gcc pinctrl: freescale: mxs: Fix refcount of child pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable() fails pinctrl: ti: ti-iodelay: Drop if block with always false condition pinctrl: single: fix possible memory leak when pinctrl_enable() fails pinctrl: core: fix possible memory leak when pinctrl_enable() fails netfilter: ctnetlink: use helper function to calculate expect ID ice: Rework flex descriptor programming bnxt_re: Fix imm_data endianness macintosh/therm_windtunnel: fix module unload. powerpc/xmon: Fix disassembly CPU feature checks MIPS: Octeron: remove source file executable bit Input: elan_i2c - do not leave interrupt disabled on suspend failure mtd: make mtd_test.c a separate module RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs RDMA/mlx4: Fix truncated output warning in alias_GUID.c RDMA/mlx4: Fix truncated output warning in mad.c PCI: Fix resource double counting on remove & rescan PCI: Equalize hotplug memory and io for occupied and empty slots sparc64: Fix incorrect function signature and add prototype for prom_cif_init ext4: avoid writing unitialized memory to disk in EA inodes mfd: omap-usb-tll: Use struct_size to allocate tll drm/etnaviv: fix DMA direction handling for cached RW buffers perf report: Fix condition in sort__sym_cmp() leds: trigger: Unregister sysfs attributes before calling deactivate() media: renesas: vsp1: Store RPF partition configuration per RPF instance media: renesas: vsp1: Fix _irqsave and _irq mix media: uvcvideo: Override default flags media: uvcvideo: Allow entity-defined get_info and get_cur saa7134: Unchecked i2c_transfer function result fixed media: imon: Fix race getting ictx->lock selftests: forwarding: devlink_lib: Wait for udev events after reloading bna: adjust 'name' buf size of bna_tcb and bna_ccb structures perf: Prevent passing zero nr_pages to rb_alloc_aux() perf: Fix perf_aux_size() for greater-than 32-bit size ipvs: 
Avoid unnecessary calls to skb_is_gso_sctp net: fec: Fix FEC_ECR_EN1588 being cleared on link-down net: fec: Refactor: #define magic constants wifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he() wifi: cfg80211: fix typo in cfg80211_calculate_bitrate_he() selftests/bpf: Check length of recv in test_sockmap net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when CONFIG_ARCH_NO_SG_CHAIN is defined net/smc: Allow SMC-D 1MB DMB allocations wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device m68k: cmpxchg: Fix return value for default case in __arch_xchg() x86/xen: Convert comma to semicolon m68k: atari: Fix TT bootup freeze / unexpected (SCU) interrupt messages arm64: dts: rockchip: Increase VOP clk rate on RK3328 hwmon: (max6697) Fix swapped temp{1,8} critical alarms hwmon: (max6697) Auto-convert to use SENSOR_DEVICE_ATTR_{RO, RW, WO} hwmon: Introduce SENSOR_DEVICE_ATTR_{RO, RW, WO} and variants hwmon: (max6697) Fix underflow when writing limit attributes pwm: stm32: Always do lazy disabling hwmon: (adt7475) Fix default duty on fan is disabled x86/platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos x86/pci/xen: Fix PCIBIOS_* return code handling x86/pci/intel_mid_pci: Fix PCIBIOS_* return code handling x86/of: Return consistent error type from x86_of_pci_irq_enable() hfsplus: fix to avoid false alarm of circular locking platform/chrome: cros_ec_debugfs: fix wrong EC message version Revert "net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and DEV_STATS_ADD()" Linux 4.19.319 filelock: Fix fcntl/close race recovery compat path jfs: don't walk off the end of ealist ocfs2: add bounds checking to ocfs2_check_dir_entry() net: relax socket state check at accept time. 
ACPI: processor_idle: Fix invalid comparison with insertion sort for latency ARM: 9324/1: fix get_user() broken with veneer filelock: Remove locks reliably when fcntl/close race is detected hfsplus: fix uninit-value in copy_name selftests/vDSO: fix clang build errors and warnings spi: imx: Don't expect DMA for i.MX{25,35,50,51,53} cspi devices fs: better handle deep ancestor chains in is_subdir() Bluetooth: hci_core: cancel all works upon hci_unregister_dev() net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and DEV_STATS_ADD() net: usb: qmi_wwan: add Telit FN912 compositions ALSA: dmaengine_pcm: terminate dmaengine before synchronize s390/sclp: Fix sclp_init() cleanup on failure can: kvaser_usb: fix return value for hif_usb_send_regout bytcr_rt5640 : inverse jack detect for Archos 101 cesium Input: elantech - fix touchpad state on resume for Lenovo N24 wifi: cfg80211: wext: add extra SIOCSIWSCAN data check mei: demote client disconnect warning on suspend to debug fs/file: fix the check in find_next_fd() kconfig: remove wrong expr_trans_bool() kconfig: gconf: give a proper initial state to the Save button ila: block BH in ila_output() Input: silead - Always support 10 fingers wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan() wifi: mac80211: mesh: init nonpeer_pm to active by default in mesh sdata ACPI: EC: Avoid returning AE_OK on errors in address space handler ACPI: EC: Abort address space access upon error scsi: qedf: Set qed_slowpath_params to zero before use gcc-plugins: Rename last_stmt() for GCC 14+ Change-Id: I5d910141e3e22bc861c6b0343780dcfbf31b6341 Signed-off-by: bengris32 <bengris32@protonmail.ch> |
||
|
|
d757552385 |
Merge 4.19.321 into android-4.19-stable
Changes in 4.19.321 fuse: Initialize beyond-EOF page contents before setting uptodate ALSA: usb-audio: Support Yamaha P-125 quirk entry xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to NUMA_NO_NODE dm resume: don't return EINVAL when signalled dm persistent data: fix memory allocation failure bitmap: introduce generic optimized bitmap_size() fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE selinux: fix potential counting error in avc_add_xperms_decision() drm/amdgpu: Actually check flags for all context ops. memcg_write_event_control(): fix a user-triggerable oops s390/cio: rename bitmap_size() -> idset_bitmap_size() overflow.h: Add flex_array_size() helper overflow: Implement size_t saturating arithmetic helpers btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits() net/mlx5e: Correctly report errors for ethtool rx flows atm: idt77252: prevent use after free in dequeue_rx() net: dsa: vsc73xx: pass value in phy_write operation ssb: Fix division by zero issue in ssb_calc_clock_rate wifi: cw1200: Avoid processing an invalid TIM IE i2c: riic: avoid potential division by zero staging: ks7010: disable bh on tx_dev_lock binfmt_misc: cleanup on filesystem umount scsi: spi: Fix sshdr use gfs2: setattr_chown: Add missing initialization wifi: iwlwifi: abort scan when rfkill on but device enabled powerpc/xics: Check return value of kasprintf in icp_native_map_one_cpu ext4: do not trim the group with corrupted block bitmap quota: Remove BUG_ON from dqget() media: pci: cx23885: check cx23885_vdev_init() return fs: binfmt_elf_efpic: don't use missing interpreter's properties scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list() net/sun3_82586: Avoid reading past buffer in debug output md: clean up invalid BUG_ON in md_ioctl parisc: Use irq_enter_rcu() to fix warning at kernel/context_tracking.c:367 powerpc/boot: Handle allocation failure in 
simple_realloc() powerpc/boot: Only free if realloc() succeeds btrfs: change BUG_ON to assertion when checking for delayed_node root btrfs: handle invalid root reference found in may_destroy_subvol() btrfs: send: handle unexpected data in header buffer in begin_cmd() btrfs: delete pointless BUG_ON check on quota root in btrfs_qgroup_account_extent() f2fs: fix to do sanity check in update_sit_entry usb: gadget: fsl: Increase size of name buffer for endpoints Bluetooth: bnep: Fix out-of-bound access NFS: avoid infinite loop in pnfs_update_layout. openrisc: Call setup_memory() earlier in the init sequence s390/iucv: fix receive buffer virtual vs physical address confusion usb: dwc3: core: Skip setting event buffers for host only controllers irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc ext4: set the type of max_zeroout to unsigned int to avoid overflow nvmet-rdma: fix possible bad dereference when freeing rsps hrtimer: Prevent queuing of hrtimer without a function callback gtp: pull network headers in gtp_dev_xmit() block: use "unsigned long" for blk_validate_block_size(). Bluetooth: Make use of __check_timeout on hci_sched_le Bluetooth: hci_core: Fix not handling link timeouts propertly Bluetooth: hci_core: Fix LE quote calculation kcm: Serialise kcm_sendmsg() for the same socket. netfilter: nft_counter: Synchronize nft_counter_reset() against reader. 
