mailweb.openeuler.org
Manage this list

Keyboard Shortcuts

Thread View

  • j: Next unread message
  • k: Previous unread message
  • j a: Jump to all threads
  • j l: Jump to MailingList overview

Kernel

Threads by month
  • ----- 2025 -----
  • July
  • June
  • May
  • April
  • March
  • February
  • January
  • ----- 2024 -----
  • December
  • November
  • October
  • September
  • August
  • July
  • June
  • May
  • April
  • March
  • February
  • January
  • ----- 2023 -----
  • December
  • November
  • October
  • September
  • August
  • July
  • June
  • May
  • April
  • March
  • February
  • January
  • ----- 2022 -----
  • December
  • November
  • October
  • September
  • August
  • July
  • June
  • May
  • April
  • March
  • February
  • January
  • ----- 2021 -----
  • December
  • November
  • October
  • September
  • August
  • July
  • June
  • May
  • April
  • March
  • February
  • January
  • ----- 2020 -----
  • December
  • November
  • October
  • September
  • August
  • July
  • June
  • May
  • April
  • March
  • February
  • January
  • ----- 2019 -----
  • December
kernel@openeuler.org

  • 66 participants
  • 19418 discussions
[PATCH openEuler-1.0-LTS] regulator: da9211: Use irq handler when ready
by Cui GaoSheng 03 Sep '24

03 Sep '24
From: Ricardo Ribalda <ribalda(a)chromium.org> stable inclusion from stable-v4.19.270 commit f75cde714e0a67f73ef169aa50d4ed77d04f7236 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IALM7R CVE: CVE-2022-48891 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 02228f6aa6a64d588bc31e3267d05ff184d772eb ] If the system does not come from reset (like when it is kexec()), the regulator might have an IRQ waiting for us. If we enable the IRQ handler before its structures are ready, we crash. This patch fixes: [ 1.141839] Unable to handle kernel read from unreadable memory at virtual address 0000000000000078 [ 1.316096] Call trace: [ 1.316101] blocking_notifier_call_chain+0x20/0xa8 [ 1.322757] cpu cpu0: dummy supplies not allowed for exclusive requests [ 1.327823] regulator_notifier_call_chain+0x1c/0x2c [ 1.327825] da9211_irq_handler+0x68/0xf8 [ 1.327829] irq_thread+0x11c/0x234 [ 1.327833] kthread+0x13c/0x154 Signed-off-by: Ricardo Ribalda <ribalda(a)chromium.org> Reviewed-by: Adam Ward <DLG-Adam.Ward.opensource(a)dm.renesas.com> Link: https://lore.kernel.org/r/20221124-da9211-v2-0-1779e3c5d491@chromium.org Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Cui GaoSheng <cuigaosheng1(a)huawei.com> --- drivers/regulator/da9211-regulator.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/drivers/regulator/da9211-regulator.c b/drivers/regulator/da9211-regulator.c index 6c122b3df5d0..8847d15c2b90 100644 --- a/drivers/regulator/da9211-regulator.c +++ b/drivers/regulator/da9211-regulator.c @@ -469,6 +469,12 @@ static int da9211_i2c_probe(struct i2c_client *i2c, chip->chip_irq = i2c->irq; + ret = da9211_regulator_init(chip); + if (ret < 0) { + dev_err(chip->dev, "Failed to initialize regulator: %d\n", ret); + return ret; + } + if (chip->chip_irq != 0) { ret = devm_request_threaded_irq(chip->dev, chip->chip_irq, NULL, da9211_irq_handler, @@ -483,11 +489,6 @@ static int da9211_i2c_probe(struct i2c_client *i2c, dev_warn(chip->dev, "No IRQ configured\n"); } - ret = da9211_regulator_init(chip); - - if (ret < 0) - dev_err(chip->dev, "Failed to initialize regulator: %d\n", ret); - return ret; } -- 2.34.1
2 1
0 0
[PATCH openEuler-1.0-LTS] devres: Fix memory leakage caused by driver API devm_free_percpu()
by Zhang Zekun 03 Sep '24

