From: Duoming Zhou <duoming(a)zju.edu.cn>
mainline inclusion
from mainline-v6.1-rc1
commit 175302f6b79ebbb207c2d58d6d3e679465de23b0
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9UNYW
CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
The function hfcpci_softirq() is a timer handler. If it
is running, the timer_pending() will return 0 and the
del_timer_sync() in HFC_cleanup() will not be executed.
As a result, the use-after-free bug will happen. The
process is shown below:
    (cleanup routine)          |        (timer handler)
HFC_cleanup()                  | hfcpci_softirq()
 if (timer_pending(&hfc_tl))   |
   del_timer_sync()            |
 ...                           | ...
 pci_unregister_driver(hc)     |
  driver_unregister            |  driver_for_each_device
   bus_remove_driver           |   _hfcpci_softirq
    driver_detach              |   ...
     put_device(dev) //[1]FREE |
                               |    dev_get_drvdata(dev) //[2]USE
The device is deallocated in position [1] and used in
position [2].
Fix by removing the "timer_pending" check in HFC_cleanup(),
which makes sure that the hfcpci_softirq() has finished
before the resource is deallocated.
Fixes: 009fc857c5f6 ("mISDN: fix possible use-after-free in HFC_cleanup()")
Signed-off-by: Duoming Zhou <duoming(a)zju.edu.cn>
Signed-off-by: David S. Miller <davem(a)davemloft.net>
Signed-off-by: Xiang Yang <xiangyang3(a)huawei.com>
---
drivers/isdn/hardware/mISDN/hfcpci.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/isdn/hardware/mISDN/hfcpci.c b/drivers/isdn/hardware/mISDN/hfcpci.c
index d6cf01c32a33..fe391de1aba3 100644
--- a/drivers/isdn/hardware/mISDN/hfcpci.c
+++ b/drivers/isdn/hardware/mISDN/hfcpci.c
@@ -2350,8 +2350,7 @@ HFC_init(void)
static void __exit
HFC_cleanup(void)
{
- if (timer_pending(&hfc_tl))
- del_timer_sync(&hfc_tl);
+ del_timer_sync(&hfc_tl);
pci_unregister_driver(&hfc_driver);
}
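Review bot: In HFC_cleanup(), del_timer_sync(&hfc_tl) only guarantees that the handler is not running when it returns; it does not stop the timer from being armed again before pci_unregister_driver(&hfc_driver) completes. The visible lines do not show whether hfcpci_softirq() or any other path re-arms hfc_tl, so please confirm that nothing can, or state in the commit message why not. If a re-arm is possible, the window between put_device(dev) and dev_get_drvdata(dev) described in the message stays open.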
--
2.34.1
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I9UNQS
CVE: NA
------------------------------------------
While running xfstests, specifically test xfs/032, the following errors
were reported:
XFS (sdb): ino 4a data fork has delalloc extent at [0x3c:0x10]
XFS: Assertion failed: 0, file: fs/xfs/xfs_icache.c, line: 1854
The issue stems from the dirty state of sub-pages not being set during mmap
writes. This behavior was observed after the introduction of the commit
99e9a55ba32b ("iomap: add support to track dirty state of sub-pages"),
which enabled iomap to track the dirty state of sub-pages when the block
size is smaller than the page size. Currently, iomap updates the sub-page
dirty state only in `__iomap_write_end()`. However, the mmap write path
does not invoke this function, resulting in dirty pages created by mmap
writes not being scheduled for write-back.
This patch fixes the issue by ensuring that the sub-page dirty state is
set during mmap writes.
Fixes: 99e9a55ba32b ("iomap: add support to track dirty state of sub pages")
Signed-off-by: Long Li <leo.lilong(a)huawei.com>
---
fs/iomap/buffered-io.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c
index 25448d5827d2..569296ad9215 100644
--- a/fs/iomap/buffered-io.c
+++ b/fs/iomap/buffered-io.c
@@ -158,9 +158,6 @@ iomap_set_range_dirty(struct page *page, unsigned int off, unsigned int len)
if (PageError(page))
return;
- if (len)
- iomap_set_page_dirty(page);
-
if (!page_has_private(page))
return;
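Review bot: With the `if (len)` / `iomap_set_page_dirty(page);` lines removed, iomap_set_range_dirty() no longer dirties the page itself and returns early at `if (!page_has_private(page))`, so a page without private data is dirtied only if the caller does it. This patch updates __iomap_write_end() and iomap_page_mkwrite_actor(); any other caller of iomap_set_range_dirty() needs the same audit, and a short comment above the function saying that callers must dirty the page themselves would document the new contract.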
@@ -757,6 +754,7 @@ static size_t __iomap_write_end(struct inode *inode, loff_t pos, size_t len,
if (unlikely(copied < len && !PageUptodate(page)))
return 0;
iomap_set_range_uptodate(page, offset_in_page(pos), len);
+ iomap_set_page_dirty(page);
iomap_set_range_dirty(page, offset_in_page(pos), len);
return copied;
}
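Review bot: The added iomap_set_page_dirty(page) in __iomap_write_end() is unconditional, whereas the code it replaces in iomap_set_range_dirty() ran only under `if (len)`. If a zero-length call can reach this point, the page is now marked dirty where it was not before; either keep the guard here or note in the commit message that len is never 0 on this path.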
@@ -1074,6 +1072,7 @@ iomap_page_mkwrite_actor(struct inode *inode, loff_t pos, loff_t length,
} else {
WARN_ON_ONCE(!PageUptodate(page));
set_page_dirty(page);
+ iomap_set_range_dirty(page, offset_in_page(pos), length);
}
return length;
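Review bot: The new call in iomap_page_mkwrite_actor() passes `length`, a loff_t, as the third argument of iomap_set_range_dirty(), whose parameter is `unsigned int len` according to the first hunk's header. The narrowing is silent; say why offset_in_page(pos) + length cannot exceed the page here, or clamp the value explicitly before the call, so the sub-page dirty range cannot be computed from a truncated length.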
--
2.31.1
From: David Arinzon <darinzon(a)amazon.com>
stable inclusion
from stable-v5.10.216
commit b26aa765f7437e1bbe8db4c1641b12bd5dd378f0
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QRO8
CVE: CVE-2024-35958
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
[ Upstream commit bf02d9fe00632d22fa91d34749c7aacf397b6cde ]
ENA has two types of TX queues:
- queues which only process TX packets arriving from the network stack
- queues which only process TX packets forwarded to it by XDP_REDIRECT
or XDP_TX instructions
The ena_free_tx_bufs() cycles through all descriptors in a TX queue
and unmaps + frees every descriptor that hasn't been acknowledged yet
by the device (uncompleted TX transactions).
The function assumes that the processed TX queue is necessarily from
the first category listed above and ends up using napi_consume_skb()
for descriptors belonging to an XDP specific queue.
This patch solves a bug in which, in case of a VF reset, the
descriptors aren't freed correctly, leading to crashes.
Fixes: 548c4940b9f1 ("net: ena: Implement XDP_TX action")
Signed-off-by: Shay Agroskin <shayagr(a)amazon.com>
Signed-off-by: David Arinzon <darinzon(a)amazon.com>
Reviewed-by: Shannon Nelson <shannon.nelson(a)amd.com>
Signed-off-by: Paolo Abeni <pabeni(a)redhat.com>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: Li Huafei <lihuafei1(a)huawei.com>
---
drivers/net/ethernet/amazon/ena/ena_netdev.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c
index 52414ac2c901a..8b766c5c35c4c 100644
--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c
+++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c
@@ -1104,8 +1104,11 @@ static void ena_unmap_tx_buff(struct ena_ring *tx_ring,
static void ena_free_tx_bufs(struct ena_ring *tx_ring)
{
bool print_once = true;
+ bool is_xdp_ring;
u32 i;
+ is_xdp_ring = ENA_IS_XDP_INDEX(tx_ring->adapter, tx_ring->qid);
+
for (i = 0; i < tx_ring->ring_size; i++) {
struct ena_tx_buffer *tx_info = &tx_ring->tx_buffer_info[i];
@@ -1125,10 +1128,15 @@ static void ena_free_tx_bufs(struct ena_ring *tx_ring)
ena_unmap_tx_buff(tx_ring, tx_info);
- dev_kfree_skb_any(tx_info->skb);
+ if (is_xdp_ring)
+ xdp_return_frame(tx_info->xdpf);
+ else
+ dev_kfree_skb_any(tx_info->skb);
}
- netdev_tx_reset_queue(netdev_get_tx_queue(tx_ring->netdev,
- tx_ring->qid));
+
+ if (!is_xdp_ring)
+ netdev_tx_reset_queue(netdev_get_tx_queue(tx_ring->netdev,
+ tx_ring->qid));
}
static void ena_free_all_tx_bufs(struct ena_adapter *adapter)
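Review bot: The commit message says ena_free_tx_bufs() ends up using napi_consume_skb() on XDP queues, but the line removed in this hunk is `dev_kfree_skb_any(tx_info->skb);`, so the description does not match the code being changed in this tree; a one-line backport note would remove the confusion. Separately, the loop now frees tx_info->xdpf on XDP rings, so the slot-in-use test earlier in the loop body, which is outside the visible lines, should be checked to make sure it does not key on tx_info->skb alone.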
--
2.25.1
From: David Arinzon <darinzon(a)amazon.com>
stable inclusion
from stable-v5.10.216
commit b26aa765f7437e1bbe8db4c1641b12bd5dd378f0
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QRO8
CVE: CVE-2024-35958
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
[ Upstream commit bf02d9fe00632d22fa91d34749c7aacf397b6cde ]
ENA has two types of TX queues:
- queues which only process TX packets arriving from the network stack
- queues which only process TX packets forwarded to it by XDP_REDIRECT
or XDP_TX instructions
The ena_free_tx_bufs() cycles through all descriptors in a TX queue
and unmaps + frees every descriptor that hasn't been acknowledged yet
by the device (uncompleted TX transactions).
The function assumes that the processed TX queue is necessarily from
the first category listed above and ends up using napi_consume_skb()
for descriptors belonging to an XDP specific queue.
This patch solves a bug in which, in case of a VF reset, the
descriptors aren't freed correctly, leading to crashes.
Fixes: 548c4940b9f1 ("net: ena: Implement XDP_TX action")
Signed-off-by: Shay Agroskin <shayagr(a)amazon.com>
Signed-off-by: David Arinzon <darinzon(a)amazon.com>
Reviewed-by: Shannon Nelson <shannon.nelson(a)amd.com>
Signed-off-by: Paolo Abeni <pabeni(a)redhat.com>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: Li Huafei <lihuafei1(a)huawei.com>
---
drivers/net/ethernet/amazon/ena/ena_netdev.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c
index e13ae04d2f0fd..fc81db75b19d0 100644
--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c
+++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c
@@ -1105,8 +1105,11 @@ static void ena_unmap_tx_buff(struct ena_ring *tx_ring,
static void ena_free_tx_bufs(struct ena_ring *tx_ring)
{
bool print_once = true;
+ bool is_xdp_ring;
u32 i;
+ is_xdp_ring = ENA_IS_XDP_INDEX(tx_ring->adapter, tx_ring->qid);
+
for (i = 0; i < tx_ring->ring_size; i++) {
struct ena_tx_buffer *tx_info = &tx_ring->tx_buffer_info[i];
@@ -1126,10 +1129,15 @@ static void ena_free_tx_bufs(struct ena_ring *tx_ring)
ena_unmap_tx_buff(tx_ring, tx_info);
- dev_kfree_skb_any(tx_info->skb);
+ if (is_xdp_ring)
+ xdp_return_frame(tx_info->xdpf);
+ else
+ dev_kfree_skb_any(tx_info->skb);
}
- netdev_tx_reset_queue(netdev_get_tx_queue(tx_ring->netdev,
- tx_ring->qid));
+
+ if (!is_xdp_ring)
+ netdev_tx_reset_queue(netdev_get_tx_queue(tx_ring->netdev,
+ tx_ring->qid));
}
static void ena_free_all_tx_bufs(struct ena_adapter *adapter)
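Review bot: The `if (!is_xdp_ring)` guard around netdev_tx_reset_queue() at the end of ena_free_tx_bufs() has no comment, and the commit message only discusses how descriptors are freed. Add a sentence to the message or a comment above the guard explaining why the queue reset is skipped for XDP rings, since a reader cannot tell from the hunk whether tx_ring->qid of an XDP ring is a valid index for netdev_get_tx_queue().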
--
2.25.1