ipv6: prevent UAF in ip6_send_skb() net: xilinx: axienet: Always disable promiscuous mode drm/msm: use drm_debug_enabled() to check for debug categories drm/msm/dpu: don't play tricks with debug macros mmc: mmc_test: Fix NULL dereference on allocation failure Bluetooth: MGMT: Add error handling to pair_device() HID: wacom: Defer calculation of resolution until resolution_code is known cxgb4: add forgotten u64 ivlan cast before shift mmc: dw_mmc: allow biu and ciu clocks to defer ALSA: timer: Relax start tick time check for slave timer elements Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY flag in HCIUARTGETPROTO Input: MT - limit max slots tools: move alignment-related macros to new <linux/align.h> drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc pinctrl: single: fix potential NULL dereference in pcs_get_function() wifi: mwifiex: duplicate static structs used in driver instances dm suspend: return -ERESTARTSYS instead of -EINTR scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES filelock: Correct the filelock owner in fcntl_setlk/fcntl_setlk64 media: uvcvideo: Fix integer overflow calculating timestamp ata: libata-core: Fix null pointer dereference on error cgroup/cpuset: Prevent UAF in proc_cpuset_show() memcg: enable accounting of ipc resources fbcon: Prevent that screen size is smaller than font size fbmem: Check virtual screen sizes in fb_set_var() net:rds: Fix possible deadlock in rds_message_put ida: Fix crash in ida_free when the bitmap is empty net: prevent mss overflow in skb_segment() soundwire: stream: fix programming slave ports for non-continous port maps gtp: fix a potential NULL pointer dereference net: busy-poll: use ktime_get_ns() instead of local_clock() cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller USB: serial: option: add MeiG Smart SRM825L usb: dwc3: omap: add missing depopulate in probe error path usb: dwc3: core: Prevent USB core invalid event buffer address access usb: dwc3: st: fix probed 
platform device ref count on probe error path usb: core: sysfs: Unmerge @usb3_hardware_lpm_attr_group in remove_power_attributes() scsi: aacraid: Fix double-free on probe failure ipc: remove memcg accounting for sops objects in do_semtimedop() drm/fb-helper: set x/yres_virtual in drm_fb_helper_check_var Linux 4.19.321 Change-Id: I5ee663c7c3343a99e3c73dd8f663ca5c4e298478 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
|
2f64ae3283 |
ext4: set the type of max_zeroout to unsigned int to avoid overflow
[ Upstream commit 261341a932d9244cbcd372a3659428c8723e5a49 ]
The max_zeroout is of type int and the s_extent_max_zeroout_kb is of type uint, and the s_extent_max_zeroout_kb can be freely modified via the sysfs interface. When the block size is 1024, max_zeroout may overflow, so declare it as unsigned int to avoid overflow.
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20240319113325.3110393-9-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
|
cac7c9fcd1 |
ext4: do not trim the group with corrupted block bitmap
[ Upstream commit 172202152a125955367393956acf5f4ffd092e0d ]
Otherwise operating on an incorrupted block bitmap can lead to all sorts of unknown problems.
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20240104142040.2835097-3-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
|
bbc4834e22 |
Merge 4.19.320 into android-4.19-stable
Changes in 4.19.320
platform/chrome: cros_ec_debugfs: fix wrong EC message version
hfsplus: fix to avoid false alarm of circular locking
x86/of: Return consistent error type from x86_of_pci_irq_enable()
x86/pci/intel_mid_pci: Fix PCIBIOS_* return code handling
x86/pci/xen: Fix PCIBIOS_* return code handling
x86/platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos
hwmon: (adt7475) Fix default duty on fan is disabled
pwm: stm32: Always do lazy disabling
hwmon: (max6697) Fix underflow when writing limit attributes
hwmon: Introduce SENSOR_DEVICE_ATTR_{RO, RW, WO} and variants
hwmon: (max6697) Auto-convert to use SENSOR_DEVICE_ATTR_{RO, RW, WO}
hwmon: (max6697) Fix swapped temp{1,8} critical alarms
arm64: dts: rockchip: Increase VOP clk rate on RK3328
m68k: atari: Fix TT bootup freeze / unexpected (SCU) interrupt messages
x86/xen: Convert comma to semicolon
m68k: cmpxchg: Fix return value for default case in __arch_xchg()
wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device
net/smc: Allow SMC-D 1MB DMB allocations
net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when CONFIG_ARCH_NO_SG_CHAIN is defined
selftests/bpf: Check length of recv in test_sockmap
wifi: cfg80211: fix typo in cfg80211_calculate_bitrate_he()
wifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he()
net: fec: Refactor: #define magic constants
net: fec: Fix FEC_ECR_EN1588 being cleared on link-down
ipvs: Avoid unnecessary calls to skb_is_gso_sctp
perf: Fix perf_aux_size() for greater-than 32-bit size
perf: Prevent passing zero nr_pages to rb_alloc_aux()
bna: adjust 'name' buf size of bna_tcb and bna_ccb structures
selftests: forwarding: devlink_lib: Wait for udev events after reloading
media: imon: Fix race getting ictx->lock
saa7134: Unchecked i2c_transfer function result fixed
media: uvcvideo: Allow entity-defined get_info and get_cur
media: uvcvideo: Override default flags
media: renesas: vsp1: Fix _irqsave and _irq mix
media: renesas: vsp1: Store RPF partition configuration per RPF instance
leds: trigger: Unregister sysfs attributes before calling deactivate()
perf report: Fix condition in sort__sym_cmp()
drm/etnaviv: fix DMA direction handling for cached RW buffers
mfd: omap-usb-tll: Use struct_size to allocate tll
ext4: avoid writing unitialized memory to disk in EA inodes
sparc64: Fix incorrect function signature and add prototype for prom_cif_init
PCI: Equalize hotplug memory and io for occupied and empty slots
PCI: Fix resource double counting on remove & rescan
RDMA/mlx4: Fix truncated output warning in mad.c
RDMA/mlx4: Fix truncated output warning in alias_GUID.c
RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs
mtd: make mtd_test.c a separate module
Input: elan_i2c - do not leave interrupt disabled on suspend failure
MIPS: Octeron: remove source file executable bit
powerpc/xmon: Fix disassembly CPU feature checks
macintosh/therm_windtunnel: fix module unload.