03 Sep '24
From: Zijun Hu <quic_zijuhu(a)quicinc.com> stable inclusion from stable-v4.19.320 commit 700e8abd65b10792b2f179ce4e858f2ca2880f85 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IALERD CVE: CVE-2024-43871 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ----------------------------------------------- [ Upstream commit bd50a974097bb82d52a458bd3ee39fb723129a0c ] It will cause memory leakage when use driver API devm_free_percpu() to free memory allocated by devm_alloc_percpu(), fixed by using devres_release() instead of devres_destroy() within devm_free_percpu(). Fixes: ff86aae3b411 ("devres: add devm_alloc_percpu()") Cc: stable(a)vger.kernel.org Signed-off-by: Zijun Hu <quic_zijuhu(a)quicinc.com> Link: https://lore.kernel.org/r/1719931914-19035-3-git-send-email-quic_zijuhu@qui… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zhang Zekun <zhangzekun11(a)huawei.com> --- drivers/base/devres.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/base/devres.c b/drivers/base/devres.c index d68b52cf9225..0813c16e31a3 100644 --- a/drivers/base/devres.c +++ b/drivers/base/devres.c @@ -1057,7 +1057,11 @@ EXPORT_SYMBOL_GPL(__devm_alloc_percpu); */ void devm_free_percpu(struct device *dev, void __percpu *pdata) { - WARN_ON(devres_destroy(dev, devm_percpu_release, devm_percpu_match, + /* + * Use devres_release() to prevent memory leakage as + * devm_free_pages() does. + */ + WARN_ON(devres_release(dev, devm_percpu_release, devm_percpu_match, (void *)pdata)); } EXPORT_SYMBOL_GPL(devm_free_percpu); -- 2.17.1
2 1
0 0
[PATCH openEuler-1.0-LTS] jfs: Fix array-index-out-of-bounds in diFree
by Zhang Zekun 03 Sep '24

03 Sep '24
From: Jeongjun Park <aha310510(a)gmail.com> stable inclusion from stable-v4.19.320 commit 55b732c8b09b41148eaab2fa8e31b0af47671e00 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAKQ4Y CVE: CVE-2024-43858 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------------------------------- [ Upstream commit f73f969b2eb39ad8056f6c7f3a295fa2f85e313a ] Reported-by: syzbot+241c815bda521982cb49(a)syzkaller.appspotmail.com Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> Signed-off-by: Dave Kleikamp <dave.kleikamp(a)oracle.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zhang Zekun <zhangzekun11(a)huawei.com> --- fs/jfs/jfs_imap.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c index 529630106320..5088182e2ef7 100644 --- a/fs/jfs/jfs_imap.c +++ b/fs/jfs/jfs_imap.c @@ -304,7 +304,7 @@ int diSync(struct inode *ipimap) int diRead(struct inode *ip) { struct jfs_sb_info *sbi = JFS_SBI(ip->i_sb); - int iagno, ino, extno, rc; + int iagno, ino, extno, rc, agno; struct inode *ipimap; struct dinode *dp; struct iag *iagp; @@ -353,8 +353,11 @@ int diRead(struct inode *ip) /* get the ag for the iag */ agstart = le64_to_cpu(iagp->agstart); + agno = BLKTOAG(agstart, JFS_SBI(ip->i_sb)); release_metapage(mp); + if (agno >= MAXAG || agno < 0) + return -EIO; rel_inode = (ino & (INOSPERPAGE - 1)); pageno = blkno >> sbi->l2nbperpage; -- 2.17.1
2 1
0 0
[PATCH openEuler-22.03-LTS-SP1 V2] ext4: sanity check for NULL pointer after ext4_force_shutdown
by Zizhi Wo 03 Sep '24