bnxt_re: Fix imm_data endianness
ice: Rework flex descriptor programming
netfilter: ctnetlink: use helper function to calculate expect ID
pinctrl: core: fix possible memory leak when pinctrl_enable() fails
pinctrl: single: fix possible memory leak when pinctrl_enable() fails
pinctrl: ti: ti-iodelay: Drop if block with always false condition
pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable() fails
pinctrl: freescale: mxs: Fix refcount of child
fs/nilfs2: remove some unused macros to tame gcc
nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro
tick/broadcast: Make takeover of broadcast hrtimer reliable
net: netconsole: Disable target before netpoll cleanup
af_packet: Handle outgoing VLAN packets without hardware offloading
ipv6: take care of scope when choosing the src addr
char: tpm: Fix possible memory leak in tpm_bios_measurements_open()
media: venus: fix use after free in vdec_close
hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()
drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes
drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes
m68k: amiga: Turn off Warp1260 interrupts during boot
ext4: check dot and dotdot of dx_root before making dir indexed
ext4: make sure the first directory block is not a hole
wifi: mwifiex: Fix interface type change
leds: ss4200: Convert PCIBIOS_* return codes to errnos
tools/memory-model: Fix bug in lock.cat
hwrng: amd - Convert PCIBIOS_* return codes to errnos
PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN
binder: fix hang of unregistered readers
scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds
f2fs: fix to don't dirty inode for readonly filesystem
clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use
ubi: eba: properly rollback inside self_check_eba
decompress_bunzip2: fix rare decompression failure
kobject_uevent: Fix OOB access within zap_modalias_env()
rtc: cmos: Fix return value of nvmem callbacks
scsi: qla2xxx: During vport delete send async logout explicitly
scsi: qla2xxx: validate nvme_local_port correctly
perf/x86/intel/pt: Fix topa_entry base length
watchdog/perf: properly initialize the turbo mode timestamp and rearm counter
platform: mips: cpu_hwmon: Disable driver on unsupported hardware
RDMA/iwcm: Fix a use-after-free related to destroying CM IDs
selftests/sigaltstack: Fix ppc64 GCC build
nilfs2: handle inconsistent state in nilfs_btnode_create_block()
kdb: Fix bound check compiler warning
kdb: address -Wformat-security warnings
kdb: Use the passed prompt in kdb_position_cursor()
jfs: Fix array-index-out-of-bounds in diFree
dma: fix call order in dmam_free_coherent
MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later
net: ip_rt_get_source() - use new style struct initializer instead of memset
ipv4: Fix incorrect source address in Record Route option
net: bonding: correctly annotate RCU in bond_should_notify_peers()
tipc: Return non-zero value from tipc_udp_addr2str() on error
mISDN: Fix a use after free in hfcmulti_tx()
mm: avoid overflows in dirty throttling logic
PCI: rockchip: Make 'ep-gpios' DT property optional
PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio
parport: parport_pc: Mark expected switch fall-through
parport: Convert printk(KERN_<LEVEL> to pr_<level>(
parport: Standardize use of printmode
dev/parport: fix the array out-of-bounds risk
driver core: Cast to (void *) with __force for __percpu pointer
devres: Fix memory leakage caused by driver API devm_free_percpu()
perf/x86/intel/pt: Export pt_cap_get()
perf/x86/intel/pt: Use helpers to obtain ToPA entry size
perf/x86/intel/pt: Use pointer arithmetics instead in ToPA entry calculation
perf/x86/intel/pt: Split ToPA metadata and page layout
perf/x86/intel/pt: Fix a topa_entry base address calculation
remoteproc: imx_rproc: ignore mapping vdev regions
remoteproc: imx_rproc: Fix ignoring mapping vdev regions
remoteproc: imx_rproc: Skip over memory region when node value is NULL
drm/vmwgfx: Fix overlay when using Screen Targets
net/iucv: fix use after free in iucv_sock_close()
ipv6: fix ndisc_is_useropt() handling for PIO
protect the fetch of ->fd[fd] in do_dup2() from mispredictions
ALSA: usb-audio: Correct surround channels in UAC1 channel map
net: usb: sr9700: fix uninitialized variable use in sr_mdio_read
irqchip/mbigen: Fix mbigen node address layout
x86/mm: Fix pti_clone_pgtable() alignment assumption
net: usb: qmi_wwan: fix memory leak for not ip packets
net: linkwatch: use system_unbound_wq
Bluetooth: l2cap: always unlock channel in l2cap_conless_channel()
net: fec: Stop PPS on driver remove
md/raid5: avoid BUG_ON() while continue reshape after reassembling
clocksource/drivers/sh_cmt: Address race condition for clock events
PCI: Add Edimax Vendor ID to pci_ids.h
udf: prevent integer overflow in udf_bitmap_free_blocks()
wifi: nl80211: don't give key data to userspace
btrfs: fix bitmap leak when loading free space cache on duplicate entry
media: uvcvideo: Ignore empty TS packets
media: uvcvideo: Fix the bandwdith quirk on USB 3.x
jbd2: avoid memleak in jbd2_journal_write_metadata_buffer
s390/sclp: Prevent release of buffer in I/O
SUNRPC: Fix a race to wake a sync task
ext4: fix wrong unit use in ext4_mb_find_by_goal
arm64: Add support for SB barrier and patch in over DSB; ISB sequences
arm64: cpufeature: Force HWCAP to be based on the sysreg visible to user-space
arm64: Add Neoverse-V2 part
arm64: cputype: Add Cortex-X4 definitions
arm64: cputype: Add Neoverse-V3 definitions
arm64: errata: Add workaround for Arm errata 3194386 and 3312417
arm64: cputype: Add Cortex-X3 definitions
arm64: cputype: Add Cortex-A720 definitions
arm64: cputype: Add Cortex-X925 definitions
arm64: errata: Unify speculative SSBS errata logic
arm64: errata: Expand speculative SSBS workaround
arm64: cputype: Add Cortex-X1C definitions
arm64: cputype: Add Cortex-A725 definitions
arm64: errata: Expand speculative SSBS workaround (again)
i2c: smbus: Don't filter out duplicate alerts
i2c: smbus: Improve handling of stuck alerts
i2c: smbus: Send alert notifications to all devices if source not found
bpf: kprobe: remove unused declaring of bpf_kprobe_override
spi: lpspi: Replace all "master" with "controller"
spi: lpspi: Add slave mode support
spi: lpspi: Let watermark change with send data length
spi: lpspi: Add i.MX8 boards support for lpspi
spi: lpspi: add the error info of transfer speed setting
spi: fsl-lpspi: remove unneeded array
spi: spi-fsl-lpspi: Fix scldiv calculation
ALSA: line6: Fix racy access to midibuf
usb: vhci-hcd: Do not drop references before new references are gained
USB: serial: debug: do not echo input by default
usb: gadget: core: Check for unset descriptor
scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic
tick/broadcast: Move per CPU pointer access into the atomic section
ntp: Clamp maxerror and esterror to operating range
driver core: Fix uevent_show() vs driver detach race
ntp: Safeguard against time_constant overflow
serial: core: check uartclk for zero to avoid divide by zero
power: supply: axp288_charger: Fix constant_charge_voltage writes
power: supply: axp288_charger: Round constant_charge_voltage writes down
tracing: Fix overflow in get_free_elt()
x86/mtrr: Check if fixed MTRRs exist before saving them
drm/bridge: analogix_dp: properly handle zero sized AUX transactions
drm/mgag200: Set DDC timeout in milliseconds
kbuild: Fix '-S -c' in x86 stack protector scripts
netfilter: nf_tables: set element extended ACK reporting support
netfilter: nf_tables: use timestamp to check for set element timeout
netfilter: nf_tables: prefer nft_chain_validate
arm64: cpufeature: Fix the visibility of compat hwcaps
media: uvcvideo: Use entity get_cur in uvc_ctrl_set
drm/i915/gem: Fix Virtual Memory mapping boundaries calculation
exec: Fix ToCToU between perm check and set-uid/gid usage
nvme/pci: Add APST quirk for Lenovo N60z laptop
Linux 4.19.320
Change-Id: I12efa55c04d97f29d34f1a49511948735871b2bd
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
|
585b8d86c3 |
ext4: fix wrong unit use in ext4_mb_find_by_goal
[ Upstream commit 99c515e3a860576ba90c11acbc1d6488dfca6463 ]
We need start in block unit while fe_start is in cluster unit. Use ext4_grp_offs_to_block helper to convert fe_start to get start in block unit.
Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Link: https://lore.kernel.org/r/20230603150327.3596033-4-shikemeng@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
|
d81d7e347d |
ext4: make sure the first directory block is not a hole
commit f9ca51596bbfd0f9c386dd1c613c394c78d9e5e6 upstream.
The syzbot constructs a directory that has no dirblock but is non-inline,
i.e. the first directory block is a hole. And no errors are reported when
creating files in this directory in the following flow.
    ext4_mknod
     ...
      ext4_add_entry
        // Read block 0
        ext4_read_dirblock(dir, block, DIRENT)
          bh = ext4_bread(NULL, inode, block, 0)
          if (!bh && (type == INDEX || type == DIRENT_HTREE))
          // The first directory block is a hole
          // But type == DIRENT, so no error is reported.
After that, we get a directory block without '.' and '..' but with a valid
dentry. This may cause some code that relies on dot or dotdot (such as
make_indexed_dir()) to crash.
Therefore when ext4_read_dirblock() finds that the first directory block
is a hole report that the filesystem is corrupted and return an error to
avoid loading corrupted data from disk causing something bad.
Reported-by: syzbot+ae688d469e36fb5138d0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ae688d469e36fb5138d0
Fixes: 4e19d6b65fb4 ("ext4: allow directory holes")
Cc: stable@kernel.org
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20240702132349.2600605-3-libaokun@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
|
b80575ffa9 |
ext4: check dot and dotdot of dx_root before making dir indexed
commit 50ea741def587a64e08879ce6c6a30131f7111e7 upstream.
Syzbot reports an issue as follows:
============================================
BUG: unable to handle page fault for address: ffffed11022e24fe
PGD 23ffee067 P4D 23ffee067 PUD 0
Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 PID: 5079 Comm: syz-executor306 Not tainted 6.10.0-rc5-g55027e689933 #0
Call Trace:
<TASK>
make_indexed_dir+0xdaf/0x13c0 fs/ext4/namei.c:2341
ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2451
ext4_rename fs/ext4/namei.c:3936 [inline]
ext4_rename2+0x26e5/0x4370 fs/ext4/namei.c:4214
[...]
============================================
The immediate cause of this problem is that there is only one valid dentry
for the block to be split during do_split, so split==0 results in out of
bounds accesses to the map triggering the issue.
    do_split
      unsigned split
      dx_make_map
       count = 1
      split = count/2 = 0;
      continued = hash2 == map[split - 1].hash;
       ---> map[4294967295]
The maximum length of a filename is 255 and the minimum block size is 1024,
so it is always guaranteed that the number of entries is greater than or
equal to 2 when do_split() is called.
But syzbot's crafted image has no dot and dotdot in dir, and the dentry
distribution in dirblock is as follows:
  bus     dentry1          hole           dentry2           free
|xx--|xx-------------|...............|xx-------------|...............|
0   12 (8+248)=256  268     256     524 (8+256)=264 788     236     1024
So when renaming dentry1 increases its name_len length by 1, neither hole
nor free is sufficient to hold the new dentry, and make_indexed_dir() is
called.
In make_indexed_dir() it is assumed that the first two entries of the
dirblock must be dot and dotdot, so bus and dentry1 are left in dx_root
because they are treated as dot and dotdot, and only dentry2 is moved
to the new leaf block. That's why count is equal to 1.
Therefore add the ext4_check_dx_root() helper function to add more sanity
checks to dot and dotdot before starting the conversion to avoid the above
issue.
Reported-by: syzbot+ae688d469e36fb5138d0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ae688d469e36fb5138d0
Fixes:
|
||
|
|
282e8d4e9d |
ext4: avoid writing unitialized memory to disk in EA inodes
[ Upstream commit 65121eff3e4c8c90f8126debf3c369228691c591 ]
If the extended attribute size is not a multiple of block size, the last
block in the EA inode will have uninitialized tail which will get
written to disk. We will never expose the data to userspace but still
this is not a good practice so just zero out the tail of the block as it
isn't going to cause a noticeable performance overhead.
Fixes:
|
||
|
|
425dddb2d1 |
Merge tag 'ASB-2024-07-05_4.19-stable' of https://android.googlesource.com/kernel/common into lineage-21
https://source.android.com/docs/security/bulletin/2024-07-01
CVE-2024-26923
* tag 'ASB-2024-07-05_4.19-stable' of https://android.googlesource.com/kernel/common:
Linux 4.19.317
arm64: dts: rockchip: Add sound-dai-cells for RK3368
tcp: Fix data races around icsk->icsk_af_ops.
ipv6: Fix data races around sk->sk_prot.
ipv6: annotate some data-races around sk->sk_prot
pwm: stm32: Refuse too small period requests
ftruncate: pass a signed offset
ata: libata-core: Fix double free on error
batman-adv: Don't accept TT entries for out-of-spec VIDs
drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes
drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes
hexagon: fix fadvise64_64 calling conventions
tty: mcf: MCF54418 has 10 UARTS
usb: atm: cxacru: fix endpoint checking in cxacru_bind()
usb: musb: da8xx: fix a resource leak in probe()
usb: gadget: printer: SS+ support
net: usb: ax88179_178a: improve link status logs
iio: chemical: bme680: Fix sensor data read operation
iio: chemical: bme680: Fix overflows in compensate() functions
iio: chemical: bme680: Fix calibration data variable
iio: chemical: bme680: Fix pressure value output
iio: adc: ad7266: Fix variable checking bug
mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos
x86: stop playing stack games in profile_pc()
i2c: ocores: set IACK bit after core is enabled
i2c: ocores: stop transfer on timeout
gpio: davinci: Validate the obtained number of IRQs
nvme: fixup comment for nvme RDMA Provider Type
soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message
media: dvbdev: Initialize sbuf
ALSA: emux: improve patch ioctl data validation
net/iucv: Avoid explicit cpumask var allocation on stack
drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep
netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers
ASoC: fsl-asoc-card: set priv->pdev before using it
netfilter: nf_tables: validate family when identifying table via handle
drm/amdgpu: fix UBSAN warning in kv_dpm.c
pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set
pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins
pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins
pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER
usb: xhci: do not perform Soft Retry for some xHCI hosts
xhci: Set correct transferred length for cancelled bulk transfers
xhci: Use soft retry to recover faster from transaction errors
scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory
scsi: mpt3sas: Gracefully handle online firmware update
scsi: mpt3sas: Add ioc_<level> logging macros
iio: dac: ad5592r: fix temperature channel scaling value
iio: dac: ad5592r: un-indent code-block for scale read
iio: dac: ad5592r-base: Replace indio_dev->mlock with own device lock
x86/amd_nb: Check for invalid SMN reads
PCI: Add PCI_ERROR_RESPONSE and related definitions
perf/core: Fix missing wakeup when waiting for context reference
tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test
selftests/ftrace: Fix checkbashisms errors
ARM: dts: samsung: smdk4412: fix keypad no-autorepeat
ARM: dts: samsung: exynos4412-origen: fix keypad no-autorepeat
ARM: dts: samsung: smdkv310: fix keypad no-autorepeat
gcov: add support for GCC 14
drm/radeon: fix UBSAN warning in kv_dpm.c
ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine."