03 Sep '24
From: Wojciech Gładysz <wojciech.gladysz(a)infogain.com> stable inclusion from stable-6.6.47 commit 3f6bbe6e07e5239294ecc3d2efa70d1f98aed52e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAMM9L CVE: CVE-2024-43898 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- [ Upstream commit 83f4414b8f84249d538905825b088ff3ae555652 ] Test case: 2 threads write short inline data to a file. In ext4_page_mkwrite the resulting inline data is converted. Handling ext4_grp_locked_error with description "block bitmap and bg descriptor inconsistent: X vs Y free clusters" calls ext4_force_shutdown. The conversion clears EXT4_STATE_MAY_INLINE_DATA but fails for ext4_destroy_inline_data_nolock and ext4_mark_iloc_dirty due to ext4_forced_shutdown. The restoration of inline data fails for the same reason not setting EXT4_STATE_MAY_INLINE_DATA. Without the flag set a regular process path in ext4_da_write_end follows trying to dereference page folio private pointer that has not been set. The fix calls early return with -EIO error shall the pointer to private be NULL. Sample crash report: Unable to handle kernel paging request at virtual address dfff800000000004 KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027] Mem abort info: ESR = 0x0000000096000005 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x05: level 1 translation fault Data abort info: ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [dfff800000000004] address between user and kernel address ranges Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP Modules linked in: CPU: 1 PID: 20274 Comm: syz-executor185 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __block_commit_write+0x64/0x2b0 fs/buffer.c:2167 lr : __block_commit_write+0x3c/0x2b0 fs/buffer.c:2160 sp : ffff8000a1957600 x29: ffff8000a1957610 x28: dfff800000000000 x27: ffff0000e30e34b0 x26: 0000000000000000 x25: dfff800000000000 x24: dfff800000000000 x23: fffffdffc397c9e0 x22: 0000000000000020 x21: 0000000000000020 x20: 0000000000000040 x19: fffffdffc397c9c0 x18: 1fffe000367bd196 x17: ffff80008eead000 x16: ffff80008ae89e3c x15: 00000000200000c0 x14: 1fffe0001cbe4e04 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000001 x10: 0000000000ff0100 x9 : 0000000000000000 x8 : 0000000000000004 x7 : 0000000000000000 x6 : 0000000000000000 x5 : fffffdffc397c9c0 x4 : 0000000000000020 x3 : 0000000000000020 x2 : 0000000000000040 x1 : 0000000000000020 x0 : fffffdffc397c9c0 Call trace: __block_commit_write+0x64/0x2b0 fs/buffer.c:2167 block_write_end+0xb4/0x104 fs/buffer.c:2253 ext4_da_do_write_end fs/ext4/inode.c:2955 [inline] ext4_da_write_end+0x2c4/0xa40 fs/ext4/inode.c:3028 generic_perform_write+0x394/0x588 mm/filemap.c:3985 ext4_buffered_write_iter+0x2c0/0x4ec fs/ext4/file.c:299 ext4_file_write_iter+0x188/0x1780 call_write_iter include/linux/fs.h:2110 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x968/0xc3c fs/read_write.c:590 ksys_write+0x15c/0x26c fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __arm64_sys_write+0x7c/0x90 fs/read_write.c:652 __invoke_syscall arch/arm64/kernel/syscall.c:34 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:152 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 Code: 97f85911 f94002da 91008356 d343fec8 (38796908) ---[ end trace 0000000000000000 ]--- ---------------- Code disassembly (best guess): 0: 97f85911 bl 0xffffffffffe16444 4: f94002da ldr x26, [x22] 8: 91008356 add x22, x26, #0x20 c: d343fec8 lsr x8, x22, #3 * 10: 38796908 ldrb w8, [x8, x25] <-- trapping instruction Reported-by: syzbot+18df508cf00a0598d9a6(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=18df508cf00a0598d9a6 Link: https://lore.kernel.org/all/000000000000f19a1406109eb5c5@google.com/T/ Signed-off-by: Wojciech Gładysz <wojciech.gladysz(a)infogain.com> Link: https://patch.msgid.link/20240703070112.10235-1-wojciech.gladysz@infogain.c… Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: fs/buffer.c fs/ext4/inode.c [Since folio is not defined in the earlier version, page_private is judged ahead of time.] Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com> --- fs/buffer.c | 3 +++ fs/ext4/inode.c | 5 +++++ 2 files changed, 8 insertions(+) diff --git a/fs/buffer.c b/fs/buffer.c index 93324b06ecb4..9b169f2987b8 100644 --- a/fs/buffer.c +++ b/fs/buffer.c @@ -2070,6 +2070,9 @@ static int __block_commit_write(struct inode *inode, struct page *page, unsigned blocksize; struct buffer_head *bh, *head; + if (!page_has_buffers(page)) + return 0; + bh = head = page_buffers(page); blocksize = bh->b_size; diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 690f7866dc0c..d5b462d03978 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -3089,6 +3089,11 @@ static int ext4_da_do_write_end(struct address_space *mapping, bool disksize_changed = false; loff_t new_i_size; + if (unlikely(!page_has_buffers(page))) { + unlock_page(page); + put_page(page); + return -EIO; + } /* * block_write_end() will mark the inode as dirty with I_DIRTY_PAGES * flag, which all that's needed to trigger page writeback. -- 2.39.2
2 1
0 0
[PATCH OLK-5.10 V2] ext4: sanity check for NULL pointer after ext4_force_shutdown
by Zizhi Wo 03 Sep '24