dmaengine: ioatdma: Fix missing kmem_cache_destroy()
regulator: core: Fix modpost error "regulator_get_regmap" undefined
net: usb: rtl8150 fix unintiatilzed variables in rtl8150_get_link_ksettings
virtio_net: checksum offloading handling fix
xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()
ipv6: prevent possible NULL dereference in rt6_probe()
netrom: Fix a memory leak in nr_heartbeat_expiry()
cipso: fix total option length computation
MIPS: Routerboard 532: Fix vendor retry check code
MIPS: Octeon: Add PCIe link status check
PCI/PM: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports
udf: udftime: prevent overflow in udf_disk_stamp_to_time()
usb: misc: uss720: check for incompatible versions of the Belkin F5U002
powerpc/io: Avoid clang null pointer arithmetic warnings
powerpc/pseries: Enforce hcall result buffer validity and size
scsi: qedi: Fix crash while reading debugfs attribute
batman-adv: bypass empty buckets in batadv_purge_orig_ref()
rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment
usb-storage: alauda: Check whether the media is initialized
hugetlb_encode.h: fix undefined behaviour (34 << 26)
hv_utils: drain the timesync packets on onchannelcallback
nilfs2: fix potential kernel bug due to lack of writeback flag waiting
intel_th: pci: Add Lunar Lake support
intel_th: pci: Add Meteor Lake-S support
intel_th: pci: Add Sapphire Rapids SOC support
intel_th: pci: Add Granite Rapids SOC support
intel_th: pci: Add Granite Rapids support
dmaengine: axi-dmac: fix possible race in remove()
PCI: rockchip-ep: Remove wrong mask on subsys_vendor_id
ocfs2: fix races between hole punching and AIO+DIO
ocfs2: use coarse time for new created files
fs/proc: fix softlockup in __read_vmcore
vmci: prevent speculation leaks by sanitizing event in event_deliver()
drm/exynos/vidi: fix memory leak in .get_modes()
drivers: core: synchronize really_probe() and dev_uevent()
net/ipv6: Fix the RT cache flush via sysctl using a previous delay
ipv6/route: Add a missing check on proc_dointvec
Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ
tcp: fix race in tcp_v6_syn_recv_sock()
drm/bridge/panel: Fix runtime warning on panel bridge release
liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet
iommu/amd: Fix sysfs leak in iommu init
HID: core: remove unnecessary WARN_ON() in implement()
xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING
Input: try trimming too long modalias strings
xhci: Apply broken streams quirk to Etron EJ188 xHCI host
xhci: Apply reset resume quirk to Etron EJ188 xHCI host
jfs: xattr: fix buffer overflow for invalid xattr
mei: me: release irq in mei_me_pci_resume error path
USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages
nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors
nilfs2: return the mapped address from nilfs_get_page()
nilfs2: Remove check for PageError
selftests/mm: compaction_test: fix bogus test success on Aarch64
selftests/mm: conform test to TAP format output
selftests/mm: compaction_test: fix incorrect write of zero to nr_hugepages
media: mc: mark the media devnode as registered from the, start
serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler
serial: sc16is7xx: replace hardcoded divisor value with BIT() macro
drm/amd/display: Handle Y carry-over in VCP X.Y calculation
usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete
af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill().
af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen().
af_unix: Use unix_recvq_full_lockless() in unix_stream_connect().
af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen.
af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG.
af_unix: Annotate data-races around sk->sk_state in sendmsg() and recvmsg().
af_unix: Annotate data-races around sk->sk_state in unix_write_space() and poll().
af_unix: Annotate data-race of sk->sk_state in unix_inq_len().
ptp: Fix error message on failed pin verification
tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB
vxlan: Fix regression when dropping packets due to invalid src addresses
ipv6: sr: block BH in seg6_output_core() and seg6_input_core()
wifi: iwlwifi: mvm: don't read past the mfuart notifcation
wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64
wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()
wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects
ANDROID: arm64: Place CFI jump table sections in .text
Linux 4.19.316
nfs: fix undefined behavior in nfs_block_bits()
s390/ap: Fix crash in AP internal function modify_bitmap()
ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()
sparc: move struct termio to asm/termios.h
net: fix __dst_negative_advice() race
kdb: Use format-specifiers rather than memset() for padding in kdb_read()
kdb: Merge identical case statements in kdb_read()
kdb: Fix console handling when editing and tab-completing commands
kdb: Use format-strings rather than '\0' injection in kdb_read()
kdb: Fix buffer overflow during tab-complete
sparc64: Fix number of online CPUs
intel_th: pci: Add Meteor Lake-S CPU support
net/9p: fix uninit-value in p9_client_rpc()
crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak
KVM: arm64: Allow AArch32 PSTATE.M to be restored as System mode
netfilter: nf_tables: discard table flag update with pending basechain deletion
netfilter: nf_tables: reject new basechain after table flag update
netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout
netfilter: nf_tables: do not compare internal table flags on updates
netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate()
netfilter: nf_tables: set dormant flag on hook register failure
netfilter: nft_set_rbtree: skip end interval element from gc
netfilter: nf_tables: validate NFPROTO_* family
netfilter: nf_tables: skip dead set elements in netlink dump
netfilter: nf_tables: mark newset as dead on transaction abort
netfilter: nft_dynset: relax superfluous check on set updates
netfilter: nft_dynset: report EOPNOTSUPP on missing set feature
netfilter: nftables: exthdr: fix 4-byte stack OOB write
netfilter: nft_dynset: fix timeouts later than 23 days
netfilter: nf_tables: bogus EBUSY when deleting flowtable after flush (for 4.19)
netfilter: nf_tables: disable toggling dormant table state more than once
netfilter: nf_tables: fix table flag updates
netfilter: nftables: update table flags from the commit phase
netfilter: nf_tables: double hook unregistration in netns path
netfilter: nf_tables: unregister flowtable hooks on netns exit
netfilter: nf_tables: fix memleak when more than 255 elements expired
netfilter: nft_set_hash: try later when GC hits EAGAIN on iteration
netfilter: nft_set_rbtree: use read spinlock to avoid datapath contention
netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction
netfilter: nf_tables: defer gc run if previous batch is still pending
netfilter: nf_tables: GC transaction race with abort path
netfilter: nf_tables: GC transaction race with netns dismantle
netfilter: nf_tables: fix GC transaction races with netns and netlink event exit path
netfilter: nf_tables: remove busy mark and gc batch API
netfilter: nf_tables: adapt set backend to use GC transaction API
netfilter: nf_tables: GC transaction API to avoid race with control plane
netfilter: nf_tables: don't skip expired elements during walk
netfilter: nft_set_rbtree: fix overlap expiration walk
netfilter: nft_set_rbtree: fix null deref on element insertion
netfilter: nft_set_rbtree: Switch to node list walk for overlap detection
netfilter: nft_set_rbtree: Add missing expired checks
netfilter: nft_set_rbtree: allow loose matching of closing element in interval
netfilter: nf_tables: drop map element references from preparation phase
netfilter: nftables: rename set element data activation/deactivation functions
netfilter: nf_tables: pass context to nft_set_destroy()
fbdev: savage: Handle err return when savagefb_check_var failed
media: v4l2-core: hold videodev_lock until dev reg, finishes
media: mxl5xx: Move xpt structures off stack
arm64: dts: hi3798cv200: fix the size of GICR
wifi: rtl8xxxu: Fix the TX power of RTL8192CU, RTL8723AU
md/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING
arm64: tegra: Correct Tegra132 I2C alias
ata: pata_legacy: make legacy_exit() work again
neighbour: fix unaligned access to pneigh_entry
vxlan: Fix regression when dropping packets due to invalid src addresses
nilfs2: fix use-after-free of timer for log writer thread
mmc: core: Do not force a retune before RPMB switch
binder: fix max_thread type inconsistency
SUNRPC: Fix loop termination condition in gss_free_in_token_pages()
genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline
ALSA: timer: Set lower bound of start tick time
ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound
kconfig: fix comparison to constant symbols, 'm', 'n'
net:fec: Add fec_enet_deinit()
net: usb: smsc95xx: fix changing LED_SEL bit value updated from EEPROM
smsc95xx: use usbnet->driver_priv
smsc95xx: remove redundant function arguments
enic: Validate length of nl attributes in enic_set_vf_port
dma-buf/sw-sync: don't enable IRQ from sync_print_obj()
net/mlx5e: Use rx_missed_errors instead of rx_dropped for reporting buffer exhaustion
nvmet: fix ns enable/disable possible hang
spi: Don't mark message DMA mapped when no transfer in it is
netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu()
nfc: nci: Fix handling of zero-length payload packets in nci_rx_work()
nfc: nci: Fix kcov check in nci_rx_work()
net: fec: avoid lock evasion when reading pps_enable
virtio: delete vq in vp_find_vqs_msix() when request_irq() fails
arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY
openvswitch: Set the skbuff pkt_type for proper pmtud support.
tcp: Fix shift-out-of-bounds in dctcp_update_alpha().
params: lift param_set_uint_minmax to common code
ipv6: sr: fix memleak in seg6_hmac_init_algo
nfc: nci: Fix uninit-value in nci_rx_work
x86/kconfig: Select ARCH_WANT_FRAME_POINTERS again when UNWINDER_FRAME_POINTER=y
null_blk: Fix the WARNING: modpost: missing MODULE_DESCRIPTION()
media: cec: cec-api: add locking in cec_release()
media: cec: cec-adap: always cancel work in cec_transmit_msg_fh
um: Fix the -Wmissing-prototypes warning for __switch_mm
powerpc/pseries: Add failure related checks for h_get_mpp and h_get_ppp
media: stk1160: fix bounds checking in stk1160_copy_video()
um: Add winch to winch_handlers before registering winch IRQ
um: Fix return value in ubd_init()
drm/msm/dpu: use kms stored hw mdp block
Input: pm8xxx-vibrator - correct VIB_MAX_LEVELS calculation
Input: ims-pcu - fix printf string overflow
libsubcmd: Fix parse-options memory leak
serial: sh-sci: protect invalidating RXDMA on shutdown
serial: sh-sci: Extract sci_dma_rx_chan_invalidate()
f2fs: fix to release node block count in error path of f2fs_new_node_page()
f2fs: add error prints for debugging mount failure
extcon: max8997: select IRQ_DOMAIN instead of depending on it
ppdev: Add an error check in register_device
ppdev: Remove usage of the deprecated ida_simple_xx() API
stm class: Fix a double free in stm_register_device()
usb: gadget: u_audio: Clear uac pointer when freed.
microblaze: Remove early printk call from cpuinfo-static.c
microblaze: Remove gcc flag for non existing early_printk.c file
greybus: arche-ctrl: move device table to its right location
serial: max3100: Fix bitwise types
serial: max3100: Update uart_driver_registered on driver removal
serial: max3100: Lock port->lock when calling uart_handle_cts_change()
firmware: dmi-id: add a release callback function
dmaengine: idma64: Add check for dma_set_max_seg_size
greybus: lights: check return of get_channel_from_mode
sched/fair: Allow disabling sched_balance_newidle with sched_relax_domain_level
sched/topology: Don't set SD_BALANCE_WAKE on cpuset domain relax
af_packet: do not call packet_read_pending() from tpacket_destruct_skb()
netrom: fix possible dead-lock in nr_rt_ioctl()
RDMA/IPoIB: Fix format truncation compilation errors
selftests/kcmp: remove unused open mode
selftests/kcmp: Make the test output consistent and clear
SUNRPC: Fix gss_free_in_token_pages()
ext4: avoid excessive credit estimate in ext4_tmpfile()
x86/insn: Fix PUSH instruction in x86 instruction decoder opcode map
RDMA/hns: Use complete parentheses in macros
ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value
drm/arm/malidp: fix a possible null pointer dereference
fbdev: sh7760fb: allow modular build
media: radio-shark2: Avoid led_names truncations
media: ngene: Add dvb_ca_en50221_init return value check
fbdev: sisfb: hide unused variables
powerpc/fsl-soc: hide unused const variable
drm/mediatek: Add 0 size check to mtk_drm_gem_obj
fbdev: shmobile: fix snprintf truncation
mtd: rawnand: hynix: fixed typo
drm/amd/display: Fix potential index out of bounds in color transformation function
ipv6: sr: fix invalid unregister error path
ipv6: sr: fix incorrect unregister order
ipv6: sr: add missing seg6_local_exit
net: openvswitch: fix overwriting ct original tuple for ICMPv6
net: usb: smsc95xx: stop lying about skb->truesize
af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg
net: ethernet: cortina: Locking fixes
m68k: mac: Fix reboot hang on Mac IIci
m68k/mac: Use '030 reset method on SE/30
m68k: Fix spinlock race in kernel thread creation
net: usb: sr9700: stop lying about skb->truesize
wifi: mwl8k: initialize cmd->addr[] properly
scsi: qedf: Ensure the copied buf is NUL terminated
scsi: bfa: Ensure the copied buf is NUL terminated
Revert "sh: Handle calling csum_partial with misaligned data"
sh: kprobes: Merge arch_copy_kprobe() into arch_prepare_kprobe()
wifi: ar5523: enable proper endpoint verification
wifi: carl9170: add a proper sanity check for endpoints
macintosh/via-macii: Fix "BUG: sleeping function called from invalid context"
macintosh/via-macii, macintosh/adb-iop: Clean up whitespace
macintosh/via-macii: Remove BUG_ON assertions
wifi: ath10k: populate board data for WCN3990
wifi: ath10k: Fix an error code problem in ath10k_dbg_sta_write_peer_debug_trigger()
x86/purgatory: Switch to the position-independent small code model
scsi: hpsa: Fix allocation size for Scsi_Host private data
scsi: libsas: Fix the failure of adding phy with zero-address to port
ACPI: disable -Wstringop-truncation
irqchip/alpine-msi: Fix off-by-one in allocation error path