03 Sep '24
From: Wojciech Gładysz <wojciech.gladysz(a)infogain.com> stable inclusion from stable-6.6.47 commit 3f6bbe6e07e5239294ecc3d2efa70d1f98aed52e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAMM9L CVE: CVE-2024-43898 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- [ Upstream commit 83f4414b8f84249d538905825b088ff3ae555652 ] Test case: 2 threads write short inline data to a file. In ext4_page_mkwrite the resulting inline data is converted. Handling ext4_grp_locked_error with description "block bitmap and bg descriptor inconsistent: X vs Y free clusters" calls ext4_force_shutdown. The conversion clears EXT4_STATE_MAY_INLINE_DATA but fails for ext4_destroy_inline_data_nolock and ext4_mark_iloc_dirty due to ext4_forced_shutdown. The restoration of inline data fails for the same reason not setting EXT4_STATE_MAY_INLINE_DATA. Without the flag set a regular process path in ext4_da_write_end follows trying to dereference page folio private pointer that has not been set. The fix calls early return with -EIO error shall the pointer to private be NULL. Sample crash report: Unable to handle kernel paging request at virtual address dfff800000000004 KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027] Mem abort info: ESR = 0x0000000096000005 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x05: level 1 translation fault Data abort info: ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [dfff800000000004] address between user and kernel address ranges Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP Modules linked in: CPU: 1 PID: 20274 Comm: syz-executor185 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __block_commit_write+0x64/0x2b0 fs/buffer.c:2167 lr : __block_commit_write+0x3c/0x2b0 fs/buffer.c:2160 sp : ffff8000a1957600 x29: ffff8000a1957610 x28: dfff800000000000 x27: ffff0000e30e34b0 x26: 0000000000000000 x25: dfff800000000000 x24: dfff800000000000 x23: fffffdffc397c9e0 x22: 0000000000000020 x21: 0000000000000020 x20: 0000000000000040 x19: fffffdffc397c9c0 x18: 1fffe000367bd196 x17: ffff80008eead000 x16: ffff80008ae89e3c x15: 00000000200000c0 x14: 1fffe0001cbe4e04 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000001 x10: 0000000000ff0100 x9 : 0000000000000000 x8 : 0000000000000004 x7 : 0000000000000000 x6 : 0000000000000000 x5 : fffffdffc397c9c0 x4 : 0000000000000020 x3 : 0000000000000020 x2 : 0000000000000040 x1 : 0000000000000020 x0 : fffffdffc397c9c0 Call trace: __block_commit_write+0x64/0x2b0 fs/buffer.c:2167 block_write_end+0xb4/0x104 fs/buffer.c:2253 ext4_da_do_write_end fs/ext4/inode.c:2955 [inline] ext4_da_write_end+0x2c4/0xa40 fs/ext4/inode.c:3028 generic_perform_write+0x394/0x588 mm/filemap.c:3985 ext4_buffered_write_iter+0x2c0/0x4ec fs/ext4/file.c:299 ext4_file_write_iter+0x188/0x1780 call_write_iter include/linux/fs.h:2110 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x968/0xc3c fs/read_write.c:590 ksys_write+0x15c/0x26c fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __arm64_sys_write+0x7c/0x90 fs/read_write.c:652 __invoke_syscall arch/arm64/kernel/syscall.c:34 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:152 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 Code: 97f85911 f94002da 91008356 d343fec8 (38796908) ---[ end trace 0000000000000000 ]--- ---------------- Code disassembly (best guess): 0: 97f85911 bl 0xffffffffffe16444 4: f94002da ldr x26, [x22] 8: 91008356 add x22, x26, #0x20 c: d343fec8 lsr x8, x22, #3 * 10: 38796908 ldrb w8, [x8, x25] <-- trapping instruction Reported-by: syzbot+18df508cf00a0598d9a6(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=18df508cf00a0598d9a6 Link: https://lore.kernel.org/all/000000000000f19a1406109eb5c5@google.com/T/ Signed-off-by: Wojciech Gładysz <wojciech.gladysz(a)infogain.com> Link: https://patch.msgid.link/20240703070112.10235-1-wojciech.gladysz@infogain.c… Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: fs/buffer.c fs/ext4/inode.c [Since folio is not defined in the earlier version, page_private is judged ahead of time.] Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com> --- fs/buffer.c | 3 +++ fs/ext4/inode.c | 5 +++++ 2 files changed, 8 insertions(+) diff --git a/fs/buffer.c b/fs/buffer.c index a74312b1bb42..fb8cb9993fc1 100644 --- a/fs/buffer.c +++ b/fs/buffer.c @@ -2070,6 +2070,9 @@ static int __block_commit_write(struct inode *inode, struct page *page, unsigned blocksize; struct buffer_head *bh, *head; + if (!page_has_buffers(page)) + return 0; + bh = head = page_buffers(page); blocksize = bh->b_size; diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 8e4407120cbc..ad7918c8df7b 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -3078,6 +3078,11 @@ static int ext4_da_do_write_end(struct address_space *mapping, bool disksize_changed = false; loff_t new_i_size; + if (unlikely(!page_has_buffers(page))) { + unlock_page(page); + put_page(page); + return -EIO; + } /* * block_write_end() will mark the inode as dirty with I_DIRTY_PAGES * flag, which all that's needed to trigger page writeback. -- 2.39.2
2 1
0 0
[PATCH openEuler-1.0-LTS V2] ext4: sanity check for NULL pointer after ext4_force_shutdown
by Zizhi Wo 03 Sep '24

03 Sep '24
From: Wojciech Gładysz <wojciech.gladysz(a)infogain.com> stable inclusion from stable-6.6.47 commit 3f6bbe6e07e5239294ecc3d2efa70d1f98aed52e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAMM9L CVE: CVE-2024-43898 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- [ Upstream commit 83f4414b8f84249d538905825b088ff3ae555652 ] Test case: 2 threads write short inline data to a file. In ext4_page_mkwrite the resulting inline data is converted. Handling ext4_grp_locked_error with description "block bitmap and bg descriptor inconsistent: X vs Y free clusters" calls ext4_force_shutdown. The conversion clears EXT4_STATE_MAY_INLINE_DATA but fails for ext4_destroy_inline_data_nolock and ext4_mark_iloc_dirty due to ext4_forced_shutdown. The restoration of inline data fails for the same reason not setting EXT4_STATE_MAY_INLINE_DATA. Without the flag set a regular process path in ext4_da_write_end follows trying to dereference page folio private pointer that has not been set. The fix calls early return with -EIO error shall the pointer to private be NULL. Sample crash report: Unable to handle kernel paging request at virtual address dfff800000000004 KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027] Mem abort info: ESR = 0x0000000096000005 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x05: level 1 translation fault Data abort info: ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [dfff800000000004] address between user and kernel address ranges Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP Modules linked in: CPU: 1 PID: 20274 Comm: syz-executor185 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __block_commit_write+0x64/0x2b0 fs/buffer.c:2167 lr : __block_commit_write+0x3c/0x2b0 fs/buffer.c:2160 sp : ffff8000a1957600 x29: ffff8000a1957610 x28: dfff800000000000 x27: ffff0000e30e34b0 x26: 0000000000000000 x25: dfff800000000000 x24: dfff800000000000 x23: fffffdffc397c9e0 x22: 0000000000000020 x21: 0000000000000020 x20: 0000000000000040 x19: fffffdffc397c9c0 x18: 1fffe000367bd196 x17: ffff80008eead000 x16: ffff80008ae89e3c x15: 00000000200000c0 x14: 1fffe0001cbe4e04 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000001 x10: 0000000000ff0100 x9 : 0000000000000000 x8 : 0000000000000004 x7 : 0000000000000000 x6 : 0000000000000000 x5 : fffffdffc397c9c0 x4 : 0000000000000020 x3 : 0000000000000020 x2 : 0000000000000040 x1 : 0000000000000020 x0 : fffffdffc397c9c0 Call trace: __block_commit_write+0x64/0x2b0 fs/buffer.c:2167 block_write_end+0xb4/0x104 fs/buffer.c:2253 ext4_da_do_write_end fs/ext4/inode.c:2955 [inline] ext4_da_write_end+0x2c4/0xa40 fs/ext4/inode.c:3028 generic_perform_write+0x394/0x588 mm/filemap.c:3985 ext4_buffered_write_iter+0x2c0/0x4ec fs/ext4/file.c:299 ext4_file_write_iter+0x188/0x1780 call_write_iter include/linux/fs.h:2110 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x968/0xc3c fs/read_write.c:590 ksys_write+0x15c/0x26c fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __arm64_sys_write+0x7c/0x90 fs/read_write.c:652 __invoke_syscall arch/arm64/kernel/syscall.c:34 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:152 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 Code: 97f85911 f94002da 91008356 d343fec8 (38796908) ---[ end trace 0000000000000000 ]--- ---------------- Code disassembly (best guess): 0: 97f85911 bl 0xffffffffffe16444 4: f94002da ldr x26, [x22] 8: 91008356 add x22, x26, #0x20 c: d343fec8 lsr x8, x22, #3 * 10: 38796908 ldrb w8, [x8, x25] <-- trapping instruction Reported-by: syzbot+18df508cf00a0598d9a6(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=18df508cf00a0598d9a6 Link: https://lore.kernel.org/all/000000000000f19a1406109eb5c5@google.com/T/ Signed-off-by: Wojciech Gładysz <wojciech.gladysz(a)infogain.com> Link: https://patch.msgid.link/20240703070112.10235-1-wojciech.gladysz@infogain.c… Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: fs/buffer.c fs/ext4/inode.c [Since folio is not defined in the earlier version, page_private is judged ahead of time.] Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com> --- fs/buffer.c | 3 +++ fs/ext4/inode.c | 6 ++++++ 2 files changed, 9 insertions(+) diff --git a/fs/buffer.c b/fs/buffer.c index af88734d1d38..ab98aefd8de3 100644 --- a/fs/buffer.c +++ b/fs/buffer.c @@ -2037,6 +2037,9 @@ static int __block_commit_write(struct inode *inode, struct page *page, unsigned blocksize; struct buffer_head *bh, *head; + if (!page_has_buffers(page)) + return 0; + bh = head = page_buffers(page); blocksize = bh->b_size; diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 35033bb43149..939def774e17 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -3155,6 +3155,12 @@ static int ext4_da_write_end(struct file *file, if (unlikely(copied < len) && !PageUptodate(page)) copied = 0; + if (unlikely(!page_has_buffers(page))) { + unlock_page(page); + put_page(page); + return -EIO; + } + start = pos & (PAGE_SIZE - 1); end = start + copied - 1; -- 2.39.2
2 1
0 0
[openeuler:OLK-5.10 25143/30000] drivers/net/ethernet/mucse/rnpgbevf/rnpgbevf_main.c:104: warning: Excess function parameter 'direction' description in 'rnpgbevf_set_ring_vector'
by kernel test robot 03 Sep '24