scsi: ufs: core: Perform read back after disabling UIC_COMMAND_COMPL
scsi: ufs: core: Perform read back after disabling interrupts
scsi: ufs: add a low-level __ufshcd_issue_tm_cmd helper
scsi: ufs: cleanup struct utp_task_req_desc
scsi: ufs: qcom: Perform read back after writing reset bit
qed: avoid truncating work queue length
x86/boot: Ignore relocations in .notes sections in walk_relocs() too
wifi: ath10k: poll service ready message before failing
nfsd: drop st_mutex before calling move_to_close_lru()
power: supply: cros_usbpd: provide ID table for avoiding fallback match
md: fix resync softlockup when bitmap size is less than array size
null_blk: Fix missing mutex_destroy() at module removal
jffs2: prevent xattr node from overflowing the eraseblock
s390/cio: fix tracepoint subchannel type field
crypto: ccp - drop platform ifdef checks
crypto: ccp - Remove forward declaration
parisc: add missing export of __cmpxchg_u8()
nilfs2: fix out-of-range warning
ecryptfs: Fix buffer size for tag 66 packet
firmware: raspberrypi: Use correct device for DMA mappings
crypto: bcm - Fix pointer arithmetic
ASoC: da7219-aad: fix usage of device_get_named_child_node()
ASoC: dt-bindings: rt5645: add cbj sleeve gpio property
ASoC: rt5645: Fix the electric noise due to the CBJ contacts floating
drm/amd/display: Set color_mgmt_changed to true on unsuspend
net: usb: qmi_wwan: add Telit FN920C04 compositions
wifi: cfg80211: fix the order of arguments for trace events of the tx_rx_evt class
tty: n_gsm: fix possible out-of-bounds in gsm0_receive()
nilfs2: fix potential hang in nilfs_detach_log_writer()
nilfs2: fix unexpected freezing of nilfs_segctor_sync()
net: smc91x: Fix m68k kernel compilation for ColdFire CPU
ring-buffer: Fix a race between readers and resize checks
speakup: Fix sizeof() vs ARRAY_SIZE() bug
x86/tsc: Trust initial offset in architectural TSC-adjust MSRs
Change-Id: Ia8a0522057b7e917a9c165a869bec3a24bb9eb58
Signed-off-by: bengris32 <bengris32@protonmail.ch>
|
||
|
|
302e1d9773 |
Merge 4.19.316 into android-4.19-stable
Changes in 4.19.316
x86/tsc: Trust initial offset in architectural TSC-adjust MSRs
speakup: Fix sizeof() vs ARRAY_SIZE() bug
ring-buffer: Fix a race between readers and resize checks
net: smc91x: Fix m68k kernel compilation for ColdFire CPU
nilfs2: fix unexpected freezing of nilfs_segctor_sync()
nilfs2: fix potential hang in nilfs_detach_log_writer()
tty: n_gsm: fix possible out-of-bounds in gsm0_receive()
wifi: cfg80211: fix the order of arguments for trace events of the tx_rx_evt class
net: usb: qmi_wwan: add Telit FN920C04 compositions
drm/amd/display: Set color_mgmt_changed to true on unsuspend
ASoC: rt5645: Fix the electric noise due to the CBJ contacts floating
ASoC: dt-bindings: rt5645: add cbj sleeve gpio property
ASoC: da7219-aad: fix usage of device_get_named_child_node()
crypto: bcm - Fix pointer arithmetic
firmware: raspberrypi: Use correct device for DMA mappings
ecryptfs: Fix buffer size for tag 66 packet
nilfs2: fix out-of-range warning
parisc: add missing export of __cmpxchg_u8()
crypto: ccp - Remove forward declaration
crypto: ccp - drop platform ifdef checks
s390/cio: fix tracepoint subchannel type field
jffs2: prevent xattr node from overflowing the eraseblock
null_blk: Fix missing mutex_destroy() at module removal
md: fix resync softlockup when bitmap size is less than array size
power: supply: cros_usbpd: provide ID table for avoiding fallback match
nfsd: drop st_mutex before calling move_to_close_lru()
wifi: ath10k: poll service ready message before failing
x86/boot: Ignore relocations in .notes sections in walk_relocs() too
qed: avoid truncating work queue length
scsi: ufs: qcom: Perform read back after writing reset bit
scsi: ufs: cleanup struct utp_task_req_desc
scsi: ufs: add a low-level __ufshcd_issue_tm_cmd helper
scsi: ufs: core: Perform read back after disabling interrupts
scsi: ufs: core: Perform read back after disabling UIC_COMMAND_COMPL
irqchip/alpine-msi: Fix off-by-one in allocation error path
ACPI: disable -Wstringop-truncation
scsi: libsas: Fix the failure of adding phy with zero-address to port
scsi: hpsa: Fix allocation size for Scsi_Host private data
x86/purgatory: Switch to the position-independent small code model
wifi: ath10k: Fix an error code problem in ath10k_dbg_sta_write_peer_debug_trigger()
wifi: ath10k: populate board data for WCN3990
macintosh/via-macii: Remove BUG_ON assertions
macintosh/via-macii, macintosh/adb-iop: Clean up whitespace
macintosh/via-macii: Fix "BUG: sleeping function called from invalid context"
wifi: carl9170: add a proper sanity check for endpoints
wifi: ar5523: enable proper endpoint verification
sh: kprobes: Merge arch_copy_kprobe() into arch_prepare_kprobe()
Revert "sh: Handle calling csum_partial with misaligned data"
scsi: bfa: Ensure the copied buf is NUL terminated
scsi: qedf: Ensure the copied buf is NUL terminated
wifi: mwl8k: initialize cmd->addr[] properly
net: usb: sr9700: stop lying about skb->truesize
m68k: Fix spinlock race in kernel thread creation
m68k/mac: Use '030 reset method on SE/30
m68k: mac: Fix reboot hang on Mac IIci
net: ethernet: cortina: Locking fixes
af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg
net: usb: smsc95xx: stop lying about skb->truesize
net: openvswitch: fix overwriting ct original tuple for ICMPv6
ipv6: sr: add missing seg6_local_exit
ipv6: sr: fix incorrect unregister order
ipv6: sr: fix invalid unregister error path
drm/amd/display: Fix potential index out of bounds in color transformation function
mtd: rawnand: hynix: fixed typo
fbdev: shmobile: fix snprintf truncation
drm/mediatek: Add 0 size check to mtk_drm_gem_obj
powerpc/fsl-soc: hide unused const variable
fbdev: sisfb: hide unused variables
media: ngene: Add dvb_ca_en50221_init return value check
media: radio-shark2: Avoid led_names truncations
fbdev: sh7760fb: allow modular build
drm/arm/malidp: fix a possible null pointer dereference
ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value
RDMA/hns: Use complete parentheses in macros
x86/insn: Fix PUSH instruction in x86 instruction decoder opcode map
ext4: avoid excessive credit estimate in ext4_tmpfile()
SUNRPC: Fix gss_free_in_token_pages()
selftests/kcmp: Make the test output consistent and clear
selftests/kcmp: remove unused open mode
RDMA/IPoIB: Fix format truncation compilation errors
netrom: fix possible dead-lock in nr_rt_ioctl()
af_packet: do not call packet_read_pending() from tpacket_destruct_skb()
sched/topology: Don't set SD_BALANCE_WAKE on cpuset domain relax
sched/fair: Allow disabling sched_balance_newidle with sched_relax_domain_level
greybus: lights: check return of get_channel_from_mode
dmaengine: idma64: Add check for dma_set_max_seg_size
firmware: dmi-id: add a release callback function
serial: max3100: Lock port->lock when calling uart_handle_cts_change()
serial: max3100: Update uart_driver_registered on driver removal
serial: max3100: Fix bitwise types
greybus: arche-ctrl: move device table to its right location
microblaze: Remove gcc flag for non existing early_printk.c file
microblaze: Remove early printk call from cpuinfo-static.c
usb: gadget: u_audio: Clear uac pointer when freed.