03 Sep '24
tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: b7bed6628b750ffd687d1da0a170dece4b0c08bd commit: 656d579e9c4f700f9f7debda0c2541f34fc39a35 [25143/30000] drivers: initial support for rnpgbevf drivers from Mucse Technology config: x86_64-allyesconfig (https://download.01.org/0day-ci/archive/20240903/202409030213.Wm0NsmFj-lkp@…) compiler: clang version 18.1.5 (https://github.com/llvm/llvm-project 617a15a9eac96088ae5e9134248d8236e34b91b1) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240903/202409030213.Wm0NsmFj-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202409030213.Wm0NsmFj-lkp@intel.com/ All warnings (new ones prefixed by >>): drivers/net/ethernet/mucse/rnpgbevf/rnpgbevf_main.c:104: warning: Function parameter or member 'rnpgbevf_queue' not described in 'rnpgbevf_set_ring_vector' drivers/net/ethernet/mucse/rnpgbevf/rnpgbevf_main.c:104: warning: Function parameter or member 'rnpgbevf_msix_vector' not described in 'rnpgbevf_set_ring_vector' >> drivers/net/ethernet/mucse/rnpgbevf/rnpgbevf_main.c:104: warning: Excess function parameter 'direction' description in 'rnpgbevf_set_ring_vector' >> drivers/net/ethernet/mucse/rnpgbevf/rnpgbevf_main.c:104: warning: Excess function parameter 'queue' description in 'rnpgbevf_set_ring_vector' >> drivers/net/ethernet/mucse/rnpgbevf/rnpgbevf_main.c:104: warning: Excess function parameter 'msix_vector' description in 'rnpgbevf_set_ring_vector' drivers/net/ethernet/mucse/rnpgbevf/rnpgbevf_main.c:892: warning: Excess function parameter 'skb' description in 'rnpgbevf_is_non_eop' drivers/net/ethernet/mucse/rnpgbevf/rnpgbevf_main.c:1738: warning: Excess function parameter 'rx_ring' description in 'rnpgbevf_pull_tail' drivers/net/ethernet/mucse/rnpgbevf/rnpgbevf_main.c:2049: warning: Function parameter or member 'type' not described in 'rnpgbevf_update_itr' drivers/net/ethernet/mucse/rnpgbevf/rnpgbevf_main.c:3728: warning: Function parameter or member 't' not described in 'rnpgbevf_watchdog' drivers/net/ethernet/mucse/rnpgbevf/rnpgbevf_main.c:3728: warning: Excess function parameter 'data' description in 'rnpgbevf_watchdog' vim +104 drivers/net/ethernet/mucse/rnpgbevf/rnpgbevf_main.c 94 95 /** 96 * rnpgbevf_set_ivar - set IVAR registers - maps interrupt causes to vectors 97 * @adapter: pointer to adapter struct 98 * @direction: 0 for Rx, 1 for Tx, -1 for other causes 99 * @queue: queue to map the corresponding interrupt to 100 * @msix_vector: the vector to map to the corresponding queue 101 */ 102 static void rnpgbevf_set_ring_vector(struct rnpgbevf_adapter *adapter, 103 u8 rnpgbevf_queue, u8 rnpgbevf_msix_vector) > 104 { 105 struct rnpgbevf_hw *hw = &adapter->hw; 106 u32 data = 0; 107 108 data = hw->vfnum << 24; 109 data |= (rnpgbevf_msix_vector << 8); 110 data |= (rnpgbevf_msix_vector << 0); 111 DPRINTK(IFUP, INFO, 112 "Set Ring-Vector queue:%d (reg:0x%x) <-- Rx-MSIX:%d, Tx-MSIX:%d\n", 113 rnpgbevf_queue, RING_VECTOR(rnpgbevf_queue), 114 rnpgbevf_msix_vector, rnpgbevf_msix_vector); 115 116 rnpgbevf_wr_reg(hw->ring_msix_base + RING_VECTOR(rnpgbevf_queue), data); 117 } 118 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki
1 0
0 0
[PATCH openEuler-1.0-LTS] netfilter: ctnetlink: use helper function to calculate expect ID
by Zhang Changzhong 02 Sep '24

02 Sep '24
From: Pablo Neira Ayuso <pablo(a)netfilter.org> stable inclusion from stable-v4.19.320 commit 66e7650dbbb8e236e781c670b167edc81e771450 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IANOZB CVE: CVE-2024-44944 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… --------------------------- [ Upstream commit 782161895eb4ac45cf7cfa8db375bd4766cb8299 ] Delete expectation path is missing a call to the nf_expect_get_id() helper function to calculate the expectation ID, otherwise LSB of the expectation object address is leaked to userspace. Fixes: 3c79107631db ("netfilter: ctnetlink: don't use conntrack/expect object addresses as id") Reported-by: zdi-disclosures(a)trendmicro.com Signed-off-by: Pablo Neira Ayuso <pablo(a)netfilter.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- net/netfilter/nf_conntrack_netlink.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 58bba2e2691f..331839218a1c 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -3142,7 +3142,8 @@ static int ctnetlink_del_expect(struct net *net, struct sock *ctnl, if (cda[CTA_EXPECT_ID]) { __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]); - if (ntohl(id) != (u32)(unsigned long)exp) { + + if (id != nf_expect_get_id(exp)) { nf_ct_expect_put(exp); return -ENOENT; } -- 2.34.1
2 1
0 0
[PATCH openEuler-22.03-LTS-SP1] netfilter: ctnetlink: use helper function to calculate expect ID
by Zhang Changzhong 02 Sep '24

02 Sep '24
From: Pablo Neira Ayuso <pablo(a)netfilter.org> stable inclusion from stable-v5.10.224 commit eb4ca1a97e08ff5b920664ba292e576257e2d184 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IANOZB CVE: CVE-2024-44944 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… --------------------------- [ Upstream commit 782161895eb4ac45cf7cfa8db375bd4766cb8299 ] Delete expectation path is missing a call to the nf_expect_get_id() helper function to calculate the expectation ID, otherwise LSB of the expectation object address is leaked to userspace. Fixes: 3c79107631db ("netfilter: ctnetlink: don't use conntrack/expect object addresses as id") Reported-by: zdi-disclosures(a)trendmicro.com Signed-off-by: Pablo Neira Ayuso <pablo(a)netfilter.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- net/netfilter/nf_conntrack_netlink.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index d44af1f3e7c5..e69a19357ade 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -3385,7 +3385,8 @@ static int ctnetlink_del_expect(struct net *net, struct sock *ctnl, if (cda[CTA_EXPECT_ID]) { __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]); - if (ntohl(id) != (u32)(unsigned long)exp) { + + if (id != nf_expect_get_id(exp)) { nf_ct_expect_put(exp); return -ENOENT; } -- 2.34.1
2 1
0 0
[PATCH OLK-5.10] netfilter: ctnetlink: use helper function to calculate expect ID
by Zhang Changzhong 02 Sep '24

02 Sep '24
From: Pablo Neira Ayuso <pablo(a)netfilter.org> stable inclusion from stable-v5.10.224 commit eb4ca1a97e08ff5b920664ba292e576257e2d184 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IANOZB CVE: CVE-2024-44944 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… --------------------------- [ Upstream commit 782161895eb4ac45cf7cfa8db375bd4766cb8299 ] Delete expectation path is missing a call to the nf_expect_get_id() helper function to calculate the expectation ID, otherwise LSB of the expectation object address is leaked to userspace. Fixes: 3c79107631db ("netfilter: ctnetlink: don't use conntrack/expect object addresses as id") Reported-by: zdi-disclosures(a)trendmicro.com Signed-off-by: Pablo Neira Ayuso <pablo(a)netfilter.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- net/netfilter/nf_conntrack_netlink.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index c4c2659d0600..78329f4e171b 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -3387,7 +3387,8 @@ static int ctnetlink_del_expect(struct net *net, struct sock *ctnl, if (cda[CTA_EXPECT_ID]) { __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]); - if (ntohl(id) != (u32)(unsigned long)exp) { + + if (id != nf_expect_get_id(exp)) { nf_ct_expect_put(exp); return -ENOENT; } -- 2.34.1
2 1
0 0
  • ← Newer
  • 1
  • ...
  • 710
  • 711
  • 712
  • 713
  • 714
  • 715
  • 716
  • ...
  • 1942
  • Older →

HyperKitty Powered by HyperKitty