stm class: Fix a double free in stm_register_device()
ppdev: Remove usage of the deprecated ida_simple_xx() API
ppdev: Add an error check in register_device
extcon: max8997: select IRQ_DOMAIN instead of depending on it
f2fs: add error prints for debugging mount failure
f2fs: fix to release node block count in error path of f2fs_new_node_page()
serial: sh-sci: Extract sci_dma_rx_chan_invalidate()
serial: sh-sci: protect invalidating RXDMA on shutdown
libsubcmd: Fix parse-options memory leak
Input: ims-pcu - fix printf string overflow
Input: pm8xxx-vibrator - correct VIB_MAX_LEVELS calculation
drm/msm/dpu: use kms stored hw mdp block
um: Fix return value in ubd_init()
um: Add winch to winch_handlers before registering winch IRQ
media: stk1160: fix bounds checking in stk1160_copy_video()
powerpc/pseries: Add failure related checks for h_get_mpp and h_get_ppp
um: Fix the -Wmissing-prototypes warning for __switch_mm
media: cec: cec-adap: always cancel work in cec_transmit_msg_fh
media: cec: cec-api: add locking in cec_release()
null_blk: Fix the WARNING: modpost: missing MODULE_DESCRIPTION()
x86/kconfig: Select ARCH_WANT_FRAME_POINTERS again when UNWINDER_FRAME_POINTER=y
nfc: nci: Fix uninit-value in nci_rx_work
ipv6: sr: fix memleak in seg6_hmac_init_algo
params: lift param_set_uint_minmax to common code
tcp: Fix shift-out-of-bounds in dctcp_update_alpha().
openvswitch: Set the skbuff pkt_type for proper pmtud support.
arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY
virtio: delete vq in vp_find_vqs_msix() when request_irq() fails
net: fec: avoid lock evasion when reading pps_enable
nfc: nci: Fix kcov check in nci_rx_work()
nfc: nci: Fix handling of zero-length payload packets in nci_rx_work()
netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu()
spi: Don't mark message DMA mapped when no transfer in it is
nvmet: fix ns enable/disable possible hang
net/mlx5e: Use rx_missed_errors instead of rx_dropped for reporting buffer exhaustion
dma-buf/sw-sync: don't enable IRQ from sync_print_obj()
enic: Validate length of nl attributes in enic_set_vf_port
smsc95xx: remove redundant function arguments
smsc95xx: use usbnet->driver_priv
net: usb: smsc95xx: fix changing LED_SEL bit value updated from EEPROM
net:fec: Add fec_enet_deinit()
kconfig: fix comparison to constant symbols, 'm', 'n'
ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound
ALSA: timer: Set lower bound of start tick time
genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline
SUNRPC: Fix loop termination condition in gss_free_in_token_pages()
binder: fix max_thread type inconsistency
mmc: core: Do not force a retune before RPMB switch
nilfs2: fix use-after-free of timer for log writer thread
vxlan: Fix regression when dropping packets due to invalid src addresses
neighbour: fix unaligned access to pneigh_entry
ata: pata_legacy: make legacy_exit() work again
arm64: tegra: Correct Tegra132 I2C alias
md/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING
wifi: rtl8xxxu: Fix the TX power of RTL8192CU, RTL8723AU
arm64: dts: hi3798cv200: fix the size of GICR
media: mxl5xx: Move xpt structures off stack
media: v4l2-core: hold videodev_lock until dev reg, finishes
fbdev: savage: Handle err return when savagefb_check_var failed
netfilter: nf_tables: pass context to nft_set_destroy()
netfilter: nftables: rename set element data activation/deactivation functions
netfilter: nf_tables: drop map element references from preparation phase
netfilter: nft_set_rbtree: allow loose matching of closing element in interval
netfilter: nft_set_rbtree: Add missing expired checks
netfilter: nft_set_rbtree: Switch to node list walk for overlap detection
netfilter: nft_set_rbtree: fix null deref on element insertion
netfilter: nft_set_rbtree: fix overlap expiration walk
netfilter: nf_tables: don't skip expired elements during walk
netfilter: nf_tables: GC transaction API to avoid race with control plane
netfilter: nf_tables: adapt set backend to use GC transaction API
netfilter: nf_tables: remove busy mark and gc batch API
netfilter: nf_tables: fix GC transaction races with netns and netlink event exit path
netfilter: nf_tables: GC transaction race with netns dismantle
netfilter: nf_tables: GC transaction race with abort path
netfilter: nf_tables: defer gc run if previous batch is still pending
netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction
netfilter: nft_set_rbtree: use read spinlock to avoid datapath contention
netfilter: nft_set_hash: try later when GC hits EAGAIN on iteration
netfilter: nf_tables: fix memleak when more than 255 elements expired
netfilter: nf_tables: unregister flowtable hooks on netns exit
netfilter: nf_tables: double hook unregistration in netns path
netfilter: nftables: update table flags from the commit phase
netfilter: nf_tables: fix table flag updates
netfilter: nf_tables: disable toggling dormant table state more than once
netfilter: nf_tables: bogus EBUSY when deleting flowtable after flush (for 4.19)
netfilter: nft_dynset: fix timeouts later than 23 days
netfilter: nftables: exthdr: fix 4-byte stack OOB write
netfilter: nft_dynset: report EOPNOTSUPP on missing set feature
netfilter: nft_dynset: relax superfluous check on set updates
netfilter: nf_tables: mark newset as dead on transaction abort
netfilter: nf_tables: skip dead set elements in netlink dump
netfilter: nf_tables: validate NFPROTO_* family
netfilter: nft_set_rbtree: skip end interval element from gc
netfilter: nf_tables: set dormant flag on hook register failure
netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate()
netfilter: nf_tables: do not compare internal table flags on updates
netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout
netfilter: nf_tables: reject new basechain after table flag update
netfilter: nf_tables: discard table flag update with pending basechain deletion
KVM: arm64: Allow AArch32 PSTATE.M to be restored as System mode
crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak
net/9p: fix uninit-value in p9_client_rpc()
intel_th: pci: Add Meteor Lake-S CPU support
sparc64: Fix number of online CPUs
kdb: Fix buffer overflow during tab-complete
kdb: Use format-strings rather than '\0' injection in kdb_read()
kdb: Fix console handling when editing and tab-completing commands
kdb: Merge identical case statements in kdb_read()
kdb: Use format-specifiers rather than memset() for padding in kdb_read()
net: fix __dst_negative_advice() race
sparc: move struct termio to asm/termios.h
ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()
s390/ap: Fix crash in AP internal function modify_bitmap()
nfs: fix undefined behavior in nfs_block_bits()
Linux 4.19.316
Change-Id: I51ad6b82ea33614c19b33c26ae939c4a95430d4f
